ieee80211_output.c revision 195618
1/*- 2 * Copyright (c) 2001 Atsushi Onoe 3 * Copyright (c) 2002-2009 Sam Leffler, Errno Consulting 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 */ 26 27#include <sys/cdefs.h> 28__FBSDID("$FreeBSD: head/sys/net80211/ieee80211_output.c 195618 2009-07-11 15:02:45Z rpaulo $"); 29 30#include "opt_inet.h" 31#include "opt_inet6.h" 32#include "opt_wlan.h" 33 34#include <sys/param.h> 35#include <sys/systm.h> 36#include <sys/mbuf.h> 37#include <sys/kernel.h> 38#include <sys/endian.h> 39 40#include <sys/socket.h> 41 42#include <net/bpf.h> 43#include <net/ethernet.h> 44#include <net/if.h> 45#include <net/if_llc.h> 46#include <net/if_media.h> 47#include <net/if_vlan_var.h> 48 49#include <net80211/ieee80211_var.h> 50#include <net80211/ieee80211_regdomain.h> 51#ifdef IEEE80211_SUPPORT_SUPERG 52#include <net80211/ieee80211_superg.h> 53#endif 54#ifdef IEEE80211_SUPPORT_TDMA 55#include <net80211/ieee80211_tdma.h> 56#endif 57#include <net80211/ieee80211_wds.h> 58#include <net80211/ieee80211_mesh.h> 59 60#ifdef INET 61#include <netinet/in.h> 62#include <netinet/if_ether.h> 63#include <netinet/in_systm.h> 64#include <netinet/ip.h> 65#endif 66#ifdef INET6 67#include <netinet/ip6.h> 68#endif 69 70#include <security/mac/mac_framework.h> 71 72#define ETHER_HEADER_COPY(dst, src) \ 73 memcpy(dst, src, sizeof(struct ether_header)) 74 75/* unalligned little endian access */ 76#define LE_WRITE_2(p, v) do { \ 77 ((uint8_t *)(p))[0] = (v) & 0xff; \ 78 ((uint8_t *)(p))[1] = ((v) >> 8) & 0xff; \ 79} while (0) 80#define LE_WRITE_4(p, v) do { \ 81 ((uint8_t *)(p))[0] = (v) & 0xff; \ 82 ((uint8_t *)(p))[1] = ((v) >> 8) & 0xff; \ 83 ((uint8_t *)(p))[2] = ((v) >> 16) & 0xff; \ 84 ((uint8_t *)(p))[3] = ((v) >> 24) & 0xff; \ 85} while (0) 86 87static int ieee80211_fragment(struct ieee80211vap *, struct mbuf *, 88 u_int hdrsize, u_int ciphdrsize, u_int mtu); 89static void ieee80211_tx_mgt_cb(struct ieee80211_node *, void *, int); 90 91#ifdef IEEE80211_DEBUG 92/* 93 * Decide if an outbound management frame should be 94 * printed when debugging is enabled. This filters some 95 * of the less interesting frames that come frequently 96 * (e.g. beacons). 97 */ 98static __inline int 99doprint(struct ieee80211vap *vap, int subtype) 100{ 101 switch (subtype) { 102 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 103 return (vap->iv_opmode == IEEE80211_M_IBSS); 104 } 105 return 1; 106} 107#endif 108 109/* 110 * Start method for vap's. All packets from the stack come 111 * through here. We handle common processing of the packets 112 * before dispatching them to the underlying device. 113 */ 114void 115ieee80211_start(struct ifnet *ifp) 116{ 117#define IS_DWDS(vap) \ 118 (vap->iv_opmode == IEEE80211_M_WDS && \ 119 (vap->iv_flags_ext & IEEE80211_FEXT_WDSLEGACY) == 0) 120 struct ieee80211vap *vap = ifp->if_softc; 121 struct ieee80211com *ic = vap->iv_ic; 122 struct ifnet *parent = ic->ic_ifp; 123 struct ieee80211_node *ni; 124 struct mbuf *m; 125 struct ether_header *eh; 126 int error; 127 128 /* NB: parent must be up and running */ 129 if (!IFNET_IS_UP_RUNNING(parent)) { 130 IEEE80211_DPRINTF(vap, IEEE80211_MSG_OUTPUT, 131 "%s: ignore queue, parent %s not up+running\n", 132 __func__, parent->if_xname); 133 /* XXX stat */ 134 return; 135 } 136 if (vap->iv_state == IEEE80211_S_SLEEP) { 137 /* 138 * In power save, wakeup device for transmit. 139 */ 140 ieee80211_new_state(vap, IEEE80211_S_RUN, 0); 141 return; 142 } 143 /* 144 * No data frames go out unless we're running. 145 * Note in particular this covers CAC and CSA 146 * states (though maybe we should check muting 147 * for CSA). 148 */ 149 if (vap->iv_state != IEEE80211_S_RUN) { 150 IEEE80211_LOCK(ic); 151 /* re-check under the com lock to avoid races */ 152 if (vap->iv_state != IEEE80211_S_RUN) { 153 IEEE80211_DPRINTF(vap, IEEE80211_MSG_OUTPUT, 154 "%s: ignore queue, in %s state\n", 155 __func__, ieee80211_state_name[vap->iv_state]); 156 vap->iv_stats.is_tx_badstate++; 157 ifp->if_drv_flags |= IFF_DRV_OACTIVE; 158 IEEE80211_UNLOCK(ic); 159 return; 160 } 161 IEEE80211_UNLOCK(ic); 162 } 163 for (;;) { 164 IFQ_DEQUEUE(&ifp->if_snd, m); 165 if (m == NULL) 166 break; 167 /* 168 * Sanitize mbuf flags for net80211 use. We cannot 169 * clear M_PWR_SAV or M_MORE_DATA because these may 170 * be set for frames that are re-submitted from the 171 * power save queue. 172 * 173 * NB: This must be done before ieee80211_classify as 174 * it marks EAPOL in frames with M_EAPOL. 175 */ 176 m->m_flags &= ~(M_80211_TX - M_PWR_SAV - M_MORE_DATA); 177 /* 178 * Cancel any background scan. 179 */ 180 if (ic->ic_flags & IEEE80211_F_SCAN) 181 ieee80211_cancel_anyscan(vap); 182 /* 183 * Find the node for the destination so we can do 184 * things like power save and fast frames aggregation. 185 * 186 * NB: past this point various code assumes the first 187 * mbuf has the 802.3 header present (and contiguous). 188 */ 189 ni = NULL; 190 if (m->m_len < sizeof(struct ether_header) && 191 (m = m_pullup(m, sizeof(struct ether_header))) == NULL) { 192 IEEE80211_DPRINTF(vap, IEEE80211_MSG_OUTPUT, 193 "discard frame, %s\n", "m_pullup failed"); 194 vap->iv_stats.is_tx_nobuf++; /* XXX */ 195 ifp->if_oerrors++; 196 continue; 197 } 198 eh = mtod(m, struct ether_header *); 199 if (ETHER_IS_MULTICAST(eh->ether_dhost)) { 200 if (IS_DWDS(vap)) { 201 /* 202 * Only unicast frames from the above go out 203 * DWDS vaps; multicast frames are handled by 204 * dispatching the frame as it comes through 205 * the AP vap (see below). 206 */ 207 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_WDS, 208 eh->ether_dhost, "mcast", "%s", "on DWDS"); 209 vap->iv_stats.is_dwds_mcast++; 210 m_freem(m); 211 continue; 212 } 213 if (vap->iv_opmode == IEEE80211_M_HOSTAP) { 214 /* 215 * Spam DWDS vap's w/ multicast traffic. 216 */ 217 /* XXX only if dwds in use? */ 218 ieee80211_dwds_mcast(vap, m); 219 } 220 } 221#ifdef IEEE80211_SUPPORT_MESH 222 if (vap->iv_opmode != IEEE80211_M_MBSS) { 223#endif 224 ni = ieee80211_find_txnode(vap, eh->ether_dhost); 225 if (ni == NULL) { 226 /* NB: ieee80211_find_txnode does stat+msg */ 227 ifp->if_oerrors++; 228 m_freem(m); 229 continue; 230 } 231 if (ni->ni_associd == 0 && 232 (ni->ni_flags & IEEE80211_NODE_ASSOCID)) { 233 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_OUTPUT, 234 eh->ether_dhost, NULL, 235 "sta not associated (type 0x%04x)", 236 htons(eh->ether_type)); 237 vap->iv_stats.is_tx_notassoc++; 238 ifp->if_oerrors++; 239 m_freem(m); 240 ieee80211_free_node(ni); 241 continue; 242 } 243#ifdef IEEE80211_SUPPORT_MESH 244 } else { 245 ni = ieee80211_mesh_discover(vap, eh->ether_dhost, m); 246 if (ni == NULL) { 247 /* 248 * NB: ieee80211_mesh_discover function 249 * holds/disposes frame 250 * (e.g. queueing on path discovery). 251 */ 252 ifp->if_oerrors++; 253 continue; 254 } 255 } 256#endif 257 258 if ((ni->ni_flags & IEEE80211_NODE_PWR_MGT) && 259 (m->m_flags & M_PWR_SAV) == 0) { 260 /* 261 * Station in power save mode; pass the frame 262 * to the 802.11 layer and continue. We'll get 263 * the frame back when the time is right. 264 * XXX lose WDS vap linkage? 265 */ 266 (void) ieee80211_pwrsave(ni, m); 267 ieee80211_free_node(ni); 268 continue; 269 } 270 /* calculate priority so drivers can find the tx queue */ 271 if (ieee80211_classify(ni, m)) { 272 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_OUTPUT, 273 eh->ether_dhost, NULL, 274 "%s", "classification failure"); 275 vap->iv_stats.is_tx_classify++; 276 ifp->if_oerrors++; 277 m_freem(m); 278 ieee80211_free_node(ni); 279 continue; 280 } 281 /* 282 * Stash the node pointer. Note that we do this after 283 * any call to ieee80211_dwds_mcast because that code 284 * uses any existing value for rcvif to identify the 285 * interface it (might have been) received on. 286 */ 287 m->m_pkthdr.rcvif = (void *)ni; 288 289 BPF_MTAP(ifp, m); /* 802.3 tx */ 290 291 /* 292 * Check if A-MPDU tx aggregation is setup or if we 293 * should try to enable it. The sta must be associated 294 * with HT and A-MPDU enabled for use. When the policy 295 * routine decides we should enable A-MPDU we issue an 296 * ADDBA request and wait for a reply. The frame being 297 * encapsulated will go out w/o using A-MPDU, or possibly 298 * it might be collected by the driver and held/retransmit. 299 * The default ic_ampdu_enable routine handles staggering 300 * ADDBA requests in case the receiver NAK's us or we are 301 * otherwise unable to establish a BA stream. 302 */ 303 if ((ni->ni_flags & IEEE80211_NODE_AMPDU_TX) && 304 (vap->iv_flags_ht & IEEE80211_FHT_AMPDU_TX) && 305 (m->m_flags & M_EAPOL) == 0) { 306 const int ac = M_WME_GETAC(m); 307 struct ieee80211_tx_ampdu *tap = &ni->ni_tx_ampdu[ac]; 308 309 ieee80211_txampdu_count_packet(tap); 310 if (IEEE80211_AMPDU_RUNNING(tap)) { 311 /* 312 * Operational, mark frame for aggregation. 313 * 314 * XXX do tx aggregation here 315 */ 316 m->m_flags |= M_AMPDU_MPDU; 317 } else if (!IEEE80211_AMPDU_REQUESTED(tap) && 318 ic->ic_ampdu_enable(ni, tap)) { 319 /* 320 * Not negotiated yet, request service. 321 */ 322 ieee80211_ampdu_request(ni, tap); 323 /* XXX hold frame for reply? */ 324 } 325 } 326#ifdef IEEE80211_SUPPORT_SUPERG 327 else if (IEEE80211_ATH_CAP(vap, ni, IEEE80211_NODE_FF)) { 328 m = ieee80211_ff_check(ni, m); 329 if (m == NULL) { 330 /* NB: any ni ref held on stageq */ 331 continue; 332 } 333 } 334#endif /* IEEE80211_SUPPORT_SUPERG */ 335 if (__predict_true((vap->iv_caps & IEEE80211_C_8023ENCAP) == 0)) { 336 /* 337 * Encapsulate the packet in prep for transmission. 338 */ 339 m = ieee80211_encap(vap, ni, m); 340 if (m == NULL) { 341 /* NB: stat+msg handled in ieee80211_encap */ 342 ieee80211_free_node(ni); 343 continue; 344 } 345 } 346 347 error = parent->if_transmit(parent, m); 348 if (error != 0) { 349 /* NB: IFQ_HANDOFF reclaims mbuf */ 350 ieee80211_free_node(ni); 351 } else { 352 ifp->if_opackets++; 353 } 354 ic->ic_lastdata = ticks; 355 } 356#undef IS_DWDS 357} 358 359/* 360 * 802.11 output routine. This is (currently) used only to 361 * connect bpf write calls to the 802.11 layer for injecting 362 * raw 802.11 frames. 363 */ 364int 365ieee80211_output(struct ifnet *ifp, struct mbuf *m, 366 struct sockaddr *dst, struct route *ro) 367{ 368#define senderr(e) do { error = (e); goto bad;} while (0) 369 struct ieee80211_node *ni = NULL; 370 struct ieee80211vap *vap; 371 struct ieee80211_frame *wh; 372 int error; 373 374 if (ifp->if_drv_flags & IFF_DRV_OACTIVE) { 375 /* 376 * Short-circuit requests if the vap is marked OACTIVE 377 * as this is used when tearing down state to indicate 378 * the vap may be gone. This can also happen because a 379 * packet came down through ieee80211_start before the 380 * vap entered RUN state in which case it's also ok to 381 * just drop the frame. This should not be necessary 382 * but callers of if_output don't check OACTIVE. 383 */ 384 senderr(ENETDOWN); 385 } 386 vap = ifp->if_softc; 387 /* 388 * Hand to the 802.3 code if not tagged as 389 * a raw 802.11 frame. 390 */ 391 if (dst->sa_family != AF_IEEE80211) 392 return vap->iv_output(ifp, m, dst, ro); 393#ifdef MAC 394 error = mac_ifnet_check_transmit(ifp, m); 395 if (error) 396 senderr(error); 397#endif 398 if (ifp->if_flags & IFF_MONITOR) 399 senderr(ENETDOWN); 400 if (!IFNET_IS_UP_RUNNING(ifp)) 401 senderr(ENETDOWN); 402 if (vap->iv_state == IEEE80211_S_CAC) { 403 IEEE80211_DPRINTF(vap, 404 IEEE80211_MSG_OUTPUT | IEEE80211_MSG_DOTH, 405 "block %s frame in CAC state\n", "raw data"); 406 vap->iv_stats.is_tx_badstate++; 407 senderr(EIO); /* XXX */ 408 } 409 /* XXX bypass bridge, pfil, carp, etc. */ 410 411 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_ack)) 412 senderr(EIO); /* XXX */ 413 wh = mtod(m, struct ieee80211_frame *); 414 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 415 IEEE80211_FC0_VERSION_0) 416 senderr(EIO); /* XXX */ 417 418 /* locate destination node */ 419 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) { 420 case IEEE80211_FC1_DIR_NODS: 421 case IEEE80211_FC1_DIR_FROMDS: 422 ni = ieee80211_find_txnode(vap, wh->i_addr1); 423 break; 424 case IEEE80211_FC1_DIR_TODS: 425 case IEEE80211_FC1_DIR_DSTODS: 426 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) 427 senderr(EIO); /* XXX */ 428 ni = ieee80211_find_txnode(vap, wh->i_addr3); 429 break; 430 default: 431 senderr(EIO); /* XXX */ 432 } 433 if (ni == NULL) { 434 /* 435 * Permit packets w/ bpf params through regardless 436 * (see below about sa_len). 