xref: /freebsd/sys/net80211/ieee80211_ioctl.c (revision 801df4a58c3ab31599013059803afcab5fad37cf)

/*-
 * Copyright (c) 2001 Atsushi Onoe
 * Copyright (c) 2002-2005 Sam Leffler, Errno Consulting
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. The name of the author may not be used to endorse or promote products
 *    derived from this software without specific prior written permission.
 *
 * Alternatively, this software may be distributed under the terms of the
 * GNU General Public License ("GPL") version 2 as published by the Free
 * Software Foundation.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");

#include "opt_compat.h"

/*
 * IEEE 802.11 ioctl support (FreeBSD-specific)
 */

#include "opt_inet.h"
#include "opt_ipx.h"

#include <sys/endian.h>
#include <sys/param.h>
#include <sys/kernel.h>
#include <sys/priv.h>
#include <sys/socket.h>
#include <sys/sockio.h>
#include <sys/systm.h>

#include <net/if.h>
#include <net/if_dl.h>
#include <net/if_media.h>
#include <net/ethernet.h>

#ifdef INET
#include <netinet/in.h>
#include <netinet/if_ether.h>
#endif

#ifdef IPX
#include <netipx/ipx.h>
#include <netipx/ipx_if.h>
#endif

#include <net80211/ieee80211_var.h>
#include <net80211/ieee80211_ioctl.h>

#include <dev/wi/if_wavelan_ieee.h>

#define	IS_UP(_ic) \
	(((_ic)->ic_ifp->if_flags & IFF_UP) &&			\
	    ((_ic)->ic_ifp->if_drv_flags & IFF_DRV_RUNNING))
#define	IS_UP_AUTO(_ic) \
	(IS_UP(_ic) && (_ic)->ic_roaming == IEEE80211_ROAMING_AUTO)

/*
 * XXX
 * Wireless LAN specific configuration interface, which is compatible
 * with wicontrol(8).
 */

struct wi_read_ap_args {
	int	i;		/* result count */
	struct wi_apinfo *ap;	/* current entry in result buffer */
	caddr_t	max;		/* result buffer bound */
};

static void
wi_read_ap_result(void *arg, struct ieee80211_node *ni)
{
	struct ieee80211com *ic = ni->ni_ic;
	struct wi_read_ap_args *sa = arg;
	struct wi_apinfo *ap = sa->ap;
	struct ieee80211_rateset *rs;
	int j;

	if ((caddr_t)(ap + 1) > sa->max)
		return;
	memset(ap, 0, sizeof(struct wi_apinfo));
	if (ic->ic_opmode == IEEE80211_M_HOSTAP) {
		IEEE80211_ADDR_COPY(ap->bssid, ni->ni_macaddr);
		ap->namelen = ic->ic_des_esslen;
		if (ic->ic_des_esslen)
			memcpy(ap->name, ic->ic_des_essid,
			    ic->ic_des_esslen);
	} else {
		IEEE80211_ADDR_COPY(ap->bssid, ni->ni_bssid);
		ap->namelen = ni->ni_esslen;
		if (ni->ni_esslen)
			memcpy(ap->name, ni->ni_essid,
			    ni->ni_esslen);
	}
	ap->channel = ieee80211_chan2ieee(ic, ni->ni_chan);
	ap->signal = ic->ic_node_getrssi(ni);
	ap->capinfo = ni->ni_capinfo;
	ap->interval = ni->ni_intval;
	rs = &ni->ni_rates;
	for (j = 0; j < rs->rs_nrates; j++) {
		if (rs->rs_rates[j] & IEEE80211_RATE_BASIC) {
			ap->rate = (rs->rs_rates[j] &
			    IEEE80211_RATE_VAL) * 5; /* XXX */
		}
	}
	sa->i++;
	sa->ap++;
}

struct wi_read_prism2_args {
	int	i;		/* result count */
	struct wi_scan_res *res;/* current entry in result buffer */
	caddr_t	max;		/* result buffer bound */
};

static void
wi_read_prism2_result(void *arg, struct ieee80211_node *ni)
{
	struct ieee80211com *ic = ni->ni_ic;
	struct wi_read_prism2_args *sa = arg;
	struct wi_scan_res *res = sa->res;

	if ((caddr_t)(res + 1) > sa->max)
		return;
	res->wi_chan = ieee80211_chan2ieee(ic, ni->ni_chan);
	res->wi_noise = 0;
	res->wi_signal = ic->ic_node_getrssi(ni);
	IEEE80211_ADDR_COPY(res->wi_bssid, ni->ni_bssid);
	res->wi_interval = ni->ni_intval;
	res->wi_capinfo = ni->ni_capinfo;
	res->wi_ssid_len = ni->ni_esslen;
	memcpy(res->wi_ssid, ni->ni_essid, IEEE80211_NWID_LEN);
	/* NB: assumes wi_srates holds <= ni->ni_rates */
	memcpy(res->wi_srates, ni->ni_rates.rs_rates,
		sizeof(res->wi_srates));
	if (ni->ni_rates.rs_nrates < 10)
		res->wi_srates[ni->ni_rates.rs_nrates] = 0;
	res->wi_rate = ni->ni_rates.rs_rates[ni->ni_txrate];
	res->wi_rsvd = 0;

	sa->i++;
	sa->res++;
}

struct wi_read_sigcache_args {
	int	i;		/* result count */
	struct wi_sigcache *wsc;/* current entry in result buffer */
	caddr_t	max;		/* result buffer bound */
};

static void
wi_read_sigcache(void *arg, struct ieee80211_node *ni)
{
	struct ieee80211com *ic = ni->ni_ic;
	struct wi_read_sigcache_args *sa = arg;
	struct wi_sigcache *wsc = sa->wsc;

	if ((caddr_t)(wsc + 1) > sa->max)
		return;
	memset(wsc, 0, sizeof(struct wi_sigcache));
	IEEE80211_ADDR_COPY(wsc->macsrc, ni->ni_macaddr);
	wsc->signal = ic->ic_node_getrssi(ni);

	sa->wsc++;
	sa->i++;
}

int
ieee80211_cfgget(struct ieee80211com *ic, u_long cmd, caddr_t data)
{
	struct ifnet *ifp = ic->ic_ifp;
	int i, j, error;
	struct ifreq *ifr = (struct ifreq *)data;
	struct wi_req wreq;
	struct wi_ltv_keys *keys;

	error = copyin(ifr->ifr_data, &wreq, sizeof(wreq));
	if (error)
		return error;
	wreq.wi_len = 0;
	switch (wreq.wi_type) {
	case WI_RID_SERIALNO:
		/* nothing appropriate */
		break;
	case WI_RID_NODENAME:
		strcpy((char *)&wreq.wi_val[1], hostname);
		wreq.wi_val[0] = htole16(strlen(hostname));
		wreq.wi_len = (1 + strlen(hostname) + 1) / 2;
		break;
	case WI_RID_CURRENT_SSID:
		if (ic->ic_state != IEEE80211_S_RUN) {
			wreq.wi_val[0] = 0;
			wreq.wi_len = 1;
			break;
		}
		wreq.wi_val[0] = htole16(ic->ic_bss->ni_esslen);
		memcpy(&wreq.wi_val[1], ic->ic_bss->ni_essid,
		    ic->ic_bss->ni_esslen);
		wreq.wi_len = (1 + ic->ic_bss->ni_esslen + 1) / 2;
		break;
	case WI_RID_OWN_SSID:
	case WI_RID_DESIRED_SSID:
		wreq.wi_val[0] = htole16(ic->ic_des_esslen);
		memcpy(&wreq.wi_val[1], ic->ic_des_essid, ic->ic_des_esslen);
		wreq.wi_len = (1 + ic->ic_des_esslen + 1) / 2;
		break;
	case WI_RID_CURRENT_BSSID:
		if (ic->ic_state == IEEE80211_S_RUN)
			IEEE80211_ADDR_COPY(wreq.wi_val, ic->ic_bss->ni_bssid);
		else
			memset(wreq.wi_val, 0, IEEE80211_ADDR_LEN);
		wreq.wi_len = IEEE80211_ADDR_LEN / 2;
		break;
	case WI_RID_CHANNEL_LIST:
		memset(wreq.wi_val, 0, sizeof(wreq.wi_val));
		/*
		 * Since channel 0 is not available for DS, channel 1
		 * is assigned to LSB on WaveLAN.
		 */
		if (ic->ic_phytype == IEEE80211_T_DS)
			i = 1;
		else
			i = 0;
		for (j = 0; i <= IEEE80211_CHAN_MAX; i++, j++)
			if (isset(ic->ic_chan_active, i)) {
				setbit((u_int8_t *)wreq.wi_val, j);
				wreq.wi_len = j / 16 + 1;
			}
		break;
	case WI_RID_OWN_CHNL:
		wreq.wi_val[0] = htole16(
			ieee80211_chan2ieee(ic, ic->ic_ibss_chan));
		wreq.wi_len = 1;
		break;
	case WI_RID_CURRENT_CHAN:
		wreq.wi_val[0] = htole16(
			ieee80211_chan2ieee(ic, ic->ic_curchan));
		wreq.wi_len = 1;
		break;
	case WI_RID_COMMS_QUALITY:
		wreq.wi_val[0] = 0;				/* quality */
		wreq.wi_val[1] = htole16(ic->ic_node_getrssi(ic->ic_bss));
		wreq.wi_val[2] = 0;				/* noise */
		wreq.wi_len = 3;
		break;
	case WI_RID_PROMISC:
		wreq.wi_val[0] = htole16((ifp->if_flags & IFF_PROMISC) ? 1 : 0);
		wreq.wi_len = 1;
		break;
	case WI_RID_PORTTYPE:
		wreq.wi_val[0] = htole16(ic->ic_opmode);
		wreq.wi_len = 1;
		break;
	case WI_RID_MAC_NODE:
		IEEE80211_ADDR_COPY(wreq.wi_val, ic->ic_myaddr);
		wreq.wi_len = IEEE80211_ADDR_LEN / 2;
		break;
	case WI_RID_TX_RATE:
		if (ic->ic_fixed_rate == IEEE80211_FIXED_RATE_NONE)
			wreq.wi_val[0] = 0;	/* auto */
		else
			wreq.wi_val[0] = htole16(
			    (ic->ic_sup_rates[ic->ic_curmode].rs_rates[ic->ic_fixed_rate] &
			    IEEE80211_RATE_VAL) / 2);
		wreq.wi_len = 1;
		break;
	case WI_RID_CUR_TX_RATE:
		wreq.wi_val[0] = htole16(
		    (ic->ic_bss->ni_rates.rs_rates[ic->ic_bss->ni_txrate] &
		    IEEE80211_RATE_VAL) / 2);
		wreq.wi_len = 1;
		break;
	case WI_RID_RTS_THRESH:
		wreq.wi_val[0] = htole16(ic->ic_rtsthreshold);
		wreq.wi_len = 1;
		break;
	case WI_RID_CREATE_IBSS:
		wreq.wi_val[0] =
		    htole16((ic->ic_flags & IEEE80211_F_IBSSON) ? 1 : 0);
		wreq.wi_len = 1;
		break;
	case WI_RID_MICROWAVE_OVEN:
		wreq.wi_val[0] = 0;	/* no ... not supported */
		wreq.wi_len = 1;
		break;
	case WI_RID_ROAMING_MODE:
		wreq.wi_val[0] = htole16(ic->ic_roaming);	/* XXX map */
		wreq.wi_len = 1;
		break;
	case WI_RID_SYSTEM_SCALE:
		wreq.wi_val[0] = htole16(1);	/* low density ... not supp */
		wreq.wi_len = 1;
		break;
	case WI_RID_PM_ENABLED:
		wreq.wi_val[0] =
		    htole16((ic->ic_flags & IEEE80211_F_PMGTON) ? 1 : 0);
		wreq.wi_len = 1;
		break;
	case WI_RID_MAX_SLEEP:
		wreq.wi_val[0] = htole16(ic->ic_lintval);
		wreq.wi_len = 1;
		break;
	case WI_RID_CUR_BEACON_INT:
		wreq.wi_val[0] = htole16(ic->ic_bss->ni_intval);
		wreq.wi_len = 1;
		break;
	case WI_RID_WEP_AVAIL:
		wreq.wi_val[0] = htole16(1);	/* always available */
		wreq.wi_len = 1;
		break;
	case WI_RID_CNFAUTHMODE:
		wreq.wi_val[0] = htole16(1);	/* TODO: open system only */
		wreq.wi_len = 1;
		break;
	case WI_RID_ENCRYPTION:
		wreq.wi_val[0] =
		    htole16((ic->ic_flags & IEEE80211_F_PRIVACY) ? 1 : 0);
		wreq.wi_len = 1;
		break;
	case WI_RID_TX_CRYPT_KEY:
		wreq.wi_val[0] = htole16(ic->ic_def_txkey);
		wreq.wi_len = 1;
		break;
	case WI_RID_DEFLT_CRYPT_KEYS:
		keys = (struct wi_ltv_keys *)&wreq;
		/* do not show keys to non-root user */
		error = priv_check(curthread, PRIV_NET80211_GETKEY);
		if (error) {
			memset(keys, 0, sizeof(*keys));
			error = 0;
			break;
		}
		for (i = 0; i < IEEE80211_WEP_NKID; i++) {
			keys->wi_keys[i].wi_keylen =
			    htole16(ic->ic_nw_keys[i].wk_keylen);
			memcpy(keys->wi_keys[i].wi_keydat,
			    ic->ic_nw_keys[i].wk_key,
			    ic->ic_nw_keys[i].wk_keylen);
		}
		wreq.wi_len = sizeof(*keys) / 2;
		break;
	case WI_RID_MAX_DATALEN:
		wreq.wi_val[0] = htole16(ic->ic_fragthreshold);
		wreq.wi_len = 1;
		break;
	case WI_RID_IFACE_STATS:
		/* XXX: should be implemented in lower drivers */
		break;
	case WI_RID_READ_APS:
		/*
		 * Don't return results until active scan completes.
		 */
		if ((ic->ic_flags & (IEEE80211_F_SCAN|IEEE80211_F_ASCAN)) == 0) {
			struct wi_read_ap_args args;

			args.i = 0;
			args.ap = (void *)((char *)wreq.wi_val + sizeof(i));
			args.max = (void *)(&wreq + 1);
			ieee80211_iterate_nodes(&ic->ic_scan,
				wi_read_ap_result, &args);
			memcpy(wreq.wi_val, &args.i, sizeof(args.i));
			wreq.wi_len = (sizeof(int) +
				sizeof(struct wi_apinfo) * args.i) / 2;
		} else
			error = EINPROGRESS;
		break;
	case WI_RID_PRISM2:
		/* NB: we lie so WI_RID_SCAN_RES can include rates */
		wreq.wi_val[0] = 1;
		wreq.wi_len = sizeof(u_int16_t) / 2;
		break;
	case WI_RID_SCAN_RES:			/* compatibility interface */
		if ((ic->ic_flags & (IEEE80211_F_SCAN|IEEE80211_F_ASCAN)) == 0) {
			struct wi_read_prism2_args args;
			struct wi_scan_p2_hdr *p2;

			/* NB: use Prism2 format so we can include rate info */
			p2 = (struct wi_scan_p2_hdr *)wreq.wi_val;
			args.i = 0;
			args.res = (void *)&p2[1];
			args.max = (void *)(&wreq + 1);
			ieee80211_iterate_nodes(&ic->ic_scan,
				wi_read_prism2_result, &args);
			p2->wi_rsvd = 0;
			p2->wi_reason = args.i;
			wreq.wi_len = (sizeof(*p2) +
				sizeof(struct wi_scan_res) * args.i) / 2;
		} else
			error = EINPROGRESS;
		break;
	case WI_RID_READ_CACHE: {
		struct wi_read_sigcache_args args;
		args.i = 0;
		args.wsc = (struct wi_sigcache *) wreq.wi_val;
		args.max = (void *)(&wreq + 1);
		ieee80211_iterate_nodes(&ic->ic_scan, wi_read_sigcache, &args);
		wreq.wi_len = sizeof(struct wi_sigcache) * args.i / 2;
		break;
	}
	default:
		error = EINVAL;
		break;
	}
	if (error == 0) {
		wreq.wi_len++;
		error = copyout(&wreq, ifr->ifr_data, sizeof(wreq));
	}
	return error;
}

static int
findrate(struct ieee80211com *ic, enum ieee80211_phymode mode, int rate)
{
#define	IEEERATE(_ic,_m,_i) \
	((_ic)->ic_sup_rates[_m].rs_rates[_i] & IEEE80211_RATE_VAL)
	int i, nrates = ic->ic_sup_rates[mode].rs_nrates;
	for (i = 0; i < nrates; i++)
		if (IEEERATE(ic, mode, i) == rate)
			return i;
	return -1;
#undef IEEERATE
}

/*
 * Prepare to do a user-initiated scan for AP's.  If no
 * current/default channel is setup or the current channel
 * is invalid then pick the first available channel from
 * the active list as the place to start the scan.
 */
static int
ieee80211_setupscan(struct ieee80211com *ic, const u_int8_t chanlist[])
{

	/*
	 * XXX don't permit a scan to be started unless we
	 * know the device is ready.  For the moment this means
	 * the device is marked up as this is the required to
	 * initialize the hardware.  It would be better to permit
	 * scanning prior to being up but that'll require some
	 * changes to the infrastructure.
	 */
	if (!IS_UP(ic))
		return EINVAL;
	memcpy(ic->ic_chan_active, chanlist, sizeof(ic->ic_chan_active));
	/*
	 * We force the state to INIT before calling ieee80211_new_state
	 * to get ieee80211_begin_scan called.  We really want to scan w/o
	 * altering the current state but that's not possible right now.
	 */
	/* XXX handle proberequest case */
	ic->ic_state = IEEE80211_S_INIT;	/* XXX bypass state machine */
	return 0;
}

int
ieee80211_cfgset(struct ieee80211com *ic, u_long cmd, caddr_t data)
{
	struct ifnet *ifp = ic->ic_ifp;
	int i, j, len, error, rate;
	struct ifreq *ifr = (struct ifreq *)data;
	struct wi_ltv_keys *keys;
	struct wi_req wreq;
	u_char chanlist[roundup(IEEE80211_CHAN_MAX, NBBY)];

	error = copyin(ifr->ifr_data, &wreq, sizeof(wreq));
	if (error)
		return error;
	len = wreq.wi_len ? (wreq.wi_len - 1) * 2 : 0;
	switch (wreq.wi_type) {
	case WI_RID_SERIALNO:
	case WI_RID_NODENAME:
		return EPERM;
	case WI_RID_CURRENT_SSID:
		return EPERM;
	case WI_RID_OWN_SSID:
	case WI_RID_DESIRED_SSID:
		if (le16toh(wreq.wi_val[0]) * 2 > len ||
		    le16toh(wreq.wi_val[0]) > IEEE80211_NWID_LEN) {
			error = ENOSPC;
			break;
		}
		memset(ic->ic_des_essid, 0, sizeof(ic->ic_des_essid));
		ic->ic_des_esslen = le16toh(wreq.wi_val[0]) * 2;
		memcpy(ic->ic_des_essid, &wreq.wi_val[1], ic->ic_des_esslen);
		error = ENETRESET;
		break;
	case WI_RID_CURRENT_BSSID:
		return EPERM;
	case WI_RID_OWN_CHNL:
		if (len != 2)
			return EINVAL;
		i = le16toh(wreq.wi_val[0]);
		if (i < 0 ||
		    i > IEEE80211_CHAN_MAX ||
		    isclr(ic->ic_chan_active, i))
			return EINVAL;
		ic->ic_ibss_chan = &ic->ic_channels[i];
		if (ic->ic_opmode == IEEE80211_M_MONITOR)
			error = IS_UP(ic) ? ic->ic_reset(ic->ic_ifp) : 0;
		else
			error = ENETRESET;
		break;
	case WI_RID_CURRENT_CHAN:
		return EPERM;
	case WI_RID_COMMS_QUALITY:
		return EPERM;
	case WI_RID_PROMISC:
		if (len != 2)
			return EINVAL;
		if (ifp->if_flags & IFF_PROMISC) {
			if (wreq.wi_val[0] == 0) {
				ifp->if_flags &= ~IFF_PROMISC;
				error = ENETRESET;
			}
		} else {
			if (wreq.wi_val[0] != 0) {
				ifp->if_flags |= IFF_PROMISC;
				error = ENETRESET;
			}
		}
		break;
	case WI_RID_PORTTYPE:
		if (len != 2)
			return EINVAL;
		switch (le16toh(wreq.wi_val[0])) {
		case IEEE80211_M_STA:
			break;
		case IEEE80211_M_IBSS:
			if (!(ic->ic_caps & IEEE80211_C_IBSS))
				return EINVAL;
			break;
		case IEEE80211_M_AHDEMO:
			if (ic->ic_phytype != IEEE80211_T_DS ||
			    !(ic->ic_caps & IEEE80211_C_AHDEMO))
				return EINVAL;
			break;
		case IEEE80211_M_HOSTAP:
			if (!(ic->ic_caps & IEEE80211_C_HOSTAP))
				return EINVAL;
			break;
		default:
			return EINVAL;
		}
		if (le16toh(wreq.wi_val[0]) != ic->ic_opmode) {
			ic->ic_opmode = le16toh(wreq.wi_val[0]);
			error = IS_UP(ic) ? ic->ic_reset(ic->ic_ifp) : 0;
		}
		break;
#if 0
	case WI_RID_MAC_NODE:
		if (len != IEEE80211_ADDR_LEN)
			return EINVAL;
		IEEE80211_ADDR_COPY(LLADDR(ifp->if_sadl), wreq.wi_val);
		/* if_init will copy lladdr into ic_myaddr */
		error = ENETRESET;
		break;
#endif
	case WI_RID_TX_RATE:
		if (len != 2)
			return EINVAL;
		if (wreq.wi_val[0] == 0) {
			/* auto */
			ic->ic_fixed_rate = IEEE80211_FIXED_RATE_NONE;
			break;
		}
		rate = 2 * le16toh(wreq.wi_val[0]);
		if (ic->ic_curmode == IEEE80211_MODE_AUTO) {
			/*
			 * In autoselect mode search for the rate.  We take
			 * the first instance which may not be right, but we
			 * are limited by the interface.  Note that we also
			 * lock the mode to insure the rate is meaningful
			 * when it is used.
			 */
			for (j = IEEE80211_MODE_11A;
			     j < IEEE80211_MODE_MAX; j++) {
				if ((ic->ic_modecaps & (1<<j)) == 0)
					continue;
				i = findrate(ic, j, rate);
				if (i != -1) {
					/* lock mode too */
					ic->ic_curmode = j;
					goto setrate;
				}
			}
		} else {
			i = findrate(ic, ic->ic_curmode, rate);
			if (i != -1)
				goto setrate;
		}
		return EINVAL;
	setrate:
		ic->ic_fixed_rate = i;
		error = IS_UP(ic) ? ic->ic_reset(ic->ic_ifp) : 0;
		break;
	case WI_RID_CUR_TX_RATE:
		return EPERM;
	case WI_RID_RTS_THRESH:
		if (len != 2)
			return EINVAL;
		if (le16toh(wreq.wi_val[0]) != IEEE80211_MAX_LEN)
			return EINVAL;		/* TODO: RTS */
		break;
	case WI_RID_CREATE_IBSS:
		if (len != 2)
			return EINVAL;
		if (wreq.wi_val[0] != 0) {
			if ((ic->ic_caps & IEEE80211_C_IBSS) == 0)
				return EINVAL;
			if ((ic->ic_flags & IEEE80211_F_IBSSON) == 0) {
				ic->ic_flags |= IEEE80211_F_IBSSON;
				if (ic->ic_opmode == IEEE80211_M_IBSS &&
				    ic->ic_state == IEEE80211_S_SCAN)
					error = IS_UP_AUTO(ic) ? ENETRESET : 0;
			}
		} else {
			if (ic->ic_flags & IEEE80211_F_IBSSON) {
				ic->ic_flags &= ~IEEE80211_F_IBSSON;
				if (ic->ic_flags & IEEE80211_F_SIBSS) {
					ic->ic_flags &= ~IEEE80211_F_SIBSS;
					error = IS_UP_AUTO(ic) ? ENETRESET : 0;
				}
			}
		}
		break;
	case WI_RID_MICROWAVE_OVEN:
		if (len != 2)
			return EINVAL;
		if (wreq.wi_val[0] != 0)
			return EINVAL;		/* not supported */
		break;
	case WI_RID_ROAMING_MODE:
		if (len != 2)
			return EINVAL;
		i = le16toh(wreq.wi_val[0]);
		if (i > IEEE80211_ROAMING_MANUAL)
			return EINVAL;		/* not supported */
		ic->ic_roaming = i;
		break;
	case WI_RID_SYSTEM_SCALE:
		if (len != 2)
			return EINVAL;
		if (le16toh(wreq.wi_val[0]) != 1)
			return EINVAL;		/* not supported */
		break;
	case WI_RID_PM_ENABLED:
		if (len != 2)
			return EINVAL;
		if (wreq.wi_val[0] != 0) {
			if ((ic->ic_caps & IEEE80211_C_PMGT) == 0)
				return EINVAL;
			if ((ic->ic_flags & IEEE80211_F_PMGTON) == 0) {
				ic->ic_flags |= IEEE80211_F_PMGTON;
				error = IS_UP(ic) ? ic->ic_reset(ic->ic_ifp) : 0;
			}
		} else {
			if (ic->ic_flags & IEEE80211_F_PMGTON) {
				ic->ic_flags &= ~IEEE80211_F_PMGTON;
				error = IS_UP(ic) ? ic->ic_reset(ic->ic_ifp) : 0;
			}
		}
		break;
	case WI_RID_MAX_SLEEP:
		if (len != 2)
			return EINVAL;
		ic->ic_lintval = le16toh(wreq.wi_val[0]);
		if (ic->ic_flags & IEEE80211_F_PMGTON)
			error = IS_UP(ic) ? ic->ic_reset(ic->ic_ifp) : 0;
		break;
	case WI_RID_CUR_BEACON_INT:
		return EPERM;
	case WI_RID_WEP_AVAIL:
		return EPERM;
	case WI_RID_CNFAUTHMODE:
		if (len != 2)
			return EINVAL;
		i = le16toh(wreq.wi_val[0]);
		if (i > IEEE80211_AUTH_WPA)
			return EINVAL;
		ic->ic_bss->ni_authmode = i;		/* XXX ENETRESET? */
		error = ENETRESET;
		break;
	case WI_RID_ENCRYPTION:
		if (len != 2)
			return EINVAL;
		if (wreq.wi_val[0] != 0) {
			if ((ic->ic_caps & IEEE80211_C_WEP) == 0)
				return EINVAL;
			if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0) {
				ic->ic_flags |= IEEE80211_F_PRIVACY;
				error = ENETRESET;
			}
		} else {
			if (ic->ic_flags & IEEE80211_F_PRIVACY) {
				ic->ic_flags &= ~IEEE80211_F_PRIVACY;
				error = ENETRESET;
			}
		}
		break;
	case WI_RID_TX_CRYPT_KEY:
		if (len != 2)
			return EINVAL;
		i = le16toh(wreq.wi_val[0]);
		if (i >= IEEE80211_WEP_NKID)
			return EINVAL;
		ic->ic_def_txkey = i;
		error = IS_UP(ic) ? ic->ic_reset(ic->ic_ifp) : 0;
		break;
	case WI_RID_DEFLT_CRYPT_KEYS:
		if (len != sizeof(struct wi_ltv_keys))
			return EINVAL;
		keys = (struct wi_ltv_keys *)&wreq;
		for (i = 0; i < IEEE80211_WEP_NKID; i++) {
			len = le16toh(keys->wi_keys[i].wi_keylen);
			if (len != 0 && len < IEEE80211_WEP_KEYLEN)
				return EINVAL;
			if (len > IEEE80211_KEYBUF_SIZE)
				return EINVAL;
		}
		for (i = 0; i < IEEE80211_WEP_NKID; i++) {
			struct ieee80211_key *k = &ic->ic_nw_keys[i];

			len = le16toh(keys->wi_keys[i].wi_keylen);
			k->wk_keylen = len;
			k->wk_flags = IEEE80211_KEY_XMIT | IEEE80211_KEY_RECV;
			memset(k->wk_key, 0, sizeof(k->wk_key));
			memcpy(k->wk_key, keys->wi_keys[i].wi_keydat, len);
#if 0
			k->wk_type = IEEE80211_CIPHER_WEP;
#endif
		}
		error = ENETRESET;
		break;
	case WI_RID_MAX_DATALEN:
		if (len != 2)
			return EINVAL;
		len = le16toh(wreq.wi_val[0]);
		if (len < 350 /* ? */ || len > IEEE80211_MAX_LEN)
			return EINVAL;
		ic->ic_fragthreshold = len;
		error = IS_UP(ic) ? ic->ic_reset(ic->ic_ifp) : 0;
		break;
	case WI_RID_IFACE_STATS:
		error = EPERM;
		break;
	case WI_RID_SCAN_REQ:			/* XXX wicontrol */
		if (ic->ic_opmode == IEEE80211_M_HOSTAP)
			break;
		error = ieee80211_setupscan(ic, ic->ic_chan_avail);
		if (error == 0)
			error = ieee80211_new_state(ic, IEEE80211_S_SCAN, -1);
		break;
	case WI_RID_SCAN_APS:
		if (ic->ic_opmode == IEEE80211_M_HOSTAP)
			break;
		len--;			/* XXX: tx rate? */
		/* FALLTHRU */
	case WI_RID_CHANNEL_LIST:
		memset(chanlist, 0, sizeof(chanlist));
		/*
		 * Since channel 0 is not available for DS, channel 1
		 * is assigned to LSB on WaveLAN.
		 */
		if (ic->ic_phytype == IEEE80211_T_DS)
			i = 1;
		else
			i = 0;
		for (j = 0; i <= IEEE80211_CHAN_MAX; i++, j++) {
			if ((j / 8) >= len)
				break;
			if (isclr((u_int8_t *)wreq.wi_val, j))
				continue;
			if (isclr(ic->ic_chan_active, i)) {
				if (wreq.wi_type != WI_RID_CHANNEL_LIST)
					continue;
				if (isclr(ic->ic_chan_avail, i))
					return EPERM;
			}
			setbit(chanlist, i);
		}
		error = ieee80211_setupscan(ic, chanlist);
		if (wreq.wi_type == WI_RID_CHANNEL_LIST) {
			/* NB: ignore error from ieee80211_setupscan */
			error = ENETRESET;
		} else if (error == 0)
			error = ieee80211_new_state(ic, IEEE80211_S_SCAN, -1);
		break;
	default:
		error = EINVAL;
		break;
	}
	if (error == ENETRESET && !IS_UP_AUTO(ic))
		error = 0;
	return error;
}

static int
cap2cipher(int flag)
{
	switch (flag) {
	case IEEE80211_C_WEP:		return IEEE80211_CIPHER_WEP;
	case IEEE80211_C_AES:		return IEEE80211_CIPHER_AES_OCB;
	case IEEE80211_C_AES_CCM:	return IEEE80211_CIPHER_AES_CCM;
	case IEEE80211_C_CKIP:		return IEEE80211_CIPHER_CKIP;
	case IEEE80211_C_TKIP:		return IEEE80211_CIPHER_TKIP;
	}
	return -1;
}

static int
ieee80211_ioctl_getkey(struct ieee80211com *ic, struct ieee80211req *ireq)
{
	struct ieee80211_node *ni;
	struct ieee80211req_key ik;
	struct ieee80211_key *wk;
	const struct ieee80211_cipher *cip;
	u_int kid;
	int error;

	if (ireq->i_len != sizeof(ik))
		return EINVAL;
	error = copyin(ireq->i_data, &ik, sizeof(ik));
	if (error)
		return error;
	kid = ik.ik_keyix;
	if (kid == IEEE80211_KEYIX_NONE) {
		ni = ieee80211_find_node(&ic->ic_sta, ik.ik_macaddr);
		if (ni == NULL)
			return EINVAL;		/* XXX */
		wk = &ni->ni_ucastkey;
	} else {
		if (kid >= IEEE80211_WEP_NKID)
			return EINVAL;
		wk = &ic->ic_nw_keys[kid];
		IEEE80211_ADDR_COPY(&ik.ik_macaddr, ic->ic_bss->ni_macaddr);
		ni = NULL;
	}
	cip = wk->wk_cipher;
	ik.ik_type = cip->ic_cipher;
	ik.ik_keylen = wk->wk_keylen;
	ik.ik_flags = wk->wk_flags & (IEEE80211_KEY_XMIT | IEEE80211_KEY_RECV);
	if (wk->wk_keyix == ic->ic_def_txkey)
		ik.ik_flags |= IEEE80211_KEY_DEFAULT;
	if (priv_check(curthread, PRIV_NET80211_GETKEY) == 0) {
		/* NB: only root can read key data */
		ik.ik_keyrsc = wk->wk_keyrsc;
		ik.ik_keytsc = wk->wk_keytsc;
		memcpy(ik.ik_keydata, wk->wk_key, wk->wk_keylen);
		if (cip->ic_cipher == IEEE80211_CIPHER_TKIP) {
			memcpy(ik.ik_keydata+wk->wk_keylen,
				wk->wk_key + IEEE80211_KEYBUF_SIZE,
				IEEE80211_MICBUF_SIZE);
			ik.ik_keylen += IEEE80211_MICBUF_SIZE;
		}
	} else {
		ik.ik_keyrsc = 0;
		ik.ik_keytsc = 0;
		memset(ik.ik_keydata, 0, sizeof(ik.ik_keydata));
	}
	if (ni != NULL)
		ieee80211_free_node(ni);
	return copyout(&ik, ireq->i_data, sizeof(ik));
}

static int
ieee80211_ioctl_getchanlist(struct ieee80211com *ic, struct ieee80211req *ireq)
{

	if (sizeof(ic->ic_chan_active) < ireq->i_len)
		ireq->i_len = sizeof(ic->ic_chan_active);
	return copyout(&ic->ic_chan_active, ireq->i_data, ireq->i_len);
}

static int
ieee80211_ioctl_getchaninfo(struct ieee80211com *ic, struct ieee80211req *ireq)
{
	struct ieee80211req_chaninfo chans;	/* XXX off stack? */
	int i, space;

	/*
	 * Since channel 0 is not available for DS, channel 1
	 * is assigned to LSB on WaveLAN.
	 */
	if (ic->ic_phytype == IEEE80211_T_DS)
		i = 1;
	else
		i = 0;
	memset(&chans, 0, sizeof(chans));
	for (; i <= IEEE80211_CHAN_MAX; i++)
		if (isset(ic->ic_chan_avail, i)) {
			struct ieee80211_channel *c = &ic->ic_channels[i];
			chans.ic_chans[chans.ic_nchans].ic_freq = c->ic_freq;
			chans.ic_chans[chans.ic_nchans].ic_flags = c->ic_flags;
			chans.ic_nchans++;
		}
	space = __offsetof(struct ieee80211req_chaninfo,
			ic_chans[chans.ic_nchans]);
	if (space > ireq->i_len)
		space = ireq->i_len;
	return copyout(&chans, ireq->i_data, space);
}

static int
ieee80211_ioctl_getwpaie(struct ieee80211com *ic, struct ieee80211req *ireq)
{
	struct ieee80211_node *ni;
	struct ieee80211req_wpaie wpaie;
	int error;

	if (ireq->i_len < IEEE80211_ADDR_LEN)
		return EINVAL;
	error = copyin(ireq->i_data, wpaie.wpa_macaddr, IEEE80211_ADDR_LEN);
	if (error != 0)
		return error;
	ni = ieee80211_find_node(&ic->ic_sta, wpaie.wpa_macaddr);
	if (ni == NULL)
		return EINVAL;		/* XXX */
	memset(wpaie.wpa_ie, 0, sizeof(wpaie.wpa_ie));
	if (ni->ni_wpa_ie != NULL) {
		int ielen = ni->ni_wpa_ie[1] + 2;
		if (ielen > sizeof(wpaie.wpa_ie))
			ielen = sizeof(wpaie.wpa_ie);
		memcpy(wpaie.wpa_ie, ni->ni_wpa_ie, ielen);
	}
	ieee80211_free_node(ni);
	if (ireq->i_len > sizeof(wpaie))
		ireq->i_len = sizeof(wpaie);
	return copyout(&wpaie, ireq->i_data, ireq->i_len);
}

static int
ieee80211_ioctl_getstastats(struct ieee80211com *ic, struct ieee80211req *ireq)
{
	struct ieee80211_node *ni;
	u_int8_t macaddr[IEEE80211_ADDR_LEN];
	const int off = __offsetof(struct ieee80211req_sta_stats, is_stats);
	int error;

	if (ireq->i_len < off)
		return EINVAL;
	error = copyin(ireq->i_data, macaddr, IEEE80211_ADDR_LEN);
	if (error != 0)
		return error;
	ni = ieee80211_find_node(&ic->ic_sta, macaddr);
	if (ni == NULL) {
		/* XXX special-case sta-mode until bss is node in ic_sta */
		if (ic->ic_opmode != IEEE80211_M_STA)
			return ENOENT;
		ni = ieee80211_ref_node(ic->ic_bss);
	}
	if (ireq->i_len > sizeof(struct ieee80211req_sta_stats))
		ireq->i_len = sizeof(struct ieee80211req_sta_stats);
	/* NB: copy out only the statistics */
	error = copyout(&ni->ni_stats, (u_int8_t *) ireq->i_data + off,
			ireq->i_len - off);
	ieee80211_free_node(ni);
	return error;
}

#ifdef COMPAT_FREEBSD6
#define	IEEE80211_IOC_SCAN_RESULTS_OLD	24

struct scan_result_old {
	u_int16_t	isr_len;		/* length (mult of 4) */
	u_int16_t	isr_freq;		/* MHz */
	u_int16_t	isr_flags;		/* channel flags */
	u_int8_t	isr_noise;
	u_int8_t	isr_rssi;
	u_int8_t	isr_intval;		/* beacon interval */
	u_int8_t	isr_capinfo;		/* capabilities */
	u_int8_t	isr_erp;		/* ERP element */
	u_int8_t	isr_bssid[IEEE80211_ADDR_LEN];
	u_int8_t	isr_nrates;
	u_int8_t	isr_rates[IEEE80211_RATE_MAXSIZE];
	u_int8_t	isr_ssid_len;		/* SSID length */
	u_int8_t	isr_ie_len;		/* IE length */
	u_int8_t	isr_pad[5];
	/* variable length SSID followed by IE data */
};

static void
old_get_scan_result(struct scan_result_old *sr,
	const struct ieee80211_node *ni)
{
	struct ieee80211com *ic = ni->ni_ic;
	u_int ielen;

	memset(sr, 0, sizeof(*sr));
	sr->isr_ssid_len = ni->ni_esslen;
	ielen = 0;
	if (ni->ni_wpa_ie != NULL)
		ielen += 2+ni->ni_wpa_ie[1];
	if (ni->ni_wme_ie != NULL)
		ielen += 2+ni->ni_wme_ie[1];
	/* NB: beware of overflow, isr_ie_len is 8 bits */
	sr->isr_ie_len = (ielen > 255 ? 0 : ielen);
	sr->isr_len = sizeof(*sr) + sr->isr_ssid_len + sr->isr_ie_len;
	sr->isr_len = roundup(sr->isr_len, sizeof(u_int32_t));
	if (ni->ni_chan != IEEE80211_CHAN_ANYC) {
		sr->isr_freq = ni->ni_chan->ic_freq;
		sr->isr_flags = ni->ni_chan->ic_flags;
	}
	sr->isr_rssi = ic->ic_node_getrssi(ni);
	sr->isr_intval = ni->ni_intval;
	sr->isr_capinfo = ni->ni_capinfo;
	sr->isr_erp = ni->ni_erp;
	IEEE80211_ADDR_COPY(sr->isr_bssid, ni->ni_bssid);
	sr->isr_nrates = ni->ni_rates.rs_nrates;
	if (sr->isr_nrates > 15)
		sr->isr_nrates = 15;
	memcpy(sr->isr_rates, ni->ni_rates.rs_rates, sr->isr_nrates);
}

static int
old_getscanresults(struct ieee80211com *ic, struct ieee80211req *ireq)
{
	union {
		struct scan_result_old res;
		char data[512];		/* XXX shrink? */
	} u;
	struct scan_result_old *sr = &u.res;
	struct ieee80211_node_table *nt;
	struct ieee80211_node *ni;
	int error, space;
	u_int8_t *p, *cp;

	p = ireq->i_data;
	space = ireq->i_len;
	error = 0;
	/* XXX locking */
	nt =  &ic->ic_scan;
	TAILQ_FOREACH(ni, &nt->nt_node, ni_list) {
		/* NB: skip pre-scan node state */
		if (ni->ni_chan == IEEE80211_CHAN_ANYC)
			continue;
		old_get_scan_result(sr, ni);
		if (sr->isr_len > sizeof(u))
			continue;		/* XXX */
		if (space < sr->isr_len)
			break;
		cp = (u_int8_t *)(sr+1);
		memcpy(cp, ni->ni_essid, ni->ni_esslen);
		cp += ni->ni_esslen;
		if (sr->isr_ie_len) {
			if (ni->ni_wpa_ie != NULL) {
				memcpy(cp, ni->ni_wpa_ie, 2+ni->ni_wpa_ie[1]);
				cp += 2+ni->ni_wpa_ie[1];
			}
			if (ni->ni_wme_ie != NULL) {
				memcpy(cp, ni->ni_wme_ie, 2+ni->ni_wme_ie[1]);
				cp += 2+ni->ni_wme_ie[1];
			}
		}
		error = copyout(sr, p, sr->isr_len);
		if (error)
			break;
		p += sr->isr_len;
		space -= sr->isr_len;
	}
	ireq->i_len -= space;
	return error;
}
#endif /* COMPAT_FREEBSD6 */

struct scanresultsreq {
	struct ieee80211req_scan_result *sr;
	size_t	space;
};

static size_t
scan_space(const struct ieee80211_node *ni, size_t *ielen)
{
	size_t len;

	*ielen = 0;
	if (ni->ni_wpa_ie != NULL)
		*ielen += 2+ni->ni_wpa_ie[1];
	if (ni->ni_wme_ie != NULL)
		*ielen += 2+ni->ni_wme_ie[1];
	/*
	 * NB: ie's can be no more than 255 bytes and the max 802.11
	 * packet is <3Kbytes so we are sure this doesn't overflow
	 * 16-bits; if this is a concern we can drop the ie's.
	 */
	len = sizeof(struct ieee80211req_scan_result) + ni->ni_esslen + *ielen;
	return roundup(len, sizeof(u_int32_t));
}

static void
get_scan_space(void *arg, struct ieee80211_node *ni)
{
	struct scanresultsreq *req = arg;
	size_t ielen;

	req->space += scan_space(ni, &ielen);
}

static void
get_scan_result(void *arg, struct ieee80211_node *ni)
{
	struct scanresultsreq *req = arg;
	struct ieee80211com *ic = ni->ni_ic;
	struct ieee80211req_scan_result *sr;
	size_t ielen, len;
	u_int8_t *cp;

	len = scan_space(ni, &ielen);
	if (len > req->space)
		return;
	sr = req->sr;
	KASSERT(len <= 65535 && ielen <= 65535,
	    ("len %zu ssid %u ie %zu", len, ni->ni_esslen, ielen));
	sr->isr_len = len;
	sr->isr_ssid_len = ni->ni_esslen;
	sr->isr_ie_len = ielen;
	if (ni->ni_chan != IEEE80211_CHAN_ANYC) {
		sr->isr_freq = ni->ni_chan->ic_freq;
		sr->isr_flags = ni->ni_chan->ic_flags;
	}
	/* XXX need to rev driver apis for signal data */
	sr->isr_rssi = (int8_t) ic->ic_node_getrssi(ni);
	sr->isr_intval = ni->ni_intval;
	sr->isr_capinfo = ni->ni_capinfo;
	sr->isr_erp = ni->ni_erp;
	IEEE80211_ADDR_COPY(sr->isr_bssid, ni->ni_bssid);
	sr->isr_nrates = ni->ni_rates.rs_nrates;
	if (sr->isr_nrates > 15)
		sr->isr_nrates = 15;
	memcpy(sr->isr_rates, ni->ni_rates.rs_rates, sr->isr_nrates);
	cp = (u_int8_t *)(sr+1);
	memcpy(cp, ni->ni_essid, ni->ni_esslen);
	cp += ni->ni_esslen;
	if (sr->isr_ie_len) {
		if (ni->ni_wpa_ie != NULL) {
			memcpy(cp, ni->ni_wpa_ie, 2+ni->ni_wpa_ie[1]);
			cp += 2+ni->ni_wpa_ie[1];
		}
		if (ni->ni_wme_ie != NULL) {
			memcpy(cp, ni->ni_wme_ie, 2+ni->ni_wme_ie[1]);
			cp += 2+ni->ni_wme_ie[1];
		}
	}

	req->sr = (struct ieee80211req_scan_result *)(((u_int8_t *)sr) + len);
	req->space -= len;
}

static int
ieee80211_ioctl_getscanresults(struct ieee80211com *ic, struct ieee80211req *ireq)
{
	struct scanresultsreq req;
	int error;

	if (ireq->i_len < sizeof(struct ieee80211req_scan_result))
		return EFAULT;

	error = 0;
	req.space = 0;
	ieee80211_iterate_nodes(&ic->ic_scan, get_scan_space, &req);
	if (req.space > ireq->i_len)
		req.space = ireq->i_len;
	if (req.space > 0) {
		size_t space;
		void *p;

		space = req.space;
		/* XXX M_WAITOK after driver lock released */
		MALLOC(p, void *, space, M_TEMP, M_NOWAIT | M_ZERO);
		if (p == NULL)
			return ENOMEM;
		req.sr = p;
		ieee80211_iterate_nodes(&ic->ic_scan, get_scan_result, &req);
		ireq->i_len = space - req.space;
		error = copyout(p, ireq->i_data, ireq->i_len);
		FREE(p, M_TEMP);
	} else
		ireq->i_len = 0;

	return error;
}

struct stainforeq {
	struct ieee80211com *ic;
	struct ieee80211req_sta_info *si;
	size_t	space;
};

static size_t
sta_space(const struct ieee80211_node *ni, size_t *ielen)
{
	*ielen = 0;
	if (ni->ni_wpa_ie != NULL)
		*ielen += 2+ni->ni_wpa_ie[1];
	if (ni->ni_wme_ie != NULL)
		*ielen += 2+ni->ni_wme_ie[1];
	return roundup(sizeof(struct ieee80211req_sta_info) + *ielen,
		      sizeof(u_int32_t));
}

static void
get_sta_space(void *arg, struct ieee80211_node *ni)
{
	struct stainforeq *req = arg;
	struct ieee80211com *ic = ni->ni_ic;
	size_t ielen;

	if (ic->ic_opmode == IEEE80211_M_HOSTAP &&
	    ni->ni_associd == 0)	/* only associated stations */
		return;
	req->space += sta_space(ni, &ielen);
}

static void
get_sta_info(void *arg, struct ieee80211_node *ni)
{
	struct stainforeq *req = arg;
	struct ieee80211com *ic = ni->ni_ic;
	struct ieee80211req_sta_info *si;
	size_t ielen, len;
	u_int8_t *cp;

	if (ic->ic_opmode == IEEE80211_M_HOSTAP &&
	    ni->ni_associd == 0)	/* only associated stations */
		return;
	if (ni->ni_chan == IEEE80211_CHAN_ANYC)	/* XXX bogus entry */
		return;
	len = sta_space(ni, &ielen);
	if (len > req->space)
		return;
	si = req->si;
	KASSERT(len <= 65535 && ielen <= 65535, ("len %zu ie %zu", len, ielen));
	si->isi_len = len;
	si->isi_ie_len = ielen;
	si->isi_freq = ni->ni_chan->ic_freq;
	si->isi_flags = ni->ni_chan->ic_flags;
	si->isi_state = ni->ni_flags;
	si->isi_authmode = ni->ni_authmode;
	si->isi_rssi = ic->ic_node_getrssi(ni);
	si->isi_noise = 0;		/* XXX */
	si->isi_capinfo = ni->ni_capinfo;
	si->isi_erp = ni->ni_erp;
	IEEE80211_ADDR_COPY(si->isi_macaddr, ni->ni_macaddr);
	si->isi_nrates = ni->ni_rates.rs_nrates;
	if (si->isi_nrates > 15)
		si->isi_nrates = 15;
	memcpy(si->isi_rates, ni->ni_rates.rs_rates, si->isi_nrates);
	si->isi_txrate = ni->ni_txrate;
	si->isi_associd = ni->ni_associd;
	si->isi_txpower = ni->ni_txpower;
	si->isi_vlan = ni->ni_vlan;
	if (ni->ni_flags & IEEE80211_NODE_QOS) {
		memcpy(si->isi_txseqs, ni->ni_txseqs, sizeof(ni->ni_txseqs));
		memcpy(si->isi_rxseqs, ni->ni_rxseqs, sizeof(ni->ni_rxseqs));
	} else {
		si->isi_txseqs[0] = ni->ni_txseqs[IEEE80211_NONQOS_TID];
		si->isi_rxseqs[0] = ni->ni_rxseqs[IEEE80211_NONQOS_TID];
	}
	/* NB: leave all cases in case we relax ni_associd == 0 check */
	if (ieee80211_node_is_authorized(ni))
		si->isi_inact = ic->ic_inact_run;
	else if (ni->ni_associd != 0)
		si->isi_inact = ic->ic_inact_auth;
	else
		si->isi_inact = ic->ic_inact_init;
	si->isi_inact = (si->isi_inact - ni->ni_inact) * IEEE80211_INACT_WAIT;

	cp = (u_int8_t *)(si+1);
	if (ni->ni_wpa_ie != NULL) {
		memcpy(cp, ni->ni_wpa_ie, 2+ni->ni_wpa_ie[1]);
		cp += 2+ni->ni_wpa_ie[1];
	}
	if (ni->ni_wme_ie != NULL) {
		memcpy(cp, ni->ni_wme_ie, 2+ni->ni_wme_ie[1]);
		cp += 2+ni->ni_wme_ie[1];
	}

	req->si = (struct ieee80211req_sta_info *)(((u_int8_t *)si) + len);
	req->space -= len;
}

static int
getstainfo_common(struct ieee80211com *ic, struct ieee80211req *ireq,
	struct ieee80211_node *ni, int off)
{
	struct stainforeq req;
	size_t space;
	void *p;
	int error;

	error = 0;
	req.space = 0;
	if (ni == NULL)
		ieee80211_iterate_nodes(&ic->ic_sta, get_sta_space, &req);
	else
		get_sta_space(&req, ni);
	if (req.space > ireq->i_len)
		req.space = ireq->i_len;
	if (req.space > 0) {
		space = req.space;
		/* XXX M_WAITOK after driver lock released */
		MALLOC(p, void *, space, M_TEMP, M_NOWAIT);
		if (p == NULL) {
			error = ENOMEM;
			goto bad;
		}
		req.si = p;
		if (ni == NULL)
			ieee80211_iterate_nodes(&ic->ic_sta, get_sta_info, &req);
		else
			get_sta_info(&req, ni);
		ireq->i_len = space - req.space;
		error = copyout(p, (u_int8_t *) ireq->i_data+off, ireq->i_len);
		FREE(p, M_TEMP);
	} else
		ireq->i_len = 0;
bad:
	if (ni != NULL)
		ieee80211_free_node(ni);
	return error;
}

static int
ieee80211_ioctl_getstainfo(struct ieee80211com *ic, struct ieee80211req *ireq)
{
	u_int8_t macaddr[IEEE80211_ADDR_LEN];
	const int off = __offsetof(struct ieee80211req_sta_req, info);
	struct ieee80211_node *ni;
	int error;

	if (ireq->i_len < sizeof(struct ieee80211req_sta_req))
		return EFAULT;
	error = copyin(ireq->i_data, macaddr, IEEE80211_ADDR_LEN);
	if (error != 0)
		return error;
	if (IEEE80211_ADDR_EQ(macaddr, ic->ic_ifp->if_broadcastaddr)) {
		ni = NULL;
	} else {
		ni = ieee80211_find_node(&ic->ic_sta, macaddr);
		if (ni == NULL) {
			/* XXX special-case sta-mode until bss is in ic_sta */
			if (ic->ic_opmode != IEEE80211_M_STA)
				return EINVAL;		/* XXX */
			ni = ieee80211_ref_node(ic->ic_bss);
		}
	}
	return getstainfo_common(ic, ireq, ni, off);
}

#ifdef COMPAT_FREEBSD6
#define	IEEE80211_IOC_STA_INFO_OLD	45

static int
old_getstainfo(struct ieee80211com *ic, struct ieee80211req *ireq)
{
	if (ireq->i_len < sizeof(struct ieee80211req_sta_info))
		return EFAULT;
	return getstainfo_common(ic, ireq, NULL, 0);
}
#endif /* COMPAT_FREEBSD6 */

static int
ieee80211_ioctl_getstatxpow(struct ieee80211com *ic, struct ieee80211req *ireq)
{
	struct ieee80211_node *ni;
	struct ieee80211req_sta_txpow txpow;
	int error;

	if (ireq->i_len != sizeof(txpow))
		return EINVAL;
	error = copyin(ireq->i_data, &txpow, sizeof(txpow));
	if (error != 0)
		return error;
	ni = ieee80211_find_node(&ic->ic_sta, txpow.it_macaddr);
	if (ni == NULL)
		return EINVAL;		/* XXX */
	txpow.it_txpow = ni->ni_txpower;
	error = copyout(&txpow, ireq->i_data, sizeof(txpow));
	ieee80211_free_node(ni);
	return error;
}

static int
ieee80211_ioctl_getwmeparam(struct ieee80211com *ic, struct ieee80211req *ireq)
{
	struct ieee80211_wme_state *wme = &ic->ic_wme;
	struct wmeParams *wmep;
	int ac;

	if ((ic->ic_caps & IEEE80211_C_WME) == 0)
		return EINVAL;

	ac = (ireq->i_len & IEEE80211_WMEPARAM_VAL);
	if (ac >= WME_NUM_AC)
		ac = WME_AC_BE;
	if (ireq->i_len & IEEE80211_WMEPARAM_BSS)
		wmep = &wme->wme_wmeBssChanParams.cap_wmeParams[ac];
	else
		wmep = &wme->wme_wmeChanParams.cap_wmeParams[ac];
	switch (ireq->i_type) {
	case IEEE80211_IOC_WME_CWMIN:		/* WME: CWmin */
		ireq->i_val = wmep->wmep_logcwmin;
		break;
	case IEEE80211_IOC_WME_CWMAX:		/* WME: CWmax */
		ireq->i_val = wmep->wmep_logcwmax;
		break;
	case IEEE80211_IOC_WME_AIFS:		/* WME: AIFS */
		ireq->i_val = wmep->wmep_aifsn;
		break;
	case IEEE80211_IOC_WME_TXOPLIMIT:	/* WME: txops limit */
		ireq->i_val = wmep->wmep_txopLimit;
		break;
	case IEEE80211_IOC_WME_ACM:		/* WME: ACM (bss only) */
		wmep = &wme->wme_wmeBssChanParams.cap_wmeParams[ac];
		ireq->i_val = wmep->wmep_acm;
		break;
	case IEEE80211_IOC_WME_ACKPOLICY:	/* WME: ACK policy (!bss only)*/
		wmep = &wme->wme_wmeChanParams.cap_wmeParams[ac];
		ireq->i_val = !wmep->wmep_noackPolicy;
		break;
	}
	return 0;
}

static int
ieee80211_ioctl_getmaccmd(struct ieee80211com *ic, struct ieee80211req *ireq)
{
	const struct ieee80211_aclator *acl = ic->ic_acl;

	return (acl == NULL ? EINVAL : acl->iac_getioctl(ic, ireq));
}

/*
 * When building the kernel with -O2 on the i386 architecture, gcc
 * seems to want to inline this function into ieee80211_ioctl()
 * (which is the only routine that calls it). When this happens,
 * ieee80211_ioctl() ends up consuming an additional 2K of stack
 * space. (Exactly why it needs so much is unclear.) The problem
 * is that it's possible for ieee80211_ioctl() to invoke other
 * routines (including driver init functions) which could then find
 * themselves perilously close to exhausting the stack.
 *
 * To avoid this, we deliberately prevent gcc from inlining this
 * routine. Another way to avoid this is to use less agressive
 * optimization when compiling this file (i.e. -O instead of -O2)
 * but special-casing the compilation of this one module in the
 * build system would be awkward.
 */
#ifdef __GNUC__
__attribute__ ((noinline))
#endif
static int
ieee80211_ioctl_get80211(struct ieee80211com *ic, u_long cmd, struct ieee80211req *ireq)
{
	const struct ieee80211_rsnparms *rsn = &ic->ic_bss->ni_rsn;
	int error = 0;
	u_int kid, len, m;
	u_int8_t tmpkey[IEEE80211_KEYBUF_SIZE];
	char tmpssid[IEEE80211_NWID_LEN];

	switch (ireq->i_type) {
	case IEEE80211_IOC_SSID:
		switch (ic->ic_state) {
		case IEEE80211_S_INIT:
		case IEEE80211_S_SCAN:
			ireq->i_len = ic->ic_des_esslen;
			memcpy(tmpssid, ic->ic_des_essid, ireq->i_len);
			break;
		default:
			ireq->i_len = ic->ic_bss->ni_esslen;
			memcpy(tmpssid, ic->ic_bss->ni_essid,
				ireq->i_len);
			break;
		}
		error = copyout(tmpssid, ireq->i_data, ireq->i_len);
		break;
	case IEEE80211_IOC_NUMSSIDS:
		ireq->i_val = 1;
		break;
	case IEEE80211_IOC_WEP:
		if ((ic->ic_flags & IEEE80211_F_PRIVACY) == 0)
			ireq->i_val = IEEE80211_WEP_OFF;
		else if (ic->ic_flags & IEEE80211_F_DROPUNENC)
			ireq->i_val = IEEE80211_WEP_ON;
		else
			ireq->i_val = IEEE80211_WEP_MIXED;
		break;
	case IEEE80211_IOC_WEPKEY:
		kid = (u_int) ireq->i_val;
		if (kid >= IEEE80211_WEP_NKID)
			return EINVAL;
		len = (u_int) ic->ic_nw_keys[kid].wk_keylen;
		/* NB: only root can read WEP keys */
		if (priv_check(curthread, PRIV_NET80211_GETKEY) == 0) {
			bcopy(ic->ic_nw_keys[kid].wk_key, tmpkey, len);
		} else {
			bzero(tmpkey, len);
		}
		ireq->i_len = len;
		error = copyout(tmpkey, ireq->i_data, len);
		break;
	case IEEE80211_IOC_NUMWEPKEYS:
		ireq->i_val = IEEE80211_WEP_NKID;
		break;
	case IEEE80211_IOC_WEPTXKEY:
		ireq->i_val = ic->ic_def_txkey;
		break;
	case IEEE80211_IOC_AUTHMODE:
		if (ic->ic_flags & IEEE80211_F_WPA)
			ireq->i_val = IEEE80211_AUTH_WPA;
		else
			ireq->i_val = ic->ic_bss->ni_authmode;
		break;
	case IEEE80211_IOC_CHANNEL:
		ireq->i_val = ieee80211_chan2ieee(ic, ic->ic_curchan);
		break;
	case IEEE80211_IOC_POWERSAVE:
		if (ic->ic_flags & IEEE80211_F_PMGTON)
			ireq->i_val = IEEE80211_POWERSAVE_ON;
		else
			ireq->i_val = IEEE80211_POWERSAVE_OFF;
		break;
	case IEEE80211_IOC_POWERSAVESLEEP:
		ireq->i_val = ic->ic_lintval;
		break;
	case IEEE80211_IOC_RTSTHRESHOLD:
		ireq->i_val = ic->ic_rtsthreshold;
		break;
	case IEEE80211_IOC_PROTMODE:
		ireq->i_val = ic->ic_protmode;
		break;
	case IEEE80211_IOC_TXPOWER:
		if ((ic->ic_caps & IEEE80211_C_TXPMGT) == 0)
			return EINVAL;
		ireq->i_val = ic->ic_txpowlimit;
		break;
	case IEEE80211_IOC_MCASTCIPHER:
		ireq->i_val = rsn->rsn_mcastcipher;
		break;
	case IEEE80211_IOC_MCASTKEYLEN:
		ireq->i_val = rsn->rsn_mcastkeylen;
		break;
	case IEEE80211_IOC_UCASTCIPHERS:
		ireq->i_val = 0;
		for (m = 0x1; m != 0; m <<= 1)
			if (rsn->rsn_ucastcipherset & m)
				ireq->i_val |= 1<<cap2cipher(m);
		break;
	case IEEE80211_IOC_UCASTCIPHER:
		ireq->i_val = rsn->rsn_ucastcipher;
		break;
	case IEEE80211_IOC_UCASTKEYLEN:
		ireq->i_val = rsn->rsn_ucastkeylen;
		break;
	case IEEE80211_IOC_KEYMGTALGS:
		ireq->i_val = rsn->rsn_keymgmtset;
		break;
	case IEEE80211_IOC_RSNCAPS:
		ireq->i_val = rsn->rsn_caps;
		break;
	case IEEE80211_IOC_WPA:
		switch (ic->ic_flags & IEEE80211_F_WPA) {
		case IEEE80211_F_WPA1:
			ireq->i_val = 1;
			break;
		case IEEE80211_F_WPA2:
			ireq->i_val = 2;
			break;
		case IEEE80211_F_WPA1 | IEEE80211_F_WPA2:
			ireq->i_val = 3;
			break;
		default:
			ireq->i_val = 0;
			break;
		}
		break;
	case IEEE80211_IOC_CHANLIST:
		error = ieee80211_ioctl_getchanlist(ic, ireq);
		break;
	case IEEE80211_IOC_ROAMING:
		ireq->i_val = ic->ic_roaming;
		break;
	case IEEE80211_IOC_PRIVACY:
		ireq->i_val = (ic->ic_flags & IEEE80211_F_PRIVACY) != 0;
		break;
	case IEEE80211_IOC_DROPUNENCRYPTED:
		ireq->i_val = (ic->ic_flags & IEEE80211_F_DROPUNENC) != 0;
		break;
	case IEEE80211_IOC_COUNTERMEASURES:
		ireq->i_val = (ic->ic_flags & IEEE80211_F_COUNTERM) != 0;
		break;
	case IEEE80211_IOC_DRIVER_CAPS:
		ireq->i_val = ic->ic_caps>>16;
		ireq->i_len = ic->ic_caps&0xffff;
		break;
	case IEEE80211_IOC_WME:
		ireq->i_val = (ic->ic_flags & IEEE80211_F_WME) != 0;
		break;
	case IEEE80211_IOC_HIDESSID:
		ireq->i_val = (ic->ic_flags & IEEE80211_F_HIDESSID) != 0;
		break;
	case IEEE80211_IOC_APBRIDGE:
		ireq->i_val = (ic->ic_flags & IEEE80211_F_NOBRIDGE) == 0;
		break;
	case IEEE80211_IOC_OPTIE:
		if (ic->ic_opt_ie == NULL)
			return EINVAL;
		/* NB: truncate, caller can check length */
		if (ireq->i_len > ic->ic_opt_ie_len)
			ireq->i_len = ic->ic_opt_ie_len;
		error = copyout(ic->ic_opt_ie, ireq->i_data, ireq->i_len);
		break;
	case IEEE80211_IOC_WPAKEY:
		error = ieee80211_ioctl_getkey(ic, ireq);
		break;
	case IEEE80211_IOC_CHANINFO:
		error = ieee80211_ioctl_getchaninfo(ic, ireq);
		break;
	case IEEE80211_IOC_BSSID:
		if (ireq->i_len != IEEE80211_ADDR_LEN)
			return EINVAL;
		error = copyout(ic->ic_state == IEEE80211_S_RUN ?
					ic->ic_bss->ni_bssid :
					ic->ic_des_bssid,
				ireq->i_data, ireq->i_len);
		break;
	case IEEE80211_IOC_WPAIE:
		error = ieee80211_ioctl_getwpaie(ic, ireq);
		break;
#ifdef COMPAT_FREEBSD6
	case IEEE80211_IOC_SCAN_RESULTS_OLD:
		error = old_getscanresults(ic, ireq);
		break;
#endif
	case IEEE80211_IOC_SCAN_RESULTS:
		error = ieee80211_ioctl_getscanresults(ic, ireq);
		break;
	case IEEE80211_IOC_STA_STATS:
		error = ieee80211_ioctl_getstastats(ic, ireq);
		break;
	case IEEE80211_IOC_TXPOWMAX:
		ireq->i_val = ic->ic_bss->ni_txpower;
		break;
	case IEEE80211_IOC_STA_TXPOW:
		error = ieee80211_ioctl_getstatxpow(ic, ireq);
		break;
#ifdef COMPAT_FREEBSD6
	case IEEE80211_IOC_STA_INFO_OLD:
		error = old_getstainfo(ic, ireq);
		break;
#endif
	case IEEE80211_IOC_STA_INFO:
		error = ieee80211_ioctl_getstainfo(ic, ireq);
		break;
	case IEEE80211_IOC_WME_CWMIN:		/* WME: CWmin */
	case IEEE80211_IOC_WME_CWMAX:		/* WME: CWmax */
	case IEEE80211_IOC_WME_AIFS:		/* WME: AIFS */
	case IEEE80211_IOC_WME_TXOPLIMIT:	/* WME: txops limit */
	case IEEE80211_IOC_WME_ACM:		/* WME: ACM (bss only) */
	case IEEE80211_IOC_WME_ACKPOLICY:	/* WME: ACK policy (bss only) */
		error = ieee80211_ioctl_getwmeparam(ic, ireq);
		break;
	case IEEE80211_IOC_DTIM_PERIOD:
		ireq->i_val = ic->ic_dtim_period;
		break;
	case IEEE80211_IOC_BEACON_INTERVAL:
		/* NB: get from ic_bss for station mode */
		ireq->i_val = ic->ic_bss->ni_intval;
		break;
	case IEEE80211_IOC_PUREG:
		ireq->i_val = (ic->ic_flags & IEEE80211_F_PUREG) != 0;
		break;
	case IEEE80211_IOC_MCAST_RATE:
		ireq->i_val = ic->ic_mcast_rate;
		break;
	case IEEE80211_IOC_FRAGTHRESHOLD:
		ireq->i_val = ic->ic_fragthreshold;
		break;
	case IEEE80211_IOC_MACCMD:
		error = ieee80211_ioctl_getmaccmd(ic, ireq);
		break;
	case IEEE80211_IOC_BURST:
		ireq->i_val = (ic->ic_flags & IEEE80211_F_BURST) != 0;
		break;
	case IEEE80211_IOC_BMISSTHRESHOLD:
		ireq->i_val = ic->ic_bmissthreshold;
		break;
	default:
		error = EINVAL;
		break;
	}
	return error;
}

static int
ieee80211_ioctl_setoptie(struct ieee80211com *ic, struct ieee80211req *ireq)
{
	int error;
	void *ie, *oie;

	/*
	 * NB: Doing this for ap operation could be useful (e.g. for
	 *     WPA and/or WME) except that it typically is worthless
	 *     without being able to intervene when processing
	 *     association response frames--so disallow it for now.
	 */
	if (ic->ic_opmode != IEEE80211_M_STA)
		return EINVAL;
	if (ireq->i_len > IEEE80211_MAX_OPT_IE)
		return EINVAL;
	if (ireq->i_len > 0) {
		MALLOC(ie, void *, ireq->i_len, M_DEVBUF, M_NOWAIT);
		if (ie == NULL)
			return ENOMEM;
		error = copyin(ireq->i_data, ie, ireq->i_len);
		if (error) {
			FREE(ie, M_DEVBUF);
			return error;
		}
	} else {
		ie = NULL;
		ireq->i_len = 0;
	}
	/* XXX sanity check data? */
	oie = ic->ic_opt_ie;
	ic->ic_opt_ie = ie;
	ic->ic_opt_ie_len = ireq->i_len;
	if (oie != NULL)
		FREE(oie, M_DEVBUF);
	return 0;
}

static int
ieee80211_ioctl_setkey(struct ieee80211com *ic, struct ieee80211req *ireq)
{
	struct ieee80211req_key ik;
	struct ieee80211_node *ni;
	struct ieee80211_key *wk;
	u_int16_t kid;
	int error;

	if (ireq->i_len != sizeof(ik))
		return EINVAL;
	error = copyin(ireq->i_data, &ik, sizeof(ik));
	if (error)
		return error;
	/* NB: cipher support is verified by ieee80211_crypt_newkey */
	/* NB: this also checks ik->ik_keylen > sizeof(wk->wk_key) */
	if (ik.ik_keylen > sizeof(ik.ik_keydata))
		return E2BIG;
	kid = ik.ik_keyix;
	if (kid == IEEE80211_KEYIX_NONE) {
		/* XXX unicast keys currently must be tx/rx */
		if (ik.ik_flags != (IEEE80211_KEY_XMIT | IEEE80211_KEY_RECV))
			return EINVAL;
		if (ic->ic_opmode == IEEE80211_M_STA) {
			ni = ieee80211_ref_node(ic->ic_bss);
			if (!IEEE80211_ADDR_EQ(ik.ik_macaddr, ni->ni_bssid)) {
				ieee80211_free_node(ni);
				return EADDRNOTAVAIL;
			}
		} else {
			ni = ieee80211_find_node(&ic->ic_sta, ik.ik_macaddr);
			if (ni == NULL)
				return ENOENT;
		}
		wk = &ni->ni_ucastkey;
	} else {
		if (kid >= IEEE80211_WEP_NKID)
			return EINVAL;
		wk = &ic->ic_nw_keys[kid];
		/*
		 * Global slots start off w/o any assigned key index.
		 * Force one here for consistency with IEEE80211_IOC_WEPKEY.
		 */
		if (wk->wk_keyix == IEEE80211_KEYIX_NONE)
			wk->wk_keyix = kid;
		ni = NULL;
	}
	error = 0;
	ieee80211_key_update_begin(ic);
	if (ieee80211_crypto_newkey(ic, ik.ik_type, ik.ik_flags, wk)) {
		wk->wk_keylen = ik.ik_keylen;
		/* NB: MIC presence is implied by cipher type */
		if (wk->wk_keylen > IEEE80211_KEYBUF_SIZE)
			wk->wk_keylen = IEEE80211_KEYBUF_SIZE;
		wk->wk_keyrsc = ik.ik_keyrsc;
		wk->wk_keytsc = 0;			/* new key, reset */
		memset(wk->wk_key, 0, sizeof(wk->wk_key));
		memcpy(wk->wk_key, ik.ik_keydata, ik.ik_keylen);
		if (!ieee80211_crypto_setkey(ic, wk,
		    ni != NULL ? ni->ni_macaddr : ik.ik_macaddr))
			error = EIO;
		else if ((ik.ik_flags & IEEE80211_KEY_DEFAULT))
			ic->ic_def_txkey = kid;
	} else
		error = ENXIO;
	ieee80211_key_update_end(ic);
	if (ni != NULL)
		ieee80211_free_node(ni);
	return error;
}

static int
ieee80211_ioctl_delkey(struct ieee80211com *ic, struct ieee80211req *ireq)
{
	struct ieee80211req_del_key dk;
	int kid, error;

	if (ireq->i_len != sizeof(dk))
		return EINVAL;
	error = copyin(ireq->i_data, &dk, sizeof(dk));
	if (error)
		return error;
	kid = dk.idk_keyix;
	/* XXX u_int8_t -> u_int16_t */
	if (dk.idk_keyix == (u_int8_t) IEEE80211_KEYIX_NONE) {
		struct ieee80211_node *ni;

		if (ic->ic_opmode == IEEE80211_M_STA) {
			ni = ieee80211_ref_node(ic->ic_bss);
			if (!IEEE80211_ADDR_EQ(dk.idk_macaddr, ni->ni_bssid)) {
				ieee80211_free_node(ni);
				return EADDRNOTAVAIL;
			}
		} else {
			ni = ieee80211_find_node(&ic->ic_sta, dk.idk_macaddr);
			if (ni == NULL)
				return ENOENT;
		}
		/* XXX error return */
		ieee80211_node_delucastkey(ni);
		ieee80211_free_node(ni);
	} else {
		if (kid >= IEEE80211_WEP_NKID)
			return EINVAL;
		/* XXX error return */
		ieee80211_crypto_delkey(ic, &ic->ic_nw_keys[kid]);
	}
	return 0;
}

static void
domlme(void *arg, struct ieee80211_node *ni)
{
	struct ieee80211com *ic = ni->ni_ic;
	struct ieee80211req_mlme *mlme = arg;

	if (ni->ni_associd != 0) {
		IEEE80211_SEND_MGMT(ic, ni,
			mlme->im_op == IEEE80211_MLME_DEAUTH ?
				IEEE80211_FC0_SUBTYPE_DEAUTH :
				IEEE80211_FC0_SUBTYPE_DISASSOC,
			mlme->im_reason);
	}
	ieee80211_node_leave(ic, ni);
}

static int
ieee80211_ioctl_setmlme(struct ieee80211com *ic, struct ieee80211req *ireq)
{
	struct ieee80211req_mlme mlme;
	struct ieee80211_node *ni;
	int error;

	if (ireq->i_len != sizeof(mlme))
		return EINVAL;
	error = copyin(ireq->i_data, &mlme, sizeof(mlme));
	if (error)
		return error;
	switch (mlme.im_op) {
	case IEEE80211_MLME_ASSOC:
		if (ic->ic_opmode != IEEE80211_M_STA)
			return EINVAL;
		/* XXX must be in S_SCAN state? */

		if (mlme.im_ssid_len != 0) {
			/*
			 * Desired ssid specified; must match both bssid and
			 * ssid to distinguish ap advertising multiple ssid's.
			 */
			ni = ieee80211_find_node_with_ssid(&ic->ic_scan,
				mlme.im_macaddr,
				mlme.im_ssid_len, mlme.im_ssid);
		} else {
			/*
			 * Normal case; just match bssid.
			 */
			ni = ieee80211_find_node(&ic->ic_scan, mlme.im_macaddr);
		}
		if (ni == NULL)
			return EINVAL;
		if (!ieee80211_sta_join(ic, ni)) {
			ieee80211_free_node(ni);
			return EINVAL;
		}
		break;
	case IEEE80211_MLME_DISASSOC:
	case IEEE80211_MLME_DEAUTH:
		switch (ic->ic_opmode) {
		case IEEE80211_M_STA:
			/* XXX not quite right */
			ieee80211_new_state(ic, IEEE80211_S_INIT,
				mlme.im_reason);
			break;
		case IEEE80211_M_HOSTAP:
			/* NB: the broadcast address means do 'em all */
			if (!IEEE80211_ADDR_EQ(mlme.im_macaddr, ic->ic_ifp->if_broadcastaddr)) {
				if ((ni = ieee80211_find_node(&ic->ic_sta,
						mlme.im_macaddr)) == NULL)
					return EINVAL;
				domlme(&mlme, ni);
				ieee80211_free_node(ni);
			} else {
				ieee80211_iterate_nodes(&ic->ic_sta,
						domlme, &mlme);
			}
			break;
		default:
			return EINVAL;
		}
		break;
	case IEEE80211_MLME_AUTHORIZE:
	case IEEE80211_MLME_UNAUTHORIZE:
		if (ic->ic_opmode != IEEE80211_M_HOSTAP)
			return EINVAL;
		ni = ieee80211_find_node(&ic->ic_sta, mlme.im_macaddr);
		if (ni == NULL)
			return EINVAL;
		if (mlme.im_op == IEEE80211_MLME_AUTHORIZE)
			ieee80211_node_authorize(ni);
		else
			ieee80211_node_unauthorize(ni);
		ieee80211_free_node(ni);
		break;
	default:
		return EINVAL;
	}
	return 0;
}

static int
ieee80211_ioctl_macmac(struct ieee80211com *ic, struct ieee80211req *ireq)
{
	u_int8_t mac[IEEE80211_ADDR_LEN];
	const struct ieee80211_aclator *acl = ic->ic_acl;
	int error;

	if (ireq->i_len != sizeof(mac))
		return EINVAL;
	error = copyin(ireq->i_data, mac, ireq->i_len);
	if (error)
		return error;
	if (acl == NULL) {
		acl = ieee80211_aclator_get("mac");
		if (acl == NULL || !acl->iac_attach(ic))
			return EINVAL;
		ic->ic_acl = acl;
	}
	if (ireq->i_type == IEEE80211_IOC_ADDMAC)
		acl->iac_add(ic, mac);
	else
		acl->iac_remove(ic, mac);
	return 0;
}

static int
ieee80211_ioctl_setmaccmd(struct ieee80211com *ic, struct ieee80211req *ireq)
{
	const struct ieee80211_aclator *acl = ic->ic_acl;

	switch (ireq->i_val) {
	case IEEE80211_MACCMD_POLICY_OPEN:
	case IEEE80211_MACCMD_POLICY_ALLOW:
	case IEEE80211_MACCMD_POLICY_DENY:
		if (acl == NULL) {
			acl = ieee80211_aclator_get("mac");
			if (acl == NULL || !acl->iac_attach(ic))
				return EINVAL;
			ic->ic_acl = acl;
		}
		acl->iac_setpolicy(ic, ireq->i_val);
		break;
	case IEEE80211_MACCMD_FLUSH:
		if (acl != NULL)
			acl->iac_flush(ic);
		/* NB: silently ignore when not in use */
		break;
	case IEEE80211_MACCMD_DETACH:
		if (acl != NULL) {
			ic->ic_acl = NULL;
			acl->iac_detach(ic);
		}
		break;
	default:
		if (acl == NULL)
			return EINVAL;
		else
			return acl->iac_setioctl(ic, ireq);
	}
	return 0;
}

static int
ieee80211_ioctl_setchanlist(struct ieee80211com *ic, struct ieee80211req *ireq)
{
	struct ieee80211req_chanlist list;
	u_char chanlist[IEEE80211_CHAN_BYTES];
	int i, j, error;

	if (ireq->i_len != sizeof(list))
		return EINVAL;
	error = copyin(ireq->i_data, &list, sizeof(list));
	if (error)
		return error;
	memset(chanlist, 0, sizeof(chanlist));
	/*
	 * Since channel 0 is not available for DS, channel 1
	 * is assigned to LSB on WaveLAN.
	 */
	if (ic->ic_phytype == IEEE80211_T_DS)
		i = 1;
	else
		i = 0;
	for (j = 0; i <= IEEE80211_CHAN_MAX; i++, j++) {
		/*
		 * NB: silently discard unavailable channels so users
		 *     can specify 1-255 to get all available channels.
		 */
		if (isset(list.ic_channels, j) && isset(ic->ic_chan_avail, i))
			setbit(chanlist, i);
	}
	if (ic->ic_ibss_chan == NULL ||
	    isclr(chanlist, ieee80211_chan2ieee(ic, ic->ic_ibss_chan))) {
		for (i = 0; i <= IEEE80211_CHAN_MAX; i++)
			if (isset(chanlist, i)) {
				ic->ic_ibss_chan = &ic->ic_channels[i];
				goto found;
			}
		return EINVAL;			/* no active channels */
found:
		;
	}
	memcpy(ic->ic_chan_active, chanlist, sizeof(ic->ic_chan_active));
	return IS_UP_AUTO(ic) ? ENETRESET : 0;
}

static int
ieee80211_ioctl_setstastats(struct ieee80211com *ic, struct ieee80211req *ireq)
{
	struct ieee80211_node *ni;
	u_int8_t macaddr[IEEE80211_ADDR_LEN];
	int error;

	/*
	 * NB: we could copyin ieee80211req_sta_stats so apps
	 *     could make selective changes but that's overkill;
	 *     just clear all stats for now.
	 */
	if (ireq->i_len < IEEE80211_ADDR_LEN)
		return EINVAL;
	error = copyin(ireq->i_data, macaddr, IEEE80211_ADDR_LEN);
	if (error != 0)
		return error;
	ni = ieee80211_find_node(&ic->ic_sta, macaddr);
	if (ni == NULL)
		return EINVAL;		/* XXX */
	memset(&ni->ni_stats, 0, sizeof(ni->ni_stats));
	ieee80211_free_node(ni);
	return 0;
}

static int
ieee80211_ioctl_setstatxpow(struct ieee80211com *ic, struct ieee80211req *ireq)
{
	struct ieee80211_node *ni;
	struct ieee80211req_sta_txpow txpow;
	int error;

	if (ireq->i_len != sizeof(txpow))
		return EINVAL;
	error = copyin(ireq->i_data, &txpow, sizeof(txpow));
	if (error != 0)
		return error;
	ni = ieee80211_find_node(&ic->ic_sta, txpow.it_macaddr);
	if (ni == NULL)
		return EINVAL;		/* XXX */
	ni->ni_txpower = txpow.it_txpow;
	ieee80211_free_node(ni);
	return error;
}

static int
ieee80211_ioctl_setwmeparam(struct ieee80211com *ic, struct ieee80211req *ireq)
{
	struct ieee80211_wme_state *wme = &ic->ic_wme;
	struct wmeParams *wmep, *chanp;
	int isbss, ac;

	if ((ic->ic_caps & IEEE80211_C_WME) == 0)
		return EINVAL;

	isbss = (ireq->i_len & IEEE80211_WMEPARAM_BSS);
	ac = (ireq->i_len & IEEE80211_WMEPARAM_VAL);
	if (ac >= WME_NUM_AC)
		ac = WME_AC_BE;
	if (isbss) {
		chanp = &wme->wme_bssChanParams.cap_wmeParams[ac];
		wmep = &wme->wme_wmeBssChanParams.cap_wmeParams[ac];
	} else {
		chanp = &wme->wme_chanParams.cap_wmeParams[ac];
		wmep = &wme->wme_wmeChanParams.cap_wmeParams[ac];
	}
	switch (ireq->i_type) {
	case IEEE80211_IOC_WME_CWMIN:		/* WME: CWmin */
		if (isbss) {
			wmep->wmep_logcwmin = ireq->i_val;
			if ((wme->wme_flags & WME_F_AGGRMODE) == 0)
				chanp->wmep_logcwmin = ireq->i_val;
		} else {
			wmep->wmep_logcwmin = chanp->wmep_logcwmin =
				ireq->i_val;
		}
		break;
	case IEEE80211_IOC_WME_CWMAX:		/* WME: CWmax */
		if (isbss) {
			wmep->wmep_logcwmax = ireq->i_val;
			if ((wme->wme_flags & WME_F_AGGRMODE) == 0)
				chanp->wmep_logcwmax = ireq->i_val;
		} else {
			wmep->wmep_logcwmax = chanp->wmep_logcwmax =
				ireq->i_val;
		}
		break;
	case IEEE80211_IOC_WME_AIFS:		/* WME: AIFS */
		if (isbss) {
			wmep->wmep_aifsn = ireq->i_val;
			if ((wme->wme_flags & WME_F_AGGRMODE) == 0)
				chanp->wmep_aifsn = ireq->i_val;
		} else {
			wmep->wmep_aifsn = chanp->wmep_aifsn = ireq->i_val;
		}
		break;
	case IEEE80211_IOC_WME_TXOPLIMIT:	/* WME: txops limit */
		if (isbss) {
			wmep->wmep_txopLimit = ireq->i_val;
			if ((wme->wme_flags & WME_F_AGGRMODE) == 0)
				chanp->wmep_txopLimit = ireq->i_val;
		} else {
			wmep->wmep_txopLimit = chanp->wmep_txopLimit =
				ireq->i_val;
		}
		break;
	case IEEE80211_IOC_WME_ACM:		/* WME: ACM (bss only) */
		wmep->wmep_acm = ireq->i_val;
		if ((wme->wme_flags & WME_F_AGGRMODE) == 0)
			chanp->wmep_acm = ireq->i_val;
		break;
	case IEEE80211_IOC_WME_ACKPOLICY:	/* WME: ACK policy (!bss only)*/
		wmep->wmep_noackPolicy = chanp->wmep_noackPolicy =
			(ireq->i_val) == 0;
		break;
	}
	ieee80211_wme_updateparams(ic);
	return 0;
}

static int
cipher2cap(int cipher)
{
	switch (cipher) {
	case IEEE80211_CIPHER_WEP:	return IEEE80211_C_WEP;
	case IEEE80211_CIPHER_AES_OCB:	return IEEE80211_C_AES;
	case IEEE80211_CIPHER_AES_CCM:	return IEEE80211_C_AES_CCM;
	case IEEE80211_CIPHER_CKIP:	return IEEE80211_C_CKIP;
	case IEEE80211_CIPHER_TKIP:	return IEEE80211_C_TKIP;
	}
	return 0;
}

static int
ieee80211_ioctl_set80211(struct ieee80211com *ic, u_long cmd, struct ieee80211req *ireq)
{
	static const u_int8_t zerobssid[IEEE80211_ADDR_LEN];
	struct ieee80211_rsnparms *rsn = &ic->ic_bss->ni_rsn;
	int error;
	const struct ieee80211_authenticator *auth;
	u_int8_t tmpkey[IEEE80211_KEYBUF_SIZE];
	char tmpssid[IEEE80211_NWID_LEN];
	u_int8_t tmpbssid[IEEE80211_ADDR_LEN];
	struct ieee80211_key *k;
	int j, caps;
	u_int kid;

