1 #ifndef _GPXE_IEEE80211_H 2 #define _GPXE_IEEE80211_H 3 4 #include <gpxe/if_ether.h> /* for ETH_ALEN */ 5 #include <endian.h> 6 7 /** @file 8 * Constants and data structures defined in IEEE 802.11, subsetted 9 * according to what gPXE knows how to use. 10 */ 11 12 FILE_LICENCE(GPL2_OR_LATER); 13 14 /* ---------- Maximum lengths of things ---------- */ 15 16 /** 17 * @defgroup ieee80211_maxlen Maximum lengths in the 802.11 protocol 18 * @{ 19 */ 20 21 /** Maximum length of frame payload 22 * 23 * This does not include cryptographic overhead, which can be up to 20 24 * bytes, but it DOES include the 802.2 LLC/SNAP headers that are used 25 * on data frames (but not management frames). 26 */ 27 #define IEEE80211_MAX_DATA_LEN 2304 28 29 /** Length of LLC/SNAP headers on data frames */ 30 #define IEEE80211_LLC_HEADER_LEN 8 31 32 /** Maximum cryptographic overhead before encrypted data */ 33 #define IEEE80211_MAX_CRYPTO_HEADER 8 34 35 /** Maximum cryptographic overhead after encrypted data 36 * 37 * This does not count the MIC in TKIP frames, since that is 38 * considered to be part of the MSDU and thus contributes to the size 39 * of the data field. 40 * 41 * It @e does count the MIC in CCMP frames, which is considered part 42 * of the MPDU (outside the data field). 43 */ 44 #define IEEE80211_MAX_CRYPTO_TRAILER 8 45 46 /** Total maximum cryptographic overhead */ 47 #define IEEE80211_MAX_CRYPTO_OVERHEAD 16 48 49 /** Bytes of network-layer data that can go into a regular data frame */ 50 #define IEEE80211_MAX_FRAME_DATA 2296 51 52 /** Frame header length for frames we might work with 53 * 54 * QoS adds a two-byte field on top of this, and APs communicating 55 * with each other in Wireless Distribution System (WDS) mode add an 56 * extra 6-byte MAC address field, but we do not work with such 57 * frames. 58 */ 59 #define IEEE80211_TYP_FRAME_HEADER_LEN 24 60 61 /** Theoretical maximum frame header length 62 * 63 * This includes the QoS and WDS Addr4 fields that we should never 64 * see. 65 */ 66 #define IEEE80211_MAX_FRAME_HEADER_LEN 32 67 68 /** Maximum combined frame length 69 * 70 * The biggest frame will include 32 frame header bytes, 16 bytes of 71 * crypto overhead, and 2304 data bytes. 72 */ 73 #define IEEE80211_MAX_FRAME_LEN 2352 74 75 /** Maximum length of an ESSID */ 76 #define IEEE80211_MAX_SSID_LEN 32 77 78 /** @} */ 79 80 81 /* ---------- Frame Control defines ---------- */ 82 83 /** 84 * @defgroup ieee80211_fc 802.11 Frame Control field bits 85 * @{ 86 */ 87 88 /** 802.11 Frame Control field, Version bitmask */ 89 #define IEEE80211_FC_VERSION 0x0003 90 91 /** Expected value of Version bits in Frame Control */ 92 #define IEEE80211_THIS_VERSION 0x0000 93 94 95 /** 802.11 Frame Control field, Frame Type bitmask */ 96 #define IEEE80211_FC_TYPE 0x000C 97 98 /** Type value for management (layer-2) frames */ 99 #define IEEE80211_TYPE_MGMT 0x0000 100 101 /** Type value for control (layer-1, hardware-managed) frames */ 102 #define IEEE80211_TYPE_CTRL 0x0004 103 104 /** Type value for data frames */ 105 #define IEEE80211_TYPE_DATA 0x0008 106 107 108 /** 802.11 Frame Control field, Frame Subtype bitmask */ 109 #define IEEE80211_FC_SUBTYPE 0x00F0 110 111 /** Subtype value for association-request management frames 112 * 113 * Association request frames are sent after authentication from the 114 * client to the Access Point to establish the client as part of the 115 * Access Point's network. 116 */ 117 #define IEEE80211_STYPE_ASSOC_REQ 0x0000 118 119 /** Subtype value for association-response management frames 120 * 121 * Association response frames are sent by the Access Point to confirm 122 * or deny the association requested in an association request frame. 123 */ 124 #define IEEE80211_STYPE_ASSOC_RESP 0x0010 125 126 /** Subtype value for reassociation-request management frames 127 * 128 * Reassociation request frames are sent by clients wishing to change 129 * from one Access Point to another while roaming within the same 130 * extended network (same ESSID). 131 */ 132 #define IEEE80211_STYPE_REASSOC_REQ 0x0020 133 134 /** Subtype value for reassociation-response management frames 135 * 136 * Reassociation response frames are sent by the Access Point to 137 * confirm or deny the swap requested in a reassociation request 138 * frame. 139 */ 140 #define IEEE80211_STYPE_REASSOC_RESP 0x0030 141 142 /** Subtype value for probe-request management frames 143 * 144 * Probe request frames are sent by clients to request that all Access 145 * Points on the sending channel, or all belonging to a particular 146 * ESSID, identify themselves by BSSID, supported transfer rates, RF 147 * configuration, and other capabilities. 148 */ 149 #define IEEE80211_STYPE_PROBE_REQ 0x0040 150 151 /** Subtype value for probe-response management frames 152 * 153 * Probe response frames are sent by Access Points in response to 154 * probe request frames, providing the requested information. 