ieee80211_input.c source code [src/src/sys/net80211/ieee80211_input.c]

1	/ $NetBSD: ieee80211_input.c,v 1.85 2016/09/27 20:20:06 christos Exp $ /
2	/-*
3	* Copyright (c) 2001 Atsushi Onoe
4	* Copyright (c) 2002-2005 Sam Leffler, Errno Consulting
5	* All rights reserved.
6	*
7	* Redistribution and use in source and binary forms, with or without
8	* modification, are permitted provided that the following conditions
9	* are met:
10	* 1. Redistributions of source code must retain the above copyright
11	* notice, this list of conditions and the following disclaimer.
12	* 2. Redistributions in binary form must reproduce the above copyright
13	* notice, this list of conditions and the following disclaimer in the
14	* documentation and/or other materials provided with the distribution.
15	* 3. The name of the author may not be used to endorse or promote products
16	* derived from this software without specific prior written permission.
17	*
18	* Alternatively, this software may be distributed under the terms of the
19	* GNU General Public License ("GPL") version 2 as published by the Free
20	* Software Foundation.
21	*
22	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
23	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
24	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
25	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
26	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
27	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
28	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
29	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
30	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
31	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
32	*/
33
34	#include <sys/cdefs.h>
35	#ifdef __FreeBSD__
36	__FBSDID("$FreeBSD: src/sys/net80211/ieee80211_input.c,v 1.81 2005/08/10 16:22:29 sam Exp $");
37	#endif
38	#ifdef __NetBSD__
39	__KERNEL_RCSID(`0`, "$NetBSD: ieee80211_input.c,v 1.85 2016/09/27 20:20:06 christos Exp $");
40	#endif
41
42	#ifdef _KERNEL_OPT
43	#include "opt_inet.h"
44	#endif
45
46	#ifdef __NetBSD__
47	#endif /* __NetBSD__ */
48
49	#include <sys/param.h>
50	#include <sys/systm.h>
51	#include <sys/mbuf.h>
52	#include <sys/malloc.h>
53	#include <sys/endian.h>
54	#include <sys/kernel.h>
55
56	#include <sys/socket.h>
57	#include <sys/sockio.h>
58	#include <sys/endian.h>
59	#include <sys/errno.h>
60	#include <sys/proc.h>
61	#include <sys/sysctl.h>
62
63	#include <net/if.h>
64	#include <net/if_media.h>
65	#include <net/if_arp.h>
66	#include <net/if_ether.h>
67	#include <net/if_llc.h>
68
69	#include <net80211/ieee80211_var.h>
70
71	#include <net/bpf.h>
72
73	#ifdef INET
74	#include <netinet/in.h>
75	#include <net/if_ether.h>
76	#endif
77
78	const struct timeval ieee80211_merge_print_intvl = {.tv_sec = `1`, .tv_usec = `0`};
79
80	#ifdef IEEE80211_DEBUG
81
82	/*
83	* Decide if a received management frame should be
84	* printed when debugging is enabled. This filters some
85	* of the less interesting frames that come frequently
86	* (e.g. beacons).
87	*/
88	static __inline int
89	doprint(struct ieee80211com ic, int* subtype)
90	{
91	switch (subtype) {
92	case IEEE80211_FC0_SUBTYPE_BEACON:
93	return (ic->ic_flags & IEEE80211_F_SCAN);
94	case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
95	return (ic->ic_opmode == IEEE80211_M_IBSS);
96	}
97	return `1`;
98	}
99
100	/*
101	* Emit a debug message about discarding a frame or information
102	* element. One format is for extracting the mac address from
103	* the frame header; the other is for when a header is not
104	* available or otherwise appropriate.
105	*/
106	#define IEEE80211_DISCARD(_ic, _m, _wh, _type, _fmt, ...) do { \
107	if ((_ic)->ic_debug & (_m)) \
108	ieee80211_discard_frame(_ic, _wh, _type, _fmt, __VA_ARGS__);\
109	} while (0)
110	#define IEEE80211_DISCARD_IE(_ic, _m, _wh, _type, _fmt, ...) do { \
111	if ((_ic)->ic_debug & (_m)) \
112	ieee80211_discard_ie(_ic, _wh, _type, _fmt, __VA_ARGS__);\
113	} while (0)
114	#define IEEE80211_DISCARD_MAC(_ic, _m, _mac, _type, _fmt, ...) do { \
115	if ((_ic)->ic_debug & (_m)) \
116	ieee80211_discard_mac(_ic, _mac, _type, _fmt, __VA_ARGS__);\
117	} while (0)
118	#define IEEE80211_DEBUGVAR(a) a
119
120	static const u_int8_t ieee80211_getbssid(struct* ieee80211com *,
121	const struct ieee80211_frame *);
122	static void ieee80211_discard_frame(struct ieee80211com *,
123	const struct ieee80211_frame , const* char type, const* char *fmt, ...);
124	static void ieee80211_discard_ie(struct ieee80211com *,
125	const struct ieee80211_frame , const* char type, const* char *fmt, ...);
126	static void ieee80211_discard_mac(struct ieee80211com *,
127	const u_int8_t mac[IEEE80211_ADDR_LEN], const char *type,
128	const char *fmt, ...);
129	#else
130	#define IEEE80211_DISCARD(_ic, _m, _wh, _type, _fmt, ...)
131	#define IEEE80211_DISCARD_IE(_ic, _m, _wh, _type, _fmt, ...)
132	#define IEEE80211_DISCARD_MAC(_ic, _m, _mac, _type, _fmt, ...)
133	#define IEEE80211_DEBUGVAR(a)
134	#endif /* IEEE80211_DEBUG */
135
136	static struct mbuf ieee80211_defrag(struct* ieee80211com *,
137	struct ieee80211_node , struct* mbuf , int*);
138	static struct mbuf ieee80211_decap(struct* ieee80211com , struct* mbuf , int*);
139	static void ieee80211_send_error(struct ieee80211com , struct* ieee80211_node *,
140	const u_int8_t mac, int* subtype, int arg);
141	static void ieee80211_deliver_data(struct ieee80211com *,
142	struct ieee80211_node , struct* mbuf *);
143	#ifndef IEEE80211_NO_HOSTAP
144	static void ieee80211_node_pwrsave(struct ieee80211_node , int* enable);
145	static void ieee80211_recv_pspoll(struct ieee80211com *,
146	struct ieee80211_node , struct* mbuf *);
147	#endif /* !IEEE80211_NO_HOSTAP */
148	static void ieee80211_update_adhoc_node(struct ieee80211com *,
149	struct ieee80211_node , struct* ieee80211_frame *,
150	struct ieee80211_scanparams , int*, u_int32_t);
151
152	/*
153	* Process a received frame. The node associated with the sender
154	* should be supplied. If nothing was found in the node table then
155	* the caller is assumed to supply a reference to ic_bss instead.
156	* The RSSI and a timestamp are also supplied. The RSSI data is used
157	* during AP scanning to select a AP to associate with; it can have
158	* any units so long as values have consistent units and higher values
159	* mean ``better signal''. The receive timestamp is currently not used
160	* by the 802.11 layer.
161	*/
162	int
163	ieee80211_input(struct ieee80211com ic, struct* mbuf *m,
164	struct ieee80211_node ni, int* rssi, u_int32_t rstamp)
165	{
166	#define SEQ_LEQ(a,b) ((int)((a)-(b)) <= 0)
167	#define HAS_SEQ(type) ((type & 0x4) == 0)
168	struct ifnet *ifp = ic->ic_ifp;
169	struct ieee80211_frame *wh;
170	struct ieee80211_key *key;
171	struct ether_header *eh;
172	int hdrspace;
173	u_int8_t dir, type, subtype;
174	u_int8_t *bssid;
175	u_int16_t rxseq;
176	IEEE80211_DEBUGVAR(char ebuf[`3` * ETHER_ADDR_LEN]);
177
178	IASSERT(ni != NULL, ("null node"));
179	ni->ni_inact = ni->ni_inact_reload;
180
181	/ trim CRC here so WEP can find its own CRC at the end of packet. /
182	if (m->m_flags & M_HASFCS) {
183	m_adj(m, -IEEE80211_CRC_LEN);
184	m->m_flags &= ~M_HASFCS;
185	}
186	type = -`1`; / undefined /
187	/*
188	* In monitor mode, send everything directly to bpf.
189	* XXX may want to include the CRC
190	*/
191	if (ic->ic_opmode == IEEE80211_M_MONITOR)
192	goto out;
193
194	if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_min)) {
195	IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY,
196	ni->ni_macaddr, NULL,
197	"too short (1): len %u", m->m_pkthdr.len);
198	ic->ic_stats.is_rx_tooshort++;
199	goto out;
200	}
201	/*
202	* Bit of a cheat here, we use a pointer for a 3-address
203	* frame format but don't reference fields past outside
204	* ieee80211_frame_min w/o first validating the data is
205	* present.
206	*/
207	wh = mtod(m, struct ieee80211_frame *);
208
209	if ((wh->i_fc[`0`] & IEEE80211_FC0_VERSION_MASK) !=
210	IEEE80211_FC0_VERSION_0) {
211	IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY,
212	ni->ni_macaddr, NULL, "wrong version %x", wh->i_fc[`0`]);
213	ic->ic_stats.is_rx_badversion++;
214	goto err;
215	}
216
217	dir = wh->i_fc[`1`] & IEEE80211_FC1_DIR_MASK;
218	type = wh->i_fc[`0`] & IEEE80211_FC0_TYPE_MASK;
219	subtype = wh->i_fc[`0`] & IEEE80211_FC0_SUBTYPE_MASK;
220	if ((ic->ic_flags & IEEE80211_F_SCAN) == `0`) {
221	switch (ic->ic_opmode) {
222	case IEEE80211_M_STA:
223	bssid = wh->i_addr2;
224	if (!IEEE80211_ADDR_EQ(bssid, ni->ni_bssid)) {
225	/ not interested in /
226	IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT,
227	bssid, NULL, "node %s, %s",
228	ether_snprintf(ebuf, sizeof(ebuf),
229	ni->ni_bssid), "not to bss");
230	ic->ic_stats.is_rx_wrongbss++;
231	goto out;
232	}
233
234	/ Filter out packets not directed to us in case the*
235	* device is in promiscous mode
236	*/
237	if ((! IEEE80211_IS_MULTICAST(wh->i_addr1))
238	&& (! IEEE80211_ADDR_EQ(wh->i_addr1, ic->ic_myaddr))) {
239	IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT,
240	bssid, NULL, "not to cur sta: lladdr=%6D, addr1=%6D",
241	ic->ic_myaddr, ":", wh->i_addr1, ":");
242	ic->ic_stats.is_rx_wrongbss++;
243	goto out;
244	}
245	break;
246	case IEEE80211_M_IBSS:
247	case IEEE80211_M_AHDEMO:
248	case IEEE80211_M_HOSTAP:
249	if (dir != IEEE80211_FC1_DIR_NODS)
250	bssid = wh->i_addr1;
251	else if (type == IEEE80211_FC0_TYPE_CTL)
252	bssid = wh->i_addr1;
253	else {
254	if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
255	IEEE80211_DISCARD_MAC(ic,
256	IEEE80211_MSG_ANY, ni->ni_macaddr,
257	NULL, "too short (2): len %u",
258	m->m_pkthdr.len);
259	ic->ic_stats.is_rx_tooshort++;
260	goto out;
261	}
262	bssid = wh->i_addr3;
263	}
264	if (type != IEEE80211_FC0_TYPE_DATA)
265	break;
266	/*
267	* Data frame, validate the bssid.
268	*/
269	if (!IEEE80211_ADDR_EQ(bssid, ic->ic_bss->ni_bssid) &&
270	!IEEE80211_ADDR_EQ(bssid, ifp->if_broadcastaddr)) {
271	/ not interested in /
272	IEEE80211_DEBUGVAR(
273	char bbuf[`3` * ETHER_ADDR_LEN]);
274	IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT,
275	bssid, NULL, "bss %s, broadcast %s, %s",
276	ether_snprintf(ebuf, sizeof(ebuf),
277	ic->ic_bss->ni_bssid),
278	ether_snprintf(bbuf, sizeof(bbuf),
279	ifp->if_broadcastaddr), "not to bss");
280	ic->ic_stats.is_rx_wrongbss++;
281	goto out;
282	}
283	/*
284	* For adhoc mode we cons up a node when it doesn't
285	* exist. This should probably done after an ACL check.
286	*/
287	if (ni == ic->ic_bss &&
288	ic->ic_opmode != IEEE80211_M_HOSTAP &&
289	!IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) {
290	/*
291	* Fake up a node for this newly
292	* discovered member of the IBSS.
293	*/
294	ni = ieee80211_fakeup_adhoc_node(&ic->ic_sta,
295	wh->i_addr2);
296	if (ni == NULL) {
297	/ NB: stat kept for alloc failure /
298	goto err;
299	}
300	}
301	break;
302	default:
303	goto out;
304	}
305	ni->ni_rssi = rssi;
306	ni->ni_rstamp = rstamp;
307	if (HAS_SEQ(type) && (ic->ic_opmode != IEEE80211_M_STA \|\|
308	!IEEE80211_IS_MULTICAST(wh->i_addr1))) {
309	u_int8_t tid, retry;
310	u_int16_t rxno, orxno;
311
312	if (ieee80211_has_qos(wh)) {
313	tid = ((struct ieee80211_qosframe *)wh)->
314	i_qos[`0`] & IEEE80211_QOS_TID;
315	if (TID_TO_WME_AC(tid) >= WME_AC_VI)
316	ic->ic_wme.wme_hipri_traffic++;
317	tid++;
318	} else
319	tid = `0`;
320	rxseq = le16toh((u_int16_t )wh->i_seq);
321	retry = wh->i_fc[`1`] & IEEE80211_FC1_RETRY;
322	rxno = rxseq >> IEEE80211_SEQ_SEQ_SHIFT;
323	orxno = ni->ni_rxseqs[tid] >> IEEE80211_SEQ_SEQ_SHIFT;
324	if (retry && (
325	(orxno == `4095` && rxno == orxno) \|\|
326	(orxno != `4095` &&
327	SEQ_LEQ(rxseq, ni->ni_rxseqs[tid]))
328	)) {
329	/ duplicate, discard /
330	IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT,
331	bssid, "duplicate",
332	"seqno <%u,%u> fragno <%u,%u> tid %u",
333	rxno,
334	orxno,
335	rxseq & IEEE80211_SEQ_FRAG_MASK,
336	ni->ni_rxseqs[tid] &
337	IEEE80211_SEQ_FRAG_MASK,
338	tid);
339	ic->ic_stats.is_rx_dup++;
340	IEEE80211_NODE_STAT(ni, rx_dup);
341	goto out;
342	}
343	ni->ni_rxseqs[tid] = rxseq;
344	}
345	}
346
347	switch (type) {
348	case IEEE80211_FC0_TYPE_DATA:
349	hdrspace = ieee80211_hdrspace(ic, wh);
350	if (m->m_len < hdrspace &&
351	(m = m_pullup(m, hdrspace)) == NULL) {
352	IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY,
353	ni->ni_macaddr, NULL,
354	"data too short: expecting %u", hdrspace);
355	ic->ic_stats.is_rx_tooshort++;
356	goto out; / XXX /
357	}
358	switch (ic->ic_opmode) {
359	case IEEE80211_M_STA:
360	if (dir != IEEE80211_FC1_DIR_FROMDS) {
361	IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
362	wh, "data", "%s", "unknown dir 0x%x", dir);
363	ic->ic_stats.is_rx_wrongdir++;
364	goto out;
365	}
366	if ((ifp->if_flags & IFF_SIMPLEX) &&
367	IEEE80211_IS_MULTICAST(wh->i_addr1) &&
368	IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_myaddr)) {
369	/*
370	* In IEEE802.11 network, multicast packet
371	* sent from me is broadcasted from AP.
