sys/netproto/802_11/wlan/ieee80211_hostap.c

   1 /*-
   2  * Copyright (c) 2007-2008 Sam Leffler, Errno Consulting
   3  * All rights reserved.
   4  *
   5  * Redistribution and use in source and binary forms, with or without
   6  * modification, are permitted provided that the following conditions
   7  * are met:
   8  * 1. Redistributions of source code must retain the above copyright
   9  *    notice, this list of conditions and the following disclaimer.
  10  * 2. Redistributions in binary form must reproduce the above copyright
  11  *    notice, this list of conditions and the following disclaimer in the
  12  *    documentation and/or other materials provided with the distribution.
  13  *
  14  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
  15  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  16  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
  17  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
  18  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  19  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  20  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  21  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  23  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  24  */
  25
  26 #include <sys/cdefs.h>
  27 #ifdef __FreeBSD__
  28 __FBSDID("$FreeBSD$");
  29 #endif
  30
  31 /*
  32  * IEEE 802.11 HOSTAP mode support.
  33  */
  34 #include "opt_inet.h"
  35 #include "opt_wlan.h"
  36
  37 #include <sys/param.h>
  38 #include <sys/systm.h>
  39 #include <sys/mbuf.h>
  40 #include <sys/malloc.h>
  41 #include <sys/kernel.h>
  42
  43 #include <sys/socket.h>
  44 #include <sys/sockio.h>
  45 #include <sys/endian.h>
  46 #include <sys/errno.h>
  47 #include <sys/proc.h>
  48 #include <sys/sysctl.h>
  49
  50 #include <net/if.h>
  51 #include <net/if_var.h>
  52 #include <net/if_media.h>
  53 #include <net/if_llc.h>
  54 #include <net/ethernet.h>
  55
  56 #include <net/bpf.h>
  57
  58 #include <netproto/802_11/ieee80211_var.h>
  59 #include <netproto/802_11/ieee80211_hostap.h>
  60 #include <netproto/802_11/ieee80211_input.h>
  61 #ifdef IEEE80211_SUPPORT_SUPERG
  62 #include <netproto/802_11/ieee80211_superg.h>
  63 #endif
  64 #include <netproto/802_11/ieee80211_wds.h>
  65
  66 #define IEEE80211_RATE2MBS(r)   (((r) & IEEE80211_RATE_VAL) / 2)
  67
  68 static  void hostap_vattach(struct ieee80211vap *);
  69 static  int hostap_newstate(struct ieee80211vap *, enum ieee80211_state, int);
  70 static  int hostap_input(struct ieee80211_node *ni, struct mbuf *m,
  71             const struct ieee80211_rx_stats *,
  72             int rssi, int nf);
  73 static void hostap_deliver_data(struct ieee80211vap *,
  74             struct ieee80211_node *, struct mbuf *);
  75 static void hostap_recv_mgmt(struct ieee80211_node *, struct mbuf *,
  76             int subtype, const struct ieee80211_rx_stats *rxs, int rssi, int nf);
  77 static void hostap_recv_ctl(struct ieee80211_node *, struct mbuf *, int);
  78
  79 void
  80 ieee80211_hostap_attach(struct ieee80211com *ic)
  81 {
  82         ic->ic_vattach[IEEE80211_M_HOSTAP] = hostap_vattach;
  83 }
  84
  85 void
  86 ieee80211_hostap_detach(struct ieee80211com *ic)
  87 {
  88 }
  89
  90 static void
  91 hostap_vdetach(struct ieee80211vap *vap)
  92 {
  93 }
  94
  95 static void
  96 hostap_vattach(struct ieee80211vap *vap)
  97 {
  98         vap->iv_newstate = hostap_newstate;
  99         vap->iv_input = hostap_input;
 100         vap->iv_recv_mgmt = hostap_recv_mgmt;
 101         vap->iv_recv_ctl = hostap_recv_ctl;
 102         vap->iv_opdetach = hostap_vdetach;
 103         vap->iv_deliver_data = hostap_deliver_data;
 104         vap->iv_recv_pspoll = ieee80211_recv_pspoll;
 105 }
 106
 107 static void
 108 sta_disassoc(void *arg, struct ieee80211_node *ni)
 109 {
 110         struct ieee80211vap *vap = arg;
 111
 112         if (ni->ni_vap == vap && ni->ni_associd != 0) {
 113                 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DISASSOC,
 114                         IEEE80211_REASON_ASSOC_LEAVE);
 115                 ieee80211_node_leave(ni);
 116         }
 117 }
 118
 119 static void
 120 sta_csa(void *arg, struct ieee80211_node *ni)
 121 {
 122         struct ieee80211vap *vap = arg;
 123
 124         if (ni->ni_vap == vap && ni->ni_associd != 0)
 125                 if (ni->ni_inact > vap->iv_inact_init) {
 126                         ni->ni_inact = vap->iv_inact_init;
 127                         IEEE80211_NOTE(vap, IEEE80211_MSG_INACT, ni,
 128                             "%s: inact %u", __func__, ni->ni_inact);
 129                 }
 130 }
 131
 132 static void
 133 sta_drop(void *arg, struct ieee80211_node *ni)
 134 {
 135         struct ieee80211vap *vap = arg;
 136
 137         if (ni->ni_vap == vap && ni->ni_associd != 0)
 138                 ieee80211_node_leave(ni);
 139 }
 140
 141 /*
 142  * Does a channel change require associated stations to re-associate
 143  * so protocol state is correct.  This is used when doing CSA across
 144  * bands or similar (e.g. HT -> legacy).
 145  */
 146 static int
 147 isbandchange(struct ieee80211com *ic)
 148 {
 149         return ((ic->ic_bsschan->ic_flags ^ ic->ic_csa_newchan->ic_flags) &
 150             (IEEE80211_CHAN_2GHZ | IEEE80211_CHAN_5GHZ | IEEE80211_CHAN_HALF |
 151              IEEE80211_CHAN_QUARTER | IEEE80211_CHAN_HT)) != 0;
 152 }
 153
 154 /*
 155  * IEEE80211_M_HOSTAP vap state machine handler.
 156  */
 157 static int
 158 hostap_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg)
 159 {
 160         struct ieee80211com *ic = vap->iv_ic;
 161         enum ieee80211_state ostate;
 162
 163         IEEE80211_LOCK_ASSERT(ic);
 164
 165         ostate = vap->iv_state;
 166         IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n",
 167             __func__, ieee80211_state_name[ostate],
 168             ieee80211_state_name[nstate], arg);
 169         vap->iv_state = nstate;                 /* state transition */
 170         if (ostate != IEEE80211_S_SCAN)
 171                 ieee80211_cancel_scan(vap);     /* background scan */
 172         switch (nstate) {
 173         case IEEE80211_S_INIT:
 174                 switch (ostate) {
 175                 case IEEE80211_S_SCAN:
 176                         ieee80211_cancel_scan(vap);
 177                         break;
 178                 case IEEE80211_S_CAC:
 179                         ieee80211_dfs_cac_stop(vap);
 180                         break;
 181                 case IEEE80211_S_RUN:
 182                         ieee80211_iterate_nodes(&ic->ic_sta, sta_disassoc, vap);
 183                         break;
 184                 default:
 185                         break;
 186                 }
 187                 if (ostate != IEEE80211_S_INIT) {
 188                         /* NB: optimize INIT -> INIT case */
 189                         ieee80211_reset_bss(vap);
 190                 }
 191                 if (vap->iv_auth->ia_detach != NULL)
 192                         vap->iv_auth->ia_detach(vap);
 193                 break;
 194         case IEEE80211_S_SCAN:
 195                 switch (ostate) {
 196                 case IEEE80211_S_CSA:
 197                 case IEEE80211_S_RUN:
 198                         ieee80211_iterate_nodes(&ic->ic_sta, sta_disassoc, vap);
 199                         /*
 200                          * Clear overlapping BSS state; the beacon frame
 201                          * will be reconstructed on transition to the RUN
 202                          * state and the timeout routines check if the flag
 203                          * is set before doing anything so this is sufficient.
 204                          */
 205                         ic->ic_flags_ext &= ~IEEE80211_FEXT_NONERP_PR;
 206                         ic->ic_flags_ht &= ~IEEE80211_FHT_NONHT_PR;
 207                         /* fall thru... */
 208                 case IEEE80211_S_CAC:
 209                         /*
 210                          * NB: We may get here because of a manual channel
 211                          *     change in which case we need to stop CAC
 212                          * XXX no need to stop if ostate RUN but it's ok
 213                          */
 214                         ieee80211_dfs_cac_stop(vap);
 215                         /* fall thru... */
 216                 case IEEE80211_S_INIT:
 217                         if (vap->iv_des_chan != IEEE80211_CHAN_ANYC &&
 218                             !IEEE80211_IS_CHAN_RADAR(vap->iv_des_chan)) {
 219                                 /*
 220                                  * Already have a channel; bypass the
 221                                  * scan and startup immediately.
 222                                  * ieee80211_create_ibss will call back to
 223                                  * move us to RUN state.
 224                                  */
 225                                 ieee80211_create_ibss(vap, vap->iv_des_chan);
 226                                 break;
 227                         }
 228                         /*
 229                          * Initiate a scan.  We can come here as a result
 230                          * of an IEEE80211_IOC_SCAN_REQ too in which case
 231                          * the vap will be marked with IEEE80211_FEXT_SCANREQ
 232                          * and the scan request parameters will be present
 233                          * in iv_scanreq.  Otherwise we do the default.
 234                          */
 235                         if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) {
 236                                 ieee80211_check_scan(vap,
 237                                     vap->iv_scanreq_flags,
 238                                     vap->iv_scanreq_duration,
 239                                     vap->iv_scanreq_mindwell,
 240                                     vap->iv_scanreq_maxdwell,
 241                                     vap->iv_scanreq_nssid, vap->iv_scanreq_ssid);
 242                                 vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ;
 243                         } else
 244                                 ieee80211_check_scan_current(vap);
 245                         break;
 246                 case IEEE80211_S_SCAN:
 247                         /*
 248                          * A state change requires a reset; scan.
 249                          */
 250                         ieee80211_check_scan_current(vap);
 251                         break;
 252                 default:
 253                         break;
 254                 }
 255                 break;
 256         case IEEE80211_S_CAC:
 257                 /*
 258                  * Start CAC on a DFS channel.  We come here when starting
 259                  * a bss on a DFS channel (see ieee80211_create_ibss).
 260                  */
 261                 ieee80211_dfs_cac_start(vap);
 262                 break;
 263         case IEEE80211_S_RUN:
 264                 if (vap->iv_flags & IEEE80211_F_WPA) {
 265                         /* XXX validate prerequisites */
 266                 }
 267                 switch (ostate) {
 268                 case IEEE80211_S_INIT:
 269                         /*
 270                          * Already have a channel; bypass the
 271                          * scan and startup immediately.
 272                          * Note that ieee80211_create_ibss will call
 273                          * back to do a RUN->RUN state change.
 274                          */
 275                         ieee80211_create_ibss(vap,
 276                             ieee80211_ht_adjust_channel(ic,
 277                                 ic->ic_curchan, vap->iv_flags_ht));
 278                         /* NB: iv_bss is changed on return */
 279                         break;
 280                 case IEEE80211_S_CAC:
 281                         /*
 282                          * NB: This is the normal state change when CAC
 283                          * expires and no radar was detected; no need to
 284                          * clear the CAC timer as it's already expired.
 285                          */
 286                         /* fall thru... */
 287                 case IEEE80211_S_CSA:
 288                         /*
 289                          * Shorten inactivity timer of associated stations
 290                          * to weed out sta's that don't follow a CSA.
 291                          */
 292                         ieee80211_iterate_nodes(&ic->ic_sta, sta_csa, vap);
 293                         /*
 294                          * Update bss node channel to reflect where
 295                          * we landed after CSA.