155 */ 156 #define IEEE80211_STYPE_PROBE_RESP 0x0050 157 158 /** Subtype value for beacon management frames 159 * 160 * Beacon frames are sent by Access Points at regular intervals, 161 * usually ten per second, on the channel on which they communicate. 162 * They can be used to probe passively for access points on a channel 163 * where local regulatory restrictions prohibit active scanning, or 164 * due to their regularity as a mechanism to determine the fraction of 165 * packets that are being dropped. 166 */ 167 #define IEEE80211_STYPE_BEACON 0x0080 168 169 /** Subtype value for disassociation management frames 170 * 171 * Disassociation frames are sent by either a client or an Access 172 * Point to unequivocally terminate the association between the two. 173 * They may be sent by clients upon leaving the network, or by an 174 * Access Point upon reconfiguration, among other reasons; they are 175 * usually more "polite" than deauthentication frames. 176 */ 177 #define IEEE80211_STYPE_DISASSOC 0x00A0 178 179 /** Subtype value for authentication management frames 180 * 181 * Authentication frames are exchanged between a client and an Access 182 * Point before association may be performed. Confusingly, in the most 183 * common authentication method (Open System) no security tokens are 184 * exchanged at all. Modern 802.11 security handshaking takes place 185 * after association. 186 */ 187 #define IEEE80211_STYPE_AUTH 0x00B0 188 189 /** Subtype value for deauthentication management frames 190 * 191 * Deauthentication frames are sent by either a client or an Access 192 * Point to terminate the authentication (and therefore also the 193 * association) between the two. They are generally more forceful than 194 * disassociation frames, sent for such reasons as a failure to 195 * set up security properly after associating. 196 */ 197 #define IEEE80211_STYPE_DEAUTH 0x00C0 198 199 /** Subtype value for action management frames 200 * 201 * Action frames are used to implement spectrum management and QoS 202 * features that gPXE currently does not support. 203 */ 204 #define IEEE80211_STYPE_ACTION 0x00D0 205 206 207 /** Subtype value for RTS (request to send) control frames */ 208 #define IEEE80211_STYPE_RTS 0x00B0 209 210 /** Subtype value for CTS (clear to send) control frames */ 211 #define IEEE80211_STYPE_CTS 0x00C0 212 213 /** Subtype value for ACK (acknowledgement) control frames */ 214 #define IEEE80211_STYPE_ACK 0x00D0 215 216 217 /** Subtype value for ordinary data frames, with no QoS or CF add-ons */ 218 #define IEEE80211_STYPE_DATA 0x0000 219 220 /** Subtype value for data frames containing no data */ 221 #define IEEE80211_STYPE_NODATA 0x0040 222 223 224 /** 802.11 Frame Control field: To Data System flag 225 * 226 * This is set on data frames sent to an Access Point. 227 */ 228 #define IEEE80211_FC_TODS 0x0100 229 230 /** 802.11 Frame Control field: From Data System flag 231 * 232 * This is set on data frames sent from an Access Point. If both TODS 233 * and FROMDS are set, the frame header is a 4-address format used for 234 * inter-Access Point communication. 235 */ 236 #define IEEE80211_FC_FROMDS 0x0200 237 238 /** 802.11 Frame Control field: More Fragments flag */ 239 #define IEEE80211_FC_MORE_FRAG 0x0400 240 241 /** 802.11 Frame Control field: Retransmission flag */ 242 #define IEEE80211_FC_RETRY 0x0800 243 244 /** 802.11 Frame Control field: Power Managed flag 245 * 246 * This is set on any frame sent by a low-power station that will go 247 * into a power-saving mode immediately after this frame. Access 248 * Points are not allowed to act as low-power stations. 249 */ 250 #define IEEE80211_FC_PWR_MGMT 0x1000 251 252 /** 802.11 Frame Control field: More Data flag 253 * 254 * This is set on any frame sent by a station that has more data 255 * queued to be sent than is in the frame. 256 */ 257 #define IEEE80211_FC_MORE_DATA 0x2000 258 259 /** 802.11 Frame Control field: Protected flag 260 * 261 * This is set on frames in which data is encrypted (by any method). 262 */ 263 #define IEEE80211_FC_PROTECTED 0x4000 264 265 /** 802.11 Frame Control field: Ordered flag [?] */ 266 #define IEEE80211_FC_ORDER 0x8000 267 268 /** @} */ 269 270 271 /* ---------- Sequence Control defines ---------- */ 272 273 /** 274 * @defgroup ieee80211_seq 802.11 Sequence Control field handling 275 * @{ 276 */ 277 278 /** Extract sequence number from 802.11 Sequence Control field */ 279 #define IEEE80211_SEQNR( seq ) ( ( seq ) >> 4 ) 280 281 /** Extract fragment number from 802.11 Sequence Control field */ 282 #define IEEE80211_FRAG( seq ) ( ( seq ) & 0x000F ) 283 284 /** Make 802.11 Sequence Control field from sequence and fragment numbers */ 285 #define IEEE80211_MAKESEQ( seqnr, frag ) \ 286 ( ( ( ( seqnr ) & 0xFFF ) << 4 ) | ( ( frag ) & 0xF ) ) 287 288 /** @} */ 289 290 291 /* ---------- Frame header formats ---------- */ 292 293 /** 294 * @defgroup ieee80211_hdr 802.11 frame header formats 295 * @{ 296 */ 297 298 /** An 802.11 data or management frame without QoS or WDS header fields */ 299 struct