Date: Tue, 29 Apr 2025 11:41:38 GMT
Message-Id: <202504291141.53TBfcFw045768@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: "Bjoern A. Zeeb"
Subject: git: caebab19e711 - stable/14 - net80211: add a new field specifically for announcing specific ciphers
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
X-BeenThere: dev-commits-src-branches@freebsd.org
Sender: owner-dev-commits-src-branches@FreeBSD.org
X-Git-Committer: bz
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: caebab19e711d0f5c12070ae4c2b74d2d13d5cb3
Auto-Submitted: auto-generated

The branch stable/14 has been updated by bz:

URL: https://cgit.FreeBSD.org/src/commit/?id=caebab19e711d0f5c12070ae4c2b74d2d13d5cb3

commit caebab19e711d0f5c12070ae4c2b74d2d13d5cb3
Author:     Adrian Chadd
AuthorDate: 2024-04-17 01:53:52 +0000
Commit:     Bjoern A. Zeeb
CommitDate: 2025-04-29 10:49:28 +0000

    net80211: add a new field specifically for announcing specific ciphers

    This dates way, way back with the original net80211 support w/ atheros
    chips. The earliest chip (AR5210) had limitations supporting software
    encryption. It only had the four WEP slots, and not any keycache
    entries. So when trying to do CCMP/TKIP, encryption would be enabled
    and the key slots would have nothing useful in them, resulting in
    garbage encryption/decryption.

    I changed this back in 2012 to disable supporting hardware WEP for
    AR5210 so if_ath(4) / net80211 crypto is all done in software and yes,
    I could do CCMP/TKIP on AR5210 in software.

    Fast-forward to newer-ish hardware - the Qualcomm 11ac hardware. Those
    also don't support pass-through keycache slots! Well, the hardware does
    at that layer, but then there's a whole offload data path encap/decap
    layer that's turning the frames from raw wifi into ethernet frames
    (for "dumb" AP behaviours) or "wifi direct" frames (ie, "windows".)
    This hides a bunch of header frame contents required for doing the
    software encryption / decryption path. But then if you enable the raw
    transmit/receive frame format it ALSO bypasses the hardware
    encryption/decryption engine!

    So for those NICs:

    * If you want to do encryption, you can only use the firmware
      supported ciphers w/ wifi direct or ethernet;
    * If you want to use software encrypt/decrypt, you MUST disable all
      encryption and instead use 100% software encryption.

    The wpa_supplicant bsd driver code has a specific comment about this
    and flips on supporting WEP/TKIP/CCMP, which is understandable but it
    doesn't fix the ACTUAL intention of all of this stuff.

    So:

    * create a new field, ic_sw_cryptocaps
    * populate it with the default supported set of ciphers for net80211
      (right now wep, tkip, ccmp)
    * Communicate the combination of both ic_sw_cryptocaps and
      ic_cryptocaps to wpa_supplicant via the relevant devcap ioctl.
    * Update manpage.

    I'll follow this up with a driver_bsd.c change in wpa_supplicant to
    trust this again, and then start adding the other cipher support
    there.

    Differential Revision: https://reviews.freebsd.org/D44820

    Adjusted for MFC by moving the new field to a spare.

    Sponsored by:   The FreeBSD Foundation

    (cherry picked from commit 1116e8b95c601ddaac2feb4ab0904f77801a520f)

--- share/man/man9/ieee80211.9 | 4 +++- sys/net80211/ieee80211_crypto.c | 12 ++++++++++++ sys/net80211/ieee80211_ioctl.c | 6 +++++- sys/net80211/ieee80211_ioctl.h | 4 ++-- sys/net80211/ieee80211_var.h | 8 ++++++-- 5 files changed, 28 insertions(+), 6 deletions(-) diff --git a/share/man/man9/ieee80211.9 b/share/man/man9/ieee80211.9 index 100b4e7540a5..40c8c243a77c 100644 --- a/share/man/man9/ieee80211.9 +++ b/share/man/man9/ieee80211.9 @@ -25,7 +25,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd January 26, 2021 +.Dd April 24, 2024 .Dt IEEE80211 9 .Os .Sh NAME
@@ -514,6 +514,8 @@ General capabilities are specified by .Vt ic_caps . Hardware cryptographic capabilities are specified by .Vt ic_cryptocaps . +Software cryptographic capabilities are specified by +.Vt ic_sw_cryptocaps . 802.11n capabilities, if any, are specified by .Vt ic_htcaps . The diff --git a/sys/net80211/ieee80211_crypto.c b/sys/net80211/ieee80211_crypto.c index bb7a612ac36c..fef63390c27b 100644 --- a/sys/net80211/ieee80211_crypto.c +++ b/sys/net80211/ieee80211_crypto.c @@ -142,6 +142,18 @@ ieee80211_crypto_attach(struct ieee80211com *ic) { /* NB: we assume everything is pre-zero'd */ ciphers[IEEE80211_CIPHER_NONE] = &ieee80211_cipher_none; + + /* + * Default set of net80211 supported ciphers. + * + * These are the default set that all drivers are expected to + * support, either/or in hardware and software. + * + * Drivers can add their own support to this and the + * hardware cipher list (ic_cryptocaps.) + */ + ic->ic_sw_cryptocaps = IEEE80211_CRYPTO_WEP | + IEEE80211_CRYPTO_TKIP | IEEE80211_CRYPTO_AES_CCM; } /* diff --git a/sys/net80211/ieee80211_ioctl.c b/sys/net80211/ieee80211_ioctl.c index 8432bf4bcbfd..3b57e7d8cd8e 100644 --- a/sys/net80211/ieee80211_ioctl.c +++ b/sys/net80211/ieee80211_ioctl.c @@ -709,7 +709,11 @@ ieee80211_ioctl_getdevcaps(struct ieee80211com *ic, if (dc == NULL) return ENOMEM; dc->dc_drivercaps = ic->ic_caps; - dc->dc_cryptocaps = ic->ic_cryptocaps; + /* + * Announce the set of both hardware and software supported + * ciphers. + */ + dc->dc_cryptocaps = ic->ic_cryptocaps | ic->ic_sw_cryptocaps; dc->dc_htcaps = ic->ic_htcaps; dc->dc_vhtcaps = ic->ic_vht_cap.vht_cap_info; ci = &dc->dc_chaninfo; diff --git a/sys/net80211/ieee80211_ioctl.h b/sys/net80211/ieee80211_ioctl.h index 58080025b5a9..18152495c499 100644 --- a/sys/net80211/ieee80211_ioctl.h +++ b/sys/net80211/ieee80211_ioctl.h 
@@ -551,13 +551,13 @@ struct ieee80211_regdomain_req { IEEE80211_REGDOMAIN_SIZE((_req)->chaninfo.ic_nchans) /* - * Get driver capabilities. Driver, hardware crypto, and + * Get driver capabilities. Driver, hardware/software crypto, and * HT/802.11n capabilities, and a table that describes what * the radio can do. */ struct ieee80211_devcaps_req { uint32_t dc_drivercaps; /* general driver caps */ - uint32_t dc_cryptocaps; /* hardware crypto support */ + uint32_t dc_cryptocaps; /* software + hardware crypto support */ uint32_t dc_htcaps; /* HT/802.11n support */ uint32_t dc_vhtcaps; /* VHT/802.11ac capabilities */ struct ieee80211req_chaninfo dc_chaninfo; diff --git a/sys/net80211/ieee80211_var.h b/sys/net80211/ieee80211_var.h index 3e7ad7942de7..dd6737aedb66 100644 --- a/sys/net80211/ieee80211_var.h +++ b/sys/net80211/ieee80211_var.h @@ -163,7 +163,7 @@ struct ieee80211com { uint32_t ic_caps; /* capabilities */ uint32_t ic_htcaps; /* HT capabilities */ uint32_t ic_htextcaps; /* HT extended capabilities */ - uint32_t ic_cryptocaps; /* crypto capabilities */ + uint32_t ic_cryptocaps; /* hardware crypto caps */ /* set of mode capabilities */ uint8_t ic_modecaps[IEEE80211_MODE_BYTES]; uint8_t ic_promisc; /* vap's needing promisc mode */ @@ -375,7 +375,11 @@ struct ieee80211com { void (*ic_update_chw)(struct ieee80211com *); const struct debugnet80211_methods *ic_debugnet_meth; - uint64_t ic_spare[7]; + /* driver-supported software crypto caps */ + uint32_t ic_sw_cryptocaps; + + uint32_t ic_spare1; + uint64_t ic_spare[6]; }; struct ieee80211_aclator;
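Review bot: the ieee80211(9) hunk at @@ -514,6 +514,8 @@ names ic_sw_cryptocaps next to ic_cryptocaps but says nothing about what a driver author needs to know: that net80211 itself seeds the field with WEP, TKIP and CCMP in ieee80211_crypto_attach(), that the devcaps ioctl (ieee80211_ioctl_getdevcaps()) reports the union of the two fields, and that a driver which cannot run a cipher in software must clear the corresponding bit rather than add one. A sentence after "Software cryptographic capabilities are specified by .Vt ic_sw_cryptocaps ." covering the default and the union would make the manpage sufficient on its own.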
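Review bot: in the ieee80211_crypto.c hunk, `ic->ic_sw_cryptocaps = IEEE80211_CRYPTO_WEP | IEEE80211_CRYPTO_TKIP | IEEE80211_CRYPTO_AES_CCM;` is an unconditional store inside ieee80211_crypto_attach(), so any value a driver puts in the field before attach (the way ic_cryptocaps is normally filled in) is overwritten; drivers can only adjust ic_sw_cryptocaps after attach has run. The comment above it says drivers "can add their own support to this" but not when, and it does not cover the opposite case that motivates the commit: the offload NICs described in the message cannot do software crypto at all and need to clear these bits, not add to them. Say in the comment that the field is reset here to the net80211 default and must be modified after attach, or, if the "pre-zero'd" assumption two lines up is meant to apply, use `|=` so an early driver setting survives (that still would not let a driver remove a default cipher, so the first fix is the safer one).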
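Review bot: in the ieee80211_ioctl.c hunk, `dc->dc_cryptocaps = ic->ic_cryptocaps | ic->ic_sw_cryptocaps;` drops the hardware/software distinction from the userland interface, and since ieee80211_crypto_attach() now seeds ic_sw_cryptocaps with WEP|TKIP|CCMP for every ieee80211com, every device reports at least those three ciphers regardless of what the driver can actually do. For the offload NICs the commit message describes, that over-reports unless the driver clears ic_sw_cryptocaps; nothing in this patch shows such a driver-side opt-out. A consumer that used dc_cryptocaps to decide whether a cipher is offloaded (for example to avoid software TKIP on a slow CPU) can no longer tell, and recovering the split later would mean a new field in struct ieee80211_devcaps_req, i.e. an ABI change; the header comment should state plainly that the split is not recoverable from this ioctl.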
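Review bot: in the ieee80211_var.h hunk at @@ -375,7 +375,11 @@, replacing `uint64_t ic_spare[7];` with `uint32_t ic_sw_cryptocaps;`, `uint32_t ic_spare1;` and `uint64_t ic_spare[6];` keeps struct ieee80211com at the same size only because the two naturally aligned uint32_t fields fill exactly one of the former 8-byte slots with no padding before the 8-byte-aligned ic_spare[], so the stable/14 KBI is preserved; that reasoning is not written down anywhere in the hunk. Add a one-line comment on ic_spare1 saying it is the unused half of the consumed spare slot and must be paired with a uint32_t if it is ever taken, since the name is easy to confuse with ic_spare and a future MFC that drops a uint64_t into its place would silently shift the remaining spares.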