1/*	$NetBSD: ieee80211_output.c,v 1.67 2022/10/24 08:11:25 msaitoh Exp $	*/
2
3/*
4 * Copyright (c) 2001 Atsushi Onoe
5 * Copyright (c) 2002-2005 Sam Leffler, Errno Consulting
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 *    notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 *    notice, this list of conditions and the following disclaimer in the
15 *    documentation and/or other materials provided with the distribution.
16 * 3. The name of the author may not be used to endorse or promote products
17 *    derived from this software without specific prior written permission.
18 *
19 * Alternatively, this software may be distributed under the terms of the
20 * GNU General Public License ("GPL") version 2 as published by the Free
21 * Software Foundation.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
24 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
25 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
26 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
27 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
28 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
29 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
30 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
31 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
32 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
33 */
34
35#include <sys/cdefs.h>
36#ifdef __FreeBSD__
37__FBSDID("$FreeBSD: src/sys/net80211/ieee80211_output.c,v 1.34 2005/08/10 16:22:29 sam Exp $");
38#endif
39#ifdef __NetBSD__
40__KERNEL_RCSID(0, "$NetBSD: ieee80211_output.c,v 1.67 2022/10/24 08:11:25 msaitoh Exp $");
41#endif
42
43#ifdef _KERNEL_OPT
44#include "opt_inet.h"
45#endif
46
47#include <sys/param.h>
48#include <sys/systm.h>
49#include <sys/mbuf.h>
50#include <sys/kernel.h>
51#include <sys/endian.h>
52#include <sys/errno.h>
53#include <sys/proc.h>
54#include <sys/sysctl.h>
55
56#include <net/if.h>
57#include <net/if_llc.h>
58#include <net/if_media.h>
59#include <net/if_arp.h>
60#include <net/if_ether.h>
61#include <net/if_llc.h>
62#include <net/if_vlanvar.h>
63
64#include <net80211/ieee80211_netbsd.h>
65#include <net80211/ieee80211_var.h>
66
67#include <net/bpf.h>
68
69#ifdef INET
70#include <netinet/in.h>
71#include <netinet/in_systm.h>
72#include <netinet/in_var.h>
73#include <netinet/ip.h>
74#include <net/if_ether.h>
75#endif
76
77static int ieee80211_fragment(struct ieee80211com *, struct mbuf *,
78	u_int hdrsize, u_int ciphdrsize, u_int mtu);
79
80#ifdef IEEE80211_DEBUG
81/*
82 * Decide if an outbound management frame should be
83 * printed when debugging is enabled.  This filters some
84 * of the less interesting frames that come frequently
85 * (e.g. beacons).
86 */
87static __inline int
88doprint(struct ieee80211com *ic, int subtype)
89{
90	switch (subtype) {
91	case IEEE80211_FC0_SUBTYPE_PROBE_RESP:
92		return (ic->ic_opmode == IEEE80211_M_IBSS);
93	}
94	return 1;
95}
96#endif
97
98/*
99 * Set the direction field and address fields of an outgoing
100 * non-QoS frame.  Note this should be called early on in
101 * constructing a frame as it sets i_fc[1]; other bits can
102 * then be or'd in.
103 */
104static void
105ieee80211_send_setup(struct ieee80211com *ic,
106	struct ieee80211_node *ni,
107	struct ieee80211_frame *wh,
108	int type,
109	const u_int8_t sa[IEEE80211_ADDR_LEN],
110	const u_int8_t da[IEEE80211_ADDR_LEN],
111	const u_int8_t bssid[IEEE80211_ADDR_LEN])
112{
113#define	WH4(wh)	((struct ieee80211_frame_addr4 *)wh)
114
115	wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | type;
116
117	if ((type & IEEE80211_FC0_TYPE_MASK) == IEEE80211_FC0_TYPE_DATA) {
118		switch (ic->ic_opmode) {
119		case IEEE80211_M_STA:
120			wh->i_fc[1] = IEEE80211_FC1_DIR_TODS;
121			IEEE80211_ADDR_COPY(wh->i_addr1, bssid);
122			IEEE80211_ADDR_COPY(wh->i_addr2, sa);
123			IEEE80211_ADDR_COPY(wh->i_addr3, da);
124			break;
125
126		case IEEE80211_M_IBSS:
127		case IEEE80211_M_AHDEMO:
128			wh->i_fc[1] = IEEE80211_FC1_DIR_NODS;
129			IEEE80211_ADDR_COPY(wh->i_addr1, da);
130			IEEE80211_ADDR_COPY(wh->i_addr2, sa);
131			IEEE80211_ADDR_COPY(wh->i_addr3, bssid);
132			break;
133
134		case IEEE80211_M_HOSTAP:
135			wh->i_fc[1] = IEEE80211_FC1_DIR_FROMDS;
136			IEEE80211_ADDR_COPY(wh->i_addr1, da);
137			IEEE80211_ADDR_COPY(wh->i_addr2, bssid);
138			IEEE80211_ADDR_COPY(wh->i_addr3, sa);
139			break;
140
141		case IEEE80211_M_MONITOR:	/* NB: to quiet compiler */
142			break;
143		}
144	} else {
145		wh->i_fc[1] = IEEE80211_FC1_DIR_NODS;
146		IEEE80211_ADDR_COPY(wh->i_addr1, da);
147		IEEE80211_ADDR_COPY(wh->i_addr2, sa);
148		IEEE80211_ADDR_COPY(wh->i_addr3, bssid);
149	}
150
151	*(u_int16_t *)&wh->i_dur[0] = 0;
152	/* NB: use non-QoS tid */
153	*(u_int16_t *)&wh->i_seq[0] =
154	    htole16(ni->ni_txseqs[0] << IEEE80211_SEQ_SEQ_SHIFT);
155	ni->ni_txseqs[0]++;
156#undef WH4
157}
158
159/*
160 * Send a management frame to the specified node.  The node pointer
161 * must have a reference as the pointer will be passed to the driver
162 * and potentially held for a long time.  If the frame is successfully
163 * dispatched to the driver, then it is responsible for freeing the
164 * reference (and potentially free'ing up any associated storage).
165 */
166static int
167ieee80211_mgmt_output(struct ieee80211com *ic, struct ieee80211_node *ni,
168    struct mbuf *m, int type, int timer)
169{
170	struct ifnet *ifp = ic->ic_ifp;
171	struct ieee80211_frame *wh;
172
173	IASSERT(ni != NULL, ("null node"));
174
175	/*
176	 * Yech, hack alert!  We want to pass the node down to the
177	 * driver's start routine.  If we don't do so then the start
178	 * routine must immediately look it up again and that can
179	 * cause a lock order reversal if, for example, this frame
180	 * is being sent because the station is being timedout and
181	 * the frame being sent is a DEAUTH message.  We could stick
182	 * this in an m_tag and tack that on to the mbuf.  However
183	 * that's rather expensive to do for every frame so instead
184	 * we stuff it in the rcvif field since outbound frames do
185	 * not (presently) use this.
186	 */
187	M_PREPEND(m, sizeof(struct ieee80211_frame), M_DONTWAIT);
188	if (m == NULL)
189		return ENOMEM;
190	M_SETCTX(m, ni);
191
192	wh = mtod(m, struct ieee80211_frame *);
193	ieee80211_send_setup(ic, ni, wh, IEEE80211_FC0_TYPE_MGT | type,
194	    ic->ic_myaddr, ni->ni_macaddr, ni->ni_bssid);
195
196	if ((m->m_flags & M_LINK0) != 0 && ni->ni_challenge != NULL) {
197		m->m_flags &= ~M_LINK0;
198		IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH,
199			"[%s] encrypting frame (%s)\n",
200			ether_sprintf(wh->i_addr1), __func__);
201		wh->i_fc[1] |= IEEE80211_FC1_WEP;
202	}
203
204#ifdef IEEE80211_DEBUG
205	/* avoid printing too many frames */
206	if ((ieee80211_msg_debug(ic) && doprint(ic, type)) ||
207	    ieee80211_msg_dumppkts(ic)) {
208		printf("[%s] send %s on channel %u\n",
209		    ether_sprintf(wh->i_addr1),
210		    ieee80211_mgt_subtype_name[
211			(type & IEEE80211_FC0_SUBTYPE_MASK) >>
212				IEEE80211_FC0_SUBTYPE_SHIFT],
213		    ieee80211_chan2ieee(ic, ic->ic_curchan));
214	}
215#endif
216
217	IEEE80211_NODE_STAT(ni, tx_mgmt);
218	IF_ENQUEUE(&ic->ic_mgtq, m);
219	if (timer) {
220		/*
221		 * Set the mgt frame timeout.
222		 */
223		ic->ic_mgt_timer = timer;
224		ifp->if_timer = 1;
225	}
226	if_start_lock(ifp);
227	return 0;
228}
229
230/*
231 * Send a null data frame to the specified node.
232 *
233 * NB: the caller is assumed to have setup a node reference
234 *     for use; this is necessary to deal with a race condition
235 *     when probing for inactive stations.
236 */
237int
238ieee80211_send_nulldata(struct ieee80211_node *ni)
239{
240	struct ieee80211com *ic = ni->ni_ic;
241	struct ifnet *ifp = ic->ic_ifp;
242	struct mbuf *m;
243	struct ieee80211_frame *wh;
244
245	MGETHDR(m, M_NOWAIT, MT_HEADER);
246	if (m == NULL) {
247		ic->ic_stats.is_tx_nobuf++;
248		ieee80211_unref_node(&ni);
249		return ENOMEM;
250	}
251	M_SETCTX(m, ni);
252
253	wh = mtod(m, struct ieee80211_frame *);
254
255	ieee80211_send_setup(ic, ni, wh,
256	    IEEE80211_FC0_TYPE_DATA | IEEE80211_FC0_SUBTYPE_NODATA,
257	    ic->ic_myaddr, ni->ni_macaddr, ni->ni_bssid);
258
259	/* NB: power management bit is never sent by an AP */
260	if ((ni->ni_flags & IEEE80211_NODE_PWR_MGT) &&
261	    ic->ic_opmode != IEEE80211_M_HOSTAP) {
262		wh->i_fc[1] |= IEEE80211_FC1_PWR_MGT;
263	}
264
265	m->m_len = m->m_pkthdr.len = sizeof(struct ieee80211_frame);
266
267	IEEE80211_NODE_STAT(ni, tx_data);
268
269	IEEE80211_DPRINTF(ic, IEEE80211_MSG_DEBUG | IEEE80211_MSG_DUMPPKTS,
270	    "[%s] send null data frame on channel %u, pwr mgt %s\n",
271	    ether_sprintf(ni->ni_macaddr),
272	    ieee80211_chan2ieee(ic, ic->ic_curchan),
273	    wh->i_fc[1] & IEEE80211_FC1_PWR_MGT ? "ena" : "dis");
274
275	IF_ENQUEUE(&ic->ic_mgtq, m);		/* cheat */
276	if_start_lock(ifp);
277
278	return 0;
279}
280
281/*
282 * Assign priority to a frame based on any vlan tag assigned
283 * to the station and/or any Diffserv setting in an IP header.
284 * Finally, if an ACM policy is setup (in station mode) it's
285 * applied.
286 */
287int
288ieee80211_classify(struct ieee80211com *ic, struct mbuf *m,
289    struct ieee80211_node *ni)
290{
291	int v_wme_ac, d_wme_ac, ac;
292#ifdef INET
293	struct ether_header *eh;
294#endif
295
296	if ((ni->ni_flags & IEEE80211_NODE_QOS) == 0) {
297		ac = WME_AC_BE;
298		goto done;
299	}
300
301	/*
302	 * If node has a vlan tag then all traffic
303	 * to it must have a matching tag.
