1#ifndef _GPXE_IEEE80211_H
2#define _GPXE_IEEE80211_H
3
4#include <gpxe/if_ether.h>	/* for ETH_ALEN */
5#include <endian.h>
6
7/** @file
8 * Constants and data structures defined in IEEE 802.11, subsetted
9 * according to what gPXE knows how to use.
10 */
11
12FILE_LICENCE(GPL2_OR_LATER);
13
14/* ---------- Maximum lengths of things ---------- */
15
16/**
17 * @defgroup ieee80211_maxlen Maximum lengths in the 802.11 protocol
18 * @{
19 */
20
21/** Maximum length of frame payload
22 *
23 * This does not include cryptographic overhead, which can be up to 20
24 * bytes, but it DOES include the 802.2 LLC/SNAP headers that are used
25 * on data frames (but not management frames).
26 */
27#define IEEE80211_MAX_DATA_LEN          2304
28
29/** Length of LLC/SNAP headers on data frames */
30#define IEEE80211_LLC_HEADER_LEN	8
31
32/** Maximum cryptographic overhead before encrypted data */
33#define IEEE80211_MAX_CRYPTO_HEADER	8
34
35/** Maximum cryptographic overhead after encrypted data
36 *
37 * This does not count the MIC in TKIP frames, since that is
38 * considered to be part of the MSDU and thus contributes to the size
39 * of the data field.
40 *
41 * It @e does count the MIC in CCMP frames, which is considered part
42 * of the MPDU (outside the data field).
43 */
44#define IEEE80211_MAX_CRYPTO_TRAILER    8
45
46/** Total maximum cryptographic overhead */
47#define IEEE80211_MAX_CRYPTO_OVERHEAD	16
48
49/** Bytes of network-layer data that can go into a regular data frame */
50#define IEEE80211_MAX_FRAME_DATA	2296
51
52/** Frame header length for frames we might work with
53 *
54 * QoS adds a two-byte field on top of this, and APs communicating
55 * with each other in Wireless Distribution System (WDS) mode add an
56 * extra 6-byte MAC address field, but we do not work with such
57 * frames.
58 */
59#define IEEE80211_TYP_FRAME_HEADER_LEN	24
60
61/** Theoretical maximum frame header length
62 *
63 * This includes the QoS and WDS Addr4 fields that we should never
64 * see.
65 */
66#define IEEE80211_MAX_FRAME_HEADER_LEN	32
67
68/** Maximum combined frame length
69 *
70 * The biggest frame will include 32 frame header bytes, 16 bytes of
71 * crypto overhead, and 2304 data bytes.
72 */
73#define IEEE80211_MAX_FRAME_LEN         2352
74
75/** Maximum length of an ESSID */
76#define IEEE80211_MAX_SSID_LEN          32
77
78/** @} */
79
80
81/* ---------- Frame Control defines ---------- */
82
83/**
84 * @defgroup ieee80211_fc 802.11 Frame Control field bits
85 * @{
86 */
87
88/** 802.11 Frame Control field, Version bitmask */
89#define IEEE80211_FC_VERSION	0x0003
90
91/** Expected value of Version bits in Frame Control */
92#define  IEEE80211_THIS_VERSION  0x0000
93
94
95/** 802.11 Frame Control field, Frame Type bitmask */
96#define IEEE80211_FC_TYPE	0x000C
97
98/** Type value for management (layer-2) frames */
99#define  IEEE80211_TYPE_MGMT     0x0000
100
101/** Type value for control (layer-1, hardware-managed) frames */
102#define  IEEE80211_TYPE_CTRL     0x0004
103
104/** Type value for data frames */
105#define  IEEE80211_TYPE_DATA     0x0008
106
107
108/** 802.11 Frame Control field, Frame Subtype bitmask */
109#define IEEE80211_FC_SUBTYPE	0x00F0
110
111/** Subtype value for association-request management frames
112 *
113 * Association request frames are sent after authentication from the
114 * client to the Access Point to establish the client as part of the
115 * Access Point's network.
116 */
117#define  IEEE80211_STYPE_ASSOC_REQ    0x0000
118
119/** Subtype value for association-response management frames
120 *
121 * Association response frames are sent by the Access Point to confirm
122 * or deny the association requested in an association request frame.
123 */
124#define  IEEE80211_STYPE_ASSOC_RESP   0x0010
125
126/** Subtype value for reassociation-request management frames
127 *
128 * Reassociation request frames are sent by clients wishing to change
129 * from one Access Point to another while roaming within the same
130 * extended network (same ESSID).
131 */
132#define  IEEE80211_STYPE_REASSOC_REQ  0x0020
133
134/** Subtype value for reassociation-response management frames
135 *
136 * Reassociation response frames are sent by the Access Point to
137 * confirm or deny the swap requested in a reassociation request
138 * frame.
139 */
140#define  IEEE80211_STYPE_REASSOC_RESP 0x0030
141
142/** Subtype value for probe-request management frames
143 *
144 * Probe request frames are sent by clients to request that all Access
145 * Points on the sending channel, or all belonging to a particular
146 * ESSID, identify themselves by BSSID, supported transfer rates, RF
147 * configuration, and other capabilities.
148 */
149#define  IEEE80211_STYPE_PROBE_REQ    0x0040
150
151/** Subtype value for probe-response management frames
152 *
153 * Probe response frames are sent by Access Points in response to
154 * probe request frames, providing the requested information.
155 */
156#define  IEEE80211_STYPE_PROBE_RESP   0x0050
157
158/** Subtype value for beacon management frames
159 *
160 * Beacon frames are sent by Access Points at regular intervals,
161 * usually ten per second, on the channel on which they communicate.
162 * They can be used to probe passively for access points on a channel
163 * where local regulatory restrictions prohibit active scanning, or
164 * due to their regularity as a mechanism to determine the fraction of
165 * packets that are being dropped.