	error = 0;
	switch (ireq->i_type) {
	case IEEE80211_IOC_SSID:
		if (ireq->i_val != 0 ||
		    ireq->i_len > IEEE80211_NWID_LEN)
			return EINVAL;
		error = copyin(ireq->i_data, tmpssid, ireq->i_len);
		if (error)
			break;
		memset(ic->ic_des_essid, 0, IEEE80211_NWID_LEN);
		ic->ic_des_esslen = ireq->i_len;
		memcpy(ic->ic_des_essid, tmpssid, ireq->i_len);
		error = ENETRESET;
		break;
	case IEEE80211_IOC_WEP:
		switch (ireq->i_val) {
		case IEEE80211_WEP_OFF:
			ic->ic_flags &= ~IEEE80211_F_PRIVACY;
			ic->ic_flags &= ~IEEE80211_F_DROPUNENC;
			break;
		case IEEE80211_WEP_ON:
			ic->ic_flags |= IEEE80211_F_PRIVACY;
			ic->ic_flags |= IEEE80211_F_DROPUNENC;
			break;
		case IEEE80211_WEP_MIXED:
			ic->ic_flags |= IEEE80211_F_PRIVACY;
			ic->ic_flags &= ~IEEE80211_F_DROPUNENC;
			break;
		}
		error = ENETRESET;
		break;
	case IEEE80211_IOC_WEPKEY:
		kid = (u_int) ireq->i_val;
		if (kid >= IEEE80211_WEP_NKID)
			return EINVAL;
		k = &ic->ic_nw_keys[kid];
		if (ireq->i_len == 0) {
			/* zero-len =>'s delete any existing key */
			(void) ieee80211_crypto_delkey(ic, k);
			break;
		}
		if (ireq->i_len > sizeof(tmpkey))
			return EINVAL;
		memset(tmpkey, 0, sizeof(tmpkey));
		error = copyin(ireq->i_data, tmpkey, ireq->i_len);
		if (error)
			break;
		ieee80211_key_update_begin(ic);
		k->wk_keyix = kid;	/* NB: force fixed key id */
		if (ieee80211_crypto_newkey(ic, IEEE80211_CIPHER_WEP,
		    IEEE80211_KEY_XMIT | IEEE80211_KEY_RECV, k)) {
			k->wk_keylen = ireq->i_len;
			memcpy(k->wk_key, tmpkey, sizeof(tmpkey));
			if  (!ieee80211_crypto_setkey(ic, k, ic->ic_myaddr))
				error = EINVAL;
		} else
			error = EINVAL;
		ieee80211_key_update_end(ic);
		if (!error)			/* NB: for compatibility */
			error = ENETRESET;
		break;
	case IEEE80211_IOC_WEPTXKEY:
		kid = (u_int) ireq->i_val;
		if (kid >= IEEE80211_WEP_NKID &&
		    (u_int16_t) kid != IEEE80211_KEYIX_NONE)
			return EINVAL;
		ic->ic_def_txkey = kid;
		error = ENETRESET;	/* push to hardware */
		break;
	case IEEE80211_IOC_AUTHMODE:
		switch (ireq->i_val) {
		case IEEE80211_AUTH_WPA:
		case IEEE80211_AUTH_8021X:	/* 802.1x */
		case IEEE80211_AUTH_OPEN:	/* open */
		case IEEE80211_AUTH_SHARED:	/* shared-key */
		case IEEE80211_AUTH_AUTO:	/* auto */
			auth = ieee80211_authenticator_get(ireq->i_val);
			if (auth == NULL)
				return EINVAL;
			break;
		default:
			return EINVAL;
		}
		switch (ireq->i_val) {
		case IEEE80211_AUTH_WPA:	/* WPA w/ 802.1x */
			ic->ic_flags |= IEEE80211_F_PRIVACY;
			ireq->i_val = IEEE80211_AUTH_8021X;
			break;
		case IEEE80211_AUTH_OPEN:	/* open */
			ic->ic_flags &= ~(IEEE80211_F_WPA|IEEE80211_F_PRIVACY);
			break;
		case IEEE80211_AUTH_SHARED:	/* shared-key */
		case IEEE80211_AUTH_8021X:	/* 802.1x */
			ic->ic_flags &= ~IEEE80211_F_WPA;
			/* both require a key so mark the PRIVACY capability */
			ic->ic_flags |= IEEE80211_F_PRIVACY;
			break;
		case IEEE80211_AUTH_AUTO:	/* auto */
			ic->ic_flags &= ~IEEE80211_F_WPA;
			/* XXX PRIVACY handling? */
			/* XXX what's the right way to do this? */
			break;
		}
		/* NB: authenticator attach/detach happens on state change */
		ic->ic_bss->ni_authmode = ireq->i_val;
		/* XXX mixed/mode/usage? */
		ic->ic_auth = auth;
		error = ENETRESET;
		break;
	case IEEE80211_IOC_CHANNEL:
		/* XXX 0xffff overflows 16-bit signed */
		if (ireq->i_val == 0 ||
		    ireq->i_val == (int16_t) IEEE80211_CHAN_ANY)
			ic->ic_des_chan = IEEE80211_CHAN_ANYC;
		else if ((u_int) ireq->i_val > IEEE80211_CHAN_MAX ||
		    isclr(ic->ic_chan_active, ireq->i_val)) {
			return EINVAL;
		} else
			ic->ic_ibss_chan = ic->ic_des_chan =
				&ic->ic_channels[ireq->i_val];
		switch (ic->ic_state) {
		case IEEE80211_S_INIT:
		case IEEE80211_S_SCAN:
			error = ENETRESET;
			break;
		default:
			/*
			 * If the desired channel has changed (to something
			 * other than any) and we're not already scanning,
			 * then kick the state machine.
			 */
			if (ic->ic_des_chan != IEEE80211_CHAN_ANYC &&
			    ic->ic_bss->ni_chan != ic->ic_des_chan &&
			    (ic->ic_flags & IEEE80211_F_SCAN) == 0)
				error = ENETRESET;
			break;
		}
		if (error == ENETRESET &&
			ic->ic_opmode == IEEE80211_M_MONITOR) {
			if (IS_UP(ic)) {
				/*
				 * Monitor mode can switch directly.
				 */
				if (ic->ic_des_chan != IEEE80211_CHAN_ANYC)
					ic->ic_curchan = ic->ic_des_chan;
				error = ic->ic_reset(ic->ic_ifp);
			} else
				error = 0;
		}
		break;
	case IEEE80211_IOC_POWERSAVE:
		switch (ireq->i_val) {
		case IEEE80211_POWERSAVE_OFF:
			if (ic->ic_flags & IEEE80211_F_PMGTON) {
				ic->ic_flags &= ~IEEE80211_F_PMGTON;
				error = ENETRESET;
			}
			break;
		case IEEE80211_POWERSAVE_ON:
			if ((ic->ic_caps & IEEE80211_C_PMGT) == 0)
				error = EINVAL;
			else if ((ic->ic_flags & IEEE80211_F_PMGTON) == 0) {
				ic->ic_flags |= IEEE80211_F_PMGTON;
				error = ENETRESET;
			}
			break;
		default:
			error = EINVAL;
			break;
		}
		if (error == ENETRESET) {
			/*
			 * Switching in+out of power save mode
			 * should not require a state change.
			 */
			error = IS_UP(ic) ? ic->ic_reset(ic->ic_ifp) : 0;
		}
		break;
	case IEEE80211_IOC_POWERSAVESLEEP:
		if (ireq->i_val < 0)
			return EINVAL;
		ic->ic_lintval = ireq->i_val;
		error = IS_UP(ic) ? ic->ic_reset(ic->ic_ifp) : 0;
		break;
	case IEEE80211_IOC_RTSTHRESHOLD:
		if (!(IEEE80211_RTS_MIN <= ireq->i_val &&
		      ireq->i_val <= IEEE80211_RTS_MAX))
			return EINVAL;
		ic->ic_rtsthreshold = ireq->i_val;
		error = IS_UP(ic) ? ic->ic_reset(ic->ic_ifp) : 0;
		break;
	case IEEE80211_IOC_PROTMODE:
		if (ireq->i_val > IEEE80211_PROT_RTSCTS)
			return EINVAL;
		ic->ic_protmode = ireq->i_val;
		/* NB: if not operating in 11g this can wait */
		if (ic->ic_curmode == IEEE80211_MODE_11G)
			error = IS_UP(ic) ? ic->ic_reset(ic->ic_ifp) : 0;
		break;
	case IEEE80211_IOC_TXPOWER:
		if ((ic->ic_caps & IEEE80211_C_TXPMGT) == 0)
			return EINVAL;
		if (!(IEEE80211_TXPOWER_MIN < ireq->i_val &&
		      ireq->i_val < IEEE80211_TXPOWER_MAX))
			return EINVAL;
		ic->ic_txpowlimit = ireq->i_val;
		error = IS_UP(ic) ? ic->ic_reset(ic->ic_ifp) : 0;
		break;
	case IEEE80211_IOC_ROAMING:
		if (!(IEEE80211_ROAMING_DEVICE <= ireq->i_val &&
		    ireq->i_val <= IEEE80211_ROAMING_MANUAL))
			return EINVAL;
		ic->ic_roaming = ireq->i_val;
		/* XXXX reset? */
		break;
	case IEEE80211_IOC_PRIVACY:
		if (ireq->i_val) {
			/* XXX check for key state? */
			ic->ic_flags |= IEEE80211_F_PRIVACY;
		} else
			ic->ic_flags &= ~IEEE80211_F_PRIVACY;
		break;
	case IEEE80211_IOC_DROPUNENCRYPTED:
		if (ireq->i_val)
			ic->ic_flags |= IEEE80211_F_DROPUNENC;
		else
			ic->ic_flags &= ~IEEE80211_F_DROPUNENC;
		break;
	case IEEE80211_IOC_WPAKEY:
		error = ieee80211_ioctl_setkey(ic, ireq);
		break;
	case IEEE80211_IOC_DELKEY:
		error = ieee80211_ioctl_delkey(ic, ireq);
		break;
	case IEEE80211_IOC_MLME:
		error = ieee80211_ioctl_setmlme(ic, ireq);
		break;
	case IEEE80211_IOC_OPTIE:
		error = ieee80211_ioctl_setoptie(ic, ireq);
		break;
	case IEEE80211_IOC_COUNTERMEASURES:
		if (ireq->i_val) {
			if ((ic->ic_flags & IEEE80211_F_WPA) == 0)
				return EINVAL;
			ic->ic_flags |= IEEE80211_F_COUNTERM;
		} else
			ic->ic_flags &= ~IEEE80211_F_COUNTERM;
		break;
	case IEEE80211_IOC_WPA:
		if (ireq->i_val > 3)
			return EINVAL;
		/* XXX verify ciphers available */
		ic->ic_flags &= ~IEEE80211_F_WPA;
		switch (ireq->i_val) {
		case 1:
			ic->ic_flags |= IEEE80211_F_WPA1;
			break;
		case 2:
			ic->ic_flags |= IEEE80211_F_WPA2;
			break;
		case 3:
			ic->ic_flags |= IEEE80211_F_WPA1 | IEEE80211_F_WPA2;
			break;
		}
		error = ENETRESET;		/* XXX? */
		break;
	case IEEE80211_IOC_WME:
		if (ireq->i_val) {
			if ((ic->ic_caps & IEEE80211_C_WME) == 0)
				return EINVAL;
			ic->ic_flags |= IEEE80211_F_WME;
		} else
			ic->ic_flags &= ~IEEE80211_F_WME;
		error = ENETRESET;		/* XXX maybe not for station? */
		break;
	case IEEE80211_IOC_HIDESSID:
		if (ireq->i_val)
			ic->ic_flags |= IEEE80211_F_HIDESSID;
		else
			ic->ic_flags &= ~IEEE80211_F_HIDESSID;
		error = ENETRESET;
		break;
	case IEEE80211_IOC_APBRIDGE:
		if (ireq->i_val == 0)
			ic->ic_flags |= IEEE80211_F_NOBRIDGE;
		else
			ic->ic_flags &= ~IEEE80211_F_NOBRIDGE;
		break;
	case IEEE80211_IOC_MCASTCIPHER:
		if ((ic->ic_caps & cipher2cap(ireq->i_val)) == 0 &&
		    !ieee80211_crypto_available(ireq->i_val))
			return EINVAL;
		rsn->rsn_mcastcipher = ireq->i_val;
		error = (ic->ic_flags & IEEE80211_F_WPA) ? ENETRESET : 0;
		break;
	case IEEE80211_IOC_MCASTKEYLEN:
		if (!(0 < ireq->i_val && ireq->i_val < IEEE80211_KEYBUF_SIZE))
			return EINVAL;
		/* XXX no way to verify driver capability */
		rsn->rsn_mcastkeylen = ireq->i_val;
		error = (ic->ic_flags & IEEE80211_F_WPA) ? ENETRESET : 0;
		break;
	case IEEE80211_IOC_UCASTCIPHERS:
		/*
		 * Convert user-specified cipher set to the set
		 * we can support (via hardware or software).
		 * NB: this logic intentionally ignores unknown and
		 * unsupported ciphers so folks can specify 0xff or
		 * similar and get all available ciphers.
		 */
		caps = 0;
		for (j = 1; j < 32; j++)	/* NB: skip WEP */
			if ((ireq->i_val & (1<<j)) &&
			    ((ic->ic_caps & cipher2cap(j)) ||
			     ieee80211_crypto_available(j)))
				caps |= 1<<j;
		if (caps == 0)			/* nothing available */
			return EINVAL;
		/* XXX verify ciphers ok for unicast use? */
		/* XXX disallow if running as it'll have no effect */
		rsn->rsn_ucastcipherset = caps;
		error = (ic->ic_flags & IEEE80211_F_WPA) ? ENETRESET : 0;
		break;
	case IEEE80211_IOC_UCASTCIPHER:
		if ((rsn->rsn_ucastcipherset & cipher2cap(ireq->i_val)) == 0)
			return EINVAL;
		rsn->rsn_ucastcipher = ireq->i_val;
		break;
	case IEEE80211_IOC_UCASTKEYLEN:
		if (!(0 < ireq->i_val && ireq->i_val < IEEE80211_KEYBUF_SIZE))
			return EINVAL;
		/* XXX no way to verify driver capability */
		rsn->rsn_ucastkeylen = ireq->i_val;
		break;
	case IEEE80211_IOC_DRIVER_CAPS:
		/* NB: for testing */
		ic->ic_caps = (((u_int16_t) ireq->i_val) << 16) |
			       ((u_int16_t) ireq->i_len);
		break;
	case IEEE80211_IOC_KEYMGTALGS:
		/* XXX check */
		rsn->rsn_keymgmtset = ireq->i_val;
		error = (ic->ic_flags & IEEE80211_F_WPA) ? ENETRESET : 0;
		break;
	case IEEE80211_IOC_RSNCAPS:
		/* XXX check */
		rsn->rsn_caps = ireq->i_val;
		error = (ic->ic_flags & IEEE80211_F_WPA) ? ENETRESET : 0;
		break;
	case IEEE80211_IOC_BSSID:
		if (ireq->i_len != sizeof(tmpbssid))
			return EINVAL;
		error = copyin(ireq->i_data, tmpbssid, ireq->i_len);
		if (error)
			break;
		IEEE80211_ADDR_COPY(ic->ic_des_bssid, tmpbssid);
		if (IEEE80211_ADDR_EQ(ic->ic_des_bssid, zerobssid))
			ic->ic_flags &= ~IEEE80211_F_DESBSSID;
		else
			ic->ic_flags |= IEEE80211_F_DESBSSID;
		error = ENETRESET;
		break;
	case IEEE80211_IOC_CHANLIST:
		error = ieee80211_ioctl_setchanlist(ic, ireq);
		break;
	case IEEE80211_IOC_SCAN_REQ:
		if (ic->ic_opmode == IEEE80211_M_HOSTAP)	/* XXX ignore */
			break;
		error = ieee80211_setupscan(ic, ic->ic_chan_avail);
		if (error == 0)		/* XXX background scan */
			error = ieee80211_new_state(ic, IEEE80211_S_SCAN, -1);
		break;
	case IEEE80211_IOC_ADDMAC:
	case IEEE80211_IOC_DELMAC:
		error = ieee80211_ioctl_macmac(ic, ireq);
		break;
	case IEEE80211_IOC_MACCMD:
		error = ieee80211_ioctl_setmaccmd(ic, ireq);
		break;
	case IEEE80211_IOC_STA_STATS:
		error = ieee80211_ioctl_setstastats(ic, ireq);
		break;
	case IEEE80211_IOC_STA_TXPOW:
		error = ieee80211_ioctl_setstatxpow(ic, ireq);
		break;
	case IEEE80211_IOC_WME_CWMIN:		/* WME: CWmin */
	case IEEE80211_IOC_WME_CWMAX:		/* WME: CWmax */
	case IEEE80211_IOC_WME_AIFS:		/* WME: AIFS */
	case IEEE80211_IOC_WME_TXOPLIMIT:	/* WME: txops limit */
	case IEEE80211_IOC_WME_ACM:		/* WME: ACM (bss only) */
	case IEEE80211_IOC_WME_ACKPOLICY:	/* WME: ACK policy (bss only) */
		error = ieee80211_ioctl_setwmeparam(ic, ireq);
		break;
	case IEEE80211_IOC_DTIM_PERIOD:
		if (ic->ic_opmode != IEEE80211_M_HOSTAP &&
		    ic->ic_opmode != IEEE80211_M_IBSS)
			return EINVAL;
		if (IEEE80211_DTIM_MIN <= ireq->i_val &&
		    ireq->i_val <= IEEE80211_DTIM_MAX) {
			ic->ic_dtim_period = ireq->i_val;
			error = ENETRESET;		/* requires restart */
		} else
			error = EINVAL;
		break;
	case IEEE80211_IOC_BEACON_INTERVAL:
		if (ic->ic_opmode != IEEE80211_M_HOSTAP &&
		    ic->ic_opmode != IEEE80211_M_IBSS)
			return EINVAL;
		if (IEEE80211_BINTVAL_MIN <= ireq->i_val &&
		    ireq->i_val <= IEEE80211_BINTVAL_MAX) {
			ic->ic_bintval = ireq->i_val;
			error = ENETRESET;		/* requires restart */
		} else
			error = EINVAL;
		break;
	case IEEE80211_IOC_PUREG:
		if (ireq->i_val)
			ic->ic_flags |= IEEE80211_F_PUREG;
		else
			ic->ic_flags &= ~IEEE80211_F_PUREG;
		/* NB: reset only if we're operating on an 11g channel */
		if (ic->ic_curmode == IEEE80211_MODE_11G)
			error = ENETRESET;
		break;
	case IEEE80211_IOC_MCAST_RATE:
		ic->ic_mcast_rate = ireq->i_val & IEEE80211_RATE_VAL;
		break;
	case IEEE80211_IOC_FRAGTHRESHOLD:
		if ((ic->ic_caps & IEEE80211_C_TXFRAG) == 0 &&
		    ireq->i_val != IEEE80211_FRAG_MAX)
			return EINVAL;
		if (!(IEEE80211_FRAG_MIN <= ireq->i_val &&
		      ireq->i_val <= IEEE80211_FRAG_MAX))
			return EINVAL;
		ic->ic_fragthreshold = ireq->i_val;
		error = IS_UP(ic) ? ic->ic_reset(ic->ic_ifp) : 0;
		break;
	case IEEE80211_IOC_BURST:
		if (ireq->i_val) {
			if ((ic->ic_caps & IEEE80211_C_BURST) == 0)
				return EINVAL;
			ic->ic_flags |= IEEE80211_F_BURST;
		} else
			ic->ic_flags &= ~IEEE80211_F_BURST;
		error = ENETRESET;		/* XXX maybe not for station? */
		break;
	case IEEE80211_IOC_BMISSTHRESHOLD:
		if (!(IEEE80211_HWBMISS_MIN <= ireq->i_val &&
		      ireq->i_val <= IEEE80211_HWBMISS_MAX))
			return EINVAL;
		ic->ic_bmissthreshold = ireq->i_val;
		error = IS_UP(ic) ? ic->ic_reset(ic->ic_ifp) : 0;
		break;
	default:
		error = EINVAL;
		break;
	}
	if (error == ENETRESET && !IS_UP_AUTO(ic))
		error = 0;
	return error;
}

int
ieee80211_ioctl(struct ieee80211com *ic, u_long cmd, caddr_t data)
{
	struct ifnet *ifp = ic->ic_ifp;
	int error = 0;
	struct ifreq *ifr;
	struct ifaddr *ifa;			/* XXX */

	switch (cmd) {
	case SIOCSIFMEDIA:
	case SIOCGIFMEDIA:
		error = ifmedia_ioctl(ifp, (struct ifreq *) data,
				&ic->ic_media, cmd);
		break;
	case SIOCG80211:
		error = ieee80211_ioctl_get80211(ic, cmd,
				(struct ieee80211req *) data);
		break;
	case SIOCS80211:
		error = priv_check(curthread, PRIV_NET80211_MANAGE);
		if (error == 0)
			error = ieee80211_ioctl_set80211(ic, cmd,
					(struct ieee80211req *) data);
		break;
	case SIOCGIFGENERIC:
		error = ieee80211_cfgget(ic, cmd, data);
		break;
	case SIOCSIFGENERIC:
		error = priv_check(curthread, PRIV_NET80211_MANAGE);
		if (error)
			break;
		error = ieee80211_cfgset(ic, cmd, data);
		break;
	case SIOCG80211STATS:
		ifr = (struct ifreq *)data;
		copyout(&ic->ic_stats, ifr->ifr_data, sizeof (ic->ic_stats));
		break;
	case SIOCSIFMTU:
		ifr = (struct ifreq *)data;
		if (!(IEEE80211_MTU_MIN <= ifr->ifr_mtu &&
		    ifr->ifr_mtu <= IEEE80211_MTU_MAX))
			error = EINVAL;
		else
			ifp->if_mtu = ifr->ifr_mtu;
		break;
	case SIOCSIFADDR:
		/*
		 * XXX Handle this directly so we can supress if_init calls.
		 * XXX This should be done in ether_ioctl but for the moment
		 * XXX there are too many other parts of the system that
		 * XXX set IFF_UP and so supress if_init being called when
		 * XXX it should be.
		 */
		ifa = (struct ifaddr *) data;
		switch (ifa->ifa_addr->sa_family) {
#ifdef INET
		case AF_INET:
			if ((ifp->if_flags & IFF_UP) == 0) {
				ifp->if_flags |= IFF_UP;
				ifp->if_init(ifp->if_softc);
			}
			arp_ifinit(ifp, ifa);
			break;
#endif
#ifdef IPX
		/*
		 * XXX - This code is probably wrong,
		 *	 but has been copied many times.
		 */
		case AF_IPX: {
			struct ipx_addr *ina = &(IA_SIPX(ifa)->sipx_addr);

			if (ipx_nullhost(*ina))
				ina->x_host = *(union ipx_host *)
				    IF_LLADDR(ifp);
			else
				bcopy((caddr_t) ina->x_host.c_host,
				      (caddr_t) IF_LLADDR(ifp),
				      ETHER_ADDR_LEN);
			/* fall thru... */
		}
#endif
		default:
			if ((ifp->if_flags & IFF_UP) == 0) {
				ifp->if_flags |= IFF_UP;
				ifp->if_init(ifp->if_softc);
			}
			break;
		}
		break;
	default:
		error = ether_ioctl(ifp, cmd, data);
		break;
	}
	return error;
}