372	* It should be silently discarded for
373	* SIMPLEX interface.
374	*/
375	IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
376	wh, NULL, "%s", "multicast echo");
377	ic->ic_stats.is_rx_mcastecho++;
378	goto out;
379	}
380	break;
381	case IEEE80211_M_IBSS:
382	case IEEE80211_M_AHDEMO:
383	if (dir != IEEE80211_FC1_DIR_NODS) {
384	IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
385	wh, "data", "%s", "unknown dir 0x%x", dir);
386	ic->ic_stats.is_rx_wrongdir++;
387	goto out;
388	}
389	/ XXX no power-save support /
390	break;
391	case IEEE80211_M_HOSTAP:
392	#ifndef IEEE80211_NO_HOSTAP
393	if (dir != IEEE80211_FC1_DIR_TODS) {
394	IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
395	wh, "data", "%s", "unknown dir 0x%x", dir);
396	ic->ic_stats.is_rx_wrongdir++;
397	goto out;
398	}
399	/ check if source STA is associated /
400	if (ni == ic->ic_bss) {
401	IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
402	wh, "data", "%s", "unknown src");
403	ieee80211_send_error(ic, ni, wh->i_addr2,
404	IEEE80211_FC0_SUBTYPE_DEAUTH,
405	IEEE80211_REASON_NOT_AUTHED);
406	ic->ic_stats.is_rx_notassoc++;
407	goto err;
408	}
409	if (ni->ni_associd == `0`) {
410	IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
411	wh, "data", "%s", "unassoc src");
412	IEEE80211_SEND_MGMT(ic, ni,
413	IEEE80211_FC0_SUBTYPE_DISASSOC,
414	IEEE80211_REASON_NOT_ASSOCED);
415	ic->ic_stats.is_rx_notassoc++;
416	goto err;
417	}
418
419	/*
420	* Check for power save state change.
421	*/
422	if (((wh->i_fc[`1`] & IEEE80211_FC1_PWR_MGT) ^
423	(ni->ni_flags & IEEE80211_NODE_PWR_MGT)))
424	ieee80211_node_pwrsave(ni,
425	wh->i_fc[`1`] & IEEE80211_FC1_PWR_MGT);
426	#endif /* !IEEE80211_NO_HOSTAP */
427	break;
428	default:
429	/ XXX here to keep compiler happy /
430	goto out;
431	}
432
433	/*
434	* Handle privacy requirements. Note that we
435	* must not be preempted from here until after
436	* we (potentially) call ieee80211_crypto_demic;
437	* otherwise we may violate assumptions in the
438	* crypto cipher modules used to do delayed update
439	* of replay sequence numbers.
440	*/
441	if (wh->i_fc[`1`] & IEEE80211_FC1_WEP) {
442	if ((ic->ic_flags & IEEE80211_F_PRIVACY) == `0`) {
443	/*
444	* Discard encrypted frames when privacy is off.
445	*/
446	IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
447	wh, "WEP", "%s", "PRIVACY off");
448	ic->ic_stats.is_rx_noprivacy++;
449	IEEE80211_NODE_STAT(ni, rx_noprivacy);
450	goto out;
451	}
452	key = ieee80211_crypto_decap(ic, ni, m, hdrspace);
453	if (key == NULL) {
454	/ NB: stats+msgs handled in crypto_decap /
455	IEEE80211_NODE_STAT(ni, rx_wepfail);
456	goto out;
457	}
458	wh = mtod(m, struct ieee80211_frame *);
459	wh->i_fc[`1`] &= ~IEEE80211_FC1_WEP;
460	} else {
461	key = NULL;
462	}
463
464	/*
465	* Next up, any fragmentation.
466	*/
467	if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) {
468	m = ieee80211_defrag(ic, ni, m, hdrspace);
469	if (m == NULL) {
470	/ Fragment dropped or frame not complete yet /
471	goto out;
472	}
473	}
474	wh = NULL; / no longer valid, catch any uses /
475
476	/*
477	* Next strip any MSDU crypto bits.
478	*/
479	if (key != NULL && !ieee80211_crypto_demic(ic, key, m, `0`)) {
480	IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT,
481	ni->ni_macaddr, "data", "%s", "demic error");
482	IEEE80211_NODE_STAT(ni, rx_demicfail);
483	goto out;
484	}
485
486	/ copy to listener after decrypt /
487	bpf_mtap3(ic->ic_rawbpf, m);
488
489	/*
490	* Finally, strip the 802.11 header.
491	*/
492	m = ieee80211_decap(ic, m, hdrspace);
493	if (m == NULL) {
494	/ don't count Null data frames as errors /
495	if (subtype == IEEE80211_FC0_SUBTYPE_NODATA)
496	goto out;
497	IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT,
498	ni->ni_macaddr, "data", "%s", "decap error");
499	ic->ic_stats.is_rx_decap++;
500	IEEE80211_NODE_STAT(ni, rx_decap);
501	goto err;
502	}
503	eh = mtod(m, struct ether_header *);
504	if (!ieee80211_node_is_authorized(ni)) {
505	/*
506	* Deny any non-PAE frames received prior to
507	* authorization. For open/shared-key
508	* authentication the port is mark authorized
509	* after authentication completes. For 802.1x
510	* the port is not marked authorized by the
511	* authenticator until the handshake has completed.
512	*/
513	if (eh->ether_type != htons(ETHERTYPE_PAE)) {
514	IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT,
515	eh->ether_shost, "data",
516	"unauthorized port: ether type 0x%x len %u",
517	eh->ether_type, m->m_pkthdr.len);
518	ic->ic_stats.is_rx_unauth++;
519	IEEE80211_NODE_STAT(ni, rx_unauth);
520	goto err;
521	}
522	} else {
523	/*
524	* When denying unencrypted frames, discard
525	* any non-PAE frames received without encryption.
526	*/
527	if ((ic->ic_flags & IEEE80211_F_DROPUNENC) &&
528	key == NULL &&
529	eh->ether_type != htons(ETHERTYPE_PAE)) {
530	/*
531	* Drop unencrypted frames.
532	*/
533	ic->ic_stats.is_rx_unencrypted++;
534	IEEE80211_NODE_STAT(ni, rx_unencrypted);
535	goto out;
536	}
537	}
538	ifp->if_ipackets++;
539	IEEE80211_NODE_STAT(ni, rx_data);
540	IEEE80211_NODE_STAT_ADD(ni, rx_bytes, m->m_pkthdr.len);
541
542	ieee80211_deliver_data(ic, ni, m);
543	return IEEE80211_FC0_TYPE_DATA;
544
545	case IEEE80211_FC0_TYPE_MGT:
546	IEEE80211_NODE_STAT(ni, rx_mgmt);
547	if (dir != IEEE80211_FC1_DIR_NODS) {
548	IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
549	wh, "data", "%s", "unknown dir 0x%x", dir);
550	ic->ic_stats.is_rx_wrongdir++;
551	goto err;
552	}
553	if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) {
554	IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_ANY,
555	ni->ni_macaddr, "mgt", "too short: len %u",
556	m->m_pkthdr.len);
557	ic->ic_stats.is_rx_tooshort++;
558	goto out;
559	}
560	#ifdef IEEE80211_DEBUG
561	if ((ieee80211_msg_debug(ic) && doprint(ic, subtype)) \|\|
562	ieee80211_msg_dumppkts(ic)) {
563	if_printf(ic->ic_ifp, "received %s from %s rssi %d\n",
564	ieee80211_mgt_subtype_name[subtype >>
565	IEEE80211_FC0_SUBTYPE_SHIFT],
566	ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2),
567	rssi);
568	}
569	#endif
570	if (wh->i_fc[`1`] & IEEE80211_FC1_WEP) {
571	if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) {
572	/*
573	* Only shared key auth frames with a challenge
574	* should be encrypted, discard all others.
575	*/
576	IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
577	wh, ieee80211_mgt_subtype_name[subtype >>
578	IEEE80211_FC0_SUBTYPE_SHIFT],
579	"%s", "WEP set but not permitted");
580	ic->ic_stats.is_rx_mgtdiscard++; / XXX /
581	goto out;
582	}
583	if ((ic->ic_flags & IEEE80211_F_PRIVACY) == `0`) {
584	/*
585	* Discard encrypted frames when privacy is off.
586	*/
587	IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
588	wh, "mgt", "%s", "WEP set but PRIVACY off");
589	ic->ic_stats.is_rx_noprivacy++;
590	goto out;
591	}
592	hdrspace = ieee80211_hdrspace(ic, wh);
593	key = ieee80211_crypto_decap(ic, ni, m, hdrspace);
594	if (key == NULL) {
595	/ NB: stats+msgs handled in crypto_decap /
596	goto out;
597	}
598	wh = mtod(m, struct ieee80211_frame *);
599	wh->i_fc[`1`] &= ~IEEE80211_FC1_WEP;
600	}
601	bpf_mtap3(ic->ic_rawbpf, m);
602	(*ic->ic_recv_mgmt)(ic, m, ni, subtype, rssi, rstamp);
603	m_freem(m);
604	return type;
605
606	case IEEE80211_FC0_TYPE_CTL:
607	IEEE80211_NODE_STAT(ni, rx_ctrl);
608	ic->ic_stats.is_rx_ctl++;
609	#ifndef IEEE80211_NO_HOSTAP
610	if (ic->ic_opmode == IEEE80211_M_HOSTAP) {
611	switch (subtype) {
612	case IEEE80211_FC0_SUBTYPE_PS_POLL:
613	ieee80211_recv_pspoll(ic, ni, m);
614	break;
615	}
616	}
617	#endif /* !IEEE80211_NO_HOSTAP */
618	goto out;
619	default:
620	IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY,
621	wh, NULL, "bad frame type 0x%x", type);
622	/ should not come here /
623	break;
624	}
625	err:
626	ifp->if_ierrors++;
627	out:
628	if (m != NULL) {
629	bpf_mtap3(ic->ic_rawbpf, m);
630	m_freem(m);
631	}
632	return type;
633	#undef SEQ_LEQ
634	}
635
636	/*
637	* This function reassemble fragments.
638	*/
639	static struct mbuf *
640	ieee80211_defrag(struct ieee80211com ic, struct* ieee80211_node *ni,
641	struct mbuf m, int* hdrspace)
642	{
643	struct ieee80211_frame wh = mtod(m, struct* ieee80211_frame *);
644	struct ieee80211_frame *lwh;
645	u_int16_t rxseq;
646	u_int8_t fragno;
647	u_int8_t more_frag = wh->i_fc[`1`] & IEEE80211_FC1_MORE_FRAG;
648	struct mbuf *mfrag;
649
650	IASSERT(!IEEE80211_IS_MULTICAST(wh->i_addr1), ("multicast fragm?"));
651
652	rxseq = le16toh((u_int16_t )wh->i_seq);
653	fragno = rxseq & IEEE80211_SEQ_FRAG_MASK;
654
655	/ Quick way out, if there's nothing to defragment /
656	if (!more_frag && fragno == `0` && ni->ni_rxfrag[`0`] == NULL)
657	return m;
658
659	/*
660	* Remove frag to insure it doesn't get reaped by timer.
661	*/
662	if (ni->ni_table == NULL) {
663	/*
664	* Should never happen. If the node is orphaned (not in
665	* the table) then input packets should not reach here.
666	* Otherwise, a concurrent request that yanks the table
667	* should be blocked by other interlocking and/or by first
668	* shutting the driver down. Regardless, be defensive
669	* here and just bail
670	*/
671	/ XXX need msg+stat /
672	m_freem(m);
673	return NULL;
674	}
675	IEEE80211_NODE_LOCK(ni->ni_table);
676	mfrag = ni->ni_rxfrag[`0`];
677	ni->ni_rxfrag[`0`] = NULL;
678	IEEE80211_NODE_UNLOCK(ni->ni_table);
679
680	/*
681	* Validate new fragment is in order and
682	* related to the previous ones.
683	*/
684	if (mfrag != NULL) {
685	u_int16_t last_rxseq;
686
687	lwh = mtod(mfrag, struct ieee80211_frame *);
688	last_rxseq = le16toh((u_int16_t )lwh->i_seq);
689	/ NB: check seq # and frag together /
690	if (rxseq != last_rxseq+`1` \|\|
691	!IEEE80211_ADDR_EQ(wh->i_addr1, lwh->i_addr1) \|\|
692	!IEEE80211_ADDR_EQ(wh->i_addr2, lwh->i_addr2)) {
693	/*
694	* Unrelated fragment or no space for it,
695	* clear current fragments.
696	*/
697	m_freem(mfrag);
698	mfrag = NULL;
699	}
700	}
701
702	if (mfrag == NULL) {
703	if (fragno != `0`) { / !first fragment, discard /
704	IEEE80211_NODE_STAT(ni, rx_defrag);
705	m_freem(m);
706	return NULL;
707	}
708	mfrag = m;
709	} else { / concatenate /
710	m_adj(m, hdrspace); / strip header /
711	m_cat(mfrag, m);
712	/ NB: m_cat doesn't update the packet header /
713	mfrag->m_pkthdr.len += m->m_pkthdr.len;
714	/ track last seqnum and fragno /
715	lwh = mtod(mfrag, struct ieee80211_frame *);
716	(u_int16_t ) lwh->i_seq = (u_int16_t ) wh->i_seq;
717	}
718	if (more_frag) { / more to come, save /
719	ni->ni_rxfragstamp = ticks;
720	ni->ni_rxfrag[`0`] = mfrag;
721	mfrag = NULL;
722	}
723	return mfrag;
724	}
725
726	static void
727	ieee80211_deliver_data(struct ieee80211com *ic,
728	struct ieee80211_node ni, struct* mbuf *m)
729	{
730	struct ether_header eh = mtod(m, struct* ether_header *);
731	struct ifnet *ifp = ic->ic_ifp;
732	int error;
733
734	/ perform as a bridge within the AP /
735	if (ic->ic_opmode == IEEE80211_M_HOSTAP &&
736	(ic->ic_flags & IEEE80211_F_NOBRIDGE) == `0`) {
737	struct mbuf *m1 = NULL;
738
739	if (ETHER_IS_MULTICAST(eh->ether_dhost)) {
740	m1 = m_copypacket(m, M_DONTWAIT);
741	if (m1 == NULL)
742	ifp->if_oerrors++;
743	else
744	m1->m_flags \|= M_MCAST;
745	} else {
746	/*
747	* Check if the destination is known; if so
748	* and the port is authorized dispatch directly.
749	*/
750	struct ieee80211_node *sta =
751	ieee80211_find_node(&ic->ic_sta, eh->ether_dhost);
752	if (sta != NULL) {
753	if (ieee80211_node_is_authorized(sta)) {
754	/*
755	* Beware of sending to ourself; this
756	* needs to happen via the normal
757	* input path.
758	*/
759	if (sta != ic->ic_bss) {
760	m1 = m;
761	m = NULL;
762	}
763	} else {
764	ic->ic_stats.is_rx_unauth++;
765	IEEE80211_NODE_STAT(sta, rx_unauth);
766	}
767	ieee80211_free_node(sta);
768	}
769	}
770	if (m1 != NULL) {
771	int len;
772	#ifdef ALTQ
773	if (ALTQ_IS_ENABLED(&ifp->if_snd)) {
774	altq_etherclassify(&ifp->if_snd, m1);
775	}
776	#endif
777	len = m1->m_pkthdr.len;
778	IFQ_ENQUEUE(&ifp->if_snd, m1, error);
779	if (error) {
780	ifp->if_omcasts++;
781	m = NULL;
782	}
783	ifp->if_obytes += len;
784	}
785	}
786	if (m != NULL) {
787	/*
788	* XXX If we forward packet into transmitter of the AP,
789	* we don't need to duplicate for DLT_EN10MB.
