- Introduce IEEE80211_KEY_NOREPLAY, a per-key flag to ignore replay

  violations.
- Use SIOCGIFMEDIA to determine VAP's opmode, cache it and set
  IEEE80211_KEY_NOREPLAY for AHDEMO and IBSS.

Approved by:	rpaulo (mentor)

3 files changed, 7 insertions, 17 deletions

diff --git a/sys/net80211/ieee80211_crypto.h b/sys/net80211/ieee80211_crypto.h
index 57d05ad..d7ac436 100644
--- a/sys/net80211/ieee80211_crypto.h
+++ b/sys/net80211/ieee80211_crypto.h
@@ -78,6 +78,7 @@ struct ieee80211_key {
 #define	IEEE80211_KEY_XMIT	0x0001	/* key used for xmit */
 #define	IEEE80211_KEY_RECV	0x0002	/* key used for recv */
 #define	IEEE80211_KEY_GROUP	0x0004	/* key used for WPA group operation */
+#define	IEEE80211_KEY_NOREPLAY	0x0008	/* ignore replay failures */
 #define	IEEE80211_KEY_SWENCRYPT	0x0010	/* host-based encrypt */
 #define	IEEE80211_KEY_SWDECRYPT	0x0020	/* host-based decrypt */
 #define	IEEE80211_KEY_SWENMIC	0x0040	/* host-based enmic */
@@ -98,7 +99,8 @@ struct ieee80211_key {
 	uint8_t		wk_macaddr[IEEE80211_ADDR_LEN];
 };
 #define	IEEE80211_KEY_COMMON 		/* common flags passed in by apps */\
-	(IEEE80211_KEY_XMIT | IEEE80211_KEY_RECV | IEEE80211_KEY_GROUP)
+	(IEEE80211_KEY_XMIT | IEEE80211_KEY_RECV | IEEE80211_KEY_GROUP | \
+	 IEEE80211_KEY_NOREPLAY)
 #define	IEEE80211_KEY_DEVICE		/* flags owned by device driver */\
 	(IEEE80211_KEY_DEVKEY|IEEE80211_KEY_CIPHER0|IEEE80211_KEY_CIPHER1)
 
diff --git a/sys/net80211/ieee80211_crypto_ccmp.c b/sys/net80211/ieee80211_crypto_ccmp.c
index 9ad2409..cb9ed0a 100644
--- a/sys/net80211/ieee80211_crypto_ccmp.c
+++ b/sys/net80211/ieee80211_crypto_ccmp.c
@@ -226,14 +226,8 @@ ccmp_decap(struct ieee80211_key *k, struct mbuf *m, int hdrlen)
 	}
 	tid = ieee80211_gettid(wh);
 	pn = READ_6(ivp[0], ivp[1], ivp[4], ivp[5], ivp[6], ivp[7]);
-	/*
-	 * NB: Multiple stations are using the same key in
-	 * IBSS mode, there is currently no way to sync keyrsc
-	 * counters without discarding too many frames.
-	 */
-	if (vap->iv_opmode != IEEE80211_M_IBSS &&
-	    vap->iv_opmode != IEEE80211_M_AHDEMO &&
-	    pn <= k->wk_keyrsc[tid]) {
+	if (pn <= k->wk_keyrsc[tid] &&
+	    (k->wk_flags & IEEE80211_KEY_NOREPLAY) == 0) {
 		/*
 		 * Replay violation.
 		 */
diff --git a/sys/net80211/ieee80211_crypto_tkip.c b/sys/net80211/ieee80211_crypto_tkip.c
index 0f17c17..05d9c74 100644
--- a/sys/net80211/ieee80211_crypto_tkip.c
+++ b/sys/net80211/ieee80211_crypto_tkip.c
@@ -281,14 +281,8 @@ tkip_decap(struct ieee80211_key *k, struct mbuf *m, int hdrlen)
 
 	tid = ieee80211_gettid(wh);
 	ctx->rx_rsc = READ_6(ivp[2], ivp[0], ivp[4], ivp[5], ivp[6], ivp[7]);
-	/*
-	 * NB: Multiple stations are using the same key in
-	 * IBSS mode, there is currently no way to sync keyrsc
-	 * counters without discarding too many frames.
-	 */
-	if (vap->iv_opmode != IEEE80211_M_IBSS &&
-	    vap->iv_opmode != IEEE80211_M_AHDEMO &&
-	    ctx->rx_rsc <= k->wk_keyrsc[tid]) {
+	if (ctx->rx_rsc <= k->wk_keyrsc[tid] &&
+	    (k->wk_flags & IEEE80211_KEY_NOREPLAY) == 0) {
 		/*
 		 * Replay violation; notify upper layer.
 		 */