From nobody Thu May 09 00:49:41 2024 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4VZYLs69P1z5K5Y0; Thu, 09 May 2024 00:49:41 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4VZYLs5Bphz4mn3; Thu, 9 May 2024 00:49:41 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1715215781; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=RDm/C8WK8nsQTGXzAXUClBpn7+AuqJ94H4R0TkHck6Y=; b=EROKi/zMnbuopD3ex3cmPkphtlfJ/aJeXATFUqPnVSkrsMTQ216/+kOgCqVwWMZ8kifL4W aLXsXng0ZzR1vuDYXvQSLjQ46VXHzve9kZpSmOZbzoCMElAn+USXOYZCq6ovXrjcKZlTvD B9WQ1uKB4jxHu7rPBQ415n3gFfOY55vDH+ps77zXS4Qqnb6Msv41jTVjFJE/JJOJTRdXOw mX+JS0ZXjeIo4h1pJHSYSe9t63tIuz+mN/fwaH6/S3Eg4eAoz7kCtptHPoBaE9KpFmSefp QlxvCgI3eJIyZWVFfLq9R/uRPvucwEUZPn90n3FvYtr951iYjrsHpX9Y2i7nAg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1715215781; a=rsa-sha256; cv=none; b=Xq8uBOK3c/qbVxs6WODJwweQ0oN3ChurIWnO9OKg3H+VUiMe0gLpaLk4nOqmhZrBv6NStI MB8V9U6BQB8jHbm00PfMC/p7XBkwfvUu5cH+8h77G4SjWq8MzU+QsG9u45FGM4z8bu4jBq LSwzwyynYgJMb7kBo13fYdjMePbgnmjOkQJJVjpOhn8rOJfsCy3Wb9VLOEhEGf1fi8x2Pr PFiFRZ5JSpSJ9LTAINgNIohJIXHl/Y/Oaok6MNAFJpKpMAVSPqTBIH/sHYvWPETpFBpCSg cBPTNHuMhSADgtC6dfznN8sGz1mton9YCbewT78UcAWVIUjel0RCLHgIazLL5A== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1715215781; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=RDm/C8WK8nsQTGXzAXUClBpn7+AuqJ94H4R0TkHck6Y=; b=sRedUOWT95Ht6a+HCK5WoweuB79bRMG7ABL/e0csXxBb7034231WzoTdH6nvAQ7MC3+rCm cjdPfA7mUqzE0tFnGWbS/r5dEyK5+A696HoTVmPRfufBUXHZWde05udz7wKVofMMKx/FZG G92WerC3fMnAM0avoLg9FWr5A3ynWABVcDPT8beLxldJ6qVzwq9V3mHqd2MTPwV2m3OR9P d3UWfZBvxRn49Cw5918V+CDM4lZjzLBfeNAOqgyvib0T1bjF4byDRVsgZCDy77RKsNOY5u 1mhBVAH9REp5qq5Vx5+av26Sc14shJUIOqWqoodo+e6ORnoLuCQTx1arHdF5uQ== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4VZYLs4p4pzn6L; Thu, 9 May 2024 00:49:41 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 4490nfok063538; Thu, 9 May 2024 00:49:41 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 4490nffH063535; Thu, 9 May 2024 00:49:41 GMT (envelope-from git) Date: Thu, 9 May 2024 00:49:41 GMT Message-Id: <202405090049.4490nffH063535@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Adrian Chadd Subject: git: 1116e8b95c60 - main - net80211: add a new field specifically for announcing specific ciphers List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: adrian X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 1116e8b95c601ddaac2feb4ab0904f77801a520f Auto-Submitted: auto-generated The branch main has been updated by adrian: URL: https://cgit.FreeBSD.org/src/commit/?id=1116e8b95c601ddaac2feb4ab0904f77801a520f commit 1116e8b95c601ddaac2feb4ab0904f77801a520f Author: Adrian Chadd AuthorDate: 2024-04-17 01:53:52 +0000 Commit: Adrian Chadd CommitDate: 2024-05-09 00:48:40 +0000 net80211: add a new field specifically for announcing specific ciphers This dates way, way back with the original net80211 support w/ atheros chips. The earliest chip (AR5210) had limitations supporting software encryption. It only had the four WEP slots, and not any keycache entries. So when trying to do CCMP/TKIP encryption would be enabled and the key slots would have nothing useful in them, resulting in garbage encryption/decryption. I changed this back in 2012 to disable supporting hardware WEP for AR5210 so if_ath(4) / net80211 crypto is all done in software and yes, I could do CCMP/TKIP on AR5210 in software. Fast-forward to newer-ish hardware - the Qualcomm 11ac hardware. Those also don't support pass-through keycache slots! Well, the hardware does at that layer, but then there's a whole offload data path encap/decap layer that's turning the frames from raw wifi into ethernet frames (for "dumb" AP behaviours) or "wifi direct" frames (ie, "windows".) This hides a bunch of header frame contents required for doing the software encryption / decryption path. But then if you enable the raw transmit/receive frame format it ALSO bypasses the hardware encryption/decryption engine! So for those NICs: * If you want to do encryption, you can only use the firmware supported ciphers w/ wifi direct or ethernet; * If you want to use software encrypt/decrypt, you MUST disable all encryption and instead use 100% software encryption. The wpa_supplicant bsd driver code has a specific comment about this and flips on supporting WEP/TKIP/CCMP, which