disable the regular ieee80211_encap() Tx path in monitor mode

Frames injected from user space carry the DLT_IEEE802_11_RADIO
mbuf tag, and are handled as a special case. Do not fall back
to regular encapsulation while we are in monitor mode and the
frame injected by userspace is found to be invalid.

This fixes an issue when iwx(4) runs in monitor mode with addresses
configured on the interface and leaving 11n/11ac mode directly for
monitor mode. In this case, traffic generated by userspace or the
kernel (such as ICMPv6) would trigger Tx attempts, which in turn
would trigger an attempt to set up a block ACK agreement and then
cause a firmware panic.

This points at a related issue where interface configuration state
is not properly cleaned up while switching into monitor mode.
The 11n/11ac interface config should ideally be cleared completely,
preventing block ack from being initiated.

But preventing the stack from trying to send frames down the regular
Tx path in monitor mode is a good idea in general because drivers may
not handle this very well for various reasons, block ack being just one.

tested by jmc@ and myself on iwx ax200

with empty body loops, put final semicolon on a new line for readability
ok bluhm@ jca@

Add initial 802.11ac (VHT) support to net80211.

Add VHT capability and operation IE definitions to ieee80211.h.
Introduce channel flags to identify 80MHz and 160MHz capable channels.

Parse VHT IEs in beacons, announce the driver's VHT capabilities in
probe requests and assoc requests, and hop into 11ac mode after
association to the AP if possible.

Enable VHT by default if the driver announces support for it.

ok claudio@

rename ETHERTYPE_PAE to ETHERTYPE_EAPOL.

everyone else seems to use ETHERTYPE_EAPOL, and as a bonus it also
appears to be more correct.

ok deraadt@ stsp@

Improve debug output when sending 802.11 action frames by showing the
action frame subtypes we care about (i.e. those related to 11n block ack).

ok mpi@

In hostap mode don't send data frames to nodes which aren't in state ASSOC.

Sending data frames to nodes in other states is wrong since the node's
data structure might not be set up properly in such states.
This could explain occasional "key unset for sw crypto" panics observed
with athn(4) hostap interfaces.

Problem reported and fix tested by Mikolaj Kucharski.

spelling

ok gnezdo@ semarie@ mpi@

Fix 802.11 RSN capabilities announced to peers.

We were echoing back all RSN capabilities announced by our peer, even
for features which we don't support.
One such feature is Management Frame Protection (MFP). If we announce this
capability then the peer sends us encrypted management frames which won't
be processed. One symptom of this is that we fail to negotiate block ack
with APs that support MFP.

Only echo the RSN capabilities which we support, i.e. key replay counters.
Handle MFP and PBAR bits here as done elsewhere. Neither of these features
is enabled yet at run-time. As far as I can tell, the remaining RSN caps are
not supported by drivers (e.g. SPP A-MPDU) or won't be supported (outdated
WEP->TKIP transition support). The corresponding bits should always be clear.

Problem with 0 input block ack sessions found by sthen@ and robert@
Fix tested by sthen@, robert@, phessler@, and kmos@

ok phessler@ kmos@

Revert previous; Set the ESS capability bit in assoc requests again.

Association to some access points breaks without the ESS capability bit.
Apparently I misunderstood something.

Reported by krw@ and tb@

Do not set the 802.11 ESS capability bit in association requests.

The ESS capability bit should be set if the transmitter is an AP.
Association requests are sent by clients.

ok jca@

Properly wrap 802.11 frame sequence numbers when incrementing them.

ok tb@ tobhe@ mpi@

Do not send any QoS data frames unless Tx aggregation has been negotiated.

Actual QoS support could be added to net80211 in the future, but for now we
only use QoS frames for A-MPDU aggregation. Without QoS support, sending
non-aggregated QoS frames does not actually buy us anything and makes it
harder to look at packet captures and tell whether frames sent by an OpenBSD
machine were in fact aggregated or not.

Tested on iwn(4) by jmc@, paco@, bket@, paco@, and Lauri Tirkkonen

Fix an mbuf corruption issue which occurs in net80211 hostap mode.

When sizing a memory allocation for a probe response frame, the AP used
the SSID length stored in the node structure which represents the client,
but used the actual length of the SSID when copying it into the frame.

If the actual length is sufficiently large this will result in corruption
of an adjacent mbuf on the free list since m->m_next will be overwritten
with data written to the tail of the probe response frame.

Bad things happen later on when the adjacent mbuf is used. Sometimes
the corruption is detected by mbufpl's use-after-free checking, at
other times we end up crashing somewhere in the network stack.

To prevent such a mistake from occuring again I am removing the 'ni'
argument from ieee80211_get_probe_resp() altogether. It is not needed.

A quick workaround is to configure a short SSID.

Debugged with help from claudio, kettenis, and dlg.

ok claudio

Add support for 802.11n Tx aggregation to net80211 and the iwn(4) driver.

In particular, add Tx block ack session management to net80211, with
enough funcionality to support Tx aggregation on devices which perform
A-MPDU subframe scheduling in firmware.
Make use of the iwn(4) firmware Tx scheduler to build A-MPDUs.

net80211's QoS support code is now enabled and used by Tx aggregation.

A-MSDU frames inside A-MPDUs have been tested and work in principle.
For now, this feature is disabled because unfair TCP connection sharing
was observed during testing, where bursts of TCP Ack frames for a single
tcpbench(1) connection arriving in A-MSDUs made other TCP connections stall.
Switch off support for A-MSDUs inside A-MPDUs on the Rx side as well.

Tested on iwn chipsets 1000, 4965, 5100, 5300, 2200, 6200, 6205, 6300
(committed version of tested diff has all debug printfs removed)
tests/ok benno kmos mlarkin kevlo

Fix 'ifconfig nwflags; These flags ended up overlapping with other flags
in ieee80211com's ic_flags because we haven't been paying attention to
them (they're not in the same place in the code and hence easy to miss).
Move them to a dedicated variable to avoid this problem in the future.

Add a new 'stayauth' nwflag which can be set to let net80211 ignore
deauth frames. This can be useful when deauth frames are being
persistently spoofed by an attacker. Idea from beck@

ok beck@ phessler@

On the transmit path the ethernet and ip headers might not be
in contiguous memory. Taking the pointer to the data and simply
looking at the IP header by adding an offset can lead to an out-
of-bounds access. Make the ieee80211 classify function copy the
ethernet and ip header into stack variables to fix it.

Fixes a panic for florian@
Discussed with claudio@
ok stsp@

MH_ALIGN -> m_align and make the spacing look the same in all three places.
OK bluhm@

My previous commit broke the ramdisk build; fix it

Stop printing debug info about stations leaving a wifi network when
we aren't running in hostap or ibss mode.

Omit the PMKID count field from RSN information elements (IE) if the PMKID
list has zero elements and PMKID would be the last field in the RSN IE.

This is correct as per 802.11-2012 8.4.2.27.1 and aligns net80211 code with
behaviour of bwfm(4) firmware, unblocking further progress in that driver.

ok patrick@ phessler@

Make ieee80211_classify() available in a header so we can make the
priority visible to underlying bus protocols like bwfm(4)'s bcdc.

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@

In a comment inside ieee80211_up_to_ac(), update a reference section
number from the 802.11-2007 standard to the 802.11-2012 standard.

When telling clients which EDCA parameters to use, copy these parameters
from the client parameter set, rather than from the AP parameter set.
ok mpi@

Enable ieee80211_edca_table, which was under #if 0. This table can be used
by drivers to pass default EDCA parameters to firmware instead of passing
local hardcoded values.
ok millert@

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@

When acting as 11n hostap, send Microsoft WME parameters to clients so
that Linux clients will decide to use 11n mode.
ok phessler@

Fix ieee80211_add_htop(), which is not yet called in active code paths.
It was creating a corrupt beacon element by ommitting one byte.
Fix this and fill the element with actual data from the ic_bss node instead
of filling it with zeroes, allowing future 11n hostap to announce the current
HT protection mode correctly.

Call if_enqueue() and if_start() instead of dereferencing the ifp
pointers.

These functions have been introduced to abstract some of the MP-
safeness^Wmadness and should be use everywhere.

Prodded by a comment from jsg@.

ok mikeb@, stsp@

Define EDCA tables for 11n mode. Per 802.11-2012 they are the same as
the tables for 11a/11g modes.
Add a function to append a Microsoft WME parameter element to a frame,
using EDCA tables to construct the parameter records. Some 11n AP's I have
observed provide this element.

None of this code is used yet, so no functional change. I wrote this while
debugging BlockAck and then realized it was only needed for hostap mode.
Once we support 11n in hostap mode and send A-MPDUs, this code will be needed.

Store ADDBA request and response parameters in the block ack record of
ieee80211_node. This way, we can keep track of the ACK policy and echo
it back to the AP as required by the standard. And use the correct bit
flag for the policy -- this code was confused between BlockAck and ADDBA,
both of which have a policy bit but in different places.

