> On Thu, Feb 13, 2020 at 04:32:44PM +0000, Sergey Matyukevich wrote:
> > Thanks for clarification. Let's assume that we would like to support
> > at least pure OWE or SAE configuration for the time being. Then
> > what do you think about the change along the following lines:
> >
> > diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c 
> > @@ -4202,6 +4202,12 @@ static int wpa_driver_nl80211_set_ap(void *priv, > > suites[num_suites++] = RSN_AUTH_KEY_MGMT_UNSPEC_802_1X; > > if (params->key_mgmt_suites & WPA_KEY_MGMT_PSK) > > suites[num_suites++] = RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X; > > + if (num_suites < NL80211_MAX_NR_AKM_SUITES && > > + params->key_mgmt_suites & WPA_KEY_MGMT_SAE) > > + suites[num_suites++] = RSN_AUTH_KEY_MGMT_SAE; > > + if (num_suites < NL80211_MAX_NR_AKM_SUITES && > > + params->key_mgmt_suites & WPA_KEY_MGMT_OWE) > > + suites[num_suites++] = RSN_AUTH_KEY_MGMT_OWE; > > if (num_suites && > > nla_put(msg, NL80211_ATTR_AKM_SUITES, num_suites * sizeof(u32), > > suites))
>
> This can result in conflicting configuration since anything beyond
> NL80211_MAX_NR_AKM_SUITES would be ignored from kernel side
> configuration while hostapd internally would have additional AKMs
> enabled. I don't think this would be a good thing to do.
>
> Really, this needs cfg80211 to be extended to allow more AKM suites to
> be configured. If any workaround is needed before that happens, I think
> the only acceptable approach would be to allow cases where only one or
> two AKMs are enabled in the configuration. In other words,
> wpa_driver_nl80211_set_ap() could be extended with SAE and OWE (and
> other AKM suites for that matter) as long as it does not pass
> NL80211_ATTR_AKM_SUITES to the kernel if more than
> NL80211_MAX_NR_AKM_SUITES suites are enabled.

Ok. That makes total sense. I will take a look at the required cfg80211 changes.

Meanwhile, following your logic, existing hostapd code has the same issue with possible conflict between kernel and hostapd configuration. Hostapd may have SAE/OWE bit, but now it does not inform kernel about it. So, unless I am missing something, it looks like checking the total amount of suites and appropriate error is needed anyway:

diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c index f1c98b90b..f2c43e80a 100644 --- a/src/drivers/driver_nl80211.c 
+++ b/src/drivers/driver_nl80211.c @@ -4202,9 +4202,15 @@ static int wpa_driver_nl80211_set_ap(void *priv, suites[num_suites++] = RSN_AUTH_KEY_MGMT_UNSPEC_802_1X; if (params->key_mgmt_suites & WPA_KEY_MGMT_PSK) suites[num_suites++] = RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X; - if (num_suites && + if (params->key_mgmt_suites & WPA_KEY_MGMT_SAE) + suites[num_suites++] = RSN_AUTH_KEY_MGMT_SAE; + if (params->key_mgmt_suites & WPA_KEY_MGMT_OWE) + suites[num_suites++] = RSN_AUTH_KEY_MGMT_OWE; + + /* any other suites here ? */ + + if (num_suites && (num_suites > NL80211_MAX_NR_AKM_SUITES || nla_put(msg, NL80211_ATTR_AKM_SUITES, num_suites * sizeof(u32), - suites)) + suites))) goto fail;

Later on, fixed NL80211_MAX_NR_AKM_SUITES can be replaced by the wiphy specific value configured by a driver and passed by cfg80211 to hostapd.

Thoughts? Comments?

Regards,
Sergey
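
Review bot: The four suites[num_suites++] stores (802.1X, PSK, SAE, OWE) all run before the new num_suites > NL80211_MAX_NR_AKM_SUITES test in the final if, so that test only decides whether to goto fail; it does not bound the writes. The declaration of suites is outside this hunk, so confirm it has room for every AKM that can be appended here, including whatever the "/* any other suites here ? */" placeholder ends up covering, or count the enabled bits first and reject before writing anything. The over-limit case also reaches goto fail with no message, while the mail asks for an appropriate error; a wpa_printf naming the enabled count and the limit would let an operator tell this apart from an nla_put failure. This version rejects the configuration outright, whereas the quoted review proposed not passing NL80211_ATTR_AKM_SUITES when more than NL80211_MAX_NR_AKM_SUITES suites are enabled; the patch description should say which behaviour is intended.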