net80211: remove if_private.h from code that doesn't require it

The previous clean-ups to remove some direct ifp manipulation have
removed the need for if_private.h in these source files.

Different

net80211: remove if_private.h from code that doesn't require it

The previous clean-ups to remove some direct ifp manipulation have
removed the need for if_private.h in these source files.

Differential Revision: https://reviews.freebsd.org/D50646
Reviewed by: bz

show more ...

net80211: migrate direct printf() to net80211_printf()

Mechanically migrate printf() -> net80211_printf().
A few places looked like they should be using net80211_vap_printf(),
so migrate those appro

net80211: migrate direct printf() to net80211_printf()

Mechanically migrate printf() -> net80211_printf().
A few places looked like they should be using net80211_vap_printf(),
so migrate those appropriately.

Differential Revision: https://reviews.freebsd.org/D50644
Reviewed by: bz

show more ...

net80211: migrate if_printf() -> net80211_vap_printf()

Migrate the if_printf() calls to net80211_vap_printf(), which hides
the underlying ifp and the network stack.

Note: there are still a LOT of d

net80211: migrate if_printf() -> net80211_vap_printf()

Migrate the if_printf() calls to net80211_vap_printf(), which hides
the underlying ifp and the network stack.

Note: there are still a LOT of direct printf() calls in the codebase.
This is just a mostly mechanical conversion of if_printf() calls.

Differential Revision: https://reviews.freebsd.org/D50643
Reviewed by: bz

show more ...

net80211: refactor out ifp->if_broadcastaddr into ieee80211_freebsd.c

* create ieee80211_vap_get_broadcast_address() to fetch the broadcast
MAC address for the given VAP
* refactor references to i

net80211: refactor out ifp->if_broadcastaddr into ieee80211_freebsd.c

* create ieee80211_vap_get_broadcast_address() to fetch the broadcast
MAC address for the given VAP
* refactor references to ifp->if_broadcastaddr ->
ieee80211_vap_get_broadcast_address()

Differential Revision: https://reviews.freebsd.org/D50406
Reviewed by: bz

show more ...

net80211: validate control frame TA/RA before further processing

An earlier commit relaxed the TA/RA rules around control frames
to fix other issues, however it now results in control frames
not spe

net80211: validate control frame TA/RA before further processing

An earlier commit relaxed the TA/RA rules around control frames
to fix other issues, however it now results in control frames
not specifically from a known node / to us to be handled in the control
path.

Specifically, rtwn(4) RTL8812/RTL8821 NICs are currently passing BARs
from the AP TA to any destination to us; which is tripping up BAW
tracking and causing traffic hangs.

So do the check before vap->iv_recv_ctl() is called in each input path.

Note that mesh doesn't seem to pass the control frames up; however
I haven't tested/validated mesh in a long while and I know it's
currently broken.

Differential Revision: https://reviews.freebsd.org/D49575

show more ...

net80211: remove direct use of ni->ni_txrate, add indirection methods

The summary:

* Refactor ni_txrate access into ieee80211_node_get_txrate_dot11rate()
and ieee80211_node_set_txrate_dot11rate()

net80211: remove direct use of ni->ni_txrate, add indirection methods

The summary:

* Refactor ni_txrate access into ieee80211_node_get_txrate_dot11rate()
and ieee80211_node_set_txrate_dot11rate(). These wrap the ni->ni_txrate
access and will eventually be able to do runtime sanity checks and
fallback where necessary.

* Refactor ieee80211_node_get_txrate_kbit() from the ioctl code which
sets isi_txmbps (which is in 0.5Mbit/s units.) This new routine
returns the TX rate in kbit/s units.

* Also use ieee80211_node_get_txrate_kbit() in various places in the
code where the dot11rate was turned into a Mbit/sec value, which was
very wrong for HT (but also only used for logging, so it didn't
have an effect on normal runtime.)

* Mb -> Mbit/s

The long version:

The current ni->ni_txrate value is what net80211's phy code
calls a 'dot11rate'. Inside the ieee80211_phy.c tables you'll
find a bunch of tables which represent:

* for legacy rates its in 1/2 mbit units.
* for turbo (Atheros 40MHz OFDM) it's the non-turbo rates, but the
turbo rate speed in kbit/sec.
* for 802.11n rates its the MCS, starting at 0x80.