437 */ 438 if (dst->sa_len == 0) 439 senderr(EHOSTUNREACH); 440 ni = ieee80211_ref_node(vap->iv_bss); 441 } 442 443 /* 444 * Sanitize mbuf for net80211 flags leaked from above. 445 * 446 * NB: This must be done before ieee80211_classify as 447 * it marks EAPOL in frames with M_EAPOL. 448 */ 449 m->m_flags &= ~M_80211_TX; 450 451 /* calculate priority so drivers can find the tx queue */ 452 /* XXX assumes an 802.3 frame */ 453 if (ieee80211_classify(ni, m)) 454 senderr(EIO); /* XXX */ 455 456 IEEE80211_NODE_STAT(ni, tx_data); 457 if (IEEE80211_IS_MULTICAST(wh->i_addr1)) { 458 IEEE80211_NODE_STAT(ni, tx_mcast); 459 m->m_flags |= M_MCAST; 460 } else 461 IEEE80211_NODE_STAT(ni, tx_ucast); 462 /* NB: ieee80211_encap does not include 802.11 header */ 463 IEEE80211_NODE_STAT_ADD(ni, tx_bytes, m->m_pkthdr.len); 464 465 /* 466 * NB: DLT_IEEE802_11_RADIO identifies the parameters are 467 * present by setting the sa_len field of the sockaddr (yes, 468 * this is a hack). 469 * NB: we assume sa_data is suitably aligned to cast. 470 */ 471 return vap->iv_ic->ic_raw_xmit(ni, m, 472 (const struct ieee80211_bpf_params *)(dst->sa_len ? 473 dst->sa_data : NULL)); 474bad: 475 if (m != NULL) 476 m_freem(m); 477 if (ni != NULL) 478 ieee80211_free_node(ni); 479 return error; 480#undef senderr 481} 482 483/* 484 * Set the direction field and address fields of an outgoing 485 * frame. Note this should be called early on in constructing 486 * a frame as it sets i_fc[1]; other bits can then be or'd in. 487 */ 488void 489ieee80211_send_setup( 490 struct ieee80211_node *ni, 491 struct mbuf *m, 492 int type, int tid, 493 const uint8_t sa[IEEE80211_ADDR_LEN], 494 const uint8_t da[IEEE80211_ADDR_LEN], 495 const uint8_t bssid[IEEE80211_ADDR_LEN]) 496{ 497#define WH4(wh) ((struct ieee80211_frame_addr4 *)wh) 498 struct ieee80211vap *vap = ni->ni_vap; 499 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *); 500 ieee80211_seq seqno; 501 502 wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | type; 503 if ((type & IEEE80211_FC0_TYPE_MASK) == IEEE80211_FC0_TYPE_DATA) { 504 switch (vap->iv_opmode) { 505 case IEEE80211_M_STA: 506 wh->i_fc[1] = IEEE80211_FC1_DIR_TODS; 507 IEEE80211_ADDR_COPY(wh->i_addr1, bssid); 508 IEEE80211_ADDR_COPY(wh->i_addr2, sa); 509 IEEE80211_ADDR_COPY(wh->i_addr3, da); 510 break; 511 case IEEE80211_M_IBSS: 512 case IEEE80211_M_AHDEMO: 513 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS; 514 IEEE80211_ADDR_COPY(wh->i_addr1, da); 515 IEEE80211_ADDR_COPY(wh->i_addr2, sa); 516 IEEE80211_ADDR_COPY(wh->i_addr3, bssid); 517 break; 518 case IEEE80211_M_HOSTAP: 519 wh->i_fc[1] = IEEE80211_FC1_DIR_FROMDS; 520 IEEE80211_ADDR_COPY(wh->i_addr1, da); 521 IEEE80211_ADDR_COPY(wh->i_addr2, bssid); 522 IEEE80211_ADDR_COPY(wh->i_addr3, sa); 523 break; 524 case IEEE80211_M_WDS: 525 wh->i_fc[1] = IEEE80211_FC1_DIR_DSTODS; 526 IEEE80211_ADDR_COPY(wh->i_addr1, da); 527 IEEE80211_ADDR_COPY(wh->i_addr2, vap->iv_myaddr); 528 IEEE80211_ADDR_COPY(wh->i_addr3, da); 529 IEEE80211_ADDR_COPY(WH4(wh)->i_addr4, sa); 530 break; 531 case IEEE80211_M_MBSS: 532#ifdef IEEE80211_SUPPORT_MESH 533 /* XXX add support for proxied addresses */ 534 if (IEEE80211_IS_MULTICAST(da)) { 535 wh->i_fc[1] = IEEE80211_FC1_DIR_FROMDS; 536 /* XXX next hop */ 537 IEEE80211_ADDR_COPY(wh->i_addr1, da); 538 IEEE80211_ADDR_COPY(wh->i_addr2, 539 vap->iv_myaddr); 540 } else { 541 wh->i_fc[1] = IEEE80211_FC1_DIR_DSTODS; 542 IEEE80211_ADDR_COPY(wh->i_addr1, da); 543 IEEE80211_ADDR_COPY(wh->i_addr2, 544 vap->iv_myaddr); 545 IEEE80211_ADDR_COPY(wh->i_addr3, da); 546 IEEE80211_ADDR_COPY(WH4(wh)->i_addr4, sa); 547 } 548#endif 549 break; 550 case IEEE80211_M_MONITOR: /* NB: to quiet compiler */ 551 break; 552 } 553 } else { 554 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS; 555 IEEE80211_ADDR_COPY(wh->i_addr1, da); 556 IEEE80211_ADDR_COPY(wh->i_addr2, sa); 557#ifdef IEEE80211_SUPPORT_MESH 558 if (vap->iv_opmode == IEEE80211_M_MBSS) 559 IEEE80211_ADDR_COPY(wh->i_addr3, sa); 560 else 561#endif 562 IEEE80211_ADDR_COPY(wh->i_addr3, bssid); 563 } 564 *(uint16_t *)&wh->i_dur[0] = 0; 565 566 seqno = ni->ni_txseqs[tid]++; 567 *(uint16_t *)&wh->i_seq[0] = htole16(seqno << IEEE80211_SEQ_SEQ_SHIFT); 568 M_SEQNO_SET(m, seqno); 569 570 if (IEEE80211_IS_MULTICAST(wh->i_addr1)) 571 m->m_flags |= M_MCAST; 572#undef WH4 573} 574 575/* 576 * Send a management frame to the specified node. The node pointer 577 * must have a reference as the pointer will be passed to the driver 578 * and potentially held for a long time. If the frame is successfully 579 * dispatched to the driver, then it is responsible for freeing the 580 * reference (and potentially free'ing up any associated storage); 581 * otherwise deal with reclaiming any reference (on error). 582 */ 583int 584ieee80211_mgmt_output(struct ieee80211_node *ni, struct mbuf *m, int type, 585 struct ieee80211_bpf_params *params) 586{ 587 struct ieee80211vap *vap = ni->ni_vap; 588 struct ieee80211com *ic = ni->ni_ic; 589 struct ieee80211_frame *wh; 590 591 KASSERT(ni != NULL, ("null node")); 592 593 if (vap->iv_state == IEEE80211_S_CAC) { 594 IEEE80211_NOTE(vap, IEEE80211_MSG_OUTPUT | IEEE80211_MSG_DOTH, 595 ni, "block %s frame in CAC state", 596 ieee80211_mgt_subtype_name[ 597 (type & IEEE80211_FC0_SUBTYPE_MASK) >> 598 IEEE80211_FC0_SUBTYPE_SHIFT]); 599 vap->iv_stats.is_tx_badstate++; 600 ieee80211_free_node(ni); 601 m_freem(m); 602 return EIO; /* XXX */ 603 } 604 605 M_PREPEND(m, sizeof(struct ieee80211_frame), M_DONTWAIT); 606 if (m == NULL) { 607 ieee80211_free_node(ni); 608 return ENOMEM; 609 } 610 611 wh = mtod(m, struct ieee80211_frame *); 612 ieee80211_send_setup(ni, m, 613 IEEE80211_FC0_TYPE_MGT | type, IEEE80211_NONQOS_TID, 614 vap->iv_myaddr, ni->ni_macaddr, ni->ni_bssid); 615 if (params->ibp_flags & IEEE80211_BPF_CRYPTO) { 616 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr1, 617 "encrypting frame (%s)", __func__); 618 wh->i_fc[1] |= IEEE80211_FC1_WEP; 619 } 620 m->m_flags |= M_ENCAP; /* mark encapsulated */ 621 622 KASSERT(type != IEEE80211_FC0_SUBTYPE_PROBE_RESP, ("probe response?")); 623 M_WME_SETAC(m, params->ibp_pri); 624 625#ifdef IEEE80211_DEBUG 626 /* avoid printing too many frames */ 627 if ((ieee80211_msg_debug(vap) && doprint(vap, type)) || 628 ieee80211_msg_dumppkts(vap)) { 629 printf("[%s] send %s on channel %u\n", 630 ether_sprintf(wh->i_addr1), 631 ieee80211_mgt_subtype_name[ 632 (type & IEEE80211_FC0_SUBTYPE_MASK) >> 633 IEEE80211_FC0_SUBTYPE_SHIFT], 634 ieee80211_chan2ieee(ic, ic->ic_curchan)); 635 } 636#endif 637 IEEE80211_NODE_STAT(ni, tx_mgmt); 638 639 return ic->ic_raw_xmit(ni, m, params); 640} 641 642/* 643 * Send a null data frame to the specified node. If the station 644 * is setup for QoS then a QoS Null Data frame is constructed. 645 * If this is a WDS station then a 4-address frame is constructed. 646 * 647 * NB: the caller is assumed to have setup a node reference 648 * for use; this is necessary to deal with a race condition 649 * when probing for inactive stations. Like ieee80211_mgmt_output 650 * we must cleanup any node reference on error; however we 651 * can safely just unref it as we know it will never be the 652 * last reference to the node. 653 */ 654int 655ieee80211_send_nulldata(struct ieee80211_node *ni) 656{ 657 struct ieee80211vap *vap = ni->ni_vap; 658 struct ieee80211com *ic = ni->ni_ic; 659 struct mbuf *m; 660 struct ieee80211_frame *wh; 661 int hdrlen; 662 uint8_t *frm; 663 664 if (vap->iv_state == IEEE80211_S_CAC) { 665 IEEE80211_NOTE(vap, IEEE80211_MSG_OUTPUT | IEEE80211_MSG_DOTH, 666 ni, "block %s frame in CAC state", "null data"); 667 ieee80211_unref_node(&ni); 668 vap->iv_stats.is_tx_badstate++; 669 return EIO; /* XXX */ 670 } 671 672 if (ni->ni_flags & (IEEE80211_NODE_QOS|IEEE80211_NODE_HT)) 673 hdrlen = sizeof(struct ieee80211_qosframe); 674 else 675 hdrlen = sizeof(struct ieee80211_frame); 676 /* NB: only WDS vap's get 4-address frames */ 677 if (vap->iv_opmode == IEEE80211_M_WDS) 678 hdrlen += IEEE80211_ADDR_LEN; 679 if (ic->ic_flags & IEEE80211_F_DATAPAD) 680 hdrlen = roundup(hdrlen, sizeof(uint32_t)); 681 682 m = ieee80211_getmgtframe(&frm, ic->ic_headroom + hdrlen, 0); 683 if (m == NULL) { 684 /* XXX debug msg */ 685 ieee80211_unref_node(&ni); 686 vap->iv_stats.is_tx_nobuf++; 687 return ENOMEM; 688 } 689 KASSERT(M_LEADINGSPACE(m) >= hdrlen, 690 ("leading space %zd", M_LEADINGSPACE(m))); 691 M_PREPEND(m, hdrlen, M_DONTWAIT); 692 if (m == NULL) { 693 /* NB: cannot happen */ 694 ieee80211_free_node(ni); 695 return ENOMEM; 696 } 697 698 wh = mtod(m, struct ieee80211_frame *); /* NB: a little lie */ 699 if (ni->ni_flags & IEEE80211_NODE_QOS) { 700 const int tid = WME_AC_TO_TID(WME_AC_BE); 701 uint8_t *qos; 702 703 ieee80211_send_setup(ni, m, 704 IEEE80211_FC0_TYPE_DATA | IEEE80211_FC0_SUBTYPE_QOS_NULL, 705 tid, vap->iv_myaddr, ni->ni_macaddr, ni->ni_bssid); 706 707 if (vap->iv_opmode == IEEE80211_M_WDS) 708 qos = ((struct ieee80211_qosframe_addr4 *) wh)->i_qos; 709 else 710 qos = ((struct ieee80211_qosframe *) wh)->i_qos; 711 qos[0] = tid & IEEE80211_QOS_TID; 712 if (ic->ic_wme.wme_wmeChanParams.cap_wmeParams[WME_AC_BE].wmep_noackPolicy) 713 qos[0] |= IEEE80211_QOS_ACKPOLICY_NOACK; 714 qos[1] = 0; 715 } else { 716 ieee80211_send_setup(ni, m, 717 IEEE80211_FC0_TYPE_DATA | IEEE80211_FC0_SUBTYPE_NODATA, 718 IEEE80211_NONQOS_TID, 719 vap->iv_myaddr, ni->ni_macaddr, ni->ni_bssid); 720 } 721 if (vap->iv_opmode != IEEE80211_M_WDS) { 722 /* NB: power management bit is never sent by an AP */ 723 if ((ni->ni_flags & IEEE80211_NODE_PWR_MGT) && 724 vap->iv_opmode != IEEE80211_M_HOSTAP) 725 wh->i_fc[1] |= IEEE80211_FC1_PWR_MGT; 726 } 727 m->m_len = m->m_pkthdr.len = hdrlen; 728 m->m_flags |= M_ENCAP; /* mark encapsulated */ 729 730 M_WME_SETAC(m, WME_AC_BE); 731 732 IEEE80211_NODE_STAT(ni, tx_data); 733 734 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_DUMPPKTS, ni, 735 "send %snull data frame on channel %u, pwr mgt %s", 736 ni->ni_flags & IEEE80211_NODE_QOS ? "QoS " : "", 737 ieee80211_chan2ieee(ic, ic->ic_curchan), 738 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT ? "ena" : "dis"); 739 740 return ic->ic_raw_xmit(ni, m, NULL); 741} 742 743/* 744 * Assign priority to a frame based on any vlan tag assigned 745 * to the station and/or any Diffserv setting in an IP header. 746 * Finally, if an ACM policy is setup (in station mode) it's 747 * applied. 748 */ 749int 750ieee80211_classify(struct ieee80211_node *ni, struct mbuf *m) 751{ 752 const struct ether_header *eh = mtod(m, struct ether_header *); 753 int v_wme_ac, d_wme_ac, ac; 754 755 /* 756 * Always promote PAE/EAPOL frames to high priority. 757 */ 758 if (eh->ether_type == htons(ETHERTYPE_PAE)) { 759 /* NB: mark so others don't need to check header */ 760 m->m_flags |= M_EAPOL; 761 ac = WME_AC_VO; 762 goto done; 763 } 764 /* 765 * Non-qos traffic goes to BE. 766 */ 767 if ((ni->ni_flags & IEEE80211_NODE_QOS) == 0) { 768 ac = WME_AC_BE; 769 goto done; 770 } 771 772 /* 773 * If node has a vlan tag then all traffic 774 * to it must have a matching tag. 775 */ 776 v_wme_ac = 0; 777 if (ni->ni_vlan != 0) { 778 if ((m->m_flags & M_VLANTAG) == 0) { 779 IEEE80211_NODE_STAT(ni, tx_novlantag); 780 return 1; 781 } 782 if (EVL_VLANOFTAG(m->m_pkthdr.ether_vtag) != 783 EVL_VLANOFTAG(ni->ni_vlan)) { 784 IEEE80211_NODE_STAT(ni, tx_vlanmismatch); 785 return 1; 786 } 787 /* map vlan priority to AC */ 788 v_wme_ac = TID_TO_WME_AC(EVL_PRIOFTAG(ni->ni_vlan)); 789 } 790 791 /* XXX m_copydata may be too slow for fast path */ 792#ifdef INET 793 if (eh->ether_type == htons(ETHERTYPE_IP)) { 794 uint8_t tos; 795 /* 796 * IP frame, map the DSCP bits from the TOS field. 797 */ 798 /* NB: ip header may not be in first mbuf */ 799 m_copydata(m, sizeof(struct ether_header) + 800 offsetof(struct ip, ip_tos), sizeof(tos), &tos); 801 tos >>= 5; /* NB: ECN + low 3 bits of DSCP */ 802 d_wme_ac = TID_TO_WME_AC(tos); 803 } else { 804#endif /* INET */ 805#ifdef INET6 806 if (eh->ether_type == htons(ETHERTYPE_IPV6)) { 807 uint32_t flow; 808 uint8_t tos; 809 /* 810 * IPv6 frame, map the DSCP bits from the TOS field. 