ieee80211_frame 300 { 301 u16 fc; /**< 802.11 Frame Control field */ 302 u16 duration; /**< Microseconds to reserve link */ 303 u8 addr1[ETH_ALEN]; /**< Address 1 (immediate receiver) */ 304 u8 addr2[ETH_ALEN]; /**< Address 2 (immediate sender) */ 305 u8 addr3[ETH_ALEN]; /**< Address 3 (often "forward to") */ 306 u16 seq; /**< 802.11 Sequence Control field */ 307 u8 data[0]; /**< Beginning of frame data */ 308 } __attribute__((packed)); 309 310 /** The 802.2 LLC/SNAP header sent before actual data in a data frame 311 * 312 * This header is not acknowledged in the 802.11 standard at all; it 313 * is treated just like data for MAC-layer purposes, including 314 * fragmentation and encryption. It is actually two headers 315 * concatenated: a three-byte 802.2 LLC header indicating Subnetwork 316 * Accesss Protocol (SNAP) in both source and destination Service 317 * Access Point (SAP) fields, and a five-byte SNAP header indicating a 318 * zero OUI and two-byte Ethernet protocol type field. 319 * 320 * Thus, an eight-byte header in which six of the bytes are redundant. 321 * Lovely, isn't it? 322 */ 323 struct ieee80211_llc_snap_header 324 { 325 /* LLC part: */ 326 u8 dsap; /**< Destination SAP ID */ 327 u8 ssap; /**< Source SAP ID */ 328 u8 ctrl; /**< Control information */ 329 330 /* SNAP part: */ 331 u8 oui[3]; /**< Organization code, usually 0 */ 332 u16 ethertype; /**< Ethernet Type field */ 333 } __attribute__((packed)); 334 335 /** Value for DSAP field in 802.2 LLC header for 802.11 frames: SNAP */ 336 #define IEEE80211_LLC_DSAP 0xAA 337 338 /** Value for SSAP field in 802.2 LLC header for 802.11 frames: SNAP */ 339 #define IEEE80211_LLC_SSAP 0xAA 340 341 /** Value for control field in 802.2 LLC header for 802.11 frames 342 * 343 * "Unnumbered Information". 344 */ 345 #define IEEE80211_LLC_CTRL 0x03 346 347 348 /** 16-byte RTS frame format, with abbreviated header */ 349 struct ieee80211_rts 350 { 351 u16 fc; /**< 802.11 Frame Control field */ 352 u16 duration; /**< Microseconds to reserve link */ 353 u8 addr1[ETH_ALEN]; /**< Address 1 (immediate receiver) */ 354 u8 addr2[ETH_ALEN]; /**< Address 2 (immediate sender) */ 355 } __attribute__((packed)); 356 357 /** Length of 802.11 RTS control frame */ 358 #define IEEE80211_RTS_LEN 16 359 360 /** 10-byte CTS or ACK frame format, with abbreviated header */ 361 struct ieee80211_cts_or_ack 362 { 363 u16 fc; /**< 802.11 Frame Control field */ 364 u16 duration; /**< Microseconds to reserve link */ 365 u8 addr1[ETH_ALEN]; /**< Address 1 (immediate receiver) */ 366 } __attribute__((packed)); 367 368 #define ieee80211_cts ieee80211_cts_or_ack 369 #define ieee80211_ack ieee80211_cts_or_ack 370 371 /** Length of 802.11 CTS control frame */ 372 #define IEEE80211_CTS_LEN 10 373 374 /** Length of 802.11 ACK control frame */ 375 #define IEEE80211_ACK_LEN 10 376 377 /** @} */ 378 379 380 /* ---------- Capability bits, status and reason codes ---------- */ 381 382 /** 383 * @defgroup ieee80211_capab 802.11 management frame capability field bits 384 * @{ 385 */ 386 387 /** Set if using an Access Point (managed mode) */ 388 #define IEEE80211_CAPAB_MANAGED 0x0001 389 390 /** Set if operating in IBSS (no-AP, "Ad-Hoc") mode */ 391 #define IEEE80211_CAPAB_ADHOC 0x0002 392 393 /** Set if we support Contention-Free Period operation */ 394 #define IEEE80211_CAPAB_CFPOLL 0x0004 395 396 /** Set if we wish to be polled for Contention-Free operation */ 397 #define IEEE80211_CAPAB_CFPR 0x0008 398 399 /** Set if the network is encrypted (by any method) */ 400 #define IEEE80211_CAPAB_PRIVACY 0x0010 401 402 /** Set if PHY supports short preambles on 802.11b */ 403 #define IEEE80211_CAPAB_SHORT_PMBL 0x0020 404 405 /** Set if PHY supports PBCC modulation */ 406 #define IEEE80211_CAPAB_PBCC 0x0040 407 408 /** Set if we support Channel Agility */ 409 #define IEEE80211_CAPAB_CHAN_AGILITY 0x0080 410 411 /** Set if we support spectrum management (DFS and TPC) on the 5GHz band */ 412 #define IEEE80211_CAPAB_SPECTRUM_MGMT 0x0100 413 414 /** Set if we support Quality of Service enhancements */ 415 #define IEEE80211_CAPAB_QOS 0x0200 416 417 /** Set if PHY supports short slot time on 802.11g */ 418 #define IEEE80211_CAPAB_SHORT_SLOT 0x0400 419 420 /** Set if PHY supports APSD option */ 421 #define IEEE80211_CAPAB_APSD 0x0800 422 423 /** Set if PHY supports DSSS/OFDM modulation (one way of 802.11 b/g mixing) */ 424 #define IEEE80211_CAPAB_DSSS_OFDM 0x2000 425 426 /** Set if we support delayed block ACK */ 427 #define IEEE80211_CAPAB_DELAYED_BACK 0x4000 428 429 /** Set if we support immediate block ACK */ 430 #define IEEE80211_CAPAB_IMMED_BACK 0x8000 431 432 /** @} */ 433 434 435 /** 436 * @defgroup ieee80211_status 802.11 status codes 437 * 438 * These are returned to indicate an immediate denial of 439 * authentication or association. In gPXE, the lower 5 bits of the 440 * status code are encoded into the file-unique portion of an error 441 * code, the ERRFILE portion is always @c ERRFILE_net80211, and the 442 * POSIX error code is @c ECONNREFUSED for status 0-31 or @c 443 * EHOSTUNREACH for status 32-63. 