]> CyberLeo.Net >> Repos - FreeBSD/FreeBSD.git/blob - sys/net80211/ieee80211_hostap.c
projects / FreeBSD / FreeBSD.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Cleanup AMPDU handling:
[FreeBSD/FreeBSD.git] / sys / net80211 / ieee80211_hostap.c
1 /*-
2  * Copyright (c) 2007-2008 Sam Leffler, Errno Consulting
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  *
14  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24  */
25
26 #include <sys/cdefs.h>
27 #ifdef __FreeBSD__
28 __FBSDID("$FreeBSD$");
29 #endif
30
31 /*
32  * IEEE 802.11 HOSTAP mode support.
33  */
34 #include "opt_inet.h"
35 #include "opt_wlan.h"
36
37 #include <sys/param.h>
38 #include <sys/systm.h> 
39 #include <sys/mbuf.h>   
40 #include <sys/malloc.h>
41 #include <sys/kernel.h>
42
43 #include <sys/socket.h>
44 #include <sys/sockio.h>
45 #include <sys/endian.h>
46 #include <sys/errno.h>
47 #include <sys/proc.h>
48 #include <sys/sysctl.h>
49
50 #include <net/if.h>
51 #include <net/if_media.h>
52 #include <net/if_llc.h>
53 #include <net/ethernet.h>
54
55 #include <net/bpf.h>
56
57 #include <net80211/ieee80211_var.h>
58 #include <net80211/ieee80211_hostap.h>
59 #include <net80211/ieee80211_input.h>
60 #include <net80211/ieee80211_wds.h>
61
62 #define IEEE80211_RATE2MBS(r)   (((r) & IEEE80211_RATE_VAL) / 2)
63
64 static  void hostap_vattach(struct ieee80211vap *);
65 static  int hostap_newstate(struct ieee80211vap *, enum ieee80211_state, int);
66 static  int hostap_input(struct ieee80211_node *ni, struct mbuf *m,
67             int rssi, int noise, uint32_t rstamp);
68 static void hostap_deliver_data(struct ieee80211vap *,
69             struct ieee80211_node *, struct mbuf *);
70 static void hostap_recv_mgmt(struct ieee80211_node *, struct mbuf *,
71             int subtype, int rssi, int noise, uint32_t rstamp);
72 static void hostap_recv_pspoll(struct ieee80211_node *, struct mbuf *);
73
74 void
75 ieee80211_hostap_attach(struct ieee80211com *ic)
76 {
77         ic->ic_vattach[IEEE80211_M_HOSTAP] = hostap_vattach;
78 }
79
80 void
81 ieee80211_hostap_detach(struct ieee80211com *ic)
82 {
83 }
84
85 static void
86 hostap_vdetach(struct ieee80211vap *vap)
87 {
88 }
89
90 static void
91 hostap_vattach(struct ieee80211vap *vap)
92 {
93         vap->iv_newstate = hostap_newstate;
94         vap->iv_input = hostap_input;
95         vap->iv_recv_mgmt = hostap_recv_mgmt;
96         vap->iv_opdetach = hostap_vdetach;
97         vap->iv_deliver_data = hostap_deliver_data;
98 }
99
100 static void
101 sta_disassoc(void *arg, struct ieee80211_node *ni)
102 {
103         struct ieee80211vap *vap = arg;
104
105         if (ni->ni_vap == vap && ni->ni_associd != 0) {
106                 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DISASSOC,
107                         IEEE80211_REASON_ASSOC_LEAVE);
108                 ieee80211_node_leave(ni);
109         }
110 }
111
112 /*
113  * IEEE80211_M_HOSTAP vap state machine handler.
114  */
115 static int
116 hostap_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg)
117 {
118         struct ieee80211com *ic = vap->iv_ic;
119         enum ieee80211_state ostate;
120
121         IEEE80211_LOCK_ASSERT(ic);
122
123         ostate = vap->iv_state;
124         IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n",
125             __func__, ieee80211_state_name[ostate],
126             ieee80211_state_name[nstate], arg);
127         vap->iv_state = nstate;                 /* state transition */
128         if (ostate != IEEE80211_S_SCAN)
129                 ieee80211_cancel_scan(vap);     /* background scan */
130         switch (nstate) {
131         case IEEE80211_S_INIT:
132                 switch (ostate) {
133                 case IEEE80211_S_SCAN:
134                         ieee80211_cancel_scan(vap);
135                         break;
136                 case IEEE80211_S_CAC:
137                         ieee80211_dfs_cac_stop(vap);
138                         break;
139                 case IEEE80211_S_RUN:
140                         ieee80211_iterate_nodes(&ic->ic_sta, sta_disassoc, vap);
141                         break;
142                 default:
143                         break;
144                 }
145                 if (ostate != IEEE80211_S_INIT) {
146                         /* NB: optimize INIT -> INIT case */
147                         ieee80211_reset_bss(vap);
148                 }
149                 if (vap->iv_auth->ia_detach != NULL)
150                         vap->iv_auth->ia_detach(vap);
151                 break;
152         case IEEE80211_S_SCAN:
153                 switch (ostate) {
154                 case IEEE80211_S_CSA:
155                 case IEEE80211_S_RUN:
156                         ieee80211_iterate_nodes(&ic->ic_sta, sta_disassoc, vap);
157                         /*
158                          * Clear overlapping BSS state; the beacon frame
159                          * will be reconstructed on transition to the RUN
160                          * state and the timeout routines check if the flag
161                          * is set before doing anything so this is sufficient.
162                          */
163                         ic->ic_flags_ext &= ~IEEE80211_FEXT_NONERP_PR;
164                         ic->ic_flags_ext &= ~IEEE80211_FEXT_NONHT_PR;
165                         /* fall thru... */
166                 case IEEE80211_S_CAC:
167                         /*
168                          * NB: We may get here because of a manual channel
169                          *     change in which case we need to stop CAC
170                          * XXX no need to stop if ostate RUN but it's ok
171                          */
172                         ieee80211_dfs_cac_stop(vap);
173                         /* fall thru... */
174                 case IEEE80211_S_INIT:
175                         if (vap->iv_des_chan != IEEE80211_CHAN_ANYC &&
176                             !IEEE80211_IS_CHAN_RADAR(vap->iv_des_chan)) {
177                                 /*
178                                  * Already have a channel; bypass the
179                                  * scan and startup immediately.  
180                                  * ieee80211_create_ibss will call back to
181                                  * move us to RUN state.
182                                  */
183                                 ieee80211_create_ibss(vap, vap->iv_des_chan);
184                                 break;
185                         }
186                         /*
187                          * Initiate a scan.  We can come here as a result
188                          * of an IEEE80211_IOC_SCAN_REQ too in which case
189                          * the vap will be marked with IEEE80211_FEXT_SCANREQ
190                          * and the scan request parameters will be present
191                          * in iv_scanreq.  Otherwise we do the default.
192                          */
193                         if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) {
194                                 ieee80211_check_scan(vap,
195                                     vap->iv_scanreq_flags,
196                                     vap->iv_scanreq_duration,
197                                     vap->iv_scanreq_mindwell,
198                                     vap->iv_scanreq_maxdwell,
199                                     vap->iv_scanreq_nssid, vap->iv_scanreq_ssid);
200                                 vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ;
201                         } else
202                                 ieee80211_check_scan_current(vap);
203                         break;
204                 case IEEE80211_S_SCAN:
205                         /*
206                          * A state change requires a reset; scan.
207                          */
208                         ieee80211_check_scan_current(vap);
209                         break;
210                 default:
211                         break;
212                 }
213                 break;
214         case IEEE80211_S_CAC:
215                 /*
216                  * Start CAC on a DFS channel.  We come here when starting
217                  * a bss on a DFS channel (see ieee80211_create_ibss).
218                  */
219                 ieee80211_dfs_cac_start(vap);
220                 break;
221         case IEEE80211_S_RUN:
222                 if (vap->iv_flags & IEEE80211_F_WPA) {
223                         /* XXX validate prerequisites */
224                 }
225                 switch (ostate) {
226                 case IEEE80211_S_INIT:
227                         /*
228                          * Already have a channel; bypass the
229                          * scan and startup immediately.
230                          * Note that ieee80211_create_ibss will call
231                          * back to do a RUN->RUN state change.
232                          */
233                         ieee80211_create_ibss(vap,
234                             ieee80211_ht_adjust_channel(ic,
235                                 ic->ic_curchan, vap->iv_flags_ext));
236                         /* NB: iv_bss is changed on return */
237                         break;
238                 case IEEE80211_S_CAC:
239                         /*
240                          * NB: This is the normal state change when CAC
241                          * expires and no radar was detected; no need to
242                          * clear the CAC timer as it's already expired.
243                          */
244                         /* fall thru... */
245                 case IEEE80211_S_CSA:
246                         /*
247                          * Update bss node channel to reflect where
248                          * we landed after CSA.
249                          */
250                         ieee80211_node_set_chan(vap->iv_bss,
251                             ieee80211_ht_adjust_channel(ic, ic->ic_curchan,
252                                 ieee80211_htchanflags(vap->iv_bss->ni_chan)));
253                         /* XXX bypass debug msgs */
254                         break;
255                 case IEEE80211_S_SCAN:
256                 case IEEE80211_S_RUN:
257 #ifdef IEEE80211_DEBUG
258                         if (ieee80211_msg_debug(vap)) {
259                                 struct ieee80211_node *ni = vap->iv_bss;
260                                 ieee80211_note(vap,
261                                     "synchronized with %s ssid ",
262                                     ether_sprintf(ni->ni_bssid));
263                                 ieee80211_print_essid(ni->ni_essid,
264                                     ni->ni_esslen);
265                                 /* XXX MCS/HT */
266                                 printf(" channel %d start %uMb\n",
267                                     ieee80211_chan2ieee(ic, ic->ic_curchan),
268                                     IEEE80211_RATE2MBS(ni->ni_txrate));
269                         }
270 #endif
271                         break;
272                 default:
273                         break;
274                 }
275                 /*
276                  * Start/stop the authenticator.  We delay until here
277                  * to allow configuration to happen out of order.
278                  */
279                 if (vap->iv_auth->ia_attach != NULL) {
280                         /* XXX check failure */
281                         vap->iv_auth->ia_attach(vap);
282                 } else if (vap->iv_auth->ia_detach != NULL) {
283                         vap->iv_auth->ia_detach(vap);
284                 }
285                 ieee80211_node_authorize(vap->iv_bss);
286                 break;
287         default:
288                 break;
289         }
290         return 0;
291 }
292
293 static void
294 hostap_deliver_data(struct ieee80211vap *vap,
295         struct ieee80211_node *ni, struct mbuf *m)
296 {
297         struct ether_header *eh = mtod(m, struct ether_header *);
298         struct ifnet *ifp = vap->iv_ifp;
299
300         KASSERT(vap->iv_opmode == IEEE80211_M_HOSTAP,
301             ("gack, opmode %d", vap->iv_opmode));
302         /*
303          * Do accounting.
