]> CyberLeo.Net >> Repos - FreeBSD/FreeBSD.git/blob - sys/net80211/ieee80211_hostap.c
projects / FreeBSD / FreeBSD.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Add m_clrprotoflags() to clear protocol specific mbuf flags at up and
[FreeBSD/FreeBSD.git] / sys / net80211 / ieee80211_hostap.c
1 /*-
2  * Copyright (c) 2007-2008 Sam Leffler, Errno Consulting
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  *
14  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24  */
25
26 #include <sys/cdefs.h>
27 #ifdef __FreeBSD__
28 __FBSDID("$FreeBSD$");
29 #endif
30
31 /*
32  * IEEE 802.11 HOSTAP mode support.
33  */
34 #include "opt_inet.h"
35 #include "opt_wlan.h"
36
37 #include <sys/param.h>
38 #include <sys/systm.h> 
39 #include <sys/mbuf.h>   
40 #include <sys/malloc.h>
41 #include <sys/kernel.h>
42
43 #include <sys/socket.h>
44 #include <sys/sockio.h>
45 #include <sys/endian.h>
46 #include <sys/errno.h>
47 #include <sys/proc.h>
48 #include <sys/sysctl.h>
49
50 #include <net/if.h>
51 #include <net/if_media.h>
52 #include <net/if_llc.h>
53 #include <net/ethernet.h>
54
55 #include <net/bpf.h>
56
57 #include <net80211/ieee80211_var.h>
58 #include <net80211/ieee80211_hostap.h>
59 #include <net80211/ieee80211_input.h>
60 #ifdef IEEE80211_SUPPORT_SUPERG
61 #include <net80211/ieee80211_superg.h>
62 #endif
63 #include <net80211/ieee80211_wds.h>
64
65 #define IEEE80211_RATE2MBS(r)   (((r) & IEEE80211_RATE_VAL) / 2)
66
67 static  void hostap_vattach(struct ieee80211vap *);
68 static  int hostap_newstate(struct ieee80211vap *, enum ieee80211_state, int);
69 static  int hostap_input(struct ieee80211_node *ni, struct mbuf *m,
70             int rssi, int nf);
71 static void hostap_deliver_data(struct ieee80211vap *,
72             struct ieee80211_node *, struct mbuf *);
73 static void hostap_recv_mgmt(struct ieee80211_node *, struct mbuf *,
74             int subtype, int rssi, int nf);
75 static void hostap_recv_ctl(struct ieee80211_node *, struct mbuf *, int);
76
77 void
78 ieee80211_hostap_attach(struct ieee80211com *ic)
79 {
80         ic->ic_vattach[IEEE80211_M_HOSTAP] = hostap_vattach;
81 }
82
83 void
84 ieee80211_hostap_detach(struct ieee80211com *ic)
85 {
86 }
87
88 static void
89 hostap_vdetach(struct ieee80211vap *vap)
90 {
91 }
92
93 static void
94 hostap_vattach(struct ieee80211vap *vap)
95 {
96         vap->iv_newstate = hostap_newstate;
97         vap->iv_input = hostap_input;
98         vap->iv_recv_mgmt = hostap_recv_mgmt;
99         vap->iv_recv_ctl = hostap_recv_ctl;
100         vap->iv_opdetach = hostap_vdetach;
101         vap->iv_deliver_data = hostap_deliver_data;
102         vap->iv_recv_pspoll = ieee80211_recv_pspoll;
103 }
104
105 static void
106 sta_disassoc(void *arg, struct ieee80211_node *ni)
107 {
108         struct ieee80211vap *vap = arg;
109
110         if (ni->ni_vap == vap && ni->ni_associd != 0) {
111                 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DISASSOC,
112                         IEEE80211_REASON_ASSOC_LEAVE);
113                 ieee80211_node_leave(ni);
114         }
115 }
116
117 static void
118 sta_csa(void *arg, struct ieee80211_node *ni)
119 {
120         struct ieee80211vap *vap = arg;
121
122         if (ni->ni_vap == vap && ni->ni_associd != 0)
123                 if (ni->ni_inact > vap->iv_inact_init) {
124                         ni->ni_inact = vap->iv_inact_init;
125                         IEEE80211_NOTE(vap, IEEE80211_MSG_INACT, ni,
126                             "%s: inact %u", __func__, ni->ni_inact);
127                 }
128 }
129
130 static void
131 sta_drop(void *arg, struct ieee80211_node *ni)
132 {
133         struct ieee80211vap *vap = arg;
134
135         if (ni->ni_vap == vap && ni->ni_associd != 0)
136                 ieee80211_node_leave(ni);
137 }
138
139 /*
140  * Does a channel change require associated stations to re-associate
141  * so protocol state is correct.  This is used when doing CSA across
142  * bands or similar (e.g. HT -> legacy).
143  */
144 static int
145 isbandchange(struct ieee80211com *ic)
146 {
147         return ((ic->ic_bsschan->ic_flags ^ ic->ic_csa_newchan->ic_flags) &
148             (IEEE80211_CHAN_2GHZ | IEEE80211_CHAN_5GHZ | IEEE80211_CHAN_HALF |
149              IEEE80211_CHAN_QUARTER | IEEE80211_CHAN_HT)) != 0;
150 }
151
152 /*
153  * IEEE80211_M_HOSTAP vap state machine handler.
154  */
155 static int
156 hostap_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg)
157 {
158         struct ieee80211com *ic = vap->iv_ic;
159         enum ieee80211_state ostate;
160
161         IEEE80211_LOCK_ASSERT(ic);
162
163         ostate = vap->iv_state;
164         IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n",
165             __func__, ieee80211_state_name[ostate],
166             ieee80211_state_name[nstate], arg);
167         vap->iv_state = nstate;                 /* state transition */
168         if (ostate != IEEE80211_S_SCAN)
169                 ieee80211_cancel_scan(vap);     /* background scan */
170         switch (nstate) {
171         case IEEE80211_S_INIT:
172                 switch (ostate) {
173                 case IEEE80211_S_SCAN:
174                         ieee80211_cancel_scan(vap);
175                         break;
176                 case IEEE80211_S_CAC:
177                         ieee80211_dfs_cac_stop(vap);
178                         break;
179                 case IEEE80211_S_RUN:
180                         ieee80211_iterate_nodes(&ic->ic_sta, sta_disassoc, vap);
181                         break;
182                 default:
183                         break;
184                 }
185                 if (ostate != IEEE80211_S_INIT) {
186                         /* NB: optimize INIT -> INIT case */
187                         ieee80211_reset_bss(vap);
188                 }
189                 if (vap->iv_auth->ia_detach != NULL)
190                         vap->iv_auth->ia_detach(vap);
191                 break;
192         case IEEE80211_S_SCAN:
193                 switch (ostate) {
194                 case IEEE80211_S_CSA:
195                 case IEEE80211_S_RUN:
196                         ieee80211_iterate_nodes(&ic->ic_sta, sta_disassoc, vap);
197                         /*
198                          * Clear overlapping BSS state; the beacon frame
199                          * will be reconstructed on transition to the RUN
200                          * state and the timeout routines check if the flag
201                          * is set before doing anything so this is sufficient.
202                          */
203                         ic->ic_flags_ext &= ~IEEE80211_FEXT_NONERP_PR;
204                         ic->ic_flags_ht &= ~IEEE80211_FHT_NONHT_PR;
205                         /* fall thru... */
206                 case IEEE80211_S_CAC:
207                         /*
208                          * NB: We may get here because of a manual channel
209                          *     change in which case we need to stop CAC
210                          * XXX no need to stop if ostate RUN but it's ok
211                          */
212                         ieee80211_dfs_cac_stop(vap);
213                         /* fall thru... */
214                 case IEEE80211_S_INIT:
215                         if (vap->iv_des_chan != IEEE80211_CHAN_ANYC &&
216                             !IEEE80211_IS_CHAN_RADAR(vap->iv_des_chan)) {
217                                 /*
218                                  * Already have a channel; bypass the
219                                  * scan and startup immediately.  
220                                  * ieee80211_create_ibss will call back to
221                                  * move us to RUN state.
222                                  */
223                                 ieee80211_create_ibss(vap, vap->iv_des_chan);
224                                 break;
225                         }
226                         /*
227                          * Initiate a scan.  We can come here as a result
228                          * of an IEEE80211_IOC_SCAN_REQ too in which case
229                          * the vap will be marked with IEEE80211_FEXT_SCANREQ
230                          * and the scan request parameters will be present
231                          * in iv_scanreq.  Otherwise we do the default.
232                          */
233                         if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) {
234                                 ieee80211_check_scan(vap,
235                                     vap->iv_scanreq_flags,
236                                     vap->iv_scanreq_duration,
237                                     vap->iv_scanreq_mindwell,
238                                     vap->iv_scanreq_maxdwell,
239                                     vap->iv_scanreq_nssid, vap->iv_scanreq_ssid);
240                                 vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ;
241                         } else
242                                 ieee80211_check_scan_current(vap);
243                         break;
244                 case IEEE80211_S_SCAN:
245                         /*
246                          * A state change requires a reset; scan.
247                          */
248                         ieee80211_check_scan_current(vap);
249                         break;
250                 default:
251                         break;
252                 }
253                 break;
254         case IEEE80211_S_CAC:
255                 /*
256                  * Start CAC on a DFS channel.  We come here when starting
257                  * a bss on a DFS channel (see ieee80211_create_ibss).
258                  */
259                 ieee80211_dfs_cac_start(vap);
260                 break;
261         case IEEE80211_S_RUN:
262                 if (vap->iv_flags & IEEE80211_F_WPA) {
263                         /* XXX validate prerequisites */
264                 }
265                 switch (ostate) {
266                 case IEEE80211_S_INIT:
267                         /*
268                          * Already have a channel; bypass the
269                          * scan and startup immediately.
270                          * Note that ieee80211_create_ibss will call
271                          * back to do a RUN->RUN state change.
272                          */
273                         ieee80211_create_ibss(vap,
274                             ieee80211_ht_adjust_channel(ic,
275                                 ic->ic_curchan, vap->iv_flags_ht));
276                         /* NB: iv_bss is changed on return */
277                         break;
278                 case IEEE80211_S_CAC:
279                         /*
280                          * NB: This is the normal state change when CAC
281                          * expires and no radar was detected; no need to
282                          * clear the CAC timer as it's already expired.
283                          */
284                         /* fall thru... */
285                 case IEEE80211_S_CSA:
286                         /*
287                          * Shorten inactivity timer of associated stations
288                          * to weed out sta's that don't follow a CSA.
289                          */
290                         ieee80211_iterate_nodes(&ic->ic_sta, sta_csa, vap);
291                         /*
292                          * Update bss node channel to reflect where
293                          * we landed after CSA.
294                          */
295                         ieee80211_node_set_chan(vap->iv_bss,
296                             ieee80211_ht_adjust_channel(ic, ic->ic_curchan,
297                                 ieee80211_htchanflags(vap->iv_bss->ni_chan)));
298                         /* XXX bypass debug msgs */
299                         break;
300                 case IEEE80211_S_SCAN:
301                 case IEEE80211_S_RUN:
302 #ifdef IEEE80211_DEBUG
303                         if (ieee80211_msg_debug(vap)) {
304                                 struct ieee80211_node *ni = vap->iv_bss;
305                                 ieee80211_note(vap,
306                                     "synchronized with %s ssid ",
307                                     ether_sprintf(ni->ni_bssid));
308                                 ieee80211_print_essid(ni->ni_essid,
309                                     ni->ni_esslen);
310                                 /* XXX MCS/HT */
311                                 printf(" channel %d start %uMb\n",
312                                     ieee80211_chan2ieee(ic, ic->ic_curchan),
313                                     IEEE80211_RATE2MBS(ni->ni_txrate));
314                         }
315 #endif
316                         break;
317                 default:
318                         break;
319                 }
320                 /*
321                  * Start/stop the authenticator.  We delay until here
322                  * to allow configuration to happen out of order.
