1/* $OpenBSD: ieee80211_output.c,v 1.137 2022/03/14 15:07:24 stsp Exp $ */ 2/* $NetBSD: ieee80211_output.c,v 1.13 2004/05/31 11:02:55 dyoung Exp $ */ 3 4/*- 5 * Copyright (c) 2001 Atsushi Onoe 6 * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting 7 * Copyright (c) 2007-2009 Damien Bergamini 8 * All rights reserved. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 3. The name of the author may not be used to endorse or promote products 19 * derived from this software without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 22 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 23 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 24 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 26 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 27 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 28 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 30 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 */ 32 33#include "bpfilter.h" 34#include "vlan.h" 35 36#include <sys/param.h> 37#include <sys/systm.h> 38#include <sys/mbuf.h> 39#include <sys/kernel.h> 40#include <sys/socket.h> 41#include <sys/sockio.h> 42#include <sys/endian.h> 43#include <sys/errno.h> 44#include <sys/sysctl.h> 45 46#include <net/if.h> 47#include <net/if_dl.h> 48#include <net/if_media.h> 49#include <net/if_llc.h> 50#include <net/bpf.h> 51 52#include <netinet/in.h> 53#include <netinet/if_ether.h> 54#include <netinet/ip.h> 55#ifdef INET6 56#include <netinet/ip6.h> 57#endif 58 59#if NVLAN > 0 60#include <net/if_vlan_var.h> 61#endif 62 63#include <net80211/ieee80211_var.h> 64#include <net80211/ieee80211_priv.h> 65 66int ieee80211_mgmt_output(struct ifnet *, struct ieee80211_node *, 67 struct mbuf *, int); 68int ieee80211_can_use_ampdu(struct ieee80211com *, 69 struct ieee80211_node *); 70u_int8_t *ieee80211_add_rsn_body(u_int8_t *, struct ieee80211com *, 71 const struct ieee80211_node *, int); 72struct mbuf *ieee80211_getmgmt(int, int, u_int); 73struct mbuf *ieee80211_get_probe_req(struct ieee80211com *, 74 struct ieee80211_node *); 75#ifndef IEEE80211_STA_ONLY 76struct mbuf *ieee80211_get_probe_resp(struct ieee80211com *); 77#endif 78struct mbuf *ieee80211_get_auth(struct ieee80211com *, 79 struct ieee80211_node *, u_int16_t, u_int16_t); 80struct mbuf *ieee80211_get_deauth(struct ieee80211com *, 81 struct ieee80211_node *, u_int16_t); 82struct mbuf *ieee80211_get_assoc_req(struct ieee80211com *, 83 struct ieee80211_node *, int); 84#ifndef IEEE80211_STA_ONLY 85struct mbuf *ieee80211_get_assoc_resp(struct ieee80211com *, 86 struct ieee80211_node *, u_int16_t); 87#endif 88struct mbuf *ieee80211_get_disassoc(struct ieee80211com *, 89 struct ieee80211_node *, u_int16_t); 90struct mbuf *ieee80211_get_addba_req(struct ieee80211com *, 91 struct ieee80211_node *, u_int8_t); 92struct mbuf *ieee80211_get_addba_resp(struct ieee80211com *, 93 struct ieee80211_node *, u_int8_t, u_int8_t, u_int16_t); 94struct mbuf *ieee80211_get_delba(struct ieee80211com *, 95 struct ieee80211_node *, u_int8_t, u_int8_t, u_int16_t); 96uint8_t *ieee80211_add_wme_info(uint8_t *, struct ieee80211com *); 97#ifndef IEEE80211_STA_ONLY 98uint8_t *ieee80211_add_wme_param(uint8_t *, struct ieee80211com *); 99#endif 100struct mbuf *ieee80211_get_sa_query(struct ieee80211com *, 101 struct ieee80211_node *, u_int8_t); 102struct mbuf *ieee80211_get_action(struct ieee80211com *, 103 struct ieee80211_node *, u_int8_t, u_int8_t, int); 104 105/* 106 * IEEE 802.11 output routine. Normally this will directly call the 107 * Ethernet output routine because 802.11 encapsulation is called 108 * later by the driver. This function can be used to send raw frames 109 * if the mbuf has been tagged with a 802.11 data link type. 110 */ 111int 112ieee80211_output(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst, 113 struct rtentry *rt) 114{ 115 struct ieee80211_frame *wh; 116 struct m_tag *mtag; 117 int error = 0; 118 119 /* Interface has to be up and running */ 120 if ((ifp->if_flags & (IFF_UP | IFF_RUNNING)) != 121 (IFF_UP | IFF_RUNNING)) { 122 error = ENETDOWN; 123 goto bad; 124 } 125 126#ifdef PACKET_TAG_DLT 127 /* Try to get the DLT from a mbuf tag */ 128 if ((mtag = m_tag_find(m, PACKET_TAG_DLT, NULL)) != NULL) { 129 struct ieee80211com *ic = (void *)ifp; 130 u_int dlt = *(u_int *)(mtag + 1); 131 132 /* Fallback to ethernet for non-802.11 linktypes */ 133 if (!(dlt == DLT_IEEE802_11 || dlt == DLT_IEEE802_11_RADIO)) 134 goto fallback; 135 136 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) 137 return (EINVAL); 138 wh = mtod(m, struct ieee80211_frame *); 139 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 140 IEEE80211_FC0_VERSION_0) 141 return (EINVAL); 142 if (!(ic->ic_caps & IEEE80211_C_RAWCTL) && 143 (wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK) == 144 IEEE80211_FC0_TYPE_CTL) 145 return (EINVAL); 146 147 return (if_enqueue(ifp, m)); 148 } 149#endif 150 151 fallback: 152 return (ether_output(ifp, m, dst, rt)); 153 154 bad: 155 m_freem(m); 156 return (error); 157} 158 159const char * 160ieee80211_action_name(struct ieee80211_frame *wh) 161{ 162 const u_int8_t *frm = (const uint8_t *)&wh[1]; 163 const char *categ_ba_name[3] = { "addba_req", "addba_resp", "delba" }; 164 165 if (frm[0] == IEEE80211_CATEG_BA && frm[1] < nitems(categ_ba_name)) 166 return categ_ba_name[frm[1]]; 167 168 return "action"; 169} 170 171/* 172 * Send a management frame to the specified node. The node pointer 173 * must have a reference as the pointer will be passed to the driver 174 * and potentially held for a long time. If the frame is successfully 175 * dispatched to the driver, then it is responsible for freeing the 176 * reference (and potentially free'ing up any associated storage). 177 */ 178int 179ieee80211_mgmt_output(struct ifnet *ifp, struct ieee80211_node *ni, 180 struct mbuf *m, int type) 181{ 182 struct ieee80211com *ic = (void *)ifp; 183 struct ieee80211_frame *wh; 184 185 if (ni == NULL) 186 panic("null node"); 187 ni->ni_inact = 0; 188 189 /* 190 * We want to pass the node down to the driver's start 191 * routine. We could stick this in an m_tag and tack that 192 * on to the mbuf. However that's rather expensive to do 193 * for every frame so instead we stuff it in a special pkthdr 194 * field. 195 */ 196 M_PREPEND(m, sizeof(struct ieee80211_frame), M_DONTWAIT); 197 if (m == NULL) 198 return ENOMEM; 199 m->m_pkthdr.ph_cookie = ni; 200 201 wh = mtod(m, struct ieee80211_frame *); 202 wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_MGT | type; 203 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS; 204 *(u_int16_t *)&wh->i_dur[0] = 0; 205 *(u_int16_t *)&wh->i_seq[0] = 206 htole16(ni->ni_txseq << IEEE80211_SEQ_SEQ_SHIFT); 207 ni->ni_txseq = (ni->ni_txseq + 1) & 0xfff; 208 IEEE80211_ADDR_COPY(wh->i_addr1, ni->ni_macaddr); 209 IEEE80211_ADDR_COPY(wh->i_addr2, ic->ic_myaddr); 210 IEEE80211_ADDR_COPY(wh->i_addr3, ni->ni_bssid); 211 212 /* check if protection is required for this mgmt frame */ 213 if ((ic->ic_caps & IEEE80211_C_MFP) && 214 (type == IEEE80211_FC0_SUBTYPE_DISASSOC || 215 type == IEEE80211_FC0_SUBTYPE_DEAUTH || 216 type == IEEE80211_FC0_SUBTYPE_ACTION)) { 217 /* 218 * Hack: we should not set the Protected bit in outgoing 219 * group management frames, however it is used as an 220 * indication to the drivers that they must encrypt the 221 * frame. Drivers should clear this bit from group 222 * management frames (software crypto code will do it). 