Always check for EBUSY when the return value of ic_set_key() is tested.

Fixes urtwn(4) repeated DEAUTH and subsequent loss/restoration of link.
It was a great dhclient(4) stress test. Note that urtwn(4) is the first
and so far only device whose *_set_key() function returns EBUSY.

Debugging hints and ok stsp@

Don't enable port or link until all crypto keys are installed by
async task(s).

Makes dhclient(8) much happier.

Suggestions and ok stsp@, jmatthew@

When a wifi interface acts as a client and the WPA handshake is done,
update the WPA group cipher value in interface configuration data.

Code relying in this value will otherwise get the group cipher wrong.
One obvious example is ifconfig which now displays the negotiated group
cipher rather than always displaying the default value 'ccmp'.

Fixes a regression where athn(4) no longer worked against WPA2 APs which
use TKIP as a group cipher for compatibility with WPA1.

Problem reported by Tim Chase.

ok kettenis@

Typo in WPA supplicant state machine: RNSA_SUPP_PTKDONE -> RSNA_SUPP_PTKDONE

Make net80211 expose reasons for association failures to userland and have
ifconfig display them in 'scan' output and on the ieee80211 status line if
the failure is applicable to an already selected AP (e.g. wrong WPA key).

This will hopefully reduce the amount of help requests for what often
turn out to be trivial misconfiguration issues that were previously
hard to diagnose without debug mode.

ifconfig must be recompiled with the new ieee80211_ioctl.h to stay in
sync with the kernel. A full 'make build' will do the right thing!

Very helpful input by mpi@ and deraadt@

Remove 'reused group key update received' printfs.
These have served no useful purpose in practice; all reported instances were
legitimate group key retransmissions by the AP, e.g. after laptop suspend.
We fixed KRACK long ago; re-used group key messages are nothing to worry about.

Add comments which document already fixed WPA attack vectors.

Add an entry to dmesg if pairwise WPA keys arrive unexpectedly or if WPA
group keys are being reused. OpenBSD wireless clients will now leave a
trail of such events in their message log.

There has been increased public scrutiny of WPA's security recently, so
I am curious to see if anyone is attempting replay attacks in the wild.

ok deraadt

Fix length checks in EAPOL key frame parsing.
Problem reported by Ilja Van Sprundel.
ok tb@ kevlo@

branches: 1.28.4;
Fix some DPRINTFs I just added to ieee80211_pae_input.c.
No fnuctional change.

Fix a bug allowing a man-in-the-middle attack against WPA wireless clients.
A malicious AP could trick clients into connecting to the malicious AP
instead of the desired AP. All frames would then be sent in the clear.
This problem was found and reported by Mathy Vanhoef who also provided
an initial patch which we improved together.

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@

branches: 1.25.2; 1.25.6;
m_freem() can handle NULL, do not check for this condition beforehands.
ok stsp mpi

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@

unifdef some more INET. v4 4life.

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg

remove uneeded proc.h includes
ok mpi@ kspillner@

Fix debug printf, from Nathanael Rensen and chris@.

Fewer <netinet/in_systm.h> !

Collapse m_pullup and m_pullup2 into a single function, as they're
essentially identical; the only difference being that m_pullup2 is
capable of handling mbuf clusters, but called m_pullup for shorter
lengths (!).

testing dlg@ ok claudio@

when receiving the first message of an rsn group key handshake
packet, copy the key out of it properly.

fixes the problem where only broadcast packets like ipv6 router
advertisements were failing decryption and processing, only after a
rekey.

ok damien@

how did i manage to forget that file in my last commit?

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occured in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.

typo, no binary change.

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successfull 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.

do not increment is_rx_eapol_key twice for each frame.
fix a test on the mbuf length and one on the descriptor version.
remove redundant checking of GTK KDE length.

new SHA-256 based AKMPs.

process IGTK KDEs in EAPOL-Key frames and install integrity group keys
if MFP was negotiated with the peer (not possible yet).