811 */ 812 m_copydata(m, sizeof(struct ether_header) + 813 offsetof(struct ip6_hdr, ip6_flow), sizeof(flow), 814 (caddr_t) &flow); 815 tos = (uint8_t)(ntohl(flow) >> 20); 816 tos >>= 5; /* NB: ECN + low 3 bits of DSCP */ 817 d_wme_ac = TID_TO_WME_AC(tos); 818 } else { 819#endif /* INET6 */ 820 d_wme_ac = WME_AC_BE; 821#ifdef INET6 822 } 823#endif 824#ifdef INET 825 } 826#endif 827 /* 828 * Use highest priority AC. 829 */ 830 if (v_wme_ac > d_wme_ac) 831 ac = v_wme_ac; 832 else 833 ac = d_wme_ac; 834 835 /* 836 * Apply ACM policy. 837 */ 838 if (ni->ni_vap->iv_opmode == IEEE80211_M_STA) { 839 static const int acmap[4] = { 840 WME_AC_BK, /* WME_AC_BE */ 841 WME_AC_BK, /* WME_AC_BK */ 842 WME_AC_BE, /* WME_AC_VI */ 843 WME_AC_VI, /* WME_AC_VO */ 844 }; 845 struct ieee80211com *ic = ni->ni_ic; 846 847 while (ac != WME_AC_BK && 848 ic->ic_wme.wme_wmeBssChanParams.cap_wmeParams[ac].wmep_acm) 849 ac = acmap[ac]; 850 } 851done: 852 M_WME_SETAC(m, ac); 853 return 0; 854} 855 856/* 857 * Insure there is sufficient contiguous space to encapsulate the 858 * 802.11 data frame. If room isn't already there, arrange for it. 859 * Drivers and cipher modules assume we have done the necessary work 860 * and fail rudely if they don't find the space they need. 861 */ 862struct mbuf * 863ieee80211_mbuf_adjust(struct ieee80211vap *vap, int hdrsize, 864 struct ieee80211_key *key, struct mbuf *m) 865{ 866#define TO_BE_RECLAIMED (sizeof(struct ether_header) - sizeof(struct llc)) 867 int needed_space = vap->iv_ic->ic_headroom + hdrsize; 868 869 if (key != NULL) { 870 /* XXX belongs in crypto code? */ 871 needed_space += key->wk_cipher->ic_header; 872 /* XXX frags */ 873 /* 874 * When crypto is being done in the host we must insure 875 * the data are writable for the cipher routines; clone 876 * a writable mbuf chain. 877 * XXX handle SWMIC specially 878 */ 879 if (key->wk_flags & (IEEE80211_KEY_SWENCRYPT|IEEE80211_KEY_SWENMIC)) { 880 m = m_unshare(m, M_NOWAIT); 881 if (m == NULL) { 882 IEEE80211_DPRINTF(vap, IEEE80211_MSG_OUTPUT, 883 "%s: cannot get writable mbuf\n", __func__); 884 vap->iv_stats.is_tx_nobuf++; /* XXX new stat */ 885 return NULL; 886 } 887 } 888 } 889 /* 890 * We know we are called just before stripping an Ethernet 891 * header and prepending an LLC header. This means we know 892 * there will be 893 * sizeof(struct ether_header) - sizeof(struct llc) 894 * bytes recovered to which we need additional space for the 895 * 802.11 header and any crypto header. 896 */ 897 /* XXX check trailing space and copy instead? */ 898 if (M_LEADINGSPACE(m) < needed_space - TO_BE_RECLAIMED) { 899 struct mbuf *n = m_gethdr(M_NOWAIT, m->m_type); 900 if (n == NULL) { 901 IEEE80211_DPRINTF(vap, IEEE80211_MSG_OUTPUT, 902 "%s: cannot expand storage\n", __func__); 903 vap->iv_stats.is_tx_nobuf++; 904 m_freem(m); 905 return NULL; 906 } 907 KASSERT(needed_space <= MHLEN, 908 ("not enough room, need %u got %zu\n", needed_space, MHLEN)); 909 /* 910 * Setup new mbuf to have leading space to prepend the 911 * 802.11 header and any crypto header bits that are 912 * required (the latter are added when the driver calls 913 * back to ieee80211_crypto_encap to do crypto encapsulation). 914 */ 915 /* NB: must be first 'cuz it clobbers m_data */ 916 m_move_pkthdr(n, m); 917 n->m_len = 0; /* NB: m_gethdr does not set */ 918 n->m_data += needed_space; 919 /* 920 * Pull up Ethernet header to create the expected layout. 921 * We could use m_pullup but that's overkill (i.e. we don't 922 * need the actual data) and it cannot fail so do it inline 923 * for speed. 924 */ 925 /* NB: struct ether_header is known to be contiguous */ 926 n->m_len += sizeof(struct ether_header); 927 m->m_len -= sizeof(struct ether_header); 928 m->m_data += sizeof(struct ether_header); 929 /* 930 * Replace the head of the chain. 931 */ 932 n->m_next = m; 933 m = n; 934 } 935 return m; 936#undef TO_BE_RECLAIMED 937} 938 939/* 940 * Return the transmit key to use in sending a unicast frame. 941 * If a unicast key is set we use that. When no unicast key is set 942 * we fall back to the default transmit key. 943 */ 944static __inline struct ieee80211_key * 945ieee80211_crypto_getucastkey(struct ieee80211vap *vap, 946 struct ieee80211_node *ni) 947{ 948 if (IEEE80211_KEY_UNDEFINED(&ni->ni_ucastkey)) { 949 if (vap->iv_def_txkey == IEEE80211_KEYIX_NONE || 950 IEEE80211_KEY_UNDEFINED(&vap->iv_nw_keys[vap->iv_def_txkey])) 951 return NULL; 952 return &vap->iv_nw_keys[vap->iv_def_txkey]; 953 } else { 954 return &ni->ni_ucastkey; 955 } 956} 957 958/* 959 * Return the transmit key to use in sending a multicast frame. 960 * Multicast traffic always uses the group key which is installed as 961 * the default tx key. 962 */ 963static __inline struct ieee80211_key * 964ieee80211_crypto_getmcastkey(struct ieee80211vap *vap, 965 struct ieee80211_node *ni) 966{ 967 if (vap->iv_def_txkey == IEEE80211_KEYIX_NONE || 968 IEEE80211_KEY_UNDEFINED(&vap->iv_nw_keys[vap->iv_def_txkey])) 969 return NULL; 970 return &vap->iv_nw_keys[vap->iv_def_txkey]; 971} 972 973/* 974 * Encapsulate an outbound data frame. The mbuf chain is updated. 975 * If an error is encountered NULL is returned. The caller is required 976 * to provide a node reference and pullup the ethernet header in the 977 * first mbuf. 978 * 979 * NB: Packet is assumed to be processed by ieee80211_classify which 980 * marked EAPOL frames w/ M_EAPOL. 981 */ 982struct mbuf * 983ieee80211_encap(struct ieee80211vap *vap, struct ieee80211_node *ni, 984 struct mbuf *m) 985{ 986#define WH4(wh) ((struct ieee80211_frame_addr4 *)(wh)) 987 struct ieee80211com *ic = ni->ni_ic; 988#ifdef IEEE80211_SUPPORT_MESH 989 struct ieee80211_mesh_state *ms = vap->iv_mesh; 990 struct ieee80211_meshcntl_ae11 *mc; 991#endif 992 struct ether_header eh; 993 struct ieee80211_frame *wh; 994 struct ieee80211_key *key; 995 struct llc *llc; 996 int hdrsize, hdrspace, datalen, addqos, txfrag, is4addr; 997 ieee80211_seq seqno; 998 int meshhdrsize, meshae; 999 uint8_t *qos; 1000 1001 /* 1002 * Copy existing Ethernet header to a safe place. The 1003 * rest of the code assumes it's ok to strip it when 1004 * reorganizing state for the final encapsulation. 1005 */ 1006 KASSERT(m->m_len >= sizeof(eh), ("no ethernet header!")); 1007 ETHER_HEADER_COPY(&eh, mtod(m, caddr_t)); 1008 1009 /* 1010 * Insure space for additional headers. First identify 1011 * transmit key to use in calculating any buffer adjustments 1012 * required. This is also used below to do privacy 1013 * encapsulation work. Then calculate the 802.11 header 1014 * size and any padding required by the driver. 1015 * 1016 * Note key may be NULL if we fall back to the default 1017 * transmit key and that is not set. In that case the 1018 * buffer may not be expanded as needed by the cipher 1019 * routines, but they will/should discard it. 1020 */ 1021 if (vap->iv_flags & IEEE80211_F_PRIVACY) { 1022 if (vap->iv_opmode == IEEE80211_M_STA || 1023 !IEEE80211_IS_MULTICAST(eh.ether_dhost) || 1024 (vap->iv_opmode == IEEE80211_M_WDS && 1025 (vap->iv_flags_ext & IEEE80211_FEXT_WDSLEGACY))) 1026 key = ieee80211_crypto_getucastkey(vap, ni); 1027 else 1028 key = ieee80211_crypto_getmcastkey(vap, ni); 1029 if (key == NULL && (m->m_flags & M_EAPOL) == 0) { 1030 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, 1031 eh.ether_dhost, 1032 "no default transmit key (%s) deftxkey %u", 1033 __func__, vap->iv_def_txkey); 1034 vap->iv_stats.is_tx_nodefkey++; 1035 goto bad; 1036 } 1037 } else 1038 key = NULL; 1039 /* 1040 * XXX Some ap's don't handle QoS-encapsulated EAPOL 1041 * frames so suppress use. This may be an issue if other 1042 * ap's require all data frames to be QoS-encapsulated 1043 * once negotiated in which case we'll need to make this 1044 * configurable. 1045 */ 1046 addqos = (ni->ni_flags & (IEEE80211_NODE_QOS|IEEE80211_NODE_HT)) && 1047 (m->m_flags & M_EAPOL) == 0; 1048 if (addqos) 1049 hdrsize = sizeof(struct ieee80211_qosframe); 1050 else 1051 hdrsize = sizeof(struct ieee80211_frame); 1052#ifdef IEEE80211_SUPPORT_MESH 1053 if (vap->iv_opmode == IEEE80211_M_MBSS) { 1054 /* 1055 * Mesh data frames are encapsulated according to the 1056 * rules of Section 11B.8.5 (p.139 of D3.0 spec). 1057 * o Group Addressed data (aka multicast) originating 1058 * at the local sta are sent w/ 3-address format and 1059 * address extension mode 00 1060 * o Individually Addressed data (aka unicast) originating 1061 * at the local sta are sent w/ 4-address format and 1062 * address extension mode 00 1063 * o Group Addressed data forwarded from a non-mesh sta are 1064 * sent w/ 3-address format and address extension mode 01 1065 * o Individually Address data from another sta are sent 1066 * w/ 4-address format and address extension mode 10 1067 */ 1068 is4addr = 0; /* NB: don't use, disable */ 1069 meshhdrsize = sizeof(struct ieee80211_meshcntl); 1070 /* XXX defines for AE modes */ 1071 /* XXX not right, need to check if from non-mesh-sta */ 1072 if (IEEE80211_ADDR_EQ(eh.ether_shost, vap->iv_myaddr)) { 1073 if (!IEEE80211_IS_MULTICAST(eh.ether_dhost)) { 1074 hdrsize += IEEE80211_ADDR_LEN; 1075 meshae = 0; 1076 } else 1077 meshae = 4; /* NB: pseudo */ 1078 } else if (IEEE80211_IS_MULTICAST(eh.ether_dhost)) { 1079 meshae = 1; 1080 meshhdrsize += 2*IEEE80211_ADDR_LEN; 1081 } else { 1082 meshae = 2; 1083 meshhdrsize += 3*IEEE80211_ADDR_LEN; 1084 } 1085 } else { 1086#endif 1087 /* 1088 * 4-address frames need to be generated for: 1089 * o packets sent through a WDS vap (IEEE80211_M_WDS) 1090 * o packets sent through a vap marked for relaying 1091 * (e.g. a station operating with dynamic WDS) 1092 */ 1093 is4addr = vap->iv_opmode == IEEE80211_M_WDS || 1094 ((vap->iv_flags_ext & IEEE80211_FEXT_4ADDR) && 1095 !IEEE80211_ADDR_EQ(eh.ether_shost, vap->iv_myaddr)); 1096 if (is4addr) 1097 hdrsize += IEEE80211_ADDR_LEN; 1098 meshhdrsize = meshae = 0; 1099#ifdef IEEE80211_SUPPORT_MESH 1100 } 1101#endif 1102 /* 1103 * Honor driver DATAPAD requirement. 1104 */ 1105 if (ic->ic_flags & IEEE80211_F_DATAPAD) 1106 hdrspace = roundup(hdrsize, sizeof(uint32_t)); 1107 else 1108 hdrspace = hdrsize; 1109 1110 if (__predict_true((m->m_flags & M_FF) == 0)) { 1111 /* 1112 * Normal frame. 1113 */ 1114 m = ieee80211_mbuf_adjust(vap, hdrspace + meshhdrsize, key, m); 1115 if (m == NULL) { 1116 /* NB: ieee80211_mbuf_adjust handles msgs+statistics */ 1117 goto bad; 1118 } 1119 /* NB: this could be optimized 'cuz of ieee80211_mbuf_adjust */ 1120 m_adj(m, sizeof(struct ether_header) - sizeof(struct llc)); 1121 llc = mtod(m, struct llc *); 1122 llc->llc_dsap = llc->llc_ssap = LLC_SNAP_LSAP; 1123 llc->llc_control = LLC_UI; 1124 llc->llc_snap.org_code[0] = 0; 1125 llc->llc_snap.org_code[1] = 0; 1126 llc->llc_snap.org_code[2] = 0; 1127 llc->llc_snap.ether_type = eh.ether_type; 1128 } else { 1129#ifdef IEEE80211_SUPPORT_SUPERG 1130 /* 1131 * Aggregated frame. 