* [PATCH] cfg80211: Allow non-zero indexes for device specific pair-wise ciphers
@ 2011-01-25 10:21 juuso.oikarinen
  2011-01-25 10:27 ` Johannes Berg
  2011-01-25 10:28 ` Johannes Berg
  0 siblings, 2 replies; 6+ messages in thread
From: juuso.oikarinen @ 2011-01-25 10:21 UTC (permalink / raw)
  To: linville; +Cc: linux-wireless

From: Juuso Oikarinen <juuso.oikarinen@nokia.com>

Some vendor specific cipher suites require non-zero key indexes for pairwise
keys, but as of currently, the cfg80211 does not allow it.

As validating the cipher parameters for vendor specific cipher suites is the
job of the driver or hardware/firmware, change the cfg80211 to allow also
non-zero pairwise key indexes for vendor specific ciphers.

Signed-off-by: Juuso Oikarinen <juuso.oikarinen@nokia.com>
---
 net/wireless/util.c |   11 +++++++----
 1 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/net/wireless/util.c b/net/wireless/util.c
index 4ed065d..6a750bc 100644
--- a/net/wireless/util.c
+++ b/net/wireless/util.c
@@ -167,12 +167,15 @@ int cfg80211_validate_key_settings(struct cfg80211_registered_device *rdev,
 
 	/*
 	 * Disallow pairwise keys with non-zero index unless it's WEP
-	 * (because current deployments use pairwise WEP keys with
-	 * non-zero indizes but 802.11i clearly specifies to use zero)
+	 * or a vendor specific cipher (because current deployments use
+	 * pairwise WEP keys with non-zero indices and for vendor specific
+	 * ciphers this should be validated in the driver or hardware level
+	 * - but 802.11i clearly specifies to use zero)
 	 */
 	if (pairwise && key_idx &&
-	    params->cipher != WLAN_CIPHER_SUITE_WEP40 &&
-	    params->cipher != WLAN_CIPHER_SUITE_WEP104)
+	    ((params->cipher == WLAN_CIPHER_SUITE_TKIP) ||
+	     (params->cipher == WLAN_CIPHER_SUITE_CCMP) ||
+	     (params->cipher == WLAN_CIPHER_SUITE_AES_CMAC)))
 		return -EINVAL;
 
 	switch (params->cipher) {
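
Review bot: the test at `if (pairwise && key_idx &&` changes from an allow-list (every cipher except WEP40/WEP104 is rejected) to a deny-list of TKIP, CCMP and AES_CMAC, so any suite not named there, including ones added to cfg80211 later, accepts a non-zero pairwise index by default. The updated comment says the exemption is for vendor specific ciphers, but nothing in the condition checks that `params->cipher` is vendor specific. Consider keeping the default-reject form and adding an explicit exemption for the suites that need it (for example a test on the OUI part of `params->cipher`), and stating in the comment that a driver advertising such a suite must validate `key_idx` itself, since this function no longer does it for that case.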
-- 
1.7.1



* Re: [PATCH] cfg80211: Allow non-zero indexes for device specific pair-wise ciphers
  2011-01-25 10:21 [PATCH] cfg80211: Allow non-zero indexes for device specific pair-wise ciphers juuso.oikarinen
@ 2011-01-25 10:27 ` Johannes Berg
  2011-01-25 13:47   ` Juuso Oikarinen
  2011-01-25 10:28 ` Johannes Berg
  1 sibling, 1 reply; 6+ messages in thread
From: Johannes Berg @ 2011-01-25 10:27 UTC (permalink / raw)
  To: juuso.oikarinen; +Cc: linville, linux-wireless

On Tue, 2011-01-25 at 12:21 +0200, juuso.oikarinen@nokia.com wrote:
> From: Juuso Oikarinen <juuso.oikarinen@nokia.com>
> 
> Some vendor specific cipher suites require non-zero key indexes for pairwise
> keys, but as of currently, the cfg80211 does not allow it.

Well, technically, that is incorrect -- just adding a vendor-specific
cipher to 802.11-2007 (11i) will uphold that requirement. Using
different mechanisms like WAPI might run afoul of this check... But
technically WAPI could also use CCMP etc. and then you might have to use
non-zero even for CCMP, so this code would again be wrong.

OTOH, I don't really see a good way to capture this in code...

johannes



* Re: [PATCH] cfg80211: Allow non-zero indexes for device specific pair-wise ciphers
  2011-01-25 10:21 [PATCH] cfg80211: Allow non-zero indexes for device specific pair-wise ciphers juuso.oikarinen
  2011-01-25 10:27 ` Johannes Berg
@ 2011-01-25 10:28 ` Johannes Berg
  2011-01-25 10:38   ` Juuso Oikarinen
  1 sibling, 1 reply; 6+ messages in thread
From: Johannes Berg @ 2011-01-25 10:28 UTC (permalink / raw)
  To: juuso.oikarinen; +Cc: linville, linux-wireless

On Tue, 2011-01-25 at 12:21 +0200, juuso.oikarinen@nokia.com wrote:
> From: Juuso Oikarinen <juuso.oikarinen@nokia.com>
> 
> Some vendor specific cipher suites require non-zero key indexes for pairwise
> keys, but as of currently, the cfg80211 does not allow it.

Hmm, also -- does this mean that WAPI might use multiple pairwise keys?
That's most definitely not supported at all in mac80211.

johannes



* Re: [PATCH] cfg80211: Allow non-zero indexes for device specific pair-wise ciphers
  2011-01-25 10:28 ` Johannes Berg
@ 2011-01-25 10:38   ` Juuso Oikarinen
  0 siblings, 0 replies; 6+ messages in thread
From: Juuso Oikarinen @ 2011-01-25 10:38 UTC (permalink / raw)
  To: ext Johannes Berg; +Cc: linville, linux-wireless

On Tue, 2011-01-25 at 11:28 +0100, ext Johannes Berg wrote:
> On Tue, 2011-01-25 at 12:21 +0200, juuso.oikarinen@nokia.com wrote:
> > From: Juuso Oikarinen <juuso.oikarinen@nokia.com>
> > 
> > Some vendor specific cipher suites require non-zero key indexes for pairwise
> > keys, but as of currently, the cfg80211 does not allow it.
> 
> Hmm, also -- does this mean that WAPI might use multiple pairwise keys?
> That's most definitely not supported at all in mac80211.

Hi, AFAIK no, it does not use multiple pairwise keys. At least the
wl12xx hardware does not appear to support that - it just uses the
latest set key.

Still, in WAPI, the key index is toggled between 0 and 1 for each key
re-negotiation. I don't know the exact encryption details, but the key
index is present in the encrypted data, so it needs to be set correctly
for successful encryption/decryption.

-Juuso

> johannes
> 




* Re: [PATCH] cfg80211: Allow non-zero indexes for device specific pair-wise ciphers
  2011-01-25 10:27 ` Johannes Berg
@ 2011-01-25 13:47   ` Juuso Oikarinen
  2011-01-25 13:57     ` Johannes Berg
  0 siblings, 1 reply; 6+ messages in thread
From: Juuso Oikarinen @ 2011-01-25 13:47 UTC (permalink / raw)
  To: ext Johannes Berg; +Cc: linville, linux-wireless

On Tue, 2011-01-25 at 11:27 +0100, ext Johannes Berg wrote:
> On Tue, 2011-01-25 at 12:21 +0200, juuso.oikarinen@nokia.com wrote:
> > From: Juuso Oikarinen <juuso.oikarinen@nokia.com>
> > 
> > Some vendor specific cipher suites require non-zero key indexes for pairwise
> > keys, but as of currently, the cfg80211 does not allow it.
> 
> Well, technically, that is incorrect -- just adding a vendor-specific
> cipher to 802.11-2007 (11i) will uphold that requirement. Using
> different mechanisms like WAPI might run afoul of this check... But
> technically WAPI could also use CCMP etc. and then you might have to use
> non-zero even for CCMP, so this code would again be wrong.

I guess that's right. I was assuming this was for SMS-4 only, but I guess
it extends to other ciphers too in association with WAPI.

> OTOH, I don't really see a good way to capture this in code...

I would be surprised to see WAPI used with CCMP though - or any other
voluntary manner for that matter - although it is possible ;)

So you think this patch is ok as is, or do I need to find some other
way?

-Juuso





* Re: [PATCH] cfg80211: Allow non-zero indexes for device specific pair-wise ciphers
  2011-01-25 13:47   ` Juuso Oikarinen
@ 2011-01-25 13:57     ` Johannes Berg
  0 siblings, 0 replies; 6+ messages in thread
From: Johannes Berg @ 2011-01-25 13:57 UTC (permalink / raw)
  To: Juuso Oikarinen; +Cc: linville, linux-wireless

On Tue, 2011-01-25 at 15:47 +0200, Juuso Oikarinen wrote:

> I would be surprised to see WAPI used with CCMP though - or any other
> voluntary manner for that matter - although it is possible ;)

:)

> So you think this patch is ok as is, or do I need to find some other
> way?

I guess it's fine -- I was trying to figure out what they tried to do
with the key index but the WAPI "standard" is kinda vague on that ...

johannes