Change the way we process EAPOL-Key frames.
Free the mbuf in the ieee80211_eapol_key_input() function.
Do not assume the frame is contiguous, call m_pullup2() if it is not.
We need the frame to be contiguous to process KDEs efficiently in
EAPOL-Key frames (just like we process IEs in management frames).
However, there are drivers like upgt(4) that use m_devget() in the
RX path. m_devget() can return fragmented mbuf chains.
Notice that we should do the same m_pullup2() for management frames.
This will be done later.
Remove the ic_recv_eapol callback.

get rid of the map_ptk()/map_gtk() functions, just inline them
which makes things easier to track.

simplify ieee80211_derive_ptk() prototype.
pass the AKMP so we can support other key derivation functions in the
future.

print the correct value in a debug message.

Drop frames that are received unencrypted when WEP is on or when
WPA is on and RX protection for TA is on.
Keep track of the TX/RX protection for each node when WPA is on.

tested by djm@ (ral+wpa), ckuethe@ (ath-noenc) and krw@ (wpi<->ral+wpa).
hints from bluhm@
has been in snaps for a few days.

pointed out by bluhm@ something like 1 year ago but we did not have
the right infrastructure to fix it properly at that time.

ok deraadt@

s/IEEE80211_DPRINTF/DPRINTF/
automatically prepend __func__ to output.

deobfuscates debug messages a bit.
no binary change unless compiled with IEEE80211_DEBUG.

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.

move processing of EAPOL frames away from ieee80211_{input,output}.c

Don't enable port or link until all crypto keys are installed by
async task(s).

Makes dhclient(8) much happier.

Suggestions and ok stsp@, jmatthew@

When a wifi interface acts as a client and the WPA handshake is done,
update the WPA group cipher value in interface configuration data.

Code relying in this value will otherwise get the group cipher wrong.
One obvious example is ifconfig which now displays the negotiated group
cipher rather than always displaying the default value 'ccmp'.

Fixes a regression where athn(4) no longer worked against WPA2 APs which
use TKIP as a group cipher for compatibility with WPA1.

Problem reported by Tim Chase.

ok kettenis@

Typo in WPA supplicant state machine: RNSA_SUPP_PTKDONE -> RSNA_SUPP_PTKDONE

Make net80211 expose reasons for association failures to userland and have
ifconfig display them in 'scan' output and on the ieee80211 status line if
the failure is applicable to an already selected AP (e.g. wrong WPA key).

This will hopefully reduce the amount of help requests for what often
turn out to be trivial misconfiguration issues that were previously
hard to diagnose without debug mode.

ifconfig must be recompiled with the new ieee80211_ioctl.h to stay in
sync with the kernel. A full 'make build' will do the right thing!

Very helpful input by mpi@ and deraadt@

Remove 'reused group key update received' printfs.
These have served no useful purpose in practice; all reported instances were
legitimate group key retransmissions by the AP, e.g. after laptop suspend.
We fixed KRACK long ago; re-used group key messages are nothing to worry about.

Add comments which document already fixed WPA attack vectors.

Add an entry to dmesg if pairwise WPA keys arrive unexpectedly or if WPA
group keys are being reused. OpenBSD wireless clients will now leave a
trail of such events in their message log.

There has been increased public scrutiny of WPA's security recently, so
I am curious to see if anyone is attempting replay attacks in the wild.

ok deraadt

Fix length checks in EAPOL key frame parsing.
Problem reported by Ilja Van Sprundel.
ok tb@ kevlo@

branches: 1.28.4;
Fix some DPRINTFs I just added to ieee80211_pae_input.c.
No fnuctional change.

Fix a bug allowing a man-in-the-middle attack against WPA wireless clients.
A malicious AP could trick clients into connecting to the malicious AP
instead of the desired AP. All frames would then be sent in the clear.
This problem was found and reported by Mathy Vanhoef who also provided
an initial patch which we improved together.

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@

branches: 1.25.2; 1.25.6;
m_freem() can handle NULL, do not check for this condition beforehands.
ok stsp mpi

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@

unifdef some more INET. v4 4life.

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg

remove uneeded proc.h includes
ok mpi@ kspillner@

Fix debug printf, from Nathanael Rensen and chris@.

Fewer <netinet/in_systm.h> !