1132 */ 1133 m = ieee80211_ff_encap(vap, m, hdrspace + meshhdrsize, key); 1134 if (m == NULL) 1135#endif 1136 goto bad; 1137 } 1138 datalen = m->m_pkthdr.len; /* NB: w/o 802.11 header */ 1139 1140 M_PREPEND(m, hdrspace + meshhdrsize, M_DONTWAIT); 1141 if (m == NULL) { 1142 vap->iv_stats.is_tx_nobuf++; 1143 goto bad; 1144 } 1145 wh = mtod(m, struct ieee80211_frame *); 1146 wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_DATA; 1147 *(uint16_t *)wh->i_dur = 0; 1148 qos = NULL; /* NB: quiet compiler */ 1149 if (is4addr) { 1150 wh->i_fc[1] = IEEE80211_FC1_DIR_DSTODS; 1151 IEEE80211_ADDR_COPY(wh->i_addr1, ni->ni_macaddr); 1152 IEEE80211_ADDR_COPY(wh->i_addr2, vap->iv_myaddr); 1153 IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_dhost); 1154 IEEE80211_ADDR_COPY(WH4(wh)->i_addr4, eh.ether_shost); 1155 } else switch (vap->iv_opmode) { 1156 case IEEE80211_M_STA: 1157 wh->i_fc[1] = IEEE80211_FC1_DIR_TODS; 1158 IEEE80211_ADDR_COPY(wh->i_addr1, ni->ni_bssid); 1159 IEEE80211_ADDR_COPY(wh->i_addr2, eh.ether_shost); 1160 IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_dhost); 1161 break; 1162 case IEEE80211_M_IBSS: 1163 case IEEE80211_M_AHDEMO: 1164 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS; 1165 IEEE80211_ADDR_COPY(wh->i_addr1, eh.ether_dhost); 1166 IEEE80211_ADDR_COPY(wh->i_addr2, eh.ether_shost); 1167 /* 1168 * NB: always use the bssid from iv_bss as the 1169 * neighbor's may be stale after an ibss merge 1170 */ 1171 IEEE80211_ADDR_COPY(wh->i_addr3, vap->iv_bss->ni_bssid); 1172 break; 1173 case IEEE80211_M_HOSTAP: 1174 wh->i_fc[1] = IEEE80211_FC1_DIR_FROMDS; 1175 IEEE80211_ADDR_COPY(wh->i_addr1, eh.ether_dhost); 1176 IEEE80211_ADDR_COPY(wh->i_addr2, ni->ni_bssid); 1177 IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_shost); 1178 break; 1179#ifdef IEEE80211_SUPPORT_MESH 1180 case IEEE80211_M_MBSS: 1181 /* NB: offset by hdrspace to deal with DATAPAD */ 1182 mc = (struct ieee80211_meshcntl_ae11 *) 1183 (mtod(m, uint8_t *) + hdrspace); 1184 switch (meshae) { 1185 case 0: /* ucast, no proxy */ 1186 wh->i_fc[1] = IEEE80211_FC1_DIR_DSTODS; 1187 IEEE80211_ADDR_COPY(wh->i_addr1, ni->ni_macaddr); 1188 IEEE80211_ADDR_COPY(wh->i_addr2, vap->iv_myaddr); 1189 IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_dhost); 1190 IEEE80211_ADDR_COPY(WH4(wh)->i_addr4, eh.ether_shost); 1191 mc->mc_flags = 0; 1192 qos = ((struct ieee80211_qosframe_addr4 *) wh)->i_qos; 1193 break; 1194 case 4: /* mcast, no proxy */ 1195 wh->i_fc[1] = IEEE80211_FC1_DIR_FROMDS; 1196 IEEE80211_ADDR_COPY(wh->i_addr1, eh.ether_dhost); 1197 IEEE80211_ADDR_COPY(wh->i_addr2, vap->iv_myaddr); 1198 IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_shost); 1199 mc->mc_flags = 0; /* NB: AE is really 0 */ 1200 qos = ((struct ieee80211_qosframe *) wh)->i_qos; 1201 break; 1202 case 1: /* mcast, proxy */ 1203 wh->i_fc[1] = IEEE80211_FC1_DIR_FROMDS; 1204 IEEE80211_ADDR_COPY(wh->i_addr1, eh.ether_dhost); 1205 IEEE80211_ADDR_COPY(wh->i_addr2, vap->iv_myaddr); 1206 /* XXX not right, need MeshSA */ 1207 IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_shost); 1208 mc->mc_flags = 1; 1209 IEEE80211_ADDR_COPY(mc->mc_addr4, eh.ether_shost); 1210 qos = ((struct ieee80211_qosframe *) wh)->i_qos; 1211 break; 1212 case 2: /* ucast, proxy */ 1213 wh->i_fc[1] = IEEE80211_FC1_DIR_DSTODS; 1214 IEEE80211_ADDR_COPY(wh->i_addr1, ni->ni_macaddr); 1215 IEEE80211_ADDR_COPY(wh->i_addr2, vap->iv_myaddr); 1216 /* XXX not right, need MeshDA+MeshSA */ 1217 IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_dhost); 1218 IEEE80211_ADDR_COPY(WH4(wh)->i_addr4, eh.ether_shost); 1219 mc->mc_flags = 2; 1220 IEEE80211_ADDR_COPY(mc->mc_addr5, eh.ether_shost); 1221 IEEE80211_ADDR_COPY(mc->mc_addr6, eh.ether_shost); 1222 qos = ((struct ieee80211_qosframe_addr4 *) wh)->i_qos; 1223 break; 1224 default: 1225 KASSERT(0, ("meshae %d", meshae)); 1226 break; 1227 } 1228 mc->mc_ttl = ms->ms_ttl; 1229 ms->ms_seq++; 1230 LE_WRITE_4(mc->mc_seq, ms->ms_seq); 1231 break; 1232#endif 1233 case IEEE80211_M_WDS: /* NB: is4addr should always be true */ 1234 default: 1235 goto bad; 1236 } 1237 if (m->m_flags & M_MORE_DATA) 1238 wh->i_fc[1] |= IEEE80211_FC1_MORE_DATA; 1239 if (addqos) { 1240 int ac, tid; 1241 1242 if (is4addr) { 1243 qos = ((struct ieee80211_qosframe_addr4 *) wh)->i_qos; 1244 /* NB: mesh case handled earlier */ 1245 } else if (vap->iv_opmode != IEEE80211_M_MBSS) 1246 qos = ((struct ieee80211_qosframe *) wh)->i_qos; 1247 ac = M_WME_GETAC(m); 1248 /* map from access class/queue to 11e header priorty value */ 1249 tid = WME_AC_TO_TID(ac); 1250 qos[0] = tid & IEEE80211_QOS_TID; 1251 if (ic->ic_wme.wme_wmeChanParams.cap_wmeParams[ac].wmep_noackPolicy) 1252 qos[0] |= IEEE80211_QOS_ACKPOLICY_NOACK; 1253 qos[1] = 0; 1254 wh->i_fc[0] |= IEEE80211_FC0_SUBTYPE_QOS; 1255 1256 if ((m->m_flags & M_AMPDU_MPDU) == 0) { 1257 /* 1258 * NB: don't assign a sequence # to potential 1259 * aggregates; we expect this happens at the 1260 * point the frame comes off any aggregation q 1261 * as otherwise we may introduce holes in the 1262 * BA sequence space and/or make window accouting 1263 * more difficult. 1264 * 1265 * XXX may want to control this with a driver 1266 * capability; this may also change when we pull 1267 * aggregation up into net80211 1268 */ 1269 seqno = ni->ni_txseqs[tid]++; 1270 *(uint16_t *)wh->i_seq = 1271 htole16(seqno << IEEE80211_SEQ_SEQ_SHIFT); 1272 M_SEQNO_SET(m, seqno); 1273 } 1274 } else { 1275 seqno = ni->ni_txseqs[IEEE80211_NONQOS_TID]++; 1276 *(uint16_t *)wh->i_seq = 1277 htole16(seqno << IEEE80211_SEQ_SEQ_SHIFT); 1278 M_SEQNO_SET(m, seqno); 1279 } 1280 1281 1282 /* check if xmit fragmentation is required */ 1283 txfrag = (m->m_pkthdr.len > vap->iv_fragthreshold && 1284 !IEEE80211_IS_MULTICAST(wh->i_addr1) && 1285 (vap->iv_caps & IEEE80211_C_TXFRAG) && 1286 (m->m_flags & (M_FF | M_AMPDU_MPDU)) == 0); 1287 if (key != NULL) { 1288 /* 1289 * IEEE 802.1X: send EAPOL frames always in the clear. 1290 * WPA/WPA2: encrypt EAPOL keys when pairwise keys are set. 1291 */ 1292 if ((m->m_flags & M_EAPOL) == 0 || 1293 ((vap->iv_flags & IEEE80211_F_WPA) && 1294 (vap->iv_opmode == IEEE80211_M_STA ? 1295 !IEEE80211_KEY_UNDEFINED(key) : 1296 !IEEE80211_KEY_UNDEFINED(&ni->ni_ucastkey)))) { 1297 wh->i_fc[1] |= IEEE80211_FC1_WEP; 1298 if (!ieee80211_crypto_enmic(vap, key, m, txfrag)) { 1299 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_OUTPUT, 1300 eh.ether_dhost, 1301 "%s", "enmic failed, discard frame"); 1302 vap->iv_stats.is_crypto_enmicfail++; 1303 goto bad; 1304 } 1305 } 1306 } 1307 if (txfrag && !ieee80211_fragment(vap, m, hdrsize, 1308 key != NULL ? key->wk_cipher->ic_header : 0, vap->iv_fragthreshold)) 1309 goto bad; 1310 1311 m->m_flags |= M_ENCAP; /* mark encapsulated */ 1312 1313 IEEE80211_NODE_STAT(ni, tx_data); 1314 if (IEEE80211_IS_MULTICAST(wh->i_addr1)) { 1315 IEEE80211_NODE_STAT(ni, tx_mcast); 1316 m->m_flags |= M_MCAST; 1317 } else 1318 IEEE80211_NODE_STAT(ni, tx_ucast); 1319 IEEE80211_NODE_STAT_ADD(ni, tx_bytes, datalen); 1320 1321 return m; 1322bad: 1323 if (m != NULL) 1324 m_freem(m); 1325 return NULL; 1326#undef WH4 1327} 1328 1329/* 1330 * Fragment the frame according to the specified mtu. 1331 * The size of the 802.11 header (w/o padding) is provided 1332 * so we don't need to recalculate it. We create a new 1333 * mbuf for each fragment and chain it through m_nextpkt; 1334 * we might be able to optimize this by reusing the original 1335 * packet's mbufs but that is significantly more complicated. 1336 */ 1337static int 1338ieee80211_fragment(struct ieee80211vap *vap, struct mbuf *m0, 1339 u_int hdrsize, u_int ciphdrsize, u_int mtu) 1340{ 1341 struct ieee80211_frame *wh, *whf; 1342 struct mbuf *m, *prev, *next; 1343 u_int totalhdrsize, fragno, fragsize, off, remainder, payload; 1344 1345 KASSERT(m0->m_nextpkt == NULL, ("mbuf already chained?")); 1346 KASSERT(m0->m_pkthdr.len > mtu, 1347 ("pktlen %u mtu %u", m0->m_pkthdr.len, mtu)); 1348 1349 wh = mtod(m0, struct ieee80211_frame *); 1350 /* NB: mark the first frag; it will be propagated below */ 1351 wh->i_fc[1] |= IEEE80211_FC1_MORE_FRAG; 1352 totalhdrsize = hdrsize + ciphdrsize; 1353 fragno = 1; 1354 off = mtu - ciphdrsize; 1355 remainder = m0->m_pkthdr.len - off; 1356 prev = m0; 1357 do { 1358 fragsize = totalhdrsize + remainder; 1359 if (fragsize > mtu) 1360 fragsize = mtu; 1361 /* XXX fragsize can be >2048! */ 1362 KASSERT(fragsize < MCLBYTES, 1363 ("fragment size %u too big!", fragsize)); 1364 if (fragsize > MHLEN) 1365 m = m_getcl(M_DONTWAIT, MT_DATA, M_PKTHDR); 1366 else 1367 m = m_gethdr(M_DONTWAIT, MT_DATA); 1368 if (m == NULL) 1369 goto bad; 1370 /* leave room to prepend any cipher header */ 1371 m_align(m, fragsize - ciphdrsize); 1372 1373 /* 1374 * Form the header in the fragment. Note that since 1375 * we mark the first fragment with the MORE_FRAG bit 1376 * it automatically is propagated to each fragment; we 1377 * need only clear it on the last fragment (done below). 1378 */ 1379 whf = mtod(m, struct ieee80211_frame *); 1380 memcpy(whf, wh, hdrsize); 1381 *(uint16_t *)&whf->i_seq[0] |= htole16( 1382 (fragno & IEEE80211_SEQ_FRAG_MASK) << 1383 IEEE80211_SEQ_FRAG_SHIFT); 1384 fragno++; 1385 1386 payload = fragsize - totalhdrsize; 1387 /* NB: destination is known to be contiguous */ 1388 m_copydata(m0, off, payload, mtod(m, uint8_t *) + hdrsize); 1389 m->m_len = hdrsize + payload; 1390 m->m_pkthdr.len = hdrsize + payload; 1391 m->m_flags |= M_FRAG; 1392 1393 /* chain up the fragment */ 1394 prev->m_nextpkt = m; 1395 prev = m; 1396 1397 /* deduct fragment just formed */ 1398 remainder -= payload; 1399 off += payload; 1400 } while (remainder != 0); 1401 1402 /* set the last fragment */ 1403 m->m_flags |= M_LASTFRAG; 1404 whf->i_fc[1] &= ~IEEE80211_FC1_MORE_FRAG; 1405 1406 /* strip first mbuf now that everything has been copied */ 1407 m_adj(m0, -(m0->m_pkthdr.len - (mtu - ciphdrsize))); 1408 m0->m_flags |= M_FIRSTFRAG | M_FRAG; 1409 1410 vap->iv_stats.is_tx_fragframes++; 1411 vap->iv_stats.is_tx_frags += fragno-1; 1412 1413 return 1; 1414bad: 1415 /* reclaim fragments but leave original frame for caller to free */ 1416 for (m = m0->m_nextpkt; m != NULL; m = next) { 1417 next = m->m_nextpkt; 1418 m->m_nextpkt = NULL; /* XXX paranoid */ 1419 m_freem(m); 1420 } 1421 m0->m_nextpkt = NULL; 1422 return 0; 1423} 1424 1425/* 1426 * Add a supported rates element id to a frame. 1427 */ 1428uint8_t * 1429ieee80211_add_rates(uint8_t *frm, const struct ieee80211_rateset *rs) 1430{ 1431 int nrates; 1432 1433 *frm++ = IEEE80211_ELEMID_RATES; 1434 nrates = rs->rs_nrates; 1435 if (nrates > IEEE80211_RATE_SIZE) 1436 nrates = IEEE80211_RATE_SIZE; 1437 *frm++ = nrates; 1438 memcpy(frm, rs->rs_rates, nrates); 1439 return frm + nrates; 1440} 1441 1442/* 1443 * Add an extended supported rates element id to a frame. 1444 */ 1445uint8_t * 1446ieee80211_add_xrates(uint8_t *frm, const struct ieee80211_rateset *rs) 1447{ 1448 /* 1449 * Add an extended supported rates element if operating in 11g mode. 1450 */ 1451 if (rs->rs_nrates > IEEE80211_RATE_SIZE) { 1452 int nrates = rs->rs_nrates - IEEE80211_RATE_SIZE; 1453 *frm++ = IEEE80211_ELEMID_XRATES; 1454 *frm++ = nrates; 1455 memcpy(frm, rs->rs_rates + IEEE80211_RATE_SIZE, nrates); 1456 frm += nrates; 1457 } 1458 return frm; 1459} 1460 1461/* 1462 * Add an ssid element to a frame. 1463 */ 1464static uint8_t * 1465ieee80211_add_ssid(uint8_t *frm, const uint8_t *ssid, u_int len) 1466{ 1467 *frm++ = IEEE80211_ELEMID_SSID; 1468 *frm++ = len; 1469 memcpy(frm, ssid, len); 1470 return frm + len; 1471} 1472 1473/* 1474 * Add an erp element to a frame. 1475 */ 1476static uint8_t * 1477ieee80211_add_erp(uint8_t *frm, struct ieee80211com *ic) 1478{ 1479 uint8_t erp; 1480 1481 *frm++ = IEEE80211_ELEMID_ERP; 1482 *frm++ = 1; 1483 erp = 0; 1484 if (ic->ic_nonerpsta != 0) 1485 erp |= IEEE80211_ERP_NON_ERP_PRESENT; 1486 if (ic->ic_flags & IEEE80211_F_USEPROT) 1487 erp |= IEEE80211_ERP_USE_PROTECTION; 1488 if (ic->ic_flags & IEEE80211_F_USEBARKER) 1489 erp |= IEEE80211_ERP_LONG_PREAMBLE; 1490 *frm++ = erp; 1491 return frm; 1492} 1493 1494/* 1495 * Add a CFParams element to a frame. 1496 */ 1497static uint8_t * 1498ieee80211_add_cfparms(uint8_t *frm, struct ieee80211com *ic) 1499{ 1500#define ADDSHORT(frm, v) do { \ 1501 LE_WRITE_2(frm, v); \ 1502 frm += 2; \ 1503} while (0) 1504 *frm++ = IEEE80211_ELEMID_CFPARMS; 1505 *frm++ = 6; 1506 *frm++ = 0; /* CFP count */ 1507 *frm++ = 2; /* CFP period */ 1508 ADDSHORT(frm, 0); /* CFP MaxDuration (TU) */ 1509 ADDSHORT(frm, 0); /* CFP CurRemaining (TU) */ 1510 return frm; 1511#undef ADDSHORT 1512} 1513 1514static __inline uint8_t * 1515add_appie(uint8_t *frm, const struct ieee80211_appie *ie) 1516{ 1517 memcpy(frm, ie->ie_data, ie->ie_len); 1518 return frm + ie->ie_len; 1519} 1520 1521static __inline uint8_t * 1522add_ie(uint8_t *frm, const uint8_t *ie) 1523{ 1524 memcpy(frm, ie, 2 + ie[1]); 1525 return frm + 2 + ie[1]; 1526} 1527 1528#define WME_OUI_BYTES 0x00, 0x50, 0xf2 1529/* 1530 * Add a WME information element to a frame. 1531 */ 1532static uint8_t * 1533ieee80211_add_wme_info(uint8_t *frm, struct ieee80211_wme_state *wme) 1534{ 1535 static const struct ieee80211_wme_info info = { 1536 .wme_id = IEEE80211_ELEMID_VENDOR, 1537 .wme_len = sizeof(struct ieee80211_wme_info) - 2, 1538 .wme_oui = { WME_OUI_BYTES }, 1539 .wme_type = WME_OUI_TYPE, 1540 .wme_subtype = WME_INFO_OUI_SUBTYPE, 1541 .wme_version = WME_VERSION, 1542 .wme_info = 0, 1543 }; 1544 memcpy(frm, &info, sizeof(info)); 1545 return frm + sizeof(info); 1546} 1547 1548/* 1549 * Add a WME parameters element to a frame. 