304          */
305         ifp->if_ipackets++;
306         IEEE80211_NODE_STAT(ni, rx_data);
307         IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len);
308         if (ETHER_IS_MULTICAST(eh->ether_dhost)) {
309                 m->m_flags |= M_MCAST;          /* XXX M_BCAST? */
310                 IEEE80211_NODE_STAT(ni, rx_mcast);
311         } else
312                 IEEE80211_NODE_STAT(ni, rx_ucast);
313
314         /* clear driver/net80211 flags before passing up */
315         m->m_flags &= ~M_80211_RX;
316
317         /* perform as a bridge within the AP */
318         if ((vap->iv_flags & IEEE80211_F_NOBRIDGE) == 0) {
319                 struct mbuf *mcopy = NULL;
320
321                 if (m->m_flags & M_MCAST) {
322                         mcopy = m_copypacket(m, M_DONTWAIT);
323                         if (mcopy == NULL)
324                                 ifp->if_oerrors++;
325                         else
326                                 mcopy->m_flags |= M_MCAST;
327                 } else {
328                         /*
329                          * Check if the destination is associated with the
330                          * same vap and authorized to receive traffic.
331                          * Beware of traffic destined for the vap itself;
332                          * sending it will not work; just let it be delivered
333                          * normally.
334                          */
335                         struct ieee80211_node *sta = ieee80211_find_vap_node(
336                              &vap->iv_ic->ic_sta, vap, eh->ether_dhost);
337                         if (sta != NULL) {
338                                 if (ieee80211_node_is_authorized(sta)) {
339                                         /*
340                                          * Beware of sending to ourself; this
341                                          * needs to happen via the normal
342                                          * input path.
343                                          */
344                                         if (sta != vap->iv_bss) {
345                                                 mcopy = m;
346                                                 m = NULL;
347                                         }
348                                 } else {
349                                         vap->iv_stats.is_rx_unauth++;
350                                         IEEE80211_NODE_STAT(sta, rx_unauth);
351                                 }
352                                 ieee80211_free_node(sta);
353                         }
354                 }
355                 if (mcopy != NULL) {
356                         int len, err;
357                         len = mcopy->m_pkthdr.len;
358                         IFQ_HANDOFF(ifp, mcopy, err);
359                         if (err) {
360                                 /* NB: IFQ_HANDOFF reclaims mcopy */
361                         } else {
362                                 ifp->if_opackets++;
363                         }
364                 }
365         }
366         if (m != NULL) {
367                 /*
368                  * Mark frame as coming from vap's interface.
369                  */
370                 m->m_pkthdr.rcvif = ifp;
371                 if (m->m_flags & M_MCAST) {
372                         /*
373                          * Spam DWDS vap's w/ multicast traffic.
374                          */
375                         /* XXX only if dwds in use? */
376                         ieee80211_dwds_mcast(vap, m);
377                 }
378                 if (ni->ni_vlan != 0) {
379                         /* attach vlan tag */
380                         m->m_pkthdr.ether_vtag = ni->ni_vlan;
381                         m->m_flags |= M_VLANTAG;
382                 }
383                 ifp->if_input(ifp, m);
384         }
385 }
386
387 /*
388  * Decide if a received management frame should be
389  * printed when debugging is enabled.  This filters some
390  * of the less interesting frames that come frequently
391  * (e.g. beacons).
392  */
393 static __inline int
394 doprint(struct ieee80211vap *vap, int subtype)
395 {
396         switch (subtype) {
397         case IEEE80211_FC0_SUBTYPE_BEACON:
398                 return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN);
399         case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
400                 return 0;
401         }
402         return 1;
403 }
404
405 /*
406  * Process a received frame.  The node associated with the sender
407  * should be supplied.  If nothing was found in the node table then
408  * the caller is assumed to supply a reference to iv_bss instead.
409  * The RSSI and a timestamp are also supplied.  The RSSI data is used
410  * during AP scanning to select a AP to associate with; it can have
411  * any units so long as values have consistent units and higher values
412  * mean ``better signal''.  The receive timestamp is currently not used
413  * by the 802.11 layer.
414  */
415 static int
416 hostap_input(struct ieee80211_node *ni, struct mbuf *m,
417         int rssi, int noise, uint32_t rstamp)
418 {
419 #define SEQ_LEQ(a,b)    ((int)((a)-(b)) <= 0)
420 #define HAS_SEQ(type)   ((type & 0x4) == 0)
421         struct ieee80211vap *vap = ni->ni_vap;
422         struct ieee80211com *ic = ni->ni_ic;
423         struct ifnet *ifp = vap->iv_ifp;
424         struct ieee80211_frame *wh;
425         struct ieee80211_key *key;
426         struct ether_header *eh;
427         int hdrspace, need_tap;
428         uint8_t dir, type, subtype, qos;
429         uint8_t *bssid;
430         uint16_t rxseq;
431
432         if (m->m_flags & M_AMPDU_MPDU) {
433                 /*
434                  * Fastpath for A-MPDU reorder q resubmission.  Frames
435                  * w/ M_AMPDU_MPDU marked have already passed through
436                  * here but were received out of order and been held on
437                  * the reorder queue.  When resubmitted they are marked
438                  * with the M_AMPDU_MPDU flag and we can bypass most of
439                  * the normal processing.
440                  */
441                 wh = mtod(m, struct ieee80211_frame *);
442                 type = IEEE80211_FC0_TYPE_DATA;
443                 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
444                 subtype = IEEE80211_FC0_SUBTYPE_QOS;
445                 hdrspace = ieee80211_hdrspace(ic, wh);  /* XXX optimize? */
446                 goto resubmit_ampdu;
447         }
448
449         KASSERT(ni != NULL, ("null node"));
450         ni->ni_inact = ni->ni_inact_reload;
451
452         need_tap = 1;                   /* mbuf need to be tapped. */
453         type = -1;                      /* undefined */
454
455         if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) {
456                 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
457                     ni->ni_macaddr, NULL,
458                     "too short (1): len %u", m->m_pkthdr.len);
459                 vap->iv_stats.is_rx_tooshort++;
460                 goto out;
461         }
462         /*
463          * Bit of a cheat here, we use a pointer for a 3-address
464          * frame format but don't reference fields past outside
465          * ieee80211_frame_min w/o first validating the data is
466          * present.
467          */
468         wh = mtod(m, struct ieee80211_frame *);
469
470         if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) !=
471             IEEE80211_FC0_VERSION_0) {
472                 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
473                     ni->ni_macaddr, NULL, "wrong version %x", wh->i_fc[0]);
474                 vap->iv_stats.is_rx_badversion++;
475                 goto err;
476         }
477
478         dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
479         type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
480         subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
481         if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) {
482                 if (dir != IEEE80211_FC1_DIR_NODS)
483                         bssid = wh->i_addr1;
484                 else if (type == IEEE80211_FC0_TYPE_CTL)
485                         bssid = wh->i_addr1;
486                 else {
487                         if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
488                                 IEEE80211_DISCARD_MAC(vap,
489                                     IEEE80211_MSG_ANY, ni->ni_macaddr,
490                                     NULL, "too short (2): len %u",
491                                     m->m_pkthdr.len);
492                                 vap->iv_stats.is_rx_tooshort++;
493                                 goto out;
494                         }
495                         bssid = wh->i_addr3;
496                 }
497                 /*
498                  * Validate the bssid.
499                  */
500                 if (!(type == IEEE80211_FC0_TYPE_MGT &&
501                       subtype == IEEE80211_FC0_SUBTYPE_BEACON) &&
502                     !IEEE80211_ADDR_EQ(bssid, vap->iv_bss->ni_bssid) &&
503                     !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) {
504                         /* not interested in */
505                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
506                             bssid, NULL, "%s", "not to bss");
507                         vap->iv_stats.is_rx_wrongbss++;
508                         goto out;
509                 }
510
511                 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
512                 ni->ni_noise = noise;
513                 ni->ni_rstamp = rstamp;
514                 if (HAS_SEQ(type)) {
515                         uint8_t tid = ieee80211_gettid(wh);
516                         if (IEEE80211_QOS_HAS_SEQ(wh) &&
517                             TID_TO_WME_AC(tid) >= WME_AC_VI)
518                                 ic->ic_wme.wme_hipri_traffic++;
519                         rxseq = le16toh(*(uint16_t *)wh->i_seq);
520                         if ((ni->ni_flags & IEEE80211_NODE_HT) == 0 &&
521                             (wh->i_fc[1] & IEEE80211_FC1_RETRY) &&
522                             SEQ_LEQ(rxseq, ni->ni_rxseqs[tid])) {
523                                 /* duplicate, discard */
524                                 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
525                                     bssid, "duplicate",
526                                     "seqno <%u,%u> fragno <%u,%u> tid %u",
527                                     rxseq >> IEEE80211_SEQ_SEQ_SHIFT,
528                                     ni->ni_rxseqs[tid] >>
529                                         IEEE80211_SEQ_SEQ_SHIFT,
530                                     rxseq & IEEE80211_SEQ_FRAG_MASK,
531                                     ni->ni_rxseqs[tid] &
532                                         IEEE80211_SEQ_FRAG_MASK,
533                                     tid);
534                                 vap->iv_stats.is_rx_dup++;
535                                 IEEE80211_NODE_STAT(ni, rx_dup);
536                                 goto out;
537                         }
538                         ni->ni_rxseqs[tid] = rxseq;
539                 }
540         }
541
542         switch (type) {
543         case IEEE80211_FC0_TYPE_DATA:
544                 hdrspace = ieee80211_hdrspace(ic, wh);
545                 if (m->m_len < hdrspace &&
546                     (m = m_pullup(m, hdrspace)) == NULL) {
547                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
548                             ni->ni_macaddr, NULL,
549                             "data too short: expecting %u", hdrspace);
550                         vap->iv_stats.is_rx_tooshort++;
551                         goto out;               /* XXX */
552                 }
553                 if (!(dir == IEEE80211_FC1_DIR_TODS ||
554                      (dir == IEEE80211_FC1_DIR_DSTODS &&
555                       (vap->iv_flags & IEEE80211_F_DWDS)))) {
556                         if (dir != IEEE80211_FC1_DIR_DSTODS) {
557                                 IEEE80211_DISCARD(vap,
558                                     IEEE80211_MSG_INPUT, wh, "data",
559                                     "incorrect dir 0x%x", dir);
560                         } else {
561                                 IEEE80211_DISCARD(vap,
562                                     IEEE80211_MSG_INPUT |
563                                     IEEE80211_MSG_WDS, wh,
564                                     "4-address data",
565                                     "%s", "DWDS not enabled");
566                         }
567                         vap->iv_stats.is_rx_wrongdir++;
568                         goto out;
569                 }
570                 /* check if source STA is associated */
571                 if (ni == vap->iv_bss) {
572                         IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
573                             wh, "data", "%s", "unknown src");
574                         ieee80211_send_error(ni, wh->i_addr2,
575                             IEEE80211_FC0_SUBTYPE_DEAUTH,
576                             IEEE80211_REASON_NOT_AUTHED);
577                         vap->iv_stats.is_rx_notassoc++;
578                         goto err;
579                 }
580                 if (ni->ni_associd == 0) {
581                         IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
582                             wh, "data", "%s", "unassoc src");
583                         IEEE80211_SEND_MGMT(ni,
584                             IEEE80211_FC0_SUBTYPE_DISASSOC,
585                             IEEE80211_REASON_NOT_ASSOCED);
586                         vap->iv_stats.is_rx_notassoc++;
587                         goto err;
588                 }
589
590                 /*
591                  * Check for power save state change.
592                  * XXX out-of-order A-MPDU frames?
