The patch series consist of basically five parts: 01-Introduce and add key_type 02-AP: Set the correct key_type for key installs 03-wpa_supplicant: Set the correct key_type for key installs 04-drivers: Migrate drivers from set_tx to key_type API 05-nl80211: Migrate from set_tx to key_type API 06-nl80211,wpa_supplicant: Drop outdated tdls hack 07-Drop set_tx from all set_key() functions 1) The first 7 patches are migrating set_tx to the new key_type API required for Extended Key ID support to install unicast keys for Rx only first. 08-common: Extended Key ID support 09-AP: Add support for Extended Key ID 10-wpa_supplicant: Extended Key ID support 11-tests: Extended Key ID tests 2) The patches 8-11 are handling the Extended Key ID support for hostapd/wpa_supplicant and modify/amend to the existing tests to be able to work correctly with and without Extended Key ID support. 12-AP: FILS Extended Key ID support 13-wpa_supplicant: FILS Extended Key ID support 3) Patches 12 and 13 are trying to close a gap not covered in the official standard. I'm far from sure that this is the correct way and hope we can have a discussion here how to best handle FILS and probably also FT. (The standard does not have any guidance for that, too.) 14-nl80211: Extended Key ID support 4) The patch 14 is adding Extended Key ID support to nl80211, basically activating all the previous Extended Key ID patches when you are using linux 5.2 or greater with a compatible card. As of now all cards using mac80211 and NOT providing the "set_key()" callback are compatible. There is also a patch allowing to use it with most iwlwifi cards: https://patchwork.kernel.org/patch/11101659/ There is an API bug in 5.2 kernels < 5.2.12, preventing unicast keys using keyid 1 to be installed for FILS and FT handshakes. This patch set therefore requires a kernel >= 5.2.12. 15-AP: Extended Key ID stress test 5) The last patch, (15) is kind of optional. So far it's just a proof that everything still works when we use keyid 1 at the initial connect instead of the more traditional keyid 0. I have some ideas to extend that, allowing hostapd to detect broken STAs claiming to be compatible with Extended Key ID - due to broken capability announcement - and still work with APs supporting it. (At least the Samsung Galaxy Tab S3 is setting the RSN capabilities wrong and chances are it's not the only one...) Besides using the hostapd tests I've also verified the functionality using patched iwlwifi drivers with HW crypto offload for both AP and STA. The integration of Extended Key ID support in hostapd/wpa_supplicant tries to maintain full backward compatibility with kernels not supporting Extended Key ID. While this is foreseen in the standard for normal operation it was more challenging for the built-in test cases. Instead of basically doubling all test cases and execute them with and without Extended Key ID support I've just modified all test cases to be able to run with and without Extended Key ID support. All tests will per default use Extended Key ID when supported or silently fall back to the "classical" way to do things. The downside here is, that the same tests executed on a system supporting Extended Key ID will test something slightly different than a system not supporting it... At the moment there are just five special Extended Key ID tests to verify it's being used and we interact correctly with STAs not supporting it. To make it a bit simpler to see what the patches are changing I've uploaded you some files containing multiple full test runs: 1) cf28cfc12-orig.tgz Tests run with a unpatched hostapd (git version cf28cfc12) 2) cf28cfc12-patched.tgz Test run with hwsim supporting Extended Key ID and all patches of this series applied. 3) cf28cfc12-patched-legacy.tgz All patches of this series applied but with Extended Key ID detection sabotaged to force classical rekeys. Each file is roughly 200MB big and can be downloaded here: https://www.awhome.eu/index.php/s/jDQfpZmDGwsLPXA (The test runs from the older patch sets are also available there) All three test runs were using a unpatched 5.3.7-gentoo kernel. Most of the failed tests are related to a wrong Python call to AES encrypt data, missing one argument. (I'm using Python 3.6.9) All failing tests seem to be unrelated to the changes here and can be reproduced without the patches. I've added two extra files in each test directory: - failed.log All tests failed in this run. With a comment when it succeeded when running the test a second time. (But without adding the output from the rerun.) - script.log The output of the actual test run. Version history: Patch version 8: - Dropped the first two (already merged) patches - Rebased to cf28cfc12 and updated commit descriptions - Incorporated changes discussed so far - Moved the "drop set_tx" patch to a more logical place - Included a minor fix for wlantest (non-zero keyID check) Patch version 7 (aka v6a): - Improved TKIP detection (nicer logs and better logic) - Also use config checks for Extended Key ID activation, not only runtime - Simplify runtime checks due to the now existing config checks - Fixes some key_type for both hostap and wpa_supplicant - nl80211 now denies to install a pairwise key with the KEY_TYPE_DEFAULT set and has other minor cleanups - Fixes