Fix CCMP replay check with 11n Rx aggregation and CCMP hardware offloading.

So far, drivers using hardware CCMP decryption were expected to keep the
most recently seen CCMP packet number (PN) up-to-date, and to discard frames
with lower PNs as replays.

A-MPDU subframes may legitimately arrive out of order, and the drivers skipped
CCMP replay checking for such frames. Re-ordering happens in ieee80211_inputm(),
after the driver is done with a frame. Drivers cannot tell replayed frames
apart from legitimate out-of-order retransmissions.

To fix this, update the PN value in ieee80211_inputm() after subframes have
been reordered into their proper sequence. Drivers still perform replay checks
but they no longer have to worry about updating the last seen PN value.

The 802.11 spec confirms that replay checking is supposed to happen after
A-MPDU re-ordering.

Tested by jmc@, benno@, solene@, and myself with the following drivers:
athn(4), iwn(4), iwm(4), wpi(4), urtwn(4)

ok solene@

M_LEADINGSPACE() and M_TRAILINGSPACE() are just wrappers for
m_leadingspace() and m_trailingspace(). Convert all callers to call
directly the functions and remove the defines.
OK krw@, mpi@

Switch 802.11 crypto over to the new AES

OK stsp@

Use explicit_bzero() to wipe out key material and add some sizes to free().

ok stsp

No need to include <net/if_arp.h>

This header is only needed because <netinet/if_ether.h> declares a
structure that needs it. But it turns out that <net/if.h> already
includes it as workaround.

A proper solution would be to stop declarting "struct ether_arp"
there. But no driver should need this header.

Fix CCMP (WPA2) in preparation for 11n. This code didn't handle QoS
frames correctly but QoS frames are required for 11n A-MPDU aggregation
and 11n STAs are required to use CCMP instead of WEP or TKIP ciphers.

The QoS bit in FC0 is part of AAD (additional authentication data) but
was being masked unconditionally.
The FC1 order bit is masked to 0 in AAD if a data frame contains a QoS
control field but this code was looking for HT control fields instead.

Add an XXX comment about another bit which must be set if SPP (signaling
and payload protected) A-MSDUs are supported. Neither Linux nor FreeBSD
seem to set this bit, and we don't support SPP A-MSDUs yet so a comment
seems good enough for now.

ok deraadt mpi kettenis guenther
helpful hints from mikeb

m_freem() can handle NULL, do not check for this condition beforehands.
ok stsp mpi

unifdef some more INET. v4 4life.

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.

Remove unneeded include.

ok deraadt@

Passing M_WAITOK to mbuf functions is supposed to be a contract between
the caller and the function that the function will not fail to allocate
memory and return a NULL pointer. However, m_dup_pkthdr() violates
this contract, making it possible for functions that pass M_WAITOK to
be surprised in ways that hurt.

Fix this by passing the wait flag all the way down the functions that
actually do the allocation for m_dup_pkthdr() so that we won't be
surprised.

man page update forthcoming

ok claudio@

Switch some obvious network stack MAC comparisons from bcmp() to
timingsafe_bcmp().

ok deraadt@; committed over WPA.

do not call m_free(n0) followed by m_freem(n0) when m_dup_pkthdr()
call fails. this double-free was introduced with the M_DUP_PKTHRD
to m_dup_pkthdr change that got committed before I had a chance to
review it.

M_DUP_PKTHDR() define -> m_dup_pkthdr() function to properly deal
with m_tag_copy_chain() failures.

Use m_defrag() to eliminate hand rolled defragging of mbufs and
some uses of M_DUP_PKTHDR().

Original diff from thib@, claudio@'s feedback integrated by me.

Tests kevlo@ claudio@, "reads ok" blambert@

ok thib@ claudio@, "m_defrag() bits ok" kettenis@

typos in comments - no binary change.

Add some inline functions to test the presence of optional 802.11
header fields (Sequence Control, Address 4, QoS Control, +HTC) and
use them where appropriate.

Add ieee80211_get_qos() inline function to extract the QoS control
field of an 802.11 header instead of duplicating the same scary
code everywhere (the location of this field depends on the presence
of an Address 4 field).

