xref: /haiku/src/libs/compat/openbsd_wlan/net80211/ieee80211_output.c (revision 13581b3d2a71545960b98fefebc5225b5bf29072)
1 /*	$OpenBSD: ieee80211_output.c,v 1.139 2024/05/08 14:02:59 stsp Exp $	*/
2 /*	$NetBSD: ieee80211_output.c,v 1.13 2004/05/31 11:02:55 dyoung Exp $	*/
3 
4 /*-
5  * Copyright (c) 2001 Atsushi Onoe
6  * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting
7  * Copyright (c) 2007-2009 Damien Bergamini
8  * All rights reserved.
9  *
10  * Redistribution and use in source and binary forms, with or without
11  * modification, are permitted provided that the following conditions
12  * are met:
13  * 1. Redistributions of source code must retain the above copyright
14  *    notice, this list of conditions and the following disclaimer.
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in the
17  *    documentation and/or other materials provided with the distribution.
18  * 3. The name of the author may not be used to endorse or promote products
19  *    derived from this software without specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
22  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
23  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
24  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
25  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
26  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
27  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
28  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
29  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
30  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31  */
32 
33 #include "bpfilter.h"
34 #include "vlan.h"
35 
36 #include <sys/param.h>
37 #include <sys/systm.h>
38 #include <sys/mbuf.h>
39 #include <sys/kernel.h>
40 #include <sys/socket.h>
41 #include <sys/sockio.h>
42 #include <sys/endian.h>
43 #include <sys/errno.h>
44 #include <sys/sysctl.h>
45 
46 #include <net/if.h>
47 #include <net/if_dl.h>
48 #include <net/if_media.h>
49 #include <net/if_llc.h>
50 #include <net/bpf.h>
51 
52 #include <netinet/in.h>
53 #include <netinet/if_ether.h>
54 #include <netinet/ip.h>
55 #ifdef INET6
56 #include <netinet/ip6.h>
57 #endif
58 
59 #if NVLAN > 0
60 #include <net/if_vlan_var.h>
61 #endif
62 
63 #include <net80211/ieee80211_var.h>
64 #include <net80211/ieee80211_priv.h>
65 
66 int	ieee80211_mgmt_output(struct ifnet *, struct ieee80211_node *,
67 	    struct mbuf *, int);
68 int	ieee80211_can_use_ampdu(struct ieee80211com *,
69 	    struct ieee80211_node *);
70 u_int8_t *ieee80211_add_rsn_body(u_int8_t *, struct ieee80211com *,
71 	    const struct ieee80211_node *, int);
72 struct	mbuf *ieee80211_getmgmt(int, int, u_int);
73 struct	mbuf *ieee80211_get_probe_req(struct ieee80211com *,
74 	    struct ieee80211_node *);
75 #ifndef IEEE80211_STA_ONLY
76 struct	mbuf *ieee80211_get_probe_resp(struct ieee80211com *);
77 #endif
78 struct	mbuf *ieee80211_get_auth(struct ieee80211com *,
79 	    struct ieee80211_node *, u_int16_t, u_int16_t);
80 struct	mbuf *ieee80211_get_deauth(struct ieee80211com *,
81 	    struct ieee80211_node *, u_int16_t);
82 struct	mbuf *ieee80211_get_assoc_req(struct ieee80211com *,
83 	    struct ieee80211_node *, int);
84 #ifndef IEEE80211_STA_ONLY
85 struct	mbuf *ieee80211_get_assoc_resp(struct ieee80211com *,
86 	    struct ieee80211_node *, u_int16_t);
87 #endif
88 struct	mbuf *ieee80211_get_disassoc(struct ieee80211com *,
89 	    struct ieee80211_node *, u_int16_t);
90 struct	mbuf *ieee80211_get_addba_req(struct ieee80211com *,
91 	    struct ieee80211_node *, u_int8_t);
92 struct	mbuf *ieee80211_get_addba_resp(struct ieee80211com *,
93 	    struct ieee80211_node *, u_int8_t, u_int8_t, u_int16_t);
94 struct	mbuf *ieee80211_get_delba(struct ieee80211com *,
95 	    struct ieee80211_node *, u_int8_t, u_int8_t, u_int16_t);
96 uint8_t *ieee80211_add_wme_info(uint8_t *, struct ieee80211com *);
97 #ifndef IEEE80211_STA_ONLY
98 uint8_t *ieee80211_add_wme_param(uint8_t *, struct ieee80211com *);
99 #endif
100 struct	mbuf *ieee80211_get_sa_query(struct ieee80211com *,
101 	    struct ieee80211_node *, u_int8_t);
102 struct	mbuf *ieee80211_get_action(struct ieee80211com *,
103 	    struct ieee80211_node *, u_int8_t, u_int8_t, int);
104 
105 /*
106  * IEEE 802.11 output routine. Normally this will directly call the
107  * Ethernet output routine because 802.11 encapsulation is called
108  * later by the driver. This function can be used to send raw frames
109  * if the mbuf has been tagged with a 802.11 data link type.
110  */
111 int
112 ieee80211_output(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst,
113     struct rtentry *rt)
114 {
115 	struct ieee80211_frame *wh;
116 	struct m_tag *mtag;
117 	int error = 0;
118 
119 	/* Interface has to be up and running */
120 	if ((ifp->if_flags & (IFF_UP | IFF_RUNNING)) !=
121 	    (IFF_UP | IFF_RUNNING)) {
122 		error = ENETDOWN;
123 		goto bad;
124 	}
125 
126 #ifdef PACKET_TAG_DLT
127 	/* Try to get the DLT from a mbuf tag */
128 	if ((mtag = m_tag_find(m, PACKET_TAG_DLT, NULL)) != NULL) {
129 		struct ieee80211com *ic = (void *)ifp;
130 		u_int dlt = *(u_int *)(mtag + 1);
131 
132 		/* Fallback to ethernet for non-802.11 linktypes */
133 		if (!(dlt == DLT_IEEE802_11 || dlt == DLT_IEEE802_11_RADIO))
134 			goto fallback;
135 
136 		if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min))
137 			return (EINVAL);
138 		wh = mtod(m, struct ieee80211_frame *);
139 		if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) !=
140 		    IEEE80211_FC0_VERSION_0)
141 			return (EINVAL);
142 		if (!(ic->ic_caps & IEEE80211_C_RAWCTL) &&
143 		    (wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK) ==
144 		    IEEE80211_FC0_TYPE_CTL)
145 			return (EINVAL);
146 
147 		return (if_enqueue(ifp, m));
148 	}
149 #endif
150 
151  fallback:
152 	return (ether_output(ifp, m, dst, rt));
153 
154  bad:
155 	m_freem(m);
156 	return (error);
157 }
158 
159 const char *
160 ieee80211_action_name(struct ieee80211_frame *wh)
161 {
162 	const u_int8_t *frm = (const uint8_t *)&wh[1];
163 	const char *categ_ba_name[3] = { "addba_req", "addba_resp", "delba" };
164 
165 	if (frm[0] == IEEE80211_CATEG_BA && frm[1] < nitems(categ_ba_name))
166 		return categ_ba_name[frm[1]];
167 
168 	return "action";
169 }
170 
171 /*
172  * Send a management frame to the specified node.  The node pointer
173  * must have a reference as the pointer will be passed to the driver
174  * and potentially held for a long time.  If the frame is successfully
175  * dispatched to the driver, then it is responsible for freeing the
176  * reference (and potentially free'ing up any associated storage).
177  */
178 int
179 ieee80211_mgmt_output(struct ifnet *ifp, struct ieee80211_node *ni,
180     struct mbuf *m, int type)
181 {
182 	struct ieee80211com *ic = (void *)ifp;
183 	struct ieee80211_frame *wh;
184 
185 	if (ni == NULL)
186 		panic("null node");
187 	ni->ni_inact = 0;
188 
189 	/*
190 	 * We want to pass the node down to the driver's start
191 	 * routine.  We could stick this in an m_tag and tack that
192 	 * on to the mbuf.  However that's rather expensive to do
193 	 * for every frame so instead we stuff it in a special pkthdr
194 	 * field.
195 	 */
196 	M_PREPEND(m, sizeof(struct ieee80211_frame), M_DONTWAIT);
197 	if (m == NULL)
198 		return ENOMEM;
199 	m->m_pkthdr.ph_cookie = ni;
200 
201 	wh = mtod(m, struct ieee80211_frame *);
202 	wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_MGT | type;
203 	wh->i_fc[1] = IEEE80211_FC1_DIR_NODS;
204 	*(u_int16_t *)&wh->i_dur[0] = 0;
205 	*(u_int16_t *)&wh->i_seq[0] =
206 	    htole16(ni->ni_txseq << IEEE80211_SEQ_SEQ_SHIFT);
207 	ni->ni_txseq = (ni->ni_txseq + 1) & 0xfff;
208 	IEEE80211_ADDR_COPY(wh->i_addr1, ni->ni_macaddr);
209 	IEEE80211_ADDR_COPY(wh->i_addr2, ic->ic_myaddr);
210 	IEEE80211_ADDR_COPY(wh->i_addr3, ni->ni_bssid);
211 
212 	/* check if protection is required for this mgmt frame */
213 	if ((ic->ic_caps & IEEE80211_C_MFP) &&
214 	    (type == IEEE80211_FC0_SUBTYPE_DISASSOC ||
215 	     type == IEEE80211_FC0_SUBTYPE_DEAUTH ||
216 	     type == IEEE80211_FC0_SUBTYPE_ACTION)) {
217 		/*
218 		 * Hack: we should not set the Protected bit in outgoing
219 		 * group management frames, however it is used as an
220 		 * indication to the drivers that they must encrypt the
221 		 * frame.  Drivers should clear this bit from group
222 		 * management frames (software crypto code will do it).
223 		 * XXX could use an mbuf flag..
