sys/netproto/802_11/wlan/ieee80211_hostap.c

   1 /*-
   2  * Copyright (c) 2007-2008 Sam Leffler, Errno Consulting
   3  * All rights reserved.
   4  *
   5  * Redistribution and use in source and binary forms, with or without
   6  * modification, are permitted provided that the following conditions
   7  * are met:
   8  * 1. Redistributions of source code must retain the above copyright
   9  *    notice, this list of conditions and the following disclaimer.
  10  * 2. Redistributions in binary form must reproduce the above copyright
  11  *    notice, this list of conditions and the following disclaimer in the
  12  *    documentation and/or other materials provided with the distribution.
  13  *
  14  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
  15  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  16  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
  17  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
  18  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  19  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  20  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  21  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  23  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  24  *
  25  * $FreeBSD: head/sys/net80211/ieee80211_hostap.c 203422 2010-02-03 10:07:43Z rpaulo $
  26  */
  27
  28 /*
  29  * IEEE 802.11 HOSTAP mode support.
  30  */
  31 #include "opt_inet.h"
  32 #include "opt_wlan.h"
  33
  34 #include <sys/param.h>
  35 #include <sys/systm.h>
  36 #include <sys/mbuf.h>
  37 #include <sys/malloc.h>
  38 #include <sys/kernel.h>
  39
  40 #include <sys/socket.h>
  41 #include <sys/sockio.h>
  42 #include <sys/endian.h>
  43 #include <sys/errno.h>
  44 #include <sys/proc.h>
  45 #include <sys/sysctl.h>
  46
  47 #include <net/if.h>
  48 #include <net/if_media.h>
  49 #include <net/if_llc.h>
  50 #include <net/ifq_var.h>
  51 #include <net/ethernet.h>
  52 #include <net/route.h>
  53
  54 #include <net/bpf.h>
  55
  56 #include <netproto/802_11/ieee80211_var.h>
  57 #include <netproto/802_11/ieee80211_hostap.h>
  58 #include <netproto/802_11/ieee80211_input.h>
  59 #ifdef IEEE80211_SUPPORT_SUPERG
  60 #include <netproto/802_11/ieee80211_superg.h>
  61 #endif
  62 #include <netproto/802_11/ieee80211_wds.h>
  63
  64 #define IEEE80211_RATE2MBS(r)   (((r) & IEEE80211_RATE_VAL) / 2)
  65
  66 static  void hostap_vattach(struct ieee80211vap *);
  67 static  int hostap_newstate(struct ieee80211vap *, enum ieee80211_state, int);
  68 static  int hostap_input(struct ieee80211_node *ni, struct mbuf *m,
  69             int rssi, int nf);
  70 static void hostap_deliver_data(struct ieee80211vap *,
  71             struct ieee80211_node *, struct mbuf *);
  72 static void hostap_recv_mgmt(struct ieee80211_node *, struct mbuf *,
  73             int subtype, int rssi, int nf);
  74 static void hostap_recv_ctl(struct ieee80211_node *, struct mbuf *, int);
  75 static void hostap_recv_pspoll(struct ieee80211_node *, struct mbuf *);
  76
  77 void
  78 ieee80211_hostap_attach(struct ieee80211com *ic)
  79 {
  80         ic->ic_vattach[IEEE80211_M_HOSTAP] = hostap_vattach;
  81 }
  82
  83 void
  84 ieee80211_hostap_detach(struct ieee80211com *ic)
  85 {
  86 }
  87
  88 static void
  89 hostap_vdetach(struct ieee80211vap *vap)
  90 {
  91 }
  92
  93 static void
  94 hostap_vattach(struct ieee80211vap *vap)
  95 {
  96         vap->iv_newstate = hostap_newstate;
  97         vap->iv_input = hostap_input;
  98         vap->iv_recv_mgmt = hostap_recv_mgmt;
  99         vap->iv_recv_ctl = hostap_recv_ctl;
 100         vap->iv_opdetach = hostap_vdetach;
 101         vap->iv_deliver_data = hostap_deliver_data;
 102 }
 103
 104 static void
 105 sta_disassoc(void *arg, struct ieee80211_node *ni)
 106 {
 107         struct ieee80211vap *vap = arg;
 108
 109         if (ni->ni_vap == vap && ni->ni_associd != 0) {
 110                 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DISASSOC,
 111                         IEEE80211_REASON_ASSOC_LEAVE);
 112                 ieee80211_node_leave(ni);
 113         }
 114 }
 115
 116 static void
 117 sta_csa(void *arg, struct ieee80211_node *ni)
 118 {
 119         struct ieee80211vap *vap = arg;
 120
 121         if (ni->ni_vap == vap && ni->ni_associd != 0)
 122                 if (ni->ni_inact > vap->iv_inact_init) {
 123                         ni->ni_inact = vap->iv_inact_init;
 124                         IEEE80211_NOTE(vap, IEEE80211_MSG_INACT, ni,
 125                             "%s: inact %u", __func__, ni->ni_inact);
 126                 }
 127 }
 128
 129 static void
 130 sta_drop(void *arg, struct ieee80211_node *ni)
 131 {
 132         struct ieee80211vap *vap = arg;
 133
 134         if (ni->ni_vap == vap && ni->ni_associd != 0)
 135                 ieee80211_node_leave(ni);
 136 }
 137
 138 /*
 139  * Does a channel change require associated stations to re-associate
 140  * so protocol state is correct.  This is used when doing CSA across
 141  * bands or similar (e.g. HT -> legacy).
 142  */
 143 static int
 144 isbandchange(struct ieee80211com *ic)
 145 {
 146         return ((ic->ic_bsschan->ic_flags ^ ic->ic_csa_newchan->ic_flags) &
 147             (IEEE80211_CHAN_2GHZ | IEEE80211_CHAN_5GHZ | IEEE80211_CHAN_HALF |
 148              IEEE80211_CHAN_QUARTER | IEEE80211_CHAN_HT)) != 0;
 149 }
 150
 151 /*
 152  * IEEE80211_M_HOSTAP vap state machine handler.
 153  */
 154 static int
 155 hostap_newstate(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg)
 156 {
 157         struct ieee80211com *ic = vap->iv_ic;
 158         enum ieee80211_state ostate;
 159         char ethstr[ETHER_ADDRSTRLEN + 1];
 160
 161         ostate = vap->iv_state;
 162         IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE, "%s: %s -> %s (%d)\n",
 163             __func__, ieee80211_state_name[ostate],
 164             ieee80211_state_name[nstate], arg);
 165         vap->iv_state = nstate;                 /* state transition */
 166         if (ostate != IEEE80211_S_SCAN)
 167                 ieee80211_cancel_scan(vap);     /* background scan */
 168         switch (nstate) {
 169         case IEEE80211_S_INIT:
 170                 switch (ostate) {
 171                 case IEEE80211_S_SCAN:
 172                         ieee80211_cancel_scan(vap);
 173                         break;
 174                 case IEEE80211_S_CAC:
 175                         ieee80211_dfs_cac_stop(vap);
 176                         break;
 177                 case IEEE80211_S_RUN:
 178                         ieee80211_iterate_nodes(&ic->ic_sta, sta_disassoc, vap);
 179                         break;
 180                 default:
 181                         break;
 182                 }
 183                 if (ostate != IEEE80211_S_INIT) {
 184                         /* NB: optimize INIT -> INIT case */
 185                         ieee80211_reset_bss(vap);
 186                 }
 187                 if (vap->iv_auth->ia_detach != NULL)
 188                         vap->iv_auth->ia_detach(vap);
 189                 break;
 190         case IEEE80211_S_SCAN:
 191                 switch (ostate) {
 192                 case IEEE80211_S_CSA:
 193                 case IEEE80211_S_RUN:
 194                         ieee80211_iterate_nodes(&ic->ic_sta, sta_disassoc, vap);
 195                         /*
 196                          * Clear overlapping BSS state; the beacon frame
 197                          * will be reconstructed on transition to the RUN
 198                          * state and the timeout routines check if the flag
 199                          * is set before doing anything so this is sufficient.
 200                          */
 201                         ic->ic_flags_ext &= ~IEEE80211_FEXT_NONERP_PR;
 202                         ic->ic_flags_ht &= ~IEEE80211_FHT_NONHT_PR;
 203                         /* fall thru... */
 204                 case IEEE80211_S_CAC:
 205                         /*
 206                          * NB: We may get here because of a manual channel
 207                          *     change in which case we need to stop CAC
 208                          * XXX no need to stop if ostate RUN but it's ok
 209                          */
 210                         ieee80211_dfs_cac_stop(vap);
 211                         /* fall thru... */
 212                 case IEEE80211_S_INIT:
 213                         if (vap->iv_des_chan != IEEE80211_CHAN_ANYC &&
 214                             !IEEE80211_IS_CHAN_RADAR(vap->iv_des_chan)) {
 215                                 /*
 216                                  * Already have a channel; bypass the
 217                                  * scan and startup immediately.
 218                                  * ieee80211_create_ibss will call back to
 219                                  * move us to RUN state.
 220                                  */
 221                                 ieee80211_create_ibss(vap, vap->iv_des_chan);
 222                                 break;
 223                         }
 224                         /*
 225                          * Initiate a scan.  We can come here as a result
 226                          * of an IEEE80211_IOC_SCAN_REQ too in which case
 227                          * the vap will be marked with IEEE80211_FEXT_SCANREQ
 228                          * and the scan request parameters will be present
 229                          * in iv_scanreq.  Otherwise we do the default.
 230                          */
 231                         if (vap->iv_flags_ext & IEEE80211_FEXT_SCANREQ) {
 232                                 ieee80211_check_scan(vap,
 233                                     vap->iv_scanreq_flags,
 234                                     vap->iv_scanreq_duration,
 235                                     vap->iv_scanreq_mindwell,
 236                                     vap->iv_scanreq_maxdwell,
 237                                     vap->iv_scanreq_nssid, vap->iv_scanreq_ssid);
 238                                 vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANREQ;
 239                         } else
 240                                 ieee80211_check_scan_current(vap);
 241                         break;
 242                 case IEEE80211_S_SCAN:
 243                         /*
 244                          * A state change requires a reset; scan.
 245                          */
 246                         ieee80211_check_scan_current(vap);
 247                         break;
 248                 default:
 249                         break;
 250                 }
 251                 break;
 252         case IEEE80211_S_CAC:
 253                 /*
 254                  * Start CAC on a DFS channel.  We come here when starting
 255                  * a bss on a DFS channel (see ieee80211_create_ibss).
 256                  */
 257                 ieee80211_dfs_cac_start(vap);
 258                 break;
 259         case IEEE80211_S_RUN:
 260                 if (vap->iv_flags & IEEE80211_F_WPA) {
 261                         /* XXX validate prerequisites */
 262                 }
 263                 switch (ostate) {
 264                 case IEEE80211_S_INIT:
 265                         /*
 266                          * Already have a channel; bypass the
 267                          * scan and startup immediately.
 268                          * Note that ieee80211_create_ibss will call
 269                          * back to do a RUN->RUN state change.
 270                          */
 271                         ieee80211_create_ibss(vap,
 272                             ieee80211_ht_adjust_channel(ic,
 273                                 ic->ic_curchan, vap->iv_flags_ht));
 274                         /* NB: iv_bss is changed on return */
 275                         break;
 276                 case IEEE80211_S_CAC:
 277                         /*
 278                          * NB: This is the normal state change when CAC
 279                          * expires and no radar was detected; no need to
 280                          * clear the CAC timer as it's already expired.
 281                          */
 282                         /* fall thru... */
 283                 case IEEE80211_S_CSA:
 284                         /*
 285                          * Shorten inactivity timer of associated stations
 286                          * to weed out sta's that don't follow a CSA.
 287                          */
 288                         ieee80211_iterate_nodes(&ic->ic_sta, sta_csa, vap);
 289                         /*
 290                          * Update bss node channel to reflect where
 291                          * we landed after CSA.