223 * XXX could use an mbuf flag.. 224 */ 225 if (IEEE80211_IS_MULTICAST(wh->i_addr1) || 226 (ni->ni_flags & IEEE80211_NODE_TXMGMTPROT)) 227 wh->i_fc[1] |= IEEE80211_FC1_PROTECTED; 228 } 229 230 if (ifp->if_flags & IFF_DEBUG) { 231 /* avoid to print too many frames */ 232 if ( 233#ifndef IEEE80211_STA_ONLY 234 ic->ic_opmode == IEEE80211_M_IBSS || 235#endif 236#ifdef IEEE80211_DEBUG 237 ieee80211_debug > 1 || 238#endif 239 (type & IEEE80211_FC0_SUBTYPE_MASK) != 240 IEEE80211_FC0_SUBTYPE_PROBE_RESP) { 241 const char *subtype_name; 242 if ((type & IEEE80211_FC0_SUBTYPE_MASK) == 243 IEEE80211_FC0_SUBTYPE_ACTION) 244 subtype_name = ieee80211_action_name(wh); 245 else 246 subtype_name = ieee80211_mgt_subtype_name[ 247 (type & IEEE80211_FC0_SUBTYPE_MASK) >> 248 IEEE80211_FC0_SUBTYPE_SHIFT]; 249 printf("%s: sending %s to %s on channel %u mode %s\n", 250 ifp->if_xname, subtype_name, 251 ether_sprintf(ni->ni_macaddr), 252 ieee80211_chan2ieee(ic, ni->ni_chan), 253 ieee80211_phymode_name[ic->ic_curmode]); 254 } 255 } 256 257#ifndef IEEE80211_STA_ONLY 258 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 259 ieee80211_pwrsave(ic, m, ni) != 0) 260 return 0; 261#endif 262 mq_enqueue(&ic->ic_mgtq, m); 263 ifp->if_timer = 1; 264 if_start(ifp); 265 return 0; 266} 267 268/*- 269 * EDCA tables are computed using the following formulas: 270 * 271 * 1) EDCATable (non-AP QSTA) 272 * 273 * AC CWmin CWmax AIFSN TXOP limit(ms) 274 * ------------------------------------------------------------- 275 * AC_BK aCWmin aCWmax 7 0 276 * AC_BE aCWmin aCWmax 3 0 277 * AC_VI (aCWmin+1)/2-1 aCWmin 2 agn=3.008 b=6.016 others=0 278 * AC_VO (aCWmin+1)/4-1 (aCWmin+1)/2-1 2 agn=1.504 b=3.264 others=0 279 * 280 * 2) QAPEDCATable (QAP) 281 * 282 * AC CWmin CWmax AIFSN TXOP limit(ms) 283 * ------------------------------------------------------------- 284 * AC_BK aCWmin aCWmax 7 0 285 * AC_BE aCWmin 4*(aCWmin+1)-1 3 0 286 * AC_VI (aCWmin+1)/2-1 aCWmin 1 agn=3.008 b=6.016 others=0 287 * AC_VO (aCWmin+1)/4-1 (aCWmin+1)/2-1 1 agn=1.504 b=3.264 others=0 288 * 289 * and the following aCWmin/aCWmax values: 290 * 291 * PHY aCWmin aCWmax 292 * --------------------------- 293 * 11A 15 1023 294 * 11B 31 1023 295 * 11G 15* 1023 (*) aCWmin(1) 296 * 11N 15 1023 297 */ 298const struct ieee80211_edca_ac_params 299 ieee80211_edca_table[IEEE80211_MODE_MAX][EDCA_NUM_AC] = { 300 [IEEE80211_MODE_11B] = { 301 [EDCA_AC_BK] = { 5, 10, 7, 0 }, 302 [EDCA_AC_BE] = { 5, 10, 3, 0 }, 303 [EDCA_AC_VI] = { 4, 5, 2, 188 }, 304 [EDCA_AC_VO] = { 3, 4, 2, 102 } 305 }, 306 [IEEE80211_MODE_11A] = { 307 [EDCA_AC_BK] = { 4, 10, 7, 0 }, 308 [EDCA_AC_BE] = { 4, 10, 3, 0 }, 309 [EDCA_AC_VI] = { 3, 4, 2, 94 }, 310 [EDCA_AC_VO] = { 2, 3, 2, 47 } 311 }, 312 [IEEE80211_MODE_11G] = { 313 [EDCA_AC_BK] = { 4, 10, 7, 0 }, 314 [EDCA_AC_BE] = { 4, 10, 3, 0 }, 315 [EDCA_AC_VI] = { 3, 4, 2, 94 }, 316 [EDCA_AC_VO] = { 2, 3, 2, 47 } 317 }, 318 [IEEE80211_MODE_11N] = { 319 [EDCA_AC_BK] = { 4, 10, 7, 0 }, 320 [EDCA_AC_BE] = { 4, 10, 3, 0 }, 321 [EDCA_AC_VI] = { 3, 4, 2, 94 }, 322 [EDCA_AC_VO] = { 2, 3, 2, 47 } 323 }, 324 [IEEE80211_MODE_11AC] = { 325 [EDCA_AC_BK] = { 4, 10, 7, 0 }, 326 [EDCA_AC_BE] = { 4, 10, 3, 0 }, 327 [EDCA_AC_VI] = { 3, 4, 2, 94 }, 328 [EDCA_AC_VO] = { 2, 3, 2, 47 } 329 }, 330}; 331 332#ifndef IEEE80211_STA_ONLY 333const struct ieee80211_edca_ac_params 334 ieee80211_qap_edca_table[IEEE80211_MODE_MAX][EDCA_NUM_AC] = { 335 [IEEE80211_MODE_11B] = { 336 [EDCA_AC_BK] = { 5, 10, 7, 0 }, 337 [EDCA_AC_BE] = { 5, 7, 3, 0 }, 338 [EDCA_AC_VI] = { 4, 5, 1, 188 }, 339 [EDCA_AC_VO] = { 3, 4, 1, 102 } 340 }, 341 [IEEE80211_MODE_11A] = { 342 [EDCA_AC_BK] = { 4, 10, 7, 0 }, 343 [EDCA_AC_BE] = { 4, 6, 3, 0 }, 344 [EDCA_AC_VI] = { 3, 4, 1, 94 }, 345 [EDCA_AC_VO] = { 2, 3, 1, 47 } 346 }, 347 [IEEE80211_MODE_11G] = { 348 [EDCA_AC_BK] = { 4, 10, 7, 0 }, 349 [EDCA_AC_BE] = { 4, 6, 3, 0 }, 350 [EDCA_AC_VI] = { 3, 4, 1, 94 }, 351 [EDCA_AC_VO] = { 2, 3, 1, 47 } 352 }, 353 [IEEE80211_MODE_11N] = { 354 [EDCA_AC_BK] = { 4, 10, 7, 0 }, 355 [EDCA_AC_BE] = { 4, 6, 3, 0 }, 356 [EDCA_AC_VI] = { 3, 4, 1, 94 }, 357 [EDCA_AC_VO] = { 2, 3, 1, 47 } 358 }, 359 [IEEE80211_MODE_11AC] = { 360 [EDCA_AC_BK] = { 4, 10, 7, 0 }, 361 [EDCA_AC_BE] = { 4, 6, 3, 0 }, 362 [EDCA_AC_VI] = { 3, 4, 1, 94 }, 363 [EDCA_AC_VO] = { 2, 3, 1, 47 } 364 }, 365}; 366#endif /* IEEE80211_STA_ONLY */ 367 368/* 369 * Return the EDCA Access Category to be used for transmitting a frame with 370 * user-priority `up'. 371 */ 372enum ieee80211_edca_ac 373ieee80211_up_to_ac(struct ieee80211com *ic, int up) 374{ 375 /* see Table 9-1 */ 376 static const enum ieee80211_edca_ac up_to_ac[] = { 377 EDCA_AC_BE, /* BE */ 378 EDCA_AC_BK, /* BK */ 379 EDCA_AC_BK, /* -- */ 380 EDCA_AC_BE, /* EE */ 381 EDCA_AC_VI, /* CL */ 382 EDCA_AC_VI, /* VI */ 383 EDCA_AC_VO, /* VO */ 384 EDCA_AC_VO /* NC */ 385 }; 386 enum ieee80211_edca_ac ac; 387 388 ac = (up <= 7) ? up_to_ac[up] : EDCA_AC_BE; 389 390#ifndef IEEE80211_STA_ONLY 391 if (ic->ic_opmode == IEEE80211_M_HOSTAP) 392 return ac; 393#endif 394 /* 395 * We do not support the admission control procedure defined in 396 * IEEE Std 802.11-2012 section 9.19.4.2.3. The spec says that 397 * non-AP QSTAs that don't support this procedure shall use EDCA 398 * parameters of a lower priority AC that does not require 399 * admission control. 400 */ 401 while (ac != EDCA_AC_BK && ic->ic_edca_ac[ac].ac_acm) { 402 switch (ac) { 403 case EDCA_AC_BK: 404 /* can't get there */ 405 break; 406 case EDCA_AC_BE: 407 /* BE shouldn't require admission control */ 408 ac = EDCA_AC_BK; 409 break; 410 case EDCA_AC_VI: 411 ac = EDCA_AC_BE; 412 break; 413 case EDCA_AC_VO: 414 ac = EDCA_AC_VI; 415 break; 416 } 417 } 418 return ac; 419} 420 421/* 422 * Get mbuf's user-priority: if mbuf is not VLAN tagged, select user-priority 423 * based on the DSCP (Differentiated Services Codepoint) field. 424 */ 425int 426ieee80211_classify(struct ieee80211com *ic, struct mbuf *m) 427{ 428 struct ether_header eh; 429 u_int8_t ds_field; 430#if NVLAN > 0 431 if (m->m_flags & M_VLANTAG) /* use VLAN 802.1D user-priority */ 432 return EVL_PRIOFTAG(m->m_pkthdr.ether_vtag); 433#endif 434 m_copydata(m, 0, sizeof(eh), (caddr_t)&eh); 435 if (eh.ether_type == htons(ETHERTYPE_IP)) { 436 struct ip ip; 437 m_copydata(m, sizeof(eh), sizeof(ip), (caddr_t)&ip); 438 if (ip.ip_v != 4) 439 return 0; 440 ds_field = ip.ip_tos; 441 } 442#ifdef INET6 443 else if (eh.ether_type == htons(ETHERTYPE_IPV6)) { 444 struct ip6_hdr ip6; 445 u_int32_t flowlabel; 446 m_copydata(m, sizeof(eh), sizeof(ip6), (caddr_t)&ip6); 447 flowlabel = ntohl(ip6.ip6_flow); 448 if ((flowlabel >> 28) != 6) 449 return 0; 450 ds_field = (flowlabel >> 20) & 0xff; 451 } 452#endif /* INET6 */ 453 else /* neither IPv4 nor IPv6 */ 454 return 0; 455 456 /* 457 * Map Differentiated Services Codepoint field (see RFC2474). 458 * Preserves backward compatibility with IP Precedence field. 459 */ 460 switch (ds_field & 0xfc) { 461#ifdef IPTOS_PREC_PRIORITY 462 case IPTOS_PREC_PRIORITY: 463 return EDCA_AC_VI; 464 case IPTOS_PREC_IMMEDIATE: 465 return EDCA_AC_BK; 466 case IPTOS_PREC_FLASH: 467 case IPTOS_PREC_FLASHOVERRIDE: 468 case IPTOS_PREC_CRITIC_ECP: 469 case IPTOS_PREC_INTERNETCONTROL: 470 case IPTOS_PREC_NETCONTROL: 471 return EDCA_AC_VO; 472#endif 473 default: 474 return EDCA_AC_BE; 475 } 476} 477 478int 479ieee80211_can_use_ampdu(struct ieee80211com *ic, struct ieee80211_node *ni) 480{ 481 return (ni->ni_flags & IEEE80211_NODE_HT) && 482 (ic->ic_caps & IEEE80211_C_TX_AMPDU) && 483 !(ic->ic_opmode == IEEE80211_M_STA && ni != ic->ic_bss) && 484 /* 485 * Don't use A-MPDU on non-encrypted networks. There are devices 486 * with buggy firmware which allow an attacker to inject 802.11 487 * frames into a wifi network by embedding rogue A-MPDU subframes 488 * in an arbitrary data payload (e.g. PNG images) which may end 489 * up appearing as actual frames after de-aggregation by a buggy 490 * device; see https://github.com/rpp0/aggr-inject for details. 491 * WPA2 prevents this injection attack since the attacker would 492 * need to inject frames which get decrypted correctly. 493 */ 494 ((ic->ic_flags & IEEE80211_F_RSNON) && 495 (ni->ni_rsnprotos & IEEE80211_PROTO_RSN)); 496} 497 498void 499ieee80211_tx_compressed_bar(struct ieee80211com *ic, struct ieee80211_node *ni, 500 int tid, uint16_t ssn) 501{ 502 struct ifnet *ifp = &ic->ic_if; 503 struct mbuf *m; 504 505 m = ieee80211_get_compressed_bar(ic, ni, tid, ssn); 506 if (m == NULL) 507 return; 508 509 ieee80211_ref_node(ni); 510 if (mq_enqueue(&ic->ic_mgtq, m) == 0) 511 if_start(ifp); 512 else 513 ieee80211_release_node(ic, ni); 514} 515 516/* 517 * Encapsulate an outbound data frame. The mbuf chain is updated and 518 * a reference to the destination node is returned. If an error is 519 * encountered NULL is returned and the node reference will also be NULL. 520 * 521 * NB: The caller is responsible for free'ing a returned node reference. 