224 		 */
225 		if (IEEE80211_IS_MULTICAST(wh->i_addr1) ||
226 		    (ni->ni_flags & IEEE80211_NODE_TXMGMTPROT))
227 			wh->i_fc[1] |= IEEE80211_FC1_PROTECTED;
228 	}
229 
230 	if (ifp->if_flags & IFF_DEBUG) {
231 		/* avoid to print too many frames */
232 		if (
233 #ifndef IEEE80211_STA_ONLY
234 		    ic->ic_opmode == IEEE80211_M_IBSS ||
235 #endif
236 #ifdef IEEE80211_DEBUG
237 		    ieee80211_debug > 1 ||
238 #endif
239 		    (type & IEEE80211_FC0_SUBTYPE_MASK) !=
240 		    IEEE80211_FC0_SUBTYPE_PROBE_RESP) {
241 			const char *subtype_name;
242 			if ((type & IEEE80211_FC0_SUBTYPE_MASK) ==
243 			    IEEE80211_FC0_SUBTYPE_ACTION)
244 				subtype_name = ieee80211_action_name(wh);
245 			else
246 				subtype_name = ieee80211_mgt_subtype_name[
247 				    (type & IEEE80211_FC0_SUBTYPE_MASK) >>
248 				    IEEE80211_FC0_SUBTYPE_SHIFT];
249 			printf("%s: sending %s to %s on channel %u mode %s\n",
250 			    ifp->if_xname, subtype_name,
251 			    ether_sprintf(ni->ni_macaddr),
252 			    ieee80211_chan2ieee(ic, ni->ni_chan),
253 			    ieee80211_phymode_name[ic->ic_curmode]);
254 		}
255 	}
256 
257 #ifndef IEEE80211_STA_ONLY
258 	if (ic->ic_opmode == IEEE80211_M_HOSTAP &&
259 	    ieee80211_pwrsave(ic, m, ni) != 0)
260 		return 0;
261 #endif
262 	mq_enqueue(&ic->ic_mgtq, m);
263 	ifp->if_timer = 1;
264 	if_start(ifp);
265 	return 0;
266 }
267 
268 /*-
269  * EDCA tables are computed using the following formulas:
270  *
271  * 1) EDCATable (non-AP QSTA)
272  *
273  * AC     CWmin 	   CWmax	   AIFSN  TXOP limit(ms)
274  * -------------------------------------------------------------
275  * AC_BK  aCWmin	   aCWmax	   7	  0
276  * AC_BE  aCWmin	   aCWmax	   3	  0
277  * AC_VI  (aCWmin+1)/2-1   aCWmin	   2	  agn=3.008 b=6.016 others=0
278  * AC_VO  (aCWmin+1)/4-1   (aCWmin+1)/2-1  2	  agn=1.504 b=3.264 others=0
279  *
280  * 2) QAPEDCATable (QAP)
281  *
282  * AC     CWmin 	   CWmax	   AIFSN  TXOP limit(ms)
283  * -------------------------------------------------------------
284  * AC_BK  aCWmin	   aCWmax	   7	  0
285  * AC_BE  aCWmin	   4*(aCWmin+1)-1  3	  0
286  * AC_VI  (aCWmin+1)/2-1   aCWmin	   1	  agn=3.008 b=6.016 others=0
287  * AC_VO  (aCWmin+1)/4-1   (aCWmin+1)/2-1  1	  agn=1.504 b=3.264 others=0
288  *
289  * and the following aCWmin/aCWmax values:
290  *
291  * PHY		aCWmin	aCWmax
292  * ---------------------------
293  * 11A		15	1023
294  * 11B  	31	1023
295  * 11G		15*	1023	(*) aCWmin(1)
296  * 11N		15	1023
297  */
298 const struct ieee80211_edca_ac_params
299     ieee80211_edca_table[IEEE80211_MODE_MAX][EDCA_NUM_AC] = {
300 	[IEEE80211_MODE_11B] = {
301 		[EDCA_AC_BK] = { 5, 10, 7,   0 },
302 		[EDCA_AC_BE] = { 5, 10, 3,   0 },
303 		[EDCA_AC_VI] = { 4,  5, 2, 188 },
304 		[EDCA_AC_VO] = { 3,  4, 2, 102 }
305 	},
306 	[IEEE80211_MODE_11A] = {
307 		[EDCA_AC_BK] = { 4, 10, 7,   0 },
308 		[EDCA_AC_BE] = { 4, 10, 3,   0 },
309 		[EDCA_AC_VI] = { 3,  4, 2,  94 },
310 		[EDCA_AC_VO] = { 2,  3, 2,  47 }
311 	},
312 	[IEEE80211_MODE_11G] = {
313 		[EDCA_AC_BK] = { 4, 10, 7,   0 },
314 		[EDCA_AC_BE] = { 4, 10, 3,   0 },
315 		[EDCA_AC_VI] = { 3,  4, 2,  94 },
316 		[EDCA_AC_VO] = { 2,  3, 2,  47 }
317 	},
318 	[IEEE80211_MODE_11N] = {
319 		[EDCA_AC_BK] = { 4, 10, 7,   0 },
320 		[EDCA_AC_BE] = { 4, 10, 3,   0 },
321 		[EDCA_AC_VI] = { 3,  4, 2,  94 },
322 		[EDCA_AC_VO] = { 2,  3, 2,  47 }
323 	},
324 	[IEEE80211_MODE_11AC] = {
325 		[EDCA_AC_BK] = { 4, 10, 7,   0 },
326 		[EDCA_AC_BE] = { 4, 10, 3,   0 },
327 		[EDCA_AC_VI] = { 3,  4, 2,  94 },
328 		[EDCA_AC_VO] = { 2,  3, 2,  47 }
329 	},
330 };
331 
332 #ifndef IEEE80211_STA_ONLY
333 const struct ieee80211_edca_ac_params
334     ieee80211_qap_edca_table[IEEE80211_MODE_MAX][EDCA_NUM_AC] = {
335 	[IEEE80211_MODE_11B] = {
336 		[EDCA_AC_BK] = { 5, 10, 7,   0 },
337 		[EDCA_AC_BE] = { 5,  7, 3,   0 },
338 		[EDCA_AC_VI] = { 4,  5, 1, 188 },
339 		[EDCA_AC_VO] = { 3,  4, 1, 102 }
340 	},
341 	[IEEE80211_MODE_11A] = {
342 		[EDCA_AC_BK] = { 4, 10, 7,   0 },
343 		[EDCA_AC_BE] = { 4,  6, 3,   0 },
344 		[EDCA_AC_VI] = { 3,  4, 1,  94 },
345 		[EDCA_AC_VO] = { 2,  3, 1,  47 }
346 	},
347 	[IEEE80211_MODE_11G] = {
348 		[EDCA_AC_BK] = { 4, 10, 7,   0 },
349 		[EDCA_AC_BE] = { 4,  6, 3,   0 },
350 		[EDCA_AC_VI] = { 3,  4, 1,  94 },
351 		[EDCA_AC_VO] = { 2,  3, 1,  47 }
352 	},
353 	[IEEE80211_MODE_11N] = {
354 		[EDCA_AC_BK] = { 4, 10, 7,   0 },
355 		[EDCA_AC_BE] = { 4,  6, 3,   0 },
356 		[EDCA_AC_VI] = { 3,  4, 1,  94 },
357 		[EDCA_AC_VO] = { 2,  3, 1,  47 }
358 	},
359 	[IEEE80211_MODE_11AC] = {
360 		[EDCA_AC_BK] = { 4, 10, 7,   0 },
361 		[EDCA_AC_BE] = { 4,  6, 3,   0 },
362 		[EDCA_AC_VI] = { 3,  4, 1,  94 },
363 		[EDCA_AC_VO] = { 2,  3, 1,  47 }
364 	},
365 };
366 #endif	/* IEEE80211_STA_ONLY */
367 
368 /*
369  * Return the EDCA Access Category to be used for transmitting a frame with
370  * user-priority `up'.
371  */
372 enum ieee80211_edca_ac
373 ieee80211_up_to_ac(struct ieee80211com *ic, int up)
374 {
375 	/* see Table 9-1 */
376 	static const enum ieee80211_edca_ac up_to_ac[] = {
377 		EDCA_AC_BE,	/* BE */
378 		EDCA_AC_BK,	/* BK */
379 		EDCA_AC_BK,	/* -- */
380 		EDCA_AC_BE,	/* EE */
381 		EDCA_AC_VI,	/* CL */
382 		EDCA_AC_VI,	/* VI */
383 		EDCA_AC_VO,	/* VO */
384 		EDCA_AC_VO	/* NC */
385 	};
386 	enum ieee80211_edca_ac ac;
387 
388 	ac = (up <= 7) ? up_to_ac[up] : EDCA_AC_BE;
389 
390 #ifndef IEEE80211_STA_ONLY
391 	if (ic->ic_opmode == IEEE80211_M_HOSTAP)
392 		return ac;
393 #endif
394 	/*
395 	 * We do not support the admission control procedure defined in
396 	 * IEEE Std 802.11-2012 section 9.19.4.2.3. The spec says that
397 	 * non-AP QSTAs that don't support this procedure shall use EDCA
398 	 * parameters of a lower priority AC that does not require
399 	 * admission control.
400 	 */
401 	while (ac != EDCA_AC_BK && ic->ic_edca_ac[ac].ac_acm) {
402 		switch (ac) {
403 		case EDCA_AC_BK:
404 			/* can't get there */
405 			break;
406 		case EDCA_AC_BE:
407 			/* BE shouldn't require admission control */
408 			ac = EDCA_AC_BK;
409 			break;
410 		case EDCA_AC_VI:
411 			ac = EDCA_AC_BE;
412 			break;
413 		case EDCA_AC_VO:
414 			ac = EDCA_AC_VI;
415 			break;
416 		}
417 	}
418 	return ac;
419 }
420 
421 /*
422  * Get mbuf's user-priority: if mbuf is not VLAN tagged, select user-priority
423  * based on the DSCP (Differentiated Services Codepoint) field.
424  */
425 int
426 ieee80211_classify(struct ieee80211com *ic, struct mbuf *m)
427 {
428 	struct ether_header eh;
429 	u_int8_t ds_field;
430 #if NVLAN > 0
431 	if (m->m_flags & M_VLANTAG)	/* use VLAN 802.1D user-priority */
432 		return EVL_PRIOFTAG(m->m_pkthdr.ether_vtag);
433 #endif
434 	m_copydata(m, 0, sizeof(eh), (caddr_t)&eh);
435 	if (eh.ether_type == htons(ETHERTYPE_IP)) {
436 		struct ip ip;
437 		m_copydata(m, sizeof(eh), sizeof(ip), (caddr_t)&ip);
438 		if (ip.ip_v != 4)
439 			return 0;
440 		ds_field = ip.ip_tos;
441 	}
442 #ifdef INET6
443 	else if (eh.ether_type == htons(ETHERTYPE_IPV6)) {
444 		struct ip6_hdr ip6;
445 		u_int32_t flowlabel;
446 		m_copydata(m, sizeof(eh), sizeof(ip6), (caddr_t)&ip6);
447 		flowlabel = ntohl(ip6.ip6_flow);
448 		if ((flowlabel >> 28) != 6)
449 			return 0;
450 		ds_field = (flowlabel >> 20) & 0xff;
451 	}
452 #endif	/* INET6 */
453 	else	/* neither IPv4 nor IPv6 */
454 		return 0;
455 
456 	/*
457 	 * Map Differentiated Services Codepoint field (see RFC2474).
458 	 * Preserves backward compatibility with IP Precedence field.
459 	 */
460 	switch (ds_field & 0xfc) {
461 #ifdef IPTOS_PREC_PRIORITY
462 	case IPTOS_PREC_PRIORITY:
463 		return EDCA_AC_VI;
464 	case IPTOS_PREC_IMMEDIATE:
465 		return EDCA_AC_BK;
466 	case IPTOS_PREC_FLASH:
467 	case IPTOS_PREC_FLASHOVERRIDE:
468 	case IPTOS_PREC_CRITIC_ECP:
469 	case IPTOS_PREC_INTERNETCONTROL:
470 	case IPTOS_PREC_NETCONTROL:
471 		return EDCA_AC_VO;
472 #endif
473 	default:
474 		return EDCA_AC_BE;
475 	}
476 }
477 
478 int
479 ieee80211_can_use_ampdu(struct ieee80211com *ic, struct ieee80211_node *ni)
480 {
481 	return (ni->ni_flags & IEEE80211_NODE_HT) &&
482 	    (ic->ic_caps & IEEE80211_C_TX_AMPDU) &&
483 	    !(ic->ic_opmode == IEEE80211_M_STA && ni != ic->ic_bss) &&
484 	    /*
485 	     * Don't use A-MPDU on non-encrypted networks. There are devices
486 	     * with buggy firmware which allow an attacker to inject 802.11
487 	     * frames into a wifi network by embedding rogue A-MPDU subframes
488 	     * in an arbitrary data payload (e.g. PNG images) which may end
489 	     * up appearing as actual frames after de-aggregation by a buggy
490 	     * device; see https://github.com/rpp0/aggr-inject for details.
491 	     * WPA2 prevents this injection attack since the attacker would
492 	     * need to inject frames which get decrypted correctly.
493 	     */
494 	    ((ic->ic_flags & IEEE80211_F_RSNON) &&
495 	      (ni->ni_rsnprotos & IEEE80211_PROTO_RSN));
496 }
497 
498 void
499 ieee80211_tx_compressed_bar(struct ieee80211com *ic, struct ieee80211_node *ni,
500     int tid, uint16_t ssn)
501 {
502 	struct ifnet *ifp = &ic->ic_if;
503 	struct mbuf *m;
504 
505 	m = ieee80211_get_compressed_bar(ic, ni, tid, ssn);
506 	if (m == NULL)
507 		return;
508 
509 	ieee80211_ref_node(ni);
510 	if (mq_enqueue(&ic->ic_mgtq, m) == 0)
511 		if_start(ifp);
512 	else
513 		ieee80211_release_node(ic, ni);
514 }
515 
516 /*
517  * Encapsulate an outbound data frame.  The mbuf chain is updated and
518  * a reference to the destination node is returned.  If an error is
519  * encountered NULL is returned and the node reference will also be NULL.
520  *
521  * NB: The caller is responsible for free'ing a returned node reference.
522  *     The convention is ic_bss is not reference counted; the caller must
523  *     maintain that.