Fixes apple airport APs.

tested by tb@, krw@, sthen@, abieber@, and Henrik Friedrichsen

Fix the timeout value sent in ADDBA request and response frames.
ba_timeout_val is in usec so we must divide by TU when copying it to the frame.
ok kettenis@ millert@

Remove wireless turbo mode support. It is a non-standard extension
which only worked with ath(4) devices from a decade ago.
Diff tested on ath(4) hardware by me to verify that 11a/b modes still work.
ok reyk deraadt chris sthen kettenis

Initialize the A-MPDU parameters field in HT capability elements.
ok kettenis@

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@

Fix another case where the return value of ieee80211_chan2mode() was
used for indexing something other than ic_sup_rates. Should have been
part of earlier commit.

ADDBA frames have a parameter set which we check against our own capabilities
but we were checking bits in these parameters with the wrong set of bitmasks.
Negotiating A-MPDUs with some APs failed because of this bug.
ok kettenis@

11n/HT negotiation fixes:

Some APs will not negotiate HT if the vendor-specific WME info
element is missing in probe and association requests, so add one.

Fix the wrong flag (NODE_HT) being checked to determine whether 11n
related elements should be included in management frames. If 11n mode
is enabled (F_HTON flag) we can always include 11n related elements
in management frames.

ok mpi@

No need to include <net/if_types.h> for <net/if_vlan_var.h>

Declare 802.11n mode and channel flags. Tweak 11n related fields in struct
ieee80211com and move them inside #ifndef IEEE80211_NO_HT without breaking
the build in rsu(4) for RAMDISK_CD.
Also declare 11n protection modes and MCS count.
ok deraadt mpi kettenis guenther

Update section and table numbers inside comments in the RSN code to
the 802.11-2012 standard.
ok mpi@

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@

m_freem() can handle NULL, do not check for this condition beforehands.
ok stsp mpi

Rename if_output() into if_enqueue() to avoid confusion with comments
talking about (*ifp->if_output)().

ok claudio@, dlg@

Use if_output() instead of rerolling it.

ok stsp@

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@

unifdef some more INET. v4 4life.

remove uneeded proc.h includes
ok mpi@ kspillner@

Fewer <netinet/in_systm.h> !

Stop abusing the rcvif pointer to pass wireless nodes down to the
driver start routines. Instead add & use a pointer in the pkthdr
since we don't want the overhead of using a mbuf_tags(9).

claudio@ pointed out that other subsystems might want to use this
pointer too, so here's a new cookie!

ok claudio@, mikeb@, deraadt@

#if 0 out the ieee80211_edca_table table to appease the LLVM warning.

ieee80211_output.c:311:5: error: unused variable 'ieee80211_edca_table' [-Werror,-Wunused-const-variable]

ok stsp@

use the correct block ack structure when building an ADDBA response.

fix prev commit (s/ic_flags/ic_caps/).

from dhill@

prevent injection of raw 802.11 control frames through bpf on drivers
that do not explicitly state this capability (using flag IEEE80211_C_RAWCTL).
also, perform all the sanity checks on injected raw 802.11 frames earlier
(in ieee80211_output instead of ieee80211_encap).

prevent kernel panics with many drivers when running aircrack-ng.
when/if all drivers are capable, we can remove this C_RAWCTL flag.

sync with 802.11w draft 8.0.
the SA Query Transaction Identifier field is now a 16-bit non-negative
counter value instead of a 128-bit random value.

Fix setting of the Short Slot Time subfield of the Capability Information
field in (Re)Association Requests.
This fixes association with APs refusing non-short-slot-time capable STAs.
This should also prevent the AP we're associating with to disable the use
of short slot time in the BSS as we join.
Fix debug message in recv_assoc_resp() while I'm here (s/reason/status/).
Scary.

Thanks to Adam Emanuel for spotting this.

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.

remove ni_ba field from ieee80211_node structure as it is not used yet.
this reduces memory footprint and avoids a stack usage warning in
ieee80211_find_node() that breaks amd64 build.

pointed out by landry@

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occured in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.

cleanup ieee80211_classify(): retrieve VLAN tag from m_pkthdr.ether_vtag.

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successfull 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.

Add some inline functions to test the presence of optional 802.11
header fields (Sequence Control, Address 4, QoS Control, +HTC) and
use them where appropriate.

Add ieee80211_get_qos() inline function to extract the QoS control
field of an 802.11 header instead of duplicating the same scary
code everywhere (the location of this field depends on the presence
of an Address 4 field).

Export ieee80211_up_to_ac() so that drivers can select the access
category to use based on the TID subfield of the QoS Control field.

Define more QoS-related bits for the RSN Capabilities field of RSN IE
(will be used later).

third parameter of ieee80211_get_assoc_req() is a management frame
subtype, not a boolean indicating assoc or reassoc.
rename the parameter and use if (type == IEEE80211_FC0_SUBTYPE_REASSOC_REQ)
instead of if (reassoc).
it worked only because IEEE80211_FC0_SUBTYPE_ASSOC_REQ is equal to 0.

add ic_tid_noack bitmap to indicate a per-TID ACK policy (1=no ack,
0=normal ack). all bits are currently set to 0.
use this bitmap to set the ACK policy of the QoS control field of
outgoing QoS frames.

extend ieee80211_classify() to extract DSCP field from IPv6 packets too.

rework previously unused ieee80211_pwrsave() function, call it from
ieee80211_mgmt_output() and ieee80211_encap().
use new IEEE80211_C_APPMGT capability flag where appropriate.
rename ic_tim_mcast to ic_tim_mcast_pending.

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.

use LLC_SNAPFRAMELEN here too.

add the code to encrypt/decrypt management frames, retrieve key id
from MMIE etc...
this code can't be triggered as no drivers claim MFP capability yet.

new SHA-256 based AKMPs.

add/process group integrity cipher suite in RSN IEs.
add support for MFP negotiation during association.

add IEEE80211_RSNIE_MAXLEN and IEEE80211_WPAIE_MAXLEN definitions
instead of hard-coding values.
for RSN IE, request space for Group Integrity Cipher Suite.

do not use IEEE80211_QOS_TID. its definition in ieee80211.h is
wrong. hard-code 0xf for now. will be fixed post-release.

do not touch m after it has been enqueued with IFQ_ENQUEUE().
copy m_pkthdr.len and m_flags before and use that after to update
the statistics.

from altq(4) man page and for consistency with what is done in
other parts of the tree.

Drop frames that are received unencrypted when WEP is on or when
WPA is on and RX protection for TA is on.
Keep track of the TX/RX protection for each node when WPA is on.

tested by djm@ (ral+wpa), ckuethe@ (ath-noenc) and krw@ (wpi<->ral+wpa).
hints from bluhm@
has been in snaps for a few days.

pointed out by bluhm@ something like 1 year ago but we did not have
the right infrastructure to fix it properly at that time.

ok deraadt@

s/IEEE80211_DPRINTF/DPRINTF/
automatically prepend __func__ to output.

deobfuscates debug messages a bit.
no binary change unless compiled with IEEE80211_DEBUG.

Fix a blatant misuse of MINCLSIZE I introduced in ieee80211_output.c r1.59
The bug was added on 04/16 but it started to show up only after 06/12 when
the value of MINCLSIZE was changed to something different from MHLEN + 1.

Thanks to dlg@ and giovanni (qgiovanni at gmail dot com) for putting me
on the right track.

Tested by giovanni.
Should fix system/5881 too.

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.

move processing of EAPOL frames away from ieee80211_{input,output}.c

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@

rework ieee80211_recv_4way_msg2() function.
add some RSNA authenticator state machine bits.

Checking the MIC early in ieee80211_recv_eapol() does not work for
message 2/4 of the 4-way handshake because the authenticator must
derive the PTK first (the MIC is computed using the KCK).
Move calls to ieee80211_eapol_key_check_mic() - and as a consequence
ieee80211_eapol_key_decrypt() - directly in the
ieee80211_recv_{group,4way}_msg*() functions.
Unconstify the first parameter since checking the MIC modifies the
frame. Remove ni->ni_ptk_ok field while i'm here.

- add k_rxmic and k_txmic fields to struct ieee80211_key to store the
Tx/Rx MIC for TKIP.
- add two functions to map a PTK and a GTK to an IEEE 802.11 key and
use them in ieee80211_input.c instead of duplicating the same code.
properly set Tx/Rx MIC in the IEEE 802.11 key in the case of TKIP.
- add ic_psk to struct ieee80211com to store the pre-shared key.
- fix setting of the SECURE bit in outgoing EAPOL-Key frames.
- when receiving msg 2 of the 4-way handshake, deauthenticate the
station if the RSN IE does not match that of the (Re)Association
request.
- before parsing an RSN or WPA IE, check that there's enough room for
the version field (2 bytes) which is mandatory.
- various tweaks while i'm here.

