spelling; checked by jmc@, ok miod@ mglocker@ krw@

disable the regular ieee80211_encap() Tx path in monitor mode

Frames injected from user space carry the DLT_IEEE802_11_RADIO
mbuf tag, and are handled as a special case. Do not fall back
to regular

disable the regular ieee80211_encap() Tx path in monitor mode

Frames injected from user space carry the DLT_IEEE802_11_RADIO
mbuf tag, and are handled as a special case. Do not fall back
to regular encapsulation while we are in monitor mode and the
frame injected by userspace is found to be invalid.

This fixes an issue when iwx(4) runs in monitor mode with addresses
configured on the interface and leaving 11n/11ac mode directly for
monitor mode. In this case, traffic generated by userspace or the
kernel (such as ICMPv6) would trigger Tx attempts, which in turn
would trigger an attempt to set up a block ACK agreement and then
cause a firmware panic.

This points at a related issue where interface configuration state
is not properly cleaned up while switching into monitor mode.
The 11n/11ac interface config should ideally be cleared completely,
preventing block ack from being initiated.

But preventing the stack from trying to send frames down the regular
Tx path in monitor mode is a good idea in general because drivers may
not handle this very well for various reasons, block ack being just one.

tested by jmc@ and myself on iwx ax200

show more ...

with empty body loops, put final semicolon on a new line for readability
ok bluhm@ jca@

Add initial 802.11ac (VHT) support to net80211.

Add VHT capability and operation IE definitions to ieee80211.h.
Introduce channel flags to identify 80MHz and 160MHz capable channels.

Parse VHT IEs

Add initial 802.11ac (VHT) support to net80211.

Add VHT capability and operation IE definitions to ieee80211.h.
Introduce channel flags to identify 80MHz and 160MHz capable channels.

Parse VHT IEs in beacons, announce the driver's VHT capabilities in
probe requests and assoc requests, and hop into 11ac mode after
association to the AP if possible.

Enable VHT by default if the driver announces support for it.

ok claudio@

show more ...

rename ETHERTYPE_PAE to ETHERTYPE_EAPOL.

everyone else seems to use ETHERTYPE_EAPOL, and as a bonus it also
appears to be more correct.

ok deraadt@ stsp@

Improve debug output when sending 802.11 action frames by showing the
action frame subtypes we care about (i.e. those related to 11n block ack).

ok mpi@

In hostap mode don't send data frames to nodes which aren't in state ASSOC.

Sending data frames to nodes in other states is wrong since the node's
data structure might not be set up properly in such

In hostap mode don't send data frames to nodes which aren't in state ASSOC.

Sending data frames to nodes in other states is wrong since the node's
data structure might not be set up properly in such states.
This could explain occasional "key unset for sw crypto" panics observed
with athn(4) hostap interfaces.

Problem reported and fix tested by Mikolaj Kucharski.

show more ...

spelling

ok gnezdo@ semarie@ mpi@

Fix 802.11 RSN capabilities announced to peers.

We were echoing back all RSN capabilities announced by our peer, even
for features which we don't support.
One such feature is Management Frame Protec

Fix 802.11 RSN capabilities announced to peers.

We were echoing back all RSN capabilities announced by our peer, even
for features which we don't support.
One such feature is Management Frame Protection (MFP). If we announce this
capability then the peer sends us encrypted management frames which won't
be processed. One symptom of this is that we fail to negotiate block ack
with APs that support MFP.

Only echo the RSN capabilities which we support, i.e. key replay counters.
Handle MFP and PBAR bits here as done elsewhere. Neither of these features
is enabled yet at run-time. As far as I can tell, the remaining RSN caps are
not supported by drivers (e.g. SPP A-MPDU) or won't be supported (outdated
WEP->TKIP transition support). The corresponding bits should always be clear.

Problem with 0 input block ack sessions found by sthen@ and robert@
Fix tested by sthen@, robert@, phessler@, and kmos@

ok phessler@ kmos@

show more ...

Revert previous; Set the ESS capability bit in assoc requests again.

Association to some access points breaks without the ESS capability bit.
Apparently I misunderstood something.

Reported by krw@

Revert previous; Set the ESS capability bit in assoc requests again.

Association to some access points breaks without the ESS capability bit.
Apparently I misunderstood something.

Reported by krw@ and tb@

show more ...

Do not set the 802.11 ESS capability bit in association requests.

The ESS capability bit should be set if the transmitter is an AP.
Association requests are sent by clients.

ok jca@

Properly wrap 802.11 frame sequence numbers when incrementing them.

ok tb@ tobhe@ mpi@

Do not send any QoS data frames unless Tx aggregation has been negotiated.

Actual QoS support could be added to net80211 in the future, but for now we
only use QoS frames for A-MPDU aggregation. Wit

Do not send any QoS data frames unless Tx aggregation has been negotiated.

