On Tue, 11 Jun 2019 at 15:55, Johannes Berg <johannes@xxxxxxxxxxxxxxxx> wrote: > > On Tue, 2019-06-11 at 15:53 +0200, Ard Biesheuvel wrote: > > On Tue, 11 Jun 2019 at 15:52, Johannes Berg <johannes@xxxxxxxxxxxxxxxx> wrote: > > > > > > On Tue, 2019-06-11 at 15:47 +0200, Ard Biesheuvel wrote: > > > > > > > > +++ b/net/mac80211/mlme.c > > > > @@ -5038,8 +5038,6 @@ int ieee80211_mgd_auth(struct ieee80211_sub_if_data *sdata, > > > > auth_alg = WLAN_AUTH_OPEN; > > > > break; > > > > case NL80211_AUTHTYPE_SHARED_KEY: > > > > - if (IS_ERR(local->wep_tx_tfm)) > > > > - return -EOPNOTSUPP; > > > > auth_alg = WLAN_AUTH_SHARED_KEY; > > > > > > This bit is probably not right, we directly use the WEP functions for > > > shared key authentication. > > > > > > > OK. So we need to change this test to > > > > > > - if (fips_enabled) > > > > - return -EOPNOTSUPP; > > Right. > > > Does this also apply to > > > > diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c > > index a1973a26c7fc..9d8a8878a487 100644 > > --- a/net/mac80211/cfg.c > > +++ b/net/mac80211/cfg.c > > @@ -402,9 +402,6 @@ static int ieee80211_add_key(struct wiphy *wiphy, > > struct net_device *dev, > > case WLAN_CIPHER_SUITE_WEP40: > > case WLAN_CIPHER_SUITE_TKIP: > > case WLAN_CIPHER_SUITE_WEP104: > > - if (IS_ERR(local->wep_tx_tfm)) > > - return -EINVAL; > > - break; > > This shouldn't be possible because in cfg80211 we should be checking > that only ciphers are allowed that are in the cipher list (which we > built with the "have_wep" thing before), but perhaps better to be safe > here just in case we forgot something in cfg80211 - I could see e.g. the > old WEXT compatibility code not checking too carefully... > OK. I could make it a WARN_ONCE(fips_enabled) perhaps?