From patchwork Wed Feb 7 21:16:20 2024
X-Patchwork-Submitter: Matthew Wang
X-Patchwork-Id: 1896335
From: Matthew Wang
To: j@w1.fi
Cc: hostap@lists.infradead.org, matthewmwang@chromium.org
Subject: [PATCH 2/2] Check driver support when selecting AKMs
Date: Wed, 7 Feb 2024 21:16:20 +0000
Message-ID: <20240207211620.3917804-2-matthewmwang@chromium.org>
In-Reply-To: <20240207211620.3917804-1-matthewmwang@chromium.org>

We currently select an AKM even if the driver doesn't support it. Check
driver support before selecting an AKM, otherwise fall back.

Change-Id: Ib5b13cffa6d993a69db33c2a2cb81480d619bd79
Signed-off-by: Matthew Wang
---
 wpa_supplicant/wpa_supplicant.c   | 64 +++++++++++++++++++++----------
 wpa_supplicant/wpa_supplicant_i.h |  1 +
 2 files changed, 44 insertions(+), 21 deletions(-)

diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c index bec2c9037..9c5955c2b 100644 --- a/wpa_supplicant/wpa_supplicant.c +++ b/wpa_supplicant/wpa_supplicant.c 
@@ -1795,7 +1795,8 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s, #ifdef CONFIG_IEEE80211R #ifdef CONFIG_SHA384 } else if ((sel & WPA_KEY_MGMT_FT_IEEE8021X_SHA384) && - os_strcmp(wpa_supplicant_get_eap_mode(wpa_s), "LEAP") != 0) { + os_strcmp(wpa_supplicant_get_eap_mode(wpa_s), "LEAP") != 0 && + (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_FT_802_1X_SHA384)) { wpa_s->key_mgmt = WPA_KEY_MGMT_FT_IEEE8021X_SHA384; wpa_dbg(wpa_s, MSG_DEBUG, "WPA: using KEY_MGMT FT/802.1X-SHA384"); 
@@ -1810,44 +1811,52 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s, #endif /* CONFIG_SHA384 */ #endif /* CONFIG_IEEE80211R */ #ifdef CONFIG_SUITEB192 - } else if (sel & WPA_KEY_MGMT_IEEE8021X_SUITE_B_192) { + } else if ((sel & WPA_KEY_MGMT_IEEE8021X_SUITE_B_192) && + (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_SUITE_B_192)) { wpa_s->key_mgmt = WPA_KEY_MGMT_IEEE8021X_SUITE_B_192; wpa_dbg(wpa_s, MSG_DEBUG, "WPA: using KEY_MGMT 802.1X with Suite B (192-bit)"); #endif /* CONFIG_SUITEB192 */ #ifdef CONFIG_SUITEB - } else if (sel & WPA_KEY_MGMT_IEEE8021X_SUITE_B) { + } else if ((sel & WPA_KEY_MGMT_IEEE8021X_SUITE_B) && + (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_SUITE_B)) { wpa_s->key_mgmt = WPA_KEY_MGMT_IEEE8021X_SUITE_B; wpa_dbg(wpa_s, MSG_DEBUG, "WPA: using KEY_MGMT 802.1X with Suite B"); #endif /* CONFIG_SUITEB */ #ifdef CONFIG_SHA384 - } else if (sel & WPA_KEY_MGMT_IEEE8021X_SHA384) { + } else if ((sel & WPA_KEY_MGMT_IEEE8021X_SHA384) && + (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_FILS_SHA384)) { wpa_s->key_mgmt = WPA_KEY_MGMT_IEEE8021X_SHA384; wpa_dbg(wpa_s, MSG_DEBUG, "WPA: using KEY_MGMT 802.1X with SHA384"); #endif /* CONFIG_SHA384 */ #ifdef CONFIG_FILS #ifdef CONFIG_IEEE80211R - } else if (sel & WPA_KEY_MGMT_FT_FILS_SHA384) { + } else if ((sel & WPA_KEY_MGMT_FT_FILS_SHA384) && + (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_FT_FILS_SHA384)) { wpa_s->key_mgmt = WPA_KEY_MGMT_FT_FILS_SHA384; wpa_dbg(wpa_s, MSG_DEBUG, "WPA: using KEY_MGMT FT-FILS-SHA384"); #endif /* CONFIG_IEEE80211R */ - } else if (sel & WPA_KEY_MGMT_FILS_SHA384) { + } else if ((sel & WPA_KEY_MGMT_FILS_SHA384) && + (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_FILS_SHA384)) { wpa_s->key_mgmt = WPA_KEY_MGMT_FILS_SHA384; wpa_dbg(wpa_s, MSG_DEBUG, "WPA: using KEY_MGMT FILS-SHA384"); #ifdef CONFIG_IEEE80211R - } else if (sel & WPA_KEY_MGMT_FT_FILS_SHA256) { + } else if ((sel & WPA_KEY_MGMT_FT_FILS_SHA256) && + (wpa_s->drv_key_mgmt & 
WPA_DRIVER_CAPA_KEY_MGMT_FT_FILS_SHA256)) { wpa_s->key_mgmt = WPA_KEY_MGMT_FT_FILS_SHA256; wpa_dbg(wpa_s, MSG_DEBUG, "WPA: using KEY_MGMT FT-FILS-SHA256"); #endif /* CONFIG_IEEE80211R */ - } else if (sel & WPA_KEY_MGMT_FILS_SHA256) { + } else if ((sel & WPA_KEY_MGMT_FILS_SHA256) && + (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_FILS_SHA256)) { wpa_s->key_mgmt = WPA_KEY_MGMT_FILS_SHA256; wpa_dbg(wpa_s, MSG_DEBUG, "WPA: using KEY_MGMT FILS-SHA256"); #endif /* CONFIG_FILS */ #ifdef CONFIG_IEEE80211R } else if ((sel & WPA_KEY_MGMT_FT_IEEE8021X) && - os_strcmp(wpa_supplicant_get_eap_mode(wpa_s), "LEAP") != 0) { + os_strcmp(wpa_supplicant_get_eap_mode(wpa_s), "LEAP") != 0 && + (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_FT)) { wpa_s->key_mgmt = WPA_KEY_MGMT_FT_IEEE8021X; wpa_dbg(wpa_s, MSG_DEBUG, "WPA: using KEY_MGMT FT/802.1X"); if (!ssid->ft_eap_pmksa_caching && 
@@ -1860,54 +1869,66 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s, } #endif /* CONFIG_IEEE80211R */ #ifdef CONFIG_DPP - } else if (sel & WPA_KEY_MGMT_DPP) { + } else if ((sel & WPA_KEY_MGMT_DPP) && + (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_DPP)) { wpa_s->key_mgmt = WPA_KEY_MGMT_DPP; wpa_dbg(wpa_s, MSG_DEBUG, "RSN: using KEY_MGMT DPP"); #endif /* CONFIG_DPP */ #ifdef CONFIG_SAE - } else if (sel & WPA_KEY_MGMT_FT_SAE_EXT_KEY) { + } else if ((sel & WPA_KEY_MGMT_FT_SAE_EXT_KEY) && + (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_FT_SAE_EXT_KEY)) { wpa_s->key_mgmt = WPA_KEY_MGMT_FT_SAE_EXT_KEY; wpa_dbg(wpa_s, MSG_DEBUG, "RSN: using KEY_MGMT FT/SAE (ext key)"); - } else if (sel & WPA_KEY_MGMT_SAE_EXT_KEY) { + } else if ((sel & WPA_KEY_MGMT_SAE_EXT_KEY) && + (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_SAE_EXT_KEY)) { wpa_s->key_mgmt = WPA_KEY_MGMT_SAE_EXT_KEY; wpa_dbg(wpa_s, MSG_DEBUG, "RSN: using KEY_MGMT SAE (ext key)"); - } else if (sel & WPA_KEY_MGMT_FT_SAE) { + } else if ((sel & WPA_KEY_MGMT_FT_SAE) && + (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_FT_SAE)) { wpa_s->key_mgmt = WPA_KEY_MGMT_FT_SAE; wpa_dbg(wpa_s, MSG_DEBUG, "RSN: using KEY_MGMT FT/SAE"); - } else if (sel & WPA_KEY_MGMT_SAE) { + } else if ((sel & WPA_KEY_MGMT_SAE) && + (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_SAE)) { wpa_s->key_mgmt = WPA_KEY_MGMT_SAE; wpa_dbg(wpa_s, MSG_DEBUG, "RSN: using KEY_MGMT SAE"); #endif /* CONFIG_SAE */ #ifdef CONFIG_IEEE80211R - } else if (sel & WPA_KEY_MGMT_FT_PSK) { + } else if ((sel & WPA_KEY_MGMT_FT_PSK) && + wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_FT_PSK) { wpa_s->key_mgmt = WPA_KEY_MGMT_FT_PSK; wpa_dbg(wpa_s, MSG_DEBUG, "WPA: using KEY_MGMT FT/PSK"); #endif /* CONFIG_IEEE80211R */ - } else if (sel & WPA_KEY_MGMT_IEEE8021X_SHA256) { + } else if ((sel & WPA_KEY_MGMT_IEEE8021X_SHA256) && + (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_802_1X_SHA256)) { wpa_s->key_mgmt = WPA_KEY_MGMT_IEEE8021X_SHA256; wpa_dbg(wpa_s, 
MSG_DEBUG, "WPA: using KEY_MGMT 802.1X with SHA256"); - } else if (sel & WPA_KEY_MGMT_PSK_SHA256) { + } else if ((sel & WPA_KEY_MGMT_PSK_SHA256) && + (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_PSK_SHA256)) { wpa_s->key_mgmt = WPA_KEY_MGMT_PSK_SHA256; wpa_dbg(wpa_s, MSG_DEBUG, "WPA: using KEY_MGMT PSK with SHA256"); - } else if (sel & WPA_KEY_MGMT_IEEE8021X) { + } else if ((sel & WPA_KEY_MGMT_IEEE8021X) && + (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_WPA)) { wpa_s->key_mgmt = WPA_KEY_MGMT_IEEE8021X; wpa_dbg(wpa_s, MSG_DEBUG, "WPA: using KEY_MGMT 802.1X"); - } else if (sel & WPA_KEY_MGMT_PSK) { + } else if ((sel & WPA_KEY_MGMT_PSK) && + (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_WPA_PSK)) { wpa_s->key_mgmt = WPA_KEY_MGMT_PSK; wpa_dbg(wpa_s, MSG_DEBUG, "WPA: using KEY_MGMT WPA-PSK"); } else if (sel & WPA_KEY_MGMT_WPA_NONE) { wpa_s->key_mgmt = WPA_KEY_MGMT_WPA_NONE; wpa_dbg(wpa_s, MSG_DEBUG, "WPA: using KEY_MGMT WPA-NONE"); #ifdef CONFIG_HS20 - } else if (sel & WPA_KEY_MGMT_OSEN) { + } else if ((sel & WPA_KEY_MGMT_OSEN) && + (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_OSEN)) { wpa_s->key_mgmt = WPA_KEY_MGMT_OSEN; wpa_dbg(wpa_s, MSG_DEBUG, "HS 2.0: using KEY_MGMT OSEN"); #endif /* CONFIG_HS20 */ #ifdef CONFIG_OWE - } else if (sel & WPA_KEY_MGMT_OWE) { + } else if ((sel & WPA_KEY_MGMT_OWE) && + (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_OWE)) { wpa_s->key_mgmt = WPA_KEY_MGMT_OWE; wpa_dbg(wpa_s, MSG_DEBUG, "RSN: using KEY_MGMT OWE"); #endif /* CONFIG_OWE */ @@ -7253,6 +7274,7 @@ static int wpa_supplicant_init_iface(struct wpa_supplicant *wpa_s, wpa_s->drv_flags2 = capa.flags2; wpa_s->drv_enc = capa.enc; wpa_s->drv_ciphers = wpas_drv_enc_to_ciphers(wpa_s->drv_enc); + wpa_s->drv_key_mgmt = capa.key_mgmt; wpa_s->drv_rrm_flags = capa.rrm_flags; wpa_s->drv_max_acl_mac_addrs = capa.max_acl_mac_addrs; wpa_s->probe_resp_offloads = capa.probe_resp_offloads; 
diff --git a/wpa_supplicant/wpa_supplicant_i.h b/wpa_supplicant/wpa_supplicant_i.h index 55929e667..d5490e513 100644 --- a/wpa_supplicant/wpa_supplicant_i.h +++