304	 */
305	v_wme_ac = 0;
306	if (ni->ni_vlan != 0) {
307		/* XXX used to check ec_nvlans. */
308		if (!vlan_has_tag(m)) {
309			IEEE80211_NODE_STAT(ni, tx_novlantag);
310			return 1;
311		}
312		if (EVL_VLANOFTAG(vlan_get_tag(m)) !=
313		    EVL_VLANOFTAG(ni->ni_vlan)) {
314			IEEE80211_NODE_STAT(ni, tx_vlanmismatch);
315			return 1;
316		}
317		/* map vlan priority to AC */
318		switch (EVL_PRIOFTAG(ni->ni_vlan)) {
319		case 1:
320		case 2:
321			v_wme_ac = WME_AC_BK;
322			break;
323		case 0:
324		case 3:
325			v_wme_ac = WME_AC_BE;
326			break;
327		case 4:
328		case 5:
329			v_wme_ac = WME_AC_VI;
330			break;
331		case 6:
332		case 7:
333			v_wme_ac = WME_AC_VO;
334			break;
335		}
336	}
337
338#ifdef INET
339	eh = mtod(m, struct ether_header *);
340	if (eh->ether_type == htons(ETHERTYPE_IP)) {
341		const struct ip *ip = (struct ip *)
342			(mtod(m, u_int8_t *) + sizeof (*eh));
343		/*
344		 * IP frame, map the TOS field.
345		 */
346		switch (ip->ip_tos) {
347		case 0x08:
348		case 0x20:
349			d_wme_ac = WME_AC_BK;	/* background */
350			break;
351		case 0x28:
352		case 0xa0:
353			d_wme_ac = WME_AC_VI;	/* video */
354			break;
355		case 0x30:			/* voice */
356		case 0xe0:
357		case 0x88:			/* XXX UPSD */
358		case 0xb8:
359			d_wme_ac = WME_AC_VO;
360			break;
361		default:
362			d_wme_ac = WME_AC_BE;
363			break;
364		}
365	} else {
366#endif /* INET */
367		d_wme_ac = WME_AC_BE;
368#ifdef INET
369	}
370#endif
371	/*
372	 * Use highest priority AC.
373	 */
374	if (v_wme_ac > d_wme_ac)
375		ac = v_wme_ac;
376	else
377		ac = d_wme_ac;
378
379	/*
380	 * Apply ACM policy.
381	 */
382	if (ic->ic_opmode == IEEE80211_M_STA) {
383		static const int acmap[4] = {
384			WME_AC_BK,	/* WME_AC_BE */
385			WME_AC_BK,	/* WME_AC_BK */
386			WME_AC_BE,	/* WME_AC_VI */
387			WME_AC_VI,	/* WME_AC_VO */
388		};
389		while (ac != WME_AC_BK &&
390		    ic->ic_wme.wme_wmeBssChanParams.cap_wmeParams[ac].wmep_acm)
391			ac = acmap[ac];
392	}
393done:
394	M_WME_SETAC(m, ac);
395	return 0;
396}
397
398/*
399 * Insure there is sufficient contiguous space to encapsulate the
400 * 802.11 data frame.  If room isn't already there, arrange for it.
401 * Drivers and cipher modules assume we have done the necessary work
402 * and fail rudely if they don't find the space they need.
403 *
404 * Basically, we are trying to make sure that the several M_PREPENDs
405 * called after this function do not fail.
406 */
407static struct mbuf *
408ieee80211_mbuf_adjust(struct ieee80211com *ic, int hdrsize,
409	struct ieee80211_key *key, struct mbuf *m)
410{
411#define	TO_BE_RECLAIMED	(sizeof(struct ether_header) - sizeof(struct llc))
412	int needed_space = hdrsize;
413	int wlen = 0;
414
415	if (key != NULL) {
416		/* XXX belongs in crypto code? */
417		needed_space += key->wk_cipher->ic_header;
418		/* XXX frags */
419	}
420
421	/*
422	 * We know we are called just before stripping an Ethernet
423	 * header and prepending an LLC header.  This means we know
424	 * there will be
425	 *	sizeof(struct ether_header) - sizeof(struct llc)
426	 * bytes recovered to which we need additional space for the
427	 * 802.11 header and any crypto header.
428	 */
429	/* XXX check trailing space and copy instead? */
430	if (M_LEADINGSPACE(m) < needed_space - TO_BE_RECLAIMED) {
431		struct mbuf *n = m_gethdr(M_NOWAIT, m->m_type);
432		if (n == NULL) {
433			ic->ic_stats.is_tx_nobuf++;
434			m_freem(m);
435			return NULL;
436		}
437
438		IASSERT(needed_space <= MHLEN,
439		    ("not enough room, need %u got %lu\n", needed_space, (u_long)MHLEN));
440
441		/*
442		 * Setup new mbuf to have leading space to prepend the
443		 * 802.11 header and any crypto header bits that are
444		 * required (the latter are added when the driver calls
445		 * back to ieee80211_crypto_encap to do crypto encapsulation).
446		 */
447		m_move_pkthdr(n, m);
448		n->m_len = 0;
449		n->m_data += needed_space;
450
451		/*
452		 * Pull up Ethernet header to create the expected layout.
453		 * We could use m_pullup but that's overkill (i.e. we don't
454		 * need the actual data) and it cannot fail so do it inline
455		 * for speed.
456		 */
457		n->m_len += sizeof(struct ether_header);
458		m->m_len -= sizeof(struct ether_header);
459		m->m_data += sizeof(struct ether_header);
460
461		/*
462		 * Replace the head of the chain.
463		 */
464		n->m_next = m;
465		m = n;
466	} else {
467		/*
468		 * We will overwrite the ethernet header in the
469		 * 802.11 encapsulation stage.  Make sure that it
470		 * is writable.
471		 */
472		wlen = sizeof(struct ether_header);
473	}
474
475	/*
476	 * If we're going to s/w encrypt the mbuf chain make sure it is
477	 * writable.
478	 */
479	if (key != NULL && (key->wk_flags & IEEE80211_KEY_SWCRYPT) != 0) {
480		wlen = M_COPYALL;
481	}
482	if (wlen != 0 && m_makewritable(&m, 0, wlen, M_DONTWAIT) != 0) {
483		m_freem(m);
484		return NULL;
485	}
486
487	return m;
488#undef TO_BE_RECLAIMED
489}
490
491/*
492 * Return the transmit key to use in sending a unicast frame.
493 * If a unicast key is set we use that.  When no unicast key is set
494 * we fall back to the default transmit key.
495 */
496static __inline struct ieee80211_key *
497ieee80211_crypto_getucastkey(struct ieee80211com *ic, struct ieee80211_node *ni)
498{
499	if (IEEE80211_KEY_UNDEFINED(ni->ni_ucastkey)) {
500		if (ic->ic_def_txkey == IEEE80211_KEYIX_NONE ||
501		    IEEE80211_KEY_UNDEFINED(ic->ic_nw_keys[ic->ic_def_txkey]))
502			return NULL;
503		return &ic->ic_nw_keys[ic->ic_def_txkey];
504	} else {
505		return &ni->ni_ucastkey;
506	}
507}
508
509/*
510 * Return the transmit key to use in sending a multicast frame.
511 * Multicast traffic always uses the group key which is installed as
512 * the default tx key.
513 */
514static __inline struct ieee80211_key *
515ieee80211_crypto_getmcastkey(struct ieee80211com *ic,
516    struct ieee80211_node *ni)
517{
518	if (ic->ic_def_txkey == IEEE80211_KEYIX_NONE ||
519	    IEEE80211_KEY_UNDEFINED(ic->ic_nw_keys[ic->ic_def_txkey]))
520		return NULL;
521	return &ic->ic_nw_keys[ic->ic_def_txkey];
522}
523
524/*
525 * Encapsulate an outbound data frame.  The mbuf chain is updated.
526 * If an error is encountered NULL is returned.  The caller is required
527 * to provide a node reference and pullup the ethernet header in the
528 * first mbuf.
529 */
530struct mbuf *
531ieee80211_encap(struct ieee80211com *ic, struct mbuf *m,
532	struct ieee80211_node *ni)
533{
534	struct ether_header eh;
535	struct ieee80211_frame *wh;
536	struct ieee80211_key *key;
537	struct llc *llc;
538	int hdrsize, datalen, addqos, txfrag;
539
540	IASSERT(m->m_len >= sizeof(eh), ("no ethernet header!"));
541	memcpy(&eh, mtod(m, void *), sizeof(struct ether_header));
542
543	/*
544	 * Insure space for additional headers.  First identify
545	 * transmit key to use in calculating any buffer adjustments
546	 * required.  This is also used below to do privacy
547	 * encapsulation work.  Then calculate the 802.11 header
548	 * size and any padding required by the driver.
549	 *
550	 * Note key may be NULL if we fall back to the default
551	 * transmit key and that is not set.  In that case the
552	 * buffer may not be expanded as needed by the cipher
553	 * routines, but they will/should discard it.
554	 */
555	if (ic->ic_flags & IEEE80211_F_PRIVACY) {
556		if (ic->ic_opmode == IEEE80211_M_STA ||
557		    !IEEE80211_IS_MULTICAST(eh.ether_dhost)) {
558			key = ieee80211_crypto_getucastkey(ic, ni);
559		} else {
560			key = ieee80211_crypto_getmcastkey(ic, ni);
561		}
562		if (key == NULL && eh.ether_type != htons(ETHERTYPE_PAE)) {
563			IEEE80211_DPRINTF(ic, IEEE80211_MSG_CRYPTO,
564			    "[%s] no default transmit key (%s) deftxkey %u\n",
565			    ether_sprintf(eh.ether_dhost), __func__,
566			    ic->ic_def_txkey);
567			ic->ic_stats.is_tx_nodefkey++;
568		}
569	} else {
570		key = NULL;
571	}
572
573	/*
574	 * XXX 4-address format.
575	 *
576	 * XXX Some ap's don't handle QoS-encapsulated EAPOL
577	 * frames so suppress use.  This may be an issue if other
578	 * ap's require all data frames to be QoS-encapsulated
579	 * once negotiated in which case we'll need to make this
580	 * configurable.