 292                          */
 293                         ieee80211_node_set_chan(vap->iv_bss,
 294                             ieee80211_ht_adjust_channel(ic, ic->ic_curchan,
 295                                 ieee80211_htchanflags(vap->iv_bss->ni_chan)));
 296                         /* XXX bypass debug msgs */
 297                         break;
 298                 case IEEE80211_S_SCAN:
 299                 case IEEE80211_S_RUN:
 300 #ifdef IEEE80211_DEBUG
 301                         if (ieee80211_msg_debug(vap)) {
 302                                 struct ieee80211_node *ni = vap->iv_bss;
 303                                 ieee80211_note(vap,
 304                                     "synchronized with %s ssid ",
 305                                     kether_ntoa(ni->ni_bssid, ethstr));
 306                                 ieee80211_print_essid(ni->ni_essid,
 307                                     ni->ni_esslen);
 308                                 /* XXX MCS/HT */
 309                                 kprintf(" channel %d start %uMb\n",
 310                                     ieee80211_chan2ieee(ic, ic->ic_curchan),
 311                                     IEEE80211_RATE2MBS(ni->ni_txrate));
 312                         }
 313 #endif
 314                         break;
 315                 default:
 316                         break;
 317                 }
 318                 /*
 319                  * Start/stop the authenticator.  We delay until here
 320                  * to allow configuration to happen out of order.
 321                  */
 322                 if (vap->iv_auth->ia_attach != NULL) {
 323                         /* XXX check failure */
 324                         vap->iv_auth->ia_attach(vap);
 325                 } else if (vap->iv_auth->ia_detach != NULL) {
 326                         vap->iv_auth->ia_detach(vap);
 327                 }
 328                 ieee80211_node_authorize(vap->iv_bss);
 329                 break;
 330         case IEEE80211_S_CSA:
 331                 if (ostate == IEEE80211_S_RUN && isbandchange(ic)) {
 332                         /*
 333                          * On a ``band change'' silently drop associated
 334                          * stations as they must re-associate before they
 335                          * can pass traffic (as otherwise protocol state
 336                          * such as capabilities and the negotiated rate
 337                          * set may/will be wrong).
 338                          */
 339                         ieee80211_iterate_nodes(&ic->ic_sta, sta_drop, vap);
 340                 }
 341                 break;
 342         default:
 343                 break;
 344         }
 345         return 0;
 346 }
 347
 348 static void
 349 hostap_deliver_data(struct ieee80211vap *vap,
 350         struct ieee80211_node *ni, struct mbuf *m)
 351 {
 352         struct ether_header *eh = mtod(m, struct ether_header *);
 353         struct ifnet *ifp = vap->iv_ifp;
 354
 355         /* clear driver/net80211 flags before passing up */
 356         m->m_flags &= ~(M_80211_RX | M_MCAST | M_BCAST);
 357
 358         KASSERT(vap->iv_opmode == IEEE80211_M_HOSTAP,
 359             ("gack, opmode %d", vap->iv_opmode));
 360         /*
 361          * Do accounting.
 362          */
 363         ifp->if_ipackets++;
 364         IEEE80211_NODE_STAT(ni, rx_data);
 365         IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len);
 366         if (ETHER_IS_MULTICAST(eh->ether_dhost)) {
 367                 m->m_flags |= M_MCAST;          /* XXX M_BCAST? */
 368                 IEEE80211_NODE_STAT(ni, rx_mcast);
 369         } else
 370                 IEEE80211_NODE_STAT(ni, rx_ucast);
 371
 372         /* perform as a bridge within the AP */
 373         if ((vap->iv_flags & IEEE80211_F_NOBRIDGE) == 0) {
 374                 struct mbuf *mcopy = NULL;
 375
 376                 if (m->m_flags & M_MCAST) {
 377                         mcopy = m_dup(m, MB_DONTWAIT);
 378                         if (mcopy == NULL)
 379                                 ifp->if_oerrors++;
 380                         else
 381                                 mcopy->m_flags |= M_MCAST;
 382                 } else {
 383                         /*
 384                          * Check if the destination is associated with the
 385                          * same vap and authorized to receive traffic.
 386                          * Beware of traffic destined for the vap itself;
 387                          * sending it will not work; just let it be delivered
 388                          * normally.
 389                          */
 390                         struct ieee80211_node *sta = ieee80211_find_vap_node(
 391                              &vap->iv_ic->ic_sta, vap, eh->ether_dhost);
 392                         if (sta != NULL) {
 393                                 if (ieee80211_node_is_authorized(sta)) {
 394                                         /*
 395                                          * Beware of sending to ourself; this
 396                                          * needs to happen via the normal
 397                                          * input path.
 398                                          */
 399                                         if (sta != vap->iv_bss) {
 400                                                 mcopy = m;
 401                                                 m = NULL;
 402                                         }
 403                                 } else {
 404                                         vap->iv_stats.is_rx_unauth++;
 405                                         IEEE80211_NODE_STAT(sta, rx_unauth);
 406                                 }
 407                                 ieee80211_free_node(sta);
 408                         }
 409                 }
 410                 if (mcopy != NULL) {
 411                         int err;
 412                         err = ieee80211_handoff(ifp, mcopy);
 413                         if (err) {
 414                                 /* NB: IFQ_HANDOFF reclaims mcopy */
 415                         } else {
 416                                 ifp->if_opackets++;
 417                         }
 418                 }
 419         }
 420         if (m != NULL) {
 421                 /*
 422                  * Mark frame as coming from vap's interface.
 423                  */
 424                 m->m_pkthdr.rcvif = ifp;
 425                 if (m->m_flags & M_MCAST) {
 426                         /*
 427                          * Spam DWDS vap's w/ multicast traffic.
 428                          */
 429                         /* XXX only if dwds in use? */
 430                         ieee80211_dwds_mcast(vap, m);
 431                 }
 432                 if (ni->ni_vlan != 0) {
 433                         /* attach vlan tag */
 434                         m->m_pkthdr.ether_vlantag = ni->ni_vlan;
 435                         m->m_flags |= M_VLANTAG;
 436                 }
 437                 ifp->if_input(ifp, m);
 438         }
 439 }
 440
 441 /*
 442  * Decide if a received management frame should be
 443  * printed when debugging is enabled.  This filters some
 444  * of the less interesting frames that come frequently
 445  * (e.g. beacons).
 446  */
 447 static __inline int
 448 doprint(struct ieee80211vap *vap, int subtype)
 449 {
 450         switch (subtype) {
 451         case IEEE80211_FC0_SUBTYPE_BEACON:
 452                 return (vap->iv_ic->ic_flags & IEEE80211_F_SCAN);
 453         case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
 454                 return 0;
 455         }
 456         return 1;
 457 }
 458
 459 /*
 460  * Process a received frame.  The node associated with the sender
 461  * should be supplied.  If nothing was found in the node table then
 462  * the caller is assumed to supply a reference to iv_bss instead.
 463  * The RSSI and a timestamp are also supplied.  The RSSI data is used
 464  * during AP scanning to select a AP to associate with; it can have
 465  * any units so long as values have consistent units and higher values
 466  * mean ``better signal''.  The receive timestamp is currently not used
 467  * by the 802.11 layer.
 468  */
 469 static int
 470 hostap_input(struct ieee80211_node *ni, struct mbuf *m, int rssi, int nf)
 471 {
 472 #define SEQ_LEQ(a,b)    ((int)((a)-(b)) <= 0)
 473 #define HAS_SEQ(type)   ((type & 0x4) == 0)
 474         struct ieee80211vap *vap = ni->ni_vap;
 475         struct ieee80211com *ic = ni->ni_ic;
 476         struct ifnet *ifp = vap->iv_ifp;
 477         struct ieee80211_frame *wh;
 478         struct ieee80211_key *key;
 479         struct ether_header *eh;
 480         int hdrspace, need_tap = 1;     /* mbuf need to be tapped. */
 481         uint8_t dir, type, subtype, qos;
 482         uint8_t *bssid;
 483         uint16_t rxseq;
 484         char ethstr[ETHER_ADDRSTRLEN + 1];
 485
 486         if (m->m_flags & M_AMPDU_MPDU) {
 487                 /*
 488                  * Fastpath for A-MPDU reorder q resubmission.  Frames
 489                  * w/ M_AMPDU_MPDU marked have already passed through
 490                  * here but were received out of order and been held on
 491                  * the reorder queue.  When resubmitted they are marked
 492                  * with the M_AMPDU_MPDU flag and we can bypass most of
 493                  * the normal processing.
 494                  */
 495                 wh = mtod(m, struct ieee80211_frame *);
 496                 type = IEEE80211_FC0_TYPE_DATA;
 497                 dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
 498                 subtype = IEEE80211_FC0_SUBTYPE_QOS;
 499                 hdrspace = ieee80211_hdrspace(ic, wh);  /* XXX optimize? */
 500                 goto resubmit_ampdu;
 501         }
 502
 503         KASSERT(ni != NULL, ("null node"));
 504         ni->ni_inact = ni->ni_inact_reload;
 505
 506         type = -1;                      /* undefined */
 507
 508         if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) {
 509                 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
 510                     ni->ni_macaddr, NULL,
 511                     "too short (1): len %u", m->m_pkthdr.len);
 512                 vap->iv_stats.is_rx_tooshort++;
 513                 goto out;
 514         }
 515         /*
 516          * Bit of a cheat here, we use a pointer for a 3-address
 517          * frame format but don't reference fields past outside
 518          * ieee80211_frame_min w/o first validating the data is
 519          * present.
 520          */
 521         wh = mtod(m, struct ieee80211_frame *);
 522
 523         if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) !=
 524             IEEE80211_FC0_VERSION_0) {
 525                 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
 526                     ni->ni_macaddr, NULL, "wrong version, fc %02x:%02x",
 527                     wh->i_fc[0], wh->i_fc[1]);
 528                 vap->iv_stats.is_rx_badversion++;
 529                 goto err;
 530         }
 531
 532         dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK;
 533         type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
 534         subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
 535         if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) {
 536                 if (dir != IEEE80211_FC1_DIR_NODS)
 537                         bssid = wh->i_addr1;
 538                 else if (type == IEEE80211_FC0_TYPE_CTL)
 539                         bssid = wh->i_addr1;
 540                 else {
 541                         if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
 542                                 IEEE80211_DISCARD_MAC(vap,
 543                                     IEEE80211_MSG_ANY, ni->ni_macaddr,
 544                                     NULL, "too short (2): len %u",
 545                                     m->m_pkthdr.len);
 546                                 vap->iv_stats.is_rx_tooshort++;
 547                                 goto out;
 548                         }
 549                         bssid = wh->i_addr3;
 550                 }
 551                 /*
 552                  * Validate the bssid.
