1 /* $OpenBSD: ieee80211_output.c,v 1.139 2024/05/08 14:02:59 stsp Exp $ */ 2 /* $NetBSD: ieee80211_output.c,v 1.13 2004/05/31 11:02:55 dyoung Exp $ */ 3 4 /*- 5 * Copyright (c) 2001 Atsushi Onoe 6 * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting 7 * Copyright (c) 2007-2009 Damien Bergamini 8 * All rights reserved. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 3. The name of the author may not be used to endorse or promote products 19 * derived from this software without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 22 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 23 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 24 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 26 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 27 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 28 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 30 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 */ 32 33 #include "bpfilter.h" 34 #include "vlan.h" 35 36 #include <sys/param.h> 37 #include <sys/systm.h> 38 #include <sys/mbuf.h> 39 #include <sys/kernel.h> 40 #include <sys/socket.h> 41 #include <sys/sockio.h> 42 #include <sys/endian.h> 43 #include <sys/errno.h> 44 #include <sys/sysctl.h> 45 46 #include <net/if.h> 47 #include <net/if_dl.h> 48 #include <net/if_media.h> 49 #include <net/if_llc.h> 50 #include <net/bpf.h> 51 52 #include <netinet/in.h> 53 #include <netinet/if_ether.h> 54 #include <netinet/ip.h> 55 #ifdef INET6 56 #include <netinet/ip6.h> 57 #endif 58 59 #if NVLAN > 0 60 #include <net/if_vlan_var.h> 61 #endif 62 63 #include <net80211/ieee80211_var.h> 64 #include <net80211/ieee80211_priv.h> 65 66 int ieee80211_mgmt_output(struct ifnet *, struct ieee80211_node *, 67 struct mbuf *, int); 68 int ieee80211_can_use_ampdu(struct ieee80211com *, 69 struct ieee80211_node *); 70 u_int8_t *ieee80211_add_rsn_body(u_int8_t *, struct ieee80211com *, 71 const struct ieee80211_node *, int); 72 struct mbuf *ieee80211_getmgmt(int, int, u_int); 73 struct mbuf *ieee80211_get_probe_req(struct ieee80211com *, 74 struct ieee80211_node *); 75 #ifndef IEEE80211_STA_ONLY 76 struct mbuf *ieee80211_get_probe_resp(struct ieee80211com *); 77 #endif 78 struct mbuf *ieee80211_get_auth(struct ieee80211com *, 79 struct ieee80211_node *, u_int16_t, u_int16_t); 80 struct mbuf *ieee80211_get_deauth(struct ieee80211com *, 81 struct ieee80211_node *, u_int16_t); 82 struct mbuf *ieee80211_get_assoc_req(struct ieee80211com *, 83 struct ieee80211_node *, int); 84 #ifndef IEEE80211_STA_ONLY 85 struct mbuf *ieee80211_get_assoc_resp(struct ieee80211com *, 86 struct ieee80211_node *, u_int16_t); 87 #endif 88 struct mbuf *ieee80211_get_disassoc(struct ieee80211com *, 89 struct ieee80211_node *, u_int16_t); 90 struct mbuf *ieee80211_get_addba_req(struct ieee80211com *, 91 struct ieee80211_node *, u_int8_t); 92 struct mbuf *ieee80211_get_addba_resp(struct ieee80211com *, 93 struct ieee80211_node *, u_int8_t, u_int8_t, u_int16_t); 94 struct mbuf *ieee80211_get_delba(struct ieee80211com *, 95 struct ieee80211_node *, u_int8_t, u_int8_t, u_int16_t); 96 uint8_t *ieee80211_add_wme_info(uint8_t *, struct ieee80211com *); 97 #ifndef IEEE80211_STA_ONLY 98 uint8_t *ieee80211_add_wme_param(uint8_t *, struct ieee80211com *); 99 #endif 100 struct mbuf *ieee80211_get_sa_query(struct ieee80211com *, 101 struct ieee80211_node *, u_int8_t); 102 struct mbuf *ieee80211_get_action(struct ieee80211com *, 103 struct ieee80211_node *, u_int8_t, u_int8_t, int); 104 105 /* 106 * IEEE 802.11 output routine. Normally this will directly call the 107 * Ethernet output routine because 802.11 encapsulation is called 108 * later by the driver. This function can be used to send raw frames 109 * if the mbuf has been tagged with a 802.11 data link type. 110 */ 111 int 112 ieee80211_output(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst, 113 struct rtentry *rt) 114 { 115 struct ieee80211_frame *wh; 116 struct m_tag *mtag; 117 int error = 0; 118 119 /* Interface has to be up and running */ 120 if ((ifp->if_flags & (IFF_UP | IFF_RUNNING)) != 121 (IFF_UP | IFF_RUNNING)) { 122 error = ENETDOWN; 123 goto bad; 124 } 125 126 #ifdef PACKET_TAG_DLT 127 /* Try to get the DLT from a mbuf tag */ 128 if ((mtag = m_tag_find(m, PACKET_TAG_DLT, NULL)) != NULL) { 129 struct ieee80211com *ic = (void *)ifp; 130 u_int dlt = *(u_int *)(mtag + 1); 131 132 /* Fallback to ethernet for non-802.11 linktypes */ 133 if (!(dlt == DLT_IEEE802_11 || dlt == DLT_IEEE802_11_RADIO)) 134 goto fallback; 135 136 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) 137 return (EINVAL); 138 wh = mtod(m, struct ieee80211_frame *); 139 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != 140 IEEE80211_FC0_VERSION_0) 141 return (EINVAL); 142 if (!(ic->ic_caps & IEEE80211_C_RAWCTL) && 143 (wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK) == 144 IEEE80211_FC0_TYPE_CTL) 145 return (EINVAL); 146 147 return (if_enqueue(ifp, m)); 148 } 149 #endif 150 151 fallback: 152 return (ether_output(ifp, m, dst, rt)); 153 154 bad: 155 m_freem(m); 156 return (error); 157 } 158 159 const char * 160 ieee80211_action_name(struct ieee80211_frame *wh) 161 { 162 const u_int8_t *frm = (const uint8_t *)&wh[1]; 163 const char *categ_ba_name[3] = { "addba_req", "addba_resp", "delba" }; 164 165 if (frm[0] == IEEE80211_CATEG_BA && frm[1] < nitems(categ_ba_name)) 166 return categ_ba_name[frm[1]]; 167 168 return "action"; 169 } 170 171 /* 172 * Send a management frame to the specified node. The node pointer 173 * must have a reference as the pointer will be passed to the driver 174 * and potentially held for a long time. If the frame is successfully 175 * dispatched to the driver, then it is responsible for freeing the 176 * reference (and potentially free'ing up any associated storage). 177 */ 178 int 179 ieee80211_mgmt_output(struct ifnet *ifp, struct ieee80211_node *ni, 180 struct mbuf *m, int type) 181 { 182 struct ieee80211com *ic = (void *)ifp; 183 struct ieee80211_frame *wh; 184 185 if (ni == NULL) 186 panic("null node"); 187 ni->ni_inact = 0; 188 189 /* 190 * We want to pass the node down to the driver's start 191 * routine. We could stick this in an m_tag and tack that 192 * on to the mbuf. However that's rather expensive to do 193 * for every frame so instead we stuff it in a special pkthdr 194 * field. 195 */ 196 M_PREPEND(m, sizeof(struct ieee80211_frame), M_DONTWAIT); 197 if (m == NULL) 198 return ENOMEM; 199 m->m_pkthdr.ph_cookie = ni; 200 201 wh = mtod(m, struct ieee80211_frame *); 202 wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_MGT | type; 203 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS; 204 *(u_int16_t *)&wh->i_dur[0] = 0; 205 *(u_int16_t *)&wh->i_seq[0] = 206 htole16(ni->ni_txseq << IEEE80211_SEQ_SEQ_SHIFT); 207 ni->ni_txseq = (ni->ni_txseq + 1) & 0xfff; 208 IEEE80211_ADDR_COPY(wh->i_addr1, ni->ni_macaddr); 209 IEEE80211_ADDR_COPY(wh->i_addr2, ic->ic_myaddr); 210 IEEE80211_ADDR_COPY(wh->i_addr3, ni->ni_bssid); 211 212 /* check if protection is required for this mgmt frame */ 213 if ((ic->ic_caps & IEEE80211_C_MFP) && 214 (type == IEEE80211_FC0_SUBTYPE_DISASSOC || 215 type == IEEE80211_FC0_SUBTYPE_DEAUTH || 216 type == IEEE80211_FC0_SUBTYPE_ACTION)) { 217 /* 218 * Hack: we should not set the Protected bit in outgoing 219 * group management frames, however it is used as an 220 * indication to the drivers that they must encrypt the 221 * frame. Drivers should clear this bit from group 222 * management frames (software crypto code will do it). 