581	 */
582	addqos = (ni->ni_flags & IEEE80211_NODE_QOS) &&
583	    eh.ether_type != htons(ETHERTYPE_PAE);
584	if (addqos)
585		hdrsize = sizeof(struct ieee80211_qosframe);
586	else
587		hdrsize = sizeof(struct ieee80211_frame);
588	if (ic->ic_flags & IEEE80211_F_DATAPAD)
589		hdrsize = roundup(hdrsize, sizeof(u_int32_t));
590
591	m = ieee80211_mbuf_adjust(ic, hdrsize, key, m);
592	if (m == NULL) {
593		/* NB: ieee80211_mbuf_adjust handles msgs+statistics */
594		goto bad;
595	}
596
597	/* NB: this could be optimized because of ieee80211_mbuf_adjust */
598	m_adj(m, sizeof(struct ether_header) - sizeof(struct llc));
599	llc = mtod(m, struct llc *);
600	llc->llc_dsap = llc->llc_ssap = LLC_SNAP_LSAP;
601	llc->llc_control = LLC_UI;
602	llc->llc_snap.org_code[0] = 0;
603	llc->llc_snap.org_code[1] = 0;
604	llc->llc_snap.org_code[2] = 0;
605	llc->llc_snap.ether_type = eh.ether_type;
606	datalen = m->m_pkthdr.len;		/* NB: w/o 802.11 header */
607
608	M_PREPEND(m, hdrsize, M_DONTWAIT);
609	if (m == NULL) {
610		ic->ic_stats.is_tx_nobuf++;
611		goto bad;
612	}
613
614	wh = mtod(m, struct ieee80211_frame *);
615	wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_DATA;
616	*(u_int16_t *)wh->i_dur = 0;
617
618	switch (ic->ic_opmode) {
619	case IEEE80211_M_STA:
620		wh->i_fc[1] = IEEE80211_FC1_DIR_TODS;
621		IEEE80211_ADDR_COPY(wh->i_addr1, ni->ni_bssid);
622		IEEE80211_ADDR_COPY(wh->i_addr2, eh.ether_shost);
623		IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_dhost);
624		break;
625
626	case IEEE80211_M_IBSS:
627	case IEEE80211_M_AHDEMO:
628		wh->i_fc[1] = IEEE80211_FC1_DIR_NODS;
629		IEEE80211_ADDR_COPY(wh->i_addr1, eh.ether_dhost);
630		IEEE80211_ADDR_COPY(wh->i_addr2, eh.ether_shost);
631		/*
632		 * NB: always use the bssid from ic_bss as the
633		 *     neighbor's may be stale after an ibss merge
634		 */
635		IEEE80211_ADDR_COPY(wh->i_addr3, ic->ic_bss->ni_bssid);
636		break;
637
638	case IEEE80211_M_HOSTAP:
639#ifndef IEEE80211_NO_HOSTAP
640		wh->i_fc[1] = IEEE80211_FC1_DIR_FROMDS;
641		IEEE80211_ADDR_COPY(wh->i_addr1, eh.ether_dhost);
642		IEEE80211_ADDR_COPY(wh->i_addr2, ni->ni_bssid);
643		IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_shost);
644#endif
645		break;
646
647	case IEEE80211_M_MONITOR:
648		goto bad;
649	}
650
651	if (m->m_flags & M_MORE_DATA)
652		wh->i_fc[1] |= IEEE80211_FC1_MORE_DATA;
653
654	if (addqos) {
655		struct ieee80211_qosframe *qwh =
656			(struct ieee80211_qosframe *)wh;
657		int ac, tid;
658
659		ac = M_WME_GETAC(m);
660		/* map from access class/queue to 11e header priorty value */
661		tid = WME_AC_TO_TID(ac);
662		qwh->i_qos[0] = tid & IEEE80211_QOS_TID;
663		if (ic->ic_wme.wme_wmeChanParams.cap_wmeParams[ac].wmep_noackPolicy)
664			qwh->i_qos[0] |= 1 << IEEE80211_QOS_ACKPOLICY_S;
665		qwh->i_qos[1] = 0;
666		qwh->i_fc[0] |= IEEE80211_FC0_SUBTYPE_QOS;
667
668		*(u_int16_t *)wh->i_seq =
669		    htole16(ni->ni_txseqs[tid] << IEEE80211_SEQ_SEQ_SHIFT);
670		ni->ni_txseqs[tid]++;
671	} else {
672		*(u_int16_t *)wh->i_seq =
673		    htole16(ni->ni_txseqs[0] << IEEE80211_SEQ_SEQ_SHIFT);
674		ni->ni_txseqs[0]++;
675	}
676
677	/* check if xmit fragmentation is required */
678	txfrag = (m->m_pkthdr.len > ic->ic_fragthreshold &&
679	    !IEEE80211_IS_MULTICAST(wh->i_addr1) &&
680	    (m->m_flags & M_FF) == 0);          /* NB: don't fragment ff's */
681
682	if (key != NULL) {
683		/*
684		 * IEEE 802.1X: send EAPOL frames always in the clear.
685		 * WPA/WPA2: encrypt EAPOL keys when pairwise keys are set.
686		 */
687		if (eh.ether_type != htons(ETHERTYPE_PAE) ||
688		    ((ic->ic_flags & IEEE80211_F_WPA) &&
689		     (ic->ic_opmode == IEEE80211_M_STA ?
690		      !IEEE80211_KEY_UNDEFINED(*key) :
691		      !IEEE80211_KEY_UNDEFINED(ni->ni_ucastkey)))) {
692			wh->i_fc[1] |= IEEE80211_FC1_WEP;
693			if (!ieee80211_crypto_enmic(ic, key, m, txfrag)) {
694				IEEE80211_DPRINTF(ic, IEEE80211_MSG_OUTPUT,
695				    "[%s] enmic failed, discard frame\n",
696				    ether_sprintf(eh.ether_dhost));
697				ic->ic_stats.is_crypto_enmicfail++;
698				goto bad;
699			}
700		}
701	}
702
703	if (txfrag && !ieee80211_fragment(ic, m, hdrsize,
704	    key != NULL ? key->wk_cipher->ic_header : 0, ic->ic_fragthreshold))
705		goto bad;
706
707	IEEE80211_NODE_STAT(ni, tx_data);
708	IEEE80211_NODE_STAT_ADD(ni, tx_bytes, datalen);
709
710	return m;
711
712bad:
713	if (m != NULL)
714		m_freem(m);
715	return NULL;
716}
717
718/*
719 * Arguments in:
720 *
721 * paylen:  payload length (no FCS, no WEP header)
722 *
723 * hdrlen:  header length
724 *
725 * rate:    MSDU speed, units 500kb/s
726 *
727 * flags:   IEEE80211_F_SHPREAMBLE (use short preamble),
728 *          IEEE80211_F_SHSLOT (use short slot length)
729 *
730 * Arguments out:
731 *
732 * d:       802.11 Duration field for RTS,
733 *          802.11 Duration field for data frame,
734 *          PLCP Length for data frame,
735 *          residual octets at end of data slot
736 */
737static int
738ieee80211_compute_duration1(int len, int use_ack, uint32_t icflags, int rate,
739    struct ieee80211_duration *d)
740{
741	int pre, ctsrate;
742	int ack, bitlen, data_dur, remainder;
743
744	/* RTS reserves medium for SIFS | CTS | SIFS | (DATA) | SIFS | ACK
745	 * DATA reserves medium for SIFS | ACK,
746	 *
747	 * (XXX or SIFS | ACK | SIFS | DATA | SIFS | ACK, if more fragments)
748	 *
749	 * XXXMYC: no ACK on multicast/broadcast or control packets
750	 */
751
752	bitlen = len * 8;
753
754	pre = IEEE80211_DUR_DS_SIFS;
755	if ((icflags & IEEE80211_F_SHPREAMBLE) != 0)
756		pre += IEEE80211_DUR_DS_SHORT_PREAMBLE + IEEE80211_DUR_DS_FAST_PLCPHDR;
757	else
758		pre += IEEE80211_DUR_DS_LONG_PREAMBLE + IEEE80211_DUR_DS_SLOW_PLCPHDR;
759
760	d->d_residue = 0;
761	data_dur = (bitlen * 2) / rate;
762	remainder = (bitlen * 2) % rate;
763	if (remainder != 0) {
764		d->d_residue = (rate - remainder) / 16;
765		data_dur++;
766	}
767
768	switch (rate) {
769	case 2:		/* 1 Mb/s */
770	case 4:		/* 2 Mb/s */
771		/* 1 - 2 Mb/s WLAN: send ACK/CTS at 1 Mb/s */
772		ctsrate = 2;
773		break;
774	case 11:	/* 5.5 Mb/s */
775	case 22:	/* 11  Mb/s */
776	case 44:	/* 22  Mb/s */
777		/* 5.5 - 11 Mb/s WLAN: send ACK/CTS at 2 Mb/s */
778		ctsrate = 4;
779		break;
780	default:
781		/* TBD */
782		return -1;
783	}
784
785	d->d_plcp_len = data_dur;
786
787	ack = (use_ack) ? pre + (IEEE80211_DUR_DS_SLOW_ACK * 2) / ctsrate : 0;
788
789	d->d_rts_dur =
790	    pre + (IEEE80211_DUR_DS_SLOW_CTS * 2) / ctsrate +
791	    pre + data_dur +
792	    ack;
793
794	d->d_data_dur = ack;
795
796	return 0;
797}
798
799/*
800 * Arguments in:
801 *
802 * wh:      802.11 header
803 *
804 * paylen:  payload length (no FCS, no WEP header)
805 *
806 * rate:    MSDU speed, units 500kb/s
807 *
808 * fraglen: fragment length, set to maximum (or higher) for no
809 *          fragmentation
810 *
811 * flags:   IEEE80211_F_PRIVACY (hardware adds WEP),
812 *          IEEE80211_F_SHPREAMBLE (use short preamble),
813 *          IEEE80211_F_SHSLOT (use short slot length)
814 *
815 * Arguments out:
816 *
817 * d0: 802.11 Duration fields (RTS/Data), PLCP Length, Service fields
818 *     of first/only fragment
819 *
820 * dn: 802.11 Duration fields (RTS/Data), PLCP Length, Service fields
821 *     of last fragment
822 *
823 * ieee80211_compute_duration assumes crypto-encapsulation, if any,
824 * has already taken place.
825 */
826int
827ieee80211_compute_duration(const struct ieee80211_frame_min *wh,
828    const struct ieee80211_key *wk, int len,
829    uint32_t icflags, int fraglen, int rate, struct ieee80211_duration *d0,
830    struct ieee80211_duration *dn, int *npktp, int debug)
831{
832	int ack, rc;
833	int cryptolen,	/* crypto overhead: header+trailer */
834	    firstlen,	/* first fragment's payload + overhead length */
835	    hdrlen,	/* header length w/o driver padding */
836	    lastlen,	/* last fragment's payload length w/ overhead */
837	    lastlen0,	/* last fragment's payload length w/o overhead */
838	    npkt,	/* number of fragments */
839	    overlen,	/* non-802.11 header overhead per fragment */
840	    paylen;	/* payload length w/o overhead */
841
842	hdrlen = ieee80211_anyhdrsize((const void *)wh);
843
844	/* Account for padding required by the driver. */
845	if (icflags & IEEE80211_F_DATAPAD) {
846		paylen = len - roundup(hdrlen, sizeof(u_int32_t));
847		if (paylen < 0) {
848			panic("%s: paylen < 0", __func__);
849		}
850	} else {
851		paylen = len - hdrlen;
852	}
853
854	overlen = IEEE80211_CRC_LEN;
855
856	if (wk != NULL) {
857		cryptolen = wk->wk_cipher->ic_header +
858		            wk->wk_cipher->ic_trailer;
859		paylen -= cryptolen;
860		overlen += cryptolen;
861	}
862
863	npkt = paylen / fraglen;
864	lastlen0 = paylen % fraglen;
865
866	if (npkt == 0)			/* no fragments */
867		lastlen = paylen + overlen;
868	else if (lastlen0 != 0) {	/* a short "tail" fragment */
869		lastlen = lastlen0 + overlen;
870		npkt++;
871	} else				/* full-length "tail" fragment */
872		lastlen = fraglen + overlen;
873
874	if (npktp != NULL)
875		*npktp = npkt;
876
877	if (npkt > 1)
878		firstlen = fraglen + overlen;
879	else
880		firstlen = paylen + overlen;
881
882	if (debug) {
883		printf("%s: npkt %d firstlen %d lastlen0 %d lastlen %d "
884		    "fraglen %d overlen %d len %d rate %d icflags %08x\n",
885		    __func__, npkt, firstlen, lastlen0, lastlen, fraglen,
886		    overlen, len, rate, icflags);
887	}
888
889	ack = !IEEE80211_IS_MULTICAST(wh->i_addr1) &&
890	    (wh->i_fc[1] & IEEE80211_FC0_TYPE_MASK) != IEEE80211_FC0_TYPE_CTL;
891
892	rc = ieee80211_compute_duration1(firstlen + hdrlen,
893	    ack, icflags, rate, d0);
894	if (rc == -1)
895		return rc;
896
897	if (npkt <= 1) {
898		*dn = *d0;
899		return 0;
900	}
901	return ieee80211_compute_duration1(lastlen + hdrlen, ack, icflags, rate,
902	    dn);
903}
904
905/*
906 * Fragment the frame according to the specified mtu.