 553                  */
 554                 if (!(type == IEEE80211_FC0_TYPE_MGT &&
 555                       subtype == IEEE80211_FC0_SUBTYPE_BEACON) &&
 556                     !IEEE80211_ADDR_EQ(bssid, vap->iv_bss->ni_bssid) &&
 557                     !IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) {
 558                         /* not interested in */
 559                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
 560                             bssid, NULL, "%s", "not to bss");
 561                         vap->iv_stats.is_rx_wrongbss++;
 562                         goto out;
 563                 }
 564
 565                 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
 566                 ni->ni_noise = nf;
 567                 if (HAS_SEQ(type)) {
 568                         uint8_t tid = ieee80211_gettid(wh);
 569                         if (IEEE80211_QOS_HAS_SEQ(wh) &&
 570                             TID_TO_WME_AC(tid) >= WME_AC_VI)
 571                                 ic->ic_wme.wme_hipri_traffic++;
 572                         rxseq = le16toh(*(uint16_t *)wh->i_seq);
 573                         if ((ni->ni_flags & IEEE80211_NODE_HT) == 0 &&
 574                             (wh->i_fc[1] & IEEE80211_FC1_RETRY) &&
 575                             SEQ_LEQ(rxseq, ni->ni_rxseqs[tid])) {
 576                                 /* duplicate, discard */
 577                                 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
 578                                     bssid, "duplicate",
 579                                     "seqno <%u,%u> fragno <%u,%u> tid %u",
 580                                     rxseq >> IEEE80211_SEQ_SEQ_SHIFT,
 581                                     ni->ni_rxseqs[tid] >>
 582                                         IEEE80211_SEQ_SEQ_SHIFT,
 583                                     rxseq & IEEE80211_SEQ_FRAG_MASK,
 584                                     ni->ni_rxseqs[tid] &
 585                                         IEEE80211_SEQ_FRAG_MASK,
 586                                     tid);
 587                                 vap->iv_stats.is_rx_dup++;
 588                                 IEEE80211_NODE_STAT(ni, rx_dup);
 589                                 goto out;
 590                         }
 591                         ni->ni_rxseqs[tid] = rxseq;
 592                 }
 593         }
 594
 595         switch (type) {
 596         case IEEE80211_FC0_TYPE_DATA:
 597                 hdrspace = ieee80211_hdrspace(ic, wh);
 598                 if (m->m_len < hdrspace &&
 599                     (m = m_pullup(m, hdrspace)) == NULL) {
 600                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
 601                             ni->ni_macaddr, NULL,
 602                             "data too short: expecting %u", hdrspace);
 603                         vap->iv_stats.is_rx_tooshort++;
 604                         goto out;               /* XXX */
 605                 }
 606                 if (!(dir == IEEE80211_FC1_DIR_TODS ||
 607                      (dir == IEEE80211_FC1_DIR_DSTODS &&
 608                       (vap->iv_flags & IEEE80211_F_DWDS)))) {
 609                         if (dir != IEEE80211_FC1_DIR_DSTODS) {
 610                                 IEEE80211_DISCARD(vap,
 611                                     IEEE80211_MSG_INPUT, wh, "data",
 612                                     "incorrect dir 0x%x", dir);
 613                         } else {
 614                                 IEEE80211_DISCARD(vap,
 615                                     IEEE80211_MSG_INPUT |
 616                                     IEEE80211_MSG_WDS, wh,
 617                                     "4-address data",
 618                                     "%s", "DWDS not enabled");
 619                         }
 620                         vap->iv_stats.is_rx_wrongdir++;
 621                         goto out;
 622                 }
 623                 /* check if source STA is associated */
 624                 if (ni == vap->iv_bss) {
 625                         IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
 626                             wh, "data", "%s", "unknown src");
 627                         ieee80211_send_error(ni, wh->i_addr2,
 628                             IEEE80211_FC0_SUBTYPE_DEAUTH,
 629                             IEEE80211_REASON_NOT_AUTHED);
 630                         vap->iv_stats.is_rx_notassoc++;
 631                         goto err;
 632                 }
 633                 if (ni->ni_associd == 0) {
 634                         IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
 635                             wh, "data", "%s", "unassoc src");
 636                         IEEE80211_SEND_MGMT(ni,
 637                             IEEE80211_FC0_SUBTYPE_DISASSOC,
 638                             IEEE80211_REASON_NOT_ASSOCED);
 639                         vap->iv_stats.is_rx_notassoc++;
 640                         goto err;
 641                 }
 642
 643                 /*
 644                  * Check for power save state change.
 645                  * XXX out-of-order A-MPDU frames?
 646                  */
 647                 if (((wh->i_fc[1] & IEEE80211_FC1_PWR_MGT) ^
 648                     (ni->ni_flags & IEEE80211_NODE_PWR_MGT)))
 649                         ieee80211_node_pwrsave(ni,
 650                                 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT);
 651                 /*
 652                  * For 4-address packets handle WDS discovery
 653                  * notifications.  Once a WDS link is setup frames
 654                  * are just delivered to the WDS vap (see below).
 655                  */
 656                 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap == NULL) {
 657                         if (!ieee80211_node_is_authorized(ni)) {
 658                                 IEEE80211_DISCARD(vap,
 659                                     IEEE80211_MSG_INPUT |
 660                                     IEEE80211_MSG_WDS, wh,
 661                                     "4-address data",
 662                                     "%s", "unauthorized port");
 663                                 vap->iv_stats.is_rx_unauth++;
 664                                 IEEE80211_NODE_STAT(ni, rx_unauth);
 665                                 goto err;
 666                         }
 667                         ieee80211_dwds_discover(ni, m);
 668                         return type;
 669                 }
 670
 671                 /*
 672                  * Handle A-MPDU re-ordering.  If the frame is to be
 673                  * processed directly then ieee80211_ampdu_reorder
 674                  * will return 0; otherwise it has consumed the mbuf
 675                  * and we should do nothing more with it.
 676                  */
 677                 if ((m->m_flags & M_AMPDU) &&
 678                     ieee80211_ampdu_reorder(ni, m) != 0) {
 679                         m = NULL;
 680                         goto out;
 681                 }
 682         resubmit_ampdu:
 683
 684                 /*
 685                  * Handle privacy requirements.  Note that we
 686                  * must not be preempted from here until after
 687                  * we (potentially) call ieee80211_crypto_demic;
 688                  * otherwise we may violate assumptions in the
 689                  * crypto cipher modules used to do delayed update
 690                  * of replay sequence numbers.
 691                  */
 692                 if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
 693                         if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
 694                                 /*
 695                                  * Discard encrypted frames when privacy is off.
 696                                  */
 697                                 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
 698                                     wh, "WEP", "%s", "PRIVACY off");
 699                                 vap->iv_stats.is_rx_noprivacy++;
 700                                 IEEE80211_NODE_STAT(ni, rx_noprivacy);
 701                                 goto out;
 702                         }
 703                         key = ieee80211_crypto_decap(ni, m, hdrspace);
 704                         if (key == NULL) {
 705                                 /* NB: stats+msgs handled in crypto_decap */
 706                                 IEEE80211_NODE_STAT(ni, rx_wepfail);
 707                                 goto out;
 708                         }
 709                         wh = mtod(m, struct ieee80211_frame *);
 710                         wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
 711                 } else {
 712                         /* XXX M_WEP and IEEE80211_F_PRIVACY */
 713                         key = NULL;
 714                 }
 715
 716                 /*
 717                  * Save QoS bits for use below--before we strip the header.
 718                  */
 719                 if (subtype == IEEE80211_FC0_SUBTYPE_QOS) {
 720                         qos = (dir == IEEE80211_FC1_DIR_DSTODS) ?
 721                             ((struct ieee80211_qosframe_addr4 *)wh)->i_qos[0] :
 722                             ((struct ieee80211_qosframe *)wh)->i_qos[0];
 723                 } else
 724                         qos = 0;
 725
 726                 /*
 727                  * Next up, any fragmentation.
 728                  */
 729                 if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
 730                         m = ieee80211_defrag(ni, m, hdrspace);
 731                         if (m == NULL) {
 732                                 /* Fragment dropped or frame not complete yet */
 733                                 goto out;
 734                         }
 735                 }
 736                 wh = NULL;              /* no longer valid, catch any uses */
 737
 738                 /*
 739                  * Next strip any MSDU crypto bits.
 740                  */
 741                 if (key != NULL && !ieee80211_crypto_demic(vap, key, m, 0)) {
 742                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
 743                             ni->ni_macaddr, "data", "%s", "demic error");
 744                         vap->iv_stats.is_rx_demicfail++;
 745                         IEEE80211_NODE_STAT(ni, rx_demicfail);
 746                         goto out;
 747                 }
 748                 /* copy to listener after decrypt */
 749                 if (ieee80211_radiotap_active_vap(vap))
 750                         ieee80211_radiotap_rx(vap, m);
 751                 need_tap = 0;
 752                 /*
 753                  * Finally, strip the 802.11 header.
 754                  */
 755                 m = ieee80211_decap(vap, m, hdrspace);
 756                 if (m == NULL) {
 757                         /* XXX mask bit to check for both */
 758                         /* don't count Null data frames as errors */
 759                         if (subtype == IEEE80211_FC0_SUBTYPE_NODATA ||
 760                             subtype == IEEE80211_FC0_SUBTYPE_QOS_NULL)
 761                                 goto out;
 762                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
 763                             ni->ni_macaddr, "data", "%s", "decap error");
 764                         vap->iv_stats.is_rx_decap++;
 765                         IEEE80211_NODE_STAT(ni, rx_decap);
 766                         goto err;
 767                 }
 768                 eh = mtod(m, struct ether_header *);
 769                 if (!ieee80211_node_is_authorized(ni)) {
 770                         /*
 771                          * Deny any non-PAE frames received prior to
 772                          * authorization.  For open/shared-key
 773                          * authentication the port is mark authorized
 774                          * after authentication completes.  For 802.1x
 775                          * the port is not marked authorized by the
 776                          * authenticator until the handshake has completed.
 777                          */
 778                         if (eh->ether_type != htons(ETHERTYPE_PAE)) {
 779                                 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
 780                                     eh->ether_shost, "data",
 781                                     "unauthorized port: ether type 0x%x len %u",
 782                                     eh->ether_type, m->m_pkthdr.len);
 783                                 vap->iv_stats.is_rx_unauth++;
 784                                 IEEE80211_NODE_STAT(ni, rx_unauth);
 785                                 goto err;
 786                         }
 787                 } else {
 788                         /*
 789                          * When denying unencrypted frames, discard
 790                          * any non-PAE frames received without encryption.
 791                          */
 792                         if ((vap->iv_flags & IEEE80211_F_DROPUNENC) &&
 793                             (key == NULL && (m->m_flags & M_WEP) == 0) &&
 794                             eh->ether_type != htons(ETHERTYPE_PAE)) {
 795                                 /*
 796                                  * Drop unencrypted frames.
 797                                  */
 798                                 vap->iv_stats.is_rx_unencrypted++;
 799                                 IEEE80211_NODE_STAT(ni, rx_unencrypted);
 800                                 goto out;
 801                         }
 802                 }
 803                 /* XXX require HT? */
 804                 if (qos & IEEE80211_QOS_AMSDU) {
 805                         m = ieee80211_decap_amsdu(ni, m);
 806                         if (m == NULL)
 807                                 return IEEE80211_FC0_TYPE_DATA;
 808                 } else {
 809 #ifdef IEEE80211_SUPPORT_SUPERG
 810                         m = ieee80211_decap_fastframe(vap, ni, m);
 811                         if (m == NULL)
 812                                 return IEEE80211_FC0_TYPE_DATA;
 813 #endif
 814                 }
 815                 if (dir == IEEE80211_FC1_DIR_DSTODS && ni->ni_wdsvap != NULL)
 816                         ieee80211_deliver_data(ni->ni_wdsvap, ni, m);
 817                 else
 818                         hostap_deliver_data(vap, ni, m);
 819                 return IEEE80211_FC0_TYPE_DATA;
 820
 821         case IEEE80211_FC0_TYPE_MGT:
 822                 vap->iv_stats.is_rx_mgmt++;
 823                 IEEE80211_NODE_STAT(ni, rx_mgmt);
 824                 if (dir != IEEE80211_FC1_DIR_NODS) {
 825                         IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
 826                             wh, "mgt", "incorrect dir 0x%x", dir);
 827                         vap->iv_stats.is_rx_wrongdir++;
 828                         goto err;
 829                 }
 830                 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
 831                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_ANY,
 832                             ni->ni_macaddr, "mgt", "too short: len %u",
 833                             m->m_pkthdr.len);
 834                         vap->iv_stats.is_rx_tooshort++;
 835                         goto out;
 836                 }
 837                 if (IEEE80211_IS_MULTICAST(wh->i_addr2)) {
 838                         /* ensure return frames are unicast */
 839                         IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
 840                             wh, NULL, "source is multicast: %s",
 841                             kether_ntoa(wh->i_addr2, ethstr));
 842                         vap->iv_stats.is_rx_mgtdiscard++;       /* XXX stat */
 843                         goto out;
 844                 }
 845 #ifdef IEEE80211_DEBUG
 846                 if ((ieee80211_msg_debug(vap) && doprint(vap, subtype)) ||
 847                     ieee80211_msg_dumppkts(vap)) {
 848                         if_printf(ifp, "received %s from %s rssi %d\n",
 849                             ieee80211_mgt_subtype_name[subtype >>
 850                                 IEEE80211_FC0_SUBTYPE_SHIFT],
 851                             kether_ntoa(wh->i_addr2, ethstr), rssi);
 852                 }
 853 #endif
 854                 if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
 855                         if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) {
 856                                 /*
 857                                  * Only shared key auth frames with a challenge
 858                                  * should be encrypted, discard all others.
 859                                  */
 860                                 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
 861                                     wh, NULL,
 862                                     "%s", "WEP set but not permitted");
 863                                 vap->iv_stats.is_rx_mgtdiscard++; /* XXX */
 864                                 goto out;
 865                         }
 866                         if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
 867                                 /*
 868                                  * Discard encrypted frames when privacy is off.