Actual QoS support could be added to net80211 in the future, but for now we
only use QoS frames for A-MPDU aggregation. Without QoS support, sending
non-aggregated QoS frames does not actually buy us anything and makes it
harder to look at packet captures and tell whether frames sent by an OpenBSD
machine were in fact aggregated or not.

Tested on iwn(4) by jmc@, paco@, bket@, paco@, and Lauri Tirkkonen

show more ...

Fix an mbuf corruption issue which occurs in net80211 hostap mode.

When sizing a memory allocation for a probe response frame, the AP used
the SSID length stored in the node structure which represen

Fix an mbuf corruption issue which occurs in net80211 hostap mode.

When sizing a memory allocation for a probe response frame, the AP used
the SSID length stored in the node structure which represents the client,
but used the actual length of the SSID when copying it into the frame.

If the actual length is sufficiently large this will result in corruption
of an adjacent mbuf on the free list since m->m_next will be overwritten
with data written to the tail of the probe response frame.

Bad things happen later on when the adjacent mbuf is used. Sometimes
the corruption is detected by mbufpl's use-after-free checking, at
other times we end up crashing somewhere in the network stack.

To prevent such a mistake from occuring again I am removing the 'ni'
argument from ieee80211_get_probe_resp() altogether. It is not needed.

A quick workaround is to configure a short SSID.

Debugged with help from claudio, kettenis, and dlg.

ok claudio

show more ...

Add support for 802.11n Tx aggregation to net80211 and the iwn(4) driver.

In particular, add Tx block ack session management to net80211, with
enough funcionality to support Tx aggregation on device

Add support for 802.11n Tx aggregation to net80211 and the iwn(4) driver.

In particular, add Tx block ack session management to net80211, with
enough funcionality to support Tx aggregation on devices which perform
A-MPDU subframe scheduling in firmware.
Make use of the iwn(4) firmware Tx scheduler to build A-MPDUs.

net80211's QoS support code is now enabled and used by Tx aggregation.

A-MSDU frames inside A-MPDUs have been tested and work in principle.
For now, this feature is disabled because unfair TCP connection sharing
was observed during testing, where bursts of TCP Ack frames for a single
tcpbench(1) connection arriving in A-MSDUs made other TCP connections stall.
Switch off support for A-MSDUs inside A-MPDUs on the Rx side as well.

Tested on iwn chipsets 1000, 4965, 5100, 5300, 2200, 6200, 6205, 6300
(committed version of tested diff has all debug printfs removed)
tests/ok benno kmos mlarkin kevlo

show more ...

Fix 'ifconfig nwflags; These flags ended up overlapping with other flags
in ieee80211com's ic_flags because we haven't been paying attention to
them (they're not in the same place in the code and hen

Fix 'ifconfig nwflags; These flags ended up overlapping with other flags
in ieee80211com's ic_flags because we haven't been paying attention to
them (they're not in the same place in the code and hence easy to miss).
Move them to a dedicated variable to avoid this problem in the future.

Add a new 'stayauth' nwflag which can be set to let net80211 ignore
deauth frames. This can be useful when deauth frames are being
persistently spoofed by an attacker. Idea from beck@

ok beck@ phessler@

show more ...

On the transmit path the ethernet and ip headers might not be
in contiguous memory. Taking the pointer to the data and simply
looking at the IP header by adding an offset can lead to an out-
of-boun

On the transmit path the ethernet and ip headers might not be
in contiguous memory. Taking the pointer to the data and simply
looking at the IP header by adding an offset can lead to an out-
of-bounds access. Make the ieee80211 classify function copy the
ethernet and ip header into stack variables to fix it.

Fixes a panic for florian@
Discussed with claudio@
ok stsp@

show more ...

MH_ALIGN -> m_align and make the spacing look the same in all three places.
OK bluhm@

My previous commit broke the ramdisk build; fix it

Stop printing debug info about stations leaving a wifi network when
we aren't running in hostap or ibss mode.

Omit the PMKID count field from RSN information elements (IE) if the PMKID
list has zero elements and PMKID would be the last field in the RSN IE.

This is correct as per 802.11-2012 8.4.2.27.1 and a

Omit the PMKID count field from RSN information elements (IE) if the PMKID
list has zero elements and PMKID would be the last field in the RSN IE.

This is correct as per 802.11-2012 8.4.2.27.1 and aligns net80211 code with
behaviour of bwfm(4) firmware, unblocking further progress in that driver.

ok patrick@ phessler@

show more ...

Make ieee80211_classify() available in a header so we can make the
priority visible to underlying bus protocols like bwfm(4)'s bcdc.

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nod

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@

show more ...

In a comment inside ieee80211_up_to_ac(), update a reference section
number from the 802.11-2007 standard to the 802.11-2012 standard.

When telling clients which EDCA parameters to use, copy these parameters
from the client parameter set, rather than from the AP parameter set.
ok mpi@