323                  */
324                 if (vap->iv_auth->ia_attach != NULL) {
325                         /* XXX check failure */
326                         vap->iv_auth->ia_attach(vap);
327                 } else if (vap->iv_auth->ia_detach != NULL) {
328                         vap->iv_auth->ia_detach(vap);
329                 }
330                 ieee80211_node_authorize(vap->iv_bss);
331                 break;
332         case IEEE80211_S_CSA:
333                 if (ostate == IEEE80211_S_RUN && isbandchange(ic)) {
334                         /*
335                          * On a ``band change'' silently drop associated
336                          * stations as they must re-associate before they
337                          * can pass traffic (as otherwise protocol state
338                          * such as capabilities and the negotiated rate
339                          * set may/will be wrong).
340                          */
341                         ieee80211_iterate_nodes(&ic->ic_sta, sta_drop, vap);
342                 }
343                 break;
344         default:
345                 break;
346         }
347         return 0;
348 }
349
350 static void
351 hostap_deliver_data(struct ieee80211vap *vap,
352         struct ieee80211_node *ni, struct mbuf *m)
353 {
354         struct ether_header *eh = mtod(m, struct ether_header *);
355         struct ifnet *ifp = vap->iv_ifp;
356
357         /* clear driver/net80211 flags before passing up */
358         m->m_flags &= ~(M_MCAST | M_BCAST);
359         m_clrprotoflags(m);
360
361         KASSERT(vap->iv_opmode == IEEE80211_M_HOSTAP,
362             ("gack, opmode %d", vap->iv_opmode));
363         /*
364          * Do accounting.
365          */
366         ifp->if_ipackets++;
367         IEEE80211_NODE_STAT(ni, rx_data);
368         IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len);
369         if (ETHER_IS_MULTICAST(eh->ether_dhost)) {
370                 m->m_flags |= M_MCAST;          /* XXX M_BCAST? */
371                 IEEE80211_NODE_STAT(ni, rx_mcast);
372         } else
373                 IEEE80211_NODE_STAT(ni, rx_ucast);
374
375         /* perform as a bridge within the AP */
376         if ((vap->iv_flags & IEEE80211_F_NOBRIDGE) == 0) {
377                 struct mbuf *mcopy = NULL;
378
379                 if (m->m_flags & M_MCAST) {
380                         mcopy = m_dup(m, M_NOWAIT);
381                         if (mcopy == NULL)
382                                 ifp->if_oerrors++;
383                         else
384                                 mcopy->m_flags |= M_MCAST;
385                 } else {
386                         /*
387                          * Check if the destination is associated with the
388                          * same vap and authorized to receive traffic.
389                          * Beware of traffic destined for the vap itself;
390                          * sending it will not work; just let it be delivered
391                          * normally.
392                          */
393                         struct ieee80211_node *sta = ieee80211_find_vap_node(
394                              &vap->iv_ic->ic_sta, vap, eh->ether_dhost);
395                         if (sta != NULL) {
396                                 if (ieee80211_node_is_authorized(sta)) {
397                                         /*
398                                          * Beware of sending to ourself; this
399                                          * needs to happen via the normal
400                                          * input path.
401                                          */
402                                         if (sta != vap->iv_bss) {
403                                                 mcopy = m;
404                                                 m = NULL;
405                                         }
406                                 } else {
407                                         vap->iv_stats.is_rx_unauth++;
408                                         IEEE80211_NODE_STAT(sta, rx_unauth);
409                                 }
410                                 ieee80211_free_node(sta);
411                         }
412                 }
413                 if (mcopy != NULL) {
414                         int len, err;
415                         len = mcopy->m_pkthdr.len;
416                         err = ieee80211_vap_xmitpkt(vap, mcopy);
417                         if (err) {
418                                 /* NB: IFQ_HANDOFF reclaims mcopy */
419                         } else {
420                                 ifp->if_opackets++;
421                         }
422                 }
423         }
424         if (m != NULL) {
425                 /*
426                  * Mark frame as coming from vap's interface.
427                  */
428                 m->m_pkthdr.rcvif = ifp;
429                 if (m->m_flags & M_MCAST) {
430                         /*
431                          * Spam DWDS vap's w/ multicast traffic.
432                          */
433                         /* XXX only if dwds in use? */
434                         ieee80211_dwds_mcast(vap, m);
435                 }
436                 if (ni->ni_vlan != 0) {
437                         /* attach vlan tag */
438                         m->m_pkthdr.ether_vtag = ni->ni_vlan;
439                         m->m_flags |= M_VLANTAG;
440                 }
441                 ifp->if_input(ifp, m);
442         }
443 }
444
445 /*
446  * Decide if a received management frame should be
447  * printed when debugging is enabled.  This filters some
448  * of the less interesting frames that come frequently
449  * (e.g. beacons).
450  */
451 static __inline int
452 doprint(struct ieee80211vap *vap, int subtype)
453 {
454         switch (subtype) {
455         case IEEE80211_FC0_SUBTYPE_BEACON:
456                 return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN);
457         case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
458                 return 0;
459         }
460         return 1;
461 }
462
463 /*
464  * Process a received frame.  The node associated with the sender
465  * should be supplied.  If nothing was found in the node table then
466  * the caller is assumed to supply a reference to iv_bss instead.
467  * The RSSI and a timestamp are also supplied.  The RSSI data is used
468  * during AP scanning to select a AP to associate with; it can have
469  * any units so long as values have consistent units and higher values
470  * mean ``better signal''.  The receive timestamp is currently not used
471  * by the 802.11 layer.
472  */
473 static int
474 hostap_input(struct ieee80211_node *ni, struct mbuf *m, int rssi, int nf)
475 {
476 #define HAS_SEQ(type)   ((type & 0x4) == 0)
477         struct ieee80211vap *vap = ni->ni_vap;
478         struct ieee80211com *ic = ni->ni_ic;
479         struct ifnet *ifp = vap->iv_ifp;
480         struct ieee80211_frame *wh;
481         struct ieee80211_key *key;
482         struct ether_header *eh;
483         int hdrspace, need_tap = 1;     /* mbuf need to be tapped. */
484         uint8_t dir, type, subtype, qos;
485         uint8_t *bssid;
486         uint16_t rxseq;
487
488         if (m->m_flags & M_AMPDU_MPDU) {
489                 /*
490                  * Fastpath for A-MPDU reorder q resubmission.  Frames
491                  * w/ M_AMPDU_MPDU marked have already passed through
492                  * here but were received out of order and been held on
493                  * the reorder queue.  When resubmitted they are marked
494                  * with the M_AMPDU_MPDU flag and we can bypass most of
495                  * the normal processing.
496                  */
497                 wh = mtod(m, struct ieee80211_frame *);
498                 type = IEEE80211_FC0_TYPE_DATA;
499                 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
500                 subtype = IEEE80211_FC0_SUBTYPE_QOS;
501                 hdrspace = ieee80211_hdrspace(ic, wh);  /* XXX optimize? */
502                 goto resubmit_ampdu;
503         }
504
505         KASSERT(ni != NULL, ("null node"));
506         ni->ni_inact = ni->ni_inact_reload;
507
508         type = -1;                      /* undefined */
509
510         if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) {
511                 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
512                     ni->ni_macaddr, NULL,
513                     "too short (1): len %u", m->m_pkthdr.len);
514                 vap->iv_stats.is_rx_tooshort++;
515                 goto out;
516         }
517         /*
518          * Bit of a cheat here, we use a pointer for a 3-address
519          * frame format but don't reference fields past outside
520          * ieee80211_frame_min w/o first validating the data is
521          * present.
522          */
523         wh = mtod(m, struct ieee80211_frame *);
524
525         if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) !=
526             IEEE80211_FC0_VERSION_0) {
527                 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
528                     ni->ni_macaddr, NULL, "wrong version, fc %02x:%02x",
529                     wh->i_fc[0], wh->i_fc[1]);
530                 vap->iv_stats.is_rx_badversion++;
531                 goto err;
532         }
533
534         dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
535         type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
536         subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
537         if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) {
538                 if (dir != IEEE80211_FC1_DIR_NODS)
539                         bssid = wh->i_addr1;
540                 else if (type == IEEE80211_FC0_TYPE_CTL)
541                         bssid = wh->i_addr1;
542                 else {
543                         if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
544                                 IEEE80211_DISCARD_MAC(vap,
545                                     IEEE80211_MSG_ANY, ni->ni_macaddr,
546                                     NULL, "too short (2): len %u",
547                                     m->m_pkthdr.len);
548                                 vap->iv_stats.is_rx_tooshort++;
549                                 goto out;
550                         }
551                         bssid = wh->i_addr3;
552                 }
553                 /*
554                  * Validate the bssid.
555                  */
556                 if (!(type == IEEE80211_FC0_TYPE_MGT &&
557                       subtype == IEEE80211_FC0_SUBTYPE_BEACON) &&
558                     !IEEE80211_ADDR_EQ(bssid, vap->iv_bss->ni_bssid) &&
559                     !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) {
560                         /* not interested in */
561                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
562                             bssid, NULL, "%s", "not to bss");
563                         vap->iv_stats.is_rx_wrongbss++;
564                         goto out;
565                 }
566
567                 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
568                 ni->ni_noise = nf;
569                 if (HAS_SEQ(type)) {
570                         uint8_t tid = ieee80211_gettid(wh);
571                         if (IEEE80211_QOS_HAS_SEQ(wh) &&
572                             TID_TO_WME_AC(tid) >= WME_AC_VI)
573                                 ic->ic_wme.wme_hipri_traffic++;
574                         rxseq = le16toh(*(uint16_t *)wh->i_seq);
575                         if (! ieee80211_check_rxseq(ni, wh)) {
576                                 /* duplicate, discard */
577                                 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
578                                     bssid, "duplicate",
579                                     "seqno <%u,%u> fragno <%u,%u> tid %u",
580                                     rxseq >> IEEE80211_SEQ_SEQ_SHIFT,
581                                     ni->ni_rxseqs[tid] >>
582                                         IEEE80211_SEQ_SEQ_SHIFT,
583                                     rxseq & IEEE80211_SEQ_FRAG_MASK,
584                                     ni->ni_rxseqs[tid] &
585                                         IEEE80211_SEQ_FRAG_MASK,
586                                     tid);
587                                 vap->iv_stats.is_rx_dup++;
588                                 IEEE80211_NODE_STAT(ni, rx_dup);
589                                 goto out;
590                         }
591                         ni->ni_rxseqs[tid] = rxseq;
592                 }
593         }
594
595         switch (type) {
596         case IEEE80211_FC0_TYPE_DATA:
597                 hdrspace = ieee80211_hdrspace(ic, wh);
598                 if (m->m_len < hdrspace &&
599                     (m = m_pullup(m, hdrspace)) == NULL) {
600                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
601                             ni->ni_macaddr, NULL,
602                             "data too short: expecting %u", hdrspace);
603                         vap->iv_stats.is_rx_tooshort++;
604                         goto out;               /* XXX */
605                 }
606                 if (!(dir == IEEE80211_FC1_DIR_TODS ||
607                      (dir == IEEE80211_FC1_DIR_DSTODS &&
608                       (vap->iv_flags & IEEE80211_F_DWDS)))) {
609                         if (dir != IEEE80211_FC1_DIR_DSTODS) {
610                                 IEEE80211_DISCARD(vap,
611                                     IEEE80211_MSG_INPUT, wh, "data",
612                                     "incorrect dir 0x%x", dir);
613                         } else {
614                                 IEEE80211_DISCARD(vap,
615                                     IEEE80211_MSG_INPUT |
616                                     IEEE80211_MSG_WDS, wh,
617                                     "4-address data",
618                                     "%s", "DWDS not enabled");
619                         }
620                         vap->iv_stats.is_rx_wrongdir++;
621                         goto out;
622                 }
623                 /* check if source STA is associated */
624                 if (ni == vap->iv_bss) {
625                         IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
626                             wh, "data", "%s", "unknown src");
627                         ieee80211_send_error(ni, wh->i_addr2,
628                             IEEE80211_FC0_SUBTYPE_DEAUTH,
629                             IEEE80211_REASON_NOT_AUTHED);
630                         vap->iv_stats.is_rx_notassoc++;
631                         goto err;
632                 }
633                 if (ni->ni_associd == 0) {
634                         IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
635                             wh, "data", "%s", "unassoc src");
636                         IEEE80211_SEND_MGMT(ni,
637                             IEEE80211_FC0_SUBTYPE_DISASSOC,
638                             IEEE80211_REASON_NOT_ASSOCED);
639                         vap->iv_stats.is_rx_notassoc++;
640                         goto err;
641                 }
642
643                 /*
644                  * Check for power save state change.