223 * XXX could use an mbuf flag.. 224 */ 225 if (IEEE80211_IS_MULTICAST(wh->i_addr1) || 226 (ni->ni_flags & IEEE80211_NODE_TXMGMTPROT)) 227 wh->i_fc[1] |= IEEE80211_FC1_PROTECTED; 228 } 229 230 if (ifp->if_flags & IFF_DEBUG) { 231 /* avoid to print too many frames */ 232 if ( 233 #ifndef IEEE80211_STA_ONLY 234 ic->ic_opmode == IEEE80211_M_IBSS || 235 #endif 236 #ifdef IEEE80211_DEBUG 237 ieee80211_debug > 1 || 238 #endif 239 (type & IEEE80211_FC0_SUBTYPE_MASK) != 240 IEEE80211_FC0_SUBTYPE_PROBE_RESP) { 241 const char *subtype_name; 242 if ((type & IEEE80211_FC0_SUBTYPE_MASK) == 243 IEEE80211_FC0_SUBTYPE_ACTION) 244 subtype_name = ieee80211_action_name(wh); 245 else 246 subtype_name = ieee80211_mgt_subtype_name[ 247 (type & IEEE80211_FC0_SUBTYPE_MASK) >> 248 IEEE80211_FC0_SUBTYPE_SHIFT]; 249 printf("%s: sending %s to %s on channel %u mode %s\n", 250 ifp->if_xname, subtype_name, 251 ether_sprintf(ni->ni_macaddr), 252 ieee80211_chan2ieee(ic, ni->ni_chan), 253 ieee80211_phymode_name[ic->ic_curmode]); 254 } 255 } 256 257 #ifndef IEEE80211_STA_ONLY 258 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 259 ieee80211_pwrsave(ic, m, ni) != 0) 260 return 0; 261 #endif 262 mq_enqueue(&ic->ic_mgtq, m); 263 ifp->if_timer = 1; 264 if_start(ifp); 265 return 0; 266 } 267 268 /*- 269 * EDCA tables are computed using the following formulas: 270 * 271 * 1) EDCATable (non-AP QSTA) 272 * 273 * AC CWmin CWmax AIFSN TXOP limit(ms) 274 * ------------------------------------------------------------- 275 * AC_BK aCWmin aCWmax 7 0 276 * AC_BE aCWmin aCWmax 3 0 277 * AC_VI (aCWmin+1)/2-1 aCWmin 2 agn=3.008 b=6.016 others=0 278 * AC_VO (aCWmin+1)/4-1 (aCWmin+1)/2-1 2 agn=1.504 b=3.264 others=0 279 * 280 * 2) QAPEDCATable (QAP) 281 * 282 * AC CWmin CWmax AIFSN TXOP limit(ms) 283 * ------------------------------------------------------------- 284 * AC_BK aCWmin aCWmax 7 0 285 * AC_BE aCWmin 4*(aCWmin+1)-1 3 0 286 * AC_VI (aCWmin+1)/2-1 aCWmin 1 agn=3.008 b=6.016 others=0 287 * AC_VO (aCWmin+1)/4-1 (aCWmin+1)/2-1 1 agn=1.504 b=3.264 others=0 288 * 289 * and the following aCWmin/aCWmax values: 290 * 291 * PHY aCWmin aCWmax 292 * --------------------------- 293 * 11A 15 1023 294 * 11B 31 1023 295 * 11G 15* 1023 (*) aCWmin(1) 296 * 11N 15 1023 297 */ 298 const struct ieee80211_edca_ac_params 299 ieee80211_edca_table[IEEE80211_MODE_MAX][EDCA_NUM_AC] = { 300 [IEEE80211_MODE_11B] = { 301 [EDCA_AC_BK] = { 5, 10, 7, 0 }, 302 [EDCA_AC_BE] = { 5, 10, 3, 0 }, 303 [EDCA_AC_VI] = { 4, 5, 2, 188 }, 304 [EDCA_AC_VO] = { 3, 4, 2, 102 } 305 }, 306 [IEEE80211_MODE_11A] = { 307 [EDCA_AC_BK] = { 4, 10, 7, 0 }, 308 [EDCA_AC_BE] = { 4, 10, 3, 0 }, 309 [EDCA_AC_VI] = { 3, 4, 2, 94 }, 310 [EDCA_AC_VO] = { 2, 3, 2, 47 } 311 }, 312 [IEEE80211_MODE_11G] = { 313 [EDCA_AC_BK] = { 4, 10, 7, 0 }, 314 [EDCA_AC_BE] = { 4, 10, 3, 0 }, 315 [EDCA_AC_VI] = { 3, 4, 2, 94 }, 316 [EDCA_AC_VO] = { 2, 3, 2, 47 } 317 }, 318 [IEEE80211_MODE_11N] = { 319 [EDCA_AC_BK] = { 4, 10, 7, 0 }, 320 [EDCA_AC_BE] = { 4, 10, 3, 0 }, 321 [EDCA_AC_VI] = { 3, 4, 2, 94 }, 322 [EDCA_AC_VO] = { 2, 3, 2, 47 } 323 }, 324 [IEEE80211_MODE_11AC] = { 325 [EDCA_AC_BK] = { 4, 10, 7, 0 }, 326 [EDCA_AC_BE] = { 4, 10, 3, 0 }, 327 [EDCA_AC_VI] = { 3, 4, 2, 94 }, 328 [EDCA_AC_VO] = { 2, 3, 2, 47 } 329 }, 330 }; 331 332 #ifndef IEEE80211_STA_ONLY 333 const struct ieee80211_edca_ac_params 334 ieee80211_qap_edca_table[IEEE80211_MODE_MAX][EDCA_NUM_AC] = { 335 [IEEE80211_MODE_11B] = { 336 [EDCA_AC_BK] = { 5, 10, 7, 0 }, 337 [EDCA_AC_BE] = { 5, 7, 3, 0 }, 338 [EDCA_AC_VI] = { 4, 5, 1, 188 }, 339 [EDCA_AC_VO] = { 3, 4, 1, 102 } 340 }, 341 [IEEE80211_MODE_11A] = { 342 [EDCA_AC_BK] = { 4, 10, 7, 0 }, 343 [EDCA_AC_BE] = { 4, 6, 3, 0 }, 344 [EDCA_AC_VI] = { 3, 4, 1, 94 }, 345 [EDCA_AC_VO] = { 2, 3, 1, 47 } 346 }, 347 [IEEE80211_MODE_11G] = { 348 [EDCA_AC_BK] = { 4, 10, 7, 0 }, 349 [EDCA_AC_BE] = { 4, 6, 3, 0 }, 350 [EDCA_AC_VI] = { 3, 4, 1, 94 }, 351 [EDCA_AC_VO] = { 2, 3, 1, 47 } 352 }, 353 [IEEE80211_MODE_11N] = { 354 [EDCA_AC_BK] = { 4, 10, 7, 0 }, 355 [EDCA_AC_BE] = { 4, 6, 3, 0 }, 356 [EDCA_AC_VI] = { 3, 4, 1, 94 }, 357 [EDCA_AC_VO] = { 2, 3, 1, 47 } 358 }, 359 [IEEE80211_MODE_11AC] = { 360 [EDCA_AC_BK] = { 4, 10, 7, 0 }, 361 [EDCA_AC_BE] = { 4, 6, 3, 0 }, 362 [EDCA_AC_VI] = { 3, 4, 1, 94 }, 363 [EDCA_AC_VO] = { 2, 3, 1, 47 } 364 }, 365 }; 366 #endif /* IEEE80211_STA_ONLY */ 367 368 /* 369 * Return the EDCA Access Category to be used for transmitting a frame with 370 * user-priority `up'. 371 */ 372 enum ieee80211_edca_ac 373 ieee80211_up_to_ac(struct ieee80211com *ic, int up) 374 { 375 /* see Table 9-1 */ 376 static const enum ieee80211_edca_ac up_to_ac[] = { 377 EDCA_AC_BE, /* BE */ 378 EDCA_AC_BK, /* BK */ 379 EDCA_AC_BK, /* -- */ 380 EDCA_AC_BE, /* EE */ 381 EDCA_AC_VI, /* CL */ 382 EDCA_AC_VI, /* VI */ 383 EDCA_AC_VO, /* VO */ 384 EDCA_AC_VO /* NC */ 385 }; 386 enum ieee80211_edca_ac ac; 387 388 ac = (up <= 7) ? up_to_ac[up] : EDCA_AC_BE; 389 390 #ifndef IEEE80211_STA_ONLY 391 if (ic->ic_opmode == IEEE80211_M_HOSTAP) 392 return ac; 393 #endif 394 /* 395 * We do not support the admission control procedure defined in 396 * IEEE Std 802.11-2012 section 9.19.4.2.3. The spec says that 397 * non-AP QSTAs that don't support this procedure shall use EDCA 398 * parameters of a lower priority AC that does not require 399 * admission control. 400 */ 401 while (ac != EDCA_AC_BK && ic->ic_edca_ac[ac].ac_acm) { 402 switch (ac) { 403 case EDCA_AC_BK: 404 /* can't get there */ 405 break; 406 case EDCA_AC_BE: 407 /* BE shouldn't require admission control */ 408 ac = EDCA_AC_BK; 409 break; 410 case EDCA_AC_VI: 411 ac = EDCA_AC_BE; 412 break; 413 case EDCA_AC_VO: 414 ac = EDCA_AC_VI; 415 break; 416 } 417 } 418 return ac; 419 } 420 421 /* 422 * Get mbuf's user-priority: if mbuf is not VLAN tagged, select user-priority 423 * based on the DSCP (Differentiated Services Codepoint) field. 424 */ 425 int 426 ieee80211_classify(struct ieee80211com *ic, struct mbuf *m) 427 { 428 struct ether_header eh; 429 u_int8_t ds_field; 430 #if NVLAN > 0 431 if (m->m_flags & M_VLANTAG) /* use VLAN 802.1D user-priority */ 432 return EVL_PRIOFTAG(m->m_pkthdr.ether_vtag); 433 #endif 434 m_copydata(m, 0, sizeof(eh), (caddr_t)&eh); 435 if (eh.ether_type == htons(ETHERTYPE_IP)) { 436 struct ip ip; 437 m_copydata(m, sizeof(eh), sizeof(ip), (caddr_t)&ip); 438 if (ip.ip_v != 4) 439 return 0; 440 ds_field = ip.ip_tos; 441 } 442 #ifdef INET6 443 else if (eh.ether_type == htons(ETHERTYPE_IPV6)) { 444 struct ip6_hdr ip6; 445 u_int32_t flowlabel; 446 m_copydata(m, sizeof(eh), sizeof(ip6), (caddr_t)&ip6); 447 flowlabel = ntohl(ip6.ip6_flow); 448 if ((flowlabel >> 28) != 6) 449 return 0; 450 ds_field = (flowlabel >> 20) & 0xff; 451 } 452 #endif /* INET6 */ 453 else /* neither IPv4 nor IPv6 */ 454 return 0; 455 456 /* 457 * Map Differentiated Services Codepoint field (see RFC2474). 458 * Preserves backward compatibility with IP Precedence field. 459 */ 460 switch (ds_field & 0xfc) { 461 #ifdef IPTOS_PREC_PRIORITY 462 case IPTOS_PREC_PRIORITY: 463 return EDCA_AC_VI; 464 case IPTOS_PREC_IMMEDIATE: 465 return EDCA_AC_BK; 466 case IPTOS_PREC_FLASH: 467 case IPTOS_PREC_FLASHOVERRIDE: 468 case IPTOS_PREC_CRITIC_ECP: 469 case IPTOS_PREC_INTERNETCONTROL: 470 case IPTOS_PREC_NETCONTROL: 471 return EDCA_AC_VO; 472 #endif 473 default: 474 return EDCA_AC_BE; 475 } 476 } 477 478 int 479 ieee80211_can_use_ampdu(struct ieee80211com *ic, struct ieee80211_node *ni) 480 { 481 return (ni->ni_flags & IEEE80211_NODE_HT) && 482 (ic->ic_caps & IEEE80211_C_TX_AMPDU) && 483 !(ic->ic_opmode == IEEE80211_M_STA && ni != ic->ic_bss) && 484 /* 485 * Don't use A-MPDU on non-encrypted networks. There are devices 486 * with buggy firmware which allow an attacker to inject 802.11 487 * frames into a wifi network by embedding rogue A-MPDU subframes 488 * in an arbitrary data payload (e.g. PNG images) which may end 489 * up appearing as actual frames after de-aggregation by a buggy 490 * device; see https://github.com/rpp0/aggr-inject for details. 491 * WPA2 prevents this injection attack since the attacker would 492 * need to inject frames which get decrypted correctly. 493 */ 494 ((ic->ic_flags & IEEE80211_F_RSNON) && 495 (ni->ni_rsnprotos & IEEE80211_PROTO_RSN)); 496 } 497 498 void 499 ieee80211_tx_compressed_bar(struct ieee80211com *ic, struct ieee80211_node *ni, 500 int tid, uint16_t ssn) 501 { 502 struct ifnet *ifp = &ic->ic_if; 503 struct mbuf *m; 504 505 m = ieee80211_get_compressed_bar(ic, ni, tid, ssn); 506 if (m == NULL) 507 return; 508 509 ieee80211_ref_node(ni); 510 if (mq_enqueue(&ic->ic_mgtq, m) == 0) 511 if_start(ifp); 512 else 513 ieee80211_release_node(ic, ni); 514 } 515 516 /* 517 * Encapsulate an outbound data frame. The mbuf chain is updated and 518 * a reference to the destination node is returned. If an error is 519 * encountered NULL is returned and the node reference will also be NULL. 520 * 521 * NB: The caller is responsible for free'ing a returned node reference. 