net80211: clean up / add more macros to check the frame types

* Add new macros to check the version+type and version+type+subtype of a frame.
* Use these for existing frame checks.
* Convert the fla

net80211: clean up / add more macros to check the frame types

* Add new macros to check the version+type and version+type+subtype of a frame.
* Use these for existing frame checks.
* Convert the flag checks in net80211 to use the macros, rather than direct
header poking.

Notably I'm callign out things like QOS any versus QOS data, the
kind of NULL frames, etc. Eg, in the TKIP code it's checking whether
a frame is ANY kind of QOS frame, not just QOS data.

These macros should hopefully make the header checks clearer and less
error prone. They're also useful in drivers that are doing their
own header parsing.

Locally:

* ath(4), AP, STA, AP+STA modes
* local ath10k/athp - AP, STA modes
* rtwn - STA mode

Differential Revision: https://reviews.freebsd.org/D36615

show more ...

net80211: scan/internal: change boolean argument from int to bool

ieee80211_probe_curchan() passes a "force" argument which is bool.
Make it such. Adjust the (*sc_scan_probe_curchan)() KPI to bool

net80211: scan/internal: change boolean argument from int to bool

ieee80211_probe_curchan() passes a "force" argument which is bool.
Make it such. Adjust the (*sc_scan_probe_curchan)() KPI to bool
as well. This is all a big NOP as the only implementor of this
function, ieee80211_swscan_probe_curchan(), does not use the argument
at all.

I came across this when pondering a different scan implementation.
Rather than dropping the change remove the argument from the function,
and push the cleanup out given it is purely net80211 internal code
(the argument may have reason for existance in the future).

Sponsored by: The FreeBSD Foundation
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D45816

show more ...

net80211: fix RSN capability parsing

The RSN capability field may be the last two bytes in the IE.
802.11-2016 9.4.2.25.1 (General) doesn't require anything
afterwards - the PMKID/List and Group Man

net80211: fix RSN capability parsing

The RSN capability field may be the last two bytes in the IE.
802.11-2016 9.4.2.25.1 (General) doesn't require anything
afterwards - the PMKID/List and Group Management Cipher Suite
are optional.

Thus having a check of len > 2 will miss the situation where it
IS the last field.

This showed up when developing MFP, as I'm using optional MFP
at home and optional MFP doesn't encrypt group management frames.
(It should only add the BIP message integrity check IE in each
action frame.)

Differential Revision: https://reviews.freebsd.org/D45936

show more ...

net80211: Fix two typos in kernel messages

- s/defered/deferred/

MFC after: 5 days

net80211: adjust more VHT structures/fields

Replace ieee80211_ie_vhtcap with ieee80211_vht_cap and
ieee80211_ie_vht_operation with ieee80211_vht_operation.
The "ie" version has the two bytes type/le

net80211: adjust more VHT structures/fields

Replace ieee80211_ie_vhtcap with ieee80211_vht_cap and
ieee80211_ie_vht_operation with ieee80211_vht_operation.
The "ie" version has the two bytes type/length at the beginning which
we did not actually use as such (the one place doing did just as unused
extra work).

Using the non-"ie" versions allows us to re-use them on shared code.
Using an enum helps us to not accidentally get unsuppored or unhandled
values tough we cannot use it in the struct as we need to ensure the
field width.

ieee80211_vht_operation is guarded by _KERNEL/WANT_NET80211. While the
header is supposed to be exported to user land historically, software
such as wpa bring their own structure definitions. For in-tree usage
it is only ifconfig which really cares (at least for now).

Sponsored by: The FreeBSD Foundation
MFC after: 3 days
Reviewed by: adrian (earlier), cc
Differential Revision: https://reviews.freebsd.org/D42901

show more ...

net80211: move net_epoch into net80211

Move the net_epoch into net80211 around the if_input calls and out of
the driver (in this first case LinuxKPI). This reduces coverage but
also allows us to al

net80211: move net_epoch into net80211

Move the net_epoch into net80211 around the if_input calls and out of
the driver (in this first case LinuxKPI). This reduces coverage but
also allows us to alloc in calls like (*ampdu_rx_start) which do not
actually pass data up the stack.

The follow-up commits will revert b65f813c1ab99448278961c5ca80dc422b1eae29,
21c4082de9e2cf9a0fd81a9a981ab06022956847,
17c328b6aebfa03cd1c2cbfbbc617e3b341bf1e4,
af2441fbc7fa9e522e7f8697e5a181bdd4ff9e00,
and 6c3e93cb5a4aa4b8a2d8d4d326f2a7c34d3a4458 for ath.

