History log of /openbsd-current/sys/net80211/ieee80211_var.h
Revision Date Author Comments
# 1.111 14-Mar-2022 stsp

Add initial 802.11ac (VHT) support to net80211.

Add VHT capability and operation IE definitions to ieee80211.h.
Introduce channel flags to identify 80MHz and 160MHz capable channels.

Parse VHT IEs in beacons, announce the driver's VHT capabilities in
probe requests and assoc requests, and hop into 11ac mode after
association to the AP if possible.

Enable VHT by default if the driver announces support for it.

ok claudio@


# 1.110 21-Jan-2022 stsp

Fix and re-enable active scans on iwm(4) and iwx(4).

Ensure that we supply the access point's DTIM period to firmware after
an active scan, as soon as the next beacon arrives. This prevents the
problems which prompted us to keep active scans disabled in our drivers.

Problem debugged and patch by zxystd from the OpenIntelWireless project.
I made some tweaks regarding TIM parsing, which were reviewed by zxystd.

Johannes Berg from Intel has confirmed to me via IRC that firmware
will misbehave if running with a zero DTIM period.

Tested:
8265: jca, stsp
9260: kettenis (possible fallout observed here; will keep an eye on it)
9650: stsp
ax200: zxystd, kevlo, stsp
ax201: stsp

ok kevlo@ kettenis@


# 1.109 05-Dec-2021 stsp

Defer rtm_80211info() call from ieee80211_set_link_state() to a task context.

Sending routing messages requires a socket lock which may sleep.
ieee80211_set_link_state() is called from interrupts and timeouts where
sleeping is not allowed. mvs@ pointed out that if_link_state_change()
is already using a task for this reason.

Should fix a witness-related panic reported by cheloha@

ok mvs@ tobhe@ florian@


# 1.108 03-Dec-2021 stsp

Introduce an optional driver-specific bgscan_done() handler which
allows the driver to take control of the roaming teardown sequence.
This handler allows drivers to ensure that race conditions between
firmware state and net80211 state are avoided, and will be used by
the iwm(4) and iwx(4) drivers soon.

Split the existing roaming teardown sequence into two steps, one step
for tearing down Tx block ack sessions which sends a DELBA frame, and a
second step for flushing Tx rings followed by sending a DEAUTH frame.
We used to queue both frames, expecting to switch APs once both were sent.
Now we effectively expect everything to be sent before we queue a final
DEAUTH frame, and wait for just this frame to be sent before switching.
This already made issues on iwm/iwx less frequent but by itself this was
not enough to close all races for those drivers. It should however help
when adding background scan support to a non-firmware device driver.

Tested, with driver patches:
iwm 8265: Aaron Poffenberger, stsp
iwm 9260: florian
iwm 9560: sthen
iwx ax200: jmc, stsp


# 1.107 11-Oct-2021 stsp

Monitor 20/40 MHz channel width changes in beacons sent by our access point
and notify drivers when the channel width has changed.


# 1.106 11-Oct-2021 stsp

Add support for 40MHz channels to net80211 RA.

For the moment we use either the 40MHz rate set or the 20 MHz one,
depending on whether our peer supports 40MHz channels.
If this turns out to be suboptimal we could probe the 40MHz and 20MHz
rate sets separately to detect which one works better.

The same applies to use of the short guard interval (SGI), which is
either always on or off at the moment. Again, probing for this could
be added later if needed.


# 1.105 23-Sep-2021 stsp

Add an ADDBA_OFFLOAD capability for wifi devices which manage Tx block ack
sessions entirely in firmware. This will be used by iwx(4).


Revision tags: OPENBSD_7_0_BASE
# 1.104 17-May-2021 stsp

put unused 802.11 fragmentation support code under #ifdef notyet


# 1.103 29-Apr-2021 stsp

Make iwn, iwm, and iwx keep track of beacon parameters at run-time.

- HT protection settings (this was already implemented)
- ERP (11g) protection setting
- short slottime setting
- short preamble setting
- EDCA (QoS) parameters

All of these parameters are communicated in beacons and hardware is
now kept up-to-date with them.

Prompted by a problem report from Christian Ehrhardt regarding ERP.

Tested:
iwn 6205: stsp, Josh Grosse
iwm 7265: trondd
iwm 8265: stsp, Matthias Schmidt
iwm 9260: phessler
iwx ax200: stsp, jmc, gnezdo


Revision tags: OPENBSD_6_8_BASE OPENBSD_6_9_BASE
# 1.102 15-Jul-2020 cheloha

ieee80211: track micfail timeout with getuptime(9) instead of ticks

With input from stsp@.

ok stsp@


Revision tags: OPENBSD_6_7_BASE
# 1.101 09-Nov-2019 stsp

Give access points which fail to AUTH or ASSOC less priority during
the next selection of networks from the join list. Prevents endless
attempts to connect to an AP which is out of reach but still somehow
manages to get a beacon or two across to us during scan.

Tested with wifi networks at the University of Bucharest.
Makes switching wifi networks possible after walking to a different
room without having to down/up the interface or suspend/resume.

ok phessler@


# 1.100 09-Nov-2019 stsp

Trigger a background scan when root runs the 'ifconfig scan' command.
This will update the list of cached APs for future invocations of the
'scan' command, and will force a search for a better AP to roam to.
ok sthen@ phessler@


# 1.99 06-Nov-2019 stsp

Raise net80211's "beacon miss" threshold to avoid frequent re-connects
to APs that are relatively far away and suffer some packet loss.

The former threshold was 7 beacons (about 700 ms).
This raises the threshold to 30 beacons (about 3 seconds).
Should still be good enough for detecting APs that have disappeared, and
makes wifi networks provided by the University of Bucharest more reliable
in the p2k19 hackroom.

While here, make 'ifconfig iwm0/iwn0 debug' print an obvious message when
we believe that the AP has disappeared.

Problem reported and fix tested by landry@ / pirofti@
ok mpi@ sthen@


# 1.98 31-Oct-2019 stsp

Make background scans less frequent if we keep choosing the same AP.

This helps a bit in situations where a single AP is used and background scans
are causing packet loss, as seen with Jesper Wallin's Broadcom-based AP and my
Android phone in hotspot mode. This is not a proper fix but our background scan
frequency against a single AP was much higher than needed anyway.

Tested by jan, job, benno, Tracey Emery, Jesper Wallin


Revision tags: OPENBSD_6_6_BASE
# 1.97 29-Jul-2019 stsp

Add support for 802.11n Tx aggregation to net80211 and the iwn(4) driver.

In particular, add Tx block ack session management to net80211, with
enough functionality to support Tx aggregation on devices which perform
A-MPDU subframe scheduling in firmware.
Make use of the iwn(4) firmware Tx scheduler to build A-MPDUs.

net80211's QoS support code is now enabled and used by Tx aggregation.

A-MSDU frames inside A-MPDUs have been tested and work in principle.
For now, this feature is disabled because unfair TCP connection sharing
was observed during testing, where bursts of TCP Ack frames for a single
tcpbench(1) connection arriving in A-MSDUs made other TCP connections stall.
Switch off support for A-MSDUs inside A-MPDUs on the Rx side as well.

Tested on iwn chipsets 1000, 4965, 5100, 5300, 2200, 6200, 6205, 6300
(committed version of tested diff has all debug printfs removed)
tests/ok benno kmos mlarkin kevlo


# 1.96 12-May-2019 stsp

Fix 'ifconfig nwflags'. These flags ended up overlapping with other flags
in ieee80211com's ic_flags because we haven't been paying attention to
them (they're not in the same place in the code and hence easy to miss).
Move them to a dedicated variable to avoid this problem in the future.

Add a new 'stayauth' nwflag which can be set to let net80211 ignore
deauth frames. This can be useful when deauth frames are being
persistently spoofed by an attacker. Idea from beck@

ok beck@ phessler@


Revision tags: OPENBSD_6_5_BASE
# 1.95 01-Mar-2019 stsp

Improve handling of HT protection for 'mode 11n' hostap.

Consider the mere presence of HTCAP IEs as indicator of 11n support,
rather than checking advertised Rx MCS. Fixes some devices being
misclassified as 11a/g, causing HT protection to be enabled even
though it is not needed.

Use CTS-to-self frames for HT protection instead of RTS/CTS.

These changes make my athn(4) AR9280 hostap perform much better.

ok phessler@


# 1.94 19-Feb-2019 stsp

Make ifconfig(8) display whether bwfm(4) firmware is using 802.11ac.
ok patrick@ mpi@


# 1.93 18-Jan-2019 phessler

add a len field when we delete an essid from the joinlist. this will have
us properly match, instead of hoping we got lucky when selecting it.

OK stsp@


# 1.92 27-Oct-2018 phessler

pass around the ess and ni structures we plan to use directly, instead
of rediscovering them (possibly badly).

OK stsp@


Revision tags: OPENBSD_6_4_BASE
# 1.91 11-Sep-2018 krw

Nuke unused LIST() ieee80211com_head.

ok stsp@


# 1.90 10-Sep-2018 phessler

give set_ess a len variable, so we can correctly match the essid we want
to switch to.

pointed out by stsp@


# 1.89 09-Sep-2018 phessler

convert the things we save in 'join' into a single ioctl. mixing related
settings over multiple calls was risky and racy. Pass essid, wpa, and wep
parameters in a single ioctl and process it atomically.

no change for 'nwid' users

OK stsp@ benno@


# 1.88 01-Sep-2018 stsp

Make 'ifconfig nwid' override 'ifconfig join'.

There was no way to override a decision made by join's network
selection algorithm (apart from disabling the feature by clearing
the join list). Automatic selection is based on heuristics which
cannot always guess correctly so we need to provide an override.

One specific problem was that if 'nwid foo' and 'nwid bar' were
both visible in the scan and only 'nwid foo' was a member of the
join list, then there was no way at all to connect to 'nwid bar'.
The wireless stack would keep selecting 'nwid foo' instead.

'ifconfig iwm0 nwid bar' command will now disable automatic
network selection and force the use of ESSID 'bar'.
Any of these commands will re-enable automatic network selection:
ifconfig iwm0 -nwid
ifconfig iwm0 nwid ''
ifconfig iwm0 join some-network-id

ok phessler@ deraadt@


# 1.87 06-Aug-2018 stsp

Refactor ieee80211_add_ess():

Drop ieee80211_add_ess's nwid parameter. Read nwid and length directly
from the ic to make it more obvious where this function is reading from.

nwids are binary data with an explicit length, so treat them as such
instead of treating them like strings.

ok florian phessler


# 1.86 11-Jul-2018 phessler

Introduce 'auto-join' to the wifi 802.11 stack.

This allows a system to remember which ESSIDs it wants to connect to, any
relevant security configuration, and switch to it when the network we are
currently connected to is no longer available.

Works when connecting and switching between WPA2/WPA1/WEP/clear encryptions.

example hostname.if:
join home wpakey password
join work wpakey mekmitasdigoat
join open-lounge
join cafe wpakey cafe2018
join "wepnetwork" nwkey "12345"
dhcp
inet6 autoconf
up

OK stsp@ reyk@
and enthusiasm from every hackroom I've been in for the last 3 years


# 1.85 26-Apr-2018 pirofti

net80211: stub SIOCS80211SCAN, make ifconfig scan instant.

The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stps@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.

The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.

In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.

The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...

Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.

Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).

Tested by mpi@, landry@, florian@, thanks!
OK mpi@.


Revision tags: OPENBSD_6_3_BASE
# 1.84 05-Feb-2018 stsp

Add a new function hook to struct ieee80211com which wireless drivers
can use to process, and then acknowledge or reject, incoming AUTH
requests in hostap mode.

net80211 accepts an AUTH request from any STA which fits into the node
cache. This behaviour doesn't work for devices which have a lower limit
on concurrent STAs they can serve, so such drivers need an override.

This will be used by our athn(4) USB driver soon.

ok kevlo@


# 1.83 12-Dec-2017 stsp

Make IEEE80211_CHAN_ANYC be a NULL pointer instead of a pointer to 0xffff.
Should speed up debugging.
ok phessler patrick


# 1.82 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


# 1.81 06-Nov-2017 phessler

move a function declaration, so the whole net80211 stack can disable wep or wpa

OK stsp@


# 1.80 29-Oct-2017 mpi

Kill unused members using forward declaration only types.

Found with ctfconv(1). ok jsg@, guenther@


Revision tags: OPENBSD_6_2_BASE
# 1.79 31-May-2017 stsp

The net80211 stack was providing a 'beacon miss timeout' value (in ms)
which specified how much time may elapse without beacons before drivers
begin searching for a new AP.

Drivers convert this timeout value into the amount of beacons they're allowed
to miss. Having the stack provide this number upfront simplifies things.

ok mpi@


# 1.78 30-May-2017 stsp

Introduce ieee80211_min_basic_rate() and ieee80211_max_basic_rate().

These helpers can be used by drivers to improve compatibility with APs
that disable some mandatory PHY rates in the basic rate set.

For instance, many of our drivers hard-code 11b rates on 2 GHz and run
into problems when APs disable them. Since 11b rates are being disabled
by default by some vendors, hardcoding them is not a good idea anymore.

ok mpi@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.77 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.76 30-Jan-2017 stsp

Enable ieee80211_edca_table, which was under #if 0. This table can be used
by drivers to pass default EDCA parameters to firmware instead of passing
local hardcoded values.
ok millert@


# 1.75 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.74 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.73 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@


Revision tags: OPENBSD_6_0_BASE
# 1.72 21-May-2016 stsp

Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.71 25-Jan-2016 stsp

Keep track of HT protection settings in beacons and have 11n-capable
drivers update hardware configuration accordingly.
tested by myself, tb@, deraadt@, abieber@
ok mpi@


# 1.70 12-Jan-2016 stsp

Remove wireless turbo mode support. It is a non-standard extension
which only worked with ath(4) devices from a decade ago.
Diff tested on ath(4) hardware by me to verify that 11a/b modes still work.
ok reyk deraadt chris sthen kettenis


# 1.69 06-Jan-2016 stsp

Initialize the A-MPDU parameters field in HT capability elements.
ok kettenis@


# 1.68 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.67 15-Nov-2015 stsp

Expose 11n mode to the ifmedia layer and introduce the concept of MCS.
Make sure 11n features are enabled only if media type is autoselect or 11n.

11n mode uses MCS (modulation & coding scheme) instead of rates like 11a/b/g.
This means we'll have to take the current mode into account and decide whether
to use a rate or an MCS for transmission. Receiving frames on legacy rates
will still work in 11n mode. We just won't be using legacy rates to send
data frames to an STA or AP we negotiated 11n features with.

My initial plan was to grow the ieee80211_rateset structure and treat MCS
just like rates. However, ieee80211_rateset corresponds to rates and xrates
elements in management frames and is copied directly into such elements
so its size cannot change. Thus, MCS stands on its own and corresponds to
elements in management frames related to 11n HT capabilities.

ok deraadt mpi phessler kettenis guenther


# 1.66 15-Nov-2015 stsp

Declare 802.11n mode and channel flags. Tweak 11n related fields in struct
ieee80211com and move them inside #ifndef IEEE80211_NO_HT without breaking
the build in rsu(4) for RAMDISK_CD.
Also declare 11n protection modes and MCS count.
ok deraadt mpi kettenis guenther


# 1.65 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


# 1.64 27-Sep-2015 stsp

Add ieee80211_channel_init(), factored out from ieee80211_ifattach().
Will be used by iwm(4) soon.
ok kettenis@


# 1.63 11-Sep-2015 stsp

Make room for media types of the future. Extend the ifmedia word to 64 bits.
This changes numbers of the SIOCSIFMEDIA and SIOCGIFMEDIA ioctls and
grows struct ifmediareq.

Old ifconfig and dhclient binaries can still assign addresses, however
the 'media' subcommand stops working. Recompiling ifconfig and dhclient
with new headers before a reboot should not be necessary unless in very
special circumstances where non-default media settings must be used to
get link and console access is not available.

There may be some MD fallout but that will be cleared up later.

ok deraadt miod
with help and suggestions from several sharks attending l2k15


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE OPENBSD_5_6_BASE OPENBSD_5_7_BASE OPENBSD_5_8_BASE
# 1.62 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE
# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.60 19-May-2009 damien

prevent injection of raw 802.11 control frames through bpf on drivers
that do not explicitly state this capability (using flag IEEE80211_C_RAWCTL).
also, perform all the sanity checks on injected raw 802.11 frames earlier
(in ieee80211_output instead of ieee80211_encap).

prevent kernel panics with many drivers when running aircrack-ng.
when/if all drivers are capable, we can remove this C_RAWCTL flag.


# 1.59 26-Mar-2009 damien

move #define IEEE80211_NO_HT under #ifdef SMALL_KERNEL instead
of defining it unconditionally.
although the HT code is not ready yet, making it compile on
GENERIC kernels will help catch regressions/bugs if any.


Revision tags: OPENBSD_4_5_BASE
# 1.58 08-Feb-2009 damien

initial 802.11 defragmentation bits.
the code will allow the concurrent reception of fragments of three
fragmented MSDUs or MMPDUs as required by the 802.11 standard.


# 1.57 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.56 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.55 13-Nov-2008 djm

use different TSCs when sending the two MIC failure report frames
to our AP as we enter TKIP countermeasures by caching the TSC of
the last frame to fail the MIC; prompted by and ok damien@


# 1.54 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.53 08-Sep-2008 jsg

define IEEE80211_STA_ONLY if SMALL_KERNEL is defined to shrink
the size of install media.

ok damien@ deraadt@


# 1.52 01-Sep-2008 damien

add ic_tid_noack bitmap to indicate a per-TID ACK policy (1=no ack,
0=normal ack). all bits are currently set to 0.
use this bitmap to set the ACK policy of the QoS control field of
outgoing QoS frames.


# 1.51 01-Sep-2008 damien

rework previously unused ieee80211_pwrsave() function, call it from
ieee80211_mgmt_output() and ieee80211_encap().
use new IEEE80211_C_APPMGT capability flag where appropriate.
rename ic_tim_mcast to ic_tim_mcast_pending.


# 1.50 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.49 29-Aug-2008 damien

garbage collect unused capabilities and configurations flags.
add two capabilities flags: IEEE80211_C_HT for HT STAs (802.11n)
and IEEE80211_C_APPMGT which indicates the capability for an AP
to buffer unicast and multicast traffic for STAs in PS mode.
all drivers claiming HostAP support should support that but the
truth is that none of them do.
most of them are still at the 802.11b-only era and do not update
dynamic parts of beacons or process frames from ic_pwrsaveq.


# 1.48 27-Aug-2008 damien

move definitions of channels attributes away from ieee80211.h such
that ieee80211.h contains only definitions that are part of the
802.11 standard and not constants used internally by net80211.
because channels attributes are exported to userland through the
radiotap BPF interface, add the definitions to ieee80211_radiotap.h
too (which must be kept in sync with what is used in net80211).
also, do not export combinations of channel attributes to userland
so that no one gets stupid ideas.


# 1.47 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.46 12-Aug-2008 damien

nuke unused fields.


# 1.45 12-Aug-2008 damien

add IEEE80211_F_MFPR config flags (management frame protection required)
and IEEE80211_C_MFP capability bit (driver supports MFP).


# 1.44 12-Aug-2008 damien

extend the ic_nw_keys[] array to 6 elements.
indices 0-3 will be used for group data keys while indices 4-5 will
be used for integrity group keys.
add a ic_rsngroupmgmtcipher field too.


# 1.43 12-Aug-2008 damien

Change the way we process EAPOL-Key frames.
Free the mbuf in the ieee80211_eapol_key_input() function.
Do not assume the frame is contiguous, call m_pullup2() if it is not.
We need the frame to be contiguous to process KDEs efficiently in
EAPOL-Key frames (just like we process IEs in management frames).
However, there are drivers like upgt(4) that use m_devget() in the
RX path. m_devget() can return fragmented mbuf chains.
Notice that we should do the same m_pullup2() for management frames.
This will be done later.
Remove the ic_recv_eapol callback.


Revision tags: OPENBSD_4_4_BASE
# 1.42 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.41 27-Jul-2008 damien

sanitize RX path a bit.
make sure drivers pass a contiguous header, check header length earlier.
fix checking of frames sequence number for frames containing an Address 4
field (required for future work).
fix processing of control frames (only pspoll for now).


# 1.40 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.39 21-Jul-2008 damien

instead of passing rx tstamp and rssi to the ieee80211_input function,
pass a pointer to an ieee80211_rxinfo structure containing those two
fields plus an extra flags field that indicates whether the frame was
decrypted by hardware or not.
required for a future fix.


# 1.38 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.37 17-Nov-2007 damien

make it clear in the code and in the man page that the rate2plcp and
plcp2rate functions use plcp codes in most-significant-bit-first format
(R4-R1).
some drivers like wpi(4) and iwn(4) want plcp codes in lsb-first format
so they can't use those functions.
also the IEEE standard uses R1-R4 notation so this can be a bit confusing
for those referring to it.

use u_int8_t for plcp code and rate instead of int.


# 1.36 14-Nov-2007 mglocker

Add ieee80211_rate2plcp() and ieee80211_plcp2rate() functions, which
convert the PLCP header signal field to a rate value and vice versa.

This implementation has been discussed with Damien and doesn't change
any existing net80211 structures.

ok damien@


# 1.35 03-Nov-2007 mglocker

Revert last commit which added ieee80211_rate2plcp() and
ieee80211_plcp2rate() because I've got late feedback from Damien that
he dislikes the implementation method a lot.


# 1.34 01-Nov-2007 mglocker

Add ieee80211_rate2plcp() and ieee80211_plcp2rate() functions.

Help and OK reyk@


# 1.33 22-Aug-2007 damien

- add k_rxmic and k_txmic fields to struct ieee80211_key to store the
Tx/Rx MIC for TKIP.
- add two functions to map a PTK and a GTK to an IEEE 802.11 key and
use them in ieee80211_input.c instead of duplicating the same code.
properly set Tx/Rx MIC in the IEEE 802.11 key in the case of TKIP.
- add ic_psk to struct ieee80211com to store the pre-shared key.
- fix setting of the SECURE bit in outgoing EAPOL-Key frames.
- when receiving msg 2 of the 4-way handshake, deauthenticate the
station if the RSN IE does not match that of the (Re)Association
request.
- before parsing an RSN or WPA IE, check that there's enough room for
the version field (2 bytes) which is mandatory.
- various tweaks while i'm here.


Revision tags: OPENBSD_4_2_BASE
# 1.32 28-Jul-2007 damien

add callbacks that drivers must implement to install/reset keys.
add a 64-bit replay counter for sending EAPOL-Key request frames.
add a ic_recv_eapol callback to process EAPOL frames.
drivers can redefine this callback but net80211 will implement it.


# 1.31 24-Jul-2007 damien

add ic_globalcnt to struct ieee80211com:
in an RSNA, each STA must maintain a 256-bit global key counter that
must be initialized to a random value (see 8.5.7).


# 1.30 18-Jul-2007 damien

replace the ieee80211_wepkey structure with a more generic ieee80211_key
one that can be used with other ciphers than WEP.


# 1.29 05-Jul-2007 damien

split ieee80211_add_rsn() so that the code can be reused for
vendor-specific IE.


# 1.28 04-Jul-2007 damien

add RSN flags for ic_caps and ic_flags.


# 1.27 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.26 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.25 21-Jun-2007 damien

add (currently unused) code to parse RSN IEs.


# 1.24 21-Jun-2007 damien

add fields for EDCA.


# 1.23 17-Jun-2007 damien

Add a new capability flag IEEE80211_C_QOS indicating that the driver
supports QoS.
Add a new flag IEEE80211_F_QOS indicating whether QoS is enabled or not.
Add a callback to notify drivers that AC parameters have changed in
the QBSS. Drivers implementing QoS should define this callback and
update their EDCA settings accordingly.


# 1.22 16-Jun-2007 damien

constify


# 1.21 11-Jun-2007 damien

adds 802.11e EDCA tables for QAPs and non-AP QSTAs.
not used yet.

ok jsg@ deraadt@


# 1.20 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.19 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 19-Oct-2006 tom

s/Mhz/MHz/ in comments and printf() strings

ok jsg@


Revision tags: OPENBSD_4_0_BASE
# 1.16 27-Jun-2006 reyk

add the net80211 hostap options "nwflag hidenwid" for hidden SSID mode
and "nwflag nobridge" to prevent inter-station communications.
"hidenwid" will also work with wi(4) to replace the old -E 3 option of
wicontrol.

ok damien@ jmc@


# 1.15 24-Jun-2006 deraadt

ieee80211_cfgget() and ieee80211_cfgset() are dead; ok jsg


# 1.14 23-Jun-2006 reyk

add an optional max_rssi attribute to the ieee80211com structure and
allow to export the RSSI Max value with ioctls and by radiotap
headers.

ok damien@ jsg@

description:

we currently use "dB" as an indication for the signal strength in
ifconfig and in the radiotap headers. it means "decibel difference
from an arbitrary, fixed reference". this is quite confusing, because
different chipsets have different references for the dB/rssi values.

we can use the plain RSSI which is described in IEEE 802.11: "The
receive signal strength indicator (RSSI) is an optional parameter that
has a value of 0 through RSSI Max.". all wireless chipsets have
something like a RSSI (normally as a Rx descriptor field), but the
value for RSSI Max is chipset-specific.

if we know the RSSI Max, we can calculate a percentage which is much
easier to understand for the user. we even don't have to use the
absolute RSSI Max, we can use an average RSSI Max, figured out by
monitoring and tuning the RSSI Max of the drivers. if the user gets a
signal of 110%, it would mean "better than the average Max signal".

there's no need to do any RSSI calculations in the kernel, it just
passes the relative rssi and max_rssi values to userspace. this is
done in the ieee80211_nodereq ioctl structure and possible with a new
radiotap header. the radiotap RSSI header allows to get a flexible but
common signal indicator instead of the complex and unrelated dB/dBm
signal fields. it must include two 8bit values current rssi and RSSI
max.


# 1.13 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.12 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.11 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.10 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.9 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.8 13-May-2005 jsg

do { } while (0) wrappers on debug printf macros. ok reyk@


# 1.7 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.6 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.5 15-Feb-2005 reyk

add the manual tx power option. this is supported by some prism2/2.5/3
cards in hostap mode but it depends on the firmware version. support
for other wireless chipsets will be added in the future using the
net80211-framework.

ok robert@ bob@ danh@, tested by some others


# 1.4 25-Dec-2004 deraadt

in real C, there is not , after the last enum entry; ok reyk


# 1.3 06-Dec-2004 dlg

add a flag that lets a wireless card indicate it can receive probe responses
or beacons on any channel during a scan.

ok damien@ "come on" deraadt@


# 1.2 02-Nov-2004 reyk

some changes merged in from netbsd. ieee80211_regdomain.# will be used
by sdr (software defined radios).

ok deraadt@ millert@ damien@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.108 03-Dec-2021 stsp

Introduce an optional driver-specific bgscan_done() handler which
allows the driver to take control of the roaming teardown sequence.
This handler allows drivers to ensure that race conditions between
firmware state and net80211 state are avoided, and will be used by
the iwm(4) and iwx(4) drivers soon.

Split the existing roaming teardown sequence into two steps, one step
for tearing down Tx block ack sessions which sends a DELBA frame, and a
second step for flushing Tx rings followed by sending a DEAUTH frame.
We used to queue both frames, expecting to switch APs once both were sent.
Now we effectively expect everything to be sent before we queue a final
DEAUTH frame, and wait for just this frame to be sent before switching.
This already made issues on iwm/iwx less frequent but by itself this was
not enough to close all races for those drivers. It should however help
when adding background scan support to a non-firmware device driver.

Tested, with driver patches:
iwm 8265: Aaron Poffenberger, stsp
iwm 9260: florian
iwm 9560: sthen
iwx ax200: jmc, stsp


# 1.107 11-Oct-2021 stsp

Monitor 20/40 MHz channel width changes in beacons sent by our access point
and notify drivers when the channel width has changed.


# 1.106 11-Oct-2021 stsp

Add support for 40MHz channels to net80211 RA.

For the moment we use either the 40MHz rate set or the 20 MHz one,
depending on whether our peer supports 40MHz channels.
If this turns out to be suboptimal we could probe the 40MHz and 20MHz
rate sets separately to detect which one works better.

The same applies to use of the short guard interval (SGI), which is
either always on or off at the moment. Again, probing for this could
be added later if needed.


# 1.105 23-Sep-2021 stsp

Add an ADDBA_OFFLOAD capability for wifi devices which manage Tx block ack
sessions entirely in firmware. This will be used by iwx(4).


Revision tags: OPENBSD_7_0_BASE
# 1.104 17-May-2021 stsp

put unused 802.11 fragmentation support code under #ifdef notyet


# 1.103 29-Apr-2021 stsp

Make iwn, iwm, and iwx keep track of beacon parameters at run-time.

- HT protection settings (this was already implemented)
- ERP (11g) protection setting
- short slottime setting
- short preamble setting
- EDCA (QoS) parameters

All of these parameters are communicated in beacons and hardware is
now kept up-to-date with them.

Prompted by a problem report from Christian Ehrhardt regarding ERP.

Tested:
iwn 6205: stsp, Josh Grosse
iwm 7265: trondd
iwm 8265: stsp, Matthias Schmidt
iwm 9260: phessler
iwx ax200: stsp, jmc, gnezdo


Revision tags: OPENBSD_6_8_BASE OPENBSD_6_9_BASE
# 1.102 15-Jul-2020 cheloha

ieee80211: track micfail timeout with getuptime(9) instead of ticks

With input from stsp@.

ok stsp@


Revision tags: OPENBSD_6_7_BASE
# 1.101 09-Nov-2019 stsp

Give access points which fail to AUTH or ASSOC less priority during
the next selection of networks from the join list. Prevents endless
attempts to connect to an AP which is out of reach but still somehow
manages to get a beacon or two across to us during scan.

Tested with wifi networks at the University of Bucharest.
Makes switching wifi networks possible after walking to a different
room without having to down/up the interface or suspend/resume.

ok phessler@


# 1.100 09-Nov-2019 stsp

Trigger a background scan when root runs the 'ifconfig scan' command.
This will update the list of cached APs for future invocations of the
'scan' command, and will force a search for a better AP to roam to.
ok sthen@ phessler@


# 1.99 06-Nov-2019 stsp

Raise net80211's "beacon miss" threshold to avoid frequent re-connects
to APs that are relatively far away and suffer some packet loss.

The former threshold was 7 beacons (about 700 ms).
This raises the threshold to 30 beacons (about 3 seconds).
Should still be good enough for detecting APs that have disappeared, and
makes wifi networks provided by the University of Bucharest more reliable
in the p2k19 hackroom.

While here, make 'ifconfig iwm0/iwn0 debug' print an obvious message when
we believe that the AP has disappeared.

Problem reported and fix tested by landry@ / pirofti@
ok mpi@ sthen@


# 1.98 31-Oct-2019 stsp

Make background scans less frequent if we keep choosing the same AP.

This helps a bit in situations where a single AP is used and background scans
are causing packet loss, as seen with Jesper Wallin's Broadcom-based AP and my
Android phone in hotspot mode. This is not a proper fix but our background scan
frequency against a single AP was much higher than needed anyway.

Tested by jan, job, benno, Tracey Emery, Jesper Wallin


Revision tags: OPENBSD_6_6_BASE
# 1.97 29-Jul-2019 stsp

Add support for 802.11n Tx aggregation to net80211 and the iwn(4) driver.

In particular, add Tx block ack session management to net80211, with
enough functionality to support Tx aggregation on devices which perform
A-MPDU subframe scheduling in firmware.
Make use of the iwn(4) firmware Tx scheduler to build A-MPDUs.

net80211's QoS support code is now enabled and used by Tx aggregation.

A-MSDU frames inside A-MPDUs have been tested and work in principle.
For now, this feature is disabled because unfair TCP connection sharing
was observed during testing, where bursts of TCP Ack frames for a single
tcpbench(1) connection arriving in A-MSDUs made other TCP connections stall.
Switch off support for A-MSDUs inside A-MPDUs on the Rx side as well.

Tested on iwn chipsets 1000, 4965, 5100, 5300, 2200, 6200, 6205, 6300
(committed version of tested diff has all debug printfs removed)
tests/ok benno kmos mlarkin kevlo


# 1.96 12-May-2019 stsp

Fix 'ifconfig nwflags'; These flags ended up overlapping with other flags
in ieee80211com's ic_flags because we haven't been paying attention to
them (they're not in the same place in the code and hence easy to miss).
Move them to a dedicated variable to avoid this problem in the future.

Add a new 'stayauth' nwflag which can be set to let net80211 ignore
deauth frames. This can be useful when deauth frames are being
persistently spoofed by an attacker. Idea from beck@

ok beck@ phessler@


Revision tags: OPENBSD_6_5_BASE
# 1.95 01-Mar-2019 stsp

Improve handling of HT protection for 'mode 11n' hostap.

Consider the mere presence of HTCAP IEs as indicator of 11n support,
rather than checking advertised Rx MCS. Fixes some devices being
misclassified as 11a/g, causing HT protection to be enabled even
though it is not needed.

Use CTS-to-self frames for HT protection instead of RTS/CTS.

These changes make my athn(4) AR9280 hostap perform much better.

ok phessler@


# 1.94 19-Feb-2019 stsp

Make ifconfig(8) display whether bwfm(4) firmware is using 802.11ac.
ok patrick@ mpi@


# 1.93 18-Jan-2019 phessler

add a len field when we delete an essid from the joinlist. this will have
us properly match, instead of hoping we got lucky when selecting it.

OK stsp@


# 1.92 27-Oct-2018 phessler

pass around the ess and ni structures we plan to use directly, instead
of rediscovering them (possibly badly).

OK stsp@


Revision tags: OPENBSD_6_4_BASE
# 1.91 11-Sep-2018 krw

Nuke unused LIST() ieee80211com_head.

ok stsp@


# 1.90 10-Sep-2018 phessler

give set_ess a len variable, so we can correctly match the essid we want
to switch to.

pointed out by stsp@


# 1.89 09-Sep-2018 phessler

convert the things we save in 'join' into a single ioctl. mixing related
settings over multiple calls was risky and racy. Pass essid, wpa, and wep
parameters in a single ioctl and process it atomically.

no change for 'nwid' users

OK stsp@ benno@


# 1.88 01-Sep-2018 stsp

Make 'ifconfig nwid' override 'ifconfig join'.

There was no way to override a decision made by join's network
selection algorithm (apart from disabling the feature by clearing
the join list). Automatic selection is based on heuristics which
cannot always guess correctly so we need to provide an override.

One specific problem was that if 'nwid foo' and 'nwid bar' were
both visible in the scan and only 'nwid foo' was a member of the
join list, then there was no way at all to connect to 'nwid bar'.
The wireless stack would keep selecting 'nwid foo' instead.

'ifconfig iwm0 nwid bar' command will now disable automatic
network selection and force the use of ESSID 'bar'.
Any of these commands will re-enable automatic network selection:
ifconfig iwm0 -nwid
ifconfig iwm0 nwid ''
ifconfig iwm0 join some-network-id

ok phessler@ deraadt@


# 1.87 06-Aug-2018 stsp

Refactor ieee80211_add_ess():

Drop ieee80211_add_ess's nwid parameter. Read nwid and length directly
from the ic to make it more obvious where this function is reading from.

nwids are binary data with an explicit length, so treat them as such
instead of treating them like strings.

ok florian phessler


# 1.86 11-Jul-2018 phessler

Introduce 'auto-join' to the wifi 802.11 stack.

This allows a system to remember which ESSIDs it wants to connect to, any
relevant security configuration, and switch to it when the network we are
currently connected to is no longer available.

Works when connecting and switching between WPA2/WPA1/WEP/clear encryptions.

example hostname.if:
join home wpakey password
join work wpakey mekmitasdigoat
join open-lounge
join cafe wpakey cafe2018
join "wepnetwork" nwkey "12345"
dhcp
inet6 autoconf
up

OK stsp@ reyk@
and enthusiasm from every hackroom I've been in for the last 3 years


# 1.85 26-Apr-2018 pirofti

net80211: stub SIOCS80211SCAN, make ifconfig scan instant.

The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stsp@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.

The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.

In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.

The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...

Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.

Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).

Tested by mpi@, landry@, florian@, thanks!
OK mpi@.


Revision tags: OPENBSD_6_3_BASE
# 1.84 05-Feb-2018 stsp

Add a new function hook to struct ieee80211com which wireless drivers
can use to process, and then acknowledge or reject, incoming AUTH
requests in hostap mode.

net80211 accepts an AUTH request from any STA which fits into the node
cache. This behaviour doesn't work for devices which have a lower limit
on concurrent STAs they can serve, so such drivers need an override.

This will be used by our athn(4) USB driver soon.

ok kevlo@


# 1.83 12-Dec-2017 stsp

Make IEEE80211_CHAN_ANYC be a NULL pointer instead of a pointer to 0xffff.
Should speed up debugging.
ok phessler patrick


# 1.82 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


# 1.81 06-Nov-2017 phessler

move a function declaration, so the whole net80211 stack can disable wep or wpa

OK stsp@


# 1.80 29-Oct-2017 mpi

Kill unused members using forward declaration only types.

Found with ctfconv(1). ok jsg@, guenther@


Revision tags: OPENBSD_6_2_BASE
# 1.79 31-May-2017 stsp

The net80211 stack was providing a 'beacon miss timeout' value (in ms)
which specified how much time may elapse without beacons before drivers
begin searching for a new AP.

Drivers convert this timeout value into the amount of beacons they're allowed
to miss. Having the stack provide this number upfront simplifies things.

ok mpi@


# 1.78 30-May-2017 stsp

Introduce ieee80211_min_basic_rate() and ieee80211_max_basic_rate().

These helpers can be used by drivers to improve compatibility with APs
that disable some mandatory PHY rates in the basic rate set.

For instance, many of our drivers hard-code 11b rates on 2 GHz and run
into problems when APs disable them. Since 11b rates are being disabled
by default by some vendors, hardcoding them is not a good idea anymore.

ok mpi@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.77 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.76 30-Jan-2017 stsp

Enable ieee80211_edca_table, which was under #if 0. This table can be used
by drivers to pass default EDCA parameters to firmware instead of passing
local hardcoded values.
ok millert@


# 1.75 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.74 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.73 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@


Revision tags: OPENBSD_6_0_BASE
# 1.72 21-May-2016 stsp

Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.71 25-Jan-2016 stsp

Keep track of HT protection settings in beacons and have 11n-capable
drivers update hardware configuration accordingly.
tested by myself, tb@, deraadt@, abieber@
ok mpi@


# 1.70 12-Jan-2016 stsp

Remove wireless turbo mode support. It is a non-standard extension
which only worked with ath(4) devices from a decade ago.
Diff tested on ath(4) hardware by me to verify that 11a/b modes still work.
ok reyk deraadt chris sthen kettenis


# 1.69 06-Jan-2016 stsp

Initialize the A-MPDU parameters field in HT capability elements.
ok kettenis@


# 1.68 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.67 15-Nov-2015 stsp

Expose 11n mode to the ifmedia layer and introduce the concept of MCS.
Make sure 11n features are enabled only if media type is autoselect or 11n.

11n mode uses MCS (modulation & coding scheme) instead of rates like 11a/b/g.
This means we'll have to take the current mode into account and decide whether
to use a rate or an MCS for transmission. Receiving frames on legacy rates
will still work in 11n mode. We just won't be using legacy rates to send
data frames to an STA or AP we negotiated 11n features with.

My initial plan was to grow the ieee80211_rateset structure and treat MCS
just like rates. However, ieee80211_rateset corresponds to rates and xrates
elements in management frames and is copied directly into such elements
so its size cannot change. Thus, MCS stands on its own and corresponds to
elements in management frames related to 11n HT capabilities.

ok deraadt mpi phessler kettenis guenther


# 1.66 15-Nov-2015 stsp

Declare 802.11n mode and channel flags. Tweak 11n related fields in struct
ieee80211com and move them inside #ifndef IEEE80211_NO_HT without breaking
the build in rsu(4) for RAMDISK_CD.
Also declare 11n protection modes and MCS count.
ok deraadt mpi kettenis guenther


# 1.65 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


# 1.64 27-Sep-2015 stsp

Add ieee80211_channel_init(), factored out from ieee80211_ifattach().
Will be used by iwm(4) soon.
ok kettenis@


# 1.63 11-Sep-2015 stsp

Make room for media types of the future. Extend the ifmedia word to 64 bits.
This changes numbers of the SIOCSIFMEDIA and SIOCGIFMEDIA ioctls and
grows struct ifmediareq.

Old ifconfig and dhclient binaries can still assign addresses, however
the 'media' subcommand stops working. Recompiling ifconfig and dhclient
with new headers before a reboot should not be necessary unless in very
special circumstances where non-default media settings must be used to
get link and console access is not available.

There may be some MD fallout but that will be cleared up later.

ok deraadt miod
with help and suggestions from several sharks attending l2k15


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE OPENBSD_5_6_BASE OPENBSD_5_7_BASE OPENBSD_5_8_BASE
# 1.62 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE
# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.60 19-May-2009 damien

prevent injection of raw 802.11 control frames through bpf on drivers
that do not explicitly state this capability (using flag IEEE80211_C_RAWCTL).
also, perform all the sanity checks on injected raw 802.11 frames earlier
(in ieee80211_output instead of ieee80211_encap).

prevent kernel panics with many drivers when running aircrack-ng.
when/if all drivers are capable, we can remove this C_RAWCTL flag.


# 1.59 26-Mar-2009 damien

move #define IEEE80211_NO_HT under #ifdef SMALL_KERNEL instead
of defining it unconditionally.
although the HT code is not ready yet, making it compile on
GENERIC kernels will help catch regressions/bugs if any.


Revision tags: OPENBSD_4_5_BASE
# 1.58 08-Feb-2009 damien

initial 802.11 defragmentation bits.
the code will allow the concurrent reception of fragments of three
fragmented MSDUs or MMPDUs as required by the 802.11 standard.


# 1.57 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.56 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.55 13-Nov-2008 djm

use different TSCs when sending the two MIC failure report frames
to our AP as we enter TKIP countermeasures by caching the TSC of
the last frame to fail the MIC; prompted by and ok damien@


# 1.54 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.53 08-Sep-2008 jsg

define IEEE80211_STA_ONLY if SMALL_KERNEL is defined to shrink
the size of install media.

ok damien@ deraadt@


# 1.52 01-Sep-2008 damien

add ic_tid_noack bitmap to indicate a per-TID ACK policy (1=no ack,
0=normal ack). all bits are currently set to 0.
use this bitmap to set the ACK policy of the QoS control field of
outgoing QoS frames.


# 1.51 01-Sep-2008 damien

rework previously unused ieee80211_pwrsave() function, call it from
ieee80211_mgmt_output() and ieee80211_encap().
use new IEEE80211_C_APPMGT capability flag where appropriate.
rename ic_tim_mcast to ic_tim_mcast_pending.


# 1.50 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.49 29-Aug-2008 damien

garbage collect unused capabilities and configurations flags.
add two capabilities flags: IEEE80211_C_HT for HT STAs (802.11n)
and IEEE80211_C_APPMGT which indicates the capability for an AP
to buffer unicast and multicast traffic for STAs in PS mode.
all drivers claiming HostAP support should support that but the
truth is that none of them do.
most of them are still at the 802.11b-only era and do not update
dynamic parts of beacons or process frames from ic_pwrsaveq.


# 1.48 27-Aug-2008 damien

move definitions of channels attributes away from ieee80211.h such
that ieee80211.h contains only definitions that are part of the
802.11 standard and not constants used internally by net80211.
because channels attributes are exported to userland through the
radiotap BPF interface, add the definitions to ieee80211_radiotap.h
too (which must be kept in sync with what is used in net80211).
also, do not export combinations of channel attributes to userland
so that no one gets stupid ideas.


# 1.47 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.46 12-Aug-2008 damien

nuke unused fields.


# 1.45 12-Aug-2008 damien

add IEEE80211_F_MFPR config flags (management frame protection required)
and IEEE80211_C_MFP capability bit (driver supports MFP).


# 1.44 12-Aug-2008 damien

extend the ic_nw_keys[] array to 6 elements.
indices 0-3 will be used for group data keys while indices 4-5 will
be used for integrity group keys.
add a ic_rsngroupmgmtcipher field too.


# 1.43 12-Aug-2008 damien

Change the way we process EAPOL-Key frames.
Free the mbuf in the ieee80211_eapol_key_input() function.
Do not assume the frame is contiguous, call m_pullup2() if it is not.
We need the frame to be contiguous to process KDEs efficiently in
EAPOL-Key frames (just like we process IEs in management frames).
However, there are drivers like upgt(4) that use m_devget() in the
RX path. m_devget() can return fragmented mbuf chains.
Notice that we should do the same m_pullup2() for management frames.
This will be done later.
Remove the ic_recv_eapol callback.


Revision tags: OPENBSD_4_4_BASE
# 1.42 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.41 27-Jul-2008 damien

sanitize RX path a bit.
make sure drivers pass a contiguous header, check header length earlier.
fix checking of frames sequence number for frames containing an Address 4
field (required for future work).
fix processing of control frames (only pspoll for now).


# 1.40 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.39 21-Jul-2008 damien

instead of passing rx tstamp and rssi to the ieee80211_input function,
pass a pointer to an ieee80211_rxinfo structure containing those two
fields plus an extra flags field that indicates whether the frame was
decrypted by hardware or not.
required for a future fix.


# 1.38 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.37 17-Nov-2007 damien

make it clear in the code and in the man page that the rate2plcp and
plcp2rate functions use plcp codes in most-significant-bit-first format
(R4-R1).
some drivers like wpi(4) and iwn(4) want plcp codes in lsb-first format
so they can't use those functions.
also the IEEE standard uses R1-R4 notation so this can be a bit confusing
for those referring to it.

use u_int8_t for plcp code and rate instead of int.


# 1.36 14-Nov-2007 mglocker

Add ieee80211_rate2plcp() and ieee80211_plcp2rate() functions, which
convert the PLCP header signal field to a rate value and vice versa.

This implementation has been discussed with Damien and doesn't change
any existing net80211 structures.

ok damien@


# 1.35 03-Nov-2007 mglocker

Revert last commit which added ieee80211_rate2plcp() and
ieee80211_plcp2rate() because I've got a late feedback from Damien that
he dislikes the implementation method a lot.


# 1.34 01-Nov-2007 mglocker

Add ieee80211_rate2plcp() and ieee80211_plcp2rate() functions.

Help and OK reyk@


# 1.33 22-Aug-2007 damien

- add k_rxmic and k_txmic fields to struct ieee80211_key to store the
Tx/Rx MIC for TKIP.
- add two functions to map a PTK and a GTK to an IEEE 802.11 key and
use them in ieee80211_input.c instead of duplicating the same code.
properly set Tx/Rx MIC in the IEEE 802.11 key in the case of TKIP.
- add ic_psk to struct ieee80211com to store the pre-shared key.
- fix setting of the SECURE bit in outgoing EAPOL-Key frames.
- when receiving msg 2 of the 4-way handshake, deauthenticate the
station if the RSN IE does not match that of the (Re)Association
request.
- before parsing an RSN or WPA IE, check that there's enough room for
the version field (2 bytes) which is mandatory.
- various tweaks while i'm here.


Revision tags: OPENBSD_4_2_BASE
# 1.32 28-Jul-2007 damien

add callbacks that drivers must implement to install/reset keys.
add a 64-bit replay counter for sending EAPOL-Key request frames.
add a ic_recv_eapol callback to process EAPOL frames.
drivers can redefine this callback but net80211 will implement it.


# 1.31 24-Jul-2007 damien

add ic_globalcnt to struct ieee80211com:
in an RSNA, each STA must maintain a 256-bit global key counter that
must be initialized to a random value (see 8.5.7).


# 1.30 18-Jul-2007 damien

replace the ieee80211_wepkey structure with a more generic ieee80211_key
one that can be used with other ciphers than WEP.


# 1.29 05-Jul-2007 damien

split ieee80211_add_rsn() so that the code can be reused for
vendor-specific IE.


# 1.28 04-Jul-2007 damien

add RSN flags for ic_caps and ic_flags.


# 1.27 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.26 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.25 21-Jun-2007 damien

add (currently unused) code to parse RSN IEs.


# 1.24 21-Jun-2007 damien

add fields for EDCA.


# 1.23 17-Jun-2007 damien

Add a new capability flag IEEE80211_C_QOS indicating that the driver
supports QoS.
Add a new flag IEEE80211_F_QOS indicating whether QoS is enabled or not.
Add a callback to notify drivers that AC parameters have changed in
the QBSS. Drivers implementing QoS should define this callback and
update their EDCA settings accordingly.


# 1.22 16-Jun-2007 damien

constify


# 1.21 11-Jun-2007 damien

adds 802.11e EDCA tables for QAPs and non-AP QSTAs.
not used yet.

ok jsg@ deraadt@


# 1.20 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.19 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 19-Oct-2006 tom

s/Mhz/MHz/ in comments and printf() strings

ok jsg@


Revision tags: OPENBSD_4_0_BASE
# 1.16 27-Jun-2006 reyk

add the net80211 hostap options "nwflag hidenwid" for hidden SSID mode
and "nwflag nobridge" to prevent inter-station communications.
"hidenwid" will also work with wi(4) to replace the old -E 3 option of
wicontrol.

ok damien@ jmc@


# 1.15 24-Jun-2006 deraadt

ieee80211_cfgget() and ieee80211_cfgset() are dead; ok jsg


# 1.14 23-Jun-2006 reyk

add an optional max_rssi attribute to the ieee80211com structure and
allow to export the RSSI Max value with ioctls and by radiotap
headers.

ok damien@ jsg@

description:

we currently use "dB" as an indication for the signal strength in
ifconfig and in the radiotap headers. it means "decibel difference
from an arbitrary, fixed reference". this is quite confusing, because
different chipsets have different references for the dB/rssi values.

we can use the plain RSSI which is described in IEEE 802.11: "The
receive signal strength indicator (RSSI) is an optional parameter that
has a value of 0 through RSSI Max.". all wireless chipsets have
something like a RSSI (normally as a Rx descriptor field), but the
value for RSSI Max is chipset-specific.

if we know the RSSI Max, we can calculate a percentage which is much
easier to understand for the user. we even don't have to use the
absolute RSSI Max, we can use an average RSSI Max, figured out by
monitoring and tuning the RSSI Max of the drivers. if the user gets a
signal of 110%, it would mean "better than the average Max signal".

there's no need to do any RSSI calculations in the kernel, it just
passes the relative rssi and max_rssi values to userspace. this is
done in the ieee80211_nodereq ioctl structure and possible with a new
radiotap header. the radiotap RSSI header allows to get a flexible but
common signal indicator instead of the complex and unrelated dB/dBm
signal fields. it must include two 8bit values current rssi and RSSI
max.


# 1.13 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.12 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.11 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.10 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.9 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.8 13-May-2005 jsg

do { } while (0) wrappers on debug printf macros. ok reyk@


# 1.7 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.6 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.5 15-Feb-2005 reyk

add the manual tx power option. this is supported by some prism2/2.5/3
cards in hostap mode but it depends on the firmware version. support
for other wireless chipsets will be added in the future using the
net80211-framework.

ok robert@ bob@ danh@, tested by some others


# 1.4 25-Dec-2004 deraadt

in real C, there is not , after the last enum entry; ok reyk


# 1.3 06-Dec-2004 dlg

add a flag that lets a wireless card indicate it can receive probe responses
or beacons on any channel during a scan.

ok damien@ "come on" deraadt@


# 1.2 02-Nov-2004 reyk

some changes merged in from netbsd. ieee80211_regdomain.# will be used
by sdr (software defined radios).

ok deraadt@ millert@ damien@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.109 05-Dec-2021 stsp

Defer rtm_80211info() call from ieee80211_set_link_state() to a task context.

Sending routing messages requires a socket lock which may sleep.
ieee80211_set_link_state() is called from interrupts and timeouts where
sleeping is not allowed. mvs@ pointed out that if_link_state_change()
is already using a task for this reason.

Should fix a witness-related panic reported by cheloha@

ok mvs@ tobhe@ florian@


# 1.108 03-Dec-2021 stsp

Introduce an optional driver-specific bgscan_done() handler which
allows the driver to take control of the roaming teardown sequence.
This handler allows drivers to ensure that race conditions between
firmware state and net80211 state are avoided, and will be used by
the iwm(4) and iwx(4) drivers soon.

Split the existing roaming teardown sequence into two steps, one step
for tearing down Tx block ack sessions which sends a DELBA frame, and a
second step for flushing Tx rings followed by sending a DEAUTH frame.
We used to queue both frames, expecting to switch APs once both were sent.
Now we effectively expect everything to be sent before we queue a final
DEAUTH frame, and wait for just this frame to be sent before switching.
This already made issues on iwm/iwx less frequent but by itself this was
not enough to close all races for those drivers. It should however help
when adding background scan support to a non-firmware device driver.

Tested, with driver patches:
iwm 8265: Aaron Poffenberger, stsp
iwm 9260: florian
iwm 9560: sthen
iwx ax200: jmc, stsp


# 1.107 11-Oct-2021 stsp

Monitor 20/40 MHz channel width changes in beacons sent by our access point
and notify drivers when the channel width has changed.


# 1.106 11-Oct-2021 stsp

Add support for 40MHz channels to net80211 RA.

For the moment we use either the 40MHz rate set or the 20 MHz one,
depending on whether our peer supports 40MHz channels.
If this turns out to be suboptimal we could probe the 40MHz and 20MHz
rate sets separately to detect which one works better.

The same applies to use of the short guard interval (SGI), which is
either always on or off at the moment. Again, probing for this could
be added later if needed.


# 1.105 23-Sep-2021 stsp

Add an ADDBA_OFFLOAD capability for wifi devices which manage Tx block ack
sessions entirely in firmware. This will be used by iwx(4).


Revision tags: OPENBSD_7_0_BASE
# 1.104 17-May-2021 stsp

put unused 802.11 fragmentation support code under #ifdef notyet


# 1.103 29-Apr-2021 stsp

Make iwn, iwm, and iwx keep track of beacon parameters at run-time.

- HT protection settings (this was already implemented)
- ERP (11g) protection setting
- short slottime setting
- short preamble setting
- EDCA (QoS) parameters

All of these parameters are communicated in beacons and hardware is
now kept up-to-date with them.

Prompted by a problem report from Christian Ehrhardt regarding ERP.

Tested:
iwn 6205: stsp, Josh Grosse
iwm 7265: trondd
iwm 8265: stsp, Matthias Schmidt
iwm 9260: phessler
iwx ax200: stsp, jmc, gnezdo


Revision tags: OPENBSD_6_8_BASE OPENBSD_6_9_BASE
# 1.102 15-Jul-2020 cheloha

ieee80211: track micfail timeout with getuptime(9) instead of ticks

With input from stsp@.

ok stsp@


Revision tags: OPENBSD_6_7_BASE
# 1.101 09-Nov-2019 stsp

Give access points which fail to AUTH or ASSOC less priority during
the next selection of networks from the join list. Prevents endless
attempts to connect to an AP which is out of reach but still somehow
manages to get a beacon or two across to us during scan.

Tested with wifi networks at the University of Bucharest.
Makes switching wifi networks possible after walking to a different
room without having to down/up the interface or suspend/resume.

ok phessler@


# 1.100 09-Nov-2019 stsp

Trigger a background scan when root runs the 'ifconfig scan' command.
This will update the list of cached APs for future invocations of the
'scan' command, and will force a search for a better AP to roam to.
ok sthen@ phessler@


# 1.99 06-Nov-2019 stsp

Raise net80211's "beacon miss" threshold to avoid frequent re-connects
to APs that are relatively far away and suffer some packet loss.

The former threshold was 7 beacons (about 700 ms).
This raises the threshold to 30 beacons (about 3 seconds).
Should still be good enough for detecting APs that have disappeared, and
makes wifi networks provided by the University of Bucharest more reliable
in the p2k19 hackroom.

While here, make 'ifconfig iwm0/iwn0 debug' print an obvious message when
we believe that the AP has disappeared.

Problem reported and fix tested by landry@ / pirofti@
ok mpi@ sthen@


# 1.98 31-Oct-2019 stsp

Make background scans less frequent if we keep choosing the same AP.

This helps a bit in situations where a single AP is used and background scans
are causing packet loss, as seen with Jesper Wallin's Broadcom-based AP and my
Android phone in hotspot mode. This is not a proper fix but our background scan
frequency against a single AP was much higher than needed anyway.

Tested by jan, job, benno, Tracey Emery, Jesper Wallin


Revision tags: OPENBSD_6_6_BASE
# 1.97 29-Jul-2019 stsp

Add support for 802.11n Tx aggregation to net80211 and the iwn(4) driver.

In particular, add Tx block ack session management to net80211, with
enough functionality to support Tx aggregation on devices which perform
A-MPDU subframe scheduling in firmware.
Make use of the iwn(4) firmware Tx scheduler to build A-MPDUs.

net80211's QoS support code is now enabled and used by Tx aggregation.

A-MSDU frames inside A-MPDUs have been tested and work in principle.
For now, this feature is disabled because unfair TCP connection sharing
was observed during testing, where bursts of TCP Ack frames for a single
tcpbench(1) connection arriving in A-MSDUs made other TCP connections stall.
Switch off support for A-MSDUs inside A-MPDUs on the Rx side as well.

Tested on iwn chipsets 1000, 4965, 5100, 5300, 2200, 6200, 6205, 6300
(committed version of tested diff has all debug printfs removed)
tests/ok benno kmos mlarkin kevlo


# 1.96 12-May-2019 stsp

Fix 'ifconfig nwflags'. These flags ended up overlapping with other flags
in ieee80211com's ic_flags because we haven't been paying attention to
them (they're not in the same place in the code and hence easy to miss).
Move them to a dedicated variable to avoid this problem in the future.

Add a new 'stayauth' nwflag which can be set to let net80211 ignore
deauth frames. This can be useful when deauth frames are being
persistently spoofed by an attacker. Idea from beck@

ok beck@ phessler@


Revision tags: OPENBSD_6_5_BASE
# 1.95 01-Mar-2019 stsp

Improve handling of HT protection for 'mode 11n' hostap.

Consider the mere presence of HTCAP IEs as indicator of 11n support,
rather than checking advertised Rx MCS. Fixes some devices being
misclassified as 11a/g, causing HT protection to be enabled even
though it is not needed.

Use CTS-to-self frames for HT protection instead of RTS/CTS.

These changes make my athn(4) AR9280 hostap perform much better.

ok phessler@


# 1.94 19-Feb-2019 stsp

Make ifconfig(8) display whether bwfm(4) firmware is using 802.11ac.
ok patrick@ mpi@


# 1.93 18-Jan-2019 phessler

add a len field when we delete an essid from the joinlist. this will have
us properly match, instead of hoping we got lucky when selecting it.

OK stsp@


# 1.92 27-Oct-2018 phessler

pass around the ess and ni structures we plan to use directly, instead
of rediscovering them (possibly badly).

OK stsp@


Revision tags: OPENBSD_6_4_BASE
# 1.91 11-Sep-2018 krw

Nuke unused LIST() ieee80211com_head.

ok stsp@


# 1.90 10-Sep-2018 phessler

give set_ess a len variable, so we can correctly match the essid we want
to switch to.

pointed out by stsp@


# 1.89 09-Sep-2018 phessler

convert the things we save in 'join' into a single ioctl. mixing related
settings over multiple calls was risky and racy. Pass essid, wpa, and wep
parameters in a single ioctl and process it atomically.

no change for 'nwid' users

OK stsp@ benno@


# 1.88 01-Sep-2018 stsp

Make 'ifconfig nwid' override 'ifconfig join'.

There was no way to override a decision made by join's network
selection algorithm (apart from disabling the feature by clearing
the join list). Automatic selection is based on heuristics which
cannot always guess correctly so we need to provide an override.

One specific problem was that if 'nwid foo' and 'nwid bar' were
both visible in the scan and only 'nwid foo' was a member of the
join list, then there was no way at all to connect to 'nwid bar'.
The wireless stack would keep selecting 'nwid foo' instead.

'ifconfig iwm0 nwid bar' command will now disable automatic
network selection and force the use of ESSID 'bar'.
Any of these commands will re-enable automatic network selection:
ifconfig iwm0 -nwid
ifconfig iwm0 nwid ''
ifconfig iwm0 join some-network-id

ok phessler@ deraadt@


# 1.87 06-Aug-2018 stsp

Refactor ieee80211_add_ess():

Drop ieee80211_add_ess's nwid parameter. Read nwid and length directly
from the ic to make it more obvious where this function is reading from.

nwids are binary data with an explicit length, so treat them as such
instead of treating them like strings.

ok florian phessler


# 1.86 11-Jul-2018 phessler

Introduce 'auto-join' to the wifi 802.11 stack.

This allows a system to remember which ESSIDs it wants to connect to, any
relevant security configuration, and switch to it when the network we are
currently connected to is no longer available.

Works when connecting and switching between WPA2/WPA1/WEP/clear encryptions.

example hostname.if:
join home wpakey password
join work wpakey mekmitasdigoat
join open-lounge
join cafe wpakey cafe2018
join "wepnetwork" nwkey "12345"
dhcp
inet6 autoconf
up

OK stsp@ reyk@
and enthusiasm from every hackroom I've been in for the last 3 years


# 1.85 26-Apr-2018 pirofti

net80211: stub SIOCS80211SCAN, make ifconfig scan instant.

The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stsp@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.

The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.

In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.

The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...

Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.

Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).

Tested by mpi@, landry@, florian@, thanks!
OK mpi@.


Revision tags: OPENBSD_6_3_BASE
# 1.84 05-Feb-2018 stsp

Add a new function hook to struct ieee80211com which wireless drivers
can use to process, and then acknowledge or reject, incoming AUTH
requests in hostap mode.

net80211 accepts an AUTH request from any STA which fits into the node
cache. This behaviour doesn't work for devices which have a lower limit
on concurrent STAs they can serve, so such drivers need an override.

This will be used by our athn(4) USB driver soon.

ok kevlo@


# 1.83 12-Dec-2017 stsp

Make IEEE80211_CHAN_ANYC be a NULL pointer instead of a pointer to 0xffff.
Should speed up debugging.
ok phessler patrick


# 1.82 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


# 1.81 06-Nov-2017 phessler

move a function declaration, so the whole net80211 stack can disable wep or wpa

OK stsp@


# 1.80 29-Oct-2017 mpi

Kill unused members using forward declaration only types.

Found with ctfconv(1). ok jsg@, guenther@


Revision tags: OPENBSD_6_2_BASE
# 1.79 31-May-2017 stsp

The net80211 stack was providing a 'beacon miss timeout' value (in ms)
which specified how much time may elapse without beacons before drivers
begin searching for a new AP.

Drivers convert this timeout value into the amount of beacons they're allowed
to miss. Having the stack provide this number upfront simplifies things.

ok mpi@


# 1.78 30-May-2017 stsp

Introduce ieee80211_min_basic_rate() and ieee80211_max_basic_rate().

These helpers can be used by drivers to improve compatibility with APs
that disable some mandatory PHY rates in the basic rate set.

For instance, many of our drivers hard-code 11b rates on 2 GHz and run
into problems when APs disable them. Since 11b rates are being disabled
by default by some vendors, hardcoding them is not a good idea anymore.

ok mpi@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.77 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.76 30-Jan-2017 stsp

Enable ieee80211_edca_table, which was under #if 0. This table can be used
by drivers to pass default EDCA parameters to firmware instead of passing
local hardcoded values.
ok millert@


# 1.75 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.74 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.73 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@


Revision tags: OPENBSD_6_0_BASE
# 1.72 21-May-2016 stsp

Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.71 25-Jan-2016 stsp

Keep track of HT protection settings in beacons and have 11n-capable
drivers update hardware configuration accordingly.
tested by myself, tb@, deraadt@, abieber@
ok mpi@


# 1.70 12-Jan-2016 stsp

Remove wireless turbo mode support. It is a non-standard extension
which only worked with ath(4) devices from a decade ago.
Diff tested on ath(4) hardware by me to verify that 11a/b modes still work.
ok reyk deraadt chris sthen kettenis


# 1.69 06-Jan-2016 stsp

Initialize the A-MPDU parameters field in HT capability elements.
ok kettenis@


# 1.68 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.67 15-Nov-2015 stsp

Expose 11n mode to the ifmedia layer and introduce the concept of MCS.
Make sure 11n features are enabled only if media type is autoselect or 11n.

11n mode uses MCS (modulation & coding scheme) instead of rates like 11a/b/g.
This means we'll have to take the current mode into account and decide whether
to use a rate or an MCS for transmission. Receiving frames on legacy rates
will still work in 11n mode. We just won't be using legacy rates to send
data frames to an STA or AP we negotiated 11n features with.

My initial plan was to grow the ieee80211_rateset structure and treat MCS
just like rates. However, ieee80211_rateset corresponds to rates and xrates
elements in management frames and is copied directly into such elements
so its size cannot change. Thus, MCS stands on its own and corresponds to
elements in management frames related to 11n HT capabilities.

ok deraadt mpi phessler kettenis guenther


# 1.66 15-Nov-2015 stsp

Declare 802.11n mode and channel flags. Tweak 11n related fields in struct
ieee80211com and move them inside #ifndef IEEE80211_NO_HT without breaking
the build in rsu(4) for RAMDISK_CD.
Also declare 11n protection modes and MCS count.
ok deraadt mpi kettenis guenther


# 1.65 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


# 1.64 27-Sep-2015 stsp

Add ieee80211_channel_init(), factored out from ieee80211_ifattach().
Will be used by iwm(4) soon.
ok kettenis@


# 1.63 11-Sep-2015 stsp

Make room for media types of the future. Extend the ifmedia word to 64 bits.
This changes numbers of the SIOCSIFMEDIA and SIOCGIFMEDIA ioctls and
grows struct ifmediareq.

Old ifconfig and dhclient binaries can still assign addresses, however
the 'media' subcommand stops working. Recompiling ifconfig and dhclient
with new headers before a reboot should not be necessary unless in very
special circumstances where non-default media settings must be used to
get link and console access is not available.

There may be some MD fallout but that will be cleared up later.

ok deraadt miod
with help and suggestions from several sharks attending l2k15


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE OPENBSD_5_6_BASE OPENBSD_5_7_BASE OPENBSD_5_8_BASE
# 1.62 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE
# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.60 19-May-2009 damien

prevent injection of raw 802.11 control frames through bpf on drivers
that do not explicitly state this capability (using flag IEEE80211_C_RAWCTL).
also, perform all the sanity checks on injected raw 802.11 frames earlier
(in ieee80211_output instead of ieee80211_encap).

prevent kernel panics with many drivers when running aircrack-ng.
when/if all drivers are capable, we can remove this C_RAWCTL flag.


# 1.59 26-Mar-2009 damien

move #define IEEE80211_NO_HT under #ifdef SMALL_KERNEL instead
of defining it unconditionally.
although the HT code is not ready yet, making it compile on
GENERIC kernels will help catch regressions/bugs if any.


Revision tags: OPENBSD_4_5_BASE
# 1.58 08-Feb-2009 damien

initial 802.11 defragmentation bits.
the code will allow the concurrent reception of fragments of three
fragmented MSDUs or MMPDUs as required by the 802.11 standard.


# 1.57 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.56 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.55 13-Nov-2008 djm

use different TSCs when sending the two MIC failure report frames
to our AP as we enter TKIP countermeasures by caching the TSC of
the last frame to fail the MIC; prompted by and ok damien@


# 1.54 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.53 08-Sep-2008 jsg

define IEEE80211_STA_ONLY if SMALL_KERNEL is defined to shrink
the size of install media.

ok damien@ deraadt@


# 1.52 01-Sep-2008 damien

add ic_tid_noack bitmap to indicate a per-TID ACK policy (1=no ack,
0=normal ack). all bits are currently set to 0.
use this bitmap to set the ACK policy of the QoS control field of
outgoing QoS frames.


# 1.51 01-Sep-2008 damien

rework previously unused ieee80211_pwrsave() function, call it from
ieee80211_mgmt_output() and ieee80211_encap().
use new IEEE80211_C_APPMGT capability flag where appropriate.
rename ic_tim_mcast to ic_tim_mcast_pending.


# 1.50 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.49 29-Aug-2008 damien

garbage collect unused capabilities and configurations flags.
add two capabilities flags: IEEE80211_C_HT for HT STAs (802.11n)
and IEEE80211_C_APPMGT which indicates the capability for an AP
to buffer unicast and multicast traffic for STAs in PS mode.
all drivers claiming HostAP support should support that but the
truth is that none of them do.
most of them are still at the 802.11b-only era and do not update
dynamic parts of beacons or process frames from ic_pwrsaveq.


# 1.48 27-Aug-2008 damien

move definitions of channels attributes away from ieee80211.h such
that ieee80211.h contains only definitions that are part of the
802.11 standard and not constants used internally by net80211.
because channels attributes are exported to userland through the
radiotap BPF interface, add the definitions to ieee80211_radiotap.h
too (which must be kept in sync with what is used in net80211).
also, do not export combinations of channel attributes to userland
so that no one gets stupid ideas.


# 1.47 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.46 12-Aug-2008 damien

nuke unused fields.


# 1.45 12-Aug-2008 damien

add IEEE80211_F_MFPR config flags (management frame protection required)
and IEEE80211_C_MFP capability bit (driver supports MFP).


# 1.44 12-Aug-2008 damien

extend the ic_nw_keys[] array to 6 elements.
indices 0-3 will be used for group data keys while indices 4-5 will
be used for integrity group keys.
add a ic_rsngroupmgmtcipher field too.


# 1.43 12-Aug-2008 damien

Change the way we process EAPOL-Key frames.
Free the mbuf in the ieee80211_eapol_key_input() function.
Do not assume the frame is contiguous, call m_pullup2() if it is not.
We need the frame to be contiguous to process KDEs efficiently in
EAPOL-Key frames (just like we process IEs in management frames).
However, there are drivers like upgt(4) that use m_devget() in the
RX path. m_devget() can return fragmented mbuf chains.
Notice that we should do the same m_pullup2() for management frames.
This will be done later.
Remove the ic_recv_eapol callback.


Revision tags: OPENBSD_4_4_BASE
# 1.42 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.41 27-Jul-2008 damien

sanitize RX path a bit.
make sure drivers pass a contiguous header, check header length earlier.
fix checking of frames sequence number for frames containing an Address 4
field (required for future work).
fix processing of control frames (only pspoll for now).


# 1.40 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.39 21-Jul-2008 damien

instead of passing rx tstamp and rssi to the ieee80211_input function,
pass a pointer to an ieee80211_rxinfo structure containing those two
fields plus an extra flags field that indicates whether the frame was
decrypted by hardware or not.
required for a future fix.


# 1.38 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.37 17-Nov-2007 damien

make it clear in the code and in the man page that the rate2plcp and
plcp2rate functions use plcp codes in most-significant-bit-first format
(R4-R1).
some drivers like wpi(4) and iwn(4) want plcp codes in lsb-first format
so they can't use those functions.
also the IEEE standard uses R1-R4 notation so this can be a bit confusing
for those referring to it.

use u_int8_t for plcp code and rate instead of int.


# 1.36 14-Nov-2007 mglocker

Add ieee80211_rate2plcp() and ieee80211_plcp2rate() functions, which
convert the PLCP header signal field to a rate value and vice versa.

This implementation has been discussed with Damien and doesn't change
any existing net80211 structures.

ok damien@


# 1.35 03-Nov-2007 mglocker

Revert last commit which added ieee80211_rate2plcp() and
ieee80211_plcp2rate() because I've got a late feedback from Damien that
he dislikes the implementation method a lot.


# 1.34 01-Nov-2007 mglocker

Add ieee80211_rate2plcp() and ieee80211_plcp2rate() functions.

Help and OK reyk@


# 1.33 22-Aug-2007 damien

- add k_rxmic and k_txmic fields to struct ieee80211_key to store the
Tx/Rx MIC for TKIP.
- add two functions to map a PTK and a GTK to an IEEE 802.11 key and
use them in ieee80211_input.c instead of duplicating the same code.
properly set Tx/Rx MIC in the IEEE 802.11 key in the case of TKIP.
- add ic_psk to struct ieee80211com to store the pre-shared key.
- fix setting of the SECURE bit in outgoing EAPOL-Key frames.
- when receiving msg 2 of the 4-way handshake, deauthenticate the
station if the RSN IE does not match that of the (Re)Association
request.
- before parsing an RSN or WPA IE, check that there's enough room for
the version field (2 bytes) which is mandatory.
- various tweaks while i'm here.


Revision tags: OPENBSD_4_2_BASE
# 1.32 28-Jul-2007 damien

add callbacks that drivers must implement to install/reset keys.
add a 64-bit replay counter for sending EAPOL-Key request frames.
add a ic_recv_eapol callback to process EAPOL frames.
drivers can redefine this callback but net80211 will implement it.


# 1.31 24-Jul-2007 damien

add ic_globalcnt to struct ieee80211com:
in an RSNA, each STA must maintain a 256-bit global key counter that
must be initialized to a random value (see 8.5.7).


# 1.30 18-Jul-2007 damien

replace the ieee80211_wepkey structure with a more generic ieee80211_key
one that can be used with other ciphers than WEP.


# 1.29 05-Jul-2007 damien

split ieee80211_add_rsn() so that the code can be reused for
vendor-specific IE.


# 1.28 04-Jul-2007 damien

add RSN flags for ic_caps and ic_flags.


# 1.27 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.26 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.25 21-Jun-2007 damien

add (currently unused) code to parse RSN IEs.


# 1.24 21-Jun-2007 damien

add fields for EDCA.


# 1.23 17-Jun-2007 damien

Add a new capability flag IEEE80211_C_QOS indicating that the driver
supports QoS.
Add a new flag IEEE80211_F_QOS indicating whether QoS is enabled or not.
Add a callback to notify drivers that AC parameters have changed in
the QBSS. Drivers implementing QoS should define this callback and
update their EDCA settings accordingly.


# 1.22 16-Jun-2007 damien

constify


# 1.21 11-Jun-2007 damien

adds 802.11e EDCA tables for QAPs and non-AP QSTAs.
not used yet.

ok jsg@ deraadt@


# 1.20 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.19 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 19-Oct-2006 tom

s/Mhz/MHz/ in comments and printf() strings

ok jsg@


Revision tags: OPENBSD_4_0_BASE
# 1.16 27-Jun-2006 reyk

add the net80211 hostap options "nwflag hidenwid" for hidden SSID mode
and "nwflag nobridge" to prevent inter-station communications.
"hidenwid" will also work with wi(4) to replace the old -E 3 option of
wicontrol.

ok damien@ jmc@


# 1.15 24-Jun-2006 deraadt

ieee80211_cfgget() and ieee80211_cfgset() are dead; ok jsg


# 1.14 23-Jun-2006 reyk

add an optional max_rssi attribute to the ieee80211com structure and
allow to export the RSSI Max value with ioctls and by radiotap
headers.

ok damien@ jsg@

description:

we currently use "dB" as an indication for the signal strength in
ifconfig and in the radiotap headers. it means "decibel difference
from an arbitrary, fixed reference". this is quite confusing, because
different chipsets have different references for the dB/rssi values.

we can use the plain RSSI which is described in IEEE 802.11: "The
receive signal strength indicator (RSSI) is an optional parameter that
has a value of 0 through RSSI Max.". all wireless chipsets have
something like a RSSI (normally as a Rx descriptor field), but the
value for RSSI Max is chipset-specific.

if we know the RSSI Max, we can calculate a percentage which is much
easier to understand for the user. we even don't have to use the
absolute RSSI Max, we can use an average RSSI Max, figured out by
monitoring and tuning the RSSI Max of the drivers. if the user gets a
signal of 110%, it would mean "better than the average Max signal".

there's no need to do any RSSI calculations in the kernel, it just
passes the relative rssi and max_rssi values to userspace. this is
done in the ieee80211_nodereq ioctl structure and possible with a new
radiotap header. the radiotap RSSI header allows to get a flexible but
common signal indicator instead of the complex and unrelated dB/dBm
signal fields. it must include two 8bit values current rssi and RSSI
max.


# 1.13 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.12 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.11 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.10 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.9 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.8 13-May-2005 jsg

do { } while (0) wrappers on debug printf macros. ok reyk@


# 1.7 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.6 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.5 15-Feb-2005 reyk

add the manual tx power option. this is supported by some prism2/2.5/3
cards in hostap mode but it depends on the firmware version. support
for other wireless chipsets will be added in the future using the
net80211-framework.

ok robert@ bob@ danh@, tested by some others


# 1.4 25-Dec-2004 deraadt

in real C, there is no , after the last enum entry; ok reyk


# 1.3 06-Dec-2004 dlg

add a flag that lets a wireless card indicate it can receive probe responses
or beacons on any channel during a scan.

ok damien@ "come on" deraadt@


# 1.2 02-Nov-2004 reyk

some changes merged in from netbsd. ieee80211_regdomain.# will be used
by sdr (software defined radios).

ok deraadt@ millert@ damien@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.108 03-Dec-2021 stsp

Introduce an optional driver-specific bgscan_done() handler which
allows the driver to take control of the roaming teardown sequence.
This handler allows drivers to ensure that race conditions between
firmware state and net80211 state are avoided, and will be used by
the iwm(4) and iwx(4) drivers soon.

Split the existing roaming teardown sequence into two steps, one step
for tearing down Tx block ack sessions which sends a DELBA frame, and a
second step for flushing Tx rings followed by sending a DEAUTH frame.
We used to queue both frames, expecting to switch APs once both were sent.
Now we effectively expect everything to be sent before we queue a final
DEAUTH frame, and wait for just this frame to be sent before switching.
This already made issues on iwm/iwx less frequent but by itself this was
not enough to close all races for those drivers. It should however help
when adding background scan support to a non-firmware device driver.

Tested, with driver patches:
iwm 8265: Aaron Poffenberger, stsp
iwm 9260: florian
iwm 9560: sthen
iwx ax200: jmc, stsp


# 1.107 11-Oct-2021 stsp

Monitor 20/40 MHz channel width changes in beacons sent by our access point
and notify drivers when the channel width has changed.


# 1.106 11-Oct-2021 stsp

Add support for 40MHz channels to net80211 RA.

For the moment we use either the 40MHz rate set or the 20 MHz one,
depending on whether our peer supports 40MHz channels.
If this turns out to be suboptimal we could probe the 40MHz and 20MHz
rate sets separately to detect which one works better.

The same applies to use of the short guard interval (SGI), which is
either always on or off at the moment. Again, probing for this could
be added later if needed.


# 1.105 23-Sep-2021 stsp

Add an ADDBA_OFFLOAD capability for wifi devices which manage Tx block ack
sessions entirely in firmware. This will be used by iwx(4).


Revision tags: OPENBSD_7_0_BASE
# 1.104 17-May-2021 stsp

put unused 802.11 fragmentation support code under #ifdef notyet


# 1.103 29-Apr-2021 stsp

Make iwn, iwm, and iwx keep track of beacon parameters at run-time.

- HT protection settings (this was already implemented)
- ERP (11g) protection setting
- short slottime setting
- short preamble setting
- EDCA (QoS) parameters

All of these parameters are communicated in beacons and hardware is
now kept up-to-date with them.

Prompted by a problem report from Christian Ehrhardt regarding ERP.

Tested:
iwn 6205: stsp, Josh Grosse
iwm 7265: trondd
iwm 8265: stsp, Matthias Schmidt
iwm 9260: phessler
iwx ax200: stsp, jmc, gnezdo


Revision tags: OPENBSD_6_8_BASE OPENBSD_6_9_BASE
# 1.102 15-Jul-2020 cheloha

ieee80211: track micfail timeout with getuptime(9) instead of ticks

With input from stsp@.

ok stsp@


Revision tags: OPENBSD_6_7_BASE
# 1.101 09-Nov-2019 stsp

Give access points which fail to AUTH or ASSOC less priority during
the next selection of networks from the join list. Prevents endless
attempts to connect to an AP which is out of reach but still somehow
manages to get a beacon or two across to us during scan.

Tested with wifi networks at the University of Bucharest.
Makes switching wifi networks possible after walking to a different
room without having to down/up the interface or suspend/resume.

ok phessler@


# 1.100 09-Nov-2019 stsp

Trigger a background scan when root runs the 'ifconfig scan' command.
This will update the list of cached APs for future invocations of the
'scan' command, and will force a search for a better AP to roam to.
ok sthen@ phessler@


# 1.99 06-Nov-2019 stsp

Raise net80211's "beacon miss" threshold to avoid frequent re-connects
to APs that are relatively far away and suffer some packet loss.

The former threshold was 7 beacons (about 700 ms).
This raises the threshold to 30 beacons (about 3 seconds).
Should still be good enough for detecting APs that have disappeared, and
makes wifi networks provided by the University of Bucharest more reliable
in the p2k19 hackroom.

While here, make 'ifconfig iwm0/iwn0 debug' print an obvious message when
we believe that the AP has disappeared.

Problem reported and fix tested by landry@ / pirofti@
ok mpi@ sthen@


# 1.98 31-Oct-2019 stsp

Make background scans less frequent if we keep choosing the same AP.

This helps a bit in situations where a single AP is used and background scans
are causing packet loss, as seen with Jesper Wellin's Broadcom-based AP and my
Android phone in hotspot mode. This is not a proper fix but our background scan
frequency against a single AP was much higher than needed anyway.

Tested by jan, job, benno, Tracey Emery, Jesper Wallin


Revision tags: OPENBSD_6_6_BASE
# 1.97 29-Jul-2019 stsp

Add support for 802.11n Tx aggregation to net80211 and the iwn(4) driver.

In particular, add Tx block ack session management to net80211, with
enough functionality to support Tx aggregation on devices which perform
A-MPDU subframe scheduling in firmware.
Make use of the iwn(4) firmware Tx scheduler to build A-MPDUs.

net80211's QoS support code is now enabled and used by Tx aggregation.

A-MSDU frames inside A-MPDUs have been tested and work in principle.
For now, this feature is disabled because unfair TCP connection sharing
was observed during testing, where bursts of TCP Ack frames for a single
tcpbench(1) connection arriving in A-MSDUs made other TCP connections stall.
Switch off support for A-MSDUs inside A-MPDUs on the Rx side as well.

Tested on iwn chipsets 1000, 4965, 5100, 5300, 2200, 6200, 6205, 6300
(committed version of tested diff has all debug printfs removed)
tests/ok benno kmos mlarkin kevlo


# 1.96 12-May-2019 stsp

Fix 'ifconfig nwflags'; these flags ended up overlapping with other flags
in ieee80211com's ic_flags because we haven't been paying attention to
them (they're not in the same place in the code and hence easy to miss).
Move them to a dedicated variable to avoid this problem in the future.

Add a new 'stayauth' nwflag which can be set to let net80211 ignore
deauth frames. This can be useful when deauth frames are being
persistently spoofed by an attacker. Idea from beck@

ok beck@ phessler@


Revision tags: OPENBSD_6_5_BASE
# 1.95 01-Mar-2019 stsp

Improve handling of HT protection for 'mode 11n' hostap.

Consider the mere presence of HTCAP IEs as indicator of 11n support,
rather than checking advertised Rx MCS. Fixes some devices being
misclassified as 11a/g, causing HT protection to be enabled even
though it is not needed.

Use CTS-to-self frames for HT protection instead of RTS/CTS.

These changes make my athn(4) AR9280 hostap perform much better.

ok phessler@


# 1.94 19-Feb-2019 stsp

Make ifconfig(8) display whether bwfm(4) firmware is using 802.11ac.
ok patrick@ mpi@


# 1.93 18-Jan-2019 phessler

add a len field when we delete an essid from the joinlist. this will have
us properly match, instead of hoping we got lucky when selecting it.

OK stsp@


# 1.92 27-Oct-2018 phessler

pass around the ess and ni structures we plan to use directly, instead
of rediscovering them (possibly badly).

OK stsp@


Revision tags: OPENBSD_6_4_BASE
# 1.91 11-Sep-2018 krw

Nuke unused LIST() ieee80211com_head.

ok stsp@


# 1.90 10-Sep-2018 phessler

give set_ess a len variable, so we can correctly match the essid we want
to switch to.

pointed out by stsp@


# 1.89 09-Sep-2018 phessler

convert the things we save in 'join' into a single ioctl. mixing related
settings over multiple calls was risky and racy. Pass essid, wpa, and wep
parameters in a single ioctl and process it atomically.

no change for 'nwid' users

OK stsp@ benno@


# 1.88 01-Sep-2018 stsp

Make 'ifconfig nwid' override 'ifconfig join'.

There was no way to override a decision made by join's network
selection algorithm (apart from disabling the feature by clearing
the join list). Automatic selection is based on heuristics which
cannot always guess correctly so we need to provide an override.

One specific problem was that if 'nwid foo' and 'nwid bar' were
both visible in the scan and only 'nwid foo' was a member of the
join list, then there was no way at all to connect to 'nwid bar'.
The wireless stack would keep selecting 'nwid foo' instead.

'ifconfig iwm0 nwid bar' command will now disable automatic
network selection and force the use of ESSID 'bar'.
Any of these commands will re-enable automatic network selection:
ifconfig iwm0 -nwid
ifconfig iwm0 nwid ''
ifconfig iwm0 join some-network-id

ok phessler@ deraadt@


# 1.87 06-Aug-2018 stsp

Refactor ieee80211_add_ess():

Drop ieee80211_add_ess's nwid parameter. Read nwid and length directly
from the ic to make it more obvious where this function is reading from.

nwids are binary data with an explicit length, so treat them as such
instead of treating them like strings.

ok florian phessler


# 1.86 11-Jul-2018 phessler

Introduce 'auto-join' to the wifi 802.11 stack.

This allows a system to remember which ESSIDs it wants to connect to, any
relevant security configuration, and switch to it when the network we are
currently connected to is no longer available.

Works when connecting and switching between WPA2/WPA1/WEP/clear encryptions.

example hostname.if:
join home wpakey password
join work wpakey mekmitasdigoat
join open-lounge
join cafe wpakey cafe2018
join "wepnetwork" nwkey "12345"
dhcp
inet6 autoconf
up

OK stsp@ reyk@
and enthusiasm from every hackroom I've been in for the last 3 years


# 1.85 26-Apr-2018 pirofti

net80211: stub SIOCS80211SCAN, make ifconfig scan instant.

The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stsp@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.

The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.

In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.

The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...

Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.

Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).

Tested by mpi@, landry@, florian@, thanks!
OK mpi@.


Revision tags: OPENBSD_6_3_BASE
# 1.84 05-Feb-2018 stsp

Add a new function hook to struct ieee80211com which wireless drivers
can use to process, and then acknowledge or reject, incoming AUTH
requests in hostap mode.

net80211 accepts an AUTH request from any STA which fits into the node
cache. This behaviour doesn't work for devices which have a lower limit
on concurrent STAs they can serve, so such drivers need an override.

This will be used by our athn(4) USB driver soon.

ok kevlo@


# 1.83 12-Dec-2017 stsp

Make IEEE80211_CHAN_ANYC be a NULL pointer instead of a pointer to 0xffff.
Should speed up debugging.
ok phessler patrick


# 1.82 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


# 1.81 06-Nov-2017 phessler

move a function declaration, so the whole net80211 stack can disable wep or wpa

OK stsp@


# 1.80 29-Oct-2017 mpi

Kill unused members using forward declaration only types.

Found with ctfconv(1). ok jsg@, guenther@


Revision tags: OPENBSD_6_2_BASE
# 1.79 31-May-2017 stsp

The net80211 stack was providing a 'beacon miss timeout' value (in ms)
which specified how much time may elapse without beacons before drivers
begin searching for a new AP.

Drivers convert this timeout value into the amount of beacons they're allowed
to miss. Having the stack provide this number upfront simplifies things.

ok mpi@


# 1.78 30-May-2017 stsp

Introduce ieee80211_min_basic_rate() and ieee80211_max_basic_rate().

These helpers can be used by drivers to improve compatibility with APs
that disable some mandatory PHY rates in the basic rate set.

For instance, many of our drivers hard-code 11b rates on 2 GHz and run
into problems when APs disable them. Since 11b rates are being disabled
by default by some vendors, hardcoding them is not a good idea anymore.

ok mpi@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.77 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.76 30-Jan-2017 stsp

Enable ieee80211_edca_table, which was under #if 0. This table can be used
by drivers to pass default EDCA parameters to firmware instead of passing
local hardcoded values.
ok millert@


# 1.75 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.74 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.73 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@


Revision tags: OPENBSD_6_0_BASE
# 1.72 21-May-2016 stsp

Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.71 25-Jan-2016 stsp

Keep track of HT protection settings in beacons and have 11n-capable
drivers update hardware configuration accordingly.
tested by myself, tb@, deraadt@, abieber@
ok mpi@


# 1.70 12-Jan-2016 stsp

Remove wireless turbo mode support. It is a non-standard extension
which only worked with ath(4) devices from a decade ago.
Diff tested on ath(4) hardware by me to verify that 11a/b modes still work.
ok reyk deraadt chris sthen kettenis


# 1.69 06-Jan-2016 stsp

Initialize the A-MPDU parameters field in HT capability elements.
ok kettenis@


# 1.68 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.67 15-Nov-2015 stsp

Expose 11n mode to the ifmedia layer and introduce the concept of MCS.
Make sure 11n features are enabled only if media type is autoselect or 11n.

11n mode uses MCS (modulation & coding scheme) instead of rates like 11a/b/g.
This means we'll have to take the current mode into account and decide whether
to use a rate or an MCS for transmission. Receiving frames on legacy rates
will still work in 11n mode. We just won't be using legacy rates to send
data frames to an STA or AP we negotiated 11n features with.

My initial plan was to grow the ieee80211_rateset structure and treat MCS
just like rates. However, ieee80211_rateset corresponds to rates and xrates
elements in management frames and is copied directly into such elements
so its size cannot change. Thus, MCS stands on its own and corresponds to
elements in management frames related to 11n HT capabilities.

ok deraadt mpi phessler kettenis guenther


# 1.66 15-Nov-2015 stsp

Declare 802.11n mode and channel flags. Tweak 11n related fields in struct
ieee80211com and move them inside #ifndef IEEE80211_NO_HT without breaking
the build in rsu(4) for RAMDISK_CD.
Also declare 11n protection modes and MCS count.
ok deraadt mpi kettenis guenther


# 1.65 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


# 1.64 27-Sep-2015 stsp

Add ieee80211_channel_init(), factored out from ieee80211_ifattach().
Will be used by iwm(4) soon.
ok kettenis@


# 1.63 11-Sep-2015 stsp

Make room for media types of the future. Extend the ifmedia word to 64 bits.
This changes numbers of the SIOCSIFMEDIA and SIOCGIFMEDIA ioctls and
grows struct ifmediareq.

Old ifconfig and dhclient binaries can still assign addresses, however
the 'media' subcommand stops working. Recompiling ifconfig and dhclient
with new headers before a reboot should not be necessary unless in very
special circumstances where non-default media settings must be used to
get link and console access is not available.

There may be some MD fallout but that will be cleared up later.

ok deraadt miod
with help and suggestions from several sharks attending l2k15


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE OPENBSD_5_6_BASE OPENBSD_5_7_BASE OPENBSD_5_8_BASE
# 1.62 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE
# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.60 19-May-2009 damien

prevent injection of raw 802.11 control frames through bpf on drivers
that do not explicitly state this capability (using flag IEEE80211_C_RAWCTL).
also, perform all the sanity checks on injected raw 802.11 frames earlier
(in ieee80211_output instead of ieee80211_encap).

prevent kernel panics with many drivers when running aircrack-ng.
when/if all drivers are capable, we can remove this C_RAWCTL flag.


# 1.59 26-Mar-2009 damien

move #define IEEE80211_NO_HT under #ifdef SMALL_KERNEL instead
of defining it unconditionally.
although the HT code is not ready yet, making it compile on
GENERIC kernels will help catch regressions/bugs if any.


Revision tags: OPENBSD_4_5_BASE
# 1.58 08-Feb-2009 damien

initial 802.11 defragmentation bits.
the code will allow the concurrent reception of fragments of three
fragmented MSDUs or MMPDUs as required by the 802.11 standard.


# 1.57 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.56 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.55 13-Nov-2008 djm

use different TSCs when sending the two MIC failure report frames
to our AP as we enter TKIP countermeasures by caching the TSC of
the last frame to fail the MIC; prompted by and ok damien@


# 1.54 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.53 08-Sep-2008 jsg

define IEEE80211_STA_ONLY if SMALL_KERNEL is defined to shrink
the size of install media.

ok damien@ deraadt@


# 1.52 01-Sep-2008 damien

add ic_tid_noack bitmap to indicate a per-TID ACK policy (1=no ack,
0=normal ack). all bits are currently set to 0.
use this bitmap to set the ACK policy of the QoS control field of
outgoing QoS frames.


# 1.51 01-Sep-2008 damien

rework previously unused ieee80211_pwrsave() function, call it from
ieee80211_mgmt_output() and ieee80211_encap().
use new IEEE80211_C_APPMGT capability flag where appropriate.
rename ic_tim_mcast to ic_tim_mcast_pending.


# 1.50 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.49 29-Aug-2008 damien

garbage collect unused capabilities and configurations flags.
add two capabilities flags: IEEE80211_C_HT for HT STAs (802.11n)
and IEEE80211_C_APPMGT which indicates the capability for an AP
to buffer unicast and multicast traffic for STAs in PS mode.
all drivers claiming HostAP support should support that but the
truth is that none of them do.
most of them are still at the 802.11b-only era and do not update
dynamic parts of beacons or process frames from ic_pwrsaveq.


# 1.48 27-Aug-2008 damien

move definitions of channels attributes away from ieee80211.h such
that ieee80211.h contains only definitions that are part of the
802.11 standard and not constants used internally by net80211.
because channels attributes are exported to userland through the
radiotap BPF interface, add the definitions to ieee80211_radiotap.h
too (which must be kept in sync with what is used in net80211).
also, do not export combinations of channel attributes to userland
so that no one gets stupid ideas.


# 1.47 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.46 12-Aug-2008 damien

nuke unused fields.


# 1.45 12-Aug-2008 damien

add IEEE80211_F_MFPR config flags (management frame protection required)
and IEEE80211_C_MFP capability bit (driver supports MFP).


# 1.44 12-Aug-2008 damien

extend the ic_nw_keys[] array to 6 elements.
indices 0-3 will be used for group data keys while indices 4-5 will
be used for integrity group keys.
add a ic_rsngroupmgmtcipher field too.


# 1.43 12-Aug-2008 damien

Change the way we process EAPOL-Key frames.
Free the mbuf in the ieee80211_eapol_key_input() function.
Do not assume the frame is contiguous, call m_pullup2() if it is not.
We need the frame to be contiguous to process KDEs efficiently in
EAPOL-Key frames (just like we process IEs in management frames).
However, there are drivers like upgt(4) that use m_devget() in the
RX path. m_devget() can return fragmented mbuf chains.
Notice that we should do the same m_pullup2() for management frames.
This will be done later.
Remove the ic_recv_eapol callback.


Revision tags: OPENBSD_4_4_BASE
# 1.42 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.41 27-Jul-2008 damien

sanitize RX path a bit.
make sure drivers pass a contiguous header, check header length earlier.
fix checking of frames sequence number for frames containing an Address 4
field (required for future work).
fix processing of control frames (only pspoll for now).


# 1.40 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.39 21-Jul-2008 damien

instead of passing rx tstamp and rssi to the ieee80211_input function,
pass a pointer to an ieee80211_rxinfo structure containing those two
fields plus an extra flags field that indicates whether the frame was
decrypted by hardware or not.
required for a future fix.


# 1.38 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.37 17-Nov-2007 damien

make it clear in the code and in the man page that the rate2plcp and
plcp2rate functions use plcp codes in most-significant-bit-first format
(R4-R1).
some drivers like wpi(4) and iwn(4) want plcp codes in lsb-first format
so they can't use those functions.
also the IEEE standard uses R1-R4 notation so this can be a bit confusing
for those referring to it.

use u_int8_t for plcp code and rate instead of int.


# 1.36 14-Nov-2007 mglocker

Add ieee80211_rate2plcp() and ieee80211_plcp2rate() functions, which
convert the PLCP header signal field to a rate value and vice versa.

This implementation has been discussed with Damien and doesn't change
any existing net80211 structures.

ok damien@


# 1.35 03-Nov-2007 mglocker

Revert last commit which added ieee80211_rate2plcp() and
ieee80211_plcp2rate() because I've got a late feedback from Damien that
he dislikes the implementation method a lot.


# 1.34 01-Nov-2007 mglocker

Add ieee80211_rate2plcp() and ieee80211_plcp2rate() functions.

Help and OK reyk@


# 1.33 22-Aug-2007 damien

- add k_rxmic and k_txmic fields to struct ieee80211_key to store the
Tx/Rx MIC for TKIP.
- add two functions to map a PTK and a GTK to an IEEE 802.11 key and
use them in ieee80211_input.c instead of duplicating the same code.
properly set Tx/Rx MIC in the IEEE 802.11 key in the case of TKIP.
- add ic_psk to struct ieee80211com to store the pre-shared key.
- fix setting of the SECURE bit in outgoing EAPOL-Key frames.
- when receiving msg 2 of the 4-way handshake, deauthenticate the
station if the RSN IE does not match that of the (Re)Association
request.
- before parsing an RSN or WPA IE, check that there's enough room for
the version field (2 bytes) which is mandatory.
- various tweaks while i'm here.


Revision tags: OPENBSD_4_2_BASE
# 1.32 28-Jul-2007 damien

add callbacks that drivers must implement to install/reset keys.
add a 64-bit replay counter for sending EAPOL-Key request frames.
add a ic_recv_eapol callback to process EAPOL frames.
drivers can redefine this callback but net80211 will implement it.


# 1.31 24-Jul-2007 damien

add ic_globalcnt to struct ieee80211com:
in an RSNA, each STA must maintain a 256-bit global key counter that
must be initialized to a random value (see 8.5.7).


# 1.30 18-Jul-2007 damien

replace the ieee80211_wepkey structure with a more generic ieee80211_key
one that can be used with other ciphers than WEP.


# 1.29 05-Jul-2007 damien

split ieee80211_add_rsn() so that the code can be reused for
vendor-specific IE.


# 1.28 04-Jul-2007 damien

add RSN flags for ic_caps and ic_flags.


# 1.27 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.26 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.25 21-Jun-2007 damien

add (currently unused) code to parse RSN IEs.


# 1.24 21-Jun-2007 damien

add fields for EDCA.


# 1.23 17-Jun-2007 damien

Add a new capability flag IEEE80211_C_QOS indicating that the driver
supports QoS.
Add a new flag IEEE80211_F_QOS indicating whether QoS is enabled or not.
Add a callback to notify drivers that AC parameters have changed in
the QBSS. Drivers implementing QoS should define this callback and
update their EDCA settings accordingly.


# 1.22 16-Jun-2007 damien

constify


# 1.21 11-Jun-2007 damien

adds 802.11e EDCA tables for QAPs and non-AP QSTAs.
not used yet.

ok jsg@ deraadt@


# 1.20 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.19 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 19-Oct-2006 tom

s/Mhz/MHz/ in comments and printf() strings

ok jsg@


Revision tags: OPENBSD_4_0_BASE
# 1.16 27-Jun-2006 reyk

add the net80211 hostap options "nwflag hidenwid" for hidden SSID mode
and "nwflag nobridge" to prevent inter-station communications.
"hidenwid" will also work with wi(4) to replace the old -E 3 option of
wicontrol.

ok damien@ jmc@


# 1.15 24-Jun-2006 deraadt

ieee80211_cfgget() and ieee80211_cfgset() are dead; ok jsg


# 1.14 23-Jun-2006 reyk

add an optional max_rssi attribute to the ieee80211com structure and
allow to export the RSSI Max value with ioctls and by radiotap
headers.

ok damien@ jsg@

description:

we currently use "dB" as an indication for the signal strength in
ifconfig and in the radiotap headers. it means "decibel difference
from an arbitrary, fixed reference". this is quite confusing, because
different chipsets have different references for the dB/rssi values.

we can use the plain RSSI which is described in IEEE 802.11: "The
receive signal strength indicator (RSSI) is an optional parameter that
has a value of 0 through RSSI Max.". all wireless chipsets have
something like a RSSI (normally as a Rx descriptor field), but the
value for RSSI Max is chipset-specific.

if we know the RSSI Max, we can calculate a percentage which is much
easier to understand for the user. we even don't have to use the
absolute RSSI Max, we can use an average RSSI Max, figured out by
monitoring and tuning the RSSI Max of the drivers. if the user gets a
signal of 110%, it would mean "better than the average Max signal".

there's no need to do any RSSI calculations in the kernel, it just
passes the relative rssi and max_rssi values to userspace. this is
done in the ieee80211_nodereq ioctl structure and possible with a new
radiotap header. the radiotap RSSI header allows to get a flexible but
common signal indicator instead of the complex and unrelated dB/dBm
signal fields. it must include two 8bit values current rssi and RSSI
max.


# 1.13 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.12 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.11 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.10 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.9 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.8 13-May-2005 jsg

do { } while (0) wrappers on debug printf macros. ok reyk@


# 1.7 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.6 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.5 15-Feb-2005 reyk

add the manual tx power option. this is supported by some prism2/2.5/3
cards in hostap mode but it depends on the firmware version. support
for other wireless chipsets will be added in the future using the
net80211-framework.

ok robert@ bob@ danh@, tested by some others


# 1.4 25-Dec-2004 deraadt

in real C, there is not , after the last enum entry; ok reyk


# 1.3 06-Dec-2004 dlg

add a flag that lets a wireless card indicate it can receive probe responses
or beacons on any channel during a scan.

ok damien@ "come on" deraadt@


# 1.2 02-Nov-2004 reyk

some changes merged in from netbsd. ieee80211_regdomain.# will be used
by sdr (software defined radios).

ok deraadt@ millert@ damien@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.107 11-Oct-2021 stsp

Monitor 20/40 MHz channel width changes in beacons sent by our access point
and notify drivers when the channel width has changed.


# 1.106 11-Oct-2021 stsp

Add support for 40MHz channels to net80211 RA.

For the moment we use either the 40MHz rate set or the 20 MHz one,
depending on whether our peer supports 40MHz channels.
If this turns out to be suboptimal we could probe the 40MHz and 20MHz
rate sets separately to detect which one works better.

The same applies to use of the short guard interval (SGI), which is
either always on or off at the moment. Again, probing for this could
be added later if needed.


# 1.105 23-Sep-2021 stsp

Add an ADDBA_OFFLOAD capability for wifi devices which manage Tx block ack
sessions entirely in firmware. This will be used by iwx(4).


Revision tags: OPENBSD_7_0_BASE
# 1.104 17-May-2021 stsp

put unused 802.11 fragmentation support code under #ifdef notyet


# 1.103 29-Apr-2021 stsp

Make iwn, iwm, and iwx keep track of beacon parameters at run-time.

- HT protection settings (this was already implemented)
- ERP (11g) protection setting
- short slottime setting
- short preamble setting
- EDCA (QoS) parameters

All of these parameters are communicated in beacons and hardware is
now kept up-to-date with them.

Prompted by a problem report from Christian Ehrhardt regarding ERP.

Tested:
iwn 6205: stsp, Josh Grosse
iwm 7265: trondd
iwm 8265: stsp, Matthias Schmidt
iwm 9260: phessler
iwx ax200: stsp, jmc, gnezdo


Revision tags: OPENBSD_6_8_BASE OPENBSD_6_9_BASE
# 1.102 15-Jul-2020 cheloha

ieee80211: track micfail timeout with getuptime(9) instead of ticks

With input from stsp@.

ok stsp@


Revision tags: OPENBSD_6_7_BASE
# 1.101 09-Nov-2019 stsp

Give access points which fail to AUTH or ASSOC less priority during
the next selection of networks from the join list. Prevents endless
attempts to connect to an AP which is out of reach but still somehow
manages to get a beacon or two across to us during scan.

Tested with wifi networks at the University of Bucharest.
Makes switching wifi networks possible after walking to a different
room without having to down/up the interface or suspend/resume.

ok phessler@


# 1.100 09-Nov-2019 stsp

Trigger a background scan when root runs the 'ifconfig scan' command.
This will update the list of cached APs for future invocations of the
'scan' command, and will force a search for a better AP to roam to.
ok sthen@ phessler@


# 1.99 06-Nov-2019 stsp

Raise net80211's "beacon miss" threshold to avoid frequent re-connects
to APs that are relatively far away and suffer some packet loss.

The former threshold was 7 beacons (about 700 ms).
This raises the threshold to 30 beacons (about 3 seconds).
Should still be good enough for detecting APs that have disappeared, and
makes wifi networks provided by the University of Bucharest more reliable
in the p2k19 hackroom.

While here, make 'ifconfig iwm0/iwn0 debug' print an obvious message when
we believe that the AP has disappeared.

Problem reported and fix tested by landry@ / pirofti@
ok mpi@ sthen@


# 1.98 31-Oct-2019 stsp

Make background scans less frequent if we keep choosing the same AP.

This helps a bit in situations where a single AP is used and background scans
are causing packet loss, as seen with Jesper Wallin's Broadcom-based AP and my
Android phone in hotspot mode. This is not a proper fix but our background scan
frequency against a single AP was much higher than needed anyway.

Tested by jan, job, benno, Tracey Emery, Jesper Wallin


Revision tags: OPENBSD_6_6_BASE
# 1.97 29-Jul-2019 stsp

Add support for 802.11n Tx aggregation to net80211 and the iwn(4) driver.

In particular, add Tx block ack session management to net80211, with
enough functionality to support Tx aggregation on devices which perform
A-MPDU subframe scheduling in firmware.
Make use of the iwn(4) firmware Tx scheduler to build A-MPDUs.

net80211's QoS support code is now enabled and used by Tx aggregation.

A-MSDU frames inside A-MPDUs have been tested and work in principle.
For now, this feature is disabled because unfair TCP connection sharing
was observed during testing, where bursts of TCP Ack frames for a single
tcpbench(1) connection arriving in A-MSDUs made other TCP connections stall.
Switch off support for A-MSDUs inside A-MPDUs on the Rx side as well.

Tested on iwn chipsets 1000, 4965, 5100, 5300, 2200, 6200, 6205, 6300
(committed version of tested diff has all debug printfs removed)
tests/ok benno kmos mlarkin kevlo


# 1.96 12-May-2019 stsp

Fix 'ifconfig nwflags'; These flags ended up overlapping with other flags
in ieee80211com's ic_flags because we haven't been paying attention to
them (they're not in the same place in the code and hence easy to miss).
Move them to a dedicated variable to avoid this problem in the future.

Add a new 'stayauth' nwflag which can be set to let net80211 ignore
deauth frames. This can be useful when deauth frames are being
persistently spoofed by an attacker. Idea from beck@

ok beck@ phessler@


Revision tags: OPENBSD_6_5_BASE
# 1.95 01-Mar-2019 stsp

Improve handling of HT protection for 'mode 11n' hostap.

Consider the mere presence of HTCAP IEs as indicator of 11n support,
rather than checking advertised Rx MCS. Fixes some devices being
misclassified as 11a/g, causing HT protection to be enabled even
though it is not needed.

Use CTS-to-self frames for HT protection instead of RTS/CTS.

These changes make my athn(4) AR9280 hostap perform much better.

ok phessler@


# 1.94 19-Feb-2019 stsp

Make ifconfig(8) display whether bwfm(4) firmware is using 802.11ac.
ok patrick@ mpi@


# 1.93 18-Jan-2019 phessler

add a len field when we delete an essid from the joinlist. this will have
us properly match, instead of hoping we got lucky when selecting it.

OK stsp@


# 1.92 27-Oct-2018 phessler

pass around the ess and ni structures we plan to use directly, instead
of rediscovering them (possibly badly).

OK stsp@


Revision tags: OPENBSD_6_4_BASE
# 1.91 11-Sep-2018 krw

Nuke unused LIST() ieee80211com_head.

ok stsp@


# 1.90 10-Sep-2018 phessler

give set_ess a len variable, so we can correctly match the essid we want
to switch to.

pointed out by stsp@


# 1.89 09-Sep-2018 phessler

convert the things we save in 'join' into a single ioctl. mixing related
settings over multiple calls was risky and racy. Pass essid, wpa, and wep
parameters in a single ioctl and process it atomically.

no change for 'nwid' users

OK stsp@ benno@


# 1.88 01-Sep-2018 stsp

Make 'ifconfig nwid' override 'ifconfig join'.

There was no way to override a decision made by join's network
selection algorithm (apart from disabling the feature by clearing
the join list). Automatic selection is based on heuristics which
cannot always guess correctly so we need to provide an override.

One specific problem was that if 'nwid foo' and 'nwid bar' were
both visible in the scan and only 'nwid foo' was a member of the
join list, then there was no way at all to connect to 'nwid bar'.
The wireless stack would keep selecting 'nwid foo' instead.

'ifconfig iwm0 nwid bar' command will now disable automatic
network selection and force the use of ESSID 'bar'.
Any of these commands will re-enable automatic network selection:
ifconfig iwm0 -nwid
ifconfig iwm0 nwid ''
ifconfig iwm0 join some-network-id

ok phessler@ deraadt@


# 1.87 06-Aug-2018 stsp

Refactor ieee80211_add_ess():

Drop ieee80211_add_ess's nwid parameter. Read nwid and length directly
from the ic to make it more obvious where this function is reading from.

nwids are binary data with an explicit length, so treat them as such
instead of treating them like strings.

ok florian phessler


# 1.86 11-Jul-2018 phessler

Introduce 'auto-join' to the wifi 802.11 stack.

This allows a system to remember which ESSIDs it wants to connect to, any
relevant security configuration, and switch to it when the network we are
currently connected to is no longer available.

Works when connecting and switching between WPA2/WPA1/WEP/clear encryptions.

example hostname.if:
join home wpakey password
join work wpakey mekmitasdigoat
join open-lounge
join cafe wpakey cafe2018
join "wepnetwork" nwkey "12345"
dhcp
inet6 autoconf
up

OK stsp@ reyk@
and enthusiasm from every hackroom I've been in for the last 3 years


# 1.85 26-Apr-2018 pirofti

net80211: stub SIOCS80211SCAN, make ifconfig scan instant.

The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stsp@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.

The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.

In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.

The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...

Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.

Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).

Tested by mpi@, landry@, florian@, thanks!
OK mpi@.


Revision tags: OPENBSD_6_3_BASE
# 1.84 05-Feb-2018 stsp

Add a new function hook to struct ieee80211com which wireless drivers
can use to process, and then acknowledge or reject, incoming AUTH
requests in hostap mode.

net80211 accepts an AUTH request from any STA which fits into the node
cache. This behaviour doesn't work for devices which have a lower limit
on concurrent STAs they can serve, so such drivers need an override.

This will be used by our athn(4) USB driver soon.

ok kevlo@


# 1.83 12-Dec-2017 stsp

Make IEEE80211_CHAN_ANYC be a NULL pointer instead of a pointer to 0xffff.
Should speed up debugging.
ok phessler patrick


# 1.82 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


# 1.81 06-Nov-2017 phessler

move a function declaration, so the whole net80211 stack can disable wep or wpa

OK stsp@


# 1.80 29-Oct-2017 mpi

Kill unused members using forward declaration only types.

Found with ctfconv(1). ok jsg@, guenther@


Revision tags: OPENBSD_6_2_BASE
# 1.79 31-May-2017 stsp

The net80211 stack was providing a 'beacon miss timeout' value (in ms)
which specified how much time may elapse without beacons before drivers
begin searching for a new AP.

Drivers convert this timeout value into the amount of beacons they're allowed
to miss. Having the stack provide this number upfront simplifies things.

ok mpi@


# 1.78 30-May-2017 stsp

Introduce ieee80211_min_basic_rate() and ieee80211_max_basic_rate().

These helpers can be used by drivers to improve compatibility with APs
that disable some mandatory PHY rates in the basic rate set.

For instance, many of our drivers hard-code 11b rates on 2 GHz and run
into problems when APs disable them. Since 11b rates are being disabled
by default by some vendors, hardcoding them is not a good idea anymore.

ok mpi@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.77 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.76 30-Jan-2017 stsp

Enable ieee80211_edca_table, which was under #if 0. This table can be used
by drivers to pass default EDCA parameters to firmware instead of passing
local hardcoded values.
ok millert@


# 1.75 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.74 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.73 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@


Revision tags: OPENBSD_6_0_BASE
# 1.72 21-May-2016 stsp

Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.71 25-Jan-2016 stsp

Keep track of HT protection settings in beacons and have 11n-capable
drivers update hardware configuration accordingly.
tested by myself, tb@, deraadt@, abieber@
ok mpi@


# 1.70 12-Jan-2016 stsp

Remove wireless turbo mode support. It is a non-standard extension
which only worked with ath(4) devices from a decade ago.
Diff tested on ath(4) hardware by me to verify that 11a/b modes still work.
ok reyk deraadt chris sthen kettenis


# 1.69 06-Jan-2016 stsp

Initialize the A-MPDU parameters field in HT capability elements.
ok kettenis@


# 1.68 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.67 15-Nov-2015 stsp

Expose 11n mode to the ifmedia layer and introduce the concept of MCS.
Make sure 11n features are enabled only if media type is autoselect or 11n.

11n mode uses MCS (modulation & coding scheme) instead of rates like 11a/b/g.
This means we'll have to take the current mode into account and decide whether
to use a rate or an MCS for transmission. Receiving frames on legacy rates
will still work in 11n mode. We just won't be using legacy rates to send
data frames to an STA or AP we negotiated 11n features with.

My initial plan was to grow the ieee80211_rateset structure and treat MCS
just like rates. However, ieee80211_rateset corresponds to rates and xrates
elements in management frames and is copied directly into such elements
so its size cannot change. Thus, MCS stands on its own and corresponds to
elements in management frames related to 11n HT capabilities.

ok deraadt mpi phessler kettenis guenther


# 1.66 15-Nov-2015 stsp

Declare 802.11n mode and channel flags. Tweak 11n related fields in struct
ieee80211com and move them inside #ifndef IEEE80211_NO_HT without breaking
the build in rsu(4) for RAMDISK_CD.
Also declare 11n protection modes and MCS count.
ok deraadt mpi kettenis guenther


# 1.65 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


# 1.64 27-Sep-2015 stsp

Add ieee80211_channel_init(), factored out from ieee80211_ifattach().
Will be used by iwm(4) soon.
ok kettenis@


# 1.63 11-Sep-2015 stsp

Make room for media types of the future. Extend the ifmedia word to 64 bits.
This changes numbers of the SIOCSIFMEDIA and SIOCGIFMEDIA ioctls and
grows struct ifmediareq.

Old ifconfig and dhclient binaries can still assign addresses, however
the 'media' subcommand stops working. Recompiling ifconfig and dhclient
with new headers before a reboot should not be necessary unless in very
special circumstances where non-default media settings must be used to
get link and console access is not available.

There may be some MD fallout but that will be cleared up later.

ok deraadt miod
with help and suggestions from several sharks attending l2k15


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE OPENBSD_5_6_BASE OPENBSD_5_7_BASE OPENBSD_5_8_BASE
# 1.62 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE
# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.60 19-May-2009 damien

prevent injection of raw 802.11 control frames through bpf on drivers
that do not explicitly state this capability (using flag IEEE80211_C_RAWCTL).
also, perform all the sanity checks on injected raw 802.11 frames earlier
(in ieee80211_output instead of ieee80211_encap).

prevent kernel panics with many drivers when running aircrack-ng.
when/if all drivers are capable, we can remove this C_RAWCTL flag.


# 1.59 26-Mar-2009 damien

move #define IEEE80211_NO_HT under #ifdef SMALL_KERNEL instead
of defining it unconditionally.
although the HT code is not ready yet, making it compile on
GENERIC kernels will help catch regressions/bugs if any.


Revision tags: OPENBSD_4_5_BASE
# 1.58 08-Feb-2009 damien

initial 802.11 defragmentation bits.
the code will allow the concurrent reception of fragments of three
fragmented MSDUs or MMPDUs as required by the 802.11 standard.


# 1.57 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.56 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.55 13-Nov-2008 djm

use different TSCs when sending the two MIC failure report frames
to our AP as we enter TKIP countermeasures by caching the TSC of
the last frame to fail the MIC; prompted by and ok damien@


# 1.54 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.53 08-Sep-2008 jsg

define IEEE80211_STA_ONLY if SMALL_KERNEL is defined to shrink
the size of install media.

ok damien@ deraadt@


# 1.52 01-Sep-2008 damien

add ic_tid_noack bitmap to indicate a per-TID ACK policy (1=no ack,
0=normal ack). all bits are currently set to 0.
use this bitmap to set the ACK policy of the QoS control field of
outgoing QoS frames.


# 1.51 01-Sep-2008 damien

rework previously unused ieee80211_pwrsave() function, call it from
ieee80211_mgmt_output() and ieee80211_encap().
use new IEEE80211_C_APPMGT capability flag where appropriate.
rename ic_tim_mcast to ic_tim_mcast_pending.


# 1.50 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.49 29-Aug-2008 damien

garbage collect unused capabilities and configurations flags.
add two capabilities flags: IEEE80211_C_HT for HT STAs (802.11n)
and IEEE80211_C_APPMGT which indicates the capability for an AP
to buffer unicast and multicast traffic for STAs in PS mode.
all drivers claiming HostAP support should support that but the
truth is that none of them do.
most of them are still at the 802.11b-only era and do not update
dynamic parts of beacons or process frames from ic_pwrsaveq.


# 1.48 27-Aug-2008 damien

move definitions of channels attributes away from ieee80211.h such
that ieee80211.h contains only definitions that are part of the
802.11 standard and not constants used internally by net80211.
because channels attributes are exported to userland through the
radiotap BPF interface, add the definitions to ieee80211_radiotap.h
too (which must be kept in sync with what is used in net80211).
also, do not export combinations of channel attributes to userland
so that no one gets stupid ideas.


# 1.47 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.46 12-Aug-2008 damien

nuke unused fields.


# 1.45 12-Aug-2008 damien

add IEEE80211_F_MFPR config flags (management frame protection required)
and IEEE80211_C_MFP capability bit (driver supports MFP).


# 1.44 12-Aug-2008 damien

extend the ic_nw_keys[] array to 6 elements.
indices 0-3 will be used for group data keys while indices 4-5 will
be used for integrity group keys.
add a ic_rsngroupmgmtcipher field too.


# 1.43 12-Aug-2008 damien

Change the way we process EAPOL-Key frames.
Free the mbuf in the ieee80211_eapol_key_input() function.
Do not assume the frame is contiguous, call m_pullup2() if it is not.
We need the frame to be contiguous to process KDEs efficiently in
EAPOL-Key frames (just like we process IEs in management frames).
However, there are drivers like upgt(4) that use m_devget() in the
RX path. m_devget() can return fragmented mbuf chains.
Notice that we should do the same m_pullup2() for management frames.
This will be done later.
Remove the ic_recv_eapol callback.


Revision tags: OPENBSD_4_4_BASE
# 1.42 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.41 27-Jul-2008 damien

sanitize RX path a bit.
make sure drivers pass a contiguous header, check header length earlier.
fix checking of frames sequence number for frames containing an Address 4
field (required for future work).
fix processing of control frames (only pspoll for now).


# 1.40 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.39 21-Jul-2008 damien

instead of passing rx tstamp and rssi to the ieee80211_input function,
pass a pointer to an ieee80211_rxinfo structure containing those two
fields plus an extra flags field that indicates whether the frame was
decrypted by hardware or not.
required for a future fix.


# 1.38 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.37 17-Nov-2007 damien

make it clear in the code and in the man page that the rate2plcp and
plcp2rate functions use plcp codes in most-significant-bit-first format
(R4-R1).
some drivers like wpi(4) and iwn(4) want plcp codes in lsb-first format
so they can't use those functions.
also the IEEE standard uses R1-R4 notation so this can be a bit confusing
for those referring to it.

use u_int8_t for plcp code and rate instead of int.


# 1.36 14-Nov-2007 mglocker

Add ieee80211_rate2plcp() and ieee80211_plcp2rate() functions, which
convert the PLCP header signal field to a rate value and vice versa.

This implementation has been discussed with Damien and doesn't change
any existing net80211 structures.

ok damien@


# 1.35 03-Nov-2007 mglocker

Revert last commit which added ieee80211_rate2plcp() and
ieee80211_plcp2rate() because I've got late feedback from Damien that
he dislikes the implementation method a lot.


# 1.34 01-Nov-2007 mglocker

Add ieee80211_rate2plcp() and ieee80211_plcp2rate() functions.

Help and OK reyk@


# 1.33 22-Aug-2007 damien

- add k_rxmic and k_txmic fields to struct ieee80211_key to store the
Tx/Rx MIC for TKIP.
- add two functions to map a PTK and a GTK to an IEEE 802.11 key and
use them in ieee80211_input.c instead of duplicating the same code.
properly set Tx/Rx MIC in the IEEE 802.11 key in the case of TKIP.
- add ic_psk to struct ieee80211com to store the pre-shared key.
- fix setting of the SECURE bit in outgoing EAPOL-Key frames.
- when receiving msg 2 of the 4-way handshake, deauthenticate the
station if the RSN IE does not match that of the (Re)Association
request.
- before parsing an RSN or WPA IE, check that there's enough room for
the version field (2 bytes) which is mandatory.
- various tweaks while i'm here.


Revision tags: OPENBSD_4_2_BASE
# 1.32 28-Jul-2007 damien

add callbacks that drivers must implement to install/reset keys.
add a 64-bit replay counter for sending EAPOL-Key request frames.
add a ic_recv_eapol callback to process EAPOL frames.
drivers can redefine this callback but net80211 will implement it.


# 1.31 24-Jul-2007 damien

add ic_globalcnt to struct ieee80211com:
in an RSNA, each STA must maintain a 256-bit global key counter that
must be initialized to a random value (see 8.5.7).


# 1.30 18-Jul-2007 damien

replace the ieee80211_wepkey structure with a more generic ieee80211_key
one that can be used with other ciphers than WEP.


# 1.29 05-Jul-2007 damien

split ieee80211_add_rsn() so that the code can be reused for
vendor-specific IE.


# 1.28 04-Jul-2007 damien

add RSN flags for ic_caps and ic_flags.


# 1.27 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.26 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.25 21-Jun-2007 damien

add (currently unused) code to parse RSN IEs.


# 1.24 21-Jun-2007 damien

add fields for EDCA.


# 1.23 17-Jun-2007 damien

Add a new capability flag IEEE80211_C_QOS indicating that the driver
supports QoS.
Add a new flag IEEE80211_F_QOS indicating whether QoS is enabled or not.
Add a callback to notify drivers that AC parameters have changed in
the QBSS. Drivers implementing QoS should define this callback and
update their EDCA settings accordingly.


# 1.22 16-Jun-2007 damien

constify


# 1.21 11-Jun-2007 damien

adds 802.11e EDCA tables for QAPs and non-AP QSTAs.
not used yet.

ok jsg@ deraadt@


# 1.20 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.19 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 19-Oct-2006 tom

s/Mhz/MHz/ in comments and printf() strings

ok jsg@


Revision tags: OPENBSD_4_0_BASE
# 1.16 27-Jun-2006 reyk

add the net80211 hostap options "nwflag hidenwid" for hidden SSID mode
and "nwflag nobridge" to prevent inter-station communications.
"hidenwid" will also work with wi(4) to replace the old -E 3 option of
wicontrol.

ok damien@ jmc@


# 1.15 24-Jun-2006 deraadt

ieee80211_cfgget() and ieee80211_cfgset() are dead; ok jsg


# 1.14 23-Jun-2006 reyk

add an optional max_rssi attribute to the ieee80211com structure and
allow to export the RSSI Max value with ioctls and by radiotap
headers.

ok damien@ jsg@

description:

we currently use "dB" as an indication for the signal strength in
ifconfig and in the radiotap headers. it means "decibel difference
from an arbitrary, fixed reference". this is quite confusing, because
different chipsets have different references for the dB/rssi values.

we can use the plain RSSI which is described in IEEE 802.11: "The
receive signal strength indicator (RSSI) is an optional parameter that
has a value of 0 through RSSI Max.". all wireless chipsets have
something like a RSSI (normally as a Rx descriptor field), but the
value for RSSI Max is chipset-specific.

if we know the RSSI Max, we can calculate a percentage which is much
easier to understand for the user. we even don't have to use the
absolute RSSI Max, we can use an average RSSI Max, figured out by
monitoring and tuning the RSSI Max of the drivers. if the user gets a
signal of 110%, it would mean "better than the average Max signal".

there's no need to do any RSSI calculations in the kernel, it just
passes the relative rssi and max_rssi values to userspace. this is
done in the ieee80211_nodereq ioctl structure and possible with a new
radiotap header. the radiotap RSSI header allows to get a flexible but
common signal indicator instead of the complex and unrelated dB/dBm
signal fields. it must include two 8bit values current rssi and RSSI
max.


# 1.13 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.12 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.11 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.10 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.9 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.8 13-May-2005 jsg

do { } while (0) wrappers on debug printf macros. ok reyk@


# 1.7 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.6 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.5 15-Feb-2005 reyk

add the manual tx power option. this is supported by some prism2/2.5/3
cards in hostap mode but it depends on the firmware version. support
for other wireless chipsets will be added in the future using the
net80211-framework.

ok robert@ bob@ danh@, tested by some others


# 1.4 25-Dec-2004 deraadt

in real C, there is no , after the last enum entry; ok reyk


# 1.3 06-Dec-2004 dlg

add a flag that lets a wireless card indicate it can receive probe responses
or beacons on any channel during a scan.

ok damien@ "come on" deraadt@


# 1.2 02-Nov-2004 reyk

some changes merged in from netbsd. ieee80211_regdomain.# will be used
by sdr (software defined radios).

ok deraadt@ millert@ damien@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.105 23-Sep-2021 stsp

Add an ADDBA_OFFLOAD capability for wifi devices which manage Tx block ack
sessions entirely in firmware. This will be used by iwx(4).


Revision tags: OPENBSD_7_0_BASE
# 1.104 17-May-2021 stsp

put unused 802.11 fragmentation support code under #ifdef notyet


# 1.103 29-Apr-2021 stsp

Make iwn, iwm, and iwx keep track of beacon parameters at run-time.

- HT protection settings (this was already implemented)
- ERP (11g) protection setting
- short slottime setting
- short preamble setting
- EDCA (QoS) parameters

All of these parameters are communicated in beacons and hardware is
now kept up-to-date with them.

Prompted by a problem report from Christian Ehrhardt regarding ERP.

Tested:
iwn 6205: stsp, Josh Grosse
iwm 7265: trondd
iwm 8265: stsp, Matthias Schmidt
iwm 9260: phessler
iwx ax200: stsp, jmc, gnezdo


Revision tags: OPENBSD_6_8_BASE OPENBSD_6_9_BASE
# 1.102 15-Jul-2020 cheloha

ieee80211: track micfail timeout with getuptime(9) instead of ticks

With input from stsp@.

ok stsp@


Revision tags: OPENBSD_6_7_BASE
# 1.101 09-Nov-2019 stsp

Give access points which fail to AUTH or ASSOC less priority during
the next selection of networks from the join list. Prevents endless
attempts to connect to an AP which is out of reach but still somehow
manages to get a beacon or two across to us during scan.

Tested with wifi networks at the University of Bucharest.
Makes switching wifi networks possible after walking to a different
room without having to down/up the interface or suspend/resume.

ok phessler@


# 1.100 09-Nov-2019 stsp

Trigger a background scan when root runs the 'ifconfig scan' command.
This will update the list of cached APs for future invocations of the
'scan' command, and will force a search for a better AP to roam to.
ok sthen@ phessler@


# 1.99 06-Nov-2019 stsp

Raise net80211's "beacon miss" threshold to avoid frequent re-connects
to APs that are relatively far away and suffer some packet loss.

The former threshold was 7 beacons (about 700 ms).
This raises the threshold to 30 beacons (about 3 seconds).
Should still be good enough for detecting APs that have disappeared, and
makes wifi networks provided by the University of Bucharest more reliable
in the p2k19 hackroom.

While here, make 'ifconfig iwm0/iwn0 debug' print an obvious message when
we believe that the AP has disappeared.

Problem reported and fix tested by landry@ / pirofti@
ok mpi@ sthen@


# 1.98 31-Oct-2019 stsp

Make background scans less frequent if we keep choosing the same AP.

This helps a bit in situations where a single AP is used and background scans
are causing packet loss, as seen with Jesper Wallin's Broadcom-based AP and my
Android phone in hotspot mode. This is not a proper fix but our background scan
frequency against a single AP was much higher than needed anyway.

Tested by jan, job, benno, Tracey Emery, Jesper Wallin


Revision tags: OPENBSD_6_6_BASE
# 1.97 29-Jul-2019 stsp

Add support for 802.11n Tx aggregation to net80211 and the iwn(4) driver.

In particular, add Tx block ack session management to net80211, with
enough functionality to support Tx aggregation on devices which perform
A-MPDU subframe scheduling in firmware.
Make use of the iwn(4) firmware Tx scheduler to build A-MPDUs.

net80211's QoS support code is now enabled and used by Tx aggregation.

A-MSDU frames inside A-MPDUs have been tested and work in principle.
For now, this feature is disabled because unfair TCP connection sharing
was observed during testing, where bursts of TCP Ack frames for a single
tcpbench(1) connection arriving in A-MSDUs made other TCP connections stall.
Switch off support for A-MSDUs inside A-MPDUs on the Rx side as well.

Tested on iwn chipsets 1000, 4965, 5100, 5300, 2200, 6200, 6205, 6300
(committed version of tested diff has all debug printfs removed)
tests/ok benno kmos mlarkin kevlo


# 1.96 12-May-2019 stsp

Fix 'ifconfig nwflags'; these flags ended up overlapping with other flags
in ieee80211com's ic_flags because we haven't been paying attention to
them (they're not in the same place in the code and hence easy to miss).
Move them to a dedicated variable to avoid this problem in the future.

Add a new 'stayauth' nwflag which can be set to let net80211 ignore
deauth frames. This can be useful when deauth frames are being
persistently spoofed by an attacker. Idea from beck@

ok beck@ phessler@


Revision tags: OPENBSD_6_5_BASE
# 1.95 01-Mar-2019 stsp

Improve handling of HT protection for 'mode 11n' hostap.

Consider the mere presence of HTCAP IEs as indicator of 11n support,
rather than checking advertised Rx MCS. Fixes some devices being
misclassified as 11a/g, causing HT protection to be enabled even
though it is not needed.

Use CTS-to-self frames for HT protection instead of RTS/CTS.

These changes make my athn(4) AR9280 hostap perform much better.

ok phessler@


# 1.94 19-Feb-2019 stsp

Make ifconfig(8) display whether bwfm(4) firmware is using 802.11ac.
ok patrick@ mpi@


# 1.93 18-Jan-2019 phessler

add a len field when we delete an essid from the joinlist. this will have
us properly match, instead of hoping we got lucky when selecting it.

OK stsp@


# 1.92 27-Oct-2018 phessler

pass around the ess and ni structures we plan to use directly, instead
of rediscovering them (possibly badly).

OK stsp@


Revision tags: OPENBSD_6_4_BASE
# 1.91 11-Sep-2018 krw

Nuke unused LIST() ieee80211com_head.

ok stsp@


# 1.90 10-Sep-2018 phessler

give set_ess a len variable, so we can correctly match the essid we want
to switch to.

pointed out by stsp@


# 1.89 09-Sep-2018 phessler

convert the things we save in 'join' into a single ioctl. mixing related
settings over multiple calls was risky and racy. Pass essid, wpa, and wep
parameters in a single ioctl and process it atomically.

no change for 'nwid' users

OK stsp@ benno@


# 1.88 01-Sep-2018 stsp

Make 'ifconfig nwid' override 'ifconfig join'.

There was no way to override a decision made by join's network
selection algorithm (apart from disabling the feature by clearing
the join list). Automatic selection is based on heuristics which
cannot always guess correctly so we need to provide an override.

One specific problem was that if 'nwid foo' and 'nwid bar' were
both visible in the scan and only 'nwid foo' was a member of the
join list, then there was no way at all to connect to 'nwid bar'.
The wireless stack would keep selecting 'nwid foo' instead.

'ifconfig iwm0 nwid bar' command will now disable automatic
network selection and force the use of ESSID 'bar'.
Any of these commands will re-enable automatic network selection:
ifconfig iwm0 -nwid
ifconfig iwm0 nwid ''
ifconfig iwm0 join some-network-id

ok phessler@ deraadt@


# 1.87 06-Aug-2018 stsp

Refactor ieee80211_add_ess():

Drop ieee80211_add_ess's nwid parameter. Read nwid and length directly
from the ic to make it more obvious where this function is reading from.

nwids are binary data with an explicit length, so treat them as such
instead of treating them like strings.

ok florian phessler


# 1.86 11-Jul-2018 phessler

Introduce 'auto-join' to the wifi 802.11 stack.

This allows a system to remember which ESSIDs it wants to connect to, any
relevant security configuration, and switch to it when the network we are
currently connected to is no longer available.

Works when connecting and switching between WPA2/WPA1/WEP/clear encryptions.

example hostname.if:
join home wpakey password
join work wpakey mekmitasdigoat
join open-lounge
join cafe wpakey cafe2018
join "wepnetwork" nwkey "12345"
dhcp
inet6 autoconf
up

OK stsp@ reyk@
and enthusiasm from every hackroom I've been in for the last 3 years


# 1.85 26-Apr-2018 pirofti

net80211: stub SIOCS80211SCAN, make ifconfig scan instant.

The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stsp@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.

The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.

In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.

The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...

Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.

Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).

Tested by mpi@, landry@, florian@, thanks!
OK mpi@.


Revision tags: OPENBSD_6_3_BASE
# 1.84 05-Feb-2018 stsp

Add a new function hook to struct ieee80211com which wireless drivers
can use to process, and then acknowledge or reject, incoming AUTH
requests in hostap mode.

net80211 accepts an AUTH request from any STA which fits into the node
cache. This behaviour doesn't work for devices which have a lower limit
on concurrent STAs they can serve, so such drivers need an override.

This will be used by our athn(4) USB driver soon.

ok kevlo@


# 1.83 12-Dec-2017 stsp

Make IEEE80211_CHAN_ANYC be a NULL pointer instead of a pointer to 0xffff.
Should speed up debugging.
ok phessler patrick


# 1.82 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


# 1.81 06-Nov-2017 phessler

move a function declaration, so the whole net80211 stack can disable wep or wpa

OK stsp@


# 1.80 29-Oct-2017 mpi

Kill unused members using forward declaration only types.

Found with ctfconv(1). ok jsg@, guenther@


Revision tags: OPENBSD_6_2_BASE
# 1.79 31-May-2017 stsp

The net80211 stack was providing a 'beacon miss timeout' value (in ms)
which specified how much time may elapse without beacons before drivers
begin searching for a new AP.

Drivers convert this timeout value into the amount of beacons they're allowed
to miss. Having the stack provide this number upfront simplifies things.

ok mpi@


# 1.78 30-May-2017 stsp

Introduce ieee80211_min_basic_rate() and ieee80211_max_basic_rate().

These helpers can be used by drivers to improve compatibility with APs
that disable some mandatory PHY rates in the basic rate set.

For instance, many of our drivers hard-code 11b rates on 2 GHz and run
into problems when APs disable them. Since 11b rates are being disabled
by default by some vendors, hardcoding them is not a good idea anymore.

ok mpi@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.77 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.76 30-Jan-2017 stsp

Enable ieee80211_edca_table, which was under #if 0. This table can be used
by drivers to pass default EDCA parameters to firmware instead of passing
local hardcoded values.
ok millert@


# 1.75 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.74 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.73 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@


Revision tags: OPENBSD_6_0_BASE
# 1.72 21-May-2016 stsp

Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.71 25-Jan-2016 stsp

Keep track of HT protection settings in beacons and have 11n-capable
drivers update hardware configuration accordingly.
tested by myself, tb@, deraadt@, abieber@
ok mpi@


# 1.70 12-Jan-2016 stsp

Remove wireless turbo mode support. It is a non-standard extension
which only worked with ath(4) devices from a decade ago.
Diff tested on ath(4) hardware by me to verify that 11a/b modes still work.
ok reyk deraadt chris sthen kettenis


# 1.69 06-Jan-2016 stsp

Initialize the A-MPDU parameters field in HT capability elements.
ok kettenis@


# 1.68 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.67 15-Nov-2015 stsp

Expose 11n mode to the ifmedia layer and introduce the concept of MCS.
Make sure 11n features are enabled only if media type is autoselect or 11n.

11n mode uses MCS (modulation & coding scheme) instead of rates like 11a/b/g.
This means we'll have to take the current mode into account and decide whether
to use a rate or an MCS for transmission. Receiving frames on legacy rates
will still work in 11n mode. We just won't be using legacy rates to send
data frames to an STA or AP we negotiated 11n features with.

My initial plan was to grow the ieee80211_rateset structure and treat MCS
just like rates. However, ieee80211_rateset corresponds to rates and xrates
elements in management frames and is copied directly into such elements
so its size cannot change. Thus, MCS stands on its own and corresponds to
elements in management frames related to 11n HT capabilities.

ok deraadt mpi phessler kettenis guenther


# 1.66 15-Nov-2015 stsp

Declare 802.11n mode and channel flags. Tweak 11n related fields in struct
ieee80211com and move them inside #ifndef IEEE80211_NO_HT without breaking
the build in rsu(4) for RAMDISK_CD.
Also declare 11n protection modes and MCS count.
ok deraadt mpi kettenis guenther


# 1.65 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


# 1.64 27-Sep-2015 stsp

Add ieee80211_channel_init(), factored out from ieee80211_ifattach().
Will be used by iwm(4) soon.
ok kettenis@


# 1.63 11-Sep-2015 stsp

Make room for media types of the future. Extend the ifmedia word to 64 bits.
This changes numbers of the SIOCSIFMEDIA and SIOCGIFMEDIA ioctls and
grows struct ifmediareq.

Old ifconfig and dhclient binaries can still assign addresses, however
the 'media' subcommand stops working. Recompiling ifconfig and dhclient
with new headers before a reboot should not be necessary unless in very
special circumstances where non-default media settings must be used to
get link and console access is not available.

There may be some MD fallout but that will be cleared up later.

ok deraadt miod
with help and suggestions from several sharks attending l2k15


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE OPENBSD_5_6_BASE OPENBSD_5_7_BASE OPENBSD_5_8_BASE
# 1.62 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE
# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.60 19-May-2009 damien

prevent injection of raw 802.11 control frames through bpf on drivers
that do not explicitly state this capability (using flag IEEE80211_C_RAWCTL).
also, perform all the sanity checks on injected raw 802.11 frames earlier
(in ieee80211_output instead of ieee80211_encap).

prevent kernel panics with many drivers when running aircrack-ng.
when/if all drivers are capable, we can remove this C_RAWCTL flag.


# 1.59 26-Mar-2009 damien

move #define IEEE80211_NO_HT under #ifdef SMALL_KERNEL instead
of defining it unconditionally.
although the HT code is not ready yet, making it compile on
GENERIC kernels will help catch regressions/bugs if any.


Revision tags: OPENBSD_4_5_BASE
# 1.58 08-Feb-2009 damien

initial 802.11 defragmentation bits.
the code will allow the concurrent reception of fragments of three
fragmented MSDUs or MMPDUs as required by the 802.11 standard.


# 1.57 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.56 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.55 13-Nov-2008 djm

use different TSCs when sending the two MIC failure report frames
to our AP as we enter TKIP countermeasures by caching the TSC of
the last frame to fail the MIC; prompted by and ok damien@


# 1.54 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.53 08-Sep-2008 jsg

define IEEE80211_STA_ONLY if SMALL_KERNEL is defined to shrink
the size of install media.

ok damien@ deraadt@


# 1.52 01-Sep-2008 damien

add ic_tid_noack bitmap to indicate a per-TID ACK policy (1=no ack,
0=normal ack). all bits are currently set to 0.
use this bitmap to set the ACK policy of the QoS control field of
outgoing QoS frames.


# 1.51 01-Sep-2008 damien

rework previously unused ieee80211_pwrsave() function, call it from
ieee80211_mgmt_output() and ieee80211_encap().
use new IEEE80211_C_APPMGT capability flag where appropriate.
rename ic_tim_mcast to ic_tim_mcast_pending.


# 1.50 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.49 29-Aug-2008 damien

garbage collect unused capabilities and configurations flags.
add two capabilities flags: IEEE80211_C_HT for HT STAs (802.11n)
and IEEE80211_C_APPMGT which indicates the capability for an AP
to buffer unicast and multicast traffic for STAs in PS mode.
all drivers claiming HostAP support should support that but the
truth is that none of them do.
most of them are still at the 802.11b-only era and do not update
dynamic parts of beacons or process frames from ic_pwrsaveq.


# 1.48 27-Aug-2008 damien

move definitions of channels attributes away from ieee80211.h such
that ieee80211.h contains only definitions that are part of the
802.11 standard and not constants used internally by net80211.
because channels attributes are exported to userland through the
radiotap BPF interface, add the definitions to ieee80211_radiotap.h
too (which must be kept in sync with what is used in net80211).
also, do not export combinations of channel attributes to userland
so that no one gets stupid ideas.


# 1.47 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.46 12-Aug-2008 damien

nuke unused fields.


# 1.45 12-Aug-2008 damien

add IEEE80211_F_MFPR config flags (management frame protection required)
and IEEE80211_C_MFP capability bit (driver supports MFP).


# 1.44 12-Aug-2008 damien

extend the ic_nw_keys[] array to 6 elements.
indices 0-3 will be used for group data keys while indices 4-5 will
be used for integrity group keys.
add a ic_rsngroupmgmtcipher field too.


# 1.43 12-Aug-2008 damien

Change the way we process EAPOL-Key frames.
Free the mbuf in the ieee80211_eapol_key_input() function.
Do not assume the frame is contiguous, call m_pullup2() if it is not.
We need the frame to be contiguous to process KDEs efficiently in
EAPOL-Key frames (just like we process IEs in management frames).
However, there are drivers like upgt(4) that use m_devget() in the
RX path. m_devget() can return fragmented mbuf chains.
Notice that we should do the same m_pullup2() for management frames.
This will be done later.
Remove the ic_recv_eapol callback.


Revision tags: OPENBSD_4_4_BASE
# 1.42 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.41 27-Jul-2008 damien

sanitize RX path a bit.
make sure drivers pass a contiguous header, check header length earlier.
fix checking of frames sequence number for frames containing an Address 4
field (required for future work).
fix processing of control frames (only pspoll for now).


# 1.40 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.39 21-Jul-2008 damien

instead of passing rx tstamp and rssi to the ieee80211_input function,
pass a pointer to an ieee80211_rxinfo structure containing those two
fields plus an extra flags field that indicates whether the frame was
decrypted by hardware or not.
required for a future fix.


# 1.38 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.37 17-Nov-2007 damien

make it clear in the code and in the man page that the rate2plcp and
plcp2rate functions use plcp codes in most-significant-bit-first format
(R4-R1).
some drivers like wpi(4) and iwn(4) want plcp codes in lsb-first format
so they can't use those functions.
also the IEEE standard uses R1-R4 notation so this can be a bit confusing
for those referring to it.

use u_int8_t for plcp code and rate instead of int.


# 1.36 14-Nov-2007 mglocker

Add ieee80211_rate2plcp() and ieee80211_plcp2rate() functions, which
convert the PLCP header signal field to a rate value and vice versa.

This implementation has been discussed with Damien and doesn't change
any existing net80211 structures.

ok damien@


# 1.35 03-Nov-2007 mglocker

Revert last commit which added ieee80211_rate2plcp() and
ieee80211_plcp2rate() because I've got late feedback from Damien that
he dislikes the implementation method a lot.


# 1.34 01-Nov-2007 mglocker

Add ieee80211_rate2plcp() and ieee80211_plcp2rate() functions.

Help and OK reyk@


# 1.33 22-Aug-2007 damien

- add k_rxmic and k_txmic fields to struct ieee80211_key to store the
Tx/Rx MIC for TKIP.
- add two functions to map a PTK and a GTK to an IEEE 802.11 key and
use them in ieee80211_input.c instead of duplicating the same code.
properly set Tx/Rx MIC in the IEEE 802.11 key in the case of TKIP.
- add ic_psk to struct ieee80211com to store the pre-shared key.
- fix setting of the SECURE bit in outgoing EAPOL-Key frames.
- when receiving msg 2 of the 4-way handshake, deauthenticate the
station if the RSN IE does not match that of the (Re)Association
request.
- before parsing an RSN or WPA IE, check that there's enough room for
the version field (2 bytes) which is mandatory.
- various tweaks while i'm here.


Revision tags: OPENBSD_4_2_BASE
# 1.32 28-Jul-2007 damien

add callbacks that drivers must implement to install/reset keys.
add a 64-bit replay counter for sending EAPOL-Key request frames.
add a ic_recv_eapol callback to process EAPOL frames.
drivers can redefine this callback but net80211 will implement it.


# 1.31 24-Jul-2007 damien

add ic_globalcnt to struct ieee80211com:
in an RSNA, each STA must maintain a 256-bit global key counter that
must be initialized to a random value (see 8.5.7).


# 1.30 18-Jul-2007 damien

replace the ieee80211_wepkey structure with a more generic ieee80211_key
one that can be used with other ciphers than WEP.


# 1.29 05-Jul-2007 damien

split ieee80211_add_rsn() so that the code can be reused for
vendor-specific IE.


# 1.28 04-Jul-2007 damien

add RSN flags for ic_caps and ic_flags.


# 1.27 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.26 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.25 21-Jun-2007 damien

add (currently unused) code to parse RSN IEs.


# 1.24 21-Jun-2007 damien

add fields for EDCA.


# 1.23 17-Jun-2007 damien

Add a new capability flag IEEE80211_C_QOS indicating that the driver
supports QoS.
Add a new flag IEEE80211_F_QOS indicating whether QoS is enabled or not.
Add a callback to notify drivers that AC parameters have changed in
the QBSS. Drivers implementing QoS should define this callback and
update their EDCA settings accordingly.


# 1.22 16-Jun-2007 damien

constify


# 1.21 11-Jun-2007 damien

adds 802.11e EDCA tables for QAPs and non-AP QSTAs.
not used yet.

ok jsg@ deraadt@


# 1.20 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.19 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 19-Oct-2006 tom

s/Mhz/MHz/ in comments and printf() strings

ok jsg@


Revision tags: OPENBSD_4_0_BASE
# 1.16 27-Jun-2006 reyk

add the net80211 hostap options "nwflag hidenwid" for hidden SSID mode
and "nwflag nobridge" to prevent inter-station communications.
"hidenwid" will also work with wi(4) to replace the old -E 3 option of
wicontrol.

ok damien@ jmc@


# 1.15 24-Jun-2006 deraadt

ieee80211_cfgget() and ieee80211_cfgset() are dead; ok jsg


# 1.14 23-Jun-2006 reyk

add an optional max_rssi attribute to the ieee80211com structure and
allow to export the RSSI Max value with ioctls and by radiotap
headers.

ok damien@ jsg@

description:

we currently use "dB" as an indication for the signal strength in
ifconfig and in the radiotap headers. it means "decibel difference
from an arbitrary, fixed reference". this is quite confusing, because
different chipsets have different references for the dB/rssi values.

we can use the plain RSSI which is described in IEEE 802.11: "The
receive signal strength indicator (RSSI) is an optional parameter that
has a value of 0 through RSSI Max.". all wireless chipsets have
something like a RSSI (normally as a Rx descriptor field), but the
value for RSSI Max is chipset-specific.

if we know the RSSI Max, we can calculate a percentage which is much
easier to understand for the user. we even don't have to use the
absolute RSSI Max, we can use an average RSSI Max, figured out by
monitoring and tuning the RSSI Max of the drivers. if the user gets a
signal of 110%, it would mean "better than the average Max signal".

there's no need to do any RSSI calculations in the kernel, it just
passes the relative rssi and max_rssi values to userspace. this is
done in the ieee80211_nodereq ioctl structure and possible with a new
radiotap header. the radiotap RSSI header allows to get a flexible but
common signal indicator instead of the complex and unrelated dB/dBm
signal fields. it must include two 8bit values current rssi and RSSI
max.


# 1.13 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.12 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.11 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.10 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.9 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.8 13-May-2005 jsg

do { } while (0) wrappers on debug printf macros. ok reyk@


# 1.7 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.6 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.5 15-Feb-2005 reyk

add the manual tx power option. this is supported by some prism2/2.5/3
cards in hostap mode but it depends on the firmware version. support
for other wireless chipsets will be added in the future using the
net80211-framework.

ok robert@ bob@ danh@, tested by some others


# 1.4 25-Dec-2004 deraadt

in real C, there is no , after the last enum entry; ok reyk


# 1.3 06-Dec-2004 dlg

add a flag that lets a wireless card indicate it can receive probe responses
or beacons on any channel during a scan.

ok damien@ "come on" deraadt@


# 1.2 02-Nov-2004 reyk

some changes merged in from netbsd. ieee80211_regdomain.# will be used
by sdr (software defined radios).

ok deraadt@ millert@ damien@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.104 17-May-2021 stsp

put unused 802.11 fragmentation support code under #ifdef notyet


# 1.103 29-Apr-2021 stsp

Make iwn, iwm, and iwx keep track of beacon parameters at run-time.

- HT protection settings (this was already implemented)
- ERP (11g) protection setting
- short slottime setting
- short preamble setting
- EDCA (QoS) parameters

All of these parameters are communicated in beacons and hardware is
now kept up-to-date with them.

Prompted by a problem report from Christian Ehrhardt regarding ERP.

Tested:
iwn 6205: stsp, Josh Grosse
iwm 7265: trondd
iwm 8265: stsp, Matthias Schmidt
iwm 9260: phessler
iwx ax200: stsp, jmc, gnezdo


Revision tags: OPENBSD_6_8_BASE OPENBSD_6_9_BASE
# 1.102 15-Jul-2020 cheloha

ieee80211: track micfail timeout with getuptime(9) instead of ticks

With input from stsp@.

ok stsp@


Revision tags: OPENBSD_6_7_BASE
# 1.101 09-Nov-2019 stsp

Give access points which fail to AUTH or ASSOC less priority during
the next selection of networks from the join list. Prevents endless
attempts to connect to an AP which is out of reach but still somehow
manages to get a beacon or two across to us during scan.

Tested with wifi networks at the University of Bucharest.
Makes switching wifi networks possible after walking to a different
room without having to down/up the interface or suspend/resume.

ok phessler@


# 1.100 09-Nov-2019 stsp

Trigger a background scan when root runs the 'ifconfig scan' command.
This will update the list of cached APs for future invocations of the
'scan' command, and will force a search for a better AP to roam to.
ok sthen@ phessler@


# 1.99 06-Nov-2019 stsp

Raise net80211's "beacon miss" threshold to avoid frequent re-connects
to APs that are relatively far away and suffer some packet loss.

The former threshold was 7 beacons (about 700 ms).
This raises the threshold to 30 beacons (about 3 seconds).
Should still be good enough for detecting APs that have disappeared, and
makes wifi networks provided by the University of Bucharest more reliable
in the p2k19 hackroom.

While here, make 'ifconfig iwm0/iwn0 debug' print an obvious message when
we believe that the AP has disappeared.

Problem reported and fix tested by landry@ / pirofti@
ok mpi@ sthen@


# 1.98 31-Oct-2019 stsp

Make background scans less frequent if we keep choosing the same AP.

This helps a bit in situations where a single AP is used and background scans
are causing packet loss, as seen with Jesper Wallin's Broadcom-based AP and my
Android phone in hotspot mode. This is not a proper fix but our background scan
frequency against a single AP was much higher than needed anyway.

Tested by jan, job, benno, Tracey Emery, Jesper Wallin


Revision tags: OPENBSD_6_6_BASE
# 1.97 29-Jul-2019 stsp

Add support for 802.11n Tx aggregation to net80211 and the iwn(4) driver.

In particular, add Tx block ack session management to net80211, with
enough functionality to support Tx aggregation on devices which perform
A-MPDU subframe scheduling in firmware.
Make use of the iwn(4) firmware Tx scheduler to build A-MPDUs.

net80211's QoS support code is now enabled and used by Tx aggregation.

A-MSDU frames inside A-MPDUs have been tested and work in principle.
For now, this feature is disabled because unfair TCP connection sharing
was observed during testing, where bursts of TCP Ack frames for a single
tcpbench(1) connection arriving in A-MSDUs made other TCP connections stall.
Switch off support for A-MSDUs inside A-MPDUs on the Rx side as well.

Tested on iwn chipsets 1000, 4965, 5100, 5300, 2200, 6200, 6205, 6300
(committed version of tested diff has all debug printfs removed)
tests/ok benno kmos mlarkin kevlo


# 1.96 12-May-2019 stsp

Fix 'ifconfig nwflags'; these flags ended up overlapping with other flags
in ieee80211com's ic_flags because we haven't been paying attention to
them (they're not in the same place in the code and hence easy to miss).
Move them to a dedicated variable to avoid this problem in the future.

Add a new 'stayauth' nwflag which can be set to let net80211 ignore
deauth frames. This can be useful when deauth frames are being
persistently spoofed by an attacker. Idea from beck@

ok beck@ phessler@


Revision tags: OPENBSD_6_5_BASE
# 1.95 01-Mar-2019 stsp

Improve handling of HT protection for 'mode 11n' hostap.

Consider the mere presence of HTCAP IEs as indicator of 11n support,
rather than checking advertised Rx MCS. Fixes some devices being
misclassified as 11a/g, causing HT protection to be enabled even
though it is not needed.

Use CTS-to-self frames for HT protection instead of RTS/CTS.

These changes make my athn(4) AR9280 hostap perform much better.

ok phessler@


# 1.94 19-Feb-2019 stsp

Make ifconfig(8) display whether bwfm(4) firmware is using 802.11ac.
ok patrick@ mpi@


# 1.93 18-Jan-2019 phessler

add a len field when we delete an essid from the joinlist. this will have
us properly match, instead of hoping we got lucky when selecting it.

OK stsp@


# 1.92 27-Oct-2018 phessler

pass around the ess and ni structures we plan to use directly, instead
of rediscovering them (possibly badly).

OK stsp@


Revision tags: OPENBSD_6_4_BASE
# 1.91 11-Sep-2018 krw

Nuke unused LIST() ieee80211com_head.

ok stsp@


# 1.90 10-Sep-2018 phessler

give set_ess a len variable, so we can correctly match the essid we want
to switch to.

pointed out by stsp@


# 1.89 09-Sep-2018 phessler

convert the things we save in 'join' into a single ioctl. mixing related
settings over multiple calls was risky and racy. Pass essid, wpa, and wep
parameters in a single ioctl and process it atomically.

no change for 'nwid' users

OK stsp@ benno@


# 1.88 01-Sep-2018 stsp

Make 'ifconfig nwid' override 'ifconfig join'.

There was no way to override a decision made by join's network
selection algorithm (apart from disabling the feature by clearing
the join list). Automatic selection is based on heuristics which
cannot always guess correctly so we need to provide an override.

One specific problem was that if 'nwid foo' and 'nwid bar' were
both visible in the scan and only 'nwid foo' was a member of the
join list, then there was no way at all to connect to 'nwid bar'.
The wireless stack would keep selecting 'nwid foo' instead.

'ifconfig iwm0 nwid bar' command will now disable automatic
network selection and force the use of ESSID 'bar'.
Any of these commands will re-enable automatic network selection:
ifconfig iwm0 -nwid
ifconfig iwm0 nwid ''
ifconfig iwm0 join some-network-id

ok phessler@ deraadt@


# 1.87 06-Aug-2018 stsp

Refactor ieee80211_add_ess():

Drop ieee80211_add_ess's nwid parameter. Read nwid and length directly
from the ic to make it more obvious where this function is reading from.

nwids are binary data with an explicit length, so treat them as such
instead of treating them like strings.

ok florian phessler


# 1.86 11-Jul-2018 phessler

Introduce 'auto-join' to the wifi 802.11 stack.

This allows a system to remember which ESSIDs it wants to connect to, any
relevant security configuration, and switch to it when the network we are
currently connected to is no longer available.

Works when connecting and switching between WPA2/WPA1/WEP/clear encryptions.

example hostname.if:
join home wpakey password
join work wpakey mekmitasdigoat
join open-lounge
join cafe wpakey cafe2018
join "wepnetwork" nwkey "12345"
dhcp
inet6 autoconf
up

OK stsp@ reyk@
and enthusiasm from every hackroom I've been in for the last 3 years


# 1.85 26-Apr-2018 pirofti

net80211: stub SIOCS80211SCAN, make ifconfig scan instant.

The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stsp@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.

The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.

In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.

The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...

Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.

Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).

Tested by mpi@, landry@, florian@, thanks!
OK mpi@.


Revision tags: OPENBSD_6_3_BASE
# 1.84 05-Feb-2018 stsp

Add a new function hook to struct ieee80211com which wireless drivers
can use to process, and then acknowledge or reject, incoming AUTH
requests in hostap mode.

net80211 accepts an AUTH request from any STA which fits into the node
cache. This behaviour doesn't work for devices which have a lower limit
on concurrent STAs they can serve, so such drivers need an override.

This will be used by our athn(4) USB driver soon.

ok kevlo@


# 1.83 12-Dec-2017 stsp

Make IEEE80211_CHAN_ANYC be a NULL pointer instead of a pointer to 0xffff.
Should speed up debugging.
ok phessler patrick


# 1.82 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


# 1.81 06-Nov-2017 phessler

move a function declaration, so the whole net80211 stack can disable wep or wpa

OK stsp@


# 1.80 29-Oct-2017 mpi

Kill unused members using forward declaration only types.

Found with ctfconv(1). ok jsg@, guenther@


Revision tags: OPENBSD_6_2_BASE
# 1.79 31-May-2017 stsp

The net80211 stack was providing a 'beacon miss timeout' value (in ms)
which specified how much time may elapse without beacons before drivers
begin searching for a new AP.

Drivers convert this timeout value into the amount of beacons they're allowed
to miss. Having the stack provide this number upfront simplifies things.

ok mpi@


# 1.78 30-May-2017 stsp

Introduce ieee80211_min_basic_rate() and ieee80211_max_basic_rate().

These helpers can be used by drivers to improve compatibility with APs
that disable some mandatory PHY rates in the basic rate set.

For instance, many of our drivers hard-code 11b rates on 2 GHz and run
into problems when APs disable them. Since 11b rates are being disabled
by default by some vendors, hardcoding them is not a good idea anymore.

ok mpi@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.77 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.76 30-Jan-2017 stsp

Enable ieee80211_edca_table, which was under #if 0. This table can be used
by drivers to pass default EDCA parameters to firmware instead of passing
local hardcoded values.
ok millert@


# 1.75 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.74 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.73 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@


Revision tags: OPENBSD_6_0_BASE
# 1.72 21-May-2016 stsp

Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.71 25-Jan-2016 stsp

Keep track of HT protection settings in beacons and have 11n-capable
drivers update hardware configuration accordingly.
tested by myself, tb@, deraadt@, abieber@
ok mpi@


# 1.70 12-Jan-2016 stsp

Remove wireless turbo mode support. It is a non-standard extension
which only worked with ath(4) devices from a decade ago.
Diff tested on ath(4) hardware by me to verify that 11a/b modes still work.
ok reyk deraadt chris sthen kettenis


# 1.69 06-Jan-2016 stsp

Initialize the A-MPDU parameters field in HT capability elements.
ok kettenis@


# 1.68 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.67 15-Nov-2015 stsp

Expose 11n mode to the ifmedia layer and introduce the concept of MCS.
Make sure 11n features are enabled only if media type is autoselect or 11n.

11n mode uses MCS (modulation & coding scheme) instead of rates like 11a/b/g.
This means we'll have to take the current mode into account and decide whether
to use a rate or an MCS for transmission. Receiving frames on legacy rates
will still work in 11n mode. We just won't be using legacy rates to send
data frames to an STA or AP we negotiated 11n features with.

My initial plan was to grow the ieee80211_rateset structure and treat MCS
just like rates. However, ieee80211_rateset corresponds to rates and xrates
elements in management frames and is copied directly into such elements
so its size cannot change. Thus, MCS stands on its own and corresponds to
elements in management frames related to 11n HT capabilities.

ok deraadt mpi phessler kettenis guenther


# 1.66 15-Nov-2015 stsp

Declare 802.11n mode and channel flags. Tweak 11n related fields in struct
ieee80211com and move them inside #ifndef IEEE80211_NO_HT without breaking
the build in rsu(4) for RAMDISK_CD.
Also declare 11n protection modes and MCS count.
ok deraadt mpi kettenis guenther


# 1.65 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


# 1.64 27-Sep-2015 stsp

Add ieee80211_channel_init(), factored out from ieee80211_ifattach().
Will be used by iwm(4) soon.
ok kettenis@


# 1.63 11-Sep-2015 stsp

Make room for media types of the future. Extend the ifmedia word to 64 bits.
This changes numbers of the SIOCSIFMEDIA and SIOCGIFMEDIA ioctls and
grows struct ifmediareq.

Old ifconfig and dhclient binaries can still assign addresses, however
the 'media' subcommand stops working. Recompiling ifconfig and dhclient
with new headers before a reboot should not be necessary unless in very
special circumstances where non-default media settings must be used to
get link and console access is not available.

There may be some MD fallout but that will be cleared up later.

ok deraadt miod
with help and suggestions from several sharks attending l2k15


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE OPENBSD_5_6_BASE OPENBSD_5_7_BASE OPENBSD_5_8_BASE
# 1.62 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE
# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.60 19-May-2009 damien

prevent injection of raw 802.11 control frames through bpf on drivers
that do not explicitly state this capability (using flag IEEE80211_C_RAWCTL).
also, perform all the sanity checks on injected raw 802.11 frames earlier
(in ieee80211_output instead of ieee80211_encap).

prevent kernel panics with many drivers when running aircrack-ng.
when/if all drivers are capable, we can remove this C_RAWCTL flag.


# 1.59 26-Mar-2009 damien

move #define IEEE80211_NO_HT under #ifdef SMALL_KERNEL instead
of defining it unconditionally.
although the HT code is not ready yet, making it compile on
GENERIC kernels will help catch regressions/bugs if any.


Revision tags: OPENBSD_4_5_BASE
# 1.58 08-Feb-2009 damien

initial 802.11 defragmentation bits.
the code will allow the concurrent reception of fragments of three
fragmented MSDUs or MMPDUs as required by the 802.11 standard.


# 1.57 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.56 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.55 13-Nov-2008 djm

use different TSCs when sending the two MIC failure report frames
to our AP as we enter TKIP countermeasures by caching the TSC of
the last frame to fail the MIC; prompted by and ok damien@


# 1.54 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.53 08-Sep-2008 jsg

define IEEE80211_STA_ONLY if SMALL_KERNEL is defined to shrink
the size of install media.

ok damien@ deraadt@


# 1.52 01-Sep-2008 damien

add ic_tid_noack bitmap to indicate a per-TID ACK policy (1=no ack,
0=normal ack). all bits are currently set to 0.
use this bitmap to set the ACK policy of the QoS control field of
outgoing QoS frames.


# 1.51 01-Sep-2008 damien

rework previously unused ieee80211_pwrsave() function, call it from
ieee80211_mgmt_output() and ieee80211_encap().
use new IEEE80211_C_APPMGT capability flag where appropriate.
rename ic_tim_mcast to ic_tim_mcast_pending.


# 1.50 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.49 29-Aug-2008 damien

garbage collect unused capabilities and configurations flags.
add two capabilities flags: IEEE80211_C_HT for HT STAs (802.11n)
and IEEE80211_C_APPMGT which indicates the capability for an AP
to buffer unicast and multicast traffic for STAs in PS mode.
all drivers claiming HostAP support should support that but the
truth is that none of them do.
most of them are still at the 802.11b-only era and do not update
dynamic parts of beacons or process frames from ic_pwrsaveq.


# 1.48 27-Aug-2008 damien

move definitions of channels attributes away from ieee80211.h such
that ieee80211.h contains only definitions that are part of the
802.11 standard and not constants used internally by net80211.
because channels attributes are exported to userland through the
radiotap BPF interface, add the definitions to ieee80211_radiotap.h
too (which must be kept in sync with what is used in net80211).
also, do not export combinations of channel attributes to userland
so that no one gets stupid ideas.


# 1.47 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.46 12-Aug-2008 damien

nuke unused fields.


# 1.45 12-Aug-2008 damien

add IEEE80211_F_MFPR config flags (management frame protection required)
and IEEE80211_C_MFP capability bit (driver supports MFP).


# 1.44 12-Aug-2008 damien

extend the ic_nw_keys[] array to 6 elements.
indices 0-3 will be used for group data keys while indices 4-5 will
be used for integrity group keys.
add a ic_rsngroupmgmtcipher field too.


# 1.43 12-Aug-2008 damien

Change the way we process EAPOL-Key frames.
Free the mbuf in the ieee80211_eapol_key_input() function.
Do not assume the frame is contiguous, call m_pullup2() if it is not.
We need the frame to be contiguous to process KDEs efficiently in
EAPOL-Key frames (just like we process IEs in management frames).
However, there are drivers like upgt(4) that use m_devget() in the
RX path. m_devget() can return fragmented mbuf chains.
Notice that we should do the same m_pullup2() for management frames.
This will be done later.
Remove the ic_recv_eapol callback.


Revision tags: OPENBSD_4_4_BASE
# 1.42 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.41 27-Jul-2008 damien

sanitize RX path a bit.
make sure drivers pass a contiguous header, check header length earlier.
fix checking of frames sequence number for frames containing an Address 4
field (required for future work).
fix processing of control frames (only pspoll for now).


# 1.40 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.39 21-Jul-2008 damien

instead of passing rx tstamp and rssi to the ieee80211_input function,
pass a pointer to an ieee80211_rxinfo structure containing those two
fields plus an extra flags field that indicates whether the frame was
decrypted by hardware or not.
required for a future fix.


# 1.38 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.37 17-Nov-2007 damien

make it clear in the code and in the man page that the rate2plcp and
plcp2rate functions use plcp codes in most-significant-bit-first format
(R4-R1).
some drivers like wpi(4) and iwn(4) want plcp codes in lsb-first format
so they can't use those functions.
also the IEEE standard uses R1-R4 notation so this can be a bit confusing
for those referring to it.

use u_int8_t for plcp code and rate instead of int.


# 1.36 14-Nov-2007 mglocker

Add ieee80211_rate2plcp() and ieee80211_plcp2rate() functions, which
convert the PLCP header signal field to a rate value and vice versa.

This implementation has been discussed with Damien and doesn't change
any existing net80211 structures.

ok damien@


# 1.35 03-Nov-2007 mglocker

Revert last commit which added ieee80211_rate2plcp() and
ieee80211_plcp2rate() because I've got a late feedback from Damien that
he dislikes the implementation method a lot.


# 1.34 01-Nov-2007 mglocker

Add ieee80211_rate2plcp() and ieee80211_plcp2rate() functions.

Help and OK reyk@


# 1.33 22-Aug-2007 damien

- add k_rxmic and k_txmic fields to struct ieee80211_key to store the
Tx/Rx MIC for TKIP.
- add two functions to map a PTK and a GTK to an IEEE 802.11 key and
use them in ieee80211_input.c instead of duplicating the same code.
properly set Tx/Rx MIC in the IEEE 802.11 key in the case of TKIP.
- add ic_psk to struct ieee80211com to store the pre-shared key.
- fix setting of the SECURE bit in outgoing EAPOL-Key frames.
- when receiving msg 2 of the 4-way handshake, deauthenticate the
station if the RSN IE does not match that of the (Re)Association
request.
- before parsing an RSN or WPA IE, check that there's enough room for
the version field (2 bytes) which is mandatory.
- various tweaks while i'm here.


Revision tags: OPENBSD_4_2_BASE
# 1.32 28-Jul-2007 damien

add callbacks that drivers must implement to install/reset keys.
add a 64-bit replay counter for sending EAPOL-Key request frames.
add a ic_recv_eapol callback to process EAPOL frames.
drivers can redefine this callback but net80211 will implement it.


# 1.31 24-Jul-2007 damien

add ic_globalcnt to struct ieee80211com:
in an RSNA, each STA must maintain a 256-bit global key counter that
must be initialized to a random value (see 8.5.7).


# 1.30 18-Jul-2007 damien

replace the ieee80211_wepkey structure with a more generic ieee80211_key
one that can be used with other ciphers than WEP.


# 1.29 05-Jul-2007 damien

split ieee80211_add_rsn() so that the code can be reused for
vendor-specific IE.


# 1.28 04-Jul-2007 damien

add RSN flags for ic_caps and ic_flags.


# 1.27 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.26 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.25 21-Jun-2007 damien

add (currently unused) code to parse RSN IEs.


# 1.24 21-Jun-2007 damien

add fields for EDCA.


# 1.23 17-Jun-2007 damien

Add a new capability flag IEEE80211_C_QOS indicating that the driver
supports QoS.
Add a new flag IEEE80211_F_QOS indicating whether QoS is enabled or not.
Add a callback to notify drivers that AC parameters have changed in
the QBSS. Drivers implementing QoS should define this callback and
update their EDCA settings accordingly.


# 1.22 16-Jun-2007 damien

constify


# 1.21 11-Jun-2007 damien

adds 802.11e EDCA tables for QAPs and non-AP QSTAs.
not used yet.

ok jsg@ deraadt@


# 1.20 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.19 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 19-Oct-2006 tom

s/Mhz/MHz/ in comments and printf() strings

ok jsg@


Revision tags: OPENBSD_4_0_BASE
# 1.16 27-Jun-2006 reyk

add the net80211 hostap options "nwflag hidenwid" for hidden SSID mode
and "nwflag nobridge" to prevent inter-station communications.
"hidenwid" will also work with wi(4) to replace the old -E 3 option of
wicontrol.

ok damien@ jmc@


# 1.15 24-Jun-2006 deraadt

ieee80211_cfgget() and ieee80211_cfgset() are dead; ok jsg


# 1.14 23-Jun-2006 reyk

add an optional max_rssi attribute to the ieee80211com structure and
allow to export the RSSI Max value with ioctls and by radiotap
headers.

ok damien@ jsg@

description:

we currently use "dB" as an indication for the signal strength in
ifconfig and in the radiotap headers. it means "decibel difference
from an arbitrary, fixed reference". this is quite confusing, because
different chipsets have different references for the dB/rssi values.

we can use the plain RSSI which is described in IEEE 802.11: "The
receive signal strength indicator (RSSI) is an optional parameter that
has a value of 0 through RSSI Max.". all wireless chipsets have
something like a RSSI (normally as a Rx descriptor field), but the
value for RSSI Max is chipset-specific.

if we know the RSSI Max, we can calculate a percentage which is much
easier to understand for the user. we even don't have to use the
absolute RSSI Max, we can use an average RSSI Max, figured out by
monitoring and tuning the RSSI Max of the drivers. if the user gets a
signal of 110%, it would mean "better than the average Max signal".

there's no need to do any RSSI calculations in the kernel, it just
passes the relative rssi and max_rssi values to userspace. this is
done in the ieee80211_nodereq ioctl structure and possible with a new
radiotap header. the radiotap RSSI header allows to get a flexible but
common signal indicator instead of the complex and unrelated dB/dBm
signal fields. it must include two 8bit values current rssi and RSSI
max.


# 1.13 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.12 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.11 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.10 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.9 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.8 13-May-2005 jsg

do { } while (0) wrappers on debug printf macros. ok reyk@


# 1.7 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.6 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.5 15-Feb-2005 reyk

add the manual tx power option. this is supported by some prism2/2.5/3
cards in hostap mode but it depends on the firmware version. support
for other wireless chipsets will be added in the future using the
net80211-framework.

ok robert@ bob@ danh@, tested by some others


# 1.4 25-Dec-2004 deraadt

in real C, there is not , after the last enum entry; ok reyk


# 1.3 06-Dec-2004 dlg

add a flag that lets a wireless card indicate it can receive probe responses
or beacons on any channel during a scan.

ok damien@ "come on" deraadt@


# 1.2 02-Nov-2004 reyk

some changes merged in from netbsd. ieee80211_regdomain.# will be used
by sdr (software defined radios).

ok deraadt@ millert@ damien@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.103 29-Apr-2021 stsp

Make iwn, iwm, and iwx keep track of beacon parameters at run-time.

- HT protection settings (this was already implemented)
- ERP (11g) protection setting
- short slottime setting
- short preamble setting
- EDCA (QoS) parameters

All of these parameters are communicated in beacons and hardware is
now kept up-to-date with them.

Prompted by a problem report from Christian Ehrhardt regarding ERP.

Tested:
iwn 6205: stsp, Josh Grosse
iwm 7265: trondd
iwm 8265: stsp, Matthias Schmidt
iwm 9260: phessler
iwx ax200: stsp, jmc, gnezdo


Revision tags: OPENBSD_6_8_BASE OPENBSD_6_9_BASE
# 1.102 15-Jul-2020 cheloha

ieee80211: track micfail timeout with getuptime(9) instead of ticks

With input from stsp@.

ok stsp@


Revision tags: OPENBSD_6_7_BASE
# 1.101 09-Nov-2019 stsp

Give access points which fail to AUTH or ASSOC less priority during
the next selection of networks from the join list. Prevents endless
attempts to connect to an AP which is out of reach but still somehow
manages to get a beacon or two across to us during scan.

Tested with wifi networks at the University of Bucharest.
Makes switching wifi networks possible after walking to a different
room without having to down/up the interface or suspend/resume.

ok phessler@


# 1.100 09-Nov-2019 stsp

Trigger a background scan when root runs the 'ifconfig scan' command.
This will update the list of cached APs for future invocations of the
'scan' command, and will force a search for a better AP to roam to.
ok sthen@ phessler@


# 1.99 06-Nov-2019 stsp

Raise net80211's "beacon miss" threshold to avoid frequent re-connects
to APs that are relatively far away and suffer some packet loss.

The former threshold was 7 beacons (about 700 ms).
This raises the threshold to 30 beacons (about 3 seconds).
Should still be good enough for detecting APs that have disappeared, and
makes wifi networks provided by the University of Bucharest more reliable
in the p2k19 hackroom.

While here, make 'ifconfig iwm0/iwn0 debug' print an obvious message when
we believe that the AP has disappeared.

Problem reported and fix tested by landry@ / pirofti@
ok mpi@ sthen@


# 1.98 31-Oct-2019 stsp

Make background scans less frequent if we keep choosing the same AP.

This helps a bit in situations where a single AP is used and background scans
are causing packet loss, as seen with Jesper Wellin's Broadcom-based AP and my
Android phone in hotspot mode. This is not a proper fix but our background scan
frequency against a single AP was much higher than needed anyway.

Tested by jan, job, benno, Tracey Emery, Jesper Wallin


Revision tags: OPENBSD_6_6_BASE
# 1.97 29-Jul-2019 stsp

Add support for 802.11n Tx aggregation to net80211 and the iwn(4) driver.

In particular, add Tx block ack session management to net80211, with
enough functionality to support Tx aggregation on devices which perform
A-MPDU subframe scheduling in firmware.
Make use of the iwn(4) firmware Tx scheduler to build A-MPDUs.

net80211's QoS support code is now enabled and used by Tx aggregation.

A-MSDU frames inside A-MPDUs have been tested and work in principle.
For now, this feature is disabled because unfair TCP connection sharing
was observed during testing, where bursts of TCP Ack frames for a single
tcpbench(1) connection arriving in A-MSDUs made other TCP connections stall.
Switch off support for A-MSDUs inside A-MPDUs on the Rx side as well.

Tested on iwn chipsets 1000, 4965, 5100, 5300, 2200, 6200, 6205, 6300
(committed version of tested diff has all debug printfs removed)
tests/ok benno kmos mlarkin kevlo


# 1.96 12-May-2019 stsp

Fix 'ifconfig nwflags'; These flags ended up overlapping with other flags
in ieee80211com's ic_flags because we haven't been paying attention to
them (they're not in the same place in the code and hence easy to miss).
Move them to a dedicated variable to avoid this problem in the future.

Add a new 'stayauth' nwflag which can be set to let net80211 ignore
deauth frames. This can be useful when deauth frames are being
persistently spoofed by an attacker. Idea from beck@

ok beck@ phessler@


Revision tags: OPENBSD_6_5_BASE
# 1.95 01-Mar-2019 stsp

Improve handling of HT protection for 'mode 11n' hostap.

Consider the mere presence of HTCAP IEs as indicator of 11n support,
rather than checking advertised Rx MCS. Fixes some devices being
misclassified as 11a/g, causing HT protection to be enabled even
though it is not needed.

Use CTS-to-self frames for HT protection instead of RTS/CTS.

These changes make my athn(4) AR9280 hostap perform much better.

ok phessler@


# 1.94 19-Feb-2019 stsp

Make ifconfig(8) display whether bwfm(4) firmware is using 802.11ac.
ok patrick@ mpi@


# 1.93 18-Jan-2019 phessler

add a len field when we delete an essid from the joinlist. this will have
us properly match, instead of hoping we got lucky when selecting it.

OK stsp@


# 1.92 27-Oct-2018 phessler

pass around the ess and ni structures we plan to use directly, instead
of rediscovering them (possibly badly).

OK stsp@


Revision tags: OPENBSD_6_4_BASE
# 1.91 11-Sep-2018 krw

Nuke unused LIST() ieee80211com_head.

ok stsp@


# 1.90 10-Sep-2018 phessler

give set_ess a len variable, so we can correctly match the essid we want
to switch to.

pointed out by stsp@


# 1.89 09-Sep-2018 phessler

convert the things we save in 'join' into a single ioctl. mixing related
settings over multiple calls was risky and racy. Pass essid, wpa, and wep
parameters in a single ioctl and process it atomically.

no change for 'nwid' users

OK stsp@ benno@


# 1.88 01-Sep-2018 stsp

Make 'ifconfig nwid' override 'ifconfig join'.

There was no way to override a decision made by join's network
selection algorithm (apart from disabling the feature by clearing
the join list). Automatic selection is based on heuristics which
cannot always guess correctly so we need to provide an override.

One specific problem was that if 'nwid foo' and 'nwid bar' were
both visible in the scan and only 'nwid foo' was a member of the
join list, then there was no way at all to connect to 'nwid bar'.
The wireless stack would keep selecting 'nwid foo' instead.

'ifconfig iwm0 nwid bar' command will now disable automatic
network selection and force the use of ESSID 'bar'.
Any of these commands will re-enable automatic network selection:
ifconfig iwm0 -nwid
ifconfig iwm0 nwid ''
ifconfig iwm0 join some-network-id

ok phessler@ deraadt@


# 1.87 06-Aug-2018 stsp

Refactor ieee80211_add_ess():

Drop ieee80211_add_ess's nwid parameter. Read nwid and length directly
from the ic to make it more obvious where this function is reading from.

nwids are binary data with an explicit length, so treat them as such
instead of treating them like strings.

ok florian phessler


# 1.86 11-Jul-2018 phessler

Introduce 'auto-join' to the wifi 802.11 stack.

This allows a system to remember which ESSIDs it wants to connect to, any
relevant security configuration, and switch to it when the network we are
currently connected to is no longer available.

Works when connecting and switching between WPA2/WPA1/WEP/clear encryptions.

example hostname.if:
join home wpakey password
join work wpakey mekmitasdigoat
join open-lounge
join cafe wpakey cafe2018
join "wepnetwork" nwkey "12345"
dhcp
inet6 autoconf
up

OK stsp@ reyk@
and enthusiasm from every hackroom I've been in for the last 3 years


# 1.85 26-Apr-2018 pirofti

net80211: stub SIOCS80211SCAN, make ifconfig scan instant.

The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stps@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.

The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.

In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.

The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...

Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.

Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).

Tested by mpi@, landry@, florian@, thanks!
OK mpi@.


Revision tags: OPENBSD_6_3_BASE
# 1.84 05-Feb-2018 stsp

Add a new function hook to struct ieee80211com which wireless drivers
can use to process, and then acknowledge or reject, incoming AUTH
requests in hostap mode.

net80211 accepts an AUTH request from any STA which fits into the node
cache. This behaviour doesn't work for devices which have a lower limit
on concurrent STAs they can serve, so such drivers need an override.

This will be used by our athn(4) USB driver soon.

ok kevlo@


# 1.83 12-Dec-2017 stsp

Make IEEE80211_CHAN_ANYC be a NULL pointer instead of a pointer to 0xffff.
Should speed up debugging.
ok phessler patrick


# 1.82 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


# 1.81 06-Nov-2017 phessler

move a function declaration, so the whole net80211 stack can disable wep or wpa

OK stsp@


# 1.80 29-Oct-2017 mpi

Kill unused members using forward declaration only types.

Found with ctfconv(1). ok jsg@, guenther@


Revision tags: OPENBSD_6_2_BASE
# 1.79 31-May-2017 stsp

The net80211 stack was providing a 'beacon miss timeout' value (in ms)
which specified how much time may elapse without beacons before drivers
begin searching for a new AP.

Drivers convert this timeout value into the amount of beacons they're allowed
to miss. Having the stack provide this number upfront simplifies things.

ok mpi@


# 1.78 30-May-2017 stsp

Introduce ieee80211_min_basic_rate() and ieee80211_max_basic_rate().

These helpers can be used by drivers to improve compatibility with APs
that disable some mandatory PHY rates in the basic rate set.

For instance, many of our drivers hard-code 11b rates on 2 GHz and run
into problems when APs disable them. Since 11b rates are being disabled
by default by some vendors, hardcoding them is not a good idea anymore.

ok mpi@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.77 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.76 30-Jan-2017 stsp

Enable ieee80211_edca_table, which was under #if 0. This table can be used
by drivers to pass default EDCA parameters to firmware instead of passing
local hardcoded values.
ok millert@


# 1.75 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.74 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.73 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@


Revision tags: OPENBSD_6_0_BASE
# 1.72 21-May-2016 stsp

Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.71 25-Jan-2016 stsp

Keep track of HT protection settings in beacons and have 11n-capable
drivers update hardware configuration accordingly.
tested by myself, tb@, deraadt@, abieber@
ok mpi@


# 1.70 12-Jan-2016 stsp

Remove wireless turbo mode support. It is a non-standard extension
which only worked with ath(4) devices from a decade ago.
Diff tested on ath(4) hardware by me to verify that 11a/b modes still work.
ok reyk deraadt chris sthen kettenis


# 1.69 06-Jan-2016 stsp

Initialize the A-MPDU parameters field in HT capability elements.
ok kettenis@


# 1.68 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.67 15-Nov-2015 stsp

Expose 11n mode to the ifmedia layer and introduce the concept of MCS.
Make sure 11n features are enabled only if media type is autoselect or 11n.

11n mode uses MCS (modulation & coding scheme) instead of rates like 11a/b/g.
This means we'll have to take the current mode into account and decide whether
to use a rate or an MCS for transmission. Receiving frames on legacy rates
will still work in 11n mode. We just won't be using legacy rates to send
data frames to an STA or AP we negotiated 11n features with.

My initial plan was to grow the ieee80211_rateset structure and treat MCS
just like rates. However, ieee80211_rateset corresponds to rates and xrates
elements in management frames and is copied directly into such elements
so its size cannot change. Thus, MCS stands on its own and corresponds to
elements in management frames related to 11n HT capabilities.

ok deraadt mpi phessler kettenis guenther


# 1.66 15-Nov-2015 stsp

Declare 802.11n mode and channel flags. Tweak 11n related fields in struct
ieee80211com and move them inside #ifndef IEEE80211_NO_HT without breaking
the build in rsu(4) for RAMDISK_CD.
Also declare 11n protection modes and MCS count.
ok deraadt mpi kettenis guenther


# 1.65 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


# 1.64 27-Sep-2015 stsp

Add ieee80211_channel_init(), factored out from ieee80211_ifattach().
Will be used by iwm(4) soon.
ok kettenis@


# 1.63 11-Sep-2015 stsp

Make room for media types of the future. Extend the ifmedia word to 64 bits.
This changes numbers of the SIOCSIFMEDIA and SIOCGIFMEDIA ioctls and
grows struct ifmediareq.

Old ifconfig and dhclient binaries can still assign addresses, however
the 'media' subcommand stops working. Recompiling ifconfig and dhclient
with new headers before a reboot should not be necessary unless in very
special circumstances where non-default media settings must be used to
get link and console access is not available.

There may be some MD fallout but that will be cleared up later.

ok deraadt miod
with help and suggestions from several sharks attending l2k15


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE OPENBSD_5_6_BASE OPENBSD_5_7_BASE OPENBSD_5_8_BASE
# 1.62 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE
# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.60 19-May-2009 damien

prevent injection of raw 802.11 control frames through bpf on drivers
that do not explicitly state this capability (using flag IEEE80211_C_RAWCTL).
also, perform all the sanity checks on injected raw 802.11 frames earlier
(in ieee80211_output instead of ieee80211_encap).

prevent kernel panics with many drivers when running aircrack-ng.
when/if all drivers are capable, we can remove this C_RAWCTL flag.


# 1.59 26-Mar-2009 damien

move #define IEEE80211_NO_HT under #ifdef SMALL_KERNEL instead
of defining it unconditionally.
although the HT code is not ready yet, making it compile on
GENERIC kernels will help catch regressions/bugs if any.


Revision tags: OPENBSD_4_5_BASE
# 1.58 08-Feb-2009 damien

initial 802.11 defragmentation bits.
the code will allow the concurrent reception of fragments of three
fragmented MSDUs or MMPDUs as required by the 802.11 standard.


# 1.57 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.56 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.55 13-Nov-2008 djm

use different TSCs when sending the two MIC failure report frames
to our AP as we enter TKIP countermeasures by caching the TSC of
the last frame to fail the MIC; prompted by and ok damien@


# 1.54 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.53 08-Sep-2008 jsg

define IEEE80211_STA_ONLY if SMALL_KERNEL is defined to shrink
the size of install media.

ok damien@ deraadt@


# 1.52 01-Sep-2008 damien

add ic_tid_noack bitmap to indicate a per-TID ACK policy (1=no ack,
0=normal ack). all bits are currently set to 0.
use this bitmap to set the ACK policy of the QoS control field of
outgoing QoS frames.


# 1.51 01-Sep-2008 damien

rework previously unused ieee80211_pwrsave() function, call it from
ieee80211_mgmt_output() and ieee80211_encap().
use new IEEE80211_C_APPMGT capability flag where appropriate.
rename ic_tim_mcast to ic_tim_mcast_pending.


# 1.50 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.49 29-Aug-2008 damien

garbage collect unused capabilities and configurations flags.
add two capabilities flags: IEEE80211_C_HT for HT STAs (802.11n)
and IEEE80211_C_APPMGT which indicates the capability for an AP
to buffer unicast and multicast traffic for STAs in PS mode.
all drivers claiming HostAP support should support that but the
truth is that none of them do.
most of them are still at the 802.11b-only era and do not update
dynamic parts of beacons or process frames from ic_pwrsaveq.


# 1.48 27-Aug-2008 damien

move definitions of channels attributes away from ieee80211.h such
that ieee80211.h contains only definitions that are part of the
802.11 standard and not constants used internally by net80211.
because channels attributes are exported to userland through the
radiotap BPF interface, add the definitions to ieee80211_radiotap.h
too (which must be kept in sync with what is used in net80211).
also, do not export combinations of channel attributes to userland
so that no one gets stupid ideas.


# 1.47 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.46 12-Aug-2008 damien

nuke unused fields.


# 1.45 12-Aug-2008 damien

add IEEE80211_F_MFPR config flags (management frame protection required)
and IEEE80211_C_MFP capability bit (driver supports MFP).


# 1.44 12-Aug-2008 damien

extend the ic_nw_keys[] array to 6 elements.
indices 0-3 will be used for group data keys while indices 4-5 will
be used for integrity group keys.
add a ic_rsngroupmgmtcipher field too.


# 1.43 12-Aug-2008 damien

Change the way we process EAPOL-Key frames.
Free the mbuf in the ieee80211_eapol_key_input() function.
Do not assume the frame is contiguous, call m_pullup2() if it is not.
We need the frame to be contiguous to process KDEs efficiently in
EAPOL-Key frames (just like we process IEs in management frames).
However, there are drivers like upgt(4) that use m_devget() in the
RX path. m_devget() can return fragmented mbuf chains.
Notice that we should do the same m_pullup2() for management frames.
This will be done later.
Remove the ic_recv_eapol callback.


Revision tags: OPENBSD_4_4_BASE
# 1.42 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.41 27-Jul-2008 damien

sanitize RX path a bit.
make sure drivers pass a contiguous header, check header length earlier.
fix checking of frames sequence number for frames containing an Address 4
field (required for future work).
fix processing of control frames (only pspoll for now).


# 1.40 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.39 21-Jul-2008 damien

instead of passing rx tstamp and rssi to the ieee80211_input function,
pass a pointer to an ieee80211_rxinfo structure containing those two
fields plus an extra flags field that indicates whether the frame was
decrypted by hardware or not.
required for a future fix.


# 1.38 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.37 17-Nov-2007 damien

make it clear in the code and in the man page that the rate2plcp and
plcp2rate functions use plcp codes in most-significant-bit-first format
(R4-R1).
some drivers like wpi(4) and iwn(4) want plcp codes in lsb-first format
so they can't use those functions.
also the IEEE standard uses R1-R4 notation so this can be a bit confusing
for those referring to it.

use u_int8_t for plcp code and rate instead of int.


# 1.36 14-Nov-2007 mglocker

Add ieee80211_rate2plcp() and ieee80211_plcp2rate() functions, which
convert the PLCP header signal field to a rate value and vice versa.

This implementation has been discussed with Damien and doesn't change
any existing net80211 structures.

ok damien@


# 1.35 03-Nov-2007 mglocker

Revert last commit which added ieee80211_rate2plcp() and
ieee80211_plcp2rate() because I've got a late feedback from Damien that
he dislikes the implementation method a lot.


# 1.34 01-Nov-2007 mglocker

Add ieee80211_rate2plcp() and ieee80211_plcp2rate() functions.

Help and OK reyk@


# 1.33 22-Aug-2007 damien

- add k_rxmic and k_txmic fields to struct ieee80211_key to store the
Tx/Rx MIC for TKIP.
- add two functions to map a PTK and a GTK to an IEEE 802.11 key and
use them in ieee80211_input.c instead of duplicating the same code.
properly set Tx/Rx MIC in the IEEE 802.11 key in the case of TKIP.
- add ic_psk to struct ieee80211com to store the pre-shared key.
- fix setting of the SECURE bit in outgoing EAPOL-Key frames.
- when receiving msg 2 of the 4-way handshake, deauthenticate the
station if the RSN IE does not match that of the (Re)Association
request.
- before parsing an RSN or WPA IE, check that there's enough room for
the version field (2 bytes) which is mandatory.
- various tweaks while i'm here.


Revision tags: OPENBSD_4_2_BASE
# 1.32 28-Jul-2007 damien

add callbacks that drivers must implement to install/reset keys.
add a 64-bit replay counter for sending EAPOL-Key request frames.
add a ic_recv_eapol callback to process EAPOL frames.
drivers can redefine this callback but net80211 will implement it.


# 1.31 24-Jul-2007 damien

add ic_globalcnt to struct ieee80211com:
in an RSNA, each STA must maintain a 256-bit global key counter that
must be initialized to a random value (see 8.5.7).


# 1.30 18-Jul-2007 damien

replace the ieee80211_wepkey structure with a more generic ieee80211_key
one that can be used with other ciphers than WEP.


# 1.29 05-Jul-2007 damien

split ieee80211_add_rsn() so that the code can be reused for
vendor-specific IE.


# 1.28 04-Jul-2007 damien

add RSN flags for ic_caps and ic_flags.


# 1.27 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.26 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.25 21-Jun-2007 damien

add (currently unused) code to parse RSN IEs.


# 1.24 21-Jun-2007 damien

add fields for EDCA.


# 1.23 17-Jun-2007 damien

Add a new capability flag IEEE80211_C_QOS indicating that the driver
supports QoS.
Add a new flag IEEE80211_F_QOS indicating whether QoS is enabled or not.
Add a callback to notify drivers that AC parameters have changed in
the QBSS. Drivers implementing QoS should define this callback and
update their EDCA settings accordingly.


# 1.22 16-Jun-2007 damien

constify


# 1.21 11-Jun-2007 damien

adds 802.11e EDCA tables for QAPs and non-AP QSTAs.
not used yet.

ok jsg@ deraadt@


# 1.20 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.19 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 19-Oct-2006 tom

s/Mhz/MHz/ in comments and printf() strings

ok jsg@


Revision tags: OPENBSD_4_0_BASE
# 1.16 27-Jun-2006 reyk

add the net80211 hostap options "nwflag hidenwid" for hidden SSID mode
and "nwflag nobridge" to prevent inter-station communications.
"hidenwid" will also work with wi(4) to replace the old -E 3 option of
wicontrol.

ok damien@ jmc@


# 1.15 24-Jun-2006 deraadt

ieee80211_cfgget() and ieee80211_cfgset() are dead; ok jsg


# 1.14 23-Jun-2006 reyk

add an optional max_rssi attribute to the ieee80211com structure and
allow to export the RSSI Max value with ioctls and by radiotap
headers.

ok damien@ jsg@

description:

we currently use "dB" as an indication for the signal strength in
ifconfig and in the radiotap headers. it means "decibel difference
from an arbitrary, fixed reference". this is quite confusing, because
different chipsets have different references for the dB/rssi values.

we can use the plain RSSI which is described in IEEE 802.11: "The
receive signal strength indicator (RSSI) is an optional parameter that
has a value of 0 through RSSI Max.". all wireless chipsets have
something like a RSSI (normally as a Rx descriptor field), but the
value for RSSI Max is chipset-specific.

if we know the RSSI Max, we can calculate a percentage which is much
easier to understand for the user. we even don't have to use the
absolute RSSI Max, we can use an average RSSI Max, figured out by
monitoring and tuning the RSSI Max of the drivers. if the user gets a
signal of 110%, it would mean "better than the average Max signal".

there's no need to do any RSSI calculations in the kernel, it just
passes the relative rssi and max_rssi values to userspace. this is
done in the ieee80211_nodereq ioctl structure and possible with a new
radiotap header. the radiotap RSSI header allows to get a flexible but
common signal indicator instead of the complex and unrelated dB/dBm
signal fields. it must include two 8bit values current rssi and RSSI
max.


# 1.13 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.12 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.11 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.10 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.9 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.8 13-May-2005 jsg

do { } while (0) wrappers on debug printf macros. ok reyk@


# 1.7 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.6 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.5 15-Feb-2005 reyk

add the manual tx power option. this is supported by some prism2/2.5/3
cards in hostap mode but it depends on the firmware version. support
for other wireless chipsets will be added in the future using the
net80211-framework.

ok robert@ bob@ danh@, tested by some others


# 1.4 25-Dec-2004 deraadt

in real C, there is no , after the last enum entry; ok reyk


# 1.3 06-Dec-2004 dlg

add a flag that lets a wireless card indicate it can receive probe responses
or beacons on any channel during a scan.

ok damien@ "come on" deraadt@


# 1.2 02-Nov-2004 reyk

some changes merged in from netbsd. ieee80211_regdomain.# will be used
by sdr (software defined radios).

ok deraadt@ millert@ damien@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.102 15-Jul-2020 cheloha

ieee80211: track micfail timeout with getuptime(9) instead of ticks

With input from stsp@.

ok stsp@


Revision tags: OPENBSD_6_7_BASE
# 1.101 09-Nov-2019 stsp

Give access points which fail to AUTH or ASSOC less priority during
the next selection of networks from the join list. Prevents endless
attempts to connect to an AP which is out of reach but still somehow
manages to get a beacon or two across to us during scan.

Tested with wifi networks at the University of Bucharest.
Makes switching wifi networks possible after walking to a different
room without having to down/up the interface or suspend/resume.

ok phessler@


# 1.100 09-Nov-2019 stsp

Trigger a background scan when root runs the 'ifconfig scan' command.
This will update the list of cached APs for future invocations of the
'scan' command, and will force a search for a better AP to roam to.
ok sthen@ phessler@


# 1.99 06-Nov-2019 stsp

Raise net80211's "beacon miss" threshold to avoid frequent re-connects
to APs that are relatively far away and suffer some packet loss.

The former threshold was 7 beacons (about 700 ms).
This raises the threshold to 30 beacons (about 3 seconds).
Should still be good enough for detecting APs that have disappeared, and
makes wifi networks provided by the University of Bucharest more reliable
in the p2k19 hackroom.

While here, make 'ifconfig iwm0/iwn0 debug' print an obvious message when
we believe that the AP has disappeared.

Problem reported and fix tested by landry@ / pirofti@
ok mpi@ sthen@


# 1.98 31-Oct-2019 stsp

Make background scans less frequent if we keep choosing the same AP.

This helps a bit in situations where a single AP is used and background scans
are causing packet loss, as seen with Jesper Wallin's Broadcom-based AP and my
Android phone in hotspot mode. This is not a proper fix but our background scan
frequency against a single AP was much higher than needed anyway.

Tested by jan, job, benno, Tracey Emery, Jesper Wallin


Revision tags: OPENBSD_6_6_BASE
# 1.97 29-Jul-2019 stsp

Add support for 802.11n Tx aggregation to net80211 and the iwn(4) driver.

In particular, add Tx block ack session management to net80211, with
enough functionality to support Tx aggregation on devices which perform
A-MPDU subframe scheduling in firmware.
Make use of the iwn(4) firmware Tx scheduler to build A-MPDUs.

net80211's QoS support code is now enabled and used by Tx aggregation.

A-MSDU frames inside A-MPDUs have been tested and work in principle.
For now, this feature is disabled because unfair TCP connection sharing
was observed during testing, where bursts of TCP Ack frames for a single
tcpbench(1) connection arriving in A-MSDUs made other TCP connections stall.
Switch off support for A-MSDUs inside A-MPDUs on the Rx side as well.

Tested on iwn chipsets 1000, 4965, 5100, 5300, 2200, 6200, 6205, 6300
(committed version of tested diff has all debug printfs removed)
tests/ok benno kmos mlarkin kevlo


# 1.96 12-May-2019 stsp

Fix 'ifconfig nwflags'; These flags ended up overlapping with other flags
in ieee80211com's ic_flags because we haven't been paying attention to
them (they're not in the same place in the code and hence easy to miss).
Move them to a dedicated variable to avoid this problem in the future.

Add a new 'stayauth' nwflag which can be set to let net80211 ignore
deauth frames. This can be useful when deauth frames are being
persistently spoofed by an attacker. Idea from beck@

ok beck@ phessler@


Revision tags: OPENBSD_6_5_BASE
# 1.95 01-Mar-2019 stsp

Improve handling of HT protection for 'mode 11n' hostap.

Consider the mere presence of HTCAP IEs as indicator of 11n support,
rather than checking advertised Rx MCS. Fixes some devices being
misclassified as 11a/g, causing HT protection to be enabled even
though it is not needed.

Use CTS-to-self frames for HT protection instead of RTS/CTS.

These changes make my athn(4) AR9280 hostap perform much better.

ok phessler@


# 1.94 19-Feb-2019 stsp

Make ifconfig(8) display whether bwfm(4) firmware is using 802.11ac.
ok patrick@ mpi@


# 1.93 18-Jan-2019 phessler

add a len field when we delete an essid from the joinlist. this will have
us properly match, instead of hoping we got lucky when selecting it.

OK stsp@


# 1.92 27-Oct-2018 phessler

pass around the ess and ni structures we plan to use directly, instead
of rediscovering them (possibly badly).

OK stsp@


Revision tags: OPENBSD_6_4_BASE
# 1.91 11-Sep-2018 krw

Nuke unused LIST() ieee80211com_head.

ok stsp@


# 1.90 10-Sep-2018 phessler

give set_ess a len variable, so we can correctly match the essid we want
to switch to.

pointed out by stsp@


# 1.89 09-Sep-2018 phessler

convert the things we save in 'join' into a single ioctl. mixing related
settings over multiple calls was risky and racy. Pass essid, wpa, and wep
parameters in a single ioctl and process it atomically.

no change for 'nwid' users

OK stsp@ benno@


# 1.88 01-Sep-2018 stsp

Make 'ifconfig nwid' override 'ifconfig join'.

There was no way to override a decision made by join's network
selection algorithm (apart from disabling the feature by clearing
the join list). Automatic selection is based on heuristics which
cannot always guess correctly so we need to provide an override.

One specific problem was that if 'nwid foo' and 'nwid bar' were
both visible in the scan and only 'nwid foo' was a member of the
join list, then there was no way at all to connect to 'nwid bar'.
The wireless stack would keep selecting 'nwid foo' instead.

'ifconfig iwm0 nwid bar' command will now disable automatic
network selection and force the use of ESSID 'bar'.
Any of these commands will re-enable automatic network selection:
    ifconfig iwm0 -nwid
    ifconfig iwm0 nwid ''
    ifconfig iwm0 join some-network-id

ok phessler@ deraadt@


# 1.87 06-Aug-2018 stsp

Refactor ieee80211_add_ess():

Drop ieee80211_add_ess's nwid parameter. Read nwid and length directly
from the ic to make it more obvious where this function is reading from.

nwids are binary data with an explicit length, so treat them as such
instead of treating them like strings.

ok florian phessler


# 1.86 11-Jul-2018 phessler

Introduce 'auto-join' to the wifi 802.11 stack.

This allows a system to remember which ESSIDs it wants to connect to, any
relevant security configuration, and switch to it when the network we are
currently connected to is no longer available.

Works when connecting and switching between WPA2/WPA1/WEP/clear encryptions.

example hostname.if:
    join home wpakey password
    join work wpakey mekmitasdigoat
    join open-lounge
    join cafe wpakey cafe2018
    join "wepnetwork" nwkey "12345"
    dhcp
    inet6 autoconf
    up

OK stsp@ reyk@
and enthusiasm from every hackroom I've been in for the last 3 years


# 1.85 26-Apr-2018 pirofti

net80211: stub SIOCS80211SCAN, make ifconfig scan instant.

The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stsp@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.

The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.

In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.

The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...

Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.

Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).

Tested by mpi@, landry@, florian@, thanks!
OK mpi@.


Revision tags: OPENBSD_6_3_BASE
# 1.84 05-Feb-2018 stsp

Add a new function hook to struct ieee80211com which wireless drivers
can use to process, and then acknowledge or reject, incoming AUTH
requests in hostap mode.

net80211 accepts an AUTH request from any STA which fits into the node
cache. This behaviour doesn't work for devices which have a lower limit
on concurrent STAs they can serve, so such drivers need an override.

This will be used by our athn(4) USB driver soon.

ok kevlo@


# 1.83 12-Dec-2017 stsp

Make IEEE80211_CHAN_ANYC be a NULL pointer instead of a pointer to 0xffff.
Should speed up debugging.
ok phessler patrick


# 1.82 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


# 1.81 06-Nov-2017 phessler

move a function declaration, so the whole net80211 stack can disable wep or wpa

OK stsp@


# 1.80 29-Oct-2017 mpi

Kill unused members using forward declaration only types.

Found with ctfconv(1). ok jsg@, guenther@


Revision tags: OPENBSD_6_2_BASE
# 1.79 31-May-2017 stsp

The net80211 stack was providing a 'beacon miss timeout' value (in ms)
which specified how much time may elapse without beacons before drivers
begin searching for a new AP.

Drivers convert this timeout value into the amount of beacons they're allowed
to miss. Having the stack provide this number upfront simplifies things.

ok mpi@


# 1.78 30-May-2017 stsp

Introduce ieee80211_min_basic_rate() and ieee80211_max_basic_rate().

These helpers can be used by drivers to improve compatibility with APs
that disable some mandatory PHY rates in the basic rate set.

For instance, many of our drivers hard-code 11b rates on 2 GHz and run
into problems when APs disable them. Since 11b rates are being disabled
by default by some vendors, hardcoding them is not a good idea anymore.

ok mpi@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.77 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.76 30-Jan-2017 stsp

Enable ieee80211_edca_table, which was under #if 0. This table can be used
by drivers to pass default EDCA parameters to firmware instead of passing
local hardcoded values.
ok millert@


# 1.75 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.74 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.73 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@


Revision tags: OPENBSD_6_0_BASE
# 1.72 21-May-2016 stsp

Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.71 25-Jan-2016 stsp

Keep track of HT protection settings in beacons and have 11n-capable
drivers update hardware configuration accordingly.
tested by myself, tb@, deraadt@, abieber@
ok mpi@


# 1.70 12-Jan-2016 stsp

Remove wireless turbo mode support. It is a non-standard extension
which only worked with ath(4) devices from a decade ago.
Diff tested on ath(4) hardware by me to verify that 11a/b modes still work.
ok reyk deraadt chris sthen kettenis


# 1.69 06-Jan-2016 stsp

Initialize the A-MPDU parameters field in HT capability elements.
ok kettenis@


# 1.68 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.67 15-Nov-2015 stsp

Expose 11n mode to the ifmedia layer and introduce the concept of MCS.
Make sure 11n features are enabled only if media type is autoselect or 11n.

11n mode uses MCS (modulation & coding scheme) instead of rates like 11a/b/g.
This means we'll have to take the current mode into account and decide whether
to use a rate or an MCS for transmission. Receiving frames on legacy rates
will still work in 11n mode. We just won't be using legacy rates to send
data frames to an STA or AP we negotiated 11n features with.

My initial plan was to grow the ieee80211_rateset structure and treat MCS
just like rates. However, ieee80211_rateset corresponds to rates and xrates
elements in management frames and is copied directly into such elements
so its size cannot change. Thus, MCS stands on its own and corresponds to
elements in management frames related to 11n HT capabilities.

ok deraadt mpi phessler kettenis guenther


# 1.66 15-Nov-2015 stsp

Declare 802.11n mode and channel flags. Tweak 11n related fields in struct
ieee80211com and move them inside #ifndef IEEE80211_NO_HT without breaking
the build in rsu(4) for RAMDISK_CD.
Also declare 11n protection modes and MCS count.
ok deraadt mpi kettenis guenther


# 1.65 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


# 1.64 27-Sep-2015 stsp

Add ieee80211_channel_init(), factored out from ieee80211_ifattach().
Will be used by iwm(4) soon.
ok kettenis@


# 1.63 11-Sep-2015 stsp

Make room for media types of the future. Extend the ifmedia word to 64 bits.
This changes numbers of the SIOCSIFMEDIA and SIOCGIFMEDIA ioctls and
grows struct ifmediareq.

Old ifconfig and dhclient binaries can still assign addresses, however
the 'media' subcommand stops working. Recompiling ifconfig and dhclient
with new headers before a reboot should not be necessary unless in very
special circumstances where non-default media settings must be used to
get link and console access is not available.

There may be some MD fallout but that will be cleared up later.

ok deraadt miod
with help and suggestions from several sharks attending l2k15


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE OPENBSD_5_6_BASE OPENBSD_5_7_BASE OPENBSD_5_8_BASE
# 1.62 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE
# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.60 19-May-2009 damien

prevent injection of raw 802.11 control frames through bpf on drivers
that do not explicitly state this capability (using flag IEEE80211_C_RAWCTL).
also, perform all the sanity checks on injected raw 802.11 frames earlier
(in ieee80211_output instead of ieee80211_encap).

prevent kernel panics with many drivers when running aircrack-ng.
when/if all drivers are capable, we can remove this C_RAWCTL flag.


# 1.59 26-Mar-2009 damien

move #define IEEE80211_NO_HT under #ifdef SMALL_KERNEL instead
of defining it unconditionally.
although the HT code is not ready yet, making it compile on
GENERIC kernels will help catch regressions/bugs if any.


Revision tags: OPENBSD_4_5_BASE
# 1.58 08-Feb-2009 damien

initial 802.11 defragmentation bits.
the code will allow the concurrent reception of fragments of three
fragmented MSDUs or MMPDUs as required by the 802.11 standard.


# 1.57 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.56 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.55 13-Nov-2008 djm

use different TSCs when sending the two MIC failure report frames
to our AP as we enter TKIP countermeasures by caching the TSC of
the last frame to fail the MIC; prompted by and ok damien@


# 1.54 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.53 08-Sep-2008 jsg

define IEEE80211_STA_ONLY if SMALL_KERNEL is defined to shrink
the size of install media.

ok damien@ deraadt@


# 1.52 01-Sep-2008 damien

add ic_tid_noack bitmap to indicate a per-TID ACK policy (1=no ack,
0=normal ack). all bits are currently set to 0.
use this bitmap to set the ACK policy of the QoS control field of
outgoing QoS frames.


# 1.51 01-Sep-2008 damien

rework previously unused ieee80211_pwrsave() function, call it from
ieee80211_mgmt_output() and ieee80211_encap().
use new IEEE80211_C_APPMGT capability flag where appropriate.
rename ic_tim_mcast to ic_tim_mcast_pending.


# 1.50 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.49 29-Aug-2008 damien

garbage collect unused capabilities and configurations flags.
add two capabilities flags: IEEE80211_C_HT for HT STAs (802.11n)
and IEEE80211_C_APPMGT which indicates the capability for an AP
to buffer unicast and multicast traffic for STAs in PS mode.
all drivers claiming HostAP support should support that but the
truth is that none of them do.
most of them are still at the 802.11b-only era and do not update
dynamic parts of beacons or process frames from ic_pwrsaveq.


# 1.48 27-Aug-2008 damien

move definitions of channels attributes away from ieee80211.h such
that ieee80211.h contains only definitions that are part of the
802.11 standard and not constants used internally by net80211.
because channels attributes are exported to userland through the
radiotap BPF interface, add the definitions to ieee80211_radiotap.h
too (which must be kept in sync with what is used in net80211).
also, do not export combinations of channel attributes to userland
so that no one gets stupid ideas.


# 1.47 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.46 12-Aug-2008 damien

nuke unused fields.


# 1.45 12-Aug-2008 damien

add IEEE80211_F_MFPR config flags (management frame protection required)
and IEEE80211_C_MFP capability bit (driver supports MFP).


# 1.44 12-Aug-2008 damien

extend the ic_nw_keys[] array to 6 elements.
indices 0-3 will be used for group data keys while indices 4-5 will
be used for integrity group keys.
add a ic_rsngroupmgmtcipher field too.


# 1.43 12-Aug-2008 damien

Change the way we process EAPOL-Key frames.
Free the mbuf in the ieee80211_eapol_key_input() function.
Do not assume the frame is contiguous, call m_pullup2() if it is not.
We need the frame to be contiguous to process KDEs efficiently in
EAPOL-Key frames (just like we process IEs in management frames).
However, there are drivers like upgt(4) that use m_devget() in the
RX path. m_devget() can return fragmented mbuf chains.
Notice that we should do the same m_pullup2() for management frames.
This will be done later.
Remove the ic_recv_eapol callback.


Revision tags: OPENBSD_4_4_BASE
# 1.42 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.41 27-Jul-2008 damien

sanitize RX path a bit.
make sure drivers pass a contiguous header, check header length earlier.
fix checking of frames sequence number for frames containing an Address 4
field (required for future work).
fix processing of control frames (only pspoll for now).


# 1.40 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.39 21-Jul-2008 damien

instead of passing rx tstamp and rssi to the ieee80211_input function,
pass a pointer to an ieee80211_rxinfo structure containing those two
fields plus an extra flags field that indicates whether the frame was
decrypted by hardware or not.
required for a future fix.


# 1.38 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.37 17-Nov-2007 damien

make it clear in the code and in the man page that the rate2plcp and
plcp2rate functions use plcp codes in most-significant-bit-first format
(R4-R1).
some drivers like wpi(4) and iwn(4) want plcp codes in lsb-first format
so they can't use those functions.
also the IEEE standard uses R1-R4 notation so this can be a bit confusing
for those referring to it.

use u_int8_t for plcp code and rate instead of int.


# 1.36 14-Nov-2007 mglocker

Add ieee80211_rate2plcp() and ieee80211_plcp2rate() functions, which
convert the PLCP header signal field to a rate value and vice versa.

This implementation has been discussed with Damien and doesn't change
any existing net80211 structures.

ok damien@


# 1.35 03-Nov-2007 mglocker

Revert last commit which added ieee80211_rate2plcp() and
ieee80211_plcp2rate() because I've got late feedback from Damien that
he dislikes the implementation method a lot.


# 1.34 01-Nov-2007 mglocker

Add ieee80211_rate2plcp() and ieee80211_plcp2rate() functions.

Help and OK reyk@


# 1.33 22-Aug-2007 damien

- add k_rxmic and k_txmic fields to struct ieee80211_key to store the
Tx/Rx MIC for TKIP.
- add two functions to map a PTK and a GTK to an IEEE 802.11 key and
use them in ieee80211_input.c instead of duplicating the same code.
properly set Tx/Rx MIC in the IEEE 802.11 key in the case of TKIP.
- add ic_psk to struct ieee80211com to store the pre-shared key.
- fix setting of the SECURE bit in outgoing EAPOL-Key frames.
- when receiving msg 2 of the 4-way handshake, deauthenticate the
station if the RSN IE does not match that of the (Re)Association
request.
- before parsing an RSN or WPA IE, check that there's enough room for
the version field (2 bytes) which is mandatory.
- various tweaks while i'm here.


Revision tags: OPENBSD_4_2_BASE
# 1.32 28-Jul-2007 damien

add callbacks that drivers must implement to install/reset keys.
add a 64-bit replay counter for sending EAPOL-Key request frames.
add a ic_recv_eapol callback to process EAPOL frames.
drivers can redefine this callback but net80211 will implement it.


# 1.31 24-Jul-2007 damien

add ic_globalcnt to struct ieee80211com:
in an RSNA, each STA must maintain a 256-bit global key counter that
must be initialized to a random value (see 8.5.7).


# 1.30 18-Jul-2007 damien

replace the ieee80211_wepkey structure with a more generic ieee80211_key
one that can be used with other ciphers than WEP.


# 1.29 05-Jul-2007 damien

split ieee80211_add_rsn() so that the code can be reused for
vendor-specific IE.


# 1.28 04-Jul-2007 damien

add RSN flags for ic_caps and ic_flags.


# 1.27 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.26 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.25 21-Jun-2007 damien

add (currently unused) code to parse RSN IEs.


# 1.24 21-Jun-2007 damien

add fields for EDCA.


# 1.23 17-Jun-2007 damien

Add a new capability flag IEEE80211_C_QOS indicating that the driver
supports QoS.
Add a new flag IEEE80211_F_QOS indicating whether QoS is enabled or not.
Add a callback to notify drivers that AC parameters have changed in
the QBSS. Drivers implementing QoS should define this callback and
update their EDCA settings accordingly.


# 1.22 16-Jun-2007 damien

constify


# 1.21 11-Jun-2007 damien

adds 802.11e EDCA tables for QAPs and non-AP QSTAs.
not used yet.

ok jsg@ deraadt@


# 1.20 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.19 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 19-Oct-2006 tom

s/Mhz/MHz/ in comments and printf() strings

ok jsg@


Revision tags: OPENBSD_4_0_BASE
# 1.16 27-Jun-2006 reyk

add the net80211 hostap options "nwflag hidenwid" for hidden SSID mode
and "nwflag nobridge" to prevent inter-station communications.
"hidenwid" will also work with wi(4) to replace the old -E 3 option of
wicontrol.

ok damien@ jmc@


# 1.15 24-Jun-2006 deraadt

ieee80211_cfgget() and ieee80211_cfgset() are dead; ok jsg


# 1.14 23-Jun-2006 reyk

add an optional max_rssi attribute to the ieee80211com structure and
allow to export the RSSI Max value with ioctls and by radiotap
headers.

ok damien@ jsg@

description:

we currently use "dB" as an indication for the signal strength in
ifconfig and in the radiotap headers. it means "decibel difference
from an arbitrary, fixed reference". this is quite confusing, because
different chipsets have different references for the dB/rssi values.

we can use the plain RSSI which is described in IEEE 802.11: "The
receive signal strength indicator (RSSI) is an optional parameter that
has a value of 0 through RSSI Max.". all wireless chipsets have
something like a RSSI (normally as a Rx descriptor field), but the
value for RSSI Max is chipset-specific.

if we know the RSSI Max, we can calculate a percentage which is much
easier to understand for the user. we even don't have to use the
absolute RSSI Max, we can use an average RSSI Max, figured out by
monitoring and tuning the RSSI Max of the drivers. if the user gets a
signal of 110%, it would mean "better than the average Max signal".

there's no need to do any RSSI calculations in the kernel, it just
passes the relative rssi and max_rssi values to userspace. this is
done in the ieee80211_nodereq ioctl structure and possible with a new
radiotap header. the radiotap RSSI header allows to get a flexible but
common signal indicator instead of the complex and unrelated dB/dBm
signal fields. it must include two 8bit values current rssi and RSSI
max.


# 1.13 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.12 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.11 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.10 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.9 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.8 13-May-2005 jsg

do { } while (0) wrappers on debug printf macros. ok reyk@


# 1.7 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.6 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.5 15-Feb-2005 reyk

add the manual tx power option. this is supported by some prism2/2.5/3
cards in hostap mode but it depends on the firmware version. support
for other wireless chipsets will be added in the future using the
net80211-framework.

ok robert@ bob@ danh@, tested by some others


# 1.4 25-Dec-2004 deraadt

in real C, there is no , after the last enum entry; ok reyk


# 1.3 06-Dec-2004 dlg

add a flag that lets a wireless card indicate it can receive probe responses
or beacons on any channel during a scan.

ok damien@ "come on" deraadt@


# 1.2 02-Nov-2004 reyk

some changes merged in from netbsd. ieee80211_regdomain.# will be used
by sdr (software defined radios).

ok deraadt@ millert@ damien@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.101 09-Nov-2019 stsp

Give access points which fail to AUTH or ASSOC less priority during
the next selection of networks from the join list. Prevents endless
attempts to connect to an AP which is out of reach but still somehow
manages to get a beacon or two across to us during scan.

Tested with wifi networks at the University of Bucharest.
Makes switching wifi networks possible after walking to a different
room without having to down/up the interface or suspend/resume.

ok phessler@


# 1.100 09-Nov-2019 stsp

Trigger a background scan when root runs the 'ifconfig scan' command.
This will update the list of cached APs for future invocations of the
'scan' command, and will force a search for a better AP to roam to.
ok sthen@ phessler@


# 1.99 06-Nov-2019 stsp

Raise net80211's "beacon miss" threshold to avoid frequent re-connects
to APs that are relatively far away and suffer some packet loss.

The former threshold was 7 beacons (about 700 ms).
This raises the threshold to 30 beacons (about 3 seconds).
Should still be good enough for detecting APs that have disappeared, and
makes wifi networks provided by the University of Bucharest more reliable
in the p2k19 hackroom.

While here, make 'ifconfig iwm0/iwn0 debug' print an obvious message when
we believe that the AP has disappeared.

Problem reported and fix tested by landry@ / pirofti@
ok mpi@ sthen@


# 1.98 31-Oct-2019 stsp

Make background scans less frequent if we keep choosing the same AP.

This helps a bit in situations where a single AP is used and background scans
are causing packet loss, as seen with Jesper Wallin's Broadcom-based AP and my
Android phone in hotspot mode. This is not a proper fix but our background scan
frequency against a single AP was much higher than needed anyway.

Tested by jan, job, benno, Tracey Emery, Jesper Wallin


Revision tags: OPENBSD_6_6_BASE
# 1.97 29-Jul-2019 stsp

Add support for 802.11n Tx aggregation to net80211 and the iwn(4) driver.

In particular, add Tx block ack session management to net80211, with
enough functionality to support Tx aggregation on devices which perform
A-MPDU subframe scheduling in firmware.
Make use of the iwn(4) firmware Tx scheduler to build A-MPDUs.

net80211's QoS support code is now enabled and used by Tx aggregation.

A-MSDU frames inside A-MPDUs have been tested and work in principle.
For now, this feature is disabled because unfair TCP connection sharing
was observed during testing, where bursts of TCP Ack frames for a single
tcpbench(1) connection arriving in A-MSDUs made other TCP connections stall.
Switch off support for A-MSDUs inside A-MPDUs on the Rx side as well.

Tested on iwn chipsets 1000, 4965, 5100, 5300, 2200, 6200, 6205, 6300
(committed version of tested diff has all debug printfs removed)
tests/ok benno kmos mlarkin kevlo


# 1.96 12-May-2019 stsp

Fix 'ifconfig nwflags'; These flags ended up overlapping with other flags
in ieee80211com's ic_flags because we haven't been paying attention to
them (they're not in the same place in the code and hence easy to miss).
Move them to a dedicated variable to avoid this problem in the future.

Add a new 'stayauth' nwflag which can be set to let net80211 ignore
deauth frames. This can be useful when deauth frames are being
persistently spoofed by an attacker. Idea from beck@

ok beck@ phessler@


Revision tags: OPENBSD_6_5_BASE
# 1.95 01-Mar-2019 stsp

Improve handling of HT protection for 'mode 11n' hostap.

Consider the mere presence of HTCAP IEs as indicator of 11n support,
rather than checking advertised Rx MCS. Fixes some devices being
misclassified as 11a/g, causing HT protection to be enabled even
though it is not needed.

Use CTS-to-self frames for HT protection instead of RTS/CTS.

These changes make my athn(4) AR9280 hostap perform much better.

ok phessler@


# 1.94 19-Feb-2019 stsp

Make ifconfig(8) display whether bwfm(4) firmware is using 802.11ac.
ok patrick@ mpi@


# 1.93 18-Jan-2019 phessler

add a len field when we delete an essid from the joinlist. this will have
us properly match, instead of hoping we got lucky when selecting it.

OK stsp@


# 1.92 27-Oct-2018 phessler

pass around the ess and ni structures we plan to use directly, instead
of rediscovering them (possibly badly).

OK stsp@


Revision tags: OPENBSD_6_4_BASE
# 1.91 11-Sep-2018 krw

Nuke unused LIST() ieee80211com_head.

ok stsp@


# 1.90 10-Sep-2018 phessler

give set_ess a len variable, so we can correctly match the essid we want
to switch to.

pointed out by stsp@


# 1.89 09-Sep-2018 phessler

convert the things we save in 'join' into a single ioctl. mixing related
settings over multiple calls was risky and racy. Pass essid, wpa, and wep
parameters in a single ioctl and process it atomically.

no change for 'nwid' users

OK stsp@ benno@


# 1.88 01-Sep-2018 stsp

Make 'ifconfig nwid' override 'ifconfig join'.

There was no way to override a decision made by join's network
selection algorithm (apart from disabling the feature by clearing
the join list). Automatic selection is based on heuristics which
cannot always guess correctly so we need to provide an override.

One specific problem was that if 'nwid foo' and 'nwid bar' were
both visible in the scan and only 'nwid foo' was a member of the
join list, then there was no way at all to connect to 'nwid bar'.
The wireless stack would keep selecting 'nwid foo' instead.

'ifconfig iwm0 nwid bar' command will now disable automatic
network selection and force the use of ESSID 'bar'.
Any of these commands will re-enable automatic network selection:
    ifconfig iwm0 -nwid
    ifconfig iwm0 nwid ''
    ifconfig iwm0 join some-network-id

ok phessler@ deraadt@


# 1.87 06-Aug-2018 stsp

Refactor ieee80211_add_ess():

Drop ieee80211_add_ess's nwid parameter. Read nwid and length directly
from the ic to make it more obvious where this function is reading from.

nwids are binary data with an explicit length, so treat them as such
instead of treating them like strings.

ok florian phessler


# 1.86 11-Jul-2018 phessler

Introduce 'auto-join' to the wifi 802.11 stack.

This allows a system to remember which ESSIDs it wants to connect to, any
relevant security configuration, and switch to it when the network we are
currently connected to is no longer available.

Works when connecting and switching between WPA2/WPA1/WEP/clear encryptions.

example hostname.if:
    join home wpakey password
    join work wpakey mekmitasdigoat
    join open-lounge
    join cafe wpakey cafe2018
    join "wepnetwork" nwkey "12345"
    dhcp
    inet6 autoconf
    up

OK stsp@ reyk@
and enthusiasm from every hackroom I've been in for the last 3 years


# 1.85 26-Apr-2018 pirofti

net80211: stub SIOCS80211SCAN, make ifconfig scan instant.

The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stsp@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.

The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.

In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.

The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...

Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.

Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).

Tested by mpi@, landry@, florian@, thanks!
OK mpi@.


Revision tags: OPENBSD_6_3_BASE
# 1.84 05-Feb-2018 stsp

Add a new function hook to struct ieee80211com which wireless drivers
can use to process, and then acknowledge or reject, incoming AUTH
requests in hostap mode.

net80211 accepts an AUTH request from any STA which fits into the node
cache. This behaviour doesn't work for devices which have a lower limit
on concurrent STAs they can serve, so such drivers need an override.

This will be used by our athn(4) USB driver soon.

ok kevlo@


# 1.83 12-Dec-2017 stsp

Make IEEE80211_CHAN_ANYC be a NULL pointer instead of a pointer to 0xffff.
Should speed up debugging.
ok phessler patrick


# 1.82 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


# 1.81 06-Nov-2017 phessler

move a function declaration, so the whole net80211 stack can disable wep or wpa

OK stsp@


# 1.80 29-Oct-2017 mpi

Kill unused members using forward declaration only types.

Found with ctfconv(1). ok jsg@, guenther@


Revision tags: OPENBSD_6_2_BASE
# 1.79 31-May-2017 stsp

The net80211 stack was providing a 'beacon miss timeout' value (in ms)
which specified how much time may elapse without beacons before drivers
begin searching for a new AP.

Drivers convert this timeout value into the amount of beacons they're allowed
to miss. Having the stack provide this number upfront simplifies things.

ok mpi@


# 1.78 30-May-2017 stsp

Introduce ieee80211_min_basic_rate() and ieee80211_max_basic_rate().

These helpers can be used by drivers to improve compatibility with APs
that disable some mandatory PHY rates in the basic rate set.

For instance, many of our drivers hard-code 11b rates on 2 GHz and run
into problems when APs disable them. Since 11b rates are being disabled
by default by some vendors, hardcoding them is not a good idea anymore.

ok mpi@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.77 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.76 30-Jan-2017 stsp

Enable ieee80211_edca_table, which was under #if 0. This table can be used
by drivers to pass default EDCA parameters to firmware instead of passing
local hardcoded values.
ok millert@


# 1.75 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.74 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.73 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@


Revision tags: OPENBSD_6_0_BASE
# 1.72 21-May-2016 stsp

Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.71 25-Jan-2016 stsp

Keep track of HT protection settings in beacons and have 11n-capable
drivers update hardware configuration accordingly.
tested by myself, tb@, deraadt@, abieber@
ok mpi@


# 1.70 12-Jan-2016 stsp

Remove wireless turbo mode support. It is a non-standard extension
which only worked with ath(4) devices from a decade ago.
Diff tested on ath(4) hardware by me to verify that 11a/b modes still work.
ok reyk deraadt chris sthen kettenis


# 1.69 06-Jan-2016 stsp

Initialize the A-MPDU parameters field in HT capability elements.
ok kettenis@


# 1.68 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.67 15-Nov-2015 stsp

Expose 11n mode to the ifmedia layer and introduce the concept of MCS.
Make sure 11n features are enabled only if media type is autoselect or 11n.

11n mode uses MCS (modulation & coding scheme) instead of rates like 11a/b/g.
This means we'll have to take the current mode into account and decide whether
to use a rate or an MCS for transmission. Receiving frames on legacy rates
will still work in 11n mode. We just won't be using legacy rates to send
data frames to an STA or AP we negotiated 11n features with.

My initial plan was to grow the ieee80211_rateset structure and treat MCS
just like rates. However, ieee80211_rateset corresponds to rates and xrates
elements in management frames and is copied directly into such elements
so its size cannot change. Thus, MCS stands on its own and corresponds to
elements in management frames related to 11n HT capabilities.

ok deraadt mpi phessler kettenis guenther


# 1.66 15-Nov-2015 stsp

Declare 802.11n mode and channel flags. Tweak 11n related fields in struct
ieee80211com and move them inside #ifndef IEEE80211_NO_HT without breaking
the build in rsu(4) for RAMDISK_CD.
Also declare 11n protection modes and MCS count.
ok deraadt mpi kettenis guenther


# 1.65 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


# 1.64 27-Sep-2015 stsp

Add ieee80211_channel_init(), factored out from ieee80211_ifattach().
Will be used by iwm(4) soon.
ok kettenis@


# 1.63 11-Sep-2015 stsp

Make room for media types of the future. Extend the ifmedia word to 64 bits.
This changes numbers of the SIOCSIFMEDIA and SIOCGIFMEDIA ioctls and
grows struct ifmediareq.

Old ifconfig and dhclient binaries can still assign addresses, however
the 'media' subcommand stops working. Recompiling ifconfig and dhclient
with new headers before a reboot should not be necessary unless in very
special circumstances where non-default media settings must be used to
get link and console access is not available.

There may be some MD fallout but that will be cleared up later.

ok deraadt miod
with help and suggestions from several sharks attending l2k15


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE OPENBSD_5_6_BASE OPENBSD_5_7_BASE OPENBSD_5_8_BASE
# 1.62 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE
# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.60 19-May-2009 damien

prevent injection of raw 802.11 control frames through bpf on drivers
that do not explicitly state this capability (using flag IEEE80211_C_RAWCTL).
also, perform all the sanity checks on injected raw 802.11 frames earlier
(in ieee80211_output instead of ieee80211_encap).

prevent kernel panics with many drivers when running aircrack-ng.
when/if all drivers are capable, we can remove this C_RAWCTL flag.


# 1.59 26-Mar-2009 damien

move #define IEEE80211_NO_HT under #ifdef SMALL_KERNEL instead
of defining it unconditionally.
although the HT code is not ready yet, making it compile on
GENERIC kernels will help catch regressions/bugs if any.


Revision tags: OPENBSD_4_5_BASE
# 1.58 08-Feb-2009 damien

initial 802.11 defragmentation bits.
the code will allow the concurrent reception of fragments of three
fragmented MSDUs or MMPDUs as required by the 802.11 standard.


# 1.57 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.56 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.55 13-Nov-2008 djm

use different TSCs when sending the two MIC failure report frames
to our AP as we enter TKIP countermeasures by caching the TSC of
the last frame to fail the MIC; prompted by and ok damien@


# 1.54 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.53 08-Sep-2008 jsg

define IEEE80211_STA_ONLY if SMALL_KERNEL is defined to shrink
the size of install media.

ok damien@ deraadt@


# 1.52 01-Sep-2008 damien

add ic_tid_noack bitmap to indicate a per-TID ACK policy (1=no ack,
0=normal ack). all bits are currently set to 0.
use this bitmap to set the ACK policy of the QoS control field of
outgoing QoS frames.


# 1.51 01-Sep-2008 damien

rework previously unused ieee80211_pwrsave() function, call it from
ieee80211_mgmt_output() and ieee80211_encap().
use new IEEE80211_C_APPMGT capability flag where appropriate.
rename ic_tim_mcast to ic_tim_mcast_pending.


# 1.50 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.49 29-Aug-2008 damien

garbage collect unused capabilities and configurations flags.
add two capabilities flags: IEEE80211_C_HT for HT STAs (802.11n)
and IEEE80211_C_APPMGT which indicates the capability for an AP
to buffer unicast and multicast traffic for STAs in PS mode.
all drivers claiming HostAP support should support that but the
truth is that none of them do.
most of them are still at the 802.11b-only era and do not update
dynamic parts of beacons or process frames from ic_pwrsaveq.


# 1.48 27-Aug-2008 damien

move definitions of channels attributes away from ieee80211.h such
that ieee80211.h contains only definitions that are part of the
802.11 standard and not constants used internally by net80211.
because channels attributes are exported to userland through the
radiotap BPF interface, add the definitions to ieee80211_radiotap.h
too (which must be kept in sync with what is used in net80211).
also, do not export combinations of channel attributes to userland
so that no one gets stupid ideas.


# 1.47 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.46 12-Aug-2008 damien

nuke unused fields.


# 1.45 12-Aug-2008 damien

add IEEE80211_F_MFPR config flags (management frame protection required)
and IEEE80211_C_MFP capability bit (driver supports MFP).


# 1.44 12-Aug-2008 damien

extend the ic_nw_keys[] array to 6 elements.
indices 0-3 will be used for group data keys while indices 4-5 will
be used for integrity group keys.
add a ic_rsngroupmgmtcipher field too.


# 1.43 12-Aug-2008 damien

Change the way we process EAPOL-Key frames.
Free the mbuf in the ieee80211_eapol_key_input() function.
Do not assume the frame is contiguous, call m_pullup2() if it is not.
We need the frame to be contiguous to process KDEs efficiently in
EAPOL-Key frames (just like we process IEs in management frames).
However, there are drivers like upgt(4) that use m_devget() in the
RX path. m_devget() can return fragmented mbuf chains.
Notice that we should do the same m_pullup2() for management frames.
This will be done later.
Remove the ic_recv_eapol callback.


Revision tags: OPENBSD_4_4_BASE
# 1.42 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.41 27-Jul-2008 damien

sanitize RX path a bit.
make sure drivers pass a contiguous header, check header length earlier.
fix checking of frames sequence number for frames containing an Address 4
field (required for future work).
fix processing of control frames (only pspoll for now).


# 1.40 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.39 21-Jul-2008 damien

instead of passing rx tstamp and rssi to the ieee80211_input function,
pass a pointer to an ieee80211_rxinfo structure containing those two
fields plus an extra flags field that indicates whether the frame was
decrypted by hardware or not.
required for a future fix.


# 1.38 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.37 17-Nov-2007 damien

make it clear in the code and in the man page that the rate2plcp and
plcp2rate functions use plcp codes in most-significant-bit-first format
(R4-R1).
some drivers like wpi(4) and iwn(4) want plcp codes in lsb-first format
so they can't use those functions.
also the IEEE standard uses R1-R4 notation so this can be a bit confusing
for those referring to it.

use u_int8_t for plcp code and rate instead of int.


# 1.36 14-Nov-2007 mglocker

Add ieee80211_rate2plcp() and ieee80211_plcp2rate() functions, which
convert the PLCP header signal field to a rate value and vice versa.

This implementation has been discussed with Damien and doesn't change
any existing net80211 structures.

ok damien@


# 1.35 03-Nov-2007 mglocker

Revert last commit which added ieee80211_rate2plcp() and
ieee80211_plcp2rate() because I've got a late feedback from Damien that
he dislikes the implementation method a lot.


# 1.34 01-Nov-2007 mglocker

Add ieee80211_rate2plcp() and ieee80211_plcp2rate() functions.

Help and OK reyk@


# 1.33 22-Aug-2007 damien

- add k_rxmic and k_txmic fields to struct ieee80211_key to store the
Tx/Rx MIC for TKIP.
- add two functions to map a PTK and a GTK to an IEEE 802.11 key and
use them in ieee80211_input.c instead of duplicating the same code.
properly set Tx/Rx MIC in the IEEE 802.11 key in the case of TKIP.
- add ic_psk to struct ieee80211com to store the pre-shared key.
- fix setting of the SECURE bit in outgoing EAPOL-Key frames.
- when receiving msg 2 of the 4-way handshake, deauthenticate the
station if the RSN IE does not match that of the (Re)Association
request.
- before parsing an RSN or WPA IE, check that there's enough room for
the version field (2 bytes) which is mandatory.
- various tweaks while i'm here.


Revision tags: OPENBSD_4_2_BASE
# 1.32 28-Jul-2007 damien

add callbacks that drivers must implement to install/reset keys.
add a 64-bit replay counter for sending EAPOL-Key request frames.
add a ic_recv_eapol callback to process EAPOL frames.
drivers can redefine this callback but net80211 will implement it.


# 1.31 24-Jul-2007 damien

add ic_globalcnt to struct ieee80211com:
in an RSNA, each STA must maintain a 256-bit global key counter that
must be initialized to a random value (see 8.5.7).


# 1.30 18-Jul-2007 damien

replace the ieee80211_wepkey structure with a more generic ieee80211_key
one that can be used with other ciphers than WEP.


# 1.29 05-Jul-2007 damien

split ieee80211_add_rsn() so that the code can be reused for
vendor-specific IE.


# 1.28 04-Jul-2007 damien

add RSN flags for ic_caps and ic_flags.


# 1.27 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.26 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.25 21-Jun-2007 damien

add (currently unused) code to parse RSN IEs.


# 1.24 21-Jun-2007 damien

add fields for EDCA.


# 1.23 17-Jun-2007 damien

Add a new capability flag IEEE80211_C_QOS indicating that the driver
supports QoS.
Add a new flag IEEE80211_F_QOS indicating whether QoS is enabled or not.
Add a callback to notify drivers that AC parameters have changed in
the QBSS. Drivers implementing QoS should define this callback and
update their EDCA settings accordingly.


# 1.22 16-Jun-2007 damien

constify


# 1.21 11-Jun-2007 damien

adds 802.11e EDCA tables for QAPs and non-AP QSTAs.
not used yet.

ok jsg@ deraadt@


# 1.20 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.19 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 19-Oct-2006 tom

s/Mhz/MHz/ in comments and printf() strings

ok jsg@


Revision tags: OPENBSD_4_0_BASE
# 1.16 27-Jun-2006 reyk

add the net80211 hostap options "nwflag hidenwid" for hidden SSID mode
and "nwflag nobridge" to prevent inter-station communications.
"hidenwid" will also work with wi(4) to replace the old -E 3 option of
wicontrol.

ok damien@ jmc@


# 1.15 24-Jun-2006 deraadt

ieee80211_cfgget() and ieee80211_cfgset() are dead; ok jsg


# 1.14 23-Jun-2006 reyk

add an optional max_rssi attribute to the ieee80211com structure and
allow to export the RSSI Max value with ioctls and by radiotap
headers.

ok damien@ jsg@

description:

we currently use "dB" as an indication for the signal strength in
ifconfig and in the radiotap headers. it means "decibel difference
from an arbitrary, fixed reference". this is quite confusing, because
different chipsets have different references for the dB/rssi values.

we can use the plain RSSI which is described in IEEE 802.11: "The
receive signal strength indicator (RSSI) is an optional parameter that
has a value of 0 through RSSI Max.". all wireless chipsets have
something like a RSSI (normally as a Rx descriptor field), but the
value for RSSI Max is chipset-specific.

if we know the RSSI Max, we can calculate a percentage which is much
easier to understand for the user. we even don't have to use the
absolute RSSI Max, we can use an average RSSI Max, figured out by
monitoring and tuning the RSSI Max of the drivers. if the user gets a
signal of 110%, it would mean "better than the average Max signal".

there's no need to do any RSSI calculations in the kernel, it just
passes the relative rssi and max_rssi values to userspace. this is
done in the ieee80211_nodereq ioctl structure and possible with a new
radiotap header. the radiotap RSSI header allows to get a flexible but
common signal indicator instead of the complex and unrelated dB/dBm
signal fields. it must include two 8bit values current rssi and RSSI
max.


# 1.13 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.12 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.11 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.10 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.9 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.8 13-May-2005 jsg

do { } while (0) wrappers on debug printf macros. ok reyk@


# 1.7 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.6 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.5 15-Feb-2005 reyk

add the manual tx power option. this is supported by some prism2/2.5/3
cards in hostap mode but it depends on the firmware version. support
for other wireless chipsets will be added in the future using the
net80211-framework.

ok robert@ bob@ danh@, tested by some others


# 1.4 25-Dec-2004 deraadt

in real C, there is not , after the last enum entry; ok reyk


# 1.3 06-Dec-2004 dlg

add a flag that lets a wireless card indicate it can receive probe responses
or beacons on any channel during a scan.

ok damien@ "come on" deraadt@


# 1.2 02-Nov-2004 reyk

some changes merged in from netbsd. ieee80211_regdomain.# will be used
by sdr (software defined radios).

ok deraadt@ millert@ damien@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.100 09-Nov-2019 stsp

Trigger a background scan when root runs the 'ifconfig scan' command.
This will update the list of cached APs for future invocations of the
'scan' command, and will force a search for a better AP to roam to.
ok sthen@ phessler@


# 1.99 06-Nov-2019 stsp

Raise net80211's "beacon miss" threshold to avoid frequent re-connects
to APs that are relatively far away and suffer some packet loss.

The former threshold was 7 beacons (about 700 ms).
This raises the threshold to 30 beacons (about 3 seconds).
Should still be good enough for detecting APs that have disappeared, and
makes wifi networks provided by the University of Bucharest more reliable
in the p2k19 hackroom.

While here, make 'ifconfig iwm0/iwn0 debug' print an obvious message when
we believe that the AP has disappeared.

Problem reported and fix tested by landry@ / pirofti@
ok mpi@ sthen@


# 1.98 31-Oct-2019 stsp

Make background scans less frequent if we keep choosing the same AP.

This helps a bit in situations where a single AP is used and background scans
are causing packet loss, as seen with Jesper Wallin's Broadcom-based AP and my
Android phone in hotspot mode. This is not a proper fix but our background scan
frequency against a single AP was much higher than needed anyway.

Tested by jan, job, benno, Tracey Emery, Jesper Wallin


Revision tags: OPENBSD_6_6_BASE
# 1.97 29-Jul-2019 stsp

Add support for 802.11n Tx aggregation to net80211 and the iwn(4) driver.

In particular, add Tx block ack session management to net80211, with
enough functionality to support Tx aggregation on devices which perform
A-MPDU subframe scheduling in firmware.
Make use of the iwn(4) firmware Tx scheduler to build A-MPDUs.

net80211's QoS support code is now enabled and used by Tx aggregation.

A-MSDU frames inside A-MPDUs have been tested and work in principle.
For now, this feature is disabled because unfair TCP connection sharing
was observed during testing, where bursts of TCP Ack frames for a single
tcpbench(1) connection arriving in A-MSDUs made other TCP connections stall.
Switch off support for A-MSDUs inside A-MPDUs on the Rx side as well.

Tested on iwn chipsets 1000, 4965, 5100, 5300, 2200, 6200, 6205, 6300
(committed version of tested diff has all debug printfs removed)
tests/ok benno kmos mlarkin kevlo


# 1.96 12-May-2019 stsp

Fix 'ifconfig nwflags'; these flags ended up overlapping with other flags
in ieee80211com's ic_flags because we haven't been paying attention to
them (they're not in the same place in the code and hence easy to miss).
Move them to a dedicated variable to avoid this problem in the future.

Add a new 'stayauth' nwflag which can be set to let net80211 ignore
deauth frames. This can be useful when deauth frames are being
persistently spoofed by an attacker. Idea from beck@

ok beck@ phessler@


Revision tags: OPENBSD_6_5_BASE
# 1.95 01-Mar-2019 stsp

Improve handling of HT protection for 'mode 11n' hostap.

Consider the mere presence of HTCAP IEs as indicator of 11n support,
rather than checking advertised Rx MCS. Fixes some devices being
misclassified as 11a/g, causing HT protection to be enabled even
though it is not needed.

Use CTS-to-self frames for HT protection instead of RTS/CTS.

These changes make my athn(4) AR9280 hostap perform much better.

ok phessler@


# 1.94 19-Feb-2019 stsp

Make ifconfig(8) display whether bwfm(4) firmware is using 802.11ac.
ok patrick@ mpi@


# 1.93 18-Jan-2019 phessler

add a len field when we delete an essid from the joinlist. this will have
us properly match, instead of hoping we got lucky when selecting it.

OK stsp@


# 1.92 27-Oct-2018 phessler

pass around the ess and ni structures we plan to use directly, instead
of rediscovering them (possibly badly).

OK stsp@


Revision tags: OPENBSD_6_4_BASE
# 1.91 11-Sep-2018 krw

Nuke unused LIST() ieee80211com_head.

ok stsp@


# 1.90 10-Sep-2018 phessler

give set_ess a len variable, so we can correctly match the essid we want
to switch to.

pointed out by stsp@


# 1.89 09-Sep-2018 phessler

convert the things we save in 'join' into a single ioctl. mixing related
settings over multiple calls was risky and racy. Pass essid, wpa, and wep
parameters in a single ioctl and process it atomically.

no change for 'nwid' users

OK stsp@ benno@


# 1.88 01-Sep-2018 stsp

Make 'ifconfig nwid' override 'ifconfig join'.

There was no way to override a decision made by join's network
selection algorithm (apart from disabling the feature by clearing
the join list). Automatic selection is based on heuristics which
cannot always guess correctly so we need to provide an override.

One specific problem was that if 'nwid foo' and 'nwid bar' were
both visible in the scan and only 'nwid foo' was a member of the
join list, then there was no way at all to connect to 'nwid bar'.
The wireless stack would keep selecting 'nwid foo' instead.

'ifconfig iwm0 nwid bar' command will now disable automatic
network selection and force the use of ESSID 'bar'.
Any of these commands will re-enable automatic network selection:
    ifconfig iwm0 -nwid
    ifconfig iwm0 nwid ''
    ifconfig iwm0 join some-network-id

ok phessler@ deraadt@


# 1.87 06-Aug-2018 stsp

Refactor ieee80211_add_ess():

Drop ieee80211_add_ess's nwid parameter. Read nwid and length directly
from the ic to make it more obvious where this function is reading from.

nwids are binary data with an explicit length, so treat them as such
instead of treating them like strings.

ok florian phessler


# 1.86 11-Jul-2018 phessler

Introduce 'auto-join' to the wifi 802.11 stack.

This allows a system to remember which ESSIDs it wants to connect to, any
relevant security configuration, and switch to it when the network we are
currently connected to is no longer available.

Works when connecting and switching between WPA2/WPA1/WEP/clear encryptions.

example hostname.if:
    join home wpakey password
    join work wpakey mekmitasdigoat
    join open-lounge
    join cafe wpakey cafe2018
    join "wepnetwork" nwkey "12345"
    dhcp
    inet6 autoconf
    up

OK stsp@ reyk@
and enthusiasm from every hackroom I've been in for the last 3 years


# 1.85 26-Apr-2018 pirofti

net80211: stub SIOCS80211SCAN, make ifconfig scan instant.

The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stsp@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.

The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.

In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.

The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...

Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.

Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).

Tested by mpi@, landry@, florian@, thanks!
OK mpi@.


Revision tags: OPENBSD_6_3_BASE
# 1.84 05-Feb-2018 stsp

Add a new function hook to struct ieee80211com which wireless drivers
can use to process, and then acknowledge or reject, incoming AUTH
requests in hostap mode.

net80211 accepts an AUTH request from any STA which fits into the node
cache. This behaviour doesn't work for devices which have a lower limit
on concurrent STAs they can serve, so such drivers need an override.

This will be used by our athn(4) USB driver soon.

ok kevlo@


# 1.83 12-Dec-2017 stsp

Make IEEE80211_CHAN_ANYC be a NULL pointer instead of a pointer to 0xffff.
Should speed up debugging.
ok phessler patrick


# 1.82 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


# 1.81 06-Nov-2017 phessler

move a function declaration, so the whole net80211 stack can disable wep or wpa

OK stsp@


# 1.80 29-Oct-2017 mpi

Kill unused members using forward declaration only types.

Found with ctfconv(1). ok jsg@, guenther@


Revision tags: OPENBSD_6_2_BASE
# 1.79 31-May-2017 stsp

The net80211 stack was providing a 'beacon miss timeout' value (in ms)
which specified how much time may elapse without beacons before drivers
begin searching for a new AP.

Drivers convert this timeout value into the amount of beacons they're allowed
to miss. Having the stack provide this number upfront simplifies things.

ok mpi@


# 1.78 30-May-2017 stsp

Introduce ieee80211_min_basic_rate() and ieee80211_max_basic_rate().

These helpers can be used by drivers to improve compatibility with APs
that disable some mandatory PHY rates in the basic rate set.

For instance, many of our drivers hard-code 11b rates on 2 GHz and run
into problems when APs disable them. Since 11b rates are being disabled
by default by some vendors, hardcoding them is not a good idea anymore.

ok mpi@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.77 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.76 30-Jan-2017 stsp

Enable ieee80211_edca_table, which was under #if 0. This table can be used
by drivers to pass default EDCA parameters to firmware instead of passing
local hardcoded values.
ok millert@


# 1.75 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.74 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.73 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@


Revision tags: OPENBSD_6_0_BASE
# 1.72 21-May-2016 stsp

Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.71 25-Jan-2016 stsp

Keep track of HT protection settings in beacons and have 11n-capable
drivers update hardware configuration accordingly.
tested by myself, tb@, deraadt@, abieber@
ok mpi@


# 1.70 12-Jan-2016 stsp

Remove wireless turbo mode support. It is a non-standard extension
which only worked with ath(4) devices from a decade ago.
Diff tested on ath(4) hardware by me to verify that 11a/b modes still work.
ok reyk deraadt chris sthen kettenis


# 1.69 06-Jan-2016 stsp

Initialize the A-MPDU parameters field in HT capability elements.
ok kettenis@


# 1.68 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.67 15-Nov-2015 stsp

Expose 11n mode to the ifmedia layer and introduce the concept of MCS.
Make sure 11n features are enabled only if media type is autoselect or 11n.

11n mode uses MCS (modulation & coding scheme) instead of rates like 11a/b/g.
This means we'll have to take the current mode into account and decide whether
to use a rate or an MCS for transmission. Receiving frames on legacy rates
will still work in 11n mode. We just won't be using legacy rates to send
data frames to an STA or AP we negotiated 11n features with.

My initial plan was to grow the ieee80211_rateset structure and treat MCS
just like rates. However, ieee80211_rateset corresponds to rates and xrates
elements in management frames and is copied directly into such elements
so its size cannot change. Thus, MCS stands on its own and corresponds to
elements in management frames related to 11n HT capabilities.

ok deraadt mpi phessler kettenis guenther


# 1.66 15-Nov-2015 stsp

Declare 802.11n mode and channel flags. Tweak 11n related fields in struct
ieee80211com and move them inside #ifndef IEEE80211_NO_HT without breaking
the build in rsu(4) for RAMDISK_CD.
Also declare 11n protection modes and MCS count.
ok deraadt mpi kettenis guenther


# 1.65 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


# 1.64 27-Sep-2015 stsp

Add ieee80211_channel_init(), factored out from ieee80211_ifattach().
Will be used by iwm(4) soon.
ok kettenis@


# 1.63 11-Sep-2015 stsp

Make room for media types of the future. Extend the ifmedia word to 64 bits.
This changes numbers of the SIOCSIFMEDIA and SIOCGIFMEDIA ioctls and
grows struct ifmediareq.

Old ifconfig and dhclient binaries can still assign addresses, however
the 'media' subcommand stops working. Recompiling ifconfig and dhclient
with new headers before a reboot should not be necessary unless in very
special circumstances where non-default media settings must be used to
get link and console access is not available.

There may be some MD fallout but that will be cleared up later.

ok deraadt miod
with help and suggestions from several sharks attending l2k15


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE OPENBSD_5_6_BASE OPENBSD_5_7_BASE OPENBSD_5_8_BASE
# 1.62 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE
# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.60 19-May-2009 damien

prevent injection of raw 802.11 control frames through bpf on drivers
that do not explicitly state this capability (using flag IEEE80211_C_RAWCTL).
also, perform all the sanity checks on injected raw 802.11 frames earlier
(in ieee80211_output instead of ieee80211_encap).

prevent kernel panics with many drivers when running aircrack-ng.
when/if all drivers are capable, we can remove this C_RAWCTL flag.


# 1.59 26-Mar-2009 damien

move #define IEEE80211_NO_HT under #ifdef SMALL_KERNEL instead
of defining it unconditionally.
although the HT code is not ready yet, making it compile on
GENERIC kernels will help catch regressions/bugs if any.


Revision tags: OPENBSD_4_5_BASE
# 1.58 08-Feb-2009 damien

initial 802.11 defragmentation bits.
the code will allow the concurrent reception of fragments of three
fragmented MSDUs or MMPDUs as required by the 802.11 standard.


# 1.57 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.56 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.55 13-Nov-2008 djm

use different TSCs when sending the two MIC failure report frames
to our AP as we enter TKIP countermeasures by caching the TSC of
the last frame to fail the MIC; prompted by and ok damien@


# 1.54 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.53 08-Sep-2008 jsg

define IEEE80211_STA_ONLY if SMALL_KERNEL is defined to shrink
the size of install media.

ok damien@ deraadt@


# 1.52 01-Sep-2008 damien

add ic_tid_noack bitmap to indicate a per-TID ACK policy (1=no ack,
0=normal ack). all bits are currently set to 0.
use this bitmap to set the ACK policy of the QoS control field of
outgoing QoS frames.


# 1.51 01-Sep-2008 damien

rework previously unused ieee80211_pwrsave() function, call it from
ieee80211_mgmt_output() and ieee80211_encap().
use new IEEE80211_C_APPMGT capability flag where appropriate.
rename ic_tim_mcast to ic_tim_mcast_pending.


# 1.50 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.49 29-Aug-2008 damien

garbage collect unused capabilities and configurations flags.
add two capabilities flags: IEEE80211_C_HT for HT STAs (802.11n)
and IEEE80211_C_APPMGT which indicates the capability for an AP
to buffer unicast and multicast traffic for STAs in PS mode.
all drivers claiming HostAP support should support that but the
truth is that none of them do.
most of them are still at the 802.11b-only era and do not update
dynamic parts of beacons or process frames from ic_pwrsaveq.


# 1.48 27-Aug-2008 damien

move definitions of channels attributes away from ieee80211.h such
that ieee80211.h contains only definitions that are part of the
802.11 standard and not constants used internally by net80211.
because channels attributes are exported to userland through the
radiotap BPF interface, add the definitions to ieee80211_radiotap.h
too (which must be kept in sync with what is used in net80211).
also, do not export combinations of channel attributes to userland
so that no one gets stupid ideas.


# 1.47 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.46 12-Aug-2008 damien

nuke unused fields.


# 1.45 12-Aug-2008 damien

add IEEE80211_F_MFPR config flags (management frame protection required)
and IEEE80211_C_MFP capability bit (driver supports MFP).


# 1.44 12-Aug-2008 damien

extend the ic_nw_keys[] array to 6 elements.
indices 0-3 will be used for group data keys while indices 4-5 will
be used for integrity group keys.
add a ic_rsngroupmgmtcipher field too.


# 1.43 12-Aug-2008 damien

Change the way we process EAPOL-Key frames.
Free the mbuf in the ieee80211_eapol_key_input() function.
Do not assume the frame is contiguous, call m_pullup2() if it is not.
We need the frame to be contiguous to process KDEs efficiently in
EAPOL-Key frames (just like we process IEs in management frames).
However, there are drivers like upgt(4) that use m_devget() in the
RX path. m_devget() can return fragmented mbuf chains.
Notice that we should do the same m_pullup2() for management frames.
This will be done later.
Remove the ic_recv_eapol callback.


Revision tags: OPENBSD_4_4_BASE
# 1.42 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.41 27-Jul-2008 damien

sanitize RX path a bit.
make sure drivers pass a contiguous header, check header length earlier.
fix checking of frames sequence number for frames containing an Address 4
field (required for future work).
fix processing of control frames (only pspoll for now).


# 1.40 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.39 21-Jul-2008 damien

instead of passing rx tstamp and rssi to the ieee80211_input function,
pass a pointer to an ieee80211_rxinfo structure containing those two
fields plus an extra flags field that indicates whether the frame was
decrypted by hardware or not.
required for a future fix.


# 1.38 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.37 17-Nov-2007 damien

make it clear in the code and in the man page that the rate2plcp and
plcp2rate functions use plcp codes in most-significant-bit-first format
(R4-R1).
some drivers like wpi(4) and iwn(4) want plcp codes in lsb-first format
so they can't use those functions.
also the IEEE standard uses R1-R4 notation so this can be a bit confusing
for those referring to it.

use u_int8_t for plcp code and rate instead of int.


# 1.36 14-Nov-2007 mglocker

Add ieee80211_rate2plcp() and ieee80211_plcp2rate() functions, which
convert the PLCP header signal field to a rate value and vice versa.

This implementation has been discussed with Damien and doesn't change
any existing net80211 structures.

ok damien@


# 1.35 03-Nov-2007 mglocker

Revert last commit which added ieee80211_rate2plcp() and
ieee80211_plcp2rate() because I've got late feedback from Damien that
he dislikes the implementation method a lot.


# 1.34 01-Nov-2007 mglocker

Add ieee80211_rate2plcp() and ieee80211_plcp2rate() functions.

Help and OK reyk@


# 1.33 22-Aug-2007 damien

- add k_rxmic and k_txmic fields to struct ieee80211_key to store the
Tx/Rx MIC for TKIP.
- add two functions to map a PTK and a GTK to an IEEE 802.11 key and
use them in ieee80211_input.c instead of duplicating the same code.
properly set Tx/Rx MIC in the IEEE 802.11 key in the case of TKIP.
- add ic_psk to struct ieee80211com to store the pre-shared key.
- fix setting of the SECURE bit in outgoing EAPOL-Key frames.
- when receiving msg 2 of the 4-way handshake, deauthenticate the
station if the RSN IE does not match that of the (Re)Association
request.
- before parsing an RSN or WPA IE, check that there's enough room for
the version field (2 bytes) which is mandatory.
- various tweaks while i'm here.


Revision tags: OPENBSD_4_2_BASE
# 1.32 28-Jul-2007 damien

add callbacks that drivers must implement to install/reset keys.
add a 64-bit replay counter for sending EAPOL-Key request frames.
add a ic_recv_eapol callback to process EAPOL frames.
drivers can redefine this callback but net80211 will implement it.


# 1.31 24-Jul-2007 damien

add ic_globalcnt to struct ieee80211com:
in an RSNA, each STA must maintain a 256-bit global key counter that
must be initialized to a random value (see 8.5.7).


# 1.30 18-Jul-2007 damien

replace the ieee80211_wepkey structure with a more generic ieee80211_key
one that can be used with other ciphers than WEP.


# 1.29 05-Jul-2007 damien

split ieee80211_add_rsn() so that the code can be reused for
vendor-specific IE.


# 1.28 04-Jul-2007 damien

add RSN flags for ic_caps and ic_flags.


# 1.27 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.26 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.25 21-Jun-2007 damien

add (currently unused) code to parse RSN IEs.


# 1.24 21-Jun-2007 damien

add fields for EDCA.


# 1.23 17-Jun-2007 damien

Add a new capability flag IEEE80211_C_QOS indicating that the driver
supports QoS.
Add a new flag IEEE80211_F_QOS indicating whether QoS is enabled or not.
Add a callback to notify drivers that AC parameters have changed in
the QBSS. Drivers implementing QoS should define this callback and
update their EDCA settings accordingly.


# 1.22 16-Jun-2007 damien

constify


# 1.21 11-Jun-2007 damien

adds 802.11e EDCA tables for QAPs and non-AP QSTAs.
not used yet.

ok jsg@ deraadt@


# 1.20 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.19 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 19-Oct-2006 tom

s/Mhz/MHz/ in comments and printf() strings

ok jsg@


Revision tags: OPENBSD_4_0_BASE
# 1.16 27-Jun-2006 reyk

add the net80211 hostap options "nwflag hidenwid" for hidden SSID mode
and "nwflag nobridge" to prevent inter-station communications.
"hidenwid" will also work with wi(4) to replace the old -E 3 option of
wicontrol.

ok damien@ jmc@


# 1.15 24-Jun-2006 deraadt

ieee80211_cfgget() and ieee80211_cfgset() are dead; ok jsg


# 1.14 23-Jun-2006 reyk

add an optional max_rssi attribute to the ieee80211com structure and
allow to export the RSSI Max value with ioctls and by radiotap
headers.

ok damien@ jsg@

description:

we currently use "dB" as an indication for the signal strength in
ifconfig and in the radiotap headers. it means "decibel difference
from an arbitrary, fixed reference". this is quite confusing, because
different chipsets have different references for the dB/rssi values.

we can use the plain RSSI which is described in IEEE 802.11: "The
receive signal strength indicator (RSSI) is an optional parameter that
has a value of 0 through RSSI Max.". all wireless chipsets have
something like a RSSI (normally as a Rx descriptor field), but the
value for RSSI Max is chipset-specific.

if we know the RSSI Max, we can calculate a percentage which is much
easier to understand for the user. we even don't have to use the
absolute RSSI Max, we can use an average RSSI Max, figured out by
monitoring and tuning the RSSI Max of the drivers. if the user gets a
signal of 110%, it would mean "better than the average Max signal".

there's no need to do any RSSI calculations in the kernel, it just
passes the relative rssi and max_rssi values to userspace. this is
done in the ieee80211_nodereq ioctl structure and possible with a new
radiotap header. the radiotap RSSI header allows to get a flexible but
common signal indicator instead of the complex and unrelated dB/dBm
signal fields. it must include two 8bit values current rssi and RSSI
max.


# 1.13 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.12 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.11 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.10 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.9 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.8 13-May-2005 jsg

do { } while (0) wrappers on debug printf macros. ok reyk@


# 1.7 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.6 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.5 15-Feb-2005 reyk

add the manual tx power option. this is supported by some prism2/2.5/3
cards in hostap mode but it depends on the firmware version. support
for other wireless chipsets will be added in the future using the
net80211-framework.

ok robert@ bob@ danh@, tested by some others


# 1.4 25-Dec-2004 deraadt

in real C, there is not , after the last enum entry; ok reyk


# 1.3 06-Dec-2004 dlg

add a flag that lets a wireless card indicate it can receive probe responses
or beacons on any channel during a scan.

ok damien@ "come on" deraadt@


# 1.2 02-Nov-2004 reyk

some changes merged in from netbsd. ieee80211_regdomain.# will be used
by sdr (software defined radios).

ok deraadt@ millert@ damien@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.99 06-Nov-2019 stsp

Raise net80211's "beacon miss" threshold to avoid frequent re-connects
to APs that are relatively far away and suffer some packet loss.

The former threshold was 7 beacons (about 700 ms).
This raises the threshold to 30 beacons (about 3 seconds).
Should still be good enough for detecting APs that have disappeared, and
makes wifi networks provided by the University of Bucharest more reliable
in the p2k19 hackroom.

While here, make 'ifconfig iwm0/iwn0 debug' print an obvious message when
we believe that the AP has disappeared.

Problem reported and fix tested by landry@ / pirofti@
ok mpi@ sthen@


# 1.98 31-Oct-2019 stsp

Make background scans less frequent if we keep choosing the same AP.

This helps a bit in situations where a single AP is used and background scans
are causing packet loss, as seen with Jesper Wallin's Broadcom-based AP and my
Android phone in hotspot mode. This is not a proper fix but our background scan
frequency against a single AP was much higher than needed anyway.

Tested by jan, job, benno, Tracey Emery, Jesper Wallin


Revision tags: OPENBSD_6_6_BASE
# 1.97 29-Jul-2019 stsp

Add support for 802.11n Tx aggregation to net80211 and the iwn(4) driver.

In particular, add Tx block ack session management to net80211, with
enough functionality to support Tx aggregation on devices which perform
A-MPDU subframe scheduling in firmware.
Make use of the iwn(4) firmware Tx scheduler to build A-MPDUs.

net80211's QoS support code is now enabled and used by Tx aggregation.

A-MSDU frames inside A-MPDUs have been tested and work in principle.
For now, this feature is disabled because unfair TCP connection sharing
was observed during testing, where bursts of TCP Ack frames for a single
tcpbench(1) connection arriving in A-MSDUs made other TCP connections stall.
Switch off support for A-MSDUs inside A-MPDUs on the Rx side as well.

Tested on iwn chipsets 1000, 4965, 5100, 5300, 2200, 6200, 6205, 6300
(committed version of tested diff has all debug printfs removed)
tests/ok benno kmos mlarkin kevlo


# 1.96 12-May-2019 stsp

Fix 'ifconfig nwflags'; These flags ended up overlapping with other flags
in ieee80211com's ic_flags because we haven't been paying attention to
them (they're not in the same place in the code and hence easy to miss).
Move them to a dedicated variable to avoid this problem in the future.

Add a new 'stayauth' nwflag which can be set to let net80211 ignore
deauth frames. This can be useful when deauth frames are being
persistently spoofed by an attacker. Idea from beck@

ok beck@ phessler@


Revision tags: OPENBSD_6_5_BASE
# 1.95 01-Mar-2019 stsp

Improve handling of HT protection for 'mode 11n' hostap.

Consider the mere presence of HTCAP IEs as indicator of 11n support,
rather than checking advertised Rx MCS. Fixes some devices being
misclassified as 11a/g, causing HT protection to be enabled even
though it is not needed.

Use CTS-to-self frames for HT protection instead of RTS/CTS.

These changes make my athn(4) AR9280 hostap perform much better.

ok phessler@


# 1.94 19-Feb-2019 stsp

Make ifconfig(8) display whether bwfm(4) firmware is using 802.11ac.
ok patrick@ mpi@


# 1.93 18-Jan-2019 phessler

add a len field when we delete an essid from the joinlist. this will have
us properly match, instead of hoping we got lucky when selecting it.

OK stsp@


# 1.92 27-Oct-2018 phessler

pass around the ess and ni structures we plan to use directly, instead
of rediscovering them (possibly badly).

OK stsp@


Revision tags: OPENBSD_6_4_BASE
# 1.91 11-Sep-2018 krw

Nuke unused LIST() ieee80211com_head.

ok stsp@


# 1.90 10-Sep-2018 phessler

give set_ess a len variable, so we can correctly match the essid we want
to switch to.

pointed out by stsp@


# 1.89 09-Sep-2018 phessler

convert the things we save in 'join' into a single ioctl. mixing related
settings over multiple calls was risky and racy. Pass essid, wpa, and wep
parameters in a single ioctl and process it atomically.

no change for 'nwid' users

OK stsp@ benno@


# 1.88 01-Sep-2018 stsp

Make 'ifconfig nwid' override 'ifconfig join'.

There was no way to override a decision made by join's network
selection algorithm (apart from disabling the feature by clearing
the join list). Automatic selection is based on heuristics which
cannot always guess correctly so we need to provide an override.

One specific problem was that if 'nwid foo' and 'nwid bar' were
both visible in the scan and only 'nwid foo' was a member of the
join list, then there was no way at all to connect to 'nwid bar'.
The wireless stack would keep selecting 'nwid foo' instead.

'ifconfig iwm0 nwid bar' command will now disable automatic
network selection and force the use of ESSID 'bar'.
Any of these commands will re-enable automatic network selection:
ifconfig iwm0 -nwid
ifconfig iwm0 nwid ''
ifconfig iwm0 join some-network-id

ok phessler@ deraadt@


# 1.87 06-Aug-2018 stsp

Refactor ieee80211_add_ess():

Drop ieee80211_add_ess's nwid parameter. Read nwid and length directly
from the ic to make it more obvious where this function is reading from.

nwids are binary data with an explicit length, so treat them as such
instead of treating them like strings.

ok florian phessler


# 1.86 11-Jul-2018 phessler

Introduce 'auto-join' to the wifi 802.11 stack.

This allows a system to remember which ESSIDs it wants to connect to, any
relevant security configuration, and switch to it when the network we are
currently connected to is no longer available.

Works when connecting and switching between WPA2/WPA1/WEP/clear encryptions.

example hostname.if:
join home wpakey password
join work wpakey mekmitasdigoat
join open-lounge
join cafe wpakey cafe2018
join "wepnetwork" nwkey "12345"
dhcp
inet6 autoconf
up

OK stsp@ reyk@
and enthusiasm from every hackroom I've been in for the last 3 years


# 1.85 26-Apr-2018 pirofti

net80211: stub SIOCS80211SCAN, make ifconfig scan instant.

The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stsp@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.

The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.

In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.

The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...

Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.

Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).

Tested by mpi@, landry@, florian@, thanks!
OK mpi@.


Revision tags: OPENBSD_6_3_BASE
# 1.84 05-Feb-2018 stsp

Add a new function hook to struct ieee80211com which wireless drivers
can use to process, and then acknowledge or reject, incoming AUTH
requests in hostap mode.

net80211 accepts an AUTH request from any STA which fits into the node
cache. This behaviour doesn't work for devices which have a lower limit
on concurrent STAs they can serve, so such drivers need an override.

This will be used by our athn(4) USB driver soon.

ok kevlo@


# 1.83 12-Dec-2017 stsp

Make IEEE80211_CHAN_ANYC be a NULL pointer instead of a pointer to 0xffff.
Should speed up debugging.
ok phessler patrick


# 1.82 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


# 1.81 06-Nov-2017 phessler

move a function declaration, so the whole net80211 stack can disable wep or wpa

OK stsp@


# 1.80 29-Oct-2017 mpi

Kill unused members using forward declaration only types.

Found with ctfconv(1). ok jsg@, guenther@


Revision tags: OPENBSD_6_2_BASE
# 1.79 31-May-2017 stsp

The net80211 stack was providing a 'beacon miss timeout' value (in ms)
which specified how much time may elapse without beacons before drivers
begin searching for a new AP.

Drivers convert this timeout value into the amount of beacons they're allowed
to miss. Having the stack provide this number upfront simplifies things.

ok mpi@


# 1.78 30-May-2017 stsp

Introduce ieee80211_min_basic_rate() and ieee80211_max_basic_rate().

These helpers can be used by drivers to improve compatibility with APs
that disable some mandatory PHY rates in the basic rate set.

For instance, many of our drivers hard-code 11b rates on 2 GHz and run
into problems when APs disable them. Since 11b rates are being disabled
by default by some vendors, hardcoding them is not a good idea anymore.

ok mpi@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.77 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.76 30-Jan-2017 stsp

Enable ieee80211_edca_table, which was under #if 0. This table can be used
by drivers to pass default EDCA parameters to firmware instead of passing
local hardcoded values.
ok millert@


# 1.75 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.74 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.73 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@


Revision tags: OPENBSD_6_0_BASE
# 1.72 21-May-2016 stsp

Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.71 25-Jan-2016 stsp

Keep track of HT protection settings in beacons and have 11n-capable
drivers update hardware configuration accordingly.
tested by myself, tb@, deraadt@, abieber@
ok mpi@


# 1.70 12-Jan-2016 stsp

Remove wireless turbo mode support. It is a non-standard extension
which only worked with ath(4) devices from a decade ago.
Diff tested on ath(4) hardware by me to verify that 11a/b modes still work.
ok reyk deraadt chris sthen kettenis


# 1.69 06-Jan-2016 stsp

Initialize the A-MPDU parameters field in HT capability elements.
ok kettenis@


# 1.68 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.67 15-Nov-2015 stsp

Expose 11n mode to the ifmedia layer and introduce the concept of MCS.
Make sure 11n features are enabled only if media type is autoselect or 11n.

11n mode uses MCS (modulation & coding scheme) instead of rates like 11a/b/g.
This means we'll have to take the current mode into account and decide whether
to use a rate or an MCS for transmission. Receiving frames on legacy rates
will still work in 11n mode. We just won't be using legacy rates to send
data frames to an STA or AP we negotiated 11n features with.

My initial plan was to grow the ieee80211_rateset structure and treat MCS
just like rates. However, ieee80211_rateset corresponds to rates and xrates
elements in management frames and is copied directly into such elements
so its size cannot change. Thus, MCS stands on its own and corresponds to
elements in management frames related to 11n HT capabilities.

ok deraadt mpi phessler kettenis guenther


# 1.66 15-Nov-2015 stsp

Declare 802.11n mode and channel flags. Tweak 11n related fields in struct
ieee80211com and move them inside #ifndef IEEE80211_NO_HT without breaking
the build in rsu(4) for RAMDISK_CD.
Also declare 11n protection modes and MCS count.
ok deraadt mpi kettenis guenther


# 1.65 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


# 1.64 27-Sep-2015 stsp

Add ieee80211_channel_init(), factored out from ieee80211_ifattach().
Will be used by iwm(4) soon.
ok kettenis@


# 1.63 11-Sep-2015 stsp

Make room for media types of the future. Extend the ifmedia word to 64 bits.
This changes numbers of the SIOCSIFMEDIA and SIOCGIFMEDIA ioctls and
grows struct ifmediareq.

Old ifconfig and dhclient binaries can still assign addresses, however
the 'media' subcommand stops working. Recompiling ifconfig and dhclient
with new headers before a reboot should not be necessary unless in very
special circumstances where non-default media settings must be used to
get link and console access is not available.

There may be some MD fallout but that will be cleared up later.

ok deraadt miod
with help and suggestions from several sharks attending l2k15


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE OPENBSD_5_6_BASE OPENBSD_5_7_BASE OPENBSD_5_8_BASE
# 1.62 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE
# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.60 19-May-2009 damien

prevent injection of raw 802.11 control frames through bpf on drivers
that do not explicitly state this capability (using flag IEEE80211_C_RAWCTL).
also, perform all the sanity checks on injected raw 802.11 frames earlier
(in ieee80211_output instead of ieee80211_encap).

prevent kernel panics with many drivers when running aircrack-ng.
when/if all drivers are capable, we can remove this C_RAWCTL flag.


# 1.59 26-Mar-2009 damien

move #define IEEE80211_NO_HT under #ifdef SMALL_KERNEL instead
of defining it unconditionally.
although the HT code is not ready yet, making it compile on
GENERIC kernels will help catch regressions/bugs if any.


Revision tags: OPENBSD_4_5_BASE
# 1.58 08-Feb-2009 damien

initial 802.11 defragmentation bits.
the code will allow the concurrent reception of fragments of three
fragmented MSDUs or MMPDUs as required by the 802.11 standard.


# 1.57 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.56 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.55 13-Nov-2008 djm

use different TSCs when sending the two MIC failure report frames
to our AP as we enter TKIP countermeasures by caching the TSC of
the last frame to fail the MIC; prompted by and ok damien@


# 1.54 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.53 08-Sep-2008 jsg

define IEEE80211_STA_ONLY if SMALL_KERNEL is defined to shrink
the size of install media.

ok damien@ deraadt@


# 1.52 01-Sep-2008 damien

add ic_tid_noack bitmap to indicate a per-TID ACK policy (1=no ack,
0=normal ack). all bits are currently set to 0.
use this bitmap to set the ACK policy of the QoS control field of
outgoing QoS frames.


# 1.51 01-Sep-2008 damien

rework previously unused ieee80211_pwrsave() function, call it from
ieee80211_mgmt_output() and ieee80211_encap().
use new IEEE80211_C_APPMGT capability flag where appropriate.
rename ic_tim_mcast to ic_tim_mcast_pending.


# 1.50 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.49 29-Aug-2008 damien

garbage collect unused capabilities and configurations flags.
add two capabilities flags: IEEE80211_C_HT for HT STAs (802.11n)
and IEEE80211_C_APPMGT which indicates the capability for an AP
to buffer unicast and multicast traffic for STAs in PS mode.
all drivers claiming HostAP support should support that but the
truth is that none of them do.
most of them are still at the 802.11b-only era and do not update
dynamic parts of beacons or process frames from ic_pwrsaveq.


# 1.48 27-Aug-2008 damien

move definitions of channels attributes away from ieee80211.h such
that ieee80211.h contains only definitions that are part of the
802.11 standard and not constants used internally by net80211.
because channels attributes are exported to userland through the
radiotap BPF interface, add the definitions to ieee80211_radiotap.h
too (which must be kept in sync with what is used in net80211).
also, do not export combinations of channel attributes to userland
so that no one gets stupid ideas.


# 1.47 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.46 12-Aug-2008 damien

nuke unused fields.


# 1.45 12-Aug-2008 damien

add IEEE80211_F_MFPR config flags (management frame protection required)
and IEEE80211_C_MFP capability bit (driver supports MFP).


# 1.44 12-Aug-2008 damien

extend the ic_nw_keys[] array to 6 elements.
indices 0-3 will be used for group data keys while indices 4-5 will
be used for integrity group keys.
add a ic_rsngroupmgmtcipher field too.


# 1.43 12-Aug-2008 damien

Change the way we process EAPOL-Key frames.
Free the mbuf in the ieee80211_eapol_key_input() function.
Do not assume the frame is contiguous, call m_pullup2() if it is not.
We need the frame to be contiguous to process KDEs efficiently in
EAPOL-Key frames (just like we process IEs in management frames).
However, there are drivers like upgt(4) that use m_devget() in the
RX path. m_devget() can return fragmented mbuf chains.
Notice that we should do the same m_pullup2() for management frames.
This will be done later.
Remove the ic_recv_eapol callback.


Revision tags: OPENBSD_4_4_BASE
# 1.42 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.41 27-Jul-2008 damien

sanitize RX path a bit.
make sure drivers pass a contiguous header, check header length earlier.
fix checking of frames sequence number for frames containing an Address 4
field (required for future work).
fix processing of control frames (only pspoll for now).


# 1.40 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.39 21-Jul-2008 damien

instead of passing rx tstamp and rssi to the ieee80211_input function,
pass a pointer to an ieee80211_rxinfo structure containing those two
fields plus an extra flags field that indicates whether the frame was
decrypted by hardware or not.
required for a future fix.


# 1.38 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.37 17-Nov-2007 damien

make it clear in the code and in the man page that the rate2plcp and
plcp2rate functions use plcp codes in most-significant-bit-first format
(R4-R1).
some drivers like wpi(4) and iwn(4) want plcp codes in lsb-first format
so they can't use those functions.
also the IEEE standard uses R1-R4 notation so this can be a bit confusing
for those referring to it.

use u_int8_t for plcp code and rate instead of int.


# 1.36 14-Nov-2007 mglocker

Add ieee80211_rate2plcp() and ieee80211_plcp2rate() functions, which
convert the PLCP header signal field to a rate value and vice versa.

This implementation has been discussed with Damien and doesn't change
any existing net80211 structures.

ok damien@


# 1.35 03-Nov-2007 mglocker

Revert last commit which added ieee80211_rate2plcp() and
ieee80211_plcp2rate() because I've got a late feedback from Damien that
he dislikes the implementation method a lot.


# 1.34 01-Nov-2007 mglocker

Add ieee80211_rate2plcp() and ieee80211_plcp2rate() functions.

Help and OK reyk@


# 1.33 22-Aug-2007 damien

- add k_rxmic and k_txmic fields to struct ieee80211_key to store the
Tx/Rx MIC for TKIP.
- add two functions to map a PTK and a GTK to an IEEE 802.11 key and
use them in ieee80211_input.c instead of duplicating the same code.
properly set Tx/Rx MIC in the IEEE 802.11 key in the case of TKIP.
- add ic_psk to struct ieee80211com to store the pre-shared key.
- fix setting of the SECURE bit in outgoing EAPOL-Key frames.
- when receiving msg 2 of the 4-way handshake, deauthenticate the
station if the RSN IE does not match that of the (Re)Association
request.
- before parsing an RSN or WPA IE, check that there's enough room for
the version field (2 bytes) which is mandatory.
- various tweaks while i'm here.


Revision tags: OPENBSD_4_2_BASE
# 1.32 28-Jul-2007 damien

add callbacks that drivers must implement to install/reset keys.
add a 64-bit replay counter for sending EAPOL-Key request frames.
add a ic_recv_eapol callback to process EAPOL frames.
drivers can redefine this callback but net80211 will implement it.


# 1.31 24-Jul-2007 damien

add ic_globalcnt to struct ieee80211com:
in an RSNA, each STA must maintain a 256-bit global key counter that
must be initialized to a random value (see 8.5.7).


# 1.30 18-Jul-2007 damien

replace the ieee80211_wepkey structure with a more generic ieee80211_key
one that can be used with other ciphers than WEP.


# 1.29 05-Jul-2007 damien

split ieee80211_add_rsn() so that the code can be reused for
vendor-specific IE.


# 1.28 04-Jul-2007 damien

add RSN flags for ic_caps and ic_flags.


# 1.27 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.26 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.25 21-Jun-2007 damien

add (currently unused) code to parse RSN IEs.


# 1.24 21-Jun-2007 damien

add fields for EDCA.


# 1.23 17-Jun-2007 damien

Add a new capability flag IEEE80211_C_QOS indicating that the driver
supports QoS.
Add a new flag IEEE80211_F_QOS indicating whether QoS is enabled or not.
Add a callback to notify drivers that AC parameters have changed in
the QBSS. Drivers implementing QoS should define this callback and
update their EDCA settings accordingly.


# 1.22 16-Jun-2007 damien

constify


# 1.21 11-Jun-2007 damien

adds 802.11e EDCA tables for QAPs and non-AP QSTAs.
not used yet.

ok jsg@ deraadt@


# 1.20 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.19 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 19-Oct-2006 tom

s/Mhz/MHz/ in comments and printf() strings

ok jsg@


Revision tags: OPENBSD_4_0_BASE
# 1.16 27-Jun-2006 reyk

add the net80211 hostap options "nwflag hidenwid" for hidden SSID mode
and "nwflag nobridge" to prevent inter-station communications.
"hidenwid" will also work with wi(4) to replace the old -E 3 option of
wicontrol.

ok damien@ jmc@


# 1.15 24-Jun-2006 deraadt

ieee80211_cfgget() and ieee80211_cfgset() are dead; ok jsg


# 1.14 23-Jun-2006 reyk

add an optional max_rssi attribute to the ieee80211com structure and
allow to export the RSSI Max value with ioctls and by radiotap
headers.

ok damien@ jsg@

description:

we currently use "dB" as an indication for the signal strength in
ifconfig and in the radiotap headers. it means "decibel difference
from an arbitrary, fixed reference". this is quite confusing, because
different chipsets have different references for the dB/rssi values.

we can use the plain RSSI which is described in IEEE 802.11: "The
receive signal strength indicator (RSSI) is an optional parameter that
has a value of 0 through RSSI Max.". all wireless chipsets have
something like a RSSI (normally as a Rx descriptor field), but the
value for RSSI Max is chipset-specific.

if we know the RSSI Max, we can calculate a percentage which is much
easier to understand for the user. we even don't have to use the
absolute RSSI Max, we can use an average RSSI Max, figured out by
monitoring and tuning the RSSI Max of the drivers. if the user gets a
signal of 110%, it would mean "better than the average Max signal".

there's no need to do any RSSI calculations in the kernel, it just
passes the relative rssi and max_rssi values to userspace. this is
done in the ieee80211_nodereq ioctl structure and possible with a new
radiotap header. the radiotap RSSI header allows to get a flexible but
common signal indicator instead of the complex and unrelated dB/dBm
signal fields. it must include two 8bit values current rssi and RSSI
max.


# 1.13 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.12 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.11 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.10 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.9 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.8 13-May-2005 jsg

do { } while (0) wrappers on debug printf macros. ok reyk@


# 1.7 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.6 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.5 15-Feb-2005 reyk

add the manual tx power option. this is supported by some prism2/2.5/3
cards in hostap mode but it depends on the firmware version. support
for other wireless chipsets will be added in the future using the
net80211-framework.

ok robert@ bob@ danh@, tested by some others


# 1.4 25-Dec-2004 deraadt

in real C, there is no , after the last enum entry; ok reyk


# 1.3 06-Dec-2004 dlg

add a flag that lets a wireless card indicate it can receive probe responses
or beacons on any channel during a scan.

ok damien@ "come on" deraadt@


# 1.2 02-Nov-2004 reyk

some changes merged in from netbsd. ieee80211_regdomain.# will be used
by sdr (software defined radios).

ok deraadt@ millert@ damien@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.98 31-Oct-2019 stsp

Make background scans less frequent if we keep choosing the same AP.

This helps a bit in situations where a single AP is used and background scans
are causing packet loss, as seen with Jesper Wallin's Broadcom-based AP and my
Android phone in hotspot mode. This is not a proper fix but our background scan
frequency against a single AP was much higher than needed anyway.

Tested by jan, job, benno, Tracey Emery, Jesper Wallin


Revision tags: OPENBSD_6_6_BASE
# 1.97 29-Jul-2019 stsp

Add support for 802.11n Tx aggregation to net80211 and the iwn(4) driver.

In particular, add Tx block ack session management to net80211, with
enough functionality to support Tx aggregation on devices which perform
A-MPDU subframe scheduling in firmware.
Make use of the iwn(4) firmware Tx scheduler to build A-MPDUs.

net80211's QoS support code is now enabled and used by Tx aggregation.

A-MSDU frames inside A-MPDUs have been tested and work in principle.
For now, this feature is disabled because unfair TCP connection sharing
was observed during testing, where bursts of TCP Ack frames for a single
tcpbench(1) connection arriving in A-MSDUs made other TCP connections stall.
Switch off support for A-MSDUs inside A-MPDUs on the Rx side as well.

Tested on iwn chipsets 1000, 4965, 5100, 5300, 2200, 6200, 6205, 6300
(committed version of tested diff has all debug printfs removed)
tests/ok benno kmos mlarkin kevlo


# 1.96 12-May-2019 stsp

Fix 'ifconfig nwflags'; These flags ended up overlapping with other flags
in ieee80211com's ic_flags because we haven't been paying attention to
them (they're not in the same place in the code and hence easy to miss).
Move them to a dedicated variable to avoid this problem in the future.

Add a new 'stayauth' nwflag which can be set to let net80211 ignore
deauth frames. This can be useful when deauth frames are being
persistently spoofed by an attacker. Idea from beck@

ok beck@ phessler@


Revision tags: OPENBSD_6_5_BASE
# 1.95 01-Mar-2019 stsp

Improve handling of HT protection for 'mode 11n' hostap.

Consider the mere presence of HTCAP IEs as indicator of 11n support,
rather than checking advertised Rx MCS. Fixes some devices being
misclassified as 11a/g, causing HT protection to be enabled even
though it is not needed.

Use CTS-to-self frames for HT protection instead of RTS/CTS.

These changes make my athn(4) AR9280 hostap perform much better.

ok phessler@


# 1.94 19-Feb-2019 stsp

Make ifconfig(8) display whether bwfm(4) firmware is using 802.11ac.
ok patrick@ mpi@


# 1.93 18-Jan-2019 phessler

add a len field when we delete an essid from the joinlist. this will have
us properly match, instead of hoping we got lucky when selecting it.

OK stsp@


# 1.92 27-Oct-2018 phessler

pass around the ess and ni structures we plan to use directly, instead
of rediscovering them (possibly badly).

OK stsp@


Revision tags: OPENBSD_6_4_BASE
# 1.91 11-Sep-2018 krw

Nuke unused LIST() ieee80211com_head.

ok stsp@


# 1.90 10-Sep-2018 phessler

give set_ess a len variable, so we can correctly match the essid we want
to switch to.

pointed out by stsp@


# 1.89 09-Sep-2018 phessler

convert the things we save in 'join' into a single ioctl. mixing related
settings over multiple calls was risky and racy. Pass essid, wpa, and wep
parameters in a single ioctl and process it atomically.

no change for 'nwid' users

OK stsp@ benno@


# 1.88 01-Sep-2018 stsp

Make 'ifconfig nwid' override 'ifconfig join'.

There was no way to override a decision made by join's network
selection algorithm (apart from disabling the feature by clearing
the join list). Automatic selection is based on heuristics which
cannot always guess correctly so we need to provide an override.

One specific problem was that if 'nwid foo' and 'nwid bar' were
both visible in the scan and only 'nwid foo' was a member of the
join list, then there was no way at all to connect to 'nwid bar'.
The wireless stack would keep selecting 'nwid foo' instead.

'ifconfig iwm0 nwid bar' command will now disable automatic
network selection and force the use of ESSID 'bar'.
Any of these commands will re-enable automatic network selection:
ifconfig iwm0 -nwid
ifconfig iwm0 nwid ''
ifconfig iwm0 join some-network-id

ok phessler@ deraadt@


# 1.87 06-Aug-2018 stsp

Refactor ieee80211_add_ess():

Drop ieee80211_add_ess's nwid parameter. Read nwid and length directly
from the ic to make it more obvious where this function is reading from.

nwids are binary data with an explicit length, so treat them as such
instead of treating them like strings.

ok florian phessler


# 1.86 11-Jul-2018 phessler

Introduce 'auto-join' to the wifi 802.11 stack.

This allows a system to remember which ESSIDs it wants to connect to, any
relevant security configuration, and switch to it when the network we are
currently connected to is no longer available.

Works when connecting and switching between WPA2/WPA1/WEP/clear encryptions.

example hostname.if:
join home wpakey password
join work wpakey mekmitasdigoat
join open-lounge
join cafe wpakey cafe2018
join "wepnetwork" nwkey "12345"
dhcp
inet6 autoconf
up

OK stsp@ reyk@
and enthusiasm from every hackroom I've been in for the last 3 years


# 1.85 26-Apr-2018 pirofti

net80211: stub SIOCS80211SCAN, make ifconfig scan instant.

The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stsp@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.

The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.

In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.

The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...

Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.

Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).

Tested by mpi@, landry@, florian@, thanks!
OK mpi@.


Revision tags: OPENBSD_6_3_BASE
# 1.84 05-Feb-2018 stsp

Add a new function hook to struct ieee80211com which wireless drivers
can use to process, and then acknowledge or reject, incoming AUTH
requests in hostap mode.

net80211 accepts an AUTH request from any STA which fits into the node
cache. This behaviour doesn't work for devices which have a lower limit
on concurrent STAs they can serve, so such drivers need an override.

This will be used by our athn(4) USB driver soon.

ok kevlo@


# 1.83 12-Dec-2017 stsp

Make IEEE80211_CHAN_ANYC be a NULL pointer instead of a pointer to 0xffff.
Should speed up debugging.
ok phessler patrick


# 1.82 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


# 1.81 06-Nov-2017 phessler

move a function declaration, so the whole net80211 stack can disable wep or wpa

OK stsp@


# 1.80 29-Oct-2017 mpi

Kill unused members using forward declaration only types.

Found with ctfconv(1). ok jsg@, guenther@


Revision tags: OPENBSD_6_2_BASE
# 1.79 31-May-2017 stsp

The net80211 stack was providing a 'beacon miss timeout' value (in ms)
which specified how much time may elapse without beacons before drivers
begin searching for a new AP.

Drivers convert this timeout value into the amount of beacons they're allowed
to miss. Having the stack provide this number upfront simplifies things.

ok mpi@


# 1.78 30-May-2017 stsp

Introduce ieee80211_min_basic_rate() and ieee80211_max_basic_rate().

These helpers can be used by drivers to improve compatibility with APs
that disable some mandatory PHY rates in the basic rate set.

For instance, many of our drivers hard-code 11b rates on 2 GHz and run
into problems when APs disable them. Since 11b rates are being disabled
by default by some vendors, hardcoding them is not a good idea anymore.

ok mpi@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.77 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.76 30-Jan-2017 stsp

Enable ieee80211_edca_table, which was under #if 0. This table can be used
by drivers to pass default EDCA parameters to firmware instead of passing
local hardcoded values.
ok millert@


# 1.75 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.74 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.73 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@


Revision tags: OPENBSD_6_0_BASE
# 1.72 21-May-2016 stsp

Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.71 25-Jan-2016 stsp

Keep track of HT protection settings in beacons and have 11n-capable
drivers update hardware configuration accordingly.
tested by myself, tb@, deraadt@, abieber@
ok mpi@


# 1.70 12-Jan-2016 stsp

Remove wireless turbo mode support. It is a non-standard extension
which only worked with ath(4) devices from a decade ago.
Diff tested on ath(4) hardware by me to verify that 11a/b modes still work.
ok reyk deraadt chris sthen kettenis


# 1.69 06-Jan-2016 stsp

Initialize the A-MPDU parameters field in HT capability elements.
ok kettenis@


# 1.68 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.67 15-Nov-2015 stsp

Expose 11n mode to the ifmedia layer and introduce the concept of MCS.
Make sure 11n features are enabled only if media type is autoselect or 11n.

11n mode uses MCS (modulation & coding scheme) instead of rates like 11a/b/g.
This means we'll have to take the current mode into account and decide whether
to use a rate or an MCS for transmission. Receiving frames on legacy rates
will still work in 11n mode. We just won't be using legacy rates to send
data frames to an STA or AP we negotiated 11n features with.

My initial plan was to grow the ieee80211_rateset structure and treat MCS
just like rates. However, ieee80211_rateset corresponds to rates and xrates
elements in management frames and is copied directly into such elements
so its size cannot change. Thus, MCS stands on its own and corresponds to
elements in management frames related to 11n HT capabilities.

ok deraadt mpi phessler kettenis guenther


# 1.66 15-Nov-2015 stsp

Declare 802.11n mode and channel flags. Tweak 11n related fields in struct
ieee80211com and move them inside #ifndef IEEE80211_NO_HT without breaking
the build in rsu(4) for RAMDISK_CD.
Also declare 11n protection modes and MCS count.
ok deraadt mpi kettenis guenther


# 1.65 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


# 1.64 27-Sep-2015 stsp

Add ieee80211_channel_init(), factored out from ieee80211_ifattach().
Will be used by iwm(4) soon.
ok kettenis@


# 1.63 11-Sep-2015 stsp

Make room for media types of the future. Extend the ifmedia word to 64 bits.
This changes numbers of the SIOCSIFMEDIA and SIOCGIFMEDIA ioctls and
grows struct ifmediareq.

Old ifconfig and dhclient binaries can still assign addresses, however
the 'media' subcommand stops working. Recompiling ifconfig and dhclient
with new headers before a reboot should not be necessary unless in very
special circumstances where non-default media settings must be used to
get link and console access is not available.

There may be some MD fallout but that will be cleared up later.

ok deraadt miod
with help and suggestions from several sharks attending l2k15


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE OPENBSD_5_6_BASE OPENBSD_5_7_BASE OPENBSD_5_8_BASE
# 1.62 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE
# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.60 19-May-2009 damien

prevent injection of raw 802.11 control frames through bpf on drivers
that do not explicitly state this capability (using flag IEEE80211_C_RAWCTL).
also, perform all the sanity checks on injected raw 802.11 frames earlier
(in ieee80211_output instead of ieee80211_encap).

prevent kernel panics with many drivers when running aircrack-ng.
when/if all drivers are capable, we can remove this C_RAWCTL flag.


# 1.59 26-Mar-2009 damien

move #define IEEE80211_NO_HT under #ifdef SMALL_KERNEL instead
of defining it unconditionally.
although the HT code is not ready yet, making it compile on
GENERIC kernels will help catch regressions/bugs if any.


Revision tags: OPENBSD_4_5_BASE
# 1.58 08-Feb-2009 damien

initial 802.11 defragmentation bits.
the code will allow the concurrent reception of fragments of three
fragmented MSDUs or MMPDUs as required by the 802.11 standard.


# 1.57 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.56 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.55 13-Nov-2008 djm

use different TSCs when sending the two MIC failure report frames
to our AP as we enter TKIP countermeasures by caching the TSC of
the last frame to fail the MIC; prompted by and ok damien@


# 1.54 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.53 08-Sep-2008 jsg

define IEEE80211_STA_ONLY if SMALL_KERNEL is defined to shrink
the size of install media.

ok damien@ deraadt@


# 1.52 01-Sep-2008 damien

add ic_tid_noack bitmap to indicate a per-TID ACK policy (1=no ack,
0=normal ack). all bits are currently set to 0.
use this bitmap to set the ACK policy of the QoS control field of
outgoing QoS frames.


# 1.51 01-Sep-2008 damien

rework previously unused ieee80211_pwrsave() function, call it from
ieee80211_mgmt_output() and ieee80211_encap().
use new IEEE80211_C_APPMGT capability flag where appropriate.
rename ic_tim_mcast to ic_tim_mcast_pending.


# 1.50 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.49 29-Aug-2008 damien

garbage collect unused capabilities and configurations flags.
add two capabilities flags: IEEE80211_C_HT for HT STAs (802.11n)
and IEEE80211_C_APPMGT which indicates the capability for an AP
to buffer unicast and multicast traffic for STAs in PS mode.
all drivers claiming HostAP support should support that but the
truth is that none of them do.
most of them are still at the 802.11b-only era and do not update
dynamic parts of beacons or process frames from ic_pwrsaveq.


# 1.48 27-Aug-2008 damien

move definitions of channels attributes away from ieee80211.h such
that ieee80211.h contains only definitions that are part of the
802.11 standard and not constants used internally by net80211.
because channels attributes are exported to userland through the
radiotap BPF interface, add the definitions to ieee80211_radiotap.h
too (which must be kept in sync with what is used in net80211).
also, do not export combinations of channel attributes to userland
so that no one gets stupid ideas.


# 1.47 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.46 12-Aug-2008 damien

nuke unused fields.


# 1.45 12-Aug-2008 damien

add IEEE80211_F_MFPR config flags (management frame protection required)
and IEEE80211_C_MFP capability bit (driver supports MFP).


# 1.44 12-Aug-2008 damien

extend the ic_nw_keys[] array to 6 elements.
indices 0-3 will be used for group data keys while indices 4-5 will
be used for integrity group keys.
add a ic_rsngroupmgmtcipher field too.


# 1.43 12-Aug-2008 damien

Change the way we process EAPOL-Key frames.
Free the mbuf in the ieee80211_eapol_key_input() function.
Do not assume the frame is contiguous, call m_pullup2() if it is not.
We need the frame to be contiguous to process KDEs efficiently in
EAPOL-Key frames (just like we process IEs in management frames).
However, there are drivers like upgt(4) that use m_devget() in the
RX path. m_devget() can return fragmented mbuf chains.
Notice that we should do the same m_pullup2() for management frames.
This will be done later.
Remove the ic_recv_eapol callback.


Revision tags: OPENBSD_4_4_BASE
# 1.42 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.41 27-Jul-2008 damien

sanitize RX path a bit.
make sure drivers pass a contiguous header, check header length earlier.
fix checking of frames sequence number for frames containing an Address 4
field (required for future work).
fix processing of control frames (only pspoll for now).


# 1.40 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.39 21-Jul-2008 damien

instead of passing rx tstamp and rssi to the ieee80211_input function,
pass a pointer to an ieee80211_rxinfo structure containing those two
fields plus an extra flags field that indicates whether the frame was
decrypted by hardware or not.
required for a future fix.


# 1.38 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.37 17-Nov-2007 damien

make it clear in the code and in the man page that the rate2plcp and
plcp2rate functions use plcp codes in most-significant-bit-first format
(R4-R1).
some drivers like wpi(4) and iwn(4) want plcp codes in lsb-first format
so they can't use those functions.
also the IEEE standard uses R1-R4 notation so this can be a bit confusing
for those referring to it.

use u_int8_t for plcp code and rate instead of int.


# 1.36 14-Nov-2007 mglocker

Add ieee80211_rate2plcp() and ieee80211_plcp2rate() functions, which
convert the PLCP header signal field to a rate value and vice versa.

This implementation has been discussed with Damien and doesn't change
any existing net80211 structures.

ok damien@


# 1.35 03-Nov-2007 mglocker

Revert last commit which added ieee80211_rate2plcp() and
ieee80211_plcp2rate() because I've got a late feedback from Damien that
he dislikes the implementation method a lot.


# 1.34 01-Nov-2007 mglocker

Add ieee80211_rate2plcp() and ieee80211_plcp2rate() functions.

Help and OK reyk@


# 1.33 22-Aug-2007 damien

- add k_rxmic and k_txmic fields to struct ieee80211_key to store the
Tx/Rx MIC for TKIP.
- add two functions to map a PTK and a GTK to an IEEE 802.11 key and
use them in ieee80211_input.c instead of duplicating the same code.
properly set Tx/Rx MIC in the IEEE 802.11 key in the case of TKIP.
- add ic_psk to struct ieee80211com to store the pre-shared key.
- fix setting of the SECURE bit in outgoing EAPOL-Key frames.
- when receiving msg 2 of the 4-way handshake, deauthenticate the
station if the RSN IE does not match that of the (Re)Association
request.
- before parsing an RSN or WPA IE, check that there's enough room for
the version field (2 bytes) which is mandatory.
- various tweaks while i'm here.


Revision tags: OPENBSD_4_2_BASE
# 1.32 28-Jul-2007 damien

add callbacks that drivers must implement to install/reset keys.
add a 64-bit replay counter for sending EAPOL-Key request frames.
add a ic_recv_eapol callback to process EAPOL frames.
drivers can redefine this callback but net80211 will implement it.


# 1.31 24-Jul-2007 damien

add ic_globalcnt to struct ieee80211com:
in an RSNA, each STA must maintain a 256-bit global key counter that
must be initialized to a random value (see 8.5.7).


# 1.30 18-Jul-2007 damien

replace the ieee80211_wepkey structure with a more generic ieee80211_key
one that can be used with other ciphers than WEP.


# 1.29 05-Jul-2007 damien

split ieee80211_add_rsn() so that the code can be reused for
vendor-specific IE.


# 1.28 04-Jul-2007 damien

add RSN flags for ic_caps and ic_flags.


# 1.27 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.26 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.25 21-Jun-2007 damien

add (currently unused) code to parse RSN IEs.


# 1.24 21-Jun-2007 damien

add fields for EDCA.


# 1.23 17-Jun-2007 damien

Add a new capability flag IEEE80211_C_QOS indicating that the driver
supports QoS.
Add a new flag IEEE80211_F_QOS indicating whether QoS is enabled or not.
Add a callback to notify drivers that AC parameters have changed in
the QBSS. Drivers implementing QoS should define this callback and
update their EDCA settings accordingly.


# 1.22 16-Jun-2007 damien

constify


# 1.21 11-Jun-2007 damien

adds 802.11e EDCA tables for QAPs and non-AP QSTAs.
not used yet.

ok jsg@ deraadt@


# 1.20 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.19 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 19-Oct-2006 tom

s/Mhz/MHz/ in comments and printf() strings

ok jsg@


Revision tags: OPENBSD_4_0_BASE
# 1.16 27-Jun-2006 reyk

add the net80211 hostap options "nwflag hidenwid" for hidden SSID mode
and "nwflag nobridge" to prevent inter-station communications.
"hidenwid" will also work with wi(4) to replace the old -E 3 option of
wicontrol.

ok damien@ jmc@


# 1.15 24-Jun-2006 deraadt

ieee80211_cfgget() and ieee80211_cfgset() are dead; ok jsg


# 1.14 23-Jun-2006 reyk

add an optional max_rssi attribute to the ieee80211com structure and
allow to export the RSSI Max value with ioctls and by radiotap
headers.

ok damien@ jsg@

description:

we currently use "dB" as an indication for the signal strength in
ifconfig and in the radiotap headers. it means "decibel difference
from an arbitrary, fixed reference". this is quite confusing, because
different chipsets have different references for the dB/rssi values.

we can use the plain RSSI which is described in IEEE 802.11: "The
receive signal strength indicator (RSSI) is an optional parameter that
has a value of 0 through RSSI Max.". all wireless chipsets have
something like a RSSI (normally as a Rx descriptor field), but the
value for RSSI Max is chipset-specific.

if we know the RSSI Max, we can calculate a percentage which is much
easier to understand for the user. we even don't have to use the
absolute RSSI Max, we can use an average RSSI Max, figured out by
monitoring and tuning the RSSI Max of the drivers. if the user gets a
signal of 110%, it would mean "better than the average Max signal".

there's no need to do any RSSI calculations in the kernel, it just
passes the relative rssi and max_rssi values to userspace. this is
done in the ieee80211_nodereq ioctl structure and possible with a new
radiotap header. the radiotap RSSI header allows to get a flexible but
common signal indicator instead of the complex and unrelated dB/dBm
signal fields. it must include two 8bit values current rssi and RSSI
max.


# 1.13 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.12 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.11 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.10 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.9 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.8 13-May-2005 jsg

do { } while (0) wrappers on debug printf macros. ok reyk@


# 1.7 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.6 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.5 15-Feb-2005 reyk

add the manual tx power option. this is supported by some prism2/2.5/3
cards in hostap mode but it depends on the firmware version. support
for other wireless chipsets will be added in the future using the
net80211-framework.

ok robert@ bob@ danh@, tested by some others


# 1.4 25-Dec-2004 deraadt

in real C, there is no , after the last enum entry; ok reyk


# 1.3 06-Dec-2004 dlg

add a flag that lets a wireless card indicate it can receive probe responses
or beacons on any channel during a scan.

ok damien@ "come on" deraadt@


# 1.2 02-Nov-2004 reyk

some changes merged in from netbsd. ieee80211_regdomain.# will be used
by sdr (software defined radios).

ok deraadt@ millert@ damien@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.97 29-Jul-2019 stsp

Add support for 802.11n Tx aggregation to net80211 and the iwn(4) driver.

In particular, add Tx block ack session management to net80211, with
enough funcionality to support Tx aggregation on devices which perform
A-MPDU subframe scheduling in firmware.
Make use of the iwn(4) firmware Tx scheduler to build A-MPDUs.

net80211's QoS support code is now enabled and used by Tx aggregation.

A-MSDU frames inside A-MPDUs have been tested and work in principle.
For now, this feature is disabled because unfair TCP connection sharing
was observed during testing, where bursts of TCP Ack frames for a single
tcpbench(1) connection arriving in A-MSDUs made other TCP connections stall.
Switch off support for A-MSDUs inside A-MPDUs on the Rx side as well.

Tested on iwn chipsets 1000, 4965, 5100, 5300, 2200, 6200, 6205, 6300
(committed version of tested diff has all debug printfs removed)
tests/ok benno kmos mlarkin kevlo


# 1.96 12-May-2019 stsp

Fix 'ifconfig nwflags; These flags ended up overlapping with other flags
in ieee80211com's ic_flags because we haven't been paying attention to
them (they're not in the same place in the code and hence easy to miss).
Move them to a dedicated variable to avoid this problem in the future.

Add a new 'stayauth' nwflag which can be set to let net80211 ignore
deauth frames. This can be useful when deauth frames are being
persistently spoofed by an attacker. Idea from beck@

ok beck@ phessler@


Revision tags: OPENBSD_6_5_BASE
# 1.95 01-Mar-2019 stsp

Improve handling of HT protection for 'mode 11n' hostap.

Consider the mere presence of HTCAP IEs as indicator of 11n support,
rather than checking advertised Rx MCS. Fixes some devices being
misclassified as 11a/g, causing HT protection to be enabled even
though it is not needed.

Use CTS-to-self frames for HT protection instead of RTS/CTS.

These changes make my athn(4) AR9280 hostap perform much better.

ok phessler@


# 1.94 19-Feb-2019 stsp

Make ifconfig(8) display whether bwfm(4) firmware is using 802.11ac.
ok patrick@ mpi@


# 1.93 18-Jan-2019 phessler

add a len field when we delete an essid from the joinlist. this will have
us properly match, instead of hoping we got lucky when selecting it.

OK stsp@


# 1.92 27-Oct-2018 phessler

pass around the ess and ni structures we plan to use directly, instead
of rediscovering them (possibly badly).

OK stsp@


Revision tags: OPENBSD_6_4_BASE
# 1.91 11-Sep-2018 krw

Nuke unused LIST() ieee80211com_head.

ok stsp@


# 1.90 10-Sep-2018 phessler

give set_ess a len variable, so we can correctly match the essid we want
to switch to.

pointed out by stsp@


# 1.89 09-Sep-2018 phessler

convert the things we save in 'join' into a single ioctl. mixing related
settings over multiple calls was risky and racy. Pass essid, wpa, and wep
paramaters in a single ioctl and process it atomically.

no change for 'nwid' users

OK stsp@ benno@


# 1.88 01-Sep-2018 stsp

Make 'ifconfig nwid' override 'ifconfig join'.

There was no way to override a decision made by join's network
selection algorithm (apart from disabling the feature by clearing
the join list). Automatic selection is based on heuristics which
cannot always guess correctly so we need to provide an override.

One specific problem was that if 'nwid foo' and 'nwid bar' were
both visible in the scan and only 'nwid foo' was a member of the
join list, then there was no way at all to connect to 'nwid bar'.
The wireless stack would keep selecting 'nwid foo' instead.

'ifconfig iwm0 nwid bar' command will now disable automatic
network selection and force the use of ESSID 'bar'.
Any of these commands will re-enable automatic network selection:
ifconfig iwm0 -nwid
ifconfig iwm0 nwid ''
ifconfig iwm0 join some-network-id

ok phessler@ deraadt@


# 1.87 06-Aug-2018 stsp

Refactor ieee80211_add_ess():

Drop ieee80211_add_ess's nwid parameter. Read nwid and length directly
from the ic to make it more obvious where this function is reading from.

nwids are binary data with an explicit length, so treat them as such
instead of treating them like strings.

ok florian phessler
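
The length-aware ESSID matching that revisions 1.93, 1.90 and 1.87 describe, as an added example that is not OpenBSD's code. `struct nwid`, `nwid_set()`, the two match functions and `essid_compare()` are hypothetical names, and the sample ESSIDs are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NWID_MAX 32	/* an 802.11 SSID holds at most 32 octets */

/* Hypothetical container: raw ESSID octets plus their explicit length. */
struct nwid {
	unsigned char	data[NWID_MAX];
	size_t		len;
};

/* Store an ESSID; reject anything longer than the field allows. */
static int
nwid_set(struct nwid *n, const void *bytes, size_t len)
{
	if (len > NWID_MAX)
		return -1;
	memset(n, 0, sizeof(*n));
	memcpy(n->data, bytes, len);
	n->len = len;
	return 0;
}

/* String-style comparison: stops at the first NUL octet and ignores len. */
static int
nwid_match_string(const struct nwid *a, const struct nwid *b)
{
	return strncmp((const char *)a->data, (const char *)b->data,
	    NWID_MAX) == 0;
}

/* Length-aware comparison: the length and every octet must agree. */
static int
nwid_match_exact(const struct nwid *a, const struct nwid *b)
{
	return a->len == b->len && memcmp(a->data, b->data, a->len) == 0;
}

/*
 * Compare a configured ESSID with one seen in a scan.
 * Returns 1 on match, 0 on mismatch, -1 if either length is invalid.
 */
static int
essid_compare(const void *want, size_t wantlen, const void *seen,
    size_t seenlen, int exact)
{
	struct nwid a, b;

	if (nwid_set(&a, want, wantlen) == -1 ||
	    nwid_set(&b, seen, seenlen) == -1)
		return -1;
	return exact ? nwid_match_exact(&a, &b) : nwid_match_string(&a, &b);
}

int
main(void)
{
	/* Constructed sample: a 9-octet ESSID with an embedded NUL. */
	static const char seen[] = "cafe\0evil";

	printf("string compare: %d\n", essid_compare("cafe", 4, seen, 9, 0));
	printf("exact compare:  %d\n", essid_compare("cafe", 4, seen, 9, 1));
	return 0;
}
```

The string comparison treats the 9-octet ESSID as equal to the 4-octet "cafe" because it stops at the embedded NUL; the length-aware comparison keeps the two networks apart.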


# 1.86 11-Jul-2018 phessler

Introduce 'auto-join' to the wifi 802.11 stack.

This allows a system to remember which ESSIDs it wants to connect to, any
relevant security configuration, and switch to it when the network we are
currently connected to is no longer available.

Works when connecting and switching between WPA2/WPA1/WEP/clear encryptions.

example hostname.if:
join home wpakey password
join work wpakey mekmitasdigoat
join open-lounge
join cafe wpakey cafe2018
join "wepnetwork" nwkey "12345"
dhcp
inet6 autoconf
up

OK stsp@ reyk@
and enthusiasm from every hackroom I've been in for the last 3 years


# 1.85 26-Apr-2018 pirofti

net80211: stub SIOCS80211SCAN, make ifconfig scan instant.

The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stsp@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.

The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.

In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.

The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...

Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.

Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).

Tested by mpi@, landry@, florian@, thanks!
OK mpi@.


Revision tags: OPENBSD_6_3_BASE
# 1.84 05-Feb-2018 stsp

Add a new function hook to struct ieee80211com which wireless drivers
can use to process, and then acknowledge or reject, incoming AUTH
requests in hostap mode.

net80211 accepts an AUTH request from any STA which fits into the node
cache. This behaviour doesn't work for devices which have a lower limit
on concurrent STAs they can serve, so such drivers need an override.

This will be used by our athn(4) USB driver soon.

ok kevlo@


# 1.83 12-Dec-2017 stsp

Make IEEE80211_CHAN_ANYC be a NULL pointer instead of a pointer to 0xffff.
Should speed up debugging.
ok phessler patrick


# 1.82 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


# 1.81 06-Nov-2017 phessler

move a function declaration, so the whole net80211 stack can disable wep or wpa

OK stsp@


# 1.80 29-Oct-2017 mpi

Kill unused members using forward declaration only types.

Found with ctfconv(1). ok jsg@, guenther@


Revision tags: OPENBSD_6_2_BASE
# 1.79 31-May-2017 stsp

The net80211 stack was providing a 'beacon miss timeout' value (in ms)
which specified how much time may elapse without beacons before drivers
begin searching for a new AP.

Drivers convert this timeout value into the amount of beacons they're allowed
to miss. Having the stack provide this number upfront simplifies things.

ok mpi@


# 1.78 30-May-2017 stsp

Introduce ieee80211_min_basic_rate() and ieee80211_max_basic_rate().

These helpers can be used by drivers to improve compatibility with APs
that disable some mandatory PHY rates in the basic rate set.

For instance, many of our drivers hard-code 11b rates on 2 GHz and run
into problems when APs disable them. Since 11b rates are being disabled
by default by some vendors, hardcoding them is not a good idea anymore.

ok mpi@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.77 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.76 30-Jan-2017 stsp

Enable ieee80211_edca_table, which was under #if 0. This table can be used
by drivers to pass default EDCA parameters to firmware instead of passing
local hardcoded values.
ok millert@


# 1.75 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.74 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.73 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@


Revision tags: OPENBSD_6_0_BASE
# 1.72 21-May-2016 stsp

Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.71 25-Jan-2016 stsp

Keep track of HT protection settings in beacons and have 11n-capable
drivers update hardware configuration accordingly.
tested by myself, tb@, deraadt@, abieber@
ok mpi@


# 1.70 12-Jan-2016 stsp

Remove wireless turbo mode support. It is a non-standard extension
which only worked with ath(4) devices from a decade ago.
Diff tested on ath(4) hardware by me to verify that 11a/b modes still work.
ok reyk deraadt chris sthen kettenis


# 1.69 06-Jan-2016 stsp

Initialize the A-MPDU parameters field in HT capability elements.
ok kettenis@


# 1.68 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.67 15-Nov-2015 stsp

Expose 11n mode to the ifmedia layer and introduce the concept of MCS.
Make sure 11n features are enabled only if media type is autoselect or 11n.

11n mode uses MCS (modulation & coding scheme) instead of rates like 11a/b/g.
This means we'll have to take the current mode into account and decide whether
to use a rate or an MCS for transmission. Receiving frames on legacy rates
will still work in 11n mode. We just won't be using legacy rates to send
data frames to an STA or AP we negotiated 11n features with.

My initial plan was to grow the ieee80211_rateset structure and treat MCS
just like rates. However, ieee80211_rateset corresponds to rates and xrates
elements in management frames and is copied directly into such elements
so its size cannot change. Thus, MCS stands on its own and corresponds to
elements in management frames related to 11n HT capabilities.

ok deraadt mpi phessler kettenis guenther


# 1.66 15-Nov-2015 stsp

Declare 802.11n mode and channel flags. Tweak 11n related fields in struct
ieee80211com and move them inside #ifndef IEEE80211_NO_HT without breaking
the build in rsu(4) for RAMDISK_CD.
Also declare 11n protection modes and MCS count.
ok deraadt mpi kettenis guenther


# 1.65 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


# 1.64 27-Sep-2015 stsp

Add ieee80211_channel_init(), factored out from ieee80211_ifattach().
Will be used by iwm(4) soon.
ok kettenis@


# 1.63 11-Sep-2015 stsp

Make room for media types of the future. Extend the ifmedia word to 64 bits.
This changes numbers of the SIOCSIFMEDIA and SIOCGIFMEDIA ioctls and
grows struct ifmediareq.

Old ifconfig and dhclient binaries can still assign addresses, however
the 'media' subcommand stops working. Recompiling ifconfig and dhclient
with new headers before a reboot should not be necessary unless in very
special circumstances where non-default media settings must be used to
get link and console access is not available.

There may be some MD fallout but that will be cleared up later.

ok deraadt miod
with help and suggestions from several sharks attending l2k15


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE OPENBSD_5_6_BASE OPENBSD_5_7_BASE OPENBSD_5_8_BASE
# 1.62 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE
# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.60 19-May-2009 damien

prevent injection of raw 802.11 control frames through bpf on drivers
that do not explicitly state this capability (using flag IEEE80211_C_RAWCTL).
also, perform all the sanity checks on injected raw 802.11 frames earlier
(in ieee80211_output instead of ieee80211_encap).

prevent kernel panics with many drivers when running aircrack-ng.
when/if all drivers are capable, we can remove this C_RAWCTL flag.


# 1.59 26-Mar-2009 damien

move #define IEEE80211_NO_HT under #ifdef SMALL_KERNEL instead
of defining it unconditionally.
although the HT code is not ready yet, making it compile on
GENERIC kernels will help catch regressions/bugs if any.


Revision tags: OPENBSD_4_5_BASE
# 1.58 08-Feb-2009 damien

initial 802.11 defragmentation bits.
the code will allow the concurrent reception of fragments of three
fragmented MSDUs or MMPDUs as required by the 802.11 standard.


# 1.57 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.56 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.55 13-Nov-2008 djm

use different TSCs when sending the two MIC failure report frames
to our AP as we enter TKIP countermeasures by caching the TSC of
the last frame to fail the MIC; prompted by and ok damien@


# 1.54 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.53 08-Sep-2008 jsg

define IEEE80211_STA_ONLY if SMALL_KERNEL is defined to shrink
the size of install media.

ok damien@ deraadt@


# 1.52 01-Sep-2008 damien

add ic_tid_noack bitmap to indicate a per-TID ACK policy (1=no ack,
0=normal ack). all bits are currently set to 0.
use this bitmap to set the ACK policy of the QoS control field of
outgoing QoS frames.


# 1.51 01-Sep-2008 damien

rework previously unused ieee80211_pwrsave() function, call it from
ieee80211_mgmt_output() and ieee80211_encap().
use new IEEE80211_C_APPMGT capability flag where appropriate.
rename ic_tim_mcast to ic_tim_mcast_pending.


# 1.50 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.49 29-Aug-2008 damien

garbage collect unused capabilities and configurations flags.
add two capabilities flags: IEEE80211_C_HT for HT STAs (802.11n)
and IEEE80211_C_APPMGT which indicates the capability for an AP
to buffer unicast and multicast traffic for STAs in PS mode.
all drivers claiming HostAP support should support that but the
truth is that none of them do.
most of them are still at the 802.11b-only era and do not update
dynamic parts of beacons or process frames from ic_pwrsaveq.


# 1.48 27-Aug-2008 damien

move definitions of channels attributes away from ieee80211.h such
that ieee80211.h contains only definitions that are part of the
802.11 standard and not constants used internally by net80211.
because channels attributes are exported to userland through the
radiotap BPF interface, add the definitions to ieee80211_radiotap.h
too (which must be kept in sync with what is used in net80211).
also, do not export combinations of channel attributes to userland
so that no one gets stupid ideas.


# 1.47 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.46 12-Aug-2008 damien

nuke unused fields.


# 1.45 12-Aug-2008 damien

add IEEE80211_F_MFPR config flags (management frame protection required)
and IEEE80211_C_MFP capability bit (driver supports MFP).


# 1.44 12-Aug-2008 damien

extend the ic_nw_keys[] array to 6 elements.
indices 0-3 will be used for group data keys while indices 4-5 will
be used for integrity group keys.
add a ic_rsngroupmgmtcipher field too.


# 1.43 12-Aug-2008 damien

Change the way we process EAPOL-Key frames.
Free the mbuf in the ieee80211_eapol_key_input() function.
Do not assume the frame is contiguous, call m_pullup2() if it is not.
We need the frame to be contiguous to process KDEs efficiently in
EAPOL-Key frames (just like we process IEs in management frames).
However, there are drivers like upgt(4) that use m_devget() in the
RX path. m_devget() can return fragmented mbuf chains.
Notice that we should do the same m_pullup2() for management frames.
This will be done later.
Remove the ic_recv_eapol callback.


Revision tags: OPENBSD_4_4_BASE
# 1.42 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.41 27-Jul-2008 damien

sanitize RX path a bit.
make sure drivers pass a contiguous header, check header length earlier.
fix checking of frames sequence number for frames containing an Address 4
field (required for future work).
fix processing of control frames (only pspoll for now).


# 1.40 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.39 21-Jul-2008 damien

instead of passing rx tstamp and rssi to the ieee80211_input function,
pass a pointer to an ieee80211_rxinfo structure containing those two
fields plus an extra flags field that indicates whether the frame was
decrypted by hardware or not.
required for a future fix.


# 1.38 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.37 17-Nov-2007 damien

make it clear in the code and in the man page that the rate2plcp and
plcp2rate functions use plcp codes in most-significant-bit-first format
(R4-R1).
some drivers like wpi(4) and iwn(4) want plcp codes in lsb-first format
so they can't use those functions.
also the IEEE standard uses R1-R4 notation so this can be a bit confusing
for those referring to it.

use u_int8_t for plcp code and rate instead of int.


# 1.36 14-Nov-2007 mglocker

Add ieee80211_rate2plcp() and ieee80211_plcp2rate() functions, which
convert the PLCP header signal field to a rate value and vice versa.

This implementation has been discussed with Damien and doesn't change
any existing net80211 structures.

ok damien@


# 1.35 03-Nov-2007 mglocker

Revert last commit which added ieee80211_rate2plcp() and
ieee80211_plcp2rate() because I've got a late feedback from Damien that
he dislikes the implementation method a lot.


# 1.34 01-Nov-2007 mglocker

Add ieee80211_rate2plcp() and ieee80211_plcp2rate() functions.

Help and OK reyk@


# 1.33 22-Aug-2007 damien

- add k_rxmic and k_txmic fields to struct ieee80211_key to store the
Tx/Rx MIC for TKIP.
- add two functions to map a PTK and a GTK to an IEEE 802.11 key and
use them in ieee80211_input.c instead of duplicating the same code.
properly set Tx/Rx MIC in the IEEE 802.11 key in the case of TKIP.
- add ic_psk to struct ieee80211com to store the pre-shared key.
- fix setting of the SECURE bit in outgoing EAPOL-Key frames.
- when receiving msg 2 of the 4-way handshake, deauthenticate the
station if the RSN IE does not match that of the (Re)Association
request.
- before parsing an RSN or WPA IE, check that there's enough room for
the version field (2 bytes) which is mandatory.
- various tweaks while i'm here.
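
The check named in revision 1.33, making sure an RSN IE has room for the mandatory 2-byte version field before reading it, shown as an added example that is not OpenBSD's code. `rsn_find_version()`, the result codes and the sample buffers are hypothetical and constructed; the element ID 48 and the little-endian version field follow the RSN element layout in IEEE 802.11.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ELEMID_RSN	48	/* RSN element ID */
#define RSN_VERSION_LEN	2	/* mandatory little-endian version field */

enum rsn_result {
	RSN_OK = 0,
	RSN_NOT_FOUND = -1,	/* no RSN element in the buffer */
	RSN_TRUNCATED_IE = -2,	/* element header or body runs past buffer */
	RSN_NO_VERSION = -3	/* RSN element too short for the version */
};

/*
 * Walk the information elements in buf[0..buflen) and return the version
 * of the first RSN element. Every read is preceded by a length check.
 */
static int
rsn_find_version(const uint8_t *buf, size_t buflen, uint16_t *version)
{
	size_t off = 0;

	while (off < buflen) {
		uint8_t id, len;

		if (buflen - off < 2)		/* room for ID and length? */
			return RSN_TRUNCATED_IE;
		id = buf[off];
		len = buf[off + 1];
		if (len > buflen - off - 2)	/* body inside the buffer? */
			return RSN_TRUNCATED_IE;
		if (id == ELEMID_RSN) {
			if (len < RSN_VERSION_LEN)
				return RSN_NO_VERSION;
			*version = (uint16_t)(buf[off + 2] |
			    (buf[off + 3] << 8));
			return RSN_OK;
		}
		off += 2 + (size_t)len;
	}
	return RSN_NOT_FOUND;
}

/* Constructed samples: SSID element "home" followed by an RSN element. */
static const uint8_t ie_good[] = {
	0x00, 0x04, 'h', 'o', 'm', 'e', 0x30, 0x02, 0x01, 0x00
};
/* RSN element whose body is a single octet: no room for the version. */
static const uint8_t ie_short[] = { 0x30, 0x01, 0x01 };
/* RSN element claiming 20 octets while only 2 are present. */
static const uint8_t ie_trunc[] = { 0x30, 0x14, 0x01, 0x00 };
/* Buffer without any RSN element. */
static const uint8_t ie_none[] = { 0x00, 0x04, 'h', 'o', 'm', 'e' };

int
main(void)
{
	uint16_t v = 0;

	printf("good:  %d\n", rsn_find_version(ie_good, sizeof(ie_good), &v));
	printf("short: %d\n", rsn_find_version(ie_short, sizeof(ie_short), &v));
	printf("trunc: %d\n", rsn_find_version(ie_trunc, sizeof(ie_trunc), &v));
	return 0;
}
```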


Revision tags: OPENBSD_4_2_BASE
# 1.32 28-Jul-2007 damien

add callbacks that drivers must implement to install/reset keys.
add a 64-bit replay counter for sending EAPOL-Key request frames.
add a ic_recv_eapol callback to process EAPOL frames.
drivers can redefine this callback but net80211 will implement it.


# 1.31 24-Jul-2007 damien

add ic_globalcnt to struct ieee80211com:
in an RSNA, each STA must maintain a 256-bit global key counter that
must be initialized to a random value (see 8.5.7).


# 1.30 18-Jul-2007 damien

replace the ieee80211_wepkey structure with a more generic ieee80211_key
one that can be used with other ciphers than WEP.


# 1.29 05-Jul-2007 damien

split ieee80211_add_rsn() so that the code can be reused for
vendor-specific IE.


# 1.28 04-Jul-2007 damien

add RSN flags for ic_caps and ic_flags.


# 1.27 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.26 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.25 21-Jun-2007 damien

add (currently unused) code to parse RSN IEs.


# 1.24 21-Jun-2007 damien

add fields for EDCA.


# 1.23 17-Jun-2007 damien

Add a new capability flag IEEE80211_C_QOS indicating that the driver
supports QoS.
Add a new flag IEEE80211_F_QOS indicating whether QoS is enabled or not.
Add a callback to notify drivers that AC parameters have changed in
the QBSS. Drivers implementing QoS should define this callback and
update their EDCA settings accordingly.


# 1.22 16-Jun-2007 damien

constify


# 1.21 11-Jun-2007 damien

adds 802.11e EDCA tables for QAPs and non-AP QSTAs.
not used yet.

ok jsg@ deraadt@


# 1.20 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.19 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 19-Oct-2006 tom

s/Mhz/MHz/ in comments and printf() strings

ok jsg@


Revision tags: OPENBSD_4_0_BASE
# 1.16 27-Jun-2006 reyk

add the net80211 hostap options "nwflag hidenwid" for hidden SSID mode
and "nwflag nobridge" to prevent inter-station communications.
"hidenwid" will also work with wi(4) to replace the old -E 3 option of
wicontrol.

ok damien@ jmc@


# 1.15 24-Jun-2006 deraadt

ieee80211_cfgget() and ieee80211_cfgset() are dead; ok jsg


# 1.14 23-Jun-2006 reyk

add an optional max_rssi attribute to the ieee80211com structure and
allow to export the RSSI Max value with ioctls and by radiotap
headers.

ok damien@ jsg@

description:

we currently use "dB" as an indication for the signal strength in
ifconfig and in the radiotap headers. it means "decibel difference
from an arbitrary, fixed reference". this is quite confusing, because
different chipsets have different references for the dB/rssi values.

we can use the plain RSSI which is described in IEEE 802.11: "The
receive signal strength indicator (RSSI) is an optional parameter that
has a value of 0 through RSSI Max.". all wireless chipsets have
something like a RSSI (normally as a Rx descriptor field), but the
value for RSSI Max is chipset-specific.

if we know the RSSI Max, we can calculate a percentage which is much
easier to understand for the user. we even don't have to use the
absolute RSSI Max, we can use an average RSSI Max, figured out by
monitoring and tuning the RSSI Max of the drivers. if the user gets a
signal of 110%, it would mean "better than the average Max signal".

there's no need to do any RSSI calculations in the kernel, it just
passes the relative rssi and max_rssi values to userspace. this is
done in the ieee80211_nodereq ioctl structure and possible with a new
radiotap header. the radiotap RSSI header allows to get a flexible but
common signal indicator instead of the complex and unrelated dB/dBm
signal fields. it must include two 8bit values current rssi and RSSI
max.


# 1.13 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.12 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.11 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.10 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.9 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.8 13-May-2005 jsg

do { } while (0) wrappers on debug printf macros. ok reyk@


# 1.7 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.6 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.5 15-Feb-2005 reyk

add the manual tx power option. this is supported by some prism2/2.5/3
cards in hostap mode but it depends on the firmware version. support
for other wireless chipsets will be added in the future using the
net80211-framework.

ok robert@ bob@ danh@, tested by some others


# 1.4 25-Dec-2004 deraadt

in real C, there is no , after the last enum entry; ok reyk


# 1.3 06-Dec-2004 dlg

add a flag that lets a wireless card indicate it can receive probe responses
or beacons on any channel during a scan.

ok damien@ "come on" deraadt@


# 1.2 02-Nov-2004 reyk

some changes merged in from netbsd. ieee80211_regdomain.# will be used
by sdr (software defined radios).

ok deraadt@ millert@ damien@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.96 12-May-2019 stsp

Fix 'ifconfig nwflags; These flags ended up overlapping with other flags
in ieee80211com's ic_flags because we haven't been paying attention to
them (they're not in the same place in the code and hence easy to miss).
Move them to a dedicated variable to avoid this problem in the future.

Add a new 'stayauth' nwflag which can be set to let net80211 ignore
deauth frames. This can be useful when deauth frames are being
persistently spoofed by an attacker. Idea from beck@

ok beck@ phessler@


Revision tags: OPENBSD_6_5_BASE
# 1.95 01-Mar-2019 stsp

Improve handling of HT protection for 'mode 11n' hostap.

Consider the mere presence of HTCAP IEs as indicator of 11n support,
rather than checking advertised Rx MCS. Fixes some devices being
misclassified as 11a/g, causing HT protection to be enabled even
though it is not needed.

Use CTS-to-self frames for HT protection instead of RTS/CTS.

These changes make my athn(4) AR9280 hostap perform much better.

ok phessler@


# 1.94 19-Feb-2019 stsp

Make ifconfig(8) display whether bwfm(4) firmware is using 802.11ac.
ok patrick@ mpi@


# 1.93 18-Jan-2019 phessler

add a len field when we delete an essid from the joinlist. this will have
us properly match, instead of hoping we got lucky when selecting it.

OK stsp@


# 1.92 27-Oct-2018 phessler

pass around the ess and ni structures we plan to use directly, instead
of rediscovering them (possibly badly).

OK stsp@


Revision tags: OPENBSD_6_4_BASE
# 1.91 11-Sep-2018 krw

Nuke unused LIST() ieee80211com_head.

ok stsp@


# 1.90 10-Sep-2018 phessler

give set_ess a len variable, so we can correctly match the essid we want
to switch to.

pointed out by stsp@


# 1.89 09-Sep-2018 phessler

convert the things we save in 'join' into a single ioctl. mixing related
settings over multiple calls was risky and racy. Pass essid, wpa, and wep
parameters in a single ioctl and process it atomically.

no change for 'nwid' users

OK stsp@ benno@


# 1.88 01-Sep-2018 stsp

Make 'ifconfig nwid' override 'ifconfig join'.

There was no way to override a decision made by join's network
selection algorithm (apart from disabling the feature by clearing
the join list). Automatic selection is based on heuristics which
cannot always guess correctly so we need to provide an override.

One specific problem was that if 'nwid foo' and 'nwid bar' were
both visible in the scan and only 'nwid foo' was a member of the
join list, then there was no way at all to connect to 'nwid bar'.
The wireless stack would keep selecting 'nwid foo' instead.

'ifconfig iwm0 nwid bar' command will now disable automatic
network selection and force the use of ESSID 'bar'.
Any of these commands will re-enable automatic network selection:
ifconfig iwm0 -nwid
ifconfig iwm0 nwid ''
ifconfig iwm0 join some-network-id

ok phessler@ deraadt@


# 1.87 06-Aug-2018 stsp

Refactor ieee80211_add_ess():

Drop ieee80211_add_ess's nwid parameter. Read nwid and length directly
from the ic to make it more obvious where this function is reading from.

nwids are binary data with an explicit length, so treat them as such
instead of treating them like strings.

ok florian phessler


# 1.86 11-Jul-2018 phessler

Introduce 'auto-join' to the wifi 802.11 stack.

This allows a system to remember which ESSIDs it wants to connect to, any
relevant security configuration, and switch to it when the network we are
currently connected to is no longer available.

Works when connecting and switching between WPA2/WPA1/WEP/clear encryptions.

example hostname.if:
join home wpakey password
join work wpakey mekmitasdigoat
join open-lounge
join cafe wpakey cafe2018
join "wepnetwork" nwkey "12345"
dhcp
inet6 autoconf
up

OK stsp@ reyk@
and enthusiasm from every hackroom I've been in for the last 3 years


# 1.85 26-Apr-2018 pirofti

net80211: stub SIOCS80211SCAN, make ifconfig scan instant.

The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stsp@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.

The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.

In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.

The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...

Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.

Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).

Tested by mpi@, landry@, florian@, thanks!
OK mpi@.


Revision tags: OPENBSD_6_3_BASE
# 1.84 05-Feb-2018 stsp

Add a new function hook to struct ieee80211com which wireless drivers
can use to process, and then acknowledge or reject, incoming AUTH
requests in hostap mode.

net80211 accepts an AUTH request from any STA which fits into the node
cache. This behaviour doesn't work for devices which have a lower limit
on concurrent STAs they can serve, so such drivers need an override.

This will be used by our athn(4) USB driver soon.

ok kevlo@


# 1.83 12-Dec-2017 stsp

Make IEEE80211_CHAN_ANYC be a NULL pointer instead of a pointer to 0xffff.
Should speed up debugging.
ok phessler patrick


# 1.82 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


# 1.81 06-Nov-2017 phessler

move a function declaration, so the whole net80211 stack can disable wep or wpa

OK stsp@


# 1.80 29-Oct-2017 mpi

Kill unused members using forward declaration only types.

Found with ctfconv(1). ok jsg@, guenther@


Revision tags: OPENBSD_6_2_BASE
# 1.79 31-May-2017 stsp

The net80211 stack was providing a 'beacon miss timeout' value (in ms)
which specified how much time may elapse without beacons before drivers
begin searching for a new AP.

Drivers convert this timeout value into the amount of beacons they're allowed
to miss. Having the stack provide this number upfront simplifies things.

ok mpi@


# 1.78 30-May-2017 stsp

Introduce ieee80211_min_basic_rate() and ieee80211_max_basic_rate().

These helpers can be used by drivers to improve compatibility with APs
that disable some mandatory PHY rates in the basic rate set.

For instance, many of our drivers hard-code 11b rates on 2 GHz and run
into problems when APs disable them. Since 11b rates are being disabled
by default by some vendors, hardcoding them is not a good idea anymore.

ok mpi@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.77 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.76 30-Jan-2017 stsp

Enable ieee80211_edca_table, which was under #if 0. This table can be used
by drivers to pass default EDCA parameters to firmware instead of passing
local hardcoded values.
ok millert@


# 1.75 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.74 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.73 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@


Revision tags: OPENBSD_6_0_BASE
# 1.72 21-May-2016 stsp

Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.71 25-Jan-2016 stsp

Keep track of HT protection settings in beacons and have 11n-capable
drivers update hardware configuration accordingly.
tested by myself, tb@, deraadt@, abieber@
ok mpi@


# 1.70 12-Jan-2016 stsp

Remove wireless turbo mode support. It is a non-standard extension
which only worked with ath(4) devices from a decade ago.
Diff tested on ath(4) hardware by me to verify that 11a/b modes still work.
ok reyk deraadt chris sthen kettenis


# 1.69 06-Jan-2016 stsp

Initialize the A-MPDU parameters field in HT capability elements.
ok kettenis@


# 1.68 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.67 15-Nov-2015 stsp

Expose 11n mode to the ifmedia layer and introduce the concept of MCS.
Make sure 11n features are enabled only if media type is autoselect or 11n.

11n mode uses MCS (modulation & coding scheme) instead of rates like 11a/b/g.
This means we'll have to take the current mode into account and decide whether
to use a rate or an MCS for transmission. Receiving frames on legacy rates
will still work in 11n mode. We just won't be using legacy rates to send
data frames to an STA or AP we negotiated 11n features with.

My initial plan was to grow the ieee80211_rateset structure and treat MCS
just like rates. However, ieee80211_rateset corresponds to rates and xrates
elements in management frames and is copied directly into such elements
so its size cannot change. Thus, MCS stands on its own and corresponds to
elements in management frames related to 11n HT capabilities.

ok deraadt mpi phessler kettenis guenther


# 1.66 15-Nov-2015 stsp

Declare 802.11n mode and channel flags. Tweak 11n related fields in struct
ieee80211com and move them inside #ifndef IEEE80211_NO_HT without breaking
the build in rsu(4) for RAMDISK_CD.
Also declare 11n protection modes and MCS count.
ok deraadt mpi kettenis guenther


# 1.65 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


# 1.64 27-Sep-2015 stsp

Add ieee80211_channel_init(), factored out from ieee80211_ifattach().
Will be used by iwm(4) soon.
ok kettenis@


# 1.63 11-Sep-2015 stsp

Make room for media types of the future. Extend the ifmedia word to 64 bits.
This changes numbers of the SIOCSIFMEDIA and SIOCGIFMEDIA ioctls and
grows struct ifmediareq.

Old ifconfig and dhclient binaries can still assign addresses, however
the 'media' subcommand stops working. Recompiling ifconfig and dhclient
with new headers before a reboot should not be necessary unless in very
special circumstances where non-default media settings must be used to
get link and console access is not available.

There may be some MD fallout but that will be cleared up later.

ok deraadt miod
with help and suggestions from several sharks attending l2k15


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE OPENBSD_5_6_BASE OPENBSD_5_7_BASE OPENBSD_5_8_BASE
# 1.62 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE
# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.60 19-May-2009 damien

prevent injection of raw 802.11 control frames through bpf on drivers
that do not explicitly state this capability (using flag IEEE80211_C_RAWCTL).
also, perform all the sanity checks on injected raw 802.11 frames earlier
(in ieee80211_output instead of ieee80211_encap).

prevent kernel panics with many drivers when running aircrack-ng.
when/if all drivers are capable, we can remove this C_RAWCTL flag.


# 1.59 26-Mar-2009 damien

move #define IEEE80211_NO_HT under #ifdef SMALL_KERNEL instead
of defining it unconditionally.
although the HT code is not ready yet, making it compile on
GENERIC kernels will help catch regressions/bugs if any.


Revision tags: OPENBSD_4_5_BASE
# 1.58 08-Feb-2009 damien

initial 802.11 defragmentation bits.
the code will allow the concurrent reception of fragments of three
fragmented MSDUs or MMPDUs as required by the 802.11 standard.


# 1.57 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.56 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.55 13-Nov-2008 djm

use different TSCs when sending the two MIC failure report frames
to our AP as we enter TKIP countermeasures by caching the TSC of
the last frame to fail the MIC; prompted by and ok damien@


# 1.54 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.53 08-Sep-2008 jsg

define IEEE80211_STA_ONLY if SMALL_KERNEL is defined to shrink
the size of install media.

ok damien@ deraadt@


# 1.52 01-Sep-2008 damien

add ic_tid_noack bitmap to indicate a per-TID ACK policy (1=no ack,
0=normal ack). all bits are currently set to 0.
use this bitmap to set the ACK policy of the QoS control field of
outgoing QoS frames.


# 1.51 01-Sep-2008 damien

rework previously unused ieee80211_pwrsave() function, call it from
ieee80211_mgmt_output() and ieee80211_encap().
use new IEEE80211_C_APPMGT capability flag where appropriate.
rename ic_tim_mcast to ic_tim_mcast_pending.


# 1.50 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.49 29-Aug-2008 damien

garbage collect unused capabilities and configurations flags.
add two capabilities flags: IEEE80211_C_HT for HT STAs (802.11n)
and IEEE80211_C_APPMGT which indicates the capability for an AP
to buffer unicast and multicast traffic for STAs in PS mode.
all drivers claiming HostAP support should support that but the
truth is that none of them do.
most of them are still at the 802.11b-only era and do not update
dynamic parts of beacons or process frames from ic_pwrsaveq.


# 1.48 27-Aug-2008 damien

move definitions of channels attributes away from ieee80211.h such
that ieee80211.h contains only definitions that are part of the
802.11 standard and not constants used internally by net80211.
because channels attributes are exported to userland through the
radiotap BPF interface, add the definitions to ieee80211_radiotap.h
too (which must be kept in sync with what is used in net80211).
also, do not export combinations of channel attributes to userland
so that no one gets stupid ideas.


# 1.47 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.46 12-Aug-2008 damien

nuke unused fields.


# 1.45 12-Aug-2008 damien

add IEEE80211_F_MFPR config flags (management frame protection required)
and IEEE80211_C_MFP capability bit (driver supports MFP).


# 1.44 12-Aug-2008 damien

extend the ic_nw_keys[] array to 6 elements.
indices 0-3 will be used for group data keys while indices 4-5 will
be used for integrity group keys.
add a ic_rsngroupmgmtcipher field too.


# 1.43 12-Aug-2008 damien

Change the way we process EAPOL-Key frames.
Free the mbuf in the ieee80211_eapol_key_input() function.
Do not assume the frame is contiguous, call m_pullup2() if it is not.
We need the frame to be contiguous to process KDEs efficiently in
EAPOL-Key frames (just like we process IEs in management frames).
However, there are drivers like upgt(4) that use m_devget() in the
RX path. m_devget() can return fragmented mbuf chains.
Notice that we should do the same m_pullup2() for management frames.
This will be done later.
Remove the ic_recv_eapol callback.


Revision tags: OPENBSD_4_4_BASE
# 1.42 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.41 27-Jul-2008 damien

sanitize RX path a bit.
make sure drivers pass a contiguous header, check header length earlier.
fix checking of frames sequence number for frames containing an Address 4
field (required for future work).
fix processing of control frames (only pspoll for now).


# 1.40 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.39 21-Jul-2008 damien

instead of passing rx tstamp and rssi to the ieee80211_input function,
pass a pointer to an ieee80211_rxinfo structure containing those two
fields plus an extra flags field that indicates whether the frame was
decrypted by hardware or not.
required for a future fix.


# 1.38 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.37 17-Nov-2007 damien

make it clear in the code and in the man page that the rate2plcp and
plcp2rate functions use plcp codes in most-significant-bit-first format
(R4-R1).
some drivers like wpi(4) and iwn(4) want plcp codes in lsb-first format
so they can't use those functions.
also the IEEE standard uses R1-R4 notation so this can be a bit confusing
for those referring to it.

use u_int8_t for plcp code and rate instead of int.


# 1.36 14-Nov-2007 mglocker

Add ieee80211_rate2plcp() and ieee80211_plcp2rate() functions, which
convert the PLCP header signal field to a rate value and vice versa.

This implementation has been discussed with Damien and doesn't change
any existing net80211 structures.

ok damien@


# 1.35 03-Nov-2007 mglocker

Revert last commit which added ieee80211_rate2plcp() and
ieee80211_plcp2rate() because I've got a late feedback from Damien that
he dislikes the implementation method a lot.


# 1.34 01-Nov-2007 mglocker

Add ieee80211_rate2plcp() and ieee80211_plcp2rate() functions.

Help and OK reyk@


# 1.33 22-Aug-2007 damien

- add k_rxmic and k_txmic fields to struct ieee80211_key to store the
Tx/Rx MIC for TKIP.
- add two functions to map a PTK and a GTK to an IEEE 802.11 key and
use them in ieee80211_input.c instead of duplicating the same code.
properly set Tx/Rx MIC in the IEEE 802.11 key in the case of TKIP.
- add ic_psk to struct ieee80211com to store the pre-shared key.
- fix setting of the SECURE bit in outgoing EAPOL-Key frames.
- when receiving msg 2 of the 4-way handshake, deauthenticate the
station if the RSN IE does not match that of the (Re)Association
request.
- before parsing an RSN or WPA IE, check that there's enough room for
the version field (2 bytes) which is mandatory.
- various tweaks while i'm here.


Revision tags: OPENBSD_4_2_BASE
# 1.32 28-Jul-2007 damien

add callbacks that drivers must implement to install/reset keys.
add a 64-bit replay counter for sending EAPOL-Key request frames.
add a ic_recv_eapol callback to process EAPOL frames.
drivers can redefine this callback but net80211 will implement it.


# 1.31 24-Jul-2007 damien

add ic_globalcnt to struct ieee80211com:
in an RSNA, each STA must maintain a 256-bit global key counter that
must be initialized to a random value (see 8.5.7).


# 1.30 18-Jul-2007 damien

replace the ieee80211_wepkey structure with a more generic ieee80211_key
one that can be used with other ciphers than WEP.


# 1.29 05-Jul-2007 damien

split ieee80211_add_rsn() so that the code can be reused for
vendor-specific IE.


# 1.28 04-Jul-2007 damien

add RSN flags for ic_caps and ic_flags.


# 1.27 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.26 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.25 21-Jun-2007 damien

add (currently unused) code to parse RSN IEs.


# 1.24 21-Jun-2007 damien

add fields for EDCA.


# 1.23 17-Jun-2007 damien

Add a new capability flag IEEE80211_C_QOS indicating that the driver
supports QoS.
Add a new flag IEEE80211_F_QOS indicating whether QoS is enabled or not.
Add a callback to notify drivers that AC parameters have changed in
the QBSS. Drivers implementing QoS should define this callback and
update their EDCA settings accordingly.


# 1.22 16-Jun-2007 damien

constify


# 1.21 11-Jun-2007 damien

adds 802.11e EDCA tables for QAPs and non-AP QSTAs.
not used yet.

ok jsg@ deraadt@


# 1.20 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.19 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 19-Oct-2006 tom

s/Mhz/MHz/ in comments and printf() strings

ok jsg@


Revision tags: OPENBSD_4_0_BASE
# 1.16 27-Jun-2006 reyk

add the net80211 hostap options "nwflag hidenwid" for hidden SSID mode
and "nwflag nobridge" to prevent inter-station communications.
"hidenwid" will also work with wi(4) to replace the old -E 3 option of
wicontrol.

ok damien@ jmc@


# 1.15 24-Jun-2006 deraadt

ieee80211_cfgget() and ieee80211_cfgset() are dead; ok jsg


# 1.14 23-Jun-2006 reyk

add an optional max_rssi attribute to the ieee80211com structure and
allow to export the RSSI Max value with ioctls and by radiotap
headers.

ok damien@ jsg@

description:

we currently use "dB" as an indication for the signal strength in
ifconfig and in the radiotap headers. it means "decibel difference
from an arbitrary, fixed reference". this is quite confusing, because
different chipsets have different references for the dB/rssi values.

we can use the plain RSSI which is described in IEEE 802.11: "The
receive signal strength indicator (RSSI) is an optional parameter that
has a value of 0 through RSSI Max.". all wireless chipsets have
something like a RSSI (normally as a Rx descriptor field), but the
value for RSSI Max is chipset-specific.

if we know the RSSI Max, we can calculate a percentage which is much
easier to understand for the user. we even don't have to use the
absolute RSSI Max, we can use an average RSSI Max, figured out by
monitoring and tuning the RSSI Max of the drivers. if the user gets a
signal of 110%, it would mean "better than the average Max signal".

there's no need to do any RSSI calculations in the kernel, it just
passes the relative rssi and max_rssi values to userspace. this is
done in the ieee80211_nodereq ioctl structure and possible with a new
radiotap header. the radiotap RSSI header allows to get a flexible but
common signal indicator instead of the complex and unrelated dB/dBm
signal fields. it must include two 8bit values current rssi and RSSI
max.


# 1.13 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.12 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.11 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.10 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.9 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.8 13-May-2005 jsg

do { } while (0) wrappers on debug printf macros. ok reyk@


# 1.7 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.6 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.5 15-Feb-2005 reyk

add the manual tx power option. this is supported by some prism2/2.5/3
cards in hostap mode but it depends on the firmware version. support
for other wireless chipsets will be added in the future using the
net80211-framework.

ok robert@ bob@ danh@, tested by some others


# 1.4 25-Dec-2004 deraadt

in real C, there is no , after the last enum entry; ok reyk


# 1.3 06-Dec-2004 dlg

add a flag that lets a wireless card indicate it can receive probe responses
or beacons on any channel during a scan.

ok damien@ "come on" deraadt@


# 1.2 02-Nov-2004 reyk

some changes merged in from netbsd. ieee80211_regdomain.# will be used
by sdr (software defined radios).

ok deraadt@ millert@ damien@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.95 01-Mar-2019 stsp

Improve handling of HT protection for 'mode 11n' hostap.

Consider the mere presence of HTCAP IEs as indicator of 11n support,
rather than checking advertised Rx MCS. Fixes some devices being
misclassified as 11a/g, causing HT protection to be enabled even
though it is not needed.

Use CTS-to-self frames for HT protection instead of RTS/CTS.

These changes make my athn(4) AR9280 hostap perform much better.

ok phessler@


# 1.94 19-Feb-2019 stsp

Make ifconfig(8) display whether bwfm(4) firmware is using 802.11ac.
ok patrick@ mpi@


# 1.93 18-Jan-2019 phessler

add a len field when we delete an essid from the joinlist. this will have
us properly match, instead of hoping we got lucky when selecting it.

OK stsp@


# 1.92 27-Oct-2018 phessler

pass around the ess and ni structures we plan to use directly, instead
of rediscovering them (possibly badly).

OK stsp@


Revision tags: OPENBSD_6_4_BASE
# 1.91 11-Sep-2018 krw

Nuke unused LIST() ieee80211com_head.

ok stsp@


# 1.90 10-Sep-2018 phessler

give set_ess a len variable, so we can correctly match the essid we want
to switch to.

pointed out by stsp@


# 1.89 09-Sep-2018 phessler

convert the things we save in 'join' into a single ioctl. mixing related
settings over multiple calls was risky and racy. Pass essid, wpa, and wep
parameters in a single ioctl and process it atomically.

no change for 'nwid' users

OK stsp@ benno@


# 1.88 01-Sep-2018 stsp

Make 'ifconfig nwid' override 'ifconfig join'.

There was no way to override a decision made by join's network
selection algorithm (apart from disabling the feature by clearing
the join list). Automatic selection is based on heuristics which
cannot always guess correctly so we need to provide an override.

One specific problem was that if 'nwid foo' and 'nwid bar' were
both visible in the scan and only 'nwid foo' was a member of the
join list, then there was no way at all to connect to 'nwid bar'.
The wireless stack would keep selecting 'nwid foo' instead.

'ifconfig iwm0 nwid bar' command will now disable automatic
network selection and force the use of ESSID 'bar'.
Any of these commands will re-enable automatic network selection:
ifconfig iwm0 -nwid
ifconfig iwm0 nwid ''
ifconfig iwm0 join some-network-id

ok phessler@ deraadt@


# 1.87 06-Aug-2018 stsp

Refactor ieee80211_add_ess():

Drop ieee80211_add_ess's nwid parameter. Read nwid and length directly
from the ic to make it more obvious where this function is reading from.

nwids are binary data with an explicit length, so treat them as such
instead of treating them like strings.

ok florian phessler


# 1.86 11-Jul-2018 phessler

Introduce 'auto-join' to the wifi 802.11 stack.

This allows a system to remember which ESSIDs it wants to connect to, any
relevant security configuration, and switch to it when the network we are
currently connected to is no longer available.

Works when connecting and switching between WPA2/WPA1/WEP/clear encryptions.

example hostname.if:
join home wpakey password
join work wpakey mekmitasdigoat
join open-lounge
join cafe wpakey cafe2018
join "wepnetwork" nwkey "12345"
dhcp
inet6 autoconf
up

OK stsp@ reyk@
and enthusiasm from every hackroom I've been in for the last 3 years


# 1.85 26-Apr-2018 pirofti

net80211: stub SIOCS80211SCAN, make ifconfig scan instant.

The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stsp@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.

The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.

In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.

The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...

Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.

Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).

Tested by mpi@, landry@, florian@, thanks!
OK mpi@.


Revision tags: OPENBSD_6_3_BASE
# 1.84 05-Feb-2018 stsp

Add a new function hook to struct ieee80211com which wireless drivers
can use to process, and then acknowledge or reject, incoming AUTH
requests in hostap mode.

net80211 accepts an AUTH request from any STA which fits into the node
cache. This behaviour doesn't work for devices which have a lower limit
on concurrent STAs they can serve, so such drivers need an override.

This will be used by our athn(4) USB driver soon.

ok kevlo@


# 1.83 12-Dec-2017 stsp

Make IEEE80211_CHAN_ANYC be a NULL pointer instead of a pointer to 0xffff.
Should speed up debugging.
ok phessler patrick


# 1.82 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


# 1.81 06-Nov-2017 phessler

move a function declaration, so the whole net80211 stack can disable wep or wpa

OK stsp@


# 1.80 29-Oct-2017 mpi

Kill unused members using forward declaration only types.

Found with ctfconv(1). ok jsg@, guenther@


Revision tags: OPENBSD_6_2_BASE
# 1.79 31-May-2017 stsp

The net80211 stack was providing a 'beacon miss timeout' value (in ms)
which specified how much time may elapse without beacons before drivers
begin searching for a new AP.

Drivers convert this timeout value into the amount of beacons they're allowed
to miss. Having the stack provide this number upfront simplifies things.

ok mpi@


# 1.78 30-May-2017 stsp

Introduce ieee80211_min_basic_rate() and ieee80211_max_basic_rate().

These helpers can be used by drivers to improve compatibility with APs
that disable some mandatory PHY rates in the basic rate set.

For instance, many of our drivers hard-code 11b rates on 2 GHz and run
into problems when APs disable them. Since 11b rates are being disabled
by default by some vendors, hardcoding them is not a good idea anymore.

ok mpi@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.77 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.76 30-Jan-2017 stsp

Enable ieee80211_edca_table, which was under #if 0. This table can be used
by drivers to pass default EDCA parameters to firmware instead of passing
local hardcoded values.
ok millert@


# 1.75 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.74 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.73 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@


Revision tags: OPENBSD_6_0_BASE
# 1.72 21-May-2016 stsp

Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.71 25-Jan-2016 stsp

Keep track of HT protection settings in beacons and have 11n-capable
drivers update hardware configuration accordingly.
tested by myself, tb@, deraadt@, abieber@
ok mpi@


# 1.70 12-Jan-2016 stsp

Remove wireless turbo mode support. It is a non-standard extension
which only worked with ath(4) devices from a decade ago.
Diff tested on ath(4) hardware by me to verify that 11a/b modes still work.
ok reyk deraadt chris sthen kettenis


# 1.69 06-Jan-2016 stsp

Initialize the A-MPDU parameters field in HT capability elements.
ok kettenis@


# 1.68 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.67 15-Nov-2015 stsp

Expose 11n mode to the ifmedia layer and introduce the concept of MCS.
Make sure 11n features are enabled only if media type is autoselect or 11n.

11n mode uses MCS (modulation & coding scheme) instead of rates like 11a/b/g.
This means we'll have to take the current mode into account and decide whether
to use a rate or an MCS for transmission. Receiving frames on legacy rates
will still work in 11n mode. We just won't be using legacy rates to send
data frames to an STA or AP we negotiated 11n features with.

My initial plan was to grow the ieee80211_rateset structure and treat MCS
just like rates. However, ieee80211_rateset corresponds to rates and xrates
elements in management frames and is copied directly into such elements
so its size cannot change. Thus, MCS stands on its own and corresponds to
elements in management frames related to 11n HT capabilities.

ok deraadt mpi phessler kettenis guenther


# 1.66 15-Nov-2015 stsp

Declare 802.11n mode and channel flags. Tweak 11n related fields in struct
ieee80211com and move them inside #ifndef IEEE80211_NO_HT without breaking
the build in rsu(4) for RAMDISK_CD.
Also declare 11n protection modes and MCS count.
ok deraadt mpi kettenis guenther


# 1.65 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


# 1.64 27-Sep-2015 stsp

Add ieee80211_channel_init(), factored out from ieee80211_ifattach().
Will be used by iwm(4) soon.
ok kettenis@


# 1.63 11-Sep-2015 stsp

Make room for media types of the future. Extend the ifmedia word to 64 bits.
This changes numbers of the SIOCSIFMEDIA and SIOCGIFMEDIA ioctls and
grows struct ifmediareq.

Old ifconfig and dhclient binaries can still assign addresses, however
the 'media' subcommand stops working. Recompiling ifconfig and dhclient
with new headers before a reboot should not be necessary unless in very
special circumstances where non-default media settings must be used to
get link and console access is not available.

There may be some MD fallout but that will be cleared up later.

ok deraadt miod
with help and suggestions from several sharks attending l2k15


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE OPENBSD_5_6_BASE OPENBSD_5_7_BASE OPENBSD_5_8_BASE
# 1.62 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE
# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.60 19-May-2009 damien

prevent injection of raw 802.11 control frames through bpf on drivers
that do not explicitly state this capability (using flag IEEE80211_C_RAWCTL).
also, perform all the sanity checks on injected raw 802.11 frames earlier
(in ieee80211_output instead of ieee80211_encap).

prevent kernel panics with many drivers when running aircrack-ng.
when/if all drivers are capable, we can remove this C_RAWCTL flag.


# 1.59 26-Mar-2009 damien

move #define IEEE80211_NO_HT under #ifdef SMALL_KERNEL instead
of defining it unconditionally.
although the HT code is not ready yet, making it compile on
GENERIC kernels will help catch regressions/bugs if any.


Revision tags: OPENBSD_4_5_BASE
# 1.58 08-Feb-2009 damien

initial 802.11 defragmentation bits.
the code will allow the concurrent reception of fragments of three
fragmented MSDUs or MMPDUs as required by the 802.11 standard.


# 1.57 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.56 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.55 13-Nov-2008 djm

use different TSCs when sending the two MIC failure report frames
to our AP as we enter TKIP countermeasures by caching the TSC of
the last frame to fail the MIC; prompted by and ok damien@


# 1.54 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.53 08-Sep-2008 jsg

define IEEE80211_STA_ONLY if SMALL_KERNEL is defined to shrink
the size of install media.

ok damien@ deraadt@


# 1.52 01-Sep-2008 damien

add ic_tid_noack bitmap to indicate a per-TID ACK policy (1=no ack,
0=normal ack). all bits are currently set to 0.
use this bitmap to set the ACK policy of the QoS control field of
outgoing QoS frames.


# 1.51 01-Sep-2008 damien

rework previously unused ieee80211_pwrsave() function, call it from
ieee80211_mgmt_output() and ieee80211_encap().
use new IEEE80211_C_APPMGT capability flag where appropriate.
rename ic_tim_mcast to ic_tim_mcast_pending.


# 1.50 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.49 29-Aug-2008 damien

garbage collect unused capabilities and configurations flags.
add two capabilities flags: IEEE80211_C_HT for HT STAs (802.11n)
and IEEE80211_C_APPMGT which indicates the capability for an AP
to buffer unicast and multicast traffic for STAs in PS mode.
all drivers claiming HostAP support should support that but the
truth is that none of them do.
most of them are still at the 802.11b-only era and do not update
dynamic parts of beacons or process frames from ic_pwrsaveq.


# 1.48 27-Aug-2008 damien

move definitions of channels attributes away from ieee80211.h such
that ieee80211.h contains only definitions that are part of the
802.11 standard and not constants used internally by net80211.
because channels attributes are exported to userland through the
radiotap BPF interface, add the definitions to ieee80211_radiotap.h
too (which must be kept in sync with what is used in net80211).
also, do not export combinations of channel attributes to userland
so that no one gets stupid ideas.


# 1.47 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.46 12-Aug-2008 damien

nuke unused fields.


# 1.45 12-Aug-2008 damien

add IEEE80211_F_MFPR config flags (management frame protection required)
and IEEE80211_C_MFP capability bit (driver supports MFP).


# 1.44 12-Aug-2008 damien

extend the ic_nw_keys[] array to 6 elements.
indices 0-3 will be used for group data keys while indices 4-5 will
be used for integrity group keys.
add a ic_rsngroupmgmtcipher field too.


# 1.43 12-Aug-2008 damien

Change the way we process EAPOL-Key frames.
Free the mbuf in the ieee80211_eapol_key_input() function.
Do not assume the frame is contiguous, call m_pullup2() if it is not.
We need the frame to be contiguous to process KDEs efficiently in
EAPOL-Key frames (just like we process IEs in management frames).
However, there are drivers like upgt(4) that use m_devget() in the
RX path. m_devget() can return fragmented mbuf chains.
Notice that we should do the same m_pullup2() for management frames.
This will be done later.
Remove the ic_recv_eapol callback.


Revision tags: OPENBSD_4_4_BASE
# 1.42 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.41 27-Jul-2008 damien

sanitize RX path a bit.
make sure drivers pass a contiguous header, check header length earlier.
fix checking of frames sequence number for frames containing an Address 4
field (required for future work).
fix processing of control frames (only pspoll for now).


# 1.40 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.39 21-Jul-2008 damien

instead of passing rx tstamp and rssi to the ieee80211_input function,
pass a pointer to an ieee80211_rxinfo structure containing those two
fields plus an extra flags field that indicates whether the frame was
decrypted by hardware or not.
required for a future fix.


# 1.38 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.37 17-Nov-2007 damien

make it clear in the code and in the man page that the rate2plcp and
plcp2rate functions use plcp codes in most-significant-bit-first format
(R4-R1).
some drivers like wpi(4) and iwn(4) want plcp codes in lsb-first format
so they can't use those functions.
also the IEEE standard uses R1-R4 notation so this can be a bit confusing
for those referring to it.

use u_int8_t for plcp code and rate instead of int.


# 1.36 14-Nov-2007 mglocker

Add ieee80211_rate2plcp() and ieee80211_plcp2rate() functions, which
convert the PLCP header signal field to a rate value and vice versa.

This implementation has been discussed with Damien and doesn't change
any existing net80211 structures.

ok damien@


# 1.35 03-Nov-2007 mglocker

Revert last commit which added ieee80211_rate2plcp() and
ieee80211_plcp2rate() because I've got late feedback from Damien that
he dislikes the implementation method a lot.


# 1.34 01-Nov-2007 mglocker

Add ieee80211_rate2plcp() and ieee80211_plcp2rate() functions.

Help and OK reyk@


# 1.33 22-Aug-2007 damien

- add k_rxmic and k_txmic fields to struct ieee80211_key to store the
Tx/Rx MIC for TKIP.
- add two functions to map a PTK and a GTK to an IEEE 802.11 key and
use them in ieee80211_input.c instead of duplicating the same code.
properly set Tx/Rx MIC in the IEEE 802.11 key in the case of TKIP.
- add ic_psk to struct ieee80211com to store the pre-shared key.
- fix setting of the SECURE bit in outgoing EAPOL-Key frames.
- when receiving msg 2 of the 4-way handshake, deauthenticate the
station if the RSN IE does not match that of the (Re)Association
request.
- before parsing an RSN or WPA IE, check that there's enough room for
the version field (2 bytes) which is mandatory.
- various tweaks while i'm here.


Revision tags: OPENBSD_4_2_BASE
# 1.32 28-Jul-2007 damien

add callbacks that drivers must implement to install/reset keys.
add a 64-bit replay counter for sending EAPOL-Key request frames.
add a ic_recv_eapol callback to process EAPOL frames.
drivers can redefine this callback but net80211 will implement it.


# 1.31 24-Jul-2007 damien

add ic_globalcnt to struct ieee80211com:
in an RSNA, each STA must maintain a 256-bit global key counter that
must be initialized to a random value (see 8.5.7).


# 1.30 18-Jul-2007 damien

replace the ieee80211_wepkey structure with a more generic ieee80211_key
one that can be used with other ciphers than WEP.


# 1.29 05-Jul-2007 damien

split ieee80211_add_rsn() so that the code can be reused for
vendor-specific IE.


# 1.28 04-Jul-2007 damien

add RSN flags for ic_caps and ic_flags.


# 1.27 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.26 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.25 21-Jun-2007 damien

add (currently unused) code to parse RSN IEs.


# 1.24 21-Jun-2007 damien

add fields for EDCA.


# 1.23 17-Jun-2007 damien

Add a new capability flag IEEE80211_C_QOS indicating that the driver
supports QoS.
Add a new flag IEEE80211_F_QOS indicating whether QoS is enabled or not.
Add a callback to notify drivers that AC parameters have changed in
the QBSS. Drivers implementing QoS should define this callback and
update their EDCA settings accordingly.


# 1.22 16-Jun-2007 damien

constify


# 1.21 11-Jun-2007 damien

adds 802.11e EDCA tables for QAPs and non-AP QSTAs.
not used yet.

ok jsg@ deraadt@


# 1.20 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.19 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 19-Oct-2006 tom

s/Mhz/MHz/ in comments and printf() strings

ok jsg@


Revision tags: OPENBSD_4_0_BASE
# 1.16 27-Jun-2006 reyk

add the net80211 hostap options "nwflag hidenwid" for hidden SSID mode
and "nwflag nobridge" to prevent inter-station communications.
"hidenwid" will also work with wi(4) to replace the old -E 3 option of
wicontrol.

ok damien@ jmc@


# 1.15 24-Jun-2006 deraadt

ieee80211_cfgget() and ieee80211_cfgset() are dead; ok jsg


# 1.14 23-Jun-2006 reyk

add an optional max_rssi attribute to the ieee80211com structure and
allow to export the RSSI Max value with ioctls and by radiotap
headers.

ok damien@ jsg@

description:

we currently use "dB" as an indication for the signal strength in
ifconfig and in the radiotap headers. it means "decibel difference
from an arbitrary, fixed reference". this is quite confusing, because
different chipsets have different references for the dB/rssi values.

we can use the plain RSSI which is described in IEEE 802.11: "The
receive signal strength indicator (RSSI) is an optional parameter that
has a value of 0 through RSSI Max.". all wireless chipsets have
something like a RSSI (normally as a Rx descriptor field), but the
value for RSSI Max is chipset-specific.

if we know the RSSI Max, we can calculate a percentage which is much
easier to understand for the user. we even don't have to use the
absolute RSSI Max, we can use an average RSSI Max, figured out by
monitoring and tuning the RSSI Max of the drivers. if the user gets a
signal of 110%, it would mean "better than the average Max signal".

there's no need to do any RSSI calculations in the kernel, it just
passes the relative rssi and max_rssi values to userspace. this is
done in the ieee80211_nodereq ioctl structure and possible with a new
radiotap header. the radiotap RSSI header allows to get a flexible but
common signal indicator instead of the complex and unrelated dB/dBm
signal fields. it must include two 8bit values current rssi and RSSI
max.


# 1.13 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.12 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.11 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.10 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.9 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.8 13-May-2005 jsg

do { } while (0) wrappers on debug printf macros. ok reyk@


# 1.7 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.6 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.5 15-Feb-2005 reyk

add the manual tx power option. this is supported by some prism2/2.5/3
cards in hostap mode but it depends on the firmware version. support
for other wireless chipsets will be added in the future using the
net80211-framework.

ok robert@ bob@ danh@, tested by some others


# 1.4 25-Dec-2004 deraadt

in real C, there is not , after the last enum entry; ok reyk


# 1.3 06-Dec-2004 dlg

add a flag that lets a wireless card indicate it can receive probe responses
or beacons on any channel during a scan.

ok damien@ "come on" deraadt@


# 1.2 02-Nov-2004 reyk

some changes merged in from netbsd. ieee80211_regdomain.# will be used
by sdr (software defined radios).

ok deraadt@ millert@ damien@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.85 26-Apr-2018 pirofti

net80211: stub SIOCS80211SCAN, make ifconfig scan instant.

The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stsp@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.

The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.

In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.

The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...

Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.

Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).

Tested by mpi@, landry@, florian@, thanks!
OK mpi@.


Revision tags: OPENBSD_6_3_BASE
# 1.84 05-Feb-2018 stsp

Add a new function hook to struct ieee80211com which wireless drivers
can use to process, and then acknowledge or reject, incoming AUTH
requests in hostap mode.

net80211 accepts an AUTH request from any STA which fits into the node
cache. This behaviour doesn't work for devices which have a lower limit
on concurrent STAs they can serve, so such drivers need an override.

This will be used by our athn(4) USB driver soon.

ok kevlo@


# 1.83 12-Dec-2017 stsp

Make IEEE80211_CHAN_ANYC be a NULL pointer instead of a pointer to 0xffff.
Should speed up debugging.
ok phessler patrick


# 1.82 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


# 1.81 06-Nov-2017 phessler

move a function declaration, so the whole net80211 stack can disable wep or wpa

OK stsp@


# 1.80 29-Oct-2017 mpi

Kill unused members using forward declaration only types.

Found with ctfconv(1). ok jsg@, guenther@


Revision tags: OPENBSD_6_2_BASE
# 1.79 31-May-2017 stsp

The net80211 stack was providing a 'beacon miss timeout' value (in ms)
which specified how much time may elapse without beacons before drivers
begin searching for a new AP.

Drivers convert this timeout value into the amount of beacons they're allowed
to miss. Having the stack provide this number upfront simplifies things.

ok mpi@


# 1.78 30-May-2017 stsp

Introduce ieee80211_min_basic_rate() and ieee80211_max_basic_rate().

These helpers can be used by drivers to improve compatibility with APs
that disable some mandatory PHY rates in the basic rate set.

For instance, many of our drivers hard-code 11b rates on 2 GHz and run
into problems when APs disable them. Since 11b rates are being disabled
by default by some vendors, hardcoding them is not a good idea anymore.

ok mpi@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.77 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.76 30-Jan-2017 stsp

Enable ieee80211_edca_table, which was under #if 0. This table can be used
by drivers to pass default EDCA parameters to firmware instead of passing
local hardcoded values.
ok millert@


# 1.75 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.74 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.73 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@


Revision tags: OPENBSD_6_0_BASE
# 1.72 21-May-2016 stsp

Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.71 25-Jan-2016 stsp

Keep track of HT protection settings in beacons and have 11n-capable
drivers update hardware configuration accordingly.
tested by myself, tb@, deraadt@, abieber@
ok mpi@


# 1.70 12-Jan-2016 stsp

Remove wireless turbo mode support. It is a non-standard extension
which only worked with ath(4) devices from a decade ago.
Diff tested on ath(4) hardware by me to verify that 11a/b modes still work.
ok reyk deraadt chris sthen kettenis


# 1.69 06-Jan-2016 stsp

Initialize the A-MPDU parameters field in HT capability elements.
ok kettenis@


# 1.68 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.67 15-Nov-2015 stsp

Expose 11n mode to the ifmedia layer and introduce the concept of MCS.
Make sure 11n features are enabled only if media type is autoselect or 11n.

11n mode uses MCS (modulation & coding scheme) instead of rates like 11a/b/g.
This means we'll have to take the current mode into account and decide whether
to use a rate or an MCS for transmission. Receiving frames on legacy rates
will still work in 11n mode. We just won't be using legacy rates to send
data frames to an STA or AP we negotiated 11n features with.

My initial plan was to grow the ieee80211_rateset structure and treat MCS
just like rates. However, ieee80211_rateset corresponds to rates and xrates
elements in management frames and is copied directly into such elements
so its size cannot change. Thus, MCS stands on its own and corresponds to
elements in management frames related to 11n HT capabilities.

ok deraadt mpi phessler kettenis guenther


# 1.66 15-Nov-2015 stsp

Declare 802.11n mode and channel flags. Tweak 11n related fields in struct
ieee80211com and move them inside #ifndef IEEE80211_NO_HT without breaking
the build in rsu(4) for RAMDISK_CD.
Also declare 11n protection modes and MCS count.
ok deraadt mpi kettenis guenther


# 1.65 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


# 1.64 27-Sep-2015 stsp

Add ieee80211_channel_init(), factored out from ieee80211_ifattach().
Will be used by iwm(4) soon.
ok kettenis@


# 1.63 11-Sep-2015 stsp

Make room for media types of the future. Extend the ifmedia word to 64 bits.
This changes numbers of the SIOCSIFMEDIA and SIOCGIFMEDIA ioctls and
grows struct ifmediareq.

Old ifconfig and dhclient binaries can still assign addresses, however
the 'media' subcommand stops working. Recompiling ifconfig and dhclient
with new headers before a reboot should not be necessary unless in very
special circumstances where non-default media settings must be used to
get link and console access is not available.

There may be some MD fallout but that will be cleared up later.

ok deraadt miod
with help and suggestions from several sharks attending l2k15


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE OPENBSD_5_6_BASE OPENBSD_5_7_BASE OPENBSD_5_8_BASE
# 1.62 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE
# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.60 19-May-2009 damien

prevent injection of raw 802.11 control frames through bpf on drivers
that do not explicitly state this capability (using flag IEEE80211_C_RAWCTL).
also, perform all the sanity checks on injected raw 802.11 frames earlier
(in ieee80211_output instead of ieee80211_encap).

prevent kernel panics with many drivers when running aircrack-ng.
when/if all drivers are capable, we can remove this C_RAWCTL flag.


# 1.59 26-Mar-2009 damien

move #define IEEE80211_NO_HT under #ifdef SMALL_KERNEL instead
of defining it unconditionally.
although the HT code is not ready yet, making it compile on
GENERIC kernels will help catch regressions/bugs if any.


Revision tags: OPENBSD_4_5_BASE
# 1.58 08-Feb-2009 damien

initial 802.11 defragmentation bits.
the code will allow the concurrent reception of fragments of three
fragmented MSDUs or MMPDUs as required by the 802.11 standard.


# 1.57 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.56 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.55 13-Nov-2008 djm

use different TSCs when sending the two MIC failure report frames
to our AP as we enter TKIP countermeasures by caching the TSC of
the last frame to fail the MIC; prompted by and ok damien@


# 1.54 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.53 08-Sep-2008 jsg

define IEEE80211_STA_ONLY if SMALL_KERNEL is defined to shrink
the size of install media.

ok damien@ deraadt@


# 1.52 01-Sep-2008 damien

add ic_tid_noack bitmap to indicate a per-TID ACK policy (1=no ack,
0=normal ack). all bits are currently set to 0.
use this bitmap to set the ACK policy of the QoS control field of
outgoing QoS frames.


# 1.51 01-Sep-2008 damien

rework previously unused ieee80211_pwrsave() function, call it from
ieee80211_mgmt_output() and ieee80211_encap().
use new IEEE80211_C_APPMGT capability flag where appropriate.
rename ic_tim_mcast to ic_tim_mcast_pending.


# 1.50 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.49 29-Aug-2008 damien

garbage collect unused capabilities and configurations flags.
add two capabilities flags: IEEE80211_C_HT for HT STAs (802.11n)
and IEEE80211_C_APPMGT which indicates the capability for an AP
to buffer unicast and multicast traffic for STAs in PS mode.
all drivers claiming HostAP support should support that but the
truth is that none of them do.
most of them are still at the 802.11b-only era and do not update
dynamic parts of beacons or process frames from ic_pwrsaveq.


# 1.48 27-Aug-2008 damien

move definitions of channels attributes away from ieee80211.h such
that ieee80211.h contains only definitions that are part of the
802.11 standard and not constants used internally by net80211.
because channels attributes are exported to userland through the
radiotap BPF interface, add the definitions to ieee80211_radiotap.h
too (which must be kept in sync with what is used in net80211).
also, do not export combinations of channel attributes to userland
so that no one gets stupid ideas.


# 1.47 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.46 12-Aug-2008 damien

nuke unused fields.


# 1.45 12-Aug-2008 damien

add IEEE80211_F_MFPR config flags (management frame protection required)
and IEEE80211_C_MFP capability bit (driver supports MFP).


# 1.44 12-Aug-2008 damien

extend the ic_nw_keys[] array to 6 elements.
indices 0-3 will be used for group data keys while indices 4-5 will
be used for integrity group keys.
add a ic_rsngroupmgmtcipher field too.


# 1.43 12-Aug-2008 damien

Change the way we process EAPOL-Key frames.
Free the mbuf in the ieee80211_eapol_key_input() function.
Do not assume the frame is contiguous, call m_pullup2() if it is not.
We need the frame to be contiguous to process KDEs efficiently in
EAPOL-Key frames (just like we process IEs in management frames).
However, there are drivers like upgt(4) that use m_devget() in the
RX path. m_devget() can return fragmented mbuf chains.
Notice that we should do the same m_pullup2() for management frames.
This will be done later.
Remove the ic_recv_eapol callback.


Revision tags: OPENBSD_4_4_BASE
# 1.42 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.41 27-Jul-2008 damien

sanitize RX path a bit.
make sure drivers pass a contiguous header, check header length earlier.
fix checking of frames sequence number for frames containing an Address 4
field (required for future work).
fix processing of control frames (only pspoll for now).


# 1.40 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.39 21-Jul-2008 damien

instead of passing rx tstamp and rssi to the ieee80211_input function,
pass a pointer to an ieee80211_rxinfo structure containing those two
fields plus an extra flags field that indicates whether the frame was
decrypted by hardware or not.
required for a future fix.


# 1.38 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.37 17-Nov-2007 damien

make it clear in the code and in the man page that the rate2plcp and
plcp2rate functions use plcp codes in most-significant-bit-first format
(R4-R1).
some drivers like wpi(4) and iwn(4) want plcp codes in lsb-first format
so they can't use those functions.
also the IEEE standard uses R1-R4 notation so this can be a bit confusing
for those referring to it.

use u_int8_t for plcp code and rate instead of int.


# 1.36 14-Nov-2007 mglocker

Add ieee80211_rate2plcp() and ieee80211_plcp2rate() functions, which
convert the PLCP header signal field to a rate value and vice versa.

This implementation has been discussed with Damien and doesn't change
any existing net80211 structures.

ok damien@


# 1.35 03-Nov-2007 mglocker

Revert last commit which added ieee80211_rate2plcp() and
ieee80211_plcp2rate() because I've got a late feedback from Damien that
he dislikes the implementation method a lot.


# 1.34 01-Nov-2007 mglocker

Add ieee80211_rate2plcp() and ieee80211_plcp2rate() functions.

Help and OK reyk@


# 1.33 22-Aug-2007 damien

- add k_rxmic and k_txmic fields to struct ieee80211_key to store the
Tx/Rx MIC for TKIP.
- add two functions to map a PTK and a GTK to an IEEE 802.11 key and
use them in ieee80211_input.c instead of duplicating the same code.
properly set Tx/Rx MIC in the IEEE 802.11 key in the case of TKIP.
- add ic_psk to struct ieee80211com to store the pre-shared key.
- fix setting of the SECURE bit in outgoing EAPOL-Key frames.
- when receiving msg 2 of the 4-way handshake, deauthenticate the
station if the RSN IE does not match that of the (Re)Association
request.
- before parsing an RSN or WPA IE, check that there's enough room for
the version field (2 bytes) which is mandatory.
- various tweaks while i'm here.


Revision tags: OPENBSD_4_2_BASE
# 1.32 28-Jul-2007 damien

add callbacks that drivers must implement to install/reset keys.
add a 64-bit replay counter for sending EAPOL-Key request frames.
add a ic_recv_eapol callback to process EAPOL frames.
drivers can redefine this callback but net80211 will implement it.


# 1.31 24-Jul-2007 damien

add ic_globalcnt to struct ieee80211com:
in an RSNA, each STA must maintain a 256-bit global key counter that
must be initialized to a random value (see 8.5.7).


# 1.30 18-Jul-2007 damien

replace the ieee80211_wepkey structure with a more generic ieee80211_key
one that can be used with other ciphers than WEP.


# 1.29 05-Jul-2007 damien

split ieee80211_add_rsn() so that the code can be reused for
vendor-specific IE.


# 1.28 04-Jul-2007 damien

add RSN flags for ic_caps and ic_flags.


# 1.27 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.26 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.25 21-Jun-2007 damien

add (currently unused) code to parse RSN IEs.


# 1.24 21-Jun-2007 damien

add fields for EDCA.


# 1.23 17-Jun-2007 damien

Add a new capability flag IEEE80211_C_QOS indicating that the driver
supports QoS.
Add a new flag IEEE80211_F_QOS indicating whether QoS is enabled or not.
Add a callback to notify drivers that AC parameters have changed in
the QBSS. Drivers implementing QoS should define this callback and
update their EDCA settings accordingly.


# 1.22 16-Jun-2007 damien

constify


# 1.21 11-Jun-2007 damien

adds 802.11e EDCA tables for QAPs and non-AP QSTAs.
not used yet.

ok jsg@ deraadt@


# 1.20 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.19 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 19-Oct-2006 tom

s/Mhz/MHz/ in comments and printf() strings

ok jsg@


Revision tags: OPENBSD_4_0_BASE
# 1.16 27-Jun-2006 reyk

add the net80211 hostap options "nwflag hidenwid" for hidden SSID mode
and "nwflag nobridge" to prevent inter-station communications.
"hidenwid" will also work with wi(4) to replace the old -E 3 option of
wicontrol.

ok damien@ jmc@


# 1.15 24-Jun-2006 deraadt

ieee80211_cfgget() and ieee80211_cfgset() are dead; ok jsg


# 1.14 23-Jun-2006 reyk

add an optional max_rssi attribute to the ieee80211com structure and
allow to export the RSSI Max value with ioctls and by radiotap
headers.

ok damien@ jsg@

description:

we currently use "dB" as an indication for the signal strength in
ifconfig and in the radiotap headers. it means "decibel difference
from an arbitrary, fixed reference". this is quite confusing, because
different chipsets have different references for the dB/rssi values.

we can use the plain RSSI which is described in IEEE 802.11: "The
receive signal strength indicator (RSSI) is an optional parameter that
has a value of 0 through RSSI Max.". all wireless chipsets have
something like a RSSI (normally as a Rx descriptor field), but the
value for RSSI Max is chipset-specific.

if we know the RSSI Max, we can calculate a percentage which is much
easier to understand for the user. we even don't have to use the
absolute RSSI Max, we can use an average RSSI Max, figured out by
monitoring and tuning the RSSI Max of the drivers. if the user gets a
signal of 110%, it would mean "better than the average Max signal".

there's no need to do any RSSI calculations in the kernel, it just
passes the relative rssi and max_rssi values to userspace. this is
done in the ieee80211_nodereq ioctl structure and possible with a new
radiotap header. the radiotap RSSI header allows to get a flexible but
common signal indicator instead of the complex and unrelated dB/dBm
signal fields. it must include two 8bit values current rssi and RSSI
max.


# 1.13 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.12 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.11 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.10 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.9 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.8 13-May-2005 jsg

do { } while (0) wrappers on debug printf macros. ok reyk@


# 1.7 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.6 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.5 15-Feb-2005 reyk

add the manual tx power option. this is supported by some prism2/2.5/3
cards in hostap mode but it depends on the firmware version. support
for other wireless chipsets will be added in the future using the
net80211-framework.

ok robert@ bob@ danh@, tested by some others


# 1.4 25-Dec-2004 deraadt

in real C, there is not , after the last enum entry; ok reyk


# 1.3 06-Dec-2004 dlg

add a flag that lets a wireless card indicate it can receive probe responses
or beacons on any channel during a scan.

ok damien@ "come on" deraadt@


# 1.2 02-Nov-2004 reyk

some changes merged in from netbsd. ieee80211_regdomain.# will be used
by sdr (software defined radios).

ok deraadt@ millert@ damien@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.93 18-Jan-2019 phessler

add a len field when we delete an essid from the joinlist. this will have
us properly match, instead of hoping we got lucky when selecting it.

OK stsp@


# 1.92 27-Oct-2018 phessler

pass around the ess and ni structures we plan to use directly, instead
of rediscovering them (possibly badly).

OK stsp@


Revision tags: OPENBSD_6_4_BASE
# 1.91 11-Sep-2018 krw

Nuke unused LIST() ieee80211com_head.

ok stsp@


# 1.90 10-Sep-2018 phessler

give set_ess a len variable, so we can correctly match the essid we want
to switch to.

pointed out by stsp@


# 1.89 09-Sep-2018 phessler

convert the things we save in 'join' into a single ioctl. mixing related
settings over multiple calls was risky and racy. Pass essid, wpa, and wep
parameters in a single ioctl and process it atomically.

no change for 'nwid' users

OK stsp@ benno@


# 1.88 01-Sep-2018 stsp

Make 'ifconfig nwid' override 'ifconfig join'.

There was no way to override a decision made by join's network
selection algorithm (apart from disabling the feature by clearing
the join list). Automatic selection is based on heuristics which
cannot always guess correctly so we need to provide an override.

One specific problem was that if 'nwid foo' and 'nwid bar' were
both visible in the scan and only 'nwid foo' was a member of the
join list, then there was no way at all to connect to 'nwid bar'.
The wireless stack would keep selecting 'nwid foo' instead.

'ifconfig iwm0 nwid bar' command will now disable automatic
network selection and force the use of ESSID 'bar'.
Any of these commands will re-enable automatic network selection:
ifconfig iwm0 -nwid
ifconfig iwm0 nwid ''
ifconfig iwm0 join some-network-id

ok phessler@ deraadt@


# 1.87 06-Aug-2018 stsp

Refactor ieee80211_add_ess():

Drop ieee80211_add_ess's nwid parameter. Read nwid and length directly
from the ic to make it more obvious where this function is reading from.

nwids are binary data with an explicit length, so treat them as such
instead of treating them like strings.

ok florian phessler


# 1.86 11-Jul-2018 phessler

Introduce 'auto-join' to the wifi 802.11 stack.

This allows a system to remember which ESSIDs it wants to connect to, any
relevant security configuration, and switch to it when the network we are
currently connected to is no longer available.

Works when connecting and switching between WPA2/WPA1/WEP/clear encryptions.

example hostname.if:
join home wpakey password
join work wpakey mekmitasdigoat
join open-lounge
join cafe wpakey cafe2018
join "wepnetwork" nwkey "12345"
dhcp
inet6 autoconf
up

OK stsp@ reyk@
and enthusiasm from every hackroom I've been in for the last 3 years


# 1.85 26-Apr-2018 pirofti

net80211: stub SIOCS80211SCAN, make ifconfig scan instant.

The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stsp@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.

The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.

In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.

The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...

Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.

Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).

Tested by mpi@, landry@, florian@, thanks!
OK mpi@.


Revision tags: OPENBSD_6_3_BASE
# 1.84 05-Feb-2018 stsp

Add a new function hook to struct ieee80211com which wireless drivers
can use to process, and then acknowledge or reject, incoming AUTH
requests in hostap mode.

net80211 accepts an AUTH request from any STA which fits into the node
cache. This behaviour doesn't work for devices which have a lower limit
on concurrent STAs they can serve, so such drivers need an override.

This will be used by our athn(4) USB driver soon.

ok kevlo@


# 1.83 12-Dec-2017 stsp

Make IEEE80211_CHAN_ANYC be a NULL pointer instead of a pointer to 0xffff.
Should speed up debugging.
ok phessler patrick


# 1.82 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


# 1.81 06-Nov-2017 phessler

move a function declaration, so the whole net80211 stack can disable wep or wpa

OK stsp@


# 1.80 29-Oct-2017 mpi

Kill unused members using forward declaration only types.

Found with ctfconv(1). ok jsg@, guenther@


Revision tags: OPENBSD_6_2_BASE
# 1.79 31-May-2017 stsp

The net80211 stack was providing a 'beacon miss timeout' value (in ms)
which specified how much time may elapse without beacons before drivers
begin searching for a new AP.

Drivers convert this timeout value into the amount of beacons they're allowed
to miss. Having the stack provide this number upfront simplifies things.

ok mpi@


# 1.78 30-May-2017 stsp

Introduce ieee80211_min_basic_rate() and ieee80211_max_basic_rate().

These helpers can be used by drivers to improve compatibility with APs
that disable some mandatory PHY rates in the basic rate set.

For instance, many of our drivers hard-code 11b rates on 2 GHz and run
into problems when APs disable them. Since 11b rates are being disabled
by default by some vendors, hardcoding them is not a good idea anymore.

ok mpi@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.77 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.76 30-Jan-2017 stsp

Enable ieee80211_edca_table, which was under #if 0. This table can be used
by drivers to pass default EDCA parameters to firmware instead of passing
local hardcoded values.
ok millert@


# 1.75 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.74 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.73 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@


Revision tags: OPENBSD_6_0_BASE
# 1.72 21-May-2016 stsp

Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.71 25-Jan-2016 stsp

Keep track of HT protection settings in beacons and have 11n-capable
drivers update hardware configuration accordingly.
tested by myself, tb@, deraadt@, abieber@
ok mpi@


# 1.70 12-Jan-2016 stsp

Remove wireless turbo mode support. It is a non-standard extension
which only worked with ath(4) devices from a decade ago.
Diff tested on ath(4) hardware by me to verify that 11a/b modes still work.
ok reyk deraadt chris sthen kettenis


# 1.69 06-Jan-2016 stsp

Initialize the A-MPDU parameters field in HT capability elements.
ok kettenis@


# 1.68 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.67 15-Nov-2015 stsp

Expose 11n mode to the ifmedia layer and introduce the concept of MCS.
Make sure 11n features are enabled only if media type is autoselect or 11n.

11n mode uses MCS (modulation & coding scheme) instead of rates like 11a/b/g.
This means we'll have to take the current mode into account and decide whether
to use a rate or an MCS for transmission. Receiving frames on legacy rates
will still work in 11n mode. We just won't be using legacy rates to send
data frames to an STA or AP we negotiated 11n features with.

My initial plan was to grow the ieee80211_rateset structure and treat MCS
just like rates. However, ieee80211_rateset corresponds to rates and xrates
elements in management frames and is copied directly into such elements
so its size cannot change. Thus, MCS stands on its own and corresponds to
elements in management frames related to 11n HT capabilities.

ok deraadt mpi phessler kettenis guenther


# 1.66 15-Nov-2015 stsp

Declare 802.11n mode and channel flags. Tweak 11n related fields in struct
ieee80211com and move them inside #ifndef IEEE80211_NO_HT without breaking
the build in rsu(4) for RAMDISK_CD.
Also declare 11n protection modes and MCS count.
ok deraadt mpi kettenis guenther


# 1.65 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


# 1.64 27-Sep-2015 stsp

Add ieee80211_channel_init(), factored out from ieee80211_ifattach().
Will be used by iwm(4) soon.
ok kettenis@


# 1.63 11-Sep-2015 stsp

Make room for media types of the future. Extend the ifmedia word to 64 bits.
This changes numbers of the SIOCSIFMEDIA and SIOCGIFMEDIA ioctls and
grows struct ifmediareq.

Old ifconfig and dhclient binaries can still assign addresses, however
the 'media' subcommand stops working. Recompiling ifconfig and dhclient
with new headers before a reboot should not be necessary unless in very
special circumstances where non-default media settings must be used to
get link and console access is not available.

There may be some MD fallout but that will be cleared up later.

ok deraadt miod
with help and suggestions from several sharks attending l2k15


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE OPENBSD_5_6_BASE OPENBSD_5_7_BASE OPENBSD_5_8_BASE
# 1.62 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE
# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.60 19-May-2009 damien

prevent injection of raw 802.11 control frames through bpf on drivers
that do not explicitly state this capability (using flag IEEE80211_C_RAWCTL).
also, perform all the sanity checks on injected raw 802.11 frames earlier
(in ieee80211_output instead of ieee80211_encap).

prevent kernel panics with many drivers when running aircrack-ng.
when/if all drivers are capable, we can remove this C_RAWCTL flag.


# 1.59 26-Mar-2009 damien

move #define IEEE80211_NO_HT under #ifdef SMALL_KERNEL instead
of defining it unconditionally.
although the HT code is not ready yet, making it compile on
GENERIC kernels will help catch regressions/bugs if any.


Revision tags: OPENBSD_4_5_BASE
# 1.58 08-Feb-2009 damien

initial 802.11 defragmentation bits.
the code will allow the concurrent reception of fragments of three
fragmented MSDUs or MMPDUs as required by the 802.11 standard.


# 1.57 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.56 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.55 13-Nov-2008 djm

use different TSCs when sending the two MIC failure report frames
to our AP as we enter TKIP countermeasures by caching the TSC of
the last frame to fail the MIC; prompted by and ok damien@


# 1.54 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.53 08-Sep-2008 jsg

define IEEE80211_STA_ONLY if SMALL_KERNEL is defined to shrink
the size of install media.

ok damien@ deraadt@


# 1.52 01-Sep-2008 damien

add ic_tid_noack bitmap to indicate a per-TID ACK policy (1=no ack,
0=normal ack). all bits are currently set to 0.
use this bitmap to set the ACK policy of the QoS control field of
outgoing QoS frames.


# 1.51 01-Sep-2008 damien

rework previously unused ieee80211_pwrsave() function, call it from
ieee80211_mgmt_output() and ieee80211_encap().
use new IEEE80211_C_APPMGT capability flag where appropriate.
rename ic_tim_mcast to ic_tim_mcast_pending.


# 1.50 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.49 29-Aug-2008 damien

garbage collect unused capabilities and configurations flags.
add two capabilities flags: IEEE80211_C_HT for HT STAs (802.11n)
and IEEE80211_C_APPMGT which indicates the capability for an AP
to buffer unicast and multicast traffic for STAs in PS mode.
all drivers claiming HostAP support should support that but the
truth is that none of them do.
most of them are still at the 802.11b-only era and do not update
dynamic parts of beacons or process frames from ic_pwrsaveq.


# 1.48 27-Aug-2008 damien

move definitions of channels attributes away from ieee80211.h such
that ieee80211.h contains only definitions that are part of the
802.11 standard and not constants used internally by net80211.
because channels attributes are exported to userland through the
radiotap BPF interface, add the definitions to ieee80211_radiotap.h
too (which must be kept in sync with what is used in net80211).
also, do not export combinations of channel attributes to userland
so that no one gets stupid ideas.


# 1.47 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.46 12-Aug-2008 damien

nuke unused fields.


# 1.45 12-Aug-2008 damien

add IEEE80211_F_MFPR config flags (management frame protection required)
and IEEE80211_C_MFP capability bit (driver supports MFP).


# 1.44 12-Aug-2008 damien

extend the ic_nw_keys[] array to 6 elements.
indices 0-3 will be used for group data keys while indices 4-5 will
be used for integrity group keys.
add a ic_rsngroupmgmtcipher field too.


# 1.43 12-Aug-2008 damien

Change the way we process EAPOL-Key frames.
Free the mbuf in the ieee80211_eapol_key_input() function.
Do not assume the frame is contiguous, call m_pullup2() if it is not.
We need the frame to be contiguous to process KDEs efficiently in
EAPOL-Key frames (just like we process IEs in management frames).
However, there are drivers like upgt(4) that use m_devget() in the
RX path. m_devget() can return fragmented mbuf chains.
Notice that we should do the same m_pullup2() for management frames.
This will be done later.
Remove the ic_recv_eapol callback.


Revision tags: OPENBSD_4_4_BASE
# 1.42 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.41 27-Jul-2008 damien

sanitize RX path a bit.
make sure drivers pass a contiguous header, check header length earlier.
fix checking of frames sequence number for frames containing an Address 4
field (required for future work).
fix processing of control frames (only pspoll for now).


# 1.40 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.39 21-Jul-2008 damien

instead of passing rx tstamp and rssi to the ieee80211_input function,
pass a pointer to an ieee80211_rxinfo structure containing those two
fields plus an extra flags field that indicates whether the frame was
decrypted by hardware or not.
required for a future fix.


# 1.38 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.37 17-Nov-2007 damien

make it clear in the code and in the man page that the rate2plcp and
plcp2rate functions use plcp codes in most-significant-bit-first format
(R4-R1).
some drivers like wpi(4) and iwn(4) want plcp codes in lsb-first format
so they can't use those functions.
also the IEEE standard uses R1-R4 notation so this can be a bit confusing
for those referring to it.

use u_int8_t for plcp code and rate instead of int.


# 1.36 14-Nov-2007 mglocker

Add ieee80211_rate2plcp() and ieee80211_plcp2rate() functions, which
convert the PLCP header signal field to a rate value and vice versa.

This implementation has been discussed with Damien and doesn't change
any existing net80211 structures.

ok damien@


# 1.35 03-Nov-2007 mglocker

Revert last commit which added ieee80211_rate2plcp() and
ieee80211_plcp2rate() because I've got late feedback from Damien that
he dislikes the implementation method a lot.


# 1.34 01-Nov-2007 mglocker

Add ieee80211_rate2plcp() and ieee80211_plcp2rate() functions.

Help and OK reyk@


# 1.33 22-Aug-2007 damien

- add k_rxmic and k_txmic fields to struct ieee80211_key to store the
Tx/Rx MIC for TKIP.
- add two functions to map a PTK and a GTK to an IEEE 802.11 key and
use them in ieee80211_input.c instead of duplicating the same code.
properly set Tx/Rx MIC in the IEEE 802.11 key in the case of TKIP.
- add ic_psk to struct ieee80211com to store the pre-shared key.
- fix setting of the SECURE bit in outgoing EAPOL-Key frames.
- when receiving msg 2 of the 4-way handshake, deauthenticate the
station if the RSN IE does not match that of the (Re)Association
request.
- before parsing an RSN or WPA IE, check that there's enough room for
the version field (2 bytes) which is mandatory.
- various tweaks while i'm here.


Revision tags: OPENBSD_4_2_BASE
# 1.32 28-Jul-2007 damien

add callbacks that drivers must implement to install/reset keys.
add a 64-bit replay counter for sending EAPOL-Key request frames.
add a ic_recv_eapol callback to process EAPOL frames.
drivers can redefine this callback but net80211 will implement it.


# 1.31 24-Jul-2007 damien

add ic_globalcnt to struct ieee80211com:
in an RSNA, each STA must maintain a 256-bit global key counter that
must be initialized to a random value (see 8.5.7).


# 1.30 18-Jul-2007 damien

replace the ieee80211_wepkey structure with a more generic ieee80211_key
one that can be used with other ciphers than WEP.


# 1.29 05-Jul-2007 damien

split ieee80211_add_rsn() so that the code can be reused for
vendor-specific IE.


# 1.28 04-Jul-2007 damien

add RSN flags for ic_caps and ic_flags.


# 1.27 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.26 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.25 21-Jun-2007 damien

add (currently unused) code to parse RSN IEs.


# 1.24 21-Jun-2007 damien

add fields for EDCA.


# 1.23 17-Jun-2007 damien

Add a new capability flag IEEE80211_C_QOS indicating that the driver
supports QoS.
Add a new flag IEEE80211_F_QOS indicating whether QoS is enabled or not.
Add a callback to notify drivers that AC parameters have changed in
the QBSS. Drivers implementing QoS should define this callback and
update their EDCA settings accordingly.


# 1.22 16-Jun-2007 damien

constify


# 1.21 11-Jun-2007 damien

adds 802.11e EDCA tables for QAPs and non-AP QSTAs.
not used yet.

ok jsg@ deraadt@


# 1.20 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.19 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 19-Oct-2006 tom

s/Mhz/MHz/ in comments and printf() strings

ok jsg@


Revision tags: OPENBSD_4_0_BASE
# 1.16 27-Jun-2006 reyk

add the net80211 hostap options "nwflag hidenwid" for hidden SSID mode
and "nwflag nobridge" to prevent inter-station communications.
"hidenwid" will also work with wi(4) to replace the old -E 3 option of
wicontrol.

ok damien@ jmc@


# 1.15 24-Jun-2006 deraadt

ieee80211_cfgget() and ieee80211_cfgset() are dead; ok jsg


# 1.14 23-Jun-2006 reyk

add an optional max_rssi attribute to the ieee80211com structure and
allow to export the RSSI Max value with ioctls and by radiotap
headers.

ok damien@ jsg@

description:

we currently use "dB" as an indication for the signal strength in
ifconfig and in the radiotap headers. it means "decibel difference
from an arbitrary, fixed reference". this is quite confusing, because
different chipsets have different references for the dB/rssi values.

we can use the plain RSSI which is described in IEEE 802.11: "The
receive signal strength indicator (RSSI) is an optional parameter that
has a value of 0 through RSSI Max.". all wireless chipsets have
something like a RSSI (normally as a Rx descriptor field), but the
value for RSSI Max is chipset-specific.

if we know the RSSI Max, we can calculate a percentage which is much
easier to understand for the user. we even don't have to use the
absolute RSSI Max, we can use an average RSSI Max, figured out by
monitoring and tuning the RSSI Max of the drivers. if the user gets a
signal of 110%, it would mean "better than the average Max signal".

there's no need to do any RSSI calculations in the kernel, it just
passes the relative rssi and max_rssi values to userspace. this is
done in the ieee80211_nodereq ioctl structure and possible with a new
radiotap header. the radiotap RSSI header allows to get a flexible but
common signal indicator instead of the complex and unrelated dB/dBm
signal fields. it must include two 8bit values current rssi and RSSI
max.


# 1.13 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.12 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.11 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.10 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.9 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.8 13-May-2005 jsg

do { } while (0) wrappers on debug printf macros. ok reyk@


# 1.7 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.6 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.5 15-Feb-2005 reyk

add the manual tx power option. this is supported by some prism2/2.5/3
cards in hostap mode but it depends on the firmware version. support
for other wireless chipsets will be added in the future using the
net80211-framework.

ok robert@ bob@ danh@, tested by some others


# 1.4 25-Dec-2004 deraadt

in real C, there is not , after the last enum entry; ok reyk


# 1.3 06-Dec-2004 dlg

add a flag that lets a wireless card indicate it can receive probe responses
or beacons on any channel during a scan.

ok damien@ "come on" deraadt@


# 1.2 02-Nov-2004 reyk

some changes merged in from netbsd. ieee80211_regdomain.# will be used
by sdr (software defined radios).

ok deraadt@ millert@ damien@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.92 27-Oct-2018 phessler

pass around the ess and ni structures we plan to use directly, instead
of rediscovering them (possibly badly).

OK stsp@


Revision tags: OPENBSD_6_4_BASE
# 1.91 11-Sep-2018 krw

Nuke unused LIST() ieee80211com_head.

ok stsp@


# 1.90 10-Sep-2018 phessler

give set_ess a len variable, so we can correctly match the essid we want
to switch to.

pointed out by stsp@


# 1.89 09-Sep-2018 phessler

convert the things we save in 'join' into a single ioctl. mixing related
settings over multiple calls was risky and racy. Pass essid, wpa, and wep
paramaters in a single ioctl and process it atomically.

no change for 'nwid' users

OK stsp@ benno@


# 1.88 01-Sep-2018 stsp

Make 'ifconfig nwid' override 'ifconfig join'.

There was no way to override a decision made by join's network
selection algorithm (apart from disabling the feature by clearing
the join list). Automatic selection is based on heuristics which
cannot always guess correctly so we need to provide an override.

One specific problem was that if 'nwid foo' and 'nwid bar' were
both visible in the scan and only 'nwid foo' was a member of the
join list, then there was no way at all to connect to 'nwid bar'.
The wireless stack would keep selecting 'nwid foo' instead.

'ifconfig iwm0 nwid bar' command will now disable automatic
network selection and force the use of ESSID 'bar'.
Any of these commands will re-enable automatic network selection:
ifconfig iwm0 -nwid
ifconfig iwm0 nwid ''
ifconfig iwm0 join some-network-id

ok phessler@ deraadt@


# 1.87 06-Aug-2018 stsp

Refactor ieee80211_add_ess():

Drop ieee80211_add_ess's nwid parameter. Read nwid and length directly
from the ic to make it more obvious where this function is reading from.

nwids are binary data with an explicit length, so treat them as such
instead of treating them like strings.

ok florian phessler


# 1.86 11-Jul-2018 phessler

Introduce 'auto-join' to the wifi 802.11 stack.

This allows a system to remember which ESSIDs it wants to connect to, any
relevant security configuration, and switch to it when the network we are
currently connected to is no longer available.

Works when connecting and switching between WPA2/WPA1/WEP/clear encryptions.

example hostname.if:
join home wpakey password
join work wpakey mekmitasdigoat
join open-lounge
join cafe wpakey cafe2018
join "wepnetwork" nwkey "12345"
dhcp
inet6 autoconf
up

OK stsp@ reyk@
and enthusiasm from every hackroom I've been in for the last 3 years


# 1.85 26-Apr-2018 pirofti

net80211: stub SIOCS80211SCAN, make ifconfig scan instant.

The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stsp@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.

The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.

In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.

The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...

Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.

Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).

Tested by mpi@, landry@, florian@, thanks!
OK mpi@.


Revision tags: OPENBSD_6_3_BASE
# 1.84 05-Feb-2018 stsp

Add a new function hook to struct ieee80211com which wireless drivers
can use to process, and then acknowledge or reject, incoming AUTH
requests in hostap mode.

net80211 accepts an AUTH request from any STA which fits into the node
cache. This behaviour doesn't work for devices which have a lower limit
on concurrent STAs they can serve, so such drivers need an override.

This will be used by our athn(4) USB driver soon.

ok kevlo@


# 1.83 12-Dec-2017 stsp

Make IEEE80211_CHAN_ANYC be a NULL pointer instead of a pointer to 0xffff.
Should speed up debugging.
ok phessler patrick


# 1.82 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


# 1.81 06-Nov-2017 phessler

move a function declaration, so the whole net80211 stack can disable wep or wpa

OK stsp@


# 1.80 29-Oct-2017 mpi

Kill unused members using forward declaration only types.

Found with ctfconv(1). ok jsg@, guenther@


Revision tags: OPENBSD_6_2_BASE
# 1.79 31-May-2017 stsp

The net80211 stack was providing a 'beacon miss timeout' value (in ms)
which specified how much time may elapse without beacons before drivers
begin searching for a new AP.

Drivers convert this timeout value into the amount of beacons they're allowed
to miss. Having the stack provide this number upfront simplifies things.

ok mpi@


# 1.78 30-May-2017 stsp

Introduce ieee80211_min_basic_rate() and ieee80211_max_basic_rate().

These helpers can be used by drivers to improve compatibility with APs
that disable some mandatory PHY rates in the basic rate set.

For instance, many of our drivers hard-code 11b rates on 2 GHz and run
into problems when APs disable them. Since 11b rates are being disabled
by default by some vendors, hardcoding them is not a good idea anymore.

ok mpi@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.77 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.76 30-Jan-2017 stsp

Enable ieee80211_edca_table, which was under #if 0. This table can be used
by drivers to pass default EDCA parameters to firmware instead of passing
local hardcoded values.
ok millert@


# 1.75 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.74 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.73 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@


Revision tags: OPENBSD_6_0_BASE
# 1.72 21-May-2016 stsp

Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.71 25-Jan-2016 stsp

Keep track of HT protection settings in beacons and have 11n-capable
drivers update hardware configuration accordingly.
tested by myself, tb@, deraadt@, abieber@
ok mpi@


# 1.70 12-Jan-2016 stsp

Remove wireless turbo mode support. It is a non-standard extension
which only worked with ath(4) devices from a decade ago.
Diff tested on ath(4) hardware by me to verify that 11a/b modes still work.
ok reyk deraadt chris sthen kettenis


# 1.69 06-Jan-2016 stsp

Initialize the A-MPDU parameters field in HT capability elements.
ok kettenis@


# 1.68 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.67 15-Nov-2015 stsp

Expose 11n mode to the ifmedia layer and introduce the concept of MCS.
Make sure 11n features are enabled only if media type is autoselect or 11n.

11n mode uses MCS (modulation & coding scheme) instead of rates like 11a/b/g.
This means we'll have to take the current mode into account and decide whether
to use a rate or an MCS for transmission. Receiving frames on legacy rates
will still work in 11n mode. We just won't be using legacy rates to send
data frames to an STA or AP we negotiated 11n features with.

My initial plan was to grow the ieee80211_rateset structure and treat MCS
just like rates. However, ieee80211_rateset corresponds to rates and xrates
elements in management frames and is copied directly into such elements
so its size cannot change. Thus, MCS stands on its own and corresponds to
elements in management frames related to 11n HT capabilities.

ok deraadt mpi phessler kettenis guenther


# 1.66 15-Nov-2015 stsp

Declare 802.11n mode and channel flags. Tweak 11n related fields in struct
ieee80211com and move them inside #ifndef IEEE80211_NO_HT without breaking
the build in rsu(4) for RAMDISK_CD.
Also declare 11n protection modes and MCS count.
ok deraadt mpi kettenis guenther


# 1.65 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


# 1.64 27-Sep-2015 stsp

Add ieee80211_channel_init(), factored out from ieee80211_ifattach().
Will be used by iwm(4) soon.
ok kettenis@


# 1.63 11-Sep-2015 stsp

Make room for media types of the future. Extend the ifmedia word to 64 bits.
This changes numbers of the SIOCSIFMEDIA and SIOCGIFMEDIA ioctls and
grows struct ifmediareq.

Old ifconfig and dhclient binaries can still assign addresses, however
the 'media' subcommand stops working. Recompiling ifconfig and dhclient
with new headers before a reboot should not be necessary unless in very
special circumstances where non-default media settings must be used to
get link and console access is not available.

There may be some MD fallout but that will be cleared up later.

ok deraadt miod
with help and suggestions from several sharks attending l2k15


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE OPENBSD_5_6_BASE OPENBSD_5_7_BASE OPENBSD_5_8_BASE
# 1.62 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE
# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.60 19-May-2009 damien

prevent injection of raw 802.11 control frames through bpf on drivers
that do not explicitly state this capability (using flag IEEE80211_C_RAWCTL).
also, perform all the sanity checks on injected raw 802.11 frames earlier
(in ieee80211_output instead of ieee80211_encap).

prevent kernel panics with many drivers when running aircrack-ng.
when/if all drivers are capable, we can remove this C_RAWCTL flag.


# 1.59 26-Mar-2009 damien

move #define IEEE80211_NO_HT under #ifdef SMALL_KERNEL instead
of defining it unconditionally.
although the HT code is not ready yet, making it compile on
GENERIC kernels will help catch regressions/bugs if any.


Revision tags: OPENBSD_4_5_BASE
# 1.58 08-Feb-2009 damien

initial 802.11 defragmentation bits.
the code will allow the concurrent reception of fragments of three
fragmented MSDUs or MMPDUs as required by the 802.11 standard.


# 1.57 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.56 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.55 13-Nov-2008 djm

use different TSCs when sending the two MIC failure report frames
to our AP as we enter TKIP countermeasures by caching the TSC of
the last frame to fail the MIC; prompted by and ok damien@


# 1.54 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.53 08-Sep-2008 jsg

define IEEE80211_STA_ONLY if SMALL_KERNEL is defined to shrink
the size of install media.

ok damien@ deraadt@


# 1.52 01-Sep-2008 damien

add ic_tid_noack bitmap to indicate a per-TID ACK policy (1=no ack,
0=normal ack). all bits are currently set to 0.
use this bitmap to set the ACK policy of the QoS control field of
outgoing QoS frames.


# 1.51 01-Sep-2008 damien

rework previously unused ieee80211_pwrsave() function, call it from
ieee80211_mgmt_output() and ieee80211_encap().
use new IEEE80211_C_APPMGT capability flag where appropriate.
rename ic_tim_mcast to ic_tim_mcast_pending.


# 1.50 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.49 29-Aug-2008 damien

garbage collect unused capabilities and configurations flags.
add two capabilities flags: IEEE80211_C_HT for HT STAs (802.11n)
and IEEE80211_C_APPMGT which indicates the capability for an AP
to buffer unicast and multicast traffic for STAs in PS mode.
all drivers claiming HostAP support should support that but the
truth is that none of them do.
most of them are still at the 802.11b-only era and do not update
dynamic parts of beacons or process frames from ic_pwrsaveq.


# 1.48 27-Aug-2008 damien

move definitions of channels attributes away from ieee80211.h such
that ieee80211.h contains only definitions that are part of the
802.11 standard and not constants used internally by net80211.
because channels attributes are exported to userland through the
radiotap BPF interface, add the definitions to ieee80211_radiotap.h
too (which must be kept in sync with what is used in net80211).
also, do not export combinations of channel attributes to userland
so that no one gets stupid ideas.


# 1.47 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.46 12-Aug-2008 damien

nuke unused fields.


# 1.45 12-Aug-2008 damien

add IEEE80211_F_MFPR config flags (management frame protection required)
and IEEE80211_C_MFP capability bit (driver supports MFP).


# 1.44 12-Aug-2008 damien

extend the ic_nw_keys[] array to 6 elements.
indices 0-3 will be used for group data keys while indices 4-5 will
be used for integrity group keys.
add a ic_rsngroupmgmtcipher field too.


# 1.43 12-Aug-2008 damien

Change the way we process EAPOL-Key frames.
Free the mbuf in the ieee80211_eapol_key_input() function.
Do not assume the frame is contiguous, call m_pullup2() if it is not.
We need the frame to be contiguous to process KDEs efficiently in
EAPOL-Key frames (just like we process IEs in management frames).
However, there are drivers like upgt(4) that use m_devget() in the
RX path. m_devget() can return fragmented mbuf chains.
Notice that we should do the same m_pullup2() for management frames.
This will be done later.
Remove the ic_recv_eapol callback.


Revision tags: OPENBSD_4_4_BASE
# 1.42 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.41 27-Jul-2008 damien

sanitize RX path a bit.
make sure drivers pass a contiguous header, check header length earlier.
fix checking of frames sequence number for frames containing an Address 4
field (required for future work).
fix processing of control frames (only pspoll for now).


# 1.40 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.39 21-Jul-2008 damien

instead of passing rx tstamp and rssi to the ieee80211_input function,
pass a pointer to an ieee80211_rxinfo structure containing those two
fields plus an extra flags field that indicates whether the frame was
decrypted by hardware or not.
required for a future fix.


# 1.38 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.37 17-Nov-2007 damien

make it clear in the code and in the man page that the rate2plcp and
plcp2rate functions use plcp codes in most-significant-bit-first format
(R4-R1).
some drivers like wpi(4) and iwn(4) want plcp codes in lsb-first format
so they can't use those functions.
also the IEEE standard uses R1-R4 notation so this can be a bit confusing
for those referring to it.

use u_int8_t for plcp code and rate instead of int.


# 1.36 14-Nov-2007 mglocker

Add ieee80211_rate2plcp() and ieee80211_plcp2rate() functions, which
convert the PLCP header signal field to a rate value and vice versa.

This implementation has been discussed with Damien and doesn't change
any existing net80211 structures.

ok damien@


# 1.35 03-Nov-2007 mglocker

Revert last commit which added ieee80211_rate2plcp() and
ieee80211_plcp2rate() because I've got late feedback from Damien that
he dislikes the implementation method a lot.


# 1.34 01-Nov-2007 mglocker

Add ieee80211_rate2plcp() and ieee80211_plcp2rate() functions.

Help and OK reyk@


# 1.33 22-Aug-2007 damien

- add k_rxmic and k_txmic fields to struct ieee80211_key to store the
Tx/Rx MIC for TKIP.
- add two functions to map a PTK and a GTK to an IEEE 802.11 key and
use them in ieee80211_input.c instead of duplicating the same code.
properly set Tx/Rx MIC in the IEEE 802.11 key in the case of TKIP.
- add ic_psk to struct ieee80211com to store the pre-shared key.
- fix setting of the SECURE bit in outgoing EAPOL-Key frames.
- when receiving msg 2 of the 4-way handshake, deauthenticate the
station if the RSN IE does not match that of the (Re)Association
request.
- before parsing an RSN or WPA IE, check that there's enough room for
the version field (2 bytes) which is mandatory.
- various tweaks while i'm here.


Revision tags: OPENBSD_4_2_BASE
# 1.32 28-Jul-2007 damien

add callbacks that drivers must implement to install/reset keys.
add a 64-bit replay counter for sending EAPOL-Key request frames.
add a ic_recv_eapol callback to process EAPOL frames.
drivers can redefine this callback but net80211 will implement it.


# 1.31 24-Jul-2007 damien

add ic_globalcnt to struct ieee80211com:
in an RSNA, each STA must maintain a 256-bit global key counter that
must be initialized to a random value (see 8.5.7).


# 1.30 18-Jul-2007 damien

replace the ieee80211_wepkey structure with a more generic ieee80211_key
one that can be used with other ciphers than WEP.


# 1.29 05-Jul-2007 damien

split ieee80211_add_rsn() so that the code can be reused for
vendor-specific IE.


# 1.28 04-Jul-2007 damien

add RSN flags for ic_caps and ic_flags.


# 1.27 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.26 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.25 21-Jun-2007 damien

add (currently unused) code to parse RSN IEs.


# 1.24 21-Jun-2007 damien

add fields for EDCA.


# 1.23 17-Jun-2007 damien

Add a new capability flag IEEE80211_C_QOS indicating that the driver
supports QoS.
Add a new flag IEEE80211_F_QOS indicating whether QoS is enabled or not.
Add a callback to notify drivers that AC parameters have changed in
the QBSS. Drivers implementing QoS should define this callback and
update their EDCA settings accordingly.


# 1.22 16-Jun-2007 damien

constify


# 1.21 11-Jun-2007 damien

adds 802.11e EDCA tables for QAPs and non-AP QSTAs.
not used yet.

ok jsg@ deraadt@


# 1.20 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.19 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 19-Oct-2006 tom

s/Mhz/MHz/ in comments and printf() strings

ok jsg@


Revision tags: OPENBSD_4_0_BASE
# 1.16 27-Jun-2006 reyk

add the net80211 hostap options "nwflag hidenwid" for hidden SSID mode
and "nwflag nobridge" to prevent inter-station communications.
"hidenwid" will also work with wi(4) to replace the old -E 3 option of
wicontrol.

ok damien@ jmc@


# 1.15 24-Jun-2006 deraadt

ieee80211_cfgget() and ieee80211_cfgset() are dead; ok jsg


# 1.14 23-Jun-2006 reyk

add an optional max_rssi attribute to the ieee80211com structure and
allow to export the RSSI Max value with ioctls and by radiotap
headers.

ok damien@ jsg@

description:

we currently use "dB" as an indication for the signal strength in
ifconfig and in the radiotap headers. it means "decibel difference
from an arbitrary, fixed reference". this is quite confusing, because
different chipsets have different references for the dB/rssi values.

we can use the plain RSSI which is described in IEEE 802.11: "The
receive signal strength indicator (RSSI) is an optional parameter that
has a value of 0 through RSSI Max.". all wireless chipsets have
something like a RSSI (normally as a Rx descriptor field), but the
value for RSSI Max is chipset-specific.

if we know the RSSI Max, we can calculate a percentage which is much
easier to understand for the user. we even don't have to use the
absolute RSSI Max, we can use an average RSSI Max, figured out by
monitoring and tuning the RSSI Max of the drivers. if the user gets a
signal of 110%, it would mean "better than the average Max signal".

there's no need to do any RSSI calculations in the kernel, it just
passes the relative rssi and max_rssi values to userspace. this is
done in the ieee80211_nodereq ioctl structure and possible with a new
radiotap header. the radiotap RSSI header allows to get a flexible but
common signal indicator instead of the complex and unrelated dB/dBm
signal fields. it must include two 8bit values current rssi and RSSI
max.


# 1.13 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.12 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.11 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.10 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.9 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.8 13-May-2005 jsg

do { } while (0) wrappers on debug printf macros. ok reyk@


# 1.7 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.6 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.5 15-Feb-2005 reyk

add the manual tx power option. this is supported by some prism2/2.5/3
cards in hostap mode but it depends on the firmware version. support
for other wireless chipsets will be added in the future using the
net80211-framework.

ok robert@ bob@ danh@, tested by some others


# 1.4 25-Dec-2004 deraadt

in real C, there is no , after the last enum entry; ok reyk


# 1.3 06-Dec-2004 dlg

add a flag that lets a wireless card indicate it can receive probe responses
or beacons on any channel during a scan.

ok damien@ "come on" deraadt@


# 1.2 02-Nov-2004 reyk

some changes merged in from netbsd. ieee80211_regdomain.# will be used
by sdr (software defined radios).

ok deraadt@ millert@ damien@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.80 29-Oct-2017 mpi

Kill unused members using forward declaration only types.

Found with ctfconv(1). ok jsg@, guenther@


Revision tags: OPENBSD_6_2_BASE
# 1.79 31-May-2017 stsp

The net80211 stack was providing a 'beacon miss timeout' value (in ms)
which specified how much time may elapse without beacons before drivers
begin searching for a new AP.

Drivers convert this timeout value into the amount of beacons they're allowed
to miss. Having the stack provide this number upfront simplifies things.

ok mpi@


# 1.78 30-May-2017 stsp

Introduce ieee80211_min_basic_rate() and ieee80211_max_basic_rate().

These helpers can be used by drivers to improve compatibility with APs
that disable some mandatory PHY rates in the basic rate set.

For instance, many of our drivers hard-code 11b rates on 2 GHz and run
into problems when APs disable them. Since 11b rates are being disabled
by default by some vendors, hardcoding them is not a good idea anymore.

ok mpi@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.77 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.76 30-Jan-2017 stsp

Enable ieee80211_edca_table, which was under #if 0. This table can be used
by drivers to pass default EDCA parameters to firmware instead of passing
local hardcoded values.
ok millert@


# 1.75 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.74 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.73 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@


Revision tags: OPENBSD_6_0_BASE
# 1.72 21-May-2016 stsp

Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.71 25-Jan-2016 stsp

Keep track of HT protection settings in beacons and have 11n-capable
drivers update hardware configuration accordingly.
tested by myself, tb@, deraadt@, abieber@
ok mpi@


# 1.70 12-Jan-2016 stsp

Remove wireless turbo mode support. It is a non-standard extension
which only worked with ath(4) devices from a decade ago.
Diff tested on ath(4) hardware by me to verify that 11a/b modes still work.
ok reyk deraadt chris sthen kettenis


# 1.69 06-Jan-2016 stsp

Initialize the A-MPDU parameters field in HT capability elements.
ok kettenis@


# 1.68 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.67 15-Nov-2015 stsp

Expose 11n mode to the ifmedia layer and introduce the concept of MCS.
Make sure 11n features are enabled only if media type is autoselect or 11n.

11n mode uses MCS (modulation & coding scheme) instead of rates like 11a/b/g.
This means we'll have to take the current mode into account and decide whether
to use a rate or an MCS for transmission. Receiving frames on legacy rates
will still work in 11n mode. We just won't be using legacy rates to send
data frames to an STA or AP we negotiated 11n features with.

My initial plan was to grow the ieee80211_rateset structure and treat MCS
just like rates. However, ieee80211_rateset corresponds to rates and xrates
elements in management frames and is copied directly into such elements
so its size cannot change. Thus, MCS stands on its own and corresponds to
elements in management frames related to 11n HT capabilities.

ok deraadt mpi phessler kettenis guenther


# 1.66 15-Nov-2015 stsp

Declare 802.11n mode and channel flags. Tweak 11n related fields in struct
ieee80211com and move them inside #ifndef IEEE80211_NO_HT without breaking
the build in rsu(4) for RAMDISK_CD.
Also declare 11n protection modes and MCS count.
ok deraadt mpi kettenis guenther


# 1.65 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


# 1.64 27-Sep-2015 stsp

Add ieee80211_channel_init(), factored out from ieee80211_ifattach().
Will be used by iwm(4) soon.
ok kettenis@


# 1.63 11-Sep-2015 stsp

Make room for media types of the future. Extend the ifmedia word to 64 bits.
This changes numbers of the SIOCSIFMEDIA and SIOCGIFMEDIA ioctls and
grows struct ifmediareq.

Old ifconfig and dhclient binaries can still assign addresses, however
the 'media' subcommand stops working. Recompiling ifconfig and dhclient
with new headers before a reboot should not be necessary unless in very
special circumstances where non-default media settings must be used to
get link and console access is not available.

There may be some MD fallout but that will be cleared up later.

ok deraadt miod
with help and suggestions from several sharks attending l2k15


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE OPENBSD_5_6_BASE OPENBSD_5_7_BASE OPENBSD_5_8_BASE
# 1.62 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE
# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.60 19-May-2009 damien

prevent injection of raw 802.11 control frames through bpf on drivers
that do not explicitly state this capability (using flag IEEE80211_C_RAWCTL).
also, perform all the sanity checks on injected raw 802.11 frames earlier
(in ieee80211_output instead of ieee80211_encap).

prevent kernel panics with many drivers when running aircrack-ng.
when/if all drivers are capable, we can remove this C_RAWCTL flag.


# 1.59 26-Mar-2009 damien

move #define IEEE80211_NO_HT under #ifdef SMALL_KERNEL instead
of defining it unconditionally.
although the HT code is not ready yet, making it compile on
GENERIC kernels will help catch regressions/bugs if any.


Revision tags: OPENBSD_4_5_BASE
# 1.58 08-Feb-2009 damien

initial 802.11 defragmentation bits.
the code will allow the concurrent reception of fragments of three
fragmented MSDUs or MMPDUs as required by the 802.11 standard.


# 1.57 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.56 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.55 13-Nov-2008 djm

use different TSCs when sending the two MIC failure report frames
to our AP as we enter TKIP countermeasures by caching the TSC of
the last frame to fail the MIC; prompted by and ok damien@


# 1.54 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.53 08-Sep-2008 jsg

define IEEE80211_STA_ONLY if SMALL_KERNEL is defined to shrink
the size of install media.

ok damien@ deraadt@


# 1.52 01-Sep-2008 damien

add ic_tid_noack bitmap to indicate a per-TID ACK policy (1=no ack,
0=normal ack). all bits are currently set to 0.
use this bitmap to set the ACK policy of the QoS control field of
outgoing QoS frames.


# 1.51 01-Sep-2008 damien

rework previously unused ieee80211_pwrsave() function, call it from
ieee80211_mgmt_output() and ieee80211_encap().
use new IEEE80211_C_APPMGT capability flag where appropriate.
rename ic_tim_mcast to ic_tim_mcast_pending.


# 1.50 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.49 29-Aug-2008 damien

garbage collect unused capabilities and configurations flags.
add two capabilities flags: IEEE80211_C_HT for HT STAs (802.11n)
and IEEE80211_C_APPMGT which indicates the capability for an AP
to buffer unicast and multicast traffic for STAs in PS mode.
all drivers claiming HostAP support should support that but the
truth is that none of them do.
most of them are still at the 802.11b-only era and do not update
dynamic parts of beacons or process frames from ic_pwrsaveq.


# 1.48 27-Aug-2008 damien

move definitions of channels attributes away from ieee80211.h such
that ieee80211.h contains only definitions that are part of the
802.11 standard and not constants used internally by net80211.
because channels attributes are exported to userland through the
radiotap BPF interface, add the definitions to ieee80211_radiotap.h
too (which must be kept in sync with what is used in net80211).
also, do not export combinations of channel attributes to userland
so that no one gets stupid ideas.


# 1.47 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.46 12-Aug-2008 damien

nuke unused fields.


# 1.45 12-Aug-2008 damien

add IEEE80211_F_MFPR config flags (management frame protection required)
and IEEE80211_C_MFP capability bit (driver supports MFP).


# 1.44 12-Aug-2008 damien

extend the ic_nw_keys[] array to 6 elements.
indices 0-3 will be used for group data keys while indices 4-5 will
be used for integrity group keys.
add a ic_rsngroupmgmtcipher field too.


# 1.43 12-Aug-2008 damien

Change the way we process EAPOL-Key frames.
Free the mbuf in the ieee80211_eapol_key_input() function.
Do not assume the frame is contiguous, call m_pullup2() if it is not.
We need the frame to be contiguous to process KDEs efficiently in
EAPOL-Key frames (just like we process IEs in management frames).
However, there are drivers like upgt(4) that use m_devget() in the
RX path. m_devget() can return fragmented mbuf chains.
Notice that we should do the same m_pullup2() for management frames.
This will be done later.
Remove the ic_recv_eapol callback.


Revision tags: OPENBSD_4_4_BASE
# 1.42 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.41 27-Jul-2008 damien

sanitize RX path a bit.
make sure drivers pass a contiguous header, check header length earlier.
fix checking of frames sequence number for frames containing an Address 4
field (required for future work).
fix processing of control frames (only pspoll for now).


# 1.40 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.39 21-Jul-2008 damien

instead of passing rx tstamp and rssi to the ieee80211_input function,
pass a pointer to an ieee80211_rxinfo structure containing those two
fields plus an extra flags field that indicates whether the frame was
decrypted by hardware or not.
required for a future fix.


# 1.38 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.37 17-Nov-2007 damien

make it clear in the code and in the man page that the rate2plcp and
plcp2rate functions use plcp codes in most-significant-bit-first format
(R4-R1).
some drivers like wpi(4) and iwn(4) want plcp codes in lsb-first format
so they can't use those functions.
also the IEEE standard uses R1-R4 notation so this can be a bit confusing
for those referring to it.

use u_int8_t for plcp code and rate instead of int.


# 1.36 14-Nov-2007 mglocker

Add ieee80211_rate2plcp() and ieee80211_plcp2rate() functions, which
convert the PLCP header signal field to a rate value and vice versa.

This implementation has been discussed with Damien and doesn't change
any existing net80211 structures.

ok damien@


# 1.35 03-Nov-2007 mglocker

Revert last commit which added ieee80211_rate2plcp() and
ieee80211_plcp2rate() because I've got late feedback from Damien that
he dislikes the implementation method a lot.


# 1.34 01-Nov-2007 mglocker

Add ieee80211_rate2plcp() and ieee80211_plcp2rate() functions.

Help and OK reyk@


# 1.33 22-Aug-2007 damien

- add k_rxmic and k_txmic fields to struct ieee80211_key to store the
Tx/Rx MIC for TKIP.
- add two functions to map a PTK and a GTK to an IEEE 802.11 key and
use them in ieee80211_input.c instead of duplicating the same code.
properly set Tx/Rx MIC in the IEEE 802.11 key in the case of TKIP.
- add ic_psk to struct ieee80211com to store the pre-shared key.
- fix setting of the SECURE bit in outgoing EAPOL-Key frames.
- when receiving msg 2 of the 4-way handshake, deauthenticate the
station if the RSN IE does not match that of the (Re)Association
request.
- before parsing an RSN or WPA IE, check that there's enough room for
the version field (2 bytes) which is mandatory.
- various tweaks while i'm here.


Revision tags: OPENBSD_4_2_BASE
# 1.32 28-Jul-2007 damien

add callbacks that drivers must implement to install/reset keys.
add a 64-bit replay counter for sending EAPOL-Key request frames.
add a ic_recv_eapol callback to process EAPOL frames.
drivers can redefine this callback but net80211 will implement it.


# 1.31 24-Jul-2007 damien

add ic_globalcnt to struct ieee80211com:
in an RSNA, each STA must maintain a 256-bit global key counter that
must be initialized to a random value (see 8.5.7).


# 1.30 18-Jul-2007 damien

replace the ieee80211_wepkey structure with a more generic ieee80211_key
one that can be used with other ciphers than WEP.


# 1.29 05-Jul-2007 damien

split ieee80211_add_rsn() so that the code can be reused for
vendor-specific IE.


# 1.28 04-Jul-2007 damien

add RSN flags for ic_caps and ic_flags.


# 1.27 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.26 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.25 21-Jun-2007 damien

add (currently unused) code to parse RSN IEs.


# 1.24 21-Jun-2007 damien

add fields for EDCA.


# 1.23 17-Jun-2007 damien

Add a new capability flag IEEE80211_C_QOS indicating that the driver
supports QoS.
Add a new flag IEEE80211_F_QOS indicating whether QoS is enabled or not.
Add a callback to notify drivers that AC parameters have changed in
the QBSS. Drivers implementing QoS should define this callback and
update their EDCA settings accordingly.


# 1.22 16-Jun-2007 damien

constify


# 1.21 11-Jun-2007 damien

adds 802.11e EDCA tables for QAPs and non-AP QSTAs.
not used yet.

ok jsg@ deraadt@


# 1.20 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.19 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 19-Oct-2006 tom

s/Mhz/MHz/ in comments and printf() strings

ok jsg@


Revision tags: OPENBSD_4_0_BASE
# 1.16 27-Jun-2006 reyk

add the net80211 hostap options "nwflag hidenwid" for hidden SSID mode
and "nwflag nobridge" to prevent inter-station communications.
"hidenwid" will also work with wi(4) to replace the old -E 3 option of
wicontrol.

ok damien@ jmc@


# 1.15 24-Jun-2006 deraadt

ieee80211_cfgget() and ieee80211_cfgset() are dead; ok jsg


# 1.14 23-Jun-2006 reyk

add an optional max_rssi attribute to the ieee80211com structure and
allow to export the RSSI Max value with ioctls and by radiotap
headers.

ok damien@ jsg@

description:

we currently use "dB" as an indication for the signal strength in
ifconfig and in the radiotap headers. it means "decibel difference
from an arbitrary, fixed reference". this is quite confusing, because
different chipsets have different references for the dB/rssi values.

we can use the plain RSSI which is described in IEEE 802.11: "The
receive signal strength indicator (RSSI) is an optional parameter that
has a value of 0 through RSSI Max.". all wireless chipsets have
something like a RSSI (normally as a Rx descriptor field), but the
value for RSSI Max is chipset-specific.

if we know the RSSI Max, we can calculate a percentage which is much
easier to understand for the user. we even don't have to use the
absolute RSSI Max, we can use an average RSSI Max, figured out by
monitoring and tuning the RSSI Max of the drivers. if the user gets a
signal of 110%, it would mean "better than the average Max signal".

there's no need to do any RSSI calculations in the kernel, it just
passes the relative rssi and max_rssi values to userspace. this is
done in the ieee80211_nodereq ioctl structure and possible with a new
radiotap header. the radiotap RSSI header allows to get a flexible but
common signal indicator instead of the complex and unrelated dB/dBm
signal fields. it must include two 8bit values current rssi and RSSI
max.


# 1.13 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.12 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.11 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.10 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.9 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.8 13-May-2005 jsg

do { } while (0) wrappers on debug printf macros. ok reyk@


# 1.7 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.6 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.5 15-Feb-2005 reyk

add the manual tx power option. this is supported by some prism2/2.5/3
cards in hostap mode but it depends on the firmware version. support
for other wireless chipsets will be added in the future using the
net80211-framework.

ok robert@ bob@ danh@, tested by some others


# 1.4 25-Dec-2004 deraadt

in real C, there is not , after the last enum entry; ok reyk


# 1.3 06-Dec-2004 dlg

add a flag that lets a wireless card indicate it can receive probe responses
or beacons on any channel during a scan.

ok damien@ "come on" deraadt@


# 1.2 02-Nov-2004 reyk

some changes merged in from netbsd. ieee80211_regdomain.# will be used
by sdr (software defined radios).

ok deraadt@ millert@ damien@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.87 06-Aug-2018 stsp

Refactor ieee80211_add_ess():

Drop ieee80211_add_ess's nwid parameter. Read nwid and length directly
from the ic to make it more obvious where this function is reading from.

nwids are binary data with an explicit length, so treat them as such
instead of treating them like strings.

ok florian phessler


# 1.86 11-Jul-2018 phessler

Introduce 'auto-join' to the wifi 802.11 stack.

This allows a system to remember which ESSIDs it wants to connect to, any
relevant security configuration, and switch to it when the network we are
currently connected to is no longer available.

Works when connecting and switching between WPA2/WPA1/WEP/clear encryptions.

example hostname.if:
join home wpakey password
join work wpakey mekmitasdigoat
join open-lounge
join cafe wpakey cafe2018
join "wepnetwork" nwkey "12345"
dhcp
inet6 autoconf
up

OK stsp@ reyk@
and enthusiasm from every hackroom I've been in for the last 3 years


# 1.85 26-Apr-2018 pirofti

net80211: stub SIOCS80211SCAN, make ifconfig scan instant.

The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stps@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.

The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.

In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.

The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...

Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.

Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).

Tested by mpi@, landry@, florian@, thanks!
OK mpi@.


Revision tags: OPENBSD_6_3_BASE
# 1.84 05-Feb-2018 stsp

Add a new function hook to struct ieee80211com which wireless drivers
can use to process, and then acknowledge or reject, incoming AUTH
requests in hostap mode.

net80211 accepts an AUTH request from any STA which fits into the node
cache. This behaviour doesn't work for devices which have a lower limit
on concurrent STAs they can serve, so such drivers need an override.

This will be used by our athn(4) USB driver soon.

ok kevlo@


# 1.83 12-Dec-2017 stsp

Make IEEE80211_CHAN_ANYC be a NULL pointer instead of a pointer to 0xffff.
Should speed up debugging.
ok phessler patrick


# 1.82 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


# 1.81 06-Nov-2017 phessler

move a function declaration, so the whole net80211 stack can disable wep or wpa

OK stsp@


# 1.80 29-Oct-2017 mpi

Kill unused members using forward declaration only types.

Found with ctfconv(1). ok jsg@, guenther@


Revision tags: OPENBSD_6_2_BASE
# 1.79 31-May-2017 stsp

The net80211 stack was providing a 'beacon miss timeout' value (in ms)
which specified how much time may elapse without beacons before drivers
begin searching for a new AP.

Drivers convert this timeout value into the amount of beacons they're allowed
to miss. Having the stack provide this number upfront simplifies things.

ok mpi@


# 1.78 30-May-2017 stsp

Introduce ieee80211_min_basic_rate() and ieee80211_max_basic_rate().

These helpers can be used by drivers to improve compatibility with APs
that disable some mandatory PHY rates in the basic rate set.

For instance, many of our drivers hard-code 11b rates on 2 GHz and run
into problems when APs disable them. Since 11b rates are being disabled
by default by some vendors, hardcoding them is not a good idea anymore.

ok mpi@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.77 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.76 30-Jan-2017 stsp

Enable ieee80211_edca_table, which was under #if 0. This table can be used
by drivers to pass default EDCA parameters to firmware instead of passing
local hardcoded values.
ok millert@


# 1.75 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.74 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.73 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@


Revision tags: OPENBSD_6_0_BASE
# 1.72 21-May-2016 stsp

Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.71 25-Jan-2016 stsp

Keep track of HT protection settings in beacons and have 11n-capable
drivers update hardware configuration accordingly.
tested by myself, tb@, deraadt@, abieber@
ok mpi@


# 1.70 12-Jan-2016 stsp

Remove wireless turbo mode support. It is a non-standard extension
which only worked with ath(4) devices from a decade ago.
Diff tested on ath(4) hardware by me to verify that 11a/b modes still work.
ok reyk deraadt chris sthen kettenis


# 1.69 06-Jan-2016 stsp

Initialize the A-MPDU parameters field in HT capability elements.
ok kettenis@


# 1.68 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.67 15-Nov-2015 stsp

Expose 11n mode to the ifmedia layer and introduce the concept of MCS.
Make sure 11n features are enabled only if media type is autoselect or 11n.

11n mode uses MCS (modulation & coding scheme) instead of rates like 11a/b/g.
This means we'll have to take the current mode into account and decide whether
to use a rate or an MCS for transmission. Receiving frames on legacy rates
will still work in 11n mode. We just won't be using legacy rates to send
data frames to an STA or AP we negotiated 11n features with.

My initial plan was to grow the ieee80211_rateset structure and treat MCS
just like rates. However, ieee80211_rateset corresponds to rates and xrates
elements in management frames and is copied directly into such elements
so its size cannot change. Thus, MCS stands on its own and corresponds to
elements in management frames related to 11n HT capabilities.

ok deraadt mpi phessler kettenis guenther


# 1.66 15-Nov-2015 stsp

Declare 802.11n mode and channel flags. Tweak 11n related fields in struct
ieee80211com and move them inside #ifndef IEEE80211_NO_HT without breaking
the build in rsu(4) for RAMDISK_CD.
Also declare 11n protection modes and MCS count.
ok deraadt mpi kettenis guenther


# 1.65 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


# 1.64 27-Sep-2015 stsp

Add ieee80211_channel_init(), factored out from ieee80211_ifattach().
Will be used by iwm(4) soon.
ok kettenis@


# 1.63 11-Sep-2015 stsp

Make room for media types of the future. Extend the ifmedia word to 64 bits.
This changes numbers of the SIOCSIFMEDIA and SIOCGIFMEDIA ioctls and
grows struct ifmediareq.

Old ifconfig and dhclient binaries can still assign addresses, however
the 'media' subcommand stops working. Recompiling ifconfig and dhclient
with new headers before a reboot should not be necessary unless in very
special circumstances where non-default media settings must be used to
get link and console access is not available.

There may be some MD fallout but that will be cleared up later.

ok deraadt miod
with help and suggestions from several sharks attending l2k15


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE OPENBSD_5_6_BASE OPENBSD_5_7_BASE OPENBSD_5_8_BASE
# 1.62 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE
# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.60 19-May-2009 damien

prevent injection of raw 802.11 control frames through bpf on drivers
that do not explicitly state this capability (using flag IEEE80211_C_RAWCTL).
also, perform all the sanity checks on injected raw 802.11 frames earlier
(in ieee80211_output instead of ieee80211_encap).

prevent kernel panics with many drivers when running aircrack-ng.
when/if all drivers are capable, we can remove this C_RAWCTL flag.


# 1.59 26-Mar-2009 damien

move #define IEEE80211_NO_HT under #ifdef SMALL_KERNEL instead
of defining it unconditionally.
although the HT code is not ready yet, making it compile on
GENERIC kernels will help catch regressions/bugs if any.


Revision tags: OPENBSD_4_5_BASE
# 1.58 08-Feb-2009 damien

initial 802.11 defragmentation bits.
the code will allow the concurrent reception of fragments of three
fragmented MSDUs or MMPDUs as required by the 802.11 standard.


# 1.57 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.56 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.55 13-Nov-2008 djm

use different TSCs when sending the two MIC failure report frames
to our AP as we enter TKIP countermeasures by caching the TSC of
the last frame to fail the MIC; prompted by and ok damien@


# 1.54 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.53 08-Sep-2008 jsg

define IEEE80211_STA_ONLY if SMALL_KERNEL is defined to shrink
the size of install media.

ok damien@ deraadt@


# 1.52 01-Sep-2008 damien

add ic_tid_noack bitmap to indicate a per-TID ACK policy (1=no ack,
0=normal ack). all bits are currently set to 0.
use this bitmap to set the ACK policy of the QoS control field of
outgoing QoS frames.


# 1.51 01-Sep-2008 damien

rework previously unused ieee80211_pwrsave() function, call it from
ieee80211_mgmt_output() and ieee80211_encap().
use new IEEE80211_C_APPMGT capability flag where appropriate.
rename ic_tim_mcast to ic_tim_mcast_pending.


# 1.50 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.49 29-Aug-2008 damien

garbage collect unused capabilities and configurations flags.
add two capabilities flags: IEEE80211_C_HT for HT STAs (802.11n)
and IEEE80211_C_APPMGT which indicates the capability for an AP
to buffer unicast and multicast traffic for STAs in PS mode.
all drivers claiming HostAP support should support that but the
truth is that none of them do.
most of them are still at the 802.11b-only era and do not update
dynamic parts of beacons or process frames from ic_pwrsaveq.


# 1.48 27-Aug-2008 damien

move definitions of channels attributes away from ieee80211.h such
that ieee80211.h contains only definitions that are part of the
802.11 standard and not constants used internally by net80211.
because channels attributes are exported to userland through the
radiotap BPF interface, add the definitions to ieee80211_radiotap.h
too (which must be kept in sync with what is used in net80211).
also, do not export combinations of channel attributes to userland
so that no one gets stupid ideas.


# 1.47 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.46 12-Aug-2008 damien

nuke unused fields.


# 1.45 12-Aug-2008 damien

add IEEE80211_F_MFPR config flags (management frame protection required)
and IEEE80211_C_MFP capability bit (driver supports MFP).


# 1.44 12-Aug-2008 damien

extend the ic_nw_keys[] array to 6 elements.
indices 0-3 will be used for group data keys while indices 4-5 will
be used for integrity group keys.
add a ic_rsngroupmgmtcipher field too.


# 1.43 12-Aug-2008 damien

Change the way we process EAPOL-Key frames.
Free the mbuf in the ieee80211_eapol_key_input() function.
Do not assume the frame is contiguous, call m_pullup2() if it is not.
We need the frame to be contiguous to process KDEs efficiently in
EAPOL-Key frames (just like we process IEs in management frames).
However, there are drivers like upgt(4) that use m_devget() in the
RX path. m_devget() can return fragmented mbuf chains.
Notice that we should do the same m_pullup2() for management frames.
This will be done later.
Remove the ic_recv_eapol callback.


Revision tags: OPENBSD_4_4_BASE
# 1.42 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.41 27-Jul-2008 damien

sanitize RX path a bit.
make sure drivers pass a contiguous header, check header length earlier.
fix checking of frames sequence number for frames containing an Address 4
field (required for future work).
fix processing of control frames (only pspoll for now).


# 1.40 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.39 21-Jul-2008 damien

instead of passing rx tstamp and rssi to the ieee80211_input function,
pass a pointer to an ieee80211_rxinfo structure containing those two
fields plus an extra flags field that indicates whether the frame was
decrypted by hardware or not.
required for a future fix.


# 1.38 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.37 17-Nov-2007 damien

make it clear in the code and in the man page that the rate2plcp and
plcp2rate functions use plcp codes in most-significant-bit-first format
(R4-R1).
some drivers like wpi(4) and iwn(4) want plcp codes in lsb-first format
so they can't use those functions.
also the IEEE standard uses R1-R4 notation so this can be a bit confusing
for those referring to it.

use u_int8_t for plcp code and rate instead of int.


# 1.36 14-Nov-2007 mglocker

Add ieee80211_rate2plcp() and ieee80211_plcp2rate() functions, which
convert the PLCP header signal field to a rate value and vice versa.

This implementation has been discussed with Damien and doesn't change
any existing net80211 structures.

ok damien@


# 1.35 03-Nov-2007 mglocker

Revert last commit which added ieee80211_rate2plcp() and
ieee80211_plcp2rate() because I've got late feedback from Damien that
he dislikes the implementation method a lot.


# 1.34 01-Nov-2007 mglocker

Add ieee80211_rate2plcp() and ieee80211_plcp2rate() functions.

Help and OK reyk@


# 1.33 22-Aug-2007 damien

- add k_rxmic and k_txmic fields to struct ieee80211_key to store the
Tx/Rx MIC for TKIP.
- add two functions to map a PTK and a GTK to an IEEE 802.11 key and
use them in ieee80211_input.c instead of duplicating the same code.
properly set Tx/Rx MIC in the IEEE 802.11 key in the case of TKIP.
- add ic_psk to struct ieee80211com to store the pre-shared key.
- fix setting of the SECURE bit in outgoing EAPOL-Key frames.
- when receiving msg 2 of the 4-way handshake, deauthenticate the
station if the RSN IE does not match that of the (Re)Association
request.
- before parsing an RSN or WPA IE, check that there's enough room for
the version field (2 bytes) which is mandatory.
- various tweaks while i'm here.


Revision tags: OPENBSD_4_2_BASE
# 1.32 28-Jul-2007 damien

add callbacks that drivers must implement to install/reset keys.
add a 64-bit replay counter for sending EAPOL-Key request frames.
add a ic_recv_eapol callback to process EAPOL frames.
drivers can redefine this callback but net80211 will implement it.


# 1.31 24-Jul-2007 damien

add ic_globalcnt to struct ieee80211com:
in an RSNA, each STA must maintain a 256-bit global key counter that
must be initialized to a random value (see 8.5.7).


# 1.30 18-Jul-2007 damien

replace the ieee80211_wepkey structure with a more generic ieee80211_key
one that can be used with other ciphers than WEP.


# 1.29 05-Jul-2007 damien

split ieee80211_add_rsn() so that the code can be reused for
vendor-specific IE.


# 1.28 04-Jul-2007 damien

add RSN flags for ic_caps and ic_flags.


# 1.27 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.26 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.25 21-Jun-2007 damien

add (currently unused) code to parse RSN IEs.


# 1.24 21-Jun-2007 damien

add fields for EDCA.


# 1.23 17-Jun-2007 damien

Add a new capability flag IEEE80211_C_QOS indicating that the driver
supports QoS.
Add a new flag IEEE80211_F_QOS indicating whether QoS is enabled or not.
Add a callback to notify drivers that AC parameters have changed in
the QBSS. Drivers implementing QoS should define this callback and
update their EDCA settings accordingly.


# 1.22 16-Jun-2007 damien

constify


# 1.21 11-Jun-2007 damien

adds 802.11e EDCA tables for QAPs and non-AP QSTAs.
not used yet.

ok jsg@ deraadt@


# 1.20 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.19 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 19-Oct-2006 tom

s/Mhz/MHz/ in comments and printf() strings

ok jsg@


Revision tags: OPENBSD_4_0_BASE
# 1.16 27-Jun-2006 reyk

add the net80211 hostap options "nwflag hidenwid" for hidden SSID mode
and "nwflag nobridge" to prevent inter-station communications.
"hidenwid" will also work with wi(4) to replace the old -E 3 option of
wicontrol.

ok damien@ jmc@


# 1.15 24-Jun-2006 deraadt

ieee80211_cfgget() and ieee80211_cfgset() are dead; ok jsg


# 1.14 23-Jun-2006 reyk

add an optional max_rssi attribute to the ieee80211com structure and
allow to export the RSSI Max value with ioctls and by radiotap
headers.

ok damien@ jsg@

description:

we currently use "dB" as an indication for the signal strength in
ifconfig and in the radiotap headers. it means "decibel difference
from an arbitrary, fixed reference". this is quite confusing, because
different chipsets have different references for the dB/rssi values.

we can use the plain RSSI which is described in IEEE 802.11: "The
receive signal strength indicator (RSSI) is an optional parameter that
has a value of 0 through RSSI Max.". all wireless chipsets have
something like a RSSI (normally as a Rx descriptor field), but the
value for RSSI Max is chipset-specific.

if we know the RSSI Max, we can calculate a percentage which is much
easier to understand for the user. we even don't have to use the
absolute RSSI Max, we can use an average RSSI Max, figured out by
monitoring and tuning the RSSI Max of the drivers. if the user gets a
signal of 110%, it would mean "better than the average Max signal".

there's no need to do any RSSI calculations in the kernel, it just
passes the relative rssi and max_rssi values to userspace. this is
done in the ieee80211_nodereq ioctl structure and possible with a new
radiotap header. the radiotap RSSI header allows to get a flexible but
common signal indicator instead of the complex and unrelated dB/dBm
signal fields. it must include two 8bit values current rssi and RSSI
max.


# 1.13 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.12 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.11 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.10 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.9 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.8 13-May-2005 jsg

do { } while (0) wrappers on debug printf macros. ok reyk@


# 1.7 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.6 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.5 15-Feb-2005 reyk

add the manual tx power option. this is supported by some prism2/2.5/3
cards in hostap mode but it depends on the firmware version. support
for other wireless chipsets will be added in the future using the
net80211-framework.

ok robert@ bob@ danh@, tested by some others


# 1.4 25-Dec-2004 deraadt

in real C, there is not , after the last enum entry; ok reyk


# 1.3 06-Dec-2004 dlg

add a flag that lets a wireless card indicate it can receive probe responses
or beacons on any channel during a scan.

ok damien@ "come on" deraadt@


# 1.2 02-Nov-2004 reyk

some changes merged in from netbsd. ieee80211_regdomain.# will be used
by sdr (software defined radios).

ok deraadt@ millert@ damien@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.86 11-Jul-2018 phessler

Introduce 'auto-join' to the wifi 802.11 stack.

This allows a system to remember which ESSIDs it wants to connect to, any
relevant security configuration, and switch to it when the network we are
currently connected to is no longer available.

Works when connecting and switching between WPA2/WPA1/WEP/clear encryptions.

example hostname.if:
join home wpakey password
join work wpakey mekmitasdigoat
join open-lounge
join cafe wpakey cafe2018
join "wepnetwork" nwkey "12345"
dhcp
inet6 autoconf
up

OK stsp@ reyk@
and enthusiasm from every hackroom I've been in for the last 3 years


# 1.85 26-Apr-2018 pirofti

net80211: stub SIOCS80211SCAN, make ifconfig scan instant.

The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stps@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.

The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.

In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.

The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...

Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.

Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).

Tested by mpi@, landry@, florian@, thanks!
OK mpi@.


Revision tags: OPENBSD_6_3_BASE
# 1.84 05-Feb-2018 stsp

Add a new function hook to struct ieee80211com which wireless drivers
can use to process, and then acknowledge or reject, incoming AUTH
requests in hostap mode.

net80211 accepts an AUTH request from any STA which fits into the node
cache. This behaviour doesn't work for devices which have a lower limit
on concurrent STAs they can serve, so such drivers need an override.

This will be used by our athn(4) USB driver soon.

ok kevlo@


# 1.83 12-Dec-2017 stsp

Make IEEE80211_CHAN_ANYC be a NULL pointer instead of a pointer to 0xffff.
Should speed up debugging.
ok phessler patrick


# 1.82 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


# 1.81 06-Nov-2017 phessler

move a function declaration, so the whole net80211 stack can disable wep or wpa

OK stsp@


# 1.80 29-Oct-2017 mpi

Kill unused members using forward declaration only types.

Found with ctfconv(1). ok jsg@, guenther@


Revision tags: OPENBSD_6_2_BASE
# 1.79 31-May-2017 stsp

The net80211 stack was providing a 'beacon miss timeout' value (in ms)
which specified how much time may elapse without beacons before drivers
begin searching for a new AP.

Drivers convert this timeout value into the amount of beacons they're allowed
to miss. Having the stack provide this number upfront simplifies things.

ok mpi@


# 1.78 30-May-2017 stsp

Introduce ieee80211_min_basic_rate() and ieee80211_max_basic_rate().

These helpers can be used by drivers to improve compatibility with APs
that disable some mandatory PHY rates in the basic rate set.

For instance, many of our drivers hard-code 11b rates on 2 GHz and run
into problems when APs disable them. Since 11b rates are being disabled
by default by some vendors, hardcoding them is not a good idea anymore.

ok mpi@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.77 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.76 30-Jan-2017 stsp

Enable ieee80211_edca_table, which was under #if 0. This table can be used
by drivers to pass default EDCA parameters to firmware instead of passing
local hardcoded values.
ok millert@


# 1.75 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.74 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.73 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@


Revision tags: OPENBSD_6_0_BASE
# 1.72 21-May-2016 stsp

Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.71 25-Jan-2016 stsp

Keep track of HT protection settings in beacons and have 11n-capable
drivers update hardware configuration accordingly.
tested by myself, tb@, deraadt@, abieber@
ok mpi@


# 1.70 12-Jan-2016 stsp

Remove wireless turbo mode support. It is a non-standard extension
which only worked with ath(4) devices from a decade ago.
Diff tested on ath(4) hardware by me to verify that 11a/b modes still work.
ok reyk deraadt chris sthen kettenis


# 1.69 06-Jan-2016 stsp

Initialize the A-MPDU parameters field in HT capability elements.
ok kettenis@


# 1.68 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.67 15-Nov-2015 stsp

Expose 11n mode to the ifmedia layer and introduce the concept of MCS.
Make sure 11n features are enabled only if media type is autoselect or 11n.

11n mode uses MCS (modulation & coding scheme) instead of rates like 11a/b/g.
This means we'll have to take the current mode into account and decide whether
to use a rate or an MCS for transmission. Receiving frames on legacy rates
will still work in 11n mode. We just won't be using legacy rates to send
data frames to an STA or AP we negotiated 11n features with.

My initial plan was to grow the ieee80211_rateset structure and treat MCS
just like rates. However, ieee80211_rateset corresponds to rates and xrates
elements in management frames and is copied directly into such elements
so its size cannot change. Thus, MCS stands on its own and corresponds to
elements in management frames related to 11n HT capabilities.

ok deraadt mpi phessler kettenis guenther


# 1.66 15-Nov-2015 stsp

Declare 802.11n mode and channel flags. Tweak 11n related fields in struct
ieee80211com and move them inside #ifndef IEEE80211_NO_HT without breaking
the build in rsu(4) for RAMDISK_CD.
Also declare 11n protection modes and MCS count.
ok deraadt mpi kettenis guenther


# 1.65 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


# 1.64 27-Sep-2015 stsp

Add ieee80211_channel_init(), factored out from ieee80211_ifattach().
Will be used by iwm(4) soon.
ok kettenis@


# 1.63 11-Sep-2015 stsp

Make room for media types of the future. Extend the ifmedia word to 64 bits.
This changes numbers of the SIOCSIFMEDIA and SIOCGIFMEDIA ioctls and
grows struct ifmediareq.

Old ifconfig and dhclient binaries can still assign addresses, however
the 'media' subcommand stops working. Recompiling ifconfig and dhclient
with new headers before a reboot should not be necessary unless in very
special circumstances where non-default media settings must be used to
get link and console access is not available.

There may be some MD fallout but that will be cleared up later.

ok deraadt miod
with help and suggestions from several sharks attending l2k15


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE OPENBSD_5_6_BASE OPENBSD_5_7_BASE OPENBSD_5_8_BASE
# 1.62 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE
# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.60 19-May-2009 damien

prevent injection of raw 802.11 control frames through bpf on drivers
that do not explicitly state this capability (using flag IEEE80211_C_RAWCTL).
also, perform all the sanity checks on injected raw 802.11 frames earlier
(in ieee80211_output instead of ieee80211_encap).

prevent kernel panics with many drivers when running aircrack-ng.
when/if all drivers are capable, we can remove this C_RAWCTL flag.


# 1.59 26-Mar-2009 damien

move #define IEEE80211_NO_HT under #ifdef SMALL_KERNEL instead
of defining it unconditionally.
although the HT code is not ready yet, making it compile on
GENERIC kernels will help catch regressions/bugs if any.


Revision tags: OPENBSD_4_5_BASE
# 1.58 08-Feb-2009 damien

initial 802.11 defragmentation bits.
the code will allow the concurrent reception of fragments of three
fragmented MSDUs or MMPDUs as required by the 802.11 standard.


# 1.57 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.56 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.55 13-Nov-2008 djm

use different TSCs when sending the two MIC failure report frames
to our AP as we enter TKIP countermeasures by caching the TSC of
the last frame to fail the MIC; prompted by and ok damien@


# 1.54 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.53 08-Sep-2008 jsg

define IEEE80211_STA_ONLY if SMALL_KERNEL is defined to shrink
the size of install media.

ok damien@ deraadt@


# 1.52 01-Sep-2008 damien

add ic_tid_noack bitmap to indicate a per-TID ACK policy (1=no ack,
0=normal ack). all bits are currently set to 0.
use this bitmap to set the ACK policy of the QoS control field of
outgoing QoS frames.


# 1.51 01-Sep-2008 damien

rework previously unused ieee80211_pwrsave() function, call it from
ieee80211_mgmt_output() and ieee80211_encap().
use new IEEE80211_C_APPMGT capability flag where appropriate.
rename ic_tim_mcast to ic_tim_mcast_pending.


# 1.50 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.49 29-Aug-2008 damien

garbage collect unused capabilities and configurations flags.
add two capabilities flags: IEEE80211_C_HT for HT STAs (802.11n)
and IEEE80211_C_APPMGT which indicates the capability for an AP
to buffer unicast and multicast traffic for STAs in PS mode.
all drivers claiming HostAP support should support that but the
truth is that none of them do.
most of them are still at the 802.11b-only era and do not update
dynamic parts of beacons or process frames from ic_pwrsaveq.


# 1.48 27-Aug-2008 damien

move definitions of channels attributes away from ieee80211.h such
that ieee80211.h contains only definitions that are part of the
802.11 standard and not constants used internally by net80211.
because channels attributes are exported to userland through the
radiotap BPF interface, add the definitions to ieee80211_radiotap.h
too (which must be kept in sync with what is used in net80211).
also, do not export combinations of channel attributes to userland
so that no one gets stupid ideas.


# 1.47 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.46 12-Aug-2008 damien

nuke unused fields.


# 1.45 12-Aug-2008 damien

add IEEE80211_F_MFPR config flags (management frame protection required)
and IEEE80211_C_MFP capability bit (driver supports MFP).


# 1.44 12-Aug-2008 damien

extend the ic_nw_keys[] array to 6 elements.
indices 0-3 will be used for group data keys while indices 4-5 will
be used for integrity group keys.
add a ic_rsngroupmgmtcipher field too.


# 1.43 12-Aug-2008 damien

Change the way we process EAPOL-Key frames.
Free the mbuf in the ieee80211_eapol_key_input() function.
Do not assume the frame is contiguous, call m_pullup2() if it is not.
We need the frame to be contiguous to process KDEs efficiently in
EAPOL-Key frames (just like we process IEs in management frames).
However, there are drivers like upgt(4) that use m_devget() in the
RX path. m_devget() can return fragmented mbuf chains.
Notice that we should do the same m_pullup2() for management frames.
This will be done later.
Remove the ic_recv_eapol callback.


Revision tags: OPENBSD_4_4_BASE
# 1.42 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.41 27-Jul-2008 damien

sanitize RX path a bit.
make sure drivers pass a contiguous header, check header length earlier.
fix checking of frames sequence number for frames containing an Address 4
field (required for future work).
fix processing of control frames (only pspoll for now).


# 1.40 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.39 21-Jul-2008 damien

instead of passing rx tstamp and rssi to the ieee80211_input function,
pass a pointer to an ieee80211_rxinfo structure containing those two
fields plus an extra flags field that indicates whether the frame was
decrypted by hardware or not.
required for a future fix.


# 1.38 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.37 17-Nov-2007 damien

make it clear in the code and in the man page that the rate2plcp and
plcp2rate functions use plcp codes in most-significant-bit-first format
(R4-R1).
some drivers like wpi(4) and iwn(4) want plcp codes in lsb-first format
so they can't use those functions.
also the IEEE standard uses R1-R4 notation so this can be a bit confusing
for those referring to it.

use u_int8_t for plcp code and rate instead of int.


# 1.36 14-Nov-2007 mglocker

Add ieee80211_rate2plcp() and ieee80211_plcp2rate() functions, which
convert the PLCP header signal field to a rate value and vice versa.

This implementation has been discussed with Damien and doesn't change
any existing net80211 structures.

ok damien@


# 1.35 03-Nov-2007 mglocker

Revert last commit which added ieee80211_rate2plcp() and
ieee80211_plcp2rate() because I've got late feedback from Damien that
he dislikes the implementation method a lot.


# 1.34 01-Nov-2007 mglocker

Add ieee80211_rate2plcp() and ieee80211_plcp2rate() functions.

Help and OK reyk@


# 1.33 22-Aug-2007 damien

- add k_rxmic and k_txmic fields to struct ieee80211_key to store the
Tx/Rx MIC for TKIP.
- add two functions to map a PTK and a GTK to an IEEE 802.11 key and
use them in ieee80211_input.c instead of duplicating the same code.
properly set Tx/Rx MIC in the IEEE 802.11 key in the case of TKIP.
- add ic_psk to struct ieee80211com to store the pre-shared key.
- fix setting of the SECURE bit in outgoing EAPOL-Key frames.
- when receiving msg 2 of the 4-way handshake, deauthenticate the
station if the RSN IE does not match that of the (Re)Association
request.
- before parsing an RSN or WPA IE, check that there's enough room for
the version field (2 bytes) which is mandatory.
- various tweaks while i'm here.


Revision tags: OPENBSD_4_2_BASE
# 1.32 28-Jul-2007 damien

add callbacks that drivers must implement to install/reset keys.
add a 64-bit replay counter for sending EAPOL-Key request frames.
add a ic_recv_eapol callback to process EAPOL frames.
drivers can redefine this callback but net80211 will implement it.


# 1.31 24-Jul-2007 damien

add ic_globalcnt to struct ieee80211com:
in an RSNA, each STA must maintain a 256-bit global key counter that
must be initialized to a random value (see 8.5.7).


# 1.30 18-Jul-2007 damien

replace the ieee80211_wepkey structure with a more generic ieee80211_key
one that can be used with other ciphers than WEP.


# 1.29 05-Jul-2007 damien

split ieee80211_add_rsn() so that the code can be reused for
vendor-specific IE.


# 1.28 04-Jul-2007 damien

add RSN flags for ic_caps and ic_flags.


# 1.27 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.26 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.25 21-Jun-2007 damien

add (currently unused) code to parse RSN IEs.


# 1.24 21-Jun-2007 damien

add fields for EDCA.


# 1.23 17-Jun-2007 damien

Add a new capability flag IEEE80211_C_QOS indicating that the driver
supports QoS.
Add a new flag IEEE80211_F_QOS indicating whether QoS is enabled or not.
Add a callback to notify drivers that AC parameters have changed in
the QBSS. Drivers implementing QoS should define this callback and
update their EDCA settings accordingly.


# 1.22 16-Jun-2007 damien

constify


# 1.21 11-Jun-2007 damien

adds 802.11e EDCA tables for QAPs and non-AP QSTAs.
not used yet.

ok jsg@ deraadt@


# 1.20 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.19 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 19-Oct-2006 tom

s/Mhz/MHz/ in comments and printf() strings

ok jsg@


Revision tags: OPENBSD_4_0_BASE
# 1.16 27-Jun-2006 reyk

add the net80211 hostap options "nwflag hidenwid" for hidden SSID mode
and "nwflag nobridge" to prevent inter-station communications.
"hidenwid" will also work with wi(4) to replace the old -E 3 option of
wicontrol.

ok damien@ jmc@


# 1.15 24-Jun-2006 deraadt

ieee80211_cfgget() and ieee80211_cfgset() are dead; ok jsg


# 1.14 23-Jun-2006 reyk

add an optional max_rssi attribute to the ieee80211com structure and
allow to export the RSSI Max value with ioctls and by radiotap
headers.

ok damien@ jsg@

description:

we currently use "dB" as an indication for the signal strength in
ifconfig and in the radiotap headers. it means "decibel difference
from an arbitrary, fixed reference". this is quite confusing, because
different chipsets have different references for the dB/rssi values.

we can use the plain RSSI which is described in IEEE 802.11: "The
receive signal strength indicator (RSSI) is an optional parameter that
has a value of 0 through RSSI Max.". all wireless chipsets have
something like a RSSI (normally as a Rx descriptor field), but the
value for RSSI Max is chipset-specific.

if we know the RSSI Max, we can calculate a percentage which is much
easier to understand for the user. we even don't have to use the
absolute RSSI Max, we can use an average RSSI Max, figured out by
monitoring and tuning the RSSI Max of the drivers. if the user gets a
signal of 110%, it would mean "better than the average Max signal".

there's no need to do any RSSI calculations in the kernel, it just
passes the relative rssi and max_rssi values to userspace. this is
done in the ieee80211_nodereq ioctl structure and possible with a new
radiotap header. the radiotap RSSI header allows to get a flexible but
common signal indicator instead of the complex and unrelated dB/dBm
signal fields. it must include two 8bit values current rssi and RSSI
max.


# 1.13 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.12 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.11 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.10 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.9 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.8 13-May-2005 jsg

do { } while (0) wrappers on debug printf macros. ok reyk@


# 1.7 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.6 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.5 15-Feb-2005 reyk

add the manual tx power option. this is supported by some prism2/2.5/3
cards in hostap mode but it depends on the firmware version. support
for other wireless chipsets will be added in the future using the
net80211-framework.

ok robert@ bob@ danh@, tested by some others


# 1.4 25-Dec-2004 deraadt

in real C, there is no , after the last enum entry; ok reyk


# 1.3 06-Dec-2004 dlg

add a flag that lets a wireless card indicate it can receive probe responses
or beacons on any channel during a scan.

ok damien@ "come on" deraadt@


# 1.2 02-Nov-2004 reyk

some changes merged in from netbsd. ieee80211_regdomain.# will be used
by sdr (software defined radios).

ok deraadt@ millert@ damien@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.85 26-Apr-2018 pirofti

net80211: stub SIOCS80211SCAN, make ifconfig scan instant.

The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stsp@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.

The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.

In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.

The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...

Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.

Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).

Tested by mpi@, landry@, florian@, thanks!
OK mpi@.


Revision tags: OPENBSD_6_3_BASE
# 1.84 05-Feb-2018 stsp

Add a new function hook to struct ieee80211com which wireless drivers
can use to process, and then acknowledge or reject, incoming AUTH
requests in hostap mode.

net80211 accepts an AUTH request from any STA which fits into the node
cache. This behaviour doesn't work for devices which have a lower limit
on concurrent STAs they can serve, so such drivers need an override.

This will be used by our athn(4) USB driver soon.

ok kevlo@


# 1.83 12-Dec-2017 stsp

Make IEEE80211_CHAN_ANYC be a NULL pointer instead of a pointer to 0xffff.
Should speed up debugging.
ok phessler patrick


# 1.82 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


# 1.81 06-Nov-2017 phessler

move a function declaration, so the whole net80211 stack can disable wep or wpa

OK stsp@


# 1.80 29-Oct-2017 mpi

Kill unused members using forward declaration only types.

Found with ctfconv(1). ok jsg@, guenther@


Revision tags: OPENBSD_6_2_BASE
# 1.79 31-May-2017 stsp

The net80211 stack was providing a 'beacon miss timeout' value (in ms)
which specified how much time may elapse without beacons before drivers
begin searching for a new AP.

Drivers convert this timeout value into the amount of beacons they're allowed
to miss. Having the stack provide this number upfront simplifies things.

ok mpi@


# 1.78 30-May-2017 stsp

Introduce ieee80211_min_basic_rate() and ieee80211_max_basic_rate().

These helpers can be used by drivers to improve compatibility with APs
that disable some mandatory PHY rates in the basic rate set.

For instance, many of our drivers hard-code 11b rates on 2 GHz and run
into problems when APs disable them. Since 11b rates are being disabled
by default by some vendors, hardcoding them is not a good idea anymore.

ok mpi@ phessler@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE
# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.60 19-May-2009 damien

prevent injection of raw 802.11 control frames through bpf on drivers
that do not explicitly state this capability (using flag IEEE80211_C_RAWCTL).
also, perform all the sanity checks on injected raw 802.11 frames earlier
(in ieee80211_output instead of ieee80211_encap).

prevent kernel panics with many drivers when running aircrack-ng.
when/if all drivers are capable, we can remove this C_RAWCTL flag.


# 1.59 26-Mar-2009 damien

move #define IEEE80211_NO_HT under #ifdef SMALL_KERNEL instead
of defining it unconditionally.
although the HT code is not ready yet, making it compile on
GENERIC kernels will help catch regressions/bugs if any.


Revision tags: OPENBSD_4_5_BASE
# 1.58 08-Feb-2009 damien

initial 802.11 defragmentation bits.
the code will allow the concurrent reception of fragments of three
fragmented MSDUs or MMPDUs as required by the 802.11 standard.


# 1.57 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.56 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.55 13-Nov-2008 djm

use different TSCs when sending the two MIC failure report frames
to our AP as we enter TKIP countermeasures by caching the TSC of
the last frame to fail the MIC; prompted by and ok damien@


# 1.54 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.53 08-Sep-2008 jsg

define IEEE80211_STA_ONLY if SMALL_KERNEL is defined to shrink
the size of install media.

ok damien@ deraadt@


# 1.52 01-Sep-2008 damien

add ic_tid_noack bitmap to indicate a per-TID ACK policy (1=no ack,
0=normal ack). all bits are currently set to 0.
use this bitmap to set the ACK policy of the QoS control field of
outgoing QoS frames.


# 1.51 01-Sep-2008 damien

rework previously unused ieee80211_pwrsave() function, call it from
ieee80211_mgmt_output() and ieee80211_encap().
use new IEEE80211_C_APPMGT capability flag where appropriate.
rename ic_tim_mcast to ic_tim_mcast_pending.


# 1.50 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.49 29-Aug-2008 damien

garbage collect unused capabilities and configurations flags.
add two capabilities flags: IEEE80211_C_HT for HT STAs (802.11n)
and IEEE80211_C_APPMGT which indicates the capability for an AP
to buffer unicast and multicast traffic for STAs in PS mode.
all drivers claiming HostAP support should support that but the
truth is that none of them do.
most of them are still at the 802.11b-only era and do not update
dynamic parts of beacons or process frames from ic_pwrsaveq.


# 1.48 27-Aug-2008 damien

move definitions of channels attributes away from ieee80211.h such
that ieee80211.h contains only definitions that are part of the
802.11 standard and not constants used internally by net80211.
because channels attributes are exported to userland through the
radiotap BPF interface, add the definitions to ieee80211_radiotap.h
too (which must be kept in sync with what is used in net80211).
also, do not export combinations of channel attributes to userland
so that no one gets stupid ideas.


# 1.47 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.46 12-Aug-2008 damien

nuke unused fields.


# 1.45 12-Aug-2008 damien

add IEEE80211_F_MFPR config flags (management frame protection required)
and IEEE80211_C_MFP capability bit (driver supports MFP).


# 1.44 12-Aug-2008 damien

extend the ic_nw_keys[] array to 6 elements.
indices 0-3 will be used for group data keys while indices 4-5 will
be used for integrity group keys.
add a ic_rsngroupmgmtcipher field too.


# 1.43 12-Aug-2008 damien

Change the way we process EAPOL-Key frames.
Free the mbuf in the ieee80211_eapol_key_input() function.
Do not assume the frame is contiguous, call m_pullup2() if it is not.
We need the frame to be contiguous to process KDEs efficiently in
EAPOL-Key frames (just like we process IEs in management frames).
However, there are drivers like upgt(4) that use m_devget() in the
RX path. m_devget() can return fragmented mbuf chains.
Notice that we should do the same m_pullup2() for management frames.
This will be done later.
Remove the ic_recv_eapol callback.


Revision tags: OPENBSD_4_4_BASE
# 1.42 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.41 27-Jul-2008 damien

sanitize RX path a bit.
make sure drivers pass a contiguous header, check header length earlier.
fix checking of frames sequence number for frames containing an Address 4
field (required for future work).
fix processing of control frames (only pspoll for now).


# 1.40 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.39 21-Jul-2008 damien

instead of passing rx tstamp and rssi to the ieee80211_input function,
pass a pointer to an ieee80211_rxinfo structure containing those two
fields plus an extra flags field that indicates whether the frame was
decrypted by hardware or not.
required for a future fix.


# 1.38 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.37 17-Nov-2007 damien

make it clear in the code and in the man page that the rate2plcp and
plcp2rate functions use plcp codes in most-significant-bit-first format
(R4-R1).
some drivers like wpi(4) and iwn(4) want plcp codes in lsb-first format
so they can't use those functions.
also the IEEE standard uses R1-R4 notation so this can be a bit confusing
for those referring to it.

use u_int8_t for plcp code and rate instead of int.


# 1.36 14-Nov-2007 mglocker

Add ieee80211_rate2plcp() and ieee80211_plcp2rate() functions, which
convert the PLCP header signal field to a rate value and vice versa.

This implementation has been discussed with Damien and doesn't change
any existing net80211 structures.

ok damien@


# 1.35 03-Nov-2007 mglocker

Revert last commit which added ieee80211_rate2plcp() and
ieee80211_plcp2rate() because I've got a late feedback from Damien that
he dislikes the implementation method a lot.


# 1.34 01-Nov-2007 mglocker

Add ieee80211_rate2plcp() and ieee80211_plcp2rate() functions.

Help and OK reyk@


# 1.33 22-Aug-2007 damien

- add k_rxmic and k_txmic fields to struct ieee80211_key to store the
Tx/Rx MIC for TKIP.
- add two functions to map a PTK and a GTK to an IEEE 802.11 key and
use them in ieee80211_input.c instead of duplicating the same code.
properly set Tx/Rx MIC in the IEEE 802.11 key in the case of TKIP.
- add ic_psk to struct ieee80211com to store the pre-shared key.
- fix setting of the SECURE bit in outgoing EAPOL-Key frames.
- when receiving msg 2 of the 4-way handshake, deauthenticate the
station if the RSN IE does not match that of the (Re)Association
request.
- before parsing an RSN or WPA IE, check that there's enough room for
the version field (2 bytes) which is mandatory.
- various tweaks while i'm here.


Revision tags: OPENBSD_4_2_BASE
# 1.32 28-Jul-2007 damien

add callbacks that drivers must implement to install/reset keys.
add a 64-bit replay counter for sending EAPOL-Key request frames.
add a ic_recv_eapol callback to process EAPOL frames.
drivers can redefine this callback but net80211 will implement it.


# 1.31 24-Jul-2007 damien

add ic_globalcnt to struct ieee80211com:
in an RSNA, each STA must maintain a 256-bit global key counter that
must be initialized to a random value (see 8.5.7).


# 1.30 18-Jul-2007 damien

replace the ieee80211_wepkey structure with a more generic ieee80211_key
one that can be used with other ciphers than WEP.


# 1.29 05-Jul-2007 damien

split ieee80211_add_rsn() so that the code can be reused for
vendor-specific IE.


# 1.28 04-Jul-2007 damien

add RSN flags for ic_caps and ic_flags.


# 1.27 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.26 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.25 21-Jun-2007 damien

add (currently unused) code to parse RSN IEs.


# 1.24 21-Jun-2007 damien

add fields for EDCA.


# 1.23 17-Jun-2007 damien

Add a new capability flag IEEE80211_C_QOS indicating that the driver
supports QoS.
Add a new flag IEEE80211_F_QOS indicating whether QoS is enabled or not.
Add a callback to notify drivers that AC parameters have changed in
the QBSS. Drivers implementing QoS should define this callback and
update their EDCA settings accordingly.


# 1.22 16-Jun-2007 damien

constify


# 1.21 11-Jun-2007 damien

adds 802.11e EDCA tables for QAPs and non-AP QSTAs.
not used yet.

ok jsg@ deraadt@


# 1.20 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.19 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 19-Oct-2006 tom

s/Mhz/MHz/ in comments and printf() strings

ok jsg@


Revision tags: OPENBSD_4_0_BASE
# 1.16 27-Jun-2006 reyk

add the net80211 hostap options "nwflag hidenwid" for hidden SSID mode
and "nwflag nobridge" to prevent inter-station communications.
"hidenwid" will also work with wi(4) to replace the old -E 3 option of
wicontrol.

ok damien@ jmc@


# 1.15 24-Jun-2006 deraadt

ieee80211_cfgget() and ieee80211_cfgset() are dead; ok jsg


# 1.14 23-Jun-2006 reyk

add an optional max_rssi attribute to the ieee80211com structure and
allow to export the RSSI Max value with ioctls and by radiotap
headers.

ok damien@ jsg@

description:

we currently use "dB" as an indication for the signal strength in
ifconfig and in the radiotap headers. it means "decibel difference
from an arbitrary, fixed reference". this is quite confusing, because
different chipsets have different references for the dB/rssi values.

we can use the plain RSSI which is described in IEEE 802.11: "The
receive signal strength indicator (RSSI) is an optional parameter that
has a value of 0 through RSSI Max.". all wireless chipsets have
something like a RSSI (normally as a Rx descriptor field), but the
value for RSSI Max is chipset-specific.

if we know the RSSI Max, we can calculate a percentage which is much
easier to understand for the user. we even don't have to use the
absolute RSSI Max, we can use an average RSSI Max, figured out by
monitoring and tuning the RSSI Max of the drivers. if the user gets a
signal of 110%, it would mean "better than the average Max signal".

there's no need to do any RSSI calculations in the kernel, it just
passes the relative rssi and max_rssi values to userspace. this is
done in the ieee80211_nodereq ioctl structure and possible with a new
radiotap header. the radiotap RSSI header allows to get a flexible but
common signal indicator instead of the complex and unrelated dB/dBm
signal fields. it must include two 8bit values current rssi and RSSI
max.


# 1.13 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.12 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.11 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.10 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.9 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.8 13-May-2005 jsg

do { } while (0) wrappers on debug printf macros. ok reyk@


# 1.7 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.6 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.5 15-Feb-2005 reyk

add the manual tx power option. this is supported by some prism2/2.5/3
cards in hostap mode but it depends on the firmware version. support
for other wireless chipsets will be added in the future using the
net80211-framework.

ok robert@ bob@ danh@, tested by some others


# 1.4 25-Dec-2004 deraadt

in real C, there is not , after the last enum entry; ok reyk


# 1.3 06-Dec-2004 dlg

add a flag that lets a wireless card indicate it can receive probe responses
or beacons on any channel during a scan.

ok damien@ "come on" deraadt@


# 1.2 02-Nov-2004 reyk

some changes merged in from netbsd. ieee80211_regdomain.# will be used
by sdr (software defined radios).

ok deraadt@ millert@ damien@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.84 05-Feb-2018 stsp

Add a new function hook to struct ieee80211com which wireless drivers
can use to process, and then acknowledge or reject, incoming AUTH
requests in hostap mode.

net80211 accepts an AUTH request from any STA which fits into the node
cache. This behaviour doesn't work for devices which have a lower limit
on concurrent STAs they can serve, so such drivers need an override.

This will be used by our athn(4) USB driver soon.

ok kevlo@


# 1.83 12-Dec-2017 stsp

Make IEEE80211_CHAN_ANYC be a NULL pointer instead of a pointer to 0xffff.
Should speed up debugging.
ok phessler patrick


# 1.82 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


# 1.81 06-Nov-2017 phessler

move a function declaration, so the whole net80211 stack can disable wep or wpa

OK stsp@


# 1.80 29-Oct-2017 mpi

Kill unused members using forward declaration only types.

Found with ctfconv(1). ok jsg@, guenther@


Revision tags: OPENBSD_6_2_BASE
# 1.79 31-May-2017 stsp

The net80211 stack was providing a 'beacon miss timeout' value (in ms)
which specified how much time may elapse without beacons before drivers
begin searching for a new AP.

Drivers convert this timeout value into the amount of beacons they're allowed
to miss. Having the stack provide this number upfront simplifies things.

ok mpi@


# 1.78 30-May-2017 stsp

Introduce ieee80211_min_basic_rate() and ieee80211_max_basic_rate().

These helpers can be used by drivers to improve compatibility with APs
that disable some mandatory PHY rates in the basic rate set.

For instance, many of our drivers hard-code 11b rates on 2 GHz and run
into problems when APs disable them. Since 11b rates are being disabled
by default by some vendors, hardcoding them is not a good idea anymore.

ok mpi@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.77 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.76 30-Jan-2017 stsp

Enable ieee80211_edca_table, which was under #if 0. This table can be used
by drivers to pass default EDCA parameters to firmware instead of passing
local hardcoded values.
ok millert@


# 1.75 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.74 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.73 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@


Revision tags: OPENBSD_6_0_BASE
# 1.72 21-May-2016 stsp

Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.71 25-Jan-2016 stsp

Keep track of HT protection settings in beacons and have 11n-capable
drivers update hardware configuration accordingly.
tested by myself, tb@, deraadt@, abieber@
ok mpi@


# 1.70 12-Jan-2016 stsp

Remove wireless turbo mode support. It is a non-standard extension
which only worked with ath(4) devices from a decade ago.
Diff tested on ath(4) hardware by me to verify that 11a/b modes still work.
ok reyk deraadt chris sthen kettenis


# 1.69 06-Jan-2016 stsp

Initialize the A-MPDU parameters field in HT capability elements.
ok kettenis@


# 1.68 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.67 15-Nov-2015 stsp

Expose 11n mode to the ifmedia layer and introduce the concept of MCS.
Make sure 11n features are enabled only if media type is autoselect or 11n.

11n mode uses MCS (modulation & coding scheme) instead of rates like 11a/b/g.
This means we'll have to take the current mode into account and decide whether
to use a rate or an MCS for transmission. Receiving frames on legacy rates
will still work in 11n mode. We just won't be using legacy rates to send
data frames to an STA or AP we negotiated 11n features with.

My initial plan was to grow the ieee80211_rateset structure and treat MCS
just like rates. However, ieee80211_rateset corresponds to rates and xrates
elements in management frames and is copied directly into such elements
so its size cannot change. Thus, MCS stands on its own and corresponds to
elements in management frames related to 11n HT capabilities.

ok deraadt mpi phessler kettenis guenther


# 1.66 15-Nov-2015 stsp

Declare 802.11n mode and channel flags. Tweak 11n related fields in struct
ieee80211com and move them inside #ifndef IEEE80211_NO_HT without breaking
the build in rsu(4) for RAMDISK_CD.
Also declare 11n protection modes and MCS count.
ok deraadt mpi kettenis guenther


# 1.65 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


# 1.64 27-Sep-2015 stsp

Add ieee80211_channel_init(), factored out from ieee80211_ifattach().
Will be used by iwm(4) soon.
ok kettenis@


# 1.63 11-Sep-2015 stsp

Make room for media types of the future. Extend the ifmedia word to 64 bits.
This changes numbers of the SIOCSIFMEDIA and SIOCGIFMEDIA ioctls and
grows struct ifmediareq.

Old ifconfig and dhclient binaries can still assign addresses, however
the 'media' subcommand stops working. Recompiling ifconfig and dhclient
with new headers before a reboot should not be necessary unless in very
special circumstances where non-default media settings must be used to
get link and console access is not available.

There may be some MD fallout but that will be cleared up later.

ok deraadt miod
with help and suggestions from several sharks attending l2k15


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE OPENBSD_5_6_BASE OPENBSD_5_7_BASE OPENBSD_5_8_BASE
# 1.62 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE
# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.60 19-May-2009 damien

prevent injection of raw 802.11 control frames through bpf on drivers
that do not explicitly state this capability (using flag IEEE80211_C_RAWCTL).
also, perform all the sanity checks on injected raw 802.11 frames earlier
(in ieee80211_output instead of ieee80211_encap).

prevent kernel panics with many drivers when running aircrack-ng.
when/if all drivers are capable, we can remove this C_RAWCTL flag.


# 1.59 26-Mar-2009 damien

move #define IEEE80211_NO_HT under #ifdef SMALL_KERNEL instead
of defining it unconditionnaly.
although the HT code is not ready yet, making it compile on
GENERIC kernels will help catch regressions/bugs if any.


Revision tags: OPENBSD_4_5_BASE
# 1.58 08-Feb-2009 damien

initial 802.11 defragmentation bits.
the code will allow the concurrent reception of fragments of three
fragmented MSDUs or MMPDUs as required by the 802.11 standard.


# 1.57 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.56 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occured in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.55 13-Nov-2008 djm

use different TSCs when sending the two MIC failure report frames
to our AP as we enter TKIP countermeasures by caching the TSC of
the last frame to fail the MIC; prompted by and ok damien@


# 1.54 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.53 08-Sep-2008 jsg

define IEEE80211_STA_ONLY if SMALL_KERNEL is defined to shrink
the size of install media.

ok damien@ deraadt@


# 1.52 01-Sep-2008 damien

add ic_tid_noack bitmap to indicate a per-TID ACK policy (1=no ack,
0=normal ack). all bits are currently set to 0.
use this bitmap to set the ACK policy of the QoS control field of
outgoing QoS frames.


# 1.51 01-Sep-2008 damien

rework previously unused ieee80211_pwrsave() function, call it from
ieee80211_mgmt_output() and ieee80211_encap().
use new IEEE80211_C_APPMGT capability flag where appropriate.
rename ic_tim_mcast to ic_tim_mcast_pending.


# 1.50 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.49 29-Aug-2008 damien

garbage collect unused capabilities and configurations flags.
add two capabilities flags: IEEE80211_C_HT for HT STAs (802.11n)
and IEEE80211_C_APPMGT which indicates the capability for an AP
to buffer unicast and multicast traffic for STAs in PS mode.
all drivers claiming HostAP support should support that but the
truth is that none of them do.
most of them are still at the 802.11b-only era and do not update
dynamic parts of beacons or process frames from ic_pwrsaveq.


# 1.48 27-Aug-2008 damien

move definitions of channels attributes away from ieee80211.h such
that ieee80211.h contains only definitions that are part of the
802.11 standard and not constants used internally by net80211.
because channels attributes are exported to userland through the
radiotap BPF interface, add the definitions to ieee80211_radiotap.h
too (which must be kept in sync with what is used in net80211).
also, do not export combinations of channel attributes to userland
so that no one gets stupid ideas.


# 1.47 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.46 12-Aug-2008 damien

nuke unused fields.


# 1.45 12-Aug-2008 damien

add IEEE80211_F_MFPR config flags (management frame protection required)
and IEEE80211_C_MFP capability bit (driver supports MFP).


# 1.44 12-Aug-2008 damien

extend the ic_nw_keys[] array to 6 elements.
indices 0-3 will be used for group data keys while indices 4-5 will
be used for integrity group keys.
add a ic_rsngroupmgmtcipher field too.


# 1.43 12-Aug-2008 damien

Change the way we process EAPOL-Key frames.
Free the mbuf in the ieee80211_eapol_key_input() function.
Do not assume the frame is contiguous, call m_pullup2() if it is not.
We need the frame to be contiguous to process KDEs efficiently in
EAPOL-Key frames (just like we process IEs in management frames).
However, there are drivers like upgt(4) that use m_devget() in the
RX path. m_devget() can return fragmented mbuf chains.
Notice that we should do the same m_pullup2() for management frames.
This will be done later.
Remove the ic_recv_eapol callback.


Revision tags: OPENBSD_4_4_BASE
# 1.42 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.41 27-Jul-2008 damien

sanitize RX path a bit.
make sure drivers pass a contiguous header, check header length earlier.
fix checking of frames sequence number for frames containing an Address 4
field (required for future work).
fix processing of control frames (only pspoll for now).


# 1.40 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.39 21-Jul-2008 damien

instead of passing rx tstamp and rssi to the ieee80211_input function,
pass a pointer to an ieee80211_rxinfo structure containing those two
fields plus an extra flags field that indicates whether the frame was
decrypted by hardware or not.
required for a future fix.


# 1.38 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.37 17-Nov-2007 damien

make it clear in the code and in the man page that the rate2plcp and
plcp2rate functions use plcp codes in most-significant-bit-first format
(R4-R1).
some drivers like wpi(4) and iwn(4) want plcp codes in lsb-first format
so they can't use those functions.
also the IEEE standard uses R1-R4 notation so this can be a bit confusing
for those referring to it.

use u_int8_t for plcp code and rate instead of int.


# 1.36 14-Nov-2007 mglocker

Add ieee80211_rate2plcp() and ieee80211_plcp2rate() functions, which
convert the PLCP header signal field to a rate value and vice versa.

This implementation has been discussed with Damien and doesn't change
any existing net80211 structures.

ok damien@


# 1.35 03-Nov-2007 mglocker

Revert last commit which added ieee80211_rate2plcp() and
ieee80211_plcp2rate() because I've got a late feedback from Damien that
he dislikes the implementation method a lot.


# 1.34 01-Nov-2007 mglocker

Add ieee80211_rate2plcp() and ieee80211_plcp2rate() functions.

Help and OK reyk@


# 1.33 22-Aug-2007 damien

- add k_rxmic and k_txmic fields to struct ieee80211_key to store the
Tx/Rx MIC for TKIP.
- add two functions to map a PTK and a GTK to an IEEE 802.11 key and
use them in ieee80211_input.c instead of duplicating the same code.
properly set Tx/Rx MIC in the IEEE 802.11 key in the case of TKIP.
- add ic_psk to struct ieee80211com to store the pre-shared key.
- fix setting of the SECURE bit in outgoing EAPOL-Key frames.
- when receiving msg 2 of the 4-way handshake, deauthenticate the
station if the RSN IE does not match that of the (Re)Association
request.
- before parsing an RSN or WPA IE, check that there's enough room for
the version field (2 bytes) which is mandatory.
- various tweaks while i'm here.


Revision tags: OPENBSD_4_2_BASE
# 1.32 28-Jul-2007 damien

add callbacks that drivers must implement to install/reset keys.
add a 64-bit replay counter for sending EAPOL-Key request frames.
add a ic_recv_eapol callback to process EAPOL frames.
drivers can redefine this callback but net80211 will implement it.


# 1.31 24-Jul-2007 damien

add ic_globalcnt to struct ieee80211com:
in an RSNA, each STA must maintain a 256-bit global key counter that
must be initialized to a random value (see 8.5.7).


# 1.30 18-Jul-2007 damien

replace the ieee80211_wepkey structure with a more generic ieee80211_key
one that can be used with other ciphers than WEP.


# 1.29 05-Jul-2007 damien

split ieee80211_add_rsn() so that the code can be reused for
vendor-specific IE.


# 1.28 04-Jul-2007 damien

add RSN flags for ic_caps and ic_flags.


# 1.27 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.26 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.25 21-Jun-2007 damien

add (currently unused) code to parse RSN IEs.


# 1.24 21-Jun-2007 damien

add fields for EDCA.


# 1.23 17-Jun-2007 damien

Add a new capability flag IEEE80211_C_QOS indicating that the driver
supports QoS.
Add a new flag IEEE80211_F_QOS indicating whether QoS is enabled or not.
Add a callback to notify drivers that AC parameters have changed in
the QBSS. Drivers implementing QoS should define this callback and
update their EDCA settings accordingly.


# 1.22 16-Jun-2007 damien

constify


# 1.21 11-Jun-2007 damien

adds 802.11e EDCA tables for QAPs and non-AP QSTAs.
not used yet.

ok jsg@ deraadt@


# 1.20 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.19 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 19-Oct-2006 tom

s/Mhz/MHz/ in comments and printf() strings

ok jsg@


Revision tags: OPENBSD_4_0_BASE
# 1.16 27-Jun-2006 reyk

add the net80211 hostap options "nwflag hidenwid" for hidden SSID mode
and "nwflag nobridge" to prevent inter-station communications.
"hidenwid" will also work with wi(4) to replace the old -E 3 option of
wicontrol.

ok damien@ jmc@


# 1.15 24-Jun-2006 deraadt

ieee80211_cfgget() and ieee80211_cfgset() are dead; ok jsg


# 1.14 23-Jun-2006 reyk

add an optional max_rssi attribute to the ieee80211com structure and
allow to export the RSSI Max value with ioctls and by radiotap
headers.

ok damien@ jsg@

description:

we currently use "dB" as an indication for the signal strength in
ifconfig and in the radiotap headers. it means "decibel difference
from an arbitrary, fixed reference". this is quite confusing, because
different chipsets have different references for the dB/rssi values.

we can use the plain RSSI which is described in IEEE 802.11: "The
receive signal strength indicator (RSSI) is an optional parameter that
has a value of 0 through RSSI Max.". all wireless chipsets have
something like a RSSI (normally as a Rx descriptor field), but the
value for RSSI Max is chipset-specific.

if we know the RSSI Max, we can calculate a percentage which is much
easier to understand for the user. we even don't have to use the
absolute RSSI Max, we can use an average RSSI Max, figured out by
monitoring and tuning the RSSI Max of the drivers. if the user gets a
signal of 110%, it would mean "better than the average Max signal".

there's no need to do any RSSI calculations in the kernel, it just
passes the relative rssi and max_rssi values to userspace. this is
done in the ieee80211_nodereq ioctl structure and possible with a new
radiotap header. the radiotap RSSI header allows to get a flexible but
common signal indicator instead of the complex and unrelated dB/dBm
signal fields. it must include two 8bit values current rssi and RSSI
max.


# 1.13 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.12 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.11 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.10 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.9 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.8 13-May-2005 jsg

do { } while (0) wrappers on debug printf macros. ok reyk@


# 1.7 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.6 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.5 15-Feb-2005 reyk

add the manual tx power option. this is supported by some prism2/2.5/3
cards in hostap mode but it depends on the firmware version. support
for other wireless chipsets will be added in the future using the
net80211-framework.

ok robert@ bob@ danh@, tested by some others


# 1.4 25-Dec-2004 deraadt

in real C, there is not , after the last enum entry; ok reyk


# 1.3 06-Dec-2004 dlg

add a flag that lets a wireless card indicate it can receive probe responses
or beacons on any channel during a scan.

ok damien@ "come on" deraadt@


# 1.2 02-Nov-2004 reyk

some changes merged in from netbsd. ieee80211_regdomain.# will be used
by sdr (software defined radios).

ok deraadt@ millert@ damien@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.83 12-Dec-2017 stsp

Make IEEE80211_CHAN_ANYC be a NULL pointer instead of a pointer to 0xffff.
Should speed up debugging.
ok phessler patrick


# 1.82 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


# 1.81 06-Nov-2017 phessler

move a function declaration, so the whole net80211 stack can disable wep or wpa

OK stsp@


# 1.80 29-Oct-2017 mpi

Kill unused members using forward declaration only types.

Found with ctfconv(1). ok jsg@, guenther@


Revision tags: OPENBSD_6_2_BASE
# 1.79 31-May-2017 stsp

The net80211 stack was providing a 'beacon miss timeout' value (in ms)
which specified how much time may elapse without beacons before drivers
begin searching for a new AP.

Drivers convert this timeout value into the amount of beacons they're allowed
to miss. Having the stack provide this number upfront simplifies things.

ok mpi@


# 1.78 30-May-2017 stsp

Introduce ieee80211_min_basic_rate() and ieee80211_max_basic_rate().

These helpers can be used by drivers to improve compatibility with APs
that disable some mandatory PHY rates in the basic rate set.

For instance, many of our drivers hard-code 11b rates on 2 GHz and run
into problems when APs disable them. Since 11b rates are being disabled
by default by some vendors, hardcoding them is not a good idea anymore.

ok mpi@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.77 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.76 30-Jan-2017 stsp

Enable ieee80211_edca_table, which was under #if 0. This table can be used
by drivers to pass default EDCA parameters to firmware instead of passing
local hardcoded values.
ok millert@


# 1.75 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.74 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.73 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@


Revision tags: OPENBSD_6_0_BASE
# 1.72 21-May-2016 stsp

Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.71 25-Jan-2016 stsp

Keep track of HT protection settings in beacons and have 11n-capable
drivers update hardware configuration accordingly.
tested by myself, tb@, deraadt@, abieber@
ok mpi@


# 1.70 12-Jan-2016 stsp

Remove wireless turbo mode support. It is a non-standard extension
which only worked with ath(4) devices from a decade ago.
Diff tested on ath(4) hardware by me to verify that 11a/b modes still work.
ok reyk deraadt chris sthen kettenis


# 1.69 06-Jan-2016 stsp

Initialize the A-MPDU parameters field in HT capability elements.
ok kettenis@


# 1.68 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.67 15-Nov-2015 stsp

Expose 11n mode to the ifmedia layer and introduce the concept of MCS.
Make sure 11n features are enabled only if media type is autoselect or 11n.

11n mode uses MCS (modulation & coding scheme) instead of rates like 11a/b/g.
This means we'll have to take the current mode into account and decide whether
to use a rate or an MCS for transmission. Receiving frames on legacy rates
will still work in 11n mode. We just won't be using legacy rates to send
data frames to an STA or AP we negotiated 11n features with.

My initial plan was to grow the ieee80211_rateset structure and treat MCS
just like rates. However, ieee80211_rateset corresponds to rates and xrates
elements in management frames and is copied directly into such elements
so its size cannot change. Thus, MCS stands on its own and corresponds to
elements in management frames related to 11n HT capabilities.

ok deraadt mpi phessler kettenis guenther


# 1.66 15-Nov-2015 stsp

Declare 802.11n mode and channel flags. Tweak 11n related fields in struct
ieee80211com and move them inside #ifndef IEEE80211_NO_HT without breaking
the build in rsu(4) for RAMDISK_CD.
Also declare 11n protection modes and MCS count.
ok deraadt mpi kettenis guenther


# 1.65 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


# 1.64 27-Sep-2015 stsp

Add ieee80211_channel_init(), factored out from ieee80211_ifattach().
Will be used by iwm(4) soon.
ok kettenis@


# 1.63 11-Sep-2015 stsp

Make room for media types of the future. Extend the ifmedia word to 64 bits.
This changes numbers of the SIOCSIFMEDIA and SIOCGIFMEDIA ioctls and
grows struct ifmediareq.

Old ifconfig and dhclient binaries can still assign addresses, however
the 'media' subcommand stops working. Recompiling ifconfig and dhclient
with new headers before a reboot should not be necessary unless in very
special circumstances where non-default media settings must be used to
get link and console access is not available.

There may be some MD fallout but that will be cleared up later.

ok deraadt miod
with help and suggestions from several sharks attending l2k15


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE OPENBSD_5_6_BASE OPENBSD_5_7_BASE OPENBSD_5_8_BASE
# 1.62 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE
# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.60 19-May-2009 damien

prevent injection of raw 802.11 control frames through bpf on drivers
that do not explicitly state this capability (using flag IEEE80211_C_RAWCTL).
also, perform all the sanity checks on injected raw 802.11 frames earlier
(in ieee80211_output instead of ieee80211_encap).

prevent kernel panics with many drivers when running aircrack-ng.
when/if all drivers are capable, we can remove this C_RAWCTL flag.


Revision tags: OPENBSD_4_3_BASE
# 1.37 17-Nov-2007 damien

make it clear in the code and in the man page that the rate2plcp and
plcp2rate functions use plcp codes in most-significant-bit-first format
(R4-R1).
some drivers like wpi(4) and iwn(4) want plcp codes in lsb-first format
so they can't use those functions.
also the IEEE standard uses R1-R4 notation so this can be a bit confusing
for those referring to it.

use u_int8_t for plcp code and rate instead of int.


# 1.36 14-Nov-2007 mglocker

Add ieee80211_rate2plcp() and ieee80211_plcp2rate() functions, which
convert the PLCP header signal field to a rate value and vice versa.

This implementation has been discussed with Damien and doesn't change
any existing net80211 structures.

ok damien@


# 1.35 03-Nov-2007 mglocker

Revert last commit which added ieee80211_rate2plcp() and
ieee80211_plcp2rate() because I've got late feedback from Damien that
he dislikes the implementation method a lot.


# 1.34 01-Nov-2007 mglocker

Add ieee80211_rate2plcp() and ieee80211_plcp2rate() functions.

Help and OK reyk@


# 1.33 22-Aug-2007 damien

- add k_rxmic and k_txmic fields to struct ieee80211_key to store the
Tx/Rx MIC for TKIP.
- add two functions to map a PTK and a GTK to an IEEE 802.11 key and
use them in ieee80211_input.c instead of duplicating the same code.
properly set Tx/Rx MIC in the IEEE 802.11 key in the case of TKIP.
- add ic_psk to struct ieee80211com to store the pre-shared key.
- fix setting of the SECURE bit in outgoing EAPOL-Key frames.
- when receiving msg 2 of the 4-way handshake, deauthenticate the
station if the RSN IE does not match that of the (Re)Association
request.
- before parsing an RSN or WPA IE, check that there's enough room for
the version field (2 bytes) which is mandatory.
- various tweaks while i'm here.


Revision tags: OPENBSD_4_2_BASE
# 1.32 28-Jul-2007 damien

add callbacks that drivers must implement to install/reset keys.
add a 64-bit replay counter for sending EAPOL-Key request frames.
add a ic_recv_eapol callback to process EAPOL frames.
drivers can redefine this callback but net80211 will implement it.


# 1.31 24-Jul-2007 damien

add ic_globalcnt to struct ieee80211com:
in an RSNA, each STA must maintain a 256-bit global key counter that
must be initialized to a random value (see 8.5.7).


# 1.30 18-Jul-2007 damien

replace the ieee80211_wepkey structure with a more generic ieee80211_key
one that can be used with other ciphers than WEP.


# 1.29 05-Jul-2007 damien

split ieee80211_add_rsn() so that the code can be reused for
vendor-specific IE.


# 1.28 04-Jul-2007 damien

add RSN flags for ic_caps and ic_flags.


# 1.27 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.26 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.25 21-Jun-2007 damien

add (currently unused) code to parse RSN IEs.


# 1.24 21-Jun-2007 damien

add fields for EDCA.


# 1.23 17-Jun-2007 damien

Add a new capability flag IEEE80211_C_QOS indicating that the driver
supports QoS.
Add a new flag IEEE80211_F_QOS indicating whether QoS is enabled or not.
Add a callback to notify drivers that AC parameters have changed in
the QBSS. Drivers implementing QoS should define this callback and
update their EDCA settings accordingly.


# 1.22 16-Jun-2007 damien

constify


# 1.21 11-Jun-2007 damien

adds 802.11e EDCA tables for QAPs and non-AP QSTAs.
not used yet.

ok jsg@ deraadt@


# 1.20 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.19 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 19-Oct-2006 tom

s/Mhz/MHz/ in comments and printf() strings

ok jsg@


Revision tags: OPENBSD_4_0_BASE
# 1.16 27-Jun-2006 reyk

add the net80211 hostap options "nwflag hidenwid" for hidden SSID mode
and "nwflag nobridge" to prevent inter-station communications.
"hidenwid" will also work with wi(4) to replace the old -E 3 option of
wicontrol.

ok damien@ jmc@


# 1.15 24-Jun-2006 deraadt

ieee80211_cfgget() and ieee80211_cfgset() are dead; ok jsg


# 1.14 23-Jun-2006 reyk

add an optional max_rssi attribute to the ieee80211com structure and
allow to export the RSSI Max value with ioctls and by radiotap
headers.

ok damien@ jsg@

description:

we currently use "dB" as an indication for the signal strength in
ifconfig and in the radiotap headers. it means "decibel difference
from an arbitrary, fixed reference". this is quite confusing, because
different chipsets have different references for the dB/rssi values.

we can use the plain RSSI which is described in IEEE 802.11: "The
receive signal strength indicator (RSSI) is an optional parameter that
has a value of 0 through RSSI Max.". all wireless chipsets have
something like a RSSI (normally as a Rx descriptor field), but the
value for RSSI Max is chipset-specific.

if we know the RSSI Max, we can calculate a percentage which is much
easier to understand for the user. we even don't have to use the
absolute RSSI Max, we can use an average RSSI Max, figured out by
monitoring and tuning the RSSI Max of the drivers. if the user gets a
signal of 110%, it would mean "better than the average Max signal".

there's no need to do any RSSI calculations in the kernel, it just
passes the relative rssi and max_rssi values to userspace. this is
done in the ieee80211_nodereq ioctl structure and possible with a new
radiotap header. the radiotap RSSI header allows to get a flexible but
common signal indicator instead of the complex and unrelated dB/dBm
signal fields. it must include two 8bit values current rssi and RSSI
max.


# 1.13 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.12 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.11 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.10 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.9 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.8 13-May-2005 jsg

do { } while (0) wrappers on debug printf macros. ok reyk@


# 1.7 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.6 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.5 15-Feb-2005 reyk

add the manual tx power option. this is supported by some prism2/2.5/3
cards in hostap mode but it depends on the firmware version. support
for other wireless chipsets will be added in the future using the
net80211-framework.

ok robert@ bob@ danh@, tested by some others


# 1.4 25-Dec-2004 deraadt

in real C, there is no , after the last enum entry; ok reyk


# 1.3 06-Dec-2004 dlg

add a flag that lets a wireless card indicate it can receive probe responses
or beacons on any channel during a scan.

ok damien@ "come on" deraadt@


# 1.2 02-Nov-2004 reyk

some changes merged in from netbsd. ieee80211_regdomain.# will be used
by sdr (software defined radios).

ok deraadt@ millert@ damien@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.