790	*/
791	bpf_mtap(ifp, m);
792
793	if (ni->ni_vlan != `0`) {
794	/ attach vlan tag /
795	/ XXX goto err? /
796	VLAN_INPUT_TAG(ifp, m, ni->ni_vlan, goto out);
797	}
798
799	/*
800	* XXX once ieee80211_input (or rxintr itself) runs in softint
801	* we have to change here too to use if_input.
802	*/
803	KASSERT(ifp->if_percpuq);
804	if_percpuq_enqueue(ifp->if_percpuq, m);
805	}
806	return;
807	out:
808	if (m != NULL) {
809	bpf_mtap3(ic->ic_rawbpf, m);
810	m_freem(m);
811	}
812	}
813
814	static struct mbuf *
815	ieee80211_decap(struct ieee80211com ic, struct* mbuf m, int* hdrlen)
816	{
817	struct ieee80211_qosframe_addr4 wh; / Max size address frames /
818	struct ether_header *eh;
819	struct llc *llc;
820
821	if (m->m_len < hdrlen + sizeof(*llc) &&
822	(m = m_pullup(m, hdrlen + sizeof(*llc))) == NULL) {
823	/ XXX stat, msg /
824	return NULL;
825	}
826	memcpy(&wh, mtod(m, void *), hdrlen);
827	llc = (struct llc )(mtod(m, char* *) + hdrlen);
828	if (llc->llc_dsap == LLC_SNAP_LSAP && llc->llc_ssap == LLC_SNAP_LSAP &&
829	llc->llc_control == LLC_UI && llc->llc_snap.org_code[`0`] == `0` &&
830	llc->llc_snap.org_code[`1`] == `0` && llc->llc_snap.org_code[`2`] == `0`) {
831	m_adj(m, hdrlen + sizeof(struct llc) - sizeof(*eh));
832	llc = NULL;
833	} else {
834	m_adj(m, hdrlen - sizeof(*eh));
835	}
836	eh = mtod(m, struct ether_header *);
837	switch (wh.i_fc[`1`] & IEEE80211_FC1_DIR_MASK) {
838	case IEEE80211_FC1_DIR_NODS:
839	IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1);
840	IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2);
841	break;
842	case IEEE80211_FC1_DIR_TODS:
843	IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr3);
844	IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr2);
845	break;
846	case IEEE80211_FC1_DIR_FROMDS:
847	IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr1);
848	IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr3);
849	break;
850	case IEEE80211_FC1_DIR_DSTODS:
851	IEEE80211_ADDR_COPY(eh->ether_dhost, wh.i_addr3);
852	IEEE80211_ADDR_COPY(eh->ether_shost, wh.i_addr4);
853	break;
854	}
855	#ifdef ALIGNED_POINTER
856	if (!ALIGNED_POINTER(mtod(m, char ) + sizeof(eh), u_int32_t)) {
857	struct mbuf n, n0, **np;
858	char *newdata;
859	int off, pktlen;
860
861	n0 = NULL;
862	np = &n0;
863	off = `0`;
864	pktlen = m->m_pkthdr.len;
865	while (pktlen > off) {
866	if (n0 == NULL) {
867	MGETHDR(n, M_DONTWAIT, MT_DATA);
868	if (n == NULL) {
869	m_freem(m);
870	return NULL;
871	}
872	M_MOVE_PKTHDR(n, m);
873	n->m_len = MHLEN;
874	} else {
875	MGET(n, M_DONTWAIT, MT_DATA);
876	if (n == NULL) {
877	m_freem(m);
878	m_freem(n0);
879	return NULL;
880	}
881	n->m_len = MLEN;
882	}
883	if (pktlen - off >= MINCLSIZE) {
884	MCLGET(n, M_DONTWAIT);
885	if (n->m_flags & M_EXT)
886	n->m_len = n->m_ext.ext_size;
887	}
888	if (n0 == NULL) {
889	newdata =
890	(char )ALIGN(n->m_data + sizeof(eh)) -
891	sizeof(*eh);
892	n->m_len -= newdata - n->m_data;
893	n->m_data = newdata;
894	}
895	if (n->m_len > pktlen - off)
896	n->m_len = pktlen - off;
897	m_copydata(m, off, n->m_len, mtod(n, void *));
898	off += n->m_len;
899	*np = n;
900	np = &n->m_next;
901	}
902	m_freem(m);
903	m = n0;
904	}
905	#endif /* ALIGNED_POINTER */
906	if (llc != NULL) {
907	eh = mtod(m, struct ether_header *);
908	eh->ether_type = htons(m->m_pkthdr.len - sizeof(*eh));
909	}
910	return m;
911	}
912
913	/*
914	* Install received rate set information in the node's state block.
915	*/
916	int
917	ieee80211_setup_rates(struct ieee80211_node *ni,
918	const u_int8_t rates, const* u_int8_t xrates, int* flags)
919	{
920	struct ieee80211com *ic = ni->ni_ic;
921	struct ieee80211_rateset *rs = &ni->ni_rates;
922
923	memset(rs, `0`, sizeof(*rs));
924	rs->rs_nrates = rates[`1`];
925	memcpy(rs->rs_rates, rates + `2`, rs->rs_nrates);
926	if (xrates != NULL) {
927	u_int8_t nxrates;
928	/*
929	* Tack on 11g extended supported rate element.
930	*/
931	nxrates = xrates[`1`];
932	if (rs->rs_nrates + nxrates > IEEE80211_RATE_MAXSIZE) {
933	IEEE80211_DEBUGVAR(char ebuf[`3` * ETHER_ADDR_LEN]);
934	nxrates = IEEE80211_RATE_MAXSIZE - rs->rs_nrates;
935	IEEE80211_DPRINTF(ic, IEEE80211_MSG_XRATE,
936	"[%s] extended rate set too large;"
937	" only using %u of %u rates\n",
938	ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr),
939	nxrates, xrates[`1`]);
940	ic->ic_stats.is_rx_rstoobig++;
941	}
942	memcpy(rs->rs_rates + rs->rs_nrates, xrates+`2`, nxrates);
943	rs->rs_nrates += nxrates;
944	}
945	return ieee80211_fix_rate(ni, flags);
946	}
947
948	static void
949	ieee80211_auth_open(struct ieee80211com ic, struct* ieee80211_frame *wh,
950	struct ieee80211_node ni, int* rssi, u_int32_t rstamp,
951	u_int16_t seq, u_int16_t status)
952	{
953	IEEE80211_DEBUGVAR(char ebuf[`3` * ETHER_ADDR_LEN]);
954
955	if (ni->ni_authmode == IEEE80211_AUTH_SHARED) {
956	IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
957	ni->ni_macaddr, "open auth",
958	"bad sta auth mode %u", ni->ni_authmode);
959	ic->ic_stats.is_rx_bad_auth++; / XXX /
960	if (ic->ic_opmode == IEEE80211_M_HOSTAP) {
961	/ XXX hack to workaround calling convention /
962	ieee80211_send_error(ic, ni, wh->i_addr2,
963	IEEE80211_FC0_SUBTYPE_AUTH,
964	(seq + `1`) \| (IEEE80211_STATUS_ALG<<`16`));
965	}
966	return;
967	}
968	switch (ic->ic_opmode) {
969	case IEEE80211_M_IBSS:
970	case IEEE80211_M_AHDEMO:
971	case IEEE80211_M_MONITOR:
972	/ should not come here /
973	IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
974	ni->ni_macaddr, "open auth",
975	"bad operating mode %u", ic->ic_opmode);
976	break;
977
978	case IEEE80211_M_HOSTAP:
979	#ifndef IEEE80211_NO_HOSTAP
980	if (ic->ic_state != IEEE80211_S_RUN \|\|
981	seq != IEEE80211_AUTH_OPEN_REQUEST) {
982	ic->ic_stats.is_rx_bad_auth++;
983	return;
984	}
985	/ always accept open authentication requests /
986	if (ni == ic->ic_bss) {
987	ni = ieee80211_dup_bss(&ic->ic_sta, wh->i_addr2);
988	if (ni == NULL)
989	return;
990	} else if ((ni->ni_flags & IEEE80211_NODE_AREF) == `0`)
991	(void) ieee80211_ref_node(ni);
992	/*
993	* Mark the node as referenced to reflect that its
994	* reference count has been bumped to insure it remains
995	* after the transaction completes.
996	*/
997	ni->ni_flags \|= IEEE80211_NODE_AREF;
998
999	IEEE80211_SEND_MGMT(ic, ni,
1000	IEEE80211_FC0_SUBTYPE_AUTH, seq + `1`);
1001	IEEE80211_DPRINTF(ic, IEEE80211_MSG_DEBUG \| IEEE80211_MSG_AUTH,
1002	"[%s] station authenticated (open)\n",
1003	ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr));
1004	/*
1005	* When 802.1x is not in use mark the port
1006	* authorized at this point so traffic can flow.
1007	*/
1008	if (ni->ni_authmode != IEEE80211_AUTH_8021X)
1009	ieee80211_node_authorize(ni);
1010	#endif /* !IEEE80211_NO_HOSTAP */
1011	break;
1012
1013	case IEEE80211_M_STA:
1014	if (ic->ic_state != IEEE80211_S_AUTH \|\|
1015	seq != IEEE80211_AUTH_OPEN_RESPONSE) {
1016	ic->ic_stats.is_rx_bad_auth++;
1017	return;
1018	}
1019	if (status != `0`) {
1020
1021	IEEE80211_DPRINTF(ic,
1022	IEEE80211_MSG_DEBUG \| IEEE80211_MSG_AUTH,
1023	"[%s] open auth failed (reason %d)\n",
1024	ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr),
1025	status);
1026	/ XXX can this happen? /
1027	if (ni != ic->ic_bss)
1028	ni->ni_fails++;
1029	ic->ic_stats.is_rx_auth_fail++;
1030	ieee80211_new_state(ic, IEEE80211_S_SCAN, `0`);
1031	} else
1032	ieee80211_new_state(ic, IEEE80211_S_ASSOC,
1033	wh->i_fc[`0`] & IEEE80211_FC0_SUBTYPE_MASK);
1034	break;
1035	}
1036	}
1037
1038	/*
1039	* Send a management frame error response to the specified
1040	* station. If ni is associated with the station then use
1041	* it; otherwise allocate a temporary node suitable for
1042	* transmitting the frame and then free the reference so
1043	* it will go away as soon as the frame has been transmitted.
1044	*/
1045	static void
1046	ieee80211_send_error(struct ieee80211com ic, struct* ieee80211_node *ni,
1047	const u_int8_t mac, int* subtype, int arg)
1048	{
1049	int istmp;
1050
1051	if (ni == ic->ic_bss) {
1052	ni = ieee80211_tmp_node(ic, mac);
1053	if (ni == NULL) {
1054	/ XXX msg /
1055	return;
1056	}
1057	istmp = `1`;
1058	} else
1059	istmp = `0`;
1060	IEEE80211_SEND_MGMT(ic, ni, subtype, arg);
1061	if (istmp)
1062	ieee80211_free_node(ni);
1063	}
1064
1065	static int
1066	alloc_challenge(struct ieee80211com ic, struct* ieee80211_node *ni)
1067	{
1068	if (ni->ni_challenge == NULL)
1069	ni->ni_challenge = malloc(IEEE80211_CHALLENGE_LEN,
1070	M_DEVBUF, M_NOWAIT);
1071	if (ni->ni_challenge == NULL) {
1072	IEEE80211_DEBUGVAR(char ebuf[`3` * ETHER_ADDR_LEN]);
1073
1074	IEEE80211_DPRINTF(ic, IEEE80211_MSG_DEBUG \| IEEE80211_MSG_AUTH,
1075	"[%s] shared key challenge alloc failed\n",
1076	ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr));
1077	/ XXX statistic /
1078	}
1079	return (ni->ni_challenge != NULL);
1080	}
1081
1082	/ XXX TODO: add statistics /
1083	static void
1084	ieee80211_auth_shared(struct ieee80211com ic, struct* ieee80211_frame *wh,
1085	u_int8_t frm, u_int8_t efrm, struct ieee80211_node ni, int* rssi,
1086	u_int32_t rstamp, u_int16_t seq, u_int16_t status)
1087	{
1088	u_int8_t *challenge;
1089	int estatus;
1090	IEEE80211_DEBUGVAR(char ebuf[`3` * ETHER_ADDR_LEN]);
1091
1092	/*
1093	* NB: this can happen as we allow pre-shared key
1094	* authentication to be enabled w/o wep being turned
1095	* on so that configuration of these can be done
1096	* in any order. It may be better to enforce the
1097	* ordering in which case this check would just be
1098	* for sanity/consistency.
1099	*/
1100	if ((ic->ic_flags & IEEE80211_F_PRIVACY) == `0`) {
1101	IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1102	ni->ni_macaddr, "shared key auth",
1103	"%s", " PRIVACY is disabled");
1104	estatus = IEEE80211_STATUS_ALG;
1105	goto bad;
1106	}
1107	/*
1108	* Pre-shared key authentication is evil; accept
1109	* it only if explicitly configured (it is supported
1110	* mainly for compatibility with clients like OS X).
1111	*/
1112	if (ni->ni_authmode != IEEE80211_AUTH_AUTO &&
1113	ni->ni_authmode != IEEE80211_AUTH_SHARED) {
1114	IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1115	ni->ni_macaddr, "shared key auth",
1116	"bad sta auth mode %u", ni->ni_authmode);
1117	ic->ic_stats.is_rx_bad_auth++; / XXX maybe a unique error? /
1118	estatus = IEEE80211_STATUS_ALG;
1119	goto bad;
1120	}
1121
1122	challenge = NULL;
1123	if (frm + `1` < efrm) {
1124	if ((frm[`1`] + `2`) > (efrm - frm)) {
1125	IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1126	ni->ni_macaddr, "shared key auth",
1127	"ie %d/%d too long",
1128	frm[`0`], (frm[`1`] + `2`) - (efrm - frm));
1129	ic->ic_stats.is_rx_bad_auth++;
1130	estatus = IEEE80211_STATUS_CHALLENGE;
1131	goto bad;
1132	}
1133	if (*frm == IEEE80211_ELEMID_CHALLENGE)
1134	challenge = frm;
1135	frm += frm[`1`] + `2`;
1136	}
1137	switch (seq) {
1138	case IEEE80211_AUTH_SHARED_CHALLENGE:
1139	case IEEE80211_AUTH_SHARED_RESPONSE:
1140	if (challenge == NULL) {
1141	IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1142	ni->ni_macaddr, "shared key auth",
1143	"%s", "no challenge");
1144	ic->ic_stats.is_rx_bad_auth++;
1145	estatus = IEEE80211_STATUS_CHALLENGE;
1146	goto bad;
1147	}
1148	if (challenge[`1`] != IEEE80211_CHALLENGE_LEN) {
1149	IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1150	ni->ni_macaddr, "shared key auth",
1151	"bad challenge len %d", challenge[`1`]);
1152	ic->ic_stats.is_rx_bad_auth++;
1153	estatus = IEEE80211_STATUS_CHALLENGE;
1154	goto bad;
1155	}
1156	default:
1157	break;
1158	}
1159	switch (ic->ic_opmode) {
1160	case IEEE80211_M_MONITOR:
1161	case IEEE80211_M_AHDEMO:
1162	case IEEE80211_M_IBSS:
1163	IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1164	ni->ni_macaddr, "shared key auth",
1165	"bad operating mode %u", ic->ic_opmode);
1166	return;
1167	case IEEE80211_M_HOSTAP:
1168	#ifndef IEEE80211_NO_HOSTAP
1169	{
1170	int allocbs;
1171	if (ic->ic_state != IEEE80211_S_RUN) {
1172	IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1173	ni->ni_macaddr, "shared key auth",
1174	"bad state %u", ic->ic_state);
1175	estatus = IEEE80211_STATUS_ALG; / XXX /
1176	goto bad;
1177	}
1178	switch (seq) {
1179	case IEEE80211_AUTH_SHARED_REQUEST:
1180	if (ni == ic->ic_bss) {
1181	ni = ieee80211_dup_bss(&ic->ic_sta, wh->i_addr2);
1182	if (ni == NULL) {
1183	/ NB: no way to return an error /
1184	return;
1185	}
1186	allocbs = `1`;
1187	} else {
1188	if ((ni->ni_flags & IEEE80211_NODE_AREF) == `0`)
1189	(void) ieee80211_ref_node(ni);
1190	allocbs = `0`;
1191	}
1192	__USE(allocbs);
1193	/*
1194	* Mark the node as referenced to reflect that its
1195	* reference count has been bumped to insure it remains
1196	* after the transaction completes.