Collapse m_pullup and m_pullup2 into a single function, as they're
essentially identical; the only difference being that m_pullup2 is
capable of handling mbuf clusters, but called m_pullup for shorter
lengths (!).

testing dlg@ ok claudio@

when receiving the first message of an rsn group key handshake
packet, copy the key out of it properly.

fixes the problem where only broadcast packets like ipv6 router
advertisements were failing decryption and processing, only after a
rekey.

ok damien@

how did i manage to forget that file in my last commit?

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occured in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.

typo, no binary change.

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successfull 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.

do not increment is_rx_eapol_key twice for each frame.
fix a test on the mbuf length and one on the descriptor version.
remove redundant checking of GTK KDE length.

new SHA-256 based AKMPs.

process IGTK KDEs in EAPOL-Key frames and install integrity group keys
if MFP was negotiated with the peer (not possible yet).

Change the way we process EAPOL-Key frames.
Free the mbuf in the ieee80211_eapol_key_input() function.
Do not assume the frame is contiguous, call m_pullup2() if it is not.
We need the frame to be contiguous to process KDEs efficiently in
EAPOL-Key frames (just like we process IEs in management frames).
However, there are drivers like upgt(4) that use m_devget() in the
RX path. m_devget() can return fragmented mbuf chains.
Notice that we should do the same m_pullup2() for management frames.
This will be done later.
Remove the ic_recv_eapol callback.

get rid of the map_ptk()/map_gtk() functions, just inline them
which makes things easier to track.

simplify ieee80211_derive_ptk() prototype.
pass the AKMP so we can support other key derivation functions in the
future.

print the correct value in a debug message.

Drop frames that are received unencrypted when WEP is on or when
WPA is on and RX protection for TA is on.
Keep track of the TX/RX protection for each node when WPA is on.

tested by djm@ (ral+wpa), ckuethe@ (ath-noenc) and krw@ (wpi<->ral+wpa).
hints from bluhm@
has been in snaps for a few days.

pointed out by bluhm@ something like 1 year ago but we did not have
the right infrastructure to fix it properly at that time.

ok deraadt@

s/IEEE80211_DPRINTF/DPRINTF/
automatically prepend __func__ to output.

deobfuscates debug messages a bit.
no binary change unless compiled with IEEE80211_DEBUG.

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.

move processing of EAPOL frames away from ieee80211_{input,output}.c

When a wifi interface acts as a client and the WPA handshake is done,
update the WPA group cipher value in interface configuration data.

Code relying in this value will otherwise get the group cipher wrong.
One obvious example is ifconfig which now displays the negotiated group
cipher rather than always displaying the default value 'ccmp'.

Fixes a regression where athn(4) no longer worked against WPA2 APs which
use TKIP as a group cipher for compatibility with WPA1.

Problem reported by Tim Chase.

ok kettenis@

Typo in WPA supplicant state machine: RNSA_SUPP_PTKDONE -> RSNA_SUPP_PTKDONE

Make net80211 expose reasons for association failures to userland and have
ifconfig display them in 'scan' output and on the ieee80211 status line if
the failure is applicable to an already selected AP (e.g. wrong WPA key).

This will hopefully reduce the amount of help requests for what often
turn out to be trivial misconfiguration issues that were previously
hard to diagnose without debug mode.

ifconfig must be recompiled with the new ieee80211_ioctl.h to stay in
sync with the kernel. A full 'make build' will do the right thing!

Very helpful input by mpi@ and deraadt@

Remove 'reused group key update received' printfs.
These have served no useful purpose in practice; all reported instances were
legitimate group key retransmissions by the AP, e.g. after laptop suspend.
We fixed KRACK long ago; re-used group key messages are nothing to worry about.

Add comments which document already fixed WPA attack vectors.

Add an entry to dmesg if pairwise WPA keys arrive unexpectedly or if WPA
group keys are being reused. OpenBSD wireless clients will now leave a
trail of such events in their message log.

There has been increased public scrutiny of WPA's security recently, so
I am curious to see if anyone is attempting replay attacks in the wild.

ok deraadt

Fix length checks in EAPOL key frame parsing.
Problem reported by Ilja Van Sprundel.
ok tb@ kevlo@

branches: 1.28.4;
Fix some DPRINTFs I just added to ieee80211_pae_input.c.
No fnuctional change.