907 * The size of the 802.11 header (w/o padding) is provided
908 * so we don't need to recalculate it.  We create a new
909 * mbuf for each fragment and chain it through m_nextpkt;
910 * we might be able to optimize this by reusing the original
911 * packet's mbufs but that is significantly more complicated.
912 */
913static int
914ieee80211_fragment(struct ieee80211com *ic, struct mbuf *m0,
915	u_int hdrsize, u_int ciphdrsize, u_int mtu)
916{
917	struct ieee80211_frame *wh, *whf;
918	struct mbuf *m, *prev, *next;
919	const u_int totalhdrsize = hdrsize + ciphdrsize;
920	u_int fragno, fragsize, off, remainder, payload;
921
922	IASSERT(m0->m_nextpkt == NULL, ("mbuf already chained?"));
923	IASSERT(m0->m_pkthdr.len > mtu,
924		("pktlen %u mtu %u", m0->m_pkthdr.len, mtu));
925
926	wh = mtod(m0, struct ieee80211_frame *);
927	/* NB: mark the first frag; it will be propagated below */
928	wh->i_fc[1] |= IEEE80211_FC1_MORE_FRAG;
929
930	fragno = 1;
931	off = mtu - ciphdrsize;
932	remainder = m0->m_pkthdr.len - off;
933	prev = m0;
934	do {
935		fragsize = totalhdrsize + remainder;
936		if (fragsize > mtu)
937			fragsize = mtu;
938		IASSERT(fragsize < MCLBYTES,
939			("fragment size %u too big!", fragsize));
940		if (fragsize > MHLEN)
941			m = m_getcl(M_DONTWAIT, MT_DATA, M_PKTHDR);
942		else
943			m = m_gethdr(M_DONTWAIT, MT_DATA);
944		if (m == NULL)
945			goto bad;
946
947		/* leave room to prepend any cipher header */
948		m_align(m, fragsize - ciphdrsize);
949
950		/*
951		 * Form the header in the fragment.  Note that since
952		 * we mark the first fragment with the MORE_FRAG bit
953		 * it automatically is propagated to each fragment; we
954		 * need only clear it on the last fragment (done below).
955		 */
956		whf = mtod(m, struct ieee80211_frame *);
957		memcpy(whf, wh, hdrsize);
958		*(u_int16_t *)&whf->i_seq[0] |= htole16(
959			(fragno & IEEE80211_SEQ_FRAG_MASK) <<
960				IEEE80211_SEQ_FRAG_SHIFT);
961		fragno++;
962
963		payload = fragsize - totalhdrsize;
964		/* NB: destination is known to be contiguous */
965		m_copydata(m0, off, payload, mtod(m, u_int8_t *) + hdrsize);
966		m->m_len = hdrsize + payload;
967		m->m_pkthdr.len = hdrsize + payload;
968		m->m_flags |= M_FRAG;
969
970		/* chain up the fragment */
971		prev->m_nextpkt = m;
972		prev = m;
973
974		/* deduct fragment just formed */
975		remainder -= payload;
976		off += payload;
977	} while (remainder != 0);
978
979	whf->i_fc[1] &= ~IEEE80211_FC1_MORE_FRAG;
980
981	/* strip first mbuf now that everything has been copied */
982	m_adj(m0, -(m0->m_pkthdr.len - (mtu - ciphdrsize)));
983	m0->m_flags |= M_FIRSTFRAG | M_FRAG;
984
985	ic->ic_stats.is_tx_fragframes++;
986	ic->ic_stats.is_tx_frags += fragno-1;
987
988	return 1;
989
990bad:
991	/* reclaim fragments but leave original frame for caller to free */
992	for (m = m0->m_nextpkt; m != NULL; m = next) {
993		next = m->m_nextpkt;
994		m->m_nextpkt = NULL;
995		m_freem(m);
996	}
997	m0->m_nextpkt = NULL;
998
999	return 0;
1000}
1001
1002/*
1003 * Add a supported rates element id to a frame.
1004 */
1005u_int8_t *
1006ieee80211_add_rates(u_int8_t *frm, const struct ieee80211_rateset *rs)
1007{
1008	int nrates;
1009
1010	*frm++ = IEEE80211_ELEMID_RATES;
1011	nrates = rs->rs_nrates;
1012	if (nrates > IEEE80211_RATE_SIZE)
1013		nrates = IEEE80211_RATE_SIZE;
1014	*frm++ = nrates;
1015	memcpy(frm, rs->rs_rates, nrates);
1016	return frm + nrates;
1017}
1018
1019/*
1020 * Add an extended supported rates element id to a frame.
1021 */
1022u_int8_t *
1023ieee80211_add_xrates(u_int8_t *frm, const struct ieee80211_rateset *rs)
1024{
1025	/*
1026	 * Add an extended supported rates element if operating in 11g mode.
1027	 */
1028	if (rs->rs_nrates > IEEE80211_RATE_SIZE) {
1029		int nrates = rs->rs_nrates - IEEE80211_RATE_SIZE;
1030		*frm++ = IEEE80211_ELEMID_XRATES;
1031		*frm++ = nrates;
1032		memcpy(frm, rs->rs_rates + IEEE80211_RATE_SIZE, nrates);
1033		frm += nrates;
1034	}
1035	return frm;
1036}
1037
1038/*
1039 * Add an ssid elemet to a frame.
1040 */
1041u_int8_t *
1042ieee80211_add_ssid(u_int8_t *frm, const u_int8_t *ssid, u_int len)
1043{
1044	*frm++ = IEEE80211_ELEMID_SSID;
1045	*frm++ = len;
1046	memcpy(frm, ssid, len);
1047	return frm + len;
1048}
1049
1050/*
1051 * Add an erp element to a frame.
1052 */
1053static u_int8_t *
1054ieee80211_add_erp(u_int8_t *frm, struct ieee80211com *ic)
1055{
1056	u_int8_t erp;
1057
1058	*frm++ = IEEE80211_ELEMID_ERP;
1059	*frm++ = 1;
1060	erp = 0;
1061	if (ic->ic_nonerpsta != 0)
1062		erp |= IEEE80211_ERP_NON_ERP_PRESENT;
1063	if (ic->ic_flags & IEEE80211_F_USEPROT)
1064		erp |= IEEE80211_ERP_USE_PROTECTION;
1065	if (ic->ic_flags & IEEE80211_F_USEBARKER)
1066		erp |= IEEE80211_ERP_LONG_PREAMBLE;
1067	*frm++ = erp;
1068	return frm;
1069}
1070
1071static u_int8_t *
1072ieee80211_setup_wpa_ie(struct ieee80211com *ic, u_int8_t *ie)
1073{
1074#define	WPA_OUI_BYTES		0x00, 0x50, 0xf2
1075#define	ADDSHORT(frm, v) do {			\
1076	frm[0] = (v) & 0xff;			\
1077	frm[1] = (v) >> 8;			\
1078	frm += 2;				\
1079} while (0)
1080#define	ADDSELECTOR(frm, sel) do {		\
1081	memcpy(frm, sel, 4);			\
1082	frm += 4;				\
1083} while (0)
1084	static const u_int8_t oui[4] = { WPA_OUI_BYTES, WPA_OUI_TYPE };
1085	static const u_int8_t cipher_suite[][4] = {
1086		{ WPA_OUI_BYTES, WPA_CSE_WEP40 },	/* NB: 40-bit */
1087		{ WPA_OUI_BYTES, WPA_CSE_TKIP },
1088		{ 0x00, 0x00, 0x00, 0x00 },		/* XXX WRAP */
1089		{ WPA_OUI_BYTES, WPA_CSE_CCMP },
1090		{ 0x00, 0x00, 0x00, 0x00 },		/* XXX CKIP */
1091		{ WPA_OUI_BYTES, WPA_CSE_NULL },
1092	};
1093	static const u_int8_t wep104_suite[4] =
1094		{ WPA_OUI_BYTES, WPA_CSE_WEP104 };
1095	static const u_int8_t key_mgt_unspec[4] =
1096		{ WPA_OUI_BYTES, WPA_ASE_8021X_UNSPEC };
1097	static const u_int8_t key_mgt_psk[4] =
1098		{ WPA_OUI_BYTES, WPA_ASE_8021X_PSK };
1099	const struct ieee80211_rsnparms *rsn = &ic->ic_bss->ni_rsn;
1100	u_int8_t *frm = ie;
1101	u_int8_t *selcnt;
1102
1103	*frm++ = IEEE80211_ELEMID_VENDOR;
1104	*frm++ = 0;				/* length filled in below */
1105	memcpy(frm, oui, sizeof(oui));		/* WPA OUI */
1106	frm += sizeof(oui);
1107	ADDSHORT(frm, WPA_VERSION);
1108
1109	/* XXX filter out CKIP */
1110
1111	/* multicast cipher */
1112	if (rsn->rsn_mcastcipher == IEEE80211_CIPHER_WEP &&
1113	    rsn->rsn_mcastkeylen >= 13)
1114		ADDSELECTOR(frm, wep104_suite);
1115	else
1116		ADDSELECTOR(frm, cipher_suite[rsn->rsn_mcastcipher]);
1117
1118	/* unicast cipher list */
1119	selcnt = frm;
1120	ADDSHORT(frm, 0);			/* selector count */
1121	if (rsn->rsn_ucastcipherset & (1 << IEEE80211_CIPHER_AES_CCM)) {
1122		selcnt[0]++;
1123		ADDSELECTOR(frm, cipher_suite[IEEE80211_CIPHER_AES_CCM]);
1124	}
1125	if (rsn->rsn_ucastcipherset & (1 << IEEE80211_CIPHER_TKIP)) {
1126		selcnt[0]++;
1127		ADDSELECTOR(frm, cipher_suite[IEEE80211_CIPHER_TKIP]);
1128	}
1129
1130	/* authenticator selector list */
1131	selcnt = frm;
1132	ADDSHORT(frm, 0);			/* selector count */
1133	if (rsn->rsn_keymgmtset & WPA_ASE_8021X_UNSPEC) {
1134		selcnt[0]++;
1135		ADDSELECTOR(frm, key_mgt_unspec);
1136	}
1137	if (rsn->rsn_keymgmtset & WPA_ASE_8021X_PSK) {
1138		selcnt[0]++;
1139		ADDSELECTOR(frm, key_mgt_psk);
1140	}
1141
1142	/* optional capabilities */
1143	if (rsn->rsn_caps != 0 && rsn->rsn_caps != RSN_CAP_PREAUTH)
1144		ADDSHORT(frm, rsn->rsn_caps);
1145
1146	/* calculate element length */
1147	ie[1] = frm - ie - 2;
1148	IASSERT(ie[1]+2 <= sizeof(struct ieee80211_ie_wpa),
1149		("WPA IE too big, %u > %zu",
1150		ie[1]+2, sizeof(struct ieee80211_ie_wpa)));
1151	return frm;
1152#undef ADDSHORT
1153#undef ADDSELECTOR
1154#undef WPA_OUI_BYTES
1155}
1156
1157static u_int8_t *
1158ieee80211_setup_rsn_ie(struct ieee80211com *ic, u_int8_t *ie)
1159{
1160#define	RSN_OUI_BYTES		0x00, 0x0f, 0xac
1161#define	ADDSHORT(frm, v) do {			\
1162	frm[0] = (v) & 0xff;			\