166 */
167#define  IEEE80211_STYPE_BEACON       0x0080
168
169/** Subtype value for disassociation management frames
170 *
171 * Disassociation frames are sent by either a client or an Access
172 * Point to unequivocally terminate the association between the two.
173 * They may be sent by clients upon leaving the network, or by an
174 * Access Point upon reconfiguration, among other reasons; they are
175 * usually more "polite" than deauthentication frames.
176 */
177#define  IEEE80211_STYPE_DISASSOC     0x00A0
178
179/** Subtype value for authentication management frames
180 *
181 * Authentication frames are exchanged between a client and an Access
182 * Point before association may be performed. Confusingly, in the most
183 * common authentication method (Open System) no security tokens are
184 * exchanged at all. Modern 802.11 security handshaking takes place
185 * after association.
186 */
187#define  IEEE80211_STYPE_AUTH         0x00B0
188
189/** Subtype value for deauthentication management frames
190 *
191 * Deauthentication frames are sent by either a client or an Access
192 * Point to terminate the authentication (and therefore also the
193 * association) between the two. They are generally more forceful than
194 * disassociation frames, sent for such reasons as a failure to
195 * set up security properly after associating.
196 */
197#define  IEEE80211_STYPE_DEAUTH       0x00C0
198
199/** Subtype value for action management frames
200 *
201 * Action frames are used to implement spectrum management and QoS
202 * features that gPXE currently does not support.
203 */
204#define  IEEE80211_STYPE_ACTION	      0x00D0
205
206
207/** Subtype value for RTS (request to send) control frames */
208#define  IEEE80211_STYPE_RTS          0x00B0
209
210/** Subtype value for CTS (clear to send) control frames */
211#define  IEEE80211_STYPE_CTS          0x00C0
212
213/** Subtype value for ACK (acknowledgement) control frames */
214#define  IEEE80211_STYPE_ACK          0x00D0
215
216
217/** Subtype value for ordinary data frames, with no QoS or CF add-ons */
218#define  IEEE80211_STYPE_DATA         0x0000
219
220/** Subtype value for data frames containing no data */
221#define  IEEE80211_STYPE_NODATA       0x0040
222
223
224/** 802.11 Frame Control field: To Data System flag
225 *
226 * This is set on data frames sent to an Access Point.
227 */
228#define IEEE80211_FC_TODS       0x0100
229
230/** 802.11 Frame Control field: From Data System flag
231 *
232 * This is set on data frames sent from an Access Point. If both TODS
233 * and FROMDS are set, the frame header is a 4-address format used for
234 * inter-Access Point communication.
235 */
236#define IEEE80211_FC_FROMDS     0x0200
237
238/** 802.11 Frame Control field: More Fragments flag */
239#define IEEE80211_FC_MORE_FRAG  0x0400
240
241/** 802.11 Frame Control field: Retransmission flag */
242#define IEEE80211_FC_RETRY      0x0800
243
244/** 802.11 Frame Control field: Power Managed flag
245 *
246 * This is set on any frame sent by a low-power station that will go
247 * into a power-saving mode immediately after this frame. Access
248 * Points are not allowed to act as low-power stations.
249 */
250#define IEEE80211_FC_PWR_MGMT   0x1000
251
252/** 802.11 Frame Control field: More Data flag
253 *
254 * This is set on any frame sent by a station that has more data
255 * queued to be sent than is in the frame.
256 */
257#define IEEE80211_FC_MORE_DATA  0x2000
258
259/** 802.11 Frame Control field: Protected flag
260 *
261 * This is set on frames in which data is encrypted (by any method).
262 */
263#define IEEE80211_FC_PROTECTED  0x4000
264
265/** 802.11 Frame Control field: Ordered flag [?] */
266#define IEEE80211_FC_ORDER      0x8000
267
268/** @} */
269
270
271/* ---------- Sequence Control defines ---------- */
272
273/**
274 * @defgroup ieee80211_seq 802.11 Sequence Control field handling
275 * @{
276 */
277
278/** Extract sequence number from 802.11 Sequence Control field */
279#define IEEE80211_SEQNR( seq )		( ( seq ) >> 4 )
280
281/** Extract fragment number from 802.11 Sequence Control field */
282#define IEEE80211_FRAG( seq )		( ( seq ) & 0x000F )
283
284/** Make 802.11 Sequence Control field from sequence and fragment numbers */
285#define IEEE80211_MAKESEQ( seqnr, frag )	\
286	( ( ( ( seqnr ) & 0xFFF ) << 4 ) | ( ( frag ) & 0xF ) )
287
288/** @} */
289
290
291/* ---------- Frame header formats ---------- */
292
293/**
294 * @defgroup ieee80211_hdr 802.11 frame header formats
295 * @{
296 */
297
298/** An 802.11 data or management frame without QoS or WDS header fields */
299struct ieee80211_frame
300{
301	u16 fc;			/**< 802.11 Frame Control field */
302	u16 duration;		/**< Microseconds to reserve link */
303	u8 addr1[ETH_ALEN];	/**< Address 1 (immediate receiver) */
304	u8 addr2[ETH_ALEN];	/**< Address 2 (immediate sender) */
305	u8 addr3[ETH_ALEN];	/**< Address 3 (often "forward to") */
306	u16 seq;		/**< 802.11 Sequence Control field */
307	u8 data[0];		/**< Beginning of frame data */
308} __attribute__((packed));
309
310/** The 802.2 LLC/SNAP header sent before actual data in a data frame
311 *
312 * This header is not acknowledged in the 802.11 standard at all; it
313 * is treated just like data for MAC-layer purposes, including
314 * fragmentation and encryption. It is actually two headers
315 * concatenated: a three-byte 802.2 LLC header indicating Subnetwork
316 * Accesss Protocol (SNAP) in both source and destination Service
317 * Access Point (SAP) fields, and a five-byte SNAP header indicating a
318 * zero OUI and two-byte Ethernet protocol type field.