 296                          */
 297                         ieee80211_node_set_chan(vap->iv_bss,
 298                             ieee80211_ht_adjust_channel(ic, ic->ic_curchan,
 299                                 ieee80211_htchanflags(vap->iv_bss->ni_chan)));
 300                         /* XXX bypass debug msgs */
 301                         break;
 302                 case IEEE80211_S_SCAN:
 303                 case IEEE80211_S_RUN:
 304 #ifdef IEEE80211_DEBUG
 305                         if (ieee80211_msg_debug(vap)) {
 306                                 struct ieee80211_node *ni = vap->iv_bss;
 307                                 ieee80211_note(vap,
 308                                     "synchronized with %s ssid ",
 309                                     ether_sprintf(ni->ni_bssid));
 310                                 ieee80211_print_essid(ni->ni_essid,
 311                                     ni->ni_esslen);
 312                                 /* XXX MCS/HT */
 313                                 kprintf(" channel %d start %uMb\n",
 314                                     ieee80211_chan2ieee(ic, ic->ic_curchan),
 315                                     IEEE80211_RATE2MBS(ni->ni_txrate));
 316                         }
 317 #endif
 318                         break;
 319                 default:
 320                         break;
 321                 }
 322                 /*
 323                  * Start/stop the authenticator.  We delay until here
 324                  * to allow configuration to happen out of order.
 325                  */
 326                 if (vap->iv_auth->ia_attach != NULL) {
 327                         /* XXX check failure */
 328                         vap->iv_auth->ia_attach(vap);
 329                 } else if (vap->iv_auth->ia_detach != NULL) {
 330                         vap->iv_auth->ia_detach(vap);
 331                 }
 332                 ieee80211_node_authorize(vap->iv_bss);
 333                 break;
 334         case IEEE80211_S_CSA:
 335                 if (ostate == IEEE80211_S_RUN && isbandchange(ic)) {
 336                         /*
 337                          * On a ``band change'' silently drop associated
 338                          * stations as they must re-associate before they
 339                          * can pass traffic (as otherwise protocol state
 340                          * such as capabilities and the negotiated rate
 341                          * set may/will be wrong).
 342                          */
 343                         ieee80211_iterate_nodes(&ic->ic_sta, sta_drop, vap);
 344                 }
 345                 break;
 346         default:
 347                 break;
 348         }
 349         return 0;
 350 }
 351
 352 static void
 353 hostap_deliver_data(struct ieee80211vap *vap,
 354         struct ieee80211_node *ni, struct mbuf *m)
 355 {
 356         struct ether_header *eh = mtod(m, struct ether_header *);
 357         struct ifnet *ifp = vap->iv_ifp;
 358
 359         /* clear driver/net80211 flags before passing up */
 360 #if defined(__DragonFly__)
 361         m->m_flags &= ~(M_80211_RX | M_MCAST | M_BCAST);
 362 #else
 363         m->m_flags &= ~(M_MCAST | M_BCAST);
 364         m_clrprotoflags(m);
 365 #endif
 366
 367         KASSERT(vap->iv_opmode == IEEE80211_M_HOSTAP,
 368             ("gack, opmode %d", vap->iv_opmode));
 369         /*
 370          * Do accounting.
 371          */
 372         if_inc_counter(ifp, IFCOUNTER_IPACKETS, 1);
 373         IEEE80211_NODE_STAT(ni, rx_data);
 374         IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len);
 375         if (ETHER_IS_MULTICAST(eh->ether_dhost)) {
 376                 m->m_flags |= M_MCAST;          /* XXX M_BCAST? */
 377                 IEEE80211_NODE_STAT(ni, rx_mcast);
 378         } else
 379                 IEEE80211_NODE_STAT(ni, rx_ucast);
 380
 381         /* perform as a bridge within the AP */
 382         if ((vap->iv_flags & IEEE80211_F_NOBRIDGE) == 0) {
 383                 struct mbuf *mcopy = NULL;
 384
 385                 if (m->m_flags & M_MCAST) {
 386                         mcopy = m_dup(m, M_NOWAIT);
 387                         if (mcopy == NULL)
 388                                 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1);
 389                         else
 390                                 mcopy->m_flags |= M_MCAST;
 391                 } else {
 392                         /*
 393                          * Check if the destination is associated with the
 394                          * same vap and authorized to receive traffic.
 395                          * Beware of traffic destined for the vap itself;
 396                          * sending it will not work; just let it be delivered
 397                          * normally.
 398                          */
 399                         struct ieee80211_node *sta = ieee80211_find_vap_node(
 400                              &vap->iv_ic->ic_sta, vap, eh->ether_dhost);
 401                         if (sta != NULL) {
 402                                 if (ieee80211_node_is_authorized(sta)) {
 403                                         /*
 404                                          * Beware of sending to ourself; this
 405                                          * needs to happen via the normal
 406                                          * input path.
 407                                          */
 408                                         if (sta != vap->iv_bss) {
 409                                                 mcopy = m;
 410                                                 m = NULL;
 411                                         }
 412                                 } else {
 413                                         vap->iv_stats.is_rx_unauth++;
 414                                         IEEE80211_NODE_STAT(sta, rx_unauth);
 415                                 }
 416                                 ieee80211_free_node(sta);
 417                         }
 418                 }
 419                 if (mcopy != NULL) {
 420                         int len, err;
 421                         len = mcopy->m_pkthdr.len;
 422                         err = ieee80211_vap_xmitpkt(vap, mcopy);
 423                         if (err) {
 424                                 /* NB: IFQ_HANDOFF reclaims mcopy */
 425                         } else {
 426                                 if_inc_counter(ifp, IFCOUNTER_OPACKETS, 1);
 427                         }
 428                 }
 429         }
 430         if (m != NULL) {
 431                 /*
 432                  * Mark frame as coming from vap's interface.
 433                  */
 434                 m->m_pkthdr.rcvif = ifp;
 435                 if (m->m_flags & M_MCAST) {
 436                         /*
 437                          * Spam DWDS vap's w/ multicast traffic.
 438                          */
 439                         /* XXX only if dwds in use? */
 440                         ieee80211_dwds_mcast(vap, m);
 441                 }
 442                 if (ni->ni_vlan != 0) {
 443                         /* attach vlan tag */
 444 #if defined(__DragonFly__)
 445                         /* XXX ntohs() needed? */
 446                         m->m_pkthdr.ether_vlantag = ni->ni_vlan;
 447 #else
 448                         m->m_pkthdr.ether_vtag = ni->ni_vlan;
 449 #endif
 450                         m->m_flags |= M_VLANTAG;
 451                 }
 452 #if defined(__DragonFly__)
 453                 ifp->if_input(ifp, m, NULL, -1);
 454 #else
 455                 ifp->if_input(ifp, m);
 456 #endif
 457         }
 458 }
 459
 460 /*
 461  * Decide if a received management frame should be
 462  * printed when debugging is enabled.  This filters some
 463  * of the less interesting frames that come frequently
 464  * (e.g. beacons).
 465  */
 466 static __inline int
 467 doprint(struct ieee80211vap *vap, int subtype)
 468 {
 469         switch (subtype) {
 470         case IEEE80211_FC0_SUBTYPE_BEACON:
 471                 return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN);
 472         case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
 473                 return 0;
 474         }
 475         return 1;
 476 }
 477
 478 /*
 479  * Process a received frame.  The node associated with the sender
 480  * should be supplied.  If nothing was found in the node table then
 481  * the caller is assumed to supply a reference to iv_bss instead.
 482  * The RSSI and a timestamp are also supplied.  The RSSI data is used
 483  * during AP scanning to select a AP to associate with; it can have
 484  * any units so long as values have consistent units and higher values
 485  * mean ``better signal''.  The receive timestamp is currently not used
 486  * by the 802.11 layer.
 487  */
 488 static int
 489 hostap_input(struct ieee80211_node *ni, struct mbuf *m,
 490     const struct ieee80211_rx_stats *rxs, int rssi, int nf)
 491 {
 492         struct ieee80211vap *vap = ni->ni_vap;
 493         struct ieee80211com *ic = ni->ni_ic;
 494         struct ifnet *ifp = vap->iv_ifp;
 495         struct ieee80211_frame *wh;
 496         struct ieee80211_key *key;
 497         struct ether_header *eh;
 498         int hdrspace, need_tap = 1;     /* mbuf need to be tapped. */
 499         uint8_t dir, type, subtype, qos;
 500         uint8_t *bssid;
 501
 502         if (m->m_flags & M_AMPDU_MPDU) {
 503                 /*
 504                  * Fastpath for A-MPDU reorder q resubmission.  Frames
 505                  * w/ M_AMPDU_MPDU marked have already passed through
 506                  * here but were received out of order and been held on
 507                  * the reorder queue.  When resubmitted they are marked
 508                  * with the M_AMPDU_MPDU flag and we can bypass most of
 509                  * the normal processing.
 510                  */
 511                 wh = mtod(m, struct ieee80211_frame *);
 512                 type = IEEE80211_FC0_TYPE_DATA;
 513                 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
 514                 subtype = IEEE80211_FC0_SUBTYPE_QOS;
 515                 hdrspace = ieee80211_hdrspace(ic, wh);  /* XXX optimize? */
 516                 goto resubmit_ampdu;
 517         }
 518
 519         KASSERT(ni != NULL, ("null node"));
 520         ni->ni_inact = ni->ni_inact_reload;
 521
 522         type = -1;                      /* undefined */
 523
 524         if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) {
 525                 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
 526                     ni->ni_macaddr, NULL,
 527                     "too short (1): len %u", m->m_pkthdr.len);
 528                 vap->iv_stats.is_rx_tooshort++;
 529                 goto out;
 530         }
 531         /*
 532          * Bit of a cheat here, we use a pointer for a 3-address
 533          * frame format but don't reference fields past outside
 534          * ieee80211_frame_min w/o first validating the data is
 535          * present.
 536          */
 537         wh = mtod(m, struct ieee80211_frame *);
 538
 539         if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) !=
 540             IEEE80211_FC0_VERSION_0) {
 541                 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
 542                     ni->ni_macaddr, NULL, "wrong version, fc %02x:%02x",
 543                     wh->i_fc[0], wh->i_fc[1]);
 544                 vap->iv_stats.is_rx_badversion++;
 545                 goto err;
 546         }
 547
 548         dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
 549         type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
 550         subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
 551         if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) {
 552                 if (dir != IEEE80211_FC1_DIR_NODS)
 553                         bssid = wh->i_addr1;
 554                 else if (type == IEEE80211_FC0_TYPE_CTL)
 555                         bssid = wh->i_addr1;
 556                 else {
 557                         if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
 558                                 IEEE80211_DISCARD_MAC(vap,
 559                                     IEEE80211_MSG_ANY, ni->ni_macaddr,
 560                                     NULL, "too short (2): len %u",
 561                                     m->m_pkthdr.len);
 562                                 vap->iv_stats.is_rx_tooshort++;
 563                                 goto out;
 564                         }
 565                         bssid = wh->i_addr3;
 566                 }
 567                 /*
 568                  * Validate the bssid.
