The Design and Implementation of the FreeBSD Operating System, Second Edition
Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]

FreeBSD/Linux Kernel Cross Reference
sys/net80211/ieee80211_output.c

Version: -  FREEBSD  -  FREEBSD-13-STABLE  -  FREEBSD-13-0  -  FREEBSD-12-STABLE  -  FREEBSD-12-0  -  FREEBSD-11-STABLE  -  FREEBSD-11-0  -  FREEBSD-10-STABLE  -  FREEBSD-10-0  -  FREEBSD-9-STABLE  -  FREEBSD-9-0  -  FREEBSD-8-STABLE  -  FREEBSD-8-0  -  FREEBSD-7-STABLE  -  FREEBSD-7-0  -  FREEBSD-6-STABLE  -  FREEBSD-6-0  -  FREEBSD-5-STABLE  -  FREEBSD-5-0  -  FREEBSD-4-STABLE  -  FREEBSD-3-STABLE  -  FREEBSD22  -  l41  -  OPENBSD  -  linux-2.6  -  MK84  -  PLAN9  -  xnu-8792 
SearchContext: -  none  -  3  -  10 

    1 /*-
    2  * Copyright (c) 2001 Atsushi Onoe
    3  * Copyright (c) 2002-2007 Sam Leffler, Errno Consulting
    4  * All rights reserved.
    5  *
    6  * Redistribution and use in source and binary forms, with or without
    7  * modification, are permitted provided that the following conditions
    8  * are met:
    9  * 1. Redistributions of source code must retain the above copyright
   10  *    notice, this list of conditions and the following disclaimer.
   11  * 2. Redistributions in binary form must reproduce the above copyright
   12  *    notice, this list of conditions and the following disclaimer in the
   13  *    documentation and/or other materials provided with the distribution.
   14  *
   15  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
   16  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
   17  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
   18  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
   19  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
   20  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
   21  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
   22  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
   23  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
   24  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
   25  */
   26 
   27 #include <sys/cdefs.h>
   28 __FBSDID("$FreeBSD: releng/7.3/sys/net80211/ieee80211_output.c 181802 2008-08-17 23:00:47Z sam $");
   29 
   30 #include "opt_inet.h"
   31 
   32 #include <sys/param.h>
   33 #include <sys/systm.h> 
   34 #include <sys/mbuf.h>   
   35 #include <sys/kernel.h>
   36 #include <sys/endian.h>
   37 
   38 #include <sys/socket.h>
   39  
   40 #include <net/bpf.h>
   41 #include <net/ethernet.h>
   42 #include <net/if.h>
   43 #include <net/if_llc.h>
   44 #include <net/if_media.h>
   45 #include <net/if_vlan_var.h>
   46 
   47 #include <net80211/ieee80211_var.h>
   48 #include <net80211/ieee80211_regdomain.h>
   49 
   50 #ifdef INET
   51 #include <netinet/in.h> 
   52 #include <netinet/if_ether.h>
   53 #include <netinet/in_systm.h>
   54 #include <netinet/ip.h>
   55 #endif
   56 
   57 #define ETHER_HEADER_COPY(dst, src) \
   58         memcpy(dst, src, sizeof(struct ether_header))
   59 
   60 static struct mbuf *ieee80211_encap_fastframe(struct ieee80211com *ic,
   61         struct mbuf *m1, const struct ether_header *eh1,
   62         struct mbuf *m2, const struct ether_header *eh2);
   63 static int ieee80211_fragment(struct ieee80211com *, struct mbuf *,
   64         u_int hdrsize, u_int ciphdrsize, u_int mtu);
   65 static  void ieee80211_tx_mgt_cb(struct ieee80211_node *, void *, int);
   66 
   67 #ifdef IEEE80211_DEBUG
   68 /*
   69  * Decide if an outbound management frame should be
   70  * printed when debugging is enabled.  This filters some
   71  * of the less interesting frames that come frequently
   72  * (e.g. beacons).
   73  */
   74 static __inline int
   75 doprint(struct ieee80211com *ic, int subtype)
   76 {
   77         switch (subtype) {
   78         case IEEE80211_FC0_SUBTYPE_PROBE_RESP:
   79                 return (ic->ic_opmode == IEEE80211_M_IBSS);
   80         }
   81         return 1;
   82 }
   83 #endif
   84 
   85 /*
   86  * Set the direction field and address fields of an outgoing
   87  * non-QoS frame.  Note this should be called early on in
   88  * constructing a frame as it sets i_fc[1]; other bits can
   89  * then be or'd in.
   90  */
   91 static void
   92 ieee80211_send_setup(struct ieee80211com *ic,
   93         struct ieee80211_node *ni,
   94         struct ieee80211_frame *wh,
   95         int type,
   96         const uint8_t sa[IEEE80211_ADDR_LEN],
   97         const uint8_t da[IEEE80211_ADDR_LEN],
   98         const uint8_t bssid[IEEE80211_ADDR_LEN])
   99 {
  100 #define WH4(wh) ((struct ieee80211_frame_addr4 *)wh)
  101 
  102         wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | type;
  103         if ((type & IEEE80211_FC0_TYPE_MASK) == IEEE80211_FC0_TYPE_DATA) {
  104                 switch (ic->ic_opmode) {
  105                 case IEEE80211_M_STA:
  106                         wh->i_fc[1] = IEEE80211_FC1_DIR_TODS;
  107                         IEEE80211_ADDR_COPY(wh->i_addr1, bssid);
  108                         IEEE80211_ADDR_COPY(wh->i_addr2, sa);
  109                         IEEE80211_ADDR_COPY(wh->i_addr3, da);
  110                         break;
  111                 case IEEE80211_M_IBSS:
  112                 case IEEE80211_M_AHDEMO:
  113                         wh->i_fc[1] = IEEE80211_FC1_DIR_NODS;
  114                         IEEE80211_ADDR_COPY(wh->i_addr1, da);
  115                         IEEE80211_ADDR_COPY(wh->i_addr2, sa);
  116                         IEEE80211_ADDR_COPY(wh->i_addr3, bssid);
  117                         break;
  118                 case IEEE80211_M_HOSTAP:
  119                         wh->i_fc[1] = IEEE80211_FC1_DIR_FROMDS;
  120                         IEEE80211_ADDR_COPY(wh->i_addr1, da);
  121                         IEEE80211_ADDR_COPY(wh->i_addr2, bssid);
  122                         IEEE80211_ADDR_COPY(wh->i_addr3, sa);
  123                         break;
  124                 case IEEE80211_M_WDS:
  125                         wh->i_fc[1] = IEEE80211_FC1_DIR_DSTODS;
  126                         /* XXX cheat, bssid holds RA */
  127                         IEEE80211_ADDR_COPY(wh->i_addr1, bssid);
  128                         IEEE80211_ADDR_COPY(wh->i_addr2, ic->ic_myaddr);
  129                         IEEE80211_ADDR_COPY(wh->i_addr3, da);
  130                         IEEE80211_ADDR_COPY(WH4(wh)->i_addr4, sa);
  131                         break;
  132                 case IEEE80211_M_MONITOR:       /* NB: to quiet compiler */
  133                         break;
  134                 }
  135         } else {
  136                 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS;
  137                 IEEE80211_ADDR_COPY(wh->i_addr1, da);
  138                 IEEE80211_ADDR_COPY(wh->i_addr2, sa);
  139                 IEEE80211_ADDR_COPY(wh->i_addr3, bssid);
  140         }
  141         *(uint16_t *)&wh->i_dur[0] = 0;
  142         /* NB: use non-QoS tid */
  143         *(uint16_t *)&wh->i_seq[0] =
  144             htole16(ni->ni_txseqs[IEEE80211_NONQOS_TID] << IEEE80211_SEQ_SEQ_SHIFT);
  145         ni->ni_txseqs[IEEE80211_NONQOS_TID]++;
  146 #undef WH4
  147 }
  148 
  149 /*
  150  * Send a management frame to the specified node.  The node pointer
  151  * must have a reference as the pointer will be passed to the driver
  152  * and potentially held for a long time.  If the frame is successfully
  153  * dispatched to the driver, then it is responsible for freeing the
  154  * reference (and potentially free'ing up any associated storage).
  155  */
  156 int
  157 ieee80211_mgmt_output(struct ieee80211com *ic, struct ieee80211_node *ni,
  158     struct mbuf *m, int type)
  159 {
  160         struct ifnet *ifp = ic->ic_ifp;
  161         struct ieee80211_frame *wh;
  162 
  163         KASSERT(ni != NULL, ("null node"));
  164 
  165         /*
  166          * Yech, hack alert!  We want to pass the node down to the
  167          * driver's start routine.  If we don't do so then the start
  168          * routine must immediately look it up again and that can
  169          * cause a lock order reversal if, for example, this frame
  170          * is being sent because the station is being timedout and
  171          * the frame being sent is a DEAUTH message.  We could stick
  172          * this in an m_tag and tack that on to the mbuf.  However
  173          * that's rather expensive to do for every frame so instead
  174          * we stuff it in the rcvif field since outbound frames do
  175          * not (presently) use this.
  176          */
  177         M_PREPEND(m, sizeof(struct ieee80211_frame), M_DONTWAIT);
  178         if (m == NULL)
  179                 return ENOMEM;
  180         KASSERT(m->m_pkthdr.rcvif == NULL, ("rcvif not null"));
  181         m->m_pkthdr.rcvif = (void *)ni;
  182 
  183         wh = mtod(m, struct ieee80211_frame *);
  184         ieee80211_send_setup(ic, ni, wh, 
  185                 IEEE80211_FC0_TYPE_MGT | type,
  186                 ic->ic_myaddr, ni->ni_macaddr, ni->ni_bssid);
  187         if ((m->m_flags & M_LINK0) != 0 && ni->ni_challenge != NULL) {
  188                 m->m_flags &= ~M_LINK0;
  189                 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH,
  190                         "[%s] encrypting frame (%s)\n",
  191                         ether_sprintf(wh->i_addr1), __func__);
  192                 wh->i_fc[1] |= IEEE80211_FC1_WEP;
  193         }
  194         if (ni->ni_flags & IEEE80211_NODE_QOS) {
  195                 /* NB: force all management frames to the highest queue */
  196                 M_WME_SETAC(m, WME_AC_VO);
  197         } else
  198                 M_WME_SETAC(m, WME_AC_BE);
  199 #ifdef IEEE80211_DEBUG
  200         /* avoid printing too many frames */
  201         if ((ieee80211_msg_debug(ic) && doprint(ic, type)) ||
  202             ieee80211_msg_dumppkts(ic)) {
  203                 printf("[%s] send %s on channel %u\n",
  204                     ether_sprintf(wh->i_addr1),
  205                     ieee80211_mgt_subtype_name[
  206                         (type & IEEE80211_FC0_SUBTYPE_MASK) >>
  207                                 IEEE80211_FC0_SUBTYPE_SHIFT],
  208                     ieee80211_chan2ieee(ic, ic->ic_curchan));
  209         }
  210 #endif
  211         IEEE80211_NODE_STAT(ni, tx_mgmt);
  212         IF_ENQUEUE(&ic->ic_mgtq, m);
  213         if_start(ifp);
  214         ifp->if_opackets++;
  215 
  216         return 0;
  217 }
  218 
  219 /*
  220  * Raw packet transmit stub for legacy drivers.
  221  * Send the packet through the mgt q so we bypass
  222  * the normal encapsulation work.
  223  */
  224 int
  225 ieee80211_raw_xmit(struct ieee80211_node *ni, struct mbuf *m,
  226         const struct ieee80211_bpf_params *params)
  227 {
  228         struct ieee80211com *ic = ni->ni_ic;
  229         struct ifnet *ifp = ic->ic_ifp;
  230 
  231         m->m_pkthdr.rcvif = (void *) ni;
  232         IF_ENQUEUE(&ic->ic_mgtq, m);
  233         if_start(ifp);
  234         ifp->if_opackets++;
  235 
  236         return 0;
  237 }
  238 
  239 /*
  240  * 802.11 output routine. This is (currently) used only to
  241  * connect bpf write calls to the 802.11 layer for injecting
  242  * raw 802.11 frames.  Note we locate the ieee80211com from
  243  * the ifnet using a spare field setup at attach time.  This
  244  * will go away when the virtual ap support comes in.
  245  */
  246 int
  247 ieee80211_output(struct ifnet *ifp, struct mbuf *m,
  248         struct sockaddr *dst, struct rtentry *rt0)
  249 {
  250 #define senderr(e) do { error = (e); goto bad;} while (0)
  251         struct ieee80211com *ic = ifp->if_llsoftc;      /* XXX */
  252         struct ieee80211_node *ni = NULL;
  253         struct ieee80211_frame *wh;
  254         int error;
  255 
  256         /*
  257          * Hand to the 802.3 code if not tagged as
  258          * a raw 802.11 frame.
  259          */
  260         if (dst->sa_family != AF_IEEE80211)
  261                 return ether_output(ifp, m, dst, rt0);
  262 #ifdef MAC
  263         error = mac_check_ifnet_transmit(ifp, m);
  264         if (error)
  265                 senderr(error);
  266 #endif
  267         if (ifp->if_flags & IFF_MONITOR)
  268                 senderr(ENETDOWN);
  269         if ((ifp->if_flags & IFF_UP) == 0)
  270                 senderr(ENETDOWN);
  271 
  272         /* XXX bypass bridge, pfil, carp, etc. */
  273 
  274         if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_ack))
  275                 senderr(EIO);   /* XXX */
  276         wh = mtod(m, struct ieee80211_frame *);
  277         if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) !=
  278             IEEE80211_FC0_VERSION_0)
  279                 senderr(EIO);   /* XXX */
  280 
  281         /* locate destination node */
  282         switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) {
  283         case IEEE80211_FC1_DIR_NODS:
  284         case IEEE80211_FC1_DIR_FROMDS:
  285                 ni = ieee80211_find_txnode(ic, wh->i_addr1);
  286                 break;
  287         case IEEE80211_FC1_DIR_TODS:
  288         case IEEE80211_FC1_DIR_DSTODS:
  289                 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame))
  290                         senderr(EIO);   /* XXX */
  291                 ni = ieee80211_find_txnode(ic, wh->i_addr3);
  292                 break;
  293         default:
  294                 senderr(EIO);   /* XXX */
  295         }
  296         if (ni == NULL) {
  297                 /*
  298                  * Permit packets w/ bpf params through regardless
  299                  * (see below about sa_len).