1163	frm[1] = (v) >> 8;			\
1164	frm += 2;				\
1165} while (0)
1166#define	ADDSELECTOR(frm, sel) do {		\
1167	memcpy(frm, sel, 4);			\
1168	frm += 4;				\
1169} while (0)
1170	static const u_int8_t cipher_suite[][4] = {
1171		{ RSN_OUI_BYTES, RSN_CSE_WEP40 },	/* NB: 40-bit */
1172		{ RSN_OUI_BYTES, RSN_CSE_TKIP },
1173		{ RSN_OUI_BYTES, RSN_CSE_WRAP },
1174		{ RSN_OUI_BYTES, RSN_CSE_CCMP },
1175		{ 0x00, 0x00, 0x00, 0x00 },		/* XXX CKIP */
1176		{ RSN_OUI_BYTES, RSN_CSE_NULL },
1177	};
1178	static const u_int8_t wep104_suite[4] =
1179		{ RSN_OUI_BYTES, RSN_CSE_WEP104 };
1180	static const u_int8_t key_mgt_unspec[4] =
1181		{ RSN_OUI_BYTES, RSN_ASE_8021X_UNSPEC };
1182	static const u_int8_t key_mgt_psk[4] =
1183		{ RSN_OUI_BYTES, RSN_ASE_8021X_PSK };
1184	const struct ieee80211_rsnparms *rsn = &ic->ic_bss->ni_rsn;
1185	u_int8_t *frm = ie;
1186	u_int8_t *selcnt;
1187
1188	*frm++ = IEEE80211_ELEMID_RSN;
1189	*frm++ = 0;				/* length filled in below */
1190	ADDSHORT(frm, RSN_VERSION);
1191
1192	/* XXX filter out CKIP */
1193
1194	/* multicast cipher */
1195	if (rsn->rsn_mcastcipher == IEEE80211_CIPHER_WEP &&
1196	    rsn->rsn_mcastkeylen >= 13)
1197		ADDSELECTOR(frm, wep104_suite);
1198	else
1199		ADDSELECTOR(frm, cipher_suite[rsn->rsn_mcastcipher]);
1200
1201	/* unicast cipher list */
1202	selcnt = frm;
1203	ADDSHORT(frm, 0);			/* selector count */
1204	if (rsn->rsn_ucastcipherset & (1 << IEEE80211_CIPHER_AES_CCM)) {
1205		selcnt[0]++;
1206		ADDSELECTOR(frm, cipher_suite[IEEE80211_CIPHER_AES_CCM]);
1207	}
1208	if (rsn->rsn_ucastcipherset & (1 << IEEE80211_CIPHER_TKIP)) {
1209		selcnt[0]++;
1210		ADDSELECTOR(frm, cipher_suite[IEEE80211_CIPHER_TKIP]);
1211	}
1212
1213	/* authenticator selector list */
1214	selcnt = frm;
1215	ADDSHORT(frm, 0);			/* selector count */
1216	if (rsn->rsn_keymgmtset & WPA_ASE_8021X_UNSPEC) {
1217		selcnt[0]++;
1218		ADDSELECTOR(frm, key_mgt_unspec);
1219	}
1220	if (rsn->rsn_keymgmtset & WPA_ASE_8021X_PSK) {
1221		selcnt[0]++;
1222		ADDSELECTOR(frm, key_mgt_psk);
1223	}
1224
1225	/* optional capabilities */
1226	ADDSHORT(frm, rsn->rsn_caps);
1227	/* XXX PMKID */
1228
1229	/* calculate element length */
1230	ie[1] = frm - ie - 2;
1231	IASSERT(ie[1]+2 <= sizeof(struct ieee80211_ie_wpa),
1232		("RSN IE too big, %u > %zu",
1233		ie[1]+2, sizeof(struct ieee80211_ie_wpa)));
1234	return frm;
1235#undef ADDSELECTOR
1236#undef ADDSHORT
1237#undef RSN_OUI_BYTES
1238}
1239
1240/*
1241 * Add a WPA/RSN element to a frame.
1242 */
1243u_int8_t *
1244ieee80211_add_wpa(u_int8_t *frm, struct ieee80211com *ic)
1245{
1246
1247	IASSERT(ic->ic_flags & IEEE80211_F_WPA, ("no WPA/RSN!"));
1248	if (ic->ic_flags & IEEE80211_F_WPA2)
1249		frm = ieee80211_setup_rsn_ie(ic, frm);
1250	if (ic->ic_flags & IEEE80211_F_WPA1)
1251		frm = ieee80211_setup_wpa_ie(ic, frm);
1252	return frm;
1253}
1254
1255#define	WME_OUI_BYTES		0x00, 0x50, 0xf2
1256/*
1257 * Add a WME information element to a frame.
1258 */
1259u_int8_t *
1260ieee80211_add_wme_info(u_int8_t *frm, struct ieee80211_wme_state *wme)
1261{
1262	static const struct ieee80211_wme_info info = {
1263		.wme_id		= IEEE80211_ELEMID_VENDOR,
1264		.wme_len	= sizeof(struct ieee80211_wme_info) - 2,
1265		.wme_oui	= { WME_OUI_BYTES },
1266		.wme_type	= WME_OUI_TYPE,
1267		.wme_subtype	= WME_INFO_OUI_SUBTYPE,
1268		.wme_version	= WME_VERSION,
1269		.wme_info	= 0,
1270	};
1271	memcpy(frm, &info, sizeof(info));
1272	return frm + sizeof(info);
1273}
1274
1275/*
1276 * Add a WME parameters element to a frame.
1277 */
1278static u_int8_t *
1279ieee80211_add_wme_param(u_int8_t *frm, struct ieee80211_wme_state *wme)
1280{
1281#define	SM(_v, _f)	(((_v) << _f##_S) & _f)
1282#define	ADDSHORT(frm, v) do {			\
1283	frm[0] = (v) & 0xff;			\
1284	frm[1] = (v) >> 8;			\
1285	frm += 2;				\
1286} while (0)
1287	/* NB: this works because a param has an info at the front */
1288	static const struct ieee80211_wme_info param = {
1289		.wme_id		= IEEE80211_ELEMID_VENDOR,
1290		.wme_len	= sizeof(struct ieee80211_wme_param) - 2,
1291		.wme_oui	= { WME_OUI_BYTES },
1292		.wme_type	= WME_OUI_TYPE,
1293		.wme_subtype	= WME_PARAM_OUI_SUBTYPE,
1294		.wme_version	= WME_VERSION,
1295	};
1296	int i;
1297
1298	memcpy(frm, &param, sizeof(param));
1299	frm += offsetof(struct ieee80211_wme_info, wme_info);
1300	*frm++ = wme->wme_bssChanParams.cap_info;	/* AC info */
1301	*frm++ = 0;					/* reserved field */
1302	for (i = 0; i < WME_NUM_AC; i++) {
1303		const struct wmeParams *ac =
1304		       &wme->wme_bssChanParams.cap_wmeParams[i];
1305		*frm++ = SM(i, WME_PARAM_ACI) |
1306		    SM(ac->wmep_acm, WME_PARAM_ACM) |
1307		    SM(ac->wmep_aifsn, WME_PARAM_AIFSN);
1308		*frm++ = SM(ac->wmep_logcwmax, WME_PARAM_LOGCWMAX) |
1309		    SM(ac->wmep_logcwmin, WME_PARAM_LOGCWMIN);
1310		ADDSHORT(frm, ac->wmep_txopLimit);
1311	}
1312
1313	return frm;
1314#undef SM
1315#undef ADDSHORT
1316}
1317#undef WME_OUI_BYTES
1318
1319/*
1320 * Send a probe request frame with the specified ssid
1321 * and any optional information element data.
1322 */
1323int
1324ieee80211_send_probereq(struct ieee80211_node *ni,
1325	const u_int8_t sa[IEEE80211_ADDR_LEN],
1326	const u_int8_t da[IEEE80211_ADDR_LEN],
1327	const u_int8_t bssid[IEEE80211_ADDR_LEN],
1328	const u_int8_t *ssid, size_t ssidlen,
1329	const void *optie, size_t optielen)
1330{
1331	struct ieee80211com *ic = ni->ni_ic;
1332	enum ieee80211_phymode mode;
1333	struct ieee80211_frame *wh;
1334	struct mbuf *m;
1335	u_int8_t *frm;
1336
1337	/*
1338	 * Hold a reference on the node so it doesn't go away until after
1339	 * the xmit is complete all the way in the driver.  On error we
1340	 * will remove our reference.
1341	 */
1342	IEEE80211_DPRINTF(ic, IEEE80211_MSG_NODE,
1343		"ieee80211_ref_node (%s:%u) %p<%s> refcnt %d\n",
1344		__func__, __LINE__,
1345		ni, ether_sprintf(ni->ni_macaddr),
1346		ieee80211_node_refcnt(ni)+1);
1347	ieee80211_ref_node(ni);
1348
1349	/*
1350	 * prreq frame format
1351	 *	[tlv] ssid
1352	 *	[tlv] supported rates
1353	 *	[tlv] extended supported rates
1354	 *	[tlv] user-specified ie's
1355	 */
1356	m = ieee80211_getmgtframe(&frm,
1357		 2 + IEEE80211_NWID_LEN
1358	       + 2 + IEEE80211_RATE_SIZE
1359	       + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE)
1360	       + (optie != NULL ? optielen : 0)
1361	);
1362	if (m == NULL) {
1363		ic->ic_stats.is_tx_nobuf++;
1364		ieee80211_free_node(ni);
1365		return ENOMEM;
1366	}
1367
1368	frm = ieee80211_add_ssid(frm, ssid, ssidlen);
1369	mode = ieee80211_chan2mode(ic, ic->ic_curchan);
1370	frm = ieee80211_add_rates(frm, &ic->ic_sup_rates[mode]);
1371	frm = ieee80211_add_xrates(frm, &ic->ic_sup_rates[mode]);
1372
1373	if (optie != NULL) {
1374		memcpy(frm, optie, optielen);
1375		frm += optielen;
1376	}
1377	m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *);
1378
1379	M_PREPEND(m, sizeof(struct ieee80211_frame), M_DONTWAIT);
1380	if (m == NULL) {
1381		ic->ic_stats.is_tx_nobuf++;
1382		ieee80211_free_node(ni);
1383		return ENOMEM;
1384	}
1385	M_SETCTX(m, ni);
1386
1387	wh = mtod(m, struct ieee80211_frame *);
1388	ieee80211_send_setup(ic, ni, wh,
1389	    IEEE80211_FC0_TYPE_MGT | IEEE80211_FC0_SUBTYPE_PROBE_REQ,
1390	    sa, da, bssid);
1391	/* XXX power management? */
1392
1393	IEEE80211_NODE_STAT(ni, tx_probereq);
1394	IEEE80211_NODE_STAT(ni, tx_mgmt);
1395
1396	IEEE80211_DPRINTF(ic, IEEE80211_MSG_DEBUG | IEEE80211_MSG_DUMPPKTS,
1397	    "[%s] send probe req on channel %u\n",
1398	    ether_sprintf(wh->i_addr1),
1399	    ieee80211_chan2ieee(ic, ic->ic_curchan));
1400
1401	IF_ENQUEUE(&ic->ic_mgtq, m);
1402	if_start_lock(ic->ic_ifp);
1403	return 0;
1404}
1405
1406/*
1407 * Send a management frame.  The node is for the destination (or ic_bss
1408 * when in station mode).  Nodes other than ic_bss have their reference
1409 * count bumped to reflect our use for an indeterminant time.
