ieee80211_output.c revision 1.59
1 /* $NetBSD: ieee80211_output.c,v 1.59 2017/09/26 07:42:06 knakahara Exp $ */ 2 /*- 3 * Copyright (c) 2001 Atsushi Onoe 4 * Copyright (c) 2002-2005 Sam Leffler, Errno Consulting 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. The name of the author may not be used to endorse or promote products 16 * derived from this software without specific prior written permission. 17 * 18 * Alternatively, this software may be distributed under the terms of the 19 * GNU General Public License ("GPL") version 2 as published by the Free 20 * Software Foundation. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 23 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 24 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 25 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 26 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 27 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 28 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 29 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 30 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 31 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 32 */ 33 34 #include <sys/cdefs.h> 35 #ifdef __FreeBSD__ 36 __FBSDID("$FreeBSD: src/sys/net80211/ieee80211_output.c,v 1.34 2005/08/10 16:22:29 sam Exp $"); 37 #endif 38 #ifdef __NetBSD__ 39 __KERNEL_RCSID(0, "$NetBSD: ieee80211_output.c,v 1.59 2017/09/26 07:42:06 knakahara Exp $"); 40 #endif 41 42 #ifdef _KERNEL_OPT 43 #include "opt_inet.h" 44 #endif 45 46 #ifdef __NetBSD__ 47 #endif /* __NetBSD__ */ 48 49 #include <sys/param.h> 50 #include <sys/systm.h> 51 #include <sys/mbuf.h> 52 #include <sys/kernel.h> 53 #include <sys/endian.h> 54 #include <sys/errno.h> 55 #include <sys/proc.h> 56 #include <sys/sysctl.h> 57 58 #include <net/if.h> 59 #include <net/if_llc.h> 60 #include <net/if_media.h> 61 #include <net/if_arp.h> 62 #include <net/if_ether.h> 63 #include <net/if_llc.h> 64 #include <net/if_vlanvar.h> 65 66 #include <net80211/ieee80211_netbsd.h> 67 #include <net80211/ieee80211_var.h> 68 69 #include <net/bpf.h> 70 71 #ifdef INET 72 #include <netinet/in.h> 73 #include <netinet/in_systm.h> 74 #include <netinet/in_var.h> 75 #include <netinet/ip.h> 76 #include <net/if_ether.h> 77 #endif 78 79 static int ieee80211_fragment(struct ieee80211com *, struct mbuf *, 80 u_int hdrsize, u_int ciphdrsize, u_int mtu); 81 82 #ifdef IEEE80211_DEBUG 83 /* 84 * Decide if an outbound management frame should be 85 * printed when debugging is enabled. This filters some 86 * of the less interesting frames that come frequently 87 * (e.g. beacons). 88 */ 89 static __inline int 90 doprint(struct ieee80211com *ic, int subtype) 91 { 92 switch (subtype) { 93 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 94 return (ic->ic_opmode == IEEE80211_M_IBSS); 95 } 96 return 1; 97 } 98 #endif 99 100 /* 101 * Set the direction field and address fields of an outgoing 102 * non-QoS frame. Note this should be called early on in 103 * constructing a frame as it sets i_fc[1]; other bits can 104 * then be or'd in. 105 */ 106 static void 107 ieee80211_send_setup(struct ieee80211com *ic, 108 struct ieee80211_node *ni, 109 struct ieee80211_frame *wh, 110 int type, 111 const u_int8_t sa[IEEE80211_ADDR_LEN], 112 const u_int8_t da[IEEE80211_ADDR_LEN], 113 const u_int8_t bssid[IEEE80211_ADDR_LEN]) 114 { 115 #define WH4(wh) ((struct ieee80211_frame_addr4 *)wh) 116 117 wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | type; 118 if ((type & IEEE80211_FC0_TYPE_MASK) == IEEE80211_FC0_TYPE_DATA) { 119 switch (ic->ic_opmode) { 120 case IEEE80211_M_STA: 121 wh->i_fc[1] = IEEE80211_FC1_DIR_TODS; 122 IEEE80211_ADDR_COPY(wh->i_addr1, bssid); 123 IEEE80211_ADDR_COPY(wh->i_addr2, sa); 124 IEEE80211_ADDR_COPY(wh->i_addr3, da); 125 break; 126 case IEEE80211_M_IBSS: 127 case IEEE80211_M_AHDEMO: 128 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS; 129 IEEE80211_ADDR_COPY(wh->i_addr1, da); 130 IEEE80211_ADDR_COPY(wh->i_addr2, sa); 131 IEEE80211_ADDR_COPY(wh->i_addr3, bssid); 132 break; 133 case IEEE80211_M_HOSTAP: 134 wh->i_fc[1] = IEEE80211_FC1_DIR_FROMDS; 135 IEEE80211_ADDR_COPY(wh->i_addr1, da); 136 IEEE80211_ADDR_COPY(wh->i_addr2, bssid); 137 IEEE80211_ADDR_COPY(wh->i_addr3, sa); 138 break; 139 case IEEE80211_M_MONITOR: /* NB: to quiet compiler */ 140 break; 141 } 142 } else { 143 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS; 144 IEEE80211_ADDR_COPY(wh->i_addr1, da); 145 IEEE80211_ADDR_COPY(wh->i_addr2, sa); 146 IEEE80211_ADDR_COPY(wh->i_addr3, bssid); 147 } 148 *(u_int16_t *)&wh->i_dur[0] = 0; 149 /* NB: use non-QoS tid */ 150 *(u_int16_t *)&wh->i_seq[0] = 151 htole16(ni->ni_txseqs[0] << IEEE80211_SEQ_SEQ_SHIFT); 152 ni->ni_txseqs[0]++; 153 #undef WH4 154 } 155 156 /* 157 * Send a management frame to the specified node. The node pointer 158 * must have a reference as the pointer will be passed to the driver 159 * and potentially held for a long time. If the frame is successfully 160 * dispatched to the driver, then it is responsible for freeing the 161 * reference (and potentially free'ing up any associated storage). 162 */ 163 static int 164 ieee80211_mgmt_output(struct ieee80211com *ic, struct ieee80211_node *ni, 165 struct mbuf *m, int type, int timer) 166 { 167 struct ifnet *ifp = ic->ic_ifp; 168 struct ieee80211_frame *wh; 169 170 IASSERT(ni != NULL, ("null node")); 171 172 /* 173 * Yech, hack alert! We want to pass the node down to the 174 * driver's start routine. If we don't do so then the start 175 * routine must immediately look it up again and that can 176 * cause a lock order reversal if, for example, this frame 177 * is being sent because the station is being timedout and 178 * the frame being sent is a DEAUTH message. We could stick 179 * this in an m_tag and tack that on to the mbuf. However 180 * that's rather expensive to do for every frame so instead 181 * we stuff it in the rcvif field since outbound frames do 182 * not (presently) use this. 183 */ 184 M_PREPEND(m, sizeof(struct ieee80211_frame), M_DONTWAIT); 185 if (m == NULL) 186 return ENOMEM; 187 M_SETCTX(m, ni); 188 189 wh = mtod(m, struct ieee80211_frame *); 190 ieee80211_send_setup(ic, ni, wh, 191 IEEE80211_FC0_TYPE_MGT | type, 192 ic->ic_myaddr, ni->ni_macaddr, ni->ni_bssid); 193 if ((m->m_flags & M_LINK0) != 0 && ni->ni_challenge != NULL) { 194 m->m_flags &= ~M_LINK0; 195 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 196 "[%s] encrypting frame (%s)\n", 197 ether_sprintf(wh->i_addr1), __func__); 198 wh->i_fc[1] |= IEEE80211_FC1_WEP; 199 } 200 #ifdef IEEE80211_DEBUG 201 /* avoid printing too many frames */ 202 if ((ieee80211_msg_debug(ic) && doprint(ic, type)) || 203 ieee80211_msg_dumppkts(ic)) { 204 printf("[%s] send %s on channel %u\n", 205 ether_sprintf(wh->i_addr1), 206 ieee80211_mgt_subtype_name[ 207 (type & IEEE80211_FC0_SUBTYPE_MASK) >> 208 IEEE80211_FC0_SUBTYPE_SHIFT], 209 ieee80211_chan2ieee(ic, ic->ic_curchan)); 210 } 211 #endif 212 IEEE80211_NODE_STAT(ni, tx_mgmt); 213 IF_ENQUEUE(&ic->ic_mgtq, m); 214 if (timer) { 215 /* 216 * Set the mgt frame timeout. 217 */ 218 ic->ic_mgt_timer = timer; 219 ifp->if_timer = 1; 220 } 221 if_start_lock(ifp); 222 return 0; 223 } 224 225 /* 226 * Send a null data frame to the specified node. 227 * 228 * NB: the caller is assumed to have setup a node reference 229 * for use; this is necessary to deal with a race condition 230 * when probing for inactive stations. 231 */ 232 int 233 ieee80211_send_nulldata(struct ieee80211_node *ni) 234 { 235 struct ieee80211com *ic = ni->ni_ic; 236 struct ifnet *ifp = ic->ic_ifp; 237 struct mbuf *m; 238 struct ieee80211_frame *wh; 239 240 MGETHDR(m, M_NOWAIT, MT_HEADER); 241 if (m == NULL) { 242 /* XXX debug msg */ 243 ic->ic_stats.is_tx_nobuf++; 244 ieee80211_unref_node(&ni); 245 return ENOMEM; 246 } 247 M_SETCTX(m, ni); 248 249 wh = mtod(m, struct ieee80211_frame *); 250 ieee80211_send_setup(ic, ni, wh, 251 IEEE80211_FC0_TYPE_DATA | IEEE80211_FC0_SUBTYPE_NODATA, 252 ic->ic_myaddr, ni->ni_macaddr, ni->ni_bssid); 253 /* NB: power management bit is never sent by an AP */ 254 if ((ni->ni_flags & IEEE80211_NODE_PWR_MGT) && 255 ic->ic_opmode != IEEE80211_M_HOSTAP) 256 wh->i_fc[1] |= IEEE80211_FC1_PWR_MGT; 257 m->m_len = m->m_pkthdr.len = sizeof(struct ieee80211_frame); 258 259 IEEE80211_NODE_STAT(ni, tx_data); 260 261 IEEE80211_DPRINTF(ic, IEEE80211_MSG_DEBUG | IEEE80211_MSG_DUMPPKTS, 262 "[%s] send null data frame on channel %u, pwr mgt %s\n", 263 ether_sprintf(ni->ni_macaddr), 264 ieee80211_chan2ieee(ic, ic->ic_curchan), 265 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT ? "ena" : "dis"); 266 267 IF_ENQUEUE(&ic->ic_mgtq, m); /* cheat */ 268 if_start_lock(ifp); 269 270 return 0; 271 } 272 273 /* 274 * Assign priority to a frame based on any vlan tag assigned 275 * to the station and/or any Diffserv setting in an IP header. 