645                  * XXX out-of-order A-MPDU frames?
646                  */
647                 if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^
648                     (ni->ni_flags & IEEE80211_NODE_PWR_MGT)))
649                         vap->iv_node_ps(ni,
650                                 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT);
651                 /*
652                  * For 4-address packets handle WDS discovery
653                  * notifications.  Once a WDS link is setup frames
654                  * are just delivered to the WDS vap (see below).
655                  */
656                 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap == NULL) {
657                         if (!ieee80211_node_is_authorized(ni)) {
658                                 IEEE80211_DISCARD(vap,
659                                     IEEE80211_MSG_INPUT |
660                                     IEEE80211_MSG_WDS, wh,
661                                     "4-address data",
662                                     "%s", "unauthorized port");
663                                 vap->iv_stats.is_rx_unauth++;
664                                 IEEE80211_NODE_STAT(ni, rx_unauth);
665                                 goto err;
666                         }
667                         ieee80211_dwds_discover(ni, m);
668                         return type;
669                 }
670
671                 /*
672                  * Handle A-MPDU re-ordering.  If the frame is to be
673                  * processed directly then ieee80211_ampdu_reorder
674                  * will return 0; otherwise it has consumed the mbuf
675                  * and we should do nothing more with it.
676                  */
677                 if ((m->m_flags & M_AMPDU) &&
678                     ieee80211_ampdu_reorder(ni, m) != 0) {
679                         m = NULL;
680                         goto out;
681                 }
682         resubmit_ampdu:
683
684                 /*
685                  * Handle privacy requirements.  Note that we
686                  * must not be preempted from here until after
687                  * we (potentially) call ieee80211_crypto_demic;
688                  * otherwise we may violate assumptions in the
689                  * crypto cipher modules used to do delayed update
690                  * of replay sequence numbers.
691                  */
692                 if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
693                         if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
694                                 /*
695                                  * Discard encrypted frames when privacy is off.
696                                  */
697                                 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
698                                     wh, "WEP", "%s", "PRIVACY off");
699                                 vap->iv_stats.is_rx_noprivacy++;
700                                 IEEE80211_NODE_STAT(ni, rx_noprivacy);
701                                 goto out;
702                         }
703                         key = ieee80211_crypto_decap(ni, m, hdrspace);
704                         if (key == NULL) {
705                                 /* NB: stats+msgs handled in crypto_decap */
706                                 IEEE80211_NODE_STAT(ni, rx_wepfail);
707                                 goto out;
708                         }
709                         wh = mtod(m, struct ieee80211_frame *);
710                         wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
711                 } else {
712                         /* XXX M_WEP and IEEE80211_F_PRIVACY */
713                         key = NULL;
714                 }
715
716                 /*
717                  * Save QoS bits for use below--before we strip the header.
718                  */
719                 if (subtype == IEEE80211_FC0_SUBTYPE_QOS) {
720                         qos = (dir == IEEE80211_FC1_DIR_DSTODS) ?
721                             ((struct ieee80211_qosframe_addr4 *)wh)->i_qos[0] :
722                             ((struct ieee80211_qosframe *)wh)->i_qos[0];
723                 } else
724                         qos = 0;
725
726                 /*
727                  * Next up, any fragmentation.
728                  */
729                 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
730                         m = ieee80211_defrag(ni, m, hdrspace);
731                         if (m == NULL) {
732                                 /* Fragment dropped or frame not complete yet */
733                                 goto out;
734                         }
735                 }
736                 wh = NULL;              /* no longer valid, catch any uses */
737
738                 /*
739                  * Next strip any MSDU crypto bits.
740                  */
741                 if (key != NULL && !ieee80211_crypto_demic(vap, key, m, 0)) {
742                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
743                             ni->ni_macaddr, "data", "%s", "demic error");
744                         vap->iv_stats.is_rx_demicfail++;
745                         IEEE80211_NODE_STAT(ni, rx_demicfail);
746                         goto out;
747                 }
748                 /* copy to listener after decrypt */
749                 if (ieee80211_radiotap_active_vap(vap))
750                         ieee80211_radiotap_rx(vap, m);
751                 need_tap = 0;
752                 /*
753                  * Finally, strip the 802.11 header.
754                  */
755                 m = ieee80211_decap(vap, m, hdrspace);
756                 if (m == NULL) {
757                         /* XXX mask bit to check for both */
758                         /* don't count Null data frames as errors */
759                         if (subtype == IEEE80211_FC0_SUBTYPE_NODATA ||
760                             subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL)
761                                 goto out;
762                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
763                             ni->ni_macaddr, "data", "%s", "decap error");
764                         vap->iv_stats.is_rx_decap++;
765                         IEEE80211_NODE_STAT(ni, rx_decap);
766                         goto err;
767                 }
768                 eh = mtod(m, struct ether_header *);
769                 if (!ieee80211_node_is_authorized(ni)) {
770                         /*
771                          * Deny any non-PAE frames received prior to
772                          * authorization.  For open/shared-key
773                          * authentication the port is mark authorized
774                          * after authentication completes.  For 802.1x
775                          * the port is not marked authorized by the
776                          * authenticator until the handshake has completed.
777                          */
778                         if (eh->ether_type != htons(ETHERTYPE_PAE)) {
779                                 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
780                                     eh->ether_shost, "data",
781                                     "unauthorized port: ether type 0x%x len %u",
782                                     eh->ether_type, m->m_pkthdr.len);
783                                 vap->iv_stats.is_rx_unauth++;
784                                 IEEE80211_NODE_STAT(ni, rx_unauth);
785                                 goto err;
786                         }
787                 } else {
788                         /*
789                          * When denying unencrypted frames, discard
790                          * any non-PAE frames received without encryption.
791                          */
792                         if ((vap->iv_flags & IEEE80211_F_DROPUNENC) &&
793                             (key == NULL && (m->m_flags & M_WEP) == 0) &&
794                             eh->ether_type != htons(ETHERTYPE_PAE)) {
795                                 /*
796                                  * Drop unencrypted frames.
797                                  */
798                                 vap->iv_stats.is_rx_unencrypted++;
799                                 IEEE80211_NODE_STAT(ni, rx_unencrypted);
800                                 goto out;
801                         }
802                 }
803                 /* XXX require HT? */
804                 if (qos & IEEE80211_QOS_AMSDU) {
805                         m = ieee80211_decap_amsdu(ni, m);
806                         if (m == NULL)
807                                 return IEEE80211_FC0_TYPE_DATA;
808                 } else {
809 #ifdef IEEE80211_SUPPORT_SUPERG
810                         m = ieee80211_decap_fastframe(vap, ni, m);
811                         if (m == NULL)
812                                 return IEEE80211_FC0_TYPE_DATA;
813 #endif
814                 }
815                 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap != NULL)
816                         ieee80211_deliver_data(ni->ni_wdsvap, ni, m);
817                 else
818                         hostap_deliver_data(vap, ni, m);
819                 return IEEE80211_FC0_TYPE_DATA;
820
821         case IEEE80211_FC0_TYPE_MGT:
822                 vap->iv_stats.is_rx_mgmt++;
823                 IEEE80211_NODE_STAT(ni, rx_mgmt);
824                 if (dir != IEEE80211_FC1_DIR_NODS) {
825                         IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
826                             wh, "mgt", "incorrect dir 0x%x", dir);
827                         vap->iv_stats.is_rx_wrongdir++;
828                         goto err;
829                 }
830                 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
831                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
832                             ni->ni_macaddr, "mgt", "too short: len %u",
833                             m->m_pkthdr.len);
834                         vap->iv_stats.is_rx_tooshort++;
835                         goto out;
836                 }
837                 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) {
838                         /* ensure return frames are unicast */
839                         IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
840                             wh, NULL, "source is multicast: %s",
841                             ether_sprintf(wh->i_addr2));
842                         vap->iv_stats.is_rx_mgtdiscard++;       /* XXX stat */
843                         goto out;
844                 }
845 #ifdef IEEE80211_DEBUG
846                 if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) ||
847                     ieee80211_msg_dumppkts(vap)) {
848                         if_printf(ifp, "received %s from %s rssi %d\n",
849                             ieee80211_mgt_subtype_name[subtype >>
850                                 IEEE80211_FC0_SUBTYPE_SHIFT],
851                             ether_sprintf(wh->i_addr2), rssi);
852                 }
853 #endif
854                 if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
855                         if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) {
856                                 /*
857                                  * Only shared key auth frames with a challenge
858                                  * should be encrypted, discard all others.
859                                  */
860                                 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
861                                     wh, NULL,
862                                     "%s", "WEP set but not permitted");
863                                 vap->iv_stats.is_rx_mgtdiscard++; /* XXX */
864                                 goto out;
865                         }
866                         if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
867                                 /*
868                                  * Discard encrypted frames when privacy is off.
869                                  */
870                                 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
871                                     wh, NULL, "%s", "WEP set but PRIVACY off");
872                                 vap->iv_stats.is_rx_noprivacy++;
873                                 goto out;
874                         }
875                         hdrspace = ieee80211_hdrspace(ic, wh);
876                         key = ieee80211_crypto_decap(ni, m, hdrspace);
877                         if (key == NULL) {
878                                 /* NB: stats+msgs handled in crypto_decap */
879                                 goto out;
880                         }
881                         wh = mtod(m, struct ieee80211_frame *);
882                         wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
883                 }
884                 /*
885                  * Pass the packet to radiotap before calling iv_recv_mgmt().
886                  * Otherwise iv_recv_mgmt() might pass another packet to
887                  * radiotap, resulting in out of order packet captures.
888                  */
889                 if (ieee80211_radiotap_active_vap(vap))
890                         ieee80211_radiotap_rx(vap, m);
891                 need_tap = 0;
892                 vap->iv_recv_mgmt(ni, m, subtype, rssi, nf);
893                 goto out;
894
895         case IEEE80211_FC0_TYPE_CTL:
896                 vap->iv_stats.is_rx_ctl++;
897                 IEEE80211_NODE_STAT(ni, rx_ctrl);
898                 vap->iv_recv_ctl(ni, m, subtype);
899                 goto out;
900         default:
901                 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
902                     wh, "bad", "frame type 0x%x", type);
903                 /* should not come here */
904                 break;
905         }
906 err:
907         ifp->if_ierrors++;
908 out:
909         if (m != NULL) {
910                 if (need_tap && ieee80211_radiotap_active_vap(vap))
911                         ieee80211_radiotap_rx(vap, m);
912                 m_freem(m);
913         }
914         return type;
915 }
916
917 static void
918 hostap_auth_open(struct ieee80211_node *ni, struct ieee80211_frame *wh,
919     int rssi, int nf, uint16_t seq, uint16_t status)
920 {
921         struct ieee80211vap *vap = ni->ni_vap;
922
923         KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state));
924
925         if (ni->ni_authmode == IEEE80211_AUTH_SHARED) {
926                 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
927                     ni->ni_macaddr, "open auth",
928                     "bad sta auth mode %u", ni->ni_authmode);
929                 vap->iv_stats.is_rx_bad_auth++; /* XXX */
930                 /*
931                  * Clear any challenge text that may be there if
932                  * a previous shared key auth failed and then an
933                  * open auth is attempted.