Sponsored by: The FreeBSD Foundation
MFC after: 3 days
Tested by: few (rtwn, ath, iwlwifi, ...)
Reviewed by: adrian
Differential Revision: https://reviews.freebsd.org/D42427

show more ...

sys: Automated cleanup of cdefs and other formatting

Apply the following automated changes to try to eliminate
no-longer-needed sys/cdefs.h includes as well as now-empty
blank lines in a row.

Remov

sys: Automated cleanup of cdefs and other formatting

Apply the following automated changes to try to eliminate
no-longer-needed sys/cdefs.h includes as well as now-empty
blank lines in a row.

Remove /^#if.*\n#endif.*\n#include\s+<sys/cdefs.h>.*\n/
Remove /\n+#include\s+<sys/cdefs.h>.*\n+#if.*\n#endif.*\n+/
Remove /\n+#if.*\n#endif.*\n+/
Remove /^#if.*\n#endif.*\n/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/types.h>/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/param.h>/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/capsicum.h>/

Sponsored by: Netflix

show more ...

sys: Remove $FreeBSD$: one-line .c pattern

Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/

spdx: The BSD-2-Clause-FreeBSD identifier is obsolete, drop -FreeBSD

The SPDX folks have obsoleted the BSD-2-Clause-FreeBSD identifier. Catch
up to that fact and revert to their recommended match of

spdx: The BSD-2-Clause-FreeBSD identifier is obsolete, drop -FreeBSD

The SPDX folks have obsoleted the BSD-2-Clause-FreeBSD identifier. Catch
up to that fact and revert to their recommended match of BSD-2-Clause.

Discussed with: pfg
MFC After: 3 days
Sponsored by: Netflix

show more ...

IfAPI: Explicitly include <net/if_private.h> in netstack

Summary:
In preparation of making if_t completely opaque outside of the netstack,
explicitly include the header. <net/if_var.h> will stop in

IfAPI: Explicitly include <net/if_private.h> in netstack

Summary:
In preparation of making if_t completely opaque outside of the netstack,
explicitly include the header. <net/if_var.h> will stop including the
header in the future.

Sponsored by: Juniper Networks, Inc.
Reviewed by: glebius, melifaro
Differential Revision: https://reviews.freebsd.org/D38200

show more ...

net80211 / drivers: rename to IEEE80211_FC0_SUBTYPE_QOS_DATA

Going through the Frame (Sub)types the "QOS Data" being called "QOS"
scheme leads to a naming conflict for QOS_CFPOLL and QOS_CFACKPOLL
(

net80211 / drivers: rename to IEEE80211_FC0_SUBTYPE_QOS_DATA

Going through the Frame (Sub)types the "QOS Data" being called "QOS"
scheme leads to a naming conflict for QOS_CFPOLL and QOS_CFACKPOLL
(if added). Rename QOS* to QOS_DATA* to avoid the conflict and
to also better match the standards name.

No functional changes intended.

Sponsored by: The FreeBSD Foundation
MFC after: 5 days
Reviewed by: hselasky
Differential Revision: https://reviews.freebsd.org/D36409

show more ...

net80211: consistently use the IEEE80211_M_ memory related options

Replace a malloc() by IEEE80211_MALLOC().
For malloc flags even in the local ieee80211_freebsd.c there was a mix
of both versions M

net80211: consistently use the IEEE80211_M_ memory related options

Replace a malloc() by IEEE80211_MALLOC().
For malloc flags even in the local ieee80211_freebsd.c there was a mix
of both versions M_ and IEEE80211_M_.
Consistently use the IEEE80211_M_ malloc options everywhere.
If the field is changed for malloc, it'll also be changed for the
other accessor functions taking a "how" field to avoid any confusion.

Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Reviewed by: adrian
Differential Revision: https://reviews.freebsd.org/D36249

show more ...

net80211: add an IEEE80211_IS_PROTECTED() macro

Summary: This returns whether the given 802.11 frame has the protected bit set.

Test Plan:
* tested in AP/STA mode
* STA mode - local athp/ath10k dri

net80211: add an IEEE80211_IS_PROTECTED() macro

Summary: This returns whether the given 802.11 frame has the protected bit set.

