IEEE802.11n does not allow TKIP/WEP as pairwise cipher in HT mode.
Connect in non-ht mode if either of these ciphers is cofigured as
pairwise.
Signed-off-by: Vasanthakumar Thiagarajan <[email protected]>
---
net/mac80211/ieee80211_i.h | 1 +
net/mac80211/mlme.c | 9 ++++++++-
net/mac80211/wext.c | 5 ++++-
3 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
index a7dabae..5d78d2e 100644
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -314,6 +314,7 @@ struct ieee80211_if_sta {
unsigned int auth_algs; /* bitfield of allowed auth algs */
int auth_alg; /* currently used IEEE 802.11 authentication algorithm */
int auth_transaction;
+ u32 ucast_cipher;
unsigned long ibss_join_req;
struct sk_buff *probe_resp; /* ProbeResp template for IBSS */
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index 829cdf8..8a8c48c 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -391,10 +391,17 @@ static void ieee80211_send_assoc(struct ieee80211_sub_if_data *sdata,
}
/* wmm support is a must to HT */
+ /*
+ * IEEE802.11n does not allow TKIP/WEP as pairwise
+ * ciphers in HT mode. Connect in non-ht mode if any
+ * one of these ciphers is configured as pairwise.
+ */
if (wmm && (ifsta->flags & IEEE80211_STA_WMM_ENABLED) &&
sband->ht_cap.ht_supported &&
(ht_ie = ieee80211_bss_get_ie(bss, WLAN_EID_HT_INFORMATION)) &&
- ht_ie[1] >= sizeof(struct ieee80211_ht_info)) {
+ ht_ie[1] >= sizeof(struct ieee80211_ht_info) &&
+ (ifsta->ucast_cipher & (IW_AUTH_CIPHER_NONE |
+ IW_AUTH_CIPHER_CCMP))) {
struct ieee80211_ht_info *ht_info =
(struct ieee80211_ht_info *)(ht_ie + 2);
u16 cap = sband->ht_cap.cap;
diff --git a/net/mac80211/wext.c b/net/mac80211/wext.c
index 1542804..385b322 100644
--- a/net/mac80211/wext.c
+++ b/net/mac80211/wext.c
@@ -873,12 +873,15 @@ static int ieee80211_ioctl_siwauth(struct net_device *dev,
switch (data->flags & IW_AUTH_INDEX) {
case IW_AUTH_WPA_VERSION:
- case IW_AUTH_CIPHER_PAIRWISE:
case IW_AUTH_CIPHER_GROUP:
case IW_AUTH_WPA_ENABLED:
case IW_AUTH_RX_UNENCRYPTED_EAPOL:
case IW_AUTH_KEY_MGMT:
break;
+ case IW_AUTH_CIPHER_PAIRWISE:
+ if (sdata->vif.type == NL80211_IFTYPE_STATION)
+ sdata->u.sta.ucast_cipher = data->value;
+ break;
case IW_AUTH_DROP_UNENCRYPTED:
sdata->drop_unencrypted = !!data->value;
break;
--
1.5.5.1
On Fri, 2008-12-19 at 18:40 +0530, Vasanthakumar Thiagarajan wrote:
> IEEE802.11n does not allow TKIP/WEP as pairwise cipher in HT mode.
> Connect in non-ht mode if either of these ciphers is cofigured as
> pairwise.
>
> Signed-off-by: Vasanthakumar Thiagarajan <[email protected]>
> ---
> net/mac80211/ieee80211_i.h | 1 +
> net/mac80211/mlme.c | 9 ++++++++-
> net/mac80211/wext.c | 5 ++++-
> 3 files changed, 13 insertions(+), 2 deletions(-)
Needs to touch cfg.c too, I think? I'd also prefer to avoid using the
wext constants throughout mac80211.
johannes
On Fri, Dec 19, 2008 at 04:56:16PM +0200, Jouni Malinen wrote:
> On Fri, Dec 19, 2008 at 09:28:22AM -0500, John W. Linville wrote:
> > Are there perhaps any broken APs out there that support such a
> > configuration? I would hate to prevent users from connecting simply
> > out of blind obedience to the standard.
>
> The goal of this change is _not_ to prevent connection, it only disables
> HT association, i.e., legacy (11a/g/b) is still available.
It was pointed-out to me that allowing TKIP/HT connections exposes
the user to unnecessary security risks as well.
Please resubmit with a changelog that a) makes it clear that
connections are still possible, just not HT; and b) "TKIP is not
updated to new security needs (e.g., related to some block ack details)
since it is not allowed mode, i.e., those extensions are only defined
for CCMP" (quoted from Jouni).
John
--
John W. Linville Linux should be at the core
[email protected] of your literate lifestyle.
On Fri, Dec 19, 2008 at 08:03:34PM +0530, Vasanthakumar Thiagarajan wrote:
> John W. Linville wrote:
> > On Fri, Dec 19, 2008 at 06:40:35PM +0530, Vasanthakumar Thiagarajan wrote:
> >> IEEE802.11n does not allow TKIP/WEP as pairwise cipher in HT mode.