However there are a couple of catches with this:

* Basic rates are represented in the pre-11n rates using the high bit
(IEEE80211_RATE_BASIC)
* 11n rates are also represented using the high bit (IEEE80211_RATE_MCS)

Now, ni->ni_txrate will clear the IEEE80211_RATE_BASIC flag before
storing it, so if the high bit exists it must be an 802.11n rate.
However, there's still a bunch of code everywhere that purposefully
filters that out.

The goals of this commit:

* Provide an easy API to migrate existing drivers and other consumers
to - ieee80211_node_get_txrate_dot11rate() is defined as "will return
the normal legacy or HT rate" so all the existing code can work.
* Lay the ground work for extending ni_txrate (and a rate representation
in general) that can represent legacy, HT, VHT, EHT, HE, etc rates.
* Create a central place where ni_txrate is updated from rate control,
drivers that will update ni_txrate itself, and consumers,
so we can provide some basic runtime checks / logging as VHT, EHT, HE,
etc rates are eventually added.

For example, a VHT driver will eventually receive VHT rates, but an
existing HT driver will not, so the API should log and return a
sensible default when something like a VHT rate shows up on a HT only
device.

The rate control code currently returns a rix, and sets ni_txrate to the
dot11rate. Drivers can choose either. However, choosing the rix is
risky because you need to know if it's the ni_rates or ni_htrates, which
requires a lot of duplicate work that lines up consistently at all
layers (see the AMRR code for an example.)

Differential Revision: https://reviews.freebsd.org/D48601
Reviewed by: bz, thj

show more ...

net80211: clean up / add more macros to check the frame types

* Add new macros to check the version+type and version+type+subtype of a frame.
* Use these for existing frame checks.
* Convert the fla

net80211: clean up / add more macros to check the frame types

* Add new macros to check the version+type and version+type+subtype of a frame.
* Use these for existing frame checks.
* Convert the flag checks in net80211 to use the macros, rather than direct
header poking.

Notably I'm callign out things like QOS any versus QOS data, the
kind of NULL frames, etc. Eg, in the TKIP code it's checking whether
a frame is ANY kind of QOS frame, not just QOS data.

These macros should hopefully make the header checks clearer and less
error prone. They're also useful in drivers that are doing their
own header parsing.

Locally:

* ath(4), AP, STA, AP+STA modes
* local ath10k/athp - AP, STA modes
* rtwn - STA mode

Differential Revision: https://reviews.freebsd.org/D36615

show more ...

net80211: scan/internal: change boolean argument from int to bool

ieee80211_probe_curchan() passes a "force" argument which is bool.
Make it such. Adjust the (*sc_scan_probe_curchan)() KPI to bool

net80211: scan/internal: change boolean argument from int to bool

ieee80211_probe_curchan() passes a "force" argument which is bool.
Make it such. Adjust the (*sc_scan_probe_curchan)() KPI to bool
as well. This is all a big NOP as the only implementor of this
function, ieee80211_swscan_probe_curchan(), does not use the argument
at all.

I came across this when pondering a different scan implementation.
Rather than dropping the change remove the argument from the function,
and push the cleanup out given it is purely net80211 internal code
(the argument may have reason for existance in the future).

Sponsored by: The FreeBSD Foundation
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D45816

show more ...

sys: Automated cleanup of cdefs and other formatting

Apply the following automated changes to try to eliminate
no-longer-needed sys/cdefs.h includes as well as now-empty
blank lines in a row.

Remov

sys: Automated cleanup of cdefs and other formatting

Apply the following automated changes to try to eliminate
no-longer-needed sys/cdefs.h includes as well as now-empty
blank lines in a row.

Remove /^#if.*\n#endif.*\n#include\s+<sys/cdefs.h>.*\n/
Remove /\n+#include\s+<sys/cdefs.h>.*\n+#if.*\n#endif.*\n+/
Remove /\n+#if.*\n#endif.*\n+/
Remove /^#if.*\n#endif.*\n/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/types.h>/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/param.h>/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/capsicum.h>/

Sponsored by: Netflix

show more ...

sys: Remove $FreeBSD$: one-line .c pattern

Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/

spdx: The BSD-2-Clause-FreeBSD identifier is obsolete, drop -FreeBSD

The SPDX folks have obsoleted the BSD-2-Clause-FreeBSD identifier. Catch
up to that fact and revert to their recommended match of

spdx: The BSD-2-Clause-FreeBSD identifier is obsolete, drop -FreeBSD

The SPDX folks have obsoleted the BSD-2-Clause-FreeBSD identifier. Catch
up to that fact and revert to their recommended match of BSD-2-Clause.