524  */
525 struct mbuf *
526 ieee80211_encap(struct ifnet *ifp, struct mbuf *m, struct ieee80211_node **pni)
527 {
528 	struct ieee80211com *ic = (void *)ifp;
529 	struct ether_header eh;
530 	struct ieee80211_frame *wh;
531 	struct ieee80211_node *ni = NULL;
532 	struct llc *llc;
533 	struct m_tag *mtag;
534 	u_int8_t *addr;
535 	u_int dlt, hdrlen;
536 	int addqos, tid;
537 
538 #ifdef PACKET_TAG_DLT
539 	/* Handle raw frames if mbuf is tagged as 802.11 */
540 	if ((mtag = m_tag_find(m, PACKET_TAG_DLT, NULL)) != NULL) {
541 		dlt = *(u_int *)(mtag + 1);
542 
543 		if (!(dlt == DLT_IEEE802_11 || dlt == DLT_IEEE802_11_RADIO))
544 			goto fallback;
545 
546 		wh = mtod(m, struct ieee80211_frame *);
547 		switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) {
548 		case IEEE80211_FC1_DIR_NODS:
549 		case IEEE80211_FC1_DIR_FROMDS:
550 			addr = wh->i_addr1;
551 			break;
552 		case IEEE80211_FC1_DIR_DSTODS:
553 		case IEEE80211_FC1_DIR_TODS:
554 			addr = wh->i_addr3;
555 			break;
556 		default:
557 			goto bad;
558 		}
559 
560 		ni = ieee80211_find_txnode(ic, addr);
561 		if (ni == NULL)
562 			ni = ieee80211_ref_node(ic->ic_bss);
563 		if (ni == NULL) {
564 			printf("%s: no node for dst %s, "
565 			    "discard raw tx frame\n", ifp->if_xname,
566 			    ether_sprintf(addr));
567 			ic->ic_stats.is_tx_nonode++;
568 			goto bad;
569 		}
570 		ni->ni_inact = 0;
571 
572 		*pni = ni;
573 		return (m);
574 	}
575 #endif
576 
577  fallback:
578 	if (ic->ic_opmode == IEEE80211_M_MONITOR)
579 		goto bad;
580 
581 	if (m->m_len < sizeof(struct ether_header)) {
582 		m = m_pullup(m, sizeof(struct ether_header));
583 		if (m == NULL) {
584 			ic->ic_stats.is_tx_nombuf++;
585 			goto bad;
586 		}
587 	}
588 	memcpy(&eh, mtod(m, caddr_t), sizeof(struct ether_header));
589 
590 	ni = ieee80211_find_txnode(ic, eh.ether_dhost);
591 	if (ni == NULL) {
592 		DPRINTF(("no node for dst %s, discard frame\n",
593 		    ether_sprintf(eh.ether_dhost)));
594 		ic->ic_stats.is_tx_nonode++;
595 		goto bad;
596 	}
597 
598 #ifndef IEEE80211_STA_ONLY
599 	if (ic->ic_opmode == IEEE80211_M_HOSTAP && ni != ic->ic_bss &&
600 	    ni->ni_state != IEEE80211_STA_ASSOC) {
601 		ic->ic_stats.is_tx_nonode++;
602 		goto bad;
603 	}
604 #endif
605 
606 	if ((ic->ic_flags & IEEE80211_F_RSNON) &&
607 	    !ni->ni_port_valid &&
608 	    eh.ether_type != htons(ETHERTYPE_EAPOL)) {
609 		DPRINTF(("port not valid: %s\n",
610 		    ether_sprintf(eh.ether_dhost)));
611 		ic->ic_stats.is_tx_noauth++;
612 		goto bad;
613 	}
614 
615 	if ((ic->ic_flags & IEEE80211_F_COUNTERM) &&
616 	    ni->ni_rsncipher == IEEE80211_CIPHER_TKIP)
617 		/* XXX TKIP countermeasures! */;
618 
619 	ni->ni_inact = 0;
620 
621 	if ((ic->ic_flags & IEEE80211_F_QOS) &&
622 	    (ni->ni_flags & IEEE80211_NODE_QOS) &&
623 	    /* do not QoS-encapsulate EAPOL frames */
624 	    eh.ether_type != htons(ETHERTYPE_EAPOL)) {
625 		struct ieee80211_tx_ba *ba;
626 		tid = ieee80211_classify(ic, m);
627 		ba = &ni->ni_tx_ba[tid];
628 		/* We use QoS data frames for aggregation only. */
629 		if (ba->ba_state != IEEE80211_BA_AGREED) {
630 			hdrlen = sizeof(struct ieee80211_frame);
631 			addqos = 0;
632 			if (ieee80211_can_use_ampdu(ic, ni))
633 				ieee80211_node_trigger_addba_req(ni, tid);
634 		} else {
635 			hdrlen = sizeof(struct ieee80211_qosframe);
636 			addqos = 1;
637 		}
638 	} else {
639 		hdrlen = sizeof(struct ieee80211_frame);
640 		addqos = 0;
641 	}
642 	m_adj(m, sizeof(struct ether_header) - LLC_SNAPFRAMELEN);
643 	llc = mtod(m, struct llc *);
644 	llc->llc_dsap = llc->llc_ssap = LLC_SNAP_LSAP;
645 	llc->llc_control = LLC_UI;
646 	llc->llc_snap.org_code[0] = 0;
647 	llc->llc_snap.org_code[1] = 0;
648 	llc->llc_snap.org_code[2] = 0;
649 	llc->llc_snap.ether_type = eh.ether_type;
650 	M_PREPEND(m, hdrlen, M_DONTWAIT);
651 	if (m == NULL) {
652 		ic->ic_stats.is_tx_nombuf++;
653 		goto bad;
654 	}
655 	wh = mtod(m, struct ieee80211_frame *);
656 	wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_DATA;
657 	*(u_int16_t *)&wh->i_dur[0] = 0;
658 	if (addqos) {
659 		struct ieee80211_qosframe *qwh =
660 		    (struct ieee80211_qosframe *)wh;
661 		u_int16_t qos = tid;
662 
663 		if (ic->ic_tid_noack & (1 << tid))
664 			qos |= IEEE80211_QOS_ACK_POLICY_NOACK;
665 		else {
666 			/* Use HT immediate block-ack. */
667 			qos |= IEEE80211_QOS_ACK_POLICY_NORMAL;
668 		}
669 		qwh->i_fc[0] |= IEEE80211_FC0_SUBTYPE_QOS;
670 		*(u_int16_t *)qwh->i_qos = htole16(qos);
671 		*(u_int16_t *)qwh->i_seq =
672 		    htole16(ni->ni_qos_txseqs[tid] << IEEE80211_SEQ_SEQ_SHIFT);
673 		ni->ni_qos_txseqs[tid] = (ni->ni_qos_txseqs[tid] + 1) & 0xfff;
674 	} else {
675 		*(u_int16_t *)&wh->i_seq[0] =
676 		    htole16(ni->ni_txseq << IEEE80211_SEQ_SEQ_SHIFT);
677 		ni->ni_txseq = (ni->ni_txseq + 1) & 0xfff;
678 	}
679 	switch (ic->ic_opmode) {
680 	case IEEE80211_M_STA:
681 		wh->i_fc[1] = IEEE80211_FC1_DIR_TODS;
682 		IEEE80211_ADDR_COPY(wh->i_addr1, ni->ni_bssid);
683 		IEEE80211_ADDR_COPY(wh->i_addr2, eh.ether_shost);
684 		IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_dhost);
685 		break;
686 #ifndef IEEE80211_STA_ONLY
687 	case IEEE80211_M_IBSS:
688 	case IEEE80211_M_AHDEMO:
689 		wh->i_fc[1] = IEEE80211_FC1_DIR_NODS;
690 		IEEE80211_ADDR_COPY(wh->i_addr1, eh.ether_dhost);
691 		IEEE80211_ADDR_COPY(wh->i_addr2, eh.ether_shost);
692 		IEEE80211_ADDR_COPY(wh->i_addr3, ic->ic_bss->ni_bssid);
693 		break;
694 	case IEEE80211_M_HOSTAP:
695 		wh->i_fc[1] = IEEE80211_FC1_DIR_FROMDS;
696 		IEEE80211_ADDR_COPY(wh->i_addr1, eh.ether_dhost);
697 		IEEE80211_ADDR_COPY(wh->i_addr2, ni->ni_bssid);
698 		IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_shost);
699 		break;
700 #endif
701 	default:
702 		/* should not get there */
703 		goto bad;
704 	}
705 
706 	if ((ic->ic_flags & IEEE80211_F_WEPON) ||
707 	    ((ic->ic_flags & IEEE80211_F_RSNON) &&
708 	     (ni->ni_flags & IEEE80211_NODE_TXPROT)))
709 		wh->i_fc[1] |= IEEE80211_FC1_PROTECTED;
710 
711 #ifndef IEEE80211_STA_ONLY
712 	if (ic->ic_opmode == IEEE80211_M_HOSTAP &&
713 	    ieee80211_pwrsave(ic, m, ni) != 0) {
714 		*pni = NULL;
715 		return NULL;
716 	}
717 #endif
718 	*pni = ni;
719 	return m;
720 bad:
721 	m_freem(m);
722 	if (ni != NULL)
723 		ieee80211_release_node(ic, ni);
724 	*pni = NULL;
725 	return NULL;
726 }
727 
728 /*
729  * Add a Capability Information field to a frame (see 7.3.1.4).
730  */
731 u_int8_t *
732 ieee80211_add_capinfo(u_int8_t *frm, struct ieee80211com *ic,
733     const struct ieee80211_node *ni)
734 {
735 	u_int16_t capinfo;
736 
737 #ifndef IEEE80211_STA_ONLY
738 	if (ic->ic_opmode == IEEE80211_M_IBSS)
739 		capinfo = IEEE80211_CAPINFO_IBSS;
740 	else if (ic->ic_opmode == IEEE80211_M_HOSTAP)
741 		capinfo = IEEE80211_CAPINFO_ESS;
742 	else
743 #endif
744 		capinfo = 0;
745 #ifndef IEEE80211_STA_ONLY
746 	if (ic->ic_opmode == IEEE80211_M_HOSTAP &&
747 	    (ic->ic_flags & (IEEE80211_F_WEPON | IEEE80211_F_RSNON)))
748 		capinfo |= IEEE80211_CAPINFO_PRIVACY;
749 #endif
750 	/* NB: some 11a AP's reject the request when short preamble is set */
751 	if ((ic->ic_flags & IEEE80211_F_SHPREAMBLE) &&
752 	    IEEE80211_IS_CHAN_2GHZ(ni->ni_chan))
753 		capinfo |= IEEE80211_CAPINFO_SHORT_PREAMBLE;
754 	if (ic->ic_flags & IEEE80211_F_SHSLOT)
755 		capinfo |= IEEE80211_CAPINFO_SHORT_SLOTTIME;
756 	LE_WRITE_2(frm, capinfo);
757 	return frm + 2;
758 }
759 
760 /*
761  * Add an SSID element to a frame (see 7.3.2.1).
762  */
763 u_int8_t *
764 ieee80211_add_ssid(u_int8_t *frm, const u_int8_t *ssid, u_int len)
765 {
766 	*frm++ = IEEE80211_ELEMID_SSID;
767 	*frm++ = len;
768 	memcpy(frm, ssid, len);
769 	return frm + len;
770 }
771 
772 /*
773  * Add a supported rates element to a frame (see 7.3.2.2).
774  */
775 u_int8_t *
776 ieee80211_add_rates(u_int8_t *frm, const struct ieee80211_rateset *rs)
777 {
778 	int nrates;
779 
780 	*frm++ = IEEE80211_ELEMID_RATES;
781 	nrates = min(rs->rs_nrates, IEEE80211_RATE_SIZE);
782 	*frm++ = nrates;
783 	memcpy(frm, rs->rs_rates, nrates);
784 	return frm + nrates;
785 }
786 
787 #ifndef IEEE80211_STA_ONLY
788 /*
789  * Add a DS Parameter Set element to a frame (see 7.3.2.4).
790  */
791 u_int8_t *
792 ieee80211_add_ds_params(u_int8_t *frm, struct ieee80211com *ic,
793     const struct ieee80211_node *ni)
794 {
795 	*frm++ = IEEE80211_ELEMID_DSPARMS;
796 	*frm++ = 1;
797 	*frm++ = ieee80211_chan2ieee(ic, ni->ni_chan);
798 	return frm;
799 }
800 
801 /*
802  * Add a TIM element to a frame (see 7.3.2.6 and Annex L).