Fix a bug allowing a man-in-the-middle attack against WPA wireless clients.
A malicious AP could trick clients into connecting to the malicious AP
instead of the desired AP. All frames would then be sent in the clear.
This problem was found and reported by Mathy Vanhoef who also provided
an initial patch which we improved together.

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@

branches: 1.25.2; 1.25.6;
m_freem() can handle NULL, do not check for this condition beforehands.
ok stsp mpi

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@

unifdef some more INET. v4 4life.

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg

remove uneeded proc.h includes
ok mpi@ kspillner@

Fix debug printf, from Nathanael Rensen and chris@.

Fewer <netinet/in_systm.h> !

Collapse m_pullup and m_pullup2 into a single function, as they're
essentially identical; the only difference being that m_pullup2 is
capable of handling mbuf clusters, but called m_pullup for shorter
lengths (!).

testing dlg@ ok claudio@

when receiving the first message of an rsn group key handshake
packet, copy the key out of it properly.

fixes the problem where only broadcast packets like ipv6 router
advertisements were failing decryption and processing, only after a
rekey.

ok damien@

how did i manage to forget that file in my last commit?

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occured in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.

typo, no binary change.

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successfull 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.

do not increment is_rx_eapol_key twice for each frame.
fix a test on the mbuf length and one on the descriptor version.
remove redundant checking of GTK KDE length.

new SHA-256 based AKMPs.

process IGTK KDEs in EAPOL-Key frames and install integrity group keys
if MFP was negotiated with the peer (not possible yet).

Change the way we process EAPOL-Key frames.
Free the mbuf in the ieee80211_eapol_key_input() function.
Do not assume the frame is contiguous, call m_pullup2() if it is not.
We need the frame to be contiguous to process KDEs efficiently in
EAPOL-Key frames (just like we process IEs in management frames).
However, there are drivers like upgt(4) that use m_devget() in the
RX path. m_devget() can return fragmented mbuf chains.
Notice that we should do the same m_pullup2() for management frames.
This will be done later.
Remove the ic_recv_eapol callback.

get rid of the map_ptk()/map_gtk() functions, just inline them
which makes things easier to track.

simplify ieee80211_derive_ptk() prototype.
pass the AKMP so we can support other key derivation functions in the
future.

print the correct value in a debug message.

Drop frames that are received unencrypted when WEP is on or when
WPA is on and RX protection for TA is on.
Keep track of the TX/RX protection for each node when WPA is on.

tested by djm@ (ral+wpa), ckuethe@ (ath-noenc) and krw@ (wpi<->ral+wpa).
hints from bluhm@
has been in snaps for a few days.

pointed out by bluhm@ something like 1 year ago but we did not have
the right infrastructure to fix it properly at that time.

ok deraadt@

s/IEEE80211_DPRINTF/DPRINTF/
automatically prepend __func__ to output.

deobfuscates debug messages a bit.
no binary change unless compiled with IEEE80211_DEBUG.

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.

move processing of EAPOL frames away from ieee80211_{input,output}.c

Typo in WPA supplicant state machine: RNSA_SUPP_PTKDONE -> RSNA_SUPP_PTKDONE

Make net80211 expose reasons for association failures to userland and have
ifconfig display them in 'scan' output and on the ieee80211 status line if
the failure is applicable to an already selected AP (e.g. wrong WPA key).

This will hopefully reduce the amount of help requests for what often
turn out to be trivial misconfiguration issues that were previously
hard to diagnose without debug mode.

ifconfig must be recompiled with the new ieee80211_ioctl.h to stay in
sync with the kernel. A full 'make build' will do the right thing!

Very helpful input by mpi@ and deraadt@

Remove 'reused group key update received' printfs.
These have served no useful purpose in practice; all reported instances were
legitimate group key retransmissions by the AP, e.g. after laptop suspend.
We fixed KRACK long ago; re-used group key messages are nothing to worry about.

Add comments which document already fixed WPA attack vectors.

Add an entry to dmesg if pairwise WPA keys arrive unexpectedly or if WPA
group keys are being reused. OpenBSD wireless clients will now leave a
trail of such events in their message log.