Fix the length calculation of the TIM bitmask in ieee80211_add_tim().
Even no bit was set we copied the full 225bytes bitmaks into the beacon.
Found the hard way with acx(4) by mglocker@ and myself.
OK mglocker@ damien@

add a ni_eapol_desc field to struct ieee80211_node to know whether
a station is using WPA1 or RSN descriptors.
make sure that a station that advertises WPA1 capability in an IE
uses the WPA1 EAPOL-Key descriptor type and not the RSN one.
fix construction of EAPOL-Key frames for WPA1.
i can now successfuly complete a 4-way and group-key handshake
with both a WPA1 and a WPA2 access point.
add some TKIP encapsulation code (no SW crypto yet).

ok deraadt@

set key length field in message 1 & 3 of the 4-way handshake.

pass the supplicant's nonce generated on reception of message 1 of the
4-way handshake to ieee80211_send_4way_msg2().

fix parsing and construction of RSN/WPA IEs.

the EAPOL-Key MIC must be computed with the MIC bit set.
this simplifies ieee80211_eapol_key_mic() and ieee80211_eapol_key_check_mic()
quite a bit.
set the EAPOL-Key body length before computing the MIC since the MIC is
computed with the 802.1X header too.
add a missing htons() while i'm here.

cipher suite type for CCMP is 4 not 3.

adds functions to parse and to build EAPOL-Key frames used in
the 4-way and group-key handshake.
the state machine is still missing though so this is not used
anywhere yet.

update QoS Tx/Rx sequence numbers for each TID.
add a parameter to ieee80211_decap() to handle different 802.11
header sizes.
cleanup and clarify ieee80211_classify().

do not increment ic_stats.is_tx_nombuf in ieee80211_get_rts() and
ieee80211_get_cts_to_self() if mbuf allocation fails.

cleanup the computation of mgmt frames sizes.
still very ugly but hopefully correct.

remove remaining bits for pre-RSNA shared authmode support.
it has been #if 0'd since 3.9 and we have never supported this mode (no
ifconfig option etc...).

always set the IEEE80211_CAPINFO_ESS bit in association requests.
fixes my 1.36 commit (the bit should not be set for non-AP STA
only in Probe Responses and Beacons).

move the logic of determining whether an extended supported rates IE is
needed or not to the callers (instead of doing nothing in add_xrates).

split ieee80211_add_rsn() so that the code can be reused for
vendor-specific IE.

allow USEGROUP as the pairwise cipher for RSN IE.
add RSN IE to beacons, probe responses and (re)association requests.

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.

add a function that builds an RSN IE (ieee80211_add_rsn).

move construction of IEs into individual functions so that we don't
duplicate the same code multiple times.
add references to the spec for all these functions.
fixes beacon_alloc() for FH PHYs as a side-effect.

don't set the IEEE80211_CAPINFO_ESS bit in the Capability Information
field if we're not operating as an AP (see 7.3.1.4).

no TIM in probe reponses.

In ieee80211_getmbuf(), if we need to allocate a mbuf cluster because
the length is greater than MHLEN, test that the allocation succeeded.
Otherwise, free the mbuf header and return NULL.
Callers assume that if the function returns a value != NULL then
enough space has been allocated.

fix SSID IE in the case where HIDENWID is used.
HIDENWID has been broken from the very beginning.

initial bits for proper TIM support.

split ieee80211_send_mgmt() like I did for ieee80211_recv_mgmt()

add EDCA Parameter Set and QoS capability IEs to appropriate frames
when QoS is supported and activated.

add two new functions:

ieee80211_up_to_ac(): returns the access category to be used for
transmitting a frame with a given user priority.

ieee80211_classify(): returns the user-priority of an mbuf based
on VLAN 802.1D user-priority (if any) or IP TOS precedence field.

indent prototypes and add myself to the copyright list while i'm here.

don't mix u_int{8,16,32}_t and uint{8,16,32}_t
use u_int{8,16,32}_t everywhere.

de-static

ok jsg@

adds 802.11e EDCA tables for QAPs and non-AP QSTAs.
not used yet.

ok jsg@ deraadt@

move ieee80211_compute_duration() and ieee80211_compute_duration1()
functions into the two drivers that use them (atw and rtw.)
this code is not generic enough to be used by other drivers and
there is no chance that it will ever be used in newer driver since
it supports 802.11b only.
plus, it hurts my eyes each time i look into ieee80211_output.c.

"fine with me as long as the logic doesn't change in the functions" jsg@

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@

print the phy mode in IFF_DEBUG status output which helps to debug
dual/multi mode chipset operation.

ok jsg@

Add two new functions:
- ieee80211_get_rts
- ieee80211_get_cts_to_self
that can be use by drivers for chipsets that don't offer hardware assisted
RTS/CTS protection (like ral/ural/rum).

"no objections here" jsg@

add the net80211 hostap options "nwflag hidenwid" for hidden SSID mode
and "nwflag nobridge" to prevent inter-station communications.
"hidenwid" will also work with wi(4) to replace the old -E 3 option of
wicontrol.

ok damien@ jmc@

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@

account for the size of a 802.11 header in ieee80211_getmbuf().
fix some typos while i'm here.

ok reyk@ brad@

use ieee80211_add_ssid() in ieee80211_beacon_alloc() and wpi(4) instead
of duplicating the code.

last commit was ok reyk@

- export ieee80211_add_ssid() just like ieee80211_add_(x)rates() so I don't
need to duplicate the code in wpi(4)
- fix ieee80211_alloc_beacon()
- clean two comments while i'm here

With the exception of two other small uncommited diffs this moves
the remainder of the network stack from splimp to splnet.

ok miod@

Fix kernel builds without bpfilter. Linking is still broken.

"Please commit this diff ASAP" brad@

Disable shared key mode until we have a way for the user to specify
that they explicitly want it. What we have currently doesn't seem
to work anyway. Add support for specifying a status type when
sending managemnent frames; adapted from FreeBSD. OK jsg@

mostly knf

ok jsg@

Remove the last of the FreeBSD compatiblity goop.
ok reyk@

Remove FreeBSD if_printf compat function from net80211.
ok reyk@

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@

send raw 802.11 frames with bpf(4) using the IEEE802_11 or
IEEE802_11_RADIO data link types.

ok canacar@ damien@

Make sure we associate an interface with the m_pkthdr in
ieee80211_beacon_alloc.
ok damien@ reyk@

addtion of a generic function for allocating beacons: ieee80211_beacon_alloc().
ok jsg@, reyk@, dlg@

Fix a problem introduced with the recent lru cache change.
Check that we actually have a node before trying to release it.
This was causing a panic when playing with IBSS. ok reyk@

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@

Sync with recent NetBSD ieee80211_compute_duration() changes.

From dyoung@NetBSD:

ieee80211.h r 1.9

#define the difference in microseconds between a fast and a slow
preamble and PLCP header.

ieee80211_output.c r 1.19

Fix a bug in ieee80211_compute_duration: the 802.11 Duration field
in an 802.11 unicast data packet is equal to the duration of the
SIFS and Acknowledgement. That is, the amount of time reserved
*after* the packet has finished transmitting.

Change the arguments to ieee80211_compute_duration: pass the entire
packet length, not just the payload length. Add a 'debug' argument
to ieee80211_compute_duration and its helper subroutine,
ieee80211_compute_duration1.

If debug != 0, ieee80211_compute_duration printfs its arguments
and several local variables.

In rtw(4), load the 802.11 Duration field with the result from
ieee80211_compute_duration.

From dyoung@NetBSD:

Define for more bits in the Service field of the 802.11 PLCP Header.

For use by the subroutine ieee80211_compute_duration, add struct
ieee80211_duration, and #define a number of microsecond constants
used for the transmit timing of 802.11 packets.

Add the subroutine ieee80211_compute_duration, which computes for
any packet the appropriate 802.11 Duration field, the PLCP Length
field, as well as the Duration and Length fields for an RTS frame.

atw(4), rtw(4), future drivers, and possibly ath(4) will share
ieee80211_compute_duration.

ok millert@

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.

with empty body loops, put final semicolon on a new line for readability
ok bluhm@ jca@

Add initial 802.11ac (VHT) support to net80211.

Add VHT capability and operation IE definitions to ieee80211.h.
Introduce channel flags to identify 80MHz and 160MHz capable channels.

Parse VHT IEs in beacons, announce the driver's VHT capabilities in
probe requests and assoc requests, and hop into 11ac mode after
association to the AP if possible.

Enable VHT by default if the driver announces support for it.

ok claudio@

rename ETHERTYPE_PAE to ETHERTYPE_EAPOL.

everyone else seems to use ETHERTYPE_EAPOL, and as a bonus it also
appears to be more correct.

ok deraadt@ stsp@

Improve debug output when sending 802.11 action frames by showing the
action frame subtypes we care about (i.e. those related to 11n block ack).

ok mpi@

In hostap mode don't send data frames to nodes which aren't in state ASSOC.

Sending data frames to nodes in other states is wrong since the node's
data structure might not be set up properly in such states.
This could explain occasional "key unset for sw crypto" panics observed
with athn(4) hostap interfaces.