Discussed with: pfg
MFC After: 3 days
Sponsored by: Netflix

show more ...

IfAPI: Explicitly include <net/if_private.h> in netstack

Summary:
In preparation of making if_t completely opaque outside of the netstack,
explicitly include the header. <net/if_var.h> will stop in

IfAPI: Explicitly include <net/if_private.h> in netstack

Summary:
In preparation of making if_t completely opaque outside of the netstack,
explicitly include the header. <net/if_var.h> will stop including the
header in the future.

Sponsored by: Juniper Networks, Inc.
Reviewed by: glebius, melifaro
Differential Revision: https://reviews.freebsd.org/D38200

show more ...

net80211 / drivers: rename to IEEE80211_FC0_SUBTYPE_QOS_DATA

Going through the Frame (Sub)types the "QOS Data" being called "QOS"
scheme leads to a naming conflict for QOS_CFPOLL and QOS_CFACKPOLL
(

net80211 / drivers: rename to IEEE80211_FC0_SUBTYPE_QOS_DATA

Going through the Frame (Sub)types the "QOS Data" being called "QOS"
scheme leads to a naming conflict for QOS_CFPOLL and QOS_CFACKPOLL
(if added). Rename QOS* to QOS_DATA* to avoid the conflict and
to also better match the standards name.

No functional changes intended.

Sponsored by: The FreeBSD Foundation
MFC after: 5 days
Reviewed by: hselasky
Differential Revision: https://reviews.freebsd.org/D36409

show more ...

net80211: add an IEEE80211_IS_PROTECTED() macro

Summary: This returns whether the given 802.11 frame has the protected bit set.

Test Plan:
* tested in AP/STA mode
* STA mode - local athp/ath10k dri

net80211: add an IEEE80211_IS_PROTECTED() macro

Summary: This returns whether the given 802.11 frame has the protected bit set.

Test Plan:
* tested in AP/STA mode
* STA mode - local athp/ath10k driver
* AP mode - in tree ath driver

Subscribers: imp, melifaro, glebius
Reviewed by: bz
Approved by: bz

Differential Revision: https://reviews.freebsd.org/D36183

show more ...

net80211: fix -Wunused-but-set-variable warnings

Put the offending variables under the appropriate #ifdefs
(mostly IEEE80211_DEBUG, in one case IEEE80211_SUPPORT_SUPERG, and
in two cases under __not

net80211: fix -Wunused-but-set-variable warnings

Put the offending variables under the appropriate #ifdefs
(mostly IEEE80211_DEBUG, in one case IEEE80211_SUPPORT_SUPERG, and
in two cases under __notyet__ to revisit why these had been left
there but not used).

Sponsored by: The FreeBSD Foundation
MFC after: 10 days

show more ...

net80211: prevent plaintext injection by A-MSDU RFC1042/EAPOL frames

No longer accept plaintext A-MSDU frames that start with an RFC1042
header with EtherType EAPOL. This is done by only accepting

net80211: prevent plaintext injection by A-MSDU RFC1042/EAPOL frames

No longer accept plaintext A-MSDU frames that start with an RFC1042
header with EtherType EAPOL. This is done by only accepting EAPOL
packets that are included in non-aggregated 802.11 frames.

Note that before this patch, FreeBSD also only accepted EAPOL frames
that are sent in a non-aggregated 802.11 frame due to bugs in
processing EAPOL packets inside A-MSDUs. In other words,
compatibility with legitimate devices remains the same.

This relates to section 6.5 in the 2021 Usenix "FragAttacks" (Fragment
and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation)
paper.

Submitted by: Mathy Vanhoef (Mathy.Vanhoef kuleuven.be)
Security: CVE-2020-26144
PR: 256120
MFC after: 7 days
Differential Revision: https://reviews.freebsd.org/D30665

show more ...

net80211: mitigation against A-MSDU design flaw

Mitigate A-MSDU injection attacks by detecting if the destination address
of a subframe equals an RFC1042 (i.e., LLC/SNAP) header, and if so
dropping

net80211: mitigation against A-MSDU design flaw

Mitigate A-MSDU injection attacks by detecting if the destination address
of a subframe equals an RFC1042 (i.e., LLC/SNAP) header, and if so
dropping the complete A-MSDU frame. This mitigates known attacks,
although new (unknown) aggregation-based attacks may remain possible.

