1 /* $OpenBSD: ieee80211_output.c,v 1.139 2024/05/08 14:02:59 stsp Exp $ */
2 /* $NetBSD: ieee80211_output.c,v 1.13 2004/05/31 11:02:55 dyoung Exp $ */
3
4 /*-
5 * Copyright (c) 2001 Atsushi Onoe
6 * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting
7 * Copyright (c) 2007-2009 Damien Bergamini
8 * All rights reserved.
9 *
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
12 * are met:
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 * 3. The name of the author may not be used to endorse or promote products
19 * derived from this software without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
22 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
23 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
24 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
26 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
27 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
28 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
30 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31 */
32
33 #include "bpfilter.h"
34 #include "vlan.h"
35
36 #include <sys/param.h>
37 #include <sys/systm.h>
38 #include <sys/mbuf.h>
39 #include <sys/kernel.h>
40 #include <sys/socket.h>
41 #include <sys/sockio.h>
42 #include <sys/endian.h>
43 #include <sys/errno.h>
44 #include <sys/sysctl.h>
45
46 #include <net/if.h>
47 #include <net/if_dl.h>
48 #include <net/if_media.h>
49 #include <net/if_llc.h>
50 #include <net/bpf.h>
51
52 #include <netinet/in.h>
53 #include <netinet/if_ether.h>
54 #include <netinet/ip.h>
55 #ifdef INET6
56 #include <netinet/ip6.h>
57 #endif
58
59 #if NVLAN > 0
60 #include <net/if_vlan_var.h>
61 #endif
62
63 #include <net80211/ieee80211_var.h>
64 #include <net80211/ieee80211_priv.h>
65
66 int ieee80211_mgmt_output(struct ifnet *, struct ieee80211_node *,
67 struct mbuf *, int);
68 int ieee80211_can_use_ampdu(struct ieee80211com *,
69 struct ieee80211_node *);
70 u_int8_t *ieee80211_add_rsn_body(u_int8_t *, struct ieee80211com *,
71 const struct ieee80211_node *, int);
72 struct mbuf *ieee80211_getmgmt(int, int, u_int);
73 struct mbuf *ieee80211_get_probe_req(struct ieee80211com *,
74 struct ieee80211_node *);
75 #ifndef IEEE80211_STA_ONLY
76 struct mbuf *ieee80211_get_probe_resp(struct ieee80211com *);
77 #endif
78 struct mbuf *ieee80211_get_auth(struct ieee80211com *,
79 struct ieee80211_node *, u_int16_t, u_int16_t);
80 struct mbuf *ieee80211_get_deauth(struct ieee80211com *,
81 struct ieee80211_node *, u_int16_t);
82 struct mbuf *ieee80211_get_assoc_req(struct ieee80211com *,
83 struct ieee80211_node *, int);
84 #ifndef IEEE80211_STA_ONLY
85 struct mbuf *ieee80211_get_assoc_resp(struct ieee80211com *,
86 struct ieee80211_node *, u_int16_t);
87 #endif
88 struct mbuf *ieee80211_get_disassoc(struct ieee80211com *,
89 struct ieee80211_node *, u_int16_t);
90 struct mbuf *ieee80211_get_addba_req(struct ieee80211com *,
91 struct ieee80211_node *, u_int8_t);
92 struct mbuf *ieee80211_get_addba_resp(struct ieee80211com *,
93 struct ieee80211_node *, u_int8_t, u_int8_t, u_int16_t);
94 struct mbuf *ieee80211_get_delba(struct ieee80211com *,
95 struct ieee80211_node *, u_int8_t, u_int8_t, u_int16_t);
96 uint8_t *ieee80211_add_wme_info(uint8_t *, struct ieee80211com *);
97 #ifndef IEEE80211_STA_ONLY
98 uint8_t *ieee80211_add_wme_param(uint8_t *, struct ieee80211com *);
99 #endif
100 struct mbuf *ieee80211_get_sa_query(struct ieee80211com *,
101 struct ieee80211_node *, u_int8_t);
102 struct mbuf *ieee80211_get_action(struct ieee80211com *,
103 struct ieee80211_node *, u_int8_t, u_int8_t, int);
104
105 /*
106 * IEEE 802.11 output routine. Normally this will directly call the
107 * Ethernet output routine because 802.11 encapsulation is called
108 * later by the driver. This function can be used to send raw frames
109 * if the mbuf has been tagged with a 802.11 data link type.
110 */
111 int
ieee80211_output(struct ifnet * ifp,struct mbuf * m,struct sockaddr * dst,struct rtentry * rt)112 ieee80211_output(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst,
113 struct rtentry *rt)
114 {
115 struct ieee80211_frame *wh;
116 struct m_tag *mtag;
117 int error = 0;
118
119 /* Interface has to be up and running */
120 if ((ifp->if_flags & (IFF_UP | IFF_RUNNING)) !=
121 (IFF_UP | IFF_RUNNING)) {
122 error = ENETDOWN;
123 goto bad;
124 }
125
126 #ifdef PACKET_TAG_DLT
127 /* Try to get the DLT from a mbuf tag */
128 if ((mtag = m_tag_find(m, PACKET_TAG_DLT, NULL)) != NULL) {
129 struct ieee80211com *ic = (void *)ifp;
130 u_int dlt = *(u_int *)(mtag + 1);
131
132 /* Fallback to ethernet for non-802.11 linktypes */
133 if (!(dlt == DLT_IEEE802_11 || dlt == DLT_IEEE802_11_RADIO))
134 goto fallback;
135
136 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min))
137 return (EINVAL);
138 wh = mtod(m, struct ieee80211_frame *);
139 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) !=
140 IEEE80211_FC0_VERSION_0)
141 return (EINVAL);
142 if (!(ic->ic_caps & IEEE80211_C_RAWCTL) &&
143 (wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK) ==
144 IEEE80211_FC0_TYPE_CTL)
145 return (EINVAL);
146
147 return (if_enqueue(ifp, m));
148 }
149 #endif
150
151 fallback:
152 return (ether_output(ifp, m, dst, rt));
153
154 bad:
155 m_freem(m);
156 return (error);
157 }
158
159 const char *
ieee80211_action_name(struct ieee80211_frame * wh)160 ieee80211_action_name(struct ieee80211_frame *wh)
161 {
162 const u_int8_t *frm = (const uint8_t *)&wh[1];
163 const char *categ_ba_name[3] = { "addba_req", "addba_resp", "delba" };
164
165 if (frm[0] == IEEE80211_CATEG_BA && frm[1] < nitems(categ_ba_name))
166 return categ_ba_name[frm[1]];
167
168 return "action";
169 }
170
171 /*
172 * Send a management frame to the specified node. The node pointer
173 * must have a reference as the pointer will be passed to the driver
174 * and potentially held for a long time. If the frame is successfully
175 * dispatched to the driver, then it is responsible for freeing the
176 * reference (and potentially free'ing up any associated storage).
177 */
178 int
ieee80211_mgmt_output(struct ifnet * ifp,struct ieee80211_node * ni,struct mbuf * m,int type)179 ieee80211_mgmt_output(struct ifnet *ifp, struct ieee80211_node *ni,
180 struct mbuf *m, int type)
181 {
182 struct ieee80211com *ic = (void *)ifp;
183 struct ieee80211_frame *wh;
184
185 if (ni == NULL)
186 panic("null node");
187 ni->ni_inact = 0;
188
189 /*
190 * We want to pass the node down to the driver's start
191 * routine. We could stick this in an m_tag and tack that
192 * on to the mbuf. However that's rather expensive to do
193 * for every frame so instead we stuff it in a special pkthdr
194 * field.
195 */
196 M_PREPEND(m, sizeof(struct ieee80211_frame), M_DONTWAIT);
197 if (m == NULL)
198 return ENOMEM;
199 m->m_pkthdr.ph_cookie = ni;
200
201 wh = mtod(m, struct ieee80211_frame *);
202 wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_MGT | type;
203 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS;
204 *(u_int16_t *)&wh->i_dur[0] = 0;
205 *(u_int16_t *)&wh->i_seq[0] =
206 htole16(ni->ni_txseq << IEEE80211_SEQ_SEQ_SHIFT);
207 ni->ni_txseq = (ni->ni_txseq + 1) & 0xfff;
208 IEEE80211_ADDR_COPY(wh->i_addr1, ni->ni_macaddr);
209 IEEE80211_ADDR_COPY(wh->i_addr2, ic->ic_myaddr);
210 IEEE80211_ADDR_COPY(wh->i_addr3, ni->ni_bssid);
211
212 /* check if protection is required for this mgmt frame */
213 if ((ic->ic_caps & IEEE80211_C_MFP) &&
214 (type == IEEE80211_FC0_SUBTYPE_DISASSOC ||
215 type == IEEE80211_FC0_SUBTYPE_DEAUTH ||
216 type == IEEE80211_FC0_SUBTYPE_ACTION)) {
217 /*
218 * Hack: we should not set the Protected bit in outgoing
219 * group management frames, however it is used as an
220 * indication to the drivers that they must encrypt the
221 * frame. Drivers should clear this bit from group
222 * management frames (software crypto code will do it).
223 * XXX could use an mbuf flag..
