projects / 15.05 / openwrt.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
mac80211: brcmfmac: backport patches that were skipped previously #1
[15.05/openwrt.git] / package / kernel / mac80211 / patches / 344-0020-brcmfmac-add-802.11w-management-frame-protection-sup.patch
diff --git a/package/kernel/mac80211/patches/344-0020-brcmfmac-add-802.11w-management-frame-protection-sup.patch b/package/kernel/mac80211/patches/344-0020-brcmfmac-add-802.11w-management-frame-protection-sup.patch
new file mode 100644 (file)
index 0000000..c20d40c
--- /dev/null
+++ b/package/kernel/mac80211/patches/344-0020-brcmfmac-add-802.11w-management-frame-protection-sup.patch
@@ -0,0 +1,509 @@
+From: Hante Meuleman <hante.meuleman@broadcom.com>
+Date: Wed, 17 Feb 2016 11:27:10 +0100
+Subject: [PATCH] brcmfmac: add 802.11w management frame protection support
+
+Add full support for both AP and STA for management frame protection.
+
+Reviewed-by: Arend Van Spriel <arend.van@broadcom.com>
+Reviewed-by: Franky (Zhenhui) Lin <franky.lin@broadcom.com>
+Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
+Signed-off-by: Hante Meuleman <hante.meuleman@broadcom.com>
+Signed-off-by: Arend van Spriel <arend@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -72,8 +72,13 @@
+ #define RSN_AKM_NONE                  0       /* None (IBSS) */
+ #define RSN_AKM_UNSPECIFIED           1       /* Over 802.1x */
+ #define RSN_AKM_PSK                   2       /* Pre-shared Key */
++#define RSN_AKM_SHA256_1X             5       /* SHA256, 802.1X */
++#define RSN_AKM_SHA256_PSK            6       /* SHA256, Pre-shared Key */
+ #define RSN_CAP_LEN                   2       /* Length of RSN capabilities */
+-#define RSN_CAP_PTK_REPLAY_CNTR_MASK  0x000C
++#define RSN_CAP_PTK_REPLAY_CNTR_MASK  (BIT(2) | BIT(3))
++#define RSN_CAP_MFPR_MASK             BIT(6)
++#define RSN_CAP_MFPC_MASK             BIT(7)
++#define RSN_PMKID_COUNT_LEN           2
+ #define VNDR_IE_CMD_LEN                       4       /* length of the set command
+                                                * string :"add", "del" (+ NUL)
+@@ -211,12 +216,19 @@ static const struct ieee80211_regdomain
+               REG_RULE(5470-10, 5850+10, 80, 6, 20, 0), }
+ };
+-static const u32 __wl_cipher_suites[] = {
++/* Note: brcmf_cipher_suites is an array of int defining which cipher suites
++ * are supported. A pointer to this array and the number of entries is passed
++ * on to upper layers. AES_CMAC defines whether or not the driver supports MFP.
++ * So the cipher suite AES_CMAC has to be the last one in the array, and when
++ * device does not support MFP then the number of suites will be decreased by 1
++ */
++static const u32 brcmf_cipher_suites[] = {
+       WLAN_CIPHER_SUITE_WEP40,
+       WLAN_CIPHER_SUITE_WEP104,
+       WLAN_CIPHER_SUITE_TKIP,
+       WLAN_CIPHER_SUITE_CCMP,
+-      WLAN_CIPHER_SUITE_AES_CMAC,
++      /* Keep as last entry: */
++      WLAN_CIPHER_SUITE_AES_CMAC
+ };
+ /* Vendor specific ie. id = 221, oui and type defines exact ie */
+@@ -1533,7 +1545,7 @@ static s32 brcmf_set_auth_type(struct ne
+ static s32
+ brcmf_set_wsec_mode(struct net_device *ndev,
+-                   struct cfg80211_connect_params *sme, bool mfp)
++                  struct cfg80211_connect_params *sme)
+ {
+       struct brcmf_cfg80211_profile *profile = ndev_to_prof(ndev);
+       struct brcmf_cfg80211_security *sec;
+@@ -1592,10 +1604,7 @@ brcmf_set_wsec_mode(struct net_device *n
+           sme->privacy)
+               pval = AES_ENABLED;
+-      if (mfp)
+-              wsec = pval | gval | MFP_CAPABLE;
+-      else
+-              wsec = pval | gval;
++      wsec = pval | gval;
+       err = brcmf_fil_bsscfg_int_set(netdev_priv(ndev), "wsec", wsec);
+       if (err) {
+               brcmf_err("error (%d)\n", err);