 569                  */
 570                 if (!(type == IEEE80211_FC0_TYPE_MGT &&
 571                       subtype == IEEE80211_FC0_SUBTYPE_BEACON) &&
 572                     !IEEE80211_ADDR_EQ(bssid, vap->iv_bss->ni_bssid) &&
 573                     !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) {
 574                         /* not interested in */
 575                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
 576                             bssid, NULL, "%s", "not to bss");
 577                         vap->iv_stats.is_rx_wrongbss++;
 578                         goto out;
 579                 }
 580
 581                 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
 582                 ni->ni_noise = nf;
 583                 if (IEEE80211_HAS_SEQ(type, subtype)) {
 584                         uint8_t tid = ieee80211_gettid(wh);
 585                         if (IEEE80211_QOS_HAS_SEQ(wh) &&
 586                             TID_TO_WME_AC(tid) >= WME_AC_VI)
 587                                 ic->ic_wme.wme_hipri_traffic++;
 588                         if (! ieee80211_check_rxseq(ni, wh, bssid))
 589                                 goto out;
 590                 }
 591         }
 592
 593         switch (type) {
 594         case IEEE80211_FC0_TYPE_DATA:
 595                 hdrspace = ieee80211_hdrspace(ic, wh);
 596                 if (m->m_len < hdrspace &&
 597                     (m = m_pullup(m, hdrspace)) == NULL) {
 598                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
 599                             ni->ni_macaddr, NULL,
 600                             "data too short: expecting %u", hdrspace);
 601                         vap->iv_stats.is_rx_tooshort++;
 602                         goto out;               /* XXX */
 603                 }
 604                 if (!(dir == IEEE80211_FC1_DIR_TODS ||
 605                      (dir == IEEE80211_FC1_DIR_DSTODS &&
 606                       (vap->iv_flags & IEEE80211_F_DWDS)))) {
 607                         if (dir != IEEE80211_FC1_DIR_DSTODS) {
 608                                 IEEE80211_DISCARD(vap,
 609                                     IEEE80211_MSG_INPUT, wh, "data",
 610                                     "incorrect dir 0x%x", dir);
 611                         } else {
 612                                 IEEE80211_DISCARD(vap,
 613                                     IEEE80211_MSG_INPUT |
 614                                     IEEE80211_MSG_WDS, wh,
 615                                     "4-address data",
 616                                     "%s", "DWDS not enabled");
 617                         }
 618                         vap->iv_stats.is_rx_wrongdir++;
 619                         goto out;
 620                 }
 621                 /* check if source STA is associated */
 622                 if (ni == vap->iv_bss) {
 623                         IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
 624                             wh, "data", "%s", "unknown src");
 625                         ieee80211_send_error(ni, wh->i_addr2,
 626                             IEEE80211_FC0_SUBTYPE_DEAUTH,
 627                             IEEE80211_REASON_NOT_AUTHED);
 628                         vap->iv_stats.is_rx_notassoc++;
 629                         goto err;
 630                 }
 631                 if (ni->ni_associd == 0) {
 632                         IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
 633                             wh, "data", "%s", "unassoc src");
 634                         IEEE80211_SEND_MGMT(ni,
 635                             IEEE80211_FC0_SUBTYPE_DISASSOC,
 636                             IEEE80211_REASON_NOT_ASSOCED);
 637                         vap->iv_stats.is_rx_notassoc++;
 638                         goto err;
 639                 }
 640
 641                 /*
 642                  * Check for power save state change.
 643                  * XXX out-of-order A-MPDU frames?
 644                  */
 645                 if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^
 646                     (ni->ni_flags & IEEE80211_NODE_PWR_MGT)))
 647                         vap->iv_node_ps(ni,
 648                                 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT);
 649                 /*
 650                  * For 4-address packets handle WDS discovery
 651                  * notifications.  Once a WDS link is setup frames
 652                  * are just delivered to the WDS vap (see below).
 653                  */
 654                 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap == NULL) {
 655                         if (!ieee80211_node_is_authorized(ni)) {
 656                                 IEEE80211_DISCARD(vap,
 657                                     IEEE80211_MSG_INPUT |
 658                                     IEEE80211_MSG_WDS, wh,
 659                                     "4-address data",
 660                                     "%s", "unauthorized port");
 661                                 vap->iv_stats.is_rx_unauth++;
 662                                 IEEE80211_NODE_STAT(ni, rx_unauth);
 663                                 goto err;
 664                         }
 665                         ieee80211_dwds_discover(ni, m);
 666                         return type;
 667                 }
 668
 669                 /*
 670                  * Handle A-MPDU re-ordering.  If the frame is to be
 671                  * processed directly then ieee80211_ampdu_reorder
 672                  * will return 0; otherwise it has consumed the mbuf
 673                  * and we should do nothing more with it.
 674                  */
 675                 if ((m->m_flags & M_AMPDU) &&
 676                     ieee80211_ampdu_reorder(ni, m) != 0) {
 677                         m = NULL;
 678                         goto out;
 679                 }
 680         resubmit_ampdu:
 681
 682                 /*
 683                  * Handle privacy requirements.  Note that we
 684                  * must not be preempted from here until after
 685                  * we (potentially) call ieee80211_crypto_demic;
 686                  * otherwise we may violate assumptions in the
 687                  * crypto cipher modules used to do delayed update
 688                  * of replay sequence numbers.
 689                  */
 690                 if (wh->i_fc[1] & IEEE80211_FC1_PROTECTED) {
 691                         if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
 692                                 /*
 693                                  * Discard encrypted frames when privacy is off.
 694                                  */
 695                                 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
 696                                     wh, "WEP", "%s", "PRIVACY off");
 697                                 vap->iv_stats.is_rx_noprivacy++;
 698                                 IEEE80211_NODE_STAT(ni, rx_noprivacy);
 699                                 goto out;
 700                         }
 701                         key = ieee80211_crypto_decap(ni, m, hdrspace);
 702                         if (key == NULL) {
 703                                 /* NB: stats+msgs handled in crypto_decap */
 704                                 IEEE80211_NODE_STAT(ni, rx_wepfail);
 705                                 goto out;
 706                         }
 707                         wh = mtod(m, struct ieee80211_frame *);
 708                         wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED;
 709                 } else {
 710                         /* XXX M_WEP and IEEE80211_F_PRIVACY */
 711                         key = NULL;
 712                 }
 713
 714                 /*
 715                  * Save QoS bits for use below--before we strip the header.
 716                  */
 717                 if (subtype == IEEE80211_FC0_SUBTYPE_QOS) {
 718                         qos = (dir == IEEE80211_FC1_DIR_DSTODS) ?
 719                             ((struct ieee80211_qosframe_addr4 *)wh)->i_qos[0] :
 720                             ((struct ieee80211_qosframe *)wh)->i_qos[0];
 721                 } else
 722                         qos = 0;
 723
 724                 /*
 725                  * Next up, any fragmentation.
 726                  */
 727                 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
 728                         m = ieee80211_defrag(ni, m, hdrspace);
 729                         if (m == NULL) {
 730                                 /* Fragment dropped or frame not complete yet */
 731                                 goto out;
 732                         }
 733                 }
 734                 wh = NULL;              /* no longer valid, catch any uses */
 735
 736                 /*
 737                  * Next strip any MSDU crypto bits.
 738                  */
 739                 if (key != NULL && !ieee80211_crypto_demic(vap, key, m, 0)) {
 740                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
 741                             ni->ni_macaddr, "data", "%s", "demic error");
 742                         vap->iv_stats.is_rx_demicfail++;
 743                         IEEE80211_NODE_STAT(ni, rx_demicfail);
 744                         goto out;
 745                 }
 746                 /* copy to listener after decrypt */
 747                 if (ieee80211_radiotap_active_vap(vap))
 748                         ieee80211_radiotap_rx(vap, m);
 749                 need_tap = 0;
 750                 /*
 751                  * Finally, strip the 802.11 header.
 752                  */
 753                 m = ieee80211_decap(vap, m, hdrspace);
 754                 if (m == NULL) {
 755                         /* XXX mask bit to check for both */
 756                         /* don't count Null data frames as errors */
 757                         if (subtype == IEEE80211_FC0_SUBTYPE_NODATA ||
 758                             subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL)
 759                                 goto out;
 760                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
 761                             ni->ni_macaddr, "data", "%s", "decap error");
 762                         vap->iv_stats.is_rx_decap++;
 763                         IEEE80211_NODE_STAT(ni, rx_decap);
 764                         goto err;
 765                 }
 766                 eh = mtod(m, struct ether_header *);
 767                 if (!ieee80211_node_is_authorized(ni)) {
 768                         /*
 769                          * Deny any non-PAE frames received prior to
 770                          * authorization.  For open/shared-key
 771                          * authentication the port is mark authorized
 772                          * after authentication completes.  For 802.1x
 773                          * the port is not marked authorized by the
 774                          * authenticator until the handshake has completed.
 775                          */
 776                         if (eh->ether_type != htons(ETHERTYPE_PAE)) {
 777                                 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
 778                                     eh->ether_shost, "data",
 779                                     "unauthorized port: ether type 0x%x len %u",
 780                                     eh->ether_type, m->m_pkthdr.len);
 781                                 vap->iv_stats.is_rx_unauth++;
 782                                 IEEE80211_NODE_STAT(ni, rx_unauth);
 783                                 goto err;
 784                         }
 785                 } else {
 786                         /*
 787                          * When denying unencrypted frames, discard
 788                          * any non-PAE frames received without encryption.
 789                          */
 790                         if ((vap->iv_flags & IEEE80211_F_DROPUNENC) &&
 791                             (key == NULL && (m->m_flags & M_WEP) == 0) &&
 792                             eh->ether_type != htons(ETHERTYPE_PAE)) {
 793                                 /*
 794                                  * Drop unencrypted frames.
 795                                  */
 796                                 vap->iv_stats.is_rx_unencrypted++;
 797                                 IEEE80211_NODE_STAT(ni, rx_unencrypted);
 798                                 goto out;
 799                         }
 800                 }
 801                 /* XXX require HT? */
 802                 if (qos & IEEE80211_QOS_AMSDU) {
 803                         m = ieee80211_decap_amsdu(ni, m);
 804                         if (m == NULL)
 805                                 return IEEE80211_FC0_TYPE_DATA;
 806                 } else {
 807 #ifdef IEEE80211_SUPPORT_SUPERG
 808                         m = ieee80211_decap_fastframe(vap, ni, m);
 809                         if (m == NULL)
 810                                 return IEEE80211_FC0_TYPE_DATA;
 811 #endif
 812                 }
 813                 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap != NULL)
 814                         ieee80211_deliver_data(ni->ni_wdsvap, ni, m);
 815                 else
 816                         hostap_deliver_data(vap, ni, m);
 817                 return IEEE80211_FC0_TYPE_DATA;
 818
 819         case IEEE80211_FC0_TYPE_MGT:
 820                 vap->iv_stats.is_rx_mgmt++;
 821                 IEEE80211_NODE_STAT(ni, rx_mgmt);
 822                 if (dir != IEEE80211_FC1_DIR_NODS) {
 823                         IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
 824                             wh, "mgt", "incorrect dir 0x%x", dir);
 825                         vap->iv_stats.is_rx_wrongdir++;
 826                         goto err;
 827                 }
 828                 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
 829                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
 830                             ni->ni_macaddr, "mgt", "too short: len %u",
 831                             m->m_pkthdr.len);
 832                         vap->iv_stats.is_rx_tooshort++;
 833                         goto out;
 834                 }
 835                 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) {
 836                         /* ensure return frames are unicast */
 837                         IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
 838                             wh, NULL, "source is multicast: %s",
 839                             ether_sprintf(wh->i_addr2));
 840                         vap->iv_stats.is_rx_mgtdiscard++;       /* XXX stat */
 841                         goto out;
 842                 }
 843 #ifdef IEEE80211_DEBUG
 844                 if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) ||
 845                     ieee80211_msg_dumppkts(vap)) {
 846                         if_printf(ifp, "received %s from %s rssi %d\n",
 847                             ieee80211_mgt_subtype_name(subtype),
 848                             ether_sprintf(wh->i_addr2), rssi);
 849                 }
 850 #endif
 851                 if (wh->i_fc[1] & IEEE80211_FC1_PROTECTED) {
 852                         if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) {
 853                                 /*
 854                                  * Only shared key auth frames with a challenge
 855                                  * should be encrypted, discard all others.
 856                                  */
 857                                 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
 858                                     wh, NULL,
 859                                     "%s", "WEP set but not permitted");
 860                                 vap->iv_stats.is_rx_mgtdiscard++; /* XXX */
 861                                 goto out;
 862                         }
 863                         if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
 864                                 /*
 865                                  * Discard encrypted frames when privacy is off.
 866                                  */
 867                                 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
 868                                     wh, NULL, "%s", "WEP set but PRIVACY off");
 869                                 vap->iv_stats.is_rx_noprivacy++;
 870                                 goto out;
 871                         }
 872                         hdrspace = ieee80211_hdrspace(ic, wh);
 873                         key = ieee80211_crypto_decap(ni, m, hdrspace);
 874                         if (key == NULL) {
 875                                 /* NB: stats+msgs handled in crypto_decap */
 876                                 goto out;
 877                         }
 878                         wh = mtod(m, struct ieee80211_frame *);
 879                         wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED;
 880                 }
 881                 /*
 882                  * Pass the packet to radiotap before calling iv_recv_mgmt().
 883                  * Otherwise iv_recv_mgmt() might pass another packet to
 884                  * radiotap, resulting in out of order packet captures.
