with empty body loops, put final semicolon on a new line for readability
ok bluhm@ jca@

During a "key unset for sw crypto" panic, display more meta-data
about the offending key. This will hopefully help with debugging.

ieee80211_decrypt must use m_freem() instead of m_free()

Patch by zxystd from the OpenIntelWireless project (drivers for macOS)

ok tobhe@

Fix CCMP replay check with 11n Rx aggregation and CCMP hardware offloading.

So far, drivers using hardware CCMP decryption were expected to keep the
most recently seen CCMP packet number (PN) up-to-date, and to discard frames
with lower PNs as replays.

A-MPDU subframes may legitimately arrive out of order, and the drivers skipped
CCMP replay checking for such frames. Re-ordering happens in ieee80211_inputm(),
after the driver is done with a frame. Drivers cannot tell replayed frames
apart from legitimate out-of-order retransmissions.

To fix this, update the PN value in ieee80211_inputm() after subframes have
been reordered into their proper sequence. Drivers still perform replay checks
but they no longer have to worry about updating the last seen PN value.

The 802.11 spec confirms that replay checking is supposed to happen after
A-MPDU re-ordering.

Tested by jmc@, benno@, solene@, and myself with the following drivers:
athn(4), iwn(4), iwm(4), wpi(4), urtwn(4)

ok solene@

check that software de/encrypt is possible: under hardware
offload, it needn't be. the stack must otherwise rely on every
offloading driver correctly handling all frames governed by a
given key.
ok stsp@

Prevent ieee80211_get_txkey() from returning the integrity group temporal
key (IGTK) if a node doesn't have management frame protection (MFP) enabled.
The IGTK is not initialized if MFP is disabled, so using it triggers this
panic in ieee80211_encrypt(): panic("invalid key cipher 0x%x", k->k_cipher)

(As far as I can tell, at present, MFP is never enabled.)

Problem reported and fix tested by tj@ on athn(4) hostap

Fix WEP key selection in ieee80211_get_txkey().

The WEP key index is stored in ic_def_txkey. The iGTK ("integrity group key")
index is specific to WPA. The previous code happened to always select WEP key
index 0 since the iGTK index is not yet used by any driver.

ok phessler@

If ieee80211_encrypt() is passed a key with an unrecognized cipher
type then panic immediately instead of silently dropping packets.

ok phessler@

Clear WPA group keys from memory before initiating a key exchange
with an access point. Prevents false positive 'reused group key'
warnings in dmesg when re-associating to the same access point.
Problem reported by tb@
ok tb@

Switch 802.11 crypto over to the new AES

OK stsp@

branches: 1.69.4;
Use explicit_bzero() to wipe out key material and add some sizes to free().

ok stsp

Disable TKIP (WPA1) by default.

It is time for this legacy of WEP to die (remember WEP?).
The 802.11-2012 standard says:
The use of TKIP is deprecated. The TKIP algorithm is unsuitable for
the purposes of this standard.

TKIP has numerous problems. One of which is that TKIP allows a denial of
service attack which can be triggered by any client. Report 2 Michael MIC
failures to a TKIP AP to trigger "TKIP countermeasures". The AP is now
required by the 802.11 standard to lock everyone out for at least 60 seconds.
The network will remain unusable for as long as such MIC failure reports
are sent twice per minute.

TKIP remains available for interoperability purposes, for now.
It must be enabled manually with ifconfig(8).

Prompted by discussion with Mathy Vanhoef.
ok deraadt@ sthen@ reyk@

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@

branches: 1.66.4;
No need to include <net/if_arp.h>

This header is only needed because <netinet/if_ether.h> declares a
structure that needs it. But it turns out that <net/if.h> already
includes it as workaround.

A proper solution would be to stop declarting "struct ether_arp"
there. But no driver should need this header.

unifdef some more INET. v4 4life.

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg

remove uneeded proc.h includes
ok mpi@ kspillner@

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.

Remove unneeded include.

ok deraadt@

for key material that is being being discarded, convert bzero() to
explicit_bzero() where required
ok markus mikeb

Switch some obvious network stack MAC comparisons from bcmp() to
timingsafe_bcmp().

ok deraadt@; committed over WPA.

Change ifconfig wpaakms default setting to `psk' instead of `psk,802.1x'.
Some supplicants will autoselect 802.1X without giving users the
possibility to choose between PSK or 802.1X.

Similarly, no longer announce `PSK with SHA-256 based KDF' AKMP (defined
in Draft 802.11w) by default in the RSN IE of beacons and probe responses
as it confuses some broken supplicants. This kind of sacrifies security
for interoperability with shitty (but unfortunately widespread) clients
that do not follow the 802.11 standard properly.
This fixes associations from Intel PROSet on XP and also reportedly fixes
some Mac OS clients. I will likely make `psk-sha256' configurable through
ifconfig wpaakms after the 4.5 release.

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occured in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successfull 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.

ieee80211_derive_pmkid() is not used either

#ifdef notyet ieee80211_kdf() as it is not used yet (shrink kernel a bit)

add the code to encrypt/decrypt management frames, retrieve key id
from MMIE etc...
this code can't be triggered as no drivers claim MFP capability yet.

missing SHA-256 bits.

new SHA-256 based AKMPs.

add support for EAPOL-Key v3 descriptors (similar to v2 except that the
MIC is computed using AES-128-CMAC instead of HMAC-SHA1).
add a SHA-256 based key derivation function (not used yet).

the only integrity group cipher currently supported is AES-128-CMAC.

extend the ic_nw_keys[] array to 6 elements.
indices 0-3 will be used for group data keys while indices 4-5 will
be used for integrity group keys.
add a ic_rsngroupmgmtcipher field too.

get rid of the map_ptk()/map_gtk() functions, just inline them
which makes things easier to track.

simplify ieee80211_derive_ptk() prototype.
pass the AKMP so we can support other key derivation functions in the
future.

use HMAC-MD5, HMAC-SHA1 and AES Key Wrap sys/crypto/

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.

remove now useless casts since the rijndael_* protos have been
constified.

move things from ieee80211_ifattach() to ieee80211_crypto_attach().

- do not process ethernet PAE frames if RSN is not enabled
- add a ieee80211_recv_action() function (will be used later)
- some cleanup, remove unused prototypes, get rid of the
IEEE80211_VERIFY_* macros

extend the if_ethersubr.c crc functions to support updating a running
crc in addition to the existing "oneshot" mode and use them to replace
ieee80211_crc_update() with the new ether_crc32_le_update(). Saves 1k
kernel bss + some code.

Mark the new ether_crc32_[lb]e_update functions as __pure for a
~25x speedup (on my i386 at least).

feedback and ok damien@

call ieee80211_crc_init() only once, when the first 802.11 device
attaches instead of at every attach.

discussed with deraadt@

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@

remove horrid casts now that SHA1Update() has been constified.

- use ieee80211_get_hdrlen() where appropriate.
- discard all EAPOL-Key frames with an unknown descriptor version.
- when receiving message 3/4 of the 4-way handshake, do not install
the PTK if the INSTALL bit is not set. this fixes 4-way handshake
with APs using group keys only.
- similarly, do not mark the 802.1X port as valid if the SECURE bit
is not set (it will be marked as valid after group key handshake).

fix ieee80211_map_ptk() for TKIP.

add a ieee80211_get_txkey() function to determine the key to use for
transmitting a frame to a given node.
change ieee80211_encrypt() so that it now takes the key as parameter.
this change is required because drivers doing hardware crypto need to
know what key is being used.