444 * 445 * For a complete table with non-abbreviated error messages, see IEEE 446 * Std 802.11-2007, Table 7-23, p.94. 447 * 448 * @{ 449 */ 450 451 #define IEEE80211_STATUS_SUCCESS 0 452 #define IEEE80211_STATUS_FAILURE 1 453 #define IEEE80211_STATUS_CAPAB_UNSUPP 10 454 #define IEEE80211_STATUS_REASSOC_INVALID 11 455 #define IEEE80211_STATUS_ASSOC_DENIED 12 456 #define IEEE80211_STATUS_AUTH_ALGO_UNSUPP 13 457 #define IEEE80211_STATUS_AUTH_SEQ_INVALID 14 458 #define IEEE80211_STATUS_AUTH_CHALL_INVALID 15 459 #define IEEE80211_STATUS_AUTH_TIMEOUT 16 460 #define IEEE80211_STATUS_ASSOC_NO_ROOM 17 461 #define IEEE80211_STATUS_ASSOC_NEED_RATE 18 462 #define IEEE80211_STATUS_ASSOC_NEED_SHORT_PMBL 19 463 #define IEEE80211_STATUS_ASSOC_NEED_PBCC 20 464 #define IEEE80211_STATUS_ASSOC_NEED_CHAN_AGILITY 21 465 #define IEEE80211_STATUS_ASSOC_NEED_SPECTRUM_MGMT 22 466 #define IEEE80211_STATUS_ASSOC_BAD_POWER 23 467 #define IEEE80211_STATUS_ASSOC_BAD_CHANNELS 24 468 #define IEEE80211_STATUS_ASSOC_NEED_SHORT_SLOT 25 469 #define IEEE80211_STATUS_ASSOC_NEED_DSSS_OFDM 26 470 #define IEEE80211_STATUS_QOS_FAILURE 32 471 #define IEEE80211_STATUS_QOS_NO_ROOM 33 472 #define IEEE80211_STATUS_LINK_IS_HORRIBLE 34 473 #define IEEE80211_STATUS_ASSOC_NEED_QOS 35 474 #define IEEE80211_STATUS_REQUEST_DECLINED 37 475 #define IEEE80211_STATUS_REQUEST_INVALID 38 476 #define IEEE80211_STATUS_TS_NOT_CREATED_AGAIN 39 477 #define IEEE80211_STATUS_INVALID_IE 40 478 #define IEEE80211_STATUS_GROUP_CIPHER_INVALID 41 479 #define IEEE80211_STATUS_PAIR_CIPHER_INVALID 42 480 #define IEEE80211_STATUS_AKMP_INVALID 43 481 #define IEEE80211_STATUS_RSN_VERSION_UNSUPP 44 482 #define IEEE80211_STATUS_RSN_CAPAB_INVALID 45 483 #define IEEE80211_STATUS_CIPHER_REJECTED 46 484 #define IEEE80211_STATUS_TS_NOT_CREATED_WAIT 47 485 #define IEEE80211_STATUS_DIRECT_LINK_FORBIDDEN 48 486 #define IEEE80211_STATUS_DEST_NOT_PRESENT 49 487 #define IEEE80211_STATUS_DEST_NOT_QOS 50 488 #define IEEE80211_STATUS_ASSOC_LISTEN_TOO_HIGH 51 489 490 /** @} */ 491 492 493 494 /** 495 * @defgroup ieee80211_reason 802.11 reason codes 496 * 497 * These are returned to indicate the reason for a deauthentication or 498 * disassociation sent (usually) after authentication or association 499 * had succeeded. In gPXE, the lower 5 bits of the reason code are 500 * encoded into the file-unique portion of an error code, the ERRFILE 501 * portion is always @c ERRFILE_net80211, and the POSIX error code is 502 * @c ECONNRESET for reason 0-31 or @c ENETRESET for reason 32-63. 503 * 504 * For a complete table with non-abbreviated error messages, see IEEE 505 * Std 802.11-2007, Table 7-22, p.92. 506 * 507 * @{ 508 */ 509 510 #define IEEE80211_REASON_NONE 0 511 #define IEEE80211_REASON_UNSPECIFIED 1 512 #define IEEE80211_REASON_AUTH_NO_LONGER_VALID 2 513 #define IEEE80211_REASON_LEAVING 3 514 #define IEEE80211_REASON_INACTIVITY 4 515 #define IEEE80211_REASON_OUT_OF_RESOURCES 5 516 #define IEEE80211_REASON_NEED_AUTH 6 517 #define IEEE80211_REASON_NEED_ASSOC 7 518 #define IEEE80211_REASON_LEAVING_TO_ROAM 8 519 #define IEEE80211_REASON_REASSOC_INVALID 9 520 #define IEEE80211_REASON_BAD_POWER 10 521 #define IEEE80211_REASON_BAD_CHANNELS 11 522 #define IEEE80211_REASON_INVALID_IE 13 523 #define IEEE80211_REASON_MIC_FAILURE 14 524 #define IEEE80211_REASON_4WAY_TIMEOUT 15 525 #define IEEE80211_REASON_GROUPKEY_TIMEOUT 16 526 #define IEEE80211_REASON_4WAY_INVALID 17 527 #define IEEE80211_REASON_GROUP_CIPHER_INVALID 18 528 #define IEEE80211_REASON_PAIR_CIPHER_INVALID 19 529 #define IEEE80211_REASON_AKMP_INVALID 20 530 #define IEEE80211_REASON_RSN_VERSION_INVALID 21 531 #define IEEE80211_REASON_RSN_CAPAB_INVALID 22 532 #define IEEE80211_REASON_8021X_FAILURE 23 533 #define IEEE80211_REASON_CIPHER_REJECTED 24 534 #define IEEE80211_REASON_QOS_UNSPECIFIED 32 535 #define IEEE80211_REASON_QOS_OUT_OF_RESOURCES 33 536 #define IEEE80211_REASON_LINK_IS_HORRIBLE 34 537 #define IEEE80211_REASON_INVALID_TXOP 35 538 #define IEEE80211_REASON_REQUESTED_LEAVING 36 539 #define IEEE80211_REASON_REQUESTED_NO_USE 37 540 #define IEEE80211_REASON_REQUESTED_NEED_SETUP 38 541 #define IEEE80211_REASON_REQUESTED_TIMEOUT 39 542 #define IEEE80211_REASON_CIPHER_UNSUPPORTED 45 543 544 /** @} */ 545 546 /* ---------- Information element declarations ---------- */ 547 548 /** 549 * @defgroup ieee80211_ie 802.11 information elements 550 * 551 * Many management frames include a section that amounts to a 552 * concatenation of these information elements, so that the sender can 553 * choose which information to send and the receiver can ignore the 554 * parts it doesn't understand. Each IE contains a two-byte header, 555 * one byte ID and one byte length, followed by IE-specific data. The 556 * length does not include the two-byte header. Information elements 557 * are required to be sorted by ID, but gPXE does not require that in 558 * those it receives. 