Problem reported and fix tested by Mikolaj Kucharski.

spelling

ok gnezdo@ semarie@ mpi@

Fix 802.11 RSN capabilities announced to peers.

We were echoing back all RSN capabilities announced by our peer, even
for features which we don't support.
One such feature is Management Frame Protection (MFP). If we announce this
capability then the peer sends us encrypted management frames which won't
be processed. One symptom of this is that we fail to negotiate block ack
with APs that support MFP.

Only echo the RSN capabilities which we support, i.e. key replay counters.
Handle MFP and PBAR bits here as done elsewhere. Neither of these features
is enabled yet at run-time. As far as I can tell, the remaining RSN caps are
not supported by drivers (e.g. SPP A-MPDU) or won't be supported (outdated
WEP->TKIP transition support). The corresponding bits should always be clear.

Problem with 0 input block ack sessions found by sthen@ and robert@
Fix tested by sthen@, robert@, phessler@, and kmos@

ok phessler@ kmos@

Revert previous; Set the ESS capability bit in assoc requests again.

Association to some access points breaks without the ESS capability bit.
Apparently I misunderstood something.

Reported by krw@ and tb@

Do not set the 802.11 ESS capability bit in association requests.

The ESS capability bit should be set if the transmitter is an AP.
Association requests are sent by clients.

ok jca@

Properly wrap 802.11 frame sequence numbers when incrementing them.

ok tb@ tobhe@ mpi@

Do not send any QoS data frames unless Tx aggregation has been negotiated.

Actual QoS support could be added to net80211 in the future, but for now we
only use QoS frames for A-MPDU aggregation. Without QoS support, sending
non-aggregated QoS frames does not actually buy us anything and makes it
harder to look at packet captures and tell whether frames sent by an OpenBSD
machine were in fact aggregated or not.

Tested on iwn(4) by jmc@, paco@, bket@, paco@, and Lauri Tirkkonen

Fix an mbuf corruption issue which occurs in net80211 hostap mode.

When sizing a memory allocation for a probe response frame, the AP used
the SSID length stored in the node structure which represents the client,
but used the actual length of the SSID when copying it into the frame.

If the actual length is sufficiently large this will result in corruption
of an adjacent mbuf on the free list since m->m_next will be overwritten
with data written to the tail of the probe response frame.

Bad things happen later on when the adjacent mbuf is used. Sometimes
the corruption is detected by mbufpl's use-after-free checking, at
other times we end up crashing somewhere in the network stack.

To prevent such a mistake from occuring again I am removing the 'ni'
argument from ieee80211_get_probe_resp() altogether. It is not needed.

A quick workaround is to configure a short SSID.

Debugged with help from claudio, kettenis, and dlg.

ok claudio

Add support for 802.11n Tx aggregation to net80211 and the iwn(4) driver.

In particular, add Tx block ack session management to net80211, with
enough funcionality to support Tx aggregation on devices which perform
A-MPDU subframe scheduling in firmware.
Make use of the iwn(4) firmware Tx scheduler to build A-MPDUs.

net80211's QoS support code is now enabled and used by Tx aggregation.

A-MSDU frames inside A-MPDUs have been tested and work in principle.
For now, this feature is disabled because unfair TCP connection sharing
was observed during testing, where bursts of TCP Ack frames for a single
tcpbench(1) connection arriving in A-MSDUs made other TCP connections stall.
Switch off support for A-MSDUs inside A-MPDUs on the Rx side as well.

Tested on iwn chipsets 1000, 4965, 5100, 5300, 2200, 6200, 6205, 6300
(committed version of tested diff has all debug printfs removed)
tests/ok benno kmos mlarkin kevlo

Fix 'ifconfig nwflags; These flags ended up overlapping with other flags
in ieee80211com's ic_flags because we haven't been paying attention to
them (they're not in the same place in the code and hence easy to miss).
Move them to a dedicated variable to avoid this problem in the future.

Add a new 'stayauth' nwflag which can be set to let net80211 ignore
deauth frames. This can be useful when deauth frames are being
persistently spoofed by an attacker. Idea from beck@

ok beck@ phessler@

On the transmit path the ethernet and ip headers might not be
in contiguous memory. Taking the pointer to the data and simply
looking at the IP header by adding an offset can lead to an out-
of-bounds access. Make the ieee80211 classify function copy the
ethernet and ip header into stack variables to fix it.

Fixes a panic for florian@
Discussed with claudio@
ok stsp@

MH_ALIGN -> m_align and make the spacing look the same in all three places.
OK bluhm@

My previous commit broke the ramdisk build; fix it

Stop printing debug info about stations leaving a wifi network when
we aren't running in hostap or ibss mode.

Omit the PMKID count field from RSN information elements (IE) if the PMKID
list has zero elements and PMKID would be the last field in the RSN IE.

This is correct as per 802.11-2012 8.4.2.27.1 and aligns net80211 code with
behaviour of bwfm(4) firmware, unblocking further progress in that driver.

ok patrick@ phessler@

Make ieee80211_classify() available in a header so we can make the
priority visible to underlying bus protocols like bwfm(4)'s bcdc.

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@

In a comment inside ieee80211_up_to_ac(), update a reference section
number from the 802.11-2007 standard to the 802.11-2012 standard.

When telling clients which EDCA parameters to use, copy these parameters
from the client parameter set, rather than from the AP parameter set.
ok mpi@

Enable ieee80211_edca_table, which was under #if 0. This table can be used
by drivers to pass default EDCA parameters to firmware instead of passing
local hardcoded values.
ok millert@

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@

When acting as 11n hostap, send Microsoft WME parameters to clients so
that Linux clients will decide to use 11n mode.
ok phessler@

Fix ieee80211_add_htop(), which is not yet called in active code paths.
It was creating a corrupt beacon element by ommitting one byte.
Fix this and fill the element with actual data from the ic_bss node instead
of filling it with zeroes, allowing future 11n hostap to announce the current
HT protection mode correctly.

Call if_enqueue() and if_start() instead of dereferencing the ifp
pointers.

These functions have been introduced to abstract some of the MP-
safeness^Wmadness and should be use everywhere.

Prodded by a comment from jsg@.

ok mikeb@, stsp@

Define EDCA tables for 11n mode. Per 802.11-2012 they are the same as
the tables for 11a/11g modes.
Add a function to append a Microsoft WME parameter element to a frame,
using EDCA tables to construct the parameter records. Some 11n AP's I have
observed provide this element.

None of this code is used yet, so no functional change. I wrote this while
debugging BlockAck and then realized it was only needed for hostap mode.
Once we support 11n in hostap mode and send A-MPDUs, this code will be needed.

Store ADDBA request and response parameters in the block ack record of
ieee80211_node. This way, we can keep track of the ACK policy and echo
it back to the AP as required by the standard. And use the correct bit
flag for the policy -- this code was confused between BlockAck and ADDBA,
both of which have a policy bit but in different places.

Fixes apple airport APs.

tested by tb@, krw@, sthen@, abieber@, and Henrik Friedrichsen

Fix the timeout value sent in ADDBA request and response frames.
ba_timeout_val is in usec so we must divide by TU when copying it to the frame.
ok kettenis@ millert@

Remove wireless turbo mode support. It is a non-standard extension
which only worked with ath(4) devices from a decade ago.
Diff tested on ath(4) hardware by me to verify that 11a/b modes still work.
ok reyk deraadt chris sthen kettenis

Initialize the A-MPDU parameters field in HT capability elements.
ok kettenis@

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@

Fix another case where the return value of ieee80211_chan2mode() was
used for indexing something other than ic_sup_rates. Should have been
part of earlier commit.

ADDBA frames have a parameter set which we check against our own capabilities
but we were checking bits in these parameters with the wrong set of bitmasks.
Negotiating A-MPDUs with some APs failed because of this bug.
ok kettenis@

11n/HT negotiation fixes:

Some APs will not negotiate HT if the vendor-specific WME info
element is missing in probe and association requests, so add one.

Fix the wrong flag (NODE_HT) being checked to determine whether 11n
related elements should be included in management frames. If 11n mode
is enabled (F_HTON flag) we can always include 11n related elements
in management frames.

ok mpi@

No need to include <net/if_types.h> for <net/if_vlan_var.h>

Declare 802.11n mode and channel flags. Tweak 11n related fields in struct
ieee80211com and move them inside #ifndef IEEE80211_NO_HT without breaking
the build in rsu(4) for RAMDISK_CD.
Also declare 11n protection modes and MCS count.
ok deraadt mpi kettenis guenther

Update section and table numbers inside comments in the RSN code to
the 802.11-2012 standard.
ok mpi@

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@

m_freem() can handle NULL, do not check for this condition beforehands.
ok stsp mpi

Rename if_output() into if_enqueue() to avoid confusion with comments
talking about (*ifp->if_output)().

ok claudio@, dlg@

Use if_output() instead of rerolling it.

ok stsp@

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@

unifdef some more INET. v4 4life.

remove uneeded proc.h includes
ok mpi@ kspillner@

Fewer <netinet/in_systm.h> !