934                  */
935                 if (ni->ni_challenge != NULL) {
936                         free(ni->ni_challenge, M_80211_NODE);
937                         ni->ni_challenge = NULL;
938                 }
939                 /* XXX hack to workaround calling convention */
940                 ieee80211_send_error(ni, wh->i_addr2, 
941                     IEEE80211_FC0_SUBTYPE_AUTH,
942                     (seq + 1) | (IEEE80211_STATUS_ALG<<16));
943                 return;
944         }
945         if (seq != IEEE80211_AUTH_OPEN_REQUEST) {
946                 vap->iv_stats.is_rx_bad_auth++;
947                 return;
948         }
949         /* always accept open authentication requests */
950         if (ni == vap->iv_bss) {
951                 ni = ieee80211_dup_bss(vap, wh->i_addr2);
952                 if (ni == NULL)
953                         return;
954         } else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0)
955                 (void) ieee80211_ref_node(ni);
956         /*
957          * Mark the node as referenced to reflect that it's
958          * reference count has been bumped to insure it remains
959          * after the transaction completes.
960          */
961         ni->ni_flags |= IEEE80211_NODE_AREF;
962         /*
963          * Mark the node as requiring a valid association id
964          * before outbound traffic is permitted.
965          */
966         ni->ni_flags |= IEEE80211_NODE_ASSOCID;
967
968         if (vap->iv_acl != NULL &&
969             vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) {
970                 /*
971                  * When the ACL policy is set to RADIUS we defer the
972                  * authorization to a user agent.  Dispatch an event,
973                  * a subsequent MLME call will decide the fate of the
974                  * station.  If the user agent is not present then the
975                  * node will be reclaimed due to inactivity.
976                  */
977                 IEEE80211_NOTE_MAC(vap,
978                     IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL, ni->ni_macaddr,
979                     "%s", "station authentication defered (radius acl)");
980                 ieee80211_notify_node_auth(ni);
981         } else {
982                 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
983                 IEEE80211_NOTE_MAC(vap,
984                     IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, ni->ni_macaddr,
985                     "%s", "station authenticated (open)");
986                 /*
987                  * When 802.1x is not in use mark the port
988                  * authorized at this point so traffic can flow.
989                  */
990                 if (ni->ni_authmode != IEEE80211_AUTH_8021X)
991                         ieee80211_node_authorize(ni);
992         }
993 }
994
995 static void
996 hostap_auth_shared(struct ieee80211_node *ni, struct ieee80211_frame *wh,
997     uint8_t *frm, uint8_t *efrm, int rssi, int nf,
998     uint16_t seq, uint16_t status)
999 {
1000         struct ieee80211vap *vap = ni->ni_vap;
1001         uint8_t *challenge;
1002         int allocbs, estatus;
1003
1004         KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state));
1005
1006         /*
1007          * NB: this can happen as we allow pre-shared key
1008          * authentication to be enabled w/o wep being turned
1009          * on so that configuration of these can be done
1010          * in any order.  It may be better to enforce the
1011          * ordering in which case this check would just be
1012          * for sanity/consistency.
1013          */
1014         if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
1015                 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1016                     ni->ni_macaddr, "shared key auth",
1017                     "%s", " PRIVACY is disabled");
1018                 estatus = IEEE80211_STATUS_ALG;
1019                 goto bad;
1020         }
1021         /*
1022          * Pre-shared key authentication is evil; accept
1023          * it only if explicitly configured (it is supported
1024          * mainly for compatibility with clients like Mac OS X).
1025          */
1026         if (ni->ni_authmode != IEEE80211_AUTH_AUTO &&
1027             ni->ni_authmode != IEEE80211_AUTH_SHARED) {
1028                 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1029                     ni->ni_macaddr, "shared key auth",
1030                     "bad sta auth mode %u", ni->ni_authmode);
1031                 vap->iv_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */
1032                 estatus = IEEE80211_STATUS_ALG;
1033                 goto bad;
1034         }
1035
1036         challenge = NULL;
1037         if (frm + 1 < efrm) {
1038                 if ((frm[1] + 2) > (efrm - frm)) {
1039                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1040                             ni->ni_macaddr, "shared key auth",
1041                             "ie %d/%d too long",
1042                             frm[0], (frm[1] + 2) - (efrm - frm));
1043                         vap->iv_stats.is_rx_bad_auth++;
1044                         estatus = IEEE80211_STATUS_CHALLENGE;
1045                         goto bad;
1046                 }
1047                 if (*frm == IEEE80211_ELEMID_CHALLENGE)
1048                         challenge = frm;
1049                 frm += frm[1] + 2;
1050         }
1051         switch (seq) {
1052         case IEEE80211_AUTH_SHARED_CHALLENGE:
1053         case IEEE80211_AUTH_SHARED_RESPONSE:
1054                 if (challenge == NULL) {
1055                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1056                             ni->ni_macaddr, "shared key auth",
1057                             "%s", "no challenge");
1058                         vap->iv_stats.is_rx_bad_auth++;
1059                         estatus = IEEE80211_STATUS_CHALLENGE;
1060                         goto bad;
1061                 }
1062                 if (challenge[1] != IEEE80211_CHALLENGE_LEN) {
1063                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1064                             ni->ni_macaddr, "shared key auth",
1065                             "bad challenge len %d", challenge[1]);
1066                         vap->iv_stats.is_rx_bad_auth++;
1067                         estatus = IEEE80211_STATUS_CHALLENGE;
1068                         goto bad;
1069                 }
1070         default:
1071                 break;
1072         }
1073         switch (seq) {
1074         case IEEE80211_AUTH_SHARED_REQUEST:
1075                 if (ni == vap->iv_bss) {
1076                         ni = ieee80211_dup_bss(vap, wh->i_addr2);
1077                         if (ni == NULL) {
1078                                 /* NB: no way to return an error */
1079                                 return;
1080                         }
1081                         allocbs = 1;
1082                 } else {
1083                         if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0)
1084                                 (void) ieee80211_ref_node(ni);
1085                         allocbs = 0;
1086                 }
1087                 /*
1088                  * Mark the node as referenced to reflect that it's
1089                  * reference count has been bumped to insure it remains
1090                  * after the transaction completes.
1091                  */
1092                 ni->ni_flags |= IEEE80211_NODE_AREF;
1093                 /*
1094                  * Mark the node as requiring a valid associatio id
1095                  * before outbound traffic is permitted.
1096                  */
1097                 ni->ni_flags |= IEEE80211_NODE_ASSOCID;
1098                 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
1099                 ni->ni_noise = nf;
1100                 if (!ieee80211_alloc_challenge(ni)) {
1101                         /* NB: don't return error so they rexmit */
1102                         return;
1103                 }
1104                 get_random_bytes(ni->ni_challenge,
1105                         IEEE80211_CHALLENGE_LEN);
1106                 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1107                     ni, "shared key %sauth request", allocbs ? "" : "re");
1108                 /*
1109                  * When the ACL policy is set to RADIUS we defer the
1110                  * authorization to a user agent.  Dispatch an event,
1111                  * a subsequent MLME call will decide the fate of the
1112                  * station.  If the user agent is not present then the
1113                  * node will be reclaimed due to inactivity.
1114                  */
1115                 if (vap->iv_acl != NULL &&
1116                     vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) {
1117                         IEEE80211_NOTE_MAC(vap,
1118                             IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL,
1119                             ni->ni_macaddr,
1120                             "%s", "station authentication defered (radius acl)");
1121                         ieee80211_notify_node_auth(ni);
1122                         return;
1123                 }
1124                 break;
1125         case IEEE80211_AUTH_SHARED_RESPONSE:
1126                 if (ni == vap->iv_bss) {
1127                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1128                             ni->ni_macaddr, "shared key response",
1129                             "%s", "unknown station");
1130                         /* NB: don't send a response */
1131                         return;
1132                 }
1133                 if (ni->ni_challenge == NULL) {
1134                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1135                             ni->ni_macaddr, "shared key response",
1136                             "%s", "no challenge recorded");
1137                         vap->iv_stats.is_rx_bad_auth++;
1138                         estatus = IEEE80211_STATUS_CHALLENGE;
1139                         goto bad;
1140                 }
1141                 if (memcmp(ni->ni_challenge, &challenge[2],
1142                            challenge[1]) != 0) {
1143                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1144                             ni->ni_macaddr, "shared key response",
1145                             "%s", "challenge mismatch");
1146                         vap->iv_stats.is_rx_auth_fail++;
1147                         estatus = IEEE80211_STATUS_CHALLENGE;
1148                         goto bad;
1149                 }
1150                 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1151                     ni, "%s", "station authenticated (shared key)");
1152                 ieee80211_node_authorize(ni);
1153                 break;
1154         default:
1155                 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1156                     ni->ni_macaddr, "shared key auth",
1157                     "bad seq %d", seq);
1158                 vap->iv_stats.is_rx_bad_auth++;
1159                 estatus = IEEE80211_STATUS_SEQUENCE;
1160                 goto bad;
1161         }
1162         IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
1163         return;
1164 bad:
1165         /*
1166          * Send an error response; but only when operating as an AP.
1167          */
1168         /* XXX hack to workaround calling convention */
1169         ieee80211_send_error(ni, wh->i_addr2,
1170             IEEE80211_FC0_SUBTYPE_AUTH,
1171             (seq + 1) | (estatus<<16));
1172 }
1173
1174 /*
1175  * Convert a WPA cipher selector OUI to an internal
1176  * cipher algorithm.  Where appropriate we also
1177  * record any key length.
1178  */
1179 static int
1180 wpa_cipher(const uint8_t *sel, uint8_t *keylen)
1181 {
1182 #define WPA_SEL(x)      (((x)<<24)|WPA_OUI)
1183         uint32_t w = LE_READ_4(sel);
1184
1185         switch (w) {
1186         case WPA_SEL(WPA_CSE_NULL):
1187                 return IEEE80211_CIPHER_NONE;
1188         case WPA_SEL(WPA_CSE_WEP40):
1189                 if (keylen)
1190                         *keylen = 40 / NBBY;
1191                 return IEEE80211_CIPHER_WEP;
1192         case WPA_SEL(WPA_CSE_WEP104):
1193                 if (keylen)
1194                         *keylen = 104 / NBBY;
1195                 return IEEE80211_CIPHER_WEP;
1196         case WPA_SEL(WPA_CSE_TKIP):
1197                 return IEEE80211_CIPHER_TKIP;
1198         case WPA_SEL(WPA_CSE_CCMP):
1199                 return IEEE80211_CIPHER_AES_CCM;
1200         }
1201         return 32;              /* NB: so 1<< is discarded */
1202 #undef WPA_SEL
1203 }
1204
1205 /*
1206  * Convert a WPA key management/authentication algorithm
1207  * to an internal code.
1208  */
1209 static int
1210 wpa_keymgmt(const uint8_t *sel)
1211 {
1212 #define WPA_SEL(x)      (((x)<<24)|WPA_OUI)
1213         uint32_t w = LE_READ_4(sel);
1214
1215         switch (w) {
1216         case WPA_SEL(WPA_ASE_8021X_UNSPEC):
1217                 return WPA_ASE_8021X_UNSPEC;
1218         case WPA_SEL(WPA_ASE_8021X_PSK):
1219                 return WPA_ASE_8021X_PSK;
1220         case WPA_SEL(WPA_ASE_NONE):
1221                 return WPA_ASE_NONE;
1222         }
1223         return 0;               /* NB: so is discarded */
1224 #undef WPA_SEL
1225 }
1226
1227 /*
1228  * Parse a WPA information element to collect parameters.