559 * 560 * This group also includes a few inline functions to simplify common 561 * tasks in IE processing. 562 * 563 * @{ 564 */ 565 566 /** Generic 802.11 information element header */ 567 struct ieee80211_ie_header { 568 u8 id; /**< Information element ID */ 569 u8 len; /**< Information element length */ 570 } __attribute__ ((packed)); 571 572 573 /** 802.11 SSID information element */ 574 struct ieee80211_ie_ssid { 575 u8 id; /**< SSID ID: 0 */ 576 u8 len; /**< SSID length */ 577 char ssid[0]; /**< SSID data, not NUL-terminated */ 578 } __attribute__ ((packed)); 579 580 /** Information element ID for SSID information element */ 581 #define IEEE80211_IE_SSID 0 582 583 584 /** 802.11 rates information element 585 * 586 * The first 8 rates go in an IE of type RATES (1), and any more rates 587 * go in one of type EXT_RATES (50). Each rate is a byte with the low 588 * 7 bits equal to the rate in units of 500 kbps, and the high bit set 589 * if and only if the rate is "basic" (must be supported by all 590 * connected stations). 591 */ 592 struct ieee80211_ie_rates { 593 u8 id; /**< Rates ID: 1 or 50 */ 594 u8 len; /**< Number of rates */ 595 u8 rates[0]; /**< Rates data, one rate per byte */ 596 } __attribute__ ((packed)); 597 598 /** Information element ID for rates information element */ 599 #define IEEE80211_IE_RATES 1 600 601 /** Information element ID for extended rates information element */ 602 #define IEEE80211_IE_EXT_RATES 50 603 604 605 /** 802.11 Direct Spectrum parameter information element 606 * 607 * This just contains the channel number. It has the fancy name 608 * because IEEE 802.11 also defines a frequency-hopping PHY that 609 * changes channels at regular intervals following a predetermined 610 * pattern; in practice nobody uses the FH PHY. 611 */ 612 struct ieee80211_ie_ds_param { 613 u8 id; /**< DS parameter ID: 3 */ 614 u8 len; /**< DS parameter length: 1 */ 615 u8 current_channel; /**< Current channel number, 1-14 */ 616 } __attribute__ ((packed)); 617 618 /** Information element ID for Direct Spectrum parameter information element */ 619 #define IEEE80211_IE_DS_PARAM 3 620 621 622 /** 802.11 Country information element regulatory extension triplet */ 623 struct ieee80211_ie_country_ext_triplet { 624 u8 reg_ext_id; /**< Regulatory extension ID */ 625 u8 reg_class_id; /**< Regulatory class ID */ 626 u8 coverage_class; /**< Coverage class */ 627 } __attribute__ ((packed)); 628 629 /** 802.11 Country information element regulatory band triplet */ 630 struct ieee80211_ie_country_band_triplet { 631 u8 first_channel; /**< Channel number for first channel in band */ 632 u8 nr_channels; /**< Number of contiguous channels in band */ 633 u8 max_txpower; /**< Maximum TX power in dBm */ 634 } __attribute__ ((packed)); 635 636 /** 802.11 Country information element regulatory triplet 637 * 638 * It is a band triplet if the first byte is 200 or less, and a 639 * regulatory extension triplet otherwise. 640 */ 641 union ieee80211_ie_country_triplet { 642 /** Differentiator between band and ext triplets */ 643 u8 first; 644 645 /** Information about a band of channels */ 646 struct ieee80211_ie_country_band_triplet band; 647 648 /** Regulatory extension information */ 649 struct ieee80211_ie_country_ext_triplet ext; 650 }; 651 652 /** 802.11 Country information element 653 * 654 * This contains some data about RF regulations. 655 */ 656 struct ieee80211_ie_country { 657 u8 id; /**< Country information ID: 7 */ 658 u8 len; /**< Country information length: varies */ 659 char name[2]; /**< ISO Alpha2 country code */ 660 char in_out; /**< 'I' for indoor, 'O' for outdoor */ 661 662 /** List of regulatory triplets */ 663 union ieee80211_ie_country_triplet triplet[0]; 664 } __attribute__ ((packed)); 665 666 /** Information element ID for Country information element */ 667 #define IEEE80211_IE_COUNTRY 7 668 669 670 /** 802.11 Request information element 671 * 672 * This contains a list of information element types we would like to 673 * be included in probe response frames. 674 */ 675 struct ieee80211_ie_request { 676 u8 id; /**< Request ID: 10 */ 677 u8 len; /**< Number of IEs requested */ 678 u8 request[0]; /**< List of IEs requested */ 679 } __attribute__ ((packed)); 680 681 /** Information element ID for Request information element */ 682 #define IEEE80211_IE_REQUEST 10 683 684 685 /** 802.11 Challenge Text information element 686 * 687 * This is used in authentication frames under Shared Key 688 * authentication. 689 */ 690 struct ieee80211_ie_challenge_text { 691 u8 id; /**< Challenge Text ID: 16 */ 692 u8 len; /**< Challenge Text length: usually 128 */ 693 u8 challenge_text[0]; /**< Challenge Text data */ 694 } __attribute__ ((packed)); 695 696 /** Information element ID for Challenge Text information element */ 697 #define IEEE80211_IE_CHALLENGE_TEXT 16 698 699 700 /** 802.11 Power Constraint information element 701 * 702 * This is used to specify an additional power limitation on top of 703 * the Country requirements. 