522 * The convention is ic_bss is not reference counted; the caller must 523 * maintain that. 524 */ 525 struct mbuf * 526 ieee80211_encap(struct ifnet *ifp, struct mbuf *m, struct ieee80211_node **pni) 527 { 528 struct ieee80211com *ic = (void *)ifp; 529 struct ether_header eh; 530 struct ieee80211_frame *wh; 531 struct ieee80211_node *ni = NULL; 532 struct llc *llc; 533 struct m_tag *mtag; 534 u_int8_t *addr; 535 u_int dlt, hdrlen; 536 int addqos, tid; 537 538 #ifdef PACKET_TAG_DLT 539 /* Handle raw frames if mbuf is tagged as 802.11 */ 540 if ((mtag = m_tag_find(m, PACKET_TAG_DLT, NULL)) != NULL) { 541 dlt = *(u_int *)(mtag + 1); 542 543 if (!(dlt == DLT_IEEE802_11 || dlt == DLT_IEEE802_11_RADIO)) 544 goto fallback; 545 546 wh = mtod(m, struct ieee80211_frame *); 547 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) { 548 case IEEE80211_FC1_DIR_NODS: 549 case IEEE80211_FC1_DIR_FROMDS: 550 addr = wh->i_addr1; 551 break; 552 case IEEE80211_FC1_DIR_DSTODS: 553 case IEEE80211_FC1_DIR_TODS: 554 addr = wh->i_addr3; 555 break; 556 default: 557 goto bad; 558 } 559 560 ni = ieee80211_find_txnode(ic, addr); 561 if (ni == NULL) 562 ni = ieee80211_ref_node(ic->ic_bss); 563 if (ni == NULL) { 564 printf("%s: no node for dst %s, " 565 "discard raw tx frame\n", ifp->if_xname, 566 ether_sprintf(addr)); 567 ic->ic_stats.is_tx_nonode++; 568 goto bad; 569 } 570 ni->ni_inact = 0; 571 572 *pni = ni; 573 return (m); 574 } 575 #endif 576 577 fallback: 578 if (ic->ic_opmode == IEEE80211_M_MONITOR) 579 goto bad; 580 581 if (m->m_len < sizeof(struct ether_header)) { 582 m = m_pullup(m, sizeof(struct ether_header)); 583 if (m == NULL) { 584 ic->ic_stats.is_tx_nombuf++; 585 goto bad; 586 } 587 } 588 memcpy(&eh, mtod(m, caddr_t), sizeof(struct ether_header)); 589 590 ni = ieee80211_find_txnode(ic, eh.ether_dhost); 591 if (ni == NULL) { 592 DPRINTF(("no node for dst %s, discard frame\n", 593 ether_sprintf(eh.ether_dhost))); 594 ic->ic_stats.is_tx_nonode++; 595 goto bad; 596 } 597 598 #ifndef IEEE80211_STA_ONLY 599 if (ic->ic_opmode == IEEE80211_M_HOSTAP && ni != ic->ic_bss && 600 ni->ni_state != IEEE80211_STA_ASSOC) { 601 ic->ic_stats.is_tx_nonode++; 602 goto bad; 603 } 604 #endif 605 606 if ((ic->ic_flags & IEEE80211_F_RSNON) && 607 !ni->ni_port_valid && 608 eh.ether_type != htons(ETHERTYPE_EAPOL)) { 609 DPRINTF(("port not valid: %s\n", 610 ether_sprintf(eh.ether_dhost))); 611 ic->ic_stats.is_tx_noauth++; 612 goto bad; 613 } 614 615 if ((ic->ic_flags & IEEE80211_F_COUNTERM) && 616 ni->ni_rsncipher == IEEE80211_CIPHER_TKIP) 617 /* XXX TKIP countermeasures! */; 618 619 ni->ni_inact = 0; 620 621 if ((ic->ic_flags & IEEE80211_F_QOS) && 622 (ni->ni_flags & IEEE80211_NODE_QOS) && 623 /* do not QoS-encapsulate EAPOL frames */ 624 eh.ether_type != htons(ETHERTYPE_EAPOL)) { 625 struct ieee80211_tx_ba *ba; 626 tid = ieee80211_classify(ic, m); 627 ba = &ni->ni_tx_ba[tid]; 628 /* We use QoS data frames for aggregation only. */ 629 if (ba->ba_state != IEEE80211_BA_AGREED) { 630 hdrlen = sizeof(struct ieee80211_frame); 631 addqos = 0; 632 if (ieee80211_can_use_ampdu(ic, ni)) 633 ieee80211_node_trigger_addba_req(ni, tid); 634 } else { 635 hdrlen = sizeof(struct ieee80211_qosframe); 636 addqos = 1; 637 } 638 } else { 639 hdrlen = sizeof(struct ieee80211_frame); 640 addqos = 0; 641 } 642 m_adj(m, sizeof(struct ether_header) - LLC_SNAPFRAMELEN); 643 llc = mtod(m, struct llc *); 644 llc->llc_dsap = llc->llc_ssap = LLC_SNAP_LSAP; 645 llc->llc_control = LLC_UI; 646 llc->llc_snap.org_code[0] = 0; 647 llc->llc_snap.org_code[1] = 0; 648 llc->llc_snap.org_code[2] = 0; 649 llc->llc_snap.ether_type = eh.ether_type; 650 M_PREPEND(m, hdrlen, M_DONTWAIT); 651 if (m == NULL) { 652 ic->ic_stats.is_tx_nombuf++; 653 goto bad; 654 } 655 wh = mtod(m, struct ieee80211_frame *); 656 wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_DATA; 657 *(u_int16_t *)&wh->i_dur[0] = 0; 658 if (addqos) { 659 struct ieee80211_qosframe *qwh = 660 (struct ieee80211_qosframe *)wh; 661 u_int16_t qos = tid; 662 663 if (ic->ic_tid_noack & (1 << tid)) 664 qos |= IEEE80211_QOS_ACK_POLICY_NOACK; 665 else { 666 /* Use HT immediate block-ack. */ 667 qos |= IEEE80211_QOS_ACK_POLICY_NORMAL; 668 } 669 qwh->i_fc[0] |= IEEE80211_FC0_SUBTYPE_QOS; 670 *(u_int16_t *)qwh->i_qos = htole16(qos); 671 *(u_int16_t *)qwh->i_seq = 672 htole16(ni->ni_qos_txseqs[tid] << IEEE80211_SEQ_SEQ_SHIFT); 673 ni->ni_qos_txseqs[tid] = (ni->ni_qos_txseqs[tid] + 1) & 0xfff; 674 } else { 675 *(u_int16_t *)&wh->i_seq[0] = 676 htole16(ni->ni_txseq << IEEE80211_SEQ_SEQ_SHIFT); 677 ni->ni_txseq = (ni->ni_txseq + 1) & 0xfff; 678 } 679 switch (ic->ic_opmode) { 680 case IEEE80211_M_STA: 681 wh->i_fc[1] = IEEE80211_FC1_DIR_TODS; 682 IEEE80211_ADDR_COPY(wh->i_addr1, ni->ni_bssid); 683 IEEE80211_ADDR_COPY(wh->i_addr2, eh.ether_shost); 684 IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_dhost); 685 break; 686 #ifndef IEEE80211_STA_ONLY 687 case IEEE80211_M_IBSS: 688 case IEEE80211_M_AHDEMO: 689 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS; 690 IEEE80211_ADDR_COPY(wh->i_addr1, eh.ether_dhost); 691 IEEE80211_ADDR_COPY(wh->i_addr2, eh.ether_shost); 692 IEEE80211_ADDR_COPY(wh->i_addr3, ic->ic_bss->ni_bssid); 693 break; 694 case IEEE80211_M_HOSTAP: 695 wh->i_fc[1] = IEEE80211_FC1_DIR_FROMDS; 696 IEEE80211_ADDR_COPY(wh->i_addr1, eh.ether_dhost); 697 IEEE80211_ADDR_COPY(wh->i_addr2, ni->ni_bssid); 698 IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_shost); 699 break; 700 #endif 701 default: 702 /* should not get there */ 703 goto bad; 704 } 705 706 if ((ic->ic_flags & IEEE80211_F_WEPON) || 707 ((ic->ic_flags & IEEE80211_F_RSNON) && 708 (ni->ni_flags & IEEE80211_NODE_TXPROT))) 709 wh->i_fc[1] |= IEEE80211_FC1_PROTECTED; 710 711 #ifndef IEEE80211_STA_ONLY 712 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 713 ieee80211_pwrsave(ic, m, ni) != 0) { 714 *pni = NULL; 715 return NULL; 716 } 717 #endif 718 *pni = ni; 719 return m; 720 bad: 721 m_freem(m); 722 if (ni != NULL) 723 ieee80211_release_node(ic, ni); 724 *pni = NULL; 725 return NULL; 726 } 727 728 /* 729 * Add a Capability Information field to a frame (see 7.3.1.4). 730 */ 731 u_int8_t * 732 ieee80211_add_capinfo(u_int8_t *frm, struct ieee80211com *ic, 733 const struct ieee80211_node *ni) 734 { 735 u_int16_t capinfo; 736 737 #ifndef IEEE80211_STA_ONLY 738 if (ic->ic_opmode == IEEE80211_M_IBSS) 739 capinfo = IEEE80211_CAPINFO_IBSS; 740 else if (ic->ic_opmode == IEEE80211_M_HOSTAP) 741 capinfo = IEEE80211_CAPINFO_ESS; 742 else 743 #endif 744 capinfo = 0; 745 #ifndef IEEE80211_STA_ONLY 746 if (ic->ic_opmode == IEEE80211_M_HOSTAP && 747 (ic->ic_flags & (IEEE80211_F_WEPON | IEEE80211_F_RSNON))) 748 capinfo |= IEEE80211_CAPINFO_PRIVACY; 749 #endif 750 /* NB: some 11a AP's reject the request when short preamble is set */ 751 if ((ic->ic_flags & IEEE80211_F_SHPREAMBLE) && 752 IEEE80211_IS_CHAN_2GHZ(ni->ni_chan)) 753 capinfo |= IEEE80211_CAPINFO_SHORT_PREAMBLE; 754 if (ic->ic_flags & IEEE80211_F_SHSLOT) 755 capinfo |= IEEE80211_CAPINFO_SHORT_SLOTTIME; 756 LE_WRITE_2(frm, capinfo); 757 return frm + 2; 758 } 759 760 /* 761 * Add an SSID element to a frame (see 7.3.2.1). 762 */ 763 u_int8_t * 764 ieee80211_add_ssid(u_int8_t *frm, const u_int8_t *ssid, u_int len) 765 { 766 *frm++ = IEEE80211_ELEMID_SSID; 767 *frm++ = len; 768 memcpy(frm, ssid, len); 769 return frm + len; 770 } 771 772 /* 773 * Add a supported rates element to a frame (see 7.3.2.2). 774 */ 775 u_int8_t * 776 ieee80211_add_rates(u_int8_t *frm, const struct ieee80211_rateset *rs) 777 { 778 int nrates; 779 780 *frm++ = IEEE80211_ELEMID_RATES; 781 nrates = min(rs->rs_nrates, IEEE80211_RATE_SIZE); 782 *frm++ = nrates; 783 memcpy(frm, rs->rs_rates, nrates); 784 return frm + nrates; 785 } 786 787 #ifndef IEEE80211_STA_ONLY 788 /* 789 * Add a DS Parameter Set element to a frame (see 7.3.2.4). 790 */ 791 u_int8_t * 792 ieee80211_add_ds_params(u_int8_t *frm, struct ieee80211com *ic, 793 const struct ieee80211_node *ni) 794 { 795 *frm++ = IEEE80211_ELEMID_DSPARMS; 796 *frm++ = 1; 797 *frm++ = ieee80211_chan2ieee(ic, ni->ni_chan); 798 return frm; 799 } 800 801 /* 802 * Add a TIM element to a frame (see 7.3.2.6 and Annex L). 