Test Plan:
* tested in AP/STA mode
* STA mode - local athp/ath10k driver
* AP mode - in tree ath driver

Subscribers: imp, melifaro, glebius
Reviewed by: bz
Approved by: bz

Differential Revision: https://reviews.freebsd.org/D36183

show more ...

net80211: fix -Wunused-but-set-variable warnings

Put the offending variables under the appropriate #ifdefs
(mostly IEEE80211_DEBUG, in one case IEEE80211_SUPPORT_SUPERG, and
in two cases under __not

net80211: fix -Wunused-but-set-variable warnings

Put the offending variables under the appropriate #ifdefs
(mostly IEEE80211_DEBUG, in one case IEEE80211_SUPPORT_SUPERG, and
in two cases under __notyet__ to revisit why these had been left
there but not used).

Sponsored by: The FreeBSD Foundation
MFC after: 10 days

show more ...

net80211: prevent plaintext injection by A-MSDU RFC1042/EAPOL frames

No longer accept plaintext A-MSDU frames that start with an RFC1042
header with EtherType EAPOL. This is done by only accepting

net80211: prevent plaintext injection by A-MSDU RFC1042/EAPOL frames

No longer accept plaintext A-MSDU frames that start with an RFC1042
header with EtherType EAPOL. This is done by only accepting EAPOL
packets that are included in non-aggregated 802.11 frames.

Note that before this patch, FreeBSD also only accepted EAPOL frames
that are sent in a non-aggregated 802.11 frame due to bugs in
processing EAPOL packets inside A-MSDUs. In other words,
compatibility with legitimate devices remains the same.

This relates to section 6.5 in the 2021 Usenix "FragAttacks" (Fragment
and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation)
paper.

Submitted by: Mathy Vanhoef (Mathy.Vanhoef kuleuven.be)
Security: CVE-2020-26144
PR: 256120
MFC after: 7 days
Differential Revision: https://reviews.freebsd.org/D30665

show more ...

net80211: mitigation against A-MSDU design flaw

Mitigate A-MSDU injection attacks by detecting if the destination address
of a subframe equals an RFC1042 (i.e., LLC/SNAP) header, and if so
dropping

net80211: mitigation against A-MSDU design flaw

Mitigate A-MSDU injection attacks by detecting if the destination address
of a subframe equals an RFC1042 (i.e., LLC/SNAP) header, and if so
dropping the complete A-MSDU frame. This mitigates known attacks,
although new (unknown) aggregation-based attacks may remain possible.

This defense works because in A-MSDU aggregation injection attacks, a
normal encrypted Wi-Fi frame is turned into an A-MSDU frame. This means
the first 6 bytes of the first A-MSDU subframe correspond to an RFC1042
header. In other words, the destination MAC address of the first A-MSDU
subframe contains the start of an RFC1042 header during an aggregation
attack. We can detect this and thereby prevent this specific attack.

This relates to section 7.2 in the 2021 Usenix "FragAttacks" (Fragment
and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation)
paper.

Submitted by: Mathy Vanhoef (Mathy.Vanhoef kuleuven.be)
Security: CVE-2020-24588
PR: 256119
Differential Revision: https://reviews.freebsd.org/D30664

show more ...

net80211: reject mixed plaintext/encrypted fragments

ieee80211_defrag() accepts fragmented 802.11 frames in a protected Wi-Fi
network even when some of the fragments are not encrypted.
Track whether

net80211: reject mixed plaintext/encrypted fragments

ieee80211_defrag() accepts fragmented 802.11 frames in a protected Wi-Fi
network even when some of the fragments are not encrypted.
Track whether the fragments are encrypted or not and only accept
successive ones if they match the state of the first fragment.

This relates to section 6.3 in the 2021 Usenix "FragAttacks" (Fragment
and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation)
paper.

Submitted by: Mathy Vanhoef (Mathy.Vanhoef kuleuven.be)
Security: CVE-2020-26147
PR: 256118
Differential Revision: https://reviews.freebsd.org/D30663

show more ...

net80211: prefix get_random_bytes() with net80211_

Both linux/random.h and net80211 have a function named
get_random_bytes(). With overlapping files included these collide.
Arguably the function co

net80211: prefix get_random_bytes() with net80211_

Both linux/random.h and net80211 have a function named
get_random_bytes(). With overlapping files included these collide.
Arguably the function could be renamed in linuxkpi but the generic
name should also not be used in net80211 so rename it there.

Sponsored-by: The FreeBSD Foundation
MFC-after: 2 weeks
Reviewed-by: philip, adrian
Differential Revision: https://reviews.freebsd.org/D29335

show more ...

net: clean up empty lines in .c and .h files

[net80211] Migrate HT/legacy protection mode and preamble calculation to per-VAP flags

The later firmware devices (including iwn!) support multiple configuration
contexts for a lot of things, leavin

[net80211] Migrate HT/legacy protection mode and preamble calculation to per-VAP flags

The later firmware devices (including iwn!) support multiple configuration
contexts for a lot of things, leaving it up to the firmware to decide
which channel and vap is active. This allows for things like off-channel
p2p sta/ap operation and other weird things.