593                  */
594                 if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^
595                     (ni->ni_flags & IEEE80211_NODE_PWR_MGT)))
596                         ieee80211_node_pwrsave(ni,
597                                 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT);
598                 /*
599                  * For 4-address packets handle WDS discovery
600                  * notifications.  Once a WDS link is setup frames
601                  * are just delivered to the WDS vap (see below).
602                  */
603                 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap == NULL) {
604                         if (!ieee80211_node_is_authorized(ni)) {
605                                 IEEE80211_DISCARD(vap,
606                                     IEEE80211_MSG_INPUT |
607                                     IEEE80211_MSG_WDS, wh,
608                                     "4-address data",
609                                     "%s", "unauthorized port");
610                                 vap->iv_stats.is_rx_unauth++;
611                                 IEEE80211_NODE_STAT(ni, rx_unauth);
612                                 goto err;
613                         }
614                         ieee80211_dwds_discover(ni, m);
615                         return type;
616                 }
617
618                 /*
619                  * Handle A-MPDU re-ordering.  If the frame is to be
620                  * processed directly then ieee80211_ampdu_reorder
621                  * will return 0; otherwise it has consumed the mbuf
622                  * and we should do nothing more with it.
623                  */
624                 if ((m->m_flags & M_AMPDU) &&
625                     ieee80211_ampdu_reorder(ni, m) != 0) {
626                         m = NULL;
627                         goto out;
628                 }
629         resubmit_ampdu:
630
631                 /*
632                  * Handle privacy requirements.  Note that we
633                  * must not be preempted from here until after
634                  * we (potentially) call ieee80211_crypto_demic;
635                  * otherwise we may violate assumptions in the
636                  * crypto cipher modules used to do delayed update
637                  * of replay sequence numbers.
638                  */
639                 if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
640                         if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
641                                 /*
642                                  * Discard encrypted frames when privacy is off.
643                                  */
644                                 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
645                                     wh, "WEP", "%s", "PRIVACY off");
646                                 vap->iv_stats.is_rx_noprivacy++;
647                                 IEEE80211_NODE_STAT(ni, rx_noprivacy);
648                                 goto out;
649                         }
650                         key = ieee80211_crypto_decap(ni, m, hdrspace);
651                         if (key == NULL) {
652                                 /* NB: stats+msgs handled in crypto_decap */
653                                 IEEE80211_NODE_STAT(ni, rx_wepfail);
654                                 goto out;
655                         }
656                         wh = mtod(m, struct ieee80211_frame *);
657                         wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
658                 } else {
659                         /* XXX M_WEP and IEEE80211_F_PRIVACY */
660                         key = NULL;
661                 }
662
663                 /*
664                  * Save QoS bits for use below--before we strip the header.
665                  */
666                 if (subtype == IEEE80211_FC0_SUBTYPE_QOS) {
667                         qos = (dir == IEEE80211_FC1_DIR_DSTODS) ?
668                             ((struct ieee80211_qosframe_addr4 *)wh)->i_qos[0] :
669                             ((struct ieee80211_qosframe *)wh)->i_qos[0];
670                 } else
671                         qos = 0;
672
673                 /*
674                  * Next up, any fragmentation.
675                  */
676                 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
677                         m = ieee80211_defrag(ni, m, hdrspace);
678                         if (m == NULL) {
679                                 /* Fragment dropped or frame not complete yet */
680                                 goto out;
681                         }
682                 }
683                 wh = NULL;              /* no longer valid, catch any uses */
684
685                 /*
686                  * Next strip any MSDU crypto bits.
687                  */
688                 if (key != NULL && !ieee80211_crypto_demic(vap, key, m, 0)) {
689                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
690                             ni->ni_macaddr, "data", "%s", "demic error");
691                         vap->iv_stats.is_rx_demicfail++;
692                         IEEE80211_NODE_STAT(ni, rx_demicfail);
693                         goto out;
694                 }
695                 /* copy to listener after decrypt */
696                 if (bpf_peers_present(vap->iv_rawbpf))
697                         bpf_mtap(vap->iv_rawbpf, m);
698                 need_tap = 0;
699                 /*
700                  * Finally, strip the 802.11 header.
701                  */
702                 m = ieee80211_decap(vap, m, hdrspace);
703                 if (m == NULL) {
704                         /* XXX mask bit to check for both */
705                         /* don't count Null data frames as errors */
706                         if (subtype == IEEE80211_FC0_SUBTYPE_NODATA ||
707                             subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL)
708                                 goto out;
709                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
710                             ni->ni_macaddr, "data", "%s", "decap error");
711                         vap->iv_stats.is_rx_decap++;
712                         IEEE80211_NODE_STAT(ni, rx_decap);
713                         goto err;
714                 }
715                 eh = mtod(m, struct ether_header *);
716                 if (!ieee80211_node_is_authorized(ni)) {
717                         /*
718                          * Deny any non-PAE frames received prior to
719                          * authorization.  For open/shared-key
720                          * authentication the port is mark authorized
721                          * after authentication completes.  For 802.1x
722                          * the port is not marked authorized by the
723                          * authenticator until the handshake has completed.
724                          */
725                         if (eh->ether_type != htons(ETHERTYPE_PAE)) {
726                                 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
727                                     eh->ether_shost, "data",
728                                     "unauthorized port: ether type 0x%x len %u",
729                                     eh->ether_type, m->m_pkthdr.len);
730                                 vap->iv_stats.is_rx_unauth++;
731                                 IEEE80211_NODE_STAT(ni, rx_unauth);
732                                 goto err;
733                         }
734                 } else {
735                         /*
736                          * When denying unencrypted frames, discard
737                          * any non-PAE frames received without encryption.
738                          */
739                         if ((vap->iv_flags & IEEE80211_F_DROPUNENC) &&
740                             (key == NULL && (m->m_flags & M_WEP) == 0) &&
741                             eh->ether_type != htons(ETHERTYPE_PAE)) {
742                                 /*
743                                  * Drop unencrypted frames.
744                                  */
745                                 vap->iv_stats.is_rx_unencrypted++;
746                                 IEEE80211_NODE_STAT(ni, rx_unencrypted);
747                                 goto out;
748                         }
749                 }
750                 /* XXX require HT? */
751                 if (qos & IEEE80211_QOS_AMSDU) {
752                         m = ieee80211_decap_amsdu(ni, m);
753                         if (m == NULL)
754                                 return IEEE80211_FC0_TYPE_DATA;
755                 } else if ((ni->ni_ath_flags & IEEE80211_NODE_FF) &&
756 #define FF_LLC_SIZE     (sizeof(struct ether_header) + sizeof(struct llc))
757                     m->m_pkthdr.len >= 3*FF_LLC_SIZE) {
758                         struct llc *llc;
759
760                         /*
761                          * Check for fast-frame tunnel encapsulation.
762                          */
763                         if (m->m_len < FF_LLC_SIZE &&
764                             (m = m_pullup(m, FF_LLC_SIZE)) == NULL) {
765                                 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
766                                     ni->ni_macaddr, "fast-frame",
767                                     "%s", "m_pullup(llc) failed");
768                                 vap->iv_stats.is_rx_tooshort++;
769                                 return IEEE80211_FC0_TYPE_DATA;
770                         }
771                         llc = (struct llc *)(mtod(m, uint8_t *) + 
772                                 sizeof(struct ether_header));
773                         if (llc->llc_snap.ether_type == htons(ATH_FF_ETH_TYPE)) {
774                                 m_adj(m, FF_LLC_SIZE);
775                                 m = ieee80211_decap_fastframe(ni, m);
776                                 if (m == NULL)
777                                         return IEEE80211_FC0_TYPE_DATA;
778                         }
779                 }
780 #undef FF_LLC_SIZE
781                 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap != NULL)
782                         ieee80211_deliver_data(ni->ni_wdsvap, ni, m);
783                 else
784                         hostap_deliver_data(vap, ni, m);
785                 return IEEE80211_FC0_TYPE_DATA;
786
787         case IEEE80211_FC0_TYPE_MGT:
788                 vap->iv_stats.is_rx_mgmt++;
789                 IEEE80211_NODE_STAT(ni, rx_mgmt);
790                 if (dir != IEEE80211_FC1_DIR_NODS) {
791                         IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
792                             wh, "mgt", "incorrect dir 0x%x", dir);
793                         vap->iv_stats.is_rx_wrongdir++;
794                         goto err;
795                 }
796                 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
797                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
798                             ni->ni_macaddr, "mgt", "too short: len %u",
799                             m->m_pkthdr.len);
800                         vap->iv_stats.is_rx_tooshort++;
801                         goto out;
802                 }
803                 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) {
804                         /* ensure return frames are unicast */
805                         IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
806                             wh, NULL, "source is multicast: %s",
807                             ether_sprintf(wh->i_addr2));
808                         vap->iv_stats.is_rx_mgtdiscard++;       /* XXX stat */
809                         goto out;
810                 }
811 #ifdef IEEE80211_DEBUG
812                 if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) ||
813                     ieee80211_msg_dumppkts(vap)) {
814                         if_printf(ifp, "received %s from %s rssi %d\n",
815                             ieee80211_mgt_subtype_name[subtype >>
816                                 IEEE80211_FC0_SUBTYPE_SHIFT],
817                             ether_sprintf(wh->i_addr2), rssi);
818                 }
819 #endif
820                 if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
821                         if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) {
822                                 /*
823                                  * Only shared key auth frames with a challenge
824                                  * should be encrypted, discard all others.
825                                  */
826                                 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
827                                     wh, NULL,
828                                     "%s", "WEP set but not permitted");
829                                 vap->iv_stats.is_rx_mgtdiscard++; /* XXX */
830                                 goto out;
831                         }
832                         if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
833                                 /*
834                                  * Discard encrypted frames when privacy is off.
835                                  */
836                                 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
837                                     wh, NULL, "%s", "WEP set but PRIVACY off");
838                                 vap->iv_stats.is_rx_noprivacy++;
839                                 goto out;
840                         }
841                         hdrspace = ieee80211_hdrspace(ic, wh);
842                         key = ieee80211_crypto_decap(ni, m, hdrspace);
843                         if (key == NULL) {
844                                 /* NB: stats+msgs handled in crypto_decap */
845                                 goto out;
846                         }
847                         wh = mtod(m, struct ieee80211_frame *);
848                         wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
849                 }
850                 if (bpf_peers_present(vap->iv_rawbpf))
851                         bpf_mtap(vap->iv_rawbpf, m);
852                 vap->iv_recv_mgmt(ni, m, subtype, rssi, noise, rstamp);
853                 m_freem(m);
854                 return IEEE80211_FC0_TYPE_MGT;
855
856         case IEEE80211_FC0_TYPE_CTL:
857                 vap->iv_stats.is_rx_ctl++;
858                 IEEE80211_NODE_STAT(ni, rx_ctrl);
859                 switch (subtype) {
860                 case IEEE80211_FC0_SUBTYPE_PS_POLL:
861                         hostap_recv_pspoll(ni, m);
862                         break;
863                 case IEEE80211_FC0_SUBTYPE_BAR:
864                         ieee80211_recv_bar(ni, m);
865                         break;
866                 }
867                 goto out;
868         default:
869                 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
870                     wh, "bad", "frame type 0x%x", type);
871                 /* should not come here */
872                 break;
873         }
874 err:
875         ifp->if_ierrors++;
876 out:
877         if (m != NULL) {
878                 if (bpf_peers_present(vap->iv_rawbpf) && need_tap)
879                         bpf_mtap(vap->iv_rawbpf, m);
880                 m_freem(m);
881         }
882         return type;
883 #undef SEQ_LEQ
884 }
885
886 static void
887 hostap_auth_open(struct ieee80211_node *ni, struct ieee80211_frame *wh,
888     int rssi, int noise, uint32_t rstamp, uint16_t seq, uint16_t status)
889 {
890         struct ieee80211vap *vap = ni->ni_vap;
891
892         KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state));
893
894         if (ni->ni_authmode == IEEE80211_AUTH_SHARED) {
895                 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
896                     ni->ni_macaddr, "open auth",
897                     "bad sta auth mode %u", ni->ni_authmode);
898                 vap->iv_stats.is_rx_bad_auth++; /* XXX */
899                 /*
900                  * Clear any challenge text that may be there if
901                  * a previous shared key auth failed and then an
902                  * open auth is attempted.