803 */ 804 u_int8_t * 805 ieee80211_add_tim(u_int8_t *frm, struct ieee80211com *ic) 806 { 807 u_int i, offset = 0, len; 808 809 /* find first non-zero octet in the virtual bit map */ 810 for (i = 0; i < ic->ic_tim_len && ic->ic_tim_bitmap[i] == 0; i++) 811 ; 812 813 /* clear the lsb as it is reserved for the broadcast indication bit */ 814 if (i < ic->ic_tim_len) 815 offset = i & ~1; 816 817 /* find last non-zero octet in the virtual bit map */ 818 for (i = ic->ic_tim_len - 1; i > 0 && ic->ic_tim_bitmap[i] == 0; i--) 819 ; 820 821 len = i - offset + 1; 822 823 *frm++ = IEEE80211_ELEMID_TIM; 824 *frm++ = len + 3; /* length */ 825 *frm++ = ic->ic_dtim_count; /* DTIM count */ 826 *frm++ = ic->ic_dtim_period; /* DTIM period */ 827 828 /* Bitmap Control */ 829 *frm = offset; 830 /* set broadcast/multicast indication bit if necessary */ 831 if (ic->ic_dtim_count == 0 && ic->ic_tim_mcast_pending) 832 *frm |= 0x01; 833 frm++; 834 835 /* Partial Virtual Bitmap */ 836 memcpy(frm, &ic->ic_tim_bitmap[offset], len); 837 return frm + len; 838 } 839 840 /* 841 * Add an IBSS Parameter Set element to a frame (see 7.3.2.7). 842 */ 843 u_int8_t * 844 ieee80211_add_ibss_params(u_int8_t *frm, const struct ieee80211_node *ni) 845 { 846 *frm++ = IEEE80211_ELEMID_IBSSPARMS; 847 *frm++ = 2; 848 LE_WRITE_2(frm, 0); /* TODO: ATIM window */ 849 return frm + 2; 850 } 851 852 /* 853 * Add an EDCA Parameter Set element to a frame (see 7.3.2.29). 854 */ 855 u_int8_t * 856 ieee80211_add_edca_params(u_int8_t *frm, struct ieee80211com *ic) 857 { 858 const struct ieee80211_edca_ac_params *edca; 859 int aci; 860 861 *frm++ = IEEE80211_ELEMID_EDCAPARMS; 862 *frm++ = 18; /* length */ 863 *frm++ = 0; /* QoS Info */ 864 *frm++ = 0; /* reserved */ 865 866 /* setup AC Parameter Records */ 867 edca = ieee80211_edca_table[ic->ic_curmode]; 868 for (aci = 0; aci < EDCA_NUM_AC; aci++) { 869 const struct ieee80211_edca_ac_params *ac = &edca[aci]; 870 871 *frm++ = (aci << 5) | ((ac->ac_acm & 0x1) << 4) | 872 (ac->ac_aifsn & 0xf); 873 *frm++ = (ac->ac_ecwmax << 4) | 874 (ac->ac_ecwmin & 0xf); 875 LE_WRITE_2(frm, ac->ac_txoplimit); frm += 2; 876 } 877 return frm; 878 } 879 880 /* 881 * Add an ERP element to a frame (see 7.3.2.13). 882 */ 883 u_int8_t * 884 ieee80211_add_erp(u_int8_t *frm, struct ieee80211com *ic) 885 { 886 u_int8_t erp; 887 int nonerpsta = 0; 888 889 *frm++ = IEEE80211_ELEMID_ERP; 890 *frm++ = 1; 891 erp = 0; 892 /* 893 * The NonERP_Present bit shall be set to 1 when a NonERP STA 894 * is associated with the BSS. 895 */ 896 ieee80211_iterate_nodes(ic, ieee80211_count_nonerpsta, &nonerpsta); 897 if (nonerpsta != 0) 898 erp |= IEEE80211_ERP_NON_ERP_PRESENT; 899 /* 900 * If one or more NonERP STAs are associated in the BSS, the 901 * Use_Protection bit shall be set to 1 in transmitted ERP 902 * Information Elements. 903 */ 904 if (ic->ic_flags & IEEE80211_F_USEPROT) 905 erp |= IEEE80211_ERP_USE_PROTECTION; 906 /* 907 * The Barker_Preamble_Mode bit shall be set to 1 by the ERP 908 * Information Element sender if one or more associated NonERP 909 * STAs are not short preamble capable. 910 */ 911 if (!(ic->ic_flags & IEEE80211_F_SHPREAMBLE)) 912 erp |= IEEE80211_ERP_BARKER_MODE; 913 *frm++ = erp; 914 return frm; 915 } 916 #endif /* IEEE80211_STA_ONLY */ 917 918 /* 919 * Add a QoS Capability element to a frame (see 7.3.2.35). 920 */ 921 u_int8_t * 922 ieee80211_add_qos_capability(u_int8_t *frm, struct ieee80211com *ic) 923 { 924 *frm++ = IEEE80211_ELEMID_QOS_CAP; 925 *frm++ = 1; 926 *frm++ = 0; /* QoS Info */ 927 return frm; 928 } 929 930 /* 931 * Add a Wifi-Alliance WME (aka WMM) info element to a frame. 932 * WME is a requirement for Wifi-Alliance compliance and some 933 * 11n APs will not negotiate HT if this element is missing. 934 */ 935 uint8_t * 936 ieee80211_add_wme_info(uint8_t *frm, struct ieee80211com *ic) 937 { 938 *frm++ = IEEE80211_ELEMID_VENDOR; 939 *frm++ = 7; 940 memcpy(frm, MICROSOFT_OUI, 3); frm += 3; 941 *frm++ = 2; /* OUI type */ 942 *frm++ = 0; /* OUI subtype */ 943 *frm++ = 1; /* version */ 944 *frm++ = 0; /* info */ 945 946 return frm; 947 } 948 949 #ifndef IEEE80211_STA_ONLY 950 /* 951 * Add a Wifi-Alliance WMM (aka WME) parameter element to a frame. 952 */ 953 uint8_t * 954 ieee80211_add_wme_param(uint8_t *frm, struct ieee80211com *ic) 955 { 956 const struct ieee80211_edca_ac_params *edca; 957 int aci; 958 959 *frm++ = IEEE80211_ELEMID_VENDOR; 960 *frm++ = 24; 961 memcpy(frm, MICROSOFT_OUI, 3); frm += 3; 962 *frm++ = 2; /* OUI type */ 963 *frm++ = 1; /* OUI subtype */ 964 *frm++ = 1; /* version */ 965 *frm++ = 0; /* info */ 966 *frm++ = 0; /* reserved */ 967 968 /* setup AC Parameter Records */ 969 edca = ieee80211_edca_table[ic->ic_curmode]; 970 for (aci = 0; aci < EDCA_NUM_AC; aci++) { 971 const struct ieee80211_edca_ac_params *ac = &edca[aci]; 972 973 *frm++ = (aci << 5) | ((ac->ac_acm & 0x1) << 4) | 974 (ac->ac_aifsn & 0xf); 975 *frm++ = (ac->ac_ecwmax << 4) | 976 (ac->ac_ecwmin & 0xf); 977 LE_WRITE_2(frm, ac->ac_txoplimit); frm += 2; 978 } 979 980 return frm; 981 } 982 #endif 983 984 /* 985 * Add an RSN element to a frame (see 802.11-2012 8.4.2.27) 986 */ 987 u_int8_t * 988 ieee80211_add_rsn_body(u_int8_t *frm, struct ieee80211com *ic, 989 const struct ieee80211_node *ni, int wpa) 990 { 991 const u_int8_t *oui = wpa ? MICROSOFT_OUI : IEEE80211_OUI; 992 u_int8_t *pcount; 993 u_int16_t count, rsncaps; 994 995 /* write Version field */ 996 LE_WRITE_2(frm, 1); frm += 2; 997 998 /* write Group Data Cipher Suite field (see 802.11-2012 Table 8-99) */ 999 memcpy(frm, oui, 3); frm += 3; 1000 switch (ni->ni_rsngroupcipher) { 1001 case IEEE80211_CIPHER_WEP40: 1002 *frm++ = 1; 1003 break; 1004 case IEEE80211_CIPHER_TKIP: 1005 *frm++ = 2; 1006 break; 1007 case IEEE80211_CIPHER_CCMP: 1008 *frm++ = 4; 1009 break; 1010 case IEEE80211_CIPHER_WEP104: 1011 *frm++ = 5; 1012 break; 1013 default: 1014 /* can't get there */ 1015 panic("invalid group data cipher!"); 1016 } 1017 1018 pcount = frm; frm += 2; 1019 count = 0; 1020 /* write Pairwise Cipher Suite List */ 1021 if (ni->ni_rsnciphers & IEEE80211_CIPHER_USEGROUP) { 1022 memcpy(frm, oui, 3); frm += 3; 1023 *frm++ = 0; 1024 count++; 1025 } 1026 if (ni->ni_rsnciphers & IEEE80211_CIPHER_TKIP) { 1027 memcpy(frm, oui, 3); frm += 3; 1028 *frm++ = 2; 1029 count++; 1030 } 1031 if (ni->ni_rsnciphers & IEEE80211_CIPHER_CCMP) { 1032 memcpy(frm, oui, 3); frm += 3; 1033 *frm++ = 4; 1034 count++; 1035 } 1036 /* write Pairwise Cipher Suite Count field */ 1037 LE_WRITE_2(pcount, count); 1038 1039 pcount = frm; frm += 2; 1040 count = 0; 1041 /* write AKM Suite List (see Table 20dc) */ 1042 if (ni->ni_rsnakms & IEEE80211_AKM_8021X) { 1043 memcpy(frm, oui, 3); frm += 3; 1044 *frm++ = 1; 1045 count++; 1046 } 1047 if (ni->ni_rsnakms & IEEE80211_AKM_PSK) { 1048 memcpy(frm, oui, 3); frm += 3; 1049 *frm++ = 2; 1050 count++; 1051 } 1052 if (!wpa && (ni->ni_rsnakms & IEEE80211_AKM_SHA256_8021X)) { 1053 memcpy(frm, oui, 3); frm += 3; 1054 *frm++ = 5; 1055 count++; 1056 } 1057 if (!wpa && (ni->ni_rsnakms & IEEE80211_AKM_SHA256_PSK)) { 1058 memcpy(frm, oui, 3); frm += 3; 1059 *frm++ = 6; 1060 count++; 1061 } 1062 /* write AKM Suite List Count field */ 1063 LE_WRITE_2(pcount, count); 1064 1065 if (wpa) 1066 return frm; 1067 1068 /* write RSN Capabilities field */ 1069 rsncaps = (ni->ni_rsncaps & (IEEE80211_RSNCAP_PTKSA_RCNT_MASK | 1070 IEEE80211_RSNCAP_GTKSA_RCNT_MASK)); 1071 if (ic->ic_caps & IEEE80211_C_MFP) { 1072 rsncaps |= IEEE80211_RSNCAP_MFPC; 1073 if (ic->ic_flags & IEEE80211_F_MFPR) 1074 rsncaps |= IEEE80211_RSNCAP_MFPR; 1075 } 1076 if (ic->ic_flags & IEEE80211_F_PBAR) 1077 rsncaps |= IEEE80211_RSNCAP_PBAC; 1078 LE_WRITE_2(frm, rsncaps); frm += 2; 1079 1080 if (ni->ni_flags & IEEE80211_NODE_PMKID) { 1081 /* write PMKID Count field */ 1082 LE_WRITE_2(frm, 1); frm += 2; 1083 /* write PMKID List (only 1) */ 1084 memcpy(frm, ni->ni_pmkid, IEEE80211_PMKID_LEN); 1085 frm += IEEE80211_PMKID_LEN; 1086 } 1087 1088 if (!(ic->ic_caps & IEEE80211_C_MFP)) 1089 return frm; 1090 1091 if ((ni->ni_flags & IEEE80211_NODE_PMKID) == 0) { 1092 /* no PMKID (PMKID Count=0) */ 1093 LE_WRITE_2(frm, 0); frm += 2; 1094 } 1095 1096 /* write Group Integrity Cipher Suite field */ 1097 memcpy(frm, oui, 3); frm += 3; 1098 switch (ic->ic_rsngroupmgmtcipher) { 1099 case IEEE80211_CIPHER_BIP: 1100 *frm++ = 6; 1101 break; 1102 default: 1103 /* can't get there */ 1104 panic("invalid integrity group cipher!"); 1105 } 1106 return frm; 1107 } 1108 1109 u_int8_t * 1110 ieee80211_add_rsn(u_int8_t *frm, struct ieee80211com *ic, 1111 const struct ieee80211_node *ni) 1112 { 1113 u_int8_t *plen; 1114 1115 *frm++ = IEEE80211_ELEMID_RSN; 1116 plen = frm++; /* length filled in later */ 1117 frm = ieee80211_add_rsn_body(frm, ic, ni, 0); 1118 1119 /* write length field */ 1120 *plen = frm - plen - 1; 1121 return frm; 1122 } 1123 1124 /* 1125 * Add a vendor-specific WPA element to a frame. 