276 * Finally, if an ACM policy is setup (in station mode) it's 277 * applied. 278 */ 279 int 280 ieee80211_classify(struct ieee80211com *ic, struct mbuf *m, struct ieee80211_node *ni) 281 { 282 int v_wme_ac, d_wme_ac, ac; 283 #ifdef INET 284 struct ether_header *eh; 285 #endif 286 287 if ((ni->ni_flags & IEEE80211_NODE_QOS) == 0) { 288 ac = WME_AC_BE; 289 goto done; 290 } 291 292 /* 293 * If node has a vlan tag then all traffic 294 * to it must have a matching tag. 295 */ 296 v_wme_ac = 0; 297 if (ni->ni_vlan != 0) { 298 /* XXX used to check ec_nvlans. */ 299 if (!vlan_has_tag(m)) { 300 IEEE80211_NODE_STAT(ni, tx_novlantag); 301 return 1; 302 } 303 if (EVL_VLANOFTAG(vlan_get_tag(m)) != 304 EVL_VLANOFTAG(ni->ni_vlan)) { 305 IEEE80211_NODE_STAT(ni, tx_vlanmismatch); 306 return 1; 307 } 308 /* map vlan priority to AC */ 309 switch (EVL_PRIOFTAG(ni->ni_vlan)) { 310 case 1: 311 case 2: 312 v_wme_ac = WME_AC_BK; 313 break; 314 case 0: 315 case 3: 316 v_wme_ac = WME_AC_BE; 317 break; 318 case 4: 319 case 5: 320 v_wme_ac = WME_AC_VI; 321 break; 322 case 6: 323 case 7: 324 v_wme_ac = WME_AC_VO; 325 break; 326 } 327 } 328 329 #ifdef INET 330 eh = mtod(m, struct ether_header *); 331 if (eh->ether_type == htons(ETHERTYPE_IP)) { 332 const struct ip *ip = (struct ip *) 333 (mtod(m, u_int8_t *) + sizeof (*eh)); 334 /* 335 * IP frame, map the TOS field. 336 */ 337 switch (ip->ip_tos) { 338 case 0x08: 339 case 0x20: 340 d_wme_ac = WME_AC_BK; /* background */ 341 break; 342 case 0x28: 343 case 0xa0: 344 d_wme_ac = WME_AC_VI; /* video */ 345 break; 346 case 0x30: /* voice */ 347 case 0xe0: 348 case 0x88: /* XXX UPSD */ 349 case 0xb8: 350 d_wme_ac = WME_AC_VO; 351 break; 352 default: 353 d_wme_ac = WME_AC_BE; 354 break; 355 } 356 } else { 357 #endif /* INET */ 358 d_wme_ac = WME_AC_BE; 359 #ifdef INET 360 } 361 #endif 362 /* 363 * Use highest priority AC. 364 */ 365 if (v_wme_ac > d_wme_ac) 366 ac = v_wme_ac; 367 else 368 ac = d_wme_ac; 369 370 /* 371 * Apply ACM policy. 372 */ 373 if (ic->ic_opmode == IEEE80211_M_STA) { 374 static const int acmap[4] = { 375 WME_AC_BK, /* WME_AC_BE */ 376 WME_AC_BK, /* WME_AC_BK */ 377 WME_AC_BE, /* WME_AC_VI */ 378 WME_AC_VI, /* WME_AC_VO */ 379 }; 380 while (ac != WME_AC_BK && 381 ic->ic_wme.wme_wmeBssChanParams.cap_wmeParams[ac].wmep_acm) 382 ac = acmap[ac]; 383 } 384 done: 385 M_WME_SETAC(m, ac); 386 return 0; 387 } 388 389 /* 390 * Insure there is sufficient contiguous space to encapsulate the 391 * 802.11 data frame. If room isn't already there, arrange for it. 392 * Drivers and cipher modules assume we have done the necessary work 393 * and fail rudely if they don't find the space they need. 394 */ 395 static struct mbuf * 396 ieee80211_mbuf_adjust(struct ieee80211com *ic, int hdrsize, 397 struct ieee80211_key *key, struct mbuf *m) 398 { 399 #define TO_BE_RECLAIMED (sizeof(struct ether_header) - sizeof(struct llc)) 400 int needed_space = hdrsize; 401 int wlen = 0; 402 403 if (key != NULL) { 404 /* XXX belongs in crypto code? */ 405 needed_space += key->wk_cipher->ic_header; 406 /* XXX frags */ 407 } 408 /* 409 * We know we are called just before stripping an Ethernet 410 * header and prepending an LLC header. This means we know 411 * there will be 412 * sizeof(struct ether_header) - sizeof(struct llc) 413 * bytes recovered to which we need additional space for the 414 * 802.11 header and any crypto header. 415 */ 416 /* XXX check trailing space and copy instead? */ 417 if (M_LEADINGSPACE(m) < needed_space - TO_BE_RECLAIMED) { 418 struct mbuf *n = m_gethdr(M_NOWAIT, m->m_type); 419 if (n == NULL) { 420 IEEE80211_DPRINTF(ic, IEEE80211_MSG_OUTPUT, 421 "%s: cannot expand storage\n", __func__); 422 ic->ic_stats.is_tx_nobuf++; 423 m_freem(m); 424 return NULL; 425 } 426 IASSERT(needed_space <= MHLEN, 427 ("not enough room, need %u got %zu\n", needed_space, MHLEN)); 428 /* 429 * Setup new mbuf to have leading space to prepend the 430 * 802.11 header and any crypto header bits that are 431 * required (the latter are added when the driver calls 432 * back to ieee80211_crypto_encap to do crypto encapsulation). 433 */ 434 /* NB: must be first 'cuz it clobbers m_data */ 435 M_MOVE_PKTHDR(n, m); 436 n->m_len = 0; /* NB: m_gethdr does not set */ 437 n->m_data += needed_space; 438 /* 439 * Pull up Ethernet header to create the expected layout. 440 * We could use m_pullup but that's overkill (i.e. we don't 441 * need the actual data) and it cannot fail so do it inline 442 * for speed. 443 */ 444 /* NB: struct ether_header is known to be contiguous */ 445 n->m_len += sizeof(struct ether_header); 446 m->m_len -= sizeof(struct ether_header); 447 m->m_data += sizeof(struct ether_header); 448 /* 449 * Replace the head of the chain. 450 */ 451 n->m_next = m; 452 m = n; 453 } else { 454 /* We will overwrite the ethernet header in the 455 * 802.11 encapsulation stage. Make sure that it 456 * is writable. 457 */ 458 wlen = sizeof(struct ether_header); 459 } 460 461 /* 462 * If we're going to s/w encrypt the mbuf chain make sure it is 463 * writable. 464 */ 465 if (key != NULL && (key->wk_flags & IEEE80211_KEY_SWCRYPT) != 0) 466 wlen = M_COPYALL; 467 468 if (wlen != 0 && m_makewritable(&m, 0, wlen, M_DONTWAIT) != 0) { 469 m_freem(m); 470 return NULL; 471 } 472 return m; 473 #undef TO_BE_RECLAIMED 474 } 475 476 /* 477 * Return the transmit key to use in sending a unicast frame. 478 * If a unicast key is set we use that. When no unicast key is set 479 * we fall back to the default transmit key. 480 */ 481 static __inline struct ieee80211_key * 482 ieee80211_crypto_getucastkey(struct ieee80211com *ic, struct ieee80211_node *ni) 483 { 484 if (IEEE80211_KEY_UNDEFINED(ni->ni_ucastkey)) { 485 if (ic->ic_def_txkey == IEEE80211_KEYIX_NONE || 486 IEEE80211_KEY_UNDEFINED(ic->ic_nw_keys[ic->ic_def_txkey])) 487 return NULL; 488 return &ic->ic_nw_keys[ic->ic_def_txkey]; 489 } else { 490 return &ni->ni_ucastkey; 491 } 492 } 493 494 /* 495 * Return the transmit key to use in sending a multicast frame. 496 * Multicast traffic always uses the group key which is installed as 497 * the default tx key. 498 */ 499 static __inline struct ieee80211_key * 500 ieee80211_crypto_getmcastkey(struct ieee80211com *ic, 501 struct ieee80211_node *ni) 502 { 503 if (ic->ic_def_txkey == IEEE80211_KEYIX_NONE || 504 IEEE80211_KEY_UNDEFINED(ic->ic_nw_keys[ic->ic_def_txkey])) 505 return NULL; 506 return &ic->ic_nw_keys[ic->ic_def_txkey]; 507 } 508 509 /* 510 * Encapsulate an outbound data frame. The mbuf chain is updated. 511 * If an error is encountered NULL is returned. The caller is required 512 * to provide a node reference and pullup the ethernet header in the 513 * first mbuf. 514 */ 515 struct mbuf * 516 ieee80211_encap(struct ieee80211com *ic, struct mbuf *m, 517 struct ieee80211_node *ni) 518 { 519 struct ether_header eh; 520 struct ieee80211_frame *wh; 521 struct ieee80211_key *key; 522 struct llc *llc; 523 int hdrsize, datalen, addqos, txfrag; 524 525 IASSERT(m->m_len >= sizeof(eh), ("no ethernet header!")); 526 memcpy(&eh, mtod(m, void *), sizeof(struct ether_header)); 527 528 /* 529 * Insure space for additional headers. First identify 530 * transmit key to use in calculating any buffer adjustments 531 * required. This is also used below to do privacy 532 * encapsulation work. Then calculate the 802.11 header 533 * size and any padding required by the driver. 