903                  */
904                 if (ni->ni_challenge != NULL) {
905                         FREE(ni->ni_challenge, M_80211_NODE);
906                         ni->ni_challenge = NULL;
907                 }
908                 /* XXX hack to workaround calling convention */
909                 ieee80211_send_error(ni, wh->i_addr2, 
910                     IEEE80211_FC0_SUBTYPE_AUTH,
911                     (seq + 1) | (IEEE80211_STATUS_ALG<<16));
912                 return;
913         }
914         if (seq != IEEE80211_AUTH_OPEN_REQUEST) {
915                 vap->iv_stats.is_rx_bad_auth++;
916                 return;
917         }
918         /* always accept open authentication requests */
919         if (ni == vap->iv_bss) {
920                 ni = ieee80211_dup_bss(vap, wh->i_addr2);
921                 if (ni == NULL)
922                         return;
923         } else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0)
924                 (void) ieee80211_ref_node(ni);
925         /*
926          * Mark the node as referenced to reflect that it's
927          * reference count has been bumped to insure it remains
928          * after the transaction completes.
929          */
930         ni->ni_flags |= IEEE80211_NODE_AREF;
931
932         if (vap->iv_acl != NULL &&
933             vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) {
934                 /*
935                  * When the ACL policy is set to RADIUS we defer the
936                  * authorization to a user agent.  Dispatch an event,
937                  * a subsequent MLME call will decide the fate of the
938                  * station.  If the user agent is not present then the
939                  * node will be reclaimed due to inactivity.
940                  */
941                 IEEE80211_NOTE_MAC(vap,
942                     IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL, ni->ni_macaddr,
943                     "%s", "station authentication defered (radius acl)");
944                 ieee80211_notify_node_auth(ni);
945         } else {
946                 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
947                 IEEE80211_NOTE_MAC(vap,
948                     IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, ni->ni_macaddr,
949                     "%s", "station authenticated (open)");
950                 /*
951                  * When 802.1x is not in use mark the port
952                  * authorized at this point so traffic can flow.
953                  */
954                 if (ni->ni_authmode != IEEE80211_AUTH_8021X)
955                         ieee80211_node_authorize(ni);
956         }
957 }
958
959 static void
960 hostap_auth_shared(struct ieee80211_node *ni, struct ieee80211_frame *wh,
961     uint8_t *frm, uint8_t *efrm, int rssi, int noise, uint32_t rstamp,
962     uint16_t seq, uint16_t status)
963 {
964         struct ieee80211vap *vap = ni->ni_vap;
965         uint8_t *challenge;
966         int allocbs, estatus;
967
968         KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state));
969
970         /*
971          * NB: this can happen as we allow pre-shared key
972          * authentication to be enabled w/o wep being turned
973          * on so that configuration of these can be done
974          * in any order.  It may be better to enforce the
975          * ordering in which case this check would just be
976          * for sanity/consistency.
977          */
978         if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
979                 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
980                     ni->ni_macaddr, "shared key auth",
981                     "%s", " PRIVACY is disabled");
982                 estatus = IEEE80211_STATUS_ALG;
983                 goto bad;
984         }
985         /*
986          * Pre-shared key authentication is evil; accept
987          * it only if explicitly configured (it is supported
988          * mainly for compatibility with clients like Mac OS X).
989          */
990         if (ni->ni_authmode != IEEE80211_AUTH_AUTO &&
991             ni->ni_authmode != IEEE80211_AUTH_SHARED) {
992                 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
993                     ni->ni_macaddr, "shared key auth",
994                     "bad sta auth mode %u", ni->ni_authmode);
995                 vap->iv_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */
996                 estatus = IEEE80211_STATUS_ALG;
997                 goto bad;
998         }
999
1000         challenge = NULL;
1001         if (frm + 1 < efrm) {
1002                 if ((frm[1] + 2) > (efrm - frm)) {
1003                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1004                             ni->ni_macaddr, "shared key auth",
1005                             "ie %d/%d too long",
1006                             frm[0], (frm[1] + 2) - (efrm - frm));
1007                         vap->iv_stats.is_rx_bad_auth++;
1008                         estatus = IEEE80211_STATUS_CHALLENGE;
1009                         goto bad;
1010                 }
1011                 if (*frm == IEEE80211_ELEMID_CHALLENGE)
1012                         challenge = frm;
1013                 frm += frm[1] + 2;
1014         }
1015         switch (seq) {
1016         case IEEE80211_AUTH_SHARED_CHALLENGE:
1017         case IEEE80211_AUTH_SHARED_RESPONSE:
1018                 if (challenge == NULL) {
1019                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1020                             ni->ni_macaddr, "shared key auth",
1021                             "%s", "no challenge");
1022                         vap->iv_stats.is_rx_bad_auth++;
1023                         estatus = IEEE80211_STATUS_CHALLENGE;
1024                         goto bad;
1025                 }
1026                 if (challenge[1] != IEEE80211_CHALLENGE_LEN) {
1027                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1028                             ni->ni_macaddr, "shared key auth",
1029                             "bad challenge len %d", challenge[1]);
1030                         vap->iv_stats.is_rx_bad_auth++;
1031                         estatus = IEEE80211_STATUS_CHALLENGE;
1032                         goto bad;
1033                 }
1034         default:
1035                 break;
1036         }
1037         switch (seq) {
1038         case IEEE80211_AUTH_SHARED_REQUEST:
1039                 if (ni == vap->iv_bss) {
1040                         ni = ieee80211_dup_bss(vap, wh->i_addr2);
1041                         if (ni == NULL) {
1042                                 /* NB: no way to return an error */
1043                                 return;
1044                         }
1045                         allocbs = 1;
1046                 } else {
1047                         if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0)
1048                                 (void) ieee80211_ref_node(ni);
1049                         allocbs = 0;
1050                 }
1051                 /*
1052                  * Mark the node as referenced to reflect that it's
1053                  * reference count has been bumped to insure it remains
1054                  * after the transaction completes.
1055                  */
1056                 ni->ni_flags |= IEEE80211_NODE_AREF;
1057                 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
1058                 ni->ni_noise = noise;
1059                 ni->ni_rstamp = rstamp;
1060                 if (!ieee80211_alloc_challenge(ni)) {
1061                         /* NB: don't return error so they rexmit */
1062                         return;
1063                 }
1064                 get_random_bytes(ni->ni_challenge,
1065                         IEEE80211_CHALLENGE_LEN);
1066                 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1067                     ni, "shared key %sauth request", allocbs ? "" : "re");
1068                 /*
1069                  * When the ACL policy is set to RADIUS we defer the
1070                  * authorization to a user agent.  Dispatch an event,
1071                  * a subsequent MLME call will decide the fate of the
1072                  * station.  If the user agent is not present then the
1073                  * node will be reclaimed due to inactivity.
1074                  */
1075                 if (vap->iv_acl != NULL &&
1076                     vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) {
1077                         IEEE80211_NOTE_MAC(vap,
1078                             IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL,
1079                             ni->ni_macaddr,
1080                             "%s", "station authentication defered (radius acl)");
1081                         ieee80211_notify_node_auth(ni);
1082                         return;
1083                 }
1084                 break;
1085         case IEEE80211_AUTH_SHARED_RESPONSE:
1086                 if (ni == vap->iv_bss) {
1087                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1088                             ni->ni_macaddr, "shared key response",
1089                             "%s", "unknown station");
1090                         /* NB: don't send a response */
1091                         return;
1092                 }
1093                 if (ni->ni_challenge == NULL) {
1094                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1095                             ni->ni_macaddr, "shared key response",
1096                             "%s", "no challenge recorded");
1097                         vap->iv_stats.is_rx_bad_auth++;
1098                         estatus = IEEE80211_STATUS_CHALLENGE;
1099                         goto bad;
1100                 }
1101                 if (memcmp(ni->ni_challenge, &challenge[2],
1102                            challenge[1]) != 0) {
1103                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1104                             ni->ni_macaddr, "shared key response",
1105                             "%s", "challenge mismatch");
1106                         vap->iv_stats.is_rx_auth_fail++;
1107                         estatus = IEEE80211_STATUS_CHALLENGE;
1108                         goto bad;
1109                 }
1110                 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1111                     ni, "%s", "station authenticated (shared key)");
1112                 ieee80211_node_authorize(ni);
1113                 break;
1114         default:
1115                 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1116                     ni->ni_macaddr, "shared key auth",
1117                     "bad seq %d", seq);
1118                 vap->iv_stats.is_rx_bad_auth++;
1119                 estatus = IEEE80211_STATUS_SEQUENCE;
1120                 goto bad;
1121         }
1122         IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
1123         return;
1124 bad:
1125         /*
1126          * Send an error response; but only when operating as an AP.
1127          */
1128         /* XXX hack to workaround calling convention */
1129         ieee80211_send_error(ni, wh->i_addr2,
1130             IEEE80211_FC0_SUBTYPE_AUTH,
1131             (seq + 1) | (estatus<<16));
1132 }
1133
1134 /*
1135  * Convert a WPA cipher selector OUI to an internal
1136  * cipher algorithm.  Where appropriate we also
1137  * record any key length.
1138  */
1139 static int
1140 wpa_cipher(const uint8_t *sel, uint8_t *keylen)
1141 {
1142 #define WPA_SEL(x)      (((x)<<24)|WPA_OUI)
1143         uint32_t w = LE_READ_4(sel);
1144
1145         switch (w) {
1146         case WPA_SEL(WPA_CSE_NULL):
1147                 return IEEE80211_CIPHER_NONE;
1148         case WPA_SEL(WPA_CSE_WEP40):
1149                 if (keylen)
1150                         *keylen = 40 / NBBY;
1151                 return IEEE80211_CIPHER_WEP;
1152         case WPA_SEL(WPA_CSE_WEP104):
1153                 if (keylen)
1154                         *keylen = 104 / NBBY;
1155                 return IEEE80211_CIPHER_WEP;
1156         case WPA_SEL(WPA_CSE_TKIP):
1157                 return IEEE80211_CIPHER_TKIP;
1158         case WPA_SEL(WPA_CSE_CCMP):
1159                 return IEEE80211_CIPHER_AES_CCM;
1160         }
1161         return 32;              /* NB: so 1<< is discarded */
1162 #undef WPA_SEL
1163 }
1164
1165 /*
1166  * Convert a WPA key management/authentication algorithm
1167  * to an internal code.