1550 */ 1551static uint8_t * 1552ieee80211_add_wme_param(uint8_t *frm, struct ieee80211_wme_state *wme) 1553{ 1554#define SM(_v, _f) (((_v) << _f##_S) & _f) 1555#define ADDSHORT(frm, v) do { \ 1556 LE_WRITE_2(frm, v); \ 1557 frm += 2; \ 1558} while (0) 1559 /* NB: this works 'cuz a param has an info at the front */ 1560 static const struct ieee80211_wme_info param = { 1561 .wme_id = IEEE80211_ELEMID_VENDOR, 1562 .wme_len = sizeof(struct ieee80211_wme_param) - 2, 1563 .wme_oui = { WME_OUI_BYTES }, 1564 .wme_type = WME_OUI_TYPE, 1565 .wme_subtype = WME_PARAM_OUI_SUBTYPE, 1566 .wme_version = WME_VERSION, 1567 }; 1568 int i; 1569 1570 memcpy(frm, ¶m, sizeof(param)); 1571 frm += __offsetof(struct ieee80211_wme_info, wme_info); 1572 *frm++ = wme->wme_bssChanParams.cap_info; /* AC info */ 1573 *frm++ = 0; /* reserved field */ 1574 for (i = 0; i < WME_NUM_AC; i++) { 1575 const struct wmeParams *ac = 1576 &wme->wme_bssChanParams.cap_wmeParams[i]; 1577 *frm++ = SM(i, WME_PARAM_ACI) 1578 | SM(ac->wmep_acm, WME_PARAM_ACM) 1579 | SM(ac->wmep_aifsn, WME_PARAM_AIFSN) 1580 ; 1581 *frm++ = SM(ac->wmep_logcwmax, WME_PARAM_LOGCWMAX) 1582 | SM(ac->wmep_logcwmin, WME_PARAM_LOGCWMIN) 1583 ; 1584 ADDSHORT(frm, ac->wmep_txopLimit); 1585 } 1586 return frm; 1587#undef SM 1588#undef ADDSHORT 1589} 1590#undef WME_OUI_BYTES 1591 1592/* 1593 * Add an 11h Power Constraint element to a frame. 1594 */ 1595static uint8_t * 1596ieee80211_add_powerconstraint(uint8_t *frm, struct ieee80211vap *vap) 1597{ 1598 const struct ieee80211_channel *c = vap->iv_bss->ni_chan; 1599 /* XXX per-vap tx power limit? */ 1600 int8_t limit = vap->iv_ic->ic_txpowlimit / 2; 1601 1602 frm[0] = IEEE80211_ELEMID_PWRCNSTR; 1603 frm[1] = 1; 1604 frm[2] = c->ic_maxregpower > limit ? c->ic_maxregpower - limit : 0; 1605 return frm + 3; 1606} 1607 1608/* 1609 * Add an 11h Power Capability element to a frame. 1610 */ 1611static uint8_t * 1612ieee80211_add_powercapability(uint8_t *frm, const struct ieee80211_channel *c) 1613{ 1614 frm[0] = IEEE80211_ELEMID_PWRCAP; 1615 frm[1] = 2; 1616 frm[2] = c->ic_minpower; 1617 frm[3] = c->ic_maxpower; 1618 return frm + 4; 1619} 1620 1621/* 1622 * Add an 11h Supported Channels element to a frame. 1623 */ 1624static uint8_t * 1625ieee80211_add_supportedchannels(uint8_t *frm, struct ieee80211com *ic) 1626{ 1627 static const int ielen = 26; 1628 1629 frm[0] = IEEE80211_ELEMID_SUPPCHAN; 1630 frm[1] = ielen; 1631 /* XXX not correct */ 1632 memcpy(frm+2, ic->ic_chan_avail, ielen); 1633 return frm + 2 + ielen; 1634} 1635 1636/* 1637 * Add an 11h Channel Switch Announcement element to a frame. 1638 * Note that we use the per-vap CSA count to adjust the global 1639 * counter so we can use this routine to form probe response 1640 * frames and get the current count. 1641 */ 1642static uint8_t * 1643ieee80211_add_csa(uint8_t *frm, struct ieee80211vap *vap) 1644{ 1645 struct ieee80211com *ic = vap->iv_ic; 1646 struct ieee80211_csa_ie *csa = (struct ieee80211_csa_ie *) frm; 1647 1648 csa->csa_ie = IEEE80211_ELEMID_CSA; 1649 csa->csa_len = 3; 1650 csa->csa_mode = 1; /* XXX force quiet on channel */ 1651 csa->csa_newchan = ieee80211_chan2ieee(ic, ic->ic_csa_newchan); 1652 csa->csa_count = ic->ic_csa_count - vap->iv_csa_count; 1653 return frm + sizeof(*csa); 1654} 1655 1656/* 1657 * Add an 11h country information element to a frame. 1658 */ 1659static uint8_t * 1660ieee80211_add_countryie(uint8_t *frm, struct ieee80211com *ic) 1661{ 1662 1663 if (ic->ic_countryie == NULL || 1664 ic->ic_countryie_chan != ic->ic_bsschan) { 1665 /* 1666 * Handle lazy construction of ie. This is done on 1667 * first use and after a channel change that requires 1668 * re-calculation. 1669 */ 1670 if (ic->ic_countryie != NULL) 1671 free(ic->ic_countryie, M_80211_NODE_IE); 1672 ic->ic_countryie = ieee80211_alloc_countryie(ic); 1673 if (ic->ic_countryie == NULL) 1674 return frm; 1675 ic->ic_countryie_chan = ic->ic_bsschan; 1676 } 1677 return add_appie(frm, ic->ic_countryie); 1678} 1679 1680/* 1681 * Send a probe request frame with the specified ssid 1682 * and any optional information element data. 1683 */ 1684int 1685ieee80211_send_probereq(struct ieee80211_node *ni, 1686 const uint8_t sa[IEEE80211_ADDR_LEN], 1687 const uint8_t da[IEEE80211_ADDR_LEN], 1688 const uint8_t bssid[IEEE80211_ADDR_LEN], 1689 const uint8_t *ssid, size_t ssidlen) 1690{ 1691 struct ieee80211vap *vap = ni->ni_vap; 1692 struct ieee80211com *ic = ni->ni_ic; 1693 const struct ieee80211_txparam *tp; 1694 struct ieee80211_bpf_params params; 1695 struct ieee80211_frame *wh; 1696 const struct ieee80211_rateset *rs; 1697 struct mbuf *m; 1698 uint8_t *frm; 1699 1700 if (vap->iv_state == IEEE80211_S_CAC) { 1701 IEEE80211_NOTE(vap, IEEE80211_MSG_OUTPUT, ni, 1702 "block %s frame in CAC state", "probe request"); 1703 vap->iv_stats.is_tx_badstate++; 1704 return EIO; /* XXX */ 1705 } 1706 1707 /* 1708 * Hold a reference on the node so it doesn't go away until after 1709 * the xmit is complete all the way in the driver. On error we 1710 * will remove our reference. 1711 */ 1712 IEEE80211_DPRINTF(vap, IEEE80211_MSG_NODE, 1713 "ieee80211_ref_node (%s:%u) %p<%s> refcnt %d\n", 1714 __func__, __LINE__, 1715 ni, ether_sprintf(ni->ni_macaddr), 1716 ieee80211_node_refcnt(ni)+1); 1717 ieee80211_ref_node(ni); 1718 1719 /* 1720 * prreq frame format 1721 * [tlv] ssid 1722 * [tlv] supported rates 1723 * [tlv] RSN (optional) 1724 * [tlv] extended supported rates 1725 * [tlv] WPA (optional) 1726 * [tlv] user-specified ie's 1727 */ 1728 m = ieee80211_getmgtframe(&frm, 1729 ic->ic_headroom + sizeof(struct ieee80211_frame), 1730 2 + IEEE80211_NWID_LEN 1731 + 2 + IEEE80211_RATE_SIZE 1732 + sizeof(struct ieee80211_ie_wpa) 1733 + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE) 1734 + sizeof(struct ieee80211_ie_wpa) 1735 + (vap->iv_appie_probereq != NULL ? 1736 vap->iv_appie_probereq->ie_len : 0) 1737 ); 1738 if (m == NULL) { 1739 vap->iv_stats.is_tx_nobuf++; 1740 ieee80211_free_node(ni); 1741 return ENOMEM; 1742 } 1743 1744 frm = ieee80211_add_ssid(frm, ssid, ssidlen); 1745 rs = ieee80211_get_suprates(ic, ic->ic_curchan); 1746 frm = ieee80211_add_rates(frm, rs); 1747 if (vap->iv_flags & IEEE80211_F_WPA2) { 1748 if (vap->iv_rsn_ie != NULL) 1749 frm = add_ie(frm, vap->iv_rsn_ie); 1750 /* XXX else complain? */ 1751 } 1752 frm = ieee80211_add_xrates(frm, rs); 1753 if (vap->iv_flags & IEEE80211_F_WPA1) { 1754 if (vap->iv_wpa_ie != NULL) 1755 frm = add_ie(frm, vap->iv_wpa_ie); 1756 /* XXX else complain? */ 1757 } 1758 if (vap->iv_appie_probereq != NULL) 1759 frm = add_appie(frm, vap->iv_appie_probereq); 1760 m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *); 1761 1762 KASSERT(M_LEADINGSPACE(m) >= sizeof(struct ieee80211_frame), 1763 ("leading space %zd", M_LEADINGSPACE(m))); 1764 M_PREPEND(m, sizeof(struct ieee80211_frame), M_DONTWAIT); 1765 if (m == NULL) { 1766 /* NB: cannot happen */ 1767 ieee80211_free_node(ni); 1768 return ENOMEM; 1769 } 1770 1771 wh = mtod(m, struct ieee80211_frame *); 1772 ieee80211_send_setup(ni, m, 1773 IEEE80211_FC0_TYPE_MGT | IEEE80211_FC0_SUBTYPE_PROBE_REQ, 1774 IEEE80211_NONQOS_TID, sa, da, bssid); 1775 /* XXX power management? */ 1776 m->m_flags |= M_ENCAP; /* mark encapsulated */ 1777 1778 M_WME_SETAC(m, WME_AC_BE); 1779 1780 IEEE80211_NODE_STAT(ni, tx_probereq); 1781 IEEE80211_NODE_STAT(ni, tx_mgmt); 1782 1783 IEEE80211_DPRINTF(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_DUMPPKTS, 1784 "send probe req on channel %u bssid %s ssid \"%.*s\"\n", 1785 ieee80211_chan2ieee(ic, ic->ic_curchan), ether_sprintf(bssid), 1786 ssidlen, ssid); 1787 1788 memset(¶ms, 0, sizeof(params)); 1789 params.ibp_pri = M_WME_GETAC(m); 1790 tp = &vap->iv_txparms[ieee80211_chan2mode(ic->ic_curchan)]; 1791 params.ibp_rate0 = tp->mgmtrate; 1792 if (IEEE80211_IS_MULTICAST(da)) { 1793 params.ibp_flags |= IEEE80211_BPF_NOACK; 1794 params.ibp_try0 = 1; 1795 } else 1796 params.ibp_try0 = tp->maxretry; 1797 params.ibp_power = ni->ni_txpower; 1798 return ic->ic_raw_xmit(ni, m, ¶ms); 1799} 1800 1801/* 1802 * Calculate capability information for mgt frames. 1803 */ 1804uint16_t 1805ieee80211_getcapinfo(struct ieee80211vap *vap, struct ieee80211_channel *chan) 1806{ 1807 struct ieee80211com *ic = vap->iv_ic; 1808 uint16_t capinfo; 1809 1810 KASSERT(vap->iv_opmode != IEEE80211_M_STA, ("station mode")); 1811 1812 if (vap->iv_opmode == IEEE80211_M_HOSTAP) 1813 capinfo = IEEE80211_CAPINFO_ESS; 1814 else if (vap->iv_opmode == IEEE80211_M_IBSS) 1815 capinfo = IEEE80211_CAPINFO_IBSS; 1816 else 1817 capinfo = 0; 1818 if (vap->iv_flags & IEEE80211_F_PRIVACY) 1819 capinfo |= IEEE80211_CAPINFO_PRIVACY; 1820 if ((ic->ic_flags & IEEE80211_F_SHPREAMBLE) && 1821 IEEE80211_IS_CHAN_2GHZ(chan)) 1822 capinfo |= IEEE80211_CAPINFO_SHORT_PREAMBLE; 1823 if (ic->ic_flags & IEEE80211_F_SHSLOT) 1824 capinfo |= IEEE80211_CAPINFO_SHORT_SLOTTIME; 1825 if (IEEE80211_IS_CHAN_5GHZ(chan) && (vap->iv_flags & IEEE80211_F_DOTH)) 1826 capinfo |= IEEE80211_CAPINFO_SPECTRUM_MGMT; 1827 return capinfo; 1828} 1829 1830/* 1831 * Send a management frame. The node is for the destination (or ic_bss 1832 * when in station mode). Nodes other than ic_bss have their reference 1833 * count bumped to reflect our use for an indeterminant time. 1834 */ 1835int 1836ieee80211_send_mgmt(struct ieee80211_node *ni, int type, int arg) 1837{ 1838#define HTFLAGS (IEEE80211_NODE_HT | IEEE80211_NODE_HTCOMPAT) 1839#define senderr(_x, _v) do { vap->iv_stats._v++; ret = _x; goto bad; } while (0) 1840 struct ieee80211vap *vap = ni->ni_vap; 1841 struct ieee80211com *ic = ni->ni_ic; 1842 struct ieee80211_node *bss = vap->iv_bss; 1843 struct ieee80211_bpf_params params; 1844 struct mbuf *m; 1845 uint8_t *frm; 1846 uint16_t capinfo; 1847 int has_challenge, is_shared_key, ret, status; 1848 1849 KASSERT(ni != NULL, ("null node")); 1850 1851 /* 1852 * Hold a reference on the node so it doesn't go away until after 1853 * the xmit is complete all the way in the driver. On error we 1854 * will remove our reference. 1855 */ 1856 IEEE80211_DPRINTF(vap, IEEE80211_MSG_NODE, 1857 "ieee80211_ref_node (%s:%u) %p<%s> refcnt %d\n", 1858 __func__, __LINE__, 1859 ni, ether_sprintf(ni->ni_macaddr), 1860 ieee80211_node_refcnt(ni)+1); 1861 ieee80211_ref_node(ni); 1862 1863 memset(¶ms, 0, sizeof(params)); 1864 switch (type) { 1865 1866 case IEEE80211_FC0_SUBTYPE_AUTH: 1867 status = arg >> 16; 1868 arg &= 0xffff; 1869 has_challenge = ((arg == IEEE80211_AUTH_SHARED_CHALLENGE || 1870 arg == IEEE80211_AUTH_SHARED_RESPONSE) && 1871 ni->ni_challenge != NULL); 1872 1873 /* 1874 * Deduce whether we're doing open authentication or 1875 * shared key authentication. We do the latter if 1876 * we're in the middle of a shared key authentication 1877 * handshake or if we're initiating an authentication 1878 * request and configured to use shared key. 1879 */ 1880 is_shared_key = has_challenge || 1881 arg >= IEEE80211_AUTH_SHARED_RESPONSE || 1882 (arg == IEEE80211_AUTH_SHARED_REQUEST && 1883 bss->ni_authmode == IEEE80211_AUTH_SHARED); 1884 1885 m = ieee80211_getmgtframe(&frm, 1886 ic->ic_headroom + sizeof(struct ieee80211_frame), 1887 3 * sizeof(uint16_t) 1888 + (has_challenge && status == IEEE80211_STATUS_SUCCESS ? 