Return-path: Received: from he.sipsolutions.net ([78.46.109.217]:41784 "EHLO sipsolutions.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753443Ab2IDQxw (ORCPT ); Tue, 4 Sep 2012 12:53:52 -0400 Message-ID: <1346777666.3737.38.camel@jlt4.sipsolutions.net> (sfid-20120904_185355_873918_EDCB7DF3) Subject: Re: [PATCH] ath5k: add support of HW encryption in management frames From: Johannes Berg To: Yeoh Chun-Yeow Cc: Jouni Malinen , linux-wireless@vger.kernel.org, jirislaby@gmail.com, mickflemm@gmail.com, mcgrof@qca.qualcomm.com, ath5k-devel@venema.h4ckr.net Date: Tue, 04 Sep 2012 18:54:26 +0200 In-Reply-To: (sfid-20120904_184120_528116_7894DA18) References: <1346146446-628-1-git-send-email-yeohchunyeow@gmail.com> <1346746298.3737.0.camel@jlt4.sipsolutions.net> <20120904102204.GA2541@w1.fi> <1346758521.3737.28.camel@jlt4.sipsolutions.net> (sfid-20120904_184120_528116_7894DA18) Content-Type: text/plain; charset="UTF-8" Mime-Version: 1.0 Sender: linux-wireless-owner@vger.kernel.org List-ID: Hi, > > I would guess that hardware *decryption* is faulty, maybe only one > > action frame needs to be correct and so if one of them is nohwcrypt=1 it > > still works? > Yes, you are correct. Case 3 is working only accidentally not always > if the mesh node loaded with nohwcrypt=1 is reboot. So, with following > case is also not working. > > mesh1: ath5k loaded without nohwcrypt=1 (with > IEEE80211_KEY_FLAG_SW_MGMT enabled) > mesh2: ath5k loaded without nohwcrypt=1 (with > IEEE80211_KEY_FLAG_SW_MGMT enabled) > > Can we conclude that unicast data frames get processed in hardware and > robust unicast management frames get processed in software for CCMP > are not working. I'm sure robust management frames in software *are* working, but obviously the KEY_FLAG_SW_MGMT only affects transmit, not receive, so receiving may still be broken. > By the way, current secured mesh requires the AES CMAC to be enabled. > But without enabling IEEE80211_HW_MFP_CAPABLE, the key cannot be added > since this cipher suite is considered not supported. But actually AES > CMAC can be done in software. Any work around on this? Well, that's a separate question. Of course we could enable it, but what would the point be? You don't have CCM for management frames right now, so CMAC is pretty useless? And if you had CCM for management frames, say with the things discussed in the p54 thread, then you could just enable both, right? johannes