1197	*/
1198	ni->ni_flags \|= IEEE80211_NODE_AREF;
1199	ni->ni_rssi = rssi;
1200	ni->ni_rstamp = rstamp;
1201	if (!alloc_challenge(ic, ni)) {
1202	/ NB: don't return error so they rexmit /
1203	return;
1204	}
1205	get_random_bytes(ni->ni_challenge,
1206	IEEE80211_CHALLENGE_LEN);
1207	IEEE80211_DPRINTF(ic,
1208	IEEE80211_MSG_DEBUG \| IEEE80211_MSG_AUTH,
1209	"[%s] shared key %sauth request\n",
1210	ether_snprintf(ebuf, sizeof(ebuf),
1211	ni->ni_macaddr),
1212	allocbs ? "" : "re");
1213	break;
1214	case IEEE80211_AUTH_SHARED_RESPONSE:
1215	if (ni == ic->ic_bss) {
1216	IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1217	ni->ni_macaddr, "shared key response",
1218	"%s", "unknown station");
1219	/ NB: don't send a response /
1220	return;
1221	}
1222	if (ni->ni_challenge == NULL) {
1223	IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1224	ni->ni_macaddr, "shared key response",
1225	"%s", "no challenge recorded");
1226	ic->ic_stats.is_rx_bad_auth++;
1227	estatus = IEEE80211_STATUS_CHALLENGE;
1228	goto bad;
1229	}
1230	if (memcmp(ni->ni_challenge, &challenge[`2`],
1231	challenge[`1`]) != `0`) {
1232	IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1233	ni->ni_macaddr, "shared key response",
1234	"%s", "challenge mismatch");
1235	ic->ic_stats.is_rx_auth_fail++;
1236	estatus = IEEE80211_STATUS_CHALLENGE;
1237	goto bad;
1238	}
1239	IEEE80211_DPRINTF(ic,
1240	IEEE80211_MSG_DEBUG \| IEEE80211_MSG_AUTH,
1241	"[%s] station authenticated (shared key)\n",
1242	ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr));
1243	ieee80211_node_authorize(ni);
1244	break;
1245	default:
1246	IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_AUTH,
1247	ni->ni_macaddr, "shared key auth",
1248	"bad seq %d", seq);
1249	ic->ic_stats.is_rx_bad_auth++;
1250	estatus = IEEE80211_STATUS_SEQUENCE;
1251	goto bad;
1252	}
1253	IEEE80211_SEND_MGMT(ic, ni,
1254	IEEE80211_FC0_SUBTYPE_AUTH, seq + `1`);
1255	}
1256	#endif /* !IEEE80211_NO_HOSTAP */
1257	break;
1258
1259	case IEEE80211_M_STA:
1260	if (ic->ic_state != IEEE80211_S_AUTH)
1261	return;
1262	switch (seq) {
1263	case IEEE80211_AUTH_SHARED_PASS:
1264	if (ni->ni_challenge != NULL) {
1265	free(ni->ni_challenge, M_DEVBUF);
1266	ni->ni_challenge = NULL;
1267	}
1268	if (status != `0`) {
1269	IEEE80211_DPRINTF(ic,
1270	IEEE80211_MSG_DEBUG \| IEEE80211_MSG_AUTH,
1271	"[%s] shared key auth failed (reason %d)\n",
1272	ether_snprintf(ebuf, sizeof(ebuf),
1273	ieee80211_getbssid(ic, wh)),
1274	status);
1275	/ XXX can this happen? /
1276	if (ni != ic->ic_bss)
1277	ni->ni_fails++;
1278	ic->ic_stats.is_rx_auth_fail++;
1279	return;
1280	}
1281	ieee80211_new_state(ic, IEEE80211_S_ASSOC,
1282	wh->i_fc[`0`] & IEEE80211_FC0_SUBTYPE_MASK);
1283	break;
1284	case IEEE80211_AUTH_SHARED_CHALLENGE:
1285	if (!alloc_challenge(ic, ni))
1286	return;
1287	/ XXX could optimize by passing recvd challenge /
1288	memcpy(ni->ni_challenge, &challenge[`2`], challenge[`1`]);
1289	IEEE80211_SEND_MGMT(ic, ni,
1290	IEEE80211_FC0_SUBTYPE_AUTH, seq + `1`);
1291	break;
1292	default:
1293	IEEE80211_DISCARD(ic, IEEE80211_MSG_AUTH,
1294	wh, "shared key auth", "bad seq %d", seq);
1295	ic->ic_stats.is_rx_bad_auth++;
1296	return;
1297	}
1298	break;
1299	}
1300	return;
1301	bad:
1302	#ifndef IEEE80211_NO_HOSTAP
1303	/*
1304	* Send an error response; but only when operating as an AP.
1305	*/
1306	if (ic->ic_opmode == IEEE80211_M_HOSTAP) {
1307	/ XXX hack to workaround calling convention /
1308	ieee80211_send_error(ic, ni, wh->i_addr2,
1309	IEEE80211_FC0_SUBTYPE_AUTH,
1310	(seq + `1`) \| (estatus<<`16`));
1311	} else if (ic->ic_opmode == IEEE80211_M_STA) {
1312	/*
1313	* Kick the state machine. This short-circuits
1314	* using the mgt frame timeout to trigger the
1315	* state transition.
1316	*/
1317	if (ic->ic_state == IEEE80211_S_AUTH)
1318	ieee80211_new_state(ic, IEEE80211_S_SCAN, `0`);
1319	}
1320	#else
1321	;
1322	#endif /* !IEEE80211_NO_HOSTAP */
1323	}
1324
1325	/ Verify the existence and length of __elem or get out. /
1326	#define IEEE80211_VERIFY_ELEMENT(__elem, __maxlen) do { \
1327	if ((__elem) == NULL) { \
1328	IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \
1329	wh, ieee80211_mgt_subtype_name[subtype >> \
1330	IEEE80211_FC0_SUBTYPE_SHIFT], \
1331	"%s", "no " #__elem ); \
1332	ic->ic_stats.is_rx_elem_missing++; \
1333	return; \
1334	} \
1335	if ((__elem)[1] > (__maxlen)) { \
1336	IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \
1337	wh, ieee80211_mgt_subtype_name[subtype >> \
1338	IEEE80211_FC0_SUBTYPE_SHIFT], \
1339	"bad " #__elem " len %d", (__elem)[1]); \
1340	ic->ic_stats.is_rx_elem_toobig++; \
1341	return; \
1342	} \
1343	} while (0)
1344
1345	#define IEEE80211_VERIFY_LENGTH(_len, _minlen) do { \
1346	if ((_len) < (_minlen)) { \
1347	IEEE80211_DISCARD(ic, IEEE80211_MSG_ELEMID, \
1348	wh, ieee80211_mgt_subtype_name[subtype >> \
1349	IEEE80211_FC0_SUBTYPE_SHIFT], \
1350	"%s", "ie too short"); \
1351	ic->ic_stats.is_rx_elem_toosmall++; \
1352	return; \
1353	} \
1354	} while (0)
1355
1356	#ifdef IEEE80211_DEBUG
1357	static void
1358	ieee80211_ssid_mismatch(struct ieee80211com ic, const* char *tag,
1359	u_int8_t mac[IEEE80211_ADDR_LEN], u_int8_t *ssid)
1360	{
1361	char ebuf[`3` * ETHER_ADDR_LEN];
1362
1363	printf("[%s] discard %s frame, ssid mismatch: ",
1364	ether_snprintf(ebuf, sizeof(ebuf), mac), tag);
1365	ieee80211_print_essid(ssid + `2`, ssid[`1`]);
1366	printf("\n");
1367	}
1368
1369	#define IEEE80211_VERIFY_SSID(_ni, _ssid) do { \
1370	if ((_ssid)[1] != 0 && \
1371	((_ssid)[1] != (_ni)->ni_esslen \|\| \
1372	memcmp((_ssid) + 2, (_ni)->ni_essid, (_ssid)[1]) != 0)) { \
1373	if (ieee80211_msg_input(ic)) \
1374	ieee80211_ssid_mismatch(ic, \
1375	ieee80211_mgt_subtype_name[subtype >> \
1376	IEEE80211_FC0_SUBTYPE_SHIFT], \
1377	wh->i_addr2, _ssid); \
1378	ic->ic_stats.is_rx_ssidmismatch++; \
1379	return; \
1380	} \
1381	} while (0)
1382	#else /* !IEEE80211_DEBUG */
1383	#define IEEE80211_VERIFY_SSID(_ni, _ssid) do { \
1384	if ((_ssid)[1] != 0 && \
1385	((_ssid)[1] != (_ni)->ni_esslen \|\| \
1386	memcmp((_ssid) + 2, (_ni)->ni_essid, (_ssid)[1]) != 0)) { \
1387	ic->ic_stats.is_rx_ssidmismatch++; \
1388	return; \
1389	} \
1390	} while (0)
1391	#endif /* !IEEE80211_DEBUG */
1392
1393	/ unaligned little endian access /
1394	#define LE_READ_2(p) \
1395	((u_int16_t) \
1396	((((const u_int8_t *)(p))[0] ) \| \
1397	(((const u_int8_t *)(p))[1] << 8)))
1398	#define LE_READ_4(p) \
1399	((u_int32_t) \
1400	((((const u_int8_t *)(p))[0] ) \| \
1401	(((const u_int8_t *)(p))[1] << 8) \| \
1402	(((const u_int8_t *)(p))[2] << 16) \| \
1403	(((const u_int8_t *)(p))[3] << 24)))
1404
1405	static __inline int
1406	iswpaoui(const u_int8_t *frm)
1407	{
1408	return frm[`1`] > `3` && LE_READ_4(frm+`2`) == ((WPA_OUI_TYPE<<`24`)\|WPA_OUI);
1409	}
1410
1411	static __inline int
1412	iswmeoui(const u_int8_t *frm)
1413	{
1414	return frm[`1`] > `3` && LE_READ_4(frm+`2`) == ((WME_OUI_TYPE<<`24`)\|WME_OUI);
1415	}
1416
1417	static __inline int
1418	iswmeparam(const u_int8_t *frm)
1419	{
1420	return frm[`1`] > `5` && LE_READ_4(frm+`2`) == ((WME_OUI_TYPE<<`24`)\|WME_OUI) &&
1421	frm[`6`] == WME_PARAM_OUI_SUBTYPE;
1422	}
1423
1424	static __inline int
1425	iswmeinfo(const u_int8_t *frm)
1426	{
1427	return frm[`1`] > `5` && LE_READ_4(frm+`2`) == ((WME_OUI_TYPE<<`24`)\|WME_OUI) &&
1428	frm[`6`] == WME_INFO_OUI_SUBTYPE;
1429	}
1430
1431	/*
1432	* Convert a WPA cipher selector OUI to an internal
1433	* cipher algorithm. Where appropriate we also
1434	* record any key length.
1435	*/
1436	static int
1437	wpa_cipher(u_int8_t sel, u_int8_t keylen)
1438	{
1439	#define WPA_SEL(x) (((x)<<24)\|WPA_OUI)
1440	u_int32_t w = LE_READ_4(sel);
1441
1442	switch (w) {
1443	case WPA_SEL(WPA_CSE_NULL):
1444	return IEEE80211_CIPHER_NONE;
1445	case WPA_SEL(WPA_CSE_WEP40):
1446	if (keylen)
1447	*keylen = `40` / NBBY;
1448	return IEEE80211_CIPHER_WEP;
1449	case WPA_SEL(WPA_CSE_WEP104):
1450	if (keylen)
1451	*keylen = `104` / NBBY;
1452	return IEEE80211_CIPHER_WEP;
1453	case WPA_SEL(WPA_CSE_TKIP):
1454	return IEEE80211_CIPHER_TKIP;
1455	case WPA_SEL(WPA_CSE_CCMP):
1456	return IEEE80211_CIPHER_AES_CCM;
1457	}
1458	return `32`; / NB: so 1<< is discarded /
1459	#undef WPA_SEL
1460	}
1461
1462	/*
1463	* Convert a WPA key management/authentication algorithm
1464	* to an internal code.
1465	*/
1466	static int
1467	wpa_keymgmt(u_int8_t *sel)
1468	{
1469	#define WPA_SEL(x) (((x)<<24)\|WPA_OUI)
1470	u_int32_t w = LE_READ_4(sel);
1471
1472	switch (w) {
1473	case WPA_SEL(WPA_ASE_8021X_UNSPEC):
1474	return WPA_ASE_8021X_UNSPEC;
1475	case WPA_SEL(WPA_ASE_8021X_PSK):
1476	return WPA_ASE_8021X_PSK;
1477	case WPA_SEL(WPA_ASE_NONE):
1478	return WPA_ASE_NONE;
1479	}
1480	return `0`; / NB: so is discarded /
1481	#undef WPA_SEL
1482	}
1483
1484	/*
1485	* Parse a WPA information element to collect parameters
1486	* and validate the parameters against what has been
1487	* configured for the system.
1488	*/
1489	static int
1490	ieee80211_parse_wpa(struct ieee80211com ic, u_int8_t frm,
1491	struct ieee80211_rsnparms rsn, const* struct ieee80211_frame *wh)
1492	{
1493	u_int8_t len = frm[`1`];
1494	u_int32_t w;
1495	int n;
1496
1497	/*
1498	* Check the length once for fixed parts: OUI, type,
1499	* version, mcast cipher, and 2 selector counts.
1500	* Other, variable-length data, must be checked separately.