is understandable but it doesn't fix the ACTUAL intention of all of this stuff. So: * create a new field, ic_sw_cryptocaps * populate it with the default supported set of ciphers for net80211 (right now wep, tkip, ccmp) * Communicate the combination of both ic_sw_cryptocaps and ic_cryptocaps to wpa_supplicant via the relevant devcap ioctl. * Update manpage. I'll follow this up with a driver_bsd.c change in wpa_supplicant to trust this again, and then start adding the other cipher support there. Differential Revision: https://reviews.freebsd.org/D44820 --- share/man/man9/ieee80211.9 | 4 +++- sys/net80211/ieee80211_crypto.c | 12 ++++++++++++ sys/net80211/ieee80211_ioctl.c | 6 +++++- sys/net80211/ieee80211_ioctl.h | 4 ++-- sys/net80211/ieee80211_var.h | 4 +++- 5 files changed, 25 insertions(+), 5 deletions(-) diff --git a/share/man/man9/ieee80211.9 b/share/man/man9/ieee80211.9 index 100b4e7540a5..40c8c243a77c 100644 --- a/share/man/man9/ieee80211.9 +++ b/share/man/man9/ieee80211.9 @@ -25,7 +25,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd January 26, 2021 +.Dd April 24, 2024 .Dt IEEE80211 9 .Os .Sh NAME @@ -514,6 +514,8 @@ General capabilities are specified by .Vt ic_caps . Hardware cryptographic capabilities are specified by .Vt ic_cryptocaps . +Software cryptographic capabilities are specified by +.Vt ic_sw_cryptocaps . 802.11n capabilities, if any, are specified by .Vt ic_htcaps . The diff --git a/sys/net80211/ieee80211_crypto.c b/sys/net80211/ieee80211_crypto.c index 6a1182b52480..ff78600e2f0e 100644 --- a/sys/net80211/ieee80211_crypto.c +++ b/sys/net80211/ieee80211_crypto.c @@ -142,6 +142,18 @@ ieee80211_crypto_attach(struct ieee80211com *ic) { /* NB: we assume everything is pre-zero'd */ ciphers[IEEE80211_CIPHER_NONE] = &ieee80211_cipher_none; + + /* + * Default set of net80211 supported ciphers. + * + * These are the default set that all drivers are expected to + * support, either/or in hardware and software. + * + * Drivers can add their own support to this and the + * hardware cipher list (ic_cryptocaps.) + */ + ic->ic_sw_cryptocaps = IEEE80211_CRYPTO_WEP | + IEEE80211_CRYPTO_TKIP | IEEE80211_CRYPTO_AES_CCM; } /* diff --git a/sys/net80211/ieee80211_ioctl.c b/sys/net80211/ieee80211_ioctl.c index d5b242b679d0..c0ba19b5db89 100644 --- a/sys/net80211/ieee80211_ioctl.c +++ b/sys/net80211/ieee80211_ioctl.c @@ -709,7 +709,11 @@ ieee80211_ioctl_getdevcaps(struct ieee80211com *ic, if (dc == NULL) return ENOMEM; dc->dc_drivercaps = ic->ic_caps; - dc->dc_cryptocaps = ic->ic_cryptocaps; + /* + * Announce the set of both hardware and software supported + * ciphers. + */ + dc->dc_cryptocaps = ic->ic_cryptocaps | ic->ic_sw_cryptocaps; dc->dc_htcaps = ic->ic_htcaps; dc->dc_vhtcaps = ic->ic_vht_cap.vht_cap_info; ci = &dc->dc_chaninfo; diff --git a/sys/net80211/ieee80211_ioctl.h b/sys/net80211/ieee80211_ioctl.h index 58080025b5a9..18152495c499 100644 --- a/sys/net80211/ieee80211_ioctl.h +++ b/sys/net80211/ieee80211_ioctl.h @@ -551,13 +551,13 @@ struct ieee80211_regdomain_req { IEEE80211_REGDOMAIN_SIZE((_req)->chaninfo.ic_nchans) /* - * Get driver capabilities. Driver, hardware crypto, and + * Get driver capabilities. Driver, hardware/software crypto, and * HT/802.11n capabilities, and a table that describes what * the radio can do. */ struct ieee80211_devcaps_req { uint32_t dc_drivercaps; /* general driver caps */ - uint32_t dc_cryptocaps; /* hardware crypto support */ + uint32_t dc_cryptocaps; /* software + hardware crypto support */ uint32_t dc_htcaps; /* HT/802.11n support */ uint32_t dc_vhtcaps; /* VHT/802.11ac capabilities */ struct ieee80211req_chaninfo dc_chaninfo; diff --git a/sys/net80211/ieee80211_var.h b/sys/net80211/ieee80211_var.h index 4c9cdcbfccd9..2c13113b92a1 100644 --- a/sys/net80211/ieee80211_var.h +++ b/sys/net80211/ieee80211_var.h @@ -163,7 +163,9 @@ struct ieee80211com { uint32_t ic_caps; /* capabilities */ uint32_t ic_htcaps; /* HT capabilities */ uint32_t ic_htextcaps; /* HT extended capabilities */ - uint32_t ic_cryptocaps; /* crypto capabilities */ + /* driver-supported software crypto caps */ + uint32_t ic_sw_cryptocaps; + uint32_t ic_cryptocaps; /* hardware crypto caps */ /* set of mode capabilities */ uint8_t ic_modecaps[IEEE80211_MODE_BYTES]; uint8_t ic_promisc; /* vap's needing promisc mode */