534 * 535 * Note key may be NULL if we fall back to the default 536 * transmit key and that is not set. In that case the 537 * buffer may not be expanded as needed by the cipher 538 * routines, but they will/should discard it. 539 */ 540 if (ic->ic_flags & IEEE80211_F_PRIVACY) { 541 if (ic->ic_opmode == IEEE80211_M_STA || 542 !IEEE80211_IS_MULTICAST(eh.ether_dhost)) 543 key = ieee80211_crypto_getucastkey(ic, ni); 544 else 545 key = ieee80211_crypto_getmcastkey(ic, ni); 546 if (key == NULL && eh.ether_type != htons(ETHERTYPE_PAE)) { 547 IEEE80211_DPRINTF(ic, IEEE80211_MSG_CRYPTO, 548 "[%s] no default transmit key (%s) deftxkey %u\n", 549 ether_sprintf(eh.ether_dhost), __func__, 550 ic->ic_def_txkey); 551 ic->ic_stats.is_tx_nodefkey++; 552 } 553 } else 554 key = NULL; 555 /* XXX 4-address format */ 556 /* 557 * XXX Some ap's don't handle QoS-encapsulated EAPOL 558 * frames so suppress use. This may be an issue if other 559 * ap's require all data frames to be QoS-encapsulated 560 * once negotiated in which case we'll need to make this 561 * configurable. 562 */ 563 addqos = (ni->ni_flags & IEEE80211_NODE_QOS) && 564 eh.ether_type != htons(ETHERTYPE_PAE); 565 if (addqos) 566 hdrsize = sizeof(struct ieee80211_qosframe); 567 else 568 hdrsize = sizeof(struct ieee80211_frame); 569 if (ic->ic_flags & IEEE80211_F_DATAPAD) 570 hdrsize = roundup(hdrsize, sizeof(u_int32_t)); 571 m = ieee80211_mbuf_adjust(ic, hdrsize, key, m); 572 if (m == NULL) { 573 /* NB: ieee80211_mbuf_adjust handles msgs+statistics */ 574 goto bad; 575 } 576 577 /* NB: this could be optimized because of ieee80211_mbuf_adjust */ 578 m_adj(m, sizeof(struct ether_header) - sizeof(struct llc)); 579 llc = mtod(m, struct llc *); 580 llc->llc_dsap = llc->llc_ssap = LLC_SNAP_LSAP; 581 llc->llc_control = LLC_UI; 582 llc->llc_snap.org_code[0] = 0; 583 llc->llc_snap.org_code[1] = 0; 584 llc->llc_snap.org_code[2] = 0; 585 llc->llc_snap.ether_type = eh.ether_type; 586 datalen = m->m_pkthdr.len; /* NB: w/o 802.11 header */ 587 588 M_PREPEND(m, hdrsize, M_DONTWAIT); 589 if (m == NULL) { 590 ic->ic_stats.is_tx_nobuf++; 591 goto bad; 592 } 593 wh = mtod(m, struct ieee80211_frame *); 594 wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_DATA; 595 *(u_int16_t *)wh->i_dur = 0; 596 switch (ic->ic_opmode) { 597 case IEEE80211_M_STA: 598 wh->i_fc[1] = IEEE80211_FC1_DIR_TODS; 599 IEEE80211_ADDR_COPY(wh->i_addr1, ni->ni_bssid); 600 IEEE80211_ADDR_COPY(wh->i_addr2, eh.ether_shost); 601 IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_dhost); 602 break; 603 case IEEE80211_M_IBSS: 604 case IEEE80211_M_AHDEMO: 605 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS; 606 IEEE80211_ADDR_COPY(wh->i_addr1, eh.ether_dhost); 607 IEEE80211_ADDR_COPY(wh->i_addr2, eh.ether_shost); 608 /* 609 * NB: always use the bssid from ic_bss as the 610 * neighbor's may be stale after an ibss merge 611 */ 612 IEEE80211_ADDR_COPY(wh->i_addr3, ic->ic_bss->ni_bssid); 613 break; 614 case IEEE80211_M_HOSTAP: 615 #ifndef IEEE80211_NO_HOSTAP 616 wh->i_fc[1] = IEEE80211_FC1_DIR_FROMDS; 617 IEEE80211_ADDR_COPY(wh->i_addr1, eh.ether_dhost); 618 IEEE80211_ADDR_COPY(wh->i_addr2, ni->ni_bssid); 619 IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_shost); 620 #endif /* !IEEE80211_NO_HOSTAP */ 621 break; 622 case IEEE80211_M_MONITOR: 623 goto bad; 624 } 625 if (m->m_flags & M_MORE_DATA) 626 wh->i_fc[1] |= IEEE80211_FC1_MORE_DATA; 627 if (addqos) { 628 struct ieee80211_qosframe *qwh = 629 (struct ieee80211_qosframe *) wh; 630 int ac, tid; 631 632 ac = M_WME_GETAC(m); 633 /* map from access class/queue to 11e header priorty value */ 634 tid = WME_AC_TO_TID(ac); 635 qwh->i_qos[0] = tid & IEEE80211_QOS_TID; 636 if (ic->ic_wme.wme_wmeChanParams.cap_wmeParams[ac].wmep_noackPolicy) 637 qwh->i_qos[0] |= 1 << IEEE80211_QOS_ACKPOLICY_S; 638 qwh->i_qos[1] = 0; 639 qwh->i_fc[0] |= IEEE80211_FC0_SUBTYPE_QOS; 640 641 *(u_int16_t *)wh->i_seq = 642 htole16(ni->ni_txseqs[tid] << IEEE80211_SEQ_SEQ_SHIFT); 643 ni->ni_txseqs[tid]++; 644 } else { 645 *(u_int16_t *)wh->i_seq = 646 htole16(ni->ni_txseqs[0] << IEEE80211_SEQ_SEQ_SHIFT); 647 ni->ni_txseqs[0]++; 648 } 649 /* check if xmit fragmentation is required */ 650 txfrag = (m->m_pkthdr.len > ic->ic_fragthreshold && 651 !IEEE80211_IS_MULTICAST(wh->i_addr1) && 652 (m->m_flags & M_FF) == 0); /* NB: don't fragment ff's */ 653 if (key != NULL) { 654 /* 655 * IEEE 802.1X: send EAPOL frames always in the clear. 656 * WPA/WPA2: encrypt EAPOL keys when pairwise keys are set. 657 */ 658 if (eh.ether_type != htons(ETHERTYPE_PAE) || 659 ((ic->ic_flags & IEEE80211_F_WPA) && 660 (ic->ic_opmode == IEEE80211_M_STA ? 661 !IEEE80211_KEY_UNDEFINED(*key) : 662 !IEEE80211_KEY_UNDEFINED(ni->ni_ucastkey)))) { 663 wh->i_fc[1] |= IEEE80211_FC1_WEP; 664 if (!ieee80211_crypto_enmic(ic, key, m, txfrag)) { 665 IEEE80211_DPRINTF(ic, IEEE80211_MSG_OUTPUT, 666 "[%s] enmic failed, discard frame\n", 667 ether_sprintf(eh.ether_dhost)); 668 ic->ic_stats.is_crypto_enmicfail++; 669 goto bad; 670 } 671 } 672 } 673 if (txfrag && !ieee80211_fragment(ic, m, hdrsize, 674 key != NULL ? key->wk_cipher->ic_header : 0, ic->ic_fragthreshold)) 675 goto bad; 676 677 IEEE80211_NODE_STAT(ni, tx_data); 678 IEEE80211_NODE_STAT_ADD(ni, tx_bytes, datalen); 679 680 return m; 681 bad: 682 if (m != NULL) 683 m_freem(m); 684 return NULL; 685 } 686 687 /* 688 * Arguments in: 689 * 690 * paylen: payload length (no FCS, no WEP header) 691 * 692 * hdrlen: header length 693 * 694 * rate: MSDU speed, units 500kb/s 695 * 696 * flags: IEEE80211_F_SHPREAMBLE (use short preamble), 697 * IEEE80211_F_SHSLOT (use short slot length) 698 * 699 * Arguments out: 700 * 701 * d: 802.11 Duration field for RTS, 702 * 802.11 Duration field for data frame, 703 * PLCP Length for data frame, 704 * residual octets at end of data slot 705 */ 706 static int 707 ieee80211_compute_duration1(int len, int use_ack, uint32_t icflags, int rate, 708 struct ieee80211_duration *d) 709 { 710 int pre, ctsrate; 711 int ack, bitlen, data_dur, remainder; 712 713 /* RTS reserves medium for SIFS | CTS | SIFS | (DATA) | SIFS | ACK 714 * DATA reserves medium for SIFS | ACK, 715 * 716 * (XXX or SIFS | ACK | SIFS | DATA | SIFS | ACK, if more fragments) 717 * 718 * XXXMYC: no ACK on multicast/broadcast or control packets 719 */ 720 721 bitlen = len * 8; 722 723 pre = IEEE80211_DUR_DS_SIFS; 724 if ((icflags & IEEE80211_F_SHPREAMBLE) != 0) 725 pre += IEEE80211_DUR_DS_SHORT_PREAMBLE + IEEE80211_DUR_DS_FAST_PLCPHDR; 726 else 727 pre += IEEE80211_DUR_DS_LONG_PREAMBLE + IEEE80211_DUR_DS_SLOW_PLCPHDR; 728 729 d->d_residue = 0; 730 data_dur = (bitlen * 2) / rate; 731 remainder = (bitlen * 2) % rate; 732 if (remainder != 0) { 733 d->d_residue = (rate - remainder) / 16; 734 data_dur++; 735 } 736 737 switch (rate) { 738 case 2: /* 1 Mb/s */ 739 case 4: /* 2 Mb/s */ 740 /* 1 - 2 Mb/s WLAN: send ACK/CTS at 1 Mb/s */ 741 ctsrate = 2; 742 break; 743 case 11: /* 5.5 Mb/s */ 744 case 22: /* 11 Mb/s */ 745 case 44: /* 22 Mb/s */ 746 /* 5.5 - 11 Mb/s WLAN: send ACK/CTS at 2 Mb/s */ 747 ctsrate = 4; 748 break; 749 default: 750 /* TBD */ 751 return -1; 752 } 753 754 d->d_plcp_len = data_dur; 755 756 ack = (use_ack) ? pre + (IEEE80211_DUR_DS_SLOW_ACK * 2) / ctsrate : 0; 757 758 d->d_rts_dur = 759 pre + (IEEE80211_DUR_DS_SLOW_CTS * 2) / ctsrate + 760 pre + data_dur + 761 ack; 762 763 d->d_data_dur = ack; 764 765 return 0; 766 } 767 768 /* 769 * Arguments in: 770 * 771 * wh: 802.11 header 772 * 773 * paylen: payload length (no FCS, no WEP header) 774 * 775 * rate: MSDU speed, units 500kb/s 776 * 777 * fraglen: fragment length, set to maximum (or higher) for no 778 * fragmentation 779 * 780 * flags: IEEE80211_F_PRIVACY (hardware adds WEP), 781 * IEEE80211_F_SHPREAMBLE (use short preamble), 782 * IEEE80211_F_SHSLOT (use short slot length) 783 * 784 * Arguments out: 785 * 786 * d0: 802.11 Duration fields (RTS/Data), PLCP Length, Service fields 787 * of first/only fragment 788 * 789 * dn: 802.11 Duration fields (RTS/Data), PLCP Length, Service fields 790 * of last fragment 791 * 792 * ieee80211_compute_duration assumes crypto-encapsulation, if any, 793 * has already taken place. 