1501	*/
1502	if ((ic->ic_flags & IEEE80211_F_WPA1) == `0`) {
1503	IEEE80211_DISCARD_IE(ic,
1504	IEEE80211_MSG_ELEMID \| IEEE80211_MSG_WPA,
1505	wh, "WPA", "not WPA, flags 0x%x", ic->ic_flags);
1506	return IEEE80211_REASON_IE_INVALID;
1507	}
1508	if (len < `14`) {
1509	IEEE80211_DISCARD_IE(ic,
1510	IEEE80211_MSG_ELEMID \| IEEE80211_MSG_WPA,
1511	wh, "WPA", "too short, len %u", len);
1512	return IEEE80211_REASON_IE_INVALID;
1513	}
1514	frm += `6`, len -= `4`; / NB: len is payload only /
1515	/ NB: iswapoui already validated the OUI and type /
1516	w = LE_READ_2(frm);
1517	if (w != WPA_VERSION) {
1518	IEEE80211_DISCARD_IE(ic,
1519	IEEE80211_MSG_ELEMID \| IEEE80211_MSG_WPA,
1520	wh, "WPA", "bad version %u", w);
1521	return IEEE80211_REASON_IE_INVALID;
1522	}
1523	frm += `2`, len -= `2`;
1524
1525	/ multicast/group cipher /
1526	w = wpa_cipher(frm, &rsn->rsn_mcastkeylen);
1527	if (w != rsn->rsn_mcastcipher) {
1528	IEEE80211_DISCARD_IE(ic,
1529	IEEE80211_MSG_ELEMID \| IEEE80211_MSG_WPA,
1530	wh, "WPA", "mcast cipher mismatch; got %u, expected %u",
1531	w, rsn->rsn_mcastcipher);
1532	return IEEE80211_REASON_IE_INVALID;
1533	}
1534	frm += `4`, len -= `4`;
1535
1536	/ unicast ciphers /
1537	n = LE_READ_2(frm);
1538	frm += `2`, len -= `2`;
1539	if (len < n*`4`+`2`) {
1540	IEEE80211_DISCARD_IE(ic,
1541	IEEE80211_MSG_ELEMID \| IEEE80211_MSG_WPA,
1542	wh, "WPA", "ucast cipher data too short; len %u, n %u",
1543	len, n);
1544	return IEEE80211_REASON_IE_INVALID;
1545	}
1546	w = `0`;
1547	for (; n > `0`; n--) {
1548	w \|= `1`<<wpa_cipher(frm, &rsn->rsn_ucastkeylen);
1549	frm += `4`, len -= `4`;
1550	}
1551	w &= rsn->rsn_ucastcipherset;
1552	if (w == `0`) {
1553	IEEE80211_DISCARD_IE(ic,
1554	IEEE80211_MSG_ELEMID \| IEEE80211_MSG_WPA,
1555	wh, "WPA", "%s", "ucast cipher set empty");
1556	return IEEE80211_REASON_IE_INVALID;
1557	}
1558	if (w & (`1`<<IEEE80211_CIPHER_TKIP))
1559	rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
1560	else
1561	rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
1562
1563	/ key management algorithms /
1564	n = LE_READ_2(frm);
1565	frm += `2`, len -= `2`;
1566	if (len < n*`4`) {
1567	IEEE80211_DISCARD_IE(ic,
1568	IEEE80211_MSG_ELEMID \| IEEE80211_MSG_WPA,
1569	wh, "WPA", "key mgmt alg data too short; len %u, n %u",
1570	len, n);
1571	return IEEE80211_REASON_IE_INVALID;
1572	}
1573	w = `0`;
1574	for (; n > `0`; n--) {
1575	w \|= wpa_keymgmt(frm);
1576	frm += `4`, len -= `4`;
1577	}
1578	w &= rsn->rsn_keymgmtset;
1579	if (w == `0`) {
1580	IEEE80211_DISCARD_IE(ic,
1581	IEEE80211_MSG_ELEMID \| IEEE80211_MSG_WPA,
1582	wh, "WPA", "%s", "no acceptable key mgmt alg");
1583	return IEEE80211_REASON_IE_INVALID;
1584	}
1585	if (w & WPA_ASE_8021X_UNSPEC)
1586	rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC;
1587	else
1588	rsn->rsn_keymgmt = WPA_ASE_8021X_PSK;
1589
1590	if (len > `2`) / optional capabilities /
1591	rsn->rsn_caps = LE_READ_2(frm);
1592
1593	return `0`;
1594	}
1595
1596	/*
1597	* Convert an RSN cipher selector OUI to an internal
1598	* cipher algorithm. Where appropriate we also
1599	* record any key length.
1600	*/
1601	static int
1602	rsn_cipher(u_int8_t sel, u_int8_t keylen)
1603	{
1604	#define RSN_SEL(x) (((x)<<24)\|RSN_OUI)
1605	u_int32_t w = LE_READ_4(sel);
1606
1607	switch (w) {
1608	case RSN_SEL(RSN_CSE_NULL):
1609	return IEEE80211_CIPHER_NONE;
1610	case RSN_SEL(RSN_CSE_WEP40):
1611	if (keylen)
1612	*keylen = `40` / NBBY;
1613	return IEEE80211_CIPHER_WEP;
1614	case RSN_SEL(RSN_CSE_WEP104):
1615	if (keylen)
1616	*keylen = `104` / NBBY;
1617	return IEEE80211_CIPHER_WEP;
1618	case RSN_SEL(RSN_CSE_TKIP):
1619	return IEEE80211_CIPHER_TKIP;
1620	case RSN_SEL(RSN_CSE_CCMP):
1621	return IEEE80211_CIPHER_AES_CCM;
1622	case RSN_SEL(RSN_CSE_WRAP):
1623	return IEEE80211_CIPHER_AES_OCB;
1624	}
1625	return `32`; / NB: so 1<< is discarded /
1626	#undef WPA_SEL
1627	}
1628
1629	/*
1630	* Convert an RSN key management/authentication algorithm
1631	* to an internal code.
1632	*/
1633	static int
1634	rsn_keymgmt(u_int8_t *sel)
1635	{
1636	#define RSN_SEL(x) (((x)<<24)\|RSN_OUI)
1637	u_int32_t w = LE_READ_4(sel);
1638
1639	switch (w) {
1640	case RSN_SEL(RSN_ASE_8021X_UNSPEC):
1641	return RSN_ASE_8021X_UNSPEC;
1642	case RSN_SEL(RSN_ASE_8021X_PSK):
1643	return RSN_ASE_8021X_PSK;
1644	case RSN_SEL(RSN_ASE_NONE):
1645	return RSN_ASE_NONE;
1646	}
1647	return `0`; / NB: so is discarded /
1648	#undef RSN_SEL
1649	}
1650
1651	/*
1652	* Parse a WPA/RSN information element to collect parameters
1653	* and validate the parameters against what has been
1654	* configured for the system.
1655	*/
1656	static int
1657	ieee80211_parse_rsn(struct ieee80211com ic, u_int8_t frm,
1658	struct ieee80211_rsnparms rsn, const* struct ieee80211_frame *wh)
1659	{
1660	u_int8_t len = frm[`1`];
1661	u_int32_t w;
1662	int n;
1663
1664	/*
1665	* Check the length once for fixed parts:
1666	* version, mcast cipher, and 2 selector counts.
1667	* Other, variable-length data, must be checked separately.
1668	*/
1669	if ((ic->ic_flags & IEEE80211_F_WPA2) == `0`) {
1670	IEEE80211_DISCARD_IE(ic,
1671	IEEE80211_MSG_ELEMID \| IEEE80211_MSG_WPA,
1672	wh, "WPA", "not RSN, flags 0x%x", ic->ic_flags);
1673	return IEEE80211_REASON_IE_INVALID;
1674	}
1675	if (len < `10`) {
1676	IEEE80211_DISCARD_IE(ic,
1677	IEEE80211_MSG_ELEMID \| IEEE80211_MSG_WPA,
1678	wh, "RSN", "too short, len %u", len);
1679	return IEEE80211_REASON_IE_INVALID;
1680	}
1681	frm += `2`;
1682	w = LE_READ_2(frm);
1683	if (w != RSN_VERSION) {
1684	IEEE80211_DISCARD_IE(ic,
1685	IEEE80211_MSG_ELEMID \| IEEE80211_MSG_WPA,
1686	wh, "RSN", "bad version %u", w);
1687	return IEEE80211_REASON_IE_INVALID;
1688	}
1689	frm += `2`, len -= `2`;
1690
1691	/ multicast/group cipher /
1692	w = rsn_cipher(frm, &rsn->rsn_mcastkeylen);
1693	if (w != rsn->rsn_mcastcipher) {
1694	IEEE80211_DISCARD_IE(ic,
1695	IEEE80211_MSG_ELEMID \| IEEE80211_MSG_WPA,
1696	wh, "RSN", "mcast cipher mismatch; got %u, expected %u",
1697	w, rsn->rsn_mcastcipher);
1698	return IEEE80211_REASON_IE_INVALID;
1699	}
1700	frm += `4`, len -= `4`;
1701
1702	/ unicast ciphers /
1703	n = LE_READ_2(frm);
1704	frm += `2`, len -= `2`;
1705	if (len < n*`4`+`2`) {
1706	IEEE80211_DISCARD_IE(ic,
1707	IEEE80211_MSG_ELEMID \| IEEE80211_MSG_WPA,
1708	wh, "RSN", "ucast cipher data too short; len %u, n %u",
1709	len, n);
1710	return IEEE80211_REASON_IE_INVALID;
1711	}
1712	w = `0`;
1713	for (; n > `0`; n--) {
1714	w \|= `1`<<rsn_cipher(frm, &rsn->rsn_ucastkeylen);
1715	frm += `4`, len -= `4`;
1716	}
1717	w &= rsn->rsn_ucastcipherset;
1718	if (w == `0`) {
1719	IEEE80211_DISCARD_IE(ic,
1720	IEEE80211_MSG_ELEMID \| IEEE80211_MSG_WPA,
1721	wh, "RSN", "%s", "ucast cipher set empty");
1722	return IEEE80211_REASON_IE_INVALID;
1723	}
1724	if (w & (`1`<<IEEE80211_CIPHER_TKIP))
1725	rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
1726	else
1727	rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
1728
1729	/ key management algorithms /
1730	n = LE_READ_2(frm);
1731	frm += `2`, len -= `2`;
1732	if (len < n*`4`) {
1733	IEEE80211_DISCARD_IE(ic,
1734	IEEE80211_MSG_ELEMID \| IEEE80211_MSG_WPA,
1735	wh, "RSN", "key mgmt alg data too short; len %u, n %u",
1736	len, n);
1737	return IEEE80211_REASON_IE_INVALID;
1738	}
1739	w = `0`;
1740	for (; n > `0`; n--) {
1741	w \|= rsn_keymgmt(frm);
1742	frm += `4`, len -= `4`;
1743	}
1744	w &= rsn->rsn_keymgmtset;
1745	if (w == `0`) {
1746	IEEE80211_DISCARD_IE(ic,
1747	IEEE80211_MSG_ELEMID \| IEEE80211_MSG_WPA,
1748	wh, "RSN", "%s", "no acceptable key mgmt alg");
1749	return IEEE80211_REASON_IE_INVALID;
1750	}
1751	if (w & RSN_ASE_8021X_UNSPEC)
1752	rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC;
1753	else
1754	rsn->rsn_keymgmt = RSN_ASE_8021X_PSK;
1755
1756	/ optional RSN capabilities /
1757	if (len > `2`)
1758	rsn->rsn_caps = LE_READ_2(frm);
1759	/ XXXPMKID /
1760
1761	return `0`;
1762	}
1763
1764	static int
1765	ieee80211_parse_wmeparams(struct ieee80211com ic, u_int8_t frm,
1766	const struct ieee80211_frame *wh)
1767	{
1768	#define MS(_v, _f) (((_v) & _f) >> _f##_S)
1769	struct ieee80211_wme_state *wme = &ic->ic_wme;
1770	u_int len = frm[`1`], qosinfo;
1771	int i;
1772
1773	if (len < sizeof(struct ieee80211_wme_param)-`2`) {
1774	IEEE80211_DISCARD_IE(ic,
1775	IEEE80211_MSG_ELEMID \| IEEE80211_MSG_WME,
1776	wh, "WME", "too short, len %u", len);
1777	return -`1`;
1778	}
1779	qosinfo = frm[offsetof(struct ieee80211_wme_param, param_qosInfo)];
1780	qosinfo &= WME_QOSINFO_COUNT;
1781	/ XXX do proper check for wraparound /
1782	if (qosinfo == wme->wme_wmeChanParams.cap_info)
1783	return `0`;
1784	frm += offsetof(struct ieee80211_wme_param, params_acParams);
1785	for (i = `0`; i < WME_NUM_AC; i++) {
1786	struct wmeParams *wmep =
1787	&wme->wme_wmeChanParams.cap_wmeParams[i];
1788	/ NB: ACI not used /
1789	wmep->wmep_acm = MS(frm[`0`], WME_PARAM_ACM);
1790	wmep->wmep_aifsn = MS(frm[`0`], WME_PARAM_AIFSN);
1791	wmep->wmep_logcwmin = MS(frm[`1`], WME_PARAM_LOGCWMIN);
1792	wmep->wmep_logcwmax = MS(frm[`1`], WME_PARAM_LOGCWMAX);
1793	wmep->wmep_txopLimit = LE_READ_2(frm+`2`);
1794	frm += `4`;
1795	}
1796	wme->wme_wmeChanParams.cap_info = qosinfo;
1797	return `1`;
1798	#undef MS
1799	}
1800
1801	void
1802	ieee80211_saveie(u_int8_t *iep, const* u_int8_t *ie)
1803	{
1804	u_int ielen = ie[`1`]+`2`;
1805	/*
1806	* Record information element for later use.
1807	*/
1808	if (iep == NULL \|\| (iep)[`1`] != ie[`1`]) {
1809	if (*iep != NULL)
1810	free(*iep, M_DEVBUF);
1811	*iep = malloc(ielen, M_DEVBUF, M_NOWAIT);
1812	}
1813	if (*iep != NULL)
1814	memcpy(*iep, ie, ielen);
1815	/ XXX note failure /
1816	}
1817
1818	static void
1819	ieee80211_update_adhoc_node(struct ieee80211com ic, struct* ieee80211_node *ni,
1820	struct ieee80211_frame wh, struct* ieee80211_scanparams scan, int* rssi,
1821	u_int32_t rstamp)
1822	{
1823	if (!IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr)) {
1824	/*
1825	* Create a new entry in the neighbor table.
1826	* Records the TSF.
1827	*/
1828	if ((ni = ieee80211_add_neighbor(ic, wh, scan)) == NULL)
1829	return;
1830	} else if (ni->ni_capinfo == `0`) {
1831	/*
1832	* Initialize a node that was "faked up." Records
1833	* the TSF.
1834	*
1835	* No need to check for a change of BSSID: ni could
1836	* not have been the IBSS (ic_bss)
1837	*/
1838	ieee80211_init_neighbor(ic, ni, wh, scan, `0`);
1839	} else {
1840	/ Record TSF for potential resync. /
1841	memcpy(ni->ni_tstamp.data, scan->tstamp, sizeof(ni->ni_tstamp));
1842	}
1843
1844	ni->ni_rssi = rssi;
1845	ni->ni_rstamp = rstamp;
1846
1847	/ Mark a neighbor's change of BSSID. /
1848	if (IEEE80211_ADDR_EQ(wh->i_addr3, ni->ni_bssid))
1849	return;
1850
1851	IEEE80211_ADDR_COPY(ni->ni_bssid, wh->i_addr3);
1852
1853	if (ni != ic->ic_bss)
1854	return;
1855	else if (ic->ic_flags & IEEE80211_F_DESBSSID) {
1856	/*
1857	* Now, ni does not represent a network we
1858	* want to belong to, so start a scan.
1859	*/
1860	ieee80211_new_state(ic, IEEE80211_S_SCAN, `0`);
1861	return;
1862	} else {
1863	/*
1864	* A RUN->RUN transition lets the driver
1865	* reprogram its BSSID filter.
1866	*
1867	* No need to SCAN, we already belong to
1868	* an IBSS that meets our criteria: channel,
1869	* SSID, etc. It could be harmful to scan,
1870	* too: if a scan does not detect nodes
1871	* belonging to my current IBSS, then we
1872	* will create a new IBSS at the end of
1873	* the scan, needlessly splitting the
1874	* network.
1875	*/
1876	ieee80211_new_state(ic, IEEE80211_S_RUN, `0`);
1877	}
1878	}
1879
1880	void
1881	ieee80211_recv_mgmt(struct ieee80211com ic, struct* mbuf *m0,
1882	struct ieee80211_node *ni,
1883	int subtype, int rssi, u_int32_t rstamp)
1884	{
1885	#define ISPROBE(_st) ((_st) == IEEE80211_FC0_SUBTYPE_PROBE_RESP)
1886	#define ISREASSOC(_st) ((_st) == IEEE80211_FC0_SUBTYPE_REASSOC_RESP)
1887	struct ieee80211_frame *wh;
1888	u_int8_t frm, efrm;
1889	u_int8_t ssid, rates, xrates, wpa, *wme;
1890	int reassoc, resp, allocbs;
1891	u_int8_t rate;
1892	IEEE80211_DEBUGVAR(char ebuf[`3` * ETHER_ADDR_LEN]);
1893
1894	wh = mtod(m0, struct ieee80211_frame *);
1895	frm = (u_int8_t *)&wh[`1`];
1896	efrm = mtod(m0, u_int8_t *) + m0->m_len;
1897	switch (subtype) {
1898	case IEEE80211_FC0_SUBTYPE_PROBE_RESP:
1899	case IEEE80211_FC0_SUBTYPE_BEACON: {
1900	struct ieee80211_scanparams scan;
1901
1902	/*
1903	* We process beacon/probe response frames:
1904	* o when scanning, or
1905	* o station mode when associated (to collect state
1906	* updates such as 802.11g slot time), or
1907	* o adhoc mode (to discover neighbors)
1908	* Frames otherwise received are discarded.