Stop abusing the rcvif pointer to pass wireless nodes down to the
driver start routines. Instead add & use a pointer in the pkthdr
since we don't want the overhead of using a mbuf_tags(9).

claudio@ pointed out that other subsystems might want to use this
pointer too, so here's a new cookie!

ok claudio@, mikeb@, deraadt@

#if 0 out the ieee80211_edca_table table to appease the LLVM warning.

ieee80211_output.c:311:5: error: unused variable 'ieee80211_edca_table' [-Werror,-Wunused-const-variable]

ok stsp@

use the correct block ack structure when building an ADDBA response.

fix prev commit (s/ic_flags/ic_caps/).

from dhill@

prevent injection of raw 802.11 control frames through bpf on drivers
that do not explicitly state this capability (using flag IEEE80211_C_RAWCTL).
also, perform all the sanity checks on injected raw 802.11 frames earlier
(in ieee80211_output instead of ieee80211_encap).

prevent kernel panics with many drivers when running aircrack-ng.
when/if all drivers are capable, we can remove this C_RAWCTL flag.

sync with 802.11w draft 8.0.
the SA Query Transaction Identifier field is now a 16-bit non-negative
counter value instead of a 128-bit random value.

Fix setting of the Short Slot Time subfield of the Capability Information
field in (Re)Association Requests.
This fixes association with APs refusing non-short-slot-time capable STAs.
This should also prevent the AP we're associating with to disable the use
of short slot time in the BSS as we join.
Fix debug message in recv_assoc_resp() while I'm here (s/reason/status/).
Scary.

Thanks to Adam Emanuel for spotting this.

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.

remove ni_ba field from ieee80211_node structure as it is not used yet.
this reduces memory footprint and avoids a stack usage warning in
ieee80211_find_node() that breaks amd64 build.

pointed out by landry@

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occured in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.

cleanup ieee80211_classify(): retrieve VLAN tag from m_pkthdr.ether_vtag.

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successfull 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.

Add some inline functions to test the presence of optional 802.11
header fields (Sequence Control, Address 4, QoS Control, +HTC) and
use them where appropriate.

Add ieee80211_get_qos() inline function to extract the QoS control
field of an 802.11 header instead of duplicating the same scary
code everywhere (the location of this field depends on the presence
of an Address 4 field).

Export ieee80211_up_to_ac() so that drivers can select the access
category to use based on the TID subfield of the QoS Control field.

Define more QoS-related bits for the RSN Capabilities field of RSN IE
(will be used later).

third parameter of ieee80211_get_assoc_req() is a management frame
subtype, not a boolean indicating assoc or reassoc.
rename the parameter and use if (type == IEEE80211_FC0_SUBTYPE_REASSOC_REQ)
instead of if (reassoc).
it worked only because IEEE80211_FC0_SUBTYPE_ASSOC_REQ is equal to 0.

add ic_tid_noack bitmap to indicate a per-TID ACK policy (1=no ack,
0=normal ack). all bits are currently set to 0.
use this bitmap to set the ACK policy of the QoS control field of
outgoing QoS frames.

extend ieee80211_classify() to extract DSCP field from IPv6 packets too.

rework previously unused ieee80211_pwrsave() function, call it from
ieee80211_mgmt_output() and ieee80211_encap().
use new IEEE80211_C_APPMGT capability flag where appropriate.
rename ic_tim_mcast to ic_tim_mcast_pending.

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.

use LLC_SNAPFRAMELEN here too.

add the code to encrypt/decrypt management frames, retrieve key id
from MMIE etc...
this code can't be triggered as no drivers claim MFP capability yet.

new SHA-256 based AKMPs.

add/process group integrity cipher suite in RSN IEs.
add support for MFP negotiation during association.

add IEEE80211_RSNIE_MAXLEN and IEEE80211_WPAIE_MAXLEN definitions
instead of hard-coding values.
for RSN IE, request space for Group Integrity Cipher Suite.

do not use IEEE80211_QOS_TID. its definition in ieee80211.h is
wrong. hard-code 0xf for now. will be fixed post-release.

do not touch m after it has been enqueued with IFQ_ENQUEUE().
copy m_pkthdr.len and m_flags before and use that after to update
the statistics.

from altq(4) man page and for consistency with what is done in
other parts of the tree.

Drop frames that are received unencrypted when WEP is on or when
WPA is on and RX protection for TA is on.
Keep track of the TX/RX protection for each node when WPA is on.

tested by djm@ (ral+wpa), ckuethe@ (ath-noenc) and krw@ (wpi<->ral+wpa).
hints from bluhm@
has been in snaps for a few days.

pointed out by bluhm@ something like 1 year ago but we did not have
the right infrastructure to fix it properly at that time.

ok deraadt@

s/IEEE80211_DPRINTF/DPRINTF/
automatically prepend __func__ to output.

deobfuscates debug messages a bit.
no binary change unless compiled with IEEE80211_DEBUG.

Fix a blatant misuse of MINCLSIZE I introduced in ieee80211_output.c r1.59
The bug was added on 04/16 but it started to show up only after 06/12 when
the value of MINCLSIZE was changed to something different from MHLEN + 1.

Thanks to dlg@ and giovanni (qgiovanni at gmail dot com) for putting me
on the right track.

Tested by giovanni.
Should fix system/5881 too.

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.

move processing of EAPOL frames away from ieee80211_{input,output}.c

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@

rework ieee80211_recv_4way_msg2() function.
add some RSNA authenticator state machine bits.

Checking the MIC early in ieee80211_recv_eapol() does not work for
message 2/4 of the 4-way handshake because the authenticator must
derive the PTK first (the MIC is computed using the KCK).
Move calls to ieee80211_eapol_key_check_mic() - and as a consequence
ieee80211_eapol_key_decrypt() - directly in the
ieee80211_recv_{group,4way}_msg*() functions.
Unconstify the first parameter since checking the MIC modifies the
frame. Remove ni->ni_ptk_ok field while i'm here.

- add k_rxmic and k_txmic fields to struct ieee80211_key to store the
Tx/Rx MIC for TKIP.
- add two functions to map a PTK and a GTK to an IEEE 802.11 key and
use them in ieee80211_input.c instead of duplicating the same code.
properly set Tx/Rx MIC in the IEEE 802.11 key in the case of TKIP.
- add ic_psk to struct ieee80211com to store the pre-shared key.
- fix setting of the SECURE bit in outgoing EAPOL-Key frames.
- when receiving msg 2 of the 4-way handshake, deauthenticate the
station if the RSN IE does not match that of the (Re)Association
request.
- before parsing an RSN or WPA IE, check that there's enough room for
the version field (2 bytes) which is mandatory.
- various tweaks while i'm here.

Fix the length calculation of the TIM bitmask in ieee80211_add_tim().
Even no bit was set we copied the full 225bytes bitmaks into the beacon.
Found the hard way with acx(4) by mglocker@ and myself.
OK mglocker@ damien@

add a ni_eapol_desc field to struct ieee80211_node to know whether
a station is using WPA1 or RSN descriptors.
make sure that a station that advertises WPA1 capability in an IE
uses the WPA1 EAPOL-Key descriptor type and not the RSN one.
fix construction of EAPOL-Key frames for WPA1.
i can now successfuly complete a 4-way and group-key handshake
with both a WPA1 and a WPA2 access point.
add some TKIP encapsulation code (no SW crypto yet).

ok deraadt@

set key length field in message 1 & 3 of the 4-way handshake.

pass the supplicant's nonce generated on reception of message 1 of the
4-way handshake to ieee80211_send_4way_msg2().

fix parsing and construction of RSN/WPA IEs.

the EAPOL-Key MIC must be computed with the MIC bit set.
this simplifies ieee80211_eapol_key_mic() and ieee80211_eapol_key_check_mic()
quite a bit.
set the EAPOL-Key body length before computing the MIC since the MIC is
computed with the 802.1X header too.
add a missing htons() while i'm here.

cipher suite type for CCMP is 4 not 3.

adds functions to parse and to build EAPOL-Key frames used in
the 4-way and group-key handshake.
the state machine is still missing though so this is not used
anywhere yet.

update QoS Tx/Rx sequence numbers for each TID.
add a parameter to ieee80211_decap() to handle different 802.11
header sizes.
cleanup and clarify ieee80211_classify().

do not increment ic_stats.is_tx_nombuf in ieee80211_get_rts() and
ieee80211_get_cts_to_self() if mbuf allocation fails.

cleanup the computation of mgmt frames sizes.
still very ugly but hopefully correct.

remove remaining bits for pre-RSNA shared authmode support.
it has been #if 0'd since 3.9 and we have never supported this mode (no
ifconfig option etc...).

always set the IEEE80211_CAPINFO_ESS bit in association requests.
fixes my 1.36 commit (the bit should not be set for non-AP STA
only in Probe Responses and Beacons).

move the logic of determining whether an extended supported rates IE is
needed or not to the callers (instead of doing nothing in add_xrates).

split ieee80211_add_rsn() so that the code can be reused for
vendor-specific IE.

allow USEGROUP as the pairwise cipher for RSN IE.
add RSN IE to beacons, probe responses and (re)association requests.