- add k_rxmic and k_txmic fields to struct ieee80211_key to store the
Tx/Rx MIC for TKIP.
- add two functions to map a PTK and a GTK to an IEEE 802.11 key and
use them in ieee80211_input.c instead of duplicating the same code.
properly set Tx/Rx MIC in the IEEE 802.11 key in the case of TKIP.
- add ic_psk to struct ieee80211com to store the pre-shared key.
- fix setting of the SECURE bit in outgoing EAPOL-Key frames.
- when receiving msg 2 of the 4-way handshake, deauthenticate the
station if the RSN IE does not match that of the (Re)Association
request.
- before parsing an RSN or WPA IE, check that there's enough room for
the version field (2 bytes) which is mandatory.
- various tweaks while i'm here.

add a ni_eapol_desc field to struct ieee80211_node to know whether
a station is using WPA1 or RSN descriptors.
make sure that a station that advertises WPA1 capability in an IE
uses the WPA1 EAPOL-Key descriptor type and not the RSN one.
fix construction of EAPOL-Key frames for WPA1.
i can now successfuly complete a 4-way and group-key handshake
with both a WPA1 and a WPA2 access point.
add some TKIP encapsulation code (no SW crypto yet).

ok deraadt@

add generic ieee80211_encrypt() and ieee80211_decrypt() functions that
can handle multiple ciphers (the key to use is determined automatically
by these functions based on the frame's destination address).
add ieee80211_ccmp_encrypt() and ieee80211_ccmp_decrypt().
those two functions only do encapsulation/decapsulation of CCMP frames
for now (they don't do SW crypto). they will help to test things with
drivers that can do HW crypto.
add a ni_pairwise_key field to struct ieee80211_node to actually install
the pairwise transient key.
install the GTK in ic_nw_keys[].

group key handshake message 1 is very different between RSN and WPA1.
RSN uses a GTK KDE while WPA1 stores the GTK in the EAPOL-Key frame
data field (encrypted) and uses some bits in the info field.
split ieee80211_recv_group_msg1() in two separate functions.

all WPA implementations i have tested use EAPOL-Key frames version 1,
so use that too and remove a check in ieee80211_recv_eapol().
WPA1 stores the group key id into bits 4-5 of the EAPOL-Key frame info
field and uses bit 6 to indicate if the key is Rx/Tx or Rx only.
remove a check in ieee80211_eapol_key_decrypt() because WPA1 encrypts
the payload of message 1 of the group-key handshake without setting the
encrypted bit in the info field.

the EAPOL-Key MIC must be computed with the MIC bit set.
this simplifies ieee80211_eapol_key_mic() and ieee80211_eapol_key_check_mic()
quite a bit.
set the EAPOL-Key body length before computing the MIC since the MIC is
computed with the 802.1X header too.
add a missing htons() while i'm here.

extend the ieee80211_key structure with a key identifier, a flags field
and a 64-bit receive sequence counter (for group keys).
add a ieee80211_cipher_keylen() function to retrieve the key length
in bytes used by a specific cipher.
account for 802.1X header size when computing the Key MIC.
some cleanup in comments and variable names while i'm here.

new function to check the MIC of a received EAPOL-Key frame.

use rc4_skip().
fix ieee80211_eapol_key_encrypt() so that we don't add more padding
bytes than necessary in the case of AES Key Wrap encryption.

remove some unused key derivation functions.
we won't support PeerKey handshake in a first time.

remove arc4_ compatibility macros.

add functions to compute EAPOL-Key Key MIC fields and to encrypt/decrypt
EAPOL-Key Data fields.

add ic_globalcnt to struct ieee80211com:
in an RSNA, each STA must maintain a 256-bit global key counter that
must be initialized to a random value (see 8.5.7).

modify ieee80211_aes_key_wrap() to support in-place encryption.
explicitly use ovbcopy() even if our kernel memcpy() supports
overlapping buffers.

add AES Key Wrap algorithm (see RFC 3394).
this will be used to encrypt/decrypt EAPOL-Key frames payload.

replace the ieee80211_wepkey structure with a more generic ieee80211_key
one that can be used with other ciphers than WEP.

s/uint8_t/u_int8_t/ for consistency.

update QoS Tx/Rx sequence numbers for each TID.
add a parameter to ieee80211_decap() to handle different 802.11
header sizes.
cleanup and clarify ieee80211_classify().

add myself to the copyright list.

add the pseudo-random function (PRF) and various key derivation
functions defined in 802.11i.

constify

de-static

ok jsg@

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@

fix the key buffer size used for software wep, this could cause
problems with non-standard wep keys >= 104 bits.

thanks to Alexander Bluhm

ok mglocker@ jsg@

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@

mostly knf

ok jsg@

Remove the last of the FreeBSD compatiblity goop.
ok reyk@

Remove FreeBSD if_printf compat function from net80211.
ok reyk@

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@

Don't restrict WEP keys to exactly 40 or 108 bits.

Hack to avoid panic in arc4maybeinit() due to rnd device not being
attached yet.

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.

During a "key unset for sw crypto" panic, display more meta-data
about the offending key. This will hopefully help with debugging.

ieee80211_decrypt must use m_freem() instead of m_free()

Patch by zxystd from the OpenIntelWireless project (drivers for macOS)

ok tobhe@

Fix CCMP replay check with 11n Rx aggregation and CCMP hardware offloading.

So far, drivers using hardware CCMP decryption were expected to keep the
most recently seen CCMP packet number (PN) up-to-date, and to discard frames
with lower PNs as replays.

A-MPDU subframes may legitimately arrive out of order, and the drivers skipped
CCMP replay checking for such frames. Re-ordering happens in ieee80211_inputm(),
after the driver is done with a frame. Drivers cannot tell replayed frames
apart from legitimate out-of-order retransmissions.

To fix this, update the PN value in ieee80211_inputm() after subframes have
been reordered into their proper sequence. Drivers still perform replay checks
but they no longer have to worry about updating the last seen PN value.

The 802.11 spec confirms that replay checking is supposed to happen after
A-MPDU re-ordering.

Tested by jmc@, benno@, solene@, and myself with the following drivers:
athn(4), iwn(4), iwm(4), wpi(4), urtwn(4)

ok solene@

check that software de/encrypt is possible: under hardware
offload, it needn't be. the stack must otherwise rely on every
offloading driver correctly handling all frames governed by a
given key.
ok stsp@

Prevent ieee80211_get_txkey() from returning the integrity group temporal
key (IGTK) if a node doesn't have management frame protection (MFP) enabled.
The IGTK is not initialized if MFP is disabled, so using it triggers this
panic in ieee80211_encrypt(): panic("invalid key cipher 0x%x", k->k_cipher)

(As far as I can tell, at present, MFP is never enabled.)

Problem reported and fix tested by tj@ on athn(4) hostap

Fix WEP key selection in ieee80211_get_txkey().

The WEP key index is stored in ic_def_txkey. The iGTK ("integrity group key")
index is specific to WPA. The previous code happened to always select WEP key
index 0 since the iGTK index is not yet used by any driver.

ok phessler@

If ieee80211_encrypt() is passed a key with an unrecognized cipher
type then panic immediately instead of silently dropping packets.

ok phessler@

Clear WPA group keys from memory before initiating a key exchange
with an access point. Prevents false positive 'reused group key'
warnings in dmesg when re-associating to the same access point.
Problem reported by tb@
ok tb@

Switch 802.11 crypto over to the new AES

OK stsp@

branches: 1.69.4;
Use explicit_bzero() to wipe out key material and add some sizes to free().

ok stsp

Disable TKIP (WPA1) by default.

It is time for this legacy of WEP to die (remember WEP?).
The 802.11-2012 standard says:
The use of TKIP is deprecated. The TKIP algorithm is unsuitable for
the purposes of this standard.

TKIP has numerous problems. One of which is that TKIP allows a denial of
service attack which can be triggered by any client. Report 2 Michael MIC
failures to a TKIP AP to trigger "TKIP countermeasures". The AP is now
required by the 802.11 standard to lock everyone out for at least 60 seconds.
The network will remain unusable for as long as such MIC failure reports
are sent twice per minute.

TKIP remains available for interoperability purposes, for now.
It must be enabled manually with ifconfig(8).

Prompted by discussion with Mathy Vanhoef.
ok deraadt@ sthen@ reyk@

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@

branches: 1.66.4;
No need to include <net/if_arp.h>

This header is only needed because <netinet/if_ether.h> declares a
structure that needs it. But it turns out that <net/if.h> already
includes it as workaround.