There has been increased public scrutiny of WPA's security recently, so
I am curious to see if anyone is attempting replay attacks in the wild.

ok deraadt

Fix length checks in EAPOL key frame parsing.
Problem reported by Ilja Van Sprundel.
ok tb@ kevlo@

branches: 1.28.4;
Fix some DPRINTFs I just added to ieee80211_pae_input.c.
No fnuctional change.

Fix a bug allowing a man-in-the-middle attack against WPA wireless clients.
A malicious AP could trick clients into connecting to the malicious AP
instead of the desired AP. All frames would then be sent in the clear.
This problem was found and reported by Mathy Vanhoef who also provided
an initial patch which we improved together.

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@

branches: 1.25.2; 1.25.6;
m_freem() can handle NULL, do not check for this condition beforehands.
ok stsp mpi

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@

unifdef some more INET. v4 4life.

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg

remove uneeded proc.h includes
ok mpi@ kspillner@

Fix debug printf, from Nathanael Rensen and chris@.

Fewer <netinet/in_systm.h> !

Collapse m_pullup and m_pullup2 into a single function, as they're
essentially identical; the only difference being that m_pullup2 is
capable of handling mbuf clusters, but called m_pullup for shorter
lengths (!).

testing dlg@ ok claudio@

when receiving the first message of an rsn group key handshake
packet, copy the key out of it properly.

fixes the problem where only broadcast packets like ipv6 router
advertisements were failing decryption and processing, only after a
rekey.

ok damien@

how did i manage to forget that file in my last commit?

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occured in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.

typo, no binary change.

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successfull 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.

do not increment is_rx_eapol_key twice for each frame.
fix a test on the mbuf length and one on the descriptor version.
remove redundant checking of GTK KDE length.

new SHA-256 based AKMPs.

process IGTK KDEs in EAPOL-Key frames and install integrity group keys
if MFP was negotiated with the peer (not possible yet).

Change the way we process EAPOL-Key frames.
Free the mbuf in the ieee80211_eapol_key_input() function.
Do not assume the frame is contiguous, call m_pullup2() if it is not.
We need the frame to be contiguous to process KDEs efficiently in
EAPOL-Key frames (just like we process IEs in management frames).
However, there are drivers like upgt(4) that use m_devget() in the
RX path. m_devget() can return fragmented mbuf chains.
Notice that we should do the same m_pullup2() for management frames.
This will be done later.
Remove the ic_recv_eapol callback.

get rid of the map_ptk()/map_gtk() functions, just inline them
which makes things easier to track.

simplify ieee80211_derive_ptk() prototype.
pass the AKMP so we can support other key derivation functions in the
future.

print the correct value in a debug message.

Drop frames that are received unencrypted when WEP is on or when
WPA is on and RX protection for TA is on.
Keep track of the TX/RX protection for each node when WPA is on.

tested by djm@ (ral+wpa), ckuethe@ (ath-noenc) and krw@ (wpi<->ral+wpa).
hints from bluhm@
has been in snaps for a few days.

pointed out by bluhm@ something like 1 year ago but we did not have
the right infrastructure to fix it properly at that time.

ok deraadt@

s/IEEE80211_DPRINTF/DPRINTF/
automatically prepend __func__ to output.

deobfuscates debug messages a bit.
no binary change unless compiled with IEEE80211_DEBUG.

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.

move processing of EAPOL frames away from ieee80211_{input,output}.c

Make net80211 expose reasons for association failures to userland and have
ifconfig display them in 'scan' output and on the ieee80211 status line if
the failure is applicable to an already selected AP (e.g. wrong WPA key).

This will hopefully reduce the amount of help requests for what often
turn out to be trivial misconfiguration issues that were previously
hard to diagnose without debug mode.

ifconfig must be recompiled with the new ieee80211_ioctl.h to stay in
sync with the kernel. A full 'make build' will do the right thing!

Very helpful input by mpi@ and deraadt@

Remove 'reused group key update received' printfs.
These have served no useful purpose in practice; all reported instances were
legitimate group key retransmissions by the AP, e.g. after laptop suspend.
We fixed KRACK long ago; re-used group key messages are nothing to worry about.

Add comments which document already fixed WPA attack vectors.