1168  */
1169 static int
1170 wpa_keymgmt(const uint8_t *sel)
1171 {
1172 #define WPA_SEL(x)      (((x)<<24)|WPA_OUI)
1173         uint32_t w = LE_READ_4(sel);
1174
1175         switch (w) {
1176         case WPA_SEL(WPA_ASE_8021X_UNSPEC):
1177                 return WPA_ASE_8021X_UNSPEC;
1178         case WPA_SEL(WPA_ASE_8021X_PSK):
1179                 return WPA_ASE_8021X_PSK;
1180         case WPA_SEL(WPA_ASE_NONE):
1181                 return WPA_ASE_NONE;
1182         }
1183         return 0;               /* NB: so is discarded */
1184 #undef WPA_SEL
1185 }
1186
1187 /*
1188  * Parse a WPA information element to collect parameters.
1189  * Note that we do not validate security parameters; that
1190  * is handled by the authenticator; the parsing done here
1191  * is just for internal use in making operational decisions.
1192  */
1193 static int
1194 ieee80211_parse_wpa(struct ieee80211vap *vap, const uint8_t *frm,
1195         struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh)
1196 {
1197         uint8_t len = frm[1];
1198         uint32_t w;
1199         int n;
1200
1201         /*
1202          * Check the length once for fixed parts: OUI, type,
1203          * version, mcast cipher, and 2 selector counts.
1204          * Other, variable-length data, must be checked separately.
1205          */
1206         if ((vap->iv_flags & IEEE80211_F_WPA1) == 0) {
1207                 IEEE80211_DISCARD_IE(vap,
1208                     IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1209                     wh, "WPA", "not WPA, flags 0x%x", vap->iv_flags);
1210                 return IEEE80211_REASON_IE_INVALID;
1211         }
1212         if (len < 14) {
1213                 IEEE80211_DISCARD_IE(vap,
1214                     IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1215                     wh, "WPA", "too short, len %u", len);
1216                 return IEEE80211_REASON_IE_INVALID;
1217         }
1218         frm += 6, len -= 4;             /* NB: len is payload only */
1219         /* NB: iswapoui already validated the OUI and type */
1220         w = LE_READ_2(frm);
1221         if (w != WPA_VERSION) {
1222                 IEEE80211_DISCARD_IE(vap,
1223                     IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1224                     wh, "WPA", "bad version %u", w);
1225                 return IEEE80211_REASON_IE_INVALID;
1226         }
1227         frm += 2, len -= 2;
1228
1229         memset(rsn, 0, sizeof(*rsn));
1230
1231         /* multicast/group cipher */
1232         rsn->rsn_mcastcipher = wpa_cipher(frm, &rsn->rsn_mcastkeylen);
1233         frm += 4, len -= 4;
1234
1235         /* unicast ciphers */
1236         n = LE_READ_2(frm);
1237         frm += 2, len -= 2;
1238         if (len < n*4+2) {
1239                 IEEE80211_DISCARD_IE(vap,
1240                     IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1241                     wh, "WPA", "ucast cipher data too short; len %u, n %u",
1242                     len, n);
1243                 return IEEE80211_REASON_IE_INVALID;
1244         }
1245         w = 0;
1246         for (; n > 0; n--) {
1247                 w |= 1<<wpa_cipher(frm, &rsn->rsn_ucastkeylen);
1248                 frm += 4, len -= 4;
1249         }
1250         if (w & (1<<IEEE80211_CIPHER_TKIP))
1251                 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
1252         else
1253                 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
1254
1255         /* key management algorithms */
1256         n = LE_READ_2(frm);
1257         frm += 2, len -= 2;
1258         if (len < n*4) {
1259                 IEEE80211_DISCARD_IE(vap,
1260                     IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1261                     wh, "WPA", "key mgmt alg data too short; len %u, n %u",
1262                     len, n);
1263                 return IEEE80211_REASON_IE_INVALID;
1264         }
1265         w = 0;
1266         for (; n > 0; n--) {
1267                 w |= wpa_keymgmt(frm);
1268                 frm += 4, len -= 4;
1269         }
1270         if (w & WPA_ASE_8021X_UNSPEC)
1271                 rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC;
1272         else
1273                 rsn->rsn_keymgmt = WPA_ASE_8021X_PSK;
1274
1275         if (len > 2)            /* optional capabilities */
1276                 rsn->rsn_caps = LE_READ_2(frm);
1277
1278         return 0;
1279 }
1280
1281 /*
1282  * Convert an RSN cipher selector OUI to an internal
1283  * cipher algorithm.  Where appropriate we also
1284  * record any key length.
1285  */
1286 static int
1287 rsn_cipher(const uint8_t *sel, uint8_t *keylen)
1288 {
1289 #define RSN_SEL(x)      (((x)<<24)|RSN_OUI)
1290         uint32_t w = LE_READ_4(sel);
1291
1292         switch (w) {
1293         case RSN_SEL(RSN_CSE_NULL):
1294                 return IEEE80211_CIPHER_NONE;
1295         case RSN_SEL(RSN_CSE_WEP40):
1296                 if (keylen)
1297                         *keylen = 40 / NBBY;
1298                 return IEEE80211_CIPHER_WEP;
1299         case RSN_SEL(RSN_CSE_WEP104):
1300                 if (keylen)
1301                         *keylen = 104 / NBBY;
1302                 return IEEE80211_CIPHER_WEP;
1303         case RSN_SEL(RSN_CSE_TKIP):
1304                 return IEEE80211_CIPHER_TKIP;
1305         case RSN_SEL(RSN_CSE_CCMP):
1306                 return IEEE80211_CIPHER_AES_CCM;
1307         case RSN_SEL(RSN_CSE_WRAP):
1308                 return IEEE80211_CIPHER_AES_OCB;
1309         }
1310         return 32;              /* NB: so 1<< is discarded */
1311 #undef WPA_SEL
1312 }
1313
1314 /*
1315  * Convert an RSN key management/authentication algorithm
1316  * to an internal code.
1317  */
1318 static int
1319 rsn_keymgmt(const uint8_t *sel)
1320 {
1321 #define RSN_SEL(x)      (((x)<<24)|RSN_OUI)
1322         uint32_t w = LE_READ_4(sel);
1323
1324         switch (w) {
1325         case RSN_SEL(RSN_ASE_8021X_UNSPEC):
1326                 return RSN_ASE_8021X_UNSPEC;
1327         case RSN_SEL(RSN_ASE_8021X_PSK):
1328                 return RSN_ASE_8021X_PSK;
1329         case RSN_SEL(RSN_ASE_NONE):
1330                 return RSN_ASE_NONE;
1331         }
1332         return 0;               /* NB: so is discarded */
1333 #undef RSN_SEL
1334 }
1335
1336 /*
1337  * Parse a WPA/RSN information element to collect parameters
1338  * and validate the parameters against what has been
1339  * configured for the system.
1340  */
1341 static int
1342 ieee80211_parse_rsn(struct ieee80211vap *vap, const uint8_t *frm,
1343         struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh)
1344 {
1345         uint8_t len = frm[1];
1346         uint32_t w;
1347         int n;
1348
1349         /*
1350          * Check the length once for fixed parts: 
1351          * version, mcast cipher, and 2 selector counts.
1352          * Other, variable-length data, must be checked separately.
1353          */
1354         if ((vap->iv_flags & IEEE80211_F_WPA2) == 0) {
1355                 IEEE80211_DISCARD_IE(vap,
1356                     IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1357                     wh, "WPA", "not RSN, flags 0x%x", vap->iv_flags);
1358                 return IEEE80211_REASON_IE_INVALID;
1359         }
1360         if (len < 10) {
1361                 IEEE80211_DISCARD_IE(vap,
1362                     IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1363                     wh, "RSN", "too short, len %u", len);
1364                 return IEEE80211_REASON_IE_INVALID;
1365         }
1366         frm += 2;
1367         w = LE_READ_2(frm);
1368         if (w != RSN_VERSION) {
1369                 IEEE80211_DISCARD_IE(vap,
1370                     IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1371                     wh, "RSN", "bad version %u", w);
1372                 return IEEE80211_REASON_IE_INVALID;
1373         }
1374         frm += 2, len -= 2;
1375
1376         memset(rsn, 0, sizeof(*rsn));
1377
1378         /* multicast/group cipher */
1379         rsn->rsn_mcastcipher = rsn_cipher(frm, &rsn->rsn_mcastkeylen);
1380         frm += 4, len -= 4;
1381
1382         /* unicast ciphers */
1383         n = LE_READ_2(frm);
1384         frm += 2, len -= 2;
1385         if (len < n*4+2) {
1386                 IEEE80211_DISCARD_IE(vap,
1387                     IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1388                     wh, "RSN", "ucast cipher data too short; len %u, n %u",
1389                     len, n);
1390                 return IEEE80211_REASON_IE_INVALID;
1391         }
1392         w = 0;
1393         for (; n > 0; n--) {
1394                 w |= 1<<rsn_cipher(frm, &rsn->rsn_ucastkeylen);
1395                 frm += 4, len -= 4;
1396         }
1397         if (w & (1<<IEEE80211_CIPHER_TKIP))
1398                 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
1399         else
1400                 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
1401
1402         /* key management algorithms */
1403         n = LE_READ_2(frm);
1404         frm += 2, len -= 2;
1405         if (len < n*4) {
1406                 IEEE80211_DISCARD_IE(vap,
1407                     IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1408                     wh, "RSN", "key mgmt alg data too short; len %u, n %u",
1409                     len, n);
1410                 return IEEE80211_REASON_IE_INVALID;
1411         }
1412         w = 0;
1413         for (; n > 0; n--) {
1414                 w |= rsn_keymgmt(frm);
1415                 frm += 4, len -= 4;
1416         }
1417         if (w & RSN_ASE_8021X_UNSPEC)
1418                 rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC;
1419         else
1420                 rsn->rsn_keymgmt = RSN_ASE_8021X_PSK;
1421
1422         /* optional RSN capabilities */
1423         if (len > 2)
1424                 rsn->rsn_caps = LE_READ_2(frm);
1425         /* XXXPMKID */
1426
1427         return 0;
1428 }
1429
1430 /*
1431  * WPA/802.11i assocation request processing.
1432  */
1433 static int
1434 wpa_assocreq(struct ieee80211_node *ni, struct ieee80211_rsnparms *rsnparms,
1435         const struct ieee80211_frame *wh, const uint8_t *wpa,
1436         const uint8_t *rsn, uint16_t capinfo)
1437 {
1438         struct ieee80211vap *vap = ni->ni_vap;
1439         uint8_t reason;
1440         int badwparsn;
1441
1442         ni->ni_flags &= ~(IEEE80211_NODE_WPS|IEEE80211_NODE_TSN);
1443         if (wpa == NULL && rsn == NULL) {
1444                 if (vap->iv_flags_ext & IEEE80211_FEXT_WPS) {
1445                         /*
1446                          * W-Fi Protected Setup (WPS) permits
1447                          * clients to associate and pass EAPOL frames
1448                          * to establish initial credentials.
1449                          */
1450                         ni->ni_flags |= IEEE80211_NODE_WPS;
1451                         return 1;
1452                 }
1453                 if ((vap->iv_flags_ext & IEEE80211_FEXT_TSN) &&
1454                     (capinfo & IEEE80211_CAPINFO_PRIVACY)) {
1455                         /* 
1456                          * Transitional Security Network.  Permits clients
1457                          * to associate and use WEP while WPA is configured.