A proper solution would be to stop declarting "struct ether_arp"
there. But no driver should need this header.

unifdef some more INET. v4 4life.

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg

remove uneeded proc.h includes
ok mpi@ kspillner@

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.

Remove unneeded include.

ok deraadt@

for key material that is being being discarded, convert bzero() to
explicit_bzero() where required
ok markus mikeb

Switch some obvious network stack MAC comparisons from bcmp() to
timingsafe_bcmp().

ok deraadt@; committed over WPA.

Change ifconfig wpaakms default setting to `psk' instead of `psk,802.1x'.
Some supplicants will autoselect 802.1X without giving users the
possibility to choose between PSK or 802.1X.

Similarly, no longer announce `PSK with SHA-256 based KDF' AKMP (defined
in Draft 802.11w) by default in the RSN IE of beacons and probe responses
as it confuses some broken supplicants. This kind of sacrifies security
for interoperability with shitty (but unfortunately widespread) clients
that do not follow the 802.11 standard properly.
This fixes associations from Intel PROSet on XP and also reportedly fixes
some Mac OS clients. I will likely make `psk-sha256' configurable through
ifconfig wpaakms after the 4.5 release.

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occured in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successfull 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.

ieee80211_derive_pmkid() is not used either

#ifdef notyet ieee80211_kdf() as it is not used yet (shrink kernel a bit)

add the code to encrypt/decrypt management frames, retrieve key id
from MMIE etc...
this code can't be triggered as no drivers claim MFP capability yet.

missing SHA-256 bits.

new SHA-256 based AKMPs.

add support for EAPOL-Key v3 descriptors (similar to v2 except that the
MIC is computed using AES-128-CMAC instead of HMAC-SHA1).
add a SHA-256 based key derivation function (not used yet).

the only integrity group cipher currently supported is AES-128-CMAC.

extend the ic_nw_keys[] array to 6 elements.
indices 0-3 will be used for group data keys while indices 4-5 will
be used for integrity group keys.
add a ic_rsngroupmgmtcipher field too.

get rid of the map_ptk()/map_gtk() functions, just inline them
which makes things easier to track.

simplify ieee80211_derive_ptk() prototype.
pass the AKMP so we can support other key derivation functions in the
future.

use HMAC-MD5, HMAC-SHA1 and AES Key Wrap sys/crypto/

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.

remove now useless casts since the rijndael_* protos have been
constified.

move things from ieee80211_ifattach() to ieee80211_crypto_attach().

- do not process ethernet PAE frames if RSN is not enabled
- add a ieee80211_recv_action() function (will be used later)
- some cleanup, remove unused prototypes, get rid of the
IEEE80211_VERIFY_* macros

extend the if_ethersubr.c crc functions to support updating a running
crc in addition to the existing "oneshot" mode and use them to replace
ieee80211_crc_update() with the new ether_crc32_le_update(). Saves 1k
kernel bss + some code.

Mark the new ether_crc32_[lb]e_update functions as __pure for a
~25x speedup (on my i386 at least).

feedback and ok damien@

call ieee80211_crc_init() only once, when the first 802.11 device
attaches instead of at every attach.

discussed with deraadt@

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@

remove horrid casts now that SHA1Update() has been constified.

- use ieee80211_get_hdrlen() where appropriate.
- discard all EAPOL-Key frames with an unknown descriptor version.
- when receiving message 3/4 of the 4-way handshake, do not install
the PTK if the INSTALL bit is not set. this fixes 4-way handshake
with APs using group keys only.
- similarly, do not mark the 802.1X port as valid if the SECURE bit
is not set (it will be marked as valid after group key handshake).

fix ieee80211_map_ptk() for TKIP.

add a ieee80211_get_txkey() function to determine the key to use for
transmitting a frame to a given node.
change ieee80211_encrypt() so that it now takes the key as parameter.
this change is required because drivers doing hardware crypto need to
know what key is being used.

- add k_rxmic and k_txmic fields to struct ieee80211_key to store the
Tx/Rx MIC for TKIP.
- add two functions to map a PTK and a GTK to an IEEE 802.11 key and
use them in ieee80211_input.c instead of duplicating the same code.
properly set Tx/Rx MIC in the IEEE 802.11 key in the case of TKIP.
- add ic_psk to struct ieee80211com to store the pre-shared key.
- fix setting of the SECURE bit in outgoing EAPOL-Key frames.
- when receiving msg 2 of the 4-way handshake, deauthenticate the
station if the RSN IE does not match that of the (Re)Association
request.
- before parsing an RSN or WPA IE, check that there's enough room for
the version field (2 bytes) which is mandatory.
- various tweaks while i'm here.

add a ni_eapol_desc field to struct ieee80211_node to know whether
a station is using WPA1 or RSN descriptors.
make sure that a station that advertises WPA1 capability in an IE
uses the WPA1 EAPOL-Key descriptor type and not the RSN one.
fix construction of EAPOL-Key frames for WPA1.
i can now successfuly complete a 4-way and group-key handshake
with both a WPA1 and a WPA2 access point.
add some TKIP encapsulation code (no SW crypto yet).

ok deraadt@

add generic ieee80211_encrypt() and ieee80211_decrypt() functions that
can handle multiple ciphers (the key to use is determined automatically
by these functions based on the frame's destination address).
add ieee80211_ccmp_encrypt() and ieee80211_ccmp_decrypt().
those two functions only do encapsulation/decapsulation of CCMP frames
for now (they don't do SW crypto). they will help to test things with
drivers that can do HW crypto.
add a ni_pairwise_key field to struct ieee80211_node to actually install
the pairwise transient key.
install the GTK in ic_nw_keys[].

group key handshake message 1 is very different between RSN and WPA1.
RSN uses a GTK KDE while WPA1 stores the GTK in the EAPOL-Key frame
data field (encrypted) and uses some bits in the info field.
split ieee80211_recv_group_msg1() in two separate functions.

all WPA implementations i have tested use EAPOL-Key frames version 1,
so use that too and remove a check in ieee80211_recv_eapol().
WPA1 stores the group key id into bits 4-5 of the EAPOL-Key frame info
field and uses bit 6 to indicate if the key is Rx/Tx or Rx only.
remove a check in ieee80211_eapol_key_decrypt() because WPA1 encrypts
the payload of message 1 of the group-key handshake without setting the
encrypted bit in the info field.

the EAPOL-Key MIC must be computed with the MIC bit set.
this simplifies ieee80211_eapol_key_mic() and ieee80211_eapol_key_check_mic()
quite a bit.
set the EAPOL-Key body length before computing the MIC since the MIC is
computed with the 802.1X header too.
add a missing htons() while i'm here.

extend the ieee80211_key structure with a key identifier, a flags field
and a 64-bit receive sequence counter (for group keys).
add a ieee80211_cipher_keylen() function to retrieve the key length
in bytes used by a specific cipher.
account for 802.1X header size when computing the Key MIC.
some cleanup in comments and variable names while i'm here.

new function to check the MIC of a received EAPOL-Key frame.

use rc4_skip().
fix ieee80211_eapol_key_encrypt() so that we don't add more padding
bytes than necessary in the case of AES Key Wrap encryption.

remove some unused key derivation functions.
we won't support PeerKey handshake in a first time.

remove arc4_ compatibility macros.

add functions to compute EAPOL-Key Key MIC fields and to encrypt/decrypt
EAPOL-Key Data fields.

add ic_globalcnt to struct ieee80211com:
in an RSNA, each STA must maintain a 256-bit global key counter that
must be initialized to a random value (see 8.5.7).

modify ieee80211_aes_key_wrap() to support in-place encryption.
explicitly use ovbcopy() even if our kernel memcpy() supports
overlapping buffers.

add AES Key Wrap algorithm (see RFC 3394).
this will be used to encrypt/decrypt EAPOL-Key frames payload.

replace the ieee80211_wepkey structure with a more generic ieee80211_key
one that can be used with other ciphers than WEP.

s/uint8_t/u_int8_t/ for consistency.

update QoS Tx/Rx sequence numbers for each TID.
add a parameter to ieee80211_decap() to handle different 802.11
header sizes.
cleanup and clarify ieee80211_classify().

add myself to the copyright list.

add the pseudo-random function (PRF) and various key derivation
functions defined in 802.11i.

constify

de-static

ok jsg@

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@

fix the key buffer size used for software wep, this could cause
problems with non-standard wep keys >= 104 bits.

thanks to Alexander Bluhm

ok mglocker@ jsg@

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@

mostly knf

ok jsg@

Remove the last of the FreeBSD compatiblity goop.
ok reyk@

Remove FreeBSD if_printf compat function from net80211.
ok reyk@

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@

Don't restrict WEP keys to exactly 40 or 108 bits.

