@@ -1099,7 +1099,7 @@ static int hostapd_config_check_bss(struct hostapd_bss_config *bss,
bss->rsn_pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_CCMP_256 |
WPA_CIPHER_GCMP | WPA_CIPHER_GCMP_256))) {
wpa_printf(MSG_ERROR,
- "Extended Key ID support requires wpa2 and CCMP/GCMP");
+ "Extended Key ID support requires WPA2 and CCMP/GCMP, disabling it");
bss->wpa_extended_key_id = 0;
}
@@ -5095,7 +5095,7 @@ int wpa_auth_resend_m3(struct wpa_state_machine *sm,
hdr[1] = 0;
if (sm->use_extended_key_id) {
- hdr[0] = sm->keyidx_active & 0x03;
+ hdr[0] = sm->keyidx_active & 0x01;
pos = wpa_add_kde(pos, RSN_KEY_DATA_KEYID, hdr, 2, NULL, 0);
}
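Review bot: The narrowed mask `& 0x01` on the new line silently truncates any keyidx_active outside 0–1 instead of flagging it; that is safe only because keyidx_active is assigned nothing but 0 or 1 (see the handle_extended_key_id hunk), and a comment should say so, e.g. `hdr[0] = sm->keyidx_active & 0x01; /* PTK Key ID under Extended Key ID is 0 or 1 */`. The diffstat shows this as the only change in wpa_auth.c; if the KEYID KDE is also built for the initial M3 elsewhere in that file, confirm it uses the same mask so a resent M3 carries the same Key ID as the original. wpa_auth_resend_m3's body starts and ends outside the hunk.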
@@ -1307,21 +1307,12 @@ int hostapd_setup_wpa(struct hostapd_data *hapd)
_conf.ap_mlme = 1;
if (_conf.wpa_extended_key_id) {
- if (_conf.wpa & WPA_PROTO_RSN &&
- _conf.rsn_pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP |
- WPA_CIPHER_GCMP_256 |
- WPA_CIPHER_CCMP_256) &&
- hapd->iface->drv_flags & WPA_DRIVER_FLAGS_EXTENDED_KEY_ID) {
+ if (hapd->iface->drv_flags & WPA_DRIVER_FLAGS_EXTENDED_KEY_ID) {
wpa_msg(hapd->msg_ctx, MSG_INFO,
"Enable Extended Key ID support");
} else {
- if (!(hapd->iface->drv_flags &
- WPA_DRIVER_FLAGS_EXTENDED_KEY_ID))
- wpa_msg(hapd->msg_ctx, MSG_INFO,
- "Extended Key ID not supported by driver");
- else
- wpa_msg(hapd->msg_ctx, MSG_INFO,
- "Extended Key ID requires wpa2 and CCMP/GCMP");
+ wpa_msg(hapd->msg_ctx, MSG_INFO,
+ "Extended Key ID not supported by driver");
_conf.wpa_extended_key_id = 0;
}
} else if (_conf.wpa & WPA_PROTO_RSN) {
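Review bot: The simplified check now relies on hostapd_config_check_bss() (the ap_config.c hunk) having already cleared wpa_extended_key_id when WPA2 with CCMP/GCMP is not configured, but nothing at this site records that dependency; if _conf.wpa_extended_key_id can reach hostapd_setup_wpa() without passing through that config check (for example via a runtime SET path, which I cannot see from here), the removed proto/cipher guard is no longer enforced anywhere on this path. A one-line comment above `if (_conf.wpa_extended_key_id) {` would make the assumption explicit, e.g. `/* WPA2 + CCMP/GCMP requirement already enforced in hostapd_config_check_bss() */`. hostapd_setup_wpa's body starts and ends outside the hunk.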
@@ -538,21 +538,34 @@ int handle_extended_key_id(struct wpa_state_machine *sm, int capabilities)
struct wpa_auth_config *conf = &sm->wpa_auth->conf;
if (conf->wpa_extended_key_id &&
+ sm->pairwise != WPA_CIPHER_TKIP &&
capabilities & WPA_CAPABILITY_EXT_KEY_ID_FOR_UNICAST) {
if (!sm->use_extended_key_id && sm->pairwise_set) {
- wpa_printf(MSG_DEBUG,
- "Can only enable Extended Key ID on initial connect");
+ wpa_printf(MSG_ERROR, "STA " MACSTR
+ " tries to start using Extended Key ID on rekey",
+ MAC2STR(sm->addr));
return -1;
} else if (!sm->use_extended_key_id) {
+ wpa_printf(MSG_DEBUG, "STA " MACSTR
+ " supports Extended Key ID",
+ MAC2STR(sm->addr));
sm->use_extended_key_id = TRUE;
sm->keyidx_active = 1;
+ } else if (!sm->pairwise_set) {
+ wpa_printf(MSG_DEBUG, "STA " MACSTR
+ " is not supporting Extended Key ID",
+ MAC2STR(sm->addr));
}
} else {
if (sm->use_extended_key_id && sm->pairwise_set) {
- wpa_printf(MSG_DEBUG,
- "Already using Extended Key ID, can't stop");
+ wpa_printf(MSG_ERROR, "STA " MACSTR
+ " is using Extended Key ID, can't rekey without it",
+ MAC2STR(sm->addr));
return -1;
- } else if (sm->use_extended_key_id) {
+ } else if (!sm->pairwise_set) {
+ wpa_printf(MSG_DEBUG, "STA " MACSTR
+ " can't use Extended Key ID support",
+ MAC2STR(sm->addr));
sm->use_extended_key_id = FALSE;
sm->keyidx_active = 0;
}
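Review bot: The new `else if (!sm->pairwise_set)` branch inside the first `if` logs "STA ... is not supporting Extended Key ID", yet that branch is only reachable when the STA did advertise WPA_CAPABILITY_EXT_KEY_ID_FOR_UNICAST and use_extended_key_id is already TRUE, so the message states the opposite of the condition; change it to something like `" is already using Extended Key ID"` or drop the branch if it only exists for the log line. Both MSG_ERROR messages are reached through the STA's own advertised capabilities (data.capabilities from wpa_validate_wpa_ie), so a peer that flips the bit on rekey can emit them at will; unless the tests depend on the level, MSG_INFO would seem more proportionate for a rejected peer request. handle_extended_key_id continues past the hunk.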
@@ -834,8 +847,6 @@ int wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth,
return WPA_MGMT_FRAME_PROTECTION_VIOLATION;
}
- if (handle_extended_key_id(sm, data.capabilities))
- return WPA_INVALID_IE;
#ifdef CONFIG_IEEE80211R_AP
if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
if (mdie == NULL || mdie_len < MOBILITY_DOMAIN_ID_LEN + 1) {
@@ -885,12 +896,8 @@ int wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth,
else
sm->wpa = WPA_VERSION_WPA;
- /* Extended Key ID must not be used for TKIP */
- if (sm->use_extended_key_id && sm->pairwise == WPA_CIPHER_TKIP) {
- sm->use_extended_key_id = FALSE;
- sm->keyidx_active = 0;
- }
-
+ if (handle_extended_key_id(sm, data.capabilities))
+ return WPA_INVALID_IE;
#if defined(CONFIG_IEEE80211R_AP) && defined(CONFIG_FILS)
if ((sm->wpa_key_mgmt == WPA_KEY_MGMT_FT_FILS_SHA256 ||
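Review bot: The relocated call loses the "Extended Key ID must not be used for TKIP" comment, and the new site does not say why it must sit here: the removed check read sm->pairwise at this point and the TKIP exclusion now lives inside handle_extended_key_id(), so the helper must only be called once sm->pairwise and sm->wpa are final. Suggest a comment above the call such as `/* Decide Extended Key ID use now that sm->pairwise and sm->wpa are final; the helper itself excludes TKIP */`. The call now also runs after the CONFIG_IEEE80211R_AP MDIE checks, so a STA failing both returns the FT error rather than WPA_INVALID_IE — presumably intended, but worth stating in the commit message. The rest of wpa_validate_wpa_ie lies outside the hunk.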
This is a correction on top of: [PATCH v6 10/17] hostapd: Add support for Extended Key ID

Changes:
- Fix too-wide bit masks, which are not really needed but are already in use for GTK key IDs. (We could drop them all.)
- Merge TKIP handling into handle_extended_key_id()
- Check configuration settings and disable Extended Key ID when the configuration settings don't allow it.
- This allows us to drop some tests from handle_extended_key_id()
- Update log/debug messages (some needed for tests)

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
---
 src/ap/ap_config.c | 2 +-
 src/ap/wpa_auth.c | 2 +-
 src/ap/wpa_auth_glue.c | 15 +++------------
 src/ap/wpa_auth_ie.c | 33 ++++++++++++++++++++-------------
 4 files changed, 25 insertions(+), 27 deletions(-)