Add an entry to dmesg if pairwise WPA keys arrive unexpectedly or if WPA
group keys are being reused. OpenBSD wireless clients will now leave a
trail of such events in their message log.

There has been increased public scrutiny of WPA's security recently, so
I am curious to see if anyone is attempting replay attacks in the wild.

ok deraadt

Fix length checks in EAPOL key frame parsing.
Problem reported by Ilja Van Sprundel.
ok tb@ kevlo@

branches: 1.28.4;
Fix some DPRINTFs I just added to ieee80211_pae_input.c.
No fnuctional change.

Fix a bug allowing a man-in-the-middle attack against WPA wireless clients.
A malicious AP could trick clients into connecting to the malicious AP
instead of the desired AP. All frames would then be sent in the clear.
This problem was found and reported by Mathy Vanhoef who also provided
an initial patch which we improved together.

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@

branches: 1.25.2; 1.25.6;
m_freem() can handle NULL, do not check for this condition beforehands.
ok stsp mpi

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@

unifdef some more INET. v4 4life.

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg

remove uneeded proc.h includes
ok mpi@ kspillner@

Fix debug printf, from Nathanael Rensen and chris@.

Fewer <netinet/in_systm.h> !

Collapse m_pullup and m_pullup2 into a single function, as they're
essentially identical; the only difference being that m_pullup2 is
capable of handling mbuf clusters, but called m_pullup for shorter
lengths (!).

testing dlg@ ok claudio@

when receiving the first message of an rsn group key handshake
packet, copy the key out of it properly.

fixes the problem where only broadcast packets like ipv6 router
advertisements were failing decryption and processing, only after a
rekey.

ok damien@

how did i manage to forget that file in my last commit?

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occured in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.

typo, no binary change.

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successfull 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.

do not increment is_rx_eapol_key twice for each frame.
fix a test on the mbuf length and one on the descriptor version.
remove redundant checking of GTK KDE length.

new SHA-256 based AKMPs.

process IGTK KDEs in EAPOL-Key frames and install integrity group keys
if MFP was negotiated with the peer (not possible yet).

Change the way we process EAPOL-Key frames.
Free the mbuf in the ieee80211_eapol_key_input() function.
Do not assume the frame is contiguous, call m_pullup2() if it is not.
We need the frame to be contiguous to process KDEs efficiently in
EAPOL-Key frames (just like we process IEs in management frames).
However, there are drivers like upgt(4) that use m_devget() in the
RX path. m_devget() can return fragmented mbuf chains.
Notice that we should do the same m_pullup2() for management frames.
This will be done later.
Remove the ic_recv_eapol callback.

get rid of the map_ptk()/map_gtk() functions, just inline them
which makes things easier to track.

simplify ieee80211_derive_ptk() prototype.
pass the AKMP so we can support other key derivation functions in the
future.

print the correct value in a debug message.

Drop frames that are received unencrypted when WEP is on or when
WPA is on and RX protection for TA is on.
Keep track of the TX/RX protection for each node when WPA is on.

tested by djm@ (ral+wpa), ckuethe@ (ath-noenc) and krw@ (wpi<->ral+wpa).
hints from bluhm@
has been in snaps for a few days.

pointed out by bluhm@ something like 1 year ago but we did not have
the right infrastructure to fix it properly at that time.

ok deraadt@

s/IEEE80211_DPRINTF/DPRINTF/
automatically prepend __func__ to output.

deobfuscates debug messages a bit.
no binary change unless compiled with IEEE80211_DEBUG.

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.

move processing of EAPOL frames away from ieee80211_{input,output}.c

Remove 'reused group key update received' printfs.
These have served no useful purpose in practice; all reported instances were
legitimate group key retransmissions by the AP, e.g. after laptop suspend.
We fixed KRACK long ago; re-used group key messages are nothing to worry about.

Add comments which document already fixed WPA attack vectors.

Add an entry to dmesg if pairwise WPA keys arrive unexpectedly or if WPA
group keys are being reused. OpenBSD wireless clients will now leave a
trail of such events in their message log.