 885                  */
 886                 if (ieee80211_radiotap_active_vap(vap))
 887                         ieee80211_radiotap_rx(vap, m);
 888                 need_tap = 0;
 889                 vap->iv_recv_mgmt(ni, m, subtype, rxs, rssi, nf);
 890                 goto out;
 891
 892         case IEEE80211_FC0_TYPE_CTL:
 893                 vap->iv_stats.is_rx_ctl++;
 894                 IEEE80211_NODE_STAT(ni, rx_ctrl);
 895                 vap->iv_recv_ctl(ni, m, subtype);
 896                 goto out;
 897         default:
 898                 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
 899                     wh, "bad", "frame type 0x%x", type);
 900                 /* should not come here */
 901                 break;
 902         }
 903 err:
 904         if_inc_counter(ifp, IFCOUNTER_IERRORS, 1);
 905 out:
 906         if (m != NULL) {
 907                 if (need_tap && ieee80211_radiotap_active_vap(vap))
 908                         ieee80211_radiotap_rx(vap, m);
 909                 m_freem(m);
 910         }
 911         return type;
 912 }
 913
 914 static void
 915 hostap_auth_open(struct ieee80211_node *ni, struct ieee80211_frame *wh,
 916     int rssi, int nf, uint16_t seq, uint16_t status)
 917 {
 918         struct ieee80211vap *vap = ni->ni_vap;
 919
 920         KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state));
 921
 922         if (ni->ni_authmode == IEEE80211_AUTH_SHARED) {
 923                 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
 924                     ni->ni_macaddr, "open auth",
 925                     "bad sta auth mode %u", ni->ni_authmode);
 926                 vap->iv_stats.is_rx_bad_auth++; /* XXX */
 927                 /*
 928                  * Clear any challenge text that may be there if
 929                  * a previous shared key auth failed and then an
 930                  * open auth is attempted.
 931                  */
 932                 if (ni->ni_challenge != NULL) {
 933                         IEEE80211_FREE(ni->ni_challenge, M_80211_NODE);
 934                         ni->ni_challenge = NULL;
 935                 }
 936                 /* XXX hack to workaround calling convention */
 937                 ieee80211_send_error(ni, wh->i_addr2,
 938                     IEEE80211_FC0_SUBTYPE_AUTH,
 939                     (seq + 1) | (IEEE80211_STATUS_ALG<<16));
 940                 return;
 941         }
 942         if (seq != IEEE80211_AUTH_OPEN_REQUEST) {
 943                 vap->iv_stats.is_rx_bad_auth++;
 944                 return;
 945         }
 946         /* always accept open authentication requests */
 947         if (ni == vap->iv_bss) {
 948                 ni = ieee80211_dup_bss(vap, wh->i_addr2);
 949                 if (ni == NULL)
 950                         return;
 951         } else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0)
 952                 (void) ieee80211_ref_node(ni);
 953         /*
 954          * Mark the node as referenced to reflect that it's
 955          * reference count has been bumped to insure it remains
 956          * after the transaction completes.
 957          */
 958         ni->ni_flags |= IEEE80211_NODE_AREF;
 959         /*
 960          * Mark the node as requiring a valid association id
 961          * before outbound traffic is permitted.
 962          */
 963         ni->ni_flags |= IEEE80211_NODE_ASSOCID;
 964
 965         if (vap->iv_acl != NULL &&
 966             vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) {
 967                 /*
 968                  * When the ACL policy is set to RADIUS we defer the
 969                  * authorization to a user agent.  Dispatch an event,
 970                  * a subsequent MLME call will decide the fate of the
 971                  * station.  If the user agent is not present then the
 972                  * node will be reclaimed due to inactivity.
 973                  */
 974                 IEEE80211_NOTE_MAC(vap,
 975                     IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL, ni->ni_macaddr,
 976                     "%s", "station authentication defered (radius acl)");
 977                 ieee80211_notify_node_auth(ni);
 978         } else {
 979                 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
 980                 IEEE80211_NOTE_MAC(vap,
 981                     IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, ni->ni_macaddr,
 982                     "%s", "station authenticated (open)");
 983                 /*
 984                  * When 802.1x is not in use mark the port
 985                  * authorized at this point so traffic can flow.
 986                  */
 987                 if (ni->ni_authmode != IEEE80211_AUTH_8021X)
 988                         ieee80211_node_authorize(ni);
 989         }
 990 }
 991
 992 static void
 993 hostap_auth_shared(struct ieee80211_node *ni, struct ieee80211_frame *wh,
 994     uint8_t *frm, uint8_t *efrm, int rssi, int nf,
 995     uint16_t seq, uint16_t status)
 996 {
 997         struct ieee80211vap *vap = ni->ni_vap;
 998         uint8_t *challenge;
 999         int allocbs, estatus;
1000
1001         KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state));
1002
1003         /*
1004          * NB: this can happen as we allow pre-shared key
1005          * authentication to be enabled w/o wep being turned
1006          * on so that configuration of these can be done
1007          * in any order.  It may be better to enforce the
1008          * ordering in which case this check would just be
1009          * for sanity/consistency.
1010          */
1011         if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
1012                 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1013                     ni->ni_macaddr, "shared key auth",
1014                     "%s", " PRIVACY is disabled");
1015                 estatus = IEEE80211_STATUS_ALG;
1016                 goto bad;
1017         }
1018         /*
1019          * Pre-shared key authentication is evil; accept
1020          * it only if explicitly configured (it is supported
1021          * mainly for compatibility with clients like Mac OS X).
1022          */
1023         if (ni->ni_authmode != IEEE80211_AUTH_AUTO &&
1024             ni->ni_authmode != IEEE80211_AUTH_SHARED) {
1025                 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1026                     ni->ni_macaddr, "shared key auth",
1027                     "bad sta auth mode %u", ni->ni_authmode);
1028                 vap->iv_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */
1029                 estatus = IEEE80211_STATUS_ALG;
1030                 goto bad;
1031         }
1032
1033         challenge = NULL;
1034         if (frm + 1 < efrm) {
1035                 if ((frm[1] + 2) > (efrm - frm)) {
1036                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1037                             ni->ni_macaddr, "shared key auth",
1038                             "ie %d/%ld too long",
1039                             frm[0], (frm[1] + 2) - (efrm - frm));
1040                         vap->iv_stats.is_rx_bad_auth++;
1041                         estatus = IEEE80211_STATUS_CHALLENGE;
1042                         goto bad;
1043                 }
1044                 if (*frm == IEEE80211_ELEMID_CHALLENGE)
1045                         challenge = frm;
1046                 frm += frm[1] + 2;
1047         }
1048         switch (seq) {
1049         case IEEE80211_AUTH_SHARED_CHALLENGE:
1050         case IEEE80211_AUTH_SHARED_RESPONSE:
1051                 if (challenge == NULL) {
1052                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1053                             ni->ni_macaddr, "shared key auth",
1054                             "%s", "no challenge");
1055                         vap->iv_stats.is_rx_bad_auth++;
1056                         estatus = IEEE80211_STATUS_CHALLENGE;
1057                         goto bad;
1058                 }
1059                 if (challenge[1] != IEEE80211_CHALLENGE_LEN) {
1060                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1061                             ni->ni_macaddr, "shared key auth",
1062                             "bad challenge len %d", challenge[1]);
1063                         vap->iv_stats.is_rx_bad_auth++;
1064                         estatus = IEEE80211_STATUS_CHALLENGE;
1065                         goto bad;
1066                 }
1067         default:
1068                 break;
1069         }
1070         switch (seq) {
1071         case IEEE80211_AUTH_SHARED_REQUEST:
1072                 if (ni == vap->iv_bss) {
1073                         ni = ieee80211_dup_bss(vap, wh->i_addr2);
1074                         if (ni == NULL) {
1075                                 /* NB: no way to return an error */
1076                                 return;
1077                         }
1078                         allocbs = 1;
1079                 } else {
1080                         if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0)
1081                                 (void) ieee80211_ref_node(ni);
1082                         allocbs = 0;
1083                 }
1084                 /*
1085                  * Mark the node as referenced to reflect that it's
1086                  * reference count has been bumped to insure it remains
1087                  * after the transaction completes.
1088                  */
1089                 ni->ni_flags |= IEEE80211_NODE_AREF;
1090                 /*
1091                  * Mark the node as requiring a valid associatio id
1092                  * before outbound traffic is permitted.
1093                  */
1094                 ni->ni_flags |= IEEE80211_NODE_ASSOCID;
1095                 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
1096                 ni->ni_noise = nf;
1097                 if (!ieee80211_alloc_challenge(ni)) {
1098                         /* NB: don't return error so they rexmit */
1099                         return;
1100                 }
1101                 get_random_bytes(ni->ni_challenge,
1102                         IEEE80211_CHALLENGE_LEN);
1103                 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1104                     ni, "shared key %sauth request", allocbs ? "" : "re");
1105                 /*
1106                  * When the ACL policy is set to RADIUS we defer the
1107                  * authorization to a user agent.  Dispatch an event,
1108                  * a subsequent MLME call will decide the fate of the
1109                  * station.  If the user agent is not present then the
1110                  * node will be reclaimed due to inactivity.
1111                  */
1112                 if (vap->iv_acl != NULL &&
1113                     vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) {
1114                         IEEE80211_NOTE_MAC(vap,
1115                             IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL,
1116                             ni->ni_macaddr,
1117                             "%s", "station authentication defered (radius acl)");
1118                         ieee80211_notify_node_auth(ni);
1119                         return;
1120                 }
1121                 break;
1122         case IEEE80211_AUTH_SHARED_RESPONSE:
1123                 if (ni == vap->iv_bss) {
1124                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1125                             ni->ni_macaddr, "shared key response",
1126                             "%s", "unknown station");
1127                         /* NB: don't send a response */
1128                         return;
1129                 }
1130                 if (ni->ni_challenge == NULL) {
1131                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1132                             ni->ni_macaddr, "shared key response",
1133                             "%s", "no challenge recorded");
1134                         vap->iv_stats.is_rx_bad_auth++;
1135                         estatus = IEEE80211_STATUS_CHALLENGE;
1136                         goto bad;
1137                 }
1138                 if (memcmp(ni->ni_challenge, &challenge[2],
1139                            challenge[1]) != 0) {
1140                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1141                             ni->ni_macaddr, "shared key response",
1142                             "%s", "challenge mismatch");
1143                         vap->iv_stats.is_rx_auth_fail++;
1144                         estatus = IEEE80211_STATUS_CHALLENGE;
1145                         goto bad;
1146                 }
1147                 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1148                     ni, "%s", "station authenticated (shared key)");
1149                 ieee80211_node_authorize(ni);
1150                 break;
1151         default:
1152                 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1153                     ni->ni_macaddr, "shared key auth",
1154                     "bad seq %d", seq);
1155                 vap->iv_stats.is_rx_bad_auth++;
1156                 estatus = IEEE80211_STATUS_SEQUENCE;
1157                 goto bad;
1158         }
1159         IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
1160         return;
1161 bad:
1162         /*
1163          * Send an error response; but only when operating as an AP.
1164          */
1165         /* XXX hack to workaround calling convention */
1166         ieee80211_send_error(ni, wh->i_addr2,
1167             IEEE80211_FC0_SUBTYPE_AUTH,
1168             (seq + 1) | (estatus<<16));
1169 }
1170
1171 /*
1172  * Convert a WPA cipher selector OUI to an internal
1173  * cipher algorithm.  Where appropriate we also
1174  * record any key length.