the bitmask for pairwise keys for consistency (no real effect) - Rewords some log messages Patch version 6: - Added the "missing" patch number 1. Should have been part of V3 but somehow it never got exported from my local tree... - Reverted the incorrect fix for max keyid in the patch "wpa_supplicant: AP Extended Key ID support" - Moved code disabling Extended Key ID for tkip to a better location in patch "hostapd: Add support for Extended Key ID" - Tweaked Extended Key ID configuration handling in "hostapd: Add support for Extended Key ID": It's now automatically disabled - Some minor tweaks to comments and output and a bit more invasive rewording of commit messages Patch version 5: - undo incorrect conversion from "int key_type" to "enum key_type key_type" (this is also an independent variable) - fixed multiple broken "enum key_type" which must be "enum key_type key_type" - undo pointless variable move in "wpa_supplicant: FILS Extended Key ID support" which did break build tests. - again minor fixes to commit messages Patch version 4: - Fixed sequence number key queries (undo invalid switch to new API names.) - get rid of some forgotten "int key_flag" references and switched them over to the correct "enum key_flag key_flag" - Dropped the workaround patch enabling FILS and FT key installs with current released kernels (API is being updated upstream) - removed some stray newlines - reworded Extended Key ID description in wpa_supplicant.conf - minor updates to commit messages - Overhauled and updated commit remarks (nothing critical) Patch version 3: - use key_type (enum) instead of key_flag (bit array) - migrate set_tx to the new key_type API and clean up related workarounds and bugs. - also support Extended Key ID for OSEN, FT and FILS - wpa_supplicant is now checking RSN capabilities instead of the presence of the KeyID KDE to enable Extended Key ID support to follow the wording of the standard - detect and prevent dropping or adding Extended Key ID support on rekey. (Initial connection decides if we can use it.) - Don't use Extended Key ID for TKIP. (Not allowed in the standard.) - also flip KeyIDs for WPA_REAUTH and WPA_REAUTH_EAPOL - fixed many "test-only" bugs (both tests and test only code) - split fixes and extensions in different patches - dropped "GET drv_flags" and handle it differently - better description of the patches Patch version 2: - typo fix in commit message Patch version 1: Initial release Alexander Wetzel (15): Introduce and add key_type AP: Set the correct key_type for key installs wpa_supplicant: Set the correct key_type for key installs drivers: Migrate drivers from set_tx to key_type API nl80211: Migrate from set_tx to key_type API nl80211,wpa_supplicant: Drop outdated tdls hack Drop set_tx from all set_key() functions common: Extended Key ID support AP: Add support for Extended Key ID wpa_supplicant: Extended Key ID support tests: Extended Key ID tests AP: FILS Extended Key ID support wpa_supplicant: FILS Extended Key ID support nl80211: Extended Key ID support AP: Extended Key ID stress test hostapd/config_file.c | 2 + hostapd/ctrl_iface.c | 68 +++++++------ hostapd/hostapd.conf | 10 ++ src/ap/ap_config.c | 10 ++ src/ap/ap_config.h | 1 + src/ap/ap_drv_ops.c | 9 +- src/ap/ap_drv_ops.h | 5 +- src/ap/hostapd.c | 17 ++-- src/ap/hs20.c | 2 + src/ap/ieee802_11.c | 6 +- src/ap/ieee802_1x.c | 14 +-- src/ap/wpa_auth.c | 92 ++++++++++++++--- src/ap/wpa_auth.h | 4 +- src/ap/wpa_auth_ft.c | 13 +-- src/ap/wpa_auth_glue.c | 29 +++++- src/ap/wpa_auth_i.h | 3 + src/ap/wpa_auth_ie.c | 57 ++++++++++- src/common/defs.h | 8 ++ src/common/wpa_common.c | 9 ++ src/common/wpa_common.h | 2 + src/drivers/driver.h | 33 +++++-- src/drivers/driver_atheros.c | 10 +- src/drivers/driver_bsd.c | 13 +-- src/drivers/driver_hostap.c | 9 +- src/drivers/driver_ndis.c | 25 ++--- src/drivers/driver_nl80211.c | 108 ++++++++++---------- src/drivers/driver_nl80211_capa.c | 4 + src/drivers/driver_openbsd.c | 5 +- src/drivers/driver_privsep.c | 12 +-- src/drivers/driver_wext.c | 27 ++--- src/drivers/driver_wext.h | 4 +- src/rsn_supp/tdls.c | 6 +- src/rsn_supp/wpa.c | 152 +++++++++++++++++++++++++---- src/rsn_supp/wpa.h | 7 +- src/rsn_supp/wpa_ft.c | 17 ++-- src/rsn_supp/wpa_i.h | 12 ++- src/rsn_supp/wpa_ie.c | 3 + tests/hwsim/hostapd.py | 20 +++- tests/hwsim/test_ap_ciphers.py | 2 +- tests/hwsim/test_ap_eap.py | 20 +++- tests/hwsim/test_ap_psk.py | 134 +++++++++++++++++++++++-- tests/hwsim/test_ocv.py | 13 ++- tests/hwsim/test_rrm.py | 7 +- tests/hwsim/wpasupplicant.py | 7 +- wlantest/bss.c | 4 +- wlantest/rx_data.c | 6 +- wlantest/rx_eapol.c | 4 + wpa_supplicant/config.c | 2 + wpa_supplicant/config_file.c | 1 + wpa_supplicant/config_ssid.h | 10 ++ wpa_supplicant/ctrl_iface.c | 36 ++++--- wpa_supplicant/driver_i.h | 23 +++-- wpa_supplicant/ibss_rsn.c | 19 ++-- wpa_supplicant/mesh_mpm.c | 12 +-- wpa_supplicant/mesh_rsn.c | 14 +-- wpa_supplicant/preauth_test.c | 2 +- wpa_supplicant/wpa_cli.c | 4 +- wpa_supplicant/wpa_supplicant.c | 41 ++++++-- wpa_supplicant/wpa_supplicant.conf | 5 + wpa_supplicant/wpas_glue.c | 25 +++-- 60 files changed, 913 insertions(+), 306 deletions(-) -- 2.23.0 _______________________________________________ Hostap mailing list Hostap@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/hostap