1410 */
1411int
1412ieee80211_send_mgmt(struct ieee80211com *ic, struct ieee80211_node *ni,
1413	int type, int arg)
1414{
1415#define	senderr(_x, _v)	do { ic->ic_stats._v++; ret = _x; goto bad; } while (0)
1416	struct mbuf *m;
1417	u_int8_t *frm;
1418	u_int16_t capinfo;
1419	int ret, timer, status;
1420
1421	IASSERT(ni != NULL, ("null node"));
1422
1423	/*
1424	 * Hold a reference on the node so it doesn't go away until after
1425	 * the xmit is complete all the way in the driver.  On error we
1426	 * will remove our reference.
1427	 */
1428	IEEE80211_DPRINTF(ic, IEEE80211_MSG_NODE,
1429		"ieee80211_ref_node (%s:%u) %p<%s> refcnt %d\n",
1430		__func__, __LINE__,
1431		ni, ether_sprintf(ni->ni_macaddr),
1432		ieee80211_node_refcnt(ni)+1);
1433	ieee80211_ref_node(ni);
1434
1435	timer = 0;
1436	switch (type) {
1437	case IEEE80211_FC0_SUBTYPE_PROBE_RESP: {
1438		const bool has_wpa = (ic->ic_flags & IEEE80211_F_WPA) != 0;
1439
1440		/*
1441		 * probe response frame format
1442		 *	[8] time stamp
1443		 *	[2] beacon interval
1444		 *	[2] cabability information
1445		 *	[tlv] ssid
1446		 *	[tlv] supported rates
1447		 *	[tlv] parameter set (FH/DS)
1448		 *	[tlv] parameter set (IBSS)
1449		 *	[tlv] extended rate phy (ERP)
1450		 *	[tlv] extended supported rates
1451		 *	[tlv] WPA
1452		 *	[tlv] WME (optional)
1453		 */
1454		m = ieee80211_getmgtframe(&frm,
1455			 8 /* timestamp */
1456		       + sizeof(u_int16_t) /* interval */
1457		       + sizeof(u_int16_t) /* capinfo */
1458		       + 2 + IEEE80211_NWID_LEN /* ssid */
1459		       + 2 + IEEE80211_RATE_SIZE /* rates */
1460		       + 7 /* max(7,3) */
1461		       + 6 /* ibss (XXX could be 4?) */
1462		       + 3 /* erp */
1463		       + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE)
1464		       /* XXX !WPA1+WPA2 fits w/o a cluster */
1465		       + (has_wpa ? (2 * sizeof(struct ieee80211_ie_wpa)) : 0)
1466		       + sizeof(struct ieee80211_wme_param)
1467		);
1468		if (m == NULL)
1469			senderr(ENOMEM, is_tx_nobuf);
1470
1471		/* timestamp (should be filled later) */
1472		memset(frm, 0, 8);
1473		frm += 8;
1474
1475		/* interval */
1476		*(u_int16_t *)frm = htole16(ic->ic_bss->ni_intval);
1477		frm += 2;
1478
1479		/* capinfo */
1480		if (ic->ic_opmode == IEEE80211_M_IBSS)
1481			capinfo = IEEE80211_CAPINFO_IBSS;
1482		else
1483			capinfo = IEEE80211_CAPINFO_ESS;
1484		if (ic->ic_flags & IEEE80211_F_PRIVACY)
1485			capinfo |= IEEE80211_CAPINFO_PRIVACY;
1486		if ((ic->ic_flags & IEEE80211_F_SHPREAMBLE) &&
1487		    IEEE80211_IS_CHAN_2GHZ(ic->ic_curchan))
1488			capinfo |= IEEE80211_CAPINFO_SHORT_PREAMBLE;
1489		if (ic->ic_flags & IEEE80211_F_SHSLOT)
1490			capinfo |= IEEE80211_CAPINFO_SHORT_SLOTTIME;
1491		*(u_int16_t *)frm = htole16(capinfo);
1492		frm += 2;
1493
1494		/* ssid */
1495		frm = ieee80211_add_ssid(frm, ic->ic_bss->ni_essid,
1496		    ic->ic_bss->ni_esslen);
1497
1498		/* rates */
1499		frm = ieee80211_add_rates(frm, &ni->ni_rates);
1500
1501		/* variable */
1502		if (ic->ic_phytype == IEEE80211_T_FH) {
1503			*frm++ = IEEE80211_ELEMID_FHPARMS;
1504			*frm++ = 5;
1505			*frm++ = ni->ni_fhdwell & 0x00ff;
1506			*frm++ = (ni->ni_fhdwell >> 8) & 0x00ff;
1507			*frm++ = IEEE80211_FH_CHANSET(
1508			    ieee80211_chan2ieee(ic, ic->ic_curchan));
1509			*frm++ = IEEE80211_FH_CHANPAT(
1510			    ieee80211_chan2ieee(ic, ic->ic_curchan));
1511			*frm++ = ni->ni_fhindex;
1512		} else {
1513			*frm++ = IEEE80211_ELEMID_DSPARMS;
1514			*frm++ = 1;
1515			*frm++ = ieee80211_chan2ieee(ic, ic->ic_curchan);
1516		}
1517
1518		/* ibss */
1519		if (ic->ic_opmode == IEEE80211_M_IBSS) {
1520			*frm++ = IEEE80211_ELEMID_IBSSPARMS;
1521			*frm++ = 2;
1522			*frm++ = 0; *frm++ = 0;	/* TODO: ATIM window */
1523		}
1524
1525		/* wpa */
1526		if (has_wpa)
1527			frm = ieee80211_add_wpa(frm, ic);
1528
1529		/* erp */
1530		if (ic->ic_curmode == IEEE80211_MODE_11G)
1531			frm = ieee80211_add_erp(frm, ic);
1532
1533		/* xrates */
1534		frm = ieee80211_add_xrates(frm, &ni->ni_rates);
1535
1536		/* wme */
1537		if (ic->ic_flags & IEEE80211_F_WME)
1538			frm = ieee80211_add_wme_param(frm, &ic->ic_wme);
1539
1540		m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *);
1541		break;
1542	}
1543
1544	case IEEE80211_FC0_SUBTYPE_AUTH: {
1545		status = arg >> 16;
1546		arg &= 0xffff;
1547		const bool has_challenge =
1548		    (arg == IEEE80211_AUTH_SHARED_CHALLENGE ||
1549		     arg == IEEE80211_AUTH_SHARED_RESPONSE) &&
1550		    ni->ni_challenge != NULL;
1551
1552		/*
1553		 * Deduce whether we're doing open authentication or
1554		 * shared key authentication.  We do the latter if
1555		 * we're in the middle of a shared key authentication
1556		 * handshake or if we're initiating an authentication
1557		 * request and configured to use shared key.
1558		 */
1559		const bool is_shared_key = has_challenge ||
1560		    (arg >= IEEE80211_AUTH_SHARED_RESPONSE) ||
1561		    (arg == IEEE80211_AUTH_SHARED_REQUEST &&
1562		     ic->ic_bss->ni_authmode == IEEE80211_AUTH_SHARED);
1563
1564		const bool need_challenge =
1565		    has_challenge && (status == IEEE80211_STATUS_SUCCESS);
1566
1567		const int frm_size = 3 * sizeof(u_int16_t)
1568			+ (need_challenge ?
1569				sizeof(u_int16_t)+IEEE80211_CHALLENGE_LEN : 0);
1570
1571		m = ieee80211_getmgtframe(&frm, frm_size);
1572		if (m == NULL)
1573			senderr(ENOMEM, is_tx_nobuf);
1574
1575		((u_int16_t *)frm)[0] =
1576		      is_shared_key ? htole16(IEEE80211_AUTH_ALG_SHARED)
1577		                    : htole16(IEEE80211_AUTH_ALG_OPEN);
1578		((u_int16_t *)frm)[1] = htole16(arg);	/* sequence number */
1579		((u_int16_t *)frm)[2] = htole16(status);/* status */
1580
1581		if (need_challenge) {
1582			((u_int16_t *)frm)[3] =
1583			    htole16((IEEE80211_CHALLENGE_LEN << 8) |
1584			    IEEE80211_ELEMID_CHALLENGE);
1585			memcpy(&((u_int16_t *)frm)[4], ni->ni_challenge,
1586			    IEEE80211_CHALLENGE_LEN);
1587
1588			if (arg == IEEE80211_AUTH_SHARED_RESPONSE) {
1589				IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH,
1590				    "[%s] request encrypt frame (%s)\n",
1591				    ether_sprintf(ni->ni_macaddr), __func__);
1592				m->m_flags |= M_LINK0; /* WEP-encrypt, please */
1593			}
1594		}
1595
1596		m->m_pkthdr.len = m->m_len = frm_size;
1597
1598		/* XXX not right for shared key */
1599		if (status == IEEE80211_STATUS_SUCCESS)
1600			IEEE80211_NODE_STAT(ni, tx_auth);
1601		else
1602			IEEE80211_NODE_STAT(ni, tx_auth_fail);
1603
1604		if (ic->ic_opmode == IEEE80211_M_STA)
1605			timer = IEEE80211_TRANS_WAIT;
1606		break;
1607	}
1608
1609	case IEEE80211_FC0_SUBTYPE_DEAUTH:
1610		IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH,
1611			"[%s] send station deauthenticate (reason %d)\n",
1612			ether_sprintf(ni->ni_macaddr), arg);
1613		m = ieee80211_getmgtframe(&frm, sizeof(u_int16_t));
1614		if (m == NULL)
1615			senderr(ENOMEM, is_tx_nobuf);
1616		*(u_int16_t *)frm = htole16(arg);	/* reason */
1617		m->m_pkthdr.len = m->m_len = sizeof(u_int16_t);
1618
1619		IEEE80211_NODE_STAT(ni, tx_deauth);
1620		IEEE80211_NODE_STAT_SET(ni, tx_deauth_code, arg);
1621
1622		ieee80211_node_unauthorize(ni);		/* port closed */
1623		break;
1624
1625	case IEEE80211_FC0_SUBTYPE_ASSOC_REQ:
1626	case IEEE80211_FC0_SUBTYPE_REASSOC_REQ:
1627		/*
1628		 * asreq frame format
1629		 *	[2] capability information
1630		 *	[2] listen interval
1631		 *	[6*] current AP address (reassoc only)
1632		 *	[tlv] ssid
1633		 *	[tlv] supported rates
1634		 *	[tlv] extended supported rates
1635		 *	[tlv] WME
1636		 *	[tlv] user-specified ie's
1637		 */
1638		m = ieee80211_getmgtframe(&frm,
1639			 sizeof(u_int16_t)
1640		       + sizeof(u_int16_t)
1641		       + IEEE80211_ADDR_LEN
1642		       + 2 + IEEE80211_NWID_LEN
1643		       + 2 + IEEE80211_RATE_SIZE
1644		       + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE)
1645		       + sizeof(struct ieee80211_wme_info)
1646		       + (ic->ic_opt_ie != NULL ? ic->ic_opt_ie_len : 0)
1647		);
1648		if (m == NULL)
1649			senderr(ENOMEM, is_tx_nobuf);
1650
1651		capinfo = 0;
1652		if (ic->ic_opmode == IEEE80211_M_IBSS)
1653			capinfo |= IEEE80211_CAPINFO_IBSS;
1654		else /* IEEE80211_M_STA */
1655			capinfo |= IEEE80211_CAPINFO_ESS;
1656		if (ic->ic_flags & IEEE80211_F_PRIVACY)
1657			capinfo |= IEEE80211_CAPINFO_PRIVACY;
1658		/*
1659		 * NB: Some 11a AP's reject the request when
1660		 *     short premable is set.