1126 * This is required for compatibility with Wi-Fi Alliance WPA. 1127 */ 1128 u_int8_t * 1129 ieee80211_add_wpa(u_int8_t *frm, struct ieee80211com *ic, 1130 const struct ieee80211_node *ni) 1131 { 1132 u_int8_t *plen; 1133 1134 *frm++ = IEEE80211_ELEMID_VENDOR; 1135 plen = frm++; /* length filled in later */ 1136 memcpy(frm, MICROSOFT_OUI, 3); frm += 3; 1137 *frm++ = 1; /* WPA */ 1138 frm = ieee80211_add_rsn_body(frm, ic, ni, 1); 1139 1140 /* write length field */ 1141 *plen = frm - plen - 1; 1142 return frm; 1143 } 1144 1145 /* 1146 * Add an extended supported rates element to a frame (see 7.3.2.14). 1147 */ 1148 u_int8_t * 1149 ieee80211_add_xrates(u_int8_t *frm, const struct ieee80211_rateset *rs) 1150 { 1151 int nrates; 1152 1153 KASSERT(rs->rs_nrates > IEEE80211_RATE_SIZE); 1154 1155 *frm++ = IEEE80211_ELEMID_XRATES; 1156 nrates = rs->rs_nrates - IEEE80211_RATE_SIZE; 1157 *frm++ = nrates; 1158 memcpy(frm, rs->rs_rates + IEEE80211_RATE_SIZE, nrates); 1159 return frm + nrates; 1160 } 1161 1162 /* 1163 * Add an HT Capabilities element to a frame (see 7.3.2.57). 1164 */ 1165 u_int8_t * 1166 ieee80211_add_htcaps(u_int8_t *frm, struct ieee80211com *ic) 1167 { 1168 *frm++ = IEEE80211_ELEMID_HTCAPS; 1169 *frm++ = 26; 1170 LE_WRITE_2(frm, ic->ic_htcaps); frm += 2; 1171 *frm++ = ic->ic_ampdu_params; 1172 memcpy(frm, ic->ic_sup_mcs, 10); frm += 10; 1173 LE_WRITE_2(frm, (ic->ic_max_rxrate & IEEE80211_MCS_RX_RATE_HIGH)); 1174 frm += 2; 1175 *frm++ = ic->ic_tx_mcs_set; 1176 *frm++ = 0; /* reserved */ 1177 *frm++ = 0; /* reserved */ 1178 *frm++ = 0; /* reserved */ 1179 LE_WRITE_2(frm, ic->ic_htxcaps); frm += 2; 1180 LE_WRITE_4(frm, ic->ic_txbfcaps); frm += 4; 1181 *frm++ = ic->ic_aselcaps; 1182 return frm; 1183 } 1184 1185 #ifndef IEEE80211_STA_ONLY 1186 /* 1187 * Add an HT Operation element to a frame (see 7.3.2.58). 1188 */ 1189 u_int8_t * 1190 ieee80211_add_htop(u_int8_t *frm, struct ieee80211com *ic) 1191 { 1192 *frm++ = IEEE80211_ELEMID_HTOP; 1193 *frm++ = 22; 1194 *frm++ = ieee80211_chan2ieee(ic, ic->ic_bss->ni_chan); 1195 *frm++ = ic->ic_bss->ni_htop0; 1196 LE_WRITE_2(frm, ic->ic_bss->ni_htop1); frm += 2; 1197 LE_WRITE_2(frm, ic->ic_bss->ni_htop2); frm += 2; 1198 memset(frm, 0, 16); frm += 16; 1199 return frm; 1200 } 1201 #endif /* !IEEE80211_STA_ONLY */ 1202 1203 /* 1204 * Add a VHT Capabilities element to a frame (see 802.11ac-2013 8.4.2.160.2). 1205 */ 1206 u_int8_t * 1207 ieee80211_add_vhtcaps(u_int8_t *frm, struct ieee80211com *ic) 1208 { 1209 *frm++ = IEEE80211_ELEMID_VHTCAPS; 1210 *frm++ = 12; 1211 LE_WRITE_4(frm, ic->ic_vhtcaps); frm += 4; 1212 LE_WRITE_2(frm, ic->ic_vht_rxmcs); frm += 2; 1213 LE_WRITE_2(frm, ic->ic_vht_rx_max_lgi_mbit_s); frm += 2; 1214 LE_WRITE_2(frm, ic->ic_vht_txmcs); frm += 2; 1215 LE_WRITE_2(frm, ic->ic_vht_tx_max_lgi_mbit_s); frm += 2; 1216 return frm; 1217 } 1218 1219 #ifndef IEEE80211_STA_ONLY 1220 /* 1221 * Add a Timeout Interval element to a frame (see 7.3.2.49). 1222 */ 1223 u_int8_t * 1224 ieee80211_add_tie(u_int8_t *frm, u_int8_t type, u_int32_t value) 1225 { 1226 *frm++ = IEEE80211_ELEMID_TIE; 1227 *frm++ = 5; /* length */ 1228 *frm++ = type; /* Timeout Interval type */ 1229 LE_WRITE_4(frm, value); 1230 return frm + 4; 1231 } 1232 #endif 1233 1234 struct mbuf * 1235 ieee80211_getmgmt(int flags, int type, u_int pktlen) 1236 { 1237 struct mbuf *m; 1238 1239 /* reserve space for 802.11 header */ 1240 pktlen += sizeof(struct ieee80211_frame); 1241 1242 if (pktlen > MCLBYTES) 1243 panic("management frame too large: %u", pktlen); 1244 MGETHDR(m, flags, type); 1245 if (m == NULL) 1246 return NULL; 1247 if (pktlen > MHLEN) { 1248 MCLGET(m, flags); 1249 if (!(m->m_flags & M_EXT)) 1250 return m_free(m); 1251 } 1252 m->m_data += sizeof(struct ieee80211_frame); 1253 return m; 1254 } 1255 1256 /*- 1257 * Probe request frame format: 1258 * [tlv] SSID 1259 * [tlv] Supported rates 1260 * [tlv] Extended Supported Rates (802.11g) 1261 * [tlv] HT Capabilities (802.11n) 1262 */ 1263 struct mbuf * 1264 ieee80211_get_probe_req(struct ieee80211com *ic, struct ieee80211_node *ni) 1265 { 1266 const struct ieee80211_rateset *rs = 1267 &ic->ic_sup_rates[ieee80211_chan2mode(ic, ni->ni_chan)]; 1268 struct mbuf *m; 1269 u_int8_t *frm; 1270 1271 m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA, 1272 2 + ic->ic_des_esslen + 1273 2 + min(rs->rs_nrates, IEEE80211_RATE_SIZE) + 1274 ((rs->rs_nrates > IEEE80211_RATE_SIZE) ? 1275 2 + rs->rs_nrates - IEEE80211_RATE_SIZE : 0) + 1276 ((ic->ic_flags & IEEE80211_F_HTON) ? 28 + 9 : 0) + 1277 ((ic->ic_flags & IEEE80211_F_VHTON) ? 14 : 0)); 1278 if (m == NULL) 1279 return NULL; 1280 1281 frm = mtod(m, u_int8_t *); 1282 frm = ieee80211_add_ssid(frm, ic->ic_des_essid, ic->ic_des_esslen); 1283 frm = ieee80211_add_rates(frm, rs); 1284 if (rs->rs_nrates > IEEE80211_RATE_SIZE) 1285 frm = ieee80211_add_xrates(frm, rs); 1286 if (ic->ic_flags & IEEE80211_F_HTON) { 1287 frm = ieee80211_add_htcaps(frm, ic); 1288 frm = ieee80211_add_wme_info(frm, ic); 1289 } 1290 if (ic->ic_flags & IEEE80211_F_VHTON) 1291 frm = ieee80211_add_htcaps(frm, ic); 1292 1293 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *); 1294 1295 return m; 1296 } 1297 1298 #ifndef IEEE80211_STA_ONLY 1299 /*- 1300 * Probe response frame format: 1301 * [8] Timestamp 1302 * [2] Beacon interval 1303 * [2] Capability 1304 * [tlv] Service Set Identifier (SSID) 1305 * [tlv] Supported rates 1306 * [tlv] DS Parameter Set (802.11g) 1307 * [tlv] ERP Information (802.11g) 1308 * [tlv] Extended Supported Rates (802.11g) 1309 * [tlv] RSN (802.11i) 1310 * [tlv] EDCA Parameter Set (802.11e) 1311 * [tlv] HT Capabilities (802.11n) 1312 * [tlv] HT Operation (802.11n) 1313 */ 1314 struct mbuf * 1315 ieee80211_get_probe_resp(struct ieee80211com *ic) 1316 { 1317 const struct ieee80211_rateset *rs = &ic->ic_bss->ni_rates; 1318 struct mbuf *m; 1319 u_int8_t *frm; 1320 1321 m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA, 1322 8 + 2 + 2 + 1323 2 + ic->ic_bss->ni_esslen + 1324 2 + min(rs->rs_nrates, IEEE80211_RATE_SIZE) + 1325 2 + 1 + 1326 ((ic->ic_opmode == IEEE80211_M_IBSS) ? 2 + 2 : 0) + 1327 ((ic->ic_curmode == IEEE80211_MODE_11G) ? 2 + 1 : 0) + 1328 ((rs->rs_nrates > IEEE80211_RATE_SIZE) ? 1329 2 + rs->rs_nrates - IEEE80211_RATE_SIZE : 0) + 1330 (((ic->ic_flags & IEEE80211_F_RSNON) && 1331 (ic->ic_bss->ni_rsnprotos & IEEE80211_PROTO_RSN)) ? 1332 2 + IEEE80211_RSNIE_MAXLEN : 0) + 1333 ((ic->ic_flags & IEEE80211_F_QOS) ? 2 + 18 : 0) + 1334 (((ic->ic_flags & IEEE80211_F_RSNON) && 1335 (ic->ic_bss->ni_rsnprotos & IEEE80211_PROTO_WPA)) ? 1336 2 + IEEE80211_WPAIE_MAXLEN : 0) + 1337 ((ic->ic_flags & IEEE80211_F_HTON) ? 