ieee80211_output.c revision 174388
1/*- 2 * Copyright (c) 2001 Atsushi Onoe 3 * Copyright (c) 2002-2007 Sam Leffler, Errno Consulting 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 */ 26 27#include <sys/cdefs.h> 28__FBSDID("$FreeBSD: head/sys/net80211/ieee80211_output.c 174388 2007-12-07 01:46:13Z kmacy $"); 29 30#include "opt_inet.h" 31 32#include <sys/param.h> 33#include <sys/systm.h> 34#include <sys/mbuf.h> 35#include <sys/kernel.h> 36#include <sys/endian.h> 37 38#include <sys/socket.h> 39 40#include <net/bpf.h> 41#include <net/ethernet.h> 42#include <net/if.h> 43#include <net/if_llc.h> 44#include <net/if_media.h> 45#include <net/if_vlan_var.h> 46 47#include <net80211/ieee80211_var.h> 48#include <net80211/ieee80211_regdomain.h> 49 50#ifdef INET 51#include <netinet/in.h> 52#include <netinet/if_ether.h> 53#include <netinet/in_systm.h> 54#include <netinet/ip.h> 55#endif 56 57#define ETHER_HEADER_COPY(dst, src) \ 58 memcpy(dst, src, sizeof(struct ether_header)) 59 60static struct mbuf *ieee80211_encap_fastframe(struct ieee80211com *ic, 61 struct mbuf *m1, const struct ether_header *eh1, 62 struct mbuf *m2, const struct ether_header *eh2); 63static int ieee80211_fragment(struct ieee80211com *, struct mbuf *, 64 u_int hdrsize, u_int ciphdrsize, u_int mtu); 65static void ieee80211_tx_mgt_cb(struct ieee80211_node *, void *, int); 66 67#ifdef IEEE80211_DEBUG 68/* 69 * Decide if an outbound management frame should be 70 * printed when debugging is enabled. This filters some 71 * of the less interesting frames that come frequently 72 * (e.g. beacons). 73 */ 74static __inline int 75doprint(struct ieee80211com *ic, int subtype) 76{ 77 switch (subtype) { 78 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 79 return (ic->ic_opmode == IEEE80211_M_IBSS); 80 } 81 return 1; 82} 83#endif 84 85/* 86 * Set the direction field and address fields of an outgoing 87 * non-QoS frame. Note this should be called early on in 88 * constructing a frame as it sets i_fc[1]; other bits can 89 * then be or'd in. 90 */ 91static void 92ieee80211_send_setup(struct ieee80211com *ic, 93 struct ieee80211_node *ni, 94 struct ieee80211_frame *wh, 95 int type, 96 const uint8_t sa[IEEE80211_ADDR_LEN], 97 const uint8_t da[IEEE80211_ADDR_LEN], 98 const uint8_t bssid[IEEE80211_ADDR_LEN]) 99{ 100#define WH4(wh) ((struct ieee80211_frame_addr4 *)wh) 101 102 wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | type; 103 if ((type & IEEE80211_FC0_TYPE_MASK) == IEEE80211_FC0_TYPE_DATA) { 104 switch (ic->ic_opmode) { 105 case IEEE80211_M_STA: 106 wh->i_fc[1] = IEEE80211_FC1_DIR_TODS; 107 IEEE80211_ADDR_COPY(wh->i_addr1, bssid); 108 IEEE80211_ADDR_COPY(wh->i_addr2, sa); 109 IEEE80211_ADDR_COPY(wh->i_addr3, da); 110 break; 111 case IEEE80211_M_IBSS: 112 case IEEE80211_M_AHDEMO: 113 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS; 114 IEEE80211_ADDR_COPY(wh->i_addr1, da); 115 IEEE80211_ADDR_COPY(wh->i_addr2, sa); 116 IEEE80211_ADDR_COPY(wh->i_addr3, bssid); 117 break; 118 case IEEE80211_M_HOSTAP: 119 wh->i_fc[1] = IEEE80211_FC1_DIR_FROMDS; 120 IEEE80211_ADDR_COPY(wh->i_addr1, da); 121 IEEE80211_ADDR_COPY(wh->i_addr2, bssid); 122 IEEE80211_ADDR_COPY(wh->i_addr3, sa); 123 break; 124 case IEEE80211_M_WDS: 125 wh->i_fc[1] = IEEE80211_FC1_DIR_DSTODS; 126 /* XXX cheat, bssid holds RA */ 127 IEEE80211_ADDR_COPY(wh->i_addr1, bssid); 128 IEEE80211_ADDR_COPY(wh->i_addr2, ic->ic_myaddr); 129 IEEE80211_ADDR_COPY(wh->i_addr3, da); 130 IEEE80211_ADDR_COPY(WH4(wh)->i_addr4, sa); 131 break; 132 case IEEE80211_M_MONITOR: /* NB: to quiet compiler */ 133 break; 134 } 135 } else { 136 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS; 137 IEEE80211_ADDR_COPY(wh->i_addr1, da); 138 IEEE80211_ADDR_COPY(wh->i_addr2, sa); 139 IEEE80211_ADDR_COPY(wh->i_addr3, bssid); 140 } 141 *(uint16_t *)&wh->i_dur[0] = 0; 142 /* NB: use non-QoS tid */ 143 *(uint16_t *)&wh->i_seq[0] = 144 htole16(ni->ni_txseqs[IEEE80211_NONQOS_TID] << IEEE80211_SEQ_SEQ_SHIFT); 145 ni->ni_txseqs[IEEE80211_NONQOS_TID]++; 146#undef WH4 147} 148 149/* 150 * Send a management frame to the specified node. The node pointer 151 * must have a reference as the pointer will be passed to the driver 152 * and potentially held for a long time. If the frame is successfully 153 * dispatched to the driver, then it is responsible for freeing the 154 * reference (and potentially free'ing up any associated storage). 155 */ 156int 157ieee80211_mgmt_output(struct ieee80211com *ic, struct ieee80211_node *ni, 158 struct mbuf *m, int type) 159{ 160 struct ifnet *ifp = ic->ic_ifp; 161 struct ieee80211_frame *wh; 162 163 KASSERT(ni != NULL, ("null node")); 164 165 /* 166 * Yech, hack alert! We want to pass the node down to the 167 * driver's start routine. If we don't do so then the start 168 * routine must immediately look it up again and that can 169 * cause a lock order reversal if, for example, this frame 170 * is being sent because the station is being timedout and 171 * the frame being sent is a DEAUTH message. We could stick 172 * this in an m_tag and tack that on to the mbuf. However 173 * that's rather expensive to do for every frame so instead 174 * we stuff it in the rcvif field since outbound frames do 175 * not (presently) use this. 176 */ 177 M_PREPEND(m, sizeof(struct ieee80211_frame), M_DONTWAIT); 178 if (m == NULL) 179 return ENOMEM; 180 KASSERT(m->m_pkthdr.rcvif == NULL, ("rcvif not null")); 181 m->m_pkthdr.rcvif = (void *)ni; 182 183 wh = mtod(m, struct ieee80211_frame *); 184 ieee80211_send_setup(ic, ni, wh, 185 IEEE80211_FC0_TYPE_MGT | type, 186 ic->ic_myaddr, ni->ni_macaddr, ni->ni_bssid); 187 if ((m->m_flags & M_LINK0) != 0 && ni->ni_challenge != NULL) { 188 m->m_flags &= ~M_LINK0; 189 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 190 "[%s] encrypting frame (%s)\n", 191 ether_sprintf(wh->i_addr1), __func__); 192 wh->i_fc[1] |= IEEE80211_FC1_WEP; 193 } 194 if (ni->ni_flags & IEEE80211_NODE_QOS) { 195 /* NB: force all management frames to the highest queue */ 196 M_WME_SETAC(m, WME_AC_VO); 197 } else 198 M_WME_SETAC(m, WME_AC_BE); 199#ifdef IEEE80211_DEBUG 200 /* avoid printing too many frames */ 201 if ((ieee80211_msg_debug(ic) && doprint(ic, type)) || 202 ieee80211_msg_dumppkts(ic)) { 203 printf("[%s] send %s on channel %u\n", 204 ether_sprintf(wh->i_addr1), 205 ieee80211_mgt_subtype_name[ 206 (type & IEEE80211_FC0_SUBTYPE_MASK) >> 207 IEEE80211_FC0_SUBTYPE_SHIFT], 208 ieee80211_chan2ieee(ic, ic->ic_curchan)); 209 } 210#endif 211 IEEE80211_NODE_STAT(ni, tx_mgmt); 212 IF_ENQUEUE(&ic->ic_mgtq, m); 213 if_start(ifp); 214 ifp->if_opackets++; 215 216 return 0; 217} 218 219/* 220 * Raw packet transmit stub for legacy drivers. 221 * Send the packet through the mgt q so we bypass 222 * the normal encapsulation work. 223 */ 224int 225ieee80211_raw_xmit(struct ieee80211_node *ni, struct mbuf *m, 226 const struct ieee80211_bpf_params *params) 227{ 228 struct ieee80211com *ic = ni->ni_ic; 229 struct ifnet *ifp = ic->ic_ifp; 230 231 m->m_pkthdr.rcvif = (void *) ni; 232 IF_ENQUEUE(&ic->ic_mgtq, m); 233 if_start(ifp); 234 ifp->if_opackets++; 235 236 return 0; 237} 238 239/* 240 * 802.11 output routine. This is (currently) used only to 241 * connect bpf write calls to the 802.11 layer for injecting 242 * raw 802.11 frames. Note we locate the ieee80211com from 243 * the ifnet using a spare field setup at attach time. This 244 * will go away when the virtual ap support comes in. 245 */ 246int 247ieee80211_output(struct ifnet *ifp, struct mbuf *m, 248 struct sockaddr *dst, struct rtentry *rt0) 249{ 250#define senderr(e) do { error = (e); goto bad;} while (0) 251 struct ieee80211com *ic = ifp->if_llsoftc; /* XXX */ 252 struct ieee80211_node *ni = NULL; 253 struct ieee80211_frame *wh; 254 int error; 255 256 /* 257 * Hand to the 802.3 code if not tagged as 258 * a raw 802.11 frame. 259 */ 260 if (dst->sa_family != AF_IEEE80211) 261 return ether_output(ifp, m, dst, rt0); 262#ifdef MAC 263 error = mac_check_ifnet_transmit(ifp, m); 264 if (error) 265 senderr(error); 266#endif 267 if (ifp->if_flags & IFF_MONITOR) 268 senderr(ENETDOWN); 269 if ((ifp->if_flags & IFF_UP) == 0) 270 senderr(ENETDOWN); 271 272 /* XXX bypass bridge, pfil, carp, etc. */ 273 274 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_ack)) 275 senderr(EIO); /* XXX */ 276 wh = mtod(m, struct ieee80211_frame *); 277 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 278 IEEE80211_FC0_VERSION_0) 279 senderr(EIO); /* XXX */ 280 281 /* locate destination node */ 282 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) { 283 case IEEE80211_FC1_DIR_NODS: 284 case IEEE80211_FC1_DIR_FROMDS: 285 ni = ieee80211_find_txnode(ic, wh->i_addr1); 286 break; 287 case IEEE80211_FC1_DIR_TODS: 288 case IEEE80211_FC1_DIR_DSTODS: 289 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) 290 senderr(EIO); /* XXX */ 291 ni = ieee80211_find_txnode(ic, wh->i_addr3); 292 break; 293 default: 294 senderr(EIO); /* XXX */ 295 } 296 if (ni == NULL) { 297 /* 298 * Permit packets w/ bpf params through regardless 299 * (see below about sa_len). 300 */ 301 if (dst->sa_len == 0) 302 senderr(EHOSTUNREACH); 303 ni = ieee80211_ref_node(ic->ic_bss); 304 } 305 306 /* XXX ctrl frames should go through */ 307 if ((ni->ni_flags & IEEE80211_NODE_PWR_MGT) && 308 (m->m_flags & M_PWR_SAV) == 0) { 309 /* 310 * Station in power save mode; pass the frame 311 * to the 802.11 layer and continue. We'll get 312 * the frame back when the time is right. 