[v8,10/15] wpa_supplicant: Extended Key ID support

Message ID	20191031091901.2889-11-alexander@wetzel-home.de
State	Changes Requested
Headers	show Return-Path: <hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org> sender: postmaster@awhome.eu) by player779.ha.ovh.net (Postfix) with ESMTPSA id 6B4B5B7F3C7D; Thu, 31 Oct 2019 09:19:44 +0000 (UTC) From: Alexander Wetzel <alexander@wetzel-home.de> To: j@w1.fi Subject: [Patch v8 10/15] wpa_supplicant: Extended Key ID support Date: Thu, 31 Oct 2019 10:18:56 +0100 Message-Id: <20191031091901.2889-11-alexander@wetzel-home.de> In-Reply-To: <20191031091901.2889-1-alexander@wetzel-home.de> References: <20191031091901.2889-1-alexander@wetzel-home.de> MIME-Version: 1.0 summary: Content analysis details: (-0.2 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [87.98.165.38 listed in list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature Precedence: list Cc: Alexander Wetzel <alexander@wetzel-home.de>, hostap@lists.infradead.org, luca@coelho.fi, johannes@sipsolutions.net Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "Hostap" <hostap-bounces@lists.infradead.org> Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org
Series	Support seamless PTK rekeys with Extended Key ID \| expand [v8,00/15] Support seamless PTK rekeys with Extended Key ID [v8,01/15] Introduce and add key_type [v8,02/15] AP: Set the correct key_type for key installs [v8,03/15] wpa_supplicant: Set the correct key_type for key installs [v8,04/15] drivers: Migrate drivers from set_tx to key_type API [v8,05/15] nl80211: Migrate from set_tx to key_type API [v8,06/15] nl80211,wpa_supplicant: Drop outdated tdls hack [v8,07/15] Drop set_tx from all set_key() functions [v8,08/15] common: Extended Key ID support [v8,09/15] AP: Add support for Extended Key ID [v8,10/15] wpa_supplicant: Extended Key ID support [v8,11/15] tests: Extended Key ID tests [v8,12/15] AP: FILS Extended Key ID support [v8,13/15] wpa_supplicant: FILS Extended Key ID support [v8,14/15] nl80211: Extended Key ID support [v8,15/15] AP: Extended Key ID stress test

diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c index 7039556d9..73c547f01 100644 --- a/src/rsn_supp/wpa.c +++ b/src/rsn_supp/wpa.c @@ -581,6 +581,53 @@ static int wpa_derive_ptk(struct wpa_sm *sm, const unsigned char *src_addr, sm->pairwise_cipher, z, z_len); } +static int handle_extended_key_id(struct wpa_sm *sm, + struct wpa_eapol_ie_parse *kde, + const u8 *rsn_ie, size_t rsn_ie_len) +{ + struct wpa_ie_data rsn; + + /* IEEE 802.11 - 2016 requires the Extended Key ID + * bit to be set in the RSN capabilities for both STAs + * to use it with CCMP/GCMP + */ + if (sm->wpa_extended_key_id && rsn_ie && + sm->pairwise_cipher != WPA_CIPHER_TKIP && + wpa_parse_wpa_ie_rsn(rsn_ie, rsn_ie_len, &rsn) >= 0 && + rsn.capabilities & WPA_CAPABILITY_EXT_KEY_ID_FOR_UNICAST) { + if (!kde->key_id) { + wpa_msg(sm->ctx->msg_ctx, MSG_ERROR, + "WPA: No KeyID in Extended Key ID handshake"); + return -1; + } else if (kde->key_id[0] & 0xfe) { + wpa_msg(sm->ctx->msg_ctx, MSG_ERROR, + "WPA: Invalid KeyID: %d", kde->key_id[0]); + return -1; + } + wpa_msg(sm->ctx->msg_ctx, MSG_INFO, + "WPA: Using Extended Key ID"); + sm->keyidx_active = kde->key_id[0]; + sm->use_extended_key_id = 1; + } else { + if (kde->key_id && kde->key_id[0]) { + wpa_msg(sm->ctx->msg_ctx, MSG_ERROR, + "WPA: Non-zero KeyID in legacy handshake"); + return -1; + } else if (kde->key_id) { + wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, + "WPA: KeyID in legacy handshake"); + } else if (!rsn_ie || sm->pairwise_cipher == WPA_CIPHER_TKIP) { + wpa_msg(sm->ctx->msg_ctx, MSG_INFO, + "WPA: Extended Key ID requires wpa2 and CCMP/GCMP"); + } + if (sm->wpa_extended_key_id) + wpa_msg(sm->ctx->msg_ctx, MSG_INFO, + "WPA: Not using Extended Key ID"); + sm->keyidx_active = 0; + sm->use_extended_key_id = 0; + } + return 0; +} static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm, const unsigned char *src_addr, @@ -779,6 +826,14 @@ static void wpa_sm_rekey_ptk(void *eloop_ctx, void *timeout_ctx) wpa_sm_key_request(sm, 0, 1); } +static void wpa_supplicant_ptk_installed(struct wpa_sm *sm) +{ + if (sm->wpa_ptk_rekey) { + eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL); + eloop_register_timeout(sm->wpa_ptk_rekey, 0, wpa_sm_rekey_ptk, + sm, NULL); + } +} static int wpa_supplicant_install_ptk(struct wpa_sm *sm, const struct wpa_eapol_key *key, @@ -826,12 +881,14 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm, wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, rsclen); } - if (wpa_sm_set_key(sm, alg, sm->bssid, 0, key_rsc, rsclen, - sm->ptk.tk, keylen, key_type) < 0) { + if (wpa_sm_set_key(sm, alg, sm->bssid, sm->keyidx_active, key_rsc, + rsclen, sm->ptk.tk, keylen, key_type) < 0) { wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, - "WPA: Failed to set PTK to the " - "driver (alg=%d keylen=%d bssid=" MACSTR ")", - alg, keylen, MAC2STR(sm->bssid)); + "WPA: Failed to set PTK to the driver" + "(alg=%d keylen=%d bssid=" MACSTR + " idx=%d use_extended_key_id=%d key_type=%d)", + alg, keylen, MAC2STR(sm->bssid), + sm->keyidx_active, sm->use_extended_key_id, key_type); return -1; } @@ -840,12 +897,27 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm, sm->ptk.tk_len = 0; sm->ptk.installed = 1; - if (sm->wpa_ptk_rekey) { - eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL); - eloop_register_timeout(sm->wpa_ptk_rekey, 0, wpa_sm_rekey_ptk, - sm, NULL); + if (key_type != KEY_TYPE_NO_AUTO_TX) + wpa_supplicant_ptk_installed(sm); + + return 0; +} + +static int wpa_supplicant_activate_ptk(struct wpa_sm *sm) +{ + wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, + "WPA: Activate PTK (idx=%d bssid=" MACSTR ")", + sm->keyidx_active, MAC2STR(sm->bssid)); + + if (wpa_sm_set_key(sm, 0, sm->bssid, sm->keyidx_active, + 0, 0, NULL, 0, KEY_TYPE_SET_TX) < 0) { + wpa_msg(sm->ctx->msg_ctx, MSG_ERROR, + "WPA: Failed to activate PTK for Tx (idx=%d bssid=" + MACSTR ")", sm->keyidx_active, MAC2STR(sm->bssid)); + return -1; } + wpa_supplicant_ptk_installed(sm); return 0; } @@ -1481,6 +1553,9 @@ static void wpa_supplicant_process_3_of_4(struct wpa_sm *sm, if (wpa_supplicant_validate_ie(sm, sm->bssid, &ie) < 0) goto failed; + if (handle_extended_key_id(sm, &ie, ie.rsn_ie, ie.rsn_ie_len)) + goto failed; + if (os_memcmp(sm->anonce, key->key_nonce, WPA_NONCE_LEN) != 0) { wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: ANonce from message 1 of 4-Way Handshake " @@ -1525,6 +1600,10 @@ static void wpa_supplicant_process_3_of_4(struct wpa_sm *sm, } } #endif /* CONFIG_OCV */ + if (sm->use_extended_key_id) { + if (wpa_supplicant_install_ptk(sm, key, KEY_TYPE_NO_AUTO_TX)) + goto failed; + } if (wpa_supplicant_send_4_of_4(sm, sm->bssid, key, ver, key_info, &sm->ptk) < 0) { @@ -1537,8 +1616,13 @@ static void wpa_supplicant_process_3_of_4(struct wpa_sm *sm, sm->renew_snonce = 1; if (key_info & WPA_KEY_INFO_INSTALL) { - if (wpa_supplicant_install_ptk(sm, key, KEY_TYPE_PAIRWISE)) + if (sm->use_extended_key_id) { + if (wpa_supplicant_activate_ptk(sm)) + goto failed; + } else if (wpa_supplicant_install_ptk(sm, key, + KEY_TYPE_PAIRWISE)) { goto failed; + } } if (key_info & WPA_KEY_INFO_SECURE) { @@ -2645,6 +2729,7 @@ struct wpa_sm * wpa_sm_init(struct wpa_sm_ctx *ctx) return NULL; dl_list_init(&sm->pmksa_candidates); sm->renew_snonce = 1; + sm->keyidx_active = 0; sm->ctx = ctx; sm->dot11RSNAConfigPMKLifetime = 43200; @@ -3035,6 +3120,9 @@ int wpa_sm_set_param(struct wpa_sm *sm, enum wpa_sm_conf_params param, case WPA_PARAM_PAIRWISE: sm->pairwise_cipher = value; break; + case WPA_PARAM_EXTENDED_KEY_ID: + sm->wpa_extended_key_id = value; + break; case WPA_PARAM_GROUP: sm->group_cipher = value; break; @@ -3160,6 +3248,9 @@ int wpa_sm_set_assoc_wpa_ie_default(struct wpa_sm *sm, u8 *wpa_ie, #ifdef CONFIG_TESTING_OPTIONS if (sm->test_assoc_ie) { + struct wpa_eapol_ie_parse ie; + struct wpa_ie_data rsn; + wpa_printf(MSG_DEBUG, "TESTING: Replace association WPA/RSN IE"); if (*wpa_ie_len < wpabuf_len(sm->test_assoc_ie)) @@ -3167,6 +3258,15 @@ int wpa_sm_set_assoc_wpa_ie_default(struct wpa_sm *sm, u8 *wpa_ie, os_memcpy(wpa_ie, wpabuf_head(sm->test_assoc_ie), wpabuf_len(sm->test_assoc_ie)); res = wpabuf_len(sm->test_assoc_ie); + + if (wpa_supplicant_parse_ies(wpa_ie, res, &ie) || + wpa_parse_wpa_ie_rsn(ie.rsn_ie, ie.rsn_ie_len, &rsn) || + !