1909	*/
1910	if (!((ic->ic_flags & IEEE80211_F_SCAN) \|\|
1911	(ic->ic_opmode == IEEE80211_M_STA && ni->ni_associd) \|\|
1912	ic->ic_opmode == IEEE80211_M_IBSS)) {
1913	ic->ic_stats.is_rx_mgtdiscard++;
1914	return;
1915	}
1916	/*
1917	* beacon/probe response frame format
1918	* [8] time stamp
1919	* [2] beacon interval
1920	* [2] capability information
1921	* [tlv] ssid
1922	* [tlv] supported rates
1923	* [tlv] country information
1924	* [tlv] parameter set (FH/DS)
1925	* [tlv] erp information
1926	* [tlv] extended supported rates
1927	* [tlv] WME
1928	* [tlv] WPA or RSN
1929	*/
1930	IEEE80211_VERIFY_LENGTH(efrm - frm, `12`);
1931	memset(&scan, `0`, sizeof(scan));
1932	scan.tstamp = frm; frm += `8`;
1933	scan.bintval = le16toh((u_int16_t )frm); frm += `2`;
1934	scan.capinfo = le16toh((u_int16_t )frm); frm += `2`;
1935	scan.bchan = ieee80211_chan2ieee(ic, ic->ic_curchan);
1936	scan.chan = scan.bchan;
1937
1938	while (frm < efrm) {
1939	switch (*frm) {
1940	case IEEE80211_ELEMID_SSID:
1941	scan.ssid = frm;
1942	break;
1943	case IEEE80211_ELEMID_RATES:
1944	scan.rates = frm;
1945	break;
1946	case IEEE80211_ELEMID_COUNTRY:
1947	scan.country = frm;
1948	break;
1949	case IEEE80211_ELEMID_FHPARMS:
1950	if (ic->ic_phytype == IEEE80211_T_FH) {
1951	scan.fhdwell = LE_READ_2(&frm[`2`]);
1952	scan.chan = IEEE80211_FH_CHAN(frm[`4`], frm[`5`]);
1953	scan.fhindex = frm[`6`];
1954	}
1955	break;
1956	case IEEE80211_ELEMID_DSPARMS:
1957	/*
1958	* XXX hack this since depending on phytype
1959	* is problematic for multi-mode devices.
1960	*/
1961	if (ic->ic_phytype != IEEE80211_T_FH)
1962	scan.chan = frm[`2`];
1963	break;
1964	case IEEE80211_ELEMID_TIM:
1965	/ XXX ATIM? /
1966	scan.tim = frm;
1967	scan.timoff = frm - mtod(m0, u_int8_t *);
1968	break;
1969	case IEEE80211_ELEMID_IBSSPARMS:
1970	break;
1971	case IEEE80211_ELEMID_XRATES:
1972	scan.xrates = frm;
1973	break;
1974	case IEEE80211_ELEMID_ERP:
1975	if (frm[`1`] != `1`) {
1976	IEEE80211_DISCARD_IE(ic,
1977	IEEE80211_MSG_ELEMID, wh, "ERP",
1978	"bad len %u", frm[`1`]);
1979	ic->ic_stats.is_rx_elem_toobig++;
1980	break;
1981	}
1982	scan.erp = frm[`2`];
1983	break;
1984	case IEEE80211_ELEMID_RSN:
1985	scan.wpa = frm;
1986	break;
1987	case IEEE80211_ELEMID_VENDOR:
1988	if (iswpaoui(frm))
1989	scan.wpa = frm;
1990	else if (iswmeparam(frm) \|\| iswmeinfo(frm))
1991	scan.wme = frm;
1992	/ XXX Atheros OUI support /
1993	break;
1994	default:
1995	IEEE80211_DISCARD_IE(ic, IEEE80211_MSG_ELEMID,
1996	wh, "unhandled",
1997	"id %u, len %u", *frm, frm[`1`]);
1998	ic->ic_stats.is_rx_elem_unknown++;
1999	break;
2000	}
2001	frm += frm[`1`] + `2`;
2002	}
2003	IEEE80211_VERIFY_ELEMENT(scan.rates, IEEE80211_RATE_MAXSIZE);
2004	IEEE80211_VERIFY_ELEMENT(scan.ssid, IEEE80211_NWID_LEN);
2005	if (
2006	#if IEEE80211_CHAN_MAX < 255
2007	scan.chan > IEEE80211_CHAN_MAX \|\|
2008	#endif
2009	isclr(ic->ic_chan_active, scan.chan)) {
2010	IEEE80211_DISCARD(ic,
2011	IEEE80211_MSG_ELEMID \| IEEE80211_MSG_INPUT,
2012	wh, ieee80211_mgt_subtype_name[subtype >>
2013	IEEE80211_FC0_SUBTYPE_SHIFT],
2014	"invalid channel %u", scan.chan);
2015	ic->ic_stats.is_rx_badchan++;
2016	return;
2017	}
2018	if (scan.chan != scan.bchan &&
2019	ic->ic_phytype != IEEE80211_T_FH) {
2020	/*
2021	* Frame was received on a channel different from the
2022	* one indicated in the DS params element id;
2023	* silently discard it.
2024	*
2025	* NB: this can happen due to signal leakage.
2026	* But we should take it for FH phy because
2027	* the rssi value should be correct even for
2028	* different hop pattern in FH.
2029	*/
2030	IEEE80211_DISCARD(ic,
2031	IEEE80211_MSG_ELEMID \| IEEE80211_MSG_INPUT,
2032	wh, ieee80211_mgt_subtype_name[subtype >>
2033	IEEE80211_FC0_SUBTYPE_SHIFT],
2034	"for off-channel %u", scan.chan);
2035	ic->ic_stats.is_rx_chanmismatch++;
2036	return;
2037	}
2038	if (!(IEEE80211_BINTVAL_MIN <= scan.bintval &&
2039	scan.bintval <= IEEE80211_BINTVAL_MAX)) {
2040	IEEE80211_DISCARD(ic,
2041	IEEE80211_MSG_ELEMID \| IEEE80211_MSG_INPUT,
2042	wh, ieee80211_mgt_subtype_name[subtype >>
2043	IEEE80211_FC0_SUBTYPE_SHIFT],
2044	"bogus beacon interval", scan.bintval);
2045	ic->ic_stats.is_rx_badbintval++;
2046	return;
2047	}
2048
2049	if (ni != ic->ic_bss) {
2050	ni = ieee80211_refine_node_for_beacon(ic, ni,
2051	&ic->ic_channels[scan.chan], scan.ssid);
2052	}
2053	/*
2054	* Count frame now that we know it's to be processed.
2055	*/
2056	if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) {
2057	ic->ic_stats.is_rx_beacon++; / XXX remove /
2058	IEEE80211_NODE_STAT(ni, rx_beacons);
2059	} else
2060	IEEE80211_NODE_STAT(ni, rx_proberesp);
2061
2062	/*
2063	* When operating in station mode, check for state updates.
2064	* Be careful to ignore beacons received while doing a
2065	* background scan. We consider only 11g/WMM stuff right now.
2066	*/
2067	if (ic->ic_opmode == IEEE80211_M_STA &&
2068	ni->ni_associd != `0` &&
2069	((ic->ic_flags & IEEE80211_F_SCAN) == `0` \|\|
2070	IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_bssid))) {
2071	/ record tsf of last beacon /
2072	memcpy(ni->ni_tstamp.data, scan.tstamp,
2073	sizeof(ni->ni_tstamp));
2074	if (ni->ni_erp != scan.erp) {
2075	IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC,
2076	"[%s] erp change: was 0x%x, now 0x%x\n",
2077	ether_snprintf(ebuf, sizeof(ebuf),
2078	wh->i_addr2), ni->ni_erp, scan.erp);
2079	if (ic->ic_curmode == IEEE80211_MODE_11G &&
2080	(ni->ni_erp & IEEE80211_ERP_USE_PROTECTION))
2081	ic->ic_flags \|= IEEE80211_F_USEPROT;
2082	else
2083	ic->ic_flags &= ~IEEE80211_F_USEPROT;
2084	ni->ni_erp = scan.erp;
2085	/ XXX statistic /
2086	}
2087	if ((ni->ni_capinfo ^ scan.capinfo) & IEEE80211_CAPINFO_SHORT_SLOTTIME) {
2088	IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC,
2089	"[%s] capabilities change: before 0x%x,"
2090	" now 0x%x\n",
2091	ether_snprintf(ebuf, sizeof(ebuf),
2092	wh->i_addr2),
2093	ni->ni_capinfo, scan.capinfo);
2094	/*
2095	* NB: we assume short preamble doesn't
2096	* change dynamically
2097	*/
2098	ieee80211_set_shortslottime(ic,
2099	ic->ic_curmode == IEEE80211_MODE_11A \|\|
2100	(ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME));
2101	ni->ni_capinfo = scan.capinfo;
2102	/ XXX statistic /
2103	}
2104	if (scan.wme != NULL &&
2105	(ni->ni_flags & IEEE80211_NODE_QOS) &&
2106	ieee80211_parse_wmeparams(ic, scan.wme, wh) > `0`)
2107	ieee80211_wme_updateparams(ic);
2108	if (scan.tim != NULL) {
2109	struct ieee80211_tim_ie *ie =
2110	(struct ieee80211_tim_ie *) scan.tim;
2111
2112	ni->ni_dtim_count = ie->tim_count;
2113	ni->ni_dtim_period = ie->tim_period;
2114	}
2115	if (ic->ic_flags & IEEE80211_F_SCAN)
2116	ieee80211_add_scan(ic, &scan, wh,
2117	subtype, rssi, rstamp);
2118	ic->ic_bmiss_count = `0`;
2119	return;
2120	}
2121	/*
2122	* If scanning, just pass information to the scan module.
2123	*/
2124	if (ic->ic_flags & IEEE80211_F_SCAN) {
2125	if (ic->ic_flags_ext & IEEE80211_FEXT_PROBECHAN) {
2126	/*
2127	* Actively scanning a channel marked passive;
2128	* send a probe request now that we know there
2129	* is 802.11 traffic present.
2130	*
2131	* XXX check if the beacon we recv'd gives
2132	* us what we need and suppress the probe req
2133	*/
2134	ieee80211_probe_curchan(ic, `1`);
2135	ic->ic_flags_ext &= ~IEEE80211_FEXT_PROBECHAN;
2136	}
2137	ieee80211_add_scan(ic, &scan, wh,
2138	subtype, rssi, rstamp);
2139	return;
2140	}
2141	if (scan.capinfo & IEEE80211_CAPINFO_IBSS)
2142	ieee80211_update_adhoc_node(ic, ni, wh, &scan, rssi,
2143	rstamp);
2144	break;
2145	}
2146
2147	case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
2148	if (ic->ic_opmode == IEEE80211_M_STA \|\|
2149	ic->ic_state != IEEE80211_S_RUN) {
2150	ic->ic_stats.is_rx_mgtdiscard++;
2151	return;
2152	}
2153	if (IEEE80211_IS_MULTICAST(wh->i_addr2)) {
2154	/ frame must be directed /
2155	ic->ic_stats.is_rx_mgtdiscard++; / XXX stat /
2156	return;
2157	}
2158
2159	/*
2160	* prreq frame format
2161	* [tlv] ssid
2162	* [tlv] supported rates
2163	* [tlv] extended supported rates
2164	*/
2165	ssid = rates = xrates = NULL;
2166	while (frm < efrm) {
2167	switch (*frm) {
2168	case IEEE80211_ELEMID_SSID:
2169	ssid = frm;
2170	break;
2171	case IEEE80211_ELEMID_RATES:
2172	rates = frm;
2173	break;
2174	case IEEE80211_ELEMID_XRATES:
2175	xrates = frm;
2176	break;
2177	}
2178	frm += frm[`1`] + `2`;
2179	}
2180	IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE);
2181	IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN);
2182	IEEE80211_VERIFY_SSID(ic->ic_bss, ssid);
2183	if ((ic->ic_flags & IEEE80211_F_HIDESSID) && ssid[`1`] == `0`) {
2184	IEEE80211_DISCARD(ic, IEEE80211_MSG_INPUT,
2185	wh, ieee80211_mgt_subtype_name[subtype >>
2186	IEEE80211_FC0_SUBTYPE_SHIFT],
2187	"%s", "no ssid with ssid suppression enabled");
2188	ic->ic_stats.is_rx_ssidmismatch++; /XXX/
2189	return;
2190	}
2191
2192	if (ni == ic->ic_bss) {
2193	if (ic->ic_opmode != IEEE80211_M_IBSS)
2194	ni = ieee80211_tmp_node(ic, wh->i_addr2);
2195	else if (IEEE80211_ADDR_EQ(wh->i_addr2, ni->ni_macaddr))
2196	;
2197	else {
2198	/*
2199	* XXX Cannot tell if the sender is operating
2200	* in ibss mode. But we need a new node to
2201	* send the response so blindly add them to the
2202	* neighbor table.
2203	*/
2204	ni = ieee80211_fakeup_adhoc_node(&ic->ic_sta,
2205	wh->i_addr2);
2206	}
2207	if (ni == NULL)
2208	return;
2209	allocbs = `1`;
2210	} else
2211	allocbs = `0`;
2212	IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC,
2213	"[%s] recv probe req\n", ether_snprintf(
2214	ebuf, sizeof(ebuf), wh->i_addr2));
2215	ni->ni_rssi = rssi;
2216	ni->ni_rstamp = rstamp;
2217	rate = ieee80211_setup_rates(ni, rates, xrates,
2218	IEEE80211_R_DOSORT \| IEEE80211_R_DOFRATE
2219	\| IEEE80211_R_DONEGO \| IEEE80211_R_DODEL);
2220	if (rate & IEEE80211_RATE_BASIC) {
2221	IEEE80211_DISCARD(ic, IEEE80211_MSG_XRATE,
2222	wh, ieee80211_mgt_subtype_name[subtype >>
2223	IEEE80211_FC0_SUBTYPE_SHIFT],
2224	"%s", "recv'd rate set invalid");
2225	} else {
2226	IEEE80211_SEND_MGMT(ic, ni,
2227	IEEE80211_FC0_SUBTYPE_PROBE_RESP, `0`);
2228	}
2229	if (allocbs && ic->ic_opmode != IEEE80211_M_IBSS) {
2230	/ reclaim immediately /
2231	ieee80211_free_node(ni);
2232	}
2233	break;
2234
2235	case IEEE80211_FC0_SUBTYPE_AUTH: {
2236	u_int16_t algo, seq, status;
2237	/*
2238	* auth frame format
2239	* [2] algorithm
2240	* [2] sequence
2241	* [2] status
2242	* [tlv*] challenge
2243	*/
2244	IEEE80211_VERIFY_LENGTH(efrm - frm, `6`);
2245	algo = le16toh((u_int16_t )frm);
2246	seq = le16toh((u_int16_t )(frm + `2`));
2247	status = le16toh((u_int16_t )(frm + `4`));
2248	IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH,
2249	"[%s] recv auth frame with algorithm %d seq %d\n",
2250	ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2), algo, seq);
2251	/*
2252	* Consult the ACL policy module if setup.