794 */ 795 int 796 ieee80211_compute_duration(const struct ieee80211_frame_min *wh, 797 const struct ieee80211_key *wk, int len, 798 uint32_t icflags, int fraglen, int rate, struct ieee80211_duration *d0, 799 struct ieee80211_duration *dn, int *npktp, int debug) 800 { 801 int ack, rc; 802 int cryptolen, /* crypto overhead: header+trailer */ 803 firstlen, /* first fragment's payload + overhead length */ 804 hdrlen, /* header length w/o driver padding */ 805 lastlen, /* last fragment's payload length w/ overhead */ 806 lastlen0, /* last fragment's payload length w/o overhead */ 807 npkt, /* number of fragments */ 808 overlen, /* non-802.11 header overhead per fragment */ 809 paylen; /* payload length w/o overhead */ 810 811 hdrlen = ieee80211_anyhdrsize((const void *)wh); 812 813 /* Account for padding required by the driver. */ 814 if (icflags & IEEE80211_F_DATAPAD) 815 paylen = len - roundup(hdrlen, sizeof(u_int32_t)); 816 else 817 paylen = len - hdrlen; 818 819 overlen = IEEE80211_CRC_LEN; 820 821 if (wk != NULL) { 822 cryptolen = wk->wk_cipher->ic_header + 823 wk->wk_cipher->ic_trailer; 824 paylen -= cryptolen; 825 overlen += cryptolen; 826 } 827 828 npkt = paylen / fraglen; 829 lastlen0 = paylen % fraglen; 830 831 if (npkt == 0) /* no fragments */ 832 lastlen = paylen + overlen; 833 else if (lastlen0 != 0) { /* a short "tail" fragment */ 834 lastlen = lastlen0 + overlen; 835 npkt++; 836 } else /* full-length "tail" fragment */ 837 lastlen = fraglen + overlen; 838 839 if (npktp != NULL) 840 *npktp = npkt; 841 842 if (npkt > 1) 843 firstlen = fraglen + overlen; 844 else 845 firstlen = paylen + overlen; 846 847 if (debug) { 848 printf("%s: npkt %d firstlen %d lastlen0 %d lastlen %d " 849 "fraglen %d overlen %d len %d rate %d icflags %08x\n", 850 __func__, npkt, firstlen, lastlen0, lastlen, fraglen, 851 overlen, len, rate, icflags); 852 } 853 854 ack = !IEEE80211_IS_MULTICAST(wh->i_addr1) && 855 (wh->i_fc[1] & IEEE80211_FC0_TYPE_MASK) != IEEE80211_FC0_TYPE_CTL; 856 857 rc = ieee80211_compute_duration1(firstlen + hdrlen, 858 ack, icflags, rate, d0); 859 if (rc == -1) 860 return rc; 861 862 if (npkt <= 1) { 863 *dn = *d0; 864 return 0; 865 } 866 return ieee80211_compute_duration1(lastlen + hdrlen, ack, icflags, rate, 867 dn); 868 } 869 870 /* 871 * Fragment the frame according to the specified mtu. 872 * The size of the 802.11 header (w/o padding) is provided 873 * so we don't need to recalculate it. We create a new 874 * mbuf for each fragment and chain it through m_nextpkt; 875 * we might be able to optimize this by reusing the original 876 * packet's mbufs but that is significantly more complicated. 877 */ 878 static int 879 ieee80211_fragment(struct ieee80211com *ic, struct mbuf *m0, 880 u_int hdrsize, u_int ciphdrsize, u_int mtu) 881 { 882 struct ieee80211_frame *wh, *whf; 883 struct mbuf *m, *prev, *next; 884 u_int totalhdrsize, fragno, fragsize, off, remainder, payload; 885 886 IASSERT(m0->m_nextpkt == NULL, ("mbuf already chained?")); 887 IASSERT(m0->m_pkthdr.len > mtu, 888 ("pktlen %u mtu %u", m0->m_pkthdr.len, mtu)); 889 890 wh = mtod(m0, struct ieee80211_frame *); 891 /* NB: mark the first frag; it will be propagated below */ 892 wh->i_fc[1] |= IEEE80211_FC1_MORE_FRAG; 893 totalhdrsize = hdrsize + ciphdrsize; 894 fragno = 1; 895 off = mtu - ciphdrsize; 896 remainder = m0->m_pkthdr.len - off; 897 prev = m0; 898 do { 899 fragsize = totalhdrsize + remainder; 900 if (fragsize > mtu) 901 fragsize = mtu; 902 IASSERT(fragsize < MCLBYTES, 903 ("fragment size %u too big!", fragsize)); 904 if (fragsize > MHLEN) 905 m = m_getcl(M_DONTWAIT, MT_DATA, M_PKTHDR); 906 else 907 m = m_gethdr(M_DONTWAIT, MT_DATA); 908 if (m == NULL) 909 goto bad; 910 /* leave room to prepend any cipher header */ 911 m_align(m, fragsize - ciphdrsize); 912 913 /* 914 * Form the header in the fragment. Note that since 915 * we mark the first fragment with the MORE_FRAG bit 916 * it automatically is propagated to each fragment; we 917 * need only clear it on the last fragment (done below). 918 */ 919 whf = mtod(m, struct ieee80211_frame *); 920 memcpy(whf, wh, hdrsize); 921 *(u_int16_t *)&whf->i_seq[0] |= htole16( 922 (fragno & IEEE80211_SEQ_FRAG_MASK) << 923 IEEE80211_SEQ_FRAG_SHIFT); 924 fragno++; 925 926 payload = fragsize - totalhdrsize; 927 /* NB: destination is known to be contiguous */ 928 m_copydata(m0, off, payload, mtod(m, u_int8_t *) + hdrsize); 929 m->m_len = hdrsize + payload; 930 m->m_pkthdr.len = hdrsize + payload; 931 m->m_flags |= M_FRAG; 932 933 /* chain up the fragment */ 934 prev->m_nextpkt = m; 935 prev = m; 936 937 /* deduct fragment just formed */ 938 remainder -= payload; 939 off += payload; 940 } while (remainder != 0); 941 whf->i_fc[1] &= ~IEEE80211_FC1_MORE_FRAG; 942 943 /* strip first mbuf now that everything has been copied */ 944 m_adj(m0, -(m0->m_pkthdr.len - (mtu - ciphdrsize))); 945 m0->m_flags |= M_FIRSTFRAG | M_FRAG; 946 947 ic->ic_stats.is_tx_fragframes++; 948 ic->ic_stats.is_tx_frags += fragno-1; 949 950 return 1; 951 bad: 952 /* reclaim fragments but leave original frame for caller to free */ 953 for (m = m0->m_nextpkt; m != NULL; m = next) { 954 next = m->m_nextpkt; 955 m->m_nextpkt = NULL; /* XXX paranoid */ 956 m_freem(m); 957 } 958 m0->m_nextpkt = NULL; 959 return 0; 960 } 961 962 /* 963 * Add a supported rates element id to a frame. 964 */ 965 u_int8_t * 966 ieee80211_add_rates(u_int8_t *frm, const struct ieee80211_rateset *rs) 967 { 968 int nrates; 969 970 *frm++ = IEEE80211_ELEMID_RATES; 971 nrates = rs->rs_nrates; 972 if (nrates > IEEE80211_RATE_SIZE) 973 nrates = IEEE80211_RATE_SIZE; 974 *frm++ = nrates; 975 memcpy(frm, rs->rs_rates, nrates); 976 return frm + nrates; 977 } 978 979 /* 980 * Add an extended supported rates element id to a frame. 981 */ 982 u_int8_t * 983 ieee80211_add_xrates(u_int8_t *frm, const struct ieee80211_rateset *rs) 984 { 985 /* 986 * Add an extended supported rates element if operating in 11g mode. 987 */ 988 if (rs->rs_nrates > IEEE80211_RATE_SIZE) { 989 int nrates = rs->rs_nrates - IEEE80211_RATE_SIZE; 990 *frm++ = IEEE80211_ELEMID_XRATES; 991 *frm++ = nrates; 992 memcpy(frm, rs->rs_rates + IEEE80211_RATE_SIZE, nrates); 993 frm += nrates; 994 } 995 return frm; 996 } 997 998 /* 999 * Add an ssid elemet to a frame. 1000 */ 1001 u_int8_t * 1002 ieee80211_add_ssid(u_int8_t *frm, const u_int8_t *ssid, u_int len) 1003 { 1004 *frm++ = IEEE80211_ELEMID_SSID; 1005 *frm++ = len; 1006 memcpy(frm, ssid, len); 1007 return frm + len; 1008 } 1009 1010 /* 1011 * Add an erp element to a frame. 1012 */ 1013 static u_int8_t * 1014 ieee80211_add_erp(u_int8_t *frm, struct ieee80211com *ic) 1015 { 1016 u_int8_t erp; 1017 1018 *frm++ = IEEE80211_ELEMID_ERP; 1019 *frm++ = 1; 1020 erp = 0; 1021 if (ic->ic_nonerpsta != 0) 1022 erp |= IEEE80211_ERP_NON_ERP_PRESENT; 1023 if (ic->ic_flags & IEEE80211_F_USEPROT) 1024 erp |= IEEE80211_ERP_USE_PROTECTION; 1025 if (ic->ic_flags & IEEE80211_F_USEBARKER) 1026 erp |= IEEE80211_ERP_LONG_PREAMBLE; 1027 *frm++ = erp; 1028 return frm; 1029 } 1030 1031 static u_int8_t * 1032 ieee80211_setup_wpa_ie(struct ieee80211com *ic, u_int8_t *ie) 1033 { 1034 #define WPA_OUI_BYTES 0x00, 0x50, 0xf2 1035 #define ADDSHORT(frm, v) do { \ 1036 frm[0] = (v) & 0xff; \ 1037 frm[1] = (v) >> 8; \ 1038 frm += 2; \ 1039 } while (0) 1040 #define ADDSELECTOR(frm, sel) do { \ 1041 memcpy(frm, sel, 4); \ 1042 frm += 4; \ 1043 } while (0) 1044 static const u_int8_t oui[4] = { WPA_OUI_BYTES, WPA_OUI_TYPE }; 1045 static const u_int8_t cipher_suite[][4] = { 1046 { WPA_OUI_BYTES, WPA_CSE_WEP40 }, /* NB: 40-bit */ 1047 { WPA_OUI_BYTES, WPA_CSE_TKIP }, 1048 { 0x00, 0x00, 0x00, 0x00 }, /* XXX WRAP */ 1049 { WPA_OUI_BYTES, WPA_CSE_CCMP }, 1050 { 0x00, 0x00, 0x00, 0x00 }, /* XXX CKIP */ 1051 { WPA_OUI_BYTES, WPA_CSE_NULL }, 1052 }; 1053 static const u_int8_t wep104_suite[4] = 1054 { WPA_OUI_BYTES, WPA_CSE_WEP104 }; 1055 static const u_int8_t key_mgt_unspec[4] = 1056 { WPA_OUI_BYTES, WPA_ASE_8021X_UNSPEC }; 1057 static const u_int8_t key_mgt_psk[4] = 1058 { WPA_OUI_BYTES, WPA_ASE_8021X_PSK }; 1059 const struct ieee80211_rsnparms *rsn = &ic->ic_bss->ni_rsn; 1060 u_int8_t *frm = ie; 1061 u_int8_t *selcnt; 1062 1063 *frm++ = IEEE80211_ELEMID_VENDOR; 1064 *frm++ = 0; /* length filled in below */ 1065 memcpy(frm, oui, sizeof(oui)); /* WPA OUI */ 1066 frm += sizeof(oui); 1067 ADDSHORT(frm, WPA_VERSION); 1068 1069 /* XXX filter out CKIP */ 1070 1071 /* multicast cipher */ 1072 if (rsn->rsn_mcastcipher == IEEE80211_CIPHER_WEP && 1073 rsn->rsn_mcastkeylen >= 13) 1074 ADDSELECTOR(frm, wep104_suite); 1075 else 1076 ADDSELECTOR(frm, cipher_suite[rsn->rsn_mcastcipher]); 