Hack to avoid panic in arc4maybeinit() due to rnd device not being
attached yet.

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.

ieee80211_decrypt must use m_freem() instead of m_free()

Patch by zxystd from the OpenIntelWireless project (drivers for macOS)

ok tobhe@

Fix CCMP replay check with 11n Rx aggregation and CCMP hardware offloading.

So far, drivers using hardware CCMP decryption were expected to keep the
most recently seen CCMP packet number (PN) up-to-date, and to discard frames
with lower PNs as replays.

A-MPDU subframes may legitimately arrive out of order, and the drivers skipped
CCMP replay checking for such frames. Re-ordering happens in ieee80211_inputm(),
after the driver is done with a frame. Drivers cannot tell replayed frames
apart from legitimate out-of-order retransmissions.

To fix this, update the PN value in ieee80211_inputm() after subframes have
been reordered into their proper sequence. Drivers still perform replay checks
but they no longer have to worry about updating the last seen PN value.

The 802.11 spec confirms that replay checking is supposed to happen after
A-MPDU re-ordering.

Tested by jmc@, benno@, solene@, and myself with the following drivers:
athn(4), iwn(4), iwm(4), wpi(4), urtwn(4)

ok solene@

check that software de/encrypt is possible: under hardware
offload, it needn't be. the stack must otherwise rely on every
offloading driver correctly handling all frames governed by a
given key.
ok stsp@

Prevent ieee80211_get_txkey() from returning the integrity group temporal
key (IGTK) if a node doesn't have management frame protection (MFP) enabled.
The IGTK is not initialized if MFP is disabled, so using it triggers this
panic in ieee80211_encrypt(): panic("invalid key cipher 0x%x", k->k_cipher)

(As far as I can tell, at present, MFP is never enabled.)

Problem reported and fix tested by tj@ on athn(4) hostap

Fix WEP key selection in ieee80211_get_txkey().

The WEP key index is stored in ic_def_txkey. The iGTK ("integrity group key")
index is specific to WPA. The previous code happened to always select WEP key
index 0 since the iGTK index is not yet used by any driver.

ok phessler@

If ieee80211_encrypt() is passed a key with an unrecognized cipher
type then panic immediately instead of silently dropping packets.

ok phessler@

Clear WPA group keys from memory before initiating a key exchange
with an access point. Prevents false positive 'reused group key'
warnings in dmesg when re-associating to the same access point.
Problem reported by tb@
ok tb@

Switch 802.11 crypto over to the new AES

OK stsp@

branches: 1.69.4;
Use explicit_bzero() to wipe out key material and add some sizes to free().

ok stsp

Disable TKIP (WPA1) by default.

It is time for this legacy of WEP to die (remember WEP?).
The 802.11-2012 standard says:
The use of TKIP is deprecated. The TKIP algorithm is unsuitable for
the purposes of this standard.

TKIP has numerous problems. One of which is that TKIP allows a denial of
service attack which can be triggered by any client. Report 2 Michael MIC
failures to a TKIP AP to trigger "TKIP countermeasures". The AP is now
required by the 802.11 standard to lock everyone out for at least 60 seconds.
The network will remain unusable for as long as such MIC failure reports
are sent twice per minute.

TKIP remains available for interoperability purposes, for now.
It must be enabled manually with ifconfig(8).

Prompted by discussion with Mathy Vanhoef.
ok deraadt@ sthen@ reyk@

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@

branches: 1.66.4;
No need to include <net/if_arp.h>

This header is only needed because <netinet/if_ether.h> declares a
structure that needs it. But it turns out that <net/if.h> already
includes it as workaround.

A proper solution would be to stop declarting "struct ether_arp"
there. But no driver should need this header.

unifdef some more INET. v4 4life.

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg

remove uneeded proc.h includes
ok mpi@ kspillner@

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.

Remove unneeded include.

ok deraadt@

for key material that is being being discarded, convert bzero() to
explicit_bzero() where required
ok markus mikeb

Switch some obvious network stack MAC comparisons from bcmp() to
timingsafe_bcmp().

ok deraadt@; committed over WPA.

Change ifconfig wpaakms default setting to `psk' instead of `psk,802.1x'.
Some supplicants will autoselect 802.1X without giving users the
possibility to choose between PSK or 802.1X.

Similarly, no longer announce `PSK with SHA-256 based KDF' AKMP (defined
in Draft 802.11w) by default in the RSN IE of beacons and probe responses
as it confuses some broken supplicants. This kind of sacrifies security
for interoperability with shitty (but unfortunately widespread) clients
that do not follow the 802.11 standard properly.
This fixes associations from Intel PROSet on XP and also reportedly fixes
some Mac OS clients. I will likely make `psk-sha256' configurable through
ifconfig wpaakms after the 4.5 release.

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occured in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successfull 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.

ieee80211_derive_pmkid() is not used either

#ifdef notyet ieee80211_kdf() as it is not used yet (shrink kernel a bit)

add the code to encrypt/decrypt management frames, retrieve key id
from MMIE etc...
this code can't be triggered as no drivers claim MFP capability yet.

missing SHA-256 bits.

new SHA-256 based AKMPs.

add support for EAPOL-Key v3 descriptors (similar to v2 except that the
MIC is computed using AES-128-CMAC instead of HMAC-SHA1).
add a SHA-256 based key derivation function (not used yet).

the only integrity group cipher currently supported is AES-128-CMAC.

extend the ic_nw_keys[] array to 6 elements.
indices 0-3 will be used for group data keys while indices 4-5 will
be used for integrity group keys.
add a ic_rsngroupmgmtcipher field too.

get rid of the map_ptk()/map_gtk() functions, just inline them
which makes things easier to track.

simplify ieee80211_derive_ptk() prototype.
pass the AKMP so we can support other key derivation functions in the
future.

use HMAC-MD5, HMAC-SHA1 and AES Key Wrap sys/crypto/

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.

remove now useless casts since the rijndael_* protos have been
constified.

move things from ieee80211_ifattach() to ieee80211_crypto_attach().

- do not process ethernet PAE frames if RSN is not enabled
- add a ieee80211_recv_action() function (will be used later)
- some cleanup, remove unused prototypes, get rid of the
IEEE80211_VERIFY_* macros

extend the if_ethersubr.c crc functions to support updating a running
crc in addition to the existing "oneshot" mode and use them to replace
ieee80211_crc_update() with the new ether_crc32_le_update(). Saves 1k
kernel bss + some code.

Mark the new ether_crc32_[lb]e_update functions as __pure for a
~25x speedup (on my i386 at least).

feedback and ok damien@

call ieee80211_crc_init() only once, when the first 802.11 device
attaches instead of at every attach.

discussed with deraadt@

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@

remove horrid casts now that SHA1Update() has been constified.

- use ieee80211_get_hdrlen() where appropriate.
- discard all EAPOL-Key frames with an unknown descriptor version.
- when receiving message 3/4 of the 4-way handshake, do not install
the PTK if the INSTALL bit is not set. this fixes 4-way handshake
with APs using group keys only.
- similarly, do not mark the 802.1X port as valid if the SECURE bit
is not set (it will be marked as valid after group key handshake).

fix ieee80211_map_ptk() for TKIP.

add a ieee80211_get_txkey() function to determine the key to use for
transmitting a frame to a given node.
change ieee80211_encrypt() so that it now takes the key as parameter.
this change is required because drivers doing hardware crypto need to
know what key is being used.