704 */ 705 struct ieee80211_ie_power_constraint { 706 u8 id; /**< Power Constraint ID: 52 */ 707 u8 len; /**< Power Constraint length: 1 */ 708 u8 power_constraint; /**< Decrease in allowed TX power, dBm */ 709 } __attribute__ ((packed)); 710 711 /** Information element ID for Power Constraint information element */ 712 #define IEEE80211_IE_POWER_CONSTRAINT 52 713 714 715 /** 802.11 Power Capability information element 716 * 717 * This is used in association request frames to indicate the extremes 718 * of our TX power abilities. It is required only if we indicate 719 * support for spectrum management. 720 */ 721 struct ieee80211_ie_power_capab { 722 u8 id; /**< Power Capability ID: 33 */ 723 u8 len; /**< Power Capability length: 2 */ 724 u8 min_txpower; /**< Minimum possible TX power, dBm */ 725 u8 max_txpower; /**< Maximum possible TX power, dBm */ 726 } __attribute__ ((packed)); 727 728 /** Information element ID for Power Capability information element */ 729 #define IEEE80211_IE_POWER_CAPAB 33 730 731 732 /** 802.11 Channels information element channel band tuple */ 733 struct ieee80211_ie_channels_channel_band { 734 u8 first_channel; /**< Channel number of first channel in band */ 735 u8 nr_channels; /**< Number of channels in band */ 736 } __attribute__ ((packed)); 737 738 /** 802.11 Channels information element 739 * 740 * This is used in association frames to indicate the channels we can 741 * use. It is required only if we indicate support for spectrum 742 * management. 743 */ 744 struct ieee80211_ie_channels { 745 u8 id; /**< Channels ID: 36 */ 746 u8 len; /**< Channels length: 2 */ 747 748 /** List of (start, length) channel bands we can use */ 749 struct ieee80211_ie_channels_channel_band channels[0]; 750 } __attribute__ ((packed)); 751 752 /** Information element ID for Channels information element */ 753 #define IEEE80211_IE_CHANNELS 36 754 755 756 /** 802.11 ERP Information information element 757 * 758 * This is used to communicate some PHY-level flags. 759 */ 760 struct ieee80211_ie_erp_info { 761 u8 id; /**< ERP Information ID: 42 */ 762 u8 len; /**< ERP Information length: 1 */ 763 u8 erp_info; /**< ERP flags */ 764 } __attribute__ ((packed)); 765 766 /** Information element ID for ERP Information information element */ 767 #define IEEE80211_IE_ERP_INFO 42 768 769 /** ERP information element: Flag set if 802.11b stations are present */ 770 #define IEEE80211_ERP_NONERP_PRESENT 0x01 771 772 /** ERP information element: Flag set if CTS protection must be used */ 773 #define IEEE80211_ERP_USE_PROTECTION 0x02 774 775 /** ERP information element: Flag set if long preambles must be used */ 776 #define IEEE80211_ERP_BARKER_LONG 0x04 777 778 779 /** 802.11 Robust Security Network ("WPA") information element 780 * 781 * Showing once again a striking clarity of design, the IEEE folks put 782 * dynamically-sized data in the middle of this structure. As such, 783 * the below structure definition only works for IEs we create 784 * ourselves, which always have one pairwise cipher and one AKM; 785 * received IEs should be parsed piecemeal. 786 * 787 * Also inspired was IEEE's choice of 16-bit fields to count the 788 * number of 4-byte elements in a structure with a maximum length of 789 * 255 bytes. 790 * 791 * Many fields reference a cipher or authentication-type ID; this is a 792 * three-byte OUI followed by one byte identifying the cipher with 793 * respect to that OUI. For all standard ciphers the OUI is 00:0F:AC, 794 * except in old-style WPA IEs encapsulated in vendor-specific IEs, 795 * where it's 00:50:F2. 796 */ 797 struct ieee80211_ie_rsn { 798 /** Information element ID */ 799 u8 id; 800 801 /** Information element length */ 802 u8 len; 803 804 /** RSN information element version */ 805 u16 version; 806 807 /** Cipher ID for the cipher used in multicast/broadcast frames */ 808 u32 group_cipher; 809 810 /** Number of unicast ciphers supported */ 811 u16 pairwise_count; 812 813 /** List of cipher IDs for supported unicast frame ciphers */ 814 u32 pairwise_cipher[1]; 815 816 /** Number of authentication types supported */ 817 u16 akm_count; 818 819 /** List of authentication type IDs for supported types */ 820 u32 akm_list[1]; 821 822 /** Security capabilities field (RSN only) */ 823 u16 rsn_capab; 824 825 /** Number of PMKIDs included (present only in association frames) */ 826 u16 pmkid_count; 827 828 /** List of PMKIDs included, each a 16-byte SHA1 hash */ 829 u8 pmkid_list[0]; 830 } __attribute__((packed)); 831 832 /** Information element ID for Robust Security Network information element */ 833 #define IEEE80211_IE_RSN 48 834 835 /** Calculate necessary size of RSN information element 836 * 837 * @v npair Number of pairwise ciphers supported 838 * @v nauth Number of authentication types supported 839 * @v npmkid Number of PMKIDs to include 840 * @v is_rsn If TRUE, calculate RSN IE size; if FALSE, calculate WPA IE size 841 * @ret size Necessary size of IE, including header bytes 842 */ 843 static inline size_t