summaryrefslogtreecommitdiff
path: root/sys/net80211
AgeCommit message (Collapse)Author
2021-11-08Send MiRA source files to the Attic.Stefan Sperling
These files were unhooked from the build in April 2021.
2021-11-03In addition to the WEP key(s) being set at device initialization withKenneth R Westerback
'nwid'/'nwkey', the keys will be set at random times when 'join'/'nwkey' is used. So also stop trying to set IEEE80211_CIPHER_NONE keys on that path. James Hastings confirms this fixes his '(null node)' panics on run(4). Thanks! ok stsp@
2021-10-11Monitor 20/40 MHz channel width changes in beacons sent by our access pointStefan Sperling
and notify drivers when the channel width has changed.
2021-10-11Add support for 40MHz channels to net80211 RA.Stefan Sperling
For the moment we use either the 40MHz rate set or the 20 MHz one, depending on whether our peer supports 40MHz channels. If this turns out to be suboptimal we could probe the 40MHz and 20MHz rate sets separately to detect which one works better. The same applies to use of the short guard interval (SGI), which is either always on or off at the moment. Again, probing for this could be added later if needed.
2021-10-08Revert my previous commit to ieee80211_node.c (CVS commit Hne35XgzezGa9zmv).Stefan Sperling
Sending frames from ieee80211_node_join_bss() won't work as expected. I missed that IEEE80211_SEND_MGMT() calls if_start() immediately after queueing the management frame. This means the probe request is being sent in a state where, while ic_bss represents our new AP, the driver did not yet have a chance to move the device over to our new AP. The auth request for the new AP is sent from ieee80211_newstate() which runs after the driver has reconfigured the device. If want to send a probe request to the new AP then we would need to send it at that point, before the auth frame gets sent.
2021-10-07Send a probe request to our new AP when we are about to roam to it.Stefan Sperling
Tested by fkr on iwx ax200/ax201 and myself on iwm 8265. Also tested by florian and bket as part of a larger diff. ok mpi@
2021-09-23Revert ieee80211_proto.c r1.97 (cvs commit ID 8vKZsdvvkjTr5BG5).Stefan Sperling
My assumption that frames which are buffered on the power save queue were already encrypted was wrong. And the issue which this change intended to fix is still present (reported by Mikolaj Kucharski).
2021-09-23Add an ADDBA_OFFLOAD capability for wifi devices manage Tx block ackStefan Sperling
sessions entirely in firmware. This will be used by iwx(4).
2021-09-08Improve debug output when sending 802.11 action frames by showing theStefan Sperling
action frame subtypes we care about (i.e. those related to 11n block ack). ok mpi@
2021-09-03Reset a net80211 node's QoS Tx sequence counter to the start of theStefan Sperling
block ack window when a new Tx block ack agreement is established. In the future this change will allow the iwx(4) driver to initialize this sequence number such that it corresponds to what the firmware expects. Note that ba->ba_winstart is set to ni->ni_qos_txseqs[tid] when a new Tx agg agreement is initiated in ieee80211_node_addba_request(). Unless the driver resets ba->ba_winstart before ieee80211_addba_resp_accept() runs, which is what iwx(4) will do, the assignment added with this patch is a no-op.
2021-05-18Drop fragmented 802.11 frames.Stefan Sperling
Fragmented frames were never of any practical use to us anyway, given that our net80211 stack does not (yet?) re-assemble them. Counter-measure against attacks where an arbitrary packet is injected in a fragment with attacker-controlled content (via an AP which supports fragments). See https://papers.mathyvanhoef.com/usenix2021.pdf Section 6.8 "Treating fragments as full frames" ok mpi@
2021-05-17put unused 802.11 fragmentation support code under #ifdef notyetStefan Sperling
2021-05-17Prevent frame injection via forged 802.11n A-MSDUs.Stefan Sperling
This mitigates an attack where a single 802.11 frame is interpreted as an A-MSDU because of a forged AMSDU-present bit in the 802.11 QoS frame header. See https://papers.mathyvanhoef.com/usenix2021.pdf section 3.2. MAC address validation is added as an additional measure to prevent hostap clients from sending A-MSDU subframes with a spoofed source address. An earlier version of this patch was reviewed by Mathy Vanhoef, who spotted a bug in my original attempt at preventing spoofed addresses. ok mpi@
2021-05-11During a "key unset for sw crypto" panic, display more meta-dataStefan Sperling
about the offending key. This will hopefully help with debugging.
2021-05-11In hostap mode don't send data frames to nodes which aren't in state ASSOC.Stefan Sperling
Sending data frames to nodes in other states is wrong since the node's data structure might not be set up properly in such states. This could explain occasional "key unset for sw crypto" panics observed with athn(4) hostap interfaces. Problem reported and fix tested by Mikolaj Kucharski.
2021-05-03Tweak the heuristic net80211 RA is using to decide whether enoughStefan Sperling
statistics have been gathered for a candidate Tx rate. The goal is to avoid Tx rate choices that might turn out to be too optimistic. In practice this only affects the case where we probe upwards. If the current Tx rate starts seeing loss we will still scale down very quickly. Based on a larger collection of patches by Christian Ehrhardt. I have made stylistic tweaks for consistency. Tested: iwn 6205: stsp, Josh Grosse iwm 7265: stsp iwm 8265: Matthias Schmidt iwm 9260: phessler
2021-04-29Make iwn, iwm, and iwx keep track of beacon parameters at run-time.Stefan Sperling
- HT protection settings (this was already implemented) - ERP (11g) protection setting - short slottime setting - short preamble setting - EDCA (QoS) parameters All of these parameters are communicated in beacons and hardware is now kept up-to-date with them. Prompted by a problem report from Christian Ehrhardt regarding ERP. Tested: iwn 6205: stsp, Josh Grosse iwm 7265: trondd iwm 8265: stsp, Matthias Schmidt iwm 9260: phessler iwx ax200: stsp, jmc, gnezdo
2021-04-25Implement support for Rx aggregation offload in iwm(9) and iwx(4), andStefan Sperling
re-enable de-aggregation of A-MSDUs in net80211 for all drivers capable of 11n mode. This can provide improved Rx performance if the access point supports transmission of A-MSDUs nested in A-MDPUs. iwm(9) 9k and iwx(4) devices de-aggregate A-MSDUs in hardware. Neither our drivers nor the net80211 stack were prepared to handle this. Add two Rx-info flags which drivers can use to avoid having subframes which arrived in the same A-MSDU rejected as duplicates in the net80211 input layer: IEEE80211_RXI_HWDEC_SAME_PN allows the same CCMP packet number for a series of subsequent frames. IEEE80211_RXI_SAME_SEQ allows the same 802.11 frame header sequence number for a series of subsequent of frames. Handle A-MPDU reordering on iwm 9k and iwx devices, based on code from iwlwifi. Rx block ack window information is provided by firmware. So far this info was ignored by drivers and reordering of A-MPDU subframes happened twice: Once in firmware, and again in net80211. Tested: iwm 7260: bcallah, dv iwm 7265: mpi, trondd, Matthias Schmidt iwm 8260: bket, Marcus MERIGHI iwm 8265: stsp, tracey, Uwe Werler iwm 9260: phessler, matthieu iwm 9560: stsp, Uwe Werler iwx ax200: jmc, stsp iwx ax201: stsp
2021-04-15When starting an AP or IBSS network, reconfigure the operation mode toStefan Sperling
11ac/n/a/g/b as applicable. Fixes an issue where hostap would end up running in the rather meaningless MODE_AUTO unless a mode was explicitly configured with ifconfig. Found while investigating issues reported by trondd testing my athn RA patch. ok deraadt@
2021-03-26Fix wrong sequence number wrap in ieee80211_recv_auth().Stefan Sperling
IEEE 802.11 sequence numbers wrap around at 0xfff, not 0xffff. ok phessler@ kevlo@
2021-03-25an invalid value of `mcs' may come from the hardware so adjust code so that theRicardo Mestre
value is only used after checking if it's valid or not. CID 1502921 OK stsp@ phessler@
2021-03-23Fix a corner case bug in Rx block ack window gap-wait timeout handling.Stefan Sperling
If ieee80211_input_ba_flush() was called when there was nothing to flush, the (already pending) gap wait timeout was re-armed. This is only correct if we flush at least one packet. Otherwise packets that arrive at a constant rate of about 4-5 packets per second would extend the gap-wait timeout until the block ack window fills up. In extreme cases this can result in packets being queued for almost 20s. Fix this by returning immediately from ieee80211_input_ba_flush() if the first packet in the reordering buffer is missing. This prevents the timeout from being re-armed. Patch by Christian Ehrhardt. Tested by me on iwm(4) 7265.
2021-03-23When moving the Rx block ack window forward do not implicitly rely onStefan Sperling
ieee80211_input_ba_flush() for updating ba->ba_winend. Required for an upcoming ieee80211_input_ba_flush() fix. Patch by Christian Ehrhardt who found one instance of this problem in ieee80211_input_ba_seq(). I spotted another in ieee80211_ba_move_window().
2021-03-12Add RA, a new 11n Tx rate adaptation module for net80211.Stefan Sperling
Written by Christian Ehrhardt and myself, based on ieee80211_mira.c but with significant changes. The main difference is that RA does not attempt to precisely measure actual throughput but simply deducts a loss percentage from the theoretical throughput which can be achieved by a given MCS. Unlike MiRa, RA does not use timeouts to trigger probing. Probing is triggered only by changes in measured throughput. Unlike MiRA, RA doesn't care whether a frame was part of an A-MPDU. RA simply collects statistics for individual subframes. This makes reporting very easy for drivers and seems to work well enough in practice. Another difference is that drivers can report multi-rate retries properly via ieee80211_ra_add_stats_ht(mcs, total, fail) which can be called several times before ieee80211_ra_choose() selects a new Tx rate. There is no reason any issues could not be fixed in ieee8011_mira.c but I felt it was a good moment to burn the house down and start over. And since this code diverges from how MiRA is described in the research paper applying the "MiRA" label becomes inappropriate.
2021-03-10spellingJonathan Gray
ok gnezdo@ semarie@ mpi@
2020-12-10ieee80211_decrypt must use m_freem() instead of m_free()Stefan Sperling
Patch by zxystd from the OpenIntelWireless project (drivers for macOS) ok tobhe@
2020-12-10Fix double-free on error in ieee80211_amsdu_decap().Stefan Sperling
Bug was introduced by my previous commit to this file. ok tobhe@
2020-12-09Ignore trailing data in A-MSDU frame buffers if it is smaller than theStefan Sperling
Ethernet header size. Avoids spurious "input packet decapsulations failed" errors in 'netstat -W' with A-MSDU enabled (currently disabled in-tree). Problem observed and fix verified on iwm(4) 8260 by me and 7260 by tobhe. ok phessler@ tobhe@
2020-12-09Disable A-MSDU support again.Stefan Sperling
iwm(4) 9k and iwx(4) need more work before AMSDU can be enabled. These devices decapsulate A-MSDU in hardware and required changes to make this work with our drivers and stack seem to be non-trivial. Problems reported by phessler@ ok phessler@
2020-12-09Flush reorder buffer after gap timeout, otherwise the frames remaintobhe
in the buffer until the next frame is received. Found by and fix from Christian Ehrhardt ok stsp@
2020-12-08Enable 802.11 A-MSDU support again. It was disabled some time ago butStefan Sperling
the underlying problems have since been fixed. Using A-MSDUs results in improved download speeds with APs that support them. tested by robert@
2020-12-08Fix 802.11 RSN capabilities announced to peers.Stefan Sperling
We were echoing back all RSN capabilities announced by our peer, even for features which we don't support. One such feature is Management Frame Protection (MFP). If we announce this capability then the peer sends us encrypted management frames which won't be processed. One symptom of this is that we fail to negotiate block ack with APs that support MFP. Only echo the RSN capabilities which we support, i.e. key replay counters. Handle MFP and PBAR bits here as done elsewhere. Neither of these features is enabled yet at run-time. As far as I can tell, the remaining RSN caps are not supported by drivers (e.g. SPP A-MPDU) or won't be supported (outdated WEP->TKIP transition support). The corresponding bits should always be clear. Problem with 0 input block ack sessions found by sthen@ and robert@ Fix tested by sthen@, robert@, phessler@, and kmos@ ok phessler@ kmos@
2020-12-08Fix gapwait accounting. Count all the packets in the reordertobhe
buffer. Restart the gap timeout if the buffer is not empty after we flush out some of the packets. Found by and fix from Christian Ehrhardt ok stsp@ phessler@
2020-12-08Use BA agreement immediately after it is requested by the AP.tobhe
Some APs continue to send QOS packet for the same tid (with normal ack policy). Make those packets go through BA reordering to advance the sequence number counter in the BA agreement and prevent performance loss due to a gap wait later on. Found by and fix from Christian Erhardt ok stsp@ phessler@
2020-11-19Always check for EBUSY when the return value of ic_set_key() is tested.Kenneth R Westerback
Fixes urtwn(4) repeated DEAUTH and subsequent loss/restoration of link. It was a great dhclient(4) stress test. Note that urtwn(4) is the first and so far only device whose *_set_key() function returns EBUSY. Debugging hints and ok stsp@
2020-11-12Don't enable port or link until all crypto keys are installed byKenneth R Westerback
async task(s). Makes dhclient(8) much happier. Suggestions and ok stsp@, jmatthew@
2020-10-09Kill unused IEEE80211_RADIOTAP_HWQUEUE.Martin Pieuchot
Its value is conflicting with an effort to standardize TX flags fields of the radiotap header from Mathy Vanhoef. This flag used to indicate the presence of a specific hardware queue used by WME but is unchecked. ok sthen@, kn@
2020-10-06The command value of the _IOC() macro is limited to values [0..255].Gerhard Roth
This change results in no binary change, it just makes things more clear. OK deraadt
2020-08-28Add missing #if's to fix build without bpf(4).mvs
ok deraadt@
2020-07-21Improve processing of lost frames during 802.11 Rx aggregation.Stefan Sperling
Make ieee80211_input_ba() skip one missing frame at the head of the Rx block ack (BA) window once the rest of the window has filled up with pending frames. This avoids having to wait for the BA window gap timeout handler to run in order to make progress in such situations. Simplify the BA gap timeout handler by deferring the actual flushing of the BA window buffer to the regular input path. The timeout handler now simply advances the BA window across any missing frames at the head of the window, and if_input() is no longer called from the context of this timeout handler. The window will be flushed once another frame arrives. Packet loss under streamy traffic conditions and during Rx bursts is reduced. Much less stuttering, more stable tcpbench, and easier flight in Minecraft. tested by phessler@, Martin Vahlensieck, jmc@, Uwe Werler, and myself
2020-07-20The IEEE80211_F_HIDENWID flag is now part of ic_userflags, not ic_flags.Stefan Sperling
Fix code which was still looking for this flag at the old location. The 'hidenwid' feature was slightly broken as a result: The SSID was leaked in probe responses to wildcard probe requests. There are other trivial ways of snooping a "hidden" SSID however so this is not a big deal. Problem reported by Mogens Jensen.
2020-07-15ieee80211: track micfail timeout with getuptime(9) instead of tickscheloha
With input from stsp@. ok stsp@
2020-07-13When a wifi interface acts as a client and the WPA handshake is done,Stefan Sperling
update the WPA group cipher value in interface configuration data. Code relying in this value will otherwise get the group cipher wrong. One obvious example is ifconfig which now displays the negotiated group cipher rather than always displaying the default value 'ccmp'. Fixes a regression where athn(4) no longer worked against WPA2 APs which use TKIP as a group cipher for compatibility with WPA1. Problem reported by Tim Chase. ok kettenis@
2020-07-10Change users of IFQ_DEQUEUE(), IFQ_ENQUEUE() and IFQ_LEN() to use thePatrick Wildt
"new" API. ok dlg@ tobhe@
2020-06-08Undo pseudo-driver changes early in ieee80211_ifdetach() to prevent aStefan Sperling
use-after-free when a wireless device is detached. Pseudo-driver detach hooks may end up calling back into the driver, e.g. via an ioctl. So these hooks must run before net80211 data structures are freed. Reported by ratchov@ who saw the following trace when athn(4) detached while it was part of a trunk(4) interface. The trunk(4) detach hooks were run after ieee80211_ifdetach() had been run by athn_detach(). These hooks called back into the driver via athn_ioctl() which now operated on freed memory. uvm_fault(0xffffffff81facdd0, 0xb14, 0, 1) -> e kernel: page fault trap, code=0 Stopped at ieee80211_ba_del+0x20: cmpl $0,0x2c(%r15) ddb{0}> ieee80211_ba_del(0) at ieee80211_ba_del+0x20 ieee80211_newstate(ffff8000000c1048,0,ffffffff) at ieee80211_newstate+0xb51 athn_stop(ffff8000000c1048,1) at athn_stop+0x70 athn_ioctl(ffff8000000c1048,80206910,ffff800014d63800) at athn_ioctl+0x15b ifnewlladdr(ffff8000000c1048) at ifnewlladdr+0x100 trunk_port_destroy(ffff800000589800) at trunk_port_destroy+0x320 if_hooks_run(ffff8000000c10b8) at if_hooks_run+0xb0 if_deactivate(ffff8000000c1048) at if_deactivate+0x24 ether_ifdetach(ffff8000000c1048) at ether_ifdetach+0x1d athn_detach(ffff8000000c1000) at athn_detach+0x17b athn_pci_detach(ffff8000000c1000,1) at athn_pci_detach+0x2a config_detach(ffff8000000c1000,1) at config_detach+0x156 config_detach_children(ffff8000000b7500,1) at config_detach_children+0x58 pci_detach_devices(ffff8000000b7500,1) at pci_detach_devices+0x24 ppb_hotplug_remove(ffff800000033e00) at ppb_hotplug_remove+0x35 taskq_thread(ffffffff81f4bd48) at ok mpi@ ratchov@
2020-06-01Revert "Ignore new Rxblock ack agreements until the WPA handshake is done."Stefan Sperling
There are access points out there which insist on establishing a block ack agreement with the client before the WPA handshake can complete. This is sad, but we cannot operate against such APs if we require the handshake to complete first. This reverts CVS commit 4wXCjWU3qNtIX7gW. Problem reported and fix tested by Brandon Sahlin on bugs@
2020-05-31Typo in WPA supplicant state machine: RNSA_SUPP_PTKDONE -> RSNA_SUPP_PTKDONEStefan Sperling
2020-05-31Remove a dead assignment to ni_rsn_state in ieee80211_node_leave_rsn().Stefan Sperling
Patch by Mikolaj Kucharski
2020-05-29If no station happens to be associated when ieee80211_setkeys() runs thenStefan Sperling
complete group key renewal immediately. The old code would not install the new group key unless a station in need of re-keying was present. Tested by Mikolaj Kucharski on bugs@
2020-05-29In hostap mode, after completing a new group key handshake with allStefan Sperling
associated clients and before switching over to the new group key, purge the AP's global power-save frame queue. This queue may contain group-addressed frames which were encrypted with the old group key. Clients will not be able to decrypt such frames, and purging the queue prevents a panic ("key unset for sw crypto") where athn(4) attempts to transmit such frames from its software beacon alert interrupt handler. This is another variant of the problem fixed in CVS commit ufdFLtcLfPRrbshM. Panic reported and fix tested by Mikolaj Kucharski on bugs@