On Thu, Mar 24, 2022 at 08:48:16AM +0800, Ping-Ke Shih wrote:
> Follow IEEE 802.11-21 that HTC subfield masked to 0 for all data frames
> containing a QoS Control field. It also defines the AAD length depends on
> QC and A4 fields, so change logic to determine length accordingly.

> diff --git a/net/mac80211/wpa.c b/net/mac80211/wpa.c
> @@ -317,13 +317,12 @@ static void ccmp_special_blocks(struct sk_buff *skb, u8 *pn, u8 *b_0, u8 *aad)
> /*
> * Mask FC: zero subtype b4 b5 b6 (if not mgmt)
> - * Retry, PwrMgt, MoreData; set Protected
> + * Retry, PwrMgt, MoreData, Order (if Qos Data); set Protected
> */

...

For completeness, we should really do the same for GCMP AAD which is identical to the CCMP AAD. In other words, these changes should be done in gcmp_special_blocks() as well. Those functions should really have next to identical implementation for the AAD part (nonce construction is different, though). There were already some differences in the design before.. Maybe all this AAD stuff should really be moved into a separate helper function that both CCMP and GCMP could use.

-- 
Jouni Malinen PGP id EFC895FA
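Review bot: the updated comment in ccmp_special_blocks() says "Order (if Qos Data)" while the commit message describes the same bit as the HTC subfield and the condition as "all data frames containing a QoS Control field"; write "QoS Data" and name the bit as +HTC/Order in the comment so the two descriptions match. The hunk header shows 13 lines becoming 12, but the code lines are elided in this quote, so the masking itself and the new QC/A4-based AAD length cannot be checked from what is shown here.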
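The AAD rules described in the commit message, written as the kind of cipher-independent helper suggested in the reply. This is an added user-space example, not code from mac80211 or from the patch. Assumptions: the name `build_aad`, the `FC_*` macros and the sample header are constructed for illustration, the output carries no length prefix, and only the TID bits of QoS Control are kept.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Frame Control bits, as a little-endian 16-bit value */
#define FC_TYPE      0x000c /* type field; 0 = management */
#define FC_DATA      0x0008 /* type = data */
#define FC_SUB_B456  0x0070 /* subtype bits b4 b5 b6 */
#define FC_QOS       0x0080 /* subtype b7: data frame has QoS Control */
#define FC_A4        0x0300 /* ToDS and FromDS both set: A4 present */
#define FC_RETRY     0x0800
#define FC_PWRMGT    0x1000
#define FC_MOREDATA  0x2000
#define FC_PROTECTED 0x4000
#define FC_ORDER     0x8000 /* +HTC/Order */

/* Constructed sample: QoS Data, 4-address, Retry and Order set, TID 5 */
static const uint8_t sample_hdr[32] = { 0x88, 0x8b, [22] = 0x23, 0x01, [30] = 0x85 };

/* Write FC | A1 | A2 | A3 | SC | [A4] | [QC] with mutable bits masked into
 * aad (at least 30 bytes) and return its length: 22, 24, 28 or 30. */
size_t build_aad(const uint8_t *hdr, uint8_t *aad)
{
	uint16_t fc = (uint16_t)(hdr[0] | (hdr[1] << 8));
	int qos = (fc & (FC_TYPE | FC_QOS)) == (FC_DATA | FC_QOS);
	int a4 = (fc & FC_A4) == FC_A4;
	size_t len = 0;
	fc &= (uint16_t)~(FC_RETRY | FC_PWRMGT | FC_MOREDATA);
	if ((fc & FC_TYPE) != 0)        /* not management */
		fc &= (uint16_t)~FC_SUB_B456;
	if (qos)                        /* Order is masked only for QoS Data */
		fc &= (uint16_t)~FC_ORDER;
	fc |= FC_PROTECTED;
	aad[len++] = (uint8_t)(fc & 0xff);
	aad[len++] = (uint8_t)(fc >> 8);
	memcpy(aad + len, hdr + 4, 18); /* A1, A2, A3 */
	len += 18;
	aad[len++] = hdr[22] & 0x0f;    /* keep fragment number, zero sequence number */
	aad[len++] = 0;
	if (a4) {                       /* A4 adds 6 bytes */
		memcpy(aad + len, hdr + 24, 6);
		len += 6;
	}
	if (qos) {                      /* QC adds 2 bytes */
		aad[len++] = hdr[a4 ? 30 : 24] & 0x0f; /* keep TID only */
		aad[len++] = 0;
	}
	return len;
}
```

Because the length is derived from the A4 and QC presence tests alone, a trailing HT Control field in the header does not change the AAD size.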