1458                          */
1459                         ni->ni_flags |= IEEE80211_NODE_TSN;
1460                         return 1;
1461                 }
1462                 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA,
1463                     wh, NULL, "%s", "no WPA/RSN IE in association request");
1464                 vap->iv_stats.is_rx_assoc_badwpaie++;
1465                 reason = IEEE80211_REASON_IE_INVALID;
1466                 goto bad;
1467         }
1468         /* assert right association security credentials */
1469         badwparsn = 0;                  /* NB: to silence compiler */
1470         switch (vap->iv_flags & IEEE80211_F_WPA) {
1471         case IEEE80211_F_WPA1:
1472                 badwparsn = (wpa == NULL);
1473                 break;
1474         case IEEE80211_F_WPA2:
1475                 badwparsn = (rsn == NULL);
1476                 break;
1477         case IEEE80211_F_WPA1|IEEE80211_F_WPA2:
1478                 badwparsn = (wpa == NULL && rsn == NULL);
1479                 break;
1480         }
1481         if (badwparsn) {
1482                 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA,
1483                     wh, NULL,
1484                     "%s", "missing WPA/RSN IE in association request");
1485                 vap->iv_stats.is_rx_assoc_badwpaie++;
1486                 reason = IEEE80211_REASON_IE_INVALID;
1487                 goto bad;
1488         }
1489         /*
1490          * Parse WPA/RSN information element.
1491          */
1492         if (wpa != NULL)
1493                 reason = ieee80211_parse_wpa(vap, wpa, rsnparms, wh);
1494         else
1495                 reason = ieee80211_parse_rsn(vap, rsn, rsnparms, wh);
1496         if (reason != 0) {
1497                 /* XXX distinguish WPA/RSN? */
1498                 vap->iv_stats.is_rx_assoc_badwpaie++;
1499                 goto bad;
1500         }
1501         IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, ni,
1502             "%s ie: mc %u/%u uc %u/%u key %u caps 0x%x",
1503             wpa != NULL ? "WPA" : "RSN",
1504             rsnparms->rsn_mcastcipher, rsnparms->rsn_mcastkeylen,
1505             rsnparms->rsn_ucastcipher, rsnparms->rsn_ucastkeylen,
1506             rsnparms->rsn_keymgmt, rsnparms->rsn_caps);
1507
1508         return 1;
1509 bad:
1510         ieee80211_node_deauth(ni, reason);
1511         return 0;
1512 }
1513
1514 /* XXX find a better place for definition */
1515 struct l2_update_frame {
1516         struct ether_header eh;
1517         uint8_t dsap;
1518         uint8_t ssap;
1519         uint8_t control;
1520         uint8_t xid[3];
1521 }  __packed;
1522
1523 /*
1524  * Deliver a TGf L2UF frame on behalf of a station.
1525  * This primes any bridge when the station is roaming
1526  * between ap's on the same wired network.
1527  */
1528 static void
1529 ieee80211_deliver_l2uf(struct ieee80211_node *ni)
1530 {
1531         struct ieee80211vap *vap = ni->ni_vap;
1532         struct ifnet *ifp = vap->iv_ifp;
1533         struct mbuf *m;
1534         struct l2_update_frame *l2uf;
1535         struct ether_header *eh;
1536         
1537         m = m_gethdr(M_NOWAIT, MT_DATA);
1538         if (m == NULL) {
1539                 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni,
1540                     "%s", "no mbuf for l2uf frame");
1541                 vap->iv_stats.is_rx_nobuf++;    /* XXX not right */
1542                 return;
1543         }
1544         l2uf = mtod(m, struct l2_update_frame *);
1545         eh = &l2uf->eh;
1546         /* dst: Broadcast address */
1547         IEEE80211_ADDR_COPY(eh->ether_dhost, ifp->if_broadcastaddr);
1548         /* src: associated STA */
1549         IEEE80211_ADDR_COPY(eh->ether_shost, ni->ni_macaddr);
1550         eh->ether_type = htons(sizeof(*l2uf) - sizeof(*eh));
1551         
1552         l2uf->dsap = 0;
1553         l2uf->ssap = 0;
1554         l2uf->control = 0xf5;
1555         l2uf->xid[0] = 0x81;
1556         l2uf->xid[1] = 0x80;
1557         l2uf->xid[2] = 0x00;
1558         
1559         m->m_pkthdr.len = m->m_len = sizeof(*l2uf);
1560         hostap_deliver_data(vap, ni, m);
1561 }
1562
1563 static void
1564 ratesetmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1565         int reassoc, int resp, const char *tag, int rate)
1566 {
1567         IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2,
1568             "deny %s request, %s rate set mismatch, rate/MCS %d",
1569             reassoc ? "reassoc" : "assoc", tag, rate & IEEE80211_RATE_VAL);
1570         IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_BASIC_RATE);
1571         ieee80211_node_leave(ni);
1572 }
1573
1574 static void
1575 capinfomismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1576         int reassoc, int resp, const char *tag, int capinfo)
1577 {
1578         struct ieee80211vap *vap = ni->ni_vap;
1579
1580         IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2,
1581             "deny %s request, %s mismatch 0x%x",
1582             reassoc ? "reassoc" : "assoc", tag, capinfo);
1583         IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_CAPINFO);
1584         ieee80211_node_leave(ni);
1585         vap->iv_stats.is_rx_assoc_capmismatch++;
1586 }
1587
1588 static void
1589 htcapmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1590         int reassoc, int resp)
1591 {
1592         IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2,
1593             "deny %s request, %s missing HT ie", reassoc ? "reassoc" : "assoc");
1594         /* XXX no better code */
1595         IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_OTHER);
1596         ieee80211_node_leave(ni);
1597 }
1598
1599 static void
1600 authalgreject(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1601         int algo, int seq, int status)
1602 {
1603         struct ieee80211vap *vap = ni->ni_vap;
1604
1605         IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1606             wh, NULL, "unsupported alg %d", algo);
1607         vap->iv_stats.is_rx_auth_unsupported++;
1608         ieee80211_send_error(ni, wh->i_addr2, IEEE80211_FC0_SUBTYPE_AUTH,
1609             seq | (status << 16));
1610 }
1611
1612 static __inline int
1613 ishtmixed(const uint8_t *ie)
1614 {
1615         const struct ieee80211_ie_htinfo *ht =
1616             (const struct ieee80211_ie_htinfo *) ie;
1617         return (ht->hi_byte2 & IEEE80211_HTINFO_OPMODE) ==
1618             IEEE80211_HTINFO_OPMODE_MIXED;
1619 }
1620
1621 static int
1622 is11bclient(const uint8_t *rates, const uint8_t *xrates)
1623 {
1624         static const uint32_t brates = (1<<2*1)|(1<<2*2)|(1<<11)|(1<<2*11);
1625         int i;
1626
1627         /* NB: the 11b clients we care about will not have xrates */
1628         if (xrates != NULL || rates == NULL)
1629                 return 0;
1630         for (i = 0; i < rates[1]; i++) {
1631                 int r = rates[2+i] & IEEE80211_RATE_VAL;
1632                 if (r > 2*11 || ((1<<r) & brates) == 0)
1633                         return 0;
1634         }
1635         return 1;
1636 }
1637
1638 static void
1639 hostap_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0,
1640         int subtype, int rssi, int noise, uint32_t rstamp)
1641 {
1642         struct ieee80211vap *vap = ni->ni_vap;
1643         struct ieee80211com *ic = ni->ni_ic;
1644         struct ieee80211_frame *wh;
1645         uint8_t *frm, *efrm, *sfrm;
1646         uint8_t *ssid, *rates, *xrates, *wpa, *rsn, *wme, *ath, *htcap;
1647         int reassoc, resp;
1648         uint8_t rate;
1649
1650         wh = mtod(m0, struct ieee80211_frame *);
1651         frm = (uint8_t *)&wh[1];
1652         efrm = mtod(m0, uint8_t *) + m0->m_len;
1653         switch (subtype) {
1654         case IEEE80211_FC0_SUBTYPE_PROBE_RESP:
1655         case IEEE80211_FC0_SUBTYPE_BEACON: {
1656                 struct ieee80211_scanparams scan;
1657                 /*
1658                  * We process beacon/probe response frames when scanning;
1659                  * otherwise we check beacon frames for overlapping non-ERP
1660                  * BSS in 11g and/or overlapping legacy BSS when in HT.
1661                  */ 
1662                 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0 &&
1663                     subtype == IEEE80211_FC0_SUBTYPE_PROBE_RESP) {
1664                         vap->iv_stats.is_rx_mgtdiscard++;
1665                         return;
1666                 }
1667                 /* NB: accept off-channel frames */
1668                 if (ieee80211_parse_beacon(ni, m0, &scan) &~ IEEE80211_BPARSE_OFFCHAN)
1669                         return;
1670                 /*
1671                  * Count frame now that we know it's to be processed.
1672                  */
1673                 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) {
1674                         vap->iv_stats.is_rx_beacon++;           /* XXX remove */
1675                         IEEE80211_NODE_STAT(ni, rx_beacons);
1676                 } else
1677                         IEEE80211_NODE_STAT(ni, rx_proberesp);
1678                 /*
1679                  * If scanning, just pass information to the scan module.
1680                  */
1681                 if (ic->ic_flags & IEEE80211_F_SCAN) {
1682                         if (scan.status == 0 &&         /* NB: on channel */
1683                             (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN)) {
1684                                 /*
1685                                  * Actively scanning a channel marked passive;
1686                                  * send a probe request now that we know there
1687                                  * is 802.11 traffic present.
1688                                  *
1689                                  * XXX check if the beacon we recv'd gives
1690                                  * us what we need and suppress the probe req
1691                                  */
1692                                 ieee80211_probe_curchan(vap, 1);
1693                                 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN;
1694                         }
1695                         ieee80211_add_scan(vap, &scan, wh,
1696                                 subtype, rssi, noise, rstamp);
1697                         return;
1698                 }
1699                 /*
1700                  * Check beacon for overlapping bss w/ non ERP stations.
1701                  * If we detect one and protection is configured but not
1702                  * enabled, enable it and start a timer that'll bring us
1703                  * out if we stop seeing the bss.
1704                  */
1705                 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) &&
1706                     scan.status == 0 &&                 /* NB: on-channel */
1707                     ((scan.erp & 0x100) == 0 ||         /* NB: no ERP, 11b sta*/
1708                      (scan.erp & IEEE80211_ERP_NON_ERP_PRESENT))) {
1709                         ic->ic_lastnonerp = ticks;
1710                         ic->ic_flags_ext |= IEEE80211_FEXT_NONERP_PR;
1711                         if (ic->ic_protmode != IEEE80211_PROT_NONE &&
1712                             (ic->ic_flags & IEEE80211_F_USEPROT) == 0) {
1713                                 IEEE80211_NOTE_FRAME(vap,
1714                                     IEEE80211_MSG_ASSOC, wh,
1715                                     "non-ERP present on channel %d "
1716                                     "(saw erp 0x%x from channel %d), "
1717                                     "enable use of protection",
1718                                     ic->ic_curchan->ic_ieee,
1719                                     scan.erp, scan.chan);
1720                                 ic->ic_flags |= IEEE80211_F_USEPROT;
1721                                 ieee80211_notify_erp(ic);
1722                         }
1723                 }
1724                 /* 
1725                  * Check beacon for non-HT station on HT channel
1726                  * and update HT BSS occupancy as appropriate.
