Hello, I've applied your diff and dhclient now works on my athn0 interface, where it didn't work before.
The symptom was that it did get a link, but couldn't get a lease. Thanks. Matej On Tue, 10 Nov 2020 at 12:39, Stefan Sperling <s...@stsp.name> wrote: > > Similar to the urtwn(4) WPA1/TKIP fix I have just committed, there's > a bug in athn(4) where the value of ni_rsncipher is used to guide the > hardware- vs. software-crypto decision for multicast frames, not just > for unicast frames as was intended. > > This means multicast frames could fail to decrypt if the AP is configured > to use WPA1/TKIP instead of WPA2/CMMP as the group cipher (symptoms may > include dhclient failing to get link). > > Ok? > > diff 89be218cf39e3311509e6aba9a8efd44b360a42f /usr/src > blob - 560db09a447651b7bcabac7b94286a872b313ee2 > file + sys/dev/ic/ar5008.c > --- sys/dev/ic/ar5008.c > +++ sys/dev/ic/ar5008.c > @@ -1003,7 +1003,8 @@ ar5008_rx_process(struct athn_softc *sc, struct mbuf_l > (wh->i_fc[1] & IEEE80211_FC1_PROTECTED) && > (ic->ic_flags & IEEE80211_F_RSNON) && > (ni->ni_flags & IEEE80211_NODE_RXPROT) && > - (ni->ni_rsncipher == IEEE80211_CIPHER_CCMP || > + ((!IEEE80211_IS_MULTICAST(wh->i_addr1) && > + ni->ni_rsncipher == IEEE80211_CIPHER_CCMP) || > (IEEE80211_IS_MULTICAST(wh->i_addr1) && > ni->ni_rsngroupcipher == IEEE80211_CIPHER_CCMP))) { > if (ar5008_ccmp_decap(sc, m, ni) != 0) { > > >