313 */ 314 ieee80211_pwrsave(ni, m); 315 error = 0; 316 goto reclaim; 317 } 318 319 /* calculate priority so drivers can find the tx queue */ 320 /* XXX assumes an 802.3 frame */ 321 if (ieee80211_classify(ic, m, ni)) 322 senderr(EIO); /* XXX */ 323 324 BPF_MTAP(ifp, m); 325 /* 326 * NB: DLT_IEEE802_11_RADIO identifies the parameters are 327 * present by setting the sa_len field of the sockaddr (yes, 328 * this is a hack). 329 * NB: we assume sa_data is suitably aligned to cast. 330 */ 331 return ic->ic_raw_xmit(ni, m, (const struct ieee80211_bpf_params *) 332 (dst->sa_len ? dst->sa_data : NULL)); 333bad: 334 if (m != NULL) 335 m_freem(m); 336reclaim: 337 if (ni != NULL) 338 ieee80211_free_node(ni); 339 return error; 340#undef senderr 341} 342 343/* 344 * Send a null data frame to the specified node. 345 * 346 * NB: the caller is assumed to have setup a node reference 347 * for use; this is necessary to deal with a race condition 348 * when probing for inactive stations. 349 */ 350int 351ieee80211_send_nulldata(struct ieee80211_node *ni) 352{ 353 struct ieee80211com *ic = ni->ni_ic; 354 struct ifnet *ifp = ic->ic_ifp; 355 struct mbuf *m; 356 struct ieee80211_frame *wh; 357 358 MGETHDR(m, M_NOWAIT, MT_DATA); 359 if (m == NULL) { 360 /* XXX debug msg */ 361 ieee80211_unref_node(&ni); 362 ic->ic_stats.is_tx_nobuf++; 363 return ENOMEM; 364 } 365 MH_ALIGN(m, sizeof(struct ieee80211_frame)); 366 m->m_pkthdr.rcvif = (void *) ni; 367 368 wh = mtod(m, struct ieee80211_frame *); 369 ieee80211_send_setup(ic, ni, wh, 370 IEEE80211_FC0_TYPE_DATA | IEEE80211_FC0_SUBTYPE_NODATA, 371 ic->ic_myaddr, ni->ni_macaddr, ni->ni_bssid); 372 /* NB: power management bit is never sent by an AP */ 373 if ((ni->ni_flags & IEEE80211_NODE_PWR_MGT) && 374 ic->ic_opmode != IEEE80211_M_HOSTAP && 375 ic->ic_opmode != IEEE80211_M_WDS) 376 wh->i_fc[1] |= IEEE80211_FC1_PWR_MGT; 377 m->m_len = m->m_pkthdr.len = sizeof(struct ieee80211_frame); 378 M_WME_SETAC(m, WME_AC_BE); 379 380 IEEE80211_NODE_STAT(ni, tx_data); 381 382 IEEE80211_DPRINTF(ic, IEEE80211_MSG_DEBUG | IEEE80211_MSG_DUMPPKTS, 383 "[%s] send null data frame on channel %u, pwr mgt %s\n", 384 ether_sprintf(ni->ni_macaddr), 385 ieee80211_chan2ieee(ic, ic->ic_curchan), 386 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT ? "ena" : "dis"); 387 388 IF_ENQUEUE(&ic->ic_mgtq, m); /* cheat */ 389 if_start(ifp); 390 391 return 0; 392} 393 394/* 395 * Assign priority to a frame based on any vlan tag assigned 396 * to the station and/or any Diffserv setting in an IP header. 397 * Finally, if an ACM policy is setup (in station mode) it's 398 * applied. 399 */ 400int 401ieee80211_classify(struct ieee80211com *ic, struct mbuf *m, struct ieee80211_node *ni) 402{ 403 int v_wme_ac, d_wme_ac, ac; 404#ifdef INET 405 struct ether_header *eh; 406#endif 407 408 if ((ni->ni_flags & IEEE80211_NODE_QOS) == 0) { 409 ac = WME_AC_BE; 410 goto done; 411 } 412 413 /* 414 * If node has a vlan tag then all traffic 415 * to it must have a matching tag. 416 */ 417 v_wme_ac = 0; 418 if (ni->ni_vlan != 0) { 419 if ((m->m_flags & M_VLANTAG) == 0) { 420 IEEE80211_NODE_STAT(ni, tx_novlantag); 421 return 1; 422 } 423 if (EVL_VLANOFTAG(m->m_pkthdr.ether_vtag) != 424 EVL_VLANOFTAG(ni->ni_vlan)) { 425 IEEE80211_NODE_STAT(ni, tx_vlanmismatch); 426 return 1; 427 } 428 /* map vlan priority to AC */ 429 v_wme_ac = TID_TO_WME_AC(EVL_PRIOFTAG(ni->ni_vlan)); 430 } 431 432#ifdef INET 433 eh = mtod(m, struct ether_header *); 434 if (eh->ether_type == htons(ETHERTYPE_IP)) { 435 uint8_t tos; 436 /* 437 * IP frame, map the DSCP bits from the TOS field. 438 */ 439 /* XXX m_copydata may be too slow for fast path */ 440 /* NB: ip header may not be in first mbuf */ 441 m_copydata(m, sizeof(struct ether_header) + 442 offsetof(struct ip, ip_tos), sizeof(tos), &tos); 443 tos >>= 5; /* NB: ECN + low 3 bits of DSCP */ 444 d_wme_ac = TID_TO_WME_AC(tos); 445 } else { 446#endif /* INET */ 447 d_wme_ac = WME_AC_BE; 448#ifdef INET 449 } 450#endif 451 /* 452 * Use highest priority AC. 453 */ 454 if (v_wme_ac > d_wme_ac) 455 ac = v_wme_ac; 456 else 457 ac = d_wme_ac; 458 459 /* 460 * Apply ACM policy. 461 */ 462 if (ic->ic_opmode == IEEE80211_M_STA) { 463 static const int acmap[4] = { 464 WME_AC_BK, /* WME_AC_BE */ 465 WME_AC_BK, /* WME_AC_BK */ 466 WME_AC_BE, /* WME_AC_VI */ 467 WME_AC_VI, /* WME_AC_VO */ 468 }; 469 while (ac != WME_AC_BK && 470 ic->ic_wme.wme_wmeBssChanParams.cap_wmeParams[ac].wmep_acm) 471 ac = acmap[ac]; 472 } 473done: 474 M_WME_SETAC(m, ac); 475 return 0; 476} 477 478/* 479 * Insure there is sufficient contiguous space to encapsulate the 480 * 802.11 data frame. If room isn't already there, arrange for it. 481 * Drivers and cipher modules assume we have done the necessary work 482 * and fail rudely if they don't find the space they need. 483 */ 484static struct mbuf * 485ieee80211_mbuf_adjust(struct ieee80211com *ic, int hdrsize, 486 struct ieee80211_key *key, struct mbuf *m) 487{ 488#define TO_BE_RECLAIMED (sizeof(struct ether_header) - sizeof(struct llc)) 489 int needed_space = ic->ic_headroom + hdrsize; 490 491 if (key != NULL) { 492 /* XXX belongs in crypto code? */ 493 needed_space += key->wk_cipher->ic_header; 494 /* XXX frags */ 495 /* 496 * When crypto is being done in the host we must insure 497 * the data are writable for the cipher routines; clone 498 * a writable mbuf chain. 499 * XXX handle SWMIC specially 500 */ 501 if (key->wk_flags & (IEEE80211_KEY_SWCRYPT|IEEE80211_KEY_SWMIC)) { 502 m = m_unshare(m, M_NOWAIT); 503 if (m == NULL) { 504 IEEE80211_DPRINTF(ic, IEEE80211_MSG_OUTPUT, 505 "%s: cannot get writable mbuf\n", __func__); 506 ic->ic_stats.is_tx_nobuf++; /* XXX new stat */ 507 return NULL; 508 } 509 } 510 } 511 /* 512 * We know we are called just before stripping an Ethernet 513 * header and prepending an LLC header. This means we know 514 * there will be 515 * sizeof(struct ether_header) - sizeof(struct llc) 516 * bytes recovered to which we need additional space for the 517 * 802.11 header and any crypto header. 518 */ 519 /* XXX check trailing space and copy instead? */ 520 if (M_LEADINGSPACE(m) < needed_space - TO_BE_RECLAIMED) { 521 struct mbuf *n = m_gethdr(M_NOWAIT, m->m_type); 522 if (n == NULL) { 523 IEEE80211_DPRINTF(ic, IEEE80211_MSG_OUTPUT, 524 "%s: cannot expand storage\n", __func__); 525 ic->ic_stats.is_tx_nobuf++; 526 m_freem(m); 527 return NULL; 528 } 529 KASSERT(needed_space <= MHLEN, 530 ("not enough room, need %u got %zu\n", needed_space, MHLEN)); 531 /* 532 * Setup new mbuf to have leading space to prepend the 533 * 802.11 header and any crypto header bits that are 534 * required (the latter are added when the driver calls 535 * back to ieee80211_crypto_encap to do crypto encapsulation). 536 */ 537 /* NB: must be first 'cuz it clobbers m_data */ 538 m_move_pkthdr(n, m); 539 n->m_len = 0; /* NB: m_gethdr does not set */ 540 n->m_data += needed_space; 541 /* 542 * Pull up Ethernet header to create the expected layout. 543 * We could use m_pullup but that's overkill (i.e. we don't 544 * need the actual data) and it cannot fail so do it inline 545 * for speed. 546 */ 547 /* NB: struct ether_header is known to be contiguous */ 548 n->m_len += sizeof(struct ether_header); 549 m->m_len -= sizeof(struct ether_header); 550 m->m_data += sizeof(struct ether_header); 551 /* 552 * Replace the head of the chain. 553 */ 554 n->m_next = m; 555 m = n; 556 } 557 return m; 558#undef TO_BE_RECLAIMED 559} 560 561/* 562 * Return the transmit key to use in sending a unicast frame. 563 * If a unicast key is set we use that. When no unicast key is set 564 * we fall back to the default transmit key. 565 */ 566static __inline struct ieee80211_key * 567ieee80211_crypto_getucastkey(struct ieee80211com *ic, struct ieee80211_node *ni) 568{ 569 if (IEEE80211_KEY_UNDEFINED(&ni->ni_ucastkey)) { 570 if (ic->ic_def_txkey == IEEE80211_KEYIX_NONE || 571 IEEE80211_KEY_UNDEFINED(&ic->ic_nw_keys[ic->ic_def_txkey])) 572 return NULL; 573 return &ic->ic_nw_keys[ic->ic_def_txkey]; 574 } else { 575 return &ni->ni_ucastkey; 576 } 577} 578 579/* 580 * Return the transmit key to use in sending a multicast frame. 581 * Multicast traffic always uses the group key which is installed as 582 * the default tx key. 583 */ 584static __inline struct ieee80211_key * 585ieee80211_crypto_getmcastkey(struct ieee80211com *ic, struct ieee80211_node *ni) 586{ 587 if (ic->ic_def_txkey == IEEE80211_KEYIX_NONE || 588 IEEE80211_KEY_UNDEFINED(&ic->ic_nw_keys[ic->ic_def_txkey])) 589 return NULL; 590 return &ic->ic_nw_keys[ic->ic_def_txkey]; 591} 592 593/* 594 * Encapsulate an outbound data frame. The mbuf chain is updated. 595 * If an error is encountered NULL is returned. The caller is required 596 * to provide a node reference and pullup the ethernet header in the 597 * first mbuf. 598 */ 599struct mbuf * 600ieee80211_encap(struct ieee80211com *ic, struct mbuf *m, 601 struct ieee80211_node *ni) 602{ 603 struct ether_header eh; 604 struct ieee80211_frame *wh; 605 struct ieee80211_key *key; 606 struct llc *llc; 607 int hdrsize, datalen, addqos, txfrag, isff; 608 609 /* 610 * Copy existing Ethernet header to a safe place. The 611 * rest of the code assumes it's ok to strip it when 612 * reorganizing state for the final encapsulation. 613 */ 614 KASSERT(m->m_len >= sizeof(eh), ("no ethernet header!")); 615 memcpy(&eh, mtod(m, caddr_t), sizeof(struct ether_header)); 616 617 /* 618 * Insure space for additional headers. First identify 619 * transmit key to use in calculating any buffer adjustments 620 * required. This is also used below to do privacy 621 * encapsulation work. Then calculate the 802.11 header 622 * size and any padding required by the driver. 623 * 624 * Note key may be NULL if we fall back to the default 625 * transmit key and that is not set. In that case the 626 * buffer may not be expanded as needed by the cipher 627 * routines, but they will/should discard it. 628 */ 629 if (ic->ic_flags & IEEE80211_F_PRIVACY) { 630 if (ic->ic_opmode == IEEE80211_M_STA || 631 !IEEE80211_IS_MULTICAST(eh.ether_dhost)) 632 key = ieee80211_crypto_getucastkey(ic, ni); 633 else 634 key = ieee80211_crypto_getmcastkey(ic, ni); 635 if (key == NULL && eh.ether_type != htons(ETHERTYPE_PAE)) { 636 IEEE80211_DPRINTF(ic, IEEE80211_MSG_CRYPTO, 637 "[%s] no default transmit key (%s) deftxkey %u\n", 638 ether_sprintf(eh.ether_dhost), __func__, 639 ic->ic_def_txkey); 640 ic->ic_stats.is_tx_nodefkey++; 641 goto bad; 642 } 643 } else 644 key = NULL; 645 /* XXX 4-address format */ 646 /* 647 * XXX Some ap's don't handle QoS-encapsulated EAPOL 648 * frames so suppress use. This may be an issue if other 649 * ap's require all data frames to be QoS-encapsulated 650 * once negotiated in which case we'll need to make this 651 * configurable. 652 */ 653 addqos = (ni->ni_flags & (IEEE80211_NODE_QOS|IEEE80211_NODE_HT)) && 654 eh.ether_type != htons(ETHERTYPE_PAE); 655 if (addqos) 656 hdrsize = sizeof(struct ieee80211_qosframe); 657 else 658 hdrsize = sizeof(struct ieee80211_frame); 659 if (ic->ic_flags & IEEE80211_F_DATAPAD) 660 hdrsize = roundup(hdrsize, sizeof(uint32_t)); 661 662 if ((isff = m->m_flags & M_FF) != 0) { 663 struct mbuf *m2; 664 struct ether_header eh2; 665 666 /* 667 * Fast frame encapsulation. There must be two packets 668 * chained with m_nextpkt. We do header adjustment for 669 * each, add the tunnel encapsulation, and then concatenate 670 * the mbuf chains to form a single frame for transmission. 671 */ 672 m2 = m->m_nextpkt; 673 if (m2 == NULL) { 674 IEEE80211_DPRINTF(ic, IEEE80211_MSG_SUPERG, 675 "%s: only one frame\n", __func__); 676 goto bad; 677 } 678 m->m_nextpkt = NULL; 679 /* 680 * Include fast frame headers in adjusting header 681 * layout; this allocates space according to what 682 * ieee80211_encap_fastframe will do. 683 */ 684 m = ieee80211_mbuf_adjust(ic, 685 hdrsize + sizeof(struct llc) + sizeof(uint32_t) + 2 + 686 sizeof(struct ether_header), 687 key, m); 688 if (m == NULL) { 689 /* NB: ieee80211_mbuf_adjust handles msgs+statistics */ 690 m_freem(m2); 691 goto bad; 692 } 693 /* 694 * Copy second frame's Ethernet header out of line 695 * and adjust for encapsulation headers. Note that 696 * we make room for padding in case there isn't room 697 * at the end of first frame. 698 */ 699 KASSERT(m2->m_len >= sizeof(eh2), ("no ethernet header!")); 700 memcpy(&eh2, mtod(m2, caddr_t), sizeof(struct ether_header)); 701 m2 = ieee80211_mbuf_adjust(ic, 702 ATH_FF_MAX_HDR_PAD + sizeof(struct ether_header), 703 NULL, m2); 704 if (m2 == NULL) { 705 /* NB: ieee80211_mbuf_adjust handles msgs+statistics */ 706 goto bad; 707 } 708 m = ieee80211_encap_fastframe(ic, m, &eh, m2, &eh2); 709 if (m == NULL) 710 goto bad; 711 } else { 712 /* 713 * Normal frame. 714 */ 715 m = ieee80211_mbuf_adjust(ic, hdrsize, key, m); 716 if (m == NULL) { 717 /* NB: ieee80211_mbuf_adjust handles msgs+statistics */ 718 goto bad; 719 } 720 /* NB: this could be optimized 'cuz of ieee80211_mbuf_adjust */ 721 m_adj(m, sizeof(struct ether_header) - sizeof(struct llc)); 722 llc = mtod(m, struct llc *); 723 llc->llc_dsap = llc->llc_ssap = LLC_SNAP_LSAP; 724 llc->llc_control = LLC_UI; 725 llc->llc_snap.org_code[0] = 0; 726 llc->llc_snap.org_code[1] = 0; 727 llc->llc_snap.org_code[2] = 0; 728 llc->llc_snap.ether_type = eh.ether_type; 729 } 730 datalen = m->m_pkthdr.len; /* NB: w/o 802.11 header */ 731 732 M_PREPEND(m, hdrsize, M_DONTWAIT); 733 if (m == NULL) { 734 ic->ic_stats.is_tx_nobuf++; 735 goto bad; 736 } 737 wh = mtod(m, struct ieee80211_frame *); 738 wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_DATA; 739 *(uint16_t *)wh->i_dur = 0; 740 switch (ic->ic_opmode) { 741 case IEEE80211_M_STA: 742 wh->i_fc[1] = IEEE80211_FC1_DIR_TODS; 743 IEEE80211_ADDR_COPY(wh->i_addr1, ni->ni_bssid); 744 IEEE80211_ADDR_COPY(wh->i_addr2, eh.ether_shost); 745 IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_dhost); 746 break; 747 case IEEE80211_M_IBSS: 748 case IEEE80211_M_AHDEMO: 749 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS; 750 IEEE80211_ADDR_COPY(wh->i_addr1, eh.ether_dhost); 751 IEEE80211_ADDR_COPY(wh->i_addr2, eh.ether_shost); 752 /* 753 * NB: always use the bssid from ic_bss as the 754 * neighbor's may be stale after an ibss merge 755 */ 756 IEEE80211_ADDR_COPY(wh->i_addr3, ic->ic_bss->ni_bssid); 757 break; 758 case IEEE80211_M_HOSTAP: 759 wh->i_fc[1] = IEEE80211_FC1_DIR_FROMDS; 760 IEEE80211_ADDR_COPY(wh->i_addr1, eh.ether_dhost); 761 IEEE80211_ADDR_COPY(wh->i_addr2, ni->ni_bssid); 762 IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_shost); 763 break; 764 case IEEE80211_M_MONITOR: 765 case IEEE80211_M_WDS: 766 goto bad; 767 } 768 if (m->m_flags & M_MORE_DATA) 769 wh->i_fc[1] |= IEEE80211_FC1_MORE_DATA; 770 if (addqos) { 771 struct ieee80211_qosframe *qwh = 772 (struct ieee80211_qosframe *) wh; 773 int ac, tid; 774 775 ac = M_WME_GETAC(m); 776 /* map from access class/queue to 11e header priorty value */ 777 tid = WME_AC_TO_TID(ac); 778 qwh->i_qos[0] = tid & IEEE80211_QOS_TID; 779 /* 780 * Check if A-MPDU tx aggregation is setup or if we 781 * should try to enable it. The sta must be associated 782 * with HT and A-MPDU enabled for use. On the first 783 * frame that goes out We issue an ADDBA request and 784 * wait for a reply. The frame being encapsulated 785 * will go out w/o using A-MPDU, or possibly it might 786 * be collected by the driver and held/retransmit. 787 * ieee80211_ampdu_request handles staggering requests 788 * in case the receiver NAK's us or we are otherwise 789 * unable to establish a BA stream. 790 */ 791 if ((ni->ni_flags & IEEE80211_NODE_AMPDU_TX) && 792 (ic->ic_flags_ext & IEEE80211_FEXT_AMPDU_TX)) { 793 struct ieee80211_tx_ampdu *tap = &ni->ni_tx_ampdu[ac]; 794 795 if (IEEE80211_AMPDU_RUNNING(tap)) { 796 /* 797 * Operational, mark frame for aggregation. 798 */ 799 qwh->i_qos[0] |= IEEE80211_QOS_ACKPOLICY_BA; 800 } else if (!IEEE80211_AMPDU_REQUESTED(tap)) { 801 /* 802 * Not negotiated yet, request service. 803 */ 804 ieee80211_ampdu_request(ni, tap); 805 } 806 } 807 /* XXX works even when BA marked above */ 808 if (ic->ic_wme.wme_wmeChanParams.cap_wmeParams[ac].wmep_noackPolicy) 809 qwh->i_qos[0] |= IEEE80211_QOS_ACKPOLICY_NOACK; 810 qwh->i_qos[1] = 0; 811 qwh->i_fc[0] |= IEEE80211_FC0_SUBTYPE_QOS; 812 813 *(uint16_t *)wh->i_seq = 814 htole16(ni->ni_txseqs[tid] << IEEE80211_SEQ_SEQ_SHIFT); 815 ni->ni_txseqs[tid]++; 816 } else { 817 *(uint16_t *)wh->i_seq = 818 htole16(ni->ni_txseqs[IEEE80211_NONQOS_TID] << IEEE80211_SEQ_SEQ_SHIFT); 819 ni->ni_txseqs[IEEE80211_NONQOS_TID]++; 820 } 821 /* check if xmit fragmentation is required */ 822 txfrag = (m->m_pkthdr.len > ic->ic_fragthreshold && 823 !IEEE80211_IS_MULTICAST(wh->i_addr1) && 824 (ic->ic_caps & IEEE80211_C_TXFRAG) && 825 !isff); /* NB: don't fragment ff's */ 826 if (key != NULL) { 827 /* 828 * IEEE 802.1X: send EAPOL frames always in the clear. 829 * WPA/WPA2: encrypt EAPOL keys when pairwise keys are set. 830 */ 831 if (eh.ether_type != htons(ETHERTYPE_PAE) || 832 ((ic->ic_flags & IEEE80211_F_WPA) && 833 (ic->ic_opmode == IEEE80211_M_STA ? 834 !IEEE80211_KEY_UNDEFINED(key) : 835 !IEEE80211_KEY_UNDEFINED(&ni->ni_ucastkey)))) { 836 wh->i_fc[1] |= IEEE80211_FC1_WEP; 837 if (!ieee80211_crypto_enmic(ic, key, m, txfrag)) { 838 IEEE80211_DPRINTF(ic, IEEE80211_MSG_OUTPUT, 839 "[%s] enmic failed, discard frame\n", 840 ether_sprintf(eh.ether_dhost)); 841 ic->ic_stats.is_crypto_enmicfail++; 842 goto bad; 843 } 844 } 845 } 846 /* 847 * NB: frag flags may leak from above; they should only 848 * be set on return to the caller if we fragment at 849 * the 802.11 layer. 850 */ 851 m->m_flags &= ~(M_FRAG | M_FIRSTFRAG); 852 if (txfrag && !ieee80211_fragment(ic, m, hdrsize, 853 key != NULL ? key->wk_cipher->ic_header : 0, ic->ic_fragthreshold)) 854 goto bad; 855 856 IEEE80211_NODE_STAT(ni, tx_data); 857 if (IEEE80211_IS_MULTICAST(wh->i_addr1)) 858 IEEE80211_NODE_STAT(ni, tx_mcast); 859 else 860 IEEE80211_NODE_STAT(ni, tx_ucast); 861 IEEE80211_NODE_STAT_ADD(ni, tx_bytes, datalen); 862 863 return m; 864bad: 865 if (m != NULL) 866 m_freem(m); 867 return NULL; 868} 869 870/* 871 * Do Ethernet-LLC encapsulation for each payload in a fast frame 872 * tunnel encapsulation. The frame is assumed to have an Ethernet 873 * header at the front that must be stripped before prepending the 874 * LLC followed by the Ethernet header passed in (with an Ethernet 875 * type that specifies the payload size). 876 */ 877static struct mbuf * 878ieee80211_encap1(struct ieee80211com *ic, struct mbuf *m, 879 const struct ether_header *eh) 880{ 881 struct llc *llc; 882 uint16_t payload; 883 884 /* XXX optimize by combining m_adj+M_PREPEND */ 885 m_adj(m, sizeof(struct ether_header) - sizeof(struct llc)); 886 llc = mtod(m, struct llc *); 887 llc->llc_dsap = llc->llc_ssap = LLC_SNAP_LSAP; 888 llc->llc_control = LLC_UI; 889 llc->llc_snap.org_code[0] = 0; 890 llc->llc_snap.org_code[1] = 0; 891 llc->llc_snap.org_code[2] = 0; 892 llc->llc_snap.ether_type = eh->ether_type; 893 payload = m->m_pkthdr.len; /* NB: w/o Ethernet header */ 894 895 M_PREPEND(m, sizeof(struct ether_header), M_DONTWAIT); 896 if (m == NULL) { /* XXX cannot happen */ 897 IEEE80211_DPRINTF(ic, IEEE80211_MSG_SUPERG, 898 "%s: no space for ether_header\n", __func__); 899 ic->ic_stats.is_tx_nobuf++; 900 return NULL; 901 } 902 ETHER_HEADER_COPY(mtod(m, void *), eh); 903 mtod(m, struct ether_header *)->ether_type = htons(payload); 904 return m; 905} 906 907/* 908 * Do fast frame tunnel encapsulation. The two frames and 909 * Ethernet headers are supplied. The caller is assumed to 910 * have arrange for space in the mbuf chains for encapsulating 911 * headers (to avoid major mbuf fragmentation). 912 * 913 * The encapsulated frame is returned or NULL if there is a 914 * problem (should not happen). 915 */ 916static struct mbuf * 917ieee80211_encap_fastframe(struct ieee80211com *ic, 918 struct mbuf *m1, const struct ether_header *eh1, 919 struct mbuf *m2, const struct ether_header *eh2) 920{ 921 struct llc *llc; 922 struct mbuf *m; 923 int pad; 924 925 /* 926 * First, each frame gets a standard encapsulation. 927 */ 928 m1 = ieee80211_encap1(ic, m1, eh1); 929 if (m1 == NULL) { 930 m_freem(m2); 931 return NULL; 932 } 933 m2 = ieee80211_encap1(ic, m2, eh2); 934 if (m2 == NULL) { 935 m_freem(m1); 936 return NULL; 937 } 938 939 /* 940 * Pad leading frame to a 4-byte boundary. If there 941 * is space at the end of the first frame, put it 942 * there; otherwise prepend to the front of the second 943 * frame. We know doing the second will always work 944 * because we reserve space above. We prefer appending 945 * as this typically has better DMA alignment properties. 946 */ 947 for (m = m1; m->m_next != NULL; m = m->m_next) 948 ; 949 pad = roundup2(m1->m_pkthdr.len, 4) - m1->m_pkthdr.len; 950 if (pad) { 951 if (M_TRAILINGSPACE(m) < pad) { /* prepend to second */ 952 m2->m_data -= pad; 953 m2->m_len += pad; 954 m2->m_pkthdr.len += pad; 955 } else { /* append to first */ 956 m->m_len += pad; 957 m1->m_pkthdr.len += pad; 958 } 959 } 960 961 /* 962 * Now, stick 'em together and prepend the tunnel headers; 963 * first the Atheros tunnel header (all zero for now) and 964 * then a special fast frame LLC. 965 * 966 * XXX optimize by prepending together 967 */ 968 m->m_next = m2; /* NB: last mbuf from above */ 969 m1->m_pkthdr.len += m2->m_pkthdr.len; 970 M_PREPEND(m1, sizeof(uint32_t)+2, M_DONTWAIT); 971 if (m1 == NULL) { /* XXX cannot happen */ 972 IEEE80211_DPRINTF(ic, IEEE80211_MSG_SUPERG, 973 "%s: no space for tunnel header\n", __func__); 974 ic->ic_stats.is_tx_nobuf++; 975 return NULL; 976 } 977 memset(mtod(m1, void *), 0, sizeof(uint32_t)+2); 978 979 M_PREPEND(m1, sizeof(struct llc), M_DONTWAIT); 980 if (m1 == NULL) { /* XXX cannot happen */ 981 IEEE80211_DPRINTF(ic, IEEE80211_MSG_SUPERG, 982 "%s: no space for llc header\n", __func__); 983 ic->ic_stats.is_tx_nobuf++; 984 return NULL; 985 } 986 llc = mtod(m1, struct llc *); 987 llc->llc_dsap = llc->llc_ssap = LLC_SNAP_LSAP; 988 llc->llc_control = LLC_UI; 989 llc->llc_snap.org_code[0] = ATH_FF_SNAP_ORGCODE_0; 990 llc->llc_snap.org_code[1] = ATH_FF_SNAP_ORGCODE_1; 991 llc->llc_snap.org_code[2] = ATH_FF_SNAP_ORGCODE_2; 992 llc->llc_snap.ether_type = htons(ATH_FF_ETH_TYPE); 993 994 ic->ic_stats.is_ff_encap++; 995 996 return m1; 997} 998 999/* 1000 * Fragment the frame according to the specified mtu. 1001 * The size of the 802.11 header (w/o padding) is provided 1002 * so we don't need to recalculate it. We create a new 1003 * mbuf for each fragment and chain it through m_nextpkt; 1004 * we might be able to optimize this by reusing the original 1005 * packet's mbufs but that is significantly more complicated. 1006 */ 1007static int 1008ieee80211_fragment(struct ieee80211com *ic, struct mbuf *m0, 1009 u_int hdrsize, u_int ciphdrsize, u_int mtu) 1010{ 1011 struct ieee80211_frame *wh, *whf; 1012 struct mbuf *m, *prev, *next; 1013 u_int totalhdrsize, fragno, fragsize, off, remainder, payload; 1014 1015 KASSERT(m0->m_nextpkt == NULL, ("mbuf already chained?")); 1016 KASSERT(m0->m_pkthdr.len > mtu, 1017 ("pktlen %u mtu %u", m0->m_pkthdr.len, mtu)); 1018 1019 wh = mtod(m0, struct ieee80211_frame *); 1020 /* NB: mark the first frag; it will be propagated below */ 1021 wh->i_fc[1] |= IEEE80211_FC1_MORE_FRAG; 1022 totalhdrsize = hdrsize + ciphdrsize; 1023 fragno = 1; 1024 off = mtu - ciphdrsize; 1025 remainder = m0->m_pkthdr.len - off; 1026 prev = m0; 1027 do { 1028 fragsize = totalhdrsize + remainder; 1029 if (fragsize > mtu) 1030 fragsize = mtu; 1031 KASSERT(fragsize < MCLBYTES, 1032 ("fragment size %u too big!", fragsize)); 1033 if (fragsize > MHLEN) 1034 m = m_getcl(M_DONTWAIT, MT_DATA, M_PKTHDR); 1035 else 1036 m = m_gethdr(M_DONTWAIT, MT_DATA); 1037 if (m == NULL) 1038 goto bad; 1039 /* leave room to prepend any cipher header */ 1040 m_align(m, fragsize - ciphdrsize); 1041 1042 /* 1043 * Form the header in the fragment. Note that since 1044 * we mark the first fragment with the MORE_FRAG bit 1045 * it automatically is propagated to each fragment; we 1046 * need only clear it on the last fragment (done below). 1047 */ 1048 whf = mtod(m, struct ieee80211_frame *); 1049 memcpy(whf, wh, hdrsize); 1050 *(uint16_t *)&whf->i_seq[0] |= htole16( 1051 (fragno & IEEE80211_SEQ_FRAG_MASK) << 1052 IEEE80211_SEQ_FRAG_SHIFT); 1053 fragno++; 1054 1055 payload = fragsize - totalhdrsize; 1056 /* NB: destination is known to be contiguous */ 1057 m_copydata(m0, off, payload, mtod(m, uint8_t *) + hdrsize); 1058 m->m_len = hdrsize + payload; 1059 m->m_pkthdr.len = hdrsize + payload; 1060 m->m_flags |= M_FRAG; 1061 1062 /* chain up the fragment */ 1063 prev->m_nextpkt = m; 1064 prev = m; 1065 1066 /* deduct fragment just formed */ 1067 remainder -= payload; 1068 off += payload; 1069 } while (remainder != 0); 1070 whf->i_fc[1] &= ~IEEE80211_FC1_MORE_FRAG; 1071 1072 /* strip first mbuf now that everything has been copied */ 1073 m_adj(m0, -(m0->m_pkthdr.len - (mtu - ciphdrsize))); 1074 m0->m_flags |= M_FIRSTFRAG | M_FRAG; 1075 1076 ic->ic_stats.is_tx_fragframes++; 1077 ic->ic_stats.is_tx_frags += fragno-1; 1078 1079 return 1; 1080bad: 1081 /* reclaim fragments but leave original frame for caller to free */ 1082 for (m = m0->m_nextpkt; m != NULL; m = next) { 1083 next = m->m_nextpkt; 1084 m->m_nextpkt = NULL; /* XXX paranoid */ 1085 m_freem(m); 1086 } 1087 m0->m_nextpkt = NULL; 1088 return 0; 1089} 1090 1091/* 1092 * Add a supported rates element id to a frame. 1093 */ 1094static uint8_t * 1095ieee80211_add_rates(uint8_t *frm, const struct ieee80211_rateset *rs) 1096{ 1097 int nrates; 1098 1099 *frm++ = IEEE80211_ELEMID_RATES; 1100 nrates = rs->rs_nrates; 1101 if (nrates > IEEE80211_RATE_SIZE) 1102 nrates = IEEE80211_RATE_SIZE; 1103 *frm++ = nrates; 1104 memcpy(frm, rs->rs_rates, nrates); 1105 return frm + nrates; 1106} 1107 1108/* 1109 * Add an extended supported rates element id to a frame. 1110 */ 1111static uint8_t * 1112ieee80211_add_xrates(uint8_t *frm, const struct ieee80211_rateset *rs) 1113{ 1114 /* 1115 * Add an extended supported rates element if operating in 11g mode. 1116 */ 1117 if (rs->rs_nrates > IEEE80211_RATE_SIZE) { 1118 int nrates = rs->rs_nrates - IEEE80211_RATE_SIZE; 1119 *frm++ = IEEE80211_ELEMID_XRATES; 1120 *frm++ = nrates; 1121 memcpy(frm, rs->rs_rates + IEEE80211_RATE_SIZE, nrates); 1122 frm += nrates; 1123 } 1124 return frm; 1125} 1126 1127/* 1128 * Add an ssid elemet to a frame. 1129 */ 1130static uint8_t * 1131ieee80211_add_ssid(uint8_t *frm, const uint8_t *ssid, u_int len) 1132{ 1133 *frm++ = IEEE80211_ELEMID_SSID; 1134 *frm++ = len; 1135 memcpy(frm, ssid, len); 1136 return frm + len; 1137} 1138 1139/* 1140 * Add an erp element to a frame. 1141 */ 1142static uint8_t * 1143ieee80211_add_erp(uint8_t *frm, struct ieee80211com *ic) 1144{ 1145 uint8_t erp; 1146 1147 *frm++ = IEEE80211_ELEMID_ERP; 1148 *frm++ = 1; 1149 erp = 0; 1150 if (ic->ic_nonerpsta != 0) 1151 erp |= IEEE80211_ERP_NON_ERP_PRESENT; 1152 if (ic->ic_flags & IEEE80211_F_USEPROT) 1153 erp |= IEEE80211_ERP_USE_PROTECTION; 1154 if (ic->ic_flags & IEEE80211_F_USEBARKER) 1155 erp |= IEEE80211_ERP_LONG_PREAMBLE; 1156 *frm++ = erp; 1157 return frm; 1158} 1159 1160static uint8_t * 1161ieee80211_setup_wpa_ie(struct ieee80211com *ic, uint8_t *ie) 1162{ 1163#define WPA_OUI_BYTES 0x00, 0x50, 0xf2 1164#define ADDSHORT(frm, v) do { \ 1165 frm[0] = (v) & 0xff; \ 1166 frm[1] = (v) >> 8; \ 1167 frm += 2; \ 1168} while (0) 1169#define ADDSELECTOR(frm, sel) do { \ 1170 memcpy(frm, sel, 4); \ 1171 frm += 4; \ 1172} while (0) 1173 static const uint8_t oui[4] = { WPA_OUI_BYTES, WPA_OUI_TYPE }; 1174 static const uint8_t cipher_suite[][4] = { 1175 { WPA_OUI_BYTES, WPA_CSE_WEP40 }, /* NB: 40-bit */ 1176 { WPA_OUI_BYTES, WPA_CSE_TKIP }, 1177 { 0x00, 0x00, 0x00, 0x00 }, /* XXX WRAP */ 1178 { WPA_OUI_BYTES, WPA_CSE_CCMP }, 1179 { 0x00, 0x00, 0x00, 0x00 }, /* XXX CKIP */ 1180 { WPA_OUI_BYTES, WPA_CSE_NULL }, 1181 }; 1182 static const uint8_t wep104_suite[4] = 1183 { WPA_OUI_BYTES, WPA_CSE_WEP104 }; 1184 static const uint8_t key_mgt_unspec[4] = 1185 { WPA_OUI_BYTES, WPA_ASE_8021X_UNSPEC }; 1186 static const uint8_t key_mgt_psk[4] = 1187 { WPA_OUI_BYTES, WPA_ASE_8021X_PSK }; 1188 const struct ieee80211_rsnparms *rsn = &ic->ic_bss->ni_rsn; 1189 uint8_t *frm = ie; 1190 uint8_t *selcnt; 1191 1192 *frm++ = IEEE80211_ELEMID_VENDOR; 1193 *frm++ = 0; /* length filled in below */ 1194 memcpy(frm, oui, sizeof(oui)); /* WPA OUI */ 1195 frm += sizeof(oui); 1196 ADDSHORT(frm, WPA_VERSION); 1197 1198 /* XXX filter out CKIP */ 1199 1200 /* multicast cipher */ 1201 if (rsn->rsn_mcastcipher == IEEE80211_CIPHER_WEP && 1202 rsn->rsn_mcastkeylen >= 13) 1203 ADDSELECTOR(frm, wep104_suite); 1204 else 1205 ADDSELECTOR(frm, cipher_suite[rsn->rsn_mcastcipher]); 1206 1207 /* unicast cipher list */ 1208 selcnt = frm; 1209 ADDSHORT(frm, 0); /* selector count */ 1210 if (rsn->rsn_ucastcipherset & (1<<IEEE80211_CIPHER_AES_CCM)) { 1211 selcnt[0]++; 1212 ADDSELECTOR(frm, cipher_suite[IEEE80211_CIPHER_AES_CCM]); 1213 } 1214 if (rsn->rsn_ucastcipherset & (1<<IEEE80211_CIPHER_TKIP)) { 1215 selcnt[0]++; 1216 ADDSELECTOR(frm, cipher_suite[IEEE80211_CIPHER_TKIP]); 1217 } 1218 1219 /* authenticator selector list */ 1220 selcnt = frm; 1221 ADDSHORT(frm, 0); /* selector count */ 1222 if (rsn->rsn_keymgmtset & WPA_ASE_8021X_UNSPEC) { 1223 selcnt[0]++; 1224 ADDSELECTOR(frm, key_mgt_unspec); 1225 } 1226 if (rsn->rsn_keymgmtset & WPA_ASE_8021X_PSK) { 1227 selcnt[0]++; 1228 ADDSELECTOR(frm, key_mgt_psk); 1229 } 1230 1231 /* optional capabilities */ 1232 if (rsn->rsn_caps != 0 && rsn->rsn_caps != RSN_CAP_PREAUTH) 1233 ADDSHORT(frm, rsn->rsn_caps); 1234 1235 /* calculate element length */ 1236 ie[1] = frm - ie - 2; 1237 KASSERT(ie[1]+2 <= sizeof(struct ieee80211_ie_wpa), 1238 ("WPA IE too big, %u > %zu", 1239 ie[1]+2, sizeof(struct ieee80211_ie_wpa))); 1240 return frm; 1241#undef ADDSHORT 1242#undef ADDSELECTOR 1243#undef WPA_OUI_BYTES 1244} 1245 1246static uint8_t * 1247ieee80211_setup_rsn_ie(struct ieee80211com *ic, uint8_t *ie) 1248{ 1249#define RSN_OUI_BYTES 0x00, 0x0f, 0xac 1250#define ADDSHORT(frm, v) do { \ 1251 frm[0] = (v) & 0xff; \ 1252 frm[1] = (v) >> 8; \ 1253 frm += 2; \ 1254} while (0) 1255#define ADDSELECTOR(frm, sel) do { \ 1256 memcpy(frm, sel, 4); \ 1257 frm += 4; \ 1258} while (0) 1259 static const uint8_t cipher_suite[][4] = { 1260 { RSN_OUI_BYTES, RSN_CSE_WEP40 }, /* NB: 40-bit */ 1261 { RSN_OUI_BYTES, RSN_CSE_TKIP }, 1262 { RSN_OUI_BYTES, RSN_CSE_WRAP }, 1263 { RSN_OUI_BYTES, RSN_CSE_CCMP }, 1264 { 0x00, 0x00, 0x00, 0x00 }, /* XXX CKIP */ 1265 { RSN_OUI_BYTES, RSN_CSE_NULL }, 1266 }; 1267 static const uint8_t wep104_suite[4] = 1268 { RSN_OUI_BYTES, RSN_CSE_WEP104 }; 1269 static const uint8_t key_mgt_unspec[4] = 1270 { RSN_OUI_BYTES, RSN_ASE_8021X_UNSPEC }; 1271 static const uint8_t key_mgt_psk[4] = 1272 { RSN_OUI_BYTES, RSN_ASE_8021X_PSK }; 1273 const struct ieee80211_rsnparms *rsn = &ic->ic_bss->ni_rsn; 1274 uint8_t *frm = ie; 1275 uint8_t *selcnt; 1276 1277 *frm++ = IEEE80211_ELEMID_RSN; 1278 *frm++ = 0; /* length filled in below */ 1279 ADDSHORT(frm, RSN_VERSION); 1280 1281 /* XXX filter out CKIP */ 1282 1283 /* multicast cipher */ 1284 if (rsn->rsn_mcastcipher == IEEE80211_CIPHER_WEP && 1285 rsn->rsn_mcastkeylen >= 13) 1286 ADDSELECTOR(frm, wep104_suite); 1287 else 1288 ADDSELECTOR(frm, cipher_suite[rsn->rsn_mcastcipher]); 1289 1290 /* unicast cipher list */ 1291 selcnt = frm; 1292 ADDSHORT(frm, 0); /* selector count */ 1293 if (rsn->rsn_ucastcipherset & (1<<IEEE80211_CIPHER_AES_CCM)) { 1294 selcnt[0]++; 1295 ADDSELECTOR(frm, cipher_suite[IEEE80211_CIPHER_AES_CCM]); 1296 } 1297 if (rsn->rsn_ucastcipherset & (1<<IEEE80211_CIPHER_TKIP)) { 1298 selcnt[0]++; 1299 ADDSELECTOR(frm, cipher_suite[IEEE80211_CIPHER_TKIP]); 1300 } 1301 1302 /* authenticator selector list */ 1303 selcnt = frm; 1304 ADDSHORT(frm, 0); /* selector count */ 1305 if (rsn->rsn_keymgmtset & WPA_ASE_8021X_UNSPEC) { 1306 selcnt[0]++; 1307 ADDSELECTOR(frm, key_mgt_unspec); 1308 } 1309 if (rsn->rsn_keymgmtset & WPA_ASE_8021X_PSK) { 1310 selcnt[0]++; 1311 ADDSELECTOR(frm, key_mgt_psk); 1312 } 1313 1314 /* optional capabilities */ 1315 ADDSHORT(frm, rsn->rsn_caps); 1316 /* XXX PMKID */ 1317 1318 /* calculate element length */ 1319 ie[1] = frm - ie - 2; 1320 KASSERT(ie[1]+2 <= sizeof(struct ieee80211_ie_wpa), 1321 ("RSN IE too big, %u > %zu", 1322 ie[1]+2, sizeof(struct ieee80211_ie_wpa))); 1323 return frm; 1324#undef ADDSELECTOR 1325#undef ADDSHORT 1326#undef RSN_OUI_BYTES 1327} 1328 1329/* 1330 * Add a WPA/RSN element to a frame. 1331 */ 1332static uint8_t * 1333ieee80211_add_wpa(uint8_t *frm, struct ieee80211com *ic) 1334{ 1335 1336 KASSERT(ic->ic_flags & IEEE80211_F_WPA, ("no WPA/RSN!")); 1337 if (ic->ic_flags & IEEE80211_F_WPA2) 1338 frm = ieee80211_setup_rsn_ie(ic, frm); 1339 if (ic->ic_flags & IEEE80211_F_WPA1) 1340 frm = ieee80211_setup_wpa_ie(ic, frm); 1341 return frm; 1342} 1343 1344#define WME_OUI_BYTES 0x00, 0x50, 0xf2 1345/* 1346 * Add a WME information element to a frame. 1347 */ 1348static uint8_t * 1349ieee80211_add_wme_info(uint8_t *frm, struct ieee80211_wme_state *wme) 1350{ 1351 static const struct ieee80211_wme_info info = { 1352 .wme_id = IEEE80211_ELEMID_VENDOR, 1353 .wme_len = sizeof(struct ieee80211_wme_info) - 2, 1354 .wme_oui = { WME_OUI_BYTES }, 1355 .wme_type = WME_OUI_TYPE, 1356 .wme_subtype = WME_INFO_OUI_SUBTYPE, 1357 .wme_version = WME_VERSION, 1358 .wme_info = 0, 1359 }; 1360 memcpy(frm, &info, sizeof(info)); 1361 return frm + sizeof(info); 1362} 1363 1364/* 1365 * Add a WME parameters element to a frame. 1366 */ 1367static uint8_t * 1368ieee80211_add_wme_param(uint8_t *frm, struct ieee80211_wme_state *wme) 1369{ 1370#define SM(_v, _f) (((_v) << _f##_S) & _f) 1371#define ADDSHORT(frm, v) do { \ 1372 frm[0] = (v) & 0xff; \ 1373 frm[1] = (v) >> 8; \ 1374 frm += 2; \ 1375} while (0) 1376 /* NB: this works 'cuz a param has an info at the front */ 1377 static const struct ieee80211_wme_info param = { 1378 .wme_id = IEEE80211_ELEMID_VENDOR, 1379 .wme_len = sizeof(struct ieee80211_wme_param) - 2, 1380 .wme_oui = { WME_OUI_BYTES }, 1381 .wme_type = WME_OUI_TYPE, 1382 .wme_subtype = WME_PARAM_OUI_SUBTYPE, 1383 .wme_version = WME_VERSION, 1384 }; 1385 int i; 1386 1387 memcpy(frm, ¶m, sizeof(param)); 1388 frm += __offsetof(struct ieee80211_wme_info, wme_info); 1389 *frm++ = wme->wme_bssChanParams.cap_info; /* AC info */ 1390 *frm++ = 0; /* reserved field */ 1391 for (i = 0; i < WME_NUM_AC; i++) { 1392 const struct wmeParams *ac = 1393 &wme->wme_bssChanParams.cap_wmeParams[i]; 1394 *frm++ = SM(i, WME_PARAM_ACI) 1395 | SM(ac->wmep_acm, WME_PARAM_ACM) 1396 | SM(ac->wmep_aifsn, WME_PARAM_AIFSN) 1397 ; 1398 *frm++ = SM(ac->wmep_logcwmax, WME_PARAM_LOGCWMAX) 1399 | SM(ac->wmep_logcwmin, WME_PARAM_LOGCWMIN) 1400 ; 1401 ADDSHORT(frm, ac->wmep_txopLimit); 1402 } 1403 return frm; 1404#undef SM 1405#undef ADDSHORT 1406} 1407#undef WME_OUI_BYTES 1408 1409#define ATH_OUI_BYTES 0x00, 0x03, 0x7f 1410/* 1411 * Add a WME information element to a frame. 1412 */ 1413static uint8_t * 1414ieee80211_add_ath(uint8_t *frm, uint8_t caps, uint16_t defkeyix) 1415{ 1416 static const struct ieee80211_ath_ie info = { 1417 .ath_id = IEEE80211_ELEMID_VENDOR, 1418 .ath_len = sizeof(struct ieee80211_ath_ie) - 2, 1419 .ath_oui = { ATH_OUI_BYTES }, 1420 .ath_oui_type = ATH_OUI_TYPE, 1421 .ath_oui_subtype= ATH_OUI_SUBTYPE, 1422 .ath_version = ATH_OUI_VERSION, 1423 }; 1424 struct ieee80211_ath_ie *ath = (struct ieee80211_ath_ie *) frm; 1425 1426 memcpy(frm, &info, sizeof(info)); 1427 ath->ath_capability = caps; 1428 ath->ath_defkeyix[0] = (defkeyix & 0xff); 1429 ath->ath_defkeyix[1] = ((defkeyix >> 8) & 0xff); 1430 return frm + sizeof(info); 1431} 1432#undef ATH_OUI_BYTES 1433 1434/* 1435 * Send a probe request frame with the specified ssid 1436 * and any optional information element data. 1437 */ 1438int 1439ieee80211_send_probereq(struct ieee80211_node *ni, 1440 const uint8_t sa[IEEE80211_ADDR_LEN], 1441 const uint8_t da[IEEE80211_ADDR_LEN], 1442 const uint8_t bssid[IEEE80211_ADDR_LEN], 1443 const uint8_t *ssid, size_t ssidlen, 1444 const void *optie, size_t optielen) 1445{ 1446 struct ieee80211com *ic = ni->ni_ic; 1447 struct ieee80211_frame *wh; 1448 const struct ieee80211_rateset *rs; 1449 struct mbuf *m; 1450 uint8_t *frm; 1451 1452 /* 1453 * Hold a reference on the node so it doesn't go away until after 1454 * the xmit is complete all the way in the driver. On error we 1455 * will remove our reference. 1456 */ 1457 IEEE80211_DPRINTF(ic, IEEE80211_MSG_NODE, 1458 "ieee80211_ref_node (%s:%u) %p<%s> refcnt %d\n", 1459 __func__, __LINE__, 1460 ni, ether_sprintf(ni->ni_macaddr), 1461 ieee80211_node_refcnt(ni)+1); 1462 ieee80211_ref_node(ni); 1463 1464 /* 1465 * prreq frame format 1466 * [tlv] ssid 1467 * [tlv] supported rates 1468 * [tlv] extended supported rates 1469 * [tlv] user-specified ie's 1470 */ 1471 m = ieee80211_getmgtframe(&frm, 1472 ic->ic_headroom + sizeof(struct ieee80211_frame), 1473 2 + IEEE80211_NWID_LEN 1474 + 2 + IEEE80211_RATE_SIZE 1475 + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE) 1476 + (optie != NULL ? optielen : 0) 1477 ); 1478 if (m == NULL) { 1479 ic->ic_stats.is_tx_nobuf++; 1480 ieee80211_free_node(ni); 1481 return ENOMEM; 1482 } 1483 1484 frm = ieee80211_add_ssid(frm, ssid, ssidlen); 1485 rs = ieee80211_get_suprates(ic, ic->ic_curchan); 1486 frm = ieee80211_add_rates(frm, rs); 1487 frm = ieee80211_add_xrates(frm, rs); 1488 1489 if (optie != NULL) { 1490 memcpy(frm, optie, optielen); 1491 frm += optielen; 1492 } 1493 m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *); 1494 1495 M_PREPEND(m, sizeof(struct ieee80211_frame), M_DONTWAIT); 1496 if (m == NULL) 1497 return ENOMEM; 1498 KASSERT(m->m_pkthdr.rcvif == NULL, ("rcvif not null")); 1499 m->m_pkthdr.rcvif = (void *)ni; 1500 1501 wh = mtod(m, struct ieee80211_frame *); 1502 ieee80211_send_setup(ic, ni, wh, 1503 IEEE80211_FC0_TYPE_MGT | IEEE80211_FC0_SUBTYPE_PROBE_REQ, 1504 sa, da, bssid); 1505 /* XXX power management? */ 1506 1507 IEEE80211_NODE_STAT(ni, tx_probereq); 1508 IEEE80211_NODE_STAT(ni, tx_mgmt); 1509 1510 IEEE80211_DPRINTF(ic, IEEE80211_MSG_DEBUG | IEEE80211_MSG_DUMPPKTS, 1511 "[%s] send probe req on channel %u\n", 1512 ether_sprintf(wh->i_addr1), 1513 ieee80211_chan2ieee(ic, ic->ic_curchan)); 1514 1515 IF_ENQUEUE(&ic->ic_mgtq, m); 1516 if_start(ic->ic_ifp); 1517 return 0; 1518} 1519 1520/* 1521 * Calculate capability information for mgt frames. 1522 */ 1523static uint16_t 1524getcapinfo(struct ieee80211com *ic, struct ieee80211_channel *chan) 1525{ 1526 uint16_t capinfo; 1527 1528 KASSERT(ic->ic_opmode != IEEE80211_M_STA, ("station mode")); 1529 1530 if (ic->ic_opmode == IEEE80211_M_HOSTAP) 1531 capinfo = IEEE80211_CAPINFO_ESS; 1532 else if (ic->ic_opmode == IEEE80211_M_IBSS) 1533 capinfo = IEEE80211_CAPINFO_IBSS; 1534 else 1535 capinfo = 0; 1536 if (ic->ic_flags & IEEE80211_F_PRIVACY) 1537 capinfo |= IEEE80211_CAPINFO_PRIVACY; 1538 if ((ic->ic_flags & IEEE80211_F_SHPREAMBLE) && 1539 IEEE80211_IS_CHAN_2GHZ(chan)) 1540 capinfo |= IEEE80211_CAPINFO_SHORT_PREAMBLE; 1541 if (ic->ic_flags & IEEE80211_F_SHSLOT) 1542 capinfo |= IEEE80211_CAPINFO_SHORT_SLOTTIME; 1543 return capinfo; 1544} 1545 1546/* 1547 * Send a management frame. The node is for the destination (or ic_bss 1548 * when in station mode). Nodes other than ic_bss have their reference 1549 * count bumped to reflect our use for an indeterminant time. 1550 */ 1551int 1552ieee80211_send_mgmt(struct ieee80211com *ic, struct ieee80211_node *ni, 1553 int type, int arg) 1554{ 1555#define HTFLAGS (IEEE80211_NODE_HT | IEEE80211_NODE_HTCOMPAT) 1556#define senderr(_x, _v) do { ic->ic_stats._v++; ret = _x; goto bad; } while (0) 1557 const struct ieee80211_rateset *rs; 1558 struct mbuf *m; 1559 uint8_t *frm; 1560 uint16_t capinfo; 1561 int has_challenge, is_shared_key, ret, status; 1562 1563 KASSERT(ni != NULL, ("null node")); 1564 1565 /* 1566 * Hold a reference on the node so it doesn't go away until after 1567 * the xmit is complete all the way in the driver. On error we 1568 * will remove our reference. 1569 */ 1570 IEEE80211_DPRINTF(ic, IEEE80211_MSG_NODE, 1571 "ieee80211_ref_node (%s:%u) %p<%s> refcnt %d\n", 1572 __func__, __LINE__, 1573 ni, ether_sprintf(ni->ni_macaddr), 1574 ieee80211_node_refcnt(ni)+1); 1575 ieee80211_ref_node(ni); 1576 1577 switch (type) { 1578 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 1579 /* 1580 * probe response frame format 1581 * [8] time stamp 1582 * [2] beacon interval 1583 * [2] cabability information 1584 * [tlv] ssid 1585 * [tlv] supported rates 1586 * [tlv] parameter set (FH/DS) 1587 * [tlv] parameter set (IBSS) 1588 * [tlv] extended rate phy (ERP) 1589 * [tlv] extended supported rates 1590 * [tlv] WPA 1591 * [tlv] WME (optional) 1592 * [tlv] HT capabilities 1593 * [tlv] HT information 1594 * [tlv] Vendor OUI HT capabilities (optional) 1595 * [tlv] Vendor OUI HT information (optional) 1596 * [tlv] Atheros capabilities 1597 */ 1598 m = ieee80211_getmgtframe(&frm, 1599 ic->ic_headroom + sizeof(struct ieee80211_frame), 1600 8 1601 + sizeof(uint16_t) 1602 + sizeof(uint16_t) 1603 + 2 + IEEE80211_NWID_LEN 1604 + 2 + IEEE80211_RATE_SIZE 1605 + 7 /* max(7,3) */ 1606 + 6 1607 + 3 1608 + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE) 1609 /* XXX !WPA1+WPA2 fits w/o a cluster */ 1610 + (ic->ic_flags & IEEE80211_F_WPA ? 1611 2*sizeof(struct ieee80211_ie_wpa) : 0) 1612 + sizeof(struct ieee80211_wme_param) 1613 /* XXX check for cluster requirement */ 1614 + 2*sizeof(struct ieee80211_ie_htcap) + 4 1615 + 2*sizeof(struct ieee80211_ie_htinfo) + 4 1616 + sizeof(struct ieee80211_ath_ie) 1617 ); 1618 if (m == NULL) 1619 senderr(ENOMEM, is_tx_nobuf); 1620 1621 memset(frm, 0, 8); /* timestamp should be filled later */ 1622 frm += 8; 1623 *(uint16_t *)frm = htole16(ic->ic_bss->ni_intval); 1624 frm += 2; 1625 capinfo = getcapinfo(ic, ic->ic_curchan); 1626 *(uint16_t *)frm = htole16(capinfo); 1627 frm += 2; 1628 1629 frm = ieee80211_add_ssid(frm, ic->ic_bss->ni_essid, 1630 ic->ic_bss->ni_esslen); 1631 rs = ieee80211_get_suprates(ic, ic->ic_curchan); 1632 frm = ieee80211_add_rates(frm, rs); 1633 1634 if (IEEE80211_IS_CHAN_FHSS(ic->ic_curchan)) { 1635 *frm++ = IEEE80211_ELEMID_FHPARMS; 1636 *frm++ = 5; 1637 *frm++ = ni->ni_fhdwell & 0x00ff; 1638 *frm++ = (ni->ni_fhdwell >> 8) & 0x00ff; 1639 *frm++ = IEEE80211_FH_CHANSET( 1640 ieee80211_chan2ieee(ic, ic->ic_curchan)); 1641 *frm++ = IEEE80211_FH_CHANPAT( 1642 ieee80211_chan2ieee(ic, ic->ic_curchan)); 1643 *frm++ = ni->ni_fhindex; 1644 } else { 1645 *frm++ = IEEE80211_ELEMID_DSPARMS; 1646 *frm++ = 1; 1647 *frm++ = ieee80211_chan2ieee(ic, ic->ic_curchan); 1648 } 1649 1650 if (ic->ic_opmode == IEEE80211_M_IBSS) { 1651 *frm++ = IEEE80211_ELEMID_IBSSPARMS; 1652 *frm++ = 2; 1653 *frm++ = 0; *frm++ = 0; /* TODO: ATIM window */ 1654 } 1655 if (ic->ic_flags & IEEE80211_F_WPA) 1656 frm = ieee80211_add_wpa(frm, ic); 1657 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan)) 1658 frm = ieee80211_add_erp(frm, ic); 1659 frm = ieee80211_add_xrates(frm, rs); 1660 /* 1661 * NB: legacy 11b clients do not get certain ie's. 1662 * The caller identifies such clients by passing 1663 * a token in arg to us. Could expand this to be 1664 * any legacy client for stuff like HT ie's. 1665 */ 1666 if (IEEE80211_IS_CHAN_HT(ic->ic_curchan) && 1667 arg != IEEE80211_SEND_LEGACY_11B) { 1668 frm = ieee80211_add_htcap(frm, ni); 1669 frm = ieee80211_add_htinfo(frm, ni); 1670 } 1671 if (ic->ic_flags & IEEE80211_F_WME) 1672 frm = ieee80211_add_wme_param(frm, &ic->ic_wme); 1673 if (IEEE80211_IS_CHAN_HT(ic->ic_curchan) && 1674 (ic->ic_flags_ext & IEEE80211_FEXT_HTCOMPAT) && 1675 arg != IEEE80211_SEND_LEGACY_11B) { 1676 frm = ieee80211_add_htcap_vendor(frm, ni); 1677 frm = ieee80211_add_htinfo_vendor(frm, ni); 1678 } 1679 if (ni->ni_ath_ie != NULL) 1680 frm = ieee80211_add_ath(frm, ni->ni_ath_flags, 1681 ni->ni_ath_defkeyix); 1682 m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *); 1683 break; 1684 1685 case IEEE80211_FC0_SUBTYPE_AUTH: 1686 status = arg >> 16; 1687 arg &= 0xffff; 1688 has_challenge = ((arg == IEEE80211_AUTH_SHARED_CHALLENGE || 1689 arg == IEEE80211_AUTH_SHARED_RESPONSE) && 1690 ni->ni_challenge != NULL); 1691 1692 /* 1693 * Deduce whether we're doing open authentication or 1694 * shared key authentication. We do the latter if 1695 * we're in the middle of a shared key authentication 1696 * handshake or if we're initiating an authentication 1697 * request and configured to use shared key. 1698 */ 1699 is_shared_key = has_challenge || 1700 arg >= IEEE80211_AUTH_SHARED_RESPONSE || 1701 (arg == IEEE80211_AUTH_SHARED_REQUEST && 1702 ic->ic_bss->ni_authmode == IEEE80211_AUTH_SHARED); 1703 1704 m = ieee80211_getmgtframe(&frm, 1705 ic->ic_headroom + sizeof(struct ieee80211_frame), 1706 3 * sizeof(uint16_t) 1707 + (has_challenge && status == IEEE80211_STATUS_SUCCESS ? 1708 sizeof(uint16_t)+IEEE80211_CHALLENGE_LEN : 0) 1709 ); 1710 if (m == NULL) 1711 senderr(ENOMEM, is_tx_nobuf); 1712 1713 ((uint16_t *)frm)[0] = 1714 (is_shared_key) ? htole16(IEEE80211_AUTH_ALG_SHARED) 1715 : htole16(IEEE80211_AUTH_ALG_OPEN); 1716 ((uint16_t *)frm)[1] = htole16(arg); /* sequence number */ 1717 ((uint16_t *)frm)[2] = htole16(status);/* status */ 1718 1719 if (has_challenge && status == IEEE80211_STATUS_SUCCESS) { 1720 ((uint16_t *)frm)[3] = 1721 htole16((IEEE80211_CHALLENGE_LEN << 8) | 1722 IEEE80211_ELEMID_CHALLENGE); 1723 memcpy(&((uint16_t *)frm)[4], ni->ni_challenge, 1724 IEEE80211_CHALLENGE_LEN); 1725 m->m_pkthdr.len = m->m_len = 1726 4 * sizeof(uint16_t) + IEEE80211_CHALLENGE_LEN; 1727 if (arg == IEEE80211_AUTH_SHARED_RESPONSE) { 1728 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 1729 "[%s] request encrypt frame (%s)\n", 1730 ether_sprintf(ni->ni_macaddr), __func__); 1731 m->m_flags |= M_LINK0; /* WEP-encrypt, please */ 1732 } 1733 } else 1734 m->m_pkthdr.len = m->m_len = 3 * sizeof(uint16_t); 1735 1736 /* XXX not right for shared key */ 1737 if (status == IEEE80211_STATUS_SUCCESS) 1738 IEEE80211_NODE_STAT(ni, tx_auth); 1739 else 1740 IEEE80211_NODE_STAT(ni, tx_auth_fail); 1741 1742 if (ic->ic_opmode == IEEE80211_M_STA) 1743 ieee80211_add_callback(m, ieee80211_tx_mgt_cb, 1744 (void *) ic->ic_state); 1745 break; 1746 1747 case IEEE80211_FC0_SUBTYPE_DEAUTH: 1748 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 1749 "[%s] send station deauthenticate (reason %d)\n", 1750 ether_sprintf(ni->ni_macaddr), arg); 1751 m = ieee80211_getmgtframe(&frm, 1752 ic->ic_headroom + sizeof(struct ieee80211_frame), 1753 sizeof(uint16_t)); 1754 if (m == NULL) 1755 senderr(ENOMEM, is_tx_nobuf); 1756 *(uint16_t *)frm = htole16(arg); /* reason */ 1757 m->m_pkthdr.len = m->m_len = sizeof(uint16_t); 1758 1759 IEEE80211_NODE_STAT(ni, tx_deauth); 1760 IEEE80211_NODE_STAT_SET(ni, tx_deauth_code, arg); 1761 1762 ieee80211_node_unauthorize(ni); /* port closed */ 1763 break; 1764 1765 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 1766 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: 1767 /* 1768 * asreq frame format 1769 * [2] capability information 1770 * [2] listen interval 1771 * [6*] current AP address (reassoc only) 1772 * [tlv] ssid 1773 * [tlv] supported rates 1774 * [tlv] extended supported rates 1775 * [tlv] WME 1776 * [tlv] HT capabilities 1777 * [tlv] Vendor OUI HT capabilities (optional) 1778 * [tlv] Atheros capabilities (if negotiated) 1779 * [tlv] user-specified ie's 1780 */ 1781 m = ieee80211_getmgtframe(&frm, 1782 ic->ic_headroom + sizeof(struct ieee80211_frame), 1783 sizeof(uint16_t) 1784 + sizeof(uint16_t) 1785 + IEEE80211_ADDR_LEN 1786 + 2 + IEEE80211_NWID_LEN 1787 + 2 + IEEE80211_RATE_SIZE 1788 + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE) 1789 + sizeof(struct ieee80211_wme_info) 1790 + 2*sizeof(struct ieee80211_ie_htcap) + 4 1791 + sizeof(struct ieee80211_ath_ie) 1792 + (ic->ic_opt_ie != NULL ? ic->ic_opt_ie_len : 0) 1793 ); 1794 if (m == NULL) 1795 senderr(ENOMEM, is_tx_nobuf); 1796 1797 KASSERT(ic->ic_opmode == IEEE80211_M_STA, 1798 ("wrong mode %u", ic->ic_opmode)); 1799 capinfo = IEEE80211_CAPINFO_ESS; 1800 if (ic->ic_flags & IEEE80211_F_PRIVACY) 1801 capinfo |= IEEE80211_CAPINFO_PRIVACY; 1802 /* 1803 * NB: Some 11a AP's reject the request when 1804 * short premable is set. 1805 */ 1806 if ((ic->ic_flags & IEEE80211_F_SHPREAMBLE) && 1807 IEEE80211_IS_CHAN_2GHZ(ic->ic_curchan)) 1808 capinfo |= IEEE80211_CAPINFO_SHORT_PREAMBLE; 1809 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) && 1810 (ic->ic_caps & IEEE80211_C_SHSLOT)) 1811 capinfo |= IEEE80211_CAPINFO_SHORT_SLOTTIME; 1812 if ((ni->ni_capinfo & IEEE80211_CAPINFO_SPECTRUM_MGMT) && 1813 (ic->ic_flags & IEEE80211_F_DOTH)) 1814 capinfo |= IEEE80211_CAPINFO_SPECTRUM_MGMT; 1815 *(uint16_t *)frm = htole16(capinfo); 1816 frm += 2; 1817 1818 KASSERT(ic->ic_bss->ni_intval != 0, 1819 ("beacon interval is zero!")); 1820 *(uint16_t *)frm = htole16(howmany(ic->ic_lintval, 1821 ic->ic_bss->ni_intval)); 1822 frm += 2; 1823 1824 if (type == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) { 1825 IEEE80211_ADDR_COPY(frm, ic->ic_bss->ni_bssid); 1826 frm += IEEE80211_ADDR_LEN; 1827 } 1828 1829 frm = ieee80211_add_ssid(frm, ni->ni_essid, ni->ni_esslen); 1830 frm = ieee80211_add_rates(frm, &ni->ni_rates); 1831 frm = ieee80211_add_xrates(frm, &ni->ni_rates); 1832 if ((ic->ic_flags_ext & IEEE80211_FEXT_HT) && 1833 ni->ni_htcap_ie != NULL && 1834 ni->ni_htcap_ie[0] == IEEE80211_ELEMID_HTCAP) 1835 frm = ieee80211_add_htcap(frm, ni); 1836 if ((ic->ic_flags & IEEE80211_F_WME) && ni->ni_wme_ie != NULL) 1837 frm = ieee80211_add_wme_info(frm, &ic->ic_wme); 1838 if ((ic->ic_flags_ext & IEEE80211_FEXT_HT) && 1839 ni->ni_htcap_ie != NULL && 1840 ni->ni_htcap_ie[0] == IEEE80211_ELEMID_VENDOR) 1841 frm = ieee80211_add_htcap_vendor(frm, ni); 1842 if (IEEE80211_ATH_CAP(ic, ni, IEEE80211_F_ATHEROS)) 1843 frm = ieee80211_add_ath(frm, 1844 IEEE80211_ATH_CAP(ic, ni, IEEE80211_F_ATHEROS), 1845 (ic->ic_flags & IEEE80211_F_WPA) == 0 && 1846 ni->ni_authmode != IEEE80211_AUTH_8021X && 1847 ic->ic_def_txkey != IEEE80211_KEYIX_NONE ? 1848 ic->ic_def_txkey : 0x7fff); 1849 if (ic->ic_opt_ie != NULL) { 1850 memcpy(frm, ic->ic_opt_ie, ic->ic_opt_ie_len); 1851 frm += ic->ic_opt_ie_len; 1852 } 1853 m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *); 1854 1855 ieee80211_add_callback(m, ieee80211_tx_mgt_cb, 1856 (void *) ic->ic_state); 1857 break; 1858 1859 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 1860 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 1861 /* 1862 * asresp frame format 1863 * [2] capability information 1864 * [2] status 1865 * [2] association ID 1866 * [tlv] supported rates 1867 * [tlv] extended supported rates 1868 * [tlv] WME (if enabled and STA enabled) 1869 * [tlv] HT capabilities (standard or vendor OUI) 1870 * [tlv] HT information (standard or vendor OUI) 1871 * [tlv] Atheros capabilities (if enabled and STA enabled) 1872 */ 1873 m = ieee80211_getmgtframe(&frm, 1874 ic->ic_headroom + sizeof(struct ieee80211_frame), 1875 sizeof(uint16_t) 1876 + sizeof(uint16_t) 1877 + sizeof(uint16_t) 1878 + 2 + IEEE80211_RATE_SIZE 1879 + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE) 1880 + sizeof(struct ieee80211_wme_param) 1881 + sizeof(struct ieee80211_ie_htcap) + 4 1882 + sizeof(struct ieee80211_ie_htinfo) + 4 1883 + sizeof(struct ieee80211_ath_ie) 1884 ); 1885 if (m == NULL) 1886 senderr(ENOMEM, is_tx_nobuf); 1887 1888 capinfo = getcapinfo(ic, ic->ic_curchan); 1889 *(uint16_t *)frm = htole16(capinfo); 1890 frm += 2; 1891 1892 *(uint16_t *)frm = htole16(arg); /* status */ 1893 frm += 2; 1894 1895 if (arg == IEEE80211_STATUS_SUCCESS) { 1896 *(uint16_t *)frm = htole16(ni->ni_associd); 1897 IEEE80211_NODE_STAT(ni, tx_assoc); 1898 } else 1899 IEEE80211_NODE_STAT(ni, tx_assoc_fail); 1900 frm += 2; 1901 1902 frm = ieee80211_add_rates(frm, &ni->ni_rates); 1903 frm = ieee80211_add_xrates(frm, &ni->ni_rates); 1904 /* NB: respond according to what we received */ 1905 if ((ni->ni_flags & HTFLAGS) == IEEE80211_NODE_HT) { 1906 frm = ieee80211_add_htcap(frm, ni); 1907 frm = ieee80211_add_htinfo(frm, ni); 1908 } 1909 if ((ic->ic_flags & IEEE80211_F_WME) && ni->ni_wme_ie != NULL) 1910 frm = ieee80211_add_wme_param(frm, &ic->ic_wme); 1911 if ((ni->ni_flags & HTFLAGS) == HTFLAGS) { 1912 frm = ieee80211_add_htcap_vendor(frm, ni); 1913 frm = ieee80211_add_htinfo_vendor(frm, ni); 1914 } 1915 if (IEEE80211_ATH_CAP(ic, ni, IEEE80211_F_ATHEROS)) 1916 frm = ieee80211_add_ath(frm, 1917 IEEE80211_ATH_CAP(ic, ni, IEEE80211_F_ATHEROS), 1918 ni->ni_ath_defkeyix); 1919 m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *); 1920 break; 1921 1922 case IEEE80211_FC0_SUBTYPE_DISASSOC: 1923 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 1924 "[%s] send station disassociate (reason %d)\n", 1925 ether_sprintf(ni->ni_macaddr), arg); 1926 m = ieee80211_getmgtframe(&frm, 1927 ic->ic_headroom + sizeof(struct ieee80211_frame), 1928 sizeof(uint16_t)); 1929 if (m == NULL) 1930 senderr(ENOMEM, is_tx_nobuf); 1931 *(uint16_t *)frm = htole16(arg); /* reason */ 1932 m->m_pkthdr.len = m->m_len = sizeof(uint16_t); 1933 1934 IEEE80211_NODE_STAT(ni, tx_disassoc); 1935 IEEE80211_NODE_STAT_SET(ni, tx_disassoc_code, arg); 1936 break; 1937 1938 default: 1939 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 1940 "[%s] invalid mgmt frame type %u\n", 1941 ether_sprintf(ni->ni_macaddr), type); 1942 senderr(EINVAL, is_tx_unknownmgt); 1943 /* NOTREACHED */ 1944 } 1945 1946 ret = ieee80211_mgmt_output(ic, ni, m, type); 1947 if (ret != 0) 1948 goto bad; 1949 return 0; 1950bad: 1951 ieee80211_free_node(ni); 1952 return ret; 1953#undef senderr 1954#undef HTFLAGS 1955} 1956 1957static void 1958ieee80211_tx_mgt_timeout(void *arg) 1959{ 1960 struct ieee80211_node *ni = arg; 1961 struct ieee80211com *ic = ni->ni_ic; 1962 1963 if (ic->ic_state != IEEE80211_S_INIT && 1964 (ic->ic_flags & IEEE80211_F_SCAN) == 0) { 1965 /* 1966 * NB: it's safe to specify a timeout as the reason here; 1967 * it'll only be used in the right state. 1968 */ 1969 ieee80211_new_state(ic, IEEE80211_S_SCAN, 1970 IEEE80211_SCAN_FAIL_TIMEOUT); 1971 } 1972} 1973 1974static void 1975ieee80211_tx_mgt_cb(struct ieee80211_node *ni, void *arg, int status) 1976{ 1977 struct ieee80211com *ic = ni->ni_ic; 1978 enum ieee80211_state ostate = (enum ieee80211_state) arg; 1979 1980 /* 1981 * Frame transmit completed; arrange timer callback. If 1982 * transmit was successfuly we wait for response. Otherwise 1983 * we arrange an immediate callback instead of doing the 1984 * callback directly since we don't know what state the driver 1985 * is in (e.g. what locks it is holding). This work should 1986 * not be too time-critical and not happen too often so the 1987 * added overhead is acceptable. 1988 * 1989 * XXX what happens if !acked but response shows up before callback? 1990 */ 1991 if (ic->ic_state == ostate) 1992 callout_reset(&ic->ic_mgtsend, 1993 status == 0 ? IEEE80211_TRANS_WAIT*hz : 0, 1994 ieee80211_tx_mgt_timeout, ni); 1995} 1996 1997/* 1998 * Allocate a beacon frame and fillin the appropriate bits. 1999 */ 2000struct mbuf * 2001ieee80211_beacon_alloc(struct ieee80211_node *ni, 2002 struct ieee80211_beacon_offsets *bo) 2003{ 2004 struct ieee80211com *ic = ni->ni_ic; 2005 struct ifnet *ifp = ic->ic_ifp; 2006 struct ieee80211_frame *wh; 2007 struct mbuf *m; 2008 int pktlen; 2009 uint8_t *frm; 2010 uint16_t capinfo; 2011 struct ieee80211_rateset *rs; 2012 2013 /* 2014 * beacon frame format 2015 * [8] time stamp 2016 * [2] beacon interval 2017 * [2] cabability information 2018 * [tlv] ssid 2019 * [tlv] supported rates 2020 * [3] parameter set (DS) 2021 * [tlv] parameter set (IBSS/TIM) 2022 * [tlv] country code 2023 * [tlv] extended rate phy (ERP) 2024 * [tlv] extended supported rates 2025 * [tlv] WME parameters 2026 * [tlv] WPA/RSN parameters 2027 * [tlv] HT capabilities 2028 * [tlv] HT information 2029 * [tlv] Vendor OUI HT capabilities (optional) 2030 * [tlv] Vendor OUI HT information (optional) 2031 * XXX Vendor-specific OIDs (e.g. Atheros) 2032 * NB: we allocate the max space required for the TIM bitmap. 2033 */ 2034 rs = &ni->ni_rates; 2035 pktlen = 8 /* time stamp */ 2036 + sizeof(uint16_t) /* beacon interval */ 2037 + sizeof(uint16_t) /* capabilities */ 2038 + 2 + ni->ni_esslen /* ssid */ 2039 + 2 + IEEE80211_RATE_SIZE /* supported rates */ 2040 + 2 + 1 /* DS parameters */ 2041 + 2 + 4 + ic->ic_tim_len /* DTIM/IBSSPARMS */ 2042 + sizeof(struct ieee80211_country_ie) /* country code */ 2043 + 2 + 1 /* ERP */ 2044 + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE) 2045 + (ic->ic_caps & IEEE80211_C_WME ? /* WME */ 2046 sizeof(struct ieee80211_wme_param) : 0) 2047 + (ic->ic_caps & IEEE80211_C_WPA ? /* WPA 1+2 */ 2048 2*sizeof(struct ieee80211_ie_wpa) : 0) 2049 /* XXX conditional? */ 2050 + 4+2*sizeof(struct ieee80211_ie_htcap)/* HT caps */ 2051 + 4+2*sizeof(struct ieee80211_ie_htinfo)/* HT info */ 2052 ; 2053 m = ieee80211_getmgtframe(&frm, 2054 ic->ic_headroom + sizeof(struct ieee80211_frame), pktlen); 2055 if (m == NULL) { 2056 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 2057 "%s: cannot get buf; size %u\n", __func__, pktlen); 2058 ic->ic_stats.is_tx_nobuf++; 2059 return NULL; 2060 } 2061 2062 memset(bo, 0, sizeof(*bo)); 2063 2064 memset(frm, 0, 8); /* XXX timestamp is set by hardware/driver */ 2065 frm += 8; 2066 *(uint16_t *)frm = htole16(ni->ni_intval); 2067 frm += 2; 2068 capinfo = getcapinfo(ic, ni->ni_chan); 2069 bo->bo_caps = (uint16_t *)frm; 2070 *(uint16_t *)frm = htole16(capinfo); 2071 frm += 2; 2072 *frm++ = IEEE80211_ELEMID_SSID; 2073 if ((ic->ic_flags & IEEE80211_F_HIDESSID) == 0) { 2074 *frm++ = ni->ni_esslen; 2075 memcpy(frm, ni->ni_essid, ni->ni_esslen); 2076 frm += ni->ni_esslen; 2077 } else 2078 *frm++ = 0; 2079 frm = ieee80211_add_rates(frm, rs); 2080 if (!IEEE80211_IS_CHAN_FHSS(ic->ic_bsschan)) { 2081 *frm++ = IEEE80211_ELEMID_DSPARMS; 2082 *frm++ = 1; 2083 *frm++ = ieee80211_chan2ieee(ic, ic->ic_bsschan); 2084 } 2085 bo->bo_tim = frm; 2086 if (ic->ic_opmode == IEEE80211_M_IBSS) { 2087 *frm++ = IEEE80211_ELEMID_IBSSPARMS; 2088 *frm++ = 2; 2089 *frm++ = 0; *frm++ = 0; /* TODO: ATIM window */ 2090 bo->bo_tim_len = 0; 2091 } else if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 2092 struct ieee80211_tim_ie *tie = (struct ieee80211_tim_ie *) frm; 2093 2094 tie->tim_ie = IEEE80211_ELEMID_TIM; 2095 tie->tim_len = 4; /* length */ 2096 tie->tim_count = 0; /* DTIM count */ 2097 tie->tim_period = ic->ic_dtim_period; /* DTIM period */ 2098 tie->tim_bitctl = 0; /* bitmap control */ 2099 tie->tim_bitmap[0] = 0; /* Partial Virtual Bitmap */ 2100 frm += sizeof(struct ieee80211_tim_ie); 2101 bo->bo_tim_len = 1; 2102 } 2103 bo->bo_tim_trailer = frm; 2104 if (ic->ic_flags & IEEE80211_F_DOTH) 2105 frm = ieee80211_add_countryie(frm, ic, 2106 ic->ic_countrycode, ic->ic_location); 2107 if (ic->ic_flags & IEEE80211_F_WPA) 2108 frm = ieee80211_add_wpa(frm, ic); 2109 if (IEEE80211_IS_CHAN_ANYG(ic->ic_bsschan)) { 2110 bo->bo_erp = frm; 2111 frm = ieee80211_add_erp(frm, ic); 2112 } 2113 frm = ieee80211_add_xrates(frm, rs); 2114 if (IEEE80211_IS_CHAN_HT(ic->ic_bsschan)) { 2115 frm = ieee80211_add_htcap(frm, ni); 2116 bo->bo_htinfo = frm; 2117 frm = ieee80211_add_htinfo(frm, ni); 2118 } 2119 if (ic->ic_flags & IEEE80211_F_WME) { 2120 bo->bo_wme = frm; 2121 frm = ieee80211_add_wme_param(frm, &ic->ic_wme); 2122 } 2123 if (IEEE80211_IS_CHAN_HT(ic->ic_bsschan) && 2124 (ic->ic_flags_ext & IEEE80211_FEXT_HTCOMPAT)) { 2125 frm = ieee80211_add_htcap_vendor(frm, ni); 2126 frm = ieee80211_add_htinfo_vendor(frm, ni); 2127 } 2128 bo->bo_tim_trailer_len = frm - bo->bo_tim_trailer; 2129 m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *); 2130 2131 M_PREPEND(m, sizeof(struct ieee80211_frame), M_DONTWAIT); 2132 KASSERT(m != NULL, ("no space for 802.11 header?")); 2133 wh = mtod(m, struct ieee80211_frame *); 2134 wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_MGT | 2135 IEEE80211_FC0_SUBTYPE_BEACON; 2136 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS; 2137 *(uint16_t *)wh->i_dur = 0; 2138 IEEE80211_ADDR_COPY(wh->i_addr1, ifp->if_broadcastaddr); 2139 IEEE80211_ADDR_COPY(wh->i_addr2, ic->ic_myaddr); 2140 IEEE80211_ADDR_COPY(wh->i_addr3, ni->ni_bssid); 2141 *(uint16_t *)wh->i_seq = 0; 2142 2143 return m; 2144} 2145 2146/* 2147 * Update the dynamic parts of a beacon frame based on the current state. 2148 */ 2149int 2150ieee80211_beacon_update(struct ieee80211_node *ni, 2151 struct ieee80211_beacon_offsets *bo, struct mbuf *m, int mcast) 2152{ 2153 struct ieee80211com *ic = ni->ni_ic; 2154 int len_changed = 0; 2155 uint16_t capinfo; 2156 2157 IEEE80211_BEACON_LOCK(ic); 2158 /* XXX faster to recalculate entirely or just changes? */ 2159 capinfo = getcapinfo(ic, ni->ni_chan); 2160 *bo->bo_caps = htole16(capinfo); 2161 2162 if (ic->ic_flags & IEEE80211_F_WME) { 2163 struct ieee80211_wme_state *wme = &ic->ic_wme; 2164 2165 /* 2166 * Check for agressive mode change. When there is 2167 * significant high priority traffic in the BSS 2168 * throttle back BE traffic by using conservative 2169 * parameters. Otherwise BE uses agressive params 2170 * to optimize performance of legacy/non-QoS traffic. 2171 */ 2172 if (wme->wme_flags & WME_F_AGGRMODE) { 2173 if (wme->wme_hipri_traffic > 2174 wme->wme_hipri_switch_thresh) { 2175 IEEE80211_DPRINTF(ic, IEEE80211_MSG_WME, 2176 "%s: traffic %u, disable aggressive mode\n", 2177 __func__, wme->wme_hipri_traffic); 2178 wme->wme_flags &= ~WME_F_AGGRMODE; 2179 ieee80211_wme_updateparams_locked(ic); 2180 wme->wme_hipri_traffic = 2181 wme->wme_hipri_switch_hysteresis; 2182 } else 2183 wme->wme_hipri_traffic = 0; 2184 } else { 2185 if (wme->wme_hipri_traffic <= 2186 wme->wme_hipri_switch_thresh) { 2187 IEEE80211_DPRINTF(ic, IEEE80211_MSG_WME, 2188 "%s: traffic %u, enable aggressive mode\n", 2189 __func__, wme->wme_hipri_traffic); 2190 wme->wme_flags |= WME_F_AGGRMODE; 2191 ieee80211_wme_updateparams_locked(ic); 2192 wme->wme_hipri_traffic = 0; 2193 } else 2194 wme->wme_hipri_traffic = 2195 wme->wme_hipri_switch_hysteresis; 2196 } 2197 if (isset(bo->bo_flags, IEEE80211_BEACON_WME)) { 2198 (void) ieee80211_add_wme_param(bo->bo_wme, wme); 2199 clrbit(bo->bo_flags, IEEE80211_BEACON_WME); 2200 } 2201 } 2202 2203 if (isset(bo->bo_flags, IEEE80211_BEACON_HTINFO)) { 2204 ieee80211_ht_update_beacon(ic, bo); 2205 clrbit(bo->bo_flags, IEEE80211_BEACON_HTINFO); 2206 } 2207 2208 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { /* NB: no IBSS support*/ 2209 struct ieee80211_tim_ie *tie = 2210 (struct ieee80211_tim_ie *) bo->bo_tim; 2211 if (isset(bo->bo_flags, IEEE80211_BEACON_TIM)) { 2212 u_int timlen, timoff, i; 2213 /* 2214 * ATIM/DTIM needs updating. If it fits in the 2215 * current space allocated then just copy in the 2216 * new bits. Otherwise we need to move any trailing 2217 * data to make room. Note that we know there is 2218 * contiguous space because ieee80211_beacon_allocate 2219 * insures there is space in the mbuf to write a 2220 * maximal-size virtual bitmap (based on ic_max_aid). 2221 */ 2222 /* 2223 * Calculate the bitmap size and offset, copy any 2224 * trailer out of the way, and then copy in the 2225 * new bitmap and update the information element. 2226 * Note that the tim bitmap must contain at least 2227 * one byte and any offset must be even. 2228 */ 2229 if (ic->ic_ps_pending != 0) { 2230 timoff = 128; /* impossibly large */ 2231 for (i = 0; i < ic->ic_tim_len; i++) 2232 if (ic->ic_tim_bitmap[i]) { 2233 timoff = i &~ 1; 2234 break; 2235 } 2236 KASSERT(timoff != 128, ("tim bitmap empty!")); 2237 for (i = ic->ic_tim_len-1; i >= timoff; i--) 2238 if (ic->ic_tim_bitmap[i]) 2239 break; 2240 timlen = 1 + (i - timoff); 2241 } else { 2242 timoff = 0; 2243 timlen = 1; 2244 } 2245 if (timlen != bo->bo_tim_len) { 2246 /* copy up/down trailer */ 2247 int adjust = tie->tim_bitmap+timlen 2248 - bo->bo_tim_trailer; 2249 ovbcopy(bo->bo_tim_trailer, 2250 bo->bo_tim_trailer+adjust, 2251 bo->bo_tim_trailer_len); 2252 bo->bo_tim_trailer += adjust; 2253 bo->bo_wme += adjust; 2254 bo->bo_erp += adjust; 2255 bo->bo_htinfo += adjust; 2256 bo->bo_tim_len = timlen; 2257 2258 /* update information element */ 2259 tie->tim_len = 3 + timlen; 2260 tie->tim_bitctl = timoff; 2261 len_changed = 1; 2262 } 2263 memcpy(tie->tim_bitmap, ic->ic_tim_bitmap + timoff, 2264 bo->bo_tim_len); 2265 2266 clrbit(bo->bo_flags, IEEE80211_BEACON_TIM); 2267 2268 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2269 "%s: TIM updated, pending %u, off %u, len %u\n", 2270 __func__, ic->ic_ps_pending, timoff, timlen); 2271 } 2272 /* count down DTIM period */ 2273 if (tie->tim_count == 0) 2274 tie->tim_count = tie->tim_period - 1; 2275 else 2276 tie->tim_count--; 2277 /* update state for buffered multicast frames on DTIM */ 2278 if (mcast && tie->tim_count == 0) 2279 tie->tim_bitctl |= 1; 2280 else 2281 tie->tim_bitctl &= ~1; 2282 if (isset(bo->bo_flags, IEEE80211_BEACON_ERP)) { 2283 /* 2284 * ERP element needs updating. 2285 */ 2286 (void) ieee80211_add_erp(bo->bo_erp, ic); 2287 clrbit(bo->bo_flags, IEEE80211_BEACON_ERP); 2288 } 2289 } 2290 IEEE80211_BEACON_UNLOCK(ic); 2291 2292 return len_changed; 2293} 2294