Date: Tue, 8 Apr 2025 01:35:29 GMT
Message-Id: <202504080135.5381ZTPl071306@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Adrian Chadd
Subject: git: 1751bf9e58dd - main - net80211: fail setting a key if the cipher isn't HW/SW supported
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-BeenThere: dev-commits-src-main@freebsd.org
Sender: owner-dev-commits-src-main@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: adrian
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 1751bf9e58ddc41f3cde013ebe7cc6bcfc17eb56
Auto-Submitted: auto-generated

The branch main has been updated by adrian:

URL: https://cgit.FreeBSD.org/src/commit/?id=1751bf9e58ddc41f3cde013ebe7cc6bcfc17eb56

commit 1751bf9e58ddc41f3cde013ebe7cc6bcfc17eb56
Author:     Adrian Chadd
AuthorDate: 2025-03-17 03:16:06 +0000
Commit:     Adrian Chadd
CommitDate: 2025-04-08 01:35:22 +0000

net80211: fail setting a key if the cipher isn't HW/SW supported

The key alloc path was checking if the key was supported in
hardware but treated /all/ keys as supported in software.

As I discovered during my ath10k port, not all NICs that support
ciphers in hardware support enough of an 802.11 frame transmit/receive
path to actually handle software encryption.

So, do a second check after the hardware encryption check to see
if it's in the software list and hard fail it if it isn't in there.

Otherwise a fun failure mode occurs - the frames are marked as
protected, but since there's no GCMP support setup/enabled,
they just get marked as "protected" but they don't go through
the encryption path, and the receiver dutifully tosses them
as invalid.

I've verified this by trying to use GCMP in wpa_supplicant with
a NIC that doesn't announce GCMP HW/SW encryption, and now it
actually fails.

Differential Revision: https://reviews.freebsd.org/D49393 Reviewed by: bz --- sys/net80211/ieee80211_crypto.c | 15 +++++++++++++++ sys/net80211/ieee80211_ioctl.h | 1 + 2 files changed, 16 insertions(+) diff --git a/sys/net80211/ieee80211_crypto.c b/sys/net80211/ieee80211_crypto.c index 84cf1d02e408..6b636da9fa2c 100644 --- a/sys/net80211/ieee80211_crypto.c +++ b/sys/net80211/ieee80211_crypto.c @@ -397,6 +397,21 @@ ieee80211_crypto_newkey(struct ieee80211vap *vap, __func__, cip->ic_name); flags |= IEEE80211_KEY_SWCRYPT; } + /* + * Check if the software cipher is available; if not then + * fail it early. + * + * Some devices do not support all ciphers in software + * (for example they don't support a "raw" data path.) + */ + if ((flags & IEEE80211_KEY_SWCRYPT) && + (ic->ic_sw_cryptocaps & (1<ic_name); + vap->iv_stats.is_crypto_swcipherfail++; + return (0); + } /* * Hardware TKIP with software MIC is an important * combination; we handle it by flagging each key, diff --git a/sys/net80211/ieee80211_ioctl.h b/sys/net80211/ieee80211_ioctl.h index 6064f586c923..d542d75312b9 100644 --- a/sys/net80211/ieee80211_ioctl.h +++ b/sys/net80211/ieee80211_ioctl.h @@ -259,6 +259,7 @@ struct ieee80211_stats { uint32_t is_rx_gcmpmic; /* rx MIC check failed (GCMP) */ uint32_t is_crypto_gcmp_nomem; /* gcmp crypto failed; no mem */ uint32_t is_crypto_gcmp_nospc; /* gcmp crypto failed; no mbuf space */ + uint32_t is_crypto_swcipherfail; /* no support for SW cipher */ uint32_t is_spare[5]; };
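Review bot: In the ieee80211_crypto.c hunk the new software-cipher test is gated on IEEE80211_KEY_SWCRYPT alone and sits ahead of the "Hardware TKIP with software MIC" handling visible in the trailing context, so a key that ends up in that combination is never compared against ic_sw_cryptocaps. If a device without a "raw" data path cannot run the software MIC either, that case needs the same capability test and the same is_crypto_swcipherfail bump before returning 0; if it is deliberately exempt, a sentence in the new comment saying why would save the next reader the question.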
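Review bot: In the ieee80211_ioctl.h hunk the new is_crypto_swcipherfail counter is added in front of is_spare[5] while the spare array keeps all five slots, so struct ieee80211_stats grows by one uint32_t. Because the structure lives in the ioctl header, either take the slot out of the spare array (uint32_t is_spare[4];) so the size stays the same, or say in the commit message that the size change is intended and that consumers of the structure need rebuilding.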