- add k_rxmic and k_txmic fields to struct ieee80211_key to store the
Tx/Rx MIC for TKIP.
- add two functions to map a PTK and a GTK to an IEEE 802.11 key and
use them in ieee80211_input.c instead of duplicating the same code.
properly set Tx/Rx MIC in the IEEE 802.11 key in the case of TKIP.
- add ic_psk to struct ieee80211com to store the pre-shared key.
- fix setting of the SECURE bit in outgoing EAPOL-Key frames.
- when receiving msg 2 of the 4-way handshake, deauthenticate the
station if the RSN IE does not match that of the (Re)Association
request.
- before parsing an RSN or WPA IE, check that there's enough room for
the version field (2 bytes) which is mandatory.
- various tweaks while i'm here.

add a ni_eapol_desc field to struct ieee80211_node to know whether
a station is using WPA1 or RSN descriptors.
make sure that a station that advertises WPA1 capability in an IE
uses the WPA1 EAPOL-Key descriptor type and not the RSN one.
fix construction of EAPOL-Key frames for WPA1.
i can now successfuly complete a 4-way and group-key handshake
with both a WPA1 and a WPA2 access point.
add some TKIP encapsulation code (no SW crypto yet).

ok deraadt@

add generic ieee80211_encrypt() and ieee80211_decrypt() functions that
can handle multiple ciphers (the key to use is determined automatically
by these functions based on the frame's destination address).
add ieee80211_ccmp_encrypt() and ieee80211_ccmp_decrypt().
those two functions only do encapsulation/decapsulation of CCMP frames
for now (they don't do SW crypto). they will help to test things with
drivers that can do HW crypto.
add a ni_pairwise_key field to struct ieee80211_node to actually install
the pairwise transient key.
install the GTK in ic_nw_keys[].

group key handshake message 1 is very different between RSN and WPA1.
RSN uses a GTK KDE while WPA1 stores the GTK in the EAPOL-Key frame
data field (encrypted) and uses some bits in the info field.
split ieee80211_recv_group_msg1() in two separate functions.

all WPA implementations i have tested use EAPOL-Key frames version 1,
so use that too and remove a check in ieee80211_recv_eapol().
WPA1 stores the group key id into bits 4-5 of the EAPOL-Key frame info
field and uses bit 6 to indicate if the key is Rx/Tx or Rx only.
remove a check in ieee80211_eapol_key_decrypt() because WPA1 encrypts
the payload of message 1 of the group-key handshake without setting the
encrypted bit in the info field.

the EAPOL-Key MIC must be computed with the MIC bit set.
this simplifies ieee80211_eapol_key_mic() and ieee80211_eapol_key_check_mic()
quite a bit.
set the EAPOL-Key body length before computing the MIC since the MIC is
computed with the 802.1X header too.
add a missing htons() while i'm here.

extend the ieee80211_key structure with a key identifier, a flags field
and a 64-bit receive sequence counter (for group keys).
add a ieee80211_cipher_keylen() function to retrieve the key length
in bytes used by a specific cipher.
account for 802.1X header size when computing the Key MIC.
some cleanup in comments and variable names while i'm here.

new function to check the MIC of a received EAPOL-Key frame.

use rc4_skip().
fix ieee80211_eapol_key_encrypt() so that we don't add more padding
bytes than necessary in the case of AES Key Wrap encryption.

remove some unused key derivation functions.
we won't support PeerKey handshake in a first time.

remove arc4_ compatibility macros.

add functions to compute EAPOL-Key Key MIC fields and to encrypt/decrypt
EAPOL-Key Data fields.

add ic_globalcnt to struct ieee80211com:
in an RSNA, each STA must maintain a 256-bit global key counter that
must be initialized to a random value (see 8.5.7).

modify ieee80211_aes_key_wrap() to support in-place encryption.
explicitly use ovbcopy() even if our kernel memcpy() supports
overlapping buffers.

add AES Key Wrap algorithm (see RFC 3394).
this will be used to encrypt/decrypt EAPOL-Key frames payload.

replace the ieee80211_wepkey structure with a more generic ieee80211_key
one that can be used with other ciphers than WEP.

s/uint8_t/u_int8_t/ for consistency.

update QoS Tx/Rx sequence numbers for each TID.
add a parameter to ieee80211_decap() to handle different 802.11
header sizes.
cleanup and clarify ieee80211_classify().

add myself to the copyright list.

add the pseudo-random function (PRF) and various key derivation
functions defined in 802.11i.

constify

de-static

ok jsg@

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@

fix the key buffer size used for software wep, this could cause
problems with non-standard wep keys >= 104 bits.

thanks to Alexander Bluhm

ok mglocker@ jsg@

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@

mostly knf

ok jsg@

Remove the last of the FreeBSD compatiblity goop.
ok reyk@

Remove FreeBSD if_printf compat function from net80211.
ok reyk@

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@

Don't restrict WEP keys to exactly 40 or 108 bits.

Hack to avoid panic in arc4maybeinit() due to rnd device not being
attached yet.

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.

Fix CCMP replay check with 11n Rx aggregation and CCMP hardware offloading.

So far, drivers using hardware CCMP decryption were expected to keep the
most recently seen CCMP packet number (PN) up-to-date, and to discard frames
with lower PNs as replays.

A-MPDU subframes may legitimately arrive out of order, and the drivers skipped
CCMP replay checking for such frames. Re-ordering happens in ieee80211_inputm(),
after the driver is done with a frame. Drivers cannot tell replayed frames
apart from legitimate out-of-order retransmissions.

To fix this, update the PN value in ieee80211_inputm() after subframes have
been reordered into their proper sequence. Drivers still perform replay checks
but they no longer have to worry about updating the last seen PN value.

The 802.11 spec confirms that replay checking is supposed to happen after
A-MPDU re-ordering.

Tested by jmc@, benno@, solene@, and myself with the following drivers:
athn(4), iwn(4), iwm(4), wpi(4), urtwn(4)

ok solene@

check that software de/encrypt is possible: under hardware
offload, it needn't be. the stack must otherwise rely on every
offloading driver correctly handling all frames governed by a
given key.
ok stsp@

Prevent ieee80211_get_txkey() from returning the integrity group temporal
key (IGTK) if a node doesn't have management frame protection (MFP) enabled.
The IGTK is not initialized if MFP is disabled, so using it triggers this
panic in ieee80211_encrypt(): panic("invalid key cipher 0x%x", k->k_cipher)

(As far as I can tell, at present, MFP is never enabled.)

Problem reported and fix tested by tj@ on athn(4) hostap

Fix WEP key selection in ieee80211_get_txkey().

The WEP key index is stored in ic_def_txkey. The iGTK ("integrity group key")
index is specific to WPA. The previous code happened to always select WEP key
index 0 since the iGTK index is not yet used by any driver.

ok phessler@

If ieee80211_encrypt() is passed a key with an unrecognized cipher
type then panic immediately instead of silently dropping packets.

ok phessler@

Clear WPA group keys from memory before initiating a key exchange
with an access point. Prevents false positive 'reused group key'
warnings in dmesg when re-associating to the same access point.
Problem reported by tb@
ok tb@

Switch 802.11 crypto over to the new AES

OK stsp@

branches: 1.69.4;
Use explicit_bzero() to wipe out key material and add some sizes to free().

ok stsp

Disable TKIP (WPA1) by default.

It is time for this legacy of WEP to die (remember WEP?).
The 802.11-2012 standard says:
The use of TKIP is deprecated. The TKIP algorithm is unsuitable for
the purposes of this standard.

TKIP has numerous problems. One of which is that TKIP allows a denial of
service attack which can be triggered by any client. Report 2 Michael MIC
failures to a TKIP AP to trigger "TKIP countermeasures". The AP is now
required by the 802.11 standard to lock everyone out for at least 60 seconds.
The network will remain unusable for as long as such MIC failure reports
are sent twice per minute.