  300                  */
  301                 if (dst->sa_len == 0)
  302                         senderr(EHOSTUNREACH);
  303                 ni = ieee80211_ref_node(ic->ic_bss);
  304         }
  305 
  306         /* XXX ctrl frames should go through */
  307         if ((ni->ni_flags & IEEE80211_NODE_PWR_MGT) &&
  308             (m->m_flags & M_PWR_SAV) == 0) {
  309                 /*
  310                  * Station in power save mode; pass the frame
  311                  * to the 802.11 layer and continue.  We'll get
  312                  * the frame back when the time is right.
  313                  */
  314                 ieee80211_pwrsave(ni, m);
  315                 error = 0;
  316                 goto reclaim;
  317         }
  318 
  319         /* calculate priority so drivers can find the tx queue */
  320         /* XXX assumes an 802.3 frame */
  321         if (ieee80211_classify(ic, m, ni))
  322                 senderr(EIO);           /* XXX */
  323 
  324         BPF_MTAP(ifp, m);
  325         /*
  326          * NB: DLT_IEEE802_11_RADIO identifies the parameters are
  327          * present by setting the sa_len field of the sockaddr (yes,
  328          * this is a hack).
  329          * NB: we assume sa_data is suitably aligned to cast.
  330          */
  331         return ic->ic_raw_xmit(ni, m, (const struct ieee80211_bpf_params *)
  332                 (dst->sa_len ? dst->sa_data : NULL));
  333 bad:
  334         if (m != NULL)
  335                 m_freem(m);
  336 reclaim:
  337         if (ni != NULL)
  338                 ieee80211_free_node(ni);
  339         return error;
  340 #undef senderr
  341 }
  342 
  343 /*
  344  * Send a null data frame to the specified node.
  345  *
  346  * NB: the caller is assumed to have setup a node reference
  347  *     for use; this is necessary to deal with a race condition
  348  *     when probing for inactive stations.
  349  */
  350 int
  351 ieee80211_send_nulldata(struct ieee80211_node *ni)
  352 {
  353         struct ieee80211com *ic = ni->ni_ic;
  354         struct ifnet *ifp = ic->ic_ifp;
  355         struct mbuf *m;
  356         struct ieee80211_frame *wh;
  357 
  358         MGETHDR(m, M_NOWAIT, MT_DATA);
  359         if (m == NULL) {
  360                 /* XXX debug msg */
  361                 ieee80211_unref_node(&ni);
  362                 ic->ic_stats.is_tx_nobuf++;
  363                 return ENOMEM;
  364         }
  365         MH_ALIGN(m, sizeof(struct ieee80211_frame));
  366         m->m_pkthdr.rcvif = (void *) ni;
  367 
  368         wh = mtod(m, struct ieee80211_frame *);
  369         ieee80211_send_setup(ic, ni, wh,
  370                 IEEE80211_FC0_TYPE_DATA | IEEE80211_FC0_SUBTYPE_NODATA,
  371                 ic->ic_myaddr, ni->ni_macaddr, ni->ni_bssid);
  372         /* NB: power management bit is never sent by an AP */
  373         if ((ni->ni_flags & IEEE80211_NODE_PWR_MGT) &&
  374             ic->ic_opmode != IEEE80211_M_HOSTAP &&
  375             ic->ic_opmode != IEEE80211_M_WDS)
  376                 wh->i_fc[1] |= IEEE80211_FC1_PWR_MGT;
  377         m->m_len = m->m_pkthdr.len = sizeof(struct ieee80211_frame);
  378         M_WME_SETAC(m, WME_AC_BE);
  379 
  380         IEEE80211_NODE_STAT(ni, tx_data);
  381 
  382         IEEE80211_DPRINTF(ic, IEEE80211_MSG_DEBUG | IEEE80211_MSG_DUMPPKTS,
  383             "[%s] send null data frame on channel %u, pwr mgt %s\n",
  384             ether_sprintf(ni->ni_macaddr),
  385             ieee80211_chan2ieee(ic, ic->ic_curchan),
  386             wh->i_fc[1] & IEEE80211_FC1_PWR_MGT ? "ena" : "dis");
  387 
  388         IF_ENQUEUE(&ic->ic_mgtq, m);            /* cheat */
  389         if_start(ifp);
  390 
  391         return 0;
  392 }
  393 
  394 /* 
  395  * Assign priority to a frame based on any vlan tag assigned
  396  * to the station and/or any Diffserv setting in an IP header.
  397  * Finally, if an ACM policy is setup (in station mode) it's
  398  * applied.
  399  */
  400 int
  401 ieee80211_classify(struct ieee80211com *ic, struct mbuf *m, struct ieee80211_node *ni)
  402 {
  403         int v_wme_ac, d_wme_ac, ac;
  404 #ifdef INET
  405         struct ether_header *eh;
  406 #endif
  407 
  408         if ((ni->ni_flags & IEEE80211_NODE_QOS) == 0) {
  409                 ac = WME_AC_BE;
  410                 goto done;
  411         }
  412 
  413         /* 
  414          * If node has a vlan tag then all traffic
  415          * to it must have a matching tag.
  416          */
  417         v_wme_ac = 0;
  418         if (ni->ni_vlan != 0) {
  419                  if ((m->m_flags & M_VLANTAG) == 0) {
  420                         IEEE80211_NODE_STAT(ni, tx_novlantag);
  421                         return 1;
  422                 }
  423                 if (EVL_VLANOFTAG(m->m_pkthdr.ether_vtag) !=
  424                     EVL_VLANOFTAG(ni->ni_vlan)) {
  425                         IEEE80211_NODE_STAT(ni, tx_vlanmismatch);
  426                         return 1;
  427                 }
  428                 /* map vlan priority to AC */
  429                 v_wme_ac = TID_TO_WME_AC(EVL_PRIOFTAG(ni->ni_vlan));
  430         }
  431 
  432 #ifdef INET
  433         eh = mtod(m, struct ether_header *);
  434         if (eh->ether_type == htons(ETHERTYPE_IP)) {
  435                 uint8_t tos;
  436                 /*
  437                  * IP frame, map the DSCP bits from the TOS field.
  438                  */
  439                 /* XXX m_copydata may be too slow for fast path */
  440                 /* NB: ip header may not be in first mbuf */
  441                 m_copydata(m, sizeof(struct ether_header) +
  442                     offsetof(struct ip, ip_tos), sizeof(tos), &tos);
  443                 tos >>= 5;              /* NB: ECN + low 3 bits of DSCP */
  444                 d_wme_ac = TID_TO_WME_AC(tos);
  445         } else {
  446 #endif /* INET */
  447                 d_wme_ac = WME_AC_BE;
  448 #ifdef INET
  449         }
  450 #endif
  451         /*
  452          * Use highest priority AC.
  453          */
  454         if (v_wme_ac > d_wme_ac)
  455                 ac = v_wme_ac;
  456         else
  457                 ac = d_wme_ac;
  458 
  459         /*
  460          * Apply ACM policy.
  461          */
  462         if (ic->ic_opmode == IEEE80211_M_STA) {
  463                 static const int acmap[4] = {
  464                         WME_AC_BK,      /* WME_AC_BE */
  465                         WME_AC_BK,      /* WME_AC_BK */
  466                         WME_AC_BE,      /* WME_AC_VI */
  467                         WME_AC_VI,      /* WME_AC_VO */
  468                 };
  469                 while (ac != WME_AC_BK &&
  470                     ic->ic_wme.wme_wmeBssChanParams.cap_wmeParams[ac].wmep_acm)
  471                         ac = acmap[ac];
  472         }
  473 done:
  474         M_WME_SETAC(m, ac);
  475         return 0;
  476 }
  477 
  478 /*
  479  * Insure there is sufficient contiguous space to encapsulate the
  480  * 802.11 data frame.  If room isn't already there, arrange for it.
  481  * Drivers and cipher modules assume we have done the necessary work
  482  * and fail rudely if they don't find the space they need.
  483  */
  484 static struct mbuf *
  485 ieee80211_mbuf_adjust(struct ieee80211com *ic, int hdrsize,
  486         struct ieee80211_key *key, struct mbuf *m)
  487 {
  488 #define TO_BE_RECLAIMED (sizeof(struct ether_header) - sizeof(struct llc))
  489         int needed_space = ic->ic_headroom + hdrsize;
  490 
  491         if (key != NULL) {
  492                 /* XXX belongs in crypto code? */
  493                 needed_space += key->wk_cipher->ic_header;
  494                 /* XXX frags */
  495                 /*
  496                  * When crypto is being done in the host we must insure
  497                  * the data are writable for the cipher routines; clone
  498                  * a writable mbuf chain.
  499                  * XXX handle SWMIC specially
  500                  */
  501                 if (key->wk_flags & (IEEE80211_KEY_SWCRYPT|IEEE80211_KEY_SWMIC)) {
  502                         m = m_unshare(m, M_NOWAIT);
  503                         if (m == NULL) {
  504                                 IEEE80211_DPRINTF(ic, IEEE80211_MSG_OUTPUT,
  505                                     "%s: cannot get writable mbuf\n", __func__);
  506                                 ic->ic_stats.is_tx_nobuf++; /* XXX new stat */
  507                                 return NULL;
  508                         }
  509                 }
  510         }
  511         /*
  512          * We know we are called just before stripping an Ethernet
  513          * header and prepending an LLC header.  This means we know
  514          * there will be
  515          *      sizeof(struct ether_header) - sizeof(struct llc)
  516          * bytes recovered to which we need additional space for the
  517          * 802.11 header and any crypto header.
  518          */
  519         /* XXX check trailing space and copy instead? */
  520         if (M_LEADINGSPACE(m) < needed_space - TO_BE_RECLAIMED) {
  521                 struct mbuf *n = m_gethdr(M_NOWAIT, m->m_type);
  522                 if (n == NULL) {
  523                         IEEE80211_DPRINTF(ic, IEEE80211_MSG_OUTPUT,
  524                             "%s: cannot expand storage\n", __func__);
  525                         ic->ic_stats.is_tx_nobuf++;
  526                         m_freem(m);
  527                         return NULL;
  528                 }
  529                 KASSERT(needed_space <= MHLEN,
  530                     ("not enough room, need %u got %zu\n", needed_space, MHLEN));
  531                 /*
  532                  * Setup new mbuf to have leading space to prepend the
  533                  * 802.11 header and any crypto header bits that are
  534                  * required (the latter are added when the driver calls
  535                  * back to ieee80211_crypto_encap to do crypto encapsulation).
  536                  */
  537                 /* NB: must be first 'cuz it clobbers m_data */
  538                 m_move_pkthdr(n, m);
  539                 n->m_len = 0;                   /* NB: m_gethdr does not set */
  540                 n->m_data += needed_space;
  541                 /*
  542                  * Pull up Ethernet header to create the expected layout.
  543                  * We could use m_pullup but that's overkill (i.e. we don't
  544                  * need the actual data) and it cannot fail so do it inline
  545                  * for speed.
  546                  */
  547                 /* NB: struct ether_header is known to be contiguous */
  548                 n->m_len += sizeof(struct ether_header);
  549                 m->m_len -= sizeof(struct ether_header);
  550                 m->m_data += sizeof(struct ether_header);
  551                 /*
  552                  * Replace the head of the chain.
  553                  */
  554                 n->m_next = m;
  555                 m = n;
  556         }
  557         return m;
  558 #undef TO_BE_RECLAIMED
  559 }
  560 
  561 /*
  562  * Return the transmit key to use in sending a unicast frame.
  563  * If a unicast key is set we use that.  When no unicast key is set
  564  * we fall back to the default transmit key.
  565  */ 
  566 static __inline struct ieee80211_key *
  567 ieee80211_crypto_getucastkey(struct ieee80211com *ic, struct ieee80211_node *ni)
  568 {
  569         if (IEEE80211_KEY_UNDEFINED(&ni->ni_ucastkey)) {
  570                 if (ic->ic_def_txkey == IEEE80211_KEYIX_NONE ||
  571                     IEEE80211_KEY_UNDEFINED(&ic->ic_nw_keys[ic->ic_def_txkey]))
  572                         return NULL;
  573                 return &ic->ic_nw_keys[ic->ic_def_txkey];
  574         } else {
  575                 return &ni->ni_ucastkey;
  576         }
  577 }
  578 
  579 /*
  580  * Return the transmit key to use in sending a multicast frame.
  581  * Multicast traffic always uses the group key which is installed as
  582  * the default tx key.
  583  */ 
  584 static __inline struct ieee80211_key *
  585 ieee80211_crypto_getmcastkey(struct ieee80211com *ic, struct ieee80211_node *ni)
  586 {
  587         if (ic->ic_def_txkey == IEEE80211_KEYIX_NONE ||
  588             IEEE80211_KEY_UNDEFINED(&ic->ic_nw_keys[ic->ic_def_txkey]))
  589                 return NULL;
  590         return &ic->ic_nw_keys[ic->ic_def_txkey];
  591 }
  592 
  593 /*
  594  * Encapsulate an outbound data frame.  The mbuf chain is updated.
  595  * If an error is encountered NULL is returned.  The caller is required
  596  * to provide a node reference and pullup the ethernet header in the
  597  * first mbuf.
  598  */
  599 struct mbuf *
  600 ieee80211_encap(struct ieee80211com *ic, struct mbuf *m,
  601         struct ieee80211_node *ni)
  602 {
  603         struct ether_header eh;
  604         struct ieee80211_frame *wh;
  605         struct ieee80211_key *key;
  606         struct llc *llc;
  607         int hdrsize, datalen, addqos, txfrag, isff;
  608 
  609         /*
  610          * Copy existing Ethernet header to a safe place.  The
  611          * rest of the code assumes it's ok to strip it when
  612          * reorganizing state for the final encapsulation.
  613          */
  614         KASSERT(m->m_len >= sizeof(eh), ("no ethernet header!"));
  615         memcpy(&eh, mtod(m, caddr_t), sizeof(struct ether_header));
  616 
  617         /*
  618          * Insure space for additional headers.  First identify
  619          * transmit key to use in calculating any buffer adjustments
  620          * required.  This is also used below to do privacy
  621          * encapsulation work.  Then calculate the 802.11 header
  622          * size and any padding required by the driver.