Export ieee80211_up_to_ac() so that drivers can select the access
category to use based on the TID subfield of the QoS Control field.

Define more QoS-related bits for the RSN Capabilities field of RSN IE
(will be used later).

in a near future, unicast management frames will be encrypted/decrypted
using CCMP. use the right replay counter in this case.

maintain a count of TKIP and CCMP replayed frames.
some cleanup while i'm here.

retrieve the TID from QoS frames to use with the appropriate
replay counter.

use MINCLSIZE to decide wether we need to allocate an mbuf cluster instead
of MLEM, damien ok

properly handle management frames (required for future work).
remove useless #includes.

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@

M_LEADINGSPACE() and M_TRAILINGSPACE() are just wrappers for
m_leadingspace() and m_trailingspace(). Convert all callers to call
directly the functions and remove the defines.
OK krw@, mpi@

Switch 802.11 crypto over to the new AES

OK stsp@

Use explicit_bzero() to wipe out key material and add some sizes to free().

ok stsp

No need to include <net/if_arp.h>

This header is only needed because <netinet/if_ether.h> declares a
structure that needs it. But it turns out that <net/if.h> already
includes it as workaround.

A proper solution would be to stop declarting "struct ether_arp"
there. But no driver should need this header.

Fix CCMP (WPA2) in preparation for 11n. This code didn't handle QoS
frames correctly but QoS frames are required for 11n A-MPDU aggregation
and 11n STAs are required to use CCMP instead of WEP or TKIP ciphers.

The QoS bit in FC0 is part of AAD (additional authentication data) but
was being masked unconditionally.
The FC1 order bit is masked to 0 in AAD if a data frame contains a QoS
control field but this code was looking for HT control fields instead.

Add an XXX comment about another bit which must be set if SPP (signaling
and payload protected) A-MSDUs are supported. Neither Linux nor FreeBSD
seem to set this bit, and we don't support SPP A-MSDUs yet so a comment
seems good enough for now.

ok deraadt mpi kettenis guenther
helpful hints from mikeb

m_freem() can handle NULL, do not check for this condition beforehands.
ok stsp mpi

unifdef some more INET. v4 4life.

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.

Remove unneeded include.

ok deraadt@

Passing M_WAITOK to mbuf functions is supposed to be a contract between
the caller and the function that the function will not fail to allocate
memory and return a NULL pointer. However, m_dup_pkthdr() violates
this contract, making it possible for functions that pass M_WAITOK to
be surprised in ways that hurt.

Fix this by passing the wait flag all the way down the functions that
actually do the allocation for m_dup_pkthdr() so that we won't be
surprised.

man page update forthcoming

ok claudio@

Switch some obvious network stack MAC comparisons from bcmp() to
timingsafe_bcmp().

ok deraadt@; committed over WPA.

do not call m_free(n0) followed by m_freem(n0) when m_dup_pkthdr()
call fails. this double-free was introduced with the M_DUP_PKTHRD
to m_dup_pkthdr change that got committed before I had a chance to
review it.

M_DUP_PKTHDR() define -> m_dup_pkthdr() function to properly deal
with m_tag_copy_chain() failures.

Use m_defrag() to eliminate hand rolled defragging of mbufs and
some uses of M_DUP_PKTHDR().

Original diff from thib@, claudio@'s feedback integrated by me.

Tests kevlo@ claudio@, "reads ok" blambert@

ok thib@ claudio@, "m_defrag() bits ok" kettenis@

typos in comments - no binary change.

Add some inline functions to test the presence of optional 802.11
header fields (Sequence Control, Address 4, QoS Control, +HTC) and
use them where appropriate.

Add ieee80211_get_qos() inline function to extract the QoS control
field of an 802.11 header instead of duplicating the same scary
code everywhere (the location of this field depends on the presence
of an Address 4 field).

Export ieee80211_up_to_ac() so that drivers can select the access
category to use based on the TID subfield of the QoS Control field.