522 * The convention is ic_bss is not reference counted; the caller must 523 * maintain that. 524 */ 525struct mbuf * 526ieee80211_encap(struct ifnet *ifp, struct mbuf *m, struct ieee80211_node **pni) 527{ 528 struct ieee80211com *ic = (void *)ifp; 529 struct ether_header eh; 530 struct ieee80211_frame *wh; 531 struct ieee80211_node *ni = NULL; 532 struct llc *llc; 533 struct m_tag *mtag; 534 u_int8_t *addr; 535 u_int dlt, hdrlen; 536 int addqos, tid; 537 538#ifdef PACKET_TAG_DLT 539 /* Handle raw frames if mbuf is tagged as 802.11 */ 540 if ((mtag = m_tag_find(m, PACKET_TAG_DLT, NULL)) != NULL) { 541 dlt = *(u_int *)(mtag + 1); 542 543 if (!(dlt == DLT_IEEE802_11 || dlt == DLT_IEEE802_11_RADIO)) 544 goto fallback; 545 546 wh = mtod(m, struct ieee80211_frame *); 547 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) { 548 case IEEE80211_FC1_DIR_NODS: 549 case IEEE80211_FC1_DIR_FROMDS: 550 addr = wh->i_addr1; 551 break; 552 case IEEE80211_FC1_DIR_DSTODS: 553 case IEEE80211_FC1_DIR_TODS: 554 addr = wh->i_addr3; 555 break; 556 default: 557 goto bad; 558 } 559 560 ni = ieee80211_find_txnode(ic, addr); 561 if (ni == NULL) 562 ni = ieee80211_ref_node(ic->ic_bss); 563 if (ni == NULL) { 564 printf("%s: no node for dst %s, " 565 "discard raw tx frame\n", ifp->if_xname, 566 ether_sprintf(addr)); 567 ic->ic_stats.is_tx_nonode++; 568 goto bad; 569 } 570 ni->ni_inact = 0; 571 572 *pni = ni; 573 return (m); 574 } 575#endif 576 577 fallback: 578 if (m->m_len < sizeof(struct ether_header)) { 579 m = m_pullup(m, sizeof(struct ether_header)); 580 if (m == NULL) { 581 ic->ic_stats.is_tx_nombuf++; 582 goto bad; 583 } 584 } 585 memcpy(&eh, mtod(m, caddr_t), sizeof(struct ether_header)); 586 587 ni = ieee80211_find_txnode(ic, eh.ether_dhost); 588 if (ni == NULL) { 589 DPRINTF(("no node for dst %s, discard frame\n", 590 ether_sprintf(eh.ether_dhost))); 591 ic->ic_stats.is_tx_nonode++; 592 goto bad; 593 } 594 595#ifndef IEEE80211_STA_ONLY 596 if (ic->ic_opmode == IEEE80211_M_HOSTAP && ni != ic->ic_bss && 597 ni->ni_state != IEEE80211_STA_ASSOC) { 598 ic->ic_stats.is_tx_nonode++; 599 goto bad; 600 } 601#endif 602 603 if ((ic->ic_flags & IEEE80211_F_RSNON) && 604 !ni->ni_port_valid && 605 eh.ether_type != htons(ETHERTYPE_EAPOL)) { 606 DPRINTF(("port not valid: %s\n", 607 ether_sprintf(eh.ether_dhost))); 608 ic->ic_stats.is_tx_noauth++; 609 goto bad; 610 } 611 612 if ((ic->ic_flags & IEEE80211_F_COUNTERM) && 613 ni->ni_rsncipher == IEEE80211_CIPHER_TKIP) 614 /* XXX TKIP countermeasures! */; 615 616 ni->ni_inact = 0; 617 618 if ((ic->ic_flags & IEEE80211_F_QOS) && 619 (ni->ni_flags & IEEE80211_NODE_QOS) && 620 /* do not QoS-encapsulate EAPOL frames */ 621 eh.ether_type != htons(ETHERTYPE_EAPOL)) { 622 struct ieee80211_tx_ba *ba; 623 tid = ieee80211_classify(ic, m); 624 ba = &ni->ni_tx_ba[tid]; 625 /* We use QoS data frames for aggregation only. */ 626 if (ba->ba_state != IEEE80211_BA_AGREED) { 627 hdrlen = sizeof(struct ieee80211_frame); 628 addqos = 0; 629 if (ieee80211_can_use_ampdu(ic, ni)) 630 ieee80211_node_trigger_addba_req(ni, tid); 631 } else { 632 hdrlen = sizeof(struct ieee80211_qosframe); 633 addqos = 1; 634 } 635 } else { 636 hdrlen = sizeof(struct ieee80211_frame); 637 addqos = 0; 638 } 639 m_adj(m, sizeof(struct ether_header) - LLC_SNAPFRAMELEN); 640 llc = mtod(m, struct llc *); 641 llc->llc_dsap = llc->llc_ssap = LLC_SNAP_LSAP; 642 llc->llc_control = LLC_UI; 643 llc->llc_snap.org_code[0] = 0; 644 llc->llc_snap.org_code[1] = 0; 645 llc->llc_snap.org_code[2] = 0; 646 llc->llc_snap.ether_type = eh.ether_type; 647 M_PREPEND(m, hdrlen, M_DONTWAIT); 648 if (m == NULL) { 649 ic->ic_stats.is_tx_nombuf++; 650 goto bad; 651 } 652 wh = mtod(m, struct ieee80211_frame *); 653 wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_DATA; 654 *(u_int16_t *)&wh->i_dur[0] = 0; 655 if (addqos) { 656 struct ieee80211_qosframe *qwh = 657 (struct ieee80211_qosframe *)wh; 658 u_int16_t qos = tid; 659 660 if (ic->ic_tid_noack & (1 << tid)) 661 qos |= IEEE80211_QOS_ACK_POLICY_NOACK; 662 else { 663 /* Use HT immediate block-ack. */ 664 qos |= IEEE80211_QOS_ACK_POLICY_NORMAL; 665 } 666 qwh->i_fc[0] |= IEEE80211_FC0_SUBTYPE_QOS; 667 *(u_int16_t *)qwh->i_qos = htole16(qos); 668 *(u_int16_t *)qwh->i_seq = 669 htole16(ni->ni_qos_txseqs[tid] << IEEE80211_SEQ_SEQ_SHIFT); 670 ni->ni_qos_txseqs[tid] = (ni->ni_qos_txseqs[tid] + 1) & 0xfff; 671 } else { 672 *(u_int16_t *)&wh->i_seq[0] = 673 htole16(ni->ni_txseq << IEEE80211_SEQ_SEQ_SHIFT); 674 ni->ni_txseq = (ni->ni_txseq + 1) & 0xfff; 675 } 676 switch (ic->ic_opmode) { 677 case IEEE80211_M_STA: 678 wh->i_fc[1] = IEEE80211_FC1_DIR_TODS; 679 IEEE80211_ADDR_COPY(wh->i_addr1, ni->ni_bssid); 680 IEEE80211_ADDR_COPY(wh->i_addr2, eh.ether_shost); 681 IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_dhost); 682 break; 683#ifndef IEEE80211_STA_ONLY 684 case IEEE80211_M_IBSS: 685 case IEEE80211_M_AHDEMO: 686 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS; 687 IEEE80211_ADDR_COPY(wh->i_addr1, eh.ether_dhost); 688 IEEE80211_ADDR_COPY(wh->i_addr2, eh.ether_shost); 689 IEEE80211_ADDR_COPY(wh->i_addr3, ic->ic_bss->ni_bssid); 690 break; 691 case IEEE80211_M_HOSTAP: 692 wh->i_fc[1] = IEEE80211_FC1_DIR_FROMDS; 693 IEEE80211_ADDR_COPY(wh->i_addr1, eh.ether_dhost); 694 IEEE80211_ADDR_COPY(wh->i_addr2, ni->ni_bssid); 695 IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_shost); 696 break; 697#endif 698 default: 699 /* should not get there */ 700 goto bad; 701 } 702 703 if ((ic->ic_flags & IEEE80211_F_WEPON) || 704 ((ic->ic_flags & IEEE80211_F_RSNON) && 705 (ni->ni_flags & IEEE80211_NODE_TXPROT))) 706 wh->i_fc[1] |= IEEE80211_FC1_PROTECTED; 707 708#ifndef IEEE80211_STA_ONLY 709 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 710 ieee80211_pwrsave(ic, m, ni) != 0) { 711 *pni = NULL; 712 return NULL; 713 } 714#endif 715 *pni = ni; 716 return m; 717bad: 718 m_freem(m); 719 if (ni != NULL) 720 ieee80211_release_node(ic, ni); 721 *pni = NULL; 722 return NULL; 723} 724 725/* 726 * Add a Capability Information field to a frame (see 7.3.1.4). 727 */ 728u_int8_t * 729ieee80211_add_capinfo(u_int8_t *frm, struct ieee80211com *ic, 730 const struct ieee80211_node *ni) 731{ 732 u_int16_t capinfo; 733 734#ifndef IEEE80211_STA_ONLY 735 if (ic->ic_opmode == IEEE80211_M_IBSS) 736 capinfo = IEEE80211_CAPINFO_IBSS; 737 else if (ic->ic_opmode == IEEE80211_M_HOSTAP) 738 capinfo = IEEE80211_CAPINFO_ESS; 739 else 740#endif 741 capinfo = 0; 742#ifndef IEEE80211_STA_ONLY 743 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 744 (ic->ic_flags & (IEEE80211_F_WEPON | IEEE80211_F_RSNON))) 745 capinfo |= IEEE80211_CAPINFO_PRIVACY; 746#endif 747 /* NB: some 11a AP's reject the request when short preamble is set */ 748 if ((ic->ic_flags & IEEE80211_F_SHPREAMBLE) && 749 IEEE80211_IS_CHAN_2GHZ(ni->ni_chan)) 750 capinfo |= IEEE80211_CAPINFO_SHORT_PREAMBLE; 751 if (ic->ic_flags & IEEE80211_F_SHSLOT) 752 capinfo |= IEEE80211_CAPINFO_SHORT_SLOTTIME; 753 LE_WRITE_2(frm, capinfo); 754 return frm + 2; 755} 756 757/* 758 * Add an SSID element to a frame (see 7.3.2.1). 759 */ 760u_int8_t * 761ieee80211_add_ssid(u_int8_t *frm, const u_int8_t *ssid, u_int len) 762{ 763 *frm++ = IEEE80211_ELEMID_SSID; 764 *frm++ = len; 765 memcpy(frm, ssid, len); 766 return frm + len; 767} 768 769/* 770 * Add a supported rates element to a frame (see 7.3.2.2). 771 */ 772u_int8_t * 773ieee80211_add_rates(u_int8_t *frm, const struct ieee80211_rateset *rs) 774{ 775 int nrates; 776 777 *frm++ = IEEE80211_ELEMID_RATES; 778 nrates = min(rs->rs_nrates, IEEE80211_RATE_SIZE); 779 *frm++ = nrates; 780 memcpy(frm, rs->rs_rates, nrates); 781 return frm + nrates; 782} 783 784#ifndef IEEE80211_STA_ONLY 785/* 786 * Add a DS Parameter Set element to a frame (see 7.3.2.4). 787 */ 788u_int8_t * 789ieee80211_add_ds_params(u_int8_t *frm, struct ieee80211com *ic, 790 const struct ieee80211_node *ni) 791{ 792 *frm++ = IEEE80211_ELEMID_DSPARMS; 793 *frm++ = 1; 794 *frm++ = ieee80211_chan2ieee(ic, ni->ni_chan); 795 return frm; 796} 797 798/* 799 * Add a TIM element to a frame (see 7.3.2.6 and Annex L). 