1727                  */
1728                 if (IEEE80211_IS_CHAN_HT(ic->ic_curchan)) {
1729                         if (scan.status & IEEE80211_BPARSE_OFFCHAN) {
1730                                 /*
1731                                  * Off control channel; only check frames
1732                                  * that come in the extension channel when
1733                                  * operating w/ HT40.
1734                                  */
1735                                 if (!IEEE80211_IS_CHAN_HT40(ic->ic_curchan))
1736                                         break;
1737                                 if (scan.chan != ic->ic_curchan->ic_extieee)
1738                                         break;
1739                         }
1740                         if (scan.htinfo == NULL) {
1741                                 ieee80211_htprot_update(ic,
1742                                     IEEE80211_HTINFO_OPMODE_PROTOPT |
1743                                     IEEE80211_HTINFO_NONHT_PRESENT);
1744                         } else if (ishtmixed(scan.htinfo)) {
1745                                 /* XXX? take NONHT_PRESENT from beacon? */
1746                                 ieee80211_htprot_update(ic,
1747                                     IEEE80211_HTINFO_OPMODE_MIXED |
1748                                     IEEE80211_HTINFO_NONHT_PRESENT);
1749                         }
1750                 }
1751                 break;
1752         }
1753
1754         case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
1755                 if (vap->iv_state != IEEE80211_S_RUN) {
1756                         vap->iv_stats.is_rx_mgtdiscard++;
1757                         return;
1758                 }
1759                 /*
1760                  * prreq frame format
1761                  *      [tlv] ssid
1762                  *      [tlv] supported rates
1763                  *      [tlv] extended supported rates
1764                  */
1765                 ssid = rates = xrates = NULL;
1766                 sfrm = frm;
1767                 while (efrm - frm > 1) {
1768                         IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
1769                         switch (*frm) {
1770                         case IEEE80211_ELEMID_SSID:
1771                                 ssid = frm;
1772                                 break;
1773                         case IEEE80211_ELEMID_RATES:
1774                                 rates = frm;
1775                                 break;
1776                         case IEEE80211_ELEMID_XRATES:
1777                                 xrates = frm;
1778                                 break;
1779                         }
1780                         frm += frm[1] + 2;
1781                 }
1782                 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return);
1783                 if (xrates != NULL)
1784                         IEEE80211_VERIFY_ELEMENT(xrates,
1785                                 IEEE80211_RATE_MAXSIZE - rates[1], return);
1786                 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return);
1787                 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return);
1788                 if ((vap->iv_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) {
1789                         IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
1790                             wh, NULL,
1791                             "%s", "no ssid with ssid suppression enabled");
1792                         vap->iv_stats.is_rx_ssidmismatch++; /*XXX*/
1793                         return;
1794                 }
1795
1796                 /* XXX find a better class or define it's own */
1797                 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_INPUT, wh->i_addr2,
1798                     "%s", "recv probe req");
1799                 /*
1800                  * Some legacy 11b clients cannot hack a complete
1801                  * probe response frame.  When the request includes
1802                  * only a bare-bones rate set, communicate this to
1803                  * the transmit side.
1804                  */
1805                 ieee80211_send_proberesp(vap, wh->i_addr2,
1806                     is11bclient(rates, xrates) ? IEEE80211_SEND_LEGACY_11B : 0);
1807                 break;
1808
1809         case IEEE80211_FC0_SUBTYPE_AUTH: {
1810                 uint16_t algo, seq, status;
1811
1812                 if (vap->iv_state != IEEE80211_S_RUN) {
1813                         vap->iv_stats.is_rx_mgtdiscard++;
1814                         return;
1815                 }
1816                 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) {
1817                         IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1818                             wh, NULL, "%s", "wrong bssid");
1819                         vap->iv_stats.is_rx_wrongbss++; /*XXX unique stat?*/
1820                         return;
1821                 }
1822                 /*
1823                  * auth frame format
1824                  *      [2] algorithm
1825                  *      [2] sequence
1826                  *      [2] status
1827                  *      [tlv*] challenge
1828                  */
1829                 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return);
1830                 algo   = le16toh(*(uint16_t *)frm);
1831                 seq    = le16toh(*(uint16_t *)(frm + 2));
1832                 status = le16toh(*(uint16_t *)(frm + 4));
1833                 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr2,
1834                     "recv auth frame with algorithm %d seq %d", algo, seq);
1835                 /*
1836                  * Consult the ACL policy module if setup.
1837                  */
1838                 if (vap->iv_acl != NULL &&
1839                     !vap->iv_acl->iac_check(vap, wh->i_addr2)) {
1840                         IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL,
1841                             wh, NULL, "%s", "disallowed by ACL");
1842                         vap->iv_stats.is_rx_acl++;
1843                         ieee80211_send_error(ni, wh->i_addr2,
1844                             IEEE80211_FC0_SUBTYPE_AUTH,
1845                             (seq+1) | (IEEE80211_STATUS_UNSPECIFIED<<16));
1846                         return;
1847                 }
1848                 if (vap->iv_flags & IEEE80211_F_COUNTERM) {
1849                         IEEE80211_DISCARD(vap,
1850                             IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO,
1851                             wh, NULL, "%s", "TKIP countermeasures enabled");
1852                         vap->iv_stats.is_rx_auth_countermeasures++;
1853                         ieee80211_send_error(ni, wh->i_addr2,
1854                                 IEEE80211_FC0_SUBTYPE_AUTH,
1855                                 IEEE80211_REASON_MIC_FAILURE);
1856                         return;
1857                 }
1858                 if (algo == IEEE80211_AUTH_ALG_SHARED)
1859                         hostap_auth_shared(ni, wh, frm + 6, efrm, rssi,
1860                             noise, rstamp, seq, status);
1861                 else if (algo == IEEE80211_AUTH_ALG_OPEN)
1862                         hostap_auth_open(ni, wh, rssi, noise, rstamp,
1863                             seq, status);
1864                 else if (algo == IEEE80211_AUTH_ALG_LEAP) {
1865                         authalgreject(ni, wh, algo,
1866                             seq+1, IEEE80211_STATUS_ALG);
1867                         return;
1868                 } else {
1869                         /*
1870                          * We assume that an unknown algorithm is the result
1871                          * of a decryption failure on a shared key auth frame;
1872                          * return a status code appropriate for that instead
1873                          * of IEEE80211_STATUS_ALG.
1874                          *
1875                          * NB: a seq# of 4 is intentional; the decrypted
1876                          *     frame likely has a bogus seq value.
1877                          */
1878                         authalgreject(ni, wh, algo,
1879                             4, IEEE80211_STATUS_CHALLENGE);
1880                         return;
1881                 } 
1882                 break;
1883         }
1884
1885         case IEEE80211_FC0_SUBTYPE_ASSOC_REQ:
1886         case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: {
1887                 uint16_t capinfo, lintval;
1888                 struct ieee80211_rsnparms rsnparms;
1889
1890                 if (vap->iv_state != IEEE80211_S_RUN) {
1891                         vap->iv_stats.is_rx_mgtdiscard++;
1892                         return;
1893                 }
1894                 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) {
1895                         IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1896                             wh, NULL, "%s", "wrong bssid");
1897                         vap->iv_stats.is_rx_assoc_bss++;
1898                         return;
1899                 }
1900                 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) {
1901                         reassoc = 1;
1902                         resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP;
1903                 } else {
1904                         reassoc = 0;
1905                         resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP;
1906                 }
1907                 if (ni == vap->iv_bss) {
1908                         IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2,
1909                             "deny %s request, sta not authenticated",
1910                             reassoc ? "reassoc" : "assoc");
1911                         ieee80211_send_error(ni, wh->i_addr2,
1912                             IEEE80211_FC0_SUBTYPE_DEAUTH,
1913                             IEEE80211_REASON_ASSOC_NOT_AUTHED);
1914                         vap->iv_stats.is_rx_assoc_notauth++;
1915                         return;
1916                 }
1917
1918                 /*
1919                  * asreq frame format
1920                  *      [2] capability information
1921                  *      [2] listen interval
1922                  *      [6*] current AP address (reassoc only)
1923                  *      [tlv] ssid
1924                  *      [tlv] supported rates
1925                  *      [tlv] extended supported rates
1926                  *      [tlv] WPA or RSN
1927                  *      [tlv] HT capabilities
1928                  *      [tlv] Atheros capabilities
1929                  */
1930                 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4), return);
1931                 capinfo = le16toh(*(uint16_t *)frm);    frm += 2;
1932                 lintval = le16toh(*(uint16_t *)frm);    frm += 2;
1933                 if (reassoc)
1934                         frm += 6;       /* ignore current AP info */
1935                 ssid = rates = xrates = wpa = rsn = wme = ath = htcap = NULL;
1936                 sfrm = frm;
1937                 while (efrm - frm > 1) {
1938                         IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
1939                         switch (*frm) {
1940                         case IEEE80211_ELEMID_SSID:
1941                                 ssid = frm;
1942                                 break;
1943                         case IEEE80211_ELEMID_RATES:
1944                                 rates = frm;
1945                                 break;
1946                         case IEEE80211_ELEMID_XRATES:
1947                                 xrates = frm;
1948                                 break;
1949                         case IEEE80211_ELEMID_RSN:
1950                                 rsn = frm;
1951                                 break;
1952                         case IEEE80211_ELEMID_HTCAP:
1953                                 htcap = frm;
1954                                 break;
1955                         case IEEE80211_ELEMID_VENDOR:
1956                                 if (iswpaoui(frm))
1957                                         wpa = frm;
1958                                 else if (iswmeinfo(frm))
1959                                         wme = frm;
1960                                 else if (isatherosoui(frm))
1961                                         ath = frm;
1962                                 else if (vap->iv_flags_ext & IEEE80211_FEXT_HTCOMPAT) {
1963                                         if (ishtcapoui(frm) && htcap == NULL)
1964                                                 htcap = frm;
1965                                 }
1966                                 break;
1967                         }
1968                         frm += frm[1] + 2;
1969                 }
1970                 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return);
1971                 if (xrates != NULL)
1972                         IEEE80211_VERIFY_ELEMENT(xrates,
1973                                 IEEE80211_RATE_MAXSIZE - rates[1], return);
1974                 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return);
1975                 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return);
1976                 if (htcap != NULL) {
1977                         IEEE80211_VERIFY_LENGTH(htcap[1],
1978                              htcap[0] == IEEE80211_ELEMID_VENDOR ?
1979                                  4 + sizeof(struct ieee80211_ie_htcap)-2 :
1980                                  sizeof(struct ieee80211_ie_htcap)-2,
1981                              return);           /* XXX just NULL out? */
1982                 }
1983
1984                 if ((vap->iv_flags & IEEE80211_F_WPA) &&
1985                     !wpa_assocreq(ni, &rsnparms, wh, wpa, rsn, capinfo))
1986                         return;
1987                 /* discard challenge after association */
1988                 if (ni->ni_challenge != NULL) {
1989                         FREE(ni->ni_challenge, M_80211_NODE);
1990                         ni->ni_challenge = NULL;
1991                 }
1992                 /* NB: 802.11 spec says to ignore station's privacy bit */
1993                 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) {
1994                         capinfomismatch(ni, wh, reassoc, resp,
1995                             "capability", capinfo);
1996                         return;
1997                 }
1998                 /*
1999                  * Disallow re-associate w/ invalid slot time setting.