Define more QoS-related bits for the RSN Capabilities field of RSN IE
(will be used later).

in a near future, unicast management frames will be encrypted/decrypted
using CCMP. use the right replay counter in this case.

maintain a count of TKIP and CCMP replayed frames.
some cleanup while i'm here.

retrieve the TID from QoS frames to use with the appropriate
replay counter.

use MINCLSIZE to decide wether we need to allocate an mbuf cluster instead
of MLEM, damien ok

properly handle management frames (required for future work).
remove useless #includes.

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@

Switch 802.11 crypto over to the new AES

OK stsp@

Use explicit_bzero() to wipe out key material and add some sizes to free().

ok stsp

No need to include <net/if_arp.h>

This header is only needed because <netinet/if_ether.h> declares a
structure that needs it. But it turns out that <net/if.h> already
includes it as workaround.

A proper solution would be to stop declarting "struct ether_arp"
there. But no driver should need this header.

Fix CCMP (WPA2) in preparation for 11n. This code didn't handle QoS
frames correctly but QoS frames are required for 11n A-MPDU aggregation
and 11n STAs are required to use CCMP instead of WEP or TKIP ciphers.

The QoS bit in FC0 is part of AAD (additional authentication data) but
was being masked unconditionally.
The FC1 order bit is masked to 0 in AAD if a data frame contains a QoS
control field but this code was looking for HT control fields instead.

Add an XXX comment about another bit which must be set if SPP (signaling
and payload protected) A-MSDUs are supported. Neither Linux nor FreeBSD
seem to set this bit, and we don't support SPP A-MSDUs yet so a comment
seems good enough for now.

ok deraadt mpi kettenis guenther
helpful hints from mikeb

m_freem() can handle NULL, do not check for this condition beforehands.
ok stsp mpi

unifdef some more INET. v4 4life.

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.

Remove unneeded include.

ok deraadt@

Passing M_WAITOK to mbuf functions is supposed to be a contract between
the caller and the function that the function will not fail to allocate
memory and return a NULL pointer. However, m_dup_pkthdr() violates
this contract, making it possible for functions that pass M_WAITOK to
be surprised in ways that hurt.

Fix this by passing the wait flag all the way down the functions that
actually do the allocation for m_dup_pkthdr() so that we won't be
surprised.

man page update forthcoming

ok claudio@

Switch some obvious network stack MAC comparisons from bcmp() to
timingsafe_bcmp().

ok deraadt@; committed over WPA.

do not call m_free(n0) followed by m_freem(n0) when m_dup_pkthdr()
call fails. this double-free was introduced with the M_DUP_PKTHRD
to m_dup_pkthdr change that got committed before I had a chance to
review it.

M_DUP_PKTHDR() define -> m_dup_pkthdr() function to properly deal
with m_tag_copy_chain() failures.

Use m_defrag() to eliminate hand rolled defragging of mbufs and
some uses of M_DUP_PKTHDR().

Original diff from thib@, claudio@'s feedback integrated by me.

Tests kevlo@ claudio@, "reads ok" blambert@

ok thib@ claudio@, "m_defrag() bits ok" kettenis@

typos in comments - no binary change.

Add some inline functions to test the presence of optional 802.11
header fields (Sequence Control, Address 4, QoS Control, +HTC) and
use them where appropriate.

Add ieee80211_get_qos() inline function to extract the QoS control
field of an 802.11 header instead of duplicating the same scary
code everywhere (the location of this field depends on the presence
of an Address 4 field).

Export ieee80211_up_to_ac() so that drivers can select the access
category to use based on the TID subfield of the QoS Control field.

Define more QoS-related bits for the RSN Capabilities field of RSN IE
(will be used later).

in a near future, unicast management frames will be encrypted/decrypted
using CCMP. use the right replay counter in this case.

maintain a count of TKIP and CCMP replayed frames.
some cleanup while i'm here.

retrieve the TID from QoS frames to use with the appropriate
replay counter.

use MINCLSIZE to decide wether we need to allocate an mbuf cluster instead
of MLEM, damien ok

properly handle management frames (required for future work).
remove useless #includes.

Kernel implementation of the 4-way handshake and group-key
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.

Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.

This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.

In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.

The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)

The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher

wpa-psk(8) can be used to generate keys from passphrases.

tested by many@
ok deraadt@