 869                                  */
 870                                 IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
 871                                     wh, NULL, "%s", "WEP set but PRIVACY off");
 872                                 vap->iv_stats.is_rx_noprivacy++;
 873                                 goto out;
 874                         }
 875                         hdrspace = ieee80211_hdrspace(ic, wh);
 876                         key = ieee80211_crypto_decap(ni, m, hdrspace);
 877                         if (key == NULL) {
 878                                 /* NB: stats+msgs handled in crypto_decap */
 879                                 goto out;
 880                         }
 881                         wh = mtod(m, struct ieee80211_frame *);
 882                         wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
 883                 }
 884                 vap->iv_recv_mgmt(ni, m, subtype, rssi, nf);
 885                 goto out;
 886
 887         case IEEE80211_FC0_TYPE_CTL:
 888                 vap->iv_stats.is_rx_ctl++;
 889                 IEEE80211_NODE_STAT(ni, rx_ctrl);
 890                 vap->iv_recv_ctl(ni, m, subtype);
 891                 goto out;
 892         default:
 893                 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
 894                     wh, "bad", "frame type 0x%x", type);
 895                 /* should not come here */
 896                 break;
 897         }
 898 err:
 899         ifp->if_ierrors++;
 900 out:
 901         if (m != NULL) {
 902                 if (need_tap && ieee80211_radiotap_active_vap(vap))
 903                         ieee80211_radiotap_rx(vap, m);
 904                 m_freem(m);
 905         }
 906         return type;
 907 #undef SEQ_LEQ
 908 }
 909
 910 static void
 911 hostap_auth_open(struct ieee80211_node *ni, struct ieee80211_frame *wh,
 912     int rssi, int nf, uint16_t seq, uint16_t status)
 913 {
 914         struct ieee80211vap *vap = ni->ni_vap;
 915
 916         KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state));
 917
 918         if (ni->ni_authmode == IEEE80211_AUTH_SHARED) {
 919                 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
 920                     ni->ni_macaddr, "open auth",
 921                     "bad sta auth mode %u", ni->ni_authmode);
 922                 vap->iv_stats.is_rx_bad_auth++; /* XXX */
 923                 /*
 924                  * Clear any challenge text that may be there if
 925                  * a previous shared key auth failed and then an
 926                  * open auth is attempted.
 927                  */
 928                 if (ni->ni_challenge != NULL) {
 929                         kfree(ni->ni_challenge, M_80211_NODE);
 930                         ni->ni_challenge = NULL;
 931                 }
 932                 /* XXX hack to workaround calling convention */
 933                 ieee80211_send_error(ni, wh->i_addr2,
 934                     IEEE80211_FC0_SUBTYPE_AUTH,
 935                     (seq + 1) | (IEEE80211_STATUS_ALG<<16));
 936                 return;
 937         }
 938         if (seq != IEEE80211_AUTH_OPEN_REQUEST) {
 939                 vap->iv_stats.is_rx_bad_auth++;
 940                 return;
 941         }
 942         /* always accept open authentication requests */
 943         if (ni == vap->iv_bss) {
 944                 ni = ieee80211_dup_bss(vap, wh->i_addr2);
 945                 if (ni == NULL)
 946                         return;
 947         } else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0)
 948                 (void) ieee80211_ref_node(ni);
 949         /*
 950          * Mark the node as referenced to reflect that it's
 951          * reference count has been bumped to insure it remains
 952          * after the transaction completes.
 953          */
 954         ni->ni_flags |= IEEE80211_NODE_AREF;
 955         /*
 956          * Mark the node as requiring a valid association id
 957          * before outbound traffic is permitted.
 958          */
 959         ni->ni_flags |= IEEE80211_NODE_ASSOCID;
 960
 961         if (vap->iv_acl != NULL &&
 962             vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) {
 963                 /*
 964                  * When the ACL policy is set to RADIUS we defer the
 965                  * authorization to a user agent.  Dispatch an event,
 966                  * a subsequent MLME call will decide the fate of the
 967                  * station.  If the user agent is not present then the
 968                  * node will be reclaimed due to inactivity.
 969                  */
 970                 IEEE80211_NOTE_MAC(vap,
 971                     IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL, ni->ni_macaddr,
 972                     "%s", "station authentication defered (radius acl)");
 973                 ieee80211_notify_node_auth(ni);
 974         } else {
 975                 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
 976                 IEEE80211_NOTE_MAC(vap,
 977                     IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH, ni->ni_macaddr,
 978                     "%s", "station authenticated (open)");
 979                 /*
 980                  * When 802.1x is not in use mark the port
 981                  * authorized at this point so traffic can flow.
 982                  */
 983                 if (ni->ni_authmode != IEEE80211_AUTH_8021X)
 984                         ieee80211_node_authorize(ni);
 985         }
 986 }
 987
 988 static void
 989 hostap_auth_shared(struct ieee80211_node *ni, struct ieee80211_frame *wh,
 990     uint8_t *frm, uint8_t *efrm, int rssi, int nf,
 991     uint16_t seq, uint16_t status)
 992 {
 993         struct ieee80211vap *vap = ni->ni_vap;
 994         uint8_t *challenge;
 995         int allocbs, estatus;
 996
 997         KASSERT(vap->iv_state == IEEE80211_S_RUN, ("state %d", vap->iv_state));
 998
 999         /*
1000          * NB: this can happen as we allow pre-shared key
1001          * authentication to be enabled w/o wep being turned
1002          * on so that configuration of these can be done
1003          * in any order.  It may be better to enforce the
1004          * ordering in which case this check would just be
1005          * for sanity/consistency.
1006          */
1007         if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) {
1008                 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1009                     ni->ni_macaddr, "shared key auth",
1010                     "%s", " PRIVACY is disabled");
1011                 estatus = IEEE80211_STATUS_ALG;
1012                 goto bad;
1013         }
1014         /*
1015          * Pre-shared key authentication is evil; accept
1016          * it only if explicitly configured (it is supported
1017          * mainly for compatibility with clients like Mac OS X).
1018          */
1019         if (ni->ni_authmode != IEEE80211_AUTH_AUTO &&
1020             ni->ni_authmode != IEEE80211_AUTH_SHARED) {
1021                 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1022                     ni->ni_macaddr, "shared key auth",
1023                     "bad sta auth mode %u", ni->ni_authmode);
1024                 vap->iv_stats.is_rx_bad_auth++; /* XXX maybe a unique error? */
1025                 estatus = IEEE80211_STATUS_ALG;
1026                 goto bad;
1027         }
1028
1029         challenge = NULL;
1030         if (frm + 1 < efrm) {
1031                 if ((frm[1] + 2) > (efrm - frm)) {
1032                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1033                             ni->ni_macaddr, "shared key auth",
1034                             "ie %d/%d too long",
1035                             frm[0], (int)((frm[1] + 2) - (efrm - frm)));
1036                         vap->iv_stats.is_rx_bad_auth++;
1037                         estatus = IEEE80211_STATUS_CHALLENGE;
1038                         goto bad;
1039                 }
1040                 if (*frm == IEEE80211_ELEMID_CHALLENGE)
1041                         challenge = frm;
1042                 frm += frm[1] + 2;
1043         }
1044         switch (seq) {
1045         case IEEE80211_AUTH_SHARED_CHALLENGE:
1046         case IEEE80211_AUTH_SHARED_RESPONSE:
1047                 if (challenge == NULL) {
1048                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1049                             ni->ni_macaddr, "shared key auth",
1050                             "%s", "no challenge");
1051                         vap->iv_stats.is_rx_bad_auth++;
1052                         estatus = IEEE80211_STATUS_CHALLENGE;
1053                         goto bad;
1054                 }
1055                 if (challenge[1] != IEEE80211_CHALLENGE_LEN) {
1056                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1057                             ni->ni_macaddr, "shared key auth",
1058                             "bad challenge len %d", challenge[1]);
1059                         vap->iv_stats.is_rx_bad_auth++;
1060                         estatus = IEEE80211_STATUS_CHALLENGE;
1061                         goto bad;
1062                 }
1063         default:
1064                 break;
1065         }
1066         switch (seq) {
1067         case IEEE80211_AUTH_SHARED_REQUEST:
1068                 if (ni == vap->iv_bss) {
1069                         ni = ieee80211_dup_bss(vap, wh->i_addr2);
1070                         if (ni == NULL) {
1071                                 /* NB: no way to return an error */
1072                                 return;
1073                         }
1074                         allocbs = 1;
1075                 } else {
1076                         if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0)
1077                                 (void) ieee80211_ref_node(ni);
1078                         allocbs = 0;
1079                 }
1080                 /*
1081                  * Mark the node as referenced to reflect that it's
1082                  * reference count has been bumped to insure it remains
1083                  * after the transaction completes.
1084                  */
1085                 ni->ni_flags |= IEEE80211_NODE_AREF;
1086                 /*
1087                  * Mark the node as requiring a valid associatio id
1088                  * before outbound traffic is permitted.
1089                  */
1090                 ni->ni_flags |= IEEE80211_NODE_ASSOCID;
1091                 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
1092                 ni->ni_noise = nf;
1093                 if (!ieee80211_alloc_challenge(ni)) {
1094                         /* NB: don't return error so they rexmit */
1095                         return;
1096                 }
1097                 get_random_bytes(ni->ni_challenge,
1098                         IEEE80211_CHALLENGE_LEN);
1099                 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1100                     ni, "shared key %sauth request", allocbs ? "" : "re");
1101                 /*
1102                  * When the ACL policy is set to RADIUS we defer the
1103                  * authorization to a user agent.  Dispatch an event,
1104                  * a subsequent MLME call will decide the fate of the
1105                  * station.  If the user agent is not present then the
1106                  * node will be reclaimed due to inactivity.
1107                  */
1108                 if (vap->iv_acl != NULL &&
1109                     vap->iv_acl->iac_getpolicy(vap) == IEEE80211_MACCMD_POLICY_RADIUS) {
1110                         IEEE80211_NOTE_MAC(vap,
1111                             IEEE80211_MSG_AUTH | IEEE80211_MSG_ACL,
1112                             ni->ni_macaddr,
1113                             "%s", "station authentication defered (radius acl)");
1114                         ieee80211_notify_node_auth(ni);
1115                         return;
1116                 }
1117                 break;
1118         case IEEE80211_AUTH_SHARED_RESPONSE:
1119                 if (ni == vap->iv_bss) {
1120                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1121                             ni->ni_macaddr, "shared key response",
1122                             "%s", "unknown station");
1123                         /* NB: don't send a response */
1124                         return;
1125                 }
1126                 if (ni->ni_challenge == NULL) {
1127                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1128                             ni->ni_macaddr, "shared key response",
1129                             "%s", "no challenge recorded");
1130                         vap->iv_stats.is_rx_bad_auth++;
1131                         estatus = IEEE80211_STATUS_CHALLENGE;
1132                         goto bad;
1133                 }
1134                 if (memcmp(ni->ni_challenge, &challenge[2],
1135                            challenge[1]) != 0) {
1136                         IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1137                             ni->ni_macaddr, "shared key response",
1138                             "%s", "challenge mismatch");
1139                         vap->iv_stats.is_rx_auth_fail++;
1140                         estatus = IEEE80211_STATUS_CHALLENGE;
1141                         goto bad;
1142                 }
1143                 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1144                     ni, "%s", "station authenticated (shared key)");
1145                 ieee80211_node_authorize(ni);
1146                 break;
1147         default:
1148                 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
1149                     ni->ni_macaddr, "shared key auth",
1150                     "bad seq %d", seq);
1151                 vap->iv_stats.is_rx_bad_auth++;
1152                 estatus = IEEE80211_STATUS_SEQUENCE;
1153                 goto bad;
1154         }
1155         IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
1156         return;
1157 bad:
1158         /*
1159          * Send an error response; but only when operating as an AP.
1160          */
1161         /* XXX hack to workaround calling convention */
1162         ieee80211_send_error(ni, wh->i_addr2,
1163             IEEE80211_FC0_SUBTYPE_AUTH,
1164             (seq + 1) | (estatus<<16));
1165 }
1166
1167 /*
1168  * Convert a WPA cipher selector OUI to an internal
1169  * cipher algorithm.  Where appropriate we also
1170  * record any key length.
