[PATCH] carl9170: connect to 11w protected networks

[PATCH] carl9170: connect to 11w protected networks

[Christian Lamparter]

Previously, it was not possible to connect to
networks which requires 11w to be supported by
the stations.

While the documentation hints that there's some
hardware support for offloading MFP "decryption",
this simple implementation relies on the mac80211
stack to do the actual crypto operations.

Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
---
 drivers/net/wireless/ath/carl9170/mac.c  |    3 ++-
 drivers/net/wireless/ath/carl9170/main.c |    2 ++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/ath/carl9170/mac.c b/drivers/net/wireless/ath/carl9170/mac.c
index f867628..e3b1b6e 100644
--- a/drivers/net/wireless/ath/carl9170/mac.c
+++ b/drivers/net/wireless/ath/carl9170/mac.c
@@ -304,7 +304,8 @@ int carl9170_set_operating_mode(struct ar9170 *ar)
 	struct ath_common *common = &ar->common;
 	u8 *mac_addr, *bssid;
 	u32 cam_mode = AR9170_MAC_CAM_DEFAULTS;
-	u32 enc_mode = AR9170_MAC_ENCRYPTION_DEFAULTS;
+	u32 enc_mode = AR9170_MAC_ENCRYPTION_DEFAULTS |
+		AR9170_MAC_ENCRYPTION_MGMT_RX_SOFTWARE;
 	u32 rx_ctrl = AR9170_MAC_RX_CTRL_DEAGG |
 		      AR9170_MAC_RX_CTRL_SHORT_FILTER;
 	u32 sniffer = AR9170_MAC_SNIFFER_DEFAULTS;
diff --git a/drivers/net/wireless/ath/carl9170/main.c b/drivers/net/wireless/ath/carl9170/main.c
index 18554ab..50c2949 100644
--- a/drivers/net/wireless/ath/carl9170/main.c
+++ b/drivers/net/wireless/ath/carl9170/main.c
@@ -1149,6 +1149,7 @@ static int carl9170_op_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd,
 		break;
 	case WLAN_CIPHER_SUITE_CCMP:
 		ktype = AR9170_ENC_ALG_AESCCMP;
+		key->flags |= IEEE80211_KEY_FLAG_SW_MGMT;
 		break;
 	default:
 		return -EOPNOTSUPP;
@@ -1780,6 +1781,7 @@ void *carl9170_alloc(size_t priv_size)
 	hw->wiphy->interface_modes = 0;
 
 	hw->flags |= IEEE80211_HW_RX_INCLUDES_FCS |
+		     IEEE80211_HW_MFP_CAPABLE |
 		     IEEE80211_HW_REPORTS_TX_ACK_STATUS |
 		     IEEE80211_HW_SUPPORTS_PS |
 		     IEEE80211_HW_PS_NULLFUNC_STACK |
-- 
1.7.10.4

Re: [PATCH] carl9170: connect to 11w protected networks

[Johannes Berg]

On Sun, 2012-09-02 at 14:25 +0200, Christian Lamparter wrote:
> Previously, it was not possible to connect to
> networks which requires 11w to be supported by
> the stations.
> 
> While the documentation hints that there's some
> hardware support for offloading MFP "decryption",
> this simple implementation relies on the mac80211
> stack to do the actual crypto operations.

Maybe we need to clarify the documentation...

The problem with MFP is that now unicast management frames are encrypted
with CCMP. If the device has HW crypto on RX or TX, it may not implement
it correctly due to the different header munging needed for management
frames over data frames.

You should verify that unicast management frames are properly encrypted
and decrypted by the hardware (or punted to software on RX like you do
on TX). The danger is that the hardware corrupts CCMP encrypted RX mgmt
frames and software can't recover.

johannes

Re: [PATCH] carl9170: connect to 11w protected networks

[Christian Lamparter]

On Sunday 02 September 2012 23:48:23 Johannes Berg wrote:
> On Sun, 2012-09-02 at 14:25 +0200, Christian Lamparter wrote:
> > Previously, it was not possible to connect to
> > networks which requires 11w to be supported by
> > the stations.
> > 
> > While the documentation hints that there's some
> > hardware support for offloading MFP "decryption",
> > this simple implementation relies on the mac80211
> > stack to do the actual crypto operations.
> 
> Maybe we need to clarify the documentation...

Something like a special section about converting
drivers of legacy devices like this one, or more
general?

> The problem with MFP is that now unicast management frames are encrypted
> with CCMP. If the device has HW crypto on RX or TX, it may not implement
> it correctly due to the different header munging needed for management
> frames over data frames.

understood.

> You should verify that unicast management frames are properly encrypted
> and decrypted by the hardware (or punted to software on RX like you do
> on TX). The danger is that the hardware corrupts CCMP encrypted RX mgmt
> frames and software can't recover.
At least for AR9170, there's a bit which tells the
hardware not do decrypt any management frames: 
	AR9170_MAC_ENCRYPTION_MGMT_RX_SOFTWARE

Of course, this 'very' patch sets it. Also,
in case of carl9170, it was easy to verify as
the device can easily establish BA sessions with
the 11w ap and the action mgmt frames are
properly encrypted on both sides.

Regards,
	Chr

Re: [PATCH] carl9170: connect to 11w protected networks

[Johannes Berg]

On Mon, 2012-09-03 at 00:53 +0200, Christian Lamparter wrote:
> > > While the documentation hints that there's some
> > > hardware support for offloading MFP "decryption",
> > > this simple implementation relies on the mac80211
> > > stack to do the actual crypto operations.
> > 
> > Maybe we need to clarify the documentation...
> 
> Something like a special section about converting
> drivers of legacy devices like this one, or more
> general?

Sorry, I got confused. I was thinking of clarifying the *mac80211*
documentation about why the flag exists and what the caveats are that I
described below.

> > You should verify that unicast management frames are properly encrypted
> > and decrypted by the hardware (or punted to software on RX like you do
> > on TX). The danger is that the hardware corrupts CCMP encrypted RX mgmt
> > frames and software can't recover.

> At least for AR9170, there's a bit which tells the
> hardware not do decrypt any management frames: 
> 	AR9170_MAC_ENCRYPTION_MGMT_RX_SOFTWARE
> 
> Of course, this 'very' patch sets it. Also,
> in case of carl9170, it was easy to verify as
> the device can easily establish BA sessions with
> the 11w ap and the action mgmt frames are
> properly encrypted on both sides.

Ok, cool! Just making sure ... :-)

johannes