800 */ 801u_int8_t * 802ieee80211_add_tim(u_int8_t *frm, struct ieee80211com *ic) 803{ 804 u_int i, offset = 0, len; 805 806 /* find first non-zero octet in the virtual bit map */ 807 for (i = 0; i < ic->ic_tim_len && ic->ic_tim_bitmap[i] == 0; i++); 808 809 /* clear the lsb as it is reserved for the broadcast indication bit */ 810 if (i < ic->ic_tim_len) 811 offset = i & ~1; 812 813 /* find last non-zero octet in the virtual bit map */ 814 for (i = ic->ic_tim_len - 1; i > 0 && ic->ic_tim_bitmap[i] == 0; i--); 815 816 len = i - offset + 1; 817 818 *frm++ = IEEE80211_ELEMID_TIM; 819 *frm++ = len + 3; /* length */ 820 *frm++ = ic->ic_dtim_count; /* DTIM count */ 821 *frm++ = ic->ic_dtim_period; /* DTIM period */ 822 823 /* Bitmap Control */ 824 *frm = offset; 825 /* set broadcast/multicast indication bit if necessary */ 826 if (ic->ic_dtim_count == 0 && ic->ic_tim_mcast_pending) 827 *frm |= 0x01; 828 frm++; 829 830 /* Partial Virtual Bitmap */ 831 memcpy(frm, &ic->ic_tim_bitmap[offset], len); 832 return frm + len; 833} 834 835/* 836 * Add an IBSS Parameter Set element to a frame (see 7.3.2.7). 837 */ 838u_int8_t * 839ieee80211_add_ibss_params(u_int8_t *frm, const struct ieee80211_node *ni) 840{ 841 *frm++ = IEEE80211_ELEMID_IBSSPARMS; 842 *frm++ = 2; 843 LE_WRITE_2(frm, 0); /* TODO: ATIM window */ 844 return frm + 2; 845} 846 847/* 848 * Add an EDCA Parameter Set element to a frame (see 7.3.2.29). 849 */ 850u_int8_t * 851ieee80211_add_edca_params(u_int8_t *frm, struct ieee80211com *ic) 852{ 853 const struct ieee80211_edca_ac_params *edca; 854 int aci; 855 856 *frm++ = IEEE80211_ELEMID_EDCAPARMS; 857 *frm++ = 18; /* length */ 858 *frm++ = 0; /* QoS Info */ 859 *frm++ = 0; /* reserved */ 860 861 /* setup AC Parameter Records */ 862 edca = ieee80211_edca_table[ic->ic_curmode]; 863 for (aci = 0; aci < EDCA_NUM_AC; aci++) { 864 const struct ieee80211_edca_ac_params *ac = &edca[aci]; 865 866 *frm++ = (aci << 5) | ((ac->ac_acm & 0x1) << 4) | 867 (ac->ac_aifsn & 0xf); 868 *frm++ = (ac->ac_ecwmax << 4) | 869 (ac->ac_ecwmin & 0xf); 870 LE_WRITE_2(frm, ac->ac_txoplimit); frm += 2; 871 } 872 return frm; 873} 874 875/* 876 * Add an ERP element to a frame (see 7.3.2.13). 877 */ 878u_int8_t * 879ieee80211_add_erp(u_int8_t *frm, struct ieee80211com *ic) 880{ 881 u_int8_t erp; 882 int nonerpsta = 0; 883 884 *frm++ = IEEE80211_ELEMID_ERP; 885 *frm++ = 1; 886 erp = 0; 887 /* 888 * The NonERP_Present bit shall be set to 1 when a NonERP STA 889 * is associated with the BSS. 890 */ 891 ieee80211_iterate_nodes(ic, ieee80211_count_nonerpsta, &nonerpsta); 892 if (nonerpsta != 0) 893 erp |= IEEE80211_ERP_NON_ERP_PRESENT; 894 /* 895 * If one or more NonERP STAs are associated in the BSS, the 896 * Use_Protection bit shall be set to 1 in transmitted ERP 897 * Information Elements. 898 */ 899 if (ic->ic_flags & IEEE80211_F_USEPROT) 900 erp |= IEEE80211_ERP_USE_PROTECTION; 901 /* 902 * The Barker_Preamble_Mode bit shall be set to 1 by the ERP 903 * Information Element sender if one or more associated NonERP 904 * STAs are not short preamble capable. 905 */ 906 if (!(ic->ic_flags & IEEE80211_F_SHPREAMBLE)) 907 erp |= IEEE80211_ERP_BARKER_MODE; 908 *frm++ = erp; 909 return frm; 910} 911#endif /* IEEE80211_STA_ONLY */ 912 913/* 914 * Add a QoS Capability element to a frame (see 7.3.2.35). 915 */ 916u_int8_t * 917ieee80211_add_qos_capability(u_int8_t *frm, struct ieee80211com *ic) 918{ 919 *frm++ = IEEE80211_ELEMID_QOS_CAP; 920 *frm++ = 1; 921 *frm++ = 0; /* QoS Info */ 922 return frm; 923} 924 925/* 926 * Add a Wifi-Alliance WME (aka WMM) info element to a frame. 927 * WME is a requirement for Wifi-Alliance compliance and some 928 * 11n APs will not negotiate HT if this element is missing. 929 */ 930uint8_t * 931ieee80211_add_wme_info(uint8_t *frm, struct ieee80211com *ic) 932{ 933 *frm++ = IEEE80211_ELEMID_VENDOR; 934 *frm++ = 7; 935 memcpy(frm, MICROSOFT_OUI, 3); frm += 3; 936 *frm++ = 2; /* OUI type */ 937 *frm++ = 0; /* OUI subtype */ 938 *frm++ = 1; /* version */ 939 *frm++ = 0; /* info */ 940 941 return frm; 942} 943 944#ifndef IEEE80211_STA_ONLY 945/* 946 * Add a Wifi-Alliance WMM (aka WME) parameter element to a frame. 947 */ 948uint8_t * 949ieee80211_add_wme_param(uint8_t *frm, struct ieee80211com *ic) 950{ 951 const struct ieee80211_edca_ac_params *edca; 952 int aci; 953 954 *frm++ = IEEE80211_ELEMID_VENDOR; 955 *frm++ = 24; 956 memcpy(frm, MICROSOFT_OUI, 3); frm += 3; 957 *frm++ = 2; /* OUI type */ 958 *frm++ = 1; /* OUI subtype */ 959 *frm++ = 1; /* version */ 960 *frm++ = 0; /* info */ 961 *frm++ = 0; /* reserved */ 962 963 /* setup AC Parameter Records */ 964 edca = ieee80211_edca_table[ic->ic_curmode]; 965 for (aci = 0; aci < EDCA_NUM_AC; aci++) { 966 const struct ieee80211_edca_ac_params *ac = &edca[aci]; 967 968 *frm++ = (aci << 5) | ((ac->ac_acm & 0x1) << 4) | 969 (ac->ac_aifsn & 0xf); 970 *frm++ = (ac->ac_ecwmax << 4) | 971 (ac->ac_ecwmin & 0xf); 972 LE_WRITE_2(frm, ac->ac_txoplimit); frm += 2; 973 } 974 975 return frm; 976} 977#endif 978 979/* 980 * Add an RSN element to a frame (see 802.11-2012 8.4.2.27) 981 */ 982u_int8_t * 983ieee80211_add_rsn_body(u_int8_t *frm, struct ieee80211com *ic, 984 const struct ieee80211_node *ni, int wpa) 985{ 986 const u_int8_t *oui = wpa ? MICROSOFT_OUI : IEEE80211_OUI; 987 u_int8_t *pcount; 988 u_int16_t count, rsncaps; 989 990 /* write Version field */ 991 LE_WRITE_2(frm, 1); frm += 2; 992 993 /* write Group Data Cipher Suite field (see 802.11-2012 Table 8-99) */ 994 memcpy(frm, oui, 3); frm += 3; 995 switch (ni->ni_rsngroupcipher) { 996 case IEEE80211_CIPHER_WEP40: 997 *frm++ = 1; 998 break; 999 case IEEE80211_CIPHER_TKIP: 1000 *frm++ = 2; 1001 break; 1002 case IEEE80211_CIPHER_CCMP: 1003 *frm++ = 4; 1004 break; 1005 case IEEE80211_CIPHER_WEP104: 1006 *frm++ = 5; 1007 break; 1008 default: 1009 /* can't get there */ 1010 panic("invalid group data cipher!"); 1011 } 1012 1013 pcount = frm; frm += 2; 1014 count = 0; 1015 /* write Pairwise Cipher Suite List */ 1016 if (ni->ni_rsnciphers & IEEE80211_CIPHER_USEGROUP) { 1017 memcpy(frm, oui, 3); frm += 3; 1018 *frm++ = 0; 1019 count++; 1020 } 1021 if (ni->ni_rsnciphers & IEEE80211_CIPHER_TKIP) { 1022 memcpy(frm, oui, 3); frm += 3; 1023 *frm++ = 2; 1024 count++; 1025 } 1026 if (ni->ni_rsnciphers & IEEE80211_CIPHER_CCMP) { 1027 memcpy(frm, oui, 3); frm += 3; 1028 *frm++ = 4; 1029 count++; 1030 } 1031 /* write Pairwise Cipher Suite Count field */ 1032 LE_WRITE_2(pcount, count); 1033 1034 pcount = frm; frm += 2; 1035 count = 0; 1036 /* write AKM Suite List (see Table 20dc) */ 1037 if (ni->ni_rsnakms & IEEE80211_AKM_8021X) { 1038 memcpy(frm, oui, 3); frm += 3; 1039 *frm++ = 1; 1040 count++; 1041 } 1042 if (ni->ni_rsnakms & IEEE80211_AKM_PSK) { 1043 memcpy(frm, oui, 3); frm += 3; 1044 *frm++ = 2; 1045 count++; 1046 } 1047 if (!wpa && (ni->ni_rsnakms & IEEE80211_AKM_SHA256_8021X)) { 1048 memcpy(frm, oui, 3); frm += 3; 1049 *frm++ = 5; 1050 count++; 1051 } 1052 if (!wpa && (ni->ni_rsnakms & IEEE80211_AKM_SHA256_PSK)) { 1053 memcpy(frm, oui, 3); frm += 3; 1054 *frm++ = 6; 1055 count++; 1056 } 1057 /* write AKM Suite List Count field */ 1058 LE_WRITE_2(pcount, count); 1059 1060 if (wpa) 1061 return frm; 1062 1063 /* write RSN Capabilities field */ 1064 rsncaps = (ni->ni_rsncaps & (IEEE80211_RSNCAP_PTKSA_RCNT_MASK | 1065 IEEE80211_RSNCAP_GTKSA_RCNT_MASK)); 1066 if (ic->ic_caps & IEEE80211_C_MFP) { 1067 rsncaps |= IEEE80211_RSNCAP_MFPC; 1068 if (ic->ic_flags & IEEE80211_F_MFPR) 1069 rsncaps |= IEEE80211_RSNCAP_MFPR; 1070 } 1071 if (ic->ic_flags & IEEE80211_F_PBAR) 1072 rsncaps |= IEEE80211_RSNCAP_PBAC; 1073 LE_WRITE_2(frm, rsncaps); frm += 2; 1074 1075 if (ni->ni_flags & IEEE80211_NODE_PMKID) { 1076 /* write PMKID Count field */ 1077 LE_WRITE_2(frm, 1); frm += 2; 1078 /* write PMKID List (only 1) */ 1079 memcpy(frm, ni->ni_pmkid, IEEE80211_PMKID_LEN); 1080 frm += IEEE80211_PMKID_LEN; 1081 } 1082 1083 if (!(ic->ic_caps & IEEE80211_C_MFP)) 1084 return frm; 1085 1086 if ((ni->ni_flags & IEEE80211_NODE_PMKID) == 0) { 1087 /* no PMKID (PMKID Count=0) */ 1088 LE_WRITE_2(frm, 0); frm += 2; 1089 } 1090 1091 /* write Group Integrity Cipher Suite field */ 1092 memcpy(frm, oui, 3); frm += 3; 1093 switch (ic->ic_rsngroupmgmtcipher) { 1094 case IEEE80211_CIPHER_BIP: 1095 *frm++ = 6; 1096 break; 1097 default: 1098 /* can't get there */ 1099 panic("invalid integrity group cipher!"); 1100 } 1101 return frm; 1102} 1103 1104u_int8_t * 1105ieee80211_add_rsn(u_int8_t *frm, struct ieee80211com *ic, 1106 const struct ieee80211_node *ni) 1107{ 1108 u_int8_t *plen; 1109 1110 *frm++ = IEEE80211_ELEMID_RSN; 1111 plen = frm++; /* length filled in later */ 1112 frm = ieee80211_add_rsn_body(frm, ic, ni, 0); 1113 1114 /* write length field */ 1115 *plen = frm - plen - 1; 1116 return frm; 1117} 1118 1119/* 1120 * Add a vendor-specific WPA element to a frame. 