> >> Connect in non-ht mode if either of these ciphers is cofigured as
> >> pairwise.
> >>
> >> Signed-off-by: Vasanthakumar Thiagarajan <[email protected]>
> >
> > Are there perhaps any broken APs out there that support such a
> > configuration? I would hate to prevent users from connecting simply
> > out of blind obedience to the standard.
>
> This particular configuration is not allowed in the latest 11n draft (7.0).
> Yes, we have quite a few AP's around which support this configuration.
Honestly, as a STA I would rather violate the standard and connect
to the coffee shop's broken/misconfigured pre-draft7 .11n AP than stand
on principle and have to fall back on my cell phone's data plan or sip
my latte in internet silence... :-)
John
--
John W. Linville Linux should be at the core
[email protected] of your literate lifestyle.
On Fri, Dec 19, 2008 at 06:47:34PM +0530, Johannes Berg wrote:
> On Fri, 2008-12-19 at 18:40 +0530, Vasanthakumar Thiagarajan wrote:
> > IEEE802.11n does not allow TKIP/WEP as pairwise cipher in HT mode.
> > Connect in non-ht mode if either of these ciphers is cofigured as
> > pairwise.
> > net/mac80211/ieee80211_i.h | 1 +
> > net/mac80211/mlme.c | 9 ++++++++-
> > net/mac80211/wext.c | 5 ++++-
> > 3 files changed, 13 insertions(+), 2 deletions(-)
>
> Needs to touch cfg.c too, I think?
I think you are referring to populating ucast_cipher in
add_key() hook in cfg.c but we need the pairwise cipher before
starting the association in HT mode.
>I'd also prefer to avoid using the
> wext constants throughout mac80211.
ok.
>
> johannes
Thanks for your comments.
Vasanth
John W. Linville wrote:
> On Fri, Dec 19, 2008 at 08:03:34PM +0530, Vasanthakumar Thiagarajan wrote:
>
>> John W. Linville wrote:
>>
>>> On Fri, Dec 19, 2008 at 06:40:35PM +0530, Vasanthakumar Thiagarajan wrote:
>>>
>>>> IEEE802.11n does not allow TKIP/WEP as pairwise cipher in HT mode.
>>>> Connect in non-ht mode if either of these ciphers is cofigured as
>>>> pairwise.
>>>>
>>>> Signed-off-by: Vasanthakumar Thiagarajan <[email protected]>
>>>>
>>> Are there perhaps any broken APs out there that support such a
>>> configuration? I would hate to prevent users from connecting simply
>>> out of blind obedience to the standard.
>>>
>> This particular configuration is not allowed in the latest 11n draft (7.0).
>> Yes, we have quite a few AP's around which support this configuration.
>>
>
> Honestly, as a STA I would rather violate the standard and connect
> to the coffee shop's broken/misconfigured pre-draft7 .11n AP than stand
> on principle and have to fall back on my cell phone's data plan or sip
> my latte in internet silence... :-)
>
>
ACKED-BY: Rick Farina
I think as a station we should support connecting to the AP unless it is
against the law. If you want to stand on principle in master or IBSS
then that is fair, but please give the stations a bit more wiggle room.
thanks,
Rick Farina
> John
>
John W. Linville wrote:
> On Fri, Dec 19, 2008 at 06:40:35PM +0530, Vasanthakumar Thiagarajan wrote:
>> IEEE802.11n does not allow TKIP/WEP as pairwise cipher in HT mode.
>> Connect in non-ht mode if either of these ciphers is cofigured as
>> pairwise.
>>
>> Signed-off-by: Vasanthakumar Thiagarajan <[email protected]>
>
> Are there perhaps any broken APs out there that support such a
> configuration? I would hate to prevent users from connecting simply
> out of blind obedience to the standard.
This particular configuration is not allowed in the latest 11n draft (7.0).
Yes, we have quite a few AP's around which support this configuration.
Vasanth
On Fri, Dec 19, 2008 at 09:28:22AM -0500, John W. Linville wrote:
> Are there perhaps any broken APs out there that support such a
> configuration? I would hate to prevent users from connecting simply
> out of blind obedience to the standard.
The goal of this change is _not_ to prevent connection, it only disables
HT association, i.e., legacy (11a/g/b) is still available.
--
Jouni Malinen PGP id EFC895FA
On Fri, Dec 19, 2008 at 06:40:35PM +0530, Vasanthakumar Thiagarajan wrote:
> IEEE802.11n does not allow TKIP/WEP as pairwise cipher in HT mode.
> Connect in non-ht mode if either of these ciphers is cofigured as
> pairwise.
>
> Signed-off-by: Vasanthakumar Thiagarajan <[email protected]>
Are there perhaps any broken APs out there that support such a
configuration? I would hate to prevent users from connecting simply
out of blind obedience to the standard.
John
--
John W. Linville Linux should be at the core
[email protected] of your literate lifestyle.