+@@ -1612,56 +1621,100 @@ brcmf_set_wsec_mode(struct net_device *n
+ static s32
+ brcmf_set_key_mgmt(struct net_device *ndev, struct cfg80211_connect_params *sme)
+ {
+-      struct brcmf_cfg80211_profile *profile = ndev_to_prof(ndev);
+-      struct brcmf_cfg80211_security *sec;
+-      s32 val = 0;
+-      s32 err = 0;
++      struct brcmf_if *ifp = netdev_priv(ndev);
++      s32 val;
++      s32 err;
++      const struct brcmf_tlv *rsn_ie;
++      const u8 *ie;
++      u32 ie_len;
++      u32 offset;
++      u16 rsn_cap;
++      u32 mfp;
++      u16 count;
+-      if (sme->crypto.n_akm_suites) {
+-              err = brcmf_fil_bsscfg_int_get(netdev_priv(ndev),
+-                                             "wpa_auth", &val);
+-              if (err) {
+-                      brcmf_err("could not get wpa_auth (%d)\n", err);
+-                      return err;
++      if (!sme->crypto.n_akm_suites)
++              return 0;
++
++      err = brcmf_fil_bsscfg_int_get(netdev_priv(ndev), "wpa_auth", &val);
++      if (err) {
++              brcmf_err("could not get wpa_auth (%d)\n", err);
++              return err;
++      }
++      if (val & (WPA_AUTH_PSK | WPA_AUTH_UNSPECIFIED)) {
++              switch (sme->crypto.akm_suites[0]) {
++              case WLAN_AKM_SUITE_8021X:
++                      val = WPA_AUTH_UNSPECIFIED;
++                      break;
++              case WLAN_AKM_SUITE_PSK:
++                      val = WPA_AUTH_PSK;
++                      break;
++              default:
++                      brcmf_err("invalid cipher group (%d)\n",
++                                sme->crypto.cipher_group);
++                      return -EINVAL;
+               }
+-              if (val & (WPA_AUTH_PSK | WPA_AUTH_UNSPECIFIED)) {
+-                      switch (sme->crypto.akm_suites[0]) {
+-                      case WLAN_AKM_SUITE_8021X:
+-                              val = WPA_AUTH_UNSPECIFIED;
+-                              break;
+-                      case WLAN_AKM_SUITE_PSK:
+-                              val = WPA_AUTH_PSK;
+-                              break;
+-                      default:
+-                              brcmf_err("invalid cipher group (%d)\n",
+-                                        sme->crypto.cipher_group);
+-                              return -EINVAL;
+-                      }
+-              } else if (val & (WPA2_AUTH_PSK | WPA2_AUTH_UNSPECIFIED)) {
+-                      switch (sme->crypto.akm_suites[0]) {
+-                      case WLAN_AKM_SUITE_8021X:
+-                              val = WPA2_AUTH_UNSPECIFIED;
+-                              break;
+-                      case WLAN_AKM_SUITE_PSK:
+-                              val = WPA2_AUTH_PSK;
+-                              break;
+-                      default:
+-                              brcmf_err("invalid cipher group (%d)\n",
+-                                        sme->crypto.cipher_group);
+-                              return -EINVAL;
+-                      }
++      } else if (val & (WPA2_AUTH_PSK | WPA2_AUTH_UNSPECIFIED)) {
++              switch (sme->crypto.akm_suites[0]) {
++              case WLAN_AKM_SUITE_8021X:
++                      val = WPA2_AUTH_UNSPECIFIED;
++                      break;
++              case WLAN_AKM_SUITE_8021X_SHA256:
++                      val = WPA2_AUTH_1X_SHA256;
++                      break;
++              case WLAN_AKM_SUITE_PSK_SHA256:
++                      val = WPA2_AUTH_PSK_SHA256;
++                      break;
++              case WLAN_AKM_SUITE_PSK:
++                      val = WPA2_AUTH_PSK;
++                      break;
++              default:
++                      brcmf_err("invalid cipher group (%d)\n",
++                                sme->crypto.cipher_group);
++                      return -EINVAL;
+               }
++      }
+-              brcmf_dbg(CONN, "setting wpa_auth to %d\n", val);
+-              err = brcmf_fil_bsscfg_int_set(netdev_priv(ndev),
+-                                             "wpa_auth", val);
+-              if (err) {
+-                      brcmf_err("could not set wpa_auth (%d)\n", err);
+-                      return err;
+-              }
++      if (!brcmf_feat_is_enabled(ifp, BRCMF_FEAT_MFP))
++              goto skip_mfp_config;
++      /* The MFP mode (1 or 2) needs to be determined, parse IEs. The
++       * IE will not be verified, just a quick search for MFP config
++       */
++      rsn_ie = brcmf_parse_tlvs((const u8 *)sme->ie, sme->ie_len,
++                                WLAN_EID_RSN);
++      if (!rsn_ie)
++              goto skip_mfp_config;
++      ie = (const u8 *)rsn_ie;
++      ie_len = rsn_ie->len + TLV_HDR_LEN;
++      /* Skip unicast suite */
++      offset = TLV_HDR_LEN + WPA_IE_VERSION_LEN + WPA_IE_MIN_OUI_LEN;
++      if (offset + WPA_IE_SUITE_COUNT_LEN >= ie_len)
++              goto skip_mfp_config;
++      /* Skip multicast suite */
++      count = ie[offset] + (ie[offset + 1] << 8);
++      offset += WPA_IE_SUITE_COUNT_LEN + (count * WPA_IE_MIN_OUI_LEN);
++      if (offset + WPA_IE_SUITE_COUNT_LEN >= ie_len)
++              goto skip_mfp_config;
++      /* Skip auth key management suite(s) */
++      count = ie[offset] + (ie[offset + 1] << 8);
++      offset += WPA_IE_SUITE_COUNT_LEN + (count * WPA_IE_MIN_OUI_LEN);
++      if (offset + WPA_IE_SUITE_COUNT_LEN > ie_len)
++              goto skip_mfp_config;
++      /* Ready to read capabilities */
++      mfp = BRCMF_MFP_NONE;
++      rsn_cap = ie[offset] + (ie[offset + 1] << 8);
++      if (rsn_cap & RSN_CAP_MFPR_MASK)
++              mfp = BRCMF_MFP_REQUIRED;
++      else if (rsn_cap & RSN_CAP_MFPC_MASK)
++              mfp = BRCMF_MFP_CAPABLE;
++      brcmf_fil_bsscfg_int_set(netdev_priv(ndev), "mfp", mfp);
++
++skip_mfp_config:
++      brcmf_dbg(CONN, "setting wpa_auth to %d\n", val);
++      err = brcmf_fil_bsscfg_int_set(netdev_priv(ndev), "wpa_auth", val);
++      if (err) {
++              brcmf_err("could not set wpa_auth (%d)\n", err);
++              return err;
+       }
+-      sec = &profile->sec;
+-      sec->wpa_auth = sme->crypto.akm_suites[0];
+       return err;
+ }
+@@ -1827,7 +1880,7 @@ brcmf_cfg80211_connect(struct wiphy *wip
+               goto done;
+       }
+-      err = brcmf_set_wsec_mode(ndev, sme, sme->mfp == NL80211_MFP_REQUIRED);
++      err = brcmf_set_wsec_mode(ndev, sme);
+       if (err) {
+               brcmf_err("wl_set_set_cipher failed (%d)\n", err);
+               goto done;
+@@ -2077,10 +2130,12 @@ brcmf_cfg80211_del_key(struct wiphy *wip
+                      u8 key_idx, bool pairwise, const u8 *mac_addr)
+ {
+       struct brcmf_if *ifp = netdev_priv(ndev);
+-      struct brcmf_wsec_key key;
+-      s32 err = 0;
++      struct brcmf_wsec_key *key;
++      s32 err;
+       brcmf_dbg(TRACE, "Enter\n");
++      brcmf_dbg(CONN, "key index (%d)\n", key_idx);
++
+       if (!check_vif_up(ifp->vif))
+               return -EIO;
+@@ -2089,16 +2144,19 @@ brcmf_cfg80211_del_key(struct wiphy *wip
+               return -EINVAL;
+       }
+-      memset(&key, 0, sizeof(key));
++      key = &ifp->vif->profile.key[key_idx];
+-      key.index = (u32)key_idx;
+-      key.flags = BRCMF_PRIMARY_KEY;
+-      key.algo = CRYPTO_ALGO_OFF;
++      if (key->algo == CRYPTO_ALGO_OFF) {
++              brcmf_dbg(CONN, "Ignore clearing of (never configured) key\n");
++              return -EINVAL;
++      }
+-      brcmf_dbg(CONN, "key index (%d)\n", key_idx);
++      memset(key, 0, sizeof(*key));
++      key->index = (u32)key_idx;
++      key->flags = BRCMF_PRIMARY_KEY;
