From patchwork Wed Feb 7 21:16:19 2024
X-Patchwork-Submitter: Matthew Wang
X-Patchwork-Id: 1896334
From: Matthew Wang
To: j@w1.fi
Cc: hostap@lists.infradead.org, matthewmwang@chromium.org
Subject: [PATCH 1/2] Check driver support before selecting ciphers
Date: Wed, 7 Feb 2024 21:16:19 +0000
Message-ID: <20240207211620.3917804-1-matthewmwang@chromium.org>

We currently don't check driver support before selecting pairwise and
group ciphers. Check that the driver supports a cipher before selecting
it, otherwise fall back.

Change-Id: I343b6656bd695d074ed2ac42d35378711ec1426e
Signed-off-by: Matthew Wang
---
 wpa_supplicant/wpa_supplicant.c | 41 ++++++++++++++++++++++++++-----
 wpa_supplicant/wpa_supplicant_i.h | 1 +
 2 files changed, 36 insertions(+), 6 deletions(-)

diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c index 172a863cb..bec2c9037 100644 --- a/wpa_supplicant/wpa_supplicant.c +++ b/wpa_supplicant/wpa_supplicant.c 
@@ -1747,10 +1747,10 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s, wpa_s->group_cipher = WPA_CIPHER_NONE; wpa_s->pairwise_cipher = WPA_CIPHER_NONE; #else /* CONFIG_NO_WPA */ - sel = ie.group_cipher & ssid->group_cipher; + sel = ie.group_cipher & ssid->group_cipher & wpa_s->drv_ciphers; wpa_dbg(wpa_s, MSG_DEBUG, - "WPA: AP group 0x%x network profile group 0x%x; available group 0x%x", - ie.group_cipher, ssid->group_cipher, sel); + "WPA: AP group 0x%x network profile group 0x%x driver supported ciphers 0x%x; available group 0x%x", + ie.group_cipher, ssid->group_cipher, wpa_s->drv_ciphers, sel); wpa_s->group_cipher = wpa_pick_group_cipher(sel); if (wpa_s->group_cipher < 0) { wpa_msg(wpa_s, MSG_WARNING, "WPA: Failed to select group " @@ -1760,10 +1760,11 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s, wpa_dbg(wpa_s, MSG_DEBUG, "WPA: using GTK %s", wpa_cipher_txt(wpa_s->group_cipher)); - sel = ie.pairwise_cipher & ssid->pairwise_cipher; + sel = ie.pairwise_cipher & ssid->pairwise_cipher & wpa_s->drv_ciphers; wpa_dbg(wpa_s, MSG_DEBUG, - "WPA: AP pairwise 0x%x network profile pairwise 0x%x; available pairwise 0x%x", - ie.pairwise_cipher, ssid->pairwise_cipher, sel); + "WPA: AP pairwise 0x%x network profile pairwise 0x%x driver supported ciphers 0x%x; available pairwise 0x%x", + ie.pairwise_cipher, ssid->pairwise_cipher, wpa_s->drv_ciphers, + sel); wpa_s->pairwise_cipher = wpa_pick_pairwise_cipher(sel, 1); if (wpa_s->pairwise_cipher < 0) { wpa_msg(wpa_s, MSG_WARNING, "WPA: Failed to select pairwise " 
@@ -7040,6 +7041,33 @@ static void wpas_gas_server_tx(void *ctx, int freq, const u8 *da, #endif /* CONFIG_GAS_SERVER */ +static unsigned int wpas_drv_enc_to_ciphers(unsigned int drv_enc) +{ + unsigned int ciphers = 0; + if (drv_enc & WPA_DRIVER_CAPA_ENC_WEP40) + ciphers |= WPA_CIPHER_WEP40; + if (drv_enc & WPA_DRIVER_CAPA_ENC_WEP104) + ciphers |= WPA_CIPHER_WEP104; + if (drv_enc & WPA_DRIVER_CAPA_ENC_TKIP) + ciphers |= WPA_CIPHER_TKIP; + if (drv_enc & WPA_DRIVER_CAPA_ENC_CCMP) + ciphers |= WPA_CIPHER_CCMP; + if (drv_enc & WPA_DRIVER_CAPA_ENC_GCMP) + ciphers |= WPA_CIPHER_GCMP; + if (drv_enc & WPA_DRIVER_CAPA_ENC_GCMP_256) + ciphers |= WPA_CIPHER_GCMP_256; + if (drv_enc & WPA_DRIVER_CAPA_ENC_CCMP_256) + ciphers |= WPA_CIPHER_CCMP_256; + if (drv_enc & WPA_DRIVER_CAPA_ENC_BIP_GMAC_128) + ciphers |= WPA_CIPHER_BIP_GMAC_128; + if (drv_enc & WPA_DRIVER_CAPA_ENC_BIP_GMAC_256) + ciphers |= WPA_CIPHER_BIP_GMAC_256; + if (drv_enc & WPA_DRIVER_CAPA_ENC_BIP_CMAC_256) + ciphers |= WPA_CIPHER_BIP_CMAC_256; + return ciphers; +} + + static int wpa_supplicant_init_iface(struct wpa_supplicant *wpa_s, const struct wpa_interface *iface) { @@ -7224,6 +7252,7 @@ static int wpa_supplicant_init_iface(struct wpa_supplicant *wpa_s, wpa_s->drv_flags = capa.flags; wpa_s->drv_flags2 = capa.flags2; wpa_s->drv_enc = capa.enc; + wpa_s->drv_ciphers = wpas_drv_enc_to_ciphers(wpa_s->drv_enc); wpa_s->drv_rrm_flags = capa.rrm_flags; wpa_s->drv_max_acl_mac_addrs = capa.max_acl_mac_addrs; wpa_s->probe_resp_offloads = capa.probe_resp_offloads; diff --git a/wpa_supplicant/wpa_supplicant_i.h b/wpa_supplicant/wpa_supplicant_i.h index 933fc3626..55929e667 100644 --- a/wpa_supplicant/wpa_supplicant_i.h +++ b/wpa_supplicant/wpa_supplicant_i.h 
@@ -920,6 +920,7 @@ struct wpa_supplicant { u64 drv_flags; u64 drv_flags2; unsigned int drv_enc; + unsigned int drv_ciphers; unsigned int drv_rrm_flags; unsigned int drv_max_acl_mac_addrs; 

From patchwork Wed Feb 7 21:16:20 2024
X-Patchwork-Submitter: Matthew Wang
X-Patchwork-Id: 1896335
From: Matthew Wang
To: j@w1.fi
Cc: hostap@lists.infradead.org, matthewmwang@chromium.org
Subject: [PATCH 2/2] Check driver support when selecting AKMs
Date: Wed, 7 Feb 2024 21:16:20 +0000
Message-ID: <20240207211620.3917804-2-matthewmwang@chromium.org>
In-Reply-To: <20240207211620.3917804-1-matthewmwang@chromium.org>
References: <20240207211620.3917804-1-matthewmwang@chromium.org>

We currently select an AKM even if the driver doesn't support it. Check
driver support before selecting an AKM, otherwise fall back.

Change-Id: Ib5b13cffa6d993a69db33c2a2cb81480d619bd79
Signed-off-by: Matthew Wang
---
 wpa_supplicant/wpa_supplicant.c | 64 +++++++++++++++++++++----------
 wpa_supplicant/wpa_supplicant_i.h | 1 +
 2 files changed, 44 insertions(+), 21 deletions(-)

diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c index bec2c9037..9c5955c2b 100644 --- a/wpa_supplicant/wpa_supplicant.c +++ b/wpa_supplicant/wpa_supplicant.c 
@@ -1795,7 +1795,8 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s, #ifdef CONFIG_IEEE80211R #ifdef CONFIG_SHA384 } else if ((sel & WPA_KEY_MGMT_FT_IEEE8021X_SHA384) && - os_strcmp(wpa_supplicant_get_eap_mode(wpa_s), "LEAP") != 0) { + os_strcmp(wpa_supplicant_get_eap_mode(wpa_s), "LEAP") != 0 && + (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_FT_802_1X_SHA384)) { wpa_s->key_mgmt = WPA_KEY_MGMT_FT_IEEE8021X_SHA384; wpa_dbg(wpa_s, MSG_DEBUG, "WPA: using KEY_MGMT FT/802.1X-SHA384"); 
@@ -1810,44 +1811,52 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s, #endif /* CONFIG_SHA384 */ #endif /* CONFIG_IEEE80211R */ #ifdef CONFIG_SUITEB192 - } else if (sel & WPA_KEY_MGMT_IEEE8021X_SUITE_B_192) { + } else if ((sel & WPA_KEY_MGMT_IEEE8021X_SUITE_B_192) && + (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_SUITE_B_192)) { wpa_s->key_mgmt = WPA_KEY_MGMT_IEEE8021X_SUITE_B_192; wpa_dbg(wpa_s, MSG_DEBUG, "WPA: using KEY_MGMT 802.1X with Suite B (192-bit)"); #endif /* CONFIG_SUITEB192 */ #ifdef CONFIG_SUITEB - } else if (sel & WPA_KEY_MGMT_IEEE8021X_SUITE_B) { + } else if ((sel & WPA_KEY_MGMT_IEEE8021X_SUITE_B) && + (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_SUITE_B)) { wpa_s->key_mgmt = WPA_KEY_MGMT_IEEE8021X_SUITE_B; wpa_dbg(wpa_s, MSG_DEBUG, "WPA: using KEY_MGMT 802.1X with Suite B"); #endif /* CONFIG_SUITEB */ #ifdef CONFIG_SHA384 - } else if (sel & WPA_KEY_MGMT_IEEE8021X_SHA384) { + } else if ((sel & WPA_KEY_MGMT_IEEE8021X_SHA384) && + (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_FILS_SHA384)) { wpa_s->key_mgmt = WPA_KEY_MGMT_IEEE8021X_SHA384; wpa_dbg(wpa_s, MSG_DEBUG, "WPA: using KEY_MGMT 802.1X with SHA384"); #endif /* CONFIG_SHA384 */ #ifdef CONFIG_FILS #ifdef CONFIG_IEEE80211R - } else if (sel & WPA_KEY_MGMT_FT_FILS_SHA384) { + } else if ((sel & WPA_KEY_MGMT_FT_FILS_SHA384) && + (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_FT_FILS_SHA384)) { wpa_s->key_mgmt = WPA_KEY_MGMT_FT_FILS_SHA384; wpa_dbg(wpa_s, MSG_DEBUG, "WPA: using KEY_MGMT FT-FILS-SHA384"); #endif /* CONFIG_IEEE80211R */ - } else if (sel & WPA_KEY_MGMT_FILS_SHA384) { + } else if ((sel & WPA_KEY_MGMT_FILS_SHA384) && + (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_FILS_SHA384)) { wpa_s->key_mgmt = WPA_KEY_MGMT_FILS_SHA384; wpa_dbg(wpa_s, MSG_DEBUG, "WPA: using KEY_MGMT FILS-SHA384"); #ifdef CONFIG_IEEE80211R - } else if (sel & WPA_KEY_MGMT_FT_FILS_SHA256) { + } else if ((sel & WPA_KEY_MGMT_FT_FILS_SHA256) && + (wpa_s->drv_key_mgmt & 
WPA_DRIVER_CAPA_KEY_MGMT_FT_FILS_SHA256)) { wpa_s->key_mgmt = WPA_KEY_MGMT_FT_FILS_SHA256; wpa_dbg(wpa_s, MSG_DEBUG, "WPA: using KEY_MGMT FT-FILS-SHA256"); #endif /* CONFIG_IEEE80211R */ - } else if (sel & WPA_KEY_MGMT_FILS_SHA256) { + } else if ((sel & WPA_KEY_MGMT_FILS_SHA256) && + (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_FILS_SHA256)) { wpa_s->key_mgmt = WPA_KEY_MGMT_FILS_SHA256; wpa_dbg(wpa_s, MSG_DEBUG, "WPA: using KEY_MGMT FILS-SHA256"); #endif /* CONFIG_FILS */ #ifdef CONFIG_IEEE80211R } else if ((sel & WPA_KEY_MGMT_FT_IEEE8021X) && - os_strcmp(wpa_supplicant_get_eap_mode(wpa_s), "LEAP") != 0) { + os_strcmp(wpa_supplicant_get_eap_mode(wpa_s), "LEAP") != 0 && + (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_FT)) { wpa_s->key_mgmt = WPA_KEY_MGMT_FT_IEEE8021X; wpa_dbg(wpa_s, MSG_DEBUG, "WPA: using KEY_MGMT FT/802.1X"); if (!ssid->ft_eap_pmksa_caching && 
@@ -1860,54 +1869,66 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s, } #endif /* CONFIG_IEEE80211R */ #ifdef CONFIG_DPP - } else if (sel & WPA_KEY_MGMT_DPP) { + } else if ((sel & WPA_KEY_MGMT_DPP) && + (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_DPP)) { wpa_s->key_mgmt = WPA_KEY_MGMT_DPP; wpa_dbg(wpa_s, MSG_DEBUG, "RSN: using KEY_MGMT DPP"); #endif /* CONFIG_DPP */ #ifdef CONFIG_SAE - } else if (sel & WPA_KEY_MGMT_FT_SAE_EXT_KEY) { + } else if ((sel & WPA_KEY_MGMT_FT_SAE_EXT_KEY) && + (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_FT_SAE_EXT_KEY)) { wpa_s->key_mgmt = WPA_KEY_MGMT_FT_SAE_EXT_KEY; wpa_dbg(wpa_s, MSG_DEBUG, "RSN: using KEY_MGMT FT/SAE (ext key)"); - } else if (sel & WPA_KEY_MGMT_SAE_EXT_KEY) { + } else if ((sel & WPA_KEY_MGMT_SAE_EXT_KEY) && + (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_SAE_EXT_KEY)) { wpa_s->key_mgmt = WPA_KEY_MGMT_SAE_EXT_KEY; wpa_dbg(wpa_s, MSG_DEBUG, "RSN: using KEY_MGMT SAE (ext key)"); - } else if (sel & WPA_KEY_MGMT_FT_SAE) { + } else if ((sel & WPA_KEY_MGMT_FT_SAE) && + (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_FT_SAE)) { wpa_s->key_mgmt = WPA_KEY_MGMT_FT_SAE; wpa_dbg(wpa_s, MSG_DEBUG, "RSN: using KEY_MGMT FT/SAE"); - } else if (sel & WPA_KEY_MGMT_SAE) { + } else if ((sel & WPA_KEY_MGMT_SAE) && + (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_SAE)) { wpa_s->key_mgmt = WPA_KEY_MGMT_SAE; wpa_dbg(wpa_s, MSG_DEBUG, "RSN: using KEY_MGMT SAE"); #endif /* CONFIG_SAE */ #ifdef CONFIG_IEEE80211R - } else if (sel & WPA_KEY_MGMT_FT_PSK) { + } else if ((sel & WPA_KEY_MGMT_FT_PSK) && + wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_FT_PSK) { wpa_s->key_mgmt = WPA_KEY_MGMT_FT_PSK; wpa_dbg(wpa_s, MSG_DEBUG, "WPA: using KEY_MGMT FT/PSK"); #endif /* CONFIG_IEEE80211R */ - } else if (sel & WPA_KEY_MGMT_IEEE8021X_SHA256) { + } else if ((sel & WPA_KEY_MGMT_IEEE8021X_SHA256) && + (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_802_1X_SHA256)) { wpa_s->key_mgmt = WPA_KEY_MGMT_IEEE8021X_SHA256; wpa_dbg(wpa_s, 
MSG_DEBUG, "WPA: using KEY_MGMT 802.1X with SHA256"); - } else if (sel & WPA_KEY_MGMT_PSK_SHA256) { + } else if ((sel & WPA_KEY_MGMT_PSK_SHA256) && + (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_PSK_SHA256)) { wpa_s->key_mgmt = WPA_KEY_MGMT_PSK_SHA256; wpa_dbg(wpa_s, MSG_DEBUG, "WPA: using KEY_MGMT PSK with SHA256"); - } else if (sel & WPA_KEY_MGMT_IEEE8021X) { + } else if ((sel & WPA_KEY_MGMT_IEEE8021X) && + (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_WPA)) { wpa_s->key_mgmt = WPA_KEY_MGMT_IEEE8021X; wpa_dbg(wpa_s, MSG_DEBUG, "WPA: using KEY_MGMT 802.1X"); - } else if (sel & WPA_KEY_MGMT_PSK) { + } else if ((sel & WPA_KEY_MGMT_PSK) && + (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_WPA_PSK)) { wpa_s->key_mgmt = WPA_KEY_MGMT_PSK; wpa_dbg(wpa_s, MSG_DEBUG, "WPA: using KEY_MGMT WPA-PSK"); } else if (sel & WPA_KEY_MGMT_WPA_NONE) { wpa_s->key_mgmt = WPA_KEY_MGMT_WPA_NONE; wpa_dbg(wpa_s, MSG_DEBUG, "WPA: using KEY_MGMT WPA-NONE"); #ifdef CONFIG_HS20 - } else if (sel & WPA_KEY_MGMT_OSEN) { + } else if ((sel & WPA_KEY_MGMT_OSEN) && + (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_OSEN)) { wpa_s->key_mgmt = WPA_KEY_MGMT_OSEN; wpa_dbg(wpa_s, MSG_DEBUG, "HS 2.0: using KEY_MGMT OSEN"); #endif /* CONFIG_HS20 */ #ifdef CONFIG_OWE - } else if (sel & WPA_KEY_MGMT_OWE) { + } else if ((sel & WPA_KEY_MGMT_OWE) && + (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_OWE)) { wpa_s->key_mgmt = WPA_KEY_MGMT_OWE; wpa_dbg(wpa_s, MSG_DEBUG, "RSN: using KEY_MGMT OWE"); #endif /* CONFIG_OWE */ @@ -7253,6 +7274,7 @@ static int wpa_supplicant_init_iface(struct wpa_supplicant *wpa_s, wpa_s->drv_flags2 = capa.flags2; wpa_s->drv_enc = capa.enc; wpa_s->drv_ciphers = wpas_drv_enc_to_ciphers(wpa_s->drv_enc); + wpa_s->drv_key_mgmt = capa.key_mgmt; wpa_s->drv_rrm_flags = capa.rrm_flags; wpa_s->drv_max_acl_mac_addrs = capa.max_acl_mac_addrs; wpa_s->probe_resp_offloads = capa.probe_resp_offloads; 
diff --git a/wpa_supplicant/wpa_supplicant_i.h b/wpa_supplicant/wpa_supplicant_i.h index 55929e667..d5490e513 100644 --- a/wpa_supplicant/wpa_supplicant_i.h +++ b/wpa_supplicant/wpa_supplicant_i.h @@ -921,6 +921,7 @@ struct wpa_supplicant { u64 drv_flags2; unsigned int drv_enc; unsigned int drv_ciphers; + unsigned int drv_key_mgmt; unsigned int drv_rrm_flags; unsigned int drv_max_acl_mac_addrs;
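
Review bot: in [PATCH 1/2], the two masked selections in wpa_supplicant_set_suites() ("sel = ie.group_cipher & ssid->group_cipher & wpa_s->drv_ciphers;" and the pairwise equivalent) have no path for a driver that reports no cipher capabilities. wpas_drv_enc_to_ciphers() returns 0 when drv_enc is 0, so sel becomes 0 and both selections end in the existing "WPA: Failed to select group" / "WPA: Failed to select pairwise" branches. The commit message says "otherwise fall back", but no fallback is visible in these hunks. Consider applying the mask only when wpa_s->drv_ciphers is non-zero, or say in the commit message that a zero capability mask is expected to fail the association.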
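
Review bot: in [PATCH 1/2], wpas_drv_enc_to_ciphers() has no mapping for WPA_DRIVER_CAPA_ENC_BIP (to WPA_CIPHER_AES_128_CMAC) or WPA_DRIVER_CAPA_ENC_GTK_NOT_USED (to WPA_CIPHER_GTK_NOT_USED). Because the group selection is now masked with drv_ciphers, an AP group cipher of WPA_CIPHER_GTK_NOT_USED can never survive the mask, even on a driver that reports the capability. Add the two missing mappings so the converted mask covers every WPA_DRIVER_CAPA_ENC_* flag the driver can set.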
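
Review bot: in [PATCH 2/2], wpa_s->drv_key_mgmt is copied unmodified from capa.key_mgmt in wpa_supplicant_init_iface() and is then required by nearly every branch of the AKM chain in wpa_supplicant_set_suites(), so a driver that reports key_mgmt as 0 is left with only the ungated WPA_KEY_MGMT_WPA_NONE branch. Decide whether a zero mask means "unknown, do not filter" and handle that once before the else-if chain instead of relying on each branch's test.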
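
Review bot: in [PATCH 2/2], hunk @@ -1810, the WPA_KEY_MGMT_IEEE8021X_SHA384 branch is gated on WPA_DRIVER_CAPA_KEY_MGMT_FILS_SHA384, the same flag the WPA_KEY_MGMT_FILS_SHA384 branch uses a few lines later. This looks like a copy-paste slip: a driver without FILS support can no longer select 802.1X with SHA384. Gate this branch on the capability that actually corresponds to 802.1X-SHA384, or leave it ungated if the driver interface has no such flag.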
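
Review bot: in [PATCH 2/2], hunk @@ -1860, the WPA_KEY_MGMT_IEEE8021X and WPA_KEY_MGMT_PSK branches test only WPA_DRIVER_CAPA_KEY_MGMT_WPA and WPA_DRIVER_CAPA_KEY_MGMT_WPA_PSK, so a driver that reports only the WPA2 variants (WPA_DRIVER_CAPA_KEY_MGMT_WPA2, WPA_DRIVER_CAPA_KEY_MGMT_WPA2_PSK) can no longer select 802.1X or PSK for an RSN network. Test both the WPA and WPA2 flag in each of these branches. Separately, the WPA_KEY_MGMT_FT_PSK branch is the only one whose "wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_FT_PSK" test is not parenthesised; the precedence is correct, but wrap it to match the other branches.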