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.

add a function that builds an RSN IE (ieee80211_add_rsn).

move construction of IEs into individual functions so that we don't
duplicate the same code multiple times.
add references to the spec for all these functions.
fixes beacon_alloc() for FH PHYs as a side-effect.

don't set the IEEE80211_CAPINFO_ESS bit in the Capability Information
field if we're not operating as an AP (see 7.3.1.4).

no TIM in probe reponses.

In ieee80211_getmbuf(), if we need to allocate a mbuf cluster because
the length is greater than MHLEN, test that the allocation succeeded.
Otherwise, free the mbuf header and return NULL.
Callers assume that if the function returns a value != NULL then
enough space has been allocated.

fix SSID IE in the case where HIDENWID is used.
HIDENWID has been broken from the very beginning.

initial bits for proper TIM support.

split ieee80211_send_mgmt() like I did for ieee80211_recv_mgmt()

add EDCA Parameter Set and QoS capability IEs to appropriate frames
when QoS is supported and activated.

add two new functions:

ieee80211_up_to_ac(): returns the access category to be used for
transmitting a frame with a given user priority.

ieee80211_classify(): returns the user-priority of an mbuf based
on VLAN 802.1D user-priority (if any) or IP TOS precedence field.

indent prototypes and add myself to the copyright list while i'm here.

don't mix u_int{8,16,32}_t and uint{8,16,32}_t
use u_int{8,16,32}_t everywhere.

de-static

ok jsg@

adds 802.11e EDCA tables for QAPs and non-AP QSTAs.
not used yet.

ok jsg@ deraadt@

move ieee80211_compute_duration() and ieee80211_compute_duration1()
functions into the two drivers that use them (atw and rtw.)
this code is not generic enough to be used by other drivers and
there is no chance that it will ever be used in newer driver since
it supports 802.11b only.
plus, it hurts my eyes each time i look into ieee80211_output.c.

"fine with me as long as the logic doesn't change in the functions" jsg@

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@

print the phy mode in IFF_DEBUG status output which helps to debug
dual/multi mode chipset operation.

ok jsg@

Add two new functions:
- ieee80211_get_rts
- ieee80211_get_cts_to_self
that can be use by drivers for chipsets that don't offer hardware assisted
RTS/CTS protection (like ral/ural/rum).

"no objections here" jsg@

add the net80211 hostap options "nwflag hidenwid" for hidden SSID mode
and "nwflag nobridge" to prevent inter-station communications.
"hidenwid" will also work with wi(4) to replace the old -E 3 option of
wicontrol.

ok damien@ jmc@

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@

account for the size of a 802.11 header in ieee80211_getmbuf().
fix some typos while i'm here.

ok reyk@ brad@

use ieee80211_add_ssid() in ieee80211_beacon_alloc() and wpi(4) instead
of duplicating the code.

last commit was ok reyk@

- export ieee80211_add_ssid() just like ieee80211_add_(x)rates() so I don't
need to duplicate the code in wpi(4)
- fix ieee80211_alloc_beacon()
- clean two comments while i'm here

With the exception of two other small uncommited diffs this moves
the remainder of the network stack from splimp to splnet.

ok miod@

Fix kernel builds without bpfilter. Linking is still broken.

"Please commit this diff ASAP" brad@

Disable shared key mode until we have a way for the user to specify
that they explicitly want it. What we have currently doesn't seem
to work anyway. Add support for specifying a status type when
sending managemnent frames; adapted from FreeBSD. OK jsg@

mostly knf

ok jsg@

Remove the last of the FreeBSD compatiblity goop.
ok reyk@

Remove FreeBSD if_printf compat function from net80211.
ok reyk@

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@

send raw 802.11 frames with bpf(4) using the IEEE802_11 or
IEEE802_11_RADIO data link types.

ok canacar@ damien@

Make sure we associate an interface with the m_pkthdr in
ieee80211_beacon_alloc.
ok damien@ reyk@

addtion of a generic function for allocating beacons: ieee80211_beacon_alloc().
ok jsg@, reyk@, dlg@

Fix a problem introduced with the recent lru cache change.
Check that we actually have a node before trying to release it.
This was causing a panic when playing with IBSS. ok reyk@

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@

Sync with recent NetBSD ieee80211_compute_duration() changes.

From dyoung@NetBSD:

ieee80211.h r 1.9

#define the difference in microseconds between a fast and a slow
preamble and PLCP header.

ieee80211_output.c r 1.19

Fix a bug in ieee80211_compute_duration: the 802.11 Duration field
in an 802.11 unicast data packet is equal to the duration of the
SIFS and Acknowledgement. That is, the amount of time reserved
*after* the packet has finished transmitting.

Change the arguments to ieee80211_compute_duration: pass the entire
packet length, not just the payload length. Add a 'debug' argument
to ieee80211_compute_duration and its helper subroutine,
ieee80211_compute_duration1.

If debug != 0, ieee80211_compute_duration printfs its arguments
and several local variables.

In rtw(4), load the 802.11 Duration field with the result from
ieee80211_compute_duration.

From dyoung@NetBSD:

Define for more bits in the Service field of the 802.11 PLCP Header.

For use by the subroutine ieee80211_compute_duration, add struct
ieee80211_duration, and #define a number of microsecond constants
used for the transmit timing of 802.11 packets.

Add the subroutine ieee80211_compute_duration, which computes for
any packet the appropriate 802.11 Duration field, the PLCP Length
field, as well as the Duration and Length fields for an RTS frame.

atw(4), rtw(4), future drivers, and possibly ath(4) will share
ieee80211_compute_duration.

ok millert@

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.

Add initial 802.11ac (VHT) support to net80211.

Add VHT capability and operation IE definitions to ieee80211.h.
Introduce channel flags to identify 80MHz and 160MHz capable channels.

Parse VHT IEs in beacons, announce the driver's VHT capabilities in
probe requests and assoc requests, and hop into 11ac mode after
association to the AP if possible.

Enable VHT by default if the driver announces support for it.

ok claudio@

rename ETHERTYPE_PAE to ETHERTYPE_EAPOL.

everyone else seems to use ETHERTYPE_EAPOL, and as a bonus it also
appears to be more correct.

ok deraadt@ stsp@

Improve debug output when sending 802.11 action frames by showing the
action frame subtypes we care about (i.e. those related to 11n block ack).

ok mpi@

In hostap mode don't send data frames to nodes which aren't in state ASSOC.

Sending data frames to nodes in other states is wrong since the node's
data structure might not be set up properly in such states.
This could explain occasional "key unset for sw crypto" panics observed
with athn(4) hostap interfaces.

Problem reported and fix tested by Mikolaj Kucharski.

spelling

ok gnezdo@ semarie@ mpi@

Fix 802.11 RSN capabilities announced to peers.

We were echoing back all RSN capabilities announced by our peer, even
for features which we don't support.
One such feature is Management Frame Protection (MFP). If we announce this
capability then the peer sends us encrypted management frames which won't
be processed. One symptom of this is that we fail to negotiate block ack
with APs that support MFP.

Only echo the RSN capabilities which we support, i.e. key replay counters.
Handle MFP and PBAR bits here as done elsewhere. Neither of these features
is enabled yet at run-time. As far as I can tell, the remaining RSN caps are
not supported by drivers (e.g. SPP A-MPDU) or won't be supported (outdated
WEP->TKIP transition support). The corresponding bits should always be clear.

Problem with 0 input block ack sessions found by sthen@ and robert@
Fix tested by sthen@, robert@, phessler@, and kmos@

ok phessler@ kmos@

Revert previous; Set the ESS capability bit in assoc requests again.

Association to some access points breaks without the ESS capability bit.
Apparently I misunderstood something.

Reported by krw@ and tb@

Do not set the 802.11 ESS capability bit in association requests.

The ESS capability bit should be set if the transmitter is an AP.
Association requests are sent by clients.

ok jca@

Properly wrap 802.11 frame sequence numbers when incrementing them.

ok tb@ tobhe@ mpi@

Do not send any QoS data frames unless Tx aggregation has been negotiated.

Actual QoS support could be added to net80211 in the future, but for now we
only use QoS frames for A-MPDU aggregation. Without QoS support, sending
non-aggregated QoS frames does not actually buy us anything and makes it
harder to look at packet captures and tell whether frames sent by an OpenBSD
machine were in fact aggregated or not.

Tested on iwn(4) by jmc@, paco@, bket@, paco@, and Lauri Tirkkonen

Fix an mbuf corruption issue which occurs in net80211 hostap mode.

When sizing a memory allocation for a probe response frame, the AP used
the SSID length stored in the node structure which represents the client,
but used the actual length of the SSID when copying it into the frame.

If the actual length is sufficiently large this will result in corruption
of an adjacent mbuf on the free list since m->m_next will be overwritten
with data written to the tail of the probe response frame.