319 *
320 * Thus, an eight-byte header in which six of the bytes are redundant.
321 * Lovely, isn't it?
322 */
323struct ieee80211_llc_snap_header
324{
325	/* LLC part: */
326	u8 dsap;		/**< Destination SAP ID */
327	u8 ssap;		/**< Source SAP ID */
328	u8 ctrl;		/**< Control information */
329
330	/* SNAP part: */
331	u8 oui[3];		/**< Organization code, usually 0 */
332	u16 ethertype;		/**< Ethernet Type field */
333} __attribute__((packed));
334
335/** Value for DSAP field in 802.2 LLC header for 802.11 frames: SNAP */
336#define IEEE80211_LLC_DSAP	0xAA
337
338/** Value for SSAP field in 802.2 LLC header for 802.11 frames: SNAP */
339#define IEEE80211_LLC_SSAP	0xAA
340
341/** Value for control field in 802.2 LLC header for 802.11 frames
342 *
343 * "Unnumbered Information".
344 */
345#define IEEE80211_LLC_CTRL	0x03
346
347
348/** 16-byte RTS frame format, with abbreviated header */
349struct ieee80211_rts
350{
351	u16 fc;			/**< 802.11 Frame Control field */
352	u16 duration;		/**< Microseconds to reserve link */
353	u8 addr1[ETH_ALEN];	/**< Address 1 (immediate receiver) */
354	u8 addr2[ETH_ALEN];	/**< Address 2 (immediate sender) */
355} __attribute__((packed));
356
357/** Length of 802.11 RTS control frame */
358#define IEEE80211_RTS_LEN	16
359
360/** 10-byte CTS or ACK frame format, with abbreviated header */
361struct ieee80211_cts_or_ack
362{
363	u16 fc;			/**< 802.11 Frame Control field */
364	u16 duration;		/**< Microseconds to reserve link */
365	u8 addr1[ETH_ALEN];	/**< Address 1 (immediate receiver) */
366} __attribute__((packed));
367
368#define ieee80211_cts ieee80211_cts_or_ack
369#define ieee80211_ack ieee80211_cts_or_ack
370
371/** Length of 802.11 CTS control frame */
372#define IEEE80211_CTS_LEN	10
373
374/** Length of 802.11 ACK control frame */
375#define IEEE80211_ACK_LEN	10
376
377/** @} */
378
379
380/* ---------- Capability bits, status and reason codes ---------- */
381
382/**
383 * @defgroup ieee80211_capab 802.11 management frame capability field bits
384 * @{
385 */
386
387/** Set if using an Access Point (managed mode) */
388#define IEEE80211_CAPAB_MANAGED       0x0001
389
390/** Set if operating in IBSS (no-AP, "Ad-Hoc") mode */
391#define IEEE80211_CAPAB_ADHOC         0x0002
392
393/** Set if we support Contention-Free Period operation */
394#define IEEE80211_CAPAB_CFPOLL        0x0004
395
396/** Set if we wish to be polled for Contention-Free operation */
397#define IEEE80211_CAPAB_CFPR          0x0008
398
399/** Set if the network is encrypted (by any method) */
400#define IEEE80211_CAPAB_PRIVACY       0x0010
401
402/** Set if PHY supports short preambles on 802.11b */
403#define IEEE80211_CAPAB_SHORT_PMBL    0x0020
404
405/** Set if PHY supports PBCC modulation */
406#define IEEE80211_CAPAB_PBCC          0x0040
407
408/** Set if we support Channel Agility */
409#define IEEE80211_CAPAB_CHAN_AGILITY  0x0080
410
411/** Set if we support spectrum management (DFS and TPC) on the 5GHz band */
412#define IEEE80211_CAPAB_SPECTRUM_MGMT 0x0100
413
414/** Set if we support Quality of Service enhancements */
415#define IEEE80211_CAPAB_QOS           0x0200
416
417/** Set if PHY supports short slot time on 802.11g */
418#define IEEE80211_CAPAB_SHORT_SLOT    0x0400
419
420/** Set if PHY supports APSD option */
421#define IEEE80211_CAPAB_APSD          0x0800
422
423/** Set if PHY supports DSSS/OFDM modulation (one way of 802.11 b/g mixing) */
424#define IEEE80211_CAPAB_DSSS_OFDM     0x2000
425
426/** Set if we support delayed block ACK */
427#define IEEE80211_CAPAB_DELAYED_BACK  0x4000
428
429/** Set if we support immediate block ACK */
430#define IEEE80211_CAPAB_IMMED_BACK    0x8000
431
432/** @} */
433
434
435/**
436 * @defgroup ieee80211_status 802.11 status codes
437 *
438 * These are returned to indicate an immediate denial of
439 * authentication or association. In gPXE, the lower 5 bits of the
440 * status code are encoded into the file-unique portion of an error
441 * code, the ERRFILE portion is always @c ERRFILE_net80211, and the
442 * POSIX error code is @c ECONNREFUSED for status 0-31 or @c
443 * EHOSTUNREACH for status 32-63.
444 *
445 * For a complete table with non-abbreviated error messages, see IEEE
446 * Std 802.11-2007, Table 7-23, p.94.
447 *
448 * @{
449 */
450
451#define IEEE80211_STATUS_SUCCESS		0
452#define IEEE80211_STATUS_FAILURE		1
453#define IEEE80211_STATUS_CAPAB_UNSUPP		10
454#define IEEE80211_STATUS_REASSOC_INVALID	11
455#define IEEE80211_STATUS_ASSOC_DENIED		12
456#define IEEE80211_STATUS_AUTH_ALGO_UNSUPP	13
457#define IEEE80211_STATUS_AUTH_SEQ_INVALID	14
458#define IEEE80211_STATUS_AUTH_CHALL_INVALID	15
459#define IEEE80211_STATUS_AUTH_TIMEOUT		16
460#define IEEE80211_STATUS_ASSOC_NO_ROOM		17
461#define IEEE80211_STATUS_ASSOC_NEED_RATE	18
462#define IEEE80211_STATUS_ASSOC_NEED_SHORT_PMBL	19
463#define IEEE80211_STATUS_ASSOC_NEED_PBCC	20
464#define IEEE80211_STATUS_ASSOC_NEED_CHAN_AGILITY 21
465#define IEEE80211_STATUS_ASSOC_NEED_SPECTRUM_MGMT 22
466#define IEEE80211_STATUS_ASSOC_BAD_POWER	23
467#define IEEE80211_STATUS_ASSOC_BAD_CHANNELS	24
468#define IEEE80211_STATUS_ASSOC_NEED_SHORT_SLOT	25
469#define IEEE80211_STATUS_ASSOC_NEED_DSSS_OFDM	26
470#define IEEE80211_STATUS_QOS_FAILURE		32
471#define IEEE80211_STATUS_QOS_NO_ROOM		33
472#define IEEE80211_STATUS_LINK_IS_HORRIBLE	34
473#define IEEE80211_STATUS_ASSOC_NEED_QOS		35
474#define IEEE80211_STATUS_REQUEST_DECLINED	37
475#define IEEE80211_STATUS_REQUEST_INVALID	38
476#define IEEE80211_STATUS_TS_NOT_CREATED_AGAIN	39
477#define IEEE80211_STATUS_INVALID_IE		40
478#define IEEE80211_STATUS_GROUP_CIPHER_INVALID	41
479#define IEEE80211_STATUS_PAIR_CIPHER_INVALID	42
480#define IEEE80211_STATUS_AKMP_INVALID		43
481#define IEEE80211_STATUS_RSN_VERSION_UNSUPP	44
482#define IEEE80211_STATUS_RSN_CAPAB_INVALID	45
483#define IEEE80211_STATUS_CIPHER_REJECTED	46
484#define IEEE80211_STATUS_TS_NOT_CREATED_WAIT	47
485#define IEEE80211_STATUS_DIRECT_LINK_FORBIDDEN	48
486#define IEEE80211_STATUS_DEST_NOT_PRESENT	49
487#define IEEE80211_STATUS_DEST_NOT_QOS		50
488#define IEEE80211_STATUS_ASSOC_LISTEN_TOO_HIGH	51
489
490/** @} */
491
492
493
494/**
495 * @defgroup ieee80211_reason 802.11 reason codes
496 *
497 * These are returned to indicate the reason for a deauthentication or
498 * disassociation sent (usually) after authentication or association
499 * had succeeded.  In gPXE, the lower 5 bits of the reason code are
500 * encoded into the file-unique portion of an error code, the ERRFILE
501 * portion is always @c ERRFILE_net80211, and the POSIX error code is
502 * @c ECONNRESET for reason 0-31 or @c ENETRESET for reason 32-63.
503 *
504 * For a complete table with non-abbreviated error messages, see IEEE
505 * Std 802.11-2007, Table 7-22, p.92.
506 *
507 * @{
508 */
509
510#define IEEE80211_REASON_NONE			0
511#define IEEE80211_REASON_UNSPECIFIED		1
512#define IEEE80211_REASON_AUTH_NO_LONGER_VALID	2
513#define IEEE80211_REASON_LEAVING		3
514#define IEEE80211_REASON_INACTIVITY		4
515#define IEEE80211_REASON_OUT_OF_RESOURCES	5
516#define IEEE80211_REASON_NEED_AUTH		6
517#define IEEE80211_REASON_NEED_ASSOC		7
518#define IEEE80211_REASON_LEAVING_TO_ROAM	8
519#define IEEE80211_REASON_REASSOC_INVALID	9
520#define IEEE80211_REASON_BAD_POWER		10
521#define IEEE80211_REASON_BAD_CHANNELS		11
522#define IEEE80211_REASON_INVALID_IE		13
523#define IEEE80211_REASON_MIC_FAILURE		14
524#define IEEE80211_REASON_4WAY_TIMEOUT		15
525#define IEEE80211_REASON_GROUPKEY_TIMEOUT	16
526#define IEEE80211_REASON_4WAY_INVALID		17
527#define IEEE80211_REASON_GROUP_CIPHER_INVALID	18
528#define IEEE80211_REASON_PAIR_CIPHER_INVALID	19
529#define IEEE80211_REASON_AKMP_INVALID		20
530#define IEEE80211_REASON_RSN_VERSION_INVALID	21
531#define IEEE80211_REASON_RSN_CAPAB_INVALID	22
532#define IEEE80211_REASON_8021X_FAILURE		23
533#define IEEE80211_REASON_CIPHER_REJECTED	24
534#define IEEE80211_REASON_QOS_UNSPECIFIED	32
535#define IEEE80211_REASON_QOS_OUT_OF_RESOURCES	33
536#define IEEE80211_REASON_LINK_IS_HORRIBLE	34
537#define IEEE80211_REASON_INVALID_TXOP		35
538#define IEEE80211_REASON_REQUESTED_LEAVING	36
539#define IEEE80211_REASON_REQUESTED_NO_USE	37
540#define IEEE80211_REASON_REQUESTED_NEED_SETUP	38
541#define IEEE80211_REASON_REQUESTED_TIMEOUT	39
542#define IEEE80211_REASON_CIPHER_UNSUPPORTED	45
543
544/** @} */
545
546/* ---------- Information element declarations ---------- */
547
548/**
549 * @defgroup ieee80211_ie 802.11 information elements
550 *
551 * Many management frames include a section that amounts to a
552 * concatenation of these information elements, so that the sender can
553 * choose which information to send and the receiver can ignore the
554 * parts it doesn't understand. Each IE contains a two-byte header,
555 * one byte ID and one byte length, followed by IE-specific data. The
556 * length does not include the two-byte header. Information elements
557 * are required to be sorted by ID, but gPXE does not require that in
558 * those it receives.
