diff --git a/sys/net80211/ieee80211_crypto.c b/sys/net80211/ieee80211_crypto.c --- a/sys/net80211/ieee80211_crypto.c +++ b/sys/net80211/ieee80211_crypto.c @@ -142,6 +142,18 @@ { /* NB: we assume everything is pre-zero'd */ ciphers[IEEE80211_CIPHER_NONE] = &ieee80211_cipher_none; + + /* + * Default set of net80211 supported ciphers. + * + * These are the ones announced to userland (eg wpa_supplicant). + * ic_cryptocaps is actually the hardware supported ciphers. + * + * If drivers can NOT support a specific cipher then they + * should mask them OUT of this field. + */ + ic->ic_supp_cryptocaps = IEEE80211_CRYPTO_WEP | + IEEE80211_CRYPTO_TKIP | IEEE80211_CRYPTO_AES_CCM; } /* diff --git a/sys/net80211/ieee80211_ioctl.c b/sys/net80211/ieee80211_ioctl.c --- a/sys/net80211/ieee80211_ioctl.c +++ b/sys/net80211/ieee80211_ioctl.c @@ -709,7 +709,16 @@ if (dc == NULL) return ENOMEM; dc->dc_drivercaps = ic->ic_caps; - dc->dc_cryptocaps = ic->ic_cryptocaps; + /* + * Announce the net80211 supported ciphers; not JUST the + * hardware supported ciphers. + * + * Drivers will mask ciphers OUT of this during attach if + * they can't support them - ie they're required to do hardware + * ciphers only and don't support the software encrypt/decrypt + * path. + */ + dc->dc_cryptocaps = ic->ic_supp_cryptocaps; dc->dc_htcaps = ic->ic_htcaps; dc->dc_vhtcaps = ic->ic_vht_cap.vht_cap_info; ci = &dc->dc_chaninfo; diff --git a/sys/net80211/ieee80211_var.h b/sys/net80211/ieee80211_var.h --- a/sys/net80211/ieee80211_var.h +++ b/sys/net80211/ieee80211_var.h @@ -163,7 +163,9 @@ uint32_t ic_caps; /* capabilities */ uint32_t ic_htcaps; /* HT capabilities */ uint32_t ic_htextcaps; /* HT extended capabilities */ - uint32_t ic_cryptocaps; /* crypto capabilities */ + /* supported / announced crypto caps */ + uint32_t ic_supp_cryptocaps; + uint32_t ic_cryptocaps; /* hardware crypto caps */ /* set of mode capabilities */ uint8_t ic_modecaps[IEEE80211_MODE_BYTES]; uint8_t ic_promisc; /* vap's needing promisc mode */