Message-Id: <201101231138.p0NBctnq036550@red.freebsd.org>
Date: Sun, 23 Jan 2011 11:38:55 GMT
From: Adrian Chadd <adrian@FreeBSD.org>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [ath] AR9280 w/ AES-CCMP (WPA2) group key does not work
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         154237
>Category:       kern
>Synopsis:       [ath] AR9280 w/ AES-CCMP (WPA2) group key does not work
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    adrian
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jan 23 11:40:11 UTC 2011
>Closed-Date:    Sat Apr 09 03:04:29 UTC 2011
>Last-Modified:  Sat Apr 09 03:04:29 UTC 2011
>Originator:     Adrian Chadd
>Release:        HEAD r217687
>Organization:
>Environment:
FreeBSD i386
>Description:
Associating to my local TP-Link WN-1043ND running OpenWRT works, but no traffic is passed.

Turning on the keycache debugging (athdebug +keycache) shows that the group keys are being installed in slots 1+2 (alternating for each group rekey), with the unicast key in slot 4.

Associating to the AP in WPA1 mode w/ TKIP as the group key shows no issue.

One important part - the MAC of the device is 94:0c:6d:fe:4f:20; notice the high bit of the MAC address is set. This is apparently a sign to the keycache that the key is a multicast key.

Just as a side note: working AES-CCMP WPA/WPA2 is required for 802.11n.
>How-To-Repeat:

>Fix:
If an AES group key is not installed in the shared key space (key 0->3), the problem goes away.

I'm not sure whether AR_KEYTABLE_VALID in the keycache entry is supposed to be involved here or not. I need to do some further digging.

This seems to fix it:

Index: if_ath.c
===================================================================
--- if_ath.c	(revision 217719)
+++ if_ath.c	(working copy)
@@ -2223,6 +2223,11 @@
 {
 	struct ath_softc *sc = vap->iv_ic->ic_ifp->if_softc;
 
+	/* Station mode? Don't use the group keys for AES/CCMP */
+	if (vap->iv_opmode == IEEE80211_M_STA && sc->sc_mcastkey && k->wk_cipher->ic_cipher == IEEE80211_CIPHER_AES_CCM) {
+		return key_alloc_single(sc, keyix, rxkeyix);
+	}
+
 	/*
 	 * Group key allocation must be handled specially for
 	 * parts that do not support multicast key cache search
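
Review bot: The condition on the added `if` line never checks that `k` is a group key, so it takes the `key_alloc_single()` path for every AES-CCM key in station mode when `sc->sc_mcastkey` is set, while the comment says only group keys are meant. If that is the intent, add a test such as `k->wk_flags & IEEE80211_KEY_GROUP` to the condition. Because the early return sits above the "Group key allocation must be handled specially" block, it also bypasses that handling entirely, so the comment should state why the shared slots are avoided (the report ties the failure to an AES group key installed in key 0->3). The line runs well past 80 columns and should be wrapped, and the braces around the single `return` can be dropped per style(9).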


>Release-Note:
>Audit-Trail:

From: Adrian Chadd <adrian@freebsd.org>
To: bug-followup@freebsd.org
Cc:  
Subject: Re: kern/154237: [ath] AR9280 w/ AES-CCMP (WPA2) group key does not work
Date: Sun, 23 Jan 2011 20:18:57 +0800

 bschmidt has reported that it breaks broadcast traffic in his
 environment. He's seeing encrypted frames being passed verbatim back
 to his station.
 
 This needs to be fully tested with combinations of encryption type
 (TKIP/AES-CCMP) and BSSID MAC.
Responsible-Changed-From-To: freebsd-bugs->freebsd-net 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Wed Jan 26 11:07:24 UTC 2011 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=154237 
Responsible-Changed-From-To: freebsd-net->adrian 
Responsible-Changed-By: adrian 
Responsible-Changed-When: Thu Jan 27 06:46:47 UTC 2011 
Responsible-Changed-Why:  
My bug 


State-Changed-From-To: open->closed 
State-Changed-By: adrian 
State-Changed-When: Sat Apr 9 03:03:40 UTC 2011 
State-Changed-Why:  
This bug has been fixed for a while; the keycache multicast key 
code was using the wrong bit in the ethernet address to signify 
what's going on. 


>Unformatted:
