path: root/sys/net80211
Age  Commit message  [Author]
2017-01-19 Enable TKIP as pairwise cipher when ifconfig's wpaprotos option enables WPA1. [Stefan Sperling]
Without this fix it was impossible to use WPA1 without also making use of the wpaciphers option to enable TKIP. Problem noticed by pirofti@. ok mpi@
2017-01-16 Reset block ack state and cancel related timeouts when a HT node disassociates. [Stefan Sperling]
The existing code (from damien@) already took care of freeing related buffers but because block ack state was not reset we were still trying to use these buffers if the node sent another A-MPDU. This problem only affects 11n hostap. Fixes kernel crash reported by Timo Myyra on bugs@
2017-01-16 Prevent wireless frame injection attack described at 33C3 in the talk titled "Predicting and Abusing WPA2/802.11 Group Keys" by Mathy Vanhoef. [Stefan Sperling]
https://media.ccc.de/v/33c3-8195-predicting_and_abusing_wpa2_802_11_group_keys
If an attacker knows the WPA group key the attacker could inject a unicast frame by sending a group-encrypted frame to the AP with addresses set as:
  addr1 (receiver): ff:ff:ff:ff:ff:ff
  addr2 (source): MAC of attacker
  addr3 (target): MAC of victim client
The AP would forward this frame as unicast, re-encrypted with the pair-wise session key of the victim client. But an AP should not forward such frames.
Guessing a WPA group key used by an OpenBSD AP is hard because our random numbers are actually random. So we are not vulnerable to this attack but we are fixing the forwarding path anyway. ok mpi@ tb@
2017-01-12 Rename ieee80211_mira_node_destroy() to ieee80211_mira_cancel_timeouts(). [Stefan Sperling]
No functional change. The previous name was chosen at a time when I could not yet anticipate what this function would really end up doing. The new name should make this function's purpose more obvious, especially where it appears at strategic places in driver code.
2017-01-10 Make receiving A-MPDUs with an 11n-enabled athn(4) driver work by not requiring 11n wireless drivers to provide an ic_ampdu_rx_start() function. [Stefan Sperling]
The athn(4) driver won't need this function since the hardware receives A-MPDU and sends block ack without setting up anything.
2017-01-09 When a HT node leaves or reassociates as a non-HT node, clear HT capabilities stored in its node cache object. [Stefan Sperling]
A node may switch from 11n mode to 11a/b/g mode. If we don't clear HT capabilities from the cache the node will be mistaken as 11n-capable after reassociation. ok phessler@ mpi@
2017-01-09 Stop defining MIRA_DEBUG by default. [Stefan Sperling]
2017-01-09 Show node MAC addresses in mira debug output. [Stefan Sperling]
2017-01-09 Make the net80211 stack send EDCA parameters to the driver in hostap mode. [Stefan Sperling]
Fixes problems with timing of frame transmissions which caused packet loss. tested by myself and tb@ ok phessler@ mpi@ tb@
2017-01-09 When acting as 11n hostap, send Microsoft WME parameters to clients so that Linux clients will decide to use 11n mode. [Stefan Sperling]
ok phessler@
2017-01-09 Manage the HT protection setting if acting as hostap with 11n enabled. [Stefan Sperling]
For now we flip-flop only between non-member protection and non-HT protection. Running a HT network without protection would require monitoring environmental conditions (e.g. foreign beacons) which make HT protection necessary. The ic_update_htprot driver function becomes optional because it won't be needed by all drivers. Only call it if the driver has set a function pointer. ok tb@
2017-01-09 The point of ieee80211_node_leave() is to place the node in COLLECT state. [Stefan Sperling]
Return early and do nothing if the node is already in COLLECT state upon entry to this function.
2017-01-09 When acting as hostap, negotiate HT before calling the driver's ic_newassoc() function, not afterwards. [Stefan Sperling]
Drivers now know whether a joining node supports HT which helps with setting up state such as which Tx rate to use.
2017-01-09 Fix ieee80211_add_htop(), which is not yet called in active code paths. [Stefan Sperling]
It was creating a corrupt beacon element by omitting one byte. Fix this and fill the element with actual data from the ic_bss node instead of filling it with zeroes, allowing future 11n hostap to announce the current HT protection mode correctly.
2016-12-31 When we disable WPA on an interface, wipe all of the WPA parameters, including removing the 802.1x configuration from the card. [Peter Hessler]
Found while coming home from CCC Congress. OK stsp@
2016-12-26 Allow using 11n mode with APs that do not advertise support for all of MCS 0-7. [Stefan Sperling]
ok phessler@ tb@
2016-12-26 When calculating the set of MCS rates below a particular MCS, skip rates which are not supported by both peers, as already done elsewhere. [Stefan Sperling]
ok phessler@ tb@
2016-12-20 Disable TKIP (WPA1) by default. [Stefan Sperling]
It is time for this legacy of WEP to die (remember WEP?).