TKIP remains available for interoperability purposes, for now.
It must be enabled manually with ifconfig(8).

Prompted by discussion with Mathy Vanhoef.
ok deraadt@ sthen@ reyk@

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@

branches: 1.66.4;
No need to include <net/if_arp.h>

This header is only needed because <netinet/if_ether.h> declares a
structure that needs it. But it turns out that <net/if.h> already
includes it as workaround.

A proper solution would be to stop declarting "struct ether_arp"
there. But no driver should need this header.

unifdef some more INET. v4 4life.

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg

remove uneeded proc.h includes
ok mpi@ kspillner@

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.

Remove unneeded include.

ok deraadt@

for key material that is being being discarded, convert bzero() to
explicit_bzero() where required
ok markus mikeb

Switch some obvious network stack MAC comparisons from bcmp() to
timingsafe_bcmp().

ok deraadt@; committed over WPA.

Change ifconfig wpaakms default setting to `psk' instead of `psk,802.1x'.
Some supplicants will autoselect 802.1X without giving users the
possibility to choose between PSK or 802.1X.

Similarly, no longer announce `PSK with SHA-256 based KDF' AKMP (defined
in Draft 802.11w) by default in the RSN IE of beacons and probe responses
as it confuses some broken supplicants. This kind of sacrifies security
for interoperability with shitty (but unfortunately widespread) clients
that do not follow the 802.11 standard properly.
This fixes associations from Intel PROSet on XP and also reportedly fixes
some Mac OS clients. I will likely make `psk-sha256' configurable through
ifconfig wpaakms after the 4.5 release.

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occured in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successfull 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.

ieee80211_derive_pmkid() is not used either

#ifdef notyet ieee80211_kdf() as it is not used yet (shrink kernel a bit)

add the code to encrypt/decrypt management frames, retrieve key id
from MMIE etc...
this code can't be triggered as no drivers claim MFP capability yet.

missing SHA-256 bits.

new SHA-256 based AKMPs.

add support for EAPOL-Key v3 descriptors (similar to v2 except that the
MIC is computed using AES-128-CMAC instead of HMAC-SHA1).
add a SHA-256 based key derivation function (not used yet).

the only integrity group cipher currently supported is AES-128-CMAC.

extend the ic_nw_keys[] array to 6 elements.
indices 0-3 will be used for group data keys while indices 4-5 will
be used for integrity group keys.
add a ic_rsngroupmgmtcipher field too.

get rid of the map_ptk()/map_gtk() functions, just inline them
which makes things easier to track.

simplify ieee80211_derive_ptk() prototype.
pass the AKMP so we can support other key derivation functions in the
future.

use HMAC-MD5, HMAC-SHA1 and AES Key Wrap sys/crypto/

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.

remove now useless casts since the rijndael_* protos have been
constified.

move things from ieee80211_ifattach() to ieee80211_crypto_attach().

- do not process ethernet PAE frames if RSN is not enabled
- add a ieee80211_recv_action() function (will be used later)
- some cleanup, remove unused prototypes, get rid of the
IEEE80211_VERIFY_* macros

extend the if_ethersubr.c crc functions to support updating a running
crc in addition to the existing "oneshot" mode and use them to replace
ieee80211_crc_update() with the new ether_crc32_le_update(). Saves 1k
kernel bss + some code.

Mark the new ether_crc32_[lb]e_update functions as __pure for a
~25x speedup (on my i386 at least).

feedback and ok damien@

call ieee80211_crc_init() only once, when the first 802.11 device
attaches instead of at every attach.

discussed with deraadt@

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@

remove horrid casts now that SHA1Update() has been constified.

- use ieee80211_get_hdrlen() where appropriate.
- discard all EAPOL-Key frames with an unknown descriptor version.
- when receiving message 3/4 of the 4-way handshake, do not install
the PTK if the INSTALL bit is not set. this fixes 4-way handshake
with APs using group keys only.
- similarly, do not mark the 802.1X port as valid if the SECURE bit
is not set (it will be marked as valid after group key handshake).

fix ieee80211_map_ptk() for TKIP.

add a ieee80211_get_txkey() function to determine the key to use for
transmitting a frame to a given node.
change ieee80211_encrypt() so that it now takes the key as parameter.
this change is required because drivers doing hardware crypto need to
know what key is being used.

- add k_rxmic and k_txmic fields to struct ieee80211_key to store the
Tx/Rx MIC for TKIP.
- add two functions to map a PTK and a GTK to an IEEE 802.11 key and
use them in ieee80211_input.c instead of duplicating the same code.
properly set Tx/Rx MIC in the IEEE 802.11 key in the case of TKIP.
- add ic_psk to struct ieee80211com to store the pre-shared key.
- fix setting of the SECURE bit in outgoing EAPOL-Key frames.
- when receiving msg 2 of the 4-way handshake, deauthenticate the
station if the RSN IE does not match that of the (Re)Association
request.
- before parsing an RSN or WPA IE, check that there's enough room for
the version field (2 bytes) which is mandatory.
- various tweaks while i'm here.

add a ni_eapol_desc field to struct ieee80211_node to know whether
a station is using WPA1 or RSN descriptors.
make sure that a station that advertises WPA1 capability in an IE
uses the WPA1 EAPOL-Key descriptor type and not the RSN one.
fix construction of EAPOL-Key frames for WPA1.
i can now successfuly complete a 4-way and group-key handshake
with both a WPA1 and a WPA2 access point.
add some TKIP encapsulation code (no SW crypto yet).

ok deraadt@

add generic ieee80211_encrypt() and ieee80211_decrypt() functions that
can handle multiple ciphers (the key to use is determined automatically
by these functions based on the frame's destination address).
add ieee80211_ccmp_encrypt() and ieee80211_ccmp_decrypt().
those two functions only do encapsulation/decapsulation of CCMP frames
for now (they don't do SW crypto). they will help to test things with
drivers that can do HW crypto.
add a ni_pairwise_key field to struct ieee80211_node to actually install
the pairwise transient key.
install the GTK in ic_nw_keys[].

group key handshake message 1 is very different between RSN and WPA1.
RSN uses a GTK KDE while WPA1 stores the GTK in the EAPOL-Key frame
data field (encrypted) and uses some bits in the info field.
split ieee80211_recv_group_msg1() in two separate functions.

all WPA implementations i have tested use EAPOL-Key frames version 1,
so use that too and remove a check in ieee80211_recv_eapol().
WPA1 stores the group key id into bits 4-5 of the EAPOL-Key frame info
field and uses bit 6 to indicate if the key is Rx/Tx or Rx only.
remove a check in ieee80211_eapol_key_decrypt() because WPA1 encrypts
the payload of message 1 of the group-key handshake without setting the
encrypted bit in the info field.

the EAPOL-Key MIC must be computed with the MIC bit set.
this simplifies ieee80211_eapol_key_mic() and ieee80211_eapol_key_check_mic()
quite a bit.
set the EAPOL-Key body length before computing the MIC since the MIC is
computed with the 802.1X header too.
add a missing htons() while i'm here.

extend the ieee80211_key structure with a key identifier, a flags field
and a 64-bit receive sequence counter (for group keys).
add a ieee80211_cipher_keylen() function to retrieve the key length
in bytes used by a specific cipher.
account for 802.1X header size when computing the Key MIC.
some cleanup in comments and variable names while i'm here.

new function to check the MIC of a received EAPOL-Key frame.

use rc4_skip().
fix ieee80211_eapol_key_encrypt() so that we don't add more padding
bytes than necessary in the case of AES Key Wrap encryption.

remove some unused key derivation functions.
we won't support PeerKey handshake in a first time.

remove arc4_ compatibility macros.

add functions to compute EAPOL-Key Key MIC fields and to encrypt/decrypt
EAPOL-Key Data fields.

add ic_globalcnt to struct ieee80211com:
in an RSNA, each STA must maintain a 256-bit global key counter that
must be initialized to a random value (see 8.5.7).