224 */
225 if (IEEE80211_IS_MULTICAST(wh->i_addr1) ||
226 (ni->ni_flags & IEEE80211_NODE_TXMGMTPROT))
227 wh->i_fc[1] |= IEEE80211_FC1_PROTECTED;
228 }
229
230 if (ifp->if_flags & IFF_DEBUG) {
231 /* avoid to print too many frames */
232 if (
233 #ifndef IEEE80211_STA_ONLY
234 ic->ic_opmode == IEEE80211_M_IBSS ||
235 #endif
236 #ifdef IEEE80211_DEBUG
237 ieee80211_debug > 1 ||
238 #endif
239 (type & IEEE80211_FC0_SUBTYPE_MASK) !=
240 IEEE80211_FC0_SUBTYPE_PROBE_RESP) {
241 const char *subtype_name;
242 if ((type & IEEE80211_FC0_SUBTYPE_MASK) ==
243 IEEE80211_FC0_SUBTYPE_ACTION)
244 subtype_name = ieee80211_action_name(wh);
245 else
246 subtype_name = ieee80211_mgt_subtype_name[
247 (type & IEEE80211_FC0_SUBTYPE_MASK) >>
248 IEEE80211_FC0_SUBTYPE_SHIFT];
249 printf("%s: sending %s to %s on channel %u mode %s\n",
250 ifp->if_xname, subtype_name,
251 ether_sprintf(ni->ni_macaddr),
252 ieee80211_chan2ieee(ic, ni->ni_chan),
253 ieee80211_phymode_name[ic->ic_curmode]);
254 }
255 }
256
257 #ifndef IEEE80211_STA_ONLY
258 if (ic->ic_opmode == IEEE80211_M_HOSTAP &&
259 ieee80211_pwrsave(ic, m, ni) != 0)
260 return 0;
261 #endif
262 mq_enqueue(&ic->ic_mgtq, m);
263 ifp->if_timer = 1;
264 if_start(ifp);
265 return 0;
266 }
267
268 /*-
269 * EDCA tables are computed using the following formulas:
270 *
271 * 1) EDCATable (non-AP QSTA)
272 *
273 * AC CWmin CWmax AIFSN TXOP limit(ms)
274 * -------------------------------------------------------------
275 * AC_BK aCWmin aCWmax 7 0
276 * AC_BE aCWmin aCWmax 3 0
277 * AC_VI (aCWmin+1)/2-1 aCWmin 2 agn=3.008 b=6.016 others=0
278 * AC_VO (aCWmin+1)/4-1 (aCWmin+1)/2-1 2 agn=1.504 b=3.264 others=0
279 *
280 * 2) QAPEDCATable (QAP)
281 *
282 * AC CWmin CWmax AIFSN TXOP limit(ms)
283 * -------------------------------------------------------------
284 * AC_BK aCWmin aCWmax 7 0
285 * AC_BE aCWmin 4*(aCWmin+1)-1 3 0
286 * AC_VI (aCWmin+1)/2-1 aCWmin 1 agn=3.008 b=6.016 others=0
287 * AC_VO (aCWmin+1)/4-1 (aCWmin+1)/2-1 1 agn=1.504 b=3.264 others=0
288 *
289 * and the following aCWmin/aCWmax values:
290 *
291 * PHY aCWmin aCWmax
292 * ---------------------------
293 * 11A 15 1023
294 * 11B 31 1023
295 * 11G 15* 1023 (*) aCWmin(1)
296 * 11N 15 1023
297 */
298 const struct ieee80211_edca_ac_params
299 ieee80211_edca_table[IEEE80211_MODE_MAX][EDCA_NUM_AC] = {
300 [IEEE80211_MODE_11B] = {
301 [EDCA_AC_BK] = { 5, 10, 7, 0 },
302 [EDCA_AC_BE] = { 5, 10, 3, 0 },
303 [EDCA_AC_VI] = { 4, 5, 2, 188 },
304 [EDCA_AC_VO] = { 3, 4, 2, 102 }
305 },
306 [IEEE80211_MODE_11A] = {
307 [EDCA_AC_BK] = { 4, 10, 7, 0 },
308 [EDCA_AC_BE] = { 4, 10, 3, 0 },
309 [EDCA_AC_VI] = { 3, 4, 2, 94 },
310 [EDCA_AC_VO] = { 2, 3, 2, 47 }
311 },
312 [IEEE80211_MODE_11G] = {
313 [EDCA_AC_BK] = { 4, 10, 7, 0 },
314 [EDCA_AC_BE] = { 4, 10, 3, 0 },
315 [EDCA_AC_VI] = { 3, 4, 2, 94 },
316 [EDCA_AC_VO] = { 2, 3, 2, 47 }
317 },
318 [IEEE80211_MODE_11N] = {
319 [EDCA_AC_BK] = { 4, 10, 7, 0 },
320 [EDCA_AC_BE] = { 4, 10, 3, 0 },
321 [EDCA_AC_VI] = { 3, 4, 2, 94 },
322 [EDCA_AC_VO] = { 2, 3, 2, 47 }
323 },
324 [IEEE80211_MODE_11AC] = {
325 [EDCA_AC_BK] = { 4, 10, 7, 0 },
326 [EDCA_AC_BE] = { 4, 10, 3, 0 },
327 [EDCA_AC_VI] = { 3, 4, 2, 94 },
328 [EDCA_AC_VO] = { 2, 3, 2, 47 }
329 },
330 };
331
332 #ifndef IEEE80211_STA_ONLY
333 const struct ieee80211_edca_ac_params
334 ieee80211_qap_edca_table[IEEE80211_MODE_MAX][EDCA_NUM_AC] = {
335 [IEEE80211_MODE_11B] = {
336 [EDCA_AC_BK] = { 5, 10, 7, 0 },
337 [EDCA_AC_BE] = { 5, 7, 3, 0 },
338 [EDCA_AC_VI] = { 4, 5, 1, 188 },
339 [EDCA_AC_VO] = { 3, 4, 1, 102 }
340 },
341 [IEEE80211_MODE_11A] = {
342 [EDCA_AC_BK] = { 4, 10, 7, 0 },
343 [EDCA_AC_BE] = { 4, 6, 3, 0 },
344 [EDCA_AC_VI] = { 3, 4, 1, 94 },
345 [EDCA_AC_VO] = { 2, 3, 1, 47 }
346 },
347 [IEEE80211_MODE_11G] = {
348 [EDCA_AC_BK] = { 4, 10, 7, 0 },
349 [EDCA_AC_BE] = { 4, 6, 3, 0 },
350 [EDCA_AC_VI] = { 3, 4, 1, 94 },
351 [EDCA_AC_VO] = { 2, 3, 1, 47 }
352 },
353 [IEEE80211_MODE_11N] = {
354 [EDCA_AC_BK] = { 4, 10, 7, 0 },
355 [EDCA_AC_BE] = { 4, 6, 3, 0 },
356 [EDCA_AC_VI] = { 3, 4, 1, 94 },
357 [EDCA_AC_VO] = { 2, 3, 1, 47 }
358 },
359 [IEEE80211_MODE_11AC] = {
360 [EDCA_AC_BK] = { 4, 10, 7, 0 },
361 [EDCA_AC_BE] = { 4, 6, 3, 0 },
362 [EDCA_AC_VI] = { 3, 4, 1, 94 },
363 [EDCA_AC_VO] = { 2, 3, 1, 47 }
364 },
365 };
366 #endif /* IEEE80211_STA_ONLY */
367
368 /*
369 * Return the EDCA Access Category to be used for transmitting a frame with
370 * user-priority `up'.
371 */
372 enum ieee80211_edca_ac
ieee80211_up_to_ac(struct ieee80211com * ic,int up)373 ieee80211_up_to_ac(struct ieee80211com *ic, int up)
374 {
375 /* see Table 9-1 */
376 static const enum ieee80211_edca_ac up_to_ac[] = {
377 EDCA_AC_BE, /* BE */
378 EDCA_AC_BK, /* BK */
379 EDCA_AC_BK, /* -- */
380 EDCA_AC_BE, /* EE */
381 EDCA_AC_VI, /* CL */
382 EDCA_AC_VI, /* VI */
383 EDCA_AC_VO, /* VO */
384 EDCA_AC_VO /* NC */
385 };
386 enum ieee80211_edca_ac ac;
387
388 ac = (up <= 7) ? up_to_ac[up] : EDCA_AC_BE;
389
390 #ifndef IEEE80211_STA_ONLY
391 if (ic->ic_opmode == IEEE80211_M_HOSTAP)
392 return ac;
393 #endif
394 /*
395 * We do not support the admission control procedure defined in
396 * IEEE Std 802.11-2012 section 9.19.4.2.3. The spec says that
397 * non-AP QSTAs that don't support this procedure shall use EDCA
398 * parameters of a lower priority AC that does not require
399 * admission control.
400 */
401 while (ac != EDCA_AC_BK && ic->ic_edca_ac[ac].ac_acm) {
402 switch (ac) {
403 case EDCA_AC_BK:
404 /* can't get there */
405 break;
406 case EDCA_AC_BE:
407 /* BE shouldn't require admission control */
408 ac = EDCA_AC_BK;
409 break;
410 case EDCA_AC_VI:
411 ac = EDCA_AC_BE;
412 break;
413 case EDCA_AC_VO:
414 ac = EDCA_AC_VI;
415 break;
416 }
417 }
418 return ac;
419 }
420
421 /*
422 * Get mbuf's user-priority: if mbuf is not VLAN tagged, select user-priority
423 * based on the DSCP (Differentiated Services Codepoint) field.
424 */
425 int
ieee80211_classify(struct ieee80211com * ic,struct mbuf * m)426 ieee80211_classify(struct ieee80211com *ic, struct mbuf *m)
427 {
428 struct ether_header eh;
429 u_int8_t ds_field;
430 #if NVLAN > 0
431 if (m->m_flags & M_VLANTAG) /* use VLAN 802.1D user-priority */
432 return EVL_PRIOFTAG(m->m_pkthdr.ether_vtag);
433 #endif
434 m_copydata(m, 0, sizeof(eh), (caddr_t)&eh);
435 if (eh.ether_type == htons(ETHERTYPE_IP)) {
436 struct ip ip;
437 m_copydata(m, sizeof(eh), sizeof(ip), (caddr_t)&ip);
438 if (ip.ip_v != 4)
439 return 0;
440 ds_field = ip.ip_tos;
441 }
442 #ifdef INET6
443 else if (eh.ether_type == htons(ETHERTYPE_IPV6)) {
444 struct ip6_hdr ip6;
445 u_int32_t flowlabel;
446 m_copydata(m, sizeof(eh), sizeof(ip6), (caddr_t)&ip6);
447 flowlabel = ntohl(ip6.ip6_flow);
448 if ((flowlabel >> 28) != 6)
449 return 0;
450 ds_field = (flowlabel >> 20) & 0xff;
451 }
452 #endif /* INET6 */
453 else /* neither IPv4 nor IPv6 */
454 return 0;
455
456 /*
457 * Map Differentiated Services Codepoint field (see RFC2474).
458 * Preserves backward compatibility with IP Precedence field.
459 */
460 switch (ds_field & 0xfc) {
461 #ifdef IPTOS_PREC_PRIORITY
462 case IPTOS_PREC_PRIORITY:
463 return EDCA_AC_VI;
464 case IPTOS_PREC_IMMEDIATE:
465 return EDCA_AC_BK;
466 case IPTOS_PREC_FLASH:
467 case IPTOS_PREC_FLASHOVERRIDE:
468 case IPTOS_PREC_CRITIC_ECP:
469 case IPTOS_PREC_INTERNETCONTROL:
470 case IPTOS_PREC_NETCONTROL:
471 return EDCA_AC_VO;
472 #endif
473 default:
474 return EDCA_AC_BE;
475 }
476 }
477
478 int
ieee80211_can_use_ampdu(struct ieee80211com * ic,struct ieee80211_node * ni)479 ieee80211_can_use_ampdu(struct ieee80211com *ic, struct ieee80211_node *ni)
480 {
481 return (ni->ni_flags & IEEE80211_NODE_HT) &&
482 (ic->ic_caps & IEEE80211_C_TX_AMPDU) &&
483 !(ic->ic_opmode == IEEE80211_M_STA && ni != ic->ic_bss) &&
484 /*
485 * Don't use A-MPDU on non-encrypted networks. There are devices
486 * with buggy firmware which allow an attacker to inject 802.11
487 * frames into a wifi network by embedding rogue A-MPDU subframes
488 * in an arbitrary data payload (e.g. PNG images) which may end
489 * up appearing as actual frames after de-aggregation by a buggy
490 * device; see https://github.com/rpp0/aggr-inject for details.
491 * WPA2 prevents this injection attack since the attacker would
492 * need to inject frames which get decrypted correctly.
493 */
494 ((ic->ic_flags & IEEE80211_F_RSNON) &&
495 (ni->ni_rsnprotos & IEEE80211_PROTO_RSN));
496 }
497
498 void
ieee80211_tx_compressed_bar(struct ieee80211com * ic,struct ieee80211_node * ni,int tid,uint16_t ssn)499 ieee80211_tx_compressed_bar(struct ieee80211com *ic, struct ieee80211_node *ni,
500 int tid, uint16_t ssn)
501 {
502 struct ifnet *ifp = &ic->ic_if;
503 struct mbuf *m;
504
505 m = ieee80211_get_compressed_bar(ic, ni, tid, ssn);
506 if (m == NULL)
507 return;
508
509 ieee80211_ref_node(ni);
510 if (mq_enqueue(&ic->ic_mgtq, m) == 0)
511 if_start(ifp);
512 else
513 ieee80211_release_node(ic, ni);
514 }
515
516 /*
517 * Encapsulate an outbound data frame. The mbuf chain is updated and
518 * a reference to the destination node is returned. If an error is
519 * encountered NULL is returned and the node reference will also be NULL.
520 *
521 * NB: The caller is responsible for free'ing a returned node reference.
522 * The convention is ic_bss is not reference counted; the caller must
523 * maintain that.