(rsn.capabilities & + WPA_CAPABILITY_EXT_KEY_ID_FOR_UNICAST)) { + wpa_printf(MSG_DEBUG, + "TESTING: Force disable Extended Key ID"); + sm->wpa_extended_key_id = 0; + } } else #endif /* CONFIG_TESTING_OPTIONS */ res = wpa_gen_wpa_ie(sm, wpa_ie, *wpa_ie_len); @@ -3504,6 +3604,10 @@ int wpa_sm_has_ptk(struct wpa_sm *sm) return sm->ptk_set; } +int wpa_sm_extended_key_id(struct wpa_sm *sm) +{ + return sm->wpa_extended_key_id; +} void wpa_sm_update_replay_ctr(struct wpa_sm *sm, const u8 *replay_ctr) { @@ -4130,6 +4234,8 @@ static int fils_ft_build_assoc_req_rsne(struct wpa_sm *sm, struct wpabuf *buf) capab |= WPA_CAPABILITY_MFPR; if (sm->ocv) capab |= WPA_CAPABILITY_OCVC; + if (sm->wpa_extended_key_id) + capab |= WPA_CAPABILITY_EXT_KEY_ID_FOR_UNICAST; wpabuf_put_le16(buf, capab); /* PMKID Count */ diff --git a/src/rsn_supp/wpa.h b/src/rsn_supp/wpa.h index 6913dd39d..5788c2ce6 100644 --- a/src/rsn_supp/wpa.h +++ b/src/rsn_supp/wpa.h @@ -100,6 +100,7 @@ enum wpa_sm_conf_params { WPA_PARAM_MFP, WPA_PARAM_OCV, WPA_PARAM_SAE_PWE, + WPA_PARAM_EXTENDED_KEY_ID }; struct rsn_supp_config { @@ -110,6 +111,7 @@ struct rsn_supp_config { void *eap_conf_ctx; const u8 *ssid; size_t ssid_len; + int wpa_extended_key_id; int wpa_ptk_rekey; int p2p; int wpa_rsc_relaxation; @@ -172,6 +174,7 @@ int wpa_sm_pmksa_exists(struct wpa_sm *sm, const u8 *bssid, const void *network_ctx); void wpa_sm_drop_sa(struct wpa_sm *sm); int wpa_sm_has_ptk(struct wpa_sm *sm); +int wpa_sm_extended_key_id(struct wpa_sm *sm); void wpa_sm_update_replay_ctr(struct wpa_sm *sm, const u8 *replay_ctr); diff --git a/src/rsn_supp/wpa_ft.c b/src/rsn_supp/wpa_ft.c index 179a60563..525368e53 100644 --- a/src/rsn_supp/wpa_ft.c +++ b/src/rsn_supp/wpa_ft.c @@ -256,6 +256,8 @@ static u8 * wpa_ft_gen_req_ies(struct wpa_sm *sm, size_t *len, capab |= WPA_CAPABILITY_MFPR; if (sm->ocv) capab |= WPA_CAPABILITY_OCVC; + if (sm->wpa_extended_key_id) + capab |= WPA_CAPABILITY_EXT_KEY_ID_FOR_UNICAST; WPA_PUT_LE16(pos, capab); pos += 2; @@ -422,8 +424,9 @@ static int wpa_ft_install_ptk(struct wpa_sm *sm, const u8 *bssid) alg = wpa_cipher_to_alg(sm->pairwise_cipher); keylen = wpa_cipher_key_len(sm->pairwise_cipher); - if (wpa_sm_set_key(sm, alg, bssid, 0, null_rsc, sizeof(null_rsc), - (u8 *) sm->ptk.tk, keylen, KEY_TYPE_PAIRWISE) < 0) { + if (wpa_sm_set_key(sm, alg, bssid, sm->keyidx_active, null_rsc, + sizeof(null_rsc), (u8 *) sm->ptk.tk, keylen, + KEY_TYPE_PAIRWISE) < 0) { wpa_printf(MSG_WARNING, "FT: Failed to set PTK to the driver"); return -1; } diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h index c1d2ea5e4..2ecb60a5e 100644 --- a/src/rsn_supp/wpa_i.h +++ b/src/rsn_supp/wpa_i.h @@ -26,6 +26,7 @@ struct wpa_sm { u8 snonce[WPA_NONCE_LEN]; u8 anonce[WPA_NONCE_LEN]; /* ANonce from the last 1/4 msg */ int renew_snonce; + int keyidx_active; u8 rx_replay_counter[WPA_REPLAY_COUNTER_LEN]; int rx_replay_counter_set; u8 