modify ieee80211_aes_key_wrap() to support in-place encryption.
explicitly use ovbcopy() even if our kernel memcpy() supports
overlapping buffers.

add AES Key Wrap algorithm (see RFC 3394).
this will be used to encrypt/decrypt EAPOL-Key frames payload.

replace the ieee80211_wepkey structure with a more generic ieee80211_key
one that can be used with other ciphers than WEP.

s/uint8_t/u_int8_t/ for consistency.

update QoS Tx/Rx sequence numbers for each TID.
add a parameter to ieee80211_decap() to handle different 802.11
header sizes.
cleanup and clarify ieee80211_classify().

add myself to the copyright list.

add the pseudo-random function (PRF) and various key derivation
functions defined in 802.11i.

constify

de-static

ok jsg@

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@

fix the key buffer size used for software wep, this could cause
problems with non-standard wep keys >= 104 bits.

thanks to Alexander Bluhm

ok mglocker@ jsg@

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@

mostly knf

ok jsg@

Remove the last of the FreeBSD compatiblity goop.
ok reyk@

Remove FreeBSD if_printf compat function from net80211.
ok reyk@

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@

Don't restrict WEP keys to exactly 40 or 108 bits.

Hack to avoid panic in arc4maybeinit() due to rnd device not being
attached yet.

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.

check that software de/encrypt is possible: under hardware
offload, it needn't be. the stack must otherwise rely on every
offloading driver correctly handling all frames governed by a
given key.
ok stsp@

Prevent ieee80211_get_txkey() from returning the integrity group temporal
key (IGTK) if a node doesn't have management frame protection (MFP) enabled.
The IGTK is not initialized if MFP is disabled, so using it triggers this
panic in ieee80211_encrypt(): panic("invalid key cipher 0x%x", k->k_cipher)

(As far as I can tell, at present, MFP is never enabled.)

Problem reported and fix tested by tj@ on athn(4) hostap

Fix WEP key selection in ieee80211_get_txkey().

The WEP key index is stored in ic_def_txkey. The iGTK ("integrity group key")
index is specific to WPA. The previous code happened to always select WEP key
index 0 since the iGTK index is not yet used by any driver.

ok phessler@

If ieee80211_encrypt() is passed a key with an unrecognized cipher
type then panic immediately instead of silently dropping packets.

ok phessler@

Clear WPA group keys from memory before initiating a key exchange
with an access point. Prevents false positive 'reused group key'
warnings in dmesg when re-associating to the same access point.
Problem reported by tb@
ok tb@

Switch 802.11 crypto over to the new AES

OK stsp@

branches: 1.69.4;
Use explicit_bzero() to wipe out key material and add some sizes to free().

ok stsp

Disable TKIP (WPA1) by default.

It is time for this legacy of WEP to die (remember WEP?).
The 802.11-2012 standard says:
The use of TKIP is deprecated. The TKIP algorithm is unsuitable for
the purposes of this standard.

TKIP has numerous problems. One of which is that TKIP allows a denial of
service attack which can be triggered by any client. Report 2 Michael MIC
failures to a TKIP AP to trigger "TKIP countermeasures". The AP is now
required by the 802.11 standard to lock everyone out for at least 60 seconds.
The network will remain unusable for as long as such MIC failure reports
are sent twice per minute.

TKIP remains available for interoperability purposes, for now.
It must be enabled manually with ifconfig(8).

Prompted by discussion with Mathy Vanhoef.
ok deraadt@ sthen@ reyk@

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@

branches: 1.66.4;
No need to include <net/if_arp.h>

This header is only needed because <netinet/if_ether.h> declares a
structure that needs it. But it turns out that <net/if.h> already
includes it as workaround.

A proper solution would be to stop declarting "struct ether_arp"
there. But no driver should need this header.

unifdef some more INET. v4 4life.

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg

remove uneeded proc.h includes
ok mpi@ kspillner@

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.

Remove unneeded include.

ok deraadt@

for key material that is being being discarded, convert bzero() to
explicit_bzero() where required
ok markus mikeb

Switch some obvious network stack MAC comparisons from bcmp() to
timingsafe_bcmp().

ok deraadt@; committed over WPA.

Change ifconfig wpaakms default setting to `psk' instead of `psk,802.1x'.
Some supplicants will autoselect 802.1X without giving users the
possibility to choose between PSK or 802.1X.

Similarly, no longer announce `PSK with SHA-256 based KDF' AKMP (defined
in Draft 802.11w) by default in the RSN IE of beacons and probe responses
as it confuses some broken supplicants. This kind of sacrifies security
for interoperability with shitty (but unfortunately widespread) clients
that do not follow the 802.11 standard properly.
This fixes associations from Intel PROSet on XP and also reportedly fixes
some Mac OS clients. I will likely make `psk-sha256' configurable through
ifconfig wpaakms after the 4.5 release.

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occured in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successfull 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.

ieee80211_derive_pmkid() is not used either

#ifdef notyet ieee80211_kdf() as it is not used yet (shrink kernel a bit)

add the code to encrypt/decrypt management frames, retrieve key id
from MMIE etc...
this code can't be triggered as no drivers claim MFP capability yet.

missing SHA-256 bits.

new SHA-256 based AKMPs.

add support for EAPOL-Key v3 descriptors (similar to v2 except that the
MIC is computed using AES-128-CMAC instead of HMAC-SHA1).
add a SHA-256 based key derivation function (not used yet).

the only integrity group cipher currently supported is AES-128-CMAC.

extend the ic_nw_keys[] array to 6 elements.
indices 0-3 will be used for group data keys while indices 4-5 will
be used for integrity group keys.
add a ic_rsngroupmgmtcipher field too.

get rid of the map_ptk()/map_gtk() functions, just inline them
which makes things easier to track.

simplify ieee80211_derive_ptk() prototype.
pass the AKMP so we can support other key derivation functions in the
future.

use HMAC-MD5, HMAC-SHA1 and AES Key Wrap sys/crypto/

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.

remove now useless casts since the rijndael_* protos have been
constified.

move things from ieee80211_ifattach() to ieee80211_crypto_attach().

- do not process ethernet PAE frames if RSN is not enabled
- add a ieee80211_recv_action() function (will be used later)
- some cleanup, remove unused prototypes, get rid of the
IEEE80211_VERIFY_* macros

extend the if_ethersubr.c crc functions to support updating a running
crc in addition to the existing "oneshot" mode and use them to replace
ieee80211_crc_update() with the new ether_crc32_le_update(). Saves 1k
kernel bss + some code.

Mark the new ether_crc32_[lb]e_update functions as __pure for a
~25x speedup (on my i386 at least).

feedback and ok damien@

call ieee80211_crc_init() only once, when the first 802.11 device
attaches instead of at every attach.

discussed with deraadt@

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@

remove horrid casts now that SHA1Update() has been constified.

- use ieee80211_get_hdrlen() where appropriate.
- discard all EAPOL-Key frames with an unknown descriptor version.
- when receiving message 3/4 of the 4-way handshake, do not install
the PTK if the INSTALL bit is not set. this fixes 4-way handshake
with APs using group keys only.
- similarly, do not mark the 802.1X port as valid if the SECURE bit
is not set (it will be marked as valid after group key handshake).

fix ieee80211_map_ptk() for TKIP.

add a ieee80211_get_txkey() function to determine the key to use for
transmitting a frame to a given node.
change ieee80211_encrypt() so that it now takes the key as parameter.
this change is required because drivers doing hardware crypto need to
know what key is being used.

