path: root/sys/net80211
Age  Author
Commit message
2017-10-26  Martin Pieuchot
Move common code to add/remove multicast filters to ieee80211_ioctl(9).
ok jsg@, stsp@
2017-10-24  Jonathan Gray
remove defines for ioctls the kernel doesn't recognise
ok mpi@
2017-10-21  Patrick Wildt
Make ieee80211_classify() available in a header so we can make the priority visible to underlying bus protocols like bwfm(4)'s bcdc.
2017-10-16  Stefan Sperling
Add comments which document already fixed WPA attack vectors.
2017-09-05  Stefan Sperling
When starting a new scan always set the mode to AUTO if the driver scans all bands at once. Fixes a problem where e.g. 5GHz APs were filtered out if we were previously associated to an 11g-only AP.
ok mpi@ phessler@
2017-09-05  Stefan Sperling
When selecting the next wireless mode during the scan loop, always select AUTO mode if the driver scans all bands at once. Otherwise the net80211 layer unnecessarily filters out some of the beacons received by the device.
ok phessler@ mpi@ kevlo@
2017-09-04  Stefan Sperling
If a beacon is received in RUN state, reset the management timer.
Some wifi drivers send a probe request if the hardware reports "missed beacon" events. If the AP replies with a probe response it is still servicing us and there is no need to search for a new AP. However, the management timer was not reset if a beacon was received while in RUN state. So the interface watchdog always ended up putting the driver into SCAN state after a missed beacon event, even if the AP did respond to our probe request. Under some conditions this bug would cause spurious disconnects.
Problem reported and fix tested by mlarkin@
(Using the management timer in RUN state is a new convention. Before support for missed beacons was added, this timer was only used during the association sequence to handle APs which don't respond to our assoc requests and such.)
2017-08-18  Stefan Sperling
Clear WPA group keys from memory before initiating a key exchange with an access point. Prevents false positive 'reused group key' warnings in dmesg when re-associating to the same access point.
Problem reported by tb@
ok tb@
2017-08-17  Stefan Sperling
Add an entry to dmesg if pairwise WPA keys arrive unexpectedly or if WPA group keys are being reused. OpenBSD wireless clients will now leave a trail of such events in their message log. There has been increased public scrutiny of WPA's security recently, so I am curious to see if anyone is attempting replay attacks in the wild.
ok deraadt
2017-08-04  Stefan Sperling
Compile a debug printf in ieee80211_match_bss() by default, previously guarded by the IEEE80211_DEBUG preprocessor flag. This shows one line per detected AP after a scan, and indicates which APs are considered candidates for association. Shorten the output a bit to fit into 80 columns more likely.
ok sthen@
2017-08-04  Stefan Sperling
Remove ieee80211_input_print() which printed information about received frames to dmesg, if debug mode was enabled with ifconfig. This debug output was much too verbose and not actually useful for debugging. tcpdump -y IEEE802_11_RADIO will show the same information.
ok sthen@
2017-08-04  Stefan Sperling
Show net80211 state transitions in dmesg if 'ifconfig debug' was used.
This information is needed in bug reports. Convert the invalid state transitions from panic() to a printf() which is also guarded by ifconfig debug. There are many races exposed by these panics which should all be fixed. But that will surely take some time, and the panics have now served their purpose. Thanks to everyone who reported these panics being triggered, your help is appreciated.
2017-07-22  Stefan Sperling
Make the kernel panic if an invalid state transition occurs in net80211.
Triggers on driver bugs such as those which were fixed in rsu(4) recently.
ok kevlo@
2017-07-22  Stefan Sperling
Fix length checks in EAPOL key frame parsing.
Problem reported by Ilja Van Sprundel.
ok tb@ kevlo@
2017-07-19  Stefan Sperling
Plug an information leak in ieee80211_node2req().
Problem reported by Ilja Van Sprundel.
ok tb@
2017-07-19  Stefan Sperling
Improve the heuristic which selects 5GHz APs over 2GHz APs.
The previous code wasn't quite right: it didn't account for the fact that some drivers don't set ic_max_rssi, and it compared 5GHz APs to a threshold relative to the max RSSI, rather than comparing RSSI on 5GHz relative to RSSI on 2GHz.
This heuristic is only used by SCANNALLBAND drivers: iwn(4), iwm(4), wpi(4)
In the future the AP selection heuristic should be made more intelligent, e.g. it should take BSS load information in beacons into account. Another open problem is inconsistent representation of RSSI measurement values throughout our drivers and stack. Help is welcome!
For now, this hopefully improves AP selection at busy airports.
ok sthen@ deraadt@
2017-07-02  Kevin Lo
Add the definition of IEEE80211_DUR_DS_SHSLOT.
From IEEE Std. 802.11-2016, Table 18-5 "ERP characteristics", p. 2332:
aSlotTime characteristic:
If dot11OperatingClassesRequired is false:
Long = 20 us
Short = 9 us
ok stsp@
2017-06-20  Stefan Sperling
Initialize the link state of a wireless interface to DOWN when the interface is attached to the net80211 layer. Prevents confusion in cases where drivers forget to initialize the link state.
ok mpi@ kettenis@
2017-06-04  Theo Buehler
Add sizes for free for the RSN IEs. Rewrite ieee80211_save_ie() slightly to make it more readable.
help, many explanations and ok stsp
2017-06-03  Theo Buehler
Add a few sizes to free().
Input, help & ok stsp
2017-06-03  Theo Buehler
Explicitly zero out the wepseed for TKIP and WEP.
ok stsp
2017-06-02  Stefan Sperling
Scale the missed beacon counter threshold to the AP's beacon interval.
This should make fading APs time out consistently regardless of what the beacon interval is set to (range is 1 to 2^16 TU, though in practice 100 TU seems to be a common value). Print the beacon interval and missed beacon counter threshold to dmesg if the DEBUG flag was set on the wireless interface with ifconfig(8). This should help with diagnosing any issues that pop up.
Requested and diff eye-balled by kettenis@
help & ok tb@ phessler@
2017-05-31  Stefan Sperling
The net80211 stack was providing a 'beacon miss timeout' value (in ms) which specified how much time may elapse without beacons before drivers begin searching for a new AP. Drivers convert this timeout value into the amount of beacons they're allowed to miss. Having the stack provide this number upfront simplifies things.
ok mpi@
2017-05-30  Stefan Sperling
Improve the new ieee80211_{min,max}_rates() APIs and fix regressions.
Instead of returning an index into ni_rates, return the RVAL of the basic rate we want to use. This allows a driver to unambiguously map the basic rate to the corresponding hardware-specific rate value, and reduces the possibility of bugs where indices are used with arrays they weren't intended for. Adjust iwn(4) accordingly, and use the lowest instead of the highest basic rate in iwn_tx() to cope better in noisy environments.
Fixes association problems on 5GHz reported by tb@
2017-05-30  Stefan Sperling
Introduce ieee80211_min_basic_rate() and ieee80211_max_basic_rate().
These helpers can be used by drivers to improve compatibility with APs that disable some mandatory PHY rates in the basic rate set. For instance, many of our drivers hard-code 11b rates on 2 GHz and run into problems when APs disable them. Since 11b rates are being disabled by default by some vendors, hardcoding them is not a good idea anymore.
ok mpi@ phessler@
2017-05-30  Stefan Sperling
Always set the link state DOWN once we enter ieee80211_newstate(), regardless of whether the wifi interface happens to be leaving RUN state. The interface is never usable during state transitions so setting the link DOWN is the only reasonable option when any transition is triggered. Fixes a problem where, at boot time, the link state of wifi interfaces was reported to userland as UNKNOWN (which, curiously, has value 0). dhclient's link detection logic was recently changed from ifmedia to getifaddrs which exposed the UNKNOWN link state. Since dhclient assumes an UNKNOWN link state means UP it would start trying to negotiate a lease too early during boot.
Problem reported by tb@
ok krw@
2017-05-02  Mike Belopuhov
Switch 802.11 crypto over to the new AES
OK stsp@
2017-05-02  Stefan Sperling
Fix a problem with associating to wifi networks with a hidden SSID.
If an AP is configured to hide its SSID it sends a non-zero length SSID which contains only zeroes. The AP sends its actual SSID only in probe responses after a client includes this SSID in a probe request. If we happened to receive a beacon before the probe response we stored a non-zero-length SSID of zeroes and never updated the SSID when the probe response arrived. The client was then unable to find the AP.
test & ok jung@
2017-04-23  Stefan Sperling
Handle unequal numbers of Tx and Rx streams in MiRA.
Problem reported by Colton Lewis on misc@
ok tb@
2017-04-11  David Hill
Partially revert previous mallocarray conversions that contain constants. The consensus is that if both operands are constant, we don't need mallocarray.
Reminded by tedu@
ok deraadt@
2017-04-09  David Hill
Convert a malloc(9) to mallocarray(9)
ok deraadt@
2017-03-23  Theo Buehler
Use explicit_bzero() to wipe out key material and add some sizes to free().
ok stsp
2017-03-21  Stefan Sperling
When a new WPA key is set while WEP is enabled, disable WEP, and when a new WEP key is set while WPA is enabled, disable WPA. Prevents unusable configurations where both WEP and WPA are active and makes switching between WEP/WPA networks easier.
ok deraadt@ tb@ sthen@
2017-03-13  Stefan Sperling
Make 'ifconfig scan' show WPA information for other APs correctly while the interface operates in hostap mode.
test & ok tb@
2017-03-12  Stefan Sperling
Introduce separate fields for supported WPA protocols and AKMs in struct ieee80211_node. Pass these fields to 'ifconfig scan' instead of giving it currently configured/enabled settings. Fixes display of AP WPA capabilities in 'ifconfig scan' while the wifi interface is not configured to use WPA (my previous commit attempted to fix the same problem but didn't make it work in all cases).
ok tb@
2017-03-11  Stefan Sperling
Make 'ifconfig scan' display AP encryption correctly if WEP is configured on the local wifi interface. ifconfig was mistakenly showing the common supported subset of client and AP, rather than showing the AP's capabilities. Exposes WPA protocol capabilities in struct ieee80211_nodereq, which means ifconfig must be recompiled to run on a new kernel.
ok deraadt@ mpi@
2017-03-04  Stefan Sperling
In 11n hostap mode, dynamically adjust HT protection settings based on the presence of non-HT nodes in the node cache. OpenBSD 11n APs will now disable HT protection if it is not necessary.
ok mpi@
2017-03-02  Stefan Sperling
Initialize 'ni' pointer in ieee80211_keyrun(). Fallout from last minute changes I made to my WPA security patch. Affects WPA enterprise only.
Problem found by patrick@
ok sthen@
2017-03-01  Stefan Sperling
Fix some DPRINTFs I just added to ieee80211_pae_input.c.
No functional change.
2017-03-01  Stefan Sperling
Fix a bug allowing a man-in-the-middle attack against WPA wireless clients.
A malicious AP could trick clients into connecting to the malicious AP instead of the desired AP. All frames would then be sent in the clear. This problem was found and reported by Mathy Vanhoef who also provided an initial patch which we improved together.
2017-02-07  Stefan Sperling
Enable the short slot time feature in 802.11n mode.
ok mpi@
2017-02-03  Stefan Sperling
Fix 11b clients sending bogus ratesets in association requests. The common rateset with the AP is calculated only after the association response was received, which is too late. Fix rates when an AP is selected after a scan.
ok mpi@ tb@
2017-02-02  Stefan Sperling
Remove global counters from struct ieee80211com which track the number of associated nodes with particular properties: 11b-only ("non-ERP") nodes, nodes requiring long slot time, nodes using WPA, nodes not supporting 11n, nodes currently dozing in powersave state, and nodes with a pending group key update confirmation. These counters weren't properly maintained. There are bugs in the stack where these counters and actual node properties got out of sync. This is exposed by panics which are supposed to help us catch such bugs. But these panics don't provide real clues. Instead of maintaining global counters forcing us to hunt refcounting bugs, count nodes with the property in question on demand, by iterating over all nodes and checking their state. This is cheap since we'll never have more than 100 nodes cached, and none of the cases where we need such information is in a performance critical path. Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also encountered by my 11n APs ("panic: bogus non-HT station count 0").
tested by Lauri, tb@, and myself
ok mpi@ tb@
2017-01-31  Stefan Sperling
In a comment inside ieee80211_up_to_ac(), update a reference section number from the 802.11-2007 standard to the 802.11-2012 standard.
2017-01-31  Stefan Sperling
When telling clients which EDCA parameters to use, copy these parameters from the client parameter set, rather than from the AP parameter set.
ok mpi@
2017-01-30  Stefan Sperling
Enable ieee80211_edca_table, which was under #if 0. This table can be used by drivers to pass default EDCA parameters to firmware instead of passing local hardcoded values.
ok millert@
2017-01-28  Stefan Sperling
Make mira cope with out-of-range single frame error rate (SFER) values.
These are either due to driver bugs or rounding errors in fixed point math but can be dealt with gracefully and don't occur often (only one instance of this problem has been reported in the wild so far). Turn related panics into debug printfs. With 'ifconfig athn0 debug' the kernel now prints notifications about out-of-range SFER values in dmesg. Compile a kernel with 'option MIRA_DEBUG' to get a dump of driver stats in dmesg as well. This change should prevent an undesirable panic reported by Peter Kay, though it does not actually address the root cause of the problem.
ok tb@
2017-01-28  Stefan Sperling
Introduce ieee80211_mira_probe_done() helper which resets probing state, cancels timeouts, and resets driver stats. Call it when probing has finished instead of manually resetting only probing state. Right now this is only called once but an upcoming change will reuse it.
2017-01-25  Stefan Sperling
In amsdu_decap() check the actual length of the data in the remaining mbuf chain. Else this function will sometimes signal end of AMSDU frame too early.
Patch by Imre Vadasz.
ok mpi@ phessler@
2017-01-19  Stefan Sperling
Enable TKIP as pairwise cipher when ifconfig's wpaprotos option enables WPA1.
Without this fix it was impossible to use WPA1 without also making use of the wpaciphers option to enable TKIP. Problem noticed by pirofti@.
ok mpi@