1121 * This is required for compatibility with Wi-Fi Alliance WPA. 1122 */ 1123u_int8_t * 1124ieee80211_add_wpa(u_int8_t *frm, struct ieee80211com *ic, 1125 const struct ieee80211_node *ni) 1126{ 1127 u_int8_t *plen; 1128 1129 *frm++ = IEEE80211_ELEMID_VENDOR; 1130 plen = frm++; /* length filled in later */ 1131 memcpy(frm, MICROSOFT_OUI, 3); frm += 3; 1132 *frm++ = 1; /* WPA */ 1133 frm = ieee80211_add_rsn_body(frm, ic, ni, 1); 1134 1135 /* write length field */ 1136 *plen = frm - plen - 1; 1137 return frm; 1138} 1139 1140/* 1141 * Add an extended supported rates element to a frame (see 7.3.2.14). 1142 */ 1143u_int8_t * 1144ieee80211_add_xrates(u_int8_t *frm, const struct ieee80211_rateset *rs) 1145{ 1146 int nrates; 1147 1148 KASSERT(rs->rs_nrates > IEEE80211_RATE_SIZE); 1149 1150 *frm++ = IEEE80211_ELEMID_XRATES; 1151 nrates = rs->rs_nrates - IEEE80211_RATE_SIZE; 1152 *frm++ = nrates; 1153 memcpy(frm, rs->rs_rates + IEEE80211_RATE_SIZE, nrates); 1154 return frm + nrates; 1155} 1156 1157/* 1158 * Add an HT Capabilities element to a frame (see 7.3.2.57). 1159 */ 1160u_int8_t * 1161ieee80211_add_htcaps(u_int8_t *frm, struct ieee80211com *ic) 1162{ 1163 *frm++ = IEEE80211_ELEMID_HTCAPS; 1164 *frm++ = 26; 1165 LE_WRITE_2(frm, ic->ic_htcaps); frm += 2; 1166 *frm++ = ic->ic_ampdu_params; 1167 memcpy(frm, ic->ic_sup_mcs, 10); frm += 10; 1168 LE_WRITE_2(frm, (ic->ic_max_rxrate & IEEE80211_MCS_RX_RATE_HIGH)); 1169 frm += 2; 1170 *frm++ = ic->ic_tx_mcs_set; 1171 *frm++ = 0; /* reserved */ 1172 *frm++ = 0; /* reserved */ 1173 *frm++ = 0; /* reserved */ 1174 LE_WRITE_2(frm, ic->ic_htxcaps); frm += 2; 1175 LE_WRITE_4(frm, ic->ic_txbfcaps); frm += 4; 1176 *frm++ = ic->ic_aselcaps; 1177 return frm; 1178} 1179 1180#ifndef IEEE80211_STA_ONLY 1181/* 1182 * Add an HT Operation element to a frame (see 7.3.2.58). 1183 */ 1184u_int8_t * 1185ieee80211_add_htop(u_int8_t *frm, struct ieee80211com *ic) 1186{ 1187 *frm++ = IEEE80211_ELEMID_HTOP; 1188 *frm++ = 22; 1189 *frm++ = ieee80211_chan2ieee(ic, ic->ic_bss->ni_chan); 1190 *frm++ = ic->ic_bss->ni_htop0; 1191 LE_WRITE_2(frm, ic->ic_bss->ni_htop1); frm += 2; 1192 LE_WRITE_2(frm, ic->ic_bss->ni_htop2); frm += 2; 1193 memset(frm, 0, 16); frm += 16; 1194 return frm; 1195} 1196#endif /* !IEEE80211_STA_ONLY */ 1197 1198/* 1199 * Add a VHT Capabilities element to a frame (see 802.11ac-2013 8.4.2.160.2). 1200 */ 1201u_int8_t * 1202ieee80211_add_vhtcaps(u_int8_t *frm, struct ieee80211com *ic) 1203{ 1204 *frm++ = IEEE80211_ELEMID_VHTCAPS; 1205 *frm++ = 12; 1206 LE_WRITE_4(frm, ic->ic_vhtcaps); frm += 4; 1207 LE_WRITE_2(frm, ic->ic_vht_rxmcs); frm += 2; 1208 LE_WRITE_2(frm, ic->ic_vht_rx_max_lgi_mbit_s); frm += 2; 1209 LE_WRITE_2(frm, ic->ic_vht_txmcs); frm += 2; 1210 LE_WRITE_2(frm, ic->ic_vht_tx_max_lgi_mbit_s); frm += 2; 1211 return frm; 1212} 1213 1214#ifndef IEEE80211_STA_ONLY 1215/* 1216 * Add a Timeout Interval element to a frame (see 7.3.2.49). 1217 */ 1218u_int8_t * 1219ieee80211_add_tie(u_int8_t *frm, u_int8_t type, u_int32_t value) 1220{ 1221 *frm++ = IEEE80211_ELEMID_TIE; 1222 *frm++ = 5; /* length */ 1223 *frm++ = type; /* Timeout Interval type */ 1224 LE_WRITE_4(frm, value); 1225 return frm + 4; 1226} 1227#endif 1228 1229struct mbuf * 1230ieee80211_getmgmt(int flags, int type, u_int pktlen) 1231{ 1232 struct mbuf *m; 1233 1234 /* reserve space for 802.11 header */ 1235 pktlen += sizeof(struct ieee80211_frame); 1236 1237 if (pktlen > MCLBYTES) 1238 panic("management frame too large: %u", pktlen); 1239 MGETHDR(m, flags, type); 1240 if (m == NULL) 1241 return NULL; 1242 if (pktlen > MHLEN) { 1243 MCLGET(m, flags); 1244 if (!(m->m_flags & M_EXT)) 1245 return m_free(m); 1246 } 1247 m->m_data += sizeof(struct ieee80211_frame); 1248 return m; 1249} 1250 1251/*- 1252 * Probe request frame format: 1253 * [tlv] SSID 1254 * [tlv] Supported rates 1255 * [tlv] Extended Supported Rates (802.11g) 1256 * [tlv] HT Capabilities (802.11n) 1257 */ 1258struct mbuf * 1259ieee80211_get_probe_req(struct ieee80211com *ic, struct ieee80211_node *ni) 1260{ 1261 const struct ieee80211_rateset *rs = 1262 &ic->ic_sup_rates[ieee80211_chan2mode(ic, ni->ni_chan)]; 1263 struct mbuf *m; 1264 u_int8_t *frm; 1265 1266 m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA, 1267 2 + ic->ic_des_esslen + 1268 2 + min(rs->rs_nrates, IEEE80211_RATE_SIZE) + 1269 ((rs->rs_nrates > IEEE80211_RATE_SIZE) ? 1270 2 + rs->rs_nrates - IEEE80211_RATE_SIZE : 0) + 1271 ((ic->ic_flags & IEEE80211_F_HTON) ? 28 + 9 : 0) + 1272 ((ic->ic_flags & IEEE80211_F_VHTON) ? 14 : 0)); 1273 if (m == NULL) 1274 return NULL; 1275 1276 frm = mtod(m, u_int8_t *); 1277 frm = ieee80211_add_ssid(frm, ic->ic_des_essid, ic->ic_des_esslen); 1278 frm = ieee80211_add_rates(frm, rs); 1279 if (rs->rs_nrates > IEEE80211_RATE_SIZE) 1280 frm = ieee80211_add_xrates(frm, rs); 1281 if (ic->ic_flags & IEEE80211_F_HTON) { 1282 frm = ieee80211_add_htcaps(frm, ic); 1283 frm = ieee80211_add_wme_info(frm, ic); 1284 } 1285 if (ic->ic_flags & IEEE80211_F_VHTON) 1286 frm = ieee80211_add_htcaps(frm, ic); 1287 1288 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *); 1289 1290 return m; 1291} 1292 1293#ifndef IEEE80211_STA_ONLY 1294/*- 1295 * Probe response frame format: 1296 * [8] Timestamp 1297 * [2] Beacon interval 1298 * [2] Capability 1299 * [tlv] Service Set Identifier (SSID) 1300 * [tlv] Supported rates 1301 * [tlv] DS Parameter Set (802.11g) 1302 * [tlv] ERP Information (802.11g) 1303 * [tlv] Extended Supported Rates (802.11g) 1304 * [tlv] RSN (802.11i) 1305 * [tlv] EDCA Parameter Set (802.11e) 1306 * [tlv] HT Capabilities (802.11n) 1307 * [tlv] HT Operation (802.11n) 1308 */ 1309struct mbuf * 1310ieee80211_get_probe_resp(struct ieee80211com *ic) 1311{ 1312 const struct ieee80211_rateset *rs = &ic->ic_bss->ni_rates; 1313 struct mbuf *m; 1314 u_int8_t *frm; 1315 1316 m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA, 1317 8 + 2 + 2 + 1318 2 + ic->ic_bss->ni_esslen + 1319 2 + min(rs->rs_nrates, IEEE80211_RATE_SIZE) + 1320 2 + 1 + 1321 ((ic->ic_opmode == IEEE80211_M_IBSS) ? 2 + 2 : 0) + 1322 ((ic->ic_curmode == IEEE80211_MODE_11G) ? 2 + 1 : 0) + 1323 ((rs->rs_nrates > IEEE80211_RATE_SIZE) ? 1324 2 + rs->rs_nrates - IEEE80211_RATE_SIZE : 0) + 1325 (((ic->ic_flags & IEEE80211_F_RSNON) && 1326 (ic->ic_bss->ni_rsnprotos & IEEE80211_PROTO_RSN)) ? 1327 2 + IEEE80211_RSNIE_MAXLEN : 0) + 1328 ((ic->ic_flags & IEEE80211_F_QOS) ? 2 + 18 : 0) + 1329 (((ic->ic_flags & IEEE80211_F_RSNON) && 1330 (ic->ic_bss->ni_rsnprotos & IEEE80211_PROTO_WPA)) ? 1331 2 + IEEE80211_WPAIE_MAXLEN : 0) + 1332 ((ic->ic_flags & IEEE80211_F_HTON) ? 28 + 24 + 26 : 0)); 1333 if (m == NULL) 1334 return NULL; 1335 1336 frm = mtod(m, u_int8_t *); 1337 memset(frm, 0, 8); frm += 8; /* timestamp is set by hardware */ 1338 LE_WRITE_2(frm, ic->ic_bss->ni_intval); frm += 2; 1339 frm = ieee80211_add_capinfo(frm, ic, ic->ic_bss); 1340 frm = ieee80211_add_ssid(frm, ic->ic_bss->ni_essid, 1341 ic->ic_bss->ni_esslen); 1342 frm = ieee80211_add_rates(frm, rs); 1343 frm = ieee80211_add_ds_params(frm, ic, ic->ic_bss); 1344 if (ic->ic_opmode == IEEE80211_M_IBSS) 1345 frm = ieee80211_add_ibss_params(frm, ic->ic_bss); 1346 if (ic->ic_curmode == IEEE80211_MODE_11G) 1347 frm = ieee80211_add_erp(frm, ic); 1348 if (rs->rs_nrates > IEEE80211_RATE_SIZE) 1349 frm = ieee80211_add_xrates(frm, rs); 1350 if ((ic->ic_flags & IEEE80211_F_RSNON) && 1351 (ic->ic_bss->ni_rsnprotos & IEEE80211_PROTO_RSN)) 1352 frm = ieee80211_add_rsn(frm, ic, ic->ic_bss); 1353 if (ic->ic_flags & IEEE80211_F_QOS) 1354 frm = ieee80211_add_edca_params(frm, ic); 1355 if ((ic->ic_flags & IEEE80211_F_RSNON) && 1356 (ic->ic_bss->ni_rsnprotos & IEEE80211_PROTO_WPA)) 1357 frm = ieee80211_add_wpa(frm, ic, ic->ic_bss); 1358 if (ic->ic_flags & IEEE80211_F_HTON) { 1359 frm = ieee80211_add_htcaps(frm, ic); 1360 frm = ieee80211_add_htop(frm, ic); 1361 frm = ieee80211_add_wme_param(frm, ic); 1362 } 1363 1364 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *); 1365 1366 return m; 1367} 1368#endif /* IEEE80211_STA_ONLY */ 1369 1370/*- 1371 * Authentication frame format: 1372 * [2] Authentication algorithm number 1373 * [2] Authentication transaction sequence number 1374 * [2] Status code 1375 */ 1376struct mbuf * 1377ieee80211_get_auth(struct ieee80211com *ic, struct ieee80211_node *ni, 1378 u_int16_t status, u_int16_t seq) 1379{ 1380 struct mbuf *m; 1381 u_int8_t *frm; 1382 1383 MGETHDR(m, M_DONTWAIT, MT_DATA); 1384 if (m == NULL) 1385 return NULL; 1386 m_align(m, 2 * 3); 1387 m->m_pkthdr.len = m->m_len = 2 * 3; 1388 1389 frm = mtod(m, u_int8_t *); 1390 LE_WRITE_2(frm, IEEE80211_AUTH_ALG_OPEN); frm += 2; 1391 LE_WRITE_2(frm, seq); frm += 2; 1392 LE_WRITE_2(frm, status); 1393 1394 return m; 1395} 1396 1397/*- 1398 * Deauthentication frame format: 1399 * [2] Reason code 1400 */ 1401struct mbuf * 1402ieee80211_get_deauth(struct ieee80211com *ic, struct ieee80211_node *ni, 1403 u_int16_t reason) 1404{ 1405 struct mbuf *m; 1406 1407 MGETHDR(m, M_DONTWAIT, MT_DATA); 1408 if (m == NULL) 1409 return NULL; 1410 m_align(m, 2); 1411 m->m_pkthdr.len = m->m_len = 2; 1412 1413 *mtod(m, u_int16_t *) = htole16(reason); 1414 1415 return m; 1416} 1417 1418/*- 1419 * (Re)Association request frame format: 1420 * [2] Capability information 1421 * [2] Listen interval 1422 * [6*] Current AP address (Reassociation only) 1423 * [tlv] SSID 1424 * [tlv] Supported rates 1425 * [tlv] Extended Supported Rates (802.11g) 1426 * [tlv] RSN (802.11i) 1427 * [tlv] QoS Capability (802.11e) 1428 * [tlv] HT Capabilities (802.11n) 1429 */ 1430struct mbuf * 1431ieee80211_get_assoc_req(struct ieee80211com *ic, struct ieee80211_node *ni, 1432 int type) 1433{ 1434 const struct ieee80211_rateset *rs = &ni->ni_rates; 1435 struct mbuf *m; 1436 u_int8_t *frm; 1437 u_int16_t capinfo; 1438 1439 m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA, 1440 2 + 2 + 1441 ((type == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) ? 1442 IEEE80211_ADDR_LEN : 0) + 1443 2 + ni->ni_esslen + 1444 2 + min(rs->rs_nrates, IEEE80211_RATE_SIZE) + 1445 ((rs->rs_nrates > IEEE80211_RATE_SIZE) ? 1446 2 + rs->rs_nrates - IEEE80211_RATE_SIZE : 0) + 1447 (((ic->ic_flags & IEEE80211_F_RSNON) && 1448 (ni->ni_rsnprotos & IEEE80211_PROTO_RSN)) ? 1449 2 + IEEE80211_RSNIE_MAXLEN : 0) + 1450 ((ni->ni_flags & IEEE80211_NODE_QOS) ? 2 + 1 : 0) + 1451 (((ic->ic_flags & IEEE80211_F_RSNON) && 1452 (ni->ni_rsnprotos & IEEE80211_PROTO_WPA)) ? 1453 2 + IEEE80211_WPAIE_MAXLEN : 0) + 1454 ((ic->ic_flags & IEEE80211_F_HTON) ? 28 + 9 : 0) + 1455 ((ic->ic_flags & IEEE80211_F_VHTON) ? 14 : 0)); 1456 if (m == NULL) 1457 return NULL; 1458 1459 frm = mtod(m, u_int8_t *); 1460 capinfo = IEEE80211_CAPINFO_ESS; 1461 if (ic->ic_flags & IEEE80211_F_WEPON) 1462 capinfo |= IEEE80211_CAPINFO_PRIVACY; 1463 if ((ic->ic_flags & IEEE80211_F_SHPREAMBLE) && 1464 IEEE80211_IS_CHAN_2GHZ(ni->ni_chan)) 1465 capinfo |= IEEE80211_CAPINFO_SHORT_PREAMBLE; 1466 if (ic->ic_caps & IEEE80211_C_SHSLOT) 1467 capinfo |= IEEE80211_CAPINFO_SHORT_SLOTTIME; 1468 LE_WRITE_2(frm, capinfo); frm += 2; 1469 LE_WRITE_2(frm, ic->ic_lintval); frm += 2; 1470 if (type == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) { 1471 IEEE80211_ADDR_COPY(frm, ic->ic_bss->ni_bssid); 1472 frm += IEEE80211_ADDR_LEN; 1473 } 1474 frm = ieee80211_add_ssid(frm, ni->ni_essid, ni->ni_esslen); 1475 frm = ieee80211_add_rates(frm, rs); 1476 if (rs->rs_nrates > IEEE80211_RATE_SIZE) 1477 frm = ieee80211_add_xrates(frm, rs); 1478 if ((ic->ic_flags & IEEE80211_F_RSNON) && 1479 (ni->ni_rsnprotos & IEEE80211_PROTO_RSN)) 1480 frm = ieee80211_add_rsn(frm, ic, ni); 1481 if (ni->ni_flags & IEEE80211_NODE_QOS) 1482 frm = ieee80211_add_qos_capability(frm, ic); 1483 if ((ic->ic_flags & IEEE80211_F_RSNON) && 1484 (ni->ni_rsnprotos & IEEE80211_PROTO_WPA)) 1485 frm = ieee80211_add_wpa(frm, ic, ni); 1486 if (ic->ic_flags & IEEE80211_F_HTON) { 1487 frm = ieee80211_add_htcaps(frm, ic); 1488 frm = ieee80211_add_wme_info(frm, ic); 1489 } 1490 if (ic->ic_flags & IEEE80211_F_VHTON) 1491 frm = ieee80211_add_vhtcaps(frm, ic); 1492 1493 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *); 1494 1495 return m; 1496} 1497 1498#ifndef IEEE80211_STA_ONLY 1499/*- 1500 * (Re)Association response frame format: 1501 * [2] Capability information 1502 * [2] Status code 1503 * [2] Association ID (AID) 1504 * [tlv] Supported rates 1505 * [tlv] Extended Supported Rates (802.11g) 1506 * [tlv] EDCA Parameter Set (802.11e) 1507 * [tlv] Timeout Interval (802.11w) 1508 * [tlv] HT Capabilities (802.11n) 1509 * [tlv] HT Operation (802.11n) 1510 */ 1511struct mbuf * 1512ieee80211_get_assoc_resp(struct ieee80211com *ic, struct ieee80211_node *ni, 1513 u_int16_t status) 1514{ 1515 const struct ieee80211_rateset *rs = &ni->ni_rates; 1516 struct mbuf *m; 1517 u_int8_t *frm; 1518 1519 m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA, 1520 2 + 2 + 2 + 1521 2 + min(rs->rs_nrates, IEEE80211_RATE_SIZE) + 1522 ((rs->rs_nrates > IEEE80211_RATE_SIZE) ? 1523 2 + rs->rs_nrates - IEEE80211_RATE_SIZE : 0) + 1524 ((ni->ni_flags & IEEE80211_NODE_QOS) ? 2 + 18 : 0) + 1525 ((status == IEEE80211_STATUS_TRY_AGAIN_LATER) ? 2 + 7 : 0) + 1526 ((ic->ic_flags & IEEE80211_F_HTON) ? 28 + 24 + 26 : 0)); 1527 if (m == NULL) 1528 return NULL; 1529 1530 frm = mtod(m, u_int8_t *); 1531 frm = ieee80211_add_capinfo(frm, ic, ni); 1532 LE_WRITE_2(frm, status); frm += 2; 1533 if (status == IEEE80211_STATUS_SUCCESS) 1534 LE_WRITE_2(frm, ni->ni_associd); 1535 else 1536 LE_WRITE_2(frm, 0); 1537 frm += 2; 1538 frm = ieee80211_add_rates(frm, rs); 1539 if (rs->rs_nrates > IEEE80211_RATE_SIZE) 1540 frm = ieee80211_add_xrates(frm, rs); 1541 if (ni->ni_flags & IEEE80211_NODE_QOS) 1542 frm = ieee80211_add_edca_params(frm, ic); 1543 if ((ni->ni_flags & IEEE80211_NODE_MFP) && 1544 status == IEEE80211_STATUS_TRY_AGAIN_LATER) { 1545 /* Association Comeback Time */ 1546 frm = ieee80211_add_tie(frm, 3, 1000 /* XXX */); 1547 } 1548 if (ic->ic_flags & IEEE80211_F_HTON) { 1549 frm = ieee80211_add_htcaps(frm, ic); 1550 frm = ieee80211_add_htop(frm, ic); 1551 frm = ieee80211_add_wme_param(frm, ic); 1552 } 1553 1554 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *); 1555 1556 return m; 1557} 1558#endif /* IEEE80211_STA_ONLY */ 1559 1560/*- 1561 * Disassociation frame format: 1562 * [2] Reason code 1563 */ 1564struct mbuf * 1565ieee80211_get_disassoc(struct ieee80211com *ic, struct ieee80211_node *ni, 1566 u_int16_t reason) 1567{ 1568 struct mbuf *m; 1569 1570 MGETHDR(m, M_DONTWAIT, MT_DATA); 1571 if (m == NULL) 1572 return NULL; 1573 m_align(m, 2); 1574 m->m_pkthdr.len = m->m_len = 2; 1575 1576 *mtod(m, u_int16_t *) = htole16(reason); 1577 1578 return m; 1579} 1580 1581/*- 1582 * ADDBA Request frame format: 1583 * [1] Category 1584 * [1] Action 1585 * [1] Dialog Token 1586 * [2] Block Ack Parameter Set 1587 * [2] Block Ack Timeout Value 1588 * [2] Block Ack Starting Sequence Control 1589 */ 1590struct mbuf * 1591ieee80211_get_addba_req(struct ieee80211com *ic, struct ieee80211_node *ni, 1592 u_int8_t tid) 1593{ 1594 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 1595 struct mbuf *m; 1596 u_int8_t *frm; 1597 1598 m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA, 9); 1599 if (m == NULL) 1600 return m; 1601 1602 frm = mtod(m, u_int8_t *); 1603 *frm++ = IEEE80211_CATEG_BA; 1604 *frm++ = IEEE80211_ACTION_ADDBA_REQ; 1605 *frm++ = ba->ba_token; 1606 LE_WRITE_2(frm, ba->ba_params); frm += 2; 1607 LE_WRITE_2(frm, ba->ba_timeout_val / IEEE80211_DUR_TU); frm += 2; 1608 LE_WRITE_2(frm, ba->ba_winstart << IEEE80211_SEQ_SEQ_SHIFT); frm += 2; 1609 1610 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *); 1611 1612 return m; 1613} 1614 1615/* Move Tx BA window forward to the specified SSN. */ 1616void 1617ieee80211_output_ba_move_window(struct ieee80211com *ic, 1618 struct ieee80211_node *ni, uint8_t tid, uint16_t ssn) 1619{ 1620 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 1621 uint16_t s = ba->ba_winstart; 1622 1623 while (SEQ_LT(s, ssn) && ba->ba_bitmap) { 1624 s = (s + 1) % 0xfff; 1625 ba->ba_bitmap >>= 1; 1626 } 1627 1628 ba->ba_winstart = (ssn & 0xfff); 1629 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 1630} 1631 1632/* 1633 * Move Tx BA window forward up to the first hole in the bitmap 1634 * or up to the specified SSN, whichever comes first. 1635 * After calling this function, frames before the start of the 1636 * potentially changed BA window should be discarded. 1637 */ 1638void 1639ieee80211_output_ba_move_window_to_first_unacked(struct ieee80211com *ic, 1640 struct ieee80211_node *ni, uint8_t tid, uint16_t ssn) 1641{ 1642 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 1643 uint16_t s = ba->ba_winstart; 1644 uint64_t bitmap = ba->ba_bitmap; 1645 int can_move_window = 0; 1646 1647 while (bitmap && SEQ_LT(s, ssn)) { 1648 if ((bitmap & 1) == 0) 1649 break; 1650 s = (s + 1) % 0xfff; 1651 bitmap >>= 1; 1652 can_move_window = 1; 1653 } 1654 1655 if (can_move_window) 1656 ieee80211_output_ba_move_window(ic, ni, tid, s); 1657} 1658 1659/* Record an ACK for a frame with a given SSN within the Tx BA window. */ 1660void 1661ieee80211_output_ba_record_ack(struct ieee80211com *ic, 1662 struct ieee80211_node *ni, uint8_t tid, uint16_t ssn) 1663{ 1664 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 1665 int i = 0; 1666 uint16_t s = ba->ba_winstart; 1667 1668 KASSERT(!SEQ_LT(ssn, ba->ba_winstart)); 1669 KASSERT(!SEQ_LT(ba->ba_winend, ssn)); 1670 1671 while (SEQ_LT(s, ssn)) { 1672 s = (s + 1) % 0xfff; 1673 i++; 1674 } 1675 if (i < ba->ba_winsize) 1676 ba->ba_bitmap |= (1 << i); 1677} 1678 1679/*- 1680 * ADDBA Response frame format: 1681 * [1] Category 1682 * [1] Action 1683 * [1] Dialog Token 1684 * [2] Status Code 1685 * [2] Block Ack Parameter Set 1686 * [2] Block Ack Timeout Value 1687 */ 1688struct mbuf * 1689ieee80211_get_addba_resp(struct ieee80211com *ic, struct ieee80211_node *ni, 1690 u_int8_t tid, u_int8_t token, u_int16_t status) 1691{ 1692 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 1693 struct mbuf *m; 1694 u_int8_t *frm; 1695 u_int16_t params; 1696 1697 m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA, 9); 1698 if (m == NULL) 1699 return m; 1700 1701 frm = mtod(m, u_int8_t *); 1702 *frm++ = IEEE80211_CATEG_BA; 1703 *frm++ = IEEE80211_ACTION_ADDBA_RESP; 1704 *frm++ = token; 1705 LE_WRITE_2(frm, status); frm += 2; 1706 if (status == 0) 1707 params = ba->ba_params; 1708 else 1709 params = tid << IEEE80211_ADDBA_TID_SHIFT; 1710 LE_WRITE_2(frm, params); frm += 2; 1711 if (status == 0) 1712 LE_WRITE_2(frm, ba->ba_timeout_val / IEEE80211_DUR_TU); 1713 else 1714 LE_WRITE_2(frm, 0); 1715 frm += 2; 1716 1717 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *); 1718 1719 return m; 1720} 1721 1722/*- 1723 * DELBA frame format: 1724 * [1] Category 1725 * [1] Action 1726 * [2] DELBA Parameter Set 1727 * [2] Reason Code 1728 */ 1729struct mbuf * 1730ieee80211_get_delba(struct ieee80211com *ic, struct ieee80211_node *ni, 1731 u_int8_t tid, u_int8_t dir, u_int16_t reason) 1732{ 1733 struct mbuf *m; 1734 u_int8_t *frm; 1735 u_int16_t params; 1736 1737 m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA, 6); 1738 if (m == NULL) 1739 return m; 1740 1741 frm = mtod(m, u_int8_t *); 1742 *frm++ = IEEE80211_CATEG_BA; 1743 *frm++ = IEEE80211_ACTION_DELBA; 1744 params = tid << 12; 1745 if (dir) 1746 params |= IEEE80211_DELBA_INITIATOR; 1747 LE_WRITE_2(frm, params); frm += 2; 1748 LE_WRITE_2(frm, reason); frm += 2; 1749 1750 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *); 1751 1752 return m; 1753} 1754 1755/*- 1756 * SA Query Request/Response frame format: 1757 * [1] Category 1758 * [1] Action 1759 * [16] Transaction Identifier 1760 */ 1761struct mbuf * 1762ieee80211_get_sa_query(struct ieee80211com *ic, struct ieee80211_node *ni, 1763 u_int8_t action) 1764{ 1765 struct mbuf *m; 1766 u_int8_t *frm; 1767 1768 m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA, 4); 1769 if (m == NULL) 1770 return NULL; 1771 1772 frm = mtod(m, u_int8_t *); 1773 *frm++ = IEEE80211_CATEG_SA_QUERY; 1774 *frm++ = action; /* ACTION_SA_QUERY_REQ/RESP */ 1775 LE_WRITE_2(frm, ni->ni_sa_query_trid); frm += 2; 1776 1777 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *); 1778 1779 return m; 1780} 1781 1782struct mbuf * 1783ieee80211_get_action(struct ieee80211com *ic, struct ieee80211_node *ni, 1784 u_int8_t categ, u_int8_t action, int arg) 1785{ 1786 struct mbuf *m = NULL; 1787 1788 switch (categ) { 1789 case IEEE80211_CATEG_BA: 1790 switch (action) { 1791 case IEEE80211_ACTION_ADDBA_REQ: 1792 m = ieee80211_get_addba_req(ic, ni, arg & 0xffff); 1793 break; 1794 case IEEE80211_ACTION_ADDBA_RESP: 1795 m = ieee80211_get_addba_resp(ic, ni, arg & 0xff, 1796 arg >> 8, arg >> 16); 1797 break; 1798 case IEEE80211_ACTION_DELBA: 1799 m = ieee80211_get_delba(ic, ni, arg & 0xff, arg >> 8, 1800 arg >> 16); 1801 break; 1802 } 1803 break; 1804 case IEEE80211_CATEG_SA_QUERY: 1805 switch (action) { 1806#ifndef IEEE80211_STA_ONLY 1807 case IEEE80211_ACTION_SA_QUERY_REQ: 1808#endif 1809 case IEEE80211_ACTION_SA_QUERY_RESP: 1810 m = ieee80211_get_sa_query(ic, ni, action); 1811 break; 1812 } 1813 break; 1814 } 1815 return m; 1816} 1817 1818/* 1819 * Send a management frame. The node is for the destination (or ic_bss 1820 * when in station mode). Nodes other than ic_bss have their reference 1821 * count bumped to reflect our use for an indeterminant time. 1822 */ 1823int 1824ieee80211_send_mgmt(struct ieee80211com *ic, struct ieee80211_node *ni, 1825 int type, int arg1, int arg2) 1826{ 1827#define senderr(_x, _v) do { ic->ic_stats._v++; ret = _x; goto bad; } while (0) 1828 struct ifnet *ifp = &ic->ic_if; 1829 struct mbuf *m; 1830 int ret, timer; 1831 1832 if (ni == NULL) 1833 panic("null node"); 1834 1835 /* 1836 * Hold a reference on the node so it doesn't go away until after 1837 * the xmit is complete all the way in the driver. On error we 1838 * will remove our reference. 1839 */ 1840 ieee80211_ref_node(ni); 1841 timer = 0; 1842 switch (type) { 1843 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 1844 if ((m = ieee80211_get_probe_req(ic, ni)) == NULL) 1845 senderr(ENOMEM, is_tx_nombuf); 1846 1847 timer = IEEE80211_TRANS_WAIT; 1848 break; 1849#ifndef IEEE80211_STA_ONLY 1850 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 1851 if ((m = ieee80211_get_probe_resp(ic)) == NULL) 1852 senderr(ENOMEM, is_tx_nombuf); 1853 break; 1854#endif 1855 case IEEE80211_FC0_SUBTYPE_AUTH: 1856 m = ieee80211_get_auth(ic, ni, arg1 >> 16, arg1 & 0xffff); 1857 if (m == NULL) 1858 senderr(ENOMEM, is_tx_nombuf); 1859 1860 if (ic->ic_opmode == IEEE80211_M_STA) 1861 timer = IEEE80211_TRANS_WAIT; 1862 break; 1863 1864 case IEEE80211_FC0_SUBTYPE_DEAUTH: 1865 if ((m = ieee80211_get_deauth(ic, ni, arg1)) == NULL) 1866 senderr(ENOMEM, is_tx_nombuf); 1867#ifndef IEEE80211_STA_ONLY 1868 if ((ifp->if_flags & IFF_DEBUG) && 1869 (ic->ic_opmode == IEEE80211_M_HOSTAP || 1870 ic->ic_opmode == IEEE80211_M_IBSS)) 1871 printf("%s: station %s deauthenticate (reason %d)\n", 1872 ifp->if_xname, ether_sprintf(ni->ni_macaddr), 1873 arg1); 1874#endif 1875 break; 1876 1877 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 1878 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: 1879 if ((m = ieee80211_get_assoc_req(ic, ni, type)) == NULL) 1880 senderr(ENOMEM, is_tx_nombuf); 1881 1882 timer = IEEE80211_TRANS_WAIT; 1883 break; 1884#ifndef IEEE80211_STA_ONLY 1885 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 1886 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 1887 if ((m = ieee80211_get_assoc_resp(ic, ni, arg1)) == NULL) 1888 senderr(ENOMEM, is_tx_nombuf); 1889 break; 1890#endif 1891 case IEEE80211_FC0_SUBTYPE_DISASSOC: 1892 if ((m = ieee80211_get_disassoc(ic, ni, arg1)) == NULL) 1893 senderr(ENOMEM, is_tx_nombuf); 1894#ifndef IEEE80211_STA_ONLY 1895 if ((ifp->if_flags & IFF_DEBUG) && 1896 (ic->ic_opmode == IEEE80211_M_HOSTAP || 1897 ic->ic_opmode == IEEE80211_M_IBSS)) 1898 printf("%s: station %s disassociate (reason %d)\n", 1899 ifp->if_xname, ether_sprintf(ni->ni_macaddr), 1900 arg1); 1901#endif 1902 break; 1903 1904 case IEEE80211_FC0_SUBTYPE_ACTION: 1905 m = ieee80211_get_action(ic, ni, arg1 >> 16, arg1 & 0xffff, 1906 arg2); 1907 if (m == NULL) 1908 senderr(ENOMEM, is_tx_nombuf); 1909 break; 1910 1911 default: 1912 DPRINTF(("invalid mgmt frame type %u\n", type)); 1913 senderr(EINVAL, is_tx_unknownmgt); 1914 /* NOTREACHED */ 1915 } 1916 1917 ret = ieee80211_mgmt_output(ifp, ni, m, type); 1918 if (ret == 0) { 1919 if (timer) 1920 ic->ic_mgt_timer = timer; 1921 } else { 1922bad: 1923 ieee80211_release_node(ic, ni); 1924 } 1925 return ret; 1926#undef senderr 1927} 1928 1929/* 1930 * Build a RTS (Request To Send) control frame (see 7.2.1.1). 