Bad things happen later on when the adjacent mbuf is used. Sometimes
the corruption is detected by mbufpl's use-after-free checking, at
other times we end up crashing somewhere in the network stack.

To prevent such a mistake from occuring again I am removing the 'ni'
argument from ieee80211_get_probe_resp() altogether. It is not needed.

A quick workaround is to configure a short SSID.

Debugged with help from claudio, kettenis, and dlg.

ok claudio

Add support for 802.11n Tx aggregation to net80211 and the iwn(4) driver.

In particular, add Tx block ack session management to net80211, with
enough funcionality to support Tx aggregation on devices which perform
A-MPDU subframe scheduling in firmware.
Make use of the iwn(4) firmware Tx scheduler to build A-MPDUs.

net80211's QoS support code is now enabled and used by Tx aggregation.

A-MSDU frames inside A-MPDUs have been tested and work in principle.
For now, this feature is disabled because unfair TCP connection sharing
was observed during testing, where bursts of TCP Ack frames for a single
tcpbench(1) connection arriving in A-MSDUs made other TCP connections stall.
Switch off support for A-MSDUs inside A-MPDUs on the Rx side as well.

Tested on iwn chipsets 1000, 4965, 5100, 5300, 2200, 6200, 6205, 6300
(committed version of tested diff has all debug printfs removed)
tests/ok benno kmos mlarkin kevlo

Fix 'ifconfig nwflags; These flags ended up overlapping with other flags
in ieee80211com's ic_flags because we haven't been paying attention to
them (they're not in the same place in the code and hence easy to miss).
Move them to a dedicated variable to avoid this problem in the future.

Add a new 'stayauth' nwflag which can be set to let net80211 ignore
deauth frames. This can be useful when deauth frames are being
persistently spoofed by an attacker. Idea from beck@

ok beck@ phessler@

On the transmit path the ethernet and ip headers might not be
in contiguous memory. Taking the pointer to the data and simply
looking at the IP header by adding an offset can lead to an out-
of-bounds access. Make the ieee80211 classify function copy the
ethernet and ip header into stack variables to fix it.

Fixes a panic for florian@
Discussed with claudio@
ok stsp@

MH_ALIGN -> m_align and make the spacing look the same in all three places.
OK bluhm@

My previous commit broke the ramdisk build; fix it

Stop printing debug info about stations leaving a wifi network when
we aren't running in hostap or ibss mode.

Omit the PMKID count field from RSN information elements (IE) if the PMKID
list has zero elements and PMKID would be the last field in the RSN IE.

This is correct as per 802.11-2012 8.4.2.27.1 and aligns net80211 code with
behaviour of bwfm(4) firmware, unblocking further progress in that driver.

ok patrick@ phessler@

Make ieee80211_classify() available in a header so we can make the
priority visible to underlying bus protocols like bwfm(4)'s bcdc.

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@

In a comment inside ieee80211_up_to_ac(), update a reference section
number from the 802.11-2007 standard to the 802.11-2012 standard.

When telling clients which EDCA parameters to use, copy these parameters
from the client parameter set, rather than from the AP parameter set.
ok mpi@

Enable ieee80211_edca_table, which was under #if 0. This table can be used
by drivers to pass default EDCA parameters to firmware instead of passing
local hardcoded values.
ok millert@

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@

When acting as 11n hostap, send Microsoft WME parameters to clients so
that Linux clients will decide to use 11n mode.
ok phessler@

Fix ieee80211_add_htop(), which is not yet called in active code paths.
It was creating a corrupt beacon element by ommitting one byte.
Fix this and fill the element with actual data from the ic_bss node instead
of filling it with zeroes, allowing future 11n hostap to announce the current
HT protection mode correctly.

Call if_enqueue() and if_start() instead of dereferencing the ifp
pointers.

These functions have been introduced to abstract some of the MP-
safeness^Wmadness and should be use everywhere.

Prodded by a comment from jsg@.

ok mikeb@, stsp@

Define EDCA tables for 11n mode. Per 802.11-2012 they are the same as
the tables for 11a/11g modes.
Add a function to append a Microsoft WME parameter element to a frame,
using EDCA tables to construct the parameter records. Some 11n AP's I have
observed provide this element.

None of this code is used yet, so no functional change. I wrote this while
debugging BlockAck and then realized it was only needed for hostap mode.
Once we support 11n in hostap mode and send A-MPDUs, this code will be needed.

Store ADDBA request and response parameters in the block ack record of
ieee80211_node. This way, we can keep track of the ACK policy and echo
it back to the AP as required by the standard. And use the correct bit
flag for the policy -- this code was confused between BlockAck and ADDBA,
both of which have a policy bit but in different places.

Fixes apple airport APs.

tested by tb@, krw@, sthen@, abieber@, and Henrik Friedrichsen

Fix the timeout value sent in ADDBA request and response frames.
ba_timeout_val is in usec so we must divide by TU when copying it to the frame.
ok kettenis@ millert@

Remove wireless turbo mode support. It is a non-standard extension
which only worked with ath(4) devices from a decade ago.
Diff tested on ath(4) hardware by me to verify that 11a/b modes still work.
ok reyk deraadt chris sthen kettenis

Initialize the A-MPDU parameters field in HT capability elements.
ok kettenis@

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@

Fix another case where the return value of ieee80211_chan2mode() was
used for indexing something other than ic_sup_rates. Should have been
part of earlier commit.

ADDBA frames have a parameter set which we check against our own capabilities
but we were checking bits in these parameters with the wrong set of bitmasks.
Negotiating A-MPDUs with some APs failed because of this bug.
ok kettenis@

11n/HT negotiation fixes:

Some APs will not negotiate HT if the vendor-specific WME info
element is missing in probe and association requests, so add one.

Fix the wrong flag (NODE_HT) being checked to determine whether 11n
related elements should be included in management frames. If 11n mode
is enabled (F_HTON flag) we can always include 11n related elements
in management frames.

ok mpi@

No need to include <net/if_types.h> for <net/if_vlan_var.h>

Declare 802.11n mode and channel flags. Tweak 11n related fields in struct
ieee80211com and move them inside #ifndef IEEE80211_NO_HT without breaking
the build in rsu(4) for RAMDISK_CD.
Also declare 11n protection modes and MCS count.
ok deraadt mpi kettenis guenther

Update section and table numbers inside comments in the RSN code to
the 802.11-2012 standard.
ok mpi@

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@

m_freem() can handle NULL, do not check for this condition beforehands.
ok stsp mpi

Rename if_output() into if_enqueue() to avoid confusion with comments
talking about (*ifp->if_output)().

ok claudio@, dlg@

Use if_output() instead of rerolling it.

ok stsp@

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@

unifdef some more INET. v4 4life.

remove uneeded proc.h includes
ok mpi@ kspillner@

Fewer <netinet/in_systm.h> !

Stop abusing the rcvif pointer to pass wireless nodes down to the
driver start routines. Instead add & use a pointer in the pkthdr
since we don't want the overhead of using a mbuf_tags(9).

claudio@ pointed out that other subsystems might want to use this
pointer too, so here's a new cookie!

ok claudio@, mikeb@, deraadt@

#if 0 out the ieee80211_edca_table table to appease the LLVM warning.

ieee80211_output.c:311:5: error: unused variable 'ieee80211_edca_table' [-Werror,-Wunused-const-variable]

ok stsp@

use the correct block ack structure when building an ADDBA response.

fix prev commit (s/ic_flags/ic_caps/).

from dhill@

prevent injection of raw 802.11 control frames through bpf on drivers
that do not explicitly state this capability (using flag IEEE80211_C_RAWCTL).
also, perform all the sanity checks on injected raw 802.11 frames earlier
(in ieee80211_output instead of ieee80211_encap).

prevent kernel panics with many drivers when running aircrack-ng.
when/if all drivers are capable, we can remove this C_RAWCTL flag.

sync with 802.11w draft 8.0.
the SA Query Transaction Identifier field is now a 16-bit non-negative
counter value instead of a 128-bit random value.

Fix setting of the Short Slot Time subfield of the Capability Information
field in (Re)Association Requests.
This fixes association with APs refusing non-short-slot-time capable STAs.
This should also prevent the AP we're associating with to disable the use
of short slot time in the BSS as we join.
Fix debug message in recv_assoc_resp() while I'm here (s/reason/status/).
Scary.

Thanks to Adam Emanuel for spotting this.

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.

remove ni_ba field from ieee80211_node structure as it is not used yet.
this reduces memory footprint and avoids a stack usage warning in
ieee80211_find_node() that breaks amd64 build.

pointed out by landry@

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occured in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.

cleanup ieee80211_classify(): retrieve VLAN tag from m_pkthdr.ether_vtag.

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successfull 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.

Add some inline functions to test the presence of optional 802.11
header fields (Sequence Control, Address 4, QoS Control, +HTC) and
use them where appropriate.

Add ieee80211_get_qos() inline function to extract the QoS control
field of an 802.11 header instead of duplicating the same scary
code everywhere (the location of this field depends on the presence
of an Address 4 field).