803  */
804 u_int8_t *
805 ieee80211_add_tim(u_int8_t *frm, struct ieee80211com *ic)
806 {
807 	u_int i, offset = 0, len;
808 
809 	/* find first non-zero octet in the virtual bit map */
810 	for (i = 0; i < ic->ic_tim_len && ic->ic_tim_bitmap[i] == 0; i++)
811 		;
812 
813 	/* clear the lsb as it is reserved for the broadcast indication bit */
814 	if (i < ic->ic_tim_len)
815 		offset = i & ~1;
816 
817 	/* find last non-zero octet in the virtual bit map */
818 	for (i = ic->ic_tim_len - 1; i > 0 && ic->ic_tim_bitmap[i] == 0; i--)
819 		;
820 
821 	len = i - offset + 1;
822 
823 	*frm++ = IEEE80211_ELEMID_TIM;
824 	*frm++ = len + 3;		/* length */
825 	*frm++ = ic->ic_dtim_count;	/* DTIM count */
826 	*frm++ = ic->ic_dtim_period;	/* DTIM period */
827 
828 	/* Bitmap Control */
829 	*frm = offset;
830 	/* set broadcast/multicast indication bit if necessary */
831 	if (ic->ic_dtim_count == 0 && ic->ic_tim_mcast_pending)
832 		*frm |= 0x01;
833 	frm++;
834 
835 	/* Partial Virtual Bitmap */
836 	memcpy(frm, &ic->ic_tim_bitmap[offset], len);
837 	return frm + len;
838 }
839 
840 /*
841  * Add an IBSS Parameter Set element to a frame (see 7.3.2.7).
842  */
843 u_int8_t *
844 ieee80211_add_ibss_params(u_int8_t *frm, const struct ieee80211_node *ni)
845 {
846 	*frm++ = IEEE80211_ELEMID_IBSSPARMS;
847 	*frm++ = 2;
848 	LE_WRITE_2(frm, 0);	/* TODO: ATIM window */
849 	return frm + 2;
850 }
851 
852 /*
853  * Add an EDCA Parameter Set element to a frame (see 7.3.2.29).
854  */
855 u_int8_t *
856 ieee80211_add_edca_params(u_int8_t *frm, struct ieee80211com *ic)
857 {
858 	const struct ieee80211_edca_ac_params *edca;
859 	int aci;
860 
861 	*frm++ = IEEE80211_ELEMID_EDCAPARMS;
862 	*frm++ = 18;	/* length */
863 	*frm++ = 0;	/* QoS Info */
864 	*frm++ = 0;	/* reserved */
865 
866 	/* setup AC Parameter Records */
867 	edca = ieee80211_edca_table[ic->ic_curmode];
868 	for (aci = 0; aci < EDCA_NUM_AC; aci++) {
869 		const struct ieee80211_edca_ac_params *ac = &edca[aci];
870 
871 		*frm++ = (aci << 5) | ((ac->ac_acm & 0x1) << 4) |
872 			 (ac->ac_aifsn & 0xf);
873 		*frm++ = (ac->ac_ecwmax << 4) |
874 			 (ac->ac_ecwmin & 0xf);
875 		LE_WRITE_2(frm, ac->ac_txoplimit); frm += 2;
876 	}
877 	return frm;
878 }
879 
880 /*
881  * Add an ERP element to a frame (see 7.3.2.13).
882  */
883 u_int8_t *
884 ieee80211_add_erp(u_int8_t *frm, struct ieee80211com *ic)
885 {
886 	u_int8_t erp;
887 	int nonerpsta = 0;
888 
889 	*frm++ = IEEE80211_ELEMID_ERP;
890 	*frm++ = 1;
891 	erp = 0;
892 	/*
893 	 * The NonERP_Present bit shall be set to 1 when a NonERP STA
894 	 * is associated with the BSS.
895 	 */
896 	ieee80211_iterate_nodes(ic, ieee80211_count_nonerpsta, &nonerpsta);
897 	if (nonerpsta != 0)
898 		erp |= IEEE80211_ERP_NON_ERP_PRESENT;
899 	/*
900 	 * If one or more NonERP STAs are associated in the BSS, the
901 	 * Use_Protection bit shall be set to 1 in transmitted ERP
902 	 * Information Elements.
903 	 */
904 	if (ic->ic_flags & IEEE80211_F_USEPROT)
905 		erp |= IEEE80211_ERP_USE_PROTECTION;
906 	/*
907 	 * The Barker_Preamble_Mode bit shall be set to 1 by the ERP
908 	 * Information Element sender if one or more associated NonERP
909 	 * STAs are not short preamble capable.
910 	 */
911 	if (!(ic->ic_flags & IEEE80211_F_SHPREAMBLE))
912 		erp |= IEEE80211_ERP_BARKER_MODE;
913 	*frm++ = erp;
914 	return frm;
915 }
916 #endif	/* IEEE80211_STA_ONLY */
917 
918 /*
919  * Add a QoS Capability element to a frame (see 7.3.2.35).
920  */
921 u_int8_t *
922 ieee80211_add_qos_capability(u_int8_t *frm, struct ieee80211com *ic)
923 {
924 	*frm++ = IEEE80211_ELEMID_QOS_CAP;
925 	*frm++ = 1;
926 	*frm++ = 0;	/* QoS Info */
927 	return frm;
928 }
929 
930 /*
931  * Add a Wifi-Alliance WME (aka WMM) info element to a frame.
932  * WME is a requirement for Wifi-Alliance compliance and some
933  * 11n APs will not negotiate HT if this element is missing.
934  */
935 uint8_t *
936 ieee80211_add_wme_info(uint8_t *frm, struct ieee80211com *ic)
937 {
938 	*frm++ = IEEE80211_ELEMID_VENDOR;
939 	*frm++ = 7;
940 	memcpy(frm, MICROSOFT_OUI, 3); frm += 3;
941 	*frm++ = 2; /* OUI type */
942 	*frm++ = 0; /* OUI subtype */
943 	*frm++ = 1; /* version */
944 	*frm++ = 0; /* info */
945 
946 	return frm;
947 }
948 
949 #ifndef IEEE80211_STA_ONLY
950 /*
951  * Add a Wifi-Alliance WMM (aka WME) parameter element to a frame.
952  */
953 uint8_t *
954 ieee80211_add_wme_param(uint8_t *frm, struct ieee80211com *ic)
955 {
956 	const struct ieee80211_edca_ac_params *edca;
957 	int aci;
958 
959 	*frm++ = IEEE80211_ELEMID_VENDOR;
960 	*frm++ = 24;
961 	memcpy(frm, MICROSOFT_OUI, 3); frm += 3;
962 	*frm++ = 2; /* OUI type */
963 	*frm++ = 1; /* OUI subtype */
964 	*frm++ = 1; /* version */
965 	*frm++ = 0; /* info */
966 	*frm++ = 0; /* reserved */
967 
968 	/* setup AC Parameter Records */
969 	edca = ieee80211_edca_table[ic->ic_curmode];
970 	for (aci = 0; aci < EDCA_NUM_AC; aci++) {
971 		const struct ieee80211_edca_ac_params *ac = &edca[aci];
972 
973 		*frm++ = (aci << 5) | ((ac->ac_acm & 0x1) << 4) |
974 			 (ac->ac_aifsn & 0xf);
975 		*frm++ = (ac->ac_ecwmax << 4) |
976 			 (ac->ac_ecwmin & 0xf);
977 		LE_WRITE_2(frm, ac->ac_txoplimit); frm += 2;
978 	}
979 
980 	return frm;
981 }
982 #endif
983 
984 /*
985  * Add an RSN element to a frame (see 802.11-2012 8.4.2.27)
986  */
987 u_int8_t *
988 ieee80211_add_rsn_body(u_int8_t *frm, struct ieee80211com *ic,
989     const struct ieee80211_node *ni, int wpa)
990 {
991 	const u_int8_t *oui = wpa ? MICROSOFT_OUI : IEEE80211_OUI;
992 	u_int8_t *pcount;
993 	u_int16_t count, rsncaps;
994 
995 	/* write Version field */
996 	LE_WRITE_2(frm, 1); frm += 2;
997 
998 	/* write Group Data Cipher Suite field (see 802.11-2012 Table 8-99) */
999 	memcpy(frm, oui, 3); frm += 3;
1000 	switch (ni->ni_rsngroupcipher) {
1001 	case IEEE80211_CIPHER_WEP40:
1002 		*frm++ = 1;
1003 		break;
1004 	case IEEE80211_CIPHER_TKIP:
1005 		*frm++ = 2;
1006 		break;
1007 	case IEEE80211_CIPHER_CCMP:
1008 		*frm++ = 4;
1009 		break;
1010 	case IEEE80211_CIPHER_WEP104:
1011 		*frm++ = 5;
1012 		break;
1013 	default:
1014 		/* can't get there */
1015 		panic("invalid group data cipher!");
1016 	}
1017 
1018 	pcount = frm; frm += 2;
1019 	count = 0;
1020 	/* write Pairwise Cipher Suite List */
1021 	if (ni->ni_rsnciphers & IEEE80211_CIPHER_USEGROUP) {
1022 		memcpy(frm, oui, 3); frm += 3;
1023 		*frm++ = 0;
1024 		count++;
1025 	}
1026 	if (ni->ni_rsnciphers & IEEE80211_CIPHER_TKIP) {
1027 		memcpy(frm, oui, 3); frm += 3;
1028 		*frm++ = 2;
1029 		count++;
1030 	}
1031 	if (ni->ni_rsnciphers & IEEE80211_CIPHER_CCMP) {
1032 		memcpy(frm, oui, 3); frm += 3;
1033 		*frm++ = 4;
1034 		count++;
1035 	}
1036 	/* write Pairwise Cipher Suite Count field */
1037 	LE_WRITE_2(pcount, count);
1038 
1039 	pcount = frm; frm += 2;
1040 	count = 0;
1041 	/* write AKM Suite List (see Table 20dc) */
1042 	if (ni->ni_rsnakms & IEEE80211_AKM_8021X) {
1043 		memcpy(frm, oui, 3); frm += 3;
1044 		*frm++ = 1;
1045 		count++;
1046 	}
1047 	if (ni->ni_rsnakms & IEEE80211_AKM_PSK) {
1048 		memcpy(frm, oui, 3); frm += 3;
1049 		*frm++ = 2;
1050 		count++;
1051 	}
1052 	if (!wpa && (ni->ni_rsnakms & IEEE80211_AKM_SHA256_8021X)) {
1053 		memcpy(frm, oui, 3); frm += 3;
1054 		*frm++ = 5;
1055 		count++;
1056 	}
1057 	if (!wpa && (ni->ni_rsnakms & IEEE80211_AKM_SHA256_PSK)) {
1058 		memcpy(frm, oui, 3); frm += 3;
1059 		*frm++ = 6;
1060 		count++;
1061 	}
1062 	/* write AKM Suite List Count field */
1063 	LE_WRITE_2(pcount, count);
1064 
1065 	if (wpa)
1066 		return frm;
1067 
1068 	/* write RSN Capabilities field */
1069 	rsncaps = (ni->ni_rsncaps & (IEEE80211_RSNCAP_PTKSA_RCNT_MASK |
1070 	    IEEE80211_RSNCAP_GTKSA_RCNT_MASK));
1071 	if (ic->ic_caps & IEEE80211_C_MFP) {
1072 		rsncaps |= IEEE80211_RSNCAP_MFPC;
1073 		if (ic->ic_flags & IEEE80211_F_MFPR)
1074 			rsncaps |= IEEE80211_RSNCAP_MFPR;
1075 	}
1076 	if (ic->ic_flags & IEEE80211_F_PBAR)
1077 		rsncaps |= IEEE80211_RSNCAP_PBAC;
1078 	LE_WRITE_2(frm, rsncaps); frm += 2;
1079 
1080 	if (ni->ni_flags & IEEE80211_NODE_PMKID) {
1081 		/* write PMKID Count field */
1082 		LE_WRITE_2(frm, 1); frm += 2;
1083 		/* write PMKID List (only 1) */
1084 		memcpy(frm, ni->ni_pmkid, IEEE80211_PMKID_LEN);
1085 		frm += IEEE80211_PMKID_LEN;
1086 	}
1087 
1088 	if (!(ic->ic_caps & IEEE80211_C_MFP))
1089 		return frm;
1090 
1091 	if ((ni->ni_flags & IEEE80211_NODE_PMKID) == 0) {
1092 		/* no PMKID (PMKID Count=0) */
1093 		LE_WRITE_2(frm, 0); frm += 2;
1094 	}
1095 
1096 	/* write Group Integrity Cipher Suite field */
1097 	memcpy(frm, oui, 3); frm += 3;
1098 	switch (ic->ic_rsngroupmgmtcipher) {
1099 	case IEEE80211_CIPHER_BIP:
1100 		*frm++ = 6;
1101 		break;
1102 	default:
1103 		/* can't get there */
1104 		panic("invalid integrity group cipher!");
1105 	}
1106 	return frm;
1107 }
1108 
1109 u_int8_t *
1110 ieee80211_add_rsn(u_int8_t *frm, struct ieee80211com *ic,
1111     const struct ieee80211_node *ni)
1112 {
1113 	u_int8_t *plen;
1114 
1115 	*frm++ = IEEE80211_ELEMID_RSN;
1116 	plen = frm++;	/* length filled in later */
1117 	frm = ieee80211_add_rsn_body(frm, ic, ni, 0);
1118 
1119 	/* write length field */
1120 	*plen = frm - plen - 1;
1121 	return frm;
1122 }
1123 
1124 /*
1125  * Add a vendor-specific WPA element to a frame.