  623          *
  624          * Note key may be NULL if we fall back to the default
  625          * transmit key and that is not set.  In that case the
  626          * buffer may not be expanded as needed by the cipher
  627          * routines, but they will/should discard it.
  628          */
  629         if (ic->ic_flags & IEEE80211_F_PRIVACY) {
  630                 if (ic->ic_opmode == IEEE80211_M_STA ||
  631                     !IEEE80211_IS_MULTICAST(eh.ether_dhost))
  632                         key = ieee80211_crypto_getucastkey(ic, ni);
  633                 else
  634                         key = ieee80211_crypto_getmcastkey(ic, ni);
  635                 if (key == NULL && eh.ether_type != htons(ETHERTYPE_PAE)) {
  636                         IEEE80211_DPRINTF(ic, IEEE80211_MSG_CRYPTO,
  637                             "[%s] no default transmit key (%s) deftxkey %u\n",
  638                             ether_sprintf(eh.ether_dhost), __func__,
  639                             ic->ic_def_txkey);
  640                         ic->ic_stats.is_tx_nodefkey++;
  641                         goto bad;
  642                 }
  643         } else
  644                 key = NULL;
  645         /* XXX 4-address format */
  646         /*
  647          * XXX Some ap's don't handle QoS-encapsulated EAPOL
  648          * frames so suppress use.  This may be an issue if other
  649          * ap's require all data frames to be QoS-encapsulated
  650          * once negotiated in which case we'll need to make this
  651          * configurable.
  652          */
  653         addqos = (ni->ni_flags & (IEEE80211_NODE_QOS|IEEE80211_NODE_HT)) &&
  654                  eh.ether_type != htons(ETHERTYPE_PAE);
  655         if (addqos)
  656                 hdrsize = sizeof(struct ieee80211_qosframe);
  657         else
  658                 hdrsize = sizeof(struct ieee80211_frame);
  659         if (ic->ic_flags & IEEE80211_F_DATAPAD)
  660                 hdrsize = roundup(hdrsize, sizeof(uint32_t));
  661 
  662         if ((isff = m->m_flags & M_FF) != 0) {
  663                 struct mbuf *m2;
  664                 struct ether_header eh2;
  665 
  666                 /*
  667                  * Fast frame encapsulation.  There must be two packets
  668                  * chained with m_nextpkt.  We do header adjustment for
  669                  * each, add the tunnel encapsulation, and then concatenate
  670                  * the mbuf chains to form a single frame for transmission.
  671                  */
  672                 m2 = m->m_nextpkt;
  673                 if (m2 == NULL) {
  674                         IEEE80211_DPRINTF(ic, IEEE80211_MSG_SUPERG,
  675                                 "%s: only one frame\n", __func__);
  676                         goto bad;
  677                 }
  678                 m->m_nextpkt = NULL;
  679                 /*
  680                  * Include fast frame headers in adjusting header
  681                  * layout; this allocates space according to what
  682                  * ieee80211_encap_fastframe will do.
  683                  */
  684                 m = ieee80211_mbuf_adjust(ic,
  685                         hdrsize + sizeof(struct llc) + sizeof(uint32_t) + 2 +
  686                             sizeof(struct ether_header),
  687                         key, m);
  688                 if (m == NULL) {
  689                         /* NB: ieee80211_mbuf_adjust handles msgs+statistics */
  690                         m_freem(m2);
  691                         goto bad;
  692                 }
  693                 /*
  694                  * Copy second frame's Ethernet header out of line
  695                  * and adjust for encapsulation headers.  Note that
  696                  * we make room for padding in case there isn't room
  697                  * at the end of first frame.
  698                  */
  699                 KASSERT(m2->m_len >= sizeof(eh2), ("no ethernet header!"));
  700                 memcpy(&eh2, mtod(m2, caddr_t), sizeof(struct ether_header));
  701                 m2 = ieee80211_mbuf_adjust(ic,
  702                         ATH_FF_MAX_HDR_PAD + sizeof(struct ether_header),
  703                         NULL, m2);
  704                 if (m2 == NULL) {
  705                         /* NB: ieee80211_mbuf_adjust handles msgs+statistics */
  706                         goto bad;
  707                 }
  708                 m = ieee80211_encap_fastframe(ic, m, &eh, m2, &eh2);
  709                 if (m == NULL)
  710                         goto bad;
  711         } else {
  712                 /*
  713                  * Normal frame.
  714                  */
  715                 m = ieee80211_mbuf_adjust(ic, hdrsize, key, m);
  716                 if (m == NULL) {
  717                         /* NB: ieee80211_mbuf_adjust handles msgs+statistics */
  718                         goto bad;
  719                 }
  720                 /* NB: this could be optimized 'cuz of ieee80211_mbuf_adjust */
  721                 m_adj(m, sizeof(struct ether_header) - sizeof(struct llc));
  722                 llc = mtod(m, struct llc *);
  723                 llc->llc_dsap = llc->llc_ssap = LLC_SNAP_LSAP;
  724                 llc->llc_control = LLC_UI;
  725                 llc->llc_snap.org_code[0] = 0;
  726                 llc->llc_snap.org_code[1] = 0;
  727                 llc->llc_snap.org_code[2] = 0;
  728                 llc->llc_snap.ether_type = eh.ether_type;
  729         }
  730         datalen = m->m_pkthdr.len;              /* NB: w/o 802.11 header */
  731 
  732         M_PREPEND(m, hdrsize, M_DONTWAIT);
  733         if (m == NULL) {
  734                 ic->ic_stats.is_tx_nobuf++;
  735                 goto bad;
  736         }
  737         wh = mtod(m, struct ieee80211_frame *);
  738         wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_DATA;
  739         *(uint16_t *)wh->i_dur = 0;
  740         switch (ic->ic_opmode) {
  741         case IEEE80211_M_STA:
  742                 wh->i_fc[1] = IEEE80211_FC1_DIR_TODS;
  743                 IEEE80211_ADDR_COPY(wh->i_addr1, ni->ni_bssid);
  744                 IEEE80211_ADDR_COPY(wh->i_addr2, eh.ether_shost);
  745                 IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_dhost);
  746                 break;
  747         case IEEE80211_M_IBSS:
  748         case IEEE80211_M_AHDEMO:
  749                 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS;
  750                 IEEE80211_ADDR_COPY(wh->i_addr1, eh.ether_dhost);
  751                 IEEE80211_ADDR_COPY(wh->i_addr2, eh.ether_shost);
  752                 /*
  753                  * NB: always use the bssid from ic_bss as the
  754                  *     neighbor's may be stale after an ibss merge
  755                  */
  756                 IEEE80211_ADDR_COPY(wh->i_addr3, ic->ic_bss->ni_bssid);
  757                 break;
  758         case IEEE80211_M_HOSTAP:
  759                 wh->i_fc[1] = IEEE80211_FC1_DIR_FROMDS;
  760                 IEEE80211_ADDR_COPY(wh->i_addr1, eh.ether_dhost);
  761                 IEEE80211_ADDR_COPY(wh->i_addr2, ni->ni_bssid);
  762                 IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_shost);
  763                 break;
  764         case IEEE80211_M_MONITOR:
  765         case IEEE80211_M_WDS:
  766                 goto bad;
  767         }
  768         if (m->m_flags & M_MORE_DATA)
  769                 wh->i_fc[1] |= IEEE80211_FC1_MORE_DATA;
  770         if (addqos) {
  771                 struct ieee80211_qosframe *qwh =
  772                         (struct ieee80211_qosframe *) wh;
  773                 int ac, tid;
  774 
  775                 ac = M_WME_GETAC(m);
  776                 /* map from access class/queue to 11e header priorty value */
  777                 tid = WME_AC_TO_TID(ac);
  778                 qwh->i_qos[0] = tid & IEEE80211_QOS_TID;
  779                 /*
  780                  * Check if A-MPDU tx aggregation is setup or if we
  781                  * should try to enable it.  The sta must be associated
  782                  * with HT and A-MPDU enabled for use.  On the first
  783                  * frame that goes out We issue an ADDBA request and
  784                  * wait for a reply.  The frame being encapsulated
  785                  * will go out w/o using A-MPDU, or possibly it might
  786                  * be collected by the driver and held/retransmit.
  787                  * ieee80211_ampdu_request handles staggering requests
  788                  * in case the receiver NAK's us or we are otherwise
  789                  * unable to establish a BA stream.
  790                  */
  791                 if ((ni->ni_flags & IEEE80211_NODE_AMPDU_TX) &&
  792                     (ic->ic_flags_ext & IEEE80211_FEXT_AMPDU_TX)) {
  793                         struct ieee80211_tx_ampdu *tap = &ni->ni_tx_ampdu[ac];
  794 
  795                         if (IEEE80211_AMPDU_RUNNING(tap)) {
  796                                 /*
  797                                  * Operational, mark frame for aggregation.
  798                                  */
  799                                 qwh->i_qos[0] |= IEEE80211_QOS_ACKPOLICY_BA;
  800                         } else if (!IEEE80211_AMPDU_REQUESTED(tap)) {
  801                                 /*
  802                                  * Not negotiated yet, request service.
  803                                  */
  804                                 ieee80211_ampdu_request(ni, tap);
  805                         }
  806                 }
  807                 /* XXX works even when BA marked above */
  808                 if (ic->ic_wme.wme_wmeChanParams.cap_wmeParams[ac].wmep_noackPolicy)
  809                         qwh->i_qos[0] |= IEEE80211_QOS_ACKPOLICY_NOACK;
  810                 qwh->i_qos[1] = 0;
  811                 qwh->i_fc[0] |= IEEE80211_FC0_SUBTYPE_QOS;
  812 
  813                 *(uint16_t *)wh->i_seq =
  814                     htole16(ni->ni_txseqs[tid] << IEEE80211_SEQ_SEQ_SHIFT);
  815                 ni->ni_txseqs[tid]++;
  816         } else {
  817                 *(uint16_t *)wh->i_seq =
  818                     htole16(ni->ni_txseqs[IEEE80211_NONQOS_TID] << IEEE80211_SEQ_SEQ_SHIFT);
  819                 ni->ni_txseqs[IEEE80211_NONQOS_TID]++;
  820         }
  821         /* check if xmit fragmentation is required */
  822         txfrag = (m->m_pkthdr.len > ic->ic_fragthreshold &&
  823             !IEEE80211_IS_MULTICAST(wh->i_addr1) &&
  824             (ic->ic_caps & IEEE80211_C_TXFRAG) &&
  825             !isff);             /* NB: don't fragment ff's */
  826         if (key != NULL) {
  827                 /*
  828                  * IEEE 802.1X: send EAPOL frames always in the clear.
  829                  * WPA/WPA2: encrypt EAPOL keys when pairwise keys are set.
  830                  */
  831                 if (eh.ether_type != htons(ETHERTYPE_PAE) ||
  832                     ((ic->ic_flags & IEEE80211_F_WPA) &&
  833                      (ic->ic_opmode == IEEE80211_M_STA ?
  834                       !IEEE80211_KEY_UNDEFINED(key) :
  835                       !IEEE80211_KEY_UNDEFINED(&ni->ni_ucastkey)))) {
  836                         wh->i_fc[1] |= IEEE80211_FC1_WEP;
  837                         if (!ieee80211_crypto_enmic(ic, key, m, txfrag)) {
  838                                 IEEE80211_DPRINTF(ic, IEEE80211_MSG_OUTPUT,
  839                                     "[%s] enmic failed, discard frame\n",
  840                                     ether_sprintf(eh.ether_dhost));
  841                                 ic->ic_stats.is_crypto_enmicfail++;
  842                                 goto bad;
  843                         }
  844                 }
  845         }
  846         /*
  847          * NB: frag flags may leak from above; they should only
  848          *     be set on return to the caller if we fragment at
  849          *     the 802.11 layer.
  850          */
  851         m->m_flags &= ~(M_FRAG | M_FIRSTFRAG);
  852         if (txfrag && !ieee80211_fragment(ic, m, hdrsize,
  853             key != NULL ? key->wk_cipher->ic_header : 0, ic->ic_fragthreshold))
  854                 goto bad;
  855 
  856         IEEE80211_NODE_STAT(ni, tx_data);
  857         if (IEEE80211_IS_MULTICAST(wh->i_addr1))
  858                 IEEE80211_NODE_STAT(ni, tx_mcast);
  859         else
  860                 IEEE80211_NODE_STAT(ni, tx_ucast);
  861         IEEE80211_NODE_STAT_ADD(ni, tx_bytes, datalen);
  862 
  863         return m;
  864 bad:
  865         if (m != NULL)
  866                 m_freem(m);
  867         return NULL;
  868 }
  869 
  870 /*
  871  * Do Ethernet-LLC encapsulation for each payload in a fast frame
  872  * tunnel encapsulation.  The frame is assumed to have an Ethernet
  873  * header at the front that must be stripped before prepending the
  874  * LLC followed by the Ethernet header passed in (with an Ethernet
  875  * type that specifies the payload size).
  876  */
  877 static struct mbuf *
  878 ieee80211_encap1(struct ieee80211com *ic, struct mbuf *m,
  879         const struct ether_header *eh)
  880 {
  881         struct llc *llc;
  882         uint16_t payload;
  883 
  884         /* XXX optimize by combining m_adj+M_PREPEND */
  885         m_adj(m, sizeof(struct ether_header) - sizeof(struct llc));
  886         llc = mtod(m, struct llc *);
  887         llc->llc_dsap = llc->llc_ssap = LLC_SNAP_LSAP;
  888         llc->llc_control = LLC_UI;
  889         llc->llc_snap.org_code[0] = 0;
  890         llc->llc_snap.org_code[1] = 0;
  891         llc->llc_snap.org_code[2] = 0;
  892         llc->llc_snap.ether_type = eh->ether_type;
  893         payload = m->m_pkthdr.len;              /* NB: w/o Ethernet header */
  894 
  895         M_PREPEND(m, sizeof(struct ether_header), M_DONTWAIT);
  896         if (m == NULL) {                /* XXX cannot happen */
  897                 IEEE80211_DPRINTF(ic, IEEE80211_MSG_SUPERG,
  898                         "%s: no space for ether_header\n", __func__);
  899                 ic->ic_stats.is_tx_nobuf++;
  900                 return NULL;
  901         }
  902         ETHER_HEADER_COPY(mtod(m, void *), eh);
  903         mtod(m, struct ether_header *)->ether_type = htons(payload);
  904         return m;
  905 }
  906 
  907 /*
  908  * Do fast frame tunnel encapsulation.  The two frames and
  909  * Ethernet headers are supplied.  The caller is assumed to
  910  * have arrange for space in the mbuf chains for encapsulating
  911  * headers (to avoid major mbuf fragmentation).
  912  *
  913  * The encapsulated frame is returned or NULL if there is a
  914  * problem (should not happen).
  915  */
  916 static struct mbuf *
  917 ieee80211_encap_fastframe(struct ieee80211com *ic,
  918         struct mbuf *m1, const struct ether_header *eh1,
  919         struct mbuf *m2, const struct ether_header *eh2)
  920 {
  921         struct llc *llc;
  922         struct mbuf *m;
  923         int pad;
  924 
  925         /*
  926          * First, each frame gets a standard encapsulation.
  927          */
  928         m1 = ieee80211_encap1(ic, m1, eh1);
  929         if (m1 == NULL) {
  930                 m_freem(m2);
  931                 return NULL;
  932         }
  933         m2 = ieee80211_encap1(ic, m2, eh2);
  934         if (m2 == NULL) {
  935                 m_freem(m1);
  936                 return NULL;
  937         }
  938 
  939         /*
  940          * Pad leading frame to a 4-byte boundary.  If there
  941          * is space at the end of the first frame, put it
  942          * there; otherwise prepend to the front of the second
  943          * frame.  We know doing the second will always work
  944          * because we reserve space above.  We prefer appending
  945          * as this typically has better DMA alignment properties.
  946          */
  947         for (m = m1; m->m_next != NULL; m = m->m_next)
  948                 ;
  949         pad = roundup2(m1->m_pkthdr.len, 4) - m1->m_pkthdr.len;
  950         if (pad) {
  951                 if (M_TRAILINGSPACE(m) < pad) {         /* prepend to second */
  952                         m2->m_data -= pad;
  953                         m2->m_len += pad;
  954                         m2->m_pkthdr.len += pad;
  955                 } else {                                /* append to first */
  956                         m->m_len += pad;
  957                         m1->m_pkthdr.len += pad;
  958                 }
  959         }
  960 
  961         /*
  962          * Now, stick 'em together and prepend the tunnel headers;
  963          * first the Atheros tunnel header (all zero for now) and
  964          * then a special fast frame LLC.
  965          *
  966          * XXX optimize by prepending together
  967          */
  968         m->m_next = m2;                 /* NB: last mbuf from above */
  969         m1->m_pkthdr.len += m2->m_pkthdr.len;
  970         M_PREPEND(m1, sizeof(uint32_t)+2, M_DONTWAIT);
  971         if (m1 == NULL) {               /* XXX cannot happen */
  972                 IEEE80211_DPRINTF(ic, IEEE80211_MSG_SUPERG,
  973                         "%s: no space for tunnel header\n", __func__);
  974                 ic->ic_stats.is_tx_nobuf++;
  975                 return NULL;
  976         }
  977         memset(mtod(m1, void *), 0, sizeof(uint32_t)+2);
  978 
  979         M_PREPEND(m1, sizeof(struct llc), M_DONTWAIT);
  980         if (m1 == NULL) {               /* XXX cannot happen */
  981                 IEEE80211_DPRINTF(ic, IEEE80211_MSG_SUPERG,
  982                         "%s: no space for llc header\n", __func__);
  983                 ic->ic_stats.is_tx_nobuf++;
  984                 return NULL;
  985         }
  986         llc = mtod(m1, struct llc *);
  987         llc->llc_dsap = llc->llc_ssap = LLC_SNAP_LSAP;
  988         llc->llc_control = LLC_UI;
  989         llc->llc_snap.org_code[0] = ATH_FF_SNAP_ORGCODE_0;
  990         llc->llc_snap.org_code[1] = ATH_FF_SNAP_ORGCODE_1;
  991         llc->llc_snap.org_code[2] = ATH_FF_SNAP_ORGCODE_2;
  992         llc->llc_snap.ether_type = htons(ATH_FF_ETH_TYPE);
  993 
  994         ic->ic_stats.is_ff_encap++;
  995 
  996         return m1;
  997 }
  998 
  999 /*
 1000  * Fragment the frame according to the specified mtu.
 1001  * The size of the 802.11 header (w/o padding) is provided
 1002  * so we don't need to recalculate it.  We create a new
 1003  * mbuf for each fragment and chain it through m_nextpkt;
 1004  * we might be able to optimize this by reusing the original
 1005  * packet's mbufs but that is significantly more complicated.
 1006  */
 1007 static int
 1008 ieee80211_fragment(struct ieee80211com *ic, struct mbuf *m0,
 1009         u_int hdrsize, u_int ciphdrsize, u_int mtu)
 1010 {
 1011         struct ieee80211_frame *wh, *whf;
 1012         struct mbuf *m, *prev, *next;
 1013         u_int totalhdrsize, fragno, fragsize, off, remainder, payload;
 1014 
 1015         KASSERT(m0->m_nextpkt == NULL, ("mbuf already chained?"));
 1016         KASSERT(m0->m_pkthdr.len > mtu,
 1017                 ("pktlen %u mtu %u", m0->m_pkthdr.len, mtu));
 1018 
 1019         wh = mtod(m0, struct ieee80211_frame *);
 1020         /* NB: mark the first frag; it will be propagated below */
 1021         wh->i_fc[1] |= IEEE80211_FC1_MORE_FRAG;
 1022         totalhdrsize = hdrsize + ciphdrsize;
 1023         fragno = 1;
 1024         off = mtu - ciphdrsize;
 1025         remainder = m0->m_pkthdr.len - off;
 1026         prev = m0;
 1027         do {
 1028                 fragsize = totalhdrsize + remainder;
 1029                 if (fragsize > mtu)
 1030                         fragsize = mtu;
 1031                 KASSERT(fragsize < MCLBYTES,
 1032                         ("fragment size %u too big!", fragsize));
 1033                 if (fragsize > MHLEN)
 1034                         m = m_getcl(M_DONTWAIT, MT_DATA, M_PKTHDR);
 1035                 else
 1036                         m = m_gethdr(M_DONTWAIT, MT_DATA);
 1037                 if (m == NULL)
 1038                         goto bad;
 1039                 /* leave room to prepend any cipher header */
 1040                 m_align(m, fragsize - ciphdrsize);
 1041 
 1042                 /*
 1043                  * Form the header in the fragment.  Note that since
 1044                  * we mark the first fragment with the MORE_FRAG bit
 1045                  * it automatically is propagated to each fragment; we
 1046                  * need only clear it on the last fragment (done below).
 1047                  */
 1048                 whf = mtod(m, struct ieee80211_frame *);
 1049                 memcpy(whf, wh, hdrsize);
 1050                 *(uint16_t *)&whf->i_seq[0] |= htole16(
 1051                         (fragno & IEEE80211_SEQ_FRAG_MASK) <<
 1052                                 IEEE80211_SEQ_FRAG_SHIFT);
 1053                 fragno++;
 1054 
 1055                 payload = fragsize - totalhdrsize;
 1056                 /* NB: destination is known to be contiguous */
 1057                 m_copydata(m0, off, payload, mtod(m, uint8_t *) + hdrsize);
 1058                 m->m_len = hdrsize + payload;
 1059                 m->m_pkthdr.len = hdrsize + payload;
 1060                 m->m_flags |= M_FRAG;
 1061 
 1062                 /* chain up the fragment */
 1063                 prev->m_nextpkt = m;
 1064                 prev = m;
 1065 
 1066                 /* deduct fragment just formed */
 1067                 remainder -= payload;
 1068                 off += payload;
 1069         } while (remainder != 0);
 1070         whf->i_fc[1] &= ~IEEE80211_FC1_MORE_FRAG;
 1071 
 1072         /* strip first mbuf now that everything has been copied */
 1073         m_adj(m0, -(m0->m_pkthdr.len - (mtu - ciphdrsize)));
 1074         m0->m_flags |= M_FIRSTFRAG | M_FRAG;
 1075 
 1076         ic->ic_stats.is_tx_fragframes++;
 1077         ic->ic_stats.is_tx_frags += fragno-1;
 1078 
 1079         return 1;
 1080 bad:
 1081         /* reclaim fragments but leave original frame for caller to free */
 1082         for (m = m0->m_nextpkt; m != NULL; m = next) {
 1083                 next = m->m_nextpkt;
 1084                 m->m_nextpkt = NULL;            /* XXX paranoid */
 1085                 m_freem(m);
 1086         }
 1087         m0->m_nextpkt = NULL;
 1088         return 0;
 1089 }
 1090 
 1091 /*
 1092  * Add a supported rates element id to a frame.
 1093  */
 1094 static uint8_t *
 1095 ieee80211_add_rates(uint8_t *frm, const struct ieee80211_rateset *rs)
 1096 {
 1097         int nrates;
 1098 
 1099         *frm++ = IEEE80211_ELEMID_RATES;
 1100         nrates = rs->rs_nrates;
 1101         if (nrates > IEEE80211_RATE_SIZE)
 1102                 nrates = IEEE80211_RATE_SIZE;
 1103         *frm++ = nrates;
 1104         memcpy(frm, rs->rs_rates, nrates);
 1105         return frm + nrates;
 1106 }
 1107 
 1108 /*
 1109  * Add an extended supported rates element id to a frame.
 1110  */
 1111 static uint8_t *
 1112 ieee80211_add_xrates(uint8_t *frm, const struct ieee80211_rateset *rs)
 1113 {
 1114         /*
 1115          * Add an extended supported rates element if operating in 11g mode.
 1116          */
 1117         if (rs->rs_nrates > IEEE80211_RATE_SIZE) {
 1118                 int nrates = rs->rs_nrates - IEEE80211_RATE_SIZE;
 1119                 *frm++ = IEEE80211_ELEMID_XRATES;
 1120                 *frm++ = nrates;
 1121                 memcpy(frm, rs->rs_rates + IEEE80211_RATE_SIZE, nrates);
 1122                 frm += nrates;
 1123         }
 1124         return frm;
 1125 }
 1126 
 1127 /* 
 1128  * Add an ssid elemet to a frame.
 1129  */
 1130 static uint8_t *
 1131 ieee80211_add_ssid(uint8_t *frm, const uint8_t *ssid, u_int len)
 1132 {
 1133         *frm++ = IEEE80211_ELEMID_SSID;
 1134         *frm++ = len;
 1135         memcpy(frm, ssid, len);
 1136         return frm + len;
 1137 }
 1138 
 1139 /*
 1140  * Add an erp element to a frame.
 1141  */
 1142 static uint8_t *
 1143 ieee80211_add_erp(uint8_t *frm, struct ieee80211com *ic)
 1144 {
 1145         uint8_t erp;
 1146 
 1147         *frm++ = IEEE80211_ELEMID_ERP;
 1148         *frm++ = 1;
 1149         erp = 0;
 1150         if (ic->ic_nonerpsta != 0)
 1151                 erp |= IEEE80211_ERP_NON_ERP_PRESENT;
 1152         if (ic->ic_flags & IEEE80211_F_USEPROT)
 1153                 erp |= IEEE80211_ERP_USE_PROTECTION;
 1154         if (ic->ic_flags & IEEE80211_F_USEBARKER)
 1155                 erp |= IEEE80211_ERP_LONG_PREAMBLE;
 1156         *frm++ = erp;
 1157         return frm;
 1158 }
 1159 
 1160 static uint8_t *
 1161 ieee80211_setup_wpa_ie(struct ieee80211com *ic, uint8_t *ie)
 1162 {
 1163 #define WPA_OUI_BYTES           0x00, 0x50, 0xf2
 1164 #define ADDSHORT(frm, v) do {                   \
 1165         frm[0] = (v) & 0xff;                    \
 1166         frm[1] = (v) >> 8;                      \
 1167         frm += 2;                               \
 1168 } while (0)
 1169 #define ADDSELECTOR(frm, sel) do {              \
 1170         memcpy(frm, sel, 4);                    \
 1171         frm += 4;                               \
 1172 } while (0)
 1173         static const uint8_t oui[4] = { WPA_OUI_BYTES, WPA_OUI_TYPE };
 1174         static const uint8_t cipher_suite[][4] = {
 1175                 { WPA_OUI_BYTES, WPA_CSE_WEP40 },       /* NB: 40-bit */
 1176                 { WPA_OUI_BYTES, WPA_CSE_TKIP },
 1177                 { 0x00, 0x00, 0x00, 0x00 },             /* XXX WRAP */
 1178                 { WPA_OUI_BYTES, WPA_CSE_CCMP },
 1179                 { 0x00, 0x00, 0x00, 0x00 },             /* XXX CKIP */
 1180                 { WPA_OUI_BYTES, WPA_CSE_NULL },
 1181         };
 1182         static const uint8_t wep104_suite[4] =
 1183                 { WPA_OUI_BYTES, WPA_CSE_WEP104 };
 1184         static const uint8_t key_mgt_unspec[4] =
 1185                 { WPA_OUI_BYTES, WPA_ASE_8021X_UNSPEC };
 1186         static const uint8_t key_mgt_psk[4] =
 1187                 { WPA_OUI_BYTES, WPA_ASE_8021X_PSK };
 1188         const struct ieee80211_rsnparms *rsn = &ic->ic_bss->ni_rsn;
 1189         uint8_t *frm = ie;
 1190         uint8_t *selcnt;
 1191 
 1192         *frm++ = IEEE80211_ELEMID_VENDOR;
 1193         *frm++ = 0;                             /* length filled in below */
 1194         memcpy(frm, oui, sizeof(oui));          /* WPA OUI */
 1195         frm += sizeof(oui);
 1196         ADDSHORT(frm, WPA_VERSION);
 1197 
 1198         /* XXX filter out CKIP */
 1199 
 1200         /* multicast cipher */
 1201         if (rsn->rsn_mcastcipher == IEEE80211_CIPHER_WEP &&
 1202             rsn->rsn_mcastkeylen >= 13)
 1203                 ADDSELECTOR(frm, wep104_suite);
 1204         else
 1205                 ADDSELECTOR(frm, cipher_suite[rsn->rsn_mcastcipher]);
 1206 
 1207         /* unicast cipher list */
 1208         selcnt = frm;
 1209         ADDSHORT(frm, 0);                       /* selector count */
 1210         if (rsn->rsn_ucastcipherset & (1<<IEEE80211_CIPHER_AES_CCM)) {
 1211                 selcnt[0]++;
 1212                 ADDSELECTOR(frm, cipher_suite[IEEE80211_CIPHER_AES_CCM]);
 1213         }
 1214         if (rsn->rsn_ucastcipherset & (1<<IEEE80211_CIPHER_TKIP)) {
 1215                 selcnt[0]++;
 1216                 ADDSELECTOR(frm, cipher_suite[IEEE80211_CIPHER_TKIP]);
 1217         }
 1218 
 1219         /* authenticator selector list */
 1220         selcnt = frm;
 1221         ADDSHORT(frm, 0);                       /* selector count */
 1222         if (rsn->rsn_keymgmtset & WPA_ASE_8021X_UNSPEC) {
 1223                 selcnt[0]++;
 1224                 ADDSELECTOR(frm, key_mgt_unspec);
 1225         }
 1226         if (rsn->rsn_keymgmtset & WPA_ASE_8021X_PSK) {
 1227                 selcnt[0]++;
 1228                 ADDSELECTOR(frm, key_mgt_psk);
 1229         }
 1230 
 1231         /* optional capabilities */
 1232         if (rsn->rsn_caps != 0 && rsn->rsn_caps != RSN_CAP_PREAUTH)
 1233                 ADDSHORT(frm, rsn->rsn_caps);
 1234 
 1235         /* calculate element length */
 1236         ie[1] = frm - ie - 2;
 1237         KASSERT(ie[1]+2 <= sizeof(struct ieee80211_ie_wpa),
 1238                 ("WPA IE too big, %u > %zu",
 1239                 ie[1]+2, sizeof(struct ieee80211_ie_wpa)));
 1240         return frm;
 1241 #undef ADDSHORT
 1242 #undef ADDSELECTOR
 1243 #undef WPA_OUI_BYTES
 1244 }
 1245 
 1246 static uint8_t *
 1247 ieee80211_setup_rsn_ie(struct ieee80211com *ic, uint8_t *ie)
 1248 {
 1249 #define RSN_OUI_BYTES           0x00, 0x0f, 0xac
 1250 #define ADDSHORT(frm, v) do {                   \
 1251         frm[0] = (v) & 0xff;                    \
 1252         frm[1] = (v) >> 8;                      \
 1253         frm += 2;                               \
 1254 } while (0)
 1255 #define ADDSELECTOR(frm, sel) do {              \
 1256         memcpy(frm, sel, 4);                    \
 1257         frm += 4;                               \
 1258 } while (0)
 1259         static const uint8_t cipher_suite[][4] = {
 1260                 { RSN_OUI_BYTES, RSN_CSE_WEP40 },       /* NB: 40-bit */
 1261                 { RSN_OUI_BYTES, RSN_CSE_TKIP },
 1262                 { RSN_OUI_BYTES, RSN_CSE_WRAP },
 1263                 { RSN_OUI_BYTES, RSN_CSE_CCMP },
 1264                 { 0x00, 0x00, 0x00, 0x00 },             /* XXX CKIP */
 1265                 { RSN_OUI_BYTES, RSN_CSE_NULL },
 1266         };
 1267         static const uint8_t wep104_suite[4] =
 1268                 { RSN_OUI_BYTES, RSN_CSE_WEP104 };
 1269         static const uint8_t key_mgt_unspec[4] =
 1270                 { RSN_OUI_BYTES, RSN_ASE_8021X_UNSPEC };
 1271         static const uint8_t key_mgt_psk[4] =
 1272                 { RSN_OUI_BYTES, RSN_ASE_8021X_PSK };
 1273         const struct ieee80211_rsnparms *rsn = &ic->ic_bss->ni_rsn;
 1274         uint8_t *frm = ie;
 1275         uint8_t *selcnt;
 1276 
 1277         *frm++ = IEEE80211_ELEMID_RSN;
 1278         *frm++ = 0;                             /* length filled in below */
 1279         ADDSHORT(frm, RSN_VERSION);
 1280 
 1281         /* XXX filter out CKIP */
 1282 
 1283         /* multicast cipher */
 1284         if (rsn->rsn_mcastcipher == IEEE80211_CIPHER_WEP &&
 1285             rsn->rsn_mcastkeylen >= 13)
 1286                 ADDSELECTOR(frm, wep104_suite);
 1287         else
 1288                 ADDSELECTOR(frm, cipher_suite[rsn->rsn_mcastcipher]);
 1289 
 1290         /* unicast cipher list */
 1291         selcnt = frm;
 1292         ADDSHORT(frm, 0);                       /* selector count */
 1293         if (rsn->rsn_ucastcipherset & (1<<IEEE80211_CIPHER_AES_CCM)) {
 1294                 selcnt[0]++;
 1295                 ADDSELECTOR(frm, cipher_suite[IEEE80211_CIPHER_AES_CCM]);
 1296         }
 1297         if (rsn->rsn_ucastcipherset & (1<<IEEE80211_CIPHER_TKIP)) {
 1298                 selcnt[0]++;
 1299                 ADDSELECTOR(frm, cipher_suite[IEEE80211_CIPHER_TKIP]);
 1300         }
 1301 
 1302         /* authenticator selector list */
 1303         selcnt = frm;
 1304         ADDSHORT(frm, 0);                       /* selector count */
 1305         if (rsn->rsn_keymgmtset & WPA_ASE_8021X_UNSPEC) {
 1306                 selcnt[0]++;
 1307                 ADDSELECTOR(frm, key_mgt_unspec);
 1308         }
 1309         if (rsn->rsn_keymgmtset & WPA_ASE_8021X_PSK) {
 1310                 selcnt[0]++;
 1311                 ADDSELECTOR(frm, key_mgt_psk);
 1312         }
 1313 
 1314         /* optional capabilities */
 1315         ADDSHORT(frm, rsn->rsn_caps);
 1316         /* XXX PMKID */
 1317 
 1318         /* calculate element length */
 1319         ie[1] = frm - ie - 2;
 1320         KASSERT(ie[1]+2 <= sizeof(struct ieee80211_ie_wpa),
 1321                 ("RSN IE too big, %u > %zu",
 1322                 ie[1]+2, sizeof(struct ieee80211_ie_wpa)));
 1323         return frm;
 1324 #undef ADDSELECTOR
 1325 #undef ADDSHORT
 1326 #undef RSN_OUI_BYTES
 1327 }
 1328 
 1329 /*
 1330  * Add a WPA/RSN element to a frame.
 1331  */
 1332 static uint8_t *
 1333 ieee80211_add_wpa(uint8_t *frm, struct ieee80211com *ic)
 1334 {
 1335 
 1336         KASSERT(ic->ic_flags & IEEE80211_F_WPA, ("no WPA/RSN!"));
 1337         if (ic->ic_flags & IEEE80211_F_WPA2)
 1338                 frm = ieee80211_setup_rsn_ie(ic, frm);
 1339         if (ic->ic_flags & IEEE80211_F_WPA1)
 1340                 frm = ieee80211_setup_wpa_ie(ic, frm);
 1341         return frm;
 1342 }
 1343 
 1344 #define WME_OUI_BYTES           0x00, 0x50, 0xf2
 1345 /*
 1346  * Add a WME information element to a frame.
 1347  */
 1348 static uint8_t *
 1349 ieee80211_add_wme_info(uint8_t *frm, struct ieee80211_wme_state *wme)
 1350 {
 1351         static const struct ieee80211_wme_info info = {
 1352                 .wme_id         = IEEE80211_ELEMID_VENDOR,
 1353                 .wme_len        = sizeof(struct ieee80211_wme_info) - 2,
 1354                 .wme_oui        = { WME_OUI_BYTES },
 1355                 .wme_type       = WME_OUI_TYPE,
 1356                 .wme_subtype    = WME_INFO_OUI_SUBTYPE,
 1357                 .wme_version    = WME_VERSION,
 1358                 .wme_info       = 0,
 1359         };
 1360         memcpy(frm, &info, sizeof(info));
 1361         return frm + sizeof(info); 
 1362 }
 1363 
 1364 /*
 1365  * Add a WME parameters element to a frame.
 1366  */
 1367 static uint8_t *
 1368 ieee80211_add_wme_param(uint8_t *frm, struct ieee80211_wme_state *wme)
 1369 {
 1370 #define SM(_v, _f)      (((_v) << _f##_S) & _f)
 1371 #define ADDSHORT(frm, v) do {                   \
 1372         frm[0] = (v) & 0xff;                    \
 1373         frm[1] = (v) >> 8;                      \
 1374         frm += 2;                               \
 1375 } while (0)
 1376         /* NB: this works 'cuz a param has an info at the front */
 1377         static const struct ieee80211_wme_info param = {
 1378                 .wme_id         = IEEE80211_ELEMID_VENDOR,
 1379                 .wme_len        = sizeof(struct ieee80211_wme_param) - 2,
 1380                 .wme_oui        = { WME_OUI_BYTES },
 1381                 .wme_type       = WME_OUI_TYPE,
 1382                 .wme_subtype    = WME_PARAM_OUI_SUBTYPE,
 1383                 .wme_version    = WME_VERSION,
 1384         };
 1385         int i;
 1386 
 1387         memcpy(frm, &param, sizeof(param));
 1388         frm += __offsetof(struct ieee80211_wme_info, wme_info);
 1389         *frm++ = wme->wme_bssChanParams.cap_info;       /* AC info */
 1390         *frm++ = 0;                                     /* reserved field */
 1391         for (i = 0; i < WME_NUM_AC; i++) {
 1392                 const struct wmeParams *ac =
 1393                        &wme->wme_bssChanParams.cap_wmeParams[i];
 1394                 *frm++ = SM(i, WME_PARAM_ACI)
 1395                        | SM(ac->wmep_acm, WME_PARAM_ACM)
 1396                        | SM(ac->wmep_aifsn, WME_PARAM_AIFSN)
 1397                        ;
 1398                 *frm++ = SM(ac->wmep_logcwmax, WME_PARAM_LOGCWMAX)
 1399                        | SM(ac->wmep_logcwmin, WME_PARAM_LOGCWMIN)
 1400                        ;
 1401                 ADDSHORT(frm, ac->wmep_txopLimit);
 1402         }
 1403         return frm;
 1404 #undef SM
 1405 #undef ADDSHORT
 1406 }
 1407 #undef WME_OUI_BYTES
 1408 
 1409 #define ATH_OUI_BYTES           0x00, 0x03, 0x7f
 1410 /*
 1411  * Add a WME information element to a frame.
 1412  */
 1413 static uint8_t *
 1414 ieee80211_add_ath(uint8_t *frm, uint8_t caps, uint16_t defkeyix)
 1415 {
 1416         static const struct ieee80211_ath_ie info = {
 1417                 .ath_id         = IEEE80211_ELEMID_VENDOR,
 1418                 .ath_len        = sizeof(struct ieee80211_ath_ie) - 2,
 1419                 .ath_oui        = { ATH_OUI_BYTES },
 1420                 .ath_oui_type   = ATH_OUI_TYPE,
 1421                 .ath_oui_subtype= ATH_OUI_SUBTYPE,
 1422                 .ath_version    = ATH_OUI_VERSION,
 1423         };
 1424         struct ieee80211_ath_ie *ath = (struct ieee80211_ath_ie *) frm;
 1425 
 1426         memcpy(frm, &info, sizeof(info));
 1427         ath->ath_capability = caps;
 1428         ath->ath_defkeyix[0] = (defkeyix & 0xff);
 1429         ath->ath_defkeyix[1] = ((defkeyix >> 8) & 0xff);
 1430         return frm + sizeof(info); 
 1431 }
 1432 #undef ATH_OUI_BYTES
 1433 
 1434 /*
 1435  * Send a probe request frame with the specified ssid
 1436  * and any optional information element data.
 1437  */
 1438 int
 1439 ieee80211_send_probereq(struct ieee80211_node *ni,
 1440         const uint8_t sa[IEEE80211_ADDR_LEN],
 1441         const uint8_t da[IEEE80211_ADDR_LEN],
 1442         const uint8_t bssid[IEEE80211_ADDR_LEN],
 1443         const uint8_t *ssid, size_t ssidlen,
 1444         const void *optie, size_t optielen)
 1445 {
 1446         struct ieee80211com *ic = ni->ni_ic;
 1447         struct ieee80211_frame *wh;
 1448         const struct ieee80211_rateset *rs;
 1449         struct mbuf *m;
 1450         uint8_t *frm;
 1451 
 1452         /*
 1453          * Hold a reference on the node so it doesn't go away until after
 1454          * the xmit is complete all the way in the driver.  On error we
 1455          * will remove our reference.
 1456          */
 1457         IEEE80211_DPRINTF(ic, IEEE80211_MSG_NODE,
 1458                 "ieee80211_ref_node (%s:%u) %p<%s> refcnt %d\n",
 1459                 __func__, __LINE__,
 1460                 ni, ether_sprintf(ni->ni_macaddr),
 1461                 ieee80211_node_refcnt(ni)+1);
 1462         ieee80211_ref_node(ni);
 1463 
 1464         /*
 1465          * prreq frame format
 1466          *      [tlv] ssid
 1467          *      [tlv] supported rates
 1468          *      [tlv] extended supported rates
 1469          *      [tlv] user-specified ie's
 1470          */
 1471         m = ieee80211_getmgtframe(&frm,
 1472                  ic->ic_headroom + sizeof(struct ieee80211_frame),
 1473                  2 + IEEE80211_NWID_LEN
 1474                + 2 + IEEE80211_RATE_SIZE
 1475                + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE)
 1476                + (optie != NULL ? optielen : 0)
 1477         );
 1478         if (m == NULL) {
 1479                 ic->ic_stats.is_tx_nobuf++;
 1480                 ieee80211_free_node(ni);
 1481                 return ENOMEM;
 1482         }
 1483 
 1484         frm = ieee80211_add_ssid(frm, ssid, ssidlen);
 1485         rs = ieee80211_get_suprates(ic, ic->ic_curchan);
 1486         frm = ieee80211_add_rates(frm, rs);
 1487         frm = ieee80211_add_xrates(frm, rs);
 1488 
 1489         if (optie != NULL) {
 1490                 memcpy(frm, optie, optielen);
 1491                 frm += optielen;
 1492         }
 1493         m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *);
 1494 
 1495         M_PREPEND(m, sizeof(struct ieee80211_frame), M_DONTWAIT);
 1496         if (m == NULL)
 1497                 return ENOMEM;
 1498         KASSERT(m->m_pkthdr.rcvif == NULL, ("rcvif not null"));
 1499         m->m_pkthdr.rcvif = (void *)ni;
 1500 
 1501         wh = mtod(m, struct ieee80211_frame *);
 1502         ieee80211_send_setup(ic, ni, wh,
 1503                 IEEE80211_FC0_TYPE_MGT | IEEE80211_FC0_SUBTYPE_PROBE_REQ,
 1504                 sa, da, bssid);
 1505         /* XXX power management? */
 1506 
 1507         IEEE80211_NODE_STAT(ni, tx_probereq);
 1508         IEEE80211_NODE_STAT(ni, tx_mgmt);
 1509 
 1510         IEEE80211_DPRINTF(ic, IEEE80211_MSG_DEBUG | IEEE80211_MSG_DUMPPKTS,
 1511             "[%s] send probe req on channel %u\n",
 1512             ether_sprintf(wh->i_addr1),
 1513             ieee80211_chan2ieee(ic, ic->ic_curchan));
 1514 
 1515         IF_ENQUEUE(&ic->ic_mgtq, m);
 1516         if_start(ic->ic_ifp);
 1517         return 0;
 1518 }
 1519 
 1520 /*
 1521  * Calculate capability information for mgt frames.
 1522  */
 1523 static uint16_t
 1524 getcapinfo(struct ieee80211com *ic, struct ieee80211_channel *chan)
 1525 {
 1526         uint16_t capinfo;
 1527 
 1528         KASSERT(ic->ic_opmode != IEEE80211_M_STA, ("station mode"));
 1529 
 1530         if (ic->ic_opmode == IEEE80211_M_HOSTAP)
 1531                 capinfo = IEEE80211_CAPINFO_ESS;
 1532         else if (ic->ic_opmode == IEEE80211_M_IBSS)
 1533                 capinfo = IEEE80211_CAPINFO_IBSS;
 1534         else
 1535                 capinfo = 0;
 1536         if (ic->ic_flags & IEEE80211_F_PRIVACY)
 1537                 capinfo |= IEEE80211_CAPINFO_PRIVACY;
 1538         if ((ic->ic_flags & IEEE80211_F_SHPREAMBLE) &&
 1539             IEEE80211_IS_CHAN_2GHZ(chan))
 1540                 capinfo |= IEEE80211_CAPINFO_SHORT_PREAMBLE;
 1541         if (ic->ic_flags & IEEE80211_F_SHSLOT)
 1542                 capinfo |= IEEE80211_CAPINFO_SHORT_SLOTTIME;
 1543         return capinfo;
 1544 }
 1545 
 1546 /*
 1547  * Send a management frame.  The node is for the destination (or ic_bss
 1548  * when in station mode).  Nodes other than ic_bss have their reference
 1549  * count bumped to reflect our use for an indeterminant time.
 1550  */
 1551 int
 1552 ieee80211_send_mgmt(struct ieee80211com *ic, struct ieee80211_node *ni,
 1553         int type, int arg)
 1554 {
 1555 #define HTFLAGS (IEEE80211_NODE_HT | IEEE80211_NODE_HTCOMPAT)
 1556 #define senderr(_x, _v) do { ic->ic_stats._v++; ret = _x; goto bad; } while (0)
 1557         const struct ieee80211_rateset *rs;
 1558         struct mbuf *m;
 1559         uint8_t *frm;
 1560         uint16_t capinfo;
 1561         int has_challenge, is_shared_key, ret, status;
 1562 
 1563         KASSERT(ni != NULL, ("null node"));
 1564 
 1565         /*
 1566          * Hold a reference on the node so it doesn't go away until after
 1567          * the xmit is complete all the way in the driver.  On error we
 1568          * will remove our reference.
 1569          */
 1570         IEEE80211_DPRINTF(ic, IEEE80211_MSG_NODE,
 1571                 "ieee80211_ref_node (%s:%u) %p<%s> refcnt %d\n",
 1572                 __func__, __LINE__,
 1573                 ni, ether_sprintf(ni->ni_macaddr),
 1574                 ieee80211_node_refcnt(ni)+1);
 1575         ieee80211_ref_node(ni);
 1576 
 1577         switch (type) {
 1578         case IEEE80211_FC0_SUBTYPE_PROBE_RESP:
 1579                 /*
 1580                  * probe response frame format
 1581                  *      [8] time stamp
 1582                  *      [2] beacon interval
 1583                  *      [2] cabability information
 1584                  *      [tlv] ssid
 1585                  *      [tlv] supported rates
 1586                  *      [tlv] parameter set (FH/DS)
 1587                  *      [tlv] parameter set (IBSS)
 1588                  *      [tlv] extended rate phy (ERP)
 1589                  *      [tlv] extended supported rates
 1590                  *      [tlv] WPA
 1591                  *      [tlv] WME (optional)
 1592                  *      [tlv] HT capabilities
 1593                  *      [tlv] HT information
 1594                  *      [tlv] Vendor OUI HT capabilities (optional)
 1595                  *      [tlv] Vendor OUI HT information (optional)
 1596                  *      [tlv] Atheros capabilities
 1597                  */
 1598                 m = ieee80211_getmgtframe(&frm,
 1599                          ic->ic_headroom + sizeof(struct ieee80211_frame),
 1600                          8
 1601                        + sizeof(uint16_t)
 1602                        + sizeof(uint16_t)
 1603                        + 2 + IEEE80211_NWID_LEN
 1604                        + 2 + IEEE80211_RATE_SIZE
 1605                        + 7      /* max(7,3) */
 1606                        + 6
 1607                        + 3
 1608                        + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE)
 1609                        /* XXX !WPA1+WPA2 fits w/o a cluster */
 1610                        + (ic->ic_flags & IEEE80211_F_WPA ?
 1611                                 2*sizeof(struct ieee80211_ie_wpa) : 0)
 1612                        + sizeof(struct ieee80211_wme_param)
 1613                        /* XXX check for cluster requirement */
 1614                        + 2*sizeof(struct ieee80211_ie_htcap) + 4
 1615                        + 2*sizeof(struct ieee80211_ie_htinfo) + 4
 1616                        + sizeof(struct ieee80211_ath_ie)
 1617                 );
 1618                 if (m == NULL)
 1619                         senderr(ENOMEM, is_tx_nobuf);
 1620 
 1621                 memset(frm, 0, 8);      /* timestamp should be filled later */
 1622                 frm += 8;
 1623                 *(uint16_t *)frm = htole16(ic->ic_bss->ni_intval);
 1624                 frm += 2;
 1625                 capinfo = getcapinfo(ic, ic->ic_curchan);
 1626                 *(uint16_t *)frm = htole16(capinfo);
 1627                 frm += 2;
 1628 
 1629                 frm = ieee80211_add_ssid(frm, ic->ic_bss->ni_essid,
 1630                                 ic->ic_bss->ni_esslen);
 1631                 rs = ieee80211_get_suprates(ic, ic->ic_curchan);
 1632                 frm = ieee80211_add_rates(frm, rs);
 1633 
 1634                 if (IEEE80211_IS_CHAN_FHSS(ic->ic_curchan)) {
 1635                         *frm++ = IEEE80211_ELEMID_FHPARMS;
 1636                         *frm++ = 5;
 1637                         *frm++ = ni->ni_fhdwell & 0x00ff;
 1638                         *frm++ = (ni->ni_fhdwell >> 8) & 0x00ff;
 1639                         *frm++ = IEEE80211_FH_CHANSET(
 1640                             ieee80211_chan2ieee(ic, ic->ic_curchan));
 1641                         *frm++ = IEEE80211_FH_CHANPAT(
 1642                             ieee80211_chan2ieee(ic, ic->ic_curchan));
 1643                         *frm++ = ni->ni_fhindex;
 1644                 } else {
 1645                         *frm++ = IEEE80211_ELEMID_DSPARMS;
 1646                         *frm++ = 1;
 1647                         *frm++ = ieee80211_chan2ieee(ic, ic->ic_curchan);
 1648                 }
 1649 
 1650                 if (ic->ic_opmode == IEEE80211_M_IBSS) {
 1651                         *frm++ = IEEE80211_ELEMID_IBSSPARMS;
 1652                         *frm++ = 2;
 1653                         *frm++ = 0; *frm++ = 0;         /* TODO: ATIM window */
 1654                 }
 1655                 if (ic->ic_flags & IEEE80211_F_WPA)
 1656                         frm = ieee80211_add_wpa(frm, ic);
 1657                 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan))
 1658                         frm = ieee80211_add_erp(frm, ic);
 1659                 frm = ieee80211_add_xrates(frm, rs);
 1660                 /*
 1661                  * NB: legacy 11b clients do not get certain ie's.
 1662                  *     The caller identifies such clients by passing
 1663                  *     a token in arg to us.  Could expand this to be
 1664                  *     any legacy client for stuff like HT ie's.
 1665                  */
 1666                 if (IEEE80211_IS_CHAN_HT(ic->ic_curchan) &&
 1667                     arg != IEEE80211_SEND_LEGACY_11B) {
 1668                         frm = ieee80211_add_htcap(frm, ni);
 1669                         frm = ieee80211_add_htinfo(frm, ni);
 1670                 }
 1671                 if (ic->ic_flags & IEEE80211_F_WME)
 1672                         frm = ieee80211_add_wme_param(frm, &ic->ic_wme);
 1673                 if (IEEE80211_IS_CHAN_HT(ic->ic_curchan) &&
 1674                     (ic->ic_flags_ext & IEEE80211_FEXT_HTCOMPAT) &&
 1675                     arg != IEEE80211_SEND_LEGACY_11B) {
 1676                         frm = ieee80211_add_htcap_vendor(frm, ni);
 1677                         frm = ieee80211_add_htinfo_vendor(frm, ni);
 1678                 }
 1679                 if (ni->ni_ies.ath_ie != NULL)
 1680                         frm = ieee80211_add_ath(frm, ni->ni_ath_flags,
 1681                                 ni->ni_ath_defkeyix);
 1682                 m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *);
 1683                 break;
 1684 
 1685         case IEEE80211_FC0_SUBTYPE_AUTH:
 1686                 status = arg >> 16;
 1687                 arg &= 0xffff;
 1688                 has_challenge = ((arg == IEEE80211_AUTH_SHARED_CHALLENGE ||
 1689                     arg == IEEE80211_AUTH_SHARED_RESPONSE) &&
 1690                     ni->ni_challenge != NULL);
 1691 
 1692                 /*
 1693                  * Deduce whether we're doing open authentication or
 1694                  * shared key authentication.  We do the latter if
 1695                  * we're in the middle of a shared key authentication
 1696                  * handshake or if we're initiating an authentication
 1697                  * request and configured to use shared key.
 1698                  */
 1699                 is_shared_key = has_challenge ||
 1700                      arg >= IEEE80211_AUTH_SHARED_RESPONSE ||
 1701                      (arg == IEEE80211_AUTH_SHARED_REQUEST &&
 1702                       ic->ic_bss->ni_authmode == IEEE80211_AUTH_SHARED);
 1703 
 1704                 m = ieee80211_getmgtframe(&frm,
 1705                           ic->ic_headroom + sizeof(struct ieee80211_frame),
 1706                           3 * sizeof(uint16_t)
 1707                         + (has_challenge && status == IEEE80211_STATUS_SUCCESS ?
 1708                                 sizeof(uint16_t)+IEEE80211_CHALLENGE_LEN : 0)
 1709                 );
 1710                 if (m == NULL)
 1711                         senderr(ENOMEM, is_tx_nobuf);
 1712 
 1713                 ((uint16_t *)frm)[0] =
 1714                     (is_shared_key) ? htole16(IEEE80211_AUTH_ALG_SHARED)
 1715                                     : htole16(IEEE80211_AUTH_ALG_OPEN);
 1716                 ((uint16_t *)frm)[1] = htole16(arg);    /* sequence number */
 1717                 ((uint16_t *)frm)[2] = htole16(status);/* status */
 1718 
 1719                 if (has_challenge && status == IEEE80211_STATUS_SUCCESS) {
 1720                         ((uint16_t *)frm)[3] =
 1721                             htole16((IEEE80211_CHALLENGE_LEN << 8) |
 1722                             IEEE80211_ELEMID_CHALLENGE);
 1723                         memcpy(&((uint16_t *)frm)[4], ni->ni_challenge,
 1724                             IEEE80211_CHALLENGE_LEN);
 1725                         m->m_pkthdr.len = m->m_len =
 1726                                 4 * sizeof(uint16_t) + IEEE80211_CHALLENGE_LEN;
 1727                         if (arg == IEEE80211_AUTH_SHARED_RESPONSE) {
 1728                                 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH,
 1729                                     "[%s] request encrypt frame (%s)\n",
 1730                                     ether_sprintf(ni->ni_macaddr), __func__);
 1731                                 m->m_flags |= M_LINK0; /* WEP-encrypt, please */
 1732                         }
 1733                 } else
 1734                         m->m_pkthdr.len = m->m_len = 3 * sizeof(uint16_t);
 1735 
 1736                 /* XXX not right for shared key */
 1737                 if (status == IEEE80211_STATUS_SUCCESS)
 1738                         IEEE80211_NODE_STAT(ni, tx_auth);
 1739                 else
 1740                         IEEE80211_NODE_STAT(ni, tx_auth_fail);
 1741 
 1742                 if (ic->ic_opmode == IEEE80211_M_STA)
 1743                         ieee80211_add_callback(m, ieee80211_tx_mgt_cb,
 1744                                 (void *) ic->ic_state);
 1745                 break;
 1746 
 1747         case IEEE80211_FC0_SUBTYPE_DEAUTH:
 1748                 IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH,
 1749                         "[%s] send station deauthenticate (reason %d)\n",
 1750                         ether_sprintf(ni->ni_macaddr), arg);
 1751                 m = ieee80211_getmgtframe(&frm,
 1752                         ic->ic_headroom + sizeof(struct ieee80211_frame),
 1753                         sizeof(uint16_t));
 1754                 if (m == NULL)
 1755                         senderr(ENOMEM, is_tx_nobuf);
 1756                 *(uint16_t *)frm = htole16(arg);        /* reason */
 1757                 m->m_pkthdr.len = m->m_len = sizeof(uint16_t);
 1758 
 1759                 IEEE80211_NODE_STAT(ni, tx_deauth);
 1760                 IEEE80211_NODE_STAT_SET(ni, tx_deauth_code, arg);
 1761 
 1762                 ieee80211_node_unauthorize(ni);         /* port closed */
 1763                 break;
 1764 
 1765         case IEEE80211_FC0_SUBTYPE_ASSOC_REQ:
 1766         case IEEE80211_FC0_SUBTYPE_REASSOC_REQ:
 1767                 /*
 1768                  * asreq frame format
 1769                  *      [2] capability information
 1770                  *      [2] listen interval
 1771                  *      [6*] current AP address (reassoc only)
 1772                  *      [tlv] ssid
 1773                  *      [tlv] supported rates
 1774                  *      [tlv] extended supported rates
 1775                  *      [tlv] WME
 1776                  *      [tlv] HT capabilities
 1777                  *      [tlv] Vendor OUI HT capabilities (optional)
 1778                  *      [tlv] Atheros capabilities (if negotiated)
 1779                  *      [tlv] user-specified ie's
 1780                  */
 1781                 m = ieee80211_getmgtframe(&frm,
 1782                          ic->ic_headroom + sizeof(struct ieee80211_frame),
 1783                          sizeof(uint16_t)
 1784                        + sizeof(uint16_t)
 1785                        + IEEE80211_ADDR_LEN
 1786                        + 2 + IEEE80211_NWID_LEN
 1787                        + 2 + IEEE80211_RATE_SIZE
 1788                        + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE)
 1789                        + sizeof(struct ieee80211_wme_info)
 1790                        + 2*sizeof(struct ieee80211_ie_htcap) + 4
 1791                        + sizeof(struct ieee80211_ath_ie)
 1792                        + (ic->ic_opt_ie != NULL ? ic->ic_opt_ie_len : 0)
 1793                 );
 1794                 if (m == NULL)
 1795                         senderr(ENOMEM, is_tx_nobuf);
 1796 
 1797                 KASSERT(ic->ic_opmode == IEEE80211_M_STA,
 1798                     ("wrong mode %u", ic->ic_opmode));
 1799                 capinfo = IEEE80211_CAPINFO_ESS;
 1800                 if (ic->ic_flags & IEEE80211_F_PRIVACY)
 1801                         capinfo |= IEEE80211_CAPINFO_PRIVACY;
 1802                 /*
 1803                  * NB: Some 11a AP's reject the request when
 1804                  *     short premable is set.
 1805                  */
 1806                 if ((ic->ic_flags & IEEE80211_F_SHPREAMBLE) &&
 1807                     IEEE80211_IS_CHAN_2GHZ(ic->ic_curchan))
 1808                         capinfo |= IEEE80211_CAPINFO_SHORT_PREAMBLE;
 1809                 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) &&
 1810                     (ic->ic_caps & IEEE80211_C_SHSLOT))
 1811                         capinfo |= IEEE80211_CAPINFO_SHORT_SLOTTIME;
 1812                 if ((ni->ni_capinfo & IEEE80211_CAPINFO_SPECTRUM_MGMT) &&
 1813                     (ic->ic_flags & IEEE80211_F_DOTH))
 1814                         capinfo |= IEEE80211_CAPINFO_SPECTRUM_MGMT;
 1815                 *(uint16_t *)frm = htole16(capinfo);
 1816                 frm += 2;
 1817 
 1818                 KASSERT(ic->ic_bss->ni_intval != 0,
 1819                         ("beacon interval is zero!"));
 1820                 *(uint16_t *)frm = htole16(howmany(ic->ic_lintval,
 1821                                                    ic->ic_bss->ni_intval));
 1822                 frm += 2;
 1823 
 1824                 if (type == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) {
 1825                         IEEE80211_ADDR_COPY(frm, ic->ic_bss->ni_bssid);
 1826                         frm += IEEE80211_ADDR_LEN;
 1827                 }
 1828 
 1829                 frm = ieee80211_add_ssid(frm, ni->ni_essid, ni->ni_esslen);
 1830                 frm = ieee80211_add_rates(frm, &ni->ni_rates);
 1831                 frm = ieee80211_add_xrates(frm, &ni->ni_rates);
 1832                 if ((ic->ic_flags_ext & IEEE80211_FEXT_HT) &&
 1833                     ni->ni_ies.htcap_ie != NULL &&
 1834                     ni->ni_ies.htcap_ie[0] == IEEE80211_ELEMID_HTCAP)
 1835                         frm = ieee80211_add_htcap(frm, ni);
 1836                 if ((ic->ic_flags & IEEE80211_F_WME) &&
 1837                     ni->ni_ies.wme_ie != NULL)
 1838                         frm = ieee80211_add_wme_info(frm, &ic->ic_wme);
 1839                 if ((ic->ic_flags_ext & IEEE80211_FEXT_HT) &&
 1840                     ni->ni_ies.htcap_ie != NULL &&
 1841                     ni->ni_ies.htcap_ie[0] == IEEE80211_ELEMID_VENDOR)
 1842                         frm = ieee80211_add_htcap_vendor(frm, ni);
 1843                 if (IEEE80211_ATH_CAP(ic, ni, IEEE80211_F_ATHEROS))
 1844                         frm = ieee80211_add_ath(frm,
 1845                                 IEEE80211_ATH_CAP(ic, ni, IEEE80211_F_ATHEROS),
 1846                                 (ic->ic_flags & IEEE80211_F_WPA) == 0 &&
 1847                                 ni->ni_authmode != IEEE80211_AUTH_8021X &&
 1848                                 ic->ic_def_txkey != IEEE80211_KEYIX_NONE ?
 1849                                 ic->ic_def_txkey : 0x7fff);
 1850                 if (ic->ic_opt_ie != NULL) {
 1851                         memcpy(frm, ic->ic_opt_ie, ic->ic_opt_ie_len);
 1852                         frm += ic->ic_opt_ie_len;
 1853                 }
 1854                 m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *);
 1855 
 1856                 ieee80211_add_callback(m, ieee80211_tx_mgt_cb,
 1857                         (void *) ic->ic_state);
 1858                 break;
 1859 
 1860         case IEEE80211_FC0_SUBTYPE_ASSOC_RESP:
 1861         case IEEE80211_FC0_SUBTYPE_REASSOC_RESP:
 1862                 /*
 1863                  * asresp frame format
 1864                  *      [2] capability information
 1865                  *      [2] status
 1866                  *      [2] association ID
 1867                  *      [tlv] supported rates
 1868                  *      [tlv] extended supported rates
 1869                  *      [tlv] WME (if enabled and STA enabled)
 1870                  *      [tlv] HT capabilities (standard or vendor OUI)
 1871                  *      [tlv] HT information (standard or vendor OUI)
 1872                  *      [tlv] Atheros capabilities (if enabled and STA enabled)
 1873                  */
 1874                 m = ieee80211_getmgtframe(&frm,
 1875                          ic->ic_headroom + sizeof(struct ieee80211_frame),
 1876                          sizeof(uint16_t)
 1877                        + sizeof(uint16_t)
 1878                        + sizeof(uint16_t)
 1879                        + 2 + IEEE80211_RATE_SIZE
 1880                        + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE)
 1881                        + sizeof(struct ieee80211_wme_param)
 1882                        + sizeof(struct ieee80211_ie_htcap) + 4
 1883                        + sizeof(struct ieee80211_ie_htinfo) + 4
 1884                        + sizeof(struct ieee80211_ath_ie)
 1885                 );
 1886                 if (m == NULL)
 1887                         senderr(ENOMEM, is_tx_nobuf);
 1888 
 1889                 capinfo = getcapinfo(ic, ic->ic_curchan);
 1890                 *(uint16_t *)frm = htole16(capinfo);
 1891                 frm += 2;
 1892 
 1893                 *(uint16_t *)frm = htole16(arg);        /* status */
 1894                 frm += 2;
 1895 
 1896                 if (arg == IEEE80211_STATUS_SUCCESS) {
 1897                         *(uint16_t *)frm = htole16(ni->ni_associd);
 1898                         IEEE80211_NODE_STAT(ni, tx_assoc);
 1899                 } else
 1900                         IEEE80211_NODE_STAT(ni, tx_assoc_fail);
 1901                 frm += 2;
 1902 
 1903                 frm = ieee80211_add_rates(frm, &ni->ni_rates);
 1904                 frm = ieee80211_add_xrates(frm, &ni->ni_rates);
 1905                 /* NB: respond according to what we received */
 1906                 if ((ni->ni_flags & HTFLAGS) == IEEE80211_NODE_HT) {
 1907                         frm = ieee80211_add_htcap(frm, ni);
 1908                         frm = ieee80211_add_htinfo(frm, ni);
 1909                 }
 1910                 if ((ic->ic_flags & IEEE80211_F_WME) &&
 1911                     ni->ni_ies.wme_ie != NULL)
 1912                         frm = ieee80211_add_wme_param(frm, &ic->ic_wme);
 1913                 if ((ni->ni_flags & HTFLAGS) == HTFLAGS) {
 1914                         frm = ieee80211_add_htcap_vendor(frm, ni);
 1915                         frm = ieee80211_add_htinfo_vendor(frm, ni);
 1916                 }
 1917                 if (IEEE80211_ATH_CAP(ic, ni, IEEE80211_F_ATHEROS))
 1918                         frm = ieee80211_add_ath(frm,
 1919                                 IEEE80211_ATH_CAP(ic, ni, IEEE80211_F_ATHEROS),
 1920                                 ni->ni_ath_defkeyix);
 1921                 m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *);
 1922                 break;
 1923 
 1924         case IEEE80211_FC0_SUBTYPE_DISASSOC:
 1925                 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC,
 1926                         "[%s] send station disassociate (reason %d)\n",
 1927                         ether_sprintf(ni->ni_macaddr), arg);
 1928                 m = ieee80211_getmgtframe(&frm,
 1929                         ic->ic_headroom + sizeof(struct ieee80211_frame),
 1930                         sizeof(uint16_t));
 1931                 if (m == NULL)
 1932                         senderr(ENOMEM, is_tx_nobuf);
 1933                 *(uint16_t *)frm = htole16(arg);        /* reason */
 1934                 m->m_pkthdr.len = m->m_len = sizeof(uint16_t);
 1935 
 1936                 IEEE80211_NODE_STAT(ni, tx_disassoc);
 1937                 IEEE80211_NODE_STAT_SET(ni, tx_disassoc_code, arg);
 1938                 break;
 1939 
 1940         default:
 1941                 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY,
 1942                         "[%s] invalid mgmt frame type %u\n",
 1943                         ether_sprintf(ni->ni_macaddr), type);
 1944                 senderr(EINVAL, is_tx_unknownmgt);
 1945                 /* NOTREACHED */
 1946         }
 1947 
 1948         ret = ieee80211_mgmt_output(ic, ni, m, type);
 1949         if (ret != 0)
 1950                 goto bad;
 1951         return 0;
 1952 bad:
 1953         ieee80211_free_node(ni);
 1954         return ret;
 1955 #undef senderr
 1956 #undef HTFLAGS
 1957 }
 1958 
 1959 static void
 1960 ieee80211_tx_mgt_timeout(void *arg)
 1961 {
 1962         struct ieee80211_node *ni = arg;
 1963         struct ieee80211com *ic = ni->ni_ic;
 1964 
 1965         if (ic->ic_state != IEEE80211_S_INIT &&
 1966             (ic->ic_flags & IEEE80211_F_SCAN) == 0) {
 1967                 /*
 1968                  * NB: it's safe to specify a timeout as the reason here;
 1969                  *     it'll only be used in the right state.
 1970                  */
 1971                 ieee80211_new_state(ic, IEEE80211_S_SCAN,
 1972                         IEEE80211_SCAN_FAIL_TIMEOUT);
 1973         }
 1974 }
 1975 
 1976 static void
 1977 ieee80211_tx_mgt_cb(struct ieee80211_node *ni, void *arg, int status)
 1978 {
 1979         struct ieee80211com *ic = ni->ni_ic;
 1980         enum ieee80211_state ostate = (enum ieee80211_state) arg;
 1981 
 1982         /*
 1983          * Frame transmit completed; arrange timer callback.  If
 1984          * transmit was successfuly we wait for response.  Otherwise
 1985          * we arrange an immediate callback instead of doing the
 1986          * callback directly since we don't know what state the driver
 1987          * is in (e.g. what locks it is holding).  This work should
 1988          * not be too time-critical and not happen too often so the
 1989          * added overhead is acceptable.
 1990          *
 1991          * XXX what happens if !acked but response shows up before callback?
 1992          */
 1993         if (ic->ic_state == ostate)
 1994                 callout_reset(&ic->ic_mgtsend,
 1995                         status == 0 ? IEEE80211_TRANS_WAIT*hz : 0,
 1996                         ieee80211_tx_mgt_timeout, ni);
 1997 }
 1998 
 1999 /*
 2000  * Allocate a beacon frame and fillin the appropriate bits.
 2001  */
 2002 struct mbuf *
 2003 ieee80211_beacon_alloc(struct ieee80211_node *ni,
 2004         struct ieee80211_beacon_offsets *bo)
 2005 {
 2006         struct ieee80211com *ic = ni->ni_ic;
 2007         struct ifnet *ifp = ic->ic_ifp;
 2008         struct ieee80211_frame *wh;
 2009         struct mbuf *m;
 2010         int pktlen;
 2011         uint8_t *frm;
 2012         uint16_t capinfo;
 2013         struct ieee80211_rateset *rs;
 2014 
 2015         /*
 2016          * beacon frame format
 2017          *      [8] time stamp
 2018          *      [2] beacon interval
 2019          *      [2] cabability information
 2020          *      [tlv] ssid
 2021          *      [tlv] supported rates
 2022          *      [3] parameter set (DS)
 2023          *      [tlv] parameter set (IBSS/TIM)
 2024          *      [tlv] country code
 2025          *      [tlv] extended rate phy (ERP)
 2026          *      [tlv] extended supported rates
 2027          *      [tlv] WME parameters
 2028          *      [tlv] WPA/RSN parameters
 2029          *      [tlv] HT capabilities
 2030          *      [tlv] HT information
 2031          *      [tlv] Vendor OUI HT capabilities (optional)
 2032          *      [tlv] Vendor OUI HT information (optional)
 2033          * XXX Vendor-specific OIDs (e.g. Atheros)
 2034          * NB: we allocate the max space required for the TIM bitmap.
 2035          */
 2036         rs = &ni->ni_rates;
 2037         pktlen =   8                                    /* time stamp */
 2038                  + sizeof(uint16_t)                     /* beacon interval */
 2039                  + sizeof(uint16_t)                     /* capabilities */
 2040                  + 2 + ni->ni_esslen                    /* ssid */
 2041                  + 2 + IEEE80211_RATE_SIZE              /* supported rates */
 2042                  + 2 + 1                                /* DS parameters */
 2043                  + 2 + 4 + ic->ic_tim_len               /* DTIM/IBSSPARMS */
 2044                  + sizeof(struct ieee80211_country_ie)  /* country code */
 2045                  + 2 + 1                                /* ERP */
 2046                  + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE)
 2047                  + (ic->ic_caps & IEEE80211_C_WME ?     /* WME */
 2048                         sizeof(struct ieee80211_wme_param) : 0)
 2049                  + (ic->ic_caps & IEEE80211_C_WPA ?     /* WPA 1+2 */
 2050                         2*sizeof(struct ieee80211_ie_wpa) : 0)
 2051                  /* XXX conditional? */
 2052                  + 4+2*sizeof(struct ieee80211_ie_htcap)/* HT caps */
 2053                  + 4+2*sizeof(struct ieee80211_ie_htinfo)/* HT info */
 2054                  ;
 2055         m = ieee80211_getmgtframe(&frm,
 2056                 ic->ic_headroom + sizeof(struct ieee80211_frame), pktlen);
 2057         if (m == NULL) {
 2058                 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY,
 2059                         "%s: cannot get buf; size %u\n", __func__, pktlen);
 2060                 ic->ic_stats.is_tx_nobuf++;
 2061                 return NULL;
 2062         }
 2063 
 2064         memset(bo, 0, sizeof(*bo));
 2065 
 2066         memset(frm, 0, 8);      /* XXX timestamp is set by hardware/driver */
 2067         frm += 8;
 2068         *(uint16_t *)frm = htole16(ni->ni_intval);
 2069         frm += 2;
 2070         capinfo = getcapinfo(ic, ni->ni_chan);
 2071         bo->bo_caps = (uint16_t *)frm;
 2072         *(uint16_t *)frm = htole16(capinfo);
 2073         frm += 2;
 2074         *frm++ = IEEE80211_ELEMID_SSID;
 2075         if ((ic->ic_flags & IEEE80211_F_HIDESSID) == 0) {
 2076                 *frm++ = ni->ni_esslen;
 2077                 memcpy(frm, ni->ni_essid, ni->ni_esslen);
 2078                 frm += ni->ni_esslen;
 2079         } else
 2080                 *frm++ = 0;
 2081         frm = ieee80211_add_rates(frm, rs);
 2082         if (!IEEE80211_IS_CHAN_FHSS(ic->ic_bsschan)) {
 2083                 *frm++ = IEEE80211_ELEMID_DSPARMS;
 2084                 *frm++ = 1;
 2085                 *frm++ = ieee80211_chan2ieee(ic, ic->ic_bsschan);
 2086         }
 2087         bo->bo_tim = frm;
 2088         if (ic->ic_opmode == IEEE80211_M_IBSS) {
 2089                 *frm++ = IEEE80211_ELEMID_IBSSPARMS;
 2090                 *frm++ = 2;
 2091                 *frm++ = 0; *frm++ = 0;         /* TODO: ATIM window */
 2092                 bo->bo_tim_len = 0;
 2093         } else if (ic->ic_opmode == IEEE80211_M_HOSTAP) {
 2094                 struct ieee80211_tim_ie *tie = (struct ieee80211_tim_ie *) frm;
 2095 
 2096                 tie->tim_ie = IEEE80211_ELEMID_TIM;
 2097                 tie->tim_len = 4;       /* length */
 2098                 tie->tim_count = 0;     /* DTIM count */ 
 2099                 tie->tim_period = ic->ic_dtim_period;   /* DTIM period */
 2100                 tie->tim_bitctl = 0;    /* bitmap control */
 2101                 tie->tim_bitmap[0] = 0; /* Partial Virtual Bitmap */
 2102                 frm += sizeof(struct ieee80211_tim_ie);
 2103                 bo->bo_tim_len = 1;
 2104         }
 2105         bo->bo_tim_trailer = frm;
 2106         if (ic->ic_flags & IEEE80211_F_DOTH)
 2107                 frm = ieee80211_add_countryie(frm, ic,
 2108                         ic->ic_countrycode, ic->ic_location);
 2109         if (ic->ic_flags & IEEE80211_F_WPA)
 2110                 frm = ieee80211_add_wpa(frm, ic);
 2111         if (IEEE80211_IS_CHAN_ANYG(ic->ic_bsschan)) {
 2112                 bo->bo_erp = frm;
 2113                 frm = ieee80211_add_erp(frm, ic);
 2114         }
 2115         frm = ieee80211_add_xrates(frm, rs);
 2116         if (IEEE80211_IS_CHAN_HT(ic->ic_bsschan)) {
 2117                 frm = ieee80211_add_htcap(frm, ni);
 2118                 bo->bo_htinfo = frm;
 2119                 frm = ieee80211_add_htinfo(frm, ni);
 2120         }
 2121         if (ic->ic_flags & IEEE80211_F_WME) {
 2122                 bo->bo_wme = frm;
 2123                 frm = ieee80211_add_wme_param(frm, &ic->ic_wme);
 2124         }
 2125         if (IEEE80211_IS_CHAN_HT(ic->ic_bsschan) &&
 2126             (ic->ic_flags_ext & IEEE80211_FEXT_HTCOMPAT)) {
 2127                 frm = ieee80211_add_htcap_vendor(frm, ni);
 2128                 frm = ieee80211_add_htinfo_vendor(frm, ni);
 2129         }
 2130         bo->bo_tim_trailer_len = frm - bo->bo_tim_trailer;
 2131         m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *);
 2132 
 2133         M_PREPEND(m, sizeof(struct ieee80211_frame), M_DONTWAIT);
 2134         KASSERT(m != NULL, ("no space for 802.11 header?"));
 2135         wh = mtod(m, struct ieee80211_frame *);
 2136         wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_MGT |
 2137             IEEE80211_FC0_SUBTYPE_BEACON;
 2138         wh->i_fc[1] = IEEE80211_FC1_DIR_NODS;
 2139         *(uint16_t *)wh->i_dur = 0;
 2140         IEEE80211_ADDR_COPY(wh->i_addr1, ifp->if_broadcastaddr);
 2141         IEEE80211_ADDR_COPY(wh->i_addr2, ic->ic_myaddr);
 2142         IEEE80211_ADDR_COPY(wh->i_addr3, ni->ni_bssid);
 2143         *(uint16_t *)wh->i_seq = 0;
 2144 
 2145         return m;
 2146 }
 2147 
 2148 /*
 2149  * Update the dynamic parts of a beacon frame based on the current state.
 2150  */
 2151 int
 2152 ieee80211_beacon_update(struct ieee80211_node *ni,
 2153         struct ieee80211_beacon_offsets *bo, struct mbuf *m, int mcast)
 2154 {
 2155         struct ieee80211com *ic = ni->ni_ic;
 2156         int len_changed = 0;
 2157         uint16_t capinfo;
 2158 
 2159         IEEE80211_BEACON_LOCK(ic);
 2160         /* XXX faster to recalculate entirely or just changes? */
 2161         capinfo = getcapinfo(ic, ni->ni_chan);
 2162         *bo->bo_caps = htole16(capinfo);
 2163 
 2164         if (ic->ic_flags & IEEE80211_F_WME) {
 2165                 struct ieee80211_wme_state *wme = &ic->ic_wme;
 2166 
 2167                 /*
 2168                  * Check for agressive mode change.  When there is
 2169                  * significant high priority traffic in the BSS
 2170                  * throttle back BE traffic by using conservative
 2171                  * parameters.  Otherwise BE uses agressive params
 2172                  * to optimize performance of legacy/non-QoS traffic.
 2173                  */
 2174                 if (wme->wme_flags & WME_F_AGGRMODE) {
 2175                         if (wme->wme_hipri_traffic >
 2176                             wme->wme_hipri_switch_thresh) {
 2177                                 IEEE80211_DPRINTF(ic, IEEE80211_MSG_WME,
 2178                                     "%s: traffic %u, disable aggressive mode\n",
 2179                                     __func__, wme->wme_hipri_traffic);
 2180                                 wme->wme_flags &= ~WME_F_AGGRMODE;
 2181                                 ieee80211_wme_updateparams_locked(ic);
 2182                                 wme->wme_hipri_traffic =
 2183                                         wme->wme_hipri_switch_hysteresis;
 2184                         } else
 2185                                 wme->wme_hipri_traffic = 0;
 2186                 } else {
 2187                         if (wme->wme_hipri_traffic <=
 2188                             wme->wme_hipri_switch_thresh) {
 2189                                 IEEE80211_DPRINTF(ic, IEEE80211_MSG_WME,
 2190                                     "%s: traffic %u, enable aggressive mode\n",
 2191                                     __func__, wme->wme_hipri_traffic);
 2192                                 wme->wme_flags |= WME_F_AGGRMODE;
 2193                                 ieee80211_wme_updateparams_locked(ic);
 2194                                 wme->wme_hipri_traffic = 0;
 2195                         } else
 2196                                 wme->wme_hipri_traffic =
 2197                                         wme->wme_hipri_switch_hysteresis;
 2198                 }
 2199                 if (isset(bo->bo_flags, IEEE80211_BEACON_WME)) {
 2200                         (void) ieee80211_add_wme_param(bo->bo_wme, wme);
 2201                         clrbit(bo->bo_flags, IEEE80211_BEACON_WME);
 2202                 }
 2203         }
 2204 
 2205         if (isset(bo->bo_flags, IEEE80211_BEACON_HTINFO)) {
 2206                 ieee80211_ht_update_beacon(ic, bo);
 2207                 clrbit(bo->bo_flags, IEEE80211_BEACON_HTINFO);
 2208         }
 2209 
 2210         if (ic->ic_opmode == IEEE80211_M_HOSTAP) {      /* NB: no IBSS support*/
 2211                 struct ieee80211_tim_ie *tie =
 2212                         (struct ieee80211_tim_ie *) bo->bo_tim;
 2213                 if (isset(bo->bo_flags, IEEE80211_BEACON_TIM)) {
 2214                         u_int timlen, timoff, i;
 2215                         /* 
 2216                          * ATIM/DTIM needs updating.  If it fits in the
 2217                          * current space allocated then just copy in the
 2218                          * new bits.  Otherwise we need to move any trailing
 2219                          * data to make room.  Note that we know there is
 2220                          * contiguous space because ieee80211_beacon_allocate
 2221                          * insures there is space in the mbuf to write a
 2222                          * maximal-size virtual bitmap (based on ic_max_aid).
 2223                          */
 2224                         /*
 2225                          * Calculate the bitmap size and offset, copy any
 2226                          * trailer out of the way, and then copy in the
 2227                          * new bitmap and update the information element.
 2228                          * Note that the tim bitmap must contain at least
 2229                          * one byte and any offset must be even.
 2230                          */
 2231                         if (ic->ic_ps_pending != 0) {
 2232                                 timoff = 128;           /* impossibly large */
 2233                                 for (i = 0; i < ic->ic_tim_len; i++)
 2234                                         if (ic->ic_tim_bitmap[i]) {
 2235                                                 timoff = i &~ 1;
 2236                                                 break;
 2237                                         }
 2238                                 KASSERT(timoff != 128, ("tim bitmap empty!"));
 2239                                 for (i = ic->ic_tim_len-1; i >= timoff; i--)
 2240                                         if (ic->ic_tim_bitmap[i])
 2241                                                 break;
 2242                                 timlen = 1 + (i - timoff);
 2243                         } else {
 2244                                 timoff = 0;
 2245                                 timlen = 1;
 2246                         }
 2247                         if (timlen != bo->bo_tim_len) {
 2248                                 /* copy up/down trailer */
 2249                                 int adjust = tie->tim_bitmap+timlen
 2250                                            - bo->bo_tim_trailer;
 2251                                 ovbcopy(bo->bo_tim_trailer,
 2252                                     bo->bo_tim_trailer+adjust,
 2253                                     bo->bo_tim_trailer_len);
 2254                                 bo->bo_tim_trailer += adjust;
 2255                                 bo->bo_wme += adjust;
 2256                                 bo->bo_erp += adjust;
 2257                                 bo->bo_htinfo += adjust;
 2258                                 bo->bo_tim_len = timlen;
 2259 
 2260                                 /* update information element */
 2261                                 tie->tim_len = 3 + timlen;
 2262                                 tie->tim_bitctl = timoff;
 2263                                 len_changed = 1;
 2264                         }
 2265                         memcpy(tie->tim_bitmap, ic->ic_tim_bitmap + timoff,
 2266                                 bo->bo_tim_len);
 2267 
 2268                         clrbit(bo->bo_flags, IEEE80211_BEACON_TIM);
 2269 
 2270                         IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER,
 2271                                 "%s: TIM updated, pending %u, off %u, len %u\n",
 2272                                 __func__, ic->ic_ps_pending, timoff, timlen);
 2273                 }
 2274                 /* count down DTIM period */
 2275                 if (tie->tim_count == 0)
 2276                         tie->tim_count = tie->tim_period - 1;
 2277                 else
 2278                         tie->tim_count--;
 2279                 /* update state for buffered multicast frames on DTIM */
 2280                 if (mcast && tie->tim_count == 0)
 2281                         tie->tim_bitctl |= 1;
 2282                 else
 2283                         tie->tim_bitctl &= ~1;
 2284                 if (isset(bo->bo_flags, IEEE80211_BEACON_ERP)) {
 2285                         /*
 2286                          * ERP element needs updating.
 2287                          */
 2288                         (void) ieee80211_add_erp(bo->bo_erp, ic);
 2289                         clrbit(bo->bo_flags, IEEE80211_BEACON_ERP);
 2290                 }
 2291         }
 2292         IEEE80211_BEACON_UNLOCK(ic);
 2293 
 2294         return len_changed;
 2295 }

Cache object: 8aa76bd2ffafa26fc7b2d73c4a59e599


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]


This page is part of the FreeBSD/Linux Linux Kernel Cross-Reference, and was automatically generated using a modified version of the LXR engine.