2253	*/
2254	if (ic->ic_acl != NULL &&
2255	!ic->ic_acl->iac_check(ic, wh->i_addr2)) {
2256	IEEE80211_DISCARD(ic, IEEE80211_MSG_ACL,
2257	wh, "auth", "%s", "disallowed by ACL");
2258	ic->ic_stats.is_rx_acl++;
2259	if (ic->ic_opmode == IEEE80211_M_HOSTAP) {
2260	IEEE80211_SEND_MGMT(ic, ni,
2261	IEEE80211_FC0_SUBTYPE_AUTH,
2262	(seq+`1`) \| (IEEE80211_STATUS_UNSPECIFIED<<`16`));
2263	}
2264	return;
2265	}
2266	if (ic->ic_flags & IEEE80211_F_COUNTERM) {
2267	IEEE80211_DISCARD(ic,
2268	IEEE80211_MSG_AUTH \| IEEE80211_MSG_CRYPTO,
2269	wh, "auth", "%s", "TKIP countermeasures enabled");
2270	ic->ic_stats.is_rx_auth_countermeasures++;
2271	#ifndef IEEE80211_NO_HOSTAP
2272	if (ic->ic_opmode == IEEE80211_M_HOSTAP) {
2273	IEEE80211_SEND_MGMT(ic, ni,
2274	IEEE80211_FC0_SUBTYPE_AUTH,
2275	IEEE80211_REASON_MIC_FAILURE);
2276	}
2277	#endif /* !IEEE80211_NO_HOSTAP */
2278	return;
2279	}
2280	if (algo == IEEE80211_AUTH_ALG_SHARED)
2281	ieee80211_auth_shared(ic, wh, frm + `6`, efrm, ni, rssi,
2282	rstamp, seq, status);
2283	else if (algo == IEEE80211_AUTH_ALG_OPEN)
2284	ieee80211_auth_open(ic, wh, ni, rssi, rstamp, seq,
2285	status);
2286	else {
2287	IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY,
2288	wh, "auth", "unsupported alg %d", algo);
2289	ic->ic_stats.is_rx_auth_unsupported++;
2290	#ifndef IEEE80211_NO_HOSTAP
2291	if (ic->ic_opmode == IEEE80211_M_HOSTAP) {
2292	/ XXX not right /
2293	IEEE80211_SEND_MGMT(ic, ni,
2294	IEEE80211_FC0_SUBTYPE_AUTH,
2295	(seq+`1`) \| (IEEE80211_STATUS_ALG<<`16`));
2296	}
2297	#endif /* !IEEE80211_NO_HOSTAP */
2298	return;
2299	}
2300	break;
2301	}
2302
2303	case IEEE80211_FC0_SUBTYPE_ASSOC_REQ:
2304	case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: {
2305	u_int16_t capinfo, lintval;
2306	struct ieee80211_rsnparms rsn;
2307	u_int8_t reason;
2308
2309	if (ic->ic_opmode != IEEE80211_M_HOSTAP \|\|
2310	ic->ic_state != IEEE80211_S_RUN) {
2311	ic->ic_stats.is_rx_mgtdiscard++;
2312	return;
2313	}
2314
2315	if (subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) {
2316	reassoc = `1`;
2317	resp = IEEE80211_FC0_SUBTYPE_REASSOC_RESP;
2318	} else {
2319	reassoc = `0`;
2320	resp = IEEE80211_FC0_SUBTYPE_ASSOC_RESP;
2321	}
2322	/*
2323	* asreq frame format
2324	* [2] capability information
2325	* [2] listen interval
2326	* [6*] current AP address (reassoc only)
2327	* [tlv] ssid
2328	* [tlv] supported rates
2329	* [tlv] extended supported rates
2330	* [tlv] WPA or RSN
2331	*/
2332	IEEE80211_VERIFY_LENGTH(efrm - frm, (reassoc ? `10` : `4`));
2333	if (!IEEE80211_ADDR_EQ(wh->i_addr3, ic->ic_bss->ni_bssid)) {
2334	IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY,
2335	wh, ieee80211_mgt_subtype_name[subtype >>
2336	IEEE80211_FC0_SUBTYPE_SHIFT],
2337	"%s", "wrong bssid");
2338	ic->ic_stats.is_rx_assoc_bss++;
2339	return;
2340	}
2341	capinfo = le16toh((u_int16_t )frm); frm += `2`;
2342	lintval = le16toh((u_int16_t )frm); frm += `2`;
2343	if (reassoc)
2344	frm += `6`; / ignore current AP info /
2345	ssid = rates = xrates = wpa = wme = NULL;
2346	while (frm < efrm) {
2347	switch (*frm) {
2348	case IEEE80211_ELEMID_SSID:
2349	ssid = frm;
2350	break;
2351	case IEEE80211_ELEMID_RATES:
2352	rates = frm;
2353	break;
2354	case IEEE80211_ELEMID_XRATES:
2355	xrates = frm;
2356	break;
2357	/ XXX verify only one of RSN and WPA ie's? /
2358	case IEEE80211_ELEMID_RSN:
2359	wpa = frm;
2360	break;
2361	case IEEE80211_ELEMID_VENDOR:
2362	if (iswpaoui(frm))
2363	wpa = frm;
2364	else if (iswmeinfo(frm))
2365	wme = frm;
2366	/ XXX Atheros OUI support /
2367	break;
2368	}
2369	frm += frm[`1`] + `2`;
2370	}
2371	IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE);
2372	IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN);
2373	IEEE80211_VERIFY_SSID(ic->ic_bss, ssid);
2374
2375	if (ni == ic->ic_bss) {
2376	IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY,
2377	"[%s] deny %s request, sta not authenticated\n",
2378	ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2),
2379	reassoc ? "reassoc" : "assoc");
2380	ieee80211_send_error(ic, ni, wh->i_addr2,
2381	IEEE80211_FC0_SUBTYPE_DEAUTH,
2382	IEEE80211_REASON_ASSOC_NOT_AUTHED);
2383	ic->ic_stats.is_rx_assoc_notauth++;
2384	return;
2385	}
2386	/ assert right associstion security credentials /
2387	if (wpa == NULL && (ic->ic_flags & IEEE80211_F_WPA)) {
2388	IEEE80211_DPRINTF(ic,
2389	IEEE80211_MSG_ASSOC \| IEEE80211_MSG_WPA,
2390	"[%s] no WPA/RSN IE in association request\n",
2391	ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2));
2392	IEEE80211_SEND_MGMT(ic, ni,
2393	IEEE80211_FC0_SUBTYPE_DEAUTH,
2394	IEEE80211_REASON_RSN_REQUIRED);
2395	ieee80211_node_leave(ic, ni);
2396	/ XXX distinguish WPA/RSN? /
2397	ic->ic_stats.is_rx_assoc_badwpaie++;
2398	return;
2399	}
2400	if (wpa != NULL) {
2401	/*
2402	* Parse WPA information element. Note that
2403	* we initialize the param block from the node
2404	* state so that information in the IE overrides
2405	* our defaults. The resulting parameters are
2406	* installed below after the association is assured.
2407	*/
2408	rsn = ni->ni_rsn;
2409	if (wpa[`0`] != IEEE80211_ELEMID_RSN)
2410	reason = ieee80211_parse_wpa(ic, wpa, &rsn, wh);
2411	else
2412	reason = ieee80211_parse_rsn(ic, wpa, &rsn, wh);
2413	if (reason != `0`) {
2414	IEEE80211_SEND_MGMT(ic, ni,
2415	IEEE80211_FC0_SUBTYPE_DEAUTH, reason);
2416	ieee80211_node_leave(ic, ni);
2417	/ XXX distinguish WPA/RSN? /
2418	ic->ic_stats.is_rx_assoc_badwpaie++;
2419	return;
2420	}
2421	IEEE80211_DPRINTF(ic,
2422	IEEE80211_MSG_ASSOC \| IEEE80211_MSG_WPA,
2423	"[%s] %s ie: mc %u/%u uc %u/%u key %u caps 0x%x\n",
2424	ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2),
2425	wpa[`0`] != IEEE80211_ELEMID_RSN ? "WPA" : "RSN",
2426	rsn.rsn_mcastcipher, rsn.rsn_mcastkeylen,
2427	rsn.rsn_ucastcipher, rsn.rsn_ucastkeylen,
2428	rsn.rsn_keymgmt, rsn.rsn_caps);
2429	}
2430	/ discard challenge after association /
2431	if (ni->ni_challenge != NULL) {
2432	free(ni->ni_challenge, M_DEVBUF);
2433	ni->ni_challenge = NULL;
2434	}
2435	/ NB: 802.11 spec says to ignore station's privacy bit /
2436	if ((capinfo & IEEE80211_CAPINFO_ESS) == `0`) {
2437	IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY,
2438	"[%s] deny %s request, capability mismatch 0x%x\n",
2439	ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2),
2440	reassoc ? "reassoc" : "assoc", capinfo);
2441	IEEE80211_SEND_MGMT(ic, ni, resp,
2442	IEEE80211_STATUS_CAPINFO);
2443	ieee80211_node_leave(ic, ni);
2444	ic->ic_stats.is_rx_assoc_capmismatch++;
2445	return;
2446	}
2447	rate = ieee80211_setup_rates(ni, rates, xrates,
2448	IEEE80211_R_DOSORT \| IEEE80211_R_DOFRATE \|
2449	IEEE80211_R_DONEGO \| IEEE80211_R_DODEL);
2450	/*
2451	* If constrained to 11g-only stations reject an
2452	* 11b-only station. We cheat a bit here by looking
2453	* at the max negotiated xmit rate and assuming anyone
2454	* with a best rate <24Mb/s is an 11b station.
2455	*/
2456	if ((rate & IEEE80211_RATE_BASIC) \|\|
2457	((ic->ic_flags & IEEE80211_F_PUREG) && rate < `48`)) {
2458	IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY,
2459	"[%s] deny %s request, rate set mismatch\n",
2460	ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2),
2461	reassoc ? "reassoc" : "assoc");
2462	IEEE80211_SEND_MGMT(ic, ni, resp,
2463	IEEE80211_STATUS_BASIC_RATE);
2464	ieee80211_node_leave(ic, ni);
2465	ic->ic_stats.is_rx_assoc_norate++;
2466	return;
2467	}
2468	ni->ni_rssi = rssi;
2469	ni->ni_rstamp = rstamp;
2470	ni->ni_intval = lintval;
2471	ni->ni_capinfo = capinfo;
2472	ni->ni_chan = ic->ic_bss->ni_chan;
2473	ni->ni_fhdwell = ic->ic_bss->ni_fhdwell;
2474	ni->ni_fhindex = ic->ic_bss->ni_fhindex;
2475	if (wpa != NULL) {
2476	/*
2477	* Record WPA/RSN parameters for station, mark
2478	* node as using WPA and record information element
2479	* for applications that require it.
2480	*/
2481	ni->ni_rsn = rsn;
2482	ieee80211_saveie(&ni->ni_wpa_ie, wpa);
2483	} else if (ni->ni_wpa_ie != NULL) {
2484	/*
2485	* Flush any state from a previous association.
2486	*/
2487	free(ni->ni_wpa_ie, M_DEVBUF);
2488	ni->ni_wpa_ie = NULL;
2489	}
2490	if (wme != NULL) {
2491	/*
2492	* Record WME parameters for station, mark node
2493	* as capable of QoS and record information
2494	* element for applications that require it.
2495	*/
2496	ieee80211_saveie(&ni->ni_wme_ie, wme);
2497	ni->ni_flags \|= IEEE80211_NODE_QOS;
2498	} else if (ni->ni_wme_ie != NULL) {
2499	/*
2500	* Flush any state from a previous association.
2501	*/
2502	free(ni->ni_wme_ie, M_DEVBUF);
2503	ni->ni_wme_ie = NULL;
2504	ni->ni_flags &= ~IEEE80211_NODE_QOS;
2505	}
2506	ieee80211_node_join(ic, ni, resp);
2507	break;
2508	}
2509
2510	case IEEE80211_FC0_SUBTYPE_ASSOC_RESP:
2511	case IEEE80211_FC0_SUBTYPE_REASSOC_RESP: {
2512	u_int16_t capinfo, associd;
2513	u_int16_t status;
2514
2515	if (ic->ic_opmode != IEEE80211_M_STA \|\|
2516	ic->ic_state != IEEE80211_S_ASSOC) {
2517	ic->ic_stats.is_rx_mgtdiscard++;
2518	return;
2519	}
2520
2521	/*
2522	* asresp frame format
2523	* [2] capability information
2524	* [2] status
2525	* [2] association ID
2526	* [tlv] supported rates
2527	* [tlv] extended supported rates
2528	* [tlv] WME
2529	*/
2530	IEEE80211_VERIFY_LENGTH(efrm - frm, `6`);
2531	ni = ic->ic_bss;
2532	capinfo = le16toh((u_int16_t )frm);
2533	frm += `2`;
2534	status = le16toh((u_int16_t )frm);
2535	frm += `2`;
2536	if (status != `0`) {
2537	IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC,
2538	"[%s] %sassoc failed (reason %d)\n",
2539	ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2),
2540	ISREASSOC(subtype) ? "re" : "", status);
2541	if (ni != ic->ic_bss) / XXX never true? /
2542	ni->ni_fails++;
2543	ic->ic_stats.is_rx_auth_fail++; / XXX /
2544	return;
2545	}
2546	associd = le16toh((u_int16_t )frm);
2547	frm += `2`;
2548
2549	rates = xrates = wpa = wme = NULL;
2550	while (frm < efrm) {
2551	switch (*frm) {
2552	case IEEE80211_ELEMID_RATES:
2553	rates = frm;
2554	break;
2555	case IEEE80211_ELEMID_XRATES:
2556	xrates = frm;
2557	break;
2558	case IEEE80211_ELEMID_VENDOR:
2559	if (iswmeoui(frm))
2560	wme = frm;
2561	/ XXX Atheros OUI support /
2562	break;
2563	}
2564	frm += frm[`1`] + `2`;
2565	}
2566
2567	IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE);
2568	rate = ieee80211_setup_rates(ni, rates, xrates,
2569	IEEE80211_R_DOSORT \| IEEE80211_R_DOFRATE \|
2570	IEEE80211_R_DONEGO \| IEEE80211_R_DODEL);
2571	if (rate & IEEE80211_RATE_BASIC) {
2572	IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC,
2573	"[%s] %sassoc failed (rate set mismatch)\n",
2574	ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2),
2575	ISREASSOC(subtype) ? "re" : "");
2576	if (ni != ic->ic_bss) / XXX never true? /
2577	ni->ni_fails++;
2578	ic->ic_stats.is_rx_assoc_norate++;
2579	ieee80211_new_state(ic, IEEE80211_S_SCAN, `0`);
2580	return;
2581	}
2582
2583	ni->ni_capinfo = capinfo;
2584	ni->ni_associd = associd;
2585	if (wme != NULL &&
2586	ieee80211_parse_wmeparams(ic, wme, wh) >= `0`) {
2587	ni->ni_flags \|= IEEE80211_NODE_QOS;
2588	ieee80211_wme_updateparams(ic);
2589	} else
2590	ni->ni_flags &= ~IEEE80211_NODE_QOS;
2591	/*
2592	* Configure state now that we are associated.
2593	*
2594	* XXX may need different/additional driver callbacks?
2595	*/
2596	if (ic->ic_curmode == IEEE80211_MODE_11A \|\|
2597	(ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE)) {
2598	ic->ic_flags \|= IEEE80211_F_SHPREAMBLE;
2599	ic->ic_flags &= ~IEEE80211_F_USEBARKER;
2600	} else {
2601	ic->ic_flags &= ~IEEE80211_F_SHPREAMBLE;
2602	ic->ic_flags \|= IEEE80211_F_USEBARKER;
2603	}
2604	ieee80211_set_shortslottime(ic,
2605	ic->ic_curmode == IEEE80211_MODE_11A \|\|
2606	(ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_SLOTTIME));
2607	/*
2608	* Honor ERP protection.
2609	*
2610	* NB: ni_erp should zero for non-11g operation.
2611	* XXX check ic_curmode anyway?