1229  * Note that we do not validate security parameters; that
1230  * is handled by the authenticator; the parsing done here
1231  * is just for internal use in making operational decisions.
1232  */
1233 static int
1234 ieee80211_parse_wpa(struct ieee80211vap *vap, const uint8_t *frm,
1235         struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh)
1236 {
1237         uint8_t len = frm[1];
1238         uint32_t w;
1239         int n;
1240
1241         /*
1242          * Check the length once for fixed parts: OUI, type,
1243          * version, mcast cipher, and 2 selector counts.
1244          * Other, variable-length data, must be checked separately.
1245          */
1246         if ((vap->iv_flags & IEEE80211_F_WPA1) == 0) {
1247                 IEEE80211_DISCARD_IE(vap,
1248                     IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1249                     wh, "WPA", "not WPA, flags 0x%x", vap->iv_flags);
1250                 return IEEE80211_REASON_IE_INVALID;
1251         }
1252         if (len < 14) {
1253                 IEEE80211_DISCARD_IE(vap,
1254                     IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1255                     wh, "WPA", "too short, len %u", len);
1256                 return IEEE80211_REASON_IE_INVALID;
1257         }
1258         frm += 6, len -= 4;             /* NB: len is payload only */
1259         /* NB: iswpaoui already validated the OUI and type */
1260         w = LE_READ_2(frm);
1261         if (w != WPA_VERSION) {
1262                 IEEE80211_DISCARD_IE(vap,
1263                     IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1264                     wh, "WPA", "bad version %u", w);
1265                 return IEEE80211_REASON_IE_INVALID;
1266         }
1267         frm += 2, len -= 2;
1268
1269         memset(rsn, 0, sizeof(*rsn));
1270
1271         /* multicast/group cipher */
1272         rsn->rsn_mcastcipher = wpa_cipher(frm, &rsn->rsn_mcastkeylen);
1273         frm += 4, len -= 4;
1274
1275         /* unicast ciphers */
1276         n = LE_READ_2(frm);
1277         frm += 2, len -= 2;
1278         if (len < n*4+2) {
1279                 IEEE80211_DISCARD_IE(vap,
1280                     IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1281                     wh, "WPA", "ucast cipher data too short; len %u, n %u",
1282                     len, n);
1283                 return IEEE80211_REASON_IE_INVALID;
1284         }
1285         w = 0;
1286         for (; n > 0; n--) {
1287                 w |= 1<<wpa_cipher(frm, &rsn->rsn_ucastkeylen);
1288                 frm += 4, len -= 4;
1289         }
1290         if (w & (1<<IEEE80211_CIPHER_TKIP))
1291                 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
1292         else
1293                 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
1294
1295         /* key management algorithms */
1296         n = LE_READ_2(frm);
1297         frm += 2, len -= 2;
1298         if (len < n*4) {
1299                 IEEE80211_DISCARD_IE(vap,
1300                     IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1301                     wh, "WPA", "key mgmt alg data too short; len %u, n %u",
1302                     len, n);
1303                 return IEEE80211_REASON_IE_INVALID;
1304         }
1305         w = 0;
1306         for (; n > 0; n--) {
1307                 w |= wpa_keymgmt(frm);
1308                 frm += 4, len -= 4;
1309         }
1310         if (w & WPA_ASE_8021X_UNSPEC)
1311                 rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC;
1312         else
1313                 rsn->rsn_keymgmt = WPA_ASE_8021X_PSK;
1314
1315         if (len > 2)            /* optional capabilities */
1316                 rsn->rsn_caps = LE_READ_2(frm);
1317
1318         return 0;
1319 }
1320
1321 /*
1322  * Convert an RSN cipher selector OUI to an internal
1323  * cipher algorithm.  Where appropriate we also
1324  * record any key length.
1325  */
1326 static int
1327 rsn_cipher(const uint8_t *sel, uint8_t *keylen)
1328 {
1329 #define RSN_SEL(x)      (((x)<<24)|RSN_OUI)
1330         uint32_t w = LE_READ_4(sel);
1331
1332         switch (w) {
1333         case RSN_SEL(RSN_CSE_NULL):
1334                 return IEEE80211_CIPHER_NONE;
1335         case RSN_SEL(RSN_CSE_WEP40):
1336                 if (keylen)
1337                         *keylen = 40 / NBBY;
1338                 return IEEE80211_CIPHER_WEP;
1339         case RSN_SEL(RSN_CSE_WEP104):
1340                 if (keylen)
1341                         *keylen = 104 / NBBY;
1342                 return IEEE80211_CIPHER_WEP;
1343         case RSN_SEL(RSN_CSE_TKIP):
1344                 return IEEE80211_CIPHER_TKIP;
1345         case RSN_SEL(RSN_CSE_CCMP):
1346                 return IEEE80211_CIPHER_AES_CCM;
1347         case RSN_SEL(RSN_CSE_WRAP):
1348                 return IEEE80211_CIPHER_AES_OCB;
1349         }
1350         return 32;              /* NB: so 1<< is discarded */
1351 #undef WPA_SEL
1352 }
1353
1354 /*
1355  * Convert an RSN key management/authentication algorithm
1356  * to an internal code.
1357  */
1358 static int
1359 rsn_keymgmt(const uint8_t *sel)
1360 {
1361 #define RSN_SEL(x)      (((x)<<24)|RSN_OUI)
1362         uint32_t w = LE_READ_4(sel);
1363
1364         switch (w) {
1365         case RSN_SEL(RSN_ASE_8021X_UNSPEC):
1366                 return RSN_ASE_8021X_UNSPEC;
1367         case RSN_SEL(RSN_ASE_8021X_PSK):
1368                 return RSN_ASE_8021X_PSK;
1369         case RSN_SEL(RSN_ASE_NONE):
1370                 return RSN_ASE_NONE;
1371         }
1372         return 0;               /* NB: so is discarded */
1373 #undef RSN_SEL
1374 }
1375
1376 /*
1377  * Parse a WPA/RSN information element to collect parameters
1378  * and validate the parameters against what has been
1379  * configured for the system.
1380  */
1381 static int
1382 ieee80211_parse_rsn(struct ieee80211vap *vap, const uint8_t *frm,
1383         struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh)
1384 {
1385         uint8_t len = frm[1];
1386         uint32_t w;
1387         int n;
1388
1389         /*
1390          * Check the length once for fixed parts: 
1391          * version, mcast cipher, and 2 selector counts.
1392          * Other, variable-length data, must be checked separately.
1393          */
1394         if ((vap->iv_flags & IEEE80211_F_WPA2) == 0) {
1395                 IEEE80211_DISCARD_IE(vap,
1396                     IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1397                     wh, "WPA", "not RSN, flags 0x%x", vap->iv_flags);
1398                 return IEEE80211_REASON_IE_INVALID;
1399         }
1400         if (len < 10) {
1401                 IEEE80211_DISCARD_IE(vap,
1402                     IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1403                     wh, "RSN", "too short, len %u", len);
1404                 return IEEE80211_REASON_IE_INVALID;
1405         }
1406         frm += 2;
1407         w = LE_READ_2(frm);
1408         if (w != RSN_VERSION) {
1409                 IEEE80211_DISCARD_IE(vap,
1410                     IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1411                     wh, "RSN", "bad version %u", w);
1412                 return IEEE80211_REASON_IE_INVALID;
1413         }
1414         frm += 2, len -= 2;
1415
1416         memset(rsn, 0, sizeof(*rsn));
1417
1418         /* multicast/group cipher */
1419         rsn->rsn_mcastcipher = rsn_cipher(frm, &rsn->rsn_mcastkeylen);
1420         frm += 4, len -= 4;
1421
1422         /* unicast ciphers */
1423         n = LE_READ_2(frm);
1424         frm += 2, len -= 2;
1425         if (len < n*4+2) {
1426                 IEEE80211_DISCARD_IE(vap,
1427                     IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1428                     wh, "RSN", "ucast cipher data too short; len %u, n %u",
1429                     len, n);
1430                 return IEEE80211_REASON_IE_INVALID;
1431         }
1432         w = 0;
1433         for (; n > 0; n--) {
1434                 w |= 1<<rsn_cipher(frm, &rsn->rsn_ucastkeylen);
1435                 frm += 4, len -= 4;
1436         }
1437         if (w & (1<<IEEE80211_CIPHER_TKIP))
1438                 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
1439         else
1440                 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
1441
1442         /* key management algorithms */
1443         n = LE_READ_2(frm);
1444         frm += 2, len -= 2;
1445         if (len < n*4) {
1446                 IEEE80211_DISCARD_IE(vap,
1447                     IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1448                     wh, "RSN", "key mgmt alg data too short; len %u, n %u",
1449                     len, n);
1450                 return IEEE80211_REASON_IE_INVALID;
1451         }
1452         w = 0;
1453         for (; n > 0; n--) {
1454                 w |= rsn_keymgmt(frm);
1455                 frm += 4, len -= 4;
1456         }
1457         if (w & RSN_ASE_8021X_UNSPEC)
1458                 rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC;
1459         else
1460                 rsn->rsn_keymgmt = RSN_ASE_8021X_PSK;
1461
1462         /* optional RSN capabilities */
1463         if (len > 2)
1464                 rsn->rsn_caps = LE_READ_2(frm);
1465         /* XXXPMKID */
1466
1467         return 0;
1468 }
1469
1470 /*
1471  * WPA/802.11i assocation request processing.
1472  */
1473 static int
1474 wpa_assocreq(struct ieee80211_node *ni, struct ieee80211_rsnparms *rsnparms,
1475         const struct ieee80211_frame *wh, const uint8_t *wpa,
1476         const uint8_t *rsn, uint16_t capinfo)
1477 {
1478         struct ieee80211vap *vap = ni->ni_vap;
1479         uint8_t reason;
1480         int badwparsn;
1481
1482         ni->ni_flags &= ~(IEEE80211_NODE_WPS|IEEE80211_NODE_TSN);
1483         if (wpa == NULL && rsn == NULL) {
1484                 if (vap->iv_flags_ext & IEEE80211_FEXT_WPS) {
1485                         /*
1486                          * W-Fi Protected Setup (WPS) permits
1487                          * clients to associate and pass EAPOL frames
1488                          * to establish initial credentials.
1489                          */
1490                         ni->ni_flags |= IEEE80211_NODE_WPS;
1491                         return 1;
1492                 }
1493                 if ((vap->iv_flags_ext & IEEE80211_FEXT_TSN) &&
1494                     (capinfo & IEEE80211_CAPINFO_PRIVACY)) {
1495                         /* 
1496                          * Transitional Security Network.  Permits clients
1497                          * to associate and use WEP while WPA is configured.
1498                          */
1499                         ni->ni_flags |= IEEE80211_NODE_TSN;
1500                         return 1;
1501                 }
1502                 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA,
1503                     wh, NULL, "%s", "no WPA/RSN IE in association request");
1504                 vap->iv_stats.is_rx_assoc_badwpaie++;
1505                 reason = IEEE80211_REASON_IE_INVALID;
1506                 goto bad;
1507         }
1508         /* assert right association security credentials */
1509         badwparsn = 0;                  /* NB: to silence compiler */
1510         switch (vap->iv_flags & IEEE80211_F_WPA) {
1511         case IEEE80211_F_WPA1:
1512                 badwparsn = (wpa == NULL);
1513                 break;
1514         case IEEE80211_F_WPA2:
1515                 badwparsn = (rsn == NULL);
1516                 break;
1517         case IEEE80211_F_WPA1|IEEE80211_F_WPA2:
1518                 badwparsn = (wpa == NULL && rsn == NULL);
1519                 break;
1520         }
1521         if (badwparsn) {
1522                 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA,
1523                     wh, NULL,
1524                     "%s", "missing WPA/RSN IE in association request");
1525                 vap->iv_stats.is_rx_assoc_badwpaie++;
1526                 reason = IEEE80211_REASON_IE_INVALID;
1527                 goto bad;
1528         }
1529         /*
1530          * Parse WPA/RSN information element.