1077 1078 /* unicast cipher list */ 1079 selcnt = frm; 1080 ADDSHORT(frm, 0); /* selector count */ 1081 if (rsn->rsn_ucastcipherset & (1<<IEEE80211_CIPHER_AES_CCM)) { 1082 selcnt[0]++; 1083 ADDSELECTOR(frm, cipher_suite[IEEE80211_CIPHER_AES_CCM]); 1084 } 1085 if (rsn->rsn_ucastcipherset & (1<<IEEE80211_CIPHER_TKIP)) { 1086 selcnt[0]++; 1087 ADDSELECTOR(frm, cipher_suite[IEEE80211_CIPHER_TKIP]); 1088 } 1089 1090 /* authenticator selector list */ 1091 selcnt = frm; 1092 ADDSHORT(frm, 0); /* selector count */ 1093 if (rsn->rsn_keymgmtset & WPA_ASE_8021X_UNSPEC) { 1094 selcnt[0]++; 1095 ADDSELECTOR(frm, key_mgt_unspec); 1096 } 1097 if (rsn->rsn_keymgmtset & WPA_ASE_8021X_PSK) { 1098 selcnt[0]++; 1099 ADDSELECTOR(frm, key_mgt_psk); 1100 } 1101 1102 /* optional capabilities */ 1103 if (rsn->rsn_caps != 0 && rsn->rsn_caps != RSN_CAP_PREAUTH) 1104 ADDSHORT(frm, rsn->rsn_caps); 1105 1106 /* calculate element length */ 1107 ie[1] = frm - ie - 2; 1108 IASSERT(ie[1]+2 <= sizeof(struct ieee80211_ie_wpa), 1109 ("WPA IE too big, %u > %zu", 1110 ie[1]+2, sizeof(struct ieee80211_ie_wpa))); 1111 return frm; 1112 #undef ADDSHORT 1113 #undef ADDSELECTOR 1114 #undef WPA_OUI_BYTES 1115 } 1116 1117 static u_int8_t * 1118 ieee80211_setup_rsn_ie(struct ieee80211com *ic, u_int8_t *ie) 1119 { 1120 #define RSN_OUI_BYTES 0x00, 0x0f, 0xac 1121 #define ADDSHORT(frm, v) do { \ 1122 frm[0] = (v) & 0xff; \ 1123 frm[1] = (v) >> 8; \ 1124 frm += 2; \ 1125 } while (0) 1126 #define ADDSELECTOR(frm, sel) do { \ 1127 memcpy(frm, sel, 4); \ 1128 frm += 4; \ 1129 } while (0) 1130 static const u_int8_t cipher_suite[][4] = { 1131 { RSN_OUI_BYTES, RSN_CSE_WEP40 }, /* NB: 40-bit */ 1132 { RSN_OUI_BYTES, RSN_CSE_TKIP }, 1133 { RSN_OUI_BYTES, RSN_CSE_WRAP }, 1134 { RSN_OUI_BYTES, RSN_CSE_CCMP }, 1135 { 0x00, 0x00, 0x00, 0x00 }, /* XXX CKIP */ 1136 { RSN_OUI_BYTES, RSN_CSE_NULL }, 1137 }; 1138 static const u_int8_t wep104_suite[4] = 1139 { RSN_OUI_BYTES, RSN_CSE_WEP104 }; 1140 static const u_int8_t key_mgt_unspec[4] = 1141 { RSN_OUI_BYTES, RSN_ASE_8021X_UNSPEC }; 1142 static const u_int8_t key_mgt_psk[4] = 1143 { RSN_OUI_BYTES, RSN_ASE_8021X_PSK }; 1144 const struct ieee80211_rsnparms *rsn = &ic->ic_bss->ni_rsn; 1145 u_int8_t *frm = ie; 1146 u_int8_t *selcnt; 1147 1148 *frm++ = IEEE80211_ELEMID_RSN; 1149 *frm++ = 0; /* length filled in below */ 1150 ADDSHORT(frm, RSN_VERSION); 1151 1152 /* XXX filter out CKIP */ 1153 1154 /* multicast cipher */ 1155 if (rsn->rsn_mcastcipher == IEEE80211_CIPHER_WEP && 1156 rsn->rsn_mcastkeylen >= 13) 1157 ADDSELECTOR(frm, wep104_suite); 1158 else 1159 ADDSELECTOR(frm, cipher_suite[rsn->rsn_mcastcipher]); 1160 1161 /* unicast cipher list */ 1162 selcnt = frm; 1163 ADDSHORT(frm, 0); /* selector count */ 1164 if (rsn->rsn_ucastcipherset & (1<<IEEE80211_CIPHER_AES_CCM)) { 1165 selcnt[0]++; 1166 ADDSELECTOR(frm, cipher_suite[IEEE80211_CIPHER_AES_CCM]); 1167 } 1168 if (rsn->rsn_ucastcipherset & (1<<IEEE80211_CIPHER_TKIP)) { 1169 selcnt[0]++; 1170 ADDSELECTOR(frm, cipher_suite[IEEE80211_CIPHER_TKIP]); 1171 } 1172 1173 /* authenticator selector list */ 1174 selcnt = frm; 1175 ADDSHORT(frm, 0); /* selector count */ 1176 if (rsn->rsn_keymgmtset & WPA_ASE_8021X_UNSPEC) { 1177 selcnt[0]++; 1178 ADDSELECTOR(frm, key_mgt_unspec); 1179 } 1180 if (rsn->rsn_keymgmtset & WPA_ASE_8021X_PSK) { 1181 selcnt[0]++; 1182 ADDSELECTOR(frm, key_mgt_psk); 1183 } 1184 1185 /* optional capabilities */ 1186 ADDSHORT(frm, rsn->rsn_caps); 1187 /* XXX PMKID */ 1188 1189 /* calculate element length */ 1190 ie[1] = frm - ie - 2; 1191 IASSERT(ie[1]+2 <= sizeof(struct ieee80211_ie_wpa), 1192 ("RSN IE too big, %u > %zu", 1193 ie[1]+2, sizeof(struct ieee80211_ie_wpa))); 1194 return frm; 1195 #undef ADDSELECTOR 1196 #undef ADDSHORT 1197 #undef RSN_OUI_BYTES 1198 } 1199 1200 /* 1201 * Add a WPA/RSN element to a frame. 1202 */ 1203 u_int8_t * 1204 ieee80211_add_wpa(u_int8_t *frm, struct ieee80211com *ic) 1205 { 1206 1207 IASSERT(ic->ic_flags & IEEE80211_F_WPA, ("no WPA/RSN!")); 1208 if (ic->ic_flags & IEEE80211_F_WPA2) 1209 frm = ieee80211_setup_rsn_ie(ic, frm); 1210 if (ic->ic_flags & IEEE80211_F_WPA1) 1211 frm = ieee80211_setup_wpa_ie(ic, frm); 1212 return frm; 1213 } 1214 1215 #define WME_OUI_BYTES 0x00, 0x50, 0xf2 1216 /* 1217 * Add a WME information element to a frame. 1218 */ 1219 u_int8_t * 1220 ieee80211_add_wme_info(u_int8_t *frm, struct ieee80211_wme_state *wme) 1221 { 1222 static const struct ieee80211_wme_info info = { 1223 .wme_id = IEEE80211_ELEMID_VENDOR, 1224 .wme_len = sizeof(struct ieee80211_wme_info) - 2, 1225 .wme_oui = { WME_OUI_BYTES }, 1226 .wme_type = WME_OUI_TYPE, 1227 .wme_subtype = WME_INFO_OUI_SUBTYPE, 1228 .wme_version = WME_VERSION, 1229 .wme_info = 0, 1230 }; 1231 memcpy(frm, &info, sizeof(info)); 1232 return frm + sizeof(info); 1233 } 1234 1235 /* 1236 * Add a WME parameters element to a frame. 1237 */ 1238 static u_int8_t * 1239 ieee80211_add_wme_param(u_int8_t *frm, struct ieee80211_wme_state *wme) 1240 { 1241 #define SM(_v, _f) (((_v) << _f##_S) & _f) 1242 #define ADDSHORT(frm, v) do { \ 1243 frm[0] = (v) & 0xff; \ 1244 frm[1] = (v) >> 8; \ 1245 frm += 2; \ 1246 } while (0) 1247 /* NB: this works 'cuz a param has an info at the front */ 1248 static const struct ieee80211_wme_info param = { 1249 .wme_id = IEEE80211_ELEMID_VENDOR, 1250 .wme_len = sizeof(struct ieee80211_wme_param) - 2, 1251 .wme_oui = { WME_OUI_BYTES }, 1252 .wme_type = WME_OUI_TYPE, 1253 .wme_subtype = WME_PARAM_OUI_SUBTYPE, 1254 .wme_version = WME_VERSION, 1255 }; 1256 int i; 1257 1258 memcpy(frm, ¶m, sizeof(param)); 1259 frm += offsetof(struct ieee80211_wme_info, wme_info); 1260 *frm++ = wme->wme_bssChanParams.cap_info; /* AC info */ 1261 *frm++ = 0; /* reserved field */ 1262 for (i = 0; i < WME_NUM_AC; i++) { 1263 const struct wmeParams *ac = 1264 &wme->wme_bssChanParams.cap_wmeParams[i]; 1265 *frm++ = SM(i, WME_PARAM_ACI) 1266 | SM(ac->wmep_acm, WME_PARAM_ACM) 1267 | SM(ac->wmep_aifsn, WME_PARAM_AIFSN) 1268 ; 1269 *frm++ = SM(ac->wmep_logcwmax, WME_PARAM_LOGCWMAX) 1270 | SM(ac->wmep_logcwmin, WME_PARAM_LOGCWMIN) 1271 ; 1272 ADDSHORT(frm, ac->wmep_txopLimit); 1273 } 1274 return frm; 1275 #undef SM 1276 #undef ADDSHORT 1277 } 1278 #undef WME_OUI_BYTES 1279 1280 /* 1281 * Send a probe request frame with the specified ssid 1282 * and any optional information element data. 1283 */ 1284 int 1285 ieee80211_send_probereq(struct ieee80211_node *ni, 1286 const u_int8_t sa[IEEE80211_ADDR_LEN], 1287 const u_int8_t da[IEEE80211_ADDR_LEN], 1288 const u_int8_t bssid[IEEE80211_ADDR_LEN], 1289 const u_int8_t *ssid, size_t ssidlen, 1290 const void *optie, size_t optielen) 1291 { 1292 struct ieee80211com *ic = ni->ni_ic; 1293 enum ieee80211_phymode mode; 1294 struct ieee80211_frame *wh; 1295 struct mbuf *m; 1296 u_int8_t *frm; 1297 1298 /* 1299 * Hold a reference on the node so it doesn't go away until after 1300 * the xmit is complete all the way in the driver. On error we 1301 * will remove our reference. 1302 */ 1303 IEEE80211_DPRINTF(ic, IEEE80211_MSG_NODE, 1304 "ieee80211_ref_node (%s:%u) %p<%s> refcnt %d\n", 1305 __func__, __LINE__, 1306 ni, ether_sprintf(ni->ni_macaddr), 1307 ieee80211_node_refcnt(ni)+1); 1308 ieee80211_ref_node(ni); 1309 1310 /* 1311 * prreq frame format 1312 * [tlv] ssid 1313 * [tlv] supported rates 1314 * [tlv] extended supported rates 1315 * [tlv] user-specified ie's 1316 */ 1317 m = ieee80211_getmgtframe(&frm, 1318 2 + IEEE80211_NWID_LEN 1319 + 2 + IEEE80211_RATE_SIZE 1320 + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE) 1321 + (optie != NULL ? optielen : 0) 1322 ); 1323 if (m == NULL) { 1324 ic->ic_stats.is_tx_nobuf++; 1325 ieee80211_free_node(ni); 1326 return ENOMEM; 1327 } 1328 1329 frm = ieee80211_add_ssid(frm, ssid, ssidlen); 1330 mode = ieee80211_chan2mode(ic, ic->ic_curchan); 1331 frm = ieee80211_add_rates(frm, &ic->ic_sup_rates[mode]); 1332 frm = ieee80211_add_xrates(frm, &ic->ic_sup_rates[mode]); 1333 1334 if (optie != NULL) { 1335 memcpy(frm, optie, optielen); 1336 frm += optielen; 1337 } 1338 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *); 1339 1340 M_PREPEND(m, sizeof(struct ieee80211_frame), M_DONTWAIT); 1341 if (m == NULL) 1342 return ENOMEM; 1343 M_SETCTX(m, ni); 1344 1345 wh = mtod(m, struct ieee80211_frame *); 1346 ieee80211_send_setup(ic, ni, wh, 1347 IEEE80211_FC0_TYPE_MGT | IEEE80211_FC0_SUBTYPE_PROBE_REQ, 1348 sa, da, bssid); 1349 /* XXX power management? */ 1350 1351 IEEE80211_NODE_STAT(ni, tx_probereq); 1352 IEEE80211_NODE_STAT(ni, tx_mgmt); 1353 1354 IEEE80211_DPRINTF(ic, IEEE80211_MSG_DEBUG | IEEE80211_MSG_DUMPPKTS, 1355 "[%s] send probe req on channel %u\n", 1356 ether_sprintf(wh->i_addr1), 1357 ieee80211_chan2ieee(ic, ic->ic_curchan)); 1358 1359 IF_ENQUEUE(&ic->ic_mgtq, m); 1360 if_start_lock(ic->ic_ifp); 1361 return 0; 1362 } 1363 1364 /* 1365 * Send a management frame. The node is for the destination (or ic_bss 1366 * when in station mode). Nodes other than ic_bss have their reference 1367 * count bumped to reflect our use for an indeterminant time. 1368 */ 1369 int 1370 ieee80211_send_mgmt(struct ieee80211com *ic, struct ieee80211_node *ni, 1371 int type, int arg) 1372 { 1373 #define senderr(_x, _v) do { ic->ic_stats._v++; ret = _x; goto bad; } while (0) 1374 struct mbuf *m; 1375 u_int8_t *frm; 1376 u_int16_t capinfo; 1377 int has_challenge, is_shared_key, ret, timer, status; 1378 1379 IASSERT(ni != NULL, ("null node")); 1380 1381 /* 1382 * Hold a reference on the node so it doesn't go away until after 1383 * the xmit is complete all the way in the driver. On error we 1384 * will remove our reference. 1385 */ 1386 IEEE80211_DPRINTF(ic, IEEE80211_MSG_NODE, 1387 "ieee80211_ref_node (%s:%u) %p<%s> refcnt %d\n", 1388 __func__, __LINE__, 1389 ni, ether_sprintf(ni->ni_macaddr), 1390 ieee80211_node_refcnt(ni)+1); 1391 ieee80211_ref_node(ni); 1392 1393 timer = 0; 1394 switch (type) { 1395 case IEEE80211_FC0_SUBTYPE_PROBE_RESP: 1396 /* 1397 * probe response frame format 1398 * [8] time stamp 1399 * [2] beacon interval 1400 * [2] cabability information 1401 * [tlv] ssid 1402 * [tlv] supported rates 1403 * [tlv] parameter set (FH/DS) 1404 * [tlv] parameter set (IBSS) 1405 * [tlv] extended rate phy (ERP) 1406 * [tlv] extended supported rates 1407 * [tlv] WPA 1408 * [tlv] WME (optional) 1409 */ 1410 m = ieee80211_getmgtframe(&frm, 1411 8 1412 + sizeof(u_int16_t) 1413 + sizeof(u_int16_t) 1414 + 2 + IEEE80211_NWID_LEN 1415 + 2 + IEEE80211_RATE_SIZE 1416 + 7 /* max(7,3) */ 1417 + 6 1418 + 3 1419 + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE) 1420 /* XXX !WPA1+WPA2 fits w/o a cluster */ 1421 + (ic->ic_flags & IEEE80211_F_WPA ? 1422 2*sizeof(struct ieee80211_ie_wpa) : 0) 1423 + sizeof(struct ieee80211_wme_param) 1424 ); 1425 if (m == NULL) 1426 senderr(ENOMEM, is_tx_nobuf); 1427 1428 memset(frm, 0, 8); /* timestamp should be filled later */ 1429 frm += 8; 1430 *(u_int16_t *)frm = htole16(ic->ic_bss->ni_intval); 1431 frm += 2; 1432 if (ic->ic_opmode == IEEE80211_M_IBSS) 1433 capinfo = IEEE80211_CAPINFO_IBSS; 1434 else 1435 capinfo = IEEE80211_CAPINFO_ESS; 1436 if (ic->ic_flags & IEEE80211_F_PRIVACY) 1437 capinfo |= IEEE80211_CAPINFO_PRIVACY; 1438 if ((ic->ic_flags & IEEE80211_F_SHPREAMBLE) && 1439 IEEE80211_IS_CHAN_2GHZ(ic->ic_curchan)) 1440 capinfo |= IEEE80211_CAPINFO_SHORT_PREAMBLE; 1441 if (ic->ic_flags & IEEE80211_F_SHSLOT) 1442 capinfo |= IEEE80211_CAPINFO_SHORT_SLOTTIME; 1443 *(u_int16_t *)frm = htole16(capinfo); 1444 frm += 2; 1445 1446 frm = ieee80211_add_ssid(frm, ic->ic_bss->ni_essid, 1447 ic->ic_bss->ni_esslen); 1448 frm = ieee80211_add_rates(frm, &ni->ni_rates); 1449 1450 if (ic->ic_phytype == IEEE80211_T_FH) { 1451 *frm++ = IEEE80211_ELEMID_FHPARMS; 1452 *frm++ = 5; 1453 *frm++ = ni->ni_fhdwell & 0x00ff; 1454 *frm++ = (ni->ni_fhdwell >> 8) & 0x00ff; 1455 *frm++ = IEEE80211_FH_CHANSET( 1456 ieee80211_chan2ieee(ic, ic->ic_curchan)); 1457 *frm++ = IEEE80211_FH_CHANPAT( 1458 ieee80211_chan2ieee(ic, ic->ic_curchan)); 1459 *frm++ = ni->ni_fhindex; 1460 } else { 1461 *frm++ = IEEE80211_ELEMID_DSPARMS; 1462 *frm++ = 1; 1463 *frm++ = ieee80211_chan2ieee(ic, ic->ic_curchan); 1464 } 1465 1466 if (ic->ic_opmode == IEEE80211_M_IBSS) { 1467 *frm++ = IEEE80211_ELEMID_IBSSPARMS; 1468 *frm++ = 2; 1469 *frm++ = 0; *frm++ = 0; /* TODO: ATIM window */ 1470 } 1471 if (ic->ic_flags & IEEE80211_F_WPA) 1472 frm = ieee80211_add_wpa(frm, ic); 1473 if (ic->ic_curmode == IEEE80211_MODE_11G) 1474 frm = ieee80211_add_erp(frm, ic); 1475 frm = ieee80211_add_xrates(frm, &ni->ni_rates); 1476 if (ic->ic_flags & IEEE80211_F_WME) 1477 frm = ieee80211_add_wme_param(frm, &ic->ic_wme); 1478 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *); 1479 break; 1480 1481 case IEEE80211_FC0_SUBTYPE_AUTH: 1482 status = arg >> 16; 1483 arg &= 0xffff; 1484 has_challenge = ((arg == IEEE80211_AUTH_SHARED_CHALLENGE || 1485 arg == IEEE80211_AUTH_SHARED_RESPONSE) && 1486 ni->ni_challenge != NULL); 1487 1488 /* 1489 * Deduce whether we're doing open authentication or 1490 * shared key authentication. We do the latter if 1491 * we're in the middle of a shared key authentication 1492 * handshake or if we're initiating an authentication 1493 * request and configured to use shared key. 1494 */ 1495 is_shared_key = has_challenge || 1496 arg >= IEEE80211_AUTH_SHARED_RESPONSE || 1497 (arg == IEEE80211_AUTH_SHARED_REQUEST && 1498 ic->ic_bss->ni_authmode == IEEE80211_AUTH_SHARED); 1499 1500 m = ieee80211_getmgtframe(&frm, 1501 3 * sizeof(u_int16_t) 1502 + (has_challenge && status == IEEE80211_STATUS_SUCCESS ? 1503 sizeof(u_int16_t)+IEEE80211_CHALLENGE_LEN : 0) 1504 ); 1505 if (m == NULL) 1506 senderr(ENOMEM, is_tx_nobuf); 1507 1508 ((u_int16_t *)frm)[0] = 1509 (is_shared_key) ? htole16(IEEE80211_AUTH_ALG_SHARED) 1510 : htole16(IEEE80211_AUTH_ALG_OPEN); 1511 ((u_int16_t *)frm)[1] = htole16(arg); /* sequence number */ 1512 ((u_int16_t *)frm)[2] = htole16(status);/* status */ 1513 1514 if (has_challenge && status == IEEE80211_STATUS_SUCCESS) { 1515 ((u_int16_t *)frm)[3] = 1516 htole16((IEEE80211_CHALLENGE_LEN << 8) | 1517 IEEE80211_ELEMID_CHALLENGE); 1518 memcpy(&((u_int16_t *)frm)[4], ni->ni_challenge, 1519 IEEE80211_CHALLENGE_LEN); 1520 m->m_pkthdr.len = m->m_len = 1521 4 * sizeof(u_int16_t) + IEEE80211_CHALLENGE_LEN; 1522 if (arg == IEEE80211_AUTH_SHARED_RESPONSE) { 1523 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 1524 "[%s] request encrypt frame (%s)\n", 1525 ether_sprintf(ni->ni_macaddr), __func__); 1526 m->m_flags |= M_LINK0; /* WEP-encrypt, please */ 1527 } 1528 } else 1529 m->m_pkthdr.len = m->m_len = 3 * sizeof(u_int16_t); 1530 1531 /* XXX not right for shared key */ 1532 if (status == IEEE80211_STATUS_SUCCESS) 1533 IEEE80211_NODE_STAT(ni, tx_auth); 1534 else 1535 IEEE80211_NODE_STAT(ni, tx_auth_fail); 1536 1537 if (ic->ic_opmode == IEEE80211_M_STA) 1538 timer = IEEE80211_TRANS_WAIT; 1539 break; 1540 1541 case IEEE80211_FC0_SUBTYPE_DEAUTH: 1542 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH, 1543 "[%s] send station deauthenticate (reason %d)\n", 1544 ether_sprintf(ni->ni_macaddr), arg); 1545 m = ieee80211_getmgtframe(&frm, sizeof(u_int16_t)); 1546 if (m == NULL) 1547 senderr(ENOMEM, is_tx_nobuf); 1548 *(u_int16_t *)frm = htole16(arg); /* reason */ 1549 m->m_pkthdr.len = m->m_len = sizeof(u_int16_t); 1550 1551 IEEE80211_NODE_STAT(ni, tx_deauth); 1552 IEEE80211_NODE_STAT_SET(ni, tx_deauth_code, arg); 1553 1554 ieee80211_node_unauthorize(ni); /* port closed */ 1555 break; 1556 1557 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ: 1558 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: 1559 /* 1560 * asreq frame format 1561 * [2] capability information 1562 * [2] listen interval 1563 * [6*] current AP address (reassoc only) 1564 * [tlv] ssid 1565 * [tlv] supported rates 1566 * [tlv] extended supported rates 1567 * [tlv] WME 1568 * [tlv] user-specified ie's 1569 */ 1570 m = ieee80211_getmgtframe(&frm, 1571 sizeof(u_int16_t) 1572 + sizeof(u_int16_t) 1573 + IEEE80211_ADDR_LEN 1574 + 2 + IEEE80211_NWID_LEN 1575 + 2 + IEEE80211_RATE_SIZE 1576 + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE) 1577 + sizeof(struct ieee80211_wme_info) 1578 + (ic->ic_opt_ie != NULL ? ic->ic_opt_ie_len : 0) 1579 ); 1580 if (m == NULL) 1581 senderr(ENOMEM, is_tx_nobuf); 1582 1583 capinfo = 0; 1584 if (ic->ic_opmode == IEEE80211_M_IBSS) 1585 capinfo |= IEEE80211_CAPINFO_IBSS; 1586 else /* IEEE80211_M_STA */ 1587 capinfo |= IEEE80211_CAPINFO_ESS; 1588 if (ic->ic_flags & IEEE80211_F_PRIVACY) 1589 capinfo |= IEEE80211_CAPINFO_PRIVACY; 1590 /* 1591 * NB: Some 11a AP's reject the request when 1592 * short premable is set. 1593 */ 1594 if ((ic->ic_flags & IEEE80211_F_SHPREAMBLE) && 1595 IEEE80211_IS_CHAN_2GHZ(ic->ic_curchan)) 1596 capinfo |= IEEE80211_CAPINFO_SHORT_PREAMBLE; 1597 if ((ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME) && 1598 (ic->ic_caps & IEEE80211_C_SHSLOT)) 1599 capinfo |= IEEE80211_CAPINFO_SHORT_SLOTTIME; 1600 *(u_int16_t *)frm = htole16(capinfo); 1601 frm += 2; 1602 1603 *(u_int16_t *)frm = htole16(ic->ic_lintval); 1604 frm += 2; 1605 1606 if (type == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) { 1607 IEEE80211_ADDR_COPY(frm, ic->ic_bss->ni_bssid); 1608 frm += IEEE80211_ADDR_LEN; 1609 } 1610 1611 frm = ieee80211_add_ssid(frm, ni->ni_essid, ni->ni_esslen); 1612 frm = ieee80211_add_rates(frm, &ni->ni_rates); 1613 frm = ieee80211_add_xrates(frm, &ni->ni_rates); 1614 if ((ic->ic_flags & IEEE80211_F_WME) && ni->ni_wme_ie != NULL) 1615 frm = ieee80211_add_wme_info(frm, &ic->ic_wme); 1616 if (ic->ic_opt_ie != NULL) { 1617 memcpy(frm, ic->ic_opt_ie, ic->ic_opt_ie_len); 1618 frm += ic->ic_opt_ie_len; 1619 } 1620 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *); 1621 1622 timer = IEEE80211_TRANS_WAIT; 1623 break; 1624 1625 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP: 1626 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: 1627 /* 1628 * asreq frame format 1629 * [2] capability information 1630 * [2] status 1631 * [2] association ID 1632 * [tlv] supported rates 1633 * [tlv] extended supported rates 1634 * [tlv] WME (if enabled and STA enabled) 1635 */ 1636 m = ieee80211_getmgtframe(&frm, 1637 sizeof(u_int16_t) 1638 + sizeof(u_int16_t) 1639 + sizeof(u_int16_t) 1640 + 2 + IEEE80211_RATE_SIZE 1641 + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE) 1642 + sizeof(struct ieee80211_wme_param) 1643 ); 1644 if (m == NULL) 1645 senderr(ENOMEM, is_tx_nobuf); 1646 1647 capinfo = IEEE80211_CAPINFO_ESS; 1648 if (ic->ic_flags & IEEE80211_F_PRIVACY) 1649 capinfo |= IEEE80211_CAPINFO_PRIVACY; 1650 if ((ic->ic_flags & IEEE80211_F_SHPREAMBLE) && 1651 IEEE80211_IS_CHAN_2GHZ(ic->ic_curchan)) 1652 capinfo |= IEEE80211_CAPINFO_SHORT_PREAMBLE; 1653 if (ic->ic_flags & IEEE80211_F_SHSLOT) 1654 capinfo |= IEEE80211_CAPINFO_SHORT_SLOTTIME; 1655 *(u_int16_t *)frm = htole16(capinfo); 1656 frm += 2; 1657 1658 *(u_int16_t *)frm = htole16(arg); /* status */ 1659 frm += 2; 1660 1661 if (arg == IEEE80211_STATUS_SUCCESS) { 1662 *(u_int16_t *)frm = htole16(ni->ni_associd); 1663 IEEE80211_NODE_STAT(ni, tx_assoc); 1664 } else 1665 IEEE80211_NODE_STAT(ni, tx_assoc_fail); 1666 frm += 2; 1667 1668 frm = ieee80211_add_rates(frm, &ni->ni_rates); 1669 frm = ieee80211_add_xrates(frm, &ni->ni_rates); 1670 if ((ic->ic_flags & IEEE80211_F_WME) && ni->ni_wme_ie != NULL) 1671 frm = ieee80211_add_wme_param(frm, &ic->ic_wme); 1672 m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *); 1673 break; 1674 1675 case IEEE80211_FC0_SUBTYPE_DISASSOC: 1676 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC, 1677 "[%s] send station disassociate (reason %d)\n", 1678 ether_sprintf(ni->ni_macaddr), arg); 1679 m = ieee80211_getmgtframe(&frm, sizeof(u_int16_t)); 1680 if (m == NULL) 1681 senderr(ENOMEM, is_tx_nobuf); 1682 *(u_int16_t *)frm = htole16(arg); /* reason */ 1683 m->m_pkthdr.len = m->m_len = sizeof(u_int16_t); 1684 1685 IEEE80211_NODE_STAT(ni, tx_disassoc); 1686 IEEE80211_NODE_STAT_SET(ni, tx_disassoc_code, arg); 1687 break; 1688 1689 default: 1690 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 1691 "[%s] invalid mgmt frame type %u\n", 1692 ether_sprintf(ni->ni_macaddr), type); 1693 senderr(EINVAL, is_tx_unknownmgt); 1694 /* NOTREACHED */ 1695 } 1696 ret = ieee80211_mgmt_output(ic, ni, m, type, timer); 1697 if (ret != 0) { 1698 bad: 1699 ieee80211_free_node(ni); 1700 } 1701 return ret; 1702 #undef senderr 1703 } 1704 1705 /* 1706 * Build a RTS (Request To Send) control frame. 1707 */ 1708 struct mbuf * 1709 ieee80211_get_rts(struct ieee80211com *ic, const struct ieee80211_frame *wh, 1710 uint16_t dur) 1711 { 1712 struct ieee80211_frame_rts *rts; 1713 struct mbuf *m; 1714 1715 MGETHDR(m, M_DONTWAIT, MT_DATA); 1716 if (m == NULL) 1717 return NULL; 1718 1719 m->m_pkthdr.len = m->m_len = sizeof(struct ieee80211_frame_rts); 1720 1721 rts = mtod(m, struct ieee80211_frame_rts *); 1722 rts->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_CTL | 1723 IEEE80211_FC0_SUBTYPE_RTS; 1724 rts->i_fc[1] = IEEE80211_FC1_DIR_NODS; 1725 *(uint16_t *)rts->i_dur = htole16(dur); 1726 IEEE80211_ADDR_COPY(rts->i_ra, wh->i_addr1); 1727 IEEE80211_ADDR_COPY(rts->i_ta, wh->i_addr2); 1728 1729 return m; 1730 } 1731 1732 /* 1733 * Build a CTS-to-self (Clear To Send) control frame. 1734 */ 1735 struct mbuf * 1736 ieee80211_get_cts_to_self(struct ieee80211com *ic, uint16_t dur) 1737 { 1738 struct ieee80211_frame_cts *cts; 1739 struct mbuf *m; 1740 1741 MGETHDR(m, M_DONTWAIT, MT_DATA); 1742 if (m == NULL) 1743 return NULL; 1744 1745 m->m_pkthdr.len = m->m_len = sizeof(struct ieee80211_frame_cts); 1746 1747 cts = mtod(m, struct ieee80211_frame_cts *); 1748 cts->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_CTL | 1749 IEEE80211_FC0_SUBTYPE_CTS; 1750 cts->i_fc[1] = IEEE80211_FC1_DIR_NODS; 1751 *(uint16_t *)cts->i_dur = htole16(dur); 1752 IEEE80211_ADDR_COPY(cts->i_ra, ic->ic_myaddr); 1753 1754 return m; 1755 } 1756 1757 /* 1758 * Allocate a beacon frame and fillin the appropriate bits. 1759 */ 1760 struct mbuf * 1761 ieee80211_beacon_alloc(struct ieee80211com *ic, struct ieee80211_node *ni, 1762 struct ieee80211_beacon_offsets *bo) 1763 { 1764 struct ifnet *ifp = ic->ic_ifp; 1765 struct ieee80211_frame *wh; 1766 struct mbuf *m; 1767 int pktlen; 1768 u_int8_t *frm, *efrm; 1769 u_int16_t capinfo; 1770 struct ieee80211_rateset *rs; 1771 1772 /* 1773 * beacon frame format 1774 * [8] time stamp 1775 * [2] beacon interval 1776 * [2] cabability information 1777 * [tlv] ssid 1778 * [tlv] supported rates 1779 * [3] parameter set (DS) 1780 * [tlv] parameter set (IBSS/TIM) 1781 * [tlv] extended rate phy (ERP) 1782 * [tlv] extended supported rates 1783 * [tlv] WME parameters 1784 * [tlv] WPA/RSN parameters 1785 * XXX Vendor-specific OIDs (e.g. Atheros) 1786 * NB: we allocate the max space required for the TIM bitmap. 1787 */ 1788 rs = &ni->ni_rates; 1789 pktlen = 8 /* time stamp */ 1790 + sizeof(u_int16_t) /* beacon interval */ 1791 + sizeof(u_int16_t) /* capabilities */ 1792 + 2 + ni->ni_esslen /* ssid */ 1793 + 2 + IEEE80211_RATE_SIZE /* supported rates */ 1794 + 2 + 1 /* DS parameters */ 1795 + 2 + 4 + ic->ic_tim_len /* DTIM/IBSSPARMS */ 1796 + 2 + 1 /* ERP */ 1797 + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE) 1798 + (ic->ic_caps & IEEE80211_C_WME ? /* WME */ 1799 sizeof(struct ieee80211_wme_param) : 0) 1800 + (ic->ic_caps & IEEE80211_C_WPA ? /* WPA 1+2 */ 1801 2*sizeof(struct ieee80211_ie_wpa) : 0) 1802 ; 1803 m = ieee80211_getmgtframe(&frm, pktlen); 1804 if (m == NULL) { 1805 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 1806 "%s: cannot get buf; size %u\n", __func__, pktlen); 1807 ic->ic_stats.is_tx_nobuf++; 1808 return NULL; 1809 } 1810 1811 memset(frm, 0, 8); /* XXX timestamp is set by hardware/driver */ 1812 frm += 8; 1813 *(u_int16_t *)frm = htole16(ni->ni_intval); 1814 frm += 2; 1815 if (ic->ic_opmode == IEEE80211_M_IBSS) 1816 capinfo = IEEE80211_CAPINFO_IBSS; 1817 else 1818 capinfo = IEEE80211_CAPINFO_ESS; 1819 if (ic->ic_flags & IEEE80211_F_PRIVACY) 1820 capinfo |= IEEE80211_CAPINFO_PRIVACY; 1821 if ((ic->ic_flags & IEEE80211_F_SHPREAMBLE) && 1822 IEEE80211_IS_CHAN_2GHZ(ni->ni_chan)) 1823 capinfo |= IEEE80211_CAPINFO_SHORT_PREAMBLE; 1824 if (ic->ic_flags & IEEE80211_F_SHSLOT) 1825 capinfo |= IEEE80211_CAPINFO_SHORT_SLOTTIME; 1826 bo->bo_caps = (u_int16_t *)frm; 1827 *(u_int16_t *)frm = htole16(capinfo); 1828 frm += 2; 1829 *frm++ = IEEE80211_ELEMID_SSID; 1830 if ((ic->ic_flags & IEEE80211_F_HIDESSID) == 0) { 1831 *frm++ = ni->ni_esslen; 1832 memcpy(frm, ni->ni_essid, ni->ni_esslen); 1833 frm += ni->ni_esslen; 1834 } else 1835 *frm++ = 0; 1836 frm = ieee80211_add_rates(frm, rs); 1837 if (ic->ic_curmode != IEEE80211_MODE_FH) { 1838 *frm++ = IEEE80211_ELEMID_DSPARMS; 1839 *frm++ = 1; 1840 *frm++ = ieee80211_chan2ieee(ic, ni->ni_chan); 1841 } 1842 bo->bo_tim = frm; 1843 if (ic->ic_opmode == IEEE80211_M_IBSS) { 1844 *frm++ = IEEE80211_ELEMID_IBSSPARMS; 1845 *frm++ = 2; 1846 *frm++ = 0; *frm++ = 0; /* TODO: ATIM window */ 1847 bo->bo_tim_len = 0; 1848 } else { 1849 struct ieee80211_tim_ie *tie = (struct ieee80211_tim_ie *) frm; 1850 1851 tie->tim_ie = IEEE80211_ELEMID_TIM; 1852 tie->tim_len = 4; /* length */ 1853 tie->tim_count = 0; /* DTIM count */ 1854 tie->tim_period = ic->ic_dtim_period; /* DTIM period */ 1855 tie->tim_bitctl = 0; /* bitmap control */ 1856 tie->tim_bitmap[0] = 0; /* Partial Virtual Bitmap */ 1857 frm += sizeof(struct ieee80211_tim_ie); 1858 bo->bo_tim_len = 1; 1859 } 1860 bo->bo_trailer = frm; 1861 if (ic->ic_flags & IEEE80211_F_WME) { 1862 bo->bo_wme = frm; 1863 frm = ieee80211_add_wme_param(frm, &ic->ic_wme); 1864 ic->ic_flags &= ~IEEE80211_F_WMEUPDATE; 1865 } 1866 if (ic->ic_flags & IEEE80211_F_WPA) 1867 frm = ieee80211_add_wpa(frm, ic); 1868 if (ic->ic_curmode == IEEE80211_MODE_11G) 1869 frm = ieee80211_add_erp(frm, ic); 1870 efrm = ieee80211_add_xrates(frm, rs); 1871 bo->bo_trailer_len = efrm - bo->bo_trailer; 1872 m->m_pkthdr.len = m->m_len = efrm - mtod(m, u_int8_t *); 1873 1874 M_PREPEND(m, sizeof(struct ieee80211_frame), M_DONTWAIT); 1875 IASSERT(m != NULL, ("no space for 802.11 header?")); 1876 wh = mtod(m, struct ieee80211_frame *); 1877 wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_MGT | 1878 IEEE80211_FC0_SUBTYPE_BEACON; 1879 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS; 1880 *(u_int16_t *)wh->i_dur = 0; 1881 IEEE80211_ADDR_COPY(wh->i_addr1, ifp->if_broadcastaddr); 1882 IEEE80211_ADDR_COPY(wh->i_addr2, ic->ic_myaddr); 1883 IEEE80211_ADDR_COPY(wh->i_addr3, ni->ni_bssid); 1884 *(u_int16_t *)wh->i_seq = 0; 1885 1886 return m; 1887 } 1888 1889 /* 1890 * Update the dynamic parts of a beacon frame based on the current state. 1891 */ 1892 int 1893 ieee80211_beacon_update(struct ieee80211com *ic, struct ieee80211_node *ni, 1894 struct ieee80211_beacon_offsets *bo, struct mbuf *m, int mcast) 1895 { 1896 int len_changed = 0; 1897 u_int16_t capinfo; 1898 1899 IEEE80211_BEACON_LOCK(ic); 1900 /* XXX faster to recalculate entirely or just changes? */ 1901 if (ic->ic_opmode == IEEE80211_M_IBSS) 1902 capinfo = IEEE80211_CAPINFO_IBSS; 1903 else 1904 capinfo = IEEE80211_CAPINFO_ESS; 1905 if (ic->ic_flags & IEEE80211_F_PRIVACY) 1906 capinfo |= IEEE80211_CAPINFO_PRIVACY; 1907 if ((ic->ic_flags & IEEE80211_F_SHPREAMBLE) && 1908 IEEE80211_IS_CHAN_2GHZ(ni->ni_chan)) 1909 capinfo |= IEEE80211_CAPINFO_SHORT_PREAMBLE; 1910 if (ic->ic_flags & IEEE80211_F_SHSLOT) 1911 capinfo |= IEEE80211_CAPINFO_SHORT_SLOTTIME; 1912 *bo->bo_caps = htole16(capinfo); 1913 1914 if (ic->ic_flags & IEEE80211_F_WME) { 1915 struct ieee80211_wme_state *wme = &ic->ic_wme; 1916 1917 /* 1918 * Check for agressive mode change. When there is 1919 * significant high priority traffic in the BSS 1920 * throttle back BE traffic by using conservative 1921 * parameters. Otherwise BE uses agressive params 1922 * to optimize performance of legacy/non-QoS traffic. 1923 */ 1924 if (wme->wme_flags & WME_F_AGGRMODE) { 1925 if (wme->wme_hipri_traffic > 1926 wme->wme_hipri_switch_thresh) { 1927 IEEE80211_DPRINTF(ic, IEEE80211_MSG_WME, 1928 "%s: traffic %u, disable aggressive mode\n", 1929 __func__, wme->wme_hipri_traffic); 1930 wme->wme_flags &= ~WME_F_AGGRMODE; 1931 ieee80211_wme_updateparams_locked(ic); 1932 wme->wme_hipri_traffic = 1933 wme->wme_hipri_switch_hysteresis; 1934 } else 1935 wme->wme_hipri_traffic = 0; 1936 } else { 1937 if (wme->wme_hipri_traffic <= 1938 wme->wme_hipri_switch_thresh) { 1939 IEEE80211_DPRINTF(ic, IEEE80211_MSG_WME, 1940 "%s: traffic %u, enable aggressive mode\n", 1941 __func__, wme->wme_hipri_traffic); 1942 wme->wme_flags |= WME_F_AGGRMODE; 1943 ieee80211_wme_updateparams_locked(ic); 1944 wme->wme_hipri_traffic = 0; 1945 } else 1946 wme->wme_hipri_traffic = 1947 wme->wme_hipri_switch_hysteresis; 1948 } 1949 if (ic->ic_flags & IEEE80211_F_WMEUPDATE) { 1950 (void) ieee80211_add_wme_param(bo->bo_wme, wme); 1951 ic->ic_flags &= ~IEEE80211_F_WMEUPDATE; 1952 } 1953 } 1954 1955 #ifndef IEEE80211_NO_HOSTAP 1956 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { /* NB: no IBSS support*/ 1957 struct ieee80211_tim_ie *tie = 1958 (struct ieee80211_tim_ie *) bo->bo_tim; 1959 if (ic->ic_flags & IEEE80211_F_TIMUPDATE) { 1960 u_int timlen, timoff, i; 1961 /* 1962 * ATIM/DTIM needs updating. If it fits in the 1963 * current space allocated then just copy in the 1964 * new bits. Otherwise we need to move any trailing 1965 * data to make room. Note that we know there is 1966 * contiguous space because ieee80211_beacon_allocate 1967 * insures there is space in the mbuf to write a 1968 * maximal-size virtual bitmap (based on ic_max_aid). 1969 */ 1970 /* 1971 * Calculate the bitmap size and offset, copy any 1972 * trailer out of the way, and then copy in the 1973 * new bitmap and update the information element. 1974 * Note that the tim bitmap must contain at least 1975 * one byte and any offset must be even. 1976 */ 1977 if (ic->ic_ps_pending != 0) { 1978 timoff = 128; /* impossibly large */ 1979 for (i = 0; i < ic->ic_tim_len; i++) 1980 if (ic->ic_tim_bitmap[i]) { 1981 timoff = i &~ 1; 1982 break; 1983 } 1984 IASSERT(timoff != 128, ("tim bitmap empty!")); 1985 for (i = ic->ic_tim_len-1; i >= timoff; i--) 1986 if (ic->ic_tim_bitmap[i]) 1987 break; 1988 timlen = 1 + (i - timoff); 1989 } else { 1990 timoff = 0; 1991 timlen = 1; 1992 } 1993 if (timlen != bo->bo_tim_len) { 1994 /* copy up/down trailer */ 1995 ovbcopy(bo->bo_trailer, tie->tim_bitmap+timlen, 1996 bo->bo_trailer_len); 1997 bo->bo_trailer = tie->tim_bitmap+timlen; 1998 bo->bo_wme = bo->bo_trailer; 1999 bo->bo_tim_len = timlen; 2000 2001 /* update information element */ 2002 tie->tim_len = 3 + timlen; 2003 tie->tim_bitctl = timoff; 2004 len_changed = 1; 2005 } 2006 memcpy(tie->tim_bitmap, ic->ic_tim_bitmap + timoff, 2007 bo->bo_tim_len); 2008 2009 ic->ic_flags &= ~IEEE80211_F_TIMUPDATE; 2010 2011 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2012 "%s: TIM updated, pending %u, off %u, len %u\n", 2013 __func__, ic->ic_ps_pending, timoff, timlen); 2014 } 2015 /* count down DTIM period */ 2016 if (tie->tim_count == 0) 2017 tie->tim_count = tie->tim_period - 1; 2018 else 2019 tie->tim_count--; 2020 /* update state for buffered multicast frames on DTIM */ 2021 if (mcast && (tie->tim_count == 1 || tie->tim_period == 1)) 2022 tie->tim_bitctl |= 1; 2023 else 2024 tie->tim_bitctl &= ~1; 2025 } 2026 #endif /* !IEEE80211_NO_HOSTAP */ 2027 IEEE80211_BEACON_UNLOCK(ic); 2028 2029 return len_changed; 2030 } 2031 2032 /* 2033 * Save an outbound packet for a node in power-save sleep state. 2034 * The new packet is placed on the node's saved queue, and the TIM 2035 * is changed, if necessary. 2036 */ 2037 void 2038 ieee80211_pwrsave(struct ieee80211com *ic, struct ieee80211_node *ni, 2039 struct mbuf *m) 2040 { 2041 int qlen, age; 2042 2043 IEEE80211_NODE_SAVEQ_LOCK(ni); 2044 if (IF_QFULL(&ni->ni_savedq)) { 2045 IF_DROP(&ni->ni_savedq); 2046 IEEE80211_NODE_SAVEQ_UNLOCK(ni); 2047 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 2048 "[%s] pwr save q overflow, drops %d (size %d)\n", 2049 ether_sprintf(ni->ni_macaddr), 2050 ni->ni_savedq.ifq_drops, IEEE80211_PS_MAX_QUEUE); 2051 #ifdef IEEE80211_DEBUG 2052 if (ieee80211_msg_dumppkts(ic)) 2053 ieee80211_dump_pkt(mtod(m, void *), m->m_len, -1, -1); 2054 #endif 2055 m_freem(m); 2056 return; 2057 } 2058 /* 2059 * Tag the frame with its expiry time and insert 2060 * it in the queue. The aging interval is 4 times 2061 * the listen interval specified by the station. 2062 * Frames that sit around too long are reclaimed 2063 * using this information. 2064 */ 2065 /* XXX handle overflow? */ 2066 age = ((ni->ni_intval * ic->ic_bintval) << 2) / 1024; /* TU -> secs */ 2067 _IEEE80211_NODE_SAVEQ_ENQUEUE(ni, m, qlen, age); 2068 IEEE80211_NODE_SAVEQ_UNLOCK(ni); 2069 2070 IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER, 2071 "[%s] save frame with age %d, %u now queued\n", 2072 ether_sprintf(ni->ni_macaddr), age, qlen); 2073 2074 if (qlen == 1) 2075 ic->ic_set_tim(ni, 1); 2076 } 2077
Indexes created Thu Sep 25 06:09:39 GMT 2025