1931 */ 1932struct mbuf * 1933ieee80211_get_rts(struct ieee80211com *ic, const struct ieee80211_frame *wh, 1934 u_int16_t dur) 1935{ 1936 struct ieee80211_frame_rts *rts; 1937 struct mbuf *m; 1938 1939 MGETHDR(m, M_DONTWAIT, MT_DATA); 1940 if (m == NULL) 1941 return NULL; 1942 1943 m->m_pkthdr.len = m->m_len = sizeof(struct ieee80211_frame_rts); 1944 1945 rts = mtod(m, struct ieee80211_frame_rts *); 1946 rts->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_CTL | 1947 IEEE80211_FC0_SUBTYPE_RTS; 1948 rts->i_fc[1] = IEEE80211_FC1_DIR_NODS; 1949 *(u_int16_t *)rts->i_dur = htole16(dur); 1950 IEEE80211_ADDR_COPY(rts->i_ra, wh->i_addr1); 1951 IEEE80211_ADDR_COPY(rts->i_ta, wh->i_addr2); 1952 1953 return m; 1954} 1955 1956/* 1957 * Build a CTS-to-self (Clear To Send) control frame (see 7.2.1.2). 1958 */ 1959struct mbuf * 1960ieee80211_get_cts_to_self(struct ieee80211com *ic, u_int16_t dur) 1961{ 1962 struct ieee80211_frame_cts *cts; 1963 struct mbuf *m; 1964 1965 MGETHDR(m, M_DONTWAIT, MT_DATA); 1966 if (m == NULL) 1967 return NULL; 1968 1969 m->m_pkthdr.len = m->m_len = sizeof(struct ieee80211_frame_cts); 1970 1971 cts = mtod(m, struct ieee80211_frame_cts *); 1972 cts->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_CTL | 1973 IEEE80211_FC0_SUBTYPE_CTS; 1974 cts->i_fc[1] = IEEE80211_FC1_DIR_NODS; 1975 *(u_int16_t *)cts->i_dur = htole16(dur); 1976 IEEE80211_ADDR_COPY(cts->i_ra, ic->ic_myaddr); 1977 1978 return m; 1979} 1980 1981/* 1982 * Build a compressed Block Ack Request control frame. 1983 */ 1984struct mbuf * 1985ieee80211_get_compressed_bar(struct ieee80211com *ic, 1986 struct ieee80211_node *ni, int tid, uint16_t ssn) 1987{ 1988 struct ieee80211_frame_min *wh; 1989 uint8_t *frm; 1990 uint16_t ctl; 1991 struct mbuf *m; 1992 1993 MGETHDR(m, M_DONTWAIT, MT_DATA); 1994 if (m == NULL) 1995 return NULL; 1996 1997 m->m_pkthdr.len = m->m_len = sizeof(struct ieee80211_frame_min) + 1998 sizeof(ctl) + sizeof(ssn); 1999 2000 wh = mtod(m, struct ieee80211_frame_min *); 2001 wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_CTL | 2002 IEEE80211_FC0_SUBTYPE_BAR; 2003 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS; 2004 *(u_int16_t *)wh->i_dur = 0; 2005 IEEE80211_ADDR_COPY(wh->i_addr1, ni->ni_macaddr); 2006 IEEE80211_ADDR_COPY(wh->i_addr2, ic->ic_myaddr); 2007 frm = (uint8_t *)&wh[1]; 2008 2009 ctl = IEEE80211_BA_COMPRESSED | (tid << IEEE80211_BA_TID_INFO_SHIFT); 2010 LE_WRITE_2(frm, ctl); 2011 frm += 2; 2012 2013 LE_WRITE_2(frm, ssn << IEEE80211_SEQ_SEQ_SHIFT); 2014 frm += 2; 2015 2016 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *); 2017 m->m_pkthdr.ph_cookie = ni; 2018 2019 return m; 2020} 2021 2022#ifndef IEEE80211_STA_ONLY 2023/*- 2024 * Beacon frame format: 2025 * [8] Timestamp 2026 * [2] Beacon interval 2027 * [2] Capability 2028 * [tlv] Service Set Identifier (SSID) 2029 * [tlv] Supported rates 2030 * [tlv] DS Parameter Set (802.11g) 2031 * [tlv] IBSS Parameter Set 2032 * [tlv] Traffic Indication Map (TIM) 2033 * [tlv] ERP Information (802.11g) 2034 * [tlv] Extended Supported Rates (802.11g) 2035 * [tlv] RSN (802.11i) 2036 * [tlv] EDCA Parameter Set (802.11e) 2037 * [tlv] HT Capabilities (802.11n) 2038 * [tlv] HT Operation (802.11n) 2039 */ 2040struct mbuf * 2041ieee80211_beacon_alloc(struct ieee80211com *ic, struct ieee80211_node *ni) 2042{ 2043 const struct ieee80211_rateset *rs = &ni->ni_rates; 2044 struct ieee80211_frame *wh; 2045 struct mbuf *m; 2046 u_int8_t *frm; 2047 2048 m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA, 2049 8 + 2 + 2 + 2050 2 + ((ic->ic_userflags & IEEE80211_F_HIDENWID) ? 2051 0 : ni->ni_esslen) + 2052 2 + min(rs->rs_nrates, IEEE80211_RATE_SIZE) + 2053 2 + 1 + 2054 2 + ((ic->ic_opmode == IEEE80211_M_IBSS) ? 2 : 254) + 2055 ((ic->ic_curmode == IEEE80211_MODE_11G) ? 2 + 1 : 0) + 2056 ((rs->rs_nrates > IEEE80211_RATE_SIZE) ? 2057 2 + rs->rs_nrates - IEEE80211_RATE_SIZE : 0) + 2058 (((ic->ic_flags & IEEE80211_F_RSNON) && 2059 (ni->ni_rsnprotos & IEEE80211_PROTO_RSN)) ? 2060 2 + IEEE80211_RSNIE_MAXLEN : 0) + 2061 ((ic->ic_flags & IEEE80211_F_QOS) ? 2 + 18 : 0) + 2062 (((ic->ic_flags & IEEE80211_F_RSNON) && 2063 (ni->ni_rsnprotos & IEEE80211_PROTO_WPA)) ? 2064 2 + IEEE80211_WPAIE_MAXLEN : 0) + 2065 ((ic->ic_flags & IEEE80211_F_HTON) ? 28 + 24 + 26 : 0)); 2066 if (m == NULL) 2067 return NULL; 2068 2069 M_PREPEND(m, sizeof(struct ieee80211_frame), M_DONTWAIT); 2070 if (m == NULL) 2071 return NULL; 2072 wh = mtod(m, struct ieee80211_frame *); 2073 wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_MGT | 2074 IEEE80211_FC0_SUBTYPE_BEACON; 2075 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS; 2076 *(u_int16_t *)wh->i_dur = 0; 2077 IEEE80211_ADDR_COPY(wh->i_addr1, etherbroadcastaddr); 2078 IEEE80211_ADDR_COPY(wh->i_addr2, ic->ic_myaddr); 2079 IEEE80211_ADDR_COPY(wh->i_addr3, ni->ni_bssid); 2080 *(u_int16_t *)wh->i_seq = 0; 2081 2082 frm = (u_int8_t *)&wh[1]; 2083 memset(frm, 0, 8); frm += 8; /* timestamp is set by hardware */ 2084 LE_WRITE_2(frm, ni->ni_intval); frm += 2; 2085 frm = ieee80211_add_capinfo(frm, ic, ni); 2086 if (ic->ic_userflags & IEEE80211_F_HIDENWID) 2087 frm = ieee80211_add_ssid(frm, NULL, 0); 2088 else 2089 frm = ieee80211_add_ssid(frm, ni->ni_essid, ni->ni_esslen); 2090 frm = ieee80211_add_rates(frm, rs); 2091 frm = ieee80211_add_ds_params(frm, ic, ni); 2092 if (ic->ic_opmode == IEEE80211_M_IBSS) 2093 frm = ieee80211_add_ibss_params(frm, ni); 2094 else 2095 frm = ieee80211_add_tim(frm, ic); 2096 if (ic->ic_curmode == IEEE80211_MODE_11G) 2097 frm = ieee80211_add_erp(frm, ic); 2098 if (rs->rs_nrates > IEEE80211_RATE_SIZE) 2099 frm = ieee80211_add_xrates(frm, rs); 2100 if ((ic->ic_flags & IEEE80211_F_RSNON) && 2101 (ni->ni_rsnprotos & IEEE80211_PROTO_RSN)) 2102 frm = ieee80211_add_rsn(frm, ic, ni); 2103 if (ic->ic_flags & IEEE80211_F_QOS) 2104 frm = ieee80211_add_edca_params(frm, ic); 2105 if ((ic->ic_flags & IEEE80211_F_RSNON) && 2106 (ni->ni_rsnprotos & IEEE80211_PROTO_WPA)) 2107 frm = ieee80211_add_wpa(frm, ic, ni); 2108 if (ic->ic_flags & IEEE80211_F_HTON) { 2109 frm = ieee80211_add_htcaps(frm, ic); 2110 frm = ieee80211_add_htop(frm, ic); 2111 frm = ieee80211_add_wme_param(frm, ic); 2112 } 2113 2114 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *); 2115 m->m_pkthdr.ph_cookie = ni; 2116 2117 return m; 2118} 2119 2120/* 2121 * Check if an outgoing MSDU or management frame should be buffered into 2122 * the AP for power management. Return 1 if the frame was buffered into 2123 * the AP, or 0 if the frame shall be transmitted immediately. 2124 */ 2125int 2126ieee80211_pwrsave(struct ieee80211com *ic, struct mbuf *m, 2127 struct ieee80211_node *ni) 2128{ 2129 const struct ieee80211_frame *wh; 2130 int pssta = 0; 2131 2132 KASSERT(ic->ic_opmode == IEEE80211_M_HOSTAP); 2133 if (!(ic->ic_caps & IEEE80211_C_APPMGT)) 2134 return 0; 2135 2136 wh = mtod(m, struct ieee80211_frame *); 2137 if (IEEE80211_IS_MULTICAST(wh->i_addr1)) { 2138 /* 2139 * Buffer group addressed MSDUs with the Order bit clear 2140 * if any associated STAs are in PS mode. 2141 */ 2142 ieee80211_iterate_nodes(ic, ieee80211_count_pssta, &pssta); 2143 if ((wh->i_fc[1] & IEEE80211_FC1_ORDER) || pssta == 0) 2144 return 0; 2145 ic->ic_tim_mcast_pending = 1; 2146 } else { 2147 /* 2148 * Buffer MSDUs, A-MSDUs or management frames destined for 2149 * PS STAs. 2150 */ 2151 if (ni->ni_pwrsave == IEEE80211_PS_AWAKE || 2152 (wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK) == 2153 IEEE80211_FC0_TYPE_CTL) 2154 return 0; 2155 if (mq_empty(&ni->ni_savedq)) 2156 (*ic->ic_set_tim)(ic, ni->ni_associd, 1); 2157 } 2158 /* NB: ni == ic->ic_bss for broadcast/multicast */ 2159 /* 2160 * Similar to ieee80211_mgmt_output, store the node in a 2161 * special pkthdr field. 2162 */ 2163 m->m_pkthdr.ph_cookie = ni; 2164 mq_enqueue(&ni->ni_savedq, m); 2165 return 1; 2166} 2167#endif /* IEEE80211_STA_ONLY */ 2168