From patchwork Sat Aug 24 16:04:50 2019
X-Patchwork-Submitter: Alexander Wetzel
X-Patchwork-Id: 1152693
From: Alexander Wetzel
To: j@w1.fi
Subject: [PATCH v4 01/16] nl80211: Migrate to current netlink key message format
Date: Sat, 24 Aug 2019 18:04:50 +0200
Message-Id: <20190824160505.5548-2-alexander@wetzel-home.de>
In-Reply-To: <20190824160505.5548-1-alexander@wetzel-home.de>
References: <20190824160505.5548-1-alexander@wetzel-home.de>
Cc: Alexander Wetzel, hostap@lists.infradead.org, luca@coelho.fi, johannes@sipsolutions.net

Linux 2.6.32 (December 2009) introduced an alternate netlink message format for setting and installing keys, deprecating the older one. To allow hostapd/wpa_supplicant to use new features only provided via the new format, this patch migrates all key netlink messages for key installs to the new format.

Since some parts of the nl80211 driver already use the new format, this should not change the minimal kernel requirement and only unify the netlink API usage.

The following netlink attributes have been dropped for key install functions:

NL80211_ATTR_KEY_DATA
NL80211_ATTR_KEY_TYPE
NL80211_ATTR_KEY_SEQ
NL80211_ATTR_KEY_IDX
NL80211_ATTR_KEY_CIPHER
NL80211_ATTR_KEY_DEFAULT
NL80211_ATTR_KEY_DEFAULT_MGMT
NL80211_ATTR_KEY_DEFAULT_TYPES

and replaced by the following attributes nested in NL80211_ATTR_KEY:

NL80211_KEY_DATA
NL80211_KEY_TYPE
NL80211_KEY_SEQ
NL80211_KEY_IDX
NL80211_KEY_CIPHER
NL80211_KEY_DEFAULT
NL80211_KEY_DEFAULT_MGMT
NL80211_KEY_DEFAULT_TYPES

When getting Michael MIC failure notifications or querying a key sequence number, the kernel continues to use the old attributes:

NL80211_ATTR_KEY_TYPE
NL80211_ATTR_KEY_SEQ
NL80211_ATTR_KEY_IDX

Signed-off-by: Alexander Wetzel
---
There is not much to add to the commit log; most of it is straightforward. But I tried to keep the existing logic and therefore start an additional key netlink message which is only merged into the main one prior to sending the message. This allows filling in the information with the existing logic and avoids restructuring everything to be able to use nla_nest_start().

 src/drivers/driver_nl80211.c | 71 +++++++++++++++++++++++-------------
 1 file changed, 45 insertions(+), 26 deletions(-)
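The attribute layout the commit message describes, as an added example that is not part of the patch or of hostap: a minimal netlink TLV encoder builds the key part the new way (a separate key_msg nested under NL80211_ATTR_KEY, as the patched set_key() does) and the legacy flat way, and a validating parser accepts only the nested form and rejects a truncated message. The attribute numbers are copied from linux/nl80211.h; the put_*/parse_key helpers, the struct buf type and the sample TK are constructed for this example.

```c
#include <stdint.h>
#include <string.h>

/* Attribute numbers copied from linux/nl80211.h so the example is self-contained:
 * NL80211_ATTR_KEY_* is the flat legacy form, NL80211_KEY_* the set nested in NL80211_ATTR_KEY. */
enum { NL80211_ATTR_KEY_DATA = 7, NL80211_ATTR_KEY_IDX = 8, NL80211_ATTR_KEY_CIPHER = 9,
       NL80211_ATTR_KEY = 80 };
enum { NL80211_KEY_DATA = 1, NL80211_KEY_IDX = 2, NL80211_KEY_CIPHER = 3 };

/* Netlink TLV rules (linux/netlink.h): u16 length incl. header, u16 type, 4-byte padding. */
#define NLA_ALIGNTO 4u
#define NLA_ALIGN(n) (((n) + NLA_ALIGNTO - 1) & ~(NLA_ALIGNTO - 1))
#define NLA_HDRLEN 4u
#define NLA_F_NESTED (1u << 15)
#define NLA_TYPE_MASK 0x3fffu

struct buf { uint8_t data[256]; size_t len; };
static void wipe(volatile uint8_t *p, size_t n) { while (n--) *p++ = 0; } /* survives -O2 */

/* Append one attribute; -1 if it does not fit the buffer. */
static int put_attr(struct buf *b, unsigned type, const void *val, size_t vlen)
{
	size_t total = NLA_HDRLEN + vlen;
	if (total > 0xffff || b->len + NLA_ALIGN(total) > sizeof(b->data))
		return -1;
	uint16_t hdr[2] = { (uint16_t) total, (uint16_t) type };
	memcpy(b->data + b->len, hdr, sizeof(hdr));
	memcpy(b->data + b->len + NLA_HDRLEN, val, vlen);
	memset(b->data + b->len + total, 0, NLA_ALIGN(total) - total);   /* pad */
	b->len += NLA_ALIGN(total);
	return 0;
}
static int put_u8(struct buf *b, unsigned t, uint8_t v) { return put_attr(b, t, &v, 1); }
static int put_u32(struct buf *b, unsigned t, uint32_t v) { return put_attr(b, t, &v, 4); }

/* New form, built the way the patched set_key() does it: a separate key_msg that is
 * merged into the command under NL80211_ATTR_KEY at the very end (nla_put_nested()). */
static int build_new_key(struct buf *msg, const uint8_t *tk, size_t n, uint32_t suite, uint8_t idx)
{
	struct buf key_msg = { {0}, 0 };
	int err = put_attr(&key_msg, NL80211_KEY_DATA, tk, n) ||
		  put_u32(&key_msg, NL80211_KEY_CIPHER, suite) ||
		  put_u8(&key_msg, NL80211_KEY_IDX, idx) ||
		  put_attr(msg, NL80211_ATTR_KEY | NLA_F_NESTED, key_msg.data, key_msg.len);
	wipe((volatile uint8_t *) &key_msg, sizeof(key_msg)); /* scratch copy of the TK: clear it */
	return err ? -1 : 0;
}

/* Legacy form the patch retires: the same fields as top-level attributes. */
static int build_legacy_key(struct buf *m, const uint8_t *tk, size_t n, uint32_t suite, uint8_t idx)
{
	return (put_attr(m, NL80211_ATTR_KEY_DATA, tk, n) || put_u32(m, NL80211_ATTR_KEY_CIPHER, suite) ||
		put_u8(m, NL80211_ATTR_KEY_IDX, idx)) ? -1 : 0;
}

struct key_info { uint8_t idx; uint32_t cipher; size_t tk_len; unsigned seen; };

/* Walk one attribute stream with length validation; at the top level descend into
 * NL80211_ATTR_KEY, inside it collect idx, cipher and key length (seen bits 1/2/4). */
static int parse_key(const uint8_t *p, size_t len, struct key_info *ki, int nested)
{
	while (len >= NLA_HDRLEN) {
		uint16_t hdr[2]; memcpy(hdr, p, sizeof(hdr));
		size_t alen = hdr[0]; unsigned type = hdr[1] & NLA_TYPE_MASK;
		if (alen < NLA_HDRLEN || alen > len)
			return -1;                                   /* truncated or corrupt */
		const uint8_t *v = p + NLA_HDRLEN; size_t vlen = alen - NLA_HDRLEN;
		if (!nested && type == NL80211_ATTR_KEY)
			return parse_key(v, vlen, ki, 1);            /* descend into the nest */
		if (nested && type == NL80211_KEY_IDX && vlen == 1) { ki->idx = v[0]; ki->seen |= 1; }
		else if (nested && type == NL80211_KEY_CIPHER && vlen == 4) { memcpy(&ki->cipher, v, 4); ki->seen |= 2; }
		else if (nested && type == NL80211_KEY_DATA) { ki->tk_len = vlen; ki->seen |= 4; }
		alen = NLA_ALIGN(alen) > len ? len : NLA_ALIGN(alen);    /* last attr may be unpadded */
		p += alen, len -= alen;
	}
	return nested ? 0 : -1;   /* no NL80211_ATTR_KEY at the top level: not the new format */
}

/* Constructed sample: a 16-byte CCMP TK (suite 00-0F-AC:4) at keyidx 1. Returns 0 when the
 * nested message round-trips, a copy cut short by one byte is rejected, and the legacy
 * layout is recognised as lacking NL80211_ATTR_KEY. */
static int demo(void)
{
	static const uint8_t tk[16] = { 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
					0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f };
	struct buf msg = { {0}, 0 };
	struct key_info ki = { 0, 0, 0, 0 };
	if (build_new_key(&msg, tk, 16, 0x000FAC04u, 1) || parse_key(msg.data, msg.len, &ki, 0))
		return 1;
	if (ki.seen != 7 || ki.idx != 1 || ki.cipher != 0x000FAC04u || ki.tk_len != 16)
		return 2;
	if (parse_key(msg.data, msg.len - 1, &ki, 0) != -1)
		return 3;
	msg.len = 0;
	if (build_legacy_key(&msg, tk, 16, 0x000FAC04u, 1) || parse_key(msg.data, msg.len, &ki, 0) != -1)
		return 4;
	return 0;
}
```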
diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c index 7b31b52c7..2e3c9115c 100644 --- a/src/drivers/driver_nl80211.c +++ b/src/drivers/driver_nl80211.c @@ -3015,7 +3015,8 @@ static int wpa_driver_nl80211_set_key(const char *ifname, struct i802_bss *bss, { struct wpa_driver_nl80211_data *drv = bss->drv; int ifindex; - struct nl_msg *msg = NULL; + struct nl_msg *msg; + struct nl_msg *key_msg; int ret; int tdls = 0; @@ -3049,26 +3050,31 @@ static int wpa_driver_nl80211_set_key(const char *ifname, struct i802_bss *bss, (drv->capa.flags & WPA_DRIVER_FLAGS_4WAY_HANDSHAKE_8021X)) return nl80211_set_pmk(drv, key, key_len, addr); + key_msg = nlmsg_alloc(); + if (!key_msg) + return -ENOBUFS; + if (alg == WPA_ALG_NONE) { msg = nl80211_ifindex_msg(drv, ifindex, 0, NL80211_CMD_DEL_KEY); if (!msg) - return -ENOBUFS; + goto fail2; } else { u32 suite; suite = wpa_alg_to_cipher_suite(alg, key_len); if (!suite) - goto fail; + goto fail2; msg = nl80211_ifindex_msg(drv, ifindex, 0, NL80211_CMD_NEW_KEY); - if (!msg || - nla_put(msg, NL80211_ATTR_KEY_DATA, key_len, key) || - nla_put_u32(msg, NL80211_ATTR_KEY_CIPHER, suite)) + if (!msg) + goto fail2; + if (nla_put(key_msg, NL80211_KEY_DATA, key_len, key) || + nla_put_u32(key_msg, NL80211_KEY_CIPHER, suite)) goto fail; wpa_hexdump_key(MSG_DEBUG, "nl80211: KEY_DATA", key, key_len); } if (seq && seq_len) { - if (nla_put(msg, NL80211_ATTR_KEY_SEQ, seq_len, seq)) + if (nla_put(key_msg, NL80211_KEY_SEQ, seq_len, seq)) goto fail; wpa_hexdump(MSG_DEBUG, "nl80211: KEY_SEQ", seq, seq_len); } @@ -3080,7 +3086,7 @@ static int wpa_driver_nl80211_set_key(const char *ifname, struct i802_bss *bss, if (alg != WPA_ALG_WEP && key_idx && !set_tx) { wpa_printf(MSG_DEBUG, " RSN IBSS RX GTK"); - if (nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, + if (nla_put_u32(key_msg, NL80211_KEY_TYPE, NL80211_KEYTYPE_GROUP)) goto fail; } 
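Review bot: In the first hunk `struct nl_msg *msg;` drops the `= NULL` initializer the old code had, while the new `goto fail2` paths in the second hunk (`if (!suite) goto fail2;` and the `if (!msg) goto fail2;` checks) only work because `fail2:` never touches `msg`; since `fail:` falls through into `fail2:`, a future `goto fail` placed before `msg` is assigned would pass an uninitialized pointer to nl80211_nlmsg_clear() and nlmsg_free(). Suggest keeping `struct nl_msg *msg = NULL;` and initializing `key_msg` the same way so both labels stay safe to jump to from anywhere in the function.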
@@ -3089,13 +3095,14 @@ static int wpa_driver_nl80211_set_key(const char *ifname, struct i802_bss *bss, wpa_printf(MSG_DEBUG, " broadcast key"); - types = nla_nest_start(msg, NL80211_ATTR_KEY_DEFAULT_TYPES); + types = nla_nest_start(key_msg, NL80211_KEY_DEFAULT_TYPES); if (!types || - nla_put_flag(msg, NL80211_KEY_DEFAULT_TYPE_MULTICAST)) + nla_put_flag(key_msg, NL80211_KEY_DEFAULT_TYPE_MULTICAST)) goto fail; - nla_nest_end(msg, types); + nla_nest_end(key_msg, types); } - if (nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx)) + if (nla_put_u8(key_msg, NL80211_KEY_IDX, key_idx) || + nla_put_nested(msg, NL80211_ATTR_KEY, key_msg)) goto fail; ret = send_and_recv_msgs(drv, msg, NULL, key ? (void *) -1 : NULL); 
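Review bot: `nla_put_nested(msg, NL80211_ATTR_KEY, key_msg)` copies the nested attributes into `msg`, but nothing then clears or frees `key_msg`: send_and_recv_msgs() consumes only `msg`, and the next hunk allocates a fresh `key_msg` for NL80211_CMD_SET_KEY, so on the success path (and on the `return ret` that follows) the first `key_msg`, still holding a copy of the key material, is leaked uncleared. Suggest `nl80211_nlmsg_clear(key_msg); nlmsg_free(key_msg);` immediately after the nest succeeds and before send_and_recv_msgs(), so that `fail2:` and the second allocation never see the stale pointer.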
@@ -3115,34 +3122,43 @@ static int wpa_driver_nl80211_set_key(const char *ifname, struct i802_bss *bss, !is_broadcast_ether_addr(addr)) return ret; + key_msg = nlmsg_alloc(); + if (!key_msg) + return -ENOBUFS; + msg = nl80211_ifindex_msg(drv, ifindex, 0, NL80211_CMD_SET_KEY); - if (!msg || - nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx) || - nla_put_flag(msg, (alg == WPA_ALG_IGTK || - alg == WPA_ALG_BIP_GMAC_128 || - alg == WPA_ALG_BIP_GMAC_256 || - alg == WPA_ALG_BIP_CMAC_256) ? - NL80211_ATTR_KEY_DEFAULT_MGMT : - NL80211_ATTR_KEY_DEFAULT)) + if (!msg) + goto fail2; + if (!key_msg || + nla_put_u8(key_msg, NL80211_KEY_IDX, key_idx) || + nla_put_flag(key_msg, (alg == WPA_ALG_IGTK || + alg == WPA_ALG_BIP_GMAC_128 || + alg == WPA_ALG_BIP_GMAC_256 || + alg == WPA_ALG_BIP_CMAC_256) ? + NL80211_KEY_DEFAULT_MGMT : + NL80211_KEY_DEFAULT)) goto fail; if (addr && is_broadcast_ether_addr(addr)) { struct nlattr *types; - types = nla_nest_start(msg, NL80211_ATTR_KEY_DEFAULT_TYPES); + types = nla_nest_start(key_msg, NL80211_KEY_DEFAULT_TYPES); if (!types || - nla_put_flag(msg, NL80211_KEY_DEFAULT_TYPE_MULTICAST)) + nla_put_flag(key_msg, NL80211_KEY_DEFAULT_TYPE_MULTICAST)) goto fail; - nla_nest_end(msg, types); + nla_nest_end(key_msg, types); } else if (addr) { struct nlattr *types; - types = nla_nest_start(msg, NL80211_ATTR_KEY_DEFAULT_TYPES); + types = nla_nest_start(key_msg, NL80211_KEY_DEFAULT_TYPES); if (!types || - nla_put_flag(msg, NL80211_KEY_DEFAULT_TYPE_UNICAST)) + nla_put_flag(key_msg, NL80211_KEY_DEFAULT_TYPE_UNICAST)) goto fail; - nla_nest_end(msg, types); + nla_nest_end(key_msg, types); } + if (nla_put_nested(msg, NL80211_ATTR_KEY, key_msg)) + goto fail; + ret = send_and_recv_msgs(drv, msg, NULL, NULL); if (ret == -ENOENT) ret = 0; 
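Review bot: The `if (!key_msg ||` test at the top of the new condition is dead code, as `key_msg` was NULL-checked right after `nlmsg_alloc()` a few lines above; dr it so the SET_KEY path reads like the NEW_KEY path. The same lifetime gap as in the previous hunk applies here: after `nla_put_nested(msg, NL80211_ATTR_KEY, key_msg)` succeeds, `key_msg` is neither cleared nor freed before `send_and_recv_msgs(drv, msg, NULL, NULL)`, so every successful SET_KEY leaks it.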
@@ -3154,6 +3170,9 @@ static int wpa_driver_nl80211_set_key(const char *ifname, struct i802_bss *bss, fail: nl80211_nlmsg_clear(msg); nlmsg_free(msg); +fail2: + nl80211_nlmsg_clear(key_msg); + nlmsg_free(key_msg); return -ENOBUFS; }

From patchwork Sat Aug 24 16:04:51 2019
X-Patchwork-Submitter: Alexander Wetzel
X-Patchwork-Id: 1152692
From: Alexander Wetzel
To: j@w1.fi
Subject: [PATCH v4 02/16] Driver: Introduce key_types and Extended Key ID driver flag
Date: Sat, 24 Aug 2019 18:04:51 +0200
Message-Id: <20190824160505.5548-3-alexander@wetzel-home.de>
In-Reply-To: <20190824160505.5548-1-alexander@wetzel-home.de>
References: <20190824160505.5548-1-alexander@wetzel-home.de>
Cc: Alexander Wetzel, hostap@lists.infradead.org, luca@coelho.fi, johannes@sipsolutions.net

Add the new driver flag WPA_DRIVER_FLAGS_EXTENDED_KEY_ID and the key_types designated to replace and extend the use of the existing set_tx boolean in all set_key() functions. Both changes are required as foundation for the Extended Key ID support and later patches will build on it.

The new - so far unused - key_types are:

KEY_TYPE_BROADCAST
  To be set when installing a broadcast key which is not also a default key. (This basically replaces set_tx=0)

KEY_TYPE_DEFAULT
  To be set when installing a WEP or a group key without pairwise keys. Must not be used when pairwise keys are used. Never set when deleting a key. (This basically replaces set_tx=1)

KEY_TYPE_PAIRWISE
  Used to distinguish pairwise from broadcast keys. (This is needed since Extended Key ID can use keyidx=1 both as pairwise and group keys and we need an additional hint to distinguish between them.)

KEY_TYPE_NO_AUTO_TX
  To be set when installing a pairwise key which must not be used for Tx, yet. (New requirement for Extended Key ID support.)

KEY_TYPE_SET_TX
  To be set when activating Tx for a key already installed with KEY_TYPE_NO_AUTO_TX. (Also required for Extended Key ID support.)
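A model of the checks a driver could apply to the key_type contract listed above, added here as an example and not taken from the patch or from any hostap driver. The enum and the flag value are the patch's; the driver/STA state, drv_set_key_check(), its error codes and the ALG_* stand-ins are hypothetical, and the rule that a pairwise key may use keyidx 1 only with Extended Key ID is an assumption drawn from the keyidx=1 remark above.

```c
#include <stdbool.h>
#include <stddef.h>

/* enum key_type and the capability flag exactly as patch 02/16 adds them. */
enum key_type { KEY_TYPE_BROADCAST, KEY_TYPE_DEFAULT, KEY_TYPE_PAIRWISE,
		KEY_TYPE_NO_AUTO_TX, KEY_TYPE_SET_TX };
#define WPA_DRIVER_FLAGS_EXTENDED_KEY_ID 0x0400000000000000ULL

enum { ALG_NONE = 0, ALG_CCMP = 1 };   /* hypothetical stand-ins for enum wpa_alg */

struct sta_model {
	bool installed[2];    /* Extended Key ID lets a pairwise key sit at keyidx 0 or 1 */
	bool pending_tx[2];   /* installed with KEY_TYPE_NO_AUTO_TX, not yet the Tx key */
	int tx_idx;           /* pairwise key currently used for Tx, -1 if none */
};
struct drv_model { unsigned long long flags; struct sta_model sta; };   /* one STA suffices */

/* Hypothetical result codes of the check; 0 means the install is accepted. */
enum { E_NO_EXT_KEY_ID = -1, E_DEFAULT_WITH_PTK = -2, E_DEFAULT_ON_DELETE = -3,
       E_BAD_IDX = -4, E_NOT_PENDING = -5, E_SET_TX_ARGS = -6 };

/* What a driver's set_key() may verify against the key_type rules before touching hardware. */
static int drv_set_key_check(struct drv_model *d, int alg, int key_idx,
			     const void *key, size_t key_len, enum key_type kt)
{
	struct sta_model *s = &d->sta;
	bool ext = d->flags & WPA_DRIVER_FLAGS_EXTENDED_KEY_ID;
	bool pairwise_in_use = s->installed[0] || s->installed[1];

	if (kt != KEY_TYPE_BROADCAST && kt != KEY_TYPE_DEFAULT && key_idx != 0 && key_idx != 1)
		return E_BAD_IDX;
	switch (kt) {
	case KEY_TYPE_BROADCAST:               /* group key that is not the default key */
		return 0;
	case KEY_TYPE_DEFAULT:                 /* WEP or group-only setups */
		if (alg == ALG_NONE) return E_DEFAULT_ON_DELETE;   /* never set on delete */
		return pairwise_in_use ? E_DEFAULT_WITH_PTK : 0;
	case KEY_TYPE_PAIRWISE:                /* ordinary PTK: usable for Tx at once */
		if (key_idx == 1 && !ext) return E_NO_EXT_KEY_ID;  /* keyidx 1 needs Extended Key ID (assumed) */
		s->installed[key_idx] = alg != ALG_NONE;
		s->pending_tx[key_idx] = false;
		s->tx_idx = alg != ALG_NONE ? key_idx : (s->tx_idx == key_idx ? -1 : s->tx_idx);
		return 0;
	case KEY_TYPE_NO_AUTO_TX:              /* new PTK for Rx only, Tx stays on the old one */
		if (!ext) return E_NO_EXT_KEY_ID;
		s->installed[key_idx] = true;
		s->pending_tx[key_idx] = true;
		return 0;
	case KEY_TYPE_SET_TX:                  /* switch Tx to the key installed above */
		if (alg != ALG_NONE || key || key_len) return E_SET_TX_ARGS; /* only addr/key_idx */
		if (!s->pending_tx[key_idx]) return E_NOT_PENDING;
		s->pending_tx[key_idx] = false;
		s->tx_idx = key_idx;
		return 0;
	}
	return E_BAD_IDX;
}

/* The Extended Key ID rekey the series is built for: the new PTK goes in at the other
 * key index without touching Tx, then Tx is switched once the peer is ready. */
static int demo_ext_key_id_rekey(void)
{
	static const unsigned char tk[16] = { 0 };            /* constructed sample TK */
	struct drv_model d = { WPA_DRIVER_FLAGS_EXTENDED_KEY_ID, { {0}, {0}, -1 } };
	if (drv_set_key_check(&d, ALG_CCMP, 0, tk, sizeof(tk), KEY_TYPE_PAIRWISE)) return 1;
	if (d.sta.tx_idx != 0) return 2;
	if (drv_set_key_check(&d, ALG_CCMP, 1, tk, sizeof(tk), KEY_TYPE_NO_AUTO_TX)) return 3;
	if (d.sta.tx_idx != 0 || !d.sta.pending_tx[1]) return 4;   /* still sending with idx 0 */
	if (drv_set_key_check(&d, ALG_NONE, 1, NULL, 0, KEY_TYPE_SET_TX)) return 5;
	return d.sta.tx_idx == 1 && !d.sta.pending_tx[1] ? 0 : 6;
}

/* Each rule from the key_type description, violated once. */
static int demo_rejections(void)
{
	static const unsigned char tk[16] = { 0 };
	struct drv_model legacy = { 0, { {0}, {0}, -1 } };   /* no Extended Key ID support */
	struct drv_model d = { WPA_DRIVER_FLAGS_EXTENDED_KEY_ID, { {0}, {0}, -1 } };
	if (drv_set_key_check(&legacy, ALG_CCMP, 1, tk, 16, KEY_TYPE_NO_AUTO_TX) != E_NO_EXT_KEY_ID) return 1;
	if (drv_set_key_check(&d, ALG_CCMP, 0, tk, 16, KEY_TYPE_PAIRWISE)) return 2;
	if (drv_set_key_check(&d, ALG_CCMP, 1, tk, 16, KEY_TYPE_DEFAULT) != E_DEFAULT_WITH_PTK) return 3;
	if (drv_set_key_check(&d, ALG_NONE, 1, NULL, 0, KEY_TYPE_SET_TX) != E_NOT_PENDING) return 4;
	if (drv_set_key_check(&d, ALG_CCMP, 1, tk, 16, KEY_TYPE_SET_TX) != E_SET_TX_ARGS) return 5;
	if (drv_set_key_check(&d, ALG_NONE, 0, NULL, 0, KEY_TYPE_DEFAULT) != E_DEFAULT_ON_DELETE) return 6;
	return 0;
}
```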
Signed-off-by: Alexander Wetzel
---
This could be split up in more patches to clearly differentiate between "set_tx cleanup" and "Extended Key ID support". But then I think having the key_types all in one patch is simpler to follow and it looks silly to then just have a patch for adding WPA_DRIVER_FLAGS_EXTENDED_KEY_ID...

I started out using key_flags instead of an enum here. But after getting it working it turned out that there simply is no useful case where we would have to set more than one bit. If someone sees a better and less invasive way we can of course do that. (In the RFC version I morphed - incompletely - set_tx to key_flags but that was just a half-step. See https://patchwork.ozlabs.org/project/hostap/list/?series=75270)

 src/common/wpa_common.h | 8 ++++++++
 src/drivers/driver.h    | 19 +++++++++++++++++++
 2 files changed, 27 insertions(+)
diff --git a/src/common/wpa_common.h b/src/common/wpa_common.h index cb511ff0b..415104de9 100644 --- a/src/common/wpa_common.h +++ b/src/common/wpa_common.h @@ -203,6 +203,14 @@ struct wpa_eapol_key { #define FILS_ICK_MAX_LEN 48 #define FILS_FT_MAX_LEN 48 +enum key_type { + KEY_TYPE_BROADCAST, + KEY_TYPE_DEFAULT, + KEY_TYPE_PAIRWISE, + KEY_TYPE_NO_AUTO_TX, + KEY_TYPE_SET_TX, +}; + /** * struct wpa_ptk - WPA Pairwise Transient Key * IEEE Std 802.11i-2004 - 8.5.1.2 Pairwise key hierarchy diff --git a/src/drivers/driver.h b/src/drivers/driver.h index 2a8459ae3..b74c37f2c 100644 --- a/src/drivers/driver.h +++ b/src/drivers/driver.h @@ -1659,6 +1659,8 @@ struct wpa_driver_capa { #define WPA_DRIVER_FLAGS_FTM_RESPONDER 0x0100000000000000ULL /** Driver support 4-way handshake offload for WPA-Personal */ #define WPA_DRIVER_FLAGS_4WAY_HANDSHAKE_PSK 0x0200000000000000ULL +/** Driver supports Extended Key ID */ +#define WPA_DRIVER_FLAGS_EXTENDED_KEY_ID 0x0400000000000000ULL u64 flags; #define FULL_AP_CLIENT_STATE_SUPP(drv_flags) \
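Review bot: In the wpa_common.h hunk the first enumerator, `KEY_TYPE_BROADCAST`, has value 0, so every caller that passes a literal `0` for the new argument (as the next patch in this series does for pairwise, WEP and deleted keys alike) formally requests a broadcast-key install; consider adding an explicit zero entry meaning 'not specified' so the transitional `0` cannot be confused with a real KEY_TYPE_BROADCAST once drivers start acting on key_type.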
@@ -2290,6 +2292,23 @@ struct wpa_driver_ops { * 8-byte Rx Mic Key * @key_len: length of the key buffer in octets (WEP: 5 or 13, * TKIP: 32, CCMP/GCMP: 16, IGTK: 16) + * @key_type: Additional instructions for key install: + * %KEY_TYPE_BROADCAST: + * Key is a broadcast but no default key. + * %KEY_TYPE_DEFAULT: + * Key is the default key (not using pairwise keys, WEP or + * group key only.) Must not be used when pairwise keys are + * also in use. + * %KEY_TYPE_PAIRWISE: + * Normal pairwise key not requiring Extended Key ID actions. + * %KEY_TYPE_NO_AUTO_TX: + * Pairwise Key, but it must not be used for Tx, yet. + * Can only be used when the driver supports Extended Key ID. + * %KEY_TYPE_SET_TX: + * Key already installed with %KEY_TYPE_NO_AUTO_TX is selected as + * the pairwise Tx key for the STA. Only @ifname, @priv, @addr + * and @key_idx must be set and all other arguments have to be + * zero or NULL. * * Returns: 0 on success, -1 on failure *

From patchwork Sat Aug 24 16:04:52 2019
X-Patchwork-Submitter: Alexander Wetzel
X-Patchwork-Id: 1152698
From: Alexander Wetzel
To: j@w1.fi
Subject: [PATCH v4 03/16] Add new argument key_type to all set_key() functions
Date: Sat, 24 Aug 2019 18:04:52 +0200
Message-Id: <20190824160505.5548-4-alexander@wetzel-home.de>
In-Reply-To: <20190824160505.5548-1-alexander@wetzel-home.de>
References: <20190824160505.5548-1-alexander@wetzel-home.de>
Cc: Alexander Wetzel, hostap@lists.infradead.org, luca@coelho.fi, johannes@sipsolutions.net

This patch is not changing any functionality and just updates the internal hostapd/wpa_supplicant set_key() functions. It's adding an additional argument which will be used later to hand over the key_type information. This is designated to replace the functionality of set_tx and also be able to handle Extended Key ID.

The new key_type is always set to zero within this patch and only hostapd_ctrl_set_key() has some additional lines to read and store the new argument in the correct - still unused - variable.
Signed-off-by: Alexander Wetzel
---
Since set_key() functions are central I see no way to split it further. I made it as boring as possible and from a review point of view it should be next to irrelevant: The other patches are touching the interesting parts all again while the rest is simply passing through the key_type variable.

 hostapd/ctrl_iface.c                         | 37 ++++++++++++-------
 src/ap/ap_drv_ops.c                          |  4 +-
 src/ap/ap_drv_ops.h                          |  2 +-
 src/ap/hostapd.c                             |  8 ++--
 src/ap/ieee802_11.c                          |  3 +-
 src/ap/ieee802_1x.c                          |  7 ++--
 src/ap/wpa_auth.c                            | 16 ++++----
 src/ap/wpa_auth.h                            |  3 +-
 src/ap/wpa_auth_ft.c                         |  7 ++--
 src/ap/wpa_auth_glue.c                       |  4 +-
 src/crypto/crypto_libtomcrypt.c              |  2 +-
 src/drivers/driver.h                         |  4 +-
 src/drivers/driver_atheros.c                 |  3 +-
 src/drivers/driver_bsd.c                     |  3 +-
 src/drivers/driver_hostap.c                  |  3 +-
 src/drivers/driver_ndis.c                    | 12 +++---
 src/drivers/driver_nl80211.c                 | 11 ++++--
 src/drivers/driver_openbsd.c                 |  3 +-
 src/drivers/driver_privsep.c                 |  3 +-
 src/drivers/driver_wext.c                    |  8 ++--
 src/drivers/driver_wext.h                    |  3 +-
 src/rsn_supp/tdls.c                          |  6 +--
 src/rsn_supp/wpa.c                           | 15 ++++----
 src/rsn_supp/wpa.h                           |  4 +-
 src/rsn_supp/wpa_ft.c                        |  7 ++--
 src/rsn_supp/wpa_i.h                         |  8 ++--
 tests/fuzzing/eapol-key-supp/eapol-key-supp.c |  2 +-
 tests/hwsim/test_ap_ciphers.py               |  2 +-
 tests/test-eapol.c                           |  2 +-
 wpa_supplicant/ctrl_iface.c                  | 18 ++++-----
 wpa_supplicant/driver_i.h                    |  8 ++--
 wpa_supplicant/ibss_rsn.c                    | 13 ++++---
 wpa_supplicant/mesh_mpm.c                    |  6 +--
 wpa_supplicant/mesh_rsn.c                    |  9 +++--
 wpa_supplicant/preauth_test.c                |  2 +-
 wpa_supplicant/wpa_supplicant.c              |  8 ++--
 wpa_supplicant/wpas_glue.c                   | 13 ++++---
 37 files changed, 154 insertions(+), 115 deletions(-)
diff --git a/hostapd/ctrl_iface.c b/hostapd/ctrl_iface.c index 0f6dfa13d..ea1e8771d 100644 --- a/hostapd/ctrl_iface.c +++ b/hostapd/ctrl_iface.c
@@ -2122,7 +2122,7 @@ static int hostapd_ctrl_reset_pn(struct hostapd_data *hapd, const char *cmd) hapd->last_igtk_alg, broadcast_ether_addr, hapd->last_igtk_key_idx, 1, NULL, 0, - zero, hapd->last_igtk_len) < 0) + zero, hapd->last_igtk_len, 0) < 0) return -1; /* Set the previously configured key to reset its TSC */ @@ -2131,7 +2131,7 @@ static int hostapd_ctrl_reset_pn(struct hostapd_data *hapd, const char *cmd) broadcast_ether_addr, hapd->last_igtk_key_idx, 1, NULL, 0, hapd->last_igtk, - hapd->last_igtk_len); + hapd->last_igtk_len, 0); } #endif /* CONFIG_IEEE80211W */ @@ -2147,7 +2147,7 @@ static int hostapd_ctrl_reset_pn(struct hostapd_data *hapd, const char *cmd) hapd->last_gtk_alg, broadcast_ether_addr, hapd->last_gtk_key_idx, 1, NULL, 0, - zero, hapd->last_gtk_len) < 0) + zero, hapd->last_gtk_len, 0) < 0) return -1; /* Set the previously configured key to reset its TSC */ @@ -2155,7 +2155,8 @@ static int hostapd_ctrl_reset_pn(struct hostapd_data *hapd, const char *cmd) hapd->last_gtk_alg, broadcast_ether_addr, hapd->last_gtk_key_idx, 1, NULL, 0, - hapd->last_gtk, hapd->last_gtk_len); + hapd->last_gtk, hapd->last_gtk_len, + 0); } sta = ap_get_sta(hapd, addr); @@ -2172,13 +2173,13 @@ static int hostapd_ctrl_reset_pn(struct hostapd_data *hapd, const char *cmd) * in the driver. */ if (hostapd_drv_set_key(hapd->conf->iface, hapd, sta->last_tk_alg, sta->addr, sta->last_tk_key_idx, 1, NULL, 0, - zero, sta->last_tk_len) < 0) + zero, sta->last_tk_len, 0) < 0) return -1; /* Set the previously configured key to reset its TSC/RSC */ return hostapd_drv_set_key(hapd->conf->iface, hapd, sta->last_tk_alg, sta->addr, sta->last_tk_key_idx, 1, NULL, 0, - sta->last_tk, sta->last_tk_len); + sta->last_tk, sta->last_tk_len, 0); } 
@@ -2187,11 +2188,12 @@ static int hostapd_ctrl_set_key(struct hostapd_data *hapd, const char *cmd) u8 addr[ETH_ALEN]; const char *pos = cmd; enum wpa_alg alg; + enum key_type key_type; int idx, set_tx; u8 seq[6], key[WPA_TK_MAX_LEN]; size_t key_len; - /* parameters: alg addr idx set_tx seq key */ + /* parameters: alg addr idx set_tx seq key key_type*/ alg = atoi(pos); pos = os_strchr(pos, ' '); @@ -2220,13 +2222,22 @@ static int hostapd_ctrl_set_key(struct hostapd_data *hapd, const char *cmd) if (*pos != ' ') return -1; pos++; - key_len = os_strlen(pos) / 2; + key_len = (os_strchr(pos, ' ') - pos) / 2; if (hexstr2bin(pos, key, key_len) < 0) return -1; + pos += 2 * key_len; + if (*pos != ' ') + return -1; + + pos++; + key_type = atoi(pos); + pos = os_strchr(pos, ' '); + if (pos) + return -1; wpa_printf(MSG_INFO, "TESTING: Set key"); return hostapd_drv_set_key(hapd->conf->iface, hapd, alg, addr, idx, - set_tx, seq, 6, key, key_len); + set_tx, seq, 6, key, key_len, key_type); } @@ -2242,7 +2253,7 @@ static void restore_tk(void *ctx1, void *ctx2) * preventing encryption of a single EAPOL frame. */ hostapd_drv_set_key(hapd->conf->iface, hapd, sta->last_tk_alg, sta->addr, sta->last_tk_key_idx, 1, NULL, 0, - sta->last_tk, sta->last_tk_len); + sta->last_tk, sta->last_tk_len, 0); } @@ -2266,7 +2277,7 @@ static int hostapd_ctrl_resend_m1(struct hostapd_data *hapd, const char *cmd) MAC2STR(sta->addr)); hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_NONE, sta->addr, sta->last_tk_key_idx, 0, NULL, 0, - NULL, 0); + NULL, 0, 0); } wpa_printf(MSG_INFO, "TESTING: Send M1 to " MACSTR, MAC2STR(sta->addr)); @@ -2296,7 +2307,7 @@ static int hostapd_ctrl_resend_m3(struct hostapd_data *hapd, const char *cmd) MAC2STR(sta->addr)); hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_NONE, sta->addr, sta->last_tk_key_idx, 0, NULL, 0, - NULL, 0); + NULL, 0, 0); } wpa_printf(MSG_INFO, "TESTING: Send M3 to " MACSTR, MAC2STR(sta->addr)); 
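Review bot: In the hostapd_ctrl_set_key hunk, `key_len = (os_strchr(pos, ' ') - pos) / 2;` does pointer arithmetic on a NULL result whenever the command arrives without the new key_type field (the old `alg addr idx set_tx seq key` form), producing a bogus key_len that is then handed to hexstr2bin(); check the os_strchr() result and return -1 first, and bound key_len by sizeof(key) (WPA_TK_MAX_LEN) before hexstr2bin() writes into the fixed buffer, since neither the old nor the new code limits it. Minor: the updated comment `/* parameters: alg addr idx set_tx seq key key_type*/` is missing a space before `*/`.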
@@ -2326,7 +2337,7 @@ static int hostapd_ctrl_resend_group_m1(struct hostapd_data *hapd, MAC2STR(sta->addr)); hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_NONE, sta->addr, sta->last_tk_key_idx, 0, NULL, 0, - NULL, 0); + NULL, 0, 0); } wpa_printf(MSG_INFO, diff --git a/src/ap/ap_drv_ops.c b/src/ap/ap_drv_ops.c index c0ededabe..77c457bc2 100644 --- a/src/ap/ap_drv_ops.c +++ b/src/ap/ap_drv_ops.c @@ -677,13 +677,13 @@ int hostapd_drv_set_key(const char *ifname, struct hostapd_data *hapd, enum wpa_alg alg, const u8 *addr, int key_idx, int set_tx, const u8 *seq, size_t seq_len, - const u8 *key, size_t key_len) + const u8 *key, size_t key_len, enum key_type key_type) { if (hapd->driver == NULL || hapd->driver->set_key == NULL) return 0; return hapd->driver->set_key(ifname, hapd->drv_priv, alg, addr, key_idx, set_tx, seq, seq_len, key, - key_len); + key_len, key_type); } diff --git a/src/ap/ap_drv_ops.h b/src/ap/ap_drv_ops.h index ca7f7abe0..2c3e8e0f0 100644 --- a/src/ap/ap_drv_ops.h +++ b/src/ap/ap_drv_ops.h @@ -90,7 +90,7 @@ int hostapd_drv_set_key(const char *ifname, enum wpa_alg alg, const u8 *addr, int key_idx, int set_tx, const u8 *seq, size_t seq_len, - const u8 *key, size_t key_len); + const u8 *key, size_t key_len, enum key_type key_type); int hostapd_drv_send_mlme(struct hostapd_data *hapd, const void *msg, size_t len, int noack); int hostapd_drv_send_mlme_csa(struct hostapd_data *hapd, diff --git a/src/ap/hostapd.c b/src/ap/hostapd.c index bf1975fbd..c0cf9a973 100644 --- a/src/ap/hostapd.c +++ b/src/ap/hostapd.c @@ -293,7 +293,7 @@ static void hostapd_broadcast_key_clear_iface(struct hostapd_data *hapd, return; for (i = 0; i < NUM_WEP_KEYS; i++) { if (hostapd_drv_set_key(ifname, hapd, WPA_ALG_NONE, NULL, i, - 0, NULL, 0, NULL, 0)) { + 0, NULL, 0, NULL, 0, 0)) { wpa_printf(MSG_DEBUG, "Failed to clear default " "encryption keys (ifname=%s keyidx=%d)", ifname, i); 
@@ -304,7 +304,7 @@ static void hostapd_broadcast_key_clear_iface(struct hostapd_data *hapd, for (i = NUM_WEP_KEYS; i < NUM_WEP_KEYS + 2; i++) { if (hostapd_drv_set_key(ifname, hapd, WPA_ALG_NONE, NULL, i, 0, NULL, - 0, NULL, 0)) { + 0, NULL, 0, 0)) { wpa_printf(MSG_DEBUG, "Failed to clear " "default mgmt encryption keys " "(ifname=%s keyidx=%d)", ifname, i); @@ -332,7 +332,7 @@ static int hostapd_broadcast_wep_set(struct hostapd_data *hapd) hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, broadcast_ether_addr, idx, 1, NULL, 0, ssid->wep.key[idx], - ssid->wep.len[idx])) { + ssid->wep.len[idx], 0)) { wpa_printf(MSG_WARNING, "Could not set WEP encryption."); errors++; } @@ -560,7 +560,7 @@ static int hostapd_setup_encryption(char *iface, struct hostapd_data *hapd) hostapd_drv_set_key(iface, hapd, WPA_ALG_WEP, NULL, i, i == hapd->conf->ssid.wep.idx, NULL, 0, hapd->conf->ssid.wep.key[i], - hapd->conf->ssid.wep.len[i])) { + hapd->conf->ssid.wep.len[i], 0)) { wpa_printf(MSG_WARNING, "Could not set WEP " "encryption."); return -1; diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c index c85a28db4..dfe977b75 100644 --- a/src/ap/ieee802_11.c +++ b/src/ap/ieee802_11.c @@ -4771,7 +4771,8 @@ static void hostapd_set_wds_encryption(struct hostapd_data *hapd, if (ssid->wep.key[i] && hostapd_drv_set_key(ifname_wds, hapd, WPA_ALG_WEP, NULL, i, i == ssid->wep.idx, NULL, 0, - ssid->wep.key[i], ssid->wep.len[i])) { + ssid->wep.key[i], ssid->wep.len[i], + 0)) { wpa_printf(MSG_WARNING, "Could not set WEP keys for WDS interface; %s", ifname_wds); diff --git a/src/ap/ieee802_1x.c b/src/ap/ieee802_1x.c index a7a090190..657fe94a9 100644 --- a/src/ap/ieee802_1x.c +++ b/src/ap/ieee802_1x.c 
@@ -285,7 +285,8 @@ static void ieee802_1x_tx_key(struct hostapd_data *hapd, struct sta_info *sta) * has ACKed EAPOL-Key frame */ if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, sta->addr, 0, 1, NULL, 0, ikey, - hapd->conf->individual_wep_key_len)) { + hapd->conf->individual_wep_key_len, + 0)) { wpa_printf(MSG_ERROR, "Could not set individual WEP " "encryption."); } @@ -2170,7 +2171,7 @@ static void ieee802_1x_rekey(void *eloop_ctx, void *timeout_ctx) broadcast_ether_addr, eapol->default_wep_key_idx, 1, NULL, 0, eapol->default_wep_key, - hapd->conf->default_wep_key_len)) { + hapd->conf->default_wep_key_len, 0)) { hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X, HOSTAPD_LEVEL_WARNING, "failed to configure a " "new broadcast key"); @@ -2485,7 +2486,7 @@ int ieee802_1x_init(struct hostapd_data *hapd) for (i = 0; i < 4; i++) hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_NONE, NULL, i, 0, NULL, 0, - NULL, 0); + NULL, 0, 0); ieee802_1x_rekey(hapd, NULL); diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c index 02937d2ee..919ba1f42 100644 --- a/src/ap/wpa_auth.c +++ b/src/ap/wpa_auth.c @@ -136,12 +136,13 @@ static inline int wpa_auth_get_msk(struct wpa_authenticator *wpa_auth, static inline int wpa_auth_set_key(struct wpa_authenticator *wpa_auth, int vlan_id, enum wpa_alg alg, const u8 *addr, int idx, - u8 *key, size_t key_len) + u8 *key, size_t key_len, + enum key_type key_type) { if (wpa_auth->cb->set_key == NULL) return -1; return wpa_auth->cb->set_key(wpa_auth->cb_ctx, vlan_id, alg, addr, idx, - key, key_len); + key, key_len, key_type); } @@ -1713,7 +1714,7 @@ void wpa_remove_ptk(struct wpa_state_machine *sm) sm->PTK_valid = FALSE; os_memset(&sm->PTK, 0, sizeof(sm->PTK)); if (wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 0, NULL, - 0)) + 0, 0)) wpa_printf(MSG_DEBUG, "RSN: PTK removal from the driver failed"); sm->pairwise_set = FALSE; 
@@ -2747,7 +2748,7 @@ int fils_set_tk(struct wpa_state_machine *sm) wpa_printf(MSG_DEBUG, "FILS: Configure TK to the driver"); if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0, - sm->PTK.tk, klen)) { + sm->PTK.tk, klen, 0)) { wpa_printf(MSG_DEBUG, "FILS: Failed to set TK to the driver"); return -1; } @@ -3345,7 +3346,7 @@ SM_STATE(WPA_PTK, PTKINITDONE) enum wpa_alg alg = wpa_cipher_to_alg(sm->pairwise); int klen = wpa_cipher_key_len(sm->pairwise); if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0, - sm->PTK.tk, klen)) { + sm->PTK.tk, klen, 0)) { wpa_sta_disconnect(sm->wpa_auth, sm->addr, WLAN_REASON_PREV_AUTH_NOT_VALID); return; @@ -3944,7 +3945,7 @@ static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth, if (wpa_auth_set_key(wpa_auth, group->vlan_id, wpa_cipher_to_alg(wpa_auth->conf.wpa_group), broadcast_ether_addr, group->GN, - group->GTK[group->GN - 1], group->GTK_len) < 0) + group->GTK[group->GN - 1], group->GTK_len, 0) < 0) ret = -1; #ifdef CONFIG_IEEE80211W @@ -3958,7 +3959,8 @@ static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth, if (ret == 0 && wpa_auth_set_key(wpa_auth, group->vlan_id, alg, broadcast_ether_addr, group->GN_igtk, - group->IGTK[group->GN_igtk - 4], len) < 0) + group->IGTK[group->GN_igtk - 4], + len, 0) < 0) ret = -1; } #endif /* CONFIG_IEEE80211W */ diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h index a348bc25a..cc8ea5aa7 100644 --- a/src/ap/wpa_auth.h +++ b/src/ap/wpa_auth.h @@ -258,7 +258,8 @@ struct wpa_auth_callbacks { int *vlan_id); int (*get_msk)(void *ctx, const u8 *addr, u8 *msk, size_t *len); int (*set_key)(void *ctx, int vlan_id, enum wpa_alg alg, - const u8 *addr, int idx, u8 *key, size_t key_len); + const u8 *addr, int idx, u8 *key, size_t key_len, + enum key_type key_type); int (*get_seqnum)(void *ctx, const u8 *addr, int idx, u8 *seq); int (*send_eapol)(void *ctx, const u8 *addr, const u8 *data, size_t data_len, int encrypt); 
diff --git a/src/ap/wpa_auth_ft.c b/src/ap/wpa_auth_ft.c index 696f8d5fa..69ed68244 100644 --- a/src/ap/wpa_auth_ft.c +++ b/src/ap/wpa_auth_ft.c @@ -2614,12 +2614,13 @@ u8 * wpa_sm_write_assoc_resp_ies(struct wpa_state_machine *sm, u8 *pos, static inline int wpa_auth_set_key(struct wpa_authenticator *wpa_auth, int vlan_id, enum wpa_alg alg, const u8 *addr, int idx, - u8 *key, size_t key_len) + u8 *key, size_t key_len, + enum key_type key_type) { if (wpa_auth->cb->set_key == NULL) return -1; return wpa_auth->cb->set_key(wpa_auth->cb_ctx, vlan_id, alg, addr, idx, - key, key_len); + key, key_len, key_type); } @@ -2652,7 +2653,7 @@ void wpa_ft_install_ptk(struct wpa_state_machine *sm) * optimized by adding the STA entry earlier. */ if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0, - sm->PTK.tk, klen)) + sm->PTK.tk, klen, 0)) return; /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */ diff --git a/src/ap/wpa_auth_glue.c b/src/ap/wpa_auth_glue.c index 0800a8748..df900dba7 100644 --- a/src/ap/wpa_auth_glue.c +++ b/src/ap/wpa_auth_glue.c @@ -357,7 +357,7 @@ static int hostapd_wpa_auth_get_msk(void *ctx, const u8 *addr, u8 *msk, static int hostapd_wpa_auth_set_key(void *ctx, int vlan_id, enum wpa_alg alg, const u8 *addr, int idx, u8 *key, - size_t key_len) + size_t key_len, enum key_type key_type) { struct hostapd_data *hapd = ctx; const char *ifname = hapd->conf->iface; @@ -400,7 +400,7 @@ static int hostapd_wpa_auth_set_key(void *ctx, int vlan_id, enum wpa_alg alg, } #endif /* CONFIG_TESTING_OPTIONS */ return hostapd_drv_set_key(ifname, hapd, alg, addr, idx, 1, NULL, 0, - key, key_len); + key, key_len, key_type); } diff --git a/src/crypto/crypto_libtomcrypt.c b/src/crypto/crypto_libtomcrypt.c index ed30efa02..70b7f3389 100644 --- a/src/crypto/crypto_libtomcrypt.c +++ b/src/crypto/crypto_libtomcrypt.c 
@@ -550,7 +550,7 @@ static int pkcs1_generate_encryption_block(u8 block_type, size_t modlen, } -static int crypto_rsa_encrypt_pkcs1(int block_type, rsa_key *key, int key_type, +static int crypto_rsa_encrypt_pkcs1(int block_type, rsa_key *key, enum key_type, const u8 *in, size_t inlen, u8 *out, size_t *outlen) { diff --git a/src/drivers/driver.h b/src/drivers/driver.h index b74c37f2c..de10490ab 100644 --- a/src/drivers/driver.h +++ b/src/drivers/driver.h @@ -2333,7 +2333,7 @@ struct wpa_driver_ops { int (*set_key)(const char *ifname, void *priv, enum wpa_alg alg, const u8 *addr, int key_idx, int set_tx, const u8 *seq, size_t seq_len, - const u8 *key, size_t key_len); + const u8 *key, size_t key_len, enum key_type key_type); /** * init - Initialize driver interface @@ -2560,7 +2560,7 @@ struct wpa_driver_ops { * based on configured keys. */ int (*mlme_setprotection)(void *priv, const u8 *addr, int protect_type, - int key_type); + enum key_type); /** * get_hw_feature_data - Get hardware support data (channels and rates) diff --git a/src/drivers/driver_atheros.c b/src/drivers/driver_atheros.c index 840d4ff40..08095865a 100644 --- a/src/drivers/driver_atheros.c +++ b/src/drivers/driver_atheros.c @@ -500,7 +500,8 @@ atheros_del_key(void *priv, const u8 *addr, int key_idx) static int atheros_set_key(const char *ifname, void *priv, enum wpa_alg alg, const u8 *addr, int key_idx, int set_tx, const u8 *seq, - size_t seq_len, const u8 *key, size_t key_len) + size_t seq_len, const u8 *key, size_t key_len, + enum key_type key_type) { struct atheros_driver_data *drv = priv; struct ieee80211req_key wk; diff --git a/src/drivers/driver_bsd.c b/src/drivers/driver_bsd.c index 82ca0612e..c53155be0 100644 --- a/src/drivers/driver_bsd.c +++ b/src/drivers/driver_bsd.c 
@@ -333,7 +333,8 @@ bsd_ctrl_iface(void *priv, int enable) static int bsd_set_key(const char *ifname, void *priv, enum wpa_alg alg, const unsigned char *addr, int key_idx, int set_tx, const u8 *seq, - size_t seq_len, const u8 *key, size_t key_len) + size_t seq_len, const u8 *key, size_t key_len, + enum key_type key_type) { struct ieee80211req_key wk; #ifdef IEEE80211_KEY_NOREPLAY diff --git a/src/drivers/driver_hostap.c b/src/drivers/driver_hostap.c index 186eccbf2..bf22858fb 100644 --- a/src/drivers/driver_hostap.c +++ b/src/drivers/driver_hostap.c @@ -399,7 +399,8 @@ static int wpa_driver_hostap_set_key(const char *ifname, void *priv, enum wpa_alg alg, const u8 *addr, int key_idx, int set_tx, const u8 *seq, size_t seq_len, - const u8 *key, size_t key_len) + const u8 *key, size_t key_len, + enum key_type key_type) { struct hostap_driver_data *drv = priv; struct prism2_hostapd_param *param; diff --git a/src/drivers/driver_ndis.c b/src/drivers/driver_ndis.c index 5b4b9247e..649bc01ea 100644 --- a/src/drivers/driver_ndis.c +++ b/src/drivers/driver_ndis.c @@ -932,7 +932,8 @@ static int wpa_driver_ndis_remove_key(struct wpa_driver_ndis_data *drv, static int wpa_driver_ndis_add_wep(struct wpa_driver_ndis_data *drv, int pairwise, int key_idx, int set_tx, - const u8 *key, size_t key_len) + const u8 *key, size_t key_len, + enum key_type key_type) { NDIS_802_11_WEP *wep; size_t len; @@ -967,7 +968,8 @@ static int wpa_driver_ndis_set_key(const char *ifname, void *priv, enum wpa_alg alg, const u8 *addr, int key_idx, int set_tx, const u8 *seq, size_t seq_len, - const u8 *key, size_t key_len) + const u8 *key, size_t key_len, + enum key_type key_type) { struct wpa_driver_ndis_data *drv = priv; size_t len, i; @@ -993,7 +995,7 @@ static int wpa_driver_ndis_set_key(const char *ifname, void *priv, if (alg == WPA_ALG_WEP) { return wpa_driver_ndis_add_wep(drv, pairwise, key_idx, set_tx, - key, key_len); + key, key_len, key_type); } len = 12 + 6 + 6 + 8 + key_len; 
@@ -1075,7 +1077,7 @@ wpa_driver_ndis_associate(void *priv, bcast, i, i == params->wep_tx_keyidx, NULL, 0, params->wep_key[i], - params->wep_key_len[i]); + params->wep_key_len[i], 0); } } @@ -1112,7 +1114,7 @@ wpa_driver_ndis_associate(void *priv, wpa_driver_ndis_set_key(drv->ifname, drv, WPA_ALG_WEP, bcast, 0, 1, NULL, 0, dummy_key, - sizeof(dummy_key)); + sizeof(dummy_key), 0); } #endif /* CONFIG_WPS */ } else { diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c index 2e3c9115c..97c655521 100644 --- a/src/drivers/driver_nl80211.c +++ b/src/drivers/driver_nl80211.c @@ -3011,7 +3011,8 @@ static int wpa_driver_nl80211_set_key(const char *ifname, struct i802_bss *bss, enum wpa_alg alg, const u8 *addr, int key_idx, int set_tx, const u8 *seq, size_t seq_len, - const u8 *key, size_t key_len) + const u8 *key, size_t key_len, + enum key_type key_type) { struct wpa_driver_nl80211_data *drv = bss->drv; int ifindex; @@ -3483,7 +3484,7 @@ retry: NULL, i, i == params->wep_tx_keyidx, NULL, 0, params->wep_key[i], - params->wep_key_len[i]); + params->wep_key_len[i], 0); if (params->wep_tx_keyidx != i) continue; if (nl_add_key(msg, WPA_ALG_WEP, i, 1, NULL, 0, @@ -8633,11 +8634,13 @@ static int driver_nl80211_set_key(const char *ifname, void *priv, enum wpa_alg alg, const u8 *addr, int key_idx, int set_tx, const u8 *seq, size_t seq_len, - const u8 *key, size_t key_len) + const u8 *key, size_t key_len, + enum key_type key_type) { struct i802_bss *bss = priv; return wpa_driver_nl80211_set_key(ifname, bss, alg, addr, key_idx, - set_tx, seq, seq_len, key, key_len); + set_tx, seq, seq_len, key, key_len, + key_type); } diff --git a/src/drivers/driver_openbsd.c b/src/drivers/driver_openbsd.c index c06e75c0f..0d975c4c5 100644 --- a/src/drivers/driver_openbsd.c +++ b/src/drivers/driver_openbsd.c 
@@ -71,7 +71,8 @@ wpa_driver_openbsd_get_capa(void *priv, struct wpa_driver_capa *capa) static int wpa_driver_openbsd_set_key(const char *ifname, void *priv, enum wpa_alg alg, const unsigned char *addr, int key_idx, int set_tx, const u8 *seq, - size_t seq_len, const u8 *key, size_t key_len) + size_t seq_len, const u8 *key, size_t key_len, + enum key_type key_type) { struct openbsd_driver_data *drv = priv; struct ieee80211_keyavail keyavail; diff --git a/src/drivers/driver_privsep.c b/src/drivers/driver_privsep.c index 55cf61885..e3375cd90 100644 --- a/src/drivers/driver_privsep.c +++ b/src/drivers/driver_privsep.c @@ -209,7 +209,8 @@ static int wpa_driver_privsep_set_key(const char *ifname, void *priv, enum wpa_alg alg, const u8 *addr, int key_idx, int set_tx, const u8 *seq, size_t seq_len, - const u8 *key, size_t key_len) + const u8 *key, size_t key_len, + enum key_type key_type) { struct wpa_driver_privsep_data *drv = priv; struct privsep_cmd_set_key cmd; diff --git a/src/drivers/driver_wext.c b/src/drivers/driver_wext.c index 4d4a05d0c..ea5d667ed 100644 --- a/src/drivers/driver_wext.c +++ b/src/drivers/driver_wext.c @@ -1712,7 +1712,8 @@ static int wpa_driver_wext_set_key_ext(void *priv, enum wpa_alg alg, const u8 *addr, int key_idx, int set_tx, const u8 *seq, size_t seq_len, - const u8 *key, size_t key_len) + const u8 *key, size_t key_len, + enum key_type key_type) { struct wpa_driver_wext_data *drv = priv; struct iwreq iwr; @@ -1831,7 +1832,8 @@ static int wpa_driver_wext_set_key_ext(void *priv, enum wpa_alg alg, int wpa_driver_wext_set_key(const char *ifname, void *priv, enum wpa_alg alg, const u8 *addr, int key_idx, int set_tx, const u8 *seq, size_t seq_len, - const u8 *key, size_t key_len) + const u8 *key, size_t key_len, + enum key_type key_type) { struct wpa_driver_wext_data *drv = priv; struct iwreq iwr; 
@@ -1843,7 +1845,7 @@ int wpa_driver_wext_set_key(const char *ifname, void *priv, enum wpa_alg alg, (unsigned long) seq_len, (unsigned long) key_len); ret = wpa_driver_wext_set_key_ext(drv, alg, addr, key_idx, set_tx, - seq, seq_len, key, key_len); + seq, seq_len, key, key_len, key_type); if (ret == 0) return 0; diff --git a/src/drivers/driver_wext.h b/src/drivers/driver_wext.h index b4b5960a7..7e2009079 100644 --- a/src/drivers/driver_wext.h +++ b/src/drivers/driver_wext.h @@ -55,7 +55,8 @@ int wpa_driver_wext_set_mode(void *priv, int mode); int wpa_driver_wext_set_key(const char *ifname, void *priv, enum wpa_alg alg, const u8 *addr, int key_idx, int set_tx, const u8 *seq, size_t seq_len, - const u8 *key, size_t key_len); + const u8 *key, size_t key_len, + enum key_type key_type); int wpa_driver_wext_scan(void *priv, struct wpa_driver_scan_params *params); struct wpa_scan_results * wpa_driver_wext_get_scan_results(void *priv); diff --git a/src/rsn_supp/tdls.c b/src/rsn_supp/tdls.c index 704c95e68..28048d9fc 100644 --- a/src/rsn_supp/tdls.c +++ b/src/rsn_supp/tdls.c @@ -178,7 +178,7 @@ static u8 * wpa_add_ie(u8 *pos, const u8 *ie, size_t ie_len) static int wpa_tdls_del_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) { if (wpa_sm_set_key(sm, WPA_ALG_NONE, peer->addr, - 0, 0, NULL, 0, NULL, 0) < 0) { + 0, 0, NULL, 0, NULL, 0, 0) < 0) { wpa_printf(MSG_WARNING, "TDLS: Failed to delete TPK-TK from " "the driver"); return -1; @@ -227,8 +227,8 @@ static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) wpa_printf(MSG_DEBUG, "TDLS: Configure pairwise key for peer " MACSTR, MAC2STR(peer->addr)); - if (wpa_sm_set_key(sm, alg, peer->addr, -1, 1, - rsc, sizeof(rsc), peer->tpk.tk, key_len) < 0) { + if (wpa_sm_set_key(sm, alg, peer->addr, -1, 1, rsc, sizeof(rsc), + peer->tpk.tk, key_len, 0) < 0) { wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the " "driver"); return -1; 
diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c index c929e8194..d28843d9f 100644 --- a/src/rsn_supp/wpa.c +++ b/src/rsn_supp/wpa.c @@ -781,7 +781,8 @@ static void wpa_sm_rekey_ptk(void *eloop_ctx, void *timeout_ctx) static int wpa_supplicant_install_ptk(struct wpa_sm *sm, - const struct wpa_eapol_key *key) + const struct wpa_eapol_key *key, + enum key_type key_type) { int keylen, rsclen; enum wpa_alg alg; @@ -826,7 +827,7 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm, } if (wpa_sm_set_key(sm, alg, sm->bssid, 0, 1, key_rsc, rsclen, - sm->ptk.tk, keylen) < 0) { + sm->ptk.tk, keylen, key_type) < 0) { wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: Failed to set PTK to the " "driver (alg=%d keylen=%d bssid=" MACSTR ")", @@ -919,7 +920,7 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm, if (sm->pairwise_cipher == WPA_CIPHER_NONE) { if (wpa_sm_set_key(sm, gd->alg, NULL, gd->keyidx, 1, key_rsc, gd->key_rsc_len, - _gtk, gd->gtk_len) < 0) { + _gtk, gd->gtk_len, 0) < 0) { wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: Failed to set GTK to the driver " "(Group only)"); @@ -928,7 +929,7 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm, } } else if (wpa_sm_set_key(sm, gd->alg, broadcast_ether_addr, gd->keyidx, gd->tx, key_rsc, gd->key_rsc_len, - _gtk, gd->gtk_len) < 0) { + _gtk, gd->gtk_len, 0) < 0) { wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: Failed to set GTK to " "the driver (alg=%d keylen=%d keyidx=%d)", @@ -1083,7 +1084,7 @@ static int wpa_supplicant_install_igtk(struct wpa_sm *sm, if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher), broadcast_ether_addr, keyidx, 0, igtk->pn, sizeof(igtk->pn), - igtk->igtk, len) < 0) { + igtk->igtk, len, 0) < 0) { if (keyidx == 0x0400 || keyidx == 0x0500) { /* Assume the AP has broken PMF implementation since it * seems to have swapped the KeyID bytes. The AP cannot 
@@ -1532,7 +1533,7 @@ static void wpa_supplicant_process_3_of_4(struct wpa_sm *sm, sm->renew_snonce = 1; if (key_info & WPA_KEY_INFO_INSTALL) { - if (wpa_supplicant_install_ptk(sm, key)) + if (wpa_supplicant_install_ptk(sm, key, 0)) goto failed; } @@ -4458,7 +4459,7 @@ int fils_process_assoc_resp(struct wpa_sm *sm, const u8 *resp, size_t len) wpa_hexdump_key(MSG_DEBUG, "FILS: Set TK to driver", sm->ptk.tk, keylen); if (wpa_sm_set_key(sm, alg, sm->bssid, 0, 1, null_rsc, rsclen, - sm->ptk.tk, keylen) < 0) { + sm->ptk.tk, keylen, 0) < 0) { wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "FILS: Failed to set PTK to the driver (alg=%d keylen=%d bssid=" MACSTR ")", diff --git a/src/rsn_supp/wpa.h b/src/rsn_supp/wpa.h index ae9cd6484..60ced0a74 100644 --- a/src/rsn_supp/wpa.h +++ b/src/rsn_supp/wpa.h @@ -30,7 +30,7 @@ struct wpa_sm_ctx { int (*set_key)(void *ctx, enum wpa_alg alg, const u8 *addr, int key_idx, int set_tx, const u8 *seq, size_t seq_len, - const u8 *key, size_t key_len); + const u8 *key, size_t key_len, enum key_type key_type); void * (*get_network_ctx)(void *ctx); int (*get_bssid)(void *ctx, u8 *bssid); int (*ether_send)(void *ctx, const u8 *dest, u16 proto, const u8 *buf, @@ -48,7 +48,7 @@ struct wpa_sm_ctx { const struct wpa_config_blob * (*get_config_blob)(void *ctx, const char *name); int (*mlme_setprotection)(void *ctx, const u8 *addr, - int protection_type, int key_type); + int protection_type, enum key_type); int (*update_ft_ies)(void *ctx, const u8 *md, const u8 *ies, size_t ies_len); int (*send_ft_action)(void *ctx, u8 action, const u8 *target_ap, diff --git a/src/rsn_supp/wpa_ft.c b/src/rsn_supp/wpa_ft.c index f698ff4eb..b67874bab 100644 --- a/src/rsn_supp/wpa_ft.c +++ b/src/rsn_supp/wpa_ft.c 
@@ -412,7 +412,8 @@ static int wpa_ft_install_ptk(struct wpa_sm *sm, const u8 *bssid) keylen = wpa_cipher_key_len(sm->pairwise_cipher); if (wpa_sm_set_key(sm, alg, bssid, 0, 1, null_rsc, - sizeof(null_rsc), (u8 *) sm->ptk.tk, keylen) < 0) { + sizeof(null_rsc), (u8 *) sm->ptk.tk, keylen, + 0) < 0) { wpa_printf(MSG_WARNING, "FT: Failed to set PTK to the driver"); return -1; } @@ -764,7 +765,7 @@ static int wpa_ft_process_gtk_subelem(struct wpa_sm *sm, const u8 *gtk_elem, os_memcpy(gtk + 24, tmp, 8); } if (wpa_sm_set_key(sm, alg, broadcast_ether_addr, keyidx, 0, - gtk_elem + 3, rsc_len, gtk, keylen) < 0) { + gtk_elem + 3, rsc_len, gtk, keylen, 0) < 0) { wpa_printf(MSG_WARNING, "WPA: Failed to set GTK to the " "driver."); return -1; @@ -832,7 +833,7 @@ static int wpa_ft_process_igtk_subelem(struct wpa_sm *sm, const u8 *igtk_elem, igtk_len); if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher), broadcast_ether_addr, keyidx, 0, - igtk_elem + 2, 6, igtk, igtk_len) < 0) { + igtk_elem + 2, 6, igtk, igtk_len, 0) < 0) { wpa_printf(MSG_WARNING, "WPA: Failed to set IGTK to the " "driver."); forced_memzero(igtk, sizeof(igtk)); diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h index d86734b0d..a22d3d156 100644 --- a/src/rsn_supp/wpa_i.h +++ b/src/rsn_supp/wpa_i.h @@ -197,11 +197,12 @@ static inline void wpa_sm_deauthenticate(struct wpa_sm *sm, u16 reason_code) static inline int wpa_sm_set_key(struct wpa_sm *sm, enum wpa_alg alg, const u8 *addr, int key_idx, int set_tx, const u8 *seq, size_t seq_len, - const u8 *key, size_t key_len) + const u8 *key, size_t key_len, + enum key_type key_type) { WPA_ASSERT(sm->ctx->set_key); return sm->ctx->set_key(sm->ctx->ctx, alg, addr, key_idx, set_tx, - seq, seq_len, key, key_len); + seq, seq_len, key, key_len, key_type); } static inline void * wpa_sm_get_network_ctx(struct wpa_sm *sm) 
@@ -264,7 +265,8 @@ static inline int wpa_sm_remove_pmkid(struct wpa_sm *sm, void *network_ctx, } static inline int wpa_sm_mlme_setprotection(struct wpa_sm *sm, const u8 *addr, - int protect_type, int key_type) + int protect_type, + enum key_type key_type) { WPA_ASSERT(sm->ctx->mlme_setprotection); return sm->ctx->mlme_setprotection(sm->ctx->ctx, addr, protect_type, diff --git a/tests/fuzzing/eapol-key-supp/eapol-key-supp.c b/tests/fuzzing/eapol-key-supp/eapol-key-supp.c index eb565d7cf..8545f54b9 100644 --- a/tests/fuzzing/eapol-key-supp/eapol-key-supp.c +++ b/tests/fuzzing/eapol-key-supp/eapol-key-supp.c @@ -187,7 +187,7 @@ static int supp_set_key(void *ctx, enum wpa_alg alg, static int supp_mlme_setprotection(void *ctx, const u8 *addr, - int protection_type, int key_type) + int protection_type, enum key_type) { wpa_printf(MSG_DEBUG, "SUPP: %s(addr=" MACSTR " protection_type=%d " "key_type=%d)", diff --git a/tests/hwsim/test_ap_ciphers.py b/tests/hwsim/test_ap_ciphers.py index e10927a9c..cd45c6fd9 100644 --- a/tests/hwsim/test_ap_ciphers.py +++ b/tests/hwsim/test_ap_ciphers.py @@ -862,7 +862,7 @@ def test_ap_wpa2_delayed_m1_m3_zero_tk(dev, apdev): if "OK" not in hapd.request("RESEND_M3 " + addr): raise Exception("RESEND_M3 failed") - if "OK" not in hapd.request("SET_KEY 3 %s %d %d %s %s" % (addr, 0, 1, 6*"00", 16*"00")): + if "OK" not in hapd.request("SET_KEY 3 %s %d %d %s %s 0" % (addr, 0, 1, 6*"00", 16*"00")): raise Exception("SET_KEY failed") time.sleep(0.1) hwsim_utils.test_connectivity(dev[0], hapd, timeout=1, broadcast=False, diff --git a/tests/test-eapol.c b/tests/test-eapol.c index 0dd65e489..93c76552f 100644 --- a/tests/test-eapol.c +++ b/tests/test-eapol.c @@ -249,7 +249,7 @@ static int supp_set_key(void *ctx, enum wpa_alg alg, static int supp_mlme_setprotection(void *ctx, const u8 *addr, - int protection_type, int key_type) + int protection_type, enum key_type) { wpa_printf(MSG_DEBUG, "SUPP: %s(addr=" MACSTR " protection_type=%d " "key_type=%d)", 
diff --git a/wpa_supplicant/ctrl_iface.c b/wpa_supplicant/ctrl_iface.c index 8efc08d4d..5c7fd87c5 100644 --- a/wpa_supplicant/ctrl_iface.c +++ b/wpa_supplicant/ctrl_iface.c @@ -5237,17 +5237,17 @@ static void wpa_supplicant_ctrl_iface_drop_sa(struct wpa_supplicant *wpa_s) { wpa_printf(MSG_DEBUG, "Dropping SA without deauthentication"); /* MLME-DELETEKEYS.request */ - wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 0, 0, NULL, 0, NULL, 0); - wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 1, 0, NULL, 0, NULL, 0); - wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 2, 0, NULL, 0, NULL, 0); - wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 3, 0, NULL, 0, NULL, 0); + wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 0, 0, NULL, 0, NULL, 0, 0); + wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 1, 0, NULL, 0, NULL, 0, 0); + wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 2, 0, NULL, 0, NULL, 0, 0); + wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 3, 0, NULL, 0, NULL, 0, 0); #ifdef CONFIG_IEEE80211W - wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 4, 0, NULL, 0, NULL, 0); - wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 5, 0, NULL, 0, NULL, 0); + wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 4, 0, NULL, 0, NULL, 0, 0); + wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 5, 0, NULL, 0, NULL, 0, 0); #endif /* CONFIG_IEEE80211W */ wpa_drv_set_key(wpa_s, WPA_ALG_NONE, wpa_s->bssid, 0, 0, NULL, 0, NULL, - 0); + 0, 0); /* MLME-SETPROTECTION.request(None) */ wpa_drv_mlme_setprotection(wpa_s, wpa_s->bssid, MLME_SETPROTECTION_PROTECT_TYPE_NONE, 
@@ -9227,13 +9227,13 @@ static int wpas_ctrl_reset_pn(struct wpa_supplicant *wpa_s) * in the driver. */ if (wpa_drv_set_key(wpa_s, wpa_s->last_tk_alg, wpa_s->last_tk_addr, wpa_s->last_tk_key_idx, 1, zero, 6, - zero, wpa_s->last_tk_len) < 0) + zero, wpa_s->last_tk_len, 0) < 0) return -1; /* Set the previously configured key to reset its TSC/RSC */ return wpa_drv_set_key(wpa_s, wpa_s->last_tk_alg, wpa_s->last_tk_addr, wpa_s->last_tk_key_idx, 1, zero, 6, - wpa_s->last_tk, wpa_s->last_tk_len); + wpa_s->last_tk, wpa_s->last_tk_len, 0); } diff --git a/wpa_supplicant/driver_i.h b/wpa_supplicant/driver_i.h index cf9972a6b..c93cca59b 100644 --- a/wpa_supplicant/driver_i.h +++ b/wpa_supplicant/driver_i.h @@ -152,7 +152,8 @@ static inline int wpa_drv_set_key(struct wpa_supplicant *wpa_s, enum wpa_alg alg, const u8 *addr, int key_idx, int set_tx, const u8 *seq, size_t seq_len, - const u8 *key, size_t key_len) + const u8 *key, size_t key_len, + enum key_type key_type) { if (alg != WPA_ALG_NONE) { if (key_idx >= 0 && key_idx <= 6) @@ -163,7 +164,8 @@ static inline int wpa_drv_set_key(struct wpa_supplicant *wpa_s, if (wpa_s->driver->set_key) { return wpa_s->driver->set_key(wpa_s->ifname, wpa_s->drv_priv, alg, addr, key_idx, set_tx, - seq, seq_len, key, key_len); + seq, seq_len, key, key_len, + key_type); } return -1; } @@ -274,7 +276,7 @@ static inline int wpa_drv_set_operstate(struct wpa_supplicant *wpa_s, static inline int wpa_drv_mlme_setprotection(struct wpa_supplicant *wpa_s, const u8 *addr, int protect_type, - int key_type) + enum key_type key_type) { if (wpa_s->driver->mlme_setprotection) return wpa_s->driver->mlme_setprotection(wpa_s->drv_priv, addr, diff --git a/wpa_supplicant/ibss_rsn.c b/wpa_supplicant/ibss_rsn.c index 6934c4725..a11ae857f 100644 --- a/wpa_supplicant/ibss_rsn.c +++ b/wpa_supplicant/ibss_rsn.c 
@@ -139,7 +139,7 @@ static void ibss_check_rsn_completed(struct ibss_rsn_peer *peer) static int supp_set_key(void *ctx, enum wpa_alg alg, const u8 *addr, int key_idx, int set_tx, const u8 *seq, size_t seq_len, - const u8 *key, size_t key_len) + const u8 *key, size_t key_len, enum key_type key_type) { struct ibss_rsn_peer *peer = ctx; @@ -166,7 +166,7 @@ static int supp_set_key(void *ctx, enum wpa_alg alg, if (is_broadcast_ether_addr(addr)) addr = peer->addr; return wpa_drv_set_key(peer->ibss_rsn->wpa_s, alg, addr, key_idx, - set_tx, seq, seq_len, key, key_len); + set_tx, seq, seq_len, key, key_len, key_type); } @@ -178,7 +178,7 @@ static void * supp_get_network_ctx(void *ctx) static int supp_mlme_setprotection(void *ctx, const u8 *addr, - int protection_type, int key_type) + int protection_type, enum key_type key_type) { wpa_printf(MSG_DEBUG, "SUPP: %s(addr=" MACSTR " protection_type=%d " "key_type=%d)", @@ -295,7 +295,8 @@ static int auth_send_eapol(void *ctx, const u8 *addr, const u8 *data, static int auth_set_key(void *ctx, int vlan_id, enum wpa_alg alg, - const u8 *addr, int idx, u8 *key, size_t key_len) + const u8 *addr, int idx, u8 *key, size_t key_len, + enum key_type key_type) { struct ibss_rsn *ibss_rsn = ctx; u8 seq[6]; @@ -334,7 +335,7 @@ static int auth_set_key(void *ctx, int vlan_id, enum wpa_alg alg, } return wpa_drv_set_key(ibss_rsn->wpa_s, alg, addr, idx, - 1, seq, 6, key, key_len); + 1, seq, 6, key, key_len, key_type); } @@ -851,7 +852,7 @@ static void ibss_rsn_handle_auth_1_of_2(struct ibss_rsn *ibss_rsn, wpa_printf(MSG_DEBUG, "RSN: Clear pairwise key for peer " MACSTR, MAC2STR(addr)); wpa_drv_set_key(ibss_rsn->wpa_s, WPA_ALG_NONE, addr, 0, 0, - NULL, 0, NULL, 0); + NULL, 0, NULL, 0, 0); } if (peer && diff --git a/wpa_supplicant/mesh_mpm.c b/wpa_supplicant/mesh_mpm.c index 4a163b6eb..041c158e4 100644 --- a/wpa_supplicant/mesh_mpm.c +++ b/wpa_supplicant/mesh_mpm.c 
@@ -876,7 +876,7 @@ static void mesh_mpm_plink_estab(struct wpa_supplicant *wpa_s, wpa_hexdump_key(MSG_DEBUG, "mesh: MTK", sta->mtk, sta->mtk_len); wpa_drv_set_key(wpa_s, wpa_cipher_to_alg(conf->pairwise_cipher), sta->addr, 0, 0, seq, sizeof(seq), - sta->mtk, sta->mtk_len); + sta->mtk, sta->mtk_len, 0); wpa_hexdump_key(MSG_DEBUG, "mesh: RX MGTK Key RSC", sta->mgtk_rsc, sizeof(sta->mgtk_rsc)); @@ -885,7 +885,7 @@ static void mesh_mpm_plink_estab(struct wpa_supplicant *wpa_s, wpa_drv_set_key(wpa_s, wpa_cipher_to_alg(conf->group_cipher), sta->addr, sta->mgtk_key_id, 0, sta->mgtk_rsc, sizeof(sta->mgtk_rsc), - sta->mgtk, sta->mgtk_len); + sta->mgtk, sta->mgtk_len, 0); if (sta->igtk_len) { wpa_hexdump_key(MSG_DEBUG, "mesh: RX IGTK Key RSC", @@ -897,7 +897,7 @@ static void mesh_mpm_plink_estab(struct wpa_supplicant *wpa_s, wpa_cipher_to_alg(conf->mgmt_group_cipher), sta->addr, sta->igtk_key_id, 0, sta->igtk_rsc, sizeof(sta->igtk_rsc), - sta->igtk, sta->igtk_len); + sta->igtk, sta->igtk_len, 0); } } diff --git a/wpa_supplicant/mesh_rsn.c b/wpa_supplicant/mesh_rsn.c index 4b8d6c469..67090fe56 100644 --- a/wpa_supplicant/mesh_rsn.c +++ b/wpa_supplicant/mesh_rsn.c @@ -100,7 +100,8 @@ static const u8 *auth_get_psk(void *ctx, const u8 *addr, static int auth_set_key(void *ctx, int vlan_id, enum wpa_alg alg, - const u8 *addr, int idx, u8 *key, size_t key_len) + const u8 *addr, int idx, u8 *key, size_t key_len, + enum key_type key_type) { struct mesh_rsn *mesh_rsn = ctx; u8 seq[6]; @@ -118,7 +119,7 @@ static int auth_set_key(void *ctx, int vlan_id, enum wpa_alg alg, wpa_hexdump_key(MSG_DEBUG, "AUTH: set_key - key", key, key_len); return wpa_drv_set_key(mesh_rsn->wpa_s, alg, addr, idx, - 1, seq, 6, key, key_len); + 1, seq, 6, key, key_len, key_type); } 
@@ -199,7 +200,7 @@ static int __mesh_rsn_auth_init(struct mesh_rsn *rsn, const u8 *addr, wpa_drv_set_key(rsn->wpa_s, wpa_cipher_to_alg(rsn->mgmt_group_cipher), NULL, rsn->igtk_key_id, 1, - seq, sizeof(seq), rsn->igtk, rsn->igtk_len); + seq, sizeof(seq), rsn->igtk, rsn->igtk_len, 0); } #endif /* CONFIG_IEEE80211W */ @@ -208,7 +209,7 @@ static int __mesh_rsn_auth_init(struct mesh_rsn *rsn, const u8 *addr, rsn->mgtk, rsn->mgtk_len); wpa_drv_set_key(rsn->wpa_s, wpa_cipher_to_alg(rsn->group_cipher), NULL, rsn->mgtk_key_id, 1, seq, sizeof(seq), - rsn->mgtk, rsn->mgtk_len); + rsn->mgtk, rsn->mgtk_len, 0); return 0; } diff --git a/wpa_supplicant/preauth_test.c b/wpa_supplicant/preauth_test.c index 3f2da34e5..b2c65b60b 100644 --- a/wpa_supplicant/preauth_test.c +++ b/wpa_supplicant/preauth_test.c @@ -136,7 +136,7 @@ static int wpa_supplicant_set_key(void *wpa_s, enum wpa_alg alg, static int wpa_supplicant_mlme_setprotection(void *wpa_s, const u8 *addr, int protection_type, - int key_type) + enum key_type) { printf("%s - not implemented\n", __func__); return -1; diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c index e7a24fc9c..d9d08c1e4 100644 --- a/wpa_supplicant/wpa_supplicant.c +++ b/wpa_supplicant/wpa_supplicant.c @@ -142,7 +142,7 @@ int wpa_set_wep_keys(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid) set = 1; wpa_drv_set_key(wpa_s, WPA_ALG_WEP, NULL, i, i == ssid->wep_tx_keyidx, NULL, 0, - ssid->wep_key[i], ssid->wep_key_len[i]); + ssid->wep_key[i], ssid->wep_key_len[i], 0); } return set; @@ -200,7 +200,7 @@ int wpa_supplicant_set_wpa_none_key(struct wpa_supplicant *wpa_s, /* TODO: should actually remember the previously used seq#, both for TX * and RX from each STA.. */ - ret = wpa_drv_set_key(wpa_s, alg, NULL, 0, 1, seq, 6, key, keylen); + ret = wpa_drv_set_key(wpa_s, alg, NULL, 0, 1, seq, 6, key, keylen, 0); os_memset(key, 0, sizeof(key)); return ret; } 
@@ -706,12 +706,12 @@ void wpa_clear_keys(struct wpa_supplicant *wpa_s, const u8 *addr) if (wpa_s->keys_cleared & BIT(i)) continue; wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, i, 0, NULL, 0, - NULL, 0); + NULL, 0, 0); } if (!(wpa_s->keys_cleared & BIT(0)) && addr && !is_zero_ether_addr(addr)) { wpa_drv_set_key(wpa_s, WPA_ALG_NONE, addr, 0, 0, NULL, 0, NULL, - 0); + 0, 0); /* MLME-SETPROTECTION.request(None) */ wpa_drv_mlme_setprotection( wpa_s, addr, diff --git a/wpa_supplicant/wpas_glue.c b/wpa_supplicant/wpas_glue.c index 62af7f6b1..e4978e0ac 100644 --- a/wpa_supplicant/wpas_glue.c +++ b/wpa_supplicant/wpas_glue.c @@ -242,7 +242,7 @@ static int wpa_eapol_set_wep_key(void *ctx, int unicast, int keyidx, } return wpa_drv_set_key(wpa_s, WPA_ALG_WEP, unicast ? wpa_s->bssid : NULL, - keyidx, unicast, NULL, 0, key, keylen); + keyidx, unicast, NULL, 0, key, keylen, 0); } @@ -341,7 +341,7 @@ static void wpa_supplicant_eapol_cb(struct eapol_sm *eapol, "handshake", pmk, pmk_len); if (wpa_drv_set_key(wpa_s, WPA_ALG_PMK, NULL, 0, 0, NULL, 0, pmk, - pmk_len)) { + pmk_len, 0)) { wpa_printf(MSG_DEBUG, "Failed to set PMK to the driver"); } @@ -488,7 +488,8 @@ static int wpa_supplicant_get_bssid(void *ctx, u8 *bssid) static int wpa_supplicant_set_key(void *_wpa_s, enum wpa_alg alg, const u8 *addr, int key_idx, int set_tx, const u8 *seq, size_t seq_len, - const u8 *key, size_t key_len) + const u8 *key, size_t key_len, + enum key_type key_type) { struct wpa_supplicant *wpa_s = _wpa_s; if (alg == WPA_ALG_TKIP && key_idx == 0 && key_len == 32) { 
@@ -513,13 +514,13 @@ static int wpa_supplicant_set_key(void *_wpa_s, enum wpa_alg alg, } #endif /* CONFIG_TESTING_OPTIONS */ return wpa_drv_set_key(wpa_s, alg, addr, key_idx, set_tx, seq, seq_len, - key, key_len); + key, key_len, key_type); } static int wpa_supplicant_mlme_setprotection(void *wpa_s, const u8 *addr, int protection_type, - int key_type) + enum key_type key_type) { return wpa_drv_mlme_setprotection(wpa_s, addr, protection_type, key_type); 
@@ -1157,7 +1158,7 @@ static int wpa_supplicant_key_mgmt_set_pmk(void *ctx, const u8 *pmk, if (wpa_s->conf->key_mgmt_offload && (wpa_s->drv_flags & WPA_DRIVER_FLAGS_KEY_MGMT_OFFLOAD)) return wpa_drv_set_key(wpa_s, WPA_ALG_PMK, NULL, 0, 0, - NULL, 0, pmk, pmk_len); + NULL, 0, pmk, pmk_len, 0); else return 0; }
From patchwork Sat Aug 24 16:04:53 2019 X-Patchwork-Submitter: Alexander Wetzel X-Patchwork-Id: 1152696
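Review bot: In the preauth_test.c hunk the new parameter is left unnamed (`+ enum key_type)`), which does not compile as a function definition under C standards before C23 ("parameter name omitted") and is also inconsistent with the `enum key_type key_type` spelling used in the ibss_rsn.c and wpas_glue.c hunks of this same patch; it should read `enum key_type key_type)`.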
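Review bot: The supp_mlme_setprotection and wpa_supplicant_mlme_setprotection hunks change the last argument from `int key_type` to `enum key_type key_type`, but that argument carries the MLME-SETPROTECTION.request KeyType (the `/* MLME-SETPROTECTION.request(None) */` caller in wpa_clear_keys goes through this path), which is a different notion from the key type being added to set_key. If the two are not the same enumeration, callers that pass the MLME KeyType now convert silently into the set_key enum and the `key_type=%d` debug output in supp_mlme_setprotection becomes ambiguous; either keep `int` for the setprotection callbacks or state explicitly that the new enum is meant to cover both.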
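Review bot: Every call site touched here passes a bare `0` for the new `enum key_type` argument (wpa_set_wep_keys, wpa_supplicant_set_wpa_none_key, wpa_clear_keys, wpa_eapol_set_wep_key, the PMK installs, and the mesh and IBSS key installs), and nothing in the hunks says which enumerator 0 stands for. Since the follow-up patches 04/16 and 05/16 replace each of these with a named value, spelling the placeholder as the named enumerator for 0, or adding a one-line comment at the first such call that 0 means "not yet classified", would keep the intermediate tree self-describing and make the later replacements easy to audit.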
From: Alexander Wetzel To: j@w1.fi Subject: [PATCH v4 04/16] hostapd: Set the correct key_type for key installs Date: Sat, 24 Aug 2019 18:04:53 +0200 Message-Id: <20190824160505.5548-5-alexander@wetzel-home.de> X-Mailer: git-send-email 2.23.0 In-Reply-To: <20190824160505.5548-1-alexander@wetzel-home.de> References: <20190824160505.5548-1-alexander@wetzel-home.de> MIME-Version: 1.0 X-BeenThere: hostap@lists.infradead.org X-Mailman-Version:
2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Alexander Wetzel , hostap@lists.infradead.org, luca@coelho.fi, johannes@sipsolutions.net Sender: "Hostap" Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org In addition to the set_key "boolean" this also sets the corresponding new key_type for all key installs. Till all drivers are migrated to the new key_type both variables will provide the information required to them. Signed-off-by: Alexander Wetzel --- hostapd/ctrl_iface.c | 24 ++++++++++++++---------- src/ap/hostapd.c | 15 +++++++++------ src/ap/ieee802_11.c | 3 ++- src/ap/ieee802_1x.c | 7 ++++--- src/ap/wpa_auth.c | 11 ++++++----- src/ap/wpa_auth_ft.c | 2 +- tests/hwsim/test_ap_ciphers.py | 2 +- 7 files changed, 37 insertions(+), 27 deletions(-) diff --git a/hostapd/ctrl_iface.c b/hostapd/ctrl_iface.c index ea1e8771d..1d849c1ff 100644 --- a/hostapd/ctrl_iface.c +++ b/hostapd/ctrl_iface.c @@ -2122,7 +2122,8 @@ static int hostapd_ctrl_reset_pn(struct hostapd_data *hapd, const char *cmd) hapd->last_igtk_alg, broadcast_ether_addr, hapd->last_igtk_key_idx, 1, NULL, 0, - zero, hapd->last_igtk_len, 0) < 0) + zero, hapd->last_igtk_len, + KEY_TYPE_BROADCAST) < 0) return -1; /* Set the previously configured key to reset its TSC */ @@ -2131,7 +2132,8 @@ static int hostapd_ctrl_reset_pn(struct hostapd_data *hapd, const char *cmd) broadcast_ether_addr, hapd->last_igtk_key_idx, 1, NULL, 0, hapd->last_igtk, - hapd->last_igtk_len, 0); + hapd->last_igtk_len, + KEY_TYPE_BROADCAST); } #endif /* CONFIG_IEEE80211W */ @@ -2147,7 +2149,8 @@ static int hostapd_ctrl_reset_pn(struct hostapd_data *hapd, const char *cmd) hapd->last_gtk_alg, broadcast_ether_addr, hapd->last_gtk_key_idx, 1, NULL, 0, - zero, hapd->last_gtk_len, 0) < 0) + zero, hapd->last_gtk_len, + KEY_TYPE_BROADCAST) < 0) return -1; /* Set the previously configured key to reset its TSC */ 
@@ -2156,7 +2159,7 @@ static int hostapd_ctrl_reset_pn(struct hostapd_data *hapd, const char *cmd) broadcast_ether_addr, hapd->last_gtk_key_idx, 1, NULL, 0, hapd->last_gtk, hapd->last_gtk_len, - 0); + KEY_TYPE_BROADCAST); } sta = ap_get_sta(hapd, addr); @@ -2173,13 +2176,14 @@ static int hostapd_ctrl_reset_pn(struct hostapd_data *hapd, const char *cmd) * in the driver. */ if (hostapd_drv_set_key(hapd->conf->iface, hapd, sta->last_tk_alg, sta->addr, sta->last_tk_key_idx, 1, NULL, 0, - zero, sta->last_tk_len, 0) < 0) + zero, sta->last_tk_len, KEY_TYPE_PAIRWISE) < 0) return -1; /* Set the previously configured key to reset its TSC/RSC */ return hostapd_drv_set_key(hapd->conf->iface, hapd, sta->last_tk_alg, sta->addr, sta->last_tk_key_idx, 1, NULL, 0, - sta->last_tk, sta->last_tk_len, 0); + sta->last_tk, sta->last_tk_len, + KEY_TYPE_PAIRWISE); } @@ -2253,7 +2257,7 @@ static void restore_tk(void *ctx1, void *ctx2) * preventing encryption of a single EAPOL frame. */ hostapd_drv_set_key(hapd->conf->iface, hapd, sta->last_tk_alg, sta->addr, sta->last_tk_key_idx, 1, NULL, 0, - sta->last_tk, sta->last_tk_len, 0); + sta->last_tk, sta->last_tk_len, KEY_TYPE_PAIRWISE); } @@ -2277,7 +2281,7 @@ static int hostapd_ctrl_resend_m1(struct hostapd_data *hapd, const char *cmd) MAC2STR(sta->addr)); hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_NONE, sta->addr, sta->last_tk_key_idx, 0, NULL, 0, - NULL, 0, 0); + NULL, 0, KEY_TYPE_PAIRWISE); } wpa_printf(MSG_INFO, "TESTING: Send M1 to " MACSTR, MAC2STR(sta->addr)); @@ -2307,7 +2311,7 @@ static int hostapd_ctrl_resend_m3(struct hostapd_data *hapd, const char *cmd) MAC2STR(sta->addr)); hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_NONE, sta->addr, sta->last_tk_key_idx, 0, NULL, 0, - NULL, 0, 0); + NULL, 0, KEY_TYPE_PAIRWISE); } wpa_printf(MSG_INFO, "TESTING: Send M3 to " MACSTR, MAC2STR(sta->addr)); 
@@ -2337,7 +2341,7 @@ static int hostapd_ctrl_resend_group_m1(struct hostapd_data *hapd, MAC2STR(sta->addr)); hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_NONE, sta->addr, sta->last_tk_key_idx, 0, NULL, 0, - NULL, 0, 0); + NULL, 0, KEY_TYPE_PAIRWISE); } wpa_printf(MSG_INFO, diff --git a/src/ap/hostapd.c b/src/ap/hostapd.c index c0cf9a973..3ac84cc14 100644 --- a/src/ap/hostapd.c +++ b/src/ap/hostapd.c @@ -292,8 +292,8 @@ static void hostapd_broadcast_key_clear_iface(struct hostapd_data *hapd, if (!ifname || !hapd->drv_priv) return; for (i = 0; i < NUM_WEP_KEYS; i++) { - if (hostapd_drv_set_key(ifname, hapd, WPA_ALG_NONE, NULL, i, - 0, NULL, 0, NULL, 0, 0)) { + if (hostapd_drv_set_key(ifname, hapd, WPA_ALG_NONE, NULL, i, 0, + NULL, 0, NULL, 0, KEY_TYPE_BROADCAST)) { wpa_printf(MSG_DEBUG, "Failed to clear default " "encryption keys (ifname=%s keyidx=%d)", ifname, i); @@ -303,8 +303,8 @@ static void hostapd_broadcast_key_clear_iface(struct hostapd_data *hapd, if (hapd->conf->ieee80211w) { for (i = NUM_WEP_KEYS; i < NUM_WEP_KEYS + 2; i++) { if (hostapd_drv_set_key(ifname, hapd, WPA_ALG_NONE, - NULL, i, 0, NULL, - 0, NULL, 0, 0)) { + NULL, i, 0, NULL, 0, + NULL, 0, KEY_TYPE_BROADCAST)) { wpa_printf(MSG_DEBUG, "Failed to clear " "default mgmt encryption keys " "(ifname=%s keyidx=%d)", ifname, i); @@ -332,7 +332,7 @@ static int hostapd_broadcast_wep_set(struct hostapd_data *hapd) hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, broadcast_ether_addr, idx, 1, NULL, 0, ssid->wep.key[idx], - ssid->wep.len[idx], 0)) { + ssid->wep.len[idx], KEY_TYPE_DEFAULT)) { wpa_printf(MSG_WARNING, "Could not set WEP encryption."); errors++; } 
@@ -560,7 +560,10 @@ static int hostapd_setup_encryption(char *iface, struct hostapd_data *hapd) hostapd_drv_set_key(iface, hapd, WPA_ALG_WEP, NULL, i, i == hapd->conf->ssid.wep.idx, NULL, 0, hapd->conf->ssid.wep.key[i], - hapd->conf->ssid.wep.len[i], 0)) { + hapd->conf->ssid.wep.len[i], + i == hapd->conf->ssid.wep.idx ? + KEY_TYPE_DEFAULT : + KEY_TYPE_BROADCAST)) { wpa_printf(MSG_WARNING, "Could not set WEP " "encryption."); return -1; diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c index dfe977b75..bc2e50eeb 100644 --- a/src/ap/ieee802_11.c +++ b/src/ap/ieee802_11.c @@ -4772,7 +4772,8 @@ static void hostapd_set_wds_encryption(struct hostapd_data *hapd, hostapd_drv_set_key(ifname_wds, hapd, WPA_ALG_WEP, NULL, i, i == ssid->wep.idx, NULL, 0, ssid->wep.key[i], ssid->wep.len[i], - 0)) { + i == ssid->wep.idx ? KEY_TYPE_DEFAULT : + KEY_TYPE_BROADCAST)) { wpa_printf(MSG_WARNING, "Could not set WEP keys for WDS interface; %s", ifname_wds); diff --git a/src/ap/ieee802_1x.c b/src/ap/ieee802_1x.c index 657fe94a9..29e502e18 100644 --- a/src/ap/ieee802_1x.c +++ b/src/ap/ieee802_1x.c @@ -286,7 +286,7 @@ static void ieee802_1x_tx_key(struct hostapd_data *hapd, struct sta_info *sta) if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, sta->addr, 0, 1, NULL, 0, ikey, hapd->conf->individual_wep_key_len, - 0)) { + KEY_TYPE_DEFAULT)) { wpa_printf(MSG_ERROR, "Could not set individual WEP " "encryption."); } @@ -2171,7 +2171,8 @@ static void ieee802_1x_rekey(void *eloop_ctx, void *timeout_ctx) broadcast_ether_addr, eapol->default_wep_key_idx, 1, NULL, 0, eapol->default_wep_key, - hapd->conf->default_wep_key_len, 0)) { + hapd->conf->default_wep_key_len, + KEY_TYPE_DEFAULT)) { hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X, HOSTAPD_LEVEL_WARNING, "failed to configure a " "new broadcast key"); 
@@ -2486,7 +2487,7 @@ int ieee802_1x_init(struct hostapd_data *hapd) for (i = 0; i < 4; i++) hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_NONE, NULL, i, 0, NULL, 0, - NULL, 0, 0); + NULL, 0, KEY_TYPE_BROADCAST); ieee802_1x_rekey(hapd, NULL); diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c index 919ba1f42..ba415bd66 100644 --- a/src/ap/wpa_auth.c +++ b/src/ap/wpa_auth.c @@ -1714,7 +1714,7 @@ void wpa_remove_ptk(struct wpa_state_machine *sm) sm->PTK_valid = FALSE; os_memset(&sm->PTK, 0, sizeof(sm->PTK)); if (wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 0, NULL, - 0, 0)) + 0, KEY_TYPE_PAIRWISE)) wpa_printf(MSG_DEBUG, "RSN: PTK removal from the driver failed"); sm->pairwise_set = FALSE; @@ -2748,7 +2748,7 @@ int fils_set_tk(struct wpa_state_machine *sm) wpa_printf(MSG_DEBUG, "FILS: Configure TK to the driver"); if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0, - sm->PTK.tk, klen, 0)) { + sm->PTK.tk, klen, KEY_TYPE_PAIRWISE)) { wpa_printf(MSG_DEBUG, "FILS: Failed to set TK to the driver"); return -1; } @@ -3346,7 +3346,7 @@ SM_STATE(WPA_PTK, PTKINITDONE) enum wpa_alg alg = wpa_cipher_to_alg(sm->pairwise); int klen = wpa_cipher_key_len(sm->pairwise); if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0, - sm->PTK.tk, klen, 0)) { + sm->PTK.tk, klen, KEY_TYPE_PAIRWISE)) { wpa_sta_disconnect(sm->wpa_auth, sm->addr, WLAN_REASON_PREV_AUTH_NOT_VALID); return; @@ -3945,7 +3945,8 @@ static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth, if (wpa_auth_set_key(wpa_auth, group->vlan_id, wpa_cipher_to_alg(wpa_auth->conf.wpa_group), broadcast_ether_addr, group->GN, - group->GTK[group->GN - 1], group->GTK_len, 0) < 0) + group->GTK[group->GN - 1], group->GTK_len, + KEY_TYPE_BROADCAST) < 0) ret = -1; #ifdef CONFIG_IEEE80211W 
@@ -3960,7 +3961,7 @@ static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth, wpa_auth_set_key(wpa_auth, group->vlan_id, alg, broadcast_ether_addr, group->GN_igtk, group->IGTK[group->GN_igtk - 4], - len, 0) < 0) + len, KEY_TYPE_BROADCAST) < 0) ret = -1; } #endif /* CONFIG_IEEE80211W */ diff --git a/src/ap/wpa_auth_ft.c b/src/ap/wpa_auth_ft.c index 69ed68244..0f1a51832 100644 --- a/src/ap/wpa_auth_ft.c +++ b/src/ap/wpa_auth_ft.c @@ -2653,7 +2653,7 @@ void wpa_ft_install_ptk(struct wpa_state_machine *sm) * optimized by adding the STA entry earlier. */ if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0, - sm->PTK.tk, klen, 0)) + sm->PTK.tk, klen, KEY_TYPE_PAIRWISE)) return; /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */ diff --git a/tests/hwsim/test_ap_ciphers.py b/tests/hwsim/test_ap_ciphers.py index cd45c6fd9..a6ba27d99 100644 --- a/tests/hwsim/test_ap_ciphers.py +++ b/tests/hwsim/test_ap_ciphers.py 
@@ -862,7 +862,7 @@ def test_ap_wpa2_delayed_m1_m3_zero_tk(dev, apdev): if "OK" not in hapd.request("RESEND_M3 " + addr): raise Exception("RESEND_M3 failed") - if "OK" not in hapd.request("SET_KEY 3 %s %d %d %s %s 0" % (addr, 0, 1, 6*"00", 16*"00")): + if "OK" not in hapd.request("SET_KEY 3 %s %d %d %s %s %d" % (addr, 0, 1, 6*"00", 16*"00", 2)): raise Exception("SET_KEY failed") time.sleep(0.1) hwsim_utils.test_connectivity(dev[0], hapd, timeout=1, broadcast=False,
From patchwork Sat Aug 24 16:04:54 2019 X-Patchwork-Submitter: Alexander Wetzel X-Patchwork-Id: 1152682
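Review bot: In the ieee802_1x_tx_key hunk the individual WEP key is installed for a single station (`sta->addr`, set_tx=1) but tagged `KEY_TYPE_DEFAULT`, while every other per-station install in this patch (wpa_remove_ptk, fils_set_tk, PTKINITDONE, wpa_ft_install_ptk, and the reset_pn/restore_tk/resend paths in ctrl_iface.c) uses `KEY_TYPE_PAIRWISE`. If a per-STA WEP key is meant to be a pairwise key from the driver's point of view this should be `KEY_TYPE_PAIRWISE`; if unicast WEP is intentionally "default", a short comment at this call would save the next reader the same question.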
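Review bot: In the hostapd_setup_encryption and hostapd_set_wds_encryption hunks the new argument `i == ssid->wep.idx ? KEY_TYPE_DEFAULT : KEY_TYPE_BROADCAST` repeats the set_tx expression `i == ssid->wep.idx` passed two arguments earlier, so the two can drift apart; computing the condition once (or a small helper that maps a set_tx flag to the WEP key type) would keep set_tx and key_type in agreement, which matters while drivers may read either one.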
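Review bot: The test_ap_ciphers.py hunk passes the new key type to SET_KEY as the bare literal `2`; a named constant or a comment tying 2 to the enumerator it stands for (the TK being reset here is installed with KEY_TYPE_PAIRWISE on the hostapd side) would keep the test meaningful if the enum is ever renumbered. This is also the only test updated in the patch, so the WEP and group-key paths changed in hostapd.c, ieee802_11.c and ieee802_1x.c get no coverage from this series as far as the diff shows.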
From: Alexander Wetzel To: j@w1.fi Subject: [PATCH v4 05/16] wpa_supplicant: Set the correct key_type for key installs Date: Sat, 24 Aug 2019 18:04:54 +0200 Message-Id: <20190824160505.5548-6-alexander@wetzel-home.de> X-Mailer: git-send-email 2.23.0 In-Reply-To: <20190824160505.5548-1-alexander@wetzel-home.de> References: <20190824160505.5548-1-alexander@wetzel-home.de> MIME-Version: 1.0 X-BeenThere: hostap@lists.infradead.org Cc: Alexander
Wetzel , hostap@lists.infradead.org, luca@coelho.fi, johannes@sipsolutions.net Sender: "Hostap" Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org In addition to the set_key "boolean" this also sets the corresponding new key_type for all key installs. Till all drivers are migrated to the new key_type both variables will provide the information required to them. Signed-off-by: Alexander Wetzel --- src/rsn_supp/tdls.c | 7 ++++--- src/rsn_supp/wpa.c | 12 +++++++----- src/rsn_supp/wpa_ft.c | 11 ++++++----- wpa_supplicant/ctrl_iface.c | 25 ++++++++++++++++--------- wpa_supplicant/ibss_rsn.c | 2 +- wpa_supplicant/mesh_mpm.c | 6 +++--- wpa_supplicant/mesh_rsn.c | 5 +++-- wpa_supplicant/wpa_supplicant.c | 11 +++++++---- wpa_supplicant/wpas_glue.c | 5 +++-- 9 files changed, 50 insertions(+), 34 deletions(-) diff --git a/src/rsn_supp/tdls.c b/src/rsn_supp/tdls.c index 28048d9fc..348c491be 100644 --- a/src/rsn_supp/tdls.c +++ b/src/rsn_supp/tdls.c @@ -178,7 +178,7 @@ static u8 * wpa_add_ie(u8 *pos, const u8 *ie, size_t ie_len) static int wpa_tdls_del_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) { if (wpa_sm_set_key(sm, WPA_ALG_NONE, peer->addr, - 0, 0, NULL, 0, NULL, 0, 0) < 0) { + 0, 0, NULL, 0, NULL, 0, KEY_TYPE_PAIRWISE) < 0) { wpa_printf(MSG_WARNING, "TDLS: Failed to delete TPK-TK from " "the driver"); return -1; @@ -228,7 +228,7 @@ static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) wpa_printf(MSG_DEBUG, "TDLS: Configure pairwise key for peer " MACSTR, MAC2STR(peer->addr)); if (wpa_sm_set_key(sm, alg, peer->addr, -1, 1, rsc, sizeof(rsc), - peer->tpk.tk, key_len, 0) < 0) { + peer->tpk.tk, key_len, KEY_TYPE_PAIRWISE) < 0) { wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the " "driver"); return -1; 
@@ -2167,7 +2167,8 @@ static int wpa_tdls_enable_link(struct wpa_sm *sm, struct wpa_tdls_peer *peer) #endif /* CONFIG_TDLS_TESTING */ } - if (peer->reconfig_key && wpa_tdls_set_key(sm, peer) < 0) { + if (peer->reconfig_key && + wpa_tdls_set_key(sm, peer) < 0) { wpa_printf(MSG_INFO, "TDLS: Could not configure key to the " "driver"); return -1; diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c index d28843d9f..830c74c8f 100644 --- a/src/rsn_supp/wpa.c +++ b/src/rsn_supp/wpa.c @@ -920,7 +920,7 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm, if (sm->pairwise_cipher == WPA_CIPHER_NONE) { if (wpa_sm_set_key(sm, gd->alg, NULL, gd->keyidx, 1, key_rsc, gd->key_rsc_len, - _gtk, gd->gtk_len, 0) < 0) { + _gtk, gd->gtk_len, KEY_TYPE_BROADCAST) < 0) { wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: Failed to set GTK to the driver " "(Group only)"); @@ -929,7 +929,9 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm, } } else if (wpa_sm_set_key(sm, gd->alg, broadcast_ether_addr, gd->keyidx, gd->tx, key_rsc, gd->key_rsc_len, - _gtk, gd->gtk_len, 0) < 0) { + _gtk, gd->gtk_len, + gd->tx ? KEY_TYPE_DEFAULT : + KEY_TYPE_BROADCAST) < 0) { wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: Failed to set GTK to " "the driver (alg=%d keylen=%d keyidx=%d)", @@ -1084,7 +1086,7 @@ static int wpa_supplicant_install_igtk(struct wpa_sm *sm, if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher), broadcast_ether_addr, keyidx, 0, igtk->pn, sizeof(igtk->pn), - igtk->igtk, len, 0) < 0) { + igtk->igtk, len, KEY_TYPE_BROADCAST) < 0) { if (keyidx == 0x0400 || keyidx == 0x0500) { /* Assume the AP has broken PMF implementation since it * seems to have swapped the KeyID bytes. The AP cannot @@ -1533,7 +1535,7 @@ static void wpa_supplicant_process_3_of_4(struct wpa_sm *sm, sm->renew_snonce = 1; if (key_info & WPA_KEY_INFO_INSTALL) { - if (wpa_supplicant_install_ptk(sm, key, 0)) + if (wpa_supplicant_install_ptk(sm, key, KEY_TYPE_PAIRWISE)) goto failed; } 
@@ -4459,7 +4461,7 @@ int fils_process_assoc_resp(struct wpa_sm *sm, const u8 *resp, size_t len) wpa_hexdump_key(MSG_DEBUG, "FILS: Set TK to driver", sm->ptk.tk, keylen); if (wpa_sm_set_key(sm, alg, sm->bssid, 0, 1, null_rsc, rsclen, - sm->ptk.tk, keylen, 0) < 0) { + sm->ptk.tk, keylen, KEY_TYPE_PAIRWISE) < 0) { wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "FILS: Failed to set PTK to the driver (alg=%d keylen=%d bssid=" MACSTR ")", diff --git a/src/rsn_supp/wpa_ft.c b/src/rsn_supp/wpa_ft.c index b67874bab..3b45f669b 100644 --- a/src/rsn_supp/wpa_ft.c +++ b/src/rsn_supp/wpa_ft.c @@ -411,9 +411,8 @@ static int wpa_ft_install_ptk(struct wpa_sm *sm, const u8 *bssid) alg = wpa_cipher_to_alg(sm->pairwise_cipher); keylen = wpa_cipher_key_len(sm->pairwise_cipher); - if (wpa_sm_set_key(sm, alg, bssid, 0, 1, null_rsc, - sizeof(null_rsc), (u8 *) sm->ptk.tk, keylen, - 0) < 0) { + if (wpa_sm_set_key(sm, alg, bssid, 0, 1, null_rsc, sizeof(null_rsc), + (u8 *) sm->ptk.tk, keylen, KEY_TYPE_PAIRWISE) < 0) { wpa_printf(MSG_WARNING, "FT: Failed to set PTK to the driver"); return -1; } @@ -765,7 +764,8 @@ static int wpa_ft_process_gtk_subelem(struct wpa_sm *sm, const u8 *gtk_elem, os_memcpy(gtk + 24, tmp, 8); } if (wpa_sm_set_key(sm, alg, broadcast_ether_addr, keyidx, 0, - gtk_elem + 3, rsc_len, gtk, keylen, 0) < 0) { + gtk_elem + 3, rsc_len, gtk, keylen, + KEY_TYPE_BROADCAST) < 0) { wpa_printf(MSG_WARNING, "WPA: Failed to set GTK to the " "driver."); return -1; @@ -833,7 +833,8 @@ static int wpa_ft_process_igtk_subelem(struct wpa_sm *sm, const u8 *igtk_elem, igtk_len); if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher), broadcast_ether_addr, keyidx, 0, - igtk_elem + 2, 6, igtk, igtk_len, 0) < 0) { + igtk_elem + 2, 6, igtk, igtk_len, + KEY_TYPE_BROADCAST) < 0) { wpa_printf(MSG_WARNING, "WPA: Failed to set IGTK to the " "driver."); forced_memzero(igtk, sizeof(igtk)); diff --git a/wpa_supplicant/ctrl_iface.c b/wpa_supplicant/ctrl_iface.c index 5c7fd87c5..862f72734 100644 
--- a/wpa_supplicant/ctrl_iface.c +++ b/wpa_supplicant/ctrl_iface.c @@ -5237,17 +5237,23 @@ static void wpa_supplicant_ctrl_iface_drop_sa(struct wpa_supplicant *wpa_s) { wpa_printf(MSG_DEBUG, "Dropping SA without deauthentication"); /* MLME-DELETEKEYS.request */ - wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 0, 0, NULL, 0, NULL, 0, 0); - wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 1, 0, NULL, 0, NULL, 0, 0); - wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 2, 0, NULL, 0, NULL, 0, 0); - wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 3, 0, NULL, 0, NULL, 0, 0); + wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 0, 0, NULL, 0, NULL, + 0, KEY_TYPE_BROADCAST); + wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 1, 0, NULL, 0, NULL, + 0, KEY_TYPE_BROADCAST); + wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 2, 0, NULL, 0, NULL, + 0, KEY_TYPE_BROADCAST); + wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 3, 0, NULL, 0, NULL, + 0, KEY_TYPE_BROADCAST); #ifdef CONFIG_IEEE80211W - wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 4, 0, NULL, 0, NULL, 0, 0); - wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 5, 0, NULL, 0, NULL, 0, 0); + wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 4, 0, NULL, 0, NULL, + 0, KEY_TYPE_BROADCAST); + wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 5, 0, NULL, 0, NULL, + 0, KEY_TYPE_BROADCAST); #endif /* CONFIG_IEEE80211W */ wpa_drv_set_key(wpa_s, WPA_ALG_NONE, wpa_s->bssid, 0, 0, NULL, 0, NULL, - 0, 0); + 0, KEY_TYPE_PAIRWISE); /* MLME-SETPROTECTION.request(None) */ wpa_drv_mlme_setprotection(wpa_s, wpa_s->bssid, MLME_SETPROTECTION_PROTECT_TYPE_NONE, 
@@ -9227,13 +9233,14 @@ static int wpas_ctrl_reset_pn(struct wpa_supplicant *wpa_s) * in the driver. */ if (wpa_drv_set_key(wpa_s, wpa_s->last_tk_alg, wpa_s->last_tk_addr, wpa_s->last_tk_key_idx, 1, zero, 6, - zero, wpa_s->last_tk_len, 0) < 0) + zero, wpa_s->last_tk_len, KEY_TYPE_PAIRWISE) < 0) return -1; /* Set the previously configured key to reset its TSC/RSC */ return wpa_drv_set_key(wpa_s, wpa_s->last_tk_alg, wpa_s->last_tk_addr, wpa_s->last_tk_key_idx, 1, zero, 6, - wpa_s->last_tk, wpa_s->last_tk_len, 0); + wpa_s->last_tk, wpa_s->last_tk_len, + KEY_TYPE_PAIRWISE); } diff --git a/wpa_supplicant/ibss_rsn.c b/wpa_supplicant/ibss_rsn.c index a11ae857f..049e3f26e 100644 --- a/wpa_supplicant/ibss_rsn.c +++ b/wpa_supplicant/ibss_rsn.c @@ -852,7 +852,7 @@ static void ibss_rsn_handle_auth_1_of_2(struct ibss_rsn *ibss_rsn, wpa_printf(MSG_DEBUG, "RSN: Clear pairwise key for peer " MACSTR, MAC2STR(addr)); wpa_drv_set_key(ibss_rsn->wpa_s, WPA_ALG_NONE, addr, 0, 0, - NULL, 0, NULL, 0, 0); + NULL, 0, NULL, 0, KEY_TYPE_PAIRWISE); } if (peer && diff --git a/wpa_supplicant/mesh_mpm.c b/wpa_supplicant/mesh_mpm.c index 041c158e4..8664147ac 100644 --- a/wpa_supplicant/mesh_mpm.c +++ b/wpa_supplicant/mesh_mpm.c @@ -876,7 +876,7 @@ static void mesh_mpm_plink_estab(struct wpa_supplicant *wpa_s, wpa_hexdump_key(MSG_DEBUG, "mesh: MTK", sta->mtk, sta->mtk_len); wpa_drv_set_key(wpa_s, wpa_cipher_to_alg(conf->pairwise_cipher), sta->addr, 0, 0, seq, sizeof(seq), - sta->mtk, sta->mtk_len, 0); + sta->mtk, sta->mtk_len, KEY_TYPE_PAIRWISE); wpa_hexdump_key(MSG_DEBUG, "mesh: RX MGTK Key RSC", sta->mgtk_rsc, sizeof(sta->mgtk_rsc)); @@ -885,7 +885,7 @@ static void mesh_mpm_plink_estab(struct wpa_supplicant *wpa_s, wpa_drv_set_key(wpa_s, wpa_cipher_to_alg(conf->group_cipher), sta->addr, sta->mgtk_key_id, 0, sta->mgtk_rsc, sizeof(sta->mgtk_rsc), - sta->mgtk, sta->mgtk_len, 0); + sta->mgtk, sta->mgtk_len, KEY_TYPE_BROADCAST); if (sta->igtk_len) { wpa_hexdump_key(MSG_DEBUG, "mesh: RX IGTK Key RSC", 
@@ -897,7 +897,7 @@ static void mesh_mpm_plink_estab(struct wpa_supplicant *wpa_s, wpa_cipher_to_alg(conf->mgmt_group_cipher), sta->addr, sta->igtk_key_id, 0, sta->igtk_rsc, sizeof(sta->igtk_rsc), - sta->igtk, sta->igtk_len, 0); + sta->igtk, sta->igtk_len, KEY_TYPE_BROADCAST); } } diff --git a/wpa_supplicant/mesh_rsn.c b/wpa_supplicant/mesh_rsn.c index 67090fe56..e670e259b 100644 --- a/wpa_supplicant/mesh_rsn.c +++ b/wpa_supplicant/mesh_rsn.c @@ -200,7 +200,8 @@ static int __mesh_rsn_auth_init(struct mesh_rsn *rsn, const u8 *addr, wpa_drv_set_key(rsn->wpa_s, wpa_cipher_to_alg(rsn->mgmt_group_cipher), NULL, rsn->igtk_key_id, 1, - seq, sizeof(seq), rsn->igtk, rsn->igtk_len, 0); + seq, sizeof(seq), rsn->igtk, rsn->igtk_len, + KEY_TYPE_BROADCAST); } #endif /* CONFIG_IEEE80211W */ @@ -209,7 +210,7 @@ static int __mesh_rsn_auth_init(struct mesh_rsn *rsn, const u8 *addr, rsn->mgtk, rsn->mgtk_len); wpa_drv_set_key(rsn->wpa_s, wpa_cipher_to_alg(rsn->group_cipher), NULL, rsn->mgtk_key_id, 1, seq, sizeof(seq), - rsn->mgtk, rsn->mgtk_len, 0); + rsn->mgtk, rsn->mgtk_len, KEY_TYPE_BROADCAST); return 0; } diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c index d9d08c1e4..56bba65e8 100644 --- a/wpa_supplicant/wpa_supplicant.c +++ b/wpa_supplicant/wpa_supplicant.c @@ -142,7 +142,9 @@ int wpa_set_wep_keys(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid) set = 1; wpa_drv_set_key(wpa_s, WPA_ALG_WEP, NULL, i, i == ssid->wep_tx_keyidx, NULL, 0, - ssid->wep_key[i], ssid->wep_key_len[i], 0); + ssid->wep_key[i], ssid->wep_key_len[i], + i == ssid->wep_tx_keyidx ? KEY_TYPE_DEFAULT : + KEY_TYPE_BROADCAST); } return set; 
@@ -200,7 +202,8 @@ int wpa_supplicant_set_wpa_none_key(struct wpa_supplicant *wpa_s, /* TODO: should actually remember the previously used seq#, both for TX * and RX from each STA.. */ - ret = wpa_drv_set_key(wpa_s, alg, NULL, 0, 1, seq, 6, key, keylen, 0); + ret = wpa_drv_set_key(wpa_s, alg, NULL, 0, 1, seq, 6, key, keylen, + KEY_TYPE_BROADCAST); os_memset(key, 0, sizeof(key)); return ret; } @@ -706,12 +709,12 @@ void wpa_clear_keys(struct wpa_supplicant *wpa_s, const u8 *addr) if (wpa_s->keys_cleared & BIT(i)) continue; wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, i, 0, NULL, 0, - NULL, 0, 0); + NULL, 0, KEY_TYPE_BROADCAST); } if (!(wpa_s->keys_cleared & BIT(0)) && addr && !is_zero_ether_addr(addr)) { wpa_drv_set_key(wpa_s, WPA_ALG_NONE, addr, 0, 0, NULL, 0, NULL, - 0, 0); + 0, KEY_TYPE_PAIRWISE); /* MLME-SETPROTECTION.request(None) */ wpa_drv_mlme_setprotection( wpa_s, addr, diff --git a/wpa_supplicant/wpas_glue.c b/wpa_supplicant/wpas_glue.c index e4978e0ac..8aa555a1d 100644 --- a/wpa_supplicant/wpas_glue.c +++ b/wpa_supplicant/wpas_glue.c @@ -242,7 +242,8 @@ static int wpa_eapol_set_wep_key(void *ctx, int unicast, int keyidx, } return wpa_drv_set_key(wpa_s, WPA_ALG_WEP, unicast ? wpa_s->bssid : NULL, - keyidx, unicast, NULL, 0, key, keylen, 0); + keyidx, unicast, NULL, 0, key, keylen, + unicast ? KEY_TYPE_DEFAULT : KEY_TYPE_BROADCAST); } 
@@ -341,7 +342,7 @@ static void wpa_supplicant_eapol_cb(struct eapol_sm *eapol, "handshake", pmk, pmk_len); if (wpa_drv_set_key(wpa_s, WPA_ALG_PMK, NULL, 0, 0, NULL, 0, pmk, - pmk_len, 0)) { + pmk_len, KEY_TYPE_BROADCAST)) { wpa_printf(MSG_DEBUG, "Failed to set PMK to the driver"); }
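Review bot: in the wpa_supplicant_eapol_cb hunk in wpas_glue.c, the PMK is handed to the driver with KEY_TYPE_BROADCAST, but a PMK is neither a group key nor a default key; the value is acting as a "not pairwise" placeholder here. That matters because a non-WEP key with a NULL address and a non-pairwise key_type is exactly the combination the nl80211 rewrite later in this series uses to decide that a default-key follow-up is required. A comment at this call site, or a neutral key_type value for WPA_ALG_PMK, would make the intent explicit and keep drivers from treating the PMK like a GTK.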
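Review bot: in the wpa_eapol_set_wep_key hunk in wpas_glue.c, the unicast case now passes KEY_TYPE_DEFAULT together with a non-broadcast address (wpa_s->bssid), while every other KEY_TYPE_DEFAULT in this patch (the wpa_set_wep_keys hunk) goes with a NULL address. Drivers that key their default-key handling on the address being zero or broadcast will see this combination only for 802.1X dynamic WEP; please document in the key_type enum (or the set_key driver-op comment) that KEY_TYPE_DEFAULT may arrive with a unicast address for the 802.1X unicast WEP key, so that driver authors do not treat it as an error.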
From: Alexander Wetzel
To: j@w1.fi
Cc: Alexander Wetzel, hostap@lists.infradead.org, luca@coelho.fi, johannes@sipsolutions.net
Subject: [PATCH v4 06/16] drivers: Migrate drivers from set_tx to key_type API
Date: Sat, 24 Aug 2019 18:04:55 +0200
Message-Id: <20190824160505.5548-7-alexander@wetzel-home.de>
In-Reply-To: <20190824160505.5548-1-alexander@wetzel-home.de>
References: <20190824160505.5548-1-alexander@wetzel-home.de>

Migrate all drivers except nl80211 from set_tx to key_type. This patch assumes that the drivers only used set_tx for default keys as it was (probably) intended to be used and are not relying on the quirks set_tx really has. The new KEY_TYPE_DEFAULT is only set for WEP default keys and when an AP is not using pairwise keys, handling all traffic only via a group key.
Signed-off-by: Alexander Wetzel
---
This is in my opinion the most risky part of retiring the set_tx API. I have zero knowledge about those drivers, and the new key_type API is quite often using KEY_TYPE_BROADCAST where set_tx was set to 1. While the changes are logical, I would not be surprised if this patch caused one or another issue when using WEP or the default key.

Now I really would like to clean up set_tx and fully switch to the new key_flag to not clutter the API. The way the patches are structured, we could also keep set_tx around and only migrate nl80211 to the new API. But this would be quite confusing, and sooner or later someone will mix up the two APIs again, making it even worse to fix next time.

As a side note: I first "extended" the existing set_tx int, which is only used as a boolean, as a bit field to carry the additional information in other bits. But the sometimes incomprehensible usage of set_tx and the investigation of how it should be done instead expanded the scope drastically. I believe now that migrating away from set_tx via multiple small patches is simpler to follow and review. For the older approach see https://patchwork.ozlabs.org/project/hostap/list/?series=75270.

src/drivers/driver_atheros.c | 6 +++--- src/drivers/driver_bsd.c | 8 ++++---- src/drivers/driver_hostap.c | 3 ++- src/drivers/driver_ndis.c | 10 ++++++---- src/drivers/driver_nl80211.c | 5 ++++- src/drivers/driver_privsep.c | 6 +++--- src/drivers/driver_wext.c | 11 +++++++---- 7 files changed, 29 insertions(+), 20 deletions(-) diff --git a/src/drivers/driver_atheros.c b/src/drivers/driver_atheros.c index 08095865a..0c87da6d0 100644 --- a/src/drivers/driver_atheros.c +++ b/src/drivers/driver_atheros.c
@@ -569,7 +569,7 @@ atheros_set_key(const char *ifname, void *priv, enum wpa_alg alg, if (addr == NULL || is_broadcast_ether_addr(addr)) { os_memset(wk.ik_macaddr, 0xff, IEEE80211_ADDR_LEN); wk.ik_keyix = key_idx; - if (set_tx) + if (key_type == KEY_TYPE_DEFAULT) wk.ik_flags |= IEEE80211_KEY_DEFAULT; } else { os_memcpy(wk.ik_macaddr, addr, IEEE80211_ADDR_LEN); @@ -581,9 +581,9 @@ atheros_set_key(const char *ifname, void *priv, enum wpa_alg alg, ret = set80211priv(drv, IEEE80211_IOCTL_SETKEY, &wk, sizeof(wk)); if (ret < 0) { wpa_printf(MSG_DEBUG, "%s: Failed to set key (addr %s" - " key_idx %d alg %d key_len %lu set_tx %d)", + " key_idx %d alg %d key_len %lu key_type %d)", __func__, ether_sprintf(wk.ik_macaddr), key_idx, - alg, (unsigned long) key_len, set_tx); + alg, (unsigned long) key_len, key_type); } return ret; diff --git a/src/drivers/driver_bsd.c b/src/drivers/driver_bsd.c index c53155be0..89e4508e7 100644 --- a/src/drivers/driver_bsd.c +++ b/src/drivers/driver_bsd.c @@ -341,9 +341,9 @@ bsd_set_key(const char *ifname, void *priv, enum wpa_alg alg, struct bsd_driver_data *drv = priv; #endif /* IEEE80211_KEY_NOREPLAY */ - wpa_printf(MSG_DEBUG, "%s: alg=%d addr=%p key_idx=%d set_tx=%d " + wpa_printf(MSG_DEBUG, "%s: alg=%d addr=%p key_idx=%d key_type=%d " "seq_len=%zu key_len=%zu", __func__, alg, addr, key_idx, - set_tx, seq_len, key_len); + key_type, seq_len, key_len); if (alg == WPA_ALG_NONE) { #ifndef HOSTAPD @@ -371,7 +371,7 @@ bsd_set_key(const char *ifname, void *priv, enum wpa_alg alg, } wk.ik_flags = IEEE80211_KEY_RECV; - if (set_tx) + if (key_type == KEY_TYPE_DEFAULT) wk.ik_flags |= IEEE80211_KEY_XMIT; if (addr == NULL) { @@ -392,7 +392,7 @@ bsd_set_key(const char *ifname, void *priv, enum wpa_alg alg, key_idx; } } - if (wk.ik_keyix != IEEE80211_KEYIX_NONE && set_tx) + if (wk.ik_keyix != IEEE80211_KEYIX_NONE && key_type == KEY_TYPE_DEFAULT) wk.ik_flags |= IEEE80211_KEY_DEFAULT; #ifndef HOSTAPD #ifdef IEEE80211_KEY_NOREPLAY 
diff --git a/src/drivers/driver_hostap.c b/src/drivers/driver_hostap.c index bf22858fb..454388fe7 100644 --- a/src/drivers/driver_hostap.c +++ b/src/drivers/driver_hostap.c @@ -440,7 +440,8 @@ static int wpa_driver_hostap_set_key(const char *ifname, void *priv, os_free(buf); return -1; } - param->u.crypt.flags = set_tx ? HOSTAP_CRYPT_FLAG_SET_TX_KEY : 0; + param->u.crypt.flags = key_type == KEY_TYPE_DEFAULT ? + HOSTAP_CRYPT_FLAG_SET_TX_KEY : 0; param->u.crypt.idx = key_idx; param->u.crypt.key_len = key_len; memcpy((u8 *) (param + 1), key, key_len); diff --git a/src/drivers/driver_ndis.c b/src/drivers/driver_ndis.c index 649bc01ea..2963e1f51 100644 --- a/src/drivers/driver_ndis.c +++ b/src/drivers/driver_ndis.c @@ -945,7 +945,7 @@ static int wpa_driver_ndis_add_wep(struct wpa_driver_ndis_data *drv, return -1; wep->Length = len; wep->KeyIndex = key_idx; - if (set_tx) + if (key_type == KEY_TYPE_DEFAULT) wep->KeyIndex |= 1 << 31; #if 0 /* Setting bit30 does not seem to work with some NDIS drivers */ if (pairwise) @@ -1006,7 +1006,7 @@ static int wpa_driver_ndis_set_key(const char *ifname, void *priv, nkey->Length = len; nkey->KeyIndex = key_idx; - if (set_tx) + if (key_type == KEY_TYPE_DEFAULT) nkey->KeyIndex |= 1 << 31; if (pairwise) nkey->KeyIndex |= 1 << 30; @@ -1077,7 +1077,8 @@ wpa_driver_ndis_associate(void *priv, bcast, i, i == params->wep_tx_keyidx, NULL, 0, params->wep_key[i], - params->wep_key_len[i], 0); + params->wep_key_len[i], + KEY_TYPE_BROADCAST); } } @@ -1114,7 +1115,8 @@ wpa_driver_ndis_associate(void *priv, wpa_driver_ndis_set_key(drv->ifname, drv, WPA_ALG_WEP, bcast, 0, 1, NULL, 0, dummy_key, - sizeof(dummy_key), 0); + sizeof(dummy_key), + KEY_TYPE_BROADCAST); } #endif /* CONFIG_WPS */ } else { diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c index 97c655521..290da9d5e 100644 --- a/src/drivers/driver_nl80211.c +++ b/src/drivers/driver_nl80211.c 
@@ -3484,7 +3484,10 @@ retry: NULL, i, i == params->wep_tx_keyidx, NULL, 0, params->wep_key[i], - params->wep_key_len[i], 0); + params->wep_key_len[i], + i == params->wep_tx_keyidx ? + KEY_TYPE_DEFAULT : + KEY_TYPE_BROADCAST); if (params->wep_tx_keyidx != i) continue; if (nl_add_key(msg, WPA_ALG_WEP, i, 1, NULL, 0, diff --git a/src/drivers/driver_privsep.c b/src/drivers/driver_privsep.c index e3375cd90..b3d2ddae0 100644 --- a/src/drivers/driver_privsep.c +++ b/src/drivers/driver_privsep.c @@ -215,8 +215,8 @@ static int wpa_driver_privsep_set_key(const char *ifname, void *priv, struct wpa_driver_privsep_data *drv = priv; struct privsep_cmd_set_key cmd; - wpa_printf(MSG_DEBUG, "%s: priv=%p alg=%d key_idx=%d set_tx=%d", - __func__, priv, alg, key_idx, set_tx); + wpa_printf(MSG_DEBUG, "%s: priv=%p alg=%d key_idx=%d key_type=%d", + __func__, priv, alg, key_idx, key_type); os_memset(&cmd, 0, sizeof(cmd)); cmd.alg = alg; @@ -225,7 +225,7 @@ static int wpa_driver_privsep_set_key(const char *ifname, void *priv, else os_memset(cmd.addr, 0xff, ETH_ALEN); cmd.key_idx = key_idx; - cmd.set_tx = set_tx; + cmd.set_tx = key_type == KEY_TYPE_DEFAULT; if (seq && seq_len > 0 && seq_len < sizeof(cmd.seq)) { os_memcpy(cmd.seq, seq, seq_len); cmd.seq_len = seq_len; diff --git a/src/drivers/driver_wext.c b/src/drivers/driver_wext.c index ea5d667ed..52e8e8d49 100644 --- a/src/drivers/driver_wext.c +++ b/src/drivers/driver_wext.c @@ -1740,7 +1740,7 @@ static int wpa_driver_wext_set_key_ext(void *priv, enum wpa_alg alg, if (addr == NULL || is_broadcast_ether_addr(addr)) ext->ext_flags |= IW_ENCODE_EXT_GROUP_KEY; - if (set_tx) + if (key_type == KEY_TYPE_DEFAULT) ext->ext_flags |= IW_ENCODE_EXT_SET_TX_KEY; ext->addr.sa_family = ARPHRD_ETHER; 
@@ -1824,6 +1824,9 @@ static int wpa_driver_wext_set_key_ext(void *priv, enum wpa_alg alg, * 8-byte Rx Mic Key * @key_len: Length of the key buffer in octets (WEP: 5 or 13, * TKIP: 32, CCMP: 16) + * @key_type: Additional key information. Only KEY_TYPE_DEFAULT is used + * when the driver does not support separate unicast/individual key + * to set the key as the default Tx key * Returns: 0 on success, -1 on failure * * This function uses SIOCSIWENCODEEXT by default, but tries to use @@ -1839,9 +1842,9 @@ int wpa_driver_wext_set_key(const char *ifname, void *priv, enum wpa_alg alg, struct iwreq iwr; int ret = 0; - wpa_printf(MSG_DEBUG, "%s: alg=%d key_idx=%d set_tx=%d seq_len=%lu " + wpa_printf(MSG_DEBUG, "%s: alg=%d key_idx=%d key_type=%d seq_len=%lu " "key_len=%lu", - __FUNCTION__, alg, key_idx, set_tx, + __FUNCTION__, alg, key_idx, key_type, (unsigned long) seq_len, (unsigned long) key_len); ret = wpa_driver_wext_set_key_ext(drv, alg, addr, key_idx, set_tx, 
@@ -1875,7 +1878,7 @@ int wpa_driver_wext_set_key(const char *ifname, void *priv, enum wpa_alg alg, ret = -1; } - if (set_tx && alg != WPA_ALG_NONE) { + if (key_type == KEY_TYPE_DEFAULT && alg != WPA_ALG_NONE) { os_memset(&iwr, 0, sizeof(iwr)); os_strlcpy(iwr.ifr_name, drv->ifname, IFNAMSIZ); iwr.u.encoding.flags = key_idx + 1;
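Review bot: the two wpa_driver_ndis_associate hunks in driver_ndis.c pass KEY_TYPE_BROADCAST for every WEP key, including the one selected by i == params->wep_tx_keyidx (set_tx = 1) and the WPS dummy key that is also installed with set_tx = 1, yet the same patch changes wpa_driver_ndis_add_wep and wpa_driver_ndis_set_key to set the transmit bit (`KeyIndex |= 1 << 31`) only when key_type == KEY_TYPE_DEFAULT. After this patch no NDIS WEP key is ever marked as the TX key. Mirror the driver_nl80211.c hunk in this same patch: `i == params->wep_tx_keyidx ? KEY_TYPE_DEFAULT : KEY_TYPE_BROADCAST` in the loop, and KEY_TYPE_DEFAULT for the dummy key.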
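Review bot: in the wpa_driver_wext_set_key hunk at line 1842 of driver_wext.c, the trailing context line still reads `ret = wpa_driver_wext_set_key_ext(drv, alg, addr, key_idx, set_tx,` while wpa_driver_wext_set_key_ext itself now decides IW_ENCODE_EXT_SET_TX_KEY from key_type == KEY_TYPE_DEFAULT; the rest of that call is outside the hunk, so please confirm key_type is forwarded there as well. The new @key_type doc line in the same file is also hard to parse; something like "Only KEY_TYPE_DEFAULT is evaluated: it marks the key as the default TX key for drivers without separate unicast/individual keys" would read more clearly.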
From: Alexander Wetzel
To: j@w1.fi
Cc: Alexander Wetzel, hostap@lists.infradead.org, luca@coelho.fi, johannes@sipsolutions.net
Subject: [PATCH v4 07/16] nl80211: Switch to the new key_type API & cleanup
Date: Sat, 24 Aug 2019 18:04:56 +0200
Message-Id: <20190824160505.5548-8-alexander@wetzel-home.de>
In-Reply-To: <20190824160505.5548-1-alexander@wetzel-home.de>
References: <20190824160505.5548-1-alexander@wetzel-home.de>

Installing WEP and broadcast keys requires an additional netlink call (NL80211_CMD_SET_KEY) after the key has been installed. wpa_driver_nl80211_set_key() had an overly complex and not always correct method to detect that, heavily depending on set_tx. But nl80211 can deduce the need to call NL80211_CMD_SET_KEY without referring to the unpredictable set "boolean" set_tx. Therefore stop using set_tx and throw out workarounds linked to it. This also stops pointless NL80211_CMD_SET_KEY calls when installing unicast keys in wpa_supplicant.

Signed-off-by: Alexander Wetzel
---
This simply is too big to put into the generic patch migrating the drivers to key_type. Nl80211 is the driver supporting the most features and also using the strangest hacks...

This patch is not only migrating to key_type, it's a general overhaul of the key install logic. The new logic works fine for all test cases and to my understanding all dropped code pieces could not have had any function. (Verified against the kernel code.)

src/drivers/driver_nl80211.c | 56 +++++++++++++++--------------------- 1 file changed, 23 insertions(+), 33 deletions(-) diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c index 290da9d5e..1e4ef80bc 100644 --- a/src/drivers/driver_nl80211.c +++ b/src/drivers/driver_nl80211.c @@ -3018,8 +3018,9 @@ static int wpa_driver_nl80211_set_key(const char *ifname, struct i802_bss *bss, int ifindex; struct nl_msg *msg; struct nl_msg *key_msg; + struct nlattr *types; + int need_set_key = 0; int ret; - int tdls = 0; /* Ignore for P2P Device */ if (drv->nlmode == NL80211_IFTYPE_P2P_DEVICE)
@@ -3027,13 +3028,12 @@ static int wpa_driver_nl80211_set_key(const char *ifname, struct i802_bss *bss, ifindex = if_nametoindex(ifname); wpa_printf(MSG_DEBUG, "%s: ifindex=%d (%s) alg=%d addr=%p key_idx=%d " - "set_tx=%d seq_len=%lu key_len=%lu", + "set_tx=%d seq_len=%lu key_len=%lu key_type=%d", __func__, ifindex, ifname, alg, addr, key_idx, set_tx, - (unsigned long) seq_len, (unsigned long) key_len); + (unsigned long) seq_len, (unsigned long) key_len, key_type); #ifdef CONFIG_TDLS if (key_idx == -1) { key_idx = 0; - tdls = 1; } #endif /* CONFIG_TDLS */ @@ -3085,22 +3085,18 @@ static int wpa_driver_nl80211_set_key(const char *ifname, struct i802_bss *bss, if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) goto fail; - if (alg != WPA_ALG_WEP && key_idx && !set_tx) { + if (alg != WPA_ALG_WEP && key_type != KEY_TYPE_PAIRWISE) { wpa_printf(MSG_DEBUG, " RSN IBSS RX GTK"); if (nla_put_u32(key_msg, NL80211_KEY_TYPE, NL80211_KEYTYPE_GROUP)) goto fail; } - } else if (addr && is_broadcast_ether_addr(addr)) { - struct nlattr *types; - - wpa_printf(MSG_DEBUG, " broadcast key"); - - types = nla_nest_start(key_msg, NL80211_KEY_DEFAULT_TYPES); - if (!types || - nla_put_flag(key_msg, NL80211_KEY_DEFAULT_TYPE_MULTICAST)) - goto fail; - nla_nest_end(key_msg, types); + } else if (alg != WPA_ALG_NONE) { + /* Default (WEP, GTK or IGTK) key */ + if (alg != WPA_ALG_WEP || key_type == KEY_TYPE_DEFAULT) { + wpa_printf(MSG_DEBUG, " require SET_KEY"); + need_set_key = 1; + } } if (nla_put_u8(key_msg, NL80211_KEY_IDX, key_idx) || nla_put_nested(msg, NL80211_ATTR_KEY, key_msg)) 
@@ -3114,13 +3110,10 @@ static int wpa_driver_nl80211_set_key(const char *ifname, struct i802_bss *bss, ret, strerror(-ret)); /* - * If we failed or don't need to set the default TX key (below), + * If we failed or don't need to set the key as default (below), * we're done here. */ - if (ret || !set_tx || alg == WPA_ALG_NONE || tdls) - return ret; - if (is_ap_interface(drv->nlmode) && addr && - !is_broadcast_ether_addr(addr)) + if (ret || !need_set_key) return ret; key_msg = nlmsg_alloc(); 
@@ -3140,29 +3133,26 @@ static int wpa_driver_nl80211_set_key(const char *ifname, struct i802_bss *bss, NL80211_KEY_DEFAULT)) goto fail; if (addr && is_broadcast_ether_addr(addr)) { - struct nlattr *types; - + wpa_printf(MSG_DEBUG, " broadcast key"); types = nla_nest_start(key_msg, NL80211_KEY_DEFAULT_TYPES); if (!types || nla_put_flag(key_msg, NL80211_KEY_DEFAULT_TYPE_MULTICAST)) goto fail; nla_nest_end(key_msg, types); - } else if (addr) { - struct nlattr *types; - - types = nla_nest_start(key_msg, NL80211_KEY_DEFAULT_TYPES); - if (!types || - nla_put_flag(key_msg, NL80211_KEY_DEFAULT_TYPE_UNICAST)) - goto fail; - nla_nest_end(key_msg, types); + } else if (!addr) { + wpa_printf(MSG_DEBUG, " WEP key"); + } else { + /* need_set_key must only be set for + * zero or broadcast addresses + */ + wpa_printf(MSG_ERROR, + "Unicast key when not expecting one, abort!"); + goto fail; } if (nla_put_nested(msg, NL80211_ATTR_KEY, key_msg)) goto fail; - ret = send_and_recv_msgs(drv, msg, NULL, NULL); - if (ret == -ENOENT) - ret = 0; if (ret) wpa_printf(MSG_DEBUG, "nl80211: set_key default failed; " "err=%d %s)", ret, strerror(-ret));
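Review bot: in the last hunk (@@ -3140,29 +3133,26 @@), `ret = send_and_recv_msgs(drv, msg, NULL, NULL);` is deleted together with the -ENOENT special case and nothing in the hunk sends the message afterwards. Because the function already returned on a non-zero ret right after the NEW_KEY call (`if (ret || !need_set_key) return ret;` in the previous hunk), ret is known to be 0 here, the following `if (ret)` can never fire, and the NL80211_CMD_SET_KEY request built above is never transmitted. Keep the send and drop only `if (ret == -ENOENT) ret = 0;` if removing the error masking was the intent.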
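Review bot: in the @@ -3085 hunk, need_set_key is now set for every non-WEP key without a unicast address (`alg != WPA_ALG_WEP || key_type == KEY_TYPE_DEFAULT`), whereas the check removed in the next hunk, `if (ret || !set_tx || alg == WPA_ALG_NONE || tdls)`, skipped the default-key step whenever set_tx was 0. Any group key that used to be installed with set_tx = 0 therefore gains a NL80211_CMD_SET_KEY call; the commit message only mentions fewer calls for unicast keys, so please state this extra behaviour (and why it is harmless on the kernel side) explicitly.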
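Review bot: in the @@ -3027 hunk, removing only `tdls = 1;` leaves `if (key_idx == -1) { key_idx = 0; }` as a braced single statement, which hostap style avoids; since the following patch deletes the whole block anyway, either move that deletion into this patch or drop the braces in this intermediate step so each commit builds cleanly styled.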
secure) header.d=wetzel-home.de header.i=@wetzel-home.de header.b="heEMnhJi"; dkim-atps=neutral Received: from bombadil.infradead.org (bombadil.infradead.org [IPv6:2607:7c80:54:e::133]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 46G38P6FgFz9s3Z for ; Sun, 25 Aug 2019 02:08:05 +1000 (AEST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20170209; h=Sender: Content-Transfer-Encoding:Content-Type:Cc:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To: Message-Id:Date:Subject:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=YWAJW18NdE36DIxt6bcow7LRpfbA2S7L8q6kePIijkM=; b=U1pqmpKiJPbsxx cTIV3DCgo9Ey/tDr0oXfTYYpfMWmE1aef9y9mL8IFTk5l5A8JHnM+mU88AUz7kbhLM70+MUaTMwxw kqrfc8fI6NgBXu7WIziRNH8OKenkhVlxQEX7W7ycOD4cb8nAi8WjdpaPoEuK5pJ+lVKWeKps2O5Ti 4nBPTZTTdlxyG3yIjeHs0KWpfM/moqt7jf4y6K5PbD73MiUPDdFyKPtsJj84I056P+oB1x5sEAtdn x47Knml+J95KoB4N1hTvznZOqX7ucB2F/RkS++62YVjGMAk3FfWj22UHzs2JpRYiSBuDtHHdNT703 MxPTuCTi9+lMnSiwV3FQ==; Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.92 #3 (Red Hat Linux)) id 1i1YaA-0007Ea-3b; Sat, 24 Aug 2019 16:08:02 +0000 Received: from 8.mo3.mail-out.ovh.net ([87.98.172.249]) by bombadil.infradead.org with esmtps (Exim 4.92 #3 (Red Hat Linux)) id 1i1YY4-0005JZ-Ce for hostap@lists.infradead.org; Sat, 24 Aug 2019 16:05:57 +0000 Received: from player798.ha.ovh.net (unknown [10.109.160.217]) by mo3.mail-out.ovh.net (Postfix) with ESMTP id 3E932223764 for ; Sat, 24 Aug 2019 18:05:40 +0200 (CEST) Received: from awhome.eu (p57B7E04C.dip0.t-ipconnect.de [87.183.224.76]) (Authenticated sender: postmaster@awhome.eu) by 
player798.ha.ovh.net (Postfix) with ESMTPSA id 79D6092B81CE; Sat, 24 Aug 2019 16:05:36 +0000 (UTC) 
From: Alexander Wetzel DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=wetzel-home.de; s=wetzel-home; t=1566662730; bh=BMM1KW4Vporf+RUU+OvYAdQcRH/2cN9APmTfpS9uDR8=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=heEMnhJihqZlEbdnp3iAzCT0z/yUog3YuvOYDg67gPhlwXJdfZSNhDUks8MnXuCSB NBEPgHW9/tDB9jQTJKJWFagQB7dn4ttmp/q7s+5vzqYlvYkq9Fnf+2jZP+SLmS1Fyz +0fd8JYFetLJxaR7LQkMdJmjPgCTYP2WCuGt4LFI= To: j@w1.fi Subject: [PATCH v4 08/16] nl80211,wpa_supplicant: Drop outdated tdls hack Date: Sat, 24 Aug 2019 18:04:57 +0200 Message-Id: <20190824160505.5548-9-alexander@wetzel-home.de> X-Mailer: git-send-email 2.23.0 In-Reply-To: <20190824160505.5548-1-alexander@wetzel-home.de> References: <20190824160505.5548-1-alexander@wetzel-home.de> MIME-Version: 1.0 X-Ovh-Tracer-Id: 6941172927263874300 X-VR-SPAMSTATE: OK X-VR-SPAMSCORE: 0 X-VR-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgeduvddrudehtddguddttdcutefuodetggdotefrodftvfcurfhrohhfihhlvgemucfqggfjpdevjffgvefmvefgnecuuegrihhlohhuthemucehtddtnecu X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20190824_090552_756981_75142676 X-CRM114-Status: GOOD ( 12.15 ) X-Spam-Score: -0.2 (/) X-Spam-Report: SpamAssassin version 3.4.2 on bombadil.infradead.org summary: Content analysis details: (-0.2 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [87.98.172.249 listed in list.dnswl.org] 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.0 SPF_PASS SPF: sender matches SPF record 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature X-BeenThere: hostap@lists.infradead.org X-Mailman-Version: 
Cc: Alexander Wetzel, hostap@lists.infradead.org, luca@coelho.fi, johannes@sipsolutions.net

wpa_tdls_set_key() did set key_id to -1 as a signal to handle the key install a bit differently than for other pairwise keys. Since we cleaned up the key install logic with a previous patch this is no longer needed and can be removed.

Signed-off-by: Alexander Wetzel
---
The workaround cleaned up here is not limited to nl80211, so I put it into a separate patch. It just finalizes the nl80211 driver key install cleanup without breaking anything between the patches.

 src/drivers/driver_nl80211.c | 6 ------
 src/rsn_supp/tdls.c | 2 +-
 2 files changed, 1 insertion(+), 7 deletions(-)

diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c index 1e4ef80bc..a2f039b3e 100644 --- a/src/drivers/driver_nl80211.c +++ b/src/drivers/driver_nl80211.c @@ -3031,12 +3031,6 @@ static int wpa_driver_nl80211_set_key(const char *ifname, struct i802_bss *bss, "set_tx=%d seq_len=%lu key_len=%lu key_type=%d", __func__, ifindex, ifname, alg, addr, key_idx, set_tx, (unsigned long) seq_len, (unsigned long) key_len, key_type); -#ifdef CONFIG_TDLS - if (key_idx == -1) { - key_idx = 0; - } -#endif /* CONFIG_TDLS */ - #ifdef CONFIG_DRIVER_NL80211_QCA if (alg == WPA_ALG_PMK && (drv->capa.flags & WPA_DRIVER_FLAGS_KEY_MGMT_OFFLOAD)) { diff --git a/src/rsn_supp/tdls.c b/src/rsn_supp/tdls.c index 348c491be..01d339290 100644 --- a/src/rsn_supp/tdls.c +++ b/src/rsn_supp/tdls.c
@@ -227,7 +227,7 @@ static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) wpa_printf(MSG_DEBUG, "TDLS: Configure pairwise key for peer " MACSTR, MAC2STR(peer->addr)); - if (wpa_sm_set_key(sm, alg, peer->addr, -1, 1, rsc, sizeof(rsc), + if (wpa_sm_set_key(sm, alg, peer->addr, 0, 1, rsc, sizeof(rsc), peer->tpk.tk, key_len, KEY_TYPE_PAIRWISE) < 0) { wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the " "driver");
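Review bot: dropping the `if (key_idx == -1) { key_idx = 0; }` translation in wpa_driver_nl80211_set_key() means any remaining caller that still passes -1 now hands an invalid index straight to the driver, and this patch only changes the one caller in tdls.c; the commit message should state that no other wpa_sm_set_key() caller uses -1 after the earlier cleanup it refers to, naming that patch so the series stays bisectable. The tdls.c change itself (index 0, set_tx=1) is exactly what the removed hack substituted under CONFIG_TDLS, so behaviour on nl80211 is unchanged.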
From: Alexander Wetzel
To: j@w1.fi
Subject: [PATCH v4 09/16] hostapd: Add support for Extended Key ID
Date: Sat, 24 Aug 2019 18:04:58 +0200
Message-Id: <20190824160505.5548-10-alexander@wetzel-home.de>
In-Reply-To: <20190824160505.5548-1-alexander@wetzel-home.de>
References: <20190824160505.5548-1-alexander@wetzel-home.de>
Cc: Alexander Wetzel, hostap@lists.infradead.org, luca@coelho.fi, johannes@sipsolutions.net

Add support for Extended Key ID in hostapd based on IEEE 802.11 - 2016. Extended Key ID allows rekeying PTK keys without the otherwise unavoidable MPDU losses on a busy link. The standard is fully backward compatible, allowing an AP to serve STAs with and without support for it.
Signed-off-by: Alexander Wetzel
---
This is now finally starting the real work on the Extended Key ID support. Most is directly based on IEEE 802.11 - 2016 or an obvious consequence. But the sanity checks for Extended Key ID and how we handle FT with it are not.

An Extended Key ID capable AP will have two different keys using keyid 1: The "usual" broadcast key and a second unicast key. (We already had a quick mail exchange about that, see https://marc.info/?l=linux-wireless&m=154427921122092&w=2) It's fully backward compatible and can serve clients supporting Extended Key ID and not at the same time.

I can't find any reference for how we should handle FT combined with Extended Key ID. While our beacons announce Extended Key ID support a "normal" FT handshake never has a 4-way EAPOL handshake and thus there is no documented way to hand over the KeyID. We could of course then just agree to use the keyid 0 and to really start to use Extended Key ID with the first rekey. But I prefer to just also hand over the KeyID in addition to the GTK Key ID: This allows us to also use the keyid 1 with the initial key and open the door to verify if a remote STA is indeed able to use Extended Key ID and either fail at the initial connect or even fall back when not. (More about that in the last patch of the series.)

 hostapd/config_file.c | 2 ++
 hostapd/hostapd.conf | 10 ++++++
 src/ap/ap_config.c | 1 +
 src/ap/ap_config.h | 1 +
 src/ap/hs20.c | 2 ++
 src/ap/wpa_auth.c | 71 ++++++++++++++++++++++++++++++++++++-----
 src/ap/wpa_auth.h | 1 +
 src/ap/wpa_auth_ft.c | 6 +++-
 src/ap/wpa_auth_glue.c | 32 ++++++++++++++++++-
 src/ap/wpa_auth_i.h | 3 ++
 src/ap/wpa_auth_ie.c | 42 +++++++++++++++++++++++-
 src/common/wpa_common.c | 1 +
 src/common/wpa_common.h | 1 +
 13 files changed, 162 insertions(+), 11 deletions(-)

diff --git a/hostapd/config_file.c b/hostapd/config_file.c index 1ef7d57cc..451b11d2c 100644 --- a/hostapd/config_file.c +++ b/hostapd/config_file.c
@@ -2872,6 +2872,8 @@ static int hostapd_config_fill(struct hostapd_config *conf, } } else if (os_strcmp(buf, "wpa") == 0) { bss->wpa = atoi(pos); + } else if (os_strcmp(buf, "wpa_extended_key_id") == 0) { + bss->wpa_extended_key_id = atoi(pos); } else if (os_strcmp(buf, "wpa_group_rekey") == 0) { bss->wpa_group_rekey = atoi(pos); bss->wpa_group_rekey_set = 1; diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf index f36e1fa3a..47ad9d12c 100644 --- a/hostapd/hostapd.conf +++ b/hostapd/hostapd.conf @@ -1471,6 +1471,16 @@ own_ip_addr=127.0.0.1 # wpa_key_mgmt=SAE for WPA3-Personal instead of wpa_key_mgmt=WPA-PSK). #wpa=2 +# Extended Key ID support based on IEEE 802.11-2016 +# +# Extended Key ID allows to rekey the PTK key without impact for ongoing +# transmissions +# When enabled and supported by the driver the AP will offer and support it for +# stations. (The setting is only relevant with wpa=2) +# 0 = force off +# 1 = enable Extended Key ID support when driver supports it (Default) +#wpa_extended_key_id=1 + # WPA pre-shared keys for WPA-PSK. This can be either entered as a 256-bit # secret in hex format (64 hex digits), wpa_psk, or as an ASCII passphrase # (8..63 characters) that will be converted to PSK. This conversion uses SSID diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c index 90348e1dd..b6d6b3f8e 100644 --- a/src/ap/ap_config.c +++ b/src/ap/ap_config.c @@ -61,6 +61,7 @@ void hostapd_config_defaults_bss(struct hostapd_bss_config *bss) bss->broadcast_key_idx_max = 2; bss->eap_reauth_period = 3600; + bss->wpa_extended_key_id = 1; bss->wpa_group_rekey = 600; bss->wpa_gmk_rekey = 86400; bss->wpa_group_update_count = 4; diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h index daf787e16..f22783d42 100644 --- a/src/ap/ap_config.h +++ b/src/ap/ap_config.h 
@@ -346,6 +346,7 @@ struct hostapd_bss_config { * algorithms, WPA_AUTH_ALG_{OPEN,SHARED,LEAP} */ int wpa; /* bitfield of WPA_PROTO_WPA, WPA_PROTO_RSN */ + int wpa_extended_key_id; int wpa_key_mgmt; #ifdef CONFIG_IEEE80211W enum mfp_options ieee80211w; diff --git a/src/ap/hs20.c b/src/ap/hs20.c index 532580e7c..791847cbc 100644 --- a/src/ap/hs20.c +++ b/src/ap/hs20.c @@ -80,6 +80,8 @@ u8 * hostapd_eid_osen(struct hostapd_data *hapd, u8 *eid) /* 4 PTKSA replay counters when using WMM */ capab |= (RSN_NUM_REPLAY_COUNTERS_16 << 2); } + if (hapd->conf->wpa_extended_key_id) + capab |= WPA_CAPABILITY_EXT_KEY_ID_FOR_UNICAST; #ifdef CONFIG_IEEE80211W if (hapd->conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) { capab |= WPA_CAPABILITY_MFPC; diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c index ba415bd66..0213e97c2 100644 --- a/src/ap/wpa_auth.c +++ b/src/ap/wpa_auth.c @@ -755,6 +755,9 @@ static void wpa_request_new_ptk(struct wpa_state_machine *sm) if (sm == NULL) return; + if (sm->use_extended_key_id) + sm->keyidx_active ^= 1; /* flip keyID */ + sm->PTKRequest = TRUE; sm->PTK_valid = 0; } @@ -1459,6 +1462,12 @@ void __wpa_send_eapol(struct wpa_authenticator *wpa_auth, else version = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4; + /* Extended Key ID must not be used for TKIP */ + if (version == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4) { + sm->use_extended_key_id = FALSE; + sm->keyidx_active = 0; + } + pairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE); wpa_printf(MSG_DEBUG, "WPA: Send EAPOL(version=%d secure=%d mic=%d " @@ -1717,6 +1726,11 @@ void wpa_remove_ptk(struct wpa_state_machine *sm) 0, KEY_TYPE_PAIRWISE)) wpa_printf(MSG_DEBUG, "RSN: PTK removal from the driver failed"); + if (sm->wpa_auth->conf.wpa_extended_key_id && + wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 1, NULL, + 0, KEY_TYPE_PAIRWISE)) + wpa_printf(MSG_DEBUG, + "RSN: PTK ID1 removal from the driver failed"); sm->pairwise_set = FALSE; eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm); } 
@@ -1775,6 +1789,8 @@ int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event) sm->Init = FALSE; sm->AuthenticationRequest = TRUE; break; + } else if (sm->use_extended_key_id) { + sm->keyidx_active ^= 1; /* flip keyID */ } if (sm->GUpdateStationKeys) { /* @@ -3142,7 +3158,7 @@ static int ocv_oci_add(struct wpa_state_machine *sm, u8 **argpos) SM_STATE(WPA_PTK, PTKINITNEGOTIATING) { - u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos, dummy_gtk[32]; + u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos, dummy_gtk[32], hdr[2]; size_t gtk_len, kde_len; struct wpa_group *gsm = sm->group; u8 *wpa_ie; @@ -3183,6 +3199,18 @@ SM_STATE(WPA_PTK, PTKINITNEGOTIATING) wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, "sending 3/4 msg of 4-Way Handshake"); if (sm->wpa == WPA_VERSION_WPA2) { + if (sm->use_extended_key_id && sm->TimeoutCtr == 1 && + wpa_auth_set_key(sm->wpa_auth, 0, + wpa_cipher_to_alg(sm->pairwise), + sm->addr, + sm->keyidx_active, sm->PTK.tk, + wpa_cipher_key_len(sm->pairwise), + KEY_TYPE_NO_AUTO_TX)) { + wpa_sta_disconnect(sm->wpa_auth, sm->addr, + WLAN_REASON_PREV_AUTH_NOT_VALID); + return; + } + /* WPA2 send GTK in the 4-way handshake */ secure = 1; gtk = gsm->GTK[gsm->GN - 1]; @@ -3223,6 +3251,10 @@ SM_STATE(WPA_PTK, PTKINITNEGOTIATING) } kde_len = wpa_ie_len + ieee80211w_kde_len(sm) + ocv_oci_len(sm); + + if (sm->use_extended_key_id) + kde_len += 2 + RSN_SELECTOR_LEN + 2; + if (gtk) kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len; #ifdef CONFIG_IEEE80211R_AP @@ -3259,10 +3291,15 @@ SM_STATE(WPA_PTK, PTKINITNEGOTIATING) pos += elen; } #endif /* CONFIG_IEEE80211R_AP */ + hdr[1] = 0; + + if (sm->use_extended_key_id) { + hdr[0] = sm->keyidx_active & 0x01; + pos = wpa_add_kde(pos, RSN_KEY_DATA_KEYID, hdr, 2, NULL, 0); + } + if (gtk) { - u8 hdr[2]; hdr[0] = gtkidx & 0x03; - hdr[1] = 0; pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2, gtk, gtk_len); } 
@@ -3345,8 +3382,17 @@ SM_STATE(WPA_PTK, PTKINITDONE) if (sm->Pair) { enum wpa_alg alg = wpa_cipher_to_alg(sm->pairwise); int klen = wpa_cipher_key_len(sm->pairwise); - if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0, - sm->PTK.tk, klen, KEY_TYPE_PAIRWISE)) { + if (sm->use_extended_key_id) { + if (wpa_auth_set_key(sm->wpa_auth, 0, 0, sm->addr, + sm->keyidx_active, NULL, 0, + KEY_TYPE_SET_TX)) { + wpa_sta_disconnect(sm->wpa_auth, sm->addr, + WLAN_REASON_PREV_AUTH_NOT_VALID); + return; + } + } else if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0, + sm->PTK.tk, klen, + KEY_TYPE_PAIRWISE)) { wpa_sta_disconnect(sm->wpa_auth, sm->addr, WLAN_REASON_PREV_AUTH_NOT_VALID); return; @@ -4980,7 +5026,7 @@ int wpa_auth_resend_m3(struct wpa_state_machine *sm, void (*cb)(void *ctx1, void *ctx2), void *ctx1, void *ctx2) { - u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos; + u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos, hdr[2]; #ifdef CONFIG_IEEE80211W u8 *opos; #endif /* CONFIG_IEEE80211W */ @@ -5040,6 +5086,10 @@ int wpa_auth_resend_m3(struct wpa_state_machine *sm, } kde_len = wpa_ie_len + ieee80211w_kde_len(sm) + ocv_oci_len(sm); + + if (sm->use_extended_key_id) + kde_len += 2 + RSN_SELECTOR_LEN + 2; + if (gtk) kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len; #ifdef CONFIG_IEEE80211R_AP @@ -5072,10 +5122,15 @@ int wpa_auth_resend_m3(struct wpa_state_machine *sm, pos += elen; } #endif /* CONFIG_IEEE80211R_AP */ + hdr[1] = 0; + + if (sm->use_extended_key_id) { + hdr[0] = sm->keyidx_active & 0x03; + pos = wpa_add_kde(pos, RSN_KEY_DATA_KEYID, hdr, 2, NULL, 0); + } + if (gtk) { - u8 hdr[2]; hdr[0] = gtkidx & 0x03; - hdr[1] = 0; pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2, gtk, gtk_len); } diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h index cc8ea5aa7..f756d492b 100644 --- a/src/ap/wpa_auth.h +++ b/src/ap/wpa_auth.h 
@@ -169,6 +169,7 @@ struct ft_remote_r1kh { struct wpa_auth_config { int wpa; + int wpa_extended_key_id; int wpa_key_mgmt; int wpa_pairwise; int wpa_group; diff --git a/src/ap/wpa_auth_ft.c b/src/ap/wpa_auth_ft.c index 0f1a51832..a870ea799 100644 --- a/src/ap/wpa_auth_ft.c +++ b/src/ap/wpa_auth_ft.c @@ -2652,7 +2652,7 @@ void wpa_ft_install_ptk(struct wpa_state_machine *sm) * again after association to get the PTK configured, but that could be * optimized by adding the STA entry earlier. */ - if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0, + if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, sm->keyidx_active, sm->PTK.tk, klen, KEY_TYPE_PAIRWISE)) return; @@ -2891,6 +2891,10 @@ static int wpa_ft_process_auth_req(struct wpa_state_machine *sm, wpa_printf(MSG_DEBUG, "FT: Failed to parse FT IEs"); return WLAN_STATUS_UNSPECIFIED_FAILURE; } + + if (handle_extended_key_id(sm, parse.capabilities)) + return WLAN_STATUS_UNSPECIFIED_FAILURE; + use_sha384 = wpa_key_mgmt_sha384(parse.key_mgmt); pmk_r1_len = use_sha384 ? SHA384_MAC_LEN : PMK_LEN; diff --git a/src/ap/wpa_auth_glue.c b/src/ap/wpa_auth_glue.c index df900dba7..0cc824863 100644 --- a/src/ap/wpa_auth_glue.c +++ b/src/ap/wpa_auth_glue.c @@ -39,6 +39,7 @@ static void hostapd_wpa_auth_conf(struct hostapd_bss_config *conf, { os_memset(wconf, 0, sizeof(*wconf)); wconf->wpa = conf->wpa; + wconf->wpa_extended_key_id = conf->wpa_extended_key_id; wconf->wpa_key_mgmt = conf->wpa_key_mgmt; wconf->wpa_pairwise = conf->wpa_pairwise; wconf->wpa_group = conf->wpa_group; 
@@ -369,7 +370,12 @@ static int hostapd_wpa_auth_set_key(void *ctx, int vlan_id, enum wpa_alg alg, } #ifdef CONFIG_TESTING_OPTIONS - if (addr && !is_broadcast_ether_addr(addr)) { + if (key_type == KEY_TYPE_SET_TX) { + /* KEY_TYPE_NO_AUTO_TX installed the key and updated the + * variables. Since KEY_TYPE_SET_TX would overwrite the + * desired information with zeros do nothing. + */ + } else if (addr && !is_broadcast_ether_addr(addr)) { struct sta_info *sta; sta = ap_get_sta(hapd, addr); @@ -1305,6 +1311,30 @@ int hostapd_setup_wpa(struct hostapd_data *hapd) _conf.tx_status = 1; if (hapd->iface->drv_flags & WPA_DRIVER_FLAGS_AP_MLME) _conf.ap_mlme = 1; + + if (_conf.wpa_extended_key_id) { + if (_conf.wpa & WPA_PROTO_RSN && + _conf.rsn_pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP | + WPA_CIPHER_GCMP_256 | + WPA_CIPHER_CCMP_256) && + hapd->iface->drv_flags & WPA_DRIVER_FLAGS_EXTENDED_KEY_ID) { + wpa_msg(hapd->msg_ctx, MSG_INFO, + "Enable Extended Key ID support"); + } else { + if (!(hapd->iface->drv_flags & + WPA_DRIVER_FLAGS_EXTENDED_KEY_ID)) + wpa_msg(hapd->msg_ctx, MSG_INFO, + "Extended Key ID not supported by driver"); + else + wpa_msg(hapd->msg_ctx, MSG_INFO, + "Extended Key ID requires wpa2 and CCMP/GCMP"); + _conf.wpa_extended_key_id = 0; + } + } else if (_conf.wpa & WPA_PROTO_RSN) { + wpa_msg(hapd->msg_ctx, MSG_INFO, + "Extended Key ID support disabled"); + } + hapd->wpa_auth = wpa_init(hapd->own_addr, &_conf, &cb, hapd); if (hapd->wpa_auth == NULL) { wpa_printf(MSG_ERROR, "WPA initialization failed."); diff --git a/src/ap/wpa_auth_i.h b/src/ap/wpa_auth_i.h index 4babd0cbb..21c9b082f 100644 --- a/src/ap/wpa_auth_i.h +++ b/src/ap/wpa_auth_i.h @@ -61,6 +61,8 @@ struct wpa_state_machine { unsigned int pmk_len; u8 pmkid[PMKID_LEN]; /* valid if pmkid_set == 1 */ struct wpa_ptk PTK; + u8 keyidx_active; + Boolean use_extended_key_id; Boolean PTK_valid; Boolean pairwise_set; Boolean tk_already_set; 
@@ -284,6 +286,7 @@ int wpa_auth_for_each_sta(struct wpa_authenticator *wpa_auth, int wpa_auth_for_each_auth(struct wpa_authenticator *wpa_auth, int (*cb)(struct wpa_authenticator *a, void *ctx), void *cb_ctx); +int handle_extended_key_id(struct wpa_state_machine *sm, int capabilities); #ifdef CONFIG_IEEE80211R_AP int wpa_write_mdie(struct wpa_auth_config *conf, u8 *buf, size_t len); diff --git a/src/ap/wpa_auth_ie.c b/src/ap/wpa_auth_ie.c index 2e5c9160d..725c76056 100644 --- a/src/ap/wpa_auth_ie.c +++ b/src/ap/wpa_auth_ie.c @@ -286,6 +286,8 @@ int wpa_write_rsn_ie(struct wpa_auth_config *conf, u8 *buf, size_t len, /* 4 PTKSA replay counters when using WMM */ capab |= (RSN_NUM_REPLAY_COUNTERS_16 << 2); } + if (conf->wpa_extended_key_id) + capab |= WPA_CAPABILITY_EXT_KEY_ID_FOR_UNICAST; #ifdef CONFIG_IEEE80211W if (conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) { capab |= WPA_CAPABILITY_MFPC; @@ -411,6 +413,8 @@ static u8 * wpa_write_osen(struct wpa_auth_config *conf, u8 *eid) /* 4 PTKSA replay counters when using WMM */ capab |= (RSN_NUM_REPLAY_COUNTERS_16 << 2); } + if (conf->wpa_extended_key_id) + capab |= WPA_CAPABILITY_EXT_KEY_ID_FOR_UNICAST; #ifdef CONFIG_IEEE80211W if (conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) { capab |= WPA_CAPABILITY_MFPC; @@ -435,8 +439,9 @@ int wpa_auth_gen_wpa_ie(struct wpa_authenticator *wpa_auth) { u8 *pos, buf[128]; int res; - #ifdef CONFIG_TESTING_OPTIONS + struct wpa_ie_data data; + if (wpa_auth->conf.own_ie_override_len) { wpa_hexdump(MSG_DEBUG, "WPA: Forced own IE(s) for testing", wpa_auth->conf.own_ie_override, 
@@ -449,6 +454,14 @@ int wpa_auth_gen_wpa_ie(struct wpa_authenticator *wpa_auth) os_memcpy(wpa_auth->wpa_ie, wpa_auth->conf.own_ie_override, wpa_auth->conf.own_ie_override_len); wpa_auth->wpa_ie_len = wpa_auth->conf.own_ie_override_len; + if (wpa_parse_wpa_ie_rsn(wpa_auth->wpa_ie, + wpa_auth->wpa_ie_len, &data) || + !(data.capabilities & + WPA_CAPABILITY_EXT_KEY_ID_FOR_UNICAST)) { + wpa_printf(MSG_DEBUG, + "WPA: Own IE forcing wpa_extended_key_id=0"); + wpa_auth->conf.wpa_extended_key_id = 0; + } return 0; } #endif /* CONFIG_TESTING_OPTIONS */ @@ -528,6 +541,31 @@ static int wpa_auth_okc_iter(struct wpa_authenticator *a, void *ctx) return 0; } +int handle_extended_key_id(struct wpa_state_machine *sm, int capabilities) +{ + struct wpa_auth_config *conf = &sm->wpa_auth->conf; + + if (conf->wpa_extended_key_id && + capabilities & WPA_CAPABILITY_EXT_KEY_ID_FOR_UNICAST) { + if (!sm->use_extended_key_id && sm->pairwise_set) { + wpa_printf(MSG_DEBUG, + "Can only enable Extended Key ID on initial connect"); + return -1; + } else if (!sm->use_extended_key_id) { + sm->use_extended_key_id = TRUE; + } + } else { + if (sm->use_extended_key_id && sm->pairwise_set) { + wpa_printf(MSG_DEBUG, + "Already using Extended Key ID, can't stop"); + return -1; + } else if (sm->use_extended_key_id) { + sm->use_extended_key_id = FALSE; + sm->keyidx_active = 0; + } + } + return 0; +} int wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth, struct wpa_state_machine *sm, int freq, @@ -809,6 +847,8 @@ int wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth, } #endif /* CONFIG_IEEE80211W */ + if (handle_extended_key_id(sm, data.capabilities)) + return WPA_INVALID_IE; #ifdef CONFIG_IEEE80211R_AP if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { if (mdie == NULL || mdie_len < MOBILITY_DOMAIN_ID_LEN + 1) { diff --git a/src/common/wpa_common.c b/src/common/wpa_common.c index a7569580f..dc5ae4891 100644 --- a/src/common/wpa_common.c +++ b/src/common/wpa_common.c 
@@ -963,6 +963,7 @@ int wpa_ft_parse_ies(const u8 *ies, size_t ies_len, parse->rsn_pmkid = data.pmkid; parse->key_mgmt = data.key_mgmt; parse->pairwise_cipher = data.pairwise_cipher; + parse->capabilities = data.capabilities; if (update_use_sha384) { use_sha384 = wpa_key_mgmt_sha384(parse->key_mgmt); diff --git a/src/common/wpa_common.h b/src/common/wpa_common.h index 415104de9..ca0acbad4 100644 --- a/src/common/wpa_common.h +++ b/src/common/wpa_common.h 
@@ -475,6 +475,7 @@ struct wpa_ft_ies { size_t ric_len; int key_mgmt; int pairwise_cipher; + int capabilities; }; int wpa_ft_parse_ies(const u8 *ies, size_t ies_len, struct wpa_ft_ies *parse,
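Review bot: keyidx_active is flipped unconditionally at two sites in wpa_auth.c, `sm->keyidx_active ^= 1;` in wpa_request_new_ptk() and again in the new `} else if (sm->use_extended_key_id) {` branch of wpa_auth_sm_event(), both before any handshake has run. A second rekey request arriving before the pending 4-way handshake finishes, or one rekey passing through both sites, toggles the index back onto the key currently in use, and the KEY_TYPE_NO_AUTO_TX install in PTKINITNEGOTIATING then overwrites the live PTK. Suggest flipping in exactly one place, for example just before that install when sm->TimeoutCtr == 1, or guarding both flips with a rekey-pending flag.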
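Review bot: wpa_remove_ptk() conditions the extra key-index-1 removal on sm->wpa_auth->conf.wpa_extended_key_id rather than on sm->use_extended_key_id, so on an AP with the feature enabled every legacy STA also receives a WPA_ALG_NONE for index 1 and, if the driver rejects it, the "PTK ID1 removal from the driver failed" debug line. Either guard on sm->use_extended_key_id or add a comment that the unconditional delete is intended as a safety net for STAs whose mode changed.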
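Review bot: the KeyID KDE is built with different masks at its two sites, `hdr[0] = sm->keyidx_active & 0x01;` in PTKINITNEGOTIATING and `hdr[0] = sm->keyidx_active & 0x03;` in wpa_auth_resend_m3(). With keyidx_active only ever toggled by `^= 1` both yield the same octet, but the masks should agree (0x01, since unicast Extended Key ID uses only KeyIDs 0 and 1) and ideally come from one helper so a resent message 3 cannot diverge from the original.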
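Review bot: wpa_ft_install_ptk() now installs the PTK at sm->keyidx_active with a single KEY_TYPE_PAIRWISE call, but nothing in this patch conveys that index to the STA over the FT path; the cover note says the KeyID will be carried next to the GTK Key ID in a later patch. Until then an FT (re)association on a state machine whose keyidx_active is 1 installs an index the STA does not know about, so either say in the commit message that FT is completed later in the series or force keyidx_active to 0 in the FT path for now.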
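Review bot: the hostapd_setup_wpa() check in wpa_auth_glue.c tests the configured rsn_pairwise bitmask, so a mixed TKIP+CCMP configuration passes and the per-STA TKIP case is only caught in __wpa_send_eapol(), which clears sm->use_extended_key_id and keyidx_active from inside the EAPOL send path. Rejecting TKIP in handle_extended_key_id(), next to the per-STA capability decision where the caller already knows the negotiated pairwise cipher, would keep the rule in one place and stop a send routine from mutating state machine flags.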
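Review bot: handle_extended_key_id() in wpa_auth_ie.c rejects a (re)association on two paths (returning -1, which the callers map to WPA_INVALID_IE and WLAN_STATUS_UNSPECIFIED_FAILURE) but logs both only via wpa_printf(MSG_DEBUG, ...) without the STA address; use wpa_auth_logger() with sm->addr as the PTKINITNEGOTIATING code does so the reject is diagnosable. Minor: the condition `conf->wpa_extended_key_id && capabilities & WPA_CAPABILITY_EXT_KEY_ID_FOR_UNICAST` relies on & binding tighter than &&, so parenthesise the capability test.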
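Review bot: config_file.c reads wpa_extended_key_id with atoi() and no range check, while the hostapd.conf hunk documents only 0 and 1; either reject other values here or document that any non-zero value enables the feature. The hostapd.conf text would also be clearer stating that the value is forced back to 0 (with only an MSG_INFO message) when the driver lacks WPA_DRIVER_FLAGS_EXTENDED_KEY_ID, as the wpa_auth_glue.c hunk does.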
From: Alexander Wetzel
To: j@w1.fi
Subject: [PATCH v4 10/16] wpa_supplicant: AP Extended Key ID support
Date: Sat, 24 Aug 2019 18:04:59 +0200
Message-Id: <20190824160505.5548-11-alexander@wetzel-home.de>
In-Reply-To: <20190824160505.5548-1-alexander@wetzel-home.de>
References: <20190824160505.5548-1-alexander@wetzel-home.de>
Cc: Alexander Wetzel,
hostap@lists.infradead.org, luca@coelho.fi, johannes@sipsolutions.net

Add support for Extended Key ID in hostapd based on IEEE 802.11 - 2016 for infrastructure (AP) connections. This also fixes an off-by-one error for key tracking and deletion: Even within IEEE 802.11w the highest keyid is 5 and not 6.

Signed-off-by: Alexander Wetzel
---
This complements the hostapd Extended Key ID patch and adds support for it also to wpa_supplicant. For now we only have the "client" Extended Key ID support covered in wpa_supplicant. IBSS/TDLS/mesh extensions are also missing for now but besides that it's feature complete. (FILS support is in a separate patch)

 src/rsn_supp/wpa.c | 126 ++++++++++++++++++++++++++---
 src/rsn_supp/wpa.h | 5 +-
 src/rsn_supp/wpa_ft.c | 7 +-
 src/rsn_supp/wpa_i.h | 3 +
 src/rsn_supp/wpa_ie.c | 11 +++
 src/rsn_supp/wpa_ie.h | 1 +
 wpa_supplicant/config.c | 2 +
 wpa_supplicant/config_file.c | 1 +
 wpa_supplicant/config_ssid.h | 10 +++
 wpa_supplicant/ctrl_iface.c | 3 +
 wpa_supplicant/driver_i.h | 13 ++-
 wpa_supplicant/wpa_cli.c | 3 +-
 wpa_supplicant/wpa_supplicant.c | 27 ++++++-
 wpa_supplicant/wpa_supplicant.conf | 5 ++
 wpa_supplicant/wpas_glue.c | 4 +-
 15 files changed, 200 insertions(+), 21 deletions(-)

diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c index 830c74c8f..de463cba6 100644 --- a/src/rsn_supp/wpa.c +++ b/src/rsn_supp/wpa.c
@@ -581,6 +581,53 @@ static int wpa_derive_ptk(struct wpa_sm *sm, const unsigned char *src_addr, sm->pairwise_cipher, z, z_len); } +static int handle_extended_key_id(struct wpa_sm *sm, + struct wpa_eapol_ie_parse *kde, + const u8 *rsn_ie, size_t rsn_ie_len) +{ + struct wpa_ie_data rsn; + + /* IEEE 802.11 - 2016 requires the Extended Key ID + * bit to be set in the RSN capabilities for both STAs + * to enable the feature + */ + if (sm->wpa_extended_key_id && rsn_ie && + sm->pairwise_cipher != WPA_CIPHER_TKIP && + wpa_parse_wpa_ie_rsn(rsn_ie, rsn_ie_len, &rsn) >= 0 && + rsn.capabilities & WPA_CAPABILITY_EXT_KEY_ID_FOR_UNICAST) { + if (!kde->key_id) { + wpa_msg(sm->ctx->msg_ctx, MSG_ERROR, + "WPA: No KeyID in Extended Key ID handshake"); + return -1; + } else if (kde->key_id[0] & 0xfe) { + wpa_msg(sm->ctx->msg_ctx, MSG_ERROR, + "WPA: Invalid KeyID"); + return -1; + } + wpa_msg(sm->ctx->msg_ctx, MSG_INFO, + "WPA: Using Extended Key ID"); + sm->keyidx_active = kde->key_id[0]; + sm->use_extended_key_id = 1; + } else { + if (kde->key_id && kde->key_id[0]) { + wpa_msg(sm->ctx->msg_ctx, MSG_ERROR, + "WPA: Non-zero KeyID in legacy handshake"); + return -1; + } else if (kde->key_id) { + wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, + "WPA: KeyID in legacy handshake"); + } else if (!rsn_ie || sm->pairwise_cipher == WPA_CIPHER_TKIP) { + wpa_msg(sm->ctx->msg_ctx, MSG_INFO, + "WPA: Extended Key ID requires wpa2 and CCMP/GCMP"); + } + if (sm->wpa_extended_key_id) + wpa_msg(sm->ctx->msg_ctx, MSG_INFO, + "WPA: Not using Extended Key ID"); + sm->keyidx_active = 0; + sm->use_extended_key_id = 0; + } + return 0; +} static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm, const unsigned char *src_addr, 
@@ -779,6 +826,14 @@ static void wpa_sm_rekey_ptk(void *eloop_ctx, void *timeout_ctx) wpa_sm_key_request(sm, 0, 1); } +static void wpa_supplicant_ptk_installed(struct wpa_sm *sm) +{ + if (sm->wpa_ptk_rekey) { + eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL); + eloop_register_timeout(sm->wpa_ptk_rekey, 0, wpa_sm_rekey_ptk, + sm, NULL); + } +} static int wpa_supplicant_install_ptk(struct wpa_sm *sm, const struct wpa_eapol_key *key, @@ -826,12 +881,14 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm, wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, rsclen); } - if (wpa_sm_set_key(sm, alg, sm->bssid, 0, 1, key_rsc, rsclen, - sm->ptk.tk, keylen, key_type) < 0) { + if (wpa_sm_set_key(sm, alg, sm->bssid, sm->keyidx_active, 1, key_rsc, + rsclen, sm->ptk.tk, keylen, key_type) < 0) { wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, - "WPA: Failed to set PTK to the " - "driver (alg=%d keylen=%d bssid=" MACSTR ")", - alg, keylen, MAC2STR(sm->bssid)); + "WPA: Failed to set PTK to the driver" + "(alg=%d keylen=%d bssid=" MACSTR + " idx=%d use_extended_key_id=%d key_type=%d)", + alg, keylen, MAC2STR(sm->bssid), + sm->keyidx_active, sm->use_extended_key_id, key_type); return -1; } 
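Review bot: in the @@ -826 hunk of wpa_supplicant_install_ptk the string literals "WPA: Failed to set PTK to the driver" and "(alg=%d keylen=%d bssid=" are concatenated without a separating space, so the warning renders as `...driver(alg=...`; add the trailing space to the first literal.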
@@ -840,12 +897,27 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm, sm->ptk.tk_len = 0; sm->ptk.installed = 1; - if (sm->wpa_ptk_rekey) { - eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL); - eloop_register_timeout(sm->wpa_ptk_rekey, 0, wpa_sm_rekey_ptk, - sm, NULL); + if (key_type != KEY_TYPE_NO_AUTO_TX) + wpa_supplicant_ptk_installed(sm); + + return 0; +} + +static int wpa_supplicant_activate_ptk(struct wpa_sm *sm) +{ + wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, + "WPA: Activate PTK (idx=%d bssid=" MACSTR ")", + sm->keyidx_active, MAC2STR(sm->bssid)); + + if (wpa_sm_set_key(sm, 0, sm->bssid, sm->keyidx_active, + 0, 0, 0, NULL, 0, KEY_TYPE_SET_TX) < 0) { + wpa_msg(sm->ctx->msg_ctx, MSG_ERROR, + "WPA: Failed to activate PTK for Tx (idx=%d bssid=" + MACSTR ")", sm->keyidx_active, MAC2STR(sm->bssid)); + return -1; } + wpa_supplicant_ptk_installed(sm); return 0; } @@ -1479,6 +1551,9 @@ static void wpa_supplicant_process_3_of_4(struct wpa_sm *sm, if (wpa_supplicant_validate_ie(sm, sm->bssid, &ie) < 0) goto failed; + if (handle_extended_key_id(sm, &ie, ie.rsn_ie, ie.rsn_ie_len)) + goto failed; + if (os_memcmp(sm->anonce, key->key_nonce, WPA_NONCE_LEN) != 0) { wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: ANonce from message 1 of 4-Way Handshake " @@ -1523,6 +1598,10 @@ static void wpa_supplicant_process_3_of_4(struct wpa_sm *sm, } } #endif /* CONFIG_OCV */ + if (sm->use_extended_key_id) { + if (wpa_supplicant_install_ptk(sm, key, KEY_TYPE_NO_AUTO_TX)) + goto failed; + } if (wpa_supplicant_send_4_of_4(sm, sm->bssid, key, ver, key_info, &sm->ptk) < 0) { 
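Review bot: wpa_supplicant_activate_ptk calls `wpa_sm_set_key(sm, 0, sm->bssid, sm->keyidx_active, 0, 0, 0, NULL, 0, KEY_TYPE_SET_TX)` with a bare `0` for the `alg` argument and another `0` where the sequence-counter pointer is expected; spell these as WPA_ALG_NONE and NULL, and add a comment that the call carries no key material and only asks the driver to switch Tx to the key already installed at keyidx_active, since that is the whole contract of KEY_TYPE_SET_TX.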
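Review bot: in the @@ -1523 hunk the Rx-only install, `wpa_supplicant_install_ptk(sm, key, KEY_TYPE_NO_AUTO_TX)`, runs for every message 3 once use_extended_key_id is set, but the matching wpa_supplicant_activate_ptk call in the following hunk is only reached inside `if (key_info & WPA_KEY_INFO_INSTALL)`; a message 3 without the Install bit would therefore leave a PTK installed for Rx at keyidx_active that is never made the Tx key, and because wpa_supplicant_ptk_installed is skipped for KEY_TYPE_NO_AUTO_TX the rekey timer is not re-armed either. Gate the Rx-only install on the Install bit as well, or fail message 3 when Extended Key ID is in use and the bit is clear.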
@@ -1535,8 +1614,13 @@ static void wpa_supplicant_process_3_of_4(struct wpa_sm *sm, sm->renew_snonce = 1; if (key_info & WPA_KEY_INFO_INSTALL) { - if (wpa_supplicant_install_ptk(sm, key, KEY_TYPE_PAIRWISE)) + if (sm->use_extended_key_id) { + if (wpa_supplicant_activate_ptk(sm)) + goto failed; + } else if (wpa_supplicant_install_ptk(sm, key, + KEY_TYPE_PAIRWISE)) { goto failed; + } } if (key_info & WPA_KEY_INFO_SECURE) { @@ -2650,6 +2734,7 @@ struct wpa_sm * wpa_sm_init(struct wpa_sm_ctx *ctx) return NULL; dl_list_init(&sm->pmksa_candidates); sm->renew_snonce = 1; + sm->keyidx_active = 0; sm->ctx = ctx; sm->dot11RSNAConfigPMKLifetime = 43200; @@ -3040,6 +3125,9 @@ int wpa_sm_set_param(struct wpa_sm *sm, enum wpa_sm_conf_params param, case WPA_PARAM_PAIRWISE: sm->pairwise_cipher = value; break; + case WPA_PARAM_EXTENDED_KEY_ID: + sm->wpa_extended_key_id = value; + break; case WPA_PARAM_GROUP: sm->group_cipher = value; break; @@ -3164,6 +3252,9 @@ int wpa_sm_set_assoc_wpa_ie_default(struct wpa_sm *sm, u8 *wpa_ie, #ifdef CONFIG_TESTING_OPTIONS if (sm->test_assoc_ie) { + struct wpa_eapol_ie_parse ie; + struct wpa_ie_data rsn; + wpa_printf(MSG_DEBUG, "TESTING: Replace association WPA/RSN IE"); if (*wpa_ie_len < wpabuf_len(sm->test_assoc_ie)) @@ -3171,6 +3262,15 @@ int wpa_sm_set_assoc_wpa_ie_default(struct wpa_sm *sm, u8 *wpa_ie, os_memcpy(wpa_ie, wpabuf_head(sm->test_assoc_ie), wpabuf_len(sm->test_assoc_ie)); res = wpabuf_len(sm->test_assoc_ie); + + if (wpa_supplicant_parse_ies(wpa_ie, res, &ie) || + wpa_parse_wpa_ie_rsn(ie.rsn_ie, ie.rsn_ie_len, &rsn) || + !(rsn.capabilities & + WPA_CAPABILITY_EXT_KEY_ID_FOR_UNICAST)) { + wpa_printf(MSG_DEBUG, + "TESTING: Force disable Extended Key ID"); + sm->wpa_extended_key_id = 0; + } } else #endif /* CONFIG_TESTING_OPTIONS */ res = wpa_gen_wpa_ie(sm, wpa_ie, *wpa_ie_len); 
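Review bot: in the CONFIG_TESTING_OPTIONS hunk (@@ -3171) the forced-disable condition calls `wpa_parse_wpa_ie_rsn(ie.rsn_ie, ie.rsn_ie_len, &rsn)` even when the injected test IE contains no RSN IE, in which case ie.rsn_ie is NULL and the outcome depends on the parser rejecting an empty input; add an explicit `!ie.rsn_ie ||` term to the chain so that a WPA (vendor) test IE disables Extended Key ID without relying on that behaviour.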
@@ -3400,6 +3500,10 @@ int wpa_sm_has_ptk(struct wpa_sm *sm) return sm->ptk_set; } +int wpa_sm_extended_key_id(struct wpa_sm *sm) +{ + return sm->wpa_extended_key_id; +} void wpa_sm_update_replay_ctr(struct wpa_sm *sm, const u8 *replay_ctr) { @@ -4028,6 +4132,8 @@ static int fils_ft_build_assoc_req_rsne(struct wpa_sm *sm, struct wpabuf *buf) #endif /* CONFIG_IEEE80211W */ if (sm->ocv) capab |= WPA_CAPABILITY_OCVC; + if (sm->wpa_extended_key_id) + capab |= WPA_CAPABILITY_EXT_KEY_ID_FOR_UNICAST; wpabuf_put_le16(buf, capab); /* PMKID Count */ diff --git a/src/rsn_supp/wpa.h b/src/rsn_supp/wpa.h index 60ced0a74..a93617c59 100644 --- a/src/rsn_supp/wpa.h +++ b/src/rsn_supp/wpa.h @@ -98,7 +98,8 @@ enum wpa_sm_conf_params { WPA_PARAM_MGMT_GROUP, WPA_PARAM_RSN_ENABLED, WPA_PARAM_MFP, - WPA_PARAM_OCV + WPA_PARAM_OCV, + WPA_PARAM_EXTENDED_KEY_ID }; struct rsn_supp_config { @@ -109,6 +110,7 @@ struct rsn_supp_config { void *eap_conf_ctx; const u8 *ssid; size_t ssid_len; + int wpa_extended_key_id; int wpa_ptk_rekey; int p2p; int wpa_rsc_relaxation; @@ -167,6 +169,7 @@ int wpa_sm_pmksa_exists(struct wpa_sm *sm, const u8 *bssid, const void *network_ctx); void wpa_sm_drop_sa(struct wpa_sm *sm); int wpa_sm_has_ptk(struct wpa_sm *sm); +int wpa_sm_extended_key_id(struct wpa_sm *sm); void wpa_sm_update_replay_ctr(struct wpa_sm *sm, const u8 *replay_ctr); diff --git a/src/rsn_supp/wpa_ft.c b/src/rsn_supp/wpa_ft.c index 3b45f669b..4aa862748 100644 --- a/src/rsn_supp/wpa_ft.c +++ b/src/rsn_supp/wpa_ft.c @@ -254,6 +254,8 @@ static u8 * wpa_ft_gen_req_ies(struct wpa_sm *sm, size_t *len, #endif /* CONFIG_IEEE80211W */ if (sm->ocv) capab |= WPA_CAPABILITY_OCVC; + if (sm->wpa_extended_key_id) + capab |= WPA_CAPABILITY_EXT_KEY_ID_FOR_UNICAST; WPA_PUT_LE16(pos, capab); pos += 2; 
@@ -411,8 +413,9 @@ static int wpa_ft_install_ptk(struct wpa_sm *sm, const u8 *bssid) alg = wpa_cipher_to_alg(sm->pairwise_cipher); keylen = wpa_cipher_key_len(sm->pairwise_cipher); - if (wpa_sm_set_key(sm, alg, bssid, 0, 1, null_rsc, sizeof(null_rsc), - (u8 *) sm->ptk.tk, keylen, KEY_TYPE_PAIRWISE) < 0) { + if (wpa_sm_set_key(sm, alg, bssid, sm->keyidx_active, 1, null_rsc, + sizeof(null_rsc), (u8 *) sm->ptk.tk, keylen, + KEY_TYPE_PAIRWISE) < 0) { wpa_printf(MSG_WARNING, "FT: Failed to set PTK to the driver"); return -1; } diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h index a22d3d156..e4d07c1ff 100644 --- a/src/rsn_supp/wpa_i.h +++ b/src/rsn_supp/wpa_i.h @@ -26,6 +26,7 @@ struct wpa_sm { u8 snonce[WPA_NONCE_LEN]; u8 anonce[WPA_NONCE_LEN]; /* ANonce from the last 1/4 msg */ int renew_snonce; + int keyidx_active; u8 rx_replay_counter[WPA_REPLAY_COUNTER_LEN]; int rx_replay_counter_set; u8 request_counter[WPA_REPLAY_COUNTER_LEN]; @@ -65,6 +66,8 @@ struct wpa_sm { int wpa_ptk_rekey; int p2p; int wpa_rsc_relaxation; + int wpa_extended_key_id; + int use_extended_key_id; u8 own_addr[ETH_ALEN]; const char *ifname; diff --git a/src/rsn_supp/wpa_ie.c b/src/rsn_supp/wpa_ie.c index ae9f4ca24..4016ec71a 100644 --- a/src/rsn_supp/wpa_ie.c +++ b/src/rsn_supp/wpa_ie.c @@ -225,6 +225,9 @@ static int wpa_gen_wpa_ie_rsn(u8 *rsn_ie, size_t rsn_ie_len, #endif /* CONFIG_IEEE80211W */ if (sm->ocv) capab |= WPA_CAPABILITY_OCVC; + if (sm->wpa_extended_key_id) + capab |= WPA_CAPABILITY_EXT_KEY_ID_FOR_UNICAST; + WPA_PUT_LE16(pos, capab); pos += 2; 
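Review bot: wpa_ft_install_ptk now installs the FT PTK at `sm->keyidx_active`, yet within this patch keyidx_active is written only in handle_extended_key_id (message 3 of the 4-way handshake) and in wpa_sm_init, so after an FT reassociation the index is whatever the previous association negotiated rather than something agreed with the target AP, and it is installed with KEY_TYPE_PAIRWISE, i.e. immediately for Tx. Either document that the FT path intentionally reuses the last negotiated index, or reset keyidx_active and use_extended_key_id before the FT install so a stale index cannot be used with the new AP.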
@@ -417,6 +420,14 @@ static int wpa_parse_generic(const u8 *pos, const u8 *end, return 0; } + if (pos[1] > RSN_SELECTOR_LEN + 1 && + RSN_SELECTOR_GET(pos + 2) == RSN_KEY_DATA_KEYID) { + ie->key_id = pos + 2 + RSN_SELECTOR_LEN; + wpa_hexdump(MSG_DEBUG, "WPA: KeyID in EAPOL-Key", + pos, pos[1] + 2); + return 0; + } + if (pos[1] > RSN_SELECTOR_LEN + 2 && RSN_SELECTOR_GET(pos + 2) == RSN_KEY_DATA_GROUPKEY) { ie->gtk = pos + 2 + RSN_SELECTOR_LEN; diff --git a/src/rsn_supp/wpa_ie.h b/src/rsn_supp/wpa_ie.h index 9d53973a9..f961e90e4 100644 --- a/src/rsn_supp/wpa_ie.h +++ b/src/rsn_supp/wpa_ie.h @@ -17,6 +17,7 @@ struct wpa_eapol_ie_parse { const u8 *rsn_ie; size_t rsn_ie_len; const u8 *pmkid; + const u8 *key_id; const u8 *gtk; size_t gtk_len; const u8 *mac_addr; diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c index fc1ed4f90..19a213398 100644 --- a/wpa_supplicant/config.c +++ b/wpa_supplicant/config.c @@ -2334,6 +2334,7 @@ static const struct parse_data ssid_fields[] = { { INT(dot11MeshConfirmTimeout) }, { INT(dot11MeshHoldingTimeout) }, #endif /* CONFIG_MESH */ + { INT(wpa_extended_key_id) }, { INT(wpa_ptk_rekey) }, { INT(group_rekey) }, { STR(bgscan) }, @@ -2854,6 +2855,7 @@ void wpa_config_set_network_defaults(struct wpa_ssid *ssid) { ssid->proto = DEFAULT_PROTO; ssid->pairwise_cipher = DEFAULT_PAIRWISE; + ssid->wpa_extended_key_id = DEFAULT_EXTENDED_KEY_ID; ssid->group_cipher = DEFAULT_GROUP; ssid->key_mgmt = DEFAULT_KEY_MGMT; ssid->bg_scan_period = DEFAULT_BG_SCAN_PERIOD; diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c index 91d5caa3f..dadc503eb 100644 --- a/wpa_supplicant/config_file.c +++ b/wpa_supplicant/config_file.c 
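Review bot: the new KeyID branch in wpa_parse_generic requires `pos[1] > RSN_SELECTOR_LEN + 1`, i.e. at least two octets of KeyID payload, which matches the 2-octet field, but only the pointer is stored; record the payload length as well (a `key_id_len` next to `key_id` in struct wpa_eapol_ie_parse, in the wpa_ie.h hunk) so handle_extended_key_id can reject an oversized KDE instead of silently reading just the first octet.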
@@ -882,6 +882,7 @@ static void wpa_config_write_network(FILE *f, struct wpa_ssid *ssid) INT_DEF(dot11MeshHoldingTimeout, DEFAULT_MESH_HOLDING_TIMEOUT); INT_DEF(mesh_rssi_threshold, DEFAULT_MESH_RSSI_THRESHOLD); #endif /* CONFIG_MESH */ + INT(wpa_extended_key_id); INT(wpa_ptk_rekey); INT(group_rekey); INT(ignore_broadcast_ssid); diff --git a/wpa_supplicant/config_ssid.h b/wpa_supplicant/config_ssid.h index d5c5c00a9..968b1c040 100644 --- a/wpa_supplicant/config_ssid.h +++ b/wpa_supplicant/config_ssid.h @@ -22,6 +22,7 @@ #define DEFAULT_PAIRWISE (WPA_CIPHER_CCMP | WPA_CIPHER_TKIP) #define DEFAULT_GROUP (WPA_CIPHER_CCMP | WPA_CIPHER_TKIP) #define DEFAULT_FRAGMENT_SIZE 1398 +#define DEFAULT_EXTENDED_KEY_ID 1 #define DEFAULT_BG_SCAN_PERIOD -1 #define DEFAULT_MESH_MAX_RETRIES 2 @@ -528,6 +529,15 @@ struct wpa_ssid { unsigned int vht_center_freq1; unsigned int vht_center_freq2; + /** wpa_extended_key_id - Extended Key ID support + * + * IEEE 802.11-2016 optionally allows to use key id 0 and 1 for PTK keys + * default: auto (1) + * 0 = force off. Do not announce or use Extended Key ID. + * 1 = auto. Use Extended Key ID when possible. + */ + int wpa_extended_key_id; + /** * wpa_ptk_rekey - Maximum lifetime for PTK in seconds * diff --git a/wpa_supplicant/ctrl_iface.c b/wpa_supplicant/ctrl_iface.c index 862f72734..e5f7246d1 100644 --- a/wpa_supplicant/ctrl_iface.c +++ b/wpa_supplicant/ctrl_iface.c @@ -5254,6 +5254,9 @@ static void wpa_supplicant_ctrl_iface_drop_sa(struct wpa_supplicant *wpa_s) wpa_drv_set_key(wpa_s, WPA_ALG_NONE, wpa_s->bssid, 0, 0, NULL, 0, NULL, 0, KEY_TYPE_PAIRWISE); + if (wpa_sm_extended_key_id(wpa_s->wpa)) + wpa_drv_set_key(wpa_s, WPA_ALG_NONE, wpa_s->bssid, 1, 0, NULL, + 0, NULL, 0, KEY_TYPE_PAIRWISE); /* MLME-SETPROTECTION.request(None) */ wpa_drv_mlme_setprotection(wpa_s, wpa_s->bssid, MLME_SETPROTECTION_PROTECT_TYPE_NONE, diff --git a/wpa_supplicant/driver_i.h b/wpa_supplicant/driver_i.h index c93cca59b..662a1000a 100644 
--- a/wpa_supplicant/driver_i.h +++ b/wpa_supplicant/driver_i.h @@ -156,10 +156,19 @@ static inline int wpa_drv_set_key(struct wpa_supplicant *wpa_s, enum key_type key_type) { if (alg != WPA_ALG_NONE) { - if (key_idx >= 0 && key_idx <= 6) + if (key_idx == 1 && + (key_type == KEY_TYPE_PAIRWISE || + key_type == KEY_TYPE_NO_AUTO_TX)) { + /* keyidx = 1 can be either a broadcast or - with + * Extended Key ID - an unicast key. Use bit 6 for + * the pairwise keyidx 1. + */ + wpa_s->keys_cleared &= ~BIT(6); + } else if (key_idx >= 0 && key_idx <= 5) { wpa_s->keys_cleared &= ~BIT(key_idx); - else + } else { wpa_s->keys_cleared = 0; + } } if (wpa_s->driver->set_key) { return wpa_s->driver->set_key(wpa_s->ifname, wpa_s->drv_priv, diff --git a/wpa_supplicant/wpa_cli.c b/wpa_supplicant/wpa_cli.c index 43ac42720..1bad63e08 100644 --- a/wpa_supplicant/wpa_cli.c +++ b/wpa_supplicant/wpa_cli.c @@ -1442,7 +1442,8 @@ static const char *network_fields[] = { "dot11MeshRetryTimeout", "dot11MeshConfirmTimeout", "dot11MeshHoldingTimeout", #endif /* CONFIG_MESH */ - "wpa_ptk_rekey", "bgscan", "ignore_broadcast_ssid", + "wpa_extended_key_id", "wpa_ptk_rekey", "bgscan", + "ignore_broadcast_ssid", #ifdef CONFIG_P2P "go_p2p_dev_addr", "p2p_client_list", "psk_list", #endif /* CONFIG_P2P */ diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c index 56bba65e8..d2be5949c 100644 --- a/wpa_supplicant/wpa_supplicant.c +++ b/wpa_supplicant/wpa_supplicant.c @@ -699,7 +699,7 @@ void wpa_clear_keys(struct wpa_supplicant *wpa_s, const u8 *addr) int i, max; #ifdef CONFIG_IEEE80211W - max = 6; + max = 5; #else /* CONFIG_IEEE80211W */ max = 4; #endif /* CONFIG_IEEE80211W */ 
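Review bot: the `max = 6` to `max = 5` change in wpa_clear_keys looks like the wrong direction if the loop that consumes it is `for (i = 0; i < max; i++)` (the loop header is outside this hunk; its body, `wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, i, 0, NULL, 0, NULL, 0, KEY_TYPE_BROADCAST)`, is visible as context in the next hunk): with an exclusive bound, 6 already covers key ids 0..5 and 5 would stop clearing IGTK key id 5, whereas the driver_i.h hunk in this same patch correctly tightens the inclusive test to `key_idx <= 5`. Please confirm the loop bound before treating this as an off-by-one fix.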
@@ -711,10 +711,15 @@ void wpa_clear_keys(struct wpa_supplicant *wpa_s, const u8 *addr) wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, i, 0, NULL, 0, NULL, 0, KEY_TYPE_BROADCAST); } - if (!(wpa_s->keys_cleared & BIT(0)) && addr && + /* Pairwise key idx 1 for Extended Key ID is tracked with bit 6 */ + if (~wpa_s->keys_cleared & (BIT(0) | BIT(6)) && addr && !is_zero_ether_addr(addr)) { - wpa_drv_set_key(wpa_s, WPA_ALG_NONE, addr, 0, 0, NULL, 0, NULL, - 0, KEY_TYPE_PAIRWISE); + if (!(wpa_s->keys_cleared & (BIT(0)))) + wpa_drv_set_key(wpa_s, WPA_ALG_NONE, addr, 0, 0, NULL, + 0, NULL, 0, KEY_TYPE_PAIRWISE); + if (!(wpa_s->keys_cleared & (BIT(6)))) + wpa_drv_set_key(wpa_s, WPA_ALG_NONE, addr, 1, 0, NULL, + 0, NULL, 0, KEY_TYPE_PAIRWISE); /* MLME-SETPROTECTION.request(None) */ wpa_drv_mlme_setprotection( wpa_s, addr, @@ -1237,6 +1242,20 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s, int sel, proto; const u8 *bss_wpa, *bss_rsn, *bss_osen; + if (ssid->mode == WPAS_MODE_INFRA && ssid->wpa_extended_key_id && + wpa_s->drv_flags & WPA_DRIVER_FLAGS_EXTENDED_KEY_ID) { + wpa_msg(wpa_s, MSG_DEBUG, "Enable Extended Key ID support"); + wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_EXTENDED_KEY_ID, 1); + } else { + if (ssid->wpa_extended_key_id) + wpa_msg(wpa_s, MSG_INFO, + "Extended Key ID not supported"); + else + wpa_msg(wpa_s, MSG_DEBUG, + "Extended Key ID support disabled"); + wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_EXTENDED_KEY_ID, 0); + } + if (bss) { bss_wpa = wpa_bss_get_vendor_ie(bss, WPA_IE_VENDOR_TYPE); bss_rsn = wpa_bss_get_ie(bss, WLAN_EID_RSN); diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf index 1159bdcdc..b6a1ed2fd 100644 --- a/wpa_supplicant/wpa_supplicant.conf +++ b/wpa_supplicant/wpa_supplicant.conf 
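Review bot: the new condition in the @@ -711 hunk, `~wpa_s->keys_cleared & (BIT(0) | BIT(6)) && addr && ...`, is correct only because `&` binds tighter than `&&`; wrap the bitwise test in parentheses, `(~wpa_s->keys_cleared & (BIT(0) | BIT(6)))`, and drop the doubled parentheses in `(BIT(0))` and `(BIT(6))` below it so the two inner checks read the same way.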
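Review bot: in the wpa_supplicant_set_suites hunk (@@ -1237) the else branch logs "Extended Key ID not supported" at MSG_INFO whenever ssid->wpa_extended_key_id is set, and since DEFAULT_EXTENDED_KEY_ID is 1 that fires for every non-infrastructure network and for every driver without WPA_DRIVER_FLAGS_EXTENDED_KEY_ID; consider MSG_DEBUG for the default (auto) case and INFO only when the user explicitly enabled the option, so the common case does not look like a misconfiguration.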
@@ -1070,6 +1070,11 @@ fast_reauth=1 # hex without quotation, e.g., 0102030405) # wep_tx_keyidx: Default WEP key index (TX) (0..3) # +# wpa_extended_key_id: +# Support the unicast rekey protocol "Extended Key ID" from IEEE 802.11 - 2016. +# 0 = force off: Do not announce or use Extended Key ID +# 1 = auto: Use Extended Key ID when possible (default) +# # wpa_ptk_rekey: Maximum lifetime for PTK in seconds. This can be used to # enforce rekeying of PTK to mitigate some attacks against TKIP deficiencies. # diff --git a/wpa_supplicant/wpas_glue.c b/wpa_supplicant/wpas_glue.c index 8aa555a1d..252c1ff8c 100644 --- a/wpa_supplicant/wpas_glue.c +++ b/wpa_supplicant/wpas_glue.c @@ -505,7 +505,8 @@ static int wpa_supplicant_set_key(void *_wpa_s, enum wpa_alg alg, } #endif /* CONFIG_TESTING_GET_GTK */ #ifdef CONFIG_TESTING_OPTIONS - if (addr && !is_broadcast_ether_addr(addr)) { + if (addr && !is_broadcast_ether_addr(addr) && + key_type != KEY_TYPE_SET_TX) { wpa_s->last_tk_alg = alg; os_memcpy(wpa_s->last_tk_addr, addr, ETH_ALEN); wpa_s->last_tk_key_idx = key_idx; 
@@ -1272,6 +1273,7 @@ void wpa_supplicant_rsn_supp_set_config(struct wpa_supplicant *wpa_s, #endif /* IEEE8021X_EAPOL */ conf.ssid = ssid->ssid; conf.ssid_len = ssid->ssid_len; + conf.wpa_extended_key_id = ssid->wpa_extended_key_id; conf.wpa_ptk_rekey = ssid->wpa_ptk_rekey; #ifdef CONFIG_P2P if (ssid->p2p_group && wpa_s->current_bss &&

From patchwork Sat Aug 24 16:05:00 2019 X-Patchwork-Submitter: Alexander Wetzel X-Patchwork-Id: 1152688
From: Alexander Wetzel To: j@w1.fi Subject: [PATCH v4 11/16] tests: Extended Key ID tests Date: Sat, 24 Aug 2019 18:05:00 +0200 Message-Id: <20190824160505.5548-12-alexander@wetzel-home.de> X-Mailer: git-send-email 2.23.0 In-Reply-To: <20190824160505.5548-1-alexander@wetzel-home.de> References: <20190824160505.5548-1-alexander@wetzel-home.de> Cc: Alexander Wetzel ,
hostap@lists.infradead.org, luca@coelho.fi, johannes@sipsolutions.net Sender: "Hostap" Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org

Add the needed infrastructure for the Extended Key ID tests, update the tests overriding RSN Capabilities to work with and without Extended Key ID support and add additional interoperability tests for Extended Key ID. When supported by the platform (hwsim) all tests will use Extended Key ID by default while staying backward compatible.

Signed-off-by: Alexander Wetzel
---
There is of course much more we could test here. Especially wlantest is a neglected area so far. But then any tests using it are also working when we use Extended Key ID as it is. Sample test runs are linked in the cover letter of the series.

tests/hwsim/hostapd.py | 19 ++++++++-
tests/hwsim/test_ap_eap.py | 20 +++++++++-
tests/hwsim/test_ap_psk.py | 76 ++++++++++++++++++++++++++++++++----
tests/hwsim/test_ocv.py | 13 ++++--
tests/hwsim/test_rrm.py | 7 +++-
tests/hwsim/wpasupplicant.py | 7 +++-
wlantest/bss.c | 4 +-
wlantest/rx_eapol.c | 4 ++
8 files changed, 134 insertions(+), 16 deletions(-)

diff --git a/tests/hwsim/hostapd.py b/tests/hwsim/hostapd.py index 4430d8055..c8021ffcc 100644 --- a/tests/hwsim/hostapd.py +++ b/tests/hwsim/hostapd.py @@ -151,6 +151,7 @@ class Hostapd: self.mon.attach() self.bssid = None self.bssidx = bssidx + self.extKeyID = None def cmd_execute(self, cmd_array, shell=False): if self.hostname is None: @@ -536,7 +537,7 @@ def add_ap(apdev, params, wait_enabled=True, no_enable=False, timeout=30, raise Exception("Could not ping hostapd") hapd.set_defaults() fields = ["ssid", "wpa_passphrase", "nas_identifier", "wpa_key_mgmt", - "wpa", + "wpa", "wpa_extended_key_id", "wpa_pairwise", "rsn_pairwise", "auth_server_addr", "acct_server_addr", "osu_server_uri"] for field in fields:
@@ -554,6 +555,16 @@ def add_ap(apdev, params, wait_enabled=True, no_enable=False, timeout=30, return hapd hapd.enable() if wait_enabled: + if "wpa" in params and params["wpa"] == "2": + ev = hapd.wait_event(["Extended Key ID"], timeout=5) + if ev is None or "requires wpa2" in ev: + hapd.extKeyID = "unused" + elif "not supported" in ev: + hapd.extKeyID = "auto-off" + elif "disabled" in ev: + hapd.extKeyID = "force-off" + else: + hapd.extKeyID = "auto-on" ev = hapd.wait_event(["AP-ENABLED", "AP-DISABLED"], timeout=timeout) if ev is None: raise Exception("AP startup timed out") @@ -619,7 +630,7 @@ def terminate(apdev): hapd_global = HostapdGlobal(apdev) hapd_global.terminate() -def wpa2_params(ssid=None, passphrase=None): +def wpa2_params(ssid=None, passphrase=None, wpa_extended_key_id="auto"): params = {"wpa": "2", "wpa_key_mgmt": "WPA-PSK", "rsn_pairwise": "CCMP"} @@ -627,6 +638,10 @@ def wpa2_params(ssid=None, passphrase=None): params["ssid"] = ssid if passphrase: params["wpa_passphrase"] = passphrase + if wpa_extended_key_id == "on": + params["wpa_extended_key_id"] = "1" + elif wpa_extended_key_id == "off": + params["wpa_extended_key_id"] = "0" return params def wpa_params(ssid=None, passphrase=None): diff --git a/tests/hwsim/test_ap_eap.py b/tests/hwsim/test_ap_eap.py index 2fc6925a1..6fc208d20 100644 --- a/tests/hwsim/test_ap_eap.py +++ b/tests/hwsim/test_ap_eap.py @@ -6535,7 +6535,7 @@ def test_eap_tls_sha384(dev, apdev, params): def test_ap_wpa2_eap_assoc_rsn(dev, apdev): """WPA2-Enterprise AP and association request RSN IE differences""" params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap") - hostapd.add_ap(apdev[0], params) + hapd = hostapd.add_ap(apdev[0], params) params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap-11w") params["ieee80211w"] = "2" 
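Review bot: the extKeyID detection added to add_ap waits up to 5 s for a log line containing "Extended Key ID" on every AP started with wpa=2, so on a hostapd build that never emits that message each such add_ap call pays the full timeout before it even starts waiting for AP-ENABLED; consider gating the wait on a capability indication or using a much shorter timeout. Note also that the classification depends on the exact substrings "requires wpa2", "not supported" and "disabled" from hostapd's messages and falls through to "auto-on" for anything else, so a reworded message would silently flip the result; matching on a dedicated event would be more robust.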
@@ -6555,6 +6555,17 @@ def test_ap_wpa2_eap_assoc_rsn(dev, apdev): ("RSN IE without AKM", "300c0100000fac040100000fac04"), ("RSN IE without pairwise", "30060100000fac04"), ("RSN IE without group", "30020100")] + + if hapd.extKeyID == "auto-on": + tests += [("Normal wpa_supplicant assoc req RSN IE with Extended Key ID", + "30140100000fac040100000fac040100000fac010020"), + ("Extra PMKIDCount field in RSN IE with Extended Key ID", + "30160100000fac040100000fac040100000fac0100200000"), + ("Extra Group Management Cipher Suite in RSN IE with Extended Key ID", + "301a0100000fac040100000fac040100000fac0100200000000fac06"), + ("Extra undefined extension field in RSN IE with Extended Key ID", + "301c0100000fac040100000fac040100000fac0100200000000fac061122")] + for title, ie in tests: logger.info(title) set_test_assoc_ie(dev[0], ie) @@ -6569,6 +6580,13 @@ def test_ap_wpa2_eap_assoc_rsn(dev, apdev): "30140100000fac040100000fac040100000fac01cc00"), ("Group management cipher included in assoc req RSN IE", "301a0100000fac040100000fac040100000fac01cc000000000fac06")] + + if hapd.extKeyID == "auto-on": + tests += [("Normal wpa_supplicant assoc req RSN IE with Extended Key ID", + "30140100000fac040100000fac040100000fac01cc20"), + ("Group management cipher included in assoc req RSN IE with Extended Key ID", + "301a0100000fac040100000fac040100000fac01cc200000000fac06")] + for title, ie in tests: logger.info(title) set_test_assoc_ie(dev[0], ie) diff --git a/tests/hwsim/test_ap_psk.py b/tests/hwsim/test_ap_psk.py index 2655c960c..9bb996f09 100644 --- a/tests/hwsim/test_ap_psk.py +++ b/tests/hwsim/test_ap_psk.py 
@@ -203,16 +203,56 @@ def _test_ap_wpa2_psk_mem(dev, apdev): @remote_compatible def test_ap_wpa2_ptk_rekey(dev, apdev): - """WPA2-PSK AP and PTK rekey enforced by station""" + """WPA2-PSK AP and PTK rekey enforced by station without Extended Key ID""" + ssid = "test-wpa2-psk" + passphrase = 'qwertyuiop' + params = hostapd.wpa2_params(ssid=ssid, passphrase=passphrase, + wpa_extended_key_id="off") + hapd = hostapd.add_ap(apdev[0], params) + dev[0].connect(ssid, psk=passphrase, wpa_ptk_rekey="1", scan_freq="2412", + wpa_extended_key_id="off") + ev = dev[0].wait_event(["WPA: Key negotiation completed"]) + if ev is None: + raise Exception("PTK rekey timed out") + hwsim_utils.test_connectivity(dev[0], hapd) + +def test_ap_wpa2_ptk_extended_key_id_rekey(dev, apdev): + """WPA2-PSK AP and PTK rekey enforced by station with Extended Key ID""" ssid = "test-wpa2-psk" passphrase = 'qwertyuiop' params = hostapd.wpa2_params(ssid=ssid, passphrase=passphrase) hapd = hostapd.add_ap(apdev[0], params) + if hapd.extKeyID == "auto-off": + raise Exception("Extended Key ID support missing in hwsim") + + dev[0].connect(ssid, psk=passphrase, wpa_ptk_rekey="1", scan_freq="2412", + wpa_extended_key_id="off") + ev = dev[0].wait_event(["WPA: Key negotiation completed"]) + if ev is None: + raise Exception("PTK rekey timed out (STA without Extended Key ID)") + hwsim_utils.test_connectivity(dev[0], hapd) + dev[0].reset() + dev[0].connect(ssid, psk=passphrase, wpa_ptk_rekey="1", scan_freq="2412") ev = dev[0].wait_event(["WPA: Key negotiation completed"]) if ev is None: - raise Exception("PTK rekey timed out") + raise Exception("PTK rekey timed out (STA with Extended Key ID)") + hwsim_utils.test_connectivity(dev[0], hapd) + ev = dev[0].wait_event(["WPA: Key negotiation completed"]) + if ev is None: + raise Exception("PTK rekey timed out 2 (STA with Extended Key ID)") hwsim_utils.test_connectivity(dev[0], hapd) + dev[0].reset() + + params = hostapd.wpa2_params(ssid=ssid, passphrase=passphrase, + 
wpa_extended_key_id="off") + hapd = hostapd.add_ap(apdev[0], params) + dev[0].connect(ssid, psk=passphrase, wpa_ptk_rekey="1", scan_freq="2412") + ev = dev[0].wait_event(["WPA: Key negotiation completed"]) + if ev is None: + raise Exception("PTK rekey timed out (AP without Extended Key ID") + hwsim_utils.test_connectivity(dev[0], hapd) + dev[0].reset() def test_ap_wpa2_ptk_rekey_anonce(dev, apdev): """WPA2-PSK AP and PTK rekey enforced by station and ANonce change""" @@ -1355,10 +1395,15 @@ def eapol_test(apdev, dev, wpa2=True, ieee80211w=0): ieee80211w=str(ieee80211w)) addr = dev.p2p_interface_addr() if wpa2: - if ieee80211w == 2: - rsne = binascii.unhexlify('30140100000fac040100000fac040100000fac02cc00') + if hapd.extKeyID == "auto-on" and ieee80211w == 2: + cap = "cc20" + elif hapd.extKeyID == "auto-on": + cap = "0020" + elif ieee80211w == 2: + cap = "cc00" else: - rsne = binascii.unhexlify('30140100000fac040100000fac040100000fac020000') + cap = "0000" + rsne = binascii.unhexlify('30140100000fac040100000fac040100000fac02'+cap) else: rsne = binascii.unhexlify('dd160050f20101000050f20201000050f20201000050f202') snonce = binascii.unhexlify('1111111111111111111111111111111111111111111111111111111111111111') @@ -2928,6 +2973,11 @@ def test_ap_wpa2_psk_assoc_rsn(dev, apdev): "30140100000fac040100000fac040100000fac020000"), ("RSN IE without RSN Capabilities", "30120100000fac040100000fac040100000fac02")] + + if hapd.extKeyID == "auto-on": + tests += [("Normal wpa_supplicant assoc req RSN IE with Extended Key ID", + "30140100000fac040100000fac040100000fac020020")] + for title, ie in tests: logger.info(title) set_test_assoc_ie(dev[0], ie) 
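Review bot: in test_ap_wpa2_ptk_extended_key_id_rekey the "auto-off" case raises a plain Exception ("Extended Key ID support missing in hwsim"), which reports the test as failed on a platform without the feature; the hwsim convention for a missing platform capability is `raise HwsimSkip(...)` (from utils) so the run is marked skipped instead. The message in the last phase, "PTK rekey timed out (AP without Extended Key ID", is also missing its closing parenthesis.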
@@ -2971,9 +3021,13 @@ def test_ap_wpa2_psk_ft_workaround(dev, apdev): params['r1_key_holder'] = "000102030405" hapd = hostapd.add_ap(apdev[0], params) + if hapd.extKeyID == "auto-on": + ie = "30180100000fac040100000fac040200000fac02000fac040020" + else: + ie = "30180100000fac040100000fac040200000fac02000fac040000" + # Include both WPA-PSK and FT-PSK AKMs in Association Request frame - set_test_assoc_ie(dev[0], - "30180100000fac040100000fac040200000fac02000fac040000") + set_test_assoc_ie(dev[0], ie) dev[0].connect(ssid, psk=passphrase, scan_freq="2412") dev[0].request("REMOVE_NETWORK all") dev[0].wait_disconnected() @@ -2990,6 +3044,14 @@ def test_ap_wpa2_psk_assoc_rsn_pmkid(dev, apdev): dev[0].request("REMOVE_NETWORK all") dev[0].wait_disconnected() + if not hapd.extKeyID == "auto-on": + return + + set_test_assoc_ie(dev[0], "30260100000fac040100000fac040100000fac0200200100" + 16*'00') + dev[0].connect(ssid, psk=passphrase, scan_freq="2412") + dev[0].request("REMOVE_NETWORK all") + dev[0].wait_disconnected() + def test_ap_wpa_psk_rsn_pairwise(dev, apdev): """WPA-PSK AP and only rsn_pairwise set""" params = {"ssid": "wpapsk", "wpa": "1", "wpa_key_mgmt": "WPA-PSK", diff --git a/tests/hwsim/test_ocv.py b/tests/hwsim/test_ocv.py index 176e17faf..7787a4056 100644 --- a/tests/hwsim/test_ocv.py +++ b/tests/hwsim/test_ocv.py 
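Review bot: in the test_ap_wpa2_psk_assoc_rsn_pmkid hunk the early return `if not hapd.extKeyID == "auto-on": return` reads more naturally as `if hapd.extKeyID != "auto-on":`, matching the comparison style used for the same attribute elsewhere in this patch.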
@@ -380,10 +380,17 @@ class APConnection: self.bssid = apdev['bssid'] pmk = binascii.unhexlify("c2c6c255af836bed1b3f2f1ded98e052f5ad618bb554e2836757b55854a0eab7") - if sta_ocv != "0": - self.rsne = binascii.unhexlify("301a0100000fac040100000fac040100000fac0280400000000fac06") + if self.hapd.extKeyID == "auto-on": + if sta_ocv != "0": + cap = "8060" + else: + cap = "8020" else: - self.rsne = binascii.unhexlify("301a0100000fac040100000fac040100000fac0280000000000fac06") + if sta_ocv != "0": + cap = "8040" + else: + cap = "8000" + self.rsne = binascii.unhexlify("301a0100000fac040100000fac040100000fac02"+cap+"0000000fac06") self.snonce = binascii.unhexlify('1111111111111111111111111111111111111111111111111111111111111111') dev.connect(self.ssid, raw_psk=self.psk, scan_freq=freq, ocv=sta_ocv, diff --git a/tests/hwsim/test_rrm.py b/tests/hwsim/test_rrm.py index c9c8d6103..4f2a323c2 100644 --- a/tests/hwsim/test_rrm.py +++ b/tests/hwsim/test_rrm.py @@ -1182,6 +1182,11 @@ def test_rrm_beacon_req_table_rsne(dev, apdev): params["rrm_beacon_report"] = "1" hapd = hostapd.add_ap(apdev[0], params) + if hapd.extKeyID == "auto-on": + cap = "0c20" + else: + cap = "0c00" + dev[0].connect("rrm-rsn", psk="12345678", scan_freq="2412") addr = dev[0].own_addr() @@ -1196,7 +1201,7 @@ def test_rrm_beacon_req_table_rsne(dev, apdev): raise Exception("Reported Frame Body subelement missing") if len(report.frame_body) != 12 + 22: raise Exception("Unexpected Reported Frame Body subelement length with Reporting Detail 1 and requested element RSNE") - if binascii.unhexlify("30140100000fac040100000fac040100000fac020c00") not in report.frame_body: + if binascii.unhexlify("30140100000fac040100000fac040100000fac02"+cap) not in report.frame_body: raise Exception("Full RSNE not found") def test_rrm_beacon_req_table_vht(dev, apdev): diff --git a/tests/hwsim/wpasupplicant.py b/tests/hwsim/wpasupplicant.py index 8c7e13d02..c02aca409 100644 --- a/tests/hwsim/wpasupplicant.py 
+++ b/tests/hwsim/wpasupplicant.py @@ -1053,13 +1053,18 @@ class WpaSupplicant: if tspecs: raise Exception("DELTS failed (still in tspec list)") - def connect(self, ssid=None, ssid2=None, **kwargs): + def connect(self, ssid=None, ssid2=None, + wpa_extended_key_id="auto", **kwargs): logger.info("Connect STA " + self.ifname + " to AP") id = self.add_network() if ssid: self.set_network_quoted(id, "ssid", ssid) elif ssid2: self.set_network(id, "ssid", ssid2) + if wpa_extended_key_id == "on": + self.set_network(id, "wpa_extended_key_id", "1") + elif wpa_extended_key_id == "off": + self.set_network(id, "wpa_extended_key_id", "0") quoted = ["psk", "identity", "anonymous_identity", "password", "ca_cert", "client_cert", "private_key", diff --git a/wlantest/bss.c b/wlantest/bss.c index 298a902c7..08181dc8c 100644 --- a/wlantest/bss.c +++ b/wlantest/bss.c @@ -334,7 +334,9 @@ void bss_update(struct wlantest *wt, struct wlantest_bss *bss, bss->rsn_capab & WPA_CAPABILITY_MFPC ? "MFPC " : "", bss->rsn_capab & WPA_CAPABILITY_PEERKEY_ENABLED ? "PEERKEY " : "", - bss->rsn_capab & WPA_CAPABILITY_OCVC ? "OCVC " : ""); + bss->rsn_capab & WPA_CAPABILITY_OCVC ? "OCVC " : "", + bss->rsn_capab & WPA_CAPABILITY_EXT_KEY_ID_FOR_UNICAST ? + "Extended Key ID" : ""); } diff --git a/wlantest/rx_eapol.c b/wlantest/rx_eapol.c index 1af48ec8f..4d692e09a 100644 --- a/wlantest/rx_eapol.c +++ b/wlantest/rx_eapol.c 
@@ -458,6 +458,10 @@ static void learn_kde_keys(struct wlantest *wt, struct wlantest_bss *bss, ie.rsn_ie, ie.rsn_ie_len); } + if (ie.key_id) { + add_note(wt, MSG_DEBUG, "KeyID %u", ie.key_id[0]); + } + if (ie.gtk) { wpa_hexdump(MSG_MSGDUMP, "EAPOL-Key Key Data - GTK KDE", ie.gtk, ie.gtk_len);
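Review bot: in the tests/hwsim/test_ap_psk.py PTK-rekey hunk at the top of this patch, the exception string `"PTK rekey timed out (AP without Extended Key ID"` is missing its closing parenthesis; it only shows up in a failure log, but fix it while here: `raise Exception("PTK rekey timed out (AP without Extended Key ID)")`.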
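Review bot: in the test_ap_wpa2_psk_assoc_rsn_pmkid hunk, `if not hapd.extKeyID == "auto-on": return` reads better as `if hapd.extKeyID != "auto-on": return`, matching the `== "auto-on"` comparisons in the other hunks; an early return also skips the new PMKID+Extended Key ID case silently, so either log why it was skipped or structure it as the `if hapd.extKeyID == "auto-on":` block used in test_ap_wpa2_psk_assoc_rsn.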
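Review bot: in the wlantest/bss.c hunk, the new "Extended Key ID" string has no trailing space, unlike "MFPC ", "PEERKEY " and "OCVC ", so anything printed after it will run into it; more importantly the format string that needs the additional `%s` is outside the hunk's context, so please confirm it was updated, since with an extra argument and no matching conversion the flag would never be printed.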
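Review bot: in the wlantest/rx_eapol.c hunk, hostap style does not put braces around a single-statement `if` body, so drop them; and since the KeyID KDE carries the KeyID in bits 0-1 of its first octet with the rest reserved, print `ie.key_id[0] & 0x03` rather than the raw octet. The value is also only logged here: if wlantest is meant to decrypt frames after a rekey that switched the pairwise key to KeyID 1, it needs to be stored in the STA state next to the PTK, the way the GTK KDE below is stored.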
From patchwork Sat Aug 24 16:05:01 2019
From: Alexander Wetzel
To: j@w1.fi
Subject: [PATCH v4 12/16] hostapd: FILS Extended Key ID support
Date: Sat, 24 Aug 2019 18:05:01 +0200
Message-Id: <20190824160505.5548-13-alexander@wetzel-home.de>
In-Reply-To: <20190824160505.5548-1-alexander@wetzel-home.de>
References: <20190824160505.5548-1-alexander@wetzel-home.de>
Cc: Alexander Wetzel, hostap@lists.infradead.org, luca@coelho.fi, johannes@sipsolutions.net

IEEE 802.11ai-2016 is missing any instructions on how to handle it in combination with Extended Key ID. There are two obvious ways:

1) FILS can only use KeyID 0 and the STAs decide on rekey whether they can use Extended Key ID or not.

2) FILS also checks if Extended Key ID can be used by both STAs and adds the KeyID KDE when it's being used in the initial handshake.

The latter seems to be closer to the intent of 802.11ai and, since there are no other implementations of Extended Key ID to consider, this patch implements option 2) for now.
Signed-off-by: Alexander Wetzel
---
Now this is a very free interpretation of how to handle Extended Key ID in combination with FILS. Technically it's the same issue as we have for FT, so I'm using the same (arguable) solution here: we bypass the 4-way handshake and Extended Key ID is therefore mostly irrelevant. Neither FILS nor FT discusses Extended Key ID at all, but both have a mechanism to hand over/get the GTK ID, which of course can also pass over the (unicast) KeyID required for Extended Key ID support...

Now the new patch series is rigorously sticking to the key install mode used at the initial connect: when either the AP or the STA tries to use anything else than what was used for the connect, we kill the connection. By also adding the KeyID to the KDEs these checks work basically out of the box and the Extended Key ID flag in the RSN capabilities serves a purpose.

Alternatively we could relax the checks and accept that we either still set the Extended Key ID bit in RSN but just assume the KeyID is always zero for FT and FILS, or even drop the bit in the RSN capabilities and relax the sanity checks for FILS and FT accordingly. Since STAs that are not Extended Key ID capable won't care either way and there are zero implementations of Extended Key ID we have to stay compatible with, I decided to first try what I consider the cleanest way. Therefore unicast KeyIDs have been added to the frames that also transport the GTK ID. Based on the feedback we either keep or change it.

src/ap/wpa_auth.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c index 0213e97c2..af3b855fb 100644 --- a/src/ap/wpa_auth.c +++ b/src/ap/wpa_auth.c
@@ -2692,6 +2692,15 @@ static struct wpabuf * fils_prepare_plainbuf(struct wpa_state_machine *sm, wpabuf_put_u8(plain, WLAN_EID_EXT_KEY_DELIVERY); wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, wpabuf_put(plain, WPA_KEY_RSC_LEN)); + + hdr[1] = 0; + if (sm->use_extended_key_id) { + hdr[0] = sm->keyidx_active & 0x01; + tmp = wpabuf_put(plain, 0); + tmp2 = wpa_add_kde(tmp, RSN_KEY_DATA_KEYID, hdr, 2, NULL, 0); + wpabuf_put(plain, tmp2 - tmp); + } + /* GTK KDE */ gtk = gsm->GTK[gsm->GN - 1]; gtk_len = gsm->GTK_len; @@ -2708,7 +2717,6 @@ static struct wpabuf * fils_prepare_plainbuf(struct wpa_state_machine *sm, gtk = dummy_gtk; } hdr[0] = gsm->GN & 0x03; - hdr[1] = 0; tmp = wpabuf_put(plain, 0); tmp2 = wpa_add_kde(tmp, RSN_KEY_DATA_GROUPKEY, hdr, 2, gtk, gtk_len); 
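Review bot: in the fils_prepare_plainbuf hunk, `hdr[0] = sm->keyidx_active & 0x01;` masks the index instead of validating it; if keyidx_active were ever outside 0..1 the KeyID KDE would silently announce a different index than the one fils_set_tk() installs with the unmasked `sm->keyidx_active`. Use the same value in both places and add a check (or WPA_ASSERT) that it is 0 or 1. Also, since `hdr` is shared with the GTK KDE built a few lines further down and `hdr[1] = 0` now lives above the KeyID KDE, a one-line comment that hdr[1] is reserved and must stay 0 for both KDEs would stop a later edit from reintroducing a stale value.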
@@ -2763,7 +2771,7 @@ int fils_set_tk(struct wpa_state_machine *sm) klen = wpa_cipher_key_len(sm->pairwise); wpa_printf(MSG_DEBUG, "FILS: Configure TK to the driver"); - if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0, + if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, sm->keyidx_active, sm->PTK.tk, klen, KEY_TYPE_PAIRWISE)) { wpa_printf(MSG_DEBUG, "FILS: Failed to set TK to the driver"); return -1;
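Review bot: fils_set_tk() now passes `sm->keyidx_active` to the driver unconditionally, while the KeyID KDE in fils_prepare_plainbuf() is only emitted when `sm->use_extended_key_id` is set; this relies on keyidx_active being 0 whenever Extended Key ID was not negotiated, an invariant nothing in this hunk enforces. Either pass `sm->use_extended_key_id ? sm->keyidx_active : 0`, or document where keyidx_active is reset to 0 for STAs without Extended Key ID so the STA never ends up with a TK at index 1 that was never announced.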
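A worked decoder for the two things this patch and the test changes in the previous one rely on: the Extended Key ID bit in the RSN Capabilities field (the "0020"/"cc20"/"8060" bytes in the hwsim RSNE strings) and the KeyID KDE that fils_prepare_plainbuf() now places next to the GTK KDE. This is an added example of my own, not code from hostap or from this series; the capability bit positions and KDE data types are the IEEE 802.11-2016 values, and the byte strings it is exercised with are constructed for it (the RSNEs are copied from the tests above).

```python
# Added example (not hostap code): decode the RSN Capabilities field of the
# RSNE hex strings used in the hwsim tests above, and the KDE list carried in
# EAPOL-Key Key Data / the FILS Key Delivery element. Bit positions and KDE
# data types are the IEEE 802.11-2016 values; sample bytes are constructed.
import struct

WLAN_EID_RSN = 0x30
WLAN_EID_VENDOR = 0xdd  # KDEs reuse the vendor-specific element ID
RSN_OUI = b"\x00\x0f\xac"

# RSN Capabilities field, 2 octets little-endian
WPA_CAPABILITY_MFPC = 1 << 7
WPA_CAPABILITY_EXT_KEY_ID_FOR_UNICAST = 1 << 13
WPA_CAPABILITY_OCVC = 1 << 14

# KDE data types under OUI 00-0f-ac
RSN_KEY_DATA_GROUPKEY = 1
RSN_KEY_DATA_KEYID = 10


def parse_rsne(ie: bytes) -> dict:
    """Parse an RSNE with its 2-octet header; 'caps' is None when absent."""
    if len(ie) < 4 or ie[0] != WLAN_EID_RSN or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSNE")
    body, pos = ie[2:], 0

    def u16():
        nonlocal pos
        if pos + 2 > len(body):
            raise ValueError("truncated RSNE")
        pos += 2
        return struct.unpack_from("<H", body, pos - 2)[0]

    def selectors(count):
        nonlocal pos
        start, pos = pos, pos + 4 * count
        if pos > len(body):
            raise ValueError("truncated selector list")
        return [body[start + 4 * i:start + 4 * i + 4] for i in range(count)]

    if u16() != 1:
        raise ValueError("unsupported RSN version")
    out = {"group": selectors(1)[0]}
    out["pairwise"] = selectors(u16())
    out["akm"] = selectors(u16())
    # RSN Capabilities (and everything after it) is optional
    out["caps"] = u16() if pos + 2 <= len(body) else None
    return out


def ext_key_id_negotiated(ap_rsne: bytes, sta_rsne: bytes) -> bool:
    """Extended Key ID is only used when both sides set the capability bit."""
    both = (parse_rsne(ap_rsne)["caps"] or 0) & (parse_rsne(sta_rsne)["caps"] or 0)
    return bool(both & WPA_CAPABILITY_EXT_KEY_ID_FOR_UNICAST)


def build_kde(data_type: int, payload: bytes) -> bytes:
    """One KDE: 0xdd, length, OUI 00-0f-ac, data type, payload."""
    return bytes([WLAN_EID_VENDOR, 4 + len(payload)]) + RSN_OUI + bytes([data_type]) + payload


def parse_kdes(data: bytes) -> list:
    """Return [(data_type, payload)] for the RSN KDEs in Key Data; stop at padding."""
    kdes, pos = [], 0
    while pos + 2 <= len(data):
        eid, length = data[pos], data[pos + 1]
        if eid == WLAN_EID_VENDOR and length == 0:
            break  # 0xdd 0x00 ... is Key Data padding
        if pos + 2 + length > len(data):
            raise ValueError("truncated KDE")
        payload = data[pos + 2:pos + 2 + length]
        if eid == WLAN_EID_VENDOR and length >= 4 and payload[:3] == RSN_OUI:
            kdes.append((payload[3], payload[4:]))
        pos += 2 + length
    return kdes


def learn_keys(key_data: bytes, ext_key_id: bool) -> dict:
    """Receive side: pairwise KeyID (0 unless a KeyID KDE says otherwise) and GTK.

    A KeyID KDE is a violation unless Extended Key ID was negotiated; the
    pairwise KeyID is bits 0-1 of its first octet and must be 0 or 1.
    """
    keys = {"ptk_keyid": 0, "gtk": None}
    for dtype, payload in parse_kdes(key_data):
        if dtype == RSN_KEY_DATA_KEYID:
            if len(payload) != 2 or not ext_key_id:
                raise ValueError("unexpected or malformed KeyID KDE")
            keys["ptk_keyid"] = payload[0] & 0x03
            if keys["ptk_keyid"] > 1:
                raise ValueError("pairwise KeyID must be 0 or 1")
        elif dtype == RSN_KEY_DATA_GROUPKEY and len(payload) > 2:
            # first octet: bits 0-1 KeyID, bit 2 Tx; second octet reserved
            keys["gtk"] = (payload[0] & 0x03, bool(payload[0] & 0x04), payload[2:])
    return keys


def rejected(key_data: bytes, ext_key_id: bool) -> bool:
    """True when learn_keys() refuses the Key Data; used to exercise the checks."""
    try:
        learn_keys(key_data, ext_key_id)
    except ValueError:
        return True
    return False
```

The rejection in learn_keys() of a KeyID KDE when the capability bit was not negotiated on both sides, and of any pairwise index other than 0 or 1, is the receive-side counterpart of the "kill the connection on mismatch" policy described in the notes above; parse_rsne() stopping at RSN Capabilities is enough to read every RSNE used in the tests, including the 18-byte one without a capabilities field.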
From patchwork Sat Aug 24 16:05:02 2019
From: Alexander Wetzel
To: j@w1.fi
Subject: [PATCH v4 13/16] wpa_supplicant: FILS Extended Key ID support
Date: Sat, 24 Aug 2019 18:05:02 +0200
Message-Id: <20190824160505.5548-14-alexander@wetzel-home.de>
In-Reply-To: <20190824160505.5548-1-alexander@wetzel-home.de>
References: <20190824160505.5548-1-alexander@wetzel-home.de>
Cc: Alexander Wetzel, hostap@lists.infradead.org, luca@coelho.fi, johannes@sipsolutions.net

This implements the FILS Extended Key ID support in wpa_supplicant compatible with our implementation for hostapd: when supporting Extended Key ID, the KeyID for the pairwise key must also be in the FILS handshake.

Signed-off-by: Alexander Wetzel
---
src/rsn_supp/wpa.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c index de463cba6..269adcb94 100644 --- a/src/rsn_supp/wpa.c +++ b/src/rsn_supp/wpa.c @@ -4381,6 +4381,7 @@ int fils_process_assoc_resp(struct wpa_sm *sm, const u8 *resp, size_t len) struct wpa_gtk_data gd; int maxkeylen; struct wpa_eapol_ie_parse kde; + struct wpa_ie_data rsn; if (!sm || !sm->ptk_set) { wpa_printf(MSG_DEBUG, "FILS: No KEK available"); @@ -4494,8 +4495,6 @@ int fils_process_assoc_resp(struct wpa_sm *sm, const u8 *resp, size_t len) #ifdef CONFIG_IEEE80211R if (wpa_key_mgmt_ft(sm->key_mgmt) && sm->fils_ft_ies) { - struct wpa_ie_data rsn; - /* Check that PMKR1Name derived by the AP matches */ if (!elems.rsn_ie || wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
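Review bot: hoisting `struct wpa_ie_data rsn;` to function scope has no user visible outside the `#ifdef CONFIG_IEEE80211R` block in these two hunks, so a build without FT gets an unused-variable warning under -Wall. Either leave the declaration inside the FT block, or, if handle_extended_key_id() is meant to consume the parsed RSNE, pass it the parsed structure instead of re-parsing `elems.rsn_ie - 2` and make that use visible in this patch.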
@@ -4563,11 +4562,16 @@ int fils_process_assoc_resp(struct wpa_sm *sm, const u8 *resp, size_t len) keylen, (long unsigned int) sm->ptk.tk_len); goto fail; } + + if (handle_extended_key_id(sm, &kde, + elems.rsn_ie - 2, elems.rsn_ie_len + 2)) + goto fail; + rsclen = wpa_cipher_rsc_len(sm->pairwise_cipher); wpa_hexdump_key(MSG_DEBUG, "FILS: Set TK to driver", sm->ptk.tk, keylen); - if (wpa_sm_set_key(sm, alg, sm->bssid, 0, 1, null_rsc, rsclen, - sm->ptk.tk, keylen, KEY_TYPE_PAIRWISE) < 0) { + if (wpa_sm_set_key(sm, alg, sm->bssid, sm->keyidx_active, 1, null_rsc, + rsclen, sm->ptk.tk, keylen, KEY_TYPE_PAIRWISE) < 0) { wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "FILS: Failed to set PTK to the driver (alg=%d keylen=%d bssid=" MACSTR ")",
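Review bot: `handle_extended_key_id(sm, &kde, elems.rsn_ie - 2, elems.rsn_ie_len + 2)` is called without checking `elems.rsn_ie`; the FT branch just above explicitly tests `!elems.rsn_ie`, so an Association Response without an RSNE reaches this call with a NULL pointer minus 2. Add the guard before the call and treat a missing RSNE as a failure, since it is what decides whether Extended Key ID was negotiated at all. The `1` still passed as set_tx to wpa_sm_set_key() is removed later in the series, so that is fine here.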
From patchwork Sat Aug 24 16:05:03 2019
From: Alexander Wetzel
To: j@w1.fi
Subject: [PATCH v4 14/16] nl80211: Extended Key ID support
Date: Sat, 24 Aug 2019 18:05:03 +0200
Message-Id: <20190824160505.5548-15-alexander@wetzel-home.de>
In-Reply-To: <20190824160505.5548-1-alexander@wetzel-home.de>
References: <20190824160505.5548-1-alexander@wetzel-home.de>
Cc: Alexander Wetzel, hostap@lists.infradead.org, luca@coelho.fi, johannes@sipsolutions.net

nl80211 supports Extended Key ID. Make the required changes to the nl80211 driver to use it.

Signed-off-by: Alexander Wetzel
---
This patch allows hostapd/wpa_supplicant to start using Extended Key ID. Since so far only Linux supports Extended Key ID (and only via nl80211), the other drivers can't be updated.

The patch is close to the end of the series to make sure bisecting still generates working binaries regardless of at which patch we split this series.

src/drivers/driver_nl80211.c | 23 ++++++++++++++++++++--- src/drivers/driver_nl80211_capa.c | 4 ++++ 2 files changed, 24 insertions(+), 3 deletions(-) diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c index a2f039b3e..4c1dd0ec4 100644 --- a/src/drivers/driver_nl80211.c +++ b/src/drivers/driver_nl80211.c @@ -3049,7 +3049,11 @@ static int wpa_driver_nl80211_set_key(const char *ifname, struct i802_bss *bss, if (!key_msg) return -ENOBUFS; - if (alg == WPA_ALG_NONE) { + if (key_type == KEY_TYPE_SET_TX) { + msg = nl80211_ifindex_msg(drv, ifindex, 0, NL80211_CMD_SET_KEY); + if (!msg) + goto fail2; + } else if (alg == WPA_ALG_NONE) { msg = nl80211_ifindex_msg(drv, ifindex, 0, NL80211_CMD_DEL_KEY); if (!msg) goto fail2; @@ -3068,7 +3072,7 @@ static int wpa_driver_nl80211_set_key(const char *ifname, struct i802_bss *bss, wpa_hexdump_key(MSG_DEBUG, "nl80211: KEY_DATA", key, key_len); } - if (seq && seq_len) { + if (seq && seq_len && key_type != KEY_TYPE_SET_TX) { if (nla_put(key_msg, NL80211_KEY_SEQ, seq_len, seq)) goto fail; wpa_hexdump(MSG_DEBUG, "nl80211: KEY_SEQ", seq, seq_len);
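Review bot: the new `key_type == KEY_TYPE_SET_TX` branch is tested before `alg == WPA_ALG_NONE`, so for SET_TX the caller's alg is never looked at, and the second hunk only drops NL80211_KEY_SEQ for that mode while the cipher/key-data attributes sit in the final else branch and are skipped as well. That is the right nl80211 usage (SET_KEY with a key index and, from the later hunk, NL80211_KEY_MODE), but the function's contract changed silently: add a comment that SET_TX expects key=NULL/key_len=0 and seq=NULL, and consider returning an error when a caller passes a non-empty key or seq in that mode rather than ignoring them, so nobody believes the TK was re-installed.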
@@ -3079,7 +3083,20 @@ static int wpa_driver_nl80211_set_key(const char *ifname, struct i802_bss *bss, if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) goto fail; - if (alg != WPA_ALG_WEP && key_type != KEY_TYPE_PAIRWISE) { + if (key_type == KEY_TYPE_NO_AUTO_TX || + key_type == KEY_TYPE_SET_TX) { + wpa_printf(MSG_DEBUG, "nl80211: %s for " + "keyid=%d addr=" MACSTR, + key_type == KEY_TYPE_NO_AUTO_TX ? + "KEY_TYPE_NO_AUTO_TX" : "KEY_TYPE_SET_TX", + key_idx, MAC2STR(addr)); + if (nla_put_u8(key_msg, NL80211_KEY_MODE, + key_type == KEY_TYPE_NO_AUTO_TX ? + NL80211_KEY_NO_TX : + NL80211_KEY_SET_TX)) + goto fail; + } else if (alg != WPA_ALG_WEP && + key_type != KEY_TYPE_PAIRWISE) { wpa_printf(MSG_DEBUG, " RSN IBSS RX GTK"); if (nla_put_u32(key_msg, NL80211_KEY_TYPE, NL80211_KEYTYPE_GROUP)) diff --git a/src/drivers/driver_nl80211_capa.c b/src/drivers/driver_nl80211_capa.c index 8318b10ab..b4d175f4e 100644 --- a/src/drivers/driver_nl80211_capa.c +++ b/src/drivers/driver_nl80211_capa.c 
@@ -417,6 +417,10 @@ static void wiphy_info_ext_feature_flags(struct wiphy_info_data *info, NL80211_EXT_FEATURE_DFS_OFFLOAD)) capa->flags |= WPA_DRIVER_FLAGS_DFS_OFFLOAD; + if (ext_feature_isset(ext_features, len, + NL80211_EXT_FEATURE_EXT_KEY_ID)) + capa->flags |= WPA_DRIVER_FLAGS_EXTENDED_KEY_ID; + #ifdef CONFIG_MBO if (ext_feature_isset(ext_features, len, NL80211_EXT_FEATURE_FILS_MAX_CHANNEL_TIME) &&
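Review bot: the diffstat lists only driver_nl80211.c and driver_nl80211_capa.c, yet this hunk uses NL80211_EXT_FEATURE_EXT_KEY_ID and the driver_nl80211.c hunks use NL80211_KEY_MODE, NL80211_KEY_NO_TX and NL80211_KEY_SET_TX; hostapd builds against its bundled src/drivers/nl80211_copy.h, so unless an earlier patch in the series refreshed that header this does not compile on a tree with older kernel headers. Refresh nl80211_copy.h in the same patch (or point to the patch that does) and state in the commit message which kernel release introduced these attributes.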
From patchwork Sat Aug 24 16:05:04 2019
From: Alexander Wetzel
To: j@w1.fi
Subject: [PATCH v4 15/16] Drop set_tx from all set_key() functions
Date: Sat, 24 Aug 2019 18:05:04 +0200
Message-Id: <20190824160505.5548-16-alexander@wetzel-home.de>
In-Reply-To: <20190824160505.5548-1-alexander@wetzel-home.de>
References: <20190824160505.5548-1-alexander@wetzel-home.de>
Cc: Alexander Wetzel, hostap@lists.infradead.org, luca@coelho.fi, johannes@sipsolutions.net

Remove the no longer used set_tx argument from all set_key() functions and finalize the API migration to key_types.

Signed-off-by: Alexander Wetzel
---
This could be done much sooner in the patch series. I just wanted to keep set_tx around as long as possible to compare key_flag API decisions to what set_tx would have done. (Since patch 7 of the series, set_tx is unused.)

 hostapd/ctrl_iface.c            | 31 +++++++++++++------------------
 src/ap/ap_drv_ops.c             |  5 ++---
 src/ap/ap_drv_ops.h             |  3 +--
 src/ap/hostapd.c                | 10 +++++-----
 src/ap/ieee802_11.c             |  2 +-
 src/ap/ieee802_1x.c             |  6 +++---
 src/ap/wpa_auth_glue.c          |  2 +-
 src/drivers/driver.h            | 12 +++++-------
 src/drivers/driver_atheros.c    |  5 ++---
 src/drivers/driver_bsd.c        |  5 ++---
 src/drivers/driver_hostap.c     |  3 +--
 src/drivers/driver_ndis.c       |  9 ++++-----
 src/drivers/driver_nl80211.c    | 20 ++++++++------------
 src/drivers/driver_openbsd.c    |  5 ++---
 src/drivers/driver_privsep.c    |  7 +++----
 src/drivers/driver_wext.c       | 14 +++++---------
 src/drivers/driver_wext.h       |  5 ++---
 src/rsn_supp/tdls.c             |  4 ++--
 src/rsn_supp/wpa.c              | 12 ++++++------
 src/rsn_supp/wpa.h              |  2 +-
 src/rsn_supp/wpa_ft.c           |  6 +++---
 src/rsn_supp/wpa_i.h            |  4 ++--
 tests/hwsim/test_ap_ciphers.py  |  2 +-
 wpa_supplicant/ctrl_iface.c     | 20 ++++++++++----------
 wpa_supplicant/driver_i.h       |  8 +++-----
 wpa_supplicant/ibss_rsn.c       | 12 ++++++------
 wpa_supplicant/mesh_mpm.c       |  6 +++---
 wpa_supplicant/mesh_rsn.c       |  8 ++++----
 wpa_supplicant/preauth_test.c   |  2 +-
 wpa_supplicant/wpa_supplicant.c | 10 +++++-----
 wpa_supplicant/wpas_glue.c      | 10 +++++-----
 31 files changed, 112 insertions(+), 138 deletions(-)
diff --git a/hostapd/ctrl_iface.c b/hostapd/ctrl_iface.c index 1d849c1ff..4c1b1ad91 100644 --- a/hostapd/ctrl_iface.c +++ b/hostapd/ctrl_iface.c @@ -2121,7 +2121,7 @@ static int hostapd_ctrl_reset_pn(struct hostapd_data *hapd, const char *cmd) if (hostapd_drv_set_key(hapd->conf->iface, hapd, hapd->last_igtk_alg, broadcast_ether_addr, - hapd->last_igtk_key_idx, 1, NULL, 0, + hapd->last_igtk_key_idx, NULL, 0, zero, hapd->last_igtk_len, KEY_TYPE_BROADCAST) < 0) return -1; @@ -2130,7 +2130,7 @@ static int hostapd_ctrl_reset_pn(struct hostapd_data *hapd, const char *cmd) return hostapd_drv_set_key(hapd->conf->iface, hapd, hapd->last_igtk_alg, broadcast_ether_addr, - hapd->last_igtk_key_idx, 1, NULL, 0, + hapd->last_igtk_key_idx, NULL, 0, hapd->last_igtk, hapd->last_igtk_len, KEY_TYPE_BROADCAST); @@ -2148,7 +2148,7 @@ static int hostapd_ctrl_reset_pn(struct hostapd_data *hapd, const char *cmd) if (hostapd_drv_set_key(hapd->conf->iface, hapd, hapd->last_gtk_alg, broadcast_ether_addr, - hapd->last_gtk_key_idx, 1, NULL, 0, + hapd->last_gtk_key_idx, NULL, 0, zero, hapd->last_gtk_len, KEY_TYPE_BROADCAST) < 0) return -1; @@ -2157,7 +2157,7 @@ static int hostapd_ctrl_reset_pn(struct hostapd_data *hapd, const char *cmd) return hostapd_drv_set_key(hapd->conf->iface, hapd, hapd->last_gtk_alg, broadcast_ether_addr, - hapd->last_gtk_key_idx, 1, NULL, 0, + hapd->last_gtk_key_idx, NULL, 0, hapd->last_gtk, hapd->last_gtk_len, KEY_TYPE_BROADCAST); } 
@@ -2175,13 +2175,13 @@ static int hostapd_ctrl_reset_pn(struct hostapd_data *hapd, const char *cmd) /* First, use a zero key to avoid any possible duplicate key avoidance * in the driver. */ if (hostapd_drv_set_key(hapd->conf->iface, hapd, sta->last_tk_alg, - sta->addr, sta->last_tk_key_idx, 1, NULL, 0, + sta->addr, sta->last_tk_key_idx, NULL, 0, zero, sta->last_tk_len, KEY_TYPE_PAIRWISE) < 0) return -1; /* Set the previously configured key to reset its TSC/RSC */ return hostapd_drv_set_key(hapd->conf->iface, hapd, sta->last_tk_alg, - sta->addr, sta->last_tk_key_idx, 1, NULL, 0, + sta->addr, sta->last_tk_key_idx, NULL, 0, sta->last_tk, sta->last_tk_len, KEY_TYPE_PAIRWISE); } @@ -2193,11 +2193,11 @@ static int hostapd_ctrl_set_key(struct hostapd_data *hapd, const char *cmd) const char *pos = cmd; enum wpa_alg alg; enum key_type key_type; - int idx, set_tx; + int idx; u8 seq[6], key[WPA_TK_MAX_LEN]; size_t key_len; - /* parameters: alg addr idx set_tx seq key key_type*/ + /* parameters: alg addr idx seq key key_type */ alg = atoi(pos); pos = os_strchr(pos, ' '); @@ -2215,11 +2215,6 @@ static int hostapd_ctrl_set_key(struct hostapd_data *hapd, const char *cmd) if (!pos) return -1; pos++; - set_tx = atoi(pos); - pos = os_strchr(pos, ' '); - if (!pos) - return -1; - pos++; if (hexstr2bin(pos, seq, sizeof(seq)) < 0) return -1; pos += 2 * 6; @@ -2241,7 +2236,7 @@ static int hostapd_ctrl_set_key(struct hostapd_data *hapd, const char *cmd) wpa_printf(MSG_INFO, "TESTING: Set key"); return hostapd_drv_set_key(hapd->conf->iface, hapd, alg, addr, idx, - set_tx, seq, 6, key, key_len, key_type); + seq, 6, key, key_len, key_type); } 
@@ -2256,7 +2251,7 @@ static void restore_tk(void *ctx1, void *ctx2) * in replay protection issues for now since there is no clean way of * preventing encryption of a single EAPOL frame. */ hostapd_drv_set_key(hapd->conf->iface, hapd, sta->last_tk_alg, - sta->addr, sta->last_tk_key_idx, 1, NULL, 0, + sta->addr, sta->last_tk_key_idx, NULL, 0, sta->last_tk, sta->last_tk_len, KEY_TYPE_PAIRWISE); } @@ -2280,7 +2275,7 @@ static int hostapd_ctrl_resend_m1(struct hostapd_data *hapd, const char *cmd) wpa_printf(MSG_INFO, "TESTING: Clear TK for " MACSTR, MAC2STR(sta->addr)); hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_NONE, - sta->addr, sta->last_tk_key_idx, 0, NULL, 0, + sta->addr, sta->last_tk_key_idx, NULL, 0, NULL, 0, KEY_TYPE_PAIRWISE); } @@ -2310,7 +2305,7 @@ static int hostapd_ctrl_resend_m3(struct hostapd_data *hapd, const char *cmd) wpa_printf(MSG_INFO, "TESTING: Clear TK for " MACSTR, MAC2STR(sta->addr)); hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_NONE, - sta->addr, sta->last_tk_key_idx, 0, NULL, 0, + sta->addr, sta->last_tk_key_idx, NULL, 0, NULL, 0, KEY_TYPE_PAIRWISE); } @@ -2340,7 +2335,7 @@ static int hostapd_ctrl_resend_group_m1(struct hostapd_data *hapd, wpa_printf(MSG_INFO, "TESTING: Clear TK for " MACSTR, MAC2STR(sta->addr)); hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_NONE, - sta->addr, sta->last_tk_key_idx, 0, NULL, 0, + sta->addr, sta->last_tk_key_idx, NULL, 0, NULL, 0, KEY_TYPE_PAIRWISE); } diff --git a/src/ap/ap_drv_ops.c b/src/ap/ap_drv_ops.c index 77c457bc2..283e4ab24 100644 --- a/src/ap/ap_drv_ops.c +++ b/src/ap/ap_drv_ops.c 
@@ -675,14 +675,13 @@ int hostapd_driver_set_noa(struct hostapd_data *hapd, u8 count, int start, int hostapd_drv_set_key(const char *ifname, struct hostapd_data *hapd, enum wpa_alg alg, const u8 *addr, - int key_idx, int set_tx, - const u8 *seq, size_t seq_len, + int key_idx, const u8 *seq, size_t seq_len, const u8 *key, size_t key_len, enum key_type key_type) { if (hapd->driver == NULL || hapd->driver->set_key == NULL) return 0; return hapd->driver->set_key(ifname, hapd->drv_priv, alg, addr, - key_idx, set_tx, seq, seq_len, key, + key_idx, seq, seq_len, key, key_len, key_type); } diff --git a/src/ap/ap_drv_ops.h b/src/ap/ap_drv_ops.h index 2c3e8e0f0..2a5fb39ad 100644 --- a/src/ap/ap_drv_ops.h +++ b/src/ap/ap_drv_ops.h @@ -88,8 +88,7 @@ int hostapd_driver_set_noa(struct hostapd_data *hapd, u8 count, int start, int hostapd_drv_set_key(const char *ifname, struct hostapd_data *hapd, enum wpa_alg alg, const u8 *addr, - int key_idx, int set_tx, - const u8 *seq, size_t seq_len, + int key_idx, const u8 *seq, size_t seq_len, const u8 *key, size_t key_len, enum key_type key_type); int hostapd_drv_send_mlme(struct hostapd_data *hapd, const void *msg, size_t len, int noack); diff --git a/src/ap/hostapd.c b/src/ap/hostapd.c index 3ac84cc14..5be410c7e 100644 --- a/src/ap/hostapd.c +++ b/src/ap/hostapd.c @@ -292,7 +292,7 @@ static void hostapd_broadcast_key_clear_iface(struct hostapd_data *hapd, if (!ifname || !hapd->drv_priv) return; for (i = 0; i < NUM_WEP_KEYS; i++) { - if (hostapd_drv_set_key(ifname, hapd, WPA_ALG_NONE, NULL, i, 0, + if (hostapd_drv_set_key(ifname, hapd, WPA_ALG_NONE, NULL, i, NULL, 0, NULL, 0, KEY_TYPE_BROADCAST)) { wpa_printf(MSG_DEBUG, "Failed to clear default " "encryption keys (ifname=%s keyidx=%d)", 
@@ -303,8 +303,8 @@ static void hostapd_broadcast_key_clear_iface(struct hostapd_data *hapd, if (hapd->conf->ieee80211w) { for (i = NUM_WEP_KEYS; i < NUM_WEP_KEYS + 2; i++) { if (hostapd_drv_set_key(ifname, hapd, WPA_ALG_NONE, - NULL, i, 0, NULL, 0, - NULL, 0, KEY_TYPE_BROADCAST)) { + NULL, i, NULL, 0, NULL, + 0, KEY_TYPE_BROADCAST)) { wpa_printf(MSG_DEBUG, "Failed to clear " "default mgmt encryption keys " "(ifname=%s keyidx=%d)", ifname, i); @@ -331,7 +331,7 @@ static int hostapd_broadcast_wep_set(struct hostapd_data *hapd) if (ssid->wep.default_len && hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, broadcast_ether_addr, idx, - 1, NULL, 0, ssid->wep.key[idx], + NULL, 0, ssid->wep.key[idx], ssid->wep.len[idx], KEY_TYPE_DEFAULT)) { wpa_printf(MSG_WARNING, "Could not set WEP encryption."); errors++; @@ -558,7 +558,7 @@ static int hostapd_setup_encryption(char *iface, struct hostapd_data *hapd) for (i = 0; i < 4; i++) { if (hapd->conf->ssid.wep.key[i] && hostapd_drv_set_key(iface, hapd, WPA_ALG_WEP, NULL, i, - i == hapd->conf->ssid.wep.idx, NULL, 0, + NULL, 0, hapd->conf->ssid.wep.key[i], hapd->conf->ssid.wep.len[i], i == hapd->conf->ssid.wep.idx ? diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c index bc2e50eeb..eeaecee07 100644 --- a/src/ap/ieee802_11.c +++ b/src/ap/ieee802_11.c @@ -4770,7 +4770,7 @@ static void hostapd_set_wds_encryption(struct hostapd_data *hapd, for (i = 0; i < 4; i++) { if (ssid->wep.key[i] && hostapd_drv_set_key(ifname_wds, hapd, WPA_ALG_WEP, NULL, i, - i == ssid->wep.idx, NULL, 0, + NULL, 0, ssid->wep.key[i], ssid->wep.len[i], i == ssid->wep.idx ? KEY_TYPE_DEFAULT : KEY_TYPE_BROADCAST)) { diff --git a/src/ap/ieee802_1x.c b/src/ap/ieee802_1x.c index 29e502e18..ba3ea1f7d 100644 --- a/src/ap/ieee802_1x.c +++ b/src/ap/ieee802_1x.c 
@@ -284,7 +284,7 @@ static void ieee802_1x_tx_key(struct hostapd_data *hapd, struct sta_info *sta) /* TODO: set encryption in TX callback, i.e., only after STA * has ACKed EAPOL-Key frame */ if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, - sta->addr, 0, 1, NULL, 0, ikey, + sta->addr, 0, NULL, 0, ikey, hapd->conf->individual_wep_key_len, KEY_TYPE_DEFAULT)) { wpa_printf(MSG_ERROR, "Could not set individual WEP " @@ -2169,7 +2169,7 @@ static void ieee802_1x_rekey(void *eloop_ctx, void *timeout_ctx) * after new broadcast key has been sent to all stations. */ if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, broadcast_ether_addr, - eapol->default_wep_key_idx, 1, NULL, 0, + eapol->default_wep_key_idx, NULL, 0, eapol->default_wep_key, hapd->conf->default_wep_key_len, KEY_TYPE_DEFAULT)) { @@ -2486,7 +2486,7 @@ int ieee802_1x_init(struct hostapd_data *hapd) if (hapd->conf->default_wep_key_len) { for (i = 0; i < 4; i++) hostapd_drv_set_key(hapd->conf->iface, hapd, - WPA_ALG_NONE, NULL, i, 0, NULL, 0, + WPA_ALG_NONE, NULL, i, NULL, 0, NULL, 0, KEY_TYPE_BROADCAST); ieee802_1x_rekey(hapd, NULL); diff --git a/src/ap/wpa_auth_glue.c b/src/ap/wpa_auth_glue.c index 0cc824863..dad1a8824 100644 --- a/src/ap/wpa_auth_glue.c +++ b/src/ap/wpa_auth_glue.c @@ -405,7 +405,7 @@ static int hostapd_wpa_auth_set_key(void *ctx, int vlan_id, enum wpa_alg alg, hapd->last_gtk_len = key_len; } #endif /* CONFIG_TESTING_OPTIONS */ - return hostapd_drv_set_key(ifname, hapd, alg, addr, idx, 1, NULL, 0, + return hostapd_drv_set_key(ifname, hapd, alg, addr, idx, NULL, 0, key, key_len, key_type); } diff --git a/src/drivers/driver.h b/src/drivers/driver.h index de10490ab..e1782848c 100644 --- a/src/drivers/driver.h +++ b/src/drivers/driver.h 
@@ -2280,8 +2280,6 @@ struct wpa_driver_ops { * specified key index is to be cleared * @key_idx: key index (0..3), usually 0 for unicast keys; 0..4095 for * IGTK - * @set_tx: configure this key as the default Tx key (only used when - * driver does not support separate unicast/individual key * @seq: sequence number/packet number, seq_len octets, the next * packet number to be used for in replay protection; configured * for Rx keys (in most cases, this is only used with broadcast @@ -2317,10 +2315,10 @@ struct wpa_driver_ops { * addr can be used to determine whether the key is default or * individual. If only 4 keys are supported, the default key with key * index 0 is used as the individual key. STA must be configured to use - * it as the default Tx key (set_tx is set) and accept Rx for all the - * key indexes. In most cases, WPA uses only key indexes 1 and 2 for - * broadcast keys, so key index 0 is available for this kind of - * configuration. + * it as the default Tx key (KEY_TYPE_DEFAULT is set) and accept Rx + * for all the key indexes. In most cases, WPA uses only key indexes 1 + * and 2 for broadcast keys, so key index 0 is available for this kind + * of configuration. * * Please note that TKIP keys include separate TX and RX MIC keys and * some drivers may expect them in different order than wpa_supplicant @@ -2331,7 +2329,7 @@ struct wpa_driver_ops { * example on how this can be done. */ int (*set_key)(const char *ifname, void *priv, enum wpa_alg alg, - const u8 *addr, int key_idx, int set_tx, + const u8 *addr, int key_idx, const u8 *seq, size_t seq_len, const u8 *key, size_t key_len, enum key_type key_type); diff --git a/src/drivers/driver_atheros.c b/src/drivers/driver_atheros.c index 0c87da6d0..be2d761fc 100644 --- a/src/drivers/driver_atheros.c +++ b/src/drivers/driver_atheros.c 
@@ -499,9 +499,8 @@ atheros_del_key(void *priv, const u8 *addr, int key_idx) static int atheros_set_key(const char *ifname, void *priv, enum wpa_alg alg, - const u8 *addr, int key_idx, int set_tx, const u8 *seq, - size_t seq_len, const u8 *key, size_t key_len, - enum key_type key_type) + const u8 *addr, int key_idx, const u8 *seq, + size_t seq_len, const u8 *key, size_t key_len, enum key_type) { struct atheros_driver_data *drv = priv; struct ieee80211req_key wk; diff --git a/src/drivers/driver_bsd.c b/src/drivers/driver_bsd.c index 89e4508e7..9ef1c2443 100644 --- a/src/drivers/driver_bsd.c +++ b/src/drivers/driver_bsd.c @@ -332,9 +332,8 @@ bsd_ctrl_iface(void *priv, int enable) static int bsd_set_key(const char *ifname, void *priv, enum wpa_alg alg, - const unsigned char *addr, int key_idx, int set_tx, const u8 *seq, - size_t seq_len, const u8 *key, size_t key_len, - enum key_type key_type) + const unsigned char *addr, int key_idx, const u8 *seq, + size_t seq_len, const u8 *key, size_t key_len, enum key_type) { struct ieee80211req_key wk; #ifdef IEEE80211_KEY_NOREPLAY diff --git a/src/drivers/driver_hostap.c b/src/drivers/driver_hostap.c index 454388fe7..627c6a090 100644 --- a/src/drivers/driver_hostap.c +++ b/src/drivers/driver_hostap.c @@ -397,8 +397,7 @@ static int hostapd_ioctl(void *priv, struct prism2_hostapd_param *param, static int wpa_driver_hostap_set_key(const char *ifname, void *priv, enum wpa_alg alg, const u8 *addr, - int key_idx, int set_tx, - const u8 *seq, size_t seq_len, + int key_idx, const u8 *seq, size_t seq_len, const u8 *key, size_t key_len, enum key_type key_type) { diff --git a/src/drivers/driver_ndis.c b/src/drivers/driver_ndis.c index 2963e1f51..0e95740c7 100644 --- a/src/drivers/driver_ndis.c +++ b/src/drivers/driver_ndis.c 
@@ -931,7 +931,7 @@ static int wpa_driver_ndis_remove_key(struct wpa_driver_ndis_data *drv, static int wpa_driver_ndis_add_wep(struct wpa_driver_ndis_data *drv, - int pairwise, int key_idx, int set_tx, + int pairwise, int key_idx, const u8 *key, size_t key_len, enum key_type key_type) { @@ -966,8 +966,7 @@ static int wpa_driver_ndis_add_wep(struct wpa_driver_ndis_data *drv, static int wpa_driver_ndis_set_key(const char *ifname, void *priv, enum wpa_alg alg, const u8 *addr, - int key_idx, int set_tx, - const u8 *seq, size_t seq_len, + int key_idx, const u8 *seq, size_t seq_len, const u8 *key, size_t key_len, enum key_type key_type) { @@ -994,8 +993,8 @@ static int wpa_driver_ndis_set_key(const char *ifname, void *priv, } if (alg == WPA_ALG_WEP) { - return wpa_driver_ndis_add_wep(drv, pairwise, key_idx, set_tx, - key, key_len, key_type); + return wpa_driver_ndis_add_wep(drv, pairwise, key_idx, key, + key_len, key_type); } len = 12 + 6 + 6 + 8 + key_len; diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c index 4c1dd0ec4..94469391c 100644 --- a/src/drivers/driver_nl80211.c +++ b/src/drivers/driver_nl80211.c @@ -3009,10 +3009,9 @@ static int nl80211_set_pmk(struct wpa_driver_nl80211_data *drv, static int wpa_driver_nl80211_set_key(const char *ifname, struct i802_bss *bss, enum wpa_alg alg, const u8 *addr, - int key_idx, int set_tx, - const u8 *seq, size_t seq_len, - const u8 *key, size_t key_len, - enum key_type key_type) + int key_idx, const u8 *seq, + size_t seq_len, const u8 *key, + size_t key_len, enum key_type key_type) { struct wpa_driver_nl80211_data *drv = bss->drv; int ifindex; 
@@ -3028,8 +3027,8 @@ static int wpa_driver_nl80211_set_key(const char *ifname, struct i802_bss *bss, ifindex = if_nametoindex(ifname); wpa_printf(MSG_DEBUG, "%s: ifindex=%d (%s) alg=%d addr=%p key_idx=%d " - "set_tx=%d seq_len=%lu key_len=%lu key_type=%d", - __func__, ifindex, ifname, alg, addr, key_idx, set_tx, + "seq_len=%lu key_len=%lu key_type=%d", + __func__, ifindex, ifname, alg, addr, key_idx, (unsigned long) seq_len, (unsigned long) key_len, key_type); #ifdef CONFIG_DRIVER_NL80211_QCA if (alg == WPA_ALG_PMK && @@ -3482,8 +3481,7 @@ retry: if (!params->wep_key[i]) continue; wpa_driver_nl80211_set_key(bss->ifname, bss, WPA_ALG_WEP, - NULL, i, - i == params->wep_tx_keyidx, NULL, 0, + NULL, i, NULL, 0, params->wep_key[i], params->wep_key_len[i], i == params->wep_tx_keyidx ? @@ -8636,15 +8634,13 @@ nl80211_tdls_disable_channel_switch(void *priv, const u8 *addr) static int driver_nl80211_set_key(const char *ifname, void *priv, enum wpa_alg alg, const u8 *addr, - int key_idx, int set_tx, - const u8 *seq, size_t seq_len, + int key_idx, const u8 *seq, size_t seq_len, const u8 *key, size_t key_len, enum key_type key_type) { struct i802_bss *bss = priv; return wpa_driver_nl80211_set_key(ifname, bss, alg, addr, key_idx, - set_tx, seq, seq_len, key, key_len, - key_type); + seq, seq_len, key, key_len, key_type); } diff --git a/src/drivers/driver_openbsd.c b/src/drivers/driver_openbsd.c index 0d975c4c5..93b6a8001 100644 --- a/src/drivers/driver_openbsd.c +++ b/src/drivers/driver_openbsd.c 
@@ -70,9 +70,8 @@ wpa_driver_openbsd_get_capa(void *priv, struct wpa_driver_capa *capa) static int wpa_driver_openbsd_set_key(const char *ifname, void *priv, enum wpa_alg alg, - const unsigned char *addr, int key_idx, int set_tx, const u8 *seq, - size_t seq_len, const u8 *key, size_t key_len, - enum key_type key_type) + const unsigned char *addr, int key_idx, const u8 *seq, + size_t seq_len, const u8 *key, size_t key_len, enum key_type) { struct openbsd_driver_data *drv = priv; struct ieee80211_keyavail keyavail; diff --git a/src/drivers/driver_privsep.c b/src/drivers/driver_privsep.c index b3d2ddae0..5ea58b576 100644 --- a/src/drivers/driver_privsep.c +++ b/src/drivers/driver_privsep.c @@ -207,10 +207,9 @@ wpa_driver_privsep_get_scan_results2(void *priv) static int wpa_driver_privsep_set_key(const char *ifname, void *priv, enum wpa_alg alg, const u8 *addr, - int key_idx, int set_tx, - const u8 *seq, size_t seq_len, - const u8 *key, size_t key_len, - enum key_type key_type) + int key_idx, const u8 *seq, + size_t seq_len, const u8 *key, + size_t key_len, enum key_type) { struct wpa_driver_privsep_data *drv = priv; struct privsep_cmd_set_key cmd; diff --git a/src/drivers/driver_wext.c b/src/drivers/driver_wext.c index 52e8e8d49..6ee9a7016 100644 --- a/src/drivers/driver_wext.c +++ b/src/drivers/driver_wext.c @@ -1710,8 +1710,7 @@ static int wpa_driver_wext_set_psk(struct wpa_driver_wext_data *drv, static int wpa_driver_wext_set_key_ext(void *priv, enum wpa_alg alg, const u8 *addr, int key_idx, - int set_tx, const u8 *seq, - size_t seq_len, + const u8 *seq, size_t seq_len, const u8 *key, size_t key_len, enum key_type key_type) { 
@@ -1812,8 +1811,6 @@ static int wpa_driver_wext_set_key_ext(void *priv, enum wpa_alg alg, * @addr: Address of the peer STA or ff:ff:ff:ff:ff:ff for * broadcast/default keys * @key_idx: key index (0..3), usually 0 for unicast keys - * @set_tx: Configure this key as the default Tx key (only used when - * driver does not support separate unicast/individual key * @seq: Sequence number/packet number, seq_len octets, the next * packet number to be used for in replay protection; configured * for Rx keys (in most cases, this is only used with broadcast @@ -1834,9 +1831,8 @@ static int wpa_driver_wext_set_key_ext(void *priv, enum wpa_alg alg, */ int wpa_driver_wext_set_key(const char *ifname, void *priv, enum wpa_alg alg, const u8 *addr, int key_idx, - int set_tx, const u8 *seq, size_t seq_len, - const u8 *key, size_t key_len, - enum key_type key_type) + const u8 *seq, size_t seq_len, const u8 *key, + size_t key_len, enum key_type key_type) { struct wpa_driver_wext_data *drv = priv; struct iwreq iwr; @@ -1847,8 +1843,8 @@ int wpa_driver_wext_set_key(const char *ifname, void *priv, enum wpa_alg alg, __FUNCTION__, alg, key_idx, key_type, (unsigned long) seq_len, (unsigned long) key_len); - ret = wpa_driver_wext_set_key_ext(drv, alg, addr, key_idx, set_tx, - seq, seq_len, key, key_len, key_type); + ret = wpa_driver_wext_set_key_ext(drv, alg, addr, key_idx, seq, + seq_len, key, key_len, key_type); if (ret == 0) return 0; diff --git a/src/drivers/driver_wext.h b/src/drivers/driver_wext.h index 7e2009079..1c65b30cc 100644 --- a/src/drivers/driver_wext.h +++ b/src/drivers/driver_wext.h 
@@ -54,9 +54,8 @@ int wpa_driver_wext_set_freq(void *priv, int freq); int wpa_driver_wext_set_mode(void *priv, int mode); int wpa_driver_wext_set_key(const char *ifname, void *priv, enum wpa_alg alg, const u8 *addr, int key_idx, - int set_tx, const u8 *seq, size_t seq_len, - const u8 *key, size_t key_len, - enum key_type key_type); + const u8 *seq, size_t seq_len, const u8 *key, + size_t key_len, enum key_type key_type); int wpa_driver_wext_scan(void *priv, struct wpa_driver_scan_params *params); struct wpa_scan_results * wpa_driver_wext_get_scan_results(void *priv); diff --git a/src/rsn_supp/tdls.c b/src/rsn_supp/tdls.c index 01d339290..46afcb634 100644 --- a/src/rsn_supp/tdls.c +++ b/src/rsn_supp/tdls.c @@ -178,7 +178,7 @@ static u8 * wpa_add_ie(u8 *pos, const u8 *ie, size_t ie_len) static int wpa_tdls_del_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) { if (wpa_sm_set_key(sm, WPA_ALG_NONE, peer->addr, - 0, 0, NULL, 0, NULL, 0, KEY_TYPE_PAIRWISE) < 0) { + 0, NULL, 0, NULL, 0, KEY_TYPE_PAIRWISE) < 0) { wpa_printf(MSG_WARNING, "TDLS: Failed to delete TPK-TK from " "the driver"); return -1; @@ -227,7 +227,7 @@ static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) wpa_printf(MSG_DEBUG, "TDLS: Configure pairwise key for peer " MACSTR, MAC2STR(peer->addr)); - if (wpa_sm_set_key(sm, alg, peer->addr, 0, 1, rsc, sizeof(rsc), + if (wpa_sm_set_key(sm, alg, peer->addr, 0, rsc, sizeof(rsc), peer->tpk.tk, key_len, KEY_TYPE_PAIRWISE) < 0) { wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the " "driver"); diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c index 269adcb94..add92658f 100644 --- a/src/rsn_supp/wpa.c +++ b/src/rsn_supp/wpa.c 
@@ -881,7 +881,7 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm, wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, rsclen); } - if (wpa_sm_set_key(sm, alg, sm->bssid, sm->keyidx_active, 1, key_rsc, + if (wpa_sm_set_key(sm, alg, sm->bssid, sm->keyidx_active, key_rsc, rsclen, sm->ptk.tk, keylen, key_type) < 0) { wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: Failed to set PTK to the driver" @@ -910,7 +910,7 @@ static int wpa_supplicant_activate_ptk(struct wpa_sm *sm) sm->keyidx_active, MAC2STR(sm->bssid)); if (wpa_sm_set_key(sm, 0, sm->bssid, sm->keyidx_active, - 0, 0, 0, NULL, 0, KEY_TYPE_SET_TX) < 0) { + 0, 0, NULL, 0, KEY_TYPE_SET_TX) < 0) { wpa_msg(sm->ctx->msg_ctx, MSG_ERROR, "WPA: Failed to activate PTK for Tx (idx=%d bssid=" MACSTR ")", sm->keyidx_active, MAC2STR(sm->bssid)); @@ -991,7 +991,7 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm, } if (sm->pairwise_cipher == WPA_CIPHER_NONE) { if (wpa_sm_set_key(sm, gd->alg, NULL, - gd->keyidx, 1, key_rsc, gd->key_rsc_len, + gd->keyidx, key_rsc, gd->key_rsc_len, _gtk, gd->gtk_len, KEY_TYPE_BROADCAST) < 0) { wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: Failed to set GTK to the driver " @@ -1000,7 +1000,7 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm, return -1; } } else if (wpa_sm_set_key(sm, gd->alg, broadcast_ether_addr, - gd->keyidx, gd->tx, key_rsc, gd->key_rsc_len, + gd->keyidx, key_rsc, gd->key_rsc_len, _gtk, gd->gtk_len, gd->tx ? KEY_TYPE_DEFAULT : KEY_TYPE_BROADCAST) < 0) { @@ -1157,7 +1157,7 @@ static int wpa_supplicant_install_igtk(struct wpa_sm *sm, } if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher), broadcast_ether_addr, - keyidx, 0, igtk->pn, sizeof(igtk->pn), + keyidx, igtk->pn, sizeof(igtk->pn), igtk->igtk, len, KEY_TYPE_BROADCAST) < 0) { if (keyidx == 0x0400 || keyidx == 0x0500) { /* Assume the AP has broken PMF implementation since it 
@@ -4570,7 +4570,7 @@ int fils_process_assoc_resp(struct wpa_sm *sm, const u8 *resp, size_t len) rsclen = wpa_cipher_rsc_len(sm->pairwise_cipher); wpa_hexdump_key(MSG_DEBUG, "FILS: Set TK to driver", sm->ptk.tk, keylen); - if (wpa_sm_set_key(sm, alg, sm->bssid, sm->keyidx_active, 1, null_rsc, + if (wpa_sm_set_key(sm, alg, sm->bssid, sm->keyidx_active, null_rsc, rsclen, sm->ptk.tk, keylen, KEY_TYPE_PAIRWISE) < 0) { wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "FILS: Failed to set PTK to the driver (alg=%d keylen=%d bssid=" diff --git a/src/rsn_supp/wpa.h b/src/rsn_supp/wpa.h index a93617c59..e40605d3a 100644 --- a/src/rsn_supp/wpa.h +++ b/src/rsn_supp/wpa.h @@ -28,7 +28,7 @@ struct wpa_sm_ctx { enum wpa_states (*get_state)(void *ctx); void (*deauthenticate)(void * ctx, u16 reason_code); int (*set_key)(void *ctx, enum wpa_alg alg, - const u8 *addr, int key_idx, int set_tx, + const u8 *addr, int key_idx, const u8 *seq, size_t seq_len, const u8 *key, size_t key_len, enum key_type key_type); void * (*get_network_ctx)(void *ctx); diff --git a/src/rsn_supp/wpa_ft.c b/src/rsn_supp/wpa_ft.c index 4aa862748..4611886f8 100644 --- a/src/rsn_supp/wpa_ft.c +++ b/src/rsn_supp/wpa_ft.c @@ -413,7 +413,7 @@ static int wpa_ft_install_ptk(struct wpa_sm *sm, const u8 *bssid) alg = wpa_cipher_to_alg(sm->pairwise_cipher); keylen = wpa_cipher_key_len(sm->pairwise_cipher); - if (wpa_sm_set_key(sm, alg, bssid, sm->keyidx_active, 1, null_rsc, + if (wpa_sm_set_key(sm, alg, bssid, sm->keyidx_active, null_rsc, sizeof(null_rsc), (u8 *) sm->ptk.tk, keylen, KEY_TYPE_PAIRWISE) < 0) { wpa_printf(MSG_WARNING, "FT: Failed to set PTK to the driver"); 
@@ -766,7 +766,7 @@ static int wpa_ft_process_gtk_subelem(struct wpa_sm *sm, const u8 *gtk_elem, os_memcpy(gtk + 16, gtk + 24, 8); os_memcpy(gtk + 24, tmp, 8); } - if (wpa_sm_set_key(sm, alg, broadcast_ether_addr, keyidx, 0, + if (wpa_sm_set_key(sm, alg, broadcast_ether_addr, keyidx, gtk_elem + 3, rsc_len, gtk, keylen, KEY_TYPE_BROADCAST) < 0) { wpa_printf(MSG_WARNING, "WPA: Failed to set GTK to the " @@ -835,7 +835,7 @@ static int wpa_ft_process_igtk_subelem(struct wpa_sm *sm, const u8 *igtk_elem, wpa_hexdump_key(MSG_DEBUG, "FT: IGTK from Reassoc Resp", igtk, igtk_len); if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher), - broadcast_ether_addr, keyidx, 0, + broadcast_ether_addr, keyidx, igtk_elem + 2, 6, igtk, igtk_len, KEY_TYPE_BROADCAST) < 0) { wpa_printf(MSG_WARNING, "WPA: Failed to set IGTK to the " diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h index e4d07c1ff..dad66d08e 100644 --- a/src/rsn_supp/wpa_i.h +++ b/src/rsn_supp/wpa_i.h @@ -198,13 +198,13 @@ static inline void wpa_sm_deauthenticate(struct wpa_sm *sm, u16 reason_code) } static inline int wpa_sm_set_key(struct wpa_sm *sm, enum wpa_alg alg, - const u8 *addr, int key_idx, int set_tx, + const u8 *addr, int key_idx, const u8 *seq, size_t seq_len, const u8 *key, size_t key_len, enum key_type key_type) { WPA_ASSERT(sm->ctx->set_key); - return sm->ctx->set_key(sm->ctx->ctx, alg, addr, key_idx, set_tx, + return sm->ctx->set_key(sm->ctx->ctx, alg, addr, key_idx, seq, seq_len, key, key_len, key_type); } diff --git a/tests/hwsim/test_ap_ciphers.py b/tests/hwsim/test_ap_ciphers.py index a6ba27d99..d1c3de46c 100644 --- a/tests/hwsim/test_ap_ciphers.py +++ b/tests/hwsim/test_ap_ciphers.py 
@@ -862,7 +862,7 @@ def test_ap_wpa2_delayed_m1_m3_zero_tk(dev, apdev): if "OK" not in hapd.request("RESEND_M3 " + addr): raise Exception("RESEND_M3 failed") - if "OK" not in hapd.request("SET_KEY 3 %s %d %d %s %s %d" % (addr, 0, 1, 6*"00", 16*"00", 2)): + if "OK" not in hapd.request("SET_KEY 3 %s %d %s %s %d" % (addr, 0, 6*"00", 16*"00", 2)): raise Exception("SET_KEY failed") time.sleep(0.1) hwsim_utils.test_connectivity(dev[0], hapd, timeout=1, broadcast=False, diff --git a/wpa_supplicant/ctrl_iface.c b/wpa_supplicant/ctrl_iface.c index e5f7246d1..8bf8897c0 100644 --- a/wpa_supplicant/ctrl_iface.c +++ b/wpa_supplicant/ctrl_iface.c 
@@ -5237,25 +5237,25 @@ static void wpa_supplicant_ctrl_iface_drop_sa(struct wpa_supplicant *wpa_s) { wpa_printf(MSG_DEBUG, "Dropping SA without deauthentication"); /* MLME-DELETEKEYS.request */ - wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 0, 0, NULL, 0, NULL, + wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 0, NULL, 0, NULL, 0, KEY_TYPE_BROADCAST); - wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 1, 0, NULL, 0, NULL, + wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 1, NULL, 0, NULL, 0, KEY_TYPE_BROADCAST); - wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 2, 0, NULL, 0, NULL, + wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 2, NULL, 0, NULL, 0, KEY_TYPE_BROADCAST); - wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 3, 0, NULL, 0, NULL, + wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 3, NULL, 0, NULL, 0, KEY_TYPE_BROADCAST); #ifdef CONFIG_IEEE80211W - wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 4, 0, NULL, 0, NULL, + wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 4, NULL, 0, NULL, 0, KEY_TYPE_BROADCAST); - wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 5, 0, NULL, 0, NULL, + wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, 5, NULL, 0, NULL, 0, KEY_TYPE_BROADCAST); #endif /* CONFIG_IEEE80211W */ - wpa_drv_set_key(wpa_s, WPA_ALG_NONE, wpa_s->bssid, 0, 0, NULL, 0, NULL, + wpa_drv_set_key(wpa_s, WPA_ALG_NONE, wpa_s->bssid, 0, NULL, 0, NULL, 0, KEY_TYPE_PAIRWISE); if (wpa_sm_extended_key_id(wpa_s->wpa)) - wpa_drv_set_key(wpa_s, WPA_ALG_NONE, wpa_s->bssid, 1, 0, NULL, + wpa_drv_set_key(wpa_s, WPA_ALG_NONE, wpa_s->bssid, 1, NULL, 0, NULL, 0, KEY_TYPE_PAIRWISE); /* MLME-SETPROTECTION.request(None) */ wpa_drv_mlme_setprotection(wpa_s, wpa_s->bssid, 
@@ -9235,13 +9235,13 @@ static int wpas_ctrl_reset_pn(struct wpa_supplicant *wpa_s) /* First, use a zero key to avoid any possible duplicate key avoidance * in the driver. */ if (wpa_drv_set_key(wpa_s, wpa_s->last_tk_alg, wpa_s->last_tk_addr, - wpa_s->last_tk_key_idx, 1, zero, 6, + wpa_s->last_tk_key_idx, zero, 6, zero, wpa_s->last_tk_len, KEY_TYPE_PAIRWISE) < 0) return -1; /* Set the previously configured key to reset its TSC/RSC */ return wpa_drv_set_key(wpa_s, wpa_s->last_tk_alg, wpa_s->last_tk_addr, - wpa_s->last_tk_key_idx, 1, zero, 6, + wpa_s->last_tk_key_idx, zero, 6, wpa_s->last_tk, wpa_s->last_tk_len, KEY_TYPE_PAIRWISE); } diff --git a/wpa_supplicant/driver_i.h b/wpa_supplicant/driver_i.h index 662a1000a..01618b857 100644 --- a/wpa_supplicant/driver_i.h +++ b/wpa_supplicant/driver_i.h @@ -150,8 +150,7 @@ static inline int wpa_drv_get_ssid(struct wpa_supplicant *wpa_s, u8 *ssid) static inline int wpa_drv_set_key(struct wpa_supplicant *wpa_s, enum wpa_alg alg, const u8 *addr, - int key_idx, int set_tx, - const u8 *seq, size_t seq_len, + int key_idx, const u8 *seq, size_t seq_len, const u8 *key, size_t key_len, enum key_type key_type) { @@ -172,9 +171,8 @@ static inline int wpa_drv_set_key(struct wpa_supplicant *wpa_s, } if (wpa_s->driver->set_key) { return wpa_s->driver->set_key(wpa_s->ifname, wpa_s->drv_priv, - alg, addr, key_idx, set_tx, - seq, seq_len, key, key_len, - key_type); + alg, addr, key_idx, seq, seq_len, + key, key_len, key_type); } return -1; } diff --git a/wpa_supplicant/ibss_rsn.c b/wpa_supplicant/ibss_rsn.c index 049e3f26e..0cfa15f05 100644 --- a/wpa_supplicant/ibss_rsn.c +++ b/wpa_supplicant/ibss_rsn.c 
@@ -137,15 +137,15 @@ static void ibss_check_rsn_completed(struct ibss_rsn_peer *peer) static int supp_set_key(void *ctx, enum wpa_alg alg, - const u8 *addr, int key_idx, int set_tx, + const u8 *addr, int key_idx, const u8 *seq, size_t seq_len, const u8 *key, size_t key_len, enum key_type key_type) { struct ibss_rsn_peer *peer = ctx; wpa_printf(MSG_DEBUG, "SUPP: %s(alg=%d addr=" MACSTR " key_idx=%d " - "set_tx=%d)", - __func__, alg, MAC2STR(addr), key_idx, set_tx); + "key_type=%d)", + __func__, alg, MAC2STR(addr), key_idx, key_type); wpa_hexdump(MSG_DEBUG, "SUPP: set_key - seq", seq, seq_len); wpa_hexdump_key(MSG_DEBUG, "SUPP: set_key - key", key, key_len); @@ -166,7 +166,7 @@ static int supp_set_key(void *ctx, enum wpa_alg alg, if (is_broadcast_ether_addr(addr)) addr = peer->addr; return wpa_drv_set_key(peer->ibss_rsn->wpa_s, alg, addr, key_idx, - set_tx, seq, seq_len, key, key_len, key_type); + seq, seq_len, key, key_len, key_type); } @@ -335,7 +335,7 @@ static int auth_set_key(void *ctx, int vlan_id, enum wpa_alg alg, } return wpa_drv_set_key(ibss_rsn->wpa_s, alg, addr, idx, - 1, seq, 6, key, key_len, key_type); + seq, 6, key, key_len, key_type); } @@ -851,7 +851,7 @@ static void ibss_rsn_handle_auth_1_of_2(struct ibss_rsn *ibss_rsn, * still have a pairwise key configured. */ wpa_printf(MSG_DEBUG, "RSN: Clear pairwise key for peer " MACSTR, MAC2STR(addr)); - wpa_drv_set_key(ibss_rsn->wpa_s, WPA_ALG_NONE, addr, 0, 0, + wpa_drv_set_key(ibss_rsn->wpa_s, WPA_ALG_NONE, addr, 0, NULL, 0, NULL, 0, KEY_TYPE_PAIRWISE); } diff --git a/wpa_supplicant/mesh_mpm.c b/wpa_supplicant/mesh_mpm.c index 8664147ac..6efbd34e4 100644 --- a/wpa_supplicant/mesh_mpm.c +++ b/wpa_supplicant/mesh_mpm.c 
@@ -875,7 +875,7 @@ static void mesh_mpm_plink_estab(struct wpa_supplicant *wpa_s, if (conf->security & MESH_CONF_SEC_AMPE) { wpa_hexdump_key(MSG_DEBUG, "mesh: MTK", sta->mtk, sta->mtk_len); wpa_drv_set_key(wpa_s, wpa_cipher_to_alg(conf->pairwise_cipher), - sta->addr, 0, 0, seq, sizeof(seq), + sta->addr, 0, seq, sizeof(seq), sta->mtk, sta->mtk_len, KEY_TYPE_PAIRWISE); wpa_hexdump_key(MSG_DEBUG, "mesh: RX MGTK Key RSC", @@ -883,7 +883,7 @@ static void mesh_mpm_plink_estab(struct wpa_supplicant *wpa_s, wpa_hexdump_key(MSG_DEBUG, "mesh: RX MGTK", sta->mgtk, sta->mgtk_len); wpa_drv_set_key(wpa_s, wpa_cipher_to_alg(conf->group_cipher), - sta->addr, sta->mgtk_key_id, 0, + sta->addr, sta->mgtk_key_id, sta->mgtk_rsc, sizeof(sta->mgtk_rsc), sta->mgtk, sta->mgtk_len, KEY_TYPE_BROADCAST); @@ -895,7 +895,7 @@ static void mesh_mpm_plink_estab(struct wpa_supplicant *wpa_s, wpa_drv_set_key( wpa_s, wpa_cipher_to_alg(conf->mgmt_group_cipher), - sta->addr, sta->igtk_key_id, 0, + sta->addr, sta->igtk_key_id, sta->igtk_rsc, sizeof(sta->igtk_rsc), sta->igtk, sta->igtk_len, KEY_TYPE_BROADCAST); } diff --git a/wpa_supplicant/mesh_rsn.c b/wpa_supplicant/mesh_rsn.c index e670e259b..774b7bd6f 100644 --- a/wpa_supplicant/mesh_rsn.c +++ b/wpa_supplicant/mesh_rsn.c @@ -119,7 +119,7 @@ static int auth_set_key(void *ctx, int vlan_id, enum wpa_alg alg, wpa_hexdump_key(MSG_DEBUG, "AUTH: set_key - key", key, key_len); return wpa_drv_set_key(mesh_rsn->wpa_s, alg, addr, idx, - 1, seq, 6, key, key_len, key_type); + seq, 6, key, key_len, key_type); } @@ -199,8 +199,8 @@ static int __mesh_rsn_auth_init(struct mesh_rsn *rsn, const u8 *addr, rsn->igtk, rsn->igtk_len); wpa_drv_set_key(rsn->wpa_s, wpa_cipher_to_alg(rsn->mgmt_group_cipher), NULL, - rsn->igtk_key_id, 1, - seq, sizeof(seq), rsn->igtk, rsn->igtk_len, + rsn->igtk_key_id, seq, sizeof(seq), + rsn->igtk, rsn->igtk_len, KEY_TYPE_BROADCAST); } #endif /* CONFIG_IEEE80211W */ 
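Review bot: with `set_tx` gone, the peer's RX MGTK/IGTK installed in mesh_mpm_plink_estab() (previously `sta->mgtk_key_id, 0,` and `sta->igtk_key_id, 0,`) and the node's own TX IGTK installed in __mesh_rsn_auth_init() (previously `rsn->igtk_key_id, 1,`) now reach wpa_drv_set_key() tagged KEY_TYPE_BROADCAST in both cases, so the only remaining difference between "my TX group key" and "this peer's RX group key" is whether `addr` is NULL. Please confirm the driver side still derives the TX/RX distinction from `addr` alone, or make it explicit with a dedicated key type, otherwise mesh group keys could be installed in the wrong direction without any visible error.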
@@ -209,7 +209,7 @@ static int __mesh_rsn_auth_init(struct mesh_rsn *rsn, const u8 *addr, wpa_hexdump_key(MSG_DEBUG, "mesh: Own TX MGTK", rsn->mgtk, rsn->mgtk_len); wpa_drv_set_key(rsn->wpa_s, wpa_cipher_to_alg(rsn->group_cipher), NULL, - rsn->mgtk_key_id, 1, seq, sizeof(seq), + rsn->mgtk_key_id, seq, sizeof(seq), rsn->mgtk, rsn->mgtk_len, KEY_TYPE_BROADCAST); return 0; diff --git a/wpa_supplicant/preauth_test.c b/wpa_supplicant/preauth_test.c index b2c65b60b..07e9d85fd 100644 --- a/wpa_supplicant/preauth_test.c +++ b/wpa_supplicant/preauth_test.c @@ -125,7 +125,7 @@ static int wpa_supplicant_get_bssid(void *wpa_s, u8 *bssid) static int wpa_supplicant_set_key(void *wpa_s, enum wpa_alg alg, - const u8 *addr, int key_idx, int set_tx, + const u8 *addr, int key_idx, const u8 *seq, size_t seq_len, const u8 *key, size_t key_len) { diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c index d2be5949c..563dc1cd1 100644 --- a/wpa_supplicant/wpa_supplicant.c +++ b/wpa_supplicant/wpa_supplicant.c @@ -141,7 +141,7 @@ int wpa_set_wep_keys(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid) set = 1; wpa_drv_set_key(wpa_s, WPA_ALG_WEP, NULL, - i, i == ssid->wep_tx_keyidx, NULL, 0, + i, NULL, 0, ssid->wep_key[i], ssid->wep_key_len[i], i == ssid->wep_tx_keyidx ? KEY_TYPE_DEFAULT : KEY_TYPE_BROADCAST); @@ -202,7 +202,7 @@ int wpa_supplicant_set_wpa_none_key(struct wpa_supplicant *wpa_s, /* TODO: should actually remember the previously used seq#, both for TX * and RX from each STA.. */ - ret = wpa_drv_set_key(wpa_s, alg, NULL, 0, 1, seq, 6, key, keylen, + ret = wpa_drv_set_key(wpa_s, alg, NULL, 0, seq, 6, key, keylen, KEY_TYPE_BROADCAST); os_memset(key, 0, sizeof(key)); return ret; 
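Review bot: the wpa_supplicant_set_key() stub in preauth_test.c drops `set_tx` but, unlike the callback of the same name in wpas_glue.c further down in this patch, still has no trailing `enum key_type key_type` parameter. If both are assigned to the same `set_key` callback, the preauth test build will warn or fail with an incompatible function pointer; suggest adding `enum key_type key_type` to the stub's signature as well.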
@@ -708,17 +708,17 @@ void wpa_clear_keys(struct wpa_supplicant *wpa_s, const u8 *addr) for (i = 0; i < max; i++) { if (wpa_s->keys_cleared & BIT(i)) continue; - wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, i, 0, NULL, 0, + wpa_drv_set_key(wpa_s, WPA_ALG_NONE, NULL, i, NULL, 0, NULL, 0, KEY_TYPE_BROADCAST); } /* Pairwise key idx 1 for Extended Key ID is tracked with bit 6 */ if (~wpa_s->keys_cleared & (BIT(0) | BIT(6)) && addr && !is_zero_ether_addr(addr)) { if (!(wpa_s->keys_cleared & (BIT(0)))) - wpa_drv_set_key(wpa_s, WPA_ALG_NONE, addr, 0, 0, NULL, + wpa_drv_set_key(wpa_s, WPA_ALG_NONE, addr, 0, NULL, 0, NULL, 0, KEY_TYPE_PAIRWISE); if (!(wpa_s->keys_cleared & (BIT(6)))) - wpa_drv_set_key(wpa_s, WPA_ALG_NONE, addr, 1, 0, NULL, + wpa_drv_set_key(wpa_s, WPA_ALG_NONE, addr, 1, NULL, 0, NULL, 0, KEY_TYPE_PAIRWISE); /* MLME-SETPROTECTION.request(None) */ wpa_drv_mlme_setprotection( diff --git a/wpa_supplicant/wpas_glue.c b/wpa_supplicant/wpas_glue.c index 252c1ff8c..716cb7276 100644 --- a/wpa_supplicant/wpas_glue.c +++ b/wpa_supplicant/wpas_glue.c @@ -242,7 +242,7 @@ static int wpa_eapol_set_wep_key(void *ctx, int unicast, int keyidx, } return wpa_drv_set_key(wpa_s, WPA_ALG_WEP, unicast ? wpa_s->bssid : NULL, - keyidx, unicast, NULL, 0, key, keylen, + keyidx, NULL, 0, key, keylen, unicast ? KEY_TYPE_DEFAULT : KEY_TYPE_BROADCAST); } @@ -341,7 +341,7 @@ static void wpa_supplicant_eapol_cb(struct eapol_sm *eapol, wpa_hexdump_key(MSG_DEBUG, "RSN: Configure PMK for driver-based 4-way " "handshake", pmk, pmk_len); - if (wpa_drv_set_key(wpa_s, WPA_ALG_PMK, NULL, 0, 0, NULL, 0, pmk, + if (wpa_drv_set_key(wpa_s, WPA_ALG_PMK, NULL, 0, NULL, 0, pmk, pmk_len, KEY_TYPE_BROADCAST)) { wpa_printf(MSG_DEBUG, "Failed to set PMK to the driver"); } 
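Review bot: in wpa_eapol_set_wep_key() the `unicast` flag, previously passed as `set_tx`, now survives only through `unicast ? KEY_TYPE_DEFAULT : KEY_TYPE_BROADCAST` (the same pattern as `i == ssid->wep_tx_keyidx ? KEY_TYPE_DEFAULT : KEY_TYPE_BROADCAST` in wpa_set_wep_keys()). KEY_TYPE_DEFAULT thereby becomes the sole signal that a key is to be used for TX, so the contract "KEY_TYPE_DEFAULT means install and select as TX key" should be spelled out in the documentation of the `set_key` driver op; a driver that ignores the key type would silently keep the old TX key.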
@@ -487,7 +487,7 @@ static int wpa_supplicant_get_bssid(void *ctx, u8 *bssid) static int wpa_supplicant_set_key(void *_wpa_s, enum wpa_alg alg, - const u8 *addr, int key_idx, int set_tx, + const u8 *addr, int key_idx, const u8 *seq, size_t seq_len, const u8 *key, size_t key_len, enum key_type key_type) @@ -515,7 +515,7 @@ static int wpa_supplicant_set_key(void *_wpa_s, enum wpa_alg alg, wpa_s->last_tk_len = key_len; } #endif /* CONFIG_TESTING_OPTIONS */ - return wpa_drv_set_key(wpa_s, alg, addr, key_idx, set_tx, seq, seq_len, + return wpa_drv_set_key(wpa_s, alg, addr, key_idx, seq, seq_len, key, key_len, key_type); } 
@@ -1159,7 +1159,7 @@ static int wpa_supplicant_key_mgmt_set_pmk(void *ctx, const u8 *pmk, if (wpa_s->conf->key_mgmt_offload && (wpa_s->drv_flags & WPA_DRIVER_FLAGS_KEY_MGMT_OFFLOAD)) - return wpa_drv_set_key(wpa_s, WPA_ALG_PMK, NULL, 0, 0, + return wpa_drv_set_key(wpa_s, WPA_ALG_PMK, NULL, 0, NULL, 0, pmk, pmk_len, 0); else return 0;
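Review bot: wpa_supplicant_key_mgmt_set_pmk() passes a bare `0` as the new `enum key_type` argument, whereas the otherwise identical PMK install in wpa_supplicant_eapol_cb() (wpas_glue.c, earlier in this patch) passes KEY_TYPE_BROADCAST. The two call sites should use the same named value: if `0` equals KEY_TYPE_BROADCAST this is a readability issue only, if not, the PMK is configured with different key types depending on the code path. Suggest `return wpa_drv_set_key(wpa_s, WPA_ALG_PMK, NULL, 0, NULL, 0, pmk, pmk_len, KEY_TYPE_BROADCAST);`.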
From patchwork Sat Aug 24 16:05:05 2019
X-Patchwork-Submitter: Alexander Wetzel
X-Patchwork-Id: 1152684
From: Alexander Wetzel
To: j@w1.fi
Subject: [PATCH v4 16/16] hostapd: Extended Key ID stress test
Date: Sat, 24 Aug 2019 18:05:05 +0200
Message-Id: <20190824160505.5548-17-alexander@wetzel-home.de>
In-Reply-To: <20190824160505.5548-1-alexander@wetzel-home.de>
References: <20190824160505.5548-1-alexander@wetzel-home.de>
Cc: Alexander Wetzel, hostap@lists.infradead.org, luca@coelho.fi, johannes@sipsolutions.net

Change the default keyid to 1 for the first pairwise key when using Extended Key ID.

This is so far only intended to cause compatibility problems as soon as possible and not delay them depending on the rekey interval. A broken STA may claim to be compatible with Extended Key ID and will simply assume keyid 0 for each key install. Instead of causing connection problems after the first rekey we move these to the initial connect by starting with the more risky keyid 1.
Signed-off-by: Alexander Wetzel
---
For now this has mainly two functions:

1) Guarantees that Extended Key ID can really be used at the initial connect. Many potential issues are linked to the usage of keyid 1 for a unicast key, so make sure this happens as soon as possible.

2) The existing tests will find many of these issues, even when not rekeying the connection.

I have some plans to extend that later: By e.g. starting an EAPOL group handshake directly after the connect we can verify if the keyid 1 transport is really working. When the handshake times out hostapd could install the same key for keyid 0, disabling Extended Key ID support and allowing the broken STA to work with the AP.

This idea is mostly based on the fact that one of my devices (Samsung Galaxy Tab S3) is setting the "Extended Key ID" capability flag wrong. The AP therefore (correctly) assumes the device can handle it. When the AP rekeys the PTK and uses the keyid 1 the device is losing the connection. It looks like the device is just copying the capability (bit) from the AP RSN. Chances are this affects more (Samsung) devices.

Now I'm not sure if we really want to deploy such a workaround. It's probably hard to get rid of and just getting the broken devices fixed may be the better solution. Of course the workaround would be optional: I think we could set wpa_extended_key_id to 2 by default and allow the user to disable the workaround by setting it to 1.

Another option would be to simply drop the patch or make it testing only. After all PTK rekeying is - based on all devices I could get my hands on - mostly broken. The chance to have an AP and a STA able to rekey really correctly under load is as of today really bad. (Maybe 20% success rate?) Therefore it looks like rekey is not used very often and when we start with keyid 0 and never rekey it will also work for most users.
On the other hand I prefer a clean failure to something working on the brink of failure: So this patch series tries to make sure it fails as soon as possible.

 src/ap/wpa_auth_ie.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/ap/wpa_auth_ie.c b/src/ap/wpa_auth_ie.c index 725c76056..3207990e5 100644 --- a/src/ap/wpa_auth_ie.c +++ b/src/ap/wpa_auth_ie.c @@ -553,6 +553,7 @@ int handle_extended_key_id(struct wpa_state_machine *sm, int capabilities) return -1; } else if (!sm->use_extended_key_id) { sm->use_extended_key_id = TRUE; + sm->keyidx_active = 1; } } else { if (sm->use_extended_key_id && sm->pairwise_set) {
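Review bot: `sm->keyidx_active = 1` is set only inside the `!sm->use_extended_key_id` branch, i.e. on the transition that first enables Extended Key ID for this state machine; a state machine that already has `use_extended_key_id` set and re-enters handle_extended_key_id() keeps whatever `keyidx_active` it had, so the "always start the first pairwise key at keyid 1" behaviour from the commit message is not guaranteed on that path. If the intent is to start every fresh PTK at keyid 1, set it whenever the capability is accepted rather than only on first enable. The cover letter also describes a `wpa_extended_key_id` value of 2 as an optional workaround switch, but the hunk adds no configuration check, so the change is unconditional; either add the knob or say so in the commit message.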