+-      /* Set the new key/index */
+-      err = send_key_to_dongle(ifp, &key);
++      /* Clear the key/index */
++      err = send_key_to_dongle(ifp, key);
+       brcmf_dbg(TRACE, "Exit\n");
+       return err;
+@@ -2106,8 +2164,8 @@ brcmf_cfg80211_del_key(struct wiphy *wip
+ static s32
+ brcmf_cfg80211_add_key(struct wiphy *wiphy, struct net_device *ndev,
+-                  u8 key_idx, bool pairwise, const u8 *mac_addr,
+-                  struct key_params *params)
++                     u8 key_idx, bool pairwise, const u8 *mac_addr,
++                     struct key_params *params)
+ {
+       struct brcmf_if *ifp = netdev_priv(ndev);
+       struct brcmf_wsec_key *key;
+@@ -2214,9 +2272,10 @@ done:
+ }
+ static s32
+-brcmf_cfg80211_get_key(struct wiphy *wiphy, struct net_device *ndev,
+-                  u8 key_idx, bool pairwise, const u8 *mac_addr, void *cookie,
+-                  void (*callback) (void *cookie, struct key_params * params))
++brcmf_cfg80211_get_key(struct wiphy *wiphy, struct net_device *ndev, u8 key_idx,
++                     bool pairwise, const u8 *mac_addr, void *cookie,
++                     void (*callback)(void *cookie,
++                                      struct key_params *params))
+ {
+       struct key_params params;
+       struct brcmf_if *ifp = netdev_priv(ndev);
+@@ -2268,8 +2327,15 @@ done:
+ static s32
+ brcmf_cfg80211_config_default_mgmt_key(struct wiphy *wiphy,
+-                                  struct net_device *ndev, u8 key_idx)
++                                     struct net_device *ndev, u8 key_idx)
+ {
++      struct brcmf_if *ifp = netdev_priv(ndev);
++
++      brcmf_dbg(TRACE, "Enter key_idx %d\n", key_idx);
++
++      if (brcmf_feat_is_enabled(ifp, BRCMF_FEAT_MFP))
++              return 0;
++
+       brcmf_dbg(INFO, "Not supported\n");
+       return -EOPNOTSUPP;
+@@ -3769,7 +3835,7 @@ brcmf_configure_wpaie(struct brcmf_if *i
+       u32 auth = 0; /* d11 open authentication */
+       u16 count;
+       s32 err = 0;
+-      s32 len = 0;
++      s32 len;
+       u32 i;
+       u32 wsec;
+       u32 pval = 0;
+@@ -3779,6 +3845,7 @@ brcmf_configure_wpaie(struct brcmf_if *i
+       u8 *data;
+       u16 rsn_cap;
+       u32 wme_bss_disable;
++      u32 mfp;
+       brcmf_dbg(TRACE, "Enter\n");
+       if (wpa_ie == NULL)
+@@ -3893,19 +3960,53 @@ brcmf_configure_wpaie(struct brcmf_if *i
+                       is_rsn_ie ? (wpa_auth |= WPA2_AUTH_PSK) :
+                                   (wpa_auth |= WPA_AUTH_PSK);
+                       break;
++              case RSN_AKM_SHA256_PSK:
++                      brcmf_dbg(TRACE, "RSN_AKM_MFP_PSK\n");
++                      wpa_auth |= WPA2_AUTH_PSK_SHA256;
++                      break;
++              case RSN_AKM_SHA256_1X:
++                      brcmf_dbg(TRACE, "RSN_AKM_MFP_1X\n");
++                      wpa_auth |= WPA2_AUTH_1X_SHA256;
++                      break;
+               default:
+                       brcmf_err("Ivalid key mgmt info\n");
+               }
+               offset++;
+       }
++      mfp = BRCMF_MFP_NONE;
+       if (is_rsn_ie) {
+               wme_bss_disable = 1;
+               if ((offset + RSN_CAP_LEN) <= len) {
+                       rsn_cap = data[offset] + (data[offset + 1] << 8);
+                       if (rsn_cap & RSN_CAP_PTK_REPLAY_CNTR_MASK)
+                               wme_bss_disable = 0;
++                      if (rsn_cap & RSN_CAP_MFPR_MASK) {
++                              brcmf_dbg(TRACE, "MFP Required\n");
++                              mfp = BRCMF_MFP_REQUIRED;
++                              /* Firmware only supports mfp required in
++                               * combination with WPA2_AUTH_PSK_SHA256 or
++                               * WPA2_AUTH_1X_SHA256.
++                               */
++                              if (!(wpa_auth & (WPA2_AUTH_PSK_SHA256 |
++                                                WPA2_AUTH_1X_SHA256))) {
++                                      err = -EINVAL;
++                                      goto exit;
++                              }
++                              /* Firmware has requirement that WPA2_AUTH_PSK/
++                               * WPA2_AUTH_UNSPECIFIED be set, if SHA256 OUI
++                               * is to be included in the rsn ie.
++                               */
++                              if (wpa_auth & WPA2_AUTH_PSK_SHA256)
++                                      wpa_auth |= WPA2_AUTH_PSK;
++                              else if (wpa_auth & WPA2_AUTH_1X_SHA256)
++                                      wpa_auth |= WPA2_AUTH_UNSPECIFIED;
++                      } else if (rsn_cap & RSN_CAP_MFPC_MASK) {
++                              brcmf_dbg(TRACE, "MFP Capable\n");
++                              mfp = BRCMF_MFP_CAPABLE;
++                      }
+               }
++              offset += RSN_CAP_LEN;
+               /* set wme_bss_disable to sync RSN Capabilities */
+               err = brcmf_fil_bsscfg_int_set(ifp, "wme_bss_disable",
+                                              wme_bss_disable);
+@@ -3913,6 +4014,21 @@ brcmf_configure_wpaie(struct brcmf_if *i
+                       brcmf_err("wme_bss_disable error %d\n", err);
+                       goto exit;
+               }
++
++              /* Skip PMKID cnt as it is know to be 0 for AP. */
++              offset += RSN_PMKID_COUNT_LEN;
++
++              /* See if there is BIP wpa suite left for MFP */
++              if (brcmf_feat_is_enabled(ifp, BRCMF_FEAT_MFP) &&
++                  ((offset + WPA_IE_MIN_OUI_LEN) <= len)) {
++                      err = brcmf_fil_bsscfg_data_set(ifp, "bip",
++                                                      &data[offset],
++                                                      WPA_IE_MIN_OUI_LEN);
++                      if (err < 0) {
++                              brcmf_err("bip error %d\n", err);
++                              goto exit;
++                      }
++              }
+       }
+       /* FOR WPS , set SES_OW_ENABLED */
+       wsec = (pval | gval | SES_OW_ENABLED);
+@@ -3929,6 +4045,16 @@ brcmf_configure_wpaie(struct brcmf_if *i
+               brcmf_err("wsec error %d\n", err);
+               goto exit;
+       }
++      /* Configure MFP, this needs to go after wsec otherwise the wsec command
++       * will overwrite the values set by MFP
++       */
++      if (brcmf_feat_is_enabled(ifp, BRCMF_FEAT_MFP)) {
++              err = brcmf_fil_bsscfg_int_set(ifp, "mfp", mfp);
++              if (err < 0) {
++                      brcmf_err("mfp error %d\n", err);
++                      goto exit;
++              }
++      }
+       /* set upper-layer auth */
+       err = brcmf_fil_bsscfg_int_set(ifp, "wpa_auth", wpa_auth);
+       if (err < 0) {
+@@ -6149,8 +6275,10 @@ static int brcmf_setup_wiphy(struct wiph
+       wiphy->n_addresses = i;
+       wiphy->signal_type = CFG80211_SIGNAL_TYPE_MBM;
+-      wiphy->cipher_suites = __wl_cipher_suites;
+-      wiphy->n_cipher_suites = ARRAY_SIZE(__wl_cipher_suites);
++      wiphy->cipher_suites = brcmf_cipher_suites;
++      wiphy->n_cipher_suites = ARRAY_SIZE(brcmf_cipher_suites);
++      if (!brcmf_feat_is_enabled(ifp, BRCMF_FEAT_MFP))
++              wiphy->n_cipher_suites--;
+       wiphy->flags |= WIPHY_FLAG_PS_ON_BY_DEFAULT |
+                       WIPHY_FLAG_OFFCHAN_TX |
+                       WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL;
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.h
+@@ -72,7 +72,7 @@
+ #define BRCMF_VNDR_IE_P2PAF_SHIFT     12
+-#define BRCMF_MAX_DEFAULT_KEYS                4
++#define BRCMF_MAX_DEFAULT_KEYS                6
+ /* beacon loss timeout defaults */
+ #define BRCMF_DEFAULT_BCN_TIMEOUT_ROAM_ON     2
+@@ -107,7 +107,6 @@ struct brcmf_cfg80211_security {
+       u32 auth_type;
+       u32 cipher_pairwise;
+       u32 cipher_group;
+-      u32 wpa_auth;
+ };
+ /**
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
+@@ -161,6 +161,7 @@ void brcmf_feat_attach(struct brcmf_pub
+               ifp->drvr->feat_flags &= ~BIT(BRCMF_FEAT_MBSS);
+       brcmf_feat_iovar_int_get(ifp, BRCMF_FEAT_RSDB, "rsdb_mode");
+       brcmf_feat_iovar_int_get(ifp, BRCMF_FEAT_TDLS, "tdls_enable");
++      brcmf_feat_iovar_int_get(ifp, BRCMF_FEAT_MFP, "mfp");
+       pfn_mac.version = BRCMF_PFN_MACADDR_CFG_VER;
+       err = brcmf_fil_iovar_data_get(ifp, "pfn_macaddr", &pfn_mac,
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.h
+@@ -30,6 +30,7 @@
+  * WOWL_ND: WOWL net detect (PNO)
+  * WOWL_GTK: (WOWL) GTK rekeying offload
+  * WOWL_ARP_ND: ARP and Neighbor Discovery offload support during WOWL.
++ * MFP: 802.11w Management Frame Protection.
+  */
+ #define BRCMF_FEAT_LIST \
+       BRCMF_FEAT_DEF(MBSS) \
+@@ -42,7 +43,8 @@
+       BRCMF_FEAT_DEF(SCAN_RANDOM_MAC) \
+       BRCMF_FEAT_DEF(WOWL_ND) \
+       BRCMF_FEAT_DEF(WOWL_GTK) \
+-      BRCMF_FEAT_DEF(WOWL_ARP_ND)
++      BRCMF_FEAT_DEF(WOWL_ARP_ND) \
++      BRCMF_FEAT_DEF(MFP)
+ /*
+  * Quirks:
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h
+@@ -142,6 +142,10 @@
+ #define BRCMF_RSN_KEK_LENGTH          16
+ #define BRCMF_RSN_REPLAY_LEN          8
++#define BRCMF_MFP_NONE                        0
++#define BRCMF_MFP_CAPABLE             1
++#define BRCMF_MFP_REQUIRED            2
++
+ /* join preference types for join_pref iovar */
+ enum brcmf_join_pref_types {
+       BRCMF_JOIN_PREF_RSSI = 1,
+--- a/drivers/net/wireless/broadcom/brcm80211/include/brcmu_wifi.h
++++ b/drivers/net/wireless/broadcom/brcm80211/include/brcmu_wifi.h
+@@ -236,6 +236,8 @@ static inline bool ac_bitmap_tst(u8 bitm
+ #define WPA2_AUTH_RESERVED3   0x0200
+ #define WPA2_AUTH_RESERVED4   0x0400
+ #define WPA2_AUTH_RESERVED5   0x0800
++#define WPA2_AUTH_1X_SHA256   0x1000  /* 1X with SHA256 key derivation */
++#define WPA2_AUTH_PSK_SHA256  0x8000  /* PSK with SHA256 key derivation */
+ #define DOT11_DEFAULT_RTS_LEN         2347
+ #define DOT11_DEFAULT_FRAG_LEN                2346
OpenWrt 15.05 release branch