28 + 24 + 26 : 0)); 1338 if (m == NULL) 1339 return NULL; 1340 1341 frm = mtod(m, u_int8_t *); 1342 memset(frm, 0, 8); frm += 8; /* timestamp is set by hardware */ 1343 LE_WRITE_2(frm, ic->ic_bss->ni_intval); frm += 2; 1344 frm = ieee80211_add_capinfo(frm, ic, ic->ic_bss); 1345 frm = ieee80211_add_ssid(frm, ic->ic_bss->ni_essid, 1346 ic->ic_bss->ni_esslen); 1347 frm = ieee80211_add_rates(frm, rs); 1348 frm = ieee80211_add_ds_params(frm, ic, ic->ic_bss); 1349 if (ic->ic_opmode == IEEE80211_M_IBSS) 1350 frm = ieee80211_add_ibss_params(frm, ic->ic_bss); 1351 if (ic->ic_curmode == IEEE80211_MODE_11G) 1352 frm = ieee80211_add_erp(frm, ic); 1353 if (rs->rs_nrates > IEEE80211_RATE_SIZE) 1354 frm = ieee80211_add_xrates(frm, rs); 1355 if ((ic->ic_flags & IEEE80211_F_RSNON) && 1356 (ic->ic_bss->ni_rsnprotos & IEEE80211_PROTO_RSN)) 1357 frm = ieee80211_add_rsn(frm, ic, ic->ic_bss); 1358 if (ic->ic_flags & IEEE80211_F_QOS) 1359 frm = ieee80211_add_edca_params(frm, ic); 1360 if ((ic->ic_flags & IEEE80211_F_RSNON) && 1361 (ic->ic_bss->ni_rsnprotos & IEEE80211_PROTO_WPA)) 1362 frm = ieee80211_add_wpa(frm, ic, ic->ic_bss); 1363 if (ic->ic_flags & IEEE80211_F_HTON) { 1364 frm = ieee80211_add_htcaps(frm, ic); 1365 frm = ieee80211_add_htop(frm, ic); 1366 frm = ieee80211_add_wme_param(frm, ic); 1367 } 1368 1369 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *); 1370 1371 return m; 1372 } 1373 #endif /* IEEE80211_STA_ONLY */ 1374 1375 /*- 1376 * Authentication frame format: 1377 * [2] Authentication algorithm number 1378 * [2] Authentication transaction sequence number 1379 * [2] Status code 1380 */ 1381 struct mbuf * 1382 ieee80211_get_auth(struct ieee80211com *ic, struct ieee80211_node *ni, 1383 u_int16_t status, u_int16_t seq) 1384 { 1385 struct mbuf *m; 1386 u_int8_t *frm; 1387 1388 MGETHDR(m, M_DONTWAIT, MT_DATA); 1389 if (m == NULL) 1390 return NULL; 1391 m_align(m, 2 * 3); 1392 m->m_pkthdr.len = m->m_len = 2 * 3; 1393 1394 frm = mtod(m, u_int8_t *); 1395 LE_WRITE_2(frm, IEEE80211_AUTH_ALG_OPEN); frm += 2; 1396 LE_WRITE_2(frm, seq); frm += 2; 1397 LE_WRITE_2(frm, status); 1398 1399 return m; 1400 } 1401 1402 /*- 1403 * Deauthentication frame format: 1404 * [2] Reason code 1405 */ 1406 struct mbuf * 1407 ieee80211_get_deauth(struct ieee80211com *ic, struct ieee80211_node *ni, 1408 u_int16_t reason) 1409 { 1410 struct mbuf *m; 1411 1412 MGETHDR(m, M_DONTWAIT, MT_DATA); 1413 if (m == NULL) 1414 return NULL; 1415 m_align(m, 2); 1416 m->m_pkthdr.len = m->m_len = 2; 1417 1418 *mtod(m, u_int16_t *) = htole16(reason); 1419 1420 return m; 1421 } 1422 1423 /*- 1424 * (Re)Association request frame format: 1425 * [2] Capability information 1426 * [2] Listen interval 1427 * [6*] Current AP address (Reassociation only) 1428 * [tlv] SSID 1429 * [tlv] Supported rates 1430 * [tlv] Extended Supported Rates (802.11g) 1431 * [tlv] RSN (802.11i) 1432 * [tlv] QoS Capability (802.11e) 1433 * [tlv] HT Capabilities (802.11n) 1434 */ 1435 struct mbuf * 1436 ieee80211_get_assoc_req(struct ieee80211com *ic, struct ieee80211_node *ni, 1437 int type) 1438 { 1439 const struct ieee80211_rateset *rs = &ni->ni_rates; 1440 struct mbuf *m; 1441 u_int8_t *frm; 1442 u_int16_t capinfo; 1443 1444 m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA, 1445 2 + 2 + 1446 ((type == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) ? 1447 IEEE80211_ADDR_LEN : 0) + 1448 2 + ni->ni_esslen + 1449 2 + min(rs->rs_nrates, IEEE80211_RATE_SIZE) + 1450 ((rs->rs_nrates > IEEE80211_RATE_SIZE) ? 1451 2 + rs->rs_nrates - IEEE80211_RATE_SIZE : 0) + 1452 (((ic->ic_flags & IEEE80211_F_RSNON) && 1453 (ni->ni_rsnprotos & IEEE80211_PROTO_RSN)) ? 1454 2 + IEEE80211_RSNIE_MAXLEN : 0) + 1455 ((ni->ni_flags & IEEE80211_NODE_QOS) ? 2 + 1 : 0) + 1456 (((ic->ic_flags & IEEE80211_F_RSNON) && 1457 (ni->ni_rsnprotos & IEEE80211_PROTO_WPA)) ? 1458 2 + IEEE80211_WPAIE_MAXLEN : 0) + 1459 ((ic->ic_flags & IEEE80211_F_HTON) ? 28 + 9 : 0) + 1460 ((ic->ic_flags & IEEE80211_F_VHTON) ? 14 : 0)); 1461 if (m == NULL) 1462 return NULL; 1463 1464 frm = mtod(m, u_int8_t *); 1465 capinfo = IEEE80211_CAPINFO_ESS; 1466 if (ic->ic_flags & IEEE80211_F_WEPON) 1467 capinfo |= IEEE80211_CAPINFO_PRIVACY; 1468 if ((ic->ic_flags & IEEE80211_F_SHPREAMBLE) && 1469 IEEE80211_IS_CHAN_2GHZ(ni->ni_chan)) 1470 capinfo |= IEEE80211_CAPINFO_SHORT_PREAMBLE; 1471 if (ic->ic_caps & IEEE80211_C_SHSLOT) 1472 capinfo |= IEEE80211_CAPINFO_SHORT_SLOTTIME; 1473 LE_WRITE_2(frm, capinfo); frm += 2; 1474 LE_WRITE_2(frm, ic->ic_lintval); frm += 2; 1475 if (type == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) { 1476 IEEE80211_ADDR_COPY(frm, ic->ic_bss->ni_bssid); 1477 frm += IEEE80211_ADDR_LEN; 1478 } 1479 frm = ieee80211_add_ssid(frm, ni->ni_essid, ni->ni_esslen); 1480 frm = ieee80211_add_rates(frm, rs); 1481 if (rs->rs_nrates > IEEE80211_RATE_SIZE) 1482 frm = ieee80211_add_xrates(frm, rs); 1483 if ((ic->ic_flags & IEEE80211_F_RSNON) && 1484 (ni->ni_rsnprotos & IEEE80211_PROTO_RSN)) 1485 frm = ieee80211_add_rsn(frm, ic, ni); 1486 if (ni->ni_flags & IEEE80211_NODE_QOS) 1487 frm = ieee80211_add_qos_capability(frm, ic); 1488 if ((ic->ic_flags & IEEE80211_F_RSNON) && 1489 (ni->ni_rsnprotos & IEEE80211_PROTO_WPA)) 1490 frm = ieee80211_add_wpa(frm, ic, ni); 1491 if (ic->ic_flags & IEEE80211_F_HTON) { 1492 frm = ieee80211_add_htcaps(frm, ic); 1493 frm = ieee80211_add_wme_info(frm, ic); 1494 } 1495 if (ic->ic_flags & IEEE80211_F_VHTON) 1496 frm = ieee80211_add_vhtcaps(frm, ic); 1497 1498 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *); 1499 1500 return m; 1501 } 1502 1503 #ifndef IEEE80211_STA_ONLY 1504 /*- 1505 * (Re)Association response frame format: 1506 * [2] Capability information 1507 * [2] Status code 1508 * [2] Association ID (AID) 1509 * [tlv] Supported rates 1510 * [tlv] Extended Supported Rates (802.11g) 1511 * [tlv] EDCA Parameter Set (802.11e) 1512 * [tlv] Timeout Interval (802.11w) 1513 * [tlv] HT Capabilities (802.11n) 1514 * [tlv] HT Operation (802.11n) 1515 */ 1516 struct mbuf * 1517 ieee80211_get_assoc_resp(struct ieee80211com *ic, struct ieee80211_node *ni, 1518 u_int16_t status) 1519 { 1520 const struct ieee80211_rateset *rs = &ni->ni_rates; 1521 struct mbuf *m; 1522 u_int8_t *frm; 1523 1524 m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA, 1525 2 + 2 + 2 + 1526 2 + min(rs->rs_nrates, IEEE80211_RATE_SIZE) + 1527 ((rs->rs_nrates > IEEE80211_RATE_SIZE) ? 1528 2 + rs->rs_nrates - IEEE80211_RATE_SIZE : 0) + 1529 ((ni->ni_flags & IEEE80211_NODE_QOS) ? 2 + 18 : 0) + 1530 ((status == IEEE80211_STATUS_TRY_AGAIN_LATER) ? 2 + 7 : 0) + 1531 ((ic->ic_flags & IEEE80211_F_HTON) ? 28 + 24 + 26 : 0)); 1532 if (m == NULL) 1533 return NULL; 1534 1535 frm = mtod(m, u_int8_t *); 1536 frm = ieee80211_add_capinfo(frm, ic, ni); 1537 LE_WRITE_2(frm, status); frm += 2; 1538 if (status == IEEE80211_STATUS_SUCCESS) 1539 LE_WRITE_2(frm, ni->ni_associd); 1540 else 1541 LE_WRITE_2(frm, 0); 1542 frm += 2; 1543 frm = ieee80211_add_rates(frm, rs); 1544 if (rs->rs_nrates > IEEE80211_RATE_SIZE) 1545 frm = ieee80211_add_xrates(frm, rs); 1546 if (ni->ni_flags & IEEE80211_NODE_QOS) 1547 frm = ieee80211_add_edca_params(frm, ic); 1548 if ((ni->ni_flags & IEEE80211_NODE_MFP) && 1549 status == IEEE80211_STATUS_TRY_AGAIN_LATER) { 1550 /* Association Comeback Time */ 1551 frm = ieee80211_add_tie(frm, 3, 1000 /* XXX */); 1552 } 1553 if (ic->ic_flags & IEEE80211_F_HTON) { 1554 frm = ieee80211_add_htcaps(frm, ic); 1555 frm = ieee80211_add_htop(frm, ic); 1556 frm = ieee80211_add_wme_param(frm, ic); 1557 } 1558 1559 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *); 1560 1561 return m; 1562 } 1563 #endif /* IEEE80211_STA_ONLY */ 1564 1565 /*- 1566 * Disassociation frame format: 1567 * [2] Reason code 1568 */ 1569 struct mbuf * 1570 ieee80211_get_disassoc(struct ieee80211com *ic, struct ieee80211_node *ni, 1571 u_int16_t reason) 1572 { 1573 struct mbuf *m; 1574 1575 MGETHDR(m, M_DONTWAIT, MT_DATA); 1576 if (m == NULL) 1577 return NULL; 1578 m_align(m, 2); 1579 m->m_pkthdr.len = m->m_len = 2; 1580 1581 *mtod(m, u_int16_t *) = htole16(reason); 1582 1583 return m; 1584 } 1585 1586 /*- 1587 * ADDBA Request frame format: 1588 * [1] Category 1589 * [1] Action 1590 * [1] Dialog Token 1591 * [2] Block Ack Parameter Set 1592 * [2] Block Ack Timeout Value 1593 * [2] Block Ack Starting Sequence Control 1594 */ 1595 struct mbuf * 1596 ieee80211_get_addba_req(struct ieee80211com *ic, struct ieee80211_node *ni, 1597 u_int8_t tid) 1598 { 1599 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 1600 struct mbuf *m; 1601 u_int8_t *frm; 1602 1603 m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA, 9); 1604 if (m == NULL) 1605 return m; 1606 1607 frm = mtod(m, u_int8_t *); 1608 *frm++ = IEEE80211_CATEG_BA; 1609 *frm++ = IEEE80211_ACTION_ADDBA_REQ; 1610 *frm++ = ba->ba_token; 1611 LE_WRITE_2(frm, ba->ba_params); frm += 2; 1612 LE_WRITE_2(frm, ba->ba_timeout_val / IEEE80211_DUR_TU); frm += 2; 1613 LE_WRITE_2(frm, ba->ba_winstart << IEEE80211_SEQ_SEQ_SHIFT); frm += 2; 1614 1615 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *); 1616 1617 return m; 1618 } 1619 1620 /* Move Tx BA window forward to the specified SSN. */ 1621 void 1622 ieee80211_output_ba_move_window(struct ieee80211com *ic, 1623 struct ieee80211_node *ni, uint8_t tid, uint16_t ssn) 1624 { 1625 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 1626 uint16_t s = ba->ba_winstart; 1627 1628 while (SEQ_LT(s, ssn) && ba->ba_bitmap) { 1629 s = (s + 1) % 0xfff; 1630 ba->ba_bitmap >>= 1; 1631 } 1632 1633 ba->ba_winstart = (ssn & 0xfff); 1634 ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; 1635 } 1636 1637 /* 1638 * Move Tx BA window forward up to the first hole in the bitmap 1639 * or up to the specified SSN, whichever comes first. 