1531          */
1532         if (wpa != NULL)
1533                 reason = ieee80211_parse_wpa(vap, wpa, rsnparms, wh);
1534         else
1535                 reason = ieee80211_parse_rsn(vap, rsn, rsnparms, wh);
1536         if (reason != 0) {
1537                 /* XXX distinguish WPA/RSN? */
1538                 vap->iv_stats.is_rx_assoc_badwpaie++;
1539                 goto bad;
1540         }
1541         IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, ni,
1542             "%s ie: mc %u/%u uc %u/%u key %u caps 0x%x",
1543             wpa != NULL ? "WPA" : "RSN",
1544             rsnparms->rsn_mcastcipher, rsnparms->rsn_mcastkeylen,
1545             rsnparms->rsn_ucastcipher, rsnparms->rsn_ucastkeylen,
1546             rsnparms->rsn_keymgmt, rsnparms->rsn_caps);
1547
1548         return 1;
1549 bad:
1550         ieee80211_node_deauth(ni, reason);
1551         return 0;
1552 }
1553
1554 /* XXX find a better place for definition */
1555 struct l2_update_frame {
1556         struct ether_header eh;
1557         uint8_t dsap;
1558         uint8_t ssap;
1559         uint8_t control;
1560         uint8_t xid[3];
1561 }  __packed;
1562
1563 /*
1564  * Deliver a TGf L2UF frame on behalf of a station.
1565  * This primes any bridge when the station is roaming
1566  * between ap's on the same wired network.
1567  */
1568 static void
1569 ieee80211_deliver_l2uf(struct ieee80211_node *ni)
1570 {
1571         struct ieee80211vap *vap = ni->ni_vap;
1572         struct ifnet *ifp = vap->iv_ifp;
1573         struct mbuf *m;
1574         struct l2_update_frame *l2uf;
1575         struct ether_header *eh;
1576         
1577         m = m_gethdr(M_NOWAIT, MT_DATA);
1578         if (m == NULL) {
1579                 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni,
1580                     "%s", "no mbuf for l2uf frame");
1581                 vap->iv_stats.is_rx_nobuf++;    /* XXX not right */
1582                 return;
1583         }
1584         l2uf = mtod(m, struct l2_update_frame *);
1585         eh = &l2uf->eh;
1586         /* dst: Broadcast address */
1587         IEEE80211_ADDR_COPY(eh->ether_dhost, ifp->if_broadcastaddr);
1588         /* src: associated STA */
1589         IEEE80211_ADDR_COPY(eh->ether_shost, ni->ni_macaddr);
1590         eh->ether_type = htons(sizeof(*l2uf) - sizeof(*eh));
1591         
1592         l2uf->dsap = 0;
1593         l2uf->ssap = 0;
1594         l2uf->control = 0xf5;
1595         l2uf->xid[0] = 0x81;
1596         l2uf->xid[1] = 0x80;
1597         l2uf->xid[2] = 0x00;
1598         
1599         m->m_pkthdr.len = m->m_len = sizeof(*l2uf);
1600         hostap_deliver_data(vap, ni, m);
1601 }
1602
1603 static void
1604 ratesetmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1605         int reassoc, int resp, const char *tag, int rate)
1606 {
1607         IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2,
1608             "deny %s request, %s rate set mismatch, rate/MCS %d",
1609             reassoc ? "reassoc" : "assoc", tag, rate & IEEE80211_RATE_VAL);
1610         IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_BASIC_RATE);
1611         ieee80211_node_leave(ni);
1612 }
1613
1614 static void
1615 capinfomismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1616         int reassoc, int resp, const char *tag, int capinfo)
1617 {
1618         struct ieee80211vap *vap = ni->ni_vap;
1619
1620         IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2,
1621             "deny %s request, %s mismatch 0x%x",
1622             reassoc ? "reassoc" : "assoc", tag, capinfo);
1623         IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_CAPINFO);
1624         ieee80211_node_leave(ni);
1625         vap->iv_stats.is_rx_assoc_capmismatch++;
1626 }
1627
1628 static void
1629 htcapmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1630         int reassoc, int resp)
1631 {
1632         IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2,
1633             "deny %s request, %s missing HT ie", reassoc ? "reassoc" : "assoc");
1634         /* XXX no better code */
1635         IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_MISSING_HT_CAPS);
1636         ieee80211_node_leave(ni);
1637 }
1638
1639 static void
1640 authalgreject(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1641         int algo, int seq, int status)
1642 {
1643         struct ieee80211vap *vap = ni->ni_vap;
1644
1645         IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1646             wh, NULL, "unsupported alg %d", algo);
1647         vap->iv_stats.is_rx_auth_unsupported++;
1648         ieee80211_send_error(ni, wh->i_addr2, IEEE80211_FC0_SUBTYPE_AUTH,
1649             seq | (status << 16));
1650 }
1651
1652 static __inline int
1653 ishtmixed(const uint8_t *ie)
1654 {
1655         const struct ieee80211_ie_htinfo *ht =
1656             (const struct ieee80211_ie_htinfo *) ie;
1657         return (ht->hi_byte2 & IEEE80211_HTINFO_OPMODE) ==
1658             IEEE80211_HTINFO_OPMODE_MIXED;
1659 }
1660
1661 static int
1662 is11bclient(const uint8_t *rates, const uint8_t *xrates)
1663 {
1664         static const uint32_t brates = (1<<2*1)|(1<<2*2)|(1<<11)|(1<<2*11);
1665         int i;
1666
1667         /* NB: the 11b clients we care about will not have xrates */
1668         if (xrates != NULL || rates == NULL)
1669                 return 0;
1670         for (i = 0; i < rates[1]; i++) {
1671                 int r = rates[2+i] & IEEE80211_RATE_VAL;
1672                 if (r > 2*11 || ((1<<r) & brates) == 0)
1673                         return 0;
1674         }
1675         return 1;
1676 }
1677
1678 static void
1679 hostap_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0,
1680         int subtype, int rssi, int nf)
1681 {
1682         struct ieee80211vap *vap = ni->ni_vap;
1683         struct ieee80211com *ic = ni->ni_ic;
1684         struct ieee80211_frame *wh;
1685         uint8_t *frm, *efrm, *sfrm;
1686         uint8_t *ssid, *rates, *xrates, *wpa, *rsn, *wme, *ath, *htcap;
1687         int reassoc, resp;
1688         uint8_t rate;
1689
1690         wh = mtod(m0, struct ieee80211_frame *);
1691         frm = (uint8_t *)&wh[1];
1692         efrm = mtod(m0, uint8_t *) + m0->m_len;
1693         switch (subtype) {
1694         case IEEE80211_FC0_SUBTYPE_PROBE_RESP:
1695         case IEEE80211_FC0_SUBTYPE_BEACON: {
1696                 struct ieee80211_scanparams scan;
1697                 /*
1698                  * We process beacon/probe response frames when scanning;
1699                  * otherwise we check beacon frames for overlapping non-ERP
1700                  * BSS in 11g and/or overlapping legacy BSS when in HT.
1701                  */ 
1702                 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0 &&
1703                     subtype == IEEE80211_FC0_SUBTYPE_PROBE_RESP) {
1704                         vap->iv_stats.is_rx_mgtdiscard++;
1705                         return;
1706                 }
1707                 /* NB: accept off-channel frames */
1708                 if (ieee80211_parse_beacon(ni, m0, &scan) &~ IEEE80211_BPARSE_OFFCHAN)
1709                         return;
1710                 /*
1711                  * Count frame now that we know it's to be processed.
1712                  */
1713                 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) {
1714                         vap->iv_stats.is_rx_beacon++;           /* XXX remove */
1715                         IEEE80211_NODE_STAT(ni, rx_beacons);
1716                 } else
1717                         IEEE80211_NODE_STAT(ni, rx_proberesp);
1718                 /*
1719                  * If scanning, just pass information to the scan module.
1720                  */
1721                 if (ic->ic_flags & IEEE80211_F_SCAN) {
1722                         if (scan.status == 0 &&         /* NB: on channel */
1723                             (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN)) {
1724                                 /*
1725                                  * Actively scanning a channel marked passive;
1726                                  * send a probe request now that we know there
1727                                  * is 802.11 traffic present.
1728                                  *
1729                                  * XXX check if the beacon we recv'd gives
1730                                  * us what we need and suppress the probe req
1731                                  */
1732                                 ieee80211_probe_curchan(vap, 1);
1733                                 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN;
1734                         }
1735                         ieee80211_add_scan(vap, &scan, wh, subtype, rssi, nf);
1736                         return;
1737                 }
1738                 /*
1739                  * Check beacon for overlapping bss w/ non ERP stations.
1740                  * If we detect one and protection is configured but not
1741                  * enabled, enable it and start a timer that'll bring us
1742                  * out if we stop seeing the bss.
1743                  */
1744                 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) &&
1745                     scan.status == 0 &&                 /* NB: on-channel */
1746                     ((scan.erp & 0x100) == 0 ||         /* NB: no ERP, 11b sta*/
1747                      (scan.erp & IEEE80211_ERP_NON_ERP_PRESENT))) {
1748                         ic->ic_lastnonerp = ticks;
1749                         ic->ic_flags_ext |= IEEE80211_FEXT_NONERP_PR;
1750                         if (ic->ic_protmode != IEEE80211_PROT_NONE &&
1751                             (ic->ic_flags & IEEE80211_F_USEPROT) == 0) {
1752                                 IEEE80211_NOTE_FRAME(vap,
1753                                     IEEE80211_MSG_ASSOC, wh,
1754                                     "non-ERP present on channel %d "
1755                                     "(saw erp 0x%x from channel %d), "
1756                                     "enable use of protection",
1757                                     ic->ic_curchan->ic_ieee,
1758                                     scan.erp, scan.chan);
1759                                 ic->ic_flags |= IEEE80211_F_USEPROT;
1760                                 ieee80211_notify_erp(ic);
1761                         }
1762                 }
1763                 /* 
1764                  * Check beacon for non-HT station on HT channel
1765                  * and update HT BSS occupancy as appropriate.
1766                  */
1767                 if (IEEE80211_IS_CHAN_HT(ic->ic_curchan)) {
1768                         if (scan.status & IEEE80211_BPARSE_OFFCHAN) {
1769                                 /*
1770                                  * Off control channel; only check frames
1771                                  * that come in the extension channel when
1772                                  * operating w/ HT40.
1773                                  */
1774                                 if (!IEEE80211_IS_CHAN_HT40(ic->ic_curchan))
1775                                         break;
1776                                 if (scan.chan != ic->ic_curchan->ic_extieee)
1777                                         break;
1778                         }
1779                         if (scan.htinfo == NULL) {
1780                                 ieee80211_htprot_update(ic,
1781                                     IEEE80211_HTINFO_OPMODE_PROTOPT |
1782                                     IEEE80211_HTINFO_NONHT_PRESENT);
1783                         } else if (ishtmixed(scan.htinfo)) {
1784                                 /* XXX? take NONHT_PRESENT from beacon? */
1785                                 ieee80211_htprot_update(ic,
1786                                     IEEE80211_HTINFO_OPMODE_MIXED |
1787                                     IEEE80211_HTINFO_NONHT_PRESENT);
1788                         }
1789                 }
1790                 break;
1791         }
1792
1793         case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
1794                 if (vap->iv_state != IEEE80211_S_RUN) {
1795                         vap->iv_stats.is_rx_mgtdiscard++;
1796                         return;
1797                 }
1798                 /*
1799                  * Consult the ACL policy module if setup.
