Drop frames that are received unencrypted when WEP is on or when

WPA is on and RX protection for TA is on.
Keep track of the TX/RX protection for each node when WPA is on.

tested by djm@ (ral+wpa), ckuethe@ (ath-noenc) and krw@ (wpi<->ral+wpa).
hints from bluhm@
has been in snaps for a few days.

pointed out by bluhm@ something like 1 year ago but we did not have
the right infrastructure to fix it properly at that time.

ok deraadt@

1 files changed, 5 insertions, 3 deletions

diff --git a/sys/net80211/ieee80211_output.c b/sys/net80211/ieee80211_output.c
index 7ed7b2b9d00..982d7664143 100644
--- a/sys/net80211/ieee80211_output.c
+++ b/sys/net80211/ieee80211_output.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ieee80211_output.c,v 1.63 2008/07/27 14:21:15 damien Exp $	*/
+/*	$OpenBSD: ieee80211_output.c,v 1.64 2008/08/02 08:20:16 damien Exp $	*/
 /*	$NetBSD: ieee80211_output.c,v 1.13 2004/05/31 11:02:55 dyoung Exp $	*/
 
 /*-
@@ -501,7 +501,8 @@ ieee80211_encap(struct ifnet *ifp, struct mbuf *m, struct ieee80211_node **pni)
 		goto bad;
 	}
 
-	if ((ic->ic_flags & IEEE80211_F_RSNON) && !ni->ni_port_valid &&
+	if ((ic->ic_flags & IEEE80211_F_RSNON) &&
+	    !ni->ni_port_valid &&
 	    eh.ether_type != htons(ETHERTYPE_PAE)) {
 		DPRINTF(("port not valid: %s\n",
 		    ether_sprintf(eh.ether_dhost)));
@@ -581,7 +582,8 @@ ieee80211_encap(struct ifnet *ifp, struct mbuf *m, struct ieee80211_node **pni)
 	}
 
 	if ((ic->ic_flags & IEEE80211_F_WEPON) ||
-	    ((ic->ic_flags & IEEE80211_F_RSNON) && ni->ni_port_valid))
+	    ((ic->ic_flags & IEEE80211_F_RSNON) &&
+	     (ni->ni_flags & IEEE80211_NODE_TXPROT)))
 		wh->i_fc[1] |= IEEE80211_FC1_PROTECTED;
 
 	*pni = ni;