Export ieee80211_up_to_ac() so that drivers can select the access
category to use based on the TID subfield of the QoS Control field.

Define more QoS-related bits for the RSN Capabilities field of RSN IE
(will be used later).

third parameter of ieee80211_get_assoc_req() is a management frame
subtype, not a boolean indicating assoc or reassoc.
rename the parameter and use if (type == IEEE80211_FC0_SUBTYPE_REASSOC_REQ)
instead of if (reassoc).
it worked only because IEEE80211_FC0_SUBTYPE_ASSOC_REQ is equal to 0.

add ic_tid_noack bitmap to indicate a per-TID ACK policy (1=no ack,
0=normal ack). all bits are currently set to 0.
use this bitmap to set the ACK policy of the QoS control field of
outgoing QoS frames.

extend ieee80211_classify() to extract DSCP field from IPv6 packets too.

rework previously unused ieee80211_pwrsave() function, call it from
ieee80211_mgmt_output() and ieee80211_encap().
use new IEEE80211_C_APPMGT capability flag where appropriate.
rename ic_tim_mcast to ic_tim_mcast_pending.

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.

use LLC_SNAPFRAMELEN here too.

add the code to encrypt/decrypt management frames, retrieve key id
from MMIE etc...
this code can't be triggered as no drivers claim MFP capability yet.

new SHA-256 based AKMPs.

add/process group integrity cipher suite in RSN IEs.
add support for MFP negotiation during association.

add IEEE80211_RSNIE_MAXLEN and IEEE80211_WPAIE_MAXLEN definitions
instead of hard-coding values.
for RSN IE, request space for Group Integrity Cipher Suite.

do not use IEEE80211_QOS_TID. its definition in ieee80211.h is
wrong. hard-code 0xf for now. will be fixed post-release.

do not touch m after it has been enqueued with IFQ_ENQUEUE().
copy m_pkthdr.len and m_flags before and use that after to update
the statistics.

from altq(4) man page and for consistency with what is done in
other parts of the tree.

Drop frames that are received unencrypted when WEP is on or when
WPA is on and RX protection for TA is on.
Keep track of the TX/RX protection for each node when WPA is on.

tested by djm@ (ral+wpa), ckuethe@ (ath-noenc) and krw@ (wpi<->ral+wpa).
hints from bluhm@
has been in snaps for a few days.

pointed out by bluhm@ something like 1 year ago but we did not have
the right infrastructure to fix it properly at that time.

ok deraadt@

s/IEEE80211_DPRINTF/DPRINTF/
automatically prepend __func__ to output.

deobfuscates debug messages a bit.
no binary change unless compiled with IEEE80211_DEBUG.

Fix a blatant misuse of MINCLSIZE I introduced in ieee80211_output.c r1.59
The bug was added on 04/16 but it started to show up only after 06/12 when
the value of MINCLSIZE was changed to something different from MHLEN + 1.

Thanks to dlg@ and giovanni (qgiovanni at gmail dot com) for putting me
on the right track.

Tested by giovanni.
Should fix system/5881 too.

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.

move processing of EAPOL frames away from ieee80211_{input,output}.c

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@

rework ieee80211_recv_4way_msg2() function.
add some RSNA authenticator state machine bits.

Checking the MIC early in ieee80211_recv_eapol() does not work for
message 2/4 of the 4-way handshake because the authenticator must
derive the PTK first (the MIC is computed using the KCK).
Move calls to ieee80211_eapol_key_check_mic() - and as a consequence
ieee80211_eapol_key_decrypt() - directly in the
ieee80211_recv_{group,4way}_msg*() functions.
Unconstify the first parameter since checking the MIC modifies the
frame. Remove ni->ni_ptk_ok field while i'm here.

- add k_rxmic and k_txmic fields to struct ieee80211_key to store the
Tx/Rx MIC for TKIP.
- add two functions to map a PTK and a GTK to an IEEE 802.11 key and
use them in ieee80211_input.c instead of duplicating the same code.
properly set Tx/Rx MIC in the IEEE 802.11 key in the case of TKIP.
- add ic_psk to struct ieee80211com to store the pre-shared key.
- fix setting of the SECURE bit in outgoing EAPOL-Key frames.
- when receiving msg 2 of the 4-way handshake, deauthenticate the
station if the RSN IE does not match that of the (Re)Association
request.
- before parsing an RSN or WPA IE, check that there's enough room for
the version field (2 bytes) which is mandatory.
- various tweaks while i'm here.

Fix the length calculation of the TIM bitmask in ieee80211_add_tim().
Even no bit was set we copied the full 225bytes bitmaks into the beacon.
Found the hard way with acx(4) by mglocker@ and myself.
OK mglocker@ damien@

add a ni_eapol_desc field to struct ieee80211_node to know whether
a station is using WPA1 or RSN descriptors.
make sure that a station that advertises WPA1 capability in an IE
uses the WPA1 EAPOL-Key descriptor type and not the RSN one.
fix construction of EAPOL-Key frames for WPA1.
i can now successfuly complete a 4-way and group-key handshake
with both a WPA1 and a WPA2 access point.
add some TKIP encapsulation code (no SW crypto yet).

ok deraadt@

set key length field in message 1 & 3 of the 4-way handshake.

pass the supplicant's nonce generated on reception of message 1 of the
4-way handshake to ieee80211_send_4way_msg2().

fix parsing and construction of RSN/WPA IEs.

the EAPOL-Key MIC must be computed with the MIC bit set.
this simplifies ieee80211_eapol_key_mic() and ieee80211_eapol_key_check_mic()
quite a bit.
set the EAPOL-Key body length before computing the MIC since the MIC is
computed with the 802.1X header too.
add a missing htons() while i'm here.

cipher suite type for CCMP is 4 not 3.

adds functions to parse and to build EAPOL-Key frames used in
the 4-way and group-key handshake.
the state machine is still missing though so this is not used
anywhere yet.

update QoS Tx/Rx sequence numbers for each TID.
add a parameter to ieee80211_decap() to handle different 802.11
header sizes.
cleanup and clarify ieee80211_classify().

do not increment ic_stats.is_tx_nombuf in ieee80211_get_rts() and
ieee80211_get_cts_to_self() if mbuf allocation fails.

cleanup the computation of mgmt frames sizes.
still very ugly but hopefully correct.

remove remaining bits for pre-RSNA shared authmode support.
it has been #if 0'd since 3.9 and we have never supported this mode (no
ifconfig option etc...).

always set the IEEE80211_CAPINFO_ESS bit in association requests.
fixes my 1.36 commit (the bit should not be set for non-AP STA
only in Probe Responses and Beacons).

move the logic of determining whether an extended supported rates IE is
needed or not to the callers (instead of doing nothing in add_xrates).

split ieee80211_add_rsn() so that the code can be reused for
vendor-specific IE.

allow USEGROUP as the pairwise cipher for RSN IE.
add RSN IE to beacons, probe responses and (re)association requests.

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.

add a function that builds an RSN IE (ieee80211_add_rsn).

move construction of IEs into individual functions so that we don't
duplicate the same code multiple times.
add references to the spec for all these functions.
fixes beacon_alloc() for FH PHYs as a side-effect.

don't set the IEEE80211_CAPINFO_ESS bit in the Capability Information
field if we're not operating as an AP (see 7.3.1.4).

no TIM in probe reponses.

In ieee80211_getmbuf(), if we need to allocate a mbuf cluster because
the length is greater than MHLEN, test that the allocation succeeded.
Otherwise, free the mbuf header and return NULL.
Callers assume that if the function returns a value != NULL then
enough space has been allocated.

fix SSID IE in the case where HIDENWID is used.
HIDENWID has been broken from the very beginning.

initial bits for proper TIM support.

split ieee80211_send_mgmt() like I did for ieee80211_recv_mgmt()

add EDCA Parameter Set and QoS capability IEs to appropriate frames
when QoS is supported and activated.

add two new functions:

ieee80211_up_to_ac(): returns the access category to be used for
transmitting a frame with a given user priority.

ieee80211_classify(): returns the user-priority of an mbuf based
on VLAN 802.1D user-priority (if any) or IP TOS precedence field.

indent prototypes and add myself to the copyright list while i'm here.

don't mix u_int{8,16,32}_t and uint{8,16,32}_t
use u_int{8,16,32}_t everywhere.

de-static

ok jsg@

adds 802.11e EDCA tables for QAPs and non-AP QSTAs.
not used yet.

ok jsg@ deraadt@

move ieee80211_compute_duration() and ieee80211_compute_duration1()
functions into the two drivers that use them (atw and rtw.)
this code is not generic enough to be used by other drivers and
there is no chance that it will ever be used in newer driver since
it supports 802.11b only.
plus, it hurts my eyes each time i look into ieee80211_output.c.

"fine with me as long as the logic doesn't change in the functions" jsg@

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@

print the phy mode in IFF_DEBUG status output which helps to debug
dual/multi mode chipset operation.

ok jsg@