524 */
525 struct mbuf *
ieee80211_encap(struct ifnet * ifp,struct mbuf * m,struct ieee80211_node ** pni)526 ieee80211_encap(struct ifnet *ifp, struct mbuf *m, struct ieee80211_node **pni)
527 {
528 struct ieee80211com *ic = (void *)ifp;
529 struct ether_header eh;
530 struct ieee80211_frame *wh;
531 struct ieee80211_node *ni = NULL;
532 struct llc *llc;
533 struct m_tag *mtag;
534 u_int8_t *addr;
535 u_int dlt, hdrlen;
536 int addqos, tid;
537
538 #ifdef PACKET_TAG_DLT
539 /* Handle raw frames if mbuf is tagged as 802.11 */
540 if ((mtag = m_tag_find(m, PACKET_TAG_DLT, NULL)) != NULL) {
541 dlt = *(u_int *)(mtag + 1);
542
543 if (!(dlt == DLT_IEEE802_11 || dlt == DLT_IEEE802_11_RADIO))
544 goto fallback;
545
546 wh = mtod(m, struct ieee80211_frame *);
547 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) {
548 case IEEE80211_FC1_DIR_NODS:
549 case IEEE80211_FC1_DIR_FROMDS:
550 addr = wh->i_addr1;
551 break;
552 case IEEE80211_FC1_DIR_DSTODS:
553 case IEEE80211_FC1_DIR_TODS:
554 addr = wh->i_addr3;
555 break;
556 default:
557 goto bad;
558 }
559
560 ni = ieee80211_find_txnode(ic, addr);
561 if (ni == NULL)
562 ni = ieee80211_ref_node(ic->ic_bss);
563 if (ni == NULL) {
564 printf("%s: no node for dst %s, "
565 "discard raw tx frame\n", ifp->if_xname,
566 ether_sprintf(addr));
567 ic->ic_stats.is_tx_nonode++;
568 goto bad;
569 }
570 ni->ni_inact = 0;
571
572 *pni = ni;
573 return (m);
574 }
575 #endif
576
577 fallback:
578 if (ic->ic_opmode == IEEE80211_M_MONITOR)
579 goto bad;
580
581 if (m->m_len < sizeof(struct ether_header)) {
582 m = m_pullup(m, sizeof(struct ether_header));
583 if (m == NULL) {
584 ic->ic_stats.is_tx_nombuf++;
585 goto bad;
586 }
587 }
588 memcpy(&eh, mtod(m, caddr_t), sizeof(struct ether_header));
589
590 ni = ieee80211_find_txnode(ic, eh.ether_dhost);
591 if (ni == NULL) {
592 DPRINTF(("no node for dst %s, discard frame\n",
593 ether_sprintf(eh.ether_dhost)));
594 ic->ic_stats.is_tx_nonode++;
595 goto bad;
596 }
597
598 #ifndef IEEE80211_STA_ONLY
599 if (ic->ic_opmode == IEEE80211_M_HOSTAP && ni != ic->ic_bss &&
600 ni->ni_state != IEEE80211_STA_ASSOC) {
601 ic->ic_stats.is_tx_nonode++;
602 goto bad;
603 }
604 #endif
605
606 if ((ic->ic_flags & IEEE80211_F_RSNON) &&
607 !ni->ni_port_valid &&
608 eh.ether_type != htons(ETHERTYPE_EAPOL)) {
609 DPRINTF(("port not valid: %s\n",
610 ether_sprintf(eh.ether_dhost)));
611 ic->ic_stats.is_tx_noauth++;
612 goto bad;
613 }
614
615 if ((ic->ic_flags & IEEE80211_F_COUNTERM) &&
616 ni->ni_rsncipher == IEEE80211_CIPHER_TKIP)
617 /* XXX TKIP countermeasures! */;
618
619 ni->ni_inact = 0;
620
621 if ((ic->ic_flags & IEEE80211_F_QOS) &&
622 (ni->ni_flags & IEEE80211_NODE_QOS) &&
623 /* do not QoS-encapsulate EAPOL frames */
624 eh.ether_type != htons(ETHERTYPE_EAPOL)) {
625 struct ieee80211_tx_ba *ba;
626 tid = ieee80211_classify(ic, m);
627 ba = &ni->ni_tx_ba[tid];
628 /* We use QoS data frames for aggregation only. */
629 if (ba->ba_state != IEEE80211_BA_AGREED) {
630 hdrlen = sizeof(struct ieee80211_frame);
631 addqos = 0;
632 if (ieee80211_can_use_ampdu(ic, ni))
633 ieee80211_node_trigger_addba_req(ni, tid);
634 } else {
635 hdrlen = sizeof(struct ieee80211_qosframe);
636 addqos = 1;
637 }
638 } else {
639 hdrlen = sizeof(struct ieee80211_frame);
640 addqos = 0;
641 }
642 m_adj(m, sizeof(struct ether_header) - LLC_SNAPFRAMELEN);
643 llc = mtod(m, struct llc *);
644 llc->llc_dsap = llc->llc_ssap = LLC_SNAP_LSAP;
645 llc->llc_control = LLC_UI;
646 llc->llc_snap.org_code[0] = 0;
647 llc->llc_snap.org_code[1] = 0;
648 llc->llc_snap.org_code[2] = 0;
649 llc->llc_snap.ether_type = eh.ether_type;
650 M_PREPEND(m, hdrlen, M_DONTWAIT);
651 if (m == NULL) {
652 ic->ic_stats.is_tx_nombuf++;
653 goto bad;
654 }
655 wh = mtod(m, struct ieee80211_frame *);
656 wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_DATA;
657 *(u_int16_t *)&wh->i_dur[0] = 0;
658 if (addqos) {
659 struct ieee80211_qosframe *qwh =
660 (struct ieee80211_qosframe *)wh;
661 u_int16_t qos = tid;
662
663 if (ic->ic_tid_noack & (1 << tid))
664 qos |= IEEE80211_QOS_ACK_POLICY_NOACK;
665 else {
666 /* Use HT immediate block-ack. */
667 qos |= IEEE80211_QOS_ACK_POLICY_NORMAL;
668 }
669 qwh->i_fc[0] |= IEEE80211_FC0_SUBTYPE_QOS;
670 *(u_int16_t *)qwh->i_qos = htole16(qos);
671 *(u_int16_t *)qwh->i_seq =
672 htole16(ni->ni_qos_txseqs[tid] << IEEE80211_SEQ_SEQ_SHIFT);
673 ni->ni_qos_txseqs[tid] = (ni->ni_qos_txseqs[tid] + 1) & 0xfff;
674 } else {
675 *(u_int16_t *)&wh->i_seq[0] =
676 htole16(ni->ni_txseq << IEEE80211_SEQ_SEQ_SHIFT);
677 ni->ni_txseq = (ni->ni_txseq + 1) & 0xfff;
678 }
679 switch (ic->ic_opmode) {
680 case IEEE80211_M_STA:
681 wh->i_fc[1] = IEEE80211_FC1_DIR_TODS;
682 IEEE80211_ADDR_COPY(wh->i_addr1, ni->ni_bssid);
683 IEEE80211_ADDR_COPY(wh->i_addr2, eh.ether_shost);
684 IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_dhost);
685 break;
686 #ifndef IEEE80211_STA_ONLY
687 case IEEE80211_M_IBSS:
688 case IEEE80211_M_AHDEMO:
689 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS;
690 IEEE80211_ADDR_COPY(wh->i_addr1, eh.ether_dhost);
691 IEEE80211_ADDR_COPY(wh->i_addr2, eh.ether_shost);
692 IEEE80211_ADDR_COPY(wh->i_addr3, ic->ic_bss->ni_bssid);
693 break;
694 case IEEE80211_M_HOSTAP:
695 wh->i_fc[1] = IEEE80211_FC1_DIR_FROMDS;
696 IEEE80211_ADDR_COPY(wh->i_addr1, eh.ether_dhost);
697 IEEE80211_ADDR_COPY(wh->i_addr2, ni->ni_bssid);
698 IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_shost);
699 break;
700 #endif
701 default:
702 /* should not get there */
703 goto bad;
704 }
705
706 if ((ic->ic_flags & IEEE80211_F_WEPON) ||
707 ((ic->ic_flags & IEEE80211_F_RSNON) &&
708 (ni->ni_flags & IEEE80211_NODE_TXPROT)))
709 wh->i_fc[1] |= IEEE80211_FC1_PROTECTED;
710
711 #ifndef IEEE80211_STA_ONLY
712 if (ic->ic_opmode == IEEE80211_M_HOSTAP &&
713 ieee80211_pwrsave(ic, m, ni) != 0) {
714 *pni = NULL;
715 return NULL;
716 }
717 #endif
718 *pni = ni;
719 return m;
720 bad:
721 m_freem(m);
722 if (ni != NULL)
723 ieee80211_release_node(ic, ni);
724 *pni = NULL;
725 return NULL;
726 }
727
728 /*
729 * Add a Capability Information field to a frame (see 7.3.1.4).
730 */
731 u_int8_t *
ieee80211_add_capinfo(u_int8_t * frm,struct ieee80211com * ic,const struct ieee80211_node * ni)732 ieee80211_add_capinfo(u_int8_t *frm, struct ieee80211com *ic,
733 const struct ieee80211_node *ni)
734 {
735 u_int16_t capinfo;
736
737 #ifndef IEEE80211_STA_ONLY
738 if (ic->ic_opmode == IEEE80211_M_IBSS)
739 capinfo = IEEE80211_CAPINFO_IBSS;
740 else if (ic->ic_opmode == IEEE80211_M_HOSTAP)
741 capinfo = IEEE80211_CAPINFO_ESS;
742 else
743 #endif
744 capinfo = 0;
745 #ifndef IEEE80211_STA_ONLY
746 if (ic->ic_opmode == IEEE80211_M_HOSTAP &&
747 (ic->ic_flags & (IEEE80211_F_WEPON | IEEE80211_F_RSNON)))
748 capinfo |= IEEE80211_CAPINFO_PRIVACY;
749 #endif
750 /* NB: some 11a AP's reject the request when short preamble is set */
751 if ((ic->ic_flags & IEEE80211_F_SHPREAMBLE) &&
752 IEEE80211_IS_CHAN_2GHZ(ni->ni_chan))
753 capinfo |= IEEE80211_CAPINFO_SHORT_PREAMBLE;
754 if (ic->ic_flags & IEEE80211_F_SHSLOT)
755 capinfo |= IEEE80211_CAPINFO_SHORT_SLOTTIME;
756 LE_WRITE_2(frm, capinfo);
757 return frm + 2;
758 }
759
760 /*
761 * Add an SSID element to a frame (see 7.3.2.1).
762 */
763 u_int8_t *
ieee80211_add_ssid(u_int8_t * frm,const u_int8_t * ssid,u_int len)764 ieee80211_add_ssid(u_int8_t *frm, const u_int8_t *ssid, u_int len)
765 {
766 *frm++ = IEEE80211_ELEMID_SSID;
767 *frm++ = len;
768 memcpy(frm, ssid, len);
769 return frm + len;
770 }
771
772 /*
773 * Add a supported rates element to a frame (see 7.3.2.2).
774 */
775 u_int8_t *
ieee80211_add_rates(u_int8_t * frm,const struct ieee80211_rateset * rs)776 ieee80211_add_rates(u_int8_t *frm, const struct ieee80211_rateset *rs)
777 {
778 int nrates;
779
780 *frm++ = IEEE80211_ELEMID_RATES;
781 nrates = min(rs->rs_nrates, IEEE80211_RATE_SIZE);
782 *frm++ = nrates;
783 memcpy(frm, rs->rs_rates, nrates);
784 return frm + nrates;
785 }
786
787 #ifndef IEEE80211_STA_ONLY
788 /*
789 * Add a DS Parameter Set element to a frame (see 7.3.2.4).
790 */
791 u_int8_t *
ieee80211_add_ds_params(u_int8_t * frm,struct ieee80211com * ic,const struct ieee80211_node * ni)792 ieee80211_add_ds_params(u_int8_t *frm, struct ieee80211com *ic,
793 const struct ieee80211_node *ni)
794 {
795 *frm++ = IEEE80211_ELEMID_DSPARMS;
796 *frm++ = 1;
797 *frm++ = ieee80211_chan2ieee(ic, ni->ni_chan);
798 return frm;
799 }
800
801 /*
802 * Add a TIM element to a frame (see 7.3.2.6 and Annex L).
803 */
804 u_int8_t *
ieee80211_add_tim(u_int8_t * frm,struct ieee80211com * ic)805 ieee80211_add_tim(u_int8_t *frm, struct ieee80211com *ic)
806 {
807 u_int i, offset = 0, len;
808
809 /* find first non-zero octet in the virtual bit map */
810 for (i = 0; i < ic->ic_tim_len && ic->ic_tim_bitmap[i] == 0; i++)
811 ;
812
813 /* clear the lsb as it is reserved for the broadcast indication bit */
814 if (i < ic->ic_tim_len)
815 offset = i & ~1;
816
817 /* find last non-zero octet in the virtual bit map */
818 for (i = ic->ic_tim_len - 1; i > 0 && ic->ic_tim_bitmap[i] == 0; i--)
819 ;
820
821 len = i - offset + 1;
822
823 *frm++ = IEEE80211_ELEMID_TIM;
824 *frm++ = len + 3; /* length */
825 *frm++ = ic->ic_dtim_count; /* DTIM count */
826 *frm++ = ic->ic_dtim_period; /* DTIM period */
827
828 /* Bitmap Control */
829 *frm = offset;
830 /* set broadcast/multicast indication bit if necessary */
831 if (ic->ic_dtim_count == 0 && ic->ic_tim_mcast_pending)
832 *frm |= 0x01;
833 frm++;
834
835 /* Partial Virtual Bitmap */
836 memcpy(frm, &ic->ic_tim_bitmap[offset], len);
837 return frm + len;
838 }
839
840 /*
841 * Add an IBSS Parameter Set element to a frame (see 7.3.2.7).
842 */
843 u_int8_t *
ieee80211_add_ibss_params(u_int8_t * frm,const struct ieee80211_node * ni)844 ieee80211_add_ibss_params(u_int8_t *frm, const struct ieee80211_node *ni)
845 {
846 *frm++ = IEEE80211_ELEMID_IBSSPARMS;
847 *frm++ = 2;
848 LE_WRITE_2(frm, 0); /* TODO: ATIM window */
849 return frm + 2;
850 }
851
852 /*
853 * Add an EDCA Parameter Set element to a frame (see 7.3.2.29).
854 */
855 u_int8_t *
ieee80211_add_edca_params(u_int8_t * frm,struct ieee80211com * ic)856 ieee80211_add_edca_params(u_int8_t *frm, struct ieee80211com *ic)
857 {
858 const struct ieee80211_edca_ac_params *edca;
859 int aci;
860
861 *frm++ = IEEE80211_ELEMID_EDCAPARMS;
862 *frm++ = 18; /* length */
863 *frm++ = 0; /* QoS Info */
864 *frm++ = 0; /* reserved */
865
866 /* setup AC Parameter Records */
867 edca = ieee80211_edca_table[ic->ic_curmode];
868 for (aci = 0; aci < EDCA_NUM_AC; aci++) {
869 const struct ieee80211_edca_ac_params *ac = &edca[aci];
870
871 *frm++ = (aci << 5) | ((ac->ac_acm & 0x1) << 4) |
872 (ac->ac_aifsn & 0xf);
873 *frm++ = (ac->ac_ecwmax << 4) |
874 (ac->ac_ecwmin & 0xf);
875 LE_WRITE_2(frm, ac->ac_txoplimit); frm += 2;
876 }
877 return frm;
878 }
879
880 /*
881 * Add an ERP element to a frame (see 7.3.2.13).
882 */
883 u_int8_t *
ieee80211_add_erp(u_int8_t * frm,struct ieee80211com * ic)884 ieee80211_add_erp(u_int8_t *frm, struct ieee80211com *ic)
885 {
886 u_int8_t erp;
887 int nonerpsta = 0;
888
889 *frm++ = IEEE80211_ELEMID_ERP;
890 *frm++ = 1;
891 erp = 0;
892 /*
893 * The NonERP_Present bit shall be set to 1 when a NonERP STA
894 * is associated with the BSS.
895 */
896 ieee80211_iterate_nodes(ic, ieee80211_count_nonerpsta, &nonerpsta);
897 if (nonerpsta != 0)
898 erp |= IEEE80211_ERP_NON_ERP_PRESENT;
899 /*
900 * If one or more NonERP STAs are associated in the BSS, the
901 * Use_Protection bit shall be set to 1 in transmitted ERP
902 * Information Elements.
903 */
904 if (ic->ic_flags & IEEE80211_F_USEPROT)
905 erp |= IEEE80211_ERP_USE_PROTECTION;
906 /*
907 * The Barker_Preamble_Mode bit shall be set to 1 by the ERP
908 * Information Element sender if one or more associated NonERP
909 * STAs are not short preamble capable.
910 */
911 if (!(ic->ic_flags & IEEE80211_F_SHPREAMBLE))
912 erp |= IEEE80211_ERP_BARKER_MODE;
913 *frm++ = erp;
914 return frm;
915 }
916 #endif /* IEEE80211_STA_ONLY */
917
918 /*
919 * Add a QoS Capability element to a frame (see 7.3.2.35).
920 */
921 u_int8_t *
ieee80211_add_qos_capability(u_int8_t * frm,struct ieee80211com * ic)922 ieee80211_add_qos_capability(u_int8_t *frm, struct ieee80211com *ic)
923 {
924 *frm++ = IEEE80211_ELEMID_QOS_CAP;
925 *frm++ = 1;
926 *frm++ = 0; /* QoS Info */
927 return frm;
928 }
929
930 /*
931 * Add a Wifi-Alliance WME (aka WMM) info element to a frame.
932 * WME is a requirement for Wifi-Alliance compliance and some
933 * 11n APs will not negotiate HT if this element is missing.
934 */
935 uint8_t *
ieee80211_add_wme_info(uint8_t * frm,struct ieee80211com * ic)936 ieee80211_add_wme_info(uint8_t *frm, struct ieee80211com *ic)
937 {
938 *frm++ = IEEE80211_ELEMID_VENDOR;
939 *frm++ = 7;
940 memcpy(frm, MICROSOFT_OUI, 3); frm += 3;
941 *frm++ = 2; /* OUI type */
942 *frm++ = 0; /* OUI subtype */
943 *frm++ = 1; /* version */
944 *frm++ = 0; /* info */
945
946 return frm;
947 }
948
949 #ifndef IEEE80211_STA_ONLY
950 /*
951 * Add a Wifi-Alliance WMM (aka WME) parameter element to a frame.
952 */
953 uint8_t *
ieee80211_add_wme_param(uint8_t * frm,struct ieee80211com * ic)954 ieee80211_add_wme_param(uint8_t *frm, struct ieee80211com *ic)
955 {
956 const struct ieee80211_edca_ac_params *edca;
957 int aci;
958
959 *frm++ = IEEE80211_ELEMID_VENDOR;
960 *frm++ = 24;
961 memcpy(frm, MICROSOFT_OUI, 3); frm += 3;
962 *frm++ = 2; /* OUI type */
963 *frm++ = 1; /* OUI subtype */
964 *frm++ = 1; /* version */
965 *frm++ = 0; /* info */
966 *frm++ = 0; /* reserved */
967
968 /* setup AC Parameter Records */
969 edca = ieee80211_edca_table[ic->ic_curmode];
970 for (aci = 0; aci < EDCA_NUM_AC; aci++) {
971 const struct ieee80211_edca_ac_params *ac = &edca[aci];
972
973 *frm++ = (aci << 5) | ((ac->ac_acm & 0x1) << 4) |
974 (ac->ac_aifsn & 0xf);
975 *frm++ = (ac->ac_ecwmax << 4) |
976 (ac->ac_ecwmin & 0xf);
977 LE_WRITE_2(frm, ac->ac_txoplimit); frm += 2;
978 }
979
980 return frm;
981 }
982 #endif
983
984 /*
985 * Add an RSN element to a frame (see 802.11-2012 8.4.2.27)
986 */
987 u_int8_t *
ieee80211_add_rsn_body(u_int8_t * frm,struct ieee80211com * ic,const struct ieee80211_node * ni,int wpa)988 ieee80211_add_rsn_body(u_int8_t *frm, struct ieee80211com *ic,
989 const struct ieee80211_node *ni, int wpa)
990 {
991 const u_int8_t *oui = wpa ? MICROSOFT_OUI : IEEE80211_OUI;
992 u_int8_t *pcount;
993 u_int16_t count, rsncaps;
994
995 /* write Version field */
996 LE_WRITE_2(frm, 1); frm += 2;
997
998 /* write Group Data Cipher Suite field (see 802.11-2012 Table 8-99) */
999 memcpy(frm, oui, 3); frm += 3;
1000 switch (ni->ni_rsngroupcipher) {
1001 case IEEE80211_CIPHER_WEP40:
1002 *frm++ = 1;
1003 break;
1004 case IEEE80211_CIPHER_TKIP:
1005 *frm++ = 2;
1006 break;
1007 case IEEE80211_CIPHER_CCMP:
1008 *frm++ = 4;
1009 break;
1010 case IEEE80211_CIPHER_WEP104:
1011 *frm++ = 5;
1012 break;
1013 default:
1014 /* can't get there */
1015 panic("invalid group data cipher!");
1016 }
1017
1018 pcount = frm; frm += 2;
1019 count = 0;
1020 /* write Pairwise Cipher Suite List */
1021 if (ni->ni_rsnciphers & IEEE80211_CIPHER_USEGROUP) {
1022 memcpy(frm, oui, 3); frm += 3;
1023 *frm++ = 0;
1024 count++;
1025 }
1026 if (ni->ni_rsnciphers & IEEE80211_CIPHER_TKIP) {
1027 memcpy(frm, oui, 3); frm += 3;
1028 *frm++ = 2;
1029 count++;
1030 }
1031 if (ni->ni_rsnciphers & IEEE80211_CIPHER_CCMP) {
1032 memcpy(frm, oui, 3); frm += 3;
1033 *frm++ = 4;
1034 count++;
1035 }
1036 /* write Pairwise Cipher Suite Count field */
1037 LE_WRITE_2(pcount, count);
1038
1039 pcount = frm; frm += 2;
1040 count = 0;
1041 /* write AKM Suite List (see Table 20dc) */
1042 if (ni->ni_rsnakms & IEEE80211_AKM_8021X) {
1043 memcpy(frm, oui, 3); frm += 3;
1044 *frm++ = 1;
1045 count++;
1046 }
1047 if (ni->ni_rsnakms & IEEE80211_AKM_PSK) {
1048 memcpy(frm, oui, 3); frm += 3;
1049 *frm++ = 2;
1050 count++;
1051 }
1052 if (!wpa && (ni->ni_rsnakms & IEEE80211_AKM_SHA256_8021X)) {
1053 memcpy(frm, oui, 3); frm += 3;
1054 *frm++ = 5;
1055 count++;
1056 }
1057 if (!wpa && (ni->ni_rsnakms & IEEE80211_AKM_SHA256_PSK)) {
1058 memcpy(frm, oui, 3); frm += 3;
1059 *frm++ = 6;
1060 count++;
1061 }
1062 /* write AKM Suite List Count field */
1063 LE_WRITE_2(pcount, count);
1064
1065 if (wpa)
1066 return frm;
1067
1068 /* write RSN Capabilities field */
1069 rsncaps = (ni->ni_rsncaps & (IEEE80211_RSNCAP_PTKSA_RCNT_MASK |
1070 IEEE80211_RSNCAP_GTKSA_RCNT_MASK));
1071 if (ic->ic_caps & IEEE80211_C_MFP) {
1072 rsncaps |= IEEE80211_RSNCAP_MFPC;
1073 if (ic->ic_flags & IEEE80211_F_MFPR)
1074 rsncaps |= IEEE80211_RSNCAP_MFPR;
1075 }
1076 if (ic->ic_flags & IEEE80211_F_PBAR)
1077 rsncaps |= IEEE80211_RSNCAP_PBAC;
1078 LE_WRITE_2(frm, rsncaps); frm += 2;
1079
1080 if (ni->ni_flags & IEEE80211_NODE_PMKID) {
1081 /* write PMKID Count field */
1082 LE_WRITE_2(frm, 1); frm += 2;
1083 /* write PMKID List (only 1) */
1084 memcpy(frm, ni->ni_pmkid, IEEE80211_PMKID_LEN);
1085 frm += IEEE80211_PMKID_LEN;
1086 }
1087
1088 if (!(ic->ic_caps & IEEE80211_C_MFP))
1089 return frm;
1090
1091 if ((ni->ni_flags & IEEE80211_NODE_PMKID) == 0) {
1092 /* no PMKID (PMKID Count=0) */
1093 LE_WRITE_2(frm, 0); frm += 2;
1094 }
1095
1096 /* write Group Integrity Cipher Suite field */
1097 memcpy(frm, oui, 3); frm += 3;
1098 switch (ic->ic_rsngroupmgmtcipher) {
1099 case IEEE80211_CIPHER_BIP:
1100 *frm++ = 6;
1101 break;
1102 default:
1103 /* can't get there */
1104 panic("invalid integrity group cipher!");
1105 }
1106 return frm;
1107 }
1108
1109 u_int8_t *
ieee80211_add_rsn(u_int8_t * frm,struct ieee80211com * ic,const struct ieee80211_node * ni)1110 ieee80211_add_rsn(u_int8_t *frm, struct ieee80211com *ic,
1111 const struct ieee80211_node *ni)
1112 {
1113 u_int8_t *plen;
1114
1115 *frm++ = IEEE80211_ELEMID_RSN;
1116 plen = frm++; /* length filled in later */
1117 frm = ieee80211_add_rsn_body(frm, ic, ni, 0);
1118
1119 /* write length field */
1120 *plen = frm - plen - 1;
1121 return frm;
1122 }
1123
1124 /*
1125 * Add a vendor-specific WPA element to a frame.
1126 * This is required for compatibility with Wi-Fi Alliance WPA.
1127 */
1128 u_int8_t *
ieee80211_add_wpa(u_int8_t * frm,struct ieee80211com * ic,const struct ieee80211_node * ni)1129 ieee80211_add_wpa(u_int8_t *frm, struct ieee80211com *ic,
1130 const struct ieee80211_node *ni)
1131 {
1132 u_int8_t *plen;
1133
1134 *frm++ = IEEE80211_ELEMID_VENDOR;
1135 plen = frm++; /* length filled in later */
1136 memcpy(frm, MICROSOFT_OUI, 3); frm += 3;
1137 *frm++ = 1; /* WPA */
1138 frm = ieee80211_add_rsn_body(frm, ic, ni, 1);
1139
1140 /* write length field */
1141 *plen = frm - plen - 1;
1142 return frm;
1143 }
1144
1145 /*
1146 * Add an extended supported rates element to a frame (see 7.3.2.14).
1147 */
1148 u_int8_t *
ieee80211_add_xrates(u_int8_t * frm,const struct ieee80211_rateset * rs)1149 ieee80211_add_xrates(u_int8_t *frm, const struct ieee80211_rateset *rs)
1150 {
1151 int nrates;
1152
1153 KASSERT(rs->rs_nrates > IEEE80211_RATE_SIZE);
1154
1155 *frm++ = IEEE80211_ELEMID_XRATES;
1156 nrates = rs->rs_nrates - IEEE80211_RATE_SIZE;
1157 *frm++ = nrates;
1158 memcpy(frm, rs->rs_rates + IEEE80211_RATE_SIZE, nrates);
1159 return frm + nrates;
1160 }
1161
1162 /*
1163 * Add an HT Capabilities element to a frame (see 7.3.2.57).
1164 */
1165 u_int8_t *
ieee80211_add_htcaps(u_int8_t * frm,struct ieee80211com * ic)1166 ieee80211_add_htcaps(u_int8_t *frm, struct ieee80211com *ic)
1167 {
1168 *frm++ = IEEE80211_ELEMID_HTCAPS;
1169 *frm++ = 26;
1170 LE_WRITE_2(frm, ic->ic_htcaps); frm += 2;
1171 *frm++ = ic->ic_ampdu_params;
1172 memcpy(frm, ic->ic_sup_mcs, 10); frm += 10;
1173 LE_WRITE_2(frm, (ic->ic_max_rxrate & IEEE80211_MCS_RX_RATE_HIGH));
1174 frm += 2;
1175 *frm++ = ic->ic_tx_mcs_set;
1176 *frm++ = 0; /* reserved */
1177 *frm++ = 0; /* reserved */
1178 *frm++ = 0; /* reserved */
1179 LE_WRITE_2(frm, ic->ic_htxcaps); frm += 2;
1180 LE_WRITE_4(frm, ic->ic_txbfcaps); frm += 4;
1181 *frm++ = ic->ic_aselcaps;
1182 return frm;
1183 }
1184
1185 #ifndef IEEE80211_STA_ONLY
1186 /*
1187 * Add an HT Operation element to a frame (see 7.3.2.58).
1188 */
1189 u_int8_t *
ieee80211_add_htop(u_int8_t * frm,struct ieee80211com * ic)1190 ieee80211_add_htop(u_int8_t *frm, struct ieee80211com *ic)
1191 {
1192 *frm++ = IEEE80211_ELEMID_HTOP;
1193 *frm++ = 22;
1194 *frm++ = ieee80211_chan2ieee(ic, ic->ic_bss->ni_chan);
1195 *frm++ = ic->ic_bss->ni_htop0;
1196 LE_WRITE_2(frm, ic->ic_bss->ni_htop1); frm += 2;
1197 LE_WRITE_2(frm, ic->ic_bss->ni_htop2); frm += 2;
1198 memset(frm, 0, 16); frm += 16;
1199 return frm;
1200 }
1201 #endif /* !IEEE80211_STA_ONLY */
1202
1203 /*
1204 * Add a VHT Capabilities element to a frame (see 802.11ac-2013 8.4.2.160.2).
1205 */
1206 u_int8_t *
ieee80211_add_vhtcaps(u_int8_t * frm,struct ieee80211com * ic)1207 ieee80211_add_vhtcaps(u_int8_t *frm, struct ieee80211com *ic)
1208 {
1209 *frm++ = IEEE80211_ELEMID_VHTCAPS;
1210 *frm++ = 12;
1211 LE_WRITE_4(frm, ic->ic_vhtcaps); frm += 4;
1212 LE_WRITE_2(frm, ic->ic_vht_rxmcs); frm += 2;
1213 LE_WRITE_2(frm, ic->ic_vht_rx_max_lgi_mbit_s); frm += 2;
1214 LE_WRITE_2(frm, ic->ic_vht_txmcs); frm += 2;
1215 LE_WRITE_2(frm, ic->ic_vht_tx_max_lgi_mbit_s); frm += 2;
1216 return frm;
1217 }
1218
1219 #ifndef IEEE80211_STA_ONLY
1220 /*
1221 * Add a Timeout Interval element to a frame (see 7.3.2.49).
1222 */
1223 u_int8_t *
ieee80211_add_tie(u_int8_t * frm,u_int8_t type,u_int32_t value)1224 ieee80211_add_tie(u_int8_t *frm, u_int8_t type, u_int32_t value)
1225 {
1226 *frm++ = IEEE80211_ELEMID_TIE;
1227 *frm++ = 5; /* length */
1228 *frm++ = type; /* Timeout Interval type */
1229 LE_WRITE_4(frm, value);
1230 return frm + 4;
1231 }
1232 #endif
1233
1234 struct mbuf *
ieee80211_getmgmt(int flags,int type,u_int pktlen)1235 ieee80211_getmgmt(int flags, int type, u_int pktlen)
1236 {
1237 struct mbuf *m;
1238
1239 /* reserve space for 802.11 header */
1240 pktlen += sizeof(struct ieee80211_frame);
1241
1242 if (pktlen > MCLBYTES)
1243 panic("management frame too large: %u", pktlen);
1244 MGETHDR(m, flags, type);
1245 if (m == NULL)
1246 return NULL;
1247 if (pktlen > MHLEN) {
1248 MCLGET(m, flags);
1249 if (!(m->m_flags & M_EXT))
1250 return m_free(m);
1251 }
1252 m->m_data += sizeof(struct ieee80211_frame);
1253 return m;
1254 }
1255
1256 /*-
1257 * Probe request frame format:
1258 * [tlv] SSID
1259 * [tlv] Supported rates
1260 * [tlv] Extended Supported Rates (802.11g)
1261 * [tlv] HT Capabilities (802.11n)
1262 */
1263 struct mbuf *
ieee80211_get_probe_req(struct ieee80211com * ic,struct ieee80211_node * ni)1264 ieee80211_get_probe_req(struct ieee80211com *ic, struct ieee80211_node *ni)
1265 {
1266 const struct ieee80211_rateset *rs =
1267 &ic->ic_sup_rates[ieee80211_chan2mode(ic, ni->ni_chan)];
1268 struct mbuf *m;
1269 u_int8_t *frm;
1270
1271 m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA,
1272 2 + ic->ic_des_esslen +
1273 2 + min(rs->rs_nrates, IEEE80211_RATE_SIZE) +
1274 ((rs->rs_nrates > IEEE80211_RATE_SIZE) ?
1275 2 + rs->rs_nrates - IEEE80211_RATE_SIZE : 0) +
1276 ((ic->ic_flags & IEEE80211_F_HTON) ? 28 + 9 : 0) +
1277 ((ic->ic_flags & IEEE80211_F_VHTON) ? 14 : 0));
1278 if (m == NULL)
1279 return NULL;
1280
1281 frm = mtod(m, u_int8_t *);
1282 frm = ieee80211_add_ssid(frm, ic->ic_des_essid, ic->ic_des_esslen);
1283 frm = ieee80211_add_rates(frm, rs);
1284 if (rs->rs_nrates > IEEE80211_RATE_SIZE)
1285 frm = ieee80211_add_xrates(frm, rs);
1286 if (ic->ic_flags & IEEE80211_F_HTON) {
1287 frm = ieee80211_add_htcaps(frm, ic);
1288 frm = ieee80211_add_wme_info(frm, ic);
1289 }
1290 if (ic->ic_flags & IEEE80211_F_VHTON)
1291 frm = ieee80211_add_htcaps(frm, ic);
1292
1293 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *);
1294
1295 return m;
1296 }
1297
1298 #ifndef IEEE80211_STA_ONLY
1299 /*-
1300 * Probe response frame format:
1301 * [8] Timestamp
1302 * [2] Beacon interval
1303 * [2] Capability
1304 * [tlv] Service Set Identifier (SSID)
1305 * [tlv] Supported rates
1306 * [tlv] DS Parameter Set (802.11g)
1307 * [tlv] ERP Information (802.11g)
1308 * [tlv] Extended Supported Rates (802.11g)
1309 * [tlv] RSN (802.11i)
1310 * [tlv] EDCA Parameter Set (802.11e)
1311 * [tlv] HT Capabilities (802.11n)
1312 * [tlv] HT Operation (802.11n)
1313 */
1314 struct mbuf *
ieee80211_get_probe_resp(struct ieee80211com * ic)1315 ieee80211_get_probe_resp(struct ieee80211com *ic)
1316 {
1317 const struct ieee80211_rateset *rs = &ic->ic_bss->ni_rates;
1318 struct mbuf *m;
1319 u_int8_t *frm;
1320
1321 m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA,
1322 8 + 2 + 2 +
1323 2 + ic->ic_bss->ni_esslen +
1324 2 + min(rs->rs_nrates, IEEE80211_RATE_SIZE) +
1325 2 + 1 +
1326 ((ic->ic_opmode == IEEE80211_M_IBSS) ? 2 + 2 : 0) +
1327 ((ic->ic_curmode == IEEE80211_MODE_11G) ? 2 + 1 : 0) +
1328 ((rs->rs_nrates > IEEE80211_RATE_SIZE) ?
1329 2 + rs->rs_nrates - IEEE80211_RATE_SIZE : 0) +
1330 (((ic->ic_flags & IEEE80211_F_RSNON) &&
1331 (ic->ic_bss->ni_rsnprotos & IEEE80211_PROTO_RSN)) ?
1332 2 + IEEE80211_RSNIE_MAXLEN : 0) +
1333 ((ic->ic_flags & IEEE80211_F_QOS) ? 2 + 18 : 0) +
1334 (((ic->ic_flags & IEEE80211_F_RSNON) &&
1335 (ic->ic_bss->ni_rsnprotos & IEEE80211_PROTO_WPA)) ?
1336 2 + IEEE80211_WPAIE_MAXLEN : 0) +
1337 ((ic->ic_flags & IEEE80211_F_HTON) ? 28 + 24 + 26 : 0));
1338 if (m == NULL)
1339 return NULL;
1340
1341 frm = mtod(m, u_int8_t *);
1342 memset(frm, 0, 8); frm += 8; /* timestamp is set by hardware */
1343 LE_WRITE_2(frm, ic->ic_bss->ni_intval); frm += 2;
1344 frm = ieee80211_add_capinfo(frm, ic, ic->ic_bss);
1345 frm = ieee80211_add_ssid(frm, ic->ic_bss->ni_essid,
1346 ic->ic_bss->ni_esslen);
1347 frm = ieee80211_add_rates(frm, rs);
1348 frm = ieee80211_add_ds_params(frm, ic, ic->ic_bss);
1349 if (ic->ic_opmode == IEEE80211_M_IBSS)
1350 frm = ieee80211_add_ibss_params(frm, ic->ic_bss);
1351 if (ic->ic_curmode == IEEE80211_MODE_11G)
1352 frm = ieee80211_add_erp(frm, ic);
1353 if (rs->rs_nrates > IEEE80211_RATE_SIZE)
1354 frm = ieee80211_add_xrates(frm, rs);
1355 if ((ic->ic_flags & IEEE80211_F_RSNON) &&
1356 (ic->ic_bss->ni_rsnprotos & IEEE80211_PROTO_RSN))
1357 frm = ieee80211_add_rsn(frm, ic, ic->ic_bss);
1358 if (ic->ic_flags & IEEE80211_F_QOS)
1359 frm = ieee80211_add_edca_params(frm, ic);
1360 if ((ic->ic_flags & IEEE80211_F_RSNON) &&
1361 (ic->ic_bss->ni_rsnprotos & IEEE80211_PROTO_WPA))
1362 frm = ieee80211_add_wpa(frm, ic, ic->ic_bss);
1363 if (ic->ic_flags & IEEE80211_F_HTON) {
1364 frm = ieee80211_add_htcaps(frm, ic);
1365 frm = ieee80211_add_htop(frm, ic);
1366 frm = ieee80211_add_wme_param(frm, ic);
1367 }
1368
1369 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *);
1370
1371 return m;
1372 }
1373 #endif /* IEEE80211_STA_ONLY */
1374
1375 /*-
1376 * Authentication frame format:
1377 * [2] Authentication algorithm number
1378 * [2] Authentication transaction sequence number
1379 * [2] Status code
1380 */
1381 struct mbuf *
ieee80211_get_auth(struct ieee80211com * ic,struct ieee80211_node * ni,u_int16_t status,u_int16_t seq)1382 ieee80211_get_auth(struct ieee80211com *ic, struct ieee80211_node *ni,
1383 u_int16_t status, u_int16_t seq)
1384 {
1385 struct mbuf *m;
1386 u_int8_t *frm;
1387
1388 MGETHDR(m, M_DONTWAIT, MT_DATA);
1389 if (m == NULL)
1390 return NULL;
1391 m_align(m, 2 * 3);
1392 m->m_pkthdr.len = m->m_len = 2 * 3;
1393
1394 frm = mtod(m, u_int8_t *);
1395 LE_WRITE_2(frm, IEEE80211_AUTH_ALG_OPEN); frm += 2;
1396 LE_WRITE_2(frm, seq); frm += 2;
1397 LE_WRITE_2(frm, status);
1398
1399 return m;
1400 }
1401
1402 /*-
1403 * Deauthentication frame format:
1404 * [2] Reason code
1405 */
1406 struct mbuf *
ieee80211_get_deauth(struct ieee80211com * ic,struct ieee80211_node * ni,u_int16_t reason)1407 ieee80211_get_deauth(struct ieee80211com *ic, struct ieee80211_node *ni,
1408 u_int16_t reason)
1409 {
1410 struct mbuf *m;
1411
1412 MGETHDR(m, M_DONTWAIT, MT_DATA);
1413 if (m == NULL)
1414 return NULL;
1415 m_align(m, 2);
1416 m->m_pkthdr.len = m->m_len = 2;
1417
1418 *mtod(m, u_int16_t *) = htole16(reason);
1419
1420 return m;
1421 }
1422
1423 /*-
1424 * (Re)Association request frame format:
1425 * [2] Capability information
1426 * [2] Listen interval
1427 * [6*] Current AP address (Reassociation only)
1428 * [tlv] SSID
1429 * [tlv] Supported rates
1430 * [tlv] Extended Supported Rates (802.11g)
1431 * [tlv] RSN (802.11i)
1432 * [tlv] QoS Capability (802.11e)
1433 * [tlv] HT Capabilities (802.11n)
1434 */
1435 struct mbuf *
ieee80211_get_assoc_req(struct ieee80211com * ic,struct ieee80211_node * ni,int type)1436 ieee80211_get_assoc_req(struct ieee80211com *ic, struct ieee80211_node *ni,
1437 int type)
1438 {
1439 const struct ieee80211_rateset *rs = &ni->ni_rates;
1440 struct mbuf *m;
1441 u_int8_t *frm;
1442 u_int16_t capinfo;
1443
1444 m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA,
1445 2 + 2 +
1446 ((type == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) ?
1447 IEEE80211_ADDR_LEN : 0) +
1448 2 + ni->ni_esslen +
1449 2 + min(rs->rs_nrates, IEEE80211_RATE_SIZE) +
1450 ((rs->rs_nrates > IEEE80211_RATE_SIZE) ?
1451 2 + rs->rs_nrates - IEEE80211_RATE_SIZE : 0) +
1452 (((ic->ic_flags & IEEE80211_F_RSNON) &&
1453 (ni->ni_rsnprotos & IEEE80211_PROTO_RSN)) ?
1454 2 + IEEE80211_RSNIE_MAXLEN : 0) +
1455 ((ni->ni_flags & IEEE80211_NODE_QOS) ? 2 + 1 : 0) +
1456 (((ic->ic_flags & IEEE80211_F_RSNON) &&
1457 (ni->ni_rsnprotos & IEEE80211_PROTO_WPA)) ?
1458 2 + IEEE80211_WPAIE_MAXLEN : 0) +
1459 ((ic->ic_flags & IEEE80211_F_HTON) ? 28 + 9 : 0) +
1460 ((ic->ic_flags & IEEE80211_F_VHTON) ? 14 : 0));
1461 if (m == NULL)
1462 return NULL;
1463
1464 frm = mtod(m, u_int8_t *);
1465 capinfo = IEEE80211_CAPINFO_ESS;
1466 if (ic->ic_flags & IEEE80211_F_WEPON)
1467 capinfo |= IEEE80211_CAPINFO_PRIVACY;
1468 if ((ic->ic_flags & IEEE80211_F_SHPREAMBLE) &&
1469 IEEE80211_IS_CHAN_2GHZ(ni->ni_chan))
1470 capinfo |= IEEE80211_CAPINFO_SHORT_PREAMBLE;
1471 if (ic->ic_caps & IEEE80211_C_SHSLOT)
1472 capinfo |= IEEE80211_CAPINFO_SHORT_SLOTTIME;
1473 LE_WRITE_2(frm, capinfo); frm += 2;
1474 LE_WRITE_2(frm, ic->ic_lintval); frm += 2;
1475 if (type == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) {
1476 IEEE80211_ADDR_COPY(frm, ic->ic_bss->ni_bssid);
1477 frm += IEEE80211_ADDR_LEN;
1478 }
1479 frm = ieee80211_add_ssid(frm, ni->ni_essid, ni->ni_esslen);
1480 frm = ieee80211_add_rates(frm, rs);
1481 if (rs->rs_nrates > IEEE80211_RATE_SIZE)
1482 frm = ieee80211_add_xrates(frm, rs);
1483 if ((ic->ic_flags & IEEE80211_F_RSNON) &&
1484 (ni->ni_rsnprotos & IEEE80211_PROTO_RSN))
1485 frm = ieee80211_add_rsn(frm, ic, ni);
1486 if (ni->ni_flags & IEEE80211_NODE_QOS)
1487 frm = ieee80211_add_qos_capability(frm, ic);
1488 if ((ic->ic_flags & IEEE80211_F_RSNON) &&
1489 (ni->ni_rsnprotos & IEEE80211_PROTO_WPA))
1490 frm = ieee80211_add_wpa(frm, ic, ni);
1491 if (ic->ic_flags & IEEE80211_F_HTON) {
1492 frm = ieee80211_add_htcaps(frm, ic);
1493 frm = ieee80211_add_wme_info(frm, ic);
1494 }
1495 if (ic->ic_flags & IEEE80211_F_VHTON)
1496 frm = ieee80211_add_vhtcaps(frm, ic);
1497
1498 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *);
1499
1500 return m;
1501 }
1502
1503 #ifndef IEEE80211_STA_ONLY
1504 /*-
1505 * (Re)Association response frame format:
1506 * [2] Capability information
1507 * [2] Status code
1508 * [2] Association ID (AID)
1509 * [tlv] Supported rates
1510 * [tlv] Extended Supported Rates (802.11g)
1511 * [tlv] EDCA Parameter Set (802.11e)
1512 * [tlv] Timeout Interval (802.11w)
1513 * [tlv] HT Capabilities (802.11n)
1514 * [tlv] HT Operation (802.11n)
1515 */
1516 struct mbuf *
ieee80211_get_assoc_resp(struct ieee80211com * ic,struct ieee80211_node * ni,u_int16_t status)1517 ieee80211_get_assoc_resp(struct ieee80211com *ic, struct ieee80211_node *ni,
1518 u_int16_t status)
1519 {
1520 const struct ieee80211_rateset *rs = &ni->ni_rates;
1521 struct mbuf *m;
1522 u_int8_t *frm;
1523
1524 m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA,
1525 2 + 2 + 2 +
1526 2 + min(rs->rs_nrates, IEEE80211_RATE_SIZE) +
1527 ((rs->rs_nrates > IEEE80211_RATE_SIZE) ?
1528 2 + rs->rs_nrates - IEEE80211_RATE_SIZE : 0) +
1529 ((ni->ni_flags & IEEE80211_NODE_QOS) ? 2 + 18 : 0) +
1530 ((status == IEEE80211_STATUS_TRY_AGAIN_LATER) ? 2 + 7 : 0) +
1531 ((ic->ic_flags & IEEE80211_F_HTON) ? 28 + 24 + 26 : 0));
1532 if (m == NULL)
1533 return NULL;
1534
1535 frm = mtod(m, u_int8_t *);
1536 frm = ieee80211_add_capinfo(frm, ic, ni);
1537 LE_WRITE_2(frm, status); frm += 2;
1538 if (status == IEEE80211_STATUS_SUCCESS)
1539 LE_WRITE_2(frm, ni->ni_associd);
1540 else
1541 LE_WRITE_2(frm, 0);
1542 frm += 2;
1543 frm = ieee80211_add_rates(frm, rs);
1544 if (rs->rs_nrates > IEEE80211_RATE_SIZE)
1545 frm = ieee80211_add_xrates(frm, rs);
1546 if (ni->ni_flags & IEEE80211_NODE_QOS)
1547 frm = ieee80211_add_edca_params(frm, ic);
1548 if ((ni->ni_flags & IEEE80211_NODE_MFP) &&
1549 status == IEEE80211_STATUS_TRY_AGAIN_LATER) {
1550 /* Association Comeback Time */
1551 frm = ieee80211_add_tie(frm, 3, 1000 /* XXX */);
1552 }
1553 if (ic->ic_flags & IEEE80211_F_HTON) {
1554 frm = ieee80211_add_htcaps(frm, ic);
1555 frm = ieee80211_add_htop(frm, ic);
1556 frm = ieee80211_add_wme_param(frm, ic);
1557 }
1558
1559 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *);
1560
1561 return m;
1562 }
1563 #endif /* IEEE80211_STA_ONLY */
1564
1565 /*-
1566 * Disassociation frame format:
1567 * [2] Reason code
1568 */
1569 struct mbuf *
ieee80211_get_disassoc(struct ieee80211com * ic,struct ieee80211_node * ni,u_int16_t reason)1570 ieee80211_get_disassoc(struct ieee80211com *ic, struct ieee80211_node *ni,
1571 u_int16_t reason)
1572 {
1573 struct mbuf *m;
1574
1575 MGETHDR(m, M_DONTWAIT, MT_DATA);
1576 if (m == NULL)
1577 return NULL;
1578 m_align(m, 2);
1579 m->m_pkthdr.len = m->m_len = 2;
1580
1581 *mtod(m, u_int16_t *) = htole16(reason);
1582
1583 return m;
1584 }
1585
1586 /*-
1587 * ADDBA Request frame format:
1588 * [1] Category
1589 * [1] Action
1590 * [1] Dialog Token
1591 * [2] Block Ack Parameter Set
1592 * [2] Block Ack Timeout Value
1593 * [2] Block Ack Starting Sequence Control
1594 */
1595 struct mbuf *
ieee80211_get_addba_req(struct ieee80211com * ic,struct ieee80211_node * ni,u_int8_t tid)1596 ieee80211_get_addba_req(struct ieee80211com *ic, struct ieee80211_node *ni,
1597 u_int8_t tid)
1598 {
1599 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid];
1600 struct mbuf *m;
1601 u_int8_t *frm;
1602
1603 m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA, 9);
1604 if (m == NULL)
1605 return m;
1606
1607 frm = mtod(m, u_int8_t *);
1608 *frm++ = IEEE80211_CATEG_BA;
1609 *frm++ = IEEE80211_ACTION_ADDBA_REQ;
1610 *frm++ = ba->ba_token;
1611 LE_WRITE_2(frm, ba->ba_params); frm += 2;
1612 LE_WRITE_2(frm, ba->ba_timeout_val / IEEE80211_DUR_TU); frm += 2;
1613 LE_WRITE_2(frm, ba->ba_winstart << IEEE80211_SEQ_SEQ_SHIFT); frm += 2;
1614
1615 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *);
1616
1617 return m;
1618 }
1619
1620 /* Move Tx BA window forward to the specified SSN. */
1621 void
ieee80211_output_ba_move_window(struct ieee80211com * ic,struct ieee80211_node * ni,uint8_t tid,uint16_t ssn)1622 ieee80211_output_ba_move_window(struct ieee80211com *ic,
1623 struct ieee80211_node *ni, uint8_t tid, uint16_t ssn)
1624 {
1625 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid];
1626 uint16_t s = ba->ba_winstart;
1627
1628 while (SEQ_LT(s, ssn) && ba->ba_bitmap) {
1629 s = (s + 1) % 0xfff;
1630 ba->ba_bitmap >>= 1;
1631 }
1632
1633 ba->ba_winstart = (ssn & 0xfff);
1634 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff;
1635 }
1636
1637 /*
1638 * Move Tx BA window forward up to the first hole in the bitmap
1639 * or up to the specified SSN, whichever comes first.