ieee80211_rsn_size ( int npair, int nauth, int npmkid, 844 int rsn_ie ) { 845 return 16 + 4 * ( npair + nauth ) + 16 * npmkid - 4 * ! rsn_ie; 846 } 847 848 /** Make OUI plus type byte into 32-bit integer for easy comparison */ 849 #if __BYTE_ORDER == __BIG_ENDIAN 850 #define _MKOUI( a, b, c, t ) \ 851 ( ( ( a ) << 24 ) | ( ( b ) << 16 ) | ( ( c ) << 8 ) | ( d ) ) 852 #define OUI_ORG_MASK 0xFFFFFF00 853 #define OUI_TYPE_MASK 0x000000FF 854 #else 855 #define _MKOUI( a, b, c, t ) \ 856 ( ( ( t ) << 24 ) | ( ( c ) << 16 ) | ( ( b ) << 8 ) | ( a ) ) 857 #define OUI_ORG_MASK 0x00FFFFFF 858 #define OUI_TYPE_MASK 0xFF000000 859 #endif 860 861 /** Organization part for OUIs in standard RSN IE */ 862 #define IEEE80211_RSN_OUI _MKOUI ( 0x00, 0x0F, 0xAC, 0 ) 863 864 /** Organization part for OUIs in old WPA IE */ 865 #define IEEE80211_WPA_OUI _MKOUI ( 0x00, 0x50, 0xF2, 0 ) 866 867 /** Old vendor-type WPA IE OUI type + subtype */ 868 #define IEEE80211_WPA_OUI_VEN _MKOUI ( 0x00, 0x50, 0xF2, 0x01 ) 869 870 871 /** 802.11 RSN IE: expected version number */ 872 #define IEEE80211_RSN_VERSION 1 873 874 /** 802.11 RSN IE: cipher type for 40-bit WEP */ 875 #define IEEE80211_RSN_CTYPE_WEP40 _MKOUI ( 0, 0, 0, 0x01 ) 876 877 /** 802.11 RSN IE: cipher type for 104-bit WEP */ 878 #define IEEE80211_RSN_CTYPE_WEP104 _MKOUI ( 0, 0, 0, 0x05 ) 879 880 /** 802.11 RSN IE: cipher type for TKIP ("WPA") */ 881 #define IEEE80211_RSN_CTYPE_TKIP _MKOUI ( 0, 0, 0, 0x02 ) 882 883 /** 802.11 RSN IE: cipher type for CCMP ("WPA2") */ 884 #define IEEE80211_RSN_CTYPE_CCMP _MKOUI ( 0, 0, 0, 0x04 ) 885 886 /** 802.11 RSN IE: cipher type for "use group" 887 * 888 * This can only appear as a pairwise cipher, and means unicast frames 889 * should be encrypted in the same way as broadcast/multicast frames. 890 */ 891 #define IEEE80211_RSN_CTYPE_USEGROUP _MKOUI ( 0, 0, 0, 0x00 ) 892 893 /** 802.11 RSN IE: auth method type for using an 802.1X server */ 894 #define IEEE80211_RSN_ATYPE_8021X _MKOUI ( 0, 0, 0, 0x01 ) 895 896 /** 802.11 RSN IE: auth method type for using a pre-shared key */ 897 #define IEEE80211_RSN_ATYPE_PSK _MKOUI ( 0, 0, 0, 0x02 ) 898 899 /** 802.11 RSN IE capabilities: AP supports pre-authentication */ 900 #define IEEE80211_RSN_CAPAB_PREAUTH 0x001 901 902 /** 802.11 RSN IE capabilities: Node has conflict between TKIP and WEP 903 * 904 * This is a legacy issue; APs always set it to 0, and gPXE sets it to 905 * 0. 906 */ 907 #define IEEE80211_RSN_CAPAB_NO_PAIRWISE 0x002 908 909 /** 802.11 RSN IE capabilities: Number of PTKSA replay counters 910 * 911 * A value of 0 means one replay counter, 1 means two, 2 means four, 912 * and 3 means sixteen. 913 */ 914 #define IEEE80211_RSN_CAPAB_PTKSA_REPLAY 0x00C 915 916 /** 802.11 RSN IE capabilities: Number of GTKSA replay counters 917 * 918 * A value of 0 means one replay counter, 1 means two, 2 means four, 919 * and 3 means sixteen. 920 */ 921 #define IEEE80211_RSN_CAPAB_GTKSA_REPLAY 0x030 922 923 /** 802.11 RSN IE capabilities: PeerKey Handshaking is suported */ 924 #define IEEE80211_RSN_CAPAB_PEERKEY 0x200 925 926 927 /** 802.11 RSN IE capabilities: One replay counter 928 * 929 * This should be AND'ed with @c IEEE80211_RSN_CAPAB_PTKSA_REPLAY or 930 * @c IEEE80211_RSN_CAPAB_GTKSA_REPLAY (or both) to produce a value 931 * which can be OR'ed into the capabilities field. 932 */ 933 #define IEEE80211_RSN_1_CTR 0x000 934 935 /** 802.11 RSN IE capabilities: Two replay counters */ 936 #define IEEE80211_RSN_2_CTR 0x014 937 938 /** 802.11 RSN IE capabilities: Four replay counters */ 939 #define IEEE80211_RSN_4_CTR 0x028 940 941 /** 802.11 RSN IE capabilities: 16 replay counters */ 942 #define IEEE80211_RSN_16_CTR 0x03C 943 944 945 /** 802.11 Vendor Specific information element 946 * 947 * One often sees the RSN IE masquerading as vendor-specific on 948 * devices that were produced prior to 802.11i (the WPA amendment) 949 * being finalized. 950 */ 951 struct ieee80211_ie_vendor { 952 u8 id; /**< Vendor-specific ID: 221 */ 953 u8 len; /**< Vendor-specific length: variable */ 954 u32 oui; /**< OUI and vendor-specific type byte */ 955 u8 data[0]; /**< Vendor-specific data */ 956 } __attribute__ ((packed)); 957 958 /** Information element ID for Vendor Specific information element */ 959 #define IEEE80211_IE_VENDOR 221 960 961 962 963 964 /** Any 802.11 information element 965 * 966 * This is formatted for ease of use, so IEs with complex structures 967 * get referenced in full, while those with only one byte of data or a 968 * simple array are pulled in to avoid a layer of indirection like 969 * ie->channels.channels[0]. 