1171  */
1172 static int
1173 wpa_cipher(const uint8_t *sel, uint8_t *keylen)
1174 {
1175 #define WPA_SEL(x)      (((x)<<24)|WPA_OUI)
1176         uint32_t w = LE_READ_4(sel);
1177
1178         switch (w) {
1179         case WPA_SEL(WPA_CSE_NULL):
1180                 return IEEE80211_CIPHER_NONE;
1181         case WPA_SEL(WPA_CSE_WEP40):
1182                 if (keylen)
1183                         *keylen = 40 / NBBY;
1184                 return IEEE80211_CIPHER_WEP;
1185         case WPA_SEL(WPA_CSE_WEP104):
1186                 if (keylen)
1187                         *keylen = 104 / NBBY;
1188                 return IEEE80211_CIPHER_WEP;
1189         case WPA_SEL(WPA_CSE_TKIP):
1190                 return IEEE80211_CIPHER_TKIP;
1191         case WPA_SEL(WPA_CSE_CCMP):
1192                 return IEEE80211_CIPHER_AES_CCM;
1193         }
1194         return 32;              /* NB: so 1<< is discarded */
1195 #undef WPA_SEL
1196 }
1197
1198 /*
1199  * Convert a WPA key management/authentication algorithm
1200  * to an internal code.
1201  */
1202 static int
1203 wpa_keymgmt(const uint8_t *sel)
1204 {
1205 #define WPA_SEL(x)      (((x)<<24)|WPA_OUI)
1206         uint32_t w = LE_READ_4(sel);
1207
1208         switch (w) {
1209         case WPA_SEL(WPA_ASE_8021X_UNSPEC):
1210                 return WPA_ASE_8021X_UNSPEC;
1211         case WPA_SEL(WPA_ASE_8021X_PSK):
1212                 return WPA_ASE_8021X_PSK;
1213         case WPA_SEL(WPA_ASE_NONE):
1214                 return WPA_ASE_NONE;
1215         }
1216         return 0;               /* NB: so is discarded */
1217 #undef WPA_SEL
1218 }
1219
1220 /*
1221  * Parse a WPA information element to collect parameters.
1222  * Note that we do not validate security parameters; that
1223  * is handled by the authenticator; the parsing done here
1224  * is just for internal use in making operational decisions.
1225  */
1226 static int
1227 ieee80211_parse_wpa(struct ieee80211vap *vap, const uint8_t *frm,
1228         struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh)
1229 {
1230         uint8_t len = frm[1];
1231         uint32_t w;
1232         int n;
1233
1234         /*
1235          * Check the length once for fixed parts: OUI, type,
1236          * version, mcast cipher, and 2 selector counts.
1237          * Other, variable-length data, must be checked separately.
1238          */
1239         if ((vap->iv_flags & IEEE80211_F_WPA1) == 0) {
1240                 IEEE80211_DISCARD_IE(vap,
1241                     IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1242                     wh, "WPA", "not WPA, flags 0x%x", vap->iv_flags);
1243                 return IEEE80211_REASON_IE_INVALID;
1244         }
1245         if (len < 14) {
1246                 IEEE80211_DISCARD_IE(vap,
1247                     IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1248                     wh, "WPA", "too short, len %u", len);
1249                 return IEEE80211_REASON_IE_INVALID;
1250         }
1251         frm += 6, len -= 4;             /* NB: len is payload only */
1252         /* NB: iswpaoui already validated the OUI and type */
1253         w = LE_READ_2(frm);
1254         if (w != WPA_VERSION) {
1255                 IEEE80211_DISCARD_IE(vap,
1256                     IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1257                     wh, "WPA", "bad version %u", w);
1258                 return IEEE80211_REASON_IE_INVALID;
1259         }
1260         frm += 2, len -= 2;
1261
1262         memset(rsn, 0, sizeof(*rsn));
1263
1264         /* multicast/group cipher */
1265         rsn->rsn_mcastcipher = wpa_cipher(frm, &rsn->rsn_mcastkeylen);
1266         frm += 4, len -= 4;
1267
1268         /* unicast ciphers */
1269         n = LE_READ_2(frm);
1270         frm += 2, len -= 2;
1271         if (len < n*4+2) {
1272                 IEEE80211_DISCARD_IE(vap,
1273                     IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1274                     wh, "WPA", "ucast cipher data too short; len %u, n %u",
1275                     len, n);
1276                 return IEEE80211_REASON_IE_INVALID;
1277         }
1278         w = 0;
1279         for (; n > 0; n--) {
1280                 w |= 1<<wpa_cipher(frm, &rsn->rsn_ucastkeylen);
1281                 frm += 4, len -= 4;
1282         }
1283         if (w & (1<<IEEE80211_CIPHER_TKIP))
1284                 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
1285         else
1286                 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
1287
1288         /* key management algorithms */
1289         n = LE_READ_2(frm);
1290         frm += 2, len -= 2;
1291         if (len < n*4) {
1292                 IEEE80211_DISCARD_IE(vap,
1293                     IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1294                     wh, "WPA", "key mgmt alg data too short; len %u, n %u",
1295                     len, n);
1296                 return IEEE80211_REASON_IE_INVALID;
1297         }
1298         w = 0;
1299         for (; n > 0; n--) {
1300                 w |= wpa_keymgmt(frm);
1301                 frm += 4, len -= 4;
1302         }
1303         if (w & WPA_ASE_8021X_UNSPEC)
1304                 rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC;
1305         else
1306                 rsn->rsn_keymgmt = WPA_ASE_8021X_PSK;
1307
1308         if (len > 2)            /* optional capabilities */
1309                 rsn->rsn_caps = LE_READ_2(frm);
1310
1311         return 0;
1312 }
1313
1314 /*
1315  * Convert an RSN cipher selector OUI to an internal
1316  * cipher algorithm.  Where appropriate we also
1317  * record any key length.
1318  */
1319 static int
1320 rsn_cipher(const uint8_t *sel, uint8_t *keylen)
1321 {
1322 #define RSN_SEL(x)      (((x)<<24)|RSN_OUI)
1323         uint32_t w = LE_READ_4(sel);
1324
1325         switch (w) {
1326         case RSN_SEL(RSN_CSE_NULL):
1327                 return IEEE80211_CIPHER_NONE;
1328         case RSN_SEL(RSN_CSE_WEP40):
1329                 if (keylen)
1330                         *keylen = 40 / NBBY;
1331                 return IEEE80211_CIPHER_WEP;
1332         case RSN_SEL(RSN_CSE_WEP104):
1333                 if (keylen)
1334                         *keylen = 104 / NBBY;
1335                 return IEEE80211_CIPHER_WEP;
1336         case RSN_SEL(RSN_CSE_TKIP):
1337                 return IEEE80211_CIPHER_TKIP;
1338         case RSN_SEL(RSN_CSE_CCMP):
1339                 return IEEE80211_CIPHER_AES_CCM;
1340         case RSN_SEL(RSN_CSE_WRAP):
1341                 return IEEE80211_CIPHER_AES_OCB;
1342         }
1343         return 32;              /* NB: so 1<< is discarded */
1344 #undef WPA_SEL
1345 }
1346
1347 /*
1348  * Convert an RSN key management/authentication algorithm
1349  * to an internal code.
1350  */
1351 static int
1352 rsn_keymgmt(const uint8_t *sel)
1353 {
1354 #define RSN_SEL(x)      (((x)<<24)|RSN_OUI)
1355         uint32_t w = LE_READ_4(sel);
1356
1357         switch (w) {
1358         case RSN_SEL(RSN_ASE_8021X_UNSPEC):
1359                 return RSN_ASE_8021X_UNSPEC;
1360         case RSN_SEL(RSN_ASE_8021X_PSK):
1361                 return RSN_ASE_8021X_PSK;
1362         case RSN_SEL(RSN_ASE_NONE):
1363                 return RSN_ASE_NONE;
1364         }
1365         return 0;               /* NB: so is discarded */
1366 #undef RSN_SEL
1367 }
1368
1369 /*
1370  * Parse a WPA/RSN information element to collect parameters
1371  * and validate the parameters against what has been
1372  * configured for the system.
1373  */
1374 static int
1375 ieee80211_parse_rsn(struct ieee80211vap *vap, const uint8_t *frm,
1376         struct ieee80211_rsnparms *rsn, const struct ieee80211_frame *wh)
1377 {
1378         uint8_t len = frm[1];
1379         uint32_t w;
1380         int n;
1381
1382         /*
1383          * Check the length once for fixed parts:
1384          * version, mcast cipher, and 2 selector counts.
1385          * Other, variable-length data, must be checked separately.
1386          */
1387         if ((vap->iv_flags & IEEE80211_F_WPA2) == 0) {
1388                 IEEE80211_DISCARD_IE(vap,
1389                     IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1390                     wh, "WPA", "not RSN, flags 0x%x", vap->iv_flags);
1391                 return IEEE80211_REASON_IE_INVALID;
1392         }
1393         if (len < 10) {
1394                 IEEE80211_DISCARD_IE(vap,
1395                     IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1396                     wh, "RSN", "too short, len %u", len);
1397                 return IEEE80211_REASON_IE_INVALID;
1398         }
1399         frm += 2;
1400         w = LE_READ_2(frm);
1401         if (w != RSN_VERSION) {
1402                 IEEE80211_DISCARD_IE(vap,
1403                     IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1404                     wh, "RSN", "bad version %u", w);
1405                 return IEEE80211_REASON_IE_INVALID;
1406         }
1407         frm += 2, len -= 2;
1408
1409         memset(rsn, 0, sizeof(*rsn));
1410
1411         /* multicast/group cipher */
1412         rsn->rsn_mcastcipher = rsn_cipher(frm, &rsn->rsn_mcastkeylen);
1413         frm += 4, len -= 4;
1414
1415         /* unicast ciphers */
1416         n = LE_READ_2(frm);
1417         frm += 2, len -= 2;
1418         if (len < n*4+2) {
1419                 IEEE80211_DISCARD_IE(vap,
1420                     IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1421                     wh, "RSN", "ucast cipher data too short; len %u, n %u",
1422                     len, n);
1423                 return IEEE80211_REASON_IE_INVALID;
1424         }
1425         w = 0;
1426         for (; n > 0; n--) {
1427                 w |= 1<<rsn_cipher(frm, &rsn->rsn_ucastkeylen);
1428                 frm += 4, len -= 4;
1429         }
1430         if (w & (1<<IEEE80211_CIPHER_TKIP))
1431                 rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
1432         else
1433                 rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
1434
1435         /* key management algorithms */
1436         n = LE_READ_2(frm);
1437         frm += 2, len -= 2;
1438         if (len < n*4) {
1439                 IEEE80211_DISCARD_IE(vap,
1440                     IEEE80211_MSG_ELEMID | IEEE80211_MSG_WPA,
1441                     wh, "RSN", "key mgmt alg data too short; len %u, n %u",
1442                     len, n);
1443                 return IEEE80211_REASON_IE_INVALID;
1444         }
1445         w = 0;
1446         for (; n > 0; n--) {
1447                 w |= rsn_keymgmt(frm);
1448                 frm += 4, len -= 4;
1449         }
1450         if (w & RSN_ASE_8021X_UNSPEC)
1451                 rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC;
1452         else
1453                 rsn->rsn_keymgmt = RSN_ASE_8021X_PSK;
1454
1455         /* optional RSN capabilities */
1456         if (len > 2)
1457                 rsn->rsn_caps = LE_READ_2(frm);
1458         /* XXXPMKID */
1459
1460         return 0;
1461 }
1462
1463 /*
1464  * WPA/802.11i assocation request processing.
1465  */
1466 static int
1467 wpa_assocreq(struct ieee80211_node *ni, struct ieee80211_rsnparms *rsnparms,
1468         const struct ieee80211_frame *wh, const uint8_t *wpa,
1469         const uint8_t *rsn, uint16_t capinfo)
1470 {
1471         struct ieee80211vap *vap = ni->ni_vap;
1472         uint8_t reason;
1473         int badwparsn;
1474
1475         ni->ni_flags &= ~(IEEE80211_NODE_WPS|IEEE80211_NODE_TSN);
1476         if (wpa == NULL && rsn == NULL) {
1477                 if (vap->iv_flags_ext & IEEE80211_FEXT_WPS) {
1478                         /*
1479                          * W-Fi Protected Setup (WPS) permits
1480                          * clients to associate and pass EAPOL frames
1481                          * to establish initial credentials.
1482                          */
1483                         ni->ni_flags |= IEEE80211_NODE_WPS;
1484                         return 1;
1485                 }
1486                 if ((vap->iv_flags_ext & IEEE80211_FEXT_TSN) &&
1487                     (capinfo & IEEE80211_CAPINFO_PRIVACY)) {
1488                         /*
1489                          * Transitional Security Network.  Permits clients
1490                          * to associate and use WEP while WPA is configured.
1491                          */
1492                         ni->ni_flags |= IEEE80211_NODE_TSN;
1493                         return 1;
1494                 }
1495                 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA,
1496                     wh, NULL, "%s", "no WPA/RSN IE in association request");
1497                 vap->iv_stats.is_rx_assoc_badwpaie++;
1498                 reason = IEEE80211_REASON_IE_INVALID;
1499                 goto bad;
1500         }
1501         /* assert right association security credentials */
1502         badwparsn = 0;                  /* NB: to silence compiler */
1503         switch (vap->iv_flags & IEEE80211_F_WPA) {
1504         case IEEE80211_F_WPA1:
1505                 badwparsn = (wpa == NULL);
1506                 break;
1507         case IEEE80211_F_WPA2:
1508                 badwparsn = (rsn == NULL);
1509                 break;
1510         case IEEE80211_F_WPA1|IEEE80211_F_WPA2:
1511                 badwparsn = (wpa == NULL && rsn == NULL);
1512                 break;
1513         }
1514         if (badwparsn) {
1515                 IEEE80211_DISCARD(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA,
1516                     wh, NULL,
1517                     "%s", "missing WPA/RSN IE in association request");
1518                 vap->iv_stats.is_rx_assoc_badwpaie++;
1519                 reason = IEEE80211_REASON_IE_INVALID;
1520                 goto bad;
1521         }
1522         /*
1523          * Parse WPA/RSN information element.
1524          */
1525         if (wpa != NULL)
1526                 reason = ieee80211_parse_wpa(vap, wpa, rsnparms, wh);
1527         else
1528                 reason = ieee80211_parse_rsn(vap, rsn, rsnparms, wh);
1529         if (reason != 0) {
1530                 /* XXX distinguish WPA/RSN? */
1531                 vap->iv_stats.is_rx_assoc_badwpaie++;
1532                 goto bad;
1533         }
1534         IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_WPA, ni,
1535             "%s ie: mc %u/%u uc %u/%u key %u caps 0x%x",
1536             wpa != NULL ? "WPA" : "RSN",
1537             rsnparms->rsn_mcastcipher, rsnparms->rsn_mcastkeylen,
1538             rsnparms->rsn_ucastcipher, rsnparms->rsn_ucastkeylen,
1539             rsnparms->rsn_keymgmt, rsnparms->rsn_caps);
1540
1541         return 1;
1542 bad:
1543         ieee80211_node_deauth(ni, reason);
1544         return 0;
1545 }
1546
1547 /* XXX find a better place for definition */
1548 struct l2_update_frame {
1549         struct ether_header eh;
1550         uint8_t dsap;
1551         uint8_t ssap;
1552         uint8_t control;
1553         uint8_t xid[3];
1554 }  __packed;
1555
1556 /*
1557  * Deliver a TGf L2UF frame on behalf of a station.
1558  * This primes any bridge when the station is roaming
1559  * between ap's on the same wired network.
1560  */
1561 static void
1562 ieee80211_deliver_l2uf(struct ieee80211_node *ni)
1563 {
1564         struct ieee80211vap *vap = ni->ni_vap;
1565         struct ifnet *ifp = vap->iv_ifp;
1566         struct mbuf *m;
1567         struct l2_update_frame *l2uf;
1568         struct ether_header *eh;
1569
1570         m = m_gethdr(MB_DONTWAIT, MT_DATA);
1571         if (m == NULL) {
1572                 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni,
1573                     "%s", "no mbuf for l2uf frame");
1574                 vap->iv_stats.is_rx_nobuf++;    /* XXX not right */
1575                 return;
1576         }
1577         l2uf = mtod(m, struct l2_update_frame *);
1578         eh = &l2uf->eh;
1579         /* dst: Broadcast address */
1580         IEEE80211_ADDR_COPY(eh->ether_dhost, ifp->if_broadcastaddr);
1581         /* src: associated STA */
1582         IEEE80211_ADDR_COPY(eh->ether_shost, ni->ni_macaddr);
1583         eh->ether_type = htons(sizeof(*l2uf) - sizeof(*eh));
1584
1585         l2uf->dsap = 0;
1586         l2uf->ssap = 0;
1587         l2uf->control = 0xf5;
1588         l2uf->xid[0] = 0x81;
1589         l2uf->xid[1] = 0x80;
1590         l2uf->xid[2] = 0x00;
1591
1592         m->m_pkthdr.len = m->m_len = sizeof(*l2uf);
1593         hostap_deliver_data(vap, ni, m);
1594 }
1595
1596 static void
1597 ratesetmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1598         int reassoc, int resp, const char *tag, int rate)
1599 {
1600         IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2,
1601             "deny %s request, %s rate set mismatch, rate/MCS %d",
1602             reassoc ? "reassoc" : "assoc", tag, rate & IEEE80211_RATE_VAL);
1603         IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_BASIC_RATE);
1604         ieee80211_node_leave(ni);
1605 }
1606
1607 static void
1608 capinfomismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1609         int reassoc, int resp, const char *tag, int capinfo)
1610 {
1611         struct ieee80211vap *vap = ni->ni_vap;
1612
1613         IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2,
1614             "deny %s request, %s mismatch 0x%x",
1615             reassoc ? "reassoc" : "assoc", tag, capinfo);
1616         IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_CAPINFO);
1617         ieee80211_node_leave(ni);
1618         vap->iv_stats.is_rx_assoc_capmismatch++;
1619 }
1620
1621 static void
1622 htcapmismatch(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1623         int reassoc, int resp)
1624 {
1625         IEEE80211_NOTE_MAC(ni->ni_vap, IEEE80211_MSG_ANY, wh->i_addr2,
1626             "deny %s request, missing HT ie", reassoc ? "reassoc" : "assoc");
1627         /* XXX no better code */
1628         IEEE80211_SEND_MGMT(ni, resp, IEEE80211_STATUS_MISSING_HT_CAPS);
1629         ieee80211_node_leave(ni);
1630 }
1631
1632 static void
1633 authalgreject(struct ieee80211_node *ni, const struct ieee80211_frame *wh,
1634         int algo, int seq, int status)
1635 {
1636         struct ieee80211vap *vap = ni->ni_vap;
1637
1638         IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1639             wh, NULL, "unsupported alg %d", algo);
1640         vap->iv_stats.is_rx_auth_unsupported++;
1641         ieee80211_send_error(ni, wh->i_addr2, IEEE80211_FC0_SUBTYPE_AUTH,
1642             seq | (status << 16));
1643 }
1644
1645 static __inline int
1646 ishtmixed(const uint8_t *ie)
1647 {
1648         const struct ieee80211_ie_htinfo *ht =
1649             (const struct ieee80211_ie_htinfo *) ie;
1650         return (ht->hi_byte2 & IEEE80211_HTINFO_OPMODE) ==
1651             IEEE80211_HTINFO_OPMODE_MIXED;
1652 }
1653
1654 static int
1655 is11bclient(const uint8_t *rates, const uint8_t *xrates)
1656 {
1657         static const uint32_t brates = (1<<2*1)|(1<<2*2)|(1<<11)|(1<<2*11);
1658         int i;
1659
1660         /* NB: the 11b clients we care about will not have xrates */
1661         if (xrates != NULL || rates == NULL)
1662                 return 0;
1663         for (i = 0; i < rates[1]; i++) {
1664                 int r = rates[2+i] & IEEE80211_RATE_VAL;
1665                 if (r > 2*11 || ((1<<r) & brates) == 0)
1666                         return 0;
1667         }
1668         return 1;
1669 }
1670
1671 static void
1672 hostap_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0,
1673         int subtype, int rssi, int nf)
1674 {
1675         struct ieee80211vap *vap = ni->ni_vap;
1676         struct ieee80211com *ic = ni->ni_ic;
1677         struct ieee80211_frame *wh;
1678         uint8_t *frm, *efrm, *sfrm;
1679         uint8_t *ssid, *rates, *xrates, *wpa, *rsn, *wme, *ath, *htcap;
1680         int reassoc, resp;
1681         uint8_t rate;
1682
1683         wh = mtod(m0, struct ieee80211_frame *);
1684         frm = (uint8_t *)&wh[1];
1685         efrm = mtod(m0, uint8_t *) + m0->m_len;
1686         switch (subtype) {
1687         case IEEE80211_FC0_SUBTYPE_PROBE_RESP:
1688         case IEEE80211_FC0_SUBTYPE_BEACON: {
1689                 struct ieee80211_scanparams scan;
1690                 /*
1691                  * We process beacon/probe response frames when scanning;
1692                  * otherwise we check beacon frames for overlapping non-ERP
1693                  * BSS in 11g and/or overlapping legacy BSS when in HT.
1694                  */
1695                 if ((ic->ic_flags & IEEE80211_F_SCAN) == 0 &&
1696                     subtype == IEEE80211_FC0_SUBTYPE_PROBE_RESP) {
1697                         vap->iv_stats.is_rx_mgtdiscard++;
1698                         return;
1699                 }
1700                 /* NB: accept off-channel frames */
1701                 if (ieee80211_parse_beacon(ni, m0, &scan) &~ IEEE80211_BPARSE_OFFCHAN)
1702                         return;
1703                 /*
1704                  * Count frame now that we know it's to be processed.
1705                  */
1706                 if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) {
1707                         vap->iv_stats.is_rx_beacon++;           /* XXX remove */
1708                         IEEE80211_NODE_STAT(ni, rx_beacons);
1709                 } else
1710                         IEEE80211_NODE_STAT(ni, rx_proberesp);
1711                 /*
1712                  * If scanning, just pass information to the scan module.
1713                  */
1714                 if (ic->ic_flags & IEEE80211_F_SCAN) {
1715                         if (scan.status == 0 &&         /* NB: on channel */
1716                             (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN)) {
1717                                 /*
1718                                  * Actively scanning a channel marked passive;
1719                                  * send a probe request now that we know there
1720                                  * is 802.11 traffic present.
1721                                  *
1722                                  * XXX check if the beacon we recv'd gives
1723                                  * us what we need and suppress the probe req
1724                                  */
1725                                 ieee80211_probe_curchan(vap, 1);
1726                                 ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN;
1727                         }
1728                         ieee80211_add_scan(vap, &scan, wh, subtype, rssi, nf);
1729                         return;
1730                 }
1731                 /*
1732                  * Check beacon for overlapping bss w/ non ERP stations.
1733                  * If we detect one and protection is configured but not
1734                  * enabled, enable it and start a timer that'll bring us
1735                  * out if we stop seeing the bss.
1736                  */
1737                 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) &&
1738                     scan.status == 0 &&                 /* NB: on-channel */
1739                     ((scan.erp & 0x100) == 0 ||         /* NB: no ERP, 11b sta*/
1740                      (scan.erp & IEEE80211_ERP_NON_ERP_PRESENT))) {
1741                         ic->ic_lastnonerp = ticks;
1742                         ic->ic_flags_ext |= IEEE80211_FEXT_NONERP_PR;
1743                         if (ic->ic_protmode != IEEE80211_PROT_NONE &&
1744                             (ic->ic_flags & IEEE80211_F_USEPROT) == 0) {
1745                                 IEEE80211_NOTE_FRAME(vap,
1746                                     IEEE80211_MSG_ASSOC, wh,
1747                                     "non-ERP present on channel %d "
1748                                     "(saw erp 0x%x from channel %d), "
1749                                     "enable use of protection",
1750                                     ic->ic_curchan->ic_ieee,
1751                                     scan.erp, scan.chan);
1752                                 ic->ic_flags |= IEEE80211_F_USEPROT;
1753                                 ieee80211_notify_erp(ic);
1754                         }
1755                 }
1756                 /*
1757                  * Check beacon for non-HT station on HT channel
1758                  * and update HT BSS occupancy as appropriate.