1640 * After calling this function, frames before the start of the
1641 * potentially changed BA window should be discarded.
1642 */
1643 void
ieee80211_output_ba_move_window_to_first_unacked(struct ieee80211com * ic,struct ieee80211_node * ni,uint8_t tid,uint16_t ssn)1644 ieee80211_output_ba_move_window_to_first_unacked(struct ieee80211com *ic,
1645 struct ieee80211_node *ni, uint8_t tid, uint16_t ssn)
1646 {
1647 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid];
1648 uint16_t s = ba->ba_winstart;
1649 uint64_t bitmap = ba->ba_bitmap;
1650 int can_move_window = 0;
1651
1652 while (bitmap && SEQ_LT(s, ssn)) {
1653 if ((bitmap & 1) == 0)
1654 break;
1655 s = (s + 1) % 0xfff;
1656 bitmap >>= 1;
1657 can_move_window = 1;
1658 }
1659
1660 if (can_move_window)
1661 ieee80211_output_ba_move_window(ic, ni, tid, s);
1662 }
1663
1664 /* Record an ACK for a frame with a given SSN within the Tx BA window. */
1665 void
ieee80211_output_ba_record_ack(struct ieee80211com * ic,struct ieee80211_node * ni,uint8_t tid,uint16_t ssn)1666 ieee80211_output_ba_record_ack(struct ieee80211com *ic,
1667 struct ieee80211_node *ni, uint8_t tid, uint16_t ssn)
1668 {
1669 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid];
1670 int i = 0;
1671 uint16_t s = ba->ba_winstart;
1672
1673 KASSERT(!SEQ_LT(ssn, ba->ba_winstart));
1674 KASSERT(!SEQ_LT(ba->ba_winend, ssn));
1675
1676 while (SEQ_LT(s, ssn)) {
1677 s = (s + 1) % 0xfff;
1678 i++;
1679 }
1680 if (i < ba->ba_winsize)
1681 ba->ba_bitmap |= (1 << i);
1682 }
1683
1684 /*-
1685 * ADDBA Response frame format:
1686 * [1] Category
1687 * [1] Action
1688 * [1] Dialog Token
1689 * [2] Status Code
1690 * [2] Block Ack Parameter Set
1691 * [2] Block Ack Timeout Value
1692 */
1693 struct mbuf *
ieee80211_get_addba_resp(struct ieee80211com * ic,struct ieee80211_node * ni,u_int8_t tid,u_int8_t token,u_int16_t status)1694 ieee80211_get_addba_resp(struct ieee80211com *ic, struct ieee80211_node *ni,
1695 u_int8_t tid, u_int8_t token, u_int16_t status)
1696 {
1697 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid];
1698 struct mbuf *m;
1699 u_int8_t *frm;
1700 u_int16_t params;
1701
1702 m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA, 9);
1703 if (m == NULL)
1704 return m;
1705
1706 frm = mtod(m, u_int8_t *);
1707 *frm++ = IEEE80211_CATEG_BA;
1708 *frm++ = IEEE80211_ACTION_ADDBA_RESP;
1709 *frm++ = token;
1710 LE_WRITE_2(frm, status); frm += 2;
1711 if (status == 0)
1712 params = ba->ba_params;
1713 else
1714 params = tid << IEEE80211_ADDBA_TID_SHIFT;
1715 LE_WRITE_2(frm, params); frm += 2;
1716 if (status == 0)
1717 LE_WRITE_2(frm, ba->ba_timeout_val / IEEE80211_DUR_TU);
1718 else
1719 LE_WRITE_2(frm, 0);
1720 frm += 2;
1721
1722 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *);
1723
1724 return m;
1725 }
1726
1727 /*-
1728 * DELBA frame format:
1729 * [1] Category
1730 * [1] Action
1731 * [2] DELBA Parameter Set
1732 * [2] Reason Code
1733 */
1734 struct mbuf *
ieee80211_get_delba(struct ieee80211com * ic,struct ieee80211_node * ni,u_int8_t tid,u_int8_t dir,u_int16_t reason)1735 ieee80211_get_delba(struct ieee80211com *ic, struct ieee80211_node *ni,
1736 u_int8_t tid, u_int8_t dir, u_int16_t reason)
1737 {
1738 struct mbuf *m;
1739 u_int8_t *frm;
1740 u_int16_t params;
1741
1742 m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA, 6);
1743 if (m == NULL)
1744 return m;
1745
1746 frm = mtod(m, u_int8_t *);
1747 *frm++ = IEEE80211_CATEG_BA;
1748 *frm++ = IEEE80211_ACTION_DELBA;
1749 params = tid << 12;
1750 if (dir)
1751 params |= IEEE80211_DELBA_INITIATOR;
1752 LE_WRITE_2(frm, params); frm += 2;
1753 LE_WRITE_2(frm, reason); frm += 2;
1754
1755 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *);
1756
1757 return m;
1758 }
1759
1760 /*-
1761 * SA Query Request/Response frame format:
1762 * [1] Category
1763 * [1] Action
1764 * [16] Transaction Identifier
1765 */
1766 struct mbuf *
ieee80211_get_sa_query(struct ieee80211com * ic,struct ieee80211_node * ni,u_int8_t action)1767 ieee80211_get_sa_query(struct ieee80211com *ic, struct ieee80211_node *ni,
1768 u_int8_t action)
1769 {
1770 struct mbuf *m;
1771 u_int8_t *frm;
1772
1773 m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA, 4);
1774 if (m == NULL)
1775 return NULL;
1776
1777 frm = mtod(m, u_int8_t *);
1778 *frm++ = IEEE80211_CATEG_SA_QUERY;
1779 *frm++ = action; /* ACTION_SA_QUERY_REQ/RESP */
1780 LE_WRITE_2(frm, ni->ni_sa_query_trid); frm += 2;
1781
1782 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *);
1783
1784 return m;
1785 }
1786
1787 struct mbuf *
ieee80211_get_action(struct ieee80211com * ic,struct ieee80211_node * ni,u_int8_t categ,u_int8_t action,int arg)1788 ieee80211_get_action(struct ieee80211com *ic, struct ieee80211_node *ni,
1789 u_int8_t categ, u_int8_t action, int arg)
1790 {
1791 struct mbuf *m = NULL;
1792
1793 switch (categ) {
1794 case IEEE80211_CATEG_BA:
1795 switch (action) {
1796 case IEEE80211_ACTION_ADDBA_REQ:
1797 m = ieee80211_get_addba_req(ic, ni, arg & 0xffff);
1798 break;
1799 case IEEE80211_ACTION_ADDBA_RESP:
1800 m = ieee80211_get_addba_resp(ic, ni, arg & 0xff,
1801 arg >> 8, arg >> 16);
1802 break;
1803 case IEEE80211_ACTION_DELBA:
1804 m = ieee80211_get_delba(ic, ni, arg & 0xff, arg >> 8,
1805 arg >> 16);
1806 break;
1807 }
1808 break;
1809 case IEEE80211_CATEG_SA_QUERY:
1810 switch (action) {
1811 #ifndef IEEE80211_STA_ONLY
1812 case IEEE80211_ACTION_SA_QUERY_REQ:
1813 #endif
1814 case IEEE80211_ACTION_SA_QUERY_RESP:
1815 m = ieee80211_get_sa_query(ic, ni, action);
1816 break;
1817 }
1818 break;
1819 }
1820 return m;
1821 }
1822
1823 /*
1824 * Send a management frame. The node is for the destination (or ic_bss
1825 * when in station mode). Nodes other than ic_bss have their reference
1826 * count bumped to reflect our use for an indeterminant time.
1827 */
1828 int
ieee80211_send_mgmt(struct ieee80211com * ic,struct ieee80211_node * ni,int type,int arg1,int arg2)1829 ieee80211_send_mgmt(struct ieee80211com *ic, struct ieee80211_node *ni,
1830 int type, int arg1, int arg2)
1831 {
1832 #define senderr(_x, _v) do { ic->ic_stats._v++; ret = _x; goto bad; } while (0)
1833 struct ifnet *ifp = &ic->ic_if;
1834 struct mbuf *m;
1835 int ret, timer;
1836
1837 if (ni == NULL)
1838 panic("null node");
1839
1840 /*
1841 * Hold a reference on the node so it doesn't go away until after
1842 * the xmit is complete all the way in the driver. On error we
1843 * will remove our reference.
1844 */
1845 ieee80211_ref_node(ni);
1846 timer = 0;
1847 switch (type) {
1848 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
1849 if ((m = ieee80211_get_probe_req(ic, ni)) == NULL)
1850 senderr(ENOMEM, is_tx_nombuf);
1851
1852 timer = IEEE80211_TRANS_WAIT;
1853 break;
1854 #ifndef IEEE80211_STA_ONLY
1855 case IEEE80211_FC0_SUBTYPE_PROBE_RESP:
1856 if ((m = ieee80211_get_probe_resp(ic)) == NULL)
1857 senderr(ENOMEM, is_tx_nombuf);
1858 break;
1859 #endif
1860 case IEEE80211_FC0_SUBTYPE_AUTH:
1861 m = ieee80211_get_auth(ic, ni, arg1 >> 16, arg1 & 0xffff);
1862 if (m == NULL)
1863 senderr(ENOMEM, is_tx_nombuf);
1864
1865 if (ic->ic_opmode == IEEE80211_M_STA)
1866 timer = IEEE80211_TRANS_WAIT;
1867 break;
1868
1869 case IEEE80211_FC0_SUBTYPE_DEAUTH:
1870 if ((m = ieee80211_get_deauth(ic, ni, arg1)) == NULL)
1871 senderr(ENOMEM, is_tx_nombuf);
1872 #ifndef IEEE80211_STA_ONLY
1873 if ((ifp->if_flags & IFF_DEBUG) &&
1874 (ic->ic_opmode == IEEE80211_M_HOSTAP ||
1875 ic->ic_opmode == IEEE80211_M_IBSS))
1876 printf("%s: station %s deauthenticate (reason %d)\n",
1877 ifp->if_xname, ether_sprintf(ni->ni_macaddr),
1878 arg1);
1879 #endif
1880 break;
1881
1882 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ:
1883 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ:
1884 if ((m = ieee80211_get_assoc_req(ic, ni, type)) == NULL)
1885 senderr(ENOMEM, is_tx_nombuf);
1886
1887 timer = IEEE80211_TRANS_WAIT;
1888 break;
1889 #ifndef IEEE80211_STA_ONLY
1890 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP:
1891 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP:
1892 if ((m = ieee80211_get_assoc_resp(ic, ni, arg1)) == NULL)
1893 senderr(ENOMEM, is_tx_nombuf);
1894 break;
1895 #endif
1896 case IEEE80211_FC0_SUBTYPE_DISASSOC:
1897 if ((m = ieee80211_get_disassoc(ic, ni, arg1)) == NULL)
1898 senderr(ENOMEM, is_tx_nombuf);
1899 #ifndef IEEE80211_STA_ONLY
1900 if ((ifp->if_flags & IFF_DEBUG) &&
1901 (ic->ic_opmode == IEEE80211_M_HOSTAP ||
1902 ic->ic_opmode == IEEE80211_M_IBSS))
1903 printf("%s: station %s disassociate (reason %d)\n",
1904 ifp->if_xname, ether_sprintf(ni->ni_macaddr),
1905 arg1);
1906 #endif
1907 break;
1908
1909 case IEEE80211_FC0_SUBTYPE_ACTION:
1910 m = ieee80211_get_action(ic, ni, arg1 >> 16, arg1 & 0xffff,
1911 arg2);
1912 if (m == NULL)
1913 senderr(ENOMEM, is_tx_nombuf);
1914 break;
1915
1916 default:
1917 DPRINTF(("invalid mgmt frame type %u\n", type));
1918 senderr(EINVAL, is_tx_unknownmgt);
1919 /* NOTREACHED */
1920 }
1921
1922 ret = ieee80211_mgmt_output(ifp, ni, m, type);
1923 if (ret == 0) {
1924 if (timer)
1925 ic->ic_mgt_timer = timer;
1926 } else {
1927 bad:
1928 ieee80211_release_node(ic, ni);
1929 }
1930 return ret;
1931 #undef senderr
1932 }
1933
1934 /*
1935 * Build a RTS (Request To Send) control frame (see 7.2.1.1).
1936 */
1937 struct mbuf *
ieee80211_get_rts(struct ieee80211com * ic,const struct ieee80211_frame * wh,u_int16_t dur)1938 ieee80211_get_rts(struct ieee80211com *ic, const struct ieee80211_frame *wh,
1939 u_int16_t dur)
1940 {
1941 struct ieee80211_frame_rts *rts;
1942 struct mbuf *m;
1943
1944 MGETHDR(m, M_DONTWAIT, MT_DATA);
1945 if (m == NULL)
1946 return NULL;
1947
1948 m->m_pkthdr.len = m->m_len = sizeof(struct ieee80211_frame_rts);
1949
1950 rts = mtod(m, struct ieee80211_frame_rts *);
1951 rts->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_CTL |
1952 IEEE80211_FC0_SUBTYPE_RTS;
1953 rts->i_fc[1] = IEEE80211_FC1_DIR_NODS;
1954 *(u_int16_t *)rts->i_dur = htole16(dur);
1955 IEEE80211_ADDR_COPY(rts->i_ra, wh->i_addr1);
1956 IEEE80211_ADDR_COPY(rts->i_ta, wh->i_addr2);
1957
1958 return m;
1959 }
1960
1961 /*
1962 * Build a CTS-to-self (Clear To Send) control frame (see 7.2.1.2).
1963 */
1964 struct mbuf *
ieee80211_get_cts_to_self(struct ieee80211com * ic,u_int16_t dur)1965 ieee80211_get_cts_to_self(struct ieee80211com *ic, u_int16_t dur)
1966 {
1967 struct ieee80211_frame_cts *cts;
1968 struct mbuf *m;
1969
1970 MGETHDR(m, M_DONTWAIT, MT_DATA);
1971 if (m == NULL)
1972 return NULL;
1973
1974 m->m_pkthdr.len = m->m_len = sizeof(struct ieee80211_frame_cts);
1975
1976 cts = mtod(m, struct ieee80211_frame_cts *);
1977 cts->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_CTL |
1978 IEEE80211_FC0_SUBTYPE_CTS;
1979 cts->i_fc[1] = IEEE80211_FC1_DIR_NODS;
1980 *(u_int16_t *)cts->i_dur = htole16(dur);
1981 IEEE80211_ADDR_COPY(cts->i_ra, ic->ic_myaddr);
1982
1983 return m;
1984 }
1985
1986 /*
1987 * Build a compressed Block Ack Request control frame.
1988 */
1989 struct mbuf *
ieee80211_get_compressed_bar(struct ieee80211com * ic,struct ieee80211_node * ni,int tid,uint16_t ssn)1990 ieee80211_get_compressed_bar(struct ieee80211com *ic,
1991 struct ieee80211_node *ni, int tid, uint16_t ssn)
1992 {
1993 struct ieee80211_frame_min *wh;
1994 uint8_t *frm;
1995 uint16_t ctl;
1996 struct mbuf *m;
1997
1998 MGETHDR(m, M_DONTWAIT, MT_DATA);
1999 if (m == NULL)
2000 return NULL;
2001
2002 m->m_pkthdr.len = m->m_len = sizeof(struct ieee80211_frame_min) +
2003 sizeof(ctl) + sizeof(ssn);
2004
2005 wh = mtod(m, struct ieee80211_frame_min *);
2006 wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_CTL |
2007 IEEE80211_FC0_SUBTYPE_BAR;
2008 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS;
2009 *(u_int16_t *)wh->i_dur = 0;
2010 IEEE80211_ADDR_COPY(wh->i_addr1, ni->ni_macaddr);
2011 IEEE80211_ADDR_COPY(wh->i_addr2, ic->ic_myaddr);
2012 frm = (uint8_t *)&wh[1];
2013
2014 ctl = IEEE80211_BA_COMPRESSED | (tid << IEEE80211_BA_TID_INFO_SHIFT);
2015 LE_WRITE_2(frm, ctl);
2016 frm += 2;
2017
2018 LE_WRITE_2(frm, ssn << IEEE80211_SEQ_SEQ_SHIFT);
2019 frm += 2;
2020
2021 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *);
2022 m->m_pkthdr.ph_cookie = ni;
2023
2024 return m;
2025 }
2026
2027 #ifndef IEEE80211_STA_ONLY
2028 /*-
2029 * Beacon frame format:
2030 * [8] Timestamp
2031 * [2] Beacon interval
2032 * [2] Capability
2033 * [tlv] Service Set Identifier (SSID)
2034 * [tlv] Supported rates
2035 * [tlv] DS Parameter Set (802.11g)
2036 * [tlv] IBSS Parameter Set
2037 * [tlv] Traffic Indication Map (TIM)
2038 * [tlv] ERP Information (802.11g)
2039 * [tlv] Extended Supported Rates (802.11g)
2040 * [tlv] RSN (802.11i)
2041 * [tlv] EDCA Parameter Set (802.11e)
2042 * [tlv] HT Capabilities (802.11n)
2043 * [tlv] HT Operation (802.11n)
2044 */
2045 struct mbuf *
ieee80211_beacon_alloc(struct ieee80211com * ic,struct ieee80211_node * ni)2046 ieee80211_beacon_alloc(struct ieee80211com *ic, struct ieee80211_node *ni)
2047 {
2048 const struct ieee80211_rateset *rs = &ni->ni_rates;
2049 struct ieee80211_frame *wh;
2050 struct mbuf *m;
2051 u_int8_t *frm;
2052
2053 m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA,
2054 8 + 2 + 2 +
2055 2 + ((ic->ic_userflags & IEEE80211_F_HIDENWID) ?
2056 0 : ni->ni_esslen) +
2057 2 + min(rs->rs_nrates, IEEE80211_RATE_SIZE) +
2058 2 + 1 +
2059 2 + ((ic->ic_opmode == IEEE80211_M_IBSS) ? 2 : 254) +
2060 ((ic->ic_curmode == IEEE80211_MODE_11G) ? 2 + 1 : 0) +
2061 ((rs->rs_nrates > IEEE80211_RATE_SIZE) ?
2062 2 + rs->rs_nrates - IEEE80211_RATE_SIZE : 0) +
2063 (((ic->ic_flags & IEEE80211_F_RSNON) &&
2064 (ni->ni_rsnprotos & IEEE80211_PROTO_RSN)) ?
2065 2 + IEEE80211_RSNIE_MAXLEN : 0) +
2066 ((ic->ic_flags & IEEE80211_F_QOS) ? 2 + 18 : 0) +
2067 (((ic->ic_flags & IEEE80211_F_RSNON) &&
2068 (ni->ni_rsnprotos & IEEE80211_PROTO_WPA)) ?
2069 2 + IEEE80211_WPAIE_MAXLEN : 0) +
2070 ((ic->ic_flags & IEEE80211_F_HTON) ? 28 + 24 + 26 : 0));
2071 if (m == NULL)
2072 return NULL;
2073
2074 M_PREPEND(m, sizeof(struct ieee80211_frame), M_DONTWAIT);
2075 if (m == NULL)
2076 return NULL;
2077 wh = mtod(m, struct ieee80211_frame *);
2078 wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_MGT |
2079 IEEE80211_FC0_SUBTYPE_BEACON;
2080 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS;
2081 *(u_int16_t *)wh->i_dur = 0;
2082 IEEE80211_ADDR_COPY(wh->i_addr1, etherbroadcastaddr);
2083 IEEE80211_ADDR_COPY(wh->i_addr2, ic->ic_myaddr);
2084 IEEE80211_ADDR_COPY(wh->i_addr3, ni->ni_bssid);
2085 *(u_int16_t *)wh->i_seq = 0;
2086
2087 frm = (u_int8_t *)&wh[1];
2088 memset(frm, 0, 8); frm += 8; /* timestamp is set by hardware */
2089 LE_WRITE_2(frm, ni->ni_intval); frm += 2;
2090 frm = ieee80211_add_capinfo(frm, ic, ni);
2091 if (ic->ic_userflags & IEEE80211_F_HIDENWID)
2092 frm = ieee80211_add_ssid(frm, NULL, 0);
2093 else
2094 frm = ieee80211_add_ssid(frm, ni->ni_essid, ni->ni_esslen);
2095 frm = ieee80211_add_rates(frm, rs);
2096 frm = ieee80211_add_ds_params(frm, ic, ni);
2097 if (ic->ic_opmode == IEEE80211_M_IBSS)
2098 frm = ieee80211_add_ibss_params(frm, ni);
2099 else
2100 frm = ieee80211_add_tim(frm, ic);
2101 if (ic->ic_curmode == IEEE80211_MODE_11G)
2102 frm = ieee80211_add_erp(frm, ic);
2103 if (rs->rs_nrates > IEEE80211_RATE_SIZE)
2104 frm = ieee80211_add_xrates(frm, rs);
2105 if ((ic->ic_flags & IEEE80211_F_RSNON) &&
2106 (ni->ni_rsnprotos & IEEE80211_PROTO_RSN))
2107 frm = ieee80211_add_rsn(frm, ic, ni);
2108 if (ic->ic_flags & IEEE80211_F_QOS)
2109 frm = ieee80211_add_edca_params(frm, ic);
2110 if ((ic->ic_flags & IEEE80211_F_RSNON) &&
2111 (ni->ni_rsnprotos & IEEE80211_PROTO_WPA))
2112 frm = ieee80211_add_wpa(frm, ic, ni);
2113 if (ic->ic_flags & IEEE80211_F_HTON) {
2114 frm = ieee80211_add_htcaps(frm, ic);
2115 frm = ieee80211_add_htop(frm, ic);
2116 frm = ieee80211_add_wme_param(frm, ic);
2117 }
2118
2119 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *);
2120 m->m_pkthdr.ph_cookie = ni;
2121
2122 return m;
2123 }
2124
2125 /*
2126 * Check if an outgoing MSDU or management frame should be buffered into
2127 * the AP for power management. Return 1 if the frame was buffered into
2128 * the AP, or 0 if the frame shall be transmitted immediately.
2129 */
2130 int
ieee80211_pwrsave(struct ieee80211com * ic,struct mbuf * m,struct ieee80211_node * ni)2131 ieee80211_pwrsave(struct ieee80211com *ic, struct mbuf *m,
2132 struct ieee80211_node *ni)
2133 {
2134 const struct ieee80211_frame *wh;
2135 int pssta = 0;
2136
2137 KASSERT(ic->ic_opmode == IEEE80211_M_HOSTAP);
2138 if (!(ic->ic_caps & IEEE80211_C_APPMGT))
2139 return 0;
2140
2141 wh = mtod(m, struct ieee80211_frame *);
2142 if (IEEE80211_IS_MULTICAST(wh->i_addr1)) {
2143 /*
2144 * Buffer group addressed MSDUs with the Order bit clear
2145 * if any associated STAs are in PS mode.
2146 */
2147 ieee80211_iterate_nodes(ic, ieee80211_count_pssta, &pssta);
2148 if ((wh->i_fc[1] & IEEE80211_FC1_ORDER) || pssta == 0)
2149 return 0;
2150 ic->ic_tim_mcast_pending = 1;
2151 } else {
2152 /*
2153 * Buffer MSDUs, A-MSDUs or management frames destined for
2154 * PS STAs.
2155 */
2156 if (ni->ni_pwrsave == IEEE80211_PS_AWAKE ||
2157 (wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK) ==
2158 IEEE80211_FC0_TYPE_CTL)
2159 return 0;
2160 if (mq_empty(&ni->ni_savedq))
2161 (*ic->ic_set_tim)(ic, ni->ni_associd, 1);
2162 }
2163 /* NB: ni == ic->ic_bss for broadcast/multicast */
2164 /*
2165 * Similar to ieee80211_mgmt_output, store the node in a
2166 * special pkthdr field.
2167 */
2168 m->m_pkthdr.ph_cookie = ni;
2169 mq_enqueue(&ni->ni_savedq, m);
2170 return 1;
2171 }
2172 #endif /* IEEE80211_STA_ONLY */
2173