1661		 */
1662		if ((ic->ic_flags & IEEE80211_F_SHPREAMBLE) &&
1663		    IEEE80211_IS_CHAN_2GHZ(ic->ic_curchan))
1664			capinfo |= IEEE80211_CAPINFO_SHORT_PREAMBLE;
1665		if ((ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME) &&
1666		    (ic->ic_caps & IEEE80211_C_SHSLOT))
1667			capinfo |= IEEE80211_CAPINFO_SHORT_SLOTTIME;
1668		*(u_int16_t *)frm = htole16(capinfo);
1669		frm += 2;
1670
1671		*(u_int16_t *)frm = htole16(ic->ic_lintval);
1672		frm += 2;
1673
1674		if (type == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) {
1675			IEEE80211_ADDR_COPY(frm, ic->ic_bss->ni_bssid);
1676			frm += IEEE80211_ADDR_LEN;
1677		}
1678
1679		frm = ieee80211_add_ssid(frm, ni->ni_essid, ni->ni_esslen);
1680		frm = ieee80211_add_rates(frm, &ni->ni_rates);
1681		frm = ieee80211_add_xrates(frm, &ni->ni_rates);
1682		if ((ic->ic_flags & IEEE80211_F_WME) && ni->ni_wme_ie != NULL)
1683			frm = ieee80211_add_wme_info(frm, &ic->ic_wme);
1684		if (ic->ic_opt_ie != NULL) {
1685			memcpy(frm, ic->ic_opt_ie, ic->ic_opt_ie_len);
1686			frm += ic->ic_opt_ie_len;
1687		}
1688		m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *);
1689
1690		timer = IEEE80211_TRANS_WAIT;
1691		break;
1692
1693	case IEEE80211_FC0_SUBTYPE_ASSOC_RESP:
1694	case IEEE80211_FC0_SUBTYPE_REASSOC_RESP:
1695		/*
1696		 * asreq frame format
1697		 *	[2] capability information
1698		 *	[2] status
1699		 *	[2] association ID
1700		 *	[tlv] supported rates
1701		 *	[tlv] extended supported rates
1702		 *	[tlv] WME (if enabled and STA enabled)
1703		 */
1704		m = ieee80211_getmgtframe(&frm,
1705			 sizeof(u_int16_t)
1706		       + sizeof(u_int16_t)
1707		       + sizeof(u_int16_t)
1708		       + 2 + IEEE80211_RATE_SIZE
1709		       + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE)
1710		       + sizeof(struct ieee80211_wme_param)
1711		);
1712		if (m == NULL)
1713			senderr(ENOMEM, is_tx_nobuf);
1714
1715		capinfo = IEEE80211_CAPINFO_ESS;
1716		if (ic->ic_flags & IEEE80211_F_PRIVACY)
1717			capinfo |= IEEE80211_CAPINFO_PRIVACY;
1718		if ((ic->ic_flags & IEEE80211_F_SHPREAMBLE) &&
1719		    IEEE80211_IS_CHAN_2GHZ(ic->ic_curchan))
1720			capinfo |= IEEE80211_CAPINFO_SHORT_PREAMBLE;
1721		if (ic->ic_flags & IEEE80211_F_SHSLOT)
1722			capinfo |= IEEE80211_CAPINFO_SHORT_SLOTTIME;
1723		*(u_int16_t *)frm = htole16(capinfo);
1724		frm += 2;
1725
1726		*(u_int16_t *)frm = htole16(arg);	/* status */
1727		frm += 2;
1728
1729		if (arg == IEEE80211_STATUS_SUCCESS) {
1730			*(u_int16_t *)frm = htole16(ni->ni_associd);
1731			IEEE80211_NODE_STAT(ni, tx_assoc);
1732		} else {
1733			*(u_int16_t *)frm = 0;
1734			IEEE80211_NODE_STAT(ni, tx_assoc_fail);
1735		}
1736		frm += 2;
1737
1738		frm = ieee80211_add_rates(frm, &ni->ni_rates);
1739		frm = ieee80211_add_xrates(frm, &ni->ni_rates);
1740		if ((ic->ic_flags & IEEE80211_F_WME) && ni->ni_wme_ie != NULL)
1741			frm = ieee80211_add_wme_param(frm, &ic->ic_wme);
1742		m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *);
1743		break;
1744
1745	case IEEE80211_FC0_SUBTYPE_DISASSOC:
1746		IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC,
1747			"[%s] send station disassociate (reason %d)\n",
1748			ether_sprintf(ni->ni_macaddr), arg);
1749		m = ieee80211_getmgtframe(&frm, sizeof(u_int16_t));
1750		if (m == NULL)
1751			senderr(ENOMEM, is_tx_nobuf);
1752		*(u_int16_t *)frm = htole16(arg);	/* reason */
1753		m->m_pkthdr.len = m->m_len = sizeof(u_int16_t);
1754
1755		IEEE80211_NODE_STAT(ni, tx_disassoc);
1756		IEEE80211_NODE_STAT_SET(ni, tx_disassoc_code, arg);
1757		break;
1758
1759	default:
1760		IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY,
1761			"[%s] invalid mgmt frame type %u\n",
1762			ether_sprintf(ni->ni_macaddr), type);
1763		senderr(EINVAL, is_tx_unknownmgt);
1764		/* NOTREACHED */
1765	}
1766	ret = ieee80211_mgmt_output(ic, ni, m, type, timer);
1767	if (ret != 0) {
1768bad:
1769		ieee80211_free_node(ni);
1770	}
1771	return ret;
1772#undef senderr
1773}
1774
1775/*
1776 * Build a RTS (Request To Send) control frame.
1777 */
1778struct mbuf *
1779ieee80211_get_rts(struct ieee80211com *ic, const struct ieee80211_frame *wh,
1780    uint16_t dur)
1781{
1782	struct ieee80211_frame_rts *rts;
1783	struct mbuf *m;
1784
1785	MGETHDR(m, M_DONTWAIT, MT_DATA);
1786	if (m == NULL)
1787		return NULL;
1788
1789	m->m_pkthdr.len = m->m_len = sizeof(struct ieee80211_frame_rts);
1790
1791	rts = mtod(m, struct ieee80211_frame_rts *);
1792	rts->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_CTL |
1793	    IEEE80211_FC0_SUBTYPE_RTS;
1794	rts->i_fc[1] = IEEE80211_FC1_DIR_NODS;
1795	*(uint16_t *)rts->i_dur = htole16(dur);
1796	IEEE80211_ADDR_COPY(rts->i_ra, wh->i_addr1);
1797	IEEE80211_ADDR_COPY(rts->i_ta, wh->i_addr2);
1798
1799	return m;
1800}
1801
1802/*
1803 * Build a CTS-to-self (Clear To Send) control frame.
1804 */
1805struct mbuf *
1806ieee80211_get_cts_to_self(struct ieee80211com *ic, uint16_t dur)
1807{
1808	struct ieee80211_frame_cts *cts;
1809	struct mbuf *m;
1810
1811	MGETHDR(m, M_DONTWAIT, MT_DATA);
1812	if (m == NULL)
1813		return NULL;
1814
1815	m->m_pkthdr.len = m->m_len = sizeof(struct ieee80211_frame_cts);
1816
1817	cts = mtod(m, struct ieee80211_frame_cts *);
1818	cts->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_CTL |
1819	    IEEE80211_FC0_SUBTYPE_CTS;
1820	cts->i_fc[1] = IEEE80211_FC1_DIR_NODS;
1821	*(uint16_t *)cts->i_dur = htole16(dur);
1822	IEEE80211_ADDR_COPY(cts->i_ra, ic->ic_myaddr);
1823
1824	return m;
1825}
1826
1827/*
1828 * Allocate a beacon frame and fill in the appropriate bits.
1829 */
1830struct mbuf *
1831ieee80211_beacon_alloc(struct ieee80211com *ic, struct ieee80211_node *ni,
1832	struct ieee80211_beacon_offsets *bo)
1833{
1834	struct ifnet *ifp = ic->ic_ifp;
1835	struct ieee80211_frame *wh;
1836	struct mbuf *m;
1837	int pktlen;
1838	u_int8_t *frm, *efrm;
1839	u_int16_t capinfo;
1840	struct ieee80211_rateset *rs;
1841
1842	rs = &ni->ni_rates;
1843
1844	/*
1845	 * beacon frame format
1846	 *	[8] time stamp
1847	 *	[2] beacon interval
1848	 *	[2] cabability information
1849	 *	[tlv] ssid
1850	 *	[tlv] supported rates
1851	 *	[3] parameter set (DS)
1852	 *	[tlv] parameter set (IBSS/TIM)
1853	 *	[tlv] extended rate phy (ERP)
1854	 *	[tlv] extended supported rates
1855	 *	[tlv] WME parameters
1856	 *	[tlv] WPA/RSN parameters
1857	 * XXX Vendor-specific OIDs (e.g. Atheros)
1858	 *
1859	 * NB: we allocate the max space required for the TIM bitmap
1860	 * (ic_tim_len).
1861	 */
1862	pktlen =   8					/* time stamp */
1863		 + sizeof(u_int16_t)			/* beacon interval */
1864		 + sizeof(u_int16_t)			/* capabilities */
1865		 + 2 + ni->ni_esslen			/* ssid */
1866		 + 2 + IEEE80211_RATE_SIZE		/* supported rates */
1867		 + 2 + 1				/* DS parameters */
1868		 + 2 + 4 + ic->ic_tim_len		/* DTIM/IBSSPARMS */
1869		 + 2 + 1				/* ERP */
1870		 + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE)
1871		 + (ic->ic_caps & IEEE80211_C_WME ?	/* WME */
1872			sizeof(struct ieee80211_wme_param) : 0)
1873		 + (ic->ic_caps & IEEE80211_C_WPA ?	/* WPA 1+2 */
1874			2*sizeof(struct ieee80211_ie_wpa) : 0)
1875		 ;
1876	m = ieee80211_getmgtframe(&frm, pktlen);
1877	if (m == NULL) {
1878		IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY,
1879			"%s: cannot get buf; size %u\n", __func__, pktlen);
1880		ic->ic_stats.is_tx_nobuf++;
1881		return NULL;
1882	}
1883
1884	memset(frm, 0, 8);	/* XXX timestamp is set by hardware/driver */
1885	frm += 8;
1886
1887	*(u_int16_t *)frm = htole16(ni->ni_intval);
1888	frm += 2;
1889
1890	if (ic->ic_opmode == IEEE80211_M_IBSS)
1891		capinfo = IEEE80211_CAPINFO_IBSS;
1892	else
1893		capinfo = IEEE80211_CAPINFO_ESS;
1894	if (ic->ic_flags & IEEE80211_F_PRIVACY)
1895		capinfo |= IEEE80211_CAPINFO_PRIVACY;
1896	if ((ic->ic_flags & IEEE80211_F_SHPREAMBLE) &&
1897	    IEEE80211_IS_CHAN_2GHZ(ni->ni_chan))
1898		capinfo |= IEEE80211_CAPINFO_SHORT_PREAMBLE;
1899	if (ic->ic_flags & IEEE80211_F_SHSLOT)
1900		capinfo |= IEEE80211_CAPINFO_SHORT_SLOTTIME;
1901	bo->bo_caps = (u_int16_t *)frm;
1902	*(u_int16_t *)frm = htole16(capinfo);
1903	frm += 2;
1904
1905	*frm++ = IEEE80211_ELEMID_SSID;
1906	if ((ic->ic_flags & IEEE80211_F_HIDESSID) == 0) {
1907		*frm++ = ni->ni_esslen;
1908		memcpy(frm, ni->ni_essid, ni->ni_esslen);
1909		frm += ni->ni_esslen;
1910	} else
1911		*frm++ = 0;
1912
1913	frm = ieee80211_add_rates(frm, rs);
1914
1915	if (ic->ic_curmode != IEEE80211_MODE_FH) {
1916		*frm++ = IEEE80211_ELEMID_DSPARMS;
1917		*frm++ = 1;
1918		*frm++ = ieee80211_chan2ieee(ic, ni->ni_chan);
1919	}
1920
1921	bo->bo_tim = frm;
1922	if (ic->ic_opmode == IEEE80211_M_IBSS) {
1923		*frm++ = IEEE80211_ELEMID_IBSSPARMS;
1924		*frm++ = 2;
1925		*frm++ = 0; *frm++ = 0;		/* TODO: ATIM window */
1926		bo->bo_tim_len = 0;
1927	} else {
1928		struct ieee80211_tim_ie *tie = (struct ieee80211_tim_ie *)frm;
1929
1930		tie->tim_ie = IEEE80211_ELEMID_TIM;
1931		tie->tim_len = 4;	/* length */
1932		tie->tim_count = 0;	/* DTIM count */
1933		tie->tim_period = ic->ic_dtim_period;	/* DTIM period */
1934		tie->tim_bitctl = 0;	/* bitmap control */
1935		tie->tim_bitmap[0] = 0;	/* Partial Virtual Bitmap */
1936		frm += sizeof(struct ieee80211_tim_ie);
1937		bo->bo_tim_len = 1;
1938	}
1939
1940	bo->bo_trailer = frm;
1941	if (ic->ic_flags & IEEE80211_F_WME) {
1942		bo->bo_wme = frm;
1943		frm = ieee80211_add_wme_param(frm, &ic->ic_wme);
1944		ic->ic_flags &= ~IEEE80211_F_WMEUPDATE;
1945	}
1946
1947	if (ic->ic_flags & IEEE80211_F_WPA)
1948		frm = ieee80211_add_wpa(frm, ic);
1949
1950	if (ic->ic_curmode == IEEE80211_MODE_11G)
1951		frm = ieee80211_add_erp(frm, ic);
1952
1953	efrm = ieee80211_add_xrates(frm, rs);
1954
1955	bo->bo_trailer_len = efrm - bo->bo_trailer;
1956	m->m_pkthdr.len = m->m_len = efrm - mtod(m, u_int8_t *);
1957
1958	M_PREPEND(m, sizeof(struct ieee80211_frame), M_DONTWAIT);
1959	IASSERT(m != NULL, ("no space for 802.11 header?"));
1960
1961	wh = mtod(m, struct ieee80211_frame *);
1962	wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_MGT |
1963	    IEEE80211_FC0_SUBTYPE_BEACON;
1964	wh->i_fc[1] = IEEE80211_FC1_DIR_NODS;
1965	*(u_int16_t *)wh->i_dur = 0;
1966	IEEE80211_ADDR_COPY(wh->i_addr1, ifp->if_broadcastaddr);
1967	IEEE80211_ADDR_COPY(wh->i_addr2, ic->ic_myaddr);
1968	IEEE80211_ADDR_COPY(wh->i_addr3, ni->ni_bssid);
1969	*(u_int16_t *)wh->i_seq = 0;
1970
1971	return m;
1972}
1973
1974/*
1975 * Update the dynamic parts of a beacon frame based on the current state.