559 *
560 * This group also includes a few inline functions to simplify common
561 * tasks in IE processing.
562 *
563 * @{
564 */
565
566/** Generic 802.11 information element header */
567struct ieee80211_ie_header {
568	u8 id;			/**< Information element ID */
569	u8 len;			/**< Information element length */
570} __attribute__ ((packed));
571
572
573/** 802.11 SSID information element */
574struct ieee80211_ie_ssid {
575	u8 id;			/**< SSID ID: 0 */
576	u8 len;			/**< SSID length */
577	char ssid[0];		/**< SSID data, not NUL-terminated */
578} __attribute__ ((packed));
579
580/** Information element ID for SSID information element */
581#define IEEE80211_IE_SSID	0
582
583
584/** 802.11 rates information element
585 *
586 * The first 8 rates go in an IE of type RATES (1), and any more rates
587 * go in one of type EXT_RATES (50). Each rate is a byte with the low
588 * 7 bits equal to the rate in units of 500 kbps, and the high bit set
589 * if and only if the rate is "basic" (must be supported by all
590 * connected stations).
591 */
592struct ieee80211_ie_rates {
593	u8 id;			/**< Rates ID: 1 or 50 */
594	u8 len;			/**< Number of rates */
595	u8 rates[0];		/**< Rates data, one rate per byte */
596} __attribute__ ((packed));
597
598/** Information element ID for rates information element */
599#define IEEE80211_IE_RATES	1
600
601/** Information element ID for extended rates information element */
602#define IEEE80211_IE_EXT_RATES	50
603
604
605/** 802.11 Direct Spectrum parameter information element
606 *
607 * This just contains the channel number. It has the fancy name
608 * because IEEE 802.11 also defines a frequency-hopping PHY that
609 * changes channels at regular intervals following a predetermined
610 * pattern; in practice nobody uses the FH PHY.
611 */
612struct ieee80211_ie_ds_param {
613	u8 id;			/**< DS parameter ID: 3 */
614	u8 len;			/**< DS parameter length: 1 */
615	u8 current_channel;	/**< Current channel number, 1-14 */
616} __attribute__ ((packed));
617
618/** Information element ID for Direct Spectrum parameter information element */
619#define IEEE80211_IE_DS_PARAM	3
620
621
622/** 802.11 Country information element regulatory extension triplet */
623struct ieee80211_ie_country_ext_triplet {
624	u8 reg_ext_id;		/**< Regulatory extension ID */
625	u8 reg_class_id;	/**< Regulatory class ID */
626	u8 coverage_class;	/**< Coverage class */
627} __attribute__ ((packed));
628
629/** 802.11 Country information element regulatory band triplet */
630struct ieee80211_ie_country_band_triplet {
631	u8 first_channel;	/**< Channel number for first channel in band */
632	u8 nr_channels;		/**< Number of contiguous channels in band */
633	u8 max_txpower;		/**< Maximum TX power in dBm */
634} __attribute__ ((packed));
635
636/** 802.11 Country information element regulatory triplet
637 *
638 * It is a band triplet if the first byte is 200 or less, and a
639 * regulatory extension triplet otherwise.
640 */
641union ieee80211_ie_country_triplet {
642	/** Differentiator between band and ext triplets */
643	u8 first;
644
645	/** Information about a band of channels */
646	struct ieee80211_ie_country_band_triplet band;
647
648	/** Regulatory extension information */
649	struct ieee80211_ie_country_ext_triplet ext;
650};
651
652/** 802.11 Country information element
653 *
654 * This contains some data about RF regulations.
655 */
656struct ieee80211_ie_country {
657	u8 id;			/**< Country information ID: 7 */
658	u8 len;			/**< Country information length: varies */
659	char name[2];		/**< ISO Alpha2 country code */
660	char in_out;		/**< 'I' for indoor, 'O' for outdoor */
661
662	/** List of regulatory triplets */
663	union ieee80211_ie_country_triplet triplet[0];
664} __attribute__ ((packed));
665
666/** Information element ID for Country information element */
667#define IEEE80211_IE_COUNTRY	7
668
669
670/** 802.11 Request information element
671 *
672 * This contains a list of information element types we would like to
673 * be included in probe response frames.
674 */
675struct ieee80211_ie_request {
676	u8 id;			/**< Request ID: 10 */
677	u8 len;			/**< Number of IEs requested */
678	u8 request[0];		/**< List of IEs requested */
679} __attribute__ ((packed));
680
681/** Information element ID for Request information element */
682#define IEEE80211_IE_REQUEST	10
683
684
685/** 802.11 Challenge Text information element
686 *
687 * This is used in authentication frames under Shared Key
688 * authentication.
689 */
690struct ieee80211_ie_challenge_text {
691	u8 id;			/**< Challenge Text ID: 16 */
692	u8 len;			/**< Challenge Text length: usually 128 */
693	u8 challenge_text[0];	/**< Challenge Text data */
694} __attribute__ ((packed));
695
696/** Information element ID for Challenge Text information element */
697#define IEEE80211_IE_CHALLENGE_TEXT	16
698
699
700/** 802.11 Power Constraint information element
701 *
702 * This is used to specify an additional power limitation on top of
703 * the Country requirements.
