Index: sys/net80211/ieee80211_adhoc.c =================================================================== --- sys/net80211/ieee80211_adhoc.c (revision 307549) +++ sys/net80211/ieee80211_adhoc.c (working copy) @@ -416,8 +416,12 @@ goto err; } /* - * Fake up a node for this newly - * discovered member of the IBSS. + * Fake up a node for this newly discovered member + * of the IBSS. + * + * Note: This doesn't "upgrade" the node to 11n; + * that will happen after a probe request/response + * exchange. */ ni = ieee80211_fakeup_adhoc_node(vap, wh->i_addr2); if (ni == NULL) { @@ -761,6 +765,18 @@ ni = ieee80211_add_neighbor(vap, wh, &scan); else ni = NULL; + + /* + * Send a probe request so we announce 11n + * capabilities. + */ + ieee80211_send_probereq(ni, /* node */ + vap->iv_myaddr, /* SA */ + ni->ni_macaddr, /* DA */ + vap->iv_bss->ni_bssid, /* BSSID */ + vap->iv_bss->ni_essid, + vap->iv_bss->ni_esslen); /* SSID */ + } else if (ni->ni_capinfo == 0) { /* * Update faked node created on transmit. @@ -767,6 +783,17 @@ * Note this also updates the tsf. */ ieee80211_init_neighbor(ni, wh, &scan); + + /* + * Send a probe request so we announce 11n + * capabilities. + */ + ieee80211_send_probereq(ni, /* node */ + vap->iv_myaddr, /* SA */ + ni->ni_macaddr, /* DA */ + vap->iv_bss->ni_bssid, /* BSSID */ + vap->iv_bss->ni_essid, + vap->iv_bss->ni_esslen); /* SSID */ } else { /* * Record tsf for potential resync. @@ -877,6 +904,12 @@ */ ieee80211_send_proberesp(vap, wh->i_addr2, is11bclient(rates, xrates) ? IEEE80211_SEND_LEGACY_11B : 0); + + /* + * Note: we don't benefit from stashing the probe request + * IEs away to use for IBSS negotiation, because we + * typically don't get all of the IEs. + */ break; case IEEE80211_FC0_SUBTYPE_ACTION: Index: sys/net80211/ieee80211_crypto.h =================================================================== --- sys/net80211/ieee80211_crypto.h (revision 307549) +++ sys/net80211/ieee80211_crypto.h (working copy) @@ -73,19 +73,25 @@ struct ieee80211_key { uint8_t wk_keylen; /* key length in bytes */ - uint8_t wk_pad; - uint16_t wk_flags; -#define IEEE80211_KEY_XMIT 0x0001 /* key used for xmit */ -#define IEEE80211_KEY_RECV 0x0002 /* key used for recv */ -#define IEEE80211_KEY_GROUP 0x0004 /* key used for WPA group operation */ -#define IEEE80211_KEY_NOREPLAY 0x0008 /* ignore replay failures */ -#define IEEE80211_KEY_SWENCRYPT 0x0010 /* host-based encrypt */ -#define IEEE80211_KEY_SWDECRYPT 0x0020 /* host-based decrypt */ -#define IEEE80211_KEY_SWENMIC 0x0040 /* host-based enmic */ -#define IEEE80211_KEY_SWDEMIC 0x0080 /* host-based demic */ -#define IEEE80211_KEY_DEVKEY 0x0100 /* device key request completed */ -#define IEEE80211_KEY_CIPHER0 0x1000 /* cipher-specific action 0 */ -#define IEEE80211_KEY_CIPHER1 0x2000 /* cipher-specific action 1 */ + uint8_t wk_pad; /* .. some drivers use this. Fix that. */ + uint8_t wk_pad1[2]; + uint32_t wk_flags; +#define IEEE80211_KEY_XMIT 0x00000001 /* key used for xmit */ +#define IEEE80211_KEY_RECV 0x00000002 /* key used for recv */ +#define IEEE80211_KEY_GROUP 0x00000004 /* key used for WPA group operation */ +#define IEEE80211_KEY_NOREPLAY 0x00000008 /* ignore replay failures */ +#define IEEE80211_KEY_SWENCRYPT 0x00000010 /* host-based encrypt */ +#define IEEE80211_KEY_SWDECRYPT 0x00000020 /* host-based decrypt */ +#define IEEE80211_KEY_SWENMIC 0x00000040 /* host-based enmic */ +#define IEEE80211_KEY_SWDEMIC 0x00000080 /* host-based demic */ +#define IEEE80211_KEY_DEVKEY 0x00000100 /* device key request completed */ +#define IEEE80211_KEY_CIPHER0 0x00001000 /* cipher-specific action 0 */ +#define IEEE80211_KEY_CIPHER1 0x00002000 /* cipher-specific action 1 */ +#define IEEE80211_KEY_NOIV 0x00004000 /* don't insert IV/MIC for !mgmt */ +#define IEEE80211_KEY_NOIVMGT 0x00008000 /* don't insert IV/MIC for mgmt */ +#define IEEE80211_KEY_NOMIC 0x00010000 /* don't insert MIC for !mgmt */ +#define IEEE80211_KEY_NOMICMGT 0x00020000 /* don't insert MIC for mgmt */ + ieee80211_keyix wk_keyix; /* h/w key index */ ieee80211_keyix wk_rxkeyix; /* optional h/w rx key index */ uint8_t wk_key[IEEE80211_KEYBUF_SIZE+IEEE80211_MICBUF_SIZE]; Index: sys/net80211/ieee80211_crypto_ccmp.c =================================================================== --- sys/net80211/ieee80211_crypto_ccmp.c (revision 307549) +++ sys/net80211/ieee80211_crypto_ccmp.c (working copy) @@ -162,14 +162,29 @@ static int ccmp_encap(struct ieee80211_key *k, struct mbuf *m) { + const struct ieee80211_frame *wh; struct ccmp_ctx *ctx = k->wk_private; struct ieee80211com *ic = ctx->cc_ic; uint8_t *ivp; int hdrlen; + int is_mgmt; hdrlen = ieee80211_hdrspace(ic, mtod(m, void *)); + wh = mtod(m, const struct ieee80211_frame *); + is_mgmt = IEEE80211_IS_MGMT(wh); /* + * Check to see if we need to insert IV/MIC. + * + * Some offload devices don't require the IV to be inserted + * as part of the hardware encryption. + */ + if (is_mgmt && (k->wk_flags & IEEE80211_KEY_NOIVMGT)) + return 1; + if ((! is_mgmt) && (k->wk_flags & IEEE80211_KEY_NOIV)) + return 1; + + /* * Copy down 802.11 header and add the IV, KeyID, and ExtIV. */ M_PREPEND(m, ccmp.ic_header, M_NOWAIT); @@ -217,6 +232,7 @@ static int ccmp_decap(struct ieee80211_key *k, struct mbuf *m, int hdrlen) { + const struct ieee80211_rx_stats *rxs; struct ccmp_ctx *ctx = k->wk_private; struct ieee80211vap *vap = ctx->cc_vap; struct ieee80211_frame *wh; @@ -223,6 +239,11 @@ uint8_t *ivp, tid; uint64_t pn; + rxs = ieee80211_get_rx_params_ptr(m); + + if ((rxs != NULL) & (rxs->c_pktflags & IEEE80211_RX_F_IV_STRIP)) + goto finish; + /* * Header should have extended IV and sequence number; * verify the former and validate the latter. @@ -261,17 +282,28 @@ !ccmp_decrypt(k, pn, m, hdrlen)) return 0; +finish: /* * Copy up 802.11 header and strip crypto bits. */ - ovbcopy(mtod(m, void *), mtod(m, uint8_t *) + ccmp.ic_header, hdrlen); - m_adj(m, ccmp.ic_header); - m_adj(m, -ccmp.ic_trailer); + if (! ((rxs != NULL) & (rxs->c_pktflags & IEEE80211_RX_F_IV_STRIP))) { + ovbcopy(mtod(m, void *), mtod(m, uint8_t *) + ccmp.ic_header, + hdrlen); + m_adj(m, ccmp.ic_header); + } /* + * XXX TODO: see if MMIC_STRIP also covers CCMP MIC trailer. + */ + if (! ((rxs != NULL) & (rxs->c_pktflags & IEEE80211_RX_F_MMIC_STRIP))) + m_adj(m, -ccmp.ic_trailer); + + /* * Ok to update rsc now. */ - k->wk_keyrsc[tid] = pn; + if (! ((rxs != NULL) & (rxs->c_pktflags & IEEE80211_RX_F_IV_STRIP))) { + k->wk_keyrsc[tid] = pn; + } return 1; } Index: sys/net80211/ieee80211_crypto_tkip.c =================================================================== --- sys/net80211/ieee80211_crypto_tkip.c (revision 307549) +++ sys/net80211/ieee80211_crypto_tkip.c (working copy) @@ -177,9 +177,14 @@ struct tkip_ctx *ctx = k->wk_private; struct ieee80211vap *vap = ctx->tc_vap; struct ieee80211com *ic = vap->iv_ic; + struct ieee80211_frame *wh; uint8_t *ivp; int hdrlen; + int is_mgmt; + wh = mtod(m, struct ieee80211_frame *); + is_mgmt = IEEE80211_IS_MGMT(wh); + /* * Handle TKIP counter measures requirement. */ @@ -193,6 +198,16 @@ vap->iv_stats.is_crypto_tkipcm++; return 0; } + + /* + * Check to see whether IV needs to be included. + */ + if (is_mgmt && (k->wk_flags & IEEE80211_KEY_NOIVMGT)) + return 1; + if ((! is_mgmt) && (k->wk_flags & IEEE80211_KEY_NOIV)) + return 1; + + hdrlen = ieee80211_hdrspace(ic, mtod(m, void *)); /* @@ -224,7 +239,20 @@ tkip_enmic(struct ieee80211_key *k, struct mbuf *m, int force) { struct tkip_ctx *ctx = k->wk_private; + struct ieee80211_frame *wh; + int is_mgmt; + wh = mtod(m, struct ieee80211_frame *); + is_mgmt = IEEE80211_IS_MGMT(wh); + + /* + * Check to see whether MIC needs to be included. + */ + if (is_mgmt && (k->wk_flags & IEEE80211_KEY_NOMICMGT)) + return 1; + if ((! is_mgmt) && (k->wk_flags & IEEE80211_KEY_NOMIC)) + return 1; + if (force || (k->wk_flags & IEEE80211_KEY_SWENMIC)) { struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *); struct ieee80211vap *vap = ctx->tc_vap; @@ -259,12 +287,21 @@ static int tkip_decap(struct ieee80211_key *k, struct mbuf *m, int hdrlen) { + const struct ieee80211_rx_stats *rxs; struct tkip_ctx *ctx = k->wk_private; struct ieee80211vap *vap = ctx->tc_vap; struct ieee80211_frame *wh; uint8_t *ivp, tid; + rxs = ieee80211_get_rx_params_ptr(m); + /* + * If IV has been stripped, we skip most of the below. + */ + if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_IV_STRIP)) + goto finish; + + /* * Header should have extended IV and sequence number; * verify the former and validate the latter. */ @@ -318,11 +355,22 @@ !tkip_decrypt(ctx, k, m, hdrlen)) return 0; +finish: + /* - * Copy up 802.11 header and strip crypto bits. + * Copy up 802.11 header and strip crypto bits - but only if we + * are required to. */ - memmove(mtod(m, uint8_t *) + tkip.ic_header, mtod(m, void *), hdrlen); - m_adj(m, tkip.ic_header); + if (! ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_IV_STRIP))) { + memmove(mtod(m, uint8_t *) + tkip.ic_header, mtod(m, void *), + hdrlen); + m_adj(m, tkip.ic_header); + } + + /* + * XXX TODO: do we need an option to potentially not strip the + * WEP trailer? Does "MMIC_STRIP" also mean this? Or? + */ m_adj(m, -tkip.ic_trailer); return 1; @@ -334,10 +382,32 @@ static int tkip_demic(struct ieee80211_key *k, struct mbuf *m, int force) { + const struct ieee80211_rx_stats *rxs; struct tkip_ctx *ctx = k->wk_private; struct ieee80211_frame *wh; uint8_t tid; + rxs = ieee80211_get_rx_params_ptr(m); + + /* + * If we are told about a MIC failure from the driver, + * directly notify as a michael failure to the upper + * layers. + */ + if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_FAIL_MIC)) { + struct ieee80211vap *vap = ctx->tc_vap; + ieee80211_notify_michael_failure(vap, wh, + k->wk_rxkeyix != IEEE80211_KEYIX_NONE ? + k->wk_rxkeyix : k->wk_keyix); + return 0; + } + + /* + * If IV has been stripped, we skip most of the below. + */ + if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_MMIC_STRIP)) + goto finish; + wh = mtod(m, struct ieee80211_frame *); if ((k->wk_flags & IEEE80211_KEY_SWDEMIC) || force) { struct ieee80211vap *vap = ctx->tc_vap; @@ -371,6 +441,7 @@ tid = ieee80211_gettid(wh); k->wk_keyrsc[tid] = ctx->rx_rsc; +finish: return 1; } Index: sys/net80211/ieee80211_node.c =================================================================== --- sys/net80211/ieee80211_node.c (revision 307549) +++ sys/net80211/ieee80211_node.c (working copy) @@ -324,10 +324,11 @@ struct ieee80211_node *ni; IEEE80211_DPRINTF(vap, IEEE80211_MSG_SCAN, - "%s: creating %s on channel %u%c\n", __func__, + "%s: creating %s on channel %u%c flags 0x%08x\n", __func__, ieee80211_opmode_name[vap->iv_opmode], ieee80211_chan2ieee(ic, chan), - ieee80211_channel_type_char(chan)); + ieee80211_channel_type_char(chan), + chan->ic_flags); ni = ieee80211_alloc_node(&ic->ic_sta, vap, vap->iv_myaddr); if (ni == NULL) { @@ -408,6 +409,14 @@ } } + /* XXX TODO: other bits and pieces - eg fast-frames? */ + + /* If we're an 11n channel then initialise the 11n bits */ + if (IEEE80211_IS_CHAN_HT(ni->ni_chan)) { + /* XXX what else? */ + ieee80211_ht_node_init(ni); + } + (void) ieee80211_sta_join1(ieee80211_ref_node(ni)); } @@ -1549,6 +1558,9 @@ * so we can do interesting things (e.g. use * WME to disable ACK's). */ + /* + * XXX TODO: 11n? + */ if (vap->iv_flags & IEEE80211_F_WME) ni->ni_flags |= IEEE80211_NODE_QOS; #ifdef IEEE80211_SUPPORT_SUPERG @@ -1558,8 +1570,44 @@ } ieee80211_node_setuptxparms(ni); ieee80211_ratectl_node_init(ni); + + /* + * XXX TODO: 11n? At least 20MHz, at least A-MPDU RX, + * not A-MPDU TX; not 11n rates, etc. We'll cycle + * that after we hear that we can indeed do 11n + * (either by a beacon frame or by a probe response.) + */ + + /* + * This is the first time we see the node. + */ if (ic->ic_newassoc != NULL) ic->ic_newassoc(ni, 1); + + /* + * Kick off a probe request to the given node; + * we will then use the probe response to update + * 11n/etc configuration state. + * + * XXX TODO: this isn't guaranteed, and until we get + * a probe response, we won't be able to actually + * do anything 802.11n related to the node. + * So if this does indeed work, maybe we should hold + * off on sending responses until we get the probe + * response, or just default to some sensible subset + * of 802.11n behaviour (eg always allow aggregation + * negotiation TO us, but not FROM us, etc) so we + * aren't entirely busted. + */ + if (vap->iv_opmode == IEEE80211_M_IBSS) { + ieee80211_send_probereq(ni, /* node */ + vap->iv_myaddr, /* SA */ + ni->ni_macaddr, /* DA */ + vap->iv_bss->ni_bssid, /* BSSID */ + vap->iv_bss->ni_essid, + vap->iv_bss->ni_esslen); /* SSID */ + } + /* XXX not right for 802.1x/WPA */ ieee80211_node_authorize(ni); } @@ -1632,6 +1680,21 @@ ni->ni_ies.htinfo_ie); ieee80211_node_setuptxparms(ni); ieee80211_ratectl_node_init(ni); + + /* Reassociate; we're now 11n */ + /* + * XXX TODO: this is the wrong thing to do - + * we're calling it with isnew=1 so the ath(4) + * driver reinitialises the rate tables. + * This "mostly" works for ath(4), but it won't + * be right for firmware devices which allocate + * node states. + * + * So, do we just create a new node and delete + * the old one? Or? + */ + if (ni->ni_ic->ic_newassoc) + ni->ni_ic->ic_newassoc(ni, 1); } } @@ -1809,6 +1872,10 @@ * caller to be consistent with * ieee80211_find_node_locked. */ + /* + * XXX TODO: this doesn't fake up 11n state; we need + * to find another way to get it upgraded. + */ ni = ieee80211_fakeup_adhoc_node(vap, macaddr); if (ni != NULL) (void) ieee80211_ref_node(ni); Index: sys/net80211/ieee80211_output.c =================================================================== --- sys/net80211/ieee80211_output.c (revision 307549) +++ sys/net80211/ieee80211_output.c (working copy) @@ -2074,6 +2074,7 @@ { struct ieee80211vap *vap = ni->ni_vap; struct ieee80211com *ic = ni->ni_ic; + struct ieee80211_node *bss; const struct ieee80211_txparam *tp; struct ieee80211_bpf_params params; const struct ieee80211_rateset *rs; @@ -2081,10 +2082,13 @@ uint8_t *frm; int ret; + bss = ieee80211_ref_node(vap->iv_bss); + if (vap->iv_state == IEEE80211_S_CAC) { IEEE80211_NOTE(vap, IEEE80211_MSG_OUTPUT, ni, "block %s frame in CAC state", "probe request"); vap->iv_stats.is_tx_badstate++; + ieee80211_free_node(bss); return EIO; /* XXX */ } @@ -2106,6 +2110,7 @@ * [tlv] supported rates * [tlv] RSN (optional) * [tlv] extended supported rates + * [tlv] HT cap (optional) * [tlv] WPA (optional) * [tlv] user-specified ie's */ @@ -2113,6 +2118,8 @@ ic->ic_headroom + sizeof(struct ieee80211_frame), 2 + IEEE80211_NWID_LEN + 2 + IEEE80211_RATE_SIZE + + sizeof(struct ieee80211_ie_htcap) + + sizeof(struct ieee80211_ie_htinfo) + sizeof(struct ieee80211_ie_wpa) + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE) + sizeof(struct ieee80211_ie_wpa) @@ -2122,6 +2129,7 @@ if (m == NULL) { vap->iv_stats.is_tx_nobuf++; ieee80211_free_node(ni); + ieee80211_free_node(bss); return ENOMEM; } @@ -2130,6 +2138,27 @@ frm = ieee80211_add_rates(frm, rs); frm = ieee80211_add_rsn(frm, vap); frm = ieee80211_add_xrates(frm, rs); + + /* + * Note: we can't use bss; we don't have one yet. + * + * So, we should announce our capabilities + * in this channel mode (2g/5g), not the + * channel details itself. + */ + if ((vap->iv_opmode == IEEE80211_M_IBSS) && + (vap->iv_flags_ht & IEEE80211_FHT_HT)) { + struct ieee80211_channel *c; + + /* + * Get the HT channel that we should try upgrading to. + * If we can do 40MHz then this'll upgrade it appropriately. + */ + c = ieee80211_ht_adjust_channel(ic, ic->ic_curchan, + vap->iv_flags_ht); + frm = ieee80211_add_htcap_ch(frm, vap, c); + } + frm = ieee80211_add_wpa(frm, vap); if (vap->iv_appie_probereq != NULL) frm = add_appie(frm, vap->iv_appie_probereq); @@ -2141,6 +2170,7 @@ if (m == NULL) { /* NB: cannot happen */ ieee80211_free_node(ni); + ieee80211_free_node(bss); return ENOMEM; } @@ -2157,8 +2187,11 @@ IEEE80211_NODE_STAT(ni, tx_mgmt); IEEE80211_DPRINTF(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_DUMPPKTS, - "send probe req on channel %u bssid %s ssid \"%.*s\"\n", - ieee80211_chan2ieee(ic, ic->ic_curchan), ether_sprintf(bssid), + "send probe req on channel %u bssid %s sa %6D da %6D ssid \"%.*s\"\n", + ieee80211_chan2ieee(ic, ic->ic_curchan), + ether_sprintf(bssid), + sa, ":", + da, ":", ssidlen, ssid); memset(¶ms, 0, sizeof(params)); @@ -2173,6 +2206,7 @@ params.ibp_power = ni->ni_txpower; ret = ieee80211_raw_output(vap, ni, m, ¶ms); IEEE80211_TX_UNLOCK(ic); + ieee80211_free_node(bss); return (ret); } Index: sys/net80211/ieee80211_sta.c =================================================================== --- sys/net80211/ieee80211_sta.c (revision 307549) +++ sys/net80211/ieee80211_sta.c (working copy) @@ -546,7 +546,16 @@ int hdrspace, need_tap = 1; /* mbuf need to be tapped. */ uint8_t dir, type, subtype, qos; uint8_t *bssid; + int is_hw_decrypted = 0; + /* + * Some devices do hardware decryption all the way through + * to pretending the frame wasn't encrypted in the first place. + * So, tag it appropriately so it isn't discarded inappropriately. + */ + if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_DECRYPTED)) + is_hw_decrypted = 1; + if (m->m_flags & M_AMPDU_MPDU) { /* * Fastpath for A-MPDU reorder q resubmission. Frames @@ -724,6 +733,21 @@ } /* + * Handle privacy requirements for hardware decryption + * devices. + * + * For those devices, a handful of things happen. + * + * + If IV has been stripped, then we can't run + * ieee80211_crypto_decap() - none of the key + * + If MIC has been stripped, we can't validate + * MIC here. + * + If MIC fails, then we need to communicate a + * MIC failure up to the stack - but we don't know + * which key was used. + */ + + /* * Handle privacy requirements. Note that we * must not be preempted from here until after * we (potentially) call ieee80211_crypto_demic; @@ -731,6 +755,7 @@ * crypto cipher modules used to do delayed update * of replay sequence numbers. */ + /* XXX is_hw_decrypted here too? */ if (wh->i_fc[1] & IEEE80211_FC1_PROTECTED) { if ((vap->iv_flags & IEEE80211_F_PRIVACY) == 0) { /* @@ -742,6 +767,16 @@ IEEE80211_NODE_STAT(ni, rx_noprivacy); goto out; } + /* + * If we're doing hardware decryption where the + * IV/MIC/etc is stripped, then calling this + * routine will fail - it won't find what it + * needs. + * + * So, we should find an alternate way to drive + * decap and get told if the received frame failed + * it somehow - but also have 'key' be NULL. + */ key = ieee80211_crypto_decap(ni, m, hdrspace); if (key == NULL) { /* NB: stats+msgs handled in crypto_decap */ @@ -779,6 +814,16 @@ /* * Next strip any MSDU crypto bits. + * + * Note: we can't do MIC stripping/verification if the + * upper layer has stripped it. We have to check MIC + * ourselves. + * + * So, let's change the API to allow a NULL key to be + * passed in, and let this routine check the RX MIX failure + * flag + do notifications. No, it won't know the key, + * but the upper layers will still get notified. + * (Linux mac80211 passes up a keyidx=-1 in this instance.) */ if (key != NULL && !ieee80211_crypto_demic(vap, key, m, 0)) { IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, @@ -835,6 +880,7 @@ */ if ((vap->iv_flags & IEEE80211_F_DROPUNENC) && (key == NULL && (m->m_flags & M_WEP) == 0) && + (is_hw_decrypted == 0) && eh->ether_type != htons(ETHERTYPE_PAE)) { /* * Drop unencrypted frames. @@ -883,6 +929,16 @@ ether_sprintf(wh->i_addr2), rssi); } #endif + + /* + * Note: See above for hardware offload privacy requirements. + * It also applies here. + */ + + /* + * Again, having encrypted flag set check would be good, but + * then we have to also handle crypto_decap() like above. + */ if (wh->i_fc[1] & IEEE80211_FC1_PROTECTED) { if (subtype != IEEE80211_FC0_SUBTYPE_AUTH) { /* @@ -905,6 +961,11 @@ goto out; } hdrspace = ieee80211_hdrspace(ic, wh); + + /* + * Again, if IV/MIC was stripped, then this whole + * setup will fail. That's going to need some poking. + */ key = ieee80211_crypto_decap(ni, m, hdrspace); if (key == NULL) { /* NB: stats+msgs handled in crypto_decap */