1976 */
1977int
1978ieee80211_beacon_update(struct ieee80211com *ic, struct ieee80211_node *ni,
1979    struct ieee80211_beacon_offsets *bo, struct mbuf *m, int mcast)
1980{
1981	int len_changed = 0;
1982	u_int16_t capinfo;
1983
1984	IEEE80211_BEACON_LOCK(ic);
1985
1986	/* XXX faster to recalculate entirely or just changes? */
1987	if (ic->ic_opmode == IEEE80211_M_IBSS)
1988		capinfo = IEEE80211_CAPINFO_IBSS;
1989	else
1990		capinfo = IEEE80211_CAPINFO_ESS;
1991	if (ic->ic_flags & IEEE80211_F_PRIVACY)
1992		capinfo |= IEEE80211_CAPINFO_PRIVACY;
1993	if ((ic->ic_flags & IEEE80211_F_SHPREAMBLE) &&
1994	    IEEE80211_IS_CHAN_2GHZ(ni->ni_chan))
1995		capinfo |= IEEE80211_CAPINFO_SHORT_PREAMBLE;
1996	if (ic->ic_flags & IEEE80211_F_SHSLOT)
1997		capinfo |= IEEE80211_CAPINFO_SHORT_SLOTTIME;
1998	*bo->bo_caps = htole16(capinfo);
1999
2000	if (ic->ic_flags & IEEE80211_F_WME) {
2001		struct ieee80211_wme_state *wme = &ic->ic_wme;
2002
2003		/*
2004		 * Check for aggressive mode change.  When there is
2005		 * significant high priority traffic in the BSS
2006		 * throttle back BE traffic by using conservative
2007		 * parameters.  Otherwise BE uses aggressive params
2008		 * to optimize performance of legacy/non-QoS traffic.
2009		 */
2010		if (wme->wme_flags & WME_F_AGGRMODE) {
2011			if (wme->wme_hipri_traffic >
2012			    wme->wme_hipri_switch_thresh) {
2013				IEEE80211_DPRINTF(ic, IEEE80211_MSG_WME,
2014				    "%s: traffic %u, disable aggressive mode\n",
2015				    __func__, wme->wme_hipri_traffic);
2016				wme->wme_flags &= ~WME_F_AGGRMODE;
2017				ieee80211_wme_updateparams_locked(ic);
2018				wme->wme_hipri_traffic =
2019					wme->wme_hipri_switch_hysteresis;
2020			} else
2021				wme->wme_hipri_traffic = 0;
2022		} else {
2023			if (wme->wme_hipri_traffic <=
2024			    wme->wme_hipri_switch_thresh) {
2025				IEEE80211_DPRINTF(ic, IEEE80211_MSG_WME,
2026				    "%s: traffic %u, enable aggressive mode\n",
2027				    __func__, wme->wme_hipri_traffic);
2028				wme->wme_flags |= WME_F_AGGRMODE;
2029				ieee80211_wme_updateparams_locked(ic);
2030				wme->wme_hipri_traffic = 0;
2031			} else
2032				wme->wme_hipri_traffic =
2033					wme->wme_hipri_switch_hysteresis;
2034		}
2035		if (ic->ic_flags & IEEE80211_F_WMEUPDATE) {
2036			(void)ieee80211_add_wme_param(bo->bo_wme, wme);
2037			ic->ic_flags &= ~IEEE80211_F_WMEUPDATE;
2038		}
2039	}
2040
2041#ifndef IEEE80211_NO_HOSTAP
2042	if (ic->ic_opmode == IEEE80211_M_HOSTAP) {	/* NB: no IBSS support*/
2043		struct ieee80211_tim_ie *tie =
2044			(struct ieee80211_tim_ie *)bo->bo_tim;
2045		if (ic->ic_flags & IEEE80211_F_TIMUPDATE) {
2046			u_int timlen, timoff, i;
2047			/*
2048			 * ATIM/DTIM needs updating.  If it fits in the
2049			 * current space allocated then just copy in the
2050			 * new bits.  Otherwise we need to move any trailing
2051			 * data to make room.  Note that we know there is
2052			 * contiguous space because ieee80211_beacon_allocate
2053			 * insures there is space in the mbuf to write a
2054			 * maximal-size virtual bitmap (based on ic_max_aid).
2055			 */
2056			/*
2057			 * Calculate the bitmap size and offset, copy any
2058			 * trailer out of the way, and then copy in the
2059			 * new bitmap and update the information element.
2060			 * Note that the tim bitmap must contain at least
2061			 * one byte and any offset must be even.
2062			 */
2063			if (ic->ic_ps_pending != 0) {
2064				timoff = 128;		/* impossibly large */
2065				for (i = 0; i < ic->ic_tim_len; i++)
2066					if (ic->ic_tim_bitmap[i]) {
2067						timoff = i &~ 1;
2068						break;
2069					}
2070				IASSERT(timoff != 128, ("tim bitmap empty!"));
2071				for (i = ic->ic_tim_len-1; i >= timoff; i--)
2072					if (ic->ic_tim_bitmap[i])
2073						break;
2074				timlen = 1 + (i - timoff);
2075			} else {
2076				timoff = 0;
2077				timlen = 1;
2078			}
2079			if (timlen != bo->bo_tim_len) {
2080				/* copy up/down trailer */
2081				memmove(tie->tim_bitmap+timlen, bo->bo_trailer,
2082					bo->bo_trailer_len);
2083				bo->bo_trailer = tie->tim_bitmap+timlen;
2084				bo->bo_wme = bo->bo_trailer;
2085				bo->bo_tim_len = timlen;
2086
2087				/* update information element */
2088				tie->tim_len = 3 + timlen;
2089				tie->tim_bitctl = timoff;
2090				len_changed = 1;
2091			}
2092			memcpy(tie->tim_bitmap, ic->ic_tim_bitmap + timoff,
2093				bo->bo_tim_len);
2094
2095			ic->ic_flags &= ~IEEE80211_F_TIMUPDATE;
2096
2097			IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER,
2098				"%s: TIM updated, pending %u, off %u, len %u\n",
2099				__func__, ic->ic_ps_pending, timoff, timlen);
2100		}
2101		/* count down DTIM period */
2102		if (tie->tim_count == 0)
2103			tie->tim_count = tie->tim_period - 1;
2104		else
2105			tie->tim_count--;
2106		/* update state for buffered multicast frames on DTIM */
2107		if (mcast && (tie->tim_count == 1 || tie->tim_period == 1))
2108			tie->tim_bitctl |= 1;
2109		else
2110			tie->tim_bitctl &= ~1;
2111	}
2112#endif /* !IEEE80211_NO_HOSTAP */
2113
2114	IEEE80211_BEACON_UNLOCK(ic);
2115
2116	return len_changed;
2117}
2118
2119/*
2120 * Save an outbound packet for a node in power-save sleep state.
2121 * The new packet is placed on the node's saved queue, and the TIM
2122 * is changed, if necessary.
2123 */
2124void
2125ieee80211_pwrsave(struct ieee80211com *ic, struct ieee80211_node *ni,
2126    struct mbuf *m)
2127{
2128	int qlen, age;
2129
2130	IEEE80211_NODE_SAVEQ_LOCK(ni);
2131	if (IF_QFULL(&ni->ni_savedq)) {
2132		IF_DROP(&ni->ni_savedq);
2133		IEEE80211_NODE_SAVEQ_UNLOCK(ni);
2134
2135		IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY,
2136		    "[%s] pwr save q overflow, drops %" PRIu64
2137		    " (size %d)\n",
2138		    ether_sprintf(ni->ni_macaddr),
2139		    ni->ni_savedq.ifq_drops, IEEE80211_PS_MAX_QUEUE);
2140#ifdef IEEE80211_DEBUG
2141		if (ieee80211_msg_dumppkts(ic))
2142			ieee80211_dump_pkt(mtod(m, void *), m->m_len, -1, -1);
2143#endif
2144
2145		m_freem(m);
2146		return;
2147	}
2148
2149	/*
2150	 * Tag the frame with its expiry time and insert
2151	 * it in the queue.  The aging interval is 4 times
2152	 * the listen interval specified by the station.
2153	 * Frames that sit around too long are reclaimed
2154	 * using this information.
2155	 */
2156	/* XXX handle overflow? */
2157	age = ((ni->ni_intval * ic->ic_bintval) << 2) / 1024; /* TU -> secs */
2158	_IEEE80211_NODE_SAVEQ_ENQUEUE(ni, m, qlen, age);
2159	IEEE80211_NODE_SAVEQ_UNLOCK(ni);
2160
2161	IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER,
2162		"[%s] save frame with age %d, %u now queued\n",
2163		ether_sprintf(ni->ni_macaddr), age, qlen);
2164
2165	if (qlen == 1)
2166		ic->ic_set_tim(ni, 1);
2167}
2168