1800                  */
1801                 if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) {
1802                         IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL,
1803                             wh, NULL, "%s", "disallowed by ACL");
1804                         vap->iv_stats.is_rx_acl++;
1805                         return;
1806                 }
1807                 /*
1808                  * prreq frame format
1809                  *      [tlv] ssid
1810                  *      [tlv] supported rates
1811                  *      [tlv] extended supported rates
1812                  */
1813                 ssid = rates = xrates = NULL;
1814                 sfrm = frm;
1815                 while (efrm - frm > 1) {
1816                         IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
1817                         switch (*frm) {
1818                         case IEEE80211_ELEMID_SSID:
1819                                 ssid = frm;
1820                                 break;
1821                         case IEEE80211_ELEMID_RATES:
1822                                 rates = frm;
1823                                 break;
1824                         case IEEE80211_ELEMID_XRATES:
1825                                 xrates = frm;
1826                                 break;
1827                         }
1828                         frm += frm[1] + 2;
1829                 }
1830                 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return);
1831                 if (xrates != NULL)
1832                         IEEE80211_VERIFY_ELEMENT(xrates,
1833                                 IEEE80211_RATE_MAXSIZE - rates[1], return);
1834                 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return);
1835                 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return);
1836                 if ((vap->iv_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) {
1837                         IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
1838                             wh, NULL,
1839                             "%s", "no ssid with ssid suppression enabled");
1840                         vap->iv_stats.is_rx_ssidmismatch++; /*XXX*/
1841                         return;
1842                 }
1843
1844                 /* XXX find a better class or define it's own */
1845                 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_INPUT, wh->i_addr2,
1846                     "%s", "recv probe req");
1847                 /*
1848                  * Some legacy 11b clients cannot hack a complete
1849                  * probe response frame.  When the request includes
1850                  * only a bare-bones rate set, communicate this to
1851                  * the transmit side.
1852                  */
1853                 ieee80211_send_proberesp(vap, wh->i_addr2,
1854                     is11bclient(rates, xrates) ? IEEE80211_SEND_LEGACY_11B : 0);
1855                 break;
1856
1857         case IEEE80211_FC0_SUBTYPE_AUTH: {
1858                 uint16_t algo, seq, status;
1859
1860                 if (vap->iv_state != IEEE80211_S_RUN) {
1861                         vap->iv_stats.is_rx_mgtdiscard++;
1862                         return;
1863                 }
1864                 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) {
1865                         IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1866                             wh, NULL, "%s", "wrong bssid");
1867                         vap->iv_stats.is_rx_wrongbss++; /*XXX unique stat?*/
1868                         return;
1869                 }
1870                 /*
1871                  * auth frame format
1872                  *      [2] algorithm
1873                  *      [2] sequence
1874                  *      [2] status
1875                  *      [tlv*] challenge
1876                  */
1877                 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return);
1878                 algo   = le16toh(*(uint16_t *)frm);
1879                 seq    = le16toh(*(uint16_t *)(frm + 2));
1880                 status = le16toh(*(uint16_t *)(frm + 4));
1881                 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr2,
1882                     "recv auth frame with algorithm %d seq %d", algo, seq);
1883                 /*
1884                  * Consult the ACL policy module if setup.
1885                  */
1886                 if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) {
1887                         IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL,
1888                             wh, NULL, "%s", "disallowed by ACL");
1889                         vap->iv_stats.is_rx_acl++;
1890                         ieee80211_send_error(ni, wh->i_addr2,
1891                             IEEE80211_FC0_SUBTYPE_AUTH,
1892                             (seq+1) | (IEEE80211_STATUS_UNSPECIFIED<<16));
1893                         return;
1894                 }
1895                 if (vap->iv_flags & IEEE80211_F_COUNTERM) {
1896                         IEEE80211_DISCARD(vap,
1897                             IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO,
1898                             wh, NULL, "%s", "TKIP countermeasures enabled");
1899                         vap->iv_stats.is_rx_auth_countermeasures++;
1900                         ieee80211_send_error(ni, wh->i_addr2,
1901                                 IEEE80211_FC0_SUBTYPE_AUTH,
1902                                 IEEE80211_REASON_MIC_FAILURE);
1903                         return;
1904                 }
1905                 if (algo == IEEE80211_AUTH_ALG_SHARED)
1906                         hostap_auth_shared(ni, wh, frm + 6, efrm, rssi, nf,
1907                             seq, status);
1908                 else if (algo == IEEE80211_AUTH_ALG_OPEN)
1909                         hostap_auth_open(ni, wh, rssi, nf, seq, status);
1910                 else if (algo == IEEE80211_AUTH_ALG_LEAP) {
1911                         authalgreject(ni, wh, algo,
1912                             seq+1, IEEE80211_STATUS_ALG);
1913                         return;
1914                 } else {
1915                         /*
1916                          * We assume that an unknown algorithm is the result
1917                          * of a decryption failure on a shared key auth frame;
1918                          * return a status code appropriate for that instead
1919                          * of IEEE80211_STATUS_ALG.
1920                          *
1921                          * NB: a seq# of 4 is intentional; the decrypted
1922                          *     frame likely has a bogus seq value.
1923                          */
1924                         authalgreject(ni, wh, algo,
1925                             4, IEEE80211_STATUS_CHALLENGE);
1926                         return;
1927                 } 
1928                 break;
1929         }
1930
1931         case IEEE80211_FC0_SUBTYPE_ASSOC_REQ:
1932         case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: {
1933                 uint16_t capinfo, lintval;
1934                 struct ieee80211_rsnparms rsnparms;
1935
1936                 if (vap->iv_state != IEEE80211_S_RUN) {
1937                         vap->iv_stats.is_rx_mgtdiscard++;
1938                         return;
1939                 }
1940                 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) {
1941                         IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1942                             wh, NULL, "%s", "wrong bssid");
1943                         vap->iv_stats.is_rx_assoc_bss++;
1944                         return;
1945                 }
1946                 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) {
1947                         reassoc = 1;
1948                         resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP;
1949                 } else {
1950                         reassoc = 0;
1951                         resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP;
1952                 }
1953                 if (ni == vap->iv_bss) {
1954                         IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2,
1955                             "deny %s request, sta not authenticated",
1956                             reassoc ? "reassoc" : "assoc");
1957                         ieee80211_send_error(ni, wh->i_addr2,
1958                             IEEE80211_FC0_SUBTYPE_DEAUTH,
1959                             IEEE80211_REASON_ASSOC_NOT_AUTHED);
1960                         vap->iv_stats.is_rx_assoc_notauth++;
1961                         return;
1962                 }
1963
1964                 /*
1965                  * asreq frame format
1966                  *      [2] capability information
1967                  *      [2] listen interval
1968                  *      [6*] current AP address (reassoc only)
1969                  *      [tlv] ssid
1970                  *      [tlv] supported rates
1971                  *      [tlv] extended supported rates
1972                  *      [tlv] WPA or RSN
1973                  *      [tlv] HT capabilities
1974                  *      [tlv] Atheros capabilities
1975                  */
1976                 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4), return);
1977                 capinfo = le16toh(*(uint16_t *)frm);    frm += 2;
1978                 lintval = le16toh(*(uint16_t *)frm);    frm += 2;
1979                 if (reassoc)
1980                         frm += 6;       /* ignore current AP info */
1981                 ssid = rates = xrates = wpa = rsn = wme = ath = htcap = NULL;
1982                 sfrm = frm;
1983                 while (efrm - frm > 1) {
1984                         IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
1985                         switch (*frm) {
1986                         case IEEE80211_ELEMID_SSID:
1987                                 ssid = frm;
1988                                 break;
1989                         case IEEE80211_ELEMID_RATES:
1990                                 rates = frm;
1991                                 break;
1992                         case IEEE80211_ELEMID_XRATES:
1993                                 xrates = frm;
1994                                 break;
1995                         case IEEE80211_ELEMID_RSN:
1996                                 rsn = frm;
1997                                 break;
1998                         case IEEE80211_ELEMID_HTCAP:
1999                                 htcap = frm;
2000                                 break;
2001                         case IEEE80211_ELEMID_VENDOR:
2002                                 if (iswpaoui(frm))
2003                                         wpa = frm;
2004                                 else if (iswmeinfo(frm))
2005                                         wme = frm;
2006 #ifdef IEEE80211_SUPPORT_SUPERG
2007                                 else if (isatherosoui(frm))
2008                                         ath = frm;
2009 #endif
2010                                 else if (vap->iv_flags_ht & IEEE80211_FHT_HTCOMPAT) {
2011                                         if (ishtcapoui(frm) && htcap == NULL)
2012                                                 htcap = frm;
2013                                 }
2014                                 break;
2015                         }
2016                         frm += frm[1] + 2;
2017                 }
2018                 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return);
2019                 if (xrates != NULL)
2020                         IEEE80211_VERIFY_ELEMENT(xrates,
2021                                 IEEE80211_RATE_MAXSIZE - rates[1], return);
2022                 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return);
2023                 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return);
2024                 if (htcap != NULL) {
2025                         IEEE80211_VERIFY_LENGTH(htcap[1],
2026                              htcap[0] == IEEE80211_ELEMID_VENDOR ?
2027                                  4 + sizeof(struct ieee80211_ie_htcap)-2 :
2028                                  sizeof(struct ieee80211_ie_htcap)-2,
2029                              return);           /* XXX just NULL out? */
2030                 }
2031
2032                 if ((vap->iv_flags & IEEE80211_F_WPA) &&
2033                     !wpa_assocreq(ni, &rsnparms, wh, wpa, rsn, capinfo))
2034                         return;
2035                 /* discard challenge after association */
2036                 if (ni->ni_challenge != NULL) {
2037                         free(ni->ni_challenge, M_80211_NODE);
2038                         ni->ni_challenge = NULL;
2039                 }
2040                 /* NB: 802.11 spec says to ignore station's privacy bit */
2041                 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) {
2042                         capinfomismatch(ni, wh, reassoc, resp,
2043                             "capability", capinfo);
2044                         return;
2045                 }
2046                 /*
2047                  * Disallow re-associate w/ invalid slot time setting.
2048                  */
2049                 if (ni->ni_associd != 0 &&
2050                     IEEE80211_IS_CHAN_ANYG(ic->ic_bsschan) &&
2051                     ((ni->ni_capinfo ^ capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME)) {
2052                         capinfomismatch(ni, wh, reassoc, resp,
2053                             "slot time", capinfo);
2054                         return;
2055                 }
2056                 rate = ieee80211_setup_rates(ni, rates, xrates,
2057                                 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE |
2058                                 IEEE80211_F_DONEGO | IEEE80211_F_DODEL);
2059                 if (rate & IEEE80211_RATE_BASIC) {
2060                         ratesetmismatch(ni, wh, reassoc, resp, "legacy", rate);
2061                         vap->iv_stats.is_rx_assoc_norate++;
2062                         return;
2063                 }
2064                 /*
2065                  * If constrained to 11g-only stations reject an
2066                  * 11b-only station.  We cheat a bit here by looking
2067                  * at the max negotiated xmit rate and assuming anyone
2068                  * with a best rate <24Mb/s is an 11b station.
2069                  */
2070                 if ((vap->iv_flags & IEEE80211_F_PUREG) && rate < 48) {
2071                         ratesetmismatch(ni, wh, reassoc, resp, "11g", rate);
2072                         vap->iv_stats.is_rx_assoc_norate++;
2073                         return;
2074                 }
2075                 /*
2076                  * Do HT rate set handling and setup HT node state.