request_counter[WPA_REPLAY_COUNTER_LEN]; @@ -63,6 +64,8 @@ struct wpa_sm { int wpa_ptk_rekey; int p2p; int wpa_rsc_relaxation; + int wpa_extended_key_id; + int use_extended_key_id; u8 own_addr[ETH_ALEN]; const char *ifname; diff --git a/src/rsn_supp/wpa_ie.c b/src/rsn_supp/wpa_ie.c index 03c0d7e85..c93b76bdc 100644 --- a/src/rsn_supp/wpa_ie.c +++ b/src/rsn_supp/wpa_ie.c @@ -221,6 +221,9 @@ static int wpa_gen_wpa_ie_rsn(u8 *rsn_ie, size_t rsn_ie_len, capab |= WPA_CAPABILITY_MFPR; if (sm->ocv) capab |= WPA_CAPABILITY_OCVC; + if (sm->wpa_extended_key_id) + capab |= WPA_CAPABILITY_EXT_KEY_ID_FOR_UNICAST; + WPA_PUT_LE16(pos, capab); pos += 2; diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c index 33b35056b..2bd7e0653 100644 --- a/wpa_supplicant/config.c +++ b/wpa_supplicant/config.c @@ -2494,6 +2494,7 @@ static const struct parse_data ssid_fields[] = { { INT(dot11MeshConfirmTimeout) }, { INT(dot11MeshHoldingTimeout) }, #endif /* CONFIG_MESH */ + { INT(wpa_extended_key_id) }, { INT(wpa_ptk_rekey) }, { INT(group_rekey) }, { STR(bgscan) }, @@ -3016,6 +3017,7 @@ void wpa_config_set_network_defaults(struct wpa_ssid *ssid) { ssid->proto = DEFAULT_PROTO; ssid->pairwise_cipher = DEFAULT_PAIRWISE; + ssid->wpa_extended_key_id = DEFAULT_EXTENDED_KEY_ID; ssid->group_cipher = DEFAULT_GROUP; ssid->key_mgmt = DEFAULT_KEY_MGMT; ssid->bg_scan_period = DEFAULT_BG_SCAN_PERIOD; diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c index cf4b7bc6e..c2a3423f4 100644 --- a/wpa_supplicant/config_file.c +++ b/wpa_supplicant/config_file.c @@ -899,6 +899,7 @@ static void wpa_config_write_network(FILE *f, struct wpa_ssid *ssid) INT_DEF(dot11MeshHoldingTimeout, DEFAULT_MESH_HOLDING_TIMEOUT); INT_DEF(mesh_rssi_threshold, DEFAULT_MESH_RSSI_THRESHOLD); #endif /* CONFIG_MESH */ + INT(wpa_extended_key_id); INT(wpa_ptk_rekey); INT(group_rekey); INT(ignore_broadcast_ssid); diff --git a/wpa_supplicant/config_ssid.h b/wpa_supplicant/config_ssid.h index 98db1fe1a..62f1df463 100644 --- a/wpa_supplicant/config_ssid.h +++ b/wpa_supplicant/config_ssid.h @@ -22,6 +22,7 @@ #define DEFAULT_PAIRWISE (WPA_CIPHER_CCMP | WPA_CIPHER_TKIP) #define DEFAULT_GROUP (WPA_CIPHER_CCMP | WPA_CIPHER_TKIP) #define DEFAULT_FRAGMENT_SIZE 1398 +#define DEFAULT_EXTENDED_KEY_ID 1 #define DEFAULT_BG_SCAN_PERIOD -1 #define DEFAULT_MESH_MAX_RETRIES 2 @@ -545,6 +546,15 @@ struct wpa_ssid { unsigned int vht_center_freq1; unsigned int vht_center_freq2; + /** wpa_extended_key_id - Extended Key ID support + * + * IEEE 802.11-2016 optionally allows to use key id 0 and 1 for PTK keys + * default: auto (1) + * 0 = force off. Do not announce or use Extended Key ID. + * 1 = auto. Use Extended Key ID when possible. + */ + int wpa_extended_key_id; + /** * wpa_ptk_rekey - Maximum lifetime for PTK in seconds * diff --git a/wpa_supplicant/ctrl_iface.c b/wpa_supplicant/ctrl_iface.c index 1bcb757e2..8c13abfbb 100644 --- a/wpa_supplicant/ctrl_iface.c +++ b/wpa_supplicant/ctrl_iface.c @@ -5264,6 +5264,9 @@ static void wpa_supplicant_ctrl_iface_drop_sa(struct wpa_supplicant *wpa_s) wpa_drv_set_key(wpa_s, WPA_ALG_NONE, wpa_s->bssid, 0, NULL, 0, NULL, 0, KEY_TYPE_PAIRWISE); + if (wpa_sm_extended_key_id(wpa_s->wpa)) + wpa_drv_set_key(wpa_s, WPA_ALG_NONE, wpa_s->bssid, 1, NULL, + 0, NULL, 0, KEY_TYPE_PAIRWISE); /* MLME-SETPROTECTION.request(None) */ wpa_drv_mlme_setprotection(wpa_s, wpa_s->bssid, MLME_SETPROTECTION_PROTECT_TYPE_NONE, diff --git a/wpa_supplicant/driver_i.h b/wpa_supplicant/driver_i.h index 0ac2361b1..24f2ea3e6 100644 --- a/wpa_supplicant/driver_i.h +++ b/wpa_supplicant/driver_i.h @@ -155,10 +155,19 @@ static inline int wpa_drv_set_key(struct wpa_supplicant *wpa_s, enum key_type key_type) { if (alg != WPA_ALG_NONE) { - if (key_idx >= 0 && key_idx <= 6) + if (key_idx == 1 && + (key_type == KEY_TYPE_PAIRWISE || + key_type == KEY_TYPE_NO_AUTO_TX)) { + /* keyidx = 1 can be either a broadcast or - with + * Extended Key ID - an unicast key. Use bit 6 for + * the pairwise keyidx 1. + */ + wpa_s->keys_cleared &= ~BIT(6); + } else if (key_idx >= 0 && key_idx <= 5) { wpa_s->keys_cleared &= ~BIT(key_idx); - else + } else { wpa_s->keys_cleared = 0; + } } if (wpa_s->driver->set_key) { return wpa_s->driver->set_key(wpa_s->ifname, wpa_s->drv_priv, diff --git a/wpa_supplicant/wpa_cli.c b/wpa_supplicant/wpa_cli.c index 47cec0b10..2df73de6d 100644 --- a/wpa_supplicant/wpa_cli.c +++ b/wpa_supplicant/wpa_cli.c @@ -1437,8 +1437,8 @@ static const char *network_fields[] = { "dot11MeshRetryTimeout", "dot11MeshConfirmTimeout", "dot11MeshHoldingTimeout", #endif /* CONFIG_MESH */ - "wpa_ptk_rekey", "bgscan", "ignore_broadcast_ssid", - "enable_edmg", "edmg_channel", + "wpa_extended_key_id", "wpa_ptk_rekey", "bgscan", + "ignore_broadcast_ssid", "enable_edmg", "edmg_channel", #ifdef CONFIG_P2P "go_p2p_dev_addr", "p2p_client_list", "psk_list", #endif /* CONFIG_P2P */ diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c index 09eb27561..a64121772 100644 --- a/wpa_supplicant/wpa_supplicant.c +++ b/wpa_supplicant/wpa_supplicant.c @@ -706,10 +706,15 @@ void wpa_clear_keys(struct wpa_supplicant *wpa_s, const u8 *addr) wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, i, NULL, 0, NULL, 0, KEY_TYPE_BROADCAST); } - if (!(wpa_s->keys_cleared & BIT(0)) && addr && + /* Pairwise key idx 1 for Extended Key ID is tracked with bit 6 */ + if (~wpa_s->keys_cleared & (BIT(0) | BIT(6)) && addr && !is_zero_ether_addr(addr)) { - wpa_drv_set_key(wpa_s, WPA_ALG_NONE, addr, 0, NULL, 0, NULL, - 0, KEY_TYPE_PAIRWISE); + if (!(wpa_s->keys_cleared & (BIT(0)))) + wpa_drv_set_key(wpa_s, WPA_ALG_NONE, addr, 0, NULL, + 0, NULL, 0, KEY_TYPE_PAIRWISE); + if (!(wpa_s->keys_cleared & (BIT(6)))) + wpa_drv_set_key(wpa_s, WPA_ALG_NONE, addr, 1, NULL, + 0, NULL, 0, KEY_TYPE_PAIRWISE); /* MLME-SETPROTECTION.request(None) */ wpa_drv_mlme_setprotection( wpa_s, addr, @@ -1241,6 +1246,23 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s, int sel, proto; const u8 *bss_wpa, *bss_rsn, *bss_rsnx, *bss_osen; + if (ssid->mode == WPAS_MODE_INFRA && ssid->wpa_extended_key_id && + ssid->proto & WPA_PROTO_RSN && + ssid->pairwise_cipher & (WPA_CIPHER_CCMP | WPA_CIPHER_CCMP_256 | + WPA_CIPHER_GCMP | WPA_CIPHER_GCMP_256) && + wpa_s->drv_flags & WPA_DRIVER_FLAGS_EXTENDED_KEY_ID) { + wpa_msg(wpa_s, MSG_INFO, "Enable Extended Key ID support"); + wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_EXTENDED_KEY_ID, 1); + } else { + if (ssid->wpa_extended_key_id) + wpa_msg(wpa_s, MSG_INFO, + "Extended Key ID not supported"); + else + wpa_msg(wpa_s, MSG_DEBUG, + "Extended Key ID support disabled"); + wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_EXTENDED_KEY_ID, 0); + } + if (bss) { bss_wpa = wpa_bss_get_vendor_ie(bss, WPA_IE_VENDOR_TYPE); bss_rsn = wpa_bss_get_ie(bss, WLAN_EID_RSN); diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf index ba511b9cb..f64eca023 100644 --- a/wpa_supplicant/wpa_supplicant.conf +++ b/wpa_supplicant/wpa_supplicant.conf @@ -1098,6 +1098,11 @@ fast_reauth=1 # hex without quotation, e.g., 0102030405) # wep_tx_keyidx: Default WEP key index (TX) (0..3) # +# wpa_extended_key_id: +# Support the unicast rekey protocol "Extended Key ID" from IEEE 802.11 - 2016. +# 0 = force off: Do not announce or use Extended Key ID +# 1 = auto: Use Extended Key ID when possible (default) +# # wpa_ptk_rekey: Maximum lifetime for PTK in seconds. This can be used to # enforce rekeying of PTK to mitigate some attacks against TKIP deficiencies. # diff --git a/wpa_supplicant/wpas_glue.c b/wpa_supplicant/wpas_glue.c index 2487bb55a..0355c7588 100644 --- a/wpa_supplicant/wpas_glue.c +++ b/wpa_supplicant/wpas_glue.c @@ -510,7 +510,8 @@ static int wpa_supplicant_set_key(void *_wpa_s, enum wpa_alg alg, } #endif /* CONFIG_TESTING_GET_GTK */ #ifdef CONFIG_TESTING_OPTIONS - if (addr && !is_broadcast_ether_addr(addr)) { + if (addr && !is_broadcast_ether_addr(addr) && + key_type != KEY_TYPE_SET_TX) { wpa_s->last_tk_alg = alg; os_memcpy(wpa_s->last_tk_addr, addr, ETH_ALEN); wpa_s->last_tk_key_idx = key_idx; @@ -1277,6 +1278,7 @@ void wpa_supplicant_rsn_supp_set_config(struct wpa_supplicant *wpa_s, #endif /* IEEE8021X_EAPOL */ conf.ssid = ssid->ssid; conf.ssid_len = ssid->ssid_len; + conf.wpa_extended_key_id = ssid->wpa_extended_key_id; conf.wpa_ptk_rekey = ssid->wpa_ptk_rekey; #ifdef CONFIG_P2P if (ssid->p2p_group && wpa_s->current_bss &&

[v8,10/15] wpa_supplicant: Extended Key ID support

Commit Message

Comments

Patch