| Age | Commit message (Collapse) | Author |
|---|
|
We now prefer stronger crypto over weaker crypto over none, prefer 5 GHz
band with reasonable RSSI, and use RSSI as a tie-breaker with a slight
advantage for 5GHz. Candidate APs are now ranked by a score which is
calculated based on these attributes.
There is likely room for improvements to make these heuristics
work well across many different environments, but it's a start.
ok phessler@
|
|
Some access points have a feature called "band steering" where they
will try to push clients from 2 GHz channels to 5 GHz channels.
If a client sends probe-requests on both 2 GHz and 5GHz channels, and
then attempts to authenticate on a 2 GHz channel, such APs will deny
authentication and hope that the client will come back on a 5 GHz channel.
So if we fail to AUTH for any reason, and if there is a different
AP with the same ESSID that we haven't tried yet, try that AP next.
Keep trying until no APs are left, and only then continue scanning.
APs with support for this feature were provided by Mischa Peters.
ok phessler@ mpi@
|
|
requested by mpi@
|
|
Some APs (Aruba 105) send a bogus basic MCS set in assoc responses
which prevents us from enabling 11n support with those APs, while
these APs still behave as if were were an 11n client which renders
the association unusable.
The basic MSC set is already provided in beacons anyway, and the
802.11 2012 standard says the basic MSC set is reserved in frames
other than beacons (see Table 8-130).
ok mpi@
|
|
Status codes and reason codes are separate things listed in distinct tables.
This debug message made me look at the wrong table and scratch my head.
|
|
auto-join
with feedback from florian and stsp
ok florian@ phessler@ (on previous versions of the diff) stsp@
|
|
Drop ieee80211_add_ess's nwid parameter. Read nwid and length directly
from the ic to make it more obvious where this function is reading from.
nwids are binary data with an explicit length, so treat them as such
instead of treating them like strings.
ok florian phessler
|
|
the nwid. It will not have changed in the meantime.
OK stsp
|
|
the stack doesn't always fill in the paramaters correctly
reported by many
|
|
Should fix a panic with bwfm(4) reported by mlarkin@
ok phessler@
|
|
false so we always selected the first wifi available, not the best
one.
While here shuffle some deck chairs to make it clearer that anything is
better than nothing.
tweak & OK phessler
|
|
in case we want WPA2 and they have WPA1 still enabled
|
|
OK stsp@
|
|
Make sure all of the crypto options the AP announces matches what we
would configure. While here, don't switch if the user has specified
a specific BSSID, and the new AP does not match.
OK stsp@
|
|
magic constant to panic() calls.
ok benno@ henning@ tb@
|
|
This allows a system to remember which ESSIDs it wants to connect to, any
relevant security configuration, and switch to it when the network we are
currently connected to is no longer available.
Works when connecting and switching between WPA2/WPA1/WEP/clear encryptions.
example hostname.if:
join home wpakey password
join work wpakey mekmitasdigoat
join open-lounge
join cafe wpakey cafe2018
join "wepnetwork" nwkey "12345"
dhcp
inet6 autoconf
up
OK stsp@ reyk@
and enthusiasm from every hackroom I've been in for the last 3 years
|
|
OK stsp@
|
|
response in case a lower RSSI is measured for a subsequent beacon.
I have run into a 5Ghz AP which sends beacons with very low Tx power for some
reason, while probe responses are transmitted with reasonable signal strength.
This change ensures such 5GHz APs will be considered as a reasonable choice
during access point selection.
Discussed with sthen@, Patrick Dohman, and others on tech@
ok phessler@ pirofti@
|
|
Patch by Jesper Wallin
|
|
debug print "invalid transition" to dmesg in this case.
|
|
get an up-to-date view of APs around us. In particular, we need to
kick out the AP we are associated to. Otherwise, our current AP might
stay cached if it is turned off while we are scanning, and we could
end up picking a now non-existent but "good looking" AP over and over.
found with and ok phessler@
|
|
The WEP key index is stored in ic_def_txkey. The iGTK ("integrity group key")
index is specific to WPA. The previous code happened to always select WEP key
index 0 since the iGTK index is not yet used by any driver.
ok phessler@
|
|
type then panic immediately instead of silently dropping packets.
ok phessler@
|
|
point in scheduling ic_bgscan_timeout() since this timeout will find that
it has nothing to do.
ok phessler pirofti
|
|
Clear group keys in iee80211_newstate only if we're doing WPA.
Otherwise, ieee80211_crypto_clear_groupkeys() will clear WEP
keys configured by userland before associating.
(All WEP keys are group keys.)
ok phessler@ tb@ pirofti@
|
|
scanning if none was found.
Accidentally broken in recent ifconfig scan changes by pirofti and me.
ok pirofti
|
|
The following removes the functionality of the SIOCS80211SCAN ioctl.
After long discussions with stps@, mpi@, and deraadt@ we decided that
this was the correct way of fixing ifconfig scan from blocking the
network stack.
The kernel will continue scanning in the background and filling the
nodes array, but ifconfig scan commands will now basically do just a
SIOCG80211ALLNODES and pretty print the array. So the output stays the
same but is instant.
In fact, when the interface is freshly brought up, if you type fast
enough, you can see the array being filled by running multiple ifconfig
scans in sequence.
The SIOCS80211SCAN ioctl stays for now as wi(4), pgt(4) and malo(4)
still need it around. But not for long...
Another change that this introduces is the fact that ifconfig scan no
longer plays with UP and DOWN. If the interface is down it complains and
exits. This is needed in order to maintain the nodes list.
Works on iwm(4), iwn(4), urtwn(4), run(4) and athn(4).
Tested by mpi@, landry@, florian@, thanks!
OK mpi@.
|
|
afterwards.
crash reported by Piotr Isajew
ok stsp@
|
|
The account flag `ASU' will no longer be set but that makes suser()
mpsafe since it no longer mess with a per-process field.
No objection from millert@, ok tedu@, bluhm@
|
|
no binary change on amd64
|
|
instead of testing some un-obvious bitfield
OK stsp@
|
|
left-over kernel malloc feature we don't use.
OK deraadt@
|
|
can use to process, and then acknowledge or reject, incoming AUTH
requests in hostap mode.
net80211 accepts an AUTH request from any STA which fits into the node
cache. This behaviour doesn't work for devices which have a lower limit
on concurrent STAs they can serve, so such drivers need an override.
This will be used by our athn(4) USB driver soon.
ok kevlo@
|
|
Using if_enqueue() here, from interrupt context, might result in
the packet beeing enqueued, incorrectly encrypted, on the TX ring.
This race has been recently exposed by the re-introduction of the
TX mitigation. It exists because the net80211 stack sets
IEEE80211_NODE_TXPROT on the node while processing the 3rd message,
assuming the answer has already been transmitted. However a CPU
returns from if_enqueue() it cannot assume that the send queue is
empty. So call if_start() to flush this queue.
Encrypting the 4th message of the 4way handshake with the new key
breaks WPA handshake as found the hardway by anton@.
Race analysed by dlg@, a lot of net80211 inputs and suggetions from
stsp@.
ok stsp@, dlg@
|
|
|
|
we aren't running in hostap or ibss mode.
|
|
a node's RSSI info while we are still in INIT state.
ok phessler@
|
|
ok patrick@
|
|
Should speed up debugging.
ok phessler patrick
|
|
Problem reported by Gregoire Jadi on bugs@
|
|
strongest received signal.
OK stsp@
|
|
2Ghz APs because the 5Ghz band is generally less saturated.
The previous implementation was dependent upon the order of walking
APs.
ok stsp
|
|
list has zero elements and PMKID would be the last field in the RSN IE.
This is correct as per 802.11-2012 8.4.2.27.1 and aligns net80211 code with
behaviour of bwfm(4) firmware, unblocking further progress in that driver.
ok patrick@ phessler@
|
|
The iwm(4) driver will now roam between access points which share an SSID.
Use 'ifconfig iwm0 debug' and 'tail -f /var/log/messages' to watch it do so.
Tested by several people in various iterations.
As usual, let me know if you run into issues.
ok phessler deraadt
|
|
The kernel is not a password database; look your wifi keys up elsewhere.
Discussed with several.
ok phessler@ jca@
|
|
OK stsp@
|
|
WPA and WEP configuration.
OK pirofti@ stsp@ sthen@
|
|
Found with ctfconv(1). ok jsg@, guenther@
|
|
ok stsp@ kevlo@ jca@
|
|
ok jsg@, stsp@
|