1759                  */
1760                 if (IEEE80211_IS_CHAN_HT(ic->ic_curchan)) {
1761                         if (scan.status & IEEE80211_BPARSE_OFFCHAN) {
1762                                 /*
1763                                  * Off control channel; only check frames
1764                                  * that come in the extension channel when
1765                                  * operating w/ HT40.
1766                                  */
1767                                 if (!IEEE80211_IS_CHAN_HT40(ic->ic_curchan))
1768                                         break;
1769                                 if (scan.chan != ic->ic_curchan->ic_extieee)
1770                                         break;
1771                         }
1772                         if (scan.htinfo == NULL) {
1773                                 ieee80211_htprot_update(ic,
1774                                     IEEE80211_HTINFO_OPMODE_PROTOPT |
1775                                     IEEE80211_HTINFO_NONHT_PRESENT);
1776                         } else if (ishtmixed(scan.htinfo)) {
1777                                 /* XXX? take NONHT_PRESENT from beacon? */
1778                                 ieee80211_htprot_update(ic,
1779                                     IEEE80211_HTINFO_OPMODE_MIXED |
1780                                     IEEE80211_HTINFO_NONHT_PRESENT);
1781                         }
1782                 }
1783                 break;
1784         }
1785
1786         case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
1787                 if (vap->iv_state != IEEE80211_S_RUN) {
1788                         vap->iv_stats.is_rx_mgtdiscard++;
1789                         return;
1790                 }
1791                 /*
1792                  * prreq frame format
1793                  *      [tlv] ssid
1794                  *      [tlv] supported rates
1795                  *      [tlv] extended supported rates
1796                  */
1797                 ssid = rates = xrates = NULL;
1798                 sfrm = frm;
1799                 while (efrm - frm > 1) {
1800                         IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
1801                         switch (*frm) {
1802                         case IEEE80211_ELEMID_SSID:
1803                                 ssid = frm;
1804                                 break;
1805                         case IEEE80211_ELEMID_RATES:
1806                                 rates = frm;
1807                                 break;
1808                         case IEEE80211_ELEMID_XRATES:
1809                                 xrates = frm;
1810                                 break;
1811                         }
1812                         frm += frm[1] + 2;
1813                 }
1814                 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return);
1815                 if (xrates != NULL)
1816                         IEEE80211_VERIFY_ELEMENT(xrates,
1817                                 IEEE80211_RATE_MAXSIZE - rates[1], return);
1818                 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return);
1819                 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return);
1820                 if ((vap->iv_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) {
1821                         IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
1822                             wh, NULL,
1823                             "%s", "no ssid with ssid suppression enabled");
1824                         vap->iv_stats.is_rx_ssidmismatch++; /*XXX*/
1825                         return;
1826                 }
1827
1828                 /* XXX find a better class or define it's own */
1829                 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_INPUT, wh->i_addr2,
1830                     "%s", "recv probe req");
1831                 /*
1832                  * Some legacy 11b clients cannot hack a complete
1833                  * probe response frame.  When the request includes
1834                  * only a bare-bones rate set, communicate this to
1835                  * the transmit side.
1836                  */
1837                 ieee80211_send_proberesp(vap, wh->i_addr2,
1838                     is11bclient(rates, xrates) ? IEEE80211_SEND_LEGACY_11B : 0);
1839                 break;
1840
1841         case IEEE80211_FC0_SUBTYPE_AUTH: {
1842                 uint16_t algo, seq, status;
1843
1844                 if (vap->iv_state != IEEE80211_S_RUN) {
1845                         vap->iv_stats.is_rx_mgtdiscard++;
1846                         return;
1847                 }
1848                 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) {
1849                         IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1850                             wh, NULL, "%s", "wrong bssid");
1851                         vap->iv_stats.is_rx_wrongbss++; /*XXX unique stat?*/
1852                         return;
1853                 }
1854                 /*
1855                  * auth frame format
1856                  *      [2] algorithm
1857                  *      [2] sequence
1858                  *      [2] status
1859                  *      [tlv*] challenge
1860                  */
1861                 IEEE80211_VERIFY_LENGTH(efrm - frm, 6, return);
1862                 algo   = le16toh(*(uint16_t *)frm);
1863                 seq    = le16toh(*(uint16_t *)(frm + 2));
1864                 status = le16toh(*(uint16_t *)(frm + 4));
1865                 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr2,
1866                     "recv auth frame with algorithm %d seq %d", algo, seq);
1867                 /*
1868                  * Consult the ACL policy module if setup.
1869                  */
1870                 if (vap->iv_acl != NULL &&
1871                     !vap->iv_acl->iac_check(vap, wh->i_addr2)) {
1872                         IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL,
1873                             wh, NULL, "%s", "disallowed by ACL");
1874                         vap->iv_stats.is_rx_acl++;
1875                         ieee80211_send_error(ni, wh->i_addr2,
1876                             IEEE80211_FC0_SUBTYPE_AUTH,
1877                             (seq+1) | (IEEE80211_STATUS_UNSPECIFIED<<16));
1878                         return;
1879                 }
1880                 if (vap->iv_flags & IEEE80211_F_COUNTERM) {
1881                         IEEE80211_DISCARD(vap,
1882                             IEEE80211_MSG_AUTH | IEEE80211_MSG_CRYPTO,
1883                             wh, NULL, "%s", "TKIP countermeasures enabled");
1884                         vap->iv_stats.is_rx_auth_countermeasures++;
1885                         ieee80211_send_error(ni, wh->i_addr2,
1886                                 IEEE80211_FC0_SUBTYPE_AUTH,
1887                                 IEEE80211_REASON_MIC_FAILURE);
1888                         return;
1889                 }
1890                 if (algo == IEEE80211_AUTH_ALG_SHARED)
1891                         hostap_auth_shared(ni, wh, frm + 6, efrm, rssi, nf,
1892                             seq, status);
1893                 else if (algo == IEEE80211_AUTH_ALG_OPEN)
1894                         hostap_auth_open(ni, wh, rssi, nf, seq, status);
1895                 else if (algo == IEEE80211_AUTH_ALG_LEAP) {
1896                         authalgreject(ni, wh, algo,
1897                             seq+1, IEEE80211_STATUS_ALG);
1898                         return;
1899                 } else {
1900                         /*
1901                          * We assume that an unknown algorithm is the result
1902                          * of a decryption failure on a shared key auth frame;
1903                          * return a status code appropriate for that instead
1904                          * of IEEE80211_STATUS_ALG.
1905                          *
1906                          * NB: a seq# of 4 is intentional; the decrypted
1907                          *     frame likely has a bogus seq value.
1908                          */
1909                         authalgreject(ni, wh, algo,
1910                             4, IEEE80211_STATUS_CHALLENGE);
1911                         return;
1912                 }
1913                 break;
1914         }
1915
1916         case IEEE80211_FC0_SUBTYPE_ASSOC_REQ:
1917         case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: {
1918                 uint16_t capinfo, lintval;
1919                 struct ieee80211_rsnparms rsnparms;
1920
1921                 if (vap->iv_state != IEEE80211_S_RUN) {
1922                         vap->iv_stats.is_rx_mgtdiscard++;
1923                         return;
1924                 }
1925                 if (!IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bss->ni_bssid)) {
1926                         IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
1927                             wh, NULL, "%s", "wrong bssid");
1928                         vap->iv_stats.is_rx_assoc_bss++;
1929                         return;
1930                 }
1931                 if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) {
1932                         reassoc = 1;
1933                         resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP;
1934                 } else {
1935                         reassoc = 0;
1936                         resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP;
1937                 }
1938                 if (ni == vap->iv_bss) {
1939                         IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_ANY, wh->i_addr2,
1940                             "deny %s request, sta not authenticated",
1941                             reassoc ? "reassoc" : "assoc");
1942                         ieee80211_send_error(ni, wh->i_addr2,
1943                             IEEE80211_FC0_SUBTYPE_DEAUTH,
1944                             IEEE80211_REASON_ASSOC_NOT_AUTHED);
1945                         vap->iv_stats.is_rx_assoc_notauth++;
1946                         return;
1947                 }
1948
1949                 /*
1950                  * asreq frame format
1951                  *      [2] capability information
1952                  *      [2] listen interval
1953                  *      [6*] current AP address (reassoc only)
1954                  *      [tlv] ssid
1955                  *      [tlv] supported rates
1956                  *      [tlv] extended supported rates
1957                  *      [tlv] WPA or RSN
1958                  *      [tlv] HT capabilities
1959                  *      [tlv] Atheros capabilities
1960                  */
1961                 IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? 10 : 4), return);
1962                 capinfo = le16toh(*(uint16_t *)frm);    frm += 2;
1963                 lintval = le16toh(*(uint16_t *)frm);    frm += 2;
1964                 if (reassoc)
1965                         frm += 6;       /* ignore current AP info */
1966                 ssid = rates = xrates = wpa = rsn = wme = ath = htcap = NULL;
1967                 sfrm = frm;
1968                 while (efrm - frm > 1) {
1969                         IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
1970                         switch (*frm) {
1971                         case IEEE80211_ELEMID_SSID:
1972                                 ssid = frm;
1973                                 break;
1974                         case IEEE80211_ELEMID_RATES:
1975                                 rates = frm;
1976                                 break;
1977                         case IEEE80211_ELEMID_XRATES:
1978                                 xrates = frm;
1979                                 break;
1980                         case IEEE80211_ELEMID_RSN:
1981                                 rsn = frm;
1982                                 break;
1983                         case IEEE80211_ELEMID_HTCAP:
1984                                 htcap = frm;
1985                                 break;
1986                         case IEEE80211_ELEMID_VENDOR:
1987                                 if (iswpaoui(frm))
1988                                         wpa = frm;
1989                                 else if (iswmeinfo(frm))
1990                                         wme = frm;
1991 #ifdef IEEE80211_SUPPORT_SUPERG
1992                                 else if (isatherosoui(frm))
1993                                         ath = frm;
1994 #endif
1995                                 else if (vap->iv_flags_ht & IEEE80211_FHT_HTCOMPAT) {
1996                                         if (ishtcapoui(frm) && htcap == NULL)
1997                                                 htcap = frm;
1998                                 }
1999                                 break;
2000                         }
2001                         frm += frm[1] + 2;
2002                 }
2003                 IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE, return);
2004                 if (xrates != NULL)
2005                         IEEE80211_VERIFY_ELEMENT(xrates,
2006                                 IEEE80211_RATE_MAXSIZE - rates[1], return);
2007                 IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN, return);
2008                 IEEE80211_VERIFY_SSID(vap->iv_bss, ssid, return);
2009                 if (htcap != NULL) {
2010                         IEEE80211_VERIFY_LENGTH(htcap[1],
2011                              htcap[0] == IEEE80211_ELEMID_VENDOR ?
2012                                  4 + sizeof(struct ieee80211_ie_htcap)-2 :
2013                                  sizeof(struct ieee80211_ie_htcap)-2,
2014                              return);           /* XXX just NULL out? */
2015                 }
2016
2017                 if ((vap->iv_flags & IEEE80211_F_WPA) &&
2018                     !wpa_assocreq(ni, &rsnparms, wh, wpa, rsn, capinfo))
2019                         return;
2020                 /* discard challenge after association */
2021                 if (ni->ni_challenge != NULL) {
2022                         kfree(ni->ni_challenge, M_80211_NODE);
2023                         ni->ni_challenge = NULL;
2024                 }
2025                 /* NB: 802.11 spec says to ignore station's privacy bit */
2026                 if ((capinfo & IEEE80211_CAPINFO_ESS) == 0) {
2027                         capinfomismatch(ni, wh, reassoc, resp,
2028                             "capability", capinfo);
2029                         return;
2030                 }
2031                 /*
2032                  * Disallow re-associate w/ invalid slot time setting.