1126  * This is required for compatibility with Wi-Fi Alliance WPA.
1127  */
1128 u_int8_t *
1129 ieee80211_add_wpa(u_int8_t *frm, struct ieee80211com *ic,
1130     const struct ieee80211_node *ni)
1131 {
1132 	u_int8_t *plen;
1133 
1134 	*frm++ = IEEE80211_ELEMID_VENDOR;
1135 	plen = frm++;	/* length filled in later */
1136 	memcpy(frm, MICROSOFT_OUI, 3); frm += 3;
1137 	*frm++ = 1;	/* WPA */
1138 	frm = ieee80211_add_rsn_body(frm, ic, ni, 1);
1139 
1140 	/* write length field */
1141 	*plen = frm - plen - 1;
1142 	return frm;
1143 }
1144 
1145 /*
1146  * Add an extended supported rates element to a frame (see 7.3.2.14).
1147  */
1148 u_int8_t *
1149 ieee80211_add_xrates(u_int8_t *frm, const struct ieee80211_rateset *rs)
1150 {
1151 	int nrates;
1152 
1153 	KASSERT(rs->rs_nrates > IEEE80211_RATE_SIZE);
1154 
1155 	*frm++ = IEEE80211_ELEMID_XRATES;
1156 	nrates = rs->rs_nrates - IEEE80211_RATE_SIZE;
1157 	*frm++ = nrates;
1158 	memcpy(frm, rs->rs_rates + IEEE80211_RATE_SIZE, nrates);
1159 	return frm + nrates;
1160 }
1161 
1162 /*
1163  * Add an HT Capabilities element to a frame (see 7.3.2.57).
1164  */
1165 u_int8_t *
1166 ieee80211_add_htcaps(u_int8_t *frm, struct ieee80211com *ic)
1167 {
1168 	*frm++ = IEEE80211_ELEMID_HTCAPS;
1169 	*frm++ = 26;
1170 	LE_WRITE_2(frm, ic->ic_htcaps); frm += 2;
1171 	*frm++ = ic->ic_ampdu_params;
1172 	memcpy(frm, ic->ic_sup_mcs, 10); frm += 10;
1173 	LE_WRITE_2(frm, (ic->ic_max_rxrate & IEEE80211_MCS_RX_RATE_HIGH));
1174 	frm += 2;
1175 	*frm++ = ic->ic_tx_mcs_set;
1176 	*frm++ = 0; /* reserved */
1177 	*frm++ = 0; /* reserved */
1178 	*frm++ = 0; /* reserved */
1179 	LE_WRITE_2(frm, ic->ic_htxcaps); frm += 2;
1180 	LE_WRITE_4(frm, ic->ic_txbfcaps); frm += 4;
1181 	*frm++ = ic->ic_aselcaps;
1182 	return frm;
1183 }
1184 
1185 #ifndef IEEE80211_STA_ONLY
1186 /*
1187  * Add an HT Operation element to a frame (see 7.3.2.58).
1188  */
1189 u_int8_t *
1190 ieee80211_add_htop(u_int8_t *frm, struct ieee80211com *ic)
1191 {
1192 	*frm++ = IEEE80211_ELEMID_HTOP;
1193 	*frm++ = 22;
1194 	*frm++ = ieee80211_chan2ieee(ic, ic->ic_bss->ni_chan);
1195 	*frm++ = ic->ic_bss->ni_htop0;
1196 	LE_WRITE_2(frm, ic->ic_bss->ni_htop1); frm += 2;
1197 	LE_WRITE_2(frm, ic->ic_bss->ni_htop2); frm += 2;
1198 	memset(frm, 0, 16); frm += 16;
1199 	return frm;
1200 }
1201 #endif	/* !IEEE80211_STA_ONLY */
1202 
1203 /*
1204  * Add a VHT Capabilities element to a frame (see 802.11ac-2013 8.4.2.160.2).
1205  */
1206 u_int8_t *
1207 ieee80211_add_vhtcaps(u_int8_t *frm, struct ieee80211com *ic)
1208 {
1209 	*frm++ = IEEE80211_ELEMID_VHTCAPS;
1210 	*frm++ = 12;
1211 	LE_WRITE_4(frm, ic->ic_vhtcaps); frm += 4;
1212 	LE_WRITE_2(frm, ic->ic_vht_rxmcs); frm += 2;
1213 	LE_WRITE_2(frm, ic->ic_vht_rx_max_lgi_mbit_s); frm += 2;
1214 	LE_WRITE_2(frm, ic->ic_vht_txmcs); frm += 2;
1215 	LE_WRITE_2(frm, ic->ic_vht_tx_max_lgi_mbit_s); frm += 2;
1216 	return frm;
1217 }
1218 
1219 #ifndef IEEE80211_STA_ONLY
1220 /*
1221  * Add a Timeout Interval element to a frame (see 7.3.2.49).
1222  */
1223 u_int8_t *
1224 ieee80211_add_tie(u_int8_t *frm, u_int8_t type, u_int32_t value)
1225 {
1226 	*frm++ = IEEE80211_ELEMID_TIE;
1227 	*frm++ = 5;	/* length */
1228 	*frm++ = type;	/* Timeout Interval type */
1229 	LE_WRITE_4(frm, value);
1230 	return frm + 4;
1231 }
1232 #endif
1233 
1234 struct mbuf *
1235 ieee80211_getmgmt(int flags, int type, u_int pktlen)
1236 {
1237 	struct mbuf *m;
1238 
1239 	/* reserve space for 802.11 header */
1240 	pktlen += sizeof(struct ieee80211_frame);
1241 
1242 	if (pktlen > MCLBYTES)
1243 		panic("management frame too large: %u", pktlen);
1244 	MGETHDR(m, flags, type);
1245 	if (m == NULL)
1246 		return NULL;
1247 	if (pktlen > MHLEN) {
1248 		MCLGET(m, flags);
1249 		if (!(m->m_flags & M_EXT))
1250 			return m_free(m);
1251 	}
1252 	m->m_data += sizeof(struct ieee80211_frame);
1253 	return m;
1254 }
1255 
1256 /*-
1257  * Probe request frame format:
1258  * [tlv] SSID
1259  * [tlv] Supported rates
1260  * [tlv] Extended Supported Rates (802.11g)
1261  * [tlv] HT Capabilities (802.11n)
1262  */
1263 struct mbuf *
1264 ieee80211_get_probe_req(struct ieee80211com *ic, struct ieee80211_node *ni)
1265 {
1266 	const struct ieee80211_rateset *rs =
1267 	    &ic->ic_sup_rates[ieee80211_chan2mode(ic, ni->ni_chan)];
1268 	struct mbuf *m;
1269 	u_int8_t *frm;
1270 
1271 	m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA,
1272 	    2 + ic->ic_des_esslen +
1273 	    2 + min(rs->rs_nrates, IEEE80211_RATE_SIZE) +
1274 	    ((rs->rs_nrates > IEEE80211_RATE_SIZE) ?
1275 		2 + rs->rs_nrates - IEEE80211_RATE_SIZE : 0) +
1276 	    ((ic->ic_flags & IEEE80211_F_HTON) ? 28 + 9 : 0) +
1277 	    ((ic->ic_flags & IEEE80211_F_VHTON) ? 14 : 0));
1278 	if (m == NULL)
1279 		return NULL;
1280 
1281 	frm = mtod(m, u_int8_t *);
1282 	frm = ieee80211_add_ssid(frm, ic->ic_des_essid, ic->ic_des_esslen);
1283 	frm = ieee80211_add_rates(frm, rs);
1284 	if (rs->rs_nrates > IEEE80211_RATE_SIZE)
1285 		frm = ieee80211_add_xrates(frm, rs);
1286 	if (ic->ic_flags & IEEE80211_F_HTON) {
1287 		frm = ieee80211_add_htcaps(frm, ic);
1288 		frm = ieee80211_add_wme_info(frm, ic);
1289 	}
1290 	if (ic->ic_flags & IEEE80211_F_VHTON)
1291 		frm = ieee80211_add_htcaps(frm, ic);
1292 
1293 	m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *);
1294 
1295 	return m;
1296 }
1297 
1298 #ifndef IEEE80211_STA_ONLY
1299 /*-
1300  * Probe response frame format:
1301  * [8]   Timestamp
1302  * [2]   Beacon interval
1303  * [2]   Capability
1304  * [tlv] Service Set Identifier (SSID)
1305  * [tlv] Supported rates
1306  * [tlv] DS Parameter Set (802.11g)
1307  * [tlv] ERP Information (802.11g)
1308  * [tlv] Extended Supported Rates (802.11g)
1309  * [tlv] RSN (802.11i)
1310  * [tlv] EDCA Parameter Set (802.11e)
1311  * [tlv] HT Capabilities (802.11n)
1312  * [tlv] HT Operation (802.11n)
1313  */
1314 struct mbuf *
1315 ieee80211_get_probe_resp(struct ieee80211com *ic)
1316 {
1317 	const struct ieee80211_rateset *rs = &ic->ic_bss->ni_rates;
1318 	struct mbuf *m;
1319 	u_int8_t *frm;
1320 
1321 	m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA,
1322 	    8 + 2 + 2 +
1323 	    2 + ic->ic_bss->ni_esslen +
1324 	    2 + min(rs->rs_nrates, IEEE80211_RATE_SIZE) +
1325 	    2 + 1 +
1326 	    ((ic->ic_opmode == IEEE80211_M_IBSS) ? 2 + 2 : 0) +
1327 	    ((ic->ic_curmode == IEEE80211_MODE_11G) ? 2 + 1 : 0) +
1328 	    ((rs->rs_nrates > IEEE80211_RATE_SIZE) ?
1329 		2 + rs->rs_nrates - IEEE80211_RATE_SIZE : 0) +
1330 	    (((ic->ic_flags & IEEE80211_F_RSNON) &&
1331 	      (ic->ic_bss->ni_rsnprotos & IEEE80211_PROTO_RSN)) ?
1332 		2 + IEEE80211_RSNIE_MAXLEN : 0) +
1333 	    ((ic->ic_flags & IEEE80211_F_QOS) ? 2 + 18 : 0) +
1334 	    (((ic->ic_flags & IEEE80211_F_RSNON) &&
1335 	      (ic->ic_bss->ni_rsnprotos & IEEE80211_PROTO_WPA)) ?
