Date: Thu, 13 Mar 2025 00:14:22 GMT
Message-Id: <202503130014.52D0EMj9064092@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Adrian Chadd
Subject: git: 70dc8e5e7f5c - main - net80211: add AES-GCM to the hostap logic
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all

The branch main has been updated by adrian:

URL: https://cgit.FreeBSD.org/src/commit/?id=70dc8e5e7f5cfdb393d38d8a0304590f1196dfda

commit 70dc8e5e7f5cfdb393d38d8a0304590f1196dfda
Author:     Adrian Chadd
AuthorDate: 2025-03-01 04:33:40 +0000
Commit:     Adrian Chadd
CommitDate: 2025-03-13 00:02:43 +0000

    net80211: add AES-GCM to the hostap logic

    This is currently an untested diff set for implementing the AES-GCM
    negotiation in hostap mode.

    * Decode the AES-GCM-128 cipher in the RSN field;
    * Add AES-GCM as the first cipher to check when deciding the
      unicast cipher type;
    * Refactor out the "can we do HT A-MPDU + this cipher" check
      for the unicast cipher; and
    * .. add AES-GCM-128 to the allowable ciphers.

    I haven't tested this yet to make sure I haven't broken the hostapd
    path, nor that it actually DOES negotiate AES-GCM-128.

    Differential Revision: https://reviews.freebsd.org/D49189
---
 sys/net80211/ieee80211_hostap.c | 42 ++++++++++++++++++++++++++++++++++++-----
 1 file changed, 37 insertions(+), 5 deletions(-)

diff --git a/sys/net80211/ieee80211_hostap.c b/sys/net80211/ieee80211_hostap.c index 76c419f5bdf8..c9e2c4896f15 100644 --- a/sys/net80211/ieee80211_hostap.c +++ b/sys/net80211/ieee80211_hostap.c
@@ -1206,6 +1206,7 @@ wpa_cipher(const uint8_t *sel, uint8_t *keylen, uint8_t *cipher) case WPA_SEL(WPA_CSE_CCMP): *cipher = IEEE80211_CIPHER_AES_CCM; break; + /* Note: no GCM cipher in the legacy WPA1 OUI */ default: return (EINVAL); } @@ -1384,6 +1385,9 @@ rsn_cipher(const uint8_t *sel, uint8_t *keylen, uint8_t *cipher) case RSN_SEL(RSN_CSE_WRAP): *cipher = IEEE80211_CIPHER_AES_OCB; break; + case RSN_SEL(RSN_CSE_GCMP_128): + *cipher = IEEE80211_CIPHER_AES_GCM_128; + break; default: return (EINVAL); } @@ -1496,8 +1500,10 @@ ieee80211_parse_rsn(struct ieee80211vap *vap, const uint8_t *frm, frm += 4, len -= 4; } - if (w & (1 << IEEE80211_CIPHER_AES_CCM)) - rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; + if (w & (1 << IEEE80211_CIPHER_AES_GCM_128)) + rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_GCM_128; + else if (w & (1 << IEEE80211_CIPHER_AES_CCM)) + rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM; else if (w & (1 << IEEE80211_CIPHER_AES_OCB)) rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_OCB; else if (w & (1 << IEEE80211_CIPHER_TKIP)) @@ -1756,6 +1762,29 @@ is11bclient(const uint8_t *rates, const uint8_t *xrates) return 1; } +/** + * Check if the given cipher is valid for 802.11 HT operation. + * + * The 802.11 specification only allows HT A-MPDU to be performed + * on CCMP / GCMP encrypted frames. The WEP/TKIP hardware crypto + * implementations may not meet the timing required for A-MPDU + * operation. + * + * @param cipher the IEEE80211_CIPHER_ value to check + * @returns true if the cipher is valid for HT A-MPDU, false otherwise + */ +static bool +hostapd_validate_cipher_for_ht_ampdu(uint8_t cipher) +{ + switch (cipher) { + case IEEE80211_CIPHER_AES_CCM: + case IEEE80211_CIPHER_AES_GCM_128: + return true; + default: + return false; + } +} + static void hostap_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0, int subtype, const struct ieee80211_rx_stats *rxs, int rssi, int nf) 
@@ -2222,13 +2251,16 @@ hostap_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0, #endif /* * Allow AMPDU operation only with unencrypted traffic - * or AES-CCM; the 11n spec only specifies these ciphers - * so permitting any others is undefined and can lead + * or AES-CCM / AES-GCM; the 802.11n spec only specifies these + * ciphers so permitting any others is undefined and can lead * to interoperability problems. + * + * TODO: before landing, find exactly where in 802.11-2020 this + * is called out! */ if ((ni->ni_flags & IEEE80211_NODE_HT) && (((vap->iv_flags & IEEE80211_F_WPA) && - rsnparms.rsn_ucastcipher != IEEE80211_CIPHER_AES_CCM) || + !hostapd_validate_cipher_for_ht_ampdu(rsnparms.rsn_ucastcipher)) || (vap->iv_flags & (IEEE80211_F_WPA|IEEE80211_F_PRIVACY)) == IEEE80211_F_PRIVACY)) { IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC | IEEE80211_MSG_11N, ni,
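Review bot: in the ieee80211_parse_rsn() hunk (@@ -1496,8 +1500,10 @@), the new first branch selects IEEE80211_CIPHER_AES_GCM_128 whenever the station's advertised set `w` has that bit, and nothing in the visible lines checks that this vap is configured for GCMP-128 or that the driver can do it. If that filtering does not happen elsewhere, mask `w` against the vap's enabled unicast ciphers before this if/else chain so a station cannot end up with a cipher the AP never offered. Putting GCM-128 ahead of CCM is also a change in preference order for every station that advertises both; a one-line comment above the chain stating the intended order would help, given the commit message says the negotiation has not been tested.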
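Review bot: in the hunk adding hostapd_validate_cipher_for_ht_ampdu() (@@ -1756,6 +1762,29 @@), the `hostapd_` prefix does not match the `hostap_` prefix used by the neighbouring hostap_recv_mgmt() in the same file and reads as a reference to the userland daemon; suggest `hostap_` or a name without the prefix. The doc comment also gives a different rationale from the call site: here it says WEP/TKIP hardware crypto "may not meet the timing required for A-MPDU", while the comment in hostap_recv_mgmt() says the spec only specifies these ciphers. Pick one justification and use it in both places, and say "HT A-MPDU operation" in the first line of the comment rather than "802.11 HT operation", since the function only gates A-MPDU.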
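Review bot: in the hostap_recv_mgmt() hunk (@@ -2222,13 +2251,16 @@), the added comment carries "TODO: before landing, find exactly where in 802.11-2020 this is called out!" into the tree, so the stated precondition for landing is unmet in this commit. Either cite the clause or reword it as an open question without the "before landing" wording. The same comment now refers to both "the 802.11n spec" and "802.11-2020"; name one document. The condition itself still only runs the cipher check when IEEE80211_F_WPA is set, so the helper returning false for anything other than CCM and GCM-128 does not affect unencrypted stations, which matches the comment.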