2612	*/
2613	if (ic->ic_curmode == IEEE80211_MODE_11G &&
2614	(ni->ni_erp & IEEE80211_ERP_USE_PROTECTION))
2615	ic->ic_flags \|= IEEE80211_F_USEPROT;
2616	else
2617	ic->ic_flags &= ~IEEE80211_F_USEPROT;
2618	IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC,
2619	"[%s] %sassoc success: %s preamble, %s slot time%s%s\n",
2620	ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2),
2621	ISREASSOC(subtype) ? "re" : "",
2622	ic->ic_flags&IEEE80211_F_SHPREAMBLE ? "short" : "long",
2623	ic->ic_flags&IEEE80211_F_SHSLOT ? "short" : "long",
2624	ic->ic_flags&IEEE80211_F_USEPROT ? ", protection" : "",
2625	ni->ni_flags & IEEE80211_NODE_QOS ? ", QoS" : ""
2626	);
2627	ieee80211_new_state(ic, IEEE80211_S_RUN, subtype);
2628	break;
2629	}
2630
2631	case IEEE80211_FC0_SUBTYPE_DEAUTH: {
2632	u_int16_t reason;
2633
2634	if (ic->ic_state == IEEE80211_S_SCAN) {
2635	ic->ic_stats.is_rx_mgtdiscard++;
2636	return;
2637	}
2638	/*
2639	* deauth frame format
2640	* [2] reason
2641	*/
2642	IEEE80211_VERIFY_LENGTH(efrm - frm, `2`);
2643	reason = le16toh((u_int16_t )frm);
2644	__USE(reason);
2645	ic->ic_stats.is_rx_deauth++;
2646	IEEE80211_NODE_STAT(ni, rx_deauth);
2647
2648	if (!IEEE80211_ADDR_EQ(wh->i_addr1, ic->ic_myaddr)) {
2649	/ Not intended for this station. /
2650	ic->ic_stats.is_rx_mgtdiscard++;
2651	break;
2652	}
2653	IEEE80211_DPRINTF(ic, IEEE80211_MSG_AUTH,
2654	"[%s] recv deauthenticate (reason %d)\n",
2655	ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr), reason);
2656	switch (ic->ic_opmode) {
2657	case IEEE80211_M_STA:
2658	ieee80211_new_state(ic, IEEE80211_S_AUTH,
2659	wh->i_fc[`0`] & IEEE80211_FC0_SUBTYPE_MASK);
2660	break;
2661	case IEEE80211_M_HOSTAP:
2662	#ifndef IEEE80211_NO_HOSTAP
2663	if (ni != ic->ic_bss)
2664	ieee80211_node_leave(ic, ni);
2665	#endif /* !IEEE80211_NO_HOSTAP */
2666	break;
2667	default:
2668	ic->ic_stats.is_rx_mgtdiscard++;
2669	break;
2670	}
2671	break;
2672	}
2673
2674	case IEEE80211_FC0_SUBTYPE_DISASSOC: {
2675	u_int16_t reason;
2676
2677	if (ic->ic_state != IEEE80211_S_RUN &&
2678	ic->ic_state != IEEE80211_S_ASSOC &&
2679	ic->ic_state != IEEE80211_S_AUTH) {
2680	ic->ic_stats.is_rx_mgtdiscard++;
2681	return;
2682	}
2683	/*
2684	* disassoc frame format
2685	* [2] reason
2686	*/
2687	IEEE80211_VERIFY_LENGTH(efrm - frm, `2`);
2688	reason = le16toh((u_int16_t )frm);
2689	__USE(reason);
2690	ic->ic_stats.is_rx_disassoc++;
2691	IEEE80211_NODE_STAT(ni, rx_disassoc);
2692
2693	if (!IEEE80211_ADDR_EQ(wh->i_addr1, ic->ic_myaddr)) {
2694	/ Not intended for this station. /
2695	ic->ic_stats.is_rx_mgtdiscard++;
2696	break;
2697	}
2698	IEEE80211_DPRINTF(ic, IEEE80211_MSG_ASSOC,
2699	"[%s] recv disassociate (reason %d)\n",
2700	ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr), reason);
2701	switch (ic->ic_opmode) {
2702	case IEEE80211_M_STA:
2703	ieee80211_new_state(ic, IEEE80211_S_ASSOC,
2704	wh->i_fc[`0`] & IEEE80211_FC0_SUBTYPE_MASK);
2705	break;
2706	case IEEE80211_M_HOSTAP:
2707	#ifndef IEEE80211_NO_HOSTAP
2708	if (ni != ic->ic_bss)
2709	ieee80211_node_leave(ic, ni);
2710	#endif /* !IEEE80211_NO_HOSTAP */
2711	break;
2712	default:
2713	ic->ic_stats.is_rx_mgtdiscard++;
2714	break;
2715	}
2716	break;
2717	}
2718	default:
2719	IEEE80211_DISCARD(ic, IEEE80211_MSG_ANY,
2720	wh, "mgt", "subtype 0x%x not handled", subtype);
2721	ic->ic_stats.is_rx_badsubtype++;
2722	break;
2723	}
2724	#undef ISREASSOC
2725	#undef ISPROBE
2726	}
2727	#undef IEEE80211_VERIFY_LENGTH
2728	#undef IEEE80211_VERIFY_ELEMENT
2729
2730	#ifndef IEEE80211_NO_HOSTAP
2731	/*
2732	* Handle station power-save state change.
2733	*/
2734	static void
2735	ieee80211_node_pwrsave(struct ieee80211_node ni, int* enable)
2736	{
2737	struct ieee80211com *ic = ni->ni_ic;
2738	struct mbuf *m;
2739	IEEE80211_DEBUGVAR(char ebuf[`3` * ETHER_ADDR_LEN]);
2740
2741	if (enable) {
2742	if ((ni->ni_flags & IEEE80211_NODE_PWR_MGT) == `0`)
2743	ic->ic_ps_sta++;
2744	ni->ni_flags \|= IEEE80211_NODE_PWR_MGT;
2745	IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER,
2746	"[%s] power save mode on, %u sta's in ps mode\n",
2747	ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr),
2748	ic->ic_ps_sta);
2749	return;
2750	}
2751
2752	if (ni->ni_flags & IEEE80211_NODE_PWR_MGT)
2753	ic->ic_ps_sta--;
2754	ni->ni_flags &= ~IEEE80211_NODE_PWR_MGT;
2755	IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER,
2756	"[%s] power save mode off, %u sta's in ps mode\n",
2757	ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr), ic->ic_ps_sta);
2758	/ XXX if no stations in ps mode, flush mc frames /
2759
2760	/*
2761	* Flush queued unicast frames.
2762	*/
2763	if (IEEE80211_NODE_SAVEQ_QLEN(ni) == `0`) {
2764	if (ic->ic_set_tim != NULL)
2765	ic->ic_set_tim(ni, `0`); / just in case /
2766	return;
2767	}
2768	IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER,
2769	"[%s] flush ps queue, %u packets queued\n",
2770	ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr),
2771	IEEE80211_NODE_SAVEQ_QLEN(ni));
2772	for (;;) {
2773	int qlen;
2774
2775	IEEE80211_NODE_SAVEQ_DEQUEUE(ni, m, qlen);
2776	if (m == NULL)
2777	break;
2778	/*
2779	* If this is the last packet, turn off the TIM bit.
2780	* If there are more packets, set the more packets bit
2781	* in the mbuf so ieee80211_encap will mark the 802.11
2782	* head to indicate more data frames will follow.
2783	*/
2784	if (qlen != `0`)
2785	m->m_flags \|= M_MORE_DATA;
2786	/ XXX need different driver interface /
2787	/ XXX bypasses q max /
2788	IF_ENQUEUE(&ic->ic_ifp->if_snd, m);
2789	}
2790	if (ic->ic_set_tim != NULL)
2791	ic->ic_set_tim(ni, `0`);
2792	}
2793
2794	/*
2795	* Process a received ps-poll frame.
2796	*/
2797	static void
2798	ieee80211_recv_pspoll(struct ieee80211com *ic,
2799	struct ieee80211_node ni, struct* mbuf *m0)
2800	{
2801	struct ieee80211_frame_min *wh;
2802	struct mbuf *m;
2803	u_int16_t aid;
2804	int qlen;
2805	IEEE80211_DEBUGVAR(char ebuf[`3` * ETHER_ADDR_LEN]);
2806
2807	wh = mtod(m0, struct ieee80211_frame_min *);
2808	if (ni->ni_associd == `0`) {
2809	IEEE80211_DISCARD(ic, IEEE80211_MSG_POWER \| IEEE80211_MSG_DEBUG,
2810	(struct ieee80211_frame *) wh, "ps-poll",
2811	"%s", "unassociated station");
2812	ic->ic_stats.is_ps_unassoc++;
2813	IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH,
2814	IEEE80211_REASON_NOT_ASSOCED);
2815	return;
2816	}
2817
2818	aid = le16toh((u_int16_t )wh->i_dur);
2819	if (aid != ni->ni_associd) {
2820	IEEE80211_DISCARD(ic, IEEE80211_MSG_POWER \| IEEE80211_MSG_DEBUG,
2821	(struct ieee80211_frame *) wh, "ps-poll",
2822	"aid mismatch: sta aid 0x%x poll aid 0x%x",
2823	ni->ni_associd, aid);
2824	ic->ic_stats.is_ps_badaid++;
2825	IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH,
2826	IEEE80211_REASON_NOT_ASSOCED);
2827	return;
2828	}
2829
2830	/ Okay, take the first queued packet and put it out... /
2831	IEEE80211_NODE_SAVEQ_DEQUEUE(ni, m, qlen);
2832	if (m == NULL) {
2833	IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER,
2834	"[%s] recv ps-poll, but queue empty\n",
2835	ether_snprintf(ebuf, sizeof(ebuf), wh->i_addr2));
2836	ieee80211_send_nulldata(ieee80211_ref_node(ni));
2837	ic->ic_stats.is_ps_qempty++; / XXX node stat /
2838	if (ic->ic_set_tim != NULL)
2839	ic->ic_set_tim(ni, `0`); / just in case /
2840	return;
2841	}
2842	/*
2843	* If there are more packets, set the more packets bit
2844	* in the packet dispatched to the station; otherwise
2845	* turn off the TIM bit.
2846	*/
2847	if (qlen != `0`) {
2848	IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER,
2849	"[%s] recv ps-poll, send packet, %u still queued\n",
2850	ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr), qlen);
2851	m->m_flags \|= M_MORE_DATA;
2852	} else {
2853	IEEE80211_DPRINTF(ic, IEEE80211_MSG_POWER,
2854	"[%s] recv ps-poll, send packet, queue empty\n",
2855	ether_snprintf(ebuf, sizeof(ebuf), ni->ni_macaddr));
2856	if (ic->ic_set_tim != NULL)
2857	ic->ic_set_tim(ni, `0`);
2858	}
2859	m->m_flags \|= M_PWR_SAV; / bypass PS handling /
2860	IF_ENQUEUE(&ic->ic_ifp->if_snd, m);
2861	}
2862	#endif /* !IEEE80211_NO_HOSTAP */
2863
2864	#ifdef IEEE80211_DEBUG
2865	/*
2866	* Debugging support.
2867	*/
2868
2869	/*
2870	* Return the bssid of a frame.
2871	*/
2872	static const u_int8_t *
2873	ieee80211_getbssid(struct ieee80211com ic, const* struct ieee80211_frame *wh)
2874	{
2875	if (ic->ic_opmode == IEEE80211_M_STA)
2876	return wh->i_addr2;
2877	if ((wh->i_fc[`1`] & IEEE80211_FC1_DIR_MASK) != IEEE80211_FC1_DIR_NODS)
2878	return wh->i_addr1;
2879	if ((wh->i_fc[`0`] & IEEE80211_FC0_SUBTYPE_MASK) == IEEE80211_FC0_SUBTYPE_PS_POLL)
2880	return wh->i_addr1;
2881	return wh->i_addr3;
2882	}
2883
2884	void
2885	ieee80211_note(struct ieee80211com ic, const* char *fmt, ...)
2886	{
2887	char buf[`128`]; / XXX /
2888	va_list ap;
2889
2890	va_start(ap, fmt);
2891	vsnprintf(buf, sizeof(buf), fmt, ap);
2892	va_end(ap);
2893
2894	if_printf(ic->ic_ifp, "%s", buf); / NB: no \n /
2895	}
2896
2897	void
2898	ieee80211_note_frame(struct ieee80211com *ic,
2899	const struct ieee80211_frame *wh,
2900	const char *fmt, ...)
2901	{
2902	char buf[`128`]; / XXX /
2903	va_list ap;
2904	char ebuf[`3` * ETHER_ADDR_LEN];
2905
2906	va_start(ap, fmt);
2907	vsnprintf(buf, sizeof(buf), fmt, ap);
2908	va_end(ap);
2909	if_printf(ic->ic_ifp, "[%s] %s\n",
2910	ether_snprintf(ebuf, sizeof(ebuf),
2911	ieee80211_getbssid(ic, wh)), buf);
2912	}
2913
2914	void
2915	ieee80211_note_mac(struct ieee80211com *ic,
2916	const u_int8_t mac[IEEE80211_ADDR_LEN],
2917	const char *fmt, ...)
2918	{
2919	char buf[`128`]; / XXX /
2920	va_list ap;
2921	char ebuf[`3` * ETHER_ADDR_LEN];
2922
2923	va_start(ap, fmt);
2924	vsnprintf(buf, sizeof(buf), fmt, ap);
2925	va_end(ap);
2926	if_printf(ic->ic_ifp, "[%s] %s\n", ether_snprintf(ebuf, sizeof(ebuf),
2927	mac), buf);
2928	}
2929
2930	static void
2931	ieee80211_discard_frame(struct ieee80211com *ic,
2932	const struct ieee80211_frame *wh,
2933	const char type, const* char *fmt, ...)
2934	{
2935	va_list ap;
2936	char ebuf[`3` * ETHER_ADDR_LEN];
2937
2938	printf("[%s:%s] discard ", ic->ic_ifp->if_xname,
2939	ether_snprintf(ebuf, sizeof(ebuf), ieee80211_getbssid(ic, wh)));
2940	if (type != NULL)
2941	printf("%s frame, ", type);
2942	else
2943	printf("frame, ");
2944	va_start(ap, fmt);
2945	vprintf(fmt, ap);
2946	va_end(ap);
2947	printf("\n");
2948	}
2949
2950	static void
2951	ieee80211_discard_ie(struct ieee80211com *ic,
2952	const struct ieee80211_frame *wh,
2953	const char type, const* char *fmt, ...)
2954	{
2955	va_list ap;
2956	char ebuf[`3` * ETHER_ADDR_LEN];
2957
2958	printf("[%s:%s] discard ", ic->ic_ifp->if_xname,
2959	ether_snprintf(ebuf, sizeof(ebuf), ieee80211_getbssid(ic, wh)));
2960	if (type != NULL)
2961	printf("%s information element, ", type);
2962	else
2963	printf("information element, ");
2964	va_start(ap, fmt);
2965	vprintf(fmt, ap);
2966	va_end(ap);
2967	printf("\n");
2968	}
2969
2970	static void
2971	ieee80211_discard_mac(struct ieee80211com *ic,
2972	const u_int8_t mac[IEEE80211_ADDR_LEN],
2973	const char type, const* char *fmt, ...)
2974	{
2975	va_list ap;
2976	char ebuf[`3` * ETHER_ADDR_LEN];
2977
2978	printf("[%s:%s] discard ", ic->ic_ifp->if_xname,
2979	ether_snprintf(ebuf, sizeof(ebuf), mac));
2980	if (type != NULL)
2981	printf("%s frame, ", type);
2982	else
2983	printf("frame, ");
2984	va_start(ap, fmt);
2985	vprintf(fmt, ap);
2986	va_end(ap);
2987	printf("\n");
2988	}
2989	#endif /* IEEE80211_DEBUG */
2990

Browse the source code of src/src/sys/net80211/ieee80211_input.c