However, net80211 is still focused on a "net80211 drives all" when it comes to driving
the NIC, and as part of this history a lot of these options are global and not per-VAP.
This is fine when net80211 drives things and all VAPs share a single channel - these
parameters importantly really reflect the state of the channel! - but it will increasingly
be not fine when we start supporting more weird configurations and more recent NICs.
Yeah, recent like iwn/iwm.

Anyway - so, migrate all of the HT protection, legacy protection and preamble
stuff to be per-VAP. The global flags are still there; they're now calculated
in a deferred taskqueue that mirrors the old behaviour. Firmware based drivers
which have per-VAP configuration of these parameters can now just listen to the
per-VAP options.

What do I mean by per-channel? Well, the above configuration parameters really
are about interoperation with other devices on the same channel. Eg, HT protection
mode will flip to legacy/mixed if it hears ANY BSS that supports non-HT stations or
indicates it has non-HT stations associated. So, these flags really should be
per-channel rather than per-VAP, and then for things like "do i need short preamble
or long preamble?" turn into a "do I need it for this current operating channel".
Then any VAP using it can query the channel that it's on, reflecting the real
required state.

This patch does none of the above paragraph just yet.

I'm also cheating a bit - I'm currently not using separate taskqueues for
the beacon updates and the per-VAP configuration updates. I can always further
split it later if I need to but I didn't think it was SUPER important here.

So:

* Create vap taskqueue entries for ERP/protection, HT protection and short/long
preamble;
* Migrate the HT station count, short/long slot station count, etc - into per-VAP
variables rather than global;
* Fix a bug with my WME work from a while ago which made it per-VAP - do the WME
beacon update /after/ the WME update taskqueue runs, not before;
* Any time the HT protmode configuration changes or the ERP protection mode
config changes - schedule the task, which will call the driver without the
net80211 lock held and all correctly serialised;
* Use the global flags for beacon IEs and VAP flags for probe responses and
other IE situations.

The primary consumer of this is ath10k. iwn could use it when sending RXON,
but we don't support IBSS or AP modes on it yet, and I'm not yet sure whether
it's required in STA mode (ie whether the firmware parses beacons to change
protection mode or whether we need to.)

Tested:

* AR9280, STA/AP
* AR9380, DWDS STA+STA/AP
* ath10k work, STA/AP
* Intel 6235, STA
* Various rtwn / run NICs, DWDS STA and STA configurations

show more ...

[net80211] Add initial U-APSD negotiation support.

U-APSD (unscheduled automatic power save delivery) is a power save method
that's a bit better than legacy PS-POLL - stations can mark frames with
a

[net80211] Add initial U-APSD negotiation support.

U-APSD (unscheduled automatic power save delivery) is a power save method
that's a bit better than legacy PS-POLL - stations can mark frames with
an extra flag that tells the AP to leak out more frames after it sends
its own frames rather than needing to send a PS-POLL to get another frame
from the AP.

Now, this code just handles the negotiation bits; it doesn't actually
implement U-APSD. That's up to drivers, and nothing in the tree yet
implements this. I /may/ implement this for ath(4) if I eventually care
enough but right now I plan on just implementing it for firmware offload
based NICs that handle this in the NIC.

I'll commit the ifconfig bit after this and I may have some follow-up
commits as this gets used more by me in local testing.

This should be a glorious no-op for everyone else. If things change
for anyone that isn't fixed by a complete recompile then please reach out
to me.

show more ...

Merge ^/head r343956 through r344177.

net80211(4): hide casts for 'i_seq' field offset calculation inside
ieee80211_getqos() and reuse it in various places.

Checked with RTL8188EE, HOSTAP mode + RTL8188CUS, STA mode.

MFC after: 2 weeks

sys: general adoption of SPDX licensing ID tags.

Mainly focus on files that use BSD 2-Clause license, however the tool I
was using misidentified many licenses so this was mostly a manual - error
pro

sys: general adoption of SPDX licensing ID tags.

Mainly focus on files that use BSD 2-Clause license, however the tool I
was using misidentified many licenses so this was mostly a manual - error
prone - task.

The Software Package Data Exchange (SPDX) group provides a specification
to make it easier for automated tools to detect and summarize well known
opensource licenses. We are gradually adopting the specification, noting
that the tags are considered only advisory and do not, in any way,
superceed or replace the license texts.

No functional change intended.

show more ...

Merge ^/head r318560 through r318657.