Re: [PATCH] ath5k: add support of HW encryption in management frames

[Jouni Malinen <j@w1.fi>]

On Wed, Sep 05, 2012 at 03:31:08PM +0800, Yeoh Chun-Yeow wrote:
> I am based on the authsae source code for secured mesh setup which can
> be found at:
> https://github.com/cozybit/authsae/blob/master/linux/meshd-nl80211.c

It looks like this particular implementation is hardcoded to use MFP..

> > Any pointers to the specific standard clause(s) that say that?
> I have not gone through the standard on this.

.. while the standard does not actually have such requirement as far as
I can tell. I have nothing against adding support for MFP in general,
but just wanted to understand where this assumed requirement came from.

So yes, if you want to enable support for MFP, you cannot do it unless
the driver is able to handle both CCMP and BIP protection for robust
management frames. In case of ath5k, I would assume there are two
options:
- only enable MFP if software encryption is used for all frames (i.e.,
  no hwaccel even for data frames)
- implement workaround to re-encrypt(incorrectly) received robust
  unicast management frames if hwaccel for CCMP was configured for the
  transmitting STA (this is to undo the incorrect decryption done by the
  hardware) and then pass the encrypted frame to mac80211 for software
  decryption; with this option, you could advertise MFP support even
  with CCMP hwaccel enabled

-- 
Jouni Malinen                                            PGP id EFC895FA