1889 sizeof(uint16_t)+IEEE80211_CHALLENGE_LEN : 0) 1890 ); 1891 if (m == NULL) 1892 senderr(ENOMEM, is_tx_nobuf); 1893 1894 ((uint16_t *)frm)[0] = 1895 (is_shared_key) ? htole16(IEEE80211_AUTH_ALG_SHARED) 1896 : htole16(IEEE80211_AUTH_ALG_OPEN); 1897 ((uint16_t *)frm)[1] = htole16(arg); /* sequence number */ 1898 ((uint16_t *)frm)[2] = htole16(status);/* status */ 1899 1900 if (has_challenge && status == IEEE80211_STATUS_SUCCESS) { 1901 ((uint16_t *)frm)[3] = 1902 htole16((IEEE80211_CHALLENGE_LEN << 8) | 1903 IEEE80211_ELEMID_CHALLENGE); 1904 memcpy(&((uint16_t *)frm)[4], ni->ni_challenge, 1905 IEEE80211_CHALLENGE_LEN); 1906 m->m_pkthdr.len = m->m_len = 1907 4 * sizeof(uint16_t) + IEEE80211_CHALLENGE_LEN; 1908 if (arg == IEEE80211_AUTH_SHARED_RESPONSE) { 1909 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni, 1910 "request encrypt frame (%s)", __func__); 1911 /* mark frame for encryption */ 1912 params.ibp_flags |= IEEE80211_BPF_CRYPTO; 1913 } 1914 } else 1915 m->m_pkthdr.len = m->m_len = 3 * sizeof(uint16_t); 1916 1917 /* XXX not right for shared key */ 1918 if (status == IEEE80211_STATUS_SUCCESS) 1919 IEEE80211_NODE_STAT(ni, tx_auth); 1920 else 1921 IEEE80211_NODE_STAT(ni, tx_auth_fail); 1922 1923 if (vap->iv_opmode == IEEE80211_M_STA) 1924 ieee80211_add_callback(m, ieee80211_tx_mgt_cb, 1925 (void *) vap->iv_state); 1926 break; 1927 1928 case IEEE80211_FC0_SUBTYPE_DEAUTH: 1929 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni, 1930 "send station deauthenticate (reason %d)", arg); 1931 m = ieee80211_getmgtframe(&frm, 1932 ic->ic_headroom + sizeof(struct ieee80211_frame), 1933 sizeof(uint16_t)); 1934 if (m == NULL) 1935 senderr(ENOMEM, is_tx_nobuf); 1936 *(uint16_t *)frm = htole16(arg); /* reason */ 1937 m->m_pkthdr.len = m->m_len = sizeof(uint16_t); 1938 1939 IEEE80211_NODE_STAT(ni, tx_deauth); 1940 IEEE80211_NODE_STAT_SET(ni, tx_deauth_code, arg); 1941 1942 ieee80211_node_unauthorize(ni); /* port closed */ 1943 break; 1944 1945 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 1946 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: 1947 /* 1948 * asreq frame format 1949 * [2] capability information 1950 * [2] listen interval 1951 * [6*] current AP address (reassoc only) 1952 * [tlv] ssid 1953 * [tlv] supported rates 1954 * [tlv] extended supported rates 1955 * [4] power capability (optional) 1956 * [28] supported channels (optional) 1957 * [tlv] HT capabilities 1958 * [tlv] WME (optional) 1959 * [tlv] Vendor OUI HT capabilities (optional) 1960 * [tlv] Atheros capabilities (if negotiated) 1961 * [tlv] AppIE's (optional) 1962 */ 1963 m = ieee80211_getmgtframe(&frm, 1964 ic->ic_headroom + sizeof(struct ieee80211_frame), 1965 sizeof(uint16_t) 1966 + sizeof(uint16_t) 1967 + IEEE80211_ADDR_LEN 1968 + 2 + IEEE80211_NWID_LEN 1969 + 2 + IEEE80211_RATE_SIZE 1970 + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE) 1971 + 4 1972 + 2 + 26 1973 + sizeof(struct ieee80211_wme_info) 1974 + sizeof(struct ieee80211_ie_htcap) 1975 + 4 + sizeof(struct ieee80211_ie_htcap) 1976#ifdef IEEE80211_SUPPORT_SUPERG 1977 + sizeof(struct ieee80211_ath_ie) 1978#endif 1979 + (vap->iv_appie_wpa != NULL ? 1980 vap->iv_appie_wpa->ie_len : 0) 1981 + (vap->iv_appie_assocreq != NULL ? 1982 vap->iv_appie_assocreq->ie_len : 0) 1983 ); 1984 if (m == NULL) 1985 senderr(ENOMEM, is_tx_nobuf); 1986 1987 KASSERT(vap->iv_opmode == IEEE80211_M_STA, 1988 ("wrong mode %u", vap->iv_opmode)); 1989 capinfo = IEEE80211_CAPINFO_ESS; 1990 if (vap->iv_flags & IEEE80211_F_PRIVACY) 1991 capinfo |= IEEE80211_CAPINFO_PRIVACY; 1992 /* 1993 * NB: Some 11a AP's reject the request when 1994 * short premable is set. 1995 */ 1996 if ((ic->ic_flags & IEEE80211_F_SHPREAMBLE) && 1997 IEEE80211_IS_CHAN_2GHZ(ic->ic_curchan)) 1998 capinfo |= IEEE80211_CAPINFO_SHORT_PREAMBLE; 1999 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) && 2000 (ic->ic_caps & IEEE80211_C_SHSLOT)) 2001 capinfo |= IEEE80211_CAPINFO_SHORT_SLOTTIME; 2002 if ((ni->ni_capinfo & IEEE80211_CAPINFO_SPECTRUM_MGMT) && 2003 (vap->iv_flags & IEEE80211_F_DOTH)) 2004 capinfo |= IEEE80211_CAPINFO_SPECTRUM_MGMT; 2005 *(uint16_t *)frm = htole16(capinfo); 2006 frm += 2; 2007 2008 KASSERT(bss->ni_intval != 0, ("beacon interval is zero!")); 2009 *(uint16_t *)frm = htole16(howmany(ic->ic_lintval, 2010 bss->ni_intval)); 2011 frm += 2; 2012 2013 if (type == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) { 2014 IEEE80211_ADDR_COPY(frm, bss->ni_bssid); 2015 frm += IEEE80211_ADDR_LEN; 2016 } 2017 2018 frm = ieee80211_add_ssid(frm, ni->ni_essid, ni->ni_esslen); 2019 frm = ieee80211_add_rates(frm, &ni->ni_rates); 2020 if (vap->iv_flags & IEEE80211_F_WPA2) { 2021 if (vap->iv_rsn_ie != NULL) 2022 frm = add_ie(frm, vap->iv_rsn_ie); 2023 /* XXX else complain? */ 2024 } 2025 frm = ieee80211_add_xrates(frm, &ni->ni_rates); 2026 if (capinfo & IEEE80211_CAPINFO_SPECTRUM_MGMT) { 2027 frm = ieee80211_add_powercapability(frm, 2028 ic->ic_curchan); 2029 frm = ieee80211_add_supportedchannels(frm, ic); 2030 } 2031 if ((vap->iv_flags_ht & IEEE80211_FHT_HT) && 2032 ni->ni_ies.htcap_ie != NULL && 2033 ni->ni_ies.htcap_ie[0] == IEEE80211_ELEMID_HTCAP) 2034 frm = ieee80211_add_htcap(frm, ni); 2035 if (vap->iv_flags & IEEE80211_F_WPA1) { 2036 if (vap->iv_wpa_ie != NULL) 2037 frm = add_ie(frm, vap->iv_wpa_ie); 2038 /* XXX else complain */ 2039 } 2040 if ((ic->ic_flags & IEEE80211_F_WME) && 2041 ni->ni_ies.wme_ie != NULL) 2042 frm = ieee80211_add_wme_info(frm, &ic->ic_wme); 2043 if ((vap->iv_flags_ht & IEEE80211_FHT_HT) && 2044 ni->ni_ies.htcap_ie != NULL && 2045 ni->ni_ies.htcap_ie[0] == IEEE80211_ELEMID_VENDOR) 2046 frm = ieee80211_add_htcap_vendor(frm, ni); 2047#ifdef IEEE80211_SUPPORT_SUPERG 2048 if (IEEE80211_ATH_CAP(vap, ni, IEEE80211_F_ATHEROS)) { 2049 frm = ieee80211_add_ath(frm, 2050 IEEE80211_ATH_CAP(vap, ni, IEEE80211_F_ATHEROS), 2051 ((vap->iv_flags & IEEE80211_F_WPA) == 0 && 2052 ni->ni_authmode != IEEE80211_AUTH_8021X) ? 2053 vap->iv_def_txkey : IEEE80211_KEYIX_NONE); 2054 } 2055#endif /* IEEE80211_SUPPORT_SUPERG */ 2056 if (vap->iv_appie_assocreq != NULL) 2057 frm = add_appie(frm, vap->iv_appie_assocreq); 2058 m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *); 2059 2060 ieee80211_add_callback(m, ieee80211_tx_mgt_cb, 2061 (void *) vap->iv_state); 2062 break; 2063 2064 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 2065 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 2066 /* 2067 * asresp frame format 2068 * [2] capability information 2069 * [2] status 2070 * [2] association ID 2071 * [tlv] supported rates 2072 * [tlv] extended supported rates 2073 * [tlv] HT capabilities (standard, if STA enabled) 2074 * [tlv] HT information (standard, if STA enabled) 2075 * [tlv] WME (if configured and STA enabled) 2076 * [tlv] HT capabilities (vendor OUI, if STA enabled) 2077 * [tlv] HT information (vendor OUI, if STA enabled) 2078 * [tlv] Atheros capabilities (if STA enabled) 2079 * [tlv] AppIE's (optional) 2080 */ 2081 m = ieee80211_getmgtframe(&frm, 2082 ic->ic_headroom + sizeof(struct ieee80211_frame), 2083 sizeof(uint16_t) 2084 + sizeof(uint16_t) 2085 + sizeof(uint16_t) 2086 + 2 + IEEE80211_RATE_SIZE 2087 + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE) 2088 + sizeof(struct ieee80211_ie_htcap) + 4 2089 + sizeof(struct ieee80211_ie_htinfo) + 4 2090 + sizeof(struct ieee80211_wme_param) 2091#ifdef IEEE80211_SUPPORT_SUPERG 2092 + sizeof(struct ieee80211_ath_ie) 2093#endif 2094 + (vap->iv_appie_assocresp != NULL ? 2095 vap->iv_appie_assocresp->ie_len : 0) 2096 ); 2097 if (m == NULL) 2098 senderr(ENOMEM, is_tx_nobuf); 2099 2100 capinfo = ieee80211_getcapinfo(vap, bss->ni_chan); 2101 *(uint16_t *)frm = htole16(capinfo); 2102 frm += 2; 2103 2104 *(uint16_t *)frm = htole16(arg); /* status */ 2105 frm += 2; 2106 2107 if (arg == IEEE80211_STATUS_SUCCESS) { 2108 *(uint16_t *)frm = htole16(ni->ni_associd); 2109 IEEE80211_NODE_STAT(ni, tx_assoc); 2110 } else 2111 IEEE80211_NODE_STAT(ni, tx_assoc_fail); 2112 frm += 2; 2113 2114 frm = ieee80211_add_rates(frm, &ni->ni_rates); 2115 frm = ieee80211_add_xrates(frm, &ni->ni_rates); 2116 /* NB: respond according to what we received */ 2117 if ((ni->ni_flags & HTFLAGS) == IEEE80211_NODE_HT) { 2118 frm = ieee80211_add_htcap(frm, ni); 2119 frm = ieee80211_add_htinfo(frm, ni); 2120 } 2121 if ((vap->iv_flags & IEEE80211_F_WME) && 2122 ni->ni_ies.wme_ie != NULL) 2123 frm = ieee80211_add_wme_param(frm, &ic->ic_wme); 2124 if ((ni->ni_flags & HTFLAGS) == HTFLAGS) { 2125 frm = ieee80211_add_htcap_vendor(frm, ni); 2126 frm = ieee80211_add_htinfo_vendor(frm, ni); 2127 } 2128#ifdef IEEE80211_SUPPORT_SUPERG 2129 if (IEEE80211_ATH_CAP(vap, ni, IEEE80211_F_ATHEROS)) 2130 frm = ieee80211_add_ath(frm, 2131 IEEE80211_ATH_CAP(vap, ni, IEEE80211_F_ATHEROS), 2132 ((vap->iv_flags & IEEE80211_F_WPA) == 0 && 2133 ni->ni_authmode != IEEE80211_AUTH_8021X) ? 2134 vap->iv_def_txkey : IEEE80211_KEYIX_NONE); 2135#endif /* IEEE80211_SUPPORT_SUPERG */ 2136 if (vap->iv_appie_assocresp != NULL) 2137 frm = add_appie(frm, vap->iv_appie_assocresp); 2138 m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *); 2139 break; 2140 2141 case IEEE80211_FC0_SUBTYPE_DISASSOC: 2142 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni, 2143 "send station disassociate (reason %d)", arg); 2144 m = ieee80211_getmgtframe(&frm, 2145 ic->ic_headroom + sizeof(struct ieee80211_frame), 2146 sizeof(uint16_t)); 2147 if (m == NULL) 2148 senderr(ENOMEM, is_tx_nobuf); 2149 *(uint16_t *)frm = htole16(arg); /* reason */ 2150 m->m_pkthdr.len = m->m_len = sizeof(uint16_t); 2151 2152 IEEE80211_NODE_STAT(ni, tx_disassoc); 2153 IEEE80211_NODE_STAT_SET(ni, tx_disassoc_code, arg); 2154 break; 2155 2156 default: 2157 IEEE80211_NOTE(vap, IEEE80211_MSG_ANY, ni, 2158 "invalid mgmt frame type %u", type); 2159 senderr(EINVAL, is_tx_unknownmgt); 2160 /* NOTREACHED */ 2161 } 2162 2163 /* NB: force non-ProbeResp frames to the highest queue */ 2164 params.ibp_pri = WME_AC_VO; 2165 params.ibp_rate0 = bss->ni_txparms->mgmtrate; 2166 /* NB: we know all frames are unicast */ 2167 params.ibp_try0 = bss->ni_txparms->maxretry; 2168 params.ibp_power = bss->ni_txpower; 2169 return ieee80211_mgmt_output(ni, m, type, ¶ms); 2170bad: 2171 ieee80211_free_node(ni); 2172 return ret; 2173#undef senderr 2174#undef HTFLAGS 2175} 2176 2177/* 2178 * Return an mbuf with a probe response frame in it. 2179 * Space is left to prepend and 802.11 header at the 2180 * front but it's left to the caller to fill in. 2181 */ 2182struct mbuf * 2183ieee80211_alloc_proberesp(struct ieee80211_node *bss, int legacy) 2184{ 2185 struct ieee80211vap *vap = bss->ni_vap; 2186 struct ieee80211com *ic = bss->ni_ic; 2187 const struct ieee80211_rateset *rs; 2188 struct mbuf *m; 2189 uint16_t capinfo; 2190 uint8_t *frm; 2191 2192 /* 2193 * probe response frame format 2194 * [8] time stamp 2195 * [2] beacon interval 2196 * [2] cabability information 2197 * [tlv] ssid 2198 * [tlv] supported rates 2199 * [tlv] parameter set (FH/DS) 2200 * [tlv] parameter set (IBSS) 2201 * [tlv] country (optional) 2202 * [3] power control (optional) 2203 * [5] channel switch announcement (CSA) (optional) 2204 * [tlv] extended rate phy (ERP) 2205 * [tlv] extended supported rates 2206 * [tlv] RSN (optional) 2207 * [tlv] HT capabilities 2208 * [tlv] HT information 2209 * [tlv] WPA (optional) 2210 * [tlv] WME (optional) 2211 * [tlv] Vendor OUI HT capabilities (optional) 2212 * [tlv] Vendor OUI HT information (optional) 2213 * [tlv] Atheros capabilities 2214 * [tlv] AppIE's (optional) 2215 * [tlv] Mesh ID (MBSS) 2216 * [tlv] Mesh Conf (MBSS) 2217 */ 2218 m = ieee80211_getmgtframe(&frm, 2219 ic->ic_headroom + sizeof(struct ieee80211_frame), 2220 8 2221 + sizeof(uint16_t) 2222 + sizeof(uint16_t) 2223 + 2 + IEEE80211_NWID_LEN 2224 + 2 + IEEE80211_RATE_SIZE 2225 + 7 /* max(7,3) */ 2226 + IEEE80211_COUNTRY_MAX_SIZE 2227 + 3 2228 + sizeof(struct ieee80211_csa_ie) 2229 + 3 2230 + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE) 2231 + sizeof(struct ieee80211_ie_wpa) 2232 + sizeof(struct ieee80211_ie_htcap) 2233 + sizeof(struct ieee80211_ie_htinfo) 2234 + sizeof(struct ieee80211_ie_wpa) 2235 + sizeof(struct ieee80211_wme_param) 2236 + 4 + sizeof(struct ieee80211_ie_htcap) 2237 + 4 + sizeof(struct ieee80211_ie_htinfo) 2238#ifdef IEEE80211_SUPPORT_SUPERG 2239 + sizeof(struct ieee80211_ath_ie) 2240#endif 2241#ifdef IEEE80211_SUPPORT_MESH 2242 + 2 + IEEE80211_MESHID_LEN 2243 + sizeof(struct ieee80211_meshconf_ie) 2244#endif 2245 + (vap->iv_appie_proberesp != NULL ? 2246 vap->iv_appie_proberesp->ie_len : 0) 2247 ); 2248 if (m == NULL) { 2249 vap->iv_stats.is_tx_nobuf++; 2250 return NULL; 2251 } 2252 2253 memset(frm, 0, 8); /* timestamp should be filled later */ 2254 frm += 8; 2255 *(uint16_t *)frm = htole16(bss->ni_intval); 2256 frm += 2; 2257 capinfo = ieee80211_getcapinfo(vap, bss->ni_chan); 2258 *(uint16_t *)frm = htole16(capinfo); 2259 frm += 2; 2260 2261 frm = ieee80211_add_ssid(frm, bss->ni_essid, bss->ni_esslen); 2262 rs = ieee80211_get_suprates(ic, bss->ni_chan); 2263 frm = ieee80211_add_rates(frm, rs); 2264 2265 if (IEEE80211_IS_CHAN_FHSS(bss->ni_chan)) { 2266 *frm++ = IEEE80211_ELEMID_FHPARMS; 2267 *frm++ = 5; 2268 *frm++ = bss->ni_fhdwell & 0x00ff; 2269 *frm++ = (bss->ni_fhdwell >> 8) & 0x00ff; 2270 *frm++ = IEEE80211_FH_CHANSET( 2271 ieee80211_chan2ieee(ic, bss->ni_chan)); 2272 *frm++ = IEEE80211_FH_CHANPAT( 2273 ieee80211_chan2ieee(ic, bss->ni_chan)); 2274 *frm++ = bss->ni_fhindex; 2275 } else { 2276 *frm++ = IEEE80211_ELEMID_DSPARMS; 2277 *frm++ = 1; 2278 *frm++ = ieee80211_chan2ieee(ic, bss->ni_chan); 2279 } 2280 2281 if (vap->iv_opmode == IEEE80211_M_IBSS) { 2282 *frm++ = IEEE80211_ELEMID_IBSSPARMS; 2283 *frm++ = 2; 2284 *frm++ = 0; *frm++ = 0; /* TODO: ATIM window */ 2285 } 2286 if ((vap->iv_flags & IEEE80211_F_DOTH) || 2287 (vap->iv_flags_ext & IEEE80211_FEXT_DOTD)) 2288 frm = ieee80211_add_countryie(frm, ic); 2289 if (vap->iv_flags & IEEE80211_F_DOTH) { 2290 if (IEEE80211_IS_CHAN_5GHZ(bss->ni_chan)) 2291 frm = ieee80211_add_powerconstraint(frm, vap); 2292 if (ic->ic_flags & IEEE80211_F_CSAPENDING) 2293 frm = ieee80211_add_csa(frm, vap); 2294 } 2295 if (IEEE80211_IS_CHAN_ANYG(bss->ni_chan)) 2296 frm = ieee80211_add_erp(frm, ic); 2297 frm = ieee80211_add_xrates(frm, rs); 2298 if (vap->iv_flags & IEEE80211_F_WPA2) { 2299 if (vap->iv_rsn_ie != NULL) 2300 frm = add_ie(frm, vap->iv_rsn_ie); 2301 /* XXX else complain? */ 2302 } 2303 /* 2304 * NB: legacy 11b clients do not get certain ie's. 2305 * The caller identifies such clients by passing 2306 * a token in legacy to us. Could expand this to be 2307 * any legacy client for stuff like HT ie's. 2308 */ 2309 if (IEEE80211_IS_CHAN_HT(bss->ni_chan) && 2310 legacy != IEEE80211_SEND_LEGACY_11B) { 2311 frm = ieee80211_add_htcap(frm, bss); 2312 frm = ieee80211_add_htinfo(frm, bss); 2313 } 2314 if (vap->iv_flags & IEEE80211_F_WPA1) { 2315 if (vap->iv_wpa_ie != NULL) 2316 frm = add_ie(frm, vap->iv_wpa_ie); 2317 /* XXX else complain? */ 2318 } 2319 if (vap->iv_flags & IEEE80211_F_WME) 2320 frm = ieee80211_add_wme_param(frm, &ic->ic_wme); 2321 if (IEEE80211_IS_CHAN_HT(bss->ni_chan) && 2322 (vap->iv_flags_ht & IEEE80211_FHT_HTCOMPAT) && 2323 legacy != IEEE80211_SEND_LEGACY_11B) { 2324 frm = ieee80211_add_htcap_vendor(frm, bss); 2325 frm = ieee80211_add_htinfo_vendor(frm, bss); 2326 } 2327#ifdef IEEE80211_SUPPORT_SUPERG 2328 if ((vap->iv_flags & IEEE80211_F_ATHEROS) && 2329 legacy != IEEE80211_SEND_LEGACY_11B) 2330 frm = ieee80211_add_athcaps(frm, bss); 2331#endif 2332 if (vap->iv_appie_proberesp != NULL) 2333 frm = add_appie(frm, vap->iv_appie_proberesp); 2334#ifdef IEEE80211_SUPPORT_MESH 2335 if (vap->iv_opmode == IEEE80211_M_MBSS) { 2336 frm = ieee80211_add_meshid(frm, vap); 2337 frm = ieee80211_add_meshconf(frm, vap); 2338 } 2339#endif 2340 m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *); 2341 2342 return m; 2343} 2344 2345/* 2346 * Send a probe response frame to the specified mac address. 2347 * This does not go through the normal mgt frame api so we 2348 * can specify the destination address and re-use the bss node 2349 * for the sta reference. 2350 */ 2351int 2352ieee80211_send_proberesp(struct ieee80211vap *vap, 2353 const uint8_t da[IEEE80211_ADDR_LEN], int legacy) 2354{ 2355 struct ieee80211_node *bss = vap->iv_bss; 2356 struct ieee80211com *ic = vap->iv_ic; 2357 struct ieee80211_frame *wh; 2358 struct mbuf *m; 2359 2360 if (vap->iv_state == IEEE80211_S_CAC) { 2361 IEEE80211_NOTE(vap, IEEE80211_MSG_OUTPUT, bss, 2362 "block %s frame in CAC state", "probe response"); 2363 vap->iv_stats.is_tx_badstate++; 2364 return EIO; /* XXX */ 2365 } 2366 2367 /* 2368 * Hold a reference on the node so it doesn't go away until after 2369 * the xmit is complete all the way in the driver. On error we 2370 * will remove our reference. 2371 */ 2372 IEEE80211_DPRINTF(vap, IEEE80211_MSG_NODE, 2373 "ieee80211_ref_node (%s:%u) %p<%s> refcnt %d\n", 2374 __func__, __LINE__, bss, ether_sprintf(bss->ni_macaddr), 2375 ieee80211_node_refcnt(bss)+1); 2376 ieee80211_ref_node(bss); 2377 2378 m = ieee80211_alloc_proberesp(bss, legacy); 2379 if (m == NULL) { 2380 ieee80211_free_node(bss); 2381 return ENOMEM; 2382 } 2383 2384 M_PREPEND(m, sizeof(struct ieee80211_frame), M_DONTWAIT); 2385 KASSERT(m != NULL, ("no room for header")); 2386 2387 wh = mtod(m, struct ieee80211_frame *); 2388 ieee80211_send_setup(bss, m, 2389 IEEE80211_FC0_TYPE_MGT | IEEE80211_FC0_SUBTYPE_PROBE_RESP, 2390 IEEE80211_NONQOS_TID, vap->iv_myaddr, da, bss->ni_bssid); 2391 /* XXX power management? */ 2392 m->m_flags |= M_ENCAP; /* mark encapsulated */ 2393 2394 M_WME_SETAC(m, WME_AC_BE); 2395 2396 IEEE80211_DPRINTF(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_DUMPPKTS, 2397 "send probe resp on channel %u to %s%s\n", 2398 ieee80211_chan2ieee(ic, ic->ic_curchan), ether_sprintf(da), 2399 legacy ? " <legacy>" : ""); 2400 IEEE80211_NODE_STAT(bss, tx_mgmt); 2401 2402 return ic->ic_raw_xmit(bss, m, NULL); 2403} 2404 2405/* 2406 * Allocate and build a RTS (Request To Send) control frame. 2407 */ 2408struct mbuf * 2409ieee80211_alloc_rts(struct ieee80211com *ic, 2410 const uint8_t ra[IEEE80211_ADDR_LEN], 2411 const uint8_t ta[IEEE80211_ADDR_LEN], 2412 uint16_t dur) 2413{ 2414 struct ieee80211_frame_rts *rts; 2415 struct mbuf *m; 2416 2417 /* XXX honor ic_headroom */ 2418 m = m_gethdr(M_DONTWAIT, MT_DATA); 2419 if (m != NULL) { 2420 rts = mtod(m, struct ieee80211_frame_rts *); 2421 rts->i_fc[0] = IEEE80211_FC0_VERSION_0 | 2422 IEEE80211_FC0_TYPE_CTL | IEEE80211_FC0_SUBTYPE_RTS; 2423 rts->i_fc[1] = IEEE80211_FC1_DIR_NODS; 2424 *(u_int16_t *)rts->i_dur = htole16(dur); 2425 IEEE80211_ADDR_COPY(rts->i_ra, ra); 2426 IEEE80211_ADDR_COPY(rts->i_ta, ta); 2427 2428 m->m_pkthdr.len = m->m_len = sizeof(struct ieee80211_frame_rts); 2429 } 2430 return m; 2431} 2432 2433/* 2434 * Allocate and build a CTS (Clear To Send) control frame. 2435 */ 2436struct mbuf * 2437ieee80211_alloc_cts(struct ieee80211com *ic, 2438 const uint8_t ra[IEEE80211_ADDR_LEN], uint16_t dur) 2439{ 2440 struct ieee80211_frame_cts *cts; 2441 struct mbuf *m; 2442 2443 /* XXX honor ic_headroom */ 2444 m = m_gethdr(M_DONTWAIT, MT_DATA); 2445 if (m != NULL) { 2446 cts = mtod(m, struct ieee80211_frame_cts *); 2447 cts->i_fc[0] = IEEE80211_FC0_VERSION_0 | 2448 IEEE80211_FC0_TYPE_CTL | IEEE80211_FC0_SUBTYPE_CTS; 2449 cts->i_fc[1] = IEEE80211_FC1_DIR_NODS; 2450 *(u_int16_t *)cts->i_dur = htole16(dur); 2451 IEEE80211_ADDR_COPY(cts->i_ra, ra); 2452 2453 m->m_pkthdr.len = m->m_len = sizeof(struct ieee80211_frame_cts); 2454 } 2455 return m; 2456} 2457 2458static void 2459ieee80211_tx_mgt_timeout(void *arg) 2460{ 2461 struct ieee80211_node *ni = arg; 2462 struct ieee80211vap *vap = ni->ni_vap; 2463 2464 if (vap->iv_state != IEEE80211_S_INIT && 2465 (vap->iv_ic->ic_flags & IEEE80211_F_SCAN) == 0) { 2466 /* 2467 * NB: it's safe to specify a timeout as the reason here; 2468 * it'll only be used in the right state. 2469 */ 2470 ieee80211_new_state(vap, IEEE80211_S_SCAN, 2471 IEEE80211_SCAN_FAIL_TIMEOUT); 2472 } 2473} 2474 2475static void 2476ieee80211_tx_mgt_cb(struct ieee80211_node *ni, void *arg, int status) 2477{ 2478 struct ieee80211vap *vap = ni->ni_vap; 2479 enum ieee80211_state ostate = (enum ieee80211_state) arg; 2480 2481 /* 2482 * Frame transmit completed; arrange timer callback. If 2483 * transmit was successfuly we wait for response. Otherwise 2484 * we arrange an immediate callback instead of doing the 2485 * callback directly since we don't know what state the driver 2486 * is in (e.g. what locks it is holding). This work should 2487 * not be too time-critical and not happen too often so the 2488 * added overhead is acceptable. 2489 * 2490 * XXX what happens if !acked but response shows up before callback? 2491 */ 2492 if (vap->iv_state == ostate) 2493 callout_reset(&vap->iv_mgtsend, 2494 status == 0 ? IEEE80211_TRANS_WAIT*hz : 0, 2495 ieee80211_tx_mgt_timeout, ni); 2496} 2497 2498static void 2499ieee80211_beacon_construct(struct mbuf *m, uint8_t *frm, 2500 struct ieee80211_beacon_offsets *bo, struct ieee80211_node *ni) 2501{ 2502 struct ieee80211vap *vap = ni->ni_vap; 2503 struct ieee80211com *ic = ni->ni_ic; 2504 struct ieee80211_rateset *rs = &ni->ni_rates; 2505 uint16_t capinfo; 2506 2507 /* 2508 * beacon frame format 2509 * [8] time stamp 2510 * [2] beacon interval 2511 * [2] cabability information 2512 * [tlv] ssid 2513 * [tlv] supported rates 2514 * [3] parameter set (DS) 2515 * [8] CF parameter set (optional) 2516 * [tlv] parameter set (IBSS/TIM) 2517 * [tlv] country (optional) 2518 * [3] power control (optional) 2519 * [5] channel switch announcement (CSA) (optional) 2520 * [tlv] extended rate phy (ERP) 2521 * [tlv] extended supported rates 2522 * [tlv] RSN parameters 2523 * [tlv] HT capabilities 2524 * [tlv] HT information 2525 * XXX Vendor-specific OIDs (e.g. Atheros) 2526 * [tlv] WPA parameters 2527 * [tlv] WME parameters 2528 * [tlv] Vendor OUI HT capabilities (optional) 2529 * [tlv] Vendor OUI HT information (optional) 2530 * [tlv] Atheros capabilities (optional) 2531 * [tlv] TDMA parameters (optional) 2532 * [tlv] Mesh ID (MBSS) 2533 * [tlv] Mesh Conf (MBSS) 2534 * [tlv] application data (optional) 2535 */ 2536 2537 memset(bo, 0, sizeof(*bo)); 2538 2539 memset(frm, 0, 8); /* XXX timestamp is set by hardware/driver */ 2540 frm += 8; 2541 *(uint16_t *)frm = htole16(ni->ni_intval); 2542 frm += 2; 2543 capinfo = ieee80211_getcapinfo(vap, ni->ni_chan); 2544 bo->bo_caps = (uint16_t *)frm; 2545 *(uint16_t *)frm = htole16(capinfo); 2546 frm += 2; 2547 *frm++ = IEEE80211_ELEMID_SSID; 2548 if ((vap->iv_flags & IEEE80211_F_HIDESSID) == 0) { 2549 *frm++ = ni->ni_esslen; 2550 memcpy(frm, ni->ni_essid, ni->ni_esslen); 2551 frm += ni->ni_esslen; 2552 } else 2553 *frm++ = 0; 2554 frm = ieee80211_add_rates(frm, rs); 2555 if (!IEEE80211_IS_CHAN_FHSS(ni->ni_chan)) { 2556 *frm++ = IEEE80211_ELEMID_DSPARMS; 2557 *frm++ = 1; 2558 *frm++ = ieee80211_chan2ieee(ic, ni->ni_chan); 2559 } 2560 if (ic->ic_flags & IEEE80211_F_PCF) { 2561 bo->bo_cfp = frm; 2562 frm = ieee80211_add_cfparms(frm, ic); 2563 } 2564 bo->bo_tim = frm; 2565 if (vap->iv_opmode == IEEE80211_M_IBSS) { 2566 *frm++ = IEEE80211_ELEMID_IBSSPARMS; 2567 *frm++ = 2; 2568 *frm++ = 0; *frm++ = 0; /* TODO: ATIM window */ 2569 bo->bo_tim_len = 0; 2570 } else if (vap->iv_opmode == IEEE80211_M_HOSTAP || 2571 vap->iv_opmode == IEEE80211_M_MBSS) { 2572 /* TIM IE is the same for Mesh and Hostap */ 2573 struct ieee80211_tim_ie *tie = (struct ieee80211_tim_ie *) frm; 2574 2575 tie->tim_ie = IEEE80211_ELEMID_TIM; 2576 tie->tim_len = 4; /* length */ 2577 tie->tim_count = 0; /* DTIM count */ 2578 tie->tim_period = vap->iv_dtim_period; /* DTIM period */ 2579 tie->tim_bitctl = 0; /* bitmap control */ 2580 tie->tim_bitmap[0] = 0; /* Partial Virtual Bitmap */ 2581 frm += sizeof(struct ieee80211_tim_ie); 2582 bo->bo_tim_len = 1; 2583 } 2584 bo->bo_tim_trailer = frm; 2585 if ((vap->iv_flags & IEEE80211_F_DOTH) || 2586 (vap->iv_flags_ext & IEEE80211_FEXT_DOTD)) 2587 frm = ieee80211_add_countryie(frm, ic); 2588 if (vap->iv_flags & IEEE80211_F_DOTH) { 2589 if (IEEE80211_IS_CHAN_5GHZ(ni->ni_chan)) 2590 frm = ieee80211_add_powerconstraint(frm, vap); 2591 bo->bo_csa = frm; 2592 if (ic->ic_flags & IEEE80211_F_CSAPENDING) 2593 frm = ieee80211_add_csa(frm, vap); 2594 } else 2595 bo->bo_csa = frm; 2596 if (IEEE80211_IS_CHAN_ANYG(ni->ni_chan)) { 2597 bo->bo_erp = frm; 2598 frm = ieee80211_add_erp(frm, ic); 2599 } 2600 frm = ieee80211_add_xrates(frm, rs); 2601 if (vap->iv_flags & IEEE80211_F_WPA2) { 2602 if (vap->iv_rsn_ie != NULL) 2603 frm = add_ie(frm, vap->iv_rsn_ie); 2604 /* XXX else complain */ 2605 } 2606 if (IEEE80211_IS_CHAN_HT(ni->ni_chan)) { 2607 frm = ieee80211_add_htcap(frm, ni); 2608 bo->bo_htinfo = frm; 2609 frm = ieee80211_add_htinfo(frm, ni); 2610 } 2611 if (vap->iv_flags & IEEE80211_F_WPA1) { 2612 if (vap->iv_wpa_ie != NULL) 2613 frm = add_ie(frm, vap->iv_wpa_ie); 2614 /* XXX else complain */ 2615 } 2616 if (vap->iv_flags & IEEE80211_F_WME) { 2617 bo->bo_wme = frm; 2618 frm = ieee80211_add_wme_param(frm, &ic->ic_wme); 2619 } 2620 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && 2621 (vap->iv_flags_ht & IEEE80211_FHT_HTCOMPAT)) { 2622 frm = ieee80211_add_htcap_vendor(frm, ni); 2623 frm = ieee80211_add_htinfo_vendor(frm, ni); 2624 } 2625#ifdef IEEE80211_SUPPORT_SUPERG 2626 if (vap->iv_flags & IEEE80211_F_ATHEROS) { 2627 bo->bo_ath = frm; 2628 frm = ieee80211_add_athcaps(frm, ni); 2629 } 2630#endif 2631#ifdef IEEE80211_SUPPORT_TDMA 2632 if (vap->iv_caps & IEEE80211_C_TDMA) { 2633 bo->bo_tdma = frm; 2634 frm = ieee80211_add_tdma(frm, vap); 2635 } 2636#endif 2637 if (vap->iv_appie_beacon != NULL) { 2638 bo->bo_appie = frm; 2639 bo->bo_appie_len = vap->iv_appie_beacon->ie_len; 2640 frm = add_appie(frm, vap->iv_appie_beacon); 2641 } 2642#ifdef IEEE80211_SUPPORT_MESH 2643 if (vap->iv_opmode == IEEE80211_M_MBSS) { 2644 frm = ieee80211_add_meshid(frm, vap); 2645 frm = ieee80211_add_meshconf(frm, vap); 2646 } 2647#endif 2648 bo->bo_tim_trailer_len = frm - bo->bo_tim_trailer; 2649 bo->bo_csa_trailer_len = frm - bo->bo_csa; 2650 m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *); 2651} 2652 2653/* 2654 * Allocate a beacon frame and fillin the appropriate bits. 2655 */ 2656struct mbuf * 2657ieee80211_beacon_alloc(struct ieee80211_node *ni, 2658 struct ieee80211_beacon_offsets *bo) 2659{ 2660 struct ieee80211vap *vap = ni->ni_vap; 2661 struct ieee80211com *ic = ni->ni_ic; 2662 struct ifnet *ifp = vap->iv_ifp; 2663 struct ieee80211_frame *wh; 2664 struct mbuf *m; 2665 int pktlen; 2666 uint8_t *frm; 2667 2668 /* 2669 * beacon frame format 2670 * [8] time stamp 2671 * [2] beacon interval 2672 * [2] cabability information 2673 * [tlv] ssid 2674 * [tlv] supported rates 2675 * [3] parameter set (DS) 2676 * [8] CF parameter set (optional) 2677 * [tlv] parameter set (IBSS/TIM) 2678 * [tlv] country (optional) 2679 * [3] power control (optional) 2680 * [5] channel switch announcement (CSA) (optional) 2681 * [tlv] extended rate phy (ERP) 2682 * [tlv] extended supported rates 2683 * [tlv] RSN parameters 2684 * [tlv] HT capabilities 2685 * [tlv] HT information 2686 * [tlv] Vendor OUI HT capabilities (optional) 2687 * [tlv] Vendor OUI HT information (optional) 2688 * XXX Vendor-specific OIDs (e.g. Atheros) 2689 * [tlv] WPA parameters 2690 * [tlv] WME parameters 2691 * [tlv] TDMA parameters (optional) 2692 * [tlv] Mesh ID (MBSS) 2693 * [tlv] Mesh Conf (MBSS) 2694 * [tlv] application data (optional) 2695 * NB: we allocate the max space required for the TIM bitmap. 2696 * XXX how big is this? 2697 */ 2698 pktlen = 8 /* time stamp */ 2699 + sizeof(uint16_t) /* beacon interval */ 2700 + sizeof(uint16_t) /* capabilities */ 2701 + 2 + ni->ni_esslen /* ssid */ 2702 + 2 + IEEE80211_RATE_SIZE /* supported rates */ 2703 + 2 + 1 /* DS parameters */ 2704 + 2 + 6 /* CF parameters */ 2705 + 2 + 4 + vap->iv_tim_len /* DTIM/IBSSPARMS */ 2706 + IEEE80211_COUNTRY_MAX_SIZE /* country */ 2707 + 2 + 1 /* power control */ 2708 + sizeof(struct ieee80211_csa_ie) /* CSA */ 2709 + 2 + 1 /* ERP */ 2710 + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE) 2711 + (vap->iv_caps & IEEE80211_C_WPA ? /* WPA 1+2 */ 2712 2*sizeof(struct ieee80211_ie_wpa) : 0) 2713 /* XXX conditional? */ 2714 + 4+2*sizeof(struct ieee80211_ie_htcap)/* HT caps */ 2715 + 4+2*sizeof(struct ieee80211_ie_htinfo)/* HT info */ 2716 + (vap->iv_caps & IEEE80211_C_WME ? /* WME */ 2717 sizeof(struct ieee80211_wme_param) : 0) 2718#ifdef IEEE80211_SUPPORT_SUPERG 2719 + sizeof(struct ieee80211_ath_ie) /* ATH */ 2720#endif 2721#ifdef IEEE80211_SUPPORT_TDMA 2722 + (vap->iv_caps & IEEE80211_C_TDMA ? /* TDMA */ 2723 sizeof(struct ieee80211_tdma_param) : 0) 2724#endif 2725#ifdef IEEE80211_SUPPORT_MESH 2726 + 2 + ni->ni_meshidlen 2727 + sizeof(struct ieee80211_meshconf_ie) 2728#endif 2729 + IEEE80211_MAX_APPIE 2730 ; 2731 m = ieee80211_getmgtframe(&frm, 2732 ic->ic_headroom + sizeof(struct ieee80211_frame), pktlen); 2733 if (m == NULL) { 2734 IEEE80211_DPRINTF(vap, IEEE80211_MSG_ANY, 2735 "%s: cannot get buf; size %u\n", __func__, pktlen); 2736 vap->iv_stats.is_tx_nobuf++; 2737 return NULL; 2738 } 2739 ieee80211_beacon_construct(m, frm, bo, ni); 2740 2741 M_PREPEND(m, sizeof(struct ieee80211_frame), M_DONTWAIT); 2742 KASSERT(m != NULL, ("no space for 802.11 header?")); 2743 wh = mtod(m, struct ieee80211_frame *); 2744 wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_MGT | 2745 IEEE80211_FC0_SUBTYPE_BEACON; 2746 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS; 2747 *(uint16_t *)wh->i_dur = 0; 2748 IEEE80211_ADDR_COPY(wh->i_addr1, ifp->if_broadcastaddr); 2749 IEEE80211_ADDR_COPY(wh->i_addr2, vap->iv_myaddr); 2750#ifdef IEEE80211_SUPPORT_MESH 2751 if (vap->iv_opmode == IEEE80211_M_MBSS) { 2752 static const uint8_t zerobssid[IEEE80211_ADDR_LEN]; 2753 IEEE80211_ADDR_COPY(wh->i_addr3, zerobssid); 2754 } else 2755#endif 2756 IEEE80211_ADDR_COPY(wh->i_addr3, ni->ni_bssid); 2757 *(uint16_t *)wh->i_seq = 0; 2758 2759 return m; 2760} 2761 2762/* 2763 * Update the dynamic parts of a beacon frame based on the current state. 2764 */ 2765int 2766ieee80211_beacon_update(struct ieee80211_node *ni, 2767 struct ieee80211_beacon_offsets *bo, struct mbuf *m, int mcast) 2768{ 2769 struct ieee80211vap *vap = ni->ni_vap; 2770 struct ieee80211com *ic = ni->ni_ic; 2771 int len_changed = 0; 2772 uint16_t capinfo; 2773 2774 IEEE80211_LOCK(ic); 2775 /* 2776 * Handle 11h channel change when we've reached the count. 2777 * We must recalculate the beacon frame contents to account 2778 * for the new channel. Note we do this only for the first 2779 * vap that reaches this point; subsequent vaps just update 2780 * their beacon state to reflect the recalculated channel. 2781 */ 2782 if (isset(bo->bo_flags, IEEE80211_BEACON_CSA) && 2783 vap->iv_csa_count == ic->ic_csa_count) { 2784 vap->iv_csa_count = 0; 2785 /* 2786 * Effect channel change before reconstructing the beacon 2787 * frame contents as many places reference ni_chan. 2788 */ 2789 if (ic->ic_csa_newchan != NULL) 2790 ieee80211_csa_completeswitch(ic); 2791 /* 2792 * NB: ieee80211_beacon_construct clears all pending 2793 * updates in bo_flags so we don't need to explicitly 2794 * clear IEEE80211_BEACON_CSA. 2795 */ 2796 ieee80211_beacon_construct(m, 2797 mtod(m, uint8_t*) + sizeof(struct ieee80211_frame), bo, ni); 2798 2799 /* XXX do WME aggressive mode processing? */ 2800 IEEE80211_UNLOCK(ic); 2801 return 1; /* just assume length changed */ 2802 } 2803 2804 /* XXX faster to recalculate entirely or just changes? */ 2805 capinfo = ieee80211_getcapinfo(vap, ni->ni_chan); 2806 *bo->bo_caps = htole16(capinfo); 2807 2808 if (vap->iv_flags & IEEE80211_F_WME) { 2809 struct ieee80211_wme_state *wme = &ic->ic_wme; 2810 2811 /* 2812 * Check for agressive mode change. When there is 2813 * significant high priority traffic in the BSS 2814 * throttle back BE traffic by using conservative 2815 * parameters. Otherwise BE uses agressive params 2816 * to optimize performance of legacy/non-QoS traffic. 2817 */ 2818 if (wme->wme_flags & WME_F_AGGRMODE) { 2819 if (wme->wme_hipri_traffic > 2820 wme->wme_hipri_switch_thresh) { 2821 IEEE80211_DPRINTF(vap, IEEE80211_MSG_WME, 2822 "%s: traffic %u, disable aggressive mode\n", 2823 __func__, wme->wme_hipri_traffic); 2824 wme->wme_flags &= ~WME_F_AGGRMODE; 2825 ieee80211_wme_updateparams_locked(vap); 2826 wme->wme_hipri_traffic = 2827 wme->wme_hipri_switch_hysteresis; 2828 } else 2829 wme->wme_hipri_traffic = 0; 2830 } else { 2831 if (wme->wme_hipri_traffic <= 2832 wme->wme_hipri_switch_thresh) { 2833 IEEE80211_DPRINTF(vap, IEEE80211_MSG_WME, 2834 "%s: traffic %u, enable aggressive mode\n", 2835 __func__, wme->wme_hipri_traffic); 2836 wme->wme_flags |= WME_F_AGGRMODE; 2837 ieee80211_wme_updateparams_locked(vap); 2838 wme->wme_hipri_traffic = 0; 2839 } else 2840 wme->wme_hipri_traffic = 2841 wme->wme_hipri_switch_hysteresis; 2842 } 2843 if (isset(bo->bo_flags, IEEE80211_BEACON_WME)) { 2844 (void) ieee80211_add_wme_param(bo->bo_wme, wme); 2845 clrbit(bo->bo_flags, IEEE80211_BEACON_WME); 2846 } 2847 } 2848 2849 if (isset(bo->bo_flags, IEEE80211_BEACON_HTINFO)) { 2850 ieee80211_ht_update_beacon(vap, bo); 2851 clrbit(bo->bo_flags, IEEE80211_BEACON_HTINFO); 2852 } 2853#ifdef IEEE80211_SUPPORT_TDMA 2854 if (vap->iv_caps & IEEE80211_C_TDMA) { 2855 /* 2856 * NB: the beacon is potentially updated every TBTT. 2857 */ 2858 ieee80211_tdma_update_beacon(vap, bo); 2859 } 2860#endif 2861 if (vap->iv_opmode == IEEE80211_M_HOSTAP || 2862 vap->iv_opmode == IEEE80211_M_MBSS) { /* NB: no IBSS support*/ 2863 struct ieee80211_tim_ie *tie = 2864 (struct ieee80211_tim_ie *) bo->bo_tim; 2865 if (isset(bo->bo_flags, IEEE80211_BEACON_TIM)) { 2866 u_int timlen, timoff, i; 2867 /* 2868 * ATIM/DTIM needs updating. If it fits in the 2869 * current space allocated then just copy in the 2870 * new bits. Otherwise we need to move any trailing 2871 * data to make room. Note that we know there is 2872 * contiguous space because ieee80211_beacon_allocate 2873 * insures there is space in the mbuf to write a 2874 * maximal-size virtual bitmap (based on iv_max_aid). 2875 */ 2876 /* 2877 * Calculate the bitmap size and offset, copy any 2878 * trailer out of the way, and then copy in the 2879 * new bitmap and update the information element. 2880 * Note that the tim bitmap must contain at least 2881 * one byte and any offset must be even. 2882 */ 2883 if (vap->iv_ps_pending != 0) { 2884 timoff = 128; /* impossibly large */ 2885 for (i = 0; i < vap->iv_tim_len; i++) 2886 if (vap->iv_tim_bitmap[i]) { 2887 timoff = i &~ 1; 2888 break; 2889 } 2890 KASSERT(timoff != 128, ("tim bitmap empty!")); 2891 for (i = vap->iv_tim_len-1; i >= timoff; i--) 2892 if (vap->iv_tim_bitmap[i]) 2893 break; 2894 timlen = 1 + (i - timoff); 2895 } else { 2896 timoff = 0; 2897 timlen = 1; 2898 } 2899 if (timlen != bo->bo_tim_len) { 2900 /* copy up/down trailer */ 2901 int adjust = tie->tim_bitmap+timlen 2902 - bo->bo_tim_trailer; 2903 ovbcopy(bo->bo_tim_trailer, 2904 bo->bo_tim_trailer+adjust, 2905 bo->bo_tim_trailer_len); 2906 bo->bo_tim_trailer += adjust; 2907 bo->bo_erp += adjust; 2908 bo->bo_htinfo += adjust; 2909#ifdef IEEE80211_SUPERG_SUPPORT 2910 bo->bo_ath += adjust; 2911#endif 2912#ifdef IEEE80211_TDMA_SUPPORT 2913 bo->bo_tdma += adjust; 2914#endif 2915 bo->bo_appie += adjust; 2916 bo->bo_wme += adjust; 2917 bo->bo_csa += adjust; 2918 bo->bo_tim_len = timlen; 2919 2920 /* update information element */ 2921 tie->tim_len = 3 + timlen; 2922 tie->tim_bitctl = timoff; 2923 len_changed = 1; 2924 } 2925 memcpy(tie->tim_bitmap, vap->iv_tim_bitmap + timoff, 2926 bo->bo_tim_len); 2927 2928 clrbit(bo->bo_flags, IEEE80211_BEACON_TIM); 2929 2930 IEEE80211_DPRINTF(vap, IEEE80211_MSG_POWER, 2931 "%s: TIM updated, pending %u, off %u, len %u\n", 2932 __func__, vap->iv_ps_pending, timoff, timlen); 2933 } 2934 /* count down DTIM period */ 2935 if (tie->tim_count == 0) 2936 tie->tim_count = tie->tim_period - 1; 2937 else 2938 tie->tim_count--; 2939 /* update state for buffered multicast frames on DTIM */ 2940 if (mcast && tie->tim_count == 0) 2941 tie->tim_bitctl |= 1; 2942 else 2943 tie->tim_bitctl &= ~1; 2944 if (isset(bo->bo_flags, IEEE80211_BEACON_CSA)) { 2945 struct ieee80211_csa_ie *csa = 2946 (struct ieee80211_csa_ie *) bo->bo_csa; 2947 2948 /* 2949 * Insert or update CSA ie. If we're just starting 2950 * to count down to the channel switch then we need 2951 * to insert the CSA ie. Otherwise we just need to 2952 * drop the count. The actual change happens above 2953 * when the vap's count reaches the target count. 2954 */ 2955 if (vap->iv_csa_count == 0) { 2956 memmove(&csa[1], csa, bo->bo_csa_trailer_len); 2957 bo->bo_erp += sizeof(*csa); 2958 bo->bo_htinfo += sizeof(*csa); 2959 bo->bo_wme += sizeof(*csa); 2960#ifdef IEEE80211_SUPERG_SUPPORT 2961 bo->bo_ath += sizeof(*csa); 2962#endif 2963#ifdef IEEE80211_TDMA_SUPPORT 2964 bo->bo_tdma += sizeof(*csa); 2965#endif 2966 bo->bo_appie += sizeof(*csa); 2967 bo->bo_csa_trailer_len += sizeof(*csa); 2968 bo->bo_tim_trailer_len += sizeof(*csa); 2969 m->m_len += sizeof(*csa); 2970 m->m_pkthdr.len += sizeof(*csa); 2971 2972 ieee80211_add_csa(bo->bo_csa, vap); 2973 } else 2974 csa->csa_count--; 2975 vap->iv_csa_count++; 2976 /* NB: don't clear IEEE80211_BEACON_CSA */ 2977 } 2978 if (isset(bo->bo_flags, IEEE80211_BEACON_ERP)) { 2979 /* 2980 * ERP element needs updating. 2981 */ 2982 (void) ieee80211_add_erp(bo->bo_erp, ic); 2983 clrbit(bo->bo_flags, IEEE80211_BEACON_ERP); 2984 } 2985#ifdef IEEE80211_SUPPORT_SUPERG 2986 if (isset(bo->bo_flags, IEEE80211_BEACON_ATH)) { 2987 ieee80211_add_athcaps(bo->bo_ath, ni); 2988 clrbit(bo->bo_flags, IEEE80211_BEACON_ATH); 2989 } 2990#endif 2991 } 2992 if (isset(bo->bo_flags, IEEE80211_BEACON_APPIE)) { 2993 const struct ieee80211_appie *aie = vap->iv_appie_beacon; 2994 int aielen; 2995 uint8_t *frm; 2996 2997 aielen = 0; 2998 if (aie != NULL) 2999 aielen += aie->ie_len; 3000 if (aielen != bo->bo_appie_len) { 3001 /* copy up/down trailer */ 3002 int adjust = aielen - bo->bo_appie_len; 3003 ovbcopy(bo->bo_tim_trailer, bo->bo_tim_trailer+adjust, 3004 bo->bo_tim_trailer_len); 3005 bo->bo_tim_trailer += adjust; 3006 bo->bo_appie += adjust; 3007 bo->bo_appie_len = aielen; 3008 3009 len_changed = 1; 3010 } 3011 frm = bo->bo_appie; 3012 if (aie != NULL) 3013 frm = add_appie(frm, aie); 3014 clrbit(bo->bo_flags, IEEE80211_BEACON_APPIE); 3015 } 3016 IEEE80211_UNLOCK(ic); 3017 3018 return len_changed; 3019} 3020