1336 		2 + IEEE80211_WPAIE_MAXLEN : 0) +
1337 	    ((ic->ic_flags & IEEE80211_F_HTON) ? 28 + 24 + 26 : 0));
1338 	if (m == NULL)
1339 		return NULL;
1340 
1341 	frm = mtod(m, u_int8_t *);
1342 	memset(frm, 0, 8); frm += 8;	/* timestamp is set by hardware */
1343 	LE_WRITE_2(frm, ic->ic_bss->ni_intval); frm += 2;
1344 	frm = ieee80211_add_capinfo(frm, ic, ic->ic_bss);
1345 	frm = ieee80211_add_ssid(frm, ic->ic_bss->ni_essid,
1346 	    ic->ic_bss->ni_esslen);
1347 	frm = ieee80211_add_rates(frm, rs);
1348 	frm = ieee80211_add_ds_params(frm, ic, ic->ic_bss);
1349 	if (ic->ic_opmode == IEEE80211_M_IBSS)
1350 		frm = ieee80211_add_ibss_params(frm, ic->ic_bss);
1351 	if (ic->ic_curmode == IEEE80211_MODE_11G)
1352 		frm = ieee80211_add_erp(frm, ic);
1353 	if (rs->rs_nrates > IEEE80211_RATE_SIZE)
1354 		frm = ieee80211_add_xrates(frm, rs);
1355 	if ((ic->ic_flags & IEEE80211_F_RSNON) &&
1356 	    (ic->ic_bss->ni_rsnprotos & IEEE80211_PROTO_RSN))
1357 		frm = ieee80211_add_rsn(frm, ic, ic->ic_bss);
1358 	if (ic->ic_flags & IEEE80211_F_QOS)
1359 		frm = ieee80211_add_edca_params(frm, ic);
1360 	if ((ic->ic_flags & IEEE80211_F_RSNON) &&
1361 	    (ic->ic_bss->ni_rsnprotos & IEEE80211_PROTO_WPA))
1362 		frm = ieee80211_add_wpa(frm, ic, ic->ic_bss);
1363 	if (ic->ic_flags & IEEE80211_F_HTON) {
1364 		frm = ieee80211_add_htcaps(frm, ic);
1365 		frm = ieee80211_add_htop(frm, ic);
1366 		frm = ieee80211_add_wme_param(frm, ic);
1367 	}
1368 
1369 	m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *);
1370 
1371 	return m;
1372 }
1373 #endif	/* IEEE80211_STA_ONLY */
1374 
1375 /*-
1376  * Authentication frame format:
1377  * [2] Authentication algorithm number
1378  * [2] Authentication transaction sequence number
1379  * [2] Status code
1380  */
1381 struct mbuf *
1382 ieee80211_get_auth(struct ieee80211com *ic, struct ieee80211_node *ni,
1383     u_int16_t status, u_int16_t seq)
1384 {
1385 	struct mbuf *m;
1386 	u_int8_t *frm;
1387 
1388 	MGETHDR(m, M_DONTWAIT, MT_DATA);
1389 	if (m == NULL)
1390 		return NULL;
1391 	m_align(m, 2 * 3);
1392 	m->m_pkthdr.len = m->m_len = 2 * 3;
1393 
1394 	frm = mtod(m, u_int8_t *);
1395 	LE_WRITE_2(frm, IEEE80211_AUTH_ALG_OPEN); frm += 2;
1396 	LE_WRITE_2(frm, seq); frm += 2;
1397 	LE_WRITE_2(frm, status);
1398 
1399 	return m;
1400 }
1401 
1402 /*-
1403  * Deauthentication frame format:
1404  * [2] Reason code
1405  */
1406 struct mbuf *
1407 ieee80211_get_deauth(struct ieee80211com *ic, struct ieee80211_node *ni,
1408     u_int16_t reason)
1409 {
1410 	struct mbuf *m;
1411 
1412 	MGETHDR(m, M_DONTWAIT, MT_DATA);
1413 	if (m == NULL)
1414 		return NULL;
1415 	m_align(m, 2);
1416 	m->m_pkthdr.len = m->m_len = 2;
1417 
1418 	*mtod(m, u_int16_t *) = htole16(reason);
1419 
1420 	return m;
1421 }
1422 
1423 /*-
1424  * (Re)Association request frame format:
1425  * [2]   Capability information
1426  * [2]   Listen interval
1427  * [6*]  Current AP address (Reassociation only)
1428  * [tlv] SSID
1429  * [tlv] Supported rates
1430  * [tlv] Extended Supported Rates (802.11g)
1431  * [tlv] RSN (802.11i)
1432  * [tlv] QoS Capability (802.11e)
1433  * [tlv] HT Capabilities (802.11n)
1434  */
1435 struct mbuf *
1436 ieee80211_get_assoc_req(struct ieee80211com *ic, struct ieee80211_node *ni,
1437     int type)
1438 {
1439 	const struct ieee80211_rateset *rs = &ni->ni_rates;
1440 	struct mbuf *m;
1441 	u_int8_t *frm;
1442 	u_int16_t capinfo;
1443 
1444 	m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA,
1445 	    2 + 2 +
1446 	    ((type == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) ?
1447 		IEEE80211_ADDR_LEN : 0) +
1448 	    2 + ni->ni_esslen +
1449 	    2 + min(rs->rs_nrates, IEEE80211_RATE_SIZE) +
1450 	    ((rs->rs_nrates > IEEE80211_RATE_SIZE) ?
1451 		2 + rs->rs_nrates - IEEE80211_RATE_SIZE : 0) +
1452 	    (((ic->ic_flags & IEEE80211_F_RSNON) &&
1453 	      (ni->ni_rsnprotos & IEEE80211_PROTO_RSN)) ?
1454 		2 + IEEE80211_RSNIE_MAXLEN : 0) +
1455 	    ((ni->ni_flags & IEEE80211_NODE_QOS) ? 2 + 1 : 0) +
1456 	    (((ic->ic_flags & IEEE80211_F_RSNON) &&
1457 	      (ni->ni_rsnprotos & IEEE80211_PROTO_WPA)) ?
1458 		2 + IEEE80211_WPAIE_MAXLEN : 0) +
1459 	    ((ic->ic_flags & IEEE80211_F_HTON) ? 28 + 9 : 0) +
1460 	    ((ic->ic_flags & IEEE80211_F_VHTON) ? 14 : 0));
1461 	if (m == NULL)
1462 		return NULL;
1463 
1464 	frm = mtod(m, u_int8_t *);
1465 	capinfo = IEEE80211_CAPINFO_ESS;
1466 	if (ic->ic_flags & IEEE80211_F_WEPON)
1467 		capinfo |= IEEE80211_CAPINFO_PRIVACY;
1468 	if ((ic->ic_flags & IEEE80211_F_SHPREAMBLE) &&
1469 	    IEEE80211_IS_CHAN_2GHZ(ni->ni_chan))
1470 		capinfo |= IEEE80211_CAPINFO_SHORT_PREAMBLE;
1471 	if (ic->ic_caps & IEEE80211_C_SHSLOT)
1472 		capinfo |= IEEE80211_CAPINFO_SHORT_SLOTTIME;
1473 	LE_WRITE_2(frm, capinfo); frm += 2;
1474 	LE_WRITE_2(frm, ic->ic_lintval); frm += 2;
1475 	if (type == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) {
1476 		IEEE80211_ADDR_COPY(frm, ic->ic_bss->ni_bssid);
1477 		frm += IEEE80211_ADDR_LEN;
1478 	}
1479 	frm = ieee80211_add_ssid(frm, ni->ni_essid, ni->ni_esslen);
1480 	frm = ieee80211_add_rates(frm, rs);
1481 	if (rs->rs_nrates > IEEE80211_RATE_SIZE)
1482 		frm = ieee80211_add_xrates(frm, rs);
1483 	if ((ic->ic_flags & IEEE80211_F_RSNON) &&
1484 	    (ni->ni_rsnprotos & IEEE80211_PROTO_RSN))
1485 		frm = ieee80211_add_rsn(frm, ic, ni);
1486 	if (ni->ni_flags & IEEE80211_NODE_QOS)
1487 		frm = ieee80211_add_qos_capability(frm, ic);
1488 	if ((ic->ic_flags & IEEE80211_F_RSNON) &&
1489 	    (ni->ni_rsnprotos & IEEE80211_PROTO_WPA))
1490 		frm = ieee80211_add_wpa(frm, ic, ni);
1491 	if (ic->ic_flags & IEEE80211_F_HTON) {
1492 		frm = ieee80211_add_htcaps(frm, ic);
1493 		frm = ieee80211_add_wme_info(frm, ic);
1494 	}
1495 	if (ic->ic_flags & IEEE80211_F_VHTON)
1496 		frm = ieee80211_add_vhtcaps(frm, ic);
1497 
1498 	m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *);
1499 
1500 	return m;
1501 }
1502 
1503 #ifndef IEEE80211_STA_ONLY
1504 /*-
1505  * (Re)Association response frame format:
1506  * [2]   Capability information
1507  * [2]   Status code
1508  * [2]   Association ID (AID)
1509  * [tlv] Supported rates
1510  * [tlv] Extended Supported Rates (802.11g)
1511  * [tlv] EDCA Parameter Set (802.11e)
1512  * [tlv] Timeout Interval (802.11w)
1513  * [tlv] HT Capabilities (802.11n)
1514  * [tlv] HT Operation (802.11n)
1515  */
1516 struct mbuf *
1517 ieee80211_get_assoc_resp(struct ieee80211com *ic, struct ieee80211_node *ni,
1518     u_int16_t status)
1519 {
1520 	const struct ieee80211_rateset *rs = &ni->ni_rates;
1521 	struct mbuf *m;
1522 	u_int8_t *frm;
1523 
1524 	m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA,
1525 	    2 + 2 + 2 +
1526 	    2 + min(rs->rs_nrates, IEEE80211_RATE_SIZE) +
1527 	    ((rs->rs_nrates > IEEE80211_RATE_SIZE) ?
1528 		2 + rs->rs_nrates - IEEE80211_RATE_SIZE : 0) +
1529 	    ((ni->ni_flags & IEEE80211_NODE_QOS) ? 2 + 18 : 0) +
1530 	    ((status == IEEE80211_STATUS_TRY_AGAIN_LATER) ? 2 + 7 : 0) +
1531 	    ((ic->ic_flags & IEEE80211_F_HTON) ? 28 + 24 + 26 : 0));
1532 	if (m == NULL)
1533 		return NULL;
1534 
1535 	frm = mtod(m, u_int8_t *);
1536 	frm = ieee80211_add_capinfo(frm, ic, ni);
1537 	LE_WRITE_2(frm, status); frm += 2;
1538 	if (status == IEEE80211_STATUS_SUCCESS)
1539 		LE_WRITE_2(frm, ni->ni_associd);
1540 	else
1541 		LE_WRITE_2(frm, 0);
1542 	frm += 2;
1543 	frm = ieee80211_add_rates(frm, rs);
1544 	if (rs->rs_nrates > IEEE80211_RATE_SIZE)
1545 		frm = ieee80211_add_xrates(frm, rs);
1546 	if (ni->ni_flags & IEEE80211_NODE_QOS)
1547 		frm = ieee80211_add_edca_params(frm, ic);
1548 	if ((ni->ni_flags & IEEE80211_NODE_MFP) &&
1549 	    status == IEEE80211_STATUS_TRY_AGAIN_LATER) {
1550 		/* Association Comeback Time */
1551 		frm = ieee80211_add_tie(frm, 3, 1000 /* XXX */);
1552 	}
1553 	if (ic->ic_flags & IEEE80211_F_HTON) {
1554 		frm = ieee80211_add_htcaps(frm, ic);
1555 		frm = ieee80211_add_htop(frm, ic);
1556 		frm = ieee80211_add_wme_param(frm, ic);
1557 	}
1558 
1559 	m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *);
1560 
1561 	return m;
1562 }
1563 #endif	/* IEEE80211_STA_ONLY */
1564 
1565 /*-
1566  * Disassociation frame format:
1567  * [2] Reason code
1568  */
1569 struct mbuf *
1570 ieee80211_get_disassoc(struct ieee80211com *ic, struct ieee80211_node *ni,
1571     u_int16_t reason)
1572 {
1573 	struct mbuf *m;
1574 
1575 	MGETHDR(m, M_DONTWAIT, MT_DATA);
1576 	if (m == NULL)
1577 		return NULL;
1578 	m_align(m, 2);
1579 	m->m_pkthdr.len = m->m_len = 2;
1580 
1581 	*mtod(m, u_int16_t *) = htole16(reason);
1582 
1583 	return m;
1584 }
1585 
1586 /*-
1587  * ADDBA Request frame format:
1588  * [1] Category
1589  * [1] Action
1590  * [1] Dialog Token
1591  * [2] Block Ack Parameter Set
1592  * [2] Block Ack Timeout Value
1593  * [2] Block Ack Starting Sequence Control
1594  */
1595 struct mbuf *
1596 ieee80211_get_addba_req(struct ieee80211com *ic, struct ieee80211_node *ni,
1597     u_int8_t tid)
1598 {
1599 	struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid];
1600 	struct mbuf *m;
1601 	u_int8_t *frm;
1602 
1603 	m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA, 9);
1604 	if (m == NULL)
1605 		return m;
1606 
1607 	frm = mtod(m, u_int8_t *);
1608 	*frm++ = IEEE80211_CATEG_BA;
1609 	*frm++ = IEEE80211_ACTION_ADDBA_REQ;
1610 	*frm++ = ba->ba_token;
1611 	LE_WRITE_2(frm, ba->ba_params); frm += 2;
1612 	LE_WRITE_2(frm, ba->ba_timeout_val / IEEE80211_DUR_TU); frm += 2;
1613 	LE_WRITE_2(frm, ba->ba_winstart << IEEE80211_SEQ_SEQ_SHIFT); frm += 2;
1614 
1615 	m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *);
1616 
1617 	return m;
1618 }
1619 
1620 /* Move Tx BA window forward to the specified SSN. */
1621 void
1622 ieee80211_output_ba_move_window(struct ieee80211com *ic,
1623     struct ieee80211_node *ni, uint8_t tid, uint16_t ssn)
1624 {
1625 	struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid];
1626 	uint16_t s = ba->ba_winstart;
1627 
1628 	while (SEQ_LT(s, ssn) && ba->ba_bitmap) {
1629 		s = (s + 1) % 0xfff;
1630 		ba->ba_bitmap >>= 1;
1631 	}
1632 
1633 	ba->ba_winstart = (ssn & 0xfff);
1634 	ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff;
1635 }
1636 
1637 /*
1638  * Move Tx BA window forward up to the first hole in the bitmap
1639  * or up to the specified SSN, whichever comes first.