There has been increased public scrutiny of WPA's security recently, so
I am curious to see if anyone is attempting replay attacks in the wild.

ok deraadt

Fix length checks in EAPOL key frame parsing.
Problem reported by Ilja Van Sprundel.
ok tb@ kevlo@

branches: 1.28.4;
Fix some DPRINTFs I just added to ieee80211_pae_input.c.
No fnuctional change.

Fix a bug allowing a man-in-the-middle attack against WPA wireless clients.
A malicious AP could trick clients into connecting to the malicious AP
instead of the desired AP. All frames would then be sent in the clear.
This problem was found and reported by Mathy Vanhoef who also provided
an initial patch which we improved together.

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@

branches: 1.25.2; 1.25.6;
m_freem() can handle NULL, do not check for this condition beforehands.
ok stsp mpi

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@

unifdef some more INET. v4 4life.

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg

remove uneeded proc.h includes
ok mpi@ kspillner@

Fix debug printf, from Nathanael Rensen and chris@.

Fewer <netinet/in_systm.h> !

Collapse m_pullup and m_pullup2 into a single function, as they're
essentially identical; the only difference being that m_pullup2 is
capable of handling mbuf clusters, but called m_pullup for shorter
lengths (!).

testing dlg@ ok claudio@

when receiving the first message of an rsn group key handshake
packet, copy the key out of it properly.

fixes the problem where only broadcast packets like ipv6 router
advertisements were failing decryption and processing, only after a
rekey.

ok damien@

how did i manage to forget that file in my last commit?

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occured in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.

typo, no binary change.

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successfull 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.

do not increment is_rx_eapol_key twice for each frame.
fix a test on the mbuf length and one on the descriptor version.
remove redundant checking of GTK KDE length.

new SHA-256 based AKMPs.

process IGTK KDEs in EAPOL-Key frames and install integrity group keys
if MFP was negotiated with the peer (not possible yet).

Change the way we process EAPOL-Key frames.
Free the mbuf in the ieee80211_eapol_key_input() function.
Do not assume the frame is contiguous, call m_pullup2() if it is not.
We need the frame to be contiguous to process KDEs efficiently in
EAPOL-Key frames (just like we process IEs in management frames).
However, there are drivers like upgt(4) that use m_devget() in the
RX path. m_devget() can return fragmented mbuf chains.
Notice that we should do the same m_pullup2() for management frames.
This will be done later.
Remove the ic_recv_eapol callback.

get rid of the map_ptk()/map_gtk() functions, just inline them
which makes things easier to track.

simplify ieee80211_derive_ptk() prototype.
pass the AKMP so we can support other key derivation functions in the
future.

print the correct value in a debug message.

Drop frames that are received unencrypted when WEP is on or when
WPA is on and RX protection for TA is on.
Keep track of the TX/RX protection for each node when WPA is on.

tested by djm@ (ral+wpa), ckuethe@ (ath-noenc) and krw@ (wpi<->ral+wpa).
hints from bluhm@
has been in snaps for a few days.

pointed out by bluhm@ something like 1 year ago but we did not have
the right infrastructure to fix it properly at that time.

ok deraadt@

s/IEEE80211_DPRINTF/DPRINTF/
automatically prepend __func__ to output.

deobfuscates debug messages a bit.
no binary change unless compiled with IEEE80211_DEBUG.

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.

move processing of EAPOL frames away from ieee80211_{input,output}.c

Add comments which document already fixed WPA attack vectors.

Add an entry to dmesg if pairwise WPA keys arrive unexpectedly or if WPA
group keys are being reused. OpenBSD wireless clients will now leave a
trail of such events in their message log.

There has been increased public scrutiny of WPA's security recently, so
I am curious to see if anyone is attempting replay attacks in the wild.

ok deraadt

Fix length checks in EAPOL key frame parsing.
Problem reported by Ilja Van Sprundel.
ok tb@ kevlo@

branches: 1.28.4;
Fix some DPRINTFs I just added to ieee80211_pae_input.c.
No fnuctional change.

Fix a bug allowing a man-in-the-middle attack against WPA wireless clients.
A malicious AP could trick clients into connecting to the malicious AP
instead of the desired AP. All frames would then be sent in the clear.
This problem was found and reported by Mathy Vanhoef who also provided
an initial patch which we improved together.

