Re: [PATCH 1/3] nl80211: Migrate from set_tx to key_flag API

On Sun, Mar 01, 2020 at 09:10:14PM +0100, Alexander Wetzel wrote:
> Probably not relevant but since I mostly learned what WEP can and can't do
> by reading the code:
> WEP only can use max four keys (KeyID 0..3) regardless how many of them are
> unicast and broadcast, correct? We can't e.g. install four broadcast and
> four unicast keys and thus have eight keys active? (I think that would
> actually work at the moment with at least mac80211.)

As far as the IEEE 802.11 standard is concerned, there can be four
default keys (KeyID 0..3) and one mapping (pairwise) key per peer-STA
(KeyID 0). There is no constraint on using KeyID for both a mapping key
(of which there can be multiple on the AP side and one on the STA side)
and a default key. So yes, there could be a default key with KeyID 0 and
a key mapping key with the same KeyID 0 and the receiver would need to
be able to determine which key to use based on whether the Address 1
value in the frame header is a broadcast/multicast address. I do not
know whether anyone has actually ever deployed a device that uses this
combination, though.

> I never thought I would have to learn the ins and outs of WEP to get Extended
> Key ID implemented:-) But then we nearly have figured it out the main
> problem seems to be semantic now. Let's see what you think of the next patch
> and have a special eye on WEP handling there...

I don't think it is completely accurate since use of KEY_FLAG_GROUP*
with a WEP default key looks confusing to me. Those default keys can be
used for both unicast and multicast/broadcast frames. That said, I don't
think I want to spend any more effort with WEP, so I think I can live
with this until such time that I get to remove all WEP related code from
hostap.git.. ;-)


PS.

The IEEE 802.11 standard defines a cipher suite selector 00-0F-AC:0 "Use
group cipher suite". When this cipher suite is used as the pairwise
cipher suite, no pairwise cipher is configured. Instead, the group
cipher is used for both multicast/broadcast and unicast frames. So there
is actually a defined corner case where that comment regarding WEP
default keys does actually apply to RSN as well. I'm only mentioning
this here for completeness' sake for anyone who really wants to
understand all the possible combinations that have been defined. Use of
that 00-0F-AC:0 cipher suite selector is strongly discouraged nowadays.
It was defined only as a temporary solution to allow software-only
update on some devices from WEP to TKIP. In practice, I don't think this
ever got deployed, so it is fine to ignore this.

-- 
Jouni Malinen                                            PGP id EFC895FA
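
The receive-side key selection described in the message above, as an added example that is not part of the original message and is not hostap or mac80211 code. All struct and function names are hypothetical, the addresses and key table are constructed, and falling back to the default key when no mapping key exists for the transmitter is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define NUM_DEFAULT_KEYS 4            /* default keys: KeyID 0..3 */
struct wep_key { int set; const char *label; };   /* key material omitted */
struct peer {                         /* hypothetical per-peer-STA entry */
    uint8_t addr[6];
    struct wep_key mapping_key;       /* key mapping (pairwise) key, KeyID 0 */
};
struct key_table {
    struct wep_key default_keys[NUM_DEFAULT_KEYS];
    const struct peer *peers;
    size_t num_peers;
};

/* Group-addressed (broadcast/multicast) if the I/G bit of octet 0 is set. */
static int is_group_addr(const uint8_t *a) { return a[0] & 0x01; }

/* Pick the RX key from Address 1, the transmitter address and the KeyID. */
const struct wep_key *select_rx_key(const struct key_table *t, const uint8_t *addr1,
                                    const uint8_t *ta, unsigned int keyid)
{
    if (keyid >= NUM_DEFAULT_KEYS)
        return NULL;
    if (!is_group_addr(addr1) && keyid == 0)
        for (size_t i = 0; i < t->num_peers; i++)
            if (memcmp(t->peers[i].addr, ta, 6) == 0 && t->peers[i].mapping_key.set)
                return &t->peers[i].mapping_key;
    /* Assumption: without a mapping key for this peer, use the default key. */
    return t->default_keys[keyid].set ? &t->default_keys[keyid] : NULL;
}

/* Constructed sample: a default key and a mapping key that both use KeyID 0. */
static const uint8_t STA[6] = { 0x02, 0, 0, 0, 0, 0x01 }, AP[6] = { 0x02, 0, 0, 0, 0, 0x02 };
static const uint8_t BCAST[6] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
static const struct peer PEERS[] = { { { 0x02, 0, 0, 0, 0, 0x02 }, { 1, "mapping" } } };
static const struct key_table TABLE = { { { 1, "default0" }, { 0, NULL }, { 0, NULL }, { 0, NULL } }, PEERS, 1 };

const char *demo(const uint8_t *addr1, unsigned int keyid)
{
    const struct wep_key *k = select_rx_key(&TABLE, addr1, AP, keyid);
    return k ? k->label : "none";
}

int main(void)
{
    printf("unicast -> %s, broadcast -> %s\n", demo(STA, 0), demo(BCAST, 0));
    return 0;
}
```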
