On Sun, Feb 16, 2020 at 06:02:06PM +0300, Sergey Matyukevich wrote:
> Meanwhile, following your logic, existing hostapd code has the same issue
> with possible conflict between kernel and hostapd configuration. Hostapd
> may have SAE/OWE bit, but now it does not inform kernel about it.

Yes, that's a known issue that was waiting for someone to get motivated
enough to address the cfg80211/nl80211 side of this.. The main difference
with the previous state was, though, in not being able to hit the limit
that would make the full command itself fail, i.e., not breaking this for
any driver that does not use information from NL80211_MAX_NR_AKM_SUITES.

> So, unless I am missing something, it looks like checking the total amount
> of suites and appropriate error is needed anyway:
>
> diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c
> @@ -4202,9 +4202,15 @@ static int wpa_driver_nl80211_set_ap(void *priv,
> + if (params->key_mgmt_suites & WPA_KEY_MGMT_SAE)
> + suites[num_suites++] = RSN_AUTH_KEY_MGMT_SAE;
> + if (params->key_mgmt_suites & WPA_KEY_MGMT_OWE)
> + suites[num_suites++] = RSN_AUTH_KEY_MGMT_OWE;
> +
> + /* any other suites here ? */

Yes, lots of them..

> + if (num_suites && (num_suites > NL80211_MAX_NR_AKM_SUITES ||
> nla_put(msg, NL80211_ATTR_AKM_SUITES, num_suites * sizeof(u32),
> - suites))
> + suites)))
> goto fail;

This is not acceptable. This would break all cases where more than two
AKMs are used. That must not happen for drivers that do not use
NL80211_ATTR_AKM_SUITES.

> Later on, fixed NL80211_MAX_NR_AKM_SUITES can be replaced by the wiphy
> specific value configured by a driver and passed by cfg80211 to hostapd.

Yes, this part can be done separately and should indeed be done.

As far as the temporary workaround is concerned, I applied this change to
handle all cases where at most two AKM suites are configured:
https://w1.fi/cgit/hostap/commit/?id=dd74ddd0dff67c59e416bee9f764b27044a2ade5

This does not work with more than two AKM suites if the driver needs
NL80211_ATTR_AKM_SUITES, but continues to work fine if the driver does not
need that. It would be nicer to be able to reject the cases where this
attribute is known to be needed, but cannot be added, but that does not
seem to be something that could be easily determined with the current
cfg80211 design, so this may be the best that can be done for now. Once
the kernel extension becomes available, this can be addressed by working
fine with new kernel versions but falling back to this removal of
attribute for cases where things may or may not work based on the driver
needs.

-- 
Jouni Malinen                                            PGP id EFC895FA

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
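Review bot: the combined condition `if (num_suites && (num_suites > NL80211_MAX_NR_AKM_SUITES || nla_put(...)))` in the second part of the hunk turns an over-limit AKM list into a hard failure of the whole set_ap command via `goto fail`, which also breaks drivers that never read NL80211_ATTR_AKM_SUITES; skipping the nla_put() for the over-limit case and still sending the command without the attribute keeps those drivers working, which is what the maintainer's applied workaround does. The `/* any other suites here ? */` placeholder in the first part of the hunk also leaves the WPA_KEY_MGMT_* to RSN_AUTH_KEY_MGMT_* mapping incomplete, so the remaining suites should be filled in rather than left as a comment.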
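Added example, not hostapd code and not code from this thread: a small C simulation of the two behaviours compared above when the configured AKMs exceed the fixed kernel limit, failing the whole command (the quoted patch) versus sending it without NL80211_ATTR_AKM_SUITES (the applied workaround). The key_mgmt bit values, the selector constants, the limit value 2, the policy names and the function name are assumptions made for the example.

```c
/* Added example (not hostapd code): simulates how the AKM suite list for
 * NL80211_ATTR_AKM_SUITES is built from the configured key_mgmt bitmask and
 * what happens when the list is longer than the kernel's fixed limit.
 * REJECT fails the whole command (the patch quoted in the thread);
 * OMIT leaves the attribute out and still sends the command (the workaround). */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Fixed kernel-side limit discussed in the thread; 2 is an assumed value. */
#define NL80211_MAX_NR_AKM_SUITES 2

/* Bits of the configured key_mgmt bitmask. Hypothetical values standing in
 * for hostapd's WPA_KEY_MGMT_* macros. */
#define KEY_MGMT_IEEE8021X (1u << 0)
#define KEY_MGMT_PSK       (1u << 1)
#define KEY_MGMT_SAE       (1u << 2)
#define KEY_MGMT_OWE       (1u << 3)

/* RSN AKM selectors (OUI 00-0F-AC plus suite type) written in host order;
 * they stand in for hostapd's RSN_AUTH_KEY_MGMT_* values. */
#define AKM_SUITE_8021X 0x000FAC01u
#define AKM_SUITE_PSK   0x000FAC02u
#define AKM_SUITE_SAE   0x000FAC08u
#define AKM_SUITE_OWE   0x000FAC12u

#define MAX_SUITES 8

enum akm_policy {
    AKM_REJECT_OVERFLOW, /* fail the command if the list is too long */
    AKM_OMIT_ATTRIBUTE   /* send the command without the attribute */
};

struct akm_result {
    int cmd_sent;        /* 1 if the (simulated) start-AP command goes out */
    int attr_included;   /* 1 if NL80211_ATTR_AKM_SUITES was added to it */
    size_t num_suites;   /* number of selectors collected from the bitmask */
    uint32_t suites[MAX_SUITES];
};

/* Translate the key_mgmt bitmask into a selector list, then apply the policy
 * for the over-limit case. The bit-to-selector part mirrors the shape of the
 * quoted hunk (one "if bit set, append selector" per AKM). */
struct akm_result build_akm_attr(unsigned int key_mgmt, enum akm_policy policy)
{
    struct akm_result r = { 0 };

    if (key_mgmt & KEY_MGMT_IEEE8021X)
        r.suites[r.num_suites++] = AKM_SUITE_8021X;
    if (key_mgmt & KEY_MGMT_PSK)
        r.suites[r.num_suites++] = AKM_SUITE_PSK;
    if (key_mgmt & KEY_MGMT_SAE)
        r.suites[r.num_suites++] = AKM_SUITE_SAE;
    if (key_mgmt & KEY_MGMT_OWE)
        r.suites[r.num_suites++] = AKM_SUITE_OWE;

    if (r.num_suites == 0) {
        /* Nothing to advertise: the command goes out without the attribute. */
        r.cmd_sent = 1;
        return r;
    }

    if (r.num_suites > NL80211_MAX_NR_AKM_SUITES) {
        /* Over the kernel limit: an attribute this long would be rejected,
         * so it is not added under either policy. The policies differ only
         * in whether the command is still sent (drivers that ignore the
         * attribute keep working under OMIT, and fail under REJECT). */
        r.attr_included = 0;
        r.cmd_sent = (policy == AKM_OMIT_ATTRIBUTE);
        return r;
    }

    r.attr_included = 1;
    r.cmd_sent = 1;
    return r;
}

int main(void)
{
    /* Constructed configurations: one within the limit, one beyond it. */
    static const struct { const char *name; unsigned int bits; } cfgs[] = {
        { "PSK+SAE",     KEY_MGMT_PSK | KEY_MGMT_SAE },
        { "PSK+SAE+OWE", KEY_MGMT_PSK | KEY_MGMT_SAE | KEY_MGMT_OWE },
    };
    for (size_t i = 0; i < sizeof(cfgs) / sizeof(cfgs[0]); i++) {
        struct akm_result rej = build_akm_attr(cfgs[i].bits, AKM_REJECT_OVERFLOW);
        struct akm_result omit = build_akm_attr(cfgs[i].bits, AKM_OMIT_ATTRIBUTE);
        printf("%-12s suites=%zu reject:{sent=%d attr=%d} omit:{sent=%d attr=%d}\n",
               cfgs[i].name, rej.num_suites, rej.cmd_sent, rej.attr_included,
               omit.cmd_sent, omit.attr_included);
    }
    return 0;
}
```

The three-AKM case shows the trade-off the thread settles on: neither policy can deliver the attribute, but only the omit policy keeps the command usable for drivers that do not consume it, which is why the workaround drops the attribute instead of failing.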