Remove global counters from struct ieee80211com which track the number of
associated nodes with particular properties: 11b-only ("non-ERP") nodes,
nodes requiring long slot time, nodes using WPA, nodes not supporting 11n,
nodes currently dozing in powersave state, and nodes with a pending group
key update confirmation.

These counters weren't properly maintained.
There are bugs in the stack where these counters and actual node properties
got out of sync. This is exposed by panics which are supposed to help us
catch such bugs. But these panics don't provide real clues.

Instead of maintaining global counters forcing us to hunt refcounting bugs,
count nodes with the property in question on demand, by iterating over all
nodes and checking their state.
This is cheap since we'll never have more than 100 nodes cached, and none of
the cases where we need such information is in a performance critical path.

Prevents panics in hostap mode reported by Lauri Tirkkonen on bugs@ last
year (https://marc.info/?l=openbsd-bugs&m=147513817930489&w=2) and also
encountered by my 11n APs ("panic: bogus non-HT station count 0").

tested by Lauri, tb@, and myself
ok mpi@ tb@

branches: 1.25.2; 1.25.6;
m_freem() can handle NULL, do not check for this condition beforehands.
ok stsp mpi

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@

unifdef some more INET. v4 4life.

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg

remove uneeded proc.h includes
ok mpi@ kspillner@

Fix debug printf, from Nathanael Rensen and chris@.

Fewer <netinet/in_systm.h> !

Collapse m_pullup and m_pullup2 into a single function, as they're
essentially identical; the only difference being that m_pullup2 is
capable of handling mbuf clusters, but called m_pullup for shorter
lengths (!).

testing dlg@ ok claudio@

when receiving the first message of an rsn group key handshake
packet, copy the key out of it properly.

fixes the problem where only broadcast packets like ipv6 router
advertisements were failing decryption and processing, only after a
rekey.

ok damien@

how did i manage to forget that file in my last commit?

Add some initial HT bits (not enabled yet) based on 802.11n Draft 7.01:
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing

Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP

Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occured in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)

Did some code cleanup too.

The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.

Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.

typo, no binary change.

Initial implementation of PMKSA caching and pre-authentication.
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successfull 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.

Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.

introduce new IEEE80211_STA_ONLY kernel option that can be set to
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.

do not increment is_rx_eapol_key twice for each frame.
fix a test on the mbuf length and one on the descriptor version.
remove redundant checking of GTK KDE length.

new SHA-256 based AKMPs.

process IGTK KDEs in EAPOL-Key frames and install integrity group keys
if MFP was negotiated with the peer (not possible yet).

Change the way we process EAPOL-Key frames.
Free the mbuf in the ieee80211_eapol_key_input() function.
Do not assume the frame is contiguous, call m_pullup2() if it is not.
We need the frame to be contiguous to process KDEs efficiently in
EAPOL-Key frames (just like we process IEs in management frames).
However, there are drivers like upgt(4) that use m_devget() in the
RX path. m_devget() can return fragmented mbuf chains.
Notice that we should do the same m_pullup2() for management frames.
This will be done later.
Remove the ic_recv_eapol callback.

get rid of the map_ptk()/map_gtk() functions, just inline them
which makes things easier to track.

simplify ieee80211_derive_ptk() prototype.
pass the AKMP so we can support other key derivation functions in the
future.

print the correct value in a debug message.

Drop frames that are received unencrypted when WEP is on or when
WPA is on and RX protection for TA is on.
Keep track of the TX/RX protection for each node when WPA is on.

tested by djm@ (ral+wpa), ckuethe@ (ath-noenc) and krw@ (wpi<->ral+wpa).
hints from bluhm@
has been in snaps for a few days.

pointed out by bluhm@ something like 1 year ago but we did not have
the right infrastructure to fix it properly at that time.

ok deraadt@

s/IEEE80211_DPRINTF/DPRINTF/
automatically prepend __func__ to output.

deobfuscates debug messages a bit.
no binary change unless compiled with IEEE80211_DEBUG.

add ieee80211_priv.h file: contains definitions private to net80211.
this must not be included by drivers.

move processing of EAPOL frames away from ieee80211_{input,output}.c