History log of /openbsd-current/sys/net80211/ieee80211_node.c
Revision Date Author Comments
# 1.198 22-Oct-2023 stsp

fix 40 MHz channel validation checks for the 2.4 GHz channel range

Just like the 5 GHz channels, 2.4 GHz channels are spaced 5 MHz apart.
40 MHz wide channels hence span channels [N, N + 4] not [N, N + 1].
Adjust our secondary channel range checks accordingly.


# 1.197 21-Oct-2023 stsp

ignore wide channel configs that do not appear in the 802.11ac spec

Wide channel configurations not listed in operating class tables of
the 802.11ac spec can trigger regulatory assertion failures in iwm(4)
firmware, and potentially other device firmware.
Ignore non-standard channels configs such that we downgrade to 40MHz
or even 20MHz to make such APs usable, albeit at lower speed.

Found by dlg@ with a mikrotik AP advertising channel configs that do
not appear as such in the spec:
80 MHz: |104|108|112|116|
40 MHz: |primary: 112|secondary above: 116|
Either of these triggered iwm0: 0x000014FD | ADVANCED_SYSASSERT

Fix tested by myself on iwx(4) AX200 and dlg@ on iwm(4) 7260.
Johannes Berg helped with deciphering the error code, thanks!
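
An added illustration of the two channel checks described in 1.197 and 1.198 above (example code written for this page, not code from OpenBSD's net80211): ht40_valid() and vht80_valid() accept only the 40 MHz pairs and 80 MHz blocks listed in the operating-class tables of IEEE 802.11 Annex E, and derive the secondary channel as N plus or minus 4 in both bands, since channel numbers are spaced 5 MHz apart in 2.4 GHz as well as in 5 GHz. The function names and the choice of the 80 MHz center channel as input are this example's own; the channel lists come from the standard.

```c
/*
 * Added example, not OpenBSD code: validate 40 MHz and 80 MHz channel
 * configurations against the operating-class tables of IEEE 802.11
 * (Annex E). Channel numbers in both bands are spaced 5 MHz apart, so
 * the secondary 20 MHz channel of a 40 MHz pair is N +/- 4, not N +/- 1.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HT40_BELOW	0
#define HT40_ABOVE	1

/* Lower channel of every 40 MHz pair the 5 GHz operating classes allow. */
static const uint8_t ht40_5ghz_lower[] = {
	36, 44, 52, 60, 100, 108, 116, 124, 132, 140, 149, 157
};

/* Center channel of every 80 MHz block the 802.11ac operating class allows. */
static const uint8_t vht80_center[] = { 42, 58, 106, 122, 138, 155 };

static int
in_list(uint8_t chan, const uint8_t *list, size_t n)
{
	size_t i;

	for (i = 0; i < n; i++)
		if (list[i] == chan)
			return 1;
	return 0;
}

/* Secondary channel of a 40 MHz pair built on "primary", or 0 if none. */
int
ht40_secondary(uint8_t primary, int above)
{
	if (above)
		return primary + 4;
	return primary >= 4 ? primary - 4 : 0;
}

/*
 * Return 1 if "primary" may carry a 40 MHz configuration with the
 * secondary channel above (above != 0) or below it.
 */
int
ht40_valid(uint8_t primary, int above)
{
	if (primary >= 1 && primary <= 14) {
		/*
		 * 2.4 GHz: operating classes 83 (primary 1-9, secondary
		 * above) and 84 (primary 5-13, secondary below). Channel 14
		 * sits 12 MHz above channel 13 and belongs to no pair.
		 */
		if (above)
			return primary <= 9;
		return primary >= 5 && primary <= 13;
	}
	if (above)
		return in_list(primary, ht40_5ghz_lower,
		    sizeof(ht40_5ghz_lower));
	/* Secondary below: "primary" must be the upper half of a pair. */
	return primary >= 4 && in_list(primary - 4, ht40_5ghz_lower,
	    sizeof(ht40_5ghz_lower));
}

/* Return 1 if an 80 MHz block with this center channel exists. */
int
vht80_valid(uint8_t center)
{
	return in_list(center, vht80_center, sizeof(vht80_center));
}

int
main(void)
{
	/* The two configurations advertised by the AP in the commit above. */
	printf("40 MHz primary 112, secondary above: %s\n",
	    ht40_valid(112, HT40_ABOVE) ? "valid" : "not in spec, downgrade");
	printf("80 MHz 104-116 (center 110): %s\n",
	    vht80_valid(110) ? "valid" : "not in spec, downgrade");
	return 0;
}
```

Both configurations from the commit fail the check: 112 is the upper half of the 108/112 pair, so it can only carry "secondary below", and 104..116 straddles the 100..112 and 116..128 blocks, so its center 110 is not a listed 80 MHz center. A stack that rejects them falls back to a listed 40 MHz pair or to 20 MHz instead of handing the firmware a configuration it will assert on.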


Revision tags: OPENBSD_7_4_BASE
# 1.196 11-Apr-2023 jsg

fix double words in comments
feedback and ok jmc@ miod, ok millert@


Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE OPENBSD_7_3_BASE
# 1.195 20-Mar-2022 stsp

Make background scans pick up APs on 2GHz channels while in 11ac mode.

found by landry@


# 1.194 19-Mar-2022 stsp

Fix wrongly implemented check for 5GHz access point RSSI threshold.

This check was wrong for drivers which report RSSI as a percentage,
such as iwm(4) and iwx(4). Such drivers will now prefer 5GHz with
50% or greater RSSI, as was intended.

ok phessler@


# 1.193 19-Mar-2022 stsp

Give 11n and 11ac networks a higher score during SSID selection.

ok phessler@


# 1.192 14-Mar-2022 stsp

Add initial 802.11ac (VHT) support to net80211.

Add VHT capability and operation IE definitions to ieee80211.h.
Introduce channel flags to identify 80MHz and 160MHz capable channels.

Parse VHT IEs in beacons, announce the driver's VHT capabilities in
probe requests and assoc requests, and hop into 11ac mode after
association to the AP if possible.

Enable VHT by default if the driver announces support for it.

ok claudio@


# 1.191 12-Jan-2022 stsp

Remove ieee80211_find_node_for_beacon().

The original purpose of ieee80211_find_node_for_beacon() was to avoid
storing duplicate nodes with the same source MAC address in a hash table.
Later on, our node table data structure was changed from a hash table
to an RB tree. The RB tree can only store a single node per MAC address.
However, find_node_for_beacon() was kept regardless, now documented to
serve a different purpose.

Its new purpose is to tell apart different nodes which happen to use
the same MAC address and hence cannot both be stored in the RB tree.
The idea is to filter such duplicate nodes out during a scan. But colliding
nodes are told apart by RSSI and channel, and either may change over time.
So this does not really prevent duplicate MAC addresses from causing issues.

The code which decides which node is "better" can erroneously match an
AP against itself, in case the AP uses a hidden SSID. This caused
workarounds for hidden SSID to pile up over time.
Just a bit further down, the code looks up the same node again and
performs all of the intended node state updates. Simply skipping the
ieee80211_find_node_for_beacon() check makes such state updates work.

ok tobhe@


# 1.190 07-Dec-2021 stsp

Teach the net80211 stack to remove corresponding frames from ic_pwrsaveq
when a power-saving client decides to leave our hostap interface.

Prevents a "key unset for sw crypto" panic as we try to send a frame
to a node which is in COLLECT state with its WPA keys already cleared.

We were already clearing the queue which buffers power-saved frames for
the client node. This queue is stored within the node structure itself.
However, the interface has another global queue for frames which need to
be transmitted by the driver to a set of nodes during the next DTIM.
We missed removing frames for a departing node from this global queue.

While here, add missing node refcount adjustments as frames get purged.

Problem reported by Mikolaj Kucharski, who tested this fix for more
than a week with athn(4), with no further panics observed.
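
An added illustration of the fix described above (example code written for this page, not OpenBSD's ic_pwrsaveq implementation): a shared queue of frames buffered for the next DTIM, where every queued frame holds a reference on its destination node, and the purge that runs when a node leaves so that nothing for a node in COLLECT state with cleared keys is handed to the driver later. The node states, field names and queue layout are assumptions chosen for illustration.

```c
/*
 * Added example, not OpenBSD code: a global queue of buffered frames,
 * each holding a reference on its destination node, and the purge that
 * must run when a node leaves. Purging drops the frames (so the driver
 * never tries to encrypt them for a node whose keys are gone) and the
 * node refcount goes down by one per frame discarded, so the node can
 * actually be freed afterwards. Node states and layout are assumptions.
 */
#include <stddef.h>
#include <stdlib.h>

enum node_state { NODE_RUN, NODE_COLLECT };

struct node {
	int		refcnt;
	enum node_state	state;
	int		has_keys;	/* 1 while pairwise keys are installed */
};

struct frame {
	struct node	*ni;	/* one node reference held per queued frame */
	struct frame	*next;
};

struct frameq {
	struct frame	*head;
	size_t		 len;
};

void
node_ref(struct node *ni)
{
	ni->refcnt++;
}

void
node_unref(struct node *ni)
{
	ni->refcnt--;
}

/* Queue a frame for ni; the queue takes a reference while it holds it. */
int
frameq_enqueue(struct frameq *q, struct node *ni)
{
	struct frame *f = malloc(sizeof(*f));

	if (f == NULL)
		return -1;
	node_ref(ni);
	f->ni = ni;
	f->next = q->head;
	q->head = f;
	q->len++;
	return 0;
}

/*
 * Drop every frame destined for "leaving", releasing the reference each
 * frame held. Returns the number of frames purged.
 */
size_t
frameq_purge_node(struct frameq *q, struct node *leaving)
{
	struct frame **pp = &q->head, *f;
	size_t purged = 0;

	while ((f = *pp) != NULL) {
		if (f->ni == leaving) {
			*pp = f->next;
			node_unref(f->ni);
			free(f);
			q->len--;
			purged++;
		} else
			pp = &f->next;
	}
	return purged;
}

/* Free everything still queued, releasing references. */
void
frameq_drain(struct frameq *q)
{
	struct frame *f;

	while ((f = q->head) != NULL) {
		q->head = f->next;
		node_unref(f->ni);
		free(f);
		q->len--;
	}
}

/*
 * Node departure: purge its frames from the shared queue before the keys
 * are cleared and the node moves to COLLECT. Returns the number purged.
 */
size_t
node_leave(struct frameq *pwrsaveq, struct node *ni)
{
	size_t purged = frameq_purge_node(pwrsaveq, ni);

	ni->has_keys = 0;
	ni->state = NODE_COLLECT;
	return purged;
}

/*
 * Constructed scenario: two sleeping clients with frames buffered for the
 * next DTIM, one of them leaves. Returns 1 if the departing node's frames
 * are gone and both refcounts match what the remaining queue justifies.
 */
int
demo_leave(void)
{
	struct node a = { 1, NODE_RUN, 1 }, b = { 1, NODE_RUN, 1 };
	struct frameq q = { NULL, 0 };
	size_t purged;
	int ok;

	frameq_enqueue(&q, &a);
	frameq_enqueue(&q, &b);
	frameq_enqueue(&q, &a);
	frameq_enqueue(&q, &a);
	frameq_enqueue(&q, &b);

	purged = node_leave(&q, &a);
	ok = purged == 3 && q.len == 2 && a.refcnt == 1 && b.refcnt == 3 &&
	    a.state == NODE_COLLECT && a.has_keys == 0;

	frameq_drain(&q);
	ok = ok && q.len == 0 && b.refcnt == 1;
	return ok;
}
```

The two things to check after such a purge are exactly the two assertions in demo_leave(): no frame for the departed node remains anywhere the driver can reach it, and the node's refcount is back to its baseline, otherwise the node lingers in the cache forever.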


# 1.189 03-Dec-2021 stsp

Introduce an optional driver-specific bgscan_done() handler which
allows the driver to take control of the roaming teardown sequence.
This handler allows drivers to ensure that race conditions between
firmware state and net80211 state are avoided, and will be used by
the iwm(4) and iwx(4) drivers soon.

Split the existing roaming teardown sequence into two steps, one step
for tearing down Tx block ack sessions which sends a DELBA frame, and a
second step for flushing Tx rings followed by sending a DEAUTH frame.
We used to queue both frames, expecting to switch APs once both were sent.
Now we effectively expect everything to be sent before we queue a final
DEAUTH frame, and wait for just this frame to be sent before switching.
This already made issues on iwm/iwx less frequent but by itself this was
not enough to close all races for those drivers. It should however help
when adding background scan support to a non-firmware device driver.

Tested, with driver patches:
iwm 8265: Aaron Poffenberger, stsp
iwm 9260: florian
iwm 9560: sthen
iwx ax200: jmc, stsp


# 1.188 03-Nov-2021 krw

In addition to the WEP key(s) being set at device initialization with
'nwid'/'nwkey', the keys will be set at random times when 'join'/'nwkey' is
used. So also stop trying to set IEEE80211_CIPHER_NONE keys on that path.

James Hastings confirms this fixes his '(null node)' panics on run(4). Thanks!

ok stsp@


# 1.187 08-Oct-2021 stsp

Revert my previous commit to ieee80211_node.c (CVS commit Hne35XgzezGa9zmv).

Sending frames from ieee80211_node_join_bss() won't work as expected.
I missed that IEEE80211_SEND_MGMT() calls if_start() immediately after
queueing the management frame. This means the probe request is being
sent in a state where, while ic_bss represents our new AP, the driver
did not yet have a chance to move the device over to our new AP.

The auth request for the new AP is sent from ieee80211_newstate() which
runs after the driver has reconfigured the device. If we want to send a
probe request to the new AP then we would need to send it at that point,
before the auth frame gets sent.


# 1.186 07-Oct-2021 stsp

Send a probe request to our new AP when we are about to roam to it.

Tested by fkr on iwx ax200/ax201 and myself on iwm 8265.
Also tested by florian and bket as part of a larger diff.

ok mpi@


Revision tags: OPENBSD_7_0_BASE
# 1.185 29-Apr-2021 stsp

Make iwn, iwm, and iwx keep track of beacon parameters at run-time.

- HT protection settings (this was already implemented)
- ERP (11g) protection setting
- short slottime setting
- short preamble setting
- EDCA (QoS) parameters

All of these parameters are communicated in beacons and hardware is
now kept up-to-date with them.

Prompted by a problem report from Christian Ehrhardt regarding ERP.

Tested:
iwn 6205: stsp, Josh Grosse
iwm 7265: trondd
iwm 8265: stsp, Matthias Schmidt
iwm 9260: phessler
iwx ax200: stsp, jmc, gnezdo


Revision tags: OPENBSD_6_9_BASE
# 1.184 15-Apr-2021 stsp

When starting an AP or IBSS network, reconfigure the operation mode to
11ac/n/a/g/b as applicable. Fixes an issue where hostap would end up
running in the rather meaningless MODE_AUTO unless a mode was explicitly
configured with ifconfig.

Found while investigating issues reported by trondd testing my athn RA patch.

ok deraadt@


# 1.183 10-Mar-2021 jsg

spelling

ok gnezdo@ semarie@ mpi@


Revision tags: OPENBSD_6_8_BASE
# 1.182 31-May-2020 stsp

Remove a dead assignment to ni_rsn_state in ieee80211_node_leave_rsn().

Patch by Mikolaj Kucharski


Revision tags: OPENBSD_6_7_BASE
# 1.181 05-May-2020 stsp

Purge the ic_bss->ni_savedq mbuf queue when a wireless interface goes down.

Purging this queue prevents a panic which occurs when a WPA2-enabled athn(4)
hostap interface is reconfigured while this queue contains frames.

In hostap mode, this queue contains group-addressed (broadcast) frames
which are buffered for clients sleeping in powersave state. Frames on
this queue are transmitted when it is time to send another beacon, at
which point in time sleeping clients wake up to receive such frames.

The panic message is "key unset for sw crypto", which can be explained as
follows: Group keys are cleared when the interface goes down. The beacon Tx
interrupt handler gets triggered by hardware when the interface comes back
up. This handler attempts to encrypt the queued frames for transmission,
resulting in the above panic since the group key has been zeroed out.

This panic has been observed with athn(4) by Jan Stary and Ted Patterson,
and Ted has confirmed that this patch fixes the problem.

ok kettenis@ (with the caveat that it's been a long time since he put our
AP-side powersave support into a working state)


# 1.180 08-Apr-2020 stsp

Fix ifconfig "media:" line for 11n wifi interfaces during and after bgscan.

Media was displayed as e.g. "autoselect (OFDM6)" even though 11n was active
because the current media mode is changed to AUTO for background scanning
and was never switched back to 11N.

ok mpi@ pirofti@


# 1.179 15-Jan-2020 phessler

If join is connected to an AP, remove the node from the cache so we properly
reconnect to the AP

OK stsp@


# 1.178 29-Dec-2019 stsp

If the new candidate AP found after a background scan has an RSSI level
that will also trigger background scans, remain with the current AP.
Avoids ping-pong in environments where APs are tuned for low transmit
range, such as 36c3.

ok phessler benno


# 1.177 10-Nov-2019 stsp

Stop connecting to available open wifi networks when the interface is put up.
From now on, this behaviour must be explicitly enabled with ifconfig join "".
ok sthen jcs deraadt


# 1.176 09-Nov-2019 stsp

Give access points which fail to AUTH or ASSOC less priority during
the next selection of networks from the join list. Prevents endless
attempts to connect to an AP which is out of reach but still somehow
manages to get a beacon or two across to us during scan.

Tested with wifi networks at the University of Bucharest.
Makes switching wifi networks possible after walking to a different
room without having to down/up the interface or suspend/resume.

ok phessler@


# 1.175 09-Nov-2019 stsp

Clear the unref callback function pointer when cleaning up an ieee80211_node.
ok mpi@


# 1.174 31-Oct-2019 stsp

Make background scans less frequent if we keep choosing the same AP.

This helps a bit in situations where a single AP is used and background scans
are causing packet loss, as seen with Jesper Wellin's Broadcom-based AP and my
Android phone in hotspot mode. This is not a proper fix but our background scan
frequency against a single AP was much higher than needed anyway.

Tested by jan, job, benno, Tracey Emery, Jesper Wallin


Revision tags: OPENBSD_6_6_BASE
# 1.173 02-Sep-2019 stsp

Make net80211 expose reasons for association failures to userland and have
ifconfig display them in 'scan' output and on the ieee80211 status line if
the failure is applicable to an already selected AP (e.g. wrong WPA key).

This will hopefully reduce the amount of help requests for what often
turn out to be trivial misconfiguration issues that were previously
hard to diagnose without debug mode.

ifconfig must be recompiled with the new ieee80211_ioctl.h to stay in
sync with the kernel. A full 'make build' will do the right thing!

Very helpful input by mpi@ and deraadt@


# 1.172 27-Aug-2019 stsp

Keep ieee80211_node structures cached across scans, rather than
wiping the entire cache every time a scan is triggered.

This has benefits for userland programs trying to look at scan results,
and for drivers which don't get a full view from hardware on every scan.

Nodes will still be evicted from the cache in one of several ways:

Add a new way of timing out inactive nodes which don't send a beacon
within 10 scan iterations, for client mode only. This should get rid
of stale APs if we're scanning for some time in a changing environment.

If we fail to associate a few times, the corresponding node is removed.

If net80211 transitions back to INIT state (e.g. because of a
user-initiated configuration change) all nodes are removed.

When a background scan starts all nodes will be removed. This could be
revisited later but has been intentionally left as-is for now.

Tested by myself, jmc@, benno@, procter@ on iwm(4), athn(4) and ral(4).


# 1.171 26-Aug-2019 stsp

remove redundant assignment to ic_curmode

This assignment to ic_curmode is redundant because it already occurs
inside ieee80211_setmode(), and channel information in selbs and ni
is equivalent after node_copy().

ok mpi@ kevlo@


# 1.170 29-Jul-2019 stsp

Add support for 802.11n Tx aggregation to net80211 and the iwn(4) driver.

In particular, add Tx block ack session management to net80211, with
enough functionality to support Tx aggregation on devices which perform
A-MPDU subframe scheduling in firmware.
Make use of the iwn(4) firmware Tx scheduler to build A-MPDUs.

net80211's QoS support code is now enabled and used by Tx aggregation.

A-MSDU frames inside A-MPDUs have been tested and work in principle.
For now, this feature is disabled because unfair TCP connection sharing
was observed during testing, where bursts of TCP Ack frames for a single
tcpbench(1) connection arriving in A-MSDUs made other TCP connections stall.
Switch off support for A-MSDUs inside A-MPDUs on the Rx side as well.

Tested on iwn chipsets 1000, 4965, 5100, 5300, 2200, 6200, 6205, 6300
(committed version of tested diff has all debug printfs removed)
tests/ok benno kmos mlarkin kevlo


# 1.169 23-Jul-2019 stsp

In 11n hostap mode, properly disable HT protection when needed
by actually overwriting the relevant bits in ni_htop1.
ok tedu@ phessler@ kettenis@


# 1.168 10-Jun-2019 stsp

Revised version of 'ifconfig mode' command fix.

The 'mode' command is supposed to force a wireless interface into 11a/b/g/n
media mode. This stopped working some time ago, probably during my work on
background scanning. Problem spotted by mlarkin@ who noticed that interfaces
were using 11g mode while forced to 11b mode.

ok phessler, jmatthew (earlier version)
relentless testing by krw@


# 1.167 31-May-2019 stsp

Revert my "Repair the 'ifconfig mode' command" commit.

The "recursion in end_scan()" problem is apparently still present in
the committed version of the diff (reported by krw@).


# 1.166 29-May-2019 stsp

Repair the 'ifconfig mode' command.

The 'mode' command is supposed to force a wireless interface into 11a/b/g/n
media mode. This stopped working some time ago, probably during my work on
background scanning. Problem spotted by mlarkin@ who noticed that interfaces
were using 11g mode while forced to 11b mode.

ok phessler, jmatthew


# 1.165 11-May-2019 stsp

Show driver name on net80211 scan debug lines.
ok mpi@


# 1.164 28-Apr-2019 mpi

Removes the KERNEL_LOCK() from bridge(4)'s output fast-path.

This redefines the ifp <-> bridge relationship. No lock can be
currently used across the multiples contexts where the bridge has
tentacles to protect a pointer, use an interface index.

Tested by various, ok dlg@, visa@


Revision tags: OPENBSD_6_5_BASE
# 1.163 15-Mar-2019 phessler

fix autojoin for WEP network by actually saving the WEP auth key

discovered while attempting to autojoin WEP networks


# 1.162 01-Mar-2019 stsp

Improve handling of HT protection for 'mode 11n' hostap.

Consider the mere presence of HTCAP IEs as indicator of 11n support,
rather than checking advertised Rx MCS. Fixes some devices being
misclassified as 11a/g, causing HT protection to be enabled even
though it is not needed.

Use CTS-to-self frames for HT protection instead of RTS/CTS.

These changes make my athn(4) AR9280 hostap perform much better.

ok phessler@


# 1.161 23-Jan-2019 stsp

Move 802.11n rateset definitions out of MiRA and make them available to
net80211 and drivers in general. Add ratesets for 'short guard interval'
(SGI) rates, and add SGI support to MiRA. SGI is currently only used by
iwm(4), and of course internally by bwfm(4) firmware.
Ratesets for 11n 40 MHz channels and 11ac will come later.
ok mpi@ phessler@


# 1.160 18-Jan-2019 phessler

add a len field when we delete an essid from the joinlist. this will have
us properly match, instead of hoping we got lucky when selecting it.

OK stsp@


# 1.159 18-Jan-2019 phessler

let users automatically use join to connect to any open wifi network.
if a known network is visible, always prefer that instead.

requested by many, OK stsp@


# 1.158 25-Nov-2018 phessler

print more details about the join'd networks we have saved when a user runs
ifconfig if joinlist

OK stsp@


# 1.157 20-Nov-2018 phessler

fix whitespace in debugging function


# 1.156 20-Nov-2018 patrick

The first packet received from each AP in each QoS class would be
dropped as the sequence number matches the initial value of the
cached last sequence number (zero). On some APs (notably Android
WIFI hotspots) this hits the first packet of the WPA2 4-way
handshake. This causes connection delays and in some cases
connection to the AP fails completely. Initialize the cached last
sequence numbers for received packets to an invalid value instead.

From Christian Ehrhardt
ok gerhard@ stsp@
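
An added illustration of the bug described above (example code written for this page, not OpenBSD's receive path): a per-TID cache of the last sequence-control value seen from a node, initialized either to zero, as before the fix, or to a value no frame can carry. The check is simplified: it compares only the sequence-control value and ignores the Retry bit, and the name SEQCTL_INVALID and the use of 0xffff as the sentinel are this example's own assumptions.

```c
/*
 * Added example, not OpenBSD code: per-TID duplicate detection for
 * received QoS frames. The cache of last-seen sequence-control values is
 * initialized either to zero (old behaviour: every TID looks as if it
 * already saw sequence number 0) or to a value no frame can carry (fix).
 * Simplified: only the sequence-control value is compared, the Retry bit
 * is ignored.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NUM_TIDS	16
#define SEQCTL_INVALID	0xffff	/* assumption: no real seqctl takes this value */

struct rxnode {
	uint16_t last_seqctl[NUM_TIDS];	/* 12-bit seq number << 4 | 4-bit frag */
};

/* Old: every TID starts out "having seen" sequence number 0, fragment 0. */
void
rxnode_init_zero(struct rxnode *ni)
{
	memset(ni->last_seqctl, 0, sizeof(ni->last_seqctl));
}

/* Fixed: no TID has seen anything yet. */
void
rxnode_init_invalid(struct rxnode *ni)
{
	int tid;

	for (tid = 0; tid < NUM_TIDS; tid++)
		ni->last_seqctl[tid] = SEQCTL_INVALID;
}

/*
 * Return 1 if "seqctl" on "tid" repeats the last value seen (treated as a
 * retransmission and dropped); otherwise remember it and return 0.
 */
int
rx_is_dup(struct rxnode *ni, int tid, uint16_t seqctl)
{
	if (ni->last_seqctl[tid] == seqctl)
		return 1;
	ni->last_seqctl[tid] = seqctl;
	return 0;
}

/*
 * Feed a sequence of frames on one TID and return how many are accepted.
 * init_invalid selects the fixed initializer.
 */
size_t
count_accepted(int init_invalid, int tid, const uint16_t *seqctls, size_t n)
{
	struct rxnode ni;
	size_t i, accepted = 0;

	if (init_invalid)
		rxnode_init_invalid(&ni);
	else
		rxnode_init_zero(&ni);
	for (i = 0; i < n; i++)
		if (!rx_is_dup(&ni, tid, seqctls[i]))
			accepted++;
	return accepted;
}

/*
 * Constructed frame sequence from an AP whose sequence counter starts at
 * 0 after association: the first frame (where EAPOL message 1 of the 4-way
 * handshake would be), a frame with seq 1, a retransmission of it, seq 2.
 */
const uint16_t ap_frames[] = { 0 << 4, 1 << 4, 1 << 4, 2 << 4 };
const size_t ap_nframes = sizeof(ap_frames) / sizeof(ap_frames[0]);
```

With the zero initializer the very first frame is silently discarded as a "duplicate" of nothing, which is why a handshake whose first message arrives with sequence number 0 stalls; with the sentinel only the genuine retransmission is dropped.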


# 1.155 27-Oct-2018 phessler

pass around the ess and ni structures we plan to use directly, instead
of rediscovering them (possibly badly).

OK stsp@


# 1.154 27-Oct-2018 phessler

clean up accounting of the AUTO_JOIN flag by making sure it is set or cleared
based on the state of the joinlist

OK stsp@


# 1.153 27-Oct-2018 phessler

don't join to a network where we expect cleartext, and the AP is using crypto

OK stsp@


Revision tags: OPENBSD_6_4_BASE
# 1.152 18-Sep-2018 mestre

fix memory leak in ieee80211_end_scan()

OK phessler@ jsg@


# 1.151 17-Sep-2018 jsg

fix memory leaks in ieee80211_add_ess()
ok stsp@ phessler@


# 1.150 11-Sep-2018 phessler

use the format string for signed ints, for signed ints

reminded by stsp@


# 1.149 11-Sep-2018 phessler

With the interface debug flag enabled, print a "score" for each AP we
consider during auto-join. This can help users determine why a specific
network was chosen.

OK stsp@


# 1.148 10-Sep-2018 phessler

fix typo in the length of the essid we want to switch to

found with and OK stsp@


# 1.147 10-Sep-2018 phessler

extract clearing WEP/WPA in ess into helper functions


# 1.146 10-Sep-2018 phessler

give set_ess a len variable, so we can correctly match the essid we want
to switch to.

pointed out by stsp@


# 1.145 09-Sep-2018 phessler

convert the things we save in 'join' into a single ioctl. mixing related
settings over multiple calls was risky and racy. Pass essid, wpa, and wep
parameters in a single ioctl and process it atomically.

no change for 'nwid' users

OK stsp@ benno@


# 1.144 06-Sep-2018 jsg

fix whitespace


# 1.143 01-Sep-2018 stsp

Make 'ifconfig nwid' override 'ifconfig join'.

There was no way to override a decision made by join's network
selection algorithm (apart from disabling the feature by clearing
the join list). Automatic selection is based on heuristics which
cannot always guess correctly so we need to provide an override.

One specific problem was that if 'nwid foo' and 'nwid bar' were
both visible in the scan and only 'nwid foo' was a member of the
join list, then there was no way at all to connect to 'nwid bar'.
The wireless stack would keep selecting 'nwid foo' instead.

'ifconfig iwm0 nwid bar' command will now disable automatic
network selection and force the use of ESSID 'bar'.
Any of these commands will re-enable automatic network selection:
ifconfig iwm0 -nwid
ifconfig iwm0 nwid ''
ifconfig iwm0 join some-network-id

ok phessler@ deraadt@


# 1.142 15-Aug-2018 stsp

Update AP selection heuristics for auto-join.

We now prefer stronger crypto over weaker crypto over none, prefer 5 GHz
band with reasonable RSSI, and use RSSI as a tie-breaker with a slight
advantage for 5GHz. Candidate APs are now ranked by a score which is
calculated based on these attributes.

There is likely room for improvements to make these heuristics
work well across many different environments, but it's a start.

ok phessler@


# 1.141 13-Aug-2018 stsp

Add support for band-steering access points to net80211.

Some access points have a feature called "band steering" where they
will try to push clients from 2 GHz channels to 5 GHz channels.
If a client sends probe-requests on both 2 GHz and 5GHz channels, and
then attempts to authenticate on a 2 GHz channel, such APs will deny
authentication and hope that the client will come back on a 5 GHz channel.

So if we fail to AUTH for any reason, and if there is a different
AP with the same ESSID that we haven't tried yet, try that AP next.
Keep trying until no APs are left, and only then continue scanning.

APs with support for this feature were provided by Mischa Peters.

ok phessler@ mpi@


# 1.140 11-Aug-2018 stsp

Add comment explaining why we read basic MCS set only from beacon/probereq.
requested by mpi@


# 1.139 07-Aug-2018 stsp

Ignore basic MCS set information found in association responses.

Some APs (Aruba 105) send a bogus basic MCS set in assoc responses
which prevents us from enabling 11n support with those APs, while
these APs still behave as if we were an 11n client which renders
the association unusable.

The basic MCS set is already provided in beacons anyway, and the
802.11 2012 standard says the basic MCS set is reserved in frames
other than beacons (see Table 8-130).

ok mpi@


# 1.138 06-Aug-2018 stsp

Refactor ieee80211_add_ess():

Drop ieee80211_add_ess's nwid parameter. Read nwid and length directly
from the ic to make it more obvious where this function is reading from.

nwids are binary data with an explicit length, so treat them as such
instead of treating them like strings.

ok florian phessler


# 1.137 06-Aug-2018 florian

Do not set nwid over and over again. We just found the ess by comparing
the nwid. It will not have changed in the meantime.
OK stsp


# 1.136 03-Aug-2018 phessler

revert 1.133 and part of 1.131
the stack doesn't always fill in the parameters correctly

reported by many


# 1.135 30-Jul-2018 stsp

Don't ask drivers to join a wifi network before an AP has been chosen.
Should fix a panic with bwfm(4) reported by mlarkin@
ok phessler@


# 1.134 19-Jul-2018 florian

ieee80211_ess_is_better() returns 0 or 1, comparing > 1 is always
false so we always selected the first wifi available, not the best
one.

While here shuffle some deck chairs to make it clearer that anything is
better than nothing.

tweak & OK phessler
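
An added illustration covering the score-based ranking described in 1.142 and the selection bug described in 1.134 above (example code written for this page, not OpenBSD's ieee80211_ess_is_better() or its caller): candidates are scored so that stronger crypto beats weaker crypto beats none, a 5 GHz network with reasonable RSSI is preferred, and RSSI breaks ties with a slight 5 GHz edge; then a selection loop is shown once with the "> 1" test on a 0/1 predicate and once with the fixed test. The weights, the 0 to 100 percent RSSI scale and the 50 percent threshold are assumptions of this example.

```c
/*
 * Added example, not OpenBSD code: rank auto-join candidates by a score
 * and pick the best one, showing why a "> 1" test on a 0/1 predicate
 * never selects anything beyond the first entry. The weights are
 * assumptions chosen to order crypto strength first, then the 5 GHz band
 * with reasonable RSSI, then RSSI as a tie-breaker with a slight 5 GHz edge.
 */
#include <stddef.h>

enum crypto { CRYPTO_NONE = 0, CRYPTO_WEP = 1, CRYPTO_WPA1 = 2, CRYPTO_WPA2 = 3 };

struct candidate {
	const char	*ssid;
	enum crypto	 crypto;
	int		 is_5ghz;
	int		 rssi;		/* assumption: reported as 0-100 percent */
};

#define RSSI_5GHZ_GOOD	50	/* percent; assumption for "reasonable RSSI" */

int
candidate_score(const struct candidate *c)
{
	int score = 0;

	score += (int)c->crypto * 1000;		/* stronger crypto beats anything else */
	if (c->is_5ghz && c->rssi >= RSSI_5GHZ_GOOD)
		score += 100;			/* 5 GHz with reasonable signal */
	score += c->rssi;			/* tie-breaker */
	if (c->is_5ghz)
		score += 1;			/* slight 5 GHz advantage */
	return score;
}

/* Returns 0 or 1, as a boolean predicate does. */
int
candidate_is_better(const struct candidate *a, const struct candidate *b)
{
	return candidate_score(a) > candidate_score(b);
}

/* Broken selection: a 0/1 value is never > 1, so index 0 always wins. */
size_t
select_best_broken(const struct candidate *list, size_t n)
{
	size_t best = 0, i;

	for (i = 1; i < n; i++)
		if (candidate_is_better(&list[i], &list[best]) > 1)
			best = i;
	return best;
}

/* Fixed selection: test the predicate for truth. */
size_t
select_best(const struct candidate *list, size_t n)
{
	size_t best = 0, i;

	for (i = 1; i < n; i++)
		if (candidate_is_better(&list[i], &list[best]))
			best = i;
	return best;
}

/* Constructed scan results: same ESSID visible on both bands, plus others. */
const struct candidate scan_results[] = {
	{ "cafe",	CRYPTO_NONE,	0, 90 },
	{ "home",	CRYPTO_WPA2,	0, 70 },
	{ "home",	CRYPTO_WPA2,	1, 60 },
	{ "work",	CRYPTO_WEP,	1, 95 },
};
const size_t nscan_results = sizeof(scan_results) / sizeof(scan_results[0]);
```

On these inputs the fixed loop picks the WPA2 network on 5 GHz even though its RSSI is the lowest of the four, while the broken loop returns the open "cafe" network purely because it was scanned first.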


# 1.133 16-Jul-2018 phessler

the AP sends their crypto parameters as a mask, so let us still select it
in case we want WPA2 and they have WPA1 still enabled


# 1.132 16-Jul-2018 phessler

don't save or use auto-join when the card is not in station (aka client) mode

OK stsp@


# 1.131 13-Jul-2018 phessler

Some more checks before auto-join switches networks.

Make sure all of the crypto options the AP announces matches what we
would configure. While here, don't switch if the user has specified
a specific BSSID, and the new AP does not match.

OK stsp@


# 1.130 11-Jul-2018 phessler

Introduce 'auto-join' to the wifi 802.11 stack.

This allows a system to remember which ESSIDs it wants to connect to, any
relevant security configuration, and switch to it when the network we are
currently connected to is no longer available.

Works when connecting and switching between WPA2/WPA1/WEP/clear encryptions.

example hostname.if:
join home wpakey password
join work wpakey mekmitasdigoat
join open-lounge
join cafe wpakey cafe2018
join "wepnetwork" nwkey "12345"
dhcp
inet6 autoconf
up

OK stsp@ reyk@
and enthusiasm from every hackroom I've been in for the last 3 years


# 1.129 28-Apr-2018 stsp

When starting a background scan, free the nodes table to ensure we
get an up-to-date view of APs around us. In particular, we need to
kick out the AP we are associated to. Otherwise, our current AP might
stay cached if it is turned off while we are scanning, and we could
end up picking a now non-existent but "good looking" AP over and over.

found with and ok phessler@


# 1.128 27-Apr-2018 stsp

Fix the scan loop: We were only looking for an AP once and stopped
scanning if none was found.
Accidentally broken in recent ifconfig scan changes by pirofti and me.
ok pirofti


# 1.127 26-Apr-2018 pirofti

net80211: stub SIOCS80211SCAN, make ifconfig scan instant.

The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stsp@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.

The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.

In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.

The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...

Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.

Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).

Tested by mpi@, landry@, florian@, thanks!
OK mpi@.


Revision tags: OPENBSD_6_3_BASE
# 1.126 06-Feb-2018 phessler

convert the test if a node supports HT (aka, 11n) into an inline function,
instead of testing some un-obvious bitfield

OK stsp@


# 1.125 12-Dec-2017 stsp

Don't dereference IEEE80211_CHAN_ANYC pointer in ieee80211_node_checkrssi().

Problem reported by Gregoire Jadi on bugs@


# 1.124 12-Dec-2017 phessler

Allow interfaces that aren't SCANNALLBAND drivers to benefit from the
strongest received signal.

OK stsp@


# 1.123 12-Dec-2017 jcs

Fix the behavior of preferring weaker-but-still-good 5Ghz APs over
2Ghz APs because the 5Ghz band is generally less saturated.

The previous implementation was dependent upon the order of walking
APs.

ok stsp


# 1.122 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


Revision tags: OPENBSD_6_2_BASE
# 1.121 05-Sep-2017 stsp

When starting a new scan always set the mode to AUTO if the driver scans
all bands at once. Fixes a problem where e.g. 5GHz APs were filtered out
if we were previously associated to an 11g-only AP.
ok mpi@ phessler@


# 1.120 17-Aug-2017 stsp

Add an entry to dmesg if pairwise WPA keys arrive unexpectedly or if WPA
group keys are being reused. OpenBSD wireless clients will now leave a
trail of such events in their message log.

There has been increased public scrutiny of WPA's security recently, so
I am curious to see if anyone is attempting replay attacks in the wild.

ok deraadt


# 1.119 04-Aug-2017 stsp

Compile a debug printf in ieee80211_match_bss() by default, previously
guarded by the IEEE80211_DEBUG preprocessor flag. This shows one line
per detected AP after a scan, and indicates which APs are considered
candidates for association.
Shorten the output a bit to fit into 80 columns more likely.
ok sthen@


# 1.118 19-Jul-2017 stsp

Improve the heuristic which selects 5GHz APs over 2GHz APs.

The previous code wasn't quite right: it didn't account for the fact that
some drivers don't set ic_max_rssi, and it compared 5GHz APs to a threshold
relative to the max RSSI, rather than comparing RSSI on 5GHz relative to
RSSI on 2GHz.

This heuristic is only used by SCANNALLBAND drivers: iwn(4), iwm(4), wpi(4)

In the future the AP selection heuristic should be made more intelligent,
e.g. it should take BSS load information in beacons into account.
Another open problem is inconsistent representation of RSSI measurement
values throughout our drivers and stack. Help is welcome!

For now, this hopefully improves AP selection at busy airports.

ok sthen@ deraadt@


# 1.117 04-Jun-2017 tb

Add sizes for free for the RSN IEs. Rewrite ieee80211_save_ie() slightly
to make it more readable.

help, many explanations and ok stsp


# 1.116 03-Jun-2017 tb

Add a few sizes to free().

Input, help & ok stsp


Revision tags: OPENBSD_6_1_BASE
# 1.115 04-Mar-2017 stsp

branches: 1.115.4;
In 11n hostap mode, dynamically adjust HT protection settings based on
the presence of non-HT nodes in the node cache.
OpenBSD 11n APs will now disable HT protection if it is not necessary.
ok mpi@


# 1.114 03-Feb-2017 stsp

Fix 11b clients sending bogus ratesets in association requests. The common
rateset with the AP is calculated only after the association response was
received, which is too late. Fix rates when an AP is selected after a scan.
ok mpi@ tb@


# 1.113 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.112 16-Jan-2017 stsp

Reset block ack state and cancel related timeouts when a HT node disassociates.
The existing code (from damien@) already took care of freeing related buffers
but because block ack state was not reset we were still trying to use these
buffers if the node sent another A-MPDU. This problem only affects 11n hostap.
Fixes kernel crash reported by Timo Myyra on bugs@


# 1.111 09-Jan-2017 stsp

When a HT node leaves or reassociates as a non-HT node,
clear HT capabilities stored in its node cache object.

A node may switch from 11n mode to 11a/b/g mode.
If we don't clear HT capabilities from the cache the node will
be mistaken as 11n-capable after reassociation.

ok phessler@ mpi@


# 1.110 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.109 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.108 09-Jan-2017 stsp

The point of ieee80211_node_leave() is to place the node in COLLECT state.
Return early and do nothing if the node is already in COLLECT state upon
entry to this function.


# 1.107 09-Jan-2017 stsp

When acting as hostap, negotiate HT before calling the driver's ic_newassoc()
function, not afterwards. Drivers now know whether a joining node supports HT
which helps with setting up state such as which Tx rate to use.


# 1.106 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@


# 1.105 15-Sep-2016 dlg

move from RB macros to the RBT functions.

shaves about 5k off an amd64 GENERIC.MP kernel


# 1.104 17-Aug-2016 stsp

If a wireless device or driver scans all bands at once give 5GHz APs
a slight priority in cases where good matches exist in either band.
ok sthen@


Revision tags: OPENBSD_6_0_BASE
# 1.103 21-May-2016 stsp

branches: 1.103.2;
Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


# 1.102 18-May-2016 stsp

In hostap mode, don't re-use association IDs (AIDs) of nodes which are
still lingering in the node cache. This could cause an AID to be assigned
twice, once to a newly associated node and once to a different node in
COLLECT cache state (i.e. marked for future eviction from the node cache).

Drivers (e.g. rt2860) may use AIDs to keep track of nodes in firmware
tables and get confused when AIDs aren't unique across the node cache.
The symptom observed with rt2860 were nodes stuck at 1 Mbps Tx rate since
the duplicate AID made the driver perform Tx rate (AMRR) accounting on
the wrong node object.

To find out if a node is associated we now check the node's cache state,
rather than comparing the node's AID against zero. An AID is assigned when
a node associates and it lasts until the node is eventually purged from the
node cache (previously, the AID was made available for re-use when the node
was placed in COLLECT state). There is no need to be stingy with AIDs since
the number of possible AIDs exceeds the maximum number of nodes in the cache.

Problem found by Nathanael Rensen.
Fix written by Nathanael and myself. Tested by Nathanael.
Committing now to get this change tested across as many drivers as possible.
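
Added example, not part of this log and not net80211's own code: a tiny hostap node cache in C that shows the AID rule described above, namely that an AID stays reserved for as long as its node is anywhere in the cache, COLLECT state included, and that "associated" is decided by cache state rather than by aid != 0. The older behaviour (AID freed on entering COLLECT) is selectable so the duplicate can be reproduced. All names (aid_cache, aid_alloc, aid_node_join, ...) and the small AID limit are this example's own assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Illustrative only, not net80211 code: a tiny hostap node cache. */
enum aid_state { AID_CACHE, AID_AUTH, AID_ASSOC, AID_COLLECT };
#define AID_MAX_NODES	8
#define AID_MAX		16	/* kept small; 802.11 allows up to 2007 */

struct aid_node { enum aid_state state; uint16_t aid; /* 0: never assigned */ };
struct aid_cache { struct aid_node nodes[AID_MAX_NODES]; int nnodes; };

/* Association is a matter of cache state, never of aid != 0. */
int aid_node_is_assoc(const struct aid_node *ni) { return ni->state == AID_ASSOC; }

/* Lowest AID not held by any cached node. With keep_collect set, AIDs of
 * COLLECT nodes stay reserved (the fixed rule); with it clear they count as
 * free again (the old rule that produced duplicates). 0 if none is free. */
uint16_t aid_alloc(const struct aid_cache *c, int keep_collect)
{
	uint8_t inuse[AID_MAX + 1];
	uint16_t aid;
	int i;

	memset(inuse, 0, sizeof(inuse));
	for (i = 0; i < c->nnodes; i++) {
		const struct aid_node *ni = &c->nodes[i];
		if (ni->aid == 0 || ni->aid > AID_MAX)
			continue;
		if (!keep_collect && ni->state == AID_COLLECT)
			continue;
		inuse[ni->aid] = 1;
	}
	for (aid = 1; aid <= AID_MAX; aid++)
		if (!inuse[aid])
			return aid;
	return 0;
}

/* Associate node idx; it owns the AID until purged from the cache. */
uint16_t aid_node_join(struct aid_cache *c, int idx, int keep_collect)
{
	c->nodes[idx].aid = aid_alloc(c, keep_collect);
	c->nodes[idx].state = AID_ASSOC;
	return c->nodes[idx].aid;
}

/* Leaving only marks the node for eviction; the AID is not released. */
void aid_node_leave(struct aid_cache *c, int idx)
{ c->nodes[idx].state = AID_COLLECT; }

/* Eviction from the cache is the one place where the AID becomes free. */
void aid_node_purge(struct aid_cache *c, int idx)
{ c->nodes[idx].state = AID_CACHE; c->nodes[idx].aid = 0; }

/* 1 if two cached nodes share a nonzero AID, the condition that misled rt2860. */
int aid_cache_has_dup(const struct aid_cache *c)
{
	int i, j;
	for (i = 0; i < c->nnodes; i++)
		for (j = i + 1; j < c->nnodes; j++)
			if (c->nodes[i].aid && c->nodes[i].aid == c->nodes[j].aid)
				return 1;
	return 0;
}

/* Replay the reported sequence: station 0 associates and leaves (COLLECT),
 * then station 1 associates. Returns station 1's AID. */
static uint16_t aid_replay(struct aid_cache *c, int keep_collect)
{
	memset(c, 0, sizeof(*c));
	c->nnodes = 2;
	aid_node_join(c, 0, keep_collect);	/* gets AID 1 */
	aid_node_leave(c, 0);			/* lingers in COLLECT holding AID 1 */
	return aid_node_join(c, 1, keep_collect);
}

uint16_t aid_scenario_aid(int keep_collect)
{ struct aid_cache c; return aid_replay(&c, keep_collect); }

int aid_scenario_dup(int keep_collect)
{ struct aid_cache c; aid_replay(&c, keep_collect); return aid_cache_has_dup(&c); }
```

With keep_collect set, station 1 receives AID 2 and the cache holds no duplicate; with it clear, station 1 is handed AID 1 while the departed station still carries it, which is exactly the state a driver keying its firmware tables by AID cannot tell apart.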


# 1.101 12-Apr-2016 mpi

Call if_enqueue() and if_start() instead of dereferencing the ifp
pointers.

These functions have been introduced to abstract some of the MP-
safeness^Wmadness and should be used everywhere.

Prodded by a comment from jsg@.

ok mikeb@, stsp@


# 1.100 03-Mar-2016 gerhard

Restore assignment of ic_curmode that was accidentally removed when
moving the ERP code to post-assoc phase. Fixes iwi(4) fatal firmware
errors.

ok stsp@, sobrado@


Revision tags: OPENBSD_5_9_BASE
# 1.99 25-Jan-2016 stsp

branches: 1.99.2;
Honour ERP protection on 2 GHz channels in 11n mode, as done for 11g.
ok millert@


# 1.98 25-Jan-2016 stsp

Don't try to interpret htprot data if the last beacon didn't contain such data.
ok mpi@ millert@


# 1.97 07-Jan-2016 stsp

Make the A-MPDU reordering buffer more resilient against APs which drop
some subframes or let the sequence number jump up by more than 1 (hard
to tell which it is). We decrease the BA inactivity timeout for quicker
recovery from stalled BA sessions, and add a new timeout which keeps track
of gaps in the subframe sequence number space due to dropped frames.
Gaps expire after 500 msec, the same value FreeBSD uses for their
implementation of this workaround. And Linux uses this trick, too.

This should fix network stalls some people have been seeing in 11n mode.

ok deraadt@
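
Added example, not part of this log and not net80211's own code: a minimal A-MPDU receive reorder window in C with the gap timeout idea from the entry above. A hole at the head of the window starts a clock; once the hole is 500 ms old the missing frame is treated as lost, the window steps over it and the frames queued behind it are delivered. Sequence numbers are plain integers (no 12-bit wraparound), time is a millisecond counter supplied by the caller, and all names (ba_rx, ba_input, ba_gap_timeout, ...) are this example's own assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Illustrative only, not net80211 code. Sequence numbers are plain integers
 * (no 12-bit wraparound); time is a caller-supplied millisecond counter. */
#define BA_WINSZ	8	/* reorder window; real BA windows go up to 64 */
#define BA_GAP_MS	500	/* gap timeout, the value adopted above */
#define BA_MAXOUT	64

struct ba_rx {
	uint32_t	head;		/* oldest sequence number not yet delivered */
	uint8_t		have[BA_WINSZ];	/* have[i]: frame head+i is buffered */
	int64_t		gap_since;	/* when the hole at head appeared; -1: none */
	uint32_t	out[BA_MAXOUT];	/* frames handed up the stack, in order */
	int		nout;
};

void ba_init(struct ba_rx *ba, uint32_t ssn)
{ memset(ba, 0, sizeof(*ba)); ba->head = ssn; ba->gap_since = -1; }

static void ba_shift(struct ba_rx *ba)
{
	memmove(&ba->have[0], &ba->have[1], BA_WINSZ - 1);
	ba->have[BA_WINSZ - 1] = 0;
	ba->head++;
}

/* Deliver all in-order frames at the head, then (re)arm the gap clock if
 * frames are still stuck behind a hole. */
static void ba_flush_ready(struct ba_rx *ba, int64_t now)
{
	int i, pending = 0;
	while (ba->have[0]) {
		if (ba->nout < BA_MAXOUT)
			ba->out[ba->nout++] = ba->head;
		ba_shift(ba);
	}
	for (i = 1; i < BA_WINSZ; i++)
		pending |= ba->have[i];
	if (!pending)
		ba->gap_since = -1;
	else if (ba->gap_since < 0)
		ba->gap_since = now;
}

/* Accept frame seq at time now: 1 if buffered or delivered, 0 if dropped
 * as stale or duplicate. */
int ba_input(struct ba_rx *ba, uint32_t seq, int64_t now)
{
	if (seq < ba->head)
		return 0;
	/* Beyond the window: slide until seq fits, flushing what falls off. */
	while (seq - ba->head >= BA_WINSZ) {
		if (ba->have[0] && ba->nout < BA_MAXOUT)
			ba->out[ba->nout++] = ba->head;
		ba_shift(ba);
		ba->gap_since = -1;
	}
	if (ba->have[seq - ba->head])
		return 0;
	ba->have[seq - ba->head] = 1;
	ba_flush_ready(ba, now);
	return 1;
}

/* Timer hook: once the hole at head is BA_GAP_MS old, give the missing frame
 * up as lost, step over it and release what waited behind it. 1 if expired. */
int ba_gap_timeout(struct ba_rx *ba, int64_t now)
{
	if (ba->gap_since < 0 || now - ba->gap_since < BA_GAP_MS)
		return 0;
	ba_shift(ba);
	ba->gap_since = -1;
	ba_flush_ready(ba, now);
	return 1;
}

/* Replay the stall: frame 0 never arrives, 1 and 2 pile up behind it and the
 * gap timer releases them. Returns frames delivered if each step behaved
 * as expected, -1 otherwise. */
int ba_demo(void)
{
	struct ba_rx ba;
	ba_init(&ba, 0);
	ba_input(&ba, 1, 0);		/* hole at 0: gap clock starts at t=0 */
	ba_input(&ba, 2, 10);
	if (ba.nout != 0 || ba_gap_timeout(&ba, 100) != 0)
		return -1;		/* too early: still waiting for frame 0 */
	if (ba_gap_timeout(&ba, 500) != 1 || ba.head != 3)
		return -1;		/* 0 given up, 1 and 2 delivered */
	ba_input(&ba, 3, 600);		/* in order: delivered at once */
	if (ba_input(&ba, 3, 601) != 0 || ba_input(&ba, 0, 602) != 0)
		return -1;		/* duplicate and stale frames dropped */
	if (ba.out[0] != 1 || ba.out[1] != 2 || ba.out[2] != 3)
		return -1;
	return ba.nout;
}
```

Without the gap clock, frames 1 and 2 would sit in the window until the BA session itself timed out, which is the stall the entry above describes; with it the cost of a dropped subframe is bounded to one timeout period.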


# 1.96 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.95 04-Jan-2016 stsp

While configuring ERP we need to know if we're in 11a or 11g mode so only
configure ERP once we are sure about our operation mode against the AP.
ok sthen jasper kettenis deraadt mpi


# 1.94 18-Dec-2015 sthen

unnoccupied->unoccupied


# 1.93 12-Dec-2015 stsp

Finish support for receiving 11n A-MPDUs.

The initial implementation was added by damien@ years ago.
Summary of the changes made in this commit:
- In ieee80211_input(), process A-MPDUs before duplicate detection.
- Don't forget to set ba->ba_ni in ieee80211_recv_addba_req()
so we don't crash in ieee80211_rx_ba_timeout().
- In ieee80211_recv_addba_req(), tweak the logic to deny BlockAck
requests if the driver has no callback for doing so.
- Implement ieee80211_ba_del() which cleans up BlockAck state.
- Increase the minimum and maximum lifetime for BlockAck agreements.

ok mpi@


# 1.92 24-Nov-2015 mpi

No need to include <net/if_arp.h>

This header is only needed because <netinet/if_ether.h> declares a
structure that needs it. But it turns out that <net/if.h> already
includes it as workaround.

A proper solution would be to stop declaring "struct ether_arp"
there. But no driver should need this header.


# 1.91 15-Nov-2015 stsp

Parse 11n HT capabilities and operational info from association response
frames, negotiate HT with the AP, and move the interface into or out of
11n mode accordingly. If running as AP negotiate HT with nodes joining the BSS.

ok deraadt mpi kettenis guenther


# 1.90 15-Nov-2015 stsp

Extend struct ieee80211_node with fields for 11n STA HT capabilities and
HT operational information sent by 11n APs. These fields reflect the structure
of elements in management frames so that IEEE80211_HTCAP* and IEEE80211_HTOP*
macros designed to operate on frame elements can be used directly to read
or set the fields.

Populate nodes with HT information received in probe responses, probe
requests, and association requests.

ok deraadt mpi phessler kettenis guenther


# 1.89 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


Revision tags: OPENBSD_5_8_BASE
# 1.88 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.87 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.86 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.85 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rndvar.h. ok deraadt dlg


# 1.84 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.83 12-Sep-2014 sthen

Remove cached 802.11 nodes in IEEE80211_STA_CACHE state (these are nodes
which have been seen but which haven't otherwise interacted with us), fixing
a problem where old cached nodes are seen when doing a scan.
From Marcin Piotr Pawlowski, feedback stsp@ ok kspillner@ dcoppa@


# 1.82 08-Aug-2014 jasper

use nitems() instead of various local constructs

ok stsp@


Revision tags: OPENBSD_5_6_BASE
# 1.81 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


Revision tags: OPENBSD_5_5_BASE
# 1.80 01-Dec-2013 stsp

Reset txrate array index after changing a node's rate list.
Should prevent "bogus xmit rate %d setup" panics, which I ran into again
in IBSS mode.
ok kettenis


# 1.79 21-Nov-2013 mpi

Remove unneeded include.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.78 24-Mar-2013 claudio

Make ieee80211_set_tim() available from outside of ieee80211_node.c
so drivers like acx(4) can use that function directly instead of
reimplementing the function again. Requested by kettenis@ long time ago.


Revision tags: OPENBSD_5_3_BASE
# 1.77 07-Nov-2012 stsp

Fix DPRINTF() format string treating n->ni_refcnt, which is unsigned, as signed.
diff from dhill; ok kettenis reyk


# 1.76 10-Oct-2012 kettenis

Clear the powersave flag and purge queued packets when a node leaves the AP
(either by disassociating or by timeout). Fixes (most) remaining issues with
power saving.

From Nathanael Rensen.

ok claudio@, krw@, sthen@


# 1.75 05-Oct-2012 camield

Point an interface directly to its bridgeport configuration, instead
of to the bridge itself. This is ok, since an interface can only be part
of one bridge, and the parent bridge is easy to find from the bridgeport.

This way we can get rid of a lot of list walks, improving performance
and shortening the code.

ok henning stsp sthen reyk


# 1.74 20-Sep-2012 stsp

Nuke M_80211_NODE #define which mapped to M_DEVBUF and use M_DEVBUF directly.
ok henning


# 1.73 25-Aug-2012 kettenis

Set up ni_savedq for the initial BSS node such that it can actually be used
to store multicast frames when one of the associated stations is in power
saving mode.

ok stsp@


# 1.72 17-Aug-2012 stsp

Fix possible panic while switching from STA mode into hostap/ibss modes.
ieee80211_create_ibss() resets the set of supported rates but failed
to update the index into the rate set array accordingly. If the rate
configured during STA operation didn't belong to the newly configured
rate set the system ran into an assertion ("bogus xmit rate %u setup")
while trying to create the IBSS.
ok fgsch@


Revision tags: OPENBSD_5_2_BASE
# 1.71 18-Jul-2012 stsp

Print messages about nodes purged from the node cache if hostap/ibss modes are
compiled in and the interface is in debug mode. ok sthen


# 1.70 16-Jul-2012 stsp

Move increment of ic_nnodes closer to where the node is actually inserted
into the cache. Make sure we're at IPL_NET while incrementing/decrementing
ic_nnodes. Add a debug message that warns about possible node leaks.
All of this affects hostap mode only.


# 1.69 13-Jul-2012 stsp

Tweak node cache eviction strategy when the cache is full: kick off new nodes
in AUTH state that weren't active during the cache wait interval rather than
keeping them for the entire cache timeout interval. Fixes association failures
in noisy RF environments. Tested by edd and myself with a slow soekris
suffering from RF noise with about 50 interrupts per second on ral0.
ok deraadt


Revision tags: OPENBSD_5_1_BASE
# 1.68 25-Jan-2012 stsp

There is no need to explicitly skip ic_bss when iterating over cached nodes.
The ic_bss is never put into the RB tree.


# 1.67 25-Jan-2012 stsp

Clean inactive authenticated nodes during cache timeout as well.
There is no need to keep nodes cached which never associated and were
inactive within the last 5 minutes or more. Keeps the node cache pretty
clean in my environment with typical city-center wlan noise.


# 1.66 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@
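
Added example, not part of this log and not net80211's own code: the hostap node cache housekeeping described in the 1.63, 1.64, 1.66, 1.67 and 1.69 entries, in C. When room is needed the cache evicts COLLECT nodes first, then nodes in CACHE state (active or not), then authenticated or associated nodes that have been inactive for five minutes, and it keeps evicting while the count is still at the maximum rather than only above it, which is the 1.63 bug. A periodic sweep removes inactive nodes that never associated. Time is a millisecond counter supplied by the caller; all names (nc_cache, nc_make_room, nc_cache_timeout, ...) and the small cache limit are this example's own assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Illustrative only, not net80211 code; time is a caller-supplied ms counter. */
enum nc_state { NC_CACHE, NC_AUTH, NC_ASSOC, NC_COLLECT };
#define NC_MAX_NODES	4		/* kept small for the example */
#define NC_INACT_MS	(5 * 60 * 1000)	/* no frame for 5 minutes: inactive */
#define NC_SLOTS	8

struct nc_node { int used; enum nc_state state; int64_t last_frame; };
struct nc_cache { struct nc_node n[NC_SLOTS]; int nnodes; };

static int nc_inactive(const struct nc_node *ni, int64_t now)
{ return now - ni->last_frame >= NC_INACT_MS; }

static void nc_evict(struct nc_cache *c, int i)
{ memset(&c->n[i], 0, sizeof(c->n[i])); c->nnodes--; }

/* Victim order when room is needed: COLLECT nodes, then CACHE-state nodes
 * (active or not), then inactive authenticated/associated nodes. -1: none. */
static int nc_pick_victim(const struct nc_cache *c, int64_t now)
{
	int i, pass;
	for (pass = 0; pass < 3; pass++)
		for (i = 0; i < NC_SLOTS; i++) {
			const struct nc_node *ni = &c->n[i];
			if (ni->used && ((pass == 0 && ni->state == NC_COLLECT) ||
			    (pass == 1 && ni->state == NC_CACHE) ||
			    (pass == 2 && nc_inactive(ni, now))))
				return i;
		}
	return -1;
}

/* Free a slot for a newcomer. Loop while nnodes >= max, not > max, or a
 * full cache is never cleaned. Returns the number of nodes evicted. */
int nc_make_room(struct nc_cache *c, int64_t now)
{
	int evicted = 0, v;
	while (c->nnodes >= NC_MAX_NODES && (v = nc_pick_victim(c, now)) >= 0) {
		nc_evict(c, v);
		evicted++;
	}
	return evicted;
}

/* Periodic sweep: drop inactive nodes that are not associated. */
int nc_cache_timeout(struct nc_cache *c, int64_t now)
{
	int i, evicted = 0;
	for (i = 0; i < NC_SLOTS; i++)
		if (c->n[i].used && c->n[i].state != NC_ASSOC &&
		    nc_inactive(&c->n[i], now)) {
			nc_evict(c, i);
			evicted++;
		}
	return evicted;
}

/* Insert a node in state st; returns its slot, or -1 when no room. */
int nc_add(struct nc_cache *c, enum nc_state st, int64_t now)
{
	int i;
	nc_make_room(c, now);
	if (c->nnodes >= NC_MAX_NODES)
		return -1;
	for (i = 0; c->n[i].used; i++)	/* nnodes < NC_SLOTS, so a slot is free */
		;
	c->n[i].used = 1; c->n[i].state = st; c->n[i].last_frame = now;
	c->nnodes++;
	return i;
}

/* Scenario: four active associated stations fill the cache. A scanning-only
 * node is refused until a station has gone quiet; the later sweep drops the
 * scanner but keeps the (now idle) stations. Returns the final count, or -1. */
int nc_demo(void)
{
	struct nc_cache c;
	int i;
	memset(&c, 0, sizeof(c));
	for (i = 0; i < NC_MAX_NODES; i++)
		nc_add(&c, NC_ASSOC, 0);
	if (nc_add(&c, NC_CACHE, 1000) != -1)
		return -1;			/* nobody eligible for eviction yet */
	if (nc_add(&c, NC_CACHE, NC_INACT_MS + 1000) < 0 || c.nnodes != 4)
		return -1;			/* one idle station made way */
	if (nc_cache_timeout(&c, 2 * NC_INACT_MS + 2000) != 1)
		return -1;			/* only the scanner is swept */
	return c.nnodes;
}
```

Changing the loop condition in nc_make_room to nnodes > NC_MAX_NODES reproduces the 1.63 symptom: nc_add refuses every newcomer once the cache is full, because no eviction ever runs.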


# 1.65 21-Jan-2012 stsp

Hold interrupts blocked while comparing a cached node's refcount to zero
and freeing the node. Just in case an interrupt happens to ref the node after
the refcount was checked but before the node is freed.
Tested by several as part of a larger diff.


# 1.64 18-Jan-2012 stsp

Make it possible to free cached nodes which never associated (e.g. nodes
only scanning for networks). These were never put into COLLECT state and
were thus never evicted from the node cache in hostap mode.
ok jsg@


Revision tags: OPENBSD_5_0_BASE
# 1.63 28-Mar-2011 kettenis

Clean nodes until the number of cached nodes is smaller than the maximum number
of nodes, otherwise we'll never actually clean any nodes. Fixes issues with
clients failing to attach because the node cache is completely filled.

ok damien@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.62 07-Aug-2010 krw

No "\n" needed at the end of panic() strings.

Bogus chunks pointed out by matthew@ and miod@. No cookies for
marco@ and jasper@.

ok deraadt@ miod@ matthew@ jasper@ macro@


# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


# 1.60 19-Jun-2010 damien

In ieee80211_node_leave(), clear the associd after calling
ieee80211_node_leave_rsn() since ieee80211_node_leave_rsn()
calls ic_delete_key() and drivers like ral(4) RT2860 need
a valid associd in their delete_key callbacks.
This affects HostAP mode only.

from Nathanael Rensen.

remove a useless (nested) #ifndef IEEE80211_STA_ONLY while i'm here


# 1.59 14-Jun-2010 damien

fix my previous commit, i forgot BIP, so instead of enumerating
what is not supported as a group cipher, enumerate what is supported.


# 1.58 14-Jun-2010 damien

do not try to associate with an AP using an unsupported group cipher,
otherwise we will panic in ieee80211_add_rsn_body().

this may be the cause of a panic seen by reyk@ though i'm not 100% sure.


# 1.57 28-Mar-2010 krw

Four uses of uninitialized variables found by clang via jsg@. ar5416, ar9287
and athn are only theoretically interesting. ieee80211_node fixes a real
bug in occupied channel detection.

ok damien@


Revision tags: OPENBSD_4_7_BASE
# 1.56 17-Feb-2010 damien

Do not always create a new node when a beacon or a probe response
is received. The creation of a new node is already handled in
ieee80211_recv_probe_resp() when necessary.
This avoids creating empty nodes with wrong channels when beacons
are received on the wrong channel (overlapping channels).
Those empty nodes may also prevent the real node from being
discovered because of ieee80211_find_node_for_beacon() filtering.

This should prevent entries of the form:
nwid "" chan 3 bssid 00:01:02:03:04:05 0dB 54M
in "ifconfig if0 scan" output, like reported by Rivo Nurges.


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.55 29-Jan-2009 damien

fix a panic that occurs when IEEE80211_STA_ONLY is defined (SMALL_KERNEL).

noticed by ray@, more investigation from sthen@
fix tested by sthen@


# 1.54 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.53 28-Jan-2009 damien

In ieee80211_find_node(), roll our own RB_FIND() based on the key (macaddr)
instead of resorting to horrid hacks/casts.
Restore the ieee80211_node structure back to its original state.


# 1.52 27-Jan-2009 damien

unbreak SMALL_KERNEL builds by adding missing #ifndef IEEE80211_STA_ONLY

pointed out by krw@


# 1.51 26-Jan-2009 damien

move ni_macaddr field at the top of the ieee80211_node structure.
this way we can avoid putting a full node structure (which is huge)
on the stack in ieee80211_find_node().
this is a bit tricky but the RB_FIND macro wants an "elem" structure,
not a field of "elem".


# 1.50 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.49 14-Dec-2008 damien

Add an ieee80211_notify_dtim() function that drivers should call after
every DTIM in HostAP mode.
Flushes all group addressed MSDUs buffered at the AP for power management.


# 1.48 23-Oct-2008 mk

Prevent a crash in ieee80211_setkeys() when unplugging an interface in
hostap mode by canceling the group rekey timeout in ieee80211_node_detach().

ok damien


# 1.47 15-Oct-2008 blambert

Second pass of simple timeout_add -> timeout_add_sec conversions
This should take care of the simpler ones (i.e., timeout values of
integer multiples of hz).

ok krw@, art@


# 1.46 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.45 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.44 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.43 12-Aug-2008 damien

new SHA-256 based AKMPs.


# 1.42 12-Aug-2008 damien

add/process group integrity cipher suite in RSN IEs.
add support for MFP negotiation during association.


# 1.41 12-Aug-2008 damien

the only integrity group cipher currently supported is AES-128-CMAC.


# 1.40 12-Aug-2008 damien

generate a random IGTK in HostAP mode if we're MFP-capable.


# 1.39 12-Aug-2008 damien

get rid of the map_ptk()/map_gtk() functions, just inline them
which makes things easier to track.


Revision tags: OPENBSD_4_4_BASE
# 1.38 02-Aug-2008 damien

Drop frames that are received unencrypted when WEP is on or when
WPA is on and RX protection for TA is on.
Keep track of the TX/RX protection for each node when WPA is on.

tested by djm@ (ral+wpa), ckuethe@ (ath-noenc) and krw@ (wpi<->ral+wpa).
hints from bluhm@
has been in snaps for a few days.

pointed out by bluhm@ something like 1 year ago but we did not have
the right infrastructure to fix it properly at that time.

ok deraadt@


# 1.37 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.36 27-Jul-2008 damien

s/IEEE80211_DPRINTF/DPRINTF/
automatically prepend __func__ to output.

deobfuscates debug messages a bit.
no binary change unless compiled with IEEE80211_DEBUG.


# 1.35 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.34 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


# 1.33 21-Apr-2008 damien

move ieee80211_ibss_merge() from ieee80211_input.c to ieee80211_node.c


# 1.32 21-Apr-2008 damien

move ieee80211_auth_open() to ieee80211_proto.c
move ieee80211_setup_rates() to ieee80211_node.c
move some prototypes from ieee80211_proto.h to ieee80211_crypto.h


# 1.31 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.30 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.29 07-Sep-2007 damien

use new malloc M_ZERO flag + replace MALLOC with malloc


Revision tags: OPENBSD_4_2_BASE
# 1.28 06-Jul-2007 damien

remove remaining bits for pre-RSNA shared authmode support.
it has been #if 0'd since 3.9 and we have never supported this mode (no
ifconfig option etc...).


# 1.27 06-Jul-2007 damien

initialize an uninitialized variable.


# 1.26 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.25 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.24 16-Jun-2007 damien

constify


# 1.23 16-Jun-2007 damien

don't mix u_int{8,16,32}_t and uint{8,16,32}_t
use u_int{8,16,32}_t everywhere.


# 1.22 16-Jun-2007 damien

de-static

ok jsg@


# 1.21 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.20 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


# 1.19 10-Apr-2007 miod

``it's'' -> ``its'' when the grammar gods require this change.


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 13-Nov-2006 damien

fix a possible NULL deref.


Revision tags: OPENBSD_4_0_BASE
# 1.16 19-Jun-2006 reyk

unbreak the code if compiled with IEEE80211_DEBUG by using the right
node attribute.

ok damien@, figured out by claudio@


# 1.15 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.14 19-Feb-2006 damien

Fix a comment in ieee80211_next_scan().


# 1.13 09-Oct-2005 reyk

if the wireless hostap interface belongs to a bridge, learn the node's
address dynamically on this interface after successful association.
this could speed wireless roaming to openbsd accesspoints.

ok jason@, jsg@ can't see anything objectionable


# 1.12 07-Oct-2005 reyk

minor knf


# 1.11 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.10 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.9 08-Sep-2005 jsg

Remove the last of the FreeBSD compatibility goop.
ok reyk@


# 1.8 08-Sep-2005 jsg

Remove FreeBSD if_printf compat function from net80211.
ok reyk@


# 1.7 08-Sep-2005 reyk

reset the scan state for each new mode

ok jsg@


# 1.6 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.5 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.4 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.3 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.2 02-Nov-2004 millert

Don't call memset() if MALLOC returns NULL; also fix the rcs ID.
From Patrick Latifi; OK reyk@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.191 12-Jan-2022 stsp

Remove ieee80211_find_node_for_beacon().

The original purpose of ieee80211_find_node_for_beacon() was to avoid
storing duplicate nodes with the same source MAC address in a hash table.
Later on, our node table data structure was changed from a hash table
to an RB tree. The RB tree can only store a single node per MAC address.
However, find_node_for_beacon() was kept regardless, now documented to
serve a different purpose.

Its new purpose is to tell apart different nodes which happen to use
the same MAC address and hence cannot both be stored in the RB tree.
The idea is to filter such duplicate nodes out during a scan. But colliding
nodes are told apart by RSSI and channel, and either may change over time.
So this does not really prevent duplicate MAC addresses from causing issues.

The code which decides which node is "better" can erroneously match an
AP against itself, in case the AP uses a hidden SSID. This caused
workarounds for hidden SSID to pile up over time.
Just a bit further down, the code looks up the same node again and
performs all of the intended node state updates. Simply skipping the
ieee80211_find_node_for_beacon() check makes such state updates work.

ok tobhe@


# 1.190 07-Dec-2021 stsp

Teach the net80211 stack to remove corresponding frames from ic_pwrsaveq
when a power-saving client decides to leave our hostap interface.

Prevents a "key unset for sw crypto" panic as we try to send a frame
to a node which is in COLLECT state with its WPA keys already cleared.

We were already clearing the queue which buffers power-saved frames for
the client node. This queue is stored within the node structure itself.
However, the interface has another global queue for frames which need to
be transmitted by the driver to a set of nodes during the next DTIM.
We missed removing frames for a departing node from this global queue.

While here, add missing node refcount adjustments as frames get purged.

Problem reported by Mikolaj Kucharski, who tested this fix for more
than a week with athn(4), with no further panics observed.


# 1.189 03-Dec-2021 stsp

Introduce an optional driver-specific bgscan_done() handler which
allows the driver to take control of the roaming teardown sequence.
This handler allows drivers to ensure that race conditions between
firmware state and net80211 state are avoided, and will be used by
the iwm(4) and iwx(4) drivers soon.

Split the existing roaming teardown sequence into two steps, one step
for tearing down Tx block ack sessions which sends a DELBA frame, and a
second step for flushing Tx rings followed by sending a DEAUTH frame.
We used to queue both frames, expecting to switch APs once both were sent.
Now we effectively expect everything to be sent before we queue a final
DEAUTH frame, and wait for just this frame to be sent before switching.
This already made issues on iwm/iwx less frequent but by itself this was
not enough to close all races for those drivers. It should however help
when adding background scan support to a non-firmware device driver.

Tested, with driver patches:
iwm 8265: Aaron Poffenberger, stsp
iwm 9260: florian
iwm 9560: sthen
iwx ax200: jmc, stsp


# 1.188 03-Nov-2021 krw

In addition to the WEP key(s) being set at device initialization with
'nwid'/'nwkey', the keys will be set at random times when 'join'/'nwkey' is
used. So also stop trying to set IEEE80211_CIPHER_NONE keys on that path.

James Hastings confirms this fixes his '(null node)' panics on run(4). Thanks!

ok stsp@


# 1.187 08-Oct-2021 stsp

Revert my previous commit to ieee80211_node.c (CVS commit Hne35XgzezGa9zmv).

Sending frames from ieee80211_node_join_bss() won't work as expected.
I missed that IEEE80211_SEND_MGMT() calls if_start() immediately after
queueing the management frame. This means the probe request is being
sent in a state where, while ic_bss represents our new AP, the driver
did not yet have a chance to move the device over to our new AP.

The auth request for the new AP is sent from ieee80211_newstate() which
runs after the driver has reconfigured the device. If we want to send a
probe request to the new AP then we would need to send it at that point,
before the auth frame gets sent.


# 1.186 07-Oct-2021 stsp

Send a probe request to our new AP when we are about to roam to it.

Tested by fkr on iwx ax200/ax201 and myself on iwm 8265.
Also tested by florian and bket as part of a larger diff.

ok mpi@


Revision tags: OPENBSD_7_0_BASE
# 1.185 29-Apr-2021 stsp

Make iwn, iwm, and iwx keep track of beacon parameters at run-time.

- HT protection settings (this was already implemented)
- ERP (11g) protection setting
- short slottime setting
- short preamble setting
- EDCA (QoS) parameters

All of these parameters are communicated in beacons and hardware is
now kept up-to-date with them.

Prompted by a problem report from Christian Ehrhardt regarding ERP.

Tested:
iwn 6205: stsp, Josh Grosse
iwm 7265: trondd
iwm 8265: stsp, Matthias Schmidt
iwm 9260: phessler
iwx ax200: stsp, jmc, gnezdo


Revision tags: OPENBSD_6_9_BASE
# 1.184 15-Apr-2021 stsp

When starting an AP or IBSS network, reconfigure the operation mode to
11ac/n/a/g/b as applicable. Fixes an issue where hostap would end up
running in the rather meaningless MODE_AUTO unless a mode was explicitly
configured with ifconfig.

Found while investigating issues reported by trondd testing my athn RA patch.

ok deraadt@


# 1.183 10-Mar-2021 jsg

spelling

ok gnezdo@ semarie@ mpi@


Revision tags: OPENBSD_6_8_BASE
# 1.182 31-May-2020 stsp

Remove a dead assignment to ni_rsn_state in ieee80211_node_leave_rsn().

Patch by Mikolaj Kucharski


Revision tags: OPENBSD_6_7_BASE
# 1.181 05-May-2020 stsp

Purge the ic_bss->ni_savedq mbuf queue when a wireless interface goes down.

Purging this queue prevents a panic which occurs when a WPA2-enabled athn(4)
hostap interface is reconfigured while this queue contains frames.

In hostap mode, this queue contains group-addressed (broadcast) frames
which are buffered for clients sleeping in powersave state. Frames on
this queue are transmitted when it is time to send another beacon, at
which point in time sleeping clients wake up to receive such frames.

The panic message is "key unset for sw crypto", which can be explained as
follows: Group keys are cleared when the interface goes down. The beacon Tx
interrupt handler gets triggered by hardware when the interface comes back
up. This handler attempts to encrypt the queued frames for transmission,
resulting in the above panic since the group key has been zeroed out.

This panic has been observed with athn(4) by Jan Stary and Ted Patterson,
and Ted has confirmed that this patch fixes the problem.

ok kettenis@ (with the caveat that it's been a long time since he put our
AP-side powersave support into a working state)


# 1.180 08-Apr-2020 stsp

Fix ifconfig "media:" line for 11n wifi interfaces during and after bgscan.

Media was displayed as e.g. "autoselect (OFDM6)" even though 11n was active
because the current media mode is changed to AUTO for background scanning
and was never switched back to 11N.

ok mpi@ pirofti@


# 1.179 15-Jan-2020 phessler

If join is connected to an AP, remove the node from the cache so we properly
reconnect to the AP

OK stsp@


# 1.178 29-Dec-2019 stsp

If the new candidate AP found after a background scan has an RSSI level
that will also trigger background scans, remain with the current AP.
Avoids ping-pong in environments where APs are tuned for low transmit
range, such as 36c3.

ok phessler benno


# 1.177 10-Nov-2019 stsp

Stop connecting to available open wifi networks when the interface is put up.
From now on, this behaviour must be explicitly enabled with ifconfig join "".
ok sthen jcs deraadt


# 1.176 09-Nov-2019 stsp

Give access points which fail to AUTH or ASSOC less priority during
the next selection of networks from the join list. Prevents endless
attempts to connect to an AP which is out of reach but still somehow
manages to get a beacon or two across to us during scan.

Tested with wifi networks at the University of Bucharest.
Makes switching wifi networks possible after walking to a different
room without having to down/up the interface or suspend/resume.

ok phessler@


# 1.175 09-Nov-2019 stsp

Clear the unref callback function pointer when cleaning up an ieee80211_node.
ok mpi@


# 1.174 31-Oct-2019 stsp

Make background scans less frequent if we keep choosing the same AP.

This helps a bit in situations where a single AP is used and background scans
are causing packet loss, as seen with Jesper Wallin's Broadcom-based AP and my
Android phone in hotspot mode. This is not a proper fix but our background scan
frequency against a single AP was much higher than needed anyway.

Tested by jan, job, benno, Tracey Emery, Jesper Wallin


Revision tags: OPENBSD_6_6_BASE
# 1.173 02-Sep-2019 stsp

Make net80211 expose reasons for association failures to userland and have
ifconfig display them in 'scan' output and on the ieee80211 status line if
the failure is applicable to an already selected AP (e.g. wrong WPA key).

This will hopefully reduce the amount of help requests for what often
turn out to be trivial misconfiguration issues that were previously
hard to diagnose without debug mode.

ifconfig must be recompiled with the new ieee80211_ioctl.h to stay in
sync with the kernel. A full 'make build' will do the right thing!

Very helpful input by mpi@ and deraadt@


# 1.172 27-Aug-2019 stsp

Keep ieee80211_node structures cached across scans, rather than
wiping the entire cache every time a scan is triggered.

This has benefits for userland programs trying to look at scan results,
and for drivers which don't get a full view from hardware on every scan.

Nodes will still be evicted from the cache in one of several ways:

Add a new way of timing out inactive nodes which don't send a beacon
within 10 scan iterations, for client mode only. This should get rid
of stale APs if we're scanning for some time in a changing environment.

If we fail to associate a few times, the corresponding node is removed.

If net80211 transitions back to INIT state (e.g. because of a
user-initiated configuration change) all nodes are removed.

When a background scan starts all nodes will be removed. This could be
revisited later but has been intentionally left as-is for now.

Tested by myself, jmc@, benno@, procter@ on iwm(4), athn(4) and ral(4).


# 1.171 26-Aug-2019 stsp

remove redundant assignment to ic_curmode

This assignment to ic_curmode is redundant because it already occurs
inside ieee80211_setmode(), and channel information in selbs and ni
is equivalent after node_copy().

ok mpi@ kevlo@


# 1.170 29-Jul-2019 stsp

Add support for 802.11n Tx aggregation to net80211 and the iwn(4) driver.

In particular, add Tx block ack session management to net80211, with
enough functionality to support Tx aggregation on devices which perform
A-MPDU subframe scheduling in firmware.
Make use of the iwn(4) firmware Tx scheduler to build A-MPDUs.

net80211's QoS support code is now enabled and used by Tx aggregation.

A-MSDU frames inside A-MPDUs have been tested and work in principle.
For now, this feature is disabled because unfair TCP connection sharing
was observed during testing, where bursts of TCP Ack frames for a single
tcpbench(1) connection arriving in A-MSDUs made other TCP connections stall.
Switch off support for A-MSDUs inside A-MPDUs on the Rx side as well.

Tested on iwn chipsets 1000, 4965, 5100, 5300, 2200, 6200, 6205, 6300
(committed version of tested diff has all debug printfs removed)
tests/ok benno kmos mlarkin kevlo


# 1.169 23-Jul-2019 stsp

In 11n hostap mode, properly disable HT protection when needed
by actually overwriting the relevant bits in ni_htop1.
ok tedu@ phessler@ kettenis@


# 1.168 10-Jun-2019 stsp

Revised version of 'ifconfig mode' command fix.

The 'mode' command is supposed to force a wireless interface into 11a/b/g/n
media mode. This stopped working some time ago, probably during my work on
background scanning. Problem spotted by mlarkin@ who noticed that interfaces
were using 11g mode while forced to 11b mode.

ok phessler, jmatthew (earlier version)
relentless testing by krw@


# 1.167 31-May-2019 stsp

Revert my "Repair the 'ifconfig mode' command" commit.

The "recursion in end_scan()" problem is apparently still present in
the committed version of the diff (reported by krw@).


# 1.166 29-May-2019 stsp

Repair the 'ifconfig mode' command.

The 'mode' command is supposed to force a wireless interface into 11a/b/g/n
media mode. This stopped working some time ago, probably during my work on
background scanning. Problem spotted by mlarkin@ who noticed that interfaces
were using 11g mode while forced to 11b mode.

ok phessler, jmatthew


# 1.165 11-May-2019 stsp

Show driver name on net80211 scan debug lines.
ok mpi@


# 1.164 28-Apr-2019 mpi

Removes the KERNEL_LOCK() from bridge(4)'s output fast-path.

This redefines the ifp <-> bridge relationship. No lock can be
currently used across the multiple contexts where the bridge has
tentacles to protect a pointer, use an interface index.

Tested by various, ok dlg@, visa@


Revision tags: OPENBSD_6_5_BASE
# 1.163 15-Mar-2019 phessler

fix autojoin for WEP network by actually saving the WEP auth key

discovered while attempting to autojoin WEP networks


# 1.162 01-Mar-2019 stsp

Improve handling of HT protection for 'mode 11n' hostap.

Consider the mere presence of HTCAP IEs as indicator of 11n support,
rather than checking advertised Rx MCS. Fixes some devices being
misclassified as 11a/g, causing HT protection to be enabled even
though it is not needed.

Use CTS-to-self frames for HT protection instead of RTS/CTS.

These changes make my athn(4) AR9280 hostap perform much better.

ok phessler@


# 1.161 23-Jan-2019 stsp

Move 802.11n rateset definitions out of MiRA and make them available to
net80211 and drivers in general. Add ratesets for 'short guard interval'
(SGI) rates, and add SGI support to MiRA. SGI is currently only used by
iwm(4), and of course internally by bwfm(4) firmware.
Ratesets for 11n 40 MHz channels and 11ac will come later.
ok mpi@ phessler@


# 1.160 18-Jan-2019 phessler

add a len field when we delete an essid from the joinlist. this will have
us properly match, instead of hoping we got lucky when selecting it.

OK stsp@


# 1.159 18-Jan-2019 phessler

let users automatically use join to connect to any open wifi network.
if a known network is visible, always prefer that instead.

requested by many, OK stsp@


# 1.158 25-Nov-2018 phessler

print more details about the join'd networks we have saved when a user runs
ifconfig if joinlist

OK stsp@


# 1.157 20-Nov-2018 phessler

fix whitespace in debugging function


# 1.156 20-Nov-2018 patrick

The first packet received from each AP in each QoS class would be
dropped as the sequence number matches the initial value of the
cached last sequence number (zero). On some APs (notably Android
WIFI hotspots) this hits the first packet of the WPA2 4-way
handshake. This causes connection delays and in some cases
connection to the AP fails completely. Initialize the cached last
sequence numbers for received packets to an invalid value instead.

From Christian Ehrhardt
ok gerhard@ stsp@


# 1.155 27-Oct-2018 phessler

pass around the ess and ni structures we plan to use directly, instead
of rediscovering them (possibly badly).

OK stsp@


# 1.154 27-Oct-2018 phessler

clean up accounting of the AUTO_JOIN flag by making sure it is set or cleared
based on the state of the joinlist

OK stsp@


# 1.153 27-Oct-2018 phessler

don't join to a network where we expect cleartext, and the AP is using crypto

OK stsp@


Revision tags: OPENBSD_6_4_BASE
# 1.152 18-Sep-2018 mestre

fix memory leak in ieee80211_end_scan()

OK phessler@ jsg@


# 1.151 17-Sep-2018 jsg

fix memory leaks in ieee80211_add_ess()
ok stsp@ phessler@


# 1.150 11-Sep-2018 phessler

use the format string for signed ints, for signed ints

reminded by stsp@


# 1.149 11-Sep-2018 phessler

With the interface debug flag enabled, print a "score" for each AP we
consider during auto-join. This can help users determine why a specific
network was chosen.

OK stsp@


# 1.148 10-Sep-2018 phessler

fix typo in the length of the essid we want to switch to

found with and OK stsp@


# 1.147 10-Sep-2018 phessler

extract clearing WEP/WPA in ess into helper functions


# 1.146 10-Sep-2018 phessler

give set_ess a len variable, so we can correctly match the essid we want
to switch to.

pointed out by stsp@


# 1.145 09-Sep-2018 phessler

convert the things we save in 'join' into a single ioctl. mixing related
settings over multiple calls was risky and racy. Pass essid, wpa, and wep
parameters in a single ioctl and process it atomically.

no change for 'nwid' users

OK stsp@ benno@


# 1.144 06-Sep-2018 jsg

fix whitespace


# 1.143 01-Sep-2018 stsp

Make 'ifconfig nwid' override 'ifconfig join'.

There was no way to override a decision made by join's network
selection algorithm (apart from disabling the feature by clearing
the join list). Automatic selection is based on heuristics which
cannot always guess correctly so we need to provide an override.

One specific problem was that if 'nwid foo' and 'nwid bar' were
both visible in the scan and only 'nwid foo' was a member of the
join list, then there was no way at all to connect to 'nwid bar'.
The wireless stack would keep selecting 'nwid foo' instead.

'ifconfig iwm0 nwid bar' command will now disable automatic
network selection and force the use of ESSID 'bar'.
Any of these commands will re-enable automatic network selection:
ifconfig iwm0 -nwid
ifconfig iwm0 nwid ''
ifconfig iwm0 join some-network-id

ok phessler@ deraadt@


# 1.142 15-Aug-2018 stsp

Update AP selection heuristics for auto-join.

We now prefer stronger crypto over weaker crypto over none, prefer 5 GHz
band with reasonable RSSI, and use RSSI as a tie-breaker with a slight
advantage for 5GHz. Candidate APs are now ranked by a score which is
calculated based on these attributes.

There is likely room for improvements to make these heuristics
work well across many different environments, but it's a start.

ok phessler@


# 1.141 13-Aug-2018 stsp

Add support for band-steering access points to net80211.

Some access points have a feature called "band steering" where they
will try to push clients from 2 GHz channels to 5 GHz channels.
If a client sends probe-requests on both 2 GHz and 5GHz channels, and
then attempts to authenticate on a 2 GHz channel, such APs will deny
authentication and hope that the client will come back on a 5 GHz channel.

So if we fail to AUTH for any reason, and if there is a different
AP with the same ESSID that we haven't tried yet, try that AP next.
Keep trying until no APs are left, and only then continue scanning.

APs with support for this feature were provided by Mischa Peters.

ok phessler@ mpi@


# 1.140 11-Aug-2018 stsp

Add comment explaining why we read basic MCS set only from beacon/probereq.
requested by mpi@


# 1.139 07-Aug-2018 stsp

Ignore basic MCS set information found in association responses.

Some APs (Aruba 105) send a bogus basic MCS set in assoc responses
which prevents us from enabling 11n support with those APs, while
these APs still behave as if we were an 11n client which renders
the association unusable.

The basic MCS set is already provided in beacons anyway, and the
802.11 2012 standard says the basic MCS set is reserved in frames
other than beacons (see Table 8-130).

ok mpi@


# 1.138 06-Aug-2018 stsp

Refactor ieee80211_add_ess():

Drop ieee80211_add_ess's nwid parameter. Read nwid and length directly
from the ic to make it more obvious where this function is reading from.

nwids are binary data with an explicit length, so treat them as such
instead of treating them like strings.

ok florian phessler


# 1.137 06-Aug-2018 florian

Do not set nwid over and over again. We just found the ess by comparing
the nwid. It will not have changed in the meantime.
OK stsp


# 1.136 03-Aug-2018 phessler

revert 1.133 and part of 1.131
the stack doesn't always fill in the parameters correctly

reported by many


# 1.135 30-Jul-2018 stsp

Don't ask drivers to join a wifi network before an AP has been chosen.
Should fix a panic with bwfm(4) reported by mlarkin@
ok phessler@


# 1.134 19-Jul-2018 florian

ieee80211_ess_is_better() returns 0 or 1, comparing > 1 is always
false so we always selected the first wifi available, not the best
one.

While here shuffle some deck chairs to make it clearer that anything is
better than nothing.

tweak & OK phessler


# 1.133 16-Jul-2018 phessler

the AP sends their crypto parameters as a mask, so let us still select it
in case we want WPA2 and they have WPA1 still enabled


# 1.132 16-Jul-2018 phessler

don't save or use auto-join when the card is not in station (aka client) mode

OK stsp@


# 1.131 13-Jul-2018 phessler

Some more checks before auto-join switches networks.

Make sure all of the crypto options the AP announces matches what we
would configure. While here, don't switch if the user has specified
a specific BSSID, and the new AP does not match.

OK stsp@


# 1.130 11-Jul-2018 phessler

Introduce 'auto-join' to the wifi 802.11 stack.

This allows a system to remember which ESSIDs it wants to connect to, any
relevant security configuration, and switch to it when the network we are
currently connected to is no longer available.

Works when connecting and switching between WPA2/WPA1/WEP/clear encryptions.

example hostname.if:
join home wpakey password
join work wpakey mekmitasdigoat
join open-lounge
join cafe wpakey cafe2018
join "wepnetwork" nwkey "12345"
dhcp
inet6 autoconf
up

OK stsp@ reyk@
and enthusiasm from every hackroom I've been in for the last 3 years


# 1.129 28-Apr-2018 stsp

When starting a background scan, free the nodes table to ensure we
get an up-to-date view of APs around us. In particular, we need to
kick out the AP we are associated to. Otherwise, our current AP might
stay cached if it is turned off while we are scanning, and we could
end up picking a now non-existent but "good looking" AP over and over.

found with and ok phessler@


# 1.128 27-Apr-2018 stsp

Fix the scan loop: We were only looking for an AP once and stopped
scanning if none was found.
Accidentally broken in recent ifconfig scan changes by pirofti and me.
ok pirofti


# 1.127 26-Apr-2018 pirofti

net80211: stub SIOCS80211SCAN, make ifconfig scan instant.

The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stsp@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.

The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.

In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.

The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...

Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.

Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).

Tested by mpi@, landry@, florian@, thanks!
OK mpi@.


Revision tags: OPENBSD_6_3_BASE
# 1.126 06-Feb-2018 phessler

convert the test if a node supports HT (aka, 11n) into an inline function,
instead of testing some un-obvious bitfield

OK stsp@


# 1.125 12-Dec-2017 stsp

Don't dereference IEEE80211_CHAN_ANYC pointer in ieee80211_node_checkrssi().

Problem reported by Gregoire Jadi on bugs@


# 1.124 12-Dec-2017 phessler

Allow interfaces that aren't SCANNALLBAND drivers to benefit from the
strongest received signal.

OK stsp@


# 1.123 12-Dec-2017 jcs

Fix the behavior of preferring weaker-but-still-good 5GHz APs over
2GHz APs because the 5GHz band is generally less saturated.

The previous implementation was dependent upon the order of walking
APs.

ok stsp


# 1.122 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


Revision tags: OPENBSD_6_2_BASE
# 1.121 05-Sep-2017 stsp

When starting a new scan always set the mode to AUTO if the driver scans
all bands at once. Fixes a problem where e.g. 5GHz APs were filtered out
if we were previously associated to an 11g-only AP.
ok mpi@ phessler@


# 1.120 17-Aug-2017 stsp

Add an entry to dmesg if pairwise WPA keys arrive unexpectedly or if WPA
group keys are being reused. OpenBSD wireless clients will now leave a
trail of such events in their message log.

There has been increased public scrutiny of WPA's security recently, so
I am curious to see if anyone is attempting replay attacks in the wild.

ok deraadt


# 1.119 04-Aug-2017 stsp

Compile a debug printf in ieee80211_match_bss() by default, previously
guarded by the IEEE80211_DEBUG preprocessor flag. This shows one line
per detected AP after a scan, and indicates which APs are considered
candidates for association.
Shorten the output a bit to fit into 80 columns more likely.
ok sthen@


# 1.118 19-Jul-2017 stsp

Improve the heuristic which selects 5GHz APs over 2GHz APs.

The previous code wasn't quite right: it didn't account for the fact that
some drivers don't set ic_max_rssi, and it compared 5GHz APs to a threshold
relative to the max RSSI, rather than comparing RSSI on 5GHz relative to
RSSI on 2GHz.

This heuristic is only used by SCANNALLBAND drivers: iwn(4), iwm(4), wpi(4)

In the future the AP selection heuristic should be made more intelligent,
e.g. it should take BSS load information in beacons into account.
Another open problem is inconsistent representation of RSSI measurement
values throughout our drivers and stack. Help is welcome!

For now, this hopefully improves AP selection at busy airports.

ok sthen@ deraadt@


# 1.117 04-Jun-2017 tb

Add sizes for free for the RSN IEs. Rewrite ieee80211_save_ie() slightly
to make it more readable.

help, many explanations and ok stsp


# 1.116 03-Jun-2017 tb

Add a few sizes to free().

Input, help & ok stsp


Revision tags: OPENBSD_6_1_BASE
# 1.115 04-Mar-2017 stsp

branches: 1.115.4;
In 11n hostap mode, dynamically adjust HT protection settings based on
the presence of non-HT nodes in the node cache.
OpenBSD 11n APs will now disable HT protection if it is not necessary.
ok mpi@


# 1.114 03-Feb-2017 stsp

Fix 11b clients sending bogus ratesets in association requests. The common
rateset with the AP is calculated only after the association response was
received, which is too late. Fix rates when an AP is selected after a scan.
ok mpi@ tb@


# 1.113 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.112 16-Jan-2017 stsp

Reset block ack state and cancel related timeouts when a HT node disassociates.
The existing code (from damien@) already took care of freeing related buffers
but because block ack state was not reset we were still trying to use these
buffers if the node sent another A-MPDU. This problem only affects 11n hostap.
Fixes kernel crash reported by Timo Myyra on bugs@


# 1.111 09-Jan-2017 stsp

When a HT node leaves or reassociates as a non-HT node,
clear HT capabilities stored in its node cache object.

A node may switch from 11n mode to 11a/b/g mode.
If we don't clear HT capabilities from the cache the node will
be mistaken as 11n-capable after reassociation.

ok phessler@ mpi@


# 1.110 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.109 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.108 09-Jan-2017 stsp

The point of ieee80211_node_leave() is to place the node in COLLECT state.
Return early and do nothing if the node is already in COLLECT state upon
entry to this function.


# 1.107 09-Jan-2017 stsp

When acting as hostap, negotiate HT before calling the driver's ic_newassoc()
function, not afterwards. Drivers now know whether a joining node supports HT
which helps with setting up state such as which Tx rate to use.


# 1.106 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@


# 1.105 15-Sep-2016 dlg

move from RB macros to the RBT functions.

shaves about 5k off an amd64 GENERIC.MP kernel


# 1.104 17-Aug-2016 stsp

If a wireless device or driver scans all bands at once give 5GHz APs
a slight priority in cases where good matches exist in either band.
ok sthen@


Revision tags: OPENBSD_6_0_BASE
# 1.103 21-May-2016 stsp

branches: 1.103.2;
Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


# 1.102 18-May-2016 stsp

In hostap mode, don't re-use association IDs (AIDs) of nodes which are
still lingering in the node cache. This could cause an AID to be assigned
twice, once to a newly associated node and once to a different node in
COLLECT cache state (i.e. marked for future eviction from the node cache).

Drivers (e.g. rt2860) may use AIDs to keep track of nodes in firmware
tables and get confused when AIDs aren't unique across the node cache.
The symptom observed with rt2860 were nodes stuck at 1 Mbps Tx rate since
the duplicate AID made the driver perform Tx rate (AMRR) accounting on
the wrong node object.

To find out if a node is associated we now check the node's cache state,
rather than comparing the node's AID against zero. An AID is assigned when
a node associates and it lasts until the node is eventually purged from the
node cache (previously, the AID was made available for re-use when the node
was placed in COLLECT state). There is no need to be stingy with AIDs since
the number of possible AIDs exceeds the maximum number of nodes in the cache.

Problem found by Nathanael Rensen.
Fix written by Nathanael and myself. Tested by Nathanael.
Committing now to get this change tested across as many drivers as possible.


# 1.101 12-Apr-2016 mpi

Call if_enqueue() and if_start() instead of dereferencing the ifp
pointers.

These functions have been introduced to abstract some of the MP-
safeness^Wmadness and should be used everywhere.

Prodded by a comment from jsg@.

ok mikeb@, stsp@


# 1.100 03-Mar-2016 gerhard

Restore assignment of ic_curmode that was accidentally removed when
moving the ERP code to post-assoc phase. Fixes iwi(4) fatal firmware
errors.

ok stsp@, sobrado@


Revision tags: OPENBSD_5_9_BASE
# 1.99 25-Jan-2016 stsp

branches: 1.99.2;
Honour ERP protection on 2 GHz channels in 11n mode, as done for 11g.
ok millert@


# 1.98 25-Jan-2016 stsp

Don't try to interpret htprot data if the last beacon didn't contain such data.
ok mpi@ millert@


# 1.97 07-Jan-2016 stsp

Make the A-MPDU reordering buffer more resilient against APs which drop
some subframes or let the sequence number jump up by more than 1 (hard
to tell which it is). We decrease the BA inactivity timeout for quicker
recovery from stalled BA sessions, and add a new timeout which keeps track
of gaps in the subframe sequence number space due to dropped frames.
Gaps expire after 500 msec, the same value FreeBSD uses for their
implementation of this workaround. And Linux uses this trick, too.

This should fix network stalls some people have been seeing in 11n mode.

ok deraadt@


# 1.96 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.95 04-Jan-2016 stsp

While configuring ERP we need to know if we're in 11a or 11g mode so only
configure ERP once we are sure about our operation mode against the AP.
ok sthen jasper kettenis deraadt mpi


# 1.94 18-Dec-2015 sthen

unnoccupied->unoccupied


# 1.93 12-Dec-2015 stsp

Finish support for receiving 11n A-MPDUs.

The initial implementation was added by damien@ years ago.
Summary of the changes made in this commit:
- In ieee80211_input(), process A-MPDUs before duplicate detection.
- Don't forget to set ba->ba_ni in ieee80211_recv_addba_req()
so we don't crash in ieee80211_rx_ba_timeout().
- In ieee80211_recv_addba_req(), tweak the logic to deny BlockAck
requests if the driver has no callback for doing so.
- Implement ieee80211_ba_del() which cleans up BlockAck state.
- Increase the minimum and maximum lifetime for BlockAck agreements.

ok mpi@


# 1.92 24-Nov-2015 mpi

No need to include <net/if_arp.h>

This header is only needed because <netinet/if_ether.h> declares a
structure that needs it. But it turns out that <net/if.h> already
includes it as workaround.

A proper solution would be to stop declaring "struct ether_arp"
there. But no driver should need this header.


# 1.91 15-Nov-2015 stsp

Parse 11n HT capabilities and operational info from association response
frames, negotiate HT with the AP, and move the interface into or out of
11n mode accordingly. If running as AP negotiate HT with nodes joining the BSS.

ok deraadt mpi kettenis guenther


# 1.90 15-Nov-2015 stsp

Extend struct ieee80211_node with fields for 11n STA HT capabilities and
HT operational information sent by 11n APs. These fields reflect the structure
of elements in management frames so that IEEE80211_HTCAP* and IEEE80211_HTOP*
macros designed to operate on frame elements can be used directly to read
or set the fields.

Populate nodes with HT information received in probe responses, probe
requests, and association requests.

ok deraadt mpi phessler kettenis guenther


# 1.89 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


Revision tags: OPENBSD_5_8_BASE
# 1.88 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.87 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.86 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.85 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rndvar.h. ok deraadt dlg


# 1.84 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.83 12-Sep-2014 sthen

Remove cached 802.11 nodes in IEEE80211_STA_CACHE state (these are nodes
which have been seen but which haven't otherwise interacted with us), fixing
a problem where old cached nodes are seen when doing a scan.
From Marcin Piotr Pawlowski, feedback stsp@ ok kspillner@ dcoppa@


# 1.82 08-Aug-2014 jasper

use nitems() instead of various local constructs

ok stsp@


Revision tags: OPENBSD_5_6_BASE
# 1.81 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


Revision tags: OPENBSD_5_5_BASE
# 1.80 01-Dec-2013 stsp

Reset txrate array index after changing a node's rate list.
Should prevent "bogus xmit rate %d setup" panics, which I ran into again
in IBSS mode.
ok kettenis


# 1.79 21-Nov-2013 mpi

Remove unneeded include.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.78 24-Mar-2013 claudio

Make ieee80211_set_tim() available from outside of ieee80211_node.c
so drivers like acx(4) can use that function directly instead of
reimplementing the function again. Requested by kettenis@ long time ago.


Revision tags: OPENBSD_5_3_BASE
# 1.77 07-Nov-2012 stsp

Fix DPRINTF() format string treating n->ni_refcnt, which is unsigned, as signed.
diff from dhill; ok kettenis reyk


# 1.76 10-Oct-2012 kettenis

Clear the powersave flag and purge queued packets when a node leaves the AP
(either by disassociating or by timeout). Fixes (most) remaining issues with
power saving.

From Nathanael Rensen.

ok claudio@, krw@, sthen@


# 1.75 05-Oct-2012 camield

Point an interface directly to its bridgeport configuration, instead
of to the bridge itself. This is ok, since an interface can only be part
of one bridge, and the parent bridge is easy to find from the bridgeport.

This way we can get rid of a lot of list walks, improving performance
and shortening the code.

ok henning stsp sthen reyk


# 1.74 20-Sep-2012 stsp

Nuke M_80211_NODE #define which mapped to M_DEVBUF and use M_DEVBUF directly.
ok henning


# 1.73 25-Aug-2012 kettenis

Set up ni_savedq for the initial BSS node such that it can actually be used
to store multicast frames when one of the associated stations is in power
saving mode.

ok stsp@


# 1.72 17-Aug-2012 stsp

Fix possible panic while switching from STA mode into hostap/ibss modes.
ieee80211_create_ibss() resets the set of supported rates but failed
to update the index into the rate set array accordingly. If the rate
configured during STA operation didn't belong to the newly configured
rate set the system ran into an assertion ("bogus xmit rate %u setup")
while trying to create the IBSS.
ok fgsch@


Revision tags: OPENBSD_5_2_BASE
# 1.71 18-Jul-2012 stsp

Print messages about nodes purged from the node cache if hostap/ibss modes are
compiled in and the interface is in debug mode. ok sthen


# 1.70 16-Jul-2012 stsp

Move increment of ic_nnodes closer to where the node is actually inserted
into the cache. Make sure we're at IPL_NET while incrementing/decrementing
ic_nnodes. Add a debug message that warns about possible node leaks.
All of this affects hostap mode only.


# 1.69 13-Jul-2012 stsp

Tweak node cache eviction strategy when the cache is full: kick off new nodes
in AUTH state that weren't active during the cache wait interval rather than
keeping them for the entire cache timeout interval. Fixes association failures
in noisy RF environments. Tested by edd and myself with a slow soekris
suffering from RF noise with about 50 interrupts per second on ral0.
ok deraadt


Revision tags: OPENBSD_5_1_BASE
# 1.68 25-Jan-2012 stsp

There is no need to explicitly skip ic_bss when iterating over cached nodes.
The ic_bss is never put into the RB tree.


# 1.67 25-Jan-2012 stsp

Clean inactive authenticated nodes during cache timeout as well.
There is no need to keep nodes cached which never associated and were
inactive within the last 5 minutes or more. Keeps the node cache pretty
clean in my environment with typical city-center wlan noise.


# 1.66 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@


# 1.65 21-Jan-2012 stsp

Hold interrupts blocked while comparing a cached node's refcount to zero
and freeing the node. Just in case an interrupt happens to ref the node after
the refcount was checked but before the node is freed.
Tested by several as part of a larger diff.


# 1.64 18-Jan-2012 stsp

Make it possible to free cached nodes which never associated (e.g. nodes
only scanning for networks). These were never put into COLLECT state and
were thus never evicted from the node cache in hostap mode.
ok jsg@


Revision tags: OPENBSD_5_0_BASE
# 1.63 28-Mar-2011 kettenis

Clean nodes until the number of cached nodes is smaller than the maximum number
of nodes, otherwise we'll never actually clean any nodes. Fixes issues with
clients failing to attach because the node cache is completely filled.

ok damien@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.62 07-Aug-2010 krw

No "\n" needed at the end of panic() strings.

Bogus chunks pointed out by matthew@ and miod@. No cookies for
marco@ and jasper@.

ok deraadt@ miod@ matthew@ jasper@ marco@


# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


# 1.60 19-Jun-2010 damien

In ieee80211_node_leave(), clear the associd after calling
ieee80211_node_leave_rsn() since ieee80211_node_leave_rsn()
calls ic_delete_key() and drivers like ral(4) RT2860 need
a valid associd in their delete_key callbacks.
This affects HostAP mode only.

from Nathanael Rensen.

remove a useless (nested) #ifndef IEEE80211_STA_ONLY while i'm here


# 1.59 14-Jun-2010 damien

fix my previous commit, i forgot BIP, so instead of enumerating
what is not supported as a group cipher, enumerate what is supported.


# 1.58 14-Jun-2010 damien

do not try to associate with an AP using an unsupported group cipher,
otherwise we will panic in ieee80211_add_rsn_body().

this may be the cause of a panic seen by reyk@ though i'm not 100% sure.


# 1.57 28-Mar-2010 krw

Four uses of uninitialized variables found by clang via jsg@. ar5416, ar9287
and athn are only theoretically interesting. ieee80211_node fixes a real
bug in occupied channel detection.

ok damien@


Revision tags: OPENBSD_4_7_BASE
# 1.56 17-Feb-2010 damien

Do not always create a new node when a beacon or a probe response
is received. The creation of a new node is already handled in
ieee80211_recv_probe_resp() when necessary.
This avoids creating empty nodes with wrong channels when beacons
are received on the wrong channel (overlapping channels).
Those empty nodes may also prevent the real node from being
discovered because of ieee80211_find_node_for_beacon() filtering.

This should prevent entries of the form:
nwid "" chan 3 bssid 00:01:02:03:04:05 0dB 54M
in "ifconfig if0 scan" output, like reported by Rivo Nurges.


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.55 29-Jan-2009 damien

fix a panic that occurs when IEEE80211_STA_ONLY is defined (SMALL_KERNEL).

noticed by ray@, more investigation from sthen@
fix tested by sthen@


# 1.54 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.53 28-Jan-2009 damien

In ieee80211_find_node(), roll our own RB_FIND() based on the key (macaddr)
instead of resorting to horrid hacks/casts.
Restore the ieee80211_node structure back to its original state.


# 1.52 27-Jan-2009 damien

unbreak SMALL_KERNEL builds by adding missing #ifndef IEEE80211_STA_ONLY

pointed out by krw@


# 1.51 26-Jan-2009 damien

move ni_macaddr field to the top of the ieee80211_node structure.
this way we can avoid putting a full node structure (which is huge)
on the stack in ieee80211_find_node().
this is a bit tricky but the RB_FIND macro wants an "elem" structure,
not a field of "elem".


# 1.50 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.49 14-Dec-2008 damien

Add an ieee80211_notify_dtim() function that drivers should call after
every DTIM in HostAP mode.
Flushes all group addressed MSDUs buffered at the AP for power management.


# 1.48 23-Oct-2008 mk

Prevent a crash in ieee80211_setkeys() when unplugging an interface in
hostap mode by canceling the group rekey timeout in ieee80211_node_detach().

ok damien


# 1.47 15-Oct-2008 blambert

Second pass of simple timeout_add -> timeout_add_sec conversions
This should take care of the simpler ones (i.e., timeout values of
integer multiples of hz).

ok krw@, art@


# 1.46 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.45 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.44 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.43 12-Aug-2008 damien

new SHA-256 based AKMPs.


# 1.42 12-Aug-2008 damien

add/process group integrity cipher suite in RSN IEs.
add support for MFP negotiation during association.


# 1.41 12-Aug-2008 damien

the only integrity group cipher currently supported is AES-128-CMAC.


# 1.40 12-Aug-2008 damien

generate a random IGTK in HostAP mode if we're MFP-capable.


# 1.39 12-Aug-2008 damien

get rid of the map_ptk()/map_gtk() functions, just inline them
which makes things easier to track.


Revision tags: OPENBSD_4_4_BASE
# 1.38 02-Aug-2008 damien

Drop frames that are received unencrypted when WEP is on or when
WPA is on and RX protection for TA is on.
Keep track of the TX/RX protection for each node when WPA is on.

tested by djm@ (ral+wpa), ckuethe@ (ath-noenc) and krw@ (wpi<->ral+wpa).
hints from bluhm@
has been in snaps for a few days.

pointed out by bluhm@ something like 1 year ago but we did not have
the right infrastructure to fix it properly at that time.

ok deraadt@


# 1.37 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.36 27-Jul-2008 damien

s/IEEE80211_DPRINTF/DPRINTF/
automatically prepend __func__ to output.

deobfuscates debug messages a bit.
no binary change unless compiled with IEEE80211_DEBUG.


# 1.35 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.34 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


# 1.33 21-Apr-2008 damien

move ieee80211_ibss_merge() from ieee80211_input.c to ieee80211_node.c


# 1.32 21-Apr-2008 damien

move ieee80211_auth_open() to ieee80211_proto.c
move ieee80211_setup_rates() to ieee80211_node.c
move some prototypes from ieee80211_proto.h to ieee80211_crypto.h


# 1.31 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.30 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.29 07-Sep-2007 damien

use new malloc M_ZERO flag + replace MALLOC with malloc


Revision tags: OPENBSD_4_2_BASE
# 1.28 06-Jul-2007 damien

remove remaining bits for pre-RSNA shared authmode support.
it has been #if 0'd since 3.9 and we have never supported this mode (no
ifconfig option etc...).


# 1.27 06-Jul-2007 damien

initialize an uninitialized variable.


# 1.26 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.25 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.24 16-Jun-2007 damien

constify


# 1.23 16-Jun-2007 damien

don't mix u_int{8,16,32}_t and uint{8,16,32}_t
use u_int{8,16,32}_t everywhere.


# 1.22 16-Jun-2007 damien

de-static

ok jsg@


# 1.21 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.20 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


# 1.19 10-Apr-2007 miod

``it's'' -> ``its'' when the grammar gods require this change.


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 13-Nov-2006 damien

fix a possible NULL deref.


Revision tags: OPENBSD_4_0_BASE
# 1.16 19-Jun-2006 reyk

unbreak the code if compiled with IEEE80211_DEBUG by using the right
node attribute.

ok damien@, figured out by claudio@


# 1.15 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.14 19-Feb-2006 damien

Fix a comment in ieee80211_next_scan().


# 1.13 09-Oct-2005 reyk

if the wireless hostap interface belongs to a bridge, learn the node's
address dynamically on this interface after successful association.
this could speed wireless roaming to openbsd accesspoints.

ok jason@, jsg@ can't see anything objectionable


# 1.12 07-Oct-2005 reyk

minor knf


# 1.11 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.10 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.9 08-Sep-2005 jsg

Remove the last of the FreeBSD compatibility goop.
ok reyk@


# 1.8 08-Sep-2005 jsg

Remove FreeBSD if_printf compat function from net80211.
ok reyk@


# 1.7 08-Sep-2005 reyk

reset the scan state for each new mode

ok jsg@


# 1.6 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.5 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.4 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.3 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.2 02-Nov-2004 millert

Don't call memset() if MALLOC returns NULL; also fix the rcs ID.
From Patrick Latifi; OK reyk@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.192 14-Mar-2022 stsp

Add initial 802.11ac (VHT) support to net80211.

Add VHT capability and operation IE definitions to ieee80211.h.
Introduce channel flags to identify 80MHz and 160MHz capable channels.

Parse VHT IEs in beacons, announce the driver's VHT capabilities in
probe requests and assoc requests, and hop into 11ac mode after
association to the AP if possible.

Enable VHT by default if the driver announces support for it.

ok claudio@


# 1.191 12-Jan-2022 stsp

Remove ieee80211_find_node_for_beacon().

The original purpose of ieee80211_find_node_for_beacon() was to avoid
storing duplicate nodes with the same source MAC address in a hash table.
Later on, our node table data structure was changed from a hash table
to an RB tree. The RB tree can only store a single node per MAC address.
However, find_node_for_beacon() was kept regardless, now documented to
serve a different purpose.

Its new purpose is to tell apart different nodes which happen to use
the same MAC address and hence cannot both be stored in the RB tree.
The idea is to filter such duplicate nodes out during a scan. But colliding
nodes are told apart by RSSI and channel, and either may change over time.
So this does not really prevent duplicate MAC addresses from causing issues.

The code which decides which node is "better" can erroneously match an
AP against itself, in case the AP uses a hidden SSID. This caused
workarounds for hidden SSID to pile up over time.
Just a bit further down, the code looks up the same node again and
performs all of the intended node state updates. Simply skipping the
ieee80211_find_node_for_beacon() check makes such state updates work.

ok tobhe@


# 1.190 07-Dec-2021 stsp

Teach the net80211 stack to remove corresponding frames from ic_pwrsaveq
when a power-saving client decides to leave our hostap interface.

Prevents a "key unset for sw crypto" panic as we try to send a frame
to a node which is in COLLECT state with its WPA keys already cleared.

We were already clearing the queue which buffers power-saved frames for
the client node. This queue is stored within the node structure itself.
However, the interface has another global queue for frames which need to
be transmitted by the driver to a set of nodes during the next DTIM.
We missed removing frames for a departing node from this global queue.

While here, add missing node refcount adjustments as frames get purged.

Problem reported by Mikolaj Kucharski, who tested this fix for more
than a week with athn(4), with no further panics observed.


# 1.189 03-Dec-2021 stsp

Introduce an optional driver-specific bgscan_done() handler which
allows the driver to take control of the roaming teardown sequence.
This handler allows drivers to ensure that race conditions between
firmware state and net80211 state are avoided, and will be used by
the iwm(4) and iwx(4) drivers soon.

Split the existing roaming teardown sequence into two steps, one step
for tearing down Tx block ack sessions which sends a DELBA frame, and a
second step for flushing Tx rings followed by sending a DEAUTH frame.
We used to queue both frames, expecting to switch APs once both were sent.
Now we effectively expect everything to be sent before we queue a final
DEAUTH frame, and wait for just this frame to be sent before switching.
This already made issues on iwm/iwx less frequent but by itself this was
not enough to close all races for those drivers. It should however help
when adding background scan support to a non-firmware device driver.

Tested, with driver patches:
iwm 8265: Aaron Poffenberger, stsp
iwm 9260: florian
iwm 9560: sthen
iwx ax200: jmc, stsp


# 1.188 03-Nov-2021 krw

In addition to the WEP key(s) being set at device initialization with
'nwid'/'nwkey', the keys will be set at random times when 'join'/'nwkey' is
used. So also stop trying to set IEEE80211_CIPHER_NONE keys on that path.

James Hastings confirms this fixes his '(null node)' panics on run(4). Thanks!

ok stsp@


# 1.187 08-Oct-2021 stsp

Revert my previous commit to ieee80211_node.c (CVS commit Hne35XgzezGa9zmv).

Sending frames from ieee80211_node_join_bss() won't work as expected.
I missed that IEEE80211_SEND_MGMT() calls if_start() immediately after
queueing the management frame. This means the probe request is being
sent in a state where, while ic_bss represents our new AP, the driver
did not yet have a chance to move the device over to our new AP.

The auth request for the new AP is sent from ieee80211_newstate() which
runs after the driver has reconfigured the device. If we want to send a
probe request to the new AP then we would need to send it at that point,
before the auth frame gets sent.


# 1.186 07-Oct-2021 stsp

Send a probe request to our new AP when we are about to roam to it.

Tested by fkr on iwx ax200/ax201 and myself on iwm 8265.
Also tested by florian and bket as part of a larger diff.

ok mpi@


Revision tags: OPENBSD_7_0_BASE
# 1.185 29-Apr-2021 stsp

Make iwn, iwm, and iwx keep track of beacon parameters at run-time.

- HT protection settings (this was already implemented)
- ERP (11g) protection setting
- short slottime setting
- short preamble setting
- EDCA (QoS) parameters

All of these parameters are communicated in beacons and hardware is
now kept up-to-date with them.

Prompted by a problem report from Christian Ehrhardt regarding ERP.

Tested:
iwn 6205: stsp, Josh Grosse
iwm 7265: trondd
iwm 8265: stsp, Matthias Schmidt
iwm 9260: phessler
iwx ax200: stsp, jmc, gnezdo


Revision tags: OPENBSD_6_9_BASE
# 1.184 15-Apr-2021 stsp

When starting an AP or IBSS network, reconfigure the operation mode to
11ac/n/a/g/b as applicable. Fixes an issue where hostap would end up
running in the rather meaningless MODE_AUTO unless a mode was explicitly
configured with ifconfig.

Found while investigating issues reported by trondd testing my athn RA patch.

ok deraadt@


# 1.183 10-Mar-2021 jsg

spelling

ok gnezdo@ semarie@ mpi@


Revision tags: OPENBSD_6_8_BASE
# 1.182 31-May-2020 stsp

Remove a dead assignment to ni_rsn_state in ieee80211_node_leave_rsn().

Patch by Mikolaj Kucharski


Revision tags: OPENBSD_6_7_BASE
# 1.181 05-May-2020 stsp

Purge the ic_bss->ni_savedq mbuf queue when a wireless interface goes down.

Purging this queue prevents a panic which occurs when a WPA2-enabled athn(4)
hostap interface is reconfigured while this queue contains frames.

In hostap mode, this queue contains group-addressed (broadcast) frames
which are buffered for clients sleeping in powersave state. Frames on
this queue are transmitted when it is time to send another beacon, at
which point in time sleeping clients wake up to receive such frames.

The panic message is "key unset for sw crypto", which can be explained as
follows: Group keys are cleared when the interface goes down. The beacon Tx
interrupt handler gets triggered by hardware when the interface comes back
up. This handler attempts to encrypt the queued frames for transmission,
resulting in the above panic since the group key has been zeroed out.

This panic has been observed with athn(4) by Jan Stary and Ted Patterson,
and Ted has confirmed that this patch fixes the problem.

ok kettenis@ (with the caveat that it's been a long time since he put our
AP-side powersave support into a working state)


# 1.180 08-Apr-2020 stsp

Fix ifconfig "media:" line for 11n wifi interfaces during and after bgscan.

Media was displayed as e.g. "autoselect (OFDM6)" even though 11n was active
because the current media mode is changed to AUTO for background scanning
and was never switched back to 11N.

ok mpi@ pirofti@


# 1.179 15-Jan-2020 phessler

If join is connected to an AP, remove the node from the cache so we properly
reconnect to the AP

OK stsp@


# 1.178 29-Dec-2019 stsp

If the new candidate AP found after a background scan has an RSSI level
that will also trigger background scans, remain with the current AP.
Avoids ping-pong in environments where APs are tuned for low transmit
range, such as 36c3.

ok phessler benno


# 1.177 10-Nov-2019 stsp

Stop connecting to available open wifi networks when the interface is put up.
From now on, this behaviour must be explicitly enabled with ifconfig join "".
ok sthen jcs deraadt


# 1.176 09-Nov-2019 stsp

Give access points which fail to AUTH or ASSOC less priority during
the next selection of networks from the join list. Prevents endless
attempts to connect to an AP which is out of reach but still somehow
manages to get a beacon or two across to us during scan.

Tested with wifi networks at the University of Bucharest.
Makes switching wifi networks possible after walking to a different
room without having to down/up the interface or suspend/resume.

ok phessler@


# 1.175 09-Nov-2019 stsp

Clear the unref callback function pointer when cleaning up an ieee80211_node.
ok mpi@


# 1.174 31-Oct-2019 stsp

Make background scans less frequent if we keep choosing the same AP.

This helps a bit in situations where a single AP is used and background scans
are causing packet loss, as seen with Jesper Wallin's Broadcom-based AP and my
Android phone in hotspot mode. This is not a proper fix but our background scan
frequency against a single AP was much higher than needed anyway.

Tested by jan, job, benno, Tracey Emery, Jesper Wallin


Revision tags: OPENBSD_6_6_BASE
# 1.173 02-Sep-2019 stsp

Make net80211 expose reasons for association failures to userland and have
ifconfig display them in 'scan' output and on the ieee80211 status line if
the failure is applicable to an already selected AP (e.g. wrong WPA key).

This will hopefully reduce the amount of help requests for what often
turn out to be trivial misconfiguration issues that were previously
hard to diagnose without debug mode.

ifconfig must be recompiled with the new ieee80211_ioctl.h to stay in
sync with the kernel. A full 'make build' will do the right thing!

Very helpful input by mpi@ and deraadt@


# 1.172 27-Aug-2019 stsp

Keep ieee80211_node structures cached across scans, rather than
wiping the entire cache every time a scan is triggered.

This has benefits for userland programs trying to look at scan results,
and for drivers which don't get a full view from hardware on every scan.

Nodes will still be evicted from the cache in one of several ways:

Add a new way of timing out inactive nodes which don't send a beacon
within 10 scan iterations, for client mode only. This should get rid
of stale APs if we're scanning for some time in a changing environment.

If we fail to associate a few times, the corresponding node is removed.

If net80211 transitions back to INIT state (e.g. because of a
user-initiated configuration change) all nodes are removed.

When a background scan starts all nodes will be removed. This could be
revisited later but has been intentionally left as-is for now.

Tested by myself, jmc@, benno@, procter@ on iwm(4), athn(4) and ral(4).


# 1.171 26-Aug-2019 stsp

remove redundant assignment to ic_curmode

This assignment to ic_curmode is redundant because it already occurs
inside ieee80211_setmode(), and channel information in selbs and ni
is equivalent after node_copy().

ok mpi@ kevlo@


# 1.170 29-Jul-2019 stsp

Add support for 802.11n Tx aggregation to net80211 and the iwn(4) driver.

In particular, add Tx block ack session management to net80211, with
enough functionality to support Tx aggregation on devices which perform
A-MPDU subframe scheduling in firmware.
Make use of the iwn(4) firmware Tx scheduler to build A-MPDUs.

net80211's QoS support code is now enabled and used by Tx aggregation.

A-MSDU frames inside A-MPDUs have been tested and work in principle.
For now, this feature is disabled because unfair TCP connection sharing
was observed during testing, where bursts of TCP Ack frames for a single
tcpbench(1) connection arriving in A-MSDUs made other TCP connections stall.
Switch off support for A-MSDUs inside A-MPDUs on the Rx side as well.

Tested on iwn chipsets 1000, 4965, 5100, 5300, 2200, 6200, 6205, 6300
(committed version of tested diff has all debug printfs removed)
tests/ok benno kmos mlarkin kevlo


# 1.169 23-Jul-2019 stsp

In 11n hostap mode, properly disable HT protection when needed
by actually overwriting the relevant bits in ni_htop1.
ok tedu@ phessler@ kettenis@


# 1.168 10-Jun-2019 stsp

Revised version of 'ifconfig mode' command fix.

The 'mode' command is supposed to force a wireless interface into 11a/b/g/n
media mode. This stopped working some time ago, probably during my work on
background scanning. Problem spotted by mlarkin@ who noticed that interfaces
were using 11g mode while forced to 11b mode.

ok phessler, jmatthew (earlier version)
relentless testing by krw@


# 1.167 31-May-2019 stsp

Revert my "Repair the 'ifconfig mode' command" commit.

The "recursion in end_scan()" problem is apparently still present in
the committed version of the diff (reported by krw@).


# 1.166 29-May-2019 stsp

Repair the 'ifconfig mode' command.

The 'mode' command is supposed to force a wireless interface into 11a/b/g/n
media mode. This stopped working some time ago, probably during my work on
background scanning. Problem spotted by mlarkin@ who noticed that interfaces
were using 11g mode while forced to 11b mode.

ok phessler, jmatthew


# 1.165 11-May-2019 stsp

Show driver name on net80211 scan debug lines.
ok mpi@


# 1.164 28-Apr-2019 mpi

Removes the KERNEL_LOCK() from bridge(4)'s output fast-path.

This redefines the ifp <-> bridge relationship. No lock can be
currently used across the multiples contexts where the bridge has
tentacles to protect a pointer, use an interface index.

Tested by various, ok dlg@, visa@


Revision tags: OPENBSD_6_5_BASE
# 1.163 15-Mar-2019 phessler

fix autojoin for WEP network by actually saving the WEP auth key

discovered while attempting to autojoin WEP networks


# 1.162 01-Mar-2019 stsp

Improve handling of HT protection for 'mode 11n' hostap.

Consider the mere presence of HTCAP IEs as indicator of 11n support,
rather than checking advertised Rx MCS. Fixes some devices being
misclassified as 11a/g, causing HT protection to be enabled even
though it is not needed.

Use CTS-to-self frames for HT protection instead of RTS/CTS.

These changes make my athn(4) AR9280 hostap perform much better.

ok phessler@


# 1.161 23-Jan-2019 stsp

Move 802.11n rateset definitions out of MiRA and make them available to
net80211 and drivers in general. Add ratesets for 'short guard interval'
(SGI) rates, and add SGI support to MiRA. SGI is currently only used by
iwm(4), and of course internally by bwfm(4) firmware.
Ratesets for 11n 40 MHz channels and 11ac will come later.
ok mpi@ phessler@


# 1.160 18-Jan-2019 phessler

add a len field when we delete an essid from the joinlist. this will have
us properly match, instead of hoping we got lucky when selecting it.

OK stsp@


# 1.159 18-Jan-2019 phessler

let users automatically use join to connect to any open wifi network.
if a known network is visible, always prefer that instead.

requested by many, OK stsp@


# 1.158 25-Nov-2018 phessler

print more details about the join'd networks we have saved when a user runs
ifconfig if joinlist

OK stsp@


# 1.157 20-Nov-2018 phessler

fix whitespace in debugging function


# 1.156 20-Nov-2018 patrick

The first packet received from each AP in each QoS class would be
dropped as the sequence number matches the initial value of the
cached last sequence number (zero). On some APs (notably Android
WIFI hotspots) this hits the first packet of the WPA2 4-way
handshake. This causes connection delays and in some cases
connection to the AP fails completely. Initialize the cached last
sequence numbers for received packets to an invalid value instead.

From Christian Ehrhardt
ok gerhard@ stsp@
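
A simplified model of the per-node, per-TID duplicate detection this entry describes, added here as an illustration and not net80211's own code: a sequence cache initialised to zero rejects a legitimate first frame carrying sequence number 0, while a sentinel outside the 12-bit sequence number range cannot match anything. The struct and function names, the constructed frame burst and the omission of any retry-bit check are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define NUM_TID        16
#define SEQ_SEQ_SHIFT  4         /* 12-bit sequence number sits above the 4-bit fragment number */
#define RXSEQ_INVALID  0xffffU   /* can never equal a 12-bit sequence number (max 0xfff) */

/* Hypothetical node cache entry; a real node holds far more state. */
struct model_node {
	uint16_t rxseq;               /* last sequence number seen on non-QoS data */
	uint16_t qos_rxseq[NUM_TID];  /* last sequence number seen per QoS TID */
};

/* buggy == true reproduces the pre-fix initialisation to zero. */
void
model_node_init(struct model_node *ni, bool buggy)
{
	uint16_t init = buggy ? 0 : RXSEQ_INVALID;
	size_t i;

	ni->rxseq = init;
	for (i = 0; i < NUM_TID; i++)
		ni->qos_rxseq[i] = init;
}

/*
 * Duplicate check on the raw 16-bit sequence control field.
 * tid < 0 means a non-QoS frame. Returns true if the frame should be dropped.
 */
bool
model_rx_is_dup(struct model_node *ni, int tid, uint16_t seqctl)
{
	uint16_t seq = seqctl >> SEQ_SEQ_SHIFT;
	uint16_t *last = (tid < 0) ? &ni->rxseq : &ni->qos_rxseq[tid];

	if (seq == *last)
		return true;
	*last = seq;
	return false;
}

/*
 * Replay a constructed burst on TID 0: the first frame an AP sends us after
 * association (e.g. message 1 of the WPA2 4-way handshake) legitimately
 * carries sequence number 0, then 1 and 2, then a retransmission of 2.
 * Returns how many frames were dropped.
 */
int
model_drops_in_burst(bool buggy)
{
	static const uint16_t seqctl[] = { 0 << 4, 1 << 4, 2 << 4, 2 << 4 };
	struct model_node ni;
	int dropped = 0;
	size_t i;

	model_node_init(&ni, buggy);
	for (i = 0; i < sizeof(seqctl) / sizeof(seqctl[0]); i++)
		if (model_rx_is_dup(&ni, 0, seqctl[i]))
			dropped++;
	return dropped;   /* 2 with the zero initialisation, 1 with the sentinel */
}
```

With the sentinel only the genuine retransmission is dropped; with the zero initialisation the handshake frame goes with it, which is exactly the stalled association the entry describes.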


# 1.155 27-Oct-2018 phessler

pass around the ess and ni structures we plan to use directly, instead
of rediscovering them (possibly badly).

OK stsp@


# 1.154 27-Oct-2018 phessler

clean up accounting of the AUTO_JOIN flag by making sure it is set or cleared
based on the state of the joinlist

OK stsp@


# 1.153 27-Oct-2018 phessler

don't join to a network where we expect cleartext, and the AP is using crypto

OK stsp@


Revision tags: OPENBSD_6_4_BASE
# 1.152 18-Sep-2018 mestre

fix memory leak in ieee80211_end_scan()

OK phessler@ jsg@


# 1.151 17-Sep-2018 jsg

fix memory leaks in ieee80211_add_ess()
ok stsp@ phessler@


# 1.150 11-Sep-2018 phessler

use the format string for signed ints, for signed ints

reminded by stsp@


# 1.149 11-Sep-2018 phessler

With the interface debug flag enabled, print a "score" for each AP we
consider during auto-join. This can help users determine why a specific
network was chosen.

OK stsp@


# 1.148 10-Sep-2018 phessler

fix typo in the length of the essid we want to switch to

found with and OK stsp@


# 1.147 10-Sep-2018 phessler

extract clearing WEP/WPA in ess into helper functions


# 1.146 10-Sep-2018 phessler

give set_ess a len variable, so we can correctly match the essid we want
to switch to.

pointed out by stsp@


# 1.145 09-Sep-2018 phessler

convert the things we save in 'join' into a single ioctl. mixing related
settings over multiple calls was risky and racy. Pass essid, wpa, and wep
parameters in a single ioctl and process it atomically.

no change for 'nwid' users

OK stsp@ benno@


# 1.144 06-Sep-2018 jsg

fix whitespace


# 1.143 01-Sep-2018 stsp

Make 'ifconfig nwid' override 'ifconfig join'.

There was no way to override a decision made by join's network
selection algorithm (apart from disabling the feature by clearing
the join list). Automatic selection is based on heuristics which
cannot always guess correctly so we need to provide an override.

One specific problem was that if 'nwid foo' and 'nwid bar' were
both visible in the scan and only 'nwid foo' was a member of the
join list, then there was no way at all to connect to 'nwid bar'.
The wireless stack would keep selecting 'nwid foo' instead.

'ifconfig iwm0 nwid bar' command will now disable automatic
network selection and force the use of ESSID 'bar'.
Any of these commands will re-enable automatic network selection:
ifconfig iwm0 -nwid
ifconfig iwm0 nwid ''
ifconfig iwm0 join some-network-id

ok phessler@ deraadt@


# 1.142 15-Aug-2018 stsp

Update AP selection heuristics for auto-join.

We now prefer stronger crypto over weaker crypto over none, prefer 5 GHz
band with reasonable RSSI, and use RSSI as a tie-breaker with a slight
advantage for 5GHz. Candidate APs are now ranked by a score which is
calculated based on these attributes.

There is likely room for improvements to make these heuristics
work well across many different environments, but it's a start.

ok phessler@


# 1.141 13-Aug-2018 stsp

Add support for band-steering access points to net80211.

Some access points have a feature called "band steering" where they
will try to push clients from 2 GHz channels to 5 GHz channels.
If a client sends probe-requests on both 2 GHz and 5GHz channels, and
then attempts to authenticate on a 2 GHz channel, such APs will deny
authentication and hope that the client will come back on a 5 GHz channel.

So if we fail to AUTH for any reason, and if there is a different
AP with the same ESSID that we haven't tried yet, try that AP next.
Keep trying until no APs are left, and only then continue scanning.

APs with support for this feature were provided by Mischa Peters.

ok phessler@ mpi@


# 1.140 11-Aug-2018 stsp

Add comment explaining why we read basic MCS set only from beacon/probereq.
requested by mpi@


# 1.139 07-Aug-2018 stsp

Ignore basic MCS set information found in association responses.

Some APs (Aruba 105) send a bogus basic MCS set in assoc responses
which prevents us from enabling 11n support with those APs, while
these APs still behave as if we were an 11n client which renders
the association unusable.

The basic MCS set is already provided in beacons anyway, and the
802.11 2012 standard says the basic MCS set is reserved in frames
other than beacons (see Table 8-130).

ok mpi@


# 1.138 06-Aug-2018 stsp

Refactor ieee80211_add_ess():

Drop ieee80211_add_ess's nwid parameter. Read nwid and length directly
from the ic to make it more obvious where this function is reading from.

nwids are binary data with an explicit length, so treat them as such
instead of treating them like strings.

ok florian phessler


# 1.137 06-Aug-2018 florian

Do not set nwid over and over again. We just found the ess by comparing
the nwid. It will not have changed in the meantime.
OK stsp


# 1.136 03-Aug-2018 phessler

revert 1.133 and part of 1.131
the stack doesn't always fill in the parameters correctly

reported by many


# 1.135 30-Jul-2018 stsp

Don't ask drivers to join a wifi network before an AP has been chosen.
Should fix a panic with bwfm(4) reported by mlarkin@
ok phessler@


# 1.134 19-Jul-2018 florian

ieee80211_ess_is_better() returns 0 or 1, comparing > 1 is always
false so we always selected the first wifi available, not the best
one.

While here shuffle some deck chairs to make it clearer that anything is
better than nothing.

tweak & OK phessler
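
A worked example of the two selection mechanics described in this entry and in 1.142: a candidate ranking that prefers stronger crypto over weaker over none, then a 5 GHz AP with a reasonable RSSI, then RSSI as a tie-breaker with a slight 5 GHz advantage, next to the loop shape that compared a 0/1 predicate against 1 and therefore always kept the first candidate. This is added illustration, not the stack's own code: the weights, the 50 % threshold, the struct and function names and the constructed scan results are assumptions, and RSSI is treated as a percentage.

```c
#include <stddef.h>

enum model_crypto { CRYPTO_NONE = 0, CRYPTO_WEP = 1, CRYPTO_WPA1 = 2, CRYPTO_WPA2 = 3 };

/* Hypothetical scan result; names and fields are assumptions for this example. */
struct model_ap {
	const char *ssid;
	enum model_crypto crypto;
	int is_5ghz;
	int rssi;   /* assumed to be a percentage 0..100 */
};

#define RSSI_5GHZ_MIN    50    /* assumed "reasonable" 5 GHz RSSI */
#define CRYPTO_WEIGHT    1000  /* assumed: crypto dominates every other criterion */
#define BAND_WEIGHT      100   /* assumed: a usable 5 GHz signal beats any RSSI difference */
#define RSSI_5GHZ_BONUS  5     /* assumed slight 5 GHz tie-break advantage */

/* Rank crypto first, then a usable 5 GHz signal, then RSSI as tie-breaker. */
int
model_ap_score(const struct model_ap *ap)
{
	int score = (int)ap->crypto * CRYPTO_WEIGHT;

	if (ap->is_5ghz && ap->rssi >= RSSI_5GHZ_MIN)
		score += BAND_WEIGHT;
	score += ap->rssi + (ap->is_5ghz ? RSSI_5GHZ_BONUS : 0);
	return score;
}

/* A 0/1 predicate, as the pre-1.134 helper was. */
int
model_is_better(const struct model_ap *a, const struct model_ap *b)
{
	return model_ap_score(a) > model_ap_score(b);
}

/* The broken loop: comparing a 0/1 result against 1 never replaces the first entry. */
int
model_select_buggy(const struct model_ap *aps, size_t n)
{
	size_t i, best = 0;

	if (n == 0)
		return -1;
	for (i = 1; i < n; i++)
		if (model_is_better(&aps[i], &aps[best]) > 1)   /* never true */
			best = i;
	return (int)best;
}

/* Score-based ranking: compare the scores themselves. */
int
model_select_by_score(const struct model_ap *aps, size_t n)
{
	size_t i, best = 0;

	if (n == 0)
		return -1;
	for (i = 1; i < n; i++)
		if (model_ap_score(&aps[i]) > model_ap_score(&aps[best]))
			best = i;
	return (int)best;
}

/* Constructed scan results for one ESSID seen on several BSSIDs. */
const struct model_ap model_scan[] = {
	{ "corp", CRYPTO_NONE, 0, 90 },   /* open and loud: never preferred over crypto */
	{ "corp", CRYPTO_WPA2, 0, 80 },   /* 2.4 GHz WPA2 */
	{ "corp", CRYPTO_WPA2, 1, 60 },   /* 5 GHz WPA2, weaker but above the threshold */
	{ "corp", CRYPTO_WPA2, 1, 30 },   /* 5 GHz WPA2, too weak to be preferred */
};
const size_t model_scan_len = sizeof(model_scan) / sizeof(model_scan[0]);
```

The scores come out as 90, 3080, 3165 and 3035, so the score-based loop picks the 5 GHz WPA2 AP at 60 % while the broken comparison returns the open AP simply because it was listed first. The threshold only makes sense for drivers that report RSSI as a percentage; as 1.118 below notes, RSSI representation is not consistent across drivers, so a dBm-reporting driver would need its own threshold.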


# 1.133 16-Jul-2018 phessler

the AP sends their crypto parameters as a mask, so let us still select it
in case we want WPA2 and they have WPA1 still enabled


# 1.132 16-Jul-2018 phessler

don't save or use auto-join when the card is not in station (aka client) mode

OK stsp@


# 1.131 13-Jul-2018 phessler

Some more checks before auto-join switches networks.

Make sure all of the crypto options the AP announces matches what we
would configure. While here, don't switch if the user has specified
a specific BSSID, and the new AP does not match.

OK stsp@


# 1.130 11-Jul-2018 phessler

Introduce 'auto-join' to the wifi 802.11 stack.

This allows a system to remember which ESSIDs it wants to connect to, any
relevant security configuration, and switch to it when the network we are
currently connected to is no longer available.

Works when connecting and switching between WPA2/WPA1/WEP/clear encryptions.

example hostname.if:
join home wpakey password
join work wpakey mekmitasdigoat
join open-lounge
join cafe wpakey cafe2018
join "wepnetwork" nwkey "12345"
dhcp
inet6 autoconf
up

OK stsp@ reyk@
and enthusiasm from every hackroom I've been in for the last 3 years


# 1.129 28-Apr-2018 stsp

When starting a background scan, free the nodes table to ensure we
get an up-to-date view of APs around us. In particular, we need to
kick out the AP we are associated to. Otherwise, our current AP might
stay cached if it is turned off while we are scanning, and we could
end up picking a now non-existent but "good looking" AP over and over.

found with and ok phessler@


# 1.128 27-Apr-2018 stsp

Fix the scan loop: We were only looking for an AP once and stopped
scanning if none was found.
Accidentally broken in recent ifconfig scan changes by pirofti and me.
ok pirofti


# 1.127 26-Apr-2018 pirofti

net80211: stub SIOCS80211SCAN, make ifconfig scan instant.

The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stsp@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.

The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.

In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.

The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...

Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.

Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).

Tested by mpi@, landry@, florian@, thanks!
OK mpi@.


Revision tags: OPENBSD_6_3_BASE
# 1.126 06-Feb-2018 phessler

convert the test if a node support HT (aka, 11n) into an inline function,
instead of testing some un-obvious bitfield

OK stsp@


# 1.125 12-Dec-2017 stsp

Don't dereference IEEE80211_CHAN_ANYC pointer in ieee80211_node_checkrssi().

Problem reported by Gregoire Jadi on bugs@


# 1.124 12-Dec-2017 phessler

Allow interfaces that aren't SCANNALLBAND drivers to benefit from the
strongest received signal.

OK stsp@


# 1.123 12-Dec-2017 jcs

Fix the behavior of preferring weaker-but-still-good 5Ghz APs over
2Ghz APs because the 5Ghz band is generally less saturated.

The previous implementation was dependent upon the order of walking
APs.

ok stsp


# 1.122 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


Revision tags: OPENBSD_6_2_BASE
# 1.121 05-Sep-2017 stsp

When starting a new scan always set the mode to AUTO if the driver scans
all bands at once. Fixes a problem where e.g. 5GHz APs were filtered out
if we were previously associated to an 11g-only AP.
ok mpi@ phessler@


# 1.120 17-Aug-2017 stsp

Add an entry to dmesg if pairwise WPA keys arrive unexpectedly or if WPA
group keys are being reused. OpenBSD wireless clients will now leave a
trail of such events in their message log.

There has been increased public scrutiny of WPA's security recently, so
I am curious to see if anyone is attempting replay attacks in the wild.

ok deraadt
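
A model of the two checks this entry describes (a pairwise key arriving while one is already installed, and a group key update that carries the key we already hold), added here as an illustration and not net80211's own code. The state structure, the function names, the log wording, the 16-byte key size and the constructed key bytes are assumptions made for the example; the model only logs, as the entry describes, and still installs the key.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODEL_GTK_LEN 16   /* assumed group key size for the example */

enum model_key_event {
	KEY_EVENT_NONE = 0,
	KEY_EVENT_PTK_UNEXPECTED,   /* pairwise key arrived although one is already in use */
	KEY_EVENT_GTK_REUSED        /* group key update carried a key we already hold */
};

/* Hypothetical per-node key state; field names are assumptions. */
struct model_node_keys {
	bool ptk_installed;
	bool gtk_installed;
	uint8_t gtk_id;
	uint8_t gtk[MODEL_GTK_LEN];
	int events_logged;
	char last_log[96];
};

void
model_keys_init(struct model_node_keys *k)
{
	memset(k, 0, sizeof(*k));
}

/* Write the dmesg-style line a client would leave in its message log. */
static void
model_log(struct model_node_keys *k, const char *ifname, const char *what)
{
	snprintf(k->last_log, sizeof(k->last_log), "%s: %s", ifname, what);
	k->events_logged++;
}

/*
 * Called when a handshake message asks us to install a pairwise key.
 * A second installation while the first PTK is still in use is not part of
 * a normal association and deserves a log line, whatever the cause.
 */
enum model_key_event
model_install_ptk(struct model_node_keys *k, const char *ifname)
{
	enum model_key_event ev = KEY_EVENT_NONE;

	if (k->ptk_installed) {
		model_log(k, ifname, "unexpected pairwise key received");
		ev = KEY_EVENT_PTK_UNEXPECTED;
	}
	k->ptk_installed = true;
	return ev;
}

/* Called for a group key handed out in message 3 or in a group key handshake. */
enum model_key_event
model_install_gtk(struct model_node_keys *k, const char *ifname, uint8_t id,
    const uint8_t gtk[MODEL_GTK_LEN])
{
	enum model_key_event ev = KEY_EVENT_NONE;

	if (k->gtk_installed && k->gtk_id == id &&
	    memcmp(k->gtk, gtk, MODEL_GTK_LEN) == 0) {
		model_log(k, ifname, "group key reused");
		ev = KEY_EVENT_GTK_REUSED;
	}
	k->gtk_installed = true;
	k->gtk_id = id;
	memcpy(k->gtk, gtk, MODEL_GTK_LEN);
	return ev;
}

/* Constructed exchange: a normal association, a replayed group key, a rotation, a second PTK. */
int
model_scenario_events(void)
{
	static const uint8_t gtk_a[MODEL_GTK_LEN] = { 0xa1, 0xa2, 0xa3, 0xa4 };   /* constructed */
	static const uint8_t gtk_b[MODEL_GTK_LEN] = { 0xb1, 0xb2, 0xb3, 0xb4 };   /* constructed */
	struct model_node_keys k;

	model_keys_init(&k);
	model_install_ptk(&k, "iwm0");             /* first pairwise key: fine */
	model_install_gtk(&k, "iwm0", 1, gtk_a);   /* first group key: fine */
	model_install_gtk(&k, "iwm0", 1, gtk_a);   /* same key, same id: logged */
	model_install_gtk(&k, "iwm0", 2, gtk_b);   /* rotation: fine */
	model_install_ptk(&k, "iwm0");             /* second pairwise key: logged */
	return k.events_logged;   /* 2 */
}

/* A rotated group key with a new id and new bytes must not be reported. */
enum model_key_event
model_scenario_rotation(void)
{
	static const uint8_t gtk_a[MODEL_GTK_LEN] = { 0xa1 };   /* constructed */
	static const uint8_t gtk_b[MODEL_GTK_LEN] = { 0xb1 };   /* constructed */
	struct model_node_keys k;

	model_keys_init(&k);
	model_install_gtk(&k, "iwm0", 1, gtk_a);
	return model_install_gtk(&k, "iwm0", 2, gtk_b);   /* KEY_EVENT_NONE */
}
```

The comparison covers both the key id and the key bytes, so an AP that rotates its group key normally never trips the check; only a replayed or repeated group key message does, which is the trail the entry wants left in the log.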


# 1.119 04-Aug-2017 stsp

Compile a debug printf in ieee80211_match_bss() by default, previously
guarded by the IEEE80211_DEBUG preprocessor flag. This shows one line
per detected AP after a scan, and indicates which APs are considered
candidates for association.
Shorten the output a bit to fit into 80 columns more likely.
ok sthen@


# 1.118 19-Jul-2017 stsp

Improve the heuristic which selects 5GHz APs over 2GHz APs.

The previous code wasn't quite right: it didn't account for the fact that
some drivers don't set ic_max_rssi, and it compared 5GHz APs to a threshold
relative to the max RSSI, rather than comparing RSSI on 5GHz relative to
RSSI on 2GHz.

This heuristic is only used by SCANNALLBAND drivers: iwn(4), iwm(4), wpi(4)

In the future the AP selection heuristic should be made more intelligent,
e.g. it should take BSS load information in beacons into account.
Another open problem is inconsistent representation of RSSI measurement
values throughout our drivers and stack. Help is welcome!

For now, this hopefully improves AP selection at busy airports.

ok sthen@ deraadt@


# 1.117 04-Jun-2017 tb

Add sizes for free for the RSN IEs. Rewrite ieee80211_save_ie() slightly
to make it more readable.

help, many explanations and ok stsp


# 1.116 03-Jun-2017 tb

Add a few sizes to free().

Input, help & ok stsp


Revision tags: OPENBSD_6_1_BASE
# 1.115 04-Mar-2017 stsp

branches: 1.115.4;
In 11n hostap mode, dynamically adjust HT protection settings based on
the presence of non-HT nodes in the node cache.
OpenBSD 11n APs will now disable HT protection if it is not necessary.
ok mpi@


# 1.114 03-Feb-2017 stsp

Fix 11b clients sending bogus ratesets in association requests. The common
rateset with the AP is calculated only after the association response was
received, which is too late. Fix rates when an AP is selected after a scan.
ok mpi@ tb@


# 1.113 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.112 16-Jan-2017 stsp

Reset block ack state and cancel related timeouts when a HT node disassociates.
The existing code (from damien@) already took care of freeing related buffers
but because block ack state was not reset we were still trying to use these
buffers if the node sent another A-MPDU. This problem only affects 11n hostap.
Fixes kernel crash reported by Timo Myyra on bugs@


# 1.111 09-Jan-2017 stsp

When a HT node leaves or reassociates as a non-HT node,
clear HT capabilities stored in its node cache object.

A node may switch from 11n mode to 11a/b/g mode.
If we don't clear HT capabilities from the cache the node will
be mistaken as 11n-capable after reassociation.

ok phessler@ mpi@


# 1.110 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.109 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.108 09-Jan-2017 stsp

The point of ieee80211_node_leave() is to place the node in COLLECT state.
Return early and do nothing if the node is already in COLLECT state upon
entry to this function.


# 1.107 09-Jan-2017 stsp

When acting as hostap, negotiate HT before calling the driver's ic_newassoc()
function, not afterwards. Drivers now know whether a joining node supports HT
which helps with setting up state such as which Tx rate to use.


# 1.106 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@


# 1.105 15-Sep-2016 dlg

move from RB macros to the RBT functions.

shaves about 5k off an amd64 GENERIC.MP kernel


# 1.104 17-Aug-2016 stsp

If a wireless device or driver scans all bands at once give 5GHz APs
a slight priority in cases where good matches exist in either band.
ok sthen@


Revision tags: OPENBSD_6_0_BASE
# 1.103 21-May-2016 stsp

branches: 1.103.2;
Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


# 1.102 18-May-2016 stsp

In hostap mode, don't re-use association IDs (AIDs) of nodes which are
still lingering in the node cache. This could cause an AID to be assigned
twice, once to a newly associated node and once to a different node in
COLLECT cache state (i.e. marked for future eviction from the node cache).

Drivers (e.g. rt2860) may use AIDs to keep track of nodes in firmware
tables and get confused when AIDs aren't unique across the node cache.
The symptom observed with rt2860 were nodes stuck at 1 Mbps Tx rate since
the duplicate AID made the driver perform Tx rate (AMRR) accounting on
the wrong node object.

To find out if a node is associated we now check the node's cache state,
rather than comparing the node's AID against zero. An AID is assigned when
a node associates and it lasts until the node is eventually purged from the
node cache (previously, the AID was made available for re-use when the node
was placed in COLLECT state). There is no need to be stingy with AIDs since
the number of possible AIDs exceeds the maximum number of nodes in the cache.

Problem found by Nathanael Rensen.
Fix written by Nathanael and myself. Tested by Nathanael.
Committing now to get this change tested across as many drivers as possible.
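
A model of the AID bookkeeping this entry describes, added here as an illustration and not net80211's own code: an AID released when a node enters COLLECT state can be handed to a newly associating node while the old node still carries it, whereas releasing it only when the node is purged keeps AIDs unique across the whole cache. The AID space, cache size, struct and function names and the constructed join/leave sequence are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define MODEL_MAX_AID 64   /* assumed AID space; only the allocation policy matters here */
#define MODEL_SLOTS   8    /* assumed node cache size */

enum model_state { STA_NONE = 0, STA_ASSOC, STA_COLLECT };

struct model_sta { enum model_state state; uint16_t aid; /* 0 = none assigned */ };

struct model_hostap {
	struct model_sta sta[MODEL_SLOTS];
	uint8_t aid_bitmap[MODEL_MAX_AID / 8];
	bool free_aid_on_collect;   /* true reproduces the pre-fix behaviour */
};

void
model_hostap_init(struct model_hostap *ap, bool buggy)
{
	memset(ap, 0, sizeof(*ap));
	ap->free_aid_on_collect = buggy;
}

static bool
aid_isset(const struct model_hostap *ap, uint16_t aid)
{
	return (ap->aid_bitmap[aid / 8] >> (aid % 8)) & 1;
}

static void
aid_flip(struct model_hostap *ap, uint16_t aid)
{
	ap->aid_bitmap[aid / 8] ^= (uint8_t)(1 << (aid % 8));
}

/* Lowest AID not claimed by any node still in the cache; 0 if none is left. */
uint16_t
model_aid_alloc(struct model_hostap *ap)
{
	uint16_t aid;

	for (aid = 1; aid < MODEL_MAX_AID; aid++)
		if (!aid_isset(ap, aid)) {
			aid_flip(ap, aid);
			return aid;
		}
	return 0;
}

uint16_t
model_sta_assoc(struct model_hostap *ap, int slot)
{
	ap->sta[slot].aid = model_aid_alloc(ap);
	ap->sta[slot].state = ap->sta[slot].aid ? STA_ASSOC : STA_NONE;
	return ap->sta[slot].aid;
}

/* The node lingers in COLLECT state; pre-fix code already gave its AID back here. */
void
model_sta_leave(struct model_hostap *ap, int slot)
{
	ap->sta[slot].state = STA_COLLECT;
	if (ap->free_aid_on_collect && ap->sta[slot].aid != 0)
		aid_flip(ap, ap->sta[slot].aid);   /* bitmap freed, node still carries the AID */
}

/* Cache cleanup really frees the node; this is where the AID is released now. */
void
model_sta_purge(struct model_hostap *ap, int slot)
{
	if (ap->sta[slot].aid != 0 && aid_isset(ap, ap->sta[slot].aid))
		aid_flip(ap, ap->sta[slot].aid);
	ap->sta[slot].aid = 0;
	ap->sta[slot].state = STA_NONE;
}

/* Pairs of cached nodes (ASSOC or COLLECT) sharing an AID: what confuses a driver's firmware table. */
int
model_aid_duplicates(const struct model_hostap *ap)
{
	int i, j, dups = 0;

	for (i = 0; i < MODEL_SLOTS; i++) {
		if (ap->sta[i].state == STA_NONE)
			continue;
		for (j = i + 1; j < MODEL_SLOTS; j++)
			if (ap->sta[j].state != STA_NONE &&
			    ap->sta[j].aid == ap->sta[i].aid)
				dups++;
	}
	return dups;
}

/* Constructed sequence: two stations join, one leaves, a third joins. */
int
model_scenario_duplicates(bool buggy)
{
	struct model_hostap ap;

	model_hostap_init(&ap, buggy);
	model_sta_assoc(&ap, 0);   /* AID 1 */
	model_sta_assoc(&ap, 1);   /* AID 2 */
	model_sta_leave(&ap, 0);   /* slot 0 lingers in COLLECT holding AID 1 */
	model_sta_assoc(&ap, 2);   /* buggy: AID 1 again; fixed: AID 3 */
	return model_aid_duplicates(&ap);   /* 1 when buggy, 0 when fixed */
}
```

Note that "associated" in this model is a question of cache state, not of a non-zero AID: a node in COLLECT state keeps its AID until model_sta_purge() runs, so checking the AID against zero would wrongly report it as still associated. Calling model_sta_purge() on the lingering slot before the third join hands AID 1 out again, which is the intended reuse point.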


# 1.101 12-Apr-2016 mpi

Call if_enqueue() and if_start() instead of dereferencing the ifp
pointers.

These functions have been introduced to abstract some of the MP-
safeness^Wmadness and should be use everywhere.

Prodded by a comment from jsg@.

ok mikeb@, stsp@


# 1.100 03-Mar-2016 gerhard

Restore assignment of ic_curmode that was accidentally removed when
moving the ERP code to post-assoc phase. Fixes iwi(4) fatal firmware
errors.

ok stsp@, sobrado@


Revision tags: OPENBSD_5_9_BASE
# 1.99 25-Jan-2016 stsp

branches: 1.99.2;
Honour ERP protection on 2 GHz channels in 11n mode, as done for 11g.
ok millert@


# 1.98 25-Jan-2016 stsp

Don't try to interpret htprot data if the last beacon didn't contain such data.
ok mpi@ millert@


# 1.97 07-Jan-2016 stsp

Make the A-MPDU reordering buffer more resilient against APs which drop
some subframes or let the sequence number jump up by more than 1 (hard
to tell which it is). We decrease the BA inactivity timeout for quicker
recovery from stalled BA sessions, and add a new timeout which keeps track
of gaps in the subframe sequence number space due to dropped frames.
Gaps expire after 500 msec, the same value FreeBSD uses for their
implementation of this workaround. And Linux uses this trick, too.

This should fix network stalls some people have been seeing in 11n mode.

ok deraadt@


# 1.96 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.95 04-Jan-2016 stsp

While configuring ERP we need to know if we're in 11a or 11g mode so only
configure ERP once we are sure about our operation mode against the AP.
ok sthen jasper kettenis deraadt mpi


# 1.94 18-Dec-2015 sthen

unnoccupied->unoccupied


# 1.93 12-Dec-2015 stsp

Finish support for receiving 11n A-MPDUs.

The initial implementation was added by damien@ years ago.
Summary of the changes made in this commit:
- In ieee80211_input(), process A-MPDUs before duplicate detection.
- Don't forget to set ba->ba_ni in ieee80211_recv_addba_req()
so we don't crash in ieee80211_rx_ba_timeout().
- In ieee80211_recv_addba_req(), tweak the logic to deny BlockAck
requests if the driver has no callback for doing so.
- Implement ieee80211_ba_del() which cleans up BlockAck state.
- Increase the minimum and maximum lifetime for BlockAck agreements.

ok mpi@


# 1.92 24-Nov-2015 mpi

No need to include <net/if_arp.h>

This header is only needed because <netinet/if_ether.h> declares a
structure that needs it. But it turns out that <net/if.h> already
includes it as workaround.

A proper solution would be to stop declaring "struct ether_arp"
there. But no driver should need this header.


# 1.91 15-Nov-2015 stsp

Parse 11n HT capabilities and operational info from association response
frames, negotiate HT with the AP, and move the interface into or out of
11n mode accordingly. If running as AP negotiate HT with nodes joining the BSS.

ok deraadt mpi kettenis guenther


# 1.90 15-Nov-2015 stsp

Extend struct ieee80211_node with fields for 11n STA HT capabilities and
HT operational information sent by 11n APs. These fields reflect the structure
of elements in management frames so that IEEE80211_HTCAP* and IEEE80211_HTOP*
macros designed to operate on frame elements can be used directly to read
or set the fields.

Populate nodes with HT information received in probe responses, probe
requests, and association requests.

ok deraadt mpi phessler kettenis guenther


# 1.89 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


Revision tags: OPENBSD_5_8_BASE
# 1.88 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.87 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.86 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.85 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.84 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.83 12-Sep-2014 sthen

Remove cached 802.11 nodes in IEEE80211_STA_CACHE state (these are nodes
which have been seen but which haven't otherwise interacted with us), fixing
a problem where old cached nodes are seen when doing a scan.
From Marcin Piotr Pawlowski, feedback stsp@ ok kspillner@ dcoppa@


# 1.82 08-Aug-2014 jasper

use nitems() instead of various local constructs

ok stsp@


Revision tags: OPENBSD_5_6_BASE
# 1.81 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


Revision tags: OPENBSD_5_5_BASE
# 1.80 01-Dec-2013 stsp

Reset txrate array index after changing a node's rate list.
Should prevent "bogus xmit rate %d setup" panics, which I ran into again
in IBSS mode.
ok kettenis


# 1.79 21-Nov-2013 mpi

Remove unneeded include.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.78 24-Mar-2013 claudio

Make ieee80211_set_tim() available from outside of ieee80211_node.c
so drivers like acx(4) can use that function directly instead of
reimplementing the function again. Requested by kettenis@ long time ago.


Revision tags: OPENBSD_5_3_BASE
# 1.77 07-Nov-2012 stsp

Fix DPRINTF() format string treating n->ni_refcnt, which is unsigned, as signed.
diff from dhill; ok kettenis reyk


# 1.76 10-Oct-2012 kettenis

Clear the powersave flag and purge queued packets when a node leaves the AP
(either by disassociating or by timeout). Fixes (most) remaining issues with
power saving.

From Nathanael Rensen.

ok claudio@, krw@, sthen@


# 1.75 05-Oct-2012 camield

Point an interface directly to its bridgeport configuration, instead
of to the bridge itself. This is ok, since an interface can only be part
of one bridge, and the parent bridge is easy to find from the bridgeport.

This way we can get rid of a lot of list walks, improving performance
and shortening the code.

ok henning stsp sthen reyk


# 1.74 20-Sep-2012 stsp

Nuke M_80211_NODE #define which mapped to M_DEVBUF and use M_DEVBUF directly.
ok henning


# 1.73 25-Aug-2012 kettenis

Set up ni_savedq for the initial BSS node such that it can actually be used
to store multicast frames when one of the associated stations is in power
saving mode.

ok stsp@


# 1.72 17-Aug-2012 stsp

Fix possible panic while switching from STA mode into hostap/ibss modes.
ieee80211_create_ibss() resets the set of supported rates but failed
to update the index into the rate set array accordingly. If the rate
configured during STA operation didn't belong to the newly configured
rate set the system ran into an assertion ("bogus xmit rate %u setup")
while trying to create the IBSS.
ok fgsch@


Revision tags: OPENBSD_5_2_BASE
# 1.71 18-Jul-2012 stsp

Print messages about nodes purged from the node cache if hostap/ibss modes are
compiled in and the interface is in debug mode. ok sthen


# 1.70 16-Jul-2012 stsp

Move increment of ic_nnodes closer to where the node is actually inserted
into the cache. Make sure we're at IPL_NET while incrementing/decrementing
ic_nnodes. Add a debug message that warns about possible node leaks.
All of this affects hostap mode only.


# 1.69 13-Jul-2012 stsp

Tweak node cache eviction strategy when the cache is full: kick off new nodes
in AUTH state that weren't active during the cache wait interval rather than
keeping them for the entire cache timeout interval. Fixes association failures
in noisy RF environments. Tested by edd and myself with a slow soekris
suffering from RF noise with about 50 interrupts per second on ral0.
ok deraadt


Revision tags: OPENBSD_5_1_BASE
# 1.68 25-Jan-2012 stsp

There is no need to explicitly skip ic_bss when iterating over cached nodes.
The ic_bss is never put into the RB tree.


# 1.67 25-Jan-2012 stsp

Clean inactive authenticated nodes during cache timeout as well.
There is no need to keep nodes cached which never associated and were
inactive within the last 5 minutes or more. Keeps the node cache pretty
clean in my environment with typical city-center wlan noise.


# 1.66 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@


# 1.65 21-Jan-2012 stsp

Hold interrupts blocked while comparing a cached node's refcount to zero
and freeing the node. Just in case an interrupt happens to ref the node after
the refcount was checked but before the node is freed.
Tested by several as part of a larger diff.


# 1.64 18-Jan-2012 stsp

Make it possible to free cached nodes which never associated (e.g. nodes
only scanning for networks). These were never put into COLLECT state and
were thus never evicted from the node cache in hostap mode.
ok jsg@


Revision tags: OPENBSD_5_0_BASE
# 1.63 28-Mar-2011 kettenis

Clean nodes until the number of cached nodes is smaller than the maximum number
of nodes, otherwise we'll never actually clean any nodes. Fixes issues with
clients failing to attach because the node cache is completely filled.

ok damien@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.62 07-Aug-2010 krw

No "\n" needed at the end of panic() strings.

Bogus chunks pointed out by matthew@ and miod@. No cookies for
marco@ and jasper@.

ok deraadt@ miod@ matthew@ jasper@ macro@


# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


# 1.60 19-Jun-2010 damien

In ieee80211_node_leave(), clear the associd after calling
ieee80211_node_leave_rsn() since ieee80211_node_leave_rsn()
calls ic_delete_key() and drivers like ral(4) RT2860 need
a valid associd in their delete_key callbacks.
This affects HostAP mode only.

from Nathanael Rensen.

remove a useless (nested) #ifndef IEEE80211_STA_ONLY while i'm here


# 1.59 14-Jun-2010 damien

fix my previous commit, i forgot BIP, so instead of enumerating
what is not supported as a group cipher, enumerate what is supported.


# 1.58 14-Jun-2010 damien

do not try to associate with an AP using an unsupported group cipher,
otherwise we will panic in ieee80211_add_rsn_body().

this may be the cause of a panic seen by reyk@ though i'm not 100% sure.


# 1.57 28-Mar-2010 krw

Four uses of uninitialized variables found by clang via jsg@. ar5416, ar9287
and athn are only theoretically interesting. ieee80211_node fixes a real
bug in occupied channel detection.

ok damien@


Revision tags: OPENBSD_4_7_BASE
# 1.56 17-Feb-2010 damien

Do not always create a new node when a beacon or a probe response
is received. The creation of a new node is already handled in
ieee80211_recv_probe_resp() when necessary.
This avoids creating empty nodes with wrong channels when beacons
are received on the wrong channel (overlapping channels).
Those empty nodes may also prevent the real node from being
discovered because of ieee80211_find_node_for_beacon() filtering.

This should prevent entries of the form:
nwid "" chan 3 bssid 00:01:02:03:04:05 0dB 54M
in "ifconfig if0 scan" output, like reported by Rivo Nurges.


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.55 29-Jan-2009 damien

fix a panic that occurs when IEEE80211_STA_ONLY is defined (SMALL_KERNEL).

noticed by ray@, more investigation from sthen@
fix tested by sthen@


# 1.54 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.53 28-Jan-2009 damien

In ieee80211_find_node(), roll our own RB_FIND() based on the key (macaddr)
instead of resorting to horrid hacks/casts.
Restore the ieee80211_node structure back to its original state.


# 1.52 27-Jan-2009 damien

unbreak SMALL_KERNEL builds by adding missing #ifndef IEEE80211_STA_ONLY

pointed out by krw@


# 1.51 26-Jan-2009 damien

move ni_macaddr field at the top of the ieee80211_node structure.
this way we can avoid putting a full node structure (which is huge)
on the stack in ieee80211_find_node().
this is a bit tricky but the RB_FIND macro wants an "elem" structure,
not a field of "elem".


# 1.50 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.49 14-Dec-2008 damien

Add an ieee80211_notify_dtim() function that drivers should call after
every DTIM in HostAP mode.
Flushes all group addressed MSDUs buffered at the AP for power management.


# 1.48 23-Oct-2008 mk

Prevent a crash in ieee80211_setkeys() when unplugging an interface in
hostap mode by canceling the group rekey timeout in ieee80211_node_detach().

ok damien


# 1.47 15-Oct-2008 blambert

Second pass of simple timeout_add -> timeout_add_sec conversions
This should take care of the simpler ones (i.e., timeout values of
integer multiples of hz).

ok krw@, art@


# 1.46 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.45 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.44 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.43 12-Aug-2008 damien

new SHA-256 based AKMPs.


# 1.42 12-Aug-2008 damien

add/process group integrity cipher suite in RSN IEs.
add support for MFP negotiation during association.


# 1.41 12-Aug-2008 damien

the only integrity group cipher currently supported is AES-128-CMAC.


# 1.40 12-Aug-2008 damien

generate a random IGTK in HostAP mode if we're MFP-capable.


# 1.39 12-Aug-2008 damien

get rid of the map_ptk()/map_gtk() functions, just inline them
which makes things easier to track.


Revision tags: OPENBSD_4_4_BASE
# 1.38 02-Aug-2008 damien

Drop frames that are received unencrypted when WEP is on or when
WPA is on and RX protection for TA is on.
Keep track of the TX/RX protection for each node when WPA is on.

tested by djm@ (ral+wpa), ckuethe@ (ath-noenc) and krw@ (wpi<->ral+wpa).
hints from bluhm@
has been in snaps for a few days.

pointed out by bluhm@ something like 1 year ago but we did not have
the right infrastructure to fix it properly at that time.

ok deraadt@


# 1.37 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.36 27-Jul-2008 damien

s/IEEE80211_DPRINTF/DPRINTF/
automatically prepend __func__ to output.

deobfuscates debug messages a bit.
no binary change unless compiled with IEEE80211_DEBUG.


# 1.35 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.34 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


# 1.33 21-Apr-2008 damien

move ieee80211_ibss_merge() from ieee80211_input.c to ieee80211_node.c


# 1.32 21-Apr-2008 damien

move ieee80211_auth_open() to ieee80211_proto.c
move ieee80211_setup_rates() to ieee80211_node.c
move some prototypes from ieee80211_proto.h to ieee80211_crypto.h


# 1.31 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.30 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.29 07-Sep-2007 damien

use new malloc M_ZERO flag + replace MALLOC with malloc


Revision tags: OPENBSD_4_2_BASE
# 1.28 06-Jul-2007 damien

remove remaining bits for pre-RSNA shared authmode support.
it has been #if 0'd since 3.9 and we have never supported this mode (no
ifconfig option etc...).


# 1.27 06-Jul-2007 damien

initialize an uninitialized variable.


# 1.26 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.25 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.24 16-Jun-2007 damien

constify


# 1.23 16-Jun-2007 damien

don't mix u_int{8,16,32}_t and uint{8,16,32}_t
use u_int{8,16,32}_t everywhere.


# 1.22 16-Jun-2007 damien

de-static

ok jsg@


# 1.21 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.20 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


# 1.19 10-Apr-2007 miod

``it's'' -> ``its'' when the grammar gods require this change.


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 13-Nov-2006 damien

fix a possible NULL deref.


Revision tags: OPENBSD_4_0_BASE
# 1.16 19-Jun-2006 reyk

unbreak the code if compiled with IEEE80211_DEBUG by using the right
node attribute.

ok damien@, figured out by claudio@


# 1.15 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frame sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.14 19-Feb-2006 damien

Fix a comment in ieee80211_next_scan().


# 1.13 09-Oct-2005 reyk

if the wireless hostap interface belongs to a bridge, learn the node's
address dynamically on this interface after successful association.
this could speed wireless roaming to openbsd accesspoints.

ok jason@, jsg@ can't see anything objectionable


# 1.12 07-Oct-2005 reyk

minor knf


# 1.11 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.10 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.9 08-Sep-2005 jsg

Remove the last of the FreeBSD compatibility goop.
ok reyk@


# 1.8 08-Sep-2005 jsg

Remove FreeBSD if_printf compat function from net80211.
ok reyk@


# 1.7 08-Sep-2005 reyk

reset the scan state for each new mode

ok jsg@


# 1.6 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.5 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.4 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.3 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.2 02-Nov-2004 millert

Don't call memset() if MALLOC returns NULL; also fix the rcs ID.
From Patrick Latifi; OK reyk@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.192 14-Mar-2022 stsp

Add initial 802.11ac (VHT) support to net80211.

Add VHT capability and operation IE definitions to ieee80211.h.
Introduce channel flags to identify 80MHz and 160MHz capable channels.

Parse VHT IEs in beacons, announce the driver's VHT capabilities in
probe requests and assoc requests, and hop into 11ac mode after
association to the AP if possible.

Enable VHT by default if the driver announces support for it.

ok claudio@


# 1.191 12-Jan-2022 stsp

Remove ieee80211_find_node_for_beacon().

The original purpose of ieee80211_find_node_for_beacon() was to avoid
storing duplicate nodes with the same source MAC address in a hash table.
Later on, our node table data structure was changed from a hash table
to an RB tree. The RB tree can only store a single node per MAC address.
However, find_node_for_beacon() was kept regardless, now documented to
serve a different purpose.

Its new purpose is to tell apart different nodes which happen to use
the same MAC address and hence cannot both be stored in the RB tree.
The idea is to filter such duplicate nodes out during a scan. But colliding
nodes are told apart by RSSI and channel, and either may change over time.
So this does not really prevent duplicate MAC addresses from causing issues.

The code which decides which node is "better" can erroneously match an
AP against itself, in case the AP uses a hidden SSID. This caused
workarounds for hidden SSID to pile up over time.
Just a bit further down, the code looks up the same node again and
performs all of the intended node state updates. Simply skipping the
ieee80211_find_node_for_beacon() check makes such state updates work.

ok tobhe@


# 1.190 07-Dec-2021 stsp

Teach the net80211 stack to remove corresponding frames from ic_pwrsaveq
when a power-saving client decides to leave our hostap interface.

Prevents a "key unset for sw crypto" panic as we try to send a frame
to a node which is in COLLECT state with its WPA keys already cleared.

We were already clearing the queue which buffers power-saved frames for
the client node. This queue is stored within the node structure itself.
However, the interface has another global queue for frames which need to
be transmitted by the driver to a set of nodes during the next DTIM.
We missed removing frames for a departing node from this global queue.

While here, add missing node refcount adjustments as frames get purged.

Problem reported by Mikolaj Kucharski, who tested this fix for more
than a week with athn(4), with no further panics observed.


# 1.189 03-Dec-2021 stsp

Introduce an optional driver-specific bgscan_done() handler which
allows the driver to take control of the roaming teardown sequence.
This handler allows drivers to ensure that race conditions between
firmware state and net80211 state are avoided, and will be used by
the iwm(4) and iwx(4) drivers soon.

Split the existing roaming teardown sequence into two steps, one step
for tearing down Tx block ack sessions which sends a DELBA frame, and a
second step for flushing Tx rings followed by sending a DEAUTH frame.
We used to queue both frames, expecting to switch APs once both were sent.
Now we effectively expect everything to be sent before we queue a final
DEAUTH frame, and wait for just this frame to be sent before switching.
This already made issues on iwm/iwx less frequent but by itself this was
not enough to close all races for those drivers. It should however help
when adding background scan support to a non-firmware device driver.

Tested, with driver patches:
iwm 8265: Aaron Poffenberger, stsp
iwm 9260: florian
iwm 9560: sthen
iwx ax200: jmc, stsp


# 1.188 03-Nov-2021 krw

In addition to the WEP key(s) being set at device initialization with
'nwid'/'nwkey', the keys will be set at random times when 'join'/'nwkey' is
used. So also stop trying to set IEEE80211_CIPHER_NONE keys on that path.

James Hastings confirms this fixes his '(null node)' panics on run(4). Thanks!

ok stsp@


# 1.187 08-Oct-2021 stsp

Revert my previous commit to ieee80211_node.c (CVS commit Hne35XgzezGa9zmv).

Sending frames from ieee80211_node_join_bss() won't work as expected.
I missed that IEEE80211_SEND_MGMT() calls if_start() immediately after
queueing the management frame. This means the probe request is being
sent in a state where, while ic_bss represents our new AP, the driver
did not yet have a chance to move the device over to our new AP.

The auth request for the new AP is sent from ieee80211_newstate() which
runs after the driver has reconfigured the device. If we want to send a
probe request to the new AP then we would need to send it at that point,
before the auth frame gets sent.


# 1.186 07-Oct-2021 stsp

Send a probe request to our new AP when we are about to roam to it.

Tested by fkr on iwx ax200/ax201 and myself on iwm 8265.
Also tested by florian and bket as part of a larger diff.

ok mpi@


Revision tags: OPENBSD_7_0_BASE
# 1.185 29-Apr-2021 stsp

Make iwn, iwm, and iwx keep track of beacon parameters at run-time.

- HT protection settings (this was already implemented)
- ERP (11g) protection setting
- short slottime setting
- short preamble setting
- EDCA (QoS) parameters

All of these parameters are communicated in beacons and hardware is
now kept up-to-date with them.

Prompted by a problem report from Christian Ehrhardt regarding ERP.

Tested:
iwn 6205: stsp, Josh Grosse
iwm 7265: trondd
iwm 8265: stsp, Matthias Schmidt
iwm 9260: phessler
iwx ax200: stsp, jmc, gnezdo


Revision tags: OPENBSD_6_9_BASE
# 1.184 15-Apr-2021 stsp

When starting an AP or IBSS network, reconfigure the operation mode to
11ac/n/a/g/b as applicable. Fixes an issue where hostap would end up
running in the rather meaningless MODE_AUTO unless a mode was explicitly
configured with ifconfig.

Found while investigating issues reported by trondd testing my athn RA patch.

ok deraadt@


# 1.183 10-Mar-2021 jsg

spelling

ok gnezdo@ semarie@ mpi@


Revision tags: OPENBSD_6_8_BASE
# 1.182 31-May-2020 stsp

Remove a dead assignment to ni_rsn_state in ieee80211_node_leave_rsn().

Patch by Mikolaj Kucharski


Revision tags: OPENBSD_6_7_BASE
# 1.181 05-May-2020 stsp

Purge the ic_bss->ni_savedq mbuf queue when a wireless interface goes down.

Purging this queue prevents a panic which occurs when a WPA2-enabled athn(4)
hostap interface is reconfigured while this queue contains frames.

In hostap mode, this queue contains group-addressed (broadcast) frames
which are buffered for clients sleeping in powersave state. Frames on
this queue are transmitted when it is time to send another beacon, at
which point in time sleeping clients wake up to receive such frames.

The panic message is "key unset for sw crypto", which can be explained as
follows: Group keys are cleared when the interface goes down. The beacon Tx
interrupt handler gets triggered by hardware when the interface comes back
up. This handler attempts to encrypt the queued frames for transmission,
resulting in the above panic since the group key has been zeroed out.

This panic has been observed with athn(4) by Jan Stary and Ted Patterson,
and Ted has confirmed that this patch fixes the problem.

ok kettenis@ (with the caveat that it's been a long time since he put our
AP-side powersave support into a working state)


# 1.180 08-Apr-2020 stsp

Fix ifconfig "media:" line for 11n wifi interfaces during and after bgscan.

Media was displayed as e.g. "autoselect (OFDM6)" even though 11n was active
because the current media mode is changed to AUTO for background scanning
and was never switched back to 11N.

ok mpi@ pirofti@


# 1.179 15-Jan-2020 phessler

If join is connected to an AP, remove the node from the cache so we properly
reconnect to the AP

OK stsp@


# 1.178 29-Dec-2019 stsp

If the new candidate AP found after a background scan has an RSSI level
that will also trigger background scans, remain with the current AP.
Avoids ping-pong in environments where APs are tuned for low transmit
range, such as 36c3.

ok phessler benno


# 1.177 10-Nov-2019 stsp

Stop connecting to available open wifi networks when the interface is put up.
From now on, this behaviour must be explicitly enabled with ifconfig join "".
ok sthen jcs deraadt


# 1.176 09-Nov-2019 stsp

Give access points which fail to AUTH or ASSOC less priority during
the next selection of networks from the join list. Prevents endless
attempts to connect to an AP which is out of reach but still somehow
manages to get a beacon or two across to us during scan.

Tested with wifi networks at the University of Bucharest.
Makes switching wifi networks possible after walking to a different
room without having to down/up the interface or suspend/resume.

ok phessler@


# 1.175 09-Nov-2019 stsp

Clear the unref callback function pointer when cleaning up an ieee80211_node.
ok mpi@


# 1.174 31-Oct-2019 stsp

Make background scans less frequent if we keep choosing the same AP.

This helps a bit in situations where a single AP is used and background scans
are causing packet loss, as seen with Jesper Wellin's Broadcom-based AP and my
Android phone in hotspot mode. This is not a proper fix but our background scan
frequency against a single AP was much higher than needed anyway.

Tested by jan, job, benno, Tracey Emery, Jesper Wallin


Revision tags: OPENBSD_6_6_BASE
# 1.173 02-Sep-2019 stsp

Make net80211 expose reasons for association failures to userland and have
ifconfig display them in 'scan' output and on the ieee80211 status line if
the failure is applicable to an already selected AP (e.g. wrong WPA key).

This will hopefully reduce the amount of help requests for what often
turn out to be trivial misconfiguration issues that were previously
hard to diagnose without debug mode.

ifconfig must be recompiled with the new ieee80211_ioctl.h to stay in
sync with the kernel. A full 'make build' will do the right thing!

Very helpful input by mpi@ and deraadt@


# 1.172 27-Aug-2019 stsp

Keep ieee80211_node structures cached across scans, rather than
wiping the entire cache every time a scan is triggered.

This has benefits for userland programs trying to look at scan results,
and for drivers which don't get a full view from hardware on every scan.

Nodes will still be evicted from the cache in one of several ways:

Add a new way of timing out inactive nodes which don't send a beacon
within 10 scan iterations, for client mode only. This should get rid
of stale APs if we're scanning for some time in a changing environment.

If we fail to associate a few times, the corresponding node is removed.

If net80211 transitions back to INIT state (e.g. because of a
user-initiated configuration change) all nodes are removed.

When a background scan starts all nodes will be removed. This could be
revisited later but has been intentionally left as-is for now.

Tested by myself, jmc@, benno@, procter@ on iwm(4), athn(4) and ral(4).


# 1.171 26-Aug-2019 stsp

remove redundant assignment to ic_curmode

This assignment to ic_curmode is redundant because it already occurs
inside ieee80211_setmode(), and channel information in selbs and ni
is equivalent after node_copy().

ok mpi@ kevlo@


# 1.170 29-Jul-2019 stsp

Add support for 802.11n Tx aggregation to net80211 and the iwn(4) driver.

In particular, add Tx block ack session management to net80211, with
enough functionality to support Tx aggregation on devices which perform
A-MPDU subframe scheduling in firmware.
Make use of the iwn(4) firmware Tx scheduler to build A-MPDUs.

net80211's QoS support code is now enabled and used by Tx aggregation.

A-MSDU frames inside A-MPDUs have been tested and work in principle.
For now, this feature is disabled because unfair TCP connection sharing
was observed during testing, where bursts of TCP Ack frames for a single
tcpbench(1) connection arriving in A-MSDUs made other TCP connections stall.
Switch off support for A-MSDUs inside A-MPDUs on the Rx side as well.

Tested on iwn chipsets 1000, 4965, 5100, 5300, 2200, 6200, 6205, 6300
(committed version of tested diff has all debug printfs removed)
tests/ok benno kmos mlarkin kevlo


# 1.169 23-Jul-2019 stsp

In 11n hostap mode, properly disable HT protection when needed
by actually overwriting the relevant bits in ni_htop1.
ok tedu@ phessler@ kettenis@


# 1.168 10-Jun-2019 stsp

Revised version of 'ifconfig mode' command fix.

The 'mode' command is supposed to force a wireless interface into 11a/b/g/n
media mode. This stopped working some time ago, probably during my work on
background scanning. Problem spotted by mlarkin@ who noticed that interfaces
were using 11g mode while forced to 11b mode.

ok phessler, jmatthew (earlier version)
relentless testing by krw@


# 1.167 31-May-2019 stsp

Revert my "Repair the 'ifconfig mode' command" commit.

The "recursion in end_scan()" problem is apparently still present in
the committed version of the diff (reported by krw@).


# 1.166 29-May-2019 stsp

Repair the 'ifconfig mode' command.

The 'mode' command is supposed to force a wireless interface into 11a/b/g/n
media mode. This stopped working some time ago, probably during my work on
background scanning. Problem spotted by mlarkin@ who noticed that interfaces
were using 11g mode while forced to 11b mode.

ok phessler, jmatthew


# 1.165 11-May-2019 stsp

Show driver name on net80211 scan debug lines.
ok mpi@


# 1.164 28-Apr-2019 mpi

Removes the KERNEL_LOCK() from bridge(4)'s output fast-path.

This redefines the ifp <-> bridge relationship. No lock can be
currently used across the multiples contexts where the bridge has
tentacles to protect a pointer, use an interface index.

Tested by various, ok dlg@, visa@


Revision tags: OPENBSD_6_5_BASE
# 1.163 15-Mar-2019 phessler

fix autojoin for WEP network by actually saving the WEP auth key

discovered while attempting to autojoin WEP networks


# 1.162 01-Mar-2019 stsp

Improve handling of HT protection for 'mode 11n' hostap.

Consider the mere presence of HTCAP IEs as indicator of 11n support,
rather than checking advertised Rx MCS. Fixes some devices being
misclassified as 11a/g, causing HT protection to be enabled even
though it is not needed.

Use CTS-to-self frames for HT protection instead of RTS/CTS.

These changes make my athn(4) AR9280 hostap perform much better.

ok phessler@


# 1.161 23-Jan-2019 stsp

Move 802.11n rateset definitions out of MiRA and make them available to
net80211 and drivers in general. Add ratesets for 'short guard interval'
(SGI) rates, and add SGI support to MiRA. SGI is currently only used by
iwm(4), and of course internally by bwfm(4) firmware.
Ratesets for 11n 40 MHz channels and 11ac will come later.
ok mpi@ phessler@


# 1.160 18-Jan-2019 phessler

add a len field when we delete an essid from the joinlist. this will have
us properly match, instead of hoping we got lucky when selecting it.

OK stsp@


# 1.159 18-Jan-2019 phessler

let users automatically use join to connect to any open wifi network.
if a known network is visible, always prefer that instead.

requested by many, OK stsp@


# 1.158 25-Nov-2018 phessler

print more details about the join'd networks we have saved when a user runs
ifconfig if joinlist

OK stsp@


# 1.157 20-Nov-2018 phessler

fix whitespace in debugging function


# 1.156 20-Nov-2018 patrick

The first packet received from each AP in each QoS class would be
dropped as the sequence number matches the initial value of the
cached last sequence number (zero). On some APs (notably Android
WIFI hotspots) this hits the first packet of the WPA2 4-way
handshake. This causes connection delays and in some cases
connection to the AP fails completely. Initialize the cached last
sequence numbers for received packets to an invalid value instead.

From Christian Ehrhardt
ok gerhard@ stsp@
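
Added illustration of the failure this commit describes (example code, not net80211's own): a duplicate check keeps one last-seen sequence-control value per TID. With the cache zeroed, a first frame carrying sequence number 0 is indistinguishable from a retransmission and is dropped; seeded with a value no frame can carry, only the real retransmission is dropped. Struct and function names, the TID count and the constructed three-frame trace are this example's assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Per-node, per-TID duplicate detection on the 802.11 sequence-control
 * field (12-bit sequence number << 4 | 4-bit fragment number).  Names are
 * this example's own, not net80211's.
 */
#define NUM_TIDS     16
#define SEQ_INVALID  0xffffu   /* no real frame carries this seqno/fragno pair */

struct rx_node {
	uint16_t last_seqctl[NUM_TIDS];
};

/* Buggy initialisation: a cached 0 collides with a genuine first frame. */
void rx_node_init_buggy(struct rx_node *n)
{
	memset(n->last_seqctl, 0, sizeof(n->last_seqctl));
}

/* Fixed initialisation: start from a sentinel no received frame can match. */
void rx_node_init_fixed(struct rx_node *n)
{
	for (size_t i = 0; i < NUM_TIDS; i++)
		n->last_seqctl[i] = SEQ_INVALID;
}

/*
 * True if the frame repeats the last sequence-control value seen on this
 * TID and must be dropped; otherwise the value is recorded.  Real stacks
 * may additionally require the Retry bit before calling a frame duplicate.
 */
bool rx_is_duplicate(struct rx_node *n, unsigned tid, uint16_t seqctl)
{
	if (tid >= NUM_TIDS)
		tid = 0;
	if (n->last_seqctl[tid] == seqctl)
		return true;
	n->last_seqctl[tid] = seqctl;
	return false;
}

/*
 * Constructed trace on TID 0: the AP's first frame (seqno 0, which would be
 * EAPOL message 1/4 right after association), a retransmission of it, then
 * seqno 1.
 */
static const uint16_t sample_seqctl[] = { 0x0000, 0x0000, 0x0010 };
#define SAMPLE_LEN (sizeof(sample_seqctl) / sizeof(sample_seqctl[0]))

/* Feed the trace to a freshly initialised node; return the number of drops. */
size_t count_drops(bool fixed)
{
	struct rx_node n;
	size_t dropped = 0;

	if (fixed)
		rx_node_init_fixed(&n);
	else
		rx_node_init_buggy(&n);
	for (size_t i = 0; i < SAMPLE_LEN; i++)
		if (rx_is_duplicate(&n, 0, sample_seqctl[i]))
			dropped++;
	/* buggy: 2 (the handshake frame and its retry both vanish); fixed: 1 */
	return dropped;
}
```

With the zeroed cache the handshake frame never reaches the supplicant at all, since its retransmission carries the same sequence number and is dropped for the same reason; the connection only recovers if the AP's counter wraps or the client re-associates.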


# 1.155 27-Oct-2018 phessler

pass around the ess and ni structures we plan to use directly, instead
of rediscovering them (possibly badly).

OK stsp@


# 1.154 27-Oct-2018 phessler

clean up accounting of the AUTO_JOIN flag by making sure it is set or cleared
based on the state of the joinlist

OK stsp@


# 1.153 27-Oct-2018 phessler

don't join to a network where we expect cleartext, and the AP is using crypto

OK stsp@


Revision tags: OPENBSD_6_4_BASE
# 1.152 18-Sep-2018 mestre

fix memory leak in ieee80211_end_scan()

OK phessler@ jsg@


# 1.151 17-Sep-2018 jsg

fix memory leaks in ieee80211_add_ess()
ok stsp@ phessler@


# 1.150 11-Sep-2018 phessler

use the format string for signed ints, for signed ints

reminded by stsp@


# 1.149 11-Sep-2018 phessler

With the interface debug flag enabled, print a "score" for each AP we
consider during auto-join. This can help users determine why a specific
network was chosen.

OK stsp@


# 1.148 10-Sep-2018 phessler

fix typo in the length of the essid we want to switch to

found with and OK stsp@


# 1.147 10-Sep-2018 phessler

extract clearing WEP/WPA in ess into helper functions


# 1.146 10-Sep-2018 phessler

give set_ess a len variable, so we can correctly match the essid we want
to switch to.

pointed out by stsp@


# 1.145 09-Sep-2018 phessler

convert the things we save in 'join' into a single ioctl. mixing related
settings over multiple calls was risky and racy. Pass essid, wpa, and wep
parameters in a single ioctl and process it atomically.

no change for 'nwid' users

OK stsp@ benno@


# 1.144 06-Sep-2018 jsg

fix whitespace


# 1.143 01-Sep-2018 stsp

Make 'ifconfig nwid' override 'ifconfig join'.

There was no way to override a decision made by join's network
selection algorithm (apart from disabling the feature by clearing
the join list). Automatic selection is based on heuristics which
cannot always guess correctly so we need to provide an override.

One specific problem was that if 'nwid foo' and 'nwid bar' were
both visible in the scan and only 'nwid foo' was a member of the
join list, then there was no way at all to connect to 'nwid bar'.
The wireless stack would keep selecting 'nwid foo' instead.

'ifconfig iwm0 nwid bar' command will now disable automatic
network selection and force the use of ESSID 'bar'.
Any of these commands will re-enable automatic network selection:
ifconfig iwm0 -nwid
ifconfig iwm0 nwid ''
ifconfig iwm0 join some-network-id

ok phessler@ deraadt@


# 1.142 15-Aug-2018 stsp

Update AP selection heuristics for auto-join.

We now prefer stronger crypto over weaker crypto over none, prefer 5 GHz
band with reasonable RSSI, and use RSSI as a tie-breaker with a slight
advantage for 5GHz. Candidate APs are now ranked by a score which is
calculated based on these attributes.

There is likely room for improvements to make these heuristics
work well across many different environments, but it's a start.

ok phessler@


# 1.141 13-Aug-2018 stsp

Add support for band-steering access points to net80211.

Some access points have a feature called "band steering" where they
will try to push clients from 2 GHz channels to 5 GHz channels.
If a client sends probe-requests on both 2 GHz and 5GHz channels, and
then attempts to authenticate on a 2 GHz channel, such APs will deny
authentication and hope that the client will come back on a 5 GHz channel.

So if we fail to AUTH for any reason, and if there is a different
AP with the same ESSID that we haven't tried yet, try that AP next.
Keep trying until no APs are left, and only then continue scanning.

APs with support for this feature were provided by Mischa Peters.

ok phessler@ mpi@


# 1.140 11-Aug-2018 stsp

Add comment explaining why we read basic MCS set only from beacon/probereq.
requested by mpi@


# 1.139 07-Aug-2018 stsp

Ignore basic MCS set information found in association responses.

Some APs (Aruba 105) send a bogus basic MCS set in assoc responses
which prevents us from enabling 11n support with those APs, while
these APs still behave as if we were an 11n client, which renders
the association unusable.

The basic MCS set is already provided in beacons anyway, and the
802.11 2012 standard says the basic MCS set is reserved in frames
other than beacons (see Table 8-130).

ok mpi@


# 1.138 06-Aug-2018 stsp

Refactor ieee80211_add_ess():

Drop ieee80211_add_ess's nwid parameter. Read nwid and length directly
from the ic to make it more obvious where this function is reading from.

nwids are binary data with an explicit length, so treat them as such
instead of treating them like strings.

ok florian phessler


# 1.137 06-Aug-2018 florian

Do not set nwid over and over again. We just found the ess by comparing
the nwid. It will not have changed in the meantime.
OK stsp


# 1.136 03-Aug-2018 phessler

revert 1.133 and part of 1.131
the stack doesn't always fill in the parameters correctly

reported by many


# 1.135 30-Jul-2018 stsp

Don't ask drivers to join a wifi network before an AP has been chosen.
Should fix a panic with bwfm(4) reported by mlarkin@
ok phessler@


# 1.134 19-Jul-2018 florian

ieee80211_ess_is_better() returns 0 or 1, comparing > 1 is always
false so we always selected the first wifi available, not the best
one.

While here shuffle some deck chairs to make it clearer that anything is
better than nothing.

tweak & OK phessler
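
Added example (not net80211's code) tying together the score-based ranking described in the 1.142 commit above and the comparison bug fixed here: candidates get a score where crypto strength dominates, a 5 GHz AP with reasonable RSSI gets a bonus, and RSSI with a slight 5 GHz edge breaks ties; an is-better predicate returns 0 or 1 and the selection loop must treat it as a boolean. Field names, the weights, the 50% RSSI threshold and the constructed AP list are this example's assumptions.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical candidate-AP record; names and weights are this example's. */
enum crypto { CRYPTO_NONE = 0, CRYPTO_WEP = 1, CRYPTO_WPA1 = 2, CRYPTO_WPA2 = 3 };

struct ap_cand {
	const char  *ssid;
	enum crypto  crypto;
	bool         band5ghz;
	int          rssi;      /* 0..100 percent, as iwm(4)-style drivers report it */
};

#define RSSI_5GHZ_OK 50     /* assumed "reasonable" 5 GHz signal */

/* Higher is better: crypto first, then a usable 5 GHz band, then RSSI. */
int ap_score(const struct ap_cand *ap)
{
	int score = 0;

	score += (int)ap->crypto * 1000;            /* stronger > weaker > none */
	if (ap->band5ghz && ap->rssi >= RSSI_5GHZ_OK)
		score += 500;                       /* 5 GHz only when it is usable */
	score += ap->rssi;                          /* RSSI as tie-breaker ... */
	if (ap->band5ghz)
		score += 5;                         /* ... with a slight 5 GHz edge */
	return score;
}

/* Returns 0 or 1, like the ieee80211_ess_is_better() this commit describes. */
int ess_is_better(const struct ap_cand *cand, const struct ap_cand *best)
{
	if (best == NULL)
		return 1;                           /* anything beats nothing */
	return ap_score(cand) > ap_score(best);
}

/* Correct selection: the predicate is a boolean. */
const struct ap_cand *pick_best(const struct ap_cand *list, size_t n)
{
	const struct ap_cand *best = NULL;

	for (size_t i = 0; i < n; i++)
		if (ess_is_better(&list[i], best))
			best = &list[i];
	return best;
}

/* The broken shape: "> 1" can never be true, so the first AP always wins. */
const struct ap_cand *pick_best_buggy(const struct ap_cand *list, size_t n)
{
	const struct ap_cand *best = NULL;

	for (size_t i = 0; i < n; i++)
		if (best == NULL || ess_is_better(&list[i], best) > 1)
			best = &list[i];
	return best;
}

/* Constructed scan result, in the order the nodes table happens to yield it. */
static const struct ap_cand sample[] = {
	{ "cafe",     CRYPTO_NONE, false, 90 },  /* strongest signal, open */
	{ "home",     CRYPTO_WPA2, false, 70 },
	{ "home",     CRYPTO_WPA2, true,  55 },  /* 5 GHz, above threshold */
	{ "home-old", CRYPTO_WPA1, true,  80 },
	{ "home",     CRYPTO_WPA2, true,  30 },  /* 5 GHz, too weak for the bonus */
};
#define SAMPLE_N (sizeof(sample) / sizeof(sample[0]))
```

Run against the constructed list, pick_best() returns the WPA2 AP on 5 GHz with 55% RSSI, while pick_best_buggy() returns the open cafe network simply because it was walked first, which is the behaviour the commit message reports.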


# 1.133 16-Jul-2018 phessler

the AP sends their crypto parameters as a mask, so let us still select it
in case we want WPA2 and they have WPA1 still enabled


# 1.132 16-Jul-2018 phessler

don't save or use auto-join when the card is not in station (aka client) mode

OK stsp@


# 1.131 13-Jul-2018 phessler

Some more checks before auto-join switches networks.

Make sure all of the crypto options the AP announces matches what we
would configure. While here, don't switch if the user has specified
a specific BSSID, and the new AP does not match.

OK stsp@


# 1.130 11-Jul-2018 phessler

Introduce 'auto-join' to the wifi 802.11 stack.

This allows a system to remember which ESSIDs it wants to connect to, any
relevant security configuration, and switch to it when the network we are
currently connected to is no longer available.

Works when connecting and switching between WPA2/WPA1/WEP/clear encryptions.

example hostname.if:
join home wpakey password
join work wpakey mekmitasdigoat
join open-lounge
join cafe wpakey cafe2018
join "wepnetwork" nwkey "12345"
dhcp
inet6 autoconf
up

OK stsp@ reyk@
and enthusiasm from every hackroom I've been in for the last 3 years


# 1.129 28-Apr-2018 stsp

When starting a background scan, free the nodes table to ensure we
get an up-to-date view of APs around us. In particular, we need to
kick out the AP we are associated to. Otherwise, our current AP might
stay cached if it is turned off while we are scanning, and we could
end up picking a now non-existent but "good looking" AP over and over.

found with and ok phessler@


# 1.128 27-Apr-2018 stsp

Fix the scan loop: We were only looking for an AP once and stopped
scanning if none was found.
Accidentally broken in recent ifconfig scan changes by pirofti and me.
ok pirofti


# 1.127 26-Apr-2018 pirofti

net80211: stub SIOCS80211SCAN, make ifconfig scan instant.

The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stsp@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.

The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.

In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.

The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...

Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.

Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).

Tested by mpi@, landry@, florian@, thanks!
OK mpi@.


Revision tags: OPENBSD_6_3_BASE
# 1.126 06-Feb-2018 phessler

convert the test if a node support HT (aka, 11n) into an inline function,
instead of testing some un-obvious bitfield

OK stsp@


# 1.125 12-Dec-2017 stsp

Don't dereference IEEE80211_CHAN_ANYC pointer in ieee80211_node_checkrssi().

Problem reported by Gregoire Jadi on bugs@


# 1.124 12-Dec-2017 phessler

Allow interfaces that aren't SCANNALLBAND drivers to benefit from the
strongest received signal.

OK stsp@


# 1.123 12-Dec-2017 jcs

Fix the behavior of preferring weaker-but-still-good 5GHz APs over
2GHz APs because the 5GHz band is generally less saturated.

The previous implementation was dependent upon the order of walking
APs.

ok stsp


# 1.122 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


Revision tags: OPENBSD_6_2_BASE
# 1.121 05-Sep-2017 stsp

When starting a new scan always set the mode to AUTO if the driver scans
all bands at once. Fixes a problem where e.g. 5GHz APs were filtered out
if we were previously associated to an 11g-only AP.
ok mpi@ phessler@


# 1.120 17-Aug-2017 stsp

Add an entry to dmesg if pairwise WPA keys arrive unexpectedly or if WPA
group keys are being reused. OpenBSD wireless clients will now leave a
trail of such events in their message log.

There has been increased public scrutiny of WPA's security recently, so
I am curious to see if anyone is attempting replay attacks in the wild.

ok deraadt


# 1.119 04-Aug-2017 stsp

Compile a debug printf in ieee80211_match_bss() by default, previously
guarded by the IEEE80211_DEBUG preprocessor flag. This shows one line
per detected AP after a scan, and indicates which APs are considered
candidates for association.
Shorten the output a bit to fit into 80 columns more likely.
ok sthen@


# 1.118 19-Jul-2017 stsp

Improve the heuristic which selects 5GHz APs over 2GHz APs.

The previous code wasn't quite right: it didn't account for the fact that
some drivers don't set ic_max_rssi, and it compared 5GHz APs to a threshold
relative to the max RSSI, rather than comparing RSSI on 5GHz relative to
RSSI on 2GHz.

This heuristic is only used by SCANNALLBAND drivers: iwn(4), iwm(4), wpi(4)

In the future the AP selection heuristic should be made more intelligent,
e.g. it should take BSS load information in beacons into account.
Another open problem is inconsistent representation of RSSI measurement
values throughout our drivers and stack. Help is welcome!

For now, this hopefully improves AP selection at busy airports.

ok sthen@ deraadt@


# 1.117 04-Jun-2017 tb

Add sizes for free for the RSN IEs. Rewrite ieee80211_save_ie() slightly
to make it more readable.

help, many explanations and ok stsp


# 1.116 03-Jun-2017 tb

Add a few sizes to free().

Input, help & ok stsp


Revision tags: OPENBSD_6_1_BASE
# 1.115 04-Mar-2017 stsp

branches: 1.115.4;
In 11n hostap mode, dynamically adjust HT protection settings based on
the presence of non-HT nodes in the node cache.
OpenBSD 11n APs will now disable HT protection if it is not necessary.
ok mpi@


# 1.114 03-Feb-2017 stsp

Fix 11b clients sending bogus ratesets in association requests. The common
rateset with the AP is calculated only after the association response was
received, which is too late. Fix rates when an AP is selected after a scan.
ok mpi@ tb@


# 1.113 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.112 16-Jan-2017 stsp

Reset block ack state and cancel related timeouts when a HT node disassociates.
The existing code (from damien@) already took care of freeing related buffers
but because block ack state was not reset we were still trying to use these
buffers if the node sent another A-MPDU. This problem only affects 11n hostap.
Fixes kernel crash reported by Timo Myyra on bugs@


# 1.111 09-Jan-2017 stsp

When a HT node leaves or reassociates as a non-HT node,
clear HT capabilities stored in its node cache object.

A node may switch from 11n mode to 11a/b/g mode.
If we don't clear HT capabilities from the cache the node will
be mistaken as 11n-capable after reassociation.

ok phessler@ mpi@


# 1.110 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.109 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.108 09-Jan-2017 stsp

The point of ieee80211_node_leave() is to place the node in COLLECT state.
Return early and do nothing if the node is already in COLLECT state upon
entry to this function.


# 1.107 09-Jan-2017 stsp

When acting as hostap, negotiate HT before calling the driver's ic_newassoc()
function, not afterwards. Drivers now know whether a joining node supports HT
which helps with setting up state such as which Tx rate to use.


# 1.106 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@
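
Added example (not net80211's code) of the countermeasure timing this commit describes: a second TKIP MIC failure within 60 seconds starts the penalty period, which lasts the standard's 60 seconds plus a random extra of up to another 60, and the AP resumes accepting TKIP associations on its own once it expires, instead of staying down until reboot. Struct and function names are this example's; the caller is assumed to supply the random offset, e.g. from arc4random_uniform().

```c
#include <stdbool.h>
#include <stdint.h>

#define TKIP_MIC_WINDOW 60  /* s: two MIC failures within this window trigger countermeasures */
#define TKIP_CM_MIN     60  /* s: the minimum period the standard requires */
#define TKIP_CM_EXTRA   60  /* s: random slack on top, giving 60..120 s in total */

struct tkip_cm {
	bool     have_prev;   /* a MIC failure is pending inside the window */
	uint32_t prev_fail;   /* time of that failure, seconds, monotonic */
	bool     active;      /* countermeasures running */
	uint32_t until;       /* ... until this time */
};

/* Length of a penalty period for a caller-supplied random offset. */
uint32_t tkip_cm_period(uint32_t random_extra)
{
	if (random_extra > TKIP_CM_EXTRA)
		random_extra = TKIP_CM_EXTRA;
	return TKIP_CM_MIN + random_extra;
}

/*
 * Record a MIC failure at time `now`.  Returns true when countermeasures
 * were just started; the caller then deauthenticates every STA and rejects
 * TKIP associations until tkip_assoc_allowed() says otherwise.
 * `random_extra` would come from arc4random_uniform(TKIP_CM_EXTRA + 1).
 */
bool tkip_mic_failure(struct tkip_cm *st, uint32_t now, uint32_t random_extra)
{
	if (st->have_prev && now - st->prev_fail < TKIP_MIC_WINDOW) {
		st->active = true;
		st->until = now + tkip_cm_period(random_extra);
		st->have_prev = false;
		return true;
	}
	st->have_prev = true;
	st->prev_fail = now;
	return false;
}

/* AP side: may a TKIP client (re)associate right now? */
bool tkip_assoc_allowed(struct tkip_cm *st, uint32_t now)
{
	if (st->active && now < st->until)
		return false;
	st->active = false;   /* period over: service resumes without a reboot */
	return true;
}
```

The random extra matters for an attacker who can provoke MIC failures at will: with a fixed 60-second period the exact moment the AP comes back is predictable, so the next pair of forged failures can be timed to keep it down indefinitely with minimal traffic.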


# 1.105 15-Sep-2016 dlg

move from RB macros to the RBT functions.

shaves about 5k off an amd64 GENERIC.MP kernel


# 1.104 17-Aug-2016 stsp

If a wireless device or driver scans all bands at once give 5GHz APs
a slight priority in cases where good matches exist in either band.
ok sthen@


Revision tags: OPENBSD_6_0_BASE
# 1.103 21-May-2016 stsp

branches: 1.103.2;
Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


# 1.102 18-May-2016 stsp

In hostap mode, don't re-use association IDs (AIDs) of nodes which are
still lingering in the node cache. This could cause an AID to be assigned
twice, once to a newly associated node and once to a different node in
COLLECT cache state (i.e. marked for future eviction from the node cache).

Drivers (e.g. rt2860) may use AIDs to keep track of nodes in firmware
tables and get confused when AIDs aren't unique across the node cache.
The symptom observed with rt2860 was nodes stuck at 1 Mbps Tx rate since
the duplicate AID made the driver perform Tx rate (AMRR) accounting on
the wrong node object.

To find out if a node is associated we now check the node's cache state,
rather than comparing the node's AID against zero. An AID is assigned when
a node associates and it lasts until the node is eventually purged from the
node cache (previously, the AID was made available for re-use when the node
was placed in COLLECT state). There is no need to be stingy with AIDs since
the number of possible AIDs exceeds the maximum number of nodes in the cache.

Problem found by Nathanael Rensen.
Fix written by Nathanael and myself. Tested by Nathanael.
Committing now to get this change tested across as many drivers as possible.
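
Added example (not net80211's code) of the AID lifetime rule this commit adopts: an AID is allocated from a bitmap when a node associates, kept while the node lingers in COLLECT state, and only returned when the node is purged from the cache; "is associated" is answered from the node's cache state rather than from aid != 0. The scenario function shows the duplicate that the old release-on-COLLECT behaviour produced. Type, function and state names are this example's assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define MAX_AID   2007   /* 802.11 association IDs run 1..2007 */
#define MAX_NODES 100    /* example cache size; far below MAX_AID, so no early reuse is needed */

enum node_state { NODE_CACHE, NODE_AUTH, NODE_ASSOC, NODE_COLLECT };

struct node {
	enum node_state state;
	uint16_t        aid;   /* 0 = none assigned */
};

struct aid_map {
	uint8_t bits[MAX_AID / 8 + 1];
};

/* Lowest free AID, or 0 if all are taken. */
uint16_t aid_alloc(struct aid_map *m)
{
	for (uint16_t aid = 1; aid <= MAX_AID; aid++)
		if (!(m->bits[aid / 8] & (1u << (aid % 8)))) {
			m->bits[aid / 8] |= (uint8_t)(1u << (aid % 8));
			return aid;
		}
	return 0;
}

void aid_release(struct aid_map *m, uint16_t aid)
{
	if (aid >= 1 && aid <= MAX_AID)
		m->bits[aid / 8] &= (uint8_t)~(1u << (aid % 8));
}

/* Cache state, not the AID field, says whether a node is associated. */
bool node_is_associated(const struct node *n)
{
	return n->state == NODE_ASSOC;
}

void node_assoc(struct aid_map *m, struct node *n)
{
	if (n->aid == 0)
		n->aid = aid_alloc(m);
	n->state = NODE_ASSOC;
}

/*
 * Node leaves the BSS and is marked for eviction.  The old behaviour made
 * its AID reusable here while the node (and any driver firmware table entry
 * keyed by that AID) was still around.
 */
void node_leave(struct aid_map *m, struct node *n, bool release_aid_early)
{
	n->state = NODE_COLLECT;
	if (release_aid_early)
		aid_release(m, n->aid);
}

/* Eviction from the cache is the only point where the AID goes back. */
void node_purge(struct aid_map *m, struct node *n)
{
	aid_release(m, n->aid);
	n->aid = 0;
	n->state = NODE_CACHE;
}

/*
 * Scenario: A associates, leaves (stays cached in COLLECT), then B joins.
 * Returns B's AID and reports A's through a_aid_out.
 */
uint16_t aid_demo(bool fixed, uint16_t *a_aid_out)
{
	struct aid_map m;
	struct node a = { NODE_CACHE, 0 }, b = { NODE_CACHE, 0 };

	memset(&m, 0, sizeof(m));
	node_assoc(&m, &a);
	node_leave(&m, &a, !fixed);
	node_assoc(&m, &b);
	if (a_aid_out)
		*a_aid_out = a.aid;
	return b.aid;   /* fixed: 2; old behaviour: 1, the same AID A still holds */
}
```

With the old behaviour the two cached nodes share AID 1, so a driver that indexes its rate-control or firmware station table by AID updates the wrong entry, which is how the 1 Mbps stall on rt2860 came about.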


# 1.101 12-Apr-2016 mpi

Call if_enqueue() and if_start() instead of dereferencing the ifp
pointers.

These functions have been introduced to abstract some of the MP-
safeness^Wmadness and should be use everywhere.

Prodded by a comment from jsg@.

ok mikeb@, stsp@


# 1.100 03-Mar-2016 gerhard

Restore assignment of ic_curmode that was accidentally removed when
moving the ERP code to post-assoc phase. Fixes iwi(4) fatal firmware
errors.

ok stsp@, sobrado@


Revision tags: OPENBSD_5_9_BASE
# 1.99 25-Jan-2016 stsp

branches: 1.99.2;
Honour ERP protection on 2 GHz channels in 11n mode, as done for 11g.
ok millert@


# 1.98 25-Jan-2016 stsp

Don't try to interpret htprot data if the last beacon didn't contain such data.
ok mpi@ millert@


# 1.97 07-Jan-2016 stsp

Make the A-MPDU reordering buffer more resilient against APs which drop
some subframes or let the sequence number jump up by more than 1 (hard
to tell which it is). We decrease the BA inactivity timeout for quicker
recovery from stalled BA sessions, and add a new timeout which keeps track
of gaps in the subframe sequence number space due to dropped frames.
Gaps expire after 500 msec, the same value FreeBSD uses for their
implementation of this workaround. And Linux uses this trick, too.

This should fix network stalls some people have been seeing in 11n mode.

ok deraadt@


# 1.96 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.95 04-Jan-2016 stsp

While configuring ERP we need to know if we're in 11a or 11g mode so only
configure ERP once we are sure about our operation mode against the AP.
ok sthen jasper kettenis deraadt mpi


# 1.94 18-Dec-2015 sthen

unnoccupied->unoccupied


# 1.93 12-Dec-2015 stsp

Finish support for receiving 11n A-MPDUs.

The initial implementation was added by damien@ years ago.
Summary of the changes made in this commit:
- In ieee80211_input(), process A-MPDUs before duplicate detection.
- Don't forget to set ba->ba_ni in ieee80211_recv_addba_req()
so we don't crash in ieee80211_rx_ba_timeout().
- In ieee80211_recv_addba_req(), tweak the logic to deny BlockAck
requests if the driver has no callback for doing so.
- Implement ieee80211_ba_del() which cleans up BlockAck state.
- Increase the minimum and maximum lifetime for BlockAck agreements.

ok mpi@


# 1.92 24-Nov-2015 mpi

No need to include <net/if_arp.h>

This header is only needed because <netinet/if_ether.h> declares a
structure that needs it. But it turns out that <net/if.h> already
includes it as workaround.

A proper solution would be to stop declaring "struct ether_arp"
there. But no driver should need this header.


# 1.91 15-Nov-2015 stsp

Parse 11n HT capabilities and operational info from association response
frames, negotiate HT with the AP, and move the interface into or out of
11n mode accordingly. If running as AP negotiate HT with nodes joining the BSS.

ok deraadt mpi kettenis guenther


# 1.90 15-Nov-2015 stsp

Extend struct ieee80211_node with fields for 11n STA HT capabilities and
HT operational information sent by 11n APs. These fields reflect the structure
of elements in management frames so that IEEE80211_HTCAP* and IEEE80211_HTOP*
macros designed to operate on frame elements can be used directly to read
or set the fields.

Populate nodes with HT information received in probe responses, probe
requests, and association requests.

ok deraadt mpi phessler kettenis guenther


# 1.89 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


Revision tags: OPENBSD_5_8_BASE
# 1.88 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.87 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.86 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.85 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.84 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.83 12-Sep-2014 sthen

Remove cached 802.11 nodes in IEEE80211_STA_CACHE state (these are nodes
which have been seen but which haven't otherwise interacted with us), fixing
a problem where old cached nodes are seen when doing a scan.
From Marcin Piotr Pawlowski, feedback stsp@ ok kspillner@ dcoppa@


# 1.82 08-Aug-2014 jasper

use nitems() instead of various local constructs

ok stsp@


Revision tags: OPENBSD_5_6_BASE
# 1.81 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


Revision tags: OPENBSD_5_5_BASE
# 1.80 01-Dec-2013 stsp

Reset txrate array index after changing a node's rate list.
Should prevent "bogus xmit rate %d setup" panics, which I ran into again
in IBSS mode.
ok kettenis


# 1.79 21-Nov-2013 mpi

Remove unneeded include.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.78 24-Mar-2013 claudio

Make ieee80211_set_tim() available from outside of ieee80211_node.c
so drivers like acx(4) can use that function directly instead of
reimplementing the function again. Requested by kettenis@ long time ago.


Revision tags: OPENBSD_5_3_BASE
# 1.77 07-Nov-2012 stsp

Fix DPRINTF() format string treating n->ni_refcnt, which is unsigned, as signed.
diff from dhill; ok kettenis reyk


# 1.76 10-Oct-2012 kettenis

Clear the powersave flag and purge queued packets when a node leaves the AP
(either by disassociating or by timeout). Fixes (most) remaining issues with
power saving.

From Nathanael Rensen.

ok claudio@, krw@, sthen@


# 1.75 05-Oct-2012 camield

Point an interface directly to its bridgeport configuration, instead
of to the bridge itself. This is ok, since an interface can only be part
of one bridge, and the parent bridge is easy to find from the bridgeport.

This way we can get rid of a lot of list walks, improving performance
and shortening the code.

ok henning stsp sthen reyk


# 1.74 20-Sep-2012 stsp

Nuke M_80211_NODE #define which mapped to M_DEVBUF and use M_DEVBUF directly.
ok henning


# 1.73 25-Aug-2012 kettenis

Set up ni_savedq for the initial BSS node such that it can actually be used
to store multicast frames when one of the associated stations is in power
saving mode.

ok stsp@


# 1.72 17-Aug-2012 stsp

Fix possible panic while switching from STA mode into hostap/ibss modes.
ieee80211_create_ibss() resets the set of supported rates but failed
to update the index into the rate set array accordingly. If the rate
configured during STA operation didn't belong to the newly configured
rate set the system ran into an assertion ("bogus xmit rate %u setup")
while trying to create the IBSS.
ok fgsch@


Revision tags: OPENBSD_5_2_BASE
# 1.71 18-Jul-2012 stsp

Print messages about nodes purged from the node cache if hostap/ibss modes are
compiled in and the interface is in debug mode. ok sthen


# 1.70 16-Jul-2012 stsp

Move increment of ic_nnodes closer to where the node is actually inserted
into the cache. Make sure we're at IPL_NET while incrementing/decrementing
ic_nnodes. Add a debug message that warns about possible node leaks.
All of this affects hostap mode only.


# 1.69 13-Jul-2012 stsp

Tweak node cache eviction strategy when the cache is full: kick off new nodes
in AUTH state that weren't active during the cache wait interval rather than
keeping them for the entire cache timeout interval. Fixes association failures
in noisy RF environments. Tested by edd and myself with a slow soekris
suffering from RF noise with about 50 interrupts per second on ral0.
ok deraadt


Revision tags: OPENBSD_5_1_BASE
# 1.68 25-Jan-2012 stsp

There is no need to explicitly skip ic_bss when iterating over cached nodes.
The ic_bss is never put into the RB tree.


# 1.67 25-Jan-2012 stsp

Clean inactive authenticated nodes during cache timeout as well.
There is no need to keep nodes cached which never associated and were
inactive within the last 5 minutes or more. Keeps the node cache pretty
clean in my environment with typical city-center wlan noise.


# 1.66 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@


# 1.65 21-Jan-2012 stsp

Hold interrupts blocked while comparing a cached node's refcount to zero
and freeing the node. Just in case an interrupt happens to ref the node after
the refcount was checked but before the node is freed.
Tested by several as part of a larger diff.


# 1.64 18-Jan-2012 stsp

Make it possible to free cached nodes which never associated (e.g. nodes
only scanning for networks). These were never put into COLLECT state and
were thus never evicted from the node cache in hostap mode.
ok jsg@


Revision tags: OPENBSD_5_0_BASE
# 1.63 28-Mar-2011 kettenis

Clean nodes until the number of cached nodes is smaller than the maximum number
of nodes, otherwise we'll never actually clean any nodes. Fixes issues with
clients failing to attach because the node cache is completely filled.

ok damien@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.62 07-Aug-2010 krw

No "\n" needed at the end of panic() strings.

Bogus chunks pointed out by matthew@ and miod@. No cookies for
marco@ and jasper@.

ok deraadt@ miod@ matthew@ jasper@ macro@


# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


# 1.60 19-Jun-2010 damien

In ieee80211_node_leave(), clear the associd after calling
ieee80211_node_leave_rsn() since ieee80211_node_leave_rsn()
calls ic_delete_key() and drivers like ral(4) RT2860 need
a valid associd in their delete_key callbacks.
This affects HostAP mode only.

from Nathanael Rensen.

remove a useless (nested) #ifndef IEEE80211_STA_ONLY while i'm here


# 1.59 14-Jun-2010 damien

fix my previous commit, i forgot BIP, so instead of enumerating
what is not supported as a group cipher, enumerate what is supported.


# 1.58 14-Jun-2010 damien

do not try to associate with an AP using an unsupported group cipher,
otherwise we will panic in ieee80211_add_rsn_body().

this may be the cause of a panic seen by reyk@ though i'm not 100% sure.


# 1.57 28-Mar-2010 krw

Four uses of uninitialized variables found by clang via jsg@. ar5416, ar9287
and athn are only theoretically interesting. ieee80211_node fixes a real
bug in occupied channel detection.

ok damien@


Revision tags: OPENBSD_4_7_BASE
# 1.56 17-Feb-2010 damien

Do not always create a new node when a beacon or a probe response
is received. The creation of a new node is already handled in
ieee80211_recv_probe_resp() when necessary.
This avoids creating empty nodes with wrong channels when beacons
are received on the wrong channel (overlapping channels).
Those empty nodes may also prevent the real node from being
discovered because of ieee80211_find_node_for_beacon() filtering.

This should prevent entries of the form:
nwid "" chan 3 bssid 00:01:02:03:04:05 0dB 54M
in "ifconfig if0 scan" output, like reported by Rivo Nurges.


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.55 29-Jan-2009 damien

fix a panic that occurs when IEEE80211_STA_ONLY is defined (SMALL_KERNEL).

noticed by ray@, more investigation from sthen@
fix tested by sthen@


# 1.54 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.53 28-Jan-2009 damien

In ieee80211_find_node(), roll our own RB_FIND() based on the key (macaddr)
instead of resorting to horrid hacks/casts.
Restore the ieee80211_node structure back to its original state.


# 1.52 27-Jan-2009 damien

unbreak SMALL_KERNEL builds by adding missing #ifndef IEEE80211_STA_ONLY

pointed out by krw@


# 1.51 26-Jan-2009 damien

move ni_macaddr field at the top of the ieee80211_node structure.
this way we can avoid putting a full node structure (which is huge)
on the stack in ieee80211_find_node().
this is a bit tricky but the RB_FIND macro wants an "elem" structure,
not a field of "elem".


# 1.50 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.49 14-Dec-2008 damien

Add an ieee80211_notify_dtim() function that drivers should call after
every DTIM in HostAP mode.
Flushes all group addressed MSDUs buffered at the AP for power management.


# 1.48 23-Oct-2008 mk

Prevent a crash in ieee80211_setkeys() when unplugging an interface in
hostap mode by canceling the group rekey timeout in ieee80211_node_detach().

ok damien


# 1.47 15-Oct-2008 blambert

Second pass of simple timeout_add -> timeout_add_sec conversions
This should take care of the simpler ones (i.e., timeout values of
integer multiples of hz).

ok krw@, art@


# 1.46 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.45 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.44 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.43 12-Aug-2008 damien

new SHA-256 based AKMPs.


# 1.42 12-Aug-2008 damien

add/process group integrity cipher suite in RSN IEs.
add support for MFP negotiation during association.


# 1.41 12-Aug-2008 damien

the only integrity group cipher currently supported is AES-128-CMAC.


# 1.40 12-Aug-2008 damien

generate a random IGTK in HostAP mode if we're MFP-capable.


# 1.39 12-Aug-2008 damien

get rid of the map_ptk()/map_gtk() functions, just inline them
which makes things easier to track.


Revision tags: OPENBSD_4_4_BASE
# 1.38 02-Aug-2008 damien

Drop frames that are received unencrypted when WEP is on or when
WPA is on and RX protection for TA is on.
Keep track of the TX/RX protection for each node when WPA is on.

tested by djm@ (ral+wpa), ckuethe@ (ath-noenc) and krw@ (wpi<->ral+wpa).
hints from bluhm@
has been in snaps for a few days.

pointed out by bluhm@ something like 1 year ago but we did not have
the right infrastructure to fix it properly at that time.

ok deraadt@


# 1.37 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.36 27-Jul-2008 damien

s/IEEE80211_DPRINTF/DPRINTF/
automatically prepend __func__ to output.

deobfuscates debug messages a bit.
no binary change unless compiled with IEEE80211_DEBUG.


# 1.35 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.34 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


# 1.33 21-Apr-2008 damien

move ieee80211_ibss_merge() from ieee80211_input.c to ieee80211_node.c


# 1.32 21-Apr-2008 damien

move ieee80211_auth_open() to ieee80211_proto.c
move ieee80211_setup_rates() to ieee80211_node.c
move some prototypes from ieee80211_proto.h to ieee80211_crypto.h


# 1.31 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.30 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.29 07-Sep-2007 damien

use new malloc M_ZERO flag + replace MALLOC with malloc


Revision tags: OPENBSD_4_2_BASE
# 1.28 06-Jul-2007 damien

remove remaining bits for pre-RSNA shared authmode support.
it has been #if 0'd since 3.9 and we have never supported this mode (no
ifconfig option etc...).


# 1.27 06-Jul-2007 damien

initialize an uninitialized variable.


# 1.26 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.25 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.24 16-Jun-2007 damien

constify


# 1.23 16-Jun-2007 damien

don't mix u_int{8,16,32}_t and uint{8,16,32}_t
use u_int{8,16,32}_t everywhere.


# 1.22 16-Jun-2007 damien

de-static

ok jsg@


# 1.21 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.20 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


# 1.19 10-Apr-2007 miod

``it's'' -> ``its'' when the grammar gods require this change.


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 13-Nov-2006 damien

fix a possible NULL deref.


Revision tags: OPENBSD_4_0_BASE
# 1.16 19-Jun-2006 reyk

unbreak the code if compiled with IEEE80211_DEBUG by using the right
node attribute.

ok damien@, figured out by claudio@


# 1.15 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.14 19-Feb-2006 damien

Fix a comment in ieee80211_next_scan().


# 1.13 09-Oct-2005 reyk

if the wireless hostap interface belongs to a bridge, learn the node's
address dynamically on this interface after successful association.
this could speed wireless roaming to openbsd accesspoints.

ok jason@, jsg@ can't see anything objectionable


# 1.12 07-Oct-2005 reyk

minor knf


# 1.11 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.10 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.9 08-Sep-2005 jsg

Remove the last of the FreeBSD compatibility goop.
ok reyk@


# 1.8 08-Sep-2005 jsg

Remove FreeBSD if_printf compat function from net80211.
ok reyk@


# 1.7 08-Sep-2005 reyk

reset the scan state for each new mode

ok jsg@


# 1.6 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.5 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.4 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.3 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.2 02-Nov-2004 millert

Don't call memset() if MALLOC returns NULL; also fix the rcs ID.
From Patrick Latifi; OK reyk@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.191 12-Jan-2022 stsp

Remove ieee80211_find_node_for_beacon().

The original purpose of ieee80211_find_node_for_beacon() was to avoid
storing duplicate nodes with the same source MAC address in a hash table.
Later on, our node table data structure was changed from a hash table
to an RB tree. The RB tree can only store a single node per MAC address.
However, find_node_for_beacon() was kept regardless, now documented to
serve a different purpose.

Its new purpose is to tell apart different nodes which happen to use
the same MAC address and hence cannot both be stored in the RB tree.
The idea is to filter such duplicate nodes out during a scan. But colliding
nodes are told apart by RSSI and channel, and either may change over time.
So this does not really prevent duplicate MAC addresses from causing issues.

The code which decides which node is "better" can erroneously match an
AP against itself, in case the AP uses a hidden SSID. This caused
workarounds for hidden SSID to pile up over time.
Just a bit further down, the code looks up the same node again and
performs all of the intended node state updates. Simply skipping the
ieee80211_find_node_for_beacon() check makes such state updates work.

ok tobhe@


# 1.190 07-Dec-2021 stsp

Teach the net80211 stack to remove corresponding frames from ic_pwrsaveq
when a power-saving client decides to leave our hostap interface.

Prevents a "key unset for sw crypto" panic as we try to send a frame
to a node which is in COLLECT state with its WPA keys already cleared.

We were already clearing the queue which buffers power-saved frames for
the client node. This queue is stored within the node structure itself.
However, the interface has another global queue for frames which need to
be transmitted by the driver to a set of nodes during the next DTIM.
We missed removing frames for a departing node from this global queue.

While here, add missing node refcount adjustments as frames get purged.

Problem reported by Mikolaj Kucharski, who tested this fix for more
than a week with athn(4), with no further panics observed.


# 1.189 03-Dec-2021 stsp

Introduce an optional driver-specific bgscan_done() handler which
allows the driver to take control of the roaming teardown sequence.
This handler allows drivers to ensure that race conditions between
firmware state and net80211 state are avoided, and will be used by
the iwm(4) and iwx(4) drivers soon.

Split the existing roaming teardown sequence into two steps, one step
for tearing down Tx block ack sessions which sends a DELBA frame, and a
second step for flushing Tx rings followed by sending a DEAUTH frame.
We used to queue both frames, expecting to switch APs once both were sent.
Now we effectively expect everything to be sent before we queue a final
DEAUTH frame, and wait for just this frame to be sent before switching.
This already made issues on iwm/iwx less frequent but by itself this was
not enough to close all races for those drivers. It should however help
when adding background scan support to a non-firmware device driver.

Tested, with driver patches:
iwm 8265: Aaron Poffenberger, stsp
iwm 9260: florian
iwm 9560: sthen
iwx ax200: jmc, stsp


# 1.188 03-Nov-2021 krw

In addition to the WEP key(s) being set at device initialization with
'nwid'/'nwkey', the keys will be set at random times when 'join'/'nwkey' is
used. So also stop trying to set IEEE80211_CIPHER_NONE keys on that path.

James Hastings confirms this fixes his '(null node)' panics on run(4). Thanks!

ok stsp@


# 1.187 08-Oct-2021 stsp

Revert my previous commit to ieee80211_node.c (CVS commit Hne35XgzezGa9zmv).

Sending frames from ieee80211_node_join_bss() won't work as expected.
I missed that IEEE80211_SEND_MGMT() calls if_start() immediately after
queueing the management frame. This means the probe request is being
sent in a state where, while ic_bss represents our new AP, the driver
did not yet have a chance to move the device over to our new AP.

The auth request for the new AP is sent from ieee80211_newstate() which
runs after the driver has reconfigured the device. If we want to send a
probe request to the new AP then we would need to send it at that point,
before the auth frame gets sent.


# 1.186 07-Oct-2021 stsp

Send a probe request to our new AP when we are about to roam to it.

Tested by fkr on iwx ax200/ax201 and myself on iwm 8265.
Also tested by florian and bket as part of a larger diff.

ok mpi@


Revision tags: OPENBSD_7_0_BASE
# 1.185 29-Apr-2021 stsp

Make iwn, iwm, and iwx keep track of beacon parameters at run-time.

- HT protection settings (this was already implemented)
- ERP (11g) protection setting
- short slottime setting
- short preamble setting
- EDCA (QoS) parameters

All of these parameters are communicated in beacons and hardware is
now kept up-to-date with them.

Prompted by a problem report from Christian Ehrhardt regarding ERP.

Tested:
iwn 6205: stsp, Josh Grosse
iwm 7265: trondd
iwm 8265: stsp, Matthias Schmidt
iwm 9260: phessler
iwx ax200: stsp, jmc, gnezdo


Revision tags: OPENBSD_6_9_BASE
# 1.184 15-Apr-2021 stsp

When starting an AP or IBSS network, reconfigure the operation mode to
11ac/n/a/g/b as applicable. Fixes an issue where hostap would end up
running in the rather meaningless MODE_AUTO unless a mode was explicitly
configured with ifconfig.

Found while investigating issues reported by trondd testing my athn RA patch.

ok deraadt@


# 1.183 10-Mar-2021 jsg

spelling

ok gnezdo@ semarie@ mpi@


Revision tags: OPENBSD_6_8_BASE
# 1.182 31-May-2020 stsp

Remove a dead assignment to ni_rsn_state in ieee80211_node_leave_rsn().

Patch by Mikolaj Kucharski


Revision tags: OPENBSD_6_7_BASE
# 1.181 05-May-2020 stsp

Purge the ic_bss->ni_savedq mbuf queue when a wireless interface goes down.

Purging this queue prevents a panic which occurs when a WPA2-enabled athn(4)
hostap interface is reconfigured while this queue contains frames.

In hostap mode, this queue contains group-addressed (broadcast) frames
which are buffered for clients sleeping in powersave state. Frames on
this queue are transmitted when it is time to send another beacon, at
which point in time sleeping clients wake up to receive such frames.

The panic message is "key unset for sw crypto", which can be explained as
follows: Group keys are cleared when the interface goes down. The beacon Tx
interrupt handler gets triggered by hardware when the interface comes back
up. This handler attempts to encrypt the queued frames for transmission,
resulting in the above panic since the group key has been zeroed out.

This panic has been observed with athn(4) by Jan Stary and Ted Patterson,
and Ted has confirmed that this patch fixes the problem.

ok kettenis@ (with the caveat that it's been a long time since he put our
AP-side powersave support into a working state)


# 1.180 08-Apr-2020 stsp

Fix ifconfig "media:" line for 11n wifi interfaces during and after bgscan.

Media was displayed as e.g. "autoselect (OFDM6)" even though 11n was active
because the current media mode is changed to AUTO for background scanning
and was never switched back to 11N.

ok mpi@ pirofti@


# 1.179 15-Jan-2020 phessler

If join is connected to an AP, remove the node from the cache so we properly
reconnect to the AP

OK stsp@


# 1.178 29-Dec-2019 stsp

If the new candidate AP found after a background scan has an RSSI level
that will also trigger background scans, remain with the current AP.
Avoids ping-pong in environments where APs are tuned for low transmit
range, such as 36c3.

ok phessler benno


# 1.177 10-Nov-2019 stsp

Stop connecting to available open wifi networks when the interface is put up.
From now on, this behaviour must be explicitly enabled with ifconfig join "".
ok sthen jcs deraadt


# 1.176 09-Nov-2019 stsp

Give access points which fail to AUTH or ASSOC less priority during
the next selection of networks from the join list. Prevents endless
attempts to connect to an AP which is out of reach but still somehow
manages to get a beacon or two across to us during scan.

Tested with wifi networks at the University of Bucharest.
Makes switching wifi networks possible after walking to a different
room without having to down/up the interface or suspend/resume.

ok phessler@


# 1.175 09-Nov-2019 stsp

Clear the unref callback function pointer when cleaning up an ieee80211_node.
ok mpi@


# 1.174 31-Oct-2019 stsp

Make background scans less frequent if we keep choosing the same AP.

This helps a bit in situations where a single AP is used and background scans
are causing packet loss, as seen with Jesper Wellin's Broadcom-based AP and my
Android phone in hotspot mode. This is not a proper fix but our background scan
frequency against a single AP was much higher than needed anyway.

Tested by jan, job, benno, Tracey Emery, Jesper Wallin


Revision tags: OPENBSD_6_6_BASE
# 1.173 02-Sep-2019 stsp

Make net80211 expose reasons for association failures to userland and have
ifconfig display them in 'scan' output and on the ieee80211 status line if
the failure is applicable to an already selected AP (e.g. wrong WPA key).

This will hopefully reduce the amount of help requests for what often
turn out to be trivial misconfiguration issues that were previously
hard to diagnose without debug mode.

ifconfig must be recompiled with the new ieee80211_ioctl.h to stay in
sync with the kernel. A full 'make build' will do the right thing!

Very helpful input by mpi@ and deraadt@


# 1.172 27-Aug-2019 stsp

Keep ieee80211_node structures cached across scans, rather than
wiping the entire cache every time a scan is triggered.

This has benefits for userland programs trying to look at scan results,
and for drivers which don't get a full view from hardware on every scan.

Nodes will still be evicted from the cache in one of several ways:

Add a new way of timing out inactive nodes which don't send a beacon
within 10 scan iterations, for client mode only. This should get rid
of stale APs if we're scanning for some time in a changing environment.

If we fail to associate a few times, the corresponding node is removed.

If net80211 transitions back to INIT state (e.g. because of a
user-initiated configuration change) all nodes are removed.

When a background scan starts all nodes will be removed. This could be
revisited later but has been intentionally left as-is for now.

Tested by myself, jmc@, benno@, procter@ on iwm(4), athn(4) and ral(4).


# 1.171 26-Aug-2019 stsp

remove redundant assignment to ic_curmode

This assignment to ic_curmode is redundant because it already occurs
inside ieee80211_setmode(), and channel information in selbs and ni
is equivalent after node_copy().

ok mpi@ kevlo@


# 1.170 29-Jul-2019 stsp

Add support for 802.11n Tx aggregation to net80211 and the iwn(4) driver.

In particular, add Tx block ack session management to net80211, with
enough functionality to support Tx aggregation on devices which perform
A-MPDU subframe scheduling in firmware.
Make use of the iwn(4) firmware Tx scheduler to build A-MPDUs.

net80211's QoS support code is now enabled and used by Tx aggregation.

A-MSDU frames inside A-MPDUs have been tested and work in principle.
For now, this feature is disabled because unfair TCP connection sharing
was observed during testing, where bursts of TCP Ack frames for a single
tcpbench(1) connection arriving in A-MSDUs made other TCP connections stall.
Switch off support for A-MSDUs inside A-MPDUs on the Rx side as well.

Tested on iwn chipsets 1000, 4965, 5100, 5300, 2200, 6200, 6205, 6300
(committed version of tested diff has all debug printfs removed)
tests/ok benno kmos mlarkin kevlo


# 1.169 23-Jul-2019 stsp

In 11n hostap mode, properly disable HT protection when needed
by actually overwriting the relevant bits in ni_htop1.
ok tedu@ phessler@ kettenis@


# 1.168 10-Jun-2019 stsp

Revised version of 'ifconfig mode' command fix.

The 'mode' command is supposed to force a wireless interface into 11a/b/g/n
media mode. This stopped working some time ago, probably during my work on
background scanning. Problem spotted by mlarkin@ who noticed that interfaces
were using 11g mode while forced to 11b mode.

ok phessler, jmatthew (earlier version)
relentless testing by krw@


# 1.167 31-May-2019 stsp

Revert my "Repair the 'ifconfig mode' command" commit.

The "recursion in end_scan()" problem is apparently still present in
the committed version of the diff (reported by krw@).


# 1.166 29-May-2019 stsp

Repair the 'ifconfig mode' command.

The 'mode' command is supposed to force a wireless interface into 11a/b/g/n
media mode. This stopped working some time ago, probably during my work on
background scanning. Problem spotted by mlarkin@ who noticed that interfaces
were using 11g mode while forced to 11b mode.

ok phessler, jmatthew


# 1.165 11-May-2019 stsp

Show driver name on net80211 scan debug lines.
ok mpi@


# 1.164 28-Apr-2019 mpi

Removes the KERNEL_LOCK() from bridge(4)'s output fast-path.

This redefines the ifp <-> bridge relationship. No lock can be
currently used across the multiples contexts where the bridge has
tentacles to protect a pointer, use an interface index.

Tested by various, ok dlg@, visa@


Revision tags: OPENBSD_6_5_BASE
# 1.163 15-Mar-2019 phessler

fix autojoin for WEP network by actually saving the WEP auth key

discovered while attempting to autojoin WEP networks


# 1.162 01-Mar-2019 stsp

Improve handling of HT protection for 'mode 11n' hostap.

Consider the mere presence of HTCAP IEs as indicator of 11n support,
rather than checking advertised Rx MCS. Fixes some devices being
misclassified as 11a/g, causing HT protection to be enabled even
though it is not needed.

Use CTS-to-self frames for HT protection instead of RTS/CTS.

These changes make my athn(4) AR9280 hostap perform much better.

ok phessler@


# 1.161 23-Jan-2019 stsp

Move 802.11n rateset definitions out of MiRA and make them available to
net80211 and drivers in general. Add ratesets for 'short guard interval'
(SGI) rates, and add SGI support to MiRA. SGI is currently only used by
iwm(4), and of course internally by bwfm(4) firmware.
Ratesets for 11n 40 MHz channels and 11ac will come later.
ok mpi@ phessler@


# 1.160 18-Jan-2019 phessler

add a len field when we delete an essid from the joinlist. this will have
us properly match, instead of hoping we got lucky when selecting it.

OK stsp@


# 1.159 18-Jan-2019 phessler

let users automatically use join to connect to any open wifi network.
if a known network is visible, always prefer that instead.

requested by many, OK stsp@


# 1.158 25-Nov-2018 phessler

print more details about the join'd networks we have saved when a user runs
ifconfig if joinlist

OK stsp@


# 1.157 20-Nov-2018 phessler

fix whitespace in debugging function


# 1.156 20-Nov-2018 patrick

The first packet received from each AP in each QoS class would be
dropped as the sequence number matches the initial value of the
cached last sequence number (zero). On some APs (notably Android
WIFI hotspots) this hits the first packet of the WPA2 4-way
handshake. This causes connection delays and in some cases
connection to the AP fails completely. Initialize the cached last
sequence numbers for received packets to an invalid value instead.

From Christian Ehrhardt
ok gerhard@ stsp@

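As an added illustration of the duplicate-detection problem described in revision 1.156 above (this is example code, not net80211's or the committer's), the following C model keeps a per-node, per-TID cache of the last accepted 12-bit 802.11 sequence number. A node whose cache starts at zero silently drops the very first frame carrying sequence number 0, exactly the case that hit the first 4-way handshake frame; a node whose cache starts at a value no frame can carry (0xffff, chosen for this example since sequence numbers are 12 bits wide) accepts that frame and still drops a genuine retransmission. The struct and function names and the sample frame list are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Added illustration (not net80211 code) of the receive-side duplicate
 * check discussed in revision 1.156: a per-node, per-TID cache of the
 * last accepted 802.11 sequence number.  Sequence numbers are 12 bits
 * (0..4095), so a 16-bit slot can hold a value no real frame carries.
 */
#define NUM_TIDS    16          /* QoS traffic identifiers 0..15 */
#define SEQ_MASK    0x0fff      /* 12-bit sequence number */
#define SEQ_INVALID 0xffffU     /* constructed sentinel: nothing received yet */

struct rx_node {
	uint16_t last_seq[NUM_TIDS];
};

/* Before the fix: the cache starts at zero, which is a legal sequence number. */
void
node_init_zero(struct rx_node *ni)
{
	memset(ni->last_seq, 0, sizeof(ni->last_seq));
}

/* After the fix: the cache starts at a value no frame can match. */
void
node_init_invalid(struct rx_node *ni)
{
	int i;

	for (i = 0; i < NUM_TIDS; i++)
		ni->last_seq[i] = SEQ_INVALID;
}

/* Extract the 12-bit sequence number from a 16-bit sequence control field. */
uint16_t
seqctl_to_seq(uint16_t seqctl)
{
	return (seqctl >> 4) & SEQ_MASK;
}

/*
 * Simplified duplicate check (no Retry-bit or fragment handling): drop the
 * frame if it repeats the last sequence number seen on this TID, otherwise
 * record it.  Returns true when the frame should be dropped.
 */
bool
rx_is_duplicate(struct rx_node *ni, int tid, uint16_t seqctl)
{
	uint16_t seq = seqctl_to_seq(seqctl);

	if (tid < 0 || tid >= NUM_TIDS)
		return true;	/* malformed TID: never accept */
	if (ni->last_seq[tid] == seq)
		return true;
	ni->last_seq[tid] = seq;
	return false;
}

struct frame {
	int tid;
	uint16_t seqctl;
};

/*
 * Feed a constructed frame list through a freshly initialised node and
 * return how many frames were accepted.
 */
size_t
count_accepted(bool init_invalid, const struct frame *frames, size_t n)
{
	struct rx_node ni;
	size_t i, accepted = 0;

	if (init_invalid)
		node_init_invalid(&ni);
	else
		node_init_zero(&ni);
	for (i = 0; i < n; i++)
		if (!rx_is_duplicate(&ni, frames[i].tid, frames[i].seqctl))
			accepted++;
	return accepted;
}

/*
 * Constructed sample: an AP whose counter starts at 0 sends the first
 * handshake frame as seq 0 on TID 0, then three data frames, one of them
 * retransmitted (the same sequence number twice in a row).
 */
const struct frame sample_frames[] = {
	{ 0, 0x0000 },	/* seq 0: the frame the zero-initialised cache drops */
	{ 0, 0x0010 },	/* seq 1 */
	{ 0, 0x0020 },	/* seq 2 */
	{ 0, 0x0020 },	/* seq 2 again: a genuine retransmission */
	{ 0, 0x0030 },	/* seq 3 */
};
const size_t sample_nframes = sizeof(sample_frames) / sizeof(sample_frames[0]);

size_t accepted_before_fix(void) { return count_accepted(false, sample_frames, sample_nframes); }
size_t accepted_after_fix(void)  { return count_accepted(true, sample_frames, sample_nframes); }
```

With the sample above the zero-initialised node accepts 3 of the 5 frames and the sentinel-initialised node accepts 4; the only frame dropped after the fix is the real retransmission. A complete receive path also has to look at the Retry bit and fragment numbers; this model isolates the initialisation issue the commit fixes.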

# 1.155 27-Oct-2018 phessler

pass around the ess and ni structures we plan to use directly, instead
of rediscovering them (possibly badly).

OK stsp@


# 1.154 27-Oct-2018 phessler

clean up accounting of the AUTO_JOIN flag by making sure it is set or cleared
based on the state of the joinlist

OK stsp@


# 1.153 27-Oct-2018 phessler

don't join to a network where we expect cleartext, and the AP is using crypto

OK stsp@


Revision tags: OPENBSD_6_4_BASE
# 1.152 18-Sep-2018 mestre

fix memory leak in ieee80211_end_scan()

OK phessler@ jsg@


# 1.151 17-Sep-2018 jsg

fix memory leaks in ieee80211_add_ess()
ok stsp@ phessler@


# 1.150 11-Sep-2018 phessler

use the format string for signed ints, for signed ints

reminded by stsp@


# 1.149 11-Sep-2018 phessler

With the interface debug flag enabled, print a "score" for each AP we
consider during auto-join. This can help users determine why a specific
network was chosen.

OK stsp@


# 1.148 10-Sep-2018 phessler

fix typo in the length of the essid we want to switch to

found with and OK stsp@


# 1.147 10-Sep-2018 phessler

extract clearing WEP/WPA in ess into helper functions


# 1.146 10-Sep-2018 phessler

give set_ess a len variable, so we can correctly match the essid we want
to switch to.

pointed out by stsp@


# 1.145 09-Sep-2018 phessler

convert the things we save in 'join' into a single ioctl. mixing related
settings over multiple calls was risky and racy. Pass essid, wpa, and wep
parameters in a single ioctl and process it atomically.

no change for 'nwid' users

OK stsp@ benno@


# 1.144 06-Sep-2018 jsg

fix whitespace


# 1.143 01-Sep-2018 stsp

Make 'ifconfig nwid' override 'ifconfig join'.

There was no way to override a decision made by join's network
selection algorithm (apart from disabling the feature by clearing
the join list). Automatic selection is based on heuristics which
cannot always guess correctly so we need to provide an override.

One specific problem was that if 'nwid foo' and 'nwid bar' were
both visible in the scan and only 'nwid foo' was a member of the
join list, then there was no way at all to connect to 'nwid bar'.
The wireless stack would keep selecting 'nwid foo' instead.

'ifconfig iwm0 nwid bar' command will now disable automatic
network selection and force the use of ESSID 'bar'.
Any of these commands will re-enable automatic network selection:
ifconfig iwm0 -nwid
ifconfig iwm0 nwid ''
ifconfig iwm0 join some-network-id

ok phessler@ deraadt@


# 1.142 15-Aug-2018 stsp

Update AP selection heuristics for auto-join.

We now prefer stronger crypto over weaker crypto over none, prefer 5 GHz
band with reasonable RSSI, and use RSSI as a tie-breaker with a slight
advantage for 5GHz. Candidate APs are now ranked by a score which is
calculated based on these attributes.

There is likely room for improvements to make these heuristics
work well across many different environments, but it's a start.

ok phessler@


# 1.141 13-Aug-2018 stsp

Add support for band-steering access points to net80211.

Some access points have a feature called "band steering" where they
will try to push clients from 2 GHz channels to 5 GHz channels.
If a client sends probe-requests on both 2 GHz and 5GHz channels, and
then attempts to authenticate on a 2 GHz channel, such APs will deny
authentication and hope that the client will come back on a 5 GHz channel.

So if we fail to AUTH for any reason, and if there is a different
AP with the same ESSID that we haven't tried yet, try that AP next.
Keep trying until no APs are left, and only then continue scanning.

APs with support for this feature were provided by Mischa Peters.

ok phessler@ mpi@


# 1.140 11-Aug-2018 stsp

Add comment explaining why we read basic MCS set only from beacon/probereq.
requested by mpi@


# 1.139 07-Aug-2018 stsp

Ignore basic MCS set information found in association responses.

Some APs (Aruba 105) send a bogus basic MCS set in assoc responses
which prevents us from enabling 11n support with those APs, while
these APs still behave as if we were an 11n client which renders
the association unusable.

The basic MCS set is already provided in beacons anyway, and the
802.11 2012 standard says the basic MCS set is reserved in frames
other than beacons (see Table 8-130).

ok mpi@


# 1.138 06-Aug-2018 stsp

Refactor ieee80211_add_ess():

Drop ieee80211_add_ess's nwid parameter. Read nwid and length directly
from the ic to make it more obvious where this function is reading from.

nwids are binary data with an explicit length, so treat them as such
instead of treating them like strings.

ok florian phessler


# 1.137 06-Aug-2018 florian

Do not set nwid over and over again. We just found the ess by comparing
the nwid. It will not have changed in the meantime.
OK stsp


# 1.136 03-Aug-2018 phessler

revert 1.133 and part of 1.131
the stack doesn't always fill in the parameters correctly

reported by many


# 1.135 30-Jul-2018 stsp

Don't ask drivers to join a wifi network before an AP has been chosen.
Should fix a panic with bwfm(4) reported by mlarkin@
ok phessler@


# 1.134 19-Jul-2018 florian

ieee80211_ess_is_better() returns 0 or 1, comparing > 1 is always
false so we always selected the first wifi available, not the best
one.

While here shuffle some deck chairs to make it clearer that anything is
better than nothing.

tweak & OK phessler


# 1.133 16-Jul-2018 phessler

the AP sends their crypto parameters as a mask, so let us still select it
in case we want WPA2 and they have WPA1 still enabled


# 1.132 16-Jul-2018 phessler

don't save or use auto-join when the card is not in station (aka client) mode

OK stsp@


# 1.131 13-Jul-2018 phessler

Some more checks before auto-join switches networks.

Make sure all of the crypto options the AP announces matches what we
would configure. While here, don't switch if the user has specified
a specific BSSID, and the new AP does not match.

OK stsp@


# 1.130 11-Jul-2018 phessler

Introduce 'auto-join' to the wifi 802.11 stack.

This allows a system to remember which ESSIDs it wants to connect to, any
relevant security configuration, and switch to it when the network we are
currently connected to is no longer available.

Works when connecting and switching between WPA2/WPA1/WEP/clear encryptions.

example hostname.if:
join home wpakey password
join work wpakey mekmitasdigoat
join open-lounge
join cafe wpakey cafe2018
join "wepnetwork" nwkey "12345"
dhcp
inet6 autoconf
up

OK stsp@ reyk@
and enthusiasm from every hackroom I've been in for the last 3 years


# 1.129 28-Apr-2018 stsp

When starting a background scan, free the nodes table to ensure we
get an up-to-date view of APs around us. In particular, we need to
kick out the AP we are associated to. Otherwise, our current AP might
stay cached if it is turned off while we are scanning, and we could
end up picking a now non-existent but "good looking" AP over and over.

found with and ok phessler@


# 1.128 27-Apr-2018 stsp

Fix the scan loop: We were only looking for an AP once and stopped
scanning if none was found.
Accidentally broken in recent ifconfig scan changes by pirofti and me.
ok pirofti


# 1.127 26-Apr-2018 pirofti

net80211: stub SIOCS80211SCAN, make ifconfig scan instant.

The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stsp@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.

The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.

In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.

The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...

Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.

Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).

Tested by mpi@, landry@, florian@, thanks!
OK mpi@.


Revision tags: OPENBSD_6_3_BASE
# 1.126 06-Feb-2018 phessler

convert the test if a node supports HT (aka, 11n) into an inline function,
instead of testing some un-obvious bitfield

OK stsp@


# 1.125 12-Dec-2017 stsp

Don't dereference IEEE80211_CHAN_ANYC pointer in ieee80211_node_checkrssi().

Problem reported by Gregoire Jadi on bugs@


# 1.124 12-Dec-2017 phessler

Allow interfaces that aren't SCANNALLBAND drivers to benefit from the
strongest received signal.

OK stsp@


# 1.123 12-Dec-2017 jcs

Fix the behavior of preferring weaker-but-still-good 5GHz APs over
2GHz APs because the 5GHz band is generally less saturated.

The previous implementation was dependent upon the order of walking
APs.

ok stsp


# 1.122 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


Revision tags: OPENBSD_6_2_BASE
# 1.121 05-Sep-2017 stsp

When starting a new scan always set the mode to AUTO if the driver scans
all bands at once. Fixes a problem where e.g. 5GHz APs were filtered out
if we were previously associated to an 11g-only AP.
ok mpi@ phessler@


# 1.120 17-Aug-2017 stsp

Add an entry to dmesg if pairwise WPA keys arrive unexpectedly or if WPA
group keys are being reused. OpenBSD wireless clients will now leave a
trail of such events in their message log.

There has been increased public scrutiny of WPA's security recently, so
I am curious to see if anyone is attempting replay attacks in the wild.

ok deraadt


# 1.119 04-Aug-2017 stsp

Compile a debug printf in ieee80211_match_bss() by default, previously
guarded by the IEEE80211_DEBUG preprocessor flag. This shows one line
per detected AP after a scan, and indicates which APs are considered
candidates for association.
Shorten the output a bit to fit into 80 columns more likely.
ok sthen@


# 1.118 19-Jul-2017 stsp

Improve the heuristic which selects 5GHz APs over 2GHz APs.

The previous code wasn't quite right: it didn't account for the fact that
some drivers don't set ic_max_rssi, and it compared 5GHz APs to a threshold
relative to the max RSSI, rather than comparing RSSI on 5GHz relative to
RSSI on 2GHz.

This heuristic is only used by SCANNALLBAND drivers: iwn(4), iwm(4), wpi(4)

In the future the AP selection heuristic should be made more intelligent,
e.g. it should take BSS load information in beacons into account.
Another open problem is inconsistent representation of RSSI measurement
values throughout our drivers and stack. Help is welcome!

For now, this hopefully improves AP selection at busy airports.

ok sthen@ deraadt@


# 1.117 04-Jun-2017 tb

Add sizes for free for the RSN IEs. Rewrite ieee80211_save_ie() slightly
to make it more readable.

help, many explanations and ok stsp


# 1.116 03-Jun-2017 tb

Add a few sizes to free().

Input, help & ok stsp


Revision tags: OPENBSD_6_1_BASE
# 1.115 04-Mar-2017 stsp

branches: 1.115.4;
In 11n hostap mode, dynamically adjust HT protection settings based on
the presence of non-HT nodes in the node cache.
OpenBSD 11n APs will now disable HT protection if it is not necessary.
ok mpi@


# 1.114 03-Feb-2017 stsp

Fix 11b clients sending bogus ratesets in association requests. The common
rateset with the AP is calculated only after the association response was
received, which is too late. Fix rates when an AP is selected after a scan.
ok mpi@ tb@


# 1.113 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.112 16-Jan-2017 stsp

Reset block ack state and cancel related timeouts when a HT node disassociates.
The existing code (from damien@) already took care of freeing related buffers
but because block ack state was not reset we were still trying to use these
buffers if the node sent another A-MPDU. This problem only affects 11n hostap.
Fixes kernel crash reported by Timo Myyra on bugs@


# 1.111 09-Jan-2017 stsp

When a HT node leaves or reassociates as a non-HT node,
clear HT capabilities stored in its node cache object.

A node may switch from 11n mode to 11a/b/g mode.
If we don't clear HT capabilities from the cache the node will
be mistaken as 11n-capable after reassociation.

ok phessler@ mpi@


# 1.110 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.109 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.108 09-Jan-2017 stsp

The point of ieee80211_node_leave() is to place the node in COLLECT state.
Return early and do nothing if the node is already in COLLECT state upon
entry to this function.


# 1.107 09-Jan-2017 stsp

When acting as hostap, negotiate HT before calling the driver's ic_newassoc()
function, not afterwards. Drivers now know whether a joining node supports HT
which helps with setting up state such as which Tx rate to use.


# 1.106 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@


# 1.105 15-Sep-2016 dlg

move from RB macros to the RBT functions.

shaves about 5k off an amd64 GENERIC.MP kernel


# 1.104 17-Aug-2016 stsp

If a wireless device or driver scans all bands at once give 5GHz APs
a slight priority in cases where good matches exist in either band.
ok sthen@


Revision tags: OPENBSD_6_0_BASE
# 1.103 21-May-2016 stsp

branches: 1.103.2;
Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


# 1.102 18-May-2016 stsp

In hostap mode, don't re-use association IDs (AIDs) of nodes which are
still lingering in the node cache. This could cause an AID to be assigned
twice, once to a newly associated node and once to a different node in
COLLECT cache state (i.e. marked for future eviction from the node cache).

Drivers (e.g. rt2860) may use AIDs to keep track of nodes in firmware
tables and get confused when AIDs aren't unique across the node cache.
The symptom observed with rt2860 was nodes stuck at 1 Mbps Tx rate since
the duplicate AID made the driver perform Tx rate (AMRR) accounting on
the wrong node object.

To find out if a node is associated we now check the node's cache state,
rather than comparing the node's AID against zero. An AID is assigned when
a node associates and it lasts until the node is eventually purged from the
node cache (previously, the AID was made available for re-use when the node
was placed in COLLECT state). There is no need to be stingy with AIDs since
the number of possible AIDs exceeds the maximum number of nodes in the cache.

Problem found by Nathanael Rensen.
Fix written by Nathanael and myself. Tested by Nathanael.
Committing now to get this change tested across as many drivers as possible.
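
The AID handling described in this commit message, as an added example that is not OpenBSD's own code: a small simulated node cache in which association is a property of the node's cache state rather than of aid != 0, and in which an AID stays reserved while its node is still cached in any state, COLLECT included. The node and cache types, CACHE_MAX (taken from the "never more than 100 nodes" remark in commit 1.113 above) and the function names are constructed for the example; 2007 is the largest AID 802.11 allows.

```c
/* Added example, not OpenBSD code: pick an association ID (AID) for a newly
 * associating station without reusing the AID of any node still held in the
 * node cache, including nodes already placed in COLLECT state. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define AID_MAX    2007  /* largest AID allowed by 802.11 */
#define CACHE_MAX  100   /* assumed cache bound, after commit 1.113 */

enum node_state { NODE_CACHE, NODE_AUTH, NODE_ASSOC, NODE_COLLECT };

struct node {
    enum node_state state;
    uint16_t        aid;   /* 0 = never assigned */
};

struct node_cache {
    struct node nodes[CACHE_MAX];
    int         count;
};

/* Association is a property of the cache state, not of aid != 0:
 * a COLLECT node keeps its AID until it is purged from the cache. */
bool node_is_associated(const struct node *ni)
{
    return ni->state == NODE_ASSOC;
}

/* Return the lowest free AID in [1, AID_MAX], or 0 if all are taken.
 * "Free" means no cached node, whatever its state, currently holds it. */
uint16_t aid_alloc(const struct node_cache *nc)
{
    uint8_t used[(AID_MAX + 1 + 7) / 8];   /* bit i set => AID i in use */
    memset(used, 0, sizeof used);
    for (int i = 0; i < nc->count; i++) {
        uint16_t aid = nc->nodes[i].aid;
        if (aid != 0 && aid <= AID_MAX)
            used[aid / 8] |= (uint8_t)(1u << (aid % 8));
    }
    for (uint16_t aid = 1; aid <= AID_MAX; aid++)
        if (!(used[aid / 8] & (1u << (aid % 8))))
            return aid;
    return 0;
}

/* Associate a new node: allocate its AID and insert it into the cache. */
bool node_associate(struct node_cache *nc, struct node *out)
{
    if (nc->count >= CACHE_MAX)
        return false;
    uint16_t aid = aid_alloc(nc);
    if (aid == 0)
        return false;
    struct node *ni = &nc->nodes[nc->count++];
    ni->state = NODE_ASSOC;
    ni->aid = aid;
    if (out)
        *out = *ni;
    return true;
}

/* Constructed scenario: A associates (AID 1), then leaves and is marked
 * COLLECT but stays cached. B, associating next, must not receive AID 1. */
uint16_t demo_collect_node_keeps_aid(void)
{
    struct node_cache nc = { .count = 0 };
    struct node a, b;
    node_associate(&nc, &a);            /* a.aid == 1 */
    nc.nodes[0].state = NODE_COLLECT;   /* A left but is still cached */
    node_associate(&nc, &b);
    return b.aid;                       /* 2 */
}

/* Once A is actually purged from the cache, its AID is available again. */
uint16_t demo_purged_node_frees_aid(void)
{
    struct node_cache nc = { .count = 0 };
    struct node a, b;
    node_associate(&nc, &a);
    nc.count = 0;                       /* purge A entirely */
    node_associate(&nc, &b);
    return b.aid;                       /* 1 */
}

/* A COLLECT node still has aid != 0 yet is not associated. */
int demo_collect_not_associated(void)
{
    struct node_cache nc = { .count = 0 };
    struct node a;
    node_associate(&nc, &a);
    nc.nodes[0].state = NODE_COLLECT;
    return nc.nodes[0].aid != 0 && !node_is_associated(&nc.nodes[0]);
}
```

The bitmap scan is O(AID_MAX + cache size) per association, which is negligible at this scale; the point is that the set of reserved AIDs is derived from the cache contents each time rather than from a separately maintained counter, the same reasoning commit 1.113 applies to per-property node counts.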


# 1.101 12-Apr-2016 mpi

Call if_enqueue() and if_start() instead of dereferencing the ifp
pointers.

These functions have been introduced to abstract some of the MP-
safeness^Wmadness and should be used everywhere.

Prodded by a comment from jsg@.

ok mikeb@, stsp@


# 1.100 03-Mar-2016 gerhard

Restore assignment of ic_curmode that was accidentally removed when
moving the ERP code to post-assoc phase. Fixes iwi(4) fatal firmware
errors.

ok stsp@, sobrado@


Revision tags: OPENBSD_5_9_BASE
# 1.99 25-Jan-2016 stsp

branches: 1.99.2;
Honour ERP protection on 2 GHz channels in 11n mode, as done for 11g.
ok millert@


# 1.98 25-Jan-2016 stsp

Don't try to interpret htprot data if the last beacon didn't contain such data.
ok mpi@ millert@


# 1.97 07-Jan-2016 stsp

Make the A-MPDU reordering buffer more resilient against APs which drop
some subframes or let the sequence number jump up by more than 1 (hard
to tell which it is). We decrease the BA inactivity timeout for quicker
recovery from stalled BA sessions, and add a new timeout which keeps track
of gaps in the subframe sequence number space due to dropped frames.
Gaps expire after 500 msec, the same value FreeBSD uses for their
implementation of this workaround. And Linux uses this trick, too.

This should fix network stalls some people have been seeing in 11n mode.

ok deraadt@


# 1.96 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.95 04-Jan-2016 stsp

While configuring ERP we need to know if we're in 11a or 11g mode so only
configure ERP once we are sure about our operation mode against the AP.
ok sthen jasper kettenis deraadt mpi


# 1.94 18-Dec-2015 sthen

unnoccupied->unoccupied


# 1.93 12-Dec-2015 stsp

Finish support for receiving 11n A-MPDUs.

The initial implementation was added by damien@ years ago.
Summary of the changes made in this commit:
- In ieee80211_input(), process A-MPDUs before duplicate detection.
- Don't forget to set ba->ba_ni in ieee80211_recv_addba_req()
so we don't crash in ieee80211_rx_ba_timeout().
- In ieee80211_recv_addba_req(), tweak the logic to deny BlockAck
requests if the driver has no callback for doing so.
- Implement ieee80211_ba_del() which cleans up BlockAck state.
- Increase the minimum and maximum lifetime for BlockAck agreements.

ok mpi@


# 1.92 24-Nov-2015 mpi

No need to include <net/if_arp.h>

This header is only needed because <netinet/if_ether.h> declares a
structure that needs it. But it turns out that <net/if.h> already
includes it as workaround.

A proper solution would be to stop declaring "struct ether_arp"
there. But no driver should need this header.


# 1.91 15-Nov-2015 stsp

Parse 11n HT capabilities and operational info from association response
frames, negotiate HT with the AP, and move the interface into or out of
11n mode accordingly. If running as AP negotiate HT with nodes joining the BSS.

ok deraadt mpi kettenis guenther


# 1.90 15-Nov-2015 stsp

Extend struct ieee80211_node with fields for 11n STA HT capabilities and
HT operational information sent by 11n APs. These fields reflect the structure
of elements in management frames so that IEEE80211_HTCAP* and IEEE80211_HTOP*
macros designed to operate on frame elements can be used directly to read
or set the fields.

Populate nodes with HT information received in probe responses, probe
requests, and association requests.

ok deraadt mpi phessler kettenis guenther


# 1.89 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


Revision tags: OPENBSD_5_8_BASE
# 1.88 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.87 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.86 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.85 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.84 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.83 12-Sep-2014 sthen

Remove cached 802.11 nodes in IEEE80211_STA_CACHE state (these are nodes
which have been seen but which haven't otherwise interacted with us), fixing
a problem where old cached nodes are seen when doing a scan.
From Marcin Piotr Pawlowski, feedback stsp@ ok kspillner@ dcoppa@


# 1.82 08-Aug-2014 jasper

use nitems() instead of various local constructs

ok stsp@


Revision tags: OPENBSD_5_6_BASE
# 1.81 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


Revision tags: OPENBSD_5_5_BASE
# 1.80 01-Dec-2013 stsp

Reset txrate array index after changing a node's rate list.
Should prevent "bogus xmit rate %d setup" panics, which I ran into again
in IBSS mode.
ok kettenis


# 1.79 21-Nov-2013 mpi

Remove unneeded include.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.78 24-Mar-2013 claudio

Make ieee80211_set_tim() available from outside of ieee80211_node.c
so drivers like acx(4) can use that function directly instead of
reimplementing the function again. Requested by kettenis@ a long time ago.


Revision tags: OPENBSD_5_3_BASE
# 1.77 07-Nov-2012 stsp

Fix DPRINTF() format string treating n->ni_refcnt, which is unsigned, as signed.
diff from dhill; ok kettenis reyk


# 1.76 10-Oct-2012 kettenis

Clear the powersave flag and purge queued packets when a node leaves the AP
(either by disassociating or by timeout). Fixes (most) remaining issues with
power saving.

From Nathanael Rensen.

ok claudio@, krw@, sthen@


# 1.75 05-Oct-2012 camield

Point an interface directly to its bridgeport configuration, instead
of to the bridge itself. This is ok, since an interface can only be part
of one bridge, and the parent bridge is easy to find from the bridgeport.

This way we can get rid of a lot of list walks, improving performance
and shortening the code.

ok henning stsp sthen reyk


# 1.74 20-Sep-2012 stsp

Nuke M_80211_NODE #define which mapped to M_DEVBUF and use M_DEVBUF directly.
ok henning


# 1.73 25-Aug-2012 kettenis

Set up ni_savedq for the initial BSS node such that it can actually be used
to store multicast frames when one of the associated stations is in power
saving mode.

ok stsp@


# 1.72 17-Aug-2012 stsp

Fix possible panic while switching from STA mode into hostap/ibss modes.
ieee80211_create_ibss() resets the set of supported rates but failed
to update the index into the rate set array accordingly. If the rate
configured during STA operation didn't belong to the newly configured
rate set the system ran into an assertion ("bogus xmit rate %u setup")
while trying to create the IBSS.
ok fgsch@


Revision tags: OPENBSD_5_2_BASE
# 1.71 18-Jul-2012 stsp

Print messages about nodes purged from the node cache if hostap/ibss modes are
compiled in and the interface is in debug mode. ok sthen


# 1.70 16-Jul-2012 stsp

Move increment of ic_nnodes closer to where the node is actually inserted
into the cache. Make sure we're at IPL_NET while incrementing/decrementing
ic_nnodes. Add a debug message that warns about possible node leaks.
All of this affects hostap mode only.


# 1.69 13-Jul-2012 stsp

Tweak node cache eviction strategy when the cache is full: kick off new nodes
in AUTH state that weren't active during the cache wait interval rather than
keeping them for the entire cache timeout interval. Fixes association failures
in noisy RF environments. Tested by edd and myself with a slow soekris
suffering from RF noise with about 50 interrupts per second on ral0.
ok deraadt


Revision tags: OPENBSD_5_1_BASE
# 1.68 25-Jan-2012 stsp

There is no need to explicitly skip ic_bss when iterating over cached nodes.
The ic_bss is never put into the RB tree.


# 1.67 25-Jan-2012 stsp

Clean inactive authenticated nodes during cache timeout as well.
There is no need to keep nodes cached which never associated and were
inactive within the last 5 minutes or more. Keeps the node cache pretty
clean in my environment with typical city-center wlan noise.


# 1.66 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@
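
The cache hygiene rules described in commits 1.66 and 1.67 and the eviction tweak in 1.69 above, as one added example that is not OpenBSD's ieee80211_node.c code. The 5-minute inactivity threshold and the victim preference order are taken from the messages; the node type, the function names and the 60-second CACHE_WAIT_SECS value are assumptions made for the example.

```c
/* Added example, not OpenBSD code: hostap node-cache maintenance along the
 * lines of commits 1.66, 1.67 and 1.69. Timestamps are in seconds. */
#include <stdbool.h>
#include <stdint.h>

#define INACT_SECS      (5 * 60)  /* inactive after 5 minutes without a frame */
#define CACHE_WAIT_SECS 60        /* assumed length of the cache wait interval */

enum nstate { ST_CACHE, ST_AUTH, ST_ASSOC, ST_COLLECT };

struct cnode {
    enum nstate state;
    uint32_t    last_frame;  /* time of last frame sent to or received from it */
    bool        valid;       /* false once evicted */
};

static bool inactive_for(const struct cnode *c, uint32_t now, uint32_t secs)
{
    return now - c->last_frame >= secs;
}

/* Hourly cleanup: drop nodes that never associated and have been inactive
 * for INACT_SECS, i.e. never-interacted CACHE nodes (1.66) and stale AUTH
 * nodes (1.67). Associated nodes are left alone. Returns the number removed. */
int cache_clean_periodic(struct cnode *nodes, int n, uint32_t now)
{
    int removed = 0;
    for (int i = 0; i < n; i++) {
        struct cnode *c = &nodes[i];
        if (!c->valid)
            continue;
        if ((c->state == ST_CACHE || c->state == ST_AUTH) &&
            inactive_for(c, now, INACT_SECS)) {
            c->valid = false;
            removed++;
        }
    }
    return removed;
}

/* The cache is full and one slot is needed. Preference order:
 *   1. any CACHE-state node, active or not (1.66);
 *   2. an AUTH node silent for the whole cache wait interval (1.69);
 *   3. an AUTH or ASSOC node inactive for INACT_SECS (1.66).
 * Returns the victim's index, or -1 if nothing may be evicted. */
int cache_pick_victim(const struct cnode *nodes, int n, uint32_t now)
{
    int stale_auth = -1, inactive = -1;
    for (int i = 0; i < n; i++) {
        const struct cnode *c = &nodes[i];
        if (!c->valid)
            continue;
        if (c->state == ST_CACHE)
            return i;
        if (c->state == ST_AUTH && stale_auth < 0 &&
            inactive_for(c, now, CACHE_WAIT_SECS))
            stale_auth = i;
        if ((c->state == ST_AUTH || c->state == ST_ASSOC) && inactive < 0 &&
            inactive_for(c, now, INACT_SECS))
            inactive = i;
    }
    return stale_auth >= 0 ? stale_auth : inactive;
}

/* Constructed full cache: an AUTH node that went quiet after authenticating
 * (noisy RF, 1.69) is evicted before a long-inactive associated client. */
int demo_victim_prefers_stale_auth(void)
{
    uint32_t now = 10000;
    struct cnode nodes[4] = {
        { ST_ASSOC, now - 10,  true },  /* active client */
        { ST_AUTH,  now - 5,   true },  /* authenticating right now */
        { ST_AUTH,  now - 120, true },  /* authenticated, silent 2 min */
        { ST_ASSOC, now - 400, true },  /* associated, inactive > 5 min */
    };
    return cache_pick_victim(nodes, 4, now);   /* 2 */
}

/* A CACHE-state node is always the first choice, even if recently seen. */
int demo_victim_cache_first(void)
{
    uint32_t now = 10000;
    struct cnode nodes[3] = {
        { ST_ASSOC, now - 400, true },
        { ST_CACHE, now - 1,   true },
        { ST_AUTH,  now - 400, true },
    };
    return cache_pick_victim(nodes, 3, now);   /* 1 */
}

/* Hourly pass removes the stale CACHE and AUTH nodes only. */
int demo_periodic_clean_count(void)
{
    uint32_t now = 10000;
    struct cnode nodes[4] = {
        { ST_CACHE, now - 400, true },
        { ST_AUTH,  now - 400, true },
        { ST_ASSOC, now - 400, true },
        { ST_CACHE, now - 10,  true },
    };
    return cache_clean_periodic(nodes, 4, now);   /* 2 */
}
```

The defensive property worth noting is that the victim selection never needs the cache to be empty of associated clients: a flood of stations that authenticate but never finish association (the noisy-RF case in 1.69, or the completely filled cache in 1.63 below) is drained from the AUTH pool first, so legitimate associated nodes stay cached.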


# 1.65 21-Jan-2012 stsp

Hold interrupts blocked while comparing a cached node's refcount to zero
and freeing the node. Just in case an interrupt happens to ref the node after
the refcount was checked but before the node is freed.
Tested by several as part of a larger diff.


# 1.64 18-Jan-2012 stsp

Make it possible to free cached nodes which never associated (e.g. nodes
only scanning for networks). These were never put into COLLECT state and
were thus never evicted from the node cache in hostap mode.
ok jsg@


Revision tags: OPENBSD_5_0_BASE
# 1.63 28-Mar-2011 kettenis

Clean nodes until the number of cached nodes is smaller than the maximum number
of nodes, otherwise we'll never actually clean any nodes. Fixes issues with
clients failing to attach because the node cache is completely filled.

ok damien@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.62 07-Aug-2010 krw

No "\n" needed at the end of panic() strings.

Bogus chunks pointed out by matthew@ and miod@. No cookies for
marco@ and jasper@.

ok deraadt@ miod@ matthew@ jasper@ marco@


# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


# 1.60 19-Jun-2010 damien

In ieee80211_node_leave(), clear the associd after calling
ieee80211_node_leave_rsn() since ieee80211_node_leave_rsn()
calls ic_delete_key() and drivers like ral(4) RT2860 need
a valid associd in their delete_key callbacks.
This affects HostAP mode only.

from Nathanael Rensen.

remove a useless (nested) #ifndef IEEE80211_STA_ONLY while i'm here


# 1.59 14-Jun-2010 damien

fix my previous commit, i forgot BIP, so instead of enumerating
what is not supported as a group cipher, enumerate what is supported.


# 1.58 14-Jun-2010 damien

do not try to associate with an AP using an unsupported group cipher,
otherwise we will panic in ieee80211_add_rsn_body().

this may be the cause of a panic seen by reyk@ though i'm not 100% sure.


# 1.57 28-Mar-2010 krw

Four uses of uninitialized variables found by clang via jsg@. ar5416, ar9287
and athn are only theoretically interesting. ieee80211_node fixes a real
bug in occupied channel detection.

ok damien@


Revision tags: OPENBSD_4_7_BASE
# 1.56 17-Feb-2010 damien

Do not always create a new node when a beacon or a probe response
is received. The creation of a new node is already handled in
ieee80211_recv_probe_resp() when necessary.
This avoids creating empty nodes with wrong channels when beacons
are received on the wrong channel (overlapping channels).
Those empty nodes may also prevent the real node from being
discovered because of ieee80211_find_node_for_beacon() filtering.

This should prevent entries of the form:
nwid "" chan 3 bssid 00:01:02:03:04:05 0dB 54M
in "ifconfig if0 scan" output, like reported by Rivo Nurges.


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.55 29-Jan-2009 damien

fix a panic that occurs when IEEE80211_STA_ONLY is defined (SMALL_KERNEL).

noticed by ray@, more investigation from sthen@
fix tested by sthen@


# 1.54 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.53 28-Jan-2009 damien

In ieee80211_find_node(), roll our own RB_FIND() based on the key (macaddr)
instead of resorting to horrid hacks/casts.
Restore the ieee80211_node structure back to its original state.


# 1.52 27-Jan-2009 damien

unbreak SMALL_KERNEL builds by adding missing #ifndef IEEE80211_STA_ONLY

pointed out by krw@


# 1.51 26-Jan-2009 damien

move ni_macaddr field at the top of the ieee80211_node structure.
this way we can avoid putting a full node structure (which is huge)
on the stack in ieee80211_find_node().
this is a bit tricky but the RB_FIND macro wants an "elem" structure,
not a field of "elem".


# 1.50 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.49 14-Dec-2008 damien

Add an ieee80211_notify_dtim() function that drivers should call after
every DTIM in HostAP mode.
Flushes all group addressed MSDUs buffered at the AP for power management.


# 1.48 23-Oct-2008 mk

Prevent a crash in ieee80211_setkeys() when unplugging an interface in
hostap mode by canceling the group rekey timeout in ieee80211_node_detach().

ok damien


# 1.47 15-Oct-2008 blambert

Second pass of simple timeout_add -> timeout_add_sec conversions
This should take care of the simpler ones (i.e., timeout values of
integer multiples of hz).

ok krw@, art@


# 1.46 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.45 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.44 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.43 12-Aug-2008 damien

new SHA-256 based AKMPs.


# 1.42 12-Aug-2008 damien

add/process group integrity cipher suite in RSN IEs.
add support for MFP negotiation during association.


# 1.41 12-Aug-2008 damien

the only integrity group cipher currently supported is AES-128-CMAC.


# 1.40 12-Aug-2008 damien

generate a random IGTK in HostAP mode if we're MFP-capable.


# 1.39 12-Aug-2008 damien

get rid of the map_ptk()/map_gtk() functions, just inline them
which makes things easier to track.


Revision tags: OPENBSD_4_4_BASE
# 1.38 02-Aug-2008 damien

Drop frames that are received unencrypted when WEP is on or when
WPA is on and RX protection for TA is on.
Keep track of the TX/RX protection for each node when WPA is on.

tested by djm@ (ral+wpa), ckuethe@ (ath-noenc) and krw@ (wpi<->ral+wpa).
hints from bluhm@
has been in snaps for a few days.

pointed out by bluhm@ something like 1 year ago but we did not have
the right infrastructure to fix it properly at that time.

ok deraadt@


# 1.37 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.36 27-Jul-2008 damien

s/IEEE80211_DPRINTF/DPRINTF/
automatically prepend __func__ to output.

deobfuscates debug messages a bit.
no binary change unless compiled with IEEE80211_DEBUG.


# 1.35 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.34 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


# 1.33 21-Apr-2008 damien

move ieee80211_ibss_merge() from ieee80211_input.c to ieee80211_node.c


# 1.32 21-Apr-2008 damien

move ieee80211_auth_open() to ieee80211_proto.c
move ieee80211_setup_rates() to ieee80211_node.c
move some prototypes from ieee80211_proto.h to ieee80211_crypto.h


# 1.31 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.30 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.29 07-Sep-2007 damien

use new malloc M_ZERO flag + replace MALLOC with malloc


Revision tags: OPENBSD_4_2_BASE
# 1.28 06-Jul-2007 damien

remove remaining bits for pre-RSNA shared authmode support.
it has been #if 0'd since 3.9 and we have never supported this mode (no
ifconfig option etc...).


# 1.27 06-Jul-2007 damien

initialize an uninitialized variable.


# 1.26 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.25 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.24 16-Jun-2007 damien

constify


# 1.23 16-Jun-2007 damien

don't mix u_int{8,16,32}_t and uint{8,16,32}_t
use u_int{8,16,32}_t everywhere.


# 1.22 16-Jun-2007 damien

de-static

ok jsg@


# 1.21 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.20 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


# 1.19 10-Apr-2007 miod

``it's'' -> ``its'' when the grammar gods require this change.


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 13-Nov-2006 damien

fix a possible NULL deref.


Revision tags: OPENBSD_4_0_BASE
# 1.16 19-Jun-2006 reyk

unbreak the code if compiled with IEEE80211_DEBUG by using the right
node attribute.

ok damien@, figured out by claudio@


# 1.15 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.14 19-Feb-2006 damien

Fix a comment in ieee80211_next_scan().


# 1.13 09-Oct-2005 reyk

if the wireless hostap interface belongs to a bridge, learn the node's
address dynamically on this interface after successful association.
this could speed wireless roaming to openbsd accesspoints.

ok jason@, jsg@ can't see anything objectionable


# 1.12 07-Oct-2005 reyk

minor knf


# 1.11 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.10 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.9 08-Sep-2005 jsg

Remove the last of the FreeBSD compatibility goop.
ok reyk@


# 1.8 08-Sep-2005 jsg

Remove FreeBSD if_printf compat function from net80211.
ok reyk@


# 1.7 08-Sep-2005 reyk

reset the scan state for each new mode

ok jsg@


# 1.6 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.5 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.4 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.3 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.2 02-Nov-2004 millert

Don't call memset() if MALLOC returns NULL; also fix the rcs ID.
From Patrick Latifi; OK reyk@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.190 07-Dec-2021 stsp

Teach the net80211 stack to remove corresponding frames from ic_pwrsaveq
when a power-saving client decides to leave our hostap interface.

Prevents a "key unset for sw crypto" panic as we try to send a frame
to a node which is in COLLECT state with its WPA keys already cleared.

We were already clearing the queue which buffers power-saved frames for
the client node. This queue is stored within the node structure itself.
However, the interface has another global queue for frames which need to
be transmitted by the driver to a set of nodes during the next DTIM.
We missed removing frames for a departing node from this global queue.

While here, add missing node refcount adjustments as frames get purged.

Problem reported by Mikolaj Kucharski, who tested this fix for more
than a week with athn(4), with no further panics observed.


# 1.189 03-Dec-2021 stsp

Introduce an optional driver-specific bgscan_done() handler which
allows the driver to take control of the roaming teardown sequence.
This handler allows drivers to ensure that race conditions between
firmware state and net80211 state are avoided, and will be used by
the iwm(4) and iwx(4) drivers soon.

Split the existing roaming teardown sequence into two steps, one step
for tearing down Tx block ack sessions which sends a DELBA frame, and a
second step for flushing Tx rings followed by sending a DEAUTH frame.
We used to queue both frames, expecting to switch APs once both were sent.
Now we effectively expect everything to be sent before we queue a final
DEAUTH frame, and wait for just this frame to be sent before switching.
This already made issues on iwm/iwx less frequent but by itself this was
not enough to close all races for those drivers. It should however help
when adding background scan support to a non-firmware device driver.

Tested, with driver patches:
iwm 8265: Aaron Poffenberger, stsp
iwm 9260: florian
iwm 9560: sthen
iwx ax200: jmc, stsp


# 1.188 03-Nov-2021 krw

In addition to the WEP key(s) being set at device initialization with
'nwid'/'nwkey', the keys will be set at random times when 'join'/'nwkey' is
used. So also stop trying to set IEEE80211_CIPHER_NONE keys on that path.

James Hastings confirms this fixes his '(null node)' panics on run(4). Thanks!

ok stsp@


# 1.187 08-Oct-2021 stsp

Revert my previous commit to ieee80211_node.c (CVS commit Hne35XgzezGa9zmv).

Sending frames from ieee80211_node_join_bss() won't work as expected.
I missed that IEEE80211_SEND_MGMT() calls if_start() immediately after
queueing the management frame. This means the probe request is being
sent in a state where, while ic_bss represents our new AP, the driver
did not yet have a chance to move the device over to our new AP.

The auth request for the new AP is sent from ieee80211_newstate() which
runs after the driver has reconfigured the device. If we want to send a
probe request to the new AP then we would need to send it at that point,
before the auth frame gets sent.


# 1.186 07-Oct-2021 stsp

Send a probe request to our new AP when we are about to roam to it.

Tested by fkr on iwx ax200/ax201 and myself on iwm 8265.
Also tested by florian and bket as part of a larger diff.

ok mpi@


Revision tags: OPENBSD_7_0_BASE
# 1.185 29-Apr-2021 stsp

Make iwn, iwm, and iwx keep track of beacon parameters at run-time.

- HT protection settings (this was already implemented)
- ERP (11g) protection setting
- short slottime setting
- short preamble setting
- EDCA (QoS) parameters

All of these parameters are communicated in beacons and hardware is
now kept up-to-date with them.

Prompted by a problem report from Christian Ehrhardt regarding ERP.

Tested:
iwn 6205: stsp, Josh Grosse
iwm 7265: trondd
iwm 8265: stsp, Matthias Schmidt
iwm 9260: phessler
iwx ax200: stsp, jmc, gnezdo


Revision tags: OPENBSD_6_9_BASE
# 1.184 15-Apr-2021 stsp

When starting an AP or IBSS network, reconfigure the operation mode to
11ac/n/a/g/b as applicable. Fixes an issue where hostap would end up
running in the rather meaningless MODE_AUTO unless a mode was explicitly
configured with ifconfig.

Found while investigating issues reported by trondd testing my athn RA patch.

ok deraadt@


# 1.183 10-Mar-2021 jsg

spelling

ok gnezdo@ semarie@ mpi@


Revision tags: OPENBSD_6_8_BASE
# 1.182 31-May-2020 stsp

Remove a dead assignment to ni_rsn_state in ieee80211_node_leave_rsn().

Patch by Mikolaj Kucharski


Revision tags: OPENBSD_6_7_BASE
# 1.181 05-May-2020 stsp

Purge the ic_bss->ni_savedq mbuf queue when a wireless interface goes down.

Purging this queue prevents a panic which occurs when a WPA2-enabled athn(4)
hostap interface is reconfigured while this queue contains frames.

In hostap mode, this queue contains group-addressed (broadcast) frames
which are buffered for clients sleeping in powersave state. Frames on
this queue are transmitted when it is time to send another beacon, at
which point in time sleeping clients wake up to receive such frames.

The panic message is "key unset for sw crypto", which can be explained as
follows: Group keys are cleared when the interface goes down. The beacon Tx
interrupt handler gets triggered by hardware when the interface comes back
up. This handler attempts to encrypt the queued frames for transmission,
resulting in the above panic since the group key has been zeroed out.

This panic has been observed with athn(4) by Jan Stary and Ted Patterson,
and Ted has confirmed that this patch fixes the problem.

ok kettenis@ (with the caveat that it's been a long time since he put our
AP-side powersave support into a working state)


# 1.180 08-Apr-2020 stsp

Fix ifconfig "media:" line for 11n wifi interfaces during and after bgscan.

Media was displayed as e.g. "autoselect (OFDM6)" even though 11n was active
because the current media mode is changed to AUTO for background scanning
and was never switched back to 11N.

ok mpi@ pirofti@


# 1.179 15-Jan-2020 phessler

If join is connected to an AP, remove the node from the cache so we properly
reconnect to the AP

OK stsp@


# 1.178 29-Dec-2019 stsp

If the new candidate AP found after a background scan has an RSSI level
that will also trigger background scans, remain with the current AP.
Avoids ping-pong in environments where APs are tuned for low transmit
range, such as 36c3.

ok phessler benno


# 1.177 10-Nov-2019 stsp

Stop connecting to available open wifi networks when the interface is put up.
From now on, this behaviour must be explicitly enabled with ifconfig join "".
ok sthen jcs deraadt


# 1.176 09-Nov-2019 stsp

Give access points which fail to AUTH or ASSOC less priority during
the next selection of networks from the join list. Prevents endless
attempts to connect to an AP which is out of reach but still somehow
manages to get a beacon or two across to us during scan.

Tested with wifi networks at the University of Bucharest.
Makes switching wifi networks possible after walking to a different
room without having to down/up the interface or suspend/resume.

ok phessler@


# 1.175 09-Nov-2019 stsp

Clear the unref callback function pointer when cleaning up an ieee80211_node.
ok mpi@


# 1.174 31-Oct-2019 stsp

Make background scans less frequent if we keep choosing the same AP.

This helps a bit in situations where a single AP is used and background scans
are causing packet loss, as seen with Jesper Wellin's Broadcom-based AP and my
Android phone in hotspot mode. This is not a proper fix but our background scan
frequency against a single AP was much higher than needed anyway.

Tested by jan, job, benno, Tracey Emery, Jesper Wallin


Revision tags: OPENBSD_6_6_BASE
# 1.173 02-Sep-2019 stsp

Make net80211 expose reasons for association failures to userland and have
ifconfig display them in 'scan' output and on the ieee80211 status line if
the failure is applicable to an already selected AP (e.g. wrong WPA key).

This will hopefully reduce the amount of help requests for what often
turn out to be trivial misconfiguration issues that were previously
hard to diagnose without debug mode.

ifconfig must be recompiled with the new ieee80211_ioctl.h to stay in
sync with the kernel. A full 'make build' will do the right thing!

Very helpful input by mpi@ and deraadt@


# 1.172 27-Aug-2019 stsp

Keep ieee80211_node structures cached across scans, rather than
wiping the entire cache every time a scan is triggered.

This has benefits for userland programs trying to look at scan results,
and for drivers which don't get a full view from hardware on every scan.

Nodes will still be evicted from the cache in one of several ways:

Add a new way of timing out inactive nodes which don't send a beacon
within 10 scan iterations, for client mode only. This should get rid
of stale APs if we're scanning for some time in a changing environment.

If we fail to associate a few times, the corresponding node is removed.

If net80211 transitions back to INIT state (e.g. because of a
user-initiated configuration change) all nodes are removed.

When a background scan starts all nodes will be removed. This could be
revisited later but has been intentionally left as-is for now.

Tested by myself, jmc@, benno@, procter@ on iwm(4), athn(4) and ral(4).


# 1.171 26-Aug-2019 stsp

remove redundant assignment to ic_curmode

This assignment to ic_curmode is redundant because it already occurs
inside ieee80211_setmode(), and channel information in selbs and ni
is equivalent after node_copy().

ok mpi@ kevlo@


# 1.170 29-Jul-2019 stsp

Add support for 802.11n Tx aggregation to net80211 and the iwn(4) driver.

In particular, add Tx block ack session management to net80211, with
enough functionality to support Tx aggregation on devices which perform
A-MPDU subframe scheduling in firmware.
Make use of the iwn(4) firmware Tx scheduler to build A-MPDUs.

net80211's QoS support code is now enabled and used by Tx aggregation.

A-MSDU frames inside A-MPDUs have been tested and work in principle.
For now, this feature is disabled because unfair TCP connection sharing
was observed during testing, where bursts of TCP Ack frames for a single
tcpbench(1) connection arriving in A-MSDUs made other TCP connections stall.
Switch off support for A-MSDUs inside A-MPDUs on the Rx side as well.

Tested on iwn chipsets 1000, 4965, 5100, 5300, 2200, 6200, 6205, 6300
(committed version of tested diff has all debug printfs removed)
tests/ok benno kmos mlarkin kevlo


# 1.169 23-Jul-2019 stsp

In 11n hostap mode, properly disable HT protection when needed
by actually overwriting the relevant bits in ni_htop1.
ok tedu@ phessler@ kettenis@


# 1.168 10-Jun-2019 stsp

Revised version of 'ifconfig mode' command fix.

The 'mode' command is supposed to force a wireless interface into 11a/b/g/n
media mode. This stopped working some time ago, probably during my work on
background scanning. Problem spotted by mlarkin@ who noticed that interfaces
were using 11g mode while forced to 11b mode.

ok phessler, jmatthew (earlier version)
relentless testing by krw@


# 1.167 31-May-2019 stsp

Revert my "Repair the 'ifconfig mode' command" commit.

The "recursion in end_scan()" problem is apparently still present in
the committed version of the diff (reported by krw@).


# 1.166 29-May-2019 stsp

Repair the 'ifconfig mode' command.

The 'mode' command is supposed to force a wireless interface into 11a/b/g/n
media mode. This stopped working some time ago, probably during my work on
background scanning. Problem spotted by mlarkin@ who noticed that interfaces
were using 11g mode while forced to 11b mode.

ok phessler, jmatthew


# 1.165 11-May-2019 stsp

Show driver name on net80211 scan debug lines.
ok mpi@


# 1.164 28-Apr-2019 mpi

Removes the KERNEL_LOCK() from bridge(4)'s output fast-path.

This redefines the ifp <-> bridge relationship. No lock can currently
be used across the multiple contexts where the bridge has tentacles to
protect a pointer, so use an interface index.

Tested by various, ok dlg@, visa@


Revision tags: OPENBSD_6_5_BASE
# 1.163 15-Mar-2019 phessler

fix autojoin for WEP network by actually saving the WEP auth key

discovered while attempting to autojoin WEP networks


# 1.162 01-Mar-2019 stsp

Improve handling of HT protection for 'mode 11n' hostap.

Consider the mere presence of HTCAP IEs as indicator of 11n support,
rather than checking advertised Rx MCS. Fixes some devices being
misclassified as 11a/g, causing HT protection to be enabled even
though it is not needed.

Use CTS-to-self frames for HT protection instead of RTS/CTS.

These changes make my athn(4) AR9280 hostap perform much better.

ok phessler@


# 1.161 23-Jan-2019 stsp

Move 802.11n rateset definitions out of MiRA and make them available to
net80211 and drivers in general. Add ratesets for 'short guard interval'
(SGI) rates, and add SGI support to MiRA. SGI is currently only used by
iwm(4), and of course internally by bwfm(4) firmware.
Ratesets for 11n 40 MHz channels and 11ac will come later.
ok mpi@ phessler@


# 1.160 18-Jan-2019 phessler

add a len field when we delete an essid from the joinlist. this will have
us properly match, instead of hoping we got lucky when selecting it.

OK stsp@


# 1.159 18-Jan-2019 phessler

let users automatically use join to connect to any open wifi network.
if a known network is visible, always prefer that instead.

requested by many, OK stsp@


# 1.158 25-Nov-2018 phessler

print more details about the join'd networks we have saved when a user runs
ifconfig if joinlist

OK stsp@


# 1.157 20-Nov-2018 phessler

fix whitespace in debugging function


# 1.156 20-Nov-2018 patrick

The first packet received from each AP in each QoS class would be
dropped as the sequence number matches the initial value of the
cached last sequence number (zero). On some APs (notably Android
WIFI hotspots) this hits the first packet of the WPA2 4-way
handshake. This causes connection delays and in some cases
connection to the AP fails completely. Initialize the cached last
sequence numbers for received packets to an invalid value instead.

From Christian Ehrhardt
ok gerhard@ stsp@


# 1.155 27-Oct-2018 phessler

pass around the ess and ni structures we plan to use directly, instead
of rediscovering them (possibly badly).

OK stsp@


# 1.154 27-Oct-2018 phessler

clean up accounting of the AUTO_JOIN flag by making sure it is set or cleared
based on the state of the joinlist

OK stsp@


# 1.153 27-Oct-2018 phessler

don't join to a network where we expect cleartext, and the AP is using crypto

OK stsp@


Revision tags: OPENBSD_6_4_BASE
# 1.152 18-Sep-2018 mestre

fix memory leak in ieee80211_end_scan()

OK phessler@ jsg@


# 1.151 17-Sep-2018 jsg

fix memory leaks in ieee80211_add_ess()
ok stsp@ phessler@


# 1.150 11-Sep-2018 phessler

use the format string for signed ints, for signed ints

reminded by stsp@


# 1.149 11-Sep-2018 phessler

With the interface debug flag enabled, print a "score" for each AP we
consider during auto-join. This can help users determine why a specific
network was chosen.

OK stsp@


# 1.148 10-Sep-2018 phessler

fix typo in the length of the essid we want to switch to

found with and OK stsp@


# 1.147 10-Sep-2018 phessler

extract clearing WEP/WPA in ess into helper functions


# 1.146 10-Sep-2018 phessler

give set_ess a len variable, so we can correctly match the essid we want
to switch to.

pointed out by stsp@


# 1.145 09-Sep-2018 phessler

convert the things we save in 'join' into a single ioctl. mixing related
settings over multiple calls was risky and racy. Pass essid, wpa, and wep
parameters in a single ioctl and process it atomically.

no change for 'nwid' users

OK stsp@ benno@


# 1.144 06-Sep-2018 jsg

fix whitespace


# 1.143 01-Sep-2018 stsp

Make 'ifconfig nwid' override 'ifconfig join'.

There was no way to override a decision made by join's network
selection algorithm (apart from disabling the feature by clearing
the join list). Automatic selection is based on heuristics which
cannot always guess correctly so we need to provide an override.

One specific problem was that if 'nwid foo' and 'nwid bar' were
both visible in the scan and only 'nwid foo' was a member of the
join list, then there was no way at all to connect to 'nwid bar'.
The wireless stack would keep selecting 'nwid foo' instead.

The 'ifconfig iwm0 nwid bar' command will now disable automatic
network selection and force the use of ESSID 'bar'.
Any of these commands will re-enable automatic network selection:
ifconfig iwm0 -nwid
ifconfig iwm0 nwid ''
ifconfig iwm0 join some-network-id

ok phessler@ deraadt@


# 1.142 15-Aug-2018 stsp

Update AP selection heuristics for auto-join.

We now prefer stronger crypto over weaker crypto over none, prefer 5 GHz
band with reasonable RSSI, and use RSSI as a tie-breaker with a slight
advantage for 5GHz. Candidate APs are now ranked by a score which is
calculated based on these attributes.

There is likely room for improvements to make these heuristics
work well across many different environments, but it's a start.

ok phessler@


# 1.141 13-Aug-2018 stsp

Add support for band-steering access points to net80211.

Some access points have a feature called "band steering" where they
will try to push clients from 2 GHz channels to 5 GHz channels.
If a client sends probe-requests on both 2 GHz and 5GHz channels, and
then attempts to authenticate on a 2 GHz channel, such APs will deny
authentication and hope that the client will come back on a 5 GHz channel.

So if we fail to AUTH for any reason, and if there is a different
AP with the same ESSID that we haven't tried yet, try that AP next.
Keep trying until no APs are left, and only then continue scanning.

APs with support for this feature were provided by Mischa Peters.

ok phessler@ mpi@


# 1.140 11-Aug-2018 stsp

Add comment explaining why we read basic MCS set only from beacon/probereq.
requested by mpi@


# 1.139 07-Aug-2018 stsp

Ignore basic MCS set information found in association responses.

Some APs (Aruba 105) send a bogus basic MCS set in assoc responses
which prevents us from enabling 11n support with those APs, while
these APs still behave as if we were an 11n client which renders
the association unusable.

The basic MCS set is already provided in beacons anyway, and the
802.11 2012 standard says the basic MCS set is reserved in frames
other than beacons (see Table 8-130).

ok mpi@


# 1.138 06-Aug-2018 stsp

Refactor ieee80211_add_ess():

Drop ieee80211_add_ess's nwid parameter. Read nwid and length directly
from the ic to make it more obvious where this function is reading from.

nwids are binary data with an explicit length, so treat them as such
instead of treating them like strings.

ok florian phessler


# 1.137 06-Aug-2018 florian

Do not set nwid over and over again. We just found the ess by comparing
the nwid. It will not have changed in the meantime.
OK stsp


# 1.136 03-Aug-2018 phessler

revert 1.133 and part of 1.131
the stack doesn't always fill in the parameters correctly

reported by many


# 1.135 30-Jul-2018 stsp

Don't ask drivers to join a wifi network before an AP has been chosen.
Should fix a panic with bwfm(4) reported by mlarkin@
ok phessler@


# 1.134 19-Jul-2018 florian

ieee80211_ess_is_better() returns 0 or 1, comparing > 1 is always
false so we always selected the first wifi available, not the best
one.

While here shuffle some deck chairs to make it clearer that anything is
better than nothing.

tweak & OK phessler


# 1.133 16-Jul-2018 phessler

the AP sends their crypto parameters as a mask, so let us still select it
in case we want WPA2 and they have WPA1 still enabled


# 1.132 16-Jul-2018 phessler

don't save or use auto-join when the card is not in station (aka client) mode

OK stsp@


# 1.131 13-Jul-2018 phessler

Some more checks before auto-join switches networks.

Make sure all of the crypto options the AP announces matches what we
would configure. While here, don't switch if the user has specified
a specific BSSID, and the new AP does not match.

OK stsp@


# 1.130 11-Jul-2018 phessler

Introduce 'auto-join' to the wifi 802.11 stack.

This allows a system to remember which ESSIDs it wants to connect to, any
relevant security configuration, and switch to it when the network we are
currently connected to is no longer available.

Works when connecting and switching between WPA2/WPA1/WEP/clear encryptions.

example hostname.if:
join home wpakey password
join work wpakey mekmitasdigoat
join open-lounge
join cafe wpakey cafe2018
join "wepnetwork" nwkey "12345"
dhcp
inet6 autoconf
up

OK stsp@ reyk@
and enthusiasm from every hackroom I've been in for the last 3 years


# 1.129 28-Apr-2018 stsp

When starting a background scan, free the nodes table to ensure we
get an up-to-date view of APs around us. In particular, we need to
kick out the AP we are associated to. Otherwise, our current AP might
stay cached if it is turned off while we are scanning, and we could
end up picking a now non-existent but "good looking" AP over and over.

found with and ok phessler@


# 1.128 27-Apr-2018 stsp

Fix the scan loop: We were only looking for an AP once and stopped
scanning if none was found.
Accidentally broken in recent ifconfig scan changes by pirofti and me.
ok pirofti


# 1.127 26-Apr-2018 pirofti

net80211: stub SIOCS80211SCAN, make ifconfig scan instant.

The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stsp@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.

The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.

In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.

The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...

Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.

Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).

Tested by mpi@, landry@, florian@, thanks!
OK mpi@.


Revision tags: OPENBSD_6_3_BASE
# 1.126 06-Feb-2018 phessler

convert the test if a node supports HT (aka, 11n) into an inline function,
instead of testing some un-obvious bitfield

OK stsp@


# 1.125 12-Dec-2017 stsp

Don't dereference IEEE80211_CHAN_ANYC pointer in ieee80211_node_checkrssi().

Problem reported by Gregoire Jadi on bugs@


# 1.124 12-Dec-2017 phessler

Allow interfaces that aren't SCANNALLBAND drivers to benefit from the
strongest received signal.

OK stsp@


# 1.123 12-Dec-2017 jcs

Fix the behavior of preferring weaker-but-still-good 5GHz APs over
2GHz APs because the 5GHz band is generally less saturated.

The previous implementation was dependent upon the order of walking
APs.

ok stsp


# 1.122 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


Revision tags: OPENBSD_6_2_BASE
# 1.121 05-Sep-2017 stsp

When starting a new scan always set the mode to AUTO if the driver scans
all bands at once. Fixes a problem where e.g. 5GHz APs were filtered out
if we were previously associated to an 11g-only AP.
ok mpi@ phessler@


# 1.120 17-Aug-2017 stsp

Add an entry to dmesg if pairwise WPA keys arrive unexpectedly or if WPA
group keys are being reused. OpenBSD wireless clients will now leave a
trail of such events in their message log.

There has been increased public scrutiny of WPA's security recently, so
I am curious to see if anyone is attempting replay attacks in the wild.

ok deraadt


# 1.119 04-Aug-2017 stsp

Compile a debug printf in ieee80211_match_bss() by default, previously
guarded by the IEEE80211_DEBUG preprocessor flag. This shows one line
per detected AP after a scan, and indicates which APs are considered
candidates for association.
Shorten the output a bit to fit into 80 columns more likely.
ok sthen@


# 1.118 19-Jul-2017 stsp

Improve the heuristic which selects 5GHz APs over 2GHz APs.

The previous code wasn't quite right: it didn't account for the fact that
some drivers don't set ic_max_rssi, and it compared 5GHz APs to a threshold
relative to the max RSSI, rather than comparing RSSI on 5GHz relative to
RSSI on 2GHz.

This heuristic is only used by SCANNALLBAND drivers: iwn(4), iwm(4), wpi(4)

In the future the AP selection heuristic should be made more intelligent,
e.g. it should take BSS load information in beacons into account.
Another open problem is inconsistent representation of RSSI measurement
values throughout our drivers and stack. Help is welcome!

For now, this hopefully improves AP selection at busy airports.

ok sthen@ deraadt@


# 1.117 04-Jun-2017 tb

Add sizes for free for the RSN IEs. Rewrite ieee80211_save_ie() slightly
to make it more readable.

help, many explanations and ok stsp


# 1.116 03-Jun-2017 tb

Add a few sizes to free().

Input, help & ok stsp


Revision tags: OPENBSD_6_1_BASE
# 1.115 04-Mar-2017 stsp

branches: 1.115.4;
In 11n hostap mode, dynamically adjust HT protection settings based on
the presence of non-HT nodes in the node cache.
OpenBSD 11n APs will now disable HT protection if it is not necessary.
ok mpi@


# 1.114 03-Feb-2017 stsp

Fix 11b clients sending bogus ratesets in association requests. The common
rateset with the AP is calculated only after the association response was
received, which is too late. Fix rates when an AP is selected after a scan.
ok mpi@ tb@


# 1.113 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.112 16-Jan-2017 stsp

Reset block ack state and cancel related timeouts when a HT node disassociates.
The existing code (from damien@) already took care of freeing related buffers
but because block ack state was not reset we were still trying to use these
buffers if the node sent another A-MPDU. This problem only affects 11n hostap.
Fixes kernel crash reported by Timo Myyra on bugs@


# 1.111 09-Jan-2017 stsp

When a HT node leaves or reassociates as a non-HT node,
clear HT capabilities stored in its node cache object.

A node may switch from 11n mode to 11a/b/g mode.
If we don't clear HT capabilities from the cache the node will
be mistaken as 11n-capable after reassociation.

ok phessler@ mpi@


# 1.110 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.109 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.108 09-Jan-2017 stsp

The point of ieee80211_node_leave() is to place the node in COLLECT state.
Return early and do nothing if the node is already in COLLECT state upon
entry to this function.


# 1.107 09-Jan-2017 stsp

When acting as hostap, negotiate HT before calling the driver's ic_newassoc()
function, not afterwards. Drivers now know whether a joining node supports HT
which helps with setting up state such as which Tx rate to use.


# 1.106 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@


# 1.105 15-Sep-2016 dlg

move from RB macros to the RBT functions.

shaves about 5k off an amd64 GENERIC.MP kernel


# 1.104 17-Aug-2016 stsp

If a wireless device or driver scans all bands at once give 5GHz APs
a slight priority in cases where good matches exist in either band.
ok sthen@


Revision tags: OPENBSD_6_0_BASE
# 1.103 21-May-2016 stsp

branches: 1.103.2;
Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


# 1.102 18-May-2016 stsp

In hostap mode, don't re-use association IDs (AIDs) of nodes which are
still lingering in the node cache. This could cause an AID to be assigned
twice, once to a newly associated node and once to a different node in
COLLECT cache state (i.e. marked for future eviction from the node cache).

Drivers (e.g. rt2860) may use AIDs to keep track of nodes in firmware
tables and get confused when AIDs aren't unique across the node cache.
The symptom observed with rt2860 was nodes stuck at 1 Mbps Tx rate since
the duplicate AID made the driver perform Tx rate (AMRR) accounting on
the wrong node object.

To find out if a node is associated we now check the node's cache state,
rather than comparing the node's AID against zero. An AID is assigned when
a node associates and it lasts until the node is eventually purged from the
node cache (previously, the AID was made available for re-use when the node
was placed in COLLECT state). There is no need to be stingy with AIDs since
the number of possible AIDs exceeds the maximum number of nodes in the cache.

Problem found by Nathanael Rensen.
Fix written by Nathanael and myself. Tested by Nathanael.
Committing now to get this change tested across as many drivers as possible.


# 1.101 12-Apr-2016 mpi

Call if_enqueue() and if_start() instead of dereferencing the ifp
pointers.

These functions have been introduced to abstract some of the MP-
safeness^Wmadness and should be used everywhere.

Prodded by a comment from jsg@.

ok mikeb@, stsp@


# 1.100 03-Mar-2016 gerhard

Restore assignment of ic_curmode that was accidentally removed when
moving the ERP code to post-assoc phase. Fixes iwi(4) fatal firmware
errors.

ok stsp@, sobrado@


Revision tags: OPENBSD_5_9_BASE
# 1.99 25-Jan-2016 stsp

branches: 1.99.2;
Honour ERP protection on 2 GHz channels in 11n mode, as done for 11g.
ok millert@


# 1.98 25-Jan-2016 stsp

Don't try to interpret htprot data if the last beacon didn't contain such data.
ok mpi@ millert@


# 1.97 07-Jan-2016 stsp

Make the A-MPDU reordering buffer more resilient against APs which drop
some subframes or let the sequence number jump up by more than 1 (hard
to tell which it is). We decrease the BA inactivity timeout for quicker
recovery from stalled BA sessions, and add a new timeout which keeps track
of gaps in the subframe sequence number space due to dropped frames.
Gaps expire after 500 msec, the same value FreeBSD uses for their
implementation of this workaround. And Linux uses this trick, too.

This should fix network stalls some people have been seeing in 11n mode.

ok deraadt@


# 1.96 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.95 04-Jan-2016 stsp

While configuring ERP we need to know if we're in 11a or 11g mode so only
configure ERP once we are sure about our operation mode against the AP.
ok sthen jasper kettenis deraadt mpi


# 1.94 18-Dec-2015 sthen

unnoccupied->unoccupied


# 1.93 12-Dec-2015 stsp

Finish support for receiving 11n A-MPDUs.

The initial implementation was added by damien@ years ago.
Summary of the changes made in this commit:
- In ieee80211_input(), process A-MPDUs before duplicate detection.
- Don't forget to set ba->ba_ni in ieee80211_recv_addba_req()
so we don't crash in ieee80211_rx_ba_timeout().
- In ieee80211_recv_addba_req(), tweak the logic to deny BlockAck
requests if the driver has no callback for doing so.
- Implement ieee80211_ba_del() which cleans up BlockAck state.
- Increase the minimum and maximum lifetime for BlockAck agreements.

ok mpi@


# 1.92 24-Nov-2015 mpi

No need to include <net/if_arp.h>

This header is only needed because <netinet/if_ether.h> declares a
structure that needs it. But it turns out that <net/if.h> already
includes it as workaround.

A proper solution would be to stop declaring "struct ether_arp"
there. But no driver should need this header.


# 1.91 15-Nov-2015 stsp

Parse 11n HT capabilities and operational info from association response
frames, negotiate HT with the AP, and move the interface into or out of
11n mode accordingly. If running as AP negotiate HT with nodes joining the BSS.

ok deraadt mpi kettenis guenther


# 1.90 15-Nov-2015 stsp

Extend struct ieee80211_node with fields for 11n STA HT capabilities and
HT operational information sent by 11n APs. These fields reflect the structure
of elements in management frames so that IEEE80211_HTCAP* and IEEE80211_HTOP*
macros designed to operate on frame elements can be used directly to read
or set the fields.

Populate nodes with HT information received in probe responses, probe
requests, and association requests.

ok deraadt mpi phessler kettenis guenther


# 1.89 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


Revision tags: OPENBSD_5_8_BASE
# 1.88 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.87 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.86 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.85 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.84 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.83 12-Sep-2014 sthen

Remove cached 802.11 nodes in IEEE80211_STA_CACHE state (these are nodes
which have been seen but which haven't otherwise interacted with us), fixing
a problem where old cached nodes are seen when doing a scan.
From Marcin Piotr Pawlowski, feedback stsp@ ok kspillner@ dcoppa@


# 1.82 08-Aug-2014 jasper

use nitems() instead of various local constructs

ok stsp@


Revision tags: OPENBSD_5_6_BASE
# 1.81 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


Revision tags: OPENBSD_5_5_BASE
# 1.80 01-Dec-2013 stsp

Reset txrate array index after changing a node's rate list.
Should prevent "bogus xmit rate %d setup" panics, which I ran into again
in IBSS mode.
ok kettenis


# 1.79 21-Nov-2013 mpi

Remove unneeded include.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.78 24-Mar-2013 claudio

Make ieee80211_set_tim() available from outside of ieee80211_node.c
so drivers like acx(4) can use that function directly instead of
reimplementing the function again. Requested by kettenis@ long time ago.


Revision tags: OPENBSD_5_3_BASE
# 1.77 07-Nov-2012 stsp

Fix DPRINTF() format string treating n->ni_refcnt, which is unsigned, as signed.
diff from dhill; ok kettenis reyk


# 1.76 10-Oct-2012 kettenis

Clear the powersave flag and purge queued packets when a node leaves the AP
(either by disassociating or by timeout). Fixes (most) remaining issues with
power saving.

From Nathanael Rensen.

ok claudio@, krw@, sthen@


# 1.75 05-Oct-2012 camield

Point an interface directly to its bridgeport configuration, instead
of to the bridge itself. This is ok, since an interface can only be part
of one bridge, and the parent bridge is easy to find from the bridgeport.

This way we can get rid of a lot of list walks, improving performance
and shortening the code.

ok henning stsp sthen reyk


# 1.74 20-Sep-2012 stsp

Nuke M_80211_NODE #define which mapped to M_DEVBUF and use M_DEVBUF directly.
ok henning


# 1.73 25-Aug-2012 kettenis

Set up ni_savedq for the initial BSS node such that it can actually be used
to store multicast frames when one of the associated stations is in power
saving mode.

ok stsp@


# 1.72 17-Aug-2012 stsp

Fix possible panic while switching from STA mode into hostap/ibss modes.
ieee80211_create_ibss() resets the set of supported rates but failed
to update the index into the rate set array accordingly. If the rate
configured during STA operation didn't belong to the newly configured
rate set the system ran into an assertion ("bogus xmit rate %u setup")
while trying to create the IBSS.
ok fgsch@


Revision tags: OPENBSD_5_2_BASE
# 1.71 18-Jul-2012 stsp

Print messages about nodes purged from the node cache if hostap/ibss modes are
compiled in and the interface is in debug mode. ok sthen


# 1.70 16-Jul-2012 stsp

Move increment of ic_nnodes closer to where the node is actually inserted
into the cache. Make sure we're at IPL_NET while incrementing/decrementing
ic_nnodes. Add a debug message that warns about possible node leaks.
All of this affects hostap mode only.


# 1.69 13-Jul-2012 stsp

Tweak node cache eviction strategy when the cache is full: kick off new nodes
in AUTH state that weren't active during the cache wait interval rather than
keeping them for the entire cache timeout interval. Fixes association failures
in noisy RF environments. Tested by edd and myself with a slow soekris
suffering from RF noise with about 50 interrupts per second on ral0.
ok deraadt


Revision tags: OPENBSD_5_1_BASE
# 1.68 25-Jan-2012 stsp

There is no need to explicitly skip ic_bss when iterating over cached nodes.
The ic_bss is never put into the RB tree.


# 1.67 25-Jan-2012 stsp

Clean inactive authenticated nodes during cache timeout as well.
There is no need to keep nodes cached which never associated and were
inactive within the last 5 minutes or more. Keeps the node cache pretty
clean in my environment with typical city-center wlan noise.


# 1.66 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@


# 1.65 21-Jan-2012 stsp

Hold interrupts blocked while comparing a cached node's refcount to zero
and freeing the node. Just in case an interrupt happens to ref the node after
the refcount was checked but before the node is freed.
Tested by several as part of a larger diff.


# 1.64 18-Jan-2012 stsp

Make it possible to free cached nodes which never associated (e.g. nodes
only scanning for networks). These were never put into COLLECT state and
were thus never evicted from the node cache in hostap mode.
ok jsg@


Revision tags: OPENBSD_5_0_BASE
# 1.63 28-Mar-2011 kettenis

Clean nodes until the number of cached nodes is smaller than the maximum number
of nodes, otherwise we'll never actually clean any nodes. Fixes issues with
clients failing to attach because the node cache is completely filled.

ok damien@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.62 07-Aug-2010 krw

No "\n" needed at the end of panic() strings.

Bogus chunks pointed out by matthew@ and miod@. No cookies for
marco@ and jasper@.

ok deraadt@ miod@ matthew@ jasper@ macro@


# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


# 1.60 19-Jun-2010 damien

In ieee80211_node_leave(), clear the associd after calling
ieee80211_node_leave_rsn() since ieee80211_node_leave_rsn()
calls ic_delete_key() and drivers like ral(4) RT2860 need
a valid associd in their delete_key callbacks.
This affects HostAP mode only.

from Nathanael Rensen.

remove a useless (nested) #ifndef IEEE80211_STA_ONLY while i'm here


# 1.59 14-Jun-2010 damien

fix my previous commit, i forgot BIP, so instead of enumerating
what is not supported as a group cipher, enumerate what is supported.


# 1.58 14-Jun-2010 damien

do not try to associate with an AP using an unsupported group cipher,
otherwise we will panic in ieee80211_add_rsn_body().

this may be the cause of a panic seen by reyk@ though i'm not 100% sure.


# 1.57 28-Mar-2010 krw

Four uses of uninitialized variables found by clang via jsg@. ar5416, ar9287
and athn are only theoretically interesting. ieee80211_node fixes a real
bug in occupied channel detection.

ok damien@


Revision tags: OPENBSD_4_7_BASE
# 1.56 17-Feb-2010 damien

Do not always create a new node when a beacon or a probe response
is received. The creation of a new node is already handled in
ieee80211_recv_probe_resp() when necessary.
This avoids creating empty nodes with wrong channels when beacons
are received on the wrong channel (overlapping channels).
Those empty nodes may also prevent the real node from being
discovered because of ieee80211_find_node_for_beacon() filtering.

This should prevent entries of the form:
nwid "" chan 3 bssid 00:01:02:03:04:05 0dB 54M
in "ifconfig if0 scan" output, like reported by Rivo Nurges.


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.55 29-Jan-2009 damien

fix a panic that occurs when IEEE80211_STA_ONLY is defined (SMALL_KERNEL).

noticed by ray@, more investigation from sthen@
fix tested by sthen@


# 1.54 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.53 28-Jan-2009 damien

In ieee80211_find_node(), roll our own RB_FIND() based on the key (macaddr)
instead of resorting to horrid hacks/casts.
Restore the ieee80211_node structure back to its original state.


# 1.52 27-Jan-2009 damien

unbreak SMALL_KERNEL builds by adding missing #ifndef IEEE80211_STA_ONLY

pointed out by krw@


# 1.51 26-Jan-2009 damien

move ni_macaddr field at the top of the ieee80211_node structure.
this way we can avoid putting a full node structure (which is huge)
on the stack in ieee80211_find_node().
this is a bit tricky but the RB_FIND macro wants an "elem" structure,
not a field of "elem".


# 1.50 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.49 14-Dec-2008 damien

Add an ieee80211_notify_dtim() function that drivers should call after
every DTIM in HostAP mode.
Flushes all group addressed MSDUs buffered at the AP for power management.


# 1.48 23-Oct-2008 mk

Prevent a crash in ieee80211_setkeys() when unplugging an interface in
hostap mode by canceling the group rekey timeout in ieee80211_node_detach().

ok damien


# 1.47 15-Oct-2008 blambert

Second pass of simple timeout_add -> timeout_add_sec conversions
This should take care of the simpler ones (i.e., timeout values of
integer multiples of hz).

ok krw@, art@


# 1.46 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.45 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.44 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.43 12-Aug-2008 damien

new SHA-256 based AKMPs.


# 1.42 12-Aug-2008 damien

add/process group integrity cipher suite in RSN IEs.
add support for MFP negotiation during association.


# 1.41 12-Aug-2008 damien

the only integrity group cipher currently supported is AES-128-CMAC.


# 1.40 12-Aug-2008 damien

generate a random IGTK in HostAP mode if we're MFP-capable.


# 1.39 12-Aug-2008 damien

get rid of the map_ptk()/map_gtk() functions, just inline them
which makes things easier to track.


Revision tags: OPENBSD_4_4_BASE
# 1.38 02-Aug-2008 damien

Drop frames that are received unencrypted when WEP is on or when
WPA is on and RX protection for TA is on.
Keep track of the TX/RX protection for each node when WPA is on.

tested by djm@ (ral+wpa), ckuethe@ (ath-noenc) and krw@ (wpi<->ral+wpa).
hints from bluhm@
has been in snaps for a few days.

pointed out by bluhm@ something like 1 year ago but we did not have
the right infrastructure to fix it properly at that time.

ok deraadt@


# 1.37 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.36 27-Jul-2008 damien

s/IEEE80211_DPRINTF/DPRINTF/
automatically prepend __func__ to output.

deobfuscates debug messages a bit.
no binary change unless compiled with IEEE80211_DEBUG.


# 1.35 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.34 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


# 1.33 21-Apr-2008 damien

move ieee80211_ibss_merge() from ieee80211_input.c to ieee80211_node.c


# 1.32 21-Apr-2008 damien

move ieee80211_auth_open() to ieee80211_proto.c
move ieee80211_setup_rates() to ieee80211_node.c
move some prototypes from ieee80211_proto.h to ieee80211_crypto.h


# 1.31 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.30 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.29 07-Sep-2007 damien

use new malloc M_ZERO flag + replace MALLOC with malloc


Revision tags: OPENBSD_4_2_BASE
# 1.28 06-Jul-2007 damien

remove remaining bits for pre-RSNA shared authmode support.
it has been #if 0'd since 3.9 and we have never supported this mode (no
ifconfig option etc...).


# 1.27 06-Jul-2007 damien

initialize an uninitialized variable.


# 1.26 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.25 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.24 16-Jun-2007 damien

constify


# 1.23 16-Jun-2007 damien

don't mix u_int{8,16,32}_t and uint{8,16,32}_t
use u_int{8,16,32}_t everywhere.


# 1.22 16-Jun-2007 damien

de-static

ok jsg@


# 1.21 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.20 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


# 1.19 10-Apr-2007 miod

``it's'' -> ``its'' when the grammar gods require this change.


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 13-Nov-2006 damien

fix a possible NULL deref.


Revision tags: OPENBSD_4_0_BASE
# 1.16 19-Jun-2006 reyk

unbreak the code if compiled with IEEE80211_DEBUG by using the right
node attribute.

ok damien@, figured out by claudio@


# 1.15 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.14 19-Feb-2006 damien

Fix a comment in ieee80211_next_scan().


# 1.13 09-Oct-2005 reyk

if the wireless hostap interface belongs to a bridge, learn the node's
address dynamically on this interface after successful association.
this could speed wireless roaming to openbsd accesspoints.

ok jason@, jsg@ can't see anything objectionable


# 1.12 07-Oct-2005 reyk

minor knf


# 1.11 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.10 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.9 08-Sep-2005 jsg

Remove the last of the FreeBSD compatibility goop.
ok reyk@


# 1.8 08-Sep-2005 jsg

Remove FreeBSD if_printf compat function from net80211.
ok reyk@


# 1.7 08-Sep-2005 reyk

reset the scan state for each new mode

ok jsg@


# 1.6 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.5 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.4 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.3 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.2 02-Nov-2004 millert

Don't call memset() if MALLOC returns NULL; also fix the rcs ID.
From Patrick Latifi; OK reyk@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.189 03-Dec-2021 stsp

Introduce an optional driver-specific bgscan_done() handler which
allows the driver to take control of the roaming teardown sequence.
This handler allows drivers to ensure that race conditions between
firmware state and net80211 state are avoided, and will be used by
the iwm(4) and iwx(4) drivers soon.

Split the existing roaming teardown sequence into two steps, one step
for tearing down Tx block ack sessions which sends a DELBA frame, and a
second step for flushing Tx rings followed by sending a DEAUTH frame.
We used to queue both frames, expecting to switch APs once both were sent.
Now we effectively expect everything to be sent before we queue a final
DEAUTH frame, and wait for just this frame to be sent before switching.
This already made issues on iwm/iwx less frequent but by itself this was
not enough to close all races for those drivers. It should however help
when adding background scan support to a non-firmware device driver.

Tested, with driver patches:
iwm 8265: Aaron Poffenberger, stsp
iwm 9260: florian
iwm 9560: sthen
iwx ax200: jmc, stsp


# 1.188 03-Nov-2021 krw

In addition to the WEP key(s) being set at device initialization with
'nwid'/'nwkey', the keys will be set at random times when 'join'/'nwkey' is
used. So also stop trying to set IEEE80211_CIPHER_NONE keys on that path.

James Hastings confirms this fixes his '(null node)' panics on run(4). Thanks!

ok stsp@


# 1.187 08-Oct-2021 stsp

Revert my previous commit to ieee80211_node.c (CVS commit Hne35XgzezGa9zmv).

Sending frames from ieee80211_node_join_bss() won't work as expected.
I missed that IEEE80211_SEND_MGMT() calls if_start() immediately after
queueing the management frame. This means the probe request is being
sent in a state where, while ic_bss represents our new AP, the driver
did not yet have a chance to move the device over to our new AP.

The auth request for the new AP is sent from ieee80211_newstate() which
runs after the driver has reconfigured the device. If we want to send a
probe request to the new AP then we would need to send it at that point,
before the auth frame gets sent.


# 1.186 07-Oct-2021 stsp

Send a probe request to our new AP when we are about to roam to it.

Tested by fkr on iwx ax200/ax201 and myself on iwm 8265.
Also tested by florian and bket as part of a larger diff.

ok mpi@


Revision tags: OPENBSD_7_0_BASE
# 1.185 29-Apr-2021 stsp

Make iwn, iwm, and iwx keep track of beacon parameters at run-time.

- HT protection settings (this was already implemented)
- ERP (11g) protection setting
- short slottime setting
- short preamble setting
- EDCA (QoS) parameters

All of these parameters are communicated in beacons and hardware is
now kept up-to-date with them.

Prompted by a problem report from Christian Ehrhardt regarding ERP.

Tested:
iwn 6205: stsp, Josh Grosse
iwm 7265: trondd
iwm 8265: stsp, Matthias Schmidt
iwm 9260: phessler
iwx ax200: stsp, jmc, gnezdo


Revision tags: OPENBSD_6_9_BASE
# 1.184 15-Apr-2021 stsp

When starting an AP or IBSS network, reconfigure the operation mode to
11ac/n/a/g/b as applicable. Fixes an issue where hostap would end up
running in the rather meaningless MODE_AUTO unless a mode was explicitly
configured with ifconfig.

Found while investigating issues reported by trondd testing my athn RA patch.

ok deraadt@


# 1.183 10-Mar-2021 jsg

spelling

ok gnezdo@ semarie@ mpi@


Revision tags: OPENBSD_6_8_BASE
# 1.182 31-May-2020 stsp

Remove a dead assignment to ni_rsn_state in ieee80211_node_leave_rsn().

Patch by Mikolaj Kucharski


Revision tags: OPENBSD_6_7_BASE
# 1.181 05-May-2020 stsp

Purge the ic_bss->ni_savedq mbuf queue when a wireless interface goes down.

Purging this queue prevents a panic which occurs when a WPA2-enabled athn(4)
hostap interface is reconfigured while this queue contains frames.

In hostap mode, this queue contains group-addressed (broadcast) frames
which are buffered for clients sleeping in powersave state. Frames on
this queue are transmitted when it is time to send another beacon, at
which point in time sleeping clients wake up to receive such frames.

The panic message is "key unset for sw crypto", which can be explained as
follows: Group keys are cleared when the interface goes down. The beacon Tx
interrupt handler gets triggered by hardware when the interface comes back
up. This handler attempts to encrypt the queued frames for transmission,
resulting in the above panic since the group key has been zeroed out.

This panic has been observed with athn(4) by Jan Stary and Ted Patterson,
and Ted has confirmed that this patch fixes the problem.

ok kettenis@ (with the caveat that it's been a long time since he put our
AP-side powersave support into a working state)


# 1.180 08-Apr-2020 stsp

Fix ifconfig "media:" line for 11n wifi interfaces during and after bgscan.

Media was displayed as e.g. "autoselect (OFDM6)" even though 11n was active
because the current media mode is changed to AUTO for background scanning
and was never switched back to 11N.

ok mpi@ pirofti@


# 1.179 15-Jan-2020 phessler

If join is connected to an AP, remove the node from the cache so we properly
reconnect to the AP

OK stsp@


# 1.178 29-Dec-2019 stsp

If the new candidate AP found after a background scan has an RSSI level
that will also trigger background scans, remain with the current AP.
Avoids ping-pong in environments where APs are tuned for low transmit
range, such as 36c3.

ok phessler benno


# 1.177 10-Nov-2019 stsp

Stop connecting to available open wifi networks when the interface is put up.
From now on, this behaviour must be explicitly enabled with ifconfig join "".
ok sthen jcs deraadt


# 1.176 09-Nov-2019 stsp

Give access points which fail to AUTH or ASSOC less priority during
the next selection of networks from the join list. Prevents endless
attempts to connect to an AP which is out of reach but still somehow
manages to get a beacon or two across to us during scan.

Tested with wifi networks at the University of Bucharest.
Makes switching wifi networks possible after walking to a different
room without having to down/up the interface or suspend/resume.

ok phessler@


# 1.175 09-Nov-2019 stsp

Clear the unref callback function pointer when cleaning up an ieee80211_node.
ok mpi@


# 1.174 31-Oct-2019 stsp

Make background scans less frequent if we keep choosing the same AP.

This helps a bit in situations where a single AP is used and background scans
are causing packet loss, as seen with Jesper Wellin's Broadcom-based AP and my
Android phone in hotspot mode. This is not a proper fix but our background scan
frequency against a single AP was much higher than needed anyway.

Tested by jan, job, benno, Tracey Emery, Jesper Wallin


Revision tags: OPENBSD_6_6_BASE
# 1.173 02-Sep-2019 stsp

Make net80211 expose reasons for association failures to userland and have
ifconfig display them in 'scan' output and on the ieee80211 status line if
the failure is applicable to an already selected AP (e.g. wrong WPA key).

This will hopefully reduce the amount of help requests for what often
turn out to be trivial misconfiguration issues that were previously
hard to diagnose without debug mode.

ifconfig must be recompiled with the new ieee80211_ioctl.h to stay in
sync with the kernel. A full 'make build' will do the right thing!

Very helpful input by mpi@ and deraadt@


# 1.172 27-Aug-2019 stsp

Keep ieee80211_node structures cached across scans, rather than
wiping the entire cache every time a scan is triggered.

This has benefits for userland programs trying to look at scan results,
and for drivers which don't get a full view from hardware on every scan.

Nodes will still be evicted from the cache in one of several ways:

Add a new way of timing out inactive nodes which don't send a beacon
within 10 scan iterations, for client mode only. This should get rid
of stale APs if we're scanning for some time in a changing environment.

If we fail to associate a few times, the corresponding node is removed.

If net80211 transitions back to INIT state (e.g. because of a
user-initiated configuration change) all nodes are removed.

When a background scan starts all nodes will be removed. This could be
revisited later but has been intentionally left as-is for now.

Tested by myself, jmc@, benno@, procter@ on iwm(4), athn(4) and ral(4).


# 1.171 26-Aug-2019 stsp

remove redundant assignment to ic_curmode

This assignment to ic_curmode is redundant because it already occurs
inside ieee80211_setmode(), and channel information in selbs and ni
is equivalent after node_copy().

ok mpi@ kevlo@


# 1.170 29-Jul-2019 stsp

Add support for 802.11n Tx aggregation to net80211 and the iwn(4) driver.

In particular, add Tx block ack session management to net80211, with
enough functionality to support Tx aggregation on devices which perform
A-MPDU subframe scheduling in firmware.
Make use of the iwn(4) firmware Tx scheduler to build A-MPDUs.

net80211's QoS support code is now enabled and used by Tx aggregation.

A-MSDU frames inside A-MPDUs have been tested and work in principle.
For now, this feature is disabled because unfair TCP connection sharing
was observed during testing, where bursts of TCP Ack frames for a single
tcpbench(1) connection arriving in A-MSDUs made other TCP connections stall.
Switch off support for A-MSDUs inside A-MPDUs on the Rx side as well.

Tested on iwn chipsets 1000, 4965, 5100, 5300, 2200, 6200, 6205, 6300
(committed version of tested diff has all debug printfs removed)
tests/ok benno kmos mlarkin kevlo


# 1.169 23-Jul-2019 stsp

In 11n hostap mode, properly disable HT protection when needed
by actually overwriting the relevant bits in ni_htop1.
ok tedu@ phessler@ kettenis@


# 1.168 10-Jun-2019 stsp

Revised version of 'ifconfig mode' command fix.

The 'mode' command is supposed to force a wireless interface into 11a/b/g/n
media mode. This stopped working some time ago, probably during my work on
background scanning. Problem spotted by mlarkin@ who noticed that interfaces
were using 11g mode while forced to 11b mode.

ok phessler, jmatthew (earlier version)
relentless testing by krw@


# 1.167 31-May-2019 stsp

Revert my "Repair the 'ifconfig mode' command" commit.

The "recursion in end_scan()" problem is apparently still present in
the committed version of the diff (reported by krw@).


# 1.166 29-May-2019 stsp

Repair the 'ifconfig mode' command.

The 'mode' command is supposed to force a wireless interface into 11a/b/g/n
media mode. This stopped working some time ago, probably during my work on
background scanning. Problem spotted by mlarkin@ who noticed that interfaces
were using 11g mode while forced to 11b mode.

ok phessler, jmatthew


# 1.165 11-May-2019 stsp

Show driver name on net80211 scan debug lines.
ok mpi@


# 1.164 28-Apr-2019 mpi

Removes the KERNEL_LOCK() from bridge(4)'s output fast-path.

This redefines the ifp <-> bridge relationship. No lock can be
currently used across the multiple contexts where the bridge has
tentacles to protect a pointer, use an interface index.

Tested by various, ok dlg@, visa@


Revision tags: OPENBSD_6_5_BASE
# 1.163 15-Mar-2019 phessler

fix autojoin for WEP network by actually saving the WEP auth key

discovered while attempting to autojoin WEP networks


# 1.162 01-Mar-2019 stsp

Improve handling of HT protection for 'mode 11n' hostap.

Consider the mere presence of HTCAP IEs as indicator of 11n support,
rather than checking advertised Rx MCS. Fixes some devices being
misclassified as 11a/g, causing HT protection to be enabled even
though it is not needed.

Use CTS-to-self frames for HT protection instead of RTS/CTS.

These changes make my athn(4) AR9280 hostap perform much better.

ok phessler@


# 1.161 23-Jan-2019 stsp

Move 802.11n rateset definitions out of MiRA and make them available to
net80211 and drivers in general. Add ratesets for 'short guard interval'
(SGI) rates, and add SGI support to MiRA. SGI is currently only used by
iwm(4), and of course internally by bwfm(4) firmware.
Ratesets for 11n 40 MHz channels and 11ac will come later.
ok mpi@ phessler@


# 1.160 18-Jan-2019 phessler

add a len field when we delete an essid from the joinlist. this will have
us properly match, instead of hoping we got lucky when selecting it.

OK stsp@


# 1.159 18-Jan-2019 phessler

let users automatically use join to connect to any open wifi network.
if a known network is visible, always prefer that instead.

requested by many, OK stsp@


# 1.158 25-Nov-2018 phessler

print more details about the join'd networks we have saved when a user runs
ifconfig if joinlist

OK stsp@


# 1.157 20-Nov-2018 phessler

fix whitespace in debugging function


# 1.156 20-Nov-2018 patrick

The first packet received from each AP in each QoS class would be
dropped as the sequence number matches the initial value of the
cached last sequence number (zero). On some APs (notably Android
WIFI hotspots) this hits the first packet of the WPA2 4-way
handshake. This causes connection delays and in some cases
connection to the AP fails completely. Initialize the cached last
sequence numbers for received packets to an invalid value instead.

From Christian Ehrhardt
ok gerhard@ stsp@
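
As an added illustration of the bug described above (not net80211's code; all names are hypothetical and the real stack's other checks, such as the retry flag, are omitted), a minimal per-TID duplicate filter seeded with zero beside one seeded with an out-of-range sentinel, run over a constructed frame trace:

```c
/* Added example, not OpenBSD code: why seeding a "last seen sequence
 * number" cache with 0 silently drops the very first frame that carries
 * sequence number 0, and how an invalid sentinel avoids that. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NUM_TIDS     16      /* hypothetical: one slot per 802.11 TID */
#define SEQ_MASK     0x0fff  /* 802.11 sequence numbers are 12 bits wide */
#define SEQ_INVALID  0xffff  /* sentinel no real frame can carry */

struct dup_cache {
	uint16_t last_seq[NUM_TIDS];   /* last accepted seq per TID */
};

/* Buggy: a zeroed cache looks as if seq 0 had already been received. */
static void dup_cache_init_buggy(struct dup_cache *c)
{
	memset(c, 0, sizeof(*c));
}

/* Fixed: seed every slot with a value outside the 12-bit seq space. */
static void dup_cache_init_fixed(struct dup_cache *c)
{
	for (int i = 0; i < NUM_TIDS; i++)
		c->last_seq[i] = SEQ_INVALID;
}

/* Returns true if the frame is accepted, false if it is treated as a
 * duplicate of the previous frame on this TID. */
static bool dup_cache_accept(struct dup_cache *c, unsigned tid, uint16_t seq)
{
	seq &= SEQ_MASK;
	if (tid >= NUM_TIDS)
		return false;
	if (c->last_seq[tid] == seq)
		return false;      /* same seq as last frame: drop */
	c->last_seq[tid] = seq;
	return true;
}

/* Feed a trace of sequence numbers (all on one TID) through a freshly
 * initialised cache and return how many frames were accepted. */
static int count_accepted(bool fixed, const uint16_t *seqs, size_t n)
{
	struct dup_cache c;
	int accepted = 0;

	if (fixed)
		dup_cache_init_fixed(&c);
	else
		dup_cache_init_buggy(&c);
	for (size_t i = 0; i < n; i++)
		if (dup_cache_accept(&c, 0, seqs[i]))
			accepted++;
	return accepted;
}

int main(void)
{
	/* Constructed trace: first frame has seq 0 (e.g. the first EAPOL
	 * frame of the 4-way handshake), then a retransmission of it,
	 * then two new frames. */
	const uint16_t trace[] = { 0, 0, 1, 2 };
	size_t n = sizeof(trace) / sizeof(trace[0]);

	printf("buggy init: %d of %zu frames accepted\n",
	    count_accepted(false, trace, n), n);   /* 2: seq 0 lost */
	printf("fixed init: %d of %zu frames accepted\n",
	    count_accepted(true, trace, n), n);    /* 3: only the retx dropped */
	return 0;
}
```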


# 1.155 27-Oct-2018 phessler

pass around the ess and ni structures we plan to use directly, instead
of rediscovering them (possibly badly).

OK stsp@


# 1.154 27-Oct-2018 phessler

clean up accounting of the AUTO_JOIN flag by making sure it is set or cleared
based on the state of the joinlist

OK stsp@


# 1.153 27-Oct-2018 phessler

don't join to a network where we expect cleartext, and the AP is using crypto

OK stsp@


Revision tags: OPENBSD_6_4_BASE
# 1.152 18-Sep-2018 mestre

fix memory leak in ieee80211_end_scan()

OK phessler@ jsg@


# 1.151 17-Sep-2018 jsg

fix memory leaks in ieee80211_add_ess()
ok stsp@ phessler@


# 1.150 11-Sep-2018 phessler

use the format string for signed ints, for signed ints

reminded by stsp@


# 1.149 11-Sep-2018 phessler

With the interface debug flag enabled, print a "score" for each AP we
consider during auto-join. This can help users determine why a specific
network was chosen.

OK stsp@


# 1.148 10-Sep-2018 phessler

fix typo in the length of the essid we want to switch to

found with and OK stsp@


# 1.147 10-Sep-2018 phessler

extract clearing WEP/WPA in ess into helper functions


# 1.146 10-Sep-2018 phessler

give set_ess a len variable, so we can correctly match the essid we want
to switch to.

pointed out by stsp@


# 1.145 09-Sep-2018 phessler

convert the things we save in 'join' into a single ioctl. mixing related
settings over multiple calls was risky and racy. Pass essid, wpa, and wep
parameters in a single ioctl and process it atomically.

no change for 'nwid' users

OK stsp@ benno@


# 1.144 06-Sep-2018 jsg

fix whitespace


# 1.143 01-Sep-2018 stsp

Make 'ifconfig nwid' override 'ifconfig join'.

There was no way to override a decision made by join's network
selection algorithm (apart from disabling the feature by clearing
the join list). Automatic selection is based on heuristics which
cannot always guess correctly so we need to provide an override.

One specific problem was that if 'nwid foo' and 'nwid bar' were
both visible in the scan and only 'nwid foo' was a member of the
join list, then there was no way at all to connect to 'nwid bar'.
The wireless stack would keep selecting 'nwid foo' instead.

'ifconfig iwm0 nwid bar' command will now disable automatic
network selection and force the use of ESSID 'bar'.
Any of these commands will re-enable automatic network selection:
ifconfig iwm0 -nwid
ifconfig iwm0 nwid ''
ifconfig iwm0 join some-network-id

ok phessler@ deraadt@


# 1.142 15-Aug-2018 stsp

Update AP selection heuristics for auto-join.

We now prefer stronger crypto over weaker crypto over none, prefer 5 GHz
band with reasonable RSSI, and use RSSI as a tie-breaker with a slight
advantage for 5GHz. Candidate APs are now ranked by a score which is
calculated based on these attributes.

There is likely room for improvements to make these heuristics
work well across many different environments, but it's a start.

ok phessler@


# 1.141 13-Aug-2018 stsp

Add support for band-steering access points to net80211.

Some access points have a feature called "band steering" where they
will try to push clients from 2 GHz channels to 5 GHz channels.
If a client sends probe-requests on both 2 GHz and 5GHz channels, and
then attempts to authenticate on a 2 GHz channel, such APs will deny
authentication and hope that the client will come back on a 5 GHz channel.

So if we fail to AUTH for any reason, and if there is a different
AP with the same ESSID that we haven't tried yet, try that AP next.
Keep trying until no APs are left, and only then continue scanning.

APs with support for this feature were provided by Mischa Peters.

ok phessler@ mpi@


# 1.140 11-Aug-2018 stsp

Add comment explaining why we read basic MCS set only from beacon/probereq.
requested by mpi@


# 1.139 07-Aug-2018 stsp

Ignore basic MCS set information found in association responses.

Some APs (Aruba 105) send a bogus basic MCS set in assoc responses
which prevents us from enabling 11n support with those APs, while
these APs still behave as if we were an 11n client which renders
the association unusable.

The basic MCS set is already provided in beacons anyway, and the
802.11 2012 standard says the basic MCS set is reserved in frames
other than beacons (see Table 8-130).

ok mpi@


# 1.138 06-Aug-2018 stsp

Refactor ieee80211_add_ess():

Drop ieee80211_add_ess's nwid parameter. Read nwid and length directly
from the ic to make it more obvious where this function is reading from.

nwids are binary data with an explicit length, so treat them as such
instead of treating them like strings.

ok florian phessler


# 1.137 06-Aug-2018 florian

Do not set nwid over and over again. We just found the ess by comparing
the nwid. It will not have changed in the meantime.
OK stsp


# 1.136 03-Aug-2018 phessler

revert 1.133 and part of 1.131
the stack doesn't always fill in the parameters correctly

reported by many


# 1.135 30-Jul-2018 stsp

Don't ask drivers to join a wifi network before an AP has been chosen.
Should fix a panic with bwfm(4) reported by mlarkin@
ok phessler@


# 1.134 19-Jul-2018 florian

ieee80211_ess_is_better() returns 0 or 1, comparing > 1 is always
false so we always selected the first wifi available, not the best
one.

While here shuffle some deck chairs to make it clearer that anything is
better than nothing.

tweak & OK phessler


# 1.133 16-Jul-2018 phessler

the AP sends their crypto parameters as a mask, so let us still select it
in case we want WPA2 and they have WPA1 still enabled


# 1.132 16-Jul-2018 phessler

don't save or use auto-join when the card is not in station (aka client) mode

OK stsp@


# 1.131 13-Jul-2018 phessler

Some more checks before auto-join switches networks.

Make sure all of the crypto options the AP announces match what we
would configure. While here, don't switch if the user has specified
a specific BSSID, and the new AP does not match.

OK stsp@


# 1.130 11-Jul-2018 phessler

Introduce 'auto-join' to the wifi 802.11 stack.

This allows a system to remember which ESSIDs it wants to connect to, any
relevant security configuration, and switch to it when the network we are
currently connected to is no longer available.

Works when connecting and switching between WPA2/WPA1/WEP/clear encryptions.

example hostname.if:
join home wpakey password
join work wpakey mekmitasdigoat
join open-lounge
join cafe wpakey cafe2018
join "wepnetwork" nwkey "12345"
dhcp
inet6 autoconf
up

OK stsp@ reyk@
and enthusiasm from every hackroom I've been in for the last 3 years


# 1.129 28-Apr-2018 stsp

When starting a background scan, free the nodes table to ensure we
get an up-to-date view of APs around us. In particular, we need to
kick out the AP we are associated to. Otherwise, our current AP might
stay cached if it is turned off while we are scanning, and we could
end up picking a now non-existent but "good looking" AP over and over.

found with and ok phessler@


# 1.128 27-Apr-2018 stsp

Fix the scan loop: We were only looking for an AP once and stopped
scanning if none was found.
Accidentally broken in recent ifconfig scan changes by pirofti and me.
ok pirofti


# 1.127 26-Apr-2018 pirofti

net80211: stub SIOCS80211SCAN, make ifconfig scan instant.

The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stsp@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.

The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.

In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.

The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...

Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.

Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).

Tested by mpi@, landry@, florian@, thanks!
OK mpi@.


Revision tags: OPENBSD_6_3_BASE
# 1.126 06-Feb-2018 phessler

convert the test if a node supports HT (aka, 11n) into an inline function,
instead of testing some un-obvious bitfield

OK stsp@


# 1.125 12-Dec-2017 stsp

Don't dereference IEEE80211_CHAN_ANYC pointer in ieee80211_node_checkrssi().

Problem reported by Gregoire Jadi on bugs@


# 1.124 12-Dec-2017 phessler

Allow interfaces that aren't SCANNALLBAND drivers to benefit from the
strongest received signal.

OK stsp@


# 1.123 12-Dec-2017 jcs

Fix the behavior of preferring weaker-but-still-good 5GHz APs over
2GHz APs because the 5GHz band is generally less saturated.

The previous implementation was dependent upon the order of walking
APs.

ok stsp


# 1.122 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


Revision tags: OPENBSD_6_2_BASE
# 1.121 05-Sep-2017 stsp

When starting a new scan always set the mode to AUTO if the driver scans
all bands at once. Fixes a problem where e.g. 5GHz APs were filtered out
if we were previously associated to an 11g-only AP.
ok mpi@ phessler@


# 1.120 17-Aug-2017 stsp

Add an entry to dmesg if pairwise WPA keys arrive unexpectedly or if WPA
group keys are being reused. OpenBSD wireless clients will now leave a
trail of such events in their message log.

There has been increased public scrutiny of WPA's security recently, so
I am curious to see if anyone is attempting replay attacks in the wild.

ok deraadt


# 1.119 04-Aug-2017 stsp

Compile a debug printf in ieee80211_match_bss() by default, previously
guarded by the IEEE80211_DEBUG preprocessor flag. This shows one line
per detected AP after a scan, and indicates which APs are considered
candidates for association.
Shorten the output a bit to fit into 80 columns more likely.
ok sthen@


# 1.118 19-Jul-2017 stsp

Improve the heuristic which selects 5GHz APs over 2GHz APs.

The previous code wasn't quite right: it didn't account for the fact that
some drivers don't set ic_max_rssi, and it compared 5GHz APs to a threshold
relative to the max RSSI, rather than comparing RSSI on 5GHz relative to
RSSI on 2GHz.

This heuristic is only used by SCANNALLBAND drivers: iwn(4), iwm(4), wpi(4)

In the future the AP selection heuristic should be made more intelligent,
e.g. it should take BSS load information in beacons into account.
Another open problem is inconsistent representation of RSSI measurement
values throughout our drivers and stack. Help is welcome!

For now, this hopefully improves AP selection at busy airports.

ok sthen@ deraadt@


# 1.117 04-Jun-2017 tb

Add sizes for free for the RSN IEs. Rewrite ieee80211_save_ie() slightly
to make it more readable.

help, many explanations and ok stsp


# 1.116 03-Jun-2017 tb

Add a few sizes to free().

Input, help & ok stsp


Revision tags: OPENBSD_6_1_BASE
# 1.115 04-Mar-2017 stsp

branches: 1.115.4;
In 11n hostap mode, dynamically adjust HT protection settings based on
the presence of non-HT nodes in the node cache.
OpenBSD 11n APs will now disable HT protection if it is not necessary.
ok mpi@


# 1.114 03-Feb-2017 stsp

Fix 11b clients sending bogus ratesets in association requests. The common
rateset with the AP is calculated only after the association response was
received, which is too late. Fix rates when an AP is selected after a scan.
ok mpi@ tb@


# 1.113 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.112 16-Jan-2017 stsp

Reset block ack state and cancel related timeouts when a HT node disassociates.
The existing code (from damien@) already took care of freeing related buffers
but because block ack state was not reset we were still trying to use these
buffers if the node sent another A-MPDU. This problem only affects 11n hostap.
Fixes kernel crash reported by Timo Myyra on bugs@


# 1.111 09-Jan-2017 stsp

When a HT node leaves or reassociates as a non-HT node,
clear HT capabilities stored in its node cache object.

A node may switch from 11n mode to 11a/b/g mode.
If we don't clear HT capabilities from the cache the node will
be mistaken as 11n-capable after reassociation.

ok phessler@ mpi@


# 1.110 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.109 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.108 09-Jan-2017 stsp

The point of ieee80211_node_leave() is to place the node in COLLECT state.
Return early and do nothing if the node is already in COLLECT state upon
entry to this function.


# 1.107 09-Jan-2017 stsp

When acting as hostap, negotiate HT before calling the driver's ic_newassoc()
function, not afterwards. Drivers now know whether a joining node supports HT
which helps with setting up state such as which Tx rate to use.


# 1.106 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@


# 1.105 15-Sep-2016 dlg

move from RB macros to the RBT functions.

shaves about 5k off an amd64 GENERIC.MP kernel


# 1.104 17-Aug-2016 stsp

If a wireless device or driver scans all bands at once give 5GHz APs
a slight priority in cases where good matches exist in either band.
ok sthen@


Revision tags: OPENBSD_6_0_BASE
# 1.103 21-May-2016 stsp

branches: 1.103.2;
Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


# 1.102 18-May-2016 stsp

In hostap mode, don't re-use association IDs (AIDs) of nodes which are
still lingering in the node cache. This could cause an AID to be assigned
twice, once to a newly associated node and once to a different node in
COLLECT cache state (i.e. marked for future eviction from the node cache).

Drivers (e.g. rt2860) may use AIDs to keep track of nodes in firmware
tables and get confused when AIDs aren't unique across the node cache.
The symptom observed with rt2860 was nodes stuck at 1 Mbps Tx rate since
the duplicate AID made the driver perform Tx rate (AMRR) accounting on
the wrong node object.

To find out if a node is associated we now check the node's cache state,
rather than comparing the node's AID against zero. An AID is assigned when
a node associates and it lasts until the node is eventually purged from the
node cache (previously, the AID was made available for re-use when the node
was placed in COLLECT state). There is no need to be stingy with AIDs since
the number of possible AIDs exceeds the maximum number of nodes in the cache.

Problem found by Nathanael Rensen.
Fix written by Nathanael and myself. Tested by Nathanael.
Committing now to get this change tested across as many drivers as possible.


# 1.101 12-Apr-2016 mpi

Call if_enqueue() and if_start() instead of dereferencing the ifp
pointers.

These functions have been introduced to abstract some of the MP-
safeness^Wmadness and should be used everywhere.

Prodded by a comment from jsg@.

ok mikeb@, stsp@


# 1.100 03-Mar-2016 gerhard

Restore assignment of ic_curmode that was accidentally removed when
moving the ERP code to post-assoc phase. Fixes iwi(4) fatal firmware
errors.

ok stsp@, sobrado@


Revision tags: OPENBSD_5_9_BASE
# 1.99 25-Jan-2016 stsp

branches: 1.99.2;
Honour ERP protection on 2 GHz channels in 11n mode, as done for 11g.
ok millert@


# 1.98 25-Jan-2016 stsp

Don't try to interpret htprot data if the last beacon didn't contain such data.
ok mpi@ millert@


# 1.97 07-Jan-2016 stsp

Make the A-MPDU reordering buffer more resilient against APs which drop
some subframes or let the sequence number jump up by more than 1 (hard
to tell which it is). We decrease the BA inactivity timeout for quicker
recovery from stalled BA sessions, and add a new timeout which keeps track
of gaps in the subframe sequence number space due to dropped frames.
Gaps expire after 500 msec, the same value FreeBSD uses for their
implementation of this workaround. And Linux uses this trick, too.

This should fix network stalls some people have been seeing in 11n mode.

ok deraadt@


# 1.96 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.95 04-Jan-2016 stsp

While configuring ERP we need to know if we're in 11a or 11g mode so only
configure ERP once we are sure about our operation mode against the AP.
ok sthen jasper kettenis deraadt mpi


# 1.94 18-Dec-2015 sthen

unnoccupied->unoccupied


# 1.93 12-Dec-2015 stsp

Finish support for receiving 11n A-MPDUs.

The initial implementation was added by damien@ years ago.
Summary of the changes made in this commit:
- In ieee80211_input(), process A-MPDUs before duplicate detection.
- Don't forget to set ba->ba_ni in ieee80211_recv_addba_req()
so we don't crash in ieee80211_rx_ba_timeout().
- In ieee80211_recv_addba_req(), tweak the logic to deny BlockAck
requests if the driver has no callback for doing so.
- Implement ieee80211_ba_del() which cleans up BlockAck state.
- Increase the minimum and maximum lifetime for BlockAck agreements.

ok mpi@


# 1.92 24-Nov-2015 mpi

No need to include <net/if_arp.h>

This header is only needed because <netinet/if_ether.h> declares a
structure that needs it. But it turns out that <net/if.h> already
includes it as workaround.

A proper solution would be to stop declaring "struct ether_arp"
there. But no driver should need this header.


# 1.91 15-Nov-2015 stsp

Parse 11n HT capabilities and operational info from association response
frames, negotiate HT with the AP, and move the interface into or out of
11n mode accordingly. If running as AP negotiate HT with nodes joining the BSS.

ok deraadt mpi kettenis guenther


# 1.90 15-Nov-2015 stsp

Extend struct ieee80211_node with fields for 11n STA HT capabilities and
HT operational information sent by 11n APs. These fields reflect the structure
of elements in management frames so that IEEE80211_HTCAP* and IEEE80211_HTOP*
macros designed to operate on frame elements can be used directly to read
or set the fields.

Populate nodes with HT information received in probe responses, probe
requests, and association requests.

ok deraadt mpi phessler kettenis guenther


# 1.89 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


Revision tags: OPENBSD_5_8_BASE
# 1.88 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.87 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.86 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.85 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.84 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.83 12-Sep-2014 sthen

Remove cached 802.11 nodes in IEEE80211_STA_CACHE state (these are nodes
which have been seen but which haven't otherwise interacted with us), fixing
a problem where old cached nodes are seen when doing a scan.
From Marcin Piotr Pawlowski, feedback stsp@ ok kspillner@ dcoppa@


# 1.82 08-Aug-2014 jasper

use nitems() instead of various local constructs

ok stsp@


Revision tags: OPENBSD_5_6_BASE
# 1.81 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


Revision tags: OPENBSD_5_5_BASE
# 1.80 01-Dec-2013 stsp

Reset txrate array index after changing a node's rate list.
Should prevent "bogus xmit rate %d setup" panics, which I ran into again
in IBSS mode.
ok kettenis


# 1.79 21-Nov-2013 mpi

Remove unneeded include.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.78 24-Mar-2013 claudio

Make ieee80211_set_tim() available from outside of ieee80211_node.c
so drivers like acx(4) can use that function directly instead of
reimplementing the function again. Requested by kettenis@ a long time ago.


Revision tags: OPENBSD_5_3_BASE
# 1.77 07-Nov-2012 stsp

Fix DPRINTF() format string treating n->ni_refcnt, which is unsigned, as signed.
diff from dhill; ok kettenis reyk


# 1.76 10-Oct-2012 kettenis

Clear the powersave flag and purge queued packets when a node leaves the AP
(either by disassociating or by timeout). Fixes (most) remaining issues with
power saving.

From Nathanael Rensen.

ok claudio@, krw@, sthen@


# 1.75 05-Oct-2012 camield

Point an interface directly to its bridgeport configuration, instead
of to the bridge itself. This is ok, since an interface can only be part
of one bridge, and the parent bridge is easy to find from the bridgeport.

This way we can get rid of a lot of list walks, improving performance
and shortening the code.

ok henning stsp sthen reyk


# 1.74 20-Sep-2012 stsp

Nuke M_80211_NODE #define which mapped to M_DEVBUF and use M_DEVBUF directly.
ok henning


# 1.73 25-Aug-2012 kettenis

Set up ni_savedq for the initial BSS node such that it can actually be used
to store multicast frames when one of the associated stations is in power
saving mode.

ok stsp@


# 1.72 17-Aug-2012 stsp

Fix possible panic while switching from STA mode into hostap/ibss modes.
ieee80211_create_ibss() resets the set of supported rates but failed
to update the index into the rate set array accordingly. If the rate
configured during STA operation didn't belong to the newly configured
rate set the system ran into an assertion ("bogus xmit rate %u setup")
while trying to create the IBSS.
ok fgsch@


Revision tags: OPENBSD_5_2_BASE
# 1.71 18-Jul-2012 stsp

Print messages about nodes purged from the node cache if hostap/ibss modes are
compiled in and the interface is in debug mode. ok sthen


# 1.70 16-Jul-2012 stsp

Move increment of ic_nnodes closer to where the node is actually inserted
into the cache. Make sure we're at IPL_NET while incrementing/decrementing
ic_nnodes. Add a debug message that warns about possible node leaks.
All of this affects hostap mode only.


# 1.69 13-Jul-2012 stsp

Tweak node cache eviction strategy when the cache is full: kick off new nodes
in AUTH state that weren't active during the cache wait interval rather than
keeping them for the entire cache timeout interval. Fixes association failures
in noisy RF environments. Tested by edd and myself with a slow soekris
suffering from RF noise with about 50 interrupts per second on ral0.
ok deraadt


Revision tags: OPENBSD_5_1_BASE
# 1.68 25-Jan-2012 stsp

There is no need to explicitly skip ic_bss when iterating over cached nodes.
The ic_bss is never put into the RB tree.


# 1.67 25-Jan-2012 stsp

Clean inactive authenticated nodes during cache timeout as well.
There is no need to keep nodes cached which never associated and were
inactive within the last 5 minutes or more. Keeps the node cache pretty
clean in my environment with typical city-center wlan noise.


# 1.66 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@


# 1.65 21-Jan-2012 stsp

Hold interrupts blocked while comparing a cached node's refcount to zero
and freeing the node. Just in case an interrupt happens to ref the node after
the refcount was checked but before the node is freed.
Tested by several as part of a larger diff.


# 1.64 18-Jan-2012 stsp

Make it possible to free cached nodes which never associated (e.g. nodes
only scanning for networks). These were never put into COLLECT state and
were thus never evicted from the node cache in hostap mode.
ok jsg@


Revision tags: OPENBSD_5_0_BASE
# 1.63 28-Mar-2011 kettenis

Clean nodes until the number of cached nodes is smaller than the maximum number
of nodes, otherwise we'll never actually clean any nodes. Fixes issues with
clients failing to attach because the node cache is completely filled.

ok damien@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.62 07-Aug-2010 krw

No "\n" needed at the end of panic() strings.

Bogus chunks pointed out by matthew@ and miod@. No cookies for
marco@ and jasper@.

ok deraadt@ miod@ matthew@ jasper@ marco@


# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


# 1.60 19-Jun-2010 damien

In ieee80211_node_leave(), clear the associd after calling
ieee80211_node_leave_rsn() since ieee80211_node_leave_rsn()
calls ic_delete_key() and drivers like ral(4) RT2860 need
a valid associd in their delete_key callbacks.
This affects HostAP mode only.

from Nathanael Rensen.

remove a useless (nested) #ifndef IEEE80211_STA_ONLY while i'm here


# 1.59 14-Jun-2010 damien

fix my previous commit, i forgot BIP, so instead of enumerating
what is not supported as a group cipher, enumerate what is supported.


# 1.58 14-Jun-2010 damien

do not try to associate with an AP using an unsupported group cipher,
otherwise we will panic in ieee80211_add_rsn_body().

this may be the cause of a panic seen by reyk@ though i'm not 100% sure.


# 1.57 28-Mar-2010 krw

Four uses of uninitialized variables found by clang via jsg@. ar5416, ar9287
and athn are only theoretically interesting. ieee80211_node fixes a real
bug in occupied channel detection.

ok damien@


Revision tags: OPENBSD_4_7_BASE
# 1.56 17-Feb-2010 damien

Do not always create a new node when a beacon or a probe response
is received. The creation of a new node is already handled in
ieee80211_recv_probe_resp() when necessary.
This avoids creating empty nodes with wrong channels when beacons
are received on the wrong channel (overlapping channels).
Those empty nodes may also prevent the real node from being
discovered because of ieee80211_find_node_for_beacon() filtering.

This should prevent entries of the form:
nwid "" chan 3 bssid 00:01:02:03:04:05 0dB 54M
in "ifconfig if0 scan" output, like reported by Rivo Nurges.


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.55 29-Jan-2009 damien

fix a panic that occurs when IEEE80211_STA_ONLY is defined (SMALL_KERNEL).

noticed by ray@, more investigation from sthen@
fix tested by sthen@


# 1.54 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.53 28-Jan-2009 damien

In ieee80211_find_node(), roll our own RB_FIND() based on the key (macaddr)
instead of resorting to horrid hacks/casts.
Restore the ieee80211_node structure back to its original state.


# 1.52 27-Jan-2009 damien

unbreak SMALL_KERNEL builds by adding missing #ifndef IEEE80211_STA_ONLY

pointed out by krw@


# 1.51 26-Jan-2009 damien

move ni_macaddr field at the top of the ieee80211_node structure.
this way we can avoid putting a full node structure (which is huge)
on the stack in ieee80211_find_node().
this is a bit tricky but the RB_FIND macro wants an "elem" structure,
not a field of "elem".


# 1.50 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.49 14-Dec-2008 damien

Add an ieee80211_notify_dtim() function that drivers should call after
every DTIM in HostAP mode.
Flushes all group addressed MSDUs buffered at the AP for power management.


# 1.48 23-Oct-2008 mk

Prevent a crash in ieee80211_setkeys() when unplugging an interface in
hostap mode by canceling the group rekey timeout in ieee80211_node_detach().

ok damien


# 1.47 15-Oct-2008 blambert

Second pass of simple timeout_add -> timeout_add_sec conversions
This should take care of the simpler ones (i.e., timeout values of
integer multiples of hz).

ok krw@, art@


# 1.46 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.45 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.44 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.43 12-Aug-2008 damien

new SHA-256 based AKMPs.


# 1.42 12-Aug-2008 damien

add/process group integrity cipher suite in RSN IEs.
add support for MFP negotiation during association.


# 1.41 12-Aug-2008 damien

the only integrity group cipher currently supported is AES-128-CMAC.


# 1.40 12-Aug-2008 damien

generate a random IGTK in HostAP mode if we're MFP-capable.


# 1.39 12-Aug-2008 damien

get rid of the map_ptk()/map_gtk() functions, just inline them
which makes things easier to track.


Revision tags: OPENBSD_4_4_BASE
# 1.38 02-Aug-2008 damien

Drop frames that are received unencrypted when WEP is on or when
WPA is on and RX protection for TA is on.
Keep track of the TX/RX protection for each node when WPA is on.

tested by djm@ (ral+wpa), ckuethe@ (ath-noenc) and krw@ (wpi<->ral+wpa).
hints from bluhm@
has been in snaps for a few days.

pointed out by bluhm@ something like 1 year ago but we did not have
the right infrastructure to fix it properly at that time.

ok deraadt@


# 1.37 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.36 27-Jul-2008 damien

s/IEEE80211_DPRINTF/DPRINTF/
automatically prepend __func__ to output.

deobfuscates debug messages a bit.
no binary change unless compiled with IEEE80211_DEBUG.


# 1.35 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.34 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


# 1.33 21-Apr-2008 damien

move ieee80211_ibss_merge() from ieee80211_input.c to ieee80211_node.c


# 1.32 21-Apr-2008 damien

move ieee80211_auth_open() to ieee80211_proto.c
move ieee80211_setup_rates() to ieee80211_node.c
move some prototypes from ieee80211_proto.h to ieee80211_crypto.h


# 1.31 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.30 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.29 07-Sep-2007 damien

use new malloc M_ZERO flag + replace MALLOC with malloc


Revision tags: OPENBSD_4_2_BASE
# 1.28 06-Jul-2007 damien

remove remaining bits for pre-RSNA shared authmode support.
it has been #if 0'd since 3.9 and we have never supported this mode (no
ifconfig option etc...).


# 1.27 06-Jul-2007 damien

initialize an uninitialized variable.


# 1.26 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.25 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.24 16-Jun-2007 damien

constify


# 1.23 16-Jun-2007 damien

don't mix u_int{8,16,32}_t and uint{8,16,32}_t
use u_int{8,16,32}_t everywhere.


# 1.22 16-Jun-2007 damien

de-static

ok jsg@


# 1.21 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.20 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


# 1.19 10-Apr-2007 miod

``it's'' -> ``its'' when the grammar gods require this change.


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 13-Nov-2006 damien

fix a possible NULL deref.


Revision tags: OPENBSD_4_0_BASE
# 1.16 19-Jun-2006 reyk

unbreak the code if compiled with IEEE80211_DEBUG by using the right
node attribute.

ok damien@, figured out by claudio@


# 1.15 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.14 19-Feb-2006 damien

Fix a comment in ieee80211_next_scan().


# 1.13 09-Oct-2005 reyk

if the wireless hostap interface belongs to a bridge, learn the node's
address dynamically on this interface after successful association.
this could speed wireless roaming to openbsd accesspoints.

ok jason@, jsg@ can't see anything objectionable


# 1.12 07-Oct-2005 reyk

minor knf


# 1.11 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.10 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.9 08-Sep-2005 jsg

Remove the last of the FreeBSD compatibility goop.
ok reyk@


# 1.8 08-Sep-2005 jsg

Remove FreeBSD if_printf compat function from net80211.
ok reyk@


# 1.7 08-Sep-2005 reyk

reset the scan state for each new mode

ok jsg@


# 1.6 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.5 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.4 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.3 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.2 02-Nov-2004 millert

Don't call memset() if MALLOC returns NULL; also fix the rcs ID.
From Patrick Latifi; OK reyk@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.188 03-Nov-2021 krw

In addition to the WEP key(s) being set at device initialization with
'nwid'/'nwkey', the keys will be set at random times when 'join'/'nwkey' is
used. So also stop trying to set IEEE80211_CIPHER_NONE keys on that path.

James Hastings confirms this fixes his '(null node)' panics on run(4). Thanks!

ok stsp@


# 1.187 08-Oct-2021 stsp

Revert my previous commit to ieee80211_node.c (CVS commit Hne35XgzezGa9zmv).

Sending frames from ieee80211_node_join_bss() won't work as expected.
I missed that IEEE80211_SEND_MGMT() calls if_start() immediately after
queueing the management frame. This means the probe request is being
sent in a state where, while ic_bss represents our new AP, the driver
did not yet have a chance to move the device over to our new AP.

The auth request for the new AP is sent from ieee80211_newstate() which
runs after the driver has reconfigured the device. If we want to send a
probe request to the new AP then we would need to send it at that point,
before the auth frame gets sent.


# 1.186 07-Oct-2021 stsp

Send a probe request to our new AP when we are about to roam to it.

Tested by fkr on iwx ax200/ax201 and myself on iwm 8265.
Also tested by florian and bket as part of a larger diff.

ok mpi@


Revision tags: OPENBSD_7_0_BASE
# 1.185 29-Apr-2021 stsp

Make iwn, iwm, and iwx keep track of beacon parameters at run-time.

- HT protection settings (this was already implemented)
- ERP (11g) protection setting
- short slottime setting
- short preamble setting
- EDCA (QoS) parameters

All of these parameters are communicated in beacons and hardware is
now kept up-to-date with them.

Prompted by a problem report from Christian Ehrhardt regarding ERP.

Tested:
iwn 6205: stsp, Josh Grosse
iwm 7265: trondd
iwm 8265: stsp, Matthias Schmidt
iwm 9260: phessler
iwx ax200: stsp, jmc, gnezdo


Revision tags: OPENBSD_6_9_BASE
# 1.184 15-Apr-2021 stsp

When starting an AP or IBSS network, reconfigure the operation mode to
11ac/n/a/g/b as applicable. Fixes an issue where hostap would end up
running in the rather meaningless MODE_AUTO unless a mode was explicitly
configured with ifconfig.

Found while investigating issues reported by trondd testing my athn RA patch.

ok deraadt@


# 1.183 10-Mar-2021 jsg

spelling

ok gnezdo@ semarie@ mpi@


Revision tags: OPENBSD_6_8_BASE
# 1.182 31-May-2020 stsp

Remove a dead assignment to ni_rsn_state in ieee80211_node_leave_rsn().

Patch by Mikolaj Kucharski


Revision tags: OPENBSD_6_7_BASE
# 1.181 05-May-2020 stsp

Purge the ic_bss->ni_savedq mbuf queue when a wireless interface goes down.

Purging this queue prevents a panic which occurs when a WPA2-enabled athn(4)
hostap interface is reconfigured while this queue contains frames.

In hostap mode, this queue contains group-addressed (broadcast) frames
which are buffered for clients sleeping in powersave state. Frames on
this queue are transmitted when it is time to send another beacon, at
which point in time sleeping clients wake up to receive such frames.

The panic message is "key unset for sw crypto", which can be explained as
follows: Group keys are cleared when the interface goes down. The beacon Tx
interrupt handler gets triggered by hardware when the interface comes back
up. This handler attempts to encrypt the queued frames for transmission,
resulting in the above panic since the group key has been zeroed out.

This panic has been observed with athn(4) by Jan Stary and Ted Patterson,
and Ted has confirmed that this patch fixes the problem.

ok kettenis@ (with the caveat that it's been a long time since he put our
AP-side powersave support into a working state)


# 1.180 08-Apr-2020 stsp

Fix ifconfig "media:" line for 11n wifi interfaces during and after bgscan.

Media was displayed as e.g. "autoselect (OFDM6)" even though 11n was active
because the current media mode is changed to AUTO for background scanning
and was never switched back to 11N.

ok mpi@ pirofti@


# 1.179 15-Jan-2020 phessler

If join is connected to an AP, remove the node from the cache so we properly
reconnect to the AP

OK stsp@


# 1.178 29-Dec-2019 stsp

If the new candidate AP found after a background scan has an RSSI level
that will also trigger background scans, remain with the current AP.
Avoids ping-pong in environments where APs are tuned for low transmit
range, such as 36c3.

ok phessler benno


# 1.177 10-Nov-2019 stsp

Stop connecting to available open wifi networks when the interface is put up.
From now on, this behaviour must be explicitly enabled with ifconfig join "".
ok sthen jcs deraadt


# 1.176 09-Nov-2019 stsp

Give access points which fail to AUTH or ASSOC less priority during
the next selection of networks from the join list. Prevents endless
attempts to connect to an AP which is out of reach but still somehow
manages to get a beacon or two across to us during scan.

Tested with wifi networks at the University of Bucharest.
Makes switching wifi networks possible after walking to a different
room without having to down/up the interface or suspend/resume.

ok phessler@


# 1.175 09-Nov-2019 stsp

Clear the unref callback function pointer when cleaning up an ieee80211_node.
ok mpi@


# 1.174 31-Oct-2019 stsp

Make background scans less frequent if we keep choosing the same AP.

This helps a bit in situations where a single AP is used and background scans
are causing packet loss, as seen with Jesper Wellin's Broadcom-based AP and my
Android phone in hotspot mode. This is not a proper fix but our background scan
frequency against a single AP was much higher than needed anyway.

Tested by jan, job, benno, Tracey Emery, Jesper Wallin


Revision tags: OPENBSD_6_6_BASE
# 1.173 02-Sep-2019 stsp

Make net80211 expose reasons for association failures to userland and have
ifconfig display them in 'scan' output and on the ieee80211 status line if
the failure is applicable to an already selected AP (e.g. wrong WPA key).

This will hopefully reduce the amount of help requests for what often
turn out to be trivial misconfiguration issues that were previously
hard to diagnose without debug mode.

ifconfig must be recompiled with the new ieee80211_ioctl.h to stay in
sync with the kernel. A full 'make build' will do the right thing!

Very helpful input by mpi@ and deraadt@


# 1.172 27-Aug-2019 stsp

Keep ieee80211_node structures cached across scans, rather than
wiping the entire cache every time a scan is triggered.

This has benefits for userland programs trying to look at scan results,
and for drivers which don't get a full view from hardware on every scan.

Nodes will still be evicted from the cache in one of several ways:

Add a new way of timing out inactive nodes which don't send a beacon
within 10 scan iterations, for client mode only. This should get rid
of stale APs if we're scanning for some time in a changing environment.

If we fail to associate a few times, the corresponding node is removed.

If net80211 transitions back to INIT state (e.g. because of a
user-initiated configuration change) all nodes are removed.

When a background scan starts all nodes will be removed. This could be
revisited later but has been intentionally left as-is for now.

Tested by myself, jmc@, benno@, procter@ on iwm(4), athn(4) and ral(4).


# 1.171 26-Aug-2019 stsp

remove redundant assignment to ic_curmode

This assignment to ic_curmode is redundant because it already occurs
inside ieee80211_setmode(), and channel information in selbs and ni
is equivalent after node_copy().

ok mpi@ kevlo@


# 1.170 29-Jul-2019 stsp

Add support for 802.11n Tx aggregation to net80211 and the iwn(4) driver.

In particular, add Tx block ack session management to net80211, with
enough functionality to support Tx aggregation on devices which perform
A-MPDU subframe scheduling in firmware.
Make use of the iwn(4) firmware Tx scheduler to build A-MPDUs.

net80211's QoS support code is now enabled and used by Tx aggregation.

A-MSDU frames inside A-MPDUs have been tested and work in principle.
For now, this feature is disabled because unfair TCP connection sharing
was observed during testing, where bursts of TCP Ack frames for a single
tcpbench(1) connection arriving in A-MSDUs made other TCP connections stall.
Switch off support for A-MSDUs inside A-MPDUs on the Rx side as well.

Tested on iwn chipsets 1000, 4965, 5100, 5300, 2200, 6200, 6205, 6300
(committed version of tested diff has all debug printfs removed)
tests/ok benno kmos mlarkin kevlo


# 1.169 23-Jul-2019 stsp

In 11n hostap mode, properly disable HT protection when needed
by actually overwriting the relevant bits in ni_htop1.
ok tedu@ phessler@ kettenis@


# 1.168 10-Jun-2019 stsp

Revised version of 'ifconfig mode' command fix.

The 'mode' command is supposed to force a wireless interface into 11a/b/g/n
media mode. This stopped working some time ago, probably during my work on
background scanning. Problem spotted by mlarkin@ who noticed that interfaces
were using 11g mode while forced to 11b mode.

ok phessler, jmatthew (earlier version)
relentless testing by krw@


# 1.167 31-May-2019 stsp

Revert my "Repair the 'ifconfig mode' command" commit.

The "recursion in end_scan()" problem is apparently still present in
the committed version of the diff (reported by krw@).


# 1.166 29-May-2019 stsp

Repair the 'ifconfig mode' command.

The 'mode' command is supposed to force a wireless interface into 11a/b/g/n
media mode. This stopped working some time ago, probably during my work on
background scanning. Problem spotted by mlarkin@ who noticed that interfaces
were using 11g mode while forced to 11b mode.

ok phessler, jmatthew


# 1.165 11-May-2019 stsp

Show driver name on net80211 scan debug lines.
ok mpi@


# 1.164 28-Apr-2019 mpi

Removes the KERNEL_LOCK() from bridge(4)'s output fast-path.

This redefines the ifp <-> bridge relationship. No lock can be
currently used across the multiples contexts where the bridge has
tentacles to protect a pointer, use an interface index.

Tested by various, ok dlg@, visa@


Revision tags: OPENBSD_6_5_BASE
# 1.163 15-Mar-2019 phessler

fix autojoin for WEP network by actually saving the WEP auth key

discovered while attempting to autojoin WEP networks


# 1.162 01-Mar-2019 stsp

Improve handling of HT protection for 'mode 11n' hostap.

Consider the mere presence of HTCAP IEs as indicator of 11n support,
rather than checking advertised Rx MCS. Fixes some devices being
misclassified as 11a/g, causing HT protection to be enabled even
though it is not needed.

Use CTS-to-self frames for HT protection instead of RTS/CTS.

These changes make my athn(4) AR9280 hostap perform much better.

ok phessler@


# 1.161 23-Jan-2019 stsp

Move 802.11n rateset definitions out of MiRA and make them available to
net80211 and drivers in general. Add ratesets for 'short guard interval'
(SGI) rates, and add SGI support to MiRA. SGI is currently only used by
iwm(4), and of course internally by bwfm(4) firmware.
Ratesets for 11n 40 MHz channels and 11ac will come later.
ok mpi@ phessler@


# 1.160 18-Jan-2019 phessler

add a len field when we delete an essid from the joinlist. this will have
us properly match, instead of hoping we got lucky when selecting it.

OK stsp@


# 1.159 18-Jan-2019 phessler

let users automatically use join to connect to any open wifi network.
if a known network is visible, always prefer that instead.

requested by many, OK stsp@


# 1.158 25-Nov-2018 phessler

print more details about the join'd networks we have saved when a user runs
ifconfig if joinlist

OK stsp@


# 1.157 20-Nov-2018 phessler

fix whitespace in debugging function


# 1.156 20-Nov-2018 patrick

The first packet received from each AP in each QoS class would be
dropped as the sequence number matches the initial value of the
cached last sequence number (zero). On some APs (notably Android
WIFI hotspots) this hits the first packet of the WPA2 4-way
handshake. This causes connection delays and in some cases
connection to the AP fails completely. Initialize the cached last
sequence numbers for received packets to an invalid value instead.

From Christian Ehrhardt
ok gerhard@ stsp@


# 1.155 27-Oct-2018 phessler

pass around the ess and ni structures we plan to use directly, instead
of rediscovering them (possibly badly).

OK stsp@


# 1.154 27-Oct-2018 phessler

clean up accounting of the AUTO_JOIN flag by making sure it is set or cleared
based on the state of the joinlist

OK stsp@


# 1.153 27-Oct-2018 phessler

don't join to a network where we expect cleartext, and the AP is using crypto

OK stsp@


Revision tags: OPENBSD_6_4_BASE
# 1.152 18-Sep-2018 mestre

fix memory leak in ieee80211_end_scan()

OK phessler@ jsg@


# 1.151 17-Sep-2018 jsg

fix memory leaks in ieee80211_add_ess()
ok stsp@ phessler@


# 1.150 11-Sep-2018 phessler

use the format string for signed ints, for signed ints

reminded by stsp@


# 1.149 11-Sep-2018 phessler

With the interface debug flag enabled, print a "score" for each AP we
consider during auto-join. This can help users determine why a specific
network was chosen.

OK stsp@


# 1.148 10-Sep-2018 phessler

fix typo in the length of the essid we want to switch to

found with and OK stsp@


# 1.147 10-Sep-2018 phessler

extract clearing WEP/WPA in ess into helper functions


# 1.146 10-Sep-2018 phessler

give set_ess a len variable, so we can correctly match the essid we want
to switch to.

pointed out by stsp@


# 1.145 09-Sep-2018 phessler

convert the things we save in 'join' into a single ioctl. mixing related
settings over multiple calls was risky and racy. Pass essid, wpa, and wep
parameters in a single ioctl and process it atomically.

no change for 'nwid' users

OK stsp@ benno@


# 1.144 06-Sep-2018 jsg

fix whitespace


# 1.143 01-Sep-2018 stsp

Make 'ifconfig nwid' override 'ifconfig join'.

There was no way to override a decision made by join's network
selection algorithm (apart from disabling the feature by clearing
the join list). Automatic selection is based on heuristics which
cannot always guess correctly so we need to provide an override.

One specific problem was that if 'nwid foo' and 'nwid bar' were
both visible in the scan and only 'nwid foo' was a member of the
join list, then there was no way at all to connect to 'nwid bar'.
The wireless stack would keep selecting 'nwid foo' instead.

The 'ifconfig iwm0 nwid bar' command will now disable automatic
network selection and force the use of ESSID 'bar'.
Any of these commands will re-enable automatic network selection:
ifconfig iwm0 -nwid
ifconfig iwm0 nwid ''
ifconfig iwm0 join some-network-id

ok phessler@ deraadt@


# 1.142 15-Aug-2018 stsp

Update AP selection heuristics for auto-join.

We now prefer stronger crypto over weaker crypto over none, prefer 5 GHz
band with reasonable RSSI, and use RSSI as a tie-breaker with a slight
advantage for 5GHz. Candidate APs are now ranked by a score which is
calculated based on these attributes.

There is likely room for improvements to make these heuristics
work well across many different environments, but it's a start.

ok phessler@


# 1.141 13-Aug-2018 stsp

Add support for band-steering access points to net80211.

Some access points have a feature called "band steering" where they
will try to push clients from 2 GHz channels to 5 GHz channels.
If a client sends probe-requests on both 2 GHz and 5GHz channels, and
then attempts to authenticate on a 2 GHz channel, such APs will deny
authentication and hope that the client will come back on a 5 GHz channel.

So if we fail to AUTH for any reason, and if there is a different
AP with the same ESSID that we haven't tried yet, try that AP next.
Keep trying until no APs are left, and only then continue scanning.

APs with support for this feature were provided by Mischa Peters.

ok phessler@ mpi@


# 1.140 11-Aug-2018 stsp

Add comment explaining why we read basic MCS set only from beacon/probereq.
requested by mpi@


# 1.139 07-Aug-2018 stsp

Ignore basic MCS set information found in association responses.

Some APs (Aruba 105) send a bogus basic MCS set in assoc responses
which prevents us from enabling 11n support with those APs, while
these APs still behave as if we were an 11n client which renders
the association unusable.

The basic MCS set is already provided in beacons anyway, and the
802.11 2012 standard says the basic MCS set is reserved in frames
other than beacons (see Table 8-130).

ok mpi@


# 1.138 06-Aug-2018 stsp

Refactor ieee80211_add_ess():

Drop ieee80211_add_ess's nwid parameter. Read nwid and length directly
from the ic to make it more obvious where this function is reading from.

nwids are binary data with an explicit length, so treat them as such
instead of treating them like strings.

ok florian phessler


# 1.137 06-Aug-2018 florian

Do not set nwid over and over again. We just found the ess by comparing
the nwid. It will not have changed in the meantime.
OK stsp


# 1.136 03-Aug-2018 phessler

revert 1.133 and part of 1.131
the stack doesn't always fill in the parameters correctly

reported by many


# 1.135 30-Jul-2018 stsp

Don't ask drivers to join a wifi network before an AP has been chosen.
Should fix a panic with bwfm(4) reported by mlarkin@
ok phessler@


# 1.134 19-Jul-2018 florian

ieee80211_ess_is_better() returns 0 or 1, comparing > 1 is always
false so we always selected the first wifi available, not the best
one.

While here shuffle some deck chairs to make it clearer that anything is
better than nothing.

tweak & OK phessler


# 1.133 16-Jul-2018 phessler

the AP sends their crypto parameters as a mask, so let us still select it
in case we want WPA2 and they have WPA1 still enabled


# 1.132 16-Jul-2018 phessler

don't save or use auto-join when the card is not in station (aka client) mode

OK stsp@


# 1.131 13-Jul-2018 phessler

Some more checks before auto-join switches networks.

Make sure all of the crypto options the AP announces match what we
would configure. While here, don't switch if the user has specified
a specific BSSID, and the new AP does not match.

OK stsp@


# 1.130 11-Jul-2018 phessler

Introduce 'auto-join' to the wifi 802.11 stack.

This allows a system to remember which ESSIDs it wants to connect to, any
relevant security configuration, and switch to it when the network we are
currently connected to is no longer available.

Works when connecting and switching between WPA2/WPA1/WEP/clear encryptions.

example hostname.if:
join home wpakey password
join work wpakey mekmitasdigoat
join open-lounge
join cafe wpakey cafe2018
join "wepnetwork" nwkey "12345"
dhcp
inet6 autoconf
up

OK stsp@ reyk@
and enthusiasm from every hackroom I've been in for the last 3 years


# 1.129 28-Apr-2018 stsp

When starting a background scan, free the nodes table to ensure we
get an up-to-date view of APs around us. In particular, we need to
kick out the AP we are associated to. Otherwise, our current AP might
stay cached if it is turned off while we are scanning, and we could
end up picking a now non-existent but "good looking" AP over and over.

found with and ok phessler@


# 1.128 27-Apr-2018 stsp

Fix the scan loop: We were only looking for an AP once and stopped
scanning if none was found.
Accidentally broken in recent ifconfig scan changes by pirofti and me.
ok pirofti


# 1.127 26-Apr-2018 pirofti

net80211: stub SIOCS80211SCAN, make ifconfig scan instant.

The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stsp@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.

The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.

In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.

The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...

Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.

Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).

Tested by mpi@, landry@, florian@, thanks!
OK mpi@.


Revision tags: OPENBSD_6_3_BASE
# 1.126 06-Feb-2018 phessler

convert the test if a node supports HT (aka, 11n) into an inline function,
instead of testing some un-obvious bitfield

OK stsp@


# 1.125 12-Dec-2017 stsp

Don't dereference IEEE80211_CHAN_ANYC pointer in ieee80211_node_checkrssi().

Problem reported by Gregoire Jadi on bugs@


# 1.124 12-Dec-2017 phessler

Allow interfaces that aren't SCANNALLBAND drivers to benefit from the
strongest received signal.

OK stsp@


# 1.123 12-Dec-2017 jcs

Fix the behavior of preferring weaker-but-still-good 5GHz APs over
2GHz APs because the 5GHz band is generally less saturated.

The previous implementation was dependent upon the order of walking
APs.

ok stsp


# 1.122 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


Revision tags: OPENBSD_6_2_BASE
# 1.121 05-Sep-2017 stsp

When starting a new scan always set the mode to AUTO if the driver scans
all bands at once. Fixes a problem where e.g. 5GHz APs were filtered out
if we were previously associated to an 11g-only AP.
ok mpi@ phessler@


# 1.120 17-Aug-2017 stsp

Add an entry to dmesg if pairwise WPA keys arrive unexpectedly or if WPA
group keys are being reused. OpenBSD wireless clients will now leave a
trail of such events in their message log.

There has been increased public scrutiny of WPA's security recently, so
I am curious to see if anyone is attempting replay attacks in the wild.

ok deraadt


# 1.119 04-Aug-2017 stsp

Compile a debug printf in ieee80211_match_bss() by default, previously
guarded by the IEEE80211_DEBUG preprocessor flag. This shows one line
per detected AP after a scan, and indicates which APs are considered
candidates for association.
Shorten the output a bit to fit into 80 columns more likely.
ok sthen@


# 1.118 19-Jul-2017 stsp

Improve the heuristic which selects 5GHz APs over 2GHz APs.

The previous code wasn't quite right: it didn't account for the fact that
some drivers don't set ic_max_rssi, and it compared 5GHz APs to a threshold
relative to the max RSSI, rather than comparing RSSI on 5GHz relative to
RSSI on 2GHz.

This heuristic is only used by SCANNALLBAND drivers: iwn(4), iwm(4), wpi(4)

In the future the AP selection heuristic should be made more intelligent,
e.g. it should take BSS load information in beacons into account.
Another open problem is inconsistent representation of RSSI measurement
values throughout our drivers and stack. Help is welcome!

For now, this hopefully improves AP selection at busy airports.

ok sthen@ deraadt@


# 1.117 04-Jun-2017 tb

Add sizes for free for the RSN IEs. Rewrite ieee80211_save_ie() slightly
to make it more readable.

help, many explanations and ok stsp


# 1.116 03-Jun-2017 tb

Add a few sizes to free().

Input, help & ok stsp


Revision tags: OPENBSD_6_1_BASE
# 1.115 04-Mar-2017 stsp

branches: 1.115.4;
In 11n hostap mode, dynamically adjust HT protection settings based on
the presence of non-HT nodes in the node cache.
OpenBSD 11n APs will now disable HT protection if it is not necessary.
ok mpi@


# 1.114 03-Feb-2017 stsp

Fix 11b clients sending bogus ratesets in association requests. The common
rateset with the AP is calculated only after the association response was
received, which is too late. Fix rates when an AP is selected after a scan.
ok mpi@ tb@


# 1.113 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.112 16-Jan-2017 stsp

Reset block ack state and cancel related timeouts when a HT node disassociates.
The existing code (from damien@) already took care of freeing related buffers
but because block ack state was not reset we were still trying to use these
buffers if the node sent another A-MPDU. This problem only affects 11n hostap.
Fixes kernel crash reported by Timo Myyra on bugs@


# 1.111 09-Jan-2017 stsp

When a HT node leaves or reassociates as a non-HT node,
clear HT capabilities stored in its node cache object.

A node may switch from 11n mode to 11a/b/g mode.
If we don't clear HT capabilities from the cache the node will
be mistaken as 11n-capable after reassociation.

ok phessler@ mpi@


# 1.110 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.109 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.108 09-Jan-2017 stsp

The point of ieee80211_node_leave() is to place the node in COLLECT state.
Return early and do nothing if the node is already in COLLECT state upon
entry to this function.


# 1.107 09-Jan-2017 stsp

When acting as hostap, negotiate HT before calling the driver's ic_newassoc()
function, not afterwards. Drivers now know whether a joining node supports HT
which helps with setting up state such as which Tx rate to use.


# 1.106 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@


# 1.105 15-Sep-2016 dlg

move from RB macros to the RBT functions.

shaves about 5k off an amd64 GENERIC.MP kernel


# 1.104 17-Aug-2016 stsp

If a wireless device or driver scans all bands at once give 5GHz APs
a slight priority in cases where good matches exist in either band.
ok sthen@


Revision tags: OPENBSD_6_0_BASE
# 1.103 21-May-2016 stsp

branches: 1.103.2;
Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


# 1.102 18-May-2016 stsp

In hostap mode, don't re-use association IDs (AIDs) of nodes which are
still lingering in the node cache. This could cause an AID to be assigned
twice, once to a newly associated node and once to a different node in
COLLECT cache state (i.e. marked for future eviction from the node cache).

Drivers (e.g. rt2860) may use AIDs to keep track of nodes in firmware
tables and get confused when AIDs aren't unique across the node cache.
The symptom observed with rt2860 was nodes stuck at 1 Mbps Tx rate since
the duplicate AID made the driver perform Tx rate (AMRR) accounting on
the wrong node object.

To find out if a node is associated we now check the node's cache state,
rather than comparing the node's AID against zero. An AID is assigned when
a node associates and it lasts until the node is eventually purged from the
node cache (previously, the AID was made available for re-use when the node
was placed in COLLECT state). There is no need to be stingy with AIDs since
the number of possible AIDs exceeds the maximum number of nodes in the cache.

Problem found by Nathanael Rensen.
Fix written by Nathanael and myself. Tested by Nathanael.
Committing now to get this change tested across as many drivers as possible.


# 1.101 12-Apr-2016 mpi

Call if_enqueue() and if_start() instead of dereferencing the ifp
pointers.

These functions have been introduced to abstract some of the MP-
safeness^Wmadness and should be used everywhere.

Prodded by a comment from jsg@.

ok mikeb@, stsp@


# 1.100 03-Mar-2016 gerhard

Restore assignment of ic_curmode that was accidentally removed when
moving the ERP code to post-assoc phase. Fixes iwi(4) fatal firmware
errors.

ok stsp@, sobrado@


Revision tags: OPENBSD_5_9_BASE
# 1.99 25-Jan-2016 stsp

branches: 1.99.2;
Honour ERP protection on 2 GHz channels in 11n mode, as done for 11g.
ok millert@


# 1.98 25-Jan-2016 stsp

Don't try to interpret htprot data if the last beacon didn't contain such data.
ok mpi@ millert@


# 1.97 07-Jan-2016 stsp

Make the A-MPDU reordering buffer more resilient against APs which drop
some subframes or let the sequence number jump up by more than 1 (hard
to tell which it is). We decrease the BA inactivity timeout for quicker
recovery from stalled BA sessions, and add a new timeout which keeps track
of gaps in the subframe sequence number space due to dropped frames.
Gaps expire after 500 msec, the same value FreeBSD uses for their
implementation of this workaround. And Linux uses this trick, too.

This should fix network stalls some people have been seeing in 11n mode.

ok deraadt@


# 1.96 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.95 04-Jan-2016 stsp

While configuring ERP we need to know if we're in 11a or 11g mode so only
configure ERP once we are sure about our operation mode against the AP.
ok sthen jasper kettenis deraadt mpi


# 1.94 18-Dec-2015 sthen

unnoccupied->unoccupied


# 1.93 12-Dec-2015 stsp

Finish support for receiving 11n A-MPDUs.

The initial implementation was added by damien@ years ago.
Summary of the changes made in this commit:
- In ieee80211_input(), process A-MPDUs before duplicate detection.
- Don't forget to set ba->ba_ni in ieee80211_recv_addba_req()
so we don't crash in ieee80211_rx_ba_timeout().
- In ieee80211_recv_addba_req(), tweak the logic to deny BlockAck
requests if the driver has no callback for doing so.
- Implement ieee80211_ba_del() which cleans up BlockAck state.
- Increase the minimum and maximum lifetime for BlockAck agreements.

ok mpi@


# 1.92 24-Nov-2015 mpi

No need to include <net/if_arp.h>

This header is only needed because <netinet/if_ether.h> declares a
structure that needs it. But it turns out that <net/if.h> already
includes it as workaround.

A proper solution would be to stop declaring "struct ether_arp"
there. But no driver should need this header.


# 1.91 15-Nov-2015 stsp

Parse 11n HT capabilities and operational info from association response
frames, negotiate HT with the AP, and move the interface into or out of
11n mode accordingly. If running as AP negotiate HT with nodes joining the BSS.

ok deraadt mpi kettenis guenther


# 1.90 15-Nov-2015 stsp

Extend struct ieee80211_node with fields for 11n STA HT capabilities and
HT operational information sent by 11n APs. These fields reflect the structure
of elements in management frames so that IEEE80211_HTCAP* and IEEE80211_HTOP*
macros designed to operate on frame elements can be used directly to read
or set the fields.

Populate nodes with HT information received in probe responses, probe
requests, and association requests.

ok deraadt mpi phessler kettenis guenther


# 1.89 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


Revision tags: OPENBSD_5_8_BASE
# 1.88 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.87 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.86 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.85 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.84 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.83 12-Sep-2014 sthen

Remove cached 802.11 nodes in IEEE80211_STA_CACHE state (these are nodes
which have been seen but which haven't otherwise interacted with us), fixing
a problem where old cached nodes are seen when doing a scan.
From Marcin Piotr Pawlowski, feedback stsp@ ok kspillner@ dcoppa@


# 1.82 08-Aug-2014 jasper

use nitems() instead of various local constructs

ok stsp@


Revision tags: OPENBSD_5_6_BASE
# 1.81 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


Revision tags: OPENBSD_5_5_BASE
# 1.80 01-Dec-2013 stsp

Reset txrate array index after changing a node's rate list.
Should prevent "bogus xmit rate %d setup" panics, which I ran into again
in IBSS mode.
ok kettenis


# 1.79 21-Nov-2013 mpi

Remove unneeded include.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.78 24-Mar-2013 claudio

Make ieee80211_set_tim() available from outside of ieee80211_node.c
so drivers like acx(4) can use that function directly instead of
reimplementing the function again. Requested by kettenis@ a long time ago.


Revision tags: OPENBSD_5_3_BASE
# 1.77 07-Nov-2012 stsp

Fix DPRINTF() format string treating n->ni_refcnt, which is unsigned, as signed.
diff from dhill; ok kettenis reyk


# 1.76 10-Oct-2012 kettenis

Clear the powersave flag and purge queued packets when a node leaves the AP
(either by disassociating or by timeout). Fixes (most) remaining issues with
power saving.

From Nathanael Rensen.

ok claudio@, krw@, sthen@


# 1.75 05-Oct-2012 camield

Point an interface directly to its bridgeport configuration, instead
of to the bridge itself. This is ok, since an interface can only be part
of one bridge, and the parent bridge is easy to find from the bridgeport.

This way we can get rid of a lot of list walks, improving performance
and shortening the code.

ok henning stsp sthen reyk


# 1.74 20-Sep-2012 stsp

Nuke M_80211_NODE #define which mapped to M_DEVBUF and use M_DEVBUF directly.
ok henning


# 1.73 25-Aug-2012 kettenis

Set up ni_savedq for the initial BSS node such that it can actually be used
to store multicast frames when one of the associated stations is in power
saving mode.

ok stsp@


# 1.72 17-Aug-2012 stsp

Fix possible panic while switching from STA mode into hostap/ibss modes.
ieee80211_create_ibss() resets the set of supported rates but failed
to update the index into the rate set array accordingly. If the rate
configured during STA operation didn't belong to the newly configured
rate set the system ran into an assertion ("bogus xmit rate %u setup")
while trying to create the IBSS.
ok fgsch@


Revision tags: OPENBSD_5_2_BASE
# 1.71 18-Jul-2012 stsp

Print messages about nodes purged from the node cache if hostap/ibss modes are
compiled in and the interface is in debug mode. ok sthen


# 1.70 16-Jul-2012 stsp

Move increment of ic_nnodes closer to where the node is actually inserted
into the cache. Make sure we're at IPL_NET while incrementing/decrementing
ic_nnodes. Add a debug message that warns about possible node leaks.
All of this affects hostap mode only.


# 1.69 13-Jul-2012 stsp

Tweak node cache eviction strategy when the cache is full: kick off new nodes
in AUTH state that weren't active during the cache wait interval rather than
keeping them for the entire cache timeout interval. Fixes association failures
in noisy RF environments. Tested by edd and myself with a slow soekris
suffering from RF noise with about 50 interrupts per second on ral0.
ok deraadt


Revision tags: OPENBSD_5_1_BASE
# 1.68 25-Jan-2012 stsp

There is no need to explicitly skip ic_bss when iterating over cached nodes.
The ic_bss is never put into the RB tree.


# 1.67 25-Jan-2012 stsp

Clean inactive authenticated nodes during cache timeout as well.
There is no need to keep nodes cached which never associated and were
inactive within the last 5 minutes or more. Keeps the node cache pretty
clean in my environment with typical city-center wlan noise.


# 1.66 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@


# 1.65 21-Jan-2012 stsp

Hold interrupts blocked while comparing a cached node's refcount to zero
and freeing the node. Just in case an interrupt happens to ref the node after
the refcount was checked but before the node is freed.
Tested by several as part of a larger diff.


# 1.64 18-Jan-2012 stsp

Make it possible to free cached nodes which never associated (e.g. nodes
only scanning for networks). These were never put into COLLECT state and
were thus never evicted from the node cache in hostap mode.
ok jsg@


Revision tags: OPENBSD_5_0_BASE
# 1.63 28-Mar-2011 kettenis

Clean nodes until the number of cached nodes is smaller than the maximum number
of nodes, otherwise we'll never actually clean any nodes. Fixes issues with
clients failing to attach because the node cache is completely filled.

ok damien@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.62 07-Aug-2010 krw

No "\n" needed at the end of panic() strings.

Bogus chunks pointed out by matthew@ and miod@. No cookies for
marco@ and jasper@.

ok deraadt@ miod@ matthew@ jasper@ marco@


# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


# 1.60 19-Jun-2010 damien

In ieee80211_node_leave(), clear the associd after calling
ieee80211_node_leave_rsn() since ieee80211_node_leave_rsn()
calls ic_delete_key() and drivers like ral(4) RT2860 need
a valid associd in their delete_key callbacks.
This affects HostAP mode only.

from Nathanael Rensen.

remove a useless (nested) #ifndef IEEE80211_STA_ONLY while i'm here


# 1.59 14-Jun-2010 damien

fix my previous commit, i forgot BIP, so instead of enumerating
what is not supported as a group cipher, enumerate what is supported.


# 1.58 14-Jun-2010 damien

do not try to associate with an AP using an unsupported group cipher,
otherwise we will panic in ieee80211_add_rsn_body().

this may be the cause of a panic seen by reyk@ though i'm not 100% sure.


# 1.57 28-Mar-2010 krw

Four uses of uninitialized variables found by clang via jsg@. ar5416, ar9287
and athn are only theoretically interesting. ieee80211_node fixes a real
bug in occupied channel detection.

ok damien@


Revision tags: OPENBSD_4_7_BASE
# 1.56 17-Feb-2010 damien

Do not always create a new node when a beacon or a probe response
is received. The creation of a new node is already handled in
ieee80211_recv_probe_resp() when necessary.
This avoids creating empty nodes with wrong channels when beacons
are received on the wrong channel (overlapping channels).
Those empty nodes may also prevent the real node from being
discovered because of ieee80211_find_node_for_beacon() filtering.

This should prevent entries of the form:
nwid "" chan 3 bssid 00:01:02:03:04:05 0dB 54M
in "ifconfig if0 scan" output, like reported by Rivo Nurges.


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.55 29-Jan-2009 damien

fix a panic that occurs when IEEE80211_STA_ONLY is defined (SMALL_KERNEL).

noticed by ray@, more investigation from sthen@
fix tested by sthen@


# 1.54 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.53 28-Jan-2009 damien

In ieee80211_find_node(), roll our own RB_FIND() based on the key (macaddr)
instead of resorting to horrid hacks/casts.
Restore the ieee80211_node structure back to its original state.


# 1.52 27-Jan-2009 damien

unbreak SMALL_KERNEL builds by adding missing #ifndef IEEE80211_STA_ONLY

pointed out by krw@


# 1.51 26-Jan-2009 damien

move ni_macaddr field to the top of the ieee80211_node structure.
this way we can avoid putting a full node structure (which is huge)
on the stack in ieee80211_find_node().
this is a bit tricky but the RB_FIND macro wants an "elem" structure,
not a field of "elem".


# 1.50 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.49 14-Dec-2008 damien

Add an ieee80211_notify_dtim() function that drivers should call after
every DTIM in HostAP mode.
Flushes all group addressed MSDUs buffered at the AP for power management.


# 1.48 23-Oct-2008 mk

Prevent a crash in ieee80211_setkeys() when unplugging an interface in
hostap mode by canceling the group rekey timeout in ieee80211_node_detach().

ok damien


# 1.47 15-Oct-2008 blambert

Second pass of simple timeout_add -> timeout_add_sec conversions
This should take care of the simpler ones (i.e., timeout values of
integer multiples of hz).

ok krw@, art@


# 1.46 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.45 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.44 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.43 12-Aug-2008 damien

new SHA-256 based AKMPs.


# 1.42 12-Aug-2008 damien

add/process group integrity cipher suite in RSN IEs.
add support for MFP negotiation during association.


# 1.41 12-Aug-2008 damien

the only integrity group cipher currently supported is AES-128-CMAC.


# 1.40 12-Aug-2008 damien

generate a random IGTK in HostAP mode if we're MFP-capable.


# 1.39 12-Aug-2008 damien

get rid of the map_ptk()/map_gtk() functions, just inline them
which makes things easier to track.


Revision tags: OPENBSD_4_4_BASE
# 1.38 02-Aug-2008 damien

Drop frames that are received unencrypted when WEP is on or when
WPA is on and RX protection for TA is on.
Keep track of the TX/RX protection for each node when WPA is on.

tested by djm@ (ral+wpa), ckuethe@ (ath-noenc) and krw@ (wpi<->ral+wpa).
hints from bluhm@
has been in snaps for a few days.

pointed out by bluhm@ something like 1 year ago but we did not have
the right infrastructure to fix it properly at that time.

ok deraadt@


# 1.37 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.36 27-Jul-2008 damien

s/IEEE80211_DPRINTF/DPRINTF/
automatically prepend __func__ to output.

deobfuscates debug messages a bit.
no binary change unless compiled with IEEE80211_DEBUG.


# 1.35 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.34 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


# 1.33 21-Apr-2008 damien

move ieee80211_ibss_merge() from ieee80211_input.c to ieee80211_node.c


# 1.32 21-Apr-2008 damien

move ieee80211_auth_open() to ieee80211_proto.c
move ieee80211_setup_rates() to ieee80211_node.c
move some prototypes from ieee80211_proto.h to ieee80211_crypto.h


# 1.31 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.30 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.29 07-Sep-2007 damien

use new malloc M_ZERO flag + replace MALLOC with malloc


Revision tags: OPENBSD_4_2_BASE
# 1.28 06-Jul-2007 damien

remove remaining bits for pre-RSNA shared authmode support.
it has been #if 0'd since 3.9 and we have never supported this mode (no
ifconfig option etc...).


# 1.27 06-Jul-2007 damien

initialize an uninitialized variable.


# 1.26 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.25 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.24 16-Jun-2007 damien

constify


# 1.23 16-Jun-2007 damien

don't mix u_int{8,16,32}_t and uint{8,16,32}_t
use u_int{8,16,32}_t everywhere.


# 1.22 16-Jun-2007 damien

de-static

ok jsg@


# 1.21 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.20 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


# 1.19 10-Apr-2007 miod

``it's'' -> ``its'' when the grammar gods require this change.


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 13-Nov-2006 damien

fix a possible NULL deref.


Revision tags: OPENBSD_4_0_BASE
# 1.16 19-Jun-2006 reyk

unbreak the code if compiled with IEEE80211_DEBUG by using the right
node attribute.

ok damien@, figured out by claudio@


# 1.15 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.14 19-Feb-2006 damien

Fix a comment in ieee80211_next_scan().


# 1.13 09-Oct-2005 reyk

if the wireless hostap interface belongs to a bridge, learn the node's
address dynamically on this interface after successful association.
this could speed wireless roaming to openbsd accesspoints.

ok jason@, jsg@ can't see anything objectionable


# 1.12 07-Oct-2005 reyk

minor knf


# 1.11 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.10 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.9 08-Sep-2005 jsg

Remove the last of the FreeBSD compatibility goop.
ok reyk@


# 1.8 08-Sep-2005 jsg

Remove FreeBSD if_printf compat function from net80211.
ok reyk@


# 1.7 08-Sep-2005 reyk

reset the scan state for each new mode

ok jsg@


# 1.6 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.5 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.4 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.3 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.2 02-Nov-2004 millert

Don't call memset() if MALLOC returns NULL; also fix the rcs ID.
From Patrick Latifi; OK reyk@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.187 08-Oct-2021 stsp

Revert my previous commit to ieee80211_node.c (CVS commit Hne35XgzezGa9zmv).

Sending frames from ieee80211_node_join_bss() won't work as expected.
I missed that IEEE80211_SEND_MGMT() calls if_start() immediately after
queueing the management frame. This means the probe request is being
sent in a state where, while ic_bss represents our new AP, the driver
did not yet have a chance to move the device over to our new AP.

The auth request for the new AP is sent from ieee80211_newstate() which
runs after the driver has reconfigured the device. If we want to send a
probe request to the new AP then we would need to send it at that point,
before the auth frame gets sent.


# 1.186 07-Oct-2021 stsp

Send a probe request to our new AP when we are about to roam to it.

Tested by fkr on iwx ax200/ax201 and myself on iwm 8265.
Also tested by florian and bket as part of a larger diff.

ok mpi@


Revision tags: OPENBSD_7_0_BASE
# 1.185 29-Apr-2021 stsp

Make iwn, iwm, and iwx keep track of beacon parameters at run-time.

- HT protection settings (this was already implemented)
- ERP (11g) protection setting
- short slottime setting
- short preamble setting
- EDCA (QoS) parameters

All of these parameters are communicated in beacons and hardware is
now kept up-to-date with them.

Prompted by a problem report from Christian Ehrhardt regarding ERP.

Tested:
iwn 6205: stsp, Josh Grosse
iwm 7265: trondd
iwm 8265: stsp, Matthias Schmidt
iwm 9260: phessler
iwx ax200: stsp, jmc, gnezdo


Revision tags: OPENBSD_6_9_BASE
# 1.184 15-Apr-2021 stsp

When starting an AP or IBSS network, reconfigure the operation mode to
11ac/n/a/g/b as applicable. Fixes an issue where hostap would end up
running in the rather meaningless MODE_AUTO unless a mode was explicitly
configured with ifconfig.

Found while investigating issues reported by trondd testing my athn RA patch.

ok deraadt@


# 1.183 10-Mar-2021 jsg

spelling

ok gnezdo@ semarie@ mpi@


Revision tags: OPENBSD_6_8_BASE
# 1.182 31-May-2020 stsp

Remove a dead assignment to ni_rsn_state in ieee80211_node_leave_rsn().

Patch by Mikolaj Kucharski


Revision tags: OPENBSD_6_7_BASE
# 1.181 05-May-2020 stsp

Purge the ic_bss->ni_savedq mbuf queue when a wireless interface goes down.

Purging this queue prevents a panic which occurs when a WPA2-enabled athn(4)
hostap interface is reconfigured while this queue contains frames.

In hostap mode, this queue contains group-addressed (broadcast) frames
which are buffered for clients sleeping in powersave state. Frames on
this queue are transmitted when it is time to send another beacon, at
which point in time sleeping clients wake up to receive such frames.

The panic message is "key unset for sw crypto", which can be explained as
follows: Group keys are cleared when the interface goes down. The beacon Tx
interrupt handler gets triggered by hardware when the interface comes back
up. This handler attempts to encrypt the queued frames for transmission,
resulting in the above panic since the group key has been zeroed out.

This panic has been observed with athn(4) by Jan Stary and Ted Patterson,
and Ted has confirmed that this patch fixes the problem.

ok kettenis@ (with the caveat that it's been a long time since he put our
AP-side powersave support into a working state)


# 1.180 08-Apr-2020 stsp

Fix ifconfig "media:" line for 11n wifi interfaces during and after bgscan.

Media was displayed as e.g. "autoselect (OFDM6)" even though 11n was active
because the current media mode is changed to AUTO for background scanning
and was never switched back to 11N.

ok mpi@ pirofti@


# 1.179 15-Jan-2020 phessler

If join is connected to an AP, remove the node from the cache so we properly
reconnect to the AP

OK stsp@


# 1.178 29-Dec-2019 stsp

If the new candidate AP found after a background scan has an RSSI level
that will also trigger background scans, remain with the current AP.
Avoids ping-pong in environments where APs are tuned for low transmit
range, such as 36c3.

ok phessler benno


# 1.177 10-Nov-2019 stsp

Stop connecting to available open wifi networks when the interface is put up.
From now on, this behaviour must be explicitly enabled with ifconfig join "".
ok sthen jcs deraadt


# 1.176 09-Nov-2019 stsp

Give access points which fail to AUTH or ASSOC less priority during
the next selection of networks from the join list. Prevents endless
attempts to connect to an AP which is out of reach but still somehow
manages to get a beacon or two across to us during scan.

Tested with wifi networks at the University of Bucharest.
Makes switching wifi networks possible after walking to a different
room without having to down/up the interface or suspend/resume.

ok phessler@


# 1.175 09-Nov-2019 stsp

Clear the unref callback function pointer when cleaning up an ieee80211_node.
ok mpi@


# 1.174 31-Oct-2019 stsp

Make background scans less frequent if we keep choosing the same AP.

This helps a bit in situations where a single AP is used and background scans
are causing packet loss, as seen with Jesper Wellin's Broadcom-based AP and my
Android phone in hotspot mode. This is not a proper fix but our background scan
frequency against a single AP was much higher than needed anyway.

Tested by jan, job, benno, Tracey Emery, Jesper Wallin


Revision tags: OPENBSD_6_6_BASE
# 1.173 02-Sep-2019 stsp

Make net80211 expose reasons for association failures to userland and have
ifconfig display them in 'scan' output and on the ieee80211 status line if
the failure is applicable to an already selected AP (e.g. wrong WPA key).

This will hopefully reduce the amount of help requests for what often
turn out to be trivial misconfiguration issues that were previously
hard to diagnose without debug mode.

ifconfig must be recompiled with the new ieee80211_ioctl.h to stay in
sync with the kernel. A full 'make build' will do the right thing!

Very helpful input by mpi@ and deraadt@


# 1.172 27-Aug-2019 stsp

Keep ieee80211_node structures cached across scans, rather than
wiping the entire cache every time a scan is triggered.

This has benefits for userland programs trying to look at scan results,
and for drivers which don't get a full view from hardware on every scan.

Nodes will still be evicted from the cache in one of several ways:

Add a new way of timing out inactive nodes which don't send a beacon
within 10 scan iterations, for client mode only. This should get rid
of stale APs if we're scanning for some time in a changing environment.

If we fail to associate a few times, the corresponding node is removed.

If net80211 transitions back to INIT state (e.g. because of a
user-initiated configuration change) all nodes are removed.

When a background scan starts all nodes will be removed. This could be
revisited later but has been intentionally left as-is for now.

Tested by myself, jmc@, benno@, procter@ on iwm(4), athn(4) and ral(4).


# 1.171 26-Aug-2019 stsp

remove redundant assignment to ic_curmode

This assignment to ic_curmode is redundant because it already occurs
inside ieee80211_setmode(), and channel information in selbs and ni
is equivalent after node_copy().

ok mpi@ kevlo@


# 1.170 29-Jul-2019 stsp

Add support for 802.11n Tx aggregation to net80211 and the iwn(4) driver.

In particular, add Tx block ack session management to net80211, with
enough functionality to support Tx aggregation on devices which perform
A-MPDU subframe scheduling in firmware.
Make use of the iwn(4) firmware Tx scheduler to build A-MPDUs.

net80211's QoS support code is now enabled and used by Tx aggregation.

A-MSDU frames inside A-MPDUs have been tested and work in principle.
For now, this feature is disabled because unfair TCP connection sharing
was observed during testing, where bursts of TCP Ack frames for a single
tcpbench(1) connection arriving in A-MSDUs made other TCP connections stall.
Switch off support for A-MSDUs inside A-MPDUs on the Rx side as well.

Tested on iwn chipsets 1000, 4965, 5100, 5300, 2200, 6200, 6205, 6300
(committed version of tested diff has all debug printfs removed)
tests/ok benno kmos mlarkin kevlo


# 1.169 23-Jul-2019 stsp

In 11n hostap mode, properly disable HT protection when needed
by actually overwriting the relevant bits in ni_htop1.
ok tedu@ phessler@ kettenis@


# 1.168 10-Jun-2019 stsp

Revised version of 'ifconfig mode' command fix.

The 'mode' command is supposed to force a wireless interface into 11a/b/g/n
media mode. This stopped working some time ago, probably during my work on
background scanning. Problem spotted by mlarkin@ who noticed that interfaces
were using 11g mode while forced to 11b mode.

ok phessler, jmatthew (earlier version)
relentless testing by krw@


# 1.167 31-May-2019 stsp

Revert my "Repair the 'ifconfig mode' command" commit.

The "recursion in end_scan()" problem is apparently still present in
the committed version of the diff (reported by krw@).


# 1.166 29-May-2019 stsp

Repair the 'ifconfig mode' command.

The 'mode' command is supposed to force a wireless interface into 11a/b/g/n
media mode. This stopped working some time ago, probably during my work on
background scanning. Problem spotted by mlarkin@ who noticed that interfaces
were using 11g mode while forced to 11b mode.

ok phessler, jmatthew


# 1.165 11-May-2019 stsp

Show driver name on net80211 scan debug lines.
ok mpi@


# 1.164 28-Apr-2019 mpi

Removes the KERNEL_LOCK() from bridge(4)'s output fast-path.

This redefines the ifp <-> bridge relationship. No lock can be
currently used across the multiples contexts where the bridge has
tentacles to protect a pointer, use an interface index.

Tested by various, ok dlg@, visa@


Revision tags: OPENBSD_6_5_BASE
# 1.163 15-Mar-2019 phessler

fix autojoin for WEP network by actually saving the WEP auth key

discovered while attempting to autojoin WEP networks


# 1.162 01-Mar-2019 stsp

Improve handling of HT protection for 'mode 11n' hostap.

Consider the mere presence of HTCAP IEs as indicator of 11n support,
rather than checking advertised Rx MCS. Fixes some devices being
misclassified as 11a/g, causing HT protection to be enabled even
though it is not needed.

Use CTS-to-self frames for HT protection instead of RTS/CTS.

These changes make my athn(4) AR9280 hostap perform much better.

ok phessler@


# 1.161 23-Jan-2019 stsp

Move 802.11n rateset definitions out of MiRA and make them available to
net80211 and drivers in general. Add ratesets for 'short guard interval'
(SGI) rates, and add SGI support to MiRA. SGI is currently only used by
iwm(4), and of course internally by bwfm(4) firmware.
Ratesets for 11n 40 MHz channels and 11ac will come later.
ok mpi@ phessler@


# 1.160 18-Jan-2019 phessler

add a len field when we delete an essid from the joinlist. this will have
us properly match, instead of hoping we got lucky when selecting it.

OK stsp@


# 1.159 18-Jan-2019 phessler

let users automatically use join to connect to any open wifi network.
if a known network is visible, always prefer that instead.

requested by many, OK stsp@


# 1.158 25-Nov-2018 phessler

print more details about the join'd networks we have saved when a user runs
ifconfig if joinlist

OK stsp@


# 1.157 20-Nov-2018 phessler

fix whitespace in debugging function


# 1.156 20-Nov-2018 patrick

The first packet received from each AP in each QoS class would be
dropped as the sequence number matches the initial value of the
cached last sequence number (zero). On some APs (notably Android
WIFI hotspots) this hits the first packet of the WPA2 4-way
handshake. This causes connection delays and in some cases
connection to the AP fails completely. Initialize the cached last
sequence numbers for received packets to an invalid value instead.

From Christian Ehrhardt
ok gerhard@ stsp@
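The first-frame drop described in this commit, shown as an added illustration written for this page (not code from OpenBSD's ieee80211_node.c): a per-TID duplicate-detection cache that starts at zero rejects a retransmitted frame whose sequence control is also zero, while a cache initialised to a sentinel accepts it and still drops a real retransmitted duplicate. The frame record, the per-TID array, the 0xffff sentinel and the "Retry bit set and sequence control matches" test are assumptions made for the example, not the stack's own definitions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NUM_TIDS      16        /* one duplicate-detection slot per QoS traffic class */
#define RXSEQ_INVALID 0xffffU   /* assumed sentinel meaning "no frame cached yet" */

/* Per-peer receive state: the last sequence control value seen on each TID. */
struct peer_rx_state {
    uint16_t last_seqctl[NUM_TIDS];
};

/* Constructed frame record; a real implementation would parse the 802.11 header. */
struct rx_frame {
    uint8_t  tid;     /* QoS traffic identifier, 0..15 */
    uint16_t seqctl;  /* 12-bit sequence number << 4 | 4-bit fragment number */
    bool     retry;   /* Retry bit from the frame control field */
};

/* Before the fix: a zero-initialised cache makes sequence control 0 look "already seen". */
static void peer_init_buggy(struct peer_rx_state *p)
{
    memset(p, 0, sizeof(*p));
}

/* After the fix: start from a value no incoming frame is expected to match. */
static void peer_init_fixed(struct peer_rx_state *p)
{
    for (int i = 0; i < NUM_TIDS; i++)
        p->last_seqctl[i] = RXSEQ_INVALID;
}

/*
 * Duplicate detection: a frame is a retransmitted copy of one we already
 * handled if its Retry bit is set and its sequence control equals the last
 * value cached for that TID. Otherwise remember it and accept it.
 */
static bool rx_is_duplicate(struct peer_rx_state *p, const struct rx_frame *f)
{
    uint16_t *last = &p->last_seqctl[f->tid & (NUM_TIDS - 1)];

    if (f->retry && f->seqctl == *last)
        return true;
    *last = f->seqctl;
    return false;
}

/*
 * Scenario from the commit: the first frame the AP sends us (standing in for
 * message 1 of the 4-way handshake) carries sequence number 0 and arrives as
 * a retransmission. Returns 1 if the filter drops it, 0 if it is accepted.
 */
int first_frame_dropped(bool use_fixed_init)
{
    struct peer_rx_state peer;
    struct rx_frame first = { .tid = 0, .seqctl = 0, .retry = true };

    if (use_fixed_init)
        peer_init_fixed(&peer);
    else
        peer_init_buggy(&peer);
    return rx_is_duplicate(&peer, &first) ? 1 : 0;
}

/* Sanity check: with the fixed initialisation a real retransmitted duplicate is still dropped. */
int genuine_duplicate_dropped(void)
{
    struct peer_rx_state peer;
    struct rx_frame f     = { .tid = 3, .seqctl = 0x0A0, .retry = false };
    struct rx_frame again = { .tid = 3, .seqctl = 0x0A0, .retry = true };

    peer_init_fixed(&peer);
    if (rx_is_duplicate(&peer, &f))
        return -1;              /* the first copy must be accepted */
    return rx_is_duplicate(&peer, &again) ? 1 : 0;
}

int main(void)
{
    printf("zero-initialised cache drops first frame:     %d\n", first_frame_dropped(false));
    printf("sentinel-initialised cache drops first frame: %d\n", first_frame_dropped(true));
    printf("real duplicate still dropped after the fix:   %d\n", genuine_duplicate_dropped());
    return 0;
}
```

The point of the sentinel is that the cache must distinguish "nothing seen yet" from "sequence 0 seen"; any value the comparison can never match on a fresh association works, and the example uses 0xffff only because it is outside the range a first frame would carry.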


# 1.155 27-Oct-2018 phessler

pass around the ess and ni structures we plan to use directly, instead
of rediscovering them (possibly badly).

OK stsp@


# 1.154 27-Oct-2018 phessler

clean up accounting of the AUTO_JOIN flag by making sure it is set or cleared
based on the state of the joinlist

OK stsp@


# 1.153 27-Oct-2018 phessler

don't join to a network where we expect cleartext, and the AP is using crypto

OK stsp@


Revision tags: OPENBSD_6_4_BASE
# 1.152 18-Sep-2018 mestre

fix memory leak in ieee80211_end_scan()

OK phessler@ jsg@


# 1.151 17-Sep-2018 jsg

fix memory leaks in ieee80211_add_ess()
ok stsp@ phessler@


# 1.150 11-Sep-2018 phessler

use the format string for signed ints, for signed ints

reminded by stsp@


# 1.149 11-Sep-2018 phessler

With the interface debug flag enabled, print a "score" for each AP we
consider during auto-join. This can help users determine why a specific
network was chosen.

OK stsp@


# 1.148 10-Sep-2018 phessler

fix typo in the length of the essid we want to switch to

found with and OK stsp@


# 1.147 10-Sep-2018 phessler

extract clearing WEP/WPA in ess into helper functions


# 1.146 10-Sep-2018 phessler

give set_ess a len variable, so we can correctly match the essid we want
to switch to.

pointed out by stsp@


# 1.145 09-Sep-2018 phessler

convert the things we save in 'join' into a single ioctl. mixing related
settings over multiple calls was risky and racy. Pass essid, wpa, and wep
parameters in a single ioctl and process it atomically.

no change for 'nwid' users

OK stsp@ benno@


# 1.144 06-Sep-2018 jsg

fix whitespace


# 1.143 01-Sep-2018 stsp

Make 'ifconfig nwid' override 'ifconfig join'.

There was no way to override a decision made by join's network
selection algorithm (apart from disabling the feature by clearing
the join list). Automatic selection is based on heuristics which
cannot always guess correctly so we need to provide an override.

One specific problem was that if 'nwid foo' and 'nwid bar' were
both visible in the scan and only 'nwid foo' was a member of the
join list, then there was no way at all to connect to 'nwid bar'.
The wireless stack would keep selecting 'nwid foo' instead.

'ifconfig iwm0 nwid bar' command will now disable automatic
network selection and force the use of ESSID 'bar'.
Any of these commands will re-enable automatic network selection:
ifconfig iwm0 -nwid
ifconfig iwm0 nwid ''
ifconfig iwm0 join some-network-id

ok phessler@ deraadt@


# 1.142 15-Aug-2018 stsp

Update AP selection heuristics for auto-join.

We now prefer stronger crypto over weaker crypto over none, prefer 5 GHz
band with reasonable RSSI, and use RSSI as a tie-breaker with a slight
advantage for 5GHz. Candidate APs are now ranked by a score which is
calculated based on these attributes.

There is likely room for improvements to make these heuristics
work well across many different environments, but it's a start.

ok phessler@


# 1.141 13-Aug-2018 stsp

Add support for band-steering access points to net80211.

Some access points have a feature called "band steering" where they
will try to push clients from 2 GHz channels to 5 GHz channels.
If a client sends probe-requests on both 2 GHz and 5GHz channels, and
then attempts to authenticate on a 2 GHz channel, such APs will deny
authentication and hope that the client will come back on a 5 GHz channel.

So if we fail to AUTH for any reason, and if there is a different
AP with the same ESSID that we haven't tried yet, try that AP next.
Keep trying until no APs are left, and only then continue scanning.

APs with support for this feature were provided by Mischa Peters.

ok phessler@ mpi@


# 1.140 11-Aug-2018 stsp

Add comment explaining why we read basic MCS set only from beacon/probereq.
requested by mpi@


# 1.139 07-Aug-2018 stsp

Ignore basic MCS set information found in association responses.

Some APs (Aruba 105) send a bogus basic MCS set in assoc responses
which prevents us from enabling 11n support with those APs, while
these APs still behave as if we were an 11n client which renders
the association unusable.

The basic MCS set is already provided in beacons anyway, and the
802.11 2012 standard says the basic MCS set is reserved in frames
other than beacons (see Table 8-130).

ok mpi@


# 1.138 06-Aug-2018 stsp

Refactor ieee80211_add_ess():

Drop ieee80211_add_ess's nwid parameter. Read nwid and length directly
from the ic to make it more obvious where this function is reading from.

nwids are binary data with an explicit length, so treat them as such
instead of treating them like strings.

ok florian phessler


# 1.137 06-Aug-2018 florian

Do not set nwid over and over again. We just found the ess by comparing
the nwid. It will not have changed in the meantime.
OK stsp


# 1.136 03-Aug-2018 phessler

revert 1.133 and part of 1.131
the stack doesn't always fill in the parameters correctly

reported by many


# 1.135 30-Jul-2018 stsp

Don't ask drivers to join a wifi network before an AP has been chosen.
Should fix a panic with bwfm(4) reported by mlarkin@
ok phessler@


# 1.134 19-Jul-2018 florian

ieee80211_ess_is_better() returns 0 or 1, comparing > 1 is always
false so we always selected the first wifi available, not the best
one.

While here shuffle some deck chairs to make it clearer that anything is
better than nothing.

tweak & OK phessler


# 1.133 16-Jul-2018 phessler

the AP sends their crypto parameters as a mask, so let us still select it
in case we want WPA2 and they have WPA1 still enabled


# 1.132 16-Jul-2018 phessler

don't save or use auto-join when the card is not in station (aka client) mode

OK stsp@


# 1.131 13-Jul-2018 phessler

Some more checks before auto-join switches networks.

Make sure all of the crypto options the AP announces matches what we
would configure. While here, don't switch if the user has specified
a specific BSSID, and the new AP does not match.

OK stsp@


# 1.130 11-Jul-2018 phessler

Introduce 'auto-join' to the wifi 802.11 stack.

This allows a system to remember which ESSIDs it wants to connect to, any
relevant security configuration, and switch to it when the network we are
currently connected to is no longer available.

Works when connecting and switching between WPA2/WPA1/WEP/clear encryptions.

example hostname.if:
join home wpakey password
join work wpakey mekmitasdigoat
join open-lounge
join cafe wpakey cafe2018
join "wepnetwork" nwkey "12345"
dhcp
inet6 autoconf
up

OK stsp@ reyk@
and enthusiasm from every hackroom I've been in for the last 3 years


# 1.129 28-Apr-2018 stsp

When starting a background scan, free the nodes table to ensure we
get an up-to-date view of APs around us. In particular, we need to
kick out the AP we are associated to. Otherwise, our current AP might
stay cached if it is turned off while we are scanning, and we could
end up picking a now non-existent but "good looking" AP over and over.

found with and ok phessler@


# 1.128 27-Apr-2018 stsp

Fix the scan loop: We were only looking for an AP once and stopped
scanning if none was found.
Accidentally broken in recent ifconfig scan changes by pirofti and me.
ok pirofti


# 1.127 26-Apr-2018 pirofti

net80211: stub SIOCS80211SCAN, make ifconfig scan instant.

The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stsp@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.

The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.

In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.

The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...

Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.

Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).

Tested by mpi@, landry@, florian@, thanks!
OK mpi@.


Revision tags: OPENBSD_6_3_BASE
# 1.126 06-Feb-2018 phessler

convert the test if a node support HT (aka, 11n) into an inline function,
instead of testing some un-obvious bitfield

OK stsp@


# 1.125 12-Dec-2017 stsp

Don't dereference IEEE80211_CHAN_ANYC pointer in ieee80211_node_checkrssi().

Problem reported by Gregoire Jadi on bugs@


# 1.124 12-Dec-2017 phessler

Allow interfaces that aren't SCANNALLBAND drivers to benefit from the
strongest received signal.

OK stsp@


# 1.123 12-Dec-2017 jcs

Fix the behavior of preferring weaker-but-still-good 5GHz APs over
2GHz APs because the 5GHz band is generally less saturated.

The previous implementation was dependent upon the order of walking
APs.

ok stsp


# 1.122 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


Revision tags: OPENBSD_6_2_BASE
# 1.121 05-Sep-2017 stsp

When starting a new scan always set the mode to AUTO if the driver scans
all bands at once. Fixes a problem where e.g. 5GHz APs were filtered out
if we were previously associated to an 11g-only AP.
ok mpi@ phessler@


# 1.120 17-Aug-2017 stsp

Add an entry to dmesg if pairwise WPA keys arrive unexpectedly or if WPA
group keys are being reused. OpenBSD wireless clients will now leave a
trail of such events in their message log.

There has been increased public scrutiny of WPA's security recently, so
I am curious to see if anyone is attempting replay attacks in the wild.

ok deraadt


# 1.119 04-Aug-2017 stsp

Compile a debug printf in ieee80211_match_bss() by default, previously
guarded by the IEEE80211_DEBUG preprocessor flag. This shows one line
per detected AP after a scan, and indicates which APs are considered
candidates for association.
Shorten the output a bit to fit into 80 columns more likely.
ok sthen@


# 1.118 19-Jul-2017 stsp

Improve the heuristic which selects 5GHz APs over 2GHz APs.

The previous code wasn't quite right: it didn't account for the fact that
some drivers don't set ic_max_rssi, and it compared 5GHz APs to a threshold
relative to the max RSSI, rather than comparing RSSI on 5GHz relative to
RSSI on 2GHz.

This heuristic is only used by SCANNALLBAND drivers: iwn(4), iwm(4), wpi(4)

In the future the AP selection heuristic should be made more intelligent,
e.g. it should take BSS load information in beacons into account.
Another open problem is inconsistent representation of RSSI measurement
values throughout our drivers and stack. Help is welcome!

For now, this hopefully improves AP selection at busy airports.

ok sthen@ deraadt@


# 1.117 04-Jun-2017 tb

Add sizes for free for the RSN IEs. Rewrite ieee80211_save_ie() slightly
to make it more readable.

help, many explanations and ok stsp


# 1.116 03-Jun-2017 tb

Add a few sizes to free().

Input, help & ok stsp


Revision tags: OPENBSD_6_1_BASE
# 1.115 04-Mar-2017 stsp

branches: 1.115.4;
In 11n hostap mode, dynamically adjust HT protection settings based on
the presence of non-HT nodes in the node cache.
OpenBSD 11n APs will now disable HT protection if it is not necessary.
ok mpi@


# 1.114 03-Feb-2017 stsp

Fix 11b clients sending bogus ratesets in association requests. The common
rateset with the AP is calculated only after the association response was
received, which is too late. Fix rates when an AP is selected after a scan.
ok mpi@ tb@


# 1.113 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.112 16-Jan-2017 stsp

Reset block ack state and cancel related timeouts when a HT node disassociates.
The existing code (from damien@) already took care of freeing related buffers
but because block ack state was not reset we were still trying to use these
buffers if the node sent another A-MPDU. This problem only affects 11n hostap.
Fixes kernel crash reported by Timo Myyra on bugs@


# 1.111 09-Jan-2017 stsp

When a HT node leaves or reassociates as a non-HT node,
clear HT capabilities stored in its node cache object.

A node may switch from 11n mode to 11a/b/g mode.
If we don't clear HT capabilities from the cache the node will
be mistaken as 11n-capable after reassociation.

ok phessler@ mpi@


# 1.110 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.109 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.108 09-Jan-2017 stsp

The point of ieee80211_node_leave() is to place the node in COLLECT state.
Return early and do nothing if the node is already in COLLECT state upon
entry to this function.


# 1.107 09-Jan-2017 stsp

When acting as hostap, negotiate HT before calling the driver's ic_newassoc()
function, not afterwards. Drivers now know whether a joining node supports HT
which helps with setting up state such as which Tx rate to use.


# 1.106 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@


# 1.105 15-Sep-2016 dlg

move from RB macros to the RBT functions.

shaves about 5k off an amd64 GENERIC.MP kernel


# 1.104 17-Aug-2016 stsp

If a wireless device or driver scans all bands at once give 5GHz APs
a slight priority in cases where good matches exist in either band.
ok sthen@


Revision tags: OPENBSD_6_0_BASE
# 1.103 21-May-2016 stsp

branches: 1.103.2;
Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


# 1.102 18-May-2016 stsp

In hostap mode, don't re-use association IDs (AIDs) of nodes which are
still lingering in the node cache. This could cause an AID to be assigned
twice, once to a newly associated node and once to a different node in
COLLECT cache state (i.e. marked for future eviction from the node cache).

Drivers (e.g. rt2860) may use AIDs to keep track of nodes in firmware
tables and get confused when AIDs aren't unique across the node cache.
The symptom observed with rt2860 were nodes stuck at 1 Mbps Tx rate since
the duplicate AID made the driver perform Tx rate (AMRR) accounting on
the wrong node object.

To find out if a node is associated we now check the node's cache state,
rather than comparing the node's AID against zero. An AID is assigned when
a node associates and it lasts until the node is eventually purged from the
node cache (previously, the AID was made available for re-use when the node
was placed in COLLECT state). There is no need to be stingy with AIDs since
the number of possible AIDs exceeds the maximum number of nodes in the cache.

Problem found by Nathanael Rensen.
Fix written by Nathanael and myself. Tested by Nathanael.
Committing now to get this change tested across as many drivers as possible.


# 1.101 12-Apr-2016 mpi

Call if_enqueue() and if_start() instead of dereferencing the ifp
pointers.

These functions have been introduced to abstract some of the MP-
safeness^Wmadness and should be used everywhere.

Prodded by a comment from jsg@.

ok mikeb@, stsp@


# 1.100 03-Mar-2016 gerhard

Restore assignment of ic_curmode that was accidentally removed when
moving the ERP code to post-assoc phase. Fixes iwi(4) fatal firmware
errors.

ok stsp@, sobrado@


Revision tags: OPENBSD_5_9_BASE
# 1.99 25-Jan-2016 stsp

branches: 1.99.2;
Honour ERP protection on 2 GHz channels in 11n mode, as done for 11g.
ok millert@


# 1.98 25-Jan-2016 stsp

Don't try to interpret htprot data if the last beacon didn't contain such data.
ok mpi@ millert@


# 1.97 07-Jan-2016 stsp

Make the A-MPDU reordering buffer more resilient against APs which drop
some subframes or let the sequence number jump up by more than 1 (hard
to tell which it is). We decrease the BA inactivity timeout for quicker
recovery from stalled BA sessions, and add a new timeout which keeps track
of gaps in the subframe sequence number space due to dropped frames.
Gaps expire after 500 msec, the same value FreeBSD uses for their
implementation of this workaround. And Linux uses this trick, too.

This should fix network stalls some people have been seeing in 11n mode.

ok deraadt@


# 1.96 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.95 04-Jan-2016 stsp

While configuring ERP we need to know if we're in 11a or 11g mode so only
configure ERP once we are sure about our operation mode against the AP.
ok sthen jasper kettenis deraadt mpi


# 1.94 18-Dec-2015 sthen

unnoccupied->unoccupied


# 1.93 12-Dec-2015 stsp

Finish support for receiving 11n A-MPDUs.

The initial implementation was added by damien@ years ago.
Summary of the changes made in this commit:
- In ieee80211_input(), process A-MPDUs before duplicate detection.
- Don't forget to set ba->ba_ni in ieee80211_recv_addba_req()
so we don't crash in ieee80211_rx_ba_timeout().
- In ieee80211_recv_addba_req(), tweak the logic to deny BlockAck
requests if the driver has no callback for doing so.
- Implement ieee80211_ba_del() which cleans up BlockAck state.
- Increase the minimum and maximum lifetime for BlockAck agreements.

ok mpi@


# 1.92 24-Nov-2015 mpi

No need to include <net/if_arp.h>

This header is only needed because <netinet/if_ether.h> declares a
structure that needs it. But it turns out that <net/if.h> already
includes it as workaround.

A proper solution would be to stop declaring "struct ether_arp"
there. But no driver should need this header.


# 1.91 15-Nov-2015 stsp

Parse 11n HT capabilities and operational info from association response
frames, negotiate HT with the AP, and move the interface into or out of
11n mode accordingly. If running as AP negotiate HT with nodes joining the BSS.

ok deraadt mpi kettenis guenther


# 1.90 15-Nov-2015 stsp

Extend struct ieee80211_node with fields for 11n STA HT capabilities and
HT operational information sent by 11n APs. These fields reflect the structure
of elements in management frames so that IEEE80211_HTCAP* and IEEE80211_HTOP*
macros designed to operate on frame elements can be used directly to read
or set the fields.

Populate nodes with HT information received in probe responses, probe
requests, and association requests.

ok deraadt mpi phessler kettenis guenther


# 1.89 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


Revision tags: OPENBSD_5_8_BASE
# 1.88 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.87 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.86 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.85 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.84 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.83 12-Sep-2014 sthen

Remove cached 802.11 nodes in IEEE80211_STA_CACHE state (these are nodes
which have been seen but which haven't otherwise interacted with us), fixing
a problem where old cached nodes are seen when doing a scan.
From Marcin Piotr Pawlowski, feedback stsp@ ok kspillner@ dcoppa@


# 1.82 08-Aug-2014 jasper

use nitems() instead of various local constructs

ok stsp@


Revision tags: OPENBSD_5_6_BASE
# 1.81 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


Revision tags: OPENBSD_5_5_BASE
# 1.80 01-Dec-2013 stsp

Reset txrate array index after changing a node's rate list.
Should prevent "bogus xmit rate %d setup" panics, which I ran into again
in IBSS mode.
ok kettenis


# 1.79 21-Nov-2013 mpi

Remove unneeded include.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.78 24-Mar-2013 claudio

Make ieee80211_set_tim() available from outside of ieee80211_node.c
so drivers like acx(4) can use that function directly instead of
reimplementing the function again. Requested by kettenis@ long time ago.


Revision tags: OPENBSD_5_3_BASE
# 1.77 07-Nov-2012 stsp

Fix DPRINTF() format string treating n->ni_refcnt, which is unsigned, as signed.
diff from dhill; ok kettenis reyk


# 1.76 10-Oct-2012 kettenis

Clear the powersave flag and purge queued packets when a node leaves the AP
(either by disassociating or by timeout). Fixes (most) remaining issues with
power saving.

From Nathanael Rensen.

ok claudio@, krw@, sthen@


# 1.75 05-Oct-2012 camield

Point an interface directly to its bridgeport configuration, instead
of to the bridge itself. This is ok, since an interface can only be part
of one bridge, and the parent bridge is easy to find from the bridgeport.

This way we can get rid of a lot of list walks, improving performance
and shortening the code.

ok henning stsp sthen reyk


# 1.74 20-Sep-2012 stsp

Nuke M_80211_NODE #define which mapped to M_DEVBUF and use M_DEVBUF directly.
ok henning


# 1.73 25-Aug-2012 kettenis

Set up ni_savedq for the initial BSS node such that it can actually be used
to store multicast frames when one of the associated stations is in power
saving mode.

ok stsp@


# 1.72 17-Aug-2012 stsp

Fix possible panic while switching from STA mode into hostap/ibss modes.
ieee80211_create_ibss() resets the set of supported rates but failed
to update the index into the rate set array accordingly. If the rate
configured during STA operation didn't belong to the newly configured
rate set the system ran into an assertion ("bogus xmit rate %u setup")
while trying to create the IBSS.
ok fgsch@


Revision tags: OPENBSD_5_2_BASE
# 1.71 18-Jul-2012 stsp

Print messages about nodes purged from the node cache if hostap/ibss modes are
compiled in and the interface is in debug mode. ok sthen


# 1.70 16-Jul-2012 stsp

Move increment of ic_nnodes closer to where the node is actually inserted
into the cache. Make sure we're at IPL_NET while incrementing/decrementing
ic_nnodes. Add a debug message that warns about possible node leaks.
All of this affects hostap mode only.


# 1.69 13-Jul-2012 stsp

Tweak node cache eviction strategy when the cache is full: kick off new nodes
in AUTH state that weren't active during the cache wait interval rather than
keeping them for the entire cache timeout interval. Fixes association failures
in noisy RF environments. Tested by edd and myself with a slow soekris
suffering from RF noise with about 50 interrupts per second on ral0.
ok deraadt


Revision tags: OPENBSD_5_1_BASE
# 1.68 25-Jan-2012 stsp

There is no need to explicitly skip ic_bss when iterating over cached nodes.
The ic_bss is never put into the RB tree.


# 1.67 25-Jan-2012 stsp

Clean inactive authenticated nodes during cache timeout as well.
There is no need to keep nodes cached which never associated and were
inactive within the last 5 minutes or more. Keeps the node cache pretty
clean in my environment with typical city-center wlan noise.


# 1.66 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@


# 1.65 21-Jan-2012 stsp

Hold interrupts blocked while comparing a cached node's refcount to zero
and freeing the node. Just in case an interrupt happens to ref the node after
the refcount was checked but before the node is freed.
Tested by several as part of a larger diff.


# 1.64 18-Jan-2012 stsp

Make it possible to free cached nodes which never associated (e.g. nodes
only scanning for networks). These were never put into COLLECT state and
were thus never evicted from the node cache in hostap mode.
ok jsg@


Revision tags: OPENBSD_5_0_BASE
# 1.63 28-Mar-2011 kettenis

Clean nodes until the number of cached nodes is smaller than the maximum number
of nodes, otherwise we'll never actually clean any nodes. Fixes issues with
clients failing to attach because the node cache is completely filled.

ok damien@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.62 07-Aug-2010 krw

No "\n" needed at the end of panic() strings.

Bogus chunks pointed out by matthew@ and miod@. No cookies for
marco@ and jasper@.

ok deraadt@ miod@ matthew@ jasper@ macro@


# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


# 1.60 19-Jun-2010 damien

In ieee80211_node_leave(), clear the associd after calling
ieee80211_node_leave_rsn() since ieee80211_node_leave_rsn()
calls ic_delete_key() and drivers like ral(4) RT2860 need
a valid associd in their delete_key callbacks.
This affects HostAP mode only.

from Nathanael Rensen.

remove a useless (nested) #ifndef IEEE80211_STA_ONLY while i'm here


# 1.59 14-Jun-2010 damien

fix my previous commit, i forgot BIP, so instead of enumerating
what is not supported as a group cipher, enumerate what is supported.


# 1.58 14-Jun-2010 damien

do not try to associate with an AP using an unsupported group cipher,
otherwise we will panic in ieee80211_add_rsn_body().

this may be the cause of a panic seen by reyk@ though i'm not 100% sure.


# 1.57 28-Mar-2010 krw

Four uses of uninitialized variables found by clang via jsg@. ar5416, ar9287
and athn are only theoretically interesting. ieee80211_node fixes a real
bug in occupied channel detection.

ok damien@


Revision tags: OPENBSD_4_7_BASE
# 1.56 17-Feb-2010 damien

Do not always create a new node when a beacon or a probe response
is received. The creation of a new node is already handled in
ieee80211_recv_probe_resp() when necessary.
This avoids creating empty nodes with wrong channels when beacons
are received on the wrong channel (overlapping channels).
Those empty nodes may also prevent the real node from being
discovered because of ieee80211_find_node_for_beacon() filtering.

This should prevent entries of the form:
nwid "" chan 3 bssid 00:01:02:03:04:05 0dB 54M
in "ifconfig if0 scan" output, like reported by Rivo Nurges.


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.55 29-Jan-2009 damien

fix a panic that occurs when IEEE80211_STA_ONLY is defined (SMALL_KERNEL).

noticed by ray@, more investigation from sthen@
fix tested by sthen@


# 1.54 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.53 28-Jan-2009 damien

In ieee80211_find_node(), roll our own RB_FIND() based on the key (macaddr)
instead of resorting to horrid hacks/casts.
Restore the ieee80211_node structure back to its original state.


# 1.52 27-Jan-2009 damien

unbreak SMALL_KERNEL builds by adding missing #ifndef IEEE80211_STA_ONLY

pointed out by krw@


# 1.51 26-Jan-2009 damien

move ni_macaddr field at the top of the ieee80211_node structure.
this way we can avoid putting a full node structure (which is huge)
on the stack in ieee80211_find_node().
this is a bit tricky but the RB_FIND macro wants an "elem" structure,
not a field of "elem".


# 1.50 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.49 14-Dec-2008 damien

Add an ieee80211_notify_dtim() function that drivers should call after
every DTIM in HostAP mode.
Flushes all group addressed MSDUs buffered at the AP for power management.


# 1.48 23-Oct-2008 mk

Prevent a crash in ieee80211_setkeys() when unplugging an interface in
hostap mode by canceling the group rekey timeout in ieee80211_node_detach().

ok damien


# 1.47 15-Oct-2008 blambert

Second pass of simple timeout_add -> timeout_add_sec conversions
This should take care of the simpler ones (i.e., timeout values of
integer multiples of hz).

ok krw@, art@


# 1.46 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.45 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.44 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.43 12-Aug-2008 damien

new SHA-256 based AKMPs.


# 1.42 12-Aug-2008 damien

add/process group integrity cipher suite in RSN IEs.
add support for MFP negotiation during association.


# 1.41 12-Aug-2008 damien

the only integrity group cipher currently supported is AES-128-CMAC.


# 1.40 12-Aug-2008 damien

generate a random IGTK in HostAP mode if we're MFP-capable.


# 1.39 12-Aug-2008 damien

get rid of the map_ptk()/map_gtk() functions, just inline them
which makes things easier to track.


Revision tags: OPENBSD_4_4_BASE
# 1.38 02-Aug-2008 damien

Drop frames that are received unencrypted when WEP is on or when
WPA is on and RX protection for TA is on.
Keep track of the TX/RX protection for each node when WPA is on.

tested by djm@ (ral+wpa), ckuethe@ (ath-noenc) and krw@ (wpi<->ral+wpa).
hints from bluhm@
has been in snaps for a few days.

pointed out by bluhm@ something like 1 year ago but we did not have
the right infrastructure to fix it properly at that time.

ok deraadt@


# 1.37 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.36 27-Jul-2008 damien

s/IEEE80211_DPRINTF/DPRINTF/
automatically prepend __func__ to output.

deobfuscates debug messages a bit.
no binary change unless compiled with IEEE80211_DEBUG.


# 1.35 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.34 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


# 1.33 21-Apr-2008 damien

move ieee80211_ibss_merge() from ieee80211_input.c to ieee80211_node.c


# 1.32 21-Apr-2008 damien

move ieee80211_auth_open() to ieee80211_proto.c
move ieee80211_setup_rates() to ieee80211_node.c
move some prototypes from ieee80211_proto.h to ieee80211_crypto.h


# 1.31 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.30 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.29 07-Sep-2007 damien

use new malloc M_ZERO flag + replace MALLOC with malloc


Revision tags: OPENBSD_4_2_BASE
# 1.28 06-Jul-2007 damien

remove remaining bits for pre-RSNA shared authmode support.
it has been #if 0'd since 3.9 and we have never supported this mode (no
ifconfig option etc...).


# 1.27 06-Jul-2007 damien

initialize an uninitialized variable.


# 1.26 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.25 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.24 16-Jun-2007 damien

constify


# 1.23 16-Jun-2007 damien

don't mix u_int{8,16,32}_t and uint{8,16,32}_t
use u_int{8,16,32}_t everywhere.


# 1.22 16-Jun-2007 damien

de-static

ok jsg@


# 1.21 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.20 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


# 1.19 10-Apr-2007 miod

``it's'' -> ``its'' when the grammar gods require this change.


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 13-Nov-2006 damien

fix a possible NULL deref.


Revision tags: OPENBSD_4_0_BASE
# 1.16 19-Jun-2006 reyk

unbreak the code if compiled with IEEE80211_DEBUG by using the right
node attribute.

ok damien@, figured out by claudio@


# 1.15 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.14 19-Feb-2006 damien

Fix a comment in ieee80211_next_scan().


# 1.13 09-Oct-2005 reyk

if the wireless hostap interface belongs to a bridge, learn the node's
address dynamically on this interface after successful association.
this could speed wireless roaming to openbsd accesspoints.

ok jason@, jsg@ can't see anything objectionable


# 1.12 07-Oct-2005 reyk

minor knf


# 1.11 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.10 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.9 08-Sep-2005 jsg

Remove the last of the FreeBSD compatibility goop.
ok reyk@


# 1.8 08-Sep-2005 jsg

Remove FreeBSD if_printf compat function from net80211.
ok reyk@


# 1.7 08-Sep-2005 reyk

reset the scan state for each new mode

ok jsg@


# 1.6 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.5 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.4 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.3 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.2 02-Nov-2004 millert

Don't call memset() if MALLOC returns NULL; also fix the rcs ID.
From Patrick Latifi; OK reyk@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.185 29-Apr-2021 stsp

Make iwn, iwm, and iwx keep track of beacon parameters at run-time.

- HT protection settings (this was already implemented)
- ERP (11g) protection setting
- short slottime setting
- short preamble setting
- EDCA (QoS) parameters

All of these parameters are communicated in beacons and hardware is
now kept up-to-date with them.

Prompted by a problem report from Christian Ehrhardt regarding ERP.

Tested:
iwn 6205: stsp, Josh Grosse
iwm 7265: trondd
iwm 8265: stsp, Matthias Schmidt
iwm 9260: phessler
iwx ax200: stsp, jmc, gnezdo


Revision tags: OPENBSD_6_9_BASE
# 1.184 15-Apr-2021 stsp

When starting an AP or IBSS network, reconfigure the operation mode to
11ac/n/a/g/b as applicable. Fixes an issue where hostap would end up
running in the rather meaningless MODE_AUTO unless a mode was explicitly
configured with ifconfig.

Found while investigating issues reported by trondd testing my athn RA patch.

ok deraadt@


# 1.183 10-Mar-2021 jsg

spelling

ok gnezdo@ semarie@ mpi@


Revision tags: OPENBSD_6_8_BASE
# 1.182 31-May-2020 stsp

Remove a dead assignment to ni_rsn_state in ieee80211_node_leave_rsn().

Patch by Mikolaj Kucharski


Revision tags: OPENBSD_6_7_BASE
# 1.181 05-May-2020 stsp

Purge the ic_bss->ni_savedq mbuf queue when a wireless interface goes down.

Purging this queue prevents a panic which occurs when a WPA2-enabled athn(4)
hostap interface is reconfigured while this queue contains frames.

In hostap mode, this queue contains group-addressed (broadcast) frames
which are buffered for clients sleeping in powersave state. Frames on
this queue are transmitted when it is time to send another beacon, at
which point in time sleeping clients wake up to receive such frames.

The panic message is "key unset for sw crypto", which can be explained as
follows: Group keys are cleared when the interface goes down. The beacon Tx
interrupt handler gets triggered by hardware when the interface comes back
up. This handler attempts to encrypt the queued frames for transmission,
resulting in the above panic since the group key has been zeroed out.

This panic has been observed with athn(4) by Jan Stary and Ted Patterson,
and Ted has confirmed that this patch fixes the problem.

ok kettenis@ (with the caveat that it's been a long time since he put our
AP-side powersave support into a working state)


# 1.180 08-Apr-2020 stsp

Fix ifconfig "media:" line for 11n wifi interfaces during and after bgscan.

Media was displayed as e.g. "autoselect (OFDM6)" even though 11n was active
because the current media mode is changed to AUTO for background scanning
and was never switched back to 11N.

ok mpi@ pirofti@


# 1.179 15-Jan-2020 phessler

If join is connected to an AP, remove the node from the cache so we properly
reconnect to the AP

OK stsp@


# 1.178 29-Dec-2019 stsp

If the new candidate AP found after a background scan has an RSSI level
that will also trigger background scans, remain with the current AP.
Avoids ping-pong in environments where APs are tuned for low transmit
range, such as 36c3.

ok phessler benno


# 1.177 10-Nov-2019 stsp

Stop connecting to available open wifi networks when the interface is put up.
From now on, this behaviour must be explicitly enabled with ifconfig join "".
ok sthen jcs deraadt


# 1.176 09-Nov-2019 stsp

Give access points which fail to AUTH or ASSOC less priority during
the next selection of networks from the join list. Prevents endless
attempts to connect to an AP which is out of reach but still somehow
manages to get a beacon or two across to us during scan.

Tested with wifi networks at the University of Bucharest.
Makes switching wifi networks possible after walking to a different
room without having to down/up the interface or suspend/resume.

ok phessler@


# 1.175 09-Nov-2019 stsp

Clear the unref callback function pointer when cleaning up an ieee80211_node.
ok mpi@


# 1.174 31-Oct-2019 stsp

Make background scans less frequent if we keep choosing the same AP.

This helps a bit in situations where a single AP is used and background scans
are causing packet loss, as seen with Jesper Wellin's Broadcom-based AP and my
Android phone in hotspot mode. This is not a proper fix but our background scan
frequency against a single AP was much higher than needed anyway.

Tested by jan, job, benno, Tracey Emery, Jesper Wallin


Revision tags: OPENBSD_6_6_BASE
# 1.173 02-Sep-2019 stsp

Make net80211 expose reasons for association failures to userland and have
ifconfig display them in 'scan' output and on the ieee80211 status line if
the failure is applicable to an already selected AP (e.g. wrong WPA key).

This will hopefully reduce the amount of help requests for what often
turn out to be trivial misconfiguration issues that were previously
hard to diagnose without debug mode.

ifconfig must be recompiled with the new ieee80211_ioctl.h to stay in
sync with the kernel. A full 'make build' will do the right thing!

Very helpful input by mpi@ and deraadt@


# 1.172 27-Aug-2019 stsp

Keep ieee80211_node structures cached across scans, rather than
wiping the entire cache every time a scan is triggered.

This has benefits for userland programs trying to look at scan results,
and for drivers which don't get a full view from hardware on every scan.

Nodes will still be evicted from the cache in one of several ways:

Add a new way of timing out inactive nodes which don't send a beacon
within 10 scan iterations, for client mode only. This should get rid
of stale APs if we're scanning for some time in a changing environment.

If we fail to associate a few times, the corresponding node is removed.

If net80211 transitions back to INIT state (e.g. because of a
user-initiated configuration change) all nodes are removed.

When a background scan starts all nodes will be removed. This could be
revisited later but has been intentionally left as-is for now.

Tested by myself, jmc@, benno@, procter@ on iwm(4), athn(4) and ral(4).


# 1.171 26-Aug-2019 stsp

remove redundant assignment to ic_curmode

This assignment to ic_curmode is redundant because it already occurs
inside ieee80211_setmode(), and channel information in selbs and ni
is equivalent after node_copy().

ok mpi@ kevlo@


# 1.170 29-Jul-2019 stsp

Add support for 802.11n Tx aggregation to net80211 and the iwn(4) driver.

In particular, add Tx block ack session management to net80211, with
enough functionality to support Tx aggregation on devices which perform
A-MPDU subframe scheduling in firmware.
Make use of the iwn(4) firmware Tx scheduler to build A-MPDUs.

net80211's QoS support code is now enabled and used by Tx aggregation.

A-MSDU frames inside A-MPDUs have been tested and work in principle.
For now, this feature is disabled because unfair TCP connection sharing
was observed during testing, where bursts of TCP Ack frames for a single
tcpbench(1) connection arriving in A-MSDUs made other TCP connections stall.
Switch off support for A-MSDUs inside A-MPDUs on the Rx side as well.

Tested on iwn chipsets 1000, 4965, 5100, 5300, 2200, 6200, 6205, 6300
(committed version of tested diff has all debug printfs removed)
tests/ok benno kmos mlarkin kevlo


# 1.169 23-Jul-2019 stsp

In 11n hostap mode, properly disable HT protection when needed
by actually overwriting the relevant bits in ni_htop1.
ok tedu@ phessler@ kettenis@


# 1.168 10-Jun-2019 stsp

Revised version of 'ifconfig mode' command fix.

The 'mode' command is supposed to force a wireless interface into 11a/b/g/n
media mode. This stopped working some time ago, probably during my work on
background scanning. Problem spotted by mlarkin@ who noticed that interfaces
were using 11g mode while forced to 11b mode.

ok phessler, jmatthew (earlier version)
relentless testing by krw@


# 1.167 31-May-2019 stsp

Revert my "Repair the 'ifconfig mode' command" commit.

The "recursion in end_scan()" problem is apparently still present in
the committed version of the diff (reported by krw@).


# 1.166 29-May-2019 stsp

Repair the 'ifconfig mode' command.

The 'mode' command is supposed to force a wireless interface into 11a/b/g/n
media mode. This stopped working some time ago, probably during my work on
background scanning. Problem spotted by mlarkin@ who noticed that interfaces
were using 11g mode while forced to 11b mode.

ok phessler, jmatthew


# 1.165 11-May-2019 stsp

Show driver name on net80211 scan debug lines.
ok mpi@


# 1.164 28-Apr-2019 mpi

Removes the KERNEL_LOCK() from bridge(4)'s output fast-path.

This redefines the ifp <-> bridge relationship. No lock can currently
be used across the multiple contexts where the bridge has tentacles
to protect a pointer, use an interface index.

Tested by various, ok dlg@, visa@


Revision tags: OPENBSD_6_5_BASE
# 1.163 15-Mar-2019 phessler

fix autojoin for WEP network by actually saving the WEP auth key

discovered while attempting to autojoin WEP networks


# 1.162 01-Mar-2019 stsp

Improve handling of HT protection for 'mode 11n' hostap.

Consider the mere presence of HTCAP IEs as indicator of 11n support,
rather than checking advertised Rx MCS. Fixes some devices being
misclassified as 11a/g, causing HT protection to be enabled even
though it is not needed.

Use CTS-to-self frames for HT protection instead of RTS/CTS.

These changes make my athn(4) AR9280 hostap perform much better.

ok phessler@


# 1.161 23-Jan-2019 stsp

Move 802.11n rateset definitions out of MiRA and make them available to
net80211 and drivers in general. Add ratesets for 'short guard interval'
(SGI) rates, and add SGI support to MiRA. SGI is currently only used by
iwm(4), and of course internally by bwfm(4) firmware.
Ratesets for 11n 40 MHz channels and 11ac will come later.
ok mpi@ phessler@


# 1.160 18-Jan-2019 phessler

add a len field when we delete an essid from the joinlist. this will have
us properly match, instead of hoping we got lucky when selecting it.

OK stsp@


# 1.159 18-Jan-2019 phessler

let users automatically use join to connect to any open wifi network.
if a known network is visible, always prefer that instead.

requested by many, OK stsp@


# 1.158 25-Nov-2018 phessler

print more details about the join'd networks we have saved when a user runs
ifconfig if joinlist

OK stsp@


# 1.157 20-Nov-2018 phessler

fix whitespace in debugging function


# 1.156 20-Nov-2018 patrick

The first packet received from each AP in each QoS class would be
dropped as the sequence number matches the initial value of the
cached last sequence number (zero). On some APs (notably Android
WIFI hotspots) this hits the first packet of the WPA2 4-way
handshake. This causes connection delays and in some cases
connection to the AP fails completely. Initialize the cached last
sequence numbers for received packets to an invalid value instead.

From Christian Ehrhardt
ok gerhard@ stsp@
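The failure mode described in this commit message, as an added stand-alone illustration (this is not net80211 code): a per-peer, per-TID cache of the last received sequence number that is zero-initialised will reject a legitimate first frame whose sequence number happens to be 0, while initialising the cache to a value no 12-bit sequence number can take avoids that. The TID count, the sentinel value, the simplified equality-only duplicate check, and the sample frame sequence are all assumptions constructed for this example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Assumption for this example: 16 QoS traffic identifiers (TIDs) per peer. */
#define NUM_TIDS 16

/* Sentinel meaning "nothing received yet on this TID". Real 802.11 sequence
 * numbers are 12 bits wide, so 0xffff can never match a received frame. */
#define SEQ_NONE 0xffff

struct peer_rxstate {
	uint16_t last_seq[NUM_TIDS];
};

/* Old behaviour: cache zeroed, so a first frame with seq 0 looks like a repeat. */
void peer_init_buggy(struct peer_rxstate *p)
{
	memset(p->last_seq, 0, sizeof(p->last_seq));
}

/* Fixed behaviour: cache starts at an invalid sequence number. */
void peer_init_fixed(struct peer_rxstate *p)
{
	for (int i = 0; i < NUM_TIDS; i++)
		p->last_seq[i] = SEQ_NONE;
}

/* Simplified duplicate detection (assumption: equality with the last cached
 * sequence number on this TID is treated as a retransmission). Returns true
 * when the frame should be dropped; otherwise records it as the newest frame. */
bool rx_is_duplicate(struct peer_rxstate *p, int tid, uint16_t seq)
{
	if (tid < 0 || tid >= NUM_TIDS)
		return true;	/* malformed TID: drop rather than index out of bounds */
	if (p->last_seq[tid] == seq)
		return true;
	p->last_seq[tid] = seq;
	return false;
}

/* Run a constructed frame sequence through the detector and count accepted frames. */
int count_accepted(void (*init)(struct peer_rxstate *), const uint16_t *seqs,
    int n, int tid)
{
	struct peer_rxstate p;
	int accepted = 0;

	init(&p);
	for (int i = 0; i < n; i++)
		if (!rx_is_duplicate(&p, tid, seqs[i]))
			accepted++;
	return accepted;
}

/* Constructed sample: the AP's first QoS frame on TID 0 (think of EAPOL
 * message 1 of the 4-way handshake) carries sequence number 0, followed by
 * 1, 2, and a genuine retransmission of 2. */
static const uint16_t sample_seqs[] = { 0, 1, 2, 2 };
#define SAMPLE_LEN 4

int accepted_buggy(void)
{
	/* seq 0 is wrongly dropped, the retransmitted 2 is rightly dropped */
	return count_accepted(peer_init_buggy, sample_seqs, SAMPLE_LEN, 0);
}

int accepted_fixed(void)
{
	/* only the retransmitted 2 is dropped */
	return count_accepted(peer_init_fixed, sample_seqs, SAMPLE_LEN, 0);
}
```

With the zeroed cache the handshake's first frame never reaches the supplicant, which is exactly the "connection delays" symptom the message describes; the sentinel makes the cache state distinguishable from a real frame.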


# 1.155 27-Oct-2018 phessler

pass around the ess and ni structures we plan to use directly, instead
of rediscovering them (possibly badly).

OK stsp@


# 1.154 27-Oct-2018 phessler

clean up accounting of the AUTO_JOIN flag by making sure it is set or cleared
based on the state of the joinlist

OK stsp@


# 1.153 27-Oct-2018 phessler

don't join to a network where we expect cleartext, and the AP is using crypto

OK stsp@


Revision tags: OPENBSD_6_4_BASE
# 1.152 18-Sep-2018 mestre

fix memory leak in ieee80211_end_scan()

OK phessler@ jsg@


# 1.151 17-Sep-2018 jsg

fix memory leaks in ieee80211_add_ess()
ok stsp@ phessler@


# 1.150 11-Sep-2018 phessler

use the format string for signed ints, for signed ints

reminded by stsp@


# 1.149 11-Sep-2018 phessler

With the interface debug flag enabled, print a "score" for each AP we
consider during auto-join. This can help users determine why a specific
network was chosen.

OK stsp@


# 1.148 10-Sep-2018 phessler

fix typo in the length of the essid we want to switch to

found with and OK stsp@


# 1.147 10-Sep-2018 phessler

extract clearing WEP/WPA in ess into helper functions


# 1.146 10-Sep-2018 phessler

give set_ess a len variable, so we can correctly match the essid we want
to switch to.

pointed out by stsp@


# 1.145 09-Sep-2018 phessler

convert the things we save in 'join' into a single ioctl. mixing related
settings over multiple calls was risky and racy. Pass essid, wpa, and wep
parameters in a single ioctl and process it atomically.

no change for 'nwid' users

OK stsp@ benno@


# 1.144 06-Sep-2018 jsg

fix whitespace


# 1.143 01-Sep-2018 stsp

Make 'ifconfig nwid' override 'ifconfig join'.

There was no way to override a decision made by join's network
selection algorithm (apart from disabling the feature by clearing
the join list). Automatic selection is based on heuristics which
cannot always guess correctly so we need to provide an override.

One specific problem was that if 'nwid foo' and 'nwid bar' were
both visible in the scan and only 'nwid foo' was a member of the
join list, then there was no way at all to connect to 'nwid bar'.
The wireless stack would keep selecting 'nwid foo' instead.

The 'ifconfig iwm0 nwid bar' command will now disable automatic
network selection and force the use of ESSID 'bar'.
Any of these commands will re-enable automatic network selection:
ifconfig iwm0 -nwid
ifconfig iwm0 nwid ''
ifconfig iwm0 join some-network-id

ok phessler@ deraadt@


# 1.142 15-Aug-2018 stsp

Update AP selection heuristics for auto-join.

We now prefer stronger crypto over weaker crypto over none, prefer 5 GHz
band with reasonable RSSI, and use RSSI as a tie-breaker with a slight
advantage for 5GHz. Candidate APs are now ranked by a score which is
calculated based on these attributes.

There is likely room for improvements to make these heuristics
work well across many different environments, but it's a start.

ok phessler@
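The ranking policy this message describes, as an added example written for this page (it is not the net80211 implementation and does not reproduce its weights): candidates are scored so that crypto strength dominates, a 5 GHz AP with usable signal ranks next, and RSSI with a small 5 GHz bonus acts as the tie-breaker. The crypto ordering, the RSSI threshold, the bonus value, the percentage RSSI scale and the sample AP list are all assumptions constructed for the example.

```c
/* Crypto classes in increasing strength order (assumed ordering for this example). */
enum ap_crypto { CRYPTO_NONE = 0, CRYPTO_WEP = 1, CRYPTO_WPA1 = 2, CRYPTO_WPA2 = 3 };

struct ap_candidate {
	const char *name;	/* label for the constructed sample */
	enum ap_crypto crypto;
	int is_5ghz;
	int rssi;		/* assumption: 0..100 percent scale */
};

/* Assumed tunables: 5 GHz with RSSI at or above this counts as "reasonable",
 * and 5 GHz gets a slight edge when everything else is equal. */
#define RSSI_5GHZ_OK	50
#define FIVE_GHZ_BONUS	5

/* Score layout keeps the criteria lexicographic: crypto (x10000) can never be
 * outweighed by the band term (1000), which in turn can never be outweighed
 * by RSSI plus bonus (at most 105 on this scale). */
int ap_score(const struct ap_candidate *ap)
{
	int score = ap->crypto * 10000;

	if (ap->is_5ghz && ap->rssi >= RSSI_5GHZ_OK)
		score += 1000;
	score += ap->rssi;
	if (ap->is_5ghz)
		score += FIVE_GHZ_BONUS;
	return score;
}

/* Return the index of the best-scoring candidate, or -1 for an empty list.
 * Ties keep the earlier entry so the result does not depend on scan order. */
int ap_select(const struct ap_candidate *aps, int n)
{
	int best = -1, best_score = -1;

	for (int i = 0; i < n; i++) {
		int s = ap_score(&aps[i]);
		if (s > best_score) {
			best = i;
			best_score = s;
		}
	}
	return best;
}

/* Constructed sample scan result sharing one ESSID. */
static const struct ap_candidate sample_aps[] = {
	{ "open-2g-strong", CRYPTO_NONE, 0, 95 },	/* strongest signal, no crypto */
	{ "wpa2-2g-strong", CRYPTO_WPA2, 0, 90 },
	{ "wpa2-5g-ok",     CRYPTO_WPA2, 1, 55 },	/* 5 GHz with usable signal */
	{ "wpa2-5g-weak",   CRYPTO_WPA2, 1, 20 },	/* 5 GHz but too weak */
	{ "wpa1-5g-strong", CRYPTO_WPA1, 1, 100 },	/* weaker crypto loses despite RSSI */
};
#define SAMPLE_APS 5

int sample_best(void)
{
	return ap_select(sample_aps, SAMPLE_APS);	/* index 2: wpa2-5g-ok */
}

/* Same list without the usable 5 GHz AP: the strong 2 GHz WPA2 AP should win
 * over the weak 5 GHz one, i.e. the bonus alone must not pull us onto 5 GHz. */
int sample_best_without_5g_ok(void)
{
	const struct ap_candidate subset[] = { sample_aps[0], sample_aps[1],
	    sample_aps[3], sample_aps[4] };
	return ap_select(subset, 4);	/* index 1: wpa2-2g-strong */
}
```

Keeping the weights orders of magnitude apart is what makes the policy auditable: a reader can verify from the constants alone that no RSSI value can ever promote an open network above an encrypted one.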


# 1.141 13-Aug-2018 stsp

Add support for band-steering access points to net80211.

Some access points have a feature called "band steering" where they
will try to push clients from 2 GHz channels to 5 GHz channels.
If a client sends probe-requests on both 2 GHz and 5GHz channels, and
then attempts to authenticate on a 2 GHz channel, such APs will deny
authentication and hope that the client will come back on a 5 GHz channel.

So if we fail to AUTH for any reason, and if there is a different
AP with the same ESSID that we haven't tried yet, try that AP next.
Keep trying until no APs are left, and only then continue scanning.

APs with support for this feature were provided by Mischa Peters.

ok phessler@ mpi@


# 1.140 11-Aug-2018 stsp

Add comment explaining why we read basic MCS set only from beacon/probereq.
requested by mpi@


# 1.139 07-Aug-2018 stsp

Ignore basic MCS set information found in association responses.

Some APs (Aruba 105) send a bogus basic MCS set in assoc responses
which prevents us from enabling 11n support with those APs, while
these APs still behave as if we were an 11n client which renders
the association unusable.

The basic MCS set is already provided in beacons anyway, and the
802.11 2012 standard says the basic MCS set is reserved in frames
other than beacons (see Table 8-130).

ok mpi@


# 1.138 06-Aug-2018 stsp

Refactor ieee80211_add_ess():

Drop ieee80211_add_ess's nwid parameter. Read nwid and length directly
from the ic to make it more obvious where this function is reading from.

nwids are binary data with an explicit length, so treat them as such
instead of treating them like strings.

ok florian phessler


# 1.137 06-Aug-2018 florian

Do not set nwid over and over again. We just found the ess by comparing
the nwid. It will not have changed in the meantime.
OK stsp


# 1.136 03-Aug-2018 phessler

revert 1.133 and part of 1.131
the stack doesn't always fill in the parameters correctly

reported by many


# 1.135 30-Jul-2018 stsp

Don't ask drivers to join a wifi network before an AP has been chosen.
Should fix a panic with bwfm(4) reported by mlarkin@
ok phessler@


# 1.134 19-Jul-2018 florian

ieee80211_ess_is_better() returns 0 or 1, comparing > 1 is always
false so we always selected the first wifi available, not the best
one.

While here shuffle some deck chairs to make it clearer that anything is
better than nothing.

tweak & OK phessler


# 1.133 16-Jul-2018 phessler

the AP sends their crypto parameters as a mask, so let us still select it
in case we want WPA2 and they have WPA1 still enabled


# 1.132 16-Jul-2018 phessler

don't save or use auto-join when the card is not in station (aka client) mode

OK stsp@


# 1.131 13-Jul-2018 phessler

Some more checks before auto-join switches networks.

Make sure all of the crypto options the AP announces matches what we
would configure. While here, don't switch if the user has specified
a specific BSSID, and the new AP does not match.

OK stsp@


# 1.130 11-Jul-2018 phessler

Introduce 'auto-join' to the wifi 802.11 stack.

This allows a system to remember which ESSIDs it wants to connect to, any
relevant security configuration, and switch to it when the network we are
currently connected to is no longer available.

Works when connecting and switching between WPA2/WPA1/WEP/clear encryptions.

example hostname.if:
join home wpakey password
join work wpakey mekmitasdigoat
join open-lounge
join cafe wpakey cafe2018
join "wepnetwork" nwkey "12345"
dhcp
inet6 autoconf
up

OK stsp@ reyk@
and enthusiasm from every hackroom I've been in for the last 3 years


# 1.129 28-Apr-2018 stsp

When starting a background scan, free the nodes table to ensure we
get an up-to-date view of APs around us. In particular, we need to
kick out the AP we are associated to. Otherwise, our current AP might
stay cached if it is turned off while we are scanning, and we could
end up picking a now non-existent but "good looking" AP over and over.

found with and ok phessler@


# 1.128 27-Apr-2018 stsp

Fix the scan loop: We were only looking for an AP once and stopped
scanning if none was found.
Accidentally broken in recent ifconfig scan changes by pirofti and me.
ok pirofti


# 1.127 26-Apr-2018 pirofti

net80211: stub SIOCS80211SCAN, make ifconfig scan instant.

The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stsp@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.

The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.

In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.

The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...

Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.

Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).

Tested by mpi@, landry@, florian@, thanks!
OK mpi@.


Revision tags: OPENBSD_6_3_BASE
# 1.126 06-Feb-2018 phessler

convert the test if a node supports HT (aka, 11n) into an inline function,
instead of testing some un-obvious bitfield

OK stsp@


# 1.125 12-Dec-2017 stsp

Don't dereference IEEE80211_CHAN_ANYC pointer in ieee80211_node_checkrssi().

Problem reported by Gregoire Jadi on bugs@


# 1.124 12-Dec-2017 phessler

Allow interfaces that aren't SCANNALLBAND drivers to benefit from the
strongest received signal.

OK stsp@


# 1.123 12-Dec-2017 jcs

Fix the behavior of preferring weaker-but-still-good 5GHz APs over
2GHz APs because the 5GHz band is generally less saturated.

The previous implementation was dependent upon the order of walking
APs.

ok stsp


# 1.122 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


Revision tags: OPENBSD_6_2_BASE
# 1.121 05-Sep-2017 stsp

When starting a new scan always set the mode to AUTO if the driver scans
all bands at once. Fixes a problem where e.g. 5GHz APs were filtered out
if we were previously associated to an 11g-only AP.
ok mpi@ phessler@


# 1.120 17-Aug-2017 stsp

Add an entry to dmesg if pairwise WPA keys arrive unexpectedly or if WPA
group keys are being reused. OpenBSD wireless clients will now leave a
trail of such events in their message log.

There has been increased public scrutiny of WPA's security recently, so
I am curious to see if anyone is attempting replay attacks in the wild.

ok deraadt


# 1.119 04-Aug-2017 stsp

Compile a debug printf in ieee80211_match_bss() by default, previously
guarded by the IEEE80211_DEBUG preprocessor flag. This shows one line
per detected AP after a scan, and indicates which APs are considered
candidates for association.
Shorten the output a bit to fit into 80 columns more likely.
ok sthen@


# 1.118 19-Jul-2017 stsp

Improve the heuristic which selects 5GHz APs over 2GHz APs.

The previous code wasn't quite right: it didn't account for the fact that
some drivers don't set ic_max_rssi, and it compared 5GHz APs to a threshold
relative to the max RSSI, rather than comparing RSSI on 5GHz relative to
RSSI on 2GHz.

This heuristic is only used by SCANNALLBAND drivers: iwn(4), iwm(4), wpi(4)

In the future the AP selection heuristic should be made more intelligent,
e.g. it should take BSS load information in beacons into account.
Another open problem is inconsistent representation of RSSI measurement
values throughout our drivers and stack. Help is welcome!

For now, this hopefully improves AP selection at busy airports.

ok sthen@ deraadt@


# 1.117 04-Jun-2017 tb

Add sizes for free for the RSN IEs. Rewrite ieee80211_save_ie() slightly
to make it more readable.

help, many explanations and ok stsp


# 1.116 03-Jun-2017 tb

Add a few sizes to free().

Input, help & ok stsp


Revision tags: OPENBSD_6_1_BASE
# 1.115 04-Mar-2017 stsp

branches: 1.115.4;
In 11n hostap mode, dynamically adjust HT protection settings based on
the presence of non-HT nodes in the node cache.
OpenBSD 11n APs will now disable HT protection if it is not necessary.
ok mpi@


# 1.114 03-Feb-2017 stsp

Fix 11b clients sending bogus ratesets in association requests. The common
rateset with the AP is calculated only after the association response was
received, which is too late. Fix rates when an AP is selected after a scan.
ok mpi@ tb@


# 1.113 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.112 16-Jan-2017 stsp

Reset block ack state and cancel related timeouts when a HT node disassociates.
The existing code (from damien@) already took care of freeing related buffers
but because block ack state was not reset we were still trying to use these
buffers if the node sent another A-MPDU. This problem only affects 11n hostap.
Fixes kernel crash reported by Timo Myyra on bugs@


# 1.111 09-Jan-2017 stsp

When a HT node leaves or reassociates as a non-HT node,
clear HT capabilities stored in its node cache object.

A node may switch from 11n mode to 11a/b/g mode.
If we don't clear HT capabilities from the cache the node will
be mistaken as 11n-capable after reassociation.

ok phessler@ mpi@


# 1.110 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.109 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.108 09-Jan-2017 stsp

The point of ieee80211_node_leave() is to place the node in COLLECT state.
Return early and do nothing if the node is already in COLLECT state upon
entry to this function.


# 1.107 09-Jan-2017 stsp

When acting as hostap, negotiate HT before calling the driver's ic_newassoc()
function, not afterwards. Drivers now know whether a joining node supports HT
which helps with setting up state such as which Tx rate to use.


# 1.106 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@


# 1.105 15-Sep-2016 dlg

move from RB macros to the RBT functions.

shaves about 5k off an amd64 GENERIC.MP kernel


# 1.104 17-Aug-2016 stsp

If a wireless device or driver scans all bands at once give 5GHz APs
a slight priority in cases where good matches exist in either band.
ok sthen@


Revision tags: OPENBSD_6_0_BASE
# 1.103 21-May-2016 stsp

branches: 1.103.2;
Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


# 1.102 18-May-2016 stsp

In hostap mode, don't re-use association IDs (AIDs) of nodes which are
still lingering in the node cache. This could cause an AID to be assigned
twice, once to a newly associated node and once to a different node in
COLLECT cache state (i.e. marked for future eviction from the node cache).

Drivers (e.g. rt2860) may use AIDs to keep track of nodes in firmware
tables and get confused when AIDs aren't unique across the node cache.
The symptom observed with rt2860 was nodes stuck at 1 Mbps Tx rate since
the duplicate AID made the driver perform Tx rate (AMRR) accounting on
the wrong node object.

To find out if a node is associated we now check the node's cache state,
rather than comparing the node's AID against zero. An AID is assigned when
a node associates and it lasts until the node is eventually purged from the
node cache (previously, the AID was made available for re-use when the node
was placed in COLLECT state). There is no need to be stingy with AIDs since
the number of possible AIDs exceeds the maximum number of nodes in the cache.

Problem found by Nathanael Rensen.
Fix written by Nathanael and myself. Tested by Nathanael.
Committing now to get this change tested across as many drivers as possible.


# 1.101 12-Apr-2016 mpi

Call if_enqueue() and if_start() instead of dereferencing the ifp
pointers.

These functions have been introduced to abstract some of the MP-
safeness^Wmadness and should be use everywhere.

Prodded by a comment from jsg@.

ok mikeb@, stsp@


# 1.100 03-Mar-2016 gerhard

Restore assignment of ic_curmode that was accidentally removed when
moving the ERP code to post-assoc phase. Fixes iwi(4) fatal firmware
errors.

ok stsp@, sobrado@


Revision tags: OPENBSD_5_9_BASE
# 1.99 25-Jan-2016 stsp

branches: 1.99.2;
Honour ERP protection on 2 GHz channels in 11n mode, as done for 11g.
ok millert@


# 1.98 25-Jan-2016 stsp

Don't try to interpret htprot data if the last beacon didn't contain such data.
ok mpi@ millert@


# 1.97 07-Jan-2016 stsp

Make the A-MPDU reordering buffer more resilient against APs which drop
some subframes or let the sequence number jump up by more than 1 (hard
to tell which it is). We decrease the BA inactivity timeout for quicker
recovery from stalled BA sessions, and add a new timeout which keeps track
of gaps in the subframe sequence number space due to dropped frames.
Gaps expire after 500 msec, the same value FreeBSD uses for their
implementation of this workaround. And Linux uses this trick, too.

This should fix network stalls some people have been seeing in 11n mode.

ok deraadt@


# 1.96 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.95 04-Jan-2016 stsp

While configuring ERP we need to know if we're in 11a or 11g mode so only
configure ERP once we are sure about our operation mode against the AP.
ok sthen jasper kettenis deraadt mpi


# 1.94 18-Dec-2015 sthen

unnoccupied->unoccupied


# 1.93 12-Dec-2015 stsp

Finish support for receiving 11n A-MPDUs.

The initial implementation was added by damien@ years ago.
Summary of the changes made in this commit:
- In ieee80211_input(), process A-MPDUs before duplicate detection.
- Don't forget to set ba->ba_ni in ieee80211_recv_addba_req()
so we don't crash in ieee80211_rx_ba_timeout().
- In ieee80211_recv_addba_req(), tweak the logic to deny BlockAck
requests if the driver has no callback for doing so.
- Implement ieee80211_ba_del() which cleans up BlockAck state.
- Increase the minimum and maximum lifetime for BlockAck agreements.

ok mpi@


# 1.92 24-Nov-2015 mpi

No need to include <net/if_arp.h>

This header is only needed because <netinet/if_ether.h> declares a
structure that needs it. But it turns out that <net/if.h> already
includes it as workaround.

A proper solution would be to stop declaring "struct ether_arp"
there. But no driver should need this header.


# 1.91 15-Nov-2015 stsp

Parse 11n HT capabilities and operational info from association response
frames, negotiate HT with the AP, and move the interface into or out of
11n mode accordingly. If running as AP negotiate HT with nodes joining the BSS.

ok deraadt mpi kettenis guenther


# 1.90 15-Nov-2015 stsp

Extend struct ieee80211_node with fields for 11n STA HT capabilities and
HT operational information sent by 11n APs. These fields reflect the structure
of elements in management frames so that IEEE80211_HTCAP* and IEEE80211_HTOP*
macros designed to operate on frame elements can be used directly to read
or set the fields.

Populate nodes with HT information received in probe responses, probe
requests, and association requests.

ok deraadt mpi phessler kettenis guenther


# 1.89 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


Revision tags: OPENBSD_5_8_BASE
# 1.88 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.87 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.86 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.85 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.84 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.83 12-Sep-2014 sthen

Remove cached 802.11 nodes in IEEE80211_STA_CACHE state (these are nodes
which have been seen but which haven't otherwise interacted with us), fixing
a problem where old cached nodes are seen when doing a scan.
From Marcin Piotr Pawlowski, feedback stsp@ ok kspillner@ dcoppa@


# 1.82 08-Aug-2014 jasper

use nitems() instead of various local constructs

ok stsp@


Revision tags: OPENBSD_5_6_BASE
# 1.81 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


Revision tags: OPENBSD_5_5_BASE
# 1.80 01-Dec-2013 stsp

Reset txrate array index after changing a node's rate list.
Should prevent "bogus xmit rate %d setup" panics, which I ran into again
in IBSS mode.
ok kettenis


# 1.79 21-Nov-2013 mpi

Remove unneeded include.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.78 24-Mar-2013 claudio

Make ieee80211_set_tim() available from outside of ieee80211_node.c
so drivers like acx(4) can use that function directly instead of
reimplementing the function again. Requested by kettenis@ long time ago.


Revision tags: OPENBSD_5_3_BASE
# 1.77 07-Nov-2012 stsp

Fix DPRINTF() format string treating n->ni_refcnt, which is unsigned, as signed.
diff from dhill; ok kettenis reyk


# 1.76 10-Oct-2012 kettenis

Clear the powersave flag and purge queued packets when a node leaves the AP
(either by disassociating or by timeout). Fixes (most) remaining issues with
power saving.

From Nathanael Rensen.

ok claudio@, krw@, sthen@


# 1.75 05-Oct-2012 camield

Point an interface directly to its bridgeport configuration, instead
of to the bridge itself. This is ok, since an interface can only be part
of one bridge, and the parent bridge is easy to find from the bridgeport.

This way we can get rid of a lot of list walks, improving performance
and shortening the code.

ok henning stsp sthen reyk


# 1.74 20-Sep-2012 stsp

Nuke M_80211_NODE #define which mapped to M_DEVBUF and use M_DEVBUF directly.
ok henning


# 1.73 25-Aug-2012 kettenis

Set up ni_savedq for the initial BSS node such that it can actually be used
to store multicast frames when one of the associated stations is in power
saving mode.

ok stsp@


# 1.72 17-Aug-2012 stsp

Fix possible panic while switching from STA mode into hostap/ibss modes.
ieee80211_create_ibss() resets the set of supported rates but failed
to update the index into the rate set array accordingly. If the rate
configured during STA operation didn't belong to the newly configured
rate set the system ran into an assertion ("bogus xmit rate %u setup")
while trying to create the IBSS.
ok fgsch@


Revision tags: OPENBSD_5_2_BASE
# 1.71 18-Jul-2012 stsp

Print messages about nodes purged from the node cache if hostap/ibss modes are
compiled in and the interface is in debug mode. ok sthen


# 1.70 16-Jul-2012 stsp

Move increment of ic_nnodes closer to where the node is actually inserted
into the cache. Make sure we're at IPL_NET while incrementing/decrementing
ic_nnodes. Add a debug message that warns about possible node leaks.
All of this affects hostap mode only.


# 1.69 13-Jul-2012 stsp

Tweak node cache eviction strategy when the cache is full: kick off new nodes
in AUTH state that weren't active during the cache wait interval rather than
keeping them for the entire cache timeout interval. Fixes association failures
in noisy RF environments. Tested by edd and myself with a slow soekris
suffering from RF noise with about 50 interrupts per second on ral0.
ok deraadt


Revision tags: OPENBSD_5_1_BASE
# 1.68 25-Jan-2012 stsp

There is no need to explicitly skip ic_bss when iterating over cached nodes.
The ic_bss is never put into the RB tree.


# 1.67 25-Jan-2012 stsp

Clean inactive authenticated nodes during cache timeout as well.
There is no need to keep nodes cached which never associated and were
inactive within the last 5 minutes or more. Keeps the node cache pretty
clean in my environment with typical city-center wlan noise.


# 1.66 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@


# 1.65 21-Jan-2012 stsp

Hold interrupts blocked while comparing a cached node's refcount to zero
and freeing the node. Just in case an interrupt happens to ref the node after
the refcount was checked but before the node is freed.
Tested by several as part of a larger diff.


# 1.64 18-Jan-2012 stsp

Make it possible to free cached nodes which never associated (e.g. nodes
only scanning for networks). These were never put into COLLECT state and
were thus never evicted from the node cache in hostap mode.
ok jsg@


Revision tags: OPENBSD_5_0_BASE
# 1.63 28-Mar-2011 kettenis

Clean nodes until the number of cached nodes is smaller than the maximum number
of nodes, otherwise we'll never actually clean any nodes. Fixes issues with
clients failing to attach because the node cache is completely filled.

ok damien@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.62 07-Aug-2010 krw

No "\n" needed at the end of panic() strings.

Bogus chunks pointed out by matthew@ and miod@. No cookies for
marco@ and jasper@.

ok deraadt@ miod@ matthew@ jasper@ macro@


# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


# 1.60 19-Jun-2010 damien

In ieee80211_node_leave(), clear the associd after calling
ieee80211_node_leave_rsn() since ieee80211_node_leave_rsn()
calls ic_delete_key() and drivers like ral(4) RT2860 need
a valid associd in their delete_key callbacks.
This affects HostAP mode only.

from Nathanael Rensen.

remove a useless (nested) #ifndef IEEE80211_STA_ONLY while i'm here


# 1.59 14-Jun-2010 damien

fix my previous commit, i forgot BIP, so instead of enumerating
what is not supported as a group cipher, enumerate what is supported.


# 1.58 14-Jun-2010 damien

do not try to associate with an AP using an unsupported group cipher,
otherwise we will panic in ieee80211_add_rsn_body().

this may be the cause of a panic seen by reyk@ though i'm not 100% sure.


# 1.57 28-Mar-2010 krw

Four uses of uninitialized variables found by clang via jsg@. ar5416, ar9287
and athn are only theoretically interesting. ieee80211_node fixes a real
bug in occupied channel detection.

ok damien@


Revision tags: OPENBSD_4_7_BASE
# 1.56 17-Feb-2010 damien

Do not always create a new node when a beacon or a probe response
is received. The creation of a new node is already handled in
ieee80211_recv_probe_resp() when necessary.
This avoids creating empty nodes with wrong channels when beacons
are received on the wrong channel (overlapping channels).
Those empty nodes may also prevent the real node from being
discovered because of ieee80211_find_node_for_beacon() filtering.

This should prevent entries of the form:
nwid "" chan 3 bssid 00:01:02:03:04:05 0dB 54M
in "ifconfig if0 scan" output, like reported by Rivo Nurges.


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.55 29-Jan-2009 damien

fix a panic that occurs when IEEE80211_STA_ONLY is defined (SMALL_KERNEL).

noticed by ray@, more investigation from sthen@
fix tested by sthen@


# 1.54 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.53 28-Jan-2009 damien

In ieee80211_find_node(), roll our own RB_FIND() based on the key (macaddr)
instead of resorting to horrid hacks/casts.
Restore the ieee80211_node structure back to its original state.


# 1.52 27-Jan-2009 damien

unbreak SMALL_KERNEL builds by adding missing #ifndef IEEE80211_STA_ONLY

pointed out by krw@


# 1.51 26-Jan-2009 damien

move ni_macaddr field at the top of the ieee80211_node structure.
this way we can avoid putting a full node structure (which is huge)
on the stack in ieee80211_find_node().
this is a bit tricky but the RB_FIND macro wants an "elem" structure,
not a field of "elem".


# 1.50 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.49 14-Dec-2008 damien

Add an ieee80211_notify_dtim() function that drivers should call after
every DTIM in HostAP mode.
Flushes all group addressed MSDUs buffered at the AP for power management.


# 1.48 23-Oct-2008 mk

Prevent a crash in ieee80211_setkeys() when unplugging an interface in
hostap mode by canceling the group rekey timeout in ieee80211_node_detach().

ok damien


# 1.47 15-Oct-2008 blambert

Second pass of simple timeout_add -> timeout_add_sec conversions
This should take care of the simpler ones (i.e., timeout values of
integer multiples of hz).

ok krw@, art@


# 1.46 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.45 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.44 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.43 12-Aug-2008 damien

new SHA-256 based AKMPs.


# 1.42 12-Aug-2008 damien

add/process group integrity cipher suite in RSN IEs.
add support for MFP negotiation during association.


# 1.41 12-Aug-2008 damien

the only integrity group cipher currently supported is AES-128-CMAC.


# 1.40 12-Aug-2008 damien

generate a random IGTK in HostAP mode if we're MFP-capable.


# 1.39 12-Aug-2008 damien

get rid of the map_ptk()/map_gtk() functions, just inline them
which makes things easier to track.


Revision tags: OPENBSD_4_4_BASE
# 1.38 02-Aug-2008 damien

Drop frames that are received unencrypted when WEP is on or when
WPA is on and RX protection for TA is on.
Keep track of the TX/RX protection for each node when WPA is on.

tested by djm@ (ral+wpa), ckuethe@ (ath-noenc) and krw@ (wpi<->ral+wpa).
hints from bluhm@
has been in snaps for a few days.

pointed out by bluhm@ something like 1 year ago but we did not have
the right infrastructure to fix it properly at that time.

ok deraadt@


# 1.37 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.36 27-Jul-2008 damien

s/IEEE80211_DPRINTF/DPRINTF/
automatically prepend __func__ to output.

deobfuscates debug messages a bit.
no binary change unless compiled with IEEE80211_DEBUG.


# 1.35 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.34 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


# 1.33 21-Apr-2008 damien

move ieee80211_ibss_merge() from ieee80211_input.c to ieee80211_node.c


# 1.32 21-Apr-2008 damien

move ieee80211_auth_open() to ieee80211_proto.c
move ieee80211_setup_rates() to ieee80211_node.c
move some prototypes from ieee80211_proto.h to ieee80211_crypto.h


# 1.31 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.30 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.29 07-Sep-2007 damien

use new malloc M_ZERO flag + replace MALLOC with malloc


Revision tags: OPENBSD_4_2_BASE
# 1.28 06-Jul-2007 damien

remove remaining bits for pre-RSNA shared authmode support.
it has been #if 0'd since 3.9 and we have never supported this mode (no
ifconfig option etc...).


# 1.27 06-Jul-2007 damien

initialize an uninitialized variable.


# 1.26 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.25 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.24 16-Jun-2007 damien

constify


# 1.23 16-Jun-2007 damien

don't mix u_int{8,16,32}_t and uint{8,16,32}_t
use u_int{8,16,32}_t everywhere.


# 1.22 16-Jun-2007 damien

de-static

ok jsg@


# 1.21 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.20 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


# 1.19 10-Apr-2007 miod

``it's'' -> ``its'' when the grammar gods require this change.


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 13-Nov-2006 damien

fix a possible NULL deref.


Revision tags: OPENBSD_4_0_BASE
# 1.16 19-Jun-2006 reyk

unbreak the code if compiled with IEEE80211_DEBUG by using the right
node attribute.

ok damien@, figured out by claudio@


# 1.15 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.14 19-Feb-2006 damien

Fix a comment in ieee80211_next_scan().


# 1.13 09-Oct-2005 reyk

if the wireless hostap interface belongs to a bridge, learn the node's
address dynamically on this interface after successful association.
this could speed wireless roaming to openbsd accesspoints.

ok jason@, jsg@ can't see anything objectionable


# 1.12 07-Oct-2005 reyk

minor knf


# 1.11 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.10 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.9 08-Sep-2005 jsg

Remove the last of the FreeBSD compatibility goop.
ok reyk@


# 1.8 08-Sep-2005 jsg

Remove FreeBSD if_printf compat function from net80211.
ok reyk@


# 1.7 08-Sep-2005 reyk

reset the scan state for each new mode

ok jsg@


# 1.6 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.5 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.4 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.3 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.2 02-Nov-2004 millert

Don't call memset() if MALLOC returns NULL; also fix the rcs ID.
From Patrick Latifi; OK reyk@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.184 15-Apr-2021 stsp

When starting an AP or IBSS network, reconfigure the operation mode to
11ac/n/a/g/b as applicable. Fixes an issue where hostap would end up
running in the rather meaningless MODE_AUTO unless a mode was explicitly
configured with ifconfig.

Found while investigating issues reported by trondd testing my athn RA patch.

ok deraadt@


# 1.183 10-Mar-2021 jsg

spelling

ok gnezdo@ semarie@ mpi@


Revision tags: OPENBSD_6_8_BASE
# 1.182 31-May-2020 stsp

Remove a dead assignment to ni_rsn_state in ieee80211_node_leave_rsn().

Patch by Mikolaj Kucharski


Revision tags: OPENBSD_6_7_BASE
# 1.181 05-May-2020 stsp

Purge the ic_bss->ni_savedq mbuf queue when a wireless interface goes down.

Purging this queue prevents a panic which occurs when a WPA2-enabled athn(4)
hostap interface is reconfigured while this queue contains frames.

In hostap mode, this queue contains group-addressed (broadcast) frames
which are buffered for clients sleeping in powersave state. Frames on
this queue are transmitted when it is time to send another beacon, at
which point in time sleeping clients wake up to receive such frames.

The panic message is "key unset for sw crypto", which can be explained as
follows: Group keys are cleared when the interface goes down. The beacon Tx
interrupt handler gets triggered by hardware when the interface comes back
up. This handler attempts to encrypt the queued frames for transmission,
resulting in the above panic since the group key has been zeroed out.

This panic has been observed with athn(4) by Jan Stary and Ted Patterson,
and Ted has confirmed that this patch fixes the problem.

ok kettenis@ (with the caveat that it's been a long time since he put our
AP-side powersave support into a working state)


# 1.180 08-Apr-2020 stsp

Fix ifconfig "media:" line for 11n wifi interfaces during and after bgscan.

Media was displayed as e.g. "autoselect (OFDM6)" even though 11n was active
because the current media mode is changed to AUTO for background scanning
and was never switched back to 11N.

ok mpi@ pirofti@


# 1.179 15-Jan-2020 phessler

If join is connected to an AP, remove the node from the cache so we properly
reconnect to the AP

OK stsp@


# 1.178 29-Dec-2019 stsp

If the new candidate AP found after a background scan has an RSSI level
that will also trigger background scans, remain with the current AP.
Avoids ping-pong in environments where APs are tuned for low transmit
range, such as 36c3.

ok phessler benno


# 1.177 10-Nov-2019 stsp

Stop connecting to available open wifi networks when the interface is put up.
From now on, this behaviour must be explicitly enabled with ifconfig join "".
ok sthen jcs deraadt


# 1.176 09-Nov-2019 stsp

Give access points which fail to AUTH or ASSOC less priority during
the next selection of networks from the join list. Prevents endless
attempts to connect to an AP which is out of reach but still somehow
manages to get a beacon or two across to us during scan.

Tested with wifi networks at the University of Bucharest.
Makes switching wifi networks possible after walking to a different
room without having to down/up the interface or suspend/resume.

ok phessler@


# 1.175 09-Nov-2019 stsp

Clear the unref callback function pointer when cleaning up an ieee80211_node.
ok mpi@


# 1.174 31-Oct-2019 stsp

Make background scans less frequent if we keep choosing the same AP.

This helps a bit in situations where a single AP is used and background scans
are causing packet loss, as seen with Jesper Wellin's Broadcom-based AP and my
Android phone in hotspot mode. This is not a proper fix but our background scan
frequency against a single AP was much higher than needed anyway.

Tested by jan, job, benno, Tracey Emery, Jesper Wallin


Revision tags: OPENBSD_6_6_BASE
# 1.173 02-Sep-2019 stsp

Make net80211 expose reasons for association failures to userland and have
ifconfig display them in 'scan' output and on the ieee80211 status line if
the failure is applicable to an already selected AP (e.g. wrong WPA key).

This will hopefully reduce the amount of help requests for what often
turn out to be trivial misconfiguration issues that were previously
hard to diagnose without debug mode.

ifconfig must be recompiled with the new ieee80211_ioctl.h to stay in
sync with the kernel. A full 'make build' will do the right thing!

Very helpful input by mpi@ and deraadt@


# 1.172 27-Aug-2019 stsp

Keep ieee80211_node structures cached across scans, rather than
wiping the entire cache every time a scan is triggered.

This has benefits for userland programs trying to look at scan results,
and for drivers which don't get a full view from hardware on every scan.

Nodes will still be evicted from the cache in one of several ways:

Add a new way of timing out inactive nodes which don't send a beacon
within 10 scan iterations, for client mode only. This should get rid
of stale APs if we're scanning for some time in a changing environment.

If we fail to associate a few times, the corresponding node is removed.

If net80211 transitions back to INIT state (e.g. because of a
user-initiated configuration change) all nodes are removed.

When a background scan starts all nodes will be removed. This could be
revisited later but has been intentionally left as-is for now.

Tested by myself, jmc@, benno@, procter@ on iwm(4), athn(4) and ral(4).


# 1.171 26-Aug-2019 stsp

remove redundant assignment to ic_curmode

This assignment to ic_curmode is redundant because it already occurs
inside ieee80211_setmode(), and channel information in selbs and ni
is equivalent after node_copy().

ok mpi@ kevlo@


# 1.170 29-Jul-2019 stsp

Add support for 802.11n Tx aggregation to net80211 and the iwn(4) driver.

In particular, add Tx block ack session management to net80211, with
enough functionality to support Tx aggregation on devices which perform
A-MPDU subframe scheduling in firmware.
Make use of the iwn(4) firmware Tx scheduler to build A-MPDUs.

net80211's QoS support code is now enabled and used by Tx aggregation.

A-MSDU frames inside A-MPDUs have been tested and work in principle.
For now, this feature is disabled because unfair TCP connection sharing
was observed during testing, where bursts of TCP Ack frames for a single
tcpbench(1) connection arriving in A-MSDUs made other TCP connections stall.
Switch off support for A-MSDUs inside A-MPDUs on the Rx side as well.

Tested on iwn chipsets 1000, 4965, 5100, 5300, 2200, 6200, 6205, 6300
(committed version of tested diff has all debug printfs removed)
tests/ok benno kmos mlarkin kevlo


# 1.169 23-Jul-2019 stsp

In 11n hostap mode, properly disable HT protection when needed
by actually overwriting the relevant bits in ni_htop1.
ok tedu@ phessler@ kettenis@


# 1.168 10-Jun-2019 stsp

Revised version of 'ifconfig mode' command fix.

The 'mode' command is supposed to force a wireless interface into 11a/b/g/n
media mode. This stopped working some time ago, probably during my work on
background scanning. Problem spotted by mlarkin@ who noticed that interfaces
were using 11g mode while forced to 11b mode.

ok phessler, jmatthew (earlier version)
relentless testing by krw@


# 1.167 31-May-2019 stsp

Revert my "Repair the 'ifconfig mode' command" commit.

The "recursion in end_scan()" problem is apparently still present in
the committed version of the diff (reported by krw@).


# 1.166 29-May-2019 stsp

Repair the 'ifconfig mode' command.

The 'mode' command is supposed to force a wireless interface into 11a/b/g/n
media mode. This stopped working some time ago, probably during my work on
background scanning. Problem spotted by mlarkin@ who noticed that interfaces
were using 11g mode while forced to 11b mode.

ok phessler, jmatthew


# 1.165 11-May-2019 stsp

Show driver name on net80211 scan debug lines.
ok mpi@


# 1.164 28-Apr-2019 mpi

Removes the KERNEL_LOCK() from bridge(4)'s output fast-path.

This redefines the ifp <-> bridge relationship. No lock can be
currently used across the multiples contexts where the bridge has
tentacles to protect a pointer, use an interface index.

Tested by various, ok dlg@, visa@


Revision tags: OPENBSD_6_5_BASE
# 1.163 15-Mar-2019 phessler

fix autojoin for WEP network by actually saving the WEP auth key

discovered while attempting to autojoin WEP networks


# 1.162 01-Mar-2019 stsp

Improve handling of HT protection for 'mode 11n' hostap.

Consider the mere presence of HTCAP IEs as indicator of 11n support,
rather than checking advertised Rx MCS. Fixes some devices being
misclassified as 11a/g, causing HT protection to be enabled even
though it is not needed.

Use CTS-to-self frames for HT protection instead of RTS/CTS.

These changes make my athn(4) AR9280 hostap perform much better.

ok phessler@


# 1.161 23-Jan-2019 stsp

Move 802.11n rateset definitions out of MiRA and make them available to
net80211 and drivers in general. Add ratesets for 'short guard interval'
(SGI) rates, and add SGI support to MiRA. SGI is currently only used by
iwm(4), and of course internally by bwfm(4) firmware.
Ratesets for 11n 40 MHz channels and 11ac will come later.
ok mpi@ phessler@


# 1.160 18-Jan-2019 phessler

add a len field when we delete an essid from the joinlist. this will have
us properly match, instead of hoping we got lucky when selecting it.

OK stsp@


# 1.159 18-Jan-2019 phessler

let users automatically use join to connect to any open wifi network.
if a known network is visible, always prefer that instead.

requested by many, OK stsp@


# 1.158 25-Nov-2018 phessler

print more details about the join'd networks we have saved when a user runs
ifconfig if joinlist

OK stsp@


# 1.157 20-Nov-2018 phessler

fix whitespace in debugging function


# 1.156 20-Nov-2018 patrick

The first packet received from each AP in each QoS class would be
dropped as the sequence number matches the initial value of the
cached last sequence number (zero). On some APs (notably Android
WIFI hotspots) this hits the first packet of the WPA2 4-way
handshake. This causes connection delays and in some cases
connection to the AP fails completely. Initialize the cached last
sequence numbers for received packets to an invalid value instead.

From Christian Ehrhardt
ok gerhard@ stsp@


# 1.155 27-Oct-2018 phessler

pass around the ess and ni structures we plan to use directly, instead
of rediscovering them (possibly badly).

OK stsp@


# 1.154 27-Oct-2018 phessler

clean up accounting of the AUTO_JOIN flag by making sure it is set or cleared
based on the state of the joinlist

OK stsp@


# 1.153 27-Oct-2018 phessler

don't join to a network where we expect cleartext, and the AP is using crypto

OK stsp@


Revision tags: OPENBSD_6_4_BASE
# 1.152 18-Sep-2018 mestre

fix memory leak in ieee80211_end_scan()

OK phessler@ jsg@


# 1.151 17-Sep-2018 jsg

fix memory leaks in ieee80211_add_ess()
ok stsp@ phessler@


# 1.150 11-Sep-2018 phessler

use the format string for signed ints, for signed ints

reminded by stsp@


# 1.149 11-Sep-2018 phessler

With the interface debug flag enabled, print a "score" for each AP we
consider during auto-join. This can help users determine why a specific
network was chosen.

OK stsp@


# 1.148 10-Sep-2018 phessler

fix typo in the length of the essid we want to switch to

found with and OK stsp@


# 1.147 10-Sep-2018 phessler

extract clearing WEP/WPA in ess into helper functions


# 1.146 10-Sep-2018 phessler

give set_ess a len variable, so we can correctly match the essid we want
to switch to.

pointed out by stsp@


# 1.145 09-Sep-2018 phessler

convert the things we save in 'join' into a single ioctl. mixing related
settings over multiple calls was risky and racy. Pass essid, wpa, and wep
parameters in a single ioctl and process it atomically.

no change for 'nwid' users

OK stsp@ benno@


# 1.144 06-Sep-2018 jsg

fix whitespace


# 1.143 01-Sep-2018 stsp

Make 'ifconfig nwid' override 'ifconfig join'.

There was no way to override a decision made by join's network
selection algorithm (apart from disabling the feature by clearing
the join list). Automatic selection is based on heuristics which
cannot always guess correctly so we need to provide an override.

One specific problem was that if 'nwid foo' and 'nwid bar' were
both visible in the scan and only 'nwid foo' was a member of the
join list, then there was no way at all to connect to 'nwid bar'.
The wireless stack would keep selecting 'nwid foo' instead.

'ifconfig iwm0 nwid bar' command will now disable automatic
network selection and force the use of ESSID 'bar'.
Any of these commands will re-enable automatic network selection:
ifconfig iwm0 -nwid
ifconfig iwm0 nwid ''
ifconfig iwm0 join some-network-id

ok phessler@ deraadt@


# 1.142 15-Aug-2018 stsp

Update AP selection heuristics for auto-join.

We now prefer stronger crypto over weaker crypto over none, prefer 5 GHz
band with reasonable RSSI, and use RSSI as a tie-breaker with a slight
advantage for 5GHz. Candidate APs are now ranked by a score which is
calculated based on these attributes.

There is likely room for improvements to make these heuristics
work well across many different environments, but it's a start.

ok phessler@


# 1.141 13-Aug-2018 stsp

Add support for band-steering access points to net80211.

Some access points have a feature called "band steering" where they
will try to push clients from 2 GHz channels to 5 GHz channels.
If a client sends probe-requests on both 2 GHz and 5GHz channels, and
then attempts to authenticate on a 2 GHz channel, such APs will deny
authentication and hope that the client will come back on a 5 GHz channel.

So if we fail to AUTH for any reason, and if there is a different
AP with the same ESSID that we haven't tried yet, try that AP next.
Keep trying until no APs are left, and only then continue scanning.

APs with support for this feature were provided by Mischa Peters.

ok phessler@ mpi@


# 1.140 11-Aug-2018 stsp

Add comment explaining why we read basic MCS set only from beacon/probereq.
requested by mpi@


# 1.139 07-Aug-2018 stsp

Ignore basic MCS set information found in association responses.

Some APs (Aruba 105) send a bogus basic MCS set in assoc responses
which prevents us from enabling 11n support with those APs, while
these APs still behave as if we were an 11n client which renders
the association unusable.

The basic MCS set is already provided in beacons anyway, and the
802.11 2012 standard says the basic MCS set is reserved in frames
other than beacons (see Table 8-130).

ok mpi@


# 1.138 06-Aug-2018 stsp

Refactor ieee80211_add_ess():

Drop ieee80211_add_ess's nwid parameter. Read nwid and length directly
from the ic to make it more obvious where this function is reading from.

nwids are binary data with an explicit length, so treat them as such
instead of treating them like strings.

ok florian phessler


# 1.137 06-Aug-2018 florian

Do not set nwid over and over again. We just found the ess by comparing
the nwid. It will not have changed in the meantime.
OK stsp


# 1.136 03-Aug-2018 phessler

revert 1.133 and part of 1.131
the stack doesn't always fill in the parameters correctly

reported by many


# 1.135 30-Jul-2018 stsp

Don't ask drivers to join a wifi network before an AP has been chosen.
Should fix a panic with bwfm(4) reported by mlarkin@
ok phessler@


# 1.134 19-Jul-2018 florian

ieee80211_ess_is_better() returns 0 or 1, comparing > 1 is always
false so we always selected the first wifi available, not the best
one.

While here shuffle some deck chairs to make it clearer that anything is
better than nothing.

tweak & OK phessler
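
Added example (not OpenBSD code) tying together the selection messages 1.142, 1.141 and 1.134 above: a score-based ranking that prefers stronger crypto, then a usable 5 GHz BSS, then RSSI as tie-breaker with a slight 5 GHz edge; a boolean "is better" comparator that has to be tested with != 0 rather than > 1; and the band-steering fallback that marks a failed AP as tried and re-selects until no candidate is left. The weights, the percentage RSSI scale, the 50% threshold, the candidate limit of 32 and the sample scan are assumptions made for this example, not net80211's actual formula.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Illustrative score-based AP selection with an "already tried" set.
 * Added example, not net80211's code: weights, the percentage RSSI scale
 * and the "reasonable RSSI" threshold are assumptions.
 */
enum ap_crypto { CRYPTO_NONE = 0, CRYPTO_WEP = 1, CRYPTO_WPA1 = 2, CRYPTO_WPA2 = 3 };

struct ap_candidate {
	const char *name;      /* label only */
	enum ap_crypto crypto;
	int is_5ghz;
	int rssi_pct;          /* 0..100, assumed percentage-of-max RSSI */
};

#define RSSI_5GHZ_GOOD 50  /* assumed "reasonable RSSI" threshold */

/* Stronger crypto dominates, then usable 5 GHz, then RSSI as tie-breaker. */
static int
ap_score(const struct ap_candidate *ap)
{
	int score = ap->crypto * 1000;

	if (ap->is_5ghz && ap->rssi_pct >= RSSI_5GHZ_GOOD)
		score += 200;
	score += ap->rssi_pct;
	if (ap->is_5ghz)
		score += 5;    /* slight 5 GHz advantage on otherwise equal RSSI */
	return score;
}

/* Boolean: 1 if a beats b, else 0.  Callers must test it with != 0, never > 1. */
static int
ap_is_better(const struct ap_candidate *a, const struct ap_candidate *b)
{
	return ap_score(a) > ap_score(b);
}

/* Best candidate whose bit in 'tried' is clear; -1 when every AP was tried. */
static int
ap_select(const struct ap_candidate *aps, int n, uint32_t tried)
{
	int best = -1, i;

	for (i = 0; i < n && i < 32; i++) {
		if (tried & (1u << i))
			continue;
		/* "> 1" here would never be true and the first AP would always win (1.134). */
		if (best < 0 || ap_is_better(&aps[i], &aps[best]))
			best = i;
	}
	return best;
}

/* Band-steering fallback (1.141): after an AUTH failure mark the AP tried and pick another. */
static int
ap_next_after_auth_failure(const struct ap_candidate *aps, int n, uint32_t *tried, int failed)
{
	*tried |= 1u << failed;
	return ap_select(aps, n, *tried);
}

/* Constructed sample scan result; every value is made up for this example. */
const struct ap_candidate sample_aps[] = {
	{ "open-2g",      CRYPTO_NONE, 0, 90 },
	{ "wpa2-2g",      CRYPTO_WPA2, 0, 80 },
	{ "wpa2-5g",      CRYPTO_WPA2, 1, 60 },
	{ "wpa2-5g-weak", CRYPTO_WPA2, 1, 20 },
	{ "wpa1-5g",      CRYPTO_WPA1, 1, 95 },
};
#define N_SAMPLE_APS 5

/* Walks the fallback chain; returns how many distinct APs get tried before giving up. */
int
sample_fallback_chain_length(void)
{
	uint32_t tried = 0;
	int idx = ap_select(sample_aps, N_SAMPLE_APS, tried), count = 0;

	while (idx >= 0) {
		count++;
		idx = ap_next_after_auth_failure(sample_aps, N_SAMPLE_APS, &tried, idx);
	}
	return count;
}

int
main(void)
{
	uint32_t tried = 0;
	int idx = ap_select(sample_aps, N_SAMPLE_APS, tried);

	while (idx >= 0) {
		printf("trying %s (score %d)\n", sample_aps[idx].name, ap_score(&sample_aps[idx]));
		idx = ap_next_after_auth_failure(sample_aps, N_SAMPLE_APS, &tried, idx);
	}
	return 0;
}
```

With the sample scan the order tried is wpa2-5g, wpa2-2g, wpa2-5g-weak, wpa1-5g, open-2g: crypto strength wins over signal, and the open network with the best RSSI is only reached once every protected AP has refused authentication.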


# 1.133 16-Jul-2018 phessler

the AP sends their crypto parameters as a mask, so let us still select it
in case we want WPA2 and they have WPA1 still enabled


# 1.132 16-Jul-2018 phessler

don't save or use auto-join when the card is not in station (aka client) mode

OK stsp@


# 1.131 13-Jul-2018 phessler

Some more checks before auto-join switches networks.

Make sure all of the crypto options the AP announces matches what we
would configure. While here, don't switch if the user has specified
a specific BSSID, and the new AP does not match.

OK stsp@


# 1.130 11-Jul-2018 phessler

Introduce 'auto-join' to the wifi 802.11 stack.

This allows a system to remember which ESSIDs it wants to connect to, any
relevant security configuration, and switch to it when the network we are
currently connected to is no longer available.

Works when connecting and switching between WPA2/WPA1/WEP/clear encryptions.

example hostname.if:
join home wpakey password
join work wpakey mekmitasdigoat
join open-lounge
join cafe wpakey cafe2018
join "wepnetwork" nwkey "12345"
dhcp
inet6 autoconf
up

OK stsp@ reyk@
and enthusiasm from every hackroom I've been in for the last 3 years


# 1.129 28-Apr-2018 stsp

When starting a background scan, free the nodes table to ensure we
get an up-to-date view of APs around us. In particular, we need to
kick out the AP we are associated to. Otherwise, our current AP might
stay cached if it is turned off while we are scanning, and we could
end up picking a now non-existent but "good looking" AP over and over.

found with and ok phessler@


# 1.128 27-Apr-2018 stsp

Fix the scan loop: We were only looking for an AP once and stopped
scanning if none was found.
Accidentally broken in recent ifconfig scan changes by pirofti and me.
ok pirofti


# 1.127 26-Apr-2018 pirofti

net80211: stub SIOCS80211SCAN, make ifconfig scan instant.

The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stsp@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.

The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.

In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.

The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...

Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.

Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).

Tested by mpi@, landry@, florian@, thanks!
OK mpi@.


Revision tags: OPENBSD_6_3_BASE
# 1.126 06-Feb-2018 phessler

convert the test if a node support HT (aka, 11n) into an inline function,
instead of testing some un-obvious bitfield

OK stsp@


# 1.125 12-Dec-2017 stsp

Don't dereference IEEE80211_CHAN_ANYC pointer in ieee80211_node_checkrssi().

Problem reported by Gregoire Jadi on bugs@


# 1.124 12-Dec-2017 phessler

Allow interfaces that aren't SCANNALLBAND drivers to benefit from the
strongest received signal.

OK stsp@


# 1.123 12-Dec-2017 jcs

Fix the behavior of preferring weaker-but-still-good 5GHz APs over
2GHz APs because the 5GHz band is generally less saturated.

The previous implementation was dependent upon the order of walking
APs.

ok stsp


# 1.122 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


Revision tags: OPENBSD_6_2_BASE
# 1.121 05-Sep-2017 stsp

When starting a new scan always set the mode to AUTO if the driver scans
all bands at once. Fixes a problem where e.g. 5GHz APs were filtered out
if we were previously associated to an 11g-only AP.
ok mpi@ phessler@


# 1.120 17-Aug-2017 stsp

Add an entry to dmesg if pairwise WPA keys arrive unexpectedly or if WPA
group keys are being reused. OpenBSD wireless clients will now leave a
trail of such events in their message log.

There has been increased public scrutiny of WPA's security recently, so
I am curious to see if anyone is attempting replay attacks in the wild.

ok deraadt


# 1.119 04-Aug-2017 stsp

Compile a debug printf in ieee80211_match_bss() by default, previously
guarded by the IEEE80211_DEBUG preprocessor flag. This shows one line
per detected AP after a scan, and indicates which APs are considered
candidates for association.
Shorten the output a bit to fit into 80 columns more likely.
ok sthen@


# 1.118 19-Jul-2017 stsp

Improve the heuristic which selects 5GHz APs over 2GHz APs.

The previous code wasn't quite right: it didn't account for the fact that
some drivers don't set ic_max_rssi, and it compared 5GHz APs to a threshold
relative to the max RSSI, rather than comparing RSSI on 5GHz relative to
RSSI on 2GHz.

This heuristic is only used by SCANNALLBAND drivers: iwn(4), iwm(4), wpi(4)

In the future the AP selection heuristic should be made more intelligent,
e.g. it should take BSS load information in beacons into account.
Another open problem is inconsistent representation of RSSI measurement
values throughout our drivers and stack. Help is welcome!

For now, this hopefully improves AP selection at busy airports.

ok sthen@ deraadt@


# 1.117 04-Jun-2017 tb

Add sizes for free for the RSN IEs. Rewrite ieee80211_save_ie() slightly
to make it more readable.

help, many explanations and ok stsp


# 1.116 03-Jun-2017 tb

Add a few sizes to free().

Input, help & ok stsp


Revision tags: OPENBSD_6_1_BASE
# 1.115 04-Mar-2017 stsp

branches: 1.115.4;
In 11n hostap mode, dynamically adjust HT protection settings based on
the presence of non-HT nodes in the node cache.
OpenBSD 11n APs will now disable HT protection if it is not necessary.
ok mpi@


# 1.114 03-Feb-2017 stsp

Fix 11b clients sending bogus ratesets in association requests. The common
rateset with the AP is calculated only after the association response was
received, which is too late. Fix rates when an AP is selected after a scan.
ok mpi@ tb@


# 1.113 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.112 16-Jan-2017 stsp

Reset block ack state and cancel related timeouts when a HT node disassociates.
The existing code (from damien@) already took care of freeing related buffers
but because block ack state was not reset we were still trying to use these
buffers if the node sent another A-MPDU. This problem only affects 11n hostap.
Fixes kernel crash reported by Timo Myyra on bugs@


# 1.111 09-Jan-2017 stsp

When a HT node leaves or reassociates as a non-HT node,
clear HT capabilities stored in its node cache object.

A node may switch from 11n mode to 11a/b/g mode.
If we don't clear HT capabilities from the cache the node will
be mistaken as 11n-capable after reassociation.

ok phessler@ mpi@


# 1.110 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.109 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.108 09-Jan-2017 stsp

The point of ieee80211_node_leave() is to place the node in COLLECT state.
Return early and do nothing if the node is already in COLLECT state upon
entry to this function.


# 1.107 09-Jan-2017 stsp

When acting as hostap, negotiate HT before calling the driver's ic_newassoc()
function, not afterwards. Drivers now know whether a joining node supports HT
which helps with setting up state such as which Tx rate to use.


# 1.106 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@
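
Added example (not OpenBSD code) of the time-bounded countermeasure window the 1.106 message describes: after a TKIP MIC failure the AP refuses TKIP for 60 seconds plus a random extra, 120 seconds at most, and re-enables itself when the window ends instead of staying off until reboot. The random value is passed in as a parameter so the example is deterministic; the struct, function names and the constructed timeline are assumptions for this example.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Time-bounded TKIP countermeasure window.  Added example, not net80211's
 * code; the random value is injected so the behaviour is deterministic.
 */
#define TKIP_CM_BASE_SECS   60
#define TKIP_CM_EXTRA_SECS  60   /* base + extra never exceeds 120 */

struct tkip_cm {
	uint32_t until;   /* absolute second at which countermeasures end; 0 = inactive */
};

/* Duration for one countermeasure period, always in [60, 120]. */
static uint32_t
tkip_cm_duration(uint32_t rnd)
{
	return TKIP_CM_BASE_SECS + rnd % (TKIP_CM_EXTRA_SECS + 1);
}

/* Called by the AP on a TKIP MIC failure; returns the window length chosen. */
static uint32_t
tkip_cm_start(struct tkip_cm *cm, uint32_t now, uint32_t rnd)
{
	uint32_t dur = tkip_cm_duration(rnd);

	cm->until = now + dur;
	return dur;
}

/*
 * AP side: may TKIP traffic and new TKIP associations be accepted at 'now'?
 * The window clears itself once it expires; the old code had no such exit.
 * The signed difference tolerates a wrapped 32-bit clock.
 */
static int
tkip_cm_allowed(struct tkip_cm *cm, uint32_t now)
{
	if (cm->until == 0)
		return 1;
	if ((int32_t)(now - cm->until) >= 0) {
		cm->until = 0;
		return 1;
	}
	return 0;
}

/* Constructed timeline: MIC failure at t=1000 with rnd=7 gives a 67 s window. */
int
tkip_cm_demo(void)
{
	struct tkip_cm cm = { 0 };

	if (!tkip_cm_allowed(&cm, 1000))
		return 0;
	if (tkip_cm_start(&cm, 1000, 7) != 67)
		return 0;
	if (tkip_cm_allowed(&cm, 1000) || tkip_cm_allowed(&cm, 1066))
		return 0;          /* still blocked inside the window */
	if (!tkip_cm_allowed(&cm, 1067))
		return 0;          /* re-enabled exactly when the window ends */
	return cm.until == 0;  /* state cleared, no reboot needed */
}

int
main(void)
{
	printf("tkip countermeasure demo: %s\n", tkip_cm_demo() ? "ok" : "FAILED");
	return 0;
}
```

The point of bounding the window is that a single forged MIC failure must cost at most two minutes of TKIP service, not a reboot; an attacker who can provoke MIC failures otherwise has a permanent denial of service.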


# 1.105 15-Sep-2016 dlg

move from RB macros to the RBT functions.

shaves about 5k off an amd64 GENERIC.MP kernel


# 1.104 17-Aug-2016 stsp

If a wireless device or driver scans all bands at once give 5GHz APs
a slight priority in cases where good matches exist in either band.
ok sthen@


Revision tags: OPENBSD_6_0_BASE
# 1.103 21-May-2016 stsp

branches: 1.103.2;
Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


# 1.102 18-May-2016 stsp

In hostap mode, don't re-use association IDs (AIDs) of nodes which are
still lingering in the node cache. This could cause an AID to be assigned
twice, once to a newly associated node and once to a different node in
COLLECT cache state (i.e. marked for future eviction from the node cache).

Drivers (e.g. rt2860) may use AIDs to keep track of nodes in firmware
tables and get confused when AIDs aren't unique across the node cache.
The symptom observed with rt2860 were nodes stuck at 1 Mbps Tx rate since
the duplicate AID made the driver perform Tx rate (AMRR) accounting on
the wrong node object.

To find out if a node is associated we now check the node's cache state,
rather than comparing the node's AID against zero. An AID is assigned when
a node associates and it lasts until the node is eventually purged from the
node cache (previously, the AID was made available for re-use when the node
was placed in COLLECT state). There is no need to be stingy with AIDs since
the number of possible AIDs exceeds the maximum number of nodes in the cache.

Problem found by Nathanael Rensen.
Fix written by Nathanael and myself. Tested by Nathanael.
Committing now to get this change tested across as many drivers as possible.
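
Added example (not OpenBSD code) of the AID rule from the 1.102 message: an AID stays bound to a node until the node is purged from the cache, so a node in COLLECT state still blocks its AID, and "is this node associated" is answered from the cache state rather than from associd != 0. The cache size, the AID range and the scenario are assumptions for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * AID uniqueness across the whole node cache, COLLECT nodes included.
 * Added example, not net80211's code; cache size and AID range are made up.
 */
enum node_state { STATE_CACHE, STATE_AUTH, STATE_ASSOC, STATE_COLLECT };

struct cached_node {
	enum node_state state;
	uint16_t associd;   /* 0 = never assigned */
};

#define CACHE_SLOTS 4
#define AID_MAX     (2 * CACHE_SLOTS)   /* AID space larger than the cache: no reuse pressure */

/* Cache state decides; a COLLECT node still carries a nonzero associd. */
static int
node_is_associated(const struct cached_node *ni)
{
	return ni->state == STATE_ASSOC;
}

static int
aid_in_use(const struct cached_node *cache, int n, uint16_t aid)
{
	int i;

	for (i = 0; i < n; i++)
		if (cache[i].associd == aid)
			return 1;
	return 0;
}

/* Lowest AID not held by any node in the cache, including COLLECT nodes; 0 if exhausted. */
static uint16_t
aid_alloc(const struct cached_node *cache, int n)
{
	uint16_t aid;

	for (aid = 1; aid <= AID_MAX; aid++)
		if (!aid_in_use(cache, n, aid))
			return aid;
	return 0;
}

static uint16_t
node_associate(struct cached_node *cache, int n, int idx)
{
	uint16_t aid = aid_alloc(cache, n);

	if (aid == 0)
		return 0;
	cache[idx].associd = aid;
	cache[idx].state = STATE_ASSOC;
	return aid;
}

/* Disassociation: mark for eviction but keep the AID (the old code released it here). */
static void
node_leave(struct cached_node *ni)
{
	ni->state = STATE_COLLECT;
}

/* Eviction from the cache: only now does the AID become free again. */
static void
node_purge(struct cached_node *ni)
{
	ni->state = STATE_CACHE;
	ni->associd = 0;
}

/* Constructed scenario; returns 1 when no two cached nodes ever share an AID. */
int
aid_demo(void)
{
	struct cached_node cache[CACHE_SLOTS];
	uint16_t a, b, c;

	memset(cache, 0, sizeof cache);
	a = node_associate(cache, CACHE_SLOTS, 0);   /* AID 1 */
	node_leave(&cache[0]);                       /* COLLECT, still holds AID 1 */
	b = node_associate(cache, CACHE_SLOTS, 1);   /* must get AID 2, not 1 */
	if (a != 1 || b != 2 || node_is_associated(&cache[0]))
		return 0;
	node_purge(&cache[0]);                       /* AID 1 released only here */
	c = node_associate(cache, CACHE_SLOTS, 2);
	return c == 1 && node_is_associated(&cache[2]);
}

int
main(void)
{
	printf("aid demo: %s\n", aid_demo() ? "ok" : "FAILED");
	return 0;
}
```

A driver that indexes a firmware station table by AID (the rt2860 case in the message) sees exactly one node per AID at any time with this rule, because the COLLECT node and the new node can never be handed the same number.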


# 1.101 12-Apr-2016 mpi

Call if_enqueue() and if_start() instead of dereferencing the ifp
pointers.

These functions have been introduced to abstract some of the MP-
safeness^Wmadness and should be used everywhere.

Prodded by a comment from jsg@.

ok mikeb@, stsp@


# 1.100 03-Mar-2016 gerhard

Restore assignment of ic_curmode that was accidentally removed when
moving the ERP code to post-assoc phase. Fixes iwi(4) fatal firmware
errors.

ok stsp@, sobrado@


Revision tags: OPENBSD_5_9_BASE
# 1.99 25-Jan-2016 stsp

branches: 1.99.2;
Honour ERP protection on 2 GHz channels in 11n mode, as done for 11g.
ok millert@


# 1.98 25-Jan-2016 stsp

Don't try to interpret htprot data if the last beacon didn't contain such data.
ok mpi@ millert@


# 1.97 07-Jan-2016 stsp

Make the A-MPDU reordering buffer more resilient against APs which drop
some subframes or let the sequence number jump up by more than 1 (hard
to tell which it is). We decrease the BA inactivity timeout for quicker
recovery from stalled BA sessions, and add a new timeout which keeps track
of gaps in the subframe sequence number space due to dropped frames.
Gaps expire after 500 msec, the same value FreeBSD uses for their
implementation of this workaround. And Linux uses this trick, too.

This should fix network stalls some people have been seeing in 11n mode.

ok deraadt@


# 1.96 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.95 04-Jan-2016 stsp

While configuring ERP we need to know if we're in 11a or 11g mode so only
configure ERP once we are sure about our operation mode against the AP.
ok sthen jasper kettenis deraadt mpi


# 1.94 18-Dec-2015 sthen

unnoccupied->unoccupied


# 1.93 12-Dec-2015 stsp

Finish support for receiving 11n A-MPDUs.

The initial implementation was added by damien@ years ago.
Summary of the changes made in this commit:
- In ieee80211_input(), process A-MPDUs before duplicate detection.
- Don't forget to set ba->ba_ni in ieee80211_recv_addba_req()
so we don't crash in ieee80211_rx_ba_timeout().
- In ieee80211_recv_addba_req(), tweak the logic to deny BlockAck
requests if the driver has no callback for doing so.
- Implement ieee80211_ba_del() which cleans up BlockAck state.
- Increase the minimum and maximum lifetime for BlockAck agreements.

ok mpi@


# 1.92 24-Nov-2015 mpi

No need to include <net/if_arp.h>

This header is only needed because <netinet/if_ether.h> declares a
structure that needs it. But it turns out that <net/if.h> already
includes it as a workaround.

A proper solution would be to stop declaring "struct ether_arp"
there. But no driver should need this header.


# 1.91 15-Nov-2015 stsp

Parse 11n HT capabilities and operational info from association response
frames, negotiate HT with the AP, and move the interface into or out of
11n mode accordingly. If running as AP negotiate HT with nodes joining the BSS.

ok deraadt mpi kettenis guenther


# 1.90 15-Nov-2015 stsp

Extend struct ieee80211_node with fields for 11n STA HT capabilities and
HT operational information sent by 11n APs. These fields reflect the structure
of elements in management frames so that IEEE80211_HTCAP* and IEEE80211_HTOP*
macros designed to operate on frame elements can be used directly to read
or set the fields.

Populate nodes with HT information received in probe responses, probe
requests, and association requests.

ok deraadt mpi phessler kettenis guenther


# 1.89 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


Revision tags: OPENBSD_5_8_BASE
# 1.88 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.87 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.86 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.85 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.84 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.83 12-Sep-2014 sthen

Remove cached 802.11 nodes in IEEE80211_STA_CACHE state (these are nodes
which have been seen but which haven't otherwise interacted with us), fixing
a problem where old cached nodes are seen when doing a scan.
From Marcin Piotr Pawlowski, feedback stsp@ ok kspillner@ dcoppa@


# 1.82 08-Aug-2014 jasper

use nitems() instead of various local constructs

ok stsp@


Revision tags: OPENBSD_5_6_BASE
# 1.81 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


Revision tags: OPENBSD_5_5_BASE
# 1.80 01-Dec-2013 stsp

Reset txrate array index after changing a node's rate list.
Should prevent "bogus xmit rate %d setup" panics, which I ran into again
in IBSS mode.
ok kettenis


# 1.79 21-Nov-2013 mpi

Remove unneeded include.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.78 24-Mar-2013 claudio

Make ieee80211_set_tim() available from outside of ieee80211_node.c
so drivers like acx(4) can use that function directly instead of
reimplementing the function again. Requested by kettenis@ a long time ago.


Revision tags: OPENBSD_5_3_BASE
# 1.77 07-Nov-2012 stsp

Fix DPRINTF() format string treating n->ni_refcnt, which is unsigned, as signed.
diff from dhill; ok kettenis reyk


# 1.76 10-Oct-2012 kettenis

Clear the powersave flag and purge queued packets when a node leaves the AP
(either by disassociating or by timeout). Fixes (most) remaining issues with
power saving.

From Nathanael Rensen.

ok claudio@, krw@, sthen@


# 1.75 05-Oct-2012 camield

Point an interface directly to its bridgeport configuration, instead
of to the bridge itself. This is ok, since an interface can only be part
of one bridge, and the parent bridge is easy to find from the bridgeport.

This way we can get rid of a lot of list walks, improving performance
and shortening the code.

ok henning stsp sthen reyk


# 1.74 20-Sep-2012 stsp

Nuke M_80211_NODE #define which mapped to M_DEVBUF and use M_DEVBUF directly.
ok henning


# 1.73 25-Aug-2012 kettenis

Set up ni_savedq for the initial BSS node such that it can actually be used
to store multicast frames when one of the associated stations is in power
saving mode.

ok stsp@


# 1.72 17-Aug-2012 stsp

Fix possible panic while switching from STA mode into hostap/ibss modes.
ieee80211_create_ibss() resets the set of supported rates but failed
to update the index into the rate set array accordingly. If the rate
configured during STA operation didn't belong to the newly configured
rate set the system ran into an assertion ("bogus xmit rate %u setup")
while trying to create the IBSS.
ok fgsch@


Revision tags: OPENBSD_5_2_BASE
# 1.71 18-Jul-2012 stsp

Print messages about nodes purged from the node cache if hostap/ibss modes are
compiled in and the interface is in debug mode. ok sthen


# 1.70 16-Jul-2012 stsp

Move increment of ic_nnodes closer to where the node is actually inserted
into the cache. Make sure we're at IPL_NET while incrementing/decrementing
ic_nnodes. Add a debug message that warns about possible node leaks.
All of this affects hostap mode only.


# 1.69 13-Jul-2012 stsp

Tweak node cache eviction strategy when the cache is full: kick off new nodes
in AUTH state that weren't active during the cache wait interval rather than
keeping them for the entire cache timeout interval. Fixes association failures
in noisy RF environments. Tested by edd and myself with a slow soekris
suffering from RF noise with about 50 interrupts per second on ral0.
ok deraadt


Revision tags: OPENBSD_5_1_BASE
# 1.68 25-Jan-2012 stsp

There is no need to explicitly skip ic_bss when iterating over cached nodes.
The ic_bss is never put into the RB tree.


# 1.67 25-Jan-2012 stsp

Clean inactive authenticated nodes during cache timeout as well.
There is no need to keep nodes cached which never associated and were
inactive within the last 5 minutes or more. Keeps the node cache pretty
clean in my environment with typical city-center wlan noise.


# 1.66 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@


# 1.65 21-Jan-2012 stsp

Hold interrupts blocked while comparing a cached node's refcount to zero
and freeing the node. Just in case an interrupt happens to ref the node after
the refcount was checked but before the node is freed.
Tested by several as part of a larger diff.


# 1.64 18-Jan-2012 stsp

Make it possible to free cached nodes which never associated (e.g. nodes
only scanning for networks). These were never put into COLLECT state and
were thus never evicted from the node cache in hostap mode.
ok jsg@


Revision tags: OPENBSD_5_0_BASE
# 1.63 28-Mar-2011 kettenis

Clean nodes until the number of cached nodes is smaller than the maximum number
of nodes, otherwise we'll never actually clean any nodes. Fixes issues with
clients failing to attach because the node cache is completely filled.

ok damien@
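
Added example (not OpenBSD code) of the full-cache eviction policy spelled out in the messages for 1.63, 1.64, 1.66 and 1.69 above: a node counts as inactive after 5 minutes without a frame; when the cache is full, eviction continues until the count is below the maximum (the 1.63 fix), taking a plain cached node (active or not) or an inactive authenticated or associated node, least recently active first, and never an active station. The cache size, the time base and the scenario are assumptions for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hostap node-cache eviction when the cache is full.  Added example, not
 * net80211's code; cache size and timings are made up. */
enum node_state { STATE_NONE, STATE_CACHE, STATE_AUTH, STATE_ASSOC, STATE_COLLECT };

struct cached_node {
	enum node_state state;  /* STATE_NONE marks an empty slot */
	uint32_t last_active;   /* time of the last frame to or from this node */
};

#define CACHE_MAX   4
#define INACT_SECS  (5 * 60)   /* inactive after 5 minutes without a frame */

struct node_cache {
	struct cached_node n[CACHE_MAX];
	int nnodes;
};

static int
node_inactive(const struct cached_node *ni, uint32_t now)
{
	return now - ni->last_active >= INACT_SECS;
}

/* When full: any plain cached node, or an inactive AUTH/ASSOC node; never an active station. */
static int
node_evictable(const struct cached_node *ni, uint32_t now)
{
	if (ni->state == STATE_CACHE || ni->state == STATE_COLLECT)
		return 1;
	return (ni->state == STATE_AUTH || ni->state == STATE_ASSOC) && node_inactive(ni, now);
}

/* Evict least recently active victims until nnodes < CACHE_MAX; returns 0 if none is evictable. */
static int
cache_make_room(struct node_cache *c, uint32_t now)
{
	while (c->nnodes >= CACHE_MAX) {
		int i, victim = -1;

		for (i = 0; i < CACHE_MAX; i++)
			if (node_evictable(&c->n[i], now) &&
			    (victim < 0 || c->n[i].last_active < c->n[victim].last_active))
				victim = i;
		if (victim < 0)
			return 0;
		c->n[victim].state = STATE_NONE;
		c->nnodes--;
	}
	return 1;
}

/* Insert a node; returns its slot, or -1 when the cache holds only active stations. */
static int
cache_add(struct node_cache *c, enum node_state st, uint32_t last_active, uint32_t now)
{
	int i;

	if (!cache_make_room(c, now))
		return -1;
	for (i = 0; i < CACHE_MAX; i++)
		if (c->n[i].state == STATE_NONE) {
			c->n[i].state = st;
			c->n[i].last_active = last_active;
			c->nnodes++;
			return i;
		}
	return -1;
}

/* Constructed full-cache scenario; returns 1 when the eviction order matches the description. */
int
cache_full_demo(void)
{
	struct node_cache c;
	uint32_t now = 100000;

	memset(&c, 0, sizeof c);
	cache_add(&c, STATE_ASSOC, now, now);         /* slot 0: active station */
	cache_add(&c, STATE_ASSOC, now, now);         /* slot 1: active station */
	cache_add(&c, STATE_CACHE, now, now);         /* slot 2: only scanning, but active */
	cache_add(&c, STATE_AUTH, now - 400, now);    /* slot 3: authenticated, idle > 5 min */
	if (cache_add(&c, STATE_AUTH, now, now) != 3)   /* idle AUTH node goes first (1.69) */
		return 0;
	if (cache_add(&c, STATE_AUTH, now, now) != 2)   /* never-associated node next (1.64) */
		return 0;
	return cache_add(&c, STATE_CACHE, now, now) == -1; /* only active stations remain */
}

int
main(void)
{
	printf("node cache demo: %s\n", cache_full_demo() ? "ok" : "FAILED");
	return 0;
}
```

The while loop in cache_make_room is the 1.63 point: a single-pass cleanup that stops at nnodes == CACHE_MAX never frees a slot, and new stations then fail to attach even though evictable nodes are present.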


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.62 07-Aug-2010 krw

No "\n" needed at the end of panic() strings.

Bogus chunks pointed out by matthew@ and miod@. No cookies for
marco@ and jasper@.

ok deraadt@ miod@ matthew@ jasper@ marco@


# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


# 1.60 19-Jun-2010 damien

In ieee80211_node_leave(), clear the associd after calling
ieee80211_node_leave_rsn() since ieee80211_node_leave_rsn()
calls ic_delete_key() and drivers like ral(4) RT2860 need
a valid associd in their delete_key callbacks.
This affects HostAP mode only.

from Nathanael Rensen.

remove a useless (nested) #ifndef IEEE80211_STA_ONLY while i'm here


# 1.59 14-Jun-2010 damien

fix my previous commit, i forgot BIP, so instead of enumerating
what is not supported as a group cipher, enumerate what is supported.


# 1.58 14-Jun-2010 damien

do not try to associate with an AP using an unsupported group cipher,
otherwise we will panic in ieee80211_add_rsn_body().

this may be the cause of a panic seen by reyk@ though i'm not 100% sure.


# 1.57 28-Mar-2010 krw

Four uses of uninitialized variables found by clang via jsg@. ar5416, ar9287
and athn are only theoretically interesting. ieee80211_node fixes a real
bug in occupied channel detection.

ok damien@


Revision tags: OPENBSD_4_7_BASE
# 1.56 17-Feb-2010 damien

Do not always create a new node when a beacon or a probe response
is received. The creation of a new node is already handled in
ieee80211_recv_probe_resp() when necessary.
This avoids creating empty nodes with wrong channels when beacons
are received on the wrong channel (overlapping channels).
Those empty nodes may also prevent the real node from being
discovered because of ieee80211_find_node_for_beacon() filtering.

This should prevent entries of the form:
nwid "" chan 3 bssid 00:01:02:03:04:05 0dB 54M
in "ifconfig if0 scan" output, like reported by Rivo Nurges.


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.55 29-Jan-2009 damien

fix a panic that occurs when IEEE80211_STA_ONLY is defined (SMALL_KERNEL).

noticed by ray@, more investigation from sthen@
fix tested by sthen@


# 1.54 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.53 28-Jan-2009 damien

In ieee80211_find_node(), roll our own RB_FIND() based on the key (macaddr)
instead of resorting to horrid hacks/casts.
Restore the ieee80211_node structure back to its original state.


# 1.52 27-Jan-2009 damien

unbreak SMALL_KERNEL builds by adding missing #ifndef IEEE80211_STA_ONLY

pointed out by krw@


# 1.51 26-Jan-2009 damien

move ni_macaddr field at the top of the ieee80211_node structure.
this way we can avoid putting a full node structure (which is huge)
on the stack in ieee80211_find_node().
this is a bit tricky but the RB_FIND macro wants an "elem" structure,
not a field of "elem".


# 1.50 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.49 14-Dec-2008 damien

Add an ieee80211_notify_dtim() function that drivers should call after
every DTIM in HostAP mode.
Flushes all group addressed MSDUs buffered at the AP for power management.


# 1.48 23-Oct-2008 mk

Prevent a crash in ieee80211_setkeys() when unplugging an interface in
hostap mode by canceling the group rekey timeout in ieee80211_node_detach().

ok damien


# 1.47 15-Oct-2008 blambert

Second pass of simple timeout_add -> timeout_add_sec conversions
This should take care of the simpler ones (i.e., timeout values of
integer multiples of hz).

ok krw@, art@


# 1.46 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.45 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.44 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.43 12-Aug-2008 damien

new SHA-256 based AKMPs.


# 1.42 12-Aug-2008 damien

add/process group integrity cipher suite in RSN IEs.
add support for MFP negotiation during association.


# 1.41 12-Aug-2008 damien

the only integrity group cipher currently supported is AES-128-CMAC.


# 1.40 12-Aug-2008 damien

generate a random IGTK in HostAP mode if we're MFP-capable.


# 1.39 12-Aug-2008 damien

get rid of the map_ptk()/map_gtk() functions, just inline them
which makes things easier to track.


Revision tags: OPENBSD_4_4_BASE
# 1.38 02-Aug-2008 damien

Drop frames that are received unencrypted when WEP is on or when
WPA is on and RX protection for TA is on.
Keep track of the TX/RX protection for each node when WPA is on.

tested by djm@ (ral+wpa), ckuethe@ (ath-noenc) and krw@ (wpi<->ral+wpa).
hints from bluhm@
has been in snaps for a few days.

pointed out by bluhm@ something like 1 year ago but we did not have
the right infrastructure to fix it properly at that time.

ok deraadt@


# 1.37 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.36 27-Jul-2008 damien

s/IEEE80211_DPRINTF/DPRINTF/
automatically prepend __func__ to output.

deobfuscates debug messages a bit.
no binary change unless compiled with IEEE80211_DEBUG.


# 1.35 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.34 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


# 1.33 21-Apr-2008 damien

move ieee80211_ibss_merge() from ieee80211_input.c to ieee80211_node.c


# 1.32 21-Apr-2008 damien

move ieee80211_auth_open() to ieee80211_proto.c
move ieee80211_setup_rates() to ieee80211_node.c
move some prototypes from ieee80211_proto.h to ieee80211_crypto.h


# 1.31 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.30 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.29 07-Sep-2007 damien

use new malloc M_ZERO flag + replace MALLOC with malloc


Revision tags: OPENBSD_4_2_BASE
# 1.28 06-Jul-2007 damien

remove remaining bits for pre-RSNA shared authmode support.
it has been #if 0'd since 3.9 and we have never supported this mode (no
ifconfig option etc...).


# 1.27 06-Jul-2007 damien

initialize an uninitialized variable.


# 1.26 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.25 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.24 16-Jun-2007 damien

constify


# 1.23 16-Jun-2007 damien

don't mix u_int{8,16,32}_t and uint{8,16,32}_t
use u_int{8,16,32}_t everywhere.


# 1.22 16-Jun-2007 damien

de-static

ok jsg@


# 1.21 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.20 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


# 1.19 10-Apr-2007 miod

``it's'' -> ``its'' when the grammar gods require this change.


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 13-Nov-2006 damien

fix a possible NULL deref.


Revision tags: OPENBSD_4_0_BASE
# 1.16 19-Jun-2006 reyk

unbreak the code if compiled with IEEE80211_DEBUG by using the right
node attribute.

ok damien@, figured out by claudio@


# 1.15 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.14 19-Feb-2006 damien

Fix a comment in ieee80211_next_scan().


# 1.13 09-Oct-2005 reyk

if the wireless hostap interface belongs to a bridge, learn the node's
address dynamically on this interface after successful association.
this could speed wireless roaming to openbsd accesspoints.

ok jason@, jsg@ can't see anything objectionable


# 1.12 07-Oct-2005 reyk

minor knf


# 1.11 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.10 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.9 08-Sep-2005 jsg

Remove the last of the FreeBSD compatibility goop.
ok reyk@


# 1.8 08-Sep-2005 jsg

Remove FreeBSD if_printf compat function from net80211.
ok reyk@


# 1.7 08-Sep-2005 reyk

reset the scan state for each new mode

ok jsg@


# 1.6 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.5 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.4 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.3 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.2 02-Nov-2004 millert

Don't call memset() if MALLOC returns NULL; also fix the rcs ID.
From Patrick Latifi; OK reyk@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.183 10-Mar-2021 jsg

spelling

ok gnezdo@ semarie@ mpi@


Revision tags: OPENBSD_6_8_BASE
# 1.182 31-May-2020 stsp

Remove a dead assignment to ni_rsn_state in ieee80211_node_leave_rsn().

Patch by Mikolaj Kucharski


Revision tags: OPENBSD_6_7_BASE
# 1.181 05-May-2020 stsp

Purge the ic_bss->ni_savedq mbuf queue when a wireless interface goes down.

Purging this queue prevents a panic which occurs when a WPA2-enabled athn(4)
hostap interface is reconfigured while this queue contains frames.

In hostap mode, this queue contains group-addressed (broadcast) frames
which are buffered for clients sleeping in powersave state. Frames on
this queue are transmitted when it is time to send another beacon, at
which point in time sleeping clients wake up to receive such frames.

The panic message is "key unset for sw crypto", which can be explained as
follows: Group keys are cleared when the interface goes down. The beacon Tx
interrupt handler gets triggered by hardware when the interface comes back
up. This handler attempts to encrypt the queued frames for transmission,
resulting in the above panic since the group key has been zeroed out.

This panic has been observed with athn(4) by Jan Stary and Ted Patterson,
and Ted has confirmed that this patch fixes the problem.

ok kettenis@ (with the caveat that it's been a long time since he put our
AP-side powersave support into a working state)


# 1.180 08-Apr-2020 stsp

Fix ifconfig "media:" line for 11n wifi interfaces during and after bgscan.

Media was displayed as e.g. "autoselect (OFDM6)" even though 11n was active
because the current media mode is changed to AUTO for background scanning
and was never switched back to 11N.

ok mpi@ pirofti@


# 1.179 15-Jan-2020 phessler

If join is connected to an AP, remove the node from the cache so we properly
reconnect to the AP

OK stsp@


# 1.178 29-Dec-2019 stsp

If the new candidate AP found after a background scan has an RSSI level
that will also trigger background scans, remain with the current AP.
Avoids ping-pong in environments where APs are tuned for low transmit
range, such as 36c3.

ok phessler benno
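
The roaming rule above (stay with the current AP when the candidate's RSSI would itself trigger another background scan) and the scan back-off from revision 1.174 (scan less often while the same AP keeps winning), as an added example in C. This is not net80211 code; the RSSI threshold, the interval bounds and all names are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Added example (not net80211 code): decide whether a background scan
 * should move the client to a new candidate AP, and how long to wait
 * before scanning again. Thresholds, intervals and names are assumptions;
 * the two rules come from the commit messages: stay put if the candidate's
 * RSSI would itself trigger background scans (avoids ping-pong), and back
 * off scanning if we keep choosing the same AP.
 */
#define BGSCAN_RSSI_THRESH	30	/* scan when the current AP's RSSI (%) drops below this */
#define BGSCAN_MIN_SEC		10
#define BGSCAN_MAX_SEC		160

struct roam_state {
	int	cur_rssi;		/* RSSI of the AP we are associated with */
	int	same_ap_count;		/* consecutive scans that re-selected the current AP */
};

/* A background scan is only started when the current AP's signal is poor. */
static bool bgscan_needed(const struct roam_state *st)
{
	return st->cur_rssi < BGSCAN_RSSI_THRESH;
}

/*
 * Switch only if the candidate is good enough that we would not immediately
 * start scanning again from there. Returns true to roam to the candidate;
 * false means we stay with the current AP and count that as "same AP again".
 */
static bool roam_decide(struct roam_state *st, bool cand_is_current, int cand_rssi)
{
	if (cand_is_current || cand_rssi < BGSCAN_RSSI_THRESH) {
		st->same_ap_count++;
		return false;
	}
	st->same_ap_count = 0;
	st->cur_rssi = cand_rssi;
	return true;
}

/* Double the scan interval each time the same AP wins, up to a cap. */
static int bgscan_interval_sec(const struct roam_state *st)
{
	int sec = BGSCAN_MIN_SEC;

	for (int i = 0; i < st->same_ap_count && sec < BGSCAN_MAX_SEC; i++)
		sec *= 2;
	return sec > BGSCAN_MAX_SEC ? BGSCAN_MAX_SEC : sec;
}

int main(void)
{
	struct roam_state st = { 25, 0 };	/* constructed: weak current AP */

	printf("scan needed: %d\n", bgscan_needed(&st));
	printf("roam to weak candidate (28%%): %d\n", roam_decide(&st, false, 28));
	printf("next scan in %d s\n", bgscan_interval_sec(&st));
	printf("roam to good candidate (60%%): %d\n", roam_decide(&st, false, 60));
	printf("next scan in %d s\n", bgscan_interval_sec(&st));
	return 0;
}
```

Without the threshold check, a candidate at 28% would be selected, found too weak on the next scan, and abandoned again for the first AP: exactly the ping-pong the commit describes.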


# 1.177 10-Nov-2019 stsp

Stop connecting to available open wifi networks when the interface is put up.
From now on, this behaviour must be explicitly enabled with ifconfig join "".
ok sthen jcs deraadt


# 1.176 09-Nov-2019 stsp

Give access points which fail to AUTH or ASSOC less priority during
the next selection of networks from the join list. Prevents endless
attempts to connect to an AP which is out of reach but still somehow
manages to get a beacon or two across to us during scan.

Tested with wifi networks at the University of Bucharest.
Makes switching wifi networks possible after walking to a different
room without having to down/up the interface or suspend/resume.

ok phessler@


# 1.175 09-Nov-2019 stsp

Clear the unref callback function pointer when cleaning up an ieee80211_node.
ok mpi@


# 1.174 31-Oct-2019 stsp

Make background scans less frequent if we keep choosing the same AP.

This helps a bit in situations where a single AP is used and background scans
are causing packet loss, as seen with Jesper Wellin's Broadcom-based AP and my
Android phone in hotspot mode. This is not a proper fix but our background scan
frequency against a single AP was much higher than needed anyway.

Tested by jan, job, benno, Tracey Emery, Jesper Wallin


Revision tags: OPENBSD_6_6_BASE
# 1.173 02-Sep-2019 stsp

Make net80211 expose reasons for association failures to userland and have
ifconfig display them in 'scan' output and on the ieee80211 status line if
the failure is applicable to an already selected AP (e.g. wrong WPA key).

This will hopefully reduce the amount of help requests for what often
turn out to be trivial misconfiguration issues that were previously
hard to diagnose without debug mode.

ifconfig must be recompiled with the new ieee80211_ioctl.h to stay in
sync with the kernel. A full 'make build' will do the right thing!

Very helpful input by mpi@ and deraadt@


# 1.172 27-Aug-2019 stsp

Keep ieee80211_node structures cached across scans, rather than
wiping the entire cache every time a scan is triggered.

This has benefits for userland programs trying to look at scan results,
and for drivers which don't get a full view from hardware on every scan.

Nodes will still be evicted from the cache in one of several ways:

Add a new way of timing out inactive nodes which don't send a beacon
within 10 scan iterations, for client mode only. This should get rid
of stale APs if we're scanning for some time in a changing environment.

If we fail to associate a few times, the corresponding node is removed.

If net80211 transitions back to INIT state (e.g. because of a
user-initiated configuration change) all nodes are removed.

When a background scan starts all nodes will be removed. This could be
revisited later but has been intentionally left as-is for now.

Tested by myself, jmc@, benno@, procter@ on iwm(4), athn(4) and ral(4).


# 1.171 26-Aug-2019 stsp

remove redundant assignment to ic_curmode

This assignment to ic_curmode is redundant because it already occurs
inside ieee80211_setmode(), and channel information in selbs and ni
is equivalent after node_copy().

ok mpi@ kevlo@


# 1.170 29-Jul-2019 stsp

Add support for 802.11n Tx aggregation to net80211 and the iwn(4) driver.

In particular, add Tx block ack session management to net80211, with
enough functionality to support Tx aggregation on devices which perform
A-MPDU subframe scheduling in firmware.
Make use of the iwn(4) firmware Tx scheduler to build A-MPDUs.

net80211's QoS support code is now enabled and used by Tx aggregation.

A-MSDU frames inside A-MPDUs have been tested and work in principle.
For now, this feature is disabled because unfair TCP connection sharing
was observed during testing, where bursts of TCP Ack frames for a single
tcpbench(1) connection arriving in A-MSDUs made other TCP connections stall.
Switch off support for A-MSDUs inside A-MPDUs on the Rx side as well.

Tested on iwn chipsets 1000, 4965, 5100, 5300, 2200, 6200, 6205, 6300
(committed version of tested diff has all debug printfs removed)
tests/ok benno kmos mlarkin kevlo


# 1.169 23-Jul-2019 stsp

In 11n hostap mode, properly disable HT protection when needed
by actually overwriting the relevant bits in ni_htop1.
ok tedu@ phessler@ kettenis@


# 1.168 10-Jun-2019 stsp

Revised version of 'ifconfig mode' command fix.

The 'mode' command is supposed to force a wireless interface into 11a/b/g/n
media mode. This stopped working some time ago, probably during my work on
background scanning. Problem spotted by mlarkin@ who noticed that interfaces
were using 11g mode while forced to 11b mode.

ok phessler, jmatthew (earlier version)
relentless testing by krw@


# 1.167 31-May-2019 stsp

Revert my "Repair the 'ifconfig mode' command" commit.

The "recursion in end_scan()" problem is apparently still present in
the committed version of the diff (reported by krw@).


# 1.166 29-May-2019 stsp

Repair the 'ifconfig mode' command.

The 'mode' command is supposed to force a wireless interface into 11a/b/g/n
media mode. This stopped working some time ago, probably during my work on
background scanning. Problem spotted by mlarkin@ who noticed that interfaces
were using 11g mode while forced to 11b mode.

ok phessler, jmatthew


# 1.165 11-May-2019 stsp

Show driver name on net80211 scan debug lines.
ok mpi@


# 1.164 28-Apr-2019 mpi

Removes the KERNEL_LOCK() from bridge(4)'s output fast-path.

This redefines the ifp <-> bridge relationship. No lock can be
currently used across the multiples contexts where the bridge has
tentacles to protect a pointer, use an interface index.

Tested by various, ok dlg@, visa@


Revision tags: OPENBSD_6_5_BASE
# 1.163 15-Mar-2019 phessler

fix autojoin for WEP network by actually saving the WEP auth key

discovered while attempting to autojoin WEP networks


# 1.162 01-Mar-2019 stsp

Improve handling of HT protection for 'mode 11n' hostap.

Consider the mere presence of HTCAP IEs as indicator of 11n support,
rather than checking advertised Rx MCS. Fixes some devices being
misclassified as 11a/g, causing HT protection to be enabled even
though it is not needed.

Use CTS-to-self frames for HT protection instead of RTS/CTS.

These changes make my athn(4) AR9280 hostap perform much better.

ok phessler@


# 1.161 23-Jan-2019 stsp

Move 802.11n rateset definitions out of MiRA and make them available to
net80211 and drivers in general. Add ratesets for 'short guard interval'
(SGI) rates, and add SGI support to MiRA. SGI is currently only used by
iwm(4), and of course internally by bwfm(4) firmware.
Ratesets for 11n 40 MHz channels and 11ac will come later.
ok mpi@ phessler@


# 1.160 18-Jan-2019 phessler

add a len field when we delete an essid from the joinlist. this will have
us properly match, instead of hoping we got lucky when selecting it.

OK stsp@


# 1.159 18-Jan-2019 phessler

let users automatically use join to connect to any open wifi network.
if a known network is visible, always prefer that instead.

requested by many, OK stsp@


# 1.158 25-Nov-2018 phessler

print more details about the join'd networks we have saved when a user runs
ifconfig if joinlist

OK stsp@


# 1.157 20-Nov-2018 phessler

fix whitespace in debugging function


# 1.156 20-Nov-2018 patrick

The first packet received from each AP in each QoS class would be
dropped as the sequence number matches the initial value of the
cached last sequence number (zero). On some APs (notably Android
WIFI hotspots) this hits the first packet of the WPA2 4-way
handshake. This causes connection delays and in some cases
connection to the AP fails completely. Initialize the cached last
sequence numbers for received packets to an invalid value instead.

From Christian Ehrhardt
ok gerhard@ stsp@
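
The failure mode described above, as an added example in C (not net80211 code): a per-TID cache of the last received Sequence Control value, once initialised to zero and once to a value outside the 16-bit range. The duplicate rule is simplified, and the sentinel, the TID count and the function names are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example (not net80211 code): a per-TID cache of the last received
 * 802.11 Sequence Control value, used to drop retransmitted duplicates.
 * Names, the TID count and the sentinel value are assumptions.
 */
#define NUM_TIDS	16
#define RXSEQ_NONE	0x10000u	/* outside the 16-bit seqctl range: "nothing seen yet" */

struct rx_seq_cache {
	uint32_t last_seq[NUM_TIDS];
};

/* Build a Sequence Control field: 12-bit sequence number, 4-bit fragment number. */
static uint16_t make_seqctl(unsigned seq, unsigned frag)
{
	return (uint16_t)(((seq & 0xfff) << 4) | (frag & 0xf));
}

/* Buggy initializer: zero reads as "the last frame on this TID had seqctl 0". */
static void rxseq_init_zero(struct rx_seq_cache *c)
{
	for (int i = 0; i < NUM_TIDS; i++)
		c->last_seq[i] = 0;
}

/* Fixed initializer: every TID starts out with a value no frame can carry. */
static void rxseq_init_invalid(struct rx_seq_cache *c)
{
	for (int i = 0; i < NUM_TIDS; i++)
		c->last_seq[i] = RXSEQ_NONE;
}

/*
 * Simplified duplicate check (assumed, not the stack's exact rule): a frame
 * whose seqctl equals the cached value for its TID is treated as a
 * retransmission and dropped; otherwise the cache is updated and the frame
 * is accepted. Returns true when the frame must be dropped.
 */
static bool rxseq_is_dup(struct rx_seq_cache *c, unsigned tid, uint16_t seqctl)
{
	if (tid >= NUM_TIDS)
		tid = 0;
	if (c->last_seq[tid] == seqctl)
		return true;
	c->last_seq[tid] = seqctl;
	return false;
}

/* Replay the commit's scenario: the first frame from the AP carries seqctl 0. */
static int first_frame_dropped(void (*init)(struct rx_seq_cache *))
{
	struct rx_seq_cache c;

	init(&c);
	return rxseq_is_dup(&c, 0, make_seqctl(0, 0)) ? 1 : 0;
}

int main(void)
{
	printf("zero-init drops first frame: %d\n", first_frame_dropped(rxseq_init_zero));
	printf("invalid-init drops first frame: %d\n", first_frame_dropped(rxseq_init_invalid));
	return 0;
}
```

With the zero initializer, EAPOL message 1 of the 4-way handshake (sequence number 0 from a freshly started AP) is silently dropped, and the handshake only proceeds once the AP retransmits it with a new sequence number, which is the delay the commit describes.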


# 1.155 27-Oct-2018 phessler

pass around the ess and ni structures we plan to use directly, instead
of rediscovering them (possibly badly).

OK stsp@


# 1.154 27-Oct-2018 phessler

clean up accounting of the AUTO_JOIN flag by making sure it is set or cleared
based on the state of the joinlist

OK stsp@


# 1.153 27-Oct-2018 phessler

don't join to a network where we expect cleartext, and the AP is using crypto

OK stsp@


Revision tags: OPENBSD_6_4_BASE
# 1.152 18-Sep-2018 mestre

fix memory leak in ieee80211_end_scan()

OK phessler@ jsg@


# 1.151 17-Sep-2018 jsg

fix memory leaks in ieee80211_add_ess()
ok stsp@ phessler@


# 1.150 11-Sep-2018 phessler

use the format string for signed ints, for signed ints

reminded by stsp@


# 1.149 11-Sep-2018 phessler

With the interface debug flag enabled, print a "score" for each AP we
consider during auto-join. This can help users determine why a specific
network was chosen.

OK stsp@


# 1.148 10-Sep-2018 phessler

fix typo in the length of the essid we want to switch to

found with and OK stsp@


# 1.147 10-Sep-2018 phessler

extract clearing WEP/WPA in ess into helper functions


# 1.146 10-Sep-2018 phessler

give set_ess a len variable, so we can correctly match the essid we want
to switch to.

pointed out by stsp@


# 1.145 09-Sep-2018 phessler

convert the things we save in 'join' into a single ioctl. mixing related
settings over multiple calls was risky and racy. Pass essid, wpa, and wep
parameters in a single ioctl and process it atomically.

no change for 'nwid' users

OK stsp@ benno@


# 1.144 06-Sep-2018 jsg

fix whitespace


# 1.143 01-Sep-2018 stsp

Make 'ifconfig nwid' override 'ifconfig join'.

There was no way to override a decision made by join's network
selection algorithm (apart from disabling the feature by clearing
the join list). Automatic selection is based on heuristics which
cannot always guess correctly so we need to provide an override.

One specific problem was that if 'nwid foo' and 'nwid bar' were
both visible in the scan and only 'nwid foo' was a member of the
join list, then there was no way at all to connect to 'nwid bar'.
The wireless stack would keep selecting 'nwid foo' instead.

'ifconfig iwm0 nwid bar' command will now disable automatic
network selection and force the use of ESSID 'bar'.
Any of these commands will re-enable automatic network selection:
ifconfig iwm0 -nwid
ifconfig iwm0 nwid ''
ifconfig iwm0 join some-network-id

ok phessler@ deraadt@


# 1.142 15-Aug-2018 stsp

Update AP selection heuristics for auto-join.

We now prefer stronger crypto over weaker crypto over none, prefer 5 GHz
band with reasonable RSSI, and use RSSI as a tie-breaker with a slight
advantage for 5GHz. Candidate APs are now ranked by a score which is
calculated based on these attributes.

There is likely room for improvements to make these heuristics
work well across many different environments, but it's a start.

ok phessler@
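
The ranking described above, together with the demotion of APs that recently failed AUTH or ASSOC (revision 1.176) and the per-AP debug score (revision 1.149), as an added example in C. This is not net80211 code: the weights, the 50% "reasonable RSSI" threshold, the failure penalty and all names are assumptions, and the scan results are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Added example (not net80211 code): rank candidate APs for auto-join by a
 * score. The ordering follows the commit messages (stronger crypto over
 * weaker over none; 5 GHz with reasonable RSSI preferred; RSSI as tie-breaker
 * with a slight 5 GHz edge; APs that recently failed AUTH/ASSOC demoted).
 * The weights, the RSSI threshold and all names are assumptions.
 */
enum ap_crypto { CRYPTO_NONE = 0, CRYPTO_WEP = 1, CRYPTO_WPA1 = 2, CRYPTO_WPA2 = 3 };

struct ap_candidate {
	const char	*bssid;
	enum ap_crypto	crypto;
	bool		band_5ghz;
	int		rssi_pct;	/* RSSI as a percentage, 0..100 */
	int		fails;		/* AUTH/ASSOC failures since the last success */
};

#define RSSI_5GHZ_OK	50	/* "reasonable" 5 GHz signal (assumed threshold) */
#define CRYPTO_WEIGHT	1000	/* crypto class dominates everything else */
#define BAND_BONUS	100	/* 5 GHz with reasonable RSSI beats any 2 GHz RSSI */
#define BAND_TIEBREAK	5	/* slight 5 GHz edge when otherwise equal */
#define FAIL_PENALTY	200	/* per recent failure, so unreachable APs sink */

static int ap_score(const struct ap_candidate *ap)
{
	int score = ap->crypto * CRYPTO_WEIGHT;

	if (ap->band_5ghz && ap->rssi_pct >= RSSI_5GHZ_OK)
		score += BAND_BONUS;
	score += ap->rssi_pct;
	if (ap->band_5ghz)
		score += BAND_TIEBREAK;
	score -= ap->fails * FAIL_PENALTY;
	return score;
}

/* Return the index of the highest-scoring candidate, or -1 if the list is empty. */
static int ap_select(const struct ap_candidate *aps, size_t n, bool debug)
{
	int best = -1, best_score = 0;

	for (size_t i = 0; i < n; i++) {
		int s = ap_score(&aps[i]);

		if (debug)
			printf("%s: score %d\n", aps[i].bssid, s);
		if (best < 0 || s > best_score) {
			best = (int)i;
			best_score = s;
		}
	}
	return best;
}

/* Constructed scan results for one ESSID (not real data). */
static const struct ap_candidate sample_aps[] = {
	{ "open-5g-strong",  CRYPTO_NONE, true,  90, 0 },
	{ "wpa2-2g-strong",  CRYPTO_WPA2, false, 60, 0 },
	{ "wpa2-5g-ok",      CRYPTO_WPA2, true,  55, 0 },
	{ "wpa2-5g-weak",    CRYPTO_WPA2, true,  20, 0 },
	{ "wpa2-5g-failing", CRYPTO_WPA2, true,  70, 1 },
};
static const size_t sample_aps_n = sizeof(sample_aps) / sizeof(sample_aps[0]);

int main(void)
{
	int i = ap_select(sample_aps, sample_aps_n, true);

	printf("selected: %s\n", i >= 0 ? sample_aps[i].bssid : "none");
	return 0;
}
```

Note what the weights encode: a strong open 5 GHz AP never beats a WPA2 one, a 5 GHz AP below the RSSI threshold loses to a stronger 2 GHz AP, and a single recent failure is enough to drop an otherwise best-looking AP below its peers, so the client stops retrying an AP that only manages to get a beacon or two across.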


# 1.141 13-Aug-2018 stsp

Add support for band-steering access points to net80211.

Some access points have a feature called "band steering" where they
will try to push clients from 2 GHz channels to 5 GHz channels.
If a client sends probe-requests on both 2 GHz and 5GHz channels, and
then attempts to authenticate on a 2 GHz channel, such APs will deny
authentication and hope that the client will come back on a 5 GHz channel.

So if we fail to AUTH for any reason, and if there is a different
AP with the same ESSID that we haven't tried yet, try that AP next.
Keep trying until no APs are left, and only then continue scanning.

APs with support for this feature were provided by Mischa Peters.

ok phessler@ mpi@


# 1.140 11-Aug-2018 stsp

Add comment explaining why we read basic MCS set only from beacon/probereq.
requested by mpi@


# 1.139 07-Aug-2018 stsp

Ignore basic MCS set information found in association responses.

Some APs (Aruba 105) send a bogus basic MCS set in assoc responses
which prevents us from enabling 11n support with those APs, while
these APs still behave as if we were an 11n client which renders
the association unusable.

The basic MCS set is already provided in beacons anyway, and the
802.11 2012 standard says the basic MCS set is reserved in frames
other than beacons (see Table 8-130).

ok mpi@


# 1.138 06-Aug-2018 stsp

Refactor ieee80211_add_ess():

Drop ieee80211_add_ess's nwid parameter. Read nwid and length directly
from the ic to make it more obvious where this function is reading from.

nwids are binary data with an explicit length, so treat them as such
instead of treating them like strings.

ok florian phessler


# 1.137 06-Aug-2018 florian

Do not set nwid over and over again. We just found the ess by comparing
the nwid. It will not have changed in the meantime.
OK stsp


# 1.136 03-Aug-2018 phessler

revert 1.133 and part of 1.131
the stack doesn't always fill in the parameters correctly

reported by many


# 1.135 30-Jul-2018 stsp

Don't ask drivers to join a wifi network before an AP has been chosen.
Should fix a panic with bwfm(4) reported by mlarkin@
ok phessler@


# 1.134 19-Jul-2018 florian

ieee80211_ess_is_better() returns 0 or 1, comparing > 1 is always
false so we always selected the first wifi available, not the best
one.

While here shuffle some deck chairs to make it clearer that anything is
better than nothing.

tweak & OK phessler


# 1.133 16-Jul-2018 phessler

the AP sends their crypto parameters as a mask, so let us still select it
in case we want WPA2 and they have WPA1 still enabled


# 1.132 16-Jul-2018 phessler

don't save or use auto-join when the card is not in station (aka client) mode

OK stsp@


# 1.131 13-Jul-2018 phessler

Some more checks before auto-join switches networks.

Make sure all of the crypto options the AP announces matches what we
would configure. While here, don't switch if the user has specified
a specific BSSID, and the new AP does not match.

OK stsp@


# 1.130 11-Jul-2018 phessler

Introduce 'auto-join' to the wifi 802.11 stack.

This allows a system to remember which ESSIDs it wants to connect to, any
relevant security configuration, and switch to it when the network we are
currently connected to is no longer available.

Works when connecting and switching between WPA2/WPA1/WEP/clear encryptions.

example hostname.if:
join home wpakey password
join work wpakey mekmitasdigoat
join open-lounge
join cafe wpakey cafe2018
join "wepnetwork" nwkey "12345"
dhcp
inet6 autoconf
up

OK stsp@ reyk@
and enthusiasm from every hackroom I've been in for the last 3 years


# 1.129 28-Apr-2018 stsp

When starting a background scan, free the nodes table to ensure we
get an up-to-date view of APs around us. In particular, we need to
kick out the AP we are associated to. Otherwise, our current AP might
stay cached if it is turned off while we are scanning, and we could
end up picking a now non-existent but "good looking" AP over and over.

found with and ok phessler@


# 1.128 27-Apr-2018 stsp

Fix the scan loop: We were only looking for an AP once and stopped
scanning if none was found.
Accidentally broken in recent ifconfig scan changes by pirofti and me.
ok pirofti


# 1.127 26-Apr-2018 pirofti

net80211: stub SIOCS80211SCAN, make ifconfig scan instant.

The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stsp@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.

The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.

In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.

The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...

Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.

Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).

Tested by mpi@, landry@, florian@, thanks!
OK mpi@.


Revision tags: OPENBSD_6_3_BASE
# 1.126 06-Feb-2018 phessler

convert the test if a node support HT (aka, 11n) into an inline function,
instead of testing some un-obvious bitfield

OK stsp@


# 1.125 12-Dec-2017 stsp

Don't dereference IEEE80211_CHAN_ANYC pointer in ieee80211_node_checkrssi().

Problem reported by Gregoire Jadi on bugs@


# 1.124 12-Dec-2017 phessler

Allow interfaces that aren't SCANNALLBAND drivers to benefit from the
strongest received signal.

OK stsp@


# 1.123 12-Dec-2017 jcs

Fix the behavior of preferring weaker-but-still-good 5Ghz APs over
2Ghz APs because the 5Ghz band is generally less saturated.

The previous implementation was dependent upon the order of walking
APs.

ok stsp


# 1.122 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


Revision tags: OPENBSD_6_2_BASE
# 1.121 05-Sep-2017 stsp

When starting a new scan always set the mode to AUTO if the driver scans
all bands at once. Fixes a problem where e.g. 5GHz APs were filtered out
if we were previously associated to an 11g-only AP.
ok mpi@ phessler@


# 1.120 17-Aug-2017 stsp

Add an entry to dmesg if pairwise WPA keys arrive unexpectedly or if WPA
group keys are being reused. OpenBSD wireless clients will now leave a
trail of such events in their message log.

There has been increased public scrutiny of WPA's security recently, so
I am curious to see if anyone is attempting replay attacks in the wild.

ok deraadt


# 1.119 04-Aug-2017 stsp

Compile a debug printf in ieee80211_match_bss() by default, previously
guarded by the IEEE80211_DEBUG preprocessor flag. This shows one line
per detected AP after a scan, and indicates which APs are considered
candidates for association.
Shorten the output a bit to fit into 80 columns more likely.
ok sthen@


# 1.118 19-Jul-2017 stsp

Improve the heuristic which selects 5GHz APs over 2GHz APs.

The previous code wasn't quite right: it didn't account for the fact that
some drivers don't set ic_max_rssi, and it compared 5GHz APs to a threshold
relative to the max RSSI, rather than comparing RSSI on 5GHz relative to
RSSI on 2GHz.

This heuristic is only used by SCANNALLBAND drivers: iwn(4), iwm(4), wpi(4)

In the future the AP selection heuristic should be made more intelligent,
e.g. it should take BSS load information in beacons into account.
Another open problem is inconsistent representation of RSSI measurement
values throughout our drivers and stack. Help is welcome!

For now, this hopefully improves AP selection at busy airports.

ok sthen@ deraadt@


# 1.117 04-Jun-2017 tb

Add sizes for free for the RSN IEs. Rewrite ieee80211_save_ie() slightly
to make it more readable.

help, many explanations and ok stsp


# 1.116 03-Jun-2017 tb

Add a few sizes to free().

Input, help & ok stsp


Revision tags: OPENBSD_6_1_BASE
# 1.115 04-Mar-2017 stsp

branches: 1.115.4;
In 11n hostap mode, dynamically adjust HT protection settings based on
the presence of non-HT nodes in the node cache.
OpenBSD 11n APs will now disable HT protection if it is not necessary.
ok mpi@


# 1.114 03-Feb-2017 stsp

Fix 11b clients sending bogus ratesets in association requests. The common
rateset with the AP is calculated only after the association response was
received, which is too late. Fix rates when an AP is selected after a scan.
ok mpi@ tb@


# 1.113 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.112 16-Jan-2017 stsp

Reset block ack state and cancel related timeouts when a HT node disassociates.
The existing code (from damien@) already took care of freeing related buffers
but because block ack state was not reset we were still trying to use these
buffers if the node sent another A-MPDU. This problem only affects 11n hostap.
Fixes kernel crash reported by Timo Myyra on bugs@


# 1.111 09-Jan-2017 stsp

When a HT node leaves or reassociates as a non-HT node,
clear HT capabilities stored in its node cache object.

A node may switch from 11n mode to 11a/b/g mode.
If we don't clear HT capabilities from the cache the node will
be mistaken as 11n-capable after reassociation.

ok phessler@ mpi@


# 1.110 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.109 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.108 09-Jan-2017 stsp

The point of ieee80211_node_leave() is to place the node in COLLECT state.
Return early and do nothing if the node is already in COLLECT state upon
entry to this function.


# 1.107 09-Jan-2017 stsp

When acting as hostap, negotiate HT before calling the driver's ic_newassoc()
function, not afterwards. Drivers now know whether a joining node supports HT
which helps with setting up state such as which Tx rate to use.


# 1.106 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@


# 1.105 15-Sep-2016 dlg

move from RB macros to the RBT functions.

shaves about 5k off an amd64 GENERIC.MP kernel


# 1.104 17-Aug-2016 stsp

If a wireless device or driver scans all bands at once give 5GHz APs
a slight priority in cases where good matches exist in either band.
ok sthen@


Revision tags: OPENBSD_6_0_BASE
# 1.103 21-May-2016 stsp

branches: 1.103.2;
Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


# 1.102 18-May-2016 stsp

In hostap mode, don't re-use association IDs (AIDs) of nodes which are
still lingering in the node cache. This could cause an AID to be assigned
twice, once to a newly associated node and once to a different node in
COLLECT cache state (i.e. marked for future eviction from the node cache).

Drivers (e.g. rt2860) may use AIDs to keep track of nodes in firmware
tables and get confused when AIDs aren't unique across the node cache.
The symptom observed with rt2860 was nodes stuck at 1 Mbps Tx rate since
the duplicate AID made the driver perform Tx rate (AMRR) accounting on
the wrong node object.

To find out if a node is associated we now check the node's cache state,
rather than comparing the node's AID against zero. An AID is assigned when
a node associates and it lasts until the node is eventually purged from the
node cache (previously, the AID was made available for re-use when the node
was placed in COLLECT state). There is no need to be stingy with AIDs since
the number of possible AIDs exceeds the maximum number of nodes in the cache.

Problem found by Nathanael Rensen.
Fix written by Nathanael and myself. Tested by Nathanael.
Committing now to get this change tested across as many drivers as possible.


# 1.101 12-Apr-2016 mpi

Call if_enqueue() and if_start() instead of dereferencing the ifp
pointers.

These functions have been introduced to abstract some of the MP-
safeness^Wmadness and should be used everywhere.

Prodded by a comment from jsg@.

ok mikeb@, stsp@


# 1.100 03-Mar-2016 gerhard

Restore assignment of ic_curmode that was accidentally removed when
moving the ERP code to post-assoc phase. Fixes iwi(4) fatal firmware
errors.

ok stsp@, sobrado@


Revision tags: OPENBSD_5_9_BASE
# 1.99 25-Jan-2016 stsp

branches: 1.99.2;
Honour ERP protection on 2 GHz channels in 11n mode, as done for 11g.
ok millert@


# 1.98 25-Jan-2016 stsp

Don't try to interpret htprot data if the last beacon didn't contain such data.
ok mpi@ millert@


# 1.97 07-Jan-2016 stsp

Make the A-MPDU reordering buffer more resilient against APs which drop
some subframes or let the sequence number jump up by more than 1 (hard
to tell which it is). We decrease the BA inactivity timeout for quicker
recovery from stalled BA sessions, and add a new timeout which keeps track
of gaps in the subframe sequence number space due to dropped frames.
Gaps expire after 500 msec, the same value FreeBSD uses for their
implementation of this workaround. And Linux uses this trick, too.

This should fix network stalls some people have been seeing in 11n mode.

ok deraadt@


# 1.96 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.95 04-Jan-2016 stsp

While configuring ERP we need to know if we're in 11a or 11g mode so only
configure ERP once we are sure about our operation mode against the AP.
ok sthen jasper kettenis deraadt mpi


# 1.94 18-Dec-2015 sthen

unnoccupied->unoccupied


# 1.93 12-Dec-2015 stsp

Finish support for receiving 11n A-MPDUs.

The initial implementation was added by damien@ years ago.
Summary of the changes made in this commit:
- In ieee80211_input(), process A-MPDUs before duplicate detection.
- Don't forget to set ba->ba_ni in ieee80211_recv_addba_req()
so we don't crash in ieee80211_rx_ba_timeout().
- In ieee80211_recv_addba_req(), tweak the logic to deny BlockAck
requests if the driver has no callback for doing so.
- Implement ieee80211_ba_del() which cleans up BlockAck state.
- Increase the minimum and maximum lifetime for BlockAck agreements.

ok mpi@


# 1.92 24-Nov-2015 mpi

No need to include <net/if_arp.h>

This header is only needed because <netinet/if_ether.h> declares a
structure that needs it. But it turns out that <net/if.h> already
includes it as workaround.

A proper solution would be to stop declaring "struct ether_arp"
there. But no driver should need this header.


# 1.91 15-Nov-2015 stsp

Parse 11n HT capabilities and operational info from association response
frames, negotiate HT with the AP, and move the interface into or out of
11n mode accordingly. If running as AP negotiate HT with nodes joining the BSS.

ok deraadt mpi kettenis guenther


# 1.90 15-Nov-2015 stsp

Extend struct ieee80211_node with fields for 11n STA HT capabilities and
HT operational information sent by 11n APs. These fields reflect the structure
of elements in management frames so that IEEE80211_HTCAP* and IEEE80211_HTOP*
macros designed to operate on frame elements can be used directly to read
or set the fields.

Populate nodes with HT information received in probe responses, probe
requests, and association requests.

ok deraadt mpi phessler kettenis guenther


# 1.89 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


Revision tags: OPENBSD_5_8_BASE
# 1.88 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.87 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.86 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.85 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rndvar.h. ok deraadt dlg


# 1.84 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.83 12-Sep-2014 sthen

Remove cached 802.11 nodes in IEEE80211_STA_CACHE state (these are nodes
which have been seen but which haven't otherwise interacted with us), fixing
a problem where old cached nodes are seen when doing a scan.
From Marcin Piotr Pawlowski, feedback stsp@ ok kspillner@ dcoppa@


# 1.82 08-Aug-2014 jasper

use nitems() instead of various local constructs

ok stsp@


Revision tags: OPENBSD_5_6_BASE
# 1.81 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


Revision tags: OPENBSD_5_5_BASE
# 1.80 01-Dec-2013 stsp

Reset txrate array index after changing a node's rate list.
Should prevent "bogus xmit rate %d setup" panics, which I ran into again
in IBSS mode.
ok kettenis


# 1.79 21-Nov-2013 mpi

Remove unneeded include.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.78 24-Mar-2013 claudio

Make ieee80211_set_tim() available from outside of ieee80211_node.c
so drivers like acx(4) can use that function directly instead of
reimplementing the function again. Requested by kettenis@ a long time ago.


Revision tags: OPENBSD_5_3_BASE
# 1.77 07-Nov-2012 stsp

Fix DPRINTF() format string treating n->ni_refcnt, which is unsigned, as signed.
diff from dhill; ok kettenis reyk


# 1.76 10-Oct-2012 kettenis

Clear the powersave flag and purge queued packets when a node leaves the AP
(either by disassociating or by timeout). Fixes (most) remaining issues with
power saving.

From Nathanael Rensen.

ok claudio@, krw@, sthen@


# 1.75 05-Oct-2012 camield

Point an interface directly to its bridgeport configuration, instead
of to the bridge itself. This is ok, since an interface can only be part
of one bridge, and the parent bridge is easy to find from the bridgeport.

This way we can get rid of a lot of list walks, improving performance
and shortening the code.

ok henning stsp sthen reyk


# 1.74 20-Sep-2012 stsp

Nuke M_80211_NODE #define which mapped to M_DEVBUF and use M_DEVBUF directly.
ok henning


# 1.73 25-Aug-2012 kettenis

Set up ni_savedq for the initial BSS node such that it can actually be used
to store multicast frames when one of the associated stations is in power
saving mode.

ok stsp@


# 1.72 17-Aug-2012 stsp

Fix possible panic while switching from STA mode into hostap/ibss modes.
ieee80211_create_ibss() resets the set of supported rates but failed
to update the index into the rate set array accordingly. If the rate
configured during STA operation didn't belong to the newly configured
rate set the system ran into an assertion ("bogus xmit rate %u setup")
while trying to create the IBSS.
ok fgsch@


Revision tags: OPENBSD_5_2_BASE
# 1.71 18-Jul-2012 stsp

Print messages about nodes purged from the node cache if hostap/ibss modes are
compiled in and the interface is in debug mode. ok sthen


# 1.70 16-Jul-2012 stsp

Move increment of ic_nnodes closer to where the node is actually inserted
into the cache. Make sure we're at IPL_NET while incrementing/decrementing
ic_nnodes. Add a debug message that warns about possible node leaks.
All of this affects hostap mode only.


# 1.69 13-Jul-2012 stsp

Tweak node cache eviction strategy when the cache is full: kick off new nodes
in AUTH state that weren't active during the cache wait interval rather than
keeping them for the entire cache timeout interval. Fixes association failures
in noisy RF environments. Tested by edd and myself with a slow soekris
suffering from RF noise with about 50 interrupts per second on ral0.
ok deraadt


Revision tags: OPENBSD_5_1_BASE
# 1.68 25-Jan-2012 stsp

There is no need to explicitly skip ic_bss when iterating over cached nodes.
The ic_bss is never put into the RB tree.


# 1.67 25-Jan-2012 stsp

Clean inactive authenticated nodes during cache timeout as well.
There is no need to keep nodes cached which never associated and were
inactive within the last 5 minutes or more. Keeps the node cache pretty
clean in my environment with typical city-center wlan noise.


# 1.66 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@


# 1.65 21-Jan-2012 stsp

Hold interrupts blocked while comparing a cached node's refcount to zero
and freeing the node. Just in case an interrupt happens to ref the node after
the refcount was checked but before the node is freed.
Tested by several as part of a larger diff.


# 1.64 18-Jan-2012 stsp

Make it possible to free cached nodes which never associated (e.g. nodes
only scanning for networks). These were never put into COLLECT state and
were thus never evicted from the node cache in hostap mode.
ok jsg@


Revision tags: OPENBSD_5_0_BASE
# 1.63 28-Mar-2011 kettenis

Clean nodes until the number of cached nodes is smaller than the maximum number
of nodes, otherwise we'll never actually clean any nodes. Fixes issues with
clients failing to attach because the node cache is completely filled.

ok damien@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.62 07-Aug-2010 krw

No "\n" needed at the end of panic() strings.

Bogus chunks pointed out by matthew@ and miod@. No cookies for
marco@ and jasper@.

ok deraadt@ miod@ matthew@ jasper@ macro@


# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


# 1.60 19-Jun-2010 damien

In ieee80211_node_leave(), clear the associd after calling
ieee80211_node_leave_rsn() since ieee80211_node_leave_rsn()
calls ic_delete_key() and drivers like ral(4) RT2860 need
a valid associd in their delete_key callbacks.
This affects HostAP mode only.

from Nathanael Rensen.

remove a useless (nested) #ifndef IEEE80211_STA_ONLY while i'm here


# 1.59 14-Jun-2010 damien

fix my previous commit, i forgot BIP, so instead of enumerating
what is not supported as a group cipher, enumerate what is supported.


# 1.58 14-Jun-2010 damien

do not try to associate with an AP using an unsupported group cipher,
otherwise we will panic in ieee80211_add_rsn_body().

this may be the cause of a panic seen by reyk@ though i'm not 100% sure.


# 1.57 28-Mar-2010 krw

Four uses of uninitialized variables found by clang via jsg@. ar5416, ar9287
and athn are only theoretically interesting. ieee80211_node fixes a real
bug in occupied channel detection.

ok damien@


Revision tags: OPENBSD_4_7_BASE
# 1.56 17-Feb-2010 damien

Do not always create a new node when a beacon or a probe response
is received. The creation of a new node is already handled in
ieee80211_recv_probe_resp() when necessary.
This avoids creating empty nodes with wrong channels when beacons
are received on the wrong channel (overlapping channels).
Those empty nodes may also prevent the real node from being
discovered because of ieee80211_find_node_for_beacon() filtering.

This should prevent entries of the form:
nwid "" chan 3 bssid 00:01:02:03:04:05 0dB 54M
in "ifconfig if0 scan" output, like reported by Rivo Nurges.


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.55 29-Jan-2009 damien

fix a panic that occurs when IEEE80211_STA_ONLY is defined (SMALL_KERNEL).

noticed by ray@, more investigation from sthen@
fix tested by sthen@


# 1.54 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.53 28-Jan-2009 damien

In ieee80211_find_node(), roll our own RB_FIND() based on the key (macaddr)
instead of resorting to horrid hacks/casts.
Restore the ieee80211_node structure back to its original state.


# 1.52 27-Jan-2009 damien

unbreak SMALL_KERNEL builds by adding missing #ifndef IEEE80211_STA_ONLY

pointed out by krw@


# 1.51 26-Jan-2009 damien

move ni_macaddr field at the top of the ieee80211_node structure.
this way we can avoid putting a full node structure (which is huge)
on the stack in ieee80211_find_node().
this is a bit tricky but the RB_FIND macro wants an "elem" structure,
not a field of "elem".


# 1.50 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.49 14-Dec-2008 damien

Add an ieee80211_notify_dtim() function that drivers should call after
every DTIM in HostAP mode.
Flushes all group addressed MSDUs buffered at the AP for power management.


# 1.48 23-Oct-2008 mk

Prevent a crash in ieee80211_setkeys() when unplugging an interface in
hostap mode by canceling the group rekey timeout in ieee80211_node_detach().

ok damien


# 1.47 15-Oct-2008 blambert

Second pass of simple timeout_add -> timeout_add_sec conversions
This should take care of the simpler ones (i.e., timeout values of
integer multiples of hz).

ok krw@, art@


# 1.46 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.45 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.44 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.43 12-Aug-2008 damien

new SHA-256 based AKMPs.


# 1.42 12-Aug-2008 damien

add/process group integrity cipher suite in RSN IEs.
add support for MFP negotiation during association.


# 1.41 12-Aug-2008 damien

the only integrity group cipher currently supported is AES-128-CMAC.


# 1.40 12-Aug-2008 damien

generate a random IGTK in HostAP mode if we're MFP-capable.


# 1.39 12-Aug-2008 damien

get rid of the map_ptk()/map_gtk() functions, just inline them
which makes things easier to track.


Revision tags: OPENBSD_4_4_BASE
# 1.38 02-Aug-2008 damien

Drop frames that are received unencrypted when WEP is on or when
WPA is on and RX protection for TA is on.
Keep track of the TX/RX protection for each node when WPA is on.

tested by djm@ (ral+wpa), ckuethe@ (ath-noenc) and krw@ (wpi<->ral+wpa).
hints from bluhm@
has been in snaps for a few days.

pointed out by bluhm@ something like 1 year ago but we did not have
the right infrastructure to fix it properly at that time.

ok deraadt@


# 1.37 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.36 27-Jul-2008 damien

s/IEEE80211_DPRINTF/DPRINTF/
automatically prepend __func__ to output.

deobfuscates debug messages a bit.
no binary change unless compiled with IEEE80211_DEBUG.


# 1.35 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.34 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


# 1.33 21-Apr-2008 damien

move ieee80211_ibss_merge() from ieee80211_input.c to ieee80211_node.c


# 1.32 21-Apr-2008 damien

move ieee80211_auth_open() to ieee80211_proto.c
move ieee80211_setup_rates() to ieee80211_node.c
move some prototypes from ieee80211_proto.h to ieee80211_crypto.h


# 1.31 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.30 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.29 07-Sep-2007 damien

use new malloc M_ZERO flag + replace MALLOC with malloc


Revision tags: OPENBSD_4_2_BASE
# 1.28 06-Jul-2007 damien

remove remaining bits for pre-RSNA shared authmode support.
it has been #if 0'd since 3.9 and we have never supported this mode (no
ifconfig option etc...).


# 1.27 06-Jul-2007 damien

initialize an uninitialized variable.


# 1.26 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.25 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.24 16-Jun-2007 damien

constify


# 1.23 16-Jun-2007 damien

don't mix u_int{8,16,32}_t and uint{8,16,32}_t
use u_int{8,16,32}_t everywhere.


# 1.22 16-Jun-2007 damien

de-static

ok jsg@


# 1.21 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.20 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


# 1.19 10-Apr-2007 miod

``it's'' -> ``its'' when the grammar gods require this change.


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 13-Nov-2006 damien

fix a possible NULL deref.


Revision tags: OPENBSD_4_0_BASE
# 1.16 19-Jun-2006 reyk

unbreak the code if compiled with IEEE80211_DEBUG by using the right
node attribute.

ok damien@, figured out by claudio@


# 1.15 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.14 19-Feb-2006 damien

Fix a comment in ieee80211_next_scan().


# 1.13 09-Oct-2005 reyk

if the wireless hostap interface belongs to a bridge, learn the node's
address dynamically on this interface after successful association.
this could speed wireless roaming to openbsd accesspoints.

ok jason@, jsg@ can't see anything objectionable


# 1.12 07-Oct-2005 reyk

minor knf


# 1.11 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.10 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.9 08-Sep-2005 jsg

Remove the last of the FreeBSD compatibility goop.
ok reyk@


# 1.8 08-Sep-2005 jsg

Remove FreeBSD if_printf compat function from net80211.
ok reyk@


# 1.7 08-Sep-2005 reyk

reset the scan state for each new mode

ok jsg@


# 1.6 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.5 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.4 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.3 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.2 02-Nov-2004 millert

Don't call memset() if MALLOC returns NULL; also fix the rcs ID.
From Patrick Latifi; OK reyk@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.182 31-May-2020 stsp

Remove a dead assignment to ni_rsn_state in ieee80211_node_leave_rsn().

Patch by Mikolaj Kucharski


Revision tags: OPENBSD_6_7_BASE
# 1.181 05-May-2020 stsp

Purge the ic_bss->ni_savedq mbuf queue when a wireless interface goes down.

Purging this queue prevents a panic which occurs when a WPA2-enabled athn(4)
hostap interface is reconfigured while this queue contains frames.

In hostap mode, this queue contains group-addressed (broadcast) frames
which are buffered for clients sleeping in powersave state. Frames on
this queue are transmitted when it is time to send another beacon, at
which point in time sleeping clients wake up to receive such frames.

The panic message is "key unset for sw crypto", which can be explained as
follows: Group keys are cleared when the interface goes down. The beacon Tx
interrupt handler gets triggered by hardware when the interface comes back
up. This handler attempts to encrypt the queued frames for transmission,
resulting in the above panic since the group key has been zeroed out.

This panic has been observed with athn(4) by Jan Stary and Ted Patterson,
and Ted has confirmed that this patch fixes the problem.

ok kettenis@ (with the caveat that it's been a long time since he put our
AP-side powersave support into a working state)


# 1.180 08-Apr-2020 stsp

Fix ifconfig "media:" line for 11n wifi interfaces during and after bgscan.

Media was displayed as e.g. "autoselect (OFDM6)" even though 11n was active
because the current media mode is changed to AUTO for background scanning
and was never switched back to 11N.

ok mpi@ pirofti@


# 1.179 15-Jan-2020 phessler

If join is connected to an AP, remove the node from the cache so we properly
reconnect to the AP

OK stsp@


# 1.178 29-Dec-2019 stsp

If the new candidate AP found after a background scan has an RSSI level
that will also trigger background scans, remain with the current AP.
Avoids ping-pong in environments where APs are tuned for low transmit
range, such as 36c3.

ok phessler benno


# 1.177 10-Nov-2019 stsp

Stop connecting to available open wifi networks when the interface is put up.
From now on, this behaviour must be explicitly enabled with ifconfig join "".
ok sthen jcs deraadt


# 1.176 09-Nov-2019 stsp

Give access points which fail to AUTH or ASSOC less priority during
the next selection of networks from the join list. Prevents endless
attempts to connect to an AP which is out of reach but still somehow
manages to get a beacon or two across to us during scan.

Tested with wifi networks at the University of Bucharest.
Makes switching wifi networks possible after walking to a different
room without having to down/up the interface or suspend/resume.

ok phessler@


# 1.175 09-Nov-2019 stsp

Clear the unref callback function pointer when cleaning up an ieee80211_node.
ok mpi@


# 1.174 31-Oct-2019 stsp

Make background scans less frequent if we keep choosing the same AP.

This helps a bit in situations where a single AP is used and background scans
are causing packet loss, as seen with Jesper Wellin's Broadcom-based AP and my
Android phone in hotspot mode. This is not a proper fix but our background scan
frequency against a single AP was much higher than needed anyway.

Tested by jan, job, benno, Tracey Emery, Jesper Wallin


Revision tags: OPENBSD_6_6_BASE
# 1.173 02-Sep-2019 stsp

Make net80211 expose reasons for association failures to userland and have
ifconfig display them in 'scan' output and on the ieee80211 status line if
the failure is applicable to an already selected AP (e.g. wrong WPA key).

This will hopefully reduce the amount of help requests for what often
turn out to be trivial misconfiguration issues that were previously
hard to diagnose without debug mode.

ifconfig must be recompiled with the new ieee80211_ioctl.h to stay in
sync with the kernel. A full 'make build' will do the right thing!

Very helpful input by mpi@ and deraadt@


# 1.172 27-Aug-2019 stsp

Keep ieee80211_node structures cached across scans, rather than
wiping the entire cache every time a scan is triggered.

This has benefits for userland programs trying to look at scan results,
and for drivers which don't get a full view from hardware on every scan.

Nodes will still be evicted from the cache in one of several ways:

Add a new way of timing out inactive nodes which don't send a beacon
within 10 scan iterations, for client mode only. This should get rid
of stale APs if we're scanning for some time in a changing environment.

If we fail to associate a few times, the corresponding node is removed.

If net80211 transitions back to INIT state (e.g. because of a
user-initiated configuration change) all nodes are removed.

When a background scan starts all nodes will be removed. This could be
revisited later but has been intentionally left as-is for now.

Tested by myself, jmc@, benno@, procter@ on iwm(4), athn(4) and ral(4).


# 1.171 26-Aug-2019 stsp

remove redundant assignment to ic_curmode

This assignment to ic_curmode is redundant because it already occurs
inside ieee80211_setmode(), and channel information in selbs and ni
is equivalent after node_copy().

ok mpi@ kevlo@


# 1.170 29-Jul-2019 stsp

Add support for 802.11n Tx aggregation to net80211 and the iwn(4) driver.

In particular, add Tx block ack session management to net80211, with
enough functionality to support Tx aggregation on devices which perform
A-MPDU subframe scheduling in firmware.
Make use of the iwn(4) firmware Tx scheduler to build A-MPDUs.

net80211's QoS support code is now enabled and used by Tx aggregation.

A-MSDU frames inside A-MPDUs have been tested and work in principle.
For now, this feature is disabled because unfair TCP connection sharing
was observed during testing, where bursts of TCP Ack frames for a single
tcpbench(1) connection arriving in A-MSDUs made other TCP connections stall.
Switch off support for A-MSDUs inside A-MPDUs on the Rx side as well.

Tested on iwn chipsets 1000, 4965, 5100, 5300, 2200, 6200, 6205, 6300
(committed version of tested diff has all debug printfs removed)
tests/ok benno kmos mlarkin kevlo


# 1.169 23-Jul-2019 stsp

In 11n hostap mode, properly disable HT protection when needed
by actually overwriting the relevant bits in ni_htop1.
ok tedu@ phessler@ kettenis@


# 1.168 10-Jun-2019 stsp

Revised version of 'ifconfig mode' command fix.

The 'mode' command is supposed to force a wireless interface into 11a/b/g/n
media mode. This stopped working some time ago, probably during my work on
background scanning. Problem spotted by mlarkin@ who noticed that interfaces
were using 11g mode while forced to 11b mode.

ok phessler, jmatthew (earlier version)
relentless testing by krw@


# 1.167 31-May-2019 stsp

Revert my "Repair the 'ifconfig mode' command" commit.

The "recursion in end_scan()" problem is apparently still present in
the committed version of the diff (reported by krw@).


# 1.166 29-May-2019 stsp

Repair the 'ifconfig mode' command.

The 'mode' command is supposed to force a wireless interface into 11a/b/g/n
media mode. This stopped working some time ago, probably during my work on
background scanning. Problem spotted by mlarkin@ who noticed that interfaces
were using 11g mode while forced to 11b mode.

ok phessler, jmatthew


# 1.165 11-May-2019 stsp

Show driver name on net80211 scan debug lines.
ok mpi@


# 1.164 28-Apr-2019 mpi

Removes the KERNEL_LOCK() from bridge(4)'s output fast-path.

This redefines the ifp <-> bridge relationship. No lock can be
currently used across the multiple contexts where the bridge has
tentacles to protect a pointer, so use an interface index.

Tested by various, ok dlg@, visa@


Revision tags: OPENBSD_6_5_BASE
# 1.163 15-Mar-2019 phessler

fix autojoin for WEP network by actually saving the WEP auth key

discovered while attempting to autojoin WEP networks


# 1.162 01-Mar-2019 stsp

Improve handling of HT protection for 'mode 11n' hostap.

Consider the mere presence of HTCAP IEs as indicator of 11n support,
rather than checking advertised Rx MCS. Fixes some devices being
misclassified as 11a/g, causing HT protection to be enabled even
though it is not needed.

Use CTS-to-self frames for HT protection instead of RTS/CTS.

These changes make my athn(4) AR9280 hostap perform much better.

ok phessler@


# 1.161 23-Jan-2019 stsp

Move 802.11n rateset definitions out of MiRA and make them available to
net80211 and drivers in general. Add ratesets for 'short guard interval'
(SGI) rates, and add SGI support to MiRA. SGI is currently only used by
iwm(4), and of course internally by bwfm(4) firmware.
Ratesets for 11n 40 MHz channels and 11ac will come later.
ok mpi@ phessler@


# 1.160 18-Jan-2019 phessler

add a len field when we delete an essid from the joinlist. this will have
us properly match, instead of hoping we got lucky when selecting it.

OK stsp@


# 1.159 18-Jan-2019 phessler

let users automatically use join to connect to any open wifi network.
if a known network is visible, always prefer that instead.

requested by many, OK stsp@


# 1.158 25-Nov-2018 phessler

print more details about the join'd networks we have saved when a user runs
ifconfig if joinlist

OK stsp@


# 1.157 20-Nov-2018 phessler

fix whitespace in debugging function


# 1.156 20-Nov-2018 patrick

The first packet received from each AP in each QoS class would be
dropped as the sequence number matches the initial value of the
cached last sequence number (zero). On some APs (notably Android
WIFI hotspots) this hits the first packet of the WPA2 4-way
handshake. This causes connection delays and in some cases
connection to the AP fails completely. Initialize the cached last
sequence numbers for received packets to an invalid value instead.

From Christian Ehrhardt
ok gerhard@ stsp@


# 1.155 27-Oct-2018 phessler

pass around the ess and ni structures we plan to use directly, instead
of rediscovering them (possibly badly).

OK stsp@


# 1.154 27-Oct-2018 phessler

clean up accounting of the AUTO_JOIN flag by making sure it is set or cleared
based on the state of the joinlist

OK stsp@


# 1.153 27-Oct-2018 phessler

don't join to a network where we expect cleartext, and the AP is using crypto

OK stsp@


Revision tags: OPENBSD_6_4_BASE
# 1.152 18-Sep-2018 mestre

fix memory leak in ieee80211_end_scan()

OK phessler@ jsg@


# 1.151 17-Sep-2018 jsg

fix memory leaks in ieee80211_add_ess()
ok stsp@ phessler@


# 1.150 11-Sep-2018 phessler

use the format string for signed ints, for signed ints

reminded by stsp@


# 1.149 11-Sep-2018 phessler

With the interface debug flag enabled, print a "score" for each AP we
consider during auto-join. This can help users determine why a specific
network was chosen.

OK stsp@


# 1.148 10-Sep-2018 phessler

fix typo in the length of the essid we want to switch to

found with and OK stsp@


# 1.147 10-Sep-2018 phessler

extract clearing WEP/WPA in ess into helper functions


# 1.146 10-Sep-2018 phessler

give set_ess a len variable, so we can correctly match the essid we want
to switch to.

pointed out by stsp@


# 1.145 09-Sep-2018 phessler

convert the things we save in 'join' into a single ioctl. mixing related
settings over multiple calls was risky and racy. Pass essid, wpa, and wep
parameters in a single ioctl and process it atomically.

no change for 'nwid' users

OK stsp@ benno@


# 1.144 06-Sep-2018 jsg

fix whitespace


# 1.143 01-Sep-2018 stsp

Make 'ifconfig nwid' override 'ifconfig join'.

There was no way to override a decision made by join's network
selection algorithm (apart from disabling the feature by clearing
the join list). Automatic selection is based on heuristics which
cannot always guess correctly so we need to provide an override.

One specific problem was that if 'nwid foo' and 'nwid bar' were
both visible in the scan and only 'nwid foo' was a member of the
join list, then there was no way at all to connect to 'nwid bar'.
The wireless stack would keep selecting 'nwid foo' instead.

'ifconfig iwm0 nwid bar' command will now disable automatic
network selection and force the use of ESSID 'bar'.
Any of these commands will re-enable automatic network selection:
ifconfig iwm0 -nwid
ifconfig iwm0 nwid ''
ifconfig iwm0 join some-network-id

ok phessler@ deraadt@


# 1.142 15-Aug-2018 stsp

Update AP selection heuristics for auto-join.

We now prefer stronger crypto over weaker crypto over none, prefer 5 GHz
band with reasonable RSSI, and use RSSI as a tie-breaker with a slight
advantage for 5GHz. Candidate APs are now ranked by a score which is
calculated based on these attributes.

There is likely room for improvements to make these heuristics
work well across many different environments, but it's a start.

ok phessler@


# 1.141 13-Aug-2018 stsp

Add support for band-steering access points to net80211.

Some access points have a feature called "band steering" where they
will try to push clients from 2 GHz channels to 5 GHz channels.
If a client sends probe-requests on both 2 GHz and 5GHz channels, and
then attempts to authenticate on a 2 GHz channel, such APs will deny
authentication and hope that the client will come back on a 5 GHz channel.

So if we fail to AUTH for any reason, and if there is a different
AP with the same ESSID that we haven't tried yet, try that AP next.
Keep trying until no APs are left, and only then continue scanning.

APs with support for this feature were provided by Mischa Peters.

ok phessler@ mpi@


# 1.140 11-Aug-2018 stsp

Add comment explaining why we read basic MCS set only from beacon/probereq.
requested by mpi@


# 1.139 07-Aug-2018 stsp

Ignore basic MCS set information found in association responses.

Some APs (Aruba 105) send a bogus basic MCS set in assoc responses
which prevents us from enabling 11n support with those APs, while
these APs still behave as if we were an 11n client which renders
the association unusable.

The basic MCS set is already provided in beacons anyway, and the
802.11 2012 standard says the basic MCS set is reserved in frames
other than beacons (see Table 8-130).

ok mpi@


# 1.138 06-Aug-2018 stsp

Refactor ieee80211_add_ess():

Drop ieee80211_add_ess's nwid parameter. Read nwid and length directly
from the ic to make it more obvious where this function is reading from.

nwids are binary data with an explicit length, so treat them as such
instead of treating them like strings.

ok florian phessler


# 1.137 06-Aug-2018 florian

Do not set nwid over and over again. We just found the ess by comparing
the nwid. It will not have changed in the meantime.
OK stsp


# 1.136 03-Aug-2018 phessler

revert 1.133 and part of 1.131
the stack doesn't always fill in the parameters correctly

reported by many


# 1.135 30-Jul-2018 stsp

Don't ask drivers to join a wifi network before an AP has been chosen.
Should fix a panic with bwfm(4) reported by mlarkin@
ok phessler@


# 1.134 19-Jul-2018 florian

ieee80211_ess_is_better() returns 0 or 1, comparing > 1 is always
false so we always selected the first wifi available, not the best
one.

While here shuffle some deck chairs to make it clearer that anything is
better than nothing.

tweak & OK phessler


# 1.133 16-Jul-2018 phessler

the AP sends their crypto parameters as a mask, so let us still select it
in case we want WPA2 and they have WPA1 still enabled


# 1.132 16-Jul-2018 phessler

don't save or use auto-join when the card is not in station (aka client) mode

OK stsp@


# 1.131 13-Jul-2018 phessler

Some more checks before auto-join switches networks.

Make sure all of the crypto options the AP announces matches what we
would configure. While here, don't switch if the user has specified
a specific BSSID, and the new AP does not match.

OK stsp@


# 1.130 11-Jul-2018 phessler

Introduce 'auto-join' to the wifi 802.11 stack.

This allows a system to remember which ESSIDs it wants to connect to, any
relevant security configuration, and switch to it when the network we are
currently connected to is no longer available.

Works when connecting and switching between WPA2/WPA1/WEP/clear encryptions.

example hostname.if:
join home wpakey password
join work wpakey mekmitasdigoat
join open-lounge
join cafe wpakey cafe2018
join "wepnetwork" nwkey "12345"
dhcp
inet6 autoconf
up

OK stsp@ reyk@
and enthusiasm from every hackroom I've been in for the last 3 years


# 1.129 28-Apr-2018 stsp

When starting a background scan, free the nodes table to ensure we
get an up-to-date view of APs around us. In particular, we need to
kick out the AP we are associated to. Otherwise, our current AP might
stay cached if it is turned off while we are scanning, and we could
end up picking a now non-existent but "good looking" AP over and over.

found with and ok phessler@


# 1.128 27-Apr-2018 stsp

Fix the scan loop: We were only looking for an AP once and stopped
scanning if none was found.
Accidentally broken in recent ifconfig scan changes by pirofti and me.
ok pirofti


# 1.127 26-Apr-2018 pirofti

net80211: stub SIOCS80211SCAN, make ifconfig scan instant.

The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stsp@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.

The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.

In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.

The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...

Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.

Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).

Tested by mpi@, landry@, florian@, thanks!
OK mpi@.


Revision tags: OPENBSD_6_3_BASE
# 1.126 06-Feb-2018 phessler

convert the test if a node supports HT (aka, 11n) into an inline function,
instead of testing some un-obvious bitfield

OK stsp@


# 1.125 12-Dec-2017 stsp

Don't dereference IEEE80211_CHAN_ANYC pointer in ieee80211_node_checkrssi().

Problem reported by Gregoire Jadi on bugs@


# 1.124 12-Dec-2017 phessler

Allow interfaces that aren't SCANNALLBAND drivers to benefit from the
strongest received signal.

OK stsp@


# 1.123 12-Dec-2017 jcs

Fix the behavior of preferring weaker-but-still-good 5GHz APs over
2GHz APs because the 5GHz band is generally less saturated.

The previous implementation was dependent upon the order of walking
APs.

ok stsp


# 1.122 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


Revision tags: OPENBSD_6_2_BASE
# 1.121 05-Sep-2017 stsp

When starting a new scan always set the mode to AUTO if the driver scans
all bands at once. Fixes a problem where e.g. 5GHz APs were filtered out
if we were previously associated to an 11g-only AP.
ok mpi@ phessler@


# 1.120 17-Aug-2017 stsp

Add an entry to dmesg if pairwise WPA keys arrive unexpectedly or if WPA
group keys are being reused. OpenBSD wireless clients will now leave a
trail of such events in their message log.

There has been increased public scrutiny of WPA's security recently, so
I am curious to see if anyone is attempting replay attacks in the wild.

ok deraadt


# 1.119 04-Aug-2017 stsp

Compile a debug printf in ieee80211_match_bss() by default, previously
guarded by the IEEE80211_DEBUG preprocessor flag. This shows one line
per detected AP after a scan, and indicates which APs are considered
candidates for association.
Shorten the output a bit to fit into 80 columns more likely.
ok sthen@


# 1.118 19-Jul-2017 stsp

Improve the heuristic which selects 5GHz APs over 2GHz APs.

The previous code wasn't quite right: it didn't account for the fact that
some drivers don't set ic_max_rssi, and it compared 5GHz APs to a threshold
relative to the max RSSI, rather than comparing RSSI on 5GHz relative to
RSSI on 2GHz.

This heuristic is only used by SCANNALLBAND drivers: iwn(4), iwm(4), wpi(4)

In the future the AP selection heuristic should be made more intelligent,
e.g. it should take BSS load information in beacons into account.
Another open problem is inconsistent representation of RSSI measurement
values throughout our drivers and stack. Help is welcome!

For now, this hopefully improves AP selection at busy airports.

ok sthen@ deraadt@


# 1.117 04-Jun-2017 tb

Add sizes for free for the RSN IEs. Rewrite ieee80211_save_ie() slightly
to make it more readable.

help, many explanations and ok stsp


# 1.116 03-Jun-2017 tb

Add a few sizes to free().

Input, help & ok stsp


Revision tags: OPENBSD_6_1_BASE
# 1.115 04-Mar-2017 stsp

branches: 1.115.4;
In 11n hostap mode, dynamically adjust HT protection settings based on
the presence of non-HT nodes in the node cache.
OpenBSD 11n APs will now disable HT protection if it is not necessary.
ok mpi@


# 1.114 03-Feb-2017 stsp

Fix 11b clients sending bogus ratesets in association requests. The common
rateset with the AP is calculated only after the association response was
received, which is too late. Fix rates when an AP is selected after a scan.
ok mpi@ tb@


# 1.113 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.112 16-Jan-2017 stsp

Reset block ack state and cancel related timeouts when a HT node disassociates.
The existing code (from damien@) already took care of freeing related buffers
but because block ack state was not reset we were still trying to use these
buffers if the node sent another A-MPDU. This problem only affects 11n hostap.
Fixes kernel crash reported by Timo Myyra on bugs@


# 1.111 09-Jan-2017 stsp

When a HT node leaves or reassociates as a non-HT node,
clear HT capabilities stored in its node cache object.

A node may switch from 11n mode to 11a/b/g mode.
If we don't clear HT capabilities from the cache the node will
be mistaken as 11n-capable after reassociation.

ok phessler@ mpi@


# 1.110 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.109 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.108 09-Jan-2017 stsp

The point of ieee80211_node_leave() is to place the node in COLLECT state.
Return early and do nothing if the node is already in COLLECT state upon
entry to this function.


# 1.107 09-Jan-2017 stsp

When acting as hostap, negotiate HT before calling the driver's ic_newassoc()
function, not afterwards. Drivers now know whether a joining node supports HT
which helps with setting up state such as which Tx rate to use.


# 1.106 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@


# 1.105 15-Sep-2016 dlg

move from RB macros to the RBT functions.

shaves about 5k off an amd64 GENERIC.MP kernel


# 1.104 17-Aug-2016 stsp

If a wireless device or driver scans all bands at once give 5GHz APs
a slight priority in cases where good matches exist in either band.
ok sthen@


Revision tags: OPENBSD_6_0_BASE
# 1.103 21-May-2016 stsp

branches: 1.103.2;
Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


# 1.102 18-May-2016 stsp

In hostap mode, don't re-use association IDs (AIDs) of nodes which are
still lingering in the node cache. This could cause an AID to be assigned
twice, once to a newly associated node and once to a different node in
COLLECT cache state (i.e. marked for future eviction from the node cache).

Drivers (e.g. rt2860) may use AIDs to keep track of nodes in firmware
tables and get confused when AIDs aren't unique across the node cache.
The symptom observed with rt2860 was nodes stuck at 1 Mbps Tx rate since
the duplicate AID made the driver perform Tx rate (AMRR) accounting on
the wrong node object.

To find out if a node is associated we now check the node's cache state,
rather than comparing the node's AID against zero. An AID is assigned when
a node associates and it lasts until the node is eventually purged from the
node cache (previously, the AID was made available for re-use when the node
was placed in COLLECT state). There is no need to be stingy with AIDs since
the number of possible AIDs exceeds the maximum number of nodes in the cache.

Problem found by Nathanael Rensen.
Fix written by Nathanael and myself. Tested by Nathanael.
Committing now to get this change tested across as many drivers as possible.


# 1.101 12-Apr-2016 mpi

Call if_enqueue() and if_start() instead of dereferencing the ifp
pointers.

These functions have been introduced to abstract some of the MP-
safeness^Wmadness and should be used everywhere.

Prodded by a comment from jsg@.

ok mikeb@, stsp@


# 1.100 03-Mar-2016 gerhard

Restore assignment of ic_curmode that was accidentally removed when
moving the ERP code to post-assoc phase. Fixes iwi(4) fatal firmware
errors.

ok stsp@, sobrado@


Revision tags: OPENBSD_5_9_BASE
# 1.99 25-Jan-2016 stsp

branches: 1.99.2;
Honour ERP protection on 2 GHz channels in 11n mode, as done for 11g.
ok millert@


# 1.98 25-Jan-2016 stsp

Don't try to interpret htprot data if the last beacon didn't contain such data.
ok mpi@ millert@


# 1.97 07-Jan-2016 stsp

Make the A-MPDU reordering buffer more resilient against APs which drop
some subframes or let the sequence number jump up by more than 1 (hard
to tell which it is). We decrease the BA inactivity timeout for quicker
recovery from stalled BA sessions, and add a new timeout which keeps track
of gaps in the subframe sequence number space due to dropped frames.
Gaps expire after 500 msec, the same value FreeBSD uses for their
implementation of this workaround. And Linux uses this trick, too.

This should fix network stalls some people have been seeing in 11n mode.

ok deraadt@


# 1.96 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.95 04-Jan-2016 stsp

While configuring ERP we need to know if we're in 11a or 11g mode so only
configure ERP once we are sure about our operation mode against the AP.
ok sthen jasper kettenis deraadt mpi


# 1.94 18-Dec-2015 sthen

unnoccupied->unoccupied


# 1.93 12-Dec-2015 stsp

Finish support for receiving 11n A-MPDUs.

The initial implementation was added by damien@ years ago.
Summary of the changes made in this commit:
- In ieee80211_input(), process A-MPDUs before duplicate detection.
- Don't forget to set ba->ba_ni in ieee80211_recv_addba_req()
so we don't crash in ieee80211_rx_ba_timeout().
- In ieee80211_recv_addba_req(), tweak the logic to deny BlockAck
requests if the driver has no callback for doing so.
- Implement ieee80211_ba_del() which cleans up BlockAck state.
- Increase the minimum and maximum lifetime for BlockAck agreements.

ok mpi@


# 1.92 24-Nov-2015 mpi

No need to include <net/if_arp.h>

This header is only needed because <netinet/if_ether.h> declares a
structure that needs it. But it turns out that <net/if.h> already
includes it as workaround.

A proper solution would be to stop declaring "struct ether_arp"
there. But no driver should need this header.


# 1.91 15-Nov-2015 stsp

Parse 11n HT capabilities and operational info from association response
frames, negotiate HT with the AP, and move the interface into or out of
11n mode accordingly. If running as AP negotiate HT with nodes joining the BSS.

ok deraadt mpi kettenis guenther


# 1.90 15-Nov-2015 stsp

Extend struct ieee80211_node with fields for 11n STA HT capabilities and
HT operational information sent by 11n APs. These fields reflect the structure
of elements in management frames so that IEEE80211_HTCAP* and IEEE80211_HTOP*
macros designed to operate on frame elements can be used directly to read
or set the fields.

Populate nodes with HT information received in probe responses, probe
requests, and association requests.

ok deraadt mpi phessler kettenis guenther


# 1.89 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


Revision tags: OPENBSD_5_8_BASE
# 1.88 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.87 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.86 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.85 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.84 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.83 12-Sep-2014 sthen

Remove cached 802.11 nodes in IEEE80211_STA_CACHE state (these are nodes
which have been seen but which haven't otherwise interacted with us), fixing
a problem where old cached nodes are seen when doing a scan.
From Marcin Piotr Pawlowski, feedback stsp@ ok kspillner@ dcoppa@


# 1.82 08-Aug-2014 jasper

use nitems() instead of various local constructs

ok stsp@


Revision tags: OPENBSD_5_6_BASE
# 1.81 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


Revision tags: OPENBSD_5_5_BASE
# 1.80 01-Dec-2013 stsp

Reset txrate array index after changing a node's rate list.
Should prevent "bogus xmit rate %d setup" panics, which I ran into again
in IBSS mode.
ok kettenis


# 1.79 21-Nov-2013 mpi

Remove unneeded include.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.78 24-Mar-2013 claudio

Make ieee80211_set_tim() available from outside of ieee80211_node.c
so drivers like acx(4) can use that function directly instead of
reimplementing the function again. Requested by kettenis@ a long time ago.


Revision tags: OPENBSD_5_3_BASE
# 1.77 07-Nov-2012 stsp

Fix DPRINTF() format string treating n->ni_refcnt, which is unsigned, as signed.
diff from dhill; ok kettenis reyk


# 1.76 10-Oct-2012 kettenis

Clear the powersave flag and purge queued packets when a node leaves the AP
(either by disassociating or by timeout). Fixes (most) remaining issues with
power saving.

From Nathanael Rensen.

ok claudio@, krw@, sthen@


# 1.75 05-Oct-2012 camield

Point an interface directly to its bridgeport configuration, instead
of to the bridge itself. This is ok, since an interface can only be part
of one bridge, and the parent bridge is easy to find from the bridgeport.

This way we can get rid of a lot of list walks, improving performance
and shortening the code.

ok henning stsp sthen reyk


# 1.74 20-Sep-2012 stsp

Nuke M_80211_NODE #define which mapped to M_DEVBUF and use M_DEVBUF directly.
ok henning


# 1.73 25-Aug-2012 kettenis

Set up ni_savedq for the initial BSS node such that it can actually be used
to store multicast frames when one of the associated stations is in power
saving mode.

ok stsp@


# 1.72 17-Aug-2012 stsp

Fix possible panic while switching from STA mode into hostap/ibss modes.
ieee80211_create_ibss() resets the set of supported rates but failed
to update the index into the rate set array accordingly. If the rate
configured during STA operation didn't belong to the newly configured
rate set the system ran into an assertion ("bogus xmit rate %u setup")
while trying to create the IBSS.
ok fgsch@


Revision tags: OPENBSD_5_2_BASE
# 1.71 18-Jul-2012 stsp

Print messages about nodes purged from the node cache if hostap/ibss modes are
compiled in and the interface is in debug mode. ok sthen


# 1.70 16-Jul-2012 stsp

Move increment of ic_nnodes closer to where the node is actually inserted
into the cache. Make sure we're at IPL_NET while incrementing/decrementing
ic_nnodes. Add a debug message that warns about possible node leaks.
All of this affects hostap mode only.


# 1.69 13-Jul-2012 stsp

Tweak node cache eviction strategy when the cache is full: kick off new nodes
in AUTH state that weren't active during the cache wait interval rather than
keeping them for the entire cache timeout interval. Fixes association failures
in noisy RF environments. Tested by edd and myself with a slow soekris
suffering from RF noise with about 50 interrupts per second on ral0.
ok deraadt


Revision tags: OPENBSD_5_1_BASE
# 1.68 25-Jan-2012 stsp

There is no need to explicitly skip ic_bss when iterating over cached nodes.
The ic_bss is never put into the RB tree.


# 1.67 25-Jan-2012 stsp

Clean inactive authenticated nodes during cache timeout as well.
There is no need to keep nodes cached which never associated and were
inactive within the last 5 minutes or more. Keeps the node cache pretty
clean in my environment with typical city-center wlan noise.


# 1.66 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@
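The eviction policy spelled out in 1.69, 1.67 and 1.66 above, as an added example (not OpenBSD code): a small C model of the hostap node cache with the periodic sweep and the victim selection used when the cache is full. The 5-minute inactivity threshold is from the log; the 60 s cache wait interval, the state names, the time base and the demo contents are assumptions made here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not OpenBSD code: model of the hostap node-cache eviction
 * policy described in revisions 1.69, 1.67 and 1.66. */
enum ex_state {
	EX_S_CACHE,   /* seen on air, never authenticated (e.g. a client only scanning) */
	EX_S_AUTH,    /* authenticated, not (yet) associated */
	EX_S_ASSOC    /* associated */
};

struct ex_node {
	bool in_use;
	enum ex_state state;
	uint32_t last_act;   /* time (s) of the last frame sent to or received from the node */
};

#define EX_INACT_SECS  (5 * 60)  /* inactive after 5 minutes without traffic (1.66) */
#define EX_CACHE_WAIT  60        /* hypothetical cache wait interval for AUTH nodes (1.69) */

static bool ex_idle_for(const struct ex_node *ni, uint32_t now, uint32_t secs)
{
	return now - ni->last_act >= secs;
}

/* Periodic sweep (hourly in 1.66): free never-authenticated nodes and, per
 * 1.67, authenticated-but-never-associated nodes once they are inactive.
 * Associated nodes are left alone here. Returns the number of nodes freed. */
int ex_cache_sweep(struct ex_node *nodes, size_t n, uint32_t now)
{
	int freed = 0;

	for (size_t i = 0; i < n; i++) {
		struct ex_node *ni = &nodes[i];
		if (!ni->in_use || ni->state == EX_S_ASSOC)
			continue;
		if (ex_idle_for(ni, now, EX_INACT_SECS)) {
			ni->in_use = false;
			freed++;
		}
	}
	return freed;
}

/* The cache is full and a new node must be admitted. Victim preference:
 *  1. any never-authenticated node, least recently active first (1.66);
 *  2. an AUTH node idle for the whole cache wait interval (1.69);
 *  3. an associated node inactive for 5 minutes (1.66).
 * Returns the victim's index, or -1 when nothing may be evicted; the caller
 * must then refuse the new node rather than overwrite a live one. */
int ex_pick_victim(const struct ex_node *nodes, size_t n, uint32_t now)
{
	int best = -1;

	for (size_t i = 0; i < n; i++) {
		if (!nodes[i].in_use || nodes[i].state != EX_S_CACHE)
			continue;
		if (best < 0 || nodes[i].last_act < nodes[best].last_act)
			best = (int)i;
	}
	if (best >= 0)
		return best;
	for (size_t i = 0; i < n; i++)
		if (nodes[i].in_use && nodes[i].state == EX_S_AUTH &&
		    ex_idle_for(&nodes[i], now, EX_CACHE_WAIT))
			return (int)i;
	for (size_t i = 0; i < n; i++)
		if (nodes[i].in_use && nodes[i].state == EX_S_ASSOC &&
		    ex_idle_for(&nodes[i], now, EX_INACT_SECS))
			return (int)i;
	return -1;
}

/* Constructed cache contents for the sweep; returns how many nodes it frees. */
int ex_demo_sweep(void)
{
	uint32_t now = 10000;
	struct ex_node nodes[4] = {
		{ true, EX_S_CACHE, now - 400 },   /* idle > 5 min: freed */
		{ true, EX_S_AUTH,  now - 301 },   /* idle > 5 min, never associated: freed */
		{ true, EX_S_ASSOC, now - 5000 },  /* associated: not the sweep's job */
		{ true, EX_S_CACHE, now - 10 },    /* active: kept */
	};
	return ex_cache_sweep(nodes, 4, now);
}

/* Constructed full caches; returns the victim index chosen for each layout. */
int ex_demo_victim(int layout)
{
	uint32_t now = 10000;
	struct ex_node c[3] = { { true, EX_S_ASSOC, now - 10 },
	    { true, EX_S_AUTH, now - 30 }, { true, EX_S_ASSOC, now - 20 } };

	switch (layout) {
	case 0: c[1].state = EX_S_CACHE; c[1].last_act = now - 200;
		c[2].state = EX_S_CACHE; c[2].last_act = now - 50; break; /* oldest cache node */
	case 1: c[2].state = EX_S_AUTH; c[2].last_act = now - 90; break;  /* AUTH past cache wait */
	case 2: c[2].last_act = now - 400; break;                          /* inactive associated node */
	default: break;                                                    /* all live: refuse */
	}
	return ex_pick_victim(c, 3, now);
}

int main(void)
{
	printf("sweep freed %d; victims: %d %d %d %d\n", ex_demo_sweep(), ex_demo_victim(0),
	    ex_demo_victim(1), ex_demo_victim(2), ex_demo_victim(3));
	return 0;
}
```

The -1 path is the one worth keeping an eye on: when every slot holds a live associated or recently authenticated client, the right answer is to refuse the newcomer, not to evict a working station to make room for a device that may only be scanning.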


# 1.65 21-Jan-2012 stsp

Hold interrupts blocked while comparing a cached node's refcount to zero
and freeing the node. Just in case an interrupt happens to ref the node after
the refcount was checked but before the node is freed.
Tested by several as part of a larger diff.


# 1.64 18-Jan-2012 stsp

Make it possible to free cached nodes which never associated (e.g. nodes
only scanning for networks). These were never put into COLLECT state and
were thus never evicted from the node cache in hostap mode.
ok jsg@


Revision tags: OPENBSD_5_0_BASE
# 1.63 28-Mar-2011 kettenis

Clean nodes until the number of cached nodes is smaller than the maximum number
of nodes, otherwise we'll never actually clean any nodes. Fixes issues with
clients failing to attach because the node cache is completely filled.

ok damien@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.62 07-Aug-2010 krw

No "\n" needed at the end of panic() strings.

Bogus chunks pointed out by matthew@ and miod@. No cookies for
marco@ and jasper@.

ok deraadt@ miod@ matthew@ jasper@ marco@


# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


# 1.60 19-Jun-2010 damien

In ieee80211_node_leave(), clear the associd after calling
ieee80211_node_leave_rsn() since ieee80211_node_leave_rsn()
calls ic_delete_key() and drivers like ral(4) RT2860 need
a valid associd in their delete_key callbacks.
This affects HostAP mode only.

from Nathanael Rensen.

remove a useless (nested) #ifndef IEEE80211_STA_ONLY while i'm here


# 1.59 14-Jun-2010 damien

fix my previous commit, i forgot BIP, so instead of enumerating
what is not supported as a group cipher, enumerate what is supported.


# 1.58 14-Jun-2010 damien

do not try to associate with an AP using an unsupported group cipher,
otherwise we will panic in ieee80211_add_rsn_body().

this may be the cause of a panic seen by reyk@ though i'm not 100% sure.


# 1.57 28-Mar-2010 krw

Four uses of uninitialized variables found by clang via jsg@. ar5416, ar9287
and athn are only theoretically interesting. ieee80211_node fixes a real
bug in occupied channel detection.

ok damien@


Revision tags: OPENBSD_4_7_BASE
# 1.56 17-Feb-2010 damien

Do not always create a new node when a beacon or a probe response
is received. The creation of a new node is already handled in
ieee80211_recv_probe_resp() when necessary.
This avoids creating empty nodes with wrong channels when beacons
are received on the wrong channel (overlapping channels).
Those empty nodes may also prevent the real node from being
discovered because of ieee80211_find_node_for_beacon() filtering.

This should prevent entries of the form:
nwid "" chan 3 bssid 00:01:02:03:04:05 0dB 54M
in "ifconfig if0 scan" output, like reported by Rivo Nurges.


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.55 29-Jan-2009 damien

fix a panic that occurs when IEEE80211_STA_ONLY is defined (SMALL_KERNEL).

noticed by ray@, more investigation from sthen@
fix tested by sthen@


# 1.54 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.53 28-Jan-2009 damien

In ieee80211_find_node(), roll our own RB_FIND() based on the key (macaddr)
instead of resorting to horrid hacks/casts.
Restore the ieee80211_node structure back to its original state.


# 1.52 27-Jan-2009 damien

unbreak SMALL_KERNEL builds by adding missing #ifndef IEEE80211_STA_ONLY

pointed out by krw@


# 1.51 26-Jan-2009 damien

move ni_macaddr field at the top of the ieee80211_node structure.
this way we can avoid putting a full node structure (which is huge)
on the stack in ieee80211_find_node().
this is a bit tricky but the RB_FIND macro wants an "elem" structure,
not a field of "elem".


# 1.50 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.49 14-Dec-2008 damien

Add an ieee80211_notify_dtim() function that drivers should call after
every DTIM in HostAP mode.
Flushes all group addressed MSDUs buffered at the AP for power management.


# 1.48 23-Oct-2008 mk

Prevent a crash in ieee80211_setkeys() when unplugging an interface in
hostap mode by canceling the group rekey timeout in ieee80211_node_detach().

ok damien


# 1.47 15-Oct-2008 blambert

Second pass of simple timeout_add -> timeout_add_sec conversions
This should take care of the simpler ones (i.e., timeout values of
integer multiples of hz).

ok krw@, art@


# 1.46 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.45 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.44 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.43 12-Aug-2008 damien

new SHA-256 based AKMPs.


# 1.42 12-Aug-2008 damien

add/process group integrity cipher suite in RSN IEs.
add support for MFP negotiation during association.


# 1.41 12-Aug-2008 damien

the only integrity group cipher currently supported is AES-128-CMAC.


# 1.40 12-Aug-2008 damien

generate a random IGTK in HostAP mode if we're MFP-capable.


# 1.39 12-Aug-2008 damien

get rid of the map_ptk()/map_gtk() functions, just inline them
which makes things easier to track.


Revision tags: OPENBSD_4_4_BASE
# 1.38 02-Aug-2008 damien

Drop frames that are received unencrypted when WEP is on or when
WPA is on and RX protection for TA is on.
Keep track of the TX/RX protection for each node when WPA is on.

tested by djm@ (ral+wpa), ckuethe@ (ath-noenc) and krw@ (wpi<->ral+wpa).
hints from bluhm@
has been in snaps for a few days.

pointed out by bluhm@ something like 1 year ago but we did not have
the right infrastructure to fix it properly at that time.

ok deraadt@


# 1.37 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.36 27-Jul-2008 damien

s/IEEE80211_DPRINTF/DPRINTF/
automatically prepend __func__ to output.

deobfuscates debug messages a bit.
no binary change unless compiled with IEEE80211_DEBUG.


# 1.35 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.34 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


# 1.33 21-Apr-2008 damien

move ieee80211_ibss_merge() from ieee80211_input.c to ieee80211_node.c


# 1.32 21-Apr-2008 damien

move ieee80211_auth_open() to ieee80211_proto.c
move ieee80211_setup_rates() to ieee80211_node.c
move some prototypes from ieee80211_proto.h to ieee80211_crypto.h


# 1.31 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.30 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.29 07-Sep-2007 damien

use new malloc M_ZERO flag + replace MALLOC with malloc


Revision tags: OPENBSD_4_2_BASE
# 1.28 06-Jul-2007 damien

remove remaining bits for pre-RSNA shared authmode support.
it has been #if 0'd since 3.9 and we have never supported this mode (no
ifconfig option etc...).


# 1.27 06-Jul-2007 damien

initialize an uninitialized variable.


# 1.26 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.25 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.24 16-Jun-2007 damien

constify


# 1.23 16-Jun-2007 damien

don't mix u_int{8,16,32}_t and uint{8,16,32}_t
use u_int{8,16,32}_t everywhere.


# 1.22 16-Jun-2007 damien

de-static

ok jsg@


# 1.21 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.20 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


# 1.19 10-Apr-2007 miod

``it's'' -> ``its'' when the grammar gods require this change.


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 13-Nov-2006 damien

fix a possible NULL deref.


Revision tags: OPENBSD_4_0_BASE
# 1.16 19-Jun-2006 reyk

unbreak the code if compiled with IEEE80211_DEBUG by using the right
node attribute.

ok damien@, figured out by claudio@


# 1.15 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.14 19-Feb-2006 damien

Fix a comment in ieee80211_next_scan().


# 1.13 09-Oct-2005 reyk

if the wireless hostap interface belongs to a bridge, learn the node's
address dynamically on this interface after successful association.
this could speed wireless roaming to openbsd accesspoints.

ok jason@, jsg@ can't see anything objectionable


# 1.12 07-Oct-2005 reyk

minor knf


# 1.11 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.10 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.9 08-Sep-2005 jsg

Remove the last of the FreeBSD compatibility goop.
ok reyk@


# 1.8 08-Sep-2005 jsg

Remove FreeBSD if_printf compat function from net80211.
ok reyk@


# 1.7 08-Sep-2005 reyk

reset the scan state for each new mode

ok jsg@


# 1.6 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.5 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.4 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.3 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.2 02-Nov-2004 millert

Don't call memset() if MALLOC returns NULL; also fix the rcs ID.
From Patrick Latifi; OK reyk@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.181 05-May-2020 stsp

Purge the ic_bss->ni_savedq mbuf queue when a wireless interface goes down.

Purging this queue prevents a panic which occurs when a WPA2-enabled athn(4)
hostap interface is reconfigured while this queue contains frames.

In hostap mode, this queue contains group-addressed (broadcast) frames
which are buffered for clients sleeping in powersave state. Frames on
this queue are transmitted when it is time to send another beacon, at
which point in time sleeping clients wake up to receive such frames.

The panic message is "key unset for sw crypto", which can be explained as
follows: Group keys are cleared when the interface goes down. The beacon Tx
interrupt handler gets triggered by hardware when the interface comes back
up. This handler attempts to encrypt the queued frames for transmission,
resulting in the above panic since the group key has been zeroed out.

This panic has been observed with athn(4) by Jan Stary and Ted Patterson,
and Ted has confirmed that this patch fixes the problem.

ok kettenis@ (with the caveat that it's been a long time since he put our
AP-side powersave support into a working state)


# 1.180 08-Apr-2020 stsp

Fix ifconfig "media:" line for 11n wifi interfaces during and after bgscan.

Media was displayed as e.g. "autoselect (OFDM6)" even though 11n was active
because the current media mode is changed to AUTO for background scanning
and was never switched back to 11N.

ok mpi@ pirofti@


# 1.179 15-Jan-2020 phessler

If join is connected to an AP, remove the node from the cache so we properly
reconnect to the AP

OK stsp@


# 1.178 29-Dec-2019 stsp

If the new candidate AP found after a background scan has an RSSI level
that will also trigger background scans, remain with the current AP.
Avoids ping-pong in environments where APs are tuned for low transmit
range, such as 36c3.

ok phessler benno


# 1.177 10-Nov-2019 stsp

Stop connecting to available open wifi networks when the interface is put up.
From now on, this behaviour must be explicitly enabled with ifconfig join "".
ok sthen jcs deraadt


# 1.176 09-Nov-2019 stsp

Give access points which fail to AUTH or ASSOC less priority during
the next selection of networks from the join list. Prevents endless
attempts to connect to an AP which is out of reach but still somehow
manages to get a beacon or two across to us during scan.

Tested with wifi networks at the University of Bucharest.
Makes switching wifi networks possible after walking to a different
room without having to down/up the interface or suspend/resume.

ok phessler@


# 1.175 09-Nov-2019 stsp

Clear the unref callback function pointer when cleaning up an ieee80211_node.
ok mpi@


# 1.174 31-Oct-2019 stsp

Make background scans less frequent if we keep choosing the same AP.

This helps a bit in situations where a single AP is used and background scans
are causing packet loss, as seen with Jesper Wellin's Broadcom-based AP and my
Android phone in hotspot mode. This is not a proper fix but our background scan
frequency against a single AP was much higher than needed anyway.

Tested by jan, job, benno, Tracey Emery, Jesper Wallin


Revision tags: OPENBSD_6_6_BASE
# 1.173 02-Sep-2019 stsp

Make net80211 expose reasons for association failures to userland and have
ifconfig display them in 'scan' output and on the ieee80211 status line if
the failure is applicable to an already selected AP (e.g. wrong WPA key).

This will hopefully reduce the amount of help requests for what often
turn out to be trivial misconfiguration issues that were previously
hard to diagnose without debug mode.

ifconfig must be recompiled with the new ieee80211_ioctl.h to stay in
sync with the kernel. A full 'make build' will do the right thing!

Very helpful input by mpi@ and deraadt@


# 1.172 27-Aug-2019 stsp

Keep ieee80211_node structures cached across scans, rather than
wiping the entire cache every time a scan is triggered.

This has benefits for userland programs trying to look at scan results,
and for drivers which don't get a full view from hardware on every scan.

Nodes will still be evicted from the cache in one of several ways:

Add a new way of timing out inactive nodes which don't send a beacon
within 10 scan iterations, for client mode only. This should get rid
of stale APs if we're scanning for some time in a changing environment.

If we fail to associate a few times, the corresponding node is removed.

If net80211 transitions back to INIT state (e.g. because of a
user-initiated configuration change) all nodes are removed.

When a background scan starts all nodes will be removed. This could be
revisited later but has been intentionally left as-is for now.

Tested by myself, jmc@, benno@, procter@ on iwm(4), athn(4) and ral(4).


# 1.171 26-Aug-2019 stsp

remove redundant assignment to ic_curmode

This assignment to ic_curmode is redundant because it already occurs
inside ieee80211_setmode(), and channel information in selbs and ni
is equivalent after node_copy().

ok mpi@ kevlo@


# 1.170 29-Jul-2019 stsp

Add support for 802.11n Tx aggregation to net80211 and the iwn(4) driver.

In particular, add Tx block ack session management to net80211, with
enough functionality to support Tx aggregation on devices which perform
A-MPDU subframe scheduling in firmware.
Make use of the iwn(4) firmware Tx scheduler to build A-MPDUs.

net80211's QoS support code is now enabled and used by Tx aggregation.

A-MSDU frames inside A-MPDUs have been tested and work in principle.
For now, this feature is disabled because unfair TCP connection sharing
was observed during testing, where bursts of TCP Ack frames for a single
tcpbench(1) connection arriving in A-MSDUs made other TCP connections stall.
Switch off support for A-MSDUs inside A-MPDUs on the Rx side as well.

Tested on iwn chipsets 1000, 4965, 5100, 5300, 2200, 6200, 6205, 6300
(committed version of tested diff has all debug printfs removed)
tests/ok benno kmos mlarkin kevlo


# 1.169 23-Jul-2019 stsp

In 11n hostap mode, properly disable HT protection when needed
by actually overwriting the relevant bits in ni_htop1.
ok tedu@ phessler@ kettenis@


# 1.168 10-Jun-2019 stsp

Revised version of 'ifconfig mode' command fix.

The 'mode' command is supposed to force a wireless interface into 11a/b/g/n
media mode. This stopped working some time ago, probably during my work on
background scanning. Problem spotted by mlarkin@ who noticed that interfaces
were using 11g mode while forced to 11b mode.

ok phessler, jmatthew (earlier version)
relentless testing by krw@


# 1.167 31-May-2019 stsp

Revert my "Repair the 'ifconfig mode' command" commit.

The "recursion in end_scan()" problem is apparently still present in
the committed version of the diff (reported by krw@).


# 1.166 29-May-2019 stsp

Repair the 'ifconfig mode' command.

The 'mode' command is supposed to force a wireless interface into 11a/b/g/n
media mode. This stopped working some time ago, probably during my work on
background scanning. Problem spotted by mlarkin@ who noticed that interfaces
were using 11g mode while forced to 11b mode.

ok phessler, jmatthew


# 1.165 11-May-2019 stsp

Show driver name on net80211 scan debug lines.
ok mpi@


# 1.164 28-Apr-2019 mpi

Removes the KERNEL_LOCK() from bridge(4)'s output fast-path.

This redefines the ifp <-> bridge relationship. No lock can be
currently used across the multiples contexts where the bridge has
tentacles to protect a pointer, use an interface index.

Tested by various, ok dlg@, visa@


Revision tags: OPENBSD_6_5_BASE
# 1.163 15-Mar-2019 phessler

fix autojoin for WEP network by actually saving the WEP auth key

discovered while attempting to autojoin WEP networks


# 1.162 01-Mar-2019 stsp

Improve handling of HT protection for 'mode 11n' hostap.

Consider the mere presence of HTCAP IEs as indicator of 11n support,
rather than checking advertised Rx MCS. Fixes some devices being
misclassified as 11a/g, causing HT protection to be enabled even
though it is not needed.

Use CTS-to-self frames for HT protection instead of RTS/CTS.

These changes make my athn(4) AR9280 hostap perform much better.

ok phessler@


# 1.161 23-Jan-2019 stsp

Move 802.11n rateset definitions out of MiRA and make them available to
net80211 and drivers in general. Add ratesets for 'short guard interval'
(SGI) rates, and add SGI support to MiRA. SGI is currently only used by
iwm(4), and of course internally by bwfm(4) firmware.
Ratesets for 11n 40 MHz channels and 11ac will come later.
ok mpi@ phessler@


# 1.160 18-Jan-2019 phessler

add a len field when we delete an essid from the joinlist. this will have
us properly match, instead of hoping we got lucky when selecting it.

OK stsp@


# 1.159 18-Jan-2019 phessler

let users automatically use join to connect to any open wifi network.
if a known network is visible, always prefer that instead.

requested by many, OK stsp@


# 1.158 25-Nov-2018 phessler

print more details about the join'd networks we have saved when a user runs
ifconfig if joinlist

OK stsp@


# 1.157 20-Nov-2018 phessler

fix whitespace in debugging function


# 1.156 20-Nov-2018 patrick

The first packet received from each AP in each QoS class would be
dropped as the sequence number matches the initial value of the
cached last sequence number (zero). On some APs (notably Android
WIFI hotspots) this hits the first packet of the WPA2 4-way
handshake. This causes connection delays and in some cases
connection to the AP fails completely. Initialize the cached last
sequence numbers for received packets to an invalid value instead.

From Christian Ehrhardt
ok gerhard@ stsp@
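The bug described in 1.156, as an added example (not net80211's code): a per-peer duplicate cache keyed by TID, initialised first the old way (zero) and then with a sentinel. The check compares the 12-bit sequence number only; ignoring fragment numbers, the sentinel value 0xffff and the constructed frames are choices made here, not taken from the log.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Added example, not net80211 code: per-peer receive duplicate cache as
 * touched by revision 1.156, one slot per QoS TID plus one for non-QoS frames. */
#define EX_NUM_TID    16
#define EX_RXSEQ_NONE 0xffffU   /* sentinel chosen here: no 12-bit sequence number can equal it */

struct ex_peer {
	uint16_t rxseq;                 /* last sequence number seen on non-QoS frames */
	uint16_t qos_rxseq[EX_NUM_TID]; /* last sequence number seen per TID */
};

/* Pre-1.156 behaviour: all slots start at zero, which is also the sequence
 * number a peer's very first frame legitimately carries. */
void ex_peer_init_zero(struct ex_peer *p)
{
	memset(p, 0, sizeof *p);
}

/* Fixed behaviour: slots start at a value no real frame can match. */
void ex_peer_init_sentinel(struct ex_peer *p)
{
	p->rxseq = EX_RXSEQ_NONE;
	for (int i = 0; i < EX_NUM_TID; i++)
		p->qos_rxseq[i] = EX_RXSEQ_NONE;
}

/* The parts of an 802.11 MAC header the check consumes. */
struct ex_frame {
	bool qos;        /* QoS Data frame, so a TID is present */
	uint8_t tid;     /* 0..15 */
	uint16_t seqctl; /* Sequence Control: 12-bit sequence number << 4 | 4-bit fragment number */
};

uint16_t ex_seqctl(uint16_t seq, uint8_t frag)
{
	return (uint16_t)(((seq & 0xfff) << 4) | (frag & 0xf));
}

/* Duplicate check as modelled here: a frame repeating the last sequence
 * number cached for its TID is treated as a retransmission and discarded;
 * anything else is delivered and updates the slot. Fragment numbers are
 * ignored in this model. Returns true when the frame is delivered. */
bool ex_rx_accept(struct ex_peer *p, const struct ex_frame *f)
{
	uint16_t seq = f->seqctl >> 4;
	uint16_t *last = f->qos ? &p->qos_rxseq[f->tid & 0xf] : &p->rxseq;

	if (*last == seq)
		return false;   /* duplicate, silently discarded */
	*last = seq;
	return true;
}

/* Constructed scenario: the AP's first frame on TID 0 carries sequence
 * number 0, as EAPOL-Key message 1/4 of a fresh association can. Returns 1
 * if the frame reaches the 4-way handshake code, 0 if the cache eats it. */
int ex_first_frame_delivered(bool sentinel_init)
{
	struct ex_peer ap;
	struct ex_frame m1 = { .qos = true, .tid = 0, .seqctl = ex_seqctl(0, 0) };

	if (sentinel_init)
		ex_peer_init_sentinel(&ap);
	else
		ex_peer_init_zero(&ap);
	return ex_rx_accept(&ap, &m1) ? 1 : 0;
}

/* The sentinel must not weaken duplicate suppression: of the constructed
 * sequence [5, 5, 6] on TID 3, only two frames may be delivered. */
int ex_dup_still_dropped(void)
{
	struct ex_peer ap;
	struct ex_frame a = { true, 3, ex_seqctl(5, 0) };
	struct ex_frame b = { true, 3, ex_seqctl(5, 0) };
	struct ex_frame c = { true, 3, ex_seqctl(6, 0) };

	ex_peer_init_sentinel(&ap);
	return ex_rx_accept(&ap, &a) + ex_rx_accept(&ap, &b) + ex_rx_accept(&ap, &c);
}

int main(void)
{
	printf("first frame delivered: zero-init=%d sentinel-init=%d; replay test delivered %d of 3\n",
	    ex_first_frame_delivered(false), ex_first_frame_delivered(true), ex_dup_still_dropped());
	return 0;
}
```

The general lesson is the usual one for any "last seen" cache: the empty state needs a representation that no valid input can collide with, otherwise the first legitimate input is indistinguishable from a replay.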


# 1.155 27-Oct-2018 phessler

pass around the ess and ni structures we plan to use directly, instead
of rediscovering them (possibly badly).

OK stsp@


# 1.154 27-Oct-2018 phessler

clean up accounting of the AUTO_JOIN flag by making sure it is set or cleared
based on the state of the joinlist

OK stsp@


# 1.153 27-Oct-2018 phessler

don't join to a network where we expect cleartext, and the AP is using crypto

OK stsp@


Revision tags: OPENBSD_6_4_BASE
# 1.152 18-Sep-2018 mestre

fix memory leak in ieee80211_end_scan()

OK phessler@ jsg@


# 1.151 17-Sep-2018 jsg

fix memory leaks in ieee80211_add_ess()
ok stsp@ phessler@


# 1.150 11-Sep-2018 phessler

use the format string for signed ints, for signed ints

reminded by stsp@


# 1.149 11-Sep-2018 phessler

With the interface debug flag enabled, print a "score" for each AP we
consider during auto-join. This can help users determine why a specific
network was chosen.

OK stsp@


# 1.148 10-Sep-2018 phessler

fix typo in the length of the essid we want to switch to

found with and OK stsp@


# 1.147 10-Sep-2018 phessler

extract clearing WEP/WPA in ess into helper functions


# 1.146 10-Sep-2018 phessler

give set_ess a len variable, so we can correctly match the essid we want
to switch to.

pointed out by stsp@


# 1.145 09-Sep-2018 phessler

convert the things we save in 'join' into a single ioctl. mixing related
settings over multiple calls was risky and racy. Pass essid, wpa, and wep
parameters in a single ioctl and process it atomically.

no change for 'nwid' users

OK stsp@ benno@


# 1.144 06-Sep-2018 jsg

fix whitespace


# 1.143 01-Sep-2018 stsp

Make 'ifconfig nwid' override 'ifconfig join'.

There was no way to override a decision made by join's network
selection algorithm (apart from disabling the feature by clearing
the join list). Automatic selection is based on heuristics which
cannot always guess correctly so we need to provide an override.

One specific problem was that if 'nwid foo' and 'nwid bar' were
both visible in the scan and only 'nwid foo' was a member of the
join list, then there was no way at all to connect to 'nwid bar'.
The wireless stack would keep selecting 'nwid foo' instead.

'ifconfig iwm0 nwid bar' command will now disable automatic
network selection and force the use of ESSID 'bar'.
Any of these commands will re-enable automatic network selection:
ifconfig iwm0 -nwid
ifconfig iwm0 nwid ''
ifconfig iwm0 join some-network-id

ok phessler@ deraadt@


# 1.142 15-Aug-2018 stsp

Update AP selection heuristics for auto-join.

We now prefer stronger crypto over weaker crypto over none, prefer 5 GHz
band with reasonable RSSI, and use RSSI as a tie-breaker with a slight
advantage for 5GHz. Candidate APs are now ranked by a score which is
calculated based on these attributes.

There is likely room for improvements to make these heuristics
work well across many different environments, but it's a start.

ok phessler@
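One way to write the ranking 1.142 describes, as an added example (not net80211's code): crypto strength dominates, a 5 GHz AP with reasonable signal gets a bonus, and RSSI breaks ties with a slight 5 GHz edge. The weights, the 50 % threshold, the percentage RSSI scale and the constructed scan results are assumptions made here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not net80211 code: candidate-AP ranking with the
 * priorities described in revision 1.142. All weights are assumptions. */
enum ex_crypto { EX_CRYPTO_NONE, EX_CRYPTO_WEP, EX_CRYPTO_WPA1, EX_CRYPTO_WPA2 }; /* weakest to strongest */

struct ex_ap {
	enum ex_crypto crypto;
	bool is_5ghz;
	int rssi;    /* 0..100 signal percentage, as iwm(4)-style drivers report it (assumption) */
};

#define EX_RSSI_5GHZ_OK  50    /* "reasonable" 5 GHz signal; threshold assumed */
#define EX_CRYPTO_WEIGHT 1000  /* above any band or RSSI contribution, so crypto always dominates */
#define EX_BAND_BONUS    200

int ex_ap_score(const struct ex_ap *ap)
{
	int score = (int)ap->crypto * EX_CRYPTO_WEIGHT;

	if (ap->is_5ghz && ap->rssi >= EX_RSSI_5GHZ_OK)
		score += EX_BAND_BONUS;   /* prefer 5 GHz only when the signal is usable */
	score += ap->rssi;            /* RSSI as tie-breaker within a crypto class */
	if (ap->is_5ghz)
		score += 1;               /* slight 5 GHz edge on equal RSSI */
	return score;
}

/* Index of the highest-scoring AP, first one on exact ties; -1 for an empty list. */
int ex_ap_select(const struct ex_ap *aps, size_t n)
{
	int best = -1;

	for (size_t i = 0; i < n; i++)
		if (best < 0 || ex_ap_score(&aps[i]) > ex_ap_score(&aps[best]))
			best = (int)i;
	return best;
}

/* Constructed two-AP scan results; returns the index the policy picks. */
int ex_demo_select(int scenario)
{
	static const struct ex_ap cases[4][2] = {
		{ { EX_CRYPTO_NONE, false, 100 }, { EX_CRYPTO_WPA2, false, 30 } }, /* 0: crypto beats signal */
		{ { EX_CRYPTO_WPA2, true,   60 }, { EX_CRYPTO_WPA2, false, 70 } }, /* 1: usable 5 GHz beats louder 2.4 GHz */
		{ { EX_CRYPTO_WPA2, true,   40 }, { EX_CRYPTO_WPA2, false, 45 } }, /* 2: weak 5 GHz gets no bonus */
		{ { EX_CRYPTO_WPA2, true,   55 }, { EX_CRYPTO_WPA2, false, 55 } }, /* 3: equal RSSI, 5 GHz wins */
	};

	if (scenario < 0 || scenario >= 4)
		return -1;
	return ex_ap_select(cases[scenario], 2);
}

int main(void)
{
	for (int s = 0; s < 4; s++)
		printf("scenario %d -> AP %d\n", s, ex_demo_select(s));
	return 0;
}
```

Scenario 0 is the property to check first in any such heuristic: a loud open AP must never outrank an encrypted one, which is why the crypto weight is deliberately larger than the maximum the band bonus and RSSI can add together.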


# 1.141 13-Aug-2018 stsp

Add support for band-steering access points to net80211.

Some access points have a feature called "band steering" where they
will try to push clients from 2 GHz channels to 5 GHz channels.
If a client sends probe-requests on both 2 GHz and 5GHz channels, and
then attempts to authenticate on a 2 GHz channel, such APs will deny
authentication and hope that the client will come back on a 5 GHz channel.

So if we fail to AUTH for any reason, and if there is a different
AP with the same ESSID that we haven't tried yet, try that AP next.
Keep trying until no APs are left, and only then continue scanning.

APs with support for this feature were provided by Mischa Peters.

ok phessler@ mpi@


# 1.140 11-Aug-2018 stsp

Add comment explaining why we read basic MCS set only from beacon/probereq.
requested by mpi@


# 1.139 07-Aug-2018 stsp

Ignore basic MCS set information found in association responses.

Some APs (Aruba 105) send a bogus basic MCS set in assoc responses
which prevents us from enabling 11n support with those APs, while
these APs still behave as if we were an 11n client which renders
the association unusable.

The basic MCS set is already provided in beacons anyway, and the
802.11 2012 standard says the basic MCS set is reserved in frames
other than beacons (see Table 8-130).

ok mpi@


# 1.138 06-Aug-2018 stsp

Refactor ieee80211_add_ess():

Drop ieee80211_add_ess's nwid parameter. Read nwid and length directly
from the ic to make it more obvious where this function is reading from.

nwids are binary data with an explicit length, so treat them as such
instead of treating them like strings.

ok florian phessler


# 1.137 06-Aug-2018 florian

Do not set nwid over and over again. We just found the ess by comparing
the nwid. It will not have changed in the meantime.
OK stsp


# 1.136 03-Aug-2018 phessler

revert 1.133 and part of 1.131
the stack doesn't always fill in the parameters correctly

reported by many


# 1.135 30-Jul-2018 stsp

Don't ask drivers to join a wifi network before an AP has been chosen.
Should fix a panic with bwfm(4) reported by mlarkin@
ok phessler@


# 1.134 19-Jul-2018 florian

ieee80211_ess_is_better() returns 0 or 1, comparing > 1 is always
false so we always selected the first wifi available, not the best
one.

While here shuffle some deck chairs to make it clearer that anything is
better than nothing.

tweak & OK phessler


# 1.133 16-Jul-2018 phessler

the AP sends their crypto parameters as a mask, so let us still select it
in case we want WPA2 and they have WPA1 still enabled


# 1.132 16-Jul-2018 phessler

don't save or use auto-join when the card is not in station (aka client) mode

OK stsp@


# 1.131 13-Jul-2018 phessler

Some more checks before auto-join switches networks.

Make sure all of the crypto options the AP announces matches what we
would configure. While here, don't switch if the user has specified
a specific BSSID, and the new AP does not match.

OK stsp@


# 1.130 11-Jul-2018 phessler

Introduce 'auto-join' to the wifi 802.11 stack.

This allows a system to remember which ESSIDs it wants to connect to, any
relevant security configuration, and switch to it when the network we are
currently connected to is no longer available.

Works when connecting and switching between WPA2/WPA1/WEP/clear encryptions.

example hostname.if:
join home wpakey password
join work wpakey mekmitasdigoat
join open-lounge
join cafe wpakey cafe2018
join "wepnetwork" nwkey "12345"
dhcp
inet6 autoconf
up

OK stsp@ reyk@
and enthusiasm from every hackroom I've been in for the last 3 years


# 1.129 28-Apr-2018 stsp

When starting a background scan, free the nodes table to ensure we
get an up-to-date view of APs around us. In particular, we need to
kick out the AP we are associated to. Otherwise, our current AP might
stay cached if it is turned off while we are scanning, and we could
end up picking a now non-existent but "good looking" AP over and over.

found with and ok phessler@


# 1.128 27-Apr-2018 stsp

Fix the scan loop: We were only looking for an AP once and stopped
scanning if none was found.
Accidentally broken in recent ifconfig scan changes by pirofti and me.
ok pirofti


# 1.127 26-Apr-2018 pirofti

net80211: stub SIOCS80211SCAN, make ifconfig scan instant.

The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stsp@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.

The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.

In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.

The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...

Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.

Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).

Tested by mpi@, landry@, florian@, thanks!
OK mpi@.


Revision tags: OPENBSD_6_3_BASE
# 1.126 06-Feb-2018 phessler

convert the test if a node support HT (aka, 11n) into an inline function,
instead of testing some un-obvious bitfield

OK stsp@


# 1.125 12-Dec-2017 stsp

Don't dereference IEEE80211_CHAN_ANYC pointer in ieee80211_node_checkrssi().

Problem reported by Gregoire Jadi on bugs@


# 1.124 12-Dec-2017 phessler

Allow interfaces that aren't SCANNALLBAND drivers to benefit from the
strongest received signal.

OK stsp@


# 1.123 12-Dec-2017 jcs

Fix the behavior of preferring weaker-but-still-good 5GHz APs over
2GHz APs because the 5GHz band is generally less saturated.

The previous implementation was dependent upon the order of walking
APs.

ok stsp


# 1.122 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


Revision tags: OPENBSD_6_2_BASE
# 1.121 05-Sep-2017 stsp

When starting a new scan always set the mode to AUTO if the driver scans
all bands at once. Fixes a problem where e.g. 5GHz APs were filtered out
if we were previously associated to an 11g-only AP.
ok mpi@ phessler@


# 1.120 17-Aug-2017 stsp

Add an entry to dmesg if pairwise WPA keys arrive unexpectedly or if WPA
group keys are being reused. OpenBSD wireless clients will now leave a
trail of such events in their message log.

There has been increased public scrutiny of WPA's security recently, so
I am curious to see if anyone is attempting replay attacks in the wild.

ok deraadt


# 1.119 04-Aug-2017 stsp

Compile a debug printf in ieee80211_match_bss() by default, previously
guarded by the IEEE80211_DEBUG preprocessor flag. This shows one line
per detected AP after a scan, and indicates which APs are considered
candidates for association.
Shorten the output a bit to fit into 80 columns more likely.
ok sthen@


# 1.118 19-Jul-2017 stsp

Improve the heuristic which selects 5GHz APs over 2GHz APs.

The previous code wasn't quite right: it didn't account for the fact that
some drivers don't set ic_max_rssi, and it compared 5GHz APs to a threshold
relative to the max RSSI, rather than comparing RSSI on 5GHz relative to
RSSI on 2GHz.

This heuristic is only used by SCANNALLBAND drivers: iwn(4), iwm(4), wpi(4)

In the future the AP selection heuristic should be made more intelligent,
e.g. it should take BSS load information in beacons into account.
Another open problem is inconsistent representation of RSSI measurement
values throughout our drivers and stack. Help is welcome!

For now, this hopefully improves AP selection at busy airports.

ok sthen@ deraadt@


# 1.117 04-Jun-2017 tb

Add sizes for free for the RSN IEs. Rewrite ieee80211_save_ie() slightly
to make it more readable.

help, many explanations and ok stsp


# 1.116 03-Jun-2017 tb

Add a few sizes to free().

Input, help & ok stsp


Revision tags: OPENBSD_6_1_BASE
# 1.115 04-Mar-2017 stsp

branches: 1.115.4;
In 11n hostap mode, dynamically adjust HT protection settings based on
the presence of non-HT nodes in the node cache.
OpenBSD 11n APs will now disable HT protection if it is not necessary.
ok mpi@


# 1.114 03-Feb-2017 stsp

Fix 11b clients sending bogus ratesets in association requests. The common
rateset with the AP is calculated only after the association response was
received, which is too late. Fix rates when an AP is selected after a scan.
ok mpi@ tb@


# 1.113 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.112 16-Jan-2017 stsp

Reset block ack state and cancel related timeouts when a HT node disassociates.
The existing code (from damien@) already took care of freeing related buffers
but because block ack state was not reset we were still trying to use these
buffers if the node sent another A-MPDU. This problem only affects 11n hostap.
Fixes kernel crash reported by Timo Myyra on bugs@


# 1.111 09-Jan-2017 stsp

When a HT node leaves or reassociates as a non-HT node,
clear HT capabilities stored in its node cache object.

A node may switch from 11n mode to 11a/b/g mode.
If we don't clear HT capabilities from the cache the node will
be mistaken as 11n-capable after reassociation.

ok phessler@ mpi@


# 1.110 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.109 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.108 09-Jan-2017 stsp

The point of ieee80211_node_leave() is to place the node in COLLECT state.
Return early and do nothing if the node is already in COLLECT state upon
entry to this function.


# 1.107 09-Jan-2017 stsp

When acting as hostap, negotiate HT before calling the driver's ic_newassoc()
function, not afterwards. Drivers now know whether a joining node supports HT
which helps with setting up state such as which Tx rate to use.


# 1.106 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@


# 1.105 15-Sep-2016 dlg

move from RB macros to the RBT functions.

shaves about 5k off an amd64 GENERIC.MP kernel


# 1.104 17-Aug-2016 stsp

If a wireless device or driver scans all bands at once give 5GHz APs
a slight priority in cases where good matches exist in either band.
ok sthen@


Revision tags: OPENBSD_6_0_BASE
# 1.103 21-May-2016 stsp

branches: 1.103.2;
Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


# 1.102 18-May-2016 stsp

In hostap mode, don't re-use association IDs (AIDs) of nodes which are
still lingering in the node cache. This could cause an AID to be assigned
twice, once to a newly associated node and once to a different node in
COLLECT cache state (i.e. marked for future eviction from the node cache).

Drivers (e.g. rt2860) may use AIDs to keep track of nodes in firmware
tables and get confused when AIDs aren't unique across the node cache.
The symptom observed with rt2860 were nodes stuck at 1 Mbps Tx rate since
the duplicate AID made the driver perform Tx rate (AMRR) accounting on
the wrong node object.

To find out if a node is associated we now check the node's cache state,
rather than comparing the node's AID against zero. An AID is assigned when
a node associates and it lasts until the node is eventually purged from the
node cache (previously, the AID was made available for re-use when the node
was placed in COLLECT state). There is no need to be stingy with AIDs since
the number of possible AIDs exceeds the maximum number of nodes in the cache.

Problem found by Nathanael Rensen.
Fix written by Nathanael and myself. Tested by Nathanael.
Committing now to get this change tested across as many drivers as possible.


# 1.101 12-Apr-2016 mpi

Call if_enqueue() and if_start() instead of dereferencing the ifp
pointers.

These functions have been introduced to abstract some of the MP-
safeness^Wmadness and should be used everywhere.

Prodded by a comment from jsg@.

ok mikeb@, stsp@


# 1.100 03-Mar-2016 gerhard

Restore assignment of ic_curmode that was accidentally removed when
moving the ERP code to post-assoc phase. Fixes iwi(4) fatal firmware
errors.

ok stsp@, sobrado@


Revision tags: OPENBSD_5_9_BASE
# 1.99 25-Jan-2016 stsp

branches: 1.99.2;
Honour ERP protection on 2 GHz channels in 11n mode, as done for 11g.
ok millert@


# 1.98 25-Jan-2016 stsp

Don't try to interpret htprot data if the last beacon didn't contain such data.
ok mpi@ millert@


# 1.97 07-Jan-2016 stsp

Make the A-MPDU reordering buffer more resilient against APs which drop
some subframes or let the sequence number jump up by more than 1 (hard
to tell which it is). We decrease the BA inactivity timeout for quicker
recovery from stalled BA sessions, and add a new timeout which keeps track
of gaps in the subframe sequence number space due to dropped frames.
Gaps expire after 500 msec, the same value FreeBSD uses for their
implementation of this workaround. And Linux uses this trick, too.

This should fix network stalls some people have been seeing in 11n mode.

ok deraadt@


# 1.96 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.95 04-Jan-2016 stsp

While configuring ERP we need to know if we're in 11a or 11g mode so only
configure ERP once we are sure about our operation mode against the AP.
ok sthen jasper kettenis deraadt mpi


# 1.94 18-Dec-2015 sthen

unnoccupied->unoccupied


# 1.93 12-Dec-2015 stsp

Finish support for receiving 11n A-MPDUs.

The initial implementation was added by damien@ years ago.
Summary of the changes made in this commit:
- In ieee80211_input(), process A-MPDUs before duplicate detection.
- Don't forget to set ba->ba_ni in ieee80211_recv_addba_req()
so we don't crash in ieee80211_rx_ba_timeout().
- In ieee80211_recv_addba_req(), tweak the logic to deny BlockAck
requests if the driver has no callback for doing so.
- Implement ieee80211_ba_del() which cleans up BlockAck state.
- Increase the minimum and maximum lifetime for BlockAck agreements.

ok mpi@


# 1.92 24-Nov-2015 mpi

No need to include <net/if_arp.h>

This header is only needed because <netinet/if_ether.h> declares a
structure that needs it. But it turns out that <net/if.h> already
includes it as workaround.

A proper solution would be to stop declaring "struct ether_arp"
there. But no driver should need this header.


# 1.91 15-Nov-2015 stsp

Parse 11n HT capabilities and operational info from association response
frames, negotiate HT with the AP, and move the interface into or out of
11n mode accordingly. If running as AP negotiate HT with nodes joining the BSS.

ok deraadt mpi kettenis guenther


# 1.90 15-Nov-2015 stsp

Extend struct ieee80211_node with fields for 11n STA HT capabilities and
HT operational information sent by 11n APs. These fields reflect the structure
of elements in management frames so that IEEE80211_HTCAP* and IEEE80211_HTOP*
macros designed to operate on frame elements can be used directly to read
or set the fields.

Populate nodes with HT information received in probe responses, probe
requests, and association requests.

ok deraadt mpi phessler kettenis guenther


# 1.89 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


Revision tags: OPENBSD_5_8_BASE
# 1.88 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.87 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.86 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.85 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.84 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.83 12-Sep-2014 sthen

Remove cached 802.11 nodes in IEEE80211_STA_CACHE state (these are nodes
which have been seen but which haven't otherwise interacted with us), fixing
a problem where old cached nodes are seen when doing a scan.
From Marcin Piotr Pawlowski, feedback stsp@ ok kspillner@ dcoppa@


# 1.82 08-Aug-2014 jasper

use nitems() instead of various local constructs

ok stsp@


Revision tags: OPENBSD_5_6_BASE
# 1.81 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


Revision tags: OPENBSD_5_5_BASE
# 1.80 01-Dec-2013 stsp

Reset txrate array index after changing a node's rate list.
Should prevent "bogus xmit rate %d setup" panics, which I ran into again
in IBSS mode.
ok kettenis


# 1.79 21-Nov-2013 mpi

Remove unneeded include.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.78 24-Mar-2013 claudio

Make ieee80211_set_tim() available from outside of ieee80211_node.c
so drivers like acx(4) can use that function directly instead of
reimplementing the function again. Requested by kettenis@ a long time ago.


Revision tags: OPENBSD_5_3_BASE
# 1.77 07-Nov-2012 stsp

Fix DPRINTF() format string treating n->ni_refcnt, which is unsigned, as signed.
diff from dhill; ok kettenis reyk


# 1.76 10-Oct-2012 kettenis

Clear the powersave flag and purge queued packets when a node leaves the AP
(either by disassociating or by timeout). Fixes (most) remaining issues with
power saving.

From Nathanael Rensen.

ok claudio@, krw@, sthen@


# 1.75 05-Oct-2012 camield

Point an interface directly to its bridgeport configuration, instead
of to the bridge itself. This is ok, since an interface can only be part
of one bridge, and the parent bridge is easy to find from the bridgeport.

This way we can get rid of a lot of list walks, improving performance
and shortening the code.

ok henning stsp sthen reyk


# 1.74 20-Sep-2012 stsp

Nuke M_80211_NODE #define which mapped to M_DEVBUF and use M_DEVBUF directly.
ok henning


# 1.73 25-Aug-2012 kettenis

Set up ni_savedq for the initial BSS node such that it can actually be used
to store multicast frames when one of the associated stations is in power
saving mode.

ok stsp@


# 1.72 17-Aug-2012 stsp

Fix possible panic while switching from STA mode into hostap/ibss modes.
ieee80211_create_ibss() resets the set of supported rates but failed
to update the index into the rate set array accordingly. If the rate
configured during STA operation didn't belong to the newly configured
rate set the system ran into an assertion ("bogus xmit rate %u setup")
while trying to create the IBSS.
ok fgsch@


Revision tags: OPENBSD_5_2_BASE
# 1.71 18-Jul-2012 stsp

Print messages about nodes purged from the node cache if hostap/ibss modes are
compiled in and the interface is in debug mode. ok sthen


# 1.70 16-Jul-2012 stsp

Move increment of ic_nnodes closer to where the node is actually inserted
into the cache. Make sure we're at IPL_NET while incrementing/decrementing
ic_nnodes. Add a debug message that warns about possible node leaks.
All of this affects hostap mode only.


# 1.69 13-Jul-2012 stsp

Tweak node cache eviction strategy when the cache is full: kick off new nodes
in AUTH state that weren't active during the cache wait interval rather than
keeping them for the entire cache timeout interval. Fixes association failures
in noisy RF environments. Tested by edd and myself with a slow soekris
suffering from RF noise with about 50 interrupts per second on ral0.
ok deraadt


Revision tags: OPENBSD_5_1_BASE
# 1.68 25-Jan-2012 stsp

There is no need to explicitly skip ic_bss when iterating over cached nodes.
The ic_bss is never put into the RB tree.


# 1.67 25-Jan-2012 stsp

Clean inactive authenticated nodes during cache timeout as well.
There is no need to keep nodes cached which never associated and were
inactive within the last 5 minutes or more. Keeps the node cache pretty
clean in my environment with typical city-center wlan noise.


# 1.66 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@


# 1.65 21-Jan-2012 stsp

Hold interrupts blocked while comparing a cached node's refcount to zero
and freeing the node. Just in case an interrupt happens to ref the node after
the refcount was checked but before the node is freed.
Tested by several as part of a larger diff.


# 1.64 18-Jan-2012 stsp

Make it possible to free cached nodes which never associated (e.g. nodes
only scanning for networks). These were never put into COLLECT state and
were thus never evicted from the node cache in hostap mode.
ok jsg@


Revision tags: OPENBSD_5_0_BASE
# 1.63 28-Mar-2011 kettenis

Clean nodes until the number of cached nodes is smaller than the maximum number
of nodes, otherwise we'll never actually clean any nodes. Fixes issues with
clients failing to attach because the node cache is completely filled.

ok damien@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.62 07-Aug-2010 krw

No "\n" needed at the end of panic() strings.

Bogus chunks pointed out by matthew@ and miod@. No cookies for
marco@ and jasper@.

ok deraadt@ miod@ matthew@ jasper@ marco@


# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


# 1.60 19-Jun-2010 damien

In ieee80211_node_leave(), clear the associd after calling
ieee80211_node_leave_rsn() since ieee80211_node_leave_rsn()
calls ic_delete_key() and drivers like ral(4) RT2860 need
a valid associd in their delete_key callbacks.
This affects HostAP mode only.

from Nathanael Rensen.

remove a useless (nested) #ifndef IEEE80211_STA_ONLY while i'm here


# 1.59 14-Jun-2010 damien

fix my previous commit, i forgot BIP, so instead of enumerating
what is not supported as a group cipher, enumerate what is supported.


# 1.58 14-Jun-2010 damien

do not try to associate with an AP using an unsupported group cipher,
otherwise we will panic in ieee80211_add_rsn_body().

this may be the cause of a panic seen by reyk@ though i'm not 100% sure.


# 1.57 28-Mar-2010 krw

Four uses of uninitialized variables found by clang via jsg@. ar5416, ar9287
and athn are only theoretically interesting. ieee80211_node fixes a real
bug in occupied channel detection.

ok damien@


Revision tags: OPENBSD_4_7_BASE
# 1.56 17-Feb-2010 damien

Do not always create a new node when a beacon or a probe response
is received. The creation of a new node is already handled in
ieee80211_recv_probe_resp() when necessary.
This avoids creating empty nodes with wrong channels when beacons
are received on the wrong channel (overlapping channels).
Those empty nodes may also prevent the real node from being
discovered because of ieee80211_find_node_for_beacon() filtering.

This should prevent entries of the form:
nwid "" chan 3 bssid 00:01:02:03:04:05 0dB 54M
in "ifconfig if0 scan" output, like reported by Rivo Nurges.


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.55 29-Jan-2009 damien

fix a panic that occurs when IEEE80211_STA_ONLY is defined (SMALL_KERNEL).

noticed by ray@, more investigation from sthen@
fix tested by sthen@


# 1.54 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.53 28-Jan-2009 damien

In ieee80211_find_node(), roll our own RB_FIND() based on the key (macaddr)
instead of resorting to horrid hacks/casts.
Restore the ieee80211_node structure back to its original state.


# 1.52 27-Jan-2009 damien

unbreak SMALL_KERNEL builds by adding missing #ifndef IEEE80211_STA_ONLY

pointed out by krw@


# 1.51 26-Jan-2009 damien

move ni_macaddr field at the top of the ieee80211_node structure.
this way we can avoid putting a full node structure (which is huge)
on the stack in ieee80211_find_node().
this is a bit tricky but the RB_FIND macro wants an "elem" structure,
not a field of "elem".


# 1.50 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.49 14-Dec-2008 damien

Add an ieee80211_notify_dtim() function that drivers should call after
every DTIM in HostAP mode.
Flushes all group addressed MSDUs buffered at the AP for power management.


# 1.48 23-Oct-2008 mk

Prevent a crash in ieee80211_setkeys() when unplugging an interface in
hostap mode by canceling the group rekey timeout in ieee80211_node_detach().

ok damien


# 1.47 15-Oct-2008 blambert

Second pass of simple timeout_add -> timeout_add_sec conversions
This should take care of the simpler ones (i.e., timeout values of
integer multiples of hz).

ok krw@, art@


# 1.46 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.45 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.44 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.43 12-Aug-2008 damien

new SHA-256 based AKMPs.


# 1.42 12-Aug-2008 damien

add/process group integrity cipher suite in RSN IEs.
add support for MFP negotiation during association.


# 1.41 12-Aug-2008 damien

the only integrity group cipher currently supported is AES-128-CMAC.


# 1.40 12-Aug-2008 damien

generate a random IGTK in HostAP mode if we're MFP-capable.


# 1.39 12-Aug-2008 damien

get rid of the map_ptk()/map_gtk() functions, just inline them
which makes things easier to track.


Revision tags: OPENBSD_4_4_BASE
# 1.38 02-Aug-2008 damien

Drop frames that are received unencrypted when WEP is on or when
WPA is on and RX protection for TA is on.
Keep track of the TX/RX protection for each node when WPA is on.

tested by djm@ (ral+wpa), ckuethe@ (ath-noenc) and krw@ (wpi<->ral+wpa).
hints from bluhm@
has been in snaps for a few days.

pointed out by bluhm@ something like 1 year ago but we did not have
the right infrastructure to fix it properly at that time.

ok deraadt@


# 1.37 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.36 27-Jul-2008 damien

s/IEEE80211_DPRINTF/DPRINTF/
automatically prepend __func__ to output.

deobfuscates debug messages a bit.
no binary change unless compiled with IEEE80211_DEBUG.


# 1.35 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.34 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


# 1.33 21-Apr-2008 damien

move ieee80211_ibss_merge() from ieee80211_input.c to ieee80211_node.c


# 1.32 21-Apr-2008 damien

move ieee80211_auth_open() to ieee80211_proto.c
move ieee80211_setup_rates() to ieee80211_node.c
move some prototypes from ieee80211_proto.h to ieee80211_crypto.h


# 1.31 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.30 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.29 07-Sep-2007 damien

use new malloc M_ZERO flag + replace MALLOC with malloc


Revision tags: OPENBSD_4_2_BASE
# 1.28 06-Jul-2007 damien

remove remaining bits for pre-RSNA shared authmode support.
it has been #if 0'd since 3.9 and we have never supported this mode (no
ifconfig option etc...).


# 1.27 06-Jul-2007 damien

initialize an uninitialized variable.


# 1.26 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.25 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.24 16-Jun-2007 damien

constify


# 1.23 16-Jun-2007 damien

don't mix u_int{8,16,32}_t and uint{8,16,32}_t
use u_int{8,16,32}_t everywhere.


# 1.22 16-Jun-2007 damien

de-static

ok jsg@


# 1.21 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.20 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


# 1.19 10-Apr-2007 miod

``it's'' -> ``its'' when the grammar gods require this change.


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 13-Nov-2006 damien

fix a possible NULL deref.


Revision tags: OPENBSD_4_0_BASE
# 1.16 19-Jun-2006 reyk

unbreak the code if compiled with IEEE80211_DEBUG by using the right
node attribute.

ok damien@, figured out by claudio@


# 1.15 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.14 19-Feb-2006 damien

Fix a comment in ieee80211_next_scan().


# 1.13 09-Oct-2005 reyk

if the wireless hostap interface belongs to a bridge, learn the node's
address dynamically on this interface after successful association.
this could speed wireless roaming to openbsd accesspoints.

ok jason@, jsg@ can't see anything objectionable


# 1.12 07-Oct-2005 reyk

minor knf


# 1.11 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.10 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.9 08-Sep-2005 jsg

Remove the last of the FreeBSD compatibility goop.
ok reyk@


# 1.8 08-Sep-2005 jsg

Remove FreeBSD if_printf compat function from net80211.
ok reyk@


# 1.7 08-Sep-2005 reyk

reset the scan state for each new mode

ok jsg@


# 1.6 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.5 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.4 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.3 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.2 02-Nov-2004 millert

Don't call memset() if MALLOC returns NULL; also fix the rcs ID.
From Patrick Latifi; OK reyk@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.180 08-Apr-2020 stsp

Fix ifconfig "media:" line for 11n wifi interfaces during and after bgscan.

Media was displayed as e.g. "autoselect (OFDM6)" even though 11n was active
because the current media mode is changed to AUTO for background scanning
and was never switched back to 11N.

ok mpi@ pirofti@


# 1.179 15-Jan-2020 phessler

If join is connected to an AP, remove the node from the cache so we properly
reconnect to the AP

OK stsp@


# 1.178 29-Dec-2019 stsp

If the new candidate AP found after a background scan has an RSSI level
that will also trigger background scans, remain with the current AP.
Avoids ping-pong in environments where APs are tuned for low transmit
range, such as 36c3.

ok phessler benno


# 1.177 10-Nov-2019 stsp

Stop connecting to available open wifi networks when the interface is put up.
From now on, this behaviour must be explicitly enabled with ifconfig join "".
ok sthen jcs deraadt


# 1.176 09-Nov-2019 stsp

Give access points which fail to AUTH or ASSOC less priority during
the next selection of networks from the join list. Prevents endless
attempts to connect to an AP which is out of reach but still somehow
manages to get a beacon or two across to us during scan.

Tested with wifi networks at the University of Bucharest.
Makes switching wifi networks possible after walking to a different
room without having to down/up the interface or suspend/resume.

ok phessler@


# 1.175 09-Nov-2019 stsp

Clear the unref callback function pointer when cleaning up an ieee80211_node.
ok mpi@


# 1.174 31-Oct-2019 stsp

Make background scans less frequent if we keep choosing the same AP.

This helps a bit in situations where a single AP is used and background scans
are causing packet loss, as seen with Jesper Wellin's Broadcom-based AP and my
Android phone in hotspot mode. This is not a proper fix but our background scan
frequency against a single AP was much higher than needed anyway.

Tested by jan, job, benno, Tracey Emery, Jesper Wallin


Revision tags: OPENBSD_6_6_BASE
# 1.173 02-Sep-2019 stsp

Make net80211 expose reasons for association failures to userland and have
ifconfig display them in 'scan' output and on the ieee80211 status line if
the failure is applicable to an already selected AP (e.g. wrong WPA key).

This will hopefully reduce the amount of help requests for what often
turn out to be trivial misconfiguration issues that were previously
hard to diagnose without debug mode.

ifconfig must be recompiled with the new ieee80211_ioctl.h to stay in
sync with the kernel. A full 'make build' will do the right thing!

Very helpful input by mpi@ and deraadt@


# 1.172 27-Aug-2019 stsp

Keep ieee80211_node structures cached across scans, rather than
wiping the entire cache every time a scan is triggered.

This has benefits for userland programs trying to look at scan results,
and for drivers which don't get a full view from hardware on every scan.

Nodes will still be evicted from the cache in one of several ways:

Add a new way of timing out inactive nodes which don't send a beacon
within 10 scan iterations, for client mode only. This should get rid
of stale APs if we're scanning for some time in a changing environment.

If we fail to associate a few times, the corresponding node is removed.

If net80211 transitions back to INIT state (e.g. because of a
user-initiated configuration change) all nodes are removed.

When a background scan starts all nodes will be removed. This could be
revisited later but has been intentionally left as-is for now.

Tested by myself, jmc@, benno@, procter@ on iwm(4), athn(4) and ral(4).


# 1.171 26-Aug-2019 stsp

remove redundant assignment to ic_curmode

This assignment to ic_curmode is redundant because it already occurs
inside ieee80211_setmode(), and channel information in selbs and ni
is equivalent after node_copy().

ok mpi@ kevlo@


# 1.170 29-Jul-2019 stsp

Add support for 802.11n Tx aggregation to net80211 and the iwn(4) driver.

In particular, add Tx block ack session management to net80211, with
enough functionality to support Tx aggregation on devices which perform
A-MPDU subframe scheduling in firmware.
Make use of the iwn(4) firmware Tx scheduler to build A-MPDUs.

net80211's QoS support code is now enabled and used by Tx aggregation.

A-MSDU frames inside A-MPDUs have been tested and work in principle.
For now, this feature is disabled because unfair TCP connection sharing
was observed during testing, where bursts of TCP Ack frames for a single
tcpbench(1) connection arriving in A-MSDUs made other TCP connections stall.
Switch off support for A-MSDUs inside A-MPDUs on the Rx side as well.

Tested on iwn chipsets 1000, 4965, 5100, 5300, 2200, 6200, 6205, 6300
(committed version of tested diff has all debug printfs removed)
tests/ok benno kmos mlarkin kevlo


# 1.169 23-Jul-2019 stsp

In 11n hostap mode, properly disable HT protection when needed
by actually overwriting the relevant bits in ni_htop1.
ok tedu@ phessler@ kettenis@


# 1.168 10-Jun-2019 stsp

Revised version of 'ifconfig mode' command fix.

The 'mode' command is supposed to force a wireless interface into 11a/b/g/n
media mode. This stopped working some time ago, probably during my work on
background scanning. Problem spotted by mlarkin@ who noticed that interfaces
were using 11g mode while forced to 11b mode.

ok phessler, jmatthew (earlier version)
relentless testing by krw@


# 1.167 31-May-2019 stsp

Revert my "Repair the 'ifconfig mode' command" commit.

The "recursion in end_scan()" problem is apparently still present in
the committed version of the diff (reported by krw@).


# 1.166 29-May-2019 stsp

Repair the 'ifconfig mode' command.

The 'mode' command is supposed to force a wireless interface into 11a/b/g/n
media mode. This stopped working some time ago, probably during my work on
background scanning. Problem spotted by mlarkin@ who noticed that interfaces
were using 11g mode while forced to 11b mode.

ok phessler, jmatthew


# 1.165 11-May-2019 stsp

Show driver name on net80211 scan debug lines.
ok mpi@


# 1.164 28-Apr-2019 mpi

Removes the KERNEL_LOCK() from bridge(4)'s output fast-path.

This redefines the ifp <-> bridge relationship. No lock can be
currently used across the multiple contexts where the bridge has
tentacles to protect a pointer, use an interface index.

Tested by various, ok dlg@, visa@


Revision tags: OPENBSD_6_5_BASE
# 1.163 15-Mar-2019 phessler

fix autojoin for WEP network by actually saving the WEP auth key

discovered while attempting to autojoin WEP networks


# 1.162 01-Mar-2019 stsp

Improve handling of HT protection for 'mode 11n' hostap.

Consider the mere presence of HTCAP IEs as indicator of 11n support,
rather than checking advertised Rx MCS. Fixes some devices being
misclassified as 11a/g, causing HT protection to be enabled even
though it is not needed.

Use CTS-to-self frames for HT protection instead of RTS/CTS.

These changes make my athn(4) AR9280 hostap perform much better.

ok phessler@


# 1.161 23-Jan-2019 stsp

Move 802.11n rateset definitions out of MiRA and make them available to
net80211 and drivers in general. Add ratesets for 'short guard interval'
(SGI) rates, and add SGI support to MiRA. SGI is currently only used by
iwm(4), and of course internally by bwfm(4) firmware.
Ratesets for 11n 40 MHz channels and 11ac will come later.
ok mpi@ phessler@


# 1.160 18-Jan-2019 phessler

add a len field when we delete an essid from the joinlist. this will have
us properly match, instead of hoping we got lucky when selecting it.

OK stsp@


# 1.159 18-Jan-2019 phessler

let users automatically use join to connect to any open wifi network.
if a known network is visible, always prefer that instead.

requested by many, OK stsp@


# 1.158 25-Nov-2018 phessler

print more details about the join'd networks we have saved when a user runs
ifconfig if joinlist

OK stsp@


# 1.157 20-Nov-2018 phessler

fix whitespace in debugging function


# 1.156 20-Nov-2018 patrick

The first packet received from each AP in each QoS class would be
dropped as the sequence number matches the initial value of the
cached last sequence number (zero). On some APs (notably Android
WIFI hotspots) this hits the first packet of the WPA2 4-way
handshake. This causes connection delays and in some cases
connection to the AP fails completely. Initialize the cached last
sequence numbers for received packets to an invalid value instead.

From Christian Ehrhardt
ok gerhard@ stsp@
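
The defect described in the message above, as an added example that is not
net80211's code: a model of per-node, per-TID duplicate detection run with
both initial values for the cached sequence control. The frame layout, the
helper names and the choice of 0xffff as the "nothing cached yet" marker are
assumptions of the example; the Retry bit, which the 802.11 duplicate rule
also consults, is left out to keep the model small.

```c
/*
 * Added example, not net80211 code: per-node, per-TID duplicate detection.
 * The cached "last sequence control" must start at a value no frame can
 * carry; seeding it with 0 makes a first frame whose sequence number is 0
 * look like a retransmission, and it is silently dropped.
 */
#include <stdint.h>
#include <stdio.h>

#define NUM_TID		16		/* QoS traffic identifiers 0..15 */
#define SEQCTL_INVALID	0xffffU		/* assumption: seq 4095/frag 15 never comes first */
#define SEQCTL(seq, frag)	((uint16_t)(((seq) << 4) | ((frag) & 0xf)))

struct node {
	uint16_t rxseq;			/* last seqctl of non-QoS frames */
	uint16_t qos_rxseq[NUM_TID];	/* last seqctl per TID for QoS frames */
};

/* Constructed, simplified view of a received data frame. */
struct rxframe {
	int	 qos;		/* 1 if this is a QoS data frame */
	uint8_t	 tid;		/* traffic identifier, valid when qos == 1 */
	uint16_t seqctl;	/* sequence control: (seqnum << 4) | fragnum */
};

/* buggy == 1 seeds the caches with 0 (pre-fix); 0 uses the invalid marker. */
static void
node_init(struct node *ni, int buggy)
{
	uint16_t init = buggy ? 0 : SEQCTL_INVALID;
	int i;

	ni->rxseq = init;
	for (i = 0; i < NUM_TID; i++)
		ni->qos_rxseq[i] = init;
}

/* Drop a frame whose sequence control equals the last one accepted on the
 * same node and TID. Returns 1 if it is discarded as a duplicate, else 0. */
static int
rx_is_duplicate(struct node *ni, const struct rxframe *f)
{
	uint16_t *last = f->qos ? &ni->qos_rxseq[f->tid % NUM_TID] : &ni->rxseq;

	if (f->seqctl == *last)
		return 1;
	*last = f->seqctl;
	return 0;
}

/* First QoS frame from the AP carries sequence number 0 (for example the
 * first EAPOL frame of the 4-way handshake). Returns 1 if it is dropped. */
static int
first_frame_dropped(int buggy)
{
	struct node ni;
	struct rxframe f = { .qos = 1, .tid = 0, .seqctl = SEQCTL(0, 0) };

	node_init(&ni, buggy);
	return rx_is_duplicate(&ni, &f);
}

/* A genuine retransmission (same seqctl delivered twice) must be dropped
 * whatever the seed. Returns 1 if the second copy is dropped. */
static int
retransmission_dropped(int buggy)
{
	struct node ni;
	struct rxframe f = { .qos = 1, .tid = 6, .seqctl = SEQCTL(17, 0) };

	node_init(&ni, buggy);
	(void)rx_is_duplicate(&ni, &f);		/* original copy, accepted */
	return rx_is_duplicate(&ni, &f);	/* retransmitted copy */
}

/* Each TID has its own cache: the same seqctl on another TID is no duplicate. */
static int
other_tid_dropped(int buggy)
{
	struct node ni;
	struct rxframe a = { .qos = 1, .tid = 0, .seqctl = SEQCTL(5, 0) };
	struct rxframe b = { .qos = 1, .tid = 1, .seqctl = SEQCTL(5, 0) };

	node_init(&ni, buggy);
	(void)rx_is_duplicate(&ni, &a);
	return rx_is_duplicate(&ni, &b);
}

int
main(void)
{
	printf("seeded with 0:      first frame dropped=%d, retransmission dropped=%d\n",
	    first_frame_dropped(1), retransmission_dropped(1));
	printf("seeded with 0xffff: first frame dropped=%d, retransmission dropped=%d, other TID dropped=%d\n",
	    first_frame_dropped(0), retransmission_dropped(0), other_tid_dropped(0));
	return 0;
}
```

With the cache seeded with 0 the first frame on every TID is lost while a
real retransmission is still caught in both variants; only the seed changes
between the two runs, which is exactly the shape of the fix.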


# 1.155 27-Oct-2018 phessler

pass around the ess and ni structures we plan to use directly, instead
of rediscovering them (possibly badly).

OK stsp@


# 1.154 27-Oct-2018 phessler

clean up accounting of the AUTO_JOIN flag by making sure it is set or cleared
based on the state of the joinlist

OK stsp@


# 1.153 27-Oct-2018 phessler

don't join to a network where we expect cleartext, and the AP is using crypto

OK stsp@


Revision tags: OPENBSD_6_4_BASE
# 1.152 18-Sep-2018 mestre

fix memory leak in ieee80211_end_scan()

OK phessler@ jsg@


# 1.151 17-Sep-2018 jsg

fix memory leaks in ieee80211_add_ess()
ok stsp@ phessler@


# 1.150 11-Sep-2018 phessler

use the format string for signed ints, for signed ints

reminded by stsp@


# 1.149 11-Sep-2018 phessler

With the interface debug flag enabled, print a "score" for each AP we
consider during auto-join. This can help users determine why a specific
network was chosen.

OK stsp@


# 1.148 10-Sep-2018 phessler

fix typo in the length of the essid we want to switch to

found with and OK stsp@


# 1.147 10-Sep-2018 phessler

extract clearing WEP/WPA in ess into helper functions


# 1.146 10-Sep-2018 phessler

give set_ess a len variable, so we can correctly match the essid we want
to switch to.

pointed out by stsp@


# 1.145 09-Sep-2018 phessler

convert the things we save in 'join' into a single ioctl. mixing related
settings over multiple calls was risky and racy. Pass essid, wpa, and wep
parameters in a single ioctl and process it atomically.

no change for 'nwid' users

OK stsp@ benno@


# 1.144 06-Sep-2018 jsg

fix whitespace


# 1.143 01-Sep-2018 stsp

Make 'ifconfig nwid' override 'ifconfig join'.

There was no way to override a decision made by join's network
selection algorithm (apart from disabling the feature by clearing
the join list). Automatic selection is based on heuristics which
cannot always guess correctly so we need to provide an override.

One specific problem was that if 'nwid foo' and 'nwid bar' were
both visible in the scan and only 'nwid foo' was a member of the
join list, then there was no way at all to connect to 'nwid bar'.
The wireless stack would keep selecting 'nwid foo' instead.

'ifconfig iwm0 nwid bar' command will now disable automatic
network selection and force the use of ESSID 'bar'.
Any of these commands will re-enable automatic network selection:
ifconfig iwm0 -nwid
ifconfig iwm0 nwid ''
ifconfig iwm0 join some-network-id

ok phessler@ deraadt@


# 1.142 15-Aug-2018 stsp

Update AP selection heuristics for auto-join.

We now prefer stronger crypto over weaker crypto over none, prefer 5 GHz
band with reasonable RSSI, and use RSSI as a tie-breaker with a slight
advantage for 5GHz. Candidate APs are now ranked by a score which is
calculated based on these attributes.

There is likely room for improvements to make these heuristics
work well across many different environments, but it's a start.

ok phessler@


# 1.141 13-Aug-2018 stsp

Add support for band-steering access points to net80211.

Some access points have a feature called "band steering" where they
will try to push clients from 2 GHz channels to 5 GHz channels.
If a client sends probe-requests on both 2 GHz and 5GHz channels, and
then attempts to authenticate on a 2 GHz channel, such APs will deny
authentication and hope that the client will come back on a 5 GHz channel.

So if we fail to AUTH for any reason, and if there is a different
AP with the same ESSID that we haven't tried yet, try that AP next.
Keep trying until no APs are left, and only then continue scanning.

APs with support for this feature were provided by Mischa Peters.

ok phessler@ mpi@


# 1.140 11-Aug-2018 stsp

Add comment explaining why we read basic MCS set only from beacon/probereq.
requested by mpi@


# 1.139 07-Aug-2018 stsp

Ignore basic MCS set information found in association responses.

Some APs (Aruba 105) send a bogus basic MCS set in assoc responses
which prevents us from enabling 11n support with those APs, while
these APs still behave as if we were an 11n client which renders
the association unusable.

The basic MCS set is already provided in beacons anyway, and the
802.11 2012 standard says the basic MCS set is reserved in frames
other than beacons (see Table 8-130).

ok mpi@


# 1.138 06-Aug-2018 stsp

Refactor ieee80211_add_ess():

Drop ieee80211_add_ess's nwid parameter. Read nwid and length directly
from the ic to make it more obvious where this function is reading from.

nwids are binary data with an explicit length, so treat them as such
instead of treating them like strings.

ok florian phessler
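
The length-plus-bytes comparison this message and commits 1.146 and 1.148
call for, as an added example that is not net80211's code, beside the
string-style comparison it replaces. The join-list structure, the function
names and the sample SSIDs are constructed for the example.

```c
/*
 * Added example, not net80211 code: an SSID is 0..32 arbitrary octets with
 * an explicit length, so a join-list lookup must compare length and bytes.
 * A C-string comparison stops at the first NUL and only checks a prefix.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NWID_LEN	32	/* an 802.11 SSID element carries 0..32 octets */

struct ess {			/* one join-list entry */
	uint8_t	essid[NWID_LEN];
	size_t	esslen;
};

/* Store an SSID in a join-list entry; over-long input is refused, not truncated. */
static int
ess_set(struct ess *e, const uint8_t *nwid, size_t len)
{
	if (len > NWID_LEN)
		return -1;
	memset(e->essid, 0, sizeof(e->essid));
	memcpy(e->essid, nwid, len);
	e->esslen = len;
	return 0;
}

/* Correct: equal only if the lengths agree and every octet agrees. */
static int
ess_match(const struct ess *e, const uint8_t *nwid, size_t len)
{
	return e->esslen == len && memcmp(e->essid, nwid, len) == 0;
}

/* Wrong: treats the SSID as a C string, so an embedded NUL ends the compare
 * and any scanned SSID that merely starts with the stored one matches. */
static int
ess_match_strncmp(const struct ess *e, const uint8_t *nwid)
{
	return strncmp((const char *)e->essid, (const char *)nwid, e->esslen) == 0;
}

/* Index of the join-list entry matching a scanned SSID, or -1 if none. */
static int
ess_find(const struct ess *list, size_t n, const uint8_t *nwid, size_t len,
    int use_strncmp)
{
	size_t i;

	for (i = 0; i < n; i++) {
		int hit = use_strncmp ? ess_match_strncmp(&list[i], nwid)
		    : ess_match(&list[i], nwid, len);
		if (hit)
			return (int)i;
	}
	return -1;
}

/* Constructed join list: a plain SSID and one with an embedded NUL octet. */
static const struct ess joinlist[] = {
	{ "home", 4 },
	{ "cafe\000x", 6 },
};

/* Look a scanned SSID (given with its explicit length) up in joinlist. */
static int
joinlist_lookup(const char *nwid, size_t len, int use_strncmp)
{
	return ess_find(joinlist, sizeof(joinlist) / sizeof(joinlist[0]),
	    (const uint8_t *)nwid, len, use_strncmp);
}

/* 1 if a 33-octet SSID is refused by ess_set(). */
static int
too_long_rejected(void)
{
	struct ess e;
	uint8_t big[NWID_LEN + 1];

	memset(big, 'A', sizeof(big));
	return ess_set(&e, big, sizeof(big)) == -1;
}

int
main(void)
{
	printf("\"homework\" vs entry \"home\":     length-checked=%d strncmp=%d\n",
	    joinlist_lookup("homework", 8, 0), joinlist_lookup("homework", 8, 1));
	printf("\"cafe\\0y\"  vs entry \"cafe\\0x\": length-checked=%d strncmp=%d\n",
	    joinlist_lookup("cafe\000y", 6, 0), joinlist_lookup("cafe\000y", 6, 1));
	printf("33-octet SSID rejected=%d\n", too_long_rejected());
	return 0;
}
```

The strncmp variant joins "homework" when the list holds "home" and cannot
tell "cafe\0x" from "cafe\0y"; the length-checked variant matches neither,
and ess_set() refuses anything longer than 32 octets instead of truncating.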


# 1.137 06-Aug-2018 florian

Do not set nwid over and over again. We just found the ess by comparing
the nwid. It will not have changed in the meantime.
OK stsp


# 1.136 03-Aug-2018 phessler

revert 1.133 and part of 1.131
the stack doesn't always fill in the parameters correctly

reported by many


# 1.135 30-Jul-2018 stsp

Don't ask drivers to join a wifi network before an AP has been chosen.
Should fix a panic with bwfm(4) reported by mlarkin@
ok phessler@


# 1.134 19-Jul-2018 florian

ieee80211_ess_is_better() returns 0 or 1, comparing > 1 is always
false so we always selected the first wifi available, not the best
one.

While here shuffle some deck chairs to make it clearer that anything is
better than nothing.

tweak & OK phessler


# 1.133 16-Jul-2018 phessler

the AP sends their crypto parameters as a mask, so let us still select it
in case we want WPA2 and they have WPA1 still enabled


# 1.132 16-Jul-2018 phessler

don't save or use auto-join when the card is not in station (aka client) mode

OK stsp@


# 1.131 13-Jul-2018 phessler

Some more checks before auto-join switches networks.

Make sure all of the crypto options the AP announces matches what we
would configure. While here, don't switch if the user has specified
a specific BSSID, and the new AP does not match.

OK stsp@


# 1.130 11-Jul-2018 phessler

Introduce 'auto-join' to the wifi 802.11 stack.

This allows a system to remember which ESSIDs it wants to connect to, any
relevant security configuration, and switch to it when the network we are
currently connected to is no longer available.

Works when connecting and switching between WPA2/WPA1/WEP/clear encryptions.

example hostname.if:
join home wpakey password
join work wpakey mekmitasdigoat
join open-lounge
join cafe wpakey cafe2018
join "wepnetwork" nwkey "12345"
dhcp
inet6 autoconf
up

OK stsp@ reyk@
and enthusiasm from every hackroom I've been in for the last 3 years


# 1.129 28-Apr-2018 stsp

When starting a background scan, free the nodes table to ensure we
get an up-to-date view of APs around us. In particular, we need to
kick out the AP we are associated to. Otherwise, our current AP might
stay cached if it is turned off while we are scanning, and we could
end up picking a now non-existent but "good looking" AP over and over.

found with and ok phessler@


# 1.128 27-Apr-2018 stsp

Fix the scan loop: We were only looking for an AP once and stopped
scanning if none was found.
Accidentally broken in recent ifconfig scan changes by pirofti and me.
ok pirofti


# 1.127 26-Apr-2018 pirofti

net80211: stub SIOCS80211SCAN, make ifconfig scan instant.

The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stsp@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.

The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.

In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.

The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...

Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.

Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).

Tested by mpi@, landry@, florian@, thanks!
OK mpi@.


Revision tags: OPENBSD_6_3_BASE
# 1.126 06-Feb-2018 phessler

convert the test if a node support HT (aka, 11n) into an inline function,
instead of testing some un-obvious bitfield

OK stsp@


# 1.125 12-Dec-2017 stsp

Don't dereference IEEE80211_CHAN_ANYC pointer in ieee80211_node_checkrssi().

Problem reported by Gregoire Jadi on bugs@


# 1.124 12-Dec-2017 phessler

Allow interfaces that aren't SCANNALLBAND drivers to benefit from the
strongest received signal.

OK stsp@


# 1.123 12-Dec-2017 jcs

Fix the behavior of preferring weaker-but-still-good 5Ghz APs over
2Ghz APs because the 5Ghz band is generally less saturated.

The previous implementation was dependent upon the order of walking
APs.

ok stsp


# 1.122 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


Revision tags: OPENBSD_6_2_BASE
# 1.121 05-Sep-2017 stsp

When starting a new scan always set the mode to AUTO if the driver scans
all bands at once. Fixes a problem where e.g. 5GHz APs were filtered out
if we were previously associated to an 11g-only AP.
ok mpi@ phessler@


# 1.120 17-Aug-2017 stsp

Add an entry to dmesg if pairwise WPA keys arrive unexpectedly or if WPA
group keys are being reused. OpenBSD wireless clients will now leave a
trail of such events in their message log.

There has been increased public scrutiny of WPA's security recently, so
I am curious to see if anyone is attempting replay attacks in the wild.

ok deraadt


# 1.119 04-Aug-2017 stsp

Compile a debug printf in ieee80211_match_bss() by default, previously
guarded by the IEEE80211_DEBUG preprocessor flag. This shows one line
per detected AP after a scan, and indicates which APs are considered
candidates for association.
Shorten the output a bit to fit into 80 columns more likely.
ok sthen@


# 1.118 19-Jul-2017 stsp

Improve the heuristic which selects 5GHz APs over 2GHz APs.

The previous code wasn't quite right: it didn't account for the fact that
some drivers don't set ic_max_rssi, and it compared 5GHz APs to a threshold
relative to the max RSSI, rather than comparing RSSI on 5GHz relative to
RSSI on 2GHz.

This heuristic is only used by SCANNALLBAND drivers: iwn(4), iwm(4), wpi(4)

In the future the AP selection heuristic should be made more intelligent,
e.g. it should take BSS load information in beacons into account.
Another open problem is inconsistent representation of RSSI measurement
values throughout our drivers and stack. Help is welcome!

For now, this hopefully improves AP selection at busy airports.

ok sthen@ deraadt@


# 1.117 04-Jun-2017 tb

Add sizes for free for the RSN IEs. Rewrite ieee80211_save_ie() slightly
to make it more readable.

help, many explanations and ok stsp


# 1.116 03-Jun-2017 tb

Add a few sizes to free().

Input, help & ok stsp


Revision tags: OPENBSD_6_1_BASE
# 1.115 04-Mar-2017 stsp

branches: 1.115.4;
In 11n hostap mode, dynamically adjust HT protection settings based on
the presence of non-HT nodes in the node cache.
OpenBSD 11n APs will now disable HT protection if it is not necessary.
ok mpi@


# 1.114 03-Feb-2017 stsp

Fix 11b clients sending bogus ratesets in association requests. The common
rateset with the AP is calculated only after the association response was
received, which is too late. Fix rates when an AP is selected after a scan.
ok mpi@ tb@


# 1.113 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.112 16-Jan-2017 stsp

Reset block ack state and cancel related timeouts when a HT node disassociates.
The existing code (from damien@) already took care of freeing related buffers
but because block ack state was not reset we were still trying to use these
buffers if the node sent another A-MPDU. This problem only affects 11n hostap.
Fixes kernel crash reported by Timo Myyra on bugs@


# 1.111 09-Jan-2017 stsp

When a HT node leaves or reassociates as a non-HT node,
clear HT capabilities stored in its node cache object.

A node may switch from 11n mode to 11a/b/g mode.
If we don't clear HT capabilities from the cache the node will
be mistaken as 11n-capable after reassociation.

ok phessler@ mpi@


# 1.110 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.109 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.108 09-Jan-2017 stsp

The point of ieee80211_node_leave() is to place the node in COLLECT state.
Return early and do nothing if the node is already in COLLECT state upon
entry to this function.


# 1.107 09-Jan-2017 stsp

When acting as hostap, negotiate HT before calling the driver's ic_newassoc()
function, not afterwards. Drivers now know whether a joining node supports HT
which helps with setting up state such as which Tx rate to use.


# 1.106 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@


# 1.105 15-Sep-2016 dlg

move from RB macros to the RBT functions.

shaves about 5k off an amd64 GENERIC.MP kernel


# 1.104 17-Aug-2016 stsp

If a wireless device or driver scans all bands at once give 5GHz APs
a slight priority in cases where good matches exist in either band.
ok sthen@


Revision tags: OPENBSD_6_0_BASE
# 1.103 21-May-2016 stsp

branches: 1.103.2;
Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


# 1.102 18-May-2016 stsp

In hostap mode, don't re-use association IDs (AIDs) of nodes which are
still lingering in the node cache. This could cause an AID to be assigned
twice, once to a newly associated node and once to a different node in
COLLECT cache state (i.e. marked for future eviction from the node cache).

Drivers (e.g. rt2860) may use AIDs to keep track of nodes in firmware
tables and get confused when AIDs aren't unique across the node cache.
The symptom observed with rt2860 were nodes stuck at 1 Mbps Tx rate since
the duplicate AID made the driver perform Tx rate (AMRR) accounting on
the wrong node object.

To find out if a node is associated we now check the node's cache state,
rather than comparing the node's AID against zero. An AID is assigned when
a node associates and it lasts until the node is eventually purged from the
node cache (previously, the AID was made available for re-use when the node
was placed in COLLECT state). There is no need to be stingy with AIDs since
the number of possible AIDs exceeds the maximum number of nodes in the cache.

Problem found by Nathanael Rensen.
Fix written by Nathanael and myself. Tested by Nathanael.
Committing now to get this change tested across as many drivers as possible.
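
The AID lifetime rule described above, as an added example that is not
net80211's code: a model of a hostap node cache in which the "buggy"
variant releases an AID as soon as its node enters COLLECT state and the
fixed variant releases it only when the node is purged. The cache layout,
the bitmap helpers and the station slot numbers are assumptions of the
example; the real stack keys nodes by MAC address, and the per-AID driver
state the message mentions is only described here, not modelled.

```c
/*
 * Added example, not net80211 code: AID allocation over a hostap node
 * cache. A node in COLLECT state is still in the cache, so its AID must
 * stay reserved until the node is actually purged.
 */
#include <stdint.h>
#include <string.h>

#define MAX_NODES	8	/* assumption: tiny node cache for the demo */
#define MAX_AID		64	/* assumption: AIDs 1..63; 0 means "none" */

enum node_state { STATE_FREE = 0, STATE_CACHE, STATE_ASSOC, STATE_COLLECT };

struct node {
	enum node_state	state;
	uint16_t	aid;	/* stays set for as long as the node is cached */
};

struct hostap {
	struct node	cache[MAX_NODES];	/* indexed by a station slot */
	uint8_t		aid_bitmap[MAX_AID / 8];
	int		buggy;	/* 1: free AID on COLLECT; 0: free it on purge */
};

#define AID_SET(ap, a)		((ap)->aid_bitmap[(a) / 8] |= (1 << ((a) % 8)))
#define AID_CLR(ap, a)		((ap)->aid_bitmap[(a) / 8] &= ~(1 << ((a) % 8)))
#define AID_ISSET(ap, a)	((ap)->aid_bitmap[(a) / 8] & (1 << ((a) % 8)))

/* Associate the station in slot idx. Returns its AID, or 0 if none is free. */
static uint16_t
node_join(struct hostap *ap, int idx)
{
	struct node *ni = &ap->cache[idx];
	uint16_t aid;

	if (ni->aid == 0) {
		/* The bitmap covers every cached node, COLLECT ones included. */
		for (aid = 1; aid < MAX_AID && AID_ISSET(ap, aid); aid++)
			;
		if (aid == MAX_AID)
			return 0;
		AID_SET(ap, aid);
		ni->aid = aid;
	}
	ni->state = STATE_ASSOC;
	return ni->aid;
}

/* The station leaves: mark its node for eviction. */
static void
node_leave(struct hostap *ap, int idx)
{
	struct node *ni = &ap->cache[idx];

	if (ni->state != STATE_ASSOC)
		return;
	ni->state = STATE_COLLECT;
	if (ap->buggy)
		AID_CLR(ap, ni->aid);	/* too early: the node is still cached */
}

/* Evict COLLECT nodes; this is where the fixed variant frees their AIDs. */
static void
node_purge(struct hostap *ap)
{
	int i;

	for (i = 0; i < MAX_NODES; i++) {
		if (ap->cache[i].state != STATE_COLLECT)
			continue;
		AID_CLR(ap, ap->cache[i].aid);
		memset(&ap->cache[i], 0, sizeof(ap->cache[i]));
	}
}

struct result {
	int	 duplicate;		/* 1 if two cached nodes share an AID */
	uint16_t aid_after_purge;	/* AID handed to a station after the purge */
};

/* Slot 0 associates and leaves; slot 1 associates before slot 0 is purged;
 * after the purge a third station (slot 2) associates. */
static struct result
scenario(int buggy)
{
	struct hostap ap;
	struct result r;

	memset(&ap, 0, sizeof(ap));
	ap.buggy = buggy;
	node_join(&ap, 0);		/* slot 0 gets AID 1 */
	node_leave(&ap, 0);		/* slot 0 -> COLLECT, still cached */
	node_join(&ap, 1);		/* slot 1: AID 1 again if buggy, else 2 */
	r.duplicate = ap.cache[0].aid == ap.cache[1].aid;
	node_purge(&ap);		/* slot 0 evicted, its AID released */
	r.aid_after_purge = node_join(&ap, 2);
	return r;
}
```

scenario(1) reports a duplicate AID while slot 0 lingers in COLLECT state;
scenario(0) does not, and only after node_purge() does AID 1 become
available again (the third station receives it). A main() that prints the
two result structs is all that is needed to run it stand-alone.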


# 1.101 12-Apr-2016 mpi

Call if_enqueue() and if_start() instead of dereferencing the ifp
pointers.

These functions have been introduced to abstract some of the MP-
safeness^Wmadness and should be use everywhere.

Prodded by a comment from jsg@.

ok mikeb@, stsp@


# 1.100 03-Mar-2016 gerhard

Restore assignment of ic_curmode that was accidentally removed when
moving the ERP code to post-assoc phase. Fixes iwi(4) fatal firmware
errors.

ok stsp@, sobrado@


Revision tags: OPENBSD_5_9_BASE
# 1.99 25-Jan-2016 stsp

branches: 1.99.2;
Honour ERP protection on 2 GHz channels in 11n mode, as done for 11g.
ok millert@


# 1.98 25-Jan-2016 stsp

Don't try to interpret htprot data if the last beacon didn't contain such data.
ok mpi@ millert@


# 1.97 07-Jan-2016 stsp

Make the A-MPDU reordering buffer more resilient against APs which drop
some subframes or let the sequence number jump up by more than 1 (hard
to tell which it is). We decrease the BA inactivity timeout for quicker
recovery from stalled BA sessions, and add a new timeout which keeps track
of gaps in the subframe sequence number space due to dropped frames.
Gaps expire after 500 msec, the same value FreeBSD uses for their
implementation of this workaround. And Linux uses this trick, too.

This should fix network stalls some people have been seeing in 11n mode.

ok deraadt@


# 1.96 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.95 04-Jan-2016 stsp

While configuring ERP we need to know if we're in 11a or 11g mode so only
configure ERP once we are sure about our operation mode against the AP.
ok sthen jasper kettenis deraadt mpi


# 1.94 18-Dec-2015 sthen

unnoccupied->unoccupied


# 1.93 12-Dec-2015 stsp

Finish support for receiving 11n A-MPDUs.

The initial implementation was added by damien@ years ago.
Summary of the changes made in this commit:
- In ieee80211_input(), process A-MPDUs before duplicate detection.
- Don't forget to set ba->ba_ni in ieee80211_recv_addba_req()
so we don't crash in ieee80211_rx_ba_timeout().
- In ieee80211_recv_addba_req(), tweak the logic to deny BlockAck
requests if the driver has no callback for doing so.
- Implement ieee80211_ba_del() which cleans up BlockAck state.
- Increase the minimum and maximum lifetime for BlockAck agreements.

ok mpi@


# 1.92 24-Nov-2015 mpi

No need to include <net/if_arp.h>

This header is only needed because <netinet/if_ether.h> declares a
structure that needs it. But it turns out that <net/if.h> already
includes it as workaround.

A proper solution would be to stop declaring "struct ether_arp"
there. But no driver should need this header.


# 1.91 15-Nov-2015 stsp

Parse 11n HT capabilities and operational info from association response
frames, negotiate HT with the AP, and move the interface into or out of
11n mode accordingly. If running as AP negotiate HT with nodes joining the BSS.

ok deraadt mpi kettenis guenther


# 1.90 15-Nov-2015 stsp

Extend struct ieee80211_node with fields for 11n STA HT capabilities and
HT operational information sent by 11n APs. These fields reflect the structure
of elements in management frames so that IEEE80211_HTCAP* and IEEE80211_HTOP*
macros designed to operate on frame elements can be used directly to read
or set the fields.

Populate nodes with HT information received in probe responses, probe
requests, and association requests.

ok deraadt mpi phessler kettenis guenther


# 1.89 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


Revision tags: OPENBSD_5_8_BASE
# 1.88 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.87 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.86 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.85 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.84 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.83 12-Sep-2014 sthen

Remove cached 802.11 nodes in IEEE80211_STA_CACHE state (these are nodes
which have been seen but which haven't otherwise interacted with us), fixing
a problem where old cached nodes are seen when doing a scan.
From Marcin Piotr Pawlowski, feedback stsp@ ok kspillner@ dcoppa@


# 1.82 08-Aug-2014 jasper

use nitems() instead of various local constructs

ok stsp@


Revision tags: OPENBSD_5_6_BASE
# 1.81 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


Revision tags: OPENBSD_5_5_BASE
# 1.80 01-Dec-2013 stsp

Reset txrate array index after changing a node's rate list.
Should prevent "bogus xmit rate %d setup" panics, which I ran into again
in IBSS mode.
ok kettenis


# 1.79 21-Nov-2013 mpi

Remove unneeded include.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.78 24-Mar-2013 claudio

Make ieee80211_set_tim() available from outside of ieee80211_node.c
so drivers like acx(4) can use that function directly instead of
reimplementing the function again. Requested by kettenis@ long time ago.


Revision tags: OPENBSD_5_3_BASE
# 1.77 07-Nov-2012 stsp

Fix DPRINTF() format string treating n->ni_refcnt, which is unsigned, as signed.
diff from dhill; ok kettenis reyk


# 1.76 10-Oct-2012 kettenis

Clear the powersave flag and purge queued packets when a node leaves the AP
(either by disassociating or by timeout). Fixes (most) remaining issues with
power saving.

From Nathanael Rensen.

ok claudio@, krw@, sthen@


# 1.75 05-Oct-2012 camield

Point an interface directly to its bridgeport configuration, instead
of to the bridge itself. This is ok, since an interface can only be part
of one bridge, and the parent bridge is easy to find from the bridgeport.

This way we can get rid of a lot of list walks, improving performance
and shortening the code.

ok henning stsp sthen reyk


# 1.74 20-Sep-2012 stsp

Nuke M_80211_NODE #define which mapped to M_DEVBUF and use M_DEVBUF directly.
ok henning


# 1.73 25-Aug-2012 kettenis

Set up ni_savedq for the initial BSS node such that it can actually be used
to store multicast frames when one of the associated stations is in power
saving mode.

ok stsp@


# 1.72 17-Aug-2012 stsp

Fix possible panic while switching from STA mode into hostap/ibss modes.
ieee80211_create_ibss() resets the set of supported rates but failed
to update the index into the rate set array accordingly. If the rate
configured during STA operation didn't belong to the newly configured
rate set the system ran into an assertion ("bogus xmit rate %u setup")
while trying to create the IBSS.
ok fgsch@


Revision tags: OPENBSD_5_2_BASE
# 1.71 18-Jul-2012 stsp

Print messages about nodes purged from the node cache if hostap/ibss modes are
compiled in and the interface is in debug mode. ok sthen


# 1.70 16-Jul-2012 stsp

Move increment of ic_nnodes closer to where the node is actually inserted
into the cache. Make sure we're at IPL_NET while incrementing/decrementing
ic_nnodes. Add a debug message that warns about possible node leaks.
All of this affects hostap mode only.


# 1.69 13-Jul-2012 stsp

Tweak node cache eviction strategy when the cache is full: kick off new nodes
in AUTH state that weren't active during the cache wait interval rather than
keeping them for the entire cache timeout interval. Fixes association failures
in noisy RF environments. Tested by edd and myself with a slow soekris
suffering from RF noise with about 50 interrupts per second on ral0.
ok deraadt


Revision tags: OPENBSD_5_1_BASE
# 1.68 25-Jan-2012 stsp

There is no need to explicitly skip ic_bss when iterating over cached nodes.
The ic_bss is never put into the RB tree.


# 1.67 25-Jan-2012 stsp

Clean inactive authenticated nodes during cache timeout as well.
There is no need to keep nodes cached which never associated and were
inactive within the last 5 minutes or more. Keeps the node cache pretty
clean in my environment with typical city-center wlan noise.


# 1.66 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@


# 1.65 21-Jan-2012 stsp

Hold interrupts blocked while comparing a cached node's refcount to zero
and freeing the node. Just in case an interrupt happens to ref the node after
the refcount was checked but before the node is freed.
Tested by several as part of a larger diff.


# 1.64 18-Jan-2012 stsp

Make it possible to free cached nodes which never associated (e.g. nodes
only scanning for networks). These were never put into COLLECT state and
were thus never evicted from the node cache in hostap mode.
ok jsg@
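
A small model of the hostap node-cache policy described in the messages for 1.69, 1.66 and 1.64 above (a node is inactive after 5 minutes without a frame, cached nodes that never authenticated are removed on an hourly cleanup, and a full cache evicts a CACHE-state node first and an inactive authenticated or associated node second), written as an added C example; it is not net80211's own code. The names CACHE_MAX, node_pick, node_alloc, node_cache_timeout and scenario_passes, the four-slot cache size and the timestamps in the scenario are constructed for this example; the refcnt rule (never free a node a driver still references) follows the message for 1.65.

```c
#include <stdint.h>
#include <string.h>

#define CACHE_MAX  4          /* constructed: tiny cache so the demo fills it */
#define INACT_SECS (5 * 60)   /* a node is inactive after 5 minutes without a frame */

enum node_state { NODE_FREE = 0, NODE_CACHE, NODE_AUTH, NODE_ASSOC };

struct node {
	enum node_state state;
	unsigned refcnt;    /* > 0 while a driver holds the node: never free it */
	uint32_t last_rx;   /* time (seconds) of the last frame sent or received */
};
struct node_cache { struct node slot[CACHE_MAX]; unsigned nnodes; };

/* First unreferenced node of the wanted kind: CACHE-state peers that never
 * authenticated (cached=1) or AUTH/ASSOC clients (cached=0), optionally only
 * those silent for INACT_SECS or longer. */
static struct node *node_pick(struct node_cache *c, uint32_t now, int cached, int inactive)
{
	unsigned i;
	for (i = 0; i < CACHE_MAX; i++) {
		struct node *n = &c->slot[i];
		if (n->refcnt != 0 || n->state == NODE_FREE ||
		    (n->state == NODE_CACHE) != cached)
			continue;
		if (inactive && (uint32_t)(now - n->last_rx) < INACT_SECS)
			continue;
		return n;
	}
	return NULL;
}
static void node_free(struct node_cache *c, struct node *n)
{
	memset(n, 0, sizeof(*n));   /* state becomes NODE_FREE, refcnt 0 */
	c->nnodes--;
}
/* Hourly cleanup: free inactive nodes that never got past the CACHE state,
 * so scan-only and probe-only peers cannot occupy the cache for good. */
static unsigned node_cache_timeout(struct node_cache *c, uint32_t now)
{
	unsigned freed = 0;
	struct node *n;
	while ((n = node_pick(c, now, 1, 1)) != NULL) {
		node_free(c, n);
		freed++;
	}
	return freed;
}
/* Allocate a node in state st. When the cache is full, evict a CACHE-state
 * node (active or not), else an inactive AUTH/ASSOC node; an active client
 * or a node still referenced by a driver is never evicted. */
static struct node *node_alloc(struct node_cache *c, uint32_t now, enum node_state st)
{
	struct node *n = NULL;
	unsigned i;
	for (i = 0; i < CACHE_MAX && n == NULL; i++)
		if (c->slot[i].state == NODE_FREE)
			n = &c->slot[i];
	if (n == NULL && (n = node_pick(c, now, 1, 0)) == NULL &&
	    (n = node_pick(c, now, 0, 1)) == NULL)
		return NULL;
	if (n->state != NODE_FREE)
		node_free(c, n);
	n->state = st;
	n->last_rx = now;
	c->nnodes++;
	return n;
}
/* Constructed scenario: an associated client a, an authenticated peer b that
 * goes silent, and probe-only peers c1/c2 held by a driver. Returns the
 * number of expectations met; 6 means the policy behaved as described. */
static int scenario_passes(void)
{
	struct node_cache c;
	struct node *a, *b, *c1, *c2, *n;
	uint32_t t = 1000;
	int ok = 0;
	memset(&c, 0, sizeof(c));
	a = node_alloc(&c, t, NODE_ASSOC);
	b = node_alloc(&c, t, NODE_AUTH);
	c1 = node_alloc(&c, t, NODE_CACHE);
	c2 = node_alloc(&c, t, NODE_CACHE);
	c1->refcnt = c2->refcnt = 1;
	ok += (c.nnodes == CACHE_MAX);
	/* every CACHE node is referenced and both clients are active: no room */
	ok += (node_alloc(&c, t + 1, NODE_CACHE) == NULL);
	/* the driver releases c1: it is evicted although it is still active */
	c1->refcnt = 0;
	n = node_alloc(&c, t + 1, NODE_CACHE);
	ok += (n == c1 && c.nnodes == CACHE_MAX);
	/* 5 minutes on, b has been silent while a kept talking: b is evicted */
	n->refcnt = 1;
	a->last_rx = t + INACT_SECS;
	n = node_alloc(&c, t + INACT_SECS, NODE_CACHE);
	ok += (n == b && a->state == NODE_ASSOC);
	/* hourly cleanup frees the one unreferenced inactive CACHE node, and
	 * the held ones only once the driver drops its references */
	ok += (node_cache_timeout(&c, t + 3600) == 1);
	c1->refcnt = c2->refcnt = 0;
	ok += (node_cache_timeout(&c, t + 3600) == 2 && c.nnodes == 1);
	return ok;
}
```

The scenario is the part worth reading from an AP operator's point of view: peers that only scan or probe never get past the CACHE state, and CACHE-state nodes are always the first to be evicted, so a cache filled by RF noise cannot lock out a client that is actually authenticating or talking to the AP, while a node a driver still references is left alone until the reference is dropped.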


Revision tags: OPENBSD_5_0_BASE
# 1.63 28-Mar-2011 kettenis

Clean nodes until the number of cached nodes is smaller than the maximum number
of nodes, otherwise we'll never actually clean any nodes. Fixes issues with
clients failing to attach because the node cache is completely filled.

ok damien@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.62 07-Aug-2010 krw

No "\n" needed at the end of panic() strings.

Bogus chunks pointed out by matthew@ and miod@. No cookies for
marco@ and jasper@.

ok deraadt@ miod@ matthew@ jasper@ macro@


# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


# 1.60 19-Jun-2010 damien

In ieee80211_node_leave(), clear the associd after calling
ieee80211_node_leave_rsn() since ieee80211_node_leave_rsn()
calls ic_delete_key() and drivers like ral(4) RT2860 need
a valid associd in their delete_key callbacks.
This affects HostAP mode only.

from Nathanael Rensen.

remove a useless (nested) #ifndef IEEE80211_STA_ONLY while i'm here


# 1.59 14-Jun-2010 damien

fix my previous commit, i forgot BIP, so instead of enumerating
what is not supported as a group cipher, enumerate what is supported.


# 1.58 14-Jun-2010 damien

do not try to associate with an AP using an unsupported group cipher,
otherwise we will panic in ieee80211_add_rsn_body().

this may be the cause of a panic seen by reyk@ though i'm not 100% sure.


# 1.57 28-Mar-2010 krw

Four uses of uninitialized variables found by clang via jsg@. ar5416, ar9287
and athn are only theoretically interesting. ieee80211_node fixes a real
bug in occupied channel detection.

ok damien@


Revision tags: OPENBSD_4_7_BASE
# 1.56 17-Feb-2010 damien

Do not always create a new node when a beacon or a probe response
is received. The creation of a new node is already handled in
ieee80211_recv_probe_resp() when necessary.
This avoids creating empty nodes with wrong channels when beacons
are received on the wrong channel (overlapping channels).
Those empty nodes may also prevent the real node from being
discovered because of ieee80211_find_node_for_beacon() filtering.

This should prevent entries of the form:
nwid "" chan 3 bssid 00:01:02:03:04:05 0dB 54M
in "ifconfig if0 scan" output, like reported by Rivo Nurges.


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.55 29-Jan-2009 damien

fix a panic that occurs when IEEE80211_STA_ONLY is defined (SMALL_KERNEL).

noticed by ray@, more investigation from sthen@
fix tested by sthen@


# 1.54 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.53 28-Jan-2009 damien

In ieee80211_find_node(), roll our own RB_FIND() based on the key (macaddr)
instead of resorting to horrid hacks/casts.
Restore the ieee80211_node structure back to its original state.


# 1.52 27-Jan-2009 damien

unbreak SMALL_KERNEL builds by adding missing #ifndef IEEE80211_STA_ONLY

pointed out by krw@


# 1.51 26-Jan-2009 damien

move ni_macaddr field at the top of the ieee80211_node structure.
this way we can avoid putting a full node structure (which is huge)
on the stack in ieee80211_find_node().
this is a bit tricky but the RB_FIND macro wants an "elem" structure,
not a field of "elem".


# 1.50 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.49 14-Dec-2008 damien

Add an ieee80211_notify_dtim() function that drivers should call after
every DTIM in HostAP mode.
Flushes all group addressed MSDUs buffered at the AP for power management.


# 1.48 23-Oct-2008 mk

Prevent a crash in ieee80211_setkeys() when unplugging an interface in
hostap mode by canceling the group rekey timeout in ieee80211_node_detach().

ok damien


# 1.47 15-Oct-2008 blambert

Second pass of simple timeout_add -> timeout_add_sec conversions
This should take care of the simpler ones (i.e., timeout values of
integer multiples of hz).

ok krw@, art@


# 1.46 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.45 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.44 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.43 12-Aug-2008 damien

new SHA-256 based AKMPs.


# 1.42 12-Aug-2008 damien

add/process group integrity cipher suite in RSN IEs.
add support for MFP negotiation during association.


# 1.41 12-Aug-2008 damien

the only integrity group cipher currently supported is AES-128-CMAC.


# 1.40 12-Aug-2008 damien

generate a random IGTK in HostAP mode if we're MFP-capable.


# 1.39 12-Aug-2008 damien

get rid of the map_ptk()/map_gtk() functions, just inline them
which makes things easier to track.


Revision tags: OPENBSD_4_4_BASE
# 1.38 02-Aug-2008 damien

Drop frames that are received unencrypted when WEP is on or when
WPA is on and RX protection for TA is on.
Keep track of the TX/RX protection for each node when WPA is on.

tested by djm@ (ral+wpa), ckuethe@ (ath-noenc) and krw@ (wpi<->ral+wpa).
hints from bluhm@
has been in snaps for a few days.

pointed out by bluhm@ something like 1 year ago but we did not have
the right infrastructure to fix it properly at that time.

ok deraadt@


# 1.37 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.36 27-Jul-2008 damien

s/IEEE80211_DPRINTF/DPRINTF/
automatically prepend __func__ to output.

deobfuscates debug messages a bit.
no binary change unless compiled with IEEE80211_DEBUG.


# 1.35 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.34 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


# 1.33 21-Apr-2008 damien

move ieee80211_ibss_merge() from ieee80211_input.c to ieee80211_node.c


# 1.32 21-Apr-2008 damien

move ieee80211_auth_open() to ieee80211_proto.c
move ieee80211_setup_rates() to ieee80211_node.c
move some prototypes from ieee80211_proto.h to ieee80211_crypto.h


# 1.31 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.30 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.29 07-Sep-2007 damien

use new malloc M_ZERO flag + replace MALLOC with malloc


Revision tags: OPENBSD_4_2_BASE
# 1.28 06-Jul-2007 damien

remove remaining bits for pre-RSNA shared authmode support.
it has been #if 0'd since 3.9 and we have never supported this mode (no
ifconfig option etc...).


# 1.27 06-Jul-2007 damien

initialize an uninitialized variable.


# 1.26 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.25 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.24 16-Jun-2007 damien

constify


# 1.23 16-Jun-2007 damien

don't mix u_int{8,16,32}_t and uint{8,16,32}_t
use u_int{8,16,32}_t everywhere.


# 1.22 16-Jun-2007 damien

de-static

ok jsg@


# 1.21 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.20 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


# 1.19 10-Apr-2007 miod

``it's'' -> ``its'' when the grammar gods require this change.


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 13-Nov-2006 damien

fix a possible NULL deref.


Revision tags: OPENBSD_4_0_BASE
# 1.16 19-Jun-2006 reyk

unbreak the code if compiled with IEEE80211_DEBUG by using the right
node attribute.

ok damien@, figured out by claudio@


# 1.15 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.14 19-Feb-2006 damien

Fix a comment in ieee80211_next_scan().


# 1.13 09-Oct-2005 reyk

if the wireless hostap interface belongs to a bridge, learn the node's
address dynamically on this interface after successful association.
this could speed wireless roaming to openbsd accesspoints.

ok jason@, jsg@ can't see anything objectionable


# 1.12 07-Oct-2005 reyk

minor knf


# 1.11 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.10 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.9 08-Sep-2005 jsg

Remove the last of the FreeBSD compatibility goop.
ok reyk@


# 1.8 08-Sep-2005 jsg

Remove FreeBSD if_printf compat function from net80211.
ok reyk@


# 1.7 08-Sep-2005 reyk

reset the scan state for each new mode

ok jsg@


# 1.6 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.5 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.4 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.3 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.2 02-Nov-2004 millert

Don't call memset() if MALLOC returns NULL; also fix the rcs ID.
From Patrick Latifi; OK reyk@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.179 15-Jan-2020 phessler

If join is connected to an AP, remove the node from the cache so we properly
reconnect to the AP

OK stsp@


# 1.178 29-Dec-2019 stsp

If the new candidate AP found after a background scan has an RSSI level
that will also trigger background scans, remain with the current AP.
Avoids ping-pong in environments where APs are tuned for low transmit
range, such as 36c3.

ok phessler benno


# 1.177 10-Nov-2019 stsp

Stop connecting to available open wifi networks when the interface is put up.
From now on, this behaviour must be explicitly enabled with ifconfig join "".
ok sthen jcs deraadt


# 1.176 09-Nov-2019 stsp

Give access points which fail to AUTH or ASSOC less priority during
the next selection of networks from the join list. Prevents endless
attempts to connect to an AP which is out of reach but still somehow
manages to get a beacon or two across to us during scan.

Tested with wifi networks at the University of Bucharest.
Makes switching wifi networks possible after walking to a different
room without having to down/up the interface or suspend/resume.

ok phessler@


# 1.175 09-Nov-2019 stsp

Clear the unref callback function pointer when cleaning up an ieee80211_node.
ok mpi@


# 1.174 31-Oct-2019 stsp

Make background scans less frequent if we keep choosing the same AP.

This helps a bit in situations where a single AP is used and background scans
are causing packet loss, as seen with Jesper Wellin's Broadcom-based AP and my
Android phone in hotspot mode. This is not a proper fix but our background scan
frequency against a single AP was much higher than needed anyway.

Tested by jan, job, benno, Tracey Emery, Jesper Wallin


Revision tags: OPENBSD_6_6_BASE
# 1.173 02-Sep-2019 stsp

Make net80211 expose reasons for association failures to userland and have
ifconfig display them in 'scan' output and on the ieee80211 status line if
the failure is applicable to an already selected AP (e.g. wrong WPA key).

This will hopefully reduce the amount of help requests for what often
turn out to be trivial misconfiguration issues that were previously
hard to diagnose without debug mode.

ifconfig must be recompiled with the new ieee80211_ioctl.h to stay in
sync with the kernel. A full 'make build' will do the right thing!

Very helpful input by mpi@ and deraadt@


# 1.172 27-Aug-2019 stsp

Keep ieee80211_node structures cached across scans, rather than
wiping the entire cache every time a scan is triggered.

This has benefits for userland programs trying to look at scan results,
and for drivers which don't get a full view from hardware on every scan.

Nodes will still be evicted from the cache in one of several ways:

Add a new way of timing out inactive nodes which don't send a beacon
within 10 scan iterations, for client mode only. This should get rid
of stale APs if we're scanning for some time in a changing environment.

If we fail to associate a few times, the corresponding node is removed.

If net80211 transitions back to INIT state (e.g. because of a
user-initiated configuration change) all nodes are removed.

When a background scan starts all nodes will be removed. This could be
revisited later but has been intentionally left as-is for now.

Tested by myself, jmc@, benno@, procter@ on iwm(4), athn(4) and ral(4).


# 1.171 26-Aug-2019 stsp

remove redundant assignment to ic_curmode

This assignment to ic_curmode is redundant because it already occurs
inside ieee80211_setmode(), and channel information in selbs and ni
is equivalent after node_copy().

ok mpi@ kevlo@


# 1.170 29-Jul-2019 stsp

Add support for 802.11n Tx aggregation to net80211 and the iwn(4) driver.

In particular, add Tx block ack session management to net80211, with
enough functionality to support Tx aggregation on devices which perform
A-MPDU subframe scheduling in firmware.
Make use of the iwn(4) firmware Tx scheduler to build A-MPDUs.

net80211's QoS support code is now enabled and used by Tx aggregation.

A-MSDU frames inside A-MPDUs have been tested and work in principle.
For now, this feature is disabled because unfair TCP connection sharing
was observed during testing, where bursts of TCP Ack frames for a single
tcpbench(1) connection arriving in A-MSDUs made other TCP connections stall.
Switch off support for A-MSDUs inside A-MPDUs on the Rx side as well.

Tested on iwn chipsets 1000, 4965, 5100, 5300, 2200, 6200, 6205, 6300
(committed version of tested diff has all debug printfs removed)
tests/ok benno kmos mlarkin kevlo


# 1.169 23-Jul-2019 stsp

In 11n hostap mode, properly disable HT protection when needed
by actually overwriting the relevant bits in ni_htop1.
ok tedu@ phessler@ kettenis@


# 1.168 10-Jun-2019 stsp

Revised version of 'ifconfig mode' command fix.

The 'mode' command is supposed to force a wireless interface into 11a/b/g/n
media mode. This stopped working some time ago, probably during my work on
background scanning. Problem spotted by mlarkin@ who noticed that interfaces
were using 11g mode while forced to 11b mode.

ok phessler, jmatthew (earlier version)
relentless testing by krw@


# 1.167 31-May-2019 stsp

Revert my "Repair the 'ifconfig mode' command" commit.

The "recursion in end_scan()" problem is apparently still present in
the committed version of the diff (reported by krw@).


# 1.166 29-May-2019 stsp

Repair the 'ifconfig mode' command.

The 'mode' command is supposed to force a wireless interface into 11a/b/g/n
media mode. This stopped working some time ago, probably during my work on
background scanning. Problem spotted by mlarkin@ who noticed that interfaces
were using 11g mode while forced to 11b mode.

ok phessler, jmatthew


# 1.165 11-May-2019 stsp

Show driver name on net80211 scan debug lines.
ok mpi@


# 1.164 28-Apr-2019 mpi

Removes the KERNEL_LOCK() from bridge(4)'s output fast-path.

This redefines the ifp <-> bridge relationship. No lock can be
currently used across the multiples contexts where the bridge has
tentacles to protect a pointer, use an interface index.

Tested by various, ok dlg@, visa@


Revision tags: OPENBSD_6_5_BASE
# 1.163 15-Mar-2019 phessler

fix autojoin for WEP network by actually saving the WEP auth key

discovered while attempting to autojoin WEP networks


# 1.162 01-Mar-2019 stsp

Improve handling of HT protection for 'mode 11n' hostap.

Consider the mere presence of HTCAP IEs as indicator of 11n support,
rather than checking advertised Rx MCS. Fixes some devices being
misclassified as 11a/g, causing HT protection to be enabled even
though it is not needed.

Use CTS-to-self frames for HT protection instead of RTS/CTS.

These changes make my athn(4) AR9280 hostap perform much better.

ok phessler@


# 1.161 23-Jan-2019 stsp

Move 802.11n rateset definitions out of MiRA and make them available to
net80211 and drivers in general. Add ratesets for 'short guard interval'
(SGI) rates, and add SGI support to MiRA. SGI is currently only used by
iwm(4), and of course internally by bwfm(4) firmware.
Ratesets for 11n 40 MHz channels and 11ac will come later.
ok mpi@ phessler@


# 1.160 18-Jan-2019 phessler

add a len field when we delete an essid from the joinlist. this will have
us properly match, instead of hoping we got lucky when selecting it.

OK stsp@


# 1.159 18-Jan-2019 phessler

let users automatically use join to connect to any open wifi network.
if a known network is visible, always prefer that instead.

requested by many, OK stsp@


# 1.158 25-Nov-2018 phessler

print more details about the join'd networks we have saved when a user runs
ifconfig if joinlist

OK stsp@


# 1.157 20-Nov-2018 phessler

fix whitespace in debugging function


# 1.156 20-Nov-2018 patrick

The first packet received from each AP in each QoS class would be
dropped as the sequence number matches the initial value of the
cached last sequence number (zero). On some APs (notably Android
WIFI hotspots) this hits the first packet of the WPA2 4-way
handshake. This causes connection delays and in some cases
connection to the AP fails completely. Initialize the cached last
sequence numbers for received packets to an invalid value instead.

From Christian Ehrhardt
ok gerhard@ stsp@
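
The defect and the fix described in this message, as an added C example that is not the net80211 code itself: a per-TID cache of the last sequence-control value received from a peer, initialised to zero in the buggy variant and to a value no frame can carry in the fixed one, with a simplified duplicate check (Retry bit set and sequence control equal to the cached value). The struct and function names, the SEQ_INVALID sentinel and the frame values in the scenarios are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NUM_TIDS    16      /* one cache slot per QoS traffic class (TID) */
#define SEQ_INVALID 0xffff  /* assumed sentinel: "no frame seen on this TID yet" */
#define FC1_RETRY   0x08    /* Retry bit in the second frame-control byte */

/* Per-peer receive state: last sequence-control value seen on each TID. */
struct peer_rx {
	uint16_t rxseq[NUM_TIDS];
};

/* Initialisation as it was before the fix: every slot starts at zero, which
 * is also the sequence-control value of the very first frame a peer sends. */
static void peer_rx_init_zero(struct peer_rx *p)
{
	memset(p->rxseq, 0, sizeof(p->rxseq));
}

/* Initialisation after the fix: every slot starts at a value that no real
 * frame matches, so nothing is dropped before it has actually been seen. */
static void peer_rx_init_invalid(struct peer_rx *p)
{
	int i;
	for (i = 0; i < NUM_TIDS; i++)
		p->rxseq[i] = SEQ_INVALID;
}

/* Simplified duplicate detection: a retransmission (Retry bit set) whose
 * sequence-control field equals the last one cached for this TID is dropped;
 * any other frame is accepted and updates the cache.
 * Returns 1 for "drop as duplicate", 0 for "accept". */
static int rx_is_duplicate(struct peer_rx *p, int tid, uint16_t seqctl, uint8_t fc1)
{
	if (tid < 0 || tid >= NUM_TIDS)
		return 0;
	if ((fc1 & FC1_RETRY) && p->rxseq[tid] == seqctl)
		return 1;
	p->rxseq[tid] = seqctl;
	return 0;
}

/* Constructed scenario: the peer's first frame on TID 0 (sequence number 0,
 * fragment 0) arrives with the Retry bit set, as with the 4-way handshake
 * case in the message. Returns 1 if that first frame is dropped. */
static int first_frame_dropped(void (*init)(struct peer_rx *))
{
	struct peer_rx p;
	init(&p);
	return rx_is_duplicate(&p, 0, 0x0000, FC1_RETRY);
}

/* Constructed scenario: after the fix a real retransmission must still be
 * dropped and a frame with a new sequence number still accepted. */
static int retransmission_detected(void)
{
	struct peer_rx p;
	peer_rx_init_invalid(&p);
	if (rx_is_duplicate(&p, 0, 0x0010, 0) != 0)          /* first copy */
		return 0;
	if (rx_is_duplicate(&p, 0, 0x0010, FC1_RETRY) != 1)  /* retransmit */
		return 0;
	if (rx_is_duplicate(&p, 0, 0x0020, FC1_RETRY) != 0)  /* new sequence */
		return 0;
	return 1;
}

int main(void)
{
	printf("zero init drops first frame:    %d\n", first_frame_dropped(peer_rx_init_zero));
	printf("invalid init drops first frame: %d\n", first_frame_dropped(peer_rx_init_invalid));
	printf("retransmission still detected:  %d\n", retransmission_detected());
	return 0;
}
```

The point of the sentinel is that "nothing seen yet" must be a state the cache can express; reusing a legal value (zero) for it silently turns the first legitimate frame into a false positive of the replay check, and because EAPOL handshake frames are retried aggressively by many APs, that false positive lands exactly on the frame the connection cannot proceed without.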


# 1.155 27-Oct-2018 phessler

pass around the ess and ni structures we plan to use directly, instead
of rediscovering them (possibly badly).

OK stsp@


# 1.154 27-Oct-2018 phessler

clean up accounting of the AUTO_JOIN flag by making sure it is set or cleared
based on the state of the joinlist

OK stsp@


# 1.153 27-Oct-2018 phessler

don't join to a network where we expect cleartext, and the AP is using crypto

OK stsp@


Revision tags: OPENBSD_6_4_BASE
# 1.152 18-Sep-2018 mestre

fix memory leak in ieee80211_end_scan()

OK phessler@ jsg@


# 1.151 17-Sep-2018 jsg

fix memory leaks in ieee80211_add_ess()
ok stsp@ phessler@


# 1.150 11-Sep-2018 phessler

use the format string for signed ints, for signed ints

reminded by stsp@


# 1.149 11-Sep-2018 phessler

With the interface debug flag enabled, print a "score" for each AP we
consider during auto-join. This can help users determine why a specific
network was chosen.

OK stsp@


# 1.148 10-Sep-2018 phessler

fix typo in the length of the essid we want to switch to

found with and OK stsp@


# 1.147 10-Sep-2018 phessler

extract clearing WEP/WPA in ess into helper functions


# 1.146 10-Sep-2018 phessler

give set_ess a len variable, so we can correctly match the essid we want
to switch to.

pointed out by stsp@


# 1.145 09-Sep-2018 phessler

convert the things we save in 'join' into a single ioctl. mixing related
settings over multiple calls was risky and racy. Pass essid, wpa, and wep
parameters in a single ioctl and process it atomically.

no change for 'nwid' users

OK stsp@ benno@


# 1.144 06-Sep-2018 jsg

fix whitespace


# 1.143 01-Sep-2018 stsp

Make 'ifconfig nwid' override 'ifconfig join'.

There was no way to override a decision made by join's network
selection algorithm (apart from disabling the feature by clearing
the join list). Automatic selection is based on heuristics which
cannot always guess correctly so we need to provide an override.

One specific problem was that if 'nwid foo' and 'nwid bar' were
both visible in the scan and only 'nwid foo' was a member of the
join list, then there was no way at all to connect to 'nwid bar'.
The wireless stack would keep selecting 'nwid foo' instead.

'ifconfig iwm0 nwid bar' command will now disable automatic
network selection and force the use of ESSID 'bar'.
Any of these commands will re-enable automatic network selection:
ifconfig iwm0 -nwid
ifconfig iwm0 nwid ''
ifconfig iwm0 join some-network-id

ok phessler@ deraadt@


# 1.142 15-Aug-2018 stsp

Update AP selection heuristics for auto-join.

We now prefer stronger crypto over weaker crypto over none, prefer 5 GHz
band with reasonable RSSI, and use RSSI as a tie-breaker with a slight
advantage for 5GHz. Candidate APs are now ranked by a score which is
calculated based on these attributes.

There is likely room for improvements to make these heuristics
work well across many different environments, but it's a start.

ok phessler@


# 1.141 13-Aug-2018 stsp

Add support for band-steering access points to net80211.

Some access points have a feature called "band steering" where they
will try to push clients from 2 GHz channels to 5 GHz channels.
If a client sends probe-requests on both 2 GHz and 5GHz channels, and
then attempts to authenticate on a 2 GHz channel, such APs will deny
authentication and hope that the client will come back on a 5 GHz channel.

So if we fail to AUTH for any reason, and if there is a different
AP with the same ESSID that we haven't tried yet, try that AP next.
Keep trying until no APs are left, and only then continue scanning.

APs with support for this feature were provided by Mischa Peters.

ok phessler@ mpi@


# 1.140 11-Aug-2018 stsp

Add comment explaining why we read basic MCS set only from beacon/probereq.
requested by mpi@


# 1.139 07-Aug-2018 stsp

Ignore basic MCS set information found in association responses.

Some APs (Aruba 105) send a bogus basic MCS set in assoc responses
which prevents us from enabling 11n support with those APs, while
these APs still behave as if we were an 11n client which renders
the association unusable.

The basic MCS set is already provided in beacons anyway, and the
802.11 2012 standard says the basic MCS set is reserved in frames
other than beacons (see Table 8-130).

ok mpi@


# 1.138 06-Aug-2018 stsp

Refactor ieee80211_add_ess():

Drop ieee80211_add_ess's nwid parameter. Read nwid and length directly
from the ic to make it more obvious where this function is reading from.

nwids are binary data with an explicit length, so treat them as such
instead of treating them like strings.

ok florian phessler


# 1.137 06-Aug-2018 florian

Do not set nwid over and over again. We just found the ess by comparing
the nwid. It will not have changed in the meantime.
OK stsp


# 1.136 03-Aug-2018 phessler

revert 1.133 and part of 1.131
the stack doesn't always fill in the parameters correctly

reported by many


# 1.135 30-Jul-2018 stsp

Don't ask drivers to join a wifi network before an AP has been chosen.
Should fix a panic with bwfm(4) reported by mlarkin@
ok phessler@


# 1.134 19-Jul-2018 florian

ieee80211_ess_is_better() returns 0 or 1, comparing > 1 is always
false so we always selected the first wifi available, not the best
one.

While here shuffle some deck chairs to make it clearer that anything is
better than nothing.

tweak & OK phessler


# 1.133 16-Jul-2018 phessler

the AP sends their crypto parameters as a mask, so let us still select it
in case we want WPA2 and they have WPA1 still enabled


# 1.132 16-Jul-2018 phessler

don't save or use auto-join when the card is not in station (aka client) mode

OK stsp@


# 1.131 13-Jul-2018 phessler

Some more checks before auto-join switches networks.

Make sure all of the crypto options the AP announces match what we
would configure. While here, don't switch if the user has specified
a specific BSSID, and the new AP does not match.

OK stsp@


# 1.130 11-Jul-2018 phessler

Introduce 'auto-join' to the wifi 802.11 stack.

This allows a system to remember which ESSIDs it wants to connect to, any
relevant security configuration, and switch to it when the network we are
currently connected to is no longer available.

Works when connecting and switching between WPA2/WPA1/WEP/clear encryptions.

example hostname.if:
join home wpakey password
join work wpakey mekmitasdigoat
join open-lounge
join cafe wpakey cafe2018
join "wepnetwork" nwkey "12345"
dhcp
inet6 autoconf
up

OK stsp@ reyk@
and enthusiasm from every hackroom I've been in for the last 3 years


# 1.129 28-Apr-2018 stsp

When starting a background scan, free the nodes table to ensure we
get an up-to-date view of APs around us. In particular, we need to
kick out the AP we are associated to. Otherwise, our current AP might
stay cached if it is turned off while we are scanning, and we could
end up picking a now non-existent but "good looking" AP over and over.

found with and ok phessler@


# 1.128 27-Apr-2018 stsp

Fix the scan loop: We were only looking for an AP once and stopped
scanning if none was found.
Accidentally broken in recent ifconfig scan changes by pirofti and me.
ok pirofti


# 1.127 26-Apr-2018 pirofti

net80211: stub SIOCS80211SCAN, make ifconfig scan instant.

The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stsp@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.

The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.

In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.

The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...

Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.

Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).

Tested by mpi@, landry@, florian@, thanks!
OK mpi@.


Revision tags: OPENBSD_6_3_BASE
# 1.126 06-Feb-2018 phessler

convert the test if a node supports HT (aka, 11n) into an inline function,
instead of testing some un-obvious bitfield

OK stsp@


# 1.125 12-Dec-2017 stsp

Don't dereference IEEE80211_CHAN_ANYC pointer in ieee80211_node_checkrssi().

Problem reported by Gregoire Jadi on bugs@


# 1.124 12-Dec-2017 phessler

Allow interfaces that aren't SCANNALLBAND drivers to benefit from the
strongest received signal.

OK stsp@


# 1.123 12-Dec-2017 jcs

Fix the behavior of preferring weaker-but-still-good 5GHz APs over
2GHz APs because the 5GHz band is generally less saturated.

The previous implementation was dependent upon the order of walking
APs.

ok stsp


# 1.122 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


Revision tags: OPENBSD_6_2_BASE
# 1.121 05-Sep-2017 stsp

When starting a new scan always set the mode to AUTO if the driver scans
all bands at once. Fixes a problem where e.g. 5GHz APs were filtered out
if we were previously associated to an 11g-only AP.
ok mpi@ phessler@


# 1.120 17-Aug-2017 stsp

Add an entry to dmesg if pairwise WPA keys arrive unexpectedly or if WPA
group keys are being reused. OpenBSD wireless clients will now leave a
trail of such events in their message log.

There has been increased public scrutiny of WPA's security recently, so
I am curious to see if anyone is attempting replay attacks in the wild.

ok deraadt


# 1.119 04-Aug-2017 stsp

Compile a debug printf in ieee80211_match_bss() by default, previously
guarded by the IEEE80211_DEBUG preprocessor flag. This shows one line
per detected AP after a scan, and indicates which APs are considered
candidates for association.
Shorten the output a bit to fit into 80 columns more likely.
ok sthen@


# 1.118 19-Jul-2017 stsp

Improve the heuristic which selects 5GHz APs over 2GHz APs.

The previous code wasn't quite right: it didn't account for the fact that
some drivers don't set ic_max_rssi, and it compared 5GHz APs to a threshold
relative to the max RSSI, rather than comparing RSSI on 5GHz relative to
RSSI on 2GHz.

This heuristic is only used by SCANNALLBAND drivers: iwn(4), iwm(4), wpi(4)

In the future the AP selection heuristic should be made more intelligent,
e.g. it should take BSS load information in beacons into account.
Another open problem is inconsistent representation of RSSI measurement
values throughout our drivers and stack. Help is welcome!

For now, this hopefully improves AP selection at busy airports.

ok sthen@ deraadt@


# 1.117 04-Jun-2017 tb

Add sizes for free for the RSN IEs. Rewrite ieee80211_save_ie() slightly
to make it more readable.

help, many explanations and ok stsp


# 1.116 03-Jun-2017 tb

Add a few sizes to free().

Input, help & ok stsp


Revision tags: OPENBSD_6_1_BASE
# 1.115 04-Mar-2017 stsp

branches: 1.115.4;
In 11n hostap mode, dynamically adjust HT protection settings based on
the presence of non-HT nodes in the node cache.
OpenBSD 11n APs will now disable HT protection if it is not necessary.
ok mpi@


# 1.114 03-Feb-2017 stsp

Fix 11b clients sending bogus ratesets in association requests. The common
rateset with the AP is calculated only after the association response was
received, which is too late. Fix rates when an AP is selected after a scan.
ok mpi@ tb@


# 1.113 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.112 16-Jan-2017 stsp

Reset block ack state and cancel related timeouts when a HT node disassociates.
The existing code (from damien@) already took care of freeing related buffers
but because block ack state was not reset we were still trying to use these
buffers if the node sent another A-MPDU. This problem only affects 11n hostap.
Fixes kernel crash reported by Timo Myyra on bugs@


# 1.111 09-Jan-2017 stsp

When a HT node leaves or reassociates as a non-HT node,
clear HT capabilities stored in its node cache object.

A node may switch from 11n mode to 11a/b/g mode.
If we don't clear HT capabilities from the cache the node will
be mistaken as 11n-capable after reassociation.

ok phessler@ mpi@


# 1.110 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.109 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.108 09-Jan-2017 stsp

The point of ieee80211_node_leave() is to place the node in COLLECT state.
Return early and do nothing if the node is already in COLLECT state upon
entry to this function.


# 1.107 09-Jan-2017 stsp

When acting as hostap, negotiate HT before calling the driver's ic_newassoc()
function, not afterwards. Drivers now know whether a joining node supports HT
which helps with setting up state such as which Tx rate to use.


# 1.106 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@


# 1.105 15-Sep-2016 dlg

move from RB macros to the RBT functions.

shaves about 5k off an amd64 GENERIC.MP kernel


# 1.104 17-Aug-2016 stsp

If a wireless device or driver scans all bands at once give 5GHz APs
a slight priority in cases where good matches exist in either band.
ok sthen@


Revision tags: OPENBSD_6_0_BASE
# 1.103 21-May-2016 stsp

branches: 1.103.2;
Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


# 1.102 18-May-2016 stsp

In hostap mode, don't re-use association IDs (AIDs) of nodes which are
still lingering in the node cache. This could cause an AID to be assigned
twice, once to a newly associated node and once to a different node in
COLLECT cache state (i.e. marked for future eviction from the node cache).

Drivers (e.g. rt2860) may use AIDs to keep track of nodes in firmware
tables and get confused when AIDs aren't unique across the node cache.
The symptom observed with rt2860 were nodes stuck at 1 Mbps Tx rate since
the duplicate AID made the driver perform Tx rate (AMRR) accounting on
the wrong node object.

To find out if a node is associated we now check the node's cache state,
rather than comparing the node's AID against zero. An AID is assigned when
a node associates and it lasts until the node is eventually purged from the
node cache (previously, the AID was made available for re-use when the node
was placed in COLLECT state). There is no need to be stingy with AIDs since
the number of possible AIDs exceeds the maximum number of nodes in the cache.

Problem found by Nathanael Rensen.
Fix written by Nathanael and myself. Tested by Nathanael.
Committing now to get this change tested across as many drivers as possible.


# 1.101 12-Apr-2016 mpi

Call if_enqueue() and if_start() instead of dereferencing the ifp
pointers.

These functions have been introduced to abstract some of the MP-
safeness^Wmadness and should be use everywhere.

Prodded by a comment from jsg@.

ok mikeb@, stsp@


# 1.100 03-Mar-2016 gerhard

Restore assignment of ic_curmode that was accidentally removed when
moving the ERP code to post-assoc phase. Fixes iwi(4) fatal firmware
errors.

ok stsp@, sobrado@


Revision tags: OPENBSD_5_9_BASE
# 1.99 25-Jan-2016 stsp

branches: 1.99.2;
Honour ERP protection on 2 GHz channels in 11n mode, as done for 11g.
ok millert@


# 1.98 25-Jan-2016 stsp

Don't try to interpret htprot data if the last beacon didn't contain such data.
ok mpi@ millert@


# 1.97 07-Jan-2016 stsp

Make the A-MPDU reordering buffer more resilient against APs which drop
some subframes or let the sequence number jump up by more than 1 (hard
to tell which it is). We decrease the BA inactivity timeout for quicker
recovery from stalled BA sessions, and add a new timeout which keeps track
of gaps in the subframe sequence number space due to dropped frames.
Gaps expire after 500 msec, the same value FreeBSD uses for their
implementation of this workaround. And Linux uses this trick, too.

This should fix network stalls some people have been seeing in 11n mode.

ok deraadt@


# 1.96 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.95 04-Jan-2016 stsp

While configuring ERP we need to know if we're in 11a or 11g mode so only
configure ERP once we are sure about our operation mode against the AP.
ok sthen jasper kettenis deraadt mpi


# 1.94 18-Dec-2015 sthen

unnoccupied->unoccupied


# 1.93 12-Dec-2015 stsp

Finish support for receiving 11n A-MPDUs.

The initial implementation was added by damien@ years ago.
Summary of the changes made in this commit:
- In ieee80211_input(), process A-MPDUs before duplicate detection.
- Don't forget to set ba->ba_ni in ieee80211_recv_addba_req()
so we don't crash in ieee80211_rx_ba_timeout().
- In ieee80211_recv_addba_req(), tweak the logic to deny BlockAck
requests if the driver has no callback for doing so.
- Implement ieee80211_ba_del() which cleans up BlockAck state.
- Increase the minimum and maximum lifetime for BlockAck agreements.

ok mpi@


# 1.92 24-Nov-2015 mpi

No need to include <net/if_arp.h>

This header is only needed because <netinet/if_ether.h> declares a
structure that needs it. But it turns out that <net/if.h> already
includes it as workaround.

A proper solution would be to stop declaring "struct ether_arp"
there. But no driver should need this header.


# 1.91 15-Nov-2015 stsp

Parse 11n HT capabilities and operational info from association response
frames, negotiate HT with the AP, and move the interface into or out of
11n mode accordingly. If running as AP negotiate HT with nodes joining the BSS.

ok deraadt mpi kettenis guenther


# 1.90 15-Nov-2015 stsp

Extend struct ieee80211_node with fields for 11n STA HT capabilities and
HT operational information sent by 11n APs. These fields reflect the structure
of elements in management frames so that IEEE80211_HTCAP* and IEEE80211_HTOP*
macros designed to operate on frame elements can be used directly to read
or set the fields.

Populate nodes with HT information received in probe responses, probe
requests, and association requests.

ok deraadt mpi phessler kettenis guenther


# 1.89 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


Revision tags: OPENBSD_5_8_BASE
# 1.88 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.87 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.86 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.85 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.84 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.83 12-Sep-2014 sthen

Remove cached 802.11 nodes in IEEE80211_STA_CACHE state (these are nodes
which have been seen but which haven't otherwise interacted with us), fixing
a problem where old cached nodes are seen when doing a scan.
From Marcin Piotr Pawlowski, feedback stsp@ ok kspillner@ dcoppa@


# 1.82 08-Aug-2014 jasper

use nitems() instead of various local constructs

ok stsp@


Revision tags: OPENBSD_5_6_BASE
# 1.81 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


Revision tags: OPENBSD_5_5_BASE
# 1.80 01-Dec-2013 stsp

Reset txrate array index after changing a node's rate list.
Should prevent "bogus xmit rate %d setup" panics, which I ran into again
in IBSS mode.
ok kettenis


# 1.79 21-Nov-2013 mpi

Remove unneeded include.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.78 24-Mar-2013 claudio

Make ieee80211_set_tim() available from outside of ieee80211_node.c
so drivers like acx(4) can use that function directly instead of
reimplementing the function again. Requested by kettenis@ a long time ago.


Revision tags: OPENBSD_5_3_BASE
# 1.77 07-Nov-2012 stsp

Fix DPRINTF() format string treating n->ni_refcnt, which is unsigned, as signed.
diff from dhill; ok kettenis reyk


# 1.76 10-Oct-2012 kettenis

Clear the powersave flag and purge queued packets when a node leaves the AP
(either by disassociating or by timeout). Fixes (most) remaining issues with
power saving.

From Nathanael Rensen.

ok claudio@, krw@, sthen@


# 1.75 05-Oct-2012 camield

Point an interface directly to its bridgeport configuration, instead
of to the bridge itself. This is ok, since an interface can only be part
of one bridge, and the parent bridge is easy to find from the bridgeport.

This way we can get rid of a lot of list walks, improving performance
and shortening the code.

ok henning stsp sthen reyk


# 1.74 20-Sep-2012 stsp

Nuke M_80211_NODE #define which mapped to M_DEVBUF and use M_DEVBUF directly.
ok henning


# 1.73 25-Aug-2012 kettenis

Set up ni_savedq for the initial BSS node such that it can actually be used
to store multicast frames when one of the associated stations is in power
saving mode.

ok stsp@


# 1.72 17-Aug-2012 stsp

Fix possible panic while switching from STA mode into hostap/ibss modes.
ieee80211_create_ibss() resets the set of supported rates but failed
to update the index into the rate set array accordingly. If the rate
configured during STA operation didn't belong to the newly configured
rate set the system ran into an assertion ("bogus xmit rate %u setup")
while trying to create the IBSS.
ok fgsch@


Revision tags: OPENBSD_5_2_BASE
# 1.71 18-Jul-2012 stsp

Print messages about nodes purged from the node cache if hostap/ibss modes are
compiled in and the interface is in debug mode. ok sthen


# 1.70 16-Jul-2012 stsp

Move increment of ic_nnodes closer to where the node is actually inserted
into the cache. Make sure we're at IPL_NET while incrementing/decrementing
ic_nnodes. Add a debug message that warns about possible node leaks.
All of this affects hostap mode only.


# 1.69 13-Jul-2012 stsp

Tweak node cache eviction strategy when the cache is full: kick off new nodes
in AUTH state that weren't active during the cache wait interval rather than
keeping them for the entire cache timeout interval. Fixes association failures
in noisy RF environments. Tested by edd and myself with a slow soekris
suffering from RF noise with about 50 interrupts per second on ral0.
ok deraadt


Revision tags: OPENBSD_5_1_BASE
# 1.68 25-Jan-2012 stsp

There is no need to explicitly skip ic_bss when iterating over cached nodes.
The ic_bss is never put into the RB tree.


# 1.67 25-Jan-2012 stsp

Clean inactive authenticated nodes during cache timeout as well.
There is no need to keep nodes cached which never associated and were
inactive within the last 5 minutes or more. Keeps the node cache pretty
clean in my environment with typical city-center wlan noise.


# 1.66 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@


# 1.65 21-Jan-2012 stsp

Hold interrupts blocked while comparing a cached node's refcount to zero
and freeing the node. Just in case an interrupt happens to ref the node after
the refcount was checked but before the node is freed.
Tested by several as part of a larger diff.


# 1.64 18-Jan-2012 stsp

Make it possible to free cached nodes which never associated (e.g. nodes
only scanning for networks). These were never put into COLLECT state and
were thus never evicted from the node cache in hostap mode.
ok jsg@


Revision tags: OPENBSD_5_0_BASE
# 1.63 28-Mar-2011 kettenis

Clean nodes until the number of cached nodes is smaller than the maximum number
of nodes, otherwise we'll never actually clean any nodes. Fixes issues with
clients failing to attach because the node cache is completely filled.

ok damien@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.62 07-Aug-2010 krw

No "\n" needed at the end of panic() strings.

Bogus chunks pointed out by matthew@ and miod@. No cookies for
marco@ and jasper@.

ok deraadt@ miod@ matthew@ jasper@ marco@


# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


# 1.60 19-Jun-2010 damien

In ieee80211_node_leave(), clear the associd after calling
ieee80211_node_leave_rsn() since ieee80211_node_leave_rsn()
calls ic_delete_key() and drivers like ral(4) RT2860 need
a valid associd in their delete_key callbacks.
This affects HostAP mode only.

from Nathanael Rensen.

remove a useless (nested) #ifndef IEEE80211_STA_ONLY while i'm here


# 1.59 14-Jun-2010 damien

fix my previous commit, i forgot BIP, so instead of enumerating
what is not supported as a group cipher, enumerate what is supported.


# 1.58 14-Jun-2010 damien

do not try to associate with an AP using an unsupported group cipher,
otherwise we will panic in ieee80211_add_rsn_body().

this may be the cause of a panic seen by reyk@ though i'm not 100% sure.


# 1.57 28-Mar-2010 krw

Four uses of uninitialized variables found by clang via jsg@. ar5416, ar9287
and athn are only theoretically interesting. ieee80211_node fixes a real
bug in occupied channel detection.

ok damien@


Revision tags: OPENBSD_4_7_BASE
# 1.56 17-Feb-2010 damien

Do not always create a new node when a beacon or a probe response
is received. The creation of a new node is already handled in
ieee80211_recv_probe_resp() when necessary.
This avoids creating empty nodes with wrong channels when beacons
are received on the wrong channel (overlapping channels).
Those empty nodes may also prevent the real node from being
discovered because of ieee80211_find_node_for_beacon() filtering.

This should prevent entries of the form:
nwid "" chan 3 bssid 00:01:02:03:04:05 0dB 54M
in "ifconfig if0 scan" output, like reported by Rivo Nurges.


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.55 29-Jan-2009 damien

fix a panic that occurs when IEEE80211_STA_ONLY is defined (SMALL_KERNEL).

noticed by ray@, more investigation from sthen@
fix tested by sthen@


# 1.54 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.53 28-Jan-2009 damien

In ieee80211_find_node(), roll our own RB_FIND() based on the key (macaddr)
instead of resorting to horrid hacks/casts.
Restore the ieee80211_node structure back to its original state.


# 1.52 27-Jan-2009 damien

unbreak SMALL_KERNEL builds by adding missing #ifndef IEEE80211_STA_ONLY

pointed out by krw@


# 1.51 26-Jan-2009 damien

move ni_macaddr field at the top of the ieee80211_node structure.
this way we can avoid putting a full node structure (which is huge)
on the stack in ieee80211_find_node().
this is a bit tricky but the RB_FIND macro wants an "elem" structure,
not a field of "elem".


# 1.50 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.49 14-Dec-2008 damien

Add an ieee80211_notify_dtim() function that drivers should call after
every DTIM in HostAP mode.
Flushes all group addressed MSDUs buffered at the AP for power management.


# 1.48 23-Oct-2008 mk

Prevent a crash in ieee80211_setkeys() when unplugging an interface in
hostap mode by canceling the group rekey timeout in ieee80211_node_detach().

ok damien


# 1.47 15-Oct-2008 blambert

Second pass of simple timeout_add -> timeout_add_sec conversions
This should take care of the simpler ones (i.e., timeout values of
integer multiples of hz).

ok krw@, art@


# 1.46 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.45 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.44 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.43 12-Aug-2008 damien

new SHA-256 based AKMPs.


# 1.42 12-Aug-2008 damien

add/process group integrity cipher suite in RSN IEs.
add support for MFP negotiation during association.


# 1.41 12-Aug-2008 damien

the only integrity group cipher currently supported is AES-128-CMAC.


# 1.40 12-Aug-2008 damien

generate a random IGTK in HostAP mode if we're MFP-capable.


# 1.39 12-Aug-2008 damien

get rid of the map_ptk()/map_gtk() functions, just inline them
which makes things easier to track.


Revision tags: OPENBSD_4_4_BASE
# 1.38 02-Aug-2008 damien

Drop frames that are received unencrypted when WEP is on or when
WPA is on and RX protection for TA is on.
Keep track of the TX/RX protection for each node when WPA is on.

tested by djm@ (ral+wpa), ckuethe@ (ath-noenc) and krw@ (wpi<->ral+wpa).
hints from bluhm@
has been in snaps for a few days.

pointed out by bluhm@ something like 1 year ago but we did not have
the right infrastructure to fix it properly at that time.

ok deraadt@


# 1.37 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.36 27-Jul-2008 damien

s/IEEE80211_DPRINTF/DPRINTF/
automatically prepend __func__ to output.

deobfuscates debug messages a bit.
no binary change unless compiled with IEEE80211_DEBUG.


# 1.35 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.34 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


# 1.33 21-Apr-2008 damien

move ieee80211_ibss_merge() from ieee80211_input.c to ieee80211_node.c


# 1.32 21-Apr-2008 damien

move ieee80211_auth_open() to ieee80211_proto.c
move ieee80211_setup_rates() to ieee80211_node.c
move some prototypes from ieee80211_proto.h to ieee80211_crypto.h


# 1.31 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.30 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.29 07-Sep-2007 damien

use new malloc M_ZERO flag + replace MALLOC with malloc


Revision tags: OPENBSD_4_2_BASE
# 1.28 06-Jul-2007 damien

remove remaining bits for pre-RSNA shared authmode support.
it has been #if 0'd since 3.9 and we have never supported this mode (no
ifconfig option etc...).


# 1.27 06-Jul-2007 damien

initialize an uninitialized variable.


# 1.26 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.25 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.24 16-Jun-2007 damien

constify


# 1.23 16-Jun-2007 damien

don't mix u_int{8,16,32}_t and uint{8,16,32}_t
use u_int{8,16,32}_t everywhere.


# 1.22 16-Jun-2007 damien

de-static

ok jsg@


# 1.21 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.20 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


# 1.19 10-Apr-2007 miod

``it's'' -> ``its'' when the grammar gods require this change.


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 13-Nov-2006 damien

fix a possible NULL deref.


Revision tags: OPENBSD_4_0_BASE
# 1.16 19-Jun-2006 reyk

unbreak the code if compiled with IEEE80211_DEBUG by using the right
node attribute.

ok damien@, figured out by claudio@


# 1.15 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.14 19-Feb-2006 damien

Fix a comment in ieee80211_next_scan().


# 1.13 09-Oct-2005 reyk

if the wireless hostap interface belongs to a bridge, learn the node's
address dynamically on this interface after successful association.
this could speed wireless roaming to openbsd accesspoints.

ok jason@, jsg@ can't see anything objectionable


# 1.12 07-Oct-2005 reyk

minor knf


# 1.11 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.10 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.9 08-Sep-2005 jsg

Remove the last of the FreeBSD compatibility goop.
ok reyk@


# 1.8 08-Sep-2005 jsg

Remove FreeBSD if_printf compat function from net80211.
ok reyk@


# 1.7 08-Sep-2005 reyk

reset the scan state for each new mode

ok jsg@


# 1.6 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.5 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.4 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.3 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.2 02-Nov-2004 millert

Don't call memset() if MALLOC returns NULL; also fix the rcs ID.
From Patrick Latifi; OK reyk@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.178 29-Dec-2019 stsp

If the new candidate AP found after a background scan has an RSSI level
that will also trigger background scans, remain with the current AP.
Avoids ping-pong in environments where APs are tuned for low transmit
range, such as 36c3.

ok phessler benno


# 1.177 10-Nov-2019 stsp

Stop connecting to available open wifi networks when the interface is put up.
From now on, this behaviour must be explicitly enabled with ifconfig join "".
ok sthen jcs deraadt


# 1.176 09-Nov-2019 stsp

Give access points which fail to AUTH or ASSOC less priority during
the next selection of networks from the join list. Prevents endless
attempts to connect to an AP which is out of reach but still somehow
manages to get a beacon or two across to us during scan.

Tested with wifi networks at the University of Bucharest.
Makes switching wifi networks possible after walking to a different
room without having to down/up the interface or suspend/resume.

ok phessler@


# 1.175 09-Nov-2019 stsp

Clear the unref callback function pointer when cleaning up an ieee80211_node.
ok mpi@


# 1.174 31-Oct-2019 stsp

Make background scans less frequent if we keep choosing the same AP.

This helps a bit in situations where a single AP is used and background scans
are causing packet loss, as seen with Jesper Wallin's Broadcom-based AP and my
Android phone in hotspot mode. This is not a proper fix but our background scan
frequency against a single AP was much higher than needed anyway.

Tested by jan, job, benno, Tracey Emery, Jesper Wallin


Revision tags: OPENBSD_6_6_BASE
# 1.173 02-Sep-2019 stsp

Make net80211 expose reasons for association failures to userland and have
ifconfig display them in 'scan' output and on the ieee80211 status line if
the failure is applicable to an already selected AP (e.g. wrong WPA key).

This will hopefully reduce the amount of help requests for what often
turn out to be trivial misconfiguration issues that were previously
hard to diagnose without debug mode.

ifconfig must be recompiled with the new ieee80211_ioctl.h to stay in
sync with the kernel. A full 'make build' will do the right thing!

Very helpful input by mpi@ and deraadt@


# 1.172 27-Aug-2019 stsp

Keep ieee80211_node structures cached across scans, rather than
wiping the entire cache every time a scan is triggered.

This has benefits for userland programs trying to look at scan results,
and for drivers which don't get a full view from hardware on every scan.

Nodes will still be evicted from the cache in one of several ways:

Add a new way of timing out inactive nodes which don't send a beacon
within 10 scan iterations, for client mode only. This should get rid
of stale APs if we're scanning for some time in a changing environment.

If we fail to associate a few times, the corresponding node is removed.

If net80211 transitions back to INIT state (e.g. because of a
user-initiated configuration change) all nodes are removed.

When a background scan starts all nodes will be removed. This could be
revisited later but has been intentionally left as-is for now.

Tested by myself, jmc@, benno@, procter@ on iwm(4), athn(4) and ral(4).


# 1.171 26-Aug-2019 stsp

remove redundant assignment to ic_curmode

This assignment to ic_curmode is redundant because it already occurs
inside ieee80211_setmode(), and channel information in selbs and ni
is equivalent after node_copy().

ok mpi@ kevlo@


# 1.170 29-Jul-2019 stsp

Add support for 802.11n Tx aggregation to net80211 and the iwn(4) driver.

In particular, add Tx block ack session management to net80211, with
enough functionality to support Tx aggregation on devices which perform
A-MPDU subframe scheduling in firmware.
Make use of the iwn(4) firmware Tx scheduler to build A-MPDUs.

net80211's QoS support code is now enabled and used by Tx aggregation.

A-MSDU frames inside A-MPDUs have been tested and work in principle.
For now, this feature is disabled because unfair TCP connection sharing
was observed during testing, where bursts of TCP Ack frames for a single
tcpbench(1) connection arriving in A-MSDUs made other TCP connections stall.
Switch off support for A-MSDUs inside A-MPDUs on the Rx side as well.

Tested on iwn chipsets 1000, 4965, 5100, 5300, 2200, 6200, 6205, 6300
(committed version of tested diff has all debug printfs removed)
tests/ok benno kmos mlarkin kevlo


# 1.169 23-Jul-2019 stsp

In 11n hostap mode, properly disable HT protection when needed
by actually overwriting the relevant bits in ni_htop1.
ok tedu@ phessler@ kettenis@


# 1.168 10-Jun-2019 stsp

Revised version of 'ifconfig mode' command fix.

The 'mode' command is supposed to force a wireless interface into 11a/b/g/n
media mode. This stopped working some time ago, probably during my work on
background scanning. Problem spotted by mlarkin@ who noticed that interfaces
were using 11g mode while forced to 11b mode.

ok phessler, jmatthew (earlier version)
relentless testing by krw@


# 1.167 31-May-2019 stsp

Revert my "Repair the 'ifconfig mode' command" commit.

The "recursion in end_scan()" problem is apparently still present in
the committed version of the diff (reported by krw@).


# 1.166 29-May-2019 stsp

Repair the 'ifconfig mode' command.

The 'mode' command is supposed to force a wireless interface into 11a/b/g/n
media mode. This stopped working some time ago, probably during my work on
background scanning. Problem spotted by mlarkin@ who noticed that interfaces
were using 11g mode while forced to 11b mode.

ok phessler, jmatthew


# 1.165 11-May-2019 stsp

Show driver name on net80211 scan debug lines.
ok mpi@


# 1.164 28-Apr-2019 mpi

Removes the KERNEL_LOCK() from bridge(4)'s output fast-path.

This redefines the ifp <-> bridge relationship. No lock can be
currently used across the multiple contexts where the bridge has
tentacles to protect a pointer, use an interface index.

Tested by various, ok dlg@, visa@


Revision tags: OPENBSD_6_5_BASE
# 1.163 15-Mar-2019 phessler

fix autojoin for WEP network by actually saving the WEP auth key

discovered while attempting to autojoin WEP networks


# 1.162 01-Mar-2019 stsp

Improve handling of HT protection for 'mode 11n' hostap.

Consider the mere presence of HTCAP IEs as indicator of 11n support,
rather than checking advertised Rx MCS. Fixes some devices being
misclassified as 11a/g, causing HT protection to be enabled even
though it is not needed.

Use CTS-to-self frames for HT protection instead of RTS/CTS.

These changes make my athn(4) AR9280 hostap perform much better.

ok phessler@


# 1.161 23-Jan-2019 stsp

Move 802.11n rateset definitions out of MiRA and make them available to
net80211 and drivers in general. Add ratesets for 'short guard interval'
(SGI) rates, and add SGI support to MiRA. SGI is currently only used by
iwm(4), and of course internally by bwfm(4) firmware.
Ratesets for 11n 40 MHz channels and 11ac will come later.
ok mpi@ phessler@


# 1.160 18-Jan-2019 phessler

add a len field when we delete an essid from the joinlist. this will have
us properly match, instead of hoping we got lucky when selecting it.

OK stsp@


# 1.159 18-Jan-2019 phessler

let users automatically use join to connect to any open wifi network.
if a known network is visible, always prefer that instead.

requested by many, OK stsp@


# 1.158 25-Nov-2018 phessler

print more details about the join'd networks we have saved when a user runs
ifconfig if joinlist

OK stsp@


# 1.157 20-Nov-2018 phessler

fix whitespace in debugging function


# 1.156 20-Nov-2018 patrick

The first packet received from each AP in each QoS class would be
dropped as the sequence number matches the initial value of the
cached last sequence number (zero). On some APs (notably Android
WIFI hotspots) this hits the first packet of the WPA2 4-way
handshake. This causes connection delays and in some cases
connection to the AP fails completely. Initialize the cached last
sequence numbers for received packets to an invalid value instead.

From Christian Ehrhardt
ok gerhard@ stsp@


# 1.155 27-Oct-2018 phessler

pass around the ess and ni structures we plan to use directly, instead
of rediscovering them (possibly badly).

OK stsp@


# 1.154 27-Oct-2018 phessler

clean up accounting of the AUTO_JOIN flag by making sure it is set or cleared
based on the state of the joinlist

OK stsp@


# 1.153 27-Oct-2018 phessler

don't join to a network where we expect cleartext, and the AP is using crypto

OK stsp@


Revision tags: OPENBSD_6_4_BASE
# 1.152 18-Sep-2018 mestre

fix memory leak in ieee80211_end_scan()

OK phessler@ jsg@


# 1.151 17-Sep-2018 jsg

fix memory leaks in ieee80211_add_ess()
ok stsp@ phessler@


# 1.150 11-Sep-2018 phessler

use the format string for signed ints, for signed ints

reminded by stsp@


# 1.149 11-Sep-2018 phessler

With the interface debug flag enabled, print a "score" for each AP we
consider during auto-join. This can help users determine why a specific
network was chosen.

OK stsp@


# 1.148 10-Sep-2018 phessler

fix typo in the length of the essid we want to switch to

found with and OK stsp@


# 1.147 10-Sep-2018 phessler

extract clearing WEP/WPA in ess into helper functions


# 1.146 10-Sep-2018 phessler

give set_ess a len variable, so we can correctly match the essid we want
to switch to.

pointed out by stsp@


# 1.145 09-Sep-2018 phessler

convert the things we save in 'join' into a single ioctl. mixing related
settings over multiple calls was risky and racy. Pass essid, wpa, and wep
parameters in a single ioctl and process it atomically.

no change for 'nwid' users

OK stsp@ benno@


# 1.144 06-Sep-2018 jsg

fix whitespace


# 1.143 01-Sep-2018 stsp

Make 'ifconfig nwid' override 'ifconfig join'.

There was no way to override a decision made by join's network
selection algorithm (apart from disabling the feature by clearing
the join list). Automatic selection is based on heuristics which
cannot always guess correctly so we need to provide an override.

One specific problem was that if 'nwid foo' and 'nwid bar' were
both visible in the scan and only 'nwid foo' was a member of the
join list, then there was no way at all to connect to 'nwid bar'.
The wireless stack would keep selecting 'nwid foo' instead.

'ifconfig iwm0 nwid bar' command will now disable automatic
network selection and force the use of ESSID 'bar'.
Any of these commands will re-enable automatic network selection:
ifconfig iwm0 -nwid
ifconfig iwm0 nwid ''
ifconfig iwm0 join some-network-id

ok phessler@ deraadt@


# 1.142 15-Aug-2018 stsp

Update AP selection heuristics for auto-join.

We now prefer stronger crypto over weaker crypto over none, prefer 5 GHz
band with reasonable RSSI, and use RSSI as a tie-breaker with a slight
advantage for 5GHz. Candidate APs are now ranked by a score which is
calculated based on these attributes.

There is likely room for improvements to make these heuristics
work well across many different environments, but it's a start.

ok phessler@


# 1.141 13-Aug-2018 stsp

Add support for band-steering access points to net80211.

Some access points have a feature called "band steering" where they
will try to push clients from 2 GHz channels to 5 GHz channels.
If a client sends probe-requests on both 2 GHz and 5GHz channels, and
then attempts to authenticate on a 2 GHz channel, such APs will deny
authentication and hope that the client will come back on a 5 GHz channel.

So if we fail to AUTH for any reason, and if there is a different
AP with the same ESSID that we haven't tried yet, try that AP next.
Keep trying until no APs are left, and only then continue scanning.

APs with support for this feature were provided by Mischa Peters.

ok phessler@ mpi@


# 1.140 11-Aug-2018 stsp

Add comment explaining why we read basic MCS set only from beacon/probereq.
requested by mpi@


# 1.139 07-Aug-2018 stsp

Ignore basic MCS set information found in association responses.

Some APs (Aruba 105) send a bogus basic MCS set in assoc responses
which prevents us from enabling 11n support with those APs, while
these APs still behave as if we were an 11n client which renders
the association unusable.

The basic MCS set is already provided in beacons anyway, and the
802.11 2012 standard says the basic MCS set is reserved in frames
other than beacons (see Table 8-130).

ok mpi@


# 1.138 06-Aug-2018 stsp

Refactor ieee80211_add_ess():

Drop ieee80211_add_ess's nwid parameter. Read nwid and length directly
from the ic to make it more obvious where this function is reading from.

nwids are binary data with an explicit length, so treat them as such
instead of treating them like strings.

ok florian phessler


# 1.137 06-Aug-2018 florian

Do not set nwid over and over again. We just found the ess by comparing
the nwid. It will not have changed in the meantime.
OK stsp


# 1.136 03-Aug-2018 phessler

revert 1.133 and part of 1.131
the stack doesn't always fill in the parameters correctly

reported by many


# 1.135 30-Jul-2018 stsp

Don't ask drivers to join a wifi network before an AP has been chosen.
Should fix a panic with bwfm(4) reported by mlarkin@
ok phessler@


# 1.134 19-Jul-2018 florian

ieee80211_ess_is_better() returns 0 or 1, comparing > 1 is always
false so we always selected the first wifi available, not the best
one.

While here shuffle some deck chairs to make it clearer that anything is
better than nothing.

tweak & OK phessler


# 1.133 16-Jul-2018 phessler

the AP sends their crypto parameters as a mask, so let us still select it
in case we want WPA2 and they have WPA1 still enabled


# 1.132 16-Jul-2018 phessler

don't save or use auto-join when the card is not in station (aka client) mode

OK stsp@


# 1.131 13-Jul-2018 phessler

Some more checks before auto-join switches networks.

Make sure all of the crypto options the AP announces matches what we
would configure. While here, don't switch if the user has specified
a specific BSSID, and the new AP does not match.

OK stsp@


# 1.130 11-Jul-2018 phessler

Introduce 'auto-join' to the wifi 802.11 stack.

This allows a system to remember which ESSIDs it wants to connect to, any
relevant security configuration, and switch to it when the network we are
currently connected to is no longer available.

Works when connecting and switching between WPA2/WPA1/WEP/clear encryptions.

example hostname.if:
join home wpakey password
join work wpakey mekmitasdigoat
join open-lounge
join cafe wpakey cafe2018
join "wepnetwork" nwkey "12345"
dhcp
inet6 autoconf
up

OK stsp@ reyk@
and enthusiasm from every hackroom I've been in for the last 3 years


# 1.129 28-Apr-2018 stsp

When starting a background scan, free the nodes table to ensure we
get an up-to-date view of APs around us. In particular, we need to
kick out the AP we are associated to. Otherwise, our current AP might
stay cached if it is turned off while we are scanning, and we could
end up picking a now non-existent but "good looking" AP over and over.

found with and ok phessler@


# 1.128 27-Apr-2018 stsp

Fix the scan loop: We were only looking for an AP once and stopped
scanning if none was found.
Accidentally broken in recent ifconfig scan changes by pirofti and me.
ok pirofti


# 1.127 26-Apr-2018 pirofti

net80211: stub SIOCS80211SCAN, make ifconfig scan instant.

The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stsp@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.

The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.

In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.

The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...

Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.

Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).

Tested by mpi@, landry@, florian@, thanks!
OK mpi@.


Revision tags: OPENBSD_6_3_BASE
# 1.126 06-Feb-2018 phessler

convert the test if a node support HT (aka, 11n) into an inline function,
instead of testing some un-obvious bitfield

OK stsp@


# 1.125 12-Dec-2017 stsp

Don't dereference IEEE80211_CHAN_ANYC pointer in ieee80211_node_checkrssi().

Problem reported by Gregoire Jadi on bugs@


# 1.124 12-Dec-2017 phessler

Allow interfaces that aren't SCANNALLBAND drivers to benefit from the
strongest received signal.

OK stsp@


# 1.123 12-Dec-2017 jcs

Fix the behavior of preferring weaker-but-still-good 5GHz APs over
2GHz APs because the 5GHz band is generally less saturated.

The previous implementation was dependent upon the order of walking
APs.

ok stsp


# 1.122 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


Revision tags: OPENBSD_6_2_BASE
# 1.121 05-Sep-2017 stsp

When starting a new scan always set the mode to AUTO if the driver scans
all bands at once. Fixes a problem where e.g. 5GHz APs were filtered out
if we were previously associated to an 11g-only AP.
ok mpi@ phessler@


# 1.120 17-Aug-2017 stsp

Add an entry to dmesg if pairwise WPA keys arrive unexpectedly or if WPA
group keys are being reused. OpenBSD wireless clients will now leave a
trail of such events in their message log.

There has been increased public scrutiny of WPA's security recently, so
I am curious to see if anyone is attempting replay attacks in the wild.

ok deraadt


# 1.119 04-Aug-2017 stsp

Compile a debug printf in ieee80211_match_bss() by default, previously
guarded by the IEEE80211_DEBUG preprocessor flag. This shows one line
per detected AP after a scan, and indicates which APs are considered
candidates for association.
Shorten the output a bit to fit into 80 columns more likely.
ok sthen@


# 1.118 19-Jul-2017 stsp

Improve the heuristic which selects 5GHz APs over 2GHz APs.

The previous code wasn't quite right: it didn't account for the fact that
some drivers don't set ic_max_rssi, and it compared 5GHz APs to a threshold
relative to the max RSSI, rather than comparing RSSI on 5GHz relative to
RSSI on 2GHz.

This heuristic is only used by SCANNALLBAND drivers: iwn(4), iwm(4), wpi(4)

In the future the AP selection heuristic should be made more intelligent,
e.g. it should take BSS load information in beacons into account.
Another open problem is inconsistent representation of RSSI measurement
values throughout our drivers and stack. Help is welcome!

For now, this hopefully improves AP selection at busy airports.

ok sthen@ deraadt@


# 1.117 04-Jun-2017 tb

Add sizes for free for the RSN IEs. Rewrite ieee80211_save_ie() slightly
to make it more readable.

help, many explanations and ok stsp


# 1.116 03-Jun-2017 tb

Add a few sizes to free().

Input, help & ok stsp


Revision tags: OPENBSD_6_1_BASE
# 1.115 04-Mar-2017 stsp

branches: 1.115.4;
In 11n hostap mode, dynamically adjust HT protection settings based on
the presence of non-HT nodes in the node cache.
OpenBSD 11n APs will now disable HT protection if it is not necessary.
ok mpi@


# 1.114 03-Feb-2017 stsp

Fix 11b clients sending bogus ratesets in association requests. The common
rateset with the AP is calculated only after the association response was
received, which is too late. Fix rates when an AP is selected after a scan.
ok mpi@ tb@


# 1.113 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.112 16-Jan-2017 stsp

Reset block ack state and cancel related timeouts when a HT node disassociates.
The existing code (from damien@) already took care of freeing related buffers
but because block ack state was not reset we were still trying to use these
buffers if the node sent another A-MPDU. This problem only affects 11n hostap.
Fixes kernel crash reported by Timo Myyra on bugs@


# 1.111 09-Jan-2017 stsp

When a HT node leaves or reassociates as a non-HT node,
clear HT capabilities stored in its node cache object.

A node may switch from 11n mode to 11a/b/g mode.
If we don't clear HT capabilities from the cache the node will
be mistaken as 11n-capable after reassociation.

ok phessler@ mpi@


# 1.110 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.109 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.108 09-Jan-2017 stsp

The point of ieee80211_node_leave() is to place the node in COLLECT state.
Return early and do nothing if the node is already in COLLECT state upon
entry to this function.


# 1.107 09-Jan-2017 stsp

When acting as hostap, negotiate HT before calling the driver's ic_newassoc()
function, not afterwards. Drivers now know whether a joining node supports HT
which helps with setting up state such as which Tx rate to use.


# 1.106 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@


# 1.105 15-Sep-2016 dlg

move from RB macros to the RBT functions.

shaves about 5k off an amd64 GENERIC.MP kernel


# 1.104 17-Aug-2016 stsp

If a wireless device or driver scans all bands at once give 5GHz APs
a slight priority in cases where good matches exist in either band.
ok sthen@


Revision tags: OPENBSD_6_0_BASE
# 1.103 21-May-2016 stsp

branches: 1.103.2;
Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


# 1.102 18-May-2016 stsp

In hostap mode, don't re-use association IDs (AIDs) of nodes which are
still lingering in the node cache. This could cause an AID to be assigned
twice, once to a newly associated node and once to a different node in
COLLECT cache state (i.e. marked for future eviction from the node cache).

Drivers (e.g. rt2860) may use AIDs to keep track of nodes in firmware
tables and get confused when AIDs aren't unique across the node cache.
The symptom observed with rt2860 was nodes stuck at 1 Mbps Tx rate since
the duplicate AID made the driver perform Tx rate (AMRR) accounting on
the wrong node object.

To find out if a node is associated we now check the node's cache state,
rather than comparing the node's AID against zero. An AID is assigned when
a node associates and it lasts until the node is eventually purged from the
node cache (previously, the AID was made available for re-use when the node
was placed in COLLECT state). There is no need to be stingy with AIDs since
the number of possible AIDs exceeds the maximum number of nodes in the cache.

Problem found by Nathanael Rensen.
Fix written by Nathanael and myself. Tested by Nathanael.
Committing now to get this change tested across as many drivers as possible.


# 1.101 12-Apr-2016 mpi

Call if_enqueue() and if_start() instead of dereferencing the ifp
pointers.

These functions have been introduced to abstract some of the MP-safeness^Wmadness
and should be used everywhere.

Prodded by a comment from jsg@.

ok mikeb@, stsp@


# 1.100 03-Mar-2016 gerhard

Restore assignment of ic_curmode that was accidentally removed when
moving the ERP code to post-assoc phase. Fixes iwi(4) fatal firmware
errors.

ok stsp@, sobrado@


Revision tags: OPENBSD_5_9_BASE
# 1.99 25-Jan-2016 stsp

branches: 1.99.2;
Honour ERP protection on 2 GHz channels in 11n mode, as done for 11g.
ok millert@


# 1.98 25-Jan-2016 stsp

Don't try to interpret htprot data if the last beacon didn't contain such data.
ok mpi@ millert@


# 1.97 07-Jan-2016 stsp

Make the A-MPDU reordering buffer more resilient against APs which drop
some subframes or let the sequence number jump up by more than 1 (hard
to tell which it is). We decrease the BA inactivity timeout for quicker
recovery from stalled BA sessions, and add a new timeout which keeps track
of gaps in the subframe sequence number space due to dropped frames.
Gaps expire after 500 msec, the same value FreeBSD uses for their
implementation of this workaround. And Linux uses this trick, too.

This should fix network stalls some people have been seeing in 11n mode.

ok deraadt@


# 1.96 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.95 04-Jan-2016 stsp

While configuring ERP we need to know if we're in 11a or 11g mode so only
configure ERP once we are sure about our operation mode against the AP.
ok sthen jasper kettenis deraadt mpi


# 1.94 18-Dec-2015 sthen

unnoccupied->unoccupied


# 1.93 12-Dec-2015 stsp

Finish support for receiving 11n A-MPDUs.

The initial implementation was added by damien@ years ago.
Summary of the changes made in this commit:
- In ieee80211_input(), process A-MPDUs before duplicate detection.
- Don't forget to set ba->ba_ni in ieee80211_recv_addba_req()
so we don't crash in ieee80211_rx_ba_timeout().
- In ieee80211_recv_addba_req(), tweak the logic to deny BlockAck
requests if the driver has no callback for doing so.
- Implement ieee80211_ba_del() which cleans up BlockAck state.
- Increase the minimum and maximum lifetime for BlockAck agreements.

ok mpi@


# 1.92 24-Nov-2015 mpi

No need to include <net/if_arp.h>

This header is only needed because <netinet/if_ether.h> declares a
structure that needs it. But it turns out that <net/if.h> already
includes it as workaround.

A proper solution would be to stop declaring "struct ether_arp"
there. But no driver should need this header.


# 1.91 15-Nov-2015 stsp

Parse 11n HT capabilities and operational info from association response
frames, negotiate HT with the AP, and move the interface into or out of
11n mode accordingly. If running as AP negotiate HT with nodes joining the BSS.

ok deraadt mpi kettenis guenther


# 1.90 15-Nov-2015 stsp

Extend struct ieee80211_node with fields for 11n STA HT capabilities and
HT operational information sent by 11n APs. These fields reflect the structure
of elements in management frames so that IEEE80211_HTCAP* and IEEE80211_HTOP*
macros designed to operate on frame elements can be used directly to read
or set the fields.

Populate nodes with HT information received in probe responses, probe
requests, and association requests.

ok deraadt mpi phessler kettenis guenther


# 1.89 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


Revision tags: OPENBSD_5_8_BASE
# 1.88 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.87 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.86 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.85 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.84 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.83 12-Sep-2014 sthen

Remove cached 802.11 nodes in IEEE80211_STA_CACHE state (these are nodes
which have been seen but which haven't otherwise interacted with us), fixing
a problem where old cached nodes are seen when doing a scan.
From Marcin Piotr Pawlowski, feedback stsp@ ok kspillner@ dcoppa@


# 1.82 08-Aug-2014 jasper

use nitems() instead of various local constructs

ok stsp@


Revision tags: OPENBSD_5_6_BASE
# 1.81 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


Revision tags: OPENBSD_5_5_BASE
# 1.80 01-Dec-2013 stsp

Reset txrate array index after changing a node's rate list.
Should prevent "bogus xmit rate %d setup" panics, which I ran into again
in IBSS mode.
ok kettenis


# 1.79 21-Nov-2013 mpi

Remove unneeded include.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.78 24-Mar-2013 claudio

Make ieee80211_set_tim() available from outside of ieee80211_node.c
so drivers like acx(4) can use that function directly instead of
reimplementing the function again. Requested by kettenis@ a long time ago.


Revision tags: OPENBSD_5_3_BASE
# 1.77 07-Nov-2012 stsp

Fix DPRINTF() format string treating n->ni_refcnt, which is unsigned, as signed.
diff from dhill; ok kettenis reyk


# 1.76 10-Oct-2012 kettenis

Clear the powersave flag and purge queued packets when a node leaves the AP
(either by disassociating or by timeout). Fixes (most) remaining issues with
power saving.

From Nathanael Rensen.

ok claudio@, krw@, sthen@


# 1.75 05-Oct-2012 camield

Point an interface directly to its bridgeport configuration, instead
of to the bridge itself. This is ok, since an interface can only be part
of one bridge, and the parent bridge is easy to find from the bridgeport.

This way we can get rid of a lot of list walks, improving performance
and shortening the code.

ok henning stsp sthen reyk


# 1.74 20-Sep-2012 stsp

Nuke M_80211_NODE #define which mapped to M_DEVBUF and use M_DEVBUF directly.
ok henning


# 1.73 25-Aug-2012 kettenis

Set up ni_savedq for the initial BSS node such that it can actually be used
to store multicast frames when one of the associated stations is in power
saving mode.

ok stsp@


# 1.72 17-Aug-2012 stsp

Fix possible panic while switching from STA mode into hostap/ibss modes.
ieee80211_create_ibss() resets the set of supported rates but failed
to update the index into the rate set array accordingly. If the rate
configured during STA operation didn't belong to the newly configured
rate set the system ran into an assertion ("bogus xmit rate %u setup")
while trying to create the IBSS.
ok fgsch@


Revision tags: OPENBSD_5_2_BASE
# 1.71 18-Jul-2012 stsp

Print messages about nodes purged from the node cache if hostap/ibss modes are
compiled in and the interface is in debug mode. ok sthen


# 1.70 16-Jul-2012 stsp

Move increment of ic_nnodes closer to where the node is actually inserted
into the cache. Make sure we're at IPL_NET while incrementing/decrementing
ic_nnodes. Add a debug message that warns about possible node leaks.
All of this affects hostap mode only.


# 1.69 13-Jul-2012 stsp

Tweak node cache eviction strategy when the cache is full: kick off new nodes
in AUTH state that weren't active during the cache wait interval rather than
keeping them for the entire cache timeout interval. Fixes association failures
in noisy RF environments. Tested by edd and myself with a slow soekris
suffering from RF noise with about 50 interrupts per second on ral0.
ok deraadt


Revision tags: OPENBSD_5_1_BASE
# 1.68 25-Jan-2012 stsp

There is no need to explicitly skip ic_bss when iterating over cached nodes.
The ic_bss is never put into the RB tree.


# 1.67 25-Jan-2012 stsp

Clean inactive authenticated nodes during cache timeout as well.
There is no need to keep cached nodes which never associated and were
inactive within the last 5 minutes or more. Keeps the node cache pretty
clean in my environment with typical city-center wlan noise.


# 1.66 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@


# 1.65 21-Jan-2012 stsp

Hold interrupts blocked while comparing a cached node's refcount to zero
and freeing the node. Just in case an interrupt happens to ref the node after
the refcount was checked but before the node is freed.
Tested by several as part of a larger diff.


# 1.64 18-Jan-2012 stsp

Make it possible to free cached nodes which never associated (e.g. nodes
only scanning for networks). These were never put into COLLECT state and
were thus never evicted from the node cache in hostap mode.
ok jsg@


Revision tags: OPENBSD_5_0_BASE
# 1.63 28-Mar-2011 kettenis

Clean nodes until the number of cached nodes is smaller than the maximum number
of nodes, otherwise we'll never actually clean any nodes. Fixes issues with
clients failing to attach because the node cache is completely filled.

ok damien@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.62 07-Aug-2010 krw

No "\n" needed at the end of panic() strings.

Bogus chunks pointed out by matthew@ and miod@. No cookies for
marco@ and jasper@.

ok deraadt@ miod@ matthew@ jasper@ marco@


# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


# 1.60 19-Jun-2010 damien

In ieee80211_node_leave(), clear the associd after calling
ieee80211_node_leave_rsn() since ieee80211_node_leave_rsn()
calls ic_delete_key() and drivers like ral(4) RT2860 need
a valid associd in their delete_key callbacks.
This affects HostAP mode only.

from Nathanael Rensen.

remove a useless (nested) #ifndef IEEE80211_STA_ONLY while i'm here


# 1.59 14-Jun-2010 damien

fix my previous commit, i forgot BIP, so instead of enumerating
what is not supported as a group cipher, enumerate what is supported.


# 1.58 14-Jun-2010 damien

do not try to associate with an AP using an unsupported group cipher,
otherwise we will panic in ieee80211_add_rsn_body().

this may be the cause of a panic seen by reyk@ though i'm not 100% sure.


# 1.57 28-Mar-2010 krw

Four uses of uninitialized variables found by clang via jsg@. ar5416, ar9287
and athn are only theoretically interesting. ieee80211_node fixes a real
bug in occupied channel detection.

ok damien@


Revision tags: OPENBSD_4_7_BASE
# 1.56 17-Feb-2010 damien

Do not always create a new node when a beacon or a probe response
is received. The creation of a new node is already handled in
ieee80211_recv_probe_resp() when necessary.
This avoids creating empty nodes with wrong channels when beacons
are received on the wrong channel (overlapping channels).
Those empty nodes may also prevent the real node from being
discovered because of ieee80211_find_node_for_beacon() filtering.

This should prevent entries of the form:
nwid "" chan 3 bssid 00:01:02:03:04:05 0dB 54M
in "ifconfig if0 scan" output, as reported by Rivo Nurges.


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.55 29-Jan-2009 damien

fix a panic that occurs when IEEE80211_STA_ONLY is defined (SMALL_KERNEL).

noticed by ray@, more investigation from sthen@
fix tested by sthen@


# 1.54 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.53 28-Jan-2009 damien

In ieee80211_find_node(), roll our own RB_FIND() based on the key (macaddr)
instead of resorting to horrid hacks/casts.
Restore the ieee80211_node structure back to its original state.


# 1.52 27-Jan-2009 damien

unbreak SMALL_KERNEL builds by adding missing #ifndef IEEE80211_STA_ONLY

pointed out by krw@


# 1.51 26-Jan-2009 damien

move ni_macaddr field at the top of the ieee80211_node structure.
this way we can avoid putting a full node structure (which is huge)
on the stack in ieee80211_find_node().
this is a bit tricky but the RB_FIND macro wants an "elem" structure,
not a field of "elem".


# 1.50 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.49 14-Dec-2008 damien

Add an ieee80211_notify_dtim() function that drivers should call after
every DTIM in HostAP mode.
Flushes all group addressed MSDUs buffered at the AP for power management.


# 1.48 23-Oct-2008 mk

Prevent a crash in ieee80211_setkeys() when unplugging an interface in
hostap mode by canceling the group rekey timeout in ieee80211_node_detach().

ok damien


# 1.47 15-Oct-2008 blambert

Second pass of simple timeout_add -> timeout_add_sec conversions
This should take care of the simpler ones (i.e., timeout values of
integer multiples of hz).

ok krw@, art@


# 1.46 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.45 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.44 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.43 12-Aug-2008 damien

new SHA-256 based AKMPs.


# 1.42 12-Aug-2008 damien

add/process group integrity cipher suite in RSN IEs.
add support for MFP negotiation during association.


# 1.41 12-Aug-2008 damien

the only integrity group cipher currently supported is AES-128-CMAC.


# 1.40 12-Aug-2008 damien

generate a random IGTK in HostAP mode if we're MFP-capable.


# 1.39 12-Aug-2008 damien

get rid of the map_ptk()/map_gtk() functions, just inline them
which makes things easier to track.


Revision tags: OPENBSD_4_4_BASE
# 1.38 02-Aug-2008 damien

Drop frames that are received unencrypted when WEP is on or when
WPA is on and RX protection for TA is on.
Keep track of the TX/RX protection for each node when WPA is on.

tested by djm@ (ral+wpa), ckuethe@ (ath-noenc) and krw@ (wpi<->ral+wpa).
hints from bluhm@
has been in snaps for a few days.

pointed out by bluhm@ something like 1 year ago but we did not have
the right infrastructure to fix it properly at that time.

ok deraadt@


# 1.37 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.36 27-Jul-2008 damien

s/IEEE80211_DPRINTF/DPRINTF/
automatically prepend __func__ to output.

deobfuscates debug messages a bit.
no binary change unless compiled with IEEE80211_DEBUG.


# 1.35 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.34 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


# 1.33 21-Apr-2008 damien

move ieee80211_ibss_merge() from ieee80211_input.c to ieee80211_node.c


# 1.32 21-Apr-2008 damien

move ieee80211_auth_open() to ieee80211_proto.c
move ieee80211_setup_rates() to ieee80211_node.c
move some prototypes from ieee80211_proto.h to ieee80211_crypto.h


# 1.31 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.30 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.29 07-Sep-2007 damien

use new malloc M_ZERO flag + replace MALLOC with malloc


Revision tags: OPENBSD_4_2_BASE
# 1.28 06-Jul-2007 damien

remove remaining bits for pre-RSNA shared authmode support.
it has been #if 0'd since 3.9 and we have never supported this mode (no
ifconfig option etc...).


# 1.27 06-Jul-2007 damien

initialize an uninitialized variable.


# 1.26 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.25 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.24 16-Jun-2007 damien

constify


# 1.23 16-Jun-2007 damien

don't mix u_int{8,16,32}_t and uint{8,16,32}_t
use u_int{8,16,32}_t everywhere.


# 1.22 16-Jun-2007 damien

de-static

ok jsg@


# 1.21 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.20 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


# 1.19 10-Apr-2007 miod

``it's'' -> ``its'' when the grammar gods require this change.


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 13-Nov-2006 damien

fix a possible NULL deref.


Revision tags: OPENBSD_4_0_BASE
# 1.16 19-Jun-2006 reyk

unbreak the code if compiled with IEEE80211_DEBUG by using the right
node attribute.

ok damien@, figured out by claudio@


# 1.15 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.14 19-Feb-2006 damien

Fix a comment in ieee80211_next_scan().


# 1.13 09-Oct-2005 reyk

if the wireless hostap interface belongs to a bridge, learn the node's
address dynamically on this interface after successful association.
this could speed wireless roaming to OpenBSD access points.

ok jason@, jsg@ can't see anything objectionable


# 1.12 07-Oct-2005 reyk

minor knf


# 1.11 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.10 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.9 08-Sep-2005 jsg

Remove the last of the FreeBSD compatibility goop.
ok reyk@


# 1.8 08-Sep-2005 jsg

Remove FreeBSD if_printf compat function from net80211.
ok reyk@


# 1.7 08-Sep-2005 reyk

reset the scan state for each new mode

ok jsg@


# 1.6 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.5 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.4 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.3 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.2 02-Nov-2004 millert

Don't call memset() if MALLOC returns NULL; also fix the rcs ID.
From Patrick Latifi; OK reyk@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.177 10-Nov-2019 stsp

Stop connecting to available open wifi networks when the interface is put up.
From now on, this behaviour must be explicitly enabled with ifconfig join "".
ok sthen jcs deraadt


# 1.176 09-Nov-2019 stsp

Give access points which fail to AUTH or ASSOC less priority during
the next selection of networks from the join list. Prevents endless
attempts to connect to an AP which is out of reach but still somehow
manages to get a beacon or two across to us during scan.

Tested with wifi networks at the University of Bucharest.
Makes switching wifi networks possible after walking to a different
room without having to down/up the interface or suspend/resume.

ok phessler@


# 1.175 09-Nov-2019 stsp

Clear the unref callback function pointer when cleaning up an ieee80211_node.
ok mpi@


# 1.174 31-Oct-2019 stsp

Make background scans less frequent if we keep choosing the same AP.

This helps a bit in situations where a single AP is used and background scans
are causing packet loss, as seen with Jesper Wellin's Broadcom-based AP and my
Android phone in hotspot mode. This is not a proper fix but our background scan
frequency against a single AP was much higher than needed anyway.

Tested by jan, job, benno, Tracey Emery, Jesper Wallin


Revision tags: OPENBSD_6_6_BASE
# 1.173 02-Sep-2019 stsp

Make net80211 expose reasons for association failures to userland and have
ifconfig display them in 'scan' output and on the ieee80211 status line if
the failure is applicable to an already selected AP (e.g. wrong WPA key).

This will hopefully reduce the amount of help requests for what often
turn out to be trivial misconfiguration issues that were previously
hard to diagnose without debug mode.

ifconfig must be recompiled with the new ieee80211_ioctl.h to stay in
sync with the kernel. A full 'make build' will do the right thing!

Very helpful input by mpi@ and deraadt@


# 1.172 27-Aug-2019 stsp

Keep ieee80211_node structures cached across scans, rather than
wiping the entire cache every time a scan is triggered.

This has benefits for userland programs trying to look at scan results,
and for drivers which don't get a full view from hardware on every scan.

Nodes will still be evicted from the cache in one of several ways:

Add a new way of timing out inactive nodes which don't send a beacon
within 10 scan iterations, for client mode only. This should get rid
of stale APs if we're scanning for some time in a changing environment.

If we fail to associate a few times, the corresponding node is removed.

If net80211 transitions back to INIT state (e.g. because of a
user-initiated configuration change) all nodes are removed.

When a background scan starts all nodes will be removed. This could be
revisited later but has been intentionally left as-is for now.

Tested by myself, jmc@, benno@, procter@ on iwm(4), athn(4) and ral(4).


# 1.171 26-Aug-2019 stsp

remove redundant assignment to ic_curmode

This assignment to ic_curmode is redundant because it already occurs
inside ieee80211_setmode(), and channel information in selbs and ni
is equivalent after node_copy().

ok mpi@ kevlo@


# 1.170 29-Jul-2019 stsp

Add support for 802.11n Tx aggregation to net80211 and the iwn(4) driver.

In particular, add Tx block ack session management to net80211, with
enough functionality to support Tx aggregation on devices which perform
A-MPDU subframe scheduling in firmware.
Make use of the iwn(4) firmware Tx scheduler to build A-MPDUs.

net80211's QoS support code is now enabled and used by Tx aggregation.

A-MSDU frames inside A-MPDUs have been tested and work in principle.
For now, this feature is disabled because unfair TCP connection sharing
was observed during testing, where bursts of TCP Ack frames for a single
tcpbench(1) connection arriving in A-MSDUs made other TCP connections stall.
Switch off support for A-MSDUs inside A-MPDUs on the Rx side as well.

Tested on iwn chipsets 1000, 4965, 5100, 5300, 2200, 6200, 6205, 6300
(committed version of tested diff has all debug printfs removed)
tests/ok benno kmos mlarkin kevlo


# 1.169 23-Jul-2019 stsp

In 11n hostap mode, properly disable HT protection when needed
by actually overwriting the relevant bits in ni_htop1.
ok tedu@ phessler@ kettenis@


# 1.168 10-Jun-2019 stsp

Revised version of 'ifconfig mode' command fix.

The 'mode' command is supposed to force a wireless interface into 11a/b/g/n
media mode. This stopped working some time ago, probably during my work on
background scanning. Problem spotted by mlarkin@ who noticed that interfaces
were using 11g mode while forced to 11b mode.

ok phessler, jmatthew (earlier version)
relentless testing by krw@


# 1.167 31-May-2019 stsp

Revert my "Repair the 'ifconfig mode' command" commit.

The "recursion in end_scan()" problem is apparently still present in
the committed version of the diff (reported by krw@).


# 1.166 29-May-2019 stsp

Repair the 'ifconfig mode' command.

The 'mode' command is supposed to force a wireless interface into 11a/b/g/n
media mode. This stopped working some time ago, probably during my work on
background scanning. Problem spotted by mlarkin@ who noticed that interfaces
were using 11g mode while forced to 11b mode.

ok phessler, jmatthew


# 1.165 11-May-2019 stsp

Show driver name on net80211 scan debug lines.
ok mpi@


# 1.164 28-Apr-2019 mpi

Removes the KERNEL_LOCK() from bridge(4)'s output fast-path.

This redefines the ifp <-> bridge relationship. No lock can be
currently used across the multiples contexts where the bridge has
tentacles to protect a pointer, use an interface index.

Tested by various, ok dlg@, visa@


Revision tags: OPENBSD_6_5_BASE
# 1.163 15-Mar-2019 phessler

fix autojoin for WEP network by actually saving the WEP auth key

discovered while attempting to autojoin WEP networks


# 1.162 01-Mar-2019 stsp

Improve handling of HT protection for 'mode 11n' hostap.

Consider the mere presence of HTCAP IEs as indicator of 11n support,
rather than checking advertised Rx MCS. Fixes some devices being
misclassified as 11a/g, causing HT protection to be enabled even
though it is not needed.

Use CTS-to-self frames for HT protection instead of RTS/CTS.

These changes make my athn(4) AR9280 hostap perform much better.

ok phessler@


# 1.161 23-Jan-2019 stsp

Move 802.11n rateset definitions out of MiRA and make them available to
net80211 and drivers in general. Add ratesets for 'short guard interval'
(SGI) rates, and add SGI support to MiRA. SGI is currently only used by
iwm(4), and of course internally by bwfm(4) firmware.
Ratesets for 11n 40 MHz channels and 11ac will come later.
ok mpi@ phessler@


# 1.160 18-Jan-2019 phessler

add a len field when we delete an essid from the joinlist. this will have
us properly match, instead of hoping we got lucky when selecting it.

OK stsp@


# 1.159 18-Jan-2019 phessler

let users automatically use join to connect to any open wifi network.
if a known network is visible, always prefer that instead.

requested by many, OK stsp@


# 1.158 25-Nov-2018 phessler

print more details about the join'd networks we have saved when a user runs
ifconfig if joinlist

OK stsp@


# 1.157 20-Nov-2018 phessler

fix whitespace in debugging function


# 1.156 20-Nov-2018 patrick

The first packet received from each AP in each QoS class would be
dropped as the sequence number matches the initial value of the
cached last sequence number (zero). On some APs (notably Android
WIFI hotspots) this hits the first packet of the WPA2 4-way
handshake. This causes connection delays and in some cases
connection to the AP fails completely. Initialize the cached last
sequence numbers for received packets to an invalid value instead.

From Christian Ehrhardt
ok gerhard@ stsp@
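The sentinel bug described in this entry, as an added illustration (not OpenBSD code): a per-TID cache of the last received sequence number is zero-initialised, so a first frame carrying sequence number 0 is mistaken for a retransmission, and since the AP's first EAPOL frame is what gets dropped, the WPA2 4-way handshake stalls. The structure, function names and the simplified duplicate rule (equal sequence number on the same TID means drop) are assumptions made for the example; the fix is the same as the commit describes, seeding the cache with a value outside the 12-bit sequence space.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed illustration, not net80211 code. */
#define NUM_TIDS    16      /* 802.11 QoS traffic identifiers 0..15 */
#define SEQ_MAX     4095    /* sequence numbers are 12 bits wide */
#define SEQ_INVALID 0xffff  /* outside the 12-bit space: "nothing seen yet" */

struct peer_rxstate {
    uint16_t last_seq[NUM_TIDS];   /* last accepted sequence number per TID */
};

/* Before the fix: zero-initialised cache. Zero is a legal sequence number,
 * so the very first frame on a TID with seq 0 looks like a retransmission. */
void rxstate_init_zero(struct peer_rxstate *st)
{
    memset(st->last_seq, 0, sizeof st->last_seq);
}

/* After the fix: seed every TID with a value no frame can carry. */
void rxstate_init_invalid(struct peer_rxstate *st)
{
    for (int tid = 0; tid < NUM_TIDS; tid++)
        st->last_seq[tid] = SEQ_INVALID;
}

/* Simplified duplicate check (assumption for this example): a frame whose
 * sequence number equals the last accepted one on its TID is treated as a
 * retransmission and dropped. Returns true if dropped, false if accepted. */
bool rx_is_duplicate(struct peer_rxstate *st, unsigned tid, uint16_t seq)
{
    if (tid >= NUM_TIDS || seq > SEQ_MAX)
        return true;                     /* malformed: drop */
    if (st->last_seq[tid] == seq)
        return true;                     /* same seq as last frame: drop */
    st->last_seq[tid] = seq;             /* accept and remember */
    return false;
}

/* Feed the first frame of a session (seq 0 on TID 0) through a freshly
 * initialised state and report whether it was dropped. */
bool first_frame_dropped(bool use_invalid_sentinel)
{
    struct peer_rxstate st;
    if (use_invalid_sentinel)
        rxstate_init_invalid(&st);
    else
        rxstate_init_zero(&st);
    return rx_is_duplicate(&st, 0, 0);
}

/* A genuine retransmission must still be caught after the fix. */
bool retransmission_still_dropped(void)
{
    struct peer_rxstate st;
    rxstate_init_invalid(&st);
    (void)rx_is_duplicate(&st, 3, 17);   /* first copy accepted */
    return rx_is_duplicate(&st, 3, 17);  /* second copy dropped */
}
```

With the zero-initialised cache the first frame on every TID is lost; with the out-of-range sentinel the first frame is accepted while a real retransmission is still dropped. The general lesson is that a "last seen" cache needs an initial value that cannot collide with legitimate input.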


# 1.155 27-Oct-2018 phessler

pass around the ess and ni structures we plan to use directly, instead
of rediscovering them (possibly badly).

OK stsp@


# 1.154 27-Oct-2018 phessler

clean up accounting of the AUTO_JOIN flag by making sure it is set or cleared
based on the state of the joinlist

OK stsp@


# 1.153 27-Oct-2018 phessler

don't join to a network where we expect cleartext, and the AP is using crypto

OK stsp@


Revision tags: OPENBSD_6_4_BASE
# 1.152 18-Sep-2018 mestre

fix memory leak in ieee80211_end_scan()

OK phessler@ jsg@


# 1.151 17-Sep-2018 jsg

fix memory leaks in ieee80211_add_ess()
ok stsp@ phessler@


# 1.150 11-Sep-2018 phessler

use the format string for signed ints, for signed ints

reminded by stsp@


# 1.149 11-Sep-2018 phessler

With the interface debug flag enabled, print a "score" for each AP we
consider during auto-join. This can help users determine why a specific
network was chosen.

OK stsp@


# 1.148 10-Sep-2018 phessler

fix typo in the length of the essid we want to switch to

found with and OK stsp@


# 1.147 10-Sep-2018 phessler

extract clearing WEP/WPA in ess into helper functions


# 1.146 10-Sep-2018 phessler

give set_ess a len variable, so we can correctly match the essid we want
to switch to.

pointed out by stsp@


# 1.145 09-Sep-2018 phessler

convert the things we save in 'join' into a single ioctl. mixing related
settings over multiple calls was risky and racy. Pass essid, wpa, and wep
parameters in a single ioctl and process it atomically.

no change for 'nwid' users

OK stsp@ benno@


# 1.144 06-Sep-2018 jsg

fix whitespace


# 1.143 01-Sep-2018 stsp

Make 'ifconfig nwid' override 'ifconfig join'.

There was no way to override a decision made by join's network
selection algorithm (apart from disabling the feature by clearing
the join list). Automatic selection is based on heuristics which
cannot always guess correctly so we need to provide an override.

One specific problem was that if 'nwid foo' and 'nwid bar' were
both visible in the scan and only 'nwid foo' was a member of the
join list, then there was no way at all to connect to 'nwid bar'.
The wireless stack would keep selecting 'nwid foo' instead.

'ifconfig iwm0 nwid bar' command will now disable automatic
network selection and force the use of ESSID 'bar'.
Any of these commands will re-enable automatic network selection:
ifconfig iwm0 -nwid
ifconfig iwm0 nwid ''
ifconfig iwm0 join some-network-id

ok phessler@ deraadt@


# 1.142 15-Aug-2018 stsp

Update AP selection heuristics for auto-join.

We now prefer stronger crypto over weaker crypto over none, prefer 5 GHz
band with reasonable RSSI, and use RSSI as a tie-breaker with a slight
advantage for 5GHz. Candidate APs are now ranked by a score which is
calculated based on these attributes.

There is likely room for improvements to make these heuristics
work well across many different environments, but it's a start.

ok phessler@


# 1.141 13-Aug-2018 stsp

Add support for band-steering access points to net80211.

Some access points have a feature called "band steering" where they
will try to push clients from 2 GHz channels to 5 GHz channels.
If a client sends probe-requests on both 2 GHz and 5GHz channels, and
then attempts to authenticate on a 2 GHz channel, such APs will deny
authentication and hope that the client will come back on a 5 GHz channel.

So if we fail to AUTH for any reason, and if there is a different
AP with the same ESSID that we haven't tried yet, try that AP next.
Keep trying until no APs are left, and only then continue scanning.

APs with support for this feature were provided by Mischa Peters.

ok phessler@ mpi@


# 1.140 11-Aug-2018 stsp

Add comment explaining why we read basic MCS set only from beacon/probereq.
requested by mpi@


# 1.139 07-Aug-2018 stsp

Ignore basic MCS set information found in association responses.

Some APs (Aruba 105) send a bogus basic MCS set in assoc responses
which prevents us from enabling 11n support with those APs, while
these APs still behave as if we were an 11n client which renders
the association unusable.

The basic MCS set is already provided in beacons anyway, and the
802.11 2012 standard says the basic MCS set is reserved in frames
other than beacons (see Table 8-130).

ok mpi@


# 1.138 06-Aug-2018 stsp

Refactor ieee80211_add_ess():

Drop ieee80211_add_ess's nwid parameter. Read nwid and length directly
from the ic to make it more obvious where this function is reading from.

nwids are binary data with an explicit length, so treat them as such
instead of treating them like strings.

ok florian phessler


# 1.137 06-Aug-2018 florian

Do not set nwid over and over again. We just found the ess by comparing
the nwid. It will not have changed in the meantime.
OK stsp


# 1.136 03-Aug-2018 phessler

revert 1.133 and part of 1.131
the stack doesn't always fill in the parameters correctly

reported by many


# 1.135 30-Jul-2018 stsp

Don't ask drivers to join a wifi network before an AP has been chosen.
Should fix a panic with bwfm(4) reported by mlarkin@
ok phessler@


# 1.134 19-Jul-2018 florian

ieee80211_ess_is_better() returns 0 or 1, comparing > 1 is always
false so we always selected the first wifi available, not the best
one.

While here shuffle some deck chairs to make it clearer that anything is
better than nothing.

tweak & OK phessler


# 1.133 16-Jul-2018 phessler

the AP sends their crypto parameters as a mask, so let us still select it
in case we want WPA2 and they have WPA1 still enabled


# 1.132 16-Jul-2018 phessler

don't save or use auto-join when the card is not in station (aka client) mode

OK stsp@


# 1.131 13-Jul-2018 phessler

Some more checks before auto-join switches networks.

Make sure all of the crypto options the AP announces matches what we
would configure. While here, don't switch if the user has specified
a specific BSSID, and the new AP does not match.

OK stsp@


# 1.130 11-Jul-2018 phessler

Introduce 'auto-join' to the wifi 802.11 stack.

This allows a system to remember which ESSIDs it wants to connect to, any
relevant security configuration, and switch to it when the network we are
currently connected to is no longer available.

Works when connecting and switching between WPA2/WPA1/WEP/clear encryptions.

example hostname.if:
join home wpakey password
join work wpakey mekmitasdigoat
join open-lounge
join cafe wpakey cafe2018
join "wepnetwork" nwkey "12345"
dhcp
inet6 autoconf
up

OK stsp@ reyk@
and enthusiasm from every hackroom I've been in for the last 3 years


# 1.129 28-Apr-2018 stsp

When starting a background scan, free the nodes table to ensure we
get an up-to-date view of APs around us. In particular, we need to
kick out the AP we are associated to. Otherwise, our current AP might
stay cached if it is turned off while we are scanning, and we could
end up picking a now non-existent but "good looking" AP over and over.

found with and ok phessler@


# 1.128 27-Apr-2018 stsp

Fix the scan loop: We were only looking for an AP once and stopped
scanning if none was found.
Accidentally broken in recent ifconfig scan changes by pirofti and me.
ok pirofti


# 1.127 26-Apr-2018 pirofti

net80211: stub SIOCS80211SCAN, make ifconfig scan instant.

The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stsp@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.

The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.

In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.

The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...

Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.

Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).

Tested by mpi@, landry@, florian@, thanks!
OK mpi@.


Revision tags: OPENBSD_6_3_BASE
# 1.126 06-Feb-2018 phessler

convert the test if a node supports HT (aka, 11n) into an inline function,
instead of testing some un-obvious bitfield

OK stsp@


# 1.125 12-Dec-2017 stsp

Don't dereference IEEE80211_CHAN_ANYC pointer in ieee80211_node_checkrssi().

Problem reported by Gregoire Jadi on bugs@


# 1.124 12-Dec-2017 phessler

Allow interfaces that aren't SCANNALLBAND drivers to benefit from the
strongest received signal.

OK stsp@


# 1.123 12-Dec-2017 jcs

Fix the behavior of preferring weaker-but-still-good 5GHz APs over
2GHz APs because the 5GHz band is generally less saturated.

The previous implementation was dependent upon the order of walking
APs.

ok stsp


# 1.122 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


Revision tags: OPENBSD_6_2_BASE
# 1.121 05-Sep-2017 stsp

When starting a new scan always set the mode to AUTO if the driver scans
all bands at once. Fixes a problem where e.g. 5GHz APs were filtered out
if we were previously associated to an 11g-only AP.
ok mpi@ phessler@


# 1.120 17-Aug-2017 stsp

Add an entry to dmesg if pairwise WPA keys arrive unexpectedly or if WPA
group keys are being reused. OpenBSD wireless clients will now leave a
trail of such events in their message log.

There has been increased public scrutiny of WPA's security recently, so
I am curious to see if anyone is attempting replay attacks in the wild.

ok deraadt


# 1.119 04-Aug-2017 stsp

Compile a debug printf in ieee80211_match_bss() by default, previously
guarded by the IEEE80211_DEBUG preprocessor flag. This shows one line
per detected AP after a scan, and indicates which APs are considered
candidates for association.
Shorten the output a bit to fit into 80 columns more likely.
ok sthen@


# 1.118 19-Jul-2017 stsp

Improve the heuristic which selects 5GHz APs over 2GHz APs.

The previous code wasn't quite right: it didn't account for the fact that
some drivers don't set ic_max_rssi, and it compared 5GHz APs to a threshold
relative to the max RSSI, rather than comparing RSSI on 5GHz relative to
RSSI on 2GHz.

This heuristic is only used by SCANNALLBAND drivers: iwn(4), iwm(4), wpi(4)

In the future the AP selection heuristic should be made more intelligent,
e.g. it should take BSS load information in beacons into account.
Another open problem is inconsistent representation of RSSI measurement
values throughout our drivers and stack. Help is welcome!

For now, this hopefully improves AP selection at busy airports.

ok sthen@ deraadt@


# 1.117 04-Jun-2017 tb

Add sizes for free for the RSN IEs. Rewrite ieee80211_save_ie() slightly
to make it more readable.

help, many explanations and ok stsp


# 1.116 03-Jun-2017 tb

Add a few sizes to free().

Input, help & ok stsp


Revision tags: OPENBSD_6_1_BASE
# 1.115 04-Mar-2017 stsp

branches: 1.115.4;
In 11n hostap mode, dynamically adjust HT protection settings based on
the presence of non-HT nodes in the node cache.
OpenBSD 11n APs will now disable HT protection if it is not necessary.
ok mpi@


# 1.114 03-Feb-2017 stsp

Fix 11b clients sending bogus ratesets in association requests. The common
rateset with the AP is calculated only after the association response was
received, which is too late. Fix rates when an AP is selected after a scan.
ok mpi@ tb@


# 1.113 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.112 16-Jan-2017 stsp

Reset block ack state and cancel related timeouts when a HT node disassociates.
The existing code (from damien@) already took care of freeing related buffers
but because block ack state was not reset we were still trying to use these
buffers if the node sent another A-MPDU. This problem only affects 11n hostap.
Fixes kernel crash reported by Timo Myyra on bugs@


# 1.111 09-Jan-2017 stsp

When a HT node leaves or reassociates as a non-HT node,
clear HT capabilities stored in its node cache object.

A node may switch from 11n mode to 11a/b/g mode.
If we don't clear HT capabilities from the cache the node will
be mistaken as 11n-capable after reassociation.

ok phessler@ mpi@


# 1.110 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.109 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.108 09-Jan-2017 stsp

The point of ieee80211_node_leave() is to place the node in COLLECT state.
Return early and do nothing if the node is already in COLLECT state upon
entry to this function.


# 1.107 09-Jan-2017 stsp

When acting as hostap, negotiate HT before calling the driver's ic_newassoc()
function, not afterwards. Drivers now know whether a joining node supports HT
which helps with setting up state such as which Tx rate to use.


# 1.106 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@


# 1.105 15-Sep-2016 dlg

move from RB macros to the RBT functions.

shaves about 5k off an amd64 GENERIC.MP kernel


# 1.104 17-Aug-2016 stsp

If a wireless device or driver scans all bands at once give 5GHz APs
a slight priority in cases where good matches exist in either band.
ok sthen@


Revision tags: OPENBSD_6_0_BASE
# 1.103 21-May-2016 stsp

branches: 1.103.2;
Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


# 1.102 18-May-2016 stsp

In hostap mode, don't re-use association IDs (AIDs) of nodes which are
still lingering in the node cache. This could cause an AID to be assigned
twice, once to a newly associated node and once to a different node in
COLLECT cache state (i.e. marked for future eviction from the node cache).

Drivers (e.g. rt2860) may use AIDs to keep track of nodes in firmware
tables and get confused when AIDs aren't unique across the node cache.
The symptom observed with rt2860 were nodes stuck at 1 Mbps Tx rate since
the duplicate AID made the driver perform Tx rate (AMRR) accounting on
the wrong node object.

To find out if a node is associated we now check the node's cache state,
rather than comparing the node's AID against zero. An AID is assigned when
a node associates and it lasts until the node is eventually purged from the
node cache (previously, the AID was made available for re-use when the node
was placed in COLLECT state). There is no need to be stingy with AIDs since
the number of possible AIDs exceeds the maximum number of nodes in the cache.

Problem found by Nathanael Rensen.
Fix written by Nathanael and myself. Tested by Nathanael.
Committing now to get this change tested across as many drivers as possible.
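The AID re-use problem from this entry, as an added illustration (not OpenBSD code): under the old rule an AID was considered free as soon as its node left the associated state, so a node lingering in COLLECT and a newly associated node could share one AID, and a driver keeping a firmware table keyed by AID then does its per-node accounting on the wrong entry. The cache layout, state names, sizes and function names are assumptions made for the example; the two policies compared are the ones the commit describes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed illustration, not net80211 code. */
#define MAX_NODES 4     /* hypothetical node cache size */
#define MAX_AID   8     /* hypothetical AID space; must exceed MAX_NODES */

/* Node cache states; COLLECT = marked for future eviction but still cached. */
enum node_state { ST_CACHE, ST_AUTH, ST_ASSOC, ST_COLLECT };

struct node {
    bool            used;   /* slot occupied in the cache */
    enum node_state state;
    uint16_t        aid;    /* 0 = none assigned */
};

struct node_cache {
    struct node nodes[MAX_NODES];
};

/* Old behaviour: only nodes that are currently associated hold their AID;
 * a node moved to COLLECT has effectively released it for re-use. */
bool aid_in_use_old(const struct node_cache *nc, uint16_t aid)
{
    for (size_t i = 0; i < MAX_NODES; i++) {
        const struct node *n = &nc->nodes[i];
        if (n->used && n->state == ST_ASSOC && n->aid == aid)
            return true;
    }
    return false;
}

/* Fixed behaviour: any node still present in the cache keeps its AID
 * reserved, whatever its state, until the node is purged. */
bool aid_in_use_new(const struct node_cache *nc, uint16_t aid)
{
    for (size_t i = 0; i < MAX_NODES; i++) {
        const struct node *n = &nc->nodes[i];
        if (n->used && n->aid == aid)
            return true;
    }
    return false;
}

/* Hand out the lowest AID not in use under the given policy; 0 on exhaustion. */
uint16_t alloc_aid(const struct node_cache *nc,
                   bool (*in_use)(const struct node_cache *, uint16_t))
{
    for (uint16_t aid = 1; aid <= MAX_AID; aid++)
        if (!in_use(nc, aid))
            return aid;
    return 0;
}

/* "Associated" is a property of cache state, not of aid != 0. */
bool node_is_associated(const struct node *n)
{
    return n->used && n->state == ST_ASSOC;
}

/* Scenario from the commit message: node A associates and is given AID 1,
 * then leaves and lingers in COLLECT; node B associates next.
 * Returns the AID handed to B. */
uint16_t aid_after_lingering_node(bool fixed)
{
    struct node_cache nc = {0};
    nc.nodes[0] = (struct node){ .used = true, .state = ST_ASSOC, .aid = 1 };
    nc.nodes[0].state = ST_COLLECT;          /* A leaves but stays cached */
    return alloc_aid(&nc, fixed ? aid_in_use_new : aid_in_use_old);
}

/* The lingering node must not be reported as associated merely because
 * it still carries an AID. */
bool lingering_node_reported_associated(void)
{
    struct node n = { .used = true, .state = ST_COLLECT, .aid = 1 };
    return node_is_associated(&n);
}
```

The old policy hands B the AID 1 that A still holds in the cache; the fixed policy skips to 2. Because the AID space is larger than the cache, reserving an AID for the node's whole cache lifetime never exhausts it.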


# 1.101 12-Apr-2016 mpi

Call if_enqueue() and if_start() instead of dereferencing the ifp
pointers.

These functions have been introduced to abstract some of the MP-
safeness^Wmadness and should be used everywhere.

Prodded by a comment from jsg@.

ok mikeb@, stsp@


# 1.100 03-Mar-2016 gerhard

Restore assignment of ic_curmode that was accidentally removed when
moving the ERP code to post-assoc phase. Fixes iwi(4) fatal firmware
errors.

ok stsp@, sobrado@


Revision tags: OPENBSD_5_9_BASE
# 1.99 25-Jan-2016 stsp

branches: 1.99.2;
Honour ERP protection on 2 GHz channels in 11n mode, as done for 11g.
ok millert@


# 1.98 25-Jan-2016 stsp

Don't try to interpret htprot data if the last beacon didn't contain such data.
ok mpi@ millert@


# 1.97 07-Jan-2016 stsp

Make the A-MPDU reordering buffer more resilient against APs which drop
some subframes or let the sequence number jump up by more than 1 (hard
to tell which it is). We decrease the BA inactivity timeout for quicker
recovery from stalled BA sessions, and add a new timeout which keeps track
of gaps in the subframe sequence number space due to dropped frames.
Gaps expire after 500 msec, the same value FreeBSD uses for their
implementation of this workaround. And Linux uses this trick, too.

This should fix network stalls some people have been seeing in 11n mode.

ok deraadt@


# 1.96 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.95 04-Jan-2016 stsp

While configuring ERP we need to know if we're in 11a or 11g mode so only
configure ERP once we are sure about our operation mode against the AP.
ok sthen jasper kettenis deraadt mpi


# 1.94 18-Dec-2015 sthen

unnoccupied->unoccupied


# 1.93 12-Dec-2015 stsp

Finish support for receiving 11n A-MPDUs.

The initial implementation was added by damien@ years ago.
Summary of the changes made in this commit:
- In ieee80211_input(), process A-MPDUs before duplicate detection.
- Don't forget to set ba->ba_ni in ieee80211_recv_addba_req()
so we don't crash in ieee80211_rx_ba_timeout().
- In ieee80211_recv_addba_req(), tweak the logic to deny BlockAck
requests if the driver has no callback for doing so.
- Implement ieee80211_ba_del() which cleans up BlockAck state.
- Increase the minimum and maximum lifetime for BlockAck agreements.

ok mpi@


# 1.92 24-Nov-2015 mpi

No need to include <net/if_arp.h>

This header is only needed because <netinet/if_ether.h> declares a
structure that needs it. But it turns out that <net/if.h> already
includes it as workaround.

A proper solution would be to stop declaring "struct ether_arp"
there. But no driver should need this header.


# 1.91 15-Nov-2015 stsp

Parse 11n HT capabilities and operational info from association response
frames, negotiate HT with the AP, and move the interface into or out of
11n mode accordingly. If running as AP negotiate HT with nodes joining the BSS.

ok deraadt mpi kettenis guenther


# 1.90 15-Nov-2015 stsp

Extend struct ieee80211_node with fields for 11n STA HT capabilities and
HT operational information sent by 11n APs. These fields reflect the structure
of elements in management frames so that IEEE80211_HTCAP* and IEEE80211_HTOP*
macros designed to operate on frame elements can be used directly to read
or set the fields.

Populate nodes with HT information received in probe responses, probe
requests, and association requests.

ok deraadt mpi phessler kettenis guenther


# 1.89 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


Revision tags: OPENBSD_5_8_BASE
# 1.88 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.87 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.86 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.85 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.84 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.83 12-Sep-2014 sthen

Remove cached 802.11 nodes in IEEE80211_STA_CACHE state (these are nodes
which have been seen but which haven't otherwise interacted with us), fixing
a problem where old cached nodes are seen when doing a scan.
From Marcin Piotr Pawlowski, feedback stsp@ ok kspillner@ dcoppa@


# 1.82 08-Aug-2014 jasper

use nitems() instead of various local constructs

ok stsp@


Revision tags: OPENBSD_5_6_BASE
# 1.81 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


Revision tags: OPENBSD_5_5_BASE
# 1.80 01-Dec-2013 stsp

Reset txrate array index after changing a node's rate list.
Should prevent "bogus xmit rate %d setup" panics, which I ran into again
in IBSS mode.
ok kettenis


# 1.79 21-Nov-2013 mpi

Remove unneeded include.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.78 24-Mar-2013 claudio

Make ieee80211_set_tim() available from outside of ieee80211_node.c
so drivers like acx(4) can use that function directly instead of
reimplementing the function again. Requested by kettenis@ long time ago.


Revision tags: OPENBSD_5_3_BASE
# 1.77 07-Nov-2012 stsp

Fix DPRINTF() format string treating n->ni_refcnt, which is unsigned, as signed.
diff from dhill; ok kettenis reyk


# 1.76 10-Oct-2012 kettenis

Clear the powersave flag and purge queued packets when a node leaves the AP
(either by disassociating or by timeout). Fixes (most) remaining issues with
power saving.

From Nathanael Rensen.

ok claudio@, krw@, sthen@


# 1.75 05-Oct-2012 camield

Point an interface directly to its bridgeport configuration, instead
of to the bridge itself. This is ok, since an interface can only be part
of one bridge, and the parent bridge is easy to find from the bridgeport.

This way we can get rid of a lot of list walks, improving performance
and shortening the code.

ok henning stsp sthen reyk


# 1.74 20-Sep-2012 stsp

Nuke M_80211_NODE #define which mapped to M_DEVBUF and use M_DEVBUF directly.
ok henning


# 1.73 25-Aug-2012 kettenis

Set up ni_savedq for the initial BSS node such that it can actually be used
to store multicast frames when one of the associated stations is in power
saving mode.

ok stsp@


# 1.72 17-Aug-2012 stsp

Fix possible panic while switching from STA mode into hostap/ibss modes.
ieee80211_create_ibss() resets the set of supported rates but failed
to update the index into the rate set array accordingly. If the rate
configured during STA operation didn't belong to the newly configured
rate set the system ran into an assertion ("bogus xmit rate %u setup")
while trying to create the IBSS.
ok fgsch@


Revision tags: OPENBSD_5_2_BASE
# 1.71 18-Jul-2012 stsp

Print messages about nodes purged from the node cache if hostap/ibss modes are
compiled in and the interface is in debug mode. ok sthen


# 1.70 16-Jul-2012 stsp

Move increment of ic_nnodes closer to where the node is actually inserted
into the cache. Make sure we're at IPL_NET while incrementing/decrementing
ic_nnodes. Add a debug message that warns about possible node leaks.
All of this affects hostap mode only.


# 1.69 13-Jul-2012 stsp

Tweak node cache eviction strategy when the cache is full: kick off new nodes
in AUTH state that weren't active during the cache wait interval rather than
keeping them for the entire cache timeout interval. Fixes association failures
in noisy RF environments. Tested by edd and myself with a slow soekris
suffering from RF noise with about 50 interrupts per second on ral0.
ok deraadt


Revision tags: OPENBSD_5_1_BASE
# 1.68 25-Jan-2012 stsp

There is no need to explicitly skip ic_bss when iterating over cached nodes.
The ic_bss is never put into the RB tree.


# 1.67 25-Jan-2012 stsp

Clean inactive authenticated nodes during cache timeout as well.
There is no need to keep nodes cached which never associated and were
inactive within the last 5 minutes or more. Keeps the node cache pretty
clean in my environment with typical city-center wlan noise.


# 1.66 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@


# 1.65 21-Jan-2012 stsp

Hold interrupts blocked while comparing a cached node's refcount to zero
and freeing the node. Just in case an interrupt happens to ref the node after
the refcount was checked but before the node is freed.
Tested by several as part of a larger diff.


# 1.64 18-Jan-2012 stsp

Make it possible to free cached nodes which never associated (e.g. nodes
only scanning for networks). These were never put into COLLECT state and
were thus never evicted from the node cache in hostap mode.
ok jsg@


Revision tags: OPENBSD_5_0_BASE
# 1.63 28-Mar-2011 kettenis

Clean nodes until the number of cached nodes is smaller than the maximum number
of nodes, otherwise we'll never actually clean any nodes. Fixes issues with
clients failing to attach because the node cache is completely filled.

ok damien@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.62 07-Aug-2010 krw

No "\n" needed at the end of panic() strings.

Bogus chunks pointed out by matthew@ and miod@. No cookies for
marco@ and jasper@.

ok deraadt@ miod@ matthew@ jasper@ macro@


# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


# 1.60 19-Jun-2010 damien

In ieee80211_node_leave(), clear the associd after calling
ieee80211_node_leave_rsn() since ieee80211_node_leave_rsn()
calls ic_delete_key() and drivers like ral(4) RT2860 need
a valid associd in their delete_key callbacks.
This affects HostAP mode only.

from Nathanael Rensen.

remove a useless (nested) #ifndef IEEE80211_STA_ONLY while i'm here


# 1.59 14-Jun-2010 damien

fix my previous commit, i forgot BIP, so instead of enumerating
what is not supported as a group cipher, enumerate what is supported.


# 1.58 14-Jun-2010 damien

do not try to associate with an AP using an unsupported group cipher,
otherwise we will panic in ieee80211_add_rsn_body().

this may be the cause of a panic seen by reyk@ though i'm not 100% sure.


# 1.57 28-Mar-2010 krw

Four uses of uninitialized variables found by clang via jsg@. ar5416, ar9287
and athn are only theoretically interesting. ieee80211_node fixes a real
bug in occupied channel detection.

ok damien@


Revision tags: OPENBSD_4_7_BASE
# 1.56 17-Feb-2010 damien

Do not always create a new node when a beacon or a probe response
is received. The creation of a new node is already handled in
ieee80211_recv_probe_resp() when necessary.
This avoids creating empty nodes with wrong channels when beacons
are received on the wrong channel (overlapping channels).
Those empty nodes may also prevent the real node from being
discovered because of ieee80211_find_node_for_beacon() filtering.

This should prevent entries of the form:
nwid "" chan 3 bssid 00:01:02:03:04:05 0dB 54M
in "ifconfig if0 scan" output, like reported by Rivo Nurges.


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.55 29-Jan-2009 damien

fix a panic that occurs when IEEE80211_STA_ONLY is defined (SMALL_KERNEL).

noticed by ray@, more investigation from sthen@
fix tested by sthen@


# 1.54 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.53 28-Jan-2009 damien

In ieee80211_find_node(), roll our own RB_FIND() based on the key (macaddr)
instead of resorting to horrid hacks/casts.
Restore the ieee80211_node structure back to its original state.


# 1.52 27-Jan-2009 damien

unbreak SMALL_KERNEL builds by adding missing #ifndef IEEE80211_STA_ONLY

pointed out by krw@


# 1.51 26-Jan-2009 damien

move ni_macaddr field at the top of the ieee80211_node structure.
this way we can avoid putting a full node structure (which is huge)
on the stack in ieee80211_find_node().
this is a bit tricky but the RB_FIND macro wants an "elem" structure,
not a field of "elem".


# 1.50 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.49 14-Dec-2008 damien

Add an ieee80211_notify_dtim() function that drivers should call after
every DTIM in HostAP mode.
Flushes all group addressed MSDUs buffered at the AP for power management.


# 1.48 23-Oct-2008 mk

Prevent a crash in ieee80211_setkeys() when unplugging an interface in
hostap mode by canceling the group rekey timeout in ieee80211_node_detach().

ok damien


# 1.47 15-Oct-2008 blambert

Second pass of simple timeout_add -> timeout_add_sec conversions
This should take care of the simpler ones (i.e., timeout values of
integer multiples of hz).

ok krw@, art@


# 1.46 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.45 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.44 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.43 12-Aug-2008 damien

new SHA-256 based AKMPs.


# 1.42 12-Aug-2008 damien

add/process group integrity cipher suite in RSN IEs.
add support for MFP negotiation during association.


# 1.41 12-Aug-2008 damien

the only integrity group cipher currently supported is AES-128-CMAC.


# 1.40 12-Aug-2008 damien

generate a random IGTK in HostAP mode if we're MFP-capable.


# 1.39 12-Aug-2008 damien

get rid of the map_ptk()/map_gtk() functions, just inline them
which makes things easier to track.


Revision tags: OPENBSD_4_4_BASE
# 1.38 02-Aug-2008 damien

Drop frames that are received unencrypted when WEP is on or when
WPA is on and RX protection for TA is on.
Keep track of the TX/RX protection for each node when WPA is on.

tested by djm@ (ral+wpa), ckuethe@ (ath-noenc) and krw@ (wpi<->ral+wpa).
hints from bluhm@
has been in snaps for a few days.

pointed out by bluhm@ something like 1 year ago but we did not have
the right infrastructure to fix it properly at that time.

ok deraadt@


# 1.37 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.36 27-Jul-2008 damien

s/IEEE80211_DPRINTF/DPRINTF/
automatically prepend __func__ to output.

deobfuscates debug messages a bit.
no binary change unless compiled with IEEE80211_DEBUG.


# 1.35 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.34 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


# 1.33 21-Apr-2008 damien

move ieee80211_ibss_merge() from ieee80211_input.c to ieee80211_node.c


# 1.32 21-Apr-2008 damien

move ieee80211_auth_open() to ieee80211_proto.c
move ieee80211_setup_rates() to ieee80211_node.c
move some prototypes from ieee80211_proto.h to ieee80211_crypto.h


# 1.31 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.30 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.29 07-Sep-2007 damien

use new malloc M_ZERO flag + replace MALLOC with malloc


Revision tags: OPENBSD_4_2_BASE
# 1.28 06-Jul-2007 damien

remove remaining bits for pre-RSNA shared authmode support.
it has been #if 0'd since 3.9 and we have never supported this mode (no
ifconfig option etc...).


# 1.27 06-Jul-2007 damien

initialize an uninitialized variable.


# 1.26 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.25 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.24 16-Jun-2007 damien

constify


# 1.23 16-Jun-2007 damien

don't mix u_int{8,16,32}_t and uint{8,16,32}_t
use u_int{8,16,32}_t everywhere.


# 1.22 16-Jun-2007 damien

de-static

ok jsg@


# 1.21 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.20 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


# 1.19 10-Apr-2007 miod

``it's'' -> ``its'' when the grammar gods require this change.


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 13-Nov-2006 damien

fix a possible NULL deref.


Revision tags: OPENBSD_4_0_BASE
# 1.16 19-Jun-2006 reyk

unbreak the code if compiled with IEEE80211_DEBUG by using the right
node attribute.

ok damien@, figured out by claudio@


# 1.15 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.14 19-Feb-2006 damien

Fix a comment in ieee80211_next_scan().


# 1.13 09-Oct-2005 reyk

if the wireless hostap interface belongs to a bridge, learn the node's
address dynamically on this interface after successful association.
this could speed wireless roaming to openbsd accesspoints.

ok jason@, jsg@ can't see anything objectionable


# 1.12 07-Oct-2005 reyk

minor knf


# 1.11 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.10 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.9 08-Sep-2005 jsg

Remove the last of the FreeBSD compatibility goop.
ok reyk@


# 1.8 08-Sep-2005 jsg

Remove FreeBSD if_printf compat function from net80211.
ok reyk@


# 1.7 08-Sep-2005 reyk

reset the scan state for each new mode

ok jsg@


# 1.6 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.5 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.4 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.3 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.2 02-Nov-2004 millert

Don't call memset() if MALLOC returns NULL; also fix the rcs ID.
From Patrick Latifi; OK reyk@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.175 09-Nov-2019 stsp

Clear the unref callback function pointer when cleaning up an ieee80211_node.
ok mpi@


# 1.174 31-Oct-2019 stsp

Make background scans less frequent if we keep choosing the same AP.

This helps a bit in situations where a single AP is used and background scans
are causing packet loss, as seen with Jesper Wellin's Broadcom-based AP and my
Android phone in hotspot mode. This is not a proper fix but our background scan
frequency against a single AP was much higher than needed anyway.

Tested by jan, job, benno, Tracey Emery, Jesper Wallin


Revision tags: OPENBSD_6_6_BASE
# 1.173 02-Sep-2019 stsp

Make net80211 expose reasons for association failures to userland and have
ifconfig display them in 'scan' output and on the ieee80211 status line if
the failure is applicable to an already selected AP (e.g. wrong WPA key).

This will hopefully reduce the amount of help requests for what often
turn out to be trivial misconfiguration issues that were previously
hard to diagnose without debug mode.

ifconfig must be recompiled with the new ieee80211_ioctl.h to stay in
sync with the kernel. A full 'make build' will do the right thing!

Very helpful input by mpi@ and deraadt@


# 1.172 27-Aug-2019 stsp

Keep ieee80211_node structures cached across scans, rather than
wiping the entire cache every time a scan is triggered.

This has benefits for userland programs trying to look at scan results,
and for drivers which don't get a full view from hardware on every scan.

Nodes will still be evicted from the cache in one of several ways:

Add a new way of timing out inactive nodes which don't send a beacon
within 10 scan iterations, for client mode only. This should get rid
of stale APs if we're scanning for some time in a changing environment.

If we fail to associate a few times, the corresponding node is removed.

If net80211 transitions back to INIT state (e.g. because of a
user-initiated configuration change) all nodes are removed.

When a background scan starts all nodes will be removed. This could be
revisited later but has been intentionally left as-is for now.

Tested by myself, jmc@, benno@, procter@ on iwm(4), athn(4) and ral(4).


# 1.171 26-Aug-2019 stsp

remove redundant assignment to ic_curmode

This assignment to ic_curmode is redundant because it already occurs
inside ieee80211_setmode(), and channel information in selbs and ni
is equivalent after node_copy().

ok mpi@ kevlo@


# 1.170 29-Jul-2019 stsp

Add support for 802.11n Tx aggregation to net80211 and the iwn(4) driver.

In particular, add Tx block ack session management to net80211, with
enough functionality to support Tx aggregation on devices which perform
A-MPDU subframe scheduling in firmware.
Make use of the iwn(4) firmware Tx scheduler to build A-MPDUs.

net80211's QoS support code is now enabled and used by Tx aggregation.

A-MSDU frames inside A-MPDUs have been tested and work in principle.
For now, this feature is disabled because unfair TCP connection sharing
was observed during testing, where bursts of TCP Ack frames for a single
tcpbench(1) connection arriving in A-MSDUs made other TCP connections stall.
Switch off support for A-MSDUs inside A-MPDUs on the Rx side as well.

Tested on iwn chipsets 1000, 4965, 5100, 5300, 2200, 6200, 6205, 6300
(committed version of tested diff has all debug printfs removed)
tests/ok benno kmos mlarkin kevlo


# 1.169 23-Jul-2019 stsp

In 11n hostap mode, properly disable HT protection when needed
by actually overwriting the relevant bits in ni_htop1.
ok tedu@ phessler@ kettenis@


# 1.168 10-Jun-2019 stsp

Revised version of 'ifconfig mode' command fix.

The 'mode' command is supposed to force a wireless interface into 11a/b/g/n
media mode. This stopped working some time ago, probably during my work on
background scanning. Problem spotted by mlarkin@ who noticed that interfaces
were using 11g mode while forced to 11b mode.

ok phessler, jmatthew (earlier version)
relentless testing by krw@


# 1.167 31-May-2019 stsp

Revert my "Repair the 'ifconfig mode' command" commit.

The "recursion in end_scan()" problem is apparently still present in
the committed version of the diff (reported by krw@).


# 1.166 29-May-2019 stsp

Repair the 'ifconfig mode' command.

The 'mode' command is supposed to force a wireless interface into 11a/b/g/n
media mode. This stopped working some time ago, probably during my work on
background scanning. Problem spotted by mlarkin@ who noticed that interfaces
were using 11g mode while forced to 11b mode.

ok phessler, jmatthew


# 1.165 11-May-2019 stsp

Show driver name on net80211 scan debug lines.
ok mpi@


# 1.164 28-Apr-2019 mpi

Removes the KERNEL_LOCK() from bridge(4)'s output fast-path.

This redefines the ifp <-> bridge relationship. No lock can be
currently used across the multiple contexts where the bridge has
tentacles to protect a pointer, use an interface index.

Tested by various, ok dlg@, visa@


Revision tags: OPENBSD_6_5_BASE
# 1.163 15-Mar-2019 phessler

fix autojoin for WEP network by actually saving the WEP auth key

discovered while attempting to autojoin WEP networks


# 1.162 01-Mar-2019 stsp

Improve handling of HT protection for 'mode 11n' hostap.

Consider the mere presence of HTCAP IEs as indicator of 11n support,
rather than checking advertised Rx MCS. Fixes some devices being
misclassified as 11a/g, causing HT protection to be enabled even
though it is not needed.

Use CTS-to-self frames for HT protection instead of RTS/CTS.

These changes make my athn(4) AR9280 hostap perform much better.

ok phessler@


# 1.161 23-Jan-2019 stsp

Move 802.11n rateset definitions out of MiRA and make them available to
net80211 and drivers in general. Add ratesets for 'short guard interval'
(SGI) rates, and add SGI support to MiRA. SGI is currently only used by
iwm(4), and of course internally by bwfm(4) firmware.
Ratesets for 11n 40 MHz channels and 11ac will come later.
ok mpi@ phessler@


# 1.160 18-Jan-2019 phessler

add a len field when we delete an essid from the joinlist. this will have
us properly match, instead of hoping we got lucky when selecting it.

OK stsp@


# 1.159 18-Jan-2019 phessler

let users automatically use join to connect to any open wifi network.
if a known network is visible, always prefer that instead.

requested by many, OK stsp@


# 1.158 25-Nov-2018 phessler

print more details about the join'd networks we have saved when a user runs
ifconfig if joinlist

OK stsp@


# 1.157 20-Nov-2018 phessler

fix whitespace in debugging function


# 1.156 20-Nov-2018 patrick

The first packet received from each AP in each QoS class would be
dropped as the sequence number matches the initial value of the
cached last sequence number (zero). On some APs (notably Android
WIFI hotspots) this hits the first packet of the WPA2 4-way
handshake. This causes connection delays and in some cases
connection to the AP fails completely. Initialize the cached last
sequence numbers for received packets to an invalid value instead.

From Christian Ehrhardt
ok gerhard@ stsp@
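
The sequence-number cache problem fixed in this commit, as an added illustration (a constructed model, not net80211's own code; the struct and function names are hypothetical): a zeroed cache drops a genuine first frame whose sequence number is 0, while seeding the cache with a value no 12-bit 802.11 sequence number can take lets that frame through and still catches a real retransmission.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of the per-node duplicate check; not net80211's code.
 * 802.11 sequence numbers are 12 bits wide (0..4095), so 0xffff is a value
 * no received frame can ever carry.
 */
#define NUM_TID     8
#define SEQ_INVALID 0xffff

struct rxnode {
	uint16_t last_rxseq;               /* non-QoS frames */
	uint16_t last_qos_rxseq[NUM_TID];  /* one per QoS class (TID) */
};

/* Old behaviour: the cache starts out zeroed, so a first frame carrying
 * sequence number 0 looks like a retransmission of itself. */
static void rxnode_init_zero(struct rxnode *ni)
{
	memset(ni, 0, sizeof(*ni));
}

/* Fixed behaviour: start from a value that can never match a real frame. */
static void rxnode_init_invalid(struct rxnode *ni)
{
	ni->last_rxseq = SEQ_INVALID;
	for (int tid = 0; tid < NUM_TID; tid++)
		ni->last_qos_rxseq[tid] = SEQ_INVALID;
}

/*
 * Duplicate check: a frame whose sequence number equals the cached one for
 * its class is treated as a retransmission and dropped. tid < 0 denotes a
 * non-QoS frame. Returns true if the frame is accepted.
 */
static bool rxnode_accept(struct rxnode *ni, uint16_t seq, int tid)
{
	uint16_t *last = (tid < 0) ? &ni->last_rxseq : &ni->last_qos_rxseq[tid];

	if (seq == *last)
		return false;	/* duplicate, silently discarded */
	*last = seq;
	return true;
}

struct frame { uint16_t seq; int tid; };

/*
 * Replay a constructed capture against a freshly created node and return
 * how many of its five frames were accepted. The first frame in each class
 * carries sequence number 0, as an AP starting a fresh counter sends it.
 */
int accepted_frames(bool fixed_init)
{
	static const struct frame capture[] = {
		{ 0, 0 },	/* first data frame in TID 0, e.g. EAPOL msg 1/4 */
		{ 1, 0 },	/* next frame in TID 0 */
		{ 1, 0 },	/* genuine retransmission of the previous frame */
		{ 0, 6 },	/* first frame seen in TID 6 */
		{ 0, -1 },	/* first non-QoS frame */
	};
	struct rxnode ni;
	int accepted = 0;

	if (fixed_init)
		rxnode_init_invalid(&ni);
	else
		rxnode_init_zero(&ni);

	for (size_t i = 0; i < sizeof(capture) / sizeof(capture[0]); i++)
		if (rxnode_accept(&ni, capture[i].seq, capture[i].tid))
			accepted++;
	return accepted;
}

int main(void)
{
	/* zero-initialised cache: 1 of 5 accepted; invalid-initialised: 4 of 5 */
	printf("zero-initialised cache: %d of 5 frames accepted\n",
	    accepted_frames(false));
	printf("invalid-initialised cache: %d of 5 frames accepted\n",
	    accepted_frames(true));
	return 0;
}
```

With the zeroed cache the first frame of every class is lost, which is exactly where the 4-way handshake starts; only the true retransmission is dropped once the cache is seeded with SEQ_INVALID.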


# 1.155 27-Oct-2018 phessler

pass around the ess and ni structures we plan to use directly, instead
of rediscovering them (possibly badly).

OK stsp@


# 1.154 27-Oct-2018 phessler

clean up accounting of the AUTO_JOIN flag by making sure it is set or cleared
based on the state of the joinlist

OK stsp@


# 1.153 27-Oct-2018 phessler

don't join to a network where we expect cleartext, and the AP is using crypto

OK stsp@


Revision tags: OPENBSD_6_4_BASE
# 1.152 18-Sep-2018 mestre

fix memory leak in ieee80211_end_scan()

OK phessler@ jsg@


# 1.151 17-Sep-2018 jsg

fix memory leaks in ieee80211_add_ess()
ok stsp@ phessler@


# 1.150 11-Sep-2018 phessler

use the format string for signed ints, for signed ints

reminded by stsp@


# 1.149 11-Sep-2018 phessler

With the interface debug flag enabled, print a "score" for each AP we
consider during auto-join. This can help users determine why a specific
network was chosen.

OK stsp@


# 1.148 10-Sep-2018 phessler

fix typo in the length of the essid we want to switch to

found with and OK stsp@


# 1.147 10-Sep-2018 phessler

extract clearing WEP/WPA in ess into helper functions


# 1.146 10-Sep-2018 phessler

give set_ess a len variable, so we can correctly match the essid we want
to switch to.

pointed out by stsp@


# 1.145 09-Sep-2018 phessler

convert the things we save in 'join' into a single ioctl. mixing related
settings over multiple calls was risky and racy. Pass essid, wpa, and wep
parameters in a single ioctl and process it atomically.

no change for 'nwid' users

OK stsp@ benno@


# 1.144 06-Sep-2018 jsg

fix whitespace


# 1.143 01-Sep-2018 stsp

Make 'ifconfig nwid' override 'ifconfig join'.

There was no way to override a decision made by join's network
selection algorithm (apart from disabling the feature by clearing
the join list). Automatic selection is based on heuristics which
cannot always guess correctly so we need to provide an override.

One specific problem was that if 'nwid foo' and 'nwid bar' were
both visible in the scan and only 'nwid foo' was a member of the
join list, then there was no way at all to connect to 'nwid bar'.
The wireless stack would keep selecting 'nwid foo' instead.

'ifconfig iwm0 nwid bar' command will now disable automatic
network selection and force the use of ESSID 'bar'.
Any of these commands will re-enable automatic network selection:
ifconfig iwm0 -nwid
ifconfig iwm0 nwid ''
ifconfig iwm0 join some-network-id

ok phessler@ deraadt@


# 1.142 15-Aug-2018 stsp

Update AP selection heuristics for auto-join.

We now prefer stronger crypto over weaker crypto over none, prefer 5 GHz
band with reasonable RSSI, and use RSSI as a tie-breaker with a slight
advantage for 5GHz. Candidate APs are now ranked by a score which is
calculated based on these attributes.

There is likely room for improvements to make these heuristics
work well across many different environments, but it's a start.

ok phessler@


# 1.141 13-Aug-2018 stsp

Add support for band-steering access points to net80211.

Some access points have a feature called "band steering" where they
will try to push clients from 2 GHz channels to 5 GHz channels.
If a client sends probe-requests on both 2 GHz and 5GHz channels, and
then attempts to authenticate on a 2 GHz channel, such APs will deny
authentication and hope that the client will come back on a 5 GHz channel.

So if we fail to AUTH for any reason, and if there is a different
AP with the same ESSID that we haven't tried yet, try that AP next.
Keep trying until no APs are left, and only then continue scanning.

APs with support for this feature were provided by Mischa Peters.

ok phessler@ mpi@


# 1.140 11-Aug-2018 stsp

Add comment explaining why we read basic MCS set only from beacon/probereq.
requested by mpi@


# 1.139 07-Aug-2018 stsp

Ignore basic MCS set information found in association responses.

Some APs (Aruba 105) send a bogus basic MCS set in assoc responses
which prevents us from enabling 11n support with those APs, while
these APs still behave as if we were an 11n client which renders
the association unusable.

The basic MCS set is already provided in beacons anyway, and the
802.11 2012 standard says the basic MCS set is reserved in frames
other than beacons (see Table 8-130).

ok mpi@


# 1.138 06-Aug-2018 stsp

Refactor ieee80211_add_ess():

Drop ieee80211_add_ess's nwid parameter. Read nwid and length directly
from the ic to make it more obvious where this function is reading from.

nwids are binary data with an explicit length, so treat them as such
instead of treating them like strings.

ok florian phessler


# 1.137 06-Aug-2018 florian

Do not set nwid over and over again. We just found the ess by comparing
the nwid. It will not have changed in the meantime.
OK stsp


# 1.136 03-Aug-2018 phessler

revert 1.133 and part of 1.131
the stack doesn't always fill in the parameters correctly

reported by many


# 1.135 30-Jul-2018 stsp

Don't ask drivers to join a wifi network before an AP has been chosen.
Should fix a panic with bwfm(4) reported by mlarkin@
ok phessler@


# 1.134 19-Jul-2018 florian

ieee80211_ess_is_better() returns 0 or 1, comparing > 1 is always
false so we always selected the first wifi available, not the best
one.

While here shuffle some deck chairs to make it clearer that anything is
better than nothing.

tweak & OK phessler


# 1.133 16-Jul-2018 phessler

the AP sends their crypto parameters as a mask, so let us still select it
in case we want WPA2 and they have WPA1 still enabled


# 1.132 16-Jul-2018 phessler

don't save or use auto-join when the card is not in station (aka client) mode

OK stsp@


# 1.131 13-Jul-2018 phessler

Some more checks before auto-join switches networks.

Make sure all of the crypto options the AP announces matches what we
would configure. While here, don't switch if the user has specified
a specific BSSID, and the new AP does not match.

OK stsp@


# 1.130 11-Jul-2018 phessler

Introduce 'auto-join' to the wifi 802.11 stack.

This allows a system to remember which ESSIDs it wants to connect to, any
relevant security configuration, and switch to it when the network we are
currently connected to is no longer available.

Works when connecting and switching between WPA2/WPA1/WEP/clear encryptions.

example hostname.if:
join home wpakey password
join work wpakey mekmitasdigoat
join open-lounge
join cafe wpakey cafe2018
join "wepnetwork" nwkey "12345"
dhcp
inet6 autoconf
up

OK stsp@ reyk@
and enthusiasm from every hackroom I've been in for the last 3 years


# 1.129 28-Apr-2018 stsp

When starting a background scan, free the nodes table to ensure we
get an up-to-date view of APs around us. In particular, we need to
kick out the AP we are associated to. Otherwise, our current AP might
stay cached if it is turned off while we are scanning, and we could
end up picking a now non-existent but "good looking" AP over and over.

found with and ok phessler@


# 1.128 27-Apr-2018 stsp

Fix the scan loop: We were only looking for an AP once and stopped
scanning if none was found.
Accidentally broken in recent ifconfig scan changes by pirofti and me.
ok pirofti


# 1.127 26-Apr-2018 pirofti

net80211: stub SIOCS80211SCAN, make ifconfig scan instant.

The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stsp@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.

The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.

In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.

The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...

Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.

Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).

Tested by mpi@, landry@, florian@, thanks!
OK mpi@.


Revision tags: OPENBSD_6_3_BASE
# 1.126 06-Feb-2018 phessler

convert the test if a node support HT (aka, 11n) into an inline function,
instead of testing some un-obvious bitfield

OK stsp@


# 1.125 12-Dec-2017 stsp

Don't dereference IEEE80211_CHAN_ANYC pointer in ieee80211_node_checkrssi().

Problem reported by Gregoire Jadi on bugs@


# 1.124 12-Dec-2017 phessler

Allow interfaces that aren't SCANNALLBAND drivers to benefit from the
strongest received signal.

OK stsp@


# 1.123 12-Dec-2017 jcs

Fix the behavior of preferring weaker-but-still-good 5GHz APs over
2GHz APs because the 5GHz band is generally less saturated.

The previous implementation was dependent upon the order of walking
APs.

ok stsp


# 1.122 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


Revision tags: OPENBSD_6_2_BASE
# 1.121 05-Sep-2017 stsp

When starting a new scan always set the mode to AUTO if the driver scans
all bands at once. Fixes a problem where e.g. 5GHz APs were filtered out
if we were previously associated to an 11g-only AP.
ok mpi@ phessler@


# 1.120 17-Aug-2017 stsp

Add an entry to dmesg if pairwise WPA keys arrive unexpectedly or if WPA
group keys are being reused. OpenBSD wireless clients will now leave a
trail of such events in their message log.

There has been increased public scrutiny of WPA's security recently, so
I am curious to see if anyone is attempting replay attacks in the wild.

ok deraadt


# 1.119 04-Aug-2017 stsp

Compile a debug printf in ieee80211_match_bss() by default, previously
guarded by the IEEE80211_DEBUG preprocessor flag. This shows one line
per detected AP after a scan, and indicates which APs are considered
candidates for association.
Shorten the output a bit to fit into 80 columns more likely.
ok sthen@


# 1.118 19-Jul-2017 stsp

Improve the heuristic which selects 5GHz APs over 2GHz APs.

The previous code wasn't quite right: it didn't account for the fact that
some drivers don't set ic_max_rssi, and it compared 5GHz APs to a threshold
relative to the max RSSI, rather than comparing RSSI on 5GHz relative to
RSSI on 2GHz.

This heuristic is only used by SCANNALLBAND drivers: iwn(4), iwm(4), wpi(4)

In the future the AP selection heuristic should be made more intelligent,
e.g. it should take BSS load information in beacons into account.
Another open problem is inconsistent representation of RSSI measurement
values throughout our drivers and stack. Help is welcome!

For now, this hopefully improves AP selection at busy airports.

ok sthen@ deraadt@


# 1.117 04-Jun-2017 tb

Add sizes for free for the RSN IEs. Rewrite ieee80211_save_ie() slightly
to make it more readable.

help, many explanations and ok stsp


# 1.116 03-Jun-2017 tb

Add a few sizes to free().

Input, help & ok stsp


Revision tags: OPENBSD_6_1_BASE
# 1.115 04-Mar-2017 stsp

branches: 1.115.4;
In 11n hostap mode, dynamically adjust HT protection settings based on
the presence of non-HT nodes in the node cache.
OpenBSD 11n APs will now disable HT protection if it is not necessary.
ok mpi@


# 1.114 03-Feb-2017 stsp

Fix 11b clients sending bogus ratesets in association requests. The common
rateset with the AP is calculated only after the association response was
received, which is too late. Fix rates when an AP is selected after a scan.
ok mpi@ tb@


# 1.113 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.112 16-Jan-2017 stsp

Reset block ack state and cancel related timeouts when a HT node disassociates.
The existing code (from damien@) already took care of freeing related buffers
but because block ack state was not reset we were still trying to use these
buffers if the node sent another A-MPDU. This problem only affects 11n hostap.
Fixes kernel crash reported by Timo Myyra on bugs@


# 1.111 09-Jan-2017 stsp

When a HT node leaves or reassociates as a non-HT node,
clear HT capabilities stored in its node cache object.

A node may switch from 11n mode to 11a/b/g mode.
If we don't clear HT capabilities from the cache the node will
be mistaken as 11n-capable after reassociation.

ok phessler@ mpi@


# 1.110 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.109 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.108 09-Jan-2017 stsp

The point of ieee80211_node_leave() is to place the node in COLLECT state.
Return early and do nothing if the node is already in COLLECT state upon
entry to this function.


# 1.107 09-Jan-2017 stsp

When acting as hostap, negotiate HT before calling the driver's ic_newassoc()
function, not afterwards. Drivers now know whether a joining node supports HT
which helps with setting up state such as which Tx rate to use.


# 1.106 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@
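An added example (not OpenBSD code) of the countermeasure timer the commit above describes. It assumes the 802.11i rule that two TKIP MIC failures within 60 seconds trigger countermeasures, after which the AP refuses TKIP for a mandatory 60 seconds plus, as in the commit, a random extension of up to 60 more seconds. The random value is passed in by the caller so the logic is deterministic here; a kernel would draw it from arc4random_uniform().

```c
/* Added example, not net80211 code: TKIP MIC-failure countermeasures. */
#include <stdbool.h>
#include <stdint.h>

#define TKIP_MIC_FAIL_WINDOW      60  /* s: second failure within this starts countermeasures (802.11i) */
#define TKIP_COUNTERMEASURE_MIN   60  /* s: mandatory hold-off required by the standard */
#define TKIP_COUNTERMEASURE_EXTRA 60  /* s: random extension added on top, 0..60 (up to 120 s total) */

struct tkip_cm_state {
	uint64_t last_mic_fail;  /* time of the most recent MIC failure, 0 = none yet */
	uint64_t disabled_until; /* TKIP refused until this time, 0 = not disabled */
};

/*
 * Record a MIC failure seen at time `now` (seconds). `rnd` is a random
 * number supplied by the caller (assumption: arc4random_uniform() in-kernel).
 * Returns true when countermeasures were started by this failure.
 */
bool
tkip_mic_failure(struct tkip_cm_state *st, uint64_t now, uint32_t rnd)
{
	if (st->last_mic_fail != 0 &&
	    now - st->last_mic_fail < TKIP_MIC_FAIL_WINDOW) {
		/* Second failure inside the window: disable TKIP for 60 s + random extra. */
		st->disabled_until = now + TKIP_COUNTERMEASURE_MIN +
		    (rnd % (TKIP_COUNTERMEASURE_EXTRA + 1));
		st->last_mic_fail = 0;  /* failure counting starts over afterwards */
		return true;
	}
	st->last_mic_fail = now;        /* first failure: remember when, keep running */
	return false;
}

/* Whether the AP may accept TKIP associations / process TKIP frames now. */
bool
tkip_allowed(const struct tkip_cm_state *st, uint64_t now)
{
	return st->disabled_until == 0 || now >= st->disabled_until;
}
```

The important property is that the hold-off is bounded: after disabled_until passes, tkip_allowed() returns true again without a reboot, which is what the previous code failed to do.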


# 1.105 15-Sep-2016 dlg

move from RB macros to the RBT functions.

shaves about 5k off an amd64 GENERIC.MP kernel


# 1.104 17-Aug-2016 stsp

If a wireless device or driver scans all bands at once give 5GHz APs
a slight priority in cases where good matches exist in either band.
ok sthen@


Revision tags: OPENBSD_6_0_BASE
# 1.103 21-May-2016 stsp

branches: 1.103.2;
Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


# 1.102 18-May-2016 stsp

In hostap mode, don't re-use association IDs (AIDs) of nodes which are
still lingering in the node cache. This could cause an AID to be assigned
twice, once to a newly associated node and once to a different node in
COLLECT cache state (i.e. marked for future eviction from the node cache).

Drivers (e.g. rt2860) may use AIDs to keep track of nodes in firmware
tables and get confused when AIDs aren't unique across the node cache.
The symptom observed with rt2860 were nodes stuck at 1 Mbps Tx rate since
the duplicate AID made the driver perform Tx rate (AMRR) accounting on
the wrong node object.

To find out if a node is associated we now check the node's cache state,
rather than comparing the node's AID against zero. An AID is assigned when
a node associates and it lasts until the node is eventually purged from the
node cache (previously, the AID was made available for re-use when the node
was placed in COLLECT state). There is no need to be stingy with AIDs since
the number of possible AIDs exceeds the maximum number of nodes in the cache.

Problem found by Nathanael Rensen.
Fix written by Nathanael and myself. Tested by Nathanael.
Committing now to get this change tested across as many drivers as possible.
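An added example (not OpenBSD code) of the allocation rule the commit above settles on: an AID is free only if no node in the cache holds it, whatever that node's state, and "associated" is decided from the node's state rather than from a non-zero AID. The cache layout, the state names and the 100-node limit are illustrative assumptions; net80211's own structures differ.

```c
/* Added example, not net80211 code: AIDs unique across the whole node cache. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_AID   2007  /* 802.11 AIDs are 1..2007; 0 means "none" */
#define MAX_NODES 100   /* assumed cache size, far below MAX_AID */

enum node_state { STATE_CACHE, STATE_AUTH, STATE_ASSOC, STATE_COLLECT };

struct node {
	uint16_t aid;          /* 0 if never associated */
	enum node_state state;
};

struct cache {
	struct node nodes[MAX_NODES];
	size_t nnodes;
};

/* Mark every AID held by a cached node, including nodes in COLLECT state. */
static void
aid_bitmap(const struct cache *c, uint8_t *map /* (MAX_AID + 8) / 8 bytes */)
{
	memset(map, 0, (MAX_AID + 8) / 8);
	for (size_t i = 0; i < c->nnodes; i++) {
		uint16_t aid = c->nodes[i].aid;
		if (aid != 0)
			map[aid / 8] |= 1 << (aid % 8);
	}
}

/* Lowest AID not held by any cached node; 0 only if the space is exhausted,
 * which cannot happen while MAX_NODES < MAX_AID. */
uint16_t
alloc_aid(const struct cache *c)
{
	uint8_t map[(MAX_AID + 8) / 8];

	aid_bitmap(c, map);
	for (uint16_t aid = 1; aid <= MAX_AID; aid++)
		if ((map[aid / 8] & (1 << (aid % 8))) == 0)
			return aid;
	return 0;
}

/* The old test was "aid != 0"; a lingering COLLECT node still has an AID,
 * so look at the state instead. */
int
node_is_associated(const struct node *n)
{
	return n->state == STATE_ASSOC;
}

/* Associate the node at idx and hand it a unique AID; returns that AID.
 * The AID stays with the node until it is purged from the cache. */
uint16_t
cache_associate(struct cache *c, size_t idx)
{
	c->nodes[idx].aid = alloc_aid(c);
	c->nodes[idx].state = STATE_ASSOC;
	return c->nodes[idx].aid;
}
```

A driver that keys firmware tables by AID (the rt2860 case in the commit) then never sees two live node objects with the same key, because the AID held by a COLLECT node is only recycled after that node is actually gone.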


# 1.101 12-Apr-2016 mpi

Call if_enqueue() and if_start() instead of dereferencing the ifp
pointers.

These functions have been introduced to abstract some of the MP-
safeness^Wmadness and should be used everywhere.

Prodded by a comment from jsg@.

ok mikeb@, stsp@


# 1.100 03-Mar-2016 gerhard

Restore assignment of ic_curmode that was accidentally removed when
moving the ERP code to post-assoc phase. Fixes iwi(4) fatal firmware
errors.

ok stsp@, sobrado@


Revision tags: OPENBSD_5_9_BASE
# 1.99 25-Jan-2016 stsp

branches: 1.99.2;
Honour ERP protection on 2 GHz channels in 11n mode, as done for 11g.
ok millert@


# 1.98 25-Jan-2016 stsp

Don't try to interpret htprot data if the last beacon didn't contain such data.
ok mpi@ millert@


# 1.97 07-Jan-2016 stsp

Make the A-MPDU reordering buffer more resilient against APs which drop
some subframes or let the sequence number jump up by more than 1 (hard
to tell which it is). We decrease the BA inactivity timeout for quicker
recovery from stalled BA sessions, and add a new timeout which keeps track
of gaps in the subframe sequence number space due to dropped frames.
Gaps expire after 500 msec, the same value FreeBSD uses for their
implementation of this workaround. And Linux uses this trick, too.

This should fix network stalls some people have been seeing in 11n mode.

ok deraadt@
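An added example (not OpenBSD code) of the reordering behaviour the commit above describes: a receive-side Block Ack window that buffers out-of-order A-MPDU subframes, delivers them in sequence, and gives up on a missing subframe once the gap has been open for 500 ms. The window size, the "frame id" stand-in for an mbuf, and all function names are assumptions made for this example; net80211's own reorder buffer is structured differently.

```c
/* Added example, not net80211 code: A-MPDU reorder window with gap timeout. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define BA_WINSIZE     8     /* reorder window in subframes, power of two */
#define BA_SEQ_MASK    0xfff /* 802.11 sequence numbers are 12 bits */
#define GAP_TIMEOUT_MS 500   /* a missing subframe is declared lost after this */

struct ba_rx {
	uint16_t head;              /* next sequence number to deliver */
	bool     have[BA_WINSIZE];  /* slot seq % BA_WINSIZE is occupied */
	int      frame[BA_WINSIZE]; /* stand-in for the buffered mbuf: a frame id */
	uint64_t gap_since;         /* ms when head went missing, 0 = no gap */
};

void
ba_init(struct ba_rx *ba, uint16_t ssn)
{
	memset(ba, 0, sizeof *ba);
	ba->head = ssn & BA_SEQ_MASK;
}

static bool
ba_pending(const struct ba_rx *ba)
{
	for (int i = 0; i < BA_WINSIZE; i++)
		if (ba->have[i])
			return true;
	return false;
}

/* Deliver in order from head for as long as nothing is missing. */
static int
ba_drain(struct ba_rx *ba, int *out, int max, int n)
{
	while (n < max && ba->have[ba->head % BA_WINSIZE]) {
		int slot = ba->head % BA_WINSIZE;
		out[n++] = ba->frame[slot];
		ba->have[slot] = false;
		ba->head = (ba->head + 1) & BA_SEQ_MASK;
	}
	return n;
}

/* Deliver everything buffered in sequence order, skipping any gaps. */
static int
ba_flush_all(struct ba_rx *ba, int *out, int max)
{
	int n = 0;
	for (int i = 0; i < BA_WINSIZE && n < max; i++) {
		int slot = ((ba->head + i) & BA_SEQ_MASK) % BA_WINSIZE;
		if (ba->have[slot]) {
			out[n++] = ba->frame[slot];
			ba->have[slot] = false;
		}
	}
	return n;
}

/* After a drain, anything still buffered means the frame at head is missing. */
static void
ba_update_gap(struct ba_rx *ba, uint64_t now_ms)
{
	if (!ba_pending(ba))
		ba->gap_since = 0;
	else if (ba->gap_since == 0)
		ba->gap_since = now_ms;
}

/* Subframe `seq` arrived at now_ms. Deliverable frames go to out[] (at most
 * max of them); returns how many were delivered. */
int
ba_rx_input(struct ba_rx *ba, uint16_t seq, int frame, uint64_t now_ms,
    int *out, int max)
{
	uint16_t off = (uint16_t)(seq - ba->head) & BA_SEQ_MASK;
	int slot, n = 0;

	if (off > BA_SEQ_MASK / 2)   /* behind head: already delivered, drop */
		return 0;
	if (off >= BA_WINSIZE) {     /* sender jumped past the window: flush it */
		n = ba_flush_all(ba, out, max);
		ba->head = seq & BA_SEQ_MASK;
	}
	slot = (seq & BA_SEQ_MASK) % BA_WINSIZE;
	if (ba->have[slot])          /* duplicate inside the window */
		return n;
	ba->have[slot] = true;
	ba->frame[slot] = frame;
	n = ba_drain(ba, out, max, n);
	ba_update_gap(ba, now_ms);
	return n;
}

/* Periodic timer: once head has been missing for GAP_TIMEOUT_MS, treat the
 * subframe as dropped, skip to the next buffered one and deliver from there. */
int
ba_rx_timeout(struct ba_rx *ba, uint64_t now_ms, int *out, int max)
{
	int n;

	if (ba->gap_since == 0 || now_ms - ba->gap_since < GAP_TIMEOUT_MS)
		return 0;
	while (!ba->have[ba->head % BA_WINSIZE])  /* gap_since != 0 means something is buffered */
		ba->head = (ba->head + 1) & BA_SEQ_MASK;
	n = ba_drain(ba, out, max, 0);
	ba->gap_since = 0;
	ba_update_gap(ba, now_ms);
	return n;
}
```

Without the timeout path, a single subframe the AP never retransmits would leave every later subframe stuck in the window until the BA session itself times out, which is the stall the commit is fixing; with it, the cost of a dropped subframe is bounded at 500 ms of latency.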


# 1.96 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.95 04-Jan-2016 stsp

While configuring ERP we need to know if we're in 11a or 11g mode so only
configure ERP once we are sure about our operation mode against the AP.
ok sthen jasper kettenis deraadt mpi


# 1.94 18-Dec-2015 sthen

unnoccupied->unoccupied


# 1.93 12-Dec-2015 stsp

Finish support for receiving 11n A-MPDUs.

The initial implementation was added by damien@ years ago.
Summary of the changes made in this commit:
- In ieee80211_input(), process A-MPDUs before duplicate detection.
- Don't forget to set ba->ba_ni in ieee80211_recv_addba_req()
so we don't crash in ieee80211_rx_ba_timeout().
- In ieee80211_recv_addba_req(), tweak the logic to deny BlockAck
requests if the driver has no callback for doing so.
- Implement ieee80211_ba_del() which cleans up BlockAck state.
- Increase the minimum and maximum lifetime for BlockAck agreements.

ok mpi@


# 1.92 24-Nov-2015 mpi

No need to include <net/if_arp.h>

This header is only needed because <netinet/if_ether.h> declares a
structure that needs it. But it turns out that <net/if.h> already
includes it as workaround.

A proper solution would be to stop declaring "struct ether_arp"
there. But no driver should need this header.


# 1.91 15-Nov-2015 stsp

Parse 11n HT capabilities and operational info from association response
frames, negotiate HT with the AP, and move the interface into or out of
11n mode accordingly. If running as AP negotiate HT with nodes joining the BSS.

ok deraadt mpi kettenis guenther


# 1.90 15-Nov-2015 stsp

Extend struct ieee80211_node with fields for 11n STA HT capabilities and
HT operational information sent by 11n APs. These fields reflect the structure
of elements in management frames so that IEEE80211_HTCAP* and IEEE80211_HTOP*
macros designed to operate on frame elements can be used directly to read
or set the fields.

Populate nodes with HT information received in probe responses, probe
requests, and association requests.

ok deraadt mpi phessler kettenis guenther


# 1.89 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


Revision tags: OPENBSD_5_8_BASE
# 1.88 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.87 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.86 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.85 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.84 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.83 12-Sep-2014 sthen

Remove cached 802.11 nodes in IEEE80211_STA_CACHE state (these are nodes
which have been seen but which haven't otherwise interacted with us), fixing
a problem where old cached nodes are seen when doing a scan.
From Marcin Piotr Pawlowski, feedback stsp@ ok kspillner@ dcoppa@


# 1.82 08-Aug-2014 jasper

use nitems() instead of various local constructs

ok stsp@


Revision tags: OPENBSD_5_6_BASE
# 1.81 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


Revision tags: OPENBSD_5_5_BASE
# 1.80 01-Dec-2013 stsp

Reset txrate array index after changing a node's rate list.
Should prevent "bogus xmit rate %d setup" panics, which I ran into again
in IBSS mode.
ok kettenis


# 1.79 21-Nov-2013 mpi

Remove unneeded include.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.78 24-Mar-2013 claudio

Make ieee80211_set_tim() available from outside of ieee80211_node.c
so drivers like acx(4) can use that function directly instead of
reimplementing the function again. Requested by kettenis@ long time ago.


Revision tags: OPENBSD_5_3_BASE
# 1.77 07-Nov-2012 stsp

Fix DPRINTF() format string treating n->ni_refcnt, which is unsigned, as signed.
diff from dhill; ok kettenis reyk


# 1.76 10-Oct-2012 kettenis

Clear the powersave flag and purge queued packets when a node leaves the AP
(either by disassociating or by timeout). Fixes (most) remaining issues with
power saving.

From Nathanael Rensen.

ok claudio@, krw@, sthen@


# 1.75 05-Oct-2012 camield

Point an interface directly to its bridgeport configuration, instead
of to the bridge itself. This is ok, since an interface can only be part
of one bridge, and the parent bridge is easy to find from the bridgeport.

This way we can get rid of a lot of list walks, improving performance
and shortening the code.

ok henning stsp sthen reyk


# 1.74 20-Sep-2012 stsp

Nuke M_80211_NODE #define which mapped to M_DEVBUF and use M_DEVBUF directly.
ok henning


# 1.73 25-Aug-2012 kettenis

Set up ni_savedq for the initial BSS node such that it can actually be used
to store multicast frames when one of the associated stations is in power
saving mode.

ok stsp@


# 1.72 17-Aug-2012 stsp

Fix possible panic while switching from STA mode into hostap/ibss modes.
ieee80211_create_ibss() resets the set of supported rates but failed
to update the index into the rate set array accordingly. If the rate
configured during STA operation didn't belong to the newly configured
rate set the system ran into an assertion ("bogus xmit rate %u setup")
while trying to create the IBSS.
ok fgsch@


Revision tags: OPENBSD_5_2_BASE
# 1.71 18-Jul-2012 stsp

Print messages about nodes purged from the node cache if hostap/ibss modes are
compiled in and the interface is in debug mode. ok sthen


# 1.70 16-Jul-2012 stsp

Move increment of ic_nnodes closer to where the node is actually inserted
into the cache. Make sure we're at IPL_NET while incrementing/decrementing
ic_nnodes. Add a debug message that warns about possible node leaks.
All of this affects hostap mode only.


# 1.69 13-Jul-2012 stsp

Tweak node cache eviction strategy when the cache is full: kick off new nodes
in AUTH state that weren't active during the cache wait interval rather than
keeping them for the entire cache timeout interval. Fixes association failures
in noisy RF environments. Tested by edd and myself with a slow soekris
suffering from RF noise with about 50 interrupts per second on ral0.
ok deraadt


Revision tags: OPENBSD_5_1_BASE
# 1.68 25-Jan-2012 stsp

There is no need to explicitly skip ic_bss when iterating over cached nodes.
The ic_bss is never put into the RB tree.


# 1.67 25-Jan-2012 stsp

Clean inactive authenticated nodes during cache timeout as well.
There is no need to keep nodes cached which never associated and were
inactive within the last 5 minutes or more. Keeps the node cache pretty
clean in my environment with typical city-center wlan noise.


# 1.66 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@
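An added example (not OpenBSD code) covering two of the hostap node-cache changes in this log: the on-demand counting from 1.113 (walk the cache and check each node's state instead of maintaining global counters that drift out of sync) and the inactivity accounting from 1.66 together with the refcount check from 1.65 (free a node only when it never associated, has been quiet for 5 minutes, and the driver holds no reference). The cache layout, state names, 100-node limit and all function names are assumptions for this example; net80211 keeps its nodes in an RB tree and its fields are named differently.

```c
/* Added example, not net80211 code: counting on demand and inactivity cleanup. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NODE_MAX   100       /* assumed cache size */
#define INACT_SECS (5 * 60)  /* inactive after 5 minutes without a frame */

enum node_state { STATE_CACHE, STATE_AUTH, STATE_ASSOC, STATE_COLLECT };

struct node {
	bool            in_use;
	enum node_state state;
	bool            is_ht;    /* 11n capable */
	bool            pwrsave;  /* currently dozing */
	unsigned        refcnt;   /* references handed out to the driver */
	uint64_t        last_rx;  /* time (s) of the last frame to/from this node */
};

struct node_cache {
	struct node nodes[NODE_MAX];
};

/* Count nodes with a property by looking at them, not by trusting a counter
 * that every state transition would have to keep in step. */
size_t
count_nodes(const struct node_cache *c, bool (*pred)(const struct node *))
{
	size_t n = 0;
	for (size_t i = 0; i < NODE_MAX; i++)
		if (c->nodes[i].in_use && pred(&c->nodes[i]))
			n++;
	return n;
}

bool node_is_non_ht_sta(const struct node *n) { return n->state == STATE_ASSOC && !n->is_ht; }
bool node_is_dozing(const struct node *n)     { return n->state == STATE_ASSOC && n->pwrsave; }

/* Periodic cleanup: free cached or authenticated nodes that never associated,
 * have been inactive for INACT_SECS and are not referenced by the driver.
 * A node with refcnt != 0 is left alone and retried on the next pass.
 * Returns the number of nodes freed. */
size_t
node_cache_clean(struct node_cache *c, uint64_t now)
{
	size_t freed = 0;
	for (size_t i = 0; i < NODE_MAX; i++) {
		struct node *n = &c->nodes[i];
		if (!n->in_use || n->state == STATE_ASSOC)
			continue;                  /* associated nodes are kept */
		if (now - n->last_rx < INACT_SECS)
			continue;                  /* still active */
		if (n->refcnt != 0)
			continue;                  /* driver still holds it */
		memset(n, 0, sizeof *n);           /* in_use becomes false */
		freed++;
	}
	return freed;
}

/* Insert a node seen at `now`; if the cache is full, make room by cleaning
 * once. Returns the slot index, or -1 if no room could be made. */
int
node_cache_alloc(struct node_cache *c, uint64_t now, enum node_state st)
{
	for (int pass = 0; pass < 2; pass++) {
		for (size_t i = 0; i < NODE_MAX; i++) {
			if (!c->nodes[i].in_use) {
				c->nodes[i].in_use = true;
				c->nodes[i].state = st;
				c->nodes[i].last_rx = now;
				return (int)i;
			}
		}
		if (pass == 0 && node_cache_clean(c, now) == 0)
			break;
	}
	return -1;
}
```

Counting this way costs one pass over at most NODE_MAX entries and is only done when the AP needs the number (for instance when deciding whether HT protection is still required), so there is no counter to get wrong and no panic to hit when it does.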


# 1.65 21-Jan-2012 stsp

Hold interrupts blocked while comparing a cached node's refcount to zero
and freeing the node. Just in case an interrupt happens to ref the node after
the refcount was checked but before the node is freed.
Tested by several as part of a larger diff.


# 1.64 18-Jan-2012 stsp

Make it possible to free cached nodes which never associated (e.g. nodes
only scanning for networks). These were never put into COLLECT state and
were thus never evicted from the node cache in hostap mode.
ok jsg@


Revision tags: OPENBSD_5_0_BASE
# 1.63 28-Mar-2011 kettenis

Clean nodes until the number of cached nodes is smaller than the maximum number
of nodes, otherwise we'll never actually clean any nodes. Fixes issues with
clients failing to attach because the node cache is completely filled.

ok damien@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.62 07-Aug-2010 krw

No "\n" needed at the end of panic() strings.

Bogus chunks pointed out by matthew@ and miod@. No cookies for
marco@ and jasper@.

ok deraadt@ miod@ matthew@ jasper@ macro@


# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


# 1.60 19-Jun-2010 damien

In ieee80211_node_leave(), clear the associd after calling
ieee80211_node_leave_rsn() since ieee80211_node_leave_rsn()
calls ic_delete_key() and drivers like ral(4) RT2860 need
a valid associd in their delete_key callbacks.
This affects HostAP mode only.

from Nathanael Rensen.

remove a useless (nested) #ifndef IEEE80211_STA_ONLY while i'm here


# 1.59 14-Jun-2010 damien

fix my previous commit, i forgot BIP, so instead of enumerating
what is not supported as a group cipher, enumerate what is supported.


# 1.58 14-Jun-2010 damien

do not try to associate with an AP using an unsupported group cipher,
otherwise we will panic in ieee80211_add_rsn_body().

this may be the cause of a panic seen by reyk@ though i'm not 100% sure.


# 1.57 28-Mar-2010 krw

Four uses of uninitialized variables found by clang via jsg@. ar5416, ar9287
and athn are only theoretically interesting. ieee80211_node fixes a real
bug in occupied channel detection.

ok damien@


Revision tags: OPENBSD_4_7_BASE
# 1.56 17-Feb-2010 damien

Do not always create a new node when a beacon or a probe response
is received. The creation of a new node is already handled in
ieee80211_recv_probe_resp() when necessary.
This avoids creating empty nodes with wrong channels when beacons
are received on the wrong channel (overlapping channels).
Those empty nodes may also prevent the real node from being
discovered because of ieee80211_find_node_for_beacon() filtering.

This should prevent entries of the form:
nwid "" chan 3 bssid 00:01:02:03:04:05 0dB 54M
in "ifconfig if0 scan" output, like reported by Rivo Nurges.


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.55 29-Jan-2009 damien

fix a panic that occurs when IEEE80211_STA_ONLY is defined (SMALL_KERNEL).

noticed by ray@, more investigation from sthen@
fix tested by sthen@


# 1.54 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.53 28-Jan-2009 damien

In ieee80211_find_node(), roll our own RB_FIND() based on the key (macaddr)
instead of resorting to horrid hacks/casts.
Restore the ieee80211_node structure back to its original state.


# 1.52 27-Jan-2009 damien

unbreak SMALL_KERNEL builds by adding missing #ifndef IEEE80211_STA_ONLY

pointed out by krw@


# 1.51 26-Jan-2009 damien

move ni_macaddr field at the top of the ieee80211_node structure.
this way we can avoid putting a full node structure (which is huge)
on the stack in ieee80211_find_node().
this is a bit tricky but the RB_FIND macro wants an "elem" structure,
not a field of "elem".


# 1.50 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.49 14-Dec-2008 damien

Add an ieee80211_notify_dtim() function that drivers should call after
every DTIM in HostAP mode.
Flushes all group addressed MSDUs buffered at the AP for power management.


# 1.48 23-Oct-2008 mk

Prevent a crash in ieee80211_setkeys() when unplugging an interface in
hostap mode by canceling the group rekey timeout in ieee80211_node_detach().

ok damien


# 1.47 15-Oct-2008 blambert

Second pass of simple timeout_add -> timeout_add_sec conversions
This should take care of the simpler ones (i.e., timeout values of
integer multiples of hz).

ok krw@, art@


# 1.46 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.45 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.44 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.43 12-Aug-2008 damien

new SHA-256 based AKMPs.


# 1.42 12-Aug-2008 damien

add/process group integrity cipher suite in RSN IEs.
add support for MFP negotiation during association.


# 1.41 12-Aug-2008 damien

the only integrity group cipher currently supported is AES-128-CMAC.


# 1.40 12-Aug-2008 damien

generate a random IGTK in HostAP mode if we're MFP-capable.


# 1.39 12-Aug-2008 damien

get rid of the map_ptk()/map_gtk() functions, just inline them
which makes things easier to track.


Revision tags: OPENBSD_4_4_BASE
# 1.38 02-Aug-2008 damien

Drop frames that are received unencrypted when WEP is on or when
WPA is on and RX protection for TA is on.
Keep track of the TX/RX protection for each node when WPA is on.

tested by djm@ (ral+wpa), ckuethe@ (ath-noenc) and krw@ (wpi<->ral+wpa).
hints from bluhm@
has been in snaps for a few days.

pointed out by bluhm@ something like 1 year ago but we did not have
the right infrastructure to fix it properly at that time.

ok deraadt@


# 1.37 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.36 27-Jul-2008 damien

s/IEEE80211_DPRINTF/DPRINTF/
automatically prepend __func__ to output.

deobfuscates debug messages a bit.
no binary change unless compiled with IEEE80211_DEBUG.


# 1.35 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.34 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


# 1.33 21-Apr-2008 damien

move ieee80211_ibss_merge() from ieee80211_input.c to ieee80211_node.c


# 1.32 21-Apr-2008 damien

move ieee80211_auth_open() to ieee80211_proto.c
move ieee80211_setup_rates() to ieee80211_node.c
move some prototypes from ieee80211_proto.h to ieee80211_crypto.h


# 1.31 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.30 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.29 07-Sep-2007 damien

use new malloc M_ZERO flag + replace MALLOC with malloc


Revision tags: OPENBSD_4_2_BASE
# 1.28 06-Jul-2007 damien

remove remaining bits for pre-RSNA shared authmode support.
it has been #if 0'd since 3.9 and we have never supported this mode (no
ifconfig option etc...).


# 1.27 06-Jul-2007 damien

initialize an uninitialized variable.


# 1.26 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.25 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.24 16-Jun-2007 damien

constify


# 1.23 16-Jun-2007 damien

don't mix u_int{8,16,32}_t and uint{8,16,32}_t
use u_int{8,16,32}_t everywhere.


# 1.22 16-Jun-2007 damien

de-static

ok jsg@


# 1.21 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.20 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


# 1.19 10-Apr-2007 miod

``it's'' -> ``its'' when the grammar gods require this change.


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 13-Nov-2006 damien

fix a possible NULL deref.


Revision tags: OPENBSD_4_0_BASE
# 1.16 19-Jun-2006 reyk

unbreak the code if compiled with IEEE80211_DEBUG by using the right
node attribute.

ok damien@, figured out by claudio@


# 1.15 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.14 19-Feb-2006 damien

Fix a comment in ieee80211_next_scan().


# 1.13 09-Oct-2005 reyk

if the wireless hostap interface belongs to a bridge, learn the node's
address dynamically on this interface after successful association.
this could speed wireless roaming to openbsd accesspoints.

ok jason@, jsg@ can't see anything objectionable


# 1.12 07-Oct-2005 reyk

minor knf


# 1.11 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.10 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.9 08-Sep-2005 jsg

Remove the last of the FreeBSD compatibility goop.
ok reyk@


# 1.8 08-Sep-2005 jsg

Remove FreeBSD if_printf compat function from net80211.
ok reyk@


# 1.7 08-Sep-2005 reyk

reset the scan state for each new mode

ok jsg@


# 1.6 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.5 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.4 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.3 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.2 02-Nov-2004 millert

Don't call memset() if MALLOC returns NULL; also fix the rcs ID.
From Patrick Latifi; OK reyk@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.174 31-Oct-2019 stsp

Make background scans less frequent if we keep choosing the same AP.

This helps a bit in situations where a single AP is used and background scans
are causing packet loss, as seen with Jesper Wellin's Broadcom-based AP and my
Android phone in hotspot mode. This is not a proper fix but our background scan
frequency against a single AP was much higher than needed anyway.

Tested by jan, job, benno, Tracey Emery, Jesper Wallin


Revision tags: OPENBSD_6_6_BASE
# 1.173 02-Sep-2019 stsp

Make net80211 expose reasons for association failures to userland and have
ifconfig display them in 'scan' output and on the ieee80211 status line if
the failure is applicable to an already selected AP (e.g. wrong WPA key).

This will hopefully reduce the amount of help requests for what often
turn out to be trivial misconfiguration issues that were previously
hard to diagnose without debug mode.

ifconfig must be recompiled with the new ieee80211_ioctl.h to stay in
sync with the kernel. A full 'make build' will do the right thing!

Very helpful input by mpi@ and deraadt@


# 1.172 27-Aug-2019 stsp

Keep ieee80211_node structures cached across scans, rather than
wiping the entire cache every time a scan is triggered.

This has benefits for userland programs trying to look at scan results,
and for drivers which don't get a full view from hardware on every scan.

Nodes will still be evicted from the cache in one of several ways:

Add a new way of timing out inactive nodes which don't send a beacon
within 10 scan iterations, for client mode only. This should get rid
of stale APs if we're scanning for some time in a changing environment.

If we fail to associate a few times, the corresponding node is removed.

If net80211 transitions back to INIT state (e.g. because of a
user-initiated configuration change) all nodes are removed.

When a background scan starts all nodes will be removed. This could be
revisited later but has been intentionally left as-is for now.

Tested by myself, jmc@, benno@, procter@ on iwm(4), athn(4) and ral(4).


# 1.171 26-Aug-2019 stsp

remove redundant assignment to ic_curmode

This assignment to ic_curmode is redundant because it already occurs
inside ieee80211_setmode(), and channel information in selbs and ni
is equivalent after node_copy().

ok mpi@ kevlo@


# 1.170 29-Jul-2019 stsp

Add support for 802.11n Tx aggregation to net80211 and the iwn(4) driver.

In particular, add Tx block ack session management to net80211, with
enough functionality to support Tx aggregation on devices which perform
A-MPDU subframe scheduling in firmware.
Make use of the iwn(4) firmware Tx scheduler to build A-MPDUs.

net80211's QoS support code is now enabled and used by Tx aggregation.

A-MSDU frames inside A-MPDUs have been tested and work in principle.
For now, this feature is disabled because unfair TCP connection sharing
was observed during testing, where bursts of TCP Ack frames for a single
tcpbench(1) connection arriving in A-MSDUs made other TCP connections stall.
Switch off support for A-MSDUs inside A-MPDUs on the Rx side as well.

Tested on iwn chipsets 1000, 4965, 5100, 5300, 2200, 6200, 6205, 6300
(committed version of tested diff has all debug printfs removed)
tests/ok benno kmos mlarkin kevlo


# 1.169 23-Jul-2019 stsp

In 11n hostap mode, properly disable HT protection when needed
by actually overwriting the relevant bits in ni_htop1.
ok tedu@ phessler@ kettenis@


# 1.168 10-Jun-2019 stsp

Revised version of 'ifconfig mode' command fix.

The 'mode' command is supposed to force a wireless interface into 11a/b/g/n
media mode. This stopped working some time ago, probably during my work on
background scanning. Problem spotted by mlarkin@ who noticed that interfaces
were using 11g mode while forced to 11b mode.

ok phessler, jmatthew (earlier version)
relentless testing by krw@


# 1.167 31-May-2019 stsp

Revert my "Repair the 'ifconfig mode' command" commit.

The "recursion in end_scan()" problem is apparently still present in
the committed version of the diff (reported by krw@).


# 1.166 29-May-2019 stsp

Repair the 'ifconfig mode' command.

The 'mode' command is supposed to force a wireless interface into 11a/b/g/n
media mode. This stopped working some time ago, probably during my work on
background scanning. Problem spotted by mlarkin@ who noticed that interfaces
were using 11g mode while forced to 11b mode.

ok phessler, jmatthew


# 1.165 11-May-2019 stsp

Show driver name on net80211 scan debug lines.
ok mpi@


# 1.164 28-Apr-2019 mpi

Removes the KERNEL_LOCK() from bridge(4)'s output fast-path.

This redefines the ifp <-> bridge relationship. No lock can be
currently used across the multiples contexts where the bridge has
tentacles to protect a pointer, use an interface index.

Tested by various, ok dlg@, visa@


Revision tags: OPENBSD_6_5_BASE
# 1.163 15-Mar-2019 phessler

fix autojoin for WEP network by actually saving the WEP auth key

discovered while attempting to autojoin WEP networks


# 1.162 01-Mar-2019 stsp

Improve handling of HT protection for 'mode 11n' hostap.

Consider the mere presence of HTCAP IEs as indicator of 11n support,
rather than checking advertised Rx MCS. Fixes some devices being
misclassified as 11a/g, causing HT protection to be enabled even
though it is not needed.

Use CTS-to-self frames for HT protection instead of RTS/CTS.

These changes make my athn(4) AR9280 hostap perform much better.

ok phessler@


# 1.161 23-Jan-2019 stsp

Move 802.11n rateset definitions out of MiRA and make them available to
net80211 and drivers in general. Add ratesets for 'short guard interval'
(SGI) rates, and add SGI support to MiRA. SGI is currently only used by
iwm(4), and of course internally by bwfm(4) firmware.
Ratesets for 11n 40 MHz channels and 11ac will come later.
ok mpi@ phessler@


# 1.160 18-Jan-2019 phessler

add a len field when we delete an essid from the joinlist. this will have
us properly match, instead of hoping we got lucky when selecting it.

OK stsp@


# 1.159 18-Jan-2019 phessler

let users automatically use join to connect to any open wifi network.
if a known network is visible, always prefer that instead.

requested by many, OK stsp@


# 1.158 25-Nov-2018 phessler

print more details about the join'd networks we have saved when a user runs
ifconfig if joinlist

OK stsp@


# 1.157 20-Nov-2018 phessler

fix whitespace in debugging function


# 1.156 20-Nov-2018 patrick

The first packet received from each AP in each QoS class would be
dropped as the sequence number matches the initial value of the
cached last sequence number (zero). On some APs (notably Android
WIFI hotspots) this hits the first packet of the WPA2 4-way
handshake. This causes connection delays and in some cases
connection to the AP fails completely. Initialize the cached last
sequence numbers for received packets to an invalid value instead.

From Christian Ehrhardt
ok gerhard@ stsp@
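
The initialisation bug described above, shown as an added example (this is not net80211 code and not part of the commit; the struct and function names are hypothetical, and the sentinel is simply a value outside the 16-bit Sequence Control field, chosen here so it can match no real frame). The duplicate check is reduced to "same Sequence Control on the same TID means retransmission"; a full implementation also requires the Retry bit to be set.

```c
#include <stdbool.h>
#include <stdint.h>

/*
 * Added example, not net80211 code: a per-TID cache of the last received
 * Sequence Control value, used for 802.11 duplicate detection. Sequence
 * Control is 16 bits: a 12-bit sequence number and a 4-bit fragment number.
 */
#define NUM_TIDS	16
/* Hypothetical sentinel outside the 16-bit field: no frame can match it. */
#define SEQCTL_NONE	0xffffffffU

struct node_rx {
	uint32_t last_seqctl[NUM_TIDS];
};

/* Buggy initialisation: "nothing seen yet" is encoded as 0, which is also
 * the Sequence Control of a first frame carrying sequence number 0. */
static void node_rx_init_buggy(struct node_rx *n)
{
	for (int tid = 0; tid < NUM_TIDS; tid++)
		n->last_seqctl[tid] = 0;
}

/* Fixed initialisation: start from a value no frame can carry. */
static void node_rx_init_fixed(struct node_rx *n)
{
	for (int tid = 0; tid < NUM_TIDS; tid++)
		n->last_seqctl[tid] = SEQCTL_NONE;
}

/* Build a Sequence Control value from sequence and fragment number. */
static uint16_t seqctl(uint16_t seqno, uint8_t frag)
{
	return (uint16_t)(((seqno & 0x0fff) << 4) | (frag & 0x0f));
}

/*
 * Simplified duplicate check: a frame whose Sequence Control equals the
 * cached value for its TID is treated as a retransmission and dropped;
 * otherwise the cache is updated. Returns true if the frame is accepted.
 */
static bool node_rx_accept(struct node_rx *n, unsigned tid, uint16_t sc)
{
	if (tid >= NUM_TIDS)
		return false;
	if (n->last_seqctl[tid] == sc)
		return false;
	n->last_seqctl[tid] = sc;
	return true;
}

/*
 * The scenario from the commit: the AP's very first QoS frame to us carries
 * sequence number 0 (e.g. message 1 of the 4-way handshake). Returns true
 * if that frame gets through.
 */
static bool first_frame_accepted(bool fixed_init)
{
	struct node_rx n;

	if (fixed_init)
		node_rx_init_fixed(&n);
	else
		node_rx_init_buggy(&n);
	return node_rx_accept(&n, 0, seqctl(0, 0));
}

/* A genuine retransmission must still be dropped after the fix. */
static bool retransmission_dropped(void)
{
	struct node_rx n;

	node_rx_init_fixed(&n);
	(void)node_rx_accept(&n, 6, seqctl(17, 0));
	return !node_rx_accept(&n, 6, seqctl(17, 0));
}
```

With the zero initialisation the handshake's first frame is silently lost and the client has to wait for the AP to retransmit it, which is the delay the commit describes; the fix costs nothing and keeps real duplicates out.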


# 1.155 27-Oct-2018 phessler

pass around the ess and ni structures we plan to use directly, instead
of rediscovering them (possibly badly).

OK stsp@


# 1.154 27-Oct-2018 phessler

clean up accounting of the AUTO_JOIN flag by making sure it is set or cleared
based on the state of the joinlist

OK stsp@


# 1.153 27-Oct-2018 phessler

don't join to a network where we expect cleartext, and the AP is using crypto

OK stsp@


Revision tags: OPENBSD_6_4_BASE
# 1.152 18-Sep-2018 mestre

fix memory leak in ieee80211_end_scan()

OK phessler@ jsg@


# 1.151 17-Sep-2018 jsg

fix memory leaks in ieee80211_add_ess()
ok stsp@ phessler@


# 1.150 11-Sep-2018 phessler

use the format string for signed ints, for signed ints

reminded by stsp@


# 1.149 11-Sep-2018 phessler

With the interface debug flag enabled, print a "score" for each AP we
consider during auto-join. This can help users determine why a specific
network was chosen.

OK stsp@


# 1.148 10-Sep-2018 phessler

fix typo in the length of the essid we want to switch to

found with and OK stsp@


# 1.147 10-Sep-2018 phessler

extract clearing WEP/WPA in ess into helper functions


# 1.146 10-Sep-2018 phessler

give set_ess a len variable, so we can correctly match the essid we want
to switch to.

pointed out by stsp@


# 1.145 09-Sep-2018 phessler

convert the things we save in 'join' into a single ioctl. mixing related
settings over multiple calls was risky and racy. Pass essid, wpa, and wep
parameters in a single ioctl and process it atomically.

no change for 'nwid' users

OK stsp@ benno@


# 1.144 06-Sep-2018 jsg

fix whitespace


# 1.143 01-Sep-2018 stsp

Make 'ifconfig nwid' override 'ifconfig join'.

There was no way to override a decision made by join's network
selection algorithm (apart from disabling the feature by clearing
the join list). Automatic selection is based on heuristics which
cannot always guess correctly so we need to provide an override.

One specific problem was that if 'nwid foo' and 'nwid bar' were
both visible in the scan and only 'nwid foo' was a member of the
join list, then there was no way at all to connect to 'nwid bar'.
The wireless stack would keep selecting 'nwid foo' instead.

'ifconfig iwm0 nwid bar' command will now disable automatic
network selection and force the use of ESSID 'bar'.
Any of these commands will re-enable automatic network selection:
ifconfig iwm0 -nwid
ifconfig iwm0 nwid ''
ifconfig iwm0 join some-network-id

ok phessler@ deraadt@


# 1.142 15-Aug-2018 stsp

Update AP selection heuristics for auto-join.

We now prefer stronger crypto over weaker crypto over none, prefer 5 GHz
band with reasonable RSSI, and use RSSI as a tie-breaker with a slight
advantage for 5GHz. Candidate APs are now ranked by a score which is
calculated based on these attributes.

There is likely room for improvements to make these heuristics
work well across many different environments, but it's a start.

ok phessler@


# 1.141 13-Aug-2018 stsp

Add support for band-steering access points to net80211.

Some access points have a feature called "band steering" where they
will try to push clients from 2 GHz channels to 5 GHz channels.
If a client sends probe-requests on both 2 GHz and 5GHz channels, and
then attempts to authenticate on a 2 GHz channel, such APs will deny
authentication and hope that the client will come back on a 5 GHz channel.

So if we fail to AUTH for any reason, and if there is a different
AP with the same ESSID that we haven't tried yet, try that AP next.
Keep trying until no APs are left, and only then continue scanning.

APs with support for this feature were provided by Mischa Peters.

ok phessler@ mpi@


# 1.140 11-Aug-2018 stsp

Add comment explaining why we read basic MCS set only from beacon/probereq.
requested by mpi@


# 1.139 07-Aug-2018 stsp

Ignore basic MCS set information found in association responses.

Some APs (Aruba 105) send a bogus basic MCS set in assoc responses
which prevents us from enabling 11n support with those APs, while
these APs still behave as if we were an 11n client which renders
the association unusable.

The basic MCS set is already provided in beacons anyway, and the
802.11 2012 standard says the basic MCS set is reserved in frames
other than beacons (see Table 8-130).

ok mpi@


# 1.138 06-Aug-2018 stsp

Refactor ieee80211_add_ess():

Drop ieee80211_add_ess's nwid parameter. Read nwid and length directly
from the ic to make it more obvious where this function is reading from.

nwids are binary data with an explicit length, so treat them as such
instead of treating them like strings.

ok florian phessler


# 1.137 06-Aug-2018 florian

Do not set nwid over and over again. We just found the ess by comparing
the nwid. It will not have changed in the meantime.
OK stsp


# 1.136 03-Aug-2018 phessler

revert 1.133 and part of 1.131
the stack doesn't always fill in the parameters correctly

reported by many


# 1.135 30-Jul-2018 stsp

Don't ask drivers to join a wifi network before an AP has been chosen.
Should fix a panic with bwfm(4) reported by mlarkin@
ok phessler@


# 1.134 19-Jul-2018 florian

ieee80211_ess_is_better() returns 0 or 1, comparing > 1 is always
false so we always selected the first wifi available, not the best
one.

While here shuffle some deck chairs to make it clearer that anything is
better than nothing.

tweak & OK phessler
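
The ranking described in rev 1.142 and the comparison bug fixed in rev 1.134, as one added example (not net80211 code; the enum, struct, weights, 50% threshold and the assumption that RSSI is a percentage are all mine, chosen so that crypto strength dominates the band preference, which in turn dominates the RSSI tie-breaker). The selection loop can be run in the buggy form, where a 0/1 result is compared against "> 1" and so the first candidate always wins, and in the fixed form.

```c
#include <stdbool.h>
#include <stddef.h>

/*
 * Added example, not net80211 code. Hypothetical types and weights for the
 * auto-join score: stronger crypto over weaker over none, then 5 GHz with
 * usable signal, then RSSI as a tie-breaker with a slight 5 GHz edge.
 */
enum crypto { CRYPTO_NONE = 0, CRYPTO_WEP = 1, CRYPTO_WPA1 = 2, CRYPTO_WPA2 = 3 };

struct ap {
	const char	*name;
	enum crypto	 crypto;
	bool		 is_5ghz;
	int		 rssi_pct;	/* assumed normalised to 0..100 */
};

#define RSSI_5GHZ_OK	50	/* assumed "reasonable RSSI" for preferring 5 GHz */
#define NITEMS(a)	(sizeof(a) / sizeof((a)[0]))

/* Each tier is weighted so it cannot be outvoted by the tiers below it. */
static int ap_score(const struct ap *a)
{
	int score = (int)a->crypto * 1000;

	if (a->is_5ghz && a->rssi_pct >= RSSI_5GHZ_OK)
		score += 500;
	score += a->rssi_pct;		/* tie-breaker, at most 100 */
	if (a->is_5ghz)
		score += 5;		/* slight 5 GHz advantage */
	return score;
}

/* Returns 1 if a ranks above b, else 0 (an int, as in the bug). */
static int ap_is_better(const struct ap *a, const struct ap *b)
{
	return ap_score(a) > ap_score(b);
}

/*
 * Pick the best candidate. With buggy == true the 0/1 result is compared
 * against "> 1", which never holds, so the first candidate always wins
 * whatever its score; the fixed branch tests the result directly.
 */
static const struct ap *select_ap(const struct ap *c, size_t n, bool buggy)
{
	const struct ap *best = NULL;

	for (size_t i = 0; i < n; i++) {
		if (best == NULL) {
			best = &c[i];
			continue;
		}
		if (buggy) {
			if (ap_is_better(&c[i], best) > 1)
				best = &c[i];
		} else if (ap_is_better(&c[i], best)) {
			best = &c[i];
		}
	}
	return best;
}

/* Constructed scan results, in the order a scan might report them. */
static const struct ap scan[] = {
	{ "open-2g",      CRYPTO_NONE, false, 90 },
	{ "wep-5g",       CRYPTO_WEP,  true,  80 },
	{ "wpa2-2g",      CRYPTO_WPA2, false, 70 },
	{ "wpa2-5g",      CRYPTO_WPA2, true,  55 },
	{ "wpa2-5g-weak", CRYPTO_WPA2, true,  20 },
};

static const struct ap *best_fixed(void) { return select_ap(scan, NITEMS(scan), false); }
static const struct ap *best_buggy(void) { return select_ap(scan, NITEMS(scan), true); }
```

On these constructed results the fixed loop picks the WPA2 5 GHz AP with usable signal, a WPA2 2 GHz AP at 70% outranks a WPA2 5 GHz AP at 20%, and the buggy loop hands back the open network merely because it was scanned first.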


# 1.133 16-Jul-2018 phessler

the AP sends their crypto parameters as a mask, so let us still select it
in case we want WPA2 and they have WPA1 still enabled


# 1.132 16-Jul-2018 phessler

don't save or use auto-join when the card is not in station (aka client) mode

OK stsp@


# 1.131 13-Jul-2018 phessler

Some more checks before auto-join switches networks.

Make sure all of the crypto options the AP announces matches what we
would configure. While here, don't switch if the user has specified
a specific BSSID, and the new AP does not match.

OK stsp@


# 1.130 11-Jul-2018 phessler

Introduce 'auto-join' to the wifi 802.11 stack.

This allows a system to remember which ESSIDs it wants to connect to, any
relevant security configuration, and switch to it when the network we are
currently connected to is no longer available.

Works when connecting and switching between WPA2/WPA1/WEP/clear encryptions.

example hostname.if:
join home wpakey password
join work wpakey mekmitasdigoat
join open-lounge
join cafe wpakey cafe2018
join "wepnetwork" nwkey "12345"
dhcp
inet6 autoconf
up

OK stsp@ reyk@
and enthusiasm from every hackroom I've been in for the last 3 years


# 1.129 28-Apr-2018 stsp

When starting a background scan, free the nodes table to ensure we
get an up-to-date view of APs around us. In particular, we need to
kick out the AP we are associated to. Otherwise, our current AP might
stay cached if it is turned off while we are scanning, and we could
end up picking a now non-existent but "good looking" AP over and over.

found with and ok phessler@


# 1.128 27-Apr-2018 stsp

Fix the scan loop: We were only looking for an AP once and stopped
scanning if none was found.
Accidentally broken in recent ifconfig scan changes by pirofti and me.
ok pirofti


# 1.127 26-Apr-2018 pirofti

net80211: stub SIOCS80211SCAN, make ifconfig scan instant.

The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stsp@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.

The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.

In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.

The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...

Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.

Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).

Tested by mpi@, landry@, florian@, thanks!
OK mpi@.


Revision tags: OPENBSD_6_3_BASE
# 1.126 06-Feb-2018 phessler

convert the test if a node support HT (aka, 11n) into an inline function,
instead of testing some un-obvious bitfield

OK stsp@


# 1.125 12-Dec-2017 stsp

Don't dereference IEEE80211_CHAN_ANYC pointer in ieee80211_node_checkrssi().

Problem reported by Gregoire Jadi on bugs@


# 1.124 12-Dec-2017 phessler

Allow interfaces that aren't SCANNALLBAND drivers to benefit from the
strongest received signal.

OK stsp@


# 1.123 12-Dec-2017 jcs

Fix the behavior of preferring weaker-but-still-good 5GHz APs over
2GHz APs because the 5GHz band is generally less saturated.

The previous implementation was dependent upon the order of walking
APs.

ok stsp


# 1.122 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


Revision tags: OPENBSD_6_2_BASE
# 1.121 05-Sep-2017 stsp

When starting a new scan always set the mode to AUTO if the driver scans
all bands at once. Fixes a problem where e.g. 5GHz APs were filtered out
if we were previously associated to an 11g-only AP.
ok mpi@ phessler@


# 1.120 17-Aug-2017 stsp

Add an entry to dmesg if pairwise WPA keys arrive unexpectedly or if WPA
group keys are being reused. OpenBSD wireless clients will now leave a
trail of such events in their message log.

There has been increased public scrutiny of WPA's security recently, so
I am curious to see if anyone is attempting replay attacks in the wild.

ok deraadt
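
The two events the commit adds to dmesg, modelled as an added example (not net80211 code; the struct, the event enum and the simplified handshake state are hypothetical). A station keeps a record of the keys it has installed and flags a pairwise key message that arrives while no handshake is in progress, and a group key delivery that repeats the key and key ID it already holds. The second case matters because installing the same group key again resets its receive replay counter, so broadcast frames captured earlier could be replayed to the client.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not net80211 code. Names are hypothetical. */
#define GTK_MAX	32

enum key_event { KEY_OK = 0, KEY_PAIRWISE_UNEXPECTED, KEY_GROUP_REUSED,
    KEY_INVALID, KEY_EVENT_MAX };

struct sta_keys {
	bool	 handshake_active;	/* 4-way handshake message 1 seen */
	bool	 ptk_installed;
	bool	 gtk_installed;
	uint8_t	 gtk_id;
	size_t	 gtk_len;
	uint8_t	 gtk[GTK_MAX];
	unsigned events[KEY_EVENT_MAX];	/* what would be logged to dmesg */
};

static void sta_keys_init(struct sta_keys *s) { memset(s, 0, sizeof(*s)); }

static void sta_handshake_start(struct sta_keys *s) { s->handshake_active = true; }

static enum key_event note(struct sta_keys *s, enum key_event ev)
{
	s->events[ev]++;
	return ev;
}

/* Pairwise key confirmation (message 3): only valid mid-handshake. */
static enum key_event sta_recv_pairwise_key(struct sta_keys *s)
{
	if (!s->handshake_active)
		return note(s, KEY_PAIRWISE_UNEXPECTED);
	s->handshake_active = false;
	s->ptk_installed = true;
	return note(s, KEY_OK);
}

/*
 * Group key delivery. The same key bytes under the same key ID as the one
 * already installed is reuse: reinstalling it would reset the replay
 * counter for that key. A different ID is a different key slot.
 */
static enum key_event sta_recv_group_key(struct sta_keys *s, uint8_t id,
    const uint8_t *key, size_t len)
{
	if (len == 0 || len > GTK_MAX)
		return note(s, KEY_INVALID);
	if (s->gtk_installed && s->gtk_id == id && s->gtk_len == len &&
	    memcmp(s->gtk, key, len) == 0)
		return note(s, KEY_GROUP_REUSED);
	memcpy(s->gtk, key, len);
	s->gtk_len = len;
	s->gtk_id = id;
	s->gtk_installed = true;
	return note(s, KEY_OK);
}

/* Constructed sequence of key messages; returns how often `which` fired. */
static unsigned key_demo(enum key_event which)
{
	static const uint8_t k1[16] = { 0x11, 0x22, 0x33 };	/* constructed */
	static const uint8_t k2[16] = { 0x44, 0x55, 0x66 };	/* constructed */
	struct sta_keys s;

	sta_keys_init(&s);
	(void)sta_recv_pairwise_key(&s);		/* no handshake: unexpected */
	sta_handshake_start(&s);
	(void)sta_recv_pairwise_key(&s);		/* fine */
	(void)sta_recv_group_key(&s, 1, k1, sizeof(k1));	/* fine */
	(void)sta_recv_group_key(&s, 1, k1, sizeof(k1));	/* same key, same ID */
	(void)sta_recv_group_key(&s, 2, k1, sizeof(k1));	/* other slot: fine */
	(void)sta_recv_group_key(&s, 1, k2, sizeof(k2));	/* rotated: fine */
	(void)sta_recv_group_key(&s, 1, k2, 0);		/* malformed */
	return s.events[which];
}
```

The counters stand in for the log lines; in a real stack the check sits where the EAPOL-Key frames are processed, and the same comparison can be used to refuse the reinstallation rather than only record it.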


# 1.119 04-Aug-2017 stsp

Compile a debug printf in ieee80211_match_bss() by default, previously
guarded by the IEEE80211_DEBUG preprocessor flag. This shows one line
per detected AP after a scan, and indicates which APs are considered
candidates for association.
Shorten the output a bit to fit into 80 columns more likely.
ok sthen@


# 1.118 19-Jul-2017 stsp

Improve the heuristic which selects 5GHz APs over 2GHz APs.

The previous code wasn't quite right: it didn't account for the fact that
some drivers don't set ic_max_rssi, and it compared 5GHz APs to a threshold
relative to the max RSSI, rather than comparing RSSI on 5GHz relative to
RSSI on 2GHz.

This heuristic is only used by SCANNALLBAND drivers: iwn(4), iwm(4), wpi(4)

In the future the AP selection heuristic should be made more intelligent,
e.g. it should take BSS load information in beacons into account.
Another open problem is inconsistent representation of RSSI measurement
values throughout our drivers and stack. Help is welcome!

For now, this hopefully improves AP selection at busy airports.

ok sthen@ deraadt@


# 1.117 04-Jun-2017 tb

Add sizes for free for the RSN IEs. Rewrite ieee80211_save_ie() slightly
to make it more readable.

help, many explanations and ok stsp


# 1.116 03-Jun-2017 tb

Add a few sizes to free().

Input, help & ok stsp


Revision tags: OPENBSD_6_1_BASE
# 1.115 04-Mar-2017 stsp

branches: 1.115.4;
In 11n hostap mode, dynamically adjust HT protection settings based on
the presence of non-HT nodes in the node cache.
OpenBSD 11n APs will now disable HT protection if it is not necessary.
ok mpi@


# 1.114 03-Feb-2017 stsp

Fix 11b clients sending bogus ratesets in association requests. The common
rateset with the AP is calculated only after the association response was
received, which is too late. Fix rates when an AP is selected after a scan.
ok mpi@ tb@


# 1.113 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.112 16-Jan-2017 stsp

Reset block ack state and cancel related timeouts when a HT node disassociates.
The existing code (from damien@) already took care of freeing related buffers
but because block ack state was not reset we were still trying to use these
buffers if the node sent another A-MPDU. This problem only affects 11n hostap.
Fixes kernel crash reported by Timo Myyra on bugs@


# 1.111 09-Jan-2017 stsp

When a HT node leaves or reassociates as a non-HT node,
clear HT capabilities stored in its node cache object.

A node may switch from 11n mode to 11a/b/g mode.
If we don't clear HT capabilities from the cache the node will
be mistaken as 11n-capable after reassociation.

ok phessler@ mpi@


# 1.110 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.109 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.108 09-Jan-2017 stsp

The point of ieee80211_node_leave() is to place the node in COLLECT state.
Return early and do nothing if the node is already in COLLECT state upon
entry to this function.


# 1.107 09-Jan-2017 stsp

When acting as hostap, negotiate HT before calling the driver's ic_newassoc()
function, not afterwards. Drivers now know whether a joining node supports HT
which helps with setting up state such as which Tx rate to use.


# 1.106 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@
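
The countermeasure timing described above, as an added example (not net80211 code; the struct and function names are hypothetical, time is passed in as seconds and the random value is supplied by the caller in place of arc4random() so the logic runs deterministically). The base of 60 seconds and the cap of 120 seconds are the commit's; the trigger, a second MIC failure within 60 seconds of the first, is taken from the 802.11 TKIP countermeasure rules rather than from the commit message.

```c
#include <stdbool.h>
#include <stdint.h>

/* Added example, not net80211 code. Hypothetical names and state. */
#define MIC_FAILURE_WINDOW_S	60	/* second failure within this triggers */
#define COUNTERMEASURE_BASE_S	60	/* AP stays disabled at least this long */
#define COUNTERMEASURE_JITTER_S	60	/* plus up to this many random seconds */

struct tkip_ap {
	uint64_t	last_mic_failure;	/* 0: none recorded */
	uint64_t	disabled_until;		/* 0: AP enabled */
	unsigned	countermeasures;	/* how often they fired */
};

static bool tkip_ap_disabled(const struct tkip_ap *ap, uint64_t now)
{
	return ap->disabled_until != 0 && now < ap->disabled_until;
}

/*
 * Report a MIC failure at time `now` (seconds, > 0, monotonic). `rnd`
 * stands in for arc4random(); only rnd % (JITTER + 1) is used. Returns
 * true if this failure started countermeasures. The code this replaced
 * would have left the AP disabled until the next reboot.
 */
static bool tkip_ap_mic_failure(struct tkip_ap *ap, uint64_t now, uint32_t rnd)
{
	bool second_in_window = ap->last_mic_failure != 0 &&
	    now - ap->last_mic_failure <= MIC_FAILURE_WINDOW_S;

	if (!second_in_window) {
		ap->last_mic_failure = now;
		return false;
	}
	ap->countermeasures++;
	ap->disabled_until = now + COUNTERMEASURE_BASE_S +
	    (rnd % (COUNTERMEASURE_JITTER_S + 1));
	ap->last_mic_failure = 0;	/* fresh window once the AP is back */
	return true;
}

/* Worked scenario: two failures 30 s apart. Returns the blackout length
 * in seconds, or 0 if the state machine misbehaved. */
static uint64_t tkip_demo(uint32_t rnd)
{
	struct tkip_ap ap = { 0, 0, 0 };

	if (tkip_ap_mic_failure(&ap, 1000, rnd))	/* first: warn only */
		return 0;
	if (tkip_ap_disabled(&ap, 1001))
		return 0;
	if (!tkip_ap_mic_failure(&ap, 1030, rnd))	/* second within 60 s */
		return 0;
	if (!tkip_ap_disabled(&ap, 1031) || tkip_ap_disabled(&ap, ap.disabled_until))
		return 0;
	return ap.disabled_until - 1030;
}

/* Two failures `gap_s` seconds apart: do they trigger countermeasures? */
static bool tkip_spaced_failures_trigger(unsigned gap_s)
{
	struct tkip_ap ap = { 0, 0, 0 };

	(void)tkip_ap_mic_failure(&ap, 1000, 0);
	return tkip_ap_mic_failure(&ap, 1000 + gap_s, 0);
}
```

The random extra stretches the blackout to somewhere between 60 and 120 seconds; the assumed window check means isolated MIC failures (noise, a single corrupted frame) only get recorded and do not take the AP down.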


# 1.105 15-Sep-2016 dlg

move from RB macros to the RBT functions.

shaves about 5k off an amd64 GENERIC.MP kernel


# 1.104 17-Aug-2016 stsp

If a wireless device or driver scans all bands at once give 5GHz APs
a slight priority in cases where good matches exist in either band.
ok sthen@


Revision tags: OPENBSD_6_0_BASE
# 1.103 21-May-2016 stsp

branches: 1.103.2;
Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


# 1.102 18-May-2016 stsp

In hostap mode, don't re-use association IDs (AIDs) of nodes which are
still lingering in the node cache. This could cause an AID to be assigned
twice, once to a newly associated node and once to a different node in
COLLECT cache state (i.e. marked for future eviction from the node cache).

Drivers (e.g. rt2860) may use AIDs to keep track of nodes in firmware
tables and get confused when AIDs aren't unique across the node cache.
The symptom observed with rt2860 was nodes stuck at 1 Mbps Tx rate since
the duplicate AID made the driver perform Tx rate (AMRR) accounting on
the wrong node object.

To find out if a node is associated we now check the node's cache state,
rather than comparing the node's AID against zero. An AID is assigned when
a node associates and it lasts until the node is eventually purged from the
node cache (previously, the AID was made available for re-use when the node
was placed in COLLECT state). There is no need to be stingy with AIDs since
the number of possible AIDs exceeds the maximum number of nodes in the cache.

Problem found by Nathanael Rensen.
Fix written by Nathanael and myself. Tested by Nathanael.
Committing now to get this change tested across as many drivers as possible.


# 1.101 12-Apr-2016 mpi

Call if_enqueue() and if_start() instead of dereferencing the ifp
pointers.

These functions have been introduced to abstract some of the MP-
safeness^Wmadness and should be used everywhere.

Prodded by a comment from jsg@.

ok mikeb@, stsp@


# 1.100 03-Mar-2016 gerhard

Restore assignment of ic_curmode that was accidentally removed when
moving the ERP code to post-assoc phase. Fixes iwi(4) fatal firmware
errors.

ok stsp@, sobrado@


Revision tags: OPENBSD_5_9_BASE
# 1.99 25-Jan-2016 stsp

branches: 1.99.2;
Honour ERP protection on 2 GHz channels in 11n mode, as done for 11g.
ok millert@


# 1.98 25-Jan-2016 stsp

Don't try to interpret htprot data if the last beacon didn't contain such data.
ok mpi@ millert@


# 1.97 07-Jan-2016 stsp

Make the A-MPDU reordering buffer more resilient against APs which drop
some subframes or let the sequence number jump up by more than 1 (hard
to tell which it is). We decrease the BA inactivity timeout for quicker
recovery from stalled BA sessions, and add a new timeout which keeps track
of gaps in the subframe sequence number space due to dropped frames.
Gaps expire after 500 msec, the same value FreeBSD uses for their
implementation of this workaround. And Linux uses this trick, too.

This should fix network stalls some people have been seeing in 11n mode.

ok deraadt@


# 1.96 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.95 04-Jan-2016 stsp

While configuring ERP we need to know if we're in 11a or 11g mode so only
configure ERP once we are sure about our operation mode against the AP.
ok sthen jasper kettenis deraadt mpi


# 1.94 18-Dec-2015 sthen

unnoccupied->unoccupied


# 1.93 12-Dec-2015 stsp

Finish support for receiving 11n A-MPDUs.

The initial implementation was added by damien@ years ago.
Summary of the changes made in this commit:
- In ieee80211_input(), process A-MPDUs before duplicate detection.
- Don't forget to set ba->ba_ni in ieee80211_recv_addba_req()
so we don't crash in ieee80211_rx_ba_timeout().
- In ieee80211_recv_addba_req(), tweak the logic to deny BlockAck
requests if the driver has no callback for doing so.
- Implement ieee80211_ba_del() which cleans up BlockAck state.
- Increase the minimum and maximum lifetime for BlockAck agreements.

ok mpi@


# 1.92 24-Nov-2015 mpi

No need to include <net/if_arp.h>

This header is only needed because <netinet/if_ether.h> declares a
structure that needs it. But it turns out that <net/if.h> already
includes it as workaround.

A proper solution would be to stop declaring "struct ether_arp"
there. But no driver should need this header.


# 1.91 15-Nov-2015 stsp

Parse 11n HT capabilities and operational info from association response
frames, negotiate HT with the AP, and move the interface into or out of
11n mode accordingly. If running as AP negotiate HT with nodes joining the BSS.

ok deraadt mpi kettenis guenther


# 1.90 15-Nov-2015 stsp

Extend struct ieee80211_node with fields for 11n STA HT capabilities and
HT operational information sent by 11n APs. These fields reflect the structure
of elements in management frames so that IEEE80211_HTCAP* and IEEE80211_HTOP*
macros designed to operate on frame elements can be used directly to read
or set the fields.

Populate nodes with HT information received in probe responses, probe
requests, and association requests.

ok deraadt mpi phessler kettenis guenther


# 1.89 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


Revision tags: OPENBSD_5_8_BASE
# 1.88 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.87 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.86 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.85 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.84 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.83 12-Sep-2014 sthen

Remove cached 802.11 nodes in IEEE80211_STA_CACHE state (these are nodes
which have been seen but which haven't otherwise interacted with us), fixing
a problem where old cached nodes are seen when doing a scan.
From Marcin Piotr Pawlowski, feedback stsp@ ok kspillner@ dcoppa@


# 1.82 08-Aug-2014 jasper

use nitems() instead of various local constructs

ok stsp@


Revision tags: OPENBSD_5_6_BASE
# 1.81 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


Revision tags: OPENBSD_5_5_BASE
# 1.80 01-Dec-2013 stsp

Reset txrate array index after changing a node's rate list.
Should prevent "bogus xmit rate %d setup" panics, which I ran into again
in IBSS mode.
ok kettenis


# 1.79 21-Nov-2013 mpi

Remove unneeded include.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.78 24-Mar-2013 claudio

Make ieee80211_set_tim() available from outside of ieee80211_node.c
so drivers like acx(4) can use that function directly instead of
reimplementing the function again. Requested by kettenis@ long time ago.


Revision tags: OPENBSD_5_3_BASE
# 1.77 07-Nov-2012 stsp

Fix DPRINTF() format string treating n->ni_refcnt, which is unsigned, as signed.
diff from dhill; ok kettenis reyk


# 1.76 10-Oct-2012 kettenis

Clear the powersave flag and purge queued packets when a node leaves the AP
(either by disassociating or by timeout). Fixes (most) remaining issues with
power saving.

From Nathanael Rensen.

ok claudio@, krw@, sthen@


# 1.75 05-Oct-2012 camield

Point an interface directly to its bridgeport configuration, instead
of to the bridge itself. This is ok, since an interface can only be part
of one bridge, and the parent bridge is easy to find from the bridgeport.

This way we can get rid of a lot of list walks, improving performance
and shortening the code.

ok henning stsp sthen reyk


# 1.74 20-Sep-2012 stsp

Nuke M_80211_NODE #define which mapped to M_DEVBUF and use M_DEVBUF directly.
ok henning


# 1.73 25-Aug-2012 kettenis

Set up ni_savedq for the initial BSS node such that it can actually be used
to store multicast frames when one of the associated stations is in power
saving mode.

ok stsp@


# 1.72 17-Aug-2012 stsp

Fix possible panic while switching from STA mode into hostap/ibss modes.
ieee80211_create_ibss() resets the set of supported rates but failed
to update the index into the rate set array accordingly. If the rate
configured during STA operation didn't belong to the newly configured
rate set the system ran into an assertion ("bogus xmit rate %u setup")
while trying to create the IBSS.
ok fgsch@


Revision tags: OPENBSD_5_2_BASE
# 1.71 18-Jul-2012 stsp

Print messages about nodes purged from the node cache if hostap/ibss modes are
compiled in and the interface is in debug mode. ok sthen


# 1.70 16-Jul-2012 stsp

Move increment of ic_nnodes closer to where the node is actually inserted
into the cache. Make sure we're at IPL_NET while incrementing/decrementing
ic_nnodes. Add a debug message that warns about possible node leaks.
All of this affects hostap mode only.


# 1.69 13-Jul-2012 stsp

Tweak node cache eviction strategy when the cache is full: kick off new nodes
in AUTH state that weren't active during the cache wait interval rather than
keeping them for the entire cache timeout interval. Fixes association failures
in noisy RF environments. Tested by edd and myself with a slow soekris
suffering from RF noise with about 50 interrupts per second on ral0.
ok deraadt


Revision tags: OPENBSD_5_1_BASE
# 1.68 25-Jan-2012 stsp

There is no need to explicitly skip ic_bss when iterating over cached nodes.
The ic_bss is never put into the RB tree.


# 1.67 25-Jan-2012 stsp

Clean inactive authenticated nodes during cache timeout as well.
There is no need to keep nodes cached which never associated and were
inactive within the last 5 minutes or more. Keeps the node cache pretty
clean in my environment with typical city-center wlan noise.


# 1.66 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@


# 1.65 21-Jan-2012 stsp

Hold interrupts blocked while comparing a cached node's refcount to zero
and freeing the node. Just in case an interrupt happens to ref the node after
the refcount was checked but before the node is freed.
Tested by several as part of a larger diff.


# 1.64 18-Jan-2012 stsp

Make it possible to free cached nodes which never associated (e.g. nodes
only scanning for networks). These were never put into COLLECT state and
were thus never evicted from the node cache in hostap mode.
ok jsg@


Revision tags: OPENBSD_5_0_BASE
# 1.63 28-Mar-2011 kettenis

Clean nodes until the number of cached nodes is smaller than the maximum number
of nodes, otherwise we'll never actually clean any nodes. Fixes issues with
clients failing to attach because the node cache is completely filled.

ok damien@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.62 07-Aug-2010 krw

No "\n" needed at the end of panic() strings.

Bogus chunks pointed out by matthew@ and miod@. No cookies for
marco@ and jasper@.

ok deraadt@ miod@ matthew@ jasper@ marco@


# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


# 1.60 19-Jun-2010 damien

In ieee80211_node_leave(), clear the associd after calling
ieee80211_node_leave_rsn() since ieee80211_node_leave_rsn()
calls ic_delete_key() and drivers like ral(4) RT2860 need
a valid associd in their delete_key callbacks.
This affects HostAP mode only.

from Nathanael Rensen.

remove a useless (nested) #ifndef IEEE80211_STA_ONLY while i'm here


# 1.59 14-Jun-2010 damien

fix my previous commit, i forgot BIP, so instead of enumerating
what is not supported as a group cipher, enumerate what is supported.


# 1.58 14-Jun-2010 damien

do not try to associate with an AP using an unsupported group cipher,
otherwise we will panic in ieee80211_add_rsn_body().

this may be the cause of a panic seen by reyk@ though i'm not 100% sure.


# 1.57 28-Mar-2010 krw

Four uses of uninitialized variables found by clang via jsg@. ar5416, ar9287
and athn are only theoretically interesting. ieee80211_node fixes a real
bug in occupied channel detection.

ok damien@


Revision tags: OPENBSD_4_7_BASE
# 1.56 17-Feb-2010 damien

Do not always create a new node when a beacon or a probe response
is received. The creation of a new node is already handled in
ieee80211_recv_probe_resp() when necessary.
This avoids creating empty nodes with wrong channels when beacons
are received on the wrong channel (overlapping channels).
Those empty nodes may also prevent the real node from being
discovered because of ieee80211_find_node_for_beacon() filtering.

This should prevent entries of the form:
nwid "" chan 3 bssid 00:01:02:03:04:05 0dB 54M
in "ifconfig if0 scan" output, like reported by Rivo Nurges.


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.55 29-Jan-2009 damien

fix a panic that occurs when IEEE80211_STA_ONLY is defined (SMALL_KERNEL).

noticed by ray@, more investigation from sthen@
fix tested by sthen@


# 1.54 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.53 28-Jan-2009 damien

In ieee80211_find_node(), roll our own RB_FIND() based on the key (macaddr)
instead of resorting to horrid hacks/casts.
Restore the ieee80211_node structure back to its original state.


# 1.52 27-Jan-2009 damien

unbreak SMALL_KERNEL builds by adding missing #ifndef IEEE80211_STA_ONLY

pointed out by krw@


# 1.51 26-Jan-2009 damien

move ni_macaddr field at the top of the ieee80211_node structure.
this way we can avoid putting a full node structure (which is huge)
on the stack in ieee80211_find_node().
this is a bit tricky but the RB_FIND macro wants an "elem" structure,
not a field of "elem".


# 1.50 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.49 14-Dec-2008 damien

Add an ieee80211_notify_dtim() function that drivers should call after
every DTIM in HostAP mode.
Flushes all group addressed MSDUs buffered at the AP for power management.


# 1.48 23-Oct-2008 mk

Prevent a crash in ieee80211_setkeys() when unplugging an interface in
hostap mode by canceling the group rekey timeout in ieee80211_node_detach().

ok damien


# 1.47 15-Oct-2008 blambert

Second pass of simple timeout_add -> timeout_add_sec conversions
This should take care of the simpler ones (i.e., timeout values of
integer multiples of hz).

ok krw@, art@


# 1.46 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.45 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.44 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.43 12-Aug-2008 damien

new SHA-256 based AKMPs.


# 1.42 12-Aug-2008 damien

add/process group integrity cipher suite in RSN IEs.
add support for MFP negotiation during association.


# 1.41 12-Aug-2008 damien

the only integrity group cipher currently supported is AES-128-CMAC.


# 1.40 12-Aug-2008 damien

generate a random IGTK in HostAP mode if we're MFP-capable.


# 1.39 12-Aug-2008 damien

get rid of the map_ptk()/map_gtk() functions, just inline them
which makes things easier to track.


Revision tags: OPENBSD_4_4_BASE
# 1.38 02-Aug-2008 damien

Drop frames that are received unencrypted when WEP is on or when
WPA is on and RX protection for TA is on.
Keep track of the TX/RX protection for each node when WPA is on.

tested by djm@ (ral+wpa), ckuethe@ (ath-noenc) and krw@ (wpi<->ral+wpa).
hints from bluhm@
has been in snaps for a few days.

pointed out by bluhm@ something like 1 year ago but we did not have
the right infrastructure to fix it properly at that time.

ok deraadt@


# 1.37 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.36 27-Jul-2008 damien

s/IEEE80211_DPRINTF/DPRINTF/
automatically prepend __func__ to output.

deobfuscates debug messages a bit.
no binary change unless compiled with IEEE80211_DEBUG.


# 1.35 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.34 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


# 1.33 21-Apr-2008 damien

move ieee80211_ibss_merge() from ieee80211_input.c to ieee80211_node.c


# 1.32 21-Apr-2008 damien

move ieee80211_auth_open() to ieee80211_proto.c
move ieee80211_setup_rates() to ieee80211_node.c
move some prototypes from ieee80211_proto.h to ieee80211_crypto.h


# 1.31 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.30 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.29 07-Sep-2007 damien

use new malloc M_ZERO flag + replace MALLOC with malloc


Revision tags: OPENBSD_4_2_BASE
# 1.28 06-Jul-2007 damien

remove remaining bits for pre-RSNA shared authmode support.
it has been #if 0'd since 3.9 and we have never supported this mode (no
ifconfig option etc...).


# 1.27 06-Jul-2007 damien

initialize an uninitialized variable.


# 1.26 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.25 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.24 16-Jun-2007 damien

constify


# 1.23 16-Jun-2007 damien

don't mix u_int{8,16,32}_t and uint{8,16,32}_t
use u_int{8,16,32}_t everywhere.


# 1.22 16-Jun-2007 damien

de-static

ok jsg@


# 1.21 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.20 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


# 1.19 10-Apr-2007 miod

``it's'' -> ``its'' when the grammar gods require this change.


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 13-Nov-2006 damien

fix a possible NULL deref.


Revision tags: OPENBSD_4_0_BASE
# 1.16 19-Jun-2006 reyk

unbreak the code if compiled with IEEE80211_DEBUG by using the right
node attribute.

ok damien@, figured out by claudio@


# 1.15 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.14 19-Feb-2006 damien

Fix a comment in ieee80211_next_scan().


# 1.13 09-Oct-2005 reyk

if the wireless hostap interface belongs to a bridge, learn the node's
address dynamically on this interface after successful association.
this could speed wireless roaming to openbsd accesspoints.

ok jason@, jsg@ can't see anything objectionable


# 1.12 07-Oct-2005 reyk

minor knf


# 1.11 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.10 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.9 08-Sep-2005 jsg

Remove the last of the FreeBSD compatibility goop.
ok reyk@


# 1.8 08-Sep-2005 jsg

Remove FreeBSD if_printf compat function from net80211.
ok reyk@


# 1.7 08-Sep-2005 reyk

reset the scan state for each new mode

ok jsg@


# 1.6 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.5 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.4 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.3 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.2 02-Nov-2004 millert

Don't call memset() if MALLOC returns NULL; also fix the rcs ID.
From Patrick Latifi; OK reyk@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.173 02-Sep-2019 stsp

Make net80211 expose reasons for association failures to userland and have
ifconfig display them in 'scan' output and on the ieee80211 status line if
the failure is applicable to an already selected AP (e.g. wrong WPA key).

This will hopefully reduce the amount of help requests for what often
turn out to be trivial misconfiguration issues that were previously
hard to diagnose without debug mode.

ifconfig must be recompiled with the new ieee80211_ioctl.h to stay in
sync with the kernel. A full 'make build' will do the right thing!

Very helpful input by mpi@ and deraadt@


# 1.172 27-Aug-2019 stsp

Keep ieee80211_node structures cached across scans, rather than
wiping the entire cache every time a scan is triggered.

This has benefits for userland programs trying to look at scan results,
and for drivers which don't get a full view from hardware on every scan.

Nodes will still be evicted from the cache in one of several ways:

Add a new way of timing out inactive nodes which don't send a beacon
within 10 scan iterations, for client mode only. This should get rid
of stale APs if we're scanning for some time in a changing environment.

If we fail to associate a few times, the corresponding node is removed.

If net80211 transitions back to INIT state (e.g. because of a
user-initiated configuration change) all nodes are removed.

When a background scan starts all nodes will be removed. This could be
revisited later but has been intentionally left as-is for now.

Tested by myself, jmc@, benno@, procter@ on iwm(4), athn(4) and ral(4).


# 1.171 26-Aug-2019 stsp

remove redundant assignment to ic_curmode

This assignment to ic_curmode is redundant because it already occurs
inside ieee80211_setmode(), and channel information in selbs and ni
is equivalent after node_copy().

ok mpi@ kevlo@


# 1.170 29-Jul-2019 stsp

Add support for 802.11n Tx aggregation to net80211 and the iwn(4) driver.

In particular, add Tx block ack session management to net80211, with
enough functionality to support Tx aggregation on devices which perform
A-MPDU subframe scheduling in firmware.
Make use of the iwn(4) firmware Tx scheduler to build A-MPDUs.

net80211's QoS support code is now enabled and used by Tx aggregation.

A-MSDU frames inside A-MPDUs have been tested and work in principle.
For now, this feature is disabled because unfair TCP connection sharing
was observed during testing, where bursts of TCP Ack frames for a single
tcpbench(1) connection arriving in A-MSDUs made other TCP connections stall.
Switch off support for A-MSDUs inside A-MPDUs on the Rx side as well.

Tested on iwn chipsets 1000, 4965, 5100, 5300, 2200, 6200, 6205, 6300
(committed version of tested diff has all debug printfs removed)
tests/ok benno kmos mlarkin kevlo


# 1.169 23-Jul-2019 stsp

In 11n hostap mode, properly disable HT protection when needed
by actually overwriting the relevant bits in ni_htop1.
ok tedu@ phessler@ kettenis@


# 1.168 10-Jun-2019 stsp

Revised version of 'ifconfig mode' command fix.

The 'mode' command is supposed to force a wireless interface into 11a/b/g/n
media mode. This stopped working some time ago, probably during my work on
background scanning. Problem spotted by mlarkin@ who noticed that interfaces
were using 11g mode while forced to 11b mode.

ok phessler, jmatthew (earlier version)
relentless testing by krw@


# 1.167 31-May-2019 stsp

Revert my "Repair the 'ifconfig mode' command" commit.

The "recursion in end_scan()" problem is apparently still present in
the committed version of the diff (reported by krw@).


# 1.166 29-May-2019 stsp

Repair the 'ifconfig mode' command.

The 'mode' command is supposed to force a wireless interface into 11a/b/g/n
media mode. This stopped working some time ago, probably during my work on
background scanning. Problem spotted by mlarkin@ who noticed that interfaces
were using 11g mode while forced to 11b mode.

ok phessler, jmatthew


# 1.165 11-May-2019 stsp

Show driver name on net80211 scan debug lines.
ok mpi@


# 1.164 28-Apr-2019 mpi

Removes the KERNEL_LOCK() from bridge(4)'s output fast-path.

This redefines the ifp <-> bridge relationship. No lock can be
currently used across the multiples contexts where the bridge has
tentacles to protect a pointer, use an interface index.

Tested by various, ok dlg@, visa@


Revision tags: OPENBSD_6_5_BASE
# 1.163 15-Mar-2019 phessler

fix autojoin for WEP network by actually saving the WEP auth key

discovered while attempting to autojoin WEP networks


# 1.162 01-Mar-2019 stsp

Improve handling of HT protection for 'mode 11n' hostap.

Consider the mere presence of HTCAP IEs as indicator of 11n support,
rather than checking advertised Rx MCS. Fixes some devices being
misclassified as 11a/g, causing HT protection to be enabled even
though it is not needed.

Use CTS-to-self frames for HT protection instead of RTS/CTS.

These changes make my athn(4) AR9280 hostap perform much better.

ok phessler@


# 1.161 23-Jan-2019 stsp

Move 802.11n rateset definitions out of MiRA and make them available to
net80211 and drivers in general. Add ratesets for 'short guard interval'
(SGI) rates, and add SGI support to MiRA. SGI is currently only used by
iwm(4), and of course internally by bwfm(4) firmware.
Ratesets for 11n 40 MHz channels and 11ac will come later.
ok mpi@ phessler@


# 1.160 18-Jan-2019 phessler

add a len field when we delete an essid from the joinlist. this will have
us properly match, instead of hoping we got lucky when selecting it.

OK stsp@


# 1.159 18-Jan-2019 phessler

let users automatically use join to connect to any open wifi network.
if a known network is visible, always prefer that instead.

requested by many, OK stsp@


# 1.158 25-Nov-2018 phessler

print more details about the join'd networks we have saved when a user runs
ifconfig if joinlist

OK stsp@


# 1.157 20-Nov-2018 phessler

fix whitespace in debugging function


# 1.156 20-Nov-2018 patrick

The first packet received from each AP in each QoS class would be
dropped as the sequence number matches the initial value of the
cached last sequence number (zero). On some APs (notably Android
WIFI hotspots) this hits the first packet of the WPA2 4-way
handshake. This causes connection delays and in some cases
connection to the AP fails completely. Initialize the cached last
sequence numbers for received packets to an invalid value instead.

From Christian Ehrhardt
ok gerhard@ stsp@


# 1.155 27-Oct-2018 phessler

pass around the ess and ni structures we plan to use directly, instead
of rediscovering them (possibly badly).

OK stsp@


# 1.154 27-Oct-2018 phessler

clean up accounting of the AUTO_JOIN flag by making sure it is set or cleared
based on the state of the joinlist

OK stsp@


# 1.153 27-Oct-2018 phessler

don't join to a network where we expect cleartext, and the AP is using crypto

OK stsp@


Revision tags: OPENBSD_6_4_BASE
# 1.152 18-Sep-2018 mestre

fix memory leak in ieee80211_end_scan()

OK phessler@ jsg@


# 1.151 17-Sep-2018 jsg

fix memory leaks in ieee80211_add_ess()
ok stsp@ phessler@


# 1.150 11-Sep-2018 phessler

use the format string for signed ints, for signed ints

reminded by stsp@


# 1.149 11-Sep-2018 phessler

With the interface debug flag enabled, print a "score" for each AP we
consider during auto-join. This can help users determine why a specific
network was chosen.

OK stsp@


# 1.148 10-Sep-2018 phessler

fix typo in the length of the essid we want to switch to

found with and OK stsp@


# 1.147 10-Sep-2018 phessler

extract clearing WEP/WPA in ess into helper functions


# 1.146 10-Sep-2018 phessler

give set_ess a len variable, so we can correctly match the essid we want
to switch to.

pointed out by stsp@


# 1.145 09-Sep-2018 phessler

convert the things we save in 'join' into a single ioctl. mixing related
settings over multiple calls was risky and racy. Pass essid, wpa, and wep
parameters in a single ioctl and process it atomically.

no change for 'nwid' users

OK stsp@ benno@


# 1.144 06-Sep-2018 jsg

fix whitespace


# 1.143 01-Sep-2018 stsp

Make 'ifconfig nwid' override 'ifconfig join'.

There was no way to override a decision made by join's network
selection algorithm (apart from disabling the feature by clearing
the join list). Automatic selection is based on heuristics which
cannot always guess correctly so we need to provide an override.

One specific problem was that if 'nwid foo' and 'nwid bar' were
both visible in the scan and only 'nwid foo' was a member of the
join list, then there was no way at all to connect to 'nwid bar'.
The wireless stack would keep selecting 'nwid foo' instead.

'ifconfig iwm0 nwid bar' command will now disable automatic
network selection and force the use of ESSID 'bar'.
Any of these commands will re-enable automatic network selection:
ifconfig iwm0 -nwid
ifconfig iwm0 nwid ''
ifconfig iwm0 join some-network-id

ok phessler@ deraadt@


# 1.142 15-Aug-2018 stsp

Update AP selection heuristics for auto-join.

We now prefer stronger crypto over weaker crypto over none, prefer 5 GHz
band with reasonable RSSI, and use RSSI as a tie-breaker with a slight
advantage for 5GHz. Candidate APs are now ranked by a score which is
calculated based on these attributes.

There is likely room for improvements to make these heuristics
work well across many different environments, but it's a start.

ok phessler@


# 1.141 13-Aug-2018 stsp

Add support for band-steering access points to net80211.

Some access points have a feature called "band steering" where they
will try to push clients from 2 GHz channels to 5 GHz channels.
If a client sends probe-requests on both 2 GHz and 5GHz channels, and
then attempts to authenticate on a 2 GHz channel, such APs will deny
authentication and hope that the client will come back on a 5 GHz channel.

So if we fail to AUTH for any reason, and if there is a different
AP with the same ESSID that we haven't tried yet, try that AP next.
Keep trying until no APs are left, and only then continue scanning.

APs with support for this feature were provided by Mischa Peters.

ok phessler@ mpi@


# 1.140 11-Aug-2018 stsp

Add comment explaining why we read basic MCS set only from beacon/probereq.
requested by mpi@


# 1.139 07-Aug-2018 stsp

Ignore basic MCS set information found in association responses.

Some APs (Aruba 105) send a bogus basic MCS set in assoc responses
which prevents us from enabling 11n support with those APs, while
these APs still behave as if we were an 11n client which renders
the association unusable.

The basic MCS set is already provided in beacons anyway, and the
802.11 2012 standard says the basic MCS set is reserved in frames
other than beacons (see Table 8-130).

ok mpi@


# 1.138 06-Aug-2018 stsp

Refactor ieee80211_add_ess():

Drop ieee80211_add_ess's nwid parameter. Read nwid and length directly
from the ic to make it more obvious where this function is reading from.

nwids are binary data with an explicit length, so treat them as such
instead of treating them like strings.

ok florian phessler


# 1.137 06-Aug-2018 florian

Do not set nwid over and over again. We just found the ess by comparing
the nwid. It will not have changed in the meantime.
OK stsp


# 1.136 03-Aug-2018 phessler

revert 1.133 and part of 1.131
the stack doesn't always fill in the parameters correctly

reported by many


# 1.135 30-Jul-2018 stsp

Don't ask drivers to join a wifi network before an AP has been chosen.
Should fix a panic with bwfm(4) reported by mlarkin@
ok phessler@


# 1.134 19-Jul-2018 florian

ieee80211_ess_is_better() returns 0 or 1, comparing > 1 is always
false so we always selected the first wifi available, not the best
one.

While here shuffle some deck chairs to make it clearer that anything is
better than nothing.

tweak & OK phessler


# 1.133 16-Jul-2018 phessler

the AP sends their crypto parameters as a mask, so let us still select it
in case we want WPA2 and they have WPA1 still enabled


# 1.132 16-Jul-2018 phessler

don't save or use auto-join when the card is not in station (aka client) mode

OK stsp@


# 1.131 13-Jul-2018 phessler

Some more checks before auto-join switches networks.

Make sure all of the crypto options the AP announces matches what we
would configure. While here, don't switch if the user has specified
a specific BSSID, and the new AP does not match.

OK stsp@


# 1.130 11-Jul-2018 phessler

Introduce 'auto-join' to the wifi 802.11 stack.

This allows a system to remember which ESSIDs it wants to connect to, any
relevant security configuration, and switch to it when the network we are
currently connected to is no longer available.

Works when connecting and switching between WPA2/WPA1/WEP/clear encryptions.

example hostname.if:
join home wpakey password
join work wpakey mekmitasdigoat
join open-lounge
join cafe wpakey cafe2018
join "wepnetwork" nwkey "12345"
dhcp
inet6 autoconf
up

OK stsp@ reyk@
and enthusiasm from every hackroom I've been in for the last 3 years


# 1.129 28-Apr-2018 stsp

When starting a background scan, free the nodes table to ensure we
get an up-to-date view of APs around us. In particular, we need to
kick out the AP we are associated to. Otherwise, our current AP might
stay cached if it is turned off while we are scanning, and we could
end up picking a now non-existent but "good looking" AP over and over.

found with and ok phessler@


# 1.128 27-Apr-2018 stsp

Fix the scan loop: We were only looking for an AP once and stopped
scanning if none was found.
Accidentally broken in recent ifconfig scan changes by pirofti and me.
ok pirofti


# 1.127 26-Apr-2018 pirofti

net80211: stub SIOCS80211SCAN, make ifconfig scan instant.

The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stsp@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.

The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.

In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.

The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...

Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.

Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).

Tested by mpi@, landry@, florian@, thanks!
OK mpi@.


Revision tags: OPENBSD_6_3_BASE
# 1.126 06-Feb-2018 phessler

convert the test if a node supports HT (aka, 11n) into an inline function,
instead of testing some un-obvious bitfield

OK stsp@


# 1.125 12-Dec-2017 stsp

Don't dereference IEEE80211_CHAN_ANYC pointer in ieee80211_node_checkrssi().

Problem reported by Gregoire Jadi on bugs@


# 1.124 12-Dec-2017 phessler

Allow interfaces that aren't SCANNALLBAND drivers to benefit from the
strongest received signal.

OK stsp@


# 1.123 12-Dec-2017 jcs

Fix the behavior of preferring weaker-but-still-good 5GHz APs over
2GHz APs because the 5GHz band is generally less saturated.

The previous implementation was dependent upon the order of walking
APs.

ok stsp


# 1.122 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


Revision tags: OPENBSD_6_2_BASE
# 1.121 05-Sep-2017 stsp

When starting a new scan always set the mode to AUTO if the driver scans
all bands at once. Fixes a problem where e.g. 5GHz APs were filtered out
if we were previously associated to an 11g-only AP.
ok mpi@ phessler@


# 1.120 17-Aug-2017 stsp

Add an entry to dmesg if pairwise WPA keys arrive unexpectedly or if WPA
group keys are being reused. OpenBSD wireless clients will now leave a
trail of such events in their message log.

There has been increased public scrutiny of WPA's security recently, so
I am curious to see if anyone is attempting replay attacks in the wild.

ok deraadt


# 1.119 04-Aug-2017 stsp

Compile a debug printf in ieee80211_match_bss() by default, previously
guarded by the IEEE80211_DEBUG preprocessor flag. This shows one line
per detected AP after a scan, and indicates which APs are considered
candidates for association.
Shorten the output a bit to fit into 80 columns more likely.
ok sthen@


# 1.118 19-Jul-2017 stsp

Improve the heuristic which selects 5GHz APs over 2GHz APs.

The previous code wasn't quite right: it didn't account for the fact that
some drivers don't set ic_max_rssi, and it compared 5GHz APs to a threshold
relative to the max RSSI, rather than comparing RSSI on 5GHz relative to
RSSI on 2GHz.

This heuristic is only used by SCANNALLBAND drivers: iwn(4), iwm(4), wpi(4)

In the future the AP selection heuristic should be made more intelligent,
e.g. it should take BSS load information in beacons into account.
Another open problem is inconsistent representation of RSSI measurement
values throughout our drivers and stack. Help is welcome!

For now, this hopefully improves AP selection at busy airports.

ok sthen@ deraadt@


# 1.117 04-Jun-2017 tb

Add sizes for free for the RSN IEs. Rewrite ieee80211_save_ie() slightly
to make it more readable.

help, many explanations and ok stsp


# 1.116 03-Jun-2017 tb

Add a few sizes to free().

Input, help & ok stsp


Revision tags: OPENBSD_6_1_BASE
# 1.115 04-Mar-2017 stsp

branches: 1.115.4;
In 11n hostap mode, dynamically adjust HT protection settings based on
the presence of non-HT nodes in the node cache.
OpenBSD 11n APs will now disable HT protection if it is not necessary.
ok mpi@


# 1.114 03-Feb-2017 stsp

Fix 11b clients sending bogus ratesets in association requests. The common
rateset with the AP is calculated only after the association response was
received, which is too late. Fix rates when an AP is selected after a scan.
ok mpi@ tb@


# 1.113 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.112 16-Jan-2017 stsp

Reset block ack state and cancel related timeouts when a HT node disassociates.
The existing code (from damien@) already took care of freeing related buffers
but because block ack state was not reset we were still trying to use these
buffers if the node sent another A-MPDU. This problem only affects 11n hostap.
Fixes kernel crash reported by Timo Myyra on bugs@


# 1.111 09-Jan-2017 stsp

When a HT node leaves or reassociates as a non-HT node,
clear HT capabilities stored in its node cache object.

A node may switch from 11n mode to 11a/b/g mode.
If we don't clear HT capabilities from the cache the node will
be mistaken as 11n-capable after reassociation.

ok phessler@ mpi@


# 1.110 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.109 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.108 09-Jan-2017 stsp

The point of ieee80211_node_leave() is to place the node in COLLECT state.
Return early and do nothing if the node is already in COLLECT state upon
entry to this function.


# 1.107 09-Jan-2017 stsp

When acting as hostap, negotiate HT before calling the driver's ic_newassoc()
function, not afterwards. Drivers now know whether a joining node supports HT
which helps with setting up state such as which Tx rate to use.


# 1.106 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@
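
The countermeasure timing in the 1.106 message above (disable the AP for 60 seconds, plus a random extra so the total is up to 120 seconds, instead of leaving it disabled until reboot) can be modelled like this. This is an added illustration, not net80211's implementation: the rule that a second MIC failure within 60 seconds starts countermeasures and that TKIP is then refused for at least 60 seconds is the 802.11 TKIP countermeasures procedure, the extra random period follows the commit message, and the clock and random value are passed in as parameters so the model runs deterministically.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* TKIP countermeasures model for an AP (added example, not net80211's code). */
#define MIC_FAILURE_WINDOW_S   60  /* second MIC failure within this window triggers countermeasures */
#define COUNTERMEASURE_BASE_S  60  /* minimum period during which TKIP is refused */
#define COUNTERMEASURE_EXTRA_S 60  /* random extra on top, 0..60, total 60..120 s */

struct tkip_cm {
	uint64_t last_failure;   /* time of the previous MIC failure; 0 = none recorded */
	uint64_t disabled_until; /* TKIP refused until this time; 0 = not in countermeasures */
	unsigned deauth_rounds;  /* how often all TKIP STAs were deauthenticated */
};

void tkip_cm_init(struct tkip_cm *cm)
{
	memset(cm, 0, sizeof(*cm));
}

/* Whether the AP accepts TKIP (re)associations at `now`; expires the timer as a side effect. */
bool tkip_cm_allowed(struct tkip_cm *cm, uint64_t now)
{
	if (cm->disabled_until != 0 && now >= cm->disabled_until)
		cm->disabled_until = 0;  /* period over: re-enable instead of staying off until reboot */
	return cm->disabled_until == 0;
}

/*
 * Record a MIC failure at time `now` (seconds). `rnd` is a random value
 * (in a kernel this would come from arc4random()). Returns true when
 * countermeasures are active after the call, i.e. the caller should
 * deauthenticate all TKIP STAs and refuse new TKIP associations.
 */
bool tkip_cm_mic_failure(struct tkip_cm *cm, uint64_t now, uint32_t rnd)
{
	if (!tkip_cm_allowed(cm, now))
		return true;  /* already in countermeasures */

	if (cm->last_failure != 0 && now - cm->last_failure < MIC_FAILURE_WINDOW_S) {
		/* Two failures inside the window: start countermeasures. */
		cm->deauth_rounds++;
		cm->disabled_until = now + COUNTERMEASURE_BASE_S +
		    (rnd % (COUNTERMEASURE_EXTRA_S + 1));
		cm->last_failure = 0;
		return true;
	}
	cm->last_failure = now;  /* first failure: arm the window */
	return false;
}

/* Two failures 30 s apart with rnd = 17: TKIP refused until 130 + 60 + 17 = 207. */
uint64_t scenario_two_failures(void)
{
	struct tkip_cm cm;

	tkip_cm_init(&cm);
	tkip_cm_mic_failure(&cm, 100, 17);
	tkip_cm_mic_failure(&cm, 130, 17);
	return cm.disabled_until;
}

/* Failures 60 s apart are outside the window; returns 1 when TKIP stays allowed. */
int scenario_failures_outside_window(void)
{
	struct tkip_cm cm;

	tkip_cm_init(&cm);
	tkip_cm_mic_failure(&cm, 100, 0);
	return !tkip_cm_mic_failure(&cm, 160, 0) && tkip_cm_allowed(&cm, 161);
}

/* Countermeasures expire: returns 1 when TKIP is refused at 206 and allowed again at 207. */
int scenario_expires(void)
{
	struct tkip_cm cm;

	tkip_cm_init(&cm);
	tkip_cm_mic_failure(&cm, 100, 17);
	tkip_cm_mic_failure(&cm, 130, 17);
	return !tkip_cm_allowed(&cm, 206) && tkip_cm_allowed(&cm, 207) &&
	    cm.deauth_rounds == 1;
}
```

The randomised extra period is the one deviation from the bare standard; it costs nothing and makes the exact moment the AP comes back slightly less predictable to whoever is injecting the forged frames that caused the MIC failures.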


# 1.105 15-Sep-2016 dlg

move from RB macros to the RBT functions.

shaves about 5k off an amd64 GENERIC.MP kernel


# 1.104 17-Aug-2016 stsp

If a wireless device or driver scans all bands at once give 5GHz APs
a slight priority in cases where good matches exist in either band.
ok sthen@


Revision tags: OPENBSD_6_0_BASE
# 1.103 21-May-2016 stsp

branches: 1.103.2;
Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


# 1.102 18-May-2016 stsp

In hostap mode, don't re-use association IDs (AIDs) of nodes which are
still lingering in the node cache. This could cause an AID to be assigned
twice, once to a newly associated node and once to a different node in
COLLECT cache state (i.e. marked for future eviction from the node cache).

Drivers (e.g. rt2860) may use AIDs to keep track of nodes in firmware
tables and get confused when AIDs aren't unique across the node cache.
The symptom observed with rt2860 was nodes stuck at 1 Mbps Tx rate since
the duplicate AID made the driver perform Tx rate (AMRR) accounting on
the wrong node object.

To find out if a node is associated we now check the node's cache state,
rather than comparing the node's AID against zero. An AID is assigned when
a node associates and it lasts until the node is eventually purged from the
node cache (previously, the AID was made available for re-use when the node
was placed in COLLECT state). There is no need to be stingy with AIDs since
the number of possible AIDs exceeds the maximum number of nodes in the cache.

Problem found by Nathanael Rensen.
Fix written by Nathanael and myself. Tested by Nathanael.
Committing now to get this change tested across as many drivers as possible.
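
The AID accounting rule described in the 1.102 message above (an AID stays reserved until the node is purged from the cache, and "associated" is decided by cache state rather than by AID != 0) can be modelled as follows. This is an added illustration, not net80211's code: the node structure, state names, bitmap allocator and scenario functions are simplifications assumed for the example (net80211 keeps nodes in an RB tree and uses ieee80211_node_leave() to move them to COLLECT state).

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Simplified hostap node cache model (assumption, not net80211's layout). */
#define MAX_NODES 100   /* the commit message: never more than ~100 cached nodes */
#define MAX_AID   2007  /* 802.11 association IDs range from 1 to 2007 */

enum node_state {
	STATE_FREE = 0,   /* slot unused (model-only) */
	STATE_CACHE,      /* seen, never interacted */
	STATE_AUTH,       /* authenticated */
	STATE_ASSOC,      /* associated */
	STATE_COLLECT     /* left the BSS, lingering until purged */
};

struct node {
	enum node_state state;
	uint16_t aid;     /* 0 = never assigned */
};

struct node_cache {
	struct node nodes[MAX_NODES];
	uint8_t aid_bitmap[MAX_AID / 8 + 1];  /* bit set = AID held by a cached node */
};

static bool aid_in_use(const struct node_cache *nc, uint16_t aid)
{
	return (nc->aid_bitmap[aid / 8] >> (aid % 8)) & 1u;
}

static void aid_mark(struct node_cache *nc, uint16_t aid, bool used)
{
	if (used)
		nc->aid_bitmap[aid / 8] |= (uint8_t)(1u << (aid % 8));
	else
		nc->aid_bitmap[aid / 8] &= (uint8_t)~(1u << (aid % 8));
}

/* Pre-1.102 style test: "associated" meant aid != 0, which misfires on COLLECT nodes. */
bool node_is_associated_by_aid(const struct node *ni)
{
	return ni->aid != 0;
}

/* Post-1.102 style test: association is a property of the cache state. */
bool node_is_associated(const struct node *ni)
{
	return ni->state == STATE_ASSOC;
}

/* Associate: take the lowest AID not held by ANY cached node, COLLECT ones included. */
int node_associate(struct node_cache *nc, struct node *ni)
{
	if (ni->aid == 0) {  /* a reassociating node keeps the AID it already holds */
		uint16_t aid;
		for (aid = 1; aid <= MAX_AID; aid++) {
			if (!aid_in_use(nc, aid)) {
				aid_mark(nc, aid, true);
				ni->aid = aid;
				break;
			}
		}
		if (ni->aid == 0)
			return -1;  /* cannot happen while MAX_NODES < MAX_AID */
	}
	ni->state = STATE_ASSOC;
	return ni->aid;
}

/* Node leaves the BSS: mark it for eviction but keep its AID reserved. */
void node_leave(struct node *ni)
{
	ni->state = STATE_COLLECT;
}

/* Purge from the cache: only now does the AID become reusable. */
void node_purge(struct node_cache *nc, struct node *ni)
{
	if (ni->aid != 0)
		aid_mark(nc, ni->aid, false);
	ni->aid = 0;
	ni->state = STATE_FREE;
}

static struct node_cache cache;  /* one cache shared by the scenarios below */

/* A associates, leaves (COLLECT), B associates. Returns B's AID (2, not A's 1). */
int scenario_aid_while_lingering(void)
{
	memset(&cache, 0, sizeof(cache));
	node_associate(&cache, &cache.nodes[0]);  /* A gets AID 1 */
	node_leave(&cache.nodes[0]);              /* A lingers, AID 1 stays reserved */
	return node_associate(&cache, &cache.nodes[1]);
}

/* Same setup; 1 when the aid != 0 check would count lingering A as associated but
 * the state-based check does not, while B is associated under both. */
int scenario_old_check_miscounts(void)
{
	scenario_aid_while_lingering();
	return node_is_associated_by_aid(&cache.nodes[0]) &&
	    !node_is_associated(&cache.nodes[0]) && node_is_associated(&cache.nodes[1]);
}

/* Same setup, then A is purged; returns the AID handed to a third node C (1 again). */
int scenario_aid_reused_after_purge(void)
{
	scenario_aid_while_lingering();
	node_purge(&cache, &cache.nodes[0]);
	return node_associate(&cache, &cache.nodes[2]);
}
```

The bitmap is sized by the AID space rather than by the node count, which is why there is no pressure to recycle AIDs early: as the message says, the number of possible AIDs exceeds the cache size, so a driver keying firmware tables by AID can rely on uniqueness across the whole cache.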


# 1.101 12-Apr-2016 mpi

Call if_enqueue() and if_start() instead of dereferencing the ifp
pointers.

These functions have been introduced to abstract some of the MP-
safeness^Wmadness and should be use everywhere.

Prodded by a comment from jsg@.

ok mikeb@, stsp@


# 1.100 03-Mar-2016 gerhard

Restore assignment of ic_curmode that was accidentally removed when
moving the ERP code to post-assoc phase. Fixes iwi(4) fatal firmware
errors.

ok stsp@, sobrado@


Revision tags: OPENBSD_5_9_BASE
# 1.99 25-Jan-2016 stsp

branches: 1.99.2;
Honour ERP protection on 2 GHz channels in 11n mode, as done for 11g.
ok millert@


# 1.98 25-Jan-2016 stsp

Don't try to interpret htprot data if the last beacon didn't contain such data.
ok mpi@ millert@


# 1.97 07-Jan-2016 stsp

Make the A-MPDU reordering buffer more resilient against APs which drop
some subframes or let the sequence number jump up by more than 1 (hard
to tell which it is). We decrease the BA inactivity timeout for quicker
recovery from stalled BA sessions, and add a new timeout which keeps track
of gaps in the subframe sequence number space due to dropped frames.
Gaps expire after 500 msec, the same value FreeBSD uses for their
implementation of this workaround. And Linux uses this trick, too.

This should fix network stalls some people have been seeing in 11n mode.

ok deraadt@


# 1.96 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.95 04-Jan-2016 stsp

While configuring ERP we need to know if we're in 11a or 11g mode so only
configure ERP once we are sure about our operation mode against the AP.
ok sthen jasper kettenis deraadt mpi


# 1.94 18-Dec-2015 sthen

unnoccupied->unoccupied


# 1.93 12-Dec-2015 stsp

Finish support for receiving 11n A-MPDUs.

The initial implementation was added by damien@ years ago.
Summary of the changes made in this commit:
- In ieee80211_input(), process A-MPDUs before duplicate detection.
- Don't forget to set ba->ba_ni in ieee80211_recv_addba_req()
so we don't crash in ieee80211_rx_ba_timeout().
- In ieee80211_recv_addba_req(), tweak the logic to deny BlockAck
requests if the driver has no callback for doing so.
- Implement ieee80211_ba_del() which cleans up BlockAck state.
- Increase the minimum and maximum lifetime for BlockAck agreements.

ok mpi@


# 1.92 24-Nov-2015 mpi

No need to include <net/if_arp.h>

This header is only needed because <netinet/if_ether.h> declares a
structure that needs it. But it turns out that <net/if.h> already
includes it as workaround.

A proper solution would be to stop declaring "struct ether_arp"
there. But no driver should need this header.


# 1.91 15-Nov-2015 stsp

Parse 11n HT capabilities and operational info from association response
frames, negotiate HT with the AP, and move the interface into or out of
11n mode accordingly. If running as AP negotiate HT with nodes joining the BSS.

ok deraadt mpi kettenis guenther


# 1.90 15-Nov-2015 stsp

Extend struct ieee80211_node with fields for 11n STA HT capabilities and
HT operational information sent by 11n APs. These fields reflect the structure
of elements in management frames so that IEEE80211_HTCAP* and IEEE80211_HTOP*
macros designed to operate on frame elements can be used directly to read
or set the fields.

Populate nodes with HT information received in probe responses, probe
requests, and association requests.

ok deraadt mpi phessler kettenis guenther


# 1.89 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


Revision tags: OPENBSD_5_8_BASE
# 1.88 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.87 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.86 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.85 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.84 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.83 12-Sep-2014 sthen

Remove cached 802.11 nodes in IEEE80211_STA_CACHE state (these are nodes
which have been seen but which haven't otherwise interacted with us), fixing
a problem where old cached nodes are seen when doing a scan.
From Marcin Piotr Pawlowski, feedback stsp@ ok kspillner@ dcoppa@


# 1.82 08-Aug-2014 jasper

use nitems() instead of various local constructs

ok stsp@


Revision tags: OPENBSD_5_6_BASE
# 1.81 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


Revision tags: OPENBSD_5_5_BASE
# 1.80 01-Dec-2013 stsp

Reset txrate array index after changing a node's rate list.
Should prevent "bogus xmit rate %d setup" panics, which I ran into again
in IBSS mode.
ok kettenis


# 1.79 21-Nov-2013 mpi

Remove unneeded include.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.78 24-Mar-2013 claudio

Make ieee80211_set_tim() available from outside of ieee80211_node.c
so drivers like acx(4) can use that function directly instead of
reimplementing the function again. Requested by kettenis@ a long time ago.


Revision tags: OPENBSD_5_3_BASE
# 1.77 07-Nov-2012 stsp

Fix DPRINTF() format string treating n->ni_refcnt, which is unsigned, as signed.
diff from dhill; ok kettenis reyk


# 1.76 10-Oct-2012 kettenis

Clear the powersave flag and purge queued packets when a node leaves the AP
(either by disassociating or by timeout). Fixes (most) remaining issues with
power saving.

From Nathanael Rensen.

ok claudio@, krw@, sthen@


# 1.75 05-Oct-2012 camield

Point an interface directly to its bridgeport configuration, instead
of to the bridge itself. This is ok, since an interface can only be part
of one bridge, and the parent bridge is easy to find from the bridgeport.

This way we can get rid of a lot of list walks, improving performance
and shortening the code.

ok henning stsp sthen reyk


# 1.74 20-Sep-2012 stsp

Nuke M_80211_NODE #define which mapped to M_DEVBUF and use M_DEVBUF directly.
ok henning


# 1.73 25-Aug-2012 kettenis

Set up ni_savedq for the initial BSS node such that it can actually be used
to store multicast frames when one of the associated stations is in power
saving mode.

ok stsp@


# 1.72 17-Aug-2012 stsp

Fix possible panic while switching from STA mode into hostap/ibss modes.
ieee80211_create_ibss() resets the set of supported rates but failed
to update the index into the rate set array accordingly. If the rate
configured during STA operation didn't belong to the newly configured
rate set the system ran into an assertion ("bogus xmit rate %u setup")
while trying to create the IBSS.
ok fgsch@


Revision tags: OPENBSD_5_2_BASE
# 1.71 18-Jul-2012 stsp

Print messages about nodes purged from the node cache if hostap/ibss modes are
compiled in and the interface is in debug mode. ok sthen


# 1.70 16-Jul-2012 stsp

Move increment of ic_nnodes closer to where the node is actually inserted
into the cache. Make sure we're at IPL_NET while incrementing/decrementing
ic_nnodes. Add a debug message that warns about possible node leaks.
All of this affects hostap mode only.


# 1.69 13-Jul-2012 stsp

Tweak node cache eviction strategy when the cache is full: kick off new nodes
in AUTH state that weren't active during the cache wait interval rather than
keeping them for the entire cache timeout interval. Fixes association failures
in noisy RF environments. Tested by edd and myself with a slow soekris
suffering from RF noise with about 50 interrupts per second on ral0.
ok deraadt


Revision tags: OPENBSD_5_1_BASE
# 1.68 25-Jan-2012 stsp

There is no need to explicitly skip ic_bss when iterating over cached nodes.
The ic_bss is never put into the RB tree.


# 1.67 25-Jan-2012 stsp

Clean inactive authenticated nodes during cache timeout as well.
There is no need to keep nodes cached which never associated and were
inactive within the last 5 minutes or more. Keeps the node cache pretty
clean in my environment with typical city-center wlan noise.


# 1.66 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@


# 1.65 21-Jan-2012 stsp

Hold interrupts blocked while comparing a cached node's refcount to zero
and freeing the node. Just in case an interrupt happens to ref the node after
the refcount was checked but before the node is freed.
Tested by several as part of a larger diff.


# 1.64 18-Jan-2012 stsp

Make it possible to free cached nodes which never associated (e.g. nodes
only scanning for networks). These were never put into COLLECT state and
were thus never evicted from the node cache in hostap mode.
ok jsg@


Revision tags: OPENBSD_5_0_BASE
# 1.63 28-Mar-2011 kettenis

Clean nodes until the number of cached nodes is smaller than the maximum number
of nodes, otherwise we'll never actually clean any nodes. Fixes issues with
clients failing to attach because the node cache is completely filled.

ok damien@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.62 07-Aug-2010 krw

No "\n" needed at the end of panic() strings.

Bogus chunks pointed out by matthew@ and miod@. No cookies for
marco@ and jasper@.

ok deraadt@ miod@ matthew@ jasper@ marco@


# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


# 1.60 19-Jun-2010 damien

In ieee80211_node_leave(), clear the associd after calling
ieee80211_node_leave_rsn() since ieee80211_node_leave_rsn()
calls ic_delete_key() and drivers like ral(4) RT2860 need
a valid associd in their delete_key callbacks.
This affects HostAP mode only.

from Nathanael Rensen.

remove a useless (nested) #ifndef IEEE80211_STA_ONLY while i'm here


# 1.59 14-Jun-2010 damien

fix my previous commit, i forgot BIP, so instead of enumerating
what is not supported as a group cipher, enumerate what is supported.


# 1.58 14-Jun-2010 damien

do not try to associate with an AP using an unsupported group cipher,
otherwise we will panic in ieee80211_add_rsn_body().

this may be the cause of a panic seen by reyk@ though i'm not 100% sure.


# 1.57 28-Mar-2010 krw

Four uses of uninitialized variables found by clang via jsg@. ar5416, ar9287
and athn are only theoretically interesting. ieee80211_node fixes a real
bug in occupied channel detection.

ok damien@


Revision tags: OPENBSD_4_7_BASE
# 1.56 17-Feb-2010 damien

Do not always create a new node when a beacon or a probe response
is received. The creation of a new node is already handled in
ieee80211_recv_probe_resp() when necessary.
This avoids creating empty nodes with wrong channels when beacons
are received on the wrong channel (overlapping channels).
Those empty nodes may also prevent the real node from being
discovered because of ieee80211_find_node_for_beacon() filtering.

This should prevent entries of the form:
nwid "" chan 3 bssid 00:01:02:03:04:05 0dB 54M
in "ifconfig if0 scan" output, like reported by Rivo Nurges.


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.55 29-Jan-2009 damien

fix a panic that occurs when IEEE80211_STA_ONLY is defined (SMALL_KERNEL).

noticed by ray@, more investigation from sthen@
fix tested by sthen@


# 1.54 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.53 28-Jan-2009 damien

In ieee80211_find_node(), roll our own RB_FIND() based on the key (macaddr)
instead of resorting to horrid hacks/casts.
Restore the ieee80211_node structure back to its original state.


# 1.52 27-Jan-2009 damien

unbreak SMALL_KERNEL builds by adding missing #ifndef IEEE80211_STA_ONLY

pointed out by krw@


# 1.51 26-Jan-2009 damien

move the ni_macaddr field to the top of the ieee80211_node structure.
this way we can avoid putting a full node structure (which is huge)
on the stack in ieee80211_find_node().
this is a bit tricky but the RB_FIND macro wants an "elem" structure,
not a field of "elem".


# 1.50 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.49 14-Dec-2008 damien

Add an ieee80211_notify_dtim() function that drivers should call after
every DTIM in HostAP mode.
Flushes all group addressed MSDUs buffered at the AP for power management.


# 1.48 23-Oct-2008 mk

Prevent a crash in ieee80211_setkeys() when unplugging an interface in
hostap mode by canceling the group rekey timeout in ieee80211_node_detach().

ok damien


# 1.47 15-Oct-2008 blambert

Second pass of simple timeout_add -> timeout_add_sec conversions
This should take care of the simpler ones (i.e., timeout values of
integer multiples of hz).

ok krw@, art@


# 1.46 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.45 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.44 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.43 12-Aug-2008 damien

new SHA-256 based AKMPs.


# 1.42 12-Aug-2008 damien

add/process group integrity cipher suite in RSN IEs.
add support for MFP negotiation during association.


# 1.41 12-Aug-2008 damien

the only integrity group cipher currently supported is AES-128-CMAC.


# 1.40 12-Aug-2008 damien

generate a random IGTK in HostAP mode if we're MFP-capable.


# 1.39 12-Aug-2008 damien

get rid of the map_ptk()/map_gtk() functions, just inline them
which makes things easier to track.


Revision tags: OPENBSD_4_4_BASE
# 1.38 02-Aug-2008 damien

Drop frames that are received unencrypted when WEP is on or when
WPA is on and RX protection for TA is on.
Keep track of the TX/RX protection for each node when WPA is on.

tested by djm@ (ral+wpa), ckuethe@ (ath-noenc) and krw@ (wpi<->ral+wpa).
hints from bluhm@
has been in snaps for a few days.

pointed out by bluhm@ something like 1 year ago but we did not have
the right infrastructure to fix it properly at that time.

ok deraadt@


# 1.37 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.36 27-Jul-2008 damien

s/IEEE80211_DPRINTF/DPRINTF/
automatically prepend __func__ to output.

deobfuscates debug messages a bit.
no binary change unless compiled with IEEE80211_DEBUG.


# 1.35 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.34 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


# 1.33 21-Apr-2008 damien

move ieee80211_ibss_merge() from ieee80211_input.c to ieee80211_node.c


# 1.32 21-Apr-2008 damien

move ieee80211_auth_open() to ieee80211_proto.c
move ieee80211_setup_rates() to ieee80211_node.c
move some prototypes from ieee80211_proto.h to ieee80211_crypto.h


# 1.31 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.30 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.29 07-Sep-2007 damien

use new malloc M_ZERO flag + replace MALLOC with malloc


Revision tags: OPENBSD_4_2_BASE
# 1.28 06-Jul-2007 damien

remove remaining bits for pre-RSNA shared authmode support.
it has been #if 0'd since 3.9 and we have never supported this mode (no
ifconfig option etc...).


# 1.27 06-Jul-2007 damien

initialize an uninitialized variable.


# 1.26 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.25 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.24 16-Jun-2007 damien

constify


# 1.23 16-Jun-2007 damien

don't mix u_int{8,16,32}_t and uint{8,16,32}_t
use u_int{8,16,32}_t everywhere.


# 1.22 16-Jun-2007 damien

de-static

ok jsg@


# 1.21 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.20 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


# 1.19 10-Apr-2007 miod

``it's'' -> ``its'' when the grammar gods require this change.


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 13-Nov-2006 damien

fix a possible NULL deref.


Revision tags: OPENBSD_4_0_BASE
# 1.16 19-Jun-2006 reyk

unbreak the code if compiled with IEEE80211_DEBUG by using the right
node attribute.

ok damien@, figured out by claudio@


# 1.15 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.14 19-Feb-2006 damien

Fix a comment in ieee80211_next_scan().


# 1.13 09-Oct-2005 reyk

if the wireless hostap interface belongs to a bridge, learn the node's
address dynamically on this interface after successful association.
this could speed up wireless roaming to openbsd accesspoints.

ok jason@, jsg@ can't see anything objectionable


# 1.12 07-Oct-2005 reyk

minor knf


# 1.11 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.10 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.9 08-Sep-2005 jsg

Remove the last of the FreeBSD compatibility goop.
ok reyk@


# 1.8 08-Sep-2005 jsg

Remove FreeBSD if_printf compat function from net80211.
ok reyk@


# 1.7 08-Sep-2005 reyk

reset the scan state for each new mode

ok jsg@


# 1.6 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.5 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.4 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.3 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.2 02-Nov-2004 millert

Don't call memset() if MALLOC returns NULL; also fix the rcs ID.
From Patrick Latifi; OK reyk@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.172 27-Aug-2019 stsp

Keep ieee80211_node structures cached across scans, rather than
wiping the entire cache every time a scan is triggered.

This has benefits for userland programs trying to look at scan results,
and for drivers which don't get a full view from hardware on every scan.

Nodes will still be evicted from the cache in one of several ways:

Add a new way of timing out inactive nodes which don't send a beacon
within 10 scan iterations, for client mode only. This should get rid
of stale APs if we're scanning for some time in a changing environment.

If we fail to associate a few times, the corresponding node is removed.

If net80211 transitions back to INIT state (e.g. because of a
user-initiated configuration change) all nodes are removed.

When a background scan starts all nodes will be removed. This could be
revisited later but has been intentionally left as-is for now.

Tested by myself, jmc@, benno@, procter@ on iwm(4), athn(4) and ral(4).


# 1.171 26-Aug-2019 stsp

remove redundant assignment to ic_curmode

This assignment to ic_curmode is redundant because it already occurs
inside ieee80211_setmode(), and channel information in selbs and ni
is equivalent after node_copy().

ok mpi@ kevlo@


# 1.170 29-Jul-2019 stsp

Add support for 802.11n Tx aggregation to net80211 and the iwn(4) driver.

In particular, add Tx block ack session management to net80211, with
enough functionality to support Tx aggregation on devices which perform
A-MPDU subframe scheduling in firmware.
Make use of the iwn(4) firmware Tx scheduler to build A-MPDUs.

net80211's QoS support code is now enabled and used by Tx aggregation.

A-MSDU frames inside A-MPDUs have been tested and work in principle.
For now, this feature is disabled because unfair TCP connection sharing
was observed during testing, where bursts of TCP Ack frames for a single
tcpbench(1) connection arriving in A-MSDUs made other TCP connections stall.
Switch off support for A-MSDUs inside A-MPDUs on the Rx side as well.

Tested on iwn chipsets 1000, 4965, 5100, 5300, 2200, 6200, 6205, 6300
(committed version of tested diff has all debug printfs removed)
tests/ok benno kmos mlarkin kevlo


# 1.169 23-Jul-2019 stsp

In 11n hostap mode, properly disable HT protection when needed
by actually overwriting the relevant bits in ni_htop1.
ok tedu@ phessler@ kettenis@


# 1.168 10-Jun-2019 stsp

Revised version of 'ifconfig mode' command fix.

The 'mode' command is supposed to force a wireless interface into 11a/b/g/n
media mode. This stopped working some time ago, probably during my work on
background scanning. Problem spotted by mlarkin@ who noticed that interfaces
were using 11g mode while forced to 11b mode.

ok phessler, jmatthew (earlier version)
relentless testing by krw@


# 1.167 31-May-2019 stsp

Revert my "Repair the 'ifconfig mode' command" commit.

The "recursion in end_scan()" problem is apparently still present in
the committed version of the diff (reported by krw@).


# 1.166 29-May-2019 stsp

Repair the 'ifconfig mode' command.

The 'mode' command is supposed to force a wireless interface into 11a/b/g/n
media mode. This stopped working some time ago, probably during my work on
background scanning. Problem spotted by mlarkin@ who noticed that interfaces
were using 11g mode while forced to 11b mode.

ok phessler, jmatthew


# 1.165 11-May-2019 stsp

Show driver name on net80211 scan debug lines.
ok mpi@


# 1.164 28-Apr-2019 mpi

Removes the KERNEL_LOCK() from bridge(4)'s output fast-path.

This redefines the ifp <-> bridge relationship. No lock can be
currently used across the multiple contexts where the bridge has
tentacles to protect a pointer, use an interface index.

Tested by various, ok dlg@, visa@


Revision tags: OPENBSD_6_5_BASE
# 1.163 15-Mar-2019 phessler

fix autojoin for WEP network by actually saving the WEP auth key

discovered while attempting to autojoin WEP networks


# 1.162 01-Mar-2019 stsp

Improve handling of HT protection for 'mode 11n' hostap.

Consider the mere presence of HTCAP IEs as indicator of 11n support,
rather than checking advertised Rx MCS. Fixes some devices being
misclassified as 11a/g, causing HT protection to be enabled even
though it is not needed.

Use CTS-to-self frames for HT protection instead of RTS/CTS.

These changes make my athn(4) AR9280 hostap perform much better.

ok phessler@


# 1.161 23-Jan-2019 stsp

Move 802.11n rateset definitions out of MiRA and make them available to
net80211 and drivers in general. Add ratesets for 'short guard interval'
(SGI) rates, and add SGI support to MiRA. SGI is currently only used by
iwm(4), and of course internally by bwfm(4) firmware.
Ratesets for 11n 40 MHz channels and 11ac will come later.
ok mpi@ phessler@


# 1.160 18-Jan-2019 phessler

add a len field when we delete an essid from the joinlist. this will have
us properly match, instead of hoping we got lucky when selecting it.

OK stsp@


# 1.159 18-Jan-2019 phessler

let users automatically use join to connect to any open wifi network.
if a known network is visible, always prefer that instead.

requested by many, OK stsp@


# 1.158 25-Nov-2018 phessler

print more details about the join'd networks we have saved when a user runs
ifconfig if joinlist

OK stsp@


# 1.157 20-Nov-2018 phessler

fix whitespace in debugging function


# 1.156 20-Nov-2018 patrick

The first packet received from each AP in each QoS class would be
dropped as the sequence number matches the initial value of the
cached last sequence number (zero). On some APs (notably Android
WIFI hotspots) this hits the first packet of the WPA2 4-way
handshake. This causes connection delays and in some cases
connection to the AP fails completely. Initialize the cached last
sequence numbers for received packets to an invalid value instead.

From Christian Ehrhardt
ok gerhard@ stsp@


# 1.155 27-Oct-2018 phessler

pass around the ess and ni structures we plan to use directly, instead
of rediscovering them (possibly badly).

OK stsp@


# 1.154 27-Oct-2018 phessler

clean up accounting of the AUTO_JOIN flag by making sure it is set or cleared
based on the state of the joinlist

OK stsp@


# 1.153 27-Oct-2018 phessler

don't join to a network where we expect cleartext, and the AP is using crypto

OK stsp@


Revision tags: OPENBSD_6_4_BASE
# 1.152 18-Sep-2018 mestre

fix memory leak in ieee80211_end_scan()

OK phessler@ jsg@


# 1.151 17-Sep-2018 jsg

fix memory leaks in ieee80211_add_ess()
ok stsp@ phessler@


# 1.150 11-Sep-2018 phessler

use the format string for signed ints, for signed ints

reminded by stsp@


# 1.149 11-Sep-2018 phessler

With the interface debug flag enabled, print a "score" for each AP we
consider during auto-join. This can help users determine why a specific
network was chosen.

OK stsp@


# 1.148 10-Sep-2018 phessler

fix typo in the length of the essid we want to switch to

found with and OK stsp@


# 1.147 10-Sep-2018 phessler

extract clearing WEP/WPA in ess into helper functions


# 1.146 10-Sep-2018 phessler

give set_ess a len variable, so we can correctly match the essid we want
to switch to.

pointed out by stsp@


# 1.145 09-Sep-2018 phessler

convert the things we save in 'join' into a single ioctl. mixing related
settings over multiple calls was risky and racy. Pass essid, wpa, and wep
parameters in a single ioctl and process it atomically.

no change for 'nwid' users

OK stsp@ benno@


# 1.144 06-Sep-2018 jsg

fix whitespace


# 1.143 01-Sep-2018 stsp

Make 'ifconfig nwid' override 'ifconfig join'.

There was no way to override a decision made by join's network
selection algorithm (apart from disabling the feature by clearing
the join list). Automatic selection is based on heuristics which
cannot always guess correctly so we need to provide an override.

One specific problem was that if 'nwid foo' and 'nwid bar' were
both visible in the scan and only 'nwid foo' was a member of the
join list, then there was no way at all to connect to 'nwid bar'.
The wireless stack would keep selecting 'nwid foo' instead.

The 'ifconfig iwm0 nwid bar' command will now disable automatic
network selection and force the use of ESSID 'bar'.
Any of these commands will re-enable automatic network selection:
ifconfig iwm0 -nwid
ifconfig iwm0 nwid ''
ifconfig iwm0 join some-network-id

ok phessler@ deraadt@


# 1.142 15-Aug-2018 stsp

Update AP selection heuristics for auto-join.

We now prefer stronger crypto over weaker crypto over none, prefer 5 GHz
band with reasonable RSSI, and use RSSI as a tie-breaker with a slight
advantage for 5GHz. Candidate APs are now ranked by a score which is
calculated based on these attributes.

There is likely room for improvements to make these heuristics
work well across many different environments, but it's a start.

ok phessler@


# 1.141 13-Aug-2018 stsp

Add support for band-steering access points to net80211.

Some access points have a feature called "band steering" where they
will try to push clients from 2 GHz channels to 5 GHz channels.
If a client sends probe-requests on both 2 GHz and 5GHz channels, and
then attempts to authenticate on a 2 GHz channel, such APs will deny
authentication and hope that the client will come back on a 5 GHz channel.

So if we fail to AUTH for any reason, and if there is a different
AP with the same ESSID that we haven't tried yet, try that AP next.
Keep trying until no APs are left, and only then continue scanning.

APs with support for this feature were provided by Mischa Peters.

ok phessler@ mpi@


# 1.140 11-Aug-2018 stsp

Add comment explaining why we read basic MCS set only from beacon/probereq.
requested by mpi@


# 1.139 07-Aug-2018 stsp

Ignore basic MCS set information found in association responses.

Some APs (Aruba 105) send a bogus basic MCS set in assoc responses
which prevents us from enabling 11n support with those APs, while
these APs still behave as if we were an 11n client which renders
the association unusable.

The basic MCS set is already provided in beacons anyway, and the
802.11 2012 standard says the basic MCS set is reserved in frames
other than beacons (see Table 8-130).

ok mpi@


# 1.138 06-Aug-2018 stsp

Refactor ieee80211_add_ess():

Drop ieee80211_add_ess's nwid parameter. Read nwid and length directly
from the ic to make it more obvious where this function is reading from.

nwids are binary data with an explicit length, so treat them as such
instead of treating them like strings.

ok florian phessler


# 1.137 06-Aug-2018 florian

Do not set nwid over and over again. We just found the ess by comparing
the nwid. It will not have changed in the meantime.
OK stsp


# 1.136 03-Aug-2018 phessler

revert 1.133 and part of 1.131
the stack doesn't always fill in the parameters correctly

reported by many


# 1.135 30-Jul-2018 stsp

Don't ask drivers to join a wifi network before an AP has been chosen.
Should fix a panic with bwfm(4) reported by mlarkin@
ok phessler@


# 1.134 19-Jul-2018 florian

ieee80211_ess_is_better() returns 0 or 1, comparing > 1 is always
false so we always selected the first wifi available, not the best
one.

While here shuffle some deck chairs to make it clearer that anything is
better than nothing.

tweak & OK phessler


# 1.133 16-Jul-2018 phessler

the AP sends their crypto parameters as a mask, so let us still select it
in case we want WPA2 and they have WPA1 still enabled


# 1.132 16-Jul-2018 phessler

don't save or use auto-join when the card is not in station (aka client) mode

OK stsp@


# 1.131 13-Jul-2018 phessler

Some more checks before auto-join switches networks.

Make sure all of the crypto options the AP announces matches what we
would configure. While here, don't switch if the user has specified
a specific BSSID, and the new AP does not match.

OK stsp@


# 1.130 11-Jul-2018 phessler

Introduce 'auto-join' to the wifi 802.11 stack.

This allows a system to remember which ESSIDs it wants to connect to, any
relevant security configuration, and switch to it when the network we are
currently connected to is no longer available.

Works when connecting and switching between WPA2/WPA1/WEP/clear encryptions.

example hostname.if:
join home wpakey password
join work wpakey mekmitasdigoat
join open-lounge
join cafe wpakey cafe2018
join "wepnetwork" nwkey "12345"
dhcp
inet6 autoconf
up

OK stsp@ reyk@
and enthusiasm from every hackroom I've been in for the last 3 years


# 1.129 28-Apr-2018 stsp

When starting a background scan, free the nodes table to ensure we
get an up-to-date view of APs around us. In particular, we need to
kick out the AP we are associated to. Otherwise, our current AP might
stay cached if it is turned off while we are scanning, and we could
end up picking a now non-existent but "good looking" AP over and over.

found with and ok phessler@


# 1.128 27-Apr-2018 stsp

Fix the scan loop: We were only looking for an AP once and stopped
scanning if none was found.
Accidentally broken in recent ifconfig scan changes by pirofti and me.
ok pirofti


# 1.127 26-Apr-2018 pirofti

net80211: stub SIOCS80211SCAN, make ifconfig scan instant.

The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stsp@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.

The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.

In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.

The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...

Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.

Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).

Tested by mpi@, landry@, florian@, thanks!
OK mpi@.


Revision tags: OPENBSD_6_3_BASE
# 1.126 06-Feb-2018 phessler

convert the test if a node supports HT (aka, 11n) into an inline function,
instead of testing some un-obvious bitfield

OK stsp@


# 1.125 12-Dec-2017 stsp

Don't dereference IEEE80211_CHAN_ANYC pointer in ieee80211_node_checkrssi().

Problem reported by Gregoire Jadi on bugs@


# 1.124 12-Dec-2017 phessler

Allow interfaces that aren't SCANNALLBAND drivers to benefit from the
strongest received signal.

OK stsp@


# 1.123 12-Dec-2017 jcs

Fix the behavior of preferring weaker-but-still-good 5GHz APs over
2GHz APs because the 5GHz band is generally less saturated.

The previous implementation was dependent upon the order of walking
APs.

ok stsp


# 1.122 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


Revision tags: OPENBSD_6_2_BASE
# 1.121 05-Sep-2017 stsp

When starting a new scan always set the mode to AUTO if the driver scans
all bands at once. Fixes a problem where e.g. 5GHz APs were filtered out
if we were previously associated to an 11g-only AP.
ok mpi@ phessler@


# 1.120 17-Aug-2017 stsp

Add an entry to dmesg if pairwise WPA keys arrive unexpectedly or if WPA
group keys are being reused. OpenBSD wireless clients will now leave a
trail of such events in their message log.

There has been increased public scrutiny of WPA's security recently, so
I am curious to see if anyone is attempting replay attacks in the wild.

ok deraadt


# 1.119 04-Aug-2017 stsp

Compile a debug printf in ieee80211_match_bss() by default, previously
guarded by the IEEE80211_DEBUG preprocessor flag. This shows one line
per detected AP after a scan, and indicates which APs are considered
candidates for association.
Shorten the output a bit to fit into 80 columns more likely.
ok sthen@


# 1.118 19-Jul-2017 stsp

Improve the heuristic which selects 5GHz APs over 2GHz APs.

The previous code wasn't quite right: it didn't account for the fact that
some drivers don't set ic_max_rssi, and it compared 5GHz APs to a threshold
relative to the max RSSI, rather than comparing RSSI on 5GHz relative to
RSSI on 2GHz.

This heuristic is only used by SCANNALLBAND drivers: iwn(4), iwm(4), wpi(4)

In the future the AP selection heuristic should be made more intelligent,
e.g. it should take BSS load information in beacons into account.
Another open problem is inconsistent representation of RSSI measurement
values throughout our drivers and stack. Help is welcome!

For now, this hopefully improves AP selection at busy airports.

ok sthen@ deraadt@


# 1.117 04-Jun-2017 tb

Add sizes for free for the RSN IEs. Rewrite ieee80211_save_ie() slightly
to make it more readable.

help, many explanations and ok stsp


# 1.116 03-Jun-2017 tb

Add a few sizes to free().

Input, help & ok stsp


Revision tags: OPENBSD_6_1_BASE
# 1.115 04-Mar-2017 stsp

branches: 1.115.4;
In 11n hostap mode, dynamically adjust HT protection settings based on
the presence of non-HT nodes in the node cache.
OpenBSD 11n APs will now disable HT protection if it is not necessary.
ok mpi@


# 1.114 03-Feb-2017 stsp

Fix 11b clients sending bogus ratesets in association requests. The common
rateset with the AP is calculated only after the association response was
received, which is too late. Fix rates when an AP is selected after a scan.
ok mpi@ tb@


# 1.113 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.112 16-Jan-2017 stsp

Reset block ack state and cancel related timeouts when a HT node disassociates.
The existing code (from damien@) already took care of freeing related buffers
but because block ack state was not reset we were still trying to use these
buffers if the node sent another A-MPDU. This problem only affects 11n hostap.
Fixes kernel crash reported by Timo Myyra on bugs@


# 1.111 09-Jan-2017 stsp

When a HT node leaves or reassociates as a non-HT node,
clear HT capabilities stored in its node cache object.

A node may switch from 11n mode to 11a/b/g mode.
If we don't clear HT capabilities from the cache the node will
be mistaken as 11n-capable after reassociation.

ok phessler@ mpi@


# 1.110 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.109 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.108 09-Jan-2017 stsp

The point of ieee80211_node_leave() is to place the node in COLLECT state.
Return early and do nothing if the node is already in COLLECT state upon
entry to this function.


# 1.107 09-Jan-2017 stsp

When acting as hostap, negotiate HT before calling the driver's ic_newassoc()
function, not afterwards. Drivers now know whether a joining node supports HT
which helps with setting up state such as which Tx rate to use.


# 1.106 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@


# 1.105 15-Sep-2016 dlg

move from RB macros to the RBT functions.

shaves about 5k off an amd64 GENERIC.MP kernel


# 1.104 17-Aug-2016 stsp

If a wireless device or driver scans all bands at once give 5GHz APs
a slight priority in cases where good matches exist in either band.
ok sthen@


Revision tags: OPENBSD_6_0_BASE
# 1.103 21-May-2016 stsp

branches: 1.103.2;
Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


# 1.102 18-May-2016 stsp

In hostap mode, don't re-use association IDs (AIDs) of nodes which are
still lingering in the node cache. This could cause an AID to be assigned
twice, once to a newly associated node and once to a different node in
COLLECT cache state (i.e. marked for future eviction from the node cache).

Drivers (e.g. rt2860) may use AIDs to keep track of nodes in firmware
tables and get confused when AIDs aren't unique across the node cache.
The symptom observed with rt2860 were nodes stuck at 1 Mbps Tx rate since
the duplicate AID made the driver perform Tx rate (AMRR) accounting on
the wrong node object.

To find out if a node is associated we now check the node's cache state,
rather than comparing the node's AID against zero. An AID is assigned when
a node associates and it lasts until the node is eventually purged from the
node cache (previously, the AID was made available for re-use when the node
was placed in COLLECT state). There is no need to be stingy with AIDs since
the number of possible AIDs exceeds the maximum number of nodes in the cache.

Problem found by Nathanael Rensen.
Fix written by Nathanael and myself. Tested by Nathanael.
Committing now to get this change tested across as many drivers as possible.


# 1.101 12-Apr-2016 mpi

Call if_enqueue() and if_start() instead of dereferencing the ifp
pointers.

These functions have been introduced to abstract some of the MP-
safeness^Wmadness and should be used everywhere.

Prodded by a comment from jsg@.

ok mikeb@, stsp@


# 1.100 03-Mar-2016 gerhard

Restore assignment of ic_curmode that was accidentally removed when
moving the ERP code to post-assoc phase. Fixes iwi(4) fatal firmware
errors.

ok stsp@, sobrado@


Revision tags: OPENBSD_5_9_BASE
# 1.99 25-Jan-2016 stsp

branches: 1.99.2;
Honour ERP protection on 2 GHz channels in 11n mode, as done for 11g.
ok millert@


# 1.98 25-Jan-2016 stsp

Don't try to interpret htprot data if the last beacon didn't contain such data.
ok mpi@ millert@


# 1.97 07-Jan-2016 stsp

Make the A-MPDU reordering buffer more resilient against APs which drop
some subframes or let the sequence number jump up by more than 1 (hard
to tell which it is). We decrease the BA inactivity timeout for quicker
recovery from stalled BA sessions, and add a new timeout which keeps track
of gaps in the subframe sequence number space due to dropped frames.
Gaps expire after 500 msec, the same value FreeBSD uses for their
implementation of this workaround. And Linux uses this trick, too.

This should fix network stalls some people have been seeing in 11n mode.

ok deraadt@


# 1.96 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.95 04-Jan-2016 stsp

While configuring ERP we need to know if we're in 11a or 11g mode so only
configure ERP once we are sure about our operation mode against the AP.
ok sthen jasper kettenis deraadt mpi


# 1.94 18-Dec-2015 sthen

unnoccupied->unoccupied


# 1.93 12-Dec-2015 stsp

Finish support for receiving 11n A-MPDUs.

The initial implementation was added by damien@ years ago.
Summary of the changes made in this commit:
- In ieee80211_input(), process A-MPDUs before duplicate detection.
- Don't forget to set ba->ba_ni in ieee80211_recv_addba_req()
so we don't crash in ieee80211_rx_ba_timeout().
- In ieee80211_recv_addba_req(), tweak the logic to deny BlockAck
requests if the driver has no callback for doing so.
- Implement ieee80211_ba_del() which cleans up BlockAck state.
- Increase the minimum and maximum lifetime for BlockAck agreements.

ok mpi@


# 1.92 24-Nov-2015 mpi

No need to include <net/if_arp.h>

This header is only needed because <netinet/if_ether.h> declares a
structure that needs it. But it turns out that <net/if.h> already
includes it as workaround.

A proper solution would be to stop declaring "struct ether_arp"
there. But no driver should need this header.


# 1.91 15-Nov-2015 stsp

Parse 11n HT capabilities and operational info from association response
frames, negotiate HT with the AP, and move the interface into or out of
11n mode accordingly. If running as AP negotiate HT with nodes joining the BSS.

ok deraadt mpi kettenis guenther


# 1.90 15-Nov-2015 stsp

Extend struct ieee80211_node with fields for 11n STA HT capabilities and
HT operational information sent by 11n APs. These fields reflect the structure
of elements in management frames so that IEEE80211_HTCAP* and IEEE80211_HTOP*
macros designed to operate on frame elements can be used directly to read
or set the fields.

Populate nodes with HT information received in probe responses, probe
requests, and association requests.

ok deraadt mpi phessler kettenis guenther


# 1.89 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


Revision tags: OPENBSD_5_8_BASE
# 1.88 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.87 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.86 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.85 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.84 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.83 12-Sep-2014 sthen

Remove cached 802.11 nodes in IEEE80211_STA_CACHE state (these are nodes
which have been seen but which haven't otherwise interacted with us), fixing
a problem where old cached nodes are seen when doing a scan.
From Marcin Piotr Pawlowski, feedback stsp@ ok kspillner@ dcoppa@


# 1.82 08-Aug-2014 jasper

use nitems() instead of various local constructs

ok stsp@


Revision tags: OPENBSD_5_6_BASE
# 1.81 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


Revision tags: OPENBSD_5_5_BASE
# 1.80 01-Dec-2013 stsp

Reset txrate array index after changing a node's rate list.
Should prevent "bogus xmit rate %d setup" panics, which I ran into again
in IBSS mode.
ok kettenis


# 1.79 21-Nov-2013 mpi

Remove unneeded include.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.78 24-Mar-2013 claudio

Make ieee80211_set_tim() available from outside of ieee80211_node.c
so drivers like acx(4) can use that function directly instead of
reimplementing the function again. Requested by kettenis@ long time ago.


Revision tags: OPENBSD_5_3_BASE
# 1.77 07-Nov-2012 stsp

Fix DPRINTF() format string treating n->ni_refcnt, which is unsigned, as signed.
diff from dhill; ok kettenis reyk


# 1.76 10-Oct-2012 kettenis

Clear the powersave flag and purge queued packets when a node leaves the AP
(either by disassociating or by timeout). Fixes (most) remaining issues with
power saving.

From Nathanael Rensen.

ok claudio@, krw@, sthen@


# 1.75 05-Oct-2012 camield

Point an interface directly to its bridgeport configuration, instead
of to the bridge itself. This is ok, since an interface can only be part
of one bridge, and the parent bridge is easy to find from the bridgeport.

This way we can get rid of a lot of list walks, improving performance
and shortening the code.

ok henning stsp sthen reyk


# 1.74 20-Sep-2012 stsp

Nuke M_80211_NODE #define which mapped to M_DEVBUF and use M_DEVBUF directly.
ok henning


# 1.73 25-Aug-2012 kettenis

Set up ni_savedq for the initial BSS node such that it can actually be used
to store multicast frames when one of the associated stations is in power
saving mode.

ok stsp@


# 1.72 17-Aug-2012 stsp

Fix possible panic while switching from STA mode into hostap/ibss modes.
ieee80211_create_ibss() resets the set of supported rates but failed
to update the index into the rate set array accordingly. If the rate
configured during STA operation didn't belong to the newly configured
rate set the system ran into an assertion ("bogus xmit rate %u setup")
while trying to create the IBSS.
ok fgsch@


Revision tags: OPENBSD_5_2_BASE
# 1.71 18-Jul-2012 stsp

Print messages about nodes purged from the node cache if hostap/ibss modes are
compiled in and the interface is in debug mode. ok sthen


# 1.70 16-Jul-2012 stsp

Move increment of ic_nnodes closer to where the node is actually inserted
into the cache. Make sure we're at IPL_NET while incrementing/decrementing
ic_nnodes. Add a debug message that warns about possible node leaks.
All of this affects hostap mode only.


# 1.69 13-Jul-2012 stsp

Tweak node cache eviction strategy when the cache is full: kick off new nodes
in AUTH state that weren't active during the cache wait interval rather than
keeping them for the entire cache timeout interval. Fixes association failures
in noisy RF environments. Tested by edd and myself with a slow soekris
suffering from RF noise with about 50 interrupts per second on ral0.
ok deraadt


Revision tags: OPENBSD_5_1_BASE
# 1.68 25-Jan-2012 stsp

There is no need to explicitly skip ic_bss when iterating over cached nodes.
The ic_bss is never put into the RB tree.


# 1.67 25-Jan-2012 stsp

Clean inactive authenticated nodes during cache timeout as well.
There is no need to keep nodes cached which never associated and were
inactive within the last 5 minutes or more. Keeps the node cache pretty
clean in my environment with typical city-center wlan noise.


# 1.66 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@


# 1.65 21-Jan-2012 stsp

Hold interrupts blocked while comparing a cached node's refcount to zero
and freeing the node. Just in case an interrupt happens to ref the node after
the refcount was checked but before the node is freed.
Tested by several as part of a larger diff.


# 1.64 18-Jan-2012 stsp

Make it possible to free cached nodes which never associated (e.g. nodes
only scanning for networks). These were never put into COLLECT state and
were thus never evicted from the node cache in hostap mode.
ok jsg@


Revision tags: OPENBSD_5_0_BASE
# 1.63 28-Mar-2011 kettenis

Clean nodes until the number of cached nodes is smaller than the maximum number
of nodes, otherwise we'll never actually clean any nodes. Fixes issues with
clients failing to attach because the node cache is completely filled.

ok damien@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.62 07-Aug-2010 krw

No "\n" needed at the end of panic() strings.

Bogus chunks pointed out by matthew@ and miod@. No cookies for
marco@ and jasper@.

ok deraadt@ miod@ matthew@ jasper@ macro@


# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


# 1.60 19-Jun-2010 damien

In ieee80211_node_leave(), clear the associd after calling
ieee80211_node_leave_rsn() since ieee80211_node_leave_rsn()
calls ic_delete_key() and drivers like ral(4) RT2860 need
a valid associd in their delete_key callbacks.
This affects HostAP mode only.

from Nathanael Rensen.

remove a useless (nested) #ifndef IEEE80211_STA_ONLY while i'm here


# 1.59 14-Jun-2010 damien

fix my previous commit, i forgot BIP, so instead of enumerating
what is not supported as a group cipher, enumerate what is supported.


# 1.58 14-Jun-2010 damien

do not try to associate with an AP using an unsupported group cipher,
otherwise we will panic in ieee80211_add_rsn_body().

this may be the cause of a panic seen by reyk@ though i'm not 100% sure.


# 1.57 28-Mar-2010 krw

Four uses of uninitialized variables found by clang via jsg@. ar5416, ar9287
and athn are only theoretically interesting. ieee80211_node fixes a real
bug in occupied channel detection.

ok damien@


Revision tags: OPENBSD_4_7_BASE
# 1.56 17-Feb-2010 damien

Do not always create a new node when a beacon or a probe response
is received. The creation of a new node is already handled in
ieee80211_recv_probe_resp() when necessary.
This avoids creating empty nodes with wrong channels when beacons
are received on the wrong channel (overlapping channels).
Those empty nodes may also prevent the real node from being
discovered because of ieee80211_find_node_for_beacon() filtering.

This should prevent entries of the form:
nwid "" chan 3 bssid 00:01:02:03:04:05 0dB 54M
in "ifconfig if0 scan" output, like reported by Rivo Nurges.


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.55 29-Jan-2009 damien

fix a panic that occurs when IEEE80211_STA_ONLY is defined (SMALL_KERNEL).

noticed by ray@, more investigation from sthen@
fix tested by sthen@


# 1.54 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.53 28-Jan-2009 damien

In ieee80211_find_node(), roll our own RB_FIND() based on the key (macaddr)
instead of resorting to horrid hacks/casts.
Restore the ieee80211_node structure back to its original state.


# 1.52 27-Jan-2009 damien

unbreak SMALL_KERNEL builds by adding missing #ifndef IEEE80211_STA_ONLY

pointed out by krw@


# 1.51 26-Jan-2009 damien

move ni_macaddr field at the top of the ieee80211_node structure.
this way we can avoid putting a full node structure (which is huge)
on the stack in ieee80211_find_node().
this is a bit tricky but the RB_FIND macro wants an "elem" structure,
not a field of "elem".


# 1.50 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.49 14-Dec-2008 damien

Add an ieee80211_notify_dtim() function that drivers should call after
every DTIM in HostAP mode.
Flushes all group addressed MSDUs buffered at the AP for power management.


# 1.48 23-Oct-2008 mk

Prevent a crash in ieee80211_setkeys() when unplugging an interface in
hostap mode by canceling the group rekey timeout in ieee80211_node_detach().

ok damien


# 1.47 15-Oct-2008 blambert

Second pass of simple timeout_add -> timeout_add_sec conversions
This should take care of the simpler ones (i.e., timeout values of
integer multiples of hz).

ok krw@, art@


# 1.46 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.45 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.44 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.43 12-Aug-2008 damien

new SHA-256 based AKMPs.


# 1.42 12-Aug-2008 damien

add/process group integrity cipher suite in RSN IEs.
add support for MFP negotiation during association.


# 1.41 12-Aug-2008 damien

the only integrity group cipher currently supported is AES-128-CMAC.


# 1.40 12-Aug-2008 damien

generate a random IGTK in HostAP mode if we're MFP-capable.


# 1.39 12-Aug-2008 damien

get rid of the map_ptk()/map_gtk() functions, just inline them
which makes things easier to track.


Revision tags: OPENBSD_4_4_BASE
# 1.38 02-Aug-2008 damien

Drop frames that are received unencrypted when WEP is on or when
WPA is on and RX protection for TA is on.
Keep track of the TX/RX protection for each node when WPA is on.

tested by djm@ (ral+wpa), ckuethe@ (ath-noenc) and krw@ (wpi<->ral+wpa).
hints from bluhm@
has been in snaps for a few days.

pointed out by bluhm@ something like 1 year ago but we did not have
the right infrastructure to fix it properly at that time.

ok deraadt@


# 1.37 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.36 27-Jul-2008 damien

s/IEEE80211_DPRINTF/DPRINTF/
automatically prepend __func__ to output.

deobfuscates debug messages a bit.
no binary change unless compiled with IEEE80211_DEBUG.


# 1.35 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.34 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


# 1.33 21-Apr-2008 damien

move ieee80211_ibss_merge() from ieee80211_input.c to ieee80211_node.c


# 1.32 21-Apr-2008 damien

move ieee80211_auth_open() to ieee80211_proto.c
move ieee80211_setup_rates() to ieee80211_node.c
move some prototypes from ieee80211_proto.h to ieee80211_crypto.h


# 1.31 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.30 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.29 07-Sep-2007 damien

use new malloc M_ZERO flag + replace MALLOC with malloc


Revision tags: OPENBSD_4_2_BASE
# 1.28 06-Jul-2007 damien

remove remaining bits for pre-RSNA shared authmode support.
it has been #if 0'd since 3.9 and we have never supported this mode (no
ifconfig option etc...).


# 1.27 06-Jul-2007 damien

initialize an uninitialized variable.


# 1.26 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.25 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.24 16-Jun-2007 damien

constify


# 1.23 16-Jun-2007 damien

don't mix u_int{8,16,32}_t and uint{8,16,32}_t
use u_int{8,16,32}_t everywhere.


# 1.22 16-Jun-2007 damien

de-static

ok jsg@


# 1.21 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.20 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


# 1.19 10-Apr-2007 miod

``it's'' -> ``its'' when the grammar gods require this change.


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 13-Nov-2006 damien

fix a possible NULL deref.


Revision tags: OPENBSD_4_0_BASE
# 1.16 19-Jun-2006 reyk

unbreak the code if compiled with IEEE80211_DEBUG by using the right
node attribute.

ok damien@, figured out by claudio@


# 1.15 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.14 19-Feb-2006 damien

Fix a comment in ieee80211_next_scan().


# 1.13 09-Oct-2005 reyk

if the wireless hostap interface belongs to a bridge, learn the node's
address dynamically on this interface after successful association.
this could speed wireless roaming to openbsd accesspoints.

ok jason@, jsg@ can't see anything objectionable


# 1.12 07-Oct-2005 reyk

minor knf


# 1.11 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.10 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.9 08-Sep-2005 jsg

Remove the last of the FreeBSD compatibility goop.
ok reyk@


# 1.8 08-Sep-2005 jsg

Remove FreeBSD if_printf compat function from net80211.
ok reyk@


# 1.7 08-Sep-2005 reyk

reset the scan state for each new mode

ok jsg@


# 1.6 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.5 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.4 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.3 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.2 02-Nov-2004 millert

Don't call memset() if MALLOC returns NULL; also fix the rcs ID.
From Patrick Latifi; OK reyk@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.171 26-Aug-2019 stsp

remove redundant assignment to ic_curmode

This assignment to ic_curmode is redundant because it already occurs
inside ieee80211_setmode(), and channel information in selbs and ni
is equivalent after node_copy().

ok mpi@ kevlo@


# 1.170 29-Jul-2019 stsp

Add support for 802.11n Tx aggregation to net80211 and the iwn(4) driver.

In particular, add Tx block ack session management to net80211, with
enough functionality to support Tx aggregation on devices which perform
A-MPDU subframe scheduling in firmware.
Make use of the iwn(4) firmware Tx scheduler to build A-MPDUs.

net80211's QoS support code is now enabled and used by Tx aggregation.

A-MSDU frames inside A-MPDUs have been tested and work in principle.
For now, this feature is disabled because unfair TCP connection sharing
was observed during testing, where bursts of TCP Ack frames for a single
tcpbench(1) connection arriving in A-MSDUs made other TCP connections stall.
Switch off support for A-MSDUs inside A-MPDUs on the Rx side as well.

Tested on iwn chipsets 1000, 4965, 5100, 5300, 2200, 6200, 6205, 6300
(committed version of tested diff has all debug printfs removed)
tests/ok benno kmos mlarkin kevlo


# 1.169 23-Jul-2019 stsp

In 11n hostap mode, properly disable HT protection when needed
by actually overwriting the relevant bits in ni_htop1.
ok tedu@ phessler@ kettenis@


# 1.168 10-Jun-2019 stsp

Revised version of 'ifconfig mode' command fix.

The 'mode' command is supposed to force a wireless interface into 11a/b/g/n
media mode. This stopped working some time ago, probably during my work on
background scanning. Problem spotted by mlarkin@ who noticed that interfaces
were using 11g mode while forced to 11b mode.

ok phessler, jmatthew (earlier version)
relentless testing by krw@


# 1.167 31-May-2019 stsp

Revert my "Repair the 'ifconfig mode' command" commit.

The "recursion in end_scan()" problem is apparently still present in
the committed version of the diff (reported by krw@).


# 1.166 29-May-2019 stsp

Repair the 'ifconfig mode' command.

The 'mode' command is supposed to force a wireless interface into 11a/b/g/n
media mode. This stopped working some time ago, probably during my work on
background scanning. Problem spotted by mlarkin@ who noticed that interfaces
were using 11g mode while forced to 11b mode.

ok phessler, jmatthew


# 1.165 11-May-2019 stsp

Show driver name on net80211 scan debug lines.
ok mpi@


# 1.164 28-Apr-2019 mpi

Removes the KERNEL_LOCK() from bridge(4)'s output fast-path.

This redefines the ifp <-> bridge relationship. No lock can be
currently used across the multiple contexts where the bridge has
tentacles to protect a pointer, use an interface index.

Tested by various, ok dlg@, visa@


Revision tags: OPENBSD_6_5_BASE
# 1.163 15-Mar-2019 phessler

fix autojoin for WEP network by actually saving the WEP auth key

discovered while attempting to autojoin WEP networks


# 1.162 01-Mar-2019 stsp

Improve handling of HT protection for 'mode 11n' hostap.

Consider the mere presence of HTCAP IEs as indicator of 11n support,
rather than checking advertised Rx MCS. Fixes some devices being
misclassified as 11a/g, causing HT protection to be enabled even
though it is not needed.

Use CTS-to-self frames for HT protection instead of RTS/CTS.

These changes make my athn(4) AR9280 hostap perform much better.

ok phessler@


# 1.161 23-Jan-2019 stsp

Move 802.11n rateset definitions out of MiRA and make them available to
net80211 and drivers in general. Add ratesets for 'short guard interval'
(SGI) rates, and add SGI support to MiRA. SGI is currently only used by
iwm(4), and of course internally by bwfm(4) firmware.
Ratesets for 11n 40 MHz channels and 11ac will come later.
ok mpi@ phessler@


# 1.160 18-Jan-2019 phessler

add a len field when we delete an essid from the joinlist. this will have
us properly match, instead of hoping we got lucky when selecting it.

OK stsp@


# 1.159 18-Jan-2019 phessler

let users automatically use join to connect to any open wifi network.
if a known network is visible, always prefer that instead.

requested by many, OK stsp@


# 1.158 25-Nov-2018 phessler

print more details about the join'd networks we have saved when a user runs
ifconfig if joinlist

OK stsp@


# 1.157 20-Nov-2018 phessler

fix whitespace in debugging function


# 1.156 20-Nov-2018 patrick

The first packet received from each AP in each QoS class would be
dropped as the sequence number matches the initial value of the
cached last sequence number (zero). On some APs (notably Android
WIFI hotspots) this hits the first packet of the WPA2 4-way
handshake. This causes connection delays and in some cases
connection to the AP fails completely. Initialize the cached last
sequence numbers for received packets to an invalid value instead.

From Christian Ehrhardt
ok gerhard@ stsp@

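The failure mode in 1.156 above, as an added example that is not net80211 code: per-node duplicate detection keyed on the 12-bit 802.11 sequence number, with one cached "last sequence" slot per QoS class. The `SEQ_INVALID` sentinel, the structure and function names, and the sample frame sequence are constructed for illustration; the real stack also requires the Retry bit before treating a repeated sequence number as a duplicate, which is omitted here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define NUM_TIDS	16
#define SEQ_MASK	0x0fff	/* 12-bit sequence number in the seqctl field */
#define SEQ_INVALID	0xffff	/* constructed sentinel: no masked value can equal it */

struct rx_node {
	uint16_t last_rxseq[NUM_TIDS];
};

/* Before the fix: every cached "last sequence" starts at zero. */
static void
rx_node_init_zero(struct rx_node *ni)
{
	memset(ni->last_rxseq, 0, sizeof(ni->last_rxseq));
}

/* After the fix: start from a value no real frame can carry. */
static void
rx_node_init_invalid(struct rx_node *ni)
{
	for (int tid = 0; tid < NUM_TIDS; tid++)
		ni->last_rxseq[tid] = SEQ_INVALID;
}

/*
 * Return true if the frame repeats the last sequence number seen on this
 * TID (treated here as a retransmission); otherwise record it and accept.
 */
static bool
rx_is_duplicate(struct rx_node *ni, int tid, uint16_t seqctl)
{
	uint16_t seq = seqctl & SEQ_MASK;

	if (ni->last_rxseq[tid] == seq)
		return true;
	ni->last_rxseq[tid] = seq;
	return false;
}

/* Feed a frame sequence through one TID and count how many are dropped. */
static int
count_dropped(void (*init)(struct rx_node *), const uint16_t *seqs, int n,
    int tid)
{
	struct rx_node ni;
	int dropped = 0;

	init(&ni);
	for (int i = 0; i < n; i++)
		if (rx_is_duplicate(&ni, tid, seqs[i]))
			dropped++;
	return dropped;
}

/*
 * Constructed scenario: the AP's first frame in this QoS class carries
 * sequence number 0 (as for the first EAPOL frame of a 4-way handshake),
 * followed by a genuine retransmission of sequence number 1.
 */
static const uint16_t sample_seqs[] = { 0x0000, 0x0001, 0x0001, 0x0002 };
#define NSAMPLE	((int)(sizeof(sample_seqs) / sizeof(sample_seqs[0])))

int
dropped_with_zero_init(void)
{
	return count_dropped(rx_node_init_zero, sample_seqs, NSAMPLE, 0);
}

int
dropped_with_invalid_init(void)
{
	return count_dropped(rx_node_init_invalid, sample_seqs, NSAMPLE, 0);
}
```

With zero initialisation the very first frame is discarded as a duplicate of a frame that was never received, so two frames are dropped; with the invalid sentinel only the real retransmission is dropped.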

# 1.155 27-Oct-2018 phessler

pass around the ess and ni structures we plan to use directly, instead
of rediscovering them (possibly badly).

OK stsp@


# 1.154 27-Oct-2018 phessler

clean up accounting of the AUTO_JOIN flag by making sure it is set or cleared
based on the state of the joinlist

OK stsp@


# 1.153 27-Oct-2018 phessler

don't join to a network where we expect cleartext, and the AP is using crypto

OK stsp@


Revision tags: OPENBSD_6_4_BASE
# 1.152 18-Sep-2018 mestre

fix memory leak in ieee80211_end_scan()

OK phessler@ jsg@


# 1.151 17-Sep-2018 jsg

fix memory leaks in ieee80211_add_ess()
ok stsp@ phessler@


# 1.150 11-Sep-2018 phessler

use the format string for signed ints, for signed ints

reminded by stsp@


# 1.149 11-Sep-2018 phessler

With the interface debug flag enabled, print a "score" for each AP we
consider during auto-join. This can help users determine why a specific
network was chosen.

OK stsp@


# 1.148 10-Sep-2018 phessler

fix typo in the length of the essid we want to switch to

found with and OK stsp@


# 1.147 10-Sep-2018 phessler

extract clearing WEP/WPA in ess into helper functions


# 1.146 10-Sep-2018 phessler

give set_ess a len variable, so we can correctly match the essid we want
to switch to.

pointed out by stsp@


# 1.145 09-Sep-2018 phessler

convert the things we save in 'join' into a single ioctl. mixing related
settings over multiple calls was risky and racy. Pass essid, wpa, and wep
parameters in a single ioctl and process it atomically.

no change for 'nwid' users

OK stsp@ benno@


# 1.144 06-Sep-2018 jsg

fix whitespace


# 1.143 01-Sep-2018 stsp

Make 'ifconfig nwid' override 'ifconfig join'.

There was no way to override a decision made by join's network
selection algorithm (apart from disabling the feature by clearing
the join list). Automatic selection is based on heuristics which
cannot always guess correctly so we need to provide an override.

One specific problem was that if 'nwid foo' and 'nwid bar' were
both visible in the scan and only 'nwid foo' was a member of the
join list, then there was no way at all to connect to 'nwid bar'.
The wireless stack would keep selecting 'nwid foo' instead.

'ifconfig iwm0 nwid bar' command will now disable automatic
network selection and force the use of ESSID 'bar'.
Any of these commands will re-enable automatic network selection:
ifconfig iwm0 -nwid
ifconfig iwm0 nwid ''
ifconfig iwm0 join some-network-id

ok phessler@ deraadt@


# 1.142 15-Aug-2018 stsp

Update AP selection heuristics for auto-join.

We now prefer stronger crypto over weaker crypto over none, prefer 5 GHz
band with reasonable RSSI, and use RSSI as a tie-breaker with a slight
advantage for 5GHz. Candidate APs are now ranked by a score which is
calculated based on these attributes.

There is likely room for improvements to make these heuristics
work well across many different environments, but it's a start.

ok phessler@


# 1.141 13-Aug-2018 stsp

Add support for band-steering access points to net80211.

Some access points have a feature called "band steering" where they
will try to push clients from 2 GHz channels to 5 GHz channels.
If a client sends probe-requests on both 2 GHz and 5GHz channels, and
then attempts to authenticate on a 2 GHz channel, such APs will deny
authentication and hope that the client will come back on a 5 GHz channel.

So if we fail to AUTH for any reason, and if there is a different
AP with the same ESSID that we haven't tried yet, try that AP next.
Keep trying until no APs are left, and only then continue scanning.

APs with support for this feature were provided by Mischa Peters.

ok phessler@ mpi@


# 1.140 11-Aug-2018 stsp

Add comment explaining why we read basic MCS set only from beacon/probereq.
requested by mpi@


# 1.139 07-Aug-2018 stsp

Ignore basic MCS set information found in association responses.

Some APs (Aruba 105) send a bogus basic MCS set in assoc responses
which prevents us from enabling 11n support with those APs, while
these APs still behave as if we were an 11n client which renders
the association unusable.

The basic MCS set is already provided in beacons anyway, and the
802.11 2012 standard says the basic MCS set is reserved in frames
other than beacons (see Table 8-130).

ok mpi@


# 1.138 06-Aug-2018 stsp

Refactor ieee80211_add_ess():

Drop ieee80211_add_ess's nwid parameter. Read nwid and length directly
from the ic to make it more obvious where this function is reading from.

nwids are binary data with an explicit length, so treat them as such
instead of treating them like strings.

ok florian phessler


# 1.137 06-Aug-2018 florian

Do not set nwid over and over again. We just found the ess by comparing
the nwid. It will not have changed in the meantime.
OK stsp


# 1.136 03-Aug-2018 phessler

revert 1.133 and part of 1.131
the stack doesn't always fill in the parameters correctly

reported by many


# 1.135 30-Jul-2018 stsp

Don't ask drivers to join a wifi network before an AP has been chosen.
Should fix a panic with bwfm(4) reported by mlarkin@
ok phessler@


# 1.134 19-Jul-2018 florian

ieee80211_ess_is_better() returns 0 or 1, comparing > 1 is always
false so we always selected the first wifi available, not the best
one.

While here shuffle some deck chairs to make it clearer that anything is
better than nothing.

tweak & OK phessler


# 1.133 16-Jul-2018 phessler

the AP sends their crypto parameters as a mask, so let us still select it
in case we want WPA2 and they have WPA1 still enabled


# 1.132 16-Jul-2018 phessler

don't save or use auto-join when the card is not in station (aka client) mode

OK stsp@


# 1.131 13-Jul-2018 phessler

Some more checks before auto-join switches networks.

Make sure all of the crypto options the AP announces matches what we
would configure. While here, don't switch if the user has specified
a specific BSSID, and the new AP does not match.

OK stsp@


# 1.130 11-Jul-2018 phessler

Introduce 'auto-join' to the wifi 802.11 stack.

This allows a system to remember which ESSIDs it wants to connect to, any
relevant security configuration, and switch to it when the network we are
currently connected to is no longer available.

Works when connecting and switching between WPA2/WPA1/WEP/clear encryptions.

example hostname.if:
join home wpakey password
join work wpakey mekmitasdigoat
join open-lounge
join cafe wpakey cafe2018
join "wepnetwork" nwkey "12345"
dhcp
inet6 autoconf
up

OK stsp@ reyk@
and enthusiasm from every hackroom I've been in for the last 3 years


# 1.129 28-Apr-2018 stsp

When starting a background scan, free the nodes table to ensure we
get an up-to-date view of APs around us. In particular, we need to
kick out the AP we are associated to. Otherwise, our current AP might
stay cached if it is turned off while we are scanning, and we could
end up picking a now non-existent but "good looking" AP over and over.

found with and ok phessler@


# 1.128 27-Apr-2018 stsp

Fix the scan loop: We were only looking for an AP once and stopped
scanning if none was found.
Accidentally broken in recent ifconfig scan changes by pirofti and me.
ok pirofti


# 1.127 26-Apr-2018 pirofti

net80211: stub SIOCS80211SCAN, make ifconfig scan instant.

The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stsp@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.

The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.

In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.

The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...

Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.

Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).

Tested by mpi@, landry@, florian@, thanks!
OK mpi@.


Revision tags: OPENBSD_6_3_BASE
# 1.126 06-Feb-2018 phessler

convert the test if a node support HT (aka, 11n) into an inline function,
instead of testing some un-obvious bitfield

OK stsp@


# 1.125 12-Dec-2017 stsp

Don't dereference IEEE80211_CHAN_ANYC pointer in ieee80211_node_checkrssi().

Problem reported by Gregoire Jadi on bugs@


# 1.124 12-Dec-2017 phessler

Allow interfaces that aren't SCANNALLBAND drivers to benefit from the
strongest received signal.

OK stsp@


# 1.123 12-Dec-2017 jcs

Fix the behavior of preferring weaker-but-still-good 5 GHz APs over
2 GHz APs because the 5 GHz band is generally less saturated.

The previous implementation was dependent upon the order of walking
APs.

ok stsp


# 1.122 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


Revision tags: OPENBSD_6_2_BASE
# 1.121 05-Sep-2017 stsp

When starting a new scan always set the mode to AUTO if the driver scans
all bands at once. Fixes a problem where e.g. 5GHz APs were filtered out
if we were previously associated to an 11g-only AP.
ok mpi@ phessler@


# 1.120 17-Aug-2017 stsp

Add an entry to dmesg if pairwise WPA keys arrive unexpectedly or if WPA
group keys are being reused. OpenBSD wireless clients will now leave a
trail of such events in their message log.

There has been increased public scrutiny of WPA's security recently, so
I am curious to see if anyone is attempting replay attacks in the wild.

ok deraadt


# 1.119 04-Aug-2017 stsp

Compile a debug printf in ieee80211_match_bss() by default, previously
guarded by the IEEE80211_DEBUG preprocessor flag. This shows one line
per detected AP after a scan, and indicates which APs are considered
candidates for association.
Shorten the output a bit to fit into 80 columns more likely.
ok sthen@


# 1.118 19-Jul-2017 stsp

Improve the heuristic which selects 5GHz APs over 2GHz APs.

The previous code wasn't quite right: it didn't account for the fact that
some drivers don't set ic_max_rssi, and it compared 5GHz APs to a threshold
relative to the max RSSI, rather than comparing RSSI on 5GHz relative to
RSSI on 2GHz.

This heuristic is only used by SCANNALLBAND drivers: iwn(4), iwm(4), wpi(4)

In the future the AP selection heuristic should be made more intelligent,
e.g. it should take BSS load information in beacons into account.
Another open problem is inconsistent representation of RSSI measurement
values throughout our drivers and stack. Help is welcome!

For now, this hopefully improves AP selection at busy airports.

ok sthen@ deraadt@


# 1.117 04-Jun-2017 tb

Add sizes for free for the RSN IEs. Rewrite ieee80211_save_ie() slightly
to make it more readable.

help, many explanations and ok stsp


# 1.116 03-Jun-2017 tb

Add a few sizes to free().

Input, help & ok stsp


Revision tags: OPENBSD_6_1_BASE
# 1.115 04-Mar-2017 stsp

branches: 1.115.4;
In 11n hostap mode, dynamically adjust HT protection settings based on
the presence of non-HT nodes in the node cache.
OpenBSD 11n APs will now disable HT protection if it is not necessary.
ok mpi@


# 1.114 03-Feb-2017 stsp

Fix 11b clients sending bogus ratesets in association requests. The common
rateset with the AP is calculated only after the association response was
received, which is too late. Fix rates when an AP is selected after a scan.
ok mpi@ tb@


# 1.113 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.112 16-Jan-2017 stsp

Reset block ack state and cancel related timeouts when a HT node disassociates.
The existing code (from damien@) already took care of freeing related buffers
but because block ack state was not reset we were still trying to use these
buffers if the node sent another A-MPDU. This problem only affects 11n hostap.
Fixes kernel crash reported by Timo Myyra on bugs@


# 1.111 09-Jan-2017 stsp

When a HT node leaves or reassociates as a non-HT node,
clear HT capabilities stored in its node cache object.

A node may switch from 11n mode to 11a/b/g mode.
If we don't clear HT capabilities from the cache the node will
be mistaken as 11n-capable after reassociation.

ok phessler@ mpi@


# 1.110 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.109 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.108 09-Jan-2017 stsp

The point of ieee80211_node_leave() is to place the node in COLLECT state.
Return early and do nothing if the node is already in COLLECT state upon
entry to this function.


# 1.107 09-Jan-2017 stsp

When acting as hostap, negotiate HT before calling the driver's ic_newassoc()
function, not afterwards. Drivers now know whether a joining node supports HT
which helps with setting up state such as which Tx rate to use.


# 1.106 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@


# 1.105 15-Sep-2016 dlg

move from RB macros to the RBT functions.

shaves about 5k off an amd64 GENERIC.MP kernel


# 1.104 17-Aug-2016 stsp

If a wireless device or driver scans all bands at once give 5GHz APs
a slight priority in cases where good matches exist in either band.
ok sthen@


Revision tags: OPENBSD_6_0_BASE
# 1.103 21-May-2016 stsp

branches: 1.103.2;
Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


# 1.102 18-May-2016 stsp

In hostap mode, don't re-use association IDs (AIDs) of nodes which are
still lingering in the node cache. This could cause an AID to be assigned
twice, once to a newly associated node and once to a different node in
COLLECT cache state (i.e. marked for future eviction from the node cache).

Drivers (e.g. rt2860) may use AIDs to keep track of nodes in firmware
tables and get confused when AIDs aren't unique across the node cache.
The symptom observed with rt2860 was nodes stuck at 1 Mbps Tx rate, since
the duplicate AID made the driver perform Tx rate (AMRR) accounting on
the wrong node object.

To find out if a node is associated we now check the node's cache state,
rather than comparing the node's AID against zero. An AID is assigned when
a node associates and it lasts until the node is eventually purged from the
node cache (previously, the AID was made available for re-use when the node
was placed in COLLECT state). There is no need to be stingy with AIDs since
the number of possible AIDs exceeds the maximum number of nodes in the cache.

Problem found by Nathanael Rensen.
Fix written by Nathanael and myself. Tested by Nathanael.
Committing now to get this change tested across as many drivers as possible.
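
An added C example, not net80211 code, of the AID policy the message above describes: an AID is assigned at association, kept while the node lingers in COLLECT state, released only when the node is purged, and association status is read from the cache state rather than from a non-zero AID. The node and cache structures, their names and sizes, and the modelling of the old behaviour as "return the AID to the pool on entering COLLECT" are assumptions; the AID range 1..2007 is the one 802.11 defines.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Added example, not net80211 code: association ID (AID) handling for a
 * hostap node cache.  Structure and function names and the cache size are
 * assumptions; the AID range 1..2007 is the one 802.11 defines.
 *
 * An AID is assigned when a node associates and released only when the
 * node is purged from the cache.  Moving to COLLECT state (marked for
 * eviction) keeps it, so a node object still in the cache can never share
 * an AID with a newly associated one.  Association status is read from
 * the cache state, not from "AID != 0".
 */
#define MAX_NODES 100
#define MAX_AID   2007

enum node_state { NODE_CACHE, NODE_AUTH, NODE_ASSOC, NODE_COLLECT };

struct node {
	bool            in_use;
	enum node_state state;
	uint16_t        aid;      /* 0 = none assigned */
};

struct node_cache {
	struct node nodes[MAX_NODES];
	uint8_t     aid_map[MAX_AID / 8 + 1];   /* bit set = AID handed out */
};

static bool aid_in_use(const struct node_cache *nc, uint16_t aid)
{
	return nc->aid_map[aid / 8] & (1u << (aid % 8));
}

static void aid_release(struct node_cache *nc, uint16_t aid)
{
	if (aid != 0)
		nc->aid_map[aid / 8] &= (uint8_t)~(1u << (aid % 8));
}

static uint16_t aid_alloc(struct node_cache *nc)
{
	for (uint16_t aid = 1; aid <= MAX_AID; aid++) {
		if (!aid_in_use(nc, aid)) {
			nc->aid_map[aid / 8] |= (uint8_t)(1u << (aid % 8));
			return aid;
		}
	}
	return 0;   /* unreachable while MAX_AID > MAX_NODES */
}

struct node *nc_add(struct node_cache *nc)
{
	for (int i = 0; i < MAX_NODES; i++) {
		if (!nc->nodes[i].in_use) {
			nc->nodes[i].in_use = true;
			nc->nodes[i].state = NODE_CACHE;
			nc->nodes[i].aid = 0;
			return &nc->nodes[i];
		}
	}
	return NULL;
}

void nc_associate(struct node_cache *nc, struct node *n)
{
	if (n->aid == 0)               /* a lingering node keeps its earlier AID */
		n->aid = aid_alloc(nc);
	n->state = NODE_ASSOC;
}

/* Node disassociated or timed out: mark it for eviction. */
void nc_leave(struct node_cache *nc, struct node *n, bool old_behaviour)
{
	n->state = NODE_COLLECT;
	if (old_behaviour)             /* modelled: pool reuse before the node is gone */
		aid_release(nc, n->aid);
}

/* Eviction from the cache: only now does the AID become reusable. */
void nc_purge(struct node_cache *nc, struct node *n)
{
	aid_release(nc, n->aid);
	memset(n, 0, sizeof *n);
}

bool node_is_associated(const struct node *n)
{
	return n->in_use && n->state == NODE_ASSOC;
}

/* True if two node objects in the cache carry the same AID. */
bool nc_has_duplicate_aid(const struct node_cache *nc)
{
	for (int i = 0; i < MAX_NODES; i++)
		for (int j = i + 1; j < MAX_NODES; j++)
			if (nc->nodes[i].in_use && nc->nodes[j].in_use &&
			    nc->nodes[i].aid != 0 && nc->nodes[i].aid == nc->nodes[j].aid)
				return true;
	return false;
}

/*
 * Constructed scenario: A associates, leaves and lingers in COLLECT state,
 * then B associates.  Returns true if A and B ended up sharing an AID.
 */
bool aid_scenario(bool old_behaviour)
{
	static struct node_cache nc;   /* static: too large for a small stack */
	memset(&nc, 0, sizeof nc);
	struct node *a = nc_add(&nc), *b = nc_add(&nc);

	nc_associate(&nc, a);
	nc_leave(&nc, a, old_behaviour);
	nc_associate(&nc, b);
	return nc_has_duplicate_aid(&nc);
}
```

With the old behaviour A's AID goes back to the pool while A's node object still sits in the cache, so B receives the same AID and any driver table keyed by AID now points at two node objects; with the release deferred to purge time the two cannot collide.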


# 1.101 12-Apr-2016 mpi

Call if_enqueue() and if_start() instead of dereferencing the ifp
pointers.

These functions have been introduced to abstract some of the MP-
safeness^Wmadness and should be used everywhere.

Prodded by a comment from jsg@.

ok mikeb@, stsp@


# 1.100 03-Mar-2016 gerhard

Restore assignment of ic_curmode that was accidentally removed when
moving the ERP code to post-assoc phase. Fixes iwi(4) fatal firmware
errors.

ok stsp@, sobrado@


Revision tags: OPENBSD_5_9_BASE
# 1.99 25-Jan-2016 stsp

branches: 1.99.2;
Honour ERP protection on 2 GHz channels in 11n mode, as done for 11g.
ok millert@


# 1.98 25-Jan-2016 stsp

Don't try to interpret htprot data if the last beacon didn't contain such data.
ok mpi@ millert@


# 1.97 07-Jan-2016 stsp

Make the A-MPDU reordering buffer more resilient against APs which drop
some subframes or let the sequence number jump up by more than 1 (hard
to tell which it is). We decrease the BA inactivity timeout for quicker
recovery from stalled BA sessions, and add a new timeout which keeps track
of gaps in the subframe sequence number space due to dropped frames.
Gaps expire after 500 msec, the same value FreeBSD uses for their
implementation of this workaround. And Linux uses this trick, too.

This should fix network stalls some people have been seeing in 11n mode.

ok deraadt@
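
The reordering-buffer behaviour described in the message above (buffer out-of-order A-MPDU subframes, let a hole at the window head expire after 500 msec rather than stalling), as an added C example that is not net80211 code. Window size, the struct and function names, the far-ahead window shift and the simulated millisecond clock are assumptions made for the illustration; only the 500 msec figure comes from the message.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Added example, not net80211 code: a receive-side Block Ack reordering
 * buffer whose holes expire instead of stalling the session.  Window size,
 * names and the simulated millisecond clock are assumptions; 500 msec is
 * the figure from the commit message.  Sequence numbers are 12 bits and
 * BA_WIN divides 4096, so a subframe's slot is simply seq % BA_WIN. */
#define SEQ_MASK        0x0fff
#define BA_WIN          64
#define GAP_TIMEOUT_MS  500

struct ba_rx {
	uint16_t head;            /* next sequence number to deliver */
	bool     have[BA_WIN];    /* slot holds a buffered subframe */
	uint16_t seq[BA_WIN];
	int      nbuffered;
	uint64_t gap_since_ms;    /* clock when the head went missing, 0 = no hole */
};

void ba_rx_init(struct ba_rx *b, uint16_t start_seq)
{
	memset(b, 0, sizeof *b);
	b->head = start_seq & SEQ_MASK;
}

static void ba_take(struct ba_rx *b, uint16_t s, uint16_t *out, int *n)
{
	out[(*n)++] = b->seq[s % BA_WIN];
	b->have[s % BA_WIN] = false;
	b->nbuffered--;
}

/* Deliver in-order subframes from the head, then re-arm the hole timer. */
static int ba_flush(struct ba_rx *b, uint64_t now_ms, uint16_t *out)
{
	int n = 0;
	while (b->have[b->head % BA_WIN]) {
		ba_take(b, b->head, out, &n);
		b->head = (b->head + 1) & SEQ_MASK;
	}
	if (b->nbuffered == 0)
		b->gap_since_ms = 0;            /* nothing waits behind a hole */
	else if (n > 0 || b->gap_since_ms == 0)
		b->gap_since_ms = now_ms;       /* a new hole opened at the head */
	return n;
}

/* One received subframe; out[] needs BA_WIN entries.  Returns delivered count. */
int ba_rx_input(struct ba_rx *b, uint16_t seq, uint64_t now_ms, uint16_t *out)
{
	int n = 0;
	uint16_t off = ((seq & SEQ_MASK) - b->head) & SEQ_MASK;

	seq &= SEQ_MASK;
	if (off >= 2048)
		return 0;                       /* behind the window: stale or duplicate */
	if (off >= BA_WIN) {
		/* Sender moved past the window: release what falls below the new head. */
		uint16_t shift = off - (BA_WIN - 1);
		for (uint16_t i = 0; i < shift && i < BA_WIN; i++)
			if (b->have[(b->head + i) % BA_WIN])
				ba_take(b, (b->head + i) & SEQ_MASK, out, &n);
		b->head = (b->head + shift) & SEQ_MASK;
		b->gap_since_ms = 0;            /* ba_flush() re-evaluates the hole */
	}
	if (b->have[seq % BA_WIN])
		return n;                       /* duplicate inside the window */
	b->have[seq % BA_WIN] = true;
	b->seq[seq % BA_WIN] = seq;
	b->nbuffered++;
	return n + ba_flush(b, now_ms, out + n);
}

/* Timer callback: give up on a head that has been missing for GAP_TIMEOUT_MS. */
int ba_rx_timeout(struct ba_rx *b, uint64_t now_ms, uint16_t *out)
{
	if (b->gap_since_ms == 0 || now_ms - b->gap_since_ms < GAP_TIMEOUT_MS)
		return 0;
	while (!b->have[b->head % BA_WIN])  /* nbuffered > 0, so this terminates */
		b->head = (b->head + 1) & SEQ_MASK;
	return ba_flush(b, now_ms, out);
}

/* Constructed trace (not a capture): 11 never arrives, 14 is late and then
 * retransmitted, 100 jumps beyond the window.  Delivered order lands in
 * ba_demo_out[]; returns the count. */
uint16_t ba_demo_out[2 * BA_WIN];
int ba_demo(void)
{
	struct ba_rx b;
	uint16_t *o = ba_demo_out;
	int n = 0;
	ba_rx_init(&b, 10);
	n += ba_rx_input(&b, 10, 1000, o + n);   /* in order: delivered at once */
	n += ba_rx_input(&b, 12, 1000, o + n);   /* hole at 11 opens at t=1000 */
	n += ba_rx_input(&b, 13, 1005, o + n);
	n += ba_rx_timeout(&b, 1300, o + n);     /* hole too young: nothing */
	n += ba_rx_timeout(&b, 1500, o + n);     /* 11 given up: 12, 13 delivered */
	n += ba_rx_input(&b, 15, 1600, o + n);   /* hole at 14 */
	n += ba_rx_input(&b, 14, 1700, o + n);   /* late arrival: 14, 15 delivered */
	n += ba_rx_input(&b, 14, 1800, o + n);   /* stale retransmission: dropped */
	n += ba_rx_input(&b, 100, 1900, o + n);  /* far ahead: window restarts */
	n += ba_rx_timeout(&b, 2400, o + n);     /* hole before 100 expires */
	return n;
}
```

The hole timer is re-armed whenever the head advances, so each new hole gets its own 500 msec budget; without the timeout the buffer would hold 12 and 13 until the BA session itself timed out, which is the stall the message describes.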


# 1.96 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.95 04-Jan-2016 stsp

While configuring ERP we need to know if we're in 11a or 11g mode so only
configure ERP once we are sure about our operation mode against the AP.
ok sthen jasper kettenis deraadt mpi


# 1.94 18-Dec-2015 sthen

unnoccupied->unoccupied


# 1.93 12-Dec-2015 stsp

Finish support for receiving 11n A-MPDUs.

The initial implementation was added by damien@ years ago.
Summary of the changes made in this commit:
- In ieee80211_input(), process A-MPDUs before duplicate detection.
- Don't forget to set ba->ba_ni in ieee80211_recv_addba_req()
so we don't crash in ieee80211_rx_ba_timeout().
- In ieee80211_recv_addba_req(), tweak the logic to deny BlockAck
requests if the driver has no callback for doing so.
- Implement ieee80211_ba_del() which cleans up BlockAck state.
- Increase the minimum and maximum lifetime for BlockAck agreements.

ok mpi@


# 1.92 24-Nov-2015 mpi

No need to include <net/if_arp.h>

This header is only needed because <netinet/if_ether.h> declares a
structure that needs it. But it turns out that <net/if.h> already
includes it as a workaround.

A proper solution would be to stop declaring "struct ether_arp"
there. But no driver should need this header.


# 1.91 15-Nov-2015 stsp

Parse 11n HT capabilities and operational info from association response
frames, negotiate HT with the AP, and move the interface into or out of
11n mode accordingly. If running as AP negotiate HT with nodes joining the BSS.

ok deraadt mpi kettenis guenther


# 1.90 15-Nov-2015 stsp

Extend struct ieee80211_node with fields for 11n STA HT capabilities and
HT operational information sent by 11n APs. These fields reflect the structure
of elements in management frames so that IEEE80211_HTCAP* and IEEE80211_HTOP*
macros designed to operate on frame elements can be used directly to read
or set the fields.

Populate nodes with HT information received in probe responses, probe
requests, and association requests.

ok deraadt mpi phessler kettenis guenther


# 1.89 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


Revision tags: OPENBSD_5_8_BASE
# 1.88 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.87 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.86 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.85 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.84 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.83 12-Sep-2014 sthen

Remove cached 802.11 nodes in IEEE80211_STA_CACHE state (these are nodes
which have been seen but which haven't otherwise interacted with us), fixing
a problem where old cached nodes are seen when doing a scan.
From Marcin Piotr Pawlowski, feedback stsp@ ok kspillner@ dcoppa@


# 1.82 08-Aug-2014 jasper

use nitems() instead of various local constructs

ok stsp@


Revision tags: OPENBSD_5_6_BASE
# 1.81 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


Revision tags: OPENBSD_5_5_BASE
# 1.80 01-Dec-2013 stsp

Reset txrate array index after changing a node's rate list.
Should prevent "bogus xmit rate %d setup" panics, which I ran into again
in IBSS mode.
ok kettenis


# 1.79 21-Nov-2013 mpi

Remove unneeded include.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.78 24-Mar-2013 claudio

Make ieee80211_set_tim() available from outside of ieee80211_node.c
so drivers like acx(4) can use that function directly instead of
reimplementing the function again. Requested by kettenis@ long time ago.


Revision tags: OPENBSD_5_3_BASE
# 1.77 07-Nov-2012 stsp

Fix DPRINTF() format string treating n->ni_refcnt, which is unsigned, as signed.
diff from dhill; ok kettenis reyk


# 1.76 10-Oct-2012 kettenis

Clear the powersave flag and purge queued packets when a node leaves the AP
(either by disassociating or by timeout). Fixes (most) remaining issues with
power saving.

From Nathanael Rensen.

ok claudio@, krw@, sthen@


# 1.75 05-Oct-2012 camield

Point an interface directly to its bridgeport configuration, instead
of to the bridge itself. This is ok, since an interface can only be part
of one bridge, and the parent bridge is easy to find from the bridgeport.

This way we can get rid of a lot of list walks, improving performance
and shortening the code.

ok henning stsp sthen reyk


# 1.74 20-Sep-2012 stsp

Nuke M_80211_NODE #define which mapped to M_DEVBUF and use M_DEVBUF directly.
ok henning


# 1.73 25-Aug-2012 kettenis

Set up ni_savedq for the initial BSS node such that it can actually be used
to store multicast frames when one of the associated stations is in power
saving mode.

ok stsp@


# 1.72 17-Aug-2012 stsp

Fix possible panic while switching from STA mode into hostap/ibss modes.
ieee80211_create_ibss() resets the set of supported rates but failed
to update the index into the rate set array accordingly. If the rate
configured during STA operation didn't belong to the newly configured
rate set the system ran into an assertion ("bogus xmit rate %u setup")
while trying to create the IBSS.
ok fgsch@


Revision tags: OPENBSD_5_2_BASE
# 1.71 18-Jul-2012 stsp

Print messages about nodes purged from the node cache if hostap/ibss modes are
compiled in and the interface is in debug mode. ok sthen


# 1.70 16-Jul-2012 stsp

Move increment of ic_nnodes closer to where the node is actually inserted
into the cache. Make sure we're at IPL_NET while incrementing/decrementing
ic_nnodes. Add a debug message that warns about possible node leaks.
All of this affects hostap mode only.


# 1.69 13-Jul-2012 stsp

Tweak node cache eviction strategy when the cache is full: kick off new nodes
in AUTH state that weren't active during the cache wait interval rather than
keeping them for the entire cache timeout interval. Fixes association failures
in noisy RF environments. Tested by edd and myself with a slow soekris
suffering from RF noise with about 50 interrupts per second on ral0.
ok deraadt


Revision tags: OPENBSD_5_1_BASE
# 1.68 25-Jan-2012 stsp

There is no need to explicitly skip ic_bss when iterating over cached nodes.
The ic_bss is never put into the RB tree.


# 1.67 25-Jan-2012 stsp

Clean inactive authenticated nodes during cache timeout as well.
There is no need to keep cached nodes which never associated and were
inactive for the last 5 minutes or more. Keeps the node cache pretty
clean in my environment with typical city-center wlan noise.


# 1.66 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@


# 1.65 21-Jan-2012 stsp

Hold interrupts blocked while comparing a cached node's refcount to zero
and freeing the node. Just in case an interrupt happens to ref the node after
the refcount was checked but before the node is freed.
Tested by several as part of a larger diff.


# 1.64 18-Jan-2012 stsp

Make it possible to free cached nodes which never associated (e.g. nodes
only scanning for networks). These were never put into COLLECT state and
were thus never evicted from the node cache in hostap mode.
ok jsg@


Revision tags: OPENBSD_5_0_BASE
# 1.63 28-Mar-2011 kettenis

Clean nodes until the number of cached nodes is smaller than the maximum number
of nodes, otherwise we'll never actually clean any nodes. Fixes issues with
clients failing to attach because the node cache is completely filled.

ok damien@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.62 07-Aug-2010 krw

No "\n" needed at the end of panic() strings.

Bogus chunks pointed out by matthew@ and miod@. No cookies for
marco@ and jasper@.

ok deraadt@ miod@ matthew@ jasper@ macro@


# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


# 1.60 19-Jun-2010 damien

In ieee80211_node_leave(), clear the associd after calling
ieee80211_node_leave_rsn() since ieee80211_node_leave_rsn()
calls ic_delete_key() and drivers like ral(4) RT2860 need
a valid associd in their delete_key callbacks.
This affects HostAP mode only.

from Nathanael Rensen.

remove a useless (nested) #ifndef IEEE80211_STA_ONLY while i'm here


# 1.59 14-Jun-2010 damien

fix my previous commit, i forgot BIP, so instead of enumerating
what is not supported as a group cipher, enumerate what is supported.


# 1.58 14-Jun-2010 damien

do not try to associate with an AP using an unsupported group cipher,
otherwise we will panic in ieee80211_add_rsn_body().

this may be the cause of a panic seen by reyk@ though i'm not 100% sure.


# 1.57 28-Mar-2010 krw

Four uses of uninitialized variables found by clang via jsg@. ar5416, ar9287
and athn are only theoretically interesting. ieee80211_node fixes a real
bug in occupied channel detection.

ok damien@


Revision tags: OPENBSD_4_7_BASE
# 1.56 17-Feb-2010 damien

Do not always create a new node when a beacon or a probe response
is received. The creation of a new node is already handled in
ieee80211_recv_probe_resp() when necessary.
This avoids creating empty nodes with wrong channels when beacons
are received on the wrong channel (overlapping channels).
Those empty nodes may also prevent the real node from being
discovered because of ieee80211_find_node_for_beacon() filtering.

This should prevent entries of the form:
nwid "" chan 3 bssid 00:01:02:03:04:05 0dB 54M
in "ifconfig if0 scan" output, like reported by Rivo Nurges.


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.55 29-Jan-2009 damien

fix a panic that occurs when IEEE80211_STA_ONLY is defined (SMALL_KERNEL).

noticed by ray@, more investigation from sthen@
fix tested by sthen@


# 1.54 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.53 28-Jan-2009 damien

In ieee80211_find_node(), roll our own RB_FIND() based on the key (macaddr)
instead of resorting to horrid hacks/casts.
Restore the ieee80211_node structure back to its original state.


# 1.52 27-Jan-2009 damien

unbreak SMALL_KERNEL builds by adding missing #ifndef IEEE80211_STA_ONLY

pointed out by krw@


# 1.51 26-Jan-2009 damien

move ni_macaddr field to the top of the ieee80211_node structure.
this way we can avoid putting a full node structure (which is huge)
on the stack in ieee80211_find_node().
this is a bit tricky but the RB_FIND macro wants an "elem" structure,
not a field of "elem".


# 1.50 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.49 14-Dec-2008 damien

Add an ieee80211_notify_dtim() function that drivers should call after
every DTIM in HostAP mode.
Flushes all group addressed MSDUs buffered at the AP for power management.


# 1.48 23-Oct-2008 mk

Prevent a crash in ieee80211_setkeys() when unplugging an interface in
hostap mode by canceling the group rekey timeout in ieee80211_node_detach().

ok damien


# 1.47 15-Oct-2008 blambert

Second pass of simple timeout_add -> timeout_add_sec conversions
This should take care of the simpler ones (i.e., timeout values of
integer multiples of hz).

ok krw@, art@


# 1.46 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.45 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.44 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.43 12-Aug-2008 damien

new SHA-256 based AKMPs.


# 1.42 12-Aug-2008 damien

add/process group integrity cipher suite in RSN IEs.
add support for MFP negotiation during association.


# 1.41 12-Aug-2008 damien

the only integrity group cipher currently supported is AES-128-CMAC.


# 1.40 12-Aug-2008 damien

generate a random IGTK in HostAP mode if we're MFP-capable.


# 1.39 12-Aug-2008 damien

get rid of the map_ptk()/map_gtk() functions, just inline them
which makes things easier to track.


Revision tags: OPENBSD_4_4_BASE
# 1.38 02-Aug-2008 damien

Drop frames that are received unencrypted when WEP is on or when
WPA is on and RX protection for TA is on.
Keep track of the TX/RX protection for each node when WPA is on.

tested by djm@ (ral+wpa), ckuethe@ (ath-noenc) and krw@ (wpi<->ral+wpa).
hints from bluhm@
has been in snaps for a few days.

pointed out by bluhm@ something like 1 year ago but we did not have
the right infrastructure to fix it properly at that time.

ok deraadt@


# 1.37 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.36 27-Jul-2008 damien

s/IEEE80211_DPRINTF/DPRINTF/
automatically prepend __func__ to output.

deobfuscates debug messages a bit.
no binary change unless compiled with IEEE80211_DEBUG.


# 1.35 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.34 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


# 1.33 21-Apr-2008 damien

move ieee80211_ibss_merge() from ieee80211_input.c to ieee80211_node.c


# 1.32 21-Apr-2008 damien

move ieee80211_auth_open() to ieee80211_proto.c
move ieee80211_setup_rates() to ieee80211_node.c
move some prototypes from ieee80211_proto.h to ieee80211_crypto.h


# 1.31 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.30 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.29 07-Sep-2007 damien

use new malloc M_ZERO flag + replace MALLOC with malloc


Revision tags: OPENBSD_4_2_BASE
# 1.28 06-Jul-2007 damien

remove remaining bits for pre-RSNA shared authmode support.
it has been #if 0'd since 3.9 and we have never supported this mode (no
ifconfig option etc...).


# 1.27 06-Jul-2007 damien

initialize an uninitialized variable.


# 1.26 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.25 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.24 16-Jun-2007 damien

constify


# 1.23 16-Jun-2007 damien

don't mix u_int{8,16,32}_t and uint{8,16,32}_t
use u_int{8,16,32}_t everywhere.


# 1.22 16-Jun-2007 damien

de-static

ok jsg@


# 1.21 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.20 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


# 1.19 10-Apr-2007 miod

``it's'' -> ``its'' when the grammar gods require this change.


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 13-Nov-2006 damien

fix a possible NULL deref.


Revision tags: OPENBSD_4_0_BASE
# 1.16 19-Jun-2006 reyk

unbreak the code if compiled with IEEE80211_DEBUG by using the right
node attribute.

ok damien@, figured out by claudio@


# 1.15 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.14 19-Feb-2006 damien

Fix a comment in ieee80211_next_scan().


# 1.13 09-Oct-2005 reyk

if the wireless hostap interface belongs to a bridge, learn the node's
address dynamically on this interface after successful association.
this could speed wireless roaming to openbsd accesspoints.

ok jason@, jsg@ can't see anything objectionable


# 1.12 07-Oct-2005 reyk

minor knf


# 1.11 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.10 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.9 08-Sep-2005 jsg

Remove the last of the FreeBSD compatibility goop.
ok reyk@


# 1.8 08-Sep-2005 jsg

Remove FreeBSD if_printf compat function from net80211.
ok reyk@


# 1.7 08-Sep-2005 reyk

reset the scan state for each new mode

ok jsg@


# 1.6 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.5 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.4 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.3 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.2 02-Nov-2004 millert

Don't call memset() if MALLOC returns NULL; also fix the rcs ID.
From Patrick Latifi; OK reyk@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.170 29-Jul-2019 stsp

Add support for 802.11n Tx aggregation to net80211 and the iwn(4) driver.

In particular, add Tx block ack session management to net80211, with
enough functionality to support Tx aggregation on devices which perform
A-MPDU subframe scheduling in firmware.
Make use of the iwn(4) firmware Tx scheduler to build A-MPDUs.

net80211's QoS support code is now enabled and used by Tx aggregation.

A-MSDU frames inside A-MPDUs have been tested and work in principle.
For now, this feature is disabled because unfair TCP connection sharing
was observed during testing, where bursts of TCP Ack frames for a single
tcpbench(1) connection arriving in A-MSDUs made other TCP connections stall.
Switch off support for A-MSDUs inside A-MPDUs on the Rx side as well.

Tested on iwn chipsets 1000, 4965, 5100, 5300, 2200, 6200, 6205, 6300
(committed version of tested diff has all debug printfs removed)
tests/ok benno kmos mlarkin kevlo


# 1.169 23-Jul-2019 stsp

In 11n hostap mode, properly disable HT protection when needed
by actually overwriting the relevant bits in ni_htop1.
ok tedu@ phessler@ kettenis@


# 1.168 10-Jun-2019 stsp

Revised version of 'ifconfig mode' command fix.

The 'mode' command is supposed to force a wireless interface into 11a/b/g/n
media mode. This stopped working some time ago, probably during my work on
background scanning. Problem spotted by mlarkin@ who noticed that interfaces
were using 11g mode while forced to 11b mode.

ok phessler, jmatthew (earlier version)
relentless testing by krw@


# 1.167 31-May-2019 stsp

Revert my "Repair the 'ifconfig mode' command" commit.

The "recursion in end_scan()" problem is apparently still present in
the committed version of the diff (reported by krw@).


# 1.166 29-May-2019 stsp

Repair the 'ifconfig mode' command.

The 'mode' command is supposed to force a wireless interface into 11a/b/g/n
media mode. This stopped working some time ago, probably during my work on
background scanning. Problem spotted by mlarkin@ who noticed that interfaces
were using 11g mode while forced to 11b mode.

ok phessler, jmatthew


# 1.165 11-May-2019 stsp

Show driver name on net80211 scan debug lines.
ok mpi@


# 1.164 28-Apr-2019 mpi

Removes the KERNEL_LOCK() from bridge(4)'s output fast-path.

This redefines the ifp <-> bridge relationship. No lock can be
currently used across the multiples contexts where the bridge has
tentacles to protect a pointer, use an interface index.

Tested by various, ok dlg@, visa@


Revision tags: OPENBSD_6_5_BASE
# 1.163 15-Mar-2019 phessler

fix autojoin for WEP network by actually saving the WEP auth key

discovered while attempting to autojoin WEP networks


# 1.162 01-Mar-2019 stsp

Improve handling of HT protection for 'mode 11n' hostap.

Consider the mere presence of HTCAP IEs as indicator of 11n support,
rather than checking advertised Rx MCS. Fixes some devices being
misclassified as 11a/g, causing HT protection to be enabled even
though it is not needed.

Use CTS-to-self frames for HT protection instead of RTS/CTS.

These changes make my athn(4) AR9280 hostap perform much better.

ok phessler@


# 1.161 23-Jan-2019 stsp

Move 802.11n rateset definitions out of MiRA and make them available to
net80211 and drivers in general. Add ratesets for 'short guard interval'
(SGI) rates, and add SGI support to MiRA. SGI is currently only used by
iwm(4), and of course internally by bwfm(4) firmware.
Ratesets for 11n 40 MHz channels and 11ac will come later.
ok mpi@ phessler@


# 1.160 18-Jan-2019 phessler

add a len field when we delete an essid from the joinlist. this will have
us properly match, instead of hoping we got lucky when selecting it.

OK stsp@


# 1.159 18-Jan-2019 phessler

let users automatically use join to connect to any open wifi network.
if a known network is visible, always prefer that instead.

requested by many, OK stsp@


# 1.158 25-Nov-2018 phessler

print more details about the join'd networks we have saved when a user runs
ifconfig if joinlist

OK stsp@


# 1.157 20-Nov-2018 phessler

fix whitespace in debugging function


# 1.156 20-Nov-2018 patrick

The first packet received from each AP in each QoS class would be
dropped as the sequence number matches the initial value of the
cached last sequence number (zero). On some APs (notably Android
WIFI hotspots) this hits the first packet of the WPA2 4-way
handshake. This causes connection delays and in some cases
connection to the AP fails completely. Initialize the cached last
sequence numbers for received packets to an invalid value instead.

From Christian Ehrhardt
ok gerhard@ stsp@
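The bug and fix described in this commit message, as an added example that is not OpenBSD's code: per-TID duplicate detection for received 802.11 frames, once with the cached sequence number initialised to zero and once with an out-of-range sentinel. The struct, function names, flag values and the constructed frame stream are assumptions for illustration.

```c
/*
 * Added example (not OpenBSD code): why the cached "last received
 * sequence number" must start out invalid rather than zero.
 * Names (struct rx_node, rx_is_duplicate, ...) are hypothetical.
 */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define NUM_TIDS    16      /* 802.11 traffic identifiers (QoS classes) */
#define SEQ_MASK    0x0fff  /* 802.11 sequence numbers are 12 bits wide */
#define SEQ_NONE    0xffff  /* sentinel: outside the 12-bit range, so never matches */
#define FLAG_RETRY  0x01    /* Retry bit from the frame control field (assumed flag) */

/* Hypothetical per-peer receive state. */
struct rx_node {
	uint16_t last_seq[NUM_TIDS];   /* last accepted sequence number per TID */
};

/* Buggy initialisation: zero "matches" a first frame carrying seqno 0. */
static void rx_node_init_zero(struct rx_node *ni)
{
	memset(ni, 0, sizeof(*ni));
}

/* Fixed initialisation: no real sequence number can equal the sentinel. */
static void rx_node_init_fixed(struct rx_node *ni)
{
	int tid;

	for (tid = 0; tid < NUM_TIDS; tid++)
		ni->last_seq[tid] = SEQ_NONE;
}

/*
 * 802.11 duplicate detection: a retransmitted frame (Retry bit set) whose
 * sequence number equals the last one accepted on this TID is a duplicate.
 * Returns true if the frame must be discarded; otherwise records the
 * sequence number and returns false.
 */
static bool rx_is_duplicate(struct rx_node *ni, int tid, uint16_t seqctl, int flags)
{
	uint16_t seq = (seqctl >> 4) & SEQ_MASK;   /* strip the 4-bit fragment number */

	if (tid < 0 || tid >= NUM_TIDS)
		return false;
	if ((flags & FLAG_RETRY) && ni->last_seq[tid] == seq)
		return true;
	ni->last_seq[tid] = seq;
	return false;
}

/*
 * Replay the scenario from the commit message with a constructed stream:
 * the first frame on TID 0 (think EAPOL message 1 of the 4-way handshake)
 * arrives with sequence number 0 and the Retry bit set because the AP's
 * first transmission went unacknowledged. Returns how many of the three
 * frames are accepted.
 */
static int run_scenario(void (*init)(struct rx_node *))
{
	/* constructed: seq 0 (retry), seq 1, then a retransmission of seq 1 */
	static const struct { uint16_t seqctl; int flags; } frames[] = {
		{ 0 << 4, FLAG_RETRY }, { 1 << 4, 0 }, { 1 << 4, FLAG_RETRY },
	};
	struct rx_node ni;
	int accepted = 0;
	size_t i;

	init(&ni);
	for (i = 0; i < sizeof(frames) / sizeof(frames[0]); i++)
		if (!rx_is_duplicate(&ni, 0, frames[i].seqctl, frames[i].flags))
			accepted++;
	return accepted;
}

/* With zero initialisation the handshake frame is lost; with the fix it is kept. */
int accepted_with_zero_init(void)  { return run_scenario(rx_node_init_zero); }   /* returns 1 */
int accepted_with_fixed_init(void) { return run_scenario(rx_node_init_fixed); }  /* returns 2 */
```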


# 1.155 27-Oct-2018 phessler

pass around the ess and ni structures we plan to use directly, instead
of rediscovering them (possibly badly).

OK stsp@


# 1.154 27-Oct-2018 phessler

clean up accounting of the AUTO_JOIN flag by making sure it is set or cleared
based on the state of the joinlist

OK stsp@


# 1.153 27-Oct-2018 phessler

don't join to a network where we expect cleartext, and the AP is using crypto

OK stsp@


Revision tags: OPENBSD_6_4_BASE
# 1.152 18-Sep-2018 mestre

fix memory leak in ieee80211_end_scan()

OK phessler@ jsg@


# 1.151 17-Sep-2018 jsg

fix memory leaks in ieee80211_add_ess()
ok stsp@ phessler@


# 1.150 11-Sep-2018 phessler

use the format string for signed ints, for signed ints

reminded by stsp@


# 1.149 11-Sep-2018 phessler

With the interface debug flag enabled, print a "score" for each AP we
consider during auto-join. This can help users determine why a specific
network was chosen.

OK stsp@


# 1.148 10-Sep-2018 phessler

fix typo in the length of the essid we want to switch to

found with and OK stsp@


# 1.147 10-Sep-2018 phessler

extract clearing WEP/WPA in ess into helper functions


# 1.146 10-Sep-2018 phessler

give set_ess a len variable, so we can correctly match the essid we want
to switch to.

pointed out by stsp@


# 1.145 09-Sep-2018 phessler

convert the things we save in 'join' into a single ioctl. mixing related
settings over multiple calls was risky and racy. Pass essid, wpa, and wep
parameters in a single ioctl and process it atomically.

no change for 'nwid' users

OK stsp@ benno@


# 1.144 06-Sep-2018 jsg

fix whitespace


# 1.143 01-Sep-2018 stsp

Make 'ifconfig nwid' override 'ifconfig join'.

There was no way to override a decision made by join's network
selection algorithm (apart from disabling the feature by clearing
the join list). Automatic selection is based on heuristics which
cannot always guess correctly so we need to provide an override.

One specific problem was that if 'nwid foo' and 'nwid bar' were
both visible in the scan and only 'nwid foo' was a member of the
join list, then there was no way at all to connect to 'nwid bar'.
The wireless stack would keep selecting 'nwid foo' instead.

'ifconfig iwm0 nwid bar' command will now disable automatic
network selection and force the use of ESSID 'bar'.
Any of these commands will re-enable automatic network selection:
ifconfig iwm0 -nwid
ifconfig iwm0 nwid ''
ifconfig iwm0 join some-network-id

ok phessler@ deraadt@


# 1.142 15-Aug-2018 stsp

Update AP selection heuristics for auto-join.

We now prefer stronger crypto over weaker crypto over none, prefer 5 GHz
band with reasonable RSSI, and use RSSI as a tie-breaker with a slight
advantage for 5GHz. Candidate APs are now ranked by a score which is
calculated based on these attributes.

There is likely room for improvements to make these heuristics
work well across many different environments, but it's a start.

ok phessler@
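The ranking this commit message describes, as an added example that is not OpenBSD's code: a score per candidate AP in which crypto strength dominates, a 5 GHz candidate with usable signal beats any 2 GHz one, and RSSI breaks ties with a slight 5 GHz bonus. The weights, the RSSI threshold, the percentage unit for RSSI and the constructed scan results are assumptions.

```c
/*
 * Added example (not OpenBSD code): auto-join candidate scoring.
 * Weights, threshold and RSSI unit are assumptions for illustration.
 */
#include <stddef.h>

enum ap_crypto { CRYPTO_NONE = 0, CRYPTO_WEP = 1, CRYPTO_WPA1 = 2, CRYPTO_WPA2 = 3 };

struct ap_candidate {
	const char *label;     /* constructed name, for readability only */
	enum ap_crypto crypto;
	int is_5ghz;
	int rssi_pct;          /* signal strength as a percentage 0..100 (assumed unit) */
};

#define RSSI_5GHZ_GOOD  50   /* "reasonable RSSI" threshold for the 5 GHz bonus (assumed) */

/* Higher is better. Each tier is weighted so it dominates the tiers below it. */
int ap_score(const struct ap_candidate *ap)
{
	int score = 0;

	/* tier 1: stronger crypto over weaker crypto over none */
	score += (int)ap->crypto * 1000;
	/* tier 2: 5 GHz with usable signal beats any 2 GHz candidate */
	if (ap->is_5ghz && ap->rssi_pct >= RSSI_5GHZ_GOOD)
		score += 500;
	/* tier 3: RSSI as tie-breaker, with a slight advantage for 5 GHz */
	score += ap->rssi_pct;
	if (ap->is_5ghz)
		score += 5;
	return score;
}

/* Returns the index of the highest-scoring candidate, or -1 for an empty list. */
int ap_select(const struct ap_candidate *aps, int n)
{
	int best = -1, best_score = -1, i;

	for (i = 0; i < n; i++) {
		int s = ap_score(&aps[i]);
		if (s > best_score) {
			best_score = s;
			best = i;
		}
	}
	return best;
}

/* Constructed scan result: four APs advertising the same ESSID. */
static const struct ap_candidate scan_results[] = {
	{ "open-2g-strong", CRYPTO_NONE, 0, 90 },   /* strongest signal, but no crypto */
	{ "wpa2-2g-strong", CRYPTO_WPA2, 0, 80 },
	{ "wpa2-5g-weak",   CRYPTO_WPA2, 1, 30 },   /* 5 GHz but below the RSSI threshold */
	{ "wpa2-5g-ok",     CRYPTO_WPA2, 1, 55 },
};
#define NSCAN ((int)(sizeof(scan_results) / sizeof(scan_results[0])))

/* The open AP loses despite its signal; weak 5 GHz loses to strong 2 GHz;
 * "wpa2-5g-ok" (index 3) wins. */
int demo_selected(void) { return ap_select(scan_results, NSCAN); }   /* returns 3 */
```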


# 1.141 13-Aug-2018 stsp

Add support for band-steering access points to net80211.

Some access points have a feature called "band steering" where they
will try to push clients from 2 GHz channels to 5 GHz channels.
If a client sends probe-requests on both 2 GHz and 5GHz channels, and
then attempts to authenticate on a 2 GHz channel, such APs will deny
authentication and hope that the client will come back on a 5 GHz channel.

So if we fail to AUTH for any reason, and if there is a different
AP with the same ESSID that we haven't tried yet, try that AP next.
Keep trying until no APs are left, and only then continue scanning.

APs with support for this feature were provided by Mischa Peters.

ok phessler@ mpi@


# 1.140 11-Aug-2018 stsp

Add comment explaining why we read basic MCS set only from beacon/probereq.
requested by mpi@


# 1.139 07-Aug-2018 stsp

Ignore basic MCS set information found in association responses.

Some APs (Aruba 105) send a bogus basic MCS set in assoc responses
which prevents us from enabling 11n support with those APs, while
these APs still behave as if we were an 11n client which renders
the association unusable.

The basic MCS set is already provided in beacons anyway, and the
802.11 2012 standard says the basic MCS set is reserved in frames
other than beacons (see Table 8-130).

ok mpi@


# 1.138 06-Aug-2018 stsp

Refactor ieee80211_add_ess():

Drop ieee80211_add_ess's nwid parameter. Read nwid and length directly
from the ic to make it more obvious where this function is reading from.

nwids are binary data with an explicit length, so treat them as such
instead of treating them like strings.

ok florian phessler


# 1.137 06-Aug-2018 florian

Do not set nwid over and over again. We just found the ess by comparing
the nwid. It will not have changed in the meantime.
OK stsp


# 1.136 03-Aug-2018 phessler

revert 1.133 and part of 1.131
the stack doesn't always fill in the parameters correctly

reported by many


# 1.135 30-Jul-2018 stsp

Don't ask drivers to join a wifi network before an AP has been chosen.
Should fix a panic with bwfm(4) reported by mlarkin@
ok phessler@


# 1.134 19-Jul-2018 florian

ieee80211_ess_is_better() returns 0 or 1, comparing > 1 is always
false so we always selected the first wifi available, not the best
one.

While here shuffle some deck chairs to make it clearer that anything is
better than nothing.

tweak & OK phessler


# 1.133 16-Jul-2018 phessler

the AP sends their crypto parameters as a mask, so let us still select it
in case we want WPA2 and they have WPA1 still enabled


# 1.132 16-Jul-2018 phessler

don't save or use auto-join when the card is not in station (aka client) mode

OK stsp@


# 1.131 13-Jul-2018 phessler

Some more checks before auto-join switches networks.

Make sure all of the crypto options the AP announces matches what we
would configure. While here, don't switch if the user has specified
a specific BSSID, and the new AP does not match.

OK stsp@


# 1.130 11-Jul-2018 phessler

Introduce 'auto-join' to the wifi 802.11 stack.

This allows a system to remember which ESSIDs it wants to connect to, any
relevant security configuration, and switch to it when the network we are
currently connected to is no longer available.

Works when connecting and switching between WPA2/WPA1/WEP/clear encryptions.

example hostname.if:
join home wpakey password
join work wpakey mekmitasdigoat
join open-lounge
join cafe wpakey cafe2018
join "wepnetwork" nwkey "12345"
dhcp
inet6 autoconf
up

OK stsp@ reyk@
and enthusiasm from every hackroom I've been in for the last 3 years


# 1.129 28-Apr-2018 stsp

When starting a background scan, free the nodes table to ensure we
get an up-to-date view of APs around us. In particular, we need to
kick out the AP we are associated to. Otherwise, our current AP might
stay cached if it is turned off while we are scanning, and we could
end up picking a now non-existent but "good looking" AP over and over.

found with and ok phessler@


# 1.128 27-Apr-2018 stsp

Fix the scan loop: We were only looking for an AP once and stopped
scanning if none was found.
Accidentally broken in recent ifconfig scan changes by pirofti and me.
ok pirofti


# 1.127 26-Apr-2018 pirofti

net80211: stub SIOCS80211SCAN, make ifconfig scan instant.

The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stsp@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.

The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.

In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.

The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...

Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.

Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).

Tested by mpi@, landry@, florian@, thanks!
OK mpi@.


Revision tags: OPENBSD_6_3_BASE
# 1.126 06-Feb-2018 phessler

convert the test if a node supports HT (aka, 11n) into an inline function,
instead of testing some un-obvious bitfield

OK stsp@


# 1.125 12-Dec-2017 stsp

Don't dereference IEEE80211_CHAN_ANYC pointer in ieee80211_node_checkrssi().

Problem reported by Gregoire Jadi on bugs@


# 1.124 12-Dec-2017 phessler

Allow interfaces that aren't SCANNALLBAND drivers to benefit from the
strongest received signal.

OK stsp@


# 1.123 12-Dec-2017 jcs

Fix the behavior of preferring weaker-but-still-good 5GHz APs over
2GHz APs because the 5GHz band is generally less saturated.

The previous implementation was dependent upon the order of walking
APs.

ok stsp


# 1.122 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


Revision tags: OPENBSD_6_2_BASE
# 1.121 05-Sep-2017 stsp

When starting a new scan always set the mode to AUTO if the driver scans
all bands at once. Fixes a problem where e.g. 5GHz APs were filtered out
if we were previously associated to an 11g-only AP.
ok mpi@ phessler@


# 1.120 17-Aug-2017 stsp

Add an entry to dmesg if pairwise WPA keys arrive unexpectedly or if WPA
group keys are being reused. OpenBSD wireless clients will now leave a
trail of such events in their message log.

There has been increased public scrutiny of WPA's security recently, so
I am curious to see if anyone is attempting replay attacks in the wild.

ok deraadt


# 1.119 04-Aug-2017 stsp

Compile a debug printf in ieee80211_match_bss() by default, previously
guarded by the IEEE80211_DEBUG preprocessor flag. This shows one line
per detected AP after a scan, and indicates which APs are considered
candidates for association.
Shorten the output a bit to fit into 80 columns more likely.
ok sthen@


# 1.118 19-Jul-2017 stsp

Improve the heuristic which selects 5GHz APs over 2GHz APs.

The previous code wasn't quite right: it didn't account for the fact that
some drivers don't set ic_max_rssi, and it compared 5GHz APs to a threshold
relative to the max RSSI, rather than comparing RSSI on 5GHz relative to
RSSI on 2GHz.

This heuristic is only used by SCANNALLBAND drivers: iwn(4), iwm(4), wpi(4)

In the future the AP selection heuristic should be made more intelligent,
e.g. it should take BSS load information in beacons into account.
Another open problem is inconsistent representation of RSSI measurement
values throughout our drivers and stack. Help is welcome!

For now, this hopefully improves AP selection at busy airports.

ok sthen@ deraadt@


# 1.117 04-Jun-2017 tb

Add sizes for free for the RSN IEs. Rewrite ieee80211_save_ie() slightly
to make it more readable.

help, many explanations and ok stsp


# 1.116 03-Jun-2017 tb

Add a few sizes to free().

Input, help & ok stsp


Revision tags: OPENBSD_6_1_BASE
# 1.115 04-Mar-2017 stsp

branches: 1.115.4;
In 11n hostap mode, dynamically adjust HT protection settings based on
the presence of non-HT nodes in the node cache.
OpenBSD 11n APs will now disable HT protection if it is not necessary.
ok mpi@


# 1.114 03-Feb-2017 stsp

Fix 11b clients sending bogus ratesets in association requests. The common
rateset with the AP is calculated only after the association response was
received, which is too late. Fix rates when an AP is selected after a scan.
ok mpi@ tb@


# 1.113 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.112 16-Jan-2017 stsp

Reset block ack state and cancel related timeouts when a HT node disassociates.
The existing code (from damien@) already took care of freeing related buffers
but because block ack state was not reset we were still trying to use these
buffers if the node sent another A-MPDU. This problem only affects 11n hostap.
Fixes kernel crash reported by Timo Myyra on bugs@


# 1.111 09-Jan-2017 stsp

When a HT node leaves or reassociates as a non-HT node,
clear HT capabilities stored in its node cache object.

A node may switch from 11n mode to 11a/b/g mode.
If we don't clear HT capabilities from the cache the node will
be mistaken as 11n-capable after reassociation.

ok phessler@ mpi@


# 1.110 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.109 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.108 09-Jan-2017 stsp

The point of ieee80211_node_leave() is to place the node in COLLECT state.
Return early and do nothing if the node is already in COLLECT state upon
entry to this function.


# 1.107 09-Jan-2017 stsp

When acting as hostap, negotiate HT before calling the driver's ic_newassoc()
function, not afterwards. Drivers now know whether a joining node supports HT
which helps with setting up state such as which Tx rate to use.


# 1.106 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@


# 1.105 15-Sep-2016 dlg

move from RB macros to the RBT functions.

shaves about 5k off an amd64 GENERIC.MP kernel


# 1.104 17-Aug-2016 stsp

If a wireless device or driver scans all bands at once give 5GHz APs
a slight priority in cases where good matches exist in either band.
ok sthen@


Revision tags: OPENBSD_6_0_BASE
# 1.103 21-May-2016 stsp

branches: 1.103.2;
Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


# 1.102 18-May-2016 stsp

In hostap mode, don't re-use association IDs (AIDs) of nodes which are
still lingering in the node cache. This could cause an AID to be assigned
twice, once to a newly associated node and once to a different node in
COLLECT cache state (i.e. marked for future eviction from the node cache).

Drivers (e.g. rt2860) may use AIDs to keep track of nodes in firmware
tables and get confused when AIDs aren't unique across the node cache.
The symptom observed with rt2860 was nodes stuck at 1 Mbps Tx rate since
the duplicate AID made the driver perform Tx rate (AMRR) accounting on
the wrong node object.

To find out if a node is associated we now check the node's cache state,
rather than comparing the node's AID against zero. An AID is assigned when
a node associates and it lasts until the node is eventually purged from the
node cache (previously, the AID was made available for re-use when the node
was placed in COLLECT state). There is no need to be stingy with AIDs since
the number of possible AIDs exceeds the maximum number of nodes in the cache.

Problem found by Nathanael Rensen.
Fix written by Nathanael and myself. Tested by Nathanael.
Committing now to get this change tested across as many drivers as possible.


# 1.101 12-Apr-2016 mpi

Call if_enqueue() and if_start() instead of dereferencing the ifp
pointers.

These functions have been introduced to abstract some of the MP-
safeness^Wmadness and should be used everywhere.

Prodded by a comment from jsg@.

ok mikeb@, stsp@


# 1.100 03-Mar-2016 gerhard

Restore assignment of ic_curmode that was accidentally removed when
moving the ERP code to post-assoc phase. Fixes iwi(4) fatal firmware
errors.

ok stsp@, sobrado@


Revision tags: OPENBSD_5_9_BASE
# 1.99 25-Jan-2016 stsp

branches: 1.99.2;
Honour ERP protection on 2 GHz channels in 11n mode, as done for 11g.
ok millert@


# 1.98 25-Jan-2016 stsp

Don't try to interpret htprot data if the last beacon didn't contain such data.
ok mpi@ millert@


# 1.97 07-Jan-2016 stsp

Make the A-MPDU reordering buffer more resilient against APs which drop
some subframes or let the sequence number jump up by more than 1 (hard
to tell which it is). We decrease the BA inactivity timeout for quicker
recovery from stalled BA sessions, and add a new timeout which keeps track
of gaps in the subframe sequence number space due to dropped frames.
Gaps expire after 500 msec, the same value FreeBSD uses for their
implementation of this workaround. And Linux uses this trick, too.

This should fix network stalls some people have been seeing in 11n mode.

ok deraadt@


# 1.96 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.95 04-Jan-2016 stsp

While configuring ERP we need to know if we're in 11a or 11g mode so only
configure ERP once we are sure about our operation mode against the AP.
ok sthen jasper kettenis deraadt mpi


# 1.94 18-Dec-2015 sthen

unnoccupied->unoccupied


# 1.93 12-Dec-2015 stsp

Finish support for receiving 11n A-MPDUs.

The initial implementation was added by damien@ years ago.
Summary of the changes made in this commit:
- In ieee80211_input(), process A-MPDUs before duplicate detection.
- Don't forget to set ba->ba_ni in ieee80211_recv_addba_req()
so we don't crash in ieee80211_rx_ba_timeout().
- In ieee80211_recv_addba_req(), tweak the logic to deny BlockAck
requests if the driver has no callback for doing so.
- Implement ieee80211_ba_del() which cleans up BlockAck state.
- Increase the minimum and maximum lifetime for BlockAck agreements.

ok mpi@


# 1.92 24-Nov-2015 mpi

No need to include <net/if_arp.h>

This header is only needed because <netinet/if_ether.h> declares a
structure that needs it. But it turns out that <net/if.h> already
includes it as workaround.

A proper solution would be to stop declaring "struct ether_arp"
there. But no driver should need this header.


# 1.91 15-Nov-2015 stsp

Parse 11n HT capabilities and operational info from association response
frames, negotiate HT with the AP, and move the interface into or out of
11n mode accordingly. If running as AP negotiate HT with nodes joining the BSS.

ok deraadt mpi kettenis guenther


# 1.90 15-Nov-2015 stsp

Extend struct ieee80211_node with fields for 11n STA HT capabilities and
HT operational information sent by 11n APs. These fields reflect the structure
of elements in management frames so that IEEE80211_HTCAP* and IEEE80211_HTOP*
macros designed to operate on frame elements can be used directly to read
or set the fields.

Populate nodes with HT information received in probe responses, probe
requests, and association requests.

ok deraadt mpi phessler kettenis guenther


# 1.89 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


Revision tags: OPENBSD_5_8_BASE
# 1.88 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.87 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.86 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.85 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.84 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.83 12-Sep-2014 sthen

Remove cached 802.11 nodes in IEEE80211_STA_CACHE state (these are nodes
which have been seen but which haven't otherwise interacted with us), fixing
a problem where old cached nodes are seen when doing a scan.
From Marcin Piotr Pawlowski, feedback stsp@ ok kspillner@ dcoppa@


# 1.82 08-Aug-2014 jasper

use nitems() instead of various local constructs

ok stsp@


Revision tags: OPENBSD_5_6_BASE
# 1.81 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


Revision tags: OPENBSD_5_5_BASE
# 1.80 01-Dec-2013 stsp

Reset txrate array index after changing a node's rate list.
Should prevent "bogus xmit rate %d setup" panics, which I ran into again
in IBSS mode.
ok kettenis


# 1.79 21-Nov-2013 mpi

Remove unneeded include.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.78 24-Mar-2013 claudio

Make ieee80211_set_tim() available from outside of ieee80211_node.c
so drivers like acx(4) can use that function directly instead of
reimplementing the function again. Requested by kettenis@ a long time ago.


Revision tags: OPENBSD_5_3_BASE
# 1.77 07-Nov-2012 stsp

Fix DPRINTF() format string treating n->ni_refcnt, which is unsigned, as signed.
diff from dhill; ok kettenis reyk


# 1.76 10-Oct-2012 kettenis

Clear the powersave flag and purge queued packets when a node leaves the AP
(either by disassociating or by timeout). Fixes (most) remaining issues with
power saving.

From Nathanael Rensen.

ok claudio@, krw@, sthen@


# 1.75 05-Oct-2012 camield

Point an interface directly to its bridgeport configuration, instead
of to the bridge itself. This is ok, since an interface can only be part
of one bridge, and the parent bridge is easy to find from the bridgeport.

This way we can get rid of a lot of list walks, improving performance
and shortening the code.

ok henning stsp sthen reyk


# 1.74 20-Sep-2012 stsp

Nuke M_80211_NODE #define which mapped to M_DEVBUF and use M_DEVBUF directly.
ok henning


# 1.73 25-Aug-2012 kettenis

Set up ni_savedq for the initial BSS node such that it can actually be used
to store multicast frames when one of the associated stations is in power
saving mode.

ok stsp@


# 1.72 17-Aug-2012 stsp

Fix possible panic while switching from STA mode into hostap/ibss modes.
ieee80211_create_ibss() resets the set of supported rates but failed
to update the index into the rate set array accordingly. If the rate
configured during STA operation didn't belong to the newly configured
rate set the system ran into an assertion ("bogus xmit rate %u setup")
while trying to create the IBSS.
ok fgsch@


Revision tags: OPENBSD_5_2_BASE
# 1.71 18-Jul-2012 stsp

Print messages about nodes purged from the node cache if hostap/ibss modes are
compiled in and the interface is in debug mode. ok sthen


# 1.70 16-Jul-2012 stsp

Move increment of ic_nnodes closer to where the node is actually inserted
into the cache. Make sure we're at IPL_NET while incrementing/decrementing
ic_nnodes. Add a debug message that warns about possible node leaks.
All of this affects hostap mode only.


# 1.69 13-Jul-2012 stsp

Tweak node cache eviction strategy when the cache is full: kick off new nodes
in AUTH state that weren't active during the cache wait interval rather than
keeping them for the entire cache timeout interval. Fixes association failures
in noisy RF environments. Tested by edd and myself with a slow soekris
suffering from RF noise with about 50 interrupts per second on ral0.
ok deraadt


Revision tags: OPENBSD_5_1_BASE
# 1.68 25-Jan-2012 stsp

There is no need to explicitly skip ic_bss when iterating over cached nodes.
The ic_bss is never put into the RB tree.


# 1.67 25-Jan-2012 stsp

Clean inactive authenticated nodes during cache timeout as well.
There is no need to keep nodes cached which never associated and were
inactive within the last 5 minutes or more. Keeps the node cache pretty
clean in my environment with typical city-center wlan noise.


# 1.66 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@


# 1.65 21-Jan-2012 stsp

Hold interrupts blocked while comparing a cached node's refcount to zero
and freeing the node. Just in case an interrupt happens to ref the node after
the refcount was checked but before the node is freed.
Tested by several as part of a larger diff.


# 1.64 18-Jan-2012 stsp

Make it possible to free cached nodes which never associated (e.g. nodes
only scanning for networks). These were never put into COLLECT state and
were thus never evicted from the node cache in hostap mode.
ok jsg@


Revision tags: OPENBSD_5_0_BASE
# 1.63 28-Mar-2011 kettenis

Clean nodes until the number of cached nodes is smaller than the maximum number
of nodes, otherwise we'll never actually clean any nodes. Fixes issues with
clients failing to attach because the node cache is completely filled.

ok damien@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.62 07-Aug-2010 krw

No "\n" needed at the end of panic() strings.

Bogus chunks pointed out by matthew@ and miod@. No cookies for
marco@ and jasper@.

ok deraadt@ miod@ matthew@ jasper@ macro@


# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


# 1.60 19-Jun-2010 damien

In ieee80211_node_leave(), clear the associd after calling
ieee80211_node_leave_rsn() since ieee80211_node_leave_rsn()
calls ic_delete_key() and drivers like ral(4) RT2860 need
a valid associd in their delete_key callbacks.
This affects HostAP mode only.

from Nathanael Rensen.

remove a useless (nested) #ifndef IEEE80211_STA_ONLY while i'm here


# 1.59 14-Jun-2010 damien

fix my previous commit, i forgot BIP, so instead of enumerating
what is not supported as a group cipher, enumerate what is supported.


# 1.58 14-Jun-2010 damien

do not try to associate with an AP using an unsupported group cipher,
otherwise we will panic in ieee80211_add_rsn_body().

this may be the cause of a panic seen by reyk@ though i'm not 100% sure.


# 1.57 28-Mar-2010 krw

Four uses of uninitialized variables found by clang via jsg@. ar5416, ar9287
and athn are only theoretically interesting. ieee80211_node fixes a real
bug in occupied channel detection.

ok damien@


Revision tags: OPENBSD_4_7_BASE
# 1.56 17-Feb-2010 damien

Do not always create a new node when a beacon or a probe response
is received. The creation of a new node is already handled in
ieee80211_recv_probe_resp() when necessary.
This avoids creating empty nodes with wrong channels when beacons
are received on the wrong channel (overlapping channels).
Those empty nodes may also prevent the real node from being
discovered because of ieee80211_find_node_for_beacon() filtering.

This should prevent entries of the form:
nwid "" chan 3 bssid 00:01:02:03:04:05 0dB 54M
in "ifconfig if0 scan" output, like reported by Rivo Nurges.


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.55 29-Jan-2009 damien

fix a panic that occurs when IEEE80211_STA_ONLY is defined (SMALL_KERNEL).

noticed by ray@, more investigation from sthen@
fix tested by sthen@


# 1.54 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.53 28-Jan-2009 damien

In ieee80211_find_node(), roll our own RB_FIND() based on the key (macaddr)
instead of resorting to horrid hacks/casts.
Restore the ieee80211_node structure back to its original state.


# 1.52 27-Jan-2009 damien

unbreak SMALL_KERNEL builds by adding missing #ifndef IEEE80211_STA_ONLY

pointed out by krw@


# 1.51 26-Jan-2009 damien

move ni_macaddr field at the top of the ieee80211_node structure.
this way we can avoid putting a full node structure (which is huge)
on the stack in ieee80211_find_node().
this is a bit tricky but the RB_FIND macro wants an "elem" structure,
not a field of "elem".


# 1.50 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.49 14-Dec-2008 damien

Add an ieee80211_notify_dtim() function that drivers should call after
every DTIM in HostAP mode.
Flushes all group addressed MSDUs buffered at the AP for power management.


# 1.48 23-Oct-2008 mk

Prevent a crash in ieee80211_setkeys() when unplugging an interface in
hostap mode by canceling the group rekey timeout in ieee80211_node_detach().

ok damien


# 1.47 15-Oct-2008 blambert

Second pass of simple timeout_add -> timeout_add_sec conversions
This should take care of the simpler ones (i.e., timeout values of
integer multiples of hz).

ok krw@, art@


# 1.46 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.45 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.44 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.43 12-Aug-2008 damien

new SHA-256 based AKMPs.


# 1.42 12-Aug-2008 damien

add/process group integrity cipher suite in RSN IEs.
add support for MFP negotiation during association.


# 1.41 12-Aug-2008 damien

the only integrity group cipher currently supported is AES-128-CMAC.


# 1.40 12-Aug-2008 damien

generate a random IGTK in HostAP mode if we're MFP-capable.


# 1.39 12-Aug-2008 damien

get rid of the map_ptk()/map_gtk() functions, just inline them
which makes things easier to track.


Revision tags: OPENBSD_4_4_BASE
# 1.38 02-Aug-2008 damien

Drop frames that are received unencrypted when WEP is on or when
WPA is on and RX protection for TA is on.
Keep track of the TX/RX protection for each node when WPA is on.

tested by djm@ (ral+wpa), ckuethe@ (ath-noenc) and krw@ (wpi<->ral+wpa).
hints from bluhm@
has been in snaps for a few days.

pointed out by bluhm@ something like 1 year ago but we did not have
the right infrastructure to fix it properly at that time.

ok deraadt@


# 1.37 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.36 27-Jul-2008 damien

s/IEEE80211_DPRINTF/DPRINTF/
automatically prepend __func__ to output.

deobfuscates debug messages a bit.
no binary change unless compiled with IEEE80211_DEBUG.


# 1.35 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.34 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


# 1.33 21-Apr-2008 damien

move ieee80211_ibss_merge() from ieee80211_input.c to ieee80211_node.c


# 1.32 21-Apr-2008 damien

move ieee80211_auth_open() to ieee80211_proto.c
move ieee80211_setup_rates() to ieee80211_node.c
move some prototypes from ieee80211_proto.h to ieee80211_crypto.h


# 1.31 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.30 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.29 07-Sep-2007 damien

use new malloc M_ZERO flag + replace MALLOC with malloc


Revision tags: OPENBSD_4_2_BASE
# 1.28 06-Jul-2007 damien

remove remaining bits for pre-RSNA shared authmode support.
it has been #if 0'd since 3.9 and we have never supported this mode (no
ifconfig option etc...).


# 1.27 06-Jul-2007 damien

initialize an uninitialized variable.


# 1.26 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.25 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.24 16-Jun-2007 damien

constify


# 1.23 16-Jun-2007 damien

don't mix u_int{8,16,32}_t and uint{8,16,32}_t
use u_int{8,16,32}_t everywhere.


# 1.22 16-Jun-2007 damien

de-static

ok jsg@


# 1.21 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.20 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


# 1.19 10-Apr-2007 miod

``it's'' -> ``its'' when the grammar gods require this change.


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 13-Nov-2006 damien

fix a possible NULL deref.


Revision tags: OPENBSD_4_0_BASE
# 1.16 19-Jun-2006 reyk

unbreak the code if compiled with IEEE80211_DEBUG by using the right
node attribute.

ok damien@, figured out by claudio@


# 1.15 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.14 19-Feb-2006 damien

Fix a comment in ieee80211_next_scan().


# 1.13 09-Oct-2005 reyk

if the wireless hostap interface belongs to a bridge, learn the node's
address dynamically on this interface after successful association.
this could speed wireless roaming to openbsd access points.

ok jason@, jsg@ can't see anything objectionable


# 1.12 07-Oct-2005 reyk

minor knf


# 1.11 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.10 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.9 08-Sep-2005 jsg

Remove the last of the FreeBSD compatibility goop.
ok reyk@


# 1.8 08-Sep-2005 jsg

Remove FreeBSD if_printf compat function from net80211.
ok reyk@


# 1.7 08-Sep-2005 reyk

reset the scan state for each new mode

ok jsg@


# 1.6 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.5 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.4 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.3 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.2 02-Nov-2004 millert

Don't call memset() if MALLOC returns NULL; also fix the rcs ID.
From Patrick Latifi; OK reyk@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.169 23-Jul-2019 stsp

In 11n hostap mode, properly disable HT protection when needed
by actually overwriting the relevant bits in ni_htop1.
ok tedu@ phessler@ kettenis@


# 1.168 10-Jun-2019 stsp

Revised version of 'ifconfig mode' command fix.

The 'mode' command is supposed to force a wireless interface into 11a/b/g/n
media mode. This stopped working some time ago, probably during my work on
background scanning. Problem spotted by mlarkin@ who noticed that interfaces
were using 11g mode while forced to 11b mode.

ok phessler, jmatthew (earlier version)
relentless testing by krw@


# 1.167 31-May-2019 stsp

Revert my "Repair the 'ifconfig mode' command" commit.

The "recursion in end_scan()" problem is apparently still present in
the committed version of the diff (reported by krw@).


# 1.166 29-May-2019 stsp

Repair the 'ifconfig mode' command.

The 'mode' command is supposed to force a wireless interface into 11a/b/g/n
media mode. This stopped working some time ago, probably during my work on
background scanning. Problem spotted by mlarkin@ who noticed that interfaces
were using 11g mode while forced to 11b mode.

ok phessler, jmatthew


# 1.165 11-May-2019 stsp

Show driver name on net80211 scan debug lines.
ok mpi@


# 1.164 28-Apr-2019 mpi

Removes the KERNEL_LOCK() from bridge(4)'s output fast-path.

This redefines the ifp <-> bridge relationship. No lock can be
currently used across the multiples contexts where the bridge has
tentacles to protect a pointer, use an interface index.

Tested by various, ok dlg@, visa@


Revision tags: OPENBSD_6_5_BASE
# 1.163 15-Mar-2019 phessler

fix autojoin for WEP network by actually saving the WEP auth key

discovered while attempting to autojoin WEP networks


# 1.162 01-Mar-2019 stsp

Improve handling of HT protection for 'mode 11n' hostap.

Consider the mere presence of HTCAP IEs as indicator of 11n support,
rather than checking advertised Rx MCS. Fixes some devices being
misclassified as 11a/g, causing HT protection to be enabled even
though it is not needed.

Use CTS-to-self frames for HT protection instead of RTS/CTS.

These changes make my athn(4) AR9280 hostap perform much better.

ok phessler@


# 1.161 23-Jan-2019 stsp

Move 802.11n rateset definitions out of MiRA and make them available to
net80211 and drivers in general. Add ratesets for 'short guard interval'
(SGI) rates, and add SGI support to MiRA. SGI is currently only used by
iwm(4), and of course internally by bwfm(4) firmware.
Ratesets for 11n 40 MHz channels and 11ac will come later.
ok mpi@ phessler@


# 1.160 18-Jan-2019 phessler

add a len field when we delete an essid from the joinlist. this will have
us properly match, instead of hoping we got lucky when selecting it.

OK stsp@


# 1.159 18-Jan-2019 phessler

let users automatically use join to connect to any open wifi network.
if a known network is visible, always prefer that instead.

requested by many, OK stsp@


# 1.158 25-Nov-2018 phessler

print more details about the join'd networks we have saved when a user runs
ifconfig if joinlist

OK stsp@


# 1.157 20-Nov-2018 phessler

fix whitespace in debugging function


# 1.156 20-Nov-2018 patrick

The first packet received from each AP in each QoS class would be
dropped as the sequence number matches the initial value of the
cached last sequence number (zero). On some APs (notably Android
WIFI hotspots) this hits the first packet of the WPA2 4-way
handshake. This causes connection delays and in some cases
connection to the AP fails completely. Initialize the cached last
sequence numbers for received packets to an invalid value instead.

From Christian Ehrhardt
ok gerhard@ stsp@


# 1.155 27-Oct-2018 phessler

pass around the ess and ni structures we plan to use directly, instead
of rediscovering them (possibly badly).

OK stsp@


# 1.154 27-Oct-2018 phessler

clean up accounting of the AUTO_JOIN flag by making sure it is set or cleared
based on the state of the joinlist

OK stsp@


# 1.153 27-Oct-2018 phessler

don't join to a network where we expect cleartext, and the AP is using crypto

OK stsp@


Revision tags: OPENBSD_6_4_BASE
# 1.152 18-Sep-2018 mestre

fix memory leak in ieee80211_end_scan()

OK phessler@ jsg@


# 1.151 17-Sep-2018 jsg

fix memory leaks in ieee80211_add_ess()
ok stsp@ phessler@


# 1.150 11-Sep-2018 phessler

use the format string for signed ints, for signed ints

reminded by stsp@


# 1.149 11-Sep-2018 phessler

With the interface debug flag enabled, print a "score" for each AP we
consider during auto-join. This can help users determine why a specific
network was chosen.

OK stsp@


# 1.148 10-Sep-2018 phessler

fix typo in the length of the essid we want to switch to

found with and OK stsp@


# 1.147 10-Sep-2018 phessler

extract clearing WEP/WPA in ess into helper functions


# 1.146 10-Sep-2018 phessler

give set_ess a len variable, so we can correctly match the essid we want
to switch to.

pointed out by stsp@


# 1.145 09-Sep-2018 phessler

convert the things we save in 'join' into a single ioctl. mixing related
settings over multiple calls was risky and racy. Pass essid, wpa, and wep
parameters in a single ioctl and process it atomically.

no change for 'nwid' users

OK stsp@ benno@


# 1.144 06-Sep-2018 jsg

fix whitespace


# 1.143 01-Sep-2018 stsp

Make 'ifconfig nwid' override 'ifconfig join'.

There was no way to override a decision made by join's network
selection algorithm (apart from disabling the feature by clearing
the join list). Automatic selection is based on heuristics which
cannot always guess correctly so we need to provide an override.

One specific problem was that if 'nwid foo' and 'nwid bar' were
both visible in the scan and only 'nwid foo' was a member of the
join list, then there was no way at all to connect to 'nwid bar'.
The wireless stack would keep selecting 'nwid foo' instead.

'ifconfig iwm0 nwid bar' command will now disable automatic
network selection and force the use of ESSID 'bar'.
Any of these commands will re-enable automatic network selection:
ifconfig iwm0 -nwid
ifconfig iwm0 nwid ''
ifconfig iwm0 join some-network-id

ok phessler@ deraadt@


# 1.142 15-Aug-2018 stsp

Update AP selection heuristics for auto-join.

We now prefer stronger crypto over weaker crypto over none, prefer 5 GHz
band with reasonable RSSI, and use RSSI as a tie-breaker with a slight
advantage for 5GHz. Candidate APs are now ranked by a score which is
calculated based on these attributes.

There is likely room for improvements to make these heuristics
work well across many different environments, but it's a start.

ok phessler@


# 1.141 13-Aug-2018 stsp

Add support for band-steering access points to net80211.

Some access points have a feature called "band steering" where they
will try to push clients from 2 GHz channels to 5 GHz channels.
If a client sends probe-requests on both 2 GHz and 5GHz channels, and
then attempts to authenticate on a 2 GHz channel, such APs will deny
authentication and hope that the client will come back on a 5 GHz channel.

So if we fail to AUTH for any reason, and if there is a different
AP with the same ESSID that we haven't tried yet, try that AP next.
Keep trying until no APs are left, and only then continue scanning.

APs with support for this feature were provided by Mischa Peters.

ok phessler@ mpi@


# 1.140 11-Aug-2018 stsp

Add comment explaining why we read basic MCS set only from beacon/probereq.
requested by mpi@


# 1.139 07-Aug-2018 stsp

Ignore basic MCS set information found in association responses.

Some APs (Aruba 105) send a bogus basic MCS set in assoc responses
which prevents us from enabling 11n support with those APs, while
these APs still behave as if we were an 11n client which renders
the association unusable.

The basic MCS set is already provided in beacons anyway, and the
802.11 2012 standard says the basic MCS set is reserved in frames
other than beacons (see Table 8-130).

ok mpi@


# 1.138 06-Aug-2018 stsp

Refactor ieee80211_add_ess():

Drop ieee80211_add_ess's nwid parameter. Read nwid and length directly
from the ic to make it more obvious where this function is reading from.

nwids are binary data with an explicit length, so treat them as such
instead of treating them like strings.

ok florian phessler


# 1.137 06-Aug-2018 florian

Do not set nwid over and over again. We just found the ess by comparing
the nwid. It will not have changed in the meantime.
OK stsp


# 1.136 03-Aug-2018 phessler

revert 1.133 and part of 1.131
the stack doesn't always fill in the parameters correctly

reported by many


# 1.135 30-Jul-2018 stsp

Don't ask drivers to join a wifi network before an AP has been chosen.
Should fix a panic with bwfm(4) reported by mlarkin@
ok phessler@


# 1.134 19-Jul-2018 florian

ieee80211_ess_is_better() returns 0 or 1, comparing > 1 is always
false so we always selected the first wifi available, not the best
one.

While here shuffle some deck chairs to make it clearer that anything is
better than nothing.

tweak & OK phessler


# 1.133 16-Jul-2018 phessler

the AP sends their crypto parameters as a mask, so let us still select it
in case we want WPA2 and they have WPA1 still enabled


# 1.132 16-Jul-2018 phessler

don't save or use auto-join when the card is not in station (aka client) mode

OK stsp@


# 1.131 13-Jul-2018 phessler

Some more checks before auto-join switches networks.

Make sure all of the crypto options the AP announces matches what we
would configure. While here, don't switch if the user has specified
a specific BSSID, and the new AP does not match.

OK stsp@


# 1.130 11-Jul-2018 phessler

Introduce 'auto-join' to the wifi 802.11 stack.

This allows a system to remember which ESSIDs it wants to connect to, any
relevant security configuration, and switch to it when the network we are
currently connected to is no longer available.

Works when connecting and switching between WPA2/WPA1/WEP/clear encryptions.

example hostname.if:
join home wpakey password
join work wpakey mekmitasdigoat
join open-lounge
join cafe wpakey cafe2018
join "wepnetwork" nwkey "12345"
dhcp
inet6 autoconf
up

OK stsp@ reyk@
and enthusiasm from every hackroom I've been in for the last 3 years


# 1.129 28-Apr-2018 stsp

When starting a background scan, free the nodes table to ensure we
get an up-to-date view of APs around us. In particular, we need to
kick out the AP we are associated to. Otherwise, our current AP might
stay cached if it is turned off while we are scanning, and we could
end up picking a now non-existent but "good looking" AP over and over.

found with and ok phessler@


# 1.128 27-Apr-2018 stsp

Fix the scan loop: We were only looking for an AP once and stopped
scanning if none was found.
Accidentally broken in recent ifconfig scan changes by pirofti and me.
ok pirofti


# 1.127 26-Apr-2018 pirofti

net80211: stub SIOCS80211SCAN, make ifconfig scan instant.

The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stsp@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.

The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.

In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.

The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...

Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.

Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).

Tested by mpi@, landry@, florian@, thanks!
OK mpi@.


Revision tags: OPENBSD_6_3_BASE
# 1.126 06-Feb-2018 phessler

convert the test if a node supports HT (aka, 11n) into an inline function,
instead of testing some un-obvious bitfield

OK stsp@


# 1.125 12-Dec-2017 stsp

Don't dereference IEEE80211_CHAN_ANYC pointer in ieee80211_node_checkrssi().

Problem reported by Gregoire Jadi on bugs@


# 1.124 12-Dec-2017 phessler

Allow interfaces that aren't SCANNALLBAND drivers to benefit from the
strongest received signal.

OK stsp@


# 1.123 12-Dec-2017 jcs

Fix the behavior of preferring weaker-but-still-good 5GHz APs over
2GHz APs because the 5GHz band is generally less saturated.

The previous implementation was dependent upon the order of walking
APs.

ok stsp


# 1.122 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


Revision tags: OPENBSD_6_2_BASE
# 1.121 05-Sep-2017 stsp

When starting a new scan always set the mode to AUTO if the driver scans
all bands at once. Fixes a problem where e.g. 5GHz APs were filtered out
if we were previously associated to an 11g-only AP.
ok mpi@ phessler@


# 1.120 17-Aug-2017 stsp

Add an entry to dmesg if pairwise WPA keys arrive unexpectedly or if WPA
group keys are being reused. OpenBSD wireless clients will now leave a
trail of such events in their message log.

There has been increased public scrutiny of WPA's security recently, so
I am curious to see if anyone is attempting replay attacks in the wild.

ok deraadt


# 1.119 04-Aug-2017 stsp

Compile a debug printf in ieee80211_match_bss() by default, previously
guarded by the IEEE80211_DEBUG preprocessor flag. This shows one line
per detected AP after a scan, and indicates which APs are considered
candidates for association.
Shorten the output a bit to fit into 80 columns more likely.
ok sthen@


# 1.118 19-Jul-2017 stsp

Improve the heuristic which selects 5GHz APs over 2GHz APs.

The previous code wasn't quite right: it didn't account for the fact that
some drivers don't set ic_max_rssi, and it compared 5GHz APs to a threshold
relative to the max RSSI, rather than comparing RSSI on 5GHz relative to
RSSI on 2GHz.

This heuristic is only used by SCANNALLBAND drivers: iwn(4), iwm(4), wpi(4)

In the future the AP selection heuristic should be made more intelligent,
e.g. it should take BSS load information in beacons into account.
Another open problem is inconsistent representation of RSSI measurement
values throughout our drivers and stack. Help is welcome!

For now, this hopefully improves AP selection at busy airports.

ok sthen@ deraadt@


# 1.117 04-Jun-2017 tb

Add sizes for free for the RSN IEs. Rewrite ieee80211_save_ie() slightly
to make it more readable.

help, many explanations and ok stsp


# 1.116 03-Jun-2017 tb

Add a few sizes to free().

Input, help & ok stsp


Revision tags: OPENBSD_6_1_BASE
# 1.115 04-Mar-2017 stsp

branches: 1.115.4;
In 11n hostap mode, dynamically adjust HT protection settings based on
the presence of non-HT nodes in the node cache.
OpenBSD 11n APs will now disable HT protection if it is not necessary.
ok mpi@


# 1.114 03-Feb-2017 stsp

Fix 11b clients sending bogus ratesets in association requests. The common
rateset with the AP is calculated only after the association response was
received, which is too late. Fix rates when an AP is selected after a scan.
ok mpi@ tb@


# 1.113 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.112 16-Jan-2017 stsp

Reset block ack state and cancel related timeouts when a HT node disassociates.
The existing code (from damien@) already took care of freeing related buffers
but because block ack state was not reset we were still trying to use these
buffers if the node sent another A-MPDU. This problem only affects 11n hostap.
Fixes kernel crash reported by Timo Myyra on bugs@


# 1.111 09-Jan-2017 stsp

When a HT node leaves or reassociates as a non-HT node,
clear HT capabilities stored in its node cache object.

A node may switch from 11n mode to 11a/b/g mode.
If we don't clear HT capabilities from the cache the node will
be mistaken as 11n-capable after reassociation.

ok phessler@ mpi@


# 1.110 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.109 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.108 09-Jan-2017 stsp

The point of ieee80211_node_leave() is to place the node in COLLECT state.
Return early and do nothing if the node is already in COLLECT state upon
entry to this function.


# 1.107 09-Jan-2017 stsp

When acting as hostap, negotiate HT before calling the driver's ic_newassoc()
function, not afterwards. Drivers now know whether a joining node supports HT
which helps with setting up state such as which Tx rate to use.


# 1.106 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@


# 1.105 15-Sep-2016 dlg

move from RB macros to the RBT functions.

shaves about 5k off an amd64 GENERIC.MP kernel


# 1.104 17-Aug-2016 stsp

If a wireless device or driver scans all bands at once give 5GHz APs
a slight priority in cases where good matches exist in either band.
ok sthen@


Revision tags: OPENBSD_6_0_BASE
# 1.103 21-May-2016 stsp

branches: 1.103.2;
Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


# 1.102 18-May-2016 stsp

In hostap mode, don't re-use association IDs (AIDs) of nodes which are
still lingering in the node cache. This could cause an AID to be assigned
twice, once to a newly associated node and once to a different node in
COLLECT cache state (i.e. marked for future eviction from the node cache).

Drivers (e.g. rt2860) may use AIDs to keep track of nodes in firmware
tables and get confused when AIDs aren't unique across the node cache.
The symptom observed with rt2860 was nodes stuck at 1 Mbps Tx rate since
the duplicate AID made the driver perform Tx rate (AMRR) accounting on
the wrong node object.

To find out if a node is associated we now check the node's cache state,
rather than comparing the node's AID against zero. An AID is assigned when
a node associates and it lasts until the node is eventually purged from the
node cache (previously, the AID was made available for re-use when the node
was placed in COLLECT state). There is no need to be stingy with AIDs since
the number of possible AIDs exceeds the maximum number of nodes in the cache.

Problem found by Nathanael Rensen.
Fix written by Nathanael and myself. Tested by Nathanael.
Committing now to get this change tested across as many drivers as possible.


# 1.101 12-Apr-2016 mpi

Call if_enqueue() and if_start() instead of dereferencing the ifp
pointers.

These functions have been introduced to abstract some of the MP-
safeness^Wmadness and should be used everywhere.

Prodded by a comment from jsg@.

ok mikeb@, stsp@


# 1.100 03-Mar-2016 gerhard

Restore assignment of ic_curmode that was accidentally removed when
moving the ERP code to post-assoc phase. Fixes iwi(4) fatal firmware
errors.

ok stsp@, sobrado@


Revision tags: OPENBSD_5_9_BASE
# 1.99 25-Jan-2016 stsp

branches: 1.99.2;
Honour ERP protection on 2 GHz channels in 11n mode, as done for 11g.
ok millert@


# 1.98 25-Jan-2016 stsp

Don't try to interpret htprot data if the last beacon didn't contain such data.
ok mpi@ millert@


# 1.97 07-Jan-2016 stsp

Make the A-MPDU reordering buffer more resilient against APs which drop
some subframes or let the sequence number jump up by more than 1 (hard
to tell which it is). We decrease the BA inactivity timeout for quicker
recovery from stalled BA sessions, and add a new timeout which keeps track
of gaps in the subframe sequence number space due to dropped frames.
Gaps expire after 500 msec, the same value FreeBSD uses for their
implementation of this workaround. And Linux uses this trick, too.

This should fix network stalls some people have been seeing in 11n mode.

ok deraadt@


# 1.96 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.95 04-Jan-2016 stsp

While configuring ERP we need to know if we're in 11a or 11g mode so only
configure ERP once we are sure about our operation mode against the AP.
ok sthen jasper kettenis deraadt mpi


# 1.94 18-Dec-2015 sthen

unnoccupied->unoccupied


# 1.93 12-Dec-2015 stsp

Finish support for receiving 11n A-MPDUs.

The initial implementation was added by damien@ years ago.
Summary of the changes made in this commit:
- In ieee80211_input(), process A-MPDUs before duplicate detection.
- Don't forget to set ba->ba_ni in ieee80211_recv_addba_req()
so we don't crash in ieee80211_rx_ba_timeout().
- In ieee80211_recv_addba_req(), tweak the logic to deny BlockAck
requests if the driver has no callback for doing so.
- Implement ieee80211_ba_del() which cleans up BlockAck state.
- Increase the minimum and maximum lifetime for BlockAck agreements.

ok mpi@


# 1.92 24-Nov-2015 mpi

No need to include <net/if_arp.h>

This header is only needed because <netinet/if_ether.h> declares a
structure that needs it. But it turns out that <net/if.h> already
includes it as workaround.

A proper solution would be to stop declaring "struct ether_arp"
there. But no driver should need this header.


# 1.91 15-Nov-2015 stsp

Parse 11n HT capabilities and operational info from association response
frames, negotiate HT with the AP, and move the interface into or out of
11n mode accordingly. If running as AP negotiate HT with nodes joining the BSS.

ok deraadt mpi kettenis guenther


# 1.90 15-Nov-2015 stsp

Extend struct ieee80211_node with fields for 11n STA HT capabilities and
HT operational information sent by 11n APs. These fields reflect the structure
of elements in management frames so that IEEE80211_HTCAP* and IEEE80211_HTOP*
macros designed to operate on frame elements can be used directly to read
or set the fields.

Populate nodes with HT information received in probe responses, probe
requests, and association requests.

ok deraadt mpi phessler kettenis guenther


# 1.89 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


Revision tags: OPENBSD_5_8_BASE
# 1.88 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.87 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.86 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.85 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.84 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.83 12-Sep-2014 sthen

Remove cached 802.11 nodes in IEEE80211_STA_CACHE state (these are nodes
which have been seen but which haven't otherwise interacted with us), fixing
a problem where old cached nodes are seen when doing a scan.
From Marcin Piotr Pawlowski, feedback stsp@ ok kspillner@ dcoppa@


# 1.82 08-Aug-2014 jasper

use nitems() instead of various local constructs

ok stsp@


Revision tags: OPENBSD_5_6_BASE
# 1.81 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


Revision tags: OPENBSD_5_5_BASE
# 1.80 01-Dec-2013 stsp

Reset txrate array index after changing a node's rate list.
Should prevent "bogus xmit rate %d setup" panics, which I ran into again
in IBSS mode.
ok kettenis


# 1.79 21-Nov-2013 mpi

Remove unneeded include.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.78 24-Mar-2013 claudio

Make ieee80211_set_tim() available from outside of ieee80211_node.c
so drivers like acx(4) can use that function directly instead of
reimplementing the function again. Requested by kettenis@ long time ago.


Revision tags: OPENBSD_5_3_BASE
# 1.77 07-Nov-2012 stsp

Fix DPRINTF() format string treating n->ni_refcnt, which is unsigned, as signed.
diff from dhill; ok kettenis reyk


# 1.76 10-Oct-2012 kettenis

Clear the powersave flag and purge queued packets when a node leaves the AP
(either by disassociating or by timeout). Fixes (most) remaining issues with
power saving.

From Nathanael Rensen.

ok claudio@, krw@, sthen@


# 1.75 05-Oct-2012 camield

Point an interface directly to its bridgeport configuration, instead
of to the bridge itself. This is ok, since an interface can only be part
of one bridge, and the parent bridge is easy to find from the bridgeport.

This way we can get rid of a lot of list walks, improving performance
and shortening the code.

ok henning stsp sthen reyk


# 1.74 20-Sep-2012 stsp

Nuke M_80211_NODE #define which mapped to M_DEVBUF and use M_DEVBUF directly.
ok henning


# 1.73 25-Aug-2012 kettenis

Set up ni_savedq for the initial BSS node such that it can actually be used
to store multicast frames when one of the associated stations is in power
saving mode.

ok stsp@


# 1.72 17-Aug-2012 stsp

Fix possible panic while switching from STA mode into hostap/ibss modes.
ieee80211_create_ibss() resets the set of supported rates but failed
to update the index into the rate set array accordingly. If the rate
configured during STA operation didn't belong to the newly configured
rate set the system ran into an assertion ("bogus xmit rate %u setup")
while trying to create the IBSS.
ok fgsch@


Revision tags: OPENBSD_5_2_BASE
# 1.71 18-Jul-2012 stsp

Print messages about nodes purged from the node cache if hostap/ibss modes are
compiled in and the interface is in debug mode. ok sthen


# 1.70 16-Jul-2012 stsp

Move increment of ic_nnodes closer to where the node is actually inserted
into the cache. Make sure we're at IPL_NET while incrementing/decrementing
ic_nnodes. Add a debug message that warns about possible node leaks.
All of this affects hostap mode only.


# 1.69 13-Jul-2012 stsp

Tweak node cache eviction strategy when the cache is full: kick off new nodes
in AUTH state that weren't active during the cache wait interval rather than
keeping them for the entire cache timeout interval. Fixes association failures
in noisy RF environments. Tested by edd and myself with a slow soekris
suffering from RF noise with about 50 interrupts per second on ral0.
ok deraadt


Revision tags: OPENBSD_5_1_BASE
# 1.68 25-Jan-2012 stsp

There is no need to explicitly skip ic_bss when iterating over cached nodes.
The ic_bss is never put into the RB tree.


# 1.67 25-Jan-2012 stsp

Clean inactive authenticated nodes during cache timeout as well.
There is no need to keep nodes cached which never associated and were
inactive within the last 5 minutes or more. Keeps the node cache pretty
clean in my environment with typical city-center wlan noise.


# 1.66 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@


# 1.65 21-Jan-2012 stsp

Hold interrupts blocked while comparing a cached node's refcount to zero
and freeing the node. Just in case an interrupt happens to ref the node after
the refcount was checked but before the node is freed.
Tested by several as part of a larger diff.


# 1.64 18-Jan-2012 stsp

Make it possible to free cached nodes which never associated (e.g. nodes
only scanning for networks). These were never put into COLLECT state and
were thus never evicted from the node cache in hostap mode.
ok jsg@


Revision tags: OPENBSD_5_0_BASE
# 1.63 28-Mar-2011 kettenis

Clean nodes until the number of cached nodes is smaller than the maximum number
of nodes, otherwise we'll never actually clean any nodes. Fixes issues with
clients failing to attach because the node cache is completely filled.

ok damien@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.62 07-Aug-2010 krw

No "\n" needed at the end of panic() strings.

Bogus chunks pointed out by matthew@ and miod@. No cookies for
marco@ and jasper@.

ok deraadt@ miod@ matthew@ jasper@ macro@


# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


# 1.60 19-Jun-2010 damien

In ieee80211_node_leave(), clear the associd after calling
ieee80211_node_leave_rsn() since ieee80211_node_leave_rsn()
calls ic_delete_key() and drivers like ral(4) RT2860 need
a valid associd in their delete_key callbacks.
This affects HostAP mode only.

from Nathanael Rensen.

remove a useless (nested) #ifndef IEEE80211_STA_ONLY while i'm here


# 1.59 14-Jun-2010 damien

fix my previous commit, i forgot BIP, so instead of enumerating
what is not supported as a group cipher, enumerate what is supported.


# 1.58 14-Jun-2010 damien

do not try to associate with an AP using an unsupported group cipher,
otherwise we will panic in ieee80211_add_rsn_body().

this may be the cause of a panic seen by reyk@ though i'm not 100% sure.


# 1.57 28-Mar-2010 krw

Four uses of uninitialized variables found by clang via jsg@. ar5416, ar9287
and athn are only theoretically interesting. ieee80211_node fixes a real
bug in occupied channel detection.

ok damien@


Revision tags: OPENBSD_4_7_BASE
# 1.56 17-Feb-2010 damien

Do not always create a new node when a beacon or a probe response
is received. The creation of a new node is already handled in
ieee80211_recv_probe_resp() when necessary.
This avoids creating empty nodes with wrong channels when beacons
are received on the wrong channel (overlapping channels).
Those empty nodes may also prevent the real node from being
discovered because of ieee80211_find_node_for_beacon() filtering.

This should prevent entries of the form:
nwid "" chan 3 bssid 00:01:02:03:04:05 0dB 54M
in "ifconfig if0 scan" output, like reported by Rivo Nurges.


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.55 29-Jan-2009 damien

fix a panic that occurs when IEEE80211_STA_ONLY is defined (SMALL_KERNEL).

noticed by ray@, more investigation from sthen@
fix tested by sthen@


# 1.54 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.53 28-Jan-2009 damien

In ieee80211_find_node(), roll our own RB_FIND() based on the key (macaddr)
instead of resorting to horrid hacks/casts.
Restore the ieee80211_node structure back to its original state.


# 1.52 27-Jan-2009 damien

unbreak SMALL_KERNEL builds by adding missing #ifndef IEEE80211_STA_ONLY

pointed out by krw@


# 1.51 26-Jan-2009 damien

move ni_macaddr field at the top of the ieee80211_node structure.
this way we can avoid putting a full node structure (which is huge)
on the stack in ieee80211_find_node().
this is a bit tricky but the RB_FIND macro wants an "elem" structure,
not a field of "elem".


# 1.50 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.49 14-Dec-2008 damien

Add an ieee80211_notify_dtim() function that drivers should call after
every DTIM in HostAP mode.
Flushes all group addressed MSDUs buffered at the AP for power management.


# 1.48 23-Oct-2008 mk

Prevent a crash in ieee80211_setkeys() when unplugging an interface in
hostap mode by canceling the group rekey timeout in ieee80211_node_detach().

ok damien


# 1.47 15-Oct-2008 blambert

Second pass of simple timeout_add -> timeout_add_sec conversions
This should take care of the simpler ones (i.e., timeout values of
integer multiples of hz).

ok krw@, art@


# 1.46 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.45 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.44 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.43 12-Aug-2008 damien

new SHA-256 based AKMPs.


# 1.42 12-Aug-2008 damien

add/process group integrity cipher suite in RSN IEs.
add support for MFP negotiation during association.


# 1.41 12-Aug-2008 damien

the only integrity group cipher currently supported is AES-128-CMAC.


# 1.40 12-Aug-2008 damien

generate a random IGTK in HostAP mode if we're MFP-capable.


# 1.39 12-Aug-2008 damien

get rid of the map_ptk()/map_gtk() functions, just inline them
which makes things easier to track.


Revision tags: OPENBSD_4_4_BASE
# 1.38 02-Aug-2008 damien

Drop frames that are received unencrypted when WEP is on or when
WPA is on and RX protection for TA is on.
Keep track of the TX/RX protection for each node when WPA is on.

tested by djm@ (ral+wpa), ckuethe@ (ath-noenc) and krw@ (wpi<->ral+wpa).
hints from bluhm@
has been in snaps for a few days.

pointed out by bluhm@ something like 1 year ago but we did not have
the right infrastructure to fix it properly at that time.

ok deraadt@


# 1.37 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.36 27-Jul-2008 damien

s/IEEE80211_DPRINTF/DPRINTF/
automatically prepend __func__ to output.

deobfuscates debug messages a bit.
no binary change unless compiled with IEEE80211_DEBUG.


# 1.35 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.34 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


# 1.33 21-Apr-2008 damien

move ieee80211_ibss_merge() from ieee80211_input.c to ieee80211_node.c


# 1.32 21-Apr-2008 damien

move ieee80211_auth_open() to ieee80211_proto.c
move ieee80211_setup_rates() to ieee80211_node.c
move some prototypes from ieee80211_proto.h to ieee80211_crypto.h


# 1.31 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.30 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.29 07-Sep-2007 damien

use new malloc M_ZERO flag + replace MALLOC with malloc


Revision tags: OPENBSD_4_2_BASE
# 1.28 06-Jul-2007 damien

remove remaining bits for pre-RSNA shared authmode support.
it has been #if 0'd since 3.9 and we have never supported this mode (no
ifconfig option etc...).


# 1.27 06-Jul-2007 damien

initialize an uninitialized variable.


# 1.26 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.25 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.24 16-Jun-2007 damien

constify


# 1.23 16-Jun-2007 damien

don't mix u_int{8,16,32}_t and uint{8,16,32}_t
use u_int{8,16,32}_t everywhere.


# 1.22 16-Jun-2007 damien

de-static

ok jsg@


# 1.21 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.20 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


# 1.19 10-Apr-2007 miod

``it's'' -> ``its'' when the grammar gods require this change.


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 13-Nov-2006 damien

fix a possible NULL deref.


Revision tags: OPENBSD_4_0_BASE
# 1.16 19-Jun-2006 reyk

unbreak the code if compiled with IEEE80211_DEBUG by using the right
node attribute.

ok damien@, figured out by claudio@


# 1.15 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.14 19-Feb-2006 damien

Fix a comment in ieee80211_next_scan().


# 1.13 09-Oct-2005 reyk

if the wireless hostap interface belongs to a bridge, learn the node's
address dynamically on this interface after successful association.
this could speed wireless roaming to openbsd accesspoints.

ok jason@, jsg@ can't see anything objectionable


# 1.12 07-Oct-2005 reyk

minor knf


# 1.11 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.10 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.9 08-Sep-2005 jsg

Remove the last of the FreeBSD compatibility goop.
ok reyk@


# 1.8 08-Sep-2005 jsg

Remove FreeBSD if_printf compat function from net80211.
ok reyk@


# 1.7 08-Sep-2005 reyk

reset the scan state for each new mode

ok jsg@


# 1.6 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.5 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.4 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.3 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.2 02-Nov-2004 millert

Don't call memset() if MALLOC returns NULL; also fix the rcs ID.
From Patrick Latifi; OK reyk@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.168 10-Jun-2019 stsp

Revised version of 'ifconfig mode' command fix.

The 'mode' command is supposed to force a wireless interface into 11a/b/g/n
media mode. This stopped working some time ago, probably during my work on
background scanning. Problem spotted by mlarkin@ who noticed that interfaces
were using 11g mode while forced to 11b mode.

ok phessler, jmatthew (earlier version)
relentless testing by krw@


# 1.167 31-May-2019 stsp

Revert my "Repair the 'ifconfig mode' command" commit.

The "recursion in end_scan()" problem is apparently still present in
the committed version of the diff (reported by krw@).


# 1.166 29-May-2019 stsp

Repair the 'ifconfig mode' command.

The 'mode' command is supposed to force a wireless interface into 11a/b/g/n
media mode. This stopped working some time ago, probably during my work on
background scanning. Problem spotted by mlarkin@ who noticed that interfaces
were using 11g mode while forced to 11b mode.

ok phessler, jmatthew


# 1.165 11-May-2019 stsp

Show driver name on net80211 scan debug lines.
ok mpi@


# 1.164 28-Apr-2019 mpi

Removes the KERNEL_LOCK() from bridge(4)'s output fast-path.

This redefines the ifp <-> bridge relationship. No lock can currently be
used across the multiple contexts where the bridge has tentacles to
protect a pointer, so use an interface index instead.

Tested by various, ok dlg@, visa@


Revision tags: OPENBSD_6_5_BASE
# 1.163 15-Mar-2019 phessler

fix autojoin for WEP network by actually saving the WEP auth key

discovered while attempting to autojoin WEP networks


# 1.162 01-Mar-2019 stsp

Improve handling of HT protection for 'mode 11n' hostap.

Consider the mere presence of HTCAP IEs as indicator of 11n support,
rather than checking advertised Rx MCS. Fixes some devices being
misclassified as 11a/g, causing HT protection to be enabled even
though it is not needed.

Use CTS-to-self frames for HT protection instead of RTS/CTS.

These changes make my athn(4) AR9280 hostap perform much better.

ok phessler@


# 1.161 23-Jan-2019 stsp

Move 802.11n rateset definitions out of MiRA and make them available to
net80211 and drivers in general. Add ratesets for 'short guard interval'
(SGI) rates, and add SGI support to MiRA. SGI is currently only used by
iwm(4), and of course internally by bwfm(4) firmware.
Ratesets for 11n 40 MHz channels and 11ac will come later.
ok mpi@ phessler@


# 1.160 18-Jan-2019 phessler

add a len field when we delete an essid from the joinlist. this will have
us properly match, instead of hoping we got lucky when selecting it.

OK stsp@


# 1.159 18-Jan-2019 phessler

let users automatically use join to connect to any open wifi network.
if a known network is visible, always prefer that instead.

requested by many, OK stsp@


# 1.158 25-Nov-2018 phessler

print more details about the join'd networks we have saved when a user runs
ifconfig if joinlist

OK stsp@


# 1.157 20-Nov-2018 phessler

fix whitespace in debugging function


# 1.156 20-Nov-2018 patrick

The first packet received from each AP in each QoS class would be
dropped as the sequence number matches the initial value of the
cached last sequence number (zero). On some APs (notably Android
WIFI hotspots) this hits the first packet of the WPA2 4-way
handshake. This causes connection delays and in some cases
connection to the AP fails completely. Initialize the cached last
sequence numbers for received packets to an invalid value instead.

From Christian Ehrhardt
ok gerhard@ stsp@
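As an added illustration of the bug described above (this is not net80211 code, only a simplified model): a per-TID duplicate check run over a constructed frame sequence, first with the cached sequence numbers zeroed and then with them set to an invalid value. The struct, function names and the drop rule (drop when the sequence number equals the cached one) are assumptions; real 802.11 duplicate detection also consults the Retry bit.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NUM_TIDS    16      /* 802.11 QoS TIDs 0..15 */
#define SEQ_MASK    0x0fff  /* the sequence number field is 12 bits wide */
#define SEQ_INVALID 0xffff  /* can never equal a masked 12-bit sequence number */

/* Hypothetical per-node receive state: last seen sequence number per TID. */
struct node {
	uint16_t rxseq[NUM_TIDS];
};

/* Pre-fix initialisation: everything zeroed, so rxseq[tid] == 0 before
 * any frame has been received on that TID. */
void node_init_zeroed(struct node *ni)
{
	memset(ni, 0, sizeof(*ni));
}

/* Post-fix initialisation: a value no real frame can carry. */
void node_init_invalid(struct node *ni)
{
	for (int tid = 0; tid < NUM_TIDS; tid++)
		ni->rxseq[tid] = SEQ_INVALID;
}

/* Simplified duplicate check: drop the frame if its sequence number equals
 * the cached one for this TID, otherwise remember it. Returns true on drop. */
bool rx_is_dup(struct node *ni, int tid, uint16_t seq)
{
	seq &= SEQ_MASK;
	if (seq == ni->rxseq[tid])
		return true;
	ni->rxseq[tid] = seq;
	return false;
}

/* Constructed sample: an AP starting its sequence counter at 0, with one
 * genuine retransmission of sequence number 2. */
const uint16_t sample_seqs[] = { 0, 1, 2, 2, 3 };
#define SAMPLE_LEN ((int)(sizeof(sample_seqs) / sizeof(sample_seqs[0])))

/* Replays a frame sequence on one TID after the given init and counts drops. */
int count_dropped(void (*init)(struct node *), const uint16_t *seqs, int n,
    int tid)
{
	struct node ni;
	int dropped = 0;

	init(&ni);
	for (int i = 0; i < n; i++)
		if (rx_is_dup(&ni, tid, seqs[i]))
			dropped++;
	return dropped;
}

int main(void)
{
	/* Zeroed state drops the legitimate first frame (seq 0) as well as
	 * the real duplicate; invalid initial state drops only the duplicate. */
	printf("zeroed init:  %d of %d frames dropped\n",
	    count_dropped(node_init_zeroed, sample_seqs, SAMPLE_LEN, 0),
	    SAMPLE_LEN);
	printf("invalid init: %d of %d frames dropped\n",
	    count_dropped(node_init_invalid, sample_seqs, SAMPLE_LEN, 0),
	    SAMPLE_LEN);
	return 0;
}
```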


# 1.155 27-Oct-2018 phessler

pass around the ess and ni structures we plan to use directly, instead
of rediscovering them (possibly badly).

OK stsp@


# 1.154 27-Oct-2018 phessler

clean up accounting of the AUTO_JOIN flag by making sure it is set or cleared
based on the state of the joinlist

OK stsp@


# 1.153 27-Oct-2018 phessler

don't join to a network where we expect cleartext, and the AP is using crypto

OK stsp@


Revision tags: OPENBSD_6_4_BASE
# 1.152 18-Sep-2018 mestre

fix memory leak in ieee80211_end_scan()

OK phessler@ jsg@


# 1.151 17-Sep-2018 jsg

fix memory leaks in ieee80211_add_ess()
ok stsp@ phessler@


# 1.150 11-Sep-2018 phessler

use the format string for signed ints, for signed ints

reminded by stsp@


# 1.149 11-Sep-2018 phessler

With the interface debug flag enabled, print a "score" for each AP we
consider during auto-join. This can help users determine why a specific
network was chosen.

OK stsp@


# 1.148 10-Sep-2018 phessler

fix typo in the length of the essid we want to switch to

found with and OK stsp@


# 1.147 10-Sep-2018 phessler

extract clearing WEP/WPA in ess into helper functions


# 1.146 10-Sep-2018 phessler

give set_ess a len variable, so we can correctly match the essid we want
to switch to.

pointed out by stsp@


# 1.145 09-Sep-2018 phessler

convert the things we save in 'join' into a single ioctl. mixing related
settings over multiple calls was risky and racy. Pass essid, wpa, and wep
parameters in a single ioctl and process it atomically.

no change for 'nwid' users

OK stsp@ benno@


# 1.144 06-Sep-2018 jsg

fix whitespace


# 1.143 01-Sep-2018 stsp

Make 'ifconfig nwid' override 'ifconfig join'.

There was no way to override a decision made by join's network
selection algorithm (apart from disabling the feature by clearing
the join list). Automatic selection is based on heuristics which
cannot always guess correctly so we need to provide an override.

One specific problem was that if 'nwid foo' and 'nwid bar' were
both visible in the scan and only 'nwid foo' was a member of the
join list, then there was no way at all to connect to 'nwid bar'.
The wireless stack would keep selecting 'nwid foo' instead.

The 'ifconfig iwm0 nwid bar' command will now disable automatic
network selection and force the use of ESSID 'bar'.
Any of these commands will re-enable automatic network selection:
ifconfig iwm0 -nwid
ifconfig iwm0 nwid ''
ifconfig iwm0 join some-network-id

ok phessler@ deraadt@


# 1.142 15-Aug-2018 stsp

Update AP selection heuristics for auto-join.

We now prefer stronger crypto over weaker crypto over none, prefer 5 GHz
band with reasonable RSSI, and use RSSI as a tie-breaker with a slight
advantage for 5GHz. Candidate APs are now ranked by a score which is
calculated based on these attributes.

There is likely room for improvements to make these heuristics
work well across many different environments, but it's a start.

ok phessler@


# 1.141 13-Aug-2018 stsp

Add support for band-steering access points to net80211.

Some access points have a feature called "band steering" where they
will try to push clients from 2 GHz channels to 5 GHz channels.
If a client sends probe-requests on both 2 GHz and 5GHz channels, and
then attempts to authenticate on a 2 GHz channel, such APs will deny
authentication and hope that the client will come back on a 5 GHz channel.

So if we fail to AUTH for any reason, and if there is a different
AP with the same ESSID that we haven't tried yet, try that AP next.
Keep trying until no APs are left, and only then continue scanning.

APs with support for this feature were provided by Mischa Peters.

ok phessler@ mpi@


# 1.140 11-Aug-2018 stsp

Add comment explaining why we read basic MCS set only from beacon/probereq.
requested by mpi@


# 1.139 07-Aug-2018 stsp

Ignore basic MCS set information found in association responses.

Some APs (Aruba 105) send a bogus basic MCS set in assoc responses
which prevents us from enabling 11n support with those APs, while
these APs still behave as if we were an 11n client which renders
the association unusable.

The basic MCS set is already provided in beacons anyway, and the
802.11 2012 standard says the basic MCS set is reserved in frames
other than beacons (see Table 8-130).

ok mpi@


# 1.138 06-Aug-2018 stsp

Refactor ieee80211_add_ess():

Drop ieee80211_add_ess's nwid parameter. Read nwid and length directly
from the ic to make it more obvious where this function is reading from.

nwids are binary data with an explicit length, so treat them as such
instead of treating them like strings.

ok florian phessler


# 1.137 06-Aug-2018 florian

Do not set nwid over and over again. We just found the ess by comparing
the nwid. It will not have changed in the meantime.
OK stsp


# 1.136 03-Aug-2018 phessler

revert 1.133 and part of 1.131
the stack doesn't always fill in the parameters correctly

reported by many


# 1.135 30-Jul-2018 stsp

Don't ask drivers to join a wifi network before an AP has been chosen.
Should fix a panic with bwfm(4) reported by mlarkin@
ok phessler@


# 1.134 19-Jul-2018 florian

ieee80211_ess_is_better() returns 0 or 1, comparing > 1 is always
false so we always selected the first wifi available, not the best
one.

While here shuffle some deck chairs to make it clearer that anything is
better than nothing.

tweak & OK phessler
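
As an added illustration of the scoring described in 1.142 and of the
comparison bug described in 1.134 above (example code written for this
log, not net80211's own selection code or its real weights): candidates
are ranked by an integer score in which crypto strength dominates, a
5 GHz AP with usable RSSI earns a bonus, and RSSI breaks ties with a
slight edge for 5 GHz. The struct, the weight constants, RSSI_5GHZ_OK
and the sample scan are assumptions; ap_select_buggy() reproduces the
"> 1" test of a 0/1 result that made the first candidate always win.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed candidate record and weights: assumptions for this example,
 * not net80211's struct ieee80211_node or its actual scoring constants.
 */
enum ap_crypto { CRYPTO_NONE = 0, CRYPTO_WEP = 1, CRYPTO_WPA1 = 2, CRYPTO_WPA2 = 3 };

struct ap_candidate {
	const char	*bssid;
	enum ap_crypto	 crypto;
	int		 is_5ghz;
	int		 rssi;		/* assumed 0..100 percent scale */
};

#define RSSI_5GHZ_OK	50		/* assumed "reasonable RSSI" threshold */

/*
 * Rank: crypto strength dominates, then 5 GHz with usable signal,
 * then raw RSSI as tie-breaker with a slight edge for 5 GHz.
 */
int
ap_score(const struct ap_candidate *ap)
{
	int score = (int)ap->crypto * 1000;

	if (ap->is_5ghz && ap->rssi >= RSSI_5GHZ_OK)
		score += 500;
	score += ap->rssi;
	if (ap->is_5ghz)
		score += 5;
	return score;
}

/* Correct selection: compare integer scores. Returns index or -1. */
int
ap_select(const struct ap_candidate *aps, size_t n)
{
	int best = -1, best_score = 0;
	size_t i;

	for (i = 0; i < n; i++) {
		int s = ap_score(&aps[i]);

		if (best < 0 || s > best_score) {
			best = (int)i;
			best_score = s;
		}
	}
	return best;
}

/*
 * The shape of the bug fixed in 1.134: the comparator returns 0 or 1 and
 * the caller tests it with "> 1", which is never true, so the first
 * candidate always wins. Kept here only for contrast.
 */
static int
ap_is_better(const struct ap_candidate *a, const struct ap_candidate *b)
{
	return ap_score(a) > ap_score(b);
}

int
ap_select_buggy(const struct ap_candidate *aps, size_t n)
{
	int best = 0;
	size_t i;

	if (n == 0)
		return -1;
	for (i = 1; i < n; i++)
		if (ap_is_better(&aps[i], &aps[best]) > 1)	/* never true */
			best = (int)i;
	return best;
}

/* Constructed scan result for the demonstration. */
const struct ap_candidate sample_scan[] = {
	{ "00:11:22:33:44:01", CRYPTO_NONE, 0, 90 },	/* open, loud 2 GHz */
	{ "00:11:22:33:44:02", CRYPTO_WPA2, 0, 80 },	/* WPA2 on 2 GHz */
	{ "00:11:22:33:44:03", CRYPTO_WPA2, 1, 55 },	/* WPA2 on 5 GHz, usable */
	{ "00:11:22:33:44:04", CRYPTO_WPA2, 1, 30 },	/* WPA2 on 5 GHz, weak */
};
const size_t sample_scan_n = sizeof(sample_scan) / sizeof(sample_scan[0]);

int
main(void)
{
	int fixed = ap_select(sample_scan, sample_scan_n);
	int buggy = ap_select_buggy(sample_scan, sample_scan_n);

	printf("fixed: %s (score %d)\n", sample_scan[fixed].bssid,
	    ap_score(&sample_scan[fixed]));
	printf("buggy: %s (score %d)\n", sample_scan[buggy].bssid,
	    ap_score(&sample_scan[buggy]));
	return 0;
}
```

With the sample scan the fixed selector picks the usable WPA2 5 GHz AP
(score 3560) while the buggy one returns the open 2 GHz AP simply because
it was listed first.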


# 1.133 16-Jul-2018 phessler

the AP sends their crypto parameters as a mask, so let us still select it
in case we want WPA2 and they have WPA1 still enabled


# 1.132 16-Jul-2018 phessler

don't save or use auto-join when the card is not in station (aka client) mode

OK stsp@


# 1.131 13-Jul-2018 phessler

Some more checks before auto-join switches networks.

Make sure all of the crypto options the AP announces matches what we
would configure. While here, don't switch if the user has specified
a specific BSSID, and the new AP does not match.

OK stsp@


# 1.130 11-Jul-2018 phessler

Introduce 'auto-join' to the wifi 802.11 stack.

This allows a system to remember which ESSIDs it wants to connect to, any
relevant security configuration, and switch to it when the network we are
currently connected to is no longer available.

Works when connecting and switching between WPA2/WPA1/WEP/clear encryptions.

example hostname.if:
join home wpakey password
join work wpakey mekmitasdigoat
join open-lounge
join cafe wpakey cafe2018
join "wepnetwork" nwkey "12345"
dhcp
inet6 autoconf
up

OK stsp@ reyk@
and enthusiasm from every hackroom I've been in for the last 3 years


# 1.129 28-Apr-2018 stsp

When starting a background scan, free the nodes table to ensure we
get an up-to-date view of APs around us. In particular, we need to
kick out the AP we are associated to. Otherwise, our current AP might
stay cached if it is turned off while we are scanning, and we could
end up picking a now non-existent but "good looking" AP over and over.

found with and ok phessler@


# 1.128 27-Apr-2018 stsp

Fix the scan loop: We were only looking for an AP once and stopped
scanning if none was found.
Accidentally broken in recent ifconfig scan changes by pirofti and me.
ok pirofti


# 1.127 26-Apr-2018 pirofti

net80211: stub SIOCS80211SCAN, make ifconfig scan instant.

The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stsp@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.

The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.

In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.

The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...

Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.

Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).

Tested by mpi@, landry@, florian@, thanks!
OK mpi@.


Revision tags: OPENBSD_6_3_BASE
# 1.126 06-Feb-2018 phessler

convert the test if a node support HT (aka, 11n) into an inline function,
instead of testing some un-obvious bitfield

OK stsp@


# 1.125 12-Dec-2017 stsp

Don't dereference IEEE80211_CHAN_ANYC pointer in ieee80211_node_checkrssi().

Problem reported by Gregoire Jadi on bugs@


# 1.124 12-Dec-2017 phessler

Allow interfaces that aren't SCANNALLBAND drivers to benefit from the
strongest received signal.

OK stsp@


# 1.123 12-Dec-2017 jcs

Fix the behavior of preferring weaker-but-still-good 5Ghz APs over
2Ghz APs because the 5Ghz band is generally less saturated.

The previous implementation was dependent upon the order of walking
APs.

ok stsp


# 1.122 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


Revision tags: OPENBSD_6_2_BASE
# 1.121 05-Sep-2017 stsp

When starting a new scan always set the mode to AUTO if the driver scans
all bands at once. Fixes a problem where e.g. 5GHz APs were filtered out
if we were previously associated to an 11g-only AP.
ok mpi@ phessler@


# 1.120 17-Aug-2017 stsp

Add an entry to dmesg if pairwise WPA keys arrive unexpectedly or if WPA
group keys are being reused. OpenBSD wireless clients will now leave a
trail of such events in their message log.

There has been increased public scrutiny of WPA's security recently, so
I am curious to see if anyone is attempting replay attacks in the wild.

ok deraadt
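
The two conditions 1.120 logs, shown as an added example rather than
net80211's own code: a supplicant records whether a PTK is installed and
which GTK it holds, so a second pairwise key install without a
reassociation, or a group key that arrives again with the same key id
and material, can be reported. The struct, the function names, the
replay-counter check and the constructed event sequence in wpa_demo()
are assumptions for this example.

```c
#include <stdint.h>
#include <string.h>

#define GTK_LEN	16	/* CCMP group key length */

/*
 * Constructed supplicant-side key state; field and function names are
 * assumptions for this example, not net80211's.
 */
struct wpa_keystate {
	int		ptk_installed;
	int		gtk_installed;
	uint8_t		gtk_id;
	uint8_t		gtk[GTK_LEN];
	uint64_t	replay_counter;	/* last accepted EAPOL-Key replay counter */
};

enum key_event {
	KEY_OK = 0,
	KEY_REPLAYED,		/* EAPOL-Key replay counter did not advance */
	KEY_UNEXPECTED_PTK,	/* pairwise key install while a PTK is in place */
	KEY_GTK_REUSED		/* group key re-sent with identical id and material */
};

/* Assumed check: an EAPOL-Key frame must carry a larger replay counter. */
static enum key_event
wpa_check_replay(struct wpa_keystate *ks, uint64_t replay)
{
	if (replay <= ks->replay_counter)
		return KEY_REPLAYED;
	ks->replay_counter = replay;
	return KEY_OK;
}

/* Message 3 of the 4-way handshake processed: install the pairwise key. */
enum key_event
wpa_install_ptk(struct wpa_keystate *ks, uint64_t replay)
{
	enum key_event ev = wpa_check_replay(ks, replay);

	if (ev != KEY_OK)
		return ev;
	if (ks->ptk_installed)
		return KEY_UNEXPECTED_PTK;	/* log it: one PTK per association */
	ks->ptk_installed = 1;
	return KEY_OK;
}

/* Group key handshake message 1 processed: install (or refuse) the GTK. */
enum key_event
wpa_install_gtk(struct wpa_keystate *ks, uint64_t replay, uint8_t id,
    const uint8_t gtk[GTK_LEN])
{
	enum key_event ev = wpa_check_replay(ks, replay);

	if (ev != KEY_OK)
		return ev;
	if (ks->gtk_installed && ks->gtk_id == id &&
	    memcmp(ks->gtk, gtk, GTK_LEN) == 0)
		return KEY_GTK_REUSED;	/* log it: reinstalling resets the PN */
	ks->gtk_installed = 1;
	ks->gtk_id = id;
	memcpy(ks->gtk, gtk, GTK_LEN);
	return KEY_OK;
}

/* Deauth/disassoc: flush keys so the next handshake is expected again. */
void
wpa_keystate_reset(struct wpa_keystate *ks)
{
	memset(ks, 0, sizeof(*ks));
}

/*
 * Constructed event sequence: a normal handshake, then a retransmitted
 * message 3, a re-sent group key and a replayed frame. Returns the number
 * of events a client would have written to its message log.
 */
int
wpa_demo(void)
{
	static const uint8_t gtk[GTK_LEN] = {
		0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04,
		0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c
	};
	struct wpa_keystate ks;
	int logged = 0;

	wpa_keystate_reset(&ks);
	logged += wpa_install_ptk(&ks, 1) != KEY_OK;
	logged += wpa_install_gtk(&ks, 2, 1, gtk) != KEY_OK;
	logged += wpa_install_ptk(&ks, 3) != KEY_OK;		/* unexpected PTK */
	logged += wpa_install_gtk(&ks, 4, 1, gtk) != KEY_OK;	/* GTK reused */
	logged += wpa_install_gtk(&ks, 4, 1, gtk) != KEY_OK;	/* replayed */
	return logged;
}
```

Only the returned event is shown here; in a kernel the caller would turn
each non-KEY_OK value into a printf() line naming the BSSID, which is the
trail of events the commit message describes.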


# 1.119 04-Aug-2017 stsp

Compile a debug printf in ieee80211_match_bss() by default, previously
guarded by the IEEE80211_DEBUG preprocessor flag. This shows one line
per detected AP after a scan, and indicates which APs are considered
candidates for association.
Shorten the output a bit to fit into 80 columns more likely.
ok sthen@


# 1.118 19-Jul-2017 stsp

Improve the heuristic which selects 5GHz APs over 2GHz APs.

The previous code wasn't quite right: it didn't account for the fact that
some drivers don't set ic_max_rssi, and it compared 5GHz APs to a threshold
relative to the max RSSI, rather than comparing RSSI on 5GHz relative to
RSSI on 2GHz.

This heuristic is only used by SCANNALLBAND drivers: iwn(4), iwm(4), wpi(4)

In the future the AP selection heuristic should be made more intelligent,
e.g. it should take BSS load information in beacons into account.
Another open problem is inconsistent representation of RSSI measurement
values throughout our drivers and stack. Help is welcome!

For now, this hopefully improves AP selection at busy airports.

ok sthen@ deraadt@


# 1.117 04-Jun-2017 tb

Add sizes for free for the RSN IEs. Rewrite ieee80211_save_ie() slightly
to make it more readable.

help, many explanations and ok stsp


# 1.116 03-Jun-2017 tb

Add a few sizes to free().

Input, help & ok stsp


Revision tags: OPENBSD_6_1_BASE
# 1.115 04-Mar-2017 stsp

branches: 1.115.4;
In 11n hostap mode, dynamically adjust HT protection settings based on
the presence of non-HT nodes in the node cache.
OpenBSD 11n APs will now disable HT protection if it is not necessary.
ok mpi@


# 1.114 03-Feb-2017 stsp

Fix 11b clients sending bogus ratesets in association requests. The common
rateset with the AP is calculated only after the association response was
received, which is too late. Fix rates when an AP is selected after a scan.
ok mpi@ tb@


# 1.113 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.112 16-Jan-2017 stsp

Reset block ack state and cancel related timeouts when a HT node disassociates.
The existing code (from damien@) already took care of freeing related buffers
but because block ack state was not reset we were still trying to use these
buffers if the node sent another A-MPDU. This problem only affects 11n hostap.
Fixes kernel crash reported by Timo Myyra on bugs@


# 1.111 09-Jan-2017 stsp

When a HT node leaves or reassociates as a non-HT node,
clear HT capabilities stored in its node cache object.

A node may switch from 11n mode to 11a/b/g mode.
If we don't clear HT capabilities from the cache the node will
be mistaken as 11n-capable after reassociation.

ok phessler@ mpi@


# 1.110 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.109 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.108 09-Jan-2017 stsp

The point of ieee80211_node_leave() is to place the node in COLLECT state.
Return early and do nothing if the node is already in COLLECT state upon
entry to this function.


# 1.107 09-Jan-2017 stsp

When acting as hostap, negotiate HT before calling the driver's ic_newassoc()
function, not afterwards. Drivers now know whether a joining node supports HT
which helps with setting up state such as which Tx rate to use.


# 1.106 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@


# 1.105 15-Sep-2016 dlg

move from RB macros to the RBT functions.

shaves about 5k off an amd64 GENERIC.MP kernel


# 1.104 17-Aug-2016 stsp

If a wireless device or driver scans all bands at once give 5GHz APs
a slight priority in cases where good matches exist in either band.
ok sthen@


Revision tags: OPENBSD_6_0_BASE
# 1.103 21-May-2016 stsp

branches: 1.103.2;
Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


# 1.102 18-May-2016 stsp

In hostap mode, don't re-use association IDs (AIDs) of nodes which are
still lingering in the node cache. This could cause an AID to be assigned
twice, once to a newly associated node and once to a different node in
COLLECT cache state (i.e. marked for future eviction from the node cache).

Drivers (e.g. rt2860) may use AIDs to keep track of nodes in firmware
tables and get confused when AIDs aren't unique across the node cache.
The symptom observed with rt2860 were nodes stuck at 1 Mbps Tx rate since
the duplicate AID made the driver perform Tx rate (AMRR) accounting on
the wrong node object.

To find out if a node is associated we now check the node's cache state,
rather than comparing the node's AID against zero. An AID is assigned when
a node associates and it lasts until the node is eventually purged from the
node cache (previously, the AID was made available for re-use when the node
was placed in COLLECT state). There is no need to be stingy with AIDs since
the number of possible AIDs exceeds the maximum number of nodes in the cache.

Problem found by Nathanael Rensen.
Fix written by Nathanael and myself. Tested by Nathanael.
Committing now to get this change tested across as many drivers as possible.


# 1.101 12-Apr-2016 mpi

Call if_enqueue() and if_start() instead of dereferencing the ifp
pointers.

These functions have been introduced to abstract some of the MP-
safeness^Wmadness and should be used everywhere.

Prodded by a comment from jsg@.

ok mikeb@, stsp@


# 1.100 03-Mar-2016 gerhard

Restore assignment of ic_curmode that was accidentally removed when
moving the ERP code to post-assoc phase. Fixes iwi(4) fatal firmware
errors.

ok stsp@, sobrado@


Revision tags: OPENBSD_5_9_BASE
# 1.99 25-Jan-2016 stsp

branches: 1.99.2;
Honour ERP protection on 2 GHz channels in 11n mode, as done for 11g.
ok millert@


# 1.98 25-Jan-2016 stsp

Don't try to interpret htprot data if the last beacon didn't contain such data.
ok mpi@ millert@


# 1.97 07-Jan-2016 stsp

Make the A-MPDU reordering buffer more resilient against APs which drop
some subframes or let the sequence number jump up by more than 1 (hard
to tell which it is). We decrease the BA inactivity timeout for quicker
recovery from stalled BA sessions, and add a new timeout which keeps track
of gaps in the subframe sequence number space due to dropped frames.
Gaps expire after 500 msec, the same value FreeBSD uses for their
implementation of this workaround. And Linux uses this trick, too.

This should fix network stalls some people have been seeing in 11n mode.

ok deraadt@
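
A simplified receive reorder buffer with the gap timeout 1.97 describes,
added here as an illustration and not the net80211 implementation:
subframes ahead of the next expected sequence number are buffered in a
64-slot window and delivered in order as the holes fill; if the hole at
the head of the window is still open after 500 ms, the missing subframes
are given up on and the buffered ones behind them are released. BA_WIN,
the int payloads, the simulated millisecond clock and the function names
are assumptions for this example.

```c
#include <stdint.h>
#include <string.h>

#define BA_WIN		64		/* assumed BlockAck window size */
#define SEQ_MOD		4096		/* 802.11 sequence numbers are 12 bits */
#define GAP_TIMEOUT_MS	500		/* gap expiry, the value named in 1.97 */

/*
 * Constructed receive-side BlockAck state; names are assumptions for this
 * example. BA_WIN divides SEQ_MOD, so seq % BA_WIN is a stable slot index
 * across 12-bit wraparound.
 */
struct ba_rx {
	uint16_t	head;		/* next expected sequence number */
	int		filled[BA_WIN];	/* slot holds a buffered frame */
	int		frame[BA_WIN];	/* constructed payload: one int per frame */
	int		nbuf;		/* frames currently buffered */
	int		have_gap;	/* head slot empty but later slots are not */
	uint64_t	gap_since;	/* ms when the current gap was first seen */
};

static uint16_t
seq_sub(uint16_t b, uint16_t a)
{
	return (b - a) & (SEQ_MOD - 1);
}

void
ba_init(struct ba_rx *ba, uint16_t start)
{
	memset(ba, 0, sizeof(*ba));
	ba->head = start;
}

/* Deliver frames from head while the slots are contiguously filled. */
static int
ba_flush_contiguous(struct ba_rx *ba, int *out, int maxout)
{
	int n = 0;

	while (n < maxout && ba->filled[ba->head % BA_WIN]) {
		int i = ba->head % BA_WIN;

		out[n++] = ba->frame[i];
		ba->filled[i] = 0;
		ba->nbuf--;
		ba->head = (ba->head + 1) & (SEQ_MOD - 1);
	}
	return n;
}

/* Start the gap timer when a hole appears at a (new) head position. */
static void
ba_update_gap(struct ba_rx *ba, int delivered, uint64_t now_ms)
{
	if (ba->nbuf == 0)
		ba->have_gap = 0;
	else if (!ba->have_gap || delivered > 0) {
		ba->have_gap = 1;
		ba->gap_since = now_ms;
	}
}

/*
 * A-MPDU subframe received. Delivered payloads are written to out[] in
 * order; returns how many (0 if the frame was buffered or dropped).
 */
int
ba_input(struct ba_rx *ba, uint16_t seq, int payload, uint64_t now_ms,
    int *out, int maxout)
{
	uint16_t off = seq_sub(seq, ba->head);
	int n = 0, k, i;

	if (off >= SEQ_MOD / 2)
		return 0;			/* behind head: old or duplicate */
	if (off >= BA_WIN) {
		/* Sender jumped past the window: drain what we have, in
		 * order and skipping holes, then restart the window at seq. */
		for (k = 0; k < BA_WIN && n < maxout; k++) {
			i = ba->head % BA_WIN;
			if (ba->filled[i]) {
				out[n++] = ba->frame[i];
				ba->filled[i] = 0;
				ba->nbuf--;
			}
			ba->head = (ba->head + 1) & (SEQ_MOD - 1);
		}
		ba->head = seq;
		off = 0;
	}
	i = (ba->head + off) % BA_WIN;
	if (ba->filled[i])
		return 0;			/* duplicate inside the window */
	ba->filled[i] = 1;
	ba->frame[i] = payload;
	ba->nbuf++;
	n += ba_flush_contiguous(ba, out + n, maxout - n);
	ba_update_gap(ba, n, now_ms);
	return n;
}

/*
 * Periodic timeout: if the hole at head has been open for GAP_TIMEOUT_MS,
 * give up on the missing subframes and release what is buffered behind them.
 */
int
ba_timeout(struct ba_rx *ba, uint64_t now_ms, int *out, int maxout)
{
	int n, k;

	if (!ba->have_gap || now_ms - ba->gap_since < GAP_TIMEOUT_MS)
		return 0;
	for (k = 0; k < BA_WIN && !ba->filled[ba->head % BA_WIN]; k++)
		ba->head = (ba->head + 1) & (SEQ_MOD - 1);
	n = ba_flush_contiguous(ba, out, maxout);
	ba_update_gap(ba, 1, now_ms);	/* any remaining hole is a new one */
	return n;
}
```

The trade-off is the one the commit message names: a shorter timeout
recovers faster from an AP that silently drops a subframe, at the cost of
delivering out of order if the frame was merely late. Frames that arrive
after the gap expired fall behind head and are dropped as old.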


# 1.96 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.95 04-Jan-2016 stsp

While configuring ERP we need to know if we're in 11a or 11g mode so only
configure ERP once we are sure about our operation mode against the AP.
ok sthen jasper kettenis deraadt mpi


# 1.94 18-Dec-2015 sthen

unnoccupied->unoccupied


# 1.93 12-Dec-2015 stsp

Finish support for receiving 11n A-MPDUs.

The initial implementation was added by damien@ years ago.
Summary of the changes made in this commit:
- In ieee80211_input(), process A-MPDUs before duplicate detection.
- Don't forget to set ba->ba_ni in ieee80211_recv_addba_req()
so we don't crash in ieee80211_rx_ba_timeout().
- In ieee80211_recv_addba_req(), tweak the logic to deny BlockAck
requests if the driver has no callback for doing so.
- Implement ieee80211_ba_del() which cleans up BlockAck state.
- Increase the minimum and maximum lifetime for BlockAck agreements.

ok mpi@


# 1.92 24-Nov-2015 mpi

No need to include <net/if_arp.h>

This header is only needed because <netinet/if_ether.h> declares a
structure that needs it. But it turns out that <net/if.h> already
includes it as workaround.

A proper solution would be to stop declaring "struct ether_arp"
there. But no driver should need this header.


# 1.91 15-Nov-2015 stsp

Parse 11n HT capabilities and operational info from association response
frames, negotiate HT with the AP, and move the interface into or out of
11n mode accordingly. If running as AP negotiate HT with nodes joining the BSS.

ok deraadt mpi kettenis guenther


# 1.90 15-Nov-2015 stsp

Extend struct ieee80211_node with fields for 11n STA HT capabilities and
HT operational information sent by 11n APs. These fields reflect the structure
of elements in management frames so that IEEE80211_HTCAP* and IEEE80211_HTOP*
macros designed to operate on frame elements can be used directly to read
or set the fields.

Populate nodes with HT information received in probe responses, probe
requests, and association requests.

ok deraadt mpi phessler kettenis guenther


# 1.89 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


Revision tags: OPENBSD_5_8_BASE
# 1.88 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.87 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.86 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.85 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.84 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.83 12-Sep-2014 sthen

Remove cached 802.11 nodes in IEEE80211_STA_CACHE state (these are nodes
which have been seen but which haven't otherwise interacted with us), fixing
a problem where old cached nodes are seen when doing a scan.
From Marcin Piotr Pawlowski, feedback stsp@ ok kspillner@ dcoppa@


# 1.82 08-Aug-2014 jasper

use nitems() instead of various local constructs

ok stsp@


Revision tags: OPENBSD_5_6_BASE
# 1.81 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


Revision tags: OPENBSD_5_5_BASE
# 1.80 01-Dec-2013 stsp

Reset txrate array index after changing a node's rate list.
Should prevent "bogus xmit rate %d setup" panics, which I ran into again
in IBSS mode.
ok kettenis


# 1.79 21-Nov-2013 mpi

Remove unneeded include.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.78 24-Mar-2013 claudio

Make ieee80211_set_tim() available from outside of ieee80211_node.c
so drivers like acx(4) can use that function directly instead of
reimplementing the function again. Requested by kettenis@ long time ago.


Revision tags: OPENBSD_5_3_BASE
# 1.77 07-Nov-2012 stsp

Fix DPRINTF() format string treating n->ni_refcnt, which is unsigned, as signed.
diff from dhill; ok kettenis reyk


# 1.76 10-Oct-2012 kettenis

Clear the powersave flag and purge queued packets when a node leaves the AP
(either by disassociating or by timeout). Fixes (most) remaining issues with
power saving.

From Nathanael Rensen.

ok claudio@, krw@, sthen@


# 1.75 05-Oct-2012 camield

Point an interface directly to its bridgeport configuration, instead
of to the bridge itself. This is ok, since an interface can only be part
of one bridge, and the parent bridge is easy to find from the bridgeport.

This way we can get rid of a lot of list walks, improving performance
and shortening the code.

ok henning stsp sthen reyk


# 1.74 20-Sep-2012 stsp

Nuke M_80211_NODE #define which mapped to M_DEVBUF and use M_DEVBUF directly.
ok henning


# 1.73 25-Aug-2012 kettenis

Set up ni_savedq for the initial BSS node such that it can actually be used
to store multicast frames when one of the associated stations is in power
saving mode.

ok stsp@


# 1.72 17-Aug-2012 stsp

Fix possible panic while switching from STA mode into hostap/ibss modes.
ieee80211_create_ibss() resets the set of supported rates but failed
to update the index into the rate set array accordingly. If the rate
configured during STA operation didn't belong to the newly configured
rate set the system ran into an assertion ("bogus xmit rate %u setup")
while trying to create the IBSS.
ok fgsch@


Revision tags: OPENBSD_5_2_BASE
# 1.71 18-Jul-2012 stsp

Print messages about nodes purged from the node cache if hostap/ibss modes are
compiled in and the interface is in debug mode. ok sthen


# 1.70 16-Jul-2012 stsp

Move increment of ic_nnodes closer to where the node is actually inserted
into the cache. Make sure we're at IPL_NET while incrementing/decrementing
ic_nnodes. Add a debug message that warns about possible node leaks.
All of this affects hostap mode only.


# 1.69 13-Jul-2012 stsp

Tweak node cache eviction strategy when the cache is full: kick off new nodes
in AUTH state that weren't active during the cache wait interval rather than
keeping them for the entire cache timeout interval. Fixes association failures
in noisy RF environments. Tested by edd and myself with a slow soekris
suffering from RF noise with about 50 interrupts per second on ral0.
ok deraadt


Revision tags: OPENBSD_5_1_BASE
# 1.68 25-Jan-2012 stsp

There is no need to explicitly skip ic_bss when iterating over cached nodes.
The ic_bss is never put into the RB tree.


# 1.67 25-Jan-2012 stsp

Clean inactive authenticated nodes during cache timeout as well.
There is no need to keep nodes cached which never associated and were
inactive within the last 5 minutes or more. Keeps the node cache pretty
clean in my environment with typical city-center wlan noise.


# 1.66 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@


# 1.65 21-Jan-2012 stsp

Hold interrupts blocked while comparing a cached node's refcount to zero
and freeing the node. Just in case an interrupt happens to ref the node after
the refcount was checked but before the node is freed.
Tested by several as part of a larger diff.


# 1.64 18-Jan-2012 stsp

Make it possible to free cached nodes which never associated (e.g. nodes
only scanning for networks). These were never put into COLLECT state and
were thus never evicted from the node cache in hostap mode.
ok jsg@


Revision tags: OPENBSD_5_0_BASE
# 1.63 28-Mar-2011 kettenis

Clean nodes until the number of cached nodes is smaller than the maximum number
of nodes, otherwise we'll never actually clean any nodes. Fixes issues with
clients failing to attach because the node cache is completely filled.

ok damien@
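
The hostap node cache eviction rules described in 1.69, 1.67, 1.66 and
1.63 above (a node is inactive after 5 minutes without a frame; inactive
nodes that never associated are cleared periodically; when the cache is
full, a cached-only node, an inactive authenticated or associated node,
or an authenticated newcomer idle for the shorter wait interval is
evicted; and cleaning continues until the count is below the maximum),
as an added example written for this log rather than the stack's own
code. The tiny CACHE_MAX, the CACHE_WAIT value, the pass order and the
state names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CACHE_MAX	4	/* tiny cache for the demonstration (assumption) */
#define INACT_TIMEOUT	300	/* seconds without a frame before a node is inactive */
#define CACHE_WAIT	60	/* seconds: grace period for AUTH newcomers (assumed) */

/* CACHE = seen only, AUTH = authenticated but not associated,
 * ASSOC = associated client. Names are assumptions for this example. */
enum node_state { NODE_FREE = 0, NODE_CACHE, NODE_AUTH, NODE_ASSOC };

struct node {
	enum node_state	state;
	uint8_t		macaddr[6];
	uint64_t	last_rx;	/* time of the last frame sent or received */
};

struct node_cache {
	struct node	n[CACHE_MAX];
	int		count;
};

static int
node_inactive(const struct node *ni, uint64_t now)
{
	return now - ni->last_rx >= INACT_TIMEOUT;
}

static void
node_free(struct node_cache *nc, struct node *ni)
{
	memset(ni, 0, sizeof(*ni));
	nc->count--;
}

struct node *
node_cache_find(struct node_cache *nc, const uint8_t *mac)
{
	int i;

	for (i = 0; i < CACHE_MAX; i++)
		if (nc->n[i].state != NODE_FREE &&
		    memcmp(nc->n[i].macaddr, mac, 6) == 0)
			return &nc->n[i];
	return NULL;
}

/* Periodic cleanup: drop inactive nodes that never associated. */
int
node_cache_timeout(struct node_cache *nc, uint64_t now)
{
	int i, freed = 0;

	for (i = 0; i < CACHE_MAX; i++) {
		struct node *ni = &nc->n[i];

		if ((ni->state == NODE_CACHE || ni->state == NODE_AUTH) &&
		    node_inactive(ni, now)) {
			node_free(nc, ni);
			freed++;
		}
	}
	return freed;
}

/*
 * Cache full: evict until count < CACHE_MAX. Pass order is an assumption:
 * 0 = any cached-only node, 1 = inactive AUTH/ASSOC node, 2 = AUTH node
 * idle for CACHE_WAIT. Active associated clients are never evicted.
 */
int
node_cache_make_room(struct node_cache *nc, uint64_t now)
{
	int pass, i, freed = 0;

	for (pass = 0; pass < 3 && nc->count >= CACHE_MAX; pass++) {
		for (i = 0; i < CACHE_MAX && nc->count >= CACHE_MAX; i++) {
			struct node *ni = &nc->n[i];
			int victim = 0;

			switch (pass) {
			case 0:
				victim = ni->state == NODE_CACHE;
				break;
			case 1:
				victim = (ni->state == NODE_AUTH ||
				    ni->state == NODE_ASSOC) &&
				    node_inactive(ni, now);
				break;
			case 2:
				victim = ni->state == NODE_AUTH &&
				    now - ni->last_rx >= CACHE_WAIT;
				break;
			}
			if (victim) {
				node_free(nc, ni);
				freed++;
			}
		}
	}
	return freed;
}

/* Insert a node, making room first if needed. NULL if every entry is
 * an active client that must not be evicted. */
struct node *
node_cache_alloc(struct node_cache *nc, const uint8_t *mac,
    enum node_state st, uint64_t now)
{
	int i;

	if (nc->count >= CACHE_MAX)
		node_cache_make_room(nc, now);
	if (nc->count >= CACHE_MAX)
		return NULL;
	for (i = 0; i < CACHE_MAX; i++) {
		if (nc->n[i].state == NODE_FREE) {
			nc->n[i].state = st;
			memcpy(nc->n[i].macaddr, mac, 6);
			nc->n[i].last_rx = now;
			nc->count++;
			return &nc->n[i];
		}
	}
	return NULL;
}
```

The point 1.63 makes is the loop condition in node_cache_make_room(): a
cleanup that only runs while count exceeds the maximum never frees
anything once the cache is exactly full, so new clients can never join.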


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.62 07-Aug-2010 krw

No "\n" needed at the end of panic() strings.

Bogus chunks pointed out by matthew@ and miod@. No cookies for
marco@ and jasper@.

ok deraadt@ miod@ matthew@ jasper@ macro@


# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


# 1.60 19-Jun-2010 damien

In ieee80211_node_leave(), clear the associd after calling
ieee80211_node_leave_rsn() since ieee80211_node_leave_rsn()
calls ic_delete_key() and drivers like ral(4) RT2860 need
a valid associd in their delete_key callbacks.
This affects HostAP mode only.

from Nathanael Rensen.

remove a useless (nested) #ifndef IEEE80211_STA_ONLY while i'm here


# 1.59 14-Jun-2010 damien

fix my previous commit, i forgot BIP, so instead of enumerating
what is not supported as a group cipher, enumerate what is supported.


# 1.58 14-Jun-2010 damien

do not try to associate with an AP using an unsupported group cipher,
otherwise we will panic in ieee80211_add_rsn_body().

this may be the cause of a panic seen by reyk@ though i'm not 100% sure.


# 1.57 28-Mar-2010 krw

Four uses of uninitialized variables found by clang via jsg@. ar5416, ar9287
and athn are only theoretically interesting. ieee80211_node fixes a real
bug in occupied channel detection.

ok damien@


Revision tags: OPENBSD_4_7_BASE
# 1.56 17-Feb-2010 damien

Do not always create a new node when a beacon or a probe response
is received. The creation of a new node is already handled in
ieee80211_recv_probe_resp() when necessary.
This avoids creating empty nodes with wrong channels when beacons
are received on the wrong channel (overlapping channels).
Those empty nodes may also prevent the real node from being
discovered because of ieee80211_find_node_for_beacon() filtering.

This should prevent entries of the form:
nwid "" chan 3 bssid 00:01:02:03:04:05 0dB 54M
in "ifconfig if0 scan" output, like reported by Rivo Nurges.


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.55 29-Jan-2009 damien

fix a panic that occurs when IEEE80211_STA_ONLY is defined (SMALL_KERNEL).

noticed by ray@, more investigation from sthen@
fix tested by sthen@


# 1.54 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.53 28-Jan-2009 damien

In ieee80211_find_node(), roll our own RB_FIND() based on the key (macaddr)
instead of resorting to horrid hacks/casts.
Restore the ieee80211_node structure back to its original state.


# 1.52 27-Jan-2009 damien

unbreak SMALL_KERNEL builds by adding missing #ifndef IEEE80211_STA_ONLY

pointed out by krw@


# 1.51 26-Jan-2009 damien

move ni_macaddr field to the top of the ieee80211_node structure.
this way we can avoid putting a full node structure (which is huge)
on the stack in ieee80211_find_node().
this is a bit tricky but the RB_FIND macro wants an "elem" structure,
not a field of "elem".


# 1.50 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.49 14-Dec-2008 damien

Add an ieee80211_notify_dtim() function that drivers should call after
every DTIM in HostAP mode.
Flushes all group addressed MSDUs buffered at the AP for power management.


# 1.48 23-Oct-2008 mk

Prevent a crash in ieee80211_setkeys() when unplugging an interface in
hostap mode by canceling the group rekey timeout in ieee80211_node_detach().

ok damien


# 1.47 15-Oct-2008 blambert

Second pass of simple timeout_add -> timeout_add_sec conversions
This should take care of the simpler ones (i.e., timeout values of
integer multiples of hz).

ok krw@, art@


# 1.46 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.45 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.44 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.43 12-Aug-2008 damien

new SHA-256 based AKMPs.


# 1.42 12-Aug-2008 damien

add/process group integrity cipher suite in RSN IEs.
add support for MFP negotiation during association.


# 1.41 12-Aug-2008 damien

the only integrity group cipher currently supported is AES-128-CMAC.


# 1.40 12-Aug-2008 damien

generate a random IGTK in HostAP mode if we're MFP-capable.


# 1.39 12-Aug-2008 damien

get rid of the map_ptk()/map_gtk() functions, just inline them
which makes things easier to track.


Revision tags: OPENBSD_4_4_BASE
# 1.38 02-Aug-2008 damien

Drop frames that are received unencrypted when WEP is on or when
WPA is on and RX protection for TA is on.
Keep track of the TX/RX protection for each node when WPA is on.

tested by djm@ (ral+wpa), ckuethe@ (ath-noenc) and krw@ (wpi<->ral+wpa).
hints from bluhm@
has been in snaps for a few days.

pointed out by bluhm@ something like 1 year ago but we did not have
the right infrastructure to fix it properly at that time.

ok deraadt@


# 1.37 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.36 27-Jul-2008 damien

s/IEEE80211_DPRINTF/DPRINTF/
automatically prepend __func__ to output.

deobfuscates debug messages a bit.
no binary change unless compiled with IEEE80211_DEBUG.


# 1.35 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.34 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


# 1.33 21-Apr-2008 damien

move ieee80211_ibss_merge() from ieee80211_input.c to ieee80211_node.c


# 1.32 21-Apr-2008 damien

move ieee80211_auth_open() to ieee80211_proto.c
move ieee80211_setup_rates() to ieee80211_node.c
move some prototypes from ieee80211_proto.h to ieee80211_crypto.h


# 1.31 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.30 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.29 07-Sep-2007 damien

use new malloc M_ZERO flag + replace MALLOC with malloc


Revision tags: OPENBSD_4_2_BASE
# 1.28 06-Jul-2007 damien

remove remaining bits for pre-RSNA shared authmode support.
it has been #if 0'd since 3.9 and we have never supported this mode (no
ifconfig option etc...).


# 1.27 06-Jul-2007 damien

initialize an uninitialized variable.


# 1.26 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.25 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.24 16-Jun-2007 damien

constify


# 1.23 16-Jun-2007 damien

don't mix u_int{8,16,32}_t and uint{8,16,32}_t
use u_int{8,16,32}_t everywhere.


# 1.22 16-Jun-2007 damien

de-static

ok jsg@


# 1.21 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.20 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


# 1.19 10-Apr-2007 miod

``it's'' -> ``its'' when the grammar gods require this change.


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 13-Nov-2006 damien

fix a possible NULL deref.


Revision tags: OPENBSD_4_0_BASE
# 1.16 19-Jun-2006 reyk

unbreak the code if compiled with IEEE80211_DEBUG by using the right
node attribute.

ok damien@, figured out by claudio@


# 1.15 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.14 19-Feb-2006 damien

Fix a comment in ieee80211_next_scan().


# 1.13 09-Oct-2005 reyk

if the wireless hostap interface belongs to a bridge, learn the node's
address dynamically on this interface after successful association.
this could speed wireless roaming to openbsd accesspoints.

ok jason@, jsg@ can't see anything objectionable


# 1.12 07-Oct-2005 reyk

minor knf


# 1.11 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.10 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.9 08-Sep-2005 jsg

Remove the last of the FreeBSD compatibility goop.
ok reyk@


# 1.8 08-Sep-2005 jsg

Remove FreeBSD if_printf compat function from net80211.
ok reyk@


# 1.7 08-Sep-2005 reyk

reset the scan state for each new mode

ok jsg@


# 1.6 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.5 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.4 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.3 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.2 02-Nov-2004 millert

Don't call memset() if MALLOC returns NULL; also fix the rcs ID.
From Patrick Latifi; OK reyk@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.167 31-May-2019 stsp

Revert my "Repair the 'ifconfig mode' command" commit.

The "recursion in end_scan()" problem is apparently still present in
the committed version of the diff (reported by krw@).


# 1.166 29-May-2019 stsp

Repair the 'ifconfig mode' command.

The 'mode' command is supposed to force a wireless interface into 11a/b/g/n
media mode. This stopped working some time ago, probably during my work on
background scanning. Problem spotted by mlarkin@ who noticed that interfaces
were using 11g mode while forced to 11b mode.

ok phessler, jmatthew


# 1.165 11-May-2019 stsp

Show driver name on net80211 scan debug lines.
ok mpi@


# 1.164 28-Apr-2019 mpi

Removes the KERNEL_LOCK() from bridge(4)'s output fast-path.

This redefines the ifp <-> bridge relationship. No lock can be
currently used across the multiples contexts where the bridge has
tentacles to protect a pointer, use an interface index.

Tested by various, ok dlg@, visa@


Revision tags: OPENBSD_6_5_BASE
# 1.163 15-Mar-2019 phessler

fix autojoin for WEP network by actually saving the WEP auth key

discovered while attempting to autojoin WEP networks


# 1.162 01-Mar-2019 stsp

Improve handling of HT protection for 'mode 11n' hostap.

Consider the mere presence of HTCAP IEs as indicator of 11n support,
rather than checking advertised Rx MCS. Fixes some devices being
misclassified as 11a/g, causing HT protection to be enabled even
though it is not needed.

Use CTS-to-self frames for HT protection instead of RTS/CTS.

These changes make my athn(4) AR9280 hostap perform much better.

ok phessler@


# 1.161 23-Jan-2019 stsp

Move 802.11n rateset definitions out of MiRA and make them available to
net80211 and drivers in general. Add ratesets for 'short guard interval'
(SGI) rates, and add SGI support to MiRA. SGI is currently only used by
iwm(4), and of course internally by bwfm(4) firmware.
Ratesets for 11n 40 MHz channels and 11ac will come later.
ok mpi@ phessler@


# 1.160 18-Jan-2019 phessler

add a len field when we delete an essid from the joinlist. this will have
us properly match, instead of hoping we got lucky when selecting it.

OK stsp@


# 1.159 18-Jan-2019 phessler

let users automatically use join to connect to any open wifi network.
if a known network is visible, always prefer that instead.

requested by many, OK stsp@


# 1.158 25-Nov-2018 phessler

print more details about the join'd networks we have saved when a user runs
ifconfig if joinlist

OK stsp@


# 1.157 20-Nov-2018 phessler

fix whitespace in debugging function


# 1.156 20-Nov-2018 patrick

The first packet received from each AP in each QoS class would be
dropped as the sequence number matches the initial value of the
cached last sequence number (zero). On some APs (notably Android
WIFI hotspots) this hits the first packet of the WPA2 4-way
handshake. This causes connection delays and in some cases
connection to the AP fails completely. Initialize the cached last
sequence numbers for received packets to an invalid value instead.

From Christian Ehrhardt
ok gerhard@ stsp@


# 1.155 27-Oct-2018 phessler

pass around the ess and ni structures we plan to use directly, instead
of rediscovering them (possibly badly).

OK stsp@


# 1.154 27-Oct-2018 phessler

clean up accounting of the AUTO_JOIN flag by making sure it is set or cleared
based on the state of the joinlist

OK stsp@


# 1.153 27-Oct-2018 phessler

don't join to a network where we expect cleartext, and the AP is using crypto

OK stsp@


Revision tags: OPENBSD_6_4_BASE
# 1.152 18-Sep-2018 mestre

fix memory leak in ieee80211_end_scan()

OK phessler@ jsg@


# 1.151 17-Sep-2018 jsg

fix memory leaks in ieee80211_add_ess()
ok stsp@ phessler@


# 1.150 11-Sep-2018 phessler

use the format string for signed ints, for signed ints

reminded by stsp@


# 1.149 11-Sep-2018 phessler

With the interface debug flag enabled, print a "score" for each AP we
consider during auto-join. This can help users determine why a specific
network was chosen.

OK stsp@


# 1.148 10-Sep-2018 phessler

fix typo in the length of the essid we want to switch to

found with and OK stsp@


# 1.147 10-Sep-2018 phessler

extract clearing WEP/WPA in ess into helper functions


# 1.146 10-Sep-2018 phessler

give set_ess a len variable, so we can correctly match the essid we want
to switch to.

pointed out by stsp@


# 1.145 09-Sep-2018 phessler

convert the things we save in 'join' into a single ioctl. mixing related
settings over multiple calls was risky and racy. Pass essid, wpa, and wep
parameters in a single ioctl and process it atomically.

no change for 'nwid' users

OK stsp@ benno@


# 1.144 06-Sep-2018 jsg

fix whitespace


# 1.143 01-Sep-2018 stsp

Make 'ifconfig nwid' override 'ifconfig join'.

There was no way to override a decision made by join's network
selection algorithm (apart from disabling the feature by clearing
the join list). Automatic selection is based on heuristics which
cannot always guess correctly so we need to provide an override.

One specific problem was that if 'nwid foo' and 'nwid bar' were
both visible in the scan and only 'nwid foo' was a member of the
join list, then there was no way at all to connect to 'nwid bar'.
The wireless stack would keep selecting 'nwid foo' instead.

'ifconfig iwm0 nwid bar' command will now disable automatic
network selection and force the use of ESSID 'bar'.
Any of these commands will re-enable automatic network selection:
ifconfig iwm0 -nwid
ifconfig iwm0 nwid ''
ifconfig iwm0 join some-network-id

ok phessler@ deraadt@


# 1.142 15-Aug-2018 stsp

Update AP selection heuristics for auto-join.

We now prefer stronger crypto over weaker crypto over none, prefer 5 GHz
band with reasonable RSSI, and use RSSI as a tie-breaker with a slight
advantage for 5GHz. Candidate APs are now ranked by a score which is
calculated based on these attributes.

There is likely room for improvements to make these heuristics
work well across many different environments, but it's a start.

ok phessler@


# 1.141 13-Aug-2018 stsp

Add support for band-steering access points to net80211.

Some access points have a feature called "band steering" where they
will try to push clients from 2 GHz channels to 5 GHz channels.
If a client sends probe-requests on both 2 GHz and 5GHz channels, and
then attempts to authenticate on a 2 GHz channel, such APs will deny
authentication and hope that the client will come back on a 5 GHz channel.

So if we fail to AUTH for any reason, and if there is a different
AP with the same ESSID that we haven't tried yet, try that AP next.
Keep trying until no APs are left, and only then continue scanning.

APs with support for this feature were provided by Mischa Peters.

ok phessler@ mpi@


# 1.140 11-Aug-2018 stsp

Add comment explaining why we read basic MCS set only from beacon/probereq.
requested by mpi@


# 1.139 07-Aug-2018 stsp

Ignore basic MCS set information found in association responses.

Some APs (Aruba 105) send a bogus basic MCS set in assoc responses
which prevents us from enabling 11n support with those APs, while
these APs still behave as if we were an 11n client which renders
the association unusable.

The basic MCS set is already provided in beacons anyway, and the
802.11 2012 standard says the basic MCS set is reserved in frames
other than beacons (see Table 8-130).

ok mpi@


# 1.138 06-Aug-2018 stsp

Refactor ieee80211_add_ess():

Drop ieee80211_add_ess's nwid parameter. Read nwid and length directly
from the ic to make it more obvious where this function is reading from.

nwids are binary data with an explicit length, so treat them as such
instead of treating them like strings.

ok florian phessler


# 1.137 06-Aug-2018 florian

Do not set nwid over and over again. We just found the ess by comparing
the nwid. It will not have changed in the meantime.
OK stsp


# 1.136 03-Aug-2018 phessler

revert 1.133 and part of 1.131
the stack doesn't always fill in the parameters correctly

reported by many


# 1.135 30-Jul-2018 stsp

Don't ask drivers to join a wifi network before an AP has been chosen.
Should fix a panic with bwfm(4) reported by mlarkin@
ok phessler@


# 1.134 19-Jul-2018 florian

ieee80211_ess_is_better() returns 0 or 1, comparing > 1 is always
false so we always selected the first wifi available, not the best
one.

While here shuffle some deck chairs to make it clearer that anything is
better than nothing.

tweak & OK phessler


# 1.133 16-Jul-2018 phessler

the AP sends their crypto parameters as a mask, so let us still select it
in case we want WPA2 and they have WPA1 still enabled


# 1.132 16-Jul-2018 phessler

don't save or use auto-join when the card is not in station (aka client) mode

OK stsp@


# 1.131 13-Jul-2018 phessler

Some more checks before auto-join switches networks.

Make sure all of the crypto options the AP announces matches what we
would configure. While here, don't switch if the user has specified
a specific BSSID, and the new AP does not match.

OK stsp@


# 1.130 11-Jul-2018 phessler

Introduce 'auto-join' to the wifi 802.11 stack.

This allows a system to remember which ESSIDs it wants to connect to, any
relevant security configuration, and switch to it when the network we are
currently connected to is no longer available.

Works when connecting and switching between WPA2/WPA1/WEP/clear encryptions.

example hostname.if:
join home wpakey password
join work wpakey mekmitasdigoat
join open-lounge
join cafe wpakey cafe2018
join "wepnetwork" nwkey "12345"
dhcp
inet6 autoconf
up

OK stsp@ reyk@
and enthusiasm from every hackroom I've been in for the last 3 years


# 1.129 28-Apr-2018 stsp

When starting a background scan, free the nodes table to ensure we
get an up-to-date view of APs around us. In particular, we need to
kick out the AP we are associated to. Otherwise, our current AP might
stay cached if it is turned off while we are scanning, and we could
end up picking a now non-existent but "good looking" AP over and over.

found with and ok phessler@


# 1.128 27-Apr-2018 stsp

Fix the scan loop: We were only looking for an AP once and stopped
scanning if none was found.
Accidentally broken in recent ifconfig scan changes by pirofti and me.
ok pirofti


# 1.127 26-Apr-2018 pirofti

net80211: stub SIOCS80211SCAN, make ifconfig scan instant.

The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stsp@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.

The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.

In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.

The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...

Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.

Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).

Tested by mpi@, landry@, florian@, thanks!
OK mpi@.


Revision tags: OPENBSD_6_3_BASE
# 1.126 06-Feb-2018 phessler

convert the test if a node support HT (aka, 11n) into an inline function,
instead of testing some un-obvious bitfield

OK stsp@


# 1.125 12-Dec-2017 stsp

Don't dereference IEEE80211_CHAN_ANYC pointer in ieee80211_node_checkrssi().

Problem reported by Gregoire Jadi on bugs@


# 1.124 12-Dec-2017 phessler

Allow interfaces that aren't SCANNALLBAND drivers to benefit from the
strongest received signal.

OK stsp@


# 1.123 12-Dec-2017 jcs

Fix the behavior of preferring weaker-but-still-good 5GHz APs over
2GHz APs because the 5GHz band is generally less saturated.

The previous implementation was dependent upon the order of walking
APs.

ok stsp


# 1.122 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


Revision tags: OPENBSD_6_2_BASE
# 1.121 05-Sep-2017 stsp

When starting a new scan always set the mode to AUTO if the driver scans
all bands at once. Fixes a problem where e.g. 5GHz APs were filtered out
if we were previously associated to an 11g-only AP.
ok mpi@ phessler@


# 1.120 17-Aug-2017 stsp

Add an entry to dmesg if pairwise WPA keys arrive unexpectedly or if WPA
group keys are being reused. OpenBSD wireless clients will now leave a
trail of such events in their message log.

There has been increased public scrutiny of WPA's security recently, so
I am curious to see if anyone is attempting replay attacks in the wild.

ok deraadt


# 1.119 04-Aug-2017 stsp

Compile a debug printf in ieee80211_match_bss() by default, previously
guarded by the IEEE80211_DEBUG preprocessor flag. This shows one line
per detected AP after a scan, and indicates which APs are considered
candidates for association.
Shorten the output a bit to fit into 80 columns more likely.
ok sthen@


# 1.118 19-Jul-2017 stsp

Improve the heuristic which selects 5GHz APs over 2GHz APs.

The previous code wasn't quite right: it didn't account for the fact that
some drivers don't set ic_max_rssi, and it compared 5GHz APs to a threshold
relative to the max RSSI, rather than comparing RSSI on 5GHz relative to
RSSI on 2GHz.

This heuristic is only used by SCANNALLBAND drivers: iwn(4), iwm(4), wpi(4)

In the future the AP selection heuristic should be made more intelligent,
e.g. it should take BSS load information in beacons into account.
Another open problem is inconsistent representation of RSSI measurement
values throughout our drivers and stack. Help is welcome!

For now, this hopefully improves AP selection at busy airports.

ok sthen@ deraadt@


# 1.117 04-Jun-2017 tb

Add sizes for free for the RSN IEs. Rewrite ieee80211_save_ie() slightly
to make it more readable.

help, many explanations and ok stsp


# 1.116 03-Jun-2017 tb

Add a few sizes to free().

Input, help & ok stsp


Revision tags: OPENBSD_6_1_BASE
# 1.115 04-Mar-2017 stsp

branches: 1.115.4;
In 11n hostap mode, dynamically adjust HT protection settings based on
the presence of non-HT nodes in the node cache.
OpenBSD 11n APs will now disable HT protection if it is not necessary.
ok mpi@


# 1.114 03-Feb-2017 stsp

Fix 11b clients sending bogus ratesets in association requests. The common
rateset with the AP is calculated only after the association response was
received, which is too late. Fix rates when an AP is selected after a scan.
ok mpi@ tb@


# 1.113 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.112 16-Jan-2017 stsp

Reset block ack state and cancel related timeouts when a HT node disassociates.
The existing code (from damien@) already took care of freeing related buffers
but because block ack state was not reset we were still trying to use these
buffers if the node sent another A-MPDU. This problem only affects 11n hostap.
Fixes kernel crash reported by Timo Myyra on bugs@


# 1.111 09-Jan-2017 stsp

When a HT node leaves or reassociates as a non-HT node,
clear HT capabilities stored in its node cache object.

A node may switch from 11n mode to 11a/b/g mode.
If we don't clear HT capabilities from the cache the node will
be mistaken as 11n-capable after reassociation.

ok phessler@ mpi@


# 1.110 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.109 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.108 09-Jan-2017 stsp

The point of ieee80211_node_leave() is to place the node in COLLECT state.
Return early and do nothing if the node is already in COLLECT state upon
entry to this function.


# 1.107 09-Jan-2017 stsp

When acting as hostap, negotiate HT before calling the driver's ic_newassoc()
function, not afterwards. Drivers now know whether a joining node supports HT
which helps with setting up state such as which Tx rate to use.


# 1.106 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@


# 1.105 15-Sep-2016 dlg

move from RB macros to the RBT functions.

shaves about 5k off an amd64 GENERIC.MP kernel


# 1.104 17-Aug-2016 stsp

If a wireless device or driver scans all bands at once give 5GHz APs
a slight priority in cases where good matches exist in either band.
ok sthen@


Revision tags: OPENBSD_6_0_BASE
# 1.103 21-May-2016 stsp

branches: 1.103.2;
Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


# 1.102 18-May-2016 stsp

In hostap mode, don't re-use association IDs (AIDs) of nodes which are
still lingering in the node cache. This could cause an AID to be assigned
twice, once to a newly associated node and once to a different node in
COLLECT cache state (i.e. marked for future eviction from the node cache).

Drivers (e.g. rt2860) may use AIDs to keep track of nodes in firmware
tables and get confused when AIDs aren't unique across the node cache.
The symptom observed with rt2860 were nodes stuck at 1 Mbps Tx rate since
the duplicate AID made the driver perform Tx rate (AMRR) accounting on
the wrong node object.

To find out if a node is associated we now check the node's cache state,
rather than comparing the node's AID against zero. An AID is assigned when
a node associates and it lasts until the node is eventually purged from the
node cache (previously, the AID was made available for re-use when the node
was placed in COLLECT state). There is no need to be stingy with AIDs since
the number of possible AIDs exceeds the maximum number of nodes in the cache.

Problem found by Nathanael Rensen.
Fix written by Nathanael and myself. Tested by Nathanael.
Committing now to get this change tested across as many drivers as possible.


# 1.101 12-Apr-2016 mpi

Call if_enqueue() and if_start() instead of dereferencing the ifp
pointers.

These functions have been introduced to abstract some of the MP-
safeness^Wmadness and should be use everywhere.

Prodded by a comment from jsg@.

ok mikeb@, stsp@


# 1.100 03-Mar-2016 gerhard

Restore assignment of ic_curmode that was accidentally removed when
moving the ERP code to post-assoc phase. Fixes iwi(4) fatal firmware
errors.

ok stsp@, sobrado@


Revision tags: OPENBSD_5_9_BASE
# 1.99 25-Jan-2016 stsp

branches: 1.99.2;
Honour ERP protection on 2 GHz channels in 11n mode, as done for 11g.
ok millert@


# 1.98 25-Jan-2016 stsp

Don't try to interpret htprot data if the last beacon didn't contain such data.
ok mpi@ millert@


# 1.97 07-Jan-2016 stsp

Make the A-MPDU reordering buffer more resilient against APs which drop
some subframes or let the sequence number jump up by more than 1 (hard
to tell which it is). We decrease the BA inactivity timeout for quicker
recovery from stalled BA sessions, and add a new timeout which keeps track
of gaps in the subframe sequence number space due to dropped frames.
Gaps expire after 500 msec, the same value FreeBSD uses for their
implementation of this workaround. And Linux uses this trick, too.

This should fix network stalls some people have been seeing in 11n mode.

ok deraadt@


# 1.96 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.95 04-Jan-2016 stsp

While configuring ERP we need to know if we're in 11a or 11g mode so only
configure ERP once we are sure about our operation mode against the AP.
ok sthen jasper kettenis deraadt mpi


# 1.94 18-Dec-2015 sthen

unnoccupied->unoccupied


# 1.93 12-Dec-2015 stsp

Finish support for receiving 11n A-MPDUs.

The initial implementation was added by damien@ years ago.
Summary of the changes made in this commit:
- In ieee80211_input(), process A-MPDUs before duplicate detection.
- Don't forget to set ba->ba_ni in ieee80211_recv_addba_req()
so we don't crash in ieee80211_rx_ba_timeout().
- In ieee80211_recv_addba_req(), tweak the logic to deny BlockAck
requests if the driver has no callback for doing so.
- Implement ieee80211_ba_del() which cleans up BlockAck state.
- Increase the minimum and maximum lifetime for BlockAck agreements.

ok mpi@


# 1.92 24-Nov-2015 mpi

No need to include <net/if_arp.h>

This header is only needed because <netinet/if_ether.h> declares a
structure that needs it. But it turns out that <net/if.h> already
includes it as workaround.

A proper solution would be to stop declaring "struct ether_arp"
there. But no driver should need this header.


# 1.91 15-Nov-2015 stsp

Parse 11n HT capabilities and operational info from association response
frames, negotiate HT with the AP, and move the interface into or out of
11n mode accordingly. If running as AP negotiate HT with nodes joining the BSS.

ok deraadt mpi kettenis guenther


# 1.90 15-Nov-2015 stsp

Extend struct ieee80211_node with fields for 11n STA HT capabilities and
HT operational information sent by 11n APs. These fields reflect the structure
of elements in management frames so that IEEE80211_HTCAP* and IEEE80211_HTOP*
macros designed to operate on frame elements can be used directly to read
or set the fields.

Populate nodes with HT information received in probe responses, probe
requests, and association requests.

ok deraadt mpi phessler kettenis guenther


# 1.89 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


Revision tags: OPENBSD_5_8_BASE
# 1.88 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.87 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.86 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.85 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.84 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.83 12-Sep-2014 sthen

Remove cached 802.11 nodes in IEEE80211_STA_CACHE state (these are nodes
which have been seen but which haven't otherwise interacted with us), fixing
a problem where old cached nodes are seen when doing a scan.
From Marcin Piotr Pawlowski, feedback stsp@ ok kspillner@ dcoppa@


# 1.82 08-Aug-2014 jasper

use nitems() instead of various local constructs

ok stsp@


Revision tags: OPENBSD_5_6_BASE
# 1.81 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


Revision tags: OPENBSD_5_5_BASE
# 1.80 01-Dec-2013 stsp

Reset txrate array index after changing a node's rate list.
Should prevent "bogus xmit rate %d setup" panics, which I ran into again
in IBSS mode.
ok kettenis


# 1.79 21-Nov-2013 mpi

Remove unneeded include.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.78 24-Mar-2013 claudio

Make ieee80211_set_tim() available from outside of ieee80211_node.c
so drivers like acx(4) can use that function directly instead of
reimplementing the function again. Requested by kettenis@ long time ago.


Revision tags: OPENBSD_5_3_BASE
# 1.77 07-Nov-2012 stsp

Fix DPRINTF() format string treating n->ni_refcnt, which is unsigned, as signed.
diff from dhill; ok kettenis reyk


# 1.76 10-Oct-2012 kettenis

Clear the powersave flag and purge queued packets when a node leaves the AP
(either by disassociating or by timeout). Fixes (most) remaining issues with
power saving.

From Nathanael Rensen.

ok claudio@, krw@, sthen@


# 1.75 05-Oct-2012 camield

Point an interface directly to its bridgeport configuration, instead
of to the bridge itself. This is ok, since an interface can only be part
of one bridge, and the parent bridge is easy to find from the bridgeport.

This way we can get rid of a lot of list walks, improving performance
and shortening the code.

ok henning stsp sthen reyk


# 1.74 20-Sep-2012 stsp

Nuke M_80211_NODE #define which mapped to M_DEVBUF and use M_DEVBUF directly.
ok henning


# 1.73 25-Aug-2012 kettenis

Set up ni_savedq for the initial BSS node such that it can actually be used
to store multicast frames when one of the associated stations is in power
saving mode.

ok stsp@


# 1.72 17-Aug-2012 stsp

Fix possible panic while switching from STA mode into hostap/ibss modes.
ieee80211_create_ibss() resets the set of supported rates but failed
to update the index into the rate set array accordingly. If the rate
configured during STA operation didn't belong to the newly configured
rate set the system ran into an assertion ("bogus xmit rate %u setup")
while trying to create the IBSS.
ok fgsch@


Revision tags: OPENBSD_5_2_BASE
# 1.71 18-Jul-2012 stsp

Print messages about nodes purged from the node cache if hostap/ibss modes are
compiled in and the interface is in debug mode. ok sthen


# 1.70 16-Jul-2012 stsp

Move increment of ic_nnodes closer to where the node is actually inserted
into the cache. Make sure we're at IPL_NET while incrementing/decrementing
ic_nnodes. Add a debug message that warns about possible node leaks.
All of this affects hostap mode only.


# 1.69 13-Jul-2012 stsp

Tweak node cache eviction strategy when the cache is full: kick off new nodes
in AUTH state that weren't active during the cache wait interval rather than
keeping them for the entire cache timeout interval. Fixes association failures
in noisy RF environments. Tested by edd and myself with a slow soekris
suffering from RF noise with about 50 interrupts per second on ral0.
ok deraadt


Revision tags: OPENBSD_5_1_BASE
# 1.68 25-Jan-2012 stsp

There is no need to explicitly skip ic_bss when iterating over cached nodes.
The ic_bss is never put into the RB tree.


# 1.67 25-Jan-2012 stsp

Clean inactive authenticated nodes during cache timeout as well.
There is no need to keep nodes cached which never associated and were
inactive within the last 5 minutes or more. Keeps the node cache pretty
clean in my environment with typical city-center wlan noise.


# 1.66 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@


# 1.65 21-Jan-2012 stsp

Hold interrupts blocked while comparing a cached node's refcount to zero
and freeing the node. Just in case an interrupt happens to ref the node after
the refcount was checked but before the node is freed.
Tested by several as part of a larger diff.


# 1.64 18-Jan-2012 stsp

Make it possible to free cached nodes which never associated (e.g. nodes
only scanning for networks). These were never put into COLLECT state and
were thus never evicted from the node cache in hostap mode.
ok jsg@


Revision tags: OPENBSD_5_0_BASE
# 1.63 28-Mar-2011 kettenis

Clean nodes until the number of cached nodes is smaller than the maximum number
of nodes, otherwise we'll never actually clean any nodes. Fixes issues with
clients failing to attach because the node cache is completely filled.

ok damien@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.62 07-Aug-2010 krw

No "\n" needed at the end of panic() strings.

Bogus chunks pointed out by matthew@ and miod@. No cookies for
marco@ and jasper@.

ok deraadt@ miod@ matthew@ jasper@ macro@


# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


# 1.60 19-Jun-2010 damien

In ieee80211_node_leave(), clear the associd after calling
ieee80211_node_leave_rsn() since ieee80211_node_leave_rsn()
calls ic_delete_key() and drivers like ral(4) RT2860 need
a valid associd in their delete_key callbacks.
This affects HostAP mode only.

from Nathanael Rensen.

remove a useless (nested) #ifndef IEEE80211_STA_ONLY while i'm here


# 1.59 14-Jun-2010 damien

fix my previous commit, i forgot BIP, so instead of enumerating
what is not supported as a group cipher, enumerate what is supported.


# 1.58 14-Jun-2010 damien

do not try to associate with an AP using an unsupported group cipher,
otherwise we will panic in ieee80211_add_rsn_body().

this may be the cause of a panic seen by reyk@ though i'm not 100% sure.


# 1.57 28-Mar-2010 krw

Four uses of uninitialized variables found by clang via jsg@. ar5416, ar9287
and athn are only theoretically interesting. ieee80211_node fixes a real
bug in occupied channel detection.

ok damien@


Revision tags: OPENBSD_4_7_BASE
# 1.56 17-Feb-2010 damien

Do not always create a new node when a beacon or a probe response
is received. The creation of a new node is already handled in
ieee80211_recv_probe_resp() when necessary.
This avoids creating empty nodes with wrong channels when beacons
are received on the wrong channel (overlapping channels).
Those empty nodes may also prevent the real node from being
discovered because of ieee80211_find_node_for_beacon() filtering.

This should prevent entries of the form:
nwid "" chan 3 bssid 00:01:02:03:04:05 0dB 54M
in "ifconfig if0 scan" output, like reported by Rivo Nurges.


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.55 29-Jan-2009 damien

fix a panic that occurs when IEEE80211_STA_ONLY is defined (SMALL_KERNEL).

noticed by ray@, more investigation from sthen@
fix tested by sthen@


# 1.54 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.53 28-Jan-2009 damien

In ieee80211_find_node(), roll our own RB_FIND() based on the key (macaddr)
instead of resorting to horrid hacks/casts.
Restore the ieee80211_node structure back to its original state.


# 1.52 27-Jan-2009 damien

unbreak SMALL_KERNEL builds by adding missing #ifndef IEEE80211_STA_ONLY

pointed out by krw@


# 1.51 26-Jan-2009 damien

move ni_macaddr field at the top of the ieee80211_node structure.
this way we can avoid putting a full node structure (which is huge)
on the stack in ieee80211_find_node().
this is a bit tricky but the RB_FIND macro wants an "elem" structure,
not a field of "elem".


# 1.50 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.49 14-Dec-2008 damien

Add an ieee80211_notify_dtim() function that drivers should call after
every DTIM in HostAP mode.
Flushes all group addressed MSDUs buffered at the AP for power management.


# 1.48 23-Oct-2008 mk

Prevent a crash in ieee80211_setkeys() when unplugging an interface in
hostap mode by canceling the group rekey timeout in ieee80211_node_detach().

ok damien


# 1.47 15-Oct-2008 blambert

Second pass of simple timeout_add -> timeout_add_sec conversions
This should take care of the simpler ones (i.e., timeout values of
integer multiples of hz).

ok krw@, art@


# 1.46 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.45 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.44 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.43 12-Aug-2008 damien

new SHA-256 based AKMPs.


# 1.42 12-Aug-2008 damien

add/process group integrity cipher suite in RSN IEs.
add support for MFP negotiation during association.


# 1.41 12-Aug-2008 damien

the only integrity group cipher currently supported is AES-128-CMAC.


# 1.40 12-Aug-2008 damien

generate a random IGTK in HostAP mode if we're MFP-capable.


# 1.39 12-Aug-2008 damien

get rid of the map_ptk()/map_gtk() functions, just inline them
which makes things easier to track.


Revision tags: OPENBSD_4_4_BASE
# 1.38 02-Aug-2008 damien

Drop frames that are received unencrypted when WEP is on or when
WPA is on and RX protection for TA is on.
Keep track of the TX/RX protection for each node when WPA is on.

tested by djm@ (ral+wpa), ckuethe@ (ath-noenc) and krw@ (wpi<->ral+wpa).
hints from bluhm@
has been in snaps for a few days.

pointed out by bluhm@ something like 1 year ago but we did not have
the right infrastructure to fix it properly at that time.

ok deraadt@


# 1.37 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.36 27-Jul-2008 damien

s/IEEE80211_DPRINTF/DPRINTF/
automatically prepend __func__ to output.

deobfuscates debug messages a bit.
no binary change unless compiled with IEEE80211_DEBUG.


# 1.35 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.34 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


# 1.33 21-Apr-2008 damien

move ieee80211_ibss_merge() from ieee80211_input.c to ieee80211_node.c


# 1.32 21-Apr-2008 damien

move ieee80211_auth_open() to ieee80211_proto.c
move ieee80211_setup_rates() to ieee80211_node.c
move some prototypes from ieee80211_proto.h to ieee80211_crypto.h


# 1.31 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.30 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.29 07-Sep-2007 damien

use new malloc M_ZERO flag + replace MALLOC with malloc


Revision tags: OPENBSD_4_2_BASE
# 1.28 06-Jul-2007 damien

remove remaining bits for pre-RSNA shared authmode support.
it has been #if 0'd since 3.9 and we have never supported this mode (no
ifconfig option etc...).


# 1.27 06-Jul-2007 damien

initialize an uninitialized variable.


# 1.26 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.25 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.24 16-Jun-2007 damien

constify


# 1.23 16-Jun-2007 damien

don't mix u_int{8,16,32}_t and uint{8,16,32}_t
use u_int{8,16,32}_t everywhere.


# 1.22 16-Jun-2007 damien

de-static

ok jsg@


# 1.21 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.20 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


# 1.19 10-Apr-2007 miod

``it's'' -> ``its'' when the grammar gods require this change.


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 13-Nov-2006 damien

fix a possible NULL deref.


Revision tags: OPENBSD_4_0_BASE
# 1.16 19-Jun-2006 reyk

unbreak the code if compiled with IEEE80211_DEBUG by using the right
node attribute.

ok damien@, figured out by claudio@


# 1.15 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.14 19-Feb-2006 damien

Fix a comment in ieee80211_next_scan().


# 1.13 09-Oct-2005 reyk

if the wireless hostap interface belongs to a bridge, learn the node's
address dynamically on this interface after successful association.
this could speed wireless roaming to openbsd accesspoints.

ok jason@, jsg@ can't see anything objectionable


# 1.12 07-Oct-2005 reyk

minor knf


# 1.11 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.10 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.9 08-Sep-2005 jsg

Remove the last of the FreeBSD compatibility goop.
ok reyk@


# 1.8 08-Sep-2005 jsg

Remove FreeBSD if_printf compat function from net80211.
ok reyk@


# 1.7 08-Sep-2005 reyk

reset the scan state for each new mode

ok jsg@


# 1.6 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.5 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.4 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.3 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.2 02-Nov-2004 millert

Don't call memset() if MALLOC returns NULL; also fix the rcs ID.
From Patrick Latifi; OK reyk@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.166 29-May-2019 stsp

Repair the 'ifconfig mode' command.

The 'mode' command is supposed to force a wireless interface into 11a/b/g/n
media mode. This stopped working some time ago, probably during my work on
background scanning. Problem spotted by mlarkin@ who noticed that interfaces
were using 11g mode while forced to 11b mode.

ok phessler, jmatthew


# 1.165 11-May-2019 stsp

Show driver name on net80211 scan debug lines.
ok mpi@


# 1.164 28-Apr-2019 mpi

Removes the KERNEL_LOCK() from bridge(4)'s output fast-path.

This redefines the ifp <-> bridge relationship. No lock can be
currently used across the multiples contexts where the bridge has
tentacles to protect a pointer, use an interface index.

Tested by various, ok dlg@, visa@


Revision tags: OPENBSD_6_5_BASE
# 1.163 15-Mar-2019 phessler

fix autojoin for WEP network by actually saving the WEP auth key

discovered while attempting to autojoin WEP networks


# 1.162 01-Mar-2019 stsp

Improve handling of HT protection for 'mode 11n' hostap.

Consider the mere presence of HTCAP IEs as indicator of 11n support,
rather than checking advertised Rx MCS. Fixes some devices being
misclassified as 11a/g, causing HT protection to be enabled even
though it is not needed.

Use CTS-to-self frames for HT protection instead of RTS/CTS.

These changes make my athn(4) AR9280 hostap perform much better.

ok phessler@


# 1.161 23-Jan-2019 stsp

Move 802.11n rateset definitions out of MiRA and make them available to
net80211 and drivers in general. Add ratesets for 'short guard interval'
(SGI) rates, and add SGI support to MiRA. SGI is currently only used by
iwm(4), and of course internally by bwfm(4) firmware.
Ratesets for 11n 40 MHz channels and 11ac will come later.
ok mpi@ phessler@


# 1.160 18-Jan-2019 phessler

add a len field when we delete an essid from the joinlist. this will have
us properly match, instead of hoping we got lucky when selecting it.

OK stsp@


# 1.159 18-Jan-2019 phessler

let users automatically use join to connect to any open wifi network.
if a known network is visible, always prefer that instead.

requested by many, OK stsp@


# 1.158 25-Nov-2018 phessler

print more details about the join'd networks we have saved when a user runs
ifconfig if joinlist

OK stsp@


# 1.157 20-Nov-2018 phessler

fix whitespace in debugging function


# 1.156 20-Nov-2018 patrick

The first packet received from each AP in each QoS class would be
dropped as the sequence number matches the initial value of the
cached last sequence number (zero). On some APs (notably Android
WIFI hotspots) this hits the first packet of the WPA2 4-way
handshake. This causes connection delays and in some cases
connection to the AP fails completely. Initialize the cached last
sequence numbers for received packets to an invalid value instead.

From Christian Ehrhardt
ok gerhard@ stsp@
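As an added illustration of the failure mode this commit describes (example code, not OpenBSD's net80211), the model below keeps a per-TID cache of the last accepted sequence number and replays an AP whose first frame in a TID carries sequence number 0, once with the cache zero-initialised and once started from an out-of-range sentinel. NUM_TID, SEQ_INVALID (0xffff, chosen because 802.11 sequence numbers are 12 bits), struct node and the frame sequence are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NUM_TID       8        /* QoS traffic classes tracked per node */
#define SEQ_MASK      0x0fffU  /* 802.11 sequence numbers are 12 bits wide */
#define SEQ_INVALID   0xffffU  /* constructed sentinel: no frame can carry it */

/* Stand-in for the per-node receive state: last accepted seq per TID. */
struct node {
	uint16_t qos_rxseqs[NUM_TID];
};

/* Buggy initialisation: zero is itself a valid sequence number. */
static void
node_init_zero(struct node *ni)
{
	memset(ni->qos_rxseqs, 0, sizeof(ni->qos_rxseqs));
}

/* Fixed initialisation: start from a value outside the 12-bit range. */
static void
node_init_invalid(struct node *ni)
{
	for (int tid = 0; tid < NUM_TID; tid++)
		ni->qos_rxseqs[tid] = SEQ_INVALID;
}

/*
 * The 16-bit sequence control field carries the fragment number in its
 * low 4 bits and the sequence number in the upper 12.
 */
static uint16_t
seqctl_to_seq(uint16_t seqctl)
{
	return (seqctl >> 4) & SEQ_MASK;
}

/*
 * Duplicate filter: a frame whose sequence number equals the one last
 * accepted for its TID is treated as a retransmission and dropped.
 * Returns true when the frame is accepted.
 */
static bool
rx_accept(struct node *ni, int tid, uint16_t seq)
{
	seq &= SEQ_MASK;
	if (ni->qos_rxseqs[tid] == seq)
		return false;
	ni->qos_rxseqs[tid] = seq;
	return true;
}

/*
 * Replay the scenario from the commit message against a given node
 * initialiser: the AP's first frame in TID 0 carries sequence number 0,
 * followed by 1, a genuine retransmission of 1, and then 2.
 * Returns the number of frames accepted: 3 is correct (the retransmitted
 * 1 must still be dropped); a zero-initialised cache also loses frame 0.
 */
static int
run_first_frame_scenario(void (*init)(struct node *))
{
	static const uint16_t seqs[] = { 0, 1, 1, 2 };  /* constructed sample */
	struct node ni;
	int accepted = 0;

	init(&ni);
	for (size_t i = 0; i < sizeof(seqs) / sizeof(seqs[0]); i++)
		if (rx_accept(&ni, 0, seqs[i]))
			accepted++;
	return accepted;
}

int
main(void)
{
	printf("zero-initialised cache accepted %d of 4 frames\n",
	    run_first_frame_scenario(node_init_zero));      /* 2 */
	printf("sentinel-initialised cache accepted %d of 4 frames\n",
	    run_first_frame_scenario(node_init_invalid));   /* 3 */
	return 0;
}
```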


# 1.155 27-Oct-2018 phessler

pass around the ess and ni structures we plan to use directly, instead
of rediscovering them (possibly badly).

OK stsp@


# 1.154 27-Oct-2018 phessler

clean up accounting of the AUTO_JOIN flag by making sure it is set or cleared
based on the state of the joinlist

OK stsp@


# 1.153 27-Oct-2018 phessler

don't join to a network where we expect cleartext, and the AP is using crypto

OK stsp@


Revision tags: OPENBSD_6_4_BASE
# 1.152 18-Sep-2018 mestre

fix memory leak in ieee80211_end_scan()

OK phessler@ jsg@


# 1.151 17-Sep-2018 jsg

fix memory leaks in ieee80211_add_ess()
ok stsp@ phessler@


# 1.150 11-Sep-2018 phessler

use the format string for signed ints, for signed ints

reminded by stsp@


# 1.149 11-Sep-2018 phessler

With the interface debug flag enabled, print a "score" for each AP we
consider during auto-join. This can help users determine why a specific
network was chosen.

OK stsp@


# 1.148 10-Sep-2018 phessler

fix typo in the length of the essid we want to switch to

found with and OK stsp@


# 1.147 10-Sep-2018 phessler

extract clearing WEP/WPA in ess into helper functions


# 1.146 10-Sep-2018 phessler

give set_ess a len variable, so we can correctly match the essid we want
to switch to.

pointed out by stsp@


# 1.145 09-Sep-2018 phessler

convert the things we save in 'join' into a single ioctl. mixing related
settings over multiple calls was risky and racy. Pass essid, wpa, and wep
parameters in a single ioctl and process it atomically.

no change for 'nwid' users

OK stsp@ benno@


# 1.144 06-Sep-2018 jsg

fix whitespace


# 1.143 01-Sep-2018 stsp

Make 'ifconfig nwid' override 'ifconfig join'.

There was no way to override a decision made by join's network
selection algorithm (apart from disabling the feature by clearing
the join list). Automatic selection is based on heuristics which
cannot always guess correctly so we need to provide an override.

One specific problem was that if 'nwid foo' and 'nwid bar' were
both visible in the scan and only 'nwid foo' was a member of the
join list, then there was no way at all to connect to 'nwid bar'.
The wireless stack would keep selecting 'nwid foo' instead.

'ifconfig iwm0 nwid bar' command will now disable automatic
network selection and force the use of ESSID 'bar'.
Any of these commands will re-enable automatic network selection:
ifconfig iwm0 -nwid
ifconfig iwm0 nwid ''
ifconfig iwm0 join some-network-id

ok phessler@ deraadt@


# 1.142 15-Aug-2018 stsp

Update AP selection heuristics for auto-join.

We now prefer stronger crypto over weaker crypto over none, prefer 5 GHz
band with reasonable RSSI, and use RSSI as a tie-breaker with a slight
advantage for 5GHz. Candidate APs are now ranked by a score which is
calculated based on these attributes.

There is likely room for improvements to make these heuristics
work well across many different environments, but it's a start.

ok phessler@


# 1.141 13-Aug-2018 stsp

Add support for band-steering access points to net80211.

Some access points have a feature called "band steering" where they
will try to push clients from 2 GHz channels to 5 GHz channels.
If a client sends probe-requests on both 2 GHz and 5GHz channels, and
then attempts to authenticate on a 2 GHz channel, such APs will deny
authentication and hope that the client will come back on a 5 GHz channel.

So if we fail to AUTH for any reason, and if there is a different
AP with the same ESSID that we haven't tried yet, try that AP next.
Keep trying until no APs are left, and only then continue scanning.

APs with support for this feature were provided by Mischa Peters.

ok phessler@ mpi@


# 1.140 11-Aug-2018 stsp

Add comment explaining why we read basic MCS set only from beacon/probereq.
requested by mpi@


# 1.139 07-Aug-2018 stsp

Ignore basic MCS set information found in association responses.

Some APs (Aruba 105) send a bogus basic MCS set in assoc responses
which prevents us from enabling 11n support with those APs, while
these APs still behave as if we were an 11n client which renders
the association unusable.

The basic MCS set is already provided in beacons anyway, and the
802.11 2012 standard says the basic MCS set is reserved in frames
other than beacons (see Table 8-130).

ok mpi@


# 1.138 06-Aug-2018 stsp

Refactor ieee80211_add_ess():

Drop ieee80211_add_ess's nwid parameter. Read nwid and length directly
from the ic to make it more obvious where this function is reading from.

nwids are binary data with an explicit length, so treat them as such
instead of treating them like strings.

ok florian phessler


# 1.137 06-Aug-2018 florian

Do not set nwid over and over again. We just found the ess by comparing
the nwid. It will not have changed in the meantime.
OK stsp


# 1.136 03-Aug-2018 phessler

revert 1.133 and part of 1.131
the stack doesn't always fill in the parameters correctly

reported by many


# 1.135 30-Jul-2018 stsp

Don't ask drivers to join a wifi network before an AP has been chosen.
Should fix a panic with bwfm(4) reported by mlarkin@
ok phessler@


# 1.134 19-Jul-2018 florian

ieee80211_ess_is_better() returns 0 or 1, comparing > 1 is always
false so we always selected the first wifi available, not the best
one.

While here shuffle some deck chairs to make it clearer that anything is
better than nothing.

tweak & OK phessler


# 1.133 16-Jul-2018 phessler

the AP sends their crypto parameters as a mask, so let us still select it
in case we want WPA2 and they have WPA1 still enabled


# 1.132 16-Jul-2018 phessler

don't save or use auto-join when the card is not in station (aka client) mode

OK stsp@


# 1.131 13-Jul-2018 phessler

Some more checks before auto-join switches networks.

Make sure all of the crypto options the AP announces matches what we
would configure. While here, don't switch if the user has specified
a specific BSSID, and the new AP does not match.

OK stsp@


# 1.130 11-Jul-2018 phessler

Introduce 'auto-join' to the wifi 802.11 stack.

This allows a system to remember which ESSIDs it wants to connect to, any
relevant security configuration, and switch to it when the network we are
currently connected to is no longer available.

Works when connecting and switching between WPA2/WPA1/WEP/clear encryptions.

example hostname.if:
join home wpakey password
join work wpakey mekmitasdigoat
join open-lounge
join cafe wpakey cafe2018
join "wepnetwork" nwkey "12345"
dhcp
inet6 autoconf
up

OK stsp@ reyk@
and enthusiasm from every hackroom I've been in for the last 3 years


# 1.129 28-Apr-2018 stsp

When starting a background scan, free the nodes table to ensure we
get an up-to-date view of APs around us. In particular, we need to
kick out the AP we are associated to. Otherwise, our current AP might
stay cached if it is turned off while we are scanning, and we could
end up picking a now non-existent but "good looking" AP over and over.

found with and ok phessler@


# 1.128 27-Apr-2018 stsp

Fix the scan loop: We were only looking for an AP once and stopped
scanning if none was found.
Accidentally broken in recent ifconfig scan changes by pirofti and me.
ok pirofti


# 1.127 26-Apr-2018 pirofti

net80211: stub SIOCS80211SCAN, make ifconfig scan instant.

The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stsp@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.

The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.

In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.

The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...

Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.

Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).

Tested by mpi@, landry@, florian@, thanks!
OK mpi@.


Revision tags: OPENBSD_6_3_BASE
# 1.126 06-Feb-2018 phessler

convert the test if a node support HT (aka, 11n) into an inline function,
instead of testing some un-obvious bitfield

OK stsp@


# 1.125 12-Dec-2017 stsp

Don't dereference IEEE80211_CHAN_ANYC pointer in ieee80211_node_checkrssi().

Problem reported by Gregoire Jadi on bugs@


# 1.124 12-Dec-2017 phessler

Allow interfaces that aren't SCANNALLBAND drivers to benefit from the
strongest received signal.

OK stsp@


# 1.123 12-Dec-2017 jcs

Fix the behavior of preferring weaker-but-still-good 5GHz APs over
2GHz APs because the 5GHz band is generally less saturated.

The previous implementation was dependent upon the order of walking
APs.

ok stsp


# 1.122 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


Revision tags: OPENBSD_6_2_BASE
# 1.121 05-Sep-2017 stsp

When starting a new scan always set the mode to AUTO if the driver scans
all bands at once. Fixes a problem where e.g. 5GHz APs were filtered out
if we were previously associated to an 11g-only AP.
ok mpi@ phessler@


# 1.120 17-Aug-2017 stsp

Add an entry to dmesg if pairwise WPA keys arrive unexpectedly or if WPA
group keys are being reused. OpenBSD wireless clients will now leave a
trail of such events in their message log.

There has been increased public scrutiny of WPA's security recently, so
I am curious to see if anyone is attempting replay attacks in the wild.

ok deraadt


# 1.119 04-Aug-2017 stsp

Compile a debug printf in ieee80211_match_bss() by default, previously
guarded by the IEEE80211_DEBUG preprocessor flag. This shows one line
per detected AP after a scan, and indicates which APs are considered
candidates for association.
Shorten the output a bit to fit into 80 columns more likely.
ok sthen@


# 1.118 19-Jul-2017 stsp

Improve the heuristic which selects 5GHz APs over 2GHz APs.

The previous code wasn't quite right: it didn't account for the fact that
some drivers don't set ic_max_rssi, and it compared 5GHz APs to a threshold
relative to the max RSSI, rather than comparing RSSI on 5GHz relative to
RSSI on 2GHz.

This heuristic is only used by SCANNALLBAND drivers: iwn(4), iwm(4), wpi(4)

In the future the AP selection heuristic should be made more intelligent,
e.g. it should take BSS load information in beacons into account.
Another open problem is inconsistent representation of RSSI measurement
values throughout our drivers and stack. Help is welcome!

For now, this hopefully improves AP selection at busy airports.

ok sthen@ deraadt@


# 1.117 04-Jun-2017 tb

Add sizes for free for the RSN IEs. Rewrite ieee80211_save_ie() slightly
to make it more readable.

help, many explanations and ok stsp


# 1.116 03-Jun-2017 tb

Add a few sizes to free().

Input, help & ok stsp


Revision tags: OPENBSD_6_1_BASE
# 1.115 04-Mar-2017 stsp

branches: 1.115.4;
In 11n hostap mode, dynamically adjust HT protection settings based on
the presence of non-HT nodes in the node cache.
OpenBSD 11n APs will now disable HT protection if it is not necessary.
ok mpi@


# 1.114 03-Feb-2017 stsp

Fix 11b clients sending bogus ratesets in association requests. The common
rateset with the AP is calculated only after the association response was
received, which is too late. Fix rates when an AP is selected after a scan.
ok mpi@ tb@


# 1.113 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.112 16-Jan-2017 stsp

Reset block ack state and cancel related timeouts when a HT node disassociates.
The existing code (from damien@) already took care of freeing related buffers
but because block ack state was not reset we were still trying to use these
buffers if the node sent another A-MPDU. This problem only affects 11n hostap.
Fixes kernel crash reported by Timo Myyra on bugs@


# 1.111 09-Jan-2017 stsp

When a HT node leaves or reassociates as a non-HT node,
clear HT capabilities stored in its node cache object.

A node may switch from 11n mode to 11a/b/g mode.
If we don't clear HT capabilities from the cache the node will
be mistaken as 11n-capable after reassociation.

ok phessler@ mpi@


# 1.110 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.109 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.108 09-Jan-2017 stsp

The point of ieee80211_node_leave() is to place the node in COLLECT state.
Return early and do nothing if the node is already in COLLECT state upon
entry to this function.


# 1.107 09-Jan-2017 stsp

When acting as hostap, negotiate HT before calling the driver's ic_newassoc()
function, not afterwards. Drivers now know whether a joining node supports HT
which helps with setting up state such as which Tx rate to use.


# 1.106 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@


# 1.105 15-Sep-2016 dlg

move from RB macros to the RBT functions.

shaves about 5k off an amd64 GENERIC.MP kernel


# 1.104 17-Aug-2016 stsp

If a wireless device or driver scans all bands at once give 5GHz APs
a slight priority in cases where good matches exist in either band.
ok sthen@


Revision tags: OPENBSD_6_0_BASE
# 1.103 21-May-2016 stsp

branches: 1.103.2;
Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


# 1.102 18-May-2016 stsp

In hostap mode, don't re-use association IDs (AIDs) of nodes which are
still lingering in the node cache. This could cause an AID to be assigned
twice, once to a newly associated node and once to a different node in
COLLECT cache state (i.e. marked for future eviction from the node cache).

Drivers (e.g. rt2860) may use AIDs to keep track of nodes in firmware
tables and get confused when AIDs aren't unique across the node cache.
The symptom observed with rt2860 were nodes stuck at 1 Mbps Tx rate since
the duplicate AID made the driver perform Tx rate (AMRR) accounting on
the wrong node object.

To find out if a node is associated we now check the node's cache state,
rather than comparing the node's AID against zero. An AID is assigned when
a node associates and it lasts until the node is eventually purged from the
node cache (previously, the AID was made available for re-use when the node
was placed in COLLECT state). There is no need to be stingy with AIDs since
the number of possible AIDs exceeds the maximum number of nodes in the cache.

Problem found by Nathanael Rensen.
Fix written by Nathanael and myself. Tested by Nathanael.
Committing now to get this change tested across as many drivers as possible.


# 1.101 12-Apr-2016 mpi

Call if_enqueue() and if_start() instead of dereferencing the ifp
pointers.

These functions have been introduced to abstract some of the MP-
safeness^Wmadness and should be used everywhere.

Prodded by a comment from jsg@.

ok mikeb@, stsp@


# 1.100 03-Mar-2016 gerhard

Restore assignment of ic_curmode that was accidentally removed when
moving the ERP code to post-assoc phase. Fixes iwi(4) fatal firmware
errors.

ok stsp@, sobrado@


Revision tags: OPENBSD_5_9_BASE
# 1.99 25-Jan-2016 stsp

branches: 1.99.2;
Honour ERP protection on 2 GHz channels in 11n mode, as done for 11g.
ok millert@


# 1.98 25-Jan-2016 stsp

Don't try to interpret htprot data if the last beacon didn't contain such data.
ok mpi@ millert@


# 1.97 07-Jan-2016 stsp

Make the A-MPDU reordering buffer more resilient against APs which drop
some subframes or let the sequence number jump up by more than 1 (hard
to tell which it is). We decrease the BA inactivity timeout for quicker
recovery from stalled BA sessions, and add a new timeout which keeps track
of gaps in the subframe sequence number space due to dropped frames.
Gaps expire after 500 msec, the same value FreeBSD uses for their
implementation of this workaround. And Linux uses this trick, too.

This should fix network stalls some people have been seeing in 11n mode.

ok deraadt@


# 1.96 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.95 04-Jan-2016 stsp

While configuring ERP we need to know if we're in 11a or 11g mode so only
configure ERP once we are sure about our operation mode against the AP.
ok sthen jasper kettenis deraadt mpi


# 1.94 18-Dec-2015 sthen

unnoccupied->unoccupied


# 1.93 12-Dec-2015 stsp

Finish support for receiving 11n A-MPDUs.

The initial implementation was added by damien@ years ago.
Summary of the changes made in this commit:
- In ieee80211_input(), process A-MPDUs before duplicate detection.
- Don't forget to set ba->ba_ni in ieee80211_recv_addba_req()
so we don't crash in ieee80211_rx_ba_timeout().
- In ieee80211_recv_addba_req(), tweak the logic to deny BlockAck
requests if the driver has no callback for doing so.
- Implement ieee80211_ba_del() which cleans up BlockAck state.
- Increase the minimum and maximum lifetime for BlockAck agreements.

ok mpi@


# 1.92 24-Nov-2015 mpi

No need to include <net/if_arp.h>

This header is only needed because <netinet/if_ether.h> declares a
structure that needs it. But it turns out that <net/if.h> already
includes it as workaround.

A proper solution would be to stop declaring "struct ether_arp"
there. But no driver should need this header.


# 1.91 15-Nov-2015 stsp

Parse 11n HT capabilities and operational info from association response
frames, negotiate HT with the AP, and move the interface into or out of
11n mode accordingly. If running as AP negotiate HT with nodes joining the BSS.

ok deraadt mpi kettenis guenther


# 1.90 15-Nov-2015 stsp

Extend struct ieee80211_node with fields for 11n STA HT capabilities and
HT operational information sent by 11n APs. These fields reflect the structure
of elements in management frames so that IEEE80211_HTCAP* and IEEE80211_HTOP*
macros designed to operate on frame elements can be used directly to read
or set the fields.

Populate nodes with HT information received in probe responses, probe
requests, and association requests.

ok deraadt mpi phessler kettenis guenther


# 1.89 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


Revision tags: OPENBSD_5_8_BASE
# 1.88 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.87 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.86 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.85 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rndvar.h. ok deraadt dlg


# 1.84 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.83 12-Sep-2014 sthen

Remove cached 802.11 nodes in IEEE80211_STA_CACHE state (these are nodes
which have been seen but which haven't otherwise interacted with us), fixing
a problem where old cached nodes are seen when doing a scan.
From Marcin Piotr Pawlowski, feedback stsp@ ok kspillner@ dcoppa@


# 1.82 08-Aug-2014 jasper

use nitems() instead of various local constructs

ok stsp@


Revision tags: OPENBSD_5_6_BASE
# 1.81 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


Revision tags: OPENBSD_5_5_BASE
# 1.80 01-Dec-2013 stsp

Reset txrate array index after changing a node's rate list.
Should prevent "bogus xmit rate %d setup" panics, which I ran into again
in IBSS mode.
ok kettenis


# 1.79 21-Nov-2013 mpi

Remove unneeded include.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.78 24-Mar-2013 claudio

Make ieee80211_set_tim() available from outside of ieee80211_node.c
so drivers like acx(4) can use that function directly instead of
reimplementing the function again. Requested by kettenis@ a long time ago.


Revision tags: OPENBSD_5_3_BASE
# 1.77 07-Nov-2012 stsp

Fix DPRINTF() format string treating n->ni_refcnt, which is unsigned, as signed.
diff from dhill; ok kettenis reyk


# 1.76 10-Oct-2012 kettenis

Clear the powersave flag and purge queued packets when a node leaves the AP
(either by disassociating or by timeout). Fixes (most) remaining issues with
power saving.

From Nathanael Rensen.

ok claudio@, krw@, sthen@


# 1.75 05-Oct-2012 camield

Point an interface directly to its bridgeport configuration, instead
of to the bridge itself. This is ok, since an interface can only be part
of one bridge, and the parent bridge is easy to find from the bridgeport.

This way we can get rid of a lot of list walks, improving performance
and shortening the code.

ok henning stsp sthen reyk


# 1.74 20-Sep-2012 stsp

Nuke M_80211_NODE #define which mapped to M_DEVBUF and use M_DEVBUF directly.
ok henning


# 1.73 25-Aug-2012 kettenis

Set up ni_savedq for the initial BSS node such that it can actually be used
to store multicast frames when one of the associated stations is in power
saving mode.

ok stsp@


# 1.72 17-Aug-2012 stsp

Fix possible panic while switching from STA mode into hostap/ibss modes.
ieee80211_create_ibss() resets the set of supported rates but failed
to update the index into the rate set array accordingly. If the rate
configured during STA operation didn't belong to the newly configured
rate set the system ran into an assertion ("bogus xmit rate %u setup")
while trying to create the IBSS.
ok fgsch@


Revision tags: OPENBSD_5_2_BASE
# 1.71 18-Jul-2012 stsp

Print messages about nodes purged from the node cache if hostap/ibss modes are
compiled in and the interface is in debug mode. ok sthen


# 1.70 16-Jul-2012 stsp

Move increment of ic_nnodes closer to where the node is actually inserted
into the cache. Make sure we're at IPL_NET while incrementing/decrementing
ic_nnodes. Add a debug message that warns about possible node leaks.
All of this affects hostap mode only.


# 1.69 13-Jul-2012 stsp

Tweak node cache eviction strategy when the cache is full: kick off new nodes
in AUTH state that weren't active during the cache wait interval rather than
keeping them for the entire cache timeout interval. Fixes association failures
in noisy RF environments. Tested by edd and myself with a slow soekris
suffering from RF noise with about 50 interrupts per second on ral0.
ok deraadt


Revision tags: OPENBSD_5_1_BASE
# 1.68 25-Jan-2012 stsp

There is no need to explicitly skip ic_bss when iterating over cached nodes.
The ic_bss is never put into the RB tree.


# 1.67 25-Jan-2012 stsp

Clean inactive authenticated nodes during cache timeout as well.
There is no need to keep nodes cached which never associated and were
inactive within the last 5 minutes or more. Keeps the node cache pretty
clean in my environment with typical city-center wlan noise.


# 1.66 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@


# 1.65 21-Jan-2012 stsp

Hold interrupts blocked while comparing a cached node's refcount to zero
and freeing the node. Just in case an interrupt happens to ref the node after
the refcount was checked but before the node is freed.
Tested by several as part of a larger diff.


# 1.64 18-Jan-2012 stsp

Make it possible to free cached nodes which never associated (e.g. nodes
only scanning for networks). These were never put into COLLECT state and
were thus never evicted from the node cache in hostap mode.
ok jsg@


Revision tags: OPENBSD_5_0_BASE
# 1.63 28-Mar-2011 kettenis

Clean nodes until the number of cached nodes is smaller than the maximum number
of nodes, otherwise we'll never actually clean any nodes. Fixes issues with
clients failing to attach because the node cache is completely filled.

ok damien@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.62 07-Aug-2010 krw

No "\n" needed at the end of panic() strings.

Bogus chunks pointed out by matthew@ and miod@. No cookies for
marco@ and jasper@.

ok deraadt@ miod@ matthew@ jasper@ macro@


# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


# 1.60 19-Jun-2010 damien

In ieee80211_node_leave(), clear the associd after calling
ieee80211_node_leave_rsn() since ieee80211_node_leave_rsn()
calls ic_delete_key() and drivers like ral(4) RT2860 need
a valid associd in their delete_key callbacks.
This affects HostAP mode only.

from Nathanael Rensen.

remove a useless (nested) #ifndef IEEE80211_STA_ONLY while i'm here


# 1.59 14-Jun-2010 damien

fix my previous commit, i forgot BIP, so instead of enumerating
what is not supported as a group cipher, enumerate what is supported.


# 1.58 14-Jun-2010 damien

do not try to associate with an AP using an unsupported group cipher,
otherwise we will panic in ieee80211_add_rsn_body().

this may be the cause of a panic seen by reyk@ though i'm not 100% sure.


# 1.57 28-Mar-2010 krw

Four uses of uninitialized variables found by clang via jsg@. ar5416, ar9287
and athn are only theoretically interesting. ieee80211_node fixes a real
bug in occupied channel detection.

ok damien@


Revision tags: OPENBSD_4_7_BASE
# 1.56 17-Feb-2010 damien

Do not always create a new node when a beacon or a probe response
is received. The creation of a new node is already handled in
ieee80211_recv_probe_resp() when necessary.
This avoids creating empty nodes with wrong channels when beacons
are received on the wrong channel (overlapping channels).
Those empty nodes may also prevent the real node from being
discovered because of ieee80211_find_node_for_beacon() filtering.

This should prevent entries of the form:
nwid "" chan 3 bssid 00:01:02:03:04:05 0dB 54M
in "ifconfig if0 scan" output, like reported by Rivo Nurges.


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.55 29-Jan-2009 damien

fix a panic that occurs when IEEE80211_STA_ONLY is defined (SMALL_KERNEL).

noticed by ray@, more investigation from sthen@
fix tested by sthen@


# 1.54 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.53 28-Jan-2009 damien

In ieee80211_find_node(), roll our own RB_FIND() based on the key (macaddr)
instead of resorting to horrid hacks/casts.
Restore the ieee80211_node structure back to its original state.


# 1.52 27-Jan-2009 damien

unbreak SMALL_KERNEL builds by adding missing #ifndef IEEE80211_STA_ONLY

pointed out by krw@


# 1.51 26-Jan-2009 damien

move ni_macaddr field at the top of the ieee80211_node structure.
this way we can avoid putting a full node structure (which is huge)
on the stack in ieee80211_find_node().
this is a bit tricky but the RB_FIND macro wants an "elem" structure,
not a field of "elem".


# 1.50 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.49 14-Dec-2008 damien

Add an ieee80211_notify_dtim() function that drivers should call after
every DTIM in HostAP mode.
Flushes all group addressed MSDUs buffered at the AP for power management.


# 1.48 23-Oct-2008 mk

Prevent a crash in ieee80211_setkeys() when unplugging an interface in
hostap mode by canceling the group rekey timeout in ieee80211_node_detach().

ok damien


# 1.47 15-Oct-2008 blambert

Second pass of simple timeout_add -> timeout_add_sec conversions
This should take care of the simpler ones (i.e., timeout values of
integer multiples of hz).

ok krw@, art@


# 1.46 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.45 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.44 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.43 12-Aug-2008 damien

new SHA-256 based AKMPs.


# 1.42 12-Aug-2008 damien

add/process group integrity cipher suite in RSN IEs.
add support for MFP negotiation during association.


# 1.41 12-Aug-2008 damien

the only integrity group cipher currently supported is AES-128-CMAC.


# 1.40 12-Aug-2008 damien

generate a random IGTK in HostAP mode if we're MFP-capable.


# 1.39 12-Aug-2008 damien

get rid of the map_ptk()/map_gtk() functions, just inline them
which makes things easier to track.


Revision tags: OPENBSD_4_4_BASE
# 1.38 02-Aug-2008 damien

Drop frames that are received unencrypted when WEP is on or when
WPA is on and RX protection for TA is on.
Keep track of the TX/RX protection for each node when WPA is on.

tested by djm@ (ral+wpa), ckuethe@ (ath-noenc) and krw@ (wpi<->ral+wpa).
hints from bluhm@
has been in snaps for a few days.

pointed out by bluhm@ something like 1 year ago but we did not have
the right infrastructure to fix it properly at that time.

ok deraadt@


# 1.37 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.36 27-Jul-2008 damien

s/IEEE80211_DPRINTF/DPRINTF/
automatically prepend __func__ to output.

deobfuscates debug messages a bit.
no binary change unless compiled with IEEE80211_DEBUG.


# 1.35 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.34 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


# 1.33 21-Apr-2008 damien

move ieee80211_ibss_merge() from ieee80211_input.c to ieee80211_node.c


# 1.32 21-Apr-2008 damien

move ieee80211_auth_open() to ieee80211_proto.c
move ieee80211_setup_rates() to ieee80211_node.c
move some prototypes from ieee80211_proto.h to ieee80211_crypto.h


# 1.31 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.30 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.29 07-Sep-2007 damien

use new malloc M_ZERO flag + replace MALLOC with malloc


Revision tags: OPENBSD_4_2_BASE
# 1.28 06-Jul-2007 damien

remove remaining bits for pre-RSNA shared authmode support.
it has been #if 0'd since 3.9 and we have never supported this mode (no
ifconfig option etc...).


# 1.27 06-Jul-2007 damien

initialize an uninitialized variable.


# 1.26 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.25 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.24 16-Jun-2007 damien

constify


# 1.23 16-Jun-2007 damien

don't mix u_int{8,16,32}_t and uint{8,16,32}_t
use u_int{8,16,32}_t everywhere.


# 1.22 16-Jun-2007 damien

de-static

ok jsg@


# 1.21 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.20 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


# 1.19 10-Apr-2007 miod

``it's'' -> ``its'' when the grammar gods require this change.


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 13-Nov-2006 damien

fix a possible NULL deref.


Revision tags: OPENBSD_4_0_BASE
# 1.16 19-Jun-2006 reyk

unbreak the code if compiled with IEEE80211_DEBUG by using the right
node attribute.

ok damien@, figured out by claudio@


# 1.15 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.14 19-Feb-2006 damien

Fix a comment in ieee80211_next_scan().


# 1.13 09-Oct-2005 reyk

if the wireless hostap interface belongs to a bridge, learn the node's
address dynamically on this interface after successful association.
this could speed wireless roaming to openbsd accesspoints.

ok jason@, jsg@ can't see anything objectionable


# 1.12 07-Oct-2005 reyk

minor knf


# 1.11 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.10 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.9 08-Sep-2005 jsg

Remove the last of the FreeBSD compatibility goop.
ok reyk@


# 1.8 08-Sep-2005 jsg

Remove FreeBSD if_printf compat function from net80211.
ok reyk@


# 1.7 08-Sep-2005 reyk

reset the scan state for each new mode

ok jsg@


# 1.6 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.5 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.4 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.3 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.2 02-Nov-2004 millert

Don't call memset() if MALLOC returns NULL; also fix the rcs ID.
From Patrick Latifi; OK reyk@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.165 11-May-2019 stsp

Show driver name on net80211 scan debug lines.
ok mpi@


# 1.164 28-Apr-2019 mpi

Removes the KERNEL_LOCK() from bridge(4)'s output fast-path.

This redefines the ifp <-> bridge relationship. No lock can be
currently used across the multiples contexts where the bridge has
tentacles to protect a pointer, use an interface index.

Tested by various, ok dlg@, visa@


Revision tags: OPENBSD_6_5_BASE
# 1.163 15-Mar-2019 phessler

fix autojoin for WEP network by actually saving the WEP auth key

discovered while attempting to autojoin WEP networks


# 1.162 01-Mar-2019 stsp

Improve handling of HT protection for 'mode 11n' hostap.

Consider the mere presence of HTCAP IEs as indicator of 11n support,
rather than checking advertised Rx MCS. Fixes some devices being
misclassified as 11a/g, causing HT protection to be enabled even
though it is not needed.

Use CTS-to-self frames for HT protection instead of RTS/CTS.

These changes make my athn(4) AR9280 hostap perform much better.

ok phessler@


# 1.161 23-Jan-2019 stsp

Move 802.11n rateset definitions out of MiRA and make them available to
net80211 and drivers in general. Add ratesets for 'short guard interval'
(SGI) rates, and add SGI support to MiRA. SGI is currently only used by
iwm(4), and of course internally by bwfm(4) firmware.
Ratesets for 11n 40 MHz channels and 11ac will come later.
ok mpi@ phessler@


# 1.160 18-Jan-2019 phessler

add a len field when we delete an essid from the joinlist. this will have
us properly match, instead of hoping we got lucky when selecting it.

OK stsp@


# 1.159 18-Jan-2019 phessler

let users automatically use join to connect to any open wifi network.
if a known network is visible, always prefer that instead.

requested by many, OK stsp@


# 1.158 25-Nov-2018 phessler

print more details about the join'd networks we have saved when a user runs
ifconfig if joinlist

OK stsp@


# 1.157 20-Nov-2018 phessler

fix whitespace in debugging function


# 1.156 20-Nov-2018 patrick

The first packet received from each AP in each QoS class would be
dropped as the sequence number matches the initial value of the
cached last sequence number (zero). On some APs (notably Android
WIFI hotspots) this hits the first packet of the WPA2 4-way
handshake. This causes connection delays and in some cases
connection to the AP fails completely. Initialize the cached last
sequence numbers for received packets to an invalid value instead.

From Christian Ehrhardt
ok gerhard@ stsp@


# 1.155 27-Oct-2018 phessler

pass around the ess and ni structures we plan to use directly, instead
of rediscovering them (possibly badly).

OK stsp@


# 1.154 27-Oct-2018 phessler

clean up accounting of the AUTO_JOIN flag by making sure it is set or cleared
based on the state of the joinlist

OK stsp@


# 1.153 27-Oct-2018 phessler

don't join to a network where we expect cleartext, and the AP is using crypto

OK stsp@


Revision tags: OPENBSD_6_4_BASE
# 1.152 18-Sep-2018 mestre

fix memory leak in ieee80211_end_scan()

OK phessler@ jsg@


# 1.151 17-Sep-2018 jsg

fix memory leaks in ieee80211_add_ess()
ok stsp@ phessler@


# 1.150 11-Sep-2018 phessler

use the format string for signed ints, for signed ints

reminded by stsp@


# 1.149 11-Sep-2018 phessler

With the interface debug flag enabled, print a "score" for each AP we
consider during auto-join. This can help users determine why a specific
network was chosen.

OK stsp@


# 1.148 10-Sep-2018 phessler

fix typo in the length of the essid we want to switch to

found with and OK stsp@


# 1.147 10-Sep-2018 phessler

extract clearing WEP/WPA in ess into helper functions


# 1.146 10-Sep-2018 phessler

give set_ess a len variable, so we can correctly match the essid we want
to switch to.

pointed out by stsp@


# 1.145 09-Sep-2018 phessler

convert the things we save in 'join' into a single ioctl. mixing related
settings over multiple calls was risky and racy. Pass essid, wpa, and wep
parameters in a single ioctl and process it atomically.

no change for 'nwid' users

OK stsp@ benno@


# 1.144 06-Sep-2018 jsg

fix whitespace


# 1.143 01-Sep-2018 stsp

Make 'ifconfig nwid' override 'ifconfig join'.

There was no way to override a decision made by join's network
selection algorithm (apart from disabling the feature by clearing
the join list). Automatic selection is based on heuristics which
cannot always guess correctly so we need to provide an override.

One specific problem was that if 'nwid foo' and 'nwid bar' were
both visible in the scan and only 'nwid foo' was a member of the
join list, then there was no way at all to connect to 'nwid bar'.
The wireless stack would keep selecting 'nwid foo' instead.

'ifconfig iwm0 nwid bar' command will now disable automatic
network selection and force the use of ESSID 'bar'.
Any of these commands will re-enable automatic network selection:
ifconfig iwm0 -nwid
ifconfig iwm0 nwid ''
ifconfig iwm0 join some-network-id

ok phessler@ deraadt@


# 1.142 15-Aug-2018 stsp

Update AP selection heuristics for auto-join.

We now prefer stronger crypto over weaker crypto over none, prefer 5 GHz
band with reasonable RSSI, and use RSSI as a tie-breaker with a slight
advantage for 5GHz. Candidate APs are now ranked by a score which is
calculated based on these attributes.

There is likely room for improvements to make these heuristics
work well across many different environments, but it's a start.

ok phessler@


# 1.141 13-Aug-2018 stsp

Add support for band-steering access points to net80211.

Some access points have a feature called "band steering" where they
will try to push clients from 2 GHz channels to 5 GHz channels.
If a client sends probe-requests on both 2 GHz and 5GHz channels, and
then attempts to authenticate on a 2 GHz channel, such APs will deny
authentication and hope that the client will come back on a 5 GHz channel.

So if we fail to AUTH for any reason, and if there is a different
AP with the same ESSID that we haven't tried yet, try that AP next.
Keep trying until no APs are left, and only then continue scanning.

APs with support for this feature were provided by Mischa Peters.

ok phessler@ mpi@


# 1.140 11-Aug-2018 stsp

Add comment explaining why we read basic MCS set only from beacon/probereq.
requested by mpi@


# 1.139 07-Aug-2018 stsp

Ignore basic MCS set information found in association responses.

Some APs (Aruba 105) send a bogus basic MCS set in assoc responses
which prevents us from enabling 11n support with those APs, while
these APs still behave as if we were an 11n client which renders
the association unusable.

The basic MCS set is already provided in beacons anyway, and the
802.11 2012 standard says the basic MCS set is reserved in frames
other than beacons (see Table 8-130).

ok mpi@


# 1.138 06-Aug-2018 stsp

Refactor ieee80211_add_ess():

Drop ieee80211_add_ess's nwid parameter. Read nwid and length directly
from the ic to make it more obvious where this function is reading from.

nwids are binary data with an explicit length, so treat them as such
instead of treating them like strings.

ok florian phessler


# 1.137 06-Aug-2018 florian

Do not set nwid over and over again. We just found the ess by comparing
the nwid. It will not have changed in the meantime.
OK stsp


# 1.136 03-Aug-2018 phessler

revert 1.133 and part of 1.131
the stack doesn't always fill in the parameters correctly

reported by many


# 1.135 30-Jul-2018 stsp

Don't ask drivers to join a wifi network before an AP has been chosen.
Should fix a panic with bwfm(4) reported by mlarkin@
ok phessler@


# 1.134 19-Jul-2018 florian

ieee80211_ess_is_better() returns 0 or 1, comparing > 1 is always
false so we always selected the first wifi available, not the best
one.

While here shuffle some deck chairs to make it clearer that anything is
better than nothing.

tweak & OK phessler


# 1.133 16-Jul-2018 phessler

the AP sends their crypto parameters as a mask, so let us still select it
in case we want WPA2 and they have WPA1 still enabled


# 1.132 16-Jul-2018 phessler

don't save or use auto-join when the card is not in station (aka client) mode

OK stsp@


# 1.131 13-Jul-2018 phessler

Some more checks before auto-join switches networks.

Make sure all of the crypto options the AP announces matches what we
would configure. While here, don't switch if the user has specified
a specific BSSID, and the new AP does not match.

OK stsp@


# 1.130 11-Jul-2018 phessler

Introduce 'auto-join' to the wifi 802.11 stack.

This allows a system to remember which ESSIDs it wants to connect to, any
relevant security configuration, and switch to it when the network we are
currently connected to is no longer available.

Works when connecting and switching between WPA2/WPA1/WEP/clear encryptions.

example hostname.if:
join home wpakey password
join work wpakey mekmitasdigoat
join open-lounge
join cafe wpakey cafe2018
join "wepnetwork" nwkey "12345"
dhcp
inet6 autoconf
up

OK stsp@ reyk@
and enthusiasm from every hackroom I've been in for the last 3 years


# 1.129 28-Apr-2018 stsp

When starting a background scan, free the nodes table to ensure we
get an up-to-date view of APs around us. In particular, we need to
kick out the AP we are associated to. Otherwise, our current AP might
stay cached if it is turned off while we are scanning, and we could
end up picking a now non-existent but "good looking" AP over and over.

found with and ok phessler@


# 1.128 27-Apr-2018 stsp

Fix the scan loop: We were only looking for an AP once and stopped
scanning if none was found.
Accidentally broken in recent ifconfig scan changes by pirofti and me.
ok pirofti


# 1.127 26-Apr-2018 pirofti

net80211: stub SIOCS80211SCAN, make ifconfig scan instant.

The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stsp@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.

The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.

In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.

The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...

Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.

Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).

Tested by mpi@, landry@, florian@, thanks!
OK mpi@.


Revision tags: OPENBSD_6_3_BASE
# 1.126 06-Feb-2018 phessler

convert the test if a node support HT (aka, 11n) into an inline function,
instead of testing some un-obvious bitfield

OK stsp@


# 1.125 12-Dec-2017 stsp

Don't dereference IEEE80211_CHAN_ANYC pointer in ieee80211_node_checkrssi().

Problem reported by Gregoire Jadi on bugs@


# 1.124 12-Dec-2017 phessler

Allow interfaces that aren't SCANNALLBAND drivers to benefit from the
strongest received signal.

OK stsp@


# 1.123 12-Dec-2017 jcs

Fix the behavior of preferring weaker-but-still-good 5GHz APs over
2GHz APs because the 5GHz band is generally less saturated.

The previous implementation was dependent upon the order of walking
APs.

ok stsp


# 1.122 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


Revision tags: OPENBSD_6_2_BASE
# 1.121 05-Sep-2017 stsp

When starting a new scan always set the mode to AUTO if the driver scans
all bands at once. Fixes a problem where e.g. 5GHz APs were filtered out
if we were previously associated to an 11g-only AP.
ok mpi@ phessler@


# 1.120 17-Aug-2017 stsp

Add an entry to dmesg if pairwise WPA keys arrive unexpectedly or if WPA
group keys are being reused. OpenBSD wireless clients will now leave a
trail of such events in their message log.

There has been increased public scrutiny of WPA's security recently, so
I am curious to see if anyone is attempting replay attacks in the wild.

ok deraadt


# 1.119 04-Aug-2017 stsp

Compile a debug printf in ieee80211_match_bss() by default, previously
guarded by the IEEE80211_DEBUG preprocessor flag. This shows one line
per detected AP after a scan, and indicates which APs are considered
candidates for association.
Shorten the output a bit to fit into 80 columns more likely.
ok sthen@


# 1.118 19-Jul-2017 stsp

Improve the heuristic which selects 5GHz APs over 2GHz APs.

The previous code wasn't quite right: it didn't account for the fact that
some drivers don't set ic_max_rssi, and it compared 5GHz APs to a threshold
relative to the max RSSI, rather than comparing RSSI on 5GHz relative to
RSSI on 2GHz.

This heuristic is only used by SCANNALLBAND drivers: iwn(4), iwm(4), wpi(4)

In the future the AP selection heuristic should be made more intelligent,
e.g. it should take BSS load information in beacons into account.
Another open problem is inconsistent representation of RSSI measurement
values throughout our drivers and stack. Help is welcome!

For now, this hopefully improves AP selection at busy airports.

ok sthen@ deraadt@


# 1.117 04-Jun-2017 tb

Add sizes for free for the RSN IEs. Rewrite ieee80211_save_ie() slightly
to make it more readable.

help, many explanations and ok stsp


# 1.116 03-Jun-2017 tb

Add a few sizes to free().

Input, help & ok stsp


Revision tags: OPENBSD_6_1_BASE
# 1.115 04-Mar-2017 stsp

branches: 1.115.4;
In 11n hostap mode, dynamically adjust HT protection settings based on
the presence of non-HT nodes in the node cache.
OpenBSD 11n APs will now disable HT protection if it is not necessary.
ok mpi@


# 1.114 03-Feb-2017 stsp

Fix 11b clients sending bogus ratesets in association requests. The common
rateset with the AP is calculated only after the association response was
received, which is too late. Fix rates when an AP is selected after a scan.
ok mpi@ tb@


# 1.113 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.112 16-Jan-2017 stsp

Reset block ack state and cancel related timeouts when a HT node disassociates.
The existing code (from damien@) already took care of freeing related buffers
but because block ack state was not reset we were still trying to use these
buffers if the node sent another A-MPDU. This problem only affects 11n hostap.
Fixes kernel crash reported by Timo Myyra on bugs@


# 1.111 09-Jan-2017 stsp

When a HT node leaves or reassociates as a non-HT node,
clear HT capabilities stored in its node cache object.

A node may switch from 11n mode to 11a/b/g mode.
If we don't clear HT capabilities from the cache the node will
be mistaken as 11n-capable after reassociation.

ok phessler@ mpi@


# 1.110 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.109 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.108 09-Jan-2017 stsp

The point of ieee80211_node_leave() is to place the node in COLLECT state.
Return early and do nothing if the node is already in COLLECT state upon
entry to this function.


# 1.107 09-Jan-2017 stsp

When acting as hostap, negotiate HT before calling the driver's ic_newassoc()
function, not afterwards. Drivers now know whether a joining node supports HT
which helps with setting up state such as which Tx rate to use.


# 1.106 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@


# 1.105 15-Sep-2016 dlg

move from RB macros to the RBT functions.

shaves about 5k off an amd64 GENERIC.MP kernel


# 1.104 17-Aug-2016 stsp

If a wireless device or driver scans all bands at once give 5GHz APs
a slight priority in cases where good matches exist in either band.
ok sthen@


Revision tags: OPENBSD_6_0_BASE
# 1.103 21-May-2016 stsp

branches: 1.103.2;
Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


# 1.102 18-May-2016 stsp

In hostap mode, don't re-use association IDs (AIDs) of nodes which are
still lingering in the node cache. This could cause an AID to be assigned
twice, once to a newly associated node and once to a different node in
COLLECT cache state (i.e. marked for future eviction from the node cache).

Drivers (e.g. rt2860) may use AIDs to keep track of nodes in firmware
tables and get confused when AIDs aren't unique across the node cache.
The symptom observed with rt2860 were nodes stuck at 1 Mbps Tx rate since
the duplicate AID made the driver perform Tx rate (AMRR) accounting on
the wrong node object.

To find out if a node is associated we now check the node's cache state,
rather than comparing the node's AID against zero. An AID is assigned when
a node associates and it lasts until the node is eventually purged from the
node cache (previously, the AID was made available for re-use when the node
was placed in COLLECT state). There is no need to be stingy with AIDs since
the number of possible AIDs exceeds the maximum number of nodes in the cache.

Problem found by Nathanael Rensen.
Fix written by Nathanael and myself. Tested by Nathanael.
Committing now to get this change tested across as many drivers as possible.


# 1.101 12-Apr-2016 mpi

Call if_enqueue() and if_start() instead of dereferencing the ifp
pointers.

These functions have been introduced to abstract some of the MP-
safeness^Wmadness and should be use everywhere.

Prodded by a comment from jsg@.

ok mikeb@, stsp@


# 1.100 03-Mar-2016 gerhard

Restore assignment of ic_curmode that was accidentally removed when
moving the ERP code to post-assoc phase. Fixes iwi(4) fatal firmware
errors.

ok stsp@, sobrado@


Revision tags: OPENBSD_5_9_BASE
# 1.99 25-Jan-2016 stsp

branches: 1.99.2;
Honour ERP protection on 2 GHz channels in 11n mode, as done for 11g.
ok millert@


# 1.98 25-Jan-2016 stsp

Don't try to interpret htprot data if the last beacon didn't contain such data.
ok mpi@ millert@


# 1.97 07-Jan-2016 stsp

Make the A-MPDU reordering buffer more resilient against APs which drop
some subframes or let the sequence number jump up by more than 1 (hard
to tell which it is). We decrease the BA inactivity timeout for quicker
recovery from stalled BA sessions, and add a new timeout which keeps track
of gaps in the subframe sequence number space due to dropped frames.
Gaps expire after 500 msec, the same value FreeBSD uses for their
implementation of this workaround. And Linux uses this trick, too.

This should fix network stalls some people have been seeing in 11n mode.

ok deraadt@


# 1.96 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.95 04-Jan-2016 stsp

While configuring ERP we need to know if we're in 11a or 11g mode so only
configure ERP once we are sure about our operation mode against the AP.
ok sthen jasper kettenis deraadt mpi


# 1.94 18-Dec-2015 sthen

unnoccupied->unoccupied


# 1.93 12-Dec-2015 stsp

Finish support for receiving 11n A-MPDUs.

The initial implementation was added by damien@ years ago.
Summary of the changes made in this commit:
- In ieee80211_input(), process A-MPDUs before duplicate detection.
- Don't forget to set ba->ba_ni in ieee80211_recv_addba_req()
so we don't crash in ieee80211_rx_ba_timeout().
- In ieee80211_recv_addba_req(), tweak the logic to deny BlockAck
requests if the driver has no callback for doing so.
- Implement ieee80211_ba_del() which cleans up BlockAck state.
- Increase the minimum and maximum lifetime for BlockAck agreements.

ok mpi@


# 1.92 24-Nov-2015 mpi

No need to include <net/if_arp.h>

This header is only needed because <netinet/if_ether.h> declares a
structure that needs it. But it turns out that <net/if.h> already
includes it as workaround.

A proper solution would be to stop declaring "struct ether_arp"
there. But no driver should need this header.


# 1.91 15-Nov-2015 stsp

Parse 11n HT capabilities and operational info from association response
frames, negotiate HT with the AP, and move the interface into or out of
11n mode accordingly. If running as AP negotiate HT with nodes joining the BSS.

ok deraadt mpi kettenis guenther


# 1.90 15-Nov-2015 stsp

Extend struct ieee80211_node with fields for 11n STA HT capabilities and
HT operational information sent by 11n APs. These fields reflect the structure
of elements in management frames so that IEEE80211_HTCAP* and IEEE80211_HTOP*
macros designed to operate on frame elements can be used directly to read
or set the fields.

Populate nodes with HT information received in probe responses, probe
requests, and association requests.

ok deraadt mpi phessler kettenis guenther


# 1.89 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


Revision tags: OPENBSD_5_8_BASE
# 1.88 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.87 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.86 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.85 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.84 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.83 12-Sep-2014 sthen

Remove cached 802.11 nodes in IEEE80211_STA_CACHE state (these are nodes
which have been seen but which haven't otherwise interacted with us), fixing
a problem where old cached nodes are seen when doing a scan.
From Marcin Piotr Pawlowski, feedback stsp@ ok kspillner@ dcoppa@


# 1.82 08-Aug-2014 jasper

use nitems() instead of various local constructs

ok stsp@


Revision tags: OPENBSD_5_6_BASE
# 1.81 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


Revision tags: OPENBSD_5_5_BASE
# 1.80 01-Dec-2013 stsp

Reset txrate array index after changing a node's rate list.
Should prevent "bogus xmit rate %d setup" panics, which I ran into again
in IBSS mode.
ok kettenis


# 1.79 21-Nov-2013 mpi

Remove unneeded include.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.78 24-Mar-2013 claudio

Make ieee80211_set_tim() available from outside of ieee80211_node.c
so drivers like acx(4) can use that function directly instead of
reimplementing the function again. Requested by kettenis@ long time ago.


Revision tags: OPENBSD_5_3_BASE
# 1.77 07-Nov-2012 stsp

Fix DPRINTF() format string treating n->ni_refcnt, which is unsigned, as signed.
diff from dhill; ok kettenis reyk


# 1.76 10-Oct-2012 kettenis

Clear the powersave flag and purge queued packets when a node leaves the AP
(either by disassociating or by timeout). Fixes (most) remaining issues with
power saving.

From Nathanael Rensen.

ok claudio@, krw@, sthen@


# 1.75 05-Oct-2012 camield

Point an interface directly to its bridgeport configuration, instead
of to the bridge itself. This is ok, since an interface can only be part
of one bridge, and the parent bridge is easy to find from the bridgeport.

This way we can get rid of a lot of list walks, improving performance
and shortening the code.

ok henning stsp sthen reyk


# 1.74 20-Sep-2012 stsp

Nuke M_80211_NODE #define which mapped to M_DEVBUF and use M_DEVBUF directly.
ok henning


# 1.73 25-Aug-2012 kettenis

Set up ni_savedq for the initial BSS node such that it can actually be used
to store multicast frames when one of the associated stations is in power
saving mode.

ok stsp@


# 1.72 17-Aug-2012 stsp

Fix possible panic while switching from STA mode into hostap/ibss modes.
ieee80211_create_ibss() resets the set of supported rates but failed
to update the index into the rate set array accordingly. If the rate
configured during STA operation didn't belong to the newly configured
rate set the system ran into an assertion ("bogus xmit rate %u setup")
while trying to create the IBSS.
ok fgsch@


Revision tags: OPENBSD_5_2_BASE
# 1.71 18-Jul-2012 stsp

Print messages about nodes purged from the node cache if hostap/ibss modes are
compiled in and the interface is in debug mode. ok sthen


# 1.70 16-Jul-2012 stsp

Move increment of ic_nnodes closer to where the node is actually inserted
into the cache. Make sure we're at IPL_NET while incrementing/decrementing
ic_nnodes. Add a debug message that warns about possible node leaks.
All of this affects hostap mode only.


# 1.69 13-Jul-2012 stsp

Tweak node cache eviction strategy when the cache is full: kick off new nodes
in AUTH state that weren't active during the cache wait interval rather than
keeping them for the entire cache timeout interval. Fixes association failures
in noisy RF environments. Tested by edd and myself with a slow soekris
suffering from RF noise with about 50 interrupts per second on ral0.
ok deraadt


Revision tags: OPENBSD_5_1_BASE
# 1.68 25-Jan-2012 stsp

There is no need to explicitly skip ic_bss when iterating over cached nodes.
The ic_bss is never put into the RB tree.


# 1.67 25-Jan-2012 stsp

Clean inactive authenticated nodes during cache timeout as well.
There is no need to keep nodes cached which never associated and were
inactive within the last 5 minutes or more. Keeps the node cache pretty
clean in my environment with typical city-center wlan noise.


# 1.66 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@


# 1.65 21-Jan-2012 stsp

Hold interrupts blocked while comparing a cached node's refcount to zero
and freeing the node. Just in case an interrupt happens to ref the node after
the refcount was checked but before the node is freed.
Tested by several as part of a larger diff.


# 1.64 18-Jan-2012 stsp

Make it possible to free cached nodes which never associated (e.g. nodes
only scanning for networks). These were never put into COLLECT state and
were thus never evicted from the node cache in hostap mode.
ok jsg@


Revision tags: OPENBSD_5_0_BASE
# 1.63 28-Mar-2011 kettenis

Clean nodes until the number of cached nodes is smaller than the maximum number
of nodes, otherwise we'll never actually clean any nodes. Fixes issues with
clients failing to attach because the node cache is completely filled.

ok damien@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.62 07-Aug-2010 krw

No "\n" needed at the end of panic() strings.

Bogus chunks pointed out by matthew@ and miod@. No cookies for
marco@ and jasper@.

ok deraadt@ miod@ matthew@ jasper@ macro@


# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


# 1.60 19-Jun-2010 damien

In ieee80211_node_leave(), clear the associd after calling
ieee80211_node_leave_rsn() since ieee80211_node_leave_rsn()
calls ic_delete_key() and drivers like ral(4) RT2860 need
a valid associd in their delete_key callbacks.
This affects HostAP mode only.

from Nathanael Rensen.

remove a useless (nested) #ifndef IEEE80211_STA_ONLY while i'm here


# 1.59 14-Jun-2010 damien

fix my previous commit, i forgot BIP, so instead of enumerating
what is not supported as a group cipher, enumerate what is supported.


# 1.58 14-Jun-2010 damien

do not try to associate with an AP using an unsupported group cipher,
otherwise we will panic in ieee80211_add_rsn_body().

this may be the cause of a panic seen by reyk@ though i'm not 100% sure.


# 1.57 28-Mar-2010 krw

Four uses of uninitialized variables found by clang via jsg@. ar5416, ar9287
and athn are only theoretically interesting. ieee80211_node fixes a real
bug in occupied channel detection.

ok damien@


Revision tags: OPENBSD_4_7_BASE
# 1.56 17-Feb-2010 damien

Do not always create a new node when a beacon or a probe response
is received. The creation of a new node is already handled in
ieee80211_recv_probe_resp() when necessary.
This avoids creating empty nodes with wrong channels when beacons
are received on the wrong channel (overlapping channels).
Those empty nodes may also prevent the real node from being
discovered because of ieee80211_find_node_for_beacon() filtering.

This should prevent entries of the form:
nwid "" chan 3 bssid 00:01:02:03:04:05 0dB 54M
in "ifconfig if0 scan" output, like reported by Rivo Nurges.


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.55 29-Jan-2009 damien

fix a panic that occurs when IEEE80211_STA_ONLY is defined (SMALL_KERNEL).

noticed by ray@, more investigation from sthen@
fix tested by sthen@


# 1.54 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.53 28-Jan-2009 damien

In ieee80211_find_node(), roll our own RB_FIND() based on the key (macaddr)
instead of resorting to horrid hacks/casts.
Restore the ieee80211_node structure back to its original state.


# 1.52 27-Jan-2009 damien

unbreak SMALL_KERNEL builds by adding missing #ifndef IEEE80211_STA_ONLY

pointed out by krw@


# 1.51 26-Jan-2009 damien

move ni_macaddr field at the top of the ieee80211_node structure.
this way we can avoid putting a full node structure (which is huge)
on the stack in ieee80211_find_node().
this is a bit tricky but the RB_FIND macro wants an "elem" structure,
not a field of "elem".


# 1.50 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.49 14-Dec-2008 damien

Add an ieee80211_notify_dtim() function that drivers should call after
every DTIM in HostAP mode.
Flushes all group addressed MSDUs buffered at the AP for power management.


# 1.48 23-Oct-2008 mk

Prevent a crash in ieee80211_setkeys() when unplugging an interface in
hostap mode by canceling the group rekey timeout in ieee80211_node_detach().

ok damien


# 1.47 15-Oct-2008 blambert

Second pass of simple timeout_add -> timeout_add_sec conversions
This should take care of the simpler ones (i.e., timeout values of
integer multiples of hz).

ok krw@, art@


# 1.46 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.45 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.44 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.43 12-Aug-2008 damien

new SHA-256 based AKMPs.


# 1.42 12-Aug-2008 damien

add/process group integrity cipher suite in RSN IEs.
add support for MFP negotiation during association.


# 1.41 12-Aug-2008 damien

the only integrity group cipher currently supported is AES-128-CMAC.


# 1.40 12-Aug-2008 damien

generate a random IGTK in HostAP mode if we're MFP-capable.


# 1.39 12-Aug-2008 damien

get rid of the map_ptk()/map_gtk() functions, just inline them
which makes things easier to track.


Revision tags: OPENBSD_4_4_BASE
# 1.38 02-Aug-2008 damien

Drop frames that are received unencrypted when WEP is on or when
WPA is on and RX protection for TA is on.
Keep track of the TX/RX protection for each node when WPA is on.

tested by djm@ (ral+wpa), ckuethe@ (ath-noenc) and krw@ (wpi<->ral+wpa).
hints from bluhm@
has been in snaps for a few days.

pointed out by bluhm@ something like 1 year ago but we did not have
the right infrastructure to fix it properly at that time.

ok deraadt@


# 1.37 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.36 27-Jul-2008 damien

s/IEEE80211_DPRINTF/DPRINTF/
automatically prepend __func__ to output.

deobfuscates debug messages a bit.
no binary change unless compiled with IEEE80211_DEBUG.


# 1.35 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.34 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


# 1.33 21-Apr-2008 damien

move ieee80211_ibss_merge() from ieee80211_input.c to ieee80211_node.c


# 1.32 21-Apr-2008 damien

move ieee80211_auth_open() to ieee80211_proto.c
move ieee80211_setup_rates() to ieee80211_node.c
move some prototypes from ieee80211_proto.h to ieee80211_crypto.h


# 1.31 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.30 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.29 07-Sep-2007 damien

use new malloc M_ZERO flag + replace MALLOC with malloc


Revision tags: OPENBSD_4_2_BASE
# 1.28 06-Jul-2007 damien

remove remaining bits for pre-RSNA shared authmode support.
it has been #if 0'd since 3.9 and we have never supported this mode (no
ifconfig option etc...).


# 1.27 06-Jul-2007 damien

initialize an uninitialized variable.


# 1.26 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.25 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.24 16-Jun-2007 damien

constify


# 1.23 16-Jun-2007 damien

don't mix u_int{8,16,32}_t and uint{8,16,32}_t
use u_int{8,16,32}_t everywhere.


# 1.22 16-Jun-2007 damien

de-static

ok jsg@


# 1.21 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.20 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


# 1.19 10-Apr-2007 miod

``it's'' -> ``its'' when the grammar gods require this change.


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 13-Nov-2006 damien

fix a possible NULL deref.


Revision tags: OPENBSD_4_0_BASE
# 1.16 19-Jun-2006 reyk

unbreak the code if compiled with IEEE80211_DEBUG by using the right
node attribute.

ok damien@, figured out by claudio@


# 1.15 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.14 19-Feb-2006 damien

Fix a comment in ieee80211_next_scan().


# 1.13 09-Oct-2005 reyk

if the wireless hostap interface belongs to a bridge, learn the node's
address dynamically on this interface after successful association.
this could speed wireless roaming to openbsd accesspoints.

ok jason@, jsg@ can't see anything objectionable


# 1.12 07-Oct-2005 reyk

minor knf


# 1.11 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.10 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.9 08-Sep-2005 jsg

Remove the last of the FreeBSD compatibility goop.
ok reyk@


# 1.8 08-Sep-2005 jsg

Remove FreeBSD if_printf compat function from net80211.
ok reyk@


# 1.7 08-Sep-2005 reyk

reset the scan state for each new mode

ok jsg@


# 1.6 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.5 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.4 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.3 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.2 02-Nov-2004 millert

Don't call memset() if MALLOC returns NULL; also fix the rcs ID.
From Patrick Latifi; OK reyk@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.164 28-Apr-2019 mpi

Removes the KERNEL_LOCK() from bridge(4)'s output fast-path.

This redefines the ifp <-> bridge relationship. No lock can be
currently used across the multiples contexts where the bridge has
tentacles to protect a pointer, use an interface index.

Tested by various, ok dlg@, visa@


Revision tags: OPENBSD_6_5_BASE
# 1.163 15-Mar-2019 phessler

fix autojoin for WEP network by actually saving the WEP auth key

discovered while attempting to autojoin WEP networks


# 1.162 01-Mar-2019 stsp

Improve handling of HT protection for 'mode 11n' hostap.

Consider the mere presence of HTCAP IEs as indicator of 11n support,
rather than checking advertised Rx MCS. Fixes some devices being
misclassified as 11a/g, causing HT protection to be enabled even
though it is not needed.

Use CTS-to-self frames for HT protection instead of RTS/CTS.

These changes make my athn(4) AR9280 hostap perform much better.

ok phessler@


# 1.161 23-Jan-2019 stsp

Move 802.11n rateset definitions out of MiRA and make them available to
net80211 and drivers in general. Add ratesets for 'short guard interval'
(SGI) rates, and add SGI support to MiRA. SGI is currently only used by
iwm(4), and of course internally by bwfm(4) firmware.
Ratesets for 11n 40 MHz channels and 11ac will come later.
ok mpi@ phessler@


# 1.160 18-Jan-2019 phessler

add a len field when we delete an essid from the joinlist. this will have
us properly match, instead of hoping we got lucky when selecting it.

OK stsp@


# 1.159 18-Jan-2019 phessler

let users automatically use join to connect to any open wifi network.
if a known network is visible, always prefer that instead.

requested by many, OK stsp@


# 1.158 25-Nov-2018 phessler

print more details about the join'd networks we have saved when a user runs
ifconfig if joinlist

OK stsp@


# 1.157 20-Nov-2018 phessler

fix whitespace in debugging function


# 1.156 20-Nov-2018 patrick

The first packet received from each AP in each QoS class would be
dropped as the sequence number matches the initial value of the
cached last sequence number (zero). On some APs (notably Android
WIFI hotspots) this hits the first packet of the WPA2 4-way
handshake. This causes connection delays and in some cases
connection to the AP fails completely. Initialize the cached last
sequence numbers for received packets to an invalid value instead.

From Christian Ehrhardt
ok gerhard@ stsp@
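
The defect this entry describes, as an added C example that is not net80211's code: a per-TID receive sequence cache initialised to zero beside one initialised to an out-of-range sentinel, both fed the same constructed frame sequence. The duplicate rule used here (Retry bit set and sequence number equal to the last one accepted on that TID), the struct and all function names are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NUM_TIDS      16      /* 802.11 QoS traffic identifiers (TIDs) */
#define SEQ_SHIFT     4       /* fragment number occupies the low 4 bits */
#define SEQ_MASK      0x0fff  /* sequence numbers are 12 bits wide */
#define RXSEQ_INVALID 0xffff  /* sentinel: no 12-bit sequence number equals it */

struct rx_seq_cache {
	uint16_t last_seq[NUM_TIDS]; /* last accepted sequence number per TID */
};

/* The defective initialisation: zero is itself a valid sequence number. */
void rx_cache_init_zero(struct rx_seq_cache *c)
{
	for (size_t i = 0; i < NUM_TIDS; i++)
		c->last_seq[i] = 0;
}

/* The corrected initialisation: a value outside the 12-bit range. */
void rx_cache_init(struct rx_seq_cache *c)
{
	for (size_t i = 0; i < NUM_TIDS; i++)
		c->last_seq[i] = RXSEQ_INVALID;
}

/*
 * Duplicate check as assumed for this example: a frame is a duplicate when
 * it is a retransmission (Retry bit set) and carries the same sequence
 * number as the last frame accepted on that TID. Returns true if the frame
 * must be dropped; otherwise records the sequence number in the cache.
 */
bool rx_is_duplicate(struct rx_seq_cache *c, unsigned tid, uint16_t seqctl,
    bool retry)
{
	uint16_t seq = (seqctl >> SEQ_SHIFT) & SEQ_MASK;

	if (tid >= NUM_TIDS)
		tid = 0; /* malformed TID: account it as best-effort traffic */
	if (retry && seq == c->last_seq[tid])
		return true;
	c->last_seq[tid] = seq;
	return false;
}

/* Constructed frame sequence (not a capture), in arrival order. */
struct frame {
	uint16_t seqctl; /* sequence number << 4 | fragment number */
	bool retry;
	unsigned tid;
};

static const struct frame sample[] = {
	{ 0x0000, true,  0 }, /* first frame on TID 0, seq 0, flagged Retry */
	{ 0x0010, false, 0 }, /* seq 1 */
	{ 0x0010, true,  0 }, /* retransmission of seq 1: a genuine duplicate */
	{ 0x0000, true,  6 }, /* first frame on TID 6, again seq 0 with Retry */
};

/* Feed the sample through a cache; returns how many frames were dropped. */
int count_drops(bool zero_init)
{
	struct rx_seq_cache c;
	int drops = 0;

	if (zero_init)
		rx_cache_init_zero(&c);
	else
		rx_cache_init(&c);
	for (size_t i = 0; i < sizeof(sample) / sizeof(sample[0]); i++)
		if (rx_is_duplicate(&c, sample[i].tid, sample[i].seqctl,
		    sample[i].retry))
			drops++;
	return drops;
}

int main(void)
{
	/* zero-initialised: 3 drops (two first frames plus the real duplicate);
	 * sentinel-initialised: 1 drop (only the real duplicate) */
	printf("zero-initialised cache drops %d frames\n", count_drops(true));
	printf("sentinel-initialised cache drops %d frames\n", count_drops(false));
	return 0;
}
```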


# 1.155 27-Oct-2018 phessler

pass around the ess and ni structures we plan to use directly, instead
of rediscovering them (possibly badly).

OK stsp@


# 1.154 27-Oct-2018 phessler

clean up accounting of the AUTO_JOIN flag by making sure it is set or cleared
based on the state of the joinlist

OK stsp@


# 1.153 27-Oct-2018 phessler

don't join to a network where we expect cleartext, and the AP is using crypto

OK stsp@


Revision tags: OPENBSD_6_4_BASE
# 1.152 18-Sep-2018 mestre

fix memory leak in ieee80211_end_scan()

OK phessler@ jsg@


# 1.151 17-Sep-2018 jsg

fix memory leaks in ieee80211_add_ess()
ok stsp@ phessler@


# 1.150 11-Sep-2018 phessler

use the format string for signed ints, for signed ints

reminded by stsp@


# 1.149 11-Sep-2018 phessler

With the interface debug flag enabled, print a "score" for each AP we
consider during auto-join. This can help users determine why a specific
network was chosen.

OK stsp@


# 1.148 10-Sep-2018 phessler

fix typo in the length of the essid we want to switch to

found with and OK stsp@


# 1.147 10-Sep-2018 phessler

extract clearing WEP/WPA in ess into helper functions


# 1.146 10-Sep-2018 phessler

give set_ess a len variable, so we can correctly match the essid we want
to switch to.

pointed out by stsp@


# 1.145 09-Sep-2018 phessler

convert the things we save in 'join' into a single ioctl. mixing related
settings over multiple calls was risky and racy. Pass essid, wpa, and wep
parameters in a single ioctl and process it atomically.

no change for 'nwid' users

OK stsp@ benno@


# 1.144 06-Sep-2018 jsg

fix whitespace


# 1.143 01-Sep-2018 stsp

Make 'ifconfig nwid' override 'ifconfig join'.

There was no way to override a decision made by join's network
selection algorithm (apart from disabling the feature by clearing
the join list). Automatic selection is based on heuristics which
cannot always guess correctly so we need to provide an override.

One specific problem was that if 'nwid foo' and 'nwid bar' were
both visible in the scan and only 'nwid foo' was a member of the
join list, then there was no way at all to connect to 'nwid bar'.
The wireless stack would keep selecting 'nwid foo' instead.

'ifconfig iwm0 nwid bar' command will now disable automatic
network selection and force the use of ESSID 'bar'.
Any of these commands will re-enable automatic network selection:
ifconfig iwm0 -nwid
ifconfig iwm0 nwid ''
ifconfig iwm0 join some-network-id

ok phessler@ deraadt@


# 1.142 15-Aug-2018 stsp

Update AP selection heuristics for auto-join.

We now prefer stronger crypto over weaker crypto over none, prefer 5 GHz
band with reasonable RSSI, and use RSSI as a tie-breaker with a slight
advantage for 5GHz. Candidate APs are now ranked by a score which is
calculated based on these attributes.

There is likely room for improvements to make these heuristics
work well across many different environments, but it's a start.

ok phessler@


# 1.141 13-Aug-2018 stsp

Add support for band-steering access points to net80211.

Some access points have a feature called "band steering" where they
will try to push clients from 2 GHz channels to 5 GHz channels.
If a client sends probe-requests on both 2 GHz and 5GHz channels, and
then attempts to authenticate on a 2 GHz channel, such APs will deny
authentication and hope that the client will come back on a 5 GHz channel.

So if we fail to AUTH for any reason, and if there is a different
AP with the same ESSID that we haven't tried yet, try that AP next.
Keep trying until no APs are left, and only then continue scanning.

APs with support for this feature were provided by Mischa Peters.

ok phessler@ mpi@


# 1.140 11-Aug-2018 stsp

Add comment explaining why we read basic MCS set only from beacon/probereq.
requested by mpi@


# 1.139 07-Aug-2018 stsp

Ignore basic MCS set information found in association responses.

Some APs (Aruba 105) send a bogus basic MCS set in assoc responses
which prevents us from enabling 11n support with those APs, while
these APs still behave as if we were an 11n client which renders
the association unusable.

The basic MCS set is already provided in beacons anyway, and the
802.11 2012 standard says the basic MCS set is reserved in frames
other than beacons (see Table 8-130).

ok mpi@


# 1.138 06-Aug-2018 stsp

Refactor ieee80211_add_ess():

Drop ieee80211_add_ess's nwid parameter. Read nwid and length directly
from the ic to make it more obvious where this function is reading from.

nwids are binary data with an explicit length, so treat them as such
instead of treating them like strings.

ok florian phessler


# 1.137 06-Aug-2018 florian

Do not set nwid over and over again. We just found the ess by comparing
the nwid. It will not have changed in the meantime.
OK stsp


# 1.136 03-Aug-2018 phessler

revert 1.133 and part of 1.131
the stack doesn't always fill in the parameters correctly

reported by many


# 1.135 30-Jul-2018 stsp

Don't ask drivers to join a wifi network before an AP has been chosen.
Should fix a panic with bwfm(4) reported by mlarkin@
ok phessler@


# 1.134 19-Jul-2018 florian

ieee80211_ess_is_better() returns 0 or 1, comparing > 1 is always
false so we always selected the first wifi available, not the best
one.

While here shuffle some deck chairs to make it clearer that anything is
better than nothing.

tweak & OK phessler


# 1.133 16-Jul-2018 phessler

the AP sends their crypto parameters as a mask, so let us still select it
in case we want WPA2 and they have WPA1 still enabled


# 1.132 16-Jul-2018 phessler

don't save or use auto-join when the card is not in station (aka client) mode

OK stsp@


# 1.131 13-Jul-2018 phessler

Some more checks before auto-join switches networks.

Make sure all of the crypto options the AP announces matches what we
would configure. While here, don't switch if the user has specified
a specific BSSID, and the new AP does not match.

OK stsp@


# 1.130 11-Jul-2018 phessler

Introduce 'auto-join' to the wifi 802.11 stack.

This allows a system to remember which ESSIDs it wants to connect to, any
relevant security configuration, and switch to it when the network we are
currently connected to is no longer available.

Works when connecting and switching between WPA2/WPA1/WEP/clear encryptions.

example hostname.if:
join home wpakey password
join work wpakey mekmitasdigoat
join open-lounge
join cafe wpakey cafe2018
join "wepnetwork" nwkey "12345"
dhcp
inet6 autoconf
up

OK stsp@ reyk@
and enthusiasm from every hackroom I've been in for the last 3 years


# 1.129 28-Apr-2018 stsp

When starting a background scan, free the nodes table to ensure we
get an up-to-date view of APs around us. In particular, we need to
kick out the AP we are associated to. Otherwise, our current AP might
stay cached if it is turned off while we are scanning, and we could
end up picking a now non-existent but "good looking" AP over and over.

found with and ok phessler@


# 1.128 27-Apr-2018 stsp

Fix the scan loop: We were only looking for an AP once and stopped
scanning if none was found.
Accidentally broken in recent ifconfig scan changes by pirofti and me.
ok pirofti


# 1.127 26-Apr-2018 pirofti

net80211: stub SIOCS80211SCAN, make ifconfig scan instant.

The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stsp@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.

The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.

In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.

The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...

Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.

Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).

Tested by mpi@, landry@, florian@, thanks!
OK mpi@.


Revision tags: OPENBSD_6_3_BASE
# 1.126 06-Feb-2018 phessler

convert the test if a node support HT (aka, 11n) into an inline function,
instead of testing some un-obvious bitfield

OK stsp@


# 1.125 12-Dec-2017 stsp

Don't dereference IEEE80211_CHAN_ANYC pointer in ieee80211_node_checkrssi().

Problem reported by Gregoire Jadi on bugs@


# 1.124 12-Dec-2017 phessler

Allow interfaces that aren't SCANNALLBAND drivers to benefit from the
strongest received signal.

OK stsp@


# 1.123 12-Dec-2017 jcs

Fix the behavior of preferring weaker-but-still-good 5GHz APs over
2GHz APs because the 5GHz band is generally less saturated.

The previous implementation was dependent upon the order of walking
APs.

ok stsp


# 1.122 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


Revision tags: OPENBSD_6_2_BASE
# 1.121 05-Sep-2017 stsp

When starting a new scan always set the mode to AUTO if the driver scans
all bands at once. Fixes a problem where e.g. 5GHz APs were filtered out
if we were previously associated to an 11g-only AP.
ok mpi@ phessler@


# 1.120 17-Aug-2017 stsp

Add an entry to dmesg if pairwise WPA keys arrive unexpectedly or if WPA
group keys are being reused. OpenBSD wireless clients will now leave a
trail of such events in their message log.

There has been increased public scrutiny of WPA's security recently, so
I am curious to see if anyone is attempting replay attacks in the wild.

ok deraadt
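
A sketch of the two log conditions this entry adds, as an added C example that is not the stack's own code: the struct, function names, log strings and key bytes are constructed for the illustration, "unexpected" is modelled as a pairwise key install with no preceding 4-way handshake message 1, and "reused" as the same group key material arriving again under the same key index. As the entry says, only a log line is added; key installation itself is unchanged.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GTK_MAXLEN 32 /* longest group key accepted here (256 bits) */
#define NUM_KIDS   4  /* the 802.11 key index field is 2 bits wide */

enum key_event {
	KEY_INSTALLED,           /* nothing unusual */
	KEY_PAIRWISE_UNEXPECTED, /* PTK install without a handshake in progress */
	KEY_GROUP_REUSED,        /* same GTK delivered again under the same index */
	KEY_REJECTED             /* key index or length out of range */
};

struct sta_keys {
	bool ptk_negotiating;   /* handshake message 1 seen, message 3 pending */
	bool ptk_installed;
	bool gtk_valid[NUM_KIDS];
	uint8_t gtk[NUM_KIDS][GTK_MAXLEN];
	size_t gtk_len[NUM_KIDS];
	unsigned anomalies;     /* number of log lines emitted */
};

static void log_event(struct sta_keys *s, const char *msg)
{
	s->anomalies++;
	printf("wifi0: %s\n", msg); /* stands in for the kernel message log */
}

/* Called when 4-way handshake message 1 arrives. */
void sta_handshake_started(struct sta_keys *s)
{
	s->ptk_negotiating = true;
}

/* Called when message 3 arrives and the pairwise key is installed. */
enum key_event sta_install_ptk(struct sta_keys *s)
{
	enum key_event ev = KEY_INSTALLED;

	if (!s->ptk_negotiating) {
		log_event(s, "unexpected pairwise key update");
		ev = KEY_PAIRWISE_UNEXPECTED;
	}
	s->ptk_installed = true; /* install regardless: only the log is new */
	s->ptk_negotiating = false;
	return ev;
}

/* Called when a group key arrives (message 3 or a group key handshake). */
enum key_event sta_install_gtk(struct sta_keys *s, unsigned kid,
    const uint8_t *gtk, size_t len)
{
	enum key_event ev = KEY_INSTALLED;

	if (kid >= NUM_KIDS || len == 0 || len > GTK_MAXLEN)
		return KEY_REJECTED;
	if (s->gtk_valid[kid] && s->gtk_len[kid] == len &&
	    memcmp(s->gtk[kid], gtk, len) == 0) {
		log_event(s, "reused group key received");
		ev = KEY_GROUP_REUSED;
	}
	memcpy(s->gtk[kid], gtk, len);
	s->gtk_len[kid] = len;
	s->gtk_valid[kid] = true;
	return ev;
}

/*
 * Constructed rekey sequence (not a capture): a normal association, a
 * normal group rekey, then a repeated GTK and a PTK install with no
 * handshake in progress. Returns the number of anomalies logged.
 */
unsigned run_rekey_scenario(void)
{
	static const uint8_t k1[16] = { 0x11, 0x22, 0x33, 0x44 }; /* rest zero */
	static const uint8_t k2[16] = { 0x55, 0x66, 0x77, 0x88 };
	struct sta_keys s;

	memset(&s, 0, sizeof(s));
	sta_handshake_started(&s);
	sta_install_ptk(&s);            /* expected: handshake was in progress */
	sta_install_gtk(&s, 1, k1, 16); /* first GTK, key index 1 */
	sta_install_gtk(&s, 2, k2, 16); /* normal rekey onto key index 2 */
	sta_install_gtk(&s, 1, k1, 16); /* same key, same index: logged */
	sta_install_ptk(&s);            /* no message 1 seen first: logged */
	return s.anomalies;
}

int main(void)
{
	printf("anomalies logged: %u\n", run_rekey_scenario()); /* 2 */
	return 0;
}
```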


# 1.119 04-Aug-2017 stsp

Compile a debug printf in ieee80211_match_bss() by default, previously
guarded by the IEEE80211_DEBUG preprocessor flag. This shows one line
per detected AP after a scan, and indicates which APs are considered
candidates for association.
Shorten the output a bit to fit into 80 columns more likely.
ok sthen@


# 1.118 19-Jul-2017 stsp

Improve the heuristic which selects 5GHz APs over 2GHz APs.

The previous code wasn't quite right: it didn't account for the fact that
some drivers don't set ic_max_rssi, and it compared 5GHz APs to a threshold
relative to the max RSSI, rather than comparing RSSI on 5GHz relative to
RSSI on 2GHz.

This heuristic is only used by SCANNALLBAND drivers: iwn(4), iwm(4), wpi(4)

In the future the AP selection heuristic should be made more intelligent,
e.g. it should take BSS load information in beacons into account.
Another open problem is inconsistent representation of RSSI measurement
values throughout our drivers and stack. Help is welcome!

For now, this hopefully improves AP selection at busy airports.

ok sthen@ deraadt@


# 1.117 04-Jun-2017 tb

Add sizes for free for the RSN IEs. Rewrite ieee80211_save_ie() slightly
to make it more readable.

help, many explanations and ok stsp


# 1.116 03-Jun-2017 tb

Add a few sizes to free().

Input, help & ok stsp


Revision tags: OPENBSD_6_1_BASE
# 1.115 04-Mar-2017 stsp

branches: 1.115.4;
In 11n hostap mode, dynamically adjust HT protection settings based on
the presence of non-HT nodes in the node cache.
OpenBSD 11n APs will now disable HT protection if it is not necessary.
ok mpi@


# 1.114 03-Feb-2017 stsp

Fix 11b clients sending bogus ratesets in association requests. The common
rateset with the AP is calculated only after the association response was
received, which is too late. Fix rates when an AP is selected after a scan.
ok mpi@ tb@


# 1.113 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.112 16-Jan-2017 stsp

Reset block ack state and cancel related timeouts when a HT node disassociates.
The existing code (from damien@) already took care of freeing related buffers
but because block ack state was not reset we were still trying to use these
buffers if the node sent another A-MPDU. This problem only affects 11n hostap.
Fixes kernel crash reported by Timo Myyra on bugs@


# 1.111 09-Jan-2017 stsp

When a HT node leaves or reassociates as a non-HT node,
clear HT capabilities stored in its node cache object.

A node may switch from 11n mode to 11a/b/g mode.
If we don't clear HT capabilities from the cache the node will
be mistaken as 11n-capable after reassociation.

ok phessler@ mpi@


# 1.110 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.109 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.108 09-Jan-2017 stsp

The point of ieee80211_node_leave() is to place the node in COLLECT state.
Return early and do nothing if the node is already in COLLECT state upon
entry to this function.


# 1.107 09-Jan-2017 stsp

When acting as hostap, negotiate HT before calling the driver's ic_newassoc()
function, not afterwards. Drivers now know whether a joining node supports HT
which helps with setting up state such as which Tx rate to use.


# 1.106 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@


# 1.105 15-Sep-2016 dlg

move from RB macros to the RBT functions.

shaves about 5k off an amd64 GENERIC.MP kernel


# 1.104 17-Aug-2016 stsp

If a wireless device or driver scans all bands at once give 5GHz APs
a slight priority in cases where good matches exist in either band.
ok sthen@


Revision tags: OPENBSD_6_0_BASE
# 1.103 21-May-2016 stsp

branches: 1.103.2;
Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


# 1.102 18-May-2016 stsp

In hostap mode, don't re-use association IDs (AIDs) of nodes which are
still lingering in the node cache. This could cause an AID to be assigned
twice, once to a newly associated node and once to a different node in
COLLECT cache state (i.e. marked for future eviction from the node cache).

Drivers (e.g. rt2860) may use AIDs to keep track of nodes in firmware
tables and get confused when AIDs aren't unique across the node cache.
The symptom observed with rt2860 were nodes stuck at 1 Mbps Tx rate since
the duplicate AID made the driver perform Tx rate (AMRR) accounting on
the wrong node object.

To find out if a node is associated we now check the node's cache state,
rather than comparing the node's AID against zero. An AID is assigned when
a node associates and it lasts until the node is eventually purged from the
node cache (previously, the AID was made available for re-use when the node
was placed in COLLECT state). There is no need to be stingy with AIDs since
the number of possible AIDs exceeds the maximum number of nodes in the cache.

Problem found by Nathanael Rensen.
Fix written by Nathanael and myself. Tested by Nathanael.
Committing now to get this change tested across as many drivers as possible.

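The AID uniqueness problem described in the 1.102 message, as an added example (not OpenBSD's code): a toy hostap node cache in which "associated" is derived from the cache state rather than from a non-zero AID, and the allocator skips every AID still held by any cached node, COLLECT nodes included. The cache size, the AID range and all names (node_cache, aid_alloc, aid_scenario) are assumptions made for this example.

```c
#include <stdio.h>
#include <stdint.h>

#define MAX_NODES 8   /* constructed: tiny cache so the walk-through stays readable */
#define MAX_AID   32  /* constructed: exceeds MAX_NODES, so allocation can't run dry */

enum node_state { NODE_CACHE, NODE_AUTH, NODE_ASSOC, NODE_COLLECT };

struct node {
	enum node_state state;
	uint16_t        aid;   /* 0 = never assigned */
};

struct node_cache {
	struct node nodes[MAX_NODES];
	int         nnodes;
};

/* Before 1.102, "associated" meant aid != 0 and the AID was released as soon
 * as the node entered COLLECT; the fix keys on the cache state instead. */
static int
node_is_associated(const struct node *ni)
{
	return ni->state == NODE_ASSOC;
}

/* 1 if any cached node, whatever its state, still holds this AID. */
static int
aid_in_use(const struct node_cache *nc, uint16_t aid)
{
	for (int i = 0; i < nc->nnodes; i++)
		if (nc->nodes[i].aid == aid)
			return 1;
	return 0;
}

/* Lowest AID not held by any cached node, or 0 if none is free. */
static uint16_t
aid_alloc(const struct node_cache *nc)
{
	for (uint16_t aid = 1; aid <= MAX_AID; aid++)
		if (!aid_in_use(nc, aid))
			return aid;
	return 0;
}

static struct node *
node_add(struct node_cache *nc)
{
	if (nc->nnodes >= MAX_NODES)
		return NULL;
	struct node *ni = &nc->nodes[nc->nnodes++];
	ni->state = NODE_CACHE;
	ni->aid = 0;
	return ni;
}

/* Association assigns an AID that is unique across the whole cache. */
static int
node_assoc(struct node_cache *nc, struct node *ni)
{
	uint16_t aid = aid_alloc(nc);
	if (aid == 0)
		return -1;
	ni->aid = aid;
	ni->state = NODE_ASSOC;
	return 0;
}

/* Leaving marks the node for eviction; its AID stays taken until purge. */
static void
node_leave(struct node *ni)
{
	ni->state = NODE_COLLECT;
}

/* Purge drops COLLECT nodes; only now do their AIDs become reusable. */
static void
node_purge(struct node_cache *nc)
{
	int j = 0;
	for (int i = 0; i < nc->nnodes; i++)
		if (nc->nodes[i].state != NODE_COLLECT)
			nc->nodes[j++] = nc->nodes[i];
	nc->nnodes = j;
}

/* The invariant drivers such as rt2860 rely on: no AID appears twice. */
static int
aids_unique(const struct node_cache *nc)
{
	for (int i = 0; i < nc->nnodes; i++)
		for (int j = i + 1; j < nc->nnodes; j++)
			if (nc->nodes[i].aid != 0 &&
			    nc->nodes[i].aid == nc->nodes[j].aid)
				return 0;
	return 1;
}

/* Replay the scenario from the message: A associates and leaves (lingering
 * in COLLECT), then B associates. Returns (A's AID << 8 | B's AID) if the
 * invariant holds and the purge removes exactly A, -1 otherwise. */
static int
aid_scenario(void)
{
	struct node_cache nc = { .nnodes = 0 };
	struct node *a = node_add(&nc), *b;
	int result;

	node_assoc(&nc, a);
	node_leave(a);
	b = node_add(&nc);
	node_assoc(&nc, b);
	if (!aids_unique(&nc) || node_is_associated(a) || !node_is_associated(b))
		return -1;
	result = (a->aid << 8) | b->aid;
	node_purge(&nc);
	return nc.nnodes == 1 ? result : -1;
}

int
main(void)
{
	int r = aid_scenario();
	printf("lingering node AID %d, new node AID %d\n", r >> 8, r & 0xff);
	return r < 0;
}
```

With the old "release on COLLECT" rule the second association would have been handed AID 1 again while node A still sat in the cache; here B gets AID 2 and A's AID is only recycled once the purge has actually removed A.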

# 1.101 12-Apr-2016 mpi

Call if_enqueue() and if_start() instead of dereferencing the ifp
pointers.

These functions have been introduced to abstract some of the MP-safeness^Wmadness and should be used everywhere.

Prodded by a comment from jsg@.

ok mikeb@, stsp@


# 1.100 03-Mar-2016 gerhard

Restore assignment of ic_curmode that was accidentally removed when
moving the ERP code to post-assoc phase. Fixes iwi(4) fatal firmware
errors.

ok stsp@, sobrado@


Revision tags: OPENBSD_5_9_BASE
# 1.99 25-Jan-2016 stsp

branches: 1.99.2;
Honour ERP protection on 2 GHz channels in 11n mode, as done for 11g.
ok millert@


# 1.98 25-Jan-2016 stsp

Don't try to interpret htprot data if the last beacon didn't contain such data.
ok mpi@ millert@


# 1.97 07-Jan-2016 stsp

Make the A-MPDU reordering buffer more resilient against APs which drop
some subframes or let the sequence number jump up by more than 1 (hard
to tell which it is). We decrease the BA inactivity timeout for quicker
recovery from stalled BA sessions, and add a new timeout which keeps track
of gaps in the subframe sequence number space due to dropped frames.
Gaps expire after 500 msec, the same value FreeBSD uses for their
implementation of this workaround. And Linux uses this trick, too.

This should fix network stalls some people have been seeing in 11n mode.

ok deraadt@


# 1.96 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.95 04-Jan-2016 stsp

While configuring ERP we need to know if we're in 11a or 11g mode so only
configure ERP once we are sure about our operation mode against the AP.
ok sthen jasper kettenis deraadt mpi


# 1.94 18-Dec-2015 sthen

unnoccupied->unoccupied


# 1.93 12-Dec-2015 stsp

Finish support for receiving 11n A-MPDUs.

The initial implementation was added by damien@ years ago.
Summary of the changes made in this commit:
- In ieee80211_input(), process A-MPDUs before duplicate detection.
- Don't forget to set ba->ba_ni in ieee80211_recv_addba_req()
so we don't crash in ieee80211_rx_ba_timeout().
- In ieee80211_recv_addba_req(), tweak the logic to deny BlockAck
requests if the driver has no callback for doing so.
- Implement ieee80211_ba_del() which cleans up BlockAck state.
- Increase the minimum and maximum lifetime for BlockAck agreements.

ok mpi@


# 1.92 24-Nov-2015 mpi

No need to include <net/if_arp.h>

This header is only needed because <netinet/if_ether.h> declares a
structure that needs it. But it turns out that <net/if.h> already
includes it as workaround.

A proper solution would be to stop declaring "struct ether_arp"
there. But no driver should need this header.


# 1.91 15-Nov-2015 stsp

Parse 11n HT capabilities and operational info from association response
frames, negotiate HT with the AP, and move the interface into or out of
11n mode accordingly. If running as AP negotiate HT with nodes joining the BSS.

ok deraadt mpi kettenis guenther


# 1.90 15-Nov-2015 stsp

Extend struct ieee80211_node with fields for 11n STA HT capabilities and
HT operational information sent by 11n APs. These fields reflect the structure
of elements in management frames so that IEEE80211_HTCAP* and IEEE80211_HTOP*
macros designed to operate on frame elements can be used directly to read
or set the fields.

Populate nodes with HT information received in probe responses, probe
requests, and association requests.

ok deraadt mpi phessler kettenis guenther


# 1.89 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


Revision tags: OPENBSD_5_8_BASE
# 1.88 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.87 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.86 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.85 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rndvar.h. ok deraadt dlg


# 1.84 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.83 12-Sep-2014 sthen

Remove cached 802.11 nodes in IEEE80211_STA_CACHE state (these are nodes
which have been seen but which haven't otherwise interacted with us), fixing
a problem where old cached nodes are seen when doing a scan.
From Marcin Piotr Pawlowski, feedback stsp@ ok kspillner@ dcoppa@


# 1.82 08-Aug-2014 jasper

use nitems() instead of various local constructs

ok stsp@


Revision tags: OPENBSD_5_6_BASE
# 1.81 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


Revision tags: OPENBSD_5_5_BASE
# 1.80 01-Dec-2013 stsp

Reset txrate array index after changing a node's rate list.
Should prevent "bogus xmit rate %d setup" panics, which I ran into again
in IBSS mode.
ok kettenis


# 1.79 21-Nov-2013 mpi

Remove unneeded include.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.78 24-Mar-2013 claudio

Make ieee80211_set_tim() available from outside of ieee80211_node.c
so drivers like acx(4) can use that function directly instead of
reimplementing the function again. Requested by kettenis@ a long time ago.


Revision tags: OPENBSD_5_3_BASE
# 1.77 07-Nov-2012 stsp

Fix DPRINTF() format string treating n->ni_refcnt, which is unsigned, as signed.
diff from dhill; ok kettenis reyk


# 1.76 10-Oct-2012 kettenis

Clear the powersave flag and purge queued packets when a node leaves the AP
(either by disassociating or by timeout). Fixes (most) remaining issues with
power saving.

From Nathanael Rensen.

ok claudio@, krw@, sthen@


# 1.75 05-Oct-2012 camield

Point an interface directly to its bridgeport configuration, instead
of to the bridge itself. This is ok, since an interface can only be part
of one bridge, and the parent bridge is easy to find from the bridgeport.

This way we can get rid of a lot of list walks, improving performance
and shortening the code.

ok henning stsp sthen reyk


# 1.74 20-Sep-2012 stsp

Nuke M_80211_NODE #define which mapped to M_DEVBUF and use M_DEVBUF directly.
ok henning


# 1.73 25-Aug-2012 kettenis

Set up ni_savedq for the initial BSS node such that it can actually be used
to store multicast frames when one of the associated stations is in power
saving mode.

ok stsp@


# 1.72 17-Aug-2012 stsp

Fix possible panic while switching from STA mode into hostap/ibss modes.
ieee80211_create_ibss() resets the set of supported rates but failed
to update the index into the rate set array accordingly. If the rate
configured during STA operation didn't belong to the newly configured
rate set the system ran into an assertion ("bogus xmit rate %u setup")
while trying to create the IBSS.
ok fgsch@


Revision tags: OPENBSD_5_2_BASE
# 1.71 18-Jul-2012 stsp

Print messages about nodes purged from the node cache if hostap/ibss modes are
compiled in and the interface is in debug mode. ok sthen


# 1.70 16-Jul-2012 stsp

Move increment of ic_nnodes closer to where the node is actually inserted
into the cache. Make sure we're at IPL_NET while incrementing/decrementing
ic_nnodes. Add a debug message that warns about possible node leaks.
All of this affects hostap mode only.


# 1.69 13-Jul-2012 stsp

Tweak node cache eviction strategy when the cache is full: kick off new nodes
in AUTH state that weren't active during the cache wait interval rather than
keeping them for the entire cache timeout interval. Fixes association failures
in noisy RF environments. Tested by edd and myself with a slow soekris
suffering from RF noise with about 50 interrupts per second on ral0.
ok deraadt


Revision tags: OPENBSD_5_1_BASE
# 1.68 25-Jan-2012 stsp

There is no need to explicitly skip ic_bss when iterating over cached nodes.
The ic_bss is never put into the RB tree.


# 1.67 25-Jan-2012 stsp

Clean inactive authenticated nodes during cache timeout as well.
There is no need to keep nodes cached which never associated and were
inactive within the last 5 minutes or more. Keeps the node cache pretty
clean in my environment with typical city-center wlan noise.


# 1.66 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@

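The eviction policy described in the 1.67 and 1.66 messages above, as an added example (not OpenBSD's code): a node is inactive after 5 minutes without traffic, the periodic cleanup evicts inactive nodes that never associated (CACHE or AUTH state), and when the cache is full a CACHE node (active or not) or an inactive AUTH/ASSOC node is evicted to make room. The tiny cache size, the constructed clock values and the names (ncache, cache_periodic_clean, cache_make_room) are assumptions made for this example.

```c
#include <stdio.h>
#include <stdint.h>

#define INACT_SECS  (5 * 60)  /* inactive after 5 minutes without traffic */
#define CACHE_MAX   4         /* constructed: tiny cache */

enum nstate { ST_CACHE, ST_AUTH, ST_ASSOC };

struct cnode {
	int         valid;      /* slot in use */
	enum nstate state;
	uint32_t    last_seen;  /* seconds on a constructed clock */
};

struct ncache {
	struct cnode n[CACHE_MAX];
};

static int
node_inactive(const struct cnode *ni, uint32_t now)
{
	return now - ni->last_seen >= INACT_SECS;
}

/* Hourly cleanup: evict inactive nodes which never associated
 * (CACHE state per 1.66, AUTH state added by 1.67). Returns the count. */
static int
cache_periodic_clean(struct ncache *nc, uint32_t now)
{
	int freed = 0;
	for (int i = 0; i < CACHE_MAX; i++) {
		struct cnode *ni = &nc->n[i];
		if (ni->valid && ni->state != ST_ASSOC && node_inactive(ni, now)) {
			ni->valid = 0;
			freed++;
		}
	}
	return freed;
}

/* Room for a new node: a free slot first; otherwise evict any CACHE node
 * (active or not), otherwise an inactive AUTH/ASSOC node. -1 if nothing
 * can be evicted. */
static int
cache_make_room(struct ncache *nc, uint32_t now)
{
	for (int i = 0; i < CACHE_MAX; i++)
		if (!nc->n[i].valid)
			return i;
	for (int i = 0; i < CACHE_MAX; i++)
		if (nc->n[i].state == ST_CACHE) {
			nc->n[i].valid = 0;
			return i;
		}
	for (int i = 0; i < CACHE_MAX; i++)
		if (node_inactive(&nc->n[i], now)) {
			nc->n[i].valid = 0;
			return i;
		}
	return -1;
}

/* Constructed population, observed at now = 1000 s. */
static void
cache_populate(struct ncache *nc)
{
	nc->n[0] = (struct cnode){ 1, ST_ASSOC, 990 };  /* associated, active */
	nc->n[1] = (struct cnode){ 1, ST_AUTH,  500 };  /* authenticated, idle 500 s */
	nc->n[2] = (struct cnode){ 1, ST_CACHE, 995 };  /* scanner, active */
	nc->n[3] = (struct cnode){ 1, ST_CACHE, 100 };  /* scanner, idle 900 s */
}

/* Number of nodes the periodic cleanup frees from the constructed cache. */
static int
demo_periodic(void)
{
	struct ncache nc;
	cache_populate(&nc);
	return cache_periodic_clean(&nc, 1000);
}

/* Slot handed out when the cache is full and no cleanup has run yet:
 * the first CACHE node goes, even though it is active. */
static int
demo_make_room_full(void)
{
	struct ncache nc;
	cache_populate(&nc);
	return cache_make_room(&nc, 1000);
}

/* Same cache with no CACHE nodes left: only the idle AUTH node is evictable. */
static int
demo_make_room_no_cache_nodes(void)
{
	struct ncache nc;
	cache_populate(&nc);
	nc.n[2].state = ST_ASSOC;
	nc.n[3].state = ST_ASSOC;
	nc.n[3].last_seen = 999;
	return cache_make_room(&nc, 1000);
}

int
main(void)
{
	printf("periodic cleanup frees %d nodes\n", demo_periodic());
	printf("full cache: evicted slot %d\n", demo_make_room_full());
	printf("no CACHE nodes: evicted slot %d\n", demo_make_room_no_cache_nodes());
	return 0;
}
```

The two paths differ on purpose: the periodic pass never touches associated stations, while the make-room path may evict an idle associated station because, as 1.66 says, room must be made for the newcomer.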

# 1.65 21-Jan-2012 stsp

Hold interrupts blocked while comparing a cached node's refcount to zero
and freeing the node. Just in case an interrupt happens to ref the node after
the refcount was checked but before the node is freed.
Tested by several as part of a larger diff.


# 1.64 18-Jan-2012 stsp

Make it possible to free cached nodes which never associated (e.g. nodes
only scanning for networks). These were never put into COLLECT state and
were thus never evicted from the node cache in hostap mode.
ok jsg@


Revision tags: OPENBSD_5_0_BASE
# 1.63 28-Mar-2011 kettenis

Clean nodes until the number of cached nodes is smaller than the maximum number
of nodes, otherwise we'll never actually clean any nodes. Fixes issues with
clients failing to attach because the node cache is completely filled.

ok damien@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.62 07-Aug-2010 krw

No "\n" needed at the end of panic() strings.

Bogus chunks pointed out by matthew@ and miod@. No cookies for
marco@ and jasper@.

ok deraadt@ miod@ matthew@ jasper@ macro@


# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


# 1.60 19-Jun-2010 damien

In ieee80211_node_leave(), clear the associd after calling
ieee80211_node_leave_rsn() since ieee80211_node_leave_rsn()
calls ic_delete_key() and drivers like ral(4) RT2860 need
a valid associd in their delete_key callbacks.
This affects HostAP mode only.

from Nathanael Rensen.

remove a useless (nested) #ifndef IEEE80211_STA_ONLY while i'm here


# 1.59 14-Jun-2010 damien

fix my previous commit, i forgot BIP, so instead of enumerating
what is not supported as a group cipher, enumerate what is supported.


# 1.58 14-Jun-2010 damien

do not try to associate with an AP using an unsupported group cipher,
otherwise we will panic in ieee80211_add_rsn_body().

this may be the cause of a panic seen by reyk@ though i'm not 100% sure.


# 1.57 28-Mar-2010 krw

Four uses of uninitialized variables found by clang via jsg@. ar5416, ar9287
and athn are only theoretically interesting. ieee80211_node fixes a real
bug in occupied channel detection.

ok damien@


Revision tags: OPENBSD_4_7_BASE
# 1.56 17-Feb-2010 damien

Do not always create a new node when a beacon or a probe response
is received. The creation of a new node is already handled in
ieee80211_recv_probe_resp() when necessary.
This avoids creating empty nodes with wrong channels when beacons
are received on the wrong channel (overlapping channels).
Those empty nodes may also prevent the real node from being
discovered because of ieee80211_find_node_for_beacon() filtering.

This should prevent entries of the form:
nwid "" chan 3 bssid 00:01:02:03:04:05 0dB 54M
in "ifconfig if0 scan" output, like reported by Rivo Nurges.


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.55 29-Jan-2009 damien

fix a panic that occurs when IEEE80211_STA_ONLY is defined (SMALL_KERNEL).

noticed by ray@, more investigation from sthen@
fix tested by sthen@


# 1.54 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.53 28-Jan-2009 damien

In ieee80211_find_node(), roll our own RB_FIND() based on the key (macaddr)
instead of resorting to horrid hacks/casts.
Restore the ieee80211_node structure back to its original state.


# 1.52 27-Jan-2009 damien

unbreak SMALL_KERNEL builds by adding missing #ifndef IEEE80211_STA_ONLY

pointed out by krw@


# 1.51 26-Jan-2009 damien

move ni_macaddr field at the top of the ieee80211_node structure.
this way we can avoid putting a full node structure (which is huge)
on the stack in ieee80211_find_node().
this is a bit tricky but the RB_FIND macro wants an "elem" structure,
not a field of "elem".


# 1.50 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.49 14-Dec-2008 damien

Add an ieee80211_notify_dtim() function that drivers should call after
every DTIM in HostAP mode.
Flushes all group addressed MSDUs buffered at the AP for power management.


# 1.48 23-Oct-2008 mk

Prevent a crash in ieee80211_setkeys() when unplugging an interface in
hostap mode by canceling the group rekey timeout in ieee80211_node_detach().

ok damien


# 1.47 15-Oct-2008 blambert

Second pass of simple timeout_add -> timeout_add_sec conversions
This should take care of the simpler ones (i.e., timeout values of
integer multiples of hz).

ok krw@, art@


# 1.46 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.45 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.44 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.43 12-Aug-2008 damien

new SHA-256 based AKMPs.


# 1.42 12-Aug-2008 damien

add/process group integrity cipher suite in RSN IEs.
add support for MFP negotiation during association.


# 1.41 12-Aug-2008 damien

the only integrity group cipher currently supported is AES-128-CMAC.


# 1.40 12-Aug-2008 damien

generate a random IGTK in HostAP mode if we're MFP-capable.


# 1.39 12-Aug-2008 damien

get rid of the map_ptk()/map_gtk() functions, just inline them
which makes things easier to track.


Revision tags: OPENBSD_4_4_BASE
# 1.38 02-Aug-2008 damien

Drop frames that are received unencrypted when WEP is on or when
WPA is on and RX protection for TA is on.
Keep track of the TX/RX protection for each node when WPA is on.

tested by djm@ (ral+wpa), ckuethe@ (ath-noenc) and krw@ (wpi<->ral+wpa).
hints from bluhm@
has been in snaps for a few days.

pointed out by bluhm@ something like 1 year ago but we did not have
the right infrastructure to fix it properly at that time.

ok deraadt@


# 1.37 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.36 27-Jul-2008 damien

s/IEEE80211_DPRINTF/DPRINTF/
automatically prepend __func__ to output.

deobfuscates debug messages a bit.
no binary change unless compiled with IEEE80211_DEBUG.


# 1.35 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.34 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


# 1.33 21-Apr-2008 damien

move ieee80211_ibss_merge() from ieee80211_input.c to ieee80211_node.c


# 1.32 21-Apr-2008 damien

move ieee80211_auth_open() to ieee80211_proto.c
move ieee80211_setup_rates() to ieee80211_node.c
move some prototypes from ieee80211_proto.h to ieee80211_crypto.h


# 1.31 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.30 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.29 07-Sep-2007 damien

use new malloc M_ZERO flag + replace MALLOC with malloc


Revision tags: OPENBSD_4_2_BASE
# 1.28 06-Jul-2007 damien

remove remaining bits for pre-RSNA shared authmode support.
it has been #if 0'd since 3.9 and we have never supported this mode (no
ifconfig option etc...).


# 1.27 06-Jul-2007 damien

initialize an uninitialized variable.


# 1.26 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.25 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.24 16-Jun-2007 damien

constify


# 1.23 16-Jun-2007 damien

don't mix u_int{8,16,32}_t and uint{8,16,32}_t
use u_int{8,16,32}_t everywhere.


# 1.22 16-Jun-2007 damien

de-static

ok jsg@


# 1.21 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.20 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


# 1.19 10-Apr-2007 miod

``it's'' -> ``its'' when the grammar gods require this change.


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 13-Nov-2006 damien

fix a possible NULL deref.


Revision tags: OPENBSD_4_0_BASE
# 1.16 19-Jun-2006 reyk

unbreak the code if compiled with IEEE80211_DEBUG by using the right
node attribute.

ok damien@, figured out by claudio@


# 1.15 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.14 19-Feb-2006 damien

Fix a comment in ieee80211_next_scan().


# 1.13 09-Oct-2005 reyk

if the wireless hostap interface belongs to a bridge, learn the node's
address dynamically on this interface after successful association.
this could speed wireless roaming to openbsd accesspoints.

ok jason@, jsg@ can't see anything objectionable


# 1.12 07-Oct-2005 reyk

minor knf


# 1.11 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.10 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.9 08-Sep-2005 jsg

Remove the last of the FreeBSD compatibility goop.
ok reyk@


# 1.8 08-Sep-2005 jsg

Remove FreeBSD if_printf compat function from net80211.
ok reyk@


# 1.7 08-Sep-2005 reyk

reset the scan state for each new mode

ok jsg@


# 1.6 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.5 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.4 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.3 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.2 02-Nov-2004 millert

Don't call memset() if MALLOC returns NULL; also fix the rcs ID.
From Patrick Latifi; OK reyk@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.162 01-Mar-2019 stsp

Improve handling of HT protection for 'mode 11n' hostap.

Consider the mere presence of HTCAP IEs as indicator of 11n support,
rather than checking advertised Rx MCS. Fixes some devices being
misclassified as 11a/g, causing HT protection to be enabled even
though it is not needed.

Use CTS-to-self frames for HT protection instead of RTS/CTS.

These changes make my athn(4) AR9280 hostap perform much better.

ok phessler@


# 1.161 23-Jan-2019 stsp

Move 802.11n rateset definitions out of MiRA and make them available to
net80211 and drivers in general. Add ratesets for 'short guard interval'
(SGI) rates, and add SGI support to MiRA. SGI is currently only used by
iwm(4), and of course internally by bwfm(4) firmware.
Ratesets for 11n 40 MHz channels and 11ac will come later.
ok mpi@ phessler@


# 1.160 18-Jan-2019 phessler

add a len field when we delete an essid from the joinlist. this will have
us properly match, instead of hoping we got lucky when selecting it.

OK stsp@


# 1.159 18-Jan-2019 phessler

let users automatically use join to connect to any open wifi network.
if a known network is visible, always prefer that instead.

requested by many, OK stsp@


# 1.158 25-Nov-2018 phessler

print more details about the join'd networks we have saved when a user runs
ifconfig if joinlist

OK stsp@


# 1.157 20-Nov-2018 phessler

fix whitespace in debugging function


# 1.156 20-Nov-2018 patrick

The first packet received from each AP in each QoS class would be
dropped as the sequence number matches the initial value of the
cached last sequence number (zero). On some APs (notably Android
WIFI hotspots) this hits the first packet of the WPA2 4-way
handshake. This causes connection delays and in some cases
connection to the AP fails completely. Initialize the cached last
sequence numbers for received packets to an invalid value instead.

From Christian Ehrhardt
ok gerhard@ stsp@

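The duplicate-detection defect described in the 1.156 message, as an added example (not OpenBSD's code): a per-TID "last sequence number" cache compared against each incoming frame. Initialising it to zero makes the first frame that carries sequence number 0 look like a retransmission; initialising it to a value outside the 12-bit sequence space fixes that. The trace of frames is constructed, and the names (seq_cache, seq_is_dup, count_drops) are assumptions made for this example.

```c
#include <stdio.h>
#include <stdint.h>

#define NTIDS       16        /* 802.11 QoS traffic identifiers 0..15 */
#define SEQ_INVALID 0xffffU   /* outside the 12-bit sequence number space */

struct seq_cache {
	uint16_t last_seq[NTIDS];  /* last sequence number seen per TID */
};

/* The pre-1.156 behaviour modelled here: a zero-filled cache means a first
 * frame carrying sequence number 0 looks like a retransmission. */
static void
seq_cache_init_buggy(struct seq_cache *sc)
{
	for (int i = 0; i < NTIDS; i++)
		sc->last_seq[i] = 0;
}

/* The fix: start from a value no frame can carry. */
static void
seq_cache_init(struct seq_cache *sc)
{
	for (int i = 0; i < NTIDS; i++)
		sc->last_seq[i] = SEQ_INVALID;
}

/* Sequence control is 16 bits: low 4 bits fragment number, high 12 bits
 * sequence number. */
static uint16_t
seqctl_to_seq(uint16_t seqctl)
{
	return (seqctl >> 4) & 0x0fff;
}

/* 1 if the frame repeats the last sequence number seen on this TID (drop),
 * 0 otherwise (accept and remember). */
static int
seq_is_dup(struct seq_cache *sc, unsigned tid, uint16_t seqctl)
{
	uint16_t seq = seqctl_to_seq(seqctl);

	if (tid >= NTIDS)
		return 0;
	if (sc->last_seq[tid] == seq)
		return 1;
	sc->last_seq[tid] = seq;
	return 0;
}

struct frame {
	unsigned tid;
	uint16_t seqctl;
};

/* Constructed trace: the first QoS frame from an AP after association
 * (e.g. message 1 of the 4-way handshake) carries sequence number 0. */
static const struct frame trace[] = {
	{ 0, 0x0000 },  /* TID 0, seq 0: first frame, must be accepted */
	{ 0, 0x0010 },  /* TID 0, seq 1 */
	{ 0, 0x0010 },  /* TID 0, seq 1 again: a real retransmission */
	{ 6, 0x0000 },  /* TID 6, seq 0: first frame on another TID */
};
#define NFRAMES (sizeof(trace) / sizeof(trace[0]))

static int
count_drops(struct seq_cache *sc)
{
	int drops = 0;
	for (size_t i = 0; i < NFRAMES; i++)
		drops += seq_is_dup(sc, trace[i].tid, trace[i].seqctl);
	return drops;
}

/* Drops over the trace with a zero-initialised cache (the first frame on
 * each TID is lost) versus the fixed initialiser (only the retransmission). */
static int
drops_with_buggy_init(void)
{
	struct seq_cache sc;
	seq_cache_init_buggy(&sc);
	return count_drops(&sc);
}

static int
drops_with_fixed_init(void)
{
	struct seq_cache sc;
	seq_cache_init(&sc);
	return count_drops(&sc);
}

int
main(void)
{
	printf("zero-initialised cache drops %d of %zu frames\n",
	    drops_with_buggy_init(), NFRAMES);
	printf("fixed cache drops %d of %zu frames\n",
	    drops_with_fixed_init(), NFRAMES);
	return 0;
}
```

Losing the first handshake frame is what produced the connection delays in the message: the station only recovers when the AP retransmits it, and not every AP does.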

# 1.155 27-Oct-2018 phessler

pass around the ess and ni structures we plan to use directly, instead
of rediscovering them (possibly badly).

OK stsp@


# 1.154 27-Oct-2018 phessler

clean up accounting of the AUTO_JOIN flag by making sure it is set or cleared
based on the state of the joinlist

OK stsp@


# 1.153 27-Oct-2018 phessler

don't join to a network where we expect cleartext, and the AP is using crypto

OK stsp@


Revision tags: OPENBSD_6_4_BASE
# 1.152 18-Sep-2018 mestre

fix memory leak in ieee80211_end_scan()

OK phessler@ jsg@


# 1.151 17-Sep-2018 jsg

fix memory leaks in ieee80211_add_ess()
ok stsp@ phessler@


# 1.150 11-Sep-2018 phessler

use the format string for signed ints, for signed ints

reminded by stsp@


# 1.149 11-Sep-2018 phessler

With the interface debug flag enabled, print a "score" for each AP we
consider during auto-join. This can help users determine why a specific
network was chosen.

OK stsp@


# 1.148 10-Sep-2018 phessler

fix typo in the length of the essid we want to switch to

found with and OK stsp@


# 1.147 10-Sep-2018 phessler

extract clearing WEP/WPA in ess into helper functions


# 1.146 10-Sep-2018 phessler

give set_ess a len variable, so we can correctly match the essid we want
to switch to.

pointed out by stsp@


# 1.145 09-Sep-2018 phessler

convert the things we save in 'join' into a single ioctl. mixing related
settings over multiple calls was risky and racy. Pass essid, wpa, and wep
parameters in a single ioctl and process it atomically.

no change for 'nwid' users

OK stsp@ benno@


# 1.144 06-Sep-2018 jsg

fix whitespace


# 1.143 01-Sep-2018 stsp

Make 'ifconfig nwid' override 'ifconfig join'.

There was no way to override a decision made by join's network
selection algorithm (apart from disabling the feature by clearing
the join list). Automatic selection is based on heuristics which
cannot always guess correctly so we need to provide an override.

One specific problem was that if 'nwid foo' and 'nwid bar' were
both visible in the scan and only 'nwid foo' was a member of the
join list, then there was no way at all to connect to 'nwid bar'.
The wireless stack would keep selecting 'nwid foo' instead.

'ifconfig iwm0 nwid bar' command will now disable automatic
network selection and force the use of ESSID 'bar'.
Any of these commands will re-enable automatic network selection:
ifconfig iwm0 -nwid
ifconfig iwm0 nwid ''
ifconfig iwm0 join some-network-id

ok phessler@ deraadt@


# 1.142 15-Aug-2018 stsp

Update AP selection heuristics for auto-join.

We now prefer stronger crypto over weaker crypto over none, prefer 5 GHz
band with reasonable RSSI, and use RSSI as a tie-breaker with a slight
advantage for 5GHz. Candidate APs are now ranked by a score which is
calculated based on these attributes.

There is likely room for improvements to make these heuristics
work well across many different environments, but it's a start.

ok phessler@

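A ranking function in the spirit of the auto-join heuristics in the 1.142 message, as an added example (not OpenBSD's code): stronger crypto beats weaker crypto beats none, 5 GHz with reasonable RSSI beats 2 GHz, and RSSI breaks ties with a slight 5 GHz edge. The weights, the RSSI threshold, the constructed scan results and the names (ess_score, ess_select) are assumptions made for this example and not the values net80211 uses.

```c
#include <stdio.h>

enum ess_crypto { CRYPTO_NONE = 0, CRYPTO_WEP = 1, CRYPTO_WPA1 = 2, CRYPTO_WPA2 = 3 };

struct ess_candidate {
	const char     *essid;
	enum ess_crypto crypto;
	int             band_5ghz;  /* 1 if the AP is on a 5 GHz channel */
	int             rssi;       /* 0..100, as a driver reporting a percentage would */
};

/* All four constants are assumptions for this example, not net80211's values. */
#define RSSI_5GHZ_MIN  50    /* "reasonable" RSSI for preferring the 5 GHz band */
#define CRYPTO_WEIGHT  1000  /* crypto class outranks everything else */
#define BAND_WEIGHT    200   /* 5 GHz with good signal outranks any 2 GHz RSSI */
#define BAND_TIEBREAK  5     /* slight 5 GHz edge when RSSI decides */

/* Higher is better. Ordering: crypto strength first, then 5 GHz with
 * reasonable RSSI, then RSSI itself with a small 5 GHz bonus. */
static int
ess_score(const struct ess_candidate *c)
{
	int score = (int)c->crypto * CRYPTO_WEIGHT;

	if (c->band_5ghz && c->rssi >= RSSI_5GHZ_MIN)
		score += BAND_WEIGHT;
	score += c->rssi;
	if (c->band_5ghz)
		score += BAND_TIEBREAK;
	return score;
}

/* Index of the best candidate, or -1 for an empty list. */
static int
ess_select(const struct ess_candidate *cands, int n)
{
	int best = -1, best_score = -1;

	for (int i = 0; i < n; i++) {
		int s = ess_score(&cands[i]);
		if (s > best_score) {
			best_score = s;
			best = i;
		}
	}
	return best;
}

/* Constructed scan result: an open hotspot with a strong signal, the same
 * "home" network on both bands, and a legacy WPA1 AP with the best RSSI. */
static const struct ess_candidate scan[] = {
	{ "cafe", CRYPTO_NONE, 0, 95 },
	{ "home", CRYPTO_WPA2, 0, 80 },
	{ "home", CRYPTO_WPA2, 1, 60 },
	{ "home", CRYPTO_WPA1, 1, 90 },
};
#define NSCAN ((int)(sizeof(scan) / sizeof(scan[0])))

/* Same "home" network, but the 5 GHz AP is too weak to be preferred. */
static const struct ess_candidate scan_weak5[] = {
	{ "home", CRYPTO_WPA2, 0, 80 },
	{ "home", CRYPTO_WPA2, 1, 30 },
};
#define NSCAN_WEAK5 ((int)(sizeof(scan_weak5) / sizeof(scan_weak5[0])))

static int
select_demo(void)
{
	return ess_select(scan, NSCAN);
}

static int
select_weak5_demo(void)
{
	return ess_select(scan_weak5, NSCAN_WEAK5);
}

int
main(void)
{
	for (int i = 0; i < NSCAN; i++)
		printf("%-5s crypto=%d 5ghz=%d rssi=%3d score=%d\n", scan[i].essid,
		    scan[i].crypto, scan[i].band_5ghz, scan[i].rssi,
		    ess_score(&scan[i]));
	printf("selected index %d (%s)\n", select_demo(), scan[select_demo()].essid);
	printf("weak 5 GHz case selects index %d\n", select_weak5_demo());
	return 0;
}
```

The weights are chosen so that the tiers cannot bleed into each other: the largest possible contribution from band and RSSI (305) stays below one crypto step (1000), and the 5 GHz band bonus (200) stays above any RSSI value, so a weak 5 GHz AP loses to a strong 2 GHz AP on the same network.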

# 1.141 13-Aug-2018 stsp

Add support for band-steering access points to net80211.

Some access points have a feature called "band steering" where they
will try to push clients from 2 GHz channels to 5 GHz channels.
If a client sends probe-requests on both 2 GHz and 5GHz channels, and
then attempts to authenticate on a 2 GHz channel, such APs will deny
authentication and hope that the client will come back on a 5 GHz channel.

So if we fail to AUTH for any reason, and if there is a different
AP with the same ESSID that we haven't tried yet, try that AP next.
Keep trying until no APs are left, and only then continue scanning.

APs with support for this feature were provided by Mischa Peters.

ok phessler@ mpi@


# 1.140 11-Aug-2018 stsp

Add comment explaining why we read basic MCS set only from beacon/probereq.
requested by mpi@


# 1.139 07-Aug-2018 stsp

Ignore basic MCS set information found in association responses.

Some APs (Aruba 105) send a bogus basic MCS set in assoc responses
which prevents us from enabling 11n support with those APs, while
these APs still behave as if we were an 11n client which renders
the association unusable.

The basic MCS set is already provided in beacons anyway, and the
802.11 2012 standard says the basic MCS set is reserved in frames
other than beacons (see Table 8-130).

ok mpi@


# 1.138 06-Aug-2018 stsp

Refactor ieee80211_add_ess():

Drop ieee80211_add_ess's nwid parameter. Read nwid and length directly
from the ic to make it more obvious where this function is reading from.

nwids are binary data with an explicit length, so treat them as such
instead of treating them like strings.

ok florian phessler


# 1.137 06-Aug-2018 florian

Do not set nwid over and over again. We just found the ess by comparing
the nwid. It will not have changed in the meantime.
OK stsp


# 1.136 03-Aug-2018 phessler

revert 1.133 and part of 1.131
the stack doesn't always fill in the parameters correctly

reported by many


# 1.135 30-Jul-2018 stsp

Don't ask drivers to join a wifi network before an AP has been chosen.
Should fix a panic with bwfm(4) reported by mlarkin@
ok phessler@


# 1.134 19-Jul-2018 florian

ieee80211_ess_is_better() returns 0 or 1, comparing > 1 is always
false so we always selected the first wifi available, not the best
one.

While here shuffle some deck chairs to make it clearer that anything is
better than nothing.

tweak & OK phessler


# 1.133 16-Jul-2018 phessler

the AP sends their crypto parameters as a mask, so let us still select it
in case we want WPA2 and they have WPA1 still enabled


# 1.132 16-Jul-2018 phessler

don't save or use auto-join when the card is not in station (aka client) mode

OK stsp@


# 1.131 13-Jul-2018 phessler

Some more checks before auto-join switches networks.

Make sure all of the crypto options the AP announces match what we
would configure. While here, don't switch if the user has specified
a specific BSSID, and the new AP does not match.

OK stsp@
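
The selection rules stated in 1.142 (stronger crypto first, then 5 GHz with a reasonable signal, then RSSI as tie-breaker), the integer-compare bug noted in 1.134, and the "crypto parameters are a mask" check from 1.133/1.131 can be shown together. The following is an added example written for this page, not OpenBSD's net80211 code: the struct, function names, score weights and the 50% threshold are assumptions chosen for illustration, and the scan result is constructed.

```c
/*
 * Added example, not OpenBSD's net80211 code: rank candidate APs the way
 * 1.142 describes (crypto, then band, then RSSI), applying the crypto mask
 * check of 1.131/1.133 first.  Names, weights and the 50% threshold are
 * assumptions chosen for illustration.
 */
#include <stddef.h>

#define CRYPTO_NONE  0x00
#define CRYPTO_WEP   0x01
#define CRYPTO_WPA1  0x02
#define CRYPTO_WPA2  0x04

struct candidate {
	const char *label;      /* for the reader only */
	unsigned crypto;        /* mask of CRYPTO_* the AP announces */
	int band5ghz;           /* 1 if the AP is on a 5 GHz channel */
	int rssi_pct;           /* RSSI normalized to 0..100 */
};

/*
 * The AP announces its protocols as a mask (1.133), so a client configured
 * for WPA2 may still pick an AP running WPA1+WPA2 mixed mode, but never an
 * AP that offers none of the protocols we would configure (1.131).
 */
static int
crypto_acceptable(unsigned ap_mask, unsigned want_mask)
{
	if (want_mask == CRYPTO_NONE)
		return ap_mask == CRYPTO_NONE;
	return (ap_mask & want_mask) != 0;
}

/* Strongest protocol in the mask: WPA2 > WPA1 > WEP > none. */
static int
crypto_rank(unsigned mask)
{
	if (mask & CRYPTO_WPA2) return 3;
	if (mask & CRYPTO_WPA1) return 2;
	if (mask & CRYPTO_WEP)  return 1;
	return 0;
}

#define RSSI_5GHZ_MIN_PCT 50

/*
 * Crypto dominates; a 5 GHz bonus applies only when the 5 GHz signal is
 * reasonable; RSSI breaks ties, with a slight 5 GHz advantage.  Returning
 * an integer score (not a 0/1 "is better" flag, cf. 1.134) lets the
 * caller compare candidates with a plain '>'.
 */
static int
candidate_score(const struct candidate *c)
{
	int score = crypto_rank(c->crypto) * 1000;

	if (c->band5ghz && c->rssi_pct >= RSSI_5GHZ_MIN_PCT)
		score += 200;
	score += c->rssi_pct;
	if (c->band5ghz)
		score += 5;
	return score;
}

/* Index of the best acceptable candidate, or -1 if none qualifies. */
static int
select_ap(const struct candidate *cands, size_t n, unsigned want_mask)
{
	int best = -1, best_score = -1;
	size_t i;

	for (i = 0; i < n; i++) {
		int s;

		if (!crypto_acceptable(cands[i].crypto, want_mask))
			continue;
		s = candidate_score(&cands[i]);
		if (s > best_score) {
			best_score = s;
			best = (int)i;
		}
	}
	return best;
}

/* Constructed scan result used for demonstration. */
static const struct candidate scan_results[] = {
	{ "open-2g",      CRYPTO_NONE,               0, 90 },
	{ "wep-2g",       CRYPTO_WEP,                0, 80 },
	{ "wpa1-5g",      CRYPTO_WPA1,               1, 70 },
	{ "mixed-2g",     CRYPTO_WPA1 | CRYPTO_WPA2, 0, 75 },
	{ "wpa2-5g-weak", CRYPTO_WPA2,               1, 30 },
	{ "wpa2-5g-good", CRYPTO_WPA2,               1, 55 },
};
#define NSCAN (sizeof(scan_results) / sizeof(scan_results[0]))
```

With WPA2 requested, "wpa2-5g-good" (55%) wins over the stronger "mixed-2g" (75%) because it is on 5 GHz with a reasonable signal, while "wpa2-5g-weak" (30%) loses to the 2 GHz AP; with WPA1 requested the mixed-mode AP is still selected because its mask contains WPA1 and WPA2 ranks higher.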


# 1.130 11-Jul-2018 phessler

Introduce 'auto-join' to the wifi 802.11 stack.

This allows a system to remember which ESSIDs it wants to connect to, any
relevant security configuration, and switch to it when the network we are
currently connected to is no longer available.

Works when connecting and switching between WPA2/WPA1/WEP/clear encryptions.

example hostname.if:
join home wpakey password
join work wpakey mekmitasdigoat
join open-lounge
join cafe wpakey cafe2018
join "wepnetwork" nwkey "12345"
dhcp
inet6 autoconf
up

OK stsp@ reyk@
and enthusiasm from every hackroom I've been in for the last 3 years


# 1.129 28-Apr-2018 stsp

When starting a background scan, free the nodes table to ensure we
get an up-to-date view of APs around us. In particular, we need to
kick out the AP we are associated to. Otherwise, our current AP might
stay cached if it is turned off while we are scanning, and we could
end up picking a now non-existent but "good looking" AP over and over.

found with and ok phessler@


# 1.128 27-Apr-2018 stsp

Fix the scan loop: We were only looking for an AP once and stopped
scanning if none was found.
Accidentally broken in recent ifconfig scan changes by pirofti and me.
ok pirofti


# 1.127 26-Apr-2018 pirofti

net80211: stub SIOCS80211SCAN, make ifconfig scan instant.

The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stsp@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.

The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.

In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.

The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...

Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.

Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).

Tested by mpi@, landry@, florian@, thanks!
OK mpi@.


Revision tags: OPENBSD_6_3_BASE
# 1.126 06-Feb-2018 phessler

convert the test if a node supports HT (aka, 11n) into an inline function,
instead of testing some un-obvious bitfield

OK stsp@


# 1.125 12-Dec-2017 stsp

Don't dereference IEEE80211_CHAN_ANYC pointer in ieee80211_node_checkrssi().

Problem reported by Gregoire Jadi on bugs@


# 1.124 12-Dec-2017 phessler

Allow interfaces that aren't SCANNALLBAND drivers to benefit from the
strongest received signal.

OK stsp@


# 1.123 12-Dec-2017 jcs

Fix the behavior of preferring weaker-but-still-good 5GHz APs over
2GHz APs because the 5GHz band is generally less saturated.

The previous implementation was dependent upon the order of walking
APs.

ok stsp


# 1.122 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


Revision tags: OPENBSD_6_2_BASE
# 1.121 05-Sep-2017 stsp

When starting a new scan always set the mode to AUTO if the driver scans
all bands at once. Fixes a problem where e.g. 5GHz APs were filtered out
if we were previously associated to an 11g-only AP.
ok mpi@ phessler@


# 1.120 17-Aug-2017 stsp

Add an entry to dmesg if pairwise WPA keys arrive unexpectedly or if WPA
group keys are being reused. OpenBSD wireless clients will now leave a
trail of such events in their message log.

There has been increased public scrutiny of WPA's security recently, so
I am curious to see if anyone is attempting replay attacks in the wild.

ok deraadt
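
The two conditions 1.120 logs, a group key being reused and a pairwise key arriving unexpectedly, come down to comparing incoming EAPOL-Key material against what is already installed, after the mandatory replay-counter check. The following is an added example for this page, not OpenBSD's net80211 code: it returns an event code the caller would print to the message log, it treats "unexpected pairwise key" as a 4-way handshake message 3 arriving after the PTK is already installed (an interpretation of the commit message, not something the page states), and all names, the key layout and the sample keys are assumptions or constructed.

```c
/*
 * Added example, not OpenBSD's net80211 code: supplicant-side checks of
 * the kind 1.120 describes, returning an event code the caller would log.
 * Names, the key layout and the constructed exchange are assumptions.
 */
#include <stdint.h>
#include <string.h>

#define GTK_MAX_LEN 32

struct gtk_state {
	int installed;              /* 1 once a group key has been installed */
	uint8_t kid;                /* key index (1..3) */
	uint8_t key[GTK_MAX_LEN];
	size_t len;
};

struct ptk_state {
	int installed;              /* 1 once the pairwise key is in the driver */
};

enum key_event {
	KEY_OK = 0,
	KEY_GTK_REUSED,             /* same key id and key bytes as installed */
	KEY_PTK_UNEXPECTED,         /* 4-way message 3 after the PTK was installed */
	KEY_REPLAYED                /* EAPOL-Key replay counter did not increase */
};

/* 802.11i: drop EAPOL-Key frames whose counter is not greater than the last. */
static int
replay_ok(uint64_t last_seen, uint64_t incoming)
{
	return incoming > last_seen;
}

/*
 * A group key handshake message 1 (or the GTK KDE in 4-way message 3)
 * delivered a GTK.  Receiving a key identical to the installed one is what
 * 1.120 leaves a trace of in the log.
 */
static enum key_event
check_group_key(struct gtk_state *cur, uint64_t *last_replay,
    uint64_t replay, uint8_t kid, const uint8_t *key, size_t len)
{
	if (!replay_ok(*last_replay, replay))
		return KEY_REPLAYED;
	*last_replay = replay;

	if (cur->installed && cur->kid == kid && cur->len == len &&
	    memcmp(cur->key, key, len) == 0)
		return KEY_GTK_REUSED;

	cur->installed = 1;
	cur->kid = kid;
	cur->len = len;
	memcpy(cur->key, key, len);
	return KEY_OK;
}

/* 4-way handshake message 3 arrived. */
static enum key_event
check_pairwise_msg3(struct ptk_state *ptk, uint64_t *last_replay, uint64_t replay)
{
	if (!replay_ok(*last_replay, replay))
		return KEY_REPLAYED;
	*last_replay = replay;

	if (ptk->installed)
		return KEY_PTK_UNEXPECTED;   /* handshake already completed */
	ptk->installed = 1;
	return KEY_OK;
}

/* Constructed exchange: install, retransmit the same GTK, replay, fresh key. */
static int
demo_sequence(void)
{
	static const uint8_t gtk1[16] = { 0x11, 0x22, 0x33 };
	static const uint8_t gtk2[16] = { 0x44, 0x55, 0x66 };
	struct gtk_state g = { 0 };
	struct ptk_state p = { 0 };
	uint64_t rc = 0;
	int events = 0;

	if (check_pairwise_msg3(&p, &rc, 1) == KEY_OK) events |= 1;
	if (check_group_key(&g, &rc, 2, 1, gtk1, 16) == KEY_OK) events |= 2;
	if (check_group_key(&g, &rc, 3, 1, gtk1, 16) == KEY_GTK_REUSED) events |= 4;
	if (check_group_key(&g, &rc, 3, 1, gtk2, 16) == KEY_REPLAYED) events |= 8;
	if (check_pairwise_msg3(&p, &rc, 4) == KEY_PTK_UNEXPECTED) events |= 16;
	if (check_group_key(&g, &rc, 5, 2, gtk2, 16) == KEY_OK) events |= 32;
	return events;      /* 63 when every check fires as intended */
}
```

The replay counter is shared between the pairwise and group handshakes here because both run under the same PTK; a retransmitted message 3 with a higher counter is therefore the case that reaches the KEY_PTK_UNEXPECTED branch rather than being dropped as a replay.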


# 1.119 04-Aug-2017 stsp

Compile a debug printf in ieee80211_match_bss() by default, previously
guarded by the IEEE80211_DEBUG preprocessor flag. This shows one line
per detected AP after a scan, and indicates which APs are considered
candidates for association.
Shorten the output a bit to fit into 80 columns more likely.
ok sthen@


# 1.118 19-Jul-2017 stsp

Improve the heuristic which selects 5GHz APs over 2GHz APs.

The previous code wasn't quite right: it didn't account for the fact that
some drivers don't set ic_max_rssi, and it compared 5GHz APs to a threshold
relative to the max RSSI, rather than comparing RSSI on 5GHz relative to
RSSI on 2GHz.

This heuristic is only used by SCANNALLBAND drivers: iwn(4), iwm(4), wpi(4)

In the future the AP selection heuristic should be made more intelligent,
e.g. it should take BSS load information in beacons into account.
Another open problem is inconsistent representation of RSSI measurement
values throughout our drivers and stack. Help is welcome!

For now, this hopefully improves AP selection at busy airports.

ok sthen@ deraadt@


# 1.117 04-Jun-2017 tb

Add sizes for free for the RSN IEs. Rewrite ieee80211_save_ie() slightly
to make it more readable.

help, many explanations and ok stsp


# 1.116 03-Jun-2017 tb

Add a few sizes to free().

Input, help & ok stsp


Revision tags: OPENBSD_6_1_BASE
# 1.115 04-Mar-2017 stsp

branches: 1.115.4;
In 11n hostap mode, dynamically adjust HT protection settings based on
the presence of non-HT nodes in the node cache.
OpenBSD 11n APs will now disable HT protection if it is not necessary.
ok mpi@


# 1.114 03-Feb-2017 stsp

Fix 11b clients sending bogus ratesets in association requests. The common
rateset with the AP is calculated only after the association response was
received, which is too late. Fix rates when an AP is selected after a scan.
ok mpi@ tb@


# 1.113 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.112 16-Jan-2017 stsp

Reset block ack state and cancel related timeouts when a HT node disassociates.
The existing code (from damien@) already took care of freeing related buffers
but because block ack state was not reset we were still trying to use these
buffers if the node sent another A-MPDU. This problem only affects 11n hostap.
Fixes kernel crash reported by Timo Myyra on bugs@


# 1.111 09-Jan-2017 stsp

When a HT node leaves or reassociates as a non-HT node,
clear HT capabilities stored in its node cache object.

A node may switch from 11n mode to 11a/b/g mode.
If we don't clear HT capabilities from the cache the node will
be mistaken as 11n-capable after reassociation.

ok phessler@ mpi@


# 1.110 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.109 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.108 09-Jan-2017 stsp

The point of ieee80211_node_leave() is to place the node in COLLECT state.
Return early and do nothing if the node is already in COLLECT state upon
entry to this function.


# 1.107 09-Jan-2017 stsp

When acting as hostap, negotiate HT before calling the driver's ic_newassoc()
function, not afterwards. Drivers now know whether a joining node supports HT
which helps with setting up state such as which Tx rate to use.


# 1.106 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@
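
The fix in 1.106 replaces a flag that was never cleared with a timed outage. The following is an added example for this page, not OpenBSD's net80211 code: the trigger (a second MIC failure within 60 seconds) is the 802.11 standard's TKIP countermeasures rule, the 60 second base plus up to 60 seconds of random extra time (120 seconds total) is the behaviour the commit message describes, and the struct and function names are assumptions. The random component is passed in as a parameter so the example runs deterministically; the kernel would draw it from arc4random_uniform().

```c
/*
 * Added example, not OpenBSD's net80211 code: a TKIP countermeasures timer
 * with the 1.106 behaviour.  The trigger (second MIC failure within 60 s)
 * is the rule from the 802.11 standard; the 60 s outage plus a random
 * extra of up to 60 s (120 s total) is what 1.106 describes.  Names are
 * assumptions.
 */
#include <stdint.h>
#include <string.h>

#define TKIP_MIC_WINDOW_S   60   /* second failure within this window triggers */
#define TKIP_CM_BASE_S      60   /* outage length required by the standard */
#define TKIP_CM_EXTRA_MAX_S 60   /* 1.106's random addition, at most */

struct tkip_cm_state {
	int have_failure;           /* a first MIC failure is on record */
	uint64_t last_mic_failure;  /* its time, in seconds */
	int active;                 /* countermeasures in force */
	uint64_t disabled_until;    /* end of the outage, in seconds */
};

/*
 * Record a MIC failure seen at 'now'.  'extra' is the random component; the
 * kernel would draw it from arc4random_uniform(TKIP_CM_EXTRA_MAX_S + 1), it
 * is a parameter here so the example is deterministic.  Returns 1 when
 * countermeasures start: the AP deauthenticates all STAs and refuses TKIP
 * associations until disabled_until.
 */
static int
tkip_mic_failure(struct tkip_cm_state *s, uint64_t now, unsigned extra)
{
	if (extra > TKIP_CM_EXTRA_MAX_S)
		extra = TKIP_CM_EXTRA_MAX_S;

	if (s->have_failure && now - s->last_mic_failure < TKIP_MIC_WINDOW_S) {
		s->active = 1;
		s->disabled_until = now + TKIP_CM_BASE_S + extra;
		s->have_failure = 0;    /* count afresh after the outage */
		return 1;
	}
	s->have_failure = 1;
	s->last_mic_failure = now;
	return 0;
}

/*
 * Per-request (or timer) check.  The pre-1.106 code set a flag and never
 * cleared it, so the AP stayed down until reboot; comparing against
 * disabled_until is what ends the outage.  Returns 1 if TKIP associations
 * may be accepted at 'now'.
 */
static int
tkip_assoc_allowed(struct tkip_cm_state *s, uint64_t now)
{
	if (s->active && now >= s->disabled_until)
		s->active = 0;
	return !s->active;
}

/* Does a second failure at 'second' trigger, given a first one at 'first'? */
static int
triggers(uint64_t first, uint64_t second)
{
	struct tkip_cm_state s;

	memset(&s, 0, sizeof(s));
	tkip_mic_failure(&s, first, 0);
	return tkip_mic_failure(&s, second, 0);
}

/* Constructed timeline: failures at t=100 s and t=130 s, extra = 17 s. */
static int
demo_timeline(void)
{
	struct tkip_cm_state s;
	int ok = 1;

	memset(&s, 0, sizeof(s));
	ok &= tkip_mic_failure(&s, 100, 17) == 0;      /* first failure: armed */
	ok &= tkip_assoc_allowed(&s, 101) == 1;
	ok &= tkip_mic_failure(&s, 130, 17) == 1;      /* 30 s later: trigger */
	ok &= tkip_assoc_allowed(&s, 131) == 0;
	ok &= tkip_assoc_allowed(&s, 206) == 0;        /* 130 + 60 + 17 - 1 */
	ok &= tkip_assoc_allowed(&s, 207) == 1;        /* outage over */
	ok &= s.disabled_until == 207;
	return ok;
}
```

Two failures exactly 60 seconds apart do not trigger (the window is strict), and the first failure is forgotten once countermeasures have run, so a single stray MIC failure after the outage does not immediately restart it.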


# 1.105 15-Sep-2016 dlg

move from RB macros to the RBT functions.

shaves about 5k off an amd64 GENERIC.MP kernel


# 1.104 17-Aug-2016 stsp

If a wireless device or driver scans all bands at once give 5GHz APs
a slight priority in cases where good matches exist in either band.
ok sthen@


Revision tags: OPENBSD_6_0_BASE
# 1.103 21-May-2016 stsp

branches: 1.103.2;
Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


# 1.102 18-May-2016 stsp

In hostap mode, don't re-use association IDs (AIDs) of nodes which are
still lingering in the node cache. This could cause an AID to be assigned
twice, once to a newly associated node and once to a different node in
COLLECT cache state (i.e. marked for future eviction from the node cache).

Drivers (e.g. rt2860) may use AIDs to keep track of nodes in firmware
tables and get confused when AIDs aren't unique across the node cache.
The symptom observed with rt2860 were nodes stuck at 1 Mbps Tx rate since
the duplicate AID made the driver perform Tx rate (AMRR) accounting on
the wrong node object.

To find out if a node is associated we now check the node's cache state,
rather than comparing the node's AID against zero. An AID is assigned when
a node associates and it lasts until the node is eventually purged from the
node cache (previously, the AID was made available for re-use when the node
was placed in COLLECT state). There is no need to be stingy with AIDs since
the number of possible AIDs exceeds the maximum number of nodes in the cache.

Problem found by Nathanael Rensen.
Fix written by Nathanael and myself. Tested by Nathanael.
Committing now to get this change tested across as many drivers as possible.


# 1.101 12-Apr-2016 mpi

Call if_enqueue() and if_start() instead of dereferencing the ifp
pointers.

These functions have been introduced to abstract some of the MP-
safeness^Wmadness and should be use everywhere.

Prodded by a comment from jsg@.

ok mikeb@, stsp@


# 1.100 03-Mar-2016 gerhard

Restore assignment of ic_curmode that was accidentally removed when
moving the ERP code to post-assoc phase. Fixes iwi(4) fatal firmware
errors.

ok stsp@, sobrado@


Revision tags: OPENBSD_5_9_BASE
# 1.99 25-Jan-2016 stsp

branches: 1.99.2;
Honour ERP protection on 2 GHz channels in 11n mode, as done for 11g.
ok millert@


# 1.98 25-Jan-2016 stsp

Don't try to interpret htprot data if the last beacon didn't contain such data.
ok mpi@ millert@


# 1.97 07-Jan-2016 stsp

Make the A-MPDU reordering buffer more resilient against APs which drop
some subframes or let the sequence number jump up by more than 1 (hard
to tell which it is). We decrease the BA inactivity timeout for quicker
recovery from stalled BA sessions, and add a new timeout which keeps track
of gaps in the subframe sequence number space due to dropped frames.
Gaps expire after 500 msec, the same value FreeBSD uses for their
implementation of this workaround. And Linux uses this trick, too.

This should fix network stalls some people have been seeing in 11n mode.

ok deraadt@
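
The stall 1.97 fixes happens when a subframe is never delivered: everything behind the hole sits in the reordering buffer until the BA session times out. The following is an added example for this page, not OpenBSD's net80211 code: a receive-side reorder window that counts frames released to the upper layer instead of passing mbufs, with a gap timer that gives up on a missing sequence number after 500 ms (the value in the commit message). Names, the 64-frame window size and the scenario are assumptions or constructed.

```c
/*
 * Added example, not OpenBSD's net80211 code: A-MPDU reorder window with
 * the 1.97 gap timeout.  Counts released frames instead of passing mbufs.
 * Names and the 64-frame window are assumptions; 500 ms is from 1.97.
 */
#include <stdint.h>
#include <string.h>

#define BA_WINSZ          64      /* reorder window, in subframes */
#define SEQ_MOD           4096    /* 12-bit sequence numbers */
#define BA_GAP_TIMEOUT_MS 500     /* a gap this old is treated as lost */

struct ba_rx {
	uint16_t head;              /* lowest sequence number not yet delivered */
	uint8_t present[BA_WINSZ];  /* slot sn % BA_WINSZ holds a buffered frame */
	int buffered;               /* frames currently held */
	int gap_pending;            /* head missing while later frames wait */
	uint64_t gap_since_ms;      /* when that gap first appeared */
};

/* a - b with 12-bit wraparound, in [-2048, 2047]. */
static int
seq_diff(uint16_t a, uint16_t b)
{
	int d = (int)((unsigned)(a - b) & (SEQ_MOD - 1));
	return d >= SEQ_MOD / 2 ? d - SEQ_MOD : d;
}

/* Deliver consecutive frames from head, then start or stop the gap clock.
 * Returns how many frames were delivered. */
static int
ba_flush(struct ba_rx *s, uint64_t now_ms)
{
	int n = 0;
	while (s->buffered > 0 && s->present[s->head % BA_WINSZ]) {
		s->present[s->head % BA_WINSZ] = 0;
		s->buffered--;
		s->head = (s->head + 1) & (SEQ_MOD - 1);
		n++;
	}
	if (s->buffered == 0)
		s->gap_pending = 0;         /* nothing waiting behind a hole */
	else if (!s->gap_pending) {
		s->gap_pending = 1;         /* head is missing: start the clock */
		s->gap_since_ms = now_ms;
	}
	return n;
}

/* A subframe with sequence number sn arrived; returns frames released. */
static int
ba_input(struct ba_rx *s, uint16_t sn, uint64_t now_ms)
{
	int off = seq_diff(sn, s->head), released = 0, idx;
	if (off < 0)
		return 0;               /* behind the window: old or duplicate */
	/* Sequence jumped past the window (1.97's "jump by more than 1"):
	 * slide head so sn is the last slot, releasing what lies below. */
	for (off -= BA_WINSZ - 1; off > 0; off--) {
		idx = s->head % BA_WINSZ;
		if (s->present[idx]) {
			s->present[idx] = 0;
			s->buffered--;
			released++;
		}
		s->head = (s->head + 1) & (SEQ_MOD - 1);
	}
	idx = sn % BA_WINSZ;
	if (!s->present[idx]) {
		s->present[idx] = 1;
		s->buffered++;
	}
	return released + ba_flush(s, now_ms);
}

/* Timer callback: give up on a gap older than BA_GAP_TIMEOUT_MS. */
static int
ba_gap_timeout(struct ba_rx *s, uint64_t now_ms)
{
	if (!s->gap_pending || now_ms - s->gap_since_ms < BA_GAP_TIMEOUT_MS)
		return 0;
	while (s->buffered > 0 && !s->present[s->head % BA_WINSZ])
		s->head = (s->head + 1) & (SEQ_MOD - 1);   /* skip lost subframes */
	s->gap_pending = 0;             /* a later hole gets a fresh clock */
	return ba_flush(s, now_ms);
}

/* Constructed scenario: the AP drops subframe 11, then 12..14 arrive and
 * nothing else follows.  Returns the frames the timer eventually releases. */
static int
demo_stall_recovery(void)
{
	struct ba_rx s;
	int n;
	memset(&s, 0, sizeof(s));
	s.head = 10;
	n = ba_input(&s, 10, 0);                               /* delivered at once */
	n += ba_input(&s, 12, 5) + ba_input(&s, 13, 6) + ba_input(&s, 14, 7);
	if (n != 1 || s.buffered != 3 || ba_gap_timeout(&s, 400) != 0)
		return -1;                                         /* 395 ms: too early */
	n = ba_gap_timeout(&s, 505);                           /* 500 ms: expire */
	return (s.head == 15 && s.buffered == 0) ? n : -2;
}
```

Without ba_gap_timeout() the three buffered frames in the scenario would never move, which is the stall users saw; with it, the window advances past sequence number 11 after half a second and the session continues. Frames behind the window (seq_diff() negative) are dropped as duplicates, which is why the 12-bit wraparound in seq_diff() matters once the counter passes 4095.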


# 1.96 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.95 04-Jan-2016 stsp

While configuring ERP we need to know if we're in 11a or 11g mode so only
configure ERP once we are sure about our operation mode against the AP.
ok sthen jasper kettenis deraadt mpi


# 1.94 18-Dec-2015 sthen

unnoccupied->unoccupied


# 1.93 12-Dec-2015 stsp

Finish support for receiving 11n A-MPDUs.

The initial implementation was added by damien@ years ago.
Summary of the changes made in this commit:
- In ieee80211_input(), process A-MPDUs before duplicate detection.
- Don't forget to set ba->ba_ni in ieee80211_recv_addba_req()
so we don't crash in ieee80211_rx_ba_timeout().
- In ieee80211_recv_addba_req(), tweak the logic to deny BlockAck
requests if the driver has no callback for doing so.
- Implement ieee80211_ba_del() which cleans up BlockAck state.
- Increase the minimum and maximum lifetime for BlockAck agreements.

ok mpi@


# 1.92 24-Nov-2015 mpi

No need to include <net/if_arp.h>

This header is only needed because <netinet/if_ether.h> declares a
structure that needs it. But it turns out that <net/if.h> already
includes it as workaround.

A proper solution would be to stop declaring "struct ether_arp"
there. But no driver should need this header.


# 1.91 15-Nov-2015 stsp

Parse 11n HT capabilities and operational info from association response
frames, negotiate HT with the AP, and move the interface into or out of
11n mode accordingly. If running as AP negotiate HT with nodes joining the BSS.

ok deraadt mpi kettenis guenther


# 1.90 15-Nov-2015 stsp

Extend struct ieee80211_node with fields for 11n STA HT capabilities and
HT operational information sent by 11n APs. These fields reflect the structure
of elements in management frames so that IEEE80211_HTCAP* and IEEE80211_HTOP*
macros designed to operate on frame elements can be used directly to read
or set the fields.

Populate nodes with HT information received in probe responses, probe
requests, and association requests.

ok deraadt mpi phessler kettenis guenther


# 1.89 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


Revision tags: OPENBSD_5_8_BASE
# 1.88 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.87 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.86 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.85 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.84 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.83 12-Sep-2014 sthen

Remove cached 802.11 nodes in IEEE80211_STA_CACHE state (these are nodes
which have been seen but which haven't otherwise interacted with us), fixing
a problem where old cached nodes are seen when doing a scan.
From Marcin Piotr Pawlowski, feedback stsp@ ok kspillner@ dcoppa@


# 1.82 08-Aug-2014 jasper

use nitems() instead of various local constructs

ok stsp@


Revision tags: OPENBSD_5_6_BASE
# 1.81 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


Revision tags: OPENBSD_5_5_BASE
# 1.80 01-Dec-2013 stsp

Reset txrate array index after changing a node's rate list.
Should prevent "bogus xmit rate %d setup" panics, which I ran into again
in IBSS mode.
ok kettenis


# 1.79 21-Nov-2013 mpi

Remove unneeded include.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.78 24-Mar-2013 claudio

Make ieee80211_set_tim() available from outside of ieee80211_node.c
so drivers like acx(4) can use that function directly instead of
reimplementing the function again. Requested by kettenis@ long time ago.


Revision tags: OPENBSD_5_3_BASE
# 1.77 07-Nov-2012 stsp

Fix DPRINTF() format string treating n->ni_refcnt, which is unsigned, as signed.
diff from dhill; ok kettenis reyk


# 1.76 10-Oct-2012 kettenis

Clear the powersave flag and purge queued packets when a node leaves the AP
(either by disassociating or by timeout). Fixes (most) remaining issues with
power saving.

From Nathanael Rensen.

ok claudio@, krw@, sthen@


# 1.75 05-Oct-2012 camield

Point an interface directly to its bridgeport configuration, instead
of to the bridge itself. This is ok, since an interface can only be part
of one bridge, and the parent bridge is easy to find from the bridgeport.

This way we can get rid of a lot of list walks, improving performance
and shortening the code.

ok henning stsp sthen reyk


# 1.74 20-Sep-2012 stsp

Nuke M_80211_NODE #define which mapped to M_DEVBUF and use M_DEVBUF directly.
ok henning


# 1.73 25-Aug-2012 kettenis

Set up ni_savedq for the initial BSS node such that it can actually be used
to store multicast frames when one of the associated stations is in power
saving mode.

ok stsp@


# 1.72 17-Aug-2012 stsp

Fix possible panic while switching from STA mode into hostap/ibss modes.
ieee80211_create_ibss() resets the set of supported rates but failed
to update the index into the rate set array accordingly. If the rate
configured during STA operation didn't belong to the newly configured
rate set the system ran into an assertion ("bogus xmit rate %u setup")
while trying to create the IBSS.
ok fgsch@


Revision tags: OPENBSD_5_2_BASE
# 1.71 18-Jul-2012 stsp

Print messages about nodes purged from the node cache if hostap/ibss modes are
compiled in and the interface is in debug mode. ok sthen


# 1.70 16-Jul-2012 stsp

Move increment of ic_nnodes closer to where the node is actually inserted
into the cache. Make sure we're at IPL_NET while incrementing/decrementing
ic_nnodes. Add a debug message that warns about possible node leaks.
All of this affects hostap mode only.


# 1.69 13-Jul-2012 stsp

Tweak node cache eviction strategy when the cache is full: kick off new nodes
in AUTH state that weren't active during the cache wait interval rather than
keeping them for the entire cache timeout interval. Fixes association failures
in noisy RF environments. Tested by edd and myself with a slow soekris
suffering from RF noise with about 50 interrupts per second on ral0.
ok deraadt


Revision tags: OPENBSD_5_1_BASE
# 1.68 25-Jan-2012 stsp

There is no need to explicitly skip ic_bss when iterating over cached nodes.
The ic_bss is never put into the RB tree.


# 1.67 25-Jan-2012 stsp

Clean inactive authenticated nodes during cache timeout as well.
There is no need to keep nodes cached which never associated and were
inactive within the last 5 minutes or more. Keeps the node cache pretty
clean in my environment with typical city-center wlan noise.


# 1.66 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@


# 1.65 21-Jan-2012 stsp

Hold interrupts blocked while comparing a cached node's refcount to zero
and freeing the node. Just in case an interrupt happens to ref the node after
the refcount was checked but before the node is freed.
Tested by several as part of a larger diff.


# 1.64 18-Jan-2012 stsp

Make it possible to free cached nodes which never associated (e.g. nodes
only scanning for networks). These were never put into COLLECT state and
were thus never evicted from the node cache in hostap mode.
ok jsg@


Revision tags: OPENBSD_5_0_BASE
# 1.63 28-Mar-2011 kettenis

Clean nodes until the number of cached nodes is smaller than the maximum number
of nodes, otherwise we'll never actually clean any nodes. Fixes issues with
clients failing to attach because the node cache is completely filled.

ok damien@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.62 07-Aug-2010 krw

No "\n" needed at the end of panic() strings.

Bogus chunks pointed out by matthew@ and miod@. No cookies for
marco@ and jasper@.

ok deraadt@ miod@ matthew@ jasper@ marco@


# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


# 1.60 19-Jun-2010 damien

In ieee80211_node_leave(), clear the associd after calling
ieee80211_node_leave_rsn() since ieee80211_node_leave_rsn()
calls ic_delete_key() and drivers like ral(4) RT2860 need
a valid associd in their delete_key callbacks.
This affects HostAP mode only.

from Nathanael Rensen.

remove a useless (nested) #ifndef IEEE80211_STA_ONLY while i'm here


# 1.59 14-Jun-2010 damien

fix my previous commit, i forgot BIP, so instead of enumerating
what is not supported as a group cipher, enumerate what is supported.


# 1.58 14-Jun-2010 damien

do not try to associate with an AP using an unsupported group cipher,
otherwise we will panic in ieee80211_add_rsn_body().

this may be the cause of a panic seen by reyk@ though i'm not 100% sure.


# 1.57 28-Mar-2010 krw

Four uses of uninitialized variables found by clang via jsg@. ar5416, ar9287
and athn are only theoretically interesting. ieee80211_node fixes a real
bug in occupied channel detection.

ok damien@


Revision tags: OPENBSD_4_7_BASE
# 1.56 17-Feb-2010 damien

Do not always create a new node when a beacon or a probe response
is received. The creation of a new node is already handled in
ieee80211_recv_probe_resp() when necessary.
This avoids creating empty nodes with wrong channels when beacons
are received on the wrong channel (overlapping channels).
Those empty nodes may also prevent the real node from being
discovered because of ieee80211_find_node_for_beacon() filtering.

This should prevent entries of the form:
nwid "" chan 3 bssid 00:01:02:03:04:05 0dB 54M
in "ifconfig if0 scan" output, like reported by Rivo Nurges.


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.55 29-Jan-2009 damien

fix a panic that occurs when IEEE80211_STA_ONLY is defined (SMALL_KERNEL).

noticed by ray@, more investigation from sthen@
fix tested by sthen@


# 1.54 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.53 28-Jan-2009 damien

In ieee80211_find_node(), roll our own RB_FIND() based on the key (macaddr)
instead of resorting to horrid hacks/casts.
Restore the ieee80211_node structure back to its original state.


# 1.52 27-Jan-2009 damien

unbreak SMALL_KERNEL builds by adding missing #ifndef IEEE80211_STA_ONLY

pointed out by krw@


# 1.51 26-Jan-2009 damien

move ni_macaddr field at the top of the ieee80211_node structure.
this way we can avoid putting a full node structure (which is huge)
on the stack in ieee80211_find_node().
this is a bit tricky but the RB_FIND macro wants an "elem" structure,
not a field of "elem".


# 1.50 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.49 14-Dec-2008 damien

Add an ieee80211_notify_dtim() function that drivers should call after
every DTIM in HostAP mode.
Flushes all group addressed MSDUs buffered at the AP for power management.


# 1.48 23-Oct-2008 mk

Prevent a crash in ieee80211_setkeys() when unplugging an interface in
hostap mode by canceling the group rekey timeout in ieee80211_node_detach().

ok damien


# 1.47 15-Oct-2008 blambert

Second pass of simple timeout_add -> timeout_add_sec conversions
This should take care of the simpler ones (i.e., timeout values of
integer multiples of hz).

ok krw@, art@


# 1.46 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.45 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.44 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.43 12-Aug-2008 damien

new SHA-256 based AKMPs.


# 1.42 12-Aug-2008 damien

add/process group integrity cipher suite in RSN IEs.
add support for MFP negotiation during association.


# 1.41 12-Aug-2008 damien

the only integrity group cipher currently supported is AES-128-CMAC.


# 1.40 12-Aug-2008 damien

generate a random IGTK in HostAP mode if we're MFP-capable.


# 1.39 12-Aug-2008 damien

get rid of the map_ptk()/map_gtk() functions, just inline them
which makes things easier to track.


Revision tags: OPENBSD_4_4_BASE
# 1.38 02-Aug-2008 damien

Drop frames that are received unencrypted when WEP is on or when
WPA is on and RX protection for TA is on.
Keep track of the TX/RX protection for each node when WPA is on.

tested by djm@ (ral+wpa), ckuethe@ (ath-noenc) and krw@ (wpi<->ral+wpa).
hints from bluhm@
has been in snaps for a few days.

pointed out by bluhm@ something like 1 year ago but we did not have
the right infrastructure to fix it properly at that time.

ok deraadt@


# 1.37 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.36 27-Jul-2008 damien

s/IEEE80211_DPRINTF/DPRINTF/
automatically prepend __func__ to output.

deobfuscates debug messages a bit.
no binary change unless compiled with IEEE80211_DEBUG.


# 1.35 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.34 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


# 1.33 21-Apr-2008 damien

move ieee80211_ibss_merge() from ieee80211_input.c to ieee80211_node.c


# 1.32 21-Apr-2008 damien

move ieee80211_auth_open() to ieee80211_proto.c
move ieee80211_setup_rates() to ieee80211_node.c
move some prototypes from ieee80211_proto.h to ieee80211_crypto.h


# 1.31 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.30 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.29 07-Sep-2007 damien

use new malloc M_ZERO flag + replace MALLOC with malloc


Revision tags: OPENBSD_4_2_BASE
# 1.28 06-Jul-2007 damien

remove remaining bits for pre-RSNA shared authmode support.
it has been #if 0'd since 3.9 and we have never supported this mode (no
ifconfig option etc...).


# 1.27 06-Jul-2007 damien

initialize an uninitialized variable.


# 1.26 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.25 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.24 16-Jun-2007 damien

constify


# 1.23 16-Jun-2007 damien

don't mix u_int{8,16,32}_t and uint{8,16,32}_t
use u_int{8,16,32}_t everywhere.


# 1.22 16-Jun-2007 damien

de-static

ok jsg@


# 1.21 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.20 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


# 1.19 10-Apr-2007 miod

``it's'' -> ``its'' when the grammar gods require this change.


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 13-Nov-2006 damien

fix a possible NULL deref.


Revision tags: OPENBSD_4_0_BASE
# 1.16 19-Jun-2006 reyk

unbreak the code if compiled with IEEE80211_DEBUG by using the right
node attribute.

ok damien@, figured out by claudio@


# 1.15 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.14 19-Feb-2006 damien

Fix a comment in ieee80211_next_scan().


# 1.13 09-Oct-2005 reyk

if the wireless hostap interface belongs to a bridge, learn the node's
address dynamically on this interface after successful association.
this could speed wireless roaming to openbsd accesspoints.

ok jason@, jsg@ can't see anything objectionable


# 1.12 07-Oct-2005 reyk

minor knf


# 1.11 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.10 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.9 08-Sep-2005 jsg

Remove the last of the FreeBSD compatibility goop.
ok reyk@


# 1.8 08-Sep-2005 jsg

Remove FreeBSD if_printf compat function from net80211.
ok reyk@


# 1.7 08-Sep-2005 reyk

reset the scan state for each new mode

ok jsg@


# 1.6 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.5 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.4 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.3 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.2 02-Nov-2004 millert

Don't call memset() if MALLOC returns NULL; also fix the rcs ID.
From Patrick Latifi; OK reyk@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.161 23-Jan-2019 stsp

Move 802.11n rateset definitions out of MiRA and make them available to
net80211 and drivers in general. Add ratesets for 'short guard interval'
(SGI) rates, and add SGI support to MiRA. SGI is currently only used by
iwm(4), and of course internally by bwfm(4) firmware.
Ratesets for 11n 40 MHz channels and 11ac will come later.
ok mpi@ phessler@


# 1.160 18-Jan-2019 phessler

add a len field when we delete an essid from the joinlist. this will have
us properly match, instead of hoping we got lucky when selecting it.

OK stsp@


# 1.159 18-Jan-2019 phessler

let users automatically use join to connect to any open wifi network.
if a known network is visible, always prefer that instead.

requested by many, OK stsp@


# 1.158 25-Nov-2018 phessler

print more details about the join'd networks we have saved when a user runs
ifconfig if joinlist

OK stsp@


# 1.157 20-Nov-2018 phessler

fix whitespace in debugging function


# 1.156 20-Nov-2018 patrick

The first packet received from each AP in each QoS class would be
dropped as the sequence number matches the initial value of the
cached last sequence number (zero). On some APs (notably Android
WIFI hotspots) this hits the first packet of the WPA2 4-way
handshake. This causes connection delays and in some cases
connection to the AP fails completely. Initialize the cached last
sequence numbers for received packets to an invalid value instead.

From Christian Ehrhardt
ok gerhard@ stsp@


# 1.155 27-Oct-2018 phessler

pass around the ess and ni structures we plan to use directly, instead
of rediscovering them (possibly badly).

OK stsp@


# 1.154 27-Oct-2018 phessler

clean up accounting of the AUTO_JOIN flag by making sure it is set or cleared
based on the state of the joinlist

OK stsp@


# 1.153 27-Oct-2018 phessler

don't join to a network where we expect cleartext, and the AP is using crypto

OK stsp@


Revision tags: OPENBSD_6_4_BASE
# 1.152 18-Sep-2018 mestre

fix memory leak in ieee80211_end_scan()

OK phessler@ jsg@


# 1.151 17-Sep-2018 jsg

fix memory leaks in ieee80211_add_ess()
ok stsp@ phessler@


# 1.150 11-Sep-2018 phessler

use the format string for signed ints, for signed ints

reminded by stsp@


# 1.149 11-Sep-2018 phessler

With the interface debug flag enabled, print a "score" for each AP we
consider during auto-join. This can help users determine why a specific
network was chosen.

OK stsp@


# 1.148 10-Sep-2018 phessler

fix typo in the length of the essid we want to switch to

found with and OK stsp@


# 1.147 10-Sep-2018 phessler

extract clearing WEP/WPA in ess into helper functions


# 1.146 10-Sep-2018 phessler

give set_ess a len variable, so we can correctly match the essid we want
to switch to.

pointed out by stsp@


# 1.145 09-Sep-2018 phessler

convert the things we save in 'join' into a single ioctl. mixing related
settings over multiple calls was risky and racy. Pass essid, wpa, and wep
parameters in a single ioctl and process it atomically.

no change for 'nwid' users

OK stsp@ benno@


# 1.144 06-Sep-2018 jsg

fix whitespace


# 1.143 01-Sep-2018 stsp

Make 'ifconfig nwid' override 'ifconfig join'.

There was no way to override a decision made by join's network
selection algorithm (apart from disabling the feature by clearing
the join list). Automatic selection is based on heuristics which
cannot always guess correctly so we need to provide an override.

One specific problem was that if 'nwid foo' and 'nwid bar' were
both visible in the scan and only 'nwid foo' was a member of the
join list, then there was no way at all to connect to 'nwid bar'.
The wireless stack would keep selecting 'nwid foo' instead.

'ifconfig iwm0 nwid bar' command will now disable automatic
network selection and force the use of ESSID 'bar'.
Any of these commands will re-enable automatic network selection:
ifconfig iwm0 -nwid
ifconfig iwm0 nwid ''
ifconfig iwm0 join some-network-id

ok phessler@ deraadt@


# 1.142 15-Aug-2018 stsp

Update AP selection heuristics for auto-join.

We now prefer stronger crypto over weaker crypto over none, prefer 5 GHz
band with reasonable RSSI, and use RSSI as a tie-breaker with a slight
advantage for 5GHz. Candidate APs are now ranked by a score which is
calculated based on these attributes.

There is likely room for improvements to make these heuristics
work well across many different environments, but it's a start.

ok phessler@


# 1.141 13-Aug-2018 stsp

Add support for band-steering access points to net80211.

Some access points have a feature called "band steering" where they
will try to push clients from 2 GHz channels to 5 GHz channels.
If a client sends probe-requests on both 2 GHz and 5GHz channels, and
then attempts to authenticate on a 2 GHz channel, such APs will deny
authentication and hope that the client will come back on a 5 GHz channel.

So if we fail to AUTH for any reason, and if there is a different
AP with the same ESSID that we haven't tried yet, try that AP next.
Keep trying until no APs are left, and only then continue scanning.

APs with support for this feature were provided by Mischa Peters.

ok phessler@ mpi@


# 1.140 11-Aug-2018 stsp

Add comment explaining why we read basic MCS set only from beacon/probereq.
requested by mpi@


# 1.139 07-Aug-2018 stsp

Ignore basic MCS set information found in association responses.

Some APs (Aruba 105) send a bogus basic MCS set in assoc responses
which prevents us from enabling 11n support with those APs, while
these APs still behave as if we were an 11n client which renders
the association unusable.

The basic MCS set is already provided in beacons anyway, and the
802.11 2012 standard says the basic MCS set is reserved in frames
other than beacons (see Table 8-130).

ok mpi@


# 1.138 06-Aug-2018 stsp

Refactor ieee80211_add_ess():

Drop ieee80211_add_ess's nwid parameter. Read nwid and length directly
from the ic to make it more obvious where this function is reading from.

nwids are binary data with an explicit length, so treat them as such
instead of treating them like strings.

ok florian phessler


# 1.137 06-Aug-2018 florian

Do not set nwid over and over again. We just found the ess by comparing
the nwid. It will not have changed in the meantime.
OK stsp


# 1.136 03-Aug-2018 phessler

revert 1.133 and part of 1.131
the stack doesn't always fill in the parameters correctly

reported by many


# 1.135 30-Jul-2018 stsp

Don't ask drivers to join a wifi network before an AP has been chosen.
Should fix a panic with bwfm(4) reported by mlarkin@
ok phessler@


# 1.134 19-Jul-2018 florian

ieee80211_ess_is_better() returns 0 or 1, comparing > 1 is always
false so we always selected the first wifi available, not the best
one.

While here shuffle some deck chairs to make it clearer that anything is
better than nothing.

tweak & OK phessler


# 1.133 16-Jul-2018 phessler

the AP sends their crypto parameters as a mask, so let us still select it
in case we want WPA2 and they have WPA1 still enabled


# 1.132 16-Jul-2018 phessler

don't save or use auto-join when the card is not in station (aka client) mode

OK stsp@


# 1.131 13-Jul-2018 phessler

Some more checks before auto-join switches networks.

Make sure all of the crypto options the AP announces matches what we
would configure. While here, don't switch if the user has specified
a specific BSSID, and the new AP does not match.

OK stsp@


# 1.130 11-Jul-2018 phessler

Introduce 'auto-join' to the wifi 802.11 stack.

This allows a system to remember which ESSIDs it wants to connect to, any
relevant security configuration, and switch to it when the network we are
currently connected to is no longer available.

Works when connecting and switching between WPA2/WPA1/WEP/clear encryptions.

example hostname.if:
join home wpakey password
join work wpakey mekmitasdigoat
join open-lounge
join cafe wpakey cafe2018
join "wepnetwork" nwkey "12345"
dhcp
inet6 autoconf
up

OK stsp@ reyk@
and enthusiasm from every hackroom I've been in for the last 3 years


# 1.129 28-Apr-2018 stsp

When starting a background scan, free the nodes table to ensure we
get an up-to-date view of APs around us. In particular, we need to
kick out the AP we are associated to. Otherwise, our current AP might
stay cached if it is turned off while we are scanning, and we could
end up picking a now non-existent but "good looking" AP over and over.

found with and ok phessler@


# 1.128 27-Apr-2018 stsp

Fix the scan loop: We were only looking for an AP once and stopped
scanning if none was found.
Accidentally broken in recent ifconfig scan changes by pirofti and me.
ok pirofti


# 1.127 26-Apr-2018 pirofti

net80211: stub SIOCS80211SCAN, make ifconfig scan instant.

The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stsp@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.

The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.

In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.

The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...

Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.

Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).

Tested by mpi@, landry@, florian@, thanks!
OK mpi@.


Revision tags: OPENBSD_6_3_BASE
# 1.126 06-Feb-2018 phessler

convert the test if a node supports HT (aka, 11n) into an inline function,
instead of testing some un-obvious bitfield

OK stsp@


# 1.125 12-Dec-2017 stsp

Don't dereference IEEE80211_CHAN_ANYC pointer in ieee80211_node_checkrssi().

Problem reported by Gregoire Jadi on bugs@


# 1.124 12-Dec-2017 phessler

Allow interfaces that aren't SCANNALLBAND drivers to benefit from the
strongest received signal.

OK stsp@


# 1.123 12-Dec-2017 jcs

Fix the behavior of preferring weaker-but-still-good 5GHz APs over
2GHz APs because the 5GHz band is generally less saturated.

The previous implementation was dependent upon the order of walking
APs.

ok stsp


# 1.122 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


Revision tags: OPENBSD_6_2_BASE
# 1.121 05-Sep-2017 stsp

When starting a new scan always set the mode to AUTO if the driver scans
all bands at once. Fixes a problem where e.g. 5GHz APs were filtered out
if we were previously associated to an 11g-only AP.
ok mpi@ phessler@


# 1.120 17-Aug-2017 stsp

Add an entry to dmesg if pairwise WPA keys arrive unexpectedly or if WPA
group keys are being reused. OpenBSD wireless clients will now leave a
trail of such events in their message log.

There has been increased public scrutiny of WPA's security recently, so
I am curious to see if anyone is attempting replay attacks in the wild.

ok deraadt


# 1.119 04-Aug-2017 stsp

Compile a debug printf in ieee80211_match_bss() by default, previously
guarded by the IEEE80211_DEBUG preprocessor flag. This shows one line
per detected AP after a scan, and indicates which APs are considered
candidates for association.
Shorten the output a bit to fit into 80 columns more likely.
ok sthen@


# 1.118 19-Jul-2017 stsp

Improve the heuristic which selects 5GHz APs over 2GHz APs.

The previous code wasn't quite right: it didn't account for the fact that
some drivers don't set ic_max_rssi, and it compared 5GHz APs to a threshold
relative to the max RSSI, rather than comparing RSSI on 5GHz relative to
RSSI on 2GHz.

This heuristic is only used by SCANNALLBAND drivers: iwn(4), iwm(4), wpi(4)

In the future the AP selection heuristic should be made more intelligent,
e.g. it should take BSS load information in beacons into account.
Another open problem is inconsistent representation of RSSI measurement
values throughout our drivers and stack. Help is welcome!

For now, this hopefully improves AP selection at busy airports.

ok sthen@ deraadt@


# 1.117 04-Jun-2017 tb

Add sizes for free for the RSN IEs. Rewrite ieee80211_save_ie() slightly
to make it more readable.

help, many explanations and ok stsp


# 1.116 03-Jun-2017 tb

Add a few sizes to free().

Input, help & ok stsp


Revision tags: OPENBSD_6_1_BASE
# 1.115 04-Mar-2017 stsp

branches: 1.115.4;
In 11n hostap mode, dynamically adjust HT protection settings based on
the presence of non-HT nodes in the node cache.
OpenBSD 11n APs will now disable HT protection if it is not necessary.
ok mpi@


# 1.114 03-Feb-2017 stsp

Fix 11b clients sending bogus ratesets in association requests. The common
rateset with the AP is calculated only after the association response was
received, which is too late. Fix rates when an AP is selected after a scan.
ok mpi@ tb@


# 1.113 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.112 16-Jan-2017 stsp

Reset block ack state and cancel related timeouts when a HT node disassociates.
The existing code (from damien@) already took care of freeing related buffers
but because block ack state was not reset we were still trying to use these
buffers if the node sent another A-MPDU. This problem only affects 11n hostap.
Fixes kernel crash reported by Timo Myyra on bugs@


# 1.111 09-Jan-2017 stsp

When a HT node leaves or reassociates as a non-HT node,
clear HT capabilities stored in its node cache object.

A node may switch from 11n mode to 11a/b/g mode.
If we don't clear HT capabilities from the cache the node will
be mistaken as 11n-capable after reassociation.

ok phessler@ mpi@


# 1.110 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.109 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.108 09-Jan-2017 stsp

The point of ieee80211_node_leave() is to place the node in COLLECT state.
Return early and do nothing if the node is already in COLLECT state upon
entry to this function.


# 1.107 09-Jan-2017 stsp

When acting as hostap, negotiate HT before calling the driver's ic_newassoc()
function, not afterwards. Drivers now know whether a joining node supports HT
which helps with setting up state such as which Tx rate to use.


# 1.106 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@


# 1.105 15-Sep-2016 dlg

move from RB macros to the RBT functions.

shaves about 5k off an amd64 GENERIC.MP kernel


# 1.104 17-Aug-2016 stsp

If a wireless device or driver scans all bands at once give 5GHz APs
a slight priority in cases where good matches exist in either band.
ok sthen@


Revision tags: OPENBSD_6_0_BASE
# 1.103 21-May-2016 stsp

branches: 1.103.2;
Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


# 1.102 18-May-2016 stsp

In hostap mode, don't re-use association IDs (AIDs) of nodes which are
still lingering in the node cache. This could cause an AID to be assigned
twice, once to a newly associated node and once to a different node in
COLLECT cache state (i.e. marked for future eviction from the node cache).

Drivers (e.g. rt2860) may use AIDs to keep track of nodes in firmware
tables and get confused when AIDs aren't unique across the node cache.
The symptom observed with rt2860 were nodes stuck at 1 Mbps Tx rate since
the duplicate AID made the driver perform Tx rate (AMRR) accounting on
the wrong node object.

To find out if a node is associated we now check the node's cache state,
rather than comparing the node's AID against zero. An AID is assigned when
a node associates and it lasts until the node is eventually purged from the
node cache (previously, the AID was made available for re-use when the node
was placed in COLLECT state). There is no need to be stingy with AIDs since
the number of possible AIDs exceeds the maximum number of nodes in the cache.

Problem found by Nathanael Rensen.
Fix written by Nathanael and myself. Tested by Nathanael.
Committing now to get this change tested across as many drivers as possible.


# 1.101 12-Apr-2016 mpi

Call if_enqueue() and if_start() instead of dereferencing the ifp
pointers.

These functions have been introduced to abstract some of the MP-
safeness^Wmadness and should be use everywhere.

Prodded by a comment from jsg@.

ok mikeb@, stsp@


# 1.100 03-Mar-2016 gerhard

Restore assignment of ic_curmode that was accidentally removed when
moving the ERP code to post-assoc phase. Fixes iwi(4) fatal firmware
errors.

ok stsp@, sobrado@


Revision tags: OPENBSD_5_9_BASE
# 1.99 25-Jan-2016 stsp

branches: 1.99.2;
Honour ERP protection on 2 GHz channels in 11n mode, as done for 11g.
ok millert@


# 1.98 25-Jan-2016 stsp

Don't try to interpret htprot data if the last beacon didn't contain such data.
ok mpi@ millert@


# 1.97 07-Jan-2016 stsp

Make the A-MPDU reordering buffer more resilient against APs which drop
some subframes or let the sequence number jump up by more than 1 (hard
to tell which it is). We decrease the BA inactivity timeout for quicker
recovery from stalled BA sessions, and add a new timeout which keeps track
of gaps in the subframe sequence number space due to dropped frames.
Gaps expire after 500 msec, the same value FreeBSD uses for their
implementation of this workaround. And Linux uses this trick, too.

This should fix network stalls some people have been seeing in 11n mode.

ok deraadt@


# 1.96 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.95 04-Jan-2016 stsp

While configuring ERP we need to know if we're in 11a or 11g mode so only
configure ERP once we are sure about our operation mode against the AP.
ok sthen jasper kettenis deraadt mpi


# 1.94 18-Dec-2015 sthen

unnoccupied->unoccupied


# 1.93 12-Dec-2015 stsp

Finish support for receiving 11n A-MPDUs.

The initial implementation was added by damien@ years ago.
Summary of the changes made in this commit:
- In ieee80211_input(), process A-MPDUs before duplicate detection.
- Don't forget to set ba->ba_ni in ieee80211_recv_addba_req()
so we don't crash in ieee80211_rx_ba_timeout().
- In ieee80211_recv_addba_req(), tweak the logic to deny BlockAck
requests if the driver has no callback for doing so.
- Implement ieee80211_ba_del() which cleans up BlockAck state.
- Increase the minimum and maximum lifetime for BlockAck agreements.

ok mpi@


# 1.92 24-Nov-2015 mpi

No need to include <net/if_arp.h>

This header is only needed because <netinet/if_ether.h> declares a
structure that needs it. But it turns out that <net/if.h> already
includes it as workaround.

A proper solution would be to stop declaring "struct ether_arp"
there. But no driver should need this header.


# 1.91 15-Nov-2015 stsp

Parse 11n HT capabilities and operational info from association response
frames, negotiate HT with the AP, and move the interface into or out of
11n mode accordingly. If running as AP negotiate HT with nodes joining the BSS.

ok deraadt mpi kettenis guenther


# 1.90 15-Nov-2015 stsp

Extend struct ieee80211_node with fields for 11n STA HT capabilities and
HT operational information sent by 11n APs. These fields reflect the structure
of elements in management frames so that IEEE80211_HTCAP* and IEEE80211_HTOP*
macros designed to operate on frame elements can be used directly to read
or set the fields.

Populate nodes with HT information received in probe responses, probe
requests, and association requests.

ok deraadt mpi phessler kettenis guenther


# 1.89 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


Revision tags: OPENBSD_5_8_BASE
# 1.88 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.87 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.86 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.85 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rndvar.h. ok deraadt dlg


# 1.84 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.83 12-Sep-2014 sthen

Remove cached 802.11 nodes in IEEE80211_STA_CACHE state (these are nodes
which have been seen but which haven't otherwise interacted with us), fixing
a problem where old cached nodes are seen when doing a scan.
From Marcin Piotr Pawlowski, feedback stsp@ ok kspillner@ dcoppa@


# 1.82 08-Aug-2014 jasper

use nitems() instead of various local constructs

ok stsp@


Revision tags: OPENBSD_5_6_BASE
# 1.81 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


Revision tags: OPENBSD_5_5_BASE
# 1.80 01-Dec-2013 stsp

Reset txrate array index after changing a node's rate list.
Should prevent "bogus xmit rate %d setup" panics, which I ran into again
in IBSS mode.
ok kettenis


# 1.79 21-Nov-2013 mpi

Remove unneeded include.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.78 24-Mar-2013 claudio

Make ieee80211_set_tim() available from outside of ieee80211_node.c
so drivers like acx(4) can use that function directly instead of
reimplementing the function again. Requested by kettenis@ a long time ago.


Revision tags: OPENBSD_5_3_BASE
# 1.77 07-Nov-2012 stsp

Fix DPRINTF() format string treating n->ni_refcnt, which is unsigned, as signed.
diff from dhill; ok kettenis reyk


# 1.76 10-Oct-2012 kettenis

Clear the powersave flag and purge queued packets when a node leaves the AP
(either by disassociating or by timeout). Fixes (most) remaining issues with
power saving.

From Nathanael Rensen.

ok claudio@, krw@, sthen@


# 1.75 05-Oct-2012 camield

Point an interface directly to its bridgeport configuration, instead
of to the bridge itself. This is ok, since an interface can only be part
of one bridge, and the parent bridge is easy to find from the bridgeport.

This way we can get rid of a lot of list walks, improving performance
and shortening the code.

ok henning stsp sthen reyk


# 1.74 20-Sep-2012 stsp

Nuke M_80211_NODE #define which mapped to M_DEVBUF and use M_DEVBUF directly.
ok henning


# 1.73 25-Aug-2012 kettenis

Set up ni_savedq for the initial BSS node such that it can actually be used
to store multicast frames when one of the associated stations is in power
saving mode.

ok stsp@


# 1.72 17-Aug-2012 stsp

Fix possible panic while switching from STA mode into hostap/ibss modes.
ieee80211_create_ibss() resets the set of supported rates but failed
to update the index into the rate set array accordingly. If the rate
configured during STA operation didn't belong to the newly configured
rate set the system ran into an assertion ("bogus xmit rate %u setup")
while trying to create the IBSS.
ok fgsch@


Revision tags: OPENBSD_5_2_BASE
# 1.71 18-Jul-2012 stsp

Print messages about nodes purged from the node cache if hostap/ibss modes are
compiled in and the interface is in debug mode. ok sthen


# 1.70 16-Jul-2012 stsp

Move increment of ic_nnodes closer to where the node is actually inserted
into the cache. Make sure we're at IPL_NET while incrementing/decrementing
ic_nnodes. Add a debug message that warns about possible node leaks.
All of this affects hostap mode only.


# 1.69 13-Jul-2012 stsp

Tweak node cache eviction strategy when the cache is full: kick off new nodes
in AUTH state that weren't active during the cache wait interval rather than
keeping them for the entire cache timeout interval. Fixes association failures
in noisy RF environments. Tested by edd and myself with a slow soekris
suffering from RF noise with about 50 interrupts per second on ral0.
ok deraadt


Revision tags: OPENBSD_5_1_BASE
# 1.68 25-Jan-2012 stsp

There is no need to explicitly skip ic_bss when iterating over cached nodes.
The ic_bss is never put into the RB tree.


# 1.67 25-Jan-2012 stsp

Clean inactive authenticated nodes during cache timeout as well.
There is no need to keep nodes cached which never associated and were
inactive within the last 5 minutes or more. Keeps the node cache pretty
clean in my environment with typical city-center wlan noise.


# 1.66 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@


# 1.65 21-Jan-2012 stsp

Hold interrupts blocked while comparing a cached node's refcount to zero
and freeing the node. Just in case an interrupt happens to ref the node after
the refcount was checked but before the node is freed.
Tested by several as part of a larger diff.


# 1.64 18-Jan-2012 stsp

Make it possible to free cached nodes which never associated (e.g. nodes
only scanning for networks). These were never put into COLLECT state and
were thus never evicted from the node cache in hostap mode.
ok jsg@


Revision tags: OPENBSD_5_0_BASE
# 1.63 28-Mar-2011 kettenis

Clean nodes until the number of cached nodes is smaller than the maximum number
of nodes, otherwise we'll never actually clean any nodes. Fixes issues with
clients failing to attach because the node cache is completely filled.

ok damien@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.62 07-Aug-2010 krw

No "\n" needed at the end of panic() strings.

Bogus chunks pointed out by matthew@ and miod@. No cookies for
marco@ and jasper@.

ok deraadt@ miod@ matthew@ jasper@ macro@


# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


# 1.60 19-Jun-2010 damien

In ieee80211_node_leave(), clear the associd after calling
ieee80211_node_leave_rsn() since ieee80211_node_leave_rsn()
calls ic_delete_key() and drivers like ral(4) RT2860 need
a valid associd in their delete_key callbacks.
This affects HostAP mode only.

from Nathanael Rensen.

remove a useless (nested) #ifndef IEEE80211_STA_ONLY while i'm here


# 1.59 14-Jun-2010 damien

fix my previous commit, i forgot BIP, so instead of enumerating
what is not supported as a group cipher, enumerate what is supported.


# 1.58 14-Jun-2010 damien

do not try to associate with an AP using an unsupported group cipher,
otherwise we will panic in ieee80211_add_rsn_body().

this may be the cause of a panic seen by reyk@ though i'm not 100% sure.


# 1.57 28-Mar-2010 krw

Four uses of uninitialized variables found by clang via jsg@. ar5416, ar9287
and athn are only theoretically interesting. ieee80211_node fixes a real
bug in occupied channel detection.

ok damien@


Revision tags: OPENBSD_4_7_BASE
# 1.56 17-Feb-2010 damien

Do not always create a new node when a beacon or a probe response
is received. The creation of a new node is already handled in
ieee80211_recv_probe_resp() when necessary.
This avoids creating empty nodes with wrong channels when beacons
are received on the wrong channel (overlapping channels).
Those empty nodes may also prevent the real node from being
discovered because of ieee80211_find_node_for_beacon() filtering.

This should prevent entries of the form:
nwid "" chan 3 bssid 00:01:02:03:04:05 0dB 54M
in "ifconfig if0 scan" output, like reported by Rivo Nurges.


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.55 29-Jan-2009 damien

fix a panic that occurs when IEEE80211_STA_ONLY is defined (SMALL_KERNEL).

noticed by ray@, more investigation from sthen@
fix tested by sthen@


# 1.54 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.53 28-Jan-2009 damien

In ieee80211_find_node(), roll our own RB_FIND() based on the key (macaddr)
instead of resorting to horrid hacks/casts.
Restore the ieee80211_node structure back to its original state.


# 1.52 27-Jan-2009 damien

unbreak SMALL_KERNEL builds by adding missing #ifndef IEEE80211_STA_ONLY

pointed out by krw@


# 1.51 26-Jan-2009 damien

move ni_macaddr field at the top of the ieee80211_node structure.
this way we can avoid putting a full node structure (which is huge)
on the stack in ieee80211_find_node().
this is a bit tricky but the RB_FIND macro wants an "elem" structure,
not a field of "elem".


# 1.50 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.49 14-Dec-2008 damien

Add an ieee80211_notify_dtim() function that drivers should call after
every DTIM in HostAP mode.
Flushes all group addressed MSDUs buffered at the AP for power management.


# 1.48 23-Oct-2008 mk

Prevent a crash in ieee80211_setkeys() when unplugging an interface in
hostap mode by canceling the group rekey timeout in ieee80211_node_detach().

ok damien


# 1.47 15-Oct-2008 blambert

Second pass of simple timeout_add -> timeout_add_sec conversions
This should take care of the simpler ones (i.e., timeout values of
integer multiples of hz).

ok krw@, art@


# 1.46 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.45 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.44 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.43 12-Aug-2008 damien

new SHA-256 based AKMPs.


# 1.42 12-Aug-2008 damien

add/process group integrity cipher suite in RSN IEs.
add support for MFP negotiation during association.


# 1.41 12-Aug-2008 damien

the only integrity group cipher currently supported is AES-128-CMAC.


# 1.40 12-Aug-2008 damien

generate a random IGTK in HostAP mode if we're MFP-capable.


# 1.39 12-Aug-2008 damien

get rid of the map_ptk()/map_gtk() functions, just inline them
which makes things easier to track.


Revision tags: OPENBSD_4_4_BASE
# 1.38 02-Aug-2008 damien

Drop frames that are received unencrypted when WEP is on or when
WPA is on and RX protection for TA is on.
Keep track of the TX/RX protection for each node when WPA is on.

tested by djm@ (ral+wpa), ckuethe@ (ath-noenc) and krw@ (wpi<->ral+wpa).
hints from bluhm@
has been in snaps for a few days.

pointed out by bluhm@ something like 1 year ago but we did not have
the right infrastructure to fix it properly at that time.

ok deraadt@


# 1.37 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.36 27-Jul-2008 damien

s/IEEE80211_DPRINTF/DPRINTF/
automatically prepend __func__ to output.

deobfuscates debug messages a bit.
no binary change unless compiled with IEEE80211_DEBUG.


# 1.35 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.34 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


# 1.33 21-Apr-2008 damien

move ieee80211_ibss_merge() from ieee80211_input.c to ieee80211_node.c


# 1.32 21-Apr-2008 damien

move ieee80211_auth_open() to ieee80211_proto.c
move ieee80211_setup_rates() to ieee80211_node.c
move some prototypes from ieee80211_proto.h to ieee80211_crypto.h


# 1.31 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.30 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.29 07-Sep-2007 damien

use new malloc M_ZERO flag + replace MALLOC with malloc


Revision tags: OPENBSD_4_2_BASE
# 1.28 06-Jul-2007 damien

remove remaining bits for pre-RSNA shared authmode support.
it has been #if 0'd since 3.9 and we have never supported this mode (no
ifconfig option etc...).


# 1.27 06-Jul-2007 damien

initialize an uninitialized variable.


# 1.26 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.25 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.24 16-Jun-2007 damien

constify


# 1.23 16-Jun-2007 damien

don't mix u_int{8,16,32}_t and uint{8,16,32}_t
use u_int{8,16,32}_t everywhere.


# 1.22 16-Jun-2007 damien

de-static

ok jsg@


# 1.21 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.20 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


# 1.19 10-Apr-2007 miod

``it's'' -> ``its'' when the grammar gods require this change.


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 13-Nov-2006 damien

fix a possible NULL deref.


Revision tags: OPENBSD_4_0_BASE
# 1.16 19-Jun-2006 reyk

unbreak the code if compiled with IEEE80211_DEBUG by using the right
node attribute.

ok damien@, figured out by claudio@


# 1.15 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.14 19-Feb-2006 damien

Fix a comment in ieee80211_next_scan().


# 1.13 09-Oct-2005 reyk

if the wireless hostap interface belongs to a bridge, learn the node's
address dynamically on this interface after successful association.
this could speed wireless roaming to openbsd accesspoints.

ok jason@, jsg@ can't see anything objectionable


# 1.12 07-Oct-2005 reyk

minor knf


# 1.11 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.10 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.9 08-Sep-2005 jsg

Remove the last of the FreeBSD compatibility goop.
ok reyk@


# 1.8 08-Sep-2005 jsg

Remove FreeBSD if_printf compat function from net80211.
ok reyk@


# 1.7 08-Sep-2005 reyk

reset the scan state for each new mode

ok jsg@


# 1.6 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.5 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.4 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.3 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.2 02-Nov-2004 millert

Don't call memset() if MALLOC returns NULL; also fix the rcs ID.
From Patrick Latifi; OK reyk@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.160 18-Jan-2019 phessler

add a len field when we delete an essid from the joinlist. this will have
us properly match, instead of hoping we got lucky when selecting it.

OK stsp@


# 1.159 18-Jan-2019 phessler

let users automatically use join to connect to any open wifi network.
if a known network is visible, always prefer that instead.

requested by many, OK stsp@


# 1.158 25-Nov-2018 phessler

print more details about the join'd networks we have saved when a user runs
ifconfig if joinlist

OK stsp@


# 1.157 20-Nov-2018 phessler

fix whitespace in debugging function


# 1.156 20-Nov-2018 patrick

The first packet received from each AP in each QoS class would be
dropped as the sequence number matches the initial value of the
cached last sequence number (zero). On some APs (notably Android
WIFI hotspots) this hits the first packet of the WPA2 4-way
handshake. This causes connection delays and in some cases
connection to the AP fails completely. Initialize the cached last
sequence numbers for received packets to an invalid value instead.

From Christian Ehrhardt
ok gerhard@ stsp@


# 1.155 27-Oct-2018 phessler

pass around the ess and ni structures we plan to use directly, instead
of rediscovering them (possibly badly).

OK stsp@


# 1.154 27-Oct-2018 phessler

clean up accounting of the AUTO_JOIN flag by making sure it is set or cleared
based on the state of the joinlist

OK stsp@


# 1.153 27-Oct-2018 phessler

don't join to a network where we expect cleartext, and the AP is using crypto

OK stsp@


Revision tags: OPENBSD_6_4_BASE
# 1.152 18-Sep-2018 mestre

fix memory leak in ieee80211_end_scan()

OK phessler@ jsg@


# 1.151 17-Sep-2018 jsg

fix memory leaks in ieee80211_add_ess()
ok stsp@ phessler@


# 1.150 11-Sep-2018 phessler

use the format string for signed ints, for signed ints

reminded by stsp@


# 1.149 11-Sep-2018 phessler

With the interface debug flag enabled, print a "score" for each AP we
consider during auto-join. This can help users determine why a specific
network was chosen.

OK stsp@


# 1.148 10-Sep-2018 phessler

fix typo in the length of the essid we want to switch to

found with and OK stsp@


# 1.147 10-Sep-2018 phessler

extract clearing WEP/WPA in ess into helper functions


# 1.146 10-Sep-2018 phessler

give set_ess a len variable, so we can correctly match the essid we want
to switch to.

pointed out by stsp@


# 1.145 09-Sep-2018 phessler

convert the things we save in 'join' into a single ioctl. mixing related
settings over multiple calls was risky and racy. Pass essid, wpa, and wep
parameters in a single ioctl and process it atomically.

no change for 'nwid' users

OK stsp@ benno@


# 1.144 06-Sep-2018 jsg

fix whitespace


# 1.143 01-Sep-2018 stsp

Make 'ifconfig nwid' override 'ifconfig join'.

There was no way to override a decision made by join's network
selection algorithm (apart from disabling the feature by clearing
the join list). Automatic selection is based on heuristics which
cannot always guess correctly so we need to provide an override.

One specific problem was that if 'nwid foo' and 'nwid bar' were
both visible in the scan and only 'nwid foo' was a member of the
join list, then there was no way at all to connect to 'nwid bar'.
The wireless stack would keep selecting 'nwid foo' instead.

'ifconfig iwm0 nwid bar' command will now disable automatic
network selection and force the use of ESSID 'bar'.
Any of these commands will re-enable automatic network selection:
ifconfig iwm0 -nwid
ifconfig iwm0 nwid ''
ifconfig iwm0 join some-network-id

ok phessler@ deraadt@


# 1.142 15-Aug-2018 stsp

Update AP selection heuristics for auto-join.

We now prefer stronger crypto over weaker crypto over none, prefer 5 GHz
band with reasonable RSSI, and use RSSI as a tie-breaker with a slight
advantage for 5GHz. Candidate APs are now ranked by a score which is
calculated based on these attributes.

There is likely room for improvements to make these heuristics
work well across many different environments, but it's a start.

ok phessler@


# 1.141 13-Aug-2018 stsp

Add support for band-steering access points to net80211.

Some access points have a feature called "band steering" where they
will try to push clients from 2 GHz channels to 5 GHz channels.
If a client sends probe-requests on both 2 GHz and 5GHz channels, and
then attempts to authenticate on a 2 GHz channel, such APs will deny
authentication and hope that the client will come back on a 5 GHz channel.

So if we fail to AUTH for any reason, and if there is a different
AP with the same ESSID that we haven't tried yet, try that AP next.
Keep trying until no APs are left, and only then continue scanning.

APs with support for this feature were provided by Mischa Peters.

ok phessler@ mpi@


# 1.140 11-Aug-2018 stsp

Add comment explaining why we read basic MCS set only from beacon/probereq.
requested by mpi@


# 1.139 07-Aug-2018 stsp

Ignore basic MCS set information found in association responses.

Some APs (Aruba 105) send a bogus basic MCS set in assoc responses
which prevents us from enabling 11n support with those APs, while
these APs still behave as if we were an 11n client which renders
the association unusable.

The basic MCS set is already provided in beacons anyway, and the
802.11 2012 standard says the basic MCS set is reserved in frames
other than beacons (see Table 8-130).

ok mpi@


# 1.138 06-Aug-2018 stsp

Refactor ieee80211_add_ess():

Drop ieee80211_add_ess's nwid parameter. Read nwid and length directly
from the ic to make it more obvious where this function is reading from.

nwids are binary data with an explicit length, so treat them as such
instead of treating them like strings.

ok florian phessler


# 1.137 06-Aug-2018 florian

Do not set nwid over and over again. We just found the ess by comparing
the nwid. It will not have changed in the meantime.
OK stsp


# 1.136 03-Aug-2018 phessler

revert 1.133 and part of 1.131
the stack doesn't always fill in the parameters correctly

reported by many


# 1.135 30-Jul-2018 stsp

Don't ask drivers to join a wifi network before an AP has been chosen.
Should fix a panic with bwfm(4) reported by mlarkin@
ok phessler@


# 1.134 19-Jul-2018 florian

ieee80211_ess_is_better() returns 0 or 1, comparing > 1 is always
false so we always selected the first wifi available, not the best
one.

While here shuffle some deck chairs to make it clearer that anything is
better than nothing.

tweak & OK phessler


# 1.133 16-Jul-2018 phessler

the AP sends their crypto parameters as a mask, so let us still select it
in case we want WPA2 and they have WPA1 still enabled


# 1.132 16-Jul-2018 phessler

don't save or use auto-join when the card is not in station (aka client) mode

OK stsp@


# 1.131 13-Jul-2018 phessler

Some more checks before auto-join switches networks.

Make sure all of the crypto options the AP announces matches what we
would configure. While here, don't switch if the user has specified
a specific BSSID, and the new AP does not match.

OK stsp@


# 1.130 11-Jul-2018 phessler

Introduce 'auto-join' to the wifi 802.11 stack.

This allows a system to remember which ESSIDs it wants to connect to, any
relevant security configuration, and switch to it when the network we are
currently connected to is no longer available.

Works when connecting and switching between WPA2/WPA1/WEP/clear encryptions.

example hostname.if:
join home wpakey password
join work wpakey mekmitasdigoat
join open-lounge
join cafe wpakey cafe2018
join "wepnetwork" nwkey "12345"
dhcp
inet6 autoconf
up

OK stsp@ reyk@
and enthusiasm from every hackroom I've been in for the last 3 years


# 1.129 28-Apr-2018 stsp

When starting a background scan, free the nodes table to ensure we
get an up-to-date view of APs around us. In particular, we need to
kick out the AP we are associated to. Otherwise, our current AP might
stay cached if it is turned off while we are scanning, and we could
end up picking a now non-existent but "good looking" AP over and over.

found with and ok phessler@


# 1.128 27-Apr-2018 stsp

Fix the scan loop: We were only looking for an AP once and stopped
scanning if none was found.
Accidentally broken in recent ifconfig scan changes by pirofti and me.
ok pirofti


# 1.127 26-Apr-2018 pirofti

net80211: stub SIOCS80211SCAN, make ifconfig scan instant.

The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stsp@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.

The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.

In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.

The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...

Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.

Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).

Tested by mpi@, landry@, florian@, thanks!
OK mpi@.


Revision tags: OPENBSD_6_3_BASE
# 1.126 06-Feb-2018 phessler

convert the test if a node supports HT (aka, 11n) into an inline function,
instead of testing some un-obvious bitfield

OK stsp@


# 1.125 12-Dec-2017 stsp

Don't dereference IEEE80211_CHAN_ANYC pointer in ieee80211_node_checkrssi().

Problem reported by Gregoire Jadi on bugs@


# 1.124 12-Dec-2017 phessler

Allow interfaces that aren't SCANNALLBAND drivers to benefit from the
strongest received signal.

OK stsp@


# 1.123 12-Dec-2017 jcs

Fix the behavior of preferring weaker-but-still-good 5GHz APs over
2GHz APs because the 5GHz band is generally less saturated.

The previous implementation was dependent upon the order of walking
APs.

ok stsp


# 1.122 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


Revision tags: OPENBSD_6_2_BASE
# 1.121 05-Sep-2017 stsp

When starting a new scan always set the mode to AUTO if the driver scans
all bands at once. Fixes a problem where e.g. 5GHz APs were filtered out
if we were previously associated to an 11g-only AP.
ok mpi@ phessler@


# 1.120 17-Aug-2017 stsp

Add an entry to dmesg if pairwise WPA keys arrive unexpectedly or if WPA
group keys are being reused. OpenBSD wireless clients will now leave a
trail of such events in their message log.

There has been increased public scrutiny of WPA's security recently, so
I am curious to see if anyone is attempting replay attacks in the wild.

ok deraadt


# 1.119 04-Aug-2017 stsp

Compile a debug printf in ieee80211_match_bss() by default, previously
guarded by the IEEE80211_DEBUG preprocessor flag. This shows one line
per detected AP after a scan, and indicates which APs are considered
candidates for association.
Shorten the output a bit to fit into 80 columns more likely.
ok sthen@


# 1.118 19-Jul-2017 stsp

Improve the heuristic which selects 5GHz APs over 2GHz APs.

The previous code wasn't quite right: it didn't account for the fact that
some drivers don't set ic_max_rssi, and it compared 5GHz APs to a threshold
relative to the max RSSI, rather than comparing RSSI on 5GHz relative to
RSSI on 2GHz.

This heuristic is only used by SCANNALLBAND drivers: iwn(4), iwm(4), wpi(4)

In the future the AP selection heuristic should be made more intelligent,
e.g. it should take BSS load information in beacons into account.
Another open problem is inconsistent representation of RSSI measurement
values throughout our drivers and stack. Help is welcome!

For now, this hopefully improves AP selection at busy airports.

ok sthen@ deraadt@


# 1.117 04-Jun-2017 tb

Add sizes for free for the RSN IEs. Rewrite ieee80211_save_ie() slightly
to make it more readable.

help, many explanations and ok stsp


# 1.116 03-Jun-2017 tb

Add a few sizes to free().

Input, help & ok stsp


Revision tags: OPENBSD_6_1_BASE
# 1.115 04-Mar-2017 stsp

branches: 1.115.4;
In 11n hostap mode, dynamically adjust HT protection settings based on
the presence of non-HT nodes in the node cache.
OpenBSD 11n APs will now disable HT protection if it is not necessary.
ok mpi@


# 1.114 03-Feb-2017 stsp

Fix 11b clients sending bogus ratesets in association requests. The common
rateset with the AP is calculated only after the association response was
received, which is too late. Fix rates when an AP is selected after a scan.
ok mpi@ tb@


# 1.113 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.112 16-Jan-2017 stsp

Reset block ack state and cancel related timeouts when a HT node disassociates.
The existing code (from damien@) already took care of freeing related buffers
but because block ack state was not reset we were still trying to use these
buffers if the node sent another A-MPDU. This problem only affects 11n hostap.
Fixes kernel crash reported by Timo Myyra on bugs@


# 1.111 09-Jan-2017 stsp

When a HT node leaves or reassociates as a non-HT node,
clear HT capabilities stored in its node cache object.

A node may switch from 11n mode to 11a/b/g mode.
If we don't clear HT capabilities from the cache the node will
be mistaken as 11n-capable after reassociation.

ok phessler@ mpi@


# 1.110 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.109 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.108 09-Jan-2017 stsp

The point of ieee80211_node_leave() is to place the node in COLLECT state.
Return early and do nothing if the node is already in COLLECT state upon
entry to this function.


# 1.107 09-Jan-2017 stsp

When acting as hostap, negotiate HT before calling the driver's ic_newassoc()
function, not afterwards. Drivers now know whether a joining node supports HT
which helps with setting up state such as which Tx rate to use.


# 1.106 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@


# 1.105 15-Sep-2016 dlg

move from RB macros to the RBT functions.

shaves about 5k off an amd64 GENERIC.MP kernel


# 1.104 17-Aug-2016 stsp

If a wireless device or driver scans all bands at once give 5GHz APs
a slight priority in cases where good matches exist in either band.
ok sthen@


Revision tags: OPENBSD_6_0_BASE
# 1.103 21-May-2016 stsp

branches: 1.103.2;
Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


# 1.102 18-May-2016 stsp

In hostap mode, don't re-use association IDs (AIDs) of nodes which are
still lingering in the node cache. This could cause an AID to be assigned
twice, once to a newly associated node and once to a different node in
COLLECT cache state (i.e. marked for future eviction from the node cache).

Drivers (e.g. rt2860) may use AIDs to keep track of nodes in firmware
tables and get confused when AIDs aren't unique across the node cache.
The symptom observed with rt2860 was nodes stuck at 1 Mbps Tx rate since
the duplicate AID made the driver perform Tx rate (AMRR) accounting on
the wrong node object.

To find out if a node is associated we now check the node's cache state,
rather than comparing the node's AID against zero. An AID is assigned when
a node associates and it lasts until the node is eventually purged from the
node cache (previously, the AID was made available for re-use when the node
was placed in COLLECT state). There is no need to be stingy with AIDs since
the number of possible AIDs exceeds the maximum number of nodes in the cache.

Problem found by Nathanael Rensen.
Fix written by Nathanael and myself. Tested by Nathanael.
Committing now to get this change tested across as many drivers as possible.


# 1.101 12-Apr-2016 mpi

Call if_enqueue() and if_start() instead of dereferencing the ifp
pointers.

These functions have been introduced to abstract some of the MP-
safeness^Wmadness and should be used everywhere.

Prodded by a comment from jsg@.

ok mikeb@, stsp@


# 1.100 03-Mar-2016 gerhard

Restore assignment of ic_curmode that was accidentally removed when
moving the ERP code to post-assoc phase. Fixes iwi(4) fatal firmware
errors.

ok stsp@, sobrado@


Revision tags: OPENBSD_5_9_BASE
# 1.99 25-Jan-2016 stsp

branches: 1.99.2;
Honour ERP protection on 2 GHz channels in 11n mode, as done for 11g.
ok millert@


# 1.98 25-Jan-2016 stsp

Don't try to interpret htprot data if the last beacon didn't contain such data.
ok mpi@ millert@


# 1.97 07-Jan-2016 stsp

Make the A-MPDU reordering buffer more resilient against APs which drop
some subframes or let the sequence number jump up by more than 1 (hard
to tell which it is). We decrease the BA inactivity timeout for quicker
recovery from stalled BA sessions, and add a new timeout which keeps track
of gaps in the subframe sequence number space due to dropped frames.
Gaps expire after 500 msec, the same value FreeBSD uses for their
implementation of this workaround. And Linux uses this trick, too.

This should fix network stalls some people have been seeing in 11n mode.

ok deraadt@


# 1.96 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.95 04-Jan-2016 stsp

While configuring ERP we need to know if we're in 11a or 11g mode so only
configure ERP once we are sure about our operation mode against the AP.
ok sthen jasper kettenis deraadt mpi


# 1.94 18-Dec-2015 sthen

unnoccupied->unoccupied


# 1.93 12-Dec-2015 stsp

Finish support for receiving 11n A-MPDUs.

The initial implementation was added by damien@ years ago.
Summary of the changes made in this commit:
- In ieee80211_input(), process A-MPDUs before duplicate detection.
- Don't forget to set ba->ba_ni in ieee80211_recv_addba_req()
so we don't crash in ieee80211_rx_ba_timeout().
- In ieee80211_recv_addba_req(), tweak the logic to deny BlockAck
requests if the driver has no callback for doing so.
- Implement ieee80211_ba_del() which cleans up BlockAck state.
- Increase the minimum and maximum lifetime for BlockAck agreements.

ok mpi@


# 1.92 24-Nov-2015 mpi

No need to include <net/if_arp.h>

This header is only needed because <netinet/if_ether.h> declares a
structure that needs it. But it turns out that <net/if.h> already
includes it as workaround.

A proper solution would be to stop declaring "struct ether_arp"
there. But no driver should need this header.


# 1.91 15-Nov-2015 stsp

Parse 11n HT capabilities and operational info from association response
frames, negotiate HT with the AP, and move the interface into or out of
11n mode accordingly. If running as AP negotiate HT with nodes joining the BSS.

ok deraadt mpi kettenis guenther


# 1.90 15-Nov-2015 stsp

Extend struct ieee80211_node with fields for 11n STA HT capabilities and
HT operational information sent by 11n APs. These fields reflect the structure
of elements in management frames so that IEEE80211_HTCAP* and IEEE80211_HTOP*
macros designed to operate on frame elements can be used directly to read
or set the fields.

Populate nodes with HT information received in probe responses, probe
requests, and association requests.

ok deraadt mpi phessler kettenis guenther


# 1.89 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


Revision tags: OPENBSD_5_8_BASE
# 1.88 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.87 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.86 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.85 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.84 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.83 12-Sep-2014 sthen

Remove cached 802.11 nodes in IEEE80211_STA_CACHE state (these are nodes
which have been seen but which haven't otherwise interacted with us), fixing
a problem where old cached nodes are seen when doing a scan.
From Marcin Piotr Pawlowski, feedback stsp@ ok kspillner@ dcoppa@


# 1.82 08-Aug-2014 jasper

use nitems() instead of various local constructs

ok stsp@


Revision tags: OPENBSD_5_6_BASE
# 1.81 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


Revision tags: OPENBSD_5_5_BASE
# 1.80 01-Dec-2013 stsp

Reset txrate array index after changing a node's rate list.
Should prevent "bogus xmit rate %d setup" panics, which I ran into again
in IBSS mode.
ok kettenis


# 1.79 21-Nov-2013 mpi

Remove unneeded include.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.78 24-Mar-2013 claudio

Make ieee80211_set_tim() available from outside of ieee80211_node.c
so drivers like acx(4) can use that function directly instead of
reimplementing the function again. Requested by kettenis@ long time ago.


Revision tags: OPENBSD_5_3_BASE
# 1.77 07-Nov-2012 stsp

Fix DPRINTF() format string treating n->ni_refcnt, which is unsigned, as signed.
diff from dhill; ok kettenis reyk


# 1.76 10-Oct-2012 kettenis

Clear the powersave flag and purge queued packets when a node leaves the AP
(either by disassociating or by timeout). Fixes (most) remaining issues with
power saving.

From Nathanael Rensen.

ok claudio@, krw@, sthen@


# 1.75 05-Oct-2012 camield

Point an interface directly to its bridgeport configuration, instead
of to the bridge itself. This is ok, since an interface can only be part
of one bridge, and the parent bridge is easy to find from the bridgeport.

This way we can get rid of a lot of list walks, improving performance
and shortening the code.

ok henning stsp sthen reyk


# 1.74 20-Sep-2012 stsp

Nuke M_80211_NODE #define which mapped to M_DEVBUF and use M_DEVBUF directly.
ok henning


# 1.73 25-Aug-2012 kettenis

Set up ni_savedq for the initial BSS node such that it can actually be used
to store multicast frames when one of the associated stations is in power
saving mode.

ok stsp@


# 1.72 17-Aug-2012 stsp

Fix possible panic while switching from STA mode into hostap/ibss modes.
ieee80211_create_ibss() resets the set of supported rates but failed
to update the index into the rate set array accordingly. If the rate
configured during STA operation didn't belong to the newly configured
rate set the system ran into an assertion ("bogus xmit rate %u setup")
while trying to create the IBSS.
ok fgsch@


Revision tags: OPENBSD_5_2_BASE
# 1.71 18-Jul-2012 stsp

Print messages about nodes purged from the node cache if hostap/ibss modes are
compiled in and the interface is in debug mode. ok sthen


# 1.70 16-Jul-2012 stsp

Move increment of ic_nnodes closer to where the node is actually inserted
into the cache. Make sure we're at IPL_NET while incrementing/decrementing
ic_nnodes. Add a debug message that warns about possible node leaks.
All of this affects hostap mode only.


# 1.69 13-Jul-2012 stsp

Tweak node cache eviction strategy when the cache is full: kick off new nodes
in AUTH state that weren't active during the cache wait interval rather than
keeping them for the entire cache timeout interval. Fixes association failures
in noisy RF environments. Tested by edd and myself with a slow soekris
suffering from RF noise with about 50 interrupts per second on ral0.
ok deraadt


Revision tags: OPENBSD_5_1_BASE
# 1.68 25-Jan-2012 stsp

There is no need to explicitly skip ic_bss when iterating over cached nodes.
The ic_bss is never put into the RB tree.


# 1.67 25-Jan-2012 stsp

Clean inactive authenticated nodes during cache timeout as well.
There is no need to keep nodes cached which never associated and were
inactive within the last 5 minutes or more. Keeps the node cache pretty
clean in my environment with typical city-center wlan noise.


# 1.66 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@


# 1.65 21-Jan-2012 stsp

Hold interrupts blocked while comparing a cached node's refcount to zero
and freeing the node. Just in case an interrupt happens to ref the node after
the refcount was checked but before the node is freed.
Tested by several as part of a larger diff.


# 1.64 18-Jan-2012 stsp

Make it possible to free cached nodes which never associated (e.g. nodes
only scanning for networks). These were never put into COLLECT state and
were thus never evicted from the node cache in hostap mode.
ok jsg@


Revision tags: OPENBSD_5_0_BASE
# 1.63 28-Mar-2011 kettenis

Clean nodes until the number of cached nodes is smaller than the maximum number
of nodes, otherwise we'll never actually clean any nodes. Fixes issues with
clients failing to attach because the node cache is completely filled.

ok damien@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.62 07-Aug-2010 krw

No "\n" needed at the end of panic() strings.

Bogus chunks pointed out by matthew@ and miod@. No cookies for
marco@ and jasper@.

ok deraadt@ miod@ matthew@ jasper@ marco@


# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


# 1.60 19-Jun-2010 damien

In ieee80211_node_leave(), clear the associd after calling
ieee80211_node_leave_rsn() since ieee80211_node_leave_rsn()
calls ic_delete_key() and drivers like ral(4) RT2860 need
a valid associd in their delete_key callbacks.
This affects HostAP mode only.

from Nathanael Rensen.

remove a useless (nested) #ifndef IEEE80211_STA_ONLY while i'm here


# 1.59 14-Jun-2010 damien

fix my previous commit, i forgot BIP, so instead of enumerating
what is not supported as a group cipher, enumerate what is supported.


# 1.58 14-Jun-2010 damien

do not try to associate with an AP using an unsupported group cipher,
otherwise we will panic in ieee80211_add_rsn_body().

this may be the cause of a panic seen by reyk@ though i'm not 100% sure.


# 1.57 28-Mar-2010 krw

Four uses of uninitialized variables found by clang via jsg@. ar5416, ar9287
and athn are only theoretically interesting. ieee80211_node fixes a real
bug in occupied channel detection.

ok damien@


Revision tags: OPENBSD_4_7_BASE
# 1.56 17-Feb-2010 damien

Do not always create a new node when a beacon or a probe response
is received. The creation of a new node is already handled in
ieee80211_recv_probe_resp() when necessary.
This avoids creating empty nodes with wrong channels when beacons
are received on the wrong channel (overlapping channels).
Those empty nodes may also prevent the real node from being
discovered because of ieee80211_find_node_for_beacon() filtering.

This should prevent entries of the form:
nwid "" chan 3 bssid 00:01:02:03:04:05 0dB 54M
in "ifconfig if0 scan" output, like reported by Rivo Nurges.


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.55 29-Jan-2009 damien

fix a panic that occurs when IEEE80211_STA_ONLY is defined (SMALL_KERNEL).

noticed by ray@, more investigation from sthen@
fix tested by sthen@


# 1.54 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.53 28-Jan-2009 damien

In ieee80211_find_node(), roll our own RB_FIND() based on the key (macaddr)
instead of resorting to horrid hacks/casts.
Restore the ieee80211_node structure back to its original state.


# 1.52 27-Jan-2009 damien

unbreak SMALL_KERNEL builds by adding missing #ifndef IEEE80211_STA_ONLY

pointed out by krw@


# 1.51 26-Jan-2009 damien

move ni_macaddr field at the top of the ieee80211_node structure.
this way we can avoid putting a full node structure (which is huge)
on the stack in ieee80211_find_node().
this is a bit tricky but the RB_FIND macro wants an "elem" structure,
not a field of "elem".


# 1.50 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.49 14-Dec-2008 damien

Add an ieee80211_notify_dtim() function that drivers should call after
every DTIM in HostAP mode.
Flushes all group addressed MSDUs buffered at the AP for power management.


# 1.48 23-Oct-2008 mk

Prevent a crash in ieee80211_setkeys() when unplugging an interface in
hostap mode by canceling the group rekey timeout in ieee80211_node_detach().

ok damien


# 1.47 15-Oct-2008 blambert

Second pass of simple timeout_add -> timeout_add_sec conversions
This should take care of the simpler ones (i.e., timeout values of
integer multiples of hz).

ok krw@, art@


# 1.46 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.45 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.44 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.43 12-Aug-2008 damien

new SHA-256 based AKMPs.


# 1.42 12-Aug-2008 damien

add/process group integrity cipher suite in RSN IEs.
add support for MFP negotiation during association.


# 1.41 12-Aug-2008 damien

the only integrity group cipher currently supported is AES-128-CMAC.


# 1.40 12-Aug-2008 damien

generate a random IGTK in HostAP mode if we're MFP-capable.


# 1.39 12-Aug-2008 damien

get rid of the map_ptk()/map_gtk() functions, just inline them
which makes things easier to track.


Revision tags: OPENBSD_4_4_BASE
# 1.38 02-Aug-2008 damien

Drop frames that are received unencrypted when WEP is on or when
WPA is on and RX protection for TA is on.
Keep track of the TX/RX protection for each node when WPA is on.

tested by djm@ (ral+wpa), ckuethe@ (ath-noenc) and krw@ (wpi<->ral+wpa).
hints from bluhm@
has been in snaps for a few days.

pointed out by bluhm@ something like 1 year ago but we did not have
the right infrastructure to fix it properly at that time.

ok deraadt@


# 1.37 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.36 27-Jul-2008 damien

s/IEEE80211_DPRINTF/DPRINTF/
automatically prepend __func__ to output.

deobfuscates debug messages a bit.
no binary change unless compiled with IEEE80211_DEBUG.


# 1.35 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.34 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


# 1.33 21-Apr-2008 damien

move ieee80211_ibss_merge() from ieee80211_input.c to ieee80211_node.c


# 1.32 21-Apr-2008 damien

move ieee80211_auth_open() to ieee80211_proto.c
move ieee80211_setup_rates() to ieee80211_node.c
move some prototypes from ieee80211_proto.h to ieee80211_crypto.h


# 1.31 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.30 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.29 07-Sep-2007 damien

use new malloc M_ZERO flag + replace MALLOC with malloc


Revision tags: OPENBSD_4_2_BASE
# 1.28 06-Jul-2007 damien

remove remaining bits for pre-RSNA shared authmode support.
it has been #if 0'd since 3.9 and we have never supported this mode (no
ifconfig option etc...).


# 1.27 06-Jul-2007 damien

initialize an uninitialized variable.


# 1.26 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.25 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.24 16-Jun-2007 damien

constify


# 1.23 16-Jun-2007 damien

don't mix u_int{8,16,32}_t and uint{8,16,32}_t
use u_int{8,16,32}_t everywhere.


# 1.22 16-Jun-2007 damien

de-static

ok jsg@


# 1.21 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.20 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


# 1.19 10-Apr-2007 miod

``it's'' -> ``its'' when the grammar gods require this change.


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 13-Nov-2006 damien

fix a possible NULL deref.


Revision tags: OPENBSD_4_0_BASE
# 1.16 19-Jun-2006 reyk

unbreak the code if compiled with IEEE80211_DEBUG by using the right
node attribute.

ok damien@, figured out by claudio@


# 1.15 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.14 19-Feb-2006 damien

Fix a comment in ieee80211_next_scan().


# 1.13 09-Oct-2005 reyk

if the wireless hostap interface belongs to a bridge, learn the node's
address dynamically on this interface after successful association.
this could speed wireless roaming to openbsd accesspoints.

ok jason@, jsg@ can't see anything objectionable


# 1.12 07-Oct-2005 reyk

minor knf


# 1.11 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.10 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.9 08-Sep-2005 jsg

Remove the last of the FreeBSD compatibility goop.
ok reyk@


# 1.8 08-Sep-2005 jsg

Remove FreeBSD if_printf compat function from net80211.
ok reyk@


# 1.7 08-Sep-2005 reyk

reset the scan state for each new mode

ok jsg@


# 1.6 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.5 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.4 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.3 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.2 02-Nov-2004 millert

Don't call memset() if MALLOC returns NULL; also fix the rcs ID.
From Patrick Latifi; OK reyk@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.158 25-Nov-2018 phessler

print more details about the join'd networks we have saved when a user runs
ifconfig if joinlist

OK stsp@


# 1.157 20-Nov-2018 phessler

fix whitespace in debugging function


# 1.156 20-Nov-2018 patrick

The first packet received from each AP in each QoS class would be
dropped as the sequence number matches the initial value of the
cached last sequence number (zero). On some APs (notably Android
WIFI hotspots) this hits the first packet of the WPA2 4-way
handshake. This causes connection delays and in some cases
connection to the AP fails completely. Initialize the cached last
sequence numbers for received packets to an invalid value instead.

From Christian Ehrhardt
ok gerhard@ stsp@


# 1.155 27-Oct-2018 phessler

pass around the ess and ni structures we plan to use directly, instead
of rediscovering them (possibly badly).

OK stsp@


# 1.154 27-Oct-2018 phessler

clean up accounting of the AUTO_JOIN flag by making sure it is set or cleared
based on the state of the joinlist

OK stsp@


# 1.153 27-Oct-2018 phessler

don't join to a network where we expect cleartext, and the AP is using crypto

OK stsp@


Revision tags: OPENBSD_6_4_BASE
# 1.152 18-Sep-2018 mestre

fix memory leak in ieee80211_end_scan()

OK phessler@ jsg@


# 1.151 17-Sep-2018 jsg

fix memory leaks in ieee80211_add_ess()
ok stsp@ phessler@


# 1.150 11-Sep-2018 phessler

use the format string for signed ints, for signed ints

reminded by stsp@


# 1.149 11-Sep-2018 phessler

With the interface debug flag enabled, print a "score" for each AP we
consider during auto-join. This can help users determine why a specific
network was chosen.

OK stsp@


# 1.148 10-Sep-2018 phessler

fix typo in the length of the essid we want to switch to

found with and OK stsp@


# 1.147 10-Sep-2018 phessler

extract clearing WEP/WPA in ess into helper functions


# 1.146 10-Sep-2018 phessler

give set_ess a len variable, so we can correctly match the essid we want
to switch to.

pointed out by stsp@


# 1.145 09-Sep-2018 phessler

convert the things we save in 'join' into a single ioctl. mixing related
settings over multiple calls was risky and racy. Pass essid, wpa, and wep
parameters in a single ioctl and process it atomically.

no change for 'nwid' users

OK stsp@ benno@


# 1.144 06-Sep-2018 jsg

fix whitespace


# 1.143 01-Sep-2018 stsp

Make 'ifconfig nwid' override 'ifconfig join'.

There was no way to override a decision made by join's network
selection algorithm (apart from disabling the feature by clearing
the join list). Automatic selection is based on heuristics which
cannot always guess correctly so we need to provide an override.

One specific problem was that if 'nwid foo' and 'nwid bar' were
both visible in the scan and only 'nwid foo' was a member of the
join list, then there was no way at all to connect to 'nwid bar'.
The wireless stack would keep selecting 'nwid foo' instead.

'ifconfig iwm0 nwid bar' command will now disable automatic
network selection and force the use of ESSID 'bar'.
Any of these commands will re-enable automatic network selection:
ifconfig iwm0 -nwid
ifconfig iwm0 nwid ''
ifconfig iwm0 join some-network-id

ok phessler@ deraadt@


# 1.142 15-Aug-2018 stsp

Update AP selection heuristics for auto-join.

We now prefer stronger crypto over weaker crypto over none, prefer 5 GHz
band with reasonable RSSI, and use RSSI as a tie-breaker with a slight
advantage for 5GHz. Candidate APs are now ranked by a score which is
calculated based on these attributes.

There is likely room for improvements to make these heuristics
work well across many different environments, but it's a start.

ok phessler@
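
Added example, not OpenBSD's code: a small candidate ranking in C modelled on the heuristic this message describes (crypto strength first, then a usable 5 GHz channel, then RSSI as a tie-breaker with a slight 5 GHz edge). The struct and function names, the point weights and the 50% threshold for a "reasonable" 5 GHz RSSI are assumptions, and the scan results in main() are constructed rather than captured from an interface.

```c
/*
 * Added example, not OpenBSD code: candidate-AP ranking in the spirit of
 * the auto-join heuristic. Names, weights and the 50% threshold are
 * assumptions.
 */
#include <stdio.h>

enum ap_crypto { AP_OPEN = 0, AP_WEP = 1, AP_WPA1 = 2, AP_WPA2 = 3 };

struct ap_candidate {
	const char *bssid;
	int band_5ghz;		/* 1 if the AP is on a 5 GHz channel */
	int rssi_pct;		/* signal as a percentage, 0..100 */
	enum ap_crypto crypto;	/* strongest suite the AP offers */
};

#define RSSI_5GHZ_OK	50	/* assumption: "reasonable" 5 GHz RSSI */

/* Crypto dominates, then a usable 5 GHz channel, then RSSI as tie-breaker. */
int
ap_score(const struct ap_candidate *ap)
{
	int score = (int)ap->crypto * 1000;	/* WPA2 > WPA1 > WEP > open */

	if (ap->band_5ghz && ap->rssi_pct >= RSSI_5GHZ_OK)
		score += 200;			/* prefer 5 GHz with decent RSSI */
	score += ap->rssi_pct;			/* 0..100 tie-breaker */
	if (ap->band_5ghz)
		score += 10;			/* slight 5 GHz edge at equal RSSI */
	return score;
}

/* Index of the best candidate, or -1 for an empty list. */
int
ap_select(const struct ap_candidate *aps, int n)
{
	int i, best = -1, best_score = -1;

	for (i = 0; i < n; i++) {
		int s = ap_score(&aps[i]);

		/* compare integer scores; a 0/1 "is better" result compared
		 * against 1 would never be true (see the 1.134 message) */
		if (s > best_score) {
			best_score = s;
			best = i;
		}
	}
	return best;
}

int
main(void)
{
	/* constructed scan results, not captured from a real interface */
	struct ap_candidate scan[] = {
		{ "00:11:22:33:44:01", 1, 90, AP_OPEN },
		{ "00:11:22:33:44:02", 0, 40, AP_WPA2 },
		{ "00:11:22:33:44:03", 1, 60, AP_WPA2 },
	};
	int n = (int)(sizeof(scan) / sizeof(scan[0])), i, best;

	for (i = 0; i < n; i++)
		printf("%s score %d\n", scan[i].bssid, ap_score(&scan[i]));
	best = ap_select(scan, n);
	printf("selected %s\n", scan[best].bssid);
	return 0;
}
```

With the constructed input the open 5 GHz network with the best signal loses to either WPA2 network, and among the WPA2 networks the 5 GHz one wins only because its RSSI clears the threshold; drop it to 30% and the 2 GHz candidate is picked instead.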


# 1.141 13-Aug-2018 stsp

Add support for band-steering access points to net80211.

Some access points have a feature called "band steering" where they
will try to push clients from 2 GHz channels to 5 GHz channels.
If a client sends probe-requests on both 2 GHz and 5GHz channels, and
then attempts to authenticate on a 2 GHz channel, such APs will deny
authentication and hope that the client will come back on a 5 GHz channel.

So if we fail to AUTH for any reason, and if there is a different
AP with the same ESSID that we haven't tried yet, try that AP next.
Keep trying until no APs are left, and only then continue scanning.

APs with support for this feature were provided by Mischa Peters.

ok phessler@ mpi@


# 1.140 11-Aug-2018 stsp

Add comment explaining why we read basic MCS set only from beacon/probereq.
requested by mpi@


# 1.139 07-Aug-2018 stsp

Ignore basic MCS set information found in association responses.

Some APs (Aruba 105) send a bogus basic MCS set in assoc responses
which prevents us from enabling 11n support with those APs, while
these APs still behave as if we were an 11n client which renders
the association unusable.

The basic MCS set is already provided in beacons anyway, and the
802.11 2012 standard says the basic MCS set is reserved in frames
other than beacons (see Table 8-130).

ok mpi@


# 1.138 06-Aug-2018 stsp

Refactor ieee80211_add_ess():

Drop ieee80211_add_ess's nwid parameter. Read nwid and length directly
from the ic to make it more obvious where this function is reading from.

nwids are binary data with an explicit length, so treat them as such
instead of treating them like strings.

ok florian phessler


# 1.137 06-Aug-2018 florian

Do not set nwid over and over again. We just found the ess by comparing
the nwid. It will not have changed in the meantime.
OK stsp


# 1.136 03-Aug-2018 phessler

revert 1.133 and part of 1.131
the stack doesn't always fill in the parameters correctly

reported by many


# 1.135 30-Jul-2018 stsp

Don't ask drivers to join a wifi network before an AP has been chosen.
Should fix a panic with bwfm(4) reported by mlarkin@
ok phessler@


# 1.134 19-Jul-2018 florian

ieee80211_ess_is_better() returns 0 or 1, comparing > 1 is always
false so we always selected the first wifi available, not the best
one.

While here shuffle some deck chairs to make it clearer that anything is
better than nothing.

tweak & OK phessler


# 1.133 16-Jul-2018 phessler

the AP sends their crypto parameters as a mask, so let us still select it
in case we want WPA2 and they have WPA1 still enabled


# 1.132 16-Jul-2018 phessler

don't save or use auto-join when the card is not in station (aka client) mode

OK stsp@


# 1.131 13-Jul-2018 phessler

Some more checks before auto-join switches networks.

Make sure all of the crypto options the AP announces matches what we
would configure. While here, don't switch if the user has specified
a specific BSSID, and the new AP does not match.

OK stsp@


# 1.130 11-Jul-2018 phessler

Introduce 'auto-join' to the wifi 802.11 stack.

This allows a system to remember which ESSIDs it wants to connect to, any
relevant security configuration, and switch to it when the network we are
currently connected to is no longer available.

Works when connecting and switching between WPA2/WPA1/WEP/clear encryptions.

example hostname.if:
join home wpakey password
join work wpakey mekmitasdigoat
join open-lounge
join cafe wpakey cafe2018
join "wepnetwork" nwkey "12345"
dhcp
inet6 autoconf
up

OK stsp@ reyk@
and enthusiasm from every hackroom I've been in for the last 3 years


# 1.129 28-Apr-2018 stsp

When starting a background scan, free the nodes table to ensure we
get an up-to-date view of APs around us. In particular, we need to
kick out the AP we are associated to. Otherwise, our current AP might
stay cached if it is turned off while we are scanning, and we could
end up picking a now non-existent but "good looking" AP over and over.

found with and ok phessler@


# 1.128 27-Apr-2018 stsp

Fix the scan loop: We were only looking for an AP once and stopped
scanning if none was found.
Accidentally broken in recent ifconfig scan changes by pirofti and me.
ok pirofti


# 1.127 26-Apr-2018 pirofti

net80211: stub SIOCS80211SCAN, make ifconfig scan instant.

The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stsp@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.

The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.

In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.

The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...

Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.

Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).

Tested by mpi@, landry@, florian@, thanks!
OK mpi@.


Revision tags: OPENBSD_6_3_BASE
# 1.126 06-Feb-2018 phessler

convert the test if a node supports HT (aka, 11n) into an inline function,
instead of testing some un-obvious bitfield

OK stsp@


# 1.125 12-Dec-2017 stsp

Don't dereference IEEE80211_CHAN_ANYC pointer in ieee80211_node_checkrssi().

Problem reported by Gregoire Jadi on bugs@


# 1.124 12-Dec-2017 phessler

Allow interfaces that aren't SCANNALLBAND drivers to benefit from the
strongest received signal.

OK stsp@


# 1.123 12-Dec-2017 jcs

Fix the behavior of preferring weaker-but-still-good 5GHz APs over
2GHz APs because the 5GHz band is generally less saturated.

The previous implementation was dependent upon the order of walking
APs.

ok stsp


# 1.122 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


Revision tags: OPENBSD_6_2_BASE
# 1.121 05-Sep-2017 stsp

When starting a new scan always set the mode to AUTO if the driver scans
all bands at once. Fixes a problem where e.g. 5GHz APs were filtered out
if we were previously associated to an 11g-only AP.
ok mpi@ phessler@


# 1.120 17-Aug-2017 stsp

Add an entry to dmesg if pairwise WPA keys arrive unexpectedly or if WPA
group keys are being reused. OpenBSD wireless clients will now leave a
trail of such events in their message log.

There has been increased public scrutiny of WPA's security recently, so
I am curious to see if anyone is attempting replay attacks in the wild.

ok deraadt
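
Added example, not OpenBSD's code: client-side bookkeeping in C for the two conditions this message says now leave a trail in the message log, a pairwise key installed after the 4-way handshake already completed and a group key delivered with the same key index and key material as the one already installed. The struct and function names are assumptions, the keys used in the test are constructed, and the events are counted here where the stack writes to the console. A retransmission of message 3 after a lost message 4 legitimately carries the same keys again, so this example records the event rather than refusing the key; what the real stack does beyond logging is not something this page states.

```c
/*
 * Added example, not OpenBSD code: flag an unexpected pairwise key and a
 * reused group key on the station side. Names are assumptions.
 */
#include <stdint.h>
#include <string.h>

#define GTK_LEN	16

enum key_event {
	KEY_OK = 0,
	KEY_UNEXPECTED_PTK = 1,		/* PTK install after handshake done */
	KEY_GTK_REUSED = 2		/* same key index and material again */
};

struct sta_keys {
	int ptk_installed;
	int gtk_installed;
	int gtk_kid;			/* group key index 1..3 */
	uint8_t gtk[GTK_LEN];
	unsigned int unexpected_ptk;	/* event counters (a log line each) */
	unsigned int gtk_reused;
};

/* On (re)association or deauthentication all key state starts over. */
void
sta_keys_reset(struct sta_keys *ks)
{
	memset(ks, 0, sizeof(*ks));
}

/* Called when message 3 of the 4-way handshake would install the PTK. */
enum key_event
sta_install_ptk(struct sta_keys *ks)
{
	enum key_event ev = KEY_OK;

	if (ks->ptk_installed) {
		/* a second PTK install is exactly the event worth logging */
		ks->unexpected_ptk++;
		ev = KEY_UNEXPECTED_PTK;
	}
	ks->ptk_installed = 1;
	return ev;
}

/* Called when a GTK is delivered (message 3 or a group-key handshake). */
enum key_event
sta_install_gtk(struct sta_keys *ks, int kid, const uint8_t gtk[GTK_LEN])
{
	enum key_event ev = KEY_OK;

	if (ks->gtk_installed && ks->gtk_kid == kid &&
	    memcmp(ks->gtk, gtk, GTK_LEN) == 0) {
		/* same index and same bytes as the key already in use */
		ks->gtk_reused++;
		ev = KEY_GTK_REUSED;
	}
	ks->gtk_installed = 1;
	ks->gtk_kid = kid;
	memcpy(ks->gtk, gtk, GTK_LEN);
	return ev;
}
```

A rotation to a different key index with the same bytes is deliberately not treated as reuse here; whether that should count is a policy question the example leaves to the caller.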


# 1.119 04-Aug-2017 stsp

Compile a debug printf in ieee80211_match_bss() by default, previously
guarded by the IEEE80211_DEBUG preprocessor flag. This shows one line
per detected AP after a scan, and indicates which APs are considered
candidates for association.
Shorten the output a bit to fit into 80 columns more likely.
ok sthen@


# 1.118 19-Jul-2017 stsp

Improve the heuristic which selects 5GHz APs over 2GHz APs.

The previous code wasn't quite right: it didn't account for the fact that
some drivers don't set ic_max_rssi, and it compared 5GHz APs to a threshold
relative to the max RSSI, rather than comparing RSSI on 5GHz relative to
RSSI on 2GHz.

This heuristic is only used by SCANNALLBAND drivers: iwn(4), iwm(4), wpi(4)

In the future the AP selection heuristic should be made more intelligent,
e.g. it should take BSS load information in beacons into account.
Another open problem is inconsistent representation of RSSI measurement
values throughout our drivers and stack. Help is welcome!

For now, this hopefully improves AP selection at busy airports.

ok sthen@ deraadt@


# 1.117 04-Jun-2017 tb

Add sizes for free for the RSN IEs. Rewrite ieee80211_save_ie() slightly
to make it more readable.

help, many explanations and ok stsp


# 1.116 03-Jun-2017 tb

Add a few sizes to free().

Input, help & ok stsp


Revision tags: OPENBSD_6_1_BASE
# 1.115 04-Mar-2017 stsp

branches: 1.115.4;
In 11n hostap mode, dynamically adjust HT protection settings based on
the presence of non-HT nodes in the node cache.
OpenBSD 11n APs will now disable HT protection if it is not necessary.
ok mpi@


# 1.114 03-Feb-2017 stsp

Fix 11b clients sending bogus ratesets in association requests. The common
rateset with the AP is calculated only after the association response was
received, which is too late. Fix rates when an AP is selected after a scan.
ok mpi@ tb@


# 1.113 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.112 16-Jan-2017 stsp

Reset block ack state and cancel related timeouts when a HT node disassociates.
The existing code (from damien@) already took care of freeing related buffers
but because block ack state was not reset we were still trying to use these
buffers if the node sent another A-MPDU. This problem only affects 11n hostap.
Fixes kernel crash reported by Timo Myyra on bugs@


# 1.111 09-Jan-2017 stsp

When a HT node leaves or reassociates as a non-HT node,
clear HT capabilities stored in its node cache object.

A node may switch from 11n mode to 11a/b/g mode.
If we don't clear HT capabilities from the cache the node will
be mistaken as 11n-capable after reassociation.

ok phessler@ mpi@


# 1.110 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.109 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.108 09-Jan-2017 stsp

The point of ieee80211_node_leave() is to place the node in COLLECT state.
Return early and do nothing if the node is already in COLLECT state upon
entry to this function.


# 1.107 09-Jan-2017 stsp

When acting as hostap, negotiate HT before calling the driver's ic_newassoc()
function, not afterwards. Drivers now know whether a joining node supports HT
which helps with setting up state such as which Tx rate to use.


# 1.106 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@
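
Added example, not OpenBSD's code: the hostap-side timing of TKIP countermeasures in C. The rule that a second MIC failure within 60 seconds starts countermeasures, during which TKIP associations are refused for 60 seconds, comes from the 802.11 standard rather than from this message; the random extra time, up to 120 seconds in total, is the behaviour the message adds. The names, the injected random callback (NULL meaning no jitter, so the timing can be checked exactly) and the integer-second clock are assumptions, and demo_rnd() in main() is a placeholder for the kernel's arc4random_uniform().

```c
/*
 * Added example, not OpenBSD code: TKIP countermeasures timer for an AP.
 * Names, the rnd callback and the integer-second clock are assumptions.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

#define MIC_FAIL_WINDOW	60	/* seconds between two MIC failures */
#define CM_BASE		60	/* seconds of countermeasures per standard */
#define CM_JITTER	60	/* extra seconds drawn at random, 0..CM_JITTER */

struct tkip_cm {
	int64_t last_mic_failure;	/* -1 if no failure is pending */
	int64_t blocked_until;		/* 0 when countermeasures are off */
	uint32_t (*rnd)(uint32_t bound);/* returns 0..bound-1; NULL = none */
};

void
tkip_cm_init(struct tkip_cm *cm, uint32_t (*rnd)(uint32_t))
{
	cm->last_mic_failure = -1;
	cm->blocked_until = 0;
	cm->rnd = rnd;
}

int
tkip_cm_active(const struct tkip_cm *cm, int64_t now)
{
	return cm->blocked_until > now;
}

/*
 * Report a MIC failure at time 'now'. Returns 1 when this failure starts
 * countermeasures; the caller then deauthenticates all TKIP stations.
 */
int
tkip_mic_failure(struct tkip_cm *cm, int64_t now)
{
	if (tkip_cm_active(cm, now))
		return 0;		/* already blocked, nothing more to do */
	if (cm->last_mic_failure >= 0 &&
	    now - cm->last_mic_failure <= MIC_FAIL_WINDOW) {
		uint32_t jitter = cm->rnd != NULL ? cm->rnd(CM_JITTER + 1) : 0;

		cm->blocked_until = now + CM_BASE + jitter;
		cm->last_mic_failure = -1;
		return 1;
	}
	cm->last_mic_failure = now;	/* first failure: start the 60 s window */
	return 0;
}

/* Association admission: refuse TKIP stations while countermeasures run. */
int
tkip_cm_allow_assoc(const struct tkip_cm *cm, int64_t now, int uses_tkip)
{
	return !(uses_tkip && tkip_cm_active(cm, now));
}

/* Demo stand-in for the kernel's arc4random_uniform(); not for real use. */
static uint32_t
demo_rnd(uint32_t bound)
{
	return (uint32_t)rand() % bound;
}

int
main(void)
{
	struct tkip_cm cm;

	srand((unsigned)time(NULL));
	tkip_cm_init(&cm, demo_rnd);
	tkip_mic_failure(&cm, 1000);
	if (tkip_mic_failure(&cm, 1020))
		printf("countermeasures until t=%lld\n",
		    (long long)cm.blocked_until);
	return 0;
}
```

Note that the countermeasures window only blocks TKIP stations; a CCMP station is still admitted, which is the reason the admission check takes the cipher as an argument.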


# 1.105 15-Sep-2016 dlg

move from RB macros to the RBT functions.

shaves about 5k off an amd64 GENERIC.MP kernel


# 1.104 17-Aug-2016 stsp

If a wireless device or driver scans all bands at once give 5GHz APs
a slight priority in cases where good matches exist in either band.
ok sthen@


Revision tags: OPENBSD_6_0_BASE
# 1.103 21-May-2016 stsp

branches: 1.103.2;
Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


# 1.102 18-May-2016 stsp

In hostap mode, don't re-use association IDs (AIDs) of nodes which are
still lingering in the node cache. This could cause an AID to be assigned
twice, once to a newly associated node and once to a different node in
COLLECT cache state (i.e. marked for future eviction from the node cache).

Drivers (e.g. rt2860) may use AIDs to keep track of nodes in firmware
tables and get confused when AIDs aren't unique across the node cache.
The symptom observed with rt2860 was nodes stuck at 1 Mbps Tx rate since
the duplicate AID made the driver perform Tx rate (AMRR) accounting on
the wrong node object.

To find out if a node is associated we now check the node's cache state,
rather than comparing the node's AID against zero. An AID is assigned when
a node associates and it lasts until the node is eventually purged from the
node cache (previously, the AID was made available for re-use when the node
was placed in COLLECT state). There is no need to be stingy with AIDs since
the number of possible AIDs exceeds the maximum number of nodes in the cache.

Problem found by Nathanael Rensen.
Fix written by Nathanael and myself. Tested by Nathanael.
Committing now to get this change tested across as many drivers as possible.
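
Added example, not OpenBSD's code: association ID bookkeeping in C following the rule this message lays out. An AID is taken when a node associates and is only returned to the pool when the node is purged from the cache, not when it merely enters COLLECT state, so a lingering node and a newly associated one can never hold the same AID, and "is this node associated" is answered from the cache state rather than from a non-zero AID. The names, the pool and cache sizes and the swap-remove purge are assumptions; the MAC addresses in the test are constructed.

```c
/*
 * Added example, not OpenBSD code: AIDs live as long as the cache entry.
 * Names and sizes are assumptions.
 */
#include <stdint.h>
#include <string.h>

#define AID_MAX		64	/* assumption: AID pool; 802.11 allows up to 2007 */
#define NODE_MAX	32	/* assumption: cache bound, smaller than the pool */

enum node_state { NODE_CACHE, NODE_ASSOC, NODE_COLLECT };

struct node {
	uint8_t macaddr[6];
	enum node_state state;
	uint16_t aid;			/* 0 = no AID assigned */
};

struct node_cache {
	struct node nodes[NODE_MAX];
	int nnodes;
	uint8_t aid_used[AID_MAX + 1];	/* indexed by AID, slot 0 unused */
};

void
cache_init(struct node_cache *nc)
{
	memset(nc, 0, sizeof(*nc));
}

/* Insert a freshly seen node; returns its index or -1 if the cache is full. */
int
cache_add(struct node_cache *nc, const uint8_t mac[6])
{
	if (nc->nnodes == NODE_MAX)
		return -1;
	memcpy(nc->nodes[nc->nnodes].macaddr, mac, 6);
	nc->nodes[nc->nnodes].state = NODE_CACHE;
	nc->nodes[nc->nnodes].aid = 0;
	return nc->nnodes++;
}

static uint16_t
aid_alloc(struct node_cache *nc)	/* lowest free AID, 0 if exhausted */
{
	uint16_t aid;

	for (aid = 1; aid <= AID_MAX; aid++)
		if (!nc->aid_used[aid]) {
			nc->aid_used[aid] = 1;
			return aid;
		}
	return 0;
}

/* Association: a reassociating node keeps its AID, others take a free one. */
int
node_associate(struct node_cache *nc, int idx)
{
	struct node *ni = &nc->nodes[idx];

	if (ni->aid == 0)
		ni->aid = aid_alloc(nc);
	if (ni->aid == 0)
		return -1;
	ni->state = NODE_ASSOC;
	return 0;
}

int
node_is_associated(const struct node_cache *nc, int idx)
{
	return nc->nodes[idx].state == NODE_ASSOC;	/* state, not aid != 0 */
}

/* The station left: mark for eviction but keep its AID reserved. */
void
node_leave(struct node_cache *nc, int idx)
{
	nc->nodes[idx].state = NODE_COLLECT;
}

/* Eviction from the cache: only now does the AID become reusable. */
void
node_purge(struct node_cache *nc, int idx)
{
	if (nc->nodes[idx].aid != 0)
		nc->aid_used[nc->nodes[idx].aid] = 0;
	nc->nodes[idx] = nc->nodes[--nc->nnodes];	/* swap-remove, indices shift */
}

/* The invariant drivers rely on: no two cached nodes share a non-zero AID. */
int
cache_aids_unique(const struct node_cache *nc)
{
	int i, j;

	for (i = 0; i < nc->nnodes; i++)
		for (j = i + 1; j < nc->nnodes; j++)
			if (nc->nodes[i].aid != 0 &&
			    nc->nodes[i].aid == nc->nodes[j].aid)
				return 0;
	return 1;
}
```

Because the pool is larger than the cache, aid_alloc() cannot run dry while the invariant holds; the -1 from node_associate() is kept only so a wrong size choice fails loudly instead of silently handing out a duplicate.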


# 1.101 12-Apr-2016 mpi

Call if_enqueue() and if_start() instead of dereferencing the ifp
pointers.

These functions have been introduced to abstract some of the MP-
safeness^Wmadness and should be use everywhere.

Prodded by a comment from jsg@.

ok mikeb@, stsp@


# 1.100 03-Mar-2016 gerhard

Restore assignment of ic_curmode that was accidentally removed when
moving the ERP code to post-assoc phase. Fixes iwi(4) fatal firmware
errors.

ok stsp@, sobrado@


Revision tags: OPENBSD_5_9_BASE
# 1.99 25-Jan-2016 stsp

branches: 1.99.2;
Honour ERP protection on 2 GHz channels in 11n mode, as done for 11g.
ok millert@


# 1.98 25-Jan-2016 stsp

Don't try to interpret htprot data if the last beacon didn't contain such data.
ok mpi@ millert@


# 1.97 07-Jan-2016 stsp

Make the A-MPDU reordering buffer more resilient against APs which drop
some subframes or let the sequence number jump up by more than 1 (hard
to tell which it is). We decrease the BA inactivity timeout for quicker
recovery from stalled BA sessions, and add a new timeout which keeps track
of gaps in the subframe sequence number space due to dropped frames.
Gaps expire after 500 msec, the same value FreeBSD uses for their
implementation of this workaround. And Linux uses this trick, too.

This should fix network stalls some people have been seeing in 11n mode.

ok deraadt@
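
Added example, not OpenBSD's code: a receive-side A-MPDU reordering buffer in C with the gap timeout this message describes. Frames are stood in for by their 12-bit sequence numbers and "delivery" appends to an array, so the effect of a dropped subframe or a sequence-number jump can be followed directly: frames behind a hole wait, and once the hole has been open for 500 ms the missing frame is given up on and the buffered frames are delivered. The window size of 8 (real sessions negotiate up to 64), the names and the millisecond clock are assumptions.

```c
/*
 * Added example, not OpenBSD code: A-MPDU reordering with a gap timeout.
 * Window size, names and the millisecond clock are assumptions.
 */
#include <stdint.h>
#include <string.h>

#define SEQ_MOD		4096		/* 12-bit sequence number space */
#define BA_WIN		8		/* reorder window, in frames */
#define GAP_TIMEOUT_MS	500		/* give up on a missing frame after this */
#define MAX_OUT		64

struct ba_rx {
	uint16_t head;			/* sequence number held by slot 0 */
	int filled[BA_WIN];		/* slot i holds seq (head + i) % SEQ_MOD */
	int64_t gap_since;		/* when slot 0 went missing; -1 if no gap */
	uint16_t out[MAX_OUT];		/* frames delivered in order */
	int nout;
};

static int
seq_sub(uint16_t a, uint16_t b)		/* (a - b) mod SEQ_MOD */
{
	return ((int)a - (int)b + SEQ_MOD) % SEQ_MOD;
}

void
ba_init(struct ba_rx *ba, uint16_t ssn)
{
	memset(ba, 0, sizeof(*ba));
	ba->head = ssn;
	ba->gap_since = -1;
}

static int
ba_pending(const struct ba_rx *ba)	/* any frame buffered at all? */
{
	int i, n = 0;

	for (i = 0; i < BA_WIN; i++)
		n += ba->filled[i];
	return n > 0;
}

/* Slide the window by one slot, delivering slot 0 if it holds a frame. */
static void
ba_advance(struct ba_rx *ba)
{
	if (ba->filled[0] && ba->nout < MAX_OUT)
		ba->out[ba->nout++] = ba->head;
	memmove(&ba->filled[0], &ba->filled[1], (BA_WIN - 1) * sizeof(int));
	ba->filled[BA_WIN - 1] = 0;
	ba->head = (ba->head + 1) % SEQ_MOD;
}

/* Deliver the in-order run at the front, then (re)start the gap clock. */
static void
ba_flush(struct ba_rx *ba, int64_t now_ms)
{
	int moved = 0;

	while (ba->filled[0]) {
		ba_advance(ba);
		moved = 1;
	}
	if (!ba_pending(ba))
		ba->gap_since = -1;
	else if (moved || ba->gap_since < 0)
		ba->gap_since = now_ms;	/* a hole now sits in front of buffered frames */
}

/* Receive one frame. Returns 1 if accepted, 0 if dropped as late/duplicate. */
int
ba_input(struct ba_rx *ba, uint16_t seq, int64_t now_ms)
{
	int off = seq_sub(seq, ba->head);

	if (off >= SEQ_MOD / 2)
		return 0;		/* behind the window */
	while (seq_sub(seq, ba->head) >= BA_WIN)
		ba_advance(ba);		/* sender jumped ahead: slide, skipping holes */
	off = seq_sub(seq, ba->head);
	if (ba->filled[off])
		return 0;		/* duplicate inside the window */
	ba->filled[off] = 1;
	ba_flush(ba, now_ms);
	return 1;
}

/* Periodic timer: skip a head frame missing for GAP_TIMEOUT_MS or longer. */
void
ba_gap_timeout(struct ba_rx *ba, int64_t now_ms)
{
	if (ba->gap_since < 0 || now_ms - ba->gap_since < GAP_TIMEOUT_MS)
		return;
	while (!ba->filled[0] && ba_pending(ba))
		ba_advance(ba);
	ba->gap_since = -1;
	ba_flush(ba, now_ms);
}
```

A frame that arrives after its slot has been given up on is behind the window and is dropped by the first check in ba_input(); that is the price of the timeout, and why the value has to be long enough for ordinary retransmission but short enough that a stalled session recovers.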


# 1.96 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.95 04-Jan-2016 stsp

While configuring ERP we need to know if we're in 11a or 11g mode so only
configure ERP once we are sure about our operation mode against the AP.
ok sthen jasper kettenis deraadt mpi


# 1.94 18-Dec-2015 sthen

unnoccupied->unoccupied


# 1.93 12-Dec-2015 stsp

Finish support for receiving 11n A-MPDUs.

The initial implementation was added by damien@ years ago.
Summary of the changes made in this commit:
- In ieee80211_input(), process A-MPDUs before duplicate detection.
- Don't forget to set ba->ba_ni in ieee80211_recv_addba_req()
so we don't crash in ieee80211_rx_ba_timeout().
- In ieee80211_recv_addba_req(), tweak the logic to deny BlockAck
requests if the driver has no callback for doing so.
- Implement ieee80211_ba_del() which cleans up BlockAck state.
- Increase the minimum and maximum lifetime for BlockAck agreements.

ok mpi@


# 1.92 24-Nov-2015 mpi

No need to include <net/if_arp.h>

This header is only needed because <netinet/if_ether.h> declares a
structure that needs it. But it turns out that <net/if.h> already
includes it as workaround.

A proper solution would be to stop declaring "struct ether_arp"
there. But no driver should need this header.


# 1.91 15-Nov-2015 stsp

Parse 11n HT capabilities and operational info from association response
frames, negotiate HT with the AP, and move the interface into or out of
11n mode accordingly. If running as AP negotiate HT with nodes joining the BSS.

ok deraadt mpi kettenis guenther


# 1.90 15-Nov-2015 stsp

Extend struct ieee80211_node with fields for 11n STA HT capabilities and
HT operational information sent by 11n APs. These fields reflect the structure
of elements in management frames so that IEEE80211_HTCAP* and IEEE80211_HTOP*
macros designed to operate on frame elements can be used directly to read
or set the fields.

Populate nodes with HT information received in probe responses, probe
requests, and association requests.

ok deraadt mpi phessler kettenis guenther


# 1.89 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


Revision tags: OPENBSD_5_8_BASE
# 1.88 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.87 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.86 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.85 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rndvar.h. ok deraadt dlg


# 1.84 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.83 12-Sep-2014 sthen

Remove cached 802.11 nodes in IEEE80211_STA_CACHE state (these are nodes
which have been seen but which haven't otherwise interacted with us), fixing
a problem where old cached nodes are seen when doing a scan.
From Marcin Piotr Pawlowski, feedback stsp@ ok kspillner@ dcoppa@


# 1.82 08-Aug-2014 jasper

use nitems() instead of various local constructs

ok stsp@


Revision tags: OPENBSD_5_6_BASE
# 1.81 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


Revision tags: OPENBSD_5_5_BASE
# 1.80 01-Dec-2013 stsp

Reset txrate array index after changing a node's rate list.
Should prevent "bogus xmit rate %d setup" panics, which I ran into again
in IBSS mode.
ok kettenis


# 1.79 21-Nov-2013 mpi

Remove unneeded include.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.78 24-Mar-2013 claudio

Make ieee80211_set_tim() available from outside of ieee80211_node.c
so drivers like acx(4) can use that function directly instead of
reimplementing the function again. Requested by kettenis@ a long time ago.


Revision tags: OPENBSD_5_3_BASE
# 1.77 07-Nov-2012 stsp

Fix DPRINTF() format string treating n->ni_refcnt, which is unsigned, as signed.
diff from dhill; ok kettenis reyk


# 1.76 10-Oct-2012 kettenis

Clear the powersave flag and purge queued packets when a node leaves the AP
(either by disassociating or by timeout). Fixes (most) remaining issues with
power saving.

From Nathanael Rensen.

ok claudio@, krw@, sthen@


# 1.75 05-Oct-2012 camield

Point an interface directly to its bridgeport configuration, instead
of to the bridge itself. This is ok, since an interface can only be part
of one bridge, and the parent bridge is easy to find from the bridgeport.

This way we can get rid of a lot of list walks, improving performance
and shortening the code.

ok henning stsp sthen reyk


# 1.74 20-Sep-2012 stsp

Nuke M_80211_NODE #define which mapped to M_DEVBUF and use M_DEVBUF directly.
ok henning


# 1.73 25-Aug-2012 kettenis

Set up ni_savedq for the initial BSS node such that it can actually be used
to store multicast frames when one of the associated stations is in power
saving mode.

ok stsp@


# 1.72 17-Aug-2012 stsp

Fix possible panic while switching from STA mode into hostap/ibss modes.
ieee80211_create_ibss() resets the set of supported rates but failed
to update the index into the rate set array accordingly. If the rate
configured during STA operation didn't belong to the newly configured
rate set the system ran into an assertion ("bogus xmit rate %u setup")
while trying to create the IBSS.
ok fgsch@


Revision tags: OPENBSD_5_2_BASE
# 1.71 18-Jul-2012 stsp

Print messages about nodes purged from the node cache if hostap/ibss modes are
compiled in and the interface is in debug mode. ok sthen


# 1.70 16-Jul-2012 stsp

Move increment of ic_nnodes closer to where the node is actually inserted
into the cache. Make sure we're at IPL_NET while incrementing/decrementing
ic_nnodes. Add a debug message that warns about possible node leaks.
All of this affects hostap mode only.


# 1.69 13-Jul-2012 stsp

Tweak node cache eviction strategy when the cache is full: kick off new nodes
in AUTH state that weren't active during the cache wait interval rather than
keeping them for the entire cache timeout interval. Fixes association failures
in noisy RF environments. Tested by edd and myself with a slow soekris
suffering from RF noise with about 50 interrupts per second on ral0.
ok deraadt


Revision tags: OPENBSD_5_1_BASE
# 1.68 25-Jan-2012 stsp

There is no need to explicitly skip ic_bss when iterating over cached nodes.
The ic_bss is never put into the RB tree.


# 1.67 25-Jan-2012 stsp

Clean inactive authenticated nodes during cache timeout as well.
There is no need to keep nodes cached which never associated and were
inactive within the last 5 minutes or more. Keeps the node cache pretty
clean in my environment with typical city-center wlan noise.


# 1.66 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@


# 1.65 21-Jan-2012 stsp

Hold interrupts blocked while comparing a cached node's refcount to zero
and freeing the node. Just in case an interrupt happens to ref the node after
the refcount was checked but before the node is freed.
Tested by several as part of a larger diff.


# 1.64 18-Jan-2012 stsp

Make it possible to free cached nodes which never associated (e.g. nodes
only scanning for networks). These were never put into COLLECT state and
were thus never evicted from the node cache in hostap mode.
ok jsg@


Revision tags: OPENBSD_5_0_BASE
# 1.63 28-Mar-2011 kettenis

Clean nodes until the number of cached nodes is smaller than the maximum number
of nodes, otherwise we'll never actually clean any nodes. Fixes issues with
clients failing to attach because the node cache is completely filled.

ok damien@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.62 07-Aug-2010 krw

No "\n" needed at the end of panic() strings.

Bogus chunks pointed out by matthew@ and miod@. No cookies for
marco@ and jasper@.

ok deraadt@ miod@ matthew@ jasper@ macro@


# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


# 1.60 19-Jun-2010 damien

In ieee80211_node_leave(), clear the associd after calling
ieee80211_node_leave_rsn() since ieee80211_node_leave_rsn()
calls ic_delete_key() and drivers like ral(4) RT2860 need
a valid associd in their delete_key callbacks.
This affects HostAP mode only.

from Nathanael Rensen.

remove a useless (nested) #ifndef IEEE80211_STA_ONLY while i'm here


# 1.59 14-Jun-2010 damien

fix my previous commit, i forgot BIP, so instead of enumerating
what is not supported as a group cipher, enumerate what is supported.


# 1.58 14-Jun-2010 damien

do not try to associate with an AP using an unsupported group cipher,
otherwise we will panic in ieee80211_add_rsn_body().

this may be the cause of a panic seen by reyk@ though i'm not 100% sure.


# 1.57 28-Mar-2010 krw

Four uses of uninitialized variables found by clang via jsg@. ar5416, ar9287
and athn are only theoretically interesting. ieee80211_node fixes a real
bug in occupied channel detection.

ok damien@


Revision tags: OPENBSD_4_7_BASE
# 1.56 17-Feb-2010 damien

Do not always create a new node when a beacon or a probe response
is received. The creation of a new node is already handled in
ieee80211_recv_probe_resp() when necessary.
This avoids creating empty nodes with wrong channels when beacons
are received on the wrong channel (overlapping channels).
Those empty nodes may also prevent the real node from being
discovered because of ieee80211_find_node_for_beacon() filtering.

This should prevent entries of the form:
nwid "" chan 3 bssid 00:01:02:03:04:05 0dB 54M
in "ifconfig if0 scan" output, like reported by Rivo Nurges.


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.55 29-Jan-2009 damien

fix a panic that occurs when IEEE80211_STA_ONLY is defined (SMALL_KERNEL).

noticed by ray@, more investigation from sthen@
fix tested by sthen@


# 1.54 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.53 28-Jan-2009 damien

In ieee80211_find_node(), roll our own RB_FIND() based on the key (macaddr)
instead of resorting to horrid hacks/casts.
Restore the ieee80211_node structure back to its original state.


# 1.52 27-Jan-2009 damien

unbreak SMALL_KERNEL builds by adding missing #ifndef IEEE80211_STA_ONLY

pointed out by krw@


# 1.51 26-Jan-2009 damien

move ni_macaddr field at the top of the ieee80211_node structure.
this way we can avoid putting a full node structure (which is huge)
on the stack in ieee80211_find_node().
this is a bit tricky but the RB_FIND macro wants an "elem" structure,
not a field of "elem".


# 1.50 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.49 14-Dec-2008 damien

Add an ieee80211_notify_dtim() function that drivers should call after
every DTIM in HostAP mode.
Flushes all group addressed MSDUs buffered at the AP for power management.


# 1.48 23-Oct-2008 mk

Prevent a crash in ieee80211_setkeys() when unplugging an interface in
hostap mode by canceling the group rekey timeout in ieee80211_node_detach().

ok damien


# 1.47 15-Oct-2008 blambert

Second pass of simple timeout_add -> timeout_add_sec conversions
This should take care of the simpler ones (i.e., timeout values of
integer multiples of hz).

ok krw@, art@


# 1.46 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.45 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.44 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.43 12-Aug-2008 damien

new SHA-256 based AKMPs.


# 1.42 12-Aug-2008 damien

add/process group integrity cipher suite in RSN IEs.
add support for MFP negotiation during association.


# 1.41 12-Aug-2008 damien

the only integrity group cipher currently supported is AES-128-CMAC.


# 1.40 12-Aug-2008 damien

generate a random IGTK in HostAP mode if we're MFP-capable.


# 1.39 12-Aug-2008 damien

get rid of the map_ptk()/map_gtk() functions, just inline them
which makes things easier to track.


Revision tags: OPENBSD_4_4_BASE
# 1.38 02-Aug-2008 damien

Drop frames that are received unencrypted when WEP is on or when
WPA is on and RX protection for TA is on.
Keep track of the TX/RX protection for each node when WPA is on.

tested by djm@ (ral+wpa), ckuethe@ (ath-noenc) and krw@ (wpi<->ral+wpa).
hints from bluhm@
has been in snaps for a few days.

pointed out by bluhm@ something like 1 year ago but we did not have
the right infrastructure to fix it properly at that time.

ok deraadt@


# 1.37 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.36 27-Jul-2008 damien

s/IEEE80211_DPRINTF/DPRINTF/
automatically prepend __func__ to output.

deobfuscates debug messages a bit.
no binary change unless compiled with IEEE80211_DEBUG.


# 1.35 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.34 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


# 1.33 21-Apr-2008 damien

move ieee80211_ibss_merge() from ieee80211_input.c to ieee80211_node.c


# 1.32 21-Apr-2008 damien

move ieee80211_auth_open() to ieee80211_proto.c
move ieee80211_setup_rates() to ieee80211_node.c
move some prototypes from ieee80211_proto.h to ieee80211_crypto.h


# 1.31 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.30 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.29 07-Sep-2007 damien

use new malloc M_ZERO flag + replace MALLOC with malloc


Revision tags: OPENBSD_4_2_BASE
# 1.28 06-Jul-2007 damien

remove remaining bits for pre-RSNA shared authmode support.
it has been #if 0'd since 3.9 and we have never supported this mode (no
ifconfig option etc...).


# 1.27 06-Jul-2007 damien

initialize an uninitialized variable.


# 1.26 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.25 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.24 16-Jun-2007 damien

constify


# 1.23 16-Jun-2007 damien

don't mix u_int{8,16,32}_t and uint{8,16,32}_t
use u_int{8,16,32}_t everywhere.


# 1.22 16-Jun-2007 damien

de-static

ok jsg@


# 1.21 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.20 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


# 1.19 10-Apr-2007 miod

``it's'' -> ``its'' when the grammar gods require this change.


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 13-Nov-2006 damien

fix a possible NULL deref.


Revision tags: OPENBSD_4_0_BASE
# 1.16 19-Jun-2006 reyk

unbreak the code if compiled with IEEE80211_DEBUG by using the right
node attribute.

ok damien@, figured out by claudio@


# 1.15 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.14 19-Feb-2006 damien

Fix a comment in ieee80211_next_scan().


# 1.13 09-Oct-2005 reyk

if the wireless hostap interface belongs to a bridge, learn the node's
address dynamically on this interface after successful association.
this could speed wireless roaming to openbsd accesspoints.

ok jason@, jsg@ can't see anything objectionable


# 1.12 07-Oct-2005 reyk

minor knf


# 1.11 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.10 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.9 08-Sep-2005 jsg

Remove the last of the FreeBSD compatibility goop.
ok reyk@


# 1.8 08-Sep-2005 jsg

Remove FreeBSD if_printf compat function from net80211.
ok reyk@


# 1.7 08-Sep-2005 reyk

reset the scan state for each new mode

ok jsg@


# 1.6 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.5 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.4 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.3 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.2 02-Nov-2004 millert

Don't call memset() if MALLOC returns NULL; also fix the rcs ID.
From Patrick Latifi; OK reyk@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.157 20-Nov-2018 phessler

fix whitespace in debugging function


# 1.156 20-Nov-2018 patrick

The first packet received from each AP in each QoS class would be
dropped as the sequence number matches the initial value of the
cached last sequence number (zero). On some APs (notably Android
WIFI hotspots) this hits the first packet of the WPA2 4-way
handshake. This causes connection delays and in some cases
connection to the AP fails completely. Initialize the cached last
sequence numbers for received packets to an invalid value instead.

From Christian Ehrhardt
ok gerhard@ stsp@
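The failure mode in the 1.156 message, as an added example that is not OpenBSD's code: a simplified per-TID duplicate detector in the spirit of the 802.11 rule (a retransmission repeats the sequence number of the frame it retransmits and carries the Retry bit). With the cache zero-initialised, the very first retransmitted frame from a fresh AP, sequence number 0, is indistinguishable from a duplicate and is thrown away; initialising the cache to a value no frame can carry fixes that. The sentinel `SEQ_NONE`, the 16-slot layout and the scenario in `accepted_first_frames()` are this example's assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NUM_TIDS 16            /* 802.11 QoS TIDs 0..15, one cache slot each */
#define SEQ_MAX  4095          /* sequence numbers are 12 bits wide */
#define SEQ_NONE 0xffffU       /* assumed sentinel: no frame accepted yet on this TID */

struct rx_node {
    uint16_t rxseq[NUM_TIDS];  /* last accepted sequence number per TID */
};

/* Pre-fix behaviour: the cache starts out as zero, which is a valid sequence number. */
static void rx_node_init_zero(struct rx_node *ni)
{
    memset(ni->rxseq, 0, sizeof(ni->rxseq));
}

/* Fixed behaviour: the cache starts out as a value no frame can carry. */
static void rx_node_init_invalid(struct rx_node *ni)
{
    for (int tid = 0; tid < NUM_TIDS; tid++)
        ni->rxseq[tid] = SEQ_NONE;
}

/*
 * Returns 1 if the frame must be dropped as a duplicate (Retry bit set and the
 * sequence number equals the last one accepted on this TID), 0 if accepted.
 * An accepted frame becomes the new cached value.
 */
static int rx_is_duplicate(struct rx_node *ni, int tid, uint16_t seq, int retry)
{
    if (tid < 0 || tid >= NUM_TIDS || seq > SEQ_MAX)
        return 1;              /* malformed input: drop */
    if (retry && ni->rxseq[tid] == seq)
        return 1;
    ni->rxseq[tid] = seq;
    return 0;
}

/*
 * Constructed scenario: a freshly started AP sends its first frame on TID 0
 * with sequence number 0, the original is lost on air and we only see the
 * retransmission (Retry bit set), followed by the AP's next frame (seq 1).
 * Returns how many of the two frames were accepted.
 */
static int accepted_first_frames(int init_to_zero)
{
    struct rx_node ni;
    int accepted = 0;

    if (init_to_zero)
        rx_node_init_zero(&ni);
    else
        rx_node_init_invalid(&ni);

    accepted += !rx_is_duplicate(&ni, 0, 0, 1);  /* retry of seq 0 */
    accepted += !rx_is_duplicate(&ni, 0, 1, 0);  /* seq 1, not a retry */
    return accepted;
}

int main(void)
{
    printf("zero-initialised cache: %d of 2 frames accepted\n", accepted_first_frames(1));
    printf("invalid-initialised cache: %d of 2 frames accepted\n", accepted_first_frames(0));
    return 0;
}
```

With a zero-initialised cache the retried first frame is dropped (1 of 2 accepted); with the sentinel both are accepted, while a genuine retransmission of an already accepted frame is still caught.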


# 1.155 27-Oct-2018 phessler

pass around the ess and ni structures we plan to use directly, instead
of rediscovering them (possibly badly).

OK stsp@


# 1.154 27-Oct-2018 phessler

clean up accounting of the AUTO_JOIN flag by making sure it is set or cleared
based on the state of the joinlist

OK stsp@


# 1.153 27-Oct-2018 phessler

don't join to a network where we expect cleartext, and the AP is using crypto

OK stsp@


Revision tags: OPENBSD_6_4_BASE
# 1.152 18-Sep-2018 mestre

fix memory leak in ieee80211_end_scan()

OK phessler@ jsg@


# 1.151 17-Sep-2018 jsg

fix memory leaks in ieee80211_add_ess()
ok stsp@ phessler@


# 1.150 11-Sep-2018 phessler

use the format string for signed ints, for signed ints

reminded by stsp@


# 1.149 11-Sep-2018 phessler

With the interface debug flag enabled, print a "score" for each AP we
consider during auto-join. This can help users determine why a specific
network was chosen.

OK stsp@


# 1.148 10-Sep-2018 phessler

fix typo in the length of the essid we want to switch to

found with and OK stsp@


# 1.147 10-Sep-2018 phessler

extract clearing WEP/WPA in ess into helper functions


# 1.146 10-Sep-2018 phessler

give set_ess a len variable, so we can correctly match the essid we want
to switch to.

pointed out by stsp@


# 1.145 09-Sep-2018 phessler

convert the things we save in 'join' into a single ioctl. mixing related
settings over multiple calls was risky and racy. Pass essid, wpa, and wep
parameters in a single ioctl and process it atomically.

no change for 'nwid' users

OK stsp@ benno@


# 1.144 06-Sep-2018 jsg

fix whitespace


# 1.143 01-Sep-2018 stsp

Make 'ifconfig nwid' override 'ifconfig join'.

There was no way to override a decision made by join's network
selection algorithm (apart from disabling the feature by clearing
the join list). Automatic selection is based on heuristics which
cannot always guess correctly so we need to provide an override.

One specific problem was that if 'nwid foo' and 'nwid bar' were
both visible in the scan and only 'nwid foo' was a member of the
join list, then there was no way at all to connect to 'nwid bar'.
The wireless stack would keep selecting 'nwid foo' instead.

'ifconfig iwm0 nwid bar' command will now disable automatic
network selection and force the use of ESSID 'bar'.
Any of these commands will re-enable automatic network selection:
ifconfig iwm0 -nwid
ifconfig iwm0 nwid ''
ifconfig iwm0 join some-network-id

ok phessler@ deraadt@


# 1.142 15-Aug-2018 stsp

Update AP selection heuristics for auto-join.

We now prefer stronger crypto over weaker crypto over none, prefer 5 GHz
band with reasonable RSSI, and use RSSI as a tie-breaker with a slight
advantage for 5GHz. Candidate APs are now ranked by a score which is
calculated based on these attributes.

There is likely room for improvements to make these heuristics
work well across many different environments, but it's a start.

ok phessler@


# 1.141 13-Aug-2018 stsp

Add support for band-steering access points to net80211.

Some access points have a feature called "band steering" where they
will try to push clients from 2 GHz channels to 5 GHz channels.
If a client sends probe-requests on both 2 GHz and 5GHz channels, and
then attempts to authenticate on a 2 GHz channel, such APs will deny
authentication and hope that the client will come back on a 5 GHz channel.

So if we fail to AUTH for any reason, and if there is a different
AP with the same ESSID that we haven't tried yet, try that AP next.
Keep trying until no APs are left, and only then continue scanning.

APs with support for this feature were provided by Mischa Peters.

ok phessler@ mpi@


# 1.140 11-Aug-2018 stsp

Add comment explaining why we read basic MCS set only from beacon/probereq.
requested by mpi@


# 1.139 07-Aug-2018 stsp

Ignore basic MCS set information found in association responses.

Some APs (Aruba 105) send a bogus basic MCS set in assoc responses
which prevents us from enabling 11n support with those APs, while
these APs still behave as if we were an 11n client which renders
the association unusable.

The basic MCS set is already provided in beacons anyway, and the
802.11 2012 standard says the basic MCS set is reserved in frames
other than beacons (see Table 8-130).

ok mpi@


# 1.138 06-Aug-2018 stsp

Refactor ieee80211_add_ess():

Drop ieee80211_add_ess's nwid parameter. Read nwid and length directly
from the ic to make it more obvious where this function is reading from.

nwids are binary data with an explicit length, so treat them as such
instead of treating them like strings.

ok florian phessler


# 1.137 06-Aug-2018 florian

Do not set nwid over and over again. We just found the ess by comparing
the nwid. It will not have changed in the meantime.
OK stsp


# 1.136 03-Aug-2018 phessler

revert 1.133 and part of 1.131
the stack doesn't always fill in the parameters correctly

reported by many


# 1.135 30-Jul-2018 stsp

Don't ask drivers to join a wifi network before an AP has been chosen.
Should fix a panic with bwfm(4) reported by mlarkin@
ok phessler@


# 1.134 19-Jul-2018 florian

ieee80211_ess_is_better() returns 0 or 1, comparing > 1 is always
false so we always selected the first wifi available, not the best
one.

While here shuffle some deck chairs to make it clearer that anything is
better than nothing.

tweak & OK phessler
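An added example, not OpenBSD's code, covering two of the messages above: the score-based ranking described in 1.142 (stronger crypto over weaker over none, then a 5 GHz band with reasonable RSSI, then RSSI as a tie-breaker with a slight 5 GHz edge) and the selection-loop bug described in 1.134, where a 0/1 result was compared against 1 so the first candidate always won. The weights, the 50% RSSI threshold, the percentage RSSI scale and the scan results in `sample_aps` are this example's assumptions, not the stack's values.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed strength ordering; the numeric weights below are this example's. */
enum ap_crypto { CRYPTO_NONE = 0, CRYPTO_WEP = 1, CRYPTO_WPA1 = 2, CRYPTO_WPA2 = 3 };

struct ap_candidate {
    const char *bssid;     /* constructed, for display only */
    int freq_mhz;          /* channel centre frequency */
    int rssi;              /* assumed to be reported as a percentage, 0..100 */
    enum ap_crypto crypto;
};

#define RSSI_5GHZ_MIN 50   /* assumption: 5 GHz earns its bonus only at usable signal */

static int is_5ghz(const struct ap_candidate *ap) { return ap->freq_mhz >= 5000; }

/* Crypto dominates, then 5 GHz with usable RSSI, then RSSI, then a 1-point 5 GHz edge. */
static int ap_score(const struct ap_candidate *ap)
{
    int score = ap->crypto * 1000;
    if (is_5ghz(ap) && ap->rssi >= RSSI_5GHZ_MIN)
        score += 200;
    score += ap->rssi;
    if (is_5ghz(ap))
        score += 1;
    return score;
}

/* Boolean: 1 if a should be chosen over b, 0 otherwise. */
static int ap_is_better(const struct ap_candidate *a, const struct ap_candidate *b)
{
    return ap_score(a) > ap_score(b);
}

/* The pre-1.134 mistake: a 0/1 value is never > 1, so the first candidate always wins. */
static size_t select_ap_buggy(const struct ap_candidate *aps, size_t n)
{
    size_t best = 0;
    for (size_t i = 1; i < n; i++)
        if (ap_is_better(&aps[i], &aps[best]) > 1)
            best = i;
    return best;
}

/* Correct selection: a true result is enough to replace the current best. */
static size_t select_ap(const struct ap_candidate *aps, size_t n)
{
    size_t best = 0;
    for (size_t i = 1; i < n; i++)
        if (ap_is_better(&aps[i], &aps[best]))
            best = i;
    return best;
}

/* Constructed scan results for one ESSID. */
static const struct ap_candidate sample_aps[] = {
    { "00:11:22:33:44:01", 2437, 90, CRYPTO_NONE },  /* loud but open */
    { "00:11:22:33:44:02", 2412, 80, CRYPTO_WPA2 },
    { "00:11:22:33:44:03", 5180, 55, CRYPTO_WPA2 },  /* weaker, but 5 GHz with usable RSSI */
    { "00:11:22:33:44:04", 5500, 30, CRYPTO_WPA2 },  /* 5 GHz but too weak for the bonus */
};
#define N_SAMPLE_APS (sizeof(sample_aps) / sizeof(sample_aps[0]))

int main(void)
{
    for (size_t i = 0; i < N_SAMPLE_APS; i++)
        printf("%s score %d\n", sample_aps[i].bssid, ap_score(&sample_aps[i]));
    printf("buggy pick: %s\n", sample_aps[select_ap_buggy(sample_aps, N_SAMPLE_APS)].bssid);
    printf("fixed pick: %s\n", sample_aps[select_ap(sample_aps, N_SAMPLE_APS)].bssid);
    return 0;
}
```

The buggy loop returns the open, loudest AP simply because it was listed first; the fixed loop returns the 5 GHz WPA2 AP even though its RSSI is lower than the 2.4 GHz WPA2 one.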


# 1.133 16-Jul-2018 phessler

the AP sends their crypto parameters as a mask, so let us still select it
in case we want WPA2 and they have WPA1 still enabled


# 1.132 16-Jul-2018 phessler

don't save or use auto-join when the card is not in station (aka client) mode

OK stsp@


# 1.131 13-Jul-2018 phessler

Some more checks before auto-join switches networks.

Make sure all of the crypto options the AP announces matches what we
would configure. While here, don't switch if the user has specified
a specific BSSID, and the new AP does not match.

OK stsp@


# 1.130 11-Jul-2018 phessler

Introduce 'auto-join' to the wifi 802.11 stack.

This allows a system to remember which ESSIDs it wants to connect to, any
relevant security configuration, and switch to it when the network we are
currently connected to is no longer available.

Works when connecting and switching between WPA2/WPA1/WEP/clear encryptions.

example hostname.if:
join home wpakey password
join work wpakey mekmitasdigoat
join open-lounge
join cafe wpakey cafe2018
join "wepnetwork" nwkey "12345"
dhcp
inet6 autoconf
up

OK stsp@ reyk@
and enthusiasm from every hackroom I've been in for the last 3 years


# 1.129 28-Apr-2018 stsp

When starting a background scan, free the nodes table to ensure we
get an up-to-date view of APs around us. In particular, we need to
kick out the AP we are associated to. Otherwise, our current AP might
stay cached if it is turned off while we are scanning, and we could
end up picking a now non-existent but "good looking" AP over and over.

found with and ok phessler@


# 1.128 27-Apr-2018 stsp

Fix the scan loop: We were only looking for an AP once and stopped
scanning if none was found.
Accidentally broken in recent ifconfig scan changes by pirofti and me.
ok pirofti


# 1.127 26-Apr-2018 pirofti

net80211: stub SIOCS80211SCAN, make ifconfig scan instant.

The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stsp@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.

The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.

In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.

The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...

Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.

Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).

Tested by mpi@, landry@, florian@, thanks!
OK mpi@.


Revision tags: OPENBSD_6_3_BASE
# 1.126 06-Feb-2018 phessler

convert the test if a node support HT (aka, 11n) into an inline function,
instead of testing some un-obvious bitfield

OK stsp@


# 1.125 12-Dec-2017 stsp

Don't dereference IEEE80211_CHAN_ANYC pointer in ieee80211_node_checkrssi().

Problem reported by Gregoire Jadi on bugs@


# 1.124 12-Dec-2017 phessler

Allow interfaces that aren't SCANNALLBAND drivers to benefit from the
strongest received signal.

OK stsp@


# 1.123 12-Dec-2017 jcs

Fix the behavior of preferring weaker-but-still-good 5Ghz APs over
2Ghz APs because the 5Ghz band is generally less saturated.

The previous implementation was dependent upon the order of walking
APs.

ok stsp


# 1.122 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


Revision tags: OPENBSD_6_2_BASE
# 1.121 05-Sep-2017 stsp

When starting a new scan always set the mode to AUTO if the driver scans
all bands at once. Fixes a problem where e.g. 5GHz APs were filtered out
if we were previously associated to an 11g-only AP.
ok mpi@ phessler@


# 1.120 17-Aug-2017 stsp

Add an entry to dmesg if pairwise WPA keys arrive unexpectedly or if WPA
group keys are being reused. OpenBSD wireless clients will now leave a
trail of such events in their message log.

There has been increased public scrutiny of WPA's security recently, so
I am curious to see if anyone is attempting replay attacks in the wild.

ok deraadt


# 1.119 04-Aug-2017 stsp

Compile a debug printf in ieee80211_match_bss() by default, previously
guarded by the IEEE80211_DEBUG preprocessor flag. This shows one line
per detected AP after a scan, and indicates which APs are considered
candidates for association.
Shorten the output a bit to fit into 80 columns more likely.
ok sthen@


# 1.118 19-Jul-2017 stsp

Improve the heuristic which selects 5GHz APs over 2GHz APs.

The previous code wasn't quite right: it didn't account for the fact that
some drivers don't set ic_max_rssi, and it compared 5GHz APs to a threshold
relative to the max RSSI, rather than comparing RSSI on 5GHz relative to
RSSI on 2GHz.

This heuristic is only used by SCANNALLBAND drivers: iwn(4), iwm(4), wpi(4)

In the future the AP selection heuristic should be made more intelligent,
e.g. it should take BSS load information in beacons into account.
Another open problem is inconsistent representation of RSSI measurement
values throughout our drivers and stack. Help is welcome!

For now, this hopefully improves AP selection at busy airports.

ok sthen@ deraadt@


# 1.117 04-Jun-2017 tb

Add sizes for free for the RSN IEs. Rewrite ieee80211_save_ie() slightly
to make it more readable.

help, many explanations and ok stsp


# 1.116 03-Jun-2017 tb

Add a few sizes to free().

Input, help & ok stsp


Revision tags: OPENBSD_6_1_BASE
# 1.115 04-Mar-2017 stsp

branches: 1.115.4;
In 11n hostap mode, dynamically adjust HT protection settings based on
the presence of non-HT nodes in the node cache.
OpenBSD 11n APs will now disable HT protection if it is not necessary.
ok mpi@


# 1.114 03-Feb-2017 stsp

Fix 11b clients sending bogus ratesets in association requests. The common
rateset with the AP is calculated only after the association response was
received, which is too late. Fix rates when an AP is selected after a scan.
ok mpi@ tb@


# 1.113 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.112 16-Jan-2017 stsp

Reset block ack state and cancel related timeouts when a HT node disassociates.
The existing code (from damien@) already took care of freeing related buffers
but because block ack state was not reset we were still trying to use these
buffers if the node sent another A-MPDU. This problem only affects 11n hostap.
Fixes kernel crash reported by Timo Myyra on bugs@


# 1.111 09-Jan-2017 stsp

When a HT node leaves or reassociates as a non-HT node,
clear HT capabilities stored in its node cache object.

A node may switch from 11n mode to 11a/b/g mode.
If we don't clear HT capabilities from the cache the node will
be mistaken as 11n-capable after reassociation.

ok phessler@ mpi@


# 1.110 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.109 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.108 09-Jan-2017 stsp

The point of ieee80211_node_leave() is to place the node in COLLECT state.
Return early and do nothing if the node is already in COLLECT state upon
entry to this function.


# 1.107 09-Jan-2017 stsp

When acting as hostap, negotiate HT before calling the driver's ic_newassoc()
function, not afterwards. Drivers now know whether a joining node supports HT
which helps with setting up state such as which Tx rate to use.


# 1.106 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@
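The hold-off described in 1.106, as an added example that is not OpenBSD's code: a small TKIP countermeasures state machine for an AP. The trigger condition (a second Michael MIC failure within 60 seconds of the previous one) is the 802.11i rule; the bounded hold-off of 60 seconds plus up to 60 random seconds follows the commit message. The random extra is passed in by the caller so the function is deterministic; timestamps are plain monotonic seconds, and the struct layout is this example's.

```c
#include <stdbool.h>
#include <stdio.h>

#define TKIP_MIC_FAIL_WINDOW 60UL  /* s: second MIC failure inside this window starts countermeasures */
#define TKIP_HOLDOFF_BASE    60UL  /* s: minimum time the AP stays disabled */
#define TKIP_HOLDOFF_JITTER  60UL  /* s: random extra, so at most 120 s in total */

struct tkip_cm_state {
    bool have_prev_failure;
    unsigned long prev_failure;    /* time of the previous MIC failure */
    bool disabled;
    unsigned long disabled_until;  /* AP may resume at this time */
    unsigned long cm_events;       /* how often countermeasures fired */
};

/* Whether the AP may serve TKIP traffic at `now`; clears an expired hold-off. */
static bool tkip_ap_enabled(struct tkip_cm_state *s, unsigned long now)
{
    if (s->disabled && now >= s->disabled_until)
        s->disabled = false;       /* in a kernel a timeout would do this */
    return !s->disabled;
}

/*
 * Record a Michael MIC failure at `now` (monotonic seconds). `jitter` is the
 * random extra hold-off drawn by the caller, e.g. arc4random_uniform(TKIP_HOLDOFF_JITTER + 1).
 * Returns true if countermeasures are active after this call.
 */
static bool tkip_mic_failure(struct tkip_cm_state *s, unsigned long now, unsigned long jitter)
{
    if (!tkip_ap_enabled(s, now))
        return true;               /* already disabled: further failures do not extend it */
    if (jitter > TKIP_HOLDOFF_JITTER)
        jitter = TKIP_HOLDOFF_JITTER;

    if (s->have_prev_failure && now - s->prev_failure < TKIP_MIC_FAIL_WINDOW) {
        /* second failure inside the window: deauth all STAs, disable TKIP for a bounded time */
        s->disabled = true;
        s->disabled_until = now + TKIP_HOLDOFF_BASE + jitter;
        s->have_prev_failure = false;
        s->cm_events++;
        return true;
    }
    s->have_prev_failure = true;
    s->prev_failure = now;
    return false;
}

int main(void)
{
    struct tkip_cm_state s = {0};
    tkip_mic_failure(&s, 1000, 30);
    tkip_mic_failure(&s, 1030, 30);
    printf("AP disabled at t=1031: %s\n", tkip_ap_enabled(&s, 1031) ? "no" : "yes");
    printf("AP enabled again at t=%lu\n", s.disabled_until);
    return 0;
}
```

Two failures 30 seconds apart disable the AP until t=1120 (60 base + 30 jitter); failures 60 or more seconds apart never trigger, and the AP comes back on its own instead of staying down until reboot.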


# 1.105 15-Sep-2016 dlg

move from RB macros to the RBT functions.

shaves about 5k off an amd64 GENERIC.MP kernel


# 1.104 17-Aug-2016 stsp

If a wireless device or driver scans all bands at once give 5GHz APs
a slight priority in cases where good matches exist in either band.
ok sthen@


Revision tags: OPENBSD_6_0_BASE
# 1.103 21-May-2016 stsp

branches: 1.103.2;
Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


# 1.102 18-May-2016 stsp

In hostap mode, don't re-use association IDs (AIDs) of nodes which are
still lingering in the node cache. This could cause an AID to be assigned
twice, once to a newly associated node and once to a different node in
COLLECT cache state (i.e. marked for future eviction from the node cache).

Drivers (e.g. rt2860) may use AIDs to keep track of nodes in firmware
tables and get confused when AIDs aren't unique across the node cache.
The symptom observed with rt2860 were nodes stuck at 1 Mbps Tx rate since
the duplicate AID made the driver perform Tx rate (AMRR) accounting on
the wrong node object.

To find out if a node is associated we now check the node's cache state,
rather than comparing the node's AID against zero. An AID is assigned when
a node associates and it lasts until the node is eventually purged from the
node cache (previously, the AID was made available for re-use when the node
was placed in COLLECT state). There is no need to be stingy with AIDs since
the number of possible AIDs exceeds the maximum number of nodes in the cache.

Problem found by Nathanael Rensen.
Fix written by Nathanael and myself. Tested by Nathanael.
Committing now to get this change tested across as many drivers as possible.
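The AID discipline described in 1.102, as an added example that is not OpenBSD's code: a tiny node cache in which an AID is taken at association, stays reserved while the node lingers in COLLECT state, and is only released when the node is purged, so no two cached nodes ever share an AID. "Associated" is answered from the node's state, not from whether its AID is non-zero. The cache size, the AID range and the MAC strings are this example's assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_NODES 4                 /* assumption: tiny node cache for the example */
#define MAX_AID   (2 * MAX_NODES)   /* assumption: AID space larger than the cache */

enum node_state { NODE_FREE = 0, NODE_CACHE, NODE_ASSOC, NODE_COLLECT };

struct node {
    enum node_state state;
    uint16_t aid;                   /* 0 = none assigned */
    char mac[18];
};

struct node_cache {
    struct node n[MAX_NODES];
};

/* Lowest AID not held by any node still present in the cache, whatever its state; 0 if exhausted. */
static uint16_t aid_alloc(const struct node_cache *c)
{
    for (uint16_t aid = 1; aid <= MAX_AID; aid++) {
        int used = 0;
        for (int i = 0; i < MAX_NODES && !used; i++)
            used = c->n[i].state != NODE_FREE && c->n[i].aid == aid;
        if (!used)
            return aid;
    }
    return 0;
}

/* Associated means "in ASSOC state", not "has a non-zero AID". */
static int node_is_associated(const struct node *ni) { return ni->state == NODE_ASSOC; }

static struct node *node_assoc(struct node_cache *c, const char *mac)
{
    for (int i = 0; i < MAX_NODES; i++) {
        struct node *ni = &c->n[i];
        if (ni->state != NODE_FREE)
            continue;
        uint16_t aid = aid_alloc(c);
        if (aid == 0)
            return NULL;
        ni->state = NODE_ASSOC;
        ni->aid = aid;
        strncpy(ni->mac, mac, sizeof(ni->mac) - 1);
        ni->mac[sizeof(ni->mac) - 1] = '\0';
        return ni;
    }
    return NULL;
}

/* Node left: mark for collection but keep its AID reserved while it lingers in the cache. */
static void node_leave(struct node *ni) { ni->state = NODE_COLLECT; }

/* Eviction from the cache is the only point at which the AID becomes reusable. */
static void node_purge(struct node *ni) { memset(ni, 0, sizeof(*ni)); }

/* Number of AID values shared by two cached nodes; must always be 0. */
static int aid_duplicates(const struct node_cache *c)
{
    int dups = 0;
    for (int i = 0; i < MAX_NODES; i++)
        for (int j = i + 1; j < MAX_NODES; j++)
            if (c->n[i].state != NODE_FREE && c->n[j].state != NODE_FREE &&
                c->n[i].aid == c->n[j].aid)
                dups++;
    return dups;
}

int main(void)
{
    struct node_cache c;
    memset(&c, 0, sizeof(c));
    struct node *a = node_assoc(&c, "00:11:22:33:44:55");
    node_assoc(&c, "00:11:22:33:44:66");
    node_leave(a);
    struct node *d = node_assoc(&c, "00:11:22:33:44:77");
    printf("lingering node keeps AID %u, newcomer gets AID %u, duplicates %d\n",
           a->aid, d->aid, aid_duplicates(&c));
    return 0;
}
```

A node that has left but not yet been purged keeps AID 1, so the newcomer gets AID 3; only after the purge does AID 1 go back into circulation.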


# 1.101 12-Apr-2016 mpi

Call if_enqueue() and if_start() instead of dereferencing the ifp
pointers.

These functions have been introduced to abstract some of the MP-
safeness^Wmadness and should be use everywhere.

Prodded by a comment from jsg@.

ok mikeb@, stsp@


# 1.100 03-Mar-2016 gerhard

Restore assignment of ic_curmode that was accidentally removed when
moving the ERP code to post-assoc phase. Fixes iwi(4) fatal firmware
errors.

ok stsp@, sobrado@


Revision tags: OPENBSD_5_9_BASE
# 1.99 25-Jan-2016 stsp

branches: 1.99.2;
Honour ERP protection on 2 GHz channels in 11n mode, as done for 11g.
ok millert@


# 1.98 25-Jan-2016 stsp

Don't try to interpret htprot data if the last beacon didn't contain such data.
ok mpi@ millert@


# 1.97 07-Jan-2016 stsp

Make the A-MPDU reordering buffer more resilient against APs which drop
some subframes or let the sequence number jump up by more than 1 (hard
to tell which it is). We decrease the BA inactivity timeout for quicker
recovery from stalled BA sessions, and add a new timeout which keeps track
of gaps in the subframe sequence number space due to dropped frames.
Gaps expire after 500 msec, the same value FreeBSD uses for their
implementation of this workaround. And Linux uses this trick, too.

This should fix network stalls some people have been seeing in 11n mode.

ok deraadt@


# 1.96 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.95 04-Jan-2016 stsp

While configuring ERP we need to know if we're in 11a or 11g mode so only
configure ERP once we are sure about our operation mode against the AP.
ok sthen jasper kettenis deraadt mpi


# 1.94 18-Dec-2015 sthen

unnoccupied->unoccupied


# 1.93 12-Dec-2015 stsp

Finish support for receiving 11n A-MPDUs.

The initial implementation was added by damien@ years ago.
Summary of the changes made in this commit:
- In ieee80211_input(), process A-MPDUs before duplicate detection.
- Don't forget to set ba->ba_ni in ieee80211_recv_addba_req()
so we don't crash in ieee80211_rx_ba_timeout().
- In ieee80211_recv_addba_req(), tweak the logic to deny BlockAck
requests if the driver has no callback for doing so.
- Implement ieee80211_ba_del() which cleans up BlockAck state.
- Increase the minimum and maximum lifetime for BlockAck agreements.

ok mpi@


# 1.92 24-Nov-2015 mpi

No need to include <net/if_arp.h>

This header is only needed because <netinet/if_ether.h> declares a
structure that needs it. But it turns out that <net/if.h> already
includes it as workaround.

A proper solution would be to stop declaring "struct ether_arp"
there. But no driver should need this header.


# 1.91 15-Nov-2015 stsp

Parse 11n HT capabilities and operational info from association response
frames, negotiate HT with the AP, and move the interface into or out of
11n mode accordingly. If running as AP negotiate HT with nodes joining the BSS.

ok deraadt mpi kettenis guenther


# 1.90 15-Nov-2015 stsp

Extend struct ieee80211_node with fields for 11n STA HT capabilities and
HT operational information sent by 11n APs. These fields reflect the structure
of elements in management frames so that IEEE80211_HTCAP* and IEEE80211_HTOP*
macros designed to operate on frame elements can be used directly to read
or set the fields.

Populate nodes with HT information received in probe responses, probe
requests, and association requests.

ok deraadt mpi phessler kettenis guenther


# 1.89 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


Revision tags: OPENBSD_5_8_BASE
# 1.88 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.87 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.86 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.85 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.84 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.83 12-Sep-2014 sthen

Remove cached 802.11 nodes in IEEE80211_STA_CACHE state (these are nodes
which have been seen but which haven't otherwise interacted with us), fixing
a problem where old cached nodes are seen when doing a scan.
From Marcin Piotr Pawlowski, feedback stsp@ ok kspillner@ dcoppa@


# 1.82 08-Aug-2014 jasper

use nitems() instead of various local constructs

ok stsp@


Revision tags: OPENBSD_5_6_BASE
# 1.81 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


Revision tags: OPENBSD_5_5_BASE
# 1.80 01-Dec-2013 stsp

Reset txrate array index after changing a node's rate list.
Should prevent "bogus xmit rate %d setup" panics, which I ran into again
in IBSS mode.
ok kettenis


# 1.79 21-Nov-2013 mpi

Remove unneeded include.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.78 24-Mar-2013 claudio

Make ieee80211_set_tim() available from outside of ieee80211_node.c
so drivers like acx(4) can use that function directly instead of
reimplementing the function again. Requested by kettenis@ long time ago.


Revision tags: OPENBSD_5_3_BASE
# 1.77 07-Nov-2012 stsp

Fix DPRINTF() format string treating n->ni_refcnt, which is unsigned, as signed.
diff from dhill; ok kettenis reyk


# 1.76 10-Oct-2012 kettenis

Clear the powersave flag and purge queued packets when a node leaves the AP
(either by disassociating or by timeout). Fixes (most) remaining issues with
power saving.

From Nathanael Rensen.

ok claudio@, krw@, sthen@


# 1.75 05-Oct-2012 camield

Point an interface directly to its bridgeport configuration, instead
of to the bridge itself. This is ok, since an interface can only be part
of one bridge, and the parent bridge is easy to find from the bridgeport.

This way we can get rid of a lot of list walks, improving performance
and shortening the code.

ok henning stsp sthen reyk


# 1.74 20-Sep-2012 stsp

Nuke M_80211_NODE #define which mapped to M_DEVBUF and use M_DEVBUF directly.
ok henning


# 1.73 25-Aug-2012 kettenis

Set up ni_savedq for the initial BSS node such that it can actually be used
to store multicast frames when one of the associated stations is in power
saving mode.

ok stsp@


# 1.72 17-Aug-2012 stsp

Fix possible panic while switching from STA mode into hostap/ibss modes.
ieee80211_create_ibss() resets the set of supported rates but failed
to update the index into the rate set array accordingly. If the rate
configured during STA operation didn't belong to the newly configured
rate set the system ran into an assertion ("bogus xmit rate %u setup")
while trying to create the IBSS.
ok fgsch@


Revision tags: OPENBSD_5_2_BASE
# 1.71 18-Jul-2012 stsp

Print messages about nodes purged from the node cache if hostap/ibss modes are
compiled in and the interface is in debug mode. ok sthen


# 1.70 16-Jul-2012 stsp

Move increment of ic_nnodes closer to where the node is actually inserted
into the cache. Make sure we're at IPL_NET while incrementing/decrementing
ic_nnodes. Add a debug message that warns about possible node leaks.
All of this affects hostap mode only.


# 1.69 13-Jul-2012 stsp

Tweak node cache eviction strategy when the cache is full: kick off new nodes
in AUTH state that weren't active during the cache wait interval rather than
keeping them for the entire cache timeout interval. Fixes association failures
in noisy RF environments. Tested by edd and myself with a slow soekris
suffering from RF noise with about 50 interrupts per second on ral0.
ok deraadt


Revision tags: OPENBSD_5_1_BASE
# 1.68 25-Jan-2012 stsp

There is no need to explicitly skip ic_bss when iterating over cached nodes.
The ic_bss is never put into the RB tree.


# 1.67 25-Jan-2012 stsp

Clean inactive authenticated nodes during cache timeout as well.
There is no need to keep nodes cached which never associated and were
inactive within the last 5 minutes or more. Keeps the node cache pretty
clean in my environment with typical city-center wlan noise.


# 1.66 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@


# 1.65 21-Jan-2012 stsp

Hold interrupts blocked while comparing a cached node's refcount to zero
and freeing the node. Just in case an interrupt happens to ref the node after
the refcount was checked but before the node is freed.
Tested by several as part of a larger diff.


# 1.64 18-Jan-2012 stsp

Make it possible to free cached nodes which never associated (e.g. nodes
only scanning for networks). These were never put into COLLECT state and
were thus never evicted from the node cache in hostap mode.
ok jsg@


Revision tags: OPENBSD_5_0_BASE
# 1.63 28-Mar-2011 kettenis

Clean nodes until the number of cached nodes is smaller than the maximum number
of nodes, otherwise we'll never actually clean any nodes. Fixes issues with
clients failing to attach because the node cache is completely filled.

ok damien@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.62 07-Aug-2010 krw

No "\n" needed at the end of panic() strings.

Bogus chunks pointed out by matthew@ and miod@. No cookies for
marco@ and jasper@.

ok deraadt@ miod@ matthew@ jasper@ marco@


# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


# 1.60 19-Jun-2010 damien

In ieee80211_node_leave(), clear the associd after calling
ieee80211_node_leave_rsn() since ieee80211_node_leave_rsn()
calls ic_delete_key() and drivers like ral(4) RT2860 need
a valid associd in their delete_key callbacks.
This affects HostAP mode only.

from Nathanael Rensen.

remove a useless (nested) #ifndef IEEE80211_STA_ONLY while i'm here


# 1.59 14-Jun-2010 damien

fix my previous commit, i forgot BIP, so instead of enumerating
what is not supported as a group cipher, enumerate what is supported.


# 1.58 14-Jun-2010 damien

do not try to associate with an AP using an unsupported group cipher,
otherwise we will panic in ieee80211_add_rsn_body().

this may be the cause of a panic seen by reyk@ though i'm not 100% sure.


# 1.57 28-Mar-2010 krw

Four uses of uninitialized variables found by clang via jsg@. ar5416, ar9287
and athn are only theoretically interesting. ieee80211_node fixes a real
bug in occupied channel detection.

ok damien@


Revision tags: OPENBSD_4_7_BASE
# 1.56 17-Feb-2010 damien

Do not always create a new node when a beacon or a probe response
is received. The creation of a new node is already handled in
ieee80211_recv_probe_resp() when necessary.
This avoids creating empty nodes with wrong channels when beacons
are received on the wrong channel (overlapping channels).
Those empty nodes may also prevent the real node from being
discovered because of ieee80211_find_node_for_beacon() filtering.

This should prevent entries of the form:
nwid "" chan 3 bssid 00:01:02:03:04:05 0dB 54M
in "ifconfig if0 scan" output, like reported by Rivo Nurges.


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.55 29-Jan-2009 damien

fix a panic that occurs when IEEE80211_STA_ONLY is defined (SMALL_KERNEL).

noticed by ray@, more investigation from sthen@
fix tested by sthen@


# 1.54 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.53 28-Jan-2009 damien

In ieee80211_find_node(), roll our own RB_FIND() based on the key (macaddr)
instead of resorting to horrid hacks/casts.
Restore the ieee80211_node structure back to its original state.


# 1.52 27-Jan-2009 damien

unbreak SMALL_KERNEL builds by adding missing #ifndef IEEE80211_STA_ONLY

pointed out by krw@


# 1.51 26-Jan-2009 damien

move ni_macaddr field at the top of the ieee80211_node structure.
this way we can avoid putting a full node structure (which is huge)
on the stack in ieee80211_find_node().
this is a bit tricky but the RB_FIND macro wants an "elem" structure,
not a field of "elem".


# 1.50 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.49 14-Dec-2008 damien

Add an ieee80211_notify_dtim() function that drivers should call after
every DTIM in HostAP mode.
Flushes all group addressed MSDUs buffered at the AP for power management.


# 1.48 23-Oct-2008 mk

Prevent a crash in ieee80211_setkeys() when unplugging an interface in
hostap mode by canceling the group rekey timeout in ieee80211_node_detach().

ok damien


# 1.47 15-Oct-2008 blambert

Second pass of simple timeout_add -> timeout_add_sec conversions
This should take care of the simpler ones (i.e., timeout values of
integer multiples of hz).

ok krw@, art@


# 1.46 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.45 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.44 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.43 12-Aug-2008 damien

new SHA-256 based AKMPs.


# 1.42 12-Aug-2008 damien

add/process group integrity cipher suite in RSN IEs.
add support for MFP negotiation during association.


# 1.41 12-Aug-2008 damien

the only integrity group cipher currently supported is AES-128-CMAC.


# 1.40 12-Aug-2008 damien

generate a random IGTK in HostAP mode if we're MFP-capable.


# 1.39 12-Aug-2008 damien

get rid of the map_ptk()/map_gtk() functions, just inline them
which makes things easier to track.


Revision tags: OPENBSD_4_4_BASE
# 1.38 02-Aug-2008 damien

Drop frames that are received unencrypted when WEP is on or when
WPA is on and RX protection for TA is on.
Keep track of the TX/RX protection for each node when WPA is on.

tested by djm@ (ral+wpa), ckuethe@ (ath-noenc) and krw@ (wpi<->ral+wpa).
hints from bluhm@
has been in snaps for a few days.

pointed out by bluhm@ something like 1 year ago but we did not have
the right infrastructure to fix it properly at that time.

ok deraadt@


# 1.37 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.36 27-Jul-2008 damien

s/IEEE80211_DPRINTF/DPRINTF/
automatically prepend __func__ to output.

deobfuscates debug messages a bit.
no binary change unless compiled with IEEE80211_DEBUG.


# 1.35 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.34 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


# 1.33 21-Apr-2008 damien

move ieee80211_ibss_merge() from ieee80211_input.c to ieee80211_node.c


# 1.32 21-Apr-2008 damien

move ieee80211_auth_open() to ieee80211_proto.c
move ieee80211_setup_rates() to ieee80211_node.c
move some prototypes from ieee80211_proto.h to ieee80211_crypto.h


# 1.31 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.30 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.29 07-Sep-2007 damien

use new malloc M_ZERO flag + replace MALLOC with malloc


Revision tags: OPENBSD_4_2_BASE
# 1.28 06-Jul-2007 damien

remove remaining bits for pre-RSNA shared authmode support.
it has been #if 0'd since 3.9 and we have never supported this mode (no
ifconfig option etc...).


# 1.27 06-Jul-2007 damien

initialize an uninitialized variable.


# 1.26 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.25 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.24 16-Jun-2007 damien

constify


# 1.23 16-Jun-2007 damien

don't mix u_int{8,16,32}_t and uint{8,16,32}_t
use u_int{8,16,32}_t everywhere.


# 1.22 16-Jun-2007 damien

de-static

ok jsg@


# 1.21 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.20 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


# 1.19 10-Apr-2007 miod

``it's'' -> ``its'' when the grammar gods require this change.


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 13-Nov-2006 damien

fix a possible NULL deref.


Revision tags: OPENBSD_4_0_BASE
# 1.16 19-Jun-2006 reyk

unbreak the code if compiled with IEEE80211_DEBUG by using the right
node attribute.

ok damien@, figured out by claudio@


# 1.15 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.14 19-Feb-2006 damien

Fix a comment in ieee80211_next_scan().


# 1.13 09-Oct-2005 reyk

if the wireless hostap interface belongs to a bridge, learn the node's
address dynamically on this interface after successful association.
this could speed wireless roaming to openbsd accesspoints.

ok jason@, jsg@ can't see anything objectionable


# 1.12 07-Oct-2005 reyk

minor knf


# 1.11 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.10 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.9 08-Sep-2005 jsg

Remove the last of the FreeBSD compatibility goop.
ok reyk@


# 1.8 08-Sep-2005 jsg

Remove FreeBSD if_printf compat function from net80211.
ok reyk@


# 1.7 08-Sep-2005 reyk

reset the scan state for each new mode

ok jsg@


# 1.6 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.5 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.4 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.3 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.2 02-Nov-2004 millert

Don't call memset() if MALLOC returns NULL; also fix the rcs ID.
From Patrick Latifi; OK reyk@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.155 27-Oct-2018 phessler

pass around the ess and ni structures we plan to use directly, instead
of rediscovering them (possibly badly).

OK stsp@


# 1.154 27-Oct-2018 phessler

clean up accounting of the AUTO_JOIN flag by making sure it is set or cleared
based on the state of the joinlist

OK stsp@


# 1.153 27-Oct-2018 phessler

don't join to a network where we expect cleartext, and the AP is using crypto

OK stsp@


Revision tags: OPENBSD_6_4_BASE
# 1.152 18-Sep-2018 mestre

fix memory leak in ieee80211_end_scan()

OK phessler@ jsg@


# 1.151 17-Sep-2018 jsg

fix memory leaks in ieee80211_add_ess()
ok stsp@ phessler@


# 1.150 11-Sep-2018 phessler

use the format string for signed ints, for signed ints

reminded by stsp@


# 1.149 11-Sep-2018 phessler

With the interface debug flag enabled, print a "score" for each AP we
consider during auto-join. This can help users determine why a specific
network was chosen.

OK stsp@


# 1.148 10-Sep-2018 phessler

fix typo in the length of the essid we want to switch to

found with and OK stsp@


# 1.147 10-Sep-2018 phessler

extract clearing WEP/WPA in ess into helper functions


# 1.146 10-Sep-2018 phessler

give set_ess a len variable, so we can correctly match the essid we want
to switch to.

pointed out by stsp@


# 1.145 09-Sep-2018 phessler

convert the things we save in 'join' into a single ioctl. mixing related
settings over multiple calls was risky and racy. Pass essid, wpa, and wep
parameters in a single ioctl and process it atomically.

no change for 'nwid' users

OK stsp@ benno@


# 1.144 06-Sep-2018 jsg

fix whitespace


# 1.143 01-Sep-2018 stsp

Make 'ifconfig nwid' override 'ifconfig join'.

There was no way to override a decision made by join's network
selection algorithm (apart from disabling the feature by clearing
the join list). Automatic selection is based on heuristics which
cannot always guess correctly so we need to provide an override.

One specific problem was that if 'nwid foo' and 'nwid bar' were
both visible in the scan and only 'nwid foo' was a member of the
join list, then there was no way at all to connect to 'nwid bar'.
The wireless stack would keep selecting 'nwid foo' instead.

The 'ifconfig iwm0 nwid bar' command will now disable automatic
network selection and force the use of ESSID 'bar'.
Any of these commands will re-enable automatic network selection:
ifconfig iwm0 -nwid
ifconfig iwm0 nwid ''
ifconfig iwm0 join some-network-id

ok phessler@ deraadt@


# 1.142 15-Aug-2018 stsp

Update AP selection heuristics for auto-join.

We now prefer stronger crypto over weaker crypto over none, prefer 5 GHz
band with reasonable RSSI, and use RSSI as a tie-breaker with a slight
advantage for 5GHz. Candidate APs are now ranked by a score which is
calculated based on these attributes.

There is likely room for improvements to make these heuristics
work well across many different environments, but it's a start.

ok phessler@


# 1.141 13-Aug-2018 stsp

Add support for band-steering access points to net80211.

Some access points have a feature called "band steering" where they
will try to push clients from 2 GHz channels to 5 GHz channels.
If a client sends probe-requests on both 2 GHz and 5GHz channels, and
then attempts to authenticate on a 2 GHz channel, such APs will deny
authentication and hope that the client will come back on a 5 GHz channel.

So if we fail to AUTH for any reason, and if there is a different
AP with the same ESSID that we haven't tried yet, try that AP next.
Keep trying until no APs are left, and only then continue scanning.

APs with support for this feature were provided by Mischa Peters.

ok phessler@ mpi@


# 1.140 11-Aug-2018 stsp

Add comment explaining why we read basic MCS set only from beacon/probereq.
requested by mpi@


# 1.139 07-Aug-2018 stsp

Ignore basic MCS set information found in association responses.

Some APs (Aruba 105) send a bogus basic MCS set in assoc responses
which prevents us from enabling 11n support with those APs, while
these APs still behave as if we were an 11n client which renders
the association unusable.

The basic MCS set is already provided in beacons anyway, and the
802.11 2012 standard says the basic MCS set is reserved in frames
other than beacons (see Table 8-130).

ok mpi@


# 1.138 06-Aug-2018 stsp

Refactor ieee80211_add_ess():

Drop ieee80211_add_ess's nwid parameter. Read nwid and length directly
from the ic to make it more obvious where this function is reading from.

nwids are binary data with an explicit length, so treat them as such
instead of treating them like strings.

ok florian phessler


# 1.137 06-Aug-2018 florian

Do not set nwid over and over again. We just found the ess by comparing
the nwid. It will not have changed in the meantime.
OK stsp


# 1.136 03-Aug-2018 phessler

revert 1.133 and part of 1.131
the stack doesn't always fill in the parameters correctly

reported by many


# 1.135 30-Jul-2018 stsp

Don't ask drivers to join a wifi network before an AP has been chosen.
Should fix a panic with bwfm(4) reported by mlarkin@
ok phessler@


# 1.134 19-Jul-2018 florian

ieee80211_ess_is_better() returns 0 or 1, comparing > 1 is always
false so we always selected the first wifi available, not the best
one.

While here shuffle some deck chairs to make it clearer that anything is
better than nothing.

tweak & OK phessler


# 1.133 16-Jul-2018 phessler

the AP sends their crypto parameters as a mask, so let us still select it
in case we want WPA2 and they have WPA1 still enabled


# 1.132 16-Jul-2018 phessler

don't save or use auto-join when the card is not in station (aka client) mode

OK stsp@


# 1.131 13-Jul-2018 phessler

Some more checks before auto-join switches networks.

Make sure all of the crypto options the AP announces match what we
would configure. While here, don't switch if the user has specified
a specific BSSID, and the new AP does not match.

OK stsp@


# 1.130 11-Jul-2018 phessler

Introduce 'auto-join' to the wifi 802.11 stack.

This allows a system to remember which ESSIDs it wants to connect to, any
relevant security configuration, and switch to it when the network we are
currently connected to is no longer available.

Works when connecting and switching between WPA2/WPA1/WEP/clear encryptions.

example hostname.if:
join home wpakey password
join work wpakey mekmitasdigoat
join open-lounge
join cafe wpakey cafe2018
join "wepnetwork" nwkey "12345"
dhcp
inet6 autoconf
up

OK stsp@ reyk@
and enthusiasm from every hackroom I've been in for the last 3 years


# 1.129 28-Apr-2018 stsp

When starting a background scan, free the nodes table to ensure we
get an up-to-date view of APs around us. In particular, we need to
kick out the AP we are associated to. Otherwise, our current AP might
stay cached if it is turned off while we are scanning, and we could
end up picking a now non-existent but "good looking" AP over and over.

found with and ok phessler@


# 1.128 27-Apr-2018 stsp

Fix the scan loop: We were only looking for an AP once and stopped
scanning if none was found.
Accidentally broken in recent ifconfig scan changes by pirofti and me.
ok pirofti


# 1.127 26-Apr-2018 pirofti

net80211: stub SIOCS80211SCAN, make ifconfig scan instant.

The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stsp@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.

The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.

In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.

The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...

Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.

Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).

Tested by mpi@, landry@, florian@, thanks!
OK mpi@.


Revision tags: OPENBSD_6_3_BASE
# 1.126 06-Feb-2018 phessler

convert the test if a node supports HT (aka, 11n) into an inline function,
instead of testing some un-obvious bitfield

OK stsp@


# 1.125 12-Dec-2017 stsp

Don't dereference IEEE80211_CHAN_ANYC pointer in ieee80211_node_checkrssi().

Problem reported by Gregoire Jadi on bugs@


# 1.124 12-Dec-2017 phessler

Allow interfaces that aren't SCANNALLBAND drivers to benefit from the
strongest received signal.

OK stsp@


# 1.123 12-Dec-2017 jcs

Fix the behavior of preferring weaker-but-still-good 5GHz APs over
2GHz APs because the 5GHz band is generally less saturated.

The previous implementation was dependent upon the order of walking
APs.

ok stsp


# 1.122 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


Revision tags: OPENBSD_6_2_BASE
# 1.121 05-Sep-2017 stsp

When starting a new scan always set the mode to AUTO if the driver scans
all bands at once. Fixes a problem where e.g. 5GHz APs were filtered out
if we were previously associated to an 11g-only AP.
ok mpi@ phessler@


# 1.120 17-Aug-2017 stsp

Add an entry to dmesg if pairwise WPA keys arrive unexpectedly or if WPA
group keys are being reused. OpenBSD wireless clients will now leave a
trail of such events in their message log.

There has been increased public scrutiny of WPA's security recently, so
I am curious to see if anyone is attempting replay attacks in the wild.

ok deraadt


# 1.119 04-Aug-2017 stsp

Compile a debug printf in ieee80211_match_bss() by default, previously
guarded by the IEEE80211_DEBUG preprocessor flag. This shows one line
per detected AP after a scan, and indicates which APs are considered
candidates for association.
Shorten the output a bit to fit into 80 columns more likely.
ok sthen@


# 1.118 19-Jul-2017 stsp

Improve the heuristic which selects 5GHz APs over 2GHz APs.

The previous code wasn't quite right: it didn't account for the fact that
some drivers don't set ic_max_rssi, and it compared 5GHz APs to a threshold
relative to the max RSSI, rather than comparing RSSI on 5GHz relative to
RSSI on 2GHz.

This heuristic is only used by SCANNALLBAND drivers: iwn(4), iwm(4), wpi(4)

In the future the AP selection heuristic should be made more intelligent,
e.g. it should take BSS load information in beacons into account.
Another open problem is inconsistent representation of RSSI measurement
values throughout our drivers and stack. Help is welcome!

For now, this hopefully improves AP selection at busy airports.

ok sthen@ deraadt@


# 1.117 04-Jun-2017 tb

Add sizes for free for the RSN IEs. Rewrite ieee80211_save_ie() slightly
to make it more readable.

help, many explanations and ok stsp


# 1.116 03-Jun-2017 tb

Add a few sizes to free().

Input, help & ok stsp


Revision tags: OPENBSD_6_1_BASE
# 1.115 04-Mar-2017 stsp

branches: 1.115.4;
In 11n hostap mode, dynamically adjust HT protection settings based on
the presence of non-HT nodes in the node cache.
OpenBSD 11n APs will now disable HT protection if it is not necessary.
ok mpi@


# 1.114 03-Feb-2017 stsp

Fix 11b clients sending bogus ratesets in association requests. The common
rateset with the AP is calculated only after the association response was
received, which is too late. Fix rates when an AP is selected after a scan.
ok mpi@ tb@


# 1.113 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.112 16-Jan-2017 stsp

Reset block ack state and cancel related timeouts when a HT node disassociates.
The existing code (from damien@) already took care of freeing related buffers
but because block ack state was not reset we were still trying to use these
buffers if the node sent another A-MPDU. This problem only affects 11n hostap.
Fixes kernel crash reported by Timo Myyra on bugs@


# 1.111 09-Jan-2017 stsp

When a HT node leaves or reassociates as a non-HT node,
clear HT capabilities stored in its node cache object.

A node may switch from 11n mode to 11a/b/g mode.
If we don't clear HT capabilities from the cache the node will
be mistaken as 11n-capable after reassociation.

ok phessler@ mpi@


# 1.110 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.109 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.108 09-Jan-2017 stsp

The point of ieee80211_node_leave() is to place the node in COLLECT state.
Return early and do nothing if the node is already in COLLECT state upon
entry to this function.


# 1.107 09-Jan-2017 stsp

When acting as hostap, negotiate HT before calling the driver's ic_newassoc()
function, not afterwards. Drivers now know whether a joining node supports HT
which helps with setting up state such as which Tx rate to use.


# 1.106 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@


# 1.105 15-Sep-2016 dlg

move from RB macros to the RBT functions.

shaves about 5k off an amd64 GENERIC.MP kernel


# 1.104 17-Aug-2016 stsp

If a wireless device or driver scans all bands at once give 5GHz APs
a slight priority in cases where good matches exist in either band.
ok sthen@


Revision tags: OPENBSD_6_0_BASE
# 1.103 21-May-2016 stsp

branches: 1.103.2;
Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


# 1.102 18-May-2016 stsp

In hostap mode, don't re-use association IDs (AIDs) of nodes which are
still lingering in the node cache. This could cause an AID to be assigned
twice, once to a newly associated node and once to a different node in
COLLECT cache state (i.e. marked for future eviction from the node cache).

Drivers (e.g. rt2860) may use AIDs to keep track of nodes in firmware
tables and get confused when AIDs aren't unique across the node cache.
The symptom observed with rt2860 was nodes stuck at 1 Mbps Tx rate since
the duplicate AID made the driver perform Tx rate (AMRR) accounting on
the wrong node object.

To find out if a node is associated we now check the node's cache state,
rather than comparing the node's AID against zero. An AID is assigned when
a node associates and it lasts until the node is eventually purged from the
node cache (previously, the AID was made available for re-use when the node
was placed in COLLECT state). There is no need to be stingy with AIDs since
the number of possible AIDs exceeds the maximum number of nodes in the cache.

Problem found by Nathanael Rensen.
Fix written by Nathanael and myself. Tested by Nathanael.
Committing now to get this change tested across as many drivers as possible.


# 1.101 12-Apr-2016 mpi

Call if_enqueue() and if_start() instead of dereferencing the ifp
pointers.

These functions have been introduced to abstract some of the MP-
safeness^Wmadness and should be used everywhere.

Prodded by a comment from jsg@.

ok mikeb@, stsp@


# 1.100 03-Mar-2016 gerhard

Restore assignment of ic_curmode that was accidentally removed when
moving the ERP code to post-assoc phase. Fixes iwi(4) fatal firmware
errors.

ok stsp@, sobrado@


Revision tags: OPENBSD_5_9_BASE
# 1.99 25-Jan-2016 stsp

branches: 1.99.2;
Honour ERP protection on 2 GHz channels in 11n mode, as done for 11g.
ok millert@


# 1.98 25-Jan-2016 stsp

Don't try to interpret htprot data if the last beacon didn't contain such data.
ok mpi@ millert@


# 1.97 07-Jan-2016 stsp

Make the A-MPDU reordering buffer more resilient against APs which drop
some subframes or let the sequence number jump up by more than 1 (hard
to tell which it is). We decrease the BA inactivity timeout for quicker
recovery from stalled BA sessions, and add a new timeout which keeps track
of gaps in the subframe sequence number space due to dropped frames.
Gaps expire after 500 msec, the same value FreeBSD uses for their
implementation of this workaround. And Linux uses this trick, too.

This should fix network stalls some people have been seeing in 11n mode.

ok deraadt@


# 1.96 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.95 04-Jan-2016 stsp

While configuring ERP we need to know if we're in 11a or 11g mode so only
configure ERP once we are sure about our operation mode against the AP.
ok sthen jasper kettenis deraadt mpi


# 1.94 18-Dec-2015 sthen

unnoccupied->unoccupied


# 1.93 12-Dec-2015 stsp

Finish support for receiving 11n A-MPDUs.

The initial implementation was added by damien@ years ago.
Summary of the changes made in this commit:
- In ieee80211_input(), process A-MPDUs before duplicate detection.
- Don't forget to set ba->ba_ni in ieee80211_recv_addba_req()
so we don't crash in ieee80211_rx_ba_timeout().
- In ieee80211_recv_addba_req(), tweak the logic to deny BlockAck
requests if the driver has no callback for doing so.
- Implement ieee80211_ba_del() which cleans up BlockAck state.
- Increase the minimum and maximum lifetime for BlockAck agreements.

ok mpi@


# 1.92 24-Nov-2015 mpi

No need to include <net/if_arp.h>

This header is only needed because <netinet/if_ether.h> declares a
structure that needs it. But it turns out that <net/if.h> already
includes it as workaround.

A proper solution would be to stop declaring "struct ether_arp"
there. But no driver should need this header.


# 1.91 15-Nov-2015 stsp

Parse 11n HT capabilities and operational info from association response
frames, negotiate HT with the AP, and move the interface into or out of
11n mode accordingly. If running as AP negotiate HT with nodes joining the BSS.

ok deraadt mpi kettenis guenther


# 1.90 15-Nov-2015 stsp

Extend struct ieee80211_node with fields for 11n STA HT capabilities and
HT operational information sent by 11n APs. These fields reflect the structure
of elements in management frames so that IEEE80211_HTCAP* and IEEE80211_HTOP*
macros designed to operate on frame elements can be used directly to read
or set the fields.

Populate nodes with HT information received in probe responses, probe
requests, and association requests.

ok deraadt mpi phessler kettenis guenther


# 1.89 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


Revision tags: OPENBSD_5_8_BASE
# 1.88 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.87 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.86 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.85 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rndvar.h. ok deraadt dlg


# 1.84 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.83 12-Sep-2014 sthen

Remove cached 802.11 nodes in IEEE80211_STA_CACHE state (these are nodes
which have been seen but which haven't otherwise interacted with us), fixing
a problem where old cached nodes are seen when doing a scan.
From Marcin Piotr Pawlowski, feedback stsp@ ok kspillner@ dcoppa@


# 1.82 08-Aug-2014 jasper

use nitems() instead of various local constructs

ok stsp@


Revision tags: OPENBSD_5_6_BASE
# 1.81 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


Revision tags: OPENBSD_5_5_BASE
# 1.80 01-Dec-2013 stsp

Reset txrate array index after changing a node's rate list.
Should prevent "bogus xmit rate %d setup" panics, which I ran into again
in IBSS mode.
ok kettenis


# 1.79 21-Nov-2013 mpi

Remove unneeded include.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.78 24-Mar-2013 claudio

Make ieee80211_set_tim() available from outside of ieee80211_node.c
so drivers like acx(4) can use that function directly instead of
reimplementing the function again. Requested by kettenis@ long time ago.


Revision tags: OPENBSD_5_3_BASE
# 1.77 07-Nov-2012 stsp

Fix DPRINTF() format string treating n->ni_refcnt, which is unsigned, as signed.
diff from dhill; ok kettenis reyk


# 1.76 10-Oct-2012 kettenis

Clear the powersave flag and purge queued packets when a node leaves the AP
(either by disassociating or by timeout). Fixes (most) remaining issues with
power saving.

From Nathanael Rensen.

ok claudio@, krw@, sthen@


# 1.75 05-Oct-2012 camield

Point an interface directly to its bridgeport configuration, instead
of to the bridge itself. This is ok, since an interface can only be part
of one bridge, and the parent bridge is easy to find from the bridgeport.

This way we can get rid of a lot of list walks, improving performance
and shortening the code.

ok henning stsp sthen reyk


# 1.74 20-Sep-2012 stsp

Nuke M_80211_NODE #define which mapped to M_DEVBUF and use M_DEVBUF directly.
ok henning


# 1.73 25-Aug-2012 kettenis

Set up ni_savedq for the initial BSS node such that it can actually be used
to store multicast frames when one of the associated stations is in power
saving mode.

ok stsp@


# 1.72 17-Aug-2012 stsp

Fix possible panic while switching from STA mode into hostap/ibss modes.
ieee80211_create_ibss() resets the set of supported rates but failed
to update the index into the rate set array accordingly. If the rate
configured during STA operation didn't belong to the newly configured
rate set the system ran into an assertion ("bogus xmit rate %u setup")
while trying to create the IBSS.
ok fgsch@


Revision tags: OPENBSD_5_2_BASE
# 1.71 18-Jul-2012 stsp

Print messages about nodes purged from the node cache if hostap/ibss modes are
compiled in and the interface is in debug mode. ok sthen


# 1.70 16-Jul-2012 stsp

Move increment of ic_nnodes closer to where the node is actually inserted
into the cache. Make sure we're at IPL_NET while incrementing/decrementing
ic_nnodes. Add a debug message that warns about possible node leaks.
All of this affects hostap mode only.


# 1.69 13-Jul-2012 stsp

Tweak node cache eviction strategy when the cache is full: kick off new nodes
in AUTH state that weren't active during the cache wait interval rather than
keeping them for the entire cache timeout interval. Fixes association failures
in noisy RF environments. Tested by edd and myself with a slow soekris
suffering from RF noise with about 50 interrupts per second on ral0.
ok deraadt


Revision tags: OPENBSD_5_1_BASE
# 1.68 25-Jan-2012 stsp

There is no need to explicitly skip ic_bss when iterating over cached nodes.
The ic_bss is never put into the RB tree.


# 1.67 25-Jan-2012 stsp

Clean inactive authenticated nodes during cache timeout as well.
There is no need to keep nodes cached which never associated and were
inactive within the last 5 minutes or more. Keeps the node cache pretty
clean in my environment with typical city-center wlan noise.


# 1.66 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@


# 1.65 21-Jan-2012 stsp

Hold interrupts blocked while comparing a cached node's refcount to zero
and freeing the node. Just in case an interrupt happens to ref the node after
the refcount was checked but before the node is freed.
Tested by several as part of a larger diff.


# 1.64 18-Jan-2012 stsp

Make it possible to free cached nodes which never associated (e.g. nodes
only scanning for networks). These were never put into COLLECT state and
were thus never evicted from the node cache in hostap mode.
ok jsg@


Revision tags: OPENBSD_5_0_BASE
# 1.63 28-Mar-2011 kettenis

Clean nodes until the number of cached nodes is smaller than the maximum number
of nodes, otherwise we'll never actually clean any nodes. Fixes issues with
clients failing to attach because the node cache is completely filled.

ok damien@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.62 07-Aug-2010 krw

No "\n" needed at the end of panic() strings.

Bogus chunks pointed out by matthew@ and miod@. No cookies for
marco@ and jasper@.

ok deraadt@ miod@ matthew@ jasper@ macro@


# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


# 1.60 19-Jun-2010 damien

In ieee80211_node_leave(), clear the associd after calling
ieee80211_node_leave_rsn() since ieee80211_node_leave_rsn()
calls ic_delete_key() and drivers like ral(4) RT2860 need
a valid associd in their delete_key callbacks.
This affects HostAP mode only.

from Nathanael Rensen.

remove a useless (nested) #ifndef IEEE80211_STA_ONLY while i'm here


# 1.59 14-Jun-2010 damien

fix my previous commit, i forgot BIP, so instead of enumerating
what is not supported as a group cipher, enumerate what is supported.


# 1.58 14-Jun-2010 damien

do not try to associate with an AP using an unsupported group cipher,
otherwise we will panic in ieee80211_add_rsn_body().

this may be the cause of a panic seen by reyk@ though i'm not 100% sure.


# 1.57 28-Mar-2010 krw

Four uses of uninitialized variables found by clang via jsg@. ar5416, ar9287
and athn are only theoretically interesting. ieee80211_node fixes a real
bug in occupied channel detection.

ok damien@


Revision tags: OPENBSD_4_7_BASE
# 1.56 17-Feb-2010 damien

Do not always create a new node when a beacon or a probe response
is received. The creation of a new node is already handled in
ieee80211_recv_probe_resp() when necessary.
This avoids creating empty nodes with wrong channels when beacons
are received on the wrong channel (overlapping channels).
Those empty nodes may also prevent the real node from being
discovered because of ieee80211_find_node_for_beacon() filtering.

This should prevent entries of the form:
nwid "" chan 3 bssid 00:01:02:03:04:05 0dB 54M
in "ifconfig if0 scan" output, like reported by Rivo Nurges.


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.55 29-Jan-2009 damien

fix a panic that occurs when IEEE80211_STA_ONLY is defined (SMALL_KERNEL).

noticed by ray@, more investigation from sthen@
fix tested by sthen@


# 1.54 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.53 28-Jan-2009 damien

In ieee80211_find_node(), roll our own RB_FIND() based on the key (macaddr)
instead of resorting to horrid hacks/casts.
Restore the ieee80211_node structure back to its original state.


# 1.52 27-Jan-2009 damien

unbreak SMALL_KERNEL builds by adding missing #ifndef IEEE80211_STA_ONLY

pointed out by krw@


# 1.51 26-Jan-2009 damien

move ni_macaddr field at the top of the ieee80211_node structure.
this way we can avoid putting a full node structure (which is huge)
on the stack in ieee80211_find_node().
this is a bit tricky but the RB_FIND macro wants an "elem" structure,
not a field of "elem".


# 1.50 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.49 14-Dec-2008 damien

Add an ieee80211_notify_dtim() function that drivers should call after
every DTIM in HostAP mode.
Flushes all group addressed MSDUs buffered at the AP for power management.


# 1.48 23-Oct-2008 mk

Prevent a crash in ieee80211_setkeys() when unplugging an interface in
hostap mode by canceling the group rekey timeout in ieee80211_node_detach().

ok damien


# 1.47 15-Oct-2008 blambert

Second pass of simple timeout_add -> timeout_add_sec conversions
This should take care of the simpler ones (i.e., timeout values of
integer multiples of hz).

ok krw@, art@


# 1.46 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.45 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.44 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.43 12-Aug-2008 damien

new SHA-256 based AKMPs.


# 1.42 12-Aug-2008 damien

add/process group integrity cipher suite in RSN IEs.
add support for MFP negotiation during association.


# 1.41 12-Aug-2008 damien

the only integrity group cipher currently supported is AES-128-CMAC.


# 1.40 12-Aug-2008 damien

generate a random IGTK in HostAP mode if we're MFP-capable.


# 1.39 12-Aug-2008 damien

get rid of the map_ptk()/map_gtk() functions, just inline them
which makes things easier to track.


Revision tags: OPENBSD_4_4_BASE
# 1.38 02-Aug-2008 damien

Drop frames that are received unencrypted when WEP is on or when
WPA is on and RX protection for TA is on.
Keep track of the TX/RX protection for each node when WPA is on.

tested by djm@ (ral+wpa), ckuethe@ (ath-noenc) and krw@ (wpi<->ral+wpa).
hints from bluhm@
has been in snaps for a few days.

pointed out by bluhm@ something like 1 year ago but we did not have
the right infrastructure to fix it properly at that time.

ok deraadt@


# 1.37 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.36 27-Jul-2008 damien

s/IEEE80211_DPRINTF/DPRINTF/
automatically prepend __func__ to output.

deobfuscates debug messages a bit.
no binary change unless compiled with IEEE80211_DEBUG.


# 1.35 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.34 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


# 1.33 21-Apr-2008 damien

move ieee80211_ibss_merge() from ieee80211_input.c to ieee80211_node.c


# 1.32 21-Apr-2008 damien

move ieee80211_auth_open() to ieee80211_proto.c
move ieee80211_setup_rates() to ieee80211_node.c
move some prototypes from ieee80211_proto.h to ieee80211_crypto.h


# 1.31 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.30 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.29 07-Sep-2007 damien

use new malloc M_ZERO flag + replace MALLOC with malloc


Revision tags: OPENBSD_4_2_BASE
# 1.28 06-Jul-2007 damien

remove remaining bits for pre-RSNA shared authmode support.
it has been #if 0'd since 3.9 and we have never supported this mode (no
ifconfig option etc...).


# 1.27 06-Jul-2007 damien

initialize an uninitialized variable.


# 1.26 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.25 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.24 16-Jun-2007 damien

constify


# 1.23 16-Jun-2007 damien

don't mix u_int{8,16,32}_t and uint{8,16,32}_t
use u_int{8,16,32}_t everywhere.


# 1.22 16-Jun-2007 damien

de-static

ok jsg@


# 1.21 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.20 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


# 1.19 10-Apr-2007 miod

``it's'' -> ``its'' when the grammar gods require this change.


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 13-Nov-2006 damien

fix a possible NULL deref.


Revision tags: OPENBSD_4_0_BASE
# 1.16 19-Jun-2006 reyk

unbreak the code if compiled with IEEE80211_DEBUG by using the right
node attribute.

ok damien@, figured out by claudio@


# 1.15 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.14 19-Feb-2006 damien

Fix a comment in ieee80211_next_scan().


# 1.13 09-Oct-2005 reyk

if the wireless hostap interface belongs to a bridge, learn the node's
address dynamically on this interface after successful association.
this could speed wireless roaming to openbsd accesspoints.

ok jason@, jsg@ can't see anything objectionable


# 1.12 07-Oct-2005 reyk

minor knf


# 1.11 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.10 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.9 08-Sep-2005 jsg

Remove the last of the FreeBSD compatibility goop.
ok reyk@


# 1.8 08-Sep-2005 jsg

Remove FreeBSD if_printf compat function from net80211.
ok reyk@


# 1.7 08-Sep-2005 reyk

reset the scan state for each new mode

ok jsg@


# 1.6 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.5 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.4 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.3 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.2 02-Nov-2004 millert

Don't call memset() if MALLOC returns NULL; also fix the rcs ID.
From Patrick Latifi; OK reyk@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.152 18-Sep-2018 mestre

fix memory leak in ieee80211_end_scan()

OK phessler@ jsg@


# 1.151 17-Sep-2018 jsg

fix memory leaks in ieee80211_add_ess()
ok stsp@ phessler@


# 1.150 11-Sep-2018 phessler

use the format string for signed ints, for signed ints

reminded by stsp@


# 1.149 11-Sep-2018 phessler

With the interface debug flag enabled, print a "score" for each AP we
consider during auto-join. This can help users determine why a specific
network was chosen.

OK stsp@


# 1.148 10-Sep-2018 phessler

fix typo in the length of the essid we want to switch to

found with and OK stsp@


# 1.147 10-Sep-2018 phessler

extract clearing WEP/WPA in ess into helper functions


# 1.146 10-Sep-2018 phessler

give set_ess a len variable, so we can correctly match the essid we want
to switch to.

pointed out by stsp@


# 1.145 09-Sep-2018 phessler

convert the things we save in 'join' into a single ioctl. mixing related
settings over multiple calls was risky and racy. Pass essid, wpa, and wep
parameters in a single ioctl and process it atomically.

no change for 'nwid' users

OK stsp@ benno@


# 1.144 06-Sep-2018 jsg

fix whitespace


# 1.143 01-Sep-2018 stsp

Make 'ifconfig nwid' override 'ifconfig join'.

There was no way to override a decision made by join's network
selection algorithm (apart from disabling the feature by clearing
the join list). Automatic selection is based on heuristics which
cannot always guess correctly so we need to provide an override.

One specific problem was that if 'nwid foo' and 'nwid bar' were
both visible in the scan and only 'nwid foo' was a member of the
join list, then there was no way at all to connect to 'nwid bar'.
The wireless stack would keep selecting 'nwid foo' instead.

'ifconfig iwm0 nwid bar' command will now disable automatic
network selection and force the use of ESSID 'bar'.
Any of these commands will re-enable automatic network selection:
ifconfig iwm0 -nwid
ifconfig iwm0 nwid ''
ifconfig iwm0 join some-network-id

ok phessler@ deraadt@


# 1.142 15-Aug-2018 stsp

Update AP selection heuristics for auto-join.

We now prefer stronger crypto over weaker crypto over none, prefer 5 GHz
band with reasonable RSSI, and use RSSI as a tie-breaker with a slight
advantage for 5GHz. Candidate APs are now ranked by a score which is
calculated based on these attributes.

There is likely room for improvements to make these heuristics
work well across many different environments, but it's a start.

ok phessler@


# 1.141 13-Aug-2018 stsp

Add support for band-steering access points to net80211.

Some access points have a feature called "band steering" where they
will try to push clients from 2 GHz channels to 5 GHz channels.
If a client sends probe-requests on both 2 GHz and 5GHz channels, and
then attempts to authenticate on a 2 GHz channel, such APs will deny
authentication and hope that the client will come back on a 5 GHz channel.

So if we fail to AUTH for any reason, and if there is a different
AP with the same ESSID that we haven't tried yet, try that AP next.
Keep trying until no APs are left, and only then continue scanning.

APs with support for this feature were provided by Mischa Peters.

ok phessler@ mpi@


# 1.140 11-Aug-2018 stsp

Add comment explaining why we read basic MCS set only from beacon/probereq.
requested by mpi@


# 1.139 07-Aug-2018 stsp

Ignore basic MCS set information found in association responses.

Some APs (Aruba 105) send a bogus basic MCS set in assoc responses
which prevents us from enabling 11n support with those APs, while
these APs still behave as if we were an 11n client which renders
the association unusable.

The basic MCS set is already provided in beacons anyway, and the
802.11 2012 standard says the basic MCS set is reserved in frames
other than beacons (see Table 8-130).

ok mpi@


# 1.138 06-Aug-2018 stsp

Refactor ieee80211_add_ess():

Drop ieee80211_add_ess's nwid parameter. Read nwid and length directly
from the ic to make it more obvious where this function is reading from.

nwids are binary data with an explicit length, so treat them as such
instead of treating them like strings.

ok florian phessler


# 1.137 06-Aug-2018 florian

Do not set nwid over and over again. We just found the ess by comparing
the nwid. It will not have changed in the meantime.
OK stsp


# 1.136 03-Aug-2018 phessler

revert 1.133 and part of 1.131
the stack doesn't always fill in the parameters correctly

reported by many


# 1.135 30-Jul-2018 stsp

Don't ask drivers to join a wifi network before an AP has been chosen.
Should fix a panic with bwfm(4) reported by mlarkin@
ok phessler@


# 1.134 19-Jul-2018 florian

ieee80211_ess_is_better() returns 0 or 1, comparing > 1 is always
false so we always selected the first wifi available, not the best
one.

While here shuffle some deck chairs to make it clearer that anything is
better than nothing.

tweak & OK phessler


# 1.133 16-Jul-2018 phessler

the AP sends their crypto parameters as a mask, so let us still select it
in case we want WPA2 and they have WPA1 still enabled


# 1.132 16-Jul-2018 phessler

don't save or use auto-join when the card is not in station (aka client) mode

OK stsp@


# 1.131 13-Jul-2018 phessler

Some more checks before auto-join switches networks.

Make sure all of the crypto options the AP announces match what we
would configure. While here, don't switch if the user has specified
a specific BSSID, and the new AP does not match.

OK stsp@


# 1.130 11-Jul-2018 phessler

Introduce 'auto-join' to the wifi 802.11 stack.

This allows a system to remember which ESSIDs it wants to connect to, any
relevant security configuration, and switch to it when the network we are
currently connected to is no longer available.

Works when connecting and switching between WPA2/WPA1/WEP/clear encryptions.

example hostname.if:
join home wpakey password
join work wpakey mekmitasdigoat
join open-lounge
join cafe wpakey cafe2018
join "wepnetwork" nwkey "12345"
dhcp
inet6 autoconf
up

OK stsp@ reyk@
and enthusiasm from every hackroom I've been in for the last 3 years


# 1.129 28-Apr-2018 stsp

When starting a background scan, free the nodes table to ensure we
get an up-to-date view of APs around us. In particular, we need to
kick out the AP we are associated to. Otherwise, our current AP might
stay cached if it is turned off while we are scanning, and we could
end up picking a now non-existent but "good looking" AP over and over.

found with and ok phessler@


# 1.128 27-Apr-2018 stsp

Fix the scan loop: We were only looking for an AP once and stopped
scanning if none was found.
Accidentally broken in recent ifconfig scan changes by pirofti and me.
ok pirofti


# 1.127 26-Apr-2018 pirofti

net80211: stub SIOCS80211SCAN, make ifconfig scan instant.

The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stsp@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.

The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.

In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.

The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...

Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.

Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).

Tested by mpi@, landry@, florian@, thanks!
OK mpi@.


Revision tags: OPENBSD_6_3_BASE
# 1.126 06-Feb-2018 phessler

convert the test if a node supports HT (aka, 11n) into an inline function,
instead of testing some un-obvious bitfield

OK stsp@


# 1.125 12-Dec-2017 stsp

Don't dereference IEEE80211_CHAN_ANYC pointer in ieee80211_node_checkrssi().

Problem reported by Gregoire Jadi on bugs@


# 1.124 12-Dec-2017 phessler

Allow interfaces that aren't SCANNALLBAND drivers to benefit from the
strongest received signal.

OK stsp@


# 1.123 12-Dec-2017 jcs

Fix the behavior of preferring weaker-but-still-good 5GHz APs over
2GHz APs because the 5GHz band is generally less saturated.

The previous implementation was dependent upon the order of walking
APs.

ok stsp


# 1.122 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


Revision tags: OPENBSD_6_2_BASE
# 1.121 05-Sep-2017 stsp

When starting a new scan always set the mode to AUTO if the driver scans
all bands at once. Fixes a problem where e.g. 5GHz APs were filtered out
if we were previously associated to an 11g-only AP.
ok mpi@ phessler@


# 1.120 17-Aug-2017 stsp

Add an entry to dmesg if pairwise WPA keys arrive unexpectedly or if WPA
group keys are being reused. OpenBSD wireless clients will now leave a
trail of such events in their message log.

There has been increased public scrutiny of WPA's security recently, so
I am curious to see if anyone is attempting replay attacks in the wild.

ok deraadt


# 1.119 04-Aug-2017 stsp

Compile a debug printf in ieee80211_match_bss() by default, previously
guarded by the IEEE80211_DEBUG preprocessor flag. This shows one line
per detected AP after a scan, and indicates which APs are considered
candidates for association.
Shorten the output a bit to fit into 80 columns more likely.
ok sthen@


# 1.118 19-Jul-2017 stsp

Improve the heuristic which selects 5GHz APs over 2GHz APs.

The previous code wasn't quite right: it didn't account for the fact that
some drivers don't set ic_max_rssi, and it compared 5GHz APs to a threshold
relative to the max RSSI, rather than comparing RSSI on 5GHz relative to
RSSI on 2GHz.

This heuristic is only used by SCANNALLBAND drivers: iwn(4), iwm(4), wpi(4)

In the future the AP selection heuristic should be made more intelligent,
e.g. it should take BSS load information in beacons into account.
Another open problem is inconsistent representation of RSSI measurement
values throughout our drivers and stack. Help is welcome!

For now, this hopefully improves AP selection at busy airports.

ok sthen@ deraadt@


# 1.117 04-Jun-2017 tb

Add sizes for free for the RSN IEs. Rewrite ieee80211_save_ie() slightly
to make it more readable.

help, many explanations and ok stsp


# 1.116 03-Jun-2017 tb

Add a few sizes to free().

Input, help & ok stsp


Revision tags: OPENBSD_6_1_BASE
# 1.115 04-Mar-2017 stsp

branches: 1.115.4;
In 11n hostap mode, dynamically adjust HT protection settings based on
the presence of non-HT nodes in the node cache.
OpenBSD 11n APs will now disable HT protection if it is not necessary.
ok mpi@


# 1.114 03-Feb-2017 stsp

Fix 11b clients sending bogus ratesets in association requests. The common
rateset with the AP is calculated only after the association response was
received, which is too late. Fix rates when an AP is selected after a scan.
ok mpi@ tb@


# 1.113 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.112 16-Jan-2017 stsp

Reset block ack state and cancel related timeouts when a HT node disassociates.
The existing code (from damien@) already took care of freeing related buffers
but because block ack state was not reset we were still trying to use these
buffers if the node sent another A-MPDU. This problem only affects 11n hostap.
Fixes kernel crash reported by Timo Myyra on bugs@


# 1.111 09-Jan-2017 stsp

When a HT node leaves or reassociates as a non-HT node,
clear HT capabilities stored in its node cache object.

A node may switch from 11n mode to 11a/b/g mode.
If we don't clear HT capabilities from the cache the node will
be mistaken as 11n-capable after reassociation.

ok phessler@ mpi@


# 1.110 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.109 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.108 09-Jan-2017 stsp

The point of ieee80211_node_leave() is to place the node in COLLECT state.
Return early and do nothing if the node is already in COLLECT state upon
entry to this function.


# 1.107 09-Jan-2017 stsp

When acting as hostap, negotiate HT before calling the driver's ic_newassoc()
function, not afterwards. Drivers now know whether a joining node supports HT
which helps with setting up state such as which Tx rate to use.


# 1.106 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@


# 1.105 15-Sep-2016 dlg

move from RB macros to the RBT functions.

shaves about 5k off an amd64 GENERIC.MP kernel


# 1.104 17-Aug-2016 stsp

If a wireless device or driver scans all bands at once give 5GHz APs
a slight priority in cases where good matches exist in either band.
ok sthen@


Revision tags: OPENBSD_6_0_BASE
# 1.103 21-May-2016 stsp

branches: 1.103.2;
Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


# 1.102 18-May-2016 stsp

In hostap mode, don't re-use association IDs (AIDs) of nodes which are
still lingering in the node cache. This could cause an AID to be assigned
twice, once to a newly associated node and once to a different node in
COLLECT cache state (i.e. marked for future eviction from the node cache).

Drivers (e.g. rt2860) may use AIDs to keep track of nodes in firmware
tables and get confused when AIDs aren't unique across the node cache.
The symptom observed with rt2860 were nodes stuck at 1 Mbps Tx rate since
the duplicate AID made the driver perform Tx rate (AMRR) accounting on
the wrong node object.

To find out if a node is associated we now check the node's cache state,
rather than comparing the node's AID against zero. An AID is assigned when
a node associates and it lasts until the node is eventually purged from the
node cache (previously, the AID was made available for re-use when the node
was placed in COLLECT state). There is no need to be stingy with AIDs since
the number of possible AIDs exceeds the maximum number of nodes in the cache.

Problem found by Nathanael Rensen.
Fix written by Nathanael and myself. Tested by Nathanael.
Committing now to get this change tested across as many drivers as possible.


# 1.101 12-Apr-2016 mpi

Call if_enqueue() and if_start() instead of dereferencing the ifp
pointers.

These functions have been introduced to abstract some of the MP-
safeness^Wmadness and should be used everywhere.

Prodded by a comment from jsg@.

ok mikeb@, stsp@


# 1.100 03-Mar-2016 gerhard

Restore assignment of ic_curmode that was accidentally removed when
moving the ERP code to post-assoc phase. Fixes iwi(4) fatal firmware
errors.

ok stsp@, sobrado@


Revision tags: OPENBSD_5_9_BASE
# 1.99 25-Jan-2016 stsp

branches: 1.99.2;
Honour ERP protection on 2 GHz channels in 11n mode, as done for 11g.
ok millert@


# 1.98 25-Jan-2016 stsp

Don't try to interpret htprot data if the last beacon didn't contain such data.
ok mpi@ millert@


# 1.97 07-Jan-2016 stsp

Make the A-MPDU reordering buffer more resilient against APs which drop
some subframes or let the sequence number jump up by more than 1 (hard
to tell which it is). We decrease the BA inactivity timeout for quicker
recovery from stalled BA sessions, and add a new timeout which keeps track
of gaps in the subframe sequence number space due to dropped frames.
Gaps expire after 500 msec, the same value FreeBSD uses for their
implementation of this workaround. And Linux uses this trick, too.

This should fix network stalls some people have been seeing in 11n mode.

ok deraadt@


# 1.96 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.95 04-Jan-2016 stsp

While configuring ERP we need to know if we're in 11a or 11g mode so only
configure ERP once we are sure about our operation mode against the AP.
ok sthen jasper kettenis deraadt mpi


# 1.94 18-Dec-2015 sthen

unnoccupied->unoccupied


# 1.93 12-Dec-2015 stsp

Finish support for receiving 11n A-MPDUs.

The initial implementation was added by damien@ years ago.
Summary of the changes made in this commit:
- In ieee80211_input(), process A-MPDUs before duplicate detection.
- Don't forget to set ba->ba_ni in ieee80211_recv_addba_req()
so we don't crash in ieee80211_rx_ba_timeout().
- In ieee80211_recv_addba_req(), tweak the logic to deny BlockAck
requests if the driver has no callback for doing so.
- Implement ieee80211_ba_del() which cleans up BlockAck state.
- Increase the minimum and maximum lifetime for BlockAck agreements.

ok mpi@


# 1.92 24-Nov-2015 mpi

No need to include <net/if_arp.h>

This header is only needed because <netinet/if_ether.h> declares a
structure that needs it. But it turns out that <net/if.h> already
includes it as workaround.

A proper solution would be to stop declaring "struct ether_arp"
there. But no driver should need this header.


# 1.91 15-Nov-2015 stsp

Parse 11n HT capabilities and operational info from association response
frames, negotiate HT with the AP, and move the interface into or out of
11n mode accordingly. If running as AP negotiate HT with nodes joining the BSS.

ok deraadt mpi kettenis guenther


# 1.90 15-Nov-2015 stsp

Extend struct ieee80211_node with fields for 11n STA HT capabilities and
HT operational information sent by 11n APs. These fields reflect the structure
of elements in management frames so that IEEE80211_HTCAP* and IEEE80211_HTOP*
macros designed to operate on frame elements can be used directly to read
or set the fields.

Populate nodes with HT information received in probe responses, probe
requests, and association requests.

ok deraadt mpi phessler kettenis guenther


# 1.89 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


Revision tags: OPENBSD_5_8_BASE
# 1.88 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.87 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.86 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.85 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rndvar.h. ok deraadt dlg


# 1.84 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.83 12-Sep-2014 sthen

Remove cached 802.11 nodes in IEEE80211_STA_CACHE state (these are nodes
which have been seen but which haven't otherwise interacted with us), fixing
a problem where old cached nodes are seen when doing a scan.
From Marcin Piotr Pawlowski, feedback stsp@ ok kspillner@ dcoppa@


# 1.82 08-Aug-2014 jasper

use nitems() instead of various local constructs

ok stsp@


Revision tags: OPENBSD_5_6_BASE
# 1.81 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


Revision tags: OPENBSD_5_5_BASE
# 1.80 01-Dec-2013 stsp

Reset txrate array index after changing a node's rate list.
Should prevent "bogus xmit rate %d setup" panics, which I ran into again
in IBSS mode.
ok kettenis


# 1.79 21-Nov-2013 mpi

Remove unneeded include.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.78 24-Mar-2013 claudio

Make ieee80211_set_tim() available from outside of ieee80211_node.c
so drivers like acx(4) can use that function directly instead of
reimplementing the function again. Requested by kettenis@ long time ago.


Revision tags: OPENBSD_5_3_BASE
# 1.77 07-Nov-2012 stsp

Fix DPRINTF() format string treating n->ni_refcnt, which is unsigned, as signed.
diff from dhill; ok kettenis reyk


# 1.76 10-Oct-2012 kettenis

Clear the powersave flag and purge queued packets when a node leaves the AP
(either by disassociating or by timeout). Fixes (most) remaining issues with
power saving.

From Nathanael Rensen.

ok claudio@, krw@, sthen@


# 1.75 05-Oct-2012 camield

Point an interface directly to its bridgeport configuration, instead
of to the bridge itself. This is ok, since an interface can only be part
of one bridge, and the parent bridge is easy to find from the bridgeport.

This way we can get rid of a lot of list walks, improving performance
and shortening the code.

ok henning stsp sthen reyk


# 1.74 20-Sep-2012 stsp

Nuke M_80211_NODE #define which mapped to M_DEVBUF and use M_DEVBUF directly.
ok henning


# 1.73 25-Aug-2012 kettenis

Set up ni_savedq for the initial BSS node such that it can actually be used
to store multicast frames when one of the associated stations is in power
saving mode.

ok stsp@


# 1.72 17-Aug-2012 stsp

Fix possible panic while switching from STA mode into hostap/ibss modes.
ieee80211_create_ibss() resets the set of supported rates but failed
to update the index into the rate set array accordingly. If the rate
configured during STA operation didn't belong to the newly configured
rate set the system ran into an assertion ("bogus xmit rate %u setup")
while trying to create the IBSS.
ok fgsch@


Revision tags: OPENBSD_5_2_BASE
# 1.71 18-Jul-2012 stsp

Print messages about nodes purged from the node cache if hostap/ibss modes are
compiled in and the interface is in debug mode. ok sthen


# 1.70 16-Jul-2012 stsp

Move increment of ic_nnodes closer to where the node is actually inserted
into the cache. Make sure we're at IPL_NET while incrementing/decrementing
ic_nnodes. Add a debug message that warns about possible node leaks.
All of this affects hostap mode only.


# 1.69 13-Jul-2012 stsp

Tweak node cache eviction strategy when the cache is full: kick off new nodes
in AUTH state that weren't active during the cache wait interval rather than
keeping them for the entire cache timeout interval. Fixes association failures
in noisy RF environments. Tested by edd and myself with a slow soekris
suffering from RF noise with about 50 interrupts per second on ral0.
ok deraadt


Revision tags: OPENBSD_5_1_BASE
# 1.68 25-Jan-2012 stsp

There is no need to explicitly skip ic_bss when iterating over cached nodes.
The ic_bss is never put into the RB tree.


# 1.67 25-Jan-2012 stsp

Clean inactive authenticated nodes during cache timeout as well.
There is no need to keep nodes cached which never associated and were
inactive within the last 5 minutes or more. Keeps the node cache pretty
clean in my environment with typical city-center wlan noise.


# 1.66 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@


# 1.65 21-Jan-2012 stsp

Hold interrupts blocked while comparing a cached node's refcount to zero
and freeing the node. Just in case an interrupt happens to ref the node after
the refcount was checked but before the node is freed.
Tested by several as part of a larger diff.


# 1.64 18-Jan-2012 stsp

Make it possible to free cached nodes which never associated (e.g. nodes
only scanning for networks). These were never put into COLLECT state and
were thus never evicted from the node cache in hostap mode.
ok jsg@


Revision tags: OPENBSD_5_0_BASE
# 1.63 28-Mar-2011 kettenis

Clean nodes until the number of cached nodes is smaller than the maximum number
of nodes, otherwise we'll never actually clean any nodes. Fixes issues with
clients failing to attach because the node cache is completely filled.

ok damien@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.62 07-Aug-2010 krw

No "\n" needed at the end of panic() strings.

Bogus chunks pointed out by matthew@ and miod@. No cookies for
marco@ and jasper@.

ok deraadt@ miod@ matthew@ jasper@ marco@


# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


# 1.60 19-Jun-2010 damien

In ieee80211_node_leave(), clear the associd after calling
ieee80211_node_leave_rsn() since ieee80211_node_leave_rsn()
calls ic_delete_key() and drivers like ral(4) RT2860 need
a valid associd in their delete_key callbacks.
This affects HostAP mode only.

from Nathanael Rensen.

remove a useless (nested) #ifndef IEEE80211_STA_ONLY while i'm here


# 1.59 14-Jun-2010 damien

fix my previous commit, i forgot BIP, so instead of enumerating
what is not supported as a group cipher, enumerate what is supported.


# 1.58 14-Jun-2010 damien

do not try to associate with an AP using an unsupported group cipher,
otherwise we will panic in ieee80211_add_rsn_body().

this may be the cause of a panic seen by reyk@ though i'm not 100% sure.


# 1.57 28-Mar-2010 krw

Four uses of uninitialized variables found by clang via jsg@. ar5416, ar9287
and athn are only theoretically interesting. ieee80211_node fixes a real
bug in occupied channel detection.

ok damien@


Revision tags: OPENBSD_4_7_BASE
# 1.56 17-Feb-2010 damien

Do not always create a new node when a beacon or a probe response
is received. The creation of a new node is already handled in
ieee80211_recv_probe_resp() when necessary.
This avoids creating empty nodes with wrong channels when beacons
are received on the wrong channel (overlapping channels).
Those empty nodes may also prevent the real node from being
discovered because of ieee80211_find_node_for_beacon() filtering.

This should prevent entries of the form:
nwid "" chan 3 bssid 00:01:02:03:04:05 0dB 54M
in "ifconfig if0 scan" output, like reported by Rivo Nurges.


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.55 29-Jan-2009 damien

fix a panic that occurs when IEEE80211_STA_ONLY is defined (SMALL_KERNEL).

noticed by ray@, more investigation from sthen@
fix tested by sthen@


# 1.54 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.53 28-Jan-2009 damien

In ieee80211_find_node(), roll our own RB_FIND() based on the key (macaddr)
instead of resorting to horrid hacks/casts.
Restore the ieee80211_node structure back to its original state.


# 1.52 27-Jan-2009 damien

unbreak SMALL_KERNEL builds by adding missing #ifndef IEEE80211_STA_ONLY

pointed out by krw@


# 1.51 26-Jan-2009 damien

move ni_macaddr field at the top of the ieee80211_node structure.
this way we can avoid putting a full node structure (which is huge)
on the stack in ieee80211_find_node().
this is a bit tricky but the RB_FIND macro wants an "elem" structure,
not a field of "elem".


# 1.50 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.49 14-Dec-2008 damien

Add an ieee80211_notify_dtim() function that drivers should call after
every DTIM in HostAP mode.
Flushes all group addressed MSDUs buffered at the AP for power management.


# 1.48 23-Oct-2008 mk

Prevent a crash in ieee80211_setkeys() when unplugging an interface in
hostap mode by canceling the group rekey timeout in ieee80211_node_detach().

ok damien


# 1.47 15-Oct-2008 blambert

Second pass of simple timeout_add -> timeout_add_sec conversions
This should take care of the simpler ones (i.e., timeout values of
integer multiples of hz).

ok krw@, art@


# 1.46 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.45 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.44 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.43 12-Aug-2008 damien

new SHA-256 based AKMPs.


# 1.42 12-Aug-2008 damien

add/process group integrity cipher suite in RSN IEs.
add support for MFP negotiation during association.


# 1.41 12-Aug-2008 damien

the only integrity group cipher currently supported is AES-128-CMAC.


# 1.40 12-Aug-2008 damien

generate a random IGTK in HostAP mode if we're MFP-capable.


# 1.39 12-Aug-2008 damien

get rid of the map_ptk()/map_gtk() functions, just inline them
which makes things easier to track.


Revision tags: OPENBSD_4_4_BASE
# 1.38 02-Aug-2008 damien

Drop frames that are received unencrypted when WEP is on or when
WPA is on and RX protection for TA is on.
Keep track of the TX/RX protection for each node when WPA is on.

tested by djm@ (ral+wpa), ckuethe@ (ath-noenc) and krw@ (wpi<->ral+wpa).
hints from bluhm@
has been in snaps for a few days.

pointed out by bluhm@ something like 1 year ago but we did not have
the right infrastructure to fix it properly at that time.

ok deraadt@


# 1.37 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.36 27-Jul-2008 damien

s/IEEE80211_DPRINTF/DPRINTF/
automatically prepend __func__ to output.

deobfuscates debug messages a bit.
no binary change unless compiled with IEEE80211_DEBUG.


# 1.35 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.34 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


# 1.33 21-Apr-2008 damien

move ieee80211_ibss_merge() from ieee80211_input.c to ieee80211_node.c


# 1.32 21-Apr-2008 damien

move ieee80211_auth_open() to ieee80211_proto.c
move ieee80211_setup_rates() to ieee80211_node.c
move some prototypes from ieee80211_proto.h to ieee80211_crypto.h


# 1.31 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.30 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.29 07-Sep-2007 damien

use new malloc M_ZERO flag + replace MALLOC with malloc


Revision tags: OPENBSD_4_2_BASE
# 1.28 06-Jul-2007 damien

remove remaining bits for pre-RSNA shared authmode support.
it has been #if 0'd since 3.9 and we have never supported this mode (no
ifconfig option etc...).


# 1.27 06-Jul-2007 damien

initialize an uninitialized variable.


# 1.26 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.25 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.24 16-Jun-2007 damien

constify


# 1.23 16-Jun-2007 damien

don't mix u_int{8,16,32}_t and uint{8,16,32}_t
use u_int{8,16,32}_t everywhere.


# 1.22 16-Jun-2007 damien

de-static

ok jsg@


# 1.21 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.20 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


# 1.19 10-Apr-2007 miod

``it's'' -> ``its'' when the grammar gods require this change.


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 13-Nov-2006 damien

fix a possible NULL deref.


Revision tags: OPENBSD_4_0_BASE
# 1.16 19-Jun-2006 reyk

unbreak the code if compiled with IEEE80211_DEBUG by using the right
node attribute.

ok damien@, figured out by claudio@


# 1.15 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.14 19-Feb-2006 damien

Fix a comment in ieee80211_next_scan().


# 1.13 09-Oct-2005 reyk

if the wireless hostap interface belongs to a bridge, learn the node's
address dynamically on this interface after successful association.
this could speed wireless roaming to openbsd accesspoints.

ok jason@, jsg@ can't see anything objectionable


# 1.12 07-Oct-2005 reyk

minor knf


# 1.11 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.10 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.9 08-Sep-2005 jsg

Remove the last of the FreeBSD compatibility goop.
ok reyk@


# 1.8 08-Sep-2005 jsg

Remove FreeBSD if_printf compat function from net80211.
ok reyk@


# 1.7 08-Sep-2005 reyk

reset the scan state for each new mode

ok jsg@


# 1.6 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.5 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.4 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.3 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.2 02-Nov-2004 millert

Don't call memset() if MALLOC returns NULL; also fix the rcs ID.
From Patrick Latifi; OK reyk@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.142 15-Aug-2018 stsp

Update AP selection heuristics for auto-join.

We now prefer stronger crypto over weaker crypto over none, prefer 5 GHz
band with reasonable RSSI, and use RSSI as a tie-breaker with a slight
advantage for 5GHz. Candidate APs are now ranked by a score which is
calculated based on these attributes.

There is likely room for improvements to make these heuristics
work well across many different environments, but it's a start.

ok phessler@


# 1.141 13-Aug-2018 stsp

Add support for band-steering access points to net80211.

Some access points have a feature called "band steering" where they
will try to push clients from 2 GHz channels to 5 GHz channels.
If a client sends probe-requests on both 2 GHz and 5GHz channels, and
then attempts to authenticate on a 2 GHz channel, such APs will deny
authentication and hope that the client will come back on a 5 GHz channel.

So if we fail to AUTH for any reason, and if there is a different
AP with the same ESSID that we haven't tried yet, try that AP next.
Keep trying until no APs are left, and only then continue scanning.

APs with support for this feature were provided by Mischa Peters.

ok phessler@ mpi@


# 1.140 11-Aug-2018 stsp

Add comment explaining why we read basic MCS set only from beacon/probereq.
requested by mpi@


# 1.139 07-Aug-2018 stsp

Ignore basic MCS set information found in association responses.

Some APs (Aruba 105) send a bogus basic MCS set in assoc responses
which prevents us from enabling 11n support with those APs, while
these APs still behave as if we were an 11n client which renders
the association unusable.

The basic MCS set is already provided in beacons anyway, and the
802.11 2012 standard says the basic MCS set is reserved in frames
other than beacons (see Table 8-130).

ok mpi@


# 1.138 06-Aug-2018 stsp

Refactor ieee80211_add_ess():

Drop ieee80211_add_ess's nwid parameter. Read nwid and length directly
from the ic to make it more obvious where this function is reading from.

nwids are binary data with an explicit length, so treat them as such
instead of treating them like strings.

ok florian phessler


# 1.137 06-Aug-2018 florian

Do not set nwid over and over again. We just found the ess by comparing
the nwid. It will not have changed in the meantime.
OK stsp


# 1.136 03-Aug-2018 phessler

revert 1.133 and part of 1.131
the stack doesn't always fill in the parameters correctly

reported by many


# 1.135 30-Jul-2018 stsp

Don't ask drivers to join a wifi network before an AP has been chosen.
Should fix a panic with bwfm(4) reported by mlarkin@
ok phessler@


# 1.134 19-Jul-2018 florian

ieee80211_ess_is_better() returns 0 or 1, comparing > 1 is always
false so we always selected the first wifi available, not the best
one.

While here shuffle some deck chairs to make it clearer that anything is
better than nothing.

tweak & OK phessler


# 1.133 16-Jul-2018 phessler

the AP sends their crypto parameters as a mask, so let us still select it
in case we want WPA2 and they have WPA1 still enabled


# 1.132 16-Jul-2018 phessler

don't save or use auto-join when the card is not in station (aka client) mode

OK stsp@


# 1.131 13-Jul-2018 phessler

Some more checks before auto-join switches networks.

Make sure all of the crypto options the AP announces matches what we
would configure. While here, don't switch if the user has specified
a specific BSSID, and the new AP does not match.

OK stsp@


# 1.130 11-Jul-2018 phessler

Introduce 'auto-join' to the wifi 802.11 stack.

This allows a system to remember which ESSIDs it wants to connect to, any
relevant security configuration, and switch to it when the network we are
currently connected to is no longer available.

Works when connecting and switching between WPA2/WPA1/WEP/clear encryptions.

example hostname.if:
join home wpakey password
join work wpakey mekmitasdigoat
join open-lounge
join cafe wpakey cafe2018
join "wepnetwork" nwkey "12345"
dhcp
inet6 autoconf
up

OK stsp@ reyk@
and enthusiasm from every hackroom I've been in for the last 3 years


# 1.129 28-Apr-2018 stsp

When starting a background scan, free the nodes table to ensure we
get an up-to-date view of APs around us. In particular, we need to
kick out the AP we are associated to. Otherwise, our current AP might
stay cached if it is turned off while we are scanning, and we could
end up picking a now non-existent but "good looking" AP over and over.

found with and ok phessler@


# 1.128 27-Apr-2018 stsp

Fix the scan loop: We were only looking for an AP once and stopped
scanning if none was found.
Accidentally broken in recent ifconfig scan changes by pirofti and me.
ok pirofti


# 1.127 26-Apr-2018 pirofti

net80211: stub SIOCS80211SCAN, make ifconfig scan instant.

The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stsp@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.

The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.

In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.

The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...

Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.

Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).

Tested by mpi@, landry@, florian@, thanks!
OK mpi@.


Revision tags: OPENBSD_6_3_BASE
# 1.126 06-Feb-2018 phessler

convert the test if a node supports HT (aka, 11n) into an inline function,
instead of testing some un-obvious bitfield

OK stsp@


# 1.125 12-Dec-2017 stsp

Don't dereference IEEE80211_CHAN_ANYC pointer in ieee80211_node_checkrssi().

Problem reported by Gregoire Jadi on bugs@


# 1.124 12-Dec-2017 phessler

Allow interfaces that aren't SCANNALLBAND drivers to benefit from the
strongest received signal.

OK stsp@


# 1.123 12-Dec-2017 jcs

Fix the behavior of preferring weaker-but-still-good 5GHz APs over
2GHz APs because the 5GHz band is generally less saturated.

The previous implementation was dependent upon the order of walking
APs.

ok stsp


# 1.122 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


Revision tags: OPENBSD_6_2_BASE
# 1.121 05-Sep-2017 stsp

When starting a new scan always set the mode to AUTO if the driver scans
all bands at once. Fixes a problem where e.g. 5GHz APs were filtered out
if we were previously associated to an 11g-only AP.
ok mpi@ phessler@


# 1.120 17-Aug-2017 stsp

Add an entry to dmesg if pairwise WPA keys arrive unexpectedly or if WPA
group keys are being reused. OpenBSD wireless clients will now leave a
trail of such events in their message log.

There has been increased public scrutiny of WPA's security recently, so
I am curious to see if anyone is attempting replay attacks in the wild.

ok deraadt


# 1.119 04-Aug-2017 stsp

Compile a debug printf in ieee80211_match_bss() by default, previously
guarded by the IEEE80211_DEBUG preprocessor flag. This shows one line
per detected AP after a scan, and indicates which APs are considered
candidates for association.
Shorten the output a bit to fit into 80 columns more likely.
ok sthen@


# 1.118 19-Jul-2017 stsp

Improve the heuristic which selects 5GHz APs over 2GHz APs.

The previous code wasn't quite right: it didn't account for the fact that
some drivers don't set ic_max_rssi, and it compared 5GHz APs to a threshold
relative to the max RSSI, rather than comparing RSSI on 5GHz relative to
RSSI on 2GHz.

This heuristic is only used by SCANNALLBAND drivers: iwn(4), iwm(4), wpi(4)

In the future the AP selection heuristic should be made more intelligent,
e.g. it should take BSS load information in beacons into account.
Another open problem is inconsistent representation of RSSI measurement
values throughout our drivers and stack. Help is welcome!

For now, this hopefully improves AP selection at busy airports.

ok sthen@ deraadt@


# 1.117 04-Jun-2017 tb

Add sizes for free for the RSN IEs. Rewrite ieee80211_save_ie() slightly
to make it more readable.

help, many explanations and ok stsp


# 1.116 03-Jun-2017 tb

Add a few sizes to free().

Input, help & ok stsp


Revision tags: OPENBSD_6_1_BASE
# 1.115 04-Mar-2017 stsp

branches: 1.115.4;
In 11n hostap mode, dynamically adjust HT protection settings based on
the presence of non-HT nodes in the node cache.
OpenBSD 11n APs will now disable HT protection if it is not necessary.
ok mpi@


# 1.114 03-Feb-2017 stsp

Fix 11b clients sending bogus ratesets in association requests. The common
rateset with the AP is calculated only after the association response was
received, which is too late. Fix rates when an AP is selected after a scan.
ok mpi@ tb@


# 1.113 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.112 16-Jan-2017 stsp

Reset block ack state and cancel related timeouts when a HT node disassociates.
The existing code (from damien@) already took care of freeing related buffers
but because block ack state was not reset we were still trying to use these
buffers if the node sent another A-MPDU. This problem only affects 11n hostap.
Fixes kernel crash reported by Timo Myyra on bugs@


# 1.111 09-Jan-2017 stsp

When a HT node leaves or reassociates as a non-HT node,
clear HT capabilities stored in its node cache object.

A node may switch from 11n mode to 11a/b/g mode.
If we don't clear HT capabilities from the cache the node will
be mistaken as 11n-capable after reassociation.

ok phessler@ mpi@


# 1.110 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.109 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.108 09-Jan-2017 stsp

The point of ieee80211_node_leave() is to place the node in COLLECT state.
Return early and do nothing if the node is already in COLLECT state upon
entry to this function.


# 1.107 09-Jan-2017 stsp

When acting as hostap, negotiate HT before calling the driver's ic_newassoc()
function, not afterwards. Drivers now know whether a joining node supports HT
which helps with setting up state such as which Tx rate to use.


# 1.106 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@


# 1.105 15-Sep-2016 dlg

move from RB macros to the RBT functions.

shaves about 5k off an amd64 GENERIC.MP kernel


# 1.104 17-Aug-2016 stsp

If a wireless device or driver scans all bands at once give 5GHz APs
a slight priority in cases where good matches exist in either band.
ok sthen@


Revision tags: OPENBSD_6_0_BASE
# 1.103 21-May-2016 stsp

branches: 1.103.2;
Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


# 1.102 18-May-2016 stsp

In hostap mode, don't re-use association IDs (AIDs) of nodes which are
still lingering in the node cache. This could cause an AID to be assigned
twice, once to a newly associated node and once to a different node in
COLLECT cache state (i.e. marked for future eviction from the node cache).

Drivers (e.g. rt2860) may use AIDs to keep track of nodes in firmware
tables and get confused when AIDs aren't unique across the node cache.
The symptom observed with rt2860 was nodes stuck at 1 Mbps Tx rate since
the duplicate AID made the driver perform Tx rate (AMRR) accounting on
the wrong node object.

To find out if a node is associated we now check the node's cache state,
rather than comparing the node's AID against zero. An AID is assigned when
a node associates and it lasts until the node is eventually purged from the
node cache (previously, the AID was made available for re-use when the node
was placed in COLLECT state). There is no need to be stingy with AIDs since
the number of possible AIDs exceeds the maximum number of nodes in the cache.

Problem found by Nathanael Rensen.
Fix written by Nathanael and myself. Tested by Nathanael.
Committing now to get this change tested across as many drivers as possible.


# 1.101 12-Apr-2016 mpi

Call if_enqueue() and if_start() instead of dereferencing the ifp
pointers.

These functions have been introduced to abstract some of the MP-
safeness^Wmadness and should be used everywhere.

Prodded by a comment from jsg@.

ok mikeb@, stsp@


# 1.100 03-Mar-2016 gerhard

Restore assignment of ic_curmode that was accidentally removed when
moving the ERP code to post-assoc phase. Fixes iwi(4) fatal firmware
errors.

ok stsp@, sobrado@


Revision tags: OPENBSD_5_9_BASE
# 1.99 25-Jan-2016 stsp

branches: 1.99.2;
Honour ERP protection on 2 GHz channels in 11n mode, as done for 11g.
ok millert@


# 1.98 25-Jan-2016 stsp

Don't try to interpret htprot data if the last beacon didn't contain such data.
ok mpi@ millert@


# 1.97 07-Jan-2016 stsp

Make the A-MPDU reordering buffer more resilient against APs which drop
some subframes or let the sequence number jump up by more than 1 (hard
to tell which it is). We decrease the BA inactivity timeout for quicker
recovery from stalled BA sessions, and add a new timeout which keeps track
of gaps in the subframe sequence number space due to dropped frames.
Gaps expire after 500 msec, the same value FreeBSD uses for their
implementation of this workaround. And Linux uses this trick, too.

This should fix network stalls some people have been seeing in 11n mode.

ok deraadt@


# 1.96 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.95 04-Jan-2016 stsp

While configuring ERP we need to know if we're in 11a or 11g mode so only
configure ERP once we are sure about our operation mode against the AP.
ok sthen jasper kettenis deraadt mpi


# 1.94 18-Dec-2015 sthen

unnoccupied->unoccupied


# 1.93 12-Dec-2015 stsp

Finish support for receiving 11n A-MPDUs.

The initial implementation was added by damien@ years ago.
Summary of the changes made in this commit:
- In ieee80211_input(), process A-MPDUs before duplicate detection.
- Don't forget to set ba->ba_ni in ieee80211_recv_addba_req()
so we don't crash in ieee80211_rx_ba_timeout().
- In ieee80211_recv_addba_req(), tweak the logic to deny BlockAck
requests if the driver has no callback for doing so.
- Implement ieee80211_ba_del() which cleans up BlockAck state.
- Increase the minimum and maximum lifetime for BlockAck agreements.

ok mpi@


# 1.92 24-Nov-2015 mpi

No need to include <net/if_arp.h>

This header is only needed because <netinet/if_ether.h> declares a
structure that needs it. But it turns out that <net/if.h> already
includes it as workaround.

A proper solution would be to stop declaring "struct ether_arp"
there. But no driver should need this header.


# 1.91 15-Nov-2015 stsp

Parse 11n HT capabilities and operational info from association response
frames, negotiate HT with the AP, and move the interface into or out of
11n mode accordingly. If running as AP negotiate HT with nodes joining the BSS.

ok deraadt mpi kettenis guenther


# 1.90 15-Nov-2015 stsp

Extend struct ieee80211_node with fields for 11n STA HT capabilities and
HT operational information sent by 11n APs. These fields reflect the structure
of elements in management frames so that IEEE80211_HTCAP* and IEEE80211_HTOP*
macros designed to operate on frame elements can be used directly to read
or set the fields.

Populate nodes with HT information received in probe responses, probe
requests, and association requests.

ok deraadt mpi phessler kettenis guenther


# 1.89 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


Revision tags: OPENBSD_5_8_BASE
# 1.88 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.87 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.86 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.85 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rndvar.h. ok deraadt dlg


# 1.84 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.83 12-Sep-2014 sthen

Remove cached 802.11 nodes in IEEE80211_STA_CACHE state (these are nodes
which have been seen but which haven't otherwise interacted with us), fixing
a problem where old cached nodes are seen when doing a scan.
From Marcin Piotr Pawlowski, feedback stsp@ ok kspillner@ dcoppa@


# 1.82 08-Aug-2014 jasper

use nitems() instead of various local constructs

ok stsp@


Revision tags: OPENBSD_5_6_BASE
# 1.81 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


Revision tags: OPENBSD_5_5_BASE
# 1.80 01-Dec-2013 stsp

Reset txrate array index after changing a node's rate list.
Should prevent "bogus xmit rate %d setup" panics, which I ran into again
in IBSS mode.
ok kettenis


# 1.79 21-Nov-2013 mpi

Remove unneeded include.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.78 24-Mar-2013 claudio

Make ieee80211_set_tim() available from outside of ieee80211_node.c
so drivers like acx(4) can use that function directly instead of
reimplementing the function again. Requested by kettenis@ long time ago.


Revision tags: OPENBSD_5_3_BASE
# 1.77 07-Nov-2012 stsp

Fix DPRINTF() format string treating n->ni_refcnt, which is unsigned, as signed.
diff from dhill; ok kettenis reyk


# 1.76 10-Oct-2012 kettenis

Clear the powersave flag and purge queued packets when a node leaves the AP
(either by disassociating or by timeout). Fixes (most) remaining issues with
power saving.

From Nathanael Rensen.

ok claudio@, krw@, sthen@


# 1.75 05-Oct-2012 camield

Point an interface directly to its bridgeport configuration, instead
of to the bridge itself. This is ok, since an interface can only be part
of one bridge, and the parent bridge is easy to find from the bridgeport.

This way we can get rid of a lot of list walks, improving performance
and shortening the code.

ok henning stsp sthen reyk


# 1.74 20-Sep-2012 stsp

Nuke M_80211_NODE #define which mapped to M_DEVBUF and use M_DEVBUF directly.
ok henning


# 1.73 25-Aug-2012 kettenis

Set up ni_savedq for the initial BSS node such that it can actually be used
to store multicast frames when one of the associated stations is in power
saving mode.

ok stsp@


# 1.72 17-Aug-2012 stsp

Fix possible panic while switching from STA mode into hostap/ibss modes.
ieee80211_create_ibss() resets the set of supported rates but failed
to update the index into the rate set array accordingly. If the rate
configured during STA operation didn't belong to the newly configured
rate set the system ran into an assertion ("bogus xmit rate %u setup")
while trying to create the IBSS.
ok fgsch@


Revision tags: OPENBSD_5_2_BASE
# 1.71 18-Jul-2012 stsp

Print messages about nodes purged from the node cache if hostap/ibss modes are
compiled in and the interface is in debug mode. ok sthen


# 1.70 16-Jul-2012 stsp

Move increment of ic_nnodes closer to where the node is actually inserted
into the cache. Make sure we're at IPL_NET while incrementing/decrementing
ic_nnodes. Add a debug message that warns about possible node leaks.
All of this affects hostap mode only.


# 1.69 13-Jul-2012 stsp

Tweak node cache eviction strategy when the cache is full: kick off new nodes
in AUTH state that weren't active during the cache wait interval rather than
keeping them for the entire cache timeout interval. Fixes association failures
in noisy RF environments. Tested by edd and myself with a slow soekris
suffering from RF noise with about 50 interrupts per second on ral0.
ok deraadt


Revision tags: OPENBSD_5_1_BASE
# 1.68 25-Jan-2012 stsp

There is no need to explicitly skip ic_bss when iterating over cached nodes.
The ic_bss is never put into the RB tree.


# 1.67 25-Jan-2012 stsp

Clean inactive authenticated nodes during cache timeout as well.
There is no need to keep nodes cached which never associated and were
inactive within the last 5 minutes or more. Keeps the node cache pretty
clean in my environment with typical city-center wlan noise.


# 1.66 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@


# 1.65 21-Jan-2012 stsp

Hold interrupts blocked while comparing a cached node's refcount to zero
and freeing the node. Just in case an interrupt happens to ref the node after
the refcount was checked but before the node is freed.
Tested by several as part of a larger diff.


# 1.64 18-Jan-2012 stsp

Make it possible to free cached nodes which never associated (e.g. nodes
only scanning for networks). These were never put into COLLECT state and
were thus never evicted from the node cache in hostap mode.
ok jsg@


Revision tags: OPENBSD_5_0_BASE
# 1.63 28-Mar-2011 kettenis

Clean nodes until the number of cached nodes is smaller than the maximum number
of nodes, otherwise we'll never actually clean any nodes. Fixes issues with
clients failing to attach because the node cache is completely filled.

ok damien@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.62 07-Aug-2010 krw

No "\n" needed at the end of panic() strings.

Bogus chunks pointed out by matthew@ and miod@. No cookies for
marco@ and jasper@.

ok deraadt@ miod@ matthew@ jasper@ macro@


# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


# 1.60 19-Jun-2010 damien

In ieee80211_node_leave(), clear the associd after calling
ieee80211_node_leave_rsn() since ieee80211_node_leave_rsn()
calls ic_delete_key() and drivers like ral(4) RT2860 need
a valid associd in their delete_key callbacks.
This affects HostAP mode only.

from Nathanael Rensen.

remove a useless (nested) #ifndef IEEE80211_STA_ONLY while i'm here


# 1.59 14-Jun-2010 damien

fix my previous commit, i forgot BIP, so instead of enumerating
what is not supported as a group cipher, enumerate what is supported.


# 1.58 14-Jun-2010 damien

do not try to associate with an AP using an unsupported group cipher,
otherwise we will panic in ieee80211_add_rsn_body().

this may be the cause of a panic seen by reyk@ though i'm not 100% sure.


# 1.57 28-Mar-2010 krw

Four uses of uninitialized variables found by clang via jsg@. ar5416, ar9287
and athn are only theoretically interesting. ieee80211_node fixes a real
bug in occupied channel detection.

ok damien@


Revision tags: OPENBSD_4_7_BASE
# 1.56 17-Feb-2010 damien

Do not always create a new node when a beacon or a probe response
is received. The creation of a new node is already handled in
ieee80211_recv_probe_resp() when necessary.
This avoids creating empty nodes with wrong channels when beacons
are received on the wrong channel (overlapping channels).
Those empty nodes may also prevent the real node from being
discovered because of ieee80211_find_node_for_beacon() filtering.

This should prevent entries of the form:
nwid "" chan 3 bssid 00:01:02:03:04:05 0dB 54M
in "ifconfig if0 scan" output, like reported by Rivo Nurges.


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.55 29-Jan-2009 damien

fix a panic that occurs when IEEE80211_STA_ONLY is defined (SMALL_KERNEL).

noticed by ray@, more investigation from sthen@
fix tested by sthen@


# 1.54 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.53 28-Jan-2009 damien

In ieee80211_find_node(), roll our own RB_FIND() based on the key (macaddr)
instead of resorting to horrid hacks/casts.
Restore the ieee80211_node structure back to its original state.


# 1.52 27-Jan-2009 damien

unbreak SMALL_KERNEL builds by adding missing #ifndef IEEE80211_STA_ONLY

pointed out by krw@


# 1.51 26-Jan-2009 damien

move ni_macaddr field at the top of the ieee80211_node structure.
this way we can avoid putting a full node structure (which is huge)
on the stack in ieee80211_find_node().
this is a bit tricky but the RB_FIND macro wants an "elem" structure,
not a field of "elem".


# 1.50 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.49 14-Dec-2008 damien

Add an ieee80211_notify_dtim() function that drivers should call after
every DTIM in HostAP mode.
Flushes all group addressed MSDUs buffered at the AP for power management.


# 1.48 23-Oct-2008 mk

Prevent a crash in ieee80211_setkeys() when unplugging an interface in
hostap mode by canceling the group rekey timeout in ieee80211_node_detach().

ok damien


# 1.47 15-Oct-2008 blambert

Second pass of simple timeout_add -> timeout_add_sec conversions
This should take care of the simpler ones (i.e., timeout values of
integer multiples of hz).

ok krw@, art@


# 1.46 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.45 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.44 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.43 12-Aug-2008 damien

new SHA-256 based AKMPs.


# 1.42 12-Aug-2008 damien

add/process group integrity cipher suite in RSN IEs.
add support for MFP negotiation during association.


# 1.41 12-Aug-2008 damien

the only integrity group cipher currently supported is AES-128-CMAC.


# 1.40 12-Aug-2008 damien

generate a random IGTK in HostAP mode if we're MFP-capable.


# 1.39 12-Aug-2008 damien

get rid of the map_ptk()/map_gtk() functions, just inline them
which makes things easier to track.


Revision tags: OPENBSD_4_4_BASE
# 1.38 02-Aug-2008 damien

Drop frames that are received unencrypted when WEP is on or when
WPA is on and RX protection for TA is on.
Keep track of the TX/RX protection for each node when WPA is on.

tested by djm@ (ral+wpa), ckuethe@ (ath-noenc) and krw@ (wpi<->ral+wpa).
hints from bluhm@
has been in snaps for a few days.

pointed out by bluhm@ something like 1 year ago but we did not have
the right infrastructure to fix it properly at that time.

ok deraadt@


# 1.37 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.36 27-Jul-2008 damien

s/IEEE80211_DPRINTF/DPRINTF/
automatically prepend __func__ to output.

deobfuscates debug messages a bit.
no binary change unless compiled with IEEE80211_DEBUG.


# 1.35 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.34 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


# 1.33 21-Apr-2008 damien

move ieee80211_ibss_merge() from ieee80211_input.c to ieee80211_node.c


# 1.32 21-Apr-2008 damien

move ieee80211_auth_open() to ieee80211_proto.c
move ieee80211_setup_rates() to ieee80211_node.c
move some prototypes from ieee80211_proto.h to ieee80211_crypto.h


# 1.31 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.30 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.29 07-Sep-2007 damien

use new malloc M_ZERO flag + replace MALLOC with malloc


Revision tags: OPENBSD_4_2_BASE
# 1.28 06-Jul-2007 damien

remove remaining bits for pre-RSNA shared authmode support.
it has been #if 0'd since 3.9 and we have never supported this mode (no
ifconfig option etc...).


# 1.27 06-Jul-2007 damien

initialize an uninitialized variable.


# 1.26 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.25 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.24 16-Jun-2007 damien

constify


# 1.23 16-Jun-2007 damien

don't mix u_int{8,16,32}_t and uint{8,16,32}_t
use u_int{8,16,32}_t everywhere.


# 1.22 16-Jun-2007 damien

de-static

ok jsg@


# 1.21 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.20 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


# 1.19 10-Apr-2007 miod

``it's'' -> ``its'' when the grammar gods require this change.


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 13-Nov-2006 damien

fix a possible NULL deref.


Revision tags: OPENBSD_4_0_BASE
# 1.16 19-Jun-2006 reyk

unbreak the code if compiled with IEEE80211_DEBUG by using the right
node attribute.

ok damien@, figured out by claudio@


# 1.15 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.14 19-Feb-2006 damien

Fix a comment in ieee80211_next_scan().


# 1.13 09-Oct-2005 reyk

if the wireless hostap interface belongs to a bridge, learn the node's
address dynamically on this interface after successful association.
this could speed wireless roaming to openbsd accesspoints.

ok jason@, jsg@ can't see anything objectionable


# 1.12 07-Oct-2005 reyk

minor knf


# 1.11 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.10 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.9 08-Sep-2005 jsg

Remove the last of the FreeBSD compatibility goop.
ok reyk@


# 1.8 08-Sep-2005 jsg

Remove FreeBSD if_printf compat function from net80211.
ok reyk@


# 1.7 08-Sep-2005 reyk

reset the scan state for each new mode

ok jsg@


# 1.6 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.5 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.4 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.3 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.2 02-Nov-2004 millert

Don't call memset() if MALLOC returns NULL; also fix the rcs ID.
From Patrick Latifi; OK reyk@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.131 13-Jul-2018 phessler

Some more checks before auto-join switches networks.

Make sure all of the crypto options the AP announces matches what we
would configure. While here, don't switch if the user has specified
a specific BSSID, and the new AP does not match.

OK stsp@


# 1.130 11-Jul-2018 phessler

Introduce 'auto-join' to the wifi 802.11 stack.

This allows a system to remember which ESSIDs it wants to connect to, any
relevant security configuration, and switch to it when the network we are
currently connected to is no longer available.

Works when connecting and switching between WPA2/WPA1/WEP/clear encryptions.

example hostname.if:
join home wpakey password
join work wpakey mekmitasdigoat
join open-lounge
join cafe wpakey cafe2018
join "wepnetwork" nwkey "12345"
dhcp
inet6 autoconf
up

OK stsp@ reyk@
and enthusiasm from every hackroom I've been in for the last 3 years


# 1.129 28-Apr-2018 stsp

When starting a background scan, free the nodes table to ensure we
get an up-to-date view of APs around us. In particular, we need to
kick out the AP we are associated to. Otherwise, our current AP might
stay cached if it is turned off while we are scanning, and we could
end up picking a now non-existent but "good looking" AP over and over.

found with and ok phessler@


# 1.128 27-Apr-2018 stsp

Fix the scan loop: We were only looking for an AP once and stopped
scanning if none was found.
Accidentally broken in recent ifconfig scan changes by pirofti and me.
ok pirofti


# 1.127 26-Apr-2018 pirofti

net80211: stub SIOCS80211SCAN, make ifconfig scan instant.

The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stsp@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.

The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.

In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.

The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...

Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.

Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).

Tested by mpi@, landry@, florian@, thanks!
OK mpi@.


Revision tags: OPENBSD_6_3_BASE
# 1.126 06-Feb-2018 phessler

convert the test if a node supports HT (aka, 11n) into an inline function,
instead of testing some un-obvious bitfield

OK stsp@


# 1.125 12-Dec-2017 stsp

Don't dereference IEEE80211_CHAN_ANYC pointer in ieee80211_node_checkrssi().

Problem reported by Gregoire Jadi on bugs@


# 1.124 12-Dec-2017 phessler

Allow interfaces that aren't SCANNALLBAND drivers to benefit from the
strongest received signal.

OK stsp@


# 1.123 12-Dec-2017 jcs

Fix the behavior of preferring weaker-but-still-good 5Ghz APs over
2Ghz APs because the 5Ghz band is generally less saturated.

The previous implementation was dependent upon the order of walking
APs.

ok stsp


# 1.122 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


Revision tags: OPENBSD_6_2_BASE
# 1.121 05-Sep-2017 stsp

When starting a new scan always set the mode to AUTO if the driver scans
all bands at once. Fixes a problem where e.g. 5GHz APs were filtered out
if we were previously associated to an 11g-only AP.
ok mpi@ phessler@


# 1.120 17-Aug-2017 stsp

Add an entry to dmesg if pairwise WPA keys arrive unexpectedly or if WPA
group keys are being reused. OpenBSD wireless clients will now leave a
trail of such events in their message log.

There has been increased public scrutiny of WPA's security recently, so
I am curious to see if anyone is attempting replay attacks in the wild.

ok deraadt


# 1.119 04-Aug-2017 stsp

Compile a debug printf in ieee80211_match_bss() by default, previously
guarded by the IEEE80211_DEBUG preprocessor flag. This shows one line
per detected AP after a scan, and indicates which APs are considered
candidates for association.
Shorten the output a bit to fit into 80 columns more likely.
ok sthen@


# 1.118 19-Jul-2017 stsp

Improve the heuristic which selects 5GHz APs over 2GHz APs.

The previous code wasn't quite right: it didn't account for the fact that
some drivers don't set ic_max_rssi, and it compared 5GHz APs to a threshold
relative to the max RSSI, rather than comparing RSSI on 5GHz relative to
RSSI on 2GHz.

This heuristic is only used by SCANNALLBAND drivers: iwn(4), iwm(4), wpi(4)

In the future the AP selection heuristic should be made more intelligent,
e.g. it should take BSS load information in beacons into account.
Another open problem is inconsistent representation of RSSI measurement
values throughout our drivers and stack. Help is welcome!

For now, this hopefully improves AP selection at busy airports.

ok sthen@ deraadt@


# 1.117 04-Jun-2017 tb

Add sizes for free for the RSN IEs. Rewrite ieee80211_save_ie() slightly
to make it more readable.

help, many explanations and ok stsp


# 1.116 03-Jun-2017 tb

Add a few sizes to free().

Input, help & ok stsp


Revision tags: OPENBSD_6_1_BASE
# 1.115 04-Mar-2017 stsp

branches: 1.115.4;
In 11n hostap mode, dynamically adjust HT protection settings based on
the presence of non-HT nodes in the node cache.
OpenBSD 11n APs will now disable HT protection if it is not necessary.
ok mpi@


# 1.114 03-Feb-2017 stsp

Fix 11b clients sending bogus ratesets in association requests. The common
rateset with the AP is calculated only after the association response was
received, which is too late. Fix rates when an AP is selected after a scan.
ok mpi@ tb@


# 1.113 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.112 16-Jan-2017 stsp

Reset block ack state and cancel related timeouts when a HT node disassociates.
The existing code (from damien@) already took care of freeing related buffers
but because block ack state was not reset we were still trying to use these
buffers if the node sent another A-MPDU. This problem only affects 11n hostap.
Fixes kernel crash reported by Timo Myyra on bugs@


# 1.111 09-Jan-2017 stsp

When a HT node leaves or reassociates as a non-HT node,
clear HT capabilities stored in its node cache object.

A node may switch from 11n mode to 11a/b/g mode.
If we don't clear HT capabilities from the cache the node will
be mistaken as 11n-capable after reassociation.

ok phessler@ mpi@


# 1.110 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.109 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.108 09-Jan-2017 stsp

The point of ieee80211_node_leave() is to place the node in COLLECT state.
Return early and do nothing if the node is already in COLLECT state upon
entry to this function.


# 1.107 09-Jan-2017 stsp

When acting as hostap, negotiate HT before calling the driver's ic_newassoc()
function, not afterwards. Drivers now know whether a joining node supports HT
which helps with setting up state such as which Tx rate to use.


# 1.106 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@


# 1.105 15-Sep-2016 dlg

move from RB macros to the RBT functions.

shaves about 5k off an amd64 GENERIC.MP kernel


# 1.104 17-Aug-2016 stsp

If a wireless device or driver scans all bands at once give 5GHz APs
a slight priority in cases where good matches exist in either band.
ok sthen@


Revision tags: OPENBSD_6_0_BASE
# 1.103 21-May-2016 stsp

branches: 1.103.2;
Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


# 1.102 18-May-2016 stsp

In hostap mode, don't re-use association IDs (AIDs) of nodes which are
still lingering in the node cache. This could cause an AID to be assigned
twice, once to a newly associated node and once to a different node in
COLLECT cache state (i.e. marked for future eviction from the node cache).

Drivers (e.g. rt2860) may use AIDs to keep track of nodes in firmware
tables and get confused when AIDs aren't unique across the node cache.
The symptom observed with rt2860 was nodes stuck at 1 Mbps Tx rate since
the duplicate AID made the driver perform Tx rate (AMRR) accounting on
the wrong node object.

To find out if a node is associated we now check the node's cache state,
rather than comparing the node's AID against zero. An AID is assigned when
a node associates and it lasts until the node is eventually purged from the
node cache (previously, the AID was made available for re-use when the node
was placed in COLLECT state). There is no need to be stingy with AIDs since
the number of possible AIDs exceeds the maximum number of nodes in the cache.

Problem found by Nathanael Rensen.
Fix written by Nathanael and myself. Tested by Nathanael.
Committing now to get this change tested across as many drivers as possible.


# 1.101 12-Apr-2016 mpi

Call if_enqueue() and if_start() instead of dereferencing the ifp
pointers.

These functions have been introduced to abstract some of the MP-
safeness^Wmadness and should be used everywhere.

Prodded by a comment from jsg@.

ok mikeb@, stsp@


# 1.100 03-Mar-2016 gerhard

Restore assignment of ic_curmode that was accidentally removed when
moving the ERP code to post-assoc phase. Fixes iwi(4) fatal firmware
errors.

ok stsp@, sobrado@


Revision tags: OPENBSD_5_9_BASE
# 1.99 25-Jan-2016 stsp

branches: 1.99.2;
Honour ERP protection on 2 GHz channels in 11n mode, as done for 11g.
ok millert@


# 1.98 25-Jan-2016 stsp

Don't try to interpret htprot data if the last beacon didn't contain such data.
ok mpi@ millert@


# 1.97 07-Jan-2016 stsp

Make the A-MPDU reordering buffer more resilient against APs which drop
some subframes or let the sequence number jump up by more than 1 (hard
to tell which it is). We decrease the BA inactivity timeout for quicker
recovery from stalled BA sessions, and add a new timeout which keeps track
of gaps in the subframe sequence number space due to dropped frames.
Gaps expire after 500 msec, the same value FreeBSD uses for their
implementation of this workaround. And Linux uses this trick, too.

This should fix network stalls some people have been seeing in 11n mode.

ok deraadt@


# 1.96 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.95 04-Jan-2016 stsp

While configuring ERP we need to know if we're in 11a or 11g mode so only
configure ERP once we are sure about our operation mode against the AP.
ok sthen jasper kettenis deraadt mpi


# 1.94 18-Dec-2015 sthen

unnoccupied->unoccupied


# 1.93 12-Dec-2015 stsp

Finish support for receiving 11n A-MPDUs.

The initial implementation was added by damien@ years ago.
Summary of the changes made in this commit:
- In ieee80211_input(), process A-MPDUs before duplicate detection.
- Don't forget to set ba->ba_ni in ieee80211_recv_addba_req()
so we don't crash in ieee80211_rx_ba_timeout().
- In ieee80211_recv_addba_req(), tweak the logic to deny BlockAck
requests if the driver has no callback for doing so.
- Implement ieee80211_ba_del() which cleans up BlockAck state.
- Increase the minimum and maximum lifetime for BlockAck agreements.

ok mpi@


# 1.92 24-Nov-2015 mpi

No need to include <net/if_arp.h>

This header is only needed because <netinet/if_ether.h> declares a
structure that needs it. But it turns out that <net/if.h> already
includes it as workaround.

A proper solution would be to stop declaring "struct ether_arp"
there. But no driver should need this header.


# 1.91 15-Nov-2015 stsp

Parse 11n HT capabilities and operational info from association response
frames, negotiate HT with the AP, and move the interface into or out of
11n mode accordingly. If running as AP negotiate HT with nodes joining the BSS.

ok deraadt mpi kettenis guenther


# 1.90 15-Nov-2015 stsp

Extend struct ieee80211_node with fields for 11n STA HT capabilities and
HT operational information sent by 11n APs. These fields reflect the structure
of elements in management frames so that IEEE80211_HTCAP* and IEEE80211_HTOP*
macros designed to operate on frame elements can be used directly to read
or set the fields.

Populate nodes with HT information received in probe responses, probe
requests, and association requests.

ok deraadt mpi phessler kettenis guenther


# 1.89 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


Revision tags: OPENBSD_5_8_BASE
# 1.88 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.87 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.86 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.85 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.84 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.83 12-Sep-2014 sthen

Remove cached 802.11 nodes in IEEE80211_STA_CACHE state (these are nodes
which have been seen but which haven't otherwise interacted with us), fixing
a problem where old cached nodes are seen when doing a scan.
From Marcin Piotr Pawlowski, feedback stsp@ ok kspillner@ dcoppa@


# 1.82 08-Aug-2014 jasper

use nitems() instead of various local constructs

ok stsp@


Revision tags: OPENBSD_5_6_BASE
# 1.81 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


Revision tags: OPENBSD_5_5_BASE
# 1.80 01-Dec-2013 stsp

Reset txrate array index after changing a node's rate list.
Should prevent "bogus xmit rate %d setup" panics, which I ran into again
in IBSS mode.
ok kettenis


# 1.79 21-Nov-2013 mpi

Remove unneeded include.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.78 24-Mar-2013 claudio

Make ieee80211_set_tim() available from outside of ieee80211_node.c
so drivers like acx(4) can use that function directly instead of
reimplementing the function again. Requested by kettenis@ long time ago.


Revision tags: OPENBSD_5_3_BASE
# 1.77 07-Nov-2012 stsp

Fix DPRINTF() format string treating n->ni_refcnt, which is unsigned, as signed.
diff from dhill; ok kettenis reyk


# 1.76 10-Oct-2012 kettenis

Clear the powersave flag and purge queued packets when a node leaves the AP
(either by disassociating or by timeout). Fixes (most) remaining issues with
power saving.

From Nathanael Rensen.

ok claudio@, krw@, sthen@


# 1.75 05-Oct-2012 camield

Point an interface directly to its bridgeport configuration, instead
of to the bridge itself. This is ok, since an interface can only be part
of one bridge, and the parent bridge is easy to find from the bridgeport.

This way we can get rid of a lot of list walks, improving performance
and shortening the code.

ok henning stsp sthen reyk


# 1.74 20-Sep-2012 stsp

Nuke M_80211_NODE #define which mapped to M_DEVBUF and use M_DEVBUF directly.
ok henning


# 1.73 25-Aug-2012 kettenis

Set up ni_savedq for the initial BSS node such that it can actually be used
to store multicast frames when one of the associated stations is in power
saving mode.

ok stsp@


# 1.72 17-Aug-2012 stsp

Fix possible panic while switching from STA mode into hostap/ibss modes.
ieee80211_create_ibss() resets the set of supported rates but failed
to update the index into the rate set array accordingly. If the rate
configured during STA operation didn't belong to the newly configured
rate set the system ran into an assertion ("bogus xmit rate %u setup")
while trying to create the IBSS.
ok fgsch@


Revision tags: OPENBSD_5_2_BASE
# 1.71 18-Jul-2012 stsp

Print messages about nodes purged from the node cache if hostap/ibss modes are
compiled in and the interface is in debug mode. ok sthen


# 1.70 16-Jul-2012 stsp

Move increment of ic_nnodes closer to where the node is actually inserted
into the cache. Make sure we're at IPL_NET while incrementing/decrementing
ic_nnodes. Add a debug message that warns about possible node leaks.
All of this affects hostap mode only.


# 1.69 13-Jul-2012 stsp

Tweak node cache eviction strategy when the cache is full: kick off new nodes
in AUTH state that weren't active during the cache wait interval rather than
keeping them for the entire cache timeout interval. Fixes association failures
in noisy RF environments. Tested by edd and myself with a slow soekris
suffering from RF noise with about 50 interrupts per second on ral0.
ok deraadt


Revision tags: OPENBSD_5_1_BASE
# 1.68 25-Jan-2012 stsp

There is no need to explicitly skip ic_bss when iterating over cached nodes.
The ic_bss is never put into the RB tree.


# 1.67 25-Jan-2012 stsp

Clean inactive authenticated nodes during cache timeout as well.
There is no need to keep nodes cached which never associated and were
inactive within the last 5 minutes or more. Keeps the node cache pretty
clean in my environment with typical city-center wlan noise.


# 1.66 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@


# 1.65 21-Jan-2012 stsp

Hold interrupts blocked while comparing a cached node's refcount to zero
and freeing the node. Just in case an interrupt happens to ref the node after
the refcount was checked but before the node is freed.
Tested by several as part of a larger diff.


# 1.64 18-Jan-2012 stsp

Make it possible to free cached nodes which never associated (e.g. nodes
only scanning for networks). These were never put into COLLECT state and
were thus never evicted from the node cache in hostap mode.
ok jsg@


Revision tags: OPENBSD_5_0_BASE
# 1.63 28-Mar-2011 kettenis

Clean nodes until the number of cached nodes is smaller than the maximum number
of nodes, otherwise we'll never actually clean any nodes. Fixes issues with
clients failing to attach because the node cache is completely filled.

ok damien@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.62 07-Aug-2010 krw

No "\n" needed at the end of panic() strings.

Bogus chunks pointed out by matthew@ and miod@. No cookies for
marco@ and jasper@.

ok deraadt@ miod@ matthew@ jasper@ macro@


# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


# 1.60 19-Jun-2010 damien

In ieee80211_node_leave(), clear the associd after calling
ieee80211_node_leave_rsn() since ieee80211_node_leave_rsn()
calls ic_delete_key() and drivers like ral(4) RT2860 need
a valid associd in their delete_key callbacks.
This affects HostAP mode only.

from Nathanael Rensen.

remove a useless (nested) #ifndef IEEE80211_STA_ONLY while i'm here


# 1.59 14-Jun-2010 damien

fix my previous commit, i forgot BIP, so instead of enumerating
what is not supported as a group cipher, enumerate what is supported.


# 1.58 14-Jun-2010 damien

do not try to associate with an AP using an unsupported group cipher,
otherwise we will panic in ieee80211_add_rsn_body().

this may be the cause of a panic seen by reyk@ though i'm not 100% sure.


# 1.57 28-Mar-2010 krw

Four uses of uninitialized variables found by clang via jsg@. ar5416, ar9287
and athn are only theoretically interesting. ieee80211_node fixes a real
bug in occupied channel detection.

ok damien@


Revision tags: OPENBSD_4_7_BASE
# 1.56 17-Feb-2010 damien

Do not always create a new node when a beacon or a probe response
is received. The creation of a new node is already handled in
ieee80211_recv_probe_resp() when necessary.
This avoids creating empty nodes with wrong channels when beacons
are received on the wrong channel (overlapping channels).
Those empty nodes may also prevent the real node from being
discovered because of ieee80211_find_node_for_beacon() filtering.

This should prevent entries of the form:
nwid "" chan 3 bssid 00:01:02:03:04:05 0dB 54M
in "ifconfig if0 scan" output, like reported by Rivo Nurges.


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.55 29-Jan-2009 damien

fix a panic that occurs when IEEE80211_STA_ONLY is defined (SMALL_KERNEL).

noticed by ray@, more investigation from sthen@
fix tested by sthen@


# 1.54 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.53 28-Jan-2009 damien

In ieee80211_find_node(), roll our own RB_FIND() based on the key (macaddr)
instead of resorting to horrid hacks/casts.
Restore the ieee80211_node structure back to its original state.


# 1.52 27-Jan-2009 damien

unbreak SMALL_KERNEL builds by adding missing #ifndef IEEE80211_STA_ONLY

pointed out by krw@


# 1.51 26-Jan-2009 damien

move ni_macaddr field to the top of the ieee80211_node structure.
this way we can avoid putting a full node structure (which is huge)
on the stack in ieee80211_find_node().
this is a bit tricky but the RB_FIND macro wants an "elem" structure,
not a field of "elem".


# 1.50 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.49 14-Dec-2008 damien

Add an ieee80211_notify_dtim() function that drivers should call after
every DTIM in HostAP mode.
Flushes all group addressed MSDUs buffered at the AP for power management.


# 1.48 23-Oct-2008 mk

Prevent a crash in ieee80211_setkeys() when unplugging an interface in
hostap mode by canceling the group rekey timeout in ieee80211_node_detach().

ok damien


# 1.47 15-Oct-2008 blambert

Second pass of simple timeout_add -> timeout_add_sec conversions
This should take care of the simpler ones (i.e., timeout values of
integer multiples of hz).

ok krw@, art@


# 1.46 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.45 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.44 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.43 12-Aug-2008 damien

new SHA-256 based AKMPs.


# 1.42 12-Aug-2008 damien

add/process group integrity cipher suite in RSN IEs.
add support for MFP negotiation during association.


# 1.41 12-Aug-2008 damien

the only integrity group cipher currently supported is AES-128-CMAC.


# 1.40 12-Aug-2008 damien

generate a random IGTK in HostAP mode if we're MFP-capable.


# 1.39 12-Aug-2008 damien

get rid of the map_ptk()/map_gtk() functions, just inline them
which makes things easier to track.


Revision tags: OPENBSD_4_4_BASE
# 1.38 02-Aug-2008 damien

Drop frames that are received unencrypted when WEP is on or when
WPA is on and RX protection for TA is on.
Keep track of the TX/RX protection for each node when WPA is on.

tested by djm@ (ral+wpa), ckuethe@ (ath-noenc) and krw@ (wpi<->ral+wpa).
hints from bluhm@
has been in snaps for a few days.

pointed out by bluhm@ something like 1 year ago but we did not have
the right infrastructure to fix it properly at that time.

ok deraadt@


# 1.37 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.36 27-Jul-2008 damien

s/IEEE80211_DPRINTF/DPRINTF/
automatically prepend __func__ to output.

deobfuscates debug messages a bit.
no binary change unless compiled with IEEE80211_DEBUG.


# 1.35 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.34 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


# 1.33 21-Apr-2008 damien

move ieee80211_ibss_merge() from ieee80211_input.c to ieee80211_node.c


# 1.32 21-Apr-2008 damien

move ieee80211_auth_open() to ieee80211_proto.c
move ieee80211_setup_rates() to ieee80211_node.c
move some prototypes from ieee80211_proto.h to ieee80211_crypto.h


# 1.31 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.30 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.29 07-Sep-2007 damien

use new malloc M_ZERO flag + replace MALLOC with malloc


Revision tags: OPENBSD_4_2_BASE
# 1.28 06-Jul-2007 damien

remove remaining bits for pre-RSNA shared authmode support.
it has been #if 0'd since 3.9 and we have never supported this mode (no
ifconfig option etc...).


# 1.27 06-Jul-2007 damien

initialize an uninitialized variable.


# 1.26 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.25 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.24 16-Jun-2007 damien

constify


# 1.23 16-Jun-2007 damien

don't mix u_int{8,16,32}_t and uint{8,16,32}_t
use u_int{8,16,32}_t everywhere.


# 1.22 16-Jun-2007 damien

de-static

ok jsg@


# 1.21 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.20 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


# 1.19 10-Apr-2007 miod

``it's'' -> ``its'' when the grammar gods require this change.


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 13-Nov-2006 damien

fix a possible NULL deref.


Revision tags: OPENBSD_4_0_BASE
# 1.16 19-Jun-2006 reyk

unbreak the code if compiled with IEEE80211_DEBUG by using the right
node attribute.

ok damien@, figured out by claudio@


# 1.15 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.14 19-Feb-2006 damien

Fix a comment in ieee80211_next_scan().


# 1.13 09-Oct-2005 reyk

if the wireless hostap interface belongs to a bridge, learn the node's
address dynamically on this interface after successful association.
this could speed wireless roaming to openbsd accesspoints.

ok jason@, jsg@ can't see anything objectionable


# 1.12 07-Oct-2005 reyk

minor knf


# 1.11 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.10 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.9 08-Sep-2005 jsg

Remove the last of the FreeBSD compatibility goop.
ok reyk@


# 1.8 08-Sep-2005 jsg

Remove FreeBSD if_printf compat function from net80211.
ok reyk@


# 1.7 08-Sep-2005 reyk

reset the scan state for each new mode

ok jsg@


# 1.6 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.5 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.4 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.3 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.2 02-Nov-2004 millert

Don't call memset() if MALLOC returns NULL; also fix the rcs ID.
From Patrick Latifi; OK reyk@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.129 28-Apr-2018 stsp

When starting a background scan, free the nodes table to ensure we
get an up-to-date view of APs around us. In particular, we need to
kick out the AP we are associated to. Otherwise, our current AP might
stay cached if it is turned off while we are scanning, and we could
end up picking a now non-existent but "good looking" AP over and over.

found with and ok phessler@


# 1.128 27-Apr-2018 stsp

Fix the scan loop: We were only looking for an AP once and stopped
scanning if none was found.
Accidentally broken in recent ifconfig scan changes by pirofti and me.
ok pirofti


# 1.127 26-Apr-2018 pirofti

net80211: stub SIOCS80211SCAN, make ifconfig scan instant.

The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stps@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.

The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.

In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.

The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...

Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.

Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).

Tested by mpi@, landry@, florian@, thanks!
OK mpi@.


Revision tags: OPENBSD_6_3_BASE
# 1.126 06-Feb-2018 phessler

convert the test if a node support HT (aka, 11n) into an inline function,
instead of testing some un-obvious bitfield

OK stsp@


# 1.125 12-Dec-2017 stsp

Don't dereference IEEE80211_CHAN_ANYC pointer in ieee80211_node_checkrssi().

Problem reported by Gregoire Jadi on bugs@


# 1.124 12-Dec-2017 phessler

Allow interfaces that aren't SCANNALLBAND drivers to benefit from the
strongest received signal.

OK stsp@


# 1.123 12-Dec-2017 jcs

Fix the behavior of preferring weaker-but-still-good 5Ghz APs over
2Ghz APs because the 5Ghz band is generally less saturated.

The previous implementation was dependent upon the order of walking
APs.

ok stsp


# 1.122 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


Revision tags: OPENBSD_6_2_BASE
# 1.121 05-Sep-2017 stsp

When starting a new scan always set the mode to AUTO if the driver scans
all bands at once. Fixes a problem where e.g. 5GHz APs were filtered out
if we were previously associated to an 11g-only AP.
ok mpi@ phessler@


# 1.120 17-Aug-2017 stsp

Add an entry to dmesg if pairwise WPA keys arrive unexpectedly or if WPA
group keys are being reused. OpenBSD wireless clients will now leave a
trail of such events in their message log.

There has been increased public scrutiny of WPA's security recently, so
I am curious to see if anyone is attempting replay attacks in the wild.

ok deraadt


# 1.119 04-Aug-2017 stsp

Compile a debug printf in ieee80211_match_bss() by default, previously
guarded by the IEEE80211_DEBUG preprocessor flag. This shows one line
per detected AP after a scan, and indicates which APs are considered
candidates for association.
Shorten the output a bit to fit into 80 columns more likely.
ok sthen@


# 1.118 19-Jul-2017 stsp

Improve the heuristic which selects 5GHz APs over 2GHz APs.

The previous code wasn't quite right: it didn't account for the fact that
some drivers don't set ic_max_rssi, and it compared 5GHz APs to a threshold
relative to the max RSSI, rather than comparing RSSI on 5GHz relative to
RSSI on 2GHz.

This heuristic is only used by SCANNALLBAND drivers: iwn(4), iwm(4), wpi(4)

In the future the AP selection heuristic should be made more intelligent,
e.g. it should take BSS load information in beacons into account.
Another open problem is inconsistent representation of RSSI measurement
values throughout our drivers and stack. Help is welcome!

For now, this hopefully improves AP selection at busy airports.

ok sthen@ deraadt@


# 1.117 04-Jun-2017 tb

Add sizes for free for the RSN IEs. Rewrite ieee80211_save_ie() slightly
to make it more readable.

help, many explanations and ok stsp


# 1.116 03-Jun-2017 tb

Add a few sizes to free().

Input, help & ok stsp


Revision tags: OPENBSD_6_1_BASE
# 1.115 04-Mar-2017 stsp

branches: 1.115.4;
In 11n hostap mode, dynamically adjust HT protection settings based on
the presence of non-HT nodes in the node cache.
OpenBSD 11n APs will now disable HT protection if it is not necessary.
ok mpi@


# 1.114 03-Feb-2017 stsp

Fix 11b clients sending bogus ratesets in association requests. The common
rateset with the AP is calculated only after the association response was
received, which is too late. Fix rates when an AP is selected after a scan.
ok mpi@ tb@


# 1.113 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.112 16-Jan-2017 stsp

Reset block ack state and cancel related timeouts when a HT node disassociates.
The existing code (from damien@) already took care of freeing related buffers
but because block ack state was not reset we were still trying to use these
buffers if the node sent another A-MPDU. This problem only affects 11n hostap.
Fixes kernel crash reported by Timo Myyra on bugs@


# 1.111 09-Jan-2017 stsp

When a HT node leaves or reassociates as a non-HT node,
clear HT capabilities stored in its node cache object.

A node may switch from 11n mode to 11a/b/g mode.
If we don't clear HT capabilities from the cache the node will
be mistaken as 11n-capable after reassociation.

ok phessler@ mpi@


# 1.110 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.109 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.108 09-Jan-2017 stsp

The point of ieee80211_node_leave() is to place the node in COLLECT state.
Return early and do nothing if the node is already in COLLECT state upon
entry to this function.


# 1.107 09-Jan-2017 stsp

When acting as hostap, negotiate HT before calling the driver's ic_newassoc()
function, not afterwards. Drivers now know whether a joining node supports HT
which helps with setting up state such as which Tx rate to use.


# 1.106 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@


# 1.105 15-Sep-2016 dlg

move from RB macros to the RBT functions.

shaves about 5k off an amd64 GENERIC.MP kernel


# 1.104 17-Aug-2016 stsp

If a wireless device or driver scans all bands at once give 5GHz APs
a slight priority in cases where good matches exist in either band.
ok sthen@


Revision tags: OPENBSD_6_0_BASE
# 1.103 21-May-2016 stsp

branches: 1.103.2;
Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


# 1.102 18-May-2016 stsp

In hostap mode, don't re-use association IDs (AIDs) of nodes which are
still lingering in the node cache. This could cause an AID to be assigned
twice, once to a newly associated node and once to a different node in
COLLECT cache state (i.e. marked for future eviction from the node cache).

Drivers (e.g. rt2860) may use AIDs to keep track of nodes in firmware
tables and get confused when AIDs aren't unique across the node cache.
The symptom observed with rt2860 were nodes stuck at 1 Mbps Tx rate since
the duplicate AID made the driver perform Tx rate (AMRR) accounting on
the wrong node object.

To find out if a node is associated we now check the node's cache state,
rather than comparing the node's AID against zero. An AID is assigned when
a node associates and it lasts until the node is eventually purged from the
node cache (previously, the AID was made available for re-use when the node
was placed in COLLECT state). There is no need to be stingy with AIDs since
the number of possible AIDs exceeds the maximum number of nodes in the cache.

Problem found by Nathanael Rensen.
Fix written by Nathanael and myself. Tested by Nathanael.
Comitting now to get this change tested across as many drivers as possible.


# 1.101 12-Apr-2016 mpi

Call if_enqueue() and if_start() instead of dereferencing the ifp
pointers.

These functions have been introduced to abstract some of the MP-
safeness^Wmadness and should be use everywhere.

Prodded by a comment from jsg@.

ok mikeb@, stsp@


# 1.100 03-Mar-2016 gerhard

Restore assignment of ic_curmode that was accidentally removed when
moving the ERP code to post-assoc phase. Fixes iwi(4) fatal firmware
errors.

ok stsp@, sobrado@


Revision tags: OPENBSD_5_9_BASE
# 1.99 25-Jan-2016 stsp

branches: 1.99.2;
Honour ERP protection on 2 GHz channels in 11n mode, as done for 11g.
ok millert@


# 1.98 25-Jan-2016 stsp

Don't try to interpret htprot data if the last beacon didn't contain such data.
ok mpi@ millert@


# 1.97 07-Jan-2016 stsp

Make the A-MPDU reordering buffer more resilient against APs which drop
some subframes or let the sequence number jump up by more than 1 (hard
to tell which it is). We decrease the BA inactivity timeout for quicker
recovery from stalled BA sessions, and add a new timeout which keeps track
of gaps in the subframe sequence number space due to dropped frames.
Gaps expire after 500 msec, the same value FreeBSD uses for their
implementation of this workaround. And Linux uses this trick, too.

This should fix network stalls some people have been seeing in 11n mode.

ok deraadt@


# 1.96 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.95 04-Jan-2016 stsp

While configuring ERP we need to know if we're in 11a or 11g mode so only
configure ERP once we are sure about our operation mode against the AP.
ok sthen jasper kettenis deraadt mpi


# 1.94 18-Dec-2015 sthen

unnoccupied->unoccupied


# 1.93 12-Dec-2015 stsp

Finish support for receiving 11n A-MPDUs.

The initial implementation was added by damien@ years ago.
Summary of the changes made in this commit:
- In ieee80211_input(), process A-MPDUs before duplicate detection.
- Don't forget to set ba->ba_ni in ieee80211_recv_addba_req()
so we don't crash in ieee80211_rx_ba_timeout().
- In ieee80211_recv_addba_req(), tweak the logic to deny BlockAck
requests if the driver has no callback for doing so.
- Implement ieee80211_ba_del() which cleans up BlockAck state.
- Increase the minimum and maximum lifetime for BlockAck agrements.

ok mpi@


# 1.92 24-Nov-2015 mpi

No need to include <net/if_arp.h>

This header is only needed because <netinet/if_ether.h> declares a
structure that needs it. But it turns out that <net/if.h> already
includes it as workaround.

A proper solution would be to stop declarting "struct ether_arp"
there. But no driver should need this header.


# 1.91 15-Nov-2015 stsp

Parse 11n HT capabilities and operational info from association response
frames, negotiate HT with the AP, and move the interface into or out of
11n mode accordingly. If running as AP negotiate HT with nodes joining the BSS.

ok deraadt mpi kettenis guenther


# 1.90 15-Nov-2015 stsp

Extend struct ieee80211_node with fields for 11n STA HT capabilities and
HT operational information sent by 11n APs. These fields reflect the structure
of elements in management frames so that IEEE80211_HTCAP* and IEEE80211_HTOP*
macros designed to operate on frame elements can be used directly to read
or set the fields.

Populate nodes with HT information received in probe responses, probe
requests, and association requests.

ok deraadt mpi phessler kettenis guenther


# 1.89 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


Revision tags: OPENBSD_5_8_BASE
# 1.88 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehands.
ok stsp mpi


# 1.87 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.86 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.85 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rndvar.h. ok deraadt dlg


# 1.84 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.83 12-Sep-2014 sthen

Remove cached 802.11 nodes in IEEE80211_STA_CACHE state (these are nodes
which have been seen but which haven't otherwise interacted with us), fixing
a problem where old cached nodes are seen when doing a scan.
From Marcin Piotr Pawlowski, feedback stsp@ ok kspillner@ dcoppa@


# 1.82 08-Aug-2014 jasper

use nitems() instead of various local constructs

ok stsp@


Revision tags: OPENBSD_5_6_BASE
# 1.81 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


Revision tags: OPENBSD_5_5_BASE
# 1.80 01-Dec-2013 stsp

Reset txrate array index after changing a node's rate list.
Should prevent "bogus xmit rate %d setup" panics, which I ran into again
in IBSS mode.
ok kettenis


# 1.79 21-Nov-2013 mpi

Remove unneeded include.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.78 24-Mar-2013 claudio

Make ieee80211_set_tim() available from outside of ieee80211_node.c
so drivers like acx(4) can use that function directly instead of
reimplementing the function again. Requested by kettenis@ a long time ago.


Revision tags: OPENBSD_5_3_BASE
# 1.77 07-Nov-2012 stsp

Fix DPRINTF() format string treating n->ni_refcnt, which is unsigned, as signed.
diff from dhill; ok kettenis reyk


# 1.76 10-Oct-2012 kettenis

Clear the powersave flag and purge queued packets when a node leaves the AP
(either by disassociating or by timeout). Fixes (most) remaining issues with
power saving.

From Nathanael Rensen.

ok claudio@, krw@, sthen@


# 1.75 05-Oct-2012 camield

Point an interface directly to its bridgeport configuration, instead
of to the bridge itself. This is ok, since an interface can only be part
of one bridge, and the parent bridge is easy to find from the bridgeport.

This way we can get rid of a lot of list walks, improving performance
and shortening the code.

ok henning stsp sthen reyk


# 1.74 20-Sep-2012 stsp

Nuke M_80211_NODE #define which mapped to M_DEVBUF and use M_DEVBUF directly.
ok henning


# 1.73 25-Aug-2012 kettenis

Set up ni_savedq for the initial BSS node such that it can actually be used
to store multicast frames when one of the associated stations is in power
saving mode.

ok stsp@


# 1.72 17-Aug-2012 stsp

Fix possible panic while switching from STA mode into hostap/ibss modes.
ieee80211_create_ibss() resets the set of supported rates but failed
to update the index into the rate set array accordingly. If the rate
configured during STA operation didn't belong to the newly configured
rate set the system ran into an assertion ("bogus xmit rate %u setup")
while trying to create the IBSS.
ok fgsch@


Revision tags: OPENBSD_5_2_BASE
# 1.71 18-Jul-2012 stsp

Print messages about nodes purged from the node cache if hostap/ibss modes are
compiled in and the interface is in debug mode. ok sthen


# 1.70 16-Jul-2012 stsp

Move increment of ic_nnodes closer to where the node is actually inserted
into the cache. Make sure we're at IPL_NET while incrementing/decrementing
ic_nnodes. Add a debug message that warns about possible node leaks.
All of this affects hostap mode only.


# 1.69 13-Jul-2012 stsp

Tweak node cache eviction strategy when the cache is full: kick off new nodes
in AUTH state that weren't active during the cache wait interval rather than
keeping them for the entire cache timeout interval. Fixes association failures
in noisy RF environments. Tested by edd and myself with a slow soekris
suffering from RF noise with about 50 interrupts per second on ral0.
ok deraadt


Revision tags: OPENBSD_5_1_BASE
# 1.68 25-Jan-2012 stsp

There is no need to explicitly skip ic_bss when iterating over cached nodes.
The ic_bss is never put into the RB tree.


# 1.67 25-Jan-2012 stsp

Clean inactive authenticated nodes during cache timeout as well.
There is no need to keep nodes cached which never associated and were
inactive within the last 5 minutes or more. Keeps the node cache pretty
clean in my environment with typical city-center wlan noise.


# 1.66 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@


# 1.65 21-Jan-2012 stsp

Hold interrupts blocked while comparing a cached node's refcount to zero
and freeing the node. Just in case an interrupt happens to ref the node after
the refcount was checked but before the node is freed.
Tested by several as part of a larger diff.


# 1.64 18-Jan-2012 stsp

Make it possible to free cached nodes which never associated (e.g. nodes
only scanning for networks). These were never put into COLLECT state and
were thus never evicted from the node cache in hostap mode.
ok jsg@


Revision tags: OPENBSD_5_0_BASE
# 1.63 28-Mar-2011 kettenis

Clean nodes until the number of cached nodes is smaller than the maximum number
of nodes, otherwise we'll never actually clean any nodes. Fixes issues with
clients failing to attach because the node cache is completely filled.

ok damien@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.62 07-Aug-2010 krw

No "\n" needed at the end of panic() strings.

Bogus chunks pointed out by matthew@ and miod@. No cookies for
marco@ and jasper@.

ok deraadt@ miod@ matthew@ jasper@ marco@


# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


# 1.60 19-Jun-2010 damien

In ieee80211_node_leave(), clear the associd after calling
ieee80211_node_leave_rsn() since ieee80211_node_leave_rsn()
calls ic_delete_key() and drivers like ral(4) RT2860 need
a valid associd in their delete_key callbacks.
This affects HostAP mode only.

from Nathanael Rensen.

remove a useless (nested) #ifndef IEEE80211_STA_ONLY while i'm here


# 1.59 14-Jun-2010 damien

fix my previous commit, i forgot BIP, so instead of enumerating
what is not supported as a group cipher, enumerate what is supported.


# 1.58 14-Jun-2010 damien

do not try to associate with an AP using an unsupported group cipher,
otherwise we will panic in ieee80211_add_rsn_body().

this may be the cause of a panic seen by reyk@ though i'm not 100% sure.


# 1.57 28-Mar-2010 krw

Four uses of uninitialized variables found by clang via jsg@. ar5416, ar9287
and athn are only theoretically interesting. ieee80211_node fixes a real
bug in occupied channel detection.

ok damien@


Revision tags: OPENBSD_4_7_BASE
# 1.56 17-Feb-2010 damien

Do not always create a new node when a beacon or a probe response
is received. The creation of a new node is already handled in
ieee80211_recv_probe_resp() when necessary.
This avoids creating empty nodes with wrong channels when beacons
are received on the wrong channel (overlapping channels).
Those empty nodes may also prevent the real node from being
discovered because of ieee80211_find_node_for_beacon() filtering.

This should prevent entries of the form:
nwid "" chan 3 bssid 00:01:02:03:04:05 0dB 54M
in "ifconfig if0 scan" output, as reported by Rivo Nurges.


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.55 29-Jan-2009 damien

fix a panic that occurs when IEEE80211_STA_ONLY is defined (SMALL_KERNEL).

noticed by ray@, more investigation from sthen@
fix tested by sthen@


# 1.54 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.53 28-Jan-2009 damien

In ieee80211_find_node(), roll our own RB_FIND() based on the key (macaddr)
instead of resorting to horrid hacks/casts.
Restore the ieee80211_node structure back to its original state.


# 1.52 27-Jan-2009 damien

unbreak SMALL_KERNEL builds by adding missing #ifndef IEEE80211_STA_ONLY

pointed out by krw@


# 1.51 26-Jan-2009 damien

move the ni_macaddr field to the top of the ieee80211_node structure.
this way we can avoid putting a full node structure (which is huge)
on the stack in ieee80211_find_node().
this is a bit tricky but the RB_FIND macro wants an "elem" structure,
not a field of "elem".


# 1.50 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.49 14-Dec-2008 damien

Add an ieee80211_notify_dtim() function that drivers should call after
every DTIM in HostAP mode.
Flushes all group addressed MSDUs buffered at the AP for power management.


# 1.48 23-Oct-2008 mk

Prevent a crash in ieee80211_setkeys() when unplugging an interface in
hostap mode by canceling the group rekey timeout in ieee80211_node_detach().

ok damien


# 1.47 15-Oct-2008 blambert

Second pass of simple timeout_add -> timeout_add_sec conversions
This should take care of the simpler ones (i.e., timeout values of
integer multiples of hz).

ok krw@, art@


# 1.46 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.45 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.44 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.43 12-Aug-2008 damien

new SHA-256 based AKMPs.


# 1.42 12-Aug-2008 damien

add/process group integrity cipher suite in RSN IEs.
add support for MFP negotiation during association.


# 1.41 12-Aug-2008 damien

the only integrity group cipher currently supported is AES-128-CMAC.


# 1.40 12-Aug-2008 damien

generate a random IGTK in HostAP mode if we're MFP-capable.


# 1.39 12-Aug-2008 damien

get rid of the map_ptk()/map_gtk() functions, just inline them
which makes things easier to track.


Revision tags: OPENBSD_4_4_BASE
# 1.38 02-Aug-2008 damien

Drop frames that are received unencrypted when WEP is on or when
WPA is on and RX protection for TA is on.
Keep track of the TX/RX protection for each node when WPA is on.

tested by djm@ (ral+wpa), ckuethe@ (ath-noenc) and krw@ (wpi<->ral+wpa).
hints from bluhm@
has been in snaps for a few days.

pointed out by bluhm@ something like 1 year ago but we did not have
the right infrastructure to fix it properly at that time.

ok deraadt@


# 1.37 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.36 27-Jul-2008 damien

s/IEEE80211_DPRINTF/DPRINTF/
automatically prepend __func__ to output.

deobfuscates debug messages a bit.
no binary change unless compiled with IEEE80211_DEBUG.


# 1.35 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.34 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


# 1.33 21-Apr-2008 damien

move ieee80211_ibss_merge() from ieee80211_input.c to ieee80211_node.c


# 1.32 21-Apr-2008 damien

move ieee80211_auth_open() to ieee80211_proto.c
move ieee80211_setup_rates() to ieee80211_node.c
move some prototypes from ieee80211_proto.h to ieee80211_crypto.h


# 1.31 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.30 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.29 07-Sep-2007 damien

use new malloc M_ZERO flag + replace MALLOC with malloc


Revision tags: OPENBSD_4_2_BASE
# 1.28 06-Jul-2007 damien

remove remaining bits for pre-RSNA shared authmode support.
it has been #if 0'd since 3.9 and we have never supported this mode (no
ifconfig option etc...).


# 1.27 06-Jul-2007 damien

initialize an uninitialized variable.


# 1.26 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.25 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.24 16-Jun-2007 damien

constify


# 1.23 16-Jun-2007 damien

don't mix u_int{8,16,32}_t and uint{8,16,32}_t
use u_int{8,16,32}_t everywhere.


# 1.22 16-Jun-2007 damien

de-static

ok jsg@


# 1.21 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.20 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


# 1.19 10-Apr-2007 miod

``it's'' -> ``its'' when the grammar gods require this change.


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 13-Nov-2006 damien

fix a possible NULL deref.


Revision tags: OPENBSD_4_0_BASE
# 1.16 19-Jun-2006 reyk

unbreak the code if compiled with IEEE80211_DEBUG by using the right
node attribute.

ok damien@, figured out by claudio@


# 1.15 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with the IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.14 19-Feb-2006 damien

Fix a comment in ieee80211_next_scan().


# 1.13 09-Oct-2005 reyk

if the wireless hostap interface belongs to a bridge, learn the node's
address dynamically on this interface after successful association.
this could speed up wireless roaming to openbsd access points.

ok jason@, jsg@ can't see anything objectionable


# 1.12 07-Oct-2005 reyk

minor knf


# 1.11 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.10 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.9 08-Sep-2005 jsg

Remove the last of the FreeBSD compatibility goop.
ok reyk@


# 1.8 08-Sep-2005 jsg

Remove FreeBSD if_printf compat function from net80211.
ok reyk@


# 1.7 08-Sep-2005 reyk

reset the scan state for each new mode

ok jsg@


# 1.6 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.5 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.4 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.3 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.2 02-Nov-2004 millert

Don't call memset() if MALLOC returns NULL; also fix the rcs ID.
From Patrick Latifi; OK reyk@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.93 12-Dec-2015 stsp

Finish support for receiving 11n A-MPDUs.

The initial implementation was added by damien@ years ago.
Summary of the changes made in this commit:
- In ieee80211_input(), process A-MPDUs before duplicate detection.
- Don't forget to set ba->ba_ni in ieee80211_recv_addba_req()
so we don't crash in ieee80211_rx_ba_timeout().
- In ieee80211_recv_addba_req(), tweak the logic to deny BlockAck
requests if the driver has no callback for doing so.
- Implement ieee80211_ba_del() which cleans up BlockAck state.
- Increase the minimum and maximum lifetime for BlockAck agreements.

ok mpi@


# 1.92 24-Nov-2015 mpi

No need to include <net/if_arp.h>

This header is only needed because <netinet/if_ether.h> declares a
structure that needs it. But it turns out that <net/if.h> already
includes it as workaround.

A proper solution would be to stop declaring "struct ether_arp"
there. But no driver should need this header.


# 1.91 15-Nov-2015 stsp

Parse 11n HT capabilities and operational info from association response
frames, negotiate HT with the AP, and move the interface into or out of
11n mode accordingly. If running as AP negotiate HT with nodes joining the BSS.

ok deraadt mpi kettenis guenther


# 1.90 15-Nov-2015 stsp

Extend struct ieee80211_node with fields for 11n STA HT capabilities and
HT operational information sent by 11n APs. These fields reflect the structure
of elements in management frames so that IEEE80211_HTCAP* and IEEE80211_HTOP*
macros designed to operate on frame elements can be used directly to read
or set the fields.

Populate nodes with HT information received in probe responses, probe
requests, and association requests.

ok deraadt mpi phessler kettenis guenther


# 1.89 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


Revision tags: OPENBSD_5_8_BASE
# 1.88 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.87 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.86 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.85 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.84 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.83 12-Sep-2014 sthen

Remove cached 802.11 nodes in IEEE80211_STA_CACHE state (these are nodes
which have been seen but which haven't otherwise interacted with us), fixing
a problem where old cached nodes are seen when doing a scan.
From Marcin Piotr Pawlowski, feedback stsp@ ok kspillner@ dcoppa@


# 1.82 08-Aug-2014 jasper

use nitems() instead of various local constructs

ok stsp@


Revision tags: OPENBSD_5_6_BASE
# 1.81 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


Revision tags: OPENBSD_5_5_BASE
# 1.80 01-Dec-2013 stsp

Reset txrate array index after changing a node's rate list.
Should prevent "bogus xmit rate %d setup" panics, which I ran into again
in IBSS mode.
ok kettenis


# 1.79 21-Nov-2013 mpi

Remove unneeded include.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.78 24-Mar-2013 claudio

Make ieee80211_set_tim() available from outside of ieee80211_node.c
so drivers like acx(4) can use that function directly instead of
reimplementing the function again. Requested by kettenis@ long time ago.


Revision tags: OPENBSD_5_3_BASE
# 1.77 07-Nov-2012 stsp

Fix DPRINTF() format string treating n->ni_refcnt, which is unsigned, as signed.
diff from dhill; ok kettenis reyk


# 1.76 10-Oct-2012 kettenis

Clear the powersave flag and purge queued packets when a node leaves the AP
(either by disassociating or by timeout). Fixes (most) remaining issues with
power saving.

From Nathanael Rensen.

ok claudio@, krw@, sthen@


# 1.75 05-Oct-2012 camield

Point an interface directly to its bridgeport configuration, instead
of to the bridge itself. This is ok, since an interface can only be part
of one bridge, and the parent bridge is easy to find from the bridgeport.

This way we can get rid of a lot of list walks, improving performance
and shortening the code.

ok henning stsp sthen reyk


# 1.74 20-Sep-2012 stsp

Nuke M_80211_NODE #define which mapped to M_DEVBUF and use M_DEVBUF directly.
ok henning


# 1.73 25-Aug-2012 kettenis

Set up ni_savedq for the initial BSS node such that it can actually be used
to store multicast frames when one of the associated stations is in power
saving mode.

ok stsp@


# 1.72 17-Aug-2012 stsp

Fix possible panic while switching from STA mode into hostap/ibss modes.
ieee80211_create_ibss() resets the set of supported rates but failed
to update the index into the rate set array accordingly. If the rate
configured during STA operation didn't belong to the newly configured
rate set the system ran into an assertion ("bogus xmit rate %u setup")
while trying to create the IBSS.
ok fgsch@


Revision tags: OPENBSD_5_2_BASE
# 1.71 18-Jul-2012 stsp

Print messages about nodes purged from the node cache if hostap/ibss modes are
compiled in and the interface is in debug mode. ok sthen


# 1.70 16-Jul-2012 stsp

Move increment of ic_nnodes closer to where the node is actually inserted
into the cache. Make sure we're at IPL_NET while incrementing/decrementing
ic_nnodes. Add a debug message that warns about possible node leaks.
All of this affects hostap mode only.


# 1.69 13-Jul-2012 stsp

Tweak node cache eviction strategy when the cache is full: kick off new nodes
in AUTH state that weren't active during the cache wait interval rather than
keeping them for the entire cache timeout interval. Fixes association failures
in noisy RF environments. Tested by edd and myself with a slow soekris
suffering from RF noise with about 50 interrupts per second on ral0.
ok deraadt


Revision tags: OPENBSD_5_1_BASE
# 1.68 25-Jan-2012 stsp

There is no need to explicitly skip ic_bss when iterating over cached nodes.
The ic_bss is never put into the RB tree.


# 1.67 25-Jan-2012 stsp

Clean inactive authenticated nodes during cache timeout as well.
There is no need to keep nodes cached which never associated and were
inactive within the last 5 minutes or more. Keeps the node cache pretty
clean in my environment with typical city-center wlan noise.


# 1.66 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@


# 1.65 21-Jan-2012 stsp

Hold interrupts blocked while comparing a cached node's refcount to zero
and freeing the node. Just in case an interrupt happens to ref the node after
the refcount was checked but before the node is freed.
Tested by several as part of a larger diff.


# 1.64 18-Jan-2012 stsp

Make it possible to free cached nodes which never associated (e.g. nodes
only scanning for networks). These were never put into COLLECT state and
were thus never evicted from the node cache in hostap mode.
ok jsg@


Revision tags: OPENBSD_5_0_BASE
# 1.63 28-Mar-2011 kettenis

Clean nodes until the number of cached nodes is smaller than the maximum number
of nodes, otherwise we'll never actually clean any nodes. Fixes issues with
clients failing to attach because the node cache is completely filled.

ok damien@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.62 07-Aug-2010 krw

No "\n" needed at the end of panic() strings.

Bogus chunks pointed out by matthew@ and miod@. No cookies for
marco@ and jasper@.

ok deraadt@ miod@ matthew@ jasper@ macro@


# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


# 1.60 19-Jun-2010 damien

In ieee80211_node_leave(), clear the associd after calling
ieee80211_node_leave_rsn() since ieee80211_node_leave_rsn()
calls ic_delete_key() and drivers like ral(4) RT2860 need
a valid associd in their delete_key callbacks.
This affects HostAP mode only.

from Nathanael Rensen.

remove a useless (nested) #ifndef IEEE80211_STA_ONLY while i'm here


# 1.59 14-Jun-2010 damien

fix my previous commit, i forgot BIP, so instead of enumerating
what is not supported as a group cipher, enumerate what is supported.


# 1.58 14-Jun-2010 damien

do not try to associate with an AP using an unsupported group cipher,
otherwise we will panic in ieee80211_add_rsn_body().

this may be the cause of a panic seen by reyk@ though i'm not 100% sure.


# 1.57 28-Mar-2010 krw

Four uses of uninitialized variables found by clang via jsg@. ar5416, ar9287
and athn are only theoretically interesting. ieee80211_node fixes a real
bug in occupied channel detection.

ok damien@


Revision tags: OPENBSD_4_7_BASE
# 1.56 17-Feb-2010 damien

Do not always create a new node when a beacon or a probe response
is received. The creation of a new node is already handled in
ieee80211_recv_probe_resp() when necessary.
This avoids creating empty nodes with wrong channels when beacons
are received on the wrong channel (overlapping channels).
Those empty nodes may also prevent the real node from being
discovered because of ieee80211_find_node_for_beacon() filtering.

This should prevent entries of the form:
nwid "" chan 3 bssid 00:01:02:03:04:05 0dB 54M
in "ifconfig if0 scan" output, like reported by Rivo Nurges.


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.55 29-Jan-2009 damien

fix a panic that occurs when IEEE80211_STA_ONLY is defined (SMALL_KERNEL).

noticed by ray@, more investigation from sthen@
fix tested by sthen@


# 1.54 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.53 28-Jan-2009 damien

In ieee80211_find_node(), roll our own RB_FIND() based on the key (macaddr)
instead of resorting to horrid hacks/casts.
Restore the ieee80211_node structure back to its original state.


# 1.52 27-Jan-2009 damien

unbreak SMALL_KERNEL builds by adding missing #ifndef IEEE80211_STA_ONLY

pointed out by krw@


# 1.51 26-Jan-2009 damien

move ni_macaddr field at the top of the ieee80211_node structure.
this way we can avoid putting a full node structure (which is huge)
on the stack in ieee80211_find_node().
this is a bit tricky but the RB_FIND macro wants an "elem" structure,
not a field of "elem".


# 1.50 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.49 14-Dec-2008 damien

Add an ieee80211_notify_dtim() function that drivers should call after
every DTIM in HostAP mode.
Flushes all group addressed MSDUs buffered at the AP for power management.


# 1.48 23-Oct-2008 mk

Prevent a crash in ieee80211_setkeys() when unplugging an interface in
hostap mode by canceling the group rekey timeout in ieee80211_node_detach().

ok damien


# 1.47 15-Oct-2008 blambert

Second pass of simple timeout_add -> timeout_add_sec conversions
This should take care of the simpler ones (i.e., timeout values of
integer multiples of hz).

ok krw@, art@


# 1.46 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.45 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.44 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.43 12-Aug-2008 damien

new SHA-256 based AKMPs.


# 1.42 12-Aug-2008 damien

add/process group integrity cipher suite in RSN IEs.
add support for MFP negotiation during association.


# 1.41 12-Aug-2008 damien

the only integrity group cipher currently supported is AES-128-CMAC.


# 1.40 12-Aug-2008 damien

generate a random IGTK in HostAP mode if we're MFP-capable.


# 1.39 12-Aug-2008 damien

get rid of the map_ptk()/map_gtk() functions, just inline them
which makes things easier to track.


Revision tags: OPENBSD_4_4_BASE
# 1.38 02-Aug-2008 damien

Drop frames that are received unencrypted when WEP is on or when
WPA is on and RX protection for TA is on.
Keep track of the TX/RX protection for each node when WPA is on.

tested by djm@ (ral+wpa), ckuethe@ (ath-noenc) and krw@ (wpi<->ral+wpa).
hints from bluhm@
has been in snaps for a few days.

pointed out by bluhm@ something like 1 year ago but we did not have
the right infrastructure to fix it properly at that time.

ok deraadt@


# 1.37 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.36 27-Jul-2008 damien

s/IEEE80211_DPRINTF/DPRINTF/
automatically prepend __func__ to output.

deobfuscates debug messages a bit.
no binary change unless compiled with IEEE80211_DEBUG.


# 1.35 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.34 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


# 1.33 21-Apr-2008 damien

move ieee80211_ibss_merge() from ieee80211_input.c to ieee80211_node.c


# 1.32 21-Apr-2008 damien

move ieee80211_auth_open() to ieee80211_proto.c
move ieee80211_setup_rates() to ieee80211_node.c
move some prototypes from ieee80211_proto.h to ieee80211_crypto.h


# 1.31 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.30 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.29 07-Sep-2007 damien

use new malloc M_ZERO flag + replace MALLOC with malloc


Revision tags: OPENBSD_4_2_BASE
# 1.28 06-Jul-2007 damien

remove remaining bits for pre-RSNA shared authmode support.
it has been #if 0'd since 3.9 and we have never supported this mode (no
ifconfig option etc...).


# 1.27 06-Jul-2007 damien

initialize an uninitialized variable.


# 1.26 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.25 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.24 16-Jun-2007 damien

constify


# 1.23 16-Jun-2007 damien

don't mix u_int{8,16,32}_t and uint{8,16,32}_t
use u_int{8,16,32}_t everywhere.


# 1.22 16-Jun-2007 damien

de-static

ok jsg@


# 1.21 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.20 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


# 1.19 10-Apr-2007 miod

``it's'' -> ``its'' when the grammar gods require this change.


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 13-Nov-2006 damien

fix a possible NULL deref.


Revision tags: OPENBSD_4_0_BASE
# 1.16 19-Jun-2006 reyk

unbreak the code if compiled with IEEE80211_DEBUG by using the right
node attribute.

ok damien@, figured out by claudio@


# 1.15 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.14 19-Feb-2006 damien

Fix a comment in ieee80211_next_scan().


# 1.13 09-Oct-2005 reyk

if the wireless hostap interface belongs to a bridge, learn the node's
address dynamically on this interface after successful association.
this could speed wireless roaming to openbsd accesspoints.

ok jason@, jsg@ can't see anything objectionable


# 1.12 07-Oct-2005 reyk

minor knf


# 1.11 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.10 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.9 08-Sep-2005 jsg

Remove the last of the FreeBSD compatibility goop.
ok reyk@


# 1.8 08-Sep-2005 jsg

Remove FreeBSD if_printf compat function from net80211.
ok reyk@


# 1.7 08-Sep-2005 reyk

reset the scan state for each new mode

ok jsg@


# 1.6 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.5 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.4 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.3 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.2 02-Nov-2004 millert

Don't call memset() if MALLOC returns NULL; also fix the rcs ID.
From Patrick Latifi; OK reyk@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.


# 1.125 12-Dec-2017 stsp

Don't dereference IEEE80211_CHAN_ANYC pointer in ieee80211_node_checkrssi().

Problem reported by Gregoire Jadi on bugs@


# 1.124 12-Dec-2017 phessler

Allow interfaces that aren't SCANNALLBAND drivers to benefit from the
strongest received signal.

OK stsp@


# 1.123 12-Dec-2017 jcs

Fix the behavior of preferring weaker-but-still-good 5Ghz APs over
2Ghz APs because the 5Ghz band is generally less saturated.

The previous implementation was dependent upon the order of walking
APs.

ok stsp


# 1.122 08-Dec-2017 stsp

Add support for background scanning to net80211 and iwm(4).

The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.

Tested by several people in various iterations.
As usual, let me know if you run into issues.

ok phessler deraadt


Revision tags: OPENBSD_6_2_BASE
# 1.121 05-Sep-2017 stsp

When starting a new scan always set the mode to AUTO if the driver scans
all bands at once. Fixes a problem where e.g. 5GHz APs were filtered out
if we were previously associated to an 11g-only AP.
ok mpi@ phessler@


# 1.120 17-Aug-2017 stsp

Add an entry to dmesg if pairwise WPA keys arrive unexpectedly or if WPA
group keys are being reused. OpenBSD wireless clients will now leave a
trail of such events in their message log.

There has been increased public scrutiny of WPA's security recently, so
I am curious to see if anyone is attempting replay attacks in the wild.

ok deraadt


# 1.119 04-Aug-2017 stsp

Compile a debug printf in ieee80211_match_bss() by default, previously
guarded by the IEEE80211_DEBUG preprocessor flag. This shows one line
per detected AP after a scan, and indicates which APs are considered
candidates for association.
Shorten the output a bit to fit into 80 columns more likely.
ok sthen@


# 1.118 19-Jul-2017 stsp

Improve the heuristic which selects 5GHz APs over 2GHz APs.

The previous code wasn't quite right: it didn't account for the fact that
some drivers don't set ic_max_rssi, and it compared 5GHz APs to a threshold
relative to the max RSSI, rather than comparing RSSI on 5GHz relative to
RSSI on 2GHz.

This heuristic is only used by SCANNALLBAND drivers: iwn(4), iwm(4), wpi(4)

In the future the AP selection heuristic should be made more intelligent,
e.g. it should take BSS load information in beacons into account.
Another open problem is inconsistent representation of RSSI measurement
values throughout our drivers and stack. Help is welcome!

For now, this hopefully improves AP selection at busy airports.

ok sthen@ deraadt@


# 1.117 04-Jun-2017 tb

Add sizes for free for the RSN IEs. Rewrite ieee80211_save_ie() slightly
to make it more readable.

help, many explanations and ok stsp


# 1.116 03-Jun-2017 tb

Add a few sizes to free().

Input, help & ok stsp


Revision tags: OPENBSD_6_1_BASE
# 1.115 04-Mar-2017 stsp

branches: 1.115.4;
In 11n hostap mode, dynamically adjust HT protection settings based on
the presence of non-HT nodes in the node cache.
OpenBSD 11n APs will now disable HT protection if it is not necessary.
ok mpi@


# 1.114 03-Feb-2017 stsp

Fix 11b clients sending bogus ratesets in association requests. The common
rateset with the AP is calculated only after the association response was
received, which is too late. Fix rates when an AP is selected after a scan.
ok mpi@ tb@


# 1.113 02-Feb-2017 stsp

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@


# 1.112 16-Jan-2017 stsp

Reset block ack state and cancel related timeouts when a HT node disassociates.
The existing code (from damien@) already took care of freeing related buffers
but because block ack state was not reset we were still trying to use these
buffers if the node sent another A-MPDU. This problem only affects 11n hostap.
Fixes kernel crash reported by Timo Myyra on bugs@


# 1.111 09-Jan-2017 stsp

When a HT node leaves or reassociates as a non-HT node,
clear HT capabilities stored in its node cache object.

A node may switch from 11n mode to 11a/b/g mode.
If we don't clear HT capabilities from the cache the node will
be mistaken as 11n-capable after reassociation.

ok phessler@ mpi@


# 1.110 09-Jan-2017 stsp

Make the net80211 stack send EDCA parameters to the driver in hostap mode.
Fixes problems with timing of frame transmissions which caused packet loss.
tested by myself and tb@
ok phessler@ mpi@ tb@


# 1.109 09-Jan-2017 stsp

Manage the HT protection setting if acting as hostap with 11n enabled.

For now we flip-flop only between non-member protection and non-HT protection.
Running a HT network without protection would require monitoring environmental
conditions (e.g. foreign beacons) which make HT protection necessary.

The ic_update_htprot driver function becomes optional because it won't be
needed by all drivers. Only call it if the driver has set a function pointer.

ok tb@


# 1.108 09-Jan-2017 stsp

The point of ieee80211_node_leave() is to place the node in COLLECT state.
Return early and do nothing if the node is already in COLLECT state upon
entry to this function.


# 1.107 09-Jan-2017 stsp

When acting as hostap, negotiate HT before calling the driver's ic_newassoc()
function, not afterwards. Drivers now know whether a joining node supports HT
which helps with setting up state such as which Tx rate to use.


# 1.106 17-Dec-2016 stsp

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@


# 1.105 15-Sep-2016 dlg

move from RB macros to the RBT functions.

shaves about 5k off an amd64 GENERIC.MP kernel


# 1.104 17-Aug-2016 stsp

If a wireless device or driver scans all bands at once give 5GHz APs
a slight priority in cases where good matches exist in either band.
ok sthen@


Revision tags: OPENBSD_6_0_BASE
# 1.103 21-May-2016 stsp

branches: 1.103.2;
Add a wireless driver capability flag for devices which scan 2GHz and 5GHz
bands in a single scan offload request. This will be used by iwm(4) soon.
ok kettenis@, earlier version ok phessler@


# 1.102 18-May-2016 stsp

In hostap mode, don't re-use association IDs (AIDs) of nodes which are
still lingering in the node cache. This could cause an AID to be assigned
twice, once to a newly associated node and once to a different node in
COLLECT cache state (i.e. marked for future eviction from the node cache).

Drivers (e.g. rt2860) may use AIDs to keep track of nodes in firmware
tables and get confused when AIDs aren't unique across the node cache.
The symptom observed with rt2860 were nodes stuck at 1 Mbps Tx rate since
the duplicate AID made the driver perform Tx rate (AMRR) accounting on
the wrong node object.

To find out if a node is associated we now check the node's cache state,
rather than comparing the node's AID against zero. An AID is assigned when
a node associates and it lasts until the node is eventually purged from the
node cache (previously, the AID was made available for re-use when the node
was placed in COLLECT state). There is no need to be stingy with AIDs since
the number of possible AIDs exceeds the maximum number of nodes in the cache.

Problem found by Nathanael Rensen.
Fix written by Nathanael and myself. Tested by Nathanael.
Comitting now to get this change tested across as many drivers as possible.


# 1.101 12-Apr-2016 mpi

Call if_enqueue() and if_start() instead of dereferencing the ifp
pointers.

These functions have been introduced to abstract some of the MP-
safeness^Wmadness and should be use everywhere.

Prodded by a comment from jsg@.

ok mikeb@, stsp@


# 1.100 03-Mar-2016 gerhard

Restore assignment of ic_curmode that was accidentally removed when
moving the ERP code to post-assoc phase. Fixes iwi(4) fatal firmware
errors.

ok stsp@, sobrado@


Revision tags: OPENBSD_5_9_BASE
# 1.99 25-Jan-2016 stsp

branches: 1.99.2;
Honour ERP protection on 2 GHz channels in 11n mode, as done for 11g.
ok millert@


# 1.98 25-Jan-2016 stsp

Don't try to interpret htprot data if the last beacon didn't contain such data.
ok mpi@ millert@


# 1.97 07-Jan-2016 stsp

Make the A-MPDU reordering buffer more resilient against APs which drop
some subframes or let the sequence number jump up by more than 1 (hard
to tell which it is). We decrease the BA inactivity timeout for quicker
recovery from stalled BA sessions, and add a new timeout which keeps track
of gaps in the subframe sequence number space due to dropped frames.
Gaps expire after 500 msec, the same value FreeBSD uses for their
implementation of this workaround. And Linux uses this trick, too.

This should fix network stalls some people have been seeing in 11n mode.

ok deraadt@


# 1.96 05-Jan-2016 stsp

Remove the IEEE80211_NO_HT macro. Reduces ifdef spaghetti, enables 11n mode
in bsd.rd, and might uncover some bugs. Suggested by tedu@ and deraadt@.
ok sthen@ jasper@ deraadt@


# 1.95 04-Jan-2016 stsp

While configuring ERP we need to know if we're in 11a or 11g mode so only
configure ERP once we are sure about our operation mode against the AP.
ok sthen jasper kettenis deraadt mpi


# 1.94 18-Dec-2015 sthen

unnoccupied->unoccupied


# 1.93 12-Dec-2015 stsp

Finish support for receiving 11n A-MPDUs.

The initial implementation was added by damien@ years ago.
Summary of the changes made in this commit:
- In ieee80211_input(), process A-MPDUs before duplicate detection.
- Don't forget to set ba->ba_ni in ieee80211_recv_addba_req()
so we don't crash in ieee80211_rx_ba_timeout().
- In ieee80211_recv_addba_req(), tweak the logic to deny BlockAck
requests if the driver has no callback for doing so.
- Implement ieee80211_ba_del() which cleans up BlockAck state.
- Increase the minimum and maximum lifetime for BlockAck agreements.

ok mpi@


# 1.92 24-Nov-2015 mpi

No need to include <net/if_arp.h>

This header is only needed because <netinet/if_ether.h> declares a
structure that needs it. But it turns out that <net/if.h> already
includes it as workaround.

A proper solution would be to stop declaring "struct ether_arp"
there. But no driver should need this header.


# 1.91 15-Nov-2015 stsp

Parse 11n HT capabilities and operational info from association response
frames, negotiate HT with the AP, and move the interface into or out of
11n mode accordingly. If running as AP negotiate HT with nodes joining the BSS.

ok deraadt mpi kettenis guenther


# 1.90 15-Nov-2015 stsp

Extend struct ieee80211_node with fields for 11n STA HT capabilities and
HT operational information sent by 11n APs. These fields reflect the structure
of elements in management frames so that IEEE80211_HTCAP* and IEEE80211_HTOP*
macros designed to operate on frame elements can be used directly to read
or set the fields.

Populate nodes with HT information received in probe responses, probe
requests, and association requests.

ok deraadt mpi phessler kettenis guenther


# 1.89 04-Nov-2015 dlg

replace the ifqueues in net80211 with mbuf_queues.

the specific queues are ic_mgtq, ic_pwrsaveq, and ni_savedq. rtw
had its own queue for beacons.

tested by mpi@ and jmc@
ok mpi@


Revision tags: OPENBSD_5_8_BASE
# 1.88 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.87 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.86 23-Dec-2014 tedu

unifdef some more INET. v4 4life.


# 1.85 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rndvar.h. ok deraadt dlg


# 1.84 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.83 12-Sep-2014 sthen

Remove cached 802.11 nodes in IEEE80211_STA_CACHE state (these are nodes
which have been seen but which haven't otherwise interacted with us), fixing
a problem where old cached nodes are seen when doing a scan.
From Marcin Piotr Pawlowski, feedback stsp@ ok kspillner@ dcoppa@


# 1.82 08-Aug-2014 jasper

use nitems() instead of various local constructs

ok stsp@


Revision tags: OPENBSD_5_6_BASE
# 1.81 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


Revision tags: OPENBSD_5_5_BASE
# 1.80 01-Dec-2013 stsp

Reset txrate array index after changing a node's rate list.
Should prevent "bogus xmit rate %d setup" panics, which I ran into again
in IBSS mode.
ok kettenis


# 1.79 21-Nov-2013 mpi

Remove unneeded include.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.78 24-Mar-2013 claudio

Make ieee80211_set_tim() available from outside of ieee80211_node.c
so drivers like acx(4) can use that function directly instead of
reimplementing the function again. Requested by kettenis@ a long time ago.


Revision tags: OPENBSD_5_3_BASE
# 1.77 07-Nov-2012 stsp

Fix DPRINTF() format string treating n->ni_refcnt, which is unsigned, as signed.
diff from dhill; ok kettenis reyk


# 1.76 10-Oct-2012 kettenis

Clear the powersave flag and purge queued packets when a node leaves the AP
(either by disassociating or by timeout). Fixes (most) remaining issues with
power saving.

From Nathanael Rensen.

ok claudio@, krw@, sthen@


# 1.75 05-Oct-2012 camield

Point an interface directly to its bridgeport configuration, instead
of to the bridge itself. This is ok, since an interface can only be part
of one bridge, and the parent bridge is easy to find from the bridgeport.

This way we can get rid of a lot of list walks, improving performance
and shortening the code.

ok henning stsp sthen reyk


# 1.74 20-Sep-2012 stsp

Nuke M_80211_NODE #define which mapped to M_DEVBUF and use M_DEVBUF directly.
ok henning


# 1.73 25-Aug-2012 kettenis

Set up ni_savedq for the initial BSS node such that it can actually be used
to store multicast frames when one of the associated stations is in power
saving mode.

ok stsp@


# 1.72 17-Aug-2012 stsp

Fix possible panic while switching from STA mode into hostap/ibss modes.
ieee80211_create_ibss() resets the set of supported rates but failed
to update the index into the rate set array accordingly. If the rate
configured during STA operation didn't belong to the newly configured
rate set the system ran into an assertion ("bogus xmit rate %u setup")
while trying to create the IBSS.
ok fgsch@


Revision tags: OPENBSD_5_2_BASE
# 1.71 18-Jul-2012 stsp

Print messages about nodes purged from the node cache if hostap/ibss modes are
compiled in and the interface is in debug mode. ok sthen


# 1.70 16-Jul-2012 stsp

Move increment of ic_nnodes closer to where the node is actually inserted
into the cache. Make sure we're at IPL_NET while incrementing/decrementing
ic_nnodes. Add a debug message that warns about possible node leaks.
All of this affects hostap mode only.


# 1.69 13-Jul-2012 stsp

Tweak node cache eviction strategy when the cache is full: kick off new nodes
in AUTH state that weren't active during the cache wait interval rather than
keeping them for the entire cache timeout interval. Fixes association failures
in noisy RF environments. Tested by edd and myself with a slow soekris
suffering from RF noise with about 50 interrupts per second on ral0.
ok deraadt


Revision tags: OPENBSD_5_1_BASE
# 1.68 25-Jan-2012 stsp

There is no need to explicitly skip ic_bss when iterating over cached nodes.
The ic_bss is never put into the RB tree.


# 1.67 25-Jan-2012 stsp

Clean inactive authenticated nodes during cache timeout as well.
There is no need to keep nodes cached which never associated and were
inactive within the last 5 minutes or more. Keeps the node cache pretty
clean in my environment with typical city-center wlan noise.


# 1.66 21-Jan-2012 stsp

Implement missing bits of node inactivity accounting in hostap mode.
Small parts of code for this feature were already present but unused.

A node becomes inactive after not sending or receiving a frame within
5 minutes. Inactive cached nodes (not authenticated or associated) are
automatically cleared from the cache once every hour, making room for
new nodes. If the node cache is full and room must be made for a new node,
clean either a cached node (active or inactive), or an inactive
authenticated or associated node.

Also, do not send de-auth frames to nodes which never authenticated,
and only send a de-auth frame once for a given node.
This part was contributed by Steven Chamberlain, thanks!

Tested by myself, krw@, edd@, Steven Chamberlain, and Markus Schatzl.
ok deraadt@


# 1.65 21-Jan-2012 stsp

Hold interrupts blocked while comparing a cached node's refcount to zero
and freeing the node. Just in case an interrupt happens to ref the node after
the refcount was checked but before the node is freed.
Tested by several as part of a larger diff.


# 1.64 18-Jan-2012 stsp

Make it possible to free cached nodes which never associated (e.g. nodes
only scanning for networks). These were never put into COLLECT state and
were thus never evicted from the node cache in hostap mode.
ok jsg@


Revision tags: OPENBSD_5_0_BASE
# 1.63 28-Mar-2011 kettenis

Clean nodes until the number of cached nodes is smaller than the maximum number
of nodes, otherwise we'll never actually clean any nodes. Fixes issues with
clients failing to attach because the node cache is completely filled.

ok damien@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.62 07-Aug-2010 krw

No "\n" needed at the end of panic() strings.

Bogus chunks pointed out by matthew@ and miod@. No cookies for
marco@ and jasper@.

ok deraadt@ miod@ matthew@ jasper@ marco@


# 1.61 19-Jul-2010 damien

in hostap mode, notify drivers via a new callback when a STA leaves
the BSS. this is needed by drivers that need to maintain a hardware
table of associated STAs (like ral(4) RT2860).

idea from Nathanael Rensen


# 1.60 19-Jun-2010 damien

In ieee80211_node_leave(), clear the associd after calling
ieee80211_node_leave_rsn() since ieee80211_node_leave_rsn()
calls ic_delete_key() and drivers like ral(4) RT2860 need
a valid associd in their delete_key callbacks.
This affects HostAP mode only.

from Nathanael Rensen.

remove a useless (nested) #ifndef IEEE80211_STA_ONLY while i'm here


# 1.59 14-Jun-2010 damien

fix my previous commit, i forgot BIP, so instead of enumerating
what is not supported as a group cipher, enumerate what is supported.


# 1.58 14-Jun-2010 damien

do not try to associate with an AP using an unsupported group cipher,
otherwise we will panic in ieee80211_add_rsn_body().

this may be the cause of a panic seen by reyk@ though i'm not 100% sure.


# 1.57 28-Mar-2010 krw

Four uses of uninitialized variables found by clang via jsg@. ar5416, ar9287
and athn are only theoretically interesting. ieee80211_node fixes a real
bug in occupied channel detection.

ok damien@


Revision tags: OPENBSD_4_7_BASE
# 1.56 17-Feb-2010 damien

Do not always create a new node when a beacon or a probe response
is received. The creation of a new node is already handled in
ieee80211_recv_probe_resp() when necessary.
This avoids creating empty nodes with wrong channels when beacons
are received on the wrong channel (overlapping channels).
Those empty nodes may also prevent the real node from being
discovered because of ieee80211_find_node_for_beacon() filtering.

This should prevent entries of the form:
nwid "" chan 3 bssid 00:01:02:03:04:05 0dB 54M
in "ifconfig if0 scan" output, like reported by Rivo Nurges.


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.55 29-Jan-2009 damien

fix a panic that occurs when IEEE80211_STA_ONLY is defined (SMALL_KERNEL).

noticed by ray@, more investigation from sthen@
fix tested by sthen@


# 1.54 28-Jan-2009 damien

Block Ack agreements are unidirectional.
Maintain state for both originator and recipient roles separately.
Do not allocate receive reordering buffer in addba_request().
Test the "initiator" bit in incoming DELBA frames and set it appropriately
in outgoing DELBA frames.
Separate callbacks for Tx/Rx too.

no binary change since all this is #ifdef'ed out.


# 1.53 28-Jan-2009 damien

In ieee80211_find_node(), roll our own RB_FIND() based on the key (macaddr)
instead of resorting to horrid hacks/casts.
Restore the ieee80211_node structure back to its original state.


# 1.52 27-Jan-2009 damien

unbreak SMALL_KERNEL builds by adding missing #ifndef IEEE80211_STA_ONLY

pointed out by krw@


# 1.51 26-Jan-2009 damien

move ni_macaddr field at the top of the ieee80211_node structure.
this way we can avoid putting a full node structure (which is huge)
on the stack in ieee80211_find_node().
this is a bit tricky but the RB_FIND macro wants an "elem" structure,
not a field of "elem".


# 1.50 26-Jan-2009 damien

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occurred in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.


# 1.49 14-Dec-2008 damien

Add an ieee80211_notify_dtim() function that drivers should call after
every DTIM in HostAP mode.
Flushes all group addressed MSDUs buffered at the AP for power management.


# 1.48 23-Oct-2008 mk

Prevent a crash in ieee80211_setkeys() when unplugging an interface in
hostap mode by canceling the group rekey timeout in ieee80211_node_detach().

ok damien


# 1.47 15-Oct-2008 blambert

Second pass of simple timeout_add -> timeout_add_sec conversions
This should take care of the simpler ones (i.e., timeout values of
integer multiples of hz).

ok krw@, art@


# 1.46 27-Sep-2008 damien

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successful 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.


# 1.45 29-Aug-2008 damien

move code to support Frequency-Hopping spread spectrum (FHSS) PHYs
to the Attic. nothing uses it in the tree and it is very unlikely
that something will use it one day.
the only driver supporting FHSS PHYs in the tree is ray(4) and it
does not use net80211.


# 1.44 27-Aug-2008 damien

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.


# 1.43 12-Aug-2008 damien

new SHA-256 based AKMPs.


# 1.42 12-Aug-2008 damien

add/process group integrity cipher suite in RSN IEs.
add support for MFP negotiation during association.


# 1.41 12-Aug-2008 damien

the only integrity group cipher currently supported is AES-128-CMAC.


# 1.40 12-Aug-2008 damien

generate a random IGTK in HostAP mode if we're MFP-capable.


# 1.39 12-Aug-2008 damien

get rid of the map_ptk()/map_gtk() functions, just inline them
which makes things easier to track.


Revision tags: OPENBSD_4_4_BASE
# 1.38 02-Aug-2008 damien

Drop frames that are received unencrypted when WEP is on or when
WPA is on and RX protection for TA is on.
Keep track of the TX/RX protection for each node when WPA is on.

tested by djm@ (ral+wpa), ckuethe@ (ath-noenc) and krw@ (wpi<->ral+wpa).
hints from bluhm@
has been in snaps for a few days.

pointed out by bluhm@ something like 1 year ago but we did not have
the right infrastructure to fix it properly at that time.

ok deraadt@


# 1.37 28-Jul-2008 damien

ignore PS mode changes and PS-Poll from non-associated STAs.
keep track of the number of associated STAs in PS mode.


# 1.36 27-Jul-2008 damien

s/IEEE80211_DPRINTF/DPRINTF/
automatically prepend __func__ to output.

deobfuscates debug messages a bit.
no binary change unless compiled with IEEE80211_DEBUG.


# 1.35 21-Jul-2008 damien

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.


# 1.34 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


# 1.33 21-Apr-2008 damien

move ieee80211_ibss_merge() from ieee80211_input.c to ieee80211_node.c


# 1.32 21-Apr-2008 damien

move ieee80211_auth_open() to ieee80211_proto.c
move ieee80211_setup_rates() to ieee80211_node.c
move some prototypes from ieee80211_proto.h to ieee80211_crypto.h


# 1.31 16-Apr-2008 damien

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.30 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.29 07-Sep-2007 damien

use new malloc M_ZERO flag + replace MALLOC with malloc


Revision tags: OPENBSD_4_2_BASE
# 1.28 06-Jul-2007 damien

remove remaining bits for pre-RSNA shared authmode support.
it has been #if 0'd since 3.9 and we have never supported this mode (no
ifconfig option etc...).


# 1.27 06-Jul-2007 damien

initialize an uninitialized variable.


# 1.26 03-Jul-2007 damien

maintain the traffic-indication (TIM) virtual bitmap by defining
a default ieee80211_set_tim() function that drivers can override
by setting ic_set_tim.


# 1.25 02-Jul-2007 damien

initial bits for proper TIM support.


# 1.24 16-Jun-2007 damien

constify


# 1.23 16-Jun-2007 damien

don't mix u_int{8,16,32}_t and uint{8,16,32}_t
use u_int{8,16,32}_t everywhere.


# 1.22 16-Jun-2007 damien

de-static

ok jsg@


# 1.21 07-Jun-2007 damien

expand the IEEE80211_NODE_{LOCK,UNLOCK}* macros into their respective
definitions.
remove comments about "lock order reversals" that are specific to freebsd.

ok reyk@ jsg@ mglocker@


# 1.20 06-Jun-2007 damien

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@


# 1.19 10-Apr-2007 miod

``it's'' -> ``its'' when the grammar gods require this change.


Revision tags: OPENBSD_4_1_BASE
# 1.18 15-Nov-2006 damien

s/roundup/howmany/ where it makes sense.


# 1.17 13-Nov-2006 damien

fix a possible NULL deref.


Revision tags: OPENBSD_4_0_BASE
# 1.16 19-Jun-2006 reyk

unbreak the code if compiled with IEEE80211_DEBUG by using the right
node attribute.

ok damien@, figured out by claudio@


# 1.15 18-Jun-2006 damien

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@


Revision tags: OPENBSD_3_9_BASE
# 1.14 19-Feb-2006 damien

Fix a comment in ieee80211_next_scan().


# 1.13 09-Oct-2005 reyk

if the wireless hostap interface belongs to a bridge, learn the node's
address dynamically on this interface after successful association.
this could speed wireless roaming to openbsd access points.

ok jason@, jsg@ can't see anything objectionable


# 1.12 07-Oct-2005 reyk

minor knf


# 1.11 13-Sep-2005 reyk

replace the node hash table with a red-black tree. this fixes some
bugs in the node table (like duplicate nodes in hostap mode), we get
rid of possible hash collisions, and it simplifies the code.

tested by many, ok damien@, jsg@


# 1.10 08-Sep-2005 reyk

mostly knf

ok jsg@


# 1.9 08-Sep-2005 jsg

Remove the last of the FreeBSD compatibility goop.
ok reyk@


# 1.8 08-Sep-2005 jsg

Remove FreeBSD if_printf compat function from net80211.
ok reyk@


# 1.7 08-Sep-2005 reyk

reset the scan state for each new mode

ok jsg@


# 1.6 07-Sep-2005 jsg

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@


Revision tags: OPENBSD_3_8_BASE
# 1.5 25-May-2005 reyk

add ifconfig -M option to replace wicontrol -L and -l for ap scanning
and node listing. wicontrol is not supported by net80211 drivers
anymore. further improvements will be done.

ok dlg@, jsg@


# 1.4 21-Apr-2005 reyk

scan the next mode if nothing has been found. this is necessary if the
device supports different incompatible modes in the same channel
range, like 11b and "pure" 11G mode.

ok dlg@ pvalchev@


Revision tags: OPENBSD_3_7_BASE
# 1.3 17-Feb-2005 reyk

derived from NetBSD:

---
Make the node table into an LRU cache: least-recently used nodes
are at the end of the node queue. Change the reference-counting
discipline: ni->ni_refcnt indicates how many times net80211 has
granted ni to the driver. Every node in the table with ni_refcnt=0
is eligible to be garbage-collected. The mere presence of a node
in the table does not any longer indicate its auth/assoc state;
nodes have a ni_state variable, now.

While I am here, patch ieee80211_find_node_for_beacon to do a "best
match" by bssid/ssid/channel, not a "perfect match." This keeps
net80211 from caching duplicate nodes in the table.
---

ok deraadt@ dlg@, looks good jsg@


# 1.2 02-Nov-2004 millert

Don't call memset() if MALLOC returns NULL; also fix the rcs ID.
From Patrick Latifi; OK reyk@


Revision tags: OPENBSD_3_6_BASE
# 1.1 22-Jun-2004 millert

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.