2000                  */
2001                 if (ni->ni_associd != 0 &&
2002                     IEEE80211_IS_CHAN_ANYG(ic->ic_bsschan) &&
2003                     ((ni->ni_capinfo ^ capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME)) {
2004                         capinfomismatch(ni, wh, reassoc, resp,
2005                             "slot time", capinfo);
2006                         return;
2007                 }
2008                 rate = ieee80211_setup_rates(ni, rates, xrates,
2009                                 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE |
2010                                 IEEE80211_F_DONEGO | IEEE80211_F_DODEL);
2011                 if (rate & IEEE80211_RATE_BASIC) {
2012                         ratesetmismatch(ni, wh, reassoc, resp, "legacy", rate);
2013                         vap->iv_stats.is_rx_assoc_norate++;
2014                         return;
2015                 }
2016                 /*
2017                  * If constrained to 11g-only stations reject an
2018                  * 11b-only station.  We cheat a bit here by looking
2019                  * at the max negotiated xmit rate and assuming anyone
2020                  * with a best rate <24Mb/s is an 11b station.
2021                  */
2022                 if ((vap->iv_flags & IEEE80211_F_PUREG) && rate < 48) {
2023                         ratesetmismatch(ni, wh, reassoc, resp, "11g", rate);
2024                         vap->iv_stats.is_rx_assoc_norate++;
2025                         return;
2026                 }
2027                 /*
2028                  * Do HT rate set handling and setup HT node state.
2029                  */
2030                 ni->ni_chan = vap->iv_bss->ni_chan;
2031                 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) {
2032                         rate = ieee80211_setup_htrates(ni, htcap,
2033                                 IEEE80211_F_DOFMCS | IEEE80211_F_DONEGO |
2034                                 IEEE80211_F_DOBRS);
2035                         if (rate & IEEE80211_RATE_BASIC) {
2036                                 ratesetmismatch(ni, wh, reassoc, resp,
2037                                     "HT", rate);
2038                                 vap->iv_stats.is_ht_assoc_norate++;
2039                                 return;
2040                         }
2041                         ieee80211_ht_node_init(ni, htcap);
2042                 } else if (ni->ni_flags & IEEE80211_NODE_HT)
2043                         ieee80211_ht_node_cleanup(ni);
2044                 /*
2045                  * Allow AMPDU operation only with unencrypted traffic
2046                  * or AES-CCM; the 11n spec only specifies these ciphers
2047                  * so permitting any others is undefined and can lead
2048                  * to interoperability problems.
2049                  */
2050                 if ((ni->ni_flags & IEEE80211_NODE_HT) &&
2051                     (((vap->iv_flags & IEEE80211_F_WPA) &&
2052                       rsnparms.rsn_ucastcipher != IEEE80211_CIPHER_AES_CCM) ||
2053                      (vap->iv_flags & (IEEE80211_F_WPA|IEEE80211_F_PRIVACY)) == IEEE80211_F_PRIVACY)) {
2054                         IEEE80211_NOTE(vap,
2055                             IEEE80211_MSG_ASSOC | IEEE80211_MSG_11N, ni,
2056                             "disallow HT use because WEP or TKIP requested, "
2057                             "capinfo 0x%x ucastcipher %d", capinfo,
2058                             rsnparms.rsn_ucastcipher);
2059                         ieee80211_ht_node_cleanup(ni);
2060                         vap->iv_stats.is_ht_assoc_downgrade++;
2061                 }
2062                 /*
2063                  * If constrained to 11n-only stations reject legacy stations.
2064                  */
2065                 if ((vap->iv_flags_ext & IEEE80211_FEXT_PUREN) &&
2066                     (ni->ni_flags & IEEE80211_NODE_HT) == 0) {
2067                         htcapmismatch(ni, wh, reassoc, resp);
2068                         vap->iv_stats.is_ht_assoc_nohtcap++;
2069                         return;
2070                 }
2071                 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
2072                 ni->ni_noise = noise;
2073                 ni->ni_rstamp = rstamp;
2074                 ni->ni_intval = lintval;
2075                 ni->ni_capinfo = capinfo;
2076                 ni->ni_fhdwell = vap->iv_bss->ni_fhdwell;
2077                 ni->ni_fhindex = vap->iv_bss->ni_fhindex;
2078                 /*
2079                  * Store the IEs.
2080                  * XXX maybe better to just expand
2081                  */
2082                 if (ieee80211_ies_init(&ni->ni_ies, sfrm, efrm - sfrm)) {
2083 #define setie(_ie, _off)        ieee80211_ies_setie(ni->ni_ies, _ie, _off)
2084                         if (wpa != NULL)
2085                                 setie(wpa_ie, wpa - sfrm);
2086                         if (rsn != NULL)
2087                                 setie(rsn_ie, rsn - sfrm);
2088                         if (htcap != NULL)
2089                                 setie(htcap_ie, htcap - sfrm);
2090                         if (wme != NULL) {
2091                                 setie(wme_ie, wme - sfrm);
2092                                 /*
2093                                  * Mark node as capable of QoS.
2094                                  */
2095                                 ni->ni_flags |= IEEE80211_NODE_QOS;
2096                         } else
2097                                 ni->ni_flags &= ~IEEE80211_NODE_QOS;
2098                         if (ath != NULL) {
2099                                 setie(ath_ie, ath - sfrm);
2100                                 /* 
2101                                  * Parse ATH station parameters.
2102                                  */
2103                                 ieee80211_parse_ath(ni, ni->ni_ies.ath_ie);
2104                         } else
2105                                 ni->ni_ath_flags = 0;
2106 #undef setie
2107                 } else {
2108                         ni->ni_flags &= ~IEEE80211_NODE_QOS;
2109                         ni->ni_ath_flags = 0;
2110                 }
2111                 ieee80211_node_join(ni, resp);
2112                 ieee80211_deliver_l2uf(ni);
2113                 break;
2114         }
2115
2116         case IEEE80211_FC0_SUBTYPE_DEAUTH:
2117         case IEEE80211_FC0_SUBTYPE_DISASSOC: {
2118                 uint16_t reason;
2119
2120                 if (vap->iv_state != IEEE80211_S_RUN ||
2121                     /* NB: can happen when in promiscuous mode */
2122                     !IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) {
2123                         vap->iv_stats.is_rx_mgtdiscard++;
2124                         break;
2125                 }
2126                 /*
2127                  * deauth/disassoc frame format
2128                  *      [2] reason
2129                  */
2130                 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return);
2131                 reason = le16toh(*(uint16_t *)frm);
2132                 if (subtype == IEEE80211_FC0_SUBTYPE_DEAUTH) {
2133                         vap->iv_stats.is_rx_deauth++;
2134                         IEEE80211_NODE_STAT(ni, rx_deauth);
2135                 } else {
2136                         vap->iv_stats.is_rx_disassoc++;
2137                         IEEE80211_NODE_STAT(ni, rx_disassoc);
2138                 }
2139                 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni,
2140                     "recv %s (reason %d)", ieee80211_mgt_subtype_name[subtype >>
2141                         IEEE80211_FC0_SUBTYPE_SHIFT], reason);
2142                 if (ni != vap->iv_bss)
2143                         ieee80211_node_leave(ni);
2144                 break;
2145         }
2146
2147         case IEEE80211_FC0_SUBTYPE_ACTION:
2148                 if (vap->iv_state == IEEE80211_S_RUN) {
2149                         if (ieee80211_parse_action(ni, m0) == 0)
2150                                 ic->ic_recv_action(ni, frm, efrm);
2151                 } else
2152                         vap->iv_stats.is_rx_mgtdiscard++;
2153                 break;
2154
2155         case IEEE80211_FC0_SUBTYPE_ASSOC_RESP:
2156         case IEEE80211_FC0_SUBTYPE_REASSOC_RESP:
2157         default:
2158                 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
2159                      wh, "mgt", "subtype 0x%x not handled", subtype);
2160                 vap->iv_stats.is_rx_badsubtype++;
2161                 break;
2162         }
2163 }
2164
2165 /*
2166  * Process a received ps-poll frame.
2167  */
2168 static void
2169 hostap_recv_pspoll(struct ieee80211_node *ni, struct mbuf *m0)
2170 {
2171         struct ieee80211vap *vap = ni->ni_vap;
2172         struct ieee80211_frame_min *wh;
2173         struct ifnet *ifp = vap->iv_ifp;
2174         struct mbuf *m;
2175         uint16_t aid;
2176         int qlen;
2177
2178         wh = mtod(m0, struct ieee80211_frame_min *);
2179         if (ni->ni_associd == 0) {
2180                 IEEE80211_DISCARD(vap,
2181                     IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG,
2182                     (struct ieee80211_frame *) wh, NULL,
2183                     "%s", "unassociated station");
2184                 vap->iv_stats.is_ps_unassoc++;
2185                 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DEAUTH,
2186                         IEEE80211_REASON_NOT_ASSOCED);
2187                 return;
2188         }
2189
2190         aid = le16toh(*(uint16_t *)wh->i_dur);
2191         if (aid != ni->ni_associd) {
2192                 IEEE80211_DISCARD(vap,
2193                     IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG,
2194                     (struct ieee80211_frame *) wh, NULL,
2195                     "aid mismatch: sta aid 0x%x poll aid 0x%x",
2196                     ni->ni_associd, aid);
2197                 vap->iv_stats.is_ps_badaid++;
2198                 /*
2199                  * NB: We used to deauth the station but it turns out
2200                  * the Blackberry Curve 8230 (and perhaps other devices) 
2201                  * sometimes send the wrong AID when WME is negotiated.
2202                  * Being more lenient here seems ok as we already check
2203                  * the station is associated and we only return frames
2204                  * queued for the station (i.e. we don't use the AID).
2205                  */
2206                 return;
2207         }
2208
2209         /* Okay, take the first queued packet and put it out... */
2210         IEEE80211_NODE_SAVEQ_DEQUEUE(ni, m, qlen);
2211         if (m == NULL) {
2212                 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_POWER, wh->i_addr2,
2213                     "%s", "recv ps-poll, but queue empty");
2214                 ieee80211_send_nulldata(ieee80211_ref_node(ni));
2215                 vap->iv_stats.is_ps_qempty++;   /* XXX node stat */
2216                 if (vap->iv_set_tim != NULL)
2217                         vap->iv_set_tim(ni, 0); /* just in case */
2218                 return;
2219         }
2220         /* 
2221          * If there are more packets, set the more packets bit
2222          * in the packet dispatched to the station; otherwise
2223          * turn off the TIM bit.
2224          */
2225         if (qlen != 0) {
2226                 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni,
2227                     "recv ps-poll, send packet, %u still queued", qlen);
2228                 m->m_flags |= M_MORE_DATA;
2229         } else {
2230                 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni,
2231                     "%s", "recv ps-poll, send packet, queue empty");
2232                 if (vap->iv_set_tim != NULL)
2233                         vap->iv_set_tim(ni, 0);
2234         }
2235         m->m_flags |= M_PWR_SAV;                /* bypass PS handling */
2236         IF_ENQUEUE(&ifp->if_snd, m);
2237         if_start(ifp);
2238 }
Unnamed repository; edit this file 'description' to name the repository.