1640 * After calling this function, frames before the start of the 1641 * potentially changed BA window should be discarded. 1642 */ 1643 void 1644 ieee80211_output_ba_move_window_to_first_unacked(struct ieee80211com *ic, 1645 struct ieee80211_node *ni, uint8_t tid, uint16_t ssn) 1646 { 1647 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 1648 uint16_t s = ba->ba_winstart; 1649 uint64_t bitmap = ba->ba_bitmap; 1650 int can_move_window = 0; 1651 1652 while (bitmap && SEQ_LT(s, ssn)) { 1653 if ((bitmap & 1) == 0) 1654 break; 1655 s = (s + 1) % 0xfff; 1656 bitmap >>= 1; 1657 can_move_window = 1; 1658 } 1659 1660 if (can_move_window) 1661 ieee80211_output_ba_move_window(ic, ni, tid, s); 1662 } 1663 1664 /* Record an ACK for a frame with a given SSN within the Tx BA window. */ 1665 void 1666 ieee80211_output_ba_record_ack(struct ieee80211com *ic, 1667 struct ieee80211_node *ni, uint8_t tid, uint16_t ssn) 1668 { 1669 struct ieee80211_tx_ba *ba = &ni->ni_tx_ba[tid]; 1670 int i = 0; 1671 uint16_t s = ba->ba_winstart; 1672 1673 KASSERT(!SEQ_LT(ssn, ba->ba_winstart)); 1674 KASSERT(!SEQ_LT(ba->ba_winend, ssn)); 1675 1676 while (SEQ_LT(s, ssn)) { 1677 s = (s + 1) % 0xfff; 1678 i++; 1679 } 1680 if (i < ba->ba_winsize) 1681 ba->ba_bitmap |= (1 << i); 1682 } 1683 1684 /*- 1685 * ADDBA Response frame format: 1686 * [1] Category 1687 * [1] Action 1688 * [1] Dialog Token 1689 * [2] Status Code 1690 * [2] Block Ack Parameter Set 1691 * [2] Block Ack Timeout Value 1692 */ 1693 struct mbuf * 1694 ieee80211_get_addba_resp(struct ieee80211com *ic, struct ieee80211_node *ni, 1695 u_int8_t tid, u_int8_t token, u_int16_t status) 1696 { 1697 struct ieee80211_rx_ba *ba = &ni->ni_rx_ba[tid]; 1698 struct mbuf *m; 1699 u_int8_t *frm; 1700 u_int16_t params; 1701 1702 m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA, 9); 1703 if (m == NULL) 1704 return m; 1705 1706 frm = mtod(m, u_int8_t *); 1707 *frm++ = IEEE80211_CATEG_BA; 1708 *frm++ = IEEE80211_ACTION_ADDBA_RESP; 1709 *frm++ = token; 1710 LE_WRITE_2(frm, status); frm += 2; 1711 if (status == 0) 1712 params = ba->ba_params; 1713 else 1714 params = tid << IEEE80211_ADDBA_TID_SHIFT; 1715 LE_WRITE_2(frm, params); frm += 2; 1716 if (status == 0) 1717 LE_WRITE_2(frm, ba->ba_timeout_val / IEEE80211_DUR_TU); 1718 else 1719 LE_WRITE_2(frm, 0); 1720 frm += 2; 1721 1722 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *); 1723 1724 return m; 1725 } 1726 1727 /*- 1728 * DELBA frame format: 1729 * [1] Category 1730 * [1] Action 1731 * [2] DELBA Parameter Set 1732 * [2] Reason Code 1733 */ 1734 struct mbuf * 1735 ieee80211_get_delba(struct ieee80211com *ic, struct ieee80211_node *ni, 1736 u_int8_t tid, u_int8_t dir, u_int16_t reason) 1737 { 1738 struct mbuf *m; 1739 u_int8_t *frm; 1740 u_int16_t params; 1741 1742 m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA, 6); 1743 if (m == NULL) 1744 return m; 1745 1746 frm = mtod(m, u_int8_t *); 1747 *frm++ = IEEE80211_CATEG_BA; 1748 *frm++ = IEEE80211_ACTION_DELBA; 1749 params = tid << 12; 1750 if (dir) 1751 params |= IEEE80211_DELBA_INITIATOR; 1752 LE_WRITE_2(frm, params); frm += 2; 1753 LE_WRITE_2(frm, reason); frm += 2; 1754 1755 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *); 1756 1757 return m; 1758 } 1759 1760 /*- 1761 * SA Query Request/Response frame format: 1762 * [1] Category 1763 * [1] Action 1764 * [16] Transaction Identifier 1765 */ 1766 struct mbuf * 1767 ieee80211_get_sa_query(struct ieee80211com *ic, struct ieee80211_node *ni, 1768 u_int8_t action) 1769 { 1770 struct mbuf *m; 1771 u_int8_t *frm; 1772 1773 m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA, 4); 1774 if (m == NULL) 1775 return NULL; 1776 1777 frm = mtod(m, u_int8_t *); 1778 *frm++ = IEEE80211_CATEG_SA_QUERY; 1779 *frm++ = action; /* ACTION_SA_QUERY_REQ/RESP */ 1780 LE_WRITE_2(frm, ni->ni_sa_query_trid); frm += 2; 1781 1782 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *); 1783 1784 return m; 1785 } 1786 1787 struct mbuf * 1788 ieee80211_get_action(struct ieee80211com *ic, struct ieee80211_node *ni, 1789 u_int8_t categ, u_int8_t action, int arg) 1790 { 1791 struct mbuf *m = NULL; 1792 1793 switch (categ) { 1794 case IEEE80211_CATEG_BA: 1795 switch (action) { 1796 case IEEE80211_ACTION_ADDBA_REQ: 1797 m = ieee80211_get_addba_req(ic, ni, arg & 0xffff); 1798 break; 1799 case IEEE80211_ACTION_ADDBA_RESP: 1800 m = ieee80211_get_addba_resp(ic, ni, arg & 0xff, 1801 arg >> 8, arg >> 16); 1802 break; 1803 case IEEE80211_ACTION_DELBA: 1804 m = ieee80211_get_delba(ic, ni, arg & 0xff, arg >> 8, 1805 arg >> 16); 1806 break; 1807 } 1808 break; 1809 case IEEE80211_CATEG_SA_QUERY: 1810 switch (action) { 1811 #ifndef IEEE80211_STA_ONLY 1812 case IEEE80211_ACTION_SA_QUERY_REQ: 1813 #endif 1814 case IEEE80211_ACTION_SA_QUERY_RESP: 1815 m = ieee80211_get_sa_query(ic, ni, action); 1816 break; 1817 } 1818 break; 1819 } 1820 return m; 1821 } 1822 1823 /* 1824 * Send a management frame. The node is for the destination (or ic_bss 1825 * when in station mode). Nodes other than ic_bss have their reference 1826 * count bumped to reflect our use for an indeterminant time. 1827 */ 1828 int 1829 ieee80211_send_mgmt(struct ieee80211com *ic, struct ieee80211_node *ni, 1830 int type, int arg1, int arg2) 1831 { 1832 #define senderr(_x, _v) do { ic->ic_stats._v++; ret = _x; goto bad; } while (0) 1833 struct ifnet *ifp = &ic->ic_if; 1834 struct mbuf *m; 1835 int ret, timer; 1836 1837 if (ni == NULL) 1838 panic("null node"); 1839 1840 /* 1841 * Hold a reference on the node so it doesn't go away until after 1842 * the xmit is complete all the way in the driver. On error we 1843 * will remove our reference. 1844 */ 1845 ieee80211_ref_node(ni); 1846 timer = 0; 1847 switch (type) { 1848 case IEEE80211_FC0_SUBTYPE_PROBE_REQ: 1849 if ((m = ieee80211_get_probe_req(ic, ni)) == NULL) 1850 senderr(ENOMEM, is_tx_nombuf); 1851 1852 timer = IEEE80211_TRANS_WAIT; 1853 break; 1854 #ifndef IEEE80211_STA_ONLY 1855 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 1856 if ((m = ieee80211_get_probe_resp(ic)) == NULL) 1857 senderr(ENOMEM, is_tx_nombuf); 1858 break; 1859 #endif 1860 case IEEE80211_FC0_SUBTYPE_AUTH: 1861 m = ieee80211_get_auth(ic, ni, arg1 >> 16, arg1 & 0xffff); 1862 if (m == NULL) 1863 senderr(ENOMEM, is_tx_nombuf); 1864 1865 if (ic->ic_opmode == IEEE80211_M_STA) 1866 timer = IEEE80211_TRANS_WAIT; 1867 break; 1868 1869 case IEEE80211_FC0_SUBTYPE_DEAUTH: 1870 if ((m = ieee80211_get_deauth(ic, ni, arg1)) == NULL) 1871 senderr(ENOMEM, is_tx_nombuf); 1872 #ifndef IEEE80211_STA_ONLY 1873 if ((ifp->if_flags & IFF_DEBUG) && 1874 (ic->ic_opmode == IEEE80211_M_HOSTAP || 1875 ic->ic_opmode == IEEE80211_M_IBSS)) 1876 printf("%s: station %s deauthenticate (reason %d)\n", 1877 ifp->if_xname, ether_sprintf(ni->ni_macaddr), 1878 arg1); 1879 #endif 1880 break; 1881 1882 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 1883 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: 1884 if ((m = ieee80211_get_assoc_req(ic, ni, type)) == NULL) 1885 senderr(ENOMEM, is_tx_nombuf); 1886 1887 timer = IEEE80211_TRANS_WAIT; 1888 break; 1889 #ifndef IEEE80211_STA_ONLY 1890 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 1891 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 1892 if ((m = ieee80211_get_assoc_resp(ic, ni, arg1)) == NULL) 1893 senderr(ENOMEM, is_tx_nombuf); 1894 break; 1895 #endif 1896 case IEEE80211_FC0_SUBTYPE_DISASSOC: 1897 if ((m = ieee80211_get_disassoc(ic, ni, arg1)) == NULL) 1898 senderr(ENOMEM, is_tx_nombuf); 1899 #ifndef IEEE80211_STA_ONLY 1900 if ((ifp->if_flags & IFF_DEBUG) && 1901 (ic->ic_opmode == IEEE80211_M_HOSTAP || 1902 ic->ic_opmode == IEEE80211_M_IBSS)) 1903 printf("%s: station %s disassociate (reason %d)\n", 1904 ifp->if_xname, ether_sprintf(ni->ni_macaddr), 1905 arg1); 1906 #endif 1907 break; 1908 1909 case IEEE80211_FC0_SUBTYPE_ACTION: 1910 m = ieee80211_get_action(ic, ni, arg1 >> 16, arg1 & 0xffff, 1911 arg2); 1912 if (m == NULL) 1913 senderr(ENOMEM, is_tx_nombuf); 1914 break; 1915 1916 default: 1917 DPRINTF(("invalid mgmt frame type %u\n", type)); 1918 senderr(EINVAL, is_tx_unknownmgt); 1919 /* NOTREACHED */ 1920 } 1921 1922 ret = ieee80211_mgmt_output(ifp, ni, m, type); 1923 if (ret == 0) { 1924 if (timer) 1925 ic->ic_mgt_timer = timer; 1926 } else { 1927 bad: 1928 ieee80211_release_node(ic, ni); 1929 } 1930 return ret; 1931 #undef senderr 1932 } 1933 1934 /* 1935 * Build a RTS (Request To Send) control frame (see 7.2.1.1). 