2077                  */
2078                 ni->ni_chan = vap->iv_bss->ni_chan;
2079                 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) {
2080                         rate = ieee80211_setup_htrates(ni, htcap,
2081                                 IEEE80211_F_DOFMCS | IEEE80211_F_DONEGO |
2082                                 IEEE80211_F_DOBRS);
2083                         if (rate & IEEE80211_RATE_BASIC) {
2084                                 ratesetmismatch(ni, wh, reassoc, resp,
2085                                     "HT", rate);
2086                                 vap->iv_stats.is_ht_assoc_norate++;
2087                                 return;
2088                         }
2089                         ieee80211_ht_node_init(ni);
2090                         ieee80211_ht_updatehtcap(ni, htcap);
2091                 } else if (ni->ni_flags & IEEE80211_NODE_HT)
2092                         ieee80211_ht_node_cleanup(ni);
2093 #ifdef IEEE80211_SUPPORT_SUPERG
2094                 else if (ni->ni_ath_flags & IEEE80211_NODE_ATH)
2095                         ieee80211_ff_node_cleanup(ni);
2096 #endif
2097                 /*
2098                  * Allow AMPDU operation only with unencrypted traffic
2099                  * or AES-CCM; the 11n spec only specifies these ciphers
2100                  * so permitting any others is undefined and can lead
2101                  * to interoperability problems.
2102                  */
2103                 if ((ni->ni_flags & IEEE80211_NODE_HT) &&
2104                     (((vap->iv_flags & IEEE80211_F_WPA) &&
2105                       rsnparms.rsn_ucastcipher != IEEE80211_CIPHER_AES_CCM) ||
2106                      (vap->iv_flags & (IEEE80211_F_WPA|IEEE80211_F_PRIVACY)) == IEEE80211_F_PRIVACY)) {
2107                         IEEE80211_NOTE(vap,
2108                             IEEE80211_MSG_ASSOC | IEEE80211_MSG_11N, ni,
2109                             "disallow HT use because WEP or TKIP requested, "
2110                             "capinfo 0x%x ucastcipher %d", capinfo,
2111                             rsnparms.rsn_ucastcipher);
2112                         ieee80211_ht_node_cleanup(ni);
2113                         vap->iv_stats.is_ht_assoc_downgrade++;
2114                 }
2115                 /*
2116                  * If constrained to 11n-only stations reject legacy stations.
2117                  */
2118                 if ((vap->iv_flags_ht & IEEE80211_FHT_PUREN) &&
2119                     (ni->ni_flags & IEEE80211_NODE_HT) == 0) {
2120                         htcapmismatch(ni, wh, reassoc, resp);
2121                         vap->iv_stats.is_ht_assoc_nohtcap++;
2122                         return;
2123                 }
2124                 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
2125                 ni->ni_noise = nf;
2126                 ni->ni_intval = lintval;
2127                 ni->ni_capinfo = capinfo;
2128                 ni->ni_fhdwell = vap->iv_bss->ni_fhdwell;
2129                 ni->ni_fhindex = vap->iv_bss->ni_fhindex;
2130                 /*
2131                  * Store the IEs.
2132                  * XXX maybe better to just expand
2133                  */
2134                 if (ieee80211_ies_init(&ni->ni_ies, sfrm, efrm - sfrm)) {
2135 #define setie(_ie, _off)        ieee80211_ies_setie(ni->ni_ies, _ie, _off)
2136                         if (wpa != NULL)
2137                                 setie(wpa_ie, wpa - sfrm);
2138                         if (rsn != NULL)
2139                                 setie(rsn_ie, rsn - sfrm);
2140                         if (htcap != NULL)
2141                                 setie(htcap_ie, htcap - sfrm);
2142                         if (wme != NULL) {
2143                                 setie(wme_ie, wme - sfrm);
2144                                 /*
2145                                  * Mark node as capable of QoS.
2146                                  */
2147                                 ni->ni_flags |= IEEE80211_NODE_QOS;
2148                         } else
2149                                 ni->ni_flags &= ~IEEE80211_NODE_QOS;
2150 #ifdef IEEE80211_SUPPORT_SUPERG
2151                         if (ath != NULL) {
2152                                 setie(ath_ie, ath - sfrm);
2153                                 /* 
2154                                  * Parse ATH station parameters.
2155                                  */
2156                                 ieee80211_parse_ath(ni, ni->ni_ies.ath_ie);
2157                         } else
2158 #endif
2159                                 ni->ni_ath_flags = 0;
2160 #undef setie
2161                 } else {
2162                         ni->ni_flags &= ~IEEE80211_NODE_QOS;
2163                         ni->ni_ath_flags = 0;
2164                 }
2165                 ieee80211_node_join(ni, resp);
2166                 ieee80211_deliver_l2uf(ni);
2167                 break;
2168         }
2169
2170         case IEEE80211_FC0_SUBTYPE_DEAUTH:
2171         case IEEE80211_FC0_SUBTYPE_DISASSOC: {
2172                 uint16_t reason;
2173
2174                 if (vap->iv_state != IEEE80211_S_RUN ||
2175                     /* NB: can happen when in promiscuous mode */
2176                     !IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) {
2177                         vap->iv_stats.is_rx_mgtdiscard++;
2178                         break;
2179                 }
2180                 /*
2181                  * deauth/disassoc frame format
2182                  *      [2] reason
2183                  */
2184                 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return);
2185                 reason = le16toh(*(uint16_t *)frm);
2186                 if (subtype == IEEE80211_FC0_SUBTYPE_DEAUTH) {
2187                         vap->iv_stats.is_rx_deauth++;
2188                         IEEE80211_NODE_STAT(ni, rx_deauth);
2189                 } else {
2190                         vap->iv_stats.is_rx_disassoc++;
2191                         IEEE80211_NODE_STAT(ni, rx_disassoc);
2192                 }
2193                 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni,
2194                     "recv %s (reason %d)", ieee80211_mgt_subtype_name[subtype >>
2195                         IEEE80211_FC0_SUBTYPE_SHIFT], reason);
2196                 if (ni != vap->iv_bss)
2197                         ieee80211_node_leave(ni);
2198                 break;
2199         }
2200
2201         case IEEE80211_FC0_SUBTYPE_ACTION:
2202         case IEEE80211_FC0_SUBTYPE_ACTION_NOACK:
2203                 if (ni == vap->iv_bss) {
2204                         IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
2205                             wh, NULL, "%s", "unknown node");
2206                         vap->iv_stats.is_rx_mgtdiscard++;
2207                 } else if (!IEEE80211_ADDR_EQ(vap->iv_myaddr, wh->i_addr1) &&
2208                     !IEEE80211_IS_MULTICAST(wh->i_addr1)) {
2209                         IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
2210                             wh, NULL, "%s", "not for us");
2211                         vap->iv_stats.is_rx_mgtdiscard++;
2212                 } else if (vap->iv_state != IEEE80211_S_RUN) {
2213                         IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
2214                             wh, NULL, "wrong state %s",
2215                             ieee80211_state_name[vap->iv_state]);
2216                         vap->iv_stats.is_rx_mgtdiscard++;
2217                 } else {
2218                         if (ieee80211_parse_action(ni, m0) == 0)
2219                                 (void)ic->ic_recv_action(ni, wh, frm, efrm);
2220                 }
2221                 break;
2222
2223         case IEEE80211_FC0_SUBTYPE_ASSOC_RESP:
2224         case IEEE80211_FC0_SUBTYPE_REASSOC_RESP:
2225         case IEEE80211_FC0_SUBTYPE_ATIM:
2226                 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
2227                     wh, NULL, "%s", "not handled");
2228                 vap->iv_stats.is_rx_mgtdiscard++;
2229                 break;
2230
2231         default:
2232                 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
2233                     wh, "mgt", "subtype 0x%x not handled", subtype);
2234                 vap->iv_stats.is_rx_badsubtype++;
2235                 break;
2236         }
2237 }
2238
2239 static void
2240 hostap_recv_ctl(struct ieee80211_node *ni, struct mbuf *m, int subtype)
2241 {
2242         switch (subtype) {
2243         case IEEE80211_FC0_SUBTYPE_PS_POLL:
2244                 ni->ni_vap->iv_recv_pspoll(ni, m);
2245                 break;
2246         case IEEE80211_FC0_SUBTYPE_BAR:
2247                 ieee80211_recv_bar(ni, m);
2248                 break;
2249         }
2250 }
2251
2252 /*
2253  * Process a received ps-poll frame.
2254  */
2255 void
2256 ieee80211_recv_pspoll(struct ieee80211_node *ni, struct mbuf *m0)
2257 {
2258         struct ieee80211vap *vap = ni->ni_vap;
2259         struct ieee80211com *ic = vap->iv_ic;
2260         struct ieee80211_frame_min *wh;
2261         struct mbuf *m;
2262         uint16_t aid;
2263         int qlen;
2264
2265         wh = mtod(m0, struct ieee80211_frame_min *);
2266         if (ni->ni_associd == 0) {
2267                 IEEE80211_DISCARD(vap,
2268                     IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG,
2269                     (struct ieee80211_frame *) wh, NULL,
2270                     "%s", "unassociated station");
2271                 vap->iv_stats.is_ps_unassoc++;
2272                 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DEAUTH,
2273                         IEEE80211_REASON_NOT_ASSOCED);
2274                 return;
2275         }
2276
2277         aid = le16toh(*(uint16_t *)wh->i_dur);
2278         if (aid != ni->ni_associd) {
2279                 IEEE80211_DISCARD(vap,
2280                     IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG,
2281                     (struct ieee80211_frame *) wh, NULL,
2282                     "aid mismatch: sta aid 0x%x poll aid 0x%x",
2283                     ni->ni_associd, aid);
2284                 vap->iv_stats.is_ps_badaid++;
2285                 /*
2286                  * NB: We used to deauth the station but it turns out
2287                  * the Blackberry Curve 8230 (and perhaps other devices) 
2288                  * sometimes send the wrong AID when WME is negotiated.
2289                  * Being more lenient here seems ok as we already check
2290                  * the station is associated and we only return frames
2291                  * queued for the station (i.e. we don't use the AID).
2292                  */
2293                 return;
2294         }
2295
2296         /* Okay, take the first queued packet and put it out... */
2297         m = ieee80211_node_psq_dequeue(ni, &qlen);
2298         if (m == NULL) {
2299                 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_POWER, wh->i_addr2,
2300                     "%s", "recv ps-poll, but queue empty");
2301                 ieee80211_send_nulldata(ieee80211_ref_node(ni));
2302                 vap->iv_stats.is_ps_qempty++;   /* XXX node stat */
2303                 if (vap->iv_set_tim != NULL)
2304                         vap->iv_set_tim(ni, 0); /* just in case */
2305                 return;
2306         }
2307         /* 
2308          * If there are more packets, set the more packets bit
2309          * in the packet dispatched to the station; otherwise
2310          * turn off the TIM bit.
2311          */
2312         if (qlen != 0) {
2313                 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni,
2314                     "recv ps-poll, send packet, %u still queued", qlen);
2315                 m->m_flags |= M_MORE_DATA;
2316         } else {
2317                 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni,
2318                     "%s", "recv ps-poll, send packet, queue empty");
2319                 if (vap->iv_set_tim != NULL)
2320                         vap->iv_set_tim(ni, 0);
2321         }
2322         m->m_flags |= M_PWR_SAV;                /* bypass PS handling */
2323
2324         /*
2325          * Do the right thing; if it's an encap'ed frame then
2326          * call ieee80211_parent_xmitpkt() (and free the ref) else
2327          * call ieee80211_vap_xmitpkt().
2328          */
2329         if (m->m_flags & M_ENCAP) {
2330                 if (ieee80211_parent_xmitpkt(ic, m) != 0)
2331                         ieee80211_free_node(ni);
2332         } else {
2333                 (void) ieee80211_vap_xmitpkt(vap, m);
2334         }
2335 }
Unnamed repository; edit this file 'description' to name the repository.