From patchwork Sat Aug 17 21:14:19 2019
X-Patchwork-Submitter: Alexander Wetzel
X-Patchwork-Id: 1148795
From: Alexander Wetzel
To: j@w1.fi
Subject: [PATCH v3 01/17] nl80211: Migrate to current netlink key message format
Date: Sat, 17 Aug 2019 23:14:19 +0200
Message-Id: <20190817211435.158335-2-alexander@wetzel-home.de>
In-Reply-To: <20190817211435.158335-1-alexander@wetzel-home.de>
References: <20190817211435.158335-1-alexander@wetzel-home.de>
Cc: Alexander Wetzel, hostap@lists.infradead.org, luca@coelho.fi, johannes@sipsolutions.net

Linux 2.6.32 (December 2009) introduced an alternate netlink message format for setting and querying key information, deprecating the older one. To allow hostapd/wpa_supplicant to use new features only provided via the new format, this patch migrates all key netlink messages for key installs and queries to the new format.

Since some parts of the nl80211 driver already use the new format, this should not change the minimal kernel requirement and only unifies the netlink API usage.

The following netlink attributes have been dropped from all key install and query functions:

  NL80211_ATTR_KEY_DATA
  NL80211_ATTR_KEY_TYPE
  NL80211_ATTR_KEY_SEQ
  NL80211_ATTR_KEY_IDX
  NL80211_ATTR_KEY_CIPHER
  NL80211_ATTR_KEY_DEFAULT
  NL80211_ATTR_KEY_DEFAULT_MGMT
  NL80211_ATTR_KEY_DEFAULT_TYPES

and replaced by the following attributes nested in NL80211_ATTR_KEY:

  NL80211_KEY_DATA
  NL80211_KEY_TYPE
  NL80211_KEY_SEQ
  NL80211_KEY_IDX
  NL80211_KEY_CIPHER
  NL80211_KEY_DEFAULT
  NL80211_KEY_DEFAULT_MGMT
  NL80211_KEY_DEFAULT_TYPES

But when detecting and reporting Michael MIC failures, even current kernels are still using:

  NL80211_ATTR_KEY_TYPE
  NL80211_ATTR_KEY_SEQ
  NL80211_ATTR_KEY_IDX

Therefore we still have to use them there when processing Michael MIC failure events.

Signed-off-by: Alexander Wetzel
---
There is not much to add to the commit log; most of it is straightforward. But I tried to keep the existing logic and therefore start an additional key netlink message, to still be able to fill in the information with the existing logic and not the more usual nla_nest_start().

 src/drivers/driver_nl80211.c | 88 ++++++++++++++++++++++++------------
 1 file changed, 58 insertions(+), 30 deletions(-)
diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c index 7b31b52c7..f6035a17c 100644 --- a/src/drivers/driver_nl80211.c +++ b/src/drivers/driver_nl80211.c @@ -3015,7 +3015,8 @@ static int wpa_driver_nl80211_set_key(const char *ifname, struct i802_bss *bss, { struct wpa_driver_nl80211_data *drv = bss->drv; int ifindex; - struct nl_msg *msg = NULL; + struct nl_msg *msg; + struct nl_msg *key_msg; int ret; int tdls = 0; @@ -3049,26 +3050,31 @@ static int wpa_driver_nl80211_set_key(const char *ifname, struct i802_bss *bss, (drv->capa.flags & WPA_DRIVER_FLAGS_4WAY_HANDSHAKE_8021X)) return nl80211_set_pmk(drv, key, key_len, addr); + key_msg = nlmsg_alloc(); + if (!key_msg) + return -ENOBUFS; + if (alg == WPA_ALG_NONE) { msg = nl80211_ifindex_msg(drv, ifindex, 0, NL80211_CMD_DEL_KEY); if (!msg) - return -ENOBUFS; + goto fail2; } else { u32 suite; suite = wpa_alg_to_cipher_suite(alg, key_len); if (!suite) - goto fail; + goto fail2; msg = nl80211_ifindex_msg(drv, ifindex, 0, NL80211_CMD_NEW_KEY); - if (!msg || - nla_put(msg, NL80211_ATTR_KEY_DATA, key_len, key) || - nla_put_u32(msg, NL80211_ATTR_KEY_CIPHER, suite)) + if (!msg) + goto fail2; + if (nla_put(key_msg, NL80211_KEY_DATA, key_len, key) || + nla_put_u32(key_msg, NL80211_KEY_CIPHER, suite)) goto fail; wpa_hexdump_key(MSG_DEBUG, "nl80211: KEY_DATA", key, key_len); } if (seq && seq_len) { - if (nla_put(msg, NL80211_ATTR_KEY_SEQ, seq_len, seq)) + if (nla_put(key_msg, NL80211_KEY_SEQ, seq_len, seq)) goto fail; wpa_hexdump(MSG_DEBUG, "nl80211: KEY_SEQ", seq, seq_len); } @@ -3080,7 +3086,7 @@ static int wpa_driver_nl80211_set_key(const char *ifname, struct i802_bss *bss, if (alg != WPA_ALG_WEP && key_idx && !set_tx) { wpa_printf(MSG_DEBUG, " RSN IBSS RX GTK"); - if (nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, + if (nla_put_u32(key_msg, NL80211_KEY_TYPE, NL80211_KEYTYPE_GROUP)) goto fail; } 
@@ -3089,13 +3095,14 @@ static int wpa_driver_nl80211_set_key(const char *ifname, struct i802_bss *bss, wpa_printf(MSG_DEBUG, " broadcast key"); - types = nla_nest_start(msg, NL80211_ATTR_KEY_DEFAULT_TYPES); + types = nla_nest_start(key_msg, NL80211_KEY_DEFAULT_TYPES); if (!types || - nla_put_flag(msg, NL80211_KEY_DEFAULT_TYPE_MULTICAST)) + nla_put_flag(key_msg, NL80211_KEY_DEFAULT_TYPE_MULTICAST)) goto fail; - nla_nest_end(msg, types); + nla_nest_end(key_msg, types); } - if (nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx)) + if (nla_put_u8(key_msg, NL80211_KEY_IDX, key_idx) || + nla_put_nested(msg, NL80211_ATTR_KEY, key_msg)) goto fail; ret = send_and_recv_msgs(drv, msg, NULL, key ? (void *) -1 : NULL); 
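Review bot: key_msg is leaked on the success path of this hunk, and the leaked buffer still holds the key bytes. After `nla_put_nested(msg, NL80211_ATTR_KEY, key_msg)` the nested attribute has been copied into msg, but the code goes straight to `ret = send_and_recv_msgs(drv, msg, NULL, key ? (void *) -1 : NULL);`, which only consumes msg; fail and fail2 are reached on error paths only. Clear and free the nested message right after the copy (nl80211_nlmsg_clear(key_msg); nlmsg_free(key_msg);) so that whatever scrubbing send_and_recv_msgs() applies to msg is not undone by a second, unscrubbed copy of the key lingering on the heap.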
@@ -3115,34 +3122,43 @@ static int wpa_driver_nl80211_set_key(const char *ifname, struct i802_bss *bss, !is_broadcast_ether_addr(addr)) return ret; + key_msg = nlmsg_alloc(); + if (!key_msg) + return -ENOBUFS; + msg = nl80211_ifindex_msg(drv, ifindex, 0, NL80211_CMD_SET_KEY); - if (!msg || - nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx) || - nla_put_flag(msg, (alg == WPA_ALG_IGTK || - alg == WPA_ALG_BIP_GMAC_128 || - alg == WPA_ALG_BIP_GMAC_256 || - alg == WPA_ALG_BIP_CMAC_256) ? - NL80211_ATTR_KEY_DEFAULT_MGMT : - NL80211_ATTR_KEY_DEFAULT)) + if (!msg) + goto fail2; + if (!key_msg || + nla_put_u8(key_msg, NL80211_KEY_IDX, key_idx) || + nla_put_flag(key_msg, (alg == WPA_ALG_IGTK || + alg == WPA_ALG_BIP_GMAC_128 || + alg == WPA_ALG_BIP_GMAC_256 || + alg == WPA_ALG_BIP_CMAC_256) ? + NL80211_KEY_DEFAULT_MGMT : + NL80211_KEY_DEFAULT)) goto fail; if (addr && is_broadcast_ether_addr(addr)) { struct nlattr *types; - types = nla_nest_start(msg, NL80211_ATTR_KEY_DEFAULT_TYPES); + types = nla_nest_start(key_msg, NL80211_KEY_DEFAULT_TYPES); if (!types || - nla_put_flag(msg, NL80211_KEY_DEFAULT_TYPE_MULTICAST)) + nla_put_flag(key_msg, NL80211_KEY_DEFAULT_TYPE_MULTICAST)) goto fail; - nla_nest_end(msg, types); + nla_nest_end(key_msg, types); } else if (addr) { struct nlattr *types; - types = nla_nest_start(msg, NL80211_ATTR_KEY_DEFAULT_TYPES); + types = nla_nest_start(key_msg, NL80211_KEY_DEFAULT_TYPES); if (!types || - nla_put_flag(msg, NL80211_KEY_DEFAULT_TYPE_UNICAST)) + nla_put_flag(key_msg, NL80211_KEY_DEFAULT_TYPE_UNICAST)) goto fail; - nla_nest_end(msg, types); + nla_nest_end(key_msg, types); } + if (nla_put_nested(msg, NL80211_ATTR_KEY, key_msg)) + goto fail; + ret = send_and_recv_msgs(drv, msg, NULL, NULL); if (ret == -ENOENT) ret = 0; @@ -3154,6 +3170,9 @@ static int wpa_driver_nl80211_set_key(const char *ifname, struct i802_bss *bss, fail: nl80211_nlmsg_clear(msg); nlmsg_free(msg); +fail2: + nl80211_nlmsg_clear(key_msg); + nlmsg_free(key_msg); return -ENOBUFS; } 
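Review bot: the NL80211_CMD_SET_KEY hunk has the same leak: key_msg is allocated, nested into msg with nla_put_nested(), and `ret = send_and_recv_msgs(drv, msg, NULL, NULL);` then frees only msg, so key_msg is lost on every successful call. Clear and free it immediately after the nla_put_nested() succeeds, mirroring what fail2 does. Also, `if (!key_msg ||` at the top of the condition is dead code: the function already returned -ENOBUFS a few lines above when nlmsg_alloc() failed, so drop that test and keep the condition as it was, with only the msg/attribute names changed.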
@@ -6183,7 +6202,11 @@ static inline int min_int(int a, int b) static int get_key_handler(struct nl_msg *msg, void *arg) { struct nlattr *tb[NL80211_ATTR_MAX + 1]; + struct nlattr *attrs[NL80211_KEY_MAX + 1]; struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg)); + static struct nla_policy key_policy[NL80211_KEY_MAX + 1] = { + [NL80211_KEY_SEQ] = { .type = NLA_BINARY }, + }; nla_parse(tb, NL80211_ATTR_MAX, genlmsg_attrdata(gnlh, 0), genlmsg_attrlen(gnlh, 0), NULL); @@ -6194,9 +6217,11 @@ static int get_key_handler(struct nl_msg *msg, void *arg) * the kernel starts sending key notifications. */ - if (tb[NL80211_ATTR_KEY_SEQ]) - memcpy(arg, nla_data(tb[NL80211_ATTR_KEY_SEQ]), - min_int(nla_len(tb[NL80211_ATTR_KEY_SEQ]), 6)); + if (tb[NL80211_ATTR_KEY] && + !nla_parse_nested(attrs, NL80211_KEY_MAX, tb[NL80211_ATTR_KEY], + key_policy)) + memcpy(arg, nla_data(attrs[NL80211_KEY_SEQ]), + min_int(nla_len(attrs[NL80211_KEY_SEQ]), 16)); nl80211_nlmsg_clear(msg); return NL_SKIP; } 
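Review bot: the new condition in get_key_handler() dereferences attrs[NL80211_KEY_SEQ] without checking it. nla_parse_nested() returning 0 only means the nested attribute parsed; a NL80211_ATTR_KEY without a NL80211_KEY_SEQ member leaves attrs[NL80211_KEY_SEQ] NULL and nla_data() then crashes, whereas the old code tested tb[NL80211_ATTR_KEY_SEQ] before copying. Add `&& attrs[NL80211_KEY_SEQ]` to the condition. Separately, the copy bound was raised from 6 to 16 but the caller i802_get_seqnum() still treats arg as a 6-byte buffer (see its `memset(seq, 0, 6)` in the next hunk), so a kernel reporting a longer sequence counter would overflow it; keep `min_int(nla_len(attrs[NL80211_KEY_SEQ]), 6)` unless the callers are widened in the same patch, and consider giving NL80211_KEY_SEQ a .maxlen in key_policy so over-long input is rejected at parse time.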
@@ -6208,16 +6233,19 @@ static int i802_get_seqnum(const char *iface, void *priv, const u8 *addr, struct i802_bss *bss = priv; struct wpa_driver_nl80211_data *drv = bss->drv; struct nl_msg *msg; + struct nlattr *key_attr; msg = nl80211_ifindex_msg(drv, if_nametoindex(iface), 0, NL80211_CMD_GET_KEY); if (!msg || (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) || - nla_put_u8(msg, NL80211_ATTR_KEY_IDX, idx)) { + (key_attr = nla_nest_start(msg, NL80211_ATTR_KEY)) || + nla_put_u8(msg, NL80211_KEY_IDX, idx)) { nlmsg_free(msg); return -ENOBUFS; } + nla_nest_end(msg, key_attr); memset(seq, 0, 6); return send_and_recv_msgs(drv, msg, get_key_handler, seq);

From patchwork Sat Aug 17 21:14:20 2019
X-Patchwork-Submitter: Alexander Wetzel
X-Patchwork-Id: 1148794
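Review bot: in the i802_get_seqnum() hunk the nest_start test is inverted. `(key_attr = nla_nest_start(msg, NL80211_ATTR_KEY)) ||` is true exactly when nla_nest_start() succeeds (it returns the pointer to the new container attribute), so every call takes the error branch, frees msg and returns -ENOBUFS, and the GET_KEY request is never sent. It needs to read `!(key_attr = nla_nest_start(msg, NL80211_ATTR_KEY)) ||`. The ordering itself is right (NL80211_ATTR_MAC stays at the top level, NL80211_KEY_IDX goes inside the nest), so only the negation is missing.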
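The attribute layout the commit message above describes (flat NL80211_ATTR_KEY_* attributes replaced by NL80211_KEY_* members nested inside NL80211_ATTR_KEY) is what the patch builds with libnl's nla_put_nested() and reads back with nla_parse_nested(). The following is an added example and not code from the patch, from hostap or from the kernel: it implements the raw netlink attribute wire format directly so it runs without libnl, builds a reply shaped like a kernel GET_KEY answer with the same separate-key-message-then-nest pattern the patch uses, and parses it the way get_key_handler() does, with a length policy and with the two cases a handler must get right: a reply that carries no NL80211_KEY_SEQ member, and a sequence counter longer than the caller's 6-byte buffer. The numeric attribute ids (NL80211_ATTR_KEY = 80, NL80211_KEY_IDX = 2, NL80211_KEY_SEQ = 4, NL80211_KEY_MAX = 9) are recalled from nl80211.h and are assumptions, ATTR_MAX is a local bound rather than the real NL80211_ATTR_MAX, and the RSC bytes, buffer sizes and the seq_bytes_for_reply() scenario helper are constructed for the example.

```c
/* Added example, not hostap or kernel code: the nested NL80211_ATTR_KEY layout on
 * the raw netlink wire format, without libnl. Attribute ids assumed from nl80211.h. */
#include <stdint.h>
#include <string.h>

#define NLA_ALIGN(len) (((len) + 3) & ~(size_t) 3)
#define NLA_HDRLEN 4        /* sizeof(struct nlattr), already 4-byte aligned */
#define NLA_F_NESTED 0x8000 /* nla_type flag bit marking a container attribute */
struct nlattr { uint16_t nla_len; uint16_t nla_type; }; /* nla_len excludes padding */
enum { NL80211_ATTR_KEY = 80, ATTR_MAX = NL80211_ATTR_KEY };            /* assumed */
enum { NL80211_KEY_IDX = 2, NL80211_KEY_SEQ = 4, NL80211_KEY_MAX = 9 }; /* assumed */
struct msgbuf { uint8_t data[256]; size_t len; };
struct nla_view { const uint8_t *data; uint16_t len; }; /* data == NULL: absent */
struct nla_policy { uint16_t maxlen; };                 /* 0 means unchecked */

/* nla_put(): append one TLV with zeroed padding; -1 stands for ENOBUFS */
static int nla_put(struct msgbuf *m, uint16_t type, const void *payload, size_t plen)
{
	size_t total = NLA_ALIGN(NLA_HDRLEN + plen);
	struct nlattr hdr = { (uint16_t) (NLA_HDRLEN + plen), type };
	if (NLA_HDRLEN + plen > UINT16_MAX || m->len + total > sizeof(m->data))
		return -1;
	memset(m->data + m->len, 0, total);
	memcpy(m->data + m->len, &hdr, sizeof(hdr));
	if (plen)
		memcpy(m->data + m->len + NLA_HDRLEN, payload, plen);
	m->len += total;
	return 0;
}

/* nla_parse(): index buf[0..len) into tb[]; -1 if an attribute is truncated or
 * longer than its policy allows; attributes above maxtype are skipped */
static int nla_parse(struct nla_view *tb, int maxtype, const uint8_t *buf,
		     size_t len, const struct nla_policy *pol)
{
	struct nlattr hdr;
	size_t off;
	memset(tb, 0, sizeof(*tb) * (size_t) (maxtype + 1));
	for (off = 0; off + NLA_HDRLEN <= len; off += NLA_ALIGN(hdr.nla_len)) {
		int t;
		memcpy(&hdr, buf + off, sizeof(hdr));
		if (hdr.nla_len < NLA_HDRLEN || off + hdr.nla_len > len)
			return -1;
		t = hdr.nla_type & 0x3fff; /* strip NLA_F_NESTED / NLA_F_NET_BYTEORDER */
		if (t > maxtype)
			continue;
		tb[t].len = (uint16_t) (hdr.nla_len - NLA_HDRLEN);
		tb[t].data = buf + off + NLA_HDRLEN;
		if (pol && pol[t].maxlen && tb[t].len > pol[t].maxlen)
			return -1;
	}
	return 0;
}

/* Handler side, as in get_key_handler(): copy the RSC/PN into the caller's 6-byte
 * buffer. Returns bytes copied, 0 without a KEY_SEQ member, -1 when malformed. */
static int extract_key_seq(const uint8_t *msg, size_t msg_len, uint8_t seq[6])
{
	static const struct nla_policy key_policy[NL80211_KEY_MAX + 1] = {
		[NL80211_KEY_IDX] = { 1 }, [NL80211_KEY_SEQ] = { 16 }, /* BIP IPN is 16 */
	};
	struct nla_view tb[ATTR_MAX + 1], k[NL80211_KEY_MAX + 1];
	size_t n;
	memset(seq, 0, 6);
	if (nla_parse(tb, ATTR_MAX, msg, msg_len, NULL))
		return -1;
	if (!tb[NL80211_ATTR_KEY].data)
		return 0;
	if (nla_parse(k, NL80211_KEY_MAX, tb[NL80211_ATTR_KEY].data,
		      tb[NL80211_ATTR_KEY].len, key_policy))
		return -1;
	if (!k[NL80211_KEY_SEQ].data) /* member absent: never nla_data() it */
		return 0;
	n = k[NL80211_KEY_SEQ].len < 6 ? k[NL80211_KEY_SEQ].len : 6; /* caller's size */
	memcpy(seq, k[NL80211_KEY_SEQ].data, n);
	return (int) n;
}

/* Reply side, shaped like a kernel GET_KEY answer: a separate key_msg holding
 * KEY_IDX plus rsc_len constructed RSC bytes (0 = none) is copied in whole as
 * NL80211_ATTR_KEY, the nla_put_nested() pattern the patch uses. The last cut
 * bytes are then withheld from the parser. Returns what extract_key_seq() copied. */
static int seq_bytes_for_reply(size_t rsc_len, size_t cut)
{
	uint8_t rsc[32], seq[6], idx = 1;
	struct msgbuf m = { { 0 }, 0 }, key_msg = { { 0 }, 0 };
	size_t i;
	for (i = 0; i < sizeof(rsc); i++)
		rsc[i] = (uint8_t) (i + 1);
	if (rsc_len > sizeof(rsc) || nla_put(&key_msg, NL80211_KEY_IDX, &idx, 1) ||
	    (rsc_len && nla_put(&key_msg, NL80211_KEY_SEQ, rsc, rsc_len)) ||
	    nla_put(&m, NL80211_ATTR_KEY | NLA_F_NESTED, key_msg.data, key_msg.len) ||
	    cut > m.len)
		return -2;
	return extract_key_seq(m.data, m.len - cut, seq);
}
```

seq_bytes_for_reply(6, 0) yields 6 for a TKIP/CCMP-sized counter, seq_bytes_for_reply(16, 0) yields 6 because the copy is bounded by the destination rather than by the 16 bytes the kernel sent, seq_bytes_for_reply(0, 0) yields 0 instead of dereferencing a missing member, and a 17-byte counter or a reply cut one byte short is rejected by the policy and length checks. The nested container is the same TLV as any other attribute with NLA_F_NESTED set and the inner TLVs as its payload, which is why libnl's nla_put_nested() can copy a whole separately built message in as one attribute.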
From: Alexander Wetzel
To: j@w1.fi
Subject: [PATCH v3 02/17] Driver: Introduce key_types and Extended Key ID driver flag
Date: Sat, 17 Aug 2019 23:14:20 +0200
Message-Id: <20190817211435.158335-3-alexander@wetzel-home.de>
In-Reply-To: <20190817211435.158335-1-alexander@wetzel-home.de>
References: <20190817211435.158335-1-alexander@wetzel-home.de>
Cc: Alexander Wetzel, hostap@lists.infradead.org, luca@coelho.fi, johannes@sipsolutions.net

Add the new driver flag WPA_DRIVER_FLAGS_EXTENDED_KEY_ID and the key_types designated to replace and extend the use of the existing set_tx boolean in all set_key() functions.

Both changes are required as foundation for the Extended Key ID support and are only laying some foundation for later patches to build on.

The new - so far unused - key_types are:

KEY_TYPE_BROADCAST
  Set for any broadcast key which is not a default key. Also set to delete default keys. (This basically replaces set_tx=0.)

KEY_TYPE_DEFAULT
  To be set when installing a WEP or a group key without pairwise keys. Must not be used when pairwise keys are used. Never set when deleting a key. (This basically replaces set_tx=1.)

KEY_TYPE_PAIRWISE
  Used to distinguish pairwise from broadcast keys. (This is needed since Extended Key ID can use keyidx=1 both as pairwise and group keys and we need an additional hint to distinguish between them.)

KEY_TYPE_NO_AUTO_TX
  To be set when installing a pairwise key which must not be used for Tx, yet. (New requirement for Extended Key ID support.)

KEY_TYPE_SET_TX
  To be set when activating Tx for a key installed with KEY_TYPE_NO_AUTO_TX. (Also required for Extended Key ID support.)
Signed-off-by: Alexander Wetzel
---
This could be split up into more patches to differentiate between the set_tx cleanup and Extended Key ID support. But then I think having the key_types all in one patch is simpler to follow, and then it looks silly to just have a patch for adding WPA_DRIVER_FLAGS_EXTENDED_KEY_ID...

In the first patches, and even while preparing this one, I used flags instead of an enum. But after getting it working it turned out that there simply is no useful case where we would have to set more than one bit.

 src/common/wpa_common.h | 8 ++++++++
 src/drivers/driver.h | 19 +++++++++++++++++++
 2 files changed, 27 insertions(+)

diff --git a/src/common/wpa_common.h b/src/common/wpa_common.h index cb511ff0b..415104de9 100644 --- a/src/common/wpa_common.h +++ b/src/common/wpa_common.h @@ -203,6 +203,14 @@ struct wpa_eapol_key { #define FILS_ICK_MAX_LEN 48 #define FILS_FT_MAX_LEN 48 +enum key_type { + KEY_TYPE_BROADCAST, + KEY_TYPE_DEFAULT, + KEY_TYPE_PAIRWISE, + KEY_TYPE_NO_AUTO_TX, + KEY_TYPE_SET_TX, +}; + /** * struct wpa_ptk - WPA Pairwise Transient Key * IEEE Std 802.11i-2004 - 8.5.1.2 Pairwise key hierarchy diff --git a/src/drivers/driver.h b/src/drivers/driver.h index 2a8459ae3..b74c37f2c 100644 --- a/src/drivers/driver.h +++ b/src/drivers/driver.h @@ -1659,6 +1659,8 @@ struct wpa_driver_capa { #define WPA_DRIVER_FLAGS_FTM_RESPONDER 0x0100000000000000ULL /** Driver support 4-way handshake offload for WPA-Personal */ #define WPA_DRIVER_FLAGS_4WAY_HANDSHAKE_PSK 0x0200000000000000ULL +/** Driver supports Extended Key ID */ +#define WPA_DRIVER_FLAGS_EXTENDED_KEY_ID 0x0400000000000000ULL u64 flags; #define FULL_AP_CLIENT_STATE_SUPP(drv_flags) \
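Review bot: the new `enum key_type` in wpa_common.h carries no comment, and its first enumerator KEY_TYPE_BROADCAST is implicitly 0. Patch 03 of this series passes a bare 0 for key_type at every call site, including pairwise TK installs, which will read as KEY_TYPE_BROADCAST once the value starts to matter. Either document the enumerators here as well (the description currently lives only in the set_key() kernel-doc in driver.h, a different file from the definition) or add an explicit placeholder enumerator for "not specified" so that transitional callers do not silently claim a broadcast key.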
@@ -2290,6 +2292,23 @@ struct wpa_driver_ops { * 8-byte Rx Mic Key * @key_len: length of the key buffer in octets (WEP: 5 or 13, * TKIP: 32, CCMP/GCMP: 16, IGTK: 16) + * @key_type: Additional instructions for key install: + * %KEY_TYPE_BROADCAST: + * Key is a broadcast but no default key. + * %KEY_TYPE_DEFAULT: + * Key is the default key (not using pairwise keys, WEP or + * group key only.) Must not be used when pairwise keys are + * also in use. + * %KEY_TYPE_PAIRWISE: + * Normal pairwise key not requiring Extended Key ID actions. + * %KEY_TYPE_NO_AUTO_TX: + * Pairwise Key, but it must not be used for Tx, yet. + * Can only be used when the driver supports Extended Key ID. + * %KEY_TYPE_SET_TX: + * Key already installed with %KEY_TYPE_NO_AUTO_TX is selected as + * the pairwise Tx key for the STA. Only @ifname, @priv, @addr + * and @key_idx must be set and all other arguments have to be + * zero or NULL. * * Returns: 0 on success, -1 on failure *

From patchwork Sat Aug 17 21:14:21 2019
X-Patchwork-Submitter: Alexander Wetzel
X-Patchwork-Id: 1149151
From: Alexander Wetzel
To: j@w1.fi
Subject: [PATCH v3 03/17] Add new argument key_type to all set_key() functions
Date: Sat, 17 Aug 2019 23:14:21 +0200
Message-Id: <20190817211435.158335-4-alexander@wetzel-home.de>
In-Reply-To: <20190817211435.158335-1-alexander@wetzel-home.de>
References: <20190817211435.158335-1-alexander@wetzel-home.de>
Cc: Alexander Wetzel, hostap@lists.infradead.org, luca@coelho.fi, johannes@sipsolutions.net

This patch is not changing any functionality and just updates the internal hostapd/wpa_supplicant set_key() functions. It's adding an additional argument which will be used later to hand over the key_type information, designated to replace the functionality of set_tx while also being able to support Extended Key ID.

The new key_type is always set to zero within this patch, and only hostapd_ctrl_set_key() has some additional lines to read and store the additional argument in the correct - still unused - variable.
Signed-off-by: Alexander Wetzel
---
Since the set_key() functions are central, I see no way to split it further. I made it as boring as possible, and from a review point of view it should be next to irrelevant: the other patches are touching the interesting parts all again, while the rest is simply passing through the key_type variable.

 hostapd/ctrl_iface.c | 37 +++++++++++++++++++++------------
 src/ap/ap_drv_ops.c | 4 ++--
 src/ap/ap_drv_ops.h | 2 +-
 src/ap/hostapd.c | 8 +++----
 src/ap/ieee802_11.c | 3 ++-
 src/ap/ieee802_1x.c | 7 ++++---
 src/ap/wpa_auth.c | 16 +++++++-------
 src/ap/wpa_auth.h | 3 ++-
 src/ap/wpa_auth_ft.c | 7 ++++---
 src/ap/wpa_auth_glue.c | 4 ++--
 src/drivers/driver.h | 2 +-
 src/drivers/driver_atheros.c | 3 ++-
 src/drivers/driver_bsd.c | 3 ++-
 src/drivers/driver_hostap.c | 3 ++-
 src/drivers/driver_ndis.c | 12 ++++++-----
 src/drivers/driver_nl80211.c | 11 ++++++----
 src/drivers/driver_openbsd.c | 3 ++-
 src/drivers/driver_privsep.c | 3 ++-
 src/drivers/driver_wext.c | 8 ++++---
 src/drivers/driver_wext.h | 3 ++-
 src/rsn_supp/tdls.c | 6 +++---
 src/rsn_supp/wpa.c | 15 ++++++-------
 src/rsn_supp/wpa.h | 2 +-
 src/rsn_supp/wpa_ft.c | 7 ++++---
 src/rsn_supp/wpa_i.h | 5 +++--
 tests/hwsim/test_ap_ciphers.py | 2 +-
 wpa_supplicant/ctrl_iface.c | 18 ++++++++--------
 wpa_supplicant/driver_i.h | 6 ++++--
 wpa_supplicant/ibss_rsn.c | 11 +++++-----
 wpa_supplicant/mesh_mpm.c | 6 +++---
 wpa_supplicant/mesh_rsn.c | 9 ++++----
 wpa_supplicant/wpa_supplicant.c | 8 +++----
 wpa_supplicant/wpas_glue.c | 11 +++++-----
 33 files changed, 143 insertions(+), 105 deletions(-)

diff --git a/hostapd/ctrl_iface.c b/hostapd/ctrl_iface.c index 0f6dfa13d..3b1fc64b8 100644 --- a/hostapd/ctrl_iface.c +++ b/hostapd/ctrl_iface.c
@@ -2122,7 +2122,7 @@ static int hostapd_ctrl_reset_pn(struct hostapd_data *hapd, const char *cmd) hapd->last_igtk_alg, broadcast_ether_addr, hapd->last_igtk_key_idx, 1, NULL, 0, - zero, hapd->last_igtk_len) < 0) + zero, hapd->last_igtk_len, 0) < 0) return -1; /* Set the previously configured key to reset its TSC */ @@ -2131,7 +2131,7 @@ static int hostapd_ctrl_reset_pn(struct hostapd_data *hapd, const char *cmd) broadcast_ether_addr, hapd->last_igtk_key_idx, 1, NULL, 0, hapd->last_igtk, - hapd->last_igtk_len); + hapd->last_igtk_len, 0); } #endif /* CONFIG_IEEE80211W */ @@ -2147,7 +2147,7 @@ static int hostapd_ctrl_reset_pn(struct hostapd_data *hapd, const char *cmd) hapd->last_gtk_alg, broadcast_ether_addr, hapd->last_gtk_key_idx, 1, NULL, 0, - zero, hapd->last_gtk_len) < 0) + zero, hapd->last_gtk_len, 0) < 0) return -1; /* Set the previously configured key to reset its TSC */ @@ -2155,7 +2155,8 @@ static int hostapd_ctrl_reset_pn(struct hostapd_data *hapd, const char *cmd) hapd->last_gtk_alg, broadcast_ether_addr, hapd->last_gtk_key_idx, 1, NULL, 0, - hapd->last_gtk, hapd->last_gtk_len); + hapd->last_gtk, hapd->last_gtk_len, + 0); } sta = ap_get_sta(hapd, addr); @@ -2172,13 +2173,13 @@ static int hostapd_ctrl_reset_pn(struct hostapd_data *hapd, const char *cmd) * in the driver. */ if (hostapd_drv_set_key(hapd->conf->iface, hapd, sta->last_tk_alg, sta->addr, sta->last_tk_key_idx, 1, NULL, 0, - zero, sta->last_tk_len) < 0) + zero, sta->last_tk_len, 0) < 0) return -1; /* Set the previously configured key to reset its TSC/RSC */ return hostapd_drv_set_key(hapd->conf->iface, hapd, sta->last_tk_alg, sta->addr, sta->last_tk_key_idx, 1, NULL, 0, - sta->last_tk, sta->last_tk_len); + sta->last_tk, sta->last_tk_len, 0); } 
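Review bot: every hostapd_drv_set_key() call in hostapd_ctrl_reset_pn() now ends in a bare `0` for the new enum argument, including the two pairwise TK reinstalls on sta->addr / sta->last_tk_key_idx; with the enum from patch 02, 0 is KEY_TYPE_BROADCAST. Passing an enumerator rather than a magic 0 keeps these sites readable and makes them trivial to grep for when the later patches switch the logic from set_tx to key_type.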
@@ -2188,10 +2189,11 @@ static int hostapd_ctrl_set_key(struct hostapd_data *hapd, const char *cmd) const char *pos = cmd; enum wpa_alg alg; int idx, set_tx; + enum key_type key_type; u8 seq[6], key[WPA_TK_MAX_LEN]; size_t key_len; - /* parameters: alg addr idx set_tx seq key */ + /* parameters: alg addr idx set_tx seq key key_type*/ alg = atoi(pos); pos = os_strchr(pos, ' '); @@ -2220,13 +2222,22 @@ static int hostapd_ctrl_set_key(struct hostapd_data *hapd, const char *cmd) if (*pos != ' ') return -1; pos++; - key_len = os_strlen(pos) / 2; + key_len = (os_strchr(pos, ' ') - pos) / 2; if (hexstr2bin(pos, key, key_len) < 0) return -1; + pos += 2 * key_len; + if (*pos != ' ') + return -1; + + pos++; + key_type = atoi(pos); + pos = os_strchr(pos, ' '); + if (pos) + return -1; wpa_printf(MSG_INFO, "TESTING: Set key"); return hostapd_drv_set_key(hapd->conf->iface, hapd, alg, addr, idx, - set_tx, seq, 6, key, key_len); + set_tx, seq, 6, key, key_len, key_type); } @@ -2242,7 +2253,7 @@ static void restore_tk(void *ctx1, void *ctx2) * preventing encryption of a single EAPOL frame. */ hostapd_drv_set_key(hapd->conf->iface, hapd, sta->last_tk_alg, sta->addr, sta->last_tk_key_idx, 1, NULL, 0, - sta->last_tk, sta->last_tk_len); + sta->last_tk, sta->last_tk_len, 0); } @@ -2266,7 +2277,7 @@ static int hostapd_ctrl_resend_m1(struct hostapd_data *hapd, const char *cmd) MAC2STR(sta->addr)); hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_NONE, sta->addr, sta->last_tk_key_idx, 0, NULL, 0, - NULL, 0); + NULL, 0, 0); } wpa_printf(MSG_INFO, "TESTING: Send M1 to " MACSTR, MAC2STR(sta->addr)); @@ -2296,7 +2307,7 @@ static int hostapd_ctrl_resend_m3(struct hostapd_data *hapd, const char *cmd) MAC2STR(sta->addr)); hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_NONE, sta->addr, sta->last_tk_key_idx, 0, NULL, 0, - NULL, 0); + NULL, 0, 0); } wpa_printf(MSG_INFO, "TESTING: Send M3 to " MACSTR, MAC2STR(sta->addr)); 
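Review bot: `key_len = (os_strchr(pos, ' ') - pos) / 2;` has no NULL check. A SET_KEY command in the previous six-field format, or any command without the trailing key_type, makes os_strchr() return NULL; the pointer subtraction then yields a huge size_t and hexstr2bin() writes far past key[WPA_TK_MAX_LEN]. The old `os_strlen(pos) / 2` could not fail this way, so this is a new problem even though it is a TESTING command. Check the os_strchr() result before subtracting, and while here reject key_len > WPA_TK_MAX_LEN, which neither version bounds. Minor: the updated comment is missing a space before the closing delimiter (`/* parameters: alg addr idx set_tx seq key key_type */`).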
@@ -2326,7 +2337,7 @@ static int hostapd_ctrl_resend_group_m1(struct hostapd_data *hapd, MAC2STR(sta->addr)); hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_NONE, sta->addr, sta->last_tk_key_idx, 0, NULL, 0, - NULL, 0); + NULL, 0, 0); } wpa_printf(MSG_INFO, diff --git a/src/ap/ap_drv_ops.c b/src/ap/ap_drv_ops.c index c0ededabe..77c457bc2 100644 --- a/src/ap/ap_drv_ops.c +++ b/src/ap/ap_drv_ops.c @@ -677,13 +677,13 @@ int hostapd_drv_set_key(const char *ifname, struct hostapd_data *hapd, enum wpa_alg alg, const u8 *addr, int key_idx, int set_tx, const u8 *seq, size_t seq_len, - const u8 *key, size_t key_len) + const u8 *key, size_t key_len, enum key_type key_type) { if (hapd->driver == NULL || hapd->driver->set_key == NULL) return 0; return hapd->driver->set_key(ifname, hapd->drv_priv, alg, addr, key_idx, set_tx, seq, seq_len, key, - key_len); + key_len, key_type); } diff --git a/src/ap/ap_drv_ops.h b/src/ap/ap_drv_ops.h index ca7f7abe0..2c3e8e0f0 100644 --- a/src/ap/ap_drv_ops.h +++ b/src/ap/ap_drv_ops.h @@ -90,7 +90,7 @@ int hostapd_drv_set_key(const char *ifname, enum wpa_alg alg, const u8 *addr, int key_idx, int set_tx, const u8 *seq, size_t seq_len, - const u8 *key, size_t key_len); + const u8 *key, size_t key_len, enum key_type key_type); int hostapd_drv_send_mlme(struct hostapd_data *hapd, const void *msg, size_t len, int noack); int hostapd_drv_send_mlme_csa(struct hostapd_data *hapd, diff --git a/src/ap/hostapd.c b/src/ap/hostapd.c index bf1975fbd..c0cf9a973 100644 --- a/src/ap/hostapd.c +++ b/src/ap/hostapd.c @@ -293,7 +293,7 @@ static void hostapd_broadcast_key_clear_iface(struct hostapd_data *hapd, return; for (i = 0; i < NUM_WEP_KEYS; i++) { if (hostapd_drv_set_key(ifname, hapd, WPA_ALG_NONE, NULL, i, - 0, NULL, 0, NULL, 0)) { + 0, NULL, 0, NULL, 0, 0)) { wpa_printf(MSG_DEBUG, "Failed to clear default " "encryption keys (ifname=%s keyidx=%d)", ifname, i); 
@@ -304,7 +304,7 @@ static void hostapd_broadcast_key_clear_iface(struct hostapd_data *hapd, for (i = NUM_WEP_KEYS; i < NUM_WEP_KEYS + 2; i++) { if (hostapd_drv_set_key(ifname, hapd, WPA_ALG_NONE, NULL, i, 0, NULL, - 0, NULL, 0)) { + 0, NULL, 0, 0)) { wpa_printf(MSG_DEBUG, "Failed to clear " "default mgmt encryption keys " "(ifname=%s keyidx=%d)", ifname, i); @@ -332,7 +332,7 @@ static int hostapd_broadcast_wep_set(struct hostapd_data *hapd) hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, broadcast_ether_addr, idx, 1, NULL, 0, ssid->wep.key[idx], - ssid->wep.len[idx])) { + ssid->wep.len[idx], 0)) { wpa_printf(MSG_WARNING, "Could not set WEP encryption."); errors++; } @@ -560,7 +560,7 @@ static int hostapd_setup_encryption(char *iface, struct hostapd_data *hapd) hostapd_drv_set_key(iface, hapd, WPA_ALG_WEP, NULL, i, i == hapd->conf->ssid.wep.idx, NULL, 0, hapd->conf->ssid.wep.key[i], - hapd->conf->ssid.wep.len[i])) { + hapd->conf->ssid.wep.len[i], 0)) { wpa_printf(MSG_WARNING, "Could not set WEP " "encryption."); return -1; diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c index c85a28db4..dfe977b75 100644 --- a/src/ap/ieee802_11.c +++ b/src/ap/ieee802_11.c @@ -4771,7 +4771,8 @@ static void hostapd_set_wds_encryption(struct hostapd_data *hapd, if (ssid->wep.key[i] && hostapd_drv_set_key(ifname_wds, hapd, WPA_ALG_WEP, NULL, i, i == ssid->wep.idx, NULL, 0, - ssid->wep.key[i], ssid->wep.len[i])) { + ssid->wep.key[i], ssid->wep.len[i], + 0)) { wpa_printf(MSG_WARNING, "Could not set WEP keys for WDS interface; %s", ifname_wds); diff --git a/src/ap/ieee802_1x.c b/src/ap/ieee802_1x.c index a7a090190..657fe94a9 100644 --- a/src/ap/ieee802_1x.c +++ b/src/ap/ieee802_1x.c 
@@ -285,7 +285,8 @@ static void ieee802_1x_tx_key(struct hostapd_data *hapd, struct sta_info *sta) * has ACKed EAPOL-Key frame */ if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, sta->addr, 0, 1, NULL, 0, ikey, - hapd->conf->individual_wep_key_len)) { + hapd->conf->individual_wep_key_len, + 0)) { wpa_printf(MSG_ERROR, "Could not set individual WEP " "encryption."); } @@ -2170,7 +2171,7 @@ static void ieee802_1x_rekey(void *eloop_ctx, void *timeout_ctx) broadcast_ether_addr, eapol->default_wep_key_idx, 1, NULL, 0, eapol->default_wep_key, - hapd->conf->default_wep_key_len)) { + hapd->conf->default_wep_key_len, 0)) { hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X, HOSTAPD_LEVEL_WARNING, "failed to configure a " "new broadcast key"); @@ -2485,7 +2486,7 @@ int ieee802_1x_init(struct hostapd_data *hapd) for (i = 0; i < 4; i++) hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_NONE, NULL, i, 0, NULL, 0, - NULL, 0); + NULL, 0, 0); ieee802_1x_rekey(hapd, NULL); diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c index 02937d2ee..919ba1f42 100644 --- a/src/ap/wpa_auth.c +++ b/src/ap/wpa_auth.c @@ -136,12 +136,13 @@ static inline int wpa_auth_get_msk(struct wpa_authenticator *wpa_auth, static inline int wpa_auth_set_key(struct wpa_authenticator *wpa_auth, int vlan_id, enum wpa_alg alg, const u8 *addr, int idx, - u8 *key, size_t key_len) + u8 *key, size_t key_len, + enum key_type key_type) { if (wpa_auth->cb->set_key == NULL) return -1; return wpa_auth->cb->set_key(wpa_auth->cb_ctx, vlan_id, alg, addr, idx, - key, key_len); + key, key_len, key_type); } @@ -1713,7 +1714,7 @@ void wpa_remove_ptk(struct wpa_state_machine *sm) sm->PTK_valid = FALSE; os_memset(&sm->PTK, 0, sizeof(sm->PTK)); if (wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 0, NULL, - 0)) + 0, 0)) wpa_printf(MSG_DEBUG, "RSN: PTK removal from the driver failed"); sm->pairwise_set = FALSE; 
@@ -2747,7 +2748,7 @@ int fils_set_tk(struct wpa_state_machine *sm) wpa_printf(MSG_DEBUG, "FILS: Configure TK to the driver"); if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0, - sm->PTK.tk, klen)) { + sm->PTK.tk, klen, 0)) { wpa_printf(MSG_DEBUG, "FILS: Failed to set TK to the driver"); return -1; } @@ -3345,7 +3346,7 @@ SM_STATE(WPA_PTK, PTKINITDONE) enum wpa_alg alg = wpa_cipher_to_alg(sm->pairwise); int klen = wpa_cipher_key_len(sm->pairwise); if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0, - sm->PTK.tk, klen)) { + sm->PTK.tk, klen, 0)) { wpa_sta_disconnect(sm->wpa_auth, sm->addr, WLAN_REASON_PREV_AUTH_NOT_VALID); return; @@ -3944,7 +3945,7 @@ static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth, if (wpa_auth_set_key(wpa_auth, group->vlan_id, wpa_cipher_to_alg(wpa_auth->conf.wpa_group), broadcast_ether_addr, group->GN, - group->GTK[group->GN - 1], group->GTK_len) < 0) + group->GTK[group->GN - 1], group->GTK_len, 0) < 0) ret = -1; #ifdef CONFIG_IEEE80211W @@ -3958,7 +3959,8 @@ static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth, if (ret == 0 && wpa_auth_set_key(wpa_auth, group->vlan_id, alg, broadcast_ether_addr, group->GN_igtk, - group->IGTK[group->GN_igtk - 4], len) < 0) + group->IGTK[group->GN_igtk - 4], + len, 0) < 0) ret = -1; } #endif /* CONFIG_IEEE80211W */ diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h index a348bc25a..cc8ea5aa7 100644 --- a/src/ap/wpa_auth.h +++ b/src/ap/wpa_auth.h @@ -258,7 +258,8 @@ struct wpa_auth_callbacks { int *vlan_id); int (*get_msk)(void *ctx, const u8 *addr, u8 *msk, size_t *len); int (*set_key)(void *ctx, int vlan_id, enum wpa_alg alg, - const u8 *addr, int idx, u8 *key, size_t key_len); + const u8 *addr, int idx, u8 *key, size_t key_len, + enum key_type key_type); int (*get_seqnum)(void *ctx, const u8 *addr, int idx, u8 *seq); int (*send_eapol)(void *ctx, const u8 *addr, const u8 *data, size_t data_len, int encrypt); 
diff --git a/src/ap/wpa_auth_ft.c b/src/ap/wpa_auth_ft.c index 696f8d5fa..69ed68244 100644 --- a/src/ap/wpa_auth_ft.c +++ b/src/ap/wpa_auth_ft.c @@ -2614,12 +2614,13 @@ u8 * wpa_sm_write_assoc_resp_ies(struct wpa_state_machine *sm, u8 *pos, static inline int wpa_auth_set_key(struct wpa_authenticator *wpa_auth, int vlan_id, enum wpa_alg alg, const u8 *addr, int idx, - u8 *key, size_t key_len) + u8 *key, size_t key_len, + enum key_type key_type) { if (wpa_auth->cb->set_key == NULL) return -1; return wpa_auth->cb->set_key(wpa_auth->cb_ctx, vlan_id, alg, addr, idx, - key, key_len); + key, key_len, key_type); } @@ -2652,7 +2653,7 @@ void wpa_ft_install_ptk(struct wpa_state_machine *sm) * optimized by adding the STA entry earlier. */ if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0, - sm->PTK.tk, klen)) + sm->PTK.tk, klen, 0)) return; /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */ diff --git a/src/ap/wpa_auth_glue.c b/src/ap/wpa_auth_glue.c index 0800a8748..df900dba7 100644 --- a/src/ap/wpa_auth_glue.c +++ b/src/ap/wpa_auth_glue.c @@ -357,7 +357,7 @@ static int hostapd_wpa_auth_get_msk(void *ctx, const u8 *addr, u8 *msk, static int hostapd_wpa_auth_set_key(void *ctx, int vlan_id, enum wpa_alg alg, const u8 *addr, int idx, u8 *key, - size_t key_len) + size_t key_len, enum key_type key_type) { struct hostapd_data *hapd = ctx; const char *ifname = hapd->conf->iface; @@ -400,7 +400,7 @@ static int hostapd_wpa_auth_set_key(void *ctx, int vlan_id, enum wpa_alg alg, } #endif /* CONFIG_TESTING_OPTIONS */ return hostapd_drv_set_key(ifname, hapd, alg, addr, idx, 1, NULL, 0, - key, key_len); + key, key_len, key_type); } diff --git a/src/drivers/driver.h b/src/drivers/driver.h index b74c37f2c..20cd8d26b 100644 --- a/src/drivers/driver.h +++ b/src/drivers/driver.h 
@@ -2333,7 +2333,7 @@ struct wpa_driver_ops { int (*set_key)(const char *ifname, void *priv, enum wpa_alg alg, const u8 *addr, int key_idx, int set_tx, const u8 *seq, size_t seq_len, - const u8 *key, size_t key_len); + const u8 *key, size_t key_len, enum key_type key_type); /** * init - Initialize driver interface diff --git a/src/drivers/driver_atheros.c b/src/drivers/driver_atheros.c index 840d4ff40..08095865a 100644 --- a/src/drivers/driver_atheros.c +++ b/src/drivers/driver_atheros.c @@ -500,7 +500,8 @@ atheros_del_key(void *priv, const u8 *addr, int key_idx) static int atheros_set_key(const char *ifname, void *priv, enum wpa_alg alg, const u8 *addr, int key_idx, int set_tx, const u8 *seq, - size_t seq_len, const u8 *key, size_t key_len) + size_t seq_len, const u8 *key, size_t key_len, + enum key_type key_type) { struct atheros_driver_data *drv = priv; struct ieee80211req_key wk; diff --git a/src/drivers/driver_bsd.c b/src/drivers/driver_bsd.c index 82ca0612e..c53155be0 100644 --- a/src/drivers/driver_bsd.c +++ b/src/drivers/driver_bsd.c @@ -333,7 +333,8 @@ bsd_ctrl_iface(void *priv, int enable) static int bsd_set_key(const char *ifname, void *priv, enum wpa_alg alg, const unsigned char *addr, int key_idx, int set_tx, const u8 *seq, - size_t seq_len, const u8 *key, size_t key_len) + size_t seq_len, const u8 *key, size_t key_len, + enum key_type key_type) { struct ieee80211req_key wk; #ifdef IEEE80211_KEY_NOREPLAY diff --git a/src/drivers/driver_hostap.c b/src/drivers/driver_hostap.c index 186eccbf2..bf22858fb 100644 --- a/src/drivers/driver_hostap.c +++ b/src/drivers/driver_hostap.c @@ -399,7 +399,8 @@ static int wpa_driver_hostap_set_key(const char *ifname, void *priv, enum wpa_alg alg, const u8 *addr, int key_idx, int set_tx, const u8 *seq, size_t seq_len, - const u8 *key, size_t key_len) + const u8 *key, size_t key_len, + enum key_type key_type) { struct hostap_driver_data *drv = priv; struct prism2_hostapd_param *param; 
diff --git a/src/drivers/driver_ndis.c b/src/drivers/driver_ndis.c index 5b4b9247e..649bc01ea 100644 --- a/src/drivers/driver_ndis.c +++ b/src/drivers/driver_ndis.c @@ -932,7 +932,8 @@ static int wpa_driver_ndis_remove_key(struct wpa_driver_ndis_data *drv, static int wpa_driver_ndis_add_wep(struct wpa_driver_ndis_data *drv, int pairwise, int key_idx, int set_tx, - const u8 *key, size_t key_len) + const u8 *key, size_t key_len, + enum key_type key_type) { NDIS_802_11_WEP *wep; size_t len; @@ -967,7 +968,8 @@ static int wpa_driver_ndis_set_key(const char *ifname, void *priv, enum wpa_alg alg, const u8 *addr, int key_idx, int set_tx, const u8 *seq, size_t seq_len, - const u8 *key, size_t key_len) + const u8 *key, size_t key_len, + enum key_type key_type) { struct wpa_driver_ndis_data *drv = priv; size_t len, i; @@ -993,7 +995,7 @@ static int wpa_driver_ndis_set_key(const char *ifname, void *priv, if (alg == WPA_ALG_WEP) { return wpa_driver_ndis_add_wep(drv, pairwise, key_idx, set_tx, - key, key_len); + key, key_len, key_type); } len = 12 + 6 + 6 + 8 + key_len; @@ -1075,7 +1077,7 @@ wpa_driver_ndis_associate(void *priv, bcast, i, i == params->wep_tx_keyidx, NULL, 0, params->wep_key[i], - params->wep_key_len[i]); + params->wep_key_len[i], 0); } } @@ -1112,7 +1114,7 @@ wpa_driver_ndis_associate(void *priv, wpa_driver_ndis_set_key(drv->ifname, drv, WPA_ALG_WEP, bcast, 0, 1, NULL, 0, dummy_key, - sizeof(dummy_key)); + sizeof(dummy_key), 0); } #endif /* CONFIG_WPS */ } else { diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c index f6035a17c..1e9514c0c 100644 --- a/src/drivers/driver_nl80211.c +++ b/src/drivers/driver_nl80211.c 
@@ -3011,7 +3011,8 @@ static int wpa_driver_nl80211_set_key(const char *ifname, struct i802_bss *bss, enum wpa_alg alg, const u8 *addr, int key_idx, int set_tx, const u8 *seq, size_t seq_len, - const u8 *key, size_t key_len) + const u8 *key, size_t key_len, + enum key_type key_type) { struct wpa_driver_nl80211_data *drv = bss->drv; int ifindex; @@ -3483,7 +3484,7 @@ retry: NULL, i, i == params->wep_tx_keyidx, NULL, 0, params->wep_key[i], - params->wep_key_len[i]); + params->wep_key_len[i], 0); if (params->wep_tx_keyidx != i) continue; if (nl_add_key(msg, WPA_ALG_WEP, i, 1, NULL, 0, @@ -8642,11 +8643,13 @@ static int driver_nl80211_set_key(const char *ifname, void *priv, enum wpa_alg alg, const u8 *addr, int key_idx, int set_tx, const u8 *seq, size_t seq_len, - const u8 *key, size_t key_len) + const u8 *key, size_t key_len, + enum key_type key_type) { struct i802_bss *bss = priv; return wpa_driver_nl80211_set_key(ifname, bss, alg, addr, key_idx, - set_tx, seq, seq_len, key, key_len); + set_tx, seq, seq_len, key, key_len, + key_type); } diff --git a/src/drivers/driver_openbsd.c b/src/drivers/driver_openbsd.c index c06e75c0f..0d975c4c5 100644 --- a/src/drivers/driver_openbsd.c +++ b/src/drivers/driver_openbsd.c @@ -71,7 +71,8 @@ wpa_driver_openbsd_get_capa(void *priv, struct wpa_driver_capa *capa) static int wpa_driver_openbsd_set_key(const char *ifname, void *priv, enum wpa_alg alg, const unsigned char *addr, int key_idx, int set_tx, const u8 *seq, - size_t seq_len, const u8 *key, size_t key_len) + size_t seq_len, const u8 *key, size_t key_len, + enum key_type key_type) { struct openbsd_driver_data *drv = priv; struct ieee80211_keyavail keyavail; diff --git a/src/drivers/driver_privsep.c b/src/drivers/driver_privsep.c index 55cf61885..e3375cd90 100644 --- a/src/drivers/driver_privsep.c +++ b/src/drivers/driver_privsep.c 
@@ -209,7 +209,8 @@ static int wpa_driver_privsep_set_key(const char *ifname, void *priv, enum wpa_alg alg, const u8 *addr, int key_idx, int set_tx, const u8 *seq, size_t seq_len, - const u8 *key, size_t key_len) + const u8 *key, size_t key_len, + enum key_type key_type) { struct wpa_driver_privsep_data *drv = priv; struct privsep_cmd_set_key cmd; diff --git a/src/drivers/driver_wext.c b/src/drivers/driver_wext.c index 4d4a05d0c..ea5d667ed 100644 --- a/src/drivers/driver_wext.c +++ b/src/drivers/driver_wext.c @@ -1712,7 +1712,8 @@ static int wpa_driver_wext_set_key_ext(void *priv, enum wpa_alg alg, const u8 *addr, int key_idx, int set_tx, const u8 *seq, size_t seq_len, - const u8 *key, size_t key_len) + const u8 *key, size_t key_len, + enum key_type key_type) { struct wpa_driver_wext_data *drv = priv; struct iwreq iwr; @@ -1831,7 +1832,8 @@ static int wpa_driver_wext_set_key_ext(void *priv, enum wpa_alg alg, int wpa_driver_wext_set_key(const char *ifname, void *priv, enum wpa_alg alg, const u8 *addr, int key_idx, int set_tx, const u8 *seq, size_t seq_len, - const u8 *key, size_t key_len) + const u8 *key, size_t key_len, + enum key_type key_type) { struct wpa_driver_wext_data *drv = priv; struct iwreq iwr; @@ -1843,7 +1845,7 @@ int wpa_driver_wext_set_key(const char *ifname, void *priv, enum wpa_alg alg, (unsigned long) seq_len, (unsigned long) key_len); ret = wpa_driver_wext_set_key_ext(drv, alg, addr, key_idx, set_tx, - seq, seq_len, key, key_len); + seq, seq_len, key, key_len, key_type); if (ret == 0) return 0; diff --git a/src/drivers/driver_wext.h b/src/drivers/driver_wext.h index b4b5960a7..7e2009079 100644 --- a/src/drivers/driver_wext.h +++ b/src/drivers/driver_wext.h 
@@ -55,7 +55,8 @@ int wpa_driver_wext_set_mode(void *priv, int mode); int wpa_driver_wext_set_key(const char *ifname, void *priv, enum wpa_alg alg, const u8 *addr, int key_idx, int set_tx, const u8 *seq, size_t seq_len, - const u8 *key, size_t key_len); + const u8 *key, size_t key_len, + enum key_type key_type); int wpa_driver_wext_scan(void *priv, struct wpa_driver_scan_params *params); struct wpa_scan_results * wpa_driver_wext_get_scan_results(void *priv); diff --git a/src/rsn_supp/tdls.c b/src/rsn_supp/tdls.c index 704c95e68..28048d9fc 100644 --- a/src/rsn_supp/tdls.c +++ b/src/rsn_supp/tdls.c @@ -178,7 +178,7 @@ static u8 * wpa_add_ie(u8 *pos, const u8 *ie, size_t ie_len) static int wpa_tdls_del_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) { if (wpa_sm_set_key(sm, WPA_ALG_NONE, peer->addr, - 0, 0, NULL, 0, NULL, 0) < 0) { + 0, 0, NULL, 0, NULL, 0, 0) < 0) { wpa_printf(MSG_WARNING, "TDLS: Failed to delete TPK-TK from " "the driver"); return -1; @@ -227,8 +227,8 @@ static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) wpa_printf(MSG_DEBUG, "TDLS: Configure pairwise key for peer " MACSTR, MAC2STR(peer->addr)); - if (wpa_sm_set_key(sm, alg, peer->addr, -1, 1, - rsc, sizeof(rsc), peer->tpk.tk, key_len) < 0) { + if (wpa_sm_set_key(sm, alg, peer->addr, -1, 1, rsc, sizeof(rsc), + peer->tpk.tk, key_len, 0) < 0) { wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the " "driver"); return -1; diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c index c929e8194..d28843d9f 100644 --- a/src/rsn_supp/wpa.c +++ b/src/rsn_supp/wpa.c @@ -781,7 +781,8 @@ static void wpa_sm_rekey_ptk(void *eloop_ctx, void *timeout_ctx) static int wpa_supplicant_install_ptk(struct wpa_sm *sm, - const struct wpa_eapol_key *key) + const struct wpa_eapol_key *key, + enum key_type key_type) { int keylen, rsclen; enum wpa_alg alg; 
@@ -826,7 +827,7 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm, } if (wpa_sm_set_key(sm, alg, sm->bssid, 0, 1, key_rsc, rsclen, - sm->ptk.tk, keylen) < 0) { + sm->ptk.tk, keylen, key_type) < 0) { wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: Failed to set PTK to the " "driver (alg=%d keylen=%d bssid=" MACSTR ")", @@ -919,7 +920,7 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm, if (sm->pairwise_cipher == WPA_CIPHER_NONE) { if (wpa_sm_set_key(sm, gd->alg, NULL, gd->keyidx, 1, key_rsc, gd->key_rsc_len, - _gtk, gd->gtk_len) < 0) { + _gtk, gd->gtk_len, 0) < 0) { wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: Failed to set GTK to the driver " "(Group only)"); @@ -928,7 +929,7 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm, } } else if (wpa_sm_set_key(sm, gd->alg, broadcast_ether_addr, gd->keyidx, gd->tx, key_rsc, gd->key_rsc_len, - _gtk, gd->gtk_len) < 0) { + _gtk, gd->gtk_len, 0) < 0) { wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: Failed to set GTK to " "the driver (alg=%d keylen=%d keyidx=%d)", @@ -1083,7 +1084,7 @@ static int wpa_supplicant_install_igtk(struct wpa_sm *sm, if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher), broadcast_ether_addr, keyidx, 0, igtk->pn, sizeof(igtk->pn), - igtk->igtk, len) < 0) { + igtk->igtk, len, 0) < 0) { if (keyidx == 0x0400 || keyidx == 0x0500) { /* Assume the AP has broken PMF implementation since it * seems to have swapped the KeyID bytes. The AP cannot @@ -1532,7 +1533,7 @@ static void wpa_supplicant_process_3_of_4(struct wpa_sm *sm, sm->renew_snonce = 1; if (key_info & WPA_KEY_INFO_INSTALL) { - if (wpa_supplicant_install_ptk(sm, key)) + if (wpa_supplicant_install_ptk(sm, key, 0)) goto failed; } 
@@ -4458,7 +4459,7 @@ int fils_process_assoc_resp(struct wpa_sm *sm, const u8 *resp, size_t len) wpa_hexdump_key(MSG_DEBUG, "FILS: Set TK to driver", sm->ptk.tk, keylen); if (wpa_sm_set_key(sm, alg, sm->bssid, 0, 1, null_rsc, rsclen, - sm->ptk.tk, keylen) < 0) { + sm->ptk.tk, keylen, 0) < 0) { wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "FILS: Failed to set PTK to the driver (alg=%d keylen=%d bssid=" MACSTR ")", diff --git a/src/rsn_supp/wpa.h b/src/rsn_supp/wpa.h index ae9cd6484..698154b94 100644 --- a/src/rsn_supp/wpa.h +++ b/src/rsn_supp/wpa.h @@ -30,7 +30,7 @@ struct wpa_sm_ctx { int (*set_key)(void *ctx, enum wpa_alg alg, const u8 *addr, int key_idx, int set_tx, const u8 *seq, size_t seq_len, - const u8 *key, size_t key_len); + const u8 *key, size_t key_len, enum key_type key_type); void * (*get_network_ctx)(void *ctx); int (*get_bssid)(void *ctx, u8 *bssid); int (*ether_send)(void *ctx, const u8 *dest, u16 proto, const u8 *buf, diff --git a/src/rsn_supp/wpa_ft.c b/src/rsn_supp/wpa_ft.c index f698ff4eb..b67874bab 100644 --- a/src/rsn_supp/wpa_ft.c +++ b/src/rsn_supp/wpa_ft.c @@ -412,7 +412,8 @@ static int wpa_ft_install_ptk(struct wpa_sm *sm, const u8 *bssid) keylen = wpa_cipher_key_len(sm->pairwise_cipher); if (wpa_sm_set_key(sm, alg, bssid, 0, 1, null_rsc, - sizeof(null_rsc), (u8 *) sm->ptk.tk, keylen) < 0) { + sizeof(null_rsc), (u8 *) sm->ptk.tk, keylen, + 0) < 0) { wpa_printf(MSG_WARNING, "FT: Failed to set PTK to the driver"); return -1; } @@ -764,7 +765,7 @@ static int wpa_ft_process_gtk_subelem(struct wpa_sm *sm, const u8 *gtk_elem, os_memcpy(gtk + 24, tmp, 8); } if (wpa_sm_set_key(sm, alg, broadcast_ether_addr, keyidx, 0, - gtk_elem + 3, rsc_len, gtk, keylen) < 0) { + gtk_elem + 3, rsc_len, gtk, keylen, 0) < 0) { wpa_printf(MSG_WARNING, "WPA: Failed to set GTK to the " "driver."); return -1; 
@@ -832,7 +833,7 @@ static int wpa_ft_process_igtk_subelem(struct wpa_sm *sm, const u8 *igtk_elem, igtk_len); if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher), broadcast_ether_addr, keyidx, 0, - igtk_elem + 2, 6, igtk, igtk_len) < 0) { + igtk_elem + 2, 6, igtk, igtk_len, 0) < 0) { wpa_printf(MSG_WARNING, "WPA: Failed to set IGTK to the " "driver."); forced_memzero(igtk, sizeof(igtk)); diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h index d86734b0d..7423e8aee 100644 --- a/src/rsn_supp/wpa_i.h +++ b/src/rsn_supp/wpa_i.h @@ -197,11 +197,12 @@ static inline void wpa_sm_deauthenticate(struct wpa_sm *sm, u16 reason_code) static inline int wpa_sm_set_key(struct wpa_sm *sm, enum wpa_alg alg, const u8 *addr, int key_idx, int set_tx, const u8 *seq, size_t seq_len, - const u8 *key, size_t key_len) + const u8 *key, size_t key_len, + enum key_type key_type) { WPA_ASSERT(sm->ctx->set_key); return sm->ctx->set_key(sm->ctx->ctx, alg, addr, key_idx, set_tx, - seq, seq_len, key, key_len); + seq, seq_len, key, key_len, key_type); } static inline void * wpa_sm_get_network_ctx(struct wpa_sm *sm) diff --git a/tests/hwsim/test_ap_ciphers.py b/tests/hwsim/test_ap_ciphers.py index e10927a9c..cd45c6fd9 100644 --- a/tests/hwsim/test_ap_ciphers.py +++ b/tests/hwsim/test_ap_ciphers.py @@ -862,7 +862,7 @@ def test_ap_wpa2_delayed_m1_m3_zero_tk(dev, apdev): if "OK" not in hapd.request("RESEND_M3 " + addr): raise Exception("RESEND_M3 failed") - if "OK" not in hapd.request("SET_KEY 3 %s %d %d %s %s" % (addr, 0, 1, 6*"00", 16*"00")): + if "OK" not in hapd.request("SET_KEY 3 %s %d %d %s %s 0" % (addr, 0, 1, 6*"00", 16*"00")): raise Exception("SET_KEY failed") time.sleep(0.1) hwsim_utils.test_connectivity(dev[0], hapd, timeout=1, broadcast=False, diff --git a/wpa_supplicant/ctrl_iface.c b/wpa_supplicant/ctrl_iface.c index 8efc08d4d..5c7fd87c5 100644 --- a/wpa_supplicant/ctrl_iface.c +++ b/wpa_supplicant/ctrl_iface.c 
@@ -5237,17 +5237,17 @@ static void wpa_supplicant_ctrl_iface_drop_sa(struct wpa_supplicant *wpa_s) { wpa_printf(MSG_DEBUG, "Dropping SA without deauthentication"); /* MLME-DELETEKEYS.request */ - wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 0, 0, NULL, 0, NULL, 0); - wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 1, 0, NULL, 0, NULL, 0); - wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 2, 0, NULL, 0, NULL, 0); - wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 3, 0, NULL, 0, NULL, 0); + wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 0, 0, NULL, 0, NULL, 0, 0); + wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 1, 0, NULL, 0, NULL, 0, 0); + wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 2, 0, NULL, 0, NULL, 0, 0); + wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 3, 0, NULL, 0, NULL, 0, 0); #ifdef CONFIG_IEEE80211W - wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 4, 0, NULL, 0, NULL, 0); - wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 5, 0, NULL, 0, NULL, 0); + wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 4, 0, NULL, 0, NULL, 0, 0); + wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 5, 0, NULL, 0, NULL, 0, 0); #endif /* CONFIG_IEEE80211W */ wpa_drv_set_key(wpa_s, WPA_ALG_NONE, wpa_s->bssid, 0, 0, NULL, 0, NULL, - 0); + 0, 0); /* MLME-SETPROTECTION.request(None) */ wpa_drv_mlme_setprotection(wpa_s, wpa_s->bssid, MLME_SETPROTECTION_PROTECT_TYPE_NONE, @@ -9227,13 +9227,13 @@ static int wpas_ctrl_reset_pn(struct wpa_supplicant *wpa_s) * in the driver. */ if (wpa_drv_set_key(wpa_s, wpa_s->last_tk_alg, wpa_s->last_tk_addr, wpa_s->last_tk_key_idx, 1, zero, 6, - zero, wpa_s->last_tk_len) < 0) + zero, wpa_s->last_tk_len, 0) < 0) return -1; /* Set the previously configured key to reset its TSC/RSC */ return wpa_drv_set_key(wpa_s, wpa_s->last_tk_alg, wpa_s->last_tk_addr, wpa_s->last_tk_key_idx, 1, zero, 6, - wpa_s->last_tk, wpa_s->last_tk_len); + wpa_s->last_tk, wpa_s->last_tk_len, 0); } diff --git a/wpa_supplicant/driver_i.h b/wpa_supplicant/driver_i.h index cf9972a6b..efb17c471 100644 --- a/wpa_supplicant/driver_i.h 
+++ b/wpa_supplicant/driver_i.h @@ -152,7 +152,8 @@ static inline int wpa_drv_set_key(struct wpa_supplicant *wpa_s, enum wpa_alg alg, const u8 *addr, int key_idx, int set_tx, const u8 *seq, size_t seq_len, - const u8 *key, size_t key_len) + const u8 *key, size_t key_len, + enum key_type key_type) { if (alg != WPA_ALG_NONE) { if (key_idx >= 0 && key_idx <= 6) @@ -163,7 +164,8 @@ static inline int wpa_drv_set_key(struct wpa_supplicant *wpa_s, if (wpa_s->driver->set_key) { return wpa_s->driver->set_key(wpa_s->ifname, wpa_s->drv_priv, alg, addr, key_idx, set_tx, - seq, seq_len, key, key_len); + seq, seq_len, key, key_len, + key_type); } return -1; } diff --git a/wpa_supplicant/ibss_rsn.c b/wpa_supplicant/ibss_rsn.c index 6934c4725..c1d40a9d3 100644 --- a/wpa_supplicant/ibss_rsn.c +++ b/wpa_supplicant/ibss_rsn.c @@ -139,7 +139,7 @@ static void ibss_check_rsn_completed(struct ibss_rsn_peer *peer) static int supp_set_key(void *ctx, enum wpa_alg alg, const u8 *addr, int key_idx, int set_tx, const u8 *seq, size_t seq_len, - const u8 *key, size_t key_len) + const u8 *key, size_t key_len, enum key_type key_type) { struct ibss_rsn_peer *peer = ctx; @@ -166,7 +166,7 @@ static int supp_set_key(void *ctx, enum wpa_alg alg, if (is_broadcast_ether_addr(addr)) addr = peer->addr; return wpa_drv_set_key(peer->ibss_rsn->wpa_s, alg, addr, key_idx, - set_tx, seq, seq_len, key, key_len); + set_tx, seq, seq_len, key, key_len, key_type); } @@ -295,7 +295,8 @@ static int auth_send_eapol(void *ctx, const u8 *addr, const u8 *data, static int auth_set_key(void *ctx, int vlan_id, enum wpa_alg alg, - const u8 *addr, int idx, u8 *key, size_t key_len) + const u8 *addr, int idx, u8 *key, size_t key_len, + enum key_type key_type) { struct ibss_rsn *ibss_rsn = ctx; u8 seq[6]; @@ -334,7 +335,7 @@ static int auth_set_key(void *ctx, int vlan_id, enum wpa_alg alg, } return wpa_drv_set_key(ibss_rsn->wpa_s, alg, addr, idx, - 1, seq, 6, key, key_len); + 1, seq, 6, key, key_len, key_type); } 
@@ -851,7 +852,7 @@ static void ibss_rsn_handle_auth_1_of_2(struct ibss_rsn *ibss_rsn, wpa_printf(MSG_DEBUG, "RSN: Clear pairwise key for peer " MACSTR, MAC2STR(addr)); wpa_drv_set_key(ibss_rsn->wpa_s, WPA_ALG_NONE, addr, 0, 0, - NULL, 0, NULL, 0); + NULL, 0, NULL, 0, 0); } if (peer && diff --git a/wpa_supplicant/mesh_mpm.c b/wpa_supplicant/mesh_mpm.c index 4a163b6eb..041c158e4 100644 --- a/wpa_supplicant/mesh_mpm.c +++ b/wpa_supplicant/mesh_mpm.c @@ -876,7 +876,7 @@ static void mesh_mpm_plink_estab(struct wpa_supplicant *wpa_s, wpa_hexdump_key(MSG_DEBUG, "mesh: MTK", sta->mtk, sta->mtk_len); wpa_drv_set_key(wpa_s, wpa_cipher_to_alg(conf->pairwise_cipher), sta->addr, 0, 0, seq, sizeof(seq), - sta->mtk, sta->mtk_len); + sta->mtk, sta->mtk_len, 0); wpa_hexdump_key(MSG_DEBUG, "mesh: RX MGTK Key RSC", sta->mgtk_rsc, sizeof(sta->mgtk_rsc)); @@ -885,7 +885,7 @@ static void mesh_mpm_plink_estab(struct wpa_supplicant *wpa_s, wpa_drv_set_key(wpa_s, wpa_cipher_to_alg(conf->group_cipher), sta->addr, sta->mgtk_key_id, 0, sta->mgtk_rsc, sizeof(sta->mgtk_rsc), - sta->mgtk, sta->mgtk_len); + sta->mgtk, sta->mgtk_len, 0); if (sta->igtk_len) { wpa_hexdump_key(MSG_DEBUG, "mesh: RX IGTK Key RSC", @@ -897,7 +897,7 @@ static void mesh_mpm_plink_estab(struct wpa_supplicant *wpa_s, wpa_cipher_to_alg(conf->mgmt_group_cipher), sta->addr, sta->igtk_key_id, 0, sta->igtk_rsc, sizeof(sta->igtk_rsc), - sta->igtk, sta->igtk_len); + sta->igtk, sta->igtk_len, 0); } } diff --git a/wpa_supplicant/mesh_rsn.c b/wpa_supplicant/mesh_rsn.c index 4b8d6c469..67090fe56 100644 --- a/wpa_supplicant/mesh_rsn.c +++ b/wpa_supplicant/mesh_rsn.c @@ -100,7 +100,8 @@ static const u8 *auth_get_psk(void *ctx, const u8 *addr, static int auth_set_key(void *ctx, int vlan_id, enum wpa_alg alg, - const u8 *addr, int idx, u8 *key, size_t key_len) + const u8 *addr, int idx, u8 *key, size_t key_len, + enum key_type key_type) { struct mesh_rsn *mesh_rsn = ctx; u8 seq[6]; 
@@ -118,7 +119,7 @@ static int auth_set_key(void *ctx, int vlan_id, enum wpa_alg alg, wpa_hexdump_key(MSG_DEBUG, "AUTH: set_key - key", key, key_len); return wpa_drv_set_key(mesh_rsn->wpa_s, alg, addr, idx, - 1, seq, 6, key, key_len); + 1, seq, 6, key, key_len, key_type); } @@ -199,7 +200,7 @@ static int __mesh_rsn_auth_init(struct mesh_rsn *rsn, const u8 *addr, wpa_drv_set_key(rsn->wpa_s, wpa_cipher_to_alg(rsn->mgmt_group_cipher), NULL, rsn->igtk_key_id, 1, - seq, sizeof(seq), rsn->igtk, rsn->igtk_len); + seq, sizeof(seq), rsn->igtk, rsn->igtk_len, 0); } #endif /* CONFIG_IEEE80211W */ @@ -208,7 +209,7 @@ static int __mesh_rsn_auth_init(struct mesh_rsn *rsn, const u8 *addr, rsn->mgtk, rsn->mgtk_len); wpa_drv_set_key(rsn->wpa_s, wpa_cipher_to_alg(rsn->group_cipher), NULL, rsn->mgtk_key_id, 1, seq, sizeof(seq), - rsn->mgtk, rsn->mgtk_len); + rsn->mgtk, rsn->mgtk_len, 0); return 0; } diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c index e7a24fc9c..d9d08c1e4 100644 --- a/wpa_supplicant/wpa_supplicant.c +++ b/wpa_supplicant/wpa_supplicant.c @@ -142,7 +142,7 @@ int wpa_set_wep_keys(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid) set = 1; wpa_drv_set_key(wpa_s, WPA_ALG_WEP, NULL, i, i == ssid->wep_tx_keyidx, NULL, 0, - ssid->wep_key[i], ssid->wep_key_len[i]); + ssid->wep_key[i], ssid->wep_key_len[i], 0); } return set; @@ -200,7 +200,7 @@ int wpa_supplicant_set_wpa_none_key(struct wpa_supplicant *wpa_s, /* TODO: should actually remember the previously used seq#, both for TX * and RX from each STA.. */ - ret = wpa_drv_set_key(wpa_s, alg, NULL, 0, 1, seq, 6, key, keylen); + ret = wpa_drv_set_key(wpa_s, alg, NULL, 0, 1, seq, 6, key, keylen, 0); os_memset(key, 0, sizeof(key)); return ret; } 
@@ -706,12 +706,12 @@ void wpa_clear_keys(struct wpa_supplicant *wpa_s, const u8 *addr) if (wpa_s->keys_cleared & BIT(i)) continue; wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, i, 0, NULL, 0, - NULL, 0); + NULL, 0, 0); } if (!(wpa_s->keys_cleared & BIT(0)) && addr && !is_zero_ether_addr(addr)) { wpa_drv_set_key(wpa_s, WPA_ALG_NONE, addr, 0, 0, NULL, 0, NULL, - 0); + 0, 0); /* MLME-SETPROTECTION.request(None) */ wpa_drv_mlme_setprotection( wpa_s, addr, diff --git a/wpa_supplicant/wpas_glue.c b/wpa_supplicant/wpas_glue.c index 62af7f6b1..4d461e645 100644 --- a/wpa_supplicant/wpas_glue.c +++ b/wpa_supplicant/wpas_glue.c @@ -242,7 +242,7 @@ static int wpa_eapol_set_wep_key(void *ctx, int unicast, int keyidx, } return wpa_drv_set_key(wpa_s, WPA_ALG_WEP, unicast ? wpa_s->bssid : NULL, - keyidx, unicast, NULL, 0, key, keylen); + keyidx, unicast, NULL, 0, key, keylen, 0); } @@ -341,7 +341,7 @@ static void wpa_supplicant_eapol_cb(struct eapol_sm *eapol, "handshake", pmk, pmk_len); if (wpa_drv_set_key(wpa_s, WPA_ALG_PMK, NULL, 0, 0, NULL, 0, pmk, - pmk_len)) { + pmk_len, 0)) { wpa_printf(MSG_DEBUG, "Failed to set PMK to the driver"); } @@ -488,7 +488,8 @@ static int wpa_supplicant_get_bssid(void *ctx, u8 *bssid) static int wpa_supplicant_set_key(void *_wpa_s, enum wpa_alg alg, const u8 *addr, int key_idx, int set_tx, const u8 *seq, size_t seq_len, - const u8 *key, size_t key_len) + const u8 *key, size_t key_len, + enum key_type key_type) { struct wpa_supplicant *wpa_s = _wpa_s; if (alg == WPA_ALG_TKIP && key_idx == 0 && key_len == 32) { @@ -513,7 +514,7 @@ static int wpa_supplicant_set_key(void *_wpa_s, enum wpa_alg alg, } #endif /* CONFIG_TESTING_OPTIONS */ return wpa_drv_set_key(wpa_s, alg, addr, key_idx, set_tx, seq, seq_len, - key, key_len); + key, key_len, key_type); } 
@@ -1157,7 +1158,7 @@ static int wpa_supplicant_key_mgmt_set_pmk(void *ctx, const u8 *pmk, if (wpa_s->conf->key_mgmt_offload && (wpa_s->drv_flags & WPA_DRIVER_FLAGS_KEY_MGMT_OFFLOAD)) return wpa_drv_set_key(wpa_s, WPA_ALG_PMK, NULL, 0, 0, - NULL, 0, pmk, pmk_len); + NULL, 0, pmk, pmk_len, 0); else return 0; }

From patchwork Sat Aug 17 21:14:22 2019
From: Alexander Wetzel
To: j@w1.fi
Subject: [PATCH v3 04/17] hostapd: Set the correct key_type for key installs
Date: Sat, 17 Aug 2019 23:14:22 +0200
Message-Id: <20190817211435.158335-5-alexander@wetzel-home.de>
In-Reply-To: <20190817211435.158335-1-alexander@wetzel-home.de>
References: <20190817211435.158335-1-alexander@wetzel-home.de>
Cc: Alexander Wetzel , hostap@lists.infradead.org, luca@coelho.fi, johannes@sipsolutions.net

In addition to the existing set_key boolean also set the key_type for all key installs without using it yet. The old signaling via set_tx is deprecated and will be removed via a separate patch. Until that is done, either set_tx or the new key_type can be used to detect a default key. Having the correct key_types available allows us to migrate the users of set_tx to the new key_type step by step.

Signed-off-by: Alexander Wetzel
---
 hostapd/ctrl_iface.c           | 24 ++++++++++++++----------
 src/ap/hostapd.c               | 15 +++++++++------
 src/ap/ieee802_11.c            |  3 ++-
 src/ap/ieee802_1x.c            |  7 ++++---
 src/ap/wpa_auth.c              | 11 ++++++-----
 src/ap/wpa_auth_ft.c           |  2 +-
 tests/hwsim/test_ap_ciphers.py |  2 +-
 7 files changed, 37 insertions(+), 27 deletions(-)

diff --git a/hostapd/ctrl_iface.c b/hostapd/ctrl_iface.c index 3b1fc64b8..6b202b512 100644 --- a/hostapd/ctrl_iface.c +++ b/hostapd/ctrl_iface.c @@ -2122,7 +2122,8 @@ static int hostapd_ctrl_reset_pn(struct hostapd_data *hapd, const char *cmd) hapd->last_igtk_alg, broadcast_ether_addr, hapd->last_igtk_key_idx, 1, NULL, 0, - zero, hapd->last_igtk_len, 0) < 0) + zero, hapd->last_igtk_len, + KEY_TYPE_BROADCAST) < 0) return -1; /* Set the previously configured key to reset its TSC */ @@ -2131,7 +2132,8 @@ static int hostapd_ctrl_reset_pn(struct hostapd_data *hapd, const char *cmd) broadcast_ether_addr, hapd->last_igtk_key_idx, 1, NULL, 0, hapd->last_igtk, - hapd->last_igtk_len, 0); + hapd->last_igtk_len, + KEY_TYPE_BROADCAST); } #endif /* CONFIG_IEEE80211W */
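Review bot: the commit message says "the existing set_key boolean", but the flag the rest of the message and all of the hunks deal with is set_tx (the int passed as 1 or 0 just before the seq argument); please fix the name so the description matches the code, here and in the identical message of 05/17.

Review bot: in the two hostapd_ctrl_reset_pn() IGTK hunks the zero-key install and the real-key install that follows it are one logical key operation, so the type now has to be kept identical in two places; a local `enum key_type type = KEY_TYPE_BROADCAST;` at the top of the block (and likewise for the GTK and TK pairs below) would make that coupling explicit and shorten the wrapped argument lists.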
@@ -2147,7 +2149,8 @@ static int hostapd_ctrl_reset_pn(struct hostapd_data *hapd, const char *cmd) hapd->last_gtk_alg, broadcast_ether_addr, hapd->last_gtk_key_idx, 1, NULL, 0, - zero, hapd->last_gtk_len, 0) < 0) + zero, hapd->last_gtk_len, + KEY_TYPE_BROADCAST) < 0) return -1; /* Set the previously configured key to reset its TSC */ @@ -2156,7 +2159,7 @@ static int hostapd_ctrl_reset_pn(struct hostapd_data *hapd, const char *cmd) broadcast_ether_addr, hapd->last_gtk_key_idx, 1, NULL, 0, hapd->last_gtk, hapd->last_gtk_len, - 0); + KEY_TYPE_BROADCAST); } sta = ap_get_sta(hapd, addr); @@ -2173,13 +2176,14 @@ static int hostapd_ctrl_reset_pn(struct hostapd_data *hapd, const char *cmd) * in the driver. */ if (hostapd_drv_set_key(hapd->conf->iface, hapd, sta->last_tk_alg, sta->addr, sta->last_tk_key_idx, 1, NULL, 0, - zero, sta->last_tk_len, 0) < 0) + zero, sta->last_tk_len, KEY_TYPE_PAIRWISE) < 0) return -1; /* Set the previously configured key to reset its TSC/RSC */ return hostapd_drv_set_key(hapd->conf->iface, hapd, sta->last_tk_alg, sta->addr, sta->last_tk_key_idx, 1, NULL, 0, - sta->last_tk, sta->last_tk_len, 0); + sta->last_tk, sta->last_tk_len, + KEY_TYPE_PAIRWISE); } @@ -2253,7 +2257,7 @@ static void restore_tk(void *ctx1, void *ctx2) * preventing encryption of a single EAPOL frame. */ hostapd_drv_set_key(hapd->conf->iface, hapd, sta->last_tk_alg, sta->addr, sta->last_tk_key_idx, 1, NULL, 0, - sta->last_tk, sta->last_tk_len, 0); + sta->last_tk, sta->last_tk_len, KEY_TYPE_PAIRWISE); } @@ -2277,7 +2281,7 @@ static int hostapd_ctrl_resend_m1(struct hostapd_data *hapd, const char *cmd) MAC2STR(sta->addr)); hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_NONE, sta->addr, sta->last_tk_key_idx, 0, NULL, 0, - NULL, 0, 0); + NULL, 0, KEY_TYPE_PAIRWISE); } wpa_printf(MSG_INFO, "TESTING: Send M1 to " MACSTR, MAC2STR(sta->addr)); 
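Review bot: the WPA_ALG_NONE removal in hostapd_ctrl_resend_m1() and, above it, the TK reinstall in restore_tk() both pass KEY_TYPE_PAIRWISE, so the patch implicitly decides that a deletion must carry the type the key was installed with; that contract is not stated in the commit message or anywhere visible in this series, and it matters because the group-key clears elsewhere in this patch do not follow it. Please document for WPA_ALG_NONE whether key_type is required, advisory or ignored.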
@@ -2307,7 +2311,7 @@ static int hostapd_ctrl_resend_m3(struct hostapd_data *hapd, const char *cmd) MAC2STR(sta->addr)); hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_NONE, sta->addr, sta->last_tk_key_idx, 0, NULL, 0, - NULL, 0, 0); + NULL, 0, KEY_TYPE_PAIRWISE); } wpa_printf(MSG_INFO, "TESTING: Send M3 to " MACSTR, MAC2STR(sta->addr)); @@ -2337,7 +2341,7 @@ static int hostapd_ctrl_resend_group_m1(struct hostapd_data *hapd, MAC2STR(sta->addr)); hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_NONE, sta->addr, sta->last_tk_key_idx, 0, NULL, 0, - NULL, 0, 0); + NULL, 0, KEY_TYPE_PAIRWISE); } wpa_printf(MSG_INFO, diff --git a/src/ap/hostapd.c b/src/ap/hostapd.c index c0cf9a973..3ac84cc14 100644 --- a/src/ap/hostapd.c +++ b/src/ap/hostapd.c @@ -292,8 +292,8 @@ static void hostapd_broadcast_key_clear_iface(struct hostapd_data *hapd, if (!ifname || !hapd->drv_priv) return; for (i = 0; i < NUM_WEP_KEYS; i++) { - if (hostapd_drv_set_key(ifname, hapd, WPA_ALG_NONE, NULL, i, - 0, NULL, 0, NULL, 0, 0)) { + if (hostapd_drv_set_key(ifname, hapd, WPA_ALG_NONE, NULL, i, 0, + NULL, 0, NULL, 0, KEY_TYPE_BROADCAST)) { wpa_printf(MSG_DEBUG, "Failed to clear default " "encryption keys (ifname=%s keyidx=%d)", ifname, i); @@ -303,8 +303,8 @@ static void hostapd_broadcast_key_clear_iface(struct hostapd_data *hapd, if (hapd->conf->ieee80211w) { for (i = NUM_WEP_KEYS; i < NUM_WEP_KEYS + 2; i++) { if (hostapd_drv_set_key(ifname, hapd, WPA_ALG_NONE, - NULL, i, 0, NULL, - 0, NULL, 0, 0)) { + NULL, i, 0, NULL, 0, + NULL, 0, KEY_TYPE_BROADCAST)) { wpa_printf(MSG_DEBUG, "Failed to clear " "default mgmt encryption keys " "(ifname=%s keyidx=%d)", ifname, i); 
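Review bot: hostapd_broadcast_key_clear_iface() deletes every index in 0..NUM_WEP_KEYS-1 (and the two management-key indices) as KEY_TYPE_BROADCAST, but hostapd_setup_encryption() and hostapd_set_wds_encryption() later in this patch install index wep.idx as KEY_TYPE_DEFAULT, so the TX WEP key is removed under a different type than it was set with. If drivers are meant to use the type on removal, reuse the `i == hapd->conf->ssid.wep.idx ? KEY_TYPE_DEFAULT : KEY_TYPE_BROADCAST` expression here; if not, a one-line comment that key_type is ignored for WPA_ALG_NONE would save the next reader the same question.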
@@ -332,7 +332,7 @@ static int hostapd_broadcast_wep_set(struct hostapd_data *hapd) hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, broadcast_ether_addr, idx, 1, NULL, 0, ssid->wep.key[idx], - ssid->wep.len[idx], 0)) { + ssid->wep.len[idx], KEY_TYPE_DEFAULT)) { wpa_printf(MSG_WARNING, "Could not set WEP encryption."); errors++; } @@ -560,7 +560,10 @@ static int hostapd_setup_encryption(char *iface, struct hostapd_data *hapd) hostapd_drv_set_key(iface, hapd, WPA_ALG_WEP, NULL, i, i == hapd->conf->ssid.wep.idx, NULL, 0, hapd->conf->ssid.wep.key[i], - hapd->conf->ssid.wep.len[i], 0)) { + hapd->conf->ssid.wep.len[i], + i == hapd->conf->ssid.wep.idx ? + KEY_TYPE_DEFAULT : + KEY_TYPE_BROADCAST)) { wpa_printf(MSG_WARNING, "Could not set WEP " "encryption."); return -1; diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c index dfe977b75..bc2e50eeb 100644 --- a/src/ap/ieee802_11.c +++ b/src/ap/ieee802_11.c @@ -4772,7 +4772,8 @@ static void hostapd_set_wds_encryption(struct hostapd_data *hapd, hostapd_drv_set_key(ifname_wds, hapd, WPA_ALG_WEP, NULL, i, i == ssid->wep.idx, NULL, 0, ssid->wep.key[i], ssid->wep.len[i], - 0)) { + i == ssid->wep.idx ? KEY_TYPE_DEFAULT : + KEY_TYPE_BROADCAST)) { wpa_printf(MSG_WARNING, "Could not set WEP keys for WDS interface; %s", ifname_wds); diff --git a/src/ap/ieee802_1x.c b/src/ap/ieee802_1x.c index 657fe94a9..29e502e18 100644 --- a/src/ap/ieee802_1x.c +++ b/src/ap/ieee802_1x.c @@ -286,7 +286,7 @@ static void ieee802_1x_tx_key(struct hostapd_data *hapd, struct sta_info *sta) if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, sta->addr, 0, 1, NULL, 0, ikey, hapd->conf->individual_wep_key_len, - 0)) { + KEY_TYPE_DEFAULT)) { wpa_printf(MSG_ERROR, "Could not set individual WEP " "encryption."); } 
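Review bot: ieee802_1x_tx_key() installs the individual WEP key for sta->addr with KEY_TYPE_DEFAULT, while every other key in this patch that is bound to a single station address (wpa_remove_ptk(), fils_set_tk(), PTKINITDONE, wpa_ft_install_ptk(), the TK paths in ctrl_iface.c) is KEY_TYPE_PAIRWISE; if the driver is supposed to choose between its pairwise and default-key tables by key_type rather than by addr, this unicast WEP key ends up in the wrong table. Either tag it KEY_TYPE_PAIRWISE or add a comment stating that WEP unicast keys are deliberately treated as default keys.

Review bot: hostapd_setup_encryption() and hostapd_set_wds_encryption() now evaluate `i == hapd->conf->ssid.wep.idx` (respectively `i == ssid->wep.idx`) twice per call, once for set_tx and once for the key_type ternary; compute it once into a local and pass it to both arguments so the two cannot diverge when set_tx is removed later.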
@@ -2171,7 +2171,8 @@ static void ieee802_1x_rekey(void *eloop_ctx, void *timeout_ctx) broadcast_ether_addr, eapol->default_wep_key_idx, 1, NULL, 0, eapol->default_wep_key, - hapd->conf->default_wep_key_len, 0)) { + hapd->conf->default_wep_key_len, + KEY_TYPE_DEFAULT)) { hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X, HOSTAPD_LEVEL_WARNING, "failed to configure a " "new broadcast key"); @@ -2486,7 +2487,7 @@ int ieee802_1x_init(struct hostapd_data *hapd) for (i = 0; i < 4; i++) hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_NONE, NULL, i, 0, NULL, 0, - NULL, 0, 0); + NULL, 0, KEY_TYPE_BROADCAST); ieee802_1x_rekey(hapd, NULL); diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c index 919ba1f42..ba415bd66 100644 --- a/src/ap/wpa_auth.c +++ b/src/ap/wpa_auth.c @@ -1714,7 +1714,7 @@ void wpa_remove_ptk(struct wpa_state_machine *sm) sm->PTK_valid = FALSE; os_memset(&sm->PTK, 0, sizeof(sm->PTK)); if (wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 0, NULL, - 0, 0)) + 0, KEY_TYPE_PAIRWISE)) wpa_printf(MSG_DEBUG, "RSN: PTK removal from the driver failed"); sm->pairwise_set = FALSE; @@ -2748,7 +2748,7 @@ int fils_set_tk(struct wpa_state_machine *sm) wpa_printf(MSG_DEBUG, "FILS: Configure TK to the driver"); if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0, - sm->PTK.tk, klen, 0)) { + sm->PTK.tk, klen, KEY_TYPE_PAIRWISE)) { wpa_printf(MSG_DEBUG, "FILS: Failed to set TK to the driver"); return -1; } @@ -3346,7 +3346,7 @@ SM_STATE(WPA_PTK, PTKINITDONE) enum wpa_alg alg = wpa_cipher_to_alg(sm->pairwise); int klen = wpa_cipher_key_len(sm->pairwise); if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0, - sm->PTK.tk, klen, 0)) { + sm->PTK.tk, klen, KEY_TYPE_PAIRWISE)) { wpa_sta_disconnect(sm->wpa_auth, sm->addr, WLAN_REASON_PREV_AUTH_NOT_VALID); return; 
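Review bot: ieee802_1x_init() clears indices 0..3 as KEY_TYPE_BROADCAST although the ieee802_1x_rekey() hunk just above installs the key at eapol->default_wep_key_idx as KEY_TYPE_DEFAULT, the same install/remove type mismatch as in hostapd_broadcast_key_clear_iface(); since the loop is being edited anyway, its literal 4 could become NUM_WEP_KEYS, which hostapd.c already uses for the identical clear loop.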
@@ -3945,7 +3945,8 @@ static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth, if (wpa_auth_set_key(wpa_auth, group->vlan_id, wpa_cipher_to_alg(wpa_auth->conf.wpa_group), broadcast_ether_addr, group->GN, - group->GTK[group->GN - 1], group->GTK_len, 0) < 0) + group->GTK[group->GN - 1], group->GTK_len, + KEY_TYPE_BROADCAST) < 0) ret = -1; #ifdef CONFIG_IEEE80211W @@ -3960,7 +3961,7 @@ static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth, wpa_auth_set_key(wpa_auth, group->vlan_id, alg, broadcast_ether_addr, group->GN_igtk, group->IGTK[group->GN_igtk - 4], - len, 0) < 0) + len, KEY_TYPE_BROADCAST) < 0) ret = -1; } #endif /* CONFIG_IEEE80211W */ diff --git a/src/ap/wpa_auth_ft.c b/src/ap/wpa_auth_ft.c index 69ed68244..0f1a51832 100644 --- a/src/ap/wpa_auth_ft.c +++ b/src/ap/wpa_auth_ft.c @@ -2653,7 +2653,7 @@ void wpa_ft_install_ptk(struct wpa_state_machine *sm) * optimized by adding the STA entry earlier. */ if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0, - sm->PTK.tk, klen, 0)) + sm->PTK.tk, klen, KEY_TYPE_PAIRWISE)) return; /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */ diff --git a/tests/hwsim/test_ap_ciphers.py b/tests/hwsim/test_ap_ciphers.py index cd45c6fd9..a6ba27d99 100644 --- a/tests/hwsim/test_ap_ciphers.py +++ b/tests/hwsim/test_ap_ciphers.py 
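Review bot: wpa_group_config_group_keys() tags the GTK and IGTK KEY_TYPE_BROADCAST, and hostapd_ctrl_reset_pn() re-installs the same GTK with set_tx = 1 and KEY_TYPE_BROADCAST, whereas hostapd_broadcast_wep_set() and ieee802_1x_rekey() pair set_tx = 1 with KEY_TYPE_DEFAULT; the commit message claims "either set_tx or the new key_type can be used to detect a default key", which is not true for the AP's WPA group keys after this patch. If KEY_TYPE_DEFAULT is meant to be narrower than set_tx = 1 (a key that also protects unicast frames, i.e. the WEP case), state that definition in the enum's documentation and reword the commit message accordingly; otherwise a driver that migrates from set_tx to key_type will stop treating the AP's GTK as its default TX key.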
@@ -862,7 +862,7 @@ def test_ap_wpa2_delayed_m1_m3_zero_tk(dev, apdev): if "OK" not in hapd.request("RESEND_M3 " + addr): raise Exception("RESEND_M3 failed") - if "OK" not in hapd.request("SET_KEY 3 %s %d %d %s %s 0" % (addr, 0, 1, 6*"00", 16*"00")): + if "OK" not in hapd.request("SET_KEY 3 %s %d %d %s %s %d" % (addr, 0, 1, 6*"00", 16*"00", 2)): raise Exception("SET_KEY failed") time.sleep(0.1) hwsim_utils.test_connectivity(dev[0], hapd, timeout=1, broadcast=False,
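Review bot: the new trailing `2` in the SET_KEY request is a bare integer standing for an enum key_type value, and nothing in the test says which one; add a comment or a named constant in the test mirroring the enumerator it is meant to select, so the test's meaning does not silently change if enum key_type is reordered and a reader can check that it matches the KEY_TYPE_PAIRWISE hostapd_ctrl_reset_pn() now uses for this STA's TK.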

From: Alexander Wetzel
To: j@w1.fi
Subject: [PATCH v3 05/17] wpa_supplicant: Set the correct key_type for key installs
Date: Sat, 17 Aug 2019 23:14:23 +0200
Message-Id: <20190817211435.158335-6-alexander@wetzel-home.de>
In-Reply-To: <20190817211435.158335-1-alexander@wetzel-home.de>
References: <20190817211435.158335-1-alexander@wetzel-home.de>
Cc: Alexander Wetzel , hostap@lists.infradead.org, luca@coelho.fi, johannes@sipsolutions.net

In addition to the existing set_key boolean also set the key_type for all key installs without using it yet. The old signaling via set_tx is deprecated and will be removed via a separate patch. Until that is done, either set_tx or the new key_type can be used to detect a default key. Having the correct key_types available allows us to migrate the users of set_tx to the new key_type step by step.

Signed-off-by: Alexander Wetzel
---
 src/rsn_supp/tdls.c             |  7 ++++---
 src/rsn_supp/wpa.c              | 12 +++++++-----
 src/rsn_supp/wpa_ft.c           | 11 ++++++-----
 wpa_supplicant/ctrl_iface.c     | 25 ++++++++++++++---------
 wpa_supplicant/ibss_rsn.c       |  2 +-
 wpa_supplicant/mesh_mpm.c       |  6 +++---
 wpa_supplicant/mesh_rsn.c       |  5 +++--
 wpa_supplicant/wpa_supplicant.c | 11 +++++++----
 wpa_supplicant/wpas_glue.c      |  5 +++--
 9 files changed, 50 insertions(+), 34 deletions(-)

diff --git a/src/rsn_supp/tdls.c b/src/rsn_supp/tdls.c index 28048d9fc..348c491be 100644 --- a/src/rsn_supp/tdls.c +++ b/src/rsn_supp/tdls.c @@ -178,7 +178,7 @@ static u8 * wpa_add_ie(u8 *pos, const u8 *ie, size_t ie_len) static int wpa_tdls_del_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) { if (wpa_sm_set_key(sm, WPA_ALG_NONE, peer->addr, - 0, 0, NULL, 0, NULL, 0, 0) < 0) { + 0, 0, NULL, 0, NULL, 0, KEY_TYPE_PAIRWISE) < 0) { wpa_printf(MSG_WARNING, "TDLS: Failed to delete TPK-TK from " "the driver"); return -1;
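Review bot: the commit message is a copy of 04/17's and repeats the "existing set_key boolean" wording where set_tx is meant; please correct it in both patches.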
@@ -228,7 +228,7 @@ static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) wpa_printf(MSG_DEBUG, "TDLS: Configure pairwise key for peer " MACSTR, MAC2STR(peer->addr)); if (wpa_sm_set_key(sm, alg, peer->addr, -1, 1, rsc, sizeof(rsc), - peer->tpk.tk, key_len, 0) < 0) { + peer->tpk.tk, key_len, KEY_TYPE_PAIRWISE) < 0) { wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the " "driver"); return -1; @@ -2167,7 +2167,8 @@ static int wpa_tdls_enable_link(struct wpa_sm *sm, struct wpa_tdls_peer *peer) #endif /* CONFIG_TDLS_TESTING */ } - if (peer->reconfig_key && wpa_tdls_set_key(sm, peer) < 0) { + if (peer->reconfig_key && + wpa_tdls_set_key(sm, peer) < 0) { wpa_printf(MSG_INFO, "TDLS: Could not configure key to the " "driver"); return -1; diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c index d28843d9f..830c74c8f 100644 --- a/src/rsn_supp/wpa.c +++ b/src/rsn_supp/wpa.c @@ -920,7 +920,7 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm, if (sm->pairwise_cipher == WPA_CIPHER_NONE) { if (wpa_sm_set_key(sm, gd->alg, NULL, gd->keyidx, 1, key_rsc, gd->key_rsc_len, - _gtk, gd->gtk_len, 0) < 0) { + _gtk, gd->gtk_len, KEY_TYPE_BROADCAST) < 0) { wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: Failed to set GTK to the driver " "(Group only)"); @@ -929,7 +929,9 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm, } } else if (wpa_sm_set_key(sm, gd->alg, broadcast_ether_addr, gd->keyidx, gd->tx, key_rsc, gd->key_rsc_len, - _gtk, gd->gtk_len, 0) < 0) { + _gtk, gd->gtk_len, + gd->tx ? KEY_TYPE_DEFAULT : + KEY_TYPE_BROADCAST) < 0) { wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: Failed to set GTK to " "the driver (alg=%d keylen=%d keyidx=%d)", 
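Review bot: the wpa_tdls_enable_link() hunk only re-wraps `if (peer->reconfig_key && wpa_tdls_set_key(sm, peer) < 0) {` onto two lines and changes nothing else; it is unrelated to key_type and should be dropped from this patch (or sent separately) so the diff stays greppable for the actual change.

Review bot: in wpa_supplicant_install_gtk() the WPA_CIPHER_NONE branch installs the GTK with set_tx = 1 and KEY_TYPE_BROADCAST, while the branch immediately below maps `gd->tx ? KEY_TYPE_DEFAULT : KEY_TYPE_BROADCAST`; in the group-only case the GTK is the key the station transmits all of its frames with, which is exactly the condition the second branch calls KEY_TYPE_DEFAULT, so the first branch should be KEY_TYPE_DEFAULT too, or the reason for treating it differently needs a comment.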
@@ -1084,7 +1086,7 @@ static int wpa_supplicant_install_igtk(struct wpa_sm *sm, if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher), broadcast_ether_addr, keyidx, 0, igtk->pn, sizeof(igtk->pn), - igtk->igtk, len, 0) < 0) { + igtk->igtk, len, KEY_TYPE_BROADCAST) < 0) { if (keyidx == 0x0400 || keyidx == 0x0500) { /* Assume the AP has broken PMF implementation since it * seems to have swapped the KeyID bytes. The AP cannot @@ -1533,7 +1535,7 @@ static void wpa_supplicant_process_3_of_4(struct wpa_sm *sm, sm->renew_snonce = 1; if (key_info & WPA_KEY_INFO_INSTALL) { - if (wpa_supplicant_install_ptk(sm, key, 0)) + if (wpa_supplicant_install_ptk(sm, key, KEY_TYPE_PAIRWISE)) goto failed; } @@ -4459,7 +4461,7 @@ int fils_process_assoc_resp(struct wpa_sm *sm, const u8 *resp, size_t len) wpa_hexdump_key(MSG_DEBUG, "FILS: Set TK to driver", sm->ptk.tk, keylen); if (wpa_sm_set_key(sm, alg, sm->bssid, 0, 1, null_rsc, rsclen, - sm->ptk.tk, keylen, 0) < 0) { + sm->ptk.tk, keylen, KEY_TYPE_PAIRWISE) < 0) { wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "FILS: Failed to set PTK to the driver (alg=%d keylen=%d bssid=" MACSTR ")", diff --git a/src/rsn_supp/wpa_ft.c b/src/rsn_supp/wpa_ft.c index b67874bab..3b45f669b 100644 --- a/src/rsn_supp/wpa_ft.c +++ b/src/rsn_supp/wpa_ft.c @@ -411,9 +411,8 @@ static int wpa_ft_install_ptk(struct wpa_sm *sm, const u8 *bssid) alg = wpa_cipher_to_alg(sm->pairwise_cipher); keylen = wpa_cipher_key_len(sm->pairwise_cipher); - if (wpa_sm_set_key(sm, alg, bssid, 0, 1, null_rsc, - sizeof(null_rsc), (u8 *) sm->ptk.tk, keylen, - 0) < 0) { + if (wpa_sm_set_key(sm, alg, bssid, 0, 1, null_rsc, sizeof(null_rsc), + (u8 *) sm->ptk.tk, keylen, KEY_TYPE_PAIRWISE) < 0) { wpa_printf(MSG_WARNING, "FT: Failed to set PTK to the driver"); return -1; } 
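Review bot: wpa_supplicant_process_3_of_4() now passes KEY_TYPE_PAIRWISE to wpa_supplicant_install_ptk(), and a PTK can never be anything else; if this is the only caller, or all callers pass KEY_TYPE_PAIRWISE, the parameter carries no information and the constant belongs inside wpa_supplicant_install_ptk() rather than being threaded through the 4-way handshake code.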
@@ -765,7 +764,8 @@ static int wpa_ft_process_gtk_subelem(struct wpa_sm *sm, const u8 *gtk_elem, os_memcpy(gtk + 24, tmp, 8); } if (wpa_sm_set_key(sm, alg, broadcast_ether_addr, keyidx, 0, - gtk_elem + 3, rsc_len, gtk, keylen, 0) < 0) { + gtk_elem + 3, rsc_len, gtk, keylen, + KEY_TYPE_BROADCAST) < 0) { wpa_printf(MSG_WARNING, "WPA: Failed to set GTK to the " "driver."); return -1; @@ -833,7 +833,8 @@ static int wpa_ft_process_igtk_subelem(struct wpa_sm *sm, const u8 *igtk_elem, igtk_len); if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher), broadcast_ether_addr, keyidx, 0, - igtk_elem + 2, 6, igtk, igtk_len, 0) < 0) { + igtk_elem + 2, 6, igtk, igtk_len, + KEY_TYPE_BROADCAST) < 0) { wpa_printf(MSG_WARNING, "WPA: Failed to set IGTK to the " "driver."); forced_memzero(igtk, sizeof(igtk)); diff --git a/wpa_supplicant/ctrl_iface.c b/wpa_supplicant/ctrl_iface.c index 5c7fd87c5..862f72734 100644 --- a/wpa_supplicant/ctrl_iface.c +++ b/wpa_supplicant/ctrl_iface.c 
@@ -5237,17 +5237,23 @@ static void wpa_supplicant_ctrl_iface_drop_sa(struct wpa_supplicant *wpa_s) { wpa_printf(MSG_DEBUG, "Dropping SA without deauthentication"); /* MLME-DELETEKEYS.request */ - wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 0, 0, NULL, 0, NULL, 0, 0); - wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 1, 0, NULL, 0, NULL, 0, 0); - wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 2, 0, NULL, 0, NULL, 0, 0); - wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 3, 0, NULL, 0, NULL, 0, 0); + wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 0, 0, NULL, 0, NULL, + 0, KEY_TYPE_BROADCAST); + wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 1, 0, NULL, 0, NULL, + 0, KEY_TYPE_BROADCAST); + wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 2, 0, NULL, 0, NULL, + 0, KEY_TYPE_BROADCAST); + wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 3, 0, NULL, 0, NULL, + 0, KEY_TYPE_BROADCAST); #ifdef CONFIG_IEEE80211W - wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 4, 0, NULL, 0, NULL, 0, 0); - wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 5, 0, NULL, 0, NULL, 0, 0); + wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 4, 0, NULL, 0, NULL, + 0, KEY_TYPE_BROADCAST); + wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 5, 0, NULL, 0, NULL, + 0, KEY_TYPE_BROADCAST); #endif /* CONFIG_IEEE80211W */ wpa_drv_set_key(wpa_s, WPA_ALG_NONE, wpa_s->bssid, 0, 0, NULL, 0, NULL, - 0, 0); + 0, KEY_TYPE_PAIRWISE); /* MLME-SETPROTECTION.request(None) */ wpa_drv_mlme_setprotection(wpa_s, wpa_s->bssid, MLME_SETPROTECTION_PROTECT_TYPE_NONE, 
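Review bot: wpa_supplicant_ctrl_iface_drop_sa() now spells out the same NULL-address WPA_ALG_NONE deletion six times with only the key index changing; a loop over 0..3 (0..5 under CONFIG_IEEE80211W), or a call into wpa_clear_keys(), which already performs this sequence with KEY_TYPE_BROADCAST, would keep the testing-only copy from diverging from the production path the next time the arguments change. As on the hostapd side, these removals also assume the driver does not need the install-time type, since index 0..3 may hold a WEP key that wpa_set_wep_keys() installed as KEY_TYPE_DEFAULT.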
@@ -9227,13 +9233,14 @@ static int wpas_ctrl_reset_pn(struct wpa_supplicant *wpa_s) * in the driver. */ if (wpa_drv_set_key(wpa_s, wpa_s->last_tk_alg, wpa_s->last_tk_addr, wpa_s->last_tk_key_idx, 1, zero, 6, - zero, wpa_s->last_tk_len, 0) < 0) + zero, wpa_s->last_tk_len, KEY_TYPE_PAIRWISE) < 0) return -1; /* Set the previously configured key to reset its TSC/RSC */ return wpa_drv_set_key(wpa_s, wpa_s->last_tk_alg, wpa_s->last_tk_addr, wpa_s->last_tk_key_idx, 1, zero, 6, - wpa_s->last_tk, wpa_s->last_tk_len, 0); + wpa_s->last_tk, wpa_s->last_tk_len, + KEY_TYPE_PAIRWISE); } diff --git a/wpa_supplicant/ibss_rsn.c b/wpa_supplicant/ibss_rsn.c index c1d40a9d3..0625ddeb4 100644 --- a/wpa_supplicant/ibss_rsn.c +++ b/wpa_supplicant/ibss_rsn.c @@ -852,7 +852,7 @@ static void ibss_rsn_handle_auth_1_of_2(struct ibss_rsn *ibss_rsn, wpa_printf(MSG_DEBUG, "RSN: Clear pairwise key for peer " MACSTR, MAC2STR(addr)); wpa_drv_set_key(ibss_rsn->wpa_s, WPA_ALG_NONE, addr, 0, 0, - NULL, 0, NULL, 0, 0); + NULL, 0, NULL, 0, KEY_TYPE_PAIRWISE); } if (peer && diff --git a/wpa_supplicant/mesh_mpm.c b/wpa_supplicant/mesh_mpm.c index 041c158e4..8664147ac 100644 --- a/wpa_supplicant/mesh_mpm.c +++ b/wpa_supplicant/mesh_mpm.c @@ -876,7 +876,7 @@ static void mesh_mpm_plink_estab(struct wpa_supplicant *wpa_s, wpa_hexdump_key(MSG_DEBUG, "mesh: MTK", sta->mtk, sta->mtk_len); wpa_drv_set_key(wpa_s, wpa_cipher_to_alg(conf->pairwise_cipher), sta->addr, 0, 0, seq, sizeof(seq), - sta->mtk, sta->mtk_len, 0); + sta->mtk, sta->mtk_len, KEY_TYPE_PAIRWISE); wpa_hexdump_key(MSG_DEBUG, "mesh: RX MGTK Key RSC", sta->mgtk_rsc, sizeof(sta->mgtk_rsc)); @@ -885,7 +885,7 @@ static void mesh_mpm_plink_estab(struct wpa_supplicant *wpa_s, wpa_drv_set_key(wpa_s, wpa_cipher_to_alg(conf->group_cipher), sta->addr, sta->mgtk_key_id, 0, sta->mgtk_rsc, sizeof(sta->mgtk_rsc), - sta->mgtk, sta->mgtk_len, 0); + sta->mgtk, sta->mgtk_len, KEY_TYPE_BROADCAST); if (sta->igtk_len) { wpa_hexdump_key(MSG_DEBUG, "mesh: RX IGTK Key RSC", 
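Review bot: mesh_mpm_plink_estab() installs the peer's MGTK and IGTK with sta->addr and KEY_TYPE_BROADCAST, the only place in 04/17 and 05/17 where a unicast peer address is combined with KEY_TYPE_BROADCAST (every other group key uses broadcast_ether_addr or NULL); if the purpose of key_type is to let drivers stop inferring the key kind from addr, this per-peer RX group key case has to be named in the enum documentation, otherwise a driver keyed on type alone cannot distinguish these from the interface-wide group keys installed by __mesh_rsn_auth_init().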
@@ -897,7 +897,7 @@ static void mesh_mpm_plink_estab(struct wpa_supplicant *wpa_s, wpa_cipher_to_alg(conf->mgmt_group_cipher), sta->addr, sta->igtk_key_id, 0, sta->igtk_rsc, sizeof(sta->igtk_rsc), - sta->igtk, sta->igtk_len, 0); + sta->igtk, sta->igtk_len, KEY_TYPE_BROADCAST); } } diff --git a/wpa_supplicant/mesh_rsn.c b/wpa_supplicant/mesh_rsn.c index 67090fe56..e670e259b 100644 --- a/wpa_supplicant/mesh_rsn.c +++ b/wpa_supplicant/mesh_rsn.c @@ -200,7 +200,8 @@ static int __mesh_rsn_auth_init(struct mesh_rsn *rsn, const u8 *addr, wpa_drv_set_key(rsn->wpa_s, wpa_cipher_to_alg(rsn->mgmt_group_cipher), NULL, rsn->igtk_key_id, 1, - seq, sizeof(seq), rsn->igtk, rsn->igtk_len, 0); + seq, sizeof(seq), rsn->igtk, rsn->igtk_len, + KEY_TYPE_BROADCAST); } #endif /* CONFIG_IEEE80211W */ @@ -209,7 +210,7 @@ static int __mesh_rsn_auth_init(struct mesh_rsn *rsn, const u8 *addr, rsn->mgtk, rsn->mgtk_len); wpa_drv_set_key(rsn->wpa_s, wpa_cipher_to_alg(rsn->group_cipher), NULL, rsn->mgtk_key_id, 1, seq, sizeof(seq), - rsn->mgtk, rsn->mgtk_len, 0); + rsn->mgtk, rsn->mgtk_len, KEY_TYPE_BROADCAST); return 0; } diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c index d9d08c1e4..56bba65e8 100644 --- a/wpa_supplicant/wpa_supplicant.c +++ b/wpa_supplicant/wpa_supplicant.c @@ -142,7 +142,9 @@ int wpa_set_wep_keys(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid) set = 1; wpa_drv_set_key(wpa_s, WPA_ALG_WEP, NULL, i, i == ssid->wep_tx_keyidx, NULL, 0, - ssid->wep_key[i], ssid->wep_key_len[i], 0); + ssid->wep_key[i], ssid->wep_key_len[i], + i == ssid->wep_tx_keyidx ? KEY_TYPE_DEFAULT : + KEY_TYPE_BROADCAST); } return set; 
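Review bot: __mesh_rsn_auth_init() installs the local MGTK and IGTK with set_tx = 1 and KEY_TYPE_BROADCAST, the same pairing the hostapd side uses for its GTK, while wpa_supplicant_install_gtk() earlier in this patch maps set_tx (gd->tx) to KEY_TYPE_DEFAULT; whichever rule is intended, the commit message's claim that either set_tx or key_type detects a default key does not hold for these two calls, so either the calls or the message need to change.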
@@ -200,7 +202,8 @@ int wpa_supplicant_set_wpa_none_key(struct wpa_supplicant *wpa_s, /* TODO: should actually remember the previously used seq#, both for TX * and RX from each STA.. */ - ret = wpa_drv_set_key(wpa_s, alg, NULL, 0, 1, seq, 6, key, keylen, 0); + ret = wpa_drv_set_key(wpa_s, alg, NULL, 0, 1, seq, 6, key, keylen, + KEY_TYPE_BROADCAST); os_memset(key, 0, sizeof(key)); return ret; } @@ -706,12 +709,12 @@ void wpa_clear_keys(struct wpa_supplicant *wpa_s, const u8 *addr) if (wpa_s->keys_cleared & BIT(i)) continue; wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, i, 0, NULL, 0, - NULL, 0, 0); + NULL, 0, KEY_TYPE_BROADCAST); } if (!(wpa_s->keys_cleared & BIT(0)) && addr && !is_zero_ether_addr(addr)) { wpa_drv_set_key(wpa_s, WPA_ALG_NONE, addr, 0, 0, NULL, 0, NULL, - 0, 0); + 0, KEY_TYPE_PAIRWISE); /* MLME-SETPROTECTION.request(None) */ wpa_drv_mlme_setprotection( wpa_s, addr, diff --git a/wpa_supplicant/wpas_glue.c b/wpa_supplicant/wpas_glue.c index 4d461e645..f96608d72 100644 --- a/wpa_supplicant/wpas_glue.c +++ b/wpa_supplicant/wpas_glue.c @@ -242,7 +242,8 @@ static int wpa_eapol_set_wep_key(void *ctx, int unicast, int keyidx, } return wpa_drv_set_key(wpa_s, WPA_ALG_WEP, unicast ? wpa_s->bssid : NULL, - keyidx, unicast, NULL, 0, key, keylen, 0); + keyidx, unicast, NULL, 0, key, keylen, + unicast ? KEY_TYPE_DEFAULT : KEY_TYPE_BROADCAST); } 
@@ -341,7 +342,7 @@ static void wpa_supplicant_eapol_cb(struct eapol_sm *eapol, "handshake", pmk, pmk_len); if (wpa_drv_set_key(wpa_s, WPA_ALG_PMK, NULL, 0, 0, NULL, 0, pmk, - pmk_len, 0)) { + pmk_len, KEY_TYPE_BROADCAST)) { wpa_printf(MSG_DEBUG, "Failed to set PMK to the driver"); }
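Review bot: KEY_TYPE_BROADCAST is a questionable type for the WPA_ALG_PMK call in wpa_supplicant_eapol_cb() (wpas_glue.c hunk): a PMK handed to the driver for key management offload is neither a group key nor a default TX key, and a driver that branches on key_type (the nl80211 set_key rework later in this series treats every non-pairwise key with a NULL address as a candidate for the extra NL80211_CMD_SET_KEY) may start handling it as a group key. Suggest either a dedicated key_type value for the PMK handoff or a comment at this call site stating that drivers must check alg == WPA_ALG_PMK before looking at key_type.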
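Review bot: in wpa_eapol_set_wep_key() (wpas_glue.c hunk) the expression `unicast ? KEY_TYPE_DEFAULT : KEY_TYPE_BROADCAST` gives the per-station dynamic WEP key (addr = wpa_s->bssid) the same type as a default key, while the description of 06/17 in this series says KEY_TYPE_DEFAULT is only set for WEP default keys. Please confirm that is intended, or pass KEY_TYPE_PAIRWISE for the unicast case so drivers can tell the key-mapping key apart from the default keys.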
From: Alexander Wetzel
To: j@w1.fi
Subject: [PATCH v3 06/17] drivers: Migrate drivers from set_tx to key_type API
Date: Sat, 17 Aug 2019 23:14:24 +0200
Message-Id: <20190817211435.158335-7-alexander@wetzel-home.de>
In-Reply-To: <20190817211435.158335-1-alexander@wetzel-home.de>
References: <20190817211435.158335-1-alexander@wetzel-home.de>
Cc: Alexander Wetzel , hostap@lists.infradead.org, luca@coelho.fi, johannes@sipsolutions.net

Migrate all drivers other than nl80211 from set_tx to the key_type API.

This patch assumes that the drivers only used set_tx for default keys as it was (probably) intended to be used and are not relying on the quirks the set_tx usage really has. The new KEY_TYPE_DEFAULT is only set for WEP default keys and when an AP is not using pairwise keys, handling all traffic via the group key.

This patch is mostly untested! Only wext got some validation via the existing tests in hostapd.
Signed-off-by: Alexander Wetzel
---
This is in my opinion the most risky part of retiring the set_tx API. I have zero knowledge about those drivers and the new key_type API is quite often using KEY_TYPE_BROADCAST where set_tx was set to 1 and I would not be surprised if this patch causes one or another issue.

Now I really would like to clean up set_tx and fully switch to the new key_flag. The way the patches are structured we could also keep set_tx around and only migrate nl80211 to the new API. But this would be quite confusing and sooner or later someone will mix up the two APIs again...

As a side note: I first "extended" the existing set_tx int, which is only used as a boolean, as a bit field to carry the additional information in other bits. But the sometimes incomprehensible usage of set_tx and the investigation of how it should be done instead expanded the scope drastically. I believe now that migrating away from set_tx via multiple small patches is simpler to follow and review.

src/drivers/driver_atheros.c | 6 +++---
src/drivers/driver_bsd.c | 8 ++++----
src/drivers/driver_hostap.c | 3 ++-
src/drivers/driver_ndis.c | 10 ++++++----
src/drivers/driver_nl80211.c | 5 ++++-
src/drivers/driver_privsep.c | 6 +++---
src/drivers/driver_wext.c | 11 +++++++----
7 files changed, 29 insertions(+), 20 deletions(-)

diff --git a/src/drivers/driver_atheros.c b/src/drivers/driver_atheros.c index 08095865a..0c87da6d0 100644 --- a/src/drivers/driver_atheros.c +++ b/src/drivers/driver_atheros.c @@ -569,7 +569,7 @@ atheros_set_key(const char *ifname, void *priv, enum wpa_alg alg, if (addr == NULL || is_broadcast_ether_addr(addr)) { os_memset(wk.ik_macaddr, 0xff, IEEE80211_ADDR_LEN); wk.ik_keyix = key_idx; - if (set_tx) + if (key_type == KEY_TYPE_DEFAULT) wk.ik_flags |= IEEE80211_KEY_DEFAULT; } else { os_memcpy(wk.ik_macaddr, addr, IEEE80211_ADDR_LEN);
@@ -581,9 +581,9 @@ atheros_set_key(const char *ifname, void *priv, enum wpa_alg alg, ret = set80211priv(drv, IEEE80211_IOCTL_SETKEY, &wk, sizeof(wk)); if (ret < 0) { wpa_printf(MSG_DEBUG, "%s: Failed to set key (addr %s" - " key_idx %d alg %d key_len %lu set_tx %d)", + " key_idx %d alg %d key_len %lu key_type %d)", __func__, ether_sprintf(wk.ik_macaddr), key_idx, - alg, (unsigned long) key_len, set_tx); + alg, (unsigned long) key_len, key_type); } return ret; diff --git a/src/drivers/driver_bsd.c b/src/drivers/driver_bsd.c index c53155be0..89e4508e7 100644 --- a/src/drivers/driver_bsd.c +++ b/src/drivers/driver_bsd.c @@ -341,9 +341,9 @@ bsd_set_key(const char *ifname, void *priv, enum wpa_alg alg, struct bsd_driver_data *drv = priv; #endif /* IEEE80211_KEY_NOREPLAY */ - wpa_printf(MSG_DEBUG, "%s: alg=%d addr=%p key_idx=%d set_tx=%d " + wpa_printf(MSG_DEBUG, "%s: alg=%d addr=%p key_idx=%d key_type=%d " "seq_len=%zu key_len=%zu", __func__, alg, addr, key_idx, - set_tx, seq_len, key_len); + key_type, seq_len, key_len); if (alg == WPA_ALG_NONE) { #ifndef HOSTAPD @@ -371,7 +371,7 @@ bsd_set_key(const char *ifname, void *priv, enum wpa_alg alg, } wk.ik_flags = IEEE80211_KEY_RECV; - if (set_tx) + if (key_type == KEY_TYPE_DEFAULT) wk.ik_flags |= IEEE80211_KEY_XMIT; if (addr == NULL) { @@ -392,7 +392,7 @@ bsd_set_key(const char *ifname, void *priv, enum wpa_alg alg, key_idx; } } - if (wk.ik_keyix != IEEE80211_KEYIX_NONE && set_tx) + if (wk.ik_keyix != IEEE80211_KEYIX_NONE && key_type == KEY_TYPE_DEFAULT) wk.ik_flags |= IEEE80211_KEY_DEFAULT; #ifndef HOSTAPD #ifdef IEEE80211_KEY_NOREPLAY diff --git a/src/drivers/driver_hostap.c b/src/drivers/driver_hostap.c index bf22858fb..454388fe7 100644 --- a/src/drivers/driver_hostap.c +++ b/src/drivers/driver_hostap.c 
@@ -440,7 +440,8 @@ static int wpa_driver_hostap_set_key(const char *ifname, void *priv, os_free(buf); return -1; } - param->u.crypt.flags = set_tx ? HOSTAP_CRYPT_FLAG_SET_TX_KEY : 0; + param->u.crypt.flags = key_type == KEY_TYPE_DEFAULT ? + HOSTAP_CRYPT_FLAG_SET_TX_KEY : 0; param->u.crypt.idx = key_idx; param->u.crypt.key_len = key_len; memcpy((u8 *) (param + 1), key, key_len); diff --git a/src/drivers/driver_ndis.c b/src/drivers/driver_ndis.c index 649bc01ea..2963e1f51 100644 --- a/src/drivers/driver_ndis.c +++ b/src/drivers/driver_ndis.c @@ -945,7 +945,7 @@ static int wpa_driver_ndis_add_wep(struct wpa_driver_ndis_data *drv, return -1; wep->Length = len; wep->KeyIndex = key_idx; - if (set_tx) + if (key_type == KEY_TYPE_DEFAULT) wep->KeyIndex |= 1 << 31; #if 0 /* Setting bit30 does not seem to work with some NDIS drivers */ if (pairwise) @@ -1006,7 +1006,7 @@ static int wpa_driver_ndis_set_key(const char *ifname, void *priv, nkey->Length = len; nkey->KeyIndex = key_idx; - if (set_tx) + if (key_type == KEY_TYPE_DEFAULT) nkey->KeyIndex |= 1 << 31; if (pairwise) nkey->KeyIndex |= 1 << 30; @@ -1077,7 +1077,8 @@ wpa_driver_ndis_associate(void *priv, bcast, i, i == params->wep_tx_keyidx, NULL, 0, params->wep_key[i], - params->wep_key_len[i], 0); + params->wep_key_len[i], + KEY_TYPE_BROADCAST); } } @@ -1114,7 +1115,8 @@ wpa_driver_ndis_associate(void *priv, wpa_driver_ndis_set_key(drv->ifname, drv, WPA_ALG_WEP, bcast, 0, 1, NULL, 0, dummy_key, - sizeof(dummy_key), 0); + sizeof(dummy_key), + KEY_TYPE_BROADCAST); } #endif /* CONFIG_WPS */ } else { diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c index 1e9514c0c..3a35a5337 100644 --- a/src/drivers/driver_nl80211.c +++ b/src/drivers/driver_nl80211.c 
@@ -3484,7 +3484,10 @@ retry: NULL, i, i == params->wep_tx_keyidx, NULL, 0, params->wep_key[i], - params->wep_key_len[i], 0); + params->wep_key_len[i], + i == params->wep_tx_keyidx ? + KEY_TYPE_DEFAULT : + KEY_TYPE_BROADCAST); if (params->wep_tx_keyidx != i) continue; if (nl_add_key(msg, WPA_ALG_WEP, i, 1, NULL, 0, diff --git a/src/drivers/driver_privsep.c b/src/drivers/driver_privsep.c index e3375cd90..b3d2ddae0 100644 --- a/src/drivers/driver_privsep.c +++ b/src/drivers/driver_privsep.c @@ -215,8 +215,8 @@ static int wpa_driver_privsep_set_key(const char *ifname, void *priv, struct wpa_driver_privsep_data *drv = priv; struct privsep_cmd_set_key cmd; - wpa_printf(MSG_DEBUG, "%s: priv=%p alg=%d key_idx=%d set_tx=%d", - __func__, priv, alg, key_idx, set_tx); + wpa_printf(MSG_DEBUG, "%s: priv=%p alg=%d key_idx=%d key_type=%d", + __func__, priv, alg, key_idx, key_type); os_memset(&cmd, 0, sizeof(cmd)); cmd.alg = alg; @@ -225,7 +225,7 @@ static int wpa_driver_privsep_set_key(const char *ifname, void *priv, else os_memset(cmd.addr, 0xff, ETH_ALEN); cmd.key_idx = key_idx; - cmd.set_tx = set_tx; + cmd.set_tx = key_type == KEY_TYPE_DEFAULT; if (seq && seq_len > 0 && seq_len < sizeof(cmd.seq)) { os_memcpy(cmd.seq, seq, seq_len); cmd.seq_len = seq_len; diff --git a/src/drivers/driver_wext.c b/src/drivers/driver_wext.c index ea5d667ed..52e8e8d49 100644 --- a/src/drivers/driver_wext.c +++ b/src/drivers/driver_wext.c @@ -1740,7 +1740,7 @@ static int wpa_driver_wext_set_key_ext(void *priv, enum wpa_alg alg, if (addr == NULL || is_broadcast_ether_addr(addr)) ext->ext_flags |= IW_ENCODE_EXT_GROUP_KEY; - if (set_tx) + if (key_type == KEY_TYPE_DEFAULT) ext->ext_flags |= IW_ENCODE_EXT_SET_TX_KEY; ext->addr.sa_family = ARPHRD_ETHER; 
@@ -1824,6 +1824,9 @@ static int wpa_driver_wext_set_key_ext(void *priv, enum wpa_alg alg, * 8-byte Rx Mic Key * @key_len: Length of the key buffer in octets (WEP: 5 or 13, * TKIP: 32, CCMP: 16) + * @key_type: Additional key information. Only KEY_TYPE_DEFAULT is used + * when the driver does not support separate unicast/individual key + * to set the key as the default Tx key * Returns: 0 on success, -1 on failure * * This function uses SIOCSIWENCODEEXT by default, but tries to use @@ -1839,9 +1842,9 @@ int wpa_driver_wext_set_key(const char *ifname, void *priv, enum wpa_alg alg, struct iwreq iwr; int ret = 0; - wpa_printf(MSG_DEBUG, "%s: alg=%d key_idx=%d set_tx=%d seq_len=%lu " + wpa_printf(MSG_DEBUG, "%s: alg=%d key_idx=%d key_type=%d seq_len=%lu " "key_len=%lu", - __FUNCTION__, alg, key_idx, set_tx, + __FUNCTION__, alg, key_idx, key_type, (unsigned long) seq_len, (unsigned long) key_len); ret = wpa_driver_wext_set_key_ext(drv, alg, addr, key_idx, set_tx, 
@@ -1875,7 +1878,7 @@ int wpa_driver_wext_set_key(const char *ifname, void *priv, enum wpa_alg alg, ret = -1; } - if (set_tx && alg != WPA_ALG_NONE) { + if (key_type == KEY_TYPE_DEFAULT && alg != WPA_ALG_NONE) { os_memset(&iwr, 0, sizeof(iwr)); os_strlcpy(iwr.ifr_name, drv->ifname, IFNAMSIZ); iwr.u.encoding.flags = key_idx + 1;
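Review bot: the two wpa_driver_ndis_set_key() calls in wpa_driver_ndis_associate() (driver_ndis.c hunks at -1077 and -1114) pass KEY_TYPE_BROADCAST unconditionally, including for the key with i == params->wep_tx_keyidx and for the WPS dummy key that is still installed with set_tx = 1. Since wpa_driver_ndis_add_wep() in the same patch now sets the bit-31 transmit-key flag only when key_type == KEY_TYPE_DEFAULT, NDIS loses its default TX key after this change. The driver_nl80211.c hunk in this patch already uses `i == params->wep_tx_keyidx ? KEY_TYPE_DEFAULT : KEY_TYPE_BROADCAST`; the NDIS WEP loop needs the same expression, and the dummy key should be KEY_TYPE_DEFAULT.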
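Review bot: in bsd_set_key() (driver_bsd.c hunk at -371) IEEE80211_KEY_XMIT is now only set for key_type == KEY_TYPE_DEFAULT, but pairwise keys arrive as KEY_TYPE_PAIRWISE (05/17 passes set_tx = 1 together with KEY_TYPE_PAIRWISE, for example in wpas_ctrl_reset_pn(), and 07/17 notes that unicast keys in wpa_supplicant have set_tx set to true), so a pairwise key would be installed receive-only where it was previously marked for transmit. wpa_driver_hostap_set_key() has the same pattern with HOSTAP_CRYPT_FLAG_SET_TX_KEY. Suggest `key_type != KEY_TYPE_BROADCAST` (or an explicit KEY_TYPE_PAIRWISE check) for the XMIT / SET_TX_KEY flags, since the cover note says these drivers are untested.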
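Review bot: the new @key_type doc comment on wpa_driver_wext_set_key() (driver_wext.c hunk at -1824) does not parse as a sentence ("Only KEY_TYPE_DEFAULT is used when the driver does not support separate unicast/individual key to set the key as the default Tx key"). Suggest: "@key_type: Key type; only KEY_TYPE_DEFAULT is acted on here, marking the key as the default TX key for drivers without separate unicast keys."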
From: Alexander Wetzel
To: j@w1.fi
Subject: [PATCH v3 07/17] nl80211: Switch to the new key_type API & cleanup
Date: Sat, 17 Aug 2019 23:14:25 +0200
Message-Id: <20190817211435.158335-8-alexander@wetzel-home.de>
In-Reply-To: <20190817211435.158335-1-alexander@wetzel-home.de>
References: <20190817211435.158335-1-alexander@wetzel-home.de>
Cc: Alexander Wetzel , hostap@lists.infradead.org, luca@coelho.fi, johannes@sipsolutions.net

Installing WEP and broadcast keys requires an additional netlink call with NL80211_CMD_SET_KEY after key install. wpa_driver_nl80211_set_key() had an overly complex and not always correctly working method to detect and make this call, heavily depending on the inconsistently set boolean set_tx.

But nl80211 can deduce the information when to call NL80211_CMD_SET_KEY without referring to the unreliably set boolean set_tx. Therefore stop using set_tx and throw out the workarounds used to suppress some of the needless NL80211_CMD_SET_KEY calls and only call it when really needed.

This also stops useless NL80211_CMD_SET_KEY calls when installing a unicast key in wpa_supplicant, which also has set_tx set to true and was not intercepted by the workarounds.

Signed-off-by: Alexander Wetzel
---
This simply was too big to put into the generic patch to migrate the drivers to key_type. nl80211 is the driver with the most features and also the strangest hacks...

This patch is not only migrating to key_type, it is also overhauling the key install logic. The new logic works fine for all test cases and to my best understanding all dropped code pieces could not have any function. (Verified against the kernel code.)

src/drivers/driver_nl80211.c | 56 +++++++++++++++---------------------
1 file changed, 23 insertions(+), 33 deletions(-)

diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c index 3a35a5337..3762e9d66 100644 --- a/src/drivers/driver_nl80211.c +++ b/src/drivers/driver_nl80211.c
@@ -3018,8 +3018,9 @@ static int wpa_driver_nl80211_set_key(const char *ifname, struct i802_bss *bss, int ifindex; struct nl_msg *msg; struct nl_msg *key_msg; + struct nlattr *types; + int need_set_key = 0; int ret; - int tdls = 0; /* Ignore for P2P Device */ if (drv->nlmode == NL80211_IFTYPE_P2P_DEVICE) @@ -3027,13 +3028,12 @@ static int wpa_driver_nl80211_set_key(const char *ifname, struct i802_bss *bss, ifindex = if_nametoindex(ifname); wpa_printf(MSG_DEBUG, "%s: ifindex=%d (%s) alg=%d addr=%p key_idx=%d " - "set_tx=%d seq_len=%lu key_len=%lu", + "set_tx=%d seq_len=%lu key_len=%lu key_type=%d", __func__, ifindex, ifname, alg, addr, key_idx, set_tx, - (unsigned long) seq_len, (unsigned long) key_len); + (unsigned long) seq_len, (unsigned long) key_len, key_type); #ifdef CONFIG_TDLS if (key_idx == -1) { key_idx = 0; - tdls = 1; } #endif /* CONFIG_TDLS */ @@ -3085,22 +3085,18 @@ static int wpa_driver_nl80211_set_key(const char *ifname, struct i802_bss *bss, if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) goto fail; - if (alg != WPA_ALG_WEP && key_idx && !set_tx) { + if (alg != WPA_ALG_WEP && key_type != KEY_TYPE_PAIRWISE) { wpa_printf(MSG_DEBUG, " RSN IBSS RX GTK"); if (nla_put_u32(key_msg, NL80211_KEY_TYPE, NL80211_KEYTYPE_GROUP)) goto fail; } - } else if (addr && is_broadcast_ether_addr(addr)) { - struct nlattr *types; - - wpa_printf(MSG_DEBUG, " broadcast key"); - - types = nla_nest_start(key_msg, NL80211_KEY_DEFAULT_TYPES); - if (!types || - nla_put_flag(key_msg, NL80211_KEY_DEFAULT_TYPE_MULTICAST)) - goto fail; - nla_nest_end(key_msg, types); + } else if (alg != WPA_ALG_NONE) { + /* Default (WEP, GTK or IGTK) key */ + if (alg != WPA_ALG_WEP || key_type == KEY_TYPE_DEFAULT) { + wpa_printf(MSG_DEBUG, " require SET_KEY"); + need_set_key = 1; + } } if (nla_put_u8(key_msg, NL80211_KEY_IDX, key_idx) || nla_put_nested(msg, NL80211_ATTR_KEY, key_msg)) 
@@ -3114,13 +3110,10 @@ static int wpa_driver_nl80211_set_key(const char *ifname, struct i802_bss *bss, ret, strerror(-ret)); /* - * If we failed or don't need to set the default TX key (below), + * If we failed or don't need to set the key as default (below), * we're done here. */ - if (ret || !set_tx || alg == WPA_ALG_NONE || tdls) - return ret; - if (is_ap_interface(drv->nlmode) && addr && - !is_broadcast_ether_addr(addr)) + if (ret || !need_set_key) return ret; key_msg = nlmsg_alloc(); 
@@ -3140,29 +3133,26 @@ static int wpa_driver_nl80211_set_key(const char *ifname, struct i802_bss *bss, NL80211_KEY_DEFAULT)) goto fail; if (addr && is_broadcast_ether_addr(addr)) { - struct nlattr *types; - + wpa_printf(MSG_DEBUG, " broadcast key"); types = nla_nest_start(key_msg, NL80211_KEY_DEFAULT_TYPES); if (!types || nla_put_flag(key_msg, NL80211_KEY_DEFAULT_TYPE_MULTICAST)) goto fail; nla_nest_end(key_msg, types); - } else if (addr) { - struct nlattr *types; - - types = nla_nest_start(key_msg, NL80211_KEY_DEFAULT_TYPES); - if (!types || - nla_put_flag(key_msg, NL80211_KEY_DEFAULT_TYPE_UNICAST)) - goto fail; - nla_nest_end(key_msg, types); + } else if (!addr) { + wpa_printf(MSG_DEBUG, " WEP key"); + } else { + /* need_set_key must only be set for + * zero or broadcast addresses + */ + wpa_printf(MSG_ERROR, + "Unicast key when not expecting one, abort!"); + goto fail; } if (nla_put_nested(msg, NL80211_ATTR_KEY, key_msg)) goto fail; - ret = send_and_recv_msgs(drv, msg, NULL, NULL); - if (ret == -ENOENT) - ret = 0; if (ret) wpa_printf(MSG_DEBUG, "nl80211: set_key default failed; " "err=%d %s)", ret, strerror(-ret));
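Review bot: the last hunk (-3140,29 +3133,26) deletes `ret = send_and_recv_msgs(drv, msg, NULL, NULL);` together with the -ENOENT tolerance but adds no replacement send, so the NL80211_CMD_SET_KEY message for the default key is built, attached with nla_put_nested() and then never transmitted; `ret` at the following `if (ret)` is still the 0 returned by the NEW_KEY call, the default-key failure message can never fire, and `msg` is not released on that path as far as the visible lines show. The hunk line counts (13 lines removed, 10 added, matching the 29/26 header) confirm nothing in this hunk re-adds the call. Keep `ret = send_and_recv_msgs(drv, msg, NULL, NULL);` in front of the error print; dropping only the -ENOENT special case is fine now that need_set_key is never set for WPA_ALG_NONE.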
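Review bot: in the -3085,22 hunk the new `} else if (alg != WPA_ALG_NONE) { if (alg != WPA_ALG_WEP || key_type == KEY_TYPE_DEFAULT) need_set_key = 1; }` branch sets need_set_key for every non-WEP key that reaches it with a NULL or broadcast address, which after 05/17 includes WPA_ALG_PMK (wpa_supplicant_eapol_cb() passes addr NULL and KEY_TYPE_BROADCAST). Please confirm WPA_ALG_PMK cannot reach this point in builds where the CONFIG_DRIVER_NL80211_QCA offload branch is not compiled or not taken; otherwise an `alg != WPA_ALG_PMK` guard belongs in this condition.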
From: Alexander Wetzel
To: j@w1.fi
Subject: [PATCH v3 08/17] nl80211,wpa_supplicant: Drop outdated tdls hack
Date: Sat, 17 Aug 2019 23:14:26 +0200
Message-Id: <20190817211435.158335-9-alexander@wetzel-home.de>
In-Reply-To: <20190817211435.158335-1-alexander@wetzel-home.de>
References: <20190817211435.158335-1-alexander@wetzel-home.de>
Cc: Alexander Wetzel , hostap@lists.infradead.org, luca@coelho.fi, johannes@sipsolutions.net

wpa_tdls_set_key() did set the key_id to -1 as a signal to handle the key install a bit differently than for other pairwise keys. Since we cleaned up the install logic with a previous patch this signal is no longer needed and we can remove the workaround.

Signed-off-by: Alexander Wetzel
---
The workaround cleaned up here was not limited to nl80211, so I put it into a separate patch. It just finalizes the nl80211 driver key install cleanup without breaking anything between the patches.

src/drivers/driver_nl80211.c | 6 ------
src/rsn_supp/tdls.c | 2 +-
2 files changed, 1 insertion(+), 7 deletions(-)

diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c index 3762e9d66..7ff912912 100644 --- a/src/drivers/driver_nl80211.c +++ b/src/drivers/driver_nl80211.c @@ -3031,12 +3031,6 @@ static int wpa_driver_nl80211_set_key(const char *ifname, struct i802_bss *bss, "set_tx=%d seq_len=%lu key_len=%lu key_type=%d", __func__, ifindex, ifname, alg, addr, key_idx, set_tx, (unsigned long) seq_len, (unsigned long) key_len, key_type); -#ifdef CONFIG_TDLS - if (key_idx == -1) { - key_idx = 0; - } -#endif /* CONFIG_TDLS */ - #ifdef CONFIG_DRIVER_NL80211_QCA if (alg == WPA_ALG_PMK && (drv->capa.flags & WPA_DRIVER_FLAGS_KEY_MGMT_OFFLOAD)) { diff --git a/src/rsn_supp/tdls.c b/src/rsn_supp/tdls.c index 348c491be..01d339290 100644 --- a/src/rsn_supp/tdls.c +++ b/src/rsn_supp/tdls.c
@@ -227,7 +227,7 @@ static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) wpa_printf(MSG_DEBUG, "TDLS: Configure pairwise key for peer " MACSTR, MAC2STR(peer->addr)); - if (wpa_sm_set_key(sm, alg, peer->addr, -1, 1, rsc, sizeof(rsc), + if (wpa_sm_set_key(sm, alg, peer->addr, 0, 1, rsc, sizeof(rsc), peer->tpk.tk, key_len, KEY_TYPE_PAIRWISE) < 0) { wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the " "driver");
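Review bot: the `if (key_idx == -1)` fallback removed from wpa_driver_nl80211_set_key() is the only consumer of the -1 signal visible in this patch, but the cover note says the workaround "was not limited to nl80211"; before the producer in tdls.c stops sending -1, confirm that no other wrapper under src/drivers/ still branches on key_idx == -1 for TDLS, since such a driver would silently lose that branch and receive index 0 through a path it never handled before.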
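Review bot: passing 0 in wpa_tdls_set_key() is exactly what the nl80211 hunk substituted for -1, so the driver-visible behaviour is unchanged; while touching this call, consider adding the key index to the "TDLS: Configure pairwise key for peer" debug line, because later in this series index 1 becomes a valid pairwise slot and a TPK log line that shows only the peer address will no longer identify which slot was written.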
From: Alexander Wetzel
To: j@w1.fi
Subject: [PATCH v3 09/17] hostapd: Add support for Extended Key ID
Date: Sat, 17 Aug 2019 23:14:27 +0200
Message-Id: <20190817211435.158335-10-alexander@wetzel-home.de>
In-Reply-To: <20190817211435.158335-1-alexander@wetzel-home.de>
Cc: Alexander Wetzel, hostap@lists.infradead.org, luca@coelho.fi, johannes@sipsolutions.net

Add support for Extended Key ID and seamless unicast rekey in hostapd, based on the description of the mechanism in IEEE 802.11-2016. Extended Key ID allows rekeying PTK keys without the unavoidable MPDU losses a classical unicast rekey has when the connection is not idle during the rekey.
Signed-off-by: Alexander Wetzel
---
This is now finally starting the real work on the Extended Key ID support. Most is directly based on IEEE 802.11-2016 or an obvious consequence of it. But the sanity checks and Extended Key ID handling for FT are not.

An Extended Key ID capable AP will have two different keys using keyid 1: the "usual" broadcast key and a second unicast key. (We already had a quick mail exchange about that, see https://marc.info/?l=linux-wireless&m=154427921122092&w=2) But it's fully backward compatible and can serve clients supporting Extended Key ID and clients not supporting it at the same time.

I can't find any reference for how we should handle FT combined with Extended Key ID. While our beacons announce Extended Key ID support, a "normal" FT handshake never has a 4-way EAPOL handshake and thus there is no documented way to hand over the KeyID. We could of course then just agree to use keyid 0 and start to really use Extended Key ID with the first rekey. But I prefer to also hand over the KeyID in addition to the GTK Key ID. This allows us to also use keyid 1 as the initial key and opens the door to verifying whether a remote STA is indeed able to use Extended Key ID and either fail at the initial connect or even fall back when not. (More about that in the last patch of the series.)

hostapd/config_file.c | 2 ++
hostapd/hostapd.conf | 10 ++++++
src/ap/ap_config.c | 1 +
src/ap/ap_config.h | 1 +
src/ap/hs20.c | 2 ++
src/ap/wpa_auth.c | 71 ++++++++++++++++++++++++++++++++++++-----
src/ap/wpa_auth.h | 1 +
src/ap/wpa_auth_ft.c | 6 +++-
src/ap/wpa_auth_glue.c | 32 ++++++++++++++++++-
src/ap/wpa_auth_i.h | 3 ++
src/ap/wpa_auth_ie.c | 42 +++++++++++++++++++++++-
src/common/wpa_common.c | 1 +
src/common/wpa_common.h | 1 +
13 files changed, 162 insertions(+), 11 deletions(-)

diff --git a/hostapd/config_file.c b/hostapd/config_file.c index 1ef7d57cc..451b11d2c 100644 --- a/hostapd/config_file.c +++ b/hostapd/config_file.c 
@@ -2872,6 +2872,8 @@ static int hostapd_config_fill(struct hostapd_config *conf, } } else if (os_strcmp(buf, "wpa") == 0) { bss->wpa = atoi(pos); + } else if (os_strcmp(buf, "wpa_extended_key_id") == 0) { + bss->wpa_extended_key_id = atoi(pos); } else if (os_strcmp(buf, "wpa_group_rekey") == 0) { bss->wpa_group_rekey = atoi(pos); bss->wpa_group_rekey_set = 1; diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf index f36e1fa3a..47ad9d12c 100644 --- a/hostapd/hostapd.conf +++ b/hostapd/hostapd.conf @@ -1471,6 +1471,16 @@ own_ip_addr=127.0.0.1 # wpa_key_mgmt=SAE for WPA3-Personal instead of wpa_key_mgmt=WPA-PSK). #wpa=2 +# Extended Key ID support based on IEEE 802.11-2016 +# +# Extended Key ID allows to rekey the PTK key without impact for ongoing +# transmissions +# When enabled and supported by the driver the AP will offer and support it for +# stations. (The setting is only relevant with wpa=2) +# 0 = force off +# 1 = enable Extended Key ID support when driver supports it (Default) +#wpa_extended_key_id=1 + # WPA pre-shared keys for WPA-PSK. This can be either entered as a 256-bit # secret in hex format (64 hex digits), wpa_psk, or as an ASCII passphrase # (8..63 characters) that will be converted to PSK. This conversion uses SSID diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c index 90348e1dd..b6d6b3f8e 100644 --- a/src/ap/ap_config.c +++ b/src/ap/ap_config.c @@ -61,6 +61,7 @@ void hostapd_config_defaults_bss(struct hostapd_bss_config *bss) bss->broadcast_key_idx_max = 2; bss->eap_reauth_period = 3600; + bss->wpa_extended_key_id = 1; bss->wpa_group_rekey = 600; bss->wpa_gmk_rekey = 86400; bss->wpa_group_update_count = 4; diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h index daf787e16..f22783d42 100644 --- a/src/ap/ap_config.h +++ b/src/ap/ap_config.h 
@@ -346,6 +346,7 @@ struct hostapd_bss_config { * algorithms, WPA_AUTH_ALG_{OPEN,SHARED,LEAP} */ int wpa; /* bitfield of WPA_PROTO_WPA, WPA_PROTO_RSN */ + int wpa_extended_key_id; int wpa_key_mgmt; #ifdef CONFIG_IEEE80211W enum mfp_options ieee80211w; diff --git a/src/ap/hs20.c b/src/ap/hs20.c index 532580e7c..791847cbc 100644 --- a/src/ap/hs20.c +++ b/src/ap/hs20.c @@ -80,6 +80,8 @@ u8 * hostapd_eid_osen(struct hostapd_data *hapd, u8 *eid) /* 4 PTKSA replay counters when using WMM */ capab |= (RSN_NUM_REPLAY_COUNTERS_16 << 2); } + if (hapd->conf->wpa_extended_key_id) + capab |= WPA_CAPABILITY_EXT_KEY_ID_FOR_UNICAST; #ifdef CONFIG_IEEE80211W if (hapd->conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) { capab |= WPA_CAPABILITY_MFPC; diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c index ba415bd66..0213e97c2 100644 --- a/src/ap/wpa_auth.c +++ b/src/ap/wpa_auth.c @@ -755,6 +755,9 @@ static void wpa_request_new_ptk(struct wpa_state_machine *sm) if (sm == NULL) return; + if (sm->use_extended_key_id) + sm->keyidx_active ^= 1; /* flip keyID */ + sm->PTKRequest = TRUE; sm->PTK_valid = 0; } @@ -1459,6 +1462,12 @@ void __wpa_send_eapol(struct wpa_authenticator *wpa_auth, else version = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4; + /* Extended Key ID must not be used for TKIP */ + if (version == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4) { + sm->use_extended_key_id = FALSE; + sm->keyidx_active = 0; + } + pairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE); wpa_printf(MSG_DEBUG, "WPA: Send EAPOL(version=%d secure=%d mic=%d " @@ -1717,6 +1726,11 @@ void wpa_remove_ptk(struct wpa_state_machine *sm) 0, KEY_TYPE_PAIRWISE)) wpa_printf(MSG_DEBUG, "RSN: PTK removal from the driver failed"); + if (sm->wpa_auth->conf.wpa_extended_key_id && + wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 1, NULL, + 0, KEY_TYPE_PAIRWISE)) + wpa_printf(MSG_DEBUG, + "RSN: PTK ID1 removal from the driver failed"); sm->pairwise_set = FALSE; eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm); } 
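Review bot: the extra removal of pairwise key index 1 in wpa_remove_ptk() is gated on `sm->wpa_auth->conf.wpa_extended_key_id`, the BSS-wide setting, not on `sm->use_extended_key_id`; on an AP with the option enabled every legacy STA's disconnect therefore issues a delete for a key that was never installed and logs "PTK ID1 removal from the driver failed" each time. Gate it on the per-STA flag (or remove only the index that sm->keyidx_active actually used) so the driver call and the debug line appear only when there was a second slot to clear.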
@@ -1775,6 +1789,8 @@ int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event) sm->Init = FALSE; sm->AuthenticationRequest = TRUE; break; + } else if (sm->use_extended_key_id) { + sm->keyidx_active ^= 1; /* flip keyID */ } if (sm->GUpdateStationKeys) { /* @@ -3142,7 +3158,7 @@ static int ocv_oci_add(struct wpa_state_machine *sm, u8 **argpos) SM_STATE(WPA_PTK, PTKINITNEGOTIATING) { - u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos, dummy_gtk[32]; + u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos, dummy_gtk[32], hdr[2]; size_t gtk_len, kde_len; struct wpa_group *gsm = sm->group; u8 *wpa_ie; @@ -3183,6 +3199,18 @@ SM_STATE(WPA_PTK, PTKINITNEGOTIATING) wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, "sending 3/4 msg of 4-Way Handshake"); if (sm->wpa == WPA_VERSION_WPA2) { + if (sm->use_extended_key_id && sm->TimeoutCtr == 1 && + wpa_auth_set_key(sm->wpa_auth, 0, + wpa_cipher_to_alg(sm->pairwise), + sm->addr, + sm->keyidx_active, sm->PTK.tk, + wpa_cipher_key_len(sm->pairwise), + KEY_TYPE_NO_AUTO_TX)) { + wpa_sta_disconnect(sm->wpa_auth, sm->addr, + WLAN_REASON_PREV_AUTH_NOT_VALID); + return; + } + /* WPA2 send GTK in the 4-way handshake */ secure = 1; gtk = gsm->GTK[gsm->GN - 1]; @@ -3223,6 +3251,10 @@ SM_STATE(WPA_PTK, PTKINITNEGOTIATING) } kde_len = wpa_ie_len + ieee80211w_kde_len(sm) + ocv_oci_len(sm); + + if (sm->use_extended_key_id) + kde_len += 2 + RSN_SELECTOR_LEN + 2; + if (gtk) kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len; #ifdef CONFIG_IEEE80211R_AP @@ -3259,10 +3291,15 @@ SM_STATE(WPA_PTK, PTKINITNEGOTIATING) pos += elen; } #endif /* CONFIG_IEEE80211R_AP */ + hdr[1] = 0; + + if (sm->use_extended_key_id) { + hdr[0] = sm->keyidx_active & 0x01; + pos = wpa_add_kde(pos, RSN_KEY_DATA_KEYID, hdr, 2, NULL, 0); + } + if (gtk) { - u8 hdr[2]; hdr[0] = gtkidx & 0x03; - hdr[1] = 0; pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2, gtk, gtk_len); } 
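Review bot: the KeyID KDE in PTKINITNEGOTIATING is built with `hdr[0] = sm->keyidx_active & 0x01;` while the copy of this code in wpa_auth_resend_m3() uses `hdr[0] = sm->keyidx_active & 0x03;`; use one mask in both places (0x03 is the width of the KeyID field in the KDE, but only 0 and 1 are valid for a pairwise key, so 0x01 plus an explicit check is the safer choice) so that the first and a retransmitted message 3 cannot carry different key data. A shared helper that appends the KeyID KDE would remove the duplication that allowed the two masks to diverge.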
@@ -3345,8 +3382,17 @@ SM_STATE(WPA_PTK, PTKINITDONE) if (sm->Pair) { enum wpa_alg alg = wpa_cipher_to_alg(sm->pairwise); int klen = wpa_cipher_key_len(sm->pairwise); - if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0, - sm->PTK.tk, klen, KEY_TYPE_PAIRWISE)) { + if (sm->use_extended_key_id) { + if (wpa_auth_set_key(sm->wpa_auth, 0, 0, sm->addr, + sm->keyidx_active, NULL, 0, + KEY_TYPE_SET_TX)) { + wpa_sta_disconnect(sm->wpa_auth, sm->addr, + WLAN_REASON_PREV_AUTH_NOT_VALID); + return; + } + } else if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0, + sm->PTK.tk, klen, + KEY_TYPE_PAIRWISE)) { wpa_sta_disconnect(sm->wpa_auth, sm->addr, WLAN_REASON_PREV_AUTH_NOT_VALID); return; @@ -4980,7 +5026,7 @@ int wpa_auth_resend_m3(struct wpa_state_machine *sm, void (*cb)(void *ctx1, void *ctx2), void *ctx1, void *ctx2) { - u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos; + u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos, hdr[2]; #ifdef CONFIG_IEEE80211W u8 *opos; #endif /* CONFIG_IEEE80211W */ @@ -5040,6 +5086,10 @@ int wpa_auth_resend_m3(struct wpa_state_machine *sm, } kde_len = wpa_ie_len + ieee80211w_kde_len(sm) + ocv_oci_len(sm); + + if (sm->use_extended_key_id) + kde_len += 2 + RSN_SELECTOR_LEN + 2; + if (gtk) kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len; #ifdef CONFIG_IEEE80211R_AP @@ -5072,10 +5122,15 @@ int wpa_auth_resend_m3(struct wpa_state_machine *sm, pos += elen; } #endif /* CONFIG_IEEE80211R_AP */ + hdr[1] = 0; + + if (sm->use_extended_key_id) { + hdr[0] = sm->keyidx_active & 0x03; + pos = wpa_add_kde(pos, RSN_KEY_DATA_KEYID, hdr, 2, NULL, 0); + } + if (gtk) { - u8 hdr[2]; hdr[0] = gtkidx & 0x03; - hdr[1] = 0; pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2, gtk, gtk_len); } diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h index cc8ea5aa7..f756d492b 100644 --- a/src/ap/wpa_auth.h +++ b/src/ap/wpa_auth.h 
@@ -169,6 +169,7 @@ struct ft_remote_r1kh { struct wpa_auth_config { int wpa; + int wpa_extended_key_id; int wpa_key_mgmt; int wpa_pairwise; int wpa_group; diff --git a/src/ap/wpa_auth_ft.c b/src/ap/wpa_auth_ft.c index 0f1a51832..a870ea799 100644 --- a/src/ap/wpa_auth_ft.c +++ b/src/ap/wpa_auth_ft.c @@ -2652,7 +2652,7 @@ void wpa_ft_install_ptk(struct wpa_state_machine *sm) * again after association to get the PTK configured, but that could be * optimized by adding the STA entry earlier. */ - if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0, + if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, sm->keyidx_active, sm->PTK.tk, klen, KEY_TYPE_PAIRWISE)) return; @@ -2891,6 +2891,10 @@ static int wpa_ft_process_auth_req(struct wpa_state_machine *sm, wpa_printf(MSG_DEBUG, "FT: Failed to parse FT IEs"); return WLAN_STATUS_UNSPECIFIED_FAILURE; } + + if (handle_extended_key_id(sm, parse.capabilities)) + return WLAN_STATUS_UNSPECIFIED_FAILURE; + use_sha384 = wpa_key_mgmt_sha384(parse.key_mgmt); pmk_r1_len = use_sha384 ? SHA384_MAC_LEN : PMK_LEN; diff --git a/src/ap/wpa_auth_glue.c b/src/ap/wpa_auth_glue.c index df900dba7..0cc824863 100644 --- a/src/ap/wpa_auth_glue.c +++ b/src/ap/wpa_auth_glue.c @@ -39,6 +39,7 @@ static void hostapd_wpa_auth_conf(struct hostapd_bss_config *conf, { os_memset(wconf, 0, sizeof(*wconf)); wconf->wpa = conf->wpa; + wconf->wpa_extended_key_id = conf->wpa_extended_key_id; wconf->wpa_key_mgmt = conf->wpa_key_mgmt; wconf->wpa_pairwise = conf->wpa_pairwise; wconf->wpa_group = conf->wpa_group; 
@@ -369,7 +370,12 @@ static int hostapd_wpa_auth_set_key(void *ctx, int vlan_id, enum wpa_alg alg, } #ifdef CONFIG_TESTING_OPTIONS - if (addr && !is_broadcast_ether_addr(addr)) { + if (key_type == KEY_TYPE_SET_TX) { + /* KEY_TYPE_NO_AUTO_TX installed the key and updated the + * variables. Since KEY_TYPE_SET_TX would overwrite the + * desired information with zeros do nothing. + */ + } else if (addr && !is_broadcast_ether_addr(addr)) { struct sta_info *sta; sta = ap_get_sta(hapd, addr); @@ -1305,6 +1311,30 @@ int hostapd_setup_wpa(struct hostapd_data *hapd) _conf.tx_status = 1; if (hapd->iface->drv_flags & WPA_DRIVER_FLAGS_AP_MLME) _conf.ap_mlme = 1; + + if (_conf.wpa_extended_key_id) { + if (_conf.wpa & WPA_PROTO_RSN && + _conf.rsn_pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP | + WPA_CIPHER_GCMP_256 | + WPA_CIPHER_CCMP_256) && + hapd->iface->drv_flags & WPA_DRIVER_FLAGS_EXTENDED_KEY_ID) { + wpa_msg(hapd->msg_ctx, MSG_INFO, + "Enable Extended Key ID support"); + } else { + if (!(hapd->iface->drv_flags & + WPA_DRIVER_FLAGS_EXTENDED_KEY_ID)) + wpa_msg(hapd->msg_ctx, MSG_INFO, + "Extended Key ID not supported by driver"); + else + wpa_msg(hapd->msg_ctx, MSG_INFO, + "Extended Key ID requires wpa2 and CCMP/GCMP"); + _conf.wpa_extended_key_id = 0; + } + } else if (_conf.wpa & WPA_PROTO_RSN) { + wpa_msg(hapd->msg_ctx, MSG_INFO, + "Extended Key ID support disabled"); + } + hapd->wpa_auth = wpa_init(hapd->own_addr, &_conf, &cb, hapd); if (hapd->wpa_auth == NULL) { wpa_printf(MSG_ERROR, "WPA initialization failed."); diff --git a/src/ap/wpa_auth_i.h b/src/ap/wpa_auth_i.h index 4babd0cbb..21c9b082f 100644 --- a/src/ap/wpa_auth_i.h +++ b/src/ap/wpa_auth_i.h @@ -61,6 +61,8 @@ struct wpa_state_machine { unsigned int pmk_len; u8 pmkid[PMKID_LEN]; /* valid if pmkid_set == 1 */ struct wpa_ptk PTK; + u8 keyidx_active; + Boolean use_extended_key_id; Boolean PTK_valid; Boolean pairwise_set; Boolean tk_already_set; 
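Review bot: handle_extended_key_id() is exported from wpa_auth_ie.c without the wpa_ or wpa_auth_ prefix that the neighbouring declarations in this header carry (wpa_auth_for_each_auth, wpa_write_mdie), and the wpa_supplicant patch in this series adds a static function with the identical name in src/rsn_supp/wpa.c; a name such as wpa_auth_handle_extended_key_id() keeps the two apart in grep output and backtraces. The two new state-machine fields would also benefit from a short comment like the one on pmkid, stating that keyidx_active is only meaningful while use_extended_key_id is set and is otherwise 0.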
@@ -284,6 +286,7 @@ int wpa_auth_for_each_sta(struct wpa_authenticator *wpa_auth, int wpa_auth_for_each_auth(struct wpa_authenticator *wpa_auth, int (*cb)(struct wpa_authenticator *a, void *ctx), void *cb_ctx); +int handle_extended_key_id(struct wpa_state_machine *sm, int capabilities); #ifdef CONFIG_IEEE80211R_AP int wpa_write_mdie(struct wpa_auth_config *conf, u8 *buf, size_t len); diff --git a/src/ap/wpa_auth_ie.c b/src/ap/wpa_auth_ie.c index 2e5c9160d..725c76056 100644 --- a/src/ap/wpa_auth_ie.c +++ b/src/ap/wpa_auth_ie.c @@ -286,6 +286,8 @@ int wpa_write_rsn_ie(struct wpa_auth_config *conf, u8 *buf, size_t len, /* 4 PTKSA replay counters when using WMM */ capab |= (RSN_NUM_REPLAY_COUNTERS_16 << 2); } + if (conf->wpa_extended_key_id) + capab |= WPA_CAPABILITY_EXT_KEY_ID_FOR_UNICAST; #ifdef CONFIG_IEEE80211W if (conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) { capab |= WPA_CAPABILITY_MFPC; @@ -411,6 +413,8 @@ static u8 * wpa_write_osen(struct wpa_auth_config *conf, u8 *eid) /* 4 PTKSA replay counters when using WMM */ capab |= (RSN_NUM_REPLAY_COUNTERS_16 << 2); } + if (conf->wpa_extended_key_id) + capab |= WPA_CAPABILITY_EXT_KEY_ID_FOR_UNICAST; #ifdef CONFIG_IEEE80211W if (conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) { capab |= WPA_CAPABILITY_MFPC; @@ -435,8 +439,9 @@ int wpa_auth_gen_wpa_ie(struct wpa_authenticator *wpa_auth) { u8 *pos, buf[128]; int res; - #ifdef CONFIG_TESTING_OPTIONS + struct wpa_ie_data data; + if (wpa_auth->conf.own_ie_override_len) { wpa_hexdump(MSG_DEBUG, "WPA: Forced own IE(s) for testing", wpa_auth->conf.own_ie_override, 
@@ -449,6 +454,14 @@ int wpa_auth_gen_wpa_ie(struct wpa_authenticator *wpa_auth) os_memcpy(wpa_auth->wpa_ie, wpa_auth->conf.own_ie_override, wpa_auth->conf.own_ie_override_len); wpa_auth->wpa_ie_len = wpa_auth->conf.own_ie_override_len; + if (wpa_parse_wpa_ie_rsn(wpa_auth->wpa_ie, + wpa_auth->wpa_ie_len, &data) || + !(data.capabilities & + WPA_CAPABILITY_EXT_KEY_ID_FOR_UNICAST)) { + wpa_printf(MSG_DEBUG, + "WPA: Own IE forcing wpa_extended_key_id=0"); + wpa_auth->conf.wpa_extended_key_id = 0; + } return 0; } #endif /* CONFIG_TESTING_OPTIONS */ @@ -528,6 +541,31 @@ static int wpa_auth_okc_iter(struct wpa_authenticator *a, void *ctx) return 0; } +int handle_extended_key_id(struct wpa_state_machine *sm, int capabilities) +{ + struct wpa_auth_config *conf = &sm->wpa_auth->conf; + + if (conf->wpa_extended_key_id && + capabilities & WPA_CAPABILITY_EXT_KEY_ID_FOR_UNICAST) { + if (!sm->use_extended_key_id && sm->pairwise_set) { + wpa_printf(MSG_DEBUG, + "Can only enable Extended Key ID on initial connect"); + return -1; + } else if (!sm->use_extended_key_id) { + sm->use_extended_key_id = TRUE; + } + } else { + if (sm->use_extended_key_id && sm->pairwise_set) { + wpa_printf(MSG_DEBUG, + "Already using Extended Key ID, can't stop"); + return -1; + } else if (sm->use_extended_key_id) { + sm->use_extended_key_id = FALSE; + sm->keyidx_active = 0; + } + } + return 0; +} int wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth, struct wpa_state_machine *sm, int freq, @@ -809,6 +847,8 @@ int wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth, } #endif /* CONFIG_IEEE80211W */ + if (handle_extended_key_id(sm, data.capabilities)) + return WPA_INVALID_IE; #ifdef CONFIG_IEEE80211R_AP if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { if (mdie == NULL || mdie_len < MOBILITY_DOMAIN_ID_LEN + 1) { diff --git a/src/common/wpa_common.c b/src/common/wpa_common.c index a7569580f..dc5ae4891 100644 --- a/src/common/wpa_common.c +++ b/src/common/wpa_common.c 
@@ -963,6 +963,7 @@ int wpa_ft_parse_ies(const u8 *ies, size_t ies_len, parse->rsn_pmkid = data.pmkid; parse->key_mgmt = data.key_mgmt; parse->pairwise_cipher = data.pairwise_cipher; + parse->capabilities = data.capabilities; if (update_use_sha384) { use_sha384 = wpa_key_mgmt_sha384(parse->key_mgmt); diff --git a/src/common/wpa_common.h b/src/common/wpa_common.h index 415104de9..ca0acbad4 100644 --- a/src/common/wpa_common.h +++ b/src/common/wpa_common.h 
@@ -475,6 +475,7 @@ struct wpa_ft_ies { size_t ric_len; int key_mgmt; int pairwise_cipher; + int capabilities; }; int wpa_ft_parse_ies(const u8 *ies, size_t ies_len, struct wpa_ft_ies *parse,
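Review bot: hostapd_eid_osen() in src/ap/hs20.c sets WPA_CAPABILITY_EXT_KEY_ID_FOR_UNICAST from `hapd->conf->wpa_extended_key_id`, the raw BSS configuration that defaults to 1, whereas wpa_write_rsn_ie() and wpa_write_osen() read the wpa_auth copy that hostapd_setup_wpa() clears to 0 when WPA_DRIVER_FLAGS_EXTENDED_KEY_ID is missing or the cipher is unsuitable; the OSEN element from hs20.c can thus advertise a capability the AP will not honour. Read the effective value from the authenticator's config, or clear hapd->conf->wpa_extended_key_id in hostapd_setup_wpa() alongside _conf.wpa_extended_key_id.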
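Review bot: disabling Extended Key ID for TKIP inside __wpa_send_eapol() changes sm->use_extended_key_id and sm->keyidx_active as a side effect of transmitting a frame, and it infers the cipher from the EAPOL-Key descriptor version (WPA_KEY_INFO_TYPE_HMAC_MD5_RC4) rather than from the negotiated pairwise cipher; wpa_validate_wpa_ie() already knows sm->pairwise at the point where it calls handle_extended_key_id(), so rejecting TKIP there (treat sm->pairwise == WPA_CIPHER_TKIP like a missing capability bit) makes the decision once, before any key is installed, and keeps the send path free of state changes.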
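Review bot: the enable test in hostapd_setup_wpa() uses `_conf.rsn_pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP | ...)`, which is also true for a mixed rsn_pairwise that still allows TKIP, so the AP advertises the capability while TKIP STAs depend on the per-STA fallback; either also require `!(_conf.rsn_pairwise & WPA_CIPHER_TKIP)` or document the fallback. Relatedly, the hostapd.conf text says the option is "only relevant with wpa=2" while the code also needs a CCMP/GCMP pairwise cipher and driver support, and "allows to rekey the PTK key" reads awkwardly; suggested wording: "Extended Key ID (IEEE 802.11-2016) allows the PTK to be rekeyed without interrupting ongoing transmissions. It is used only with wpa=2, a CCMP/GCMP pairwise cipher and a driver that supports it."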
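Review bot: wpa_ft_install_ptk() now installs the PTK at sm->keyidx_active, but this patch only adds the capability check in wpa_ft_process_auth_req() and, as the cover note says, an FT handshake has no documented way to carry the KeyID to the STA; the index can be 1 on this code path because wpa_request_new_ptk() and wpa_auth_sm_event() flip it on every rekey. Until the later patch adds the exchange the cover note describes, either pin keyidx_active to 0 on the FT path here so the series stays bisectable, or state the dependency on that later patch in the commit message.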
From: Alexander Wetzel
To: j@w1.fi
Subject: [PATCH v3 10/17] wpa_supplicant: Extended Key ID support for AP connections
Date: Sat, 17 Aug 2019 23:14:28 +0200
Message-Id: <20190817211435.158335-11-alexander@wetzel-home.de>
In-Reply-To: <20190817211435.158335-1-alexander@wetzel-home.de>
Cc: Alexander Wetzel, hostap@lists.infradead.org, luca@coelho.fi, johannes@sipsolutions.net

Implement Extended Key ID for wpa_supplicant based on IEEE 802.11-2016 for infrastructure (AP) connections. This enables wpa_supplicant to detect and use Extended Key ID with compatible APs.

This also fixes an off-by-one error for key deletion: with IEEE 802.11 the highest keyid is 5 and not 6.

Signed-off-by: Alexander Wetzel
---
This complements the hostapd Extended Key ID support patch and adds support to wpa_supplicant. For now we only have the "client" Extended Key ID support covered in wpa_supplicant. TDLS/mesh extensions are also excluded for now, but besides that it's feature complete. (FILS support is in a separate patch)

src/rsn_supp/wpa.c | 127 ++++++++++++++++++++++++++---
src/rsn_supp/wpa.h | 5 +-
src/rsn_supp/wpa_ft.c | 7 +-
src/rsn_supp/wpa_i.h | 3 +
src/rsn_supp/wpa_ie.c | 11 +++
src/rsn_supp/wpa_ie.h | 1 +
wpa_supplicant/config.c | 2 +
wpa_supplicant/config_file.c | 1 +
wpa_supplicant/config_ssid.h | 10 +++
wpa_supplicant/ctrl_iface.c | 3 +
wpa_supplicant/driver_i.h | 13 ++-
wpa_supplicant/wpa_cli.c | 3 +-
wpa_supplicant/wpa_supplicant.c | 27 +++++-
wpa_supplicant/wpa_supplicant.conf | 5 ++
wpa_supplicant/wpas_glue.c | 4 +-
15 files changed, 201 insertions(+), 21 deletions(-)

diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c index 830c74c8f..32114a9d2 100644 --- a/src/rsn_supp/wpa.c +++ b/src/rsn_supp/wpa.c 
@@ -581,6 +581,53 @@ static int wpa_derive_ptk(struct wpa_sm *sm, const unsigned char *src_addr, sm->pairwise_cipher, z, z_len); } +static int handle_extended_key_id(struct wpa_sm *sm, + struct wpa_eapol_ie_parse *kde, + const u8 *rsn_ie, size_t rsn_ie_len) +{ + struct wpa_ie_data rsn; + + /* IEEE 802.11 - 2016 requires the Extended Key ID + * bit to be set in the RSN capabilities for both STAs + * to enable the feature + */ + if (sm->wpa_extended_key_id && rsn_ie && + sm->pairwise_cipher != WPA_CIPHER_TKIP && + wpa_parse_wpa_ie_rsn(rsn_ie, rsn_ie_len, &rsn) >= 0 && + rsn.capabilities & WPA_CAPABILITY_EXT_KEY_ID_FOR_UNICAST) { + if (!kde->key_id) { + wpa_msg(sm->ctx->msg_ctx, MSG_ERROR, + "WPA: No KeyID in Extended Key ID handshake"); + return -1; + } else if (kde->key_id[0] & 0xfe) { + wpa_msg(sm->ctx->msg_ctx, MSG_ERROR, + "WPA: Invalid KeyID"); + return -1; + } + wpa_msg(sm->ctx->msg_ctx, MSG_INFO, + "WPA: Using Extended Key ID"); + sm->keyidx_active = kde->key_id[0]; + sm->use_extended_key_id = 1; + } else { + if (kde->key_id && kde->key_id[0]) { + wpa_msg(sm->ctx->msg_ctx, MSG_ERROR, + "WPA: Non-zero KeyID in legacy handshake"); + return -1; + } else if (kde->key_id) { + wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, + "WPA: KeyID in legacy handshake"); + } else if (!rsn_ie || sm->pairwise_cipher == WPA_CIPHER_TKIP) { + wpa_msg(sm->ctx->msg_ctx, MSG_INFO, + "WPA: Extended Key ID requires wpa2 and CCMP/GCMP"); + } + if (sm->wpa_extended_key_id) + wpa_msg(sm->ctx->msg_ctx, MSG_INFO, + "WPA: Not using Extended Key ID"); + sm->keyidx_active = 0; + sm->use_extended_key_id = 0; + } + return 0; +} static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm, const unsigned char *src_addr, 
@@ -779,6 +826,14 @@ static void wpa_sm_rekey_ptk(void *eloop_ctx, void *timeout_ctx) wpa_sm_key_request(sm, 0, 1); } +static void wpa_supplicant_ptk_installed(struct wpa_sm *sm) +{ + if (sm->wpa_ptk_rekey) { + eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL); + eloop_register_timeout(sm->wpa_ptk_rekey, 0, wpa_sm_rekey_ptk, + sm, NULL); + } +} static int wpa_supplicant_install_ptk(struct wpa_sm *sm, const struct wpa_eapol_key *key, @@ -826,12 +881,14 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm, wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, rsclen); } - if (wpa_sm_set_key(sm, alg, sm->bssid, 0, 1, key_rsc, rsclen, - sm->ptk.tk, keylen, key_type) < 0) { + if (wpa_sm_set_key(sm, alg, sm->bssid, sm->keyidx_active, 1, key_rsc, + rsclen, sm->ptk.tk, keylen, key_type) < 0) { wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, - "WPA: Failed to set PTK to the " - "driver (alg=%d keylen=%d bssid=" MACSTR ")", - alg, keylen, MAC2STR(sm->bssid)); + "WPA: Failed to set PTK to the driver" + "(alg=%d keylen=%d bssid=" MACSTR + " idx=%d use_extended_key_id=%d key_type=%d)", + alg, keylen, MAC2STR(sm->bssid), + sm->keyidx_active, sm->use_extended_key_id, key_type); return -1; } 
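Review bot: the rewritten warning in wpa_supplicant_install_ptk() is split as `"WPA: Failed to set PTK to the driver"` followed by `"(alg=%d keylen=%d bssid=" MACSTR`, which concatenates to "driver(alg=" with no separating space; add the space at the end of the first literal. Printing idx, use_extended_key_id and key_type in this message is a welcome addition, since index 1 failures are the new case a driver without two pairwise slots will hit.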
@@ -840,12 +897,27 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm, sm->ptk.tk_len = 0; sm->ptk.installed = 1; - if (sm->wpa_ptk_rekey) { - eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL); - eloop_register_timeout(sm->wpa_ptk_rekey, 0, wpa_sm_rekey_ptk, - sm, NULL); + if (key_type != KEY_TYPE_NO_AUTO_TX) + wpa_supplicant_ptk_installed(sm); + + return 0; +} + +static int wpa_supplicant_activate_ptk(struct wpa_sm *sm) +{ + wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, + "WPA: Activate PTK (idx=%d bssid=" MACSTR ")", + sm->keyidx_active, MAC2STR(sm->bssid)); + + if (wpa_sm_set_key(sm, 0, sm->bssid, sm->keyidx_active, + 0, 0, 0, NULL, 0, KEY_TYPE_SET_TX) < 0) { + wpa_msg(sm->ctx->msg_ctx, MSG_ERROR, + "WPA: Failed to activate PTK for Tx (idx=%d bssid=" + MACSTR ")", sm->keyidx_active, MAC2STR(sm->bssid)); + return -1; } + wpa_supplicant_ptk_installed(sm); return 0; } @@ -1453,6 +1525,7 @@ static void wpa_supplicant_process_3_of_4(struct wpa_sm *sm, wpa_hexdump(MSG_DEBUG, "WPA: IE KeyData", key_data, key_data_len); if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0) goto failed; + if (ie.gtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) { wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: GTK IE in unencrypted key data"); @@ -1479,6 +1552,9 @@ static void wpa_supplicant_process_3_of_4(struct wpa_sm *sm, if (wpa_supplicant_validate_ie(sm, sm->bssid, &ie) < 0) goto failed; + if (handle_extended_key_id(sm, &ie, ie.rsn_ie, ie.rsn_ie_len)) + goto failed; + if (os_memcmp(sm->anonce, key->key_nonce, WPA_NONCE_LEN) != 0) { wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: ANonce from message 1 of 4-Way Handshake " @@ -1523,6 +1599,10 @@ static void wpa_supplicant_process_3_of_4(struct wpa_sm *sm, } } #endif /* CONFIG_OCV */ + if (sm->use_extended_key_id) { + if (wpa_supplicant_install_ptk(sm, key, KEY_TYPE_NO_AUTO_TX)) + goto failed; + } if (wpa_supplicant_send_4_of_4(sm, sm->bssid, key, ver, key_info, &sm->ptk) < 0) { 
@@ -1535,8 +1615,13 @@ static void wpa_supplicant_process_3_of_4(struct wpa_sm *sm, sm->renew_snonce = 1; if (key_info & WPA_KEY_INFO_INSTALL) { - if (wpa_supplicant_install_ptk(sm, key, KEY_TYPE_PAIRWISE)) + if (sm->use_extended_key_id) { + if (wpa_supplicant_activate_ptk(sm)) + goto failed; + } else if (wpa_supplicant_install_ptk(sm, key, + KEY_TYPE_PAIRWISE)) { goto failed; + } } if (key_info & WPA_KEY_INFO_SECURE) { @@ -2650,6 +2735,7 @@ struct wpa_sm * wpa_sm_init(struct wpa_sm_ctx *ctx) return NULL; dl_list_init(&sm->pmksa_candidates); sm->renew_snonce = 1; + sm->keyidx_active = 0; sm->ctx = ctx; sm->dot11RSNAConfigPMKLifetime = 43200; @@ -3040,6 +3126,9 @@ int wpa_sm_set_param(struct wpa_sm *sm, enum wpa_sm_conf_params param, case WPA_PARAM_PAIRWISE: sm->pairwise_cipher = value; break; + case WPA_PARAM_EXTENDED_KEY_ID: + sm->wpa_extended_key_id = value; + break; case WPA_PARAM_GROUP: sm->group_cipher = value; break; @@ -3164,6 +3253,9 @@ int wpa_sm_set_assoc_wpa_ie_default(struct wpa_sm *sm, u8 *wpa_ie, #ifdef CONFIG_TESTING_OPTIONS if (sm->test_assoc_ie) { + struct wpa_eapol_ie_parse ie; + struct wpa_ie_data rsn; + wpa_printf(MSG_DEBUG, "TESTING: Replace association WPA/RSN IE"); if (*wpa_ie_len < wpabuf_len(sm->test_assoc_ie)) @@ -3171,6 +3263,15 @@ int wpa_sm_set_assoc_wpa_ie_default(struct wpa_sm *sm, u8 *wpa_ie, os_memcpy(wpa_ie, wpabuf_head(sm->test_assoc_ie), wpabuf_len(sm->test_assoc_ie)); res = wpabuf_len(sm->test_assoc_ie); + + if (wpa_supplicant_parse_ies(wpa_ie, res, &ie) || + wpa_parse_wpa_ie_rsn(ie.rsn_ie, ie.rsn_ie_len, &rsn) || + !(rsn.capabilities & + WPA_CAPABILITY_EXT_KEY_ID_FOR_UNICAST)) { + wpa_printf(MSG_DEBUG, + "TESTING: Force disable Extended Key ID"); + sm->wpa_extended_key_id = 0; + } } else #endif /* CONFIG_TESTING_OPTIONS */ res = wpa_gen_wpa_ie(sm, wpa_ie, *wpa_ie_len); 
@@ -3400,6 +3501,10 @@ int wpa_sm_has_ptk(struct wpa_sm *sm) return sm->ptk_set; } +int wpa_sm_extended_key_id(struct wpa_sm *sm) +{ + return sm->wpa_extended_key_id; +} void wpa_sm_update_replay_ctr(struct wpa_sm *sm, const u8 *replay_ctr) { @@ -4028,6 +4133,8 @@ static int fils_ft_build_assoc_req_rsne(struct wpa_sm *sm, struct wpabuf *buf) #endif /* CONFIG_IEEE80211W */ if (sm->ocv) capab |= WPA_CAPABILITY_OCVC; + if (sm->wpa_extended_key_id) + capab |= WPA_CAPABILITY_EXT_KEY_ID_FOR_UNICAST; wpabuf_put_le16(buf, capab); /* PMKID Count */ diff --git a/src/rsn_supp/wpa.h b/src/rsn_supp/wpa.h index 698154b94..65ca6262e 100644 --- a/src/rsn_supp/wpa.h +++ b/src/rsn_supp/wpa.h @@ -98,7 +98,8 @@ enum wpa_sm_conf_params { WPA_PARAM_MGMT_GROUP, WPA_PARAM_RSN_ENABLED, WPA_PARAM_MFP, - WPA_PARAM_OCV + WPA_PARAM_OCV, + WPA_PARAM_EXTENDED_KEY_ID }; struct rsn_supp_config { @@ -109,6 +110,7 @@ struct rsn_supp_config { void *eap_conf_ctx; const u8 *ssid; size_t ssid_len; + int wpa_extended_key_id; int wpa_ptk_rekey; int p2p; int wpa_rsc_relaxation; @@ -167,6 +169,7 @@ int wpa_sm_pmksa_exists(struct wpa_sm *sm, const u8 *bssid, const void *network_ctx); void wpa_sm_drop_sa(struct wpa_sm *sm); int wpa_sm_has_ptk(struct wpa_sm *sm); +int wpa_sm_extended_key_id(struct wpa_sm *sm); void wpa_sm_update_replay_ctr(struct wpa_sm *sm, const u8 *replay_ctr); diff --git a/src/rsn_supp/wpa_ft.c b/src/rsn_supp/wpa_ft.c index 3b45f669b..4aa862748 100644 --- a/src/rsn_supp/wpa_ft.c +++ b/src/rsn_supp/wpa_ft.c @@ -254,6 +254,8 @@ static u8 * wpa_ft_gen_req_ies(struct wpa_sm *sm, size_t *len, #endif /* CONFIG_IEEE80211W */ if (sm->ocv) capab |= WPA_CAPABILITY_OCVC; + if (sm->wpa_extended_key_id) + capab |= WPA_CAPABILITY_EXT_KEY_ID_FOR_UNICAST; WPA_PUT_LE16(pos, capab); pos += 2; 
@@ -411,8 +413,9 @@ static int wpa_ft_install_ptk(struct wpa_sm *sm, const u8 *bssid) alg = wpa_cipher_to_alg(sm->pairwise_cipher); keylen = wpa_cipher_key_len(sm->pairwise_cipher); - if (wpa_sm_set_key(sm, alg, bssid, 0, 1, null_rsc, sizeof(null_rsc), - (u8 *) sm->ptk.tk, keylen, KEY_TYPE_PAIRWISE) < 0) { + if (wpa_sm_set_key(sm, alg, bssid, sm->keyidx_active, 1, null_rsc, + sizeof(null_rsc), (u8 *) sm->ptk.tk, keylen, + KEY_TYPE_PAIRWISE) < 0) { wpa_printf(MSG_WARNING, "FT: Failed to set PTK to the driver"); return -1; } diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h index 7423e8aee..eee9570ba 100644 --- a/src/rsn_supp/wpa_i.h +++ b/src/rsn_supp/wpa_i.h @@ -26,6 +26,7 @@ struct wpa_sm { u8 snonce[WPA_NONCE_LEN]; u8 anonce[WPA_NONCE_LEN]; /* ANonce from the last 1/4 msg */ int renew_snonce; + int keyidx_active; u8 rx_replay_counter[WPA_REPLAY_COUNTER_LEN]; int rx_replay_counter_set; u8 request_counter[WPA_REPLAY_COUNTER_LEN]; @@ -65,6 +66,8 @@ struct wpa_sm { int wpa_ptk_rekey; int p2p; int wpa_rsc_relaxation; + int wpa_extended_key_id; + int use_extended_key_id; u8 own_addr[ETH_ALEN]; const char *ifname; diff --git a/src/rsn_supp/wpa_ie.c b/src/rsn_supp/wpa_ie.c index ae9f4ca24..4016ec71a 100644 --- a/src/rsn_supp/wpa_ie.c +++ b/src/rsn_supp/wpa_ie.c @@ -225,6 +225,9 @@ static int wpa_gen_wpa_ie_rsn(u8 *rsn_ie, size_t rsn_ie_len, #endif /* CONFIG_IEEE80211W */ if (sm->ocv) capab |= WPA_CAPABILITY_OCVC; + if (sm->wpa_extended_key_id) + capab |= WPA_CAPABILITY_EXT_KEY_ID_FOR_UNICAST; + WPA_PUT_LE16(pos, capab); pos += 2; 
@@ -417,6 +420,14 @@ static int wpa_parse_generic(const u8 *pos, const u8 *end, return 0; } + if (pos[1] > RSN_SELECTOR_LEN + 1 && + RSN_SELECTOR_GET(pos + 2) == RSN_KEY_DATA_KEYID) { + ie->key_id = pos + 2 + RSN_SELECTOR_LEN; + wpa_hexdump(MSG_DEBUG, "WPA: KeyID in EAPOL-Key", + pos, pos[1] + 2); + return 0; + } + if (pos[1] > RSN_SELECTOR_LEN + 2 && RSN_SELECTOR_GET(pos + 2) == RSN_KEY_DATA_GROUPKEY) { ie->gtk = pos + 2 + RSN_SELECTOR_LEN; diff --git a/src/rsn_supp/wpa_ie.h b/src/rsn_supp/wpa_ie.h index 9d53973a9..f961e90e4 100644 --- a/src/rsn_supp/wpa_ie.h +++ b/src/rsn_supp/wpa_ie.h @@ -17,6 +17,7 @@ struct wpa_eapol_ie_parse { const u8 *rsn_ie; size_t rsn_ie_len; const u8 *pmkid; + const u8 *key_id; const u8 *gtk; size_t gtk_len; const u8 *mac_addr; diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c index fc1ed4f90..19a213398 100644 --- a/wpa_supplicant/config.c +++ b/wpa_supplicant/config.c @@ -2334,6 +2334,7 @@ static const struct parse_data ssid_fields[] = { { INT(dot11MeshConfirmTimeout) }, { INT(dot11MeshHoldingTimeout) }, #endif /* CONFIG_MESH */ + { INT(wpa_extended_key_id) }, { INT(wpa_ptk_rekey) }, { INT(group_rekey) }, { STR(bgscan) }, @@ -2854,6 +2855,7 @@ void wpa_config_set_network_defaults(struct wpa_ssid *ssid) { ssid->proto = DEFAULT_PROTO; ssid->pairwise_cipher = DEFAULT_PAIRWISE; + ssid->wpa_extended_key_id = DEFAULT_EXTENDED_KEY_ID; ssid->group_cipher = DEFAULT_GROUP; ssid->key_mgmt = DEFAULT_KEY_MGMT; ssid->bg_scan_period = DEFAULT_BG_SCAN_PERIOD; diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c index 91d5caa3f..dadc503eb 100644 --- a/wpa_supplicant/config_file.c +++ b/wpa_supplicant/config_file.c 
@@ -882,6 +882,7 @@ static void wpa_config_write_network(FILE *f, struct wpa_ssid *ssid) INT_DEF(dot11MeshHoldingTimeout, DEFAULT_MESH_HOLDING_TIMEOUT); INT_DEF(mesh_rssi_threshold, DEFAULT_MESH_RSSI_THRESHOLD); #endif /* CONFIG_MESH */ + INT(wpa_extended_key_id); INT(wpa_ptk_rekey); INT(group_rekey); INT(ignore_broadcast_ssid); diff --git a/wpa_supplicant/config_ssid.h b/wpa_supplicant/config_ssid.h index d5c5c00a9..968b1c040 100644 --- a/wpa_supplicant/config_ssid.h +++ b/wpa_supplicant/config_ssid.h @@ -22,6 +22,7 @@ #define DEFAULT_PAIRWISE (WPA_CIPHER_CCMP | WPA_CIPHER_TKIP) #define DEFAULT_GROUP (WPA_CIPHER_CCMP | WPA_CIPHER_TKIP) #define DEFAULT_FRAGMENT_SIZE 1398 +#define DEFAULT_EXTENDED_KEY_ID 1 #define DEFAULT_BG_SCAN_PERIOD -1 #define DEFAULT_MESH_MAX_RETRIES 2 @@ -528,6 +529,15 @@ struct wpa_ssid { unsigned int vht_center_freq1; unsigned int vht_center_freq2; + /** wpa_extended_key_id - Extended Key ID support + * + * IEEE 802.11-2016 optionally allows to use key id 0 and 1 for PTK keys + * default: auto (1) + * 0 = force off. Do not announce or use Extended Key ID. + * 1 = auto. Use Extended Key ID when possible. + */ + int wpa_extended_key_id; + /** * wpa_ptk_rekey - Maximum lifetime for PTK in seconds * diff --git a/wpa_supplicant/ctrl_iface.c b/wpa_supplicant/ctrl_iface.c index 862f72734..e5f7246d1 100644 --- a/wpa_supplicant/ctrl_iface.c +++ b/wpa_supplicant/ctrl_iface.c @@ -5254,6 +5254,9 @@ static void wpa_supplicant_ctrl_iface_drop_sa(struct wpa_supplicant *wpa_s) wpa_drv_set_key(wpa_s, WPA_ALG_NONE, wpa_s->bssid, 0, 0, NULL, 0, NULL, 0, KEY_TYPE_PAIRWISE); + if (wpa_sm_extended_key_id(wpa_s->wpa)) + wpa_drv_set_key(wpa_s, WPA_ALG_NONE, wpa_s->bssid, 1, 0, NULL, + 0, NULL, 0, KEY_TYPE_PAIRWISE); /* MLME-SETPROTECTION.request(None) */ wpa_drv_mlme_setprotection(wpa_s, wpa_s->bssid, MLME_SETPROTECTION_PROTECT_TYPE_NONE, diff --git a/wpa_supplicant/driver_i.h b/wpa_supplicant/driver_i.h index efb17c471..a63566b7f 100644 
--- a/wpa_supplicant/driver_i.h +++ b/wpa_supplicant/driver_i.h @@ -156,10 +156,19 @@ static inline int wpa_drv_set_key(struct wpa_supplicant *wpa_s, enum key_type key_type) { if (alg != WPA_ALG_NONE) { - if (key_idx >= 0 && key_idx <= 6) + if (key_idx == 1 && + (key_type == KEY_TYPE_PAIRWISE || + key_type == KEY_TYPE_NO_AUTO_TX)) { + /* keyidx = 1 can be either a broadcast or - with + * Extended Key ID - an unicast key. Use bit 6 for + * the pairwise keyidx 1. + */ + wpa_s->keys_cleared &= ~BIT(6); + } else if (key_idx >= 0 && key_idx <= 5) { wpa_s->keys_cleared &= ~BIT(key_idx); - else + } else { wpa_s->keys_cleared = 0; + } } if (wpa_s->driver->set_key) { return wpa_s->driver->set_key(wpa_s->ifname, wpa_s->drv_priv, diff --git a/wpa_supplicant/wpa_cli.c b/wpa_supplicant/wpa_cli.c index 43ac42720..1bad63e08 100644 --- a/wpa_supplicant/wpa_cli.c +++ b/wpa_supplicant/wpa_cli.c @@ -1442,7 +1442,8 @@ static const char *network_fields[] = { "dot11MeshRetryTimeout", "dot11MeshConfirmTimeout", "dot11MeshHoldingTimeout", #endif /* CONFIG_MESH */ - "wpa_ptk_rekey", "bgscan", "ignore_broadcast_ssid", + "wpa_extended_key_id", "wpa_ptk_rekey", "bgscan", + "ignore_broadcast_ssid", #ifdef CONFIG_P2P "go_p2p_dev_addr", "p2p_client_list", "psk_list", #endif /* CONFIG_P2P */ diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c index 56bba65e8..d2be5949c 100644 --- a/wpa_supplicant/wpa_supplicant.c +++ b/wpa_supplicant/wpa_supplicant.c @@ -699,7 +699,7 @@ void wpa_clear_keys(struct wpa_supplicant *wpa_s, const u8 *addr) int i, max; #ifdef CONFIG_IEEE80211W - max = 6; + max = 5; #else /* CONFIG_IEEE80211W */ max = 4; #endif /* CONFIG_IEEE80211W */ 
@@ -711,10 +711,15 @@ void wpa_clear_keys(struct wpa_supplicant *wpa_s, const u8 *addr) wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, i, 0, NULL, 0, NULL, 0, KEY_TYPE_BROADCAST); } - if (!(wpa_s->keys_cleared & BIT(0)) && addr && + /* Pairwise key idx 1 for Extended Key ID is tracked with bit 6 */ + if (~wpa_s->keys_cleared & (BIT(0) | BIT(6)) && addr && !is_zero_ether_addr(addr)) { - wpa_drv_set_key(wpa_s, WPA_ALG_NONE, addr, 0, 0, NULL, 0, NULL, - 0, KEY_TYPE_PAIRWISE); + if (!(wpa_s->keys_cleared & (BIT(0)))) + wpa_drv_set_key(wpa_s, WPA_ALG_NONE, addr, 0, 0, NULL, + 0, NULL, 0, KEY_TYPE_PAIRWISE); + if (!(wpa_s->keys_cleared & (BIT(6)))) + wpa_drv_set_key(wpa_s, WPA_ALG_NONE, addr, 1, 0, NULL, + 0, NULL, 0, KEY_TYPE_PAIRWISE); /* MLME-SETPROTECTION.request(None) */ wpa_drv_mlme_setprotection( wpa_s, addr, @@ -1237,6 +1242,20 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s, int sel, proto; const u8 *bss_wpa, *bss_rsn, *bss_osen; + if (ssid->mode == WPAS_MODE_INFRA && ssid->wpa_extended_key_id && + wpa_s->drv_flags & WPA_DRIVER_FLAGS_EXTENDED_KEY_ID) { + wpa_msg(wpa_s, MSG_DEBUG, "Enable Extended Key ID support"); + wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_EXTENDED_KEY_ID, 1); + } else { + if (ssid->wpa_extended_key_id) + wpa_msg(wpa_s, MSG_INFO, + "Extended Key ID not supported"); + else + wpa_msg(wpa_s, MSG_DEBUG, + "Extended Key ID support disabled"); + wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_EXTENDED_KEY_ID, 0); + } + if (bss) { bss_wpa = wpa_bss_get_vendor_ie(bss, WPA_IE_VENDOR_TYPE); bss_rsn = wpa_bss_get_ie(bss, WLAN_EID_RSN); diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf index 1159bdcdc..da1828fcd 100644 --- a/wpa_supplicant/wpa_supplicant.conf +++ b/wpa_supplicant/wpa_supplicant.conf 
@@ -1070,6 +1070,11 @@ fast_reauth=1 # hex without quotation, e.g., 0102030405) # wep_tx_keyidx: Default WEP key index (TX) (0..3) # +# wpa_extended_key_id: +# Support the PTK rekey protocol "Extended Key ID" from IEEE 802.11 - 2016. +# 0 = force off: Do not announce or use Extended Key ID +# 1 = auto: Use Extended Key ID when possible (default) +# # wpa_ptk_rekey: Maximum lifetime for PTK in seconds. This can be used to # enforce rekeying of PTK to mitigate some attacks against TKIP deficiencies. # diff --git a/wpa_supplicant/wpas_glue.c b/wpa_supplicant/wpas_glue.c index f96608d72..4b0665826 100644 --- a/wpa_supplicant/wpas_glue.c +++ b/wpa_supplicant/wpas_glue.c @@ -505,7 +505,8 @@ static int wpa_supplicant_set_key(void *_wpa_s, enum wpa_alg alg, } #endif /* CONFIG_TESTING_GET_GTK */ #ifdef CONFIG_TESTING_OPTIONS - if (addr && !is_broadcast_ether_addr(addr)) { + if (addr && !is_broadcast_ether_addr(addr) && + key_type != KEY_TYPE_SET_TX) { wpa_s->last_tk_alg = alg; os_memcpy(wpa_s->last_tk_addr, addr, ETH_ALEN); wpa_s->last_tk_key_idx = key_idx; 
@@ -1272,6 +1273,7 @@ void wpa_supplicant_rsn_supp_set_config(struct wpa_supplicant *wpa_s, #endif /* IEEE8021X_EAPOL */ conf.ssid = ssid->ssid; conf.ssid_len = ssid->ssid_len; + conf.wpa_extended_key_id = ssid->wpa_extended_key_id; conf.wpa_ptk_rekey = ssid->wpa_ptk_rekey; #ifdef CONFIG_P2P if (ssid->p2p_group && wpa_s->current_bss &&
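Review bot: the reworked error message in wpa_supplicant_install_ptk loses the space between the two adjacent string literals, so it prints `driver(alg=%d ...`; change `"WPA: Failed to set PTK to the driver"` to `"WPA: Failed to set PTK to the driver "` (or start the next literal with `" (alg=%d ..."`).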
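Review bot: in wpa_clear_keys, lowering `max` from 6 to 5 under CONFIG_IEEE80211W changes which group key slots the clearing loop visits; the loop bound is outside the visible context, but if it runs `i < max` the second IGTK index (5) is no longer cleared. Reusing BIT(6) of `keys_cleared` for pairwise key index 1 (the new `key_idx <= 5` check in wpa_drv_set_key and the `BIT(0) | BIT(6)` test) does not require that change, since index 6 is not a group key slot here: keep `max = 6`, or move the pairwise-index-1 marker to a bit well outside the key-index range so the two bookkeeping uses cannot collide, and add a one-line comment next to the `key_idx <= 5` check saying which bit is reserved.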
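Review bot: in wpa_supplicant_process_3_of_4 the RX-only install (`KEY_TYPE_NO_AUTO_TX`) happens before message 4 is sent and is not conditioned on `key_info & WPA_KEY_INFO_INSTALL`, while the legacy branch further down installs the PTK only when the Install bit is set. If the early install is intentional (the station must be able to receive under the new key as soon as the AP switches after message 4), say so in a comment above the `if (sm->use_extended_key_id)` block, and consider checking the Install bit there as well so both paths treat a message 3 without Install the same way.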
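Review bot: wpa_supplicant_activate_ptk passes bare `0` for the `alg` and `seq` arguments of wpa_sm_set_key; use `WPA_ALG_NONE` and `NULL` so the call site shows that no key material is passed and only the TX switch (`KEY_TYPE_SET_TX`) is requested. The matching exclusion of `KEY_TYPE_SET_TX` from `last_tk_*` tracking in wpas_glue.c would also benefit from a short comment stating that a SET_TX call carries no key.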
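Review bot: wpa_ft_install_ptk now installs the FT PTK at `sm->keyidx_active`, i.e. whatever index the last 4-way handshake negotiated, but nothing in the FT path shown here (wpa_ft_gen_req_ies only adds the capability bit) carries a KeyID KDE that would agree that index with the target AP. If FT is meant to always use key index 0, reset `sm->keyidx_active` (and `sm->use_extended_key_id`) before this call; if the index is meant to carry over across the roam, document how the AP side learns it.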
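Review bot: handle_extended_key_id logs `WPA: Extended Key ID requires wpa2 and CCMP/GCMP` at MSG_INFO in the legacy branch without checking `sm->wpa_extended_key_id`, so a WPA/TKIP network that has the feature disabled still gets that line on every handshake; gate it on the config flag or lower it to MSG_DEBUG. For the same reason, since DEFAULT_EXTENDED_KEY_ID is 1, the `Extended Key ID not supported` message in wpa_supplicant_set_suites will appear at MSG_INFO on every association for drivers without WPA_DRIVER_FLAGS_EXTENDED_KEY_ID.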
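Review bot: the wpa_supplicant.conf and config_ssid.h text for wpa_extended_key_id describes only "force off" and "auto", but the code enforces several prerequisites that a user reading the option will want listed: driver support (WPA_DRIVER_FLAGS_EXTENDED_KEY_ID), infrastructure mode (`ssid->mode == WPAS_MODE_INFRA`), WPA2 with CCMP/GCMP rather than TKIP, and the AP announcing the bit in its RSN capabilities. Also "optionally allows to use key id 0 and 1" in config_ssid.h reads better as "optionally allows key ID 0 and 1 to be used".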
From patchwork Sat Aug 17 21:14:29 2019
From: Alexander Wetzel
To: j@w1.fi
Subject: [PATCH v3 11/17] tests: Extended Key ID tests
Date: Sat, 17 Aug 2019 23:14:29 +0200
Message-Id: <20190817211435.158335-12-alexander@wetzel-home.de>
In-Reply-To: <20190817211435.158335-1-alexander@wetzel-home.de>
References: <20190817211435.158335-1-alexander@wetzel-home.de>
Cc: Alexander Wetzel , hostap@lists.infradead.org, luca@coelho.fi, johannes@sipsolutions.net

Add the needed infrastructure for the Extended Key ID tests, update the tests overriding RSN Capabilities to work with and without Extended Key ID support and add additional interoperability tests for Extended Key ID.

When supported by the platform (hwsim) all tests will use Extended Key ID when it's allowed while - with the exception of the interoperability test - continue to work with the classical key install.

Signed-off-by: Alexander Wetzel
---
There is of course much more we could test here. Especially wlantest is a neglected area so far. But then all tests using it are also working when we use Extended Key ID. Since all existing tests are with this patch set also working when we use Extended Key ID.

(The last patch of the series uses the keyid 1 for the initial key, making sure that even tests without rekey are compatible.)

Sample test runs are linked in the cover letter of the series.

 tests/hwsim/hostapd.py       | 19 ++++++++-
 tests/hwsim/test_ap_eap.py   | 20 +++++++++-
 tests/hwsim/test_ap_psk.py   | 76 ++++++++++++++++++++++++++++++++----
 tests/hwsim/test_ocv.py      | 13 ++++--
 tests/hwsim/test_rrm.py      |  7 +++-
 tests/hwsim/wpasupplicant.py |  7 +++-
 wlantest/bss.c               |  4 +-
 wlantest/rx_eapol.c          |  4 ++
 8 files changed, 134 insertions(+), 16 deletions(-)

diff --git a/tests/hwsim/hostapd.py b/tests/hwsim/hostapd.py index 4430d8055..c8021ffcc 100644 --- a/tests/hwsim/hostapd.py +++ b/tests/hwsim/hostapd.py @@ -151,6 +151,7 @@ class Hostapd: self.mon.attach() self.bssid = None self.bssidx = bssidx + self.extKeyID = None def cmd_execute(self, cmd_array, shell=False): if self.hostname is None:
@@ -536,7 +537,7 @@ def add_ap(apdev, params, wait_enabled=True, no_enable=False, timeout=30, raise Exception("Could not ping hostapd") hapd.set_defaults() fields = ["ssid", "wpa_passphrase", "nas_identifier", "wpa_key_mgmt", - "wpa", + "wpa", "wpa_extended_key_id", "wpa_pairwise", "rsn_pairwise", "auth_server_addr", "acct_server_addr", "osu_server_uri"] for field in fields: @@ -554,6 +555,16 @@ def add_ap(apdev, params, wait_enabled=True, no_enable=False, timeout=30, return hapd hapd.enable() if wait_enabled: + if "wpa" in params and params["wpa"] == "2": + ev = hapd.wait_event(["Extended Key ID"], timeout=5) + if ev is None or "requires wpa2" in ev: + hapd.extKeyID = "unused" + elif "not supported" in ev: + hapd.extKeyID = "auto-off" + elif "disabled" in ev: + hapd.extKeyID = "force-off" + else: + hapd.extKeyID = "auto-on" ev = hapd.wait_event(["AP-ENABLED", "AP-DISABLED"], timeout=timeout) if ev is None: raise Exception("AP startup timed out") @@ -619,7 +630,7 @@ def terminate(apdev): hapd_global = HostapdGlobal(apdev) hapd_global.terminate() -def wpa2_params(ssid=None, passphrase=None): +def wpa2_params(ssid=None, passphrase=None, wpa_extended_key_id="auto"): params = {"wpa": "2", "wpa_key_mgmt": "WPA-PSK", "rsn_pairwise": "CCMP"} @@ -627,6 +638,10 @@ def wpa2_params(ssid=None, passphrase=None): params["ssid"] = ssid if passphrase: params["wpa_passphrase"] = passphrase + if wpa_extended_key_id == "on": + params["wpa_extended_key_id"] = "1" + elif wpa_extended_key_id == "off": + params["wpa_extended_key_id"] = "0" return params def wpa_params(ssid=None, passphrase=None): diff --git a/tests/hwsim/test_ap_eap.py b/tests/hwsim/test_ap_eap.py index 2fc6925a1..6fc208d20 100644 --- a/tests/hwsim/test_ap_eap.py +++ b/tests/hwsim/test_ap_eap.py 
@@ -6535,7 +6535,7 @@ def test_eap_tls_sha384(dev, apdev, params): def test_ap_wpa2_eap_assoc_rsn(dev, apdev): """WPA2-Enterprise AP and association request RSN IE differences""" params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap") - hostapd.add_ap(apdev[0], params) + hapd = hostapd.add_ap(apdev[0], params) params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap-11w") params["ieee80211w"] = "2" @@ -6555,6 +6555,17 @@ def test_ap_wpa2_eap_assoc_rsn(dev, apdev): ("RSN IE without AKM", "300c0100000fac040100000fac04"), ("RSN IE without pairwise", "30060100000fac04"), ("RSN IE without group", "30020100")] + + if hapd.extKeyID == "auto-on": + tests += [("Normal wpa_supplicant assoc req RSN IE with Extended Key ID", + "30140100000fac040100000fac040100000fac010020"), + ("Extra PMKIDCount field in RSN IE with Extended Key ID", + "30160100000fac040100000fac040100000fac0100200000"), + ("Extra Group Management Cipher Suite in RSN IE with Extended Key ID", + "301a0100000fac040100000fac040100000fac0100200000000fac06"), + ("Extra undefined extension field in RSN IE with Extended Key ID", + "301c0100000fac040100000fac040100000fac0100200000000fac061122")] + for title, ie in tests: logger.info(title) set_test_assoc_ie(dev[0], ie) @@ -6569,6 +6580,13 @@ def test_ap_wpa2_eap_assoc_rsn(dev, apdev): "30140100000fac040100000fac040100000fac01cc00"), ("Group management cipher included in assoc req RSN IE", "301a0100000fac040100000fac040100000fac01cc000000000fac06")] + + if hapd.extKeyID == "auto-on": + tests += [("Normal wpa_supplicant assoc req RSN IE with Extended Key ID", + "30140100000fac040100000fac040100000fac01cc20"), + ("Group management cipher included in assoc req RSN IE with Extended Key ID", + "301a0100000fac040100000fac040100000fac01cc200000000fac06")] + for title, ie in tests: logger.info(title) set_test_assoc_ie(dev[0], ie) diff --git a/tests/hwsim/test_ap_psk.py b/tests/hwsim/test_ap_psk.py index 2655c960c..9bb996f09 100644 --- a/tests/hwsim/test_ap_psk.py 
+++ b/tests/hwsim/test_ap_psk.py 
@@ -203,16 +203,56 @@ def _test_ap_wpa2_psk_mem(dev, apdev): @remote_compatible def test_ap_wpa2_ptk_rekey(dev, apdev): - """WPA2-PSK AP and PTK rekey enforced by station""" + """WPA2-PSK AP and PTK rekey enforced by station without Extended Key ID""" + ssid = "test-wpa2-psk" + passphrase = 'qwertyuiop' + params = hostapd.wpa2_params(ssid=ssid, passphrase=passphrase, + wpa_extended_key_id="off") + hapd = hostapd.add_ap(apdev[0], params) + dev[0].connect(ssid, psk=passphrase, wpa_ptk_rekey="1", scan_freq="2412", + wpa_extended_key_id="off") + ev = dev[0].wait_event(["WPA: Key negotiation completed"]) + if ev is None: + raise Exception("PTK rekey timed out") + hwsim_utils.test_connectivity(dev[0], hapd) + +def test_ap_wpa2_ptk_extended_key_id_rekey(dev, apdev): + """WPA2-PSK AP and PTK rekey enforced by station with Extended Key ID""" ssid = "test-wpa2-psk" passphrase = 'qwertyuiop' params = hostapd.wpa2_params(ssid=ssid, passphrase=passphrase) hapd = hostapd.add_ap(apdev[0], params) + if hapd.extKeyID == "auto-off": + raise Exception("Extended Key ID support missing in hwsim") + + dev[0].connect(ssid, psk=passphrase, wpa_ptk_rekey="1", scan_freq="2412", + wpa_extended_key_id="off") + ev = dev[0].wait_event(["WPA: Key negotiation completed"]) + if ev is None: + raise Exception("PTK rekey timed out (STA without Extended Key ID)") + hwsim_utils.test_connectivity(dev[0], hapd) + dev[0].reset() + dev[0].connect(ssid, psk=passphrase, wpa_ptk_rekey="1", scan_freq="2412") ev = dev[0].wait_event(["WPA: Key negotiation completed"]) if ev is None: - raise Exception("PTK rekey timed out") + raise Exception("PTK rekey timed out (STA with Extended Key ID)") + hwsim_utils.test_connectivity(dev[0], hapd) + ev = dev[0].wait_event(["WPA: Key negotiation completed"]) + if ev is None: + raise Exception("PTK rekey timed out 2 (STA with Extended Key ID)") hwsim_utils.test_connectivity(dev[0], hapd) + dev[0].reset() + + params = hostapd.wpa2_params(ssid=ssid, passphrase=passphrase, + 
wpa_extended_key_id="off") + hapd = hostapd.add_ap(apdev[0], params) + dev[0].connect(ssid, psk=passphrase, wpa_ptk_rekey="1", scan_freq="2412") + ev = dev[0].wait_event(["WPA: Key negotiation completed"]) + if ev is None: + raise Exception("PTK rekey timed out (AP without Extended Key ID") + hwsim_utils.test_connectivity(dev[0], hapd) + dev[0].reset() def test_ap_wpa2_ptk_rekey_anonce(dev, apdev): """WPA2-PSK AP and PTK rekey enforced by station and ANonce change""" @@ -1355,10 +1395,15 @@ def eapol_test(apdev, dev, wpa2=True, ieee80211w=0): ieee80211w=str(ieee80211w)) addr = dev.p2p_interface_addr() if wpa2: - if ieee80211w == 2: - rsne = binascii.unhexlify('30140100000fac040100000fac040100000fac02cc00') + if hapd.extKeyID == "auto-on" and ieee80211w == 2: + cap = "cc20" + elif hapd.extKeyID == "auto-on": + cap = "0020" + elif ieee80211w == 2: + cap = "cc00" else: - rsne = binascii.unhexlify('30140100000fac040100000fac040100000fac020000') + cap = "0000" + rsne = binascii.unhexlify('30140100000fac040100000fac040100000fac02'+cap) else: rsne = binascii.unhexlify('dd160050f20101000050f20201000050f20201000050f202') snonce = binascii.unhexlify('1111111111111111111111111111111111111111111111111111111111111111') @@ -2928,6 +2973,11 @@ def test_ap_wpa2_psk_assoc_rsn(dev, apdev): "30140100000fac040100000fac040100000fac020000"), ("RSN IE without RSN Capabilities", "30120100000fac040100000fac040100000fac02")] + + if hapd.extKeyID == "auto-on": + tests += [("Normal wpa_supplicant assoc req RSN IE with Extended Key ID", + "30140100000fac040100000fac040100000fac020020")] + for title, ie in tests: logger.info(title) set_test_assoc_ie(dev[0], ie) 
@@ -2971,9 +3021,13 @@ def test_ap_wpa2_psk_ft_workaround(dev, apdev): params['r1_key_holder'] = "000102030405" hapd = hostapd.add_ap(apdev[0], params) + if hapd.extKeyID == "auto-on": + ie = "30180100000fac040100000fac040200000fac02000fac040020" + else: + ie = "30180100000fac040100000fac040200000fac02000fac040000" + # Include both WPA-PSK and FT-PSK AKMs in Association Request frame - set_test_assoc_ie(dev[0], - "30180100000fac040100000fac040200000fac02000fac040000") + set_test_assoc_ie(dev[0], ie) dev[0].connect(ssid, psk=passphrase, scan_freq="2412") dev[0].request("REMOVE_NETWORK all") dev[0].wait_disconnected() @@ -2990,6 +3044,14 @@ def test_ap_wpa2_psk_assoc_rsn_pmkid(dev, apdev): dev[0].request("REMOVE_NETWORK all") dev[0].wait_disconnected() + if not hapd.extKeyID == "auto-on": + return + + set_test_assoc_ie(dev[0], "30260100000fac040100000fac040100000fac0200200100" + 16*'00') + dev[0].connect(ssid, psk=passphrase, scan_freq="2412") + dev[0].request("REMOVE_NETWORK all") + dev[0].wait_disconnected() + def test_ap_wpa_psk_rsn_pairwise(dev, apdev): """WPA-PSK AP and only rsn_pairwise set""" params = {"ssid": "wpapsk", "wpa": "1", "wpa_key_mgmt": "WPA-PSK", diff --git a/tests/hwsim/test_ocv.py b/tests/hwsim/test_ocv.py index 176e17faf..7787a4056 100644 --- a/tests/hwsim/test_ocv.py +++ b/tests/hwsim/test_ocv.py 
@@ -380,10 +380,17 @@ class APConnection: self.bssid = apdev['bssid'] pmk = binascii.unhexlify("c2c6c255af836bed1b3f2f1ded98e052f5ad618bb554e2836757b55854a0eab7") - if sta_ocv != "0": - self.rsne = binascii.unhexlify("301a0100000fac040100000fac040100000fac0280400000000fac06") + if self.hapd.extKeyID == "auto-on": + if sta_ocv != "0": + cap = "8060" + else: + cap = "8020" else: - self.rsne = binascii.unhexlify("301a0100000fac040100000fac040100000fac0280000000000fac06") + if sta_ocv != "0": + cap = "8040" + else: + cap = "8000" + self.rsne = binascii.unhexlify("301a0100000fac040100000fac040100000fac02"+cap+"0000000fac06") self.snonce = binascii.unhexlify('1111111111111111111111111111111111111111111111111111111111111111') dev.connect(self.ssid, raw_psk=self.psk, scan_freq=freq, ocv=sta_ocv, diff --git a/tests/hwsim/test_rrm.py b/tests/hwsim/test_rrm.py index c9c8d6103..4f2a323c2 100644 --- a/tests/hwsim/test_rrm.py +++ b/tests/hwsim/test_rrm.py @@ -1182,6 +1182,11 @@ def test_rrm_beacon_req_table_rsne(dev, apdev): params["rrm_beacon_report"] = "1" hapd = hostapd.add_ap(apdev[0], params) + if hapd.extKeyID == "auto-on": + cap = "0c20" + else: + cap = "0c00" + dev[0].connect("rrm-rsn", psk="12345678", scan_freq="2412") addr = dev[0].own_addr() @@ -1196,7 +1201,7 @@ def test_rrm_beacon_req_table_rsne(dev, apdev): raise Exception("Reported Frame Body subelement missing") if len(report.frame_body) != 12 + 22: raise Exception("Unexpected Reported Frame Body subelement length with Reporting Detail 1 and requested element RSNE") - if binascii.unhexlify("30140100000fac040100000fac040100000fac020c00") not in report.frame_body: + if binascii.unhexlify("30140100000fac040100000fac040100000fac02"+cap) not in report.frame_body: raise Exception("Full RSNE not found") def test_rrm_beacon_req_table_vht(dev, apdev): diff --git a/tests/hwsim/wpasupplicant.py b/tests/hwsim/wpasupplicant.py index 8c7e13d02..c02aca409 100644 --- a/tests/hwsim/wpasupplicant.py 
+++ b/tests/hwsim/wpasupplicant.py @@ -1053,13 +1053,18 @@ class WpaSupplicant: if tspecs: raise Exception("DELTS failed (still in tspec list)") - def connect(self, ssid=None, ssid2=None, **kwargs): + def connect(self, ssid=None, ssid2=None, + wpa_extended_key_id="auto", **kwargs): logger.info("Connect STA " + self.ifname + " to AP") id = self.add_network() if ssid: self.set_network_quoted(id, "ssid", ssid) elif ssid2: self.set_network(id, "ssid", ssid2) + if wpa_extended_key_id == "on": + self.set_network(id, "wpa_extended_key_id", "1") + elif wpa_extended_key_id == "off": + self.set_network(id, "wpa_extended_key_id", "0") quoted = ["psk", "identity", "anonymous_identity", "password", "ca_cert", "client_cert", "private_key", diff --git a/wlantest/bss.c b/wlantest/bss.c index 298a902c7..08181dc8c 100644 --- a/wlantest/bss.c +++ b/wlantest/bss.c @@ -334,7 +334,9 @@ void bss_update(struct wlantest *wt, struct wlantest_bss *bss, bss->rsn_capab & WPA_CAPABILITY_MFPC ? "MFPC " : "", bss->rsn_capab & WPA_CAPABILITY_PEERKEY_ENABLED ? "PEERKEY " : "", - bss->rsn_capab & WPA_CAPABILITY_OCVC ? "OCVC " : ""); + bss->rsn_capab & WPA_CAPABILITY_OCVC ? "OCVC " : "", + bss->rsn_capab & WPA_CAPABILITY_EXT_KEY_ID_FOR_UNICAST ? + "Extended Key ID" : ""); } diff --git a/wlantest/rx_eapol.c b/wlantest/rx_eapol.c index 1af48ec8f..4d692e09a 100644 --- a/wlantest/rx_eapol.c +++ b/wlantest/rx_eapol.c 
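Review bot: connect() accepts wpa_extended_key_id="auto"/"on"/"off" but any other value (a typo such as "On", or an integer) is silently treated as "auto", so a test could pass while exercising the wrong configuration; add `elif wpa_extended_key_id != "auto": raise Exception("Unsupported wpa_extended_key_id value")` after the two set_network() branches.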
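Review bot: the wlantest/bss.c hunk adds a fourth "%s"-style argument to the call but the format string is outside the hunk; confirm it gained a matching "%s", otherwise the new argument is ignored (and -Wformat will complain). The existing flags also end with a trailing space ("MFPC ", "PEERKEY ", "OCVC ") while the new one is "Extended Key ID" without one, so use "Extended Key ID " to keep the printed list consistent.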
@@ -458,6 +458,10 @@ static void learn_kde_keys(struct wlantest *wt, struct wlantest_bss *bss, ie.rsn_ie, ie.rsn_ie_len); } + if (ie.key_id) { + add_note(wt, MSG_DEBUG, "KeyID %u", ie.key_id[0]); + } + if (ie.gtk) { wpa_hexdump(MSG_MSGDUMP, "EAPOL-Key Key Data - GTK KDE", ie.gtk, ie.gtk_len);
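Review bot: hostap style omits braces around a single-statement if body, so the braces around add_note() should go. More importantly, the KeyID learned from the KDE is only logged here; if wlantest is expected to decrypt traffic for a STA that negotiated Extended Key ID, is it intentional that the value is not stored alongside the TK, so that frames protected under keyid 1 are handled no differently from keyid 0?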
From: Alexander Wetzel
To: j@w1.fi
Subject: [PATCH v3 12/17] hostapd: FILS Extended Key ID support
Date: Sat, 17 Aug 2019 23:14:30 +0200
Message-Id: <20190817211435.158335-13-alexander@wetzel-home.de>
In-Reply-To: <20190817211435.158335-1-alexander@wetzel-home.de>
References: <20190817211435.158335-1-alexander@wetzel-home.de>
Cc: Alexander Wetzel, hostap@lists.infradead.org, luca@coelho.fi, johannes@sipsolutions.net

IEEE 802.11ai-2016 is missing any instructions on how Extended Key ID shall be handled in combination with it. But there seem to be only two ways:

1) FILS can only use keyid 0 and the STAs only decide on rekey if they can use Extended Key ID.
2) FILS also checks if Extended Key ID can be used by both STAs and, if so, adds the KeyID KDE in addition to the GTK/IGTK KDEs.

Since the latter seems to be closer to the intent of 802.11ai and there are no other implementations of Extended Key ID we could be incompatible with, this patch implements 2) for now.
Signed-off-by: Alexander Wetzel
---
Now this is a very free interpretation of how to handle Extended Key ID in combination with FILS. Technically it's the same issue as we have for FT, so I'm using the same (arguable) solution here: we bypass the 4-way handshake and Extended Key ID is therefore mostly irrelevant. Neither FILS nor FT make any concession for Extended Key ID but have a mechanism to get the GTK ID, which of course can also pass over the (unicast) KeyID required for Extended Key ID support...

Now the new patch series is rigorously sticking to the key install mode used at the initial connect: when either the AP or the STA tries to use anything other than what was used for the connect, we kill the connection. By also adding the KeyID to the KDEs these checks work basically out of the box and the Extended Key ID flag in the RSN capabilities serves a purpose.

Alternatively we could relax the checks and accept that we either still set the Extended Key ID bit in RSN but just assume the keyid is always zero for FT and FILS, or even drop the bit in the RSN capabilities and relax the sanity checks for FILS and FT. Since any STA not capable of Extended Key ID won't care either way and there are zero implementations of Extended Key ID we have to stay compatible with, I decided to first try what I consider the cleanest way. Therefore unicast KeyIDs have been added to the frames that also transport the GTK ID. Based on the feedback we either keep or change it.

 src/ap/wpa_auth.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c index 0213e97c2..10c58c26c 100644 --- a/src/ap/wpa_auth.c +++ b/src/ap/wpa_auth.c
@@ -2692,6 +2692,15 @@ static struct wpabuf * fils_prepare_plainbuf(struct wpa_state_machine *sm, wpabuf_put_u8(plain, WLAN_EID_EXT_KEY_DELIVERY); wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, wpabuf_put(plain, WPA_KEY_RSC_LEN)); + + hdr[1] = 0; + if (sm->use_extended_key_id) { + hdr[0] = sm->keyidx_active & 0x01; + tmp = wpabuf_put(plain, 0); + tmp2 = wpa_add_kde(tmp, RSN_KEY_DATA_KEYID, hdr, 2, NULL, 0); + wpabuf_put(plain, tmp2 - tmp); + } + /* GTK KDE */ gtk = gsm->GTK[gsm->GN - 1]; gtk_len = gsm->GTK_len; @@ -2708,7 +2717,6 @@ static struct wpabuf * fils_prepare_plainbuf(struct wpa_state_machine *sm, gtk = dummy_gtk; } hdr[0] = gsm->GN & 0x03; - hdr[1] = 0; tmp = wpabuf_put(plain, 0); tmp2 = wpa_add_kde(tmp, RSN_KEY_DATA_GROUPKEY, hdr, 2, gtk, gtk_len); @@ -2754,6 +2762,7 @@ int fils_set_tk(struct wpa_state_machine *sm) wpa_printf(MSG_DEBUG, "FILS: No valid PTK available to set TK"); return -1; } + if (sm->tk_already_set) { wpa_printf(MSG_DEBUG, "FILS: TK already set to the driver"); return -1; 
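Review bot: the first hunk appends a KeyID KDE (6-byte KDE header plus 2 data bytes) to `plain` with wpabuf_put(), but nothing in the hunk grows the buffer; unless the earlier wpabuf_alloc() in fils_prepare_plainbuf() already leaves slack, the extra 8 bytes will trip the wpabuf overflow abort when sm->use_extended_key_id is set. Check the allocation size and add the KDE length to it under the same condition.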
@@ -2763,7 +2772,7 @@ int fils_set_tk(struct wpa_state_machine *sm) klen = wpa_cipher_key_len(sm->pairwise); wpa_printf(MSG_DEBUG, "FILS: Configure TK to the driver"); - if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0, + if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, sm->keyidx_active, sm->PTK.tk, klen, KEY_TYPE_PAIRWISE)) { wpa_printf(MSG_DEBUG, "FILS: Failed to set TK to the driver"); return -1;
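Review bot: fils_set_tk() now installs the TK at sm->keyidx_active unconditionally, while the KeyID KDE in the previous hunk is gated on sm->use_extended_key_id; this is only correct if keyidx_active is guaranteed to be 0 whenever Extended Key ID was not negotiated. Either pass `sm->use_extended_key_id ? sm->keyidx_active : 0` or add a comment stating that invariant where keyidx_active is set.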
From: Alexander Wetzel
To: j@w1.fi
Subject: [PATCH v3 13/17] wpa_supplicant: FILS Extended Key ID support
Date: Sat, 17 Aug 2019 23:14:31 +0200
Message-Id: <20190817211435.158335-14-alexander@wetzel-home.de>
In-Reply-To: <20190817211435.158335-1-alexander@wetzel-home.de>
References: <20190817211435.158335-1-alexander@wetzel-home.de>
Cc: Alexander Wetzel, hostap@lists.infradead.org, luca@coelho.fi, johannes@sipsolutions.net

This implements the matching Extended Key ID support for FILS, compatible with our hostapd interpretation of the standard.

Signed-off-by: Alexander Wetzel
---
 src/rsn_supp/wpa.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c index 32114a9d2..49b63ba22 100644 --- a/src/rsn_supp/wpa.c +++ b/src/rsn_supp/wpa.c @@ -4382,6 +4382,7 @@ int fils_process_assoc_resp(struct wpa_sm *sm, const u8 *resp, size_t len) struct wpa_gtk_data gd; int maxkeylen; struct wpa_eapol_ie_parse kde; + struct wpa_ie_data rsn; if (!sm || !sm->ptk_set) { wpa_printf(MSG_DEBUG, "FILS: No KEK available"); @@ -4495,8 +4496,6 @@ int fils_process_assoc_resp(struct wpa_sm *sm, const u8 *resp, size_t len) #ifdef CONFIG_IEEE80211R if (wpa_key_mgmt_ft(sm->key_mgmt) && sm->fils_ft_ies) { - struct wpa_ie_data rsn; - /* Check that PMKR1Name derived by the AP matches */ if (!elems.rsn_ie || wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
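Review bot: `struct wpa_ie_data rsn` is moved from the `#ifdef CONFIG_IEEE80211R` block to function scope, but every use of it that the patch shows stays inside that #ifdef (the new handle_extended_key_id() call in the next hunk passes `elems.rsn_ie - 2`, not `&rsn`), so a build without CONFIG_IEEE80211R now gets an unused-variable warning. Either leave the declaration where it was or actually use `rsn` in the new code.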
@@ -4564,11 +4563,16 @@ int fils_process_assoc_resp(struct wpa_sm *sm, const u8 *resp, size_t len) keylen, (long unsigned int) sm->ptk.tk_len); goto fail; } + + if (handle_extended_key_id(sm, &kde, + elems.rsn_ie - 2, elems.rsn_ie_len + 2)) + goto fail; + rsclen = wpa_cipher_rsc_len(sm->pairwise_cipher); wpa_hexdump_key(MSG_DEBUG, "FILS: Set TK to driver", sm->ptk.tk, keylen); - if (wpa_sm_set_key(sm, alg, sm->bssid, 0, 1, null_rsc, rsclen, - sm->ptk.tk, keylen, KEY_TYPE_PAIRWISE) < 0) { + if (wpa_sm_set_key(sm, alg, sm->bssid, sm->keyidx_active, 1, null_rsc, + rsclen, sm->ptk.tk, keylen, KEY_TYPE_PAIRWISE) < 0) { wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "FILS: Failed to set PTK to the driver (alg=%d keylen=%d bssid=" MACSTR ")",
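Review bot: handle_extended_key_id() is called with `elems.rsn_ie - 2` unconditionally, yet the FT block in the previous hunk guards the very same pointer with `if (!elems.rsn_ie || ...`, i.e. the Association Response may carry no RSNE; check `elems.rsn_ie` before the call (or make handle_extended_key_id() accept a NULL RSNE and treat it as "not negotiated") so a missing element fails cleanly instead of forming a pointer from NULL.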
From: Alexander Wetzel
To: j@w1.fi
Subject: [PATCH v3 14/17] nl80211: Extended Key ID support
Date: Sat, 17 Aug 2019 23:14:32 +0200
Message-Id: <20190817211435.158335-15-alexander@wetzel-home.de>
In-Reply-To: <20190817211435.158335-1-alexander@wetzel-home.de>
References: <20190817211435.158335-1-alexander@wetzel-home.de>
Cc: Alexander Wetzel, hostap@lists.infradead.org, luca@coelho.fi, johannes@sipsolutions.net

Nl80211 supports Extended Key ID, implement support for it.

Signed-off-by: Alexander Wetzel
---
This patch allows hostapd/wpa_supplicant to really use Extended Key ID. Since so far only Linux supports Extended Key ID (and only via nl80211), the other drivers can't be updated. The patch is close to the end of the series to make sure bisecting still generates working binaries regardless of at which patch we split this series.

 src/drivers/driver_nl80211.c | 25 ++++++++++++++++++++++--- src/drivers/driver_nl80211_capa.c | 4 ++++ 2 files changed, 26 insertions(+), 3 deletions(-) diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c index 7ff912912..9ef376c56 100644 --- a/src/drivers/driver_nl80211.c +++ b/src/drivers/driver_nl80211.c @@ -3049,7 +3049,11 @@ static int wpa_driver_nl80211_set_key(const char *ifname, struct i802_bss *bss, if (!key_msg) return -ENOBUFS; - if (alg == WPA_ALG_NONE) { + if (key_type == KEY_TYPE_SET_TX) { + msg = nl80211_ifindex_msg(drv, ifindex, 0, NL80211_CMD_SET_KEY); + if (!msg) + goto fail2; + } else if (alg == WPA_ALG_NONE) { msg = nl80211_ifindex_msg(drv, ifindex, 0, NL80211_CMD_DEL_KEY); if (!msg) goto fail2;
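Review bot: the one-line commit message ("Nl80211 supports Extended Key ID, implement support for it.") does not document the caller contract this hunk establishes; state that KEY_TYPE_SET_TX is sent as NL80211_CMD_SET_KEY carrying no key material (it bypasses both the WPA_ALG_NONE and the NEW_KEY branches) and that KEY_TYPE_NO_AUTO_TX goes through the normal NEW_KEY path with NL80211_KEY_NO_TX, so whoever adds a second driver knows what these key types are expected to mean.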
@@ -3059,16 +3063,18 @@ static int wpa_driver_nl80211_set_key(const char *ifname, struct i802_bss *bss, suite = wpa_alg_to_cipher_suite(alg, key_len); if (!suite) goto fail2; + msg = nl80211_ifindex_msg(drv, ifindex, 0, NL80211_CMD_NEW_KEY); if (!msg) goto fail2; + if (nla_put(key_msg, NL80211_KEY_DATA, key_len, key) || nla_put_u32(key_msg, NL80211_KEY_CIPHER, suite)) goto fail; wpa_hexdump_key(MSG_DEBUG, "nl80211: KEY_DATA", key, key_len); } - if (seq && seq_len) { + if (seq && seq_len && key_type != KEY_TYPE_SET_TX) { if (nla_put(key_msg, NL80211_KEY_SEQ, seq_len, seq)) goto fail; wpa_hexdump(MSG_DEBUG, "nl80211: KEY_SEQ", seq, seq_len); @@ -3079,7 +3085,20 @@ static int wpa_driver_nl80211_set_key(const char *ifname, struct i802_bss *bss, if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) goto fail; - if (alg != WPA_ALG_WEP && key_type != KEY_TYPE_PAIRWISE) { + if (key_type == KEY_TYPE_NO_AUTO_TX || + key_type == KEY_TYPE_SET_TX) { + wpa_printf(MSG_DEBUG, "nl80211: %s for " + "keyid=%d addr=" MACSTR, + key_type == KEY_TYPE_NO_AUTO_TX ? + "KEY_TYPE_NO_AUTO_TX" : "KEY_TYPE_SET_TX", + key_idx, MAC2STR(addr)); + if (nla_put_u8(key_msg, NL80211_KEY_MODE, + key_type == KEY_TYPE_NO_AUTO_TX ? + NL80211_KEY_NO_TX : + NL80211_KEY_SET_TX)) + goto fail; + } else if (alg != WPA_ALG_WEP && + key_type != KEY_TYPE_PAIRWISE) { wpa_printf(MSG_DEBUG, " RSN IBSS RX GTK"); if (nla_put_u32(key_msg, NL80211_KEY_TYPE, NL80211_KEYTYPE_GROUP)) diff --git a/src/drivers/driver_nl80211_capa.c b/src/drivers/driver_nl80211_capa.c index 8318b10ab..b4d175f4e 100644 --- a/src/drivers/driver_nl80211_capa.c +++ b/src/drivers/driver_nl80211_capa.c 
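Review bot: in the third hunk the debug message is assembled from a split string literal ("nl80211: %s for " "keyid=%d addr=" MACSTR), which hostap style avoids because it breaks grepping for the message text; keep "nl80211: %s for keyid=%d addr=" on one line. The new branch also deliberately takes KEY_TYPE_NO_AUTO_TX and KEY_TYPE_SET_TX away from the `alg != WPA_ALG_WEP && key_type != KEY_TYPE_PAIRWISE` fallthrough that marks group keys; a one-line comment that both are pairwise-only would make that intent explicit.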
@@ -417,6 +417,10 @@ static void wiphy_info_ext_feature_flags(struct wiphy_info_data *info, NL80211_EXT_FEATURE_DFS_OFFLOAD)) capa->flags |= WPA_DRIVER_FLAGS_DFS_OFFLOAD; + if (ext_feature_isset(ext_features, len, + NL80211_EXT_FEATURE_EXT_KEY_ID)) + capa->flags |= WPA_DRIVER_FLAGS_EXTENDED_KEY_ID; + #ifdef CONFIG_MBO if (ext_feature_isset(ext_features, len, NL80211_EXT_FEATURE_FILS_MAX_CHANNEL_TIME) &&
From: Alexander Wetzel
To: j@w1.fi
Subject: [PATCH v3 15/17] nl80211: Hack for keyidx=1 installs
Date: Sat, 17 Aug 2019 23:14:33 +0200
Message-Id: <20190817211435.158335-16-alexander@wetzel-home.de>
In-Reply-To: <20190817211435.158335-1-alexander@wetzel-home.de>
References: <20190817211435.158335-1-alexander@wetzel-home.de>
Cc: Alexander Wetzel, hostap@lists.infradead.org, luca@coelho.fi, johannes@sipsolutions.net

The Extended Key ID implementation in Linux doesn't allow installing pairwise keys using keyid 1 with one netlink call. This will probably change in the near future, but till then this patch works around keyid 1 install problems when using FILS or FT.

Signed-off-by: Alexander Wetzel
---
This is just a hack - at least for now - to work around a shortcoming in the Extended Key ID API. With this patch all hostapd tests are working with the existing API, including FT and FILS.

I'm currently trying to get that fixed in the Linux kernel. If this works out as I hope, we can simply not merge this patch. (This will still leave some kernels around which will have problems for FT and FILS, assuming we don't decide that we have to stick to keyid zero for those.)

 src/drivers/driver_nl80211.c | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c index 9ef376c56..de82fb79d 100644 --- a/src/drivers/driver_nl80211.c +++ b/src/drivers/driver_nl80211.c @@ -3020,6 +3020,7 @@ static int wpa_driver_nl80211_set_key(const char *ifname, struct i802_bss *bss, struct nl_msg *key_msg; struct nlattr *types; int need_set_key = 0; + int hack = 0; int ret; /* Ignore for P2P Device */
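Review bot: `int hack = 0;` says nothing about what it tracks; since the later hunks use it to remember that a keyidx=1 pairwise install was split into a NO_TX install followed by a SET_TX call, a name such as `split_keyidx1_install` (with a matching comment) would make the two later uses self-explanatory.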
@@ -3085,6 +3086,13 @@ static int wpa_driver_nl80211_set_key(const char *ifname, struct i802_bss *bss, if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) goto fail; + /* Hack to allow keyidx=1 key installs with key_type=0 */ + if (key_idx == 1 && key_type == KEY_TYPE_PAIRWISE && + alg != WPA_ALG_NONE) { + hack = 1; + key_type = KEY_TYPE_NO_AUTO_TX; + } + if (key_type == KEY_TYPE_NO_AUTO_TX || key_type == KEY_TYPE_SET_TX) { wpa_printf(MSG_DEBUG, "nl80211: %s for " 
@@ -3122,6 +3130,19 @@ static int wpa_driver_nl80211_set_key(const char *ifname, struct i802_bss *bss, wpa_printf(MSG_DEBUG, "nl80211: set_key failed; err=%d %s)", ret, strerror(-ret)); + if (!ret && hack) { + wpa_printf(MSG_DEBUG, + "nl80211: set key hack for KEY_TYPE_SET_TX"); + ret = wpa_driver_nl80211_set_key(ifname, bss, 0, addr, + key_idx, NULL, 0, NULL, 0, + KEY_TYPE_SET_TX); + if (ret) + wpa_printf(MSG_DEBUG, + "nl80211: set_key hack failed; err=%d %s)", + ret, strerror(-ret)); + return ret; + } + /* * If we failed or don't need to set the key as default (below), * we're done here.

From patchwork Sat Aug 17 21:14:34 2019 X-Patchwork-Submitter: Alexander Wetzel X-Patchwork-Id: 1149152
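Review bot: in the [PATCH 15/17] hunk at @@ -3085 of driver_nl80211.c the rewrite to KEY_TYPE_NO_AUTO_TX is keyed only on `key_idx == 1 && key_type == KEY_TYPE_PAIRWISE && alg != WPA_ALG_NONE`, with no check that the driver actually reports Extended Key ID support, so every keyidx=1 pairwise install on every kernel is turned into the two-step NO_AUTO_TX/SET_TX sequence; gate it on the Extended Key ID capability so the workaround only fires where the cover letter says it is needed and can be removed cleanly once the kernel side is fixed. The comment `/* Hack to allow keyidx=1 key installs with key_type=0 */` also says key_type=0 while the condition tests KEY_TYPE_PAIRWISE; name the enum member in the comment so the two stay in sync.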
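Review bot: in the [PATCH 15/17] hunk at @@ -3122 of driver_nl80211.c the follow-up call `wpa_driver_nl80211_set_key(ifname, bss, 0, addr, key_idx, NULL, 0, NULL, 0, KEY_TYPE_SET_TX)` passes ten arguments, but at this point in the series the function still takes `set_tx` between key_idx and seq (eleven parameters; the signature removed in 16/17 shows it), so the tree does not build with 15/17 applied on its own and bisection breaks; pass a set_tx argument here and let 16/17 drop it, or reorder the two patches. Separately, when the SET_TX step fails the key has already been installed as a no-auto-tx key and nothing removes it or reports beyond MSG_DEBUG, so the caller only sees -errno and cannot tell which half failed; consider clearing the half-installed key with WPA_ALG_NONE on that path and logging which step failed at a level the user will see.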
From: Alexander Wetzel
To: j@w1.fi
Subject: [PATCH v3 16/17] Drop set_tx from all set_key() functions
Date: Sat, 17 Aug 2019 23:14:34 +0200
Message-Id: <20190817211435.158335-17-alexander@wetzel-home.de>
In-Reply-To: <20190817211435.158335-1-alexander@wetzel-home.de>
References: <20190817211435.158335-1-alexander@wetzel-home.de>
Cc: Alexander Wetzel, hostap@lists.infradead.org, luca@coelho.fi, johannes@sipsolutions.net

Remove the no longer used set_tx argument from all set_key() functions, finalizing the API migration to key_types.

Signed-off-by: Alexander Wetzel
---
This could have been done much sooner in the patch series. I just wanted to keep it around so you can also run the Extended Key ID tests and see what set_tx was set to. (Since patch 7 of the series, set_tx is without any function.)

hostapd/ctrl_iface.c | 32 +++++++++++++------------------- src/ap/ap_drv_ops.c | 7 +++---- src/ap/ap_drv_ops.h | 5 ++--- src/ap/hostapd.c | 10 +++++----- src/ap/ieee802_11.c | 2 +- src/ap/ieee802_1x.c | 6 +++--- src/ap/wpa_auth_glue.c | 2 +- src/drivers/driver.h | 12 +++++------- src/drivers/driver_atheros.c | 5 ++--- src/drivers/driver_bsd.c | 5 ++--- src/drivers/driver_hostap.c | 3 +-- src/drivers/driver_ndis.c | 15 ++++++--------- src/drivers/driver_nl80211.c | 20 ++++++++------------ src/drivers/driver_openbsd.c | 5 ++--- src/drivers/driver_privsep.c | 7 +++---- src/drivers/driver_wext.c | 14 +++++--------- src/drivers/driver_wext.h | 5 ++--- src/rsn_supp/tdls.c | 4 ++-- src/rsn_supp/wpa.c | 12 ++++++------ src/rsn_supp/wpa.h | 2 +- src/rsn_supp/wpa_ft.c | 6 +++--- src/rsn_supp/wpa_i.h | 4 ++-- tests/hwsim/test_ap_ciphers.py | 2 +- wpa_supplicant/ctrl_iface.c | 20 ++++++++++---------- wpa_supplicant/driver_i.h | 11 ++++------- wpa_supplicant/ibss_rsn.c | 12 ++++++------ wpa_supplicant/mesh_mpm.c | 6 +++--- wpa_supplicant/mesh_rsn.c | 8 ++++---- wpa_supplicant/preauth_test.c | 2 +- wpa_supplicant/wpa_supplicant.c | 10 +++++----- wpa_supplicant/wpas_glue.c | 10 +++++----- 31 files changed, 117 insertions(+), 147 deletions(-)
diff --git a/hostapd/ctrl_iface.c b/hostapd/ctrl_iface.c index 6b202b512..aa86a5c32 100644 --- a/hostapd/ctrl_iface.c +++ b/hostapd/ctrl_iface.c @@ -2121,7 +2121,7 @@ static int hostapd_ctrl_reset_pn(struct hostapd_data *hapd, const char *cmd) if (hostapd_drv_set_key(hapd->conf->iface, hapd, hapd->last_igtk_alg, broadcast_ether_addr, - hapd->last_igtk_key_idx, 1, NULL, 0, + hapd->last_igtk_key_idx, NULL, 0, zero, hapd->last_igtk_len, KEY_TYPE_BROADCAST) < 0) return -1; @@ -2130,7 +2130,7 @@ static int hostapd_ctrl_reset_pn(struct hostapd_data *hapd, const char *cmd) return hostapd_drv_set_key(hapd->conf->iface, hapd, hapd->last_igtk_alg, broadcast_ether_addr, - hapd->last_igtk_key_idx, 1, NULL, 0, + hapd->last_igtk_key_idx, NULL, 0, hapd->last_igtk, hapd->last_igtk_len, KEY_TYPE_BROADCAST); @@ -2148,7 +2148,7 @@ static int hostapd_ctrl_reset_pn(struct hostapd_data *hapd, const char *cmd) if (hostapd_drv_set_key(hapd->conf->iface, hapd, hapd->last_gtk_alg, broadcast_ether_addr, - hapd->last_gtk_key_idx, 1, NULL, 0, + hapd->last_gtk_key_idx, NULL, 0, zero, hapd->last_gtk_len, KEY_TYPE_BROADCAST) < 0) return -1; @@ -2157,7 +2157,7 @@ static int hostapd_ctrl_reset_pn(struct hostapd_data *hapd, const char *cmd) return hostapd_drv_set_key(hapd->conf->iface, hapd, hapd->last_gtk_alg, broadcast_ether_addr, - hapd->last_gtk_key_idx, 1, NULL, 0, + hapd->last_gtk_key_idx, NULL, 0, hapd->last_gtk, hapd->last_gtk_len, KEY_TYPE_BROADCAST); } 
@@ -2175,13 +2175,13 @@ static int hostapd_ctrl_reset_pn(struct hostapd_data *hapd, const char *cmd) /* First, use a zero key to avoid any possible duplicate key avoidance * in the driver. */ if (hostapd_drv_set_key(hapd->conf->iface, hapd, sta->last_tk_alg, - sta->addr, sta->last_tk_key_idx, 1, NULL, 0, + sta->addr, sta->last_tk_key_idx, NULL, 0, zero, sta->last_tk_len, KEY_TYPE_PAIRWISE) < 0) return -1; /* Set the previously configured key to reset its TSC/RSC */ return hostapd_drv_set_key(hapd->conf->iface, hapd, sta->last_tk_alg, - sta->addr, sta->last_tk_key_idx, 1, NULL, 0, + sta->addr, sta->last_tk_key_idx, NULL, 0, sta->last_tk, sta->last_tk_len, KEY_TYPE_PAIRWISE); } @@ -2192,12 +2192,11 @@ static int hostapd_ctrl_set_key(struct hostapd_data *hapd, const char *cmd) u8 addr[ETH_ALEN]; const char *pos = cmd; enum wpa_alg alg; - int idx, set_tx; - enum key_type key_type; + int idx, key_type; u8 seq[6], key[WPA_TK_MAX_LEN]; size_t key_len; - /* parameters: alg addr idx set_tx seq key key_type*/ + /* parameters: alg addr idx seq key key_type */ alg = atoi(pos); pos = os_strchr(pos, ' '); @@ -2215,11 +2214,6 @@ static int hostapd_ctrl_set_key(struct hostapd_data *hapd, const char *cmd) if (!pos) return -1; pos++; - set_tx = atoi(pos); - pos = os_strchr(pos, ' '); - if (!pos) - return -1; - pos++; if (hexstr2bin(pos, seq, sizeof(seq)) < 0) return -1; pos += 2 * 6; @@ -2241,7 +2235,7 @@ static int hostapd_ctrl_set_key(struct hostapd_data *hapd, const char *cmd) wpa_printf(MSG_INFO, "TESTING: Set key"); return hostapd_drv_set_key(hapd->conf->iface, hapd, alg, addr, idx, - set_tx, seq, 6, key, key_len, key_type); + seq, 6, key, key_len, key_type); } 
@@ -2256,7 +2250,7 @@ static void restore_tk(void *ctx1, void *ctx2) * in replay protection issues for now since there is no clean way of * preventing encryption of a single EAPOL frame. */ hostapd_drv_set_key(hapd->conf->iface, hapd, sta->last_tk_alg, - sta->addr, sta->last_tk_key_idx, 1, NULL, 0, + sta->addr, sta->last_tk_key_idx, NULL, 0, sta->last_tk, sta->last_tk_len, KEY_TYPE_PAIRWISE); } @@ -2280,7 +2274,7 @@ static int hostapd_ctrl_resend_m1(struct hostapd_data *hapd, const char *cmd) wpa_printf(MSG_INFO, "TESTING: Clear TK for " MACSTR, MAC2STR(sta->addr)); hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_NONE, - sta->addr, sta->last_tk_key_idx, 0, NULL, 0, + sta->addr, sta->last_tk_key_idx, NULL, 0, NULL, 0, KEY_TYPE_PAIRWISE); } @@ -2310,7 +2304,7 @@ static int hostapd_ctrl_resend_m3(struct hostapd_data *hapd, const char *cmd) wpa_printf(MSG_INFO, "TESTING: Clear TK for " MACSTR, MAC2STR(sta->addr)); hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_NONE, - sta->addr, sta->last_tk_key_idx, 0, NULL, 0, + sta->addr, sta->last_tk_key_idx, NULL, 0, NULL, 0, KEY_TYPE_PAIRWISE); } @@ -2340,7 +2334,7 @@ static int hostapd_ctrl_resend_group_m1(struct hostapd_data *hapd, wpa_printf(MSG_INFO, "TESTING: Clear TK for " MACSTR, MAC2STR(sta->addr)); hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_NONE, - sta->addr, sta->last_tk_key_idx, 0, NULL, 0, + sta->addr, sta->last_tk_key_idx, NULL, 0, NULL, 0, KEY_TYPE_PAIRWISE); } diff --git a/src/ap/ap_drv_ops.c b/src/ap/ap_drv_ops.c index 77c457bc2..29356b01f 100644 --- a/src/ap/ap_drv_ops.c +++ b/src/ap/ap_drv_ops.c 
@@ -675,14 +675,13 @@ int hostapd_driver_set_noa(struct hostapd_data *hapd, u8 count, int start, int hostapd_drv_set_key(const char *ifname, struct hostapd_data *hapd, enum wpa_alg alg, const u8 *addr, - int key_idx, int set_tx, - const u8 *seq, size_t seq_len, - const u8 *key, size_t key_len, enum key_type key_type) + int key_idx, const u8 *seq, size_t seq_len, + const u8 *key, size_t key_len, int key_type) { if (hapd->driver == NULL || hapd->driver->set_key == NULL) return 0; return hapd->driver->set_key(ifname, hapd->drv_priv, alg, addr, - key_idx, set_tx, seq, seq_len, key, + key_idx, seq, seq_len, key, key_len, key_type); } diff --git a/src/ap/ap_drv_ops.h b/src/ap/ap_drv_ops.h index 2c3e8e0f0..47c9b89eb 100644 --- a/src/ap/ap_drv_ops.h +++ b/src/ap/ap_drv_ops.h @@ -88,9 +88,8 @@ int hostapd_driver_set_noa(struct hostapd_data *hapd, u8 count, int start, int hostapd_drv_set_key(const char *ifname, struct hostapd_data *hapd, enum wpa_alg alg, const u8 *addr, - int key_idx, int set_tx, - const u8 *seq, size_t seq_len, - const u8 *key, size_t key_len, enum key_type key_type); + int key_idx, const u8 *seq, size_t seq_len, + const u8 *key, size_t key_len, int key_type); int hostapd_drv_send_mlme(struct hostapd_data *hapd, const void *msg, size_t len, int noack); int hostapd_drv_send_mlme_csa(struct hostapd_data *hapd, diff --git a/src/ap/hostapd.c b/src/ap/hostapd.c index 3ac84cc14..5be410c7e 100644 --- a/src/ap/hostapd.c +++ b/src/ap/hostapd.c @@ -292,7 +292,7 @@ static void hostapd_broadcast_key_clear_iface(struct hostapd_data *hapd, if (!ifname || !hapd->drv_priv) return; for (i = 0; i < NUM_WEP_KEYS; i++) { - if (hostapd_drv_set_key(ifname, hapd, WPA_ALG_NONE, NULL, i, 0, + if (hostapd_drv_set_key(ifname, hapd, WPA_ALG_NONE, NULL, i, NULL, 0, NULL, 0, KEY_TYPE_BROADCAST)) { wpa_printf(MSG_DEBUG, "Failed to clear default " "encryption keys (ifname=%s keyidx=%d)", 
@@ -303,8 +303,8 @@ static void hostapd_broadcast_key_clear_iface(struct hostapd_data *hapd, if (hapd->conf->ieee80211w) { for (i = NUM_WEP_KEYS; i < NUM_WEP_KEYS + 2; i++) { if (hostapd_drv_set_key(ifname, hapd, WPA_ALG_NONE, - NULL, i, 0, NULL, 0, - NULL, 0, KEY_TYPE_BROADCAST)) { + NULL, i, NULL, 0, NULL, + 0, KEY_TYPE_BROADCAST)) { wpa_printf(MSG_DEBUG, "Failed to clear " "default mgmt encryption keys " "(ifname=%s keyidx=%d)", ifname, i); @@ -331,7 +331,7 @@ static int hostapd_broadcast_wep_set(struct hostapd_data *hapd) if (ssid->wep.default_len && hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, broadcast_ether_addr, idx, - 1, NULL, 0, ssid->wep.key[idx], + NULL, 0, ssid->wep.key[idx], ssid->wep.len[idx], KEY_TYPE_DEFAULT)) { wpa_printf(MSG_WARNING, "Could not set WEP encryption."); errors++; @@ -558,7 +558,7 @@ static int hostapd_setup_encryption(char *iface, struct hostapd_data *hapd) for (i = 0; i < 4; i++) { if (hapd->conf->ssid.wep.key[i] && hostapd_drv_set_key(iface, hapd, WPA_ALG_WEP, NULL, i, - i == hapd->conf->ssid.wep.idx, NULL, 0, + NULL, 0, hapd->conf->ssid.wep.key[i], hapd->conf->ssid.wep.len[i], i == hapd->conf->ssid.wep.idx ? diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c index bc2e50eeb..eeaecee07 100644 --- a/src/ap/ieee802_11.c +++ b/src/ap/ieee802_11.c @@ -4770,7 +4770,7 @@ static void hostapd_set_wds_encryption(struct hostapd_data *hapd, for (i = 0; i < 4; i++) { if (ssid->wep.key[i] && hostapd_drv_set_key(ifname_wds, hapd, WPA_ALG_WEP, NULL, i, - i == ssid->wep.idx, NULL, 0, + NULL, 0, ssid->wep.key[i], ssid->wep.len[i], i == ssid->wep.idx ? KEY_TYPE_DEFAULT : KEY_TYPE_BROADCAST)) { diff --git a/src/ap/ieee802_1x.c b/src/ap/ieee802_1x.c index 29e502e18..ba3ea1f7d 100644 --- a/src/ap/ieee802_1x.c +++ b/src/ap/ieee802_1x.c 
@@ -284,7 +284,7 @@ static void ieee802_1x_tx_key(struct hostapd_data *hapd, struct sta_info *sta) /* TODO: set encryption in TX callback, i.e., only after STA * has ACKed EAPOL-Key frame */ if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, - sta->addr, 0, 1, NULL, 0, ikey, + sta->addr, 0, NULL, 0, ikey, hapd->conf->individual_wep_key_len, KEY_TYPE_DEFAULT)) { wpa_printf(MSG_ERROR, "Could not set individual WEP " @@ -2169,7 +2169,7 @@ static void ieee802_1x_rekey(void *eloop_ctx, void *timeout_ctx) * after new broadcast key has been sent to all stations. */ if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, broadcast_ether_addr, - eapol->default_wep_key_idx, 1, NULL, 0, + eapol->default_wep_key_idx, NULL, 0, eapol->default_wep_key, hapd->conf->default_wep_key_len, KEY_TYPE_DEFAULT)) { @@ -2486,7 +2486,7 @@ int ieee802_1x_init(struct hostapd_data *hapd) if (hapd->conf->default_wep_key_len) { for (i = 0; i < 4; i++) hostapd_drv_set_key(hapd->conf->iface, hapd, - WPA_ALG_NONE, NULL, i, 0, NULL, 0, + WPA_ALG_NONE, NULL, i, NULL, 0, NULL, 0, KEY_TYPE_BROADCAST); ieee802_1x_rekey(hapd, NULL); diff --git a/src/ap/wpa_auth_glue.c b/src/ap/wpa_auth_glue.c index 0cc824863..dad1a8824 100644 --- a/src/ap/wpa_auth_glue.c +++ b/src/ap/wpa_auth_glue.c @@ -405,7 +405,7 @@ static int hostapd_wpa_auth_set_key(void *ctx, int vlan_id, enum wpa_alg alg, hapd->last_gtk_len = key_len; } #endif /* CONFIG_TESTING_OPTIONS */ - return hostapd_drv_set_key(ifname, hapd, alg, addr, idx, 1, NULL, 0, + return hostapd_drv_set_key(ifname, hapd, alg, addr, idx, NULL, 0, key, key_len, key_type); } diff --git a/src/drivers/driver.h b/src/drivers/driver.h index 20cd8d26b..25d607b1c 100644 --- a/src/drivers/driver.h +++ b/src/drivers/driver.h 
@@ -2280,8 +2280,6 @@ struct wpa_driver_ops { * specified key index is to be cleared * @key_idx: key index (0..3), usually 0 for unicast keys; 0..4095 for * IGTK - * @set_tx: configure this key as the default Tx key (only used when - * driver does not support separate unicast/individual key * @seq: sequence number/packet number, seq_len octets, the next * packet number to be used for in replay protection; configured * for Rx keys (in most cases, this is only used with broadcast @@ -2317,10 +2315,10 @@ struct wpa_driver_ops { * addr can be used to determine whether the key is default or * individual. If only 4 keys are supported, the default key with key * index 0 is used as the individual key. STA must be configured to use - * it as the default Tx key (set_tx is set) and accept Rx for all the - * key indexes. In most cases, WPA uses only key indexes 1 and 2 for - * broadcast keys, so key index 0 is available for this kind of - * configuration. + * it as the default Tx key (KEY_TYPE_DEFAULT is set) and accept Rx + * for all the key indexes. In most cases, WPA uses only key indexes 1 + * and 2 for broadcast keys, so key index 0 is available for this kind + * of configuration. * * Please note that TKIP keys include separate TX and RX MIC keys and * some drivers may expect them in different order than wpa_supplicant @@ -2331,7 +2329,7 @@ struct wpa_driver_ops { * example on how this can be done. */ int (*set_key)(const char *ifname, void *priv, enum wpa_alg alg, - const u8 *addr, int key_idx, int set_tx, + const u8 *addr, int key_idx, const u8 *seq, size_t seq_len, const u8 *key, size_t key_len, enum key_type key_type); diff --git a/src/drivers/driver_atheros.c b/src/drivers/driver_atheros.c index 0c87da6d0..3b02f8919 100644 --- a/src/drivers/driver_atheros.c +++ b/src/drivers/driver_atheros.c 
@@ -499,9 +499,8 @@ atheros_del_key(void *priv, const u8 *addr, int key_idx) static int atheros_set_key(const char *ifname, void *priv, enum wpa_alg alg, - const u8 *addr, int key_idx, int set_tx, const u8 *seq, - size_t seq_len, const u8 *key, size_t key_len, - enum key_type key_type) + const u8 *addr, int key_idx, const u8 *seq, + size_t seq_len, const u8 *key, size_t key_len, int key_type) { struct atheros_driver_data *drv = priv; struct ieee80211req_key wk; diff --git a/src/drivers/driver_bsd.c b/src/drivers/driver_bsd.c index 89e4508e7..447cf3384 100644 --- a/src/drivers/driver_bsd.c +++ b/src/drivers/driver_bsd.c @@ -332,9 +332,8 @@ bsd_ctrl_iface(void *priv, int enable) static int bsd_set_key(const char *ifname, void *priv, enum wpa_alg alg, - const unsigned char *addr, int key_idx, int set_tx, const u8 *seq, - size_t seq_len, const u8 *key, size_t key_len, - enum key_type key_type) + const unsigned char *addr, int key_idx, const u8 *seq, + size_t seq_len, const u8 *key, size_t key_len, int key_type) { struct ieee80211req_key wk; #ifdef IEEE80211_KEY_NOREPLAY diff --git a/src/drivers/driver_hostap.c b/src/drivers/driver_hostap.c index 454388fe7..627c6a090 100644 --- a/src/drivers/driver_hostap.c +++ b/src/drivers/driver_hostap.c @@ -397,8 +397,7 @@ static int hostapd_ioctl(void *priv, struct prism2_hostapd_param *param, static int wpa_driver_hostap_set_key(const char *ifname, void *priv, enum wpa_alg alg, const u8 *addr, - int key_idx, int set_tx, - const u8 *seq, size_t seq_len, + int key_idx, const u8 *seq, size_t seq_len, const u8 *key, size_t key_len, enum key_type key_type) { diff --git a/src/drivers/driver_ndis.c b/src/drivers/driver_ndis.c index 2963e1f51..c7f818b9d 100644 --- a/src/drivers/driver_ndis.c +++ b/src/drivers/driver_ndis.c 
@@ -931,9 +931,8 @@ static int wpa_driver_ndis_remove_key(struct wpa_driver_ndis_data *drv, static int wpa_driver_ndis_add_wep(struct wpa_driver_ndis_data *drv, - int pairwise, int key_idx, int set_tx, - const u8 *key, size_t key_len, - enum key_type key_type) + int pairwise, int key_idx, + const u8 *key, size_t key_len, int key_type) { NDIS_802_11_WEP *wep; size_t len; @@ -966,10 +965,8 @@ static int wpa_driver_ndis_add_wep(struct wpa_driver_ndis_data *drv, static int wpa_driver_ndis_set_key(const char *ifname, void *priv, enum wpa_alg alg, const u8 *addr, - int key_idx, int set_tx, - const u8 *seq, size_t seq_len, - const u8 *key, size_t key_len, - enum key_type key_type) + int key_idx, const u8 *seq, size_t seq_len, + const u8 *key, size_t key_len, int key_type) { struct wpa_driver_ndis_data *drv = priv; size_t len, i; @@ -994,8 +991,8 @@ static int wpa_driver_ndis_set_key(const char *ifname, void *priv, } if (alg == WPA_ALG_WEP) { - return wpa_driver_ndis_add_wep(drv, pairwise, key_idx, set_tx, - key, key_len, key_type); + return wpa_driver_ndis_add_wep(drv, pairwise, key_idx, key, + key_len, key_type); } len = 12 + 6 + 6 + 8 + key_len; diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c index de82fb79d..c8ee95ffa 100644 --- a/src/drivers/driver_nl80211.c +++ b/src/drivers/driver_nl80211.c @@ -3009,10 +3009,9 @@ static int nl80211_set_pmk(struct wpa_driver_nl80211_data *drv, static int wpa_driver_nl80211_set_key(const char *ifname, struct i802_bss *bss, enum wpa_alg alg, const u8 *addr, - int key_idx, int set_tx, - const u8 *seq, size_t seq_len, - const u8 *key, size_t key_len, - enum key_type key_type) + int key_idx, const u8 *seq, + size_t seq_len, const u8 *key, + size_t key_len, enum key_type key_type) { struct wpa_driver_nl80211_data *drv = bss->drv; int ifindex; 
@@ -3029,8 +3028,8 @@ static int wpa_driver_nl80211_set_key(const char *ifname, struct i802_bss *bss, ifindex = if_nametoindex(ifname); wpa_printf(MSG_DEBUG, "%s: ifindex=%d (%s) alg=%d addr=%p key_idx=%d " - "set_tx=%d seq_len=%lu key_len=%lu key_type=%d", - __func__, ifindex, ifname, alg, addr, key_idx, set_tx, + "seq_len=%lu key_len=%lu key_type=%d", + __func__, ifindex, ifname, alg, addr, key_idx, (unsigned long) seq_len, (unsigned long) key_len, key_type); #ifdef CONFIG_DRIVER_NL80211_QCA if (alg == WPA_ALG_PMK && @@ -3505,8 +3504,7 @@ retry: if (!params->wep_key[i]) continue; wpa_driver_nl80211_set_key(bss->ifname, bss, WPA_ALG_WEP, - NULL, i, - i == params->wep_tx_keyidx, NULL, 0, + NULL, i, NULL, 0, params->wep_key[i], params->wep_key_len[i], i == params->wep_tx_keyidx ? @@ -8668,15 +8666,13 @@ nl80211_tdls_disable_channel_switch(void *priv, const u8 *addr) static int driver_nl80211_set_key(const char *ifname, void *priv, enum wpa_alg alg, const u8 *addr, - int key_idx, int set_tx, - const u8 *seq, size_t seq_len, + int key_idx, const u8 *seq, size_t seq_len, const u8 *key, size_t key_len, enum key_type key_type) { struct i802_bss *bss = priv; return wpa_driver_nl80211_set_key(ifname, bss, alg, addr, key_idx, - set_tx, seq, seq_len, key, key_len, - key_type); + seq, seq_len, key, key_len, key_type); } diff --git a/src/drivers/driver_openbsd.c b/src/drivers/driver_openbsd.c index 0d975c4c5..32180b17d 100644 --- a/src/drivers/driver_openbsd.c +++ b/src/drivers/driver_openbsd.c 
@@ -70,9 +70,8 @@ wpa_driver_openbsd_get_capa(void *priv, struct wpa_driver_capa *capa) static int wpa_driver_openbsd_set_key(const char *ifname, void *priv, enum wpa_alg alg, - const unsigned char *addr, int key_idx, int set_tx, const u8 *seq, - size_t seq_len, const u8 *key, size_t key_len, - enum key_type key_type) + const unsigned char *addr, int key_idx, const u8 *seq, + size_t seq_len, const u8 *key, size_t key_len, int key_type) { struct openbsd_driver_data *drv = priv; struct ieee80211_keyavail keyavail; diff --git a/src/drivers/driver_privsep.c b/src/drivers/driver_privsep.c index b3d2ddae0..b404924ad 100644 --- a/src/drivers/driver_privsep.c +++ b/src/drivers/driver_privsep.c @@ -207,10 +207,9 @@ wpa_driver_privsep_get_scan_results2(void *priv) static int wpa_driver_privsep_set_key(const char *ifname, void *priv, enum wpa_alg alg, const u8 *addr, - int key_idx, int set_tx, - const u8 *seq, size_t seq_len, - const u8 *key, size_t key_len, - enum key_type key_type) + int key_idx, const u8 *seq, + size_t seq_len, const u8 *key, + size_t key_len, int key_type) { struct wpa_driver_privsep_data *drv = priv; struct privsep_cmd_set_key cmd; diff --git a/src/drivers/driver_wext.c b/src/drivers/driver_wext.c index 52e8e8d49..6ee9a7016 100644 --- a/src/drivers/driver_wext.c +++ b/src/drivers/driver_wext.c @@ -1710,8 +1710,7 @@ static int wpa_driver_wext_set_psk(struct wpa_driver_wext_data *drv, static int wpa_driver_wext_set_key_ext(void *priv, enum wpa_alg alg, const u8 *addr, int key_idx, - int set_tx, const u8 *seq, - size_t seq_len, + const u8 *seq, size_t seq_len, const u8 *key, size_t key_len, enum key_type key_type) { 
@@ -1812,8 +1811,6 @@ static int wpa_driver_wext_set_key_ext(void *priv, enum wpa_alg alg, * @addr: Address of the peer STA or ff:ff:ff:ff:ff:ff for * broadcast/default keys * @key_idx: key index (0..3), usually 0 for unicast keys - * @set_tx: Configure this key as the default Tx key (only used when - * driver does not support separate unicast/individual key * @seq: Sequence number/packet number, seq_len octets, the next * packet number to be used for in replay protection; configured * for Rx keys (in most cases, this is only used with broadcast @@ -1834,9 +1831,8 @@ static int wpa_driver_wext_set_key_ext(void *priv, enum wpa_alg alg, */ int wpa_driver_wext_set_key(const char *ifname, void *priv, enum wpa_alg alg, const u8 *addr, int key_idx, - int set_tx, const u8 *seq, size_t seq_len, - const u8 *key, size_t key_len, - enum key_type key_type) + const u8 *seq, size_t seq_len, const u8 *key, + size_t key_len, enum key_type key_type) { struct wpa_driver_wext_data *drv = priv; struct iwreq iwr; @@ -1847,8 +1843,8 @@ int wpa_driver_wext_set_key(const char *ifname, void *priv, enum wpa_alg alg, __FUNCTION__, alg, key_idx, key_type, (unsigned long) seq_len, (unsigned long) key_len); - ret = wpa_driver_wext_set_key_ext(drv, alg, addr, key_idx, set_tx, - seq, seq_len, key, key_len, key_type); + ret = wpa_driver_wext_set_key_ext(drv, alg, addr, key_idx, seq, + seq_len, key, key_len, key_type); if (ret == 0) return 0; diff --git a/src/drivers/driver_wext.h b/src/drivers/driver_wext.h index 7e2009079..1c65b30cc 100644 --- a/src/drivers/driver_wext.h +++ b/src/drivers/driver_wext.h 
@@ -54,9 +54,8 @@ int wpa_driver_wext_set_freq(void *priv, int freq); int wpa_driver_wext_set_mode(void *priv, int mode); int wpa_driver_wext_set_key(const char *ifname, void *priv, enum wpa_alg alg, const u8 *addr, int key_idx, - int set_tx, const u8 *seq, size_t seq_len, - const u8 *key, size_t key_len, - enum key_type key_type); + const u8 *seq, size_t seq_len, const u8 *key, + size_t key_len, enum key_type key_type); int wpa_driver_wext_scan(void *priv, struct wpa_driver_scan_params *params); struct wpa_scan_results * wpa_driver_wext_get_scan_results(void *priv); diff --git a/src/rsn_supp/tdls.c b/src/rsn_supp/tdls.c index 01d339290..46afcb634 100644 --- a/src/rsn_supp/tdls.c +++ b/src/rsn_supp/tdls.c @@ -178,7 +178,7 @@ static u8 * wpa_add_ie(u8 *pos, const u8 *ie, size_t ie_len) static int wpa_tdls_del_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) { if (wpa_sm_set_key(sm, WPA_ALG_NONE, peer->addr, - 0, 0, NULL, 0, NULL, 0, KEY_TYPE_PAIRWISE) < 0) { + 0, NULL, 0, NULL, 0, KEY_TYPE_PAIRWISE) < 0) { wpa_printf(MSG_WARNING, "TDLS: Failed to delete TPK-TK from " "the driver"); return -1; @@ -227,7 +227,7 @@ static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) wpa_printf(MSG_DEBUG, "TDLS: Configure pairwise key for peer " MACSTR, MAC2STR(peer->addr)); - if (wpa_sm_set_key(sm, alg, peer->addr, 0, 1, rsc, sizeof(rsc), + if (wpa_sm_set_key(sm, alg, peer->addr, 0, rsc, sizeof(rsc), peer->tpk.tk, key_len, KEY_TYPE_PAIRWISE) < 0) { wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the " "driver"); diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c index 49b63ba22..c3e6fe52e 100644 --- a/src/rsn_supp/wpa.c +++ b/src/rsn_supp/wpa.c 
@@ -881,7 +881,7 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm, wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, rsclen); } - if (wpa_sm_set_key(sm, alg, sm->bssid, sm->keyidx_active, 1, key_rsc, + if (wpa_sm_set_key(sm, alg, sm->bssid, sm->keyidx_active, key_rsc, rsclen, sm->ptk.tk, keylen, key_type) < 0) { wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: Failed to set PTK to the driver" @@ -910,7 +910,7 @@ static int wpa_supplicant_activate_ptk(struct wpa_sm *sm) sm->keyidx_active, MAC2STR(sm->bssid)); if (wpa_sm_set_key(sm, 0, sm->bssid, sm->keyidx_active, - 0, 0, 0, NULL, 0, KEY_TYPE_SET_TX) < 0) { + 0, 0, NULL, 0, KEY_TYPE_SET_TX) < 0) { wpa_msg(sm->ctx->msg_ctx, MSG_ERROR, "WPA: Failed to activate PTK for Tx (idx=%d bssid=" MACSTR ")", sm->keyidx_active, MAC2STR(sm->bssid)); @@ -991,7 +991,7 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm, } if (sm->pairwise_cipher == WPA_CIPHER_NONE) { if (wpa_sm_set_key(sm, gd->alg, NULL, - gd->keyidx, 1, key_rsc, gd->key_rsc_len, + gd->keyidx, key_rsc, gd->key_rsc_len, _gtk, gd->gtk_len, KEY_TYPE_BROADCAST) < 0) { wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: Failed to set GTK to the driver " @@ -1000,7 +1000,7 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm, return -1; } } else if (wpa_sm_set_key(sm, gd->alg, broadcast_ether_addr, - gd->keyidx, gd->tx, key_rsc, gd->key_rsc_len, + gd->keyidx, key_rsc, gd->key_rsc_len, _gtk, gd->gtk_len, gd->tx ? KEY_TYPE_DEFAULT : KEY_TYPE_BROADCAST) < 0) { @@ -1157,7 +1157,7 @@ static int wpa_supplicant_install_igtk(struct wpa_sm *sm, } if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher), broadcast_ether_addr, - keyidx, 0, igtk->pn, sizeof(igtk->pn), + keyidx, igtk->pn, sizeof(igtk->pn), igtk->igtk, len, KEY_TYPE_BROADCAST) < 0) { if (keyidx == 0x0400 || keyidx == 0x0500) { /* Assume the AP has broken PMF implementation since it 
@@ -4571,7 +4571,7 @@ int fils_process_assoc_resp(struct wpa_sm *sm, const u8 *resp, size_t len) rsclen = wpa_cipher_rsc_len(sm->pairwise_cipher); wpa_hexdump_key(MSG_DEBUG, "FILS: Set TK to driver", sm->ptk.tk, keylen); - if (wpa_sm_set_key(sm, alg, sm->bssid, sm->keyidx_active, 1, null_rsc, + if (wpa_sm_set_key(sm, alg, sm->bssid, sm->keyidx_active, null_rsc, rsclen, sm->ptk.tk, keylen, KEY_TYPE_PAIRWISE) < 0) { wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "FILS: Failed to set PTK to the driver (alg=%d keylen=%d bssid=" diff --git a/src/rsn_supp/wpa.h b/src/rsn_supp/wpa.h index 65ca6262e..119993f4b 100644 --- a/src/rsn_supp/wpa.h +++ b/src/rsn_supp/wpa.h @@ -28,7 +28,7 @@ struct wpa_sm_ctx { enum wpa_states (*get_state)(void *ctx); void (*deauthenticate)(void * ctx, u16 reason_code); int (*set_key)(void *ctx, enum wpa_alg alg, - const u8 *addr, int key_idx, int set_tx, + const u8 *addr, int key_idx, const u8 *seq, size_t seq_len, const u8 *key, size_t key_len, enum key_type key_type); void * (*get_network_ctx)(void *ctx); diff --git a/src/rsn_supp/wpa_ft.c b/src/rsn_supp/wpa_ft.c index 4aa862748..4611886f8 100644 --- a/src/rsn_supp/wpa_ft.c +++ b/src/rsn_supp/wpa_ft.c @@ -413,7 +413,7 @@ static int wpa_ft_install_ptk(struct wpa_sm *sm, const u8 *bssid) alg = wpa_cipher_to_alg(sm->pairwise_cipher); keylen = wpa_cipher_key_len(sm->pairwise_cipher); - if (wpa_sm_set_key(sm, alg, bssid, sm->keyidx_active, 1, null_rsc, + if (wpa_sm_set_key(sm, alg, bssid, sm->keyidx_active, null_rsc, sizeof(null_rsc), (u8 *) sm->ptk.tk, keylen, KEY_TYPE_PAIRWISE) < 0) { wpa_printf(MSG_WARNING, "FT: Failed to set PTK to the driver"); 
@@ -766,7 +766,7 @@ static int wpa_ft_process_gtk_subelem(struct wpa_sm *sm, const u8 *gtk_elem, os_memcpy(gtk + 16, gtk + 24, 8); os_memcpy(gtk + 24, tmp, 8); } - if (wpa_sm_set_key(sm, alg, broadcast_ether_addr, keyidx, 0, + if (wpa_sm_set_key(sm, alg, broadcast_ether_addr, keyidx, gtk_elem + 3, rsc_len, gtk, keylen, KEY_TYPE_BROADCAST) < 0) { wpa_printf(MSG_WARNING, "WPA: Failed to set GTK to the " @@ -835,7 +835,7 @@ static int wpa_ft_process_igtk_subelem(struct wpa_sm *sm, const u8 *igtk_elem, wpa_hexdump_key(MSG_DEBUG, "FT: IGTK from Reassoc Resp", igtk, igtk_len); if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher), - broadcast_ether_addr, keyidx, 0, + broadcast_ether_addr, keyidx, igtk_elem + 2, 6, igtk, igtk_len, KEY_TYPE_BROADCAST) < 0) { wpa_printf(MSG_WARNING, "WPA: Failed to set IGTK to the " diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h index eee9570ba..c0549af0c 100644 --- a/src/rsn_supp/wpa_i.h +++ b/src/rsn_supp/wpa_i.h @@ -198,13 +198,13 @@ static inline void wpa_sm_deauthenticate(struct wpa_sm *sm, u16 reason_code) } static inline int wpa_sm_set_key(struct wpa_sm *sm, enum wpa_alg alg, - const u8 *addr, int key_idx, int set_tx, + const u8 *addr, int key_idx, const u8 *seq, size_t seq_len, const u8 *key, size_t key_len, enum key_type key_type) { WPA_ASSERT(sm->ctx->set_key); - return sm->ctx->set_key(sm->ctx->ctx, alg, addr, key_idx, set_tx, + return sm->ctx->set_key(sm->ctx->ctx, alg, addr, key_idx, seq, seq_len, key, key_len, key_type); } diff --git a/tests/hwsim/test_ap_ciphers.py b/tests/hwsim/test_ap_ciphers.py index a6ba27d99..d1c3de46c 100644 --- a/tests/hwsim/test_ap_ciphers.py +++ b/tests/hwsim/test_ap_ciphers.py 
@@ -862,7 +862,7 @@ def test_ap_wpa2_delayed_m1_m3_zero_tk(dev, apdev): if "OK" not in hapd.request("RESEND_M3 " + addr): raise Exception("RESEND_M3 failed") - if "OK" not in hapd.request("SET_KEY 3 %s %d %d %s %s %d" % (addr, 0, 1, 6*"00", 16*"00", 2)): + if "OK" not in hapd.request("SET_KEY 3 %s %d %s %s %d" % (addr, 0, 6*"00", 16*"00", 2)): raise Exception("SET_KEY failed") time.sleep(0.1) hwsim_utils.test_connectivity(dev[0], hapd, timeout=1, broadcast=False, diff --git a/wpa_supplicant/ctrl_iface.c b/wpa_supplicant/ctrl_iface.c index e5f7246d1..8bf8897c0 100644 --- a/wpa_supplicant/ctrl_iface.c +++ b/wpa_supplicant/ctrl_iface.c 
@@ -5237,25 +5237,25 @@ static void wpa_supplicant_ctrl_iface_drop_sa(struct wpa_supplicant *wpa_s) { wpa_printf(MSG_DEBUG, "Dropping SA without deauthentication"); /* MLME-DELETEKEYS.request */ - wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 0, 0, NULL, 0, NULL, + wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 0, NULL, 0, NULL, 0, KEY_TYPE_BROADCAST); - wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 1, 0, NULL, 0, NULL, + wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 1, NULL, 0, NULL, 0, KEY_TYPE_BROADCAST); - wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 2, 0, NULL, 0, NULL, + wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 2, NULL, 0, NULL, 0, KEY_TYPE_BROADCAST); - wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 3, 0, NULL, 0, NULL, + wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 3, NULL, 0, NULL, 0, KEY_TYPE_BROADCAST); #ifdef CONFIG_IEEE80211W - wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 4, 0, NULL, 0, NULL, + wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 4, NULL, 0, NULL, 0, KEY_TYPE_BROADCAST); - wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 5, 0, NULL, 0, NULL, + wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 5, NULL, 0, NULL, 0, KEY_TYPE_BROADCAST); #endif /* CONFIG_IEEE80211W */ - wpa_drv_set_key(wpa_s, WPA_ALG_NONE, wpa_s->bssid, 0, 0, NULL, 0, NULL, + wpa_drv_set_key(wpa_s, WPA_ALG_NONE, wpa_s->bssid, 0, NULL, 0, NULL, 0, KEY_TYPE_PAIRWISE); if (wpa_sm_extended_key_id(wpa_s->wpa)) - wpa_drv_set_key(wpa_s, WPA_ALG_NONE, wpa_s->bssid, 1, 0, NULL, + wpa_drv_set_key(wpa_s, WPA_ALG_NONE, wpa_s->bssid, 1, NULL, 0, NULL, 0, KEY_TYPE_PAIRWISE); /* MLME-SETPROTECTION.request(None) */ wpa_drv_mlme_setprotection(wpa_s, wpa_s->bssid, 
@@ -9235,13 +9235,13 @@ static int wpas_ctrl_reset_pn(struct wpa_supplicant *wpa_s) /* First, use a zero key to avoid any possible duplicate key avoidance * in the driver. */ if (wpa_drv_set_key(wpa_s, wpa_s->last_tk_alg, wpa_s->last_tk_addr, - wpa_s->last_tk_key_idx, 1, zero, 6, + wpa_s->last_tk_key_idx, zero, 6, zero, wpa_s->last_tk_len, KEY_TYPE_PAIRWISE) < 0) return -1; /* Set the previously configured key to reset its TSC/RSC */ return wpa_drv_set_key(wpa_s, wpa_s->last_tk_alg, wpa_s->last_tk_addr, - wpa_s->last_tk_key_idx, 1, zero, 6, + wpa_s->last_tk_key_idx, zero, 6, wpa_s->last_tk, wpa_s->last_tk_len, KEY_TYPE_PAIRWISE); } diff --git a/wpa_supplicant/driver_i.h b/wpa_supplicant/driver_i.h index a63566b7f..287b1524f 100644 --- a/wpa_supplicant/driver_i.h +++ b/wpa_supplicant/driver_i.h @@ -150,10 +150,8 @@ static inline int wpa_drv_get_ssid(struct wpa_supplicant *wpa_s, u8 *ssid) static inline int wpa_drv_set_key(struct wpa_supplicant *wpa_s, enum wpa_alg alg, const u8 *addr, - int key_idx, int set_tx, - const u8 *seq, size_t seq_len, - const u8 *key, size_t key_len, - enum key_type key_type) + int key_idx, const u8 *seq, size_t seq_len, + const u8 *key, size_t key_len, int key_type) { if (alg != WPA_ALG_NONE) { if (key_idx == 1 && @@ -172,9 +170,8 @@ static inline int wpa_drv_set_key(struct wpa_supplicant *wpa_s, } if (wpa_s->driver->set_key) { return wpa_s->driver->set_key(wpa_s->ifname, wpa_s->drv_priv, - alg, addr, key_idx, set_tx, - seq, seq_len, key, key_len, - key_type); + alg, addr, key_idx, seq, seq_len, + key, key_len, key_type); } return -1; } diff --git a/wpa_supplicant/ibss_rsn.c b/wpa_supplicant/ibss_rsn.c index 0625ddeb4..2c236851e 100644 --- a/wpa_supplicant/ibss_rsn.c +++ b/wpa_supplicant/ibss_rsn.c 
@@ -137,15 +137,15 @@ static void ibss_check_rsn_completed(struct ibss_rsn_peer *peer) static int supp_set_key(void *ctx, enum wpa_alg alg, - const u8 *addr, int key_idx, int set_tx, + const u8 *addr, int key_idx, const u8 *seq, size_t seq_len, const u8 *key, size_t key_len, enum key_type key_type) { struct ibss_rsn_peer *peer = ctx; wpa_printf(MSG_DEBUG, "SUPP: %s(alg=%d addr=" MACSTR " key_idx=%d " - "set_tx=%d)", - __func__, alg, MAC2STR(addr), key_idx, set_tx); + "key_type=%d)", + __func__, alg, MAC2STR(addr), key_idx, key_type); wpa_hexdump(MSG_DEBUG, "SUPP: set_key - seq", seq, seq_len); wpa_hexdump_key(MSG_DEBUG, "SUPP: set_key - key", key, key_len); @@ -166,7 +166,7 @@ static int supp_set_key(void *ctx, enum wpa_alg alg, if (is_broadcast_ether_addr(addr)) addr = peer->addr; return wpa_drv_set_key(peer->ibss_rsn->wpa_s, alg, addr, key_idx, - set_tx, seq, seq_len, key, key_len, key_type); + seq, seq_len, key, key_len, key_type); } @@ -335,7 +335,7 @@ static int auth_set_key(void *ctx, int vlan_id, enum wpa_alg alg, } return wpa_drv_set_key(ibss_rsn->wpa_s, alg, addr, idx, - 1, seq, 6, key, key_len, key_type); + seq, 6, key, key_len, key_type); } @@ -851,7 +851,7 @@ static void ibss_rsn_handle_auth_1_of_2(struct ibss_rsn *ibss_rsn, * still have a pairwise key configured. */ wpa_printf(MSG_DEBUG, "RSN: Clear pairwise key for peer " MACSTR, MAC2STR(addr)); - wpa_drv_set_key(ibss_rsn->wpa_s, WPA_ALG_NONE, addr, 0, 0, + wpa_drv_set_key(ibss_rsn->wpa_s, WPA_ALG_NONE, addr, 0, NULL, 0, NULL, 0, KEY_TYPE_PAIRWISE); } diff --git a/wpa_supplicant/mesh_mpm.c b/wpa_supplicant/mesh_mpm.c index 8664147ac..6efbd34e4 100644 --- a/wpa_supplicant/mesh_mpm.c +++ b/wpa_supplicant/mesh_mpm.c 
@@ -875,7 +875,7 @@ static void mesh_mpm_plink_estab(struct wpa_supplicant *wpa_s, if (conf->security & MESH_CONF_SEC_AMPE) { wpa_hexdump_key(MSG_DEBUG, "mesh: MTK", sta->mtk, sta->mtk_len); wpa_drv_set_key(wpa_s, wpa_cipher_to_alg(conf->pairwise_cipher), - sta->addr, 0, 0, seq, sizeof(seq), + sta->addr, 0, seq, sizeof(seq), sta->mtk, sta->mtk_len, KEY_TYPE_PAIRWISE); wpa_hexdump_key(MSG_DEBUG, "mesh: RX MGTK Key RSC", @@ -883,7 +883,7 @@ static void mesh_mpm_plink_estab(struct wpa_supplicant *wpa_s, wpa_hexdump_key(MSG_DEBUG, "mesh: RX MGTK", sta->mgtk, sta->mgtk_len); wpa_drv_set_key(wpa_s, wpa_cipher_to_alg(conf->group_cipher), - sta->addr, sta->mgtk_key_id, 0, + sta->addr, sta->mgtk_key_id, sta->mgtk_rsc, sizeof(sta->mgtk_rsc), sta->mgtk, sta->mgtk_len, KEY_TYPE_BROADCAST); @@ -895,7 +895,7 @@ static void mesh_mpm_plink_estab(struct wpa_supplicant *wpa_s, wpa_drv_set_key( wpa_s, wpa_cipher_to_alg(conf->mgmt_group_cipher), - sta->addr, sta->igtk_key_id, 0, + sta->addr, sta->igtk_key_id, sta->igtk_rsc, sizeof(sta->igtk_rsc), sta->igtk, sta->igtk_len, KEY_TYPE_BROADCAST); } diff --git a/wpa_supplicant/mesh_rsn.c b/wpa_supplicant/mesh_rsn.c index e670e259b..774b7bd6f 100644 --- a/wpa_supplicant/mesh_rsn.c +++ b/wpa_supplicant/mesh_rsn.c @@ -119,7 +119,7 @@ static int auth_set_key(void *ctx, int vlan_id, enum wpa_alg alg, wpa_hexdump_key(MSG_DEBUG, "AUTH: set_key - key", key, key_len); return wpa_drv_set_key(mesh_rsn->wpa_s, alg, addr, idx, - 1, seq, 6, key, key_len, key_type); + seq, 6, key, key_len, key_type); } @@ -199,8 +199,8 @@ static int __mesh_rsn_auth_init(struct mesh_rsn *rsn, const u8 *addr, rsn->igtk, rsn->igtk_len); wpa_drv_set_key(rsn->wpa_s, wpa_cipher_to_alg(rsn->mgmt_group_cipher), NULL, - rsn->igtk_key_id, 1, - seq, sizeof(seq), rsn->igtk, rsn->igtk_len, + rsn->igtk_key_id, seq, sizeof(seq), + rsn->igtk, rsn->igtk_len, KEY_TYPE_BROADCAST); } #endif /* CONFIG_IEEE80211W */ 
@@ -209,7 +209,7 @@ static int __mesh_rsn_auth_init(struct mesh_rsn *rsn, const u8 *addr, wpa_hexdump_key(MSG_DEBUG, "mesh: Own TX MGTK", rsn->mgtk, rsn->mgtk_len); wpa_drv_set_key(rsn->wpa_s, wpa_cipher_to_alg(rsn->group_cipher), NULL, - rsn->mgtk_key_id, 1, seq, sizeof(seq), + rsn->mgtk_key_id, seq, sizeof(seq), rsn->mgtk, rsn->mgtk_len, KEY_TYPE_BROADCAST); return 0; diff --git a/wpa_supplicant/preauth_test.c b/wpa_supplicant/preauth_test.c index 3f2da34e5..b0cc977e8 100644 --- a/wpa_supplicant/preauth_test.c +++ b/wpa_supplicant/preauth_test.c @@ -125,7 +125,7 @@ static int wpa_supplicant_get_bssid(void *wpa_s, u8 *bssid) static int wpa_supplicant_set_key(void *wpa_s, enum wpa_alg alg, - const u8 *addr, int key_idx, int set_tx, + const u8 *addr, int key_idx, const u8 *seq, size_t seq_len, const u8 *key, size_t key_len) { diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c index d2be5949c..563dc1cd1 100644 --- a/wpa_supplicant/wpa_supplicant.c +++ b/wpa_supplicant/wpa_supplicant.c @@ -141,7 +141,7 @@ int wpa_set_wep_keys(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid) set = 1; wpa_drv_set_key(wpa_s, WPA_ALG_WEP, NULL, - i, i == ssid->wep_tx_keyidx, NULL, 0, + i, NULL, 0, ssid->wep_key[i], ssid->wep_key_len[i], i == ssid->wep_tx_keyidx ? KEY_TYPE_DEFAULT : KEY_TYPE_BROADCAST); @@ -202,7 +202,7 @@ int wpa_supplicant_set_wpa_none_key(struct wpa_supplicant *wpa_s, /* TODO: should actually remember the previously used seq#, both for TX * and RX from each STA.. */ - ret = wpa_drv_set_key(wpa_s, alg, NULL, 0, 1, seq, 6, key, keylen, + ret = wpa_drv_set_key(wpa_s, alg, NULL, 0, seq, 6, key, keylen, KEY_TYPE_BROADCAST); os_memset(key, 0, sizeof(key)); return ret; 
@@ -708,17 +708,17 @@ void wpa_clear_keys(struct wpa_supplicant *wpa_s, const u8 *addr) for (i = 0; i < max; i++) { if (wpa_s->keys_cleared & BIT(i)) continue; - wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, i, 0, NULL, 0, + wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, i, NULL, 0, NULL, 0, KEY_TYPE_BROADCAST); } /* Pairwise key idx 1 for Extended Key ID is tracked with bit 6 */ if (~wpa_s->keys_cleared & (BIT(0) | BIT(6)) && addr && !is_zero_ether_addr(addr)) { if (!(wpa_s->keys_cleared & (BIT(0)))) - wpa_drv_set_key(wpa_s, WPA_ALG_NONE, addr, 0, 0, NULL, + wpa_drv_set_key(wpa_s, WPA_ALG_NONE, addr, 0, NULL, 0, NULL, 0, KEY_TYPE_PAIRWISE); if (!(wpa_s->keys_cleared & (BIT(6)))) - wpa_drv_set_key(wpa_s, WPA_ALG_NONE, addr, 1, 0, NULL, + wpa_drv_set_key(wpa_s, WPA_ALG_NONE, addr, 1, NULL, 0, NULL, 0, KEY_TYPE_PAIRWISE); /* MLME-SETPROTECTION.request(None) */ wpa_drv_mlme_setprotection( diff --git a/wpa_supplicant/wpas_glue.c b/wpa_supplicant/wpas_glue.c index 4b0665826..7b8254ff7 100644 --- a/wpa_supplicant/wpas_glue.c +++ b/wpa_supplicant/wpas_glue.c @@ -242,7 +242,7 @@ static int wpa_eapol_set_wep_key(void *ctx, int unicast, int keyidx, } return wpa_drv_set_key(wpa_s, WPA_ALG_WEP, unicast ? wpa_s->bssid : NULL, - keyidx, unicast, NULL, 0, key, keylen, + keyidx, NULL, 0, key, keylen, unicast ? KEY_TYPE_DEFAULT : KEY_TYPE_BROADCAST); } @@ -341,7 +341,7 @@ static void wpa_supplicant_eapol_cb(struct eapol_sm *eapol, wpa_hexdump_key(MSG_DEBUG, "RSN: Configure PMK for driver-based 4-way " "handshake", pmk, pmk_len); - if (wpa_drv_set_key(wpa_s, WPA_ALG_PMK, NULL, 0, 0, NULL, 0, pmk, + if (wpa_drv_set_key(wpa_s, WPA_ALG_PMK, NULL, 0, NULL, 0, pmk, pmk_len, KEY_TYPE_BROADCAST)) { wpa_printf(MSG_DEBUG, "Failed to set PMK to the driver"); } 
@@ -487,7 +487,7 @@ static int wpa_supplicant_get_bssid(void *ctx, u8 *bssid) static int wpa_supplicant_set_key(void *_wpa_s, enum wpa_alg alg, - const u8 *addr, int key_idx, int set_tx, + const u8 *addr, int key_idx, const u8 *seq, size_t seq_len, const u8 *key, size_t key_len, enum key_type key_type) @@ -515,7 +515,7 @@ static int wpa_supplicant_set_key(void *_wpa_s, enum wpa_alg alg, wpa_s->last_tk_len = key_len; } #endif /* CONFIG_TESTING_OPTIONS */ - return wpa_drv_set_key(wpa_s, alg, addr, key_idx, set_tx, seq, seq_len, + return wpa_drv_set_key(wpa_s, alg, addr, key_idx, seq, seq_len, key, key_len, key_type); } 
@@ -1159,7 +1159,7 @@ static int wpa_supplicant_key_mgmt_set_pmk(void *ctx, const u8 *pmk, if (wpa_s->conf->key_mgmt_offload && (wpa_s->drv_flags & WPA_DRIVER_FLAGS_KEY_MGMT_OFFLOAD)) - return wpa_drv_set_key(wpa_s, WPA_ALG_PMK, NULL, 0, 0, + return wpa_drv_set_key(wpa_s, WPA_ALG_PMK, NULL, 0, NULL, 0, pmk, pmk_len, 0); else return 0;
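Review bot: In the wpa_supplicant_install_gtk() hunk for the WPA_CIPHER_NONE branch (wpa.c @@ -991) the old call passed set_tx=1 but the new call still passes KEY_TYPE_BROADCAST, so the driver is no longer told that this group key is also the TX key; the else branch right below keeps that distinction with `gd->tx ? KEY_TYPE_DEFAULT : KEY_TYPE_BROADCAST`, and wpa_set_wep_keys() maps the TX key to KEY_TYPE_DEFAULT the same way. Either pass KEY_TYPE_DEFAULT here or state in the commit message why the TX flag is not needed when there is no pairwise key. The same question applies to the wpa_supplicant_set_wpa_none_key() hunk in wpa_supplicant.c, which also went from set_tx=1 to KEY_TYPE_BROADCAST.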
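Review bot: In the two __mesh_rsn_auth_init() hunks (mesh_rsn.c @@ -199 and @@ -209) the own TX IGTK and own TX MGTK were installed with set_tx=1 and are now installed with addr=NULL and KEY_TYPE_BROADCAST, the same key type the peer's RX MGTK/IGTK get in mesh_mpm_plink_estab(); with set_tx gone nothing distinguishes the local TX group keys from the RX keys any more. If the driver uses the TX flag to pick the default group key these should become KEY_TYPE_DEFAULT, otherwise the commit message should say why mesh does not need the distinction.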
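Review bot: In the driver_i.h hunk the wpa_drv_set_key() prototype changes its last parameter from `enum key_type key_type` to `int key_type`, while the driver op it forwards to (compare the wpa_driver_wext_set_key() prototype) and every caller touched by this patch keep the enum; that drops the type checking the enum gives and has nothing to do with removing set_tx. Keep `enum key_type key_type` here.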
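Review bot: In the wpa_supplicant_key_mgmt_set_pmk() hunk (wpas_glue.c @@ -1159) the call ends in `pmk, pmk_len, 0`, passing a bare 0 as key_type, whereas the other WPA_ALG_PMK call in the same file (wpa_supplicant_eapol_cb, @@ -341) passes KEY_TYPE_BROADCAST; both hand the PMK to the driver and should use the same named value. Using the enum constant here also removes the only reason for the int key_type change in driver_i.h.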
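Review bot: In the preauth_test.c hunk the wpa_supplicant_set_key() stub drops set_tx but its parameter list still ends with `const u8 *key, size_t key_len)` and has no `enum key_type key_type`, so it does not match the wpa_sm_ctx set_key callback as changed in wpa.h in this same patch (`..., const u8 *key, size_t key_len, enum key_type key_type)`). Add the key_type parameter while touching this prototype so the test build keeps matching the callback type.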
From patchwork Sat Aug 17 21:14:35 2019
X-Patchwork-Submitter: Alexander Wetzel
X-Patchwork-Id: 1148787
From: Alexander Wetzel
To: j@w1.fi
Subject: [PATCH v3 17/17] hostapd: Extended Key ID stress test
Date: Sat, 17 Aug 2019 23:14:35 +0200
Message-Id: <20190817211435.158335-18-alexander@wetzel-home.de>
X-Mailer: git-send-email 2.22.0
In-Reply-To: <20190817211435.158335-1-alexander@wetzel-home.de>
References: <20190817211435.158335-1-alexander@wetzel-home.de>
Cc: Alexander Wetzel, hostap@lists.infradead.org, luca@coelho.fi, johannes@sipsolutions.net

Change the default keyid to 1 for the first key install when using Extended Key ID. This is so far only a fail-early to highlight compatibility problems for the hostapd tests and in real environments: instead of connection problems after the first rekey, the initial connect will not work.
Signed-off-by: Alexander Wetzel
---
For now this has mainly two functions:

1) Guarantees that Extended Key ID can really be used at the initial connect. Many potential issues are linked to keyid 1 for the unicast key, so make sure this happens as soon as possible.

2) The existing tests will find many of these issues, even when not rekeying the connection.

I have some plans to extend that later: by e.g. starting an EAPOL group handshake directly after the connect we can verify keyid 1 transport to be really working. If that times out, hostapd could install the key also for keyid 0, disabling Extended Key ID support and allowing the broken STA to still connect to the AP.

This is mostly due to the fact that one of my devices (Samsung Galaxy Tab S3) sets the "Extended Key ID" capability flag when connecting to my patched AP. The AP therefore assumes the device can handle it. But when the AP switches the PTK to keyid 1 the device loses the connection. It looks like the device is just copying the capability (bit) from the AP. Chances are this affects more Samsung devices...

Now I'm not sure if we really want to deploy such a workaround. It's probably hard to get rid of, and just getting the broken devices fixed may be the better solution. Of course this workaround would be optional. I think we could set wpa_extended_key_id to 2 by default and allow the user to disable the workaround by setting it to 1.

Another option would be to simply drop the patch. After all, PTK rekeying is, based on all devices I could get my hands on, mostly broken. The chance to have an AP and a STA able to rekey really correctly under load is as of today really bad. (Maybe 20% success?) Therefore it looks like rekey is not used very often, and when we start with keyid 0 and never rekey it will also work for most users.

On the other hand I prefer a clean failure to something working on the brink of failure. So this patch series tries to make sure it fails as soon as possible.
src/ap/wpa_auth_ie.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/ap/wpa_auth_ie.c b/src/ap/wpa_auth_ie.c index 725c76056..3207990e5 100644 --- a/src/ap/wpa_auth_ie.c +++ b/src/ap/wpa_auth_ie.c @@ -553,6 +553,7 @@ int handle_extended_key_id(struct wpa_state_machine *sm, int capabilities) return -1; } else if (!sm->use_extended_key_id) { sm->use_extended_key_id = TRUE; + sm->keyidx_active = 1; } } else { if (sm->use_extended_key_id && sm->pairwise_set) {
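Review bot: This hunk switches every STA that advertises Extended Key ID to key ID 1 for its first PTK unconditionally, while the subject ("stress test") and the cover letter describe it as a fail-early measure and already name a device that sets the capability bit but drops the connection once the PTK moves to key ID 1. Failing the initial connect for such devices in every deployment is too strong for a default; suggest gating `sm->keyidx_active = 1;` behind a configuration or testing option (the cover letter's own wpa_extended_key_id=2 idea, or CONFIG_TESTING_OPTIONS) so that the default stays key ID 0 and the hwsim tests opt in.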
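The cover letter above turns on what the STA and the AP advertise in the RSN Capabilities field of their RSNE, which is what handle_extended_key_id() receives as `capabilities`. The following is an added example, written for this thread and not code from hostapd or from the patch author: it parses the RSNE from a beacon and from a (re)association request and reports whether Extended Key ID would be negotiated. It assumes the bit position from IEEE 802.11-2016 (bit 13 of RSN Capabilities, which hostapd names WPA_CAPABILITY_EXT_KEY_ID_FOR_UNICAST); the sample elements are constructed inline, not captured from any device.

```python
"""Decode the RSN Capabilities field of an RSNE and report Extended Key ID support.

Added example for this thread, not hostapd code. The bit positions below are
taken from IEEE 802.11-2016 (assumed here, they are not stated in the patch).
"""
import struct

RSNE_ID = 48                 # Element ID of the RSN element
MFPC_BIT = 1 << 7            # Management Frame Protection Capable
EXT_KEY_ID_BIT = 1 << 13     # Extended Key ID for Individually Addressed Frames

OUI_IEEE = bytes([0x00, 0x0F, 0xAC])
CCMP_128 = OUI_IEEE + bytes([4])   # cipher suite 00-0F-AC:4
AKM_PSK = OUI_IEEE + bytes([2])    # AKM suite 00-0F-AC:2


def parse_rsne(ie: bytes) -> dict:
    """Parse an RSN element (ID, length, body) into its fields.

    Everything after the version is optional in the standard, so a short
    element is legal: rsn_capabilities is None when the element ends before
    that field (such a STA cannot be advertising Extended Key ID).
    """
    if len(ie) < 2 or ie[0] != RSNE_ID:
        raise ValueError("not an RSN element")
    body = ie[2:2 + ie[1]]
    if len(body) != ie[1] or len(body) < 2:
        raise ValueError("truncated RSN element")
    out = {"version": struct.unpack_from("<H", body, 0)[0],
           "group": None, "pairwise": [], "akm": [], "rsn_capabilities": None}
    pos = 2
    if pos + 4 > len(body):
        return out
    out["group"] = body[pos:pos + 4]
    pos += 4
    for field in ("pairwise", "akm"):
        if pos + 2 > len(body):
            return out
        count = struct.unpack_from("<H", body, pos)[0]
        pos += 2
        if pos + 4 * count > len(body):
            raise ValueError(f"{field} suite count runs past the element")
        out[field] = [body[pos + 4 * i:pos + 4 * i + 4] for i in range(count)]
        pos += 4 * count
    if pos + 2 > len(body):
        return out
    out["rsn_capabilities"] = struct.unpack_from("<H", body, pos)[0]
    return out


def ext_key_id_advertised(ie: bytes) -> bool:
    """True if the element's RSN Capabilities field has bit 13 set."""
    caps = parse_rsne(ie)["rsn_capabilities"]
    return caps is not None and bool(caps & EXT_KEY_ID_BIT)


def ext_key_id_negotiated(ap_ie: bytes, sta_ie: bytes) -> bool:
    """Extended Key ID is used only when both the AP (beacon / probe response)
    and the STA ((re)association request) advertise it."""
    return ext_key_id_advertised(ap_ie) and ext_key_id_advertised(sta_ie)


def build_rsne(group: bytes, pairwise: list, akm: list, caps: int) -> bytes:
    """Build a version 1 RSNE with a capabilities field; used for the samples."""
    body = struct.pack("<H", 1) + group
    body += struct.pack("<H", len(pairwise)) + b"".join(pairwise)
    body += struct.pack("<H", len(akm)) + b"".join(akm)
    body += struct.pack("<H", caps)
    return bytes([RSNE_ID, len(body)]) + body


# Constructed samples (no real capture): an AP advertising MFP and Extended
# Key ID, a STA that mirrors the AP's capabilities, a STA without Extended
# Key ID, and a minimal RSNE that stops after the version field.
AP_RSNE = build_rsne(CCMP_128, [CCMP_128], [AKM_PSK], MFPC_BIT | EXT_KEY_ID_BIT)
STA_RSNE_EXT = build_rsne(CCMP_128, [CCMP_128], [AKM_PSK], MFPC_BIT | EXT_KEY_ID_BIT)
STA_RSNE_LEGACY = build_rsne(CCMP_128, [CCMP_128], [AKM_PSK], MFPC_BIT)
STA_RSNE_MINIMAL = bytes([RSNE_ID, 2, 1, 0])


if __name__ == "__main__":
    for name, sta in (("mirroring STA", STA_RSNE_EXT),
                      ("legacy STA", STA_RSNE_LEGACY),
                      ("minimal RSNE", STA_RSNE_MINIMAL)):
        print(f"{name}: Extended Key ID negotiated = "
              f"{ext_key_id_negotiated(AP_RSNE, sta)}")
```

Feed it the RSNE from a beacon and the one from the STA's (re)association request, for example pulled from a capture; a STA whose capabilities field is a byte-for-byte copy of the AP's, bit 13 included, is the pattern the cover letter suspects, and this is the input on which the AP side decides to move the PTK to key ID 1.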