704 */
705struct ieee80211_ie_power_constraint {
706	u8 id;			/**< Power Constraint ID: 52 */
707	u8 len;			/**< Power Constraint length: 1 */
708	u8 power_constraint;	/**< Decrease in allowed TX power, dBm */
709} __attribute__ ((packed));
710
711/** Information element ID for Power Constraint information element */
712#define IEEE80211_IE_POWER_CONSTRAINT	52
713
714
715/** 802.11 Power Capability information element
716 *
717 * This is used in association request frames to indicate the extremes
718 * of our TX power abilities. It is required only if we indicate
719 * support for spectrum management.
720 */
721struct ieee80211_ie_power_capab {
722	u8 id;			/**< Power Capability ID: 33 */
723	u8 len;			/**< Power Capability length: 2 */
724	u8 min_txpower;		/**< Minimum possible TX power, dBm */
725	u8 max_txpower;		/**< Maximum possible TX power, dBm */
726} __attribute__ ((packed));
727
728/** Information element ID for Power Capability information element */
729#define IEEE80211_IE_POWER_CAPAB	33
730
731
732/** 802.11 Channels information element channel band tuple */
733struct ieee80211_ie_channels_channel_band {
734	u8 first_channel;	/**< Channel number of first channel in band */
735	u8 nr_channels;		/**< Number of channels in band */
736} __attribute__ ((packed));
737
738/** 802.11 Channels information element
739 *
740 * This is used in association frames to indicate the channels we can
741 * use. It is required only if we indicate support for spectrum
742 * management.
743 */
744struct ieee80211_ie_channels {
745	u8 id;			/**< Channels ID: 36 */
746	u8 len;			/**< Channels length: 2 */
747
748	/** List of (start, length) channel bands we can use */
749	struct ieee80211_ie_channels_channel_band channels[0];
750} __attribute__ ((packed));
751
752/** Information element ID for Channels information element */
753#define IEEE80211_IE_CHANNELS	36
754
755
756/** 802.11 ERP Information information element
757 *
758 * This is used to communicate some PHY-level flags.
759 */
760struct ieee80211_ie_erp_info {
761	u8 id;			/**< ERP Information ID: 42 */
762	u8 len;			/**< ERP Information length: 1 */
763	u8 erp_info;		/**< ERP flags */
764} __attribute__ ((packed));
765
766/** Information element ID for ERP Information information element */
767#define IEEE80211_IE_ERP_INFO	42
768
769/** ERP information element: Flag set if 802.11b stations are present */
770#define  IEEE80211_ERP_NONERP_PRESENT	0x01
771
772/** ERP information element: Flag set if CTS protection must be used */
773#define  IEEE80211_ERP_USE_PROTECTION	0x02
774
775/** ERP information element: Flag set if long preambles must be used */
776#define  IEEE80211_ERP_BARKER_LONG	0x04
777
778
779/** 802.11 Robust Security Network ("WPA") information element
780 *
781 * Showing once again a striking clarity of design, the IEEE folks put
782 * dynamically-sized data in the middle of this structure. As such,
783 * the below structure definition only works for IEs we create
784 * ourselves, which always have one pairwise cipher and one AKM;
785 * received IEs should be parsed piecemeal.
786 *
787 * Also inspired was IEEE's choice of 16-bit fields to count the
788 * number of 4-byte elements in a structure with a maximum length of
789 * 255 bytes.
790 *
791 * Many fields reference a cipher or authentication-type ID; this is a
792 * three-byte OUI followed by one byte identifying the cipher with
793 * respect to that OUI. For all standard ciphers the OUI is 00:0F:AC,
794 * except in old-style WPA IEs encapsulated in vendor-specific IEs,
795 * where it's 00:50:F2.
796 */
797struct ieee80211_ie_rsn {
798	/** Information element ID */
799	u8 id;
800
801	/** Information element length */
802	u8 len;
803
804	/** RSN information element version */
805	u16 version;
806
807	/** Cipher ID for the cipher used in multicast/broadcast frames */
808	u32 group_cipher;
809
810	/** Number of unicast ciphers supported */
811	u16 pairwise_count;
812
813	/** List of cipher IDs for supported unicast frame ciphers */
814	u32 pairwise_cipher[1];
815
816	/** Number of authentication types supported */
817	u16 akm_count;
818
819	/** List of authentication type IDs for supported types */
820	u32 akm_list[1];
821
822	/** Security capabilities field (RSN only) */
823	u16 rsn_capab;
824
825	/** Number of PMKIDs included (present only in association frames) */
826	u16 pmkid_count;
827
828	/** List of PMKIDs included, each a 16-byte SHA1 hash */
829	u8 pmkid_list[0];
830} __attribute__((packed));
831
832/** Information element ID for Robust Security Network information element */
833#define IEEE80211_IE_RSN	48
834
835/** Calculate necessary size of RSN information element
836 *
837 * @v npair	Number of pairwise ciphers supported
838 * @v nauth	Number of authentication types supported