- add k_rxmic and k_txmic fields to struct ieee80211_key to store the
Tx/Rx MIC for TKIP.
- add two functions to map a PTK and a GTK to an IEEE 802.11 key and
use them in ieee80211_input.c instead of duplicating the same code.
properly set Tx/Rx MIC in the IEEE 802.11 key in the case of TKIP.
- add ic_psk to struct ieee80211com to store the pre-shared key.
- fix setting of the SECURE bit in outgoing EAPOL-Key frames.
- when receiving msg 2 of the 4-way handshake, deauthenticate the
station if the RSN IE does not match that of the (Re)Association
request.
- before parsing an RSN or WPA IE, check that there's enough room for
the version field (2 bytes) which is mandatory.
- various tweaks while i'm here.

add a ni_eapol_desc field to struct ieee80211_node to know whether
a station is using WPA1 or RSN descriptors.
make sure that a station that advertises WPA1 capability in an IE
uses the WPA1 EAPOL-Key descriptor type and not the RSN one.
fix construction of EAPOL-Key frames for WPA1.
i can now successfuly complete a 4-way and group-key handshake
with both a WPA1 and a WPA2 access point.
add some TKIP encapsulation code (no SW crypto yet).

ok deraadt@

add generic ieee80211_encrypt() and ieee80211_decrypt() functions that
can handle multiple ciphers (the key to use is determined automatically
by these functions based on the frame's destination address).
add ieee80211_ccmp_encrypt() and ieee80211_ccmp_decrypt().
those two functions only do encapsulation/decapsulation of CCMP frames
for now (they don't do SW crypto). they will help to test things with
drivers that can do HW crypto.
add a ni_pairwise_key field to struct ieee80211_node to actually install
the pairwise transient key.
install the GTK in ic_nw_keys[].

group key handshake message 1 is very different between RSN and WPA1.
RSN uses a GTK KDE while WPA1 stores the GTK in the EAPOL-Key frame
data field (encrypted) and uses some bits in the info field.
split ieee80211_recv_group_msg1() in two separate functions.

all WPA implementations i have tested use EAPOL-Key frames version 1,
so use that too and remove a check in ieee80211_recv_eapol().
WPA1 stores the group key id into bits 4-5 of the EAPOL-Key frame info
field and uses bit 6 to indicate if the key is Rx/Tx or Rx only.
remove a check in ieee80211_eapol_key_decrypt() because WPA1 encrypts
the payload of message 1 of the group-key handshake without setting the
encrypted bit in the info field.

the EAPOL-Key MIC must be computed with the MIC bit set.
this simplifies ieee80211_eapol_key_mic() and ieee80211_eapol_key_check_mic()
quite a bit.
set the EAPOL-Key body length before computing the MIC since the MIC is
computed with the 802.1X header too.
add a missing htons() while i'm here.

extend the ieee80211_key structure with a key identifier, a flags field
and a 64-bit receive sequence counter (for group keys).
add a ieee80211_cipher_keylen() function to retrieve the key length
in bytes used by a specific cipher.
account for 802.1X header size when computing the Key MIC.
some cleanup in comments and variable names while i'm here.

new function to check the MIC of a received EAPOL-Key frame.

use rc4_skip().
fix ieee80211_eapol_key_encrypt() so that we don't add more padding
bytes than necessary in the case of AES Key Wrap encryption.

remove some unused key derivation functions.
we won't support PeerKey handshake in a first time.

remove arc4_ compatibility macros.

add functions to compute EAPOL-Key Key MIC fields and to encrypt/decrypt
EAPOL-Key Data fields.

add ic_globalcnt to struct ieee80211com:
in an RSNA, each STA must maintain a 256-bit global key counter that
must be initialized to a random value (see 8.5.7).

modify ieee80211_aes_key_wrap() to support in-place encryption.
explicitly use ovbcopy() even if our kernel memcpy() supports
overlapping buffers.

add AES Key Wrap algorithm (see RFC 3394).
this will be used to encrypt/decrypt EAPOL-Key frames payload.

replace the ieee80211_wepkey structure with a more generic ieee80211_key
one that can be used with other ciphers than WEP.

s/uint8_t/u_int8_t/ for consistency.

update QoS Tx/Rx sequence numbers for each TID.
add a parameter to ieee80211_decap() to handle different 802.11
header sizes.
cleanup and clarify ieee80211_classify().

add myself to the copyright list.

add the pseudo-random function (PRF) and various key derivation
functions defined in 802.11i.

constify

de-static

ok jsg@

The license permits us to redistribute this code under the BSD or the GPLv2.
Choose the BSD license so that future enhancements will be BSD-only.

ok jsg@ reyk@ deraadt@

fix the key buffer size used for software wep, this could cause
problems with non-standard wep keys >= 104 bits.

thanks to Alexander Bluhm

ok mglocker@ jsg@

Improve 802.11b/g interoperability and move toward better compliance
with IEEE Std 802.11g-2003 standard:

- add ERP Information Element in probe responses and beacons
- keep track of the number of associated non-ERP STAs and non-short slot
time capable STAs in the BSS
- enable use of RTS/CTS or CTS-to-self protection when required by the BSS
- add a ic_updateslot() callback to notify drivers of slot time changes
- cleanup computation of mgmt frames sizes in ieee80211_output.c
- nuke unnecessary <sys/cdefs.h> includes
- remove an unused macro (LOGICALLY_EQUAL) while i'm here

From {free,net}bsd, with additional fixes.

ok brad@, reyk@

mostly knf

ok jsg@

Remove the last of the FreeBSD compatiblity goop.
ok reyk@

Remove FreeBSD if_printf compat function from net80211.
ok reyk@

Remove FreeBSD/NetBSD ifdef mess. We are not likely to be
doing a wholesale merge with them in future.
very enthusiastic ok from reyk@

Don't restrict WEP keys to exactly 40 or 108 bits.

Hack to avoid panic in arc4maybeinit() due to rnd device not being
attached yet.

Import current NetBSD/FreeBSD 802.11 framework.
Based in part on a diff from Matthew Gream.

Prevent ieee80211_get_txkey() from returning the integrity group temporal
key (IGTK) if a node doesn't have management frame protection (MFP) enabled.
The IGTK is not initialized if MFP is disabled, so using it triggers this
panic in ieee80211_encrypt(): panic("invalid key cipher 0x%x", k->k_cipher)

(As far as I can tell, at present, MFP is never enabled.)

Problem reported and fix tested by tj@ on athn(4) hostap

Fix WEP key selection in ieee80211_get_txkey().

The WEP key index is stored in ic_def_txkey. The iGTK ("integrity group key")
index is specific to WPA. The previous code happened to always select WEP key
index 0 since the iGTK index is not yet used by any driver.

ok phessler@

If ieee80211_encrypt() is passed a key with an unrecognized cipher
type then panic immediately instead of silently dropping packets.

ok phessler@

Clear WPA group keys from memory before initiating a key exchange
with an access point. Prevents false positive 'reused group key'
warnings in dmesg when re-associating to the same access point.
Problem reported by tb@
ok tb@

Switch 802.11 crypto over to the new AES

OK stsp@

branches: 1.69.4;
Use explicit_bzero() to wipe out key material and add some sizes to free().

ok stsp

Disable TKIP (WPA1) by default.

It is time for this legacy of WEP to die (remember WEP?).
The 802.11-2012 standard says:
The use of TKIP is deprecated. The TKIP algorithm is unsuitable for
the purposes of this standard.

TKIP has numerous problems. One of which is that TKIP allows a denial of
service attack which can be triggered by any client. Report 2 Michael MIC
failures to a TKIP AP to trigger "TKIP countermeasures". The AP is now
required by the 802.11 standard to lock everyone out for at least 60 seconds.
The network will remain unusable for as long as such MIC failure reports
are sent twice per minute.

TKIP remains available for interoperability purposes, for now.
It must be enabled manually with ifconfig(8).

Prompted by discussion with Mathy Vanhoef.
ok deraadt@ sthen@ reyk@

Complete our half-done implementation of TKIP countermeasures in hostap mode.

The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.

Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@

branches: 1.66.4;
No need to include <net/if_arp.h>

This header is only needed because <netinet/if_ether.h> declares a
structure that needs it. But it turns out that <net/if.h> already
includes it as workaround.

A proper solution would be to stop declarting "struct ether_arp"
there. But no driver should need this header.

unifdef some more INET. v4 4life.

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg