Re: [PATCH 2/2] drivers: nl80211: indicate 802.1X 4-way handshake offload in connect

On Mon, Jan 07, 2019 at 12:14:41PM +0100, Arend van Spriel wrote:
> Upon issuing a connect request we need to indicate that we want the
> driver to offload the 802.1X 4-way handshake for us. Indicate it if
> the driver capability supports the offload.

Thanks, applied.

> Here is the patch to indicate to the driver that it should offload the 802.1X
> handshake. I am not entirely sure about all the key management suites that
> are to be considered as 802.1X offload. I reused the req_key_mgmt_offload flag
> as it sounded like a nice fit, but not sure if that could cause issues. At
> least with the brcmfmac it seems to work as intended.

req_key_mgmt_offload sounds fine for this. As far as the AKM suites are
concerned:

> diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c
> @@ -3113,6 +3113,13 @@ static void wpas_start_assoc_cb(struct wpa_radio_work *work, int deinit)
> +	if ((wpa_s->drv_flags & WPA_DRIVER_FLAGS_4WAY_HANDSHAKE_8021X) &&
> +	    (params.key_mgmt_suite == WPA_KEY_MGMT_IEEE8021X ||
> +	     params.key_mgmt_suite == WPA_KEY_MGMT_IEEE8021X_SHA256 ||
> +	     params.key_mgmt_suite == WPA_KEY_MGMT_IEEE8021X_SUITE_B ||
> +	     params.key_mgmt_suite == WPA_KEY_MGMT_IEEE8021X_SUITE_B_192 ||
> +	     params.key_mgmt_suite == WPA_KEY_MGMT_FT_IEEE8021X))
> +		params.req_key_mgmt_offload = 1;
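
Review bot: the AKM list in the condition on params.key_mgmt_suite is open-coded with no comment saying why these five suites qualify, and it includes WPA_KEY_MGMT_FT_IEEE8021X even though the submitter's note reports only that brcmfmac "seems to work as intended", without per-AKM results. A single driver flag, WPA_DRIVER_FLAGS_4WAY_HANDSHAKE_8021X, cannot express which AKMs a driver can actually offload, so setting params.req_key_mgmt_offload = 1 for an untested suite risks handing the handshake to a driver that does not handle it. Suggest limiting the list to suites verified with offload and adding a short comment above the if stating that assumption.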

I dropped WPA_KEY_MGMT_FT_IEEE8021X for now since the initial mobility
domain association in FT has different rules for 4-way handshake and key
derivation. I would not be surprised if there are drivers that don't
support offload for it even if they can handle other AKMs. At minimum,
I'd prefer to add this only once someone has actually confirmed it
working (and also allowing FT protocol to be used after the initial
mobility domain association). FILS AKMs might also be here for the
initial connection, but same comment about testing preference applies
for it as well. Other AKMs might also work (e.g., OWE, OSEN), but need
testing and potentially new driver capability indication flags/lists.

-- 
Jouni Malinen                                            PGP id EFC895FA