839 * @v npmkid	Number of PMKIDs to include
840 * @v is_rsn	If TRUE, calculate RSN IE size; if FALSE, calculate WPA IE size
841 * @ret size	Necessary size of IE, including header bytes
842 */
843static inline size_t ieee80211_rsn_size ( int npair, int nauth, int npmkid,
844					  int rsn_ie ) {
845	return 16 + 4 * ( npair + nauth ) + 16 * npmkid - 4 * ! rsn_ie;
846}
847
848/** Make OUI plus type byte into 32-bit integer for easy comparison */
849#if __BYTE_ORDER == __BIG_ENDIAN
850#define _MKOUI( a, b, c, t )	\
851		( ( ( a ) << 24 ) | ( ( b ) << 16 ) | ( ( c ) << 8 ) | ( d ) )
852#define  OUI_ORG_MASK		0xFFFFFF00
853#define  OUI_TYPE_MASK		0x000000FF
854#else
855#define _MKOUI( a, b, c, t )	\
856		( ( ( t ) << 24 ) | ( ( c ) << 16 ) | ( ( b ) << 8 ) | ( a ) )
857#define  OUI_ORG_MASK		0x00FFFFFF
858#define  OUI_TYPE_MASK		0xFF000000
859#endif
860
861/** Organization part for OUIs in standard RSN IE */
862#define  IEEE80211_RSN_OUI	_MKOUI ( 0x00, 0x0F, 0xAC, 0 )
863
864/** Organization part for OUIs in old WPA IE */
865#define  IEEE80211_WPA_OUI	_MKOUI ( 0x00, 0x50, 0xF2, 0 )
866
867/** Old vendor-type WPA IE OUI type + subtype */
868#define  IEEE80211_WPA_OUI_VEN	_MKOUI ( 0x00, 0x50, 0xF2, 0x01 )
869
870
871/** 802.11 RSN IE: expected version number */
872#define  IEEE80211_RSN_VERSION		1
873
874/** 802.11 RSN IE: cipher type for 40-bit WEP */
875#define  IEEE80211_RSN_CTYPE_WEP40	_MKOUI ( 0, 0, 0, 0x01 )
876
877/** 802.11 RSN IE: cipher type for 104-bit WEP */
878#define  IEEE80211_RSN_CTYPE_WEP104	_MKOUI ( 0, 0, 0, 0x05 )
879
880/** 802.11 RSN IE: cipher type for TKIP ("WPA") */
881#define  IEEE80211_RSN_CTYPE_TKIP	_MKOUI ( 0, 0, 0, 0x02 )
882
883/** 802.11 RSN IE: cipher type for CCMP ("WPA2") */
884#define  IEEE80211_RSN_CTYPE_CCMP	_MKOUI ( 0, 0, 0, 0x04 )
885
886/** 802.11 RSN IE: cipher type for "use group"
887 *
888 * This can only appear as a pairwise cipher, and means unicast frames
889 * should be encrypted in the same way as broadcast/multicast frames.
890 */
891#define  IEEE80211_RSN_CTYPE_USEGROUP	_MKOUI ( 0, 0, 0, 0x00 )
892
893/** 802.11 RSN IE: auth method type for using an 802.1X server */
894#define  IEEE80211_RSN_ATYPE_8021X	_MKOUI ( 0, 0, 0, 0x01 )
895
896/** 802.11 RSN IE: auth method type for using a pre-shared key */
897#define  IEEE80211_RSN_ATYPE_PSK	_MKOUI ( 0, 0, 0, 0x02 )
898
899/** 802.11 RSN IE capabilities: AP supports pre-authentication */
900#define  IEEE80211_RSN_CAPAB_PREAUTH	0x001
901
902/** 802.11 RSN IE capabilities: Node has conflict between TKIP and WEP
903 *
904 * This is a legacy issue; APs always set it to 0, and gPXE sets it to
905 * 0.
906 */
907#define  IEEE80211_RSN_CAPAB_NO_PAIRWISE 0x002
908
909/** 802.11 RSN IE capabilities: Number of PTKSA replay counters
910 *
911 * A value of 0 means one replay counter, 1 means two, 2 means four,
912 * and 3 means sixteen.
913 */
914#define  IEEE80211_RSN_CAPAB_PTKSA_REPLAY 0x00C
915
916/** 802.11 RSN IE capabilities: Number of GTKSA replay counters
917 *
918 * A value of 0 means one replay counter, 1 means two, 2 means four,
919 * and 3 means sixteen.
920 */
921#define  IEEE80211_RSN_CAPAB_GTKSA_REPLAY 0x030
922
923/** 802.11 RSN IE capabilities: PeerKey Handshaking is suported */
924#define  IEEE80211_RSN_CAPAB_PEERKEY	0x200
925
926
927/** 802.11 RSN IE capabilities: One replay counter
928 *
929 * This should be AND'ed with @c IEEE80211_RSN_CAPAB_PTKSA_REPLAY or
930 * @c IEEE80211_RSN_CAPAB_GTKSA_REPLAY (or both) to produce a value
931 * which can be OR'ed into the capabilities field.
932 */
933#define IEEE80211_RSN_1_CTR		0x000
934
935/** 802.11 RSN IE capabilities: Two replay counters */
936#define IEEE80211_RSN_2_CTR		0x014
937
938/** 802.11 RSN IE capabilities: Four replay counters */
939#define IEEE80211_RSN_4_CTR		0x028
940
941/** 802.11 RSN IE capabilities: 16 replay counters */
942#define IEEE80211_RSN_16_CTR		0x03C
943
944
945/** 802.11 Vendor Specific information element
946 *
947 * One often sees the RSN IE masquerading as vendor-specific on
948 * devices that were produced prior to 802.11i (the WPA amendment)
949 * being finalized.
950 */
951struct ieee80211_ie_vendor {
952	u8 id;			/**< Vendor-specific ID: 221 */
953	u8 len;			/**< Vendor-specific length: variable */
954	u32 oui;		/**< OUI and vendor-specific type byte */
955	u8 data[0];		/**< Vendor-specific data */
956} __attribute__ ((packed));
957
958/** Information element ID for Vendor Specific information element */
959#define IEEE80211_IE_VENDOR	221
960
961
962
963
964/** Any 802.11 information element
965 *
966 * This is formatted for ease of use, so IEs with complex structures
967 * get referenced in full, while those with only one byte of data or a
968 * simple array are pulled in to avoid a layer of indirection like
969 * ie->channels.channels[0].
970 */
971union ieee80211_ie
972{
973	/** Generic and simple information element info */
974	struct {
975		u8 id;		/**< Information element ID */
976		u8 len;		/**< Information element data length */
977		union {
978			char ssid[0];	/**< SSID text */
979			u8 rates[0];	/**< Rates data */
980			u8 request[0];	/**< Request list */
981			u8 challenge_text[0]; /**< Challenge text data */
982			u8 power_constraint; /**< Power constraint, dBm */
983			u8 erp_info;	/**< ERP information flags */
984			/** List of channels */
985			struct ieee80211_ie_channels_channel_band channels[0];
986		};
987	};
988
989	/** DS parameter set */
990	struct ieee80211_ie_ds_param ds_param;
991
992	/** Country information */
993	struct ieee80211_ie_country country;
994
995	/** Power capability */
996	struct ieee80211_ie_power_capab power_capab;
997
998	/** Security information */
999	struct ieee80211_ie_rsn rsn;
1000
1001	/** Vendor-specific */
1002	struct ieee80211_ie_vendor vendor;
1003};
1004
1005/** Check that 802.11 information element is bounded by buffer
1006 *
1007 * @v ie	Information element
1008 * @v end	End of buffer in which information element is stored
1009 * @ret ok	TRUE if the IE is completely contained within the buffer
1010 */
1011static inline int ieee80211_ie_bound ( union ieee80211_ie *ie, void *end )
1012{
1013	void *iep = ie;
1014	return ( iep + 2 <= end && iep + 2 + ie->len <= end );
1015}
1016
1017/** Advance to next 802.11 information element
1018 *
1019 * @v ie	Current information element pointer
1020 * @v end	Pointer to first byte not in information element space
1021 * @ret next	Pointer to next information element, or NULL if no more
1022 *
1023 * When processing received IEs, @a end should be set to the I/O
1024 * buffer tail pointer; when marshalling IEs for sending, @a end
1025 * should be NULL.
1026 */
1027static inline union ieee80211_ie * ieee80211_next_ie ( union ieee80211_ie *ie,
1028						       void *end )
1029{
1030	void *next_ie_byte = ( void * ) ie + ie->len + 2;
1031	union ieee80211_ie *next_ie = next_ie_byte;
1032
1033	if ( ! end )
1034		return next_ie;
1035
1036	if ( ieee80211_ie_bound ( next_ie, end ) )
1037		return next_ie;
1038
1039	return NULL;
1040}
1041
1042/** @} */
1043
1044
1045/* ---------- Management frame data formats ---------- */
1046
1047/**
1048 * @defgroup ieee80211_mgmt_data Management frame data payloads
1049 * @{
1050 */
1051
1052/** Beacon or probe response frame data */
1053struct ieee80211_beacon_or_probe_resp
1054{
1055	/** 802.11 TSFT value at frame send */
1056	u64 timestamp;
1057
1058	/** Interval at which beacons are sent, in units of 1024 us */
1059	u16 beacon_interval;
1060
1061	/** Capability flags */
1062	u16 capability;
1063
1064	/** List of information elements */
1065	union ieee80211_ie info_element[0];
1066} __attribute__((packed));
1067
1068#define ieee80211_beacon	ieee80211_beacon_or_probe_resp
1069#define ieee80211_probe_resp	ieee80211_beacon_or_probe_resp
1070
1071/** Disassociation or deauthentication frame data */
1072struct ieee80211_disassoc_or_deauth
1073{
1074	/** Reason code */
1075	u16 reason;
1076} __attribute__((packed));
1077
1078#define ieee80211_disassoc	ieee80211_disassoc_or_deauth
1079#define ieee80211_deauth	ieee80211_disassoc_or_deauth
1080
1081/** Association request frame data */
1082struct ieee80211_assoc_req
1083{
1084	/** Capability flags */
1085	u16 capability;
1086
1087	/** Interval at which we wake up, in units of the beacon interval */
1088	u16 listen_interval;
1089
1090	/** List of information elements */
1091	union ieee80211_ie info_element[0];
1092} __attribute__((packed));
1093
1094/** Association or reassociation response frame data */
1095struct ieee80211_assoc_or_reassoc_resp
1096{
1097	/** Capability flags */
1098	u16 capability;
1099
1100	/** Status code */
1101	u16 status;
1102
1103	/** Association ID */
1104	u16 aid;
1105
1106	/** List of information elements */
1107	union ieee80211_ie info_element[0];
1108} __attribute__((packed));
1109
1110#define ieee80211_assoc_resp	ieee80211_assoc_or_reassoc_resp
1111#define ieee80211_reassoc_resp	ieee80211_assoc_or_reassoc_resp
1112
1113/** Reassociation request frame data */
1114struct ieee80211_reassoc_req
1115{
1116	/** Capability flags */
1117	u16 capability;
1118
1119	/** Interval at which we wake up, in units of the beacon interval */
1120	u16 listen_interval;
1121
1122	/** MAC address of current Access Point */
1123	u8 current_addr[ETH_ALEN];
1124
1125	/** List of information elements */
1126	union ieee80211_ie info_element[0];
1127} __attribute__((packed));
1128
1129/** Probe request frame data */
1130struct ieee80211_probe_req
1131{
1132	/** List of information elements */
1133	union ieee80211_ie info_element[0];
1134} __attribute__((packed));
1135
1136/** Authentication frame data */
1137struct ieee80211_auth
1138{
1139	/** Authentication algorithm (Open System or Shared Key) */
1140	u16 algorithm;
1141
1142	/** Sequence number of this frame; first from client to AP is 1 */
1143	u16 tx_seq;
1144
1145	/** Status code */
1146	u16 status;
1147
1148	/** List of information elements */
1149	union ieee80211_ie info_element[0];
1150} __attribute__((packed));
1151
1152/** Open System authentication algorithm */
1153#define IEEE80211_AUTH_OPEN_SYSTEM  0
1154
1155/** Shared Key authentication algorithm */
1156#define IEEE80211_AUTH_SHARED_KEY   1
1157
1158/** @} */
1159
1160#endif
1161