2033                  */
2034                 if (ni->ni_associd != 0 &&
2035                     IEEE80211_IS_CHAN_ANYG(ic->ic_bsschan) &&
2036                     ((ni->ni_capinfo ^ capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME)) {
2037                         capinfomismatch(ni, wh, reassoc, resp,
2038                             "slot time", capinfo);
2039                         return;
2040                 }
2041                 rate = ieee80211_setup_rates(ni, rates, xrates,
2042                                 IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE |
2043                                 IEEE80211_F_DONEGO | IEEE80211_F_DODEL);
2044                 if (rate & IEEE80211_RATE_BASIC) {
2045                         ratesetmismatch(ni, wh, reassoc, resp, "legacy", rate);
2046                         vap->iv_stats.is_rx_assoc_norate++;
2047                         return;
2048                 }
2049                 /*
2050                  * If constrained to 11g-only stations reject an
2051                  * 11b-only station.  We cheat a bit here by looking
2052                  * at the max negotiated xmit rate and assuming anyone
2053                  * with a best rate <24Mb/s is an 11b station.
2054                  */
2055                 if ((vap->iv_flags & IEEE80211_F_PUREG) && rate < 48) {
2056                         ratesetmismatch(ni, wh, reassoc, resp, "11g", rate);
2057                         vap->iv_stats.is_rx_assoc_norate++;
2058                         return;
2059                 }
2060                 /*
2061                  * Do HT rate set handling and setup HT node state.
2062                  */
2063                 ni->ni_chan = vap->iv_bss->ni_chan;
2064                 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) && htcap != NULL) {
2065                         rate = ieee80211_setup_htrates(ni, htcap,
2066                                 IEEE80211_F_DOFMCS | IEEE80211_F_DONEGO |
2067                                 IEEE80211_F_DOBRS);
2068                         if (rate & IEEE80211_RATE_BASIC) {
2069                                 ratesetmismatch(ni, wh, reassoc, resp,
2070                                     "HT", rate);
2071                                 vap->iv_stats.is_ht_assoc_norate++;
2072                                 return;
2073                         }
2074                         ieee80211_ht_node_init(ni);
2075                         ieee80211_ht_updatehtcap(ni, htcap);
2076                 } else if (ni->ni_flags & IEEE80211_NODE_HT)
2077                         ieee80211_ht_node_cleanup(ni);
2078 #ifdef IEEE80211_SUPPORT_SUPERG
2079                 else if (ni->ni_ath_flags & IEEE80211_NODE_ATH)
2080                         ieee80211_ff_node_cleanup(ni);
2081 #endif
2082                 /*
2083                  * Allow AMPDU operation only with unencrypted traffic
2084                  * or AES-CCM; the 11n spec only specifies these ciphers
2085                  * so permitting any others is undefined and can lead
2086                  * to interoperability problems.
2087                  */
2088                 if ((ni->ni_flags & IEEE80211_NODE_HT) &&
2089                     (((vap->iv_flags & IEEE80211_F_WPA) &&
2090                       rsnparms.rsn_ucastcipher != IEEE80211_CIPHER_AES_CCM) ||
2091                      (vap->iv_flags & (IEEE80211_F_WPA|IEEE80211_F_PRIVACY)) == IEEE80211_F_PRIVACY)) {
2092                         IEEE80211_NOTE(vap,
2093                             IEEE80211_MSG_ASSOC | IEEE80211_MSG_11N, ni,
2094                             "disallow HT use because WEP or TKIP requested, "
2095                             "capinfo 0x%x ucastcipher %d", capinfo,
2096                             rsnparms.rsn_ucastcipher);
2097                         ieee80211_ht_node_cleanup(ni);
2098                         vap->iv_stats.is_ht_assoc_downgrade++;
2099                 }
2100                 /*
2101                  * If constrained to 11n-only stations reject legacy stations.
2102                  */
2103                 if ((vap->iv_flags_ht & IEEE80211_FHT_PUREN) &&
2104                     (ni->ni_flags & IEEE80211_NODE_HT) == 0) {
2105                         htcapmismatch(ni, wh, reassoc, resp);
2106                         vap->iv_stats.is_ht_assoc_nohtcap++;
2107                         return;
2108                 }
2109                 IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi);
2110                 ni->ni_noise = nf;
2111                 ni->ni_intval = lintval;
2112                 ni->ni_capinfo = capinfo;
2113                 ni->ni_fhdwell = vap->iv_bss->ni_fhdwell;
2114                 ni->ni_fhindex = vap->iv_bss->ni_fhindex;
2115                 /*
2116                  * Store the IEs.
2117                  * XXX maybe better to just expand
2118                  */
2119                 if (ieee80211_ies_init(&ni->ni_ies, sfrm, efrm - sfrm)) {
2120 #define setie(_ie, _off)        ieee80211_ies_setie(ni->ni_ies, _ie, _off)
2121                         if (wpa != NULL)
2122                                 setie(wpa_ie, wpa - sfrm);
2123                         if (rsn != NULL)
2124                                 setie(rsn_ie, rsn - sfrm);
2125                         if (htcap != NULL)
2126                                 setie(htcap_ie, htcap - sfrm);
2127                         if (wme != NULL) {
2128                                 setie(wme_ie, wme - sfrm);
2129                                 /*
2130                                  * Mark node as capable of QoS.
2131                                  */
2132                                 ni->ni_flags |= IEEE80211_NODE_QOS;
2133                         } else
2134                                 ni->ni_flags &= ~IEEE80211_NODE_QOS;
2135 #ifdef IEEE80211_SUPPORT_SUPERG
2136                         if (ath != NULL) {
2137                                 setie(ath_ie, ath - sfrm);
2138                                 /*
2139                                  * Parse ATH station parameters.
2140                                  */
2141                                 ieee80211_parse_ath(ni, ni->ni_ies.ath_ie);
2142                         } else
2143 #endif
2144                                 ni->ni_ath_flags = 0;
2145 #undef setie
2146                 } else {
2147                         ni->ni_flags &= ~IEEE80211_NODE_QOS;
2148                         ni->ni_ath_flags = 0;
2149                 }
2150                 ieee80211_node_join(ni, resp);
2151                 ieee80211_deliver_l2uf(ni);
2152                 break;
2153         }
2154
2155         case IEEE80211_FC0_SUBTYPE_DEAUTH:
2156         case IEEE80211_FC0_SUBTYPE_DISASSOC: {
2157                 uint16_t reason;
2158
2159                 if (vap->iv_state != IEEE80211_S_RUN ||
2160                     /* NB: can happen when in promiscuous mode */
2161                     !IEEE80211_ADDR_EQ(wh->i_addr1, vap->iv_myaddr)) {
2162                         vap->iv_stats.is_rx_mgtdiscard++;
2163                         break;
2164                 }
2165                 /*
2166                  * deauth/disassoc frame format
2167                  *      [2] reason
2168                  */
2169                 IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return);
2170                 reason = le16toh(*(uint16_t *)frm);
2171                 if (subtype == IEEE80211_FC0_SUBTYPE_DEAUTH) {
2172                         vap->iv_stats.is_rx_deauth++;
2173                         IEEE80211_NODE_STAT(ni, rx_deauth);
2174                 } else {
2175                         vap->iv_stats.is_rx_disassoc++;
2176                         IEEE80211_NODE_STAT(ni, rx_disassoc);
2177                 }
2178                 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni,
2179                     "recv %s (reason %d)", ieee80211_mgt_subtype_name[subtype >>
2180                         IEEE80211_FC0_SUBTYPE_SHIFT], reason);
2181                 if (ni != vap->iv_bss)
2182                         ieee80211_node_leave(ni);
2183                 break;
2184         }
2185
2186         case IEEE80211_FC0_SUBTYPE_ACTION:
2187                 if (vap->iv_state == IEEE80211_S_RUN) {
2188                         if (ieee80211_parse_action(ni, m0) == 0)
2189                                 ic->ic_recv_action(ni, wh, frm, efrm);
2190                 } else
2191                         vap->iv_stats.is_rx_mgtdiscard++;
2192                 break;
2193
2194         case IEEE80211_FC0_SUBTYPE_ASSOC_RESP:
2195         case IEEE80211_FC0_SUBTYPE_REASSOC_RESP:
2196         default:
2197                 IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
2198                      wh, "mgt", "subtype 0x%x not handled", subtype);
2199                 vap->iv_stats.is_rx_badsubtype++;
2200                 break;
2201         }
2202 }
2203
2204 static void
2205 hostap_recv_ctl(struct ieee80211_node *ni, struct mbuf *m, int subtype)
2206 {
2207         switch (subtype) {
2208         case IEEE80211_FC0_SUBTYPE_PS_POLL:
2209                 hostap_recv_pspoll(ni, m);
2210                 break;
2211         case IEEE80211_FC0_SUBTYPE_BAR:
2212                 ieee80211_recv_bar(ni, m);
2213                 break;
2214         }
2215 }
2216
2217 /*
2218  * Process a received ps-poll frame.
2219  */
2220 static void
2221 hostap_recv_pspoll(struct ieee80211_node *ni, struct mbuf *m0)
2222 {
2223         struct ieee80211vap *vap = ni->ni_vap;
2224         struct ieee80211_frame_min *wh;
2225         struct ifnet *ifp;
2226         struct ifaltq_subque *ifsq;
2227         struct mbuf *m;
2228         uint16_t aid;
2229         int qlen;
2230
2231         wh = mtod(m0, struct ieee80211_frame_min *);
2232         if (ni->ni_associd == 0) {
2233                 IEEE80211_DISCARD(vap,
2234                     IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG,
2235                     (struct ieee80211_frame *) wh, NULL,
2236                     "%s", "unassociated station");
2237                 vap->iv_stats.is_ps_unassoc++;
2238                 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_DEAUTH,
2239                         IEEE80211_REASON_NOT_ASSOCED);
2240                 return;
2241         }
2242
2243         aid = le16toh(*(uint16_t *)wh->i_dur);
2244         if (aid != ni->ni_associd) {
2245                 IEEE80211_DISCARD(vap,
2246                     IEEE80211_MSG_POWER | IEEE80211_MSG_DEBUG,
2247                     (struct ieee80211_frame *) wh, NULL,
2248                     "aid mismatch: sta aid 0x%x poll aid 0x%x",
2249                     ni->ni_associd, aid);
2250                 vap->iv_stats.is_ps_badaid++;
2251                 /*
2252                  * NB: We used to deauth the station but it turns out
2253                  * the Blackberry Curve 8230 (and perhaps other devices)
2254                  * sometimes send the wrong AID when WME is negotiated.
2255                  * Being more lenient here seems ok as we already check
2256                  * the station is associated and we only return frames
2257                  * queued for the station (i.e. we don't use the AID).
2258                  */
2259                 return;
2260         }
2261
2262         /* Okay, take the first queued packet and put it out... */
2263         m = ieee80211_node_psq_dequeue(ni, &qlen);
2264         if (m == NULL) {
2265                 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_POWER, wh->i_addr2,
2266                     "%s", "recv ps-poll, but queue empty");
2267                 ieee80211_send_nulldata(ieee80211_ref_node(ni));
2268                 vap->iv_stats.is_ps_qempty++;   /* XXX node stat */
2269                 if (vap->iv_set_tim != NULL)
2270                         vap->iv_set_tim(ni, 0); /* just in case */
2271                 return;
2272         }
2273         /*
2274          * If there are more packets, set the more packets bit
2275          * in the packet dispatched to the station; otherwise
2276          * turn off the TIM bit.
2277          */
2278         if (qlen != 0) {
2279                 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni,
2280                     "recv ps-poll, send packet, %u still queued", qlen);
2281                 m->m_flags |= M_MORE_DATA;
2282         } else {
2283                 IEEE80211_NOTE(vap, IEEE80211_MSG_POWER, ni,
2284                     "%s", "recv ps-poll, send packet, queue empty");
2285                 if (vap->iv_set_tim != NULL)
2286                         vap->iv_set_tim(ni, 0);
2287         }
2288         m->m_flags |= M_PWR_SAV;                /* bypass PS handling */
2289
2290         if (m->m_flags & M_ENCAP)
2291                 ifp = vap->iv_ic->ic_ifp;
2292         else
2293                 ifp = vap->iv_ifp;
2294
2295         ifsq = ifq_get_subq_default(&ifp->if_snd);
2296         ifsq_enqueue(ifsq, m, NULL);
2297         ifp->if_start(ifp, ifsq);
2298 }