This defense works because in A-MSDU aggregation injection attacks, a
normal encrypted Wi-Fi frame is turned into an A-MSDU frame. This means
the first 6 bytes of the first A-MSDU subframe correspond to an RFC1042
header. In other words, the destination MAC address of the first A-MSDU
subframe contains the start of an RFC1042 header during an aggregation
attack. We can detect this and thereby prevent this specific attack.

This relates to section 7.2 in the 2021 Usenix "FragAttacks" (Fragment
and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation)
paper.

Submitted by: Mathy Vanhoef (Mathy.Vanhoef kuleuven.be)
Security: CVE-2020-24588
PR: 256119
Differential Revision: https://reviews.freebsd.org/D30664

show more ...

net80211: reject mixed plaintext/encrypted fragments

ieee80211_defrag() accepts fragmented 802.11 frames in a protected Wi-Fi
network even when some of the fragments are not encrypted.
Track whether

net80211: reject mixed plaintext/encrypted fragments

ieee80211_defrag() accepts fragmented 802.11 frames in a protected Wi-Fi
network even when some of the fragments are not encrypted.
Track whether the fragments are encrypted or not and only accept
successive ones if they match the state of the first fragment.

This relates to section 6.3 in the 2021 Usenix "FragAttacks" (Fragment
and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation)
paper.

Submitted by: Mathy Vanhoef (Mathy.Vanhoef kuleuven.be)
Security: CVE-2020-26147
PR: 256118
Differential Revision: https://reviews.freebsd.org/D30663

show more ...

[net80211] Send a probe request after IBSS node discovery

This sends a probe request after IBSS node discovery through
beacon frames. This allows things like HT and VHT capabilities
to be "negotiate

[net80211] Send a probe request after IBSS node discovery

This sends a probe request after IBSS node discovery through
beacon frames. This allows things like HT and VHT capabilities
to be "negotiated" in adhoc mode.

It is .. kinda fire and pray - this isn't retried after discovery
so it's quite possible that nodes occasionally don't come up with
HT/VHT rate upgrades. At some point it may be a fun side project
to add support for retrying these probe requests/negotiations
after IBSS node discovery.

Tested:

* tested with multiple ath(4) NICs in 11n mode.

Differential Revision: https://reviews.freebsd.org/D24979

show more ...

Merge ^/head r343956 through r344177.

net80211(4): hide casts for 'i_seq' field offset calculation inside
ieee80211_getqos() and reuse it in various places.

Checked with RTL8188EE, HOSTAP mode + RTL8188CUS, STA mode.

MFC after: 2 weeks

sys: general adoption of SPDX licensing ID tags.

Mainly focus on files that use BSD 2-Clause license, however the tool I
was using misidentified many licenses so this was mostly a manual - error
pro

sys: general adoption of SPDX licensing ID tags.

Mainly focus on files that use BSD 2-Clause license, however the tool I
was using misidentified many licenses so this was mostly a manual - error
prone - task.

The Software Package Data Exchange (SPDX) group provides a specification
to make it easier for automated tools to detect and summarize well known
opensource licenses. We are gradually adopting the specification, noting
that the tags are considered only advisory and do not, in any way,
superceed or replace the license texts.

No functional change intended.

show more ...

Merge ^/head r318560 through r318657.

[net80211] prepare for A-MSDU/A-MPDU offload crypto / sequence number checking.

When doing AMSDU offload, the driver (for now!) presents 802.11 frames with
the same sequence number and crypto sequen

[net80211] prepare for A-MSDU/A-MPDU offload crypto / sequence number checking.

When doing AMSDU offload, the driver (for now!) presents 802.11 frames with
the same sequence number and crypto sequence number / IV values up to the stack.
But, this will trip afoul over the sequence number detection.

So drivers now have a way to signify that a frame is part of an offloaded
AMSDU group, so we can just ensure that we pass those frames up to the
stack.

The logic will be a bit messy - the TL;DR will be that if it's part of
the previously seen sequence number then it belongs in the same burst.
But if we get a repeat of the same sequence number (eg we sent an ACK
but the receiver didn't hear it) then we shouldn't be passing those frames
up. So, we can't just say "all subframes go up", we need to track
whether we've seen the end of a burst of frames for the given sequence
number or not, so we know whether to actually pass them up or not.

The first part of doing all of this is to ensure the ieee80211_rx_stats
struct is available in the RX sequence number check path and the
RX ampdu reorder path. So, start by passing the pointer into these
functions to avoid doing another lookup.

The actual support will come in a subsequent commit once I know the
functionality actually works!

show more ...

Merge ^/head r311940 through r312200.