1936 */ 1937 struct mbuf * 1938 ieee80211_get_rts(struct ieee80211com *ic, const struct ieee80211_frame *wh, 1939 u_int16_t dur) 1940 { 1941 struct ieee80211_frame_rts *rts; 1942 struct mbuf *m; 1943 1944 MGETHDR(m, M_DONTWAIT, MT_DATA); 1945 if (m == NULL) 1946 return NULL; 1947 1948 m->m_pkthdr.len = m->m_len = sizeof(struct ieee80211_frame_rts); 1949 1950 rts = mtod(m, struct ieee80211_frame_rts *); 1951 rts->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_CTL | 1952 IEEE80211_FC0_SUBTYPE_RTS; 1953 rts->i_fc[1] = IEEE80211_FC1_DIR_NODS; 1954 *(u_int16_t *)rts->i_dur = htole16(dur); 1955 IEEE80211_ADDR_COPY(rts->i_ra, wh->i_addr1); 1956 IEEE80211_ADDR_COPY(rts->i_ta, wh->i_addr2); 1957 1958 return m; 1959 } 1960 1961 /* 1962 * Build a CTS-to-self (Clear To Send) control frame (see 7.2.1.2). 1963 */ 1964 struct mbuf * 1965 ieee80211_get_cts_to_self(struct ieee80211com *ic, u_int16_t dur) 1966 { 1967 struct ieee80211_frame_cts *cts; 1968 struct mbuf *m; 1969 1970 MGETHDR(m, M_DONTWAIT, MT_DATA); 1971 if (m == NULL) 1972 return NULL; 1973 1974 m->m_pkthdr.len = m->m_len = sizeof(struct ieee80211_frame_cts); 1975 1976 cts = mtod(m, struct ieee80211_frame_cts *); 1977 cts->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_CTL | 1978 IEEE80211_FC0_SUBTYPE_CTS; 1979 cts->i_fc[1] = IEEE80211_FC1_DIR_NODS; 1980 *(u_int16_t *)cts->i_dur = htole16(dur); 1981 IEEE80211_ADDR_COPY(cts->i_ra, ic->ic_myaddr); 1982 1983 return m; 1984 } 1985 1986 /* 1987 * Build a compressed Block Ack Request control frame. 1988 */ 1989 struct mbuf * 1990 ieee80211_get_compressed_bar(struct ieee80211com *ic, 1991 struct ieee80211_node *ni, int tid, uint16_t ssn) 1992 { 1993 struct ieee80211_frame_min *wh; 1994 uint8_t *frm; 1995 uint16_t ctl; 1996 struct mbuf *m; 1997 1998 MGETHDR(m, M_DONTWAIT, MT_DATA); 1999 if (m == NULL) 2000 return NULL; 2001 2002 m->m_pkthdr.len = m->m_len = sizeof(struct ieee80211_frame_min) + 2003 sizeof(ctl) + sizeof(ssn); 2004 2005 wh = mtod(m, struct ieee80211_frame_min *); 2006 wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_CTL | 2007 IEEE80211_FC0_SUBTYPE_BAR; 2008 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS; 2009 *(u_int16_t *)wh->i_dur = 0; 2010 IEEE80211_ADDR_COPY(wh->i_addr1, ni->ni_macaddr); 2011 IEEE80211_ADDR_COPY(wh->i_addr2, ic->ic_myaddr); 2012 frm = (uint8_t *)&wh[1]; 2013 2014 ctl = IEEE80211_BA_COMPRESSED | (tid << IEEE80211_BA_TID_INFO_SHIFT); 2015 LE_WRITE_2(frm, ctl); 2016 frm += 2; 2017 2018 LE_WRITE_2(frm, ssn << IEEE80211_SEQ_SEQ_SHIFT); 2019 frm += 2; 2020 2021 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *); 2022 m->m_pkthdr.ph_cookie = ni; 2023 2024 return m; 2025 } 2026 2027 #ifndef IEEE80211_STA_ONLY 2028 /*- 2029 * Beacon frame format: 2030 * [8] Timestamp 2031 * [2] Beacon interval 2032 * [2] Capability 2033 * [tlv] Service Set Identifier (SSID) 2034 * [tlv] Supported rates 2035 * [tlv] DS Parameter Set (802.11g) 2036 * [tlv] IBSS Parameter Set 2037 * [tlv] Traffic Indication Map (TIM) 2038 * [tlv] ERP Information (802.11g) 2039 * [tlv] Extended Supported Rates (802.11g) 2040 * [tlv] RSN (802.11i) 2041 * [tlv] EDCA Parameter Set (802.11e) 2042 * [tlv] HT Capabilities (802.11n) 2043 * [tlv] HT Operation (802.11n) 2044 */ 2045 struct mbuf * 2046 ieee80211_beacon_alloc(struct ieee80211com *ic, struct ieee80211_node *ni) 2047 { 2048 const struct ieee80211_rateset *rs = &ni->ni_rates; 2049 struct ieee80211_frame *wh; 2050 struct mbuf *m; 2051 u_int8_t *frm; 2052 2053 m = ieee80211_getmgmt(M_DONTWAIT, MT_DATA, 2054 8 + 2 + 2 + 2055 2 + ((ic->ic_userflags & IEEE80211_F_HIDENWID) ? 2056 0 : ni->ni_esslen) + 2057 2 + min(rs->rs_nrates, IEEE80211_RATE_SIZE) + 2058 2 + 1 + 2059 2 + ((ic->ic_opmode == IEEE80211_M_IBSS) ? 2 : 254) + 2060 ((ic->ic_curmode == IEEE80211_MODE_11G) ? 2 + 1 : 0) + 2061 ((rs->rs_nrates > IEEE80211_RATE_SIZE) ? 2062 2 + rs->rs_nrates - IEEE80211_RATE_SIZE : 0) + 2063 (((ic->ic_flags & IEEE80211_F_RSNON) && 2064 (ni->ni_rsnprotos & IEEE80211_PROTO_RSN)) ? 2065 2 + IEEE80211_RSNIE_MAXLEN : 0) + 2066 ((ic->ic_flags & IEEE80211_F_QOS) ? 2 + 18 : 0) + 2067 (((ic->ic_flags & IEEE80211_F_RSNON) && 2068 (ni->ni_rsnprotos & IEEE80211_PROTO_WPA)) ? 2069 2 + IEEE80211_WPAIE_MAXLEN : 0) + 2070 ((ic->ic_flags & IEEE80211_F_HTON) ? 28 + 24 + 26 : 0)); 2071 if (m == NULL) 2072 return NULL; 2073 2074 M_PREPEND(m, sizeof(struct ieee80211_frame), M_DONTWAIT); 2075 if (m == NULL) 2076 return NULL; 2077 wh = mtod(m, struct ieee80211_frame *); 2078 wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_MGT | 2079 IEEE80211_FC0_SUBTYPE_BEACON; 2080 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS; 2081 *(u_int16_t *)wh->i_dur = 0; 2082 IEEE80211_ADDR_COPY(wh->i_addr1, etherbroadcastaddr); 2083 IEEE80211_ADDR_COPY(wh->i_addr2, ic->ic_myaddr); 2084 IEEE80211_ADDR_COPY(wh->i_addr3, ni->ni_bssid); 2085 *(u_int16_t *)wh->i_seq = 0; 2086 2087 frm = (u_int8_t *)&wh[1]; 2088 memset(frm, 0, 8); frm += 8; /* timestamp is set by hardware */ 2089 LE_WRITE_2(frm, ni->ni_intval); frm += 2; 2090 frm = ieee80211_add_capinfo(frm, ic, ni); 2091 if (ic->ic_userflags & IEEE80211_F_HIDENWID) 2092 frm = ieee80211_add_ssid(frm, NULL, 0); 2093 else 2094 frm = ieee80211_add_ssid(frm, ni->ni_essid, ni->ni_esslen); 2095 frm = ieee80211_add_rates(frm, rs); 2096 frm = ieee80211_add_ds_params(frm, ic, ni); 2097 if (ic->ic_opmode == IEEE80211_M_IBSS) 2098 frm = ieee80211_add_ibss_params(frm, ni); 2099 else 2100 frm = ieee80211_add_tim(frm, ic); 2101 if (ic->ic_curmode == IEEE80211_MODE_11G) 2102 frm = ieee80211_add_erp(frm, ic); 2103 if (rs->rs_nrates > IEEE80211_RATE_SIZE) 2104 frm = ieee80211_add_xrates(frm, rs); 2105 if ((ic->ic_flags & IEEE80211_F_RSNON) && 2106 (ni->ni_rsnprotos & IEEE80211_PROTO_RSN)) 2107 frm = ieee80211_add_rsn(frm, ic, ni); 2108 if (ic->ic_flags & IEEE80211_F_QOS) 2109 frm = ieee80211_add_edca_params(frm, ic); 2110 if ((ic->ic_flags & IEEE80211_F_RSNON) && 2111 (ni->ni_rsnprotos & IEEE80211_PROTO_WPA)) 2112 frm = ieee80211_add_wpa(frm, ic, ni); 2113 if (ic->ic_flags & IEEE80211_F_HTON) { 2114 frm = ieee80211_add_htcaps(frm, ic); 2115 frm = ieee80211_add_htop(frm, ic); 2116 frm = ieee80211_add_wme_param(frm, ic); 2117 } 2118 2119 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *); 2120 m->m_pkthdr.ph_cookie = ni; 2121 2122 return m; 2123 } 2124 2125 /* 2126 * Check if an outgoing MSDU or management frame should be buffered into 2127 * the AP for power management. Return 1 if the frame was buffered into 2128 * the AP, or 0 if the frame shall be transmitted immediately. 2129 */ 2130 int 2131 ieee80211_pwrsave(struct ieee80211com *ic, struct mbuf *m, 2132 struct ieee80211_node *ni) 2133 { 2134 const struct ieee80211_frame *wh; 2135 int pssta = 0; 2136 2137 KASSERT(ic->ic_opmode == IEEE80211_M_HOSTAP); 2138 if (!(ic->ic_caps & IEEE80211_C_APPMGT)) 2139 return 0; 2140 2141 wh = mtod(m, struct ieee80211_frame *); 2142 if (IEEE80211_IS_MULTICAST(wh->i_addr1)) { 2143 /* 2144 * Buffer group addressed MSDUs with the Order bit clear 2145 * if any associated STAs are in PS mode. 2146 */ 2147 ieee80211_iterate_nodes(ic, ieee80211_count_pssta, &pssta); 2148 if ((wh->i_fc[1] & IEEE80211_FC1_ORDER) || pssta == 0) 2149 return 0; 2150 ic->ic_tim_mcast_pending = 1; 2151 } else { 2152 /* 2153 * Buffer MSDUs, A-MSDUs or management frames destined for 2154 * PS STAs. 2155 */ 2156 if (ni->ni_pwrsave == IEEE80211_PS_AWAKE || 2157 (wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK) == 2158 IEEE80211_FC0_TYPE_CTL) 2159 return 0; 2160 if (mq_empty(&ni->ni_savedq)) 2161 (*ic->ic_set_tim)(ic, ni->ni_associd, 1); 2162 } 2163 /* NB: ni == ic->ic_bss for broadcast/multicast */ 2164 /* 2165 * Similar to ieee80211_mgmt_output, store the node in a 2166 * special pkthdr field. 2167 */ 2168 m->m_pkthdr.ph_cookie = ni; 2169 mq_enqueue(&ni->ni_savedq, m); 2170 return 1; 2171 } 2172 #endif /* IEEE80211_STA_ONLY */ 2173