1640  * After calling this function, frames before the start of the
1641  * potentially changed BA window should be discarded.
1642  */
1643 void
1644 ieee80211_output_ba_move_window_to_first_unacked(struct ieee80211com *ic,
1645     struct ieee80211_node *ni, uint8_t tid, uint16_t ssn)
1646 {
1647 	struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid];
1648 	uint16_t s = ba->ba_winstart;
1649 	uint64_t bitmap = ba->ba_bitmap;
1650 	int can_move_window = 0;
1651 
1652 	while (bitmap && SEQ_LT(s, ssn)) {
1653 		if ((bitmap & 1) == 0)
1654 			break;
1655 		s = (s + 1) % 0xfff;
1656 		bitmap >>= 1;
1657 		can_move_window = 1;
1658 	}
1659 
1660 	if (can_move_window)
1661 		ieee80211_output_ba_move_window(ic, ni, tid, s);
1662 }
1663 
1664 /* Record an ACK for a frame with a given SSN within the Tx BA window. */
1665 void
1666 ieee80211_output_ba_record_ack(struct ieee80211com *ic,
1667     struct ieee80211_node *ni, uint8_t tid, uint16_t ssn)
1668 {
1669 	struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid];
1670 	int i = 0;
1671 	uint16_t s = ba->ba_winstart;
1672 
1673 	KASSERT(!SEQ_LT(ssn, ba->ba_winstart));
1674 	KASSERT(!SEQ_LT(ba->ba_winend, ssn));
1675 
1676 	while (SEQ_LT(s, ssn)) {
1677 		s = (s + 1) % 0xfff;
1678 		i++;
1679 	}
1680 	if (i < ba->ba_winsize)
1681 		ba->ba_bitmap |= (1 << i);
1682 }
1683 
1684 /*-
1685  * ADDBA Response frame format:
1686  * [1] Category
1687  * [1] Action
1688  * [1] Dialog Token
1689  * [2] Status Code
1690  * [2] Block Ack Parameter Set
1691  * [2] Block Ack Timeout Value
1692  */
1693 struct mbuf *
1694 ieee80211_get_addba_resp(struct ieee80211com *ic, struct ieee80211_node *ni,
1695     u_int8_t tid, u_int8_t token, u_int16_t status)
1696 {
1697 	struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid];
1698 	struct mbuf *m;
1699 	u_int8_t *frm;
1700 	u_int16_t params;
1701 
1702 	m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA, 9);
1703 	if (m == NULL)
1704 		return m;
1705 
1706 	frm = mtod(m, u_int8_t *);
1707 	*frm++ = IEEE80211_CATEG_BA;
1708 	*frm++ = IEEE80211_ACTION_ADDBA_RESP;
1709 	*frm++ = token;
1710 	LE_WRITE_2(frm, status); frm += 2;
1711 	if (status == 0)
1712 		params = ba->ba_params;
1713 	else
1714 		params = tid << IEEE80211_ADDBA_TID_SHIFT;
1715 	LE_WRITE_2(frm, params); frm += 2;
1716 	if (status == 0)
1717 		LE_WRITE_2(frm, ba->ba_timeout_val / IEEE80211_DUR_TU);
1718 	else
1719 		LE_WRITE_2(frm, 0);
1720 	frm += 2;
1721 
1722 	m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *);
1723 
1724 	return m;
1725 }
1726 
1727 /*-
1728  * DELBA frame format:
1729  * [1] Category
1730  * [1] Action
1731  * [2] DELBA Parameter Set
1732  * [2] Reason Code
1733  */
1734 struct mbuf *
1735 ieee80211_get_delba(struct ieee80211com *ic, struct ieee80211_node *ni,
1736     u_int8_t tid, u_int8_t dir, u_int16_t reason)
1737 {
1738 	struct mbuf *m;
1739 	u_int8_t *frm;
1740 	u_int16_t params;
1741 
1742 	m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA, 6);
1743 	if (m == NULL)
1744 		return m;
1745 
1746 	frm = mtod(m, u_int8_t *);
1747 	*frm++ = IEEE80211_CATEG_BA;
1748 	*frm++ = IEEE80211_ACTION_DELBA;
1749 	params = tid << 12;
1750 	if (dir)
1751 		params |= IEEE80211_DELBA_INITIATOR;
1752 	LE_WRITE_2(frm, params); frm += 2;
1753 	LE_WRITE_2(frm, reason); frm += 2;
1754 
1755 	m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *);
1756 
1757 	return m;
1758 }
1759 
1760 /*-
1761  * SA Query Request/Response frame format:
1762  * [1]  Category
1763  * [1]  Action
1764  * [16] Transaction Identifier
1765  */
1766 struct mbuf *
1767 ieee80211_get_sa_query(struct ieee80211com *ic, struct ieee80211_node *ni,
1768     u_int8_t action)
1769 {
1770 	struct mbuf *m;
1771 	u_int8_t *frm;
1772 
1773 	m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA, 4);
1774 	if (m == NULL)
1775 		return NULL;
1776 
1777 	frm = mtod(m, u_int8_t *);
1778 	*frm++ = IEEE80211_CATEG_SA_QUERY;
1779 	*frm++ = action;	/* ACTION_SA_QUERY_REQ/RESP */
1780 	LE_WRITE_2(frm, ni->ni_sa_query_trid); frm += 2;
1781 
1782 	m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *);
1783 
1784 	return m;
1785 }
1786 
1787 struct mbuf *
1788 ieee80211_get_action(struct ieee80211com *ic, struct ieee80211_node *ni,
1789     u_int8_t categ, u_int8_t action, int arg)
1790 {
1791 	struct mbuf *m = NULL;
1792 
1793 	switch (categ) {
1794 	case IEEE80211_CATEG_BA:
1795 		switch (action) {
1796 		case IEEE80211_ACTION_ADDBA_REQ:
1797 			m = ieee80211_get_addba_req(ic, ni, arg & 0xffff);
1798 			break;
1799 		case IEEE80211_ACTION_ADDBA_RESP:
1800 			m = ieee80211_get_addba_resp(ic, ni, arg & 0xff,
1801 			    arg >> 8, arg >> 16);
1802 			break;
1803 		case IEEE80211_ACTION_DELBA:
1804 			m = ieee80211_get_delba(ic, ni, arg & 0xff, arg >> 8,
1805 			    arg >> 16);
1806 			break;
1807 		}
1808 		break;
1809 	case IEEE80211_CATEG_SA_QUERY:
1810 		switch (action) {
1811 #ifndef IEEE80211_STA_ONLY
1812 		case IEEE80211_ACTION_SA_QUERY_REQ:
1813 #endif
1814 		case IEEE80211_ACTION_SA_QUERY_RESP:
1815 			m = ieee80211_get_sa_query(ic, ni, action);
1816 			break;
1817 		}
1818 		break;
1819 	}
1820 	return m;
1821 }
1822 
1823 /*
1824  * Send a management frame.  The node is for the destination (or ic_bss
1825  * when in station mode).  Nodes other than ic_bss have their reference
1826  * count bumped to reflect our use for an indeterminant time.
1827  */
1828 int
1829 ieee80211_send_mgmt(struct ieee80211com *ic, struct ieee80211_node *ni,
1830     int type, int arg1, int arg2)
1831 {
1832 #define	senderr(_x, _v)	do { ic->ic_stats._v++; ret = _x; goto bad; } while (0)
1833 	struct ifnet *ifp = &ic->ic_if;
1834 	struct mbuf *m;
1835 	int ret, timer;
1836 
1837 	if (ni == NULL)
1838 		panic("null node");
1839 
1840 	/*
1841 	 * Hold a reference on the node so it doesn't go away until after
1842 	 * the xmit is complete all the way in the driver.  On error we
1843 	 * will remove our reference.
1844 	 */
1845 	ieee80211_ref_node(ni);
1846 	timer = 0;
1847 	switch (type) {
1848 	case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
1849 		if ((m = ieee80211_get_probe_req(ic, ni)) == NULL)
1850 			senderr(ENOMEM, is_tx_nombuf);
1851 
1852 		timer = IEEE80211_TRANS_WAIT;
1853 		break;
1854 #ifndef IEEE80211_STA_ONLY
1855 	case IEEE80211_FC0_SUBTYPE_PROBE_RESP:
1856 		if ((m = ieee80211_get_probe_resp(ic)) == NULL)
1857 			senderr(ENOMEM, is_tx_nombuf);
1858 		break;
1859 #endif
1860 	case IEEE80211_FC0_SUBTYPE_AUTH:
1861 		m = ieee80211_get_auth(ic, ni, arg1 >> 16, arg1 & 0xffff);
1862 		if (m == NULL)
1863 			senderr(ENOMEM, is_tx_nombuf);
1864 
1865 		if (ic->ic_opmode == IEEE80211_M_STA)
1866 			timer = IEEE80211_TRANS_WAIT;
1867 		break;
1868 
1869 	case IEEE80211_FC0_SUBTYPE_DEAUTH:
1870 		if ((m = ieee80211_get_deauth(ic, ni, arg1)) == NULL)
1871 			senderr(ENOMEM, is_tx_nombuf);
1872 #ifndef IEEE80211_STA_ONLY
1873 		if ((ifp->if_flags & IFF_DEBUG) &&
1874 		    (ic->ic_opmode == IEEE80211_M_HOSTAP ||
1875 		    ic->ic_opmode == IEEE80211_M_IBSS))
1876 			printf("%s: station %s deauthenticate (reason %d)\n",
1877 			    ifp->if_xname, ether_sprintf(ni->ni_macaddr),
1878 			    arg1);
1879 #endif
1880 		break;
1881 
1882 	case IEEE80211_FC0_SUBTYPE_ASSOC_REQ:
1883 	case IEEE80211_FC0_SUBTYPE_REASSOC_REQ:
1884 		if ((m = ieee80211_get_assoc_req(ic, ni, type)) == NULL)
1885 			senderr(ENOMEM, is_tx_nombuf);
1886 
1887 		timer = IEEE80211_TRANS_WAIT;
1888 		break;
1889 #ifndef IEEE80211_STA_ONLY
1890 	case IEEE80211_FC0_SUBTYPE_ASSOC_RESP:
1891 	case IEEE80211_FC0_SUBTYPE_REASSOC_RESP:
1892 		if ((m = ieee80211_get_assoc_resp(ic, ni, arg1)) == NULL)
1893 			senderr(ENOMEM, is_tx_nombuf);
1894 		break;
1895 #endif
1896 	case IEEE80211_FC0_SUBTYPE_DISASSOC:
1897 		if ((m = ieee80211_get_disassoc(ic, ni, arg1)) == NULL)
1898 			senderr(ENOMEM, is_tx_nombuf);
1899 #ifndef IEEE80211_STA_ONLY
1900 		if ((ifp->if_flags & IFF_DEBUG) &&
1901 		    (ic->ic_opmode == IEEE80211_M_HOSTAP ||
1902 		    ic->ic_opmode == IEEE80211_M_IBSS))
1903 			printf("%s: station %s disassociate (reason %d)\n",
1904 			    ifp->if_xname, ether_sprintf(ni->ni_macaddr),
1905 			    arg1);
1906 #endif
1907 		break;
1908 
1909 	case IEEE80211_FC0_SUBTYPE_ACTION:
1910 		m = ieee80211_get_action(ic, ni, arg1 >> 16, arg1 & 0xffff,
1911 		    arg2);
1912 		if (m == NULL)
1913 			senderr(ENOMEM, is_tx_nombuf);
1914 		break;
1915 
1916 	default:
1917 		DPRINTF(("invalid mgmt frame type %u\n", type));
1918 		senderr(EINVAL, is_tx_unknownmgt);
1919 		/* NOTREACHED */
1920 	}
1921 
1922 	ret = ieee80211_mgmt_output(ifp, ni, m, type);
1923 	if (ret == 0) {
1924 		if (timer)
1925 			ic->ic_mgt_timer = timer;
1926 	} else {
1927 bad:
1928 		ieee80211_release_node(ic, ni);
1929 	}
1930 	return ret;
1931 #undef senderr
1932 }
1933 
1934 /*
1935  * Build a RTS (Request To Send) control frame (see 7.2.1.1).
