On Thu, 2017-05-11 at 16:22 -0400, Michael Skeffington wrote:
> I am using an rt5350 SoC using the rt2x00 driver. We were doing
> WiFi-alliance certification testing on our device and it wasn't
> issuing countermeasures appropriately.
>
> Your assumption is correct. I had overlooked that devices using this
> driver have hardware decoding and the driver sets RX_FLAG_MMIC_ERROR.
> In retrospect, the change I proposed is totally broken.
>
> I'm running through the failure case again so I can identify where in
> the rx_decrypt function it falls through. It seems odd that it would
> drop the packet in rx_decrypt given that it doesn't actually do any
> decryption. I suspect that's related to the underlying bug.
Here's the driver code from rt2500usb (but it's similar in the others):
	rxdesc->flags |= RX_FLAG_MMIC_STRIPPED;
	if (rxdesc->cipher_status == RX_CRYPTO_SUCCESS)
		rxdesc->flags |= RX_FLAG_DECRYPTED;
	else if (rxdesc->cipher_status == RX_CRYPTO_FAIL_MIC)
		rxdesc->flags |= RX_FLAG_MMIC_ERROR;
I think if you just change it to be
[...]
	else if (rxdesc->cipher_status == RX_CRYPTO_FAIL_MIC)
		rxdesc->flags |= RX_FLAG_MMIC_ERROR |
				 RX_FLAG_DECRYPTED;
things will start working. This is arguably correct since to be able to
check the MMIC, the frame has to have been decrypted (properly) before.
johannes
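The failure mode and the fix discussed in this thread, as an added stand-alone model that is not kernel or rt2x00 code: the flag bit values, the RX_CRYPTO_FAIL_OTHER status, and the simplified consumer handle_rx_frame() are assumptions that mirror the reasoning above (a frame not marked RX_FLAG_DECRYPTED goes to software decryption and is dropped there, so the MMIC-error verdict never reaches the MIC-failure report that drives countermeasures), not mac80211's real rx path.

```c
/* Added model of the rx-descriptor flag handling discussed in the thread.
 * Flag/status values are stand-ins (assumption), not the kernel's. */
#include <stdbool.h>
#include <stdio.h>

enum rx_crypto { RX_CRYPTO_SUCCESS, RX_CRYPTO_FAIL_MIC, RX_CRYPTO_FAIL_OTHER };

#define RX_FLAG_MMIC_STRIPPED (1u << 0)
#define RX_FLAG_DECRYPTED     (1u << 1)
#define RX_FLAG_MMIC_ERROR    (1u << 2)

/* Flag mapping from the driver snippet; `fixed` selects the suggested change. */
unsigned int rx_flags_for_status(enum rx_crypto status, bool fixed)
{
	unsigned int flags = RX_FLAG_MMIC_STRIPPED;

	if (status == RX_CRYPTO_SUCCESS)
		flags |= RX_FLAG_DECRYPTED;
	else if (status == RX_CRYPTO_FAIL_MIC)
		flags |= fixed ? (RX_FLAG_MMIC_ERROR | RX_FLAG_DECRYPTED)
			       : RX_FLAG_MMIC_ERROR;
	return flags;
}

enum rx_outcome { RX_ACCEPT, RX_REPORT_MIC_FAILURE, RX_SW_DECRYPT_DROP };

/* Simplified consumer (assumption): without RX_FLAG_DECRYPTED the frame is
 * handed to software decryption, which cannot succeed on a payload the
 * hardware already decrypted and MIC-stripped, so it is dropped before the
 * MMIC verdict is ever examined. */
enum rx_outcome handle_rx_frame(unsigned int flags)
{
	if (!(flags & RX_FLAG_DECRYPTED))
		return RX_SW_DECRYPT_DROP;
	if (flags & RX_FLAG_MMIC_ERROR)
		return RX_REPORT_MIC_FAILURE; /* what triggers TKIP countermeasures */
	return RX_ACCEPT;
}

/* Invariant behind the fix: an MMIC verdict implies the frame was decrypted. */
bool flags_consistent(unsigned int flags)
{
	return !(flags & RX_FLAG_MMIC_ERROR) || (flags & RX_FLAG_DECRYPTED);
}

int main(void)
{
	for (int fixed = 0; fixed < 2; fixed++) {
		unsigned int f = rx_flags_for_status(RX_CRYPTO_FAIL_MIC, fixed);
		printf("%s: outcome=%d consistent=%d\n", fixed ? "fixed" : "original",
		       handle_rx_frame(f), flags_consistent(f));
	}
	return 0;
}
```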