The 802.11-2012 standard says: The use of TKIP is deprecated. The TKIP algorithm is unsuitable for the purposes of this standard.
TKIP has numerous problems. One of which is that TKIP allows a denial of service attack which can be triggered by any client. Report 2 Michael MIC failures to a TKIP AP to trigger "TKIP countermeasures". The AP is now required by the 802.11 standard to lock everyone out for at least 60 seconds. The network will remain unusable for as long as such MIC failure reports are sent twice per minute.
TKIP remains available for interoperability purposes, for now. It must be enabled manually with ifconfig(8).
Prompted by discussion with Mathy Vanhoef. ok deraadt@ sthen@ reyk@
2016-12-18 While copying out channel flags to userspace, omit the HT channel flag if we're not in 11n mode. [Stefan Sperling]
This will allow tcpdump to show the mode correctly. ok mpi@
2016-12-18 Set the maximum TKIP countermeasure timeout to 90 seconds instead of 120. [Stefan Sperling]
Waiting more time does not buy us anything and makes a denial of service a tiny bit easier. Suggested by Mathy Vanhoef.
2016-12-17 Don't crash while sending a TKIP MIC failure report to the AP. [Stefan Sperling]
Client-side bug found while investigating TKIP countermeasures.
2016-12-17 Complete our half-done implementation of TKIP countermeasures in hostap mode. [Stefan Sperling]
The previous code would disable the AP until next reboot upon MIC failure. Instead, disable the AP for 60 seconds, as required by the 802.11 standard. I randomly added a bit of time (up to 120 seconds total) just because we can. Problem reported by Mathy Vanhoef, thanks! ok deraadt@ random input reyk@
2016-12-10 Make mira rate scaling actually work with MIMO Tx rates. [Stefan Sperling]
The previous approach with an extra timeout was dumb (and of course untested). Additional fixes include:
- Take HT protection settings into account when determining whether RTS is used.
- Stop probing the current rateset as soon as measurements become worse.
- Properly move probing timeouts for bad rates further into the future.
Tested with MIMO-enabled iwm(4) (MCS 0-15) and also iwn(4) (MCS 0-7 only). Early versions also tested by phessler@ and bmercer@, and more testing by tb@. ok tb@
2016-12-08 Fix mira's next intra-rate calculations for MCS >= 8. [Stefan Sperling]
ok tb@ phessler@
2016-12-06 avoid a potentially uninitialised return value [Jonathan Gray]
ok stsp@
2016-11-30 Add a new implementation of MiRA, a rate scaling algorithm for 802.11n. [Stefan Sperling]
This algorithm was designed for use with MIMO and Tx aggregation. This is joint work with tb@, who helped with all the tricky math bits. Additional help with testing by phessler@, mpi@, and jmatthew@. I believe this is now ready for wider testing, and for future work to happen in-tree.
A paper which explains the algorithm can be found at: http://www.cs.ucla.edu/wing/publication/papers/Pefkianakis.MOBICOM10.pdf
Roughly, this algorithm attempts to keep track of the current "goodput" (the effective data rate) for each MCS. It converges towards a rate which gets the most bits per second transmitted with least loss. Occasionally, frames will be steered to different rates to probe for changes. (The algorithm does not send frames on its own. It only advances whenever the driver has sent a frame.)
Time-based probing to adjacent MCS rates occurs periodically. This is similar to what AMRR does, except that eventually mira will try out multi-antenna modes as well. Event-based probing happens when a sudden change in goodput is detected.
I've chosen to make downwards probing fast, and upwards probing slow. (The paper does not specify such a preference.) This means it should react quickly to worsening conditions and pull the rate down (perhaps to the lowest possible rate). It should then raise upwards slowly on a rate-per-rate basis as conditions improve again. In my testing this works as intended as I keep moving a laptop outside and inside the AP's range.