1175  */
1176 static int
1177 wpa_cipher(const uint8_t *sel, uint8_t *keylen)
1178 {
1179 #define WPA_SEL(x)      (((x)<<24)|WPA_OUI)
1180         uint32_t w = le32dec(sel);
1181
1182         switch (w) {
1183         case WPA_SEL(WPA_CSE_NULL):
1184                 return IEEE80211_CIPHER_NONE;
1185         case WPA_SEL(WPA_CSE_WEP40):
1186                 if (keylen)
1187                         *keylen = 40 / NBBY;
1188                 return IEEE80211_CIPHER_WEP;
1189         case WPA_SEL(WPA_CSE_WEP104):
1190                 if (keylen)
1191                         *keylen = 104 / NBBY;
1192                 return IEEE80211_CIPHER_WEP;
1193         case WPA_SEL(WPA_CSE_TKIP):
1194                 return IEEE80211_CIPHER_TKIP;
1195         case WPA_SEL(WPA_CSE_CCMP):
1196                 return IEEE80211_CIPHER_AES_CCM;
1197         }
1198         return 32;              /* NB: so 1<< is discarded */
1199 #undef WPA_SEL
1200 }
1201
1202 /*
1203  * Convert a WPA key management/authentication algorithm
1204  * to an internal code.
1205  */
1206 static int
1207 wpa_keymgmt(const uint8_t *sel)
1208 {
1209 #define WPA_SEL(x)      (((x)<<24)|WPA_OUI)
1210         uint32_t w = le32dec(sel);
1211
1212         switch (w) {
1213         case WPA_SEL(WPA_ASE_8021X_UNSPEC):
1214                 return WPA_ASE_8021X_UNSPEC;
1215         case WPA_SEL(WPA_ASE_8021X_PSK):
1216                 return WPA_ASE_8021X_PSK;
1217         case WPA_SEL(WPA_ASE_NONE):
1218                 return WPA_ASE_NONE;
1219         }
1220         return 0;               /* NB: so is discarded */
1221 #undef WPA_SEL
1222 }
1223
1224 /*
1225  * Parse a WPA information element to collect parameters.
1226  * Note that we do not validate security parameters; that
1227  * is handled by the authenticator; the parsing done here
1228  * is just for internal use in making operational decisions.
1229  */
1230 static int
1231 ieee80211_parse_wpa(struct ieee80211vap *vap, const uint8_t *frm,
1232         struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh)
1233 {
1234         uint8_t len = frm[1];
1235         uint32_t w;
1236         int n;
1237
1238         /*
1239          * Check the length once for fixed parts: OUI, type,
1240          * version, mcast cipher, and 2 selector counts.
1241          * Other, variable-length data, must be checked separately.
1242          */
1243         if ((vap->iv_flags & IEEE80211_F_WPA1) == 0) {
1244                 IEEE80211_DISCARD_IE(vap,
1245                     IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1246                     wh, "WPA", "not WPA, flags 0x%x", vap->iv_flags);
1247                 return IEEE80211_REASON_IE_INVALID;
1248         }
1249         if (len < 14) {
1250                 IEEE80211_DISCARD_IE(vap,
1251                     IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1252                     wh, "WPA", "too short, len %u", len);
1253                 return IEEE80211_REASON_IE_INVALID;
1254         }
1255         frm += 6, len -= 4;             /* NB: len is payload only */
1256         /* NB: iswpaoui already validated the OUI and type */
1257         w = le16dec(frm);
1258         if (w != WPA_VERSION) {
1259                 IEEE80211_DISCARD_IE(vap,
1260                     IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1261                     wh, "WPA", "bad version %u", w);
1262                 return IEEE80211_REASON_IE_INVALID;
1263         }
1264         frm += 2, len -= 2;
1265
1266         memset(rsn, 0, sizeof(*rsn));
1267
1268         /* multicast/group cipher */
1269         rsn->rsn_mcastcipher = wpa_cipher(frm, &rsn->rsn_mcastkeylen);
1270         frm += 4, len -= 4;
1271
1272         /* unicast ciphers */
1273         n = le16dec(frm);
1274         frm += 2, len -= 2;
1275         if (len < n*4+2) {
1276                 IEEE80211_DISCARD_IE(vap,
1277                     IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1278                     wh, "WPA", "ucast cipher data too short; len %u, n %u",
1279                     len, n);
1280                 return IEEE80211_REASON_IE_INVALID;
1281         }
1282         w = 0;
1283         for (; n > 0; n--) {
1284                 w |= 1<<wpa_cipher(frm, &rsn->rsn_ucastkeylen);
1285                 frm += 4, len -= 4;
1286         }
1287         if (w & (1<<IEEE80211_CIPHER_TKIP))
1288                 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
1289         else
1290                 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
1291
1292         /* key management algorithms */
1293         n = le16dec(frm);
1294         frm += 2, len -= 2;
1295         if (len < n*4) {
1296                 IEEE80211_DISCARD_IE(vap,
1297                     IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1298                     wh, "WPA", "key mgmt alg data too short; len %u, n %u",
1299                     len, n);
1300                 return IEEE80211_REASON_IE_INVALID;
1301         }
1302         w = 0;
1303         for (; n > 0; n--) {
1304                 w |= wpa_keymgmt(frm);
1305                 frm += 4, len -= 4;
1306         }
1307         if (w & WPA_ASE_8021X_UNSPEC)
1308                 rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC;
1309         else
1310                 rsn->rsn_keymgmt = WPA_ASE_8021X_PSK;
1311
1312         if (len > 2)            /* optional capabilities */
1313                 rsn->rsn_caps = le16dec(frm);
1314
1315         return 0;
1316 }
1317
1318 /*
1319  * Convert an RSN cipher selector OUI to an internal
1320  * cipher algorithm.  Where appropriate we also
1321  * record any key length.
1322  */
1323 static int
1324 rsn_cipher(const uint8_t *sel, uint8_t *keylen)
1325 {
1326 #define RSN_SEL(x)      (((x)<<24)|RSN_OUI)
1327         uint32_t w = le32dec(sel);
1328
1329         switch (w) {
1330         case RSN_SEL(RSN_CSE_NULL):
1331                 return IEEE80211_CIPHER_NONE;
1332         case RSN_SEL(RSN_CSE_WEP40):
1333                 if (keylen)
1334                         *keylen = 40 / NBBY;
1335                 return IEEE80211_CIPHER_WEP;
1336         case RSN_SEL(RSN_CSE_WEP104):
1337                 if (keylen)
1338                         *keylen = 104 / NBBY;
1339                 return IEEE80211_CIPHER_WEP;
1340         case RSN_SEL(RSN_CSE_TKIP):
1341                 return IEEE80211_CIPHER_TKIP;
1342         case RSN_SEL(RSN_CSE_CCMP):
1343                 return IEEE80211_CIPHER_AES_CCM;
1344         case RSN_SEL(RSN_CSE_WRAP):
1345                 return IEEE80211_CIPHER_AES_OCB;
1346         }
1347         return 32;              /* NB: so 1<< is discarded */
1348 #undef WPA_SEL
1349 }
1350
1351 /*
1352  * Convert an RSN key management/authentication algorithm
1353  * to an internal code.
1354  */
1355 static int
1356 rsn_keymgmt(const uint8_t *sel)
1357 {
1358 #define RSN_SEL(x)      (((x)<<24)|RSN_OUI)
1359         uint32_t w = le32dec(sel);
1360
1361         switch (w) {
1362         case RSN_SEL(RSN_ASE_8021X_UNSPEC):
1363                 return RSN_ASE_8021X_UNSPEC;
1364         case RSN_SEL(RSN_ASE_8021X_PSK):
1365                 return RSN_ASE_8021X_PSK;
1366         case RSN_SEL(RSN_ASE_NONE):
1367                 return RSN_ASE_NONE;
1368         }
1369         return 0;               /* NB: so is discarded */
1370 #undef RSN_SEL
1371 }
1372
1373 /*
1374  * Parse a WPA/RSN information element to collect parameters
1375  * and validate the parameters against what has been
1376  * configured for the system.
1377  */
1378 static int
1379 ieee80211_parse_rsn(struct ieee80211vap *vap, const uint8_t *frm,
1380         struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh)
1381 {
1382         uint8_t len = frm[1];
1383         uint32_t w;
1384         int n;
1385
1386         /*
1387          * Check the length once for fixed parts:
1388          * version, mcast cipher, and 2 selector counts.
1389          * Other, variable-length data, must be checked separately.
1390          */
1391         if ((vap->iv_flags & IEEE80211_F_WPA2) == 0) {
1392                 IEEE80211_DISCARD_IE(vap,
1393                     IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1394                     wh, "WPA", "not RSN, flags 0x%x", vap->iv_flags);
1395                 return IEEE80211_REASON_IE_INVALID;
1396         }
1397         if (len < 10) {
1398                 IEEE80211_DISCARD_IE(vap,
1399                     IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1400                     wh, "RSN", "too short, len %u", len);
1401                 return IEEE80211_REASON_IE_INVALID;
1402         }
1403         frm += 2;
1404         w = le16dec(frm);
1405         if (w != RSN_VERSION) {
1406                 IEEE80211_DISCARD_IE(vap,
1407                     IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1408                     wh, "RSN", "bad version %u", w);
1409                 return IEEE80211_REASON_IE_INVALID;
1410         }
1411         frm += 2, len -= 2;
1412
1413         memset(rsn, 0, sizeof(*rsn));
1414
1415         /* multicast/group cipher */
1416         rsn->rsn_mcastcipher = rsn_cipher(frm, &rsn->rsn_mcastkeylen);
1417         frm += 4, len -= 4;
1418
1419         /* unicast ciphers */
1420         n = le16dec(frm);
1421         frm += 2, len -= 2;
1422         if (len < n*4+2) {
1423                 IEEE80211_DISCARD_IE(vap,
1424                     IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1425                     wh, "RSN", "ucast cipher data too short; len %u, n %u",
1426                     len, n);
1427                 return IEEE80211_REASON_IE_INVALID;
1428         }
1429         w = 0;
1430         for (; n > 0; n--) {
1431                 w |= 1<<rsn_cipher(frm, &rsn->rsn_ucastkeylen);
1432                 frm += 4, len -= 4;
1433         }
1434         if (w & (1<<IEEE80211_CIPHER_TKIP))
1435                 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
1436         else
1437                 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
1438
1439         /* key management algorithms */
1440         n = le16dec(frm);
1441         frm += 2, len -= 2;
1442         if (len < n*4) {
1443                 IEEE80211_DISCARD_IE(vap,
1444                     IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1445                     wh, "RSN", "key mgmt alg data too short; len %u, n %u",
1446                     len, n);
1447                 return IEEE80211_REASON_IE_INVALID;
1448         }
1449         w = 0;
1450         for (; n > 0; n--) {
1451                 w |= rsn_keymgmt(frm);
1452                 frm += 4, len -= 4;
1453         }
1454         if (w & RSN_ASE_8021X_UNSPEC)
1455                 rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC;
1456         else
1457                 rsn->rsn_keymgmt = RSN_ASE_8021X_PSK;
1458
1459         /* optional RSN capabilities */
1460         if (len > 2)
1461                 rsn->rsn_caps = le16dec(frm);
1462         /* XXXPMKID */
1463
1464         return 0;
1465 }
1466
1467 /*
1468  * WPA/802.11i association request processing.
1469  */
1470 static int
1471 wpa_assocreq(struct ieee80211_node *ni, struct ieee80211_rsnparms *rsnparms,
1472         const struct ieee80211_frame *wh, const uint8_t *wpa,
1473         const uint8_t *rsn, uint16_t capinfo)
1474 {
1475         struct ieee80211vap *vap = ni->ni_vap;
1476         uint8_t reason;
1477         int badwparsn;
1478
1479         ni->ni_flags &= ~(IEEE80211_NODE_WPS|IEEE80211_NODE_TSN);
1480         if (wpa == NULL && rsn == NULL) {
1481                 if (vap->iv_flags_ext & IEEE80211_FEXT_WPS) {
1482                         /*
1483                          * W-Fi Protected Setup (WPS) permits
1484                          * clients to associate and pass EAPOL frames
1485                          * to establish initial credentials.
1486                          */
1487                         ni->ni_flags |= IEEE80211_NODE_WPS;
1488                         return 1;
1489                 }
1490                 if ((vap->iv_flags_ext & IEEE80211_FEXT_TSN) &&
1491                     (capinfo & IEEE80211_CAPINFO_PRIVACY)) {
1492                         /*
1493                          * Transitional Security Network.  Permits clients
1494                          * to associate and use WEP while WPA is configured.