970 */ 971 union ieee80211_ie 972 { 973 /** Generic and simple information element info */ 974 struct { 975 u8 id; /**< Information element ID */ 976 u8 len; /**< Information element data length */ 977 union { 978 char ssid[0]; /**< SSID text */ 979 u8 rates[0]; /**< Rates data */ 980 u8 request[0]; /**< Request list */ 981 u8 challenge_text[0]; /**< Challenge text data */ 982 u8 power_constraint; /**< Power constraint, dBm */ 983 u8 erp_info; /**< ERP information flags */ 984 /** List of channels */ 985 struct ieee80211_ie_channels_channel_band channels[0]; 986 }; 987 }; 988 989 /** DS parameter set */ 990 struct ieee80211_ie_ds_param ds_param; 991 992 /** Country information */ 993 struct ieee80211_ie_country country; 994 995 /** Power capability */ 996 struct ieee80211_ie_power_capab power_capab; 997 998 /** Security information */ 999 struct ieee80211_ie_rsn rsn; 1000 1001 /** Vendor-specific */ 1002 struct ieee80211_ie_vendor vendor; 1003 }; 1004 1005 /** Check that 802.11 information element is bounded by buffer 1006 * 1007 * @v ie Information element 1008 * @v end End of buffer in which information element is stored 1009 * @ret ok TRUE if the IE is completely contained within the buffer 1010 */ 1011 static inline int ieee80211_ie_bound ( union ieee80211_ie *ie, void *end ) 1012 { 1013 void *iep = ie; 1014 return ( iep + 2 <= end && iep + 2 + ie->len <= end ); 1015 } 1016 1017 /** Advance to next 802.11 information element 1018 * 1019 * @v ie Current information element pointer 1020 * @v end Pointer to first byte not in information element space 1021 * @ret next Pointer to next information element, or NULL if no more 1022 * 1023 * When processing received IEs, @a end should be set to the I/O 1024 * buffer tail pointer; when marshalling IEs for sending, @a end 1025 * should be NULL. 1026 */ 1027 static inline union ieee80211_ie * ieee80211_next_ie ( union ieee80211_ie *ie, 1028 void *end ) 1029 { 1030 void *next_ie_byte = ( void * ) ie + ie->len + 2; 1031 union ieee80211_ie *next_ie = next_ie_byte; 1032 1033 if ( ! end ) 1034 return next_ie; 1035 1036 if ( ieee80211_ie_bound ( next_ie, end ) ) 1037 return next_ie; 1038 1039 return NULL; 1040 } 1041 1042 /** @} */ 1043 1044 1045 /* ---------- Management frame data formats ---------- */ 1046 1047 /** 1048 * @defgroup ieee80211_mgmt_data Management frame data payloads 1049 * @{ 1050 */ 1051 1052 /** Beacon or probe response frame data */ 1053 struct ieee80211_beacon_or_probe_resp 1054 { 1055 /** 802.11 TSFT value at frame send */ 1056 u64 timestamp; 1057 1058 /** Interval at which beacons are sent, in units of 1024 us */ 1059 u16 beacon_interval; 1060 1061 /** Capability flags */ 1062 u16 capability; 1063 1064 /** List of information elements */ 1065 union ieee80211_ie info_element[0]; 1066 } __attribute__((packed)); 1067 1068 #define ieee80211_beacon ieee80211_beacon_or_probe_resp 1069 #define ieee80211_probe_resp ieee80211_beacon_or_probe_resp 1070 1071 /** Disassociation or deauthentication frame data */ 1072 struct ieee80211_disassoc_or_deauth 1073 { 1074 /** Reason code */ 1075 u16 reason; 1076 } __attribute__((packed)); 1077 1078 #define ieee80211_disassoc ieee80211_disassoc_or_deauth 1079 #define ieee80211_deauth ieee80211_disassoc_or_deauth 1080 1081 /** Association request frame data */ 1082 struct ieee80211_assoc_req 1083 { 1084 /** Capability flags */ 1085 u16 capability; 1086 1087 /** Interval at which we wake up, in units of the beacon interval */ 1088 u16 listen_interval; 1089 1090 /** List of information elements */ 1091 union ieee80211_ie info_element[0]; 1092 } __attribute__((packed)); 1093 1094 /** Association or reassociation response frame data */ 1095 struct ieee80211_assoc_or_reassoc_resp 1096 { 1097 /** Capability flags */ 1098 u16 capability; 1099 1100 /** Status code */ 1101 u16 status; 1102 1103 /** Association ID */ 1104 u16 aid; 1105 1106 /** List of information elements */ 1107 union ieee80211_ie info_element[0]; 1108 } __attribute__((packed)); 1109 1110 #define ieee80211_assoc_resp ieee80211_assoc_or_reassoc_resp 1111 #define ieee80211_reassoc_resp ieee80211_assoc_or_reassoc_resp 1112 1113 /** Reassociation request frame data */ 1114 struct ieee80211_reassoc_req 1115 { 1116 /** Capability flags */ 1117 u16 capability; 1118 1119 /** Interval at which we wake up, in units of the beacon interval */ 1120 u16 listen_interval; 1121 1122 /** MAC address of current Access Point */ 1123 u8 current_addr[ETH_ALEN]; 1124 1125 /** List of information elements */ 1126 union ieee80211_ie info_element[0]; 1127 } __attribute__((packed)); 1128 1129 /** Probe request frame data */ 1130 struct ieee80211_probe_req 1131 { 1132 /** List of information elements */ 1133 union ieee80211_ie info_element[0]; 1134 } __attribute__((packed)); 1135 1136 /** Authentication frame data */ 1137 struct ieee80211_auth 1138 { 1139 /** Authentication algorithm (Open System or Shared Key) */ 1140 u16 algorithm; 1141 1142 /** Sequence number of this frame; first from client to AP is 1 */ 1143 u16 tx_seq; 1144 1145 /** Status code */ 1146 u16 status; 1147 1148 /** List of information elements */ 1149 union ieee80211_ie info_element[0]; 1150 } __attribute__((packed)); 1151 1152 /** Open System authentication algorithm */ 1153 #define IEEE80211_AUTH_OPEN_SYSTEM 0 1154 1155 /** Shared Key authentication algorithm */ 1156 #define IEEE80211_AUTH_SHARED_KEY 1 1157 1158 /** @} */ 1159 1160 #endif 1161