1936  */
1937 struct mbuf *
1938 ieee80211_get_rts(struct ieee80211com *ic, const struct ieee80211_frame *wh,
1939     u_int16_t dur)
1940 {
1941 	struct ieee80211_frame_rts *rts;
1942 	struct mbuf *m;
1943 
1944 	MGETHDR(m, M_DONTWAIT, MT_DATA);
1945 	if (m == NULL)
1946 		return NULL;
1947 
1948 	m->m_pkthdr.len = m->m_len = sizeof(struct ieee80211_frame_rts);
1949 
1950 	rts = mtod(m, struct ieee80211_frame_rts *);
1951 	rts->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_CTL |
1952 	    IEEE80211_FC0_SUBTYPE_RTS;
1953 	rts->i_fc[1] = IEEE80211_FC1_DIR_NODS;
1954 	*(u_int16_t *)rts->i_dur = htole16(dur);
1955 	IEEE80211_ADDR_COPY(rts->i_ra, wh->i_addr1);
1956 	IEEE80211_ADDR_COPY(rts->i_ta, wh->i_addr2);
1957 
1958 	return m;
1959 }
1960 
1961 /*
1962  * Build a CTS-to-self (Clear To Send) control frame (see 7.2.1.2).
1963  */
1964 struct mbuf *
1965 ieee80211_get_cts_to_self(struct ieee80211com *ic, u_int16_t dur)
1966 {
1967 	struct ieee80211_frame_cts *cts;
1968 	struct mbuf *m;
1969 
1970 	MGETHDR(m, M_DONTWAIT, MT_DATA);
1971 	if (m == NULL)
1972 		return NULL;
1973 
1974 	m->m_pkthdr.len = m->m_len = sizeof(struct ieee80211_frame_cts);
1975 
1976 	cts = mtod(m, struct ieee80211_frame_cts *);
1977 	cts->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_CTL |
1978 	    IEEE80211_FC0_SUBTYPE_CTS;
1979 	cts->i_fc[1] = IEEE80211_FC1_DIR_NODS;
1980 	*(u_int16_t *)cts->i_dur = htole16(dur);
1981 	IEEE80211_ADDR_COPY(cts->i_ra, ic->ic_myaddr);
1982 
1983 	return m;
1984 }
1985 
1986 /*
1987  * Build a compressed Block Ack Request control frame.
1988  */
1989 struct mbuf *
1990 ieee80211_get_compressed_bar(struct ieee80211com *ic,
1991     struct ieee80211_node *ni, int tid, uint16_t ssn)
1992 {
1993 	struct ieee80211_frame_min *wh;
1994 	uint8_t *frm;
1995 	uint16_t ctl;
1996 	struct mbuf *m;
1997 
1998 	MGETHDR(m, M_DONTWAIT, MT_DATA);
1999 	if (m == NULL)
2000 		return NULL;
2001 
2002 	m->m_pkthdr.len = m->m_len = sizeof(struct ieee80211_frame_min) +
2003 	    sizeof(ctl) + sizeof(ssn);
2004 
2005 	wh = mtod(m, struct ieee80211_frame_min *);
2006 	wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_CTL |
2007 	    IEEE80211_FC0_SUBTYPE_BAR;
2008 	wh->i_fc[1] = IEEE80211_FC1_DIR_NODS;
2009 	*(u_int16_t *)wh->i_dur = 0;
2010 	IEEE80211_ADDR_COPY(wh->i_addr1, ni->ni_macaddr);
2011 	IEEE80211_ADDR_COPY(wh->i_addr2, ic->ic_myaddr);
2012 	frm = (uint8_t *)&wh[1];
2013 
2014 	ctl = IEEE80211_BA_COMPRESSED | (tid << IEEE80211_BA_TID_INFO_SHIFT);
2015 	LE_WRITE_2(frm, ctl);
2016 	frm += 2;
2017 
2018 	LE_WRITE_2(frm, ssn << IEEE80211_SEQ_SEQ_SHIFT);
2019 	frm += 2;
2020 
2021 	m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *);
2022 	m->m_pkthdr.ph_cookie = ni;
2023 
2024 	return m;
2025 }
2026 
2027 #ifndef IEEE80211_STA_ONLY
2028 /*-
2029  * Beacon frame format:
2030  * [8]   Timestamp
2031  * [2]   Beacon interval
2032  * [2]   Capability
2033  * [tlv] Service Set Identifier (SSID)
2034  * [tlv] Supported rates
2035  * [tlv] DS Parameter Set (802.11g)
2036  * [tlv] IBSS Parameter Set
2037  * [tlv] Traffic Indication Map (TIM)
2038  * [tlv] ERP Information (802.11g)
2039  * [tlv] Extended Supported Rates (802.11g)
2040  * [tlv] RSN (802.11i)
2041  * [tlv] EDCA Parameter Set (802.11e)
2042  * [tlv] HT Capabilities (802.11n)
2043  * [tlv] HT Operation (802.11n)
2044  */
2045 struct mbuf *
2046 ieee80211_beacon_alloc(struct ieee80211com *ic, struct ieee80211_node *ni)
2047 {
2048 	const struct ieee80211_rateset *rs = &ni->ni_rates;
2049 	struct ieee80211_frame *wh;
2050 	struct mbuf *m;
2051 	u_int8_t *frm;
2052 
2053 	m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA,
2054 	    8 + 2 + 2 +
2055 	    2 + ((ic->ic_userflags & IEEE80211_F_HIDENWID) ?
2056 	    0 : ni->ni_esslen) +
2057 	    2 + min(rs->rs_nrates, IEEE80211_RATE_SIZE) +
2058 	    2 + 1 +
2059 	    2 + ((ic->ic_opmode == IEEE80211_M_IBSS) ? 2 : 254) +
2060 	    ((ic->ic_curmode == IEEE80211_MODE_11G) ? 2 + 1 : 0) +
2061 	    ((rs->rs_nrates > IEEE80211_RATE_SIZE) ?
2062 		2 + rs->rs_nrates - IEEE80211_RATE_SIZE : 0) +
2063 	    (((ic->ic_flags & IEEE80211_F_RSNON) &&
2064 	      (ni->ni_rsnprotos & IEEE80211_PROTO_RSN)) ?
2065 		2 + IEEE80211_RSNIE_MAXLEN : 0) +
2066 	    ((ic->ic_flags & IEEE80211_F_QOS) ? 2 + 18 : 0) +
2067 	    (((ic->ic_flags & IEEE80211_F_RSNON) &&
2068 	      (ni->ni_rsnprotos & IEEE80211_PROTO_WPA)) ?
2069 		2 + IEEE80211_WPAIE_MAXLEN : 0) +
2070 	    ((ic->ic_flags & IEEE80211_F_HTON) ? 28 + 24 + 26 : 0));
2071 	if (m == NULL)
2072 		return NULL;
2073 
2074 	M_PREPEND(m, sizeof(struct ieee80211_frame), M_DONTWAIT);
2075 	if (m == NULL)
2076 		return NULL;
2077 	wh = mtod(m, struct ieee80211_frame *);
2078 	wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_MGT |
2079 	    IEEE80211_FC0_SUBTYPE_BEACON;
2080 	wh->i_fc[1] = IEEE80211_FC1_DIR_NODS;
2081 	*(u_int16_t *)wh->i_dur = 0;
2082 	IEEE80211_ADDR_COPY(wh->i_addr1, etherbroadcastaddr);
2083 	IEEE80211_ADDR_COPY(wh->i_addr2, ic->ic_myaddr);
2084 	IEEE80211_ADDR_COPY(wh->i_addr3, ni->ni_bssid);
2085 	*(u_int16_t *)wh->i_seq = 0;
2086 
2087 	frm = (u_int8_t *)&wh[1];
2088 	memset(frm, 0, 8); frm += 8;	/* timestamp is set by hardware */
2089 	LE_WRITE_2(frm, ni->ni_intval); frm += 2;
2090 	frm = ieee80211_add_capinfo(frm, ic, ni);
2091 	if (ic->ic_userflags & IEEE80211_F_HIDENWID)
2092 		frm = ieee80211_add_ssid(frm, NULL, 0);
2093 	else
2094 		frm = ieee80211_add_ssid(frm, ni->ni_essid, ni->ni_esslen);
2095 	frm = ieee80211_add_rates(frm, rs);
2096 	frm = ieee80211_add_ds_params(frm, ic, ni);
2097 	if (ic->ic_opmode == IEEE80211_M_IBSS)
2098 		frm = ieee80211_add_ibss_params(frm, ni);
2099 	else
2100 		frm = ieee80211_add_tim(frm, ic);
2101 	if (ic->ic_curmode == IEEE80211_MODE_11G)
2102 		frm = ieee80211_add_erp(frm, ic);
2103 	if (rs->rs_nrates > IEEE80211_RATE_SIZE)
2104 		frm = ieee80211_add_xrates(frm, rs);
2105 	if ((ic->ic_flags & IEEE80211_F_RSNON) &&
2106 	    (ni->ni_rsnprotos & IEEE80211_PROTO_RSN))
2107 		frm = ieee80211_add_rsn(frm, ic, ni);
2108 	if (ic->ic_flags & IEEE80211_F_QOS)
2109 		frm = ieee80211_add_edca_params(frm, ic);
2110 	if ((ic->ic_flags & IEEE80211_F_RSNON) &&
2111 	    (ni->ni_rsnprotos & IEEE80211_PROTO_WPA))
2112 		frm = ieee80211_add_wpa(frm, ic, ni);
2113 	if (ic->ic_flags & IEEE80211_F_HTON) {
2114 		frm = ieee80211_add_htcaps(frm, ic);
2115 		frm = ieee80211_add_htop(frm, ic);
2116 		frm = ieee80211_add_wme_param(frm, ic);
2117 	}
2118 
2119 	m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *);
2120 	m->m_pkthdr.ph_cookie = ni;
2121 
2122 	return m;
2123 }
2124 
2125 /*
2126  * Check if an outgoing MSDU or management frame should be buffered into
2127  * the AP for power management.  Return 1 if the frame was buffered into
2128  * the AP, or 0 if the frame shall be transmitted immediately.
2129  */
2130 int
2131 ieee80211_pwrsave(struct ieee80211com *ic, struct mbuf *m,
2132     struct ieee80211_node *ni)
2133 {
2134 	const struct ieee80211_frame *wh;
2135 	int pssta = 0;
2136 
2137 	KASSERT(ic->ic_opmode == IEEE80211_M_HOSTAP);
2138 	if (!(ic->ic_caps & IEEE80211_C_APPMGT))
2139 		return 0;
2140 
2141 	wh = mtod(m, struct ieee80211_frame *);
2142 	if (IEEE80211_IS_MULTICAST(wh->i_addr1)) {
2143 		/*
2144 		 * Buffer group addressed MSDUs with the Order bit clear
2145 		 * if any associated STAs are in PS mode.
2146 		 */
2147 		ieee80211_iterate_nodes(ic, ieee80211_count_pssta, &pssta);
2148 		if ((wh->i_fc[1] & IEEE80211_FC1_ORDER) || pssta == 0)
2149 			return 0;
2150 		ic->ic_tim_mcast_pending = 1;
2151 	} else {
2152 		/*
2153 		 * Buffer MSDUs, A-MSDUs or management frames destined for
2154 		 * PS STAs.
2155 		 */
2156 		if (ni->ni_pwrsave == IEEE80211_PS_AWAKE ||
2157 		    (wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK) ==
2158 		    IEEE80211_FC0_TYPE_CTL)
2159 			return 0;
2160 		if (mq_empty(&ni->ni_savedq))
2161 			(*ic->ic_set_tim)(ic, ni->ni_associd, 1);
2162 	}
2163 	/* NB: ni == ic->ic_bss for broadcast/multicast */
2164 	/*
2165 	 * Similar to ieee80211_mgmt_output, store the node in a
2166 	 * special pkthdr field.
2167 	 */
2168 	m->m_pkthdr.ph_cookie = ni;
2169 	mq_enqueue(&ni->ni_savedq, m);
2170 	return 1;
2171 }
2172 #endif	/* IEEE80211_STA_ONLY */
2173