1495                          */
1496                         ni->ni_flags |= IEEE80211_NODE_TSN;
1497                         return 1;
1498                 }
1499                 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA,
1500                     wh, NULL, "%s", "no WPA/RSN IE in association request");
1501                 vap->iv_stats.is_rx_assoc_badwpaie++;
1502                 reason = IEEE80211_REASON_IE_INVALID;
1503                 goto bad;
1504         }
1505         /* assert right association security credentials */
1506         badwparsn = 0;                  /* NB: to silence compiler */
1507         switch (vap->iv_flags & IEEE80211_F_WPA) {
1508         case IEEE80211_F_WPA1:
1509                 badwparsn = (wpa == NULL);
1510                 break;
1511         case IEEE80211_F_WPA2:
1512                 badwparsn = (rsn == NULL);
1513                 break;
1514         case IEEE80211_F_WPA1|IEEE80211_F_WPA2:
1515                 badwparsn = (wpa == NULL && rsn == NULL);
1516                 break;
1517         }
1518         if (badwparsn) {
1519                 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA,
1520                     wh, NULL,
1521                     "%s", "missing WPA/RSN IE in association request");
1522                 vap->iv_stats.is_rx_assoc_badwpaie++;
1523                 reason = IEEE80211_REASON_IE_INVALID;
1524                 goto bad;
1525         }
1526         /*
1527          * Parse WPA/RSN information element.
1528          */
1529         if (wpa != NULL)
1530                 reason = ieee80211_parse_wpa(vap, wpa, rsnparms, wh);
1531         else
1532                 reason = ieee80211_parse_rsn(vap, rsn, rsnparms, wh);
1533         if (reason != 0) {
1534                 /* XXX distinguish WPA/RSN? */
1535                 vap->iv_stats.is_rx_assoc_badwpaie++;
1536                 goto bad;
1537         }
1538         IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, ni,
1539             "%s ie: mc %u/%u uc %u/%u key %u caps 0x%x",
1540             wpa != NULL ? "WPA" : "RSN",
1541             rsnparms->rsn_mcastcipher, rsnparms->rsn_mcastkeylen,
1542             rsnparms->rsn_ucastcipher, rsnparms->rsn_ucastkeylen,
1543             rsnparms->rsn_keymgmt, rsnparms->rsn_caps);
1544
1545         return 1;
1546 bad:
1547         ieee80211_node_deauth(ni, reason);
1548         return 0;
1549 }
1550
1551 /* XXX find a better place for definition */
1552 struct l2_update_frame {
1553         struct ether_header eh;
1554         uint8_t dsap;
1555         uint8_t ssap;
1556         uint8_t control;
1557         uint8_t xid[3];
1558 }  __packed;
1559
1560 /*
1561  * Deliver a TGf L2UF frame on behalf of a station.
1562  * This primes any bridge when the station is roaming
1563  * between ap's on the same wired network.
1564  */
1565 static void
1566 ieee80211_deliver_l2uf(struct ieee80211_node *ni)
1567 {
1568         struct ieee80211vap *vap = ni->ni_vap;
1569         struct ifnet *ifp = vap->iv_ifp;
1570         struct mbuf *m;
1571         struct l2_update_frame *l2uf;
1572         struct ether_header *eh;
1573
1574         m = m_gethdr(M_NOWAIT, MT_DATA);
1575         if (m == NULL) {
1576                 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni,
1577                     "%s", "no mbuf for l2uf frame");
1578                 vap->iv_stats.is_rx_nobuf++;    /* XXX not right */
1579                 return;
1580         }
1581         l2uf = mtod(m, struct l2_update_frame *);
1582         eh = &l2uf->eh;
1583         /* dst: Broadcast address */
1584         IEEE80211_ADDR_COPY(eh->ether_dhost, ifp->if_broadcastaddr);
1585         /* src: associated STA */
1586         IEEE80211_ADDR_COPY(eh->ether_shost, ni->ni_macaddr);
1587         eh->ether_type = htons(sizeof(*l2uf) - sizeof(*eh));
1588
1589         l2uf->dsap = 0;
1590         l2uf->ssap = 0;
1591         l2uf->control = 0xf5;
1592         l2uf->xid[0] = 0x81;
1593         l2uf->xid[1] = 0x80;
1594         l2uf->xid[2] = 0x00;
1595
1596         m->m_pkthdr.len = m->m_len = sizeof(*l2uf);
1597         hostap_deliver_data(vap, ni, m);
1598 }
1599
1600 static void
1601 ratesetmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1602         int reassoc, int resp, const char *tag, int rate)
1603 {
1604         IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2,
1605             "deny %s request, %s rate set mismatch, rate/MCS %d",
1606             reassoc ? "reassoc" : "assoc", tag, rate & IEEE80211_RATE_VAL);
1607         IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_BASIC_RATE);
1608         ieee80211_node_leave(ni);
1609 }
1610
1611 static void
1612 capinfomismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1613         int reassoc, int resp, const char *tag, int capinfo)
1614 {
1615         struct ieee80211vap *vap = ni->ni_vap;
1616
1617         IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2,
1618             "deny %s request, %s mismatch 0x%x",
1619             reassoc ? "reassoc" : "assoc", tag, capinfo);
1620         IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_CAPINFO);
1621         ieee80211_node_leave(ni);
1622         vap->iv_stats.is_rx_assoc_capmismatch++;
1623 }
1624
1625 static void
1626 htcapmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1627         int reassoc, int resp)
1628 {
1629         IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2,
1630             "deny %s request, missing HT ie", reassoc ? "reassoc" : "assoc");
1631         /* XXX no better code */
1632         IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_MISSING_HT_CAPS);
1633         ieee80211_node_leave(ni);
1634 }
1635
1636 static void
1637 authalgreject(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1638         int algo, int seq, int status)
1639 {
1640         struct ieee80211vap *vap = ni->ni_vap;
1641
1642         IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1643             wh, NULL, "unsupported alg %d", algo);
1644         vap->iv_stats.is_rx_auth_unsupported++;
1645         ieee80211_send_error(ni, wh->i_addr2, IEEE80211_FC0_SUBTYPE_AUTH,
1646             seq | (status << 16));
1647 }
1648
1649 static __inline int
1650 ishtmixed(const uint8_t *ie)
1651 {
1652         const struct ieee80211_ie_htinfo *ht =
1653             (const struct ieee80211_ie_htinfo *) ie;
1654         return (ht->hi_byte2 & IEEE80211_HTINFO_OPMODE) ==
1655             IEEE80211_HTINFO_OPMODE_MIXED;
1656 }
1657
1658 static int
1659 is11bclient(const uint8_t *rates, const uint8_t *xrates)
1660 {
1661         static const uint32_t brates = (1<<2*1)|(1<<2*2)|(1<<11)|(1<<2*11);
1662         int i;
1663
1664         /* NB: the 11b clients we care about will not have xrates */
1665         if (xrates != NULL || rates == NULL)
1666                 return 0;
1667         for (i = 0; i < rates[1]; i++) {
1668                 int r = rates[2+i] & IEEE80211_RATE_VAL;
1669                 if (r > 2*11 || ((1<<r) & brates) == 0)
1670                         return 0;
1671         }
1672         return 1;
1673 }
1674
1675 static void
1676 hostap_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0,
1677         int subtype, const struct ieee80211_rx_stats *rxs, int rssi, int nf)
1678 {
1679         struct ieee80211vap *vap = ni->ni_vap;
1680         struct ieee80211com *ic = ni->ni_ic;
1681         struct ieee80211_frame *wh;
1682         uint8_t *frm, *efrm, *sfrm;
1683         uint8_t *ssid, *rates, *xrates, *wpa, *rsn, *wme, *ath, *htcap;
1684         int reassoc, resp;
1685         uint8_t rate;
1686
1687         wh = mtod(m0, struct ieee80211_frame *);
1688         frm = (uint8_t *)&wh[1];
1689         efrm = mtod(m0, uint8_t *) + m0->m_len;
1690         switch (subtype) {
1691         case IEEE80211_FC0_SUBTYPE_PROBE_RESP:
1692                 /*
1693                  * We process beacon/probe response frames when scanning;
1694                  * otherwise we check beacon frames for overlapping non-ERP
1695                  * BSS in 11g and/or overlapping legacy BSS when in HT.
1696                  */
1697                 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) {
1698                         vap->iv_stats.is_rx_mgtdiscard++;
1699                         return;
1700                 }
1701                 /* FALLTHROUGH */
1702         case IEEE80211_FC0_SUBTYPE_BEACON: {
1703                 struct ieee80211_scanparams scan;
1704
1705                 /* NB: accept off-channel frames */
1706                 /* XXX TODO: use rxstatus to determine off-channel details */
1707                 if (ieee80211_parse_beacon(ni, m0, ic->ic_curchan, &scan) &~ IEEE80211_BPARSE_OFFCHAN)
1708                         return;
1709                 /*
1710                  * Count frame now that we know it's to be processed.
1711                  */
1712                 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) {
1713                         vap->iv_stats.is_rx_beacon++;           /* XXX remove */
1714                         IEEE80211_NODE_STAT(ni, rx_beacons);
1715                 } else
1716                         IEEE80211_NODE_STAT(ni, rx_proberesp);
1717                 /*
1718                  * If scanning, just pass information to the scan module.
1719                  */
1720                 if (ic->ic_flags & IEEE80211_F_SCAN) {
1721                         if (scan.status == 0 &&         /* NB: on channel */
1722                             (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN)) {
1723                                 /*
1724                                  * Actively scanning a channel marked passive;
1725                                  * send a probe request now that we know there
1726                                  * is 802.11 traffic present.
1727                                  *
1728                                  * XXX check if the beacon we recv'd gives
1729                                  * us what we need and suppress the probe req
1730                                  */
1731                                 ieee80211_probe_curchan(vap, 1);
1732                                 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN;
1733                         }
1734                         ieee80211_add_scan(vap, ic->ic_curchan, &scan, wh,
1735                             subtype, rssi, nf);
1736                         return;
1737                 }
1738                 /*
1739                  * Check beacon for overlapping bss w/ non ERP stations.
1740                  * If we detect one and protection is configured but not
1741                  * enabled, enable it and start a timer that'll bring us
1742                  * out if we stop seeing the bss.
1743                  */
1744                 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) &&
1745                     scan.status == 0 &&                 /* NB: on-channel */
1746                     ((scan.erp & 0x100) == 0 ||         /* NB: no ERP, 11b sta*/
1747                      (scan.erp & IEEE80211_ERP_NON_ERP_PRESENT))) {
1748                         ic->ic_lastnonerp = ticks;
1749                         ic->ic_flags_ext |= IEEE80211_FEXT_NONERP_PR;
1750                         if (ic->ic_protmode != IEEE80211_PROT_NONE &&
1751                             (ic->ic_flags & IEEE80211_F_USEPROT) == 0) {
1752                                 IEEE80211_NOTE_FRAME(vap,
1753                                     IEEE80211_MSG_ASSOC, wh,
1754                                     "non-ERP present on channel %d "
1755                                     "(saw erp 0x%x from channel %d), "
1756                                     "enable use of protection",
1757                                     ic->ic_curchan->ic_ieee,
1758                                     scan.erp, scan.chan);
1759                                 ic->ic_flags |= IEEE80211_F_USEPROT;
1760                                 ieee80211_notify_erp(ic);
1761                         }
1762                 }
1763                 /*
1764                  * Check beacon for non-HT station on HT channel
1765                  * and update HT BSS occupancy as appropriate.
1766                  */
1767                 if (IEEE80211_IS_CHAN_HT(ic->ic_curchan)) {
1768                         if (scan.status & IEEE80211_BPARSE_OFFCHAN) {
1769                                 /*
1770                                  * Off control channel; only check frames
1771                                  * that come in the extension channel when
1772                                  * operating w/ HT40.
1773                                  */
1774                                 if (!IEEE80211_IS_CHAN_HT40(ic->ic_curchan))
1775                                         break;
1776                                 if (scan.chan != ic->ic_curchan->ic_extieee)
1777                                         break;
1778                         }
1779                         if (scan.htinfo == NULL) {
1780                                 ieee80211_htprot_update(ic,
1781                                     IEEE80211_HTINFO_OPMODE_PROTOPT |
1782                                     IEEE80211_HTINFO_NONHT_PRESENT);
1783                         } else if (ishtmixed(scan.htinfo)) {
1784                                 /* XXX? take NONHT_PRESENT from beacon? */
1785                                 ieee80211_htprot_update(ic,
1786                                     IEEE80211_HTINFO_OPMODE_MIXED |
1787                                     IEEE80211_HTINFO_NONHT_PRESENT);
1788                         }
1789                 }
1790                 break;
1791         }
1792
1793         case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
1794                 if (vap->iv_state != IEEE80211_S_RUN) {
1795                         vap->iv_stats.is_rx_mgtdiscard++;
1796                         return;
1797                 }
1798                 /*
1799                  * Consult the ACL policy module if setup.
1800                  */
1801                 if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) {
1802                         IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL,
1803                             wh, NULL, "%s", "disallowed by ACL");
1804                         vap->iv_stats.is_rx_acl++;
1805                         return;
1806                 }
1807                 /*
1808                  * prreq frame format
1809                  *      [tlv] ssid
1810                  *      [tlv] supported rates
1811                  *      [tlv] extended supported rates
1812                  */
1813                 ssid = rates = xrates = NULL;
1814                 sfrm = frm;
1815                 while (efrm - frm > 1) {
1816                         IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
1817                         switch (*frm) {
1818                         case IEEE80211_ELEMID_SSID:
1819                                 ssid = frm;
1820                                 break;
1821                         case IEEE80211_ELEMID_RATES:
1822                                 rates = frm;
1823                                 break;
1824                         case IEEE80211_ELEMID_XRATES:
1825                                 xrates = frm;
1826                                 break;
1827                         }
1828                         frm += frm[1] + 2;
1829                 }
1830                 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return);
1831                 if (xrates != NULL)
1832                         IEEE80211_VERIFY_ELEMENT(xrates,
1833                                 IEEE80211_RATE_MAXSIZE - rates[1], return);
1834                 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return);
1835                 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return);
1836                 if ((vap->iv_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) {
1837                         IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
1838                             wh, NULL,
1839                             "%s", "no ssid with ssid suppression enabled");
1840                         vap->iv_stats.is_rx_ssidmismatch++; /*XXX*/
1841                         return;
1842                 }
1843
1844                 /* XXX find a better class or define it's own */
1845                 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_INPUT, wh->i_addr2,
1846                     "%s", "recv probe req");
1847                 /*
1848                  * Some legacy 11b clients cannot hack a complete
1849                  * probe response frame.  When the request includes
1850                  * only a bare-bones rate set, communicate this to
1851                  * the transmit side.
1852                  */
1853                 ieee80211_send_proberesp(vap, wh->i_addr2,
1854                     is11bclient(rates, xrates) ? IEEE80211_SEND_LEGACY_11B : 0);
1855                 break;
1856
1857         case IEEE80211_FC0_SUBTYPE_AUTH: {
1858                 uint16_t algo, seq, status;
1859
1860                 if (vap->iv_state != IEEE80211_S_RUN) {
1861                         vap->iv_stats.is_rx_mgtdiscard++;
1862                         return;
1863                 }
1864                 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) {
1865                         IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1866                             wh, NULL, "%s", "wrong bssid");
1867                         vap->iv_stats.is_rx_wrongbss++; /*XXX unique stat?*/
1868                         return;
1869                 }
1870                 /*
1871                  * auth frame format
1872                  *      [2] algorithm
1873                  *      [2] sequence
1874                  *      [2] status
1875                  *      [tlv*] challenge
1876                  */
1877                 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return);
1878                 algo   = le16toh(*(uint16_t *)frm);
1879                 seq    = le16toh(*(uint16_t *)(frm + 2));
1880                 status = le16toh(*(uint16_t *)(frm + 4));
1881                 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr2,
1882                     "recv auth frame with algorithm %d seq %d", algo, seq);
1883                 /*
1884                  * Consult the ACL policy module if setup.
1885                  */
1886                 if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh)) {
1887                         IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL,
1888                             wh, NULL, "%s", "disallowed by ACL");
1889                         vap->iv_stats.is_rx_acl++;
1890                         ieee80211_send_error(ni, wh->i_addr2,
1891                             IEEE80211_FC0_SUBTYPE_AUTH,
1892                             (seq+1) | (IEEE80211_STATUS_UNSPECIFIED<<16));
1893                         return;
1894                 }
1895                 if (vap->iv_flags & IEEE80211_F_COUNTERM) {
1896                         IEEE80211_DISCARD(vap,
1897                             IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO,
1898                             wh, NULL, "%s", "TKIP countermeasures enabled");
1899                         vap->iv_stats.is_rx_auth_countermeasures++;
1900                         ieee80211_send_error(ni, wh->i_addr2,
1901                                 IEEE80211_FC0_SUBTYPE_AUTH,
1902                                 IEEE80211_REASON_MIC_FAILURE);
1903                         return;
1904                 }
1905                 if (algo == IEEE80211_AUTH_ALG_SHARED)
1906                         hostap_auth_shared(ni, wh, frm + 6, efrm, rssi, nf,
1907                             seq, status);
1908                 else if (algo == IEEE80211_AUTH_ALG_OPEN)
1909                         hostap_auth_open(ni, wh, rssi, nf, seq, status);
1910                 else if (algo == IEEE80211_AUTH_ALG_LEAP) {
1911                         authalgreject(ni, wh, algo,
1912                             seq+1, IEEE80211_STATUS_ALG);
1913                         return;
1914                 } else {
1915                         /*
1916                          * We assume that an unknown algorithm is the result
1917                          * of a decryption failure on a shared key auth frame;
1918                          * return a status code appropriate for that instead
1919                          * of IEEE80211_STATUS_ALG.
1920                          *
1921                          * NB: a seq# of 4 is intentional; the decrypted
1922                          *     frame likely has a bogus seq value.
1923                          */
1924                         authalgreject(ni, wh, algo,
1925                             4, IEEE80211_STATUS_CHALLENGE);
1926                         return;
1927                 }
1928                 break;
1929         }
1930
1931         case IEEE80211_FC0_SUBTYPE_ASSOC_REQ:
1932         case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: {
1933                 uint16_t capinfo, lintval;
1934                 struct ieee80211_rsnparms rsnparms;
1935
1936                 if (vap->iv_state != IEEE80211_S_RUN) {
1937                         vap->iv_stats.is_rx_mgtdiscard++;
1938                         return;
1939                 }
1940                 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) {
1941                         IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1942                             wh, NULL, "%s", "wrong bssid");
1943                         vap->iv_stats.is_rx_assoc_bss++;
1944                         return;
1945                 }
1946                 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) {
1947                         reassoc = 1;
1948                         resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP;
1949                 } else {
1950                         reassoc = 0;
1951                         resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP;
1952                 }
1953                 if (ni == vap->iv_bss) {
1954                         IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2,
1955                             "deny %s request, sta not authenticated",
1956                             reassoc ? "reassoc" : "assoc");
1957                         ieee80211_send_error(ni, wh->i_addr2,
1958                             IEEE80211_FC0_SUBTYPE_DEAUTH,
1959                             IEEE80211_REASON_ASSOC_NOT_AUTHED);
1960                         vap->iv_stats.is_rx_assoc_notauth++;
1961                         return;
1962                 }
1963
1964                 /*
1965                  * asreq frame format
1966                  *      [2] capability information
1967                  *      [2] listen interval
1968                  *      [6*] current AP address (reassoc only)
1969                  *      [tlv] ssid
1970                  *      [tlv] supported rates
1971                  *      [tlv] extended supported rates
1972                  *      [tlv] WPA or RSN
1973                  *      [tlv] HT capabilities
1974                  *      [tlv] Atheros capabilities
1975                  */
1976                 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4), return);
1977                 capinfo = le16toh(*(uint16_t *)frm);    frm += 2;
1978                 lintval = le16toh(*(uint16_t *)frm);    frm += 2;
1979                 if (reassoc)
1980                         frm += 6;       /* ignore current AP info */
1981                 ssid = rates = xrates = wpa = rsn = wme = ath = htcap = NULL;
1982                 sfrm = frm;
1983                 while (efrm - frm > 1) {
1984                         IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
1985                         switch (*frm) {
1986                         case IEEE80211_ELEMID_SSID:
1987                                 ssid = frm;
1988                                 break;
1989                         case IEEE80211_ELEMID_RATES:
1990                                 rates = frm;
1991                                 break;
1992                         case IEEE80211_ELEMID_XRATES:
1993                                 xrates = frm;
1994                                 break;
1995                         case IEEE80211_ELEMID_RSN:
1996                                 rsn = frm;
1997                                 break;
1998                         case IEEE80211_ELEMID_HTCAP:
1999                                 htcap = frm;
2000                                 break;
2001                         case IEEE80211_ELEMID_VENDOR:
2002                                 if (iswpaoui(frm))
2003                                         wpa = frm;
2004                                 else if (iswmeinfo(frm))
2005                                         wme = frm;
2006 #ifdef IEEE80211_SUPPORT_SUPERG
2007                                 else if (isatherosoui(frm))
2008                                         ath = frm;
2009 #endif
2010                                 else if (vap->iv_flags_ht & IEEE80211_FHT_HTCOMPAT) {
2011                                         if (ishtcapoui(frm) && htcap == NULL)
2012                                                 htcap = frm;
2013                                 }
2014                                 break;
2015                         }
2016                         frm += frm[1] + 2;
2017                 }
2018                 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return);
2019                 if (xrates != NULL)
2020                         IEEE80211_VERIFY_ELEMENT(xrates,
2021                                 IEEE80211_RATE_MAXSIZE - rates[1], return);
2022                 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return);
2023                 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return);
2024                 if (htcap != NULL) {
2025                         IEEE80211_VERIFY_LENGTH(htcap[1],
2026                              htcap[0] == IEEE80211_ELEMID_VENDOR ?
2027                                  4 + sizeof(struct ieee80211_ie_htcap)-2 :
2028                                  sizeof(struct ieee80211_ie_htcap)-2,
2029                              return);           /* XXX just NULL out? */
2030                 }
2031
2032                 if ((vap->iv_flags & IEEE80211_F_WPA) &&
2033                     !wpa_assocreq(ni, &rsnparms, wh, wpa, rsn, capinfo))
2034                         return;
2035                 /* discard challenge after association */
2036                 if (ni->ni_challenge != NULL) {
2037                         IEEE80211_FREE(ni->ni_challenge, M_80211_NODE);
2038                         ni->ni_challenge = NULL;
2039                 }
2040                 /* NB: 802.11 spec says to ignore station's privacy bit */
2041                 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) {
2042                         capinfomismatch(ni, wh, reassoc, resp,
2043                             "capability", capinfo);
2044                         return;
2045                 }
2046                 /*
2047                  * Disallow re-associate w/ invalid slot time setting.
2048                  */
2049                 if (ni->ni_associd != 0 &&
2050                     IEEE80211_IS_CHAN_ANYG(ic->ic_bsschan) &&
2051                     ((ni->ni_capinfo ^ capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME)) {
2052                         capinfomismatch(ni, wh, reassoc, resp,
2053                             "slot time", capinfo);
2054                         return;
2055                 }
2056                 rate = ieee80211_setup_rates(ni, rates, xrates,
2057                                 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE |
2058                                 IEEE80211_F_DONEGO | IEEE80211_F_DODEL);
2059                 if (rate & IEEE80211_RATE_BASIC) {
2060                         ratesetmismatch(ni, wh, reassoc, resp, "legacy", rate);
2061                         vap->iv_stats.is_rx_assoc_norate++;
2062                         return;
2063                 }
2064                 /*
2065                  * If constrained to 11g-only stations reject an
2066                  * 11b-only station.  We cheat a bit here by looking
2067                  * at the max negotiated xmit rate and assuming anyone
2068                  * with a best rate <24Mb/s is an 11b station.
2069                  */
2070                 if ((vap->iv_flags & IEEE80211_F_PUREG) && rate < 48) {
2071                         ratesetmismatch(ni, wh, reassoc, resp, "11g", rate);
2072                         vap->iv_stats.is_rx_assoc_norate++;
2073                         return;
2074                 }
2075                 /*
2076                  * Do HT rate set handling and setup HT node state.
2077                  */
2078                 ni->ni_chan = vap->iv_bss->ni_chan;
2079                 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) {
2080                         rate = ieee80211_setup_htrates(ni, htcap,
2081                                 IEEE80211_F_DOFMCS | IEEE80211_F_DONEGO |
2082                                 IEEE80211_F_DOBRS);
2083                         if (rate & IEEE80211_RATE_BASIC) {
2084                                 ratesetmismatch(ni, wh, reassoc, resp,
2085                                     "HT", rate);
2086                                 vap->iv_stats.is_ht_assoc_norate++;
2087                                 return;
2088                         }
2089                         ieee80211_ht_node_init(ni);
2090                         ieee80211_ht_updatehtcap(ni, htcap);
2091                 } else if (ni->ni_flags & IEEE80211_NODE_HT)
2092                         ieee80211_ht_node_cleanup(ni);
2093 #ifdef IEEE80211_SUPPORT_SUPERG
2094                 /* Always do ff node cleanup; for A-MSDU */
2095                 ieee80211_ff_node_cleanup(ni);
2096 #endif
2097                 /*
2098                  * Allow AMPDU operation only with unencrypted traffic
2099                  * or AES-CCM; the 11n spec only specifies these ciphers
2100                  * so permitting any others is undefined and can lead
2101                  * to interoperability problems.
2102                  */
2103                 if ((ni->ni_flags & IEEE80211_NODE_HT) &&
2104                     (((vap->iv_flags & IEEE80211_F_WPA) &&
2105                       rsnparms.rsn_ucastcipher != IEEE80211_CIPHER_AES_CCM) ||
2106                      (vap->iv_flags & (IEEE80211_F_WPA|IEEE80211_F_PRIVACY)) == IEEE80211_F_PRIVACY)) {
2107                         IEEE80211_NOTE(vap,
2108                             IEEE80211_MSG_ASSOC | IEEE80211_MSG_11N, ni,
2109                             "disallow HT use because WEP or TKIP requested, "
2110                             "capinfo 0x%x ucastcipher %d", capinfo,
2111                             rsnparms.rsn_ucastcipher);
2112                         ieee80211_ht_node_cleanup(ni);
2113 #ifdef IEEE80211_SUPPORT_SUPERG
2114                         /* Always do ff node cleanup; for A-MSDU */
2115                         ieee80211_ff_node_cleanup(ni);
2116 #endif
2117                         vap->iv_stats.is_ht_assoc_downgrade++;
2118                 }
2119                 /*
2120                  * If constrained to 11n-only stations reject legacy stations.
2121                  */
2122                 if ((vap->iv_flags_ht & IEEE80211_FHT_PUREN) &&
2123                     (ni->ni_flags & IEEE80211_NODE_HT) == 0) {
2124                         htcapmismatch(ni, wh, reassoc, resp);
2125                         vap->iv_stats.is_ht_assoc_nohtcap++;
2126                         return;
2127                 }
2128                 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
2129                 ni->ni_noise = nf;
2130                 ni->ni_intval = lintval;
2131                 ni->ni_capinfo = capinfo;
2132                 ni->ni_fhdwell = vap->iv_bss->ni_fhdwell;
2133                 ni->ni_fhindex = vap->iv_bss->ni_fhindex;
2134                 /*
2135                  * Store the IEs.
2136                  * XXX maybe better to just expand
2137                  */
2138                 if (ieee80211_ies_init(&ni->ni_ies, sfrm, efrm - sfrm)) {
2139 #define setie(_ie, _off)        ieee80211_ies_setie(ni->ni_ies, _ie, _off)
2140                         if (wpa != NULL)
2141                                 setie(wpa_ie, wpa - sfrm);
2142                         if (rsn != NULL)
2143                                 setie(rsn_ie, rsn - sfrm);
2144                         if (htcap != NULL)
2145                                 setie(htcap_ie, htcap - sfrm);
2146                         if (wme != NULL) {
2147                                 setie(wme_ie, wme - sfrm);
2148                                 /*
2149                                  * Mark node as capable of QoS.
2150                                  */
2151                                 ni->ni_flags |= IEEE80211_NODE_QOS;
2152                         } else
2153                                 ni->ni_flags &= ~IEEE80211_NODE_QOS;
2154 #ifdef IEEE80211_SUPPORT_SUPERG
2155                         if (ath != NULL) {
2156                                 setie(ath_ie, ath - sfrm);
2157                                 /*
2158                                  * Parse ATH station parameters.
2159                                  */
2160                                 ieee80211_parse_ath(ni, ni->ni_ies.ath_ie);
2161                         } else
2162 #endif
2163                                 ni->ni_ath_flags = 0;
2164 #undef setie
2165                 } else {
2166                         ni->ni_flags &= ~IEEE80211_NODE_QOS;
2167                         ni->ni_ath_flags = 0;
2168                 }
2169                 ieee80211_node_join(ni, resp);
2170                 ieee80211_deliver_l2uf(ni);
2171                 break;
2172         }
2173
2174         case IEEE80211_FC0_SUBTYPE_DEAUTH:
2175         case IEEE80211_FC0_SUBTYPE_DISASSOC: {
2176                 uint16_t reason;
2177
2178                 if (vap->iv_state != IEEE80211_S_RUN ||
2179                     /* NB: can happen when in promiscuous mode */
2180                     !IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) {
2181                         vap->iv_stats.is_rx_mgtdiscard++;
2182                         break;
2183                 }
2184                 /*
2185                  * deauth/disassoc frame format
2186                  *      [2] reason
2187                  */
2188                 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return);
2189                 reason = le16toh(*(uint16_t *)frm);
2190                 if (subtype == IEEE80211_FC0_SUBTYPE_DEAUTH) {
2191                         vap->iv_stats.is_rx_deauth++;
2192                         IEEE80211_NODE_STAT(ni, rx_deauth);
2193                 } else {
2194                         vap->iv_stats.is_rx_disassoc++;
2195                         IEEE80211_NODE_STAT(ni, rx_disassoc);
2196                 }
2197                 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni,
2198                     "recv %s (reason: %d (%s))",
2199                     ieee80211_mgt_subtype_name(subtype),
2200                     reason, ieee80211_reason_to_string(reason));
2201                 if (ni != vap->iv_bss)
2202                         ieee80211_node_leave(ni);
2203                 break;
2204         }
2205
2206         case IEEE80211_FC0_SUBTYPE_ACTION:
2207         case IEEE80211_FC0_SUBTYPE_ACTION_NOACK:
2208                 if (ni == vap->iv_bss) {
2209                         IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
2210                             wh, NULL, "%s", "unknown node");
2211                         vap->iv_stats.is_rx_mgtdiscard++;
2212                 } else if (!IEEE80211_ADDR_EQ(vap->iv_myaddr, wh->i_addr1) &&
2213                     !IEEE80211_IS_MULTICAST(wh->i_addr1)) {
2214                         IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
2215                             wh, NULL, "%s", "not for us");
2216                         vap->iv_stats.is_rx_mgtdiscard++;
2217                 } else if (vap->iv_state != IEEE80211_S_RUN) {
2218                         IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
2219                             wh, NULL, "wrong state %s",
2220                             ieee80211_state_name[vap->iv_state]);
2221                         vap->iv_stats.is_rx_mgtdiscard++;
2222                 } else {
2223                         if (ieee80211_parse_action(ni, m0) == 0)
2224                                 (void)ic->ic_recv_action(ni, wh, frm, efrm);
2225                 }
2226                 break;
2227
2228         case IEEE80211_FC0_SUBTYPE_ASSOC_RESP:
2229         case IEEE80211_FC0_SUBTYPE_REASSOC_RESP:
2230         case IEEE80211_FC0_SUBTYPE_TIMING_ADV:
2231         case IEEE80211_FC0_SUBTYPE_ATIM:
2232                 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
2233                     wh, NULL, "%s", "not handled");
2234                 vap->iv_stats.is_rx_mgtdiscard++;
2235                 break;
2236
2237         default:
2238                 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
2239                     wh, "mgt", "subtype 0x%x not handled", subtype);
2240                 vap->iv_stats.is_rx_badsubtype++;
2241                 break;
2242         }
2243 }
2244
2245 static void
2246 hostap_recv_ctl(struct ieee80211_node *ni, struct mbuf *m, int subtype)
2247 {
2248         switch (subtype) {
2249         case IEEE80211_FC0_SUBTYPE_PS_POLL:
2250                 ni->ni_vap->iv_recv_pspoll(ni, m);
2251                 break;
2252         case IEEE80211_FC0_SUBTYPE_BAR:
2253                 ieee80211_recv_bar(ni, m);
2254                 break;
2255         }
2256 }
2257
2258 /*
2259  * Process a received ps-poll frame.
2260  */
2261 void
2262 ieee80211_recv_pspoll(struct ieee80211_node *ni, struct mbuf *m0)
2263 {
2264         struct ieee80211vap *vap = ni->ni_vap;
2265         struct ieee80211com *ic = vap->iv_ic;
2266         struct ieee80211_frame_min *wh;
2267         struct mbuf *m;
2268         uint16_t aid;
2269         int qlen;
2270
2271         wh = mtod(m0, struct ieee80211_frame_min *);
2272         if (ni->ni_associd == 0) {
2273                 IEEE80211_DISCARD(vap,
2274                     IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG,
2275                     (struct ieee80211_frame *) wh, NULL,
2276                     "%s", "unassociated station");
2277                 vap->iv_stats.is_ps_unassoc++;
2278                 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DEAUTH,
2279                         IEEE80211_REASON_NOT_ASSOCED);
2280                 return;
2281         }
2282
2283         aid = le16toh(*(uint16_t *)wh->i_dur);
2284         if (aid != ni->ni_associd) {
2285                 IEEE80211_DISCARD(vap,
2286                     IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG,
2287                     (struct ieee80211_frame *) wh, NULL,
2288                     "aid mismatch: sta aid 0x%x poll aid 0x%x",
2289                     ni->ni_associd, aid);
2290                 vap->iv_stats.is_ps_badaid++;
2291                 /*
2292                  * NB: We used to deauth the station but it turns out
2293                  * the Blackberry Curve 8230 (and perhaps other devices)
2294                  * sometimes send the wrong AID when WME is negotiated.
2295                  * Being more lenient here seems ok as we already check
2296                  * the station is associated and we only return frames
2297                  * queued for the station (i.e. we don't use the AID).
2298                  */
2299                 return;
2300         }
2301
2302         /* Okay, take the first queued packet and put it out... */
2303         m = ieee80211_node_psq_dequeue(ni, &qlen);
2304         if (m == NULL) {
2305                 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_POWER, wh->i_addr2,
2306                     "%s", "recv ps-poll, but queue empty");
2307                 ieee80211_send_nulldata(ieee80211_ref_node(ni));
2308                 vap->iv_stats.is_ps_qempty++;   /* XXX node stat */
2309                 if (vap->iv_set_tim != NULL)
2310                         vap->iv_set_tim(ni, 0); /* just in case */
2311                 return;
2312         }
2313         /*
2314          * If there are more packets, set the more packets bit
2315          * in the packet dispatched to the station; otherwise
2316          * turn off the TIM bit.
2317          */
2318         if (qlen != 0) {
2319                 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni,
2320                     "recv ps-poll, send packet, %u still queued", qlen);
2321                 m->m_flags |= M_MORE_DATA;
2322         } else {
2323                 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni,
2324                     "%s", "recv ps-poll, send packet, queue empty");
2325                 if (vap->iv_set_tim != NULL)
2326                         vap->iv_set_tim(ni, 0);
2327         }
2328         m->m_flags |= M_PWR_SAV;                /* bypass PS handling */
2329
2330         /*
2331          * Do the right thing; if it's an encap'ed frame then
2332          * call ieee80211_parent_xmitpkt() else
2333          * call ieee80211_vap_xmitpkt().
2334          */
2335         if (m->m_flags & M_ENCAP) {
2336                 (void) ieee80211_parent_xmitpkt(ic, m);
2337         } else {
2338                 (void) ieee80211_vap_xmitpkt(vap, m);
2339         }
2340 }