Not linked to the build yet. ok mpi@ kettenis@
2016-10-08 Allow writing an MCS index to radiotap's rate field. [Stefan Sperling]
The format we use is the same as FreeBSD is using and is already recognized by third party tools. For this file a documentation change is all that's needed. ok kettenis
2016-09-21 When processing an ADDBA request, iwm(4) runs a task which sends a command to the firmware and waits for confirmation. [Stefan Sperling]
This command can fail and there was no way we could recover from such an error. Allow drivers to return EBUSY from their ic_ampdu_rx_start() handler to tell the stack not to send a confirmation just yet. The stack provides functions which the driver can call to accept or refuse the request. There is no functional change yet. This just shuffles code around so drivers may insert themselves into the process. ok mpi@
2016-09-20 Parse the DTIM count and period advertised in beacons and store them in the node structure. [Stefan Sperling]
This should be useful for iwm(4) in the future. ok phessler@
2016-09-15 move from RB macros to the RBT functions. [David Gwynne]
shaves about 5k off an amd64 GENERIC.MP kernel
2016-08-31 If a driver reports RSSI in the 20-100 range, convert to a negative value. [Stefan Sperling]
Fixes dBm values displayed by 'ifconfig scan' with several drivers. ok mpi@ jca@
2016-08-17 If a wireless device or driver scans all bands at once give 5GHz APs a slight priority in cases where good matches exist in either band. [Stefan Sperling]
ok sthen@
2016-08-15 Expose more 802.11n information to userspace: [Stefan Sperling]
A flag which indicates whether HT has been negotiated with a node, and the current Tx MCS value we use for a node. This grows struct ieee80211_nodereq. Applications using it must be recompiled. ok mpi@
2016-07-20 In net80211, enable RTS for frames above a particular size (currently 512 bytes). [Stefan Sperling]
This is what other OS have been doing for years. In our stack this feature was present but disabled at compile-time by an #ifdef. This is a low risk change because drivers were already required to use RTS whenever the AP set the USE_PROTECTION flag in ERP elements of its beacons. This change allows for reasonable throughput on loaded 11g networks whereas before they were practically unusable. tests and ok phessler@
2016-05-21 Add a wireless driver capability flag for devices which scan 2GHz and 5GHz bands in a single scan offload request. [Stefan Sperling]
This will be used by iwm(4) soon. ok kettenis@, earlier version ok phessler@
2016-05-18 In hostap mode, don't re-use association IDs (AIDs) of nodes which are still lingering in the node cache. [Stefan Sperling]
This could cause an AID to be assigned twice, once to a newly associated node and once to a different node in COLLECT cache state (i.e. marked for future eviction from the node cache).
Drivers (e.g. rt2860) may use AIDs to keep track of nodes in firmware tables and get confused when AIDs aren't unique across the node cache. The symptom observed with rt2860 were nodes stuck at 1 Mbps Tx rate since the duplicate AID made the driver perform Tx rate (AMRR) accounting on the wrong node object.
To find out if a node is associated we now check the node's cache state, rather than comparing the node's AID against zero. An AID is assigned when a node associates and it lasts until the node is eventually purged from the node cache (previously, the AID was made available for re-use when the node was placed in COLLECT state). There is no need to be stingy with AIDs since the number of possible AIDs exceeds the maximum number of nodes in the cache.
Problem found by Nathanael Rensen. Fix written by Nathanael and myself. Tested by Nathanael. Committing now to get this change tested across as many drivers as possible.
2016-05-12 Fix "comma at end of enumerator list" warnings [David Coppa]
Sure stsp@
2016-05-10 make bpf_mtap callers set the M_FILDROP flag if they care about it. [David Gwynne]
ok mpi@
2016-05-02 Fix a corner case of 12-bit arithmetic: also increment the ba_winmiss counter if sn == 0 and ba_missedsn == 0xfff. [Theo Buehler]
ok stsp@
2016-05-02 IEEE 802.11 sequence numbers wrap at 12 bit. [Stefan Sperling]
Fix a case where ieee80211_ba_input() failed to account for that. ok tb@
2016-04-28 Rework handling of frames which fall beyond the block ack window. [Stefan Sperling]
tb@ discovered that we were not following the 802.11-2012 standard correctly for frames which fall within the range [winend, windend+winsize]. This could cause valid frames to be dropped because we moved the window too far ahead. with and ok tb@
2016-04-28 Add a net80211 stat counter for block ack window "slides" as opposed to "jumps". [Stefan Sperling]
Will be used soon by refined block ack window handling. netstat needs to be recompiled. With and ok tb@
2016-04-28 When a frame which falls into the block ack window is received, clear counters that keep track of consecutive frames falling outside the window. [Stefan Sperling]
2016-04-28 Copy some ieee8021_node HT information to userspace. [Stefan Sperling]
ifconfig needs to be recompiled. ok mpi@
2016-04-28 Reduce block ack gap timeout to 300 msec in order to reduce Rx latency. [Stefan Sperling]
This value seems to be a sweet spot. testing and ok tb@
2016-04-27 Add some stat counters for events related to 802.11n. [Stefan Sperling]
netstat(1) needs to be recompiled to work with new kernel. ok deraadt mpi
2016-04-15 replace m_copym2 with m_dup_pkt [David Gwynne]
tested by and ok stsp@
2016-04-12 Call if_enqueue() and if_start() instead of dereferencing the ifp pointers. [Martin Pieuchot]
These functions have been introduced to abstract some of the MP-safeness^Wmadness and should be used everywhere. Prodded by a comment from jsg@. ok mikeb@, stsp@
2016-03-22 replace ieee80211_align_mbuf with m_dup_pkt [David Gwynne]
ok stsp@
2016-03-03 Restore assignment of ic_curmode that was accidentally removed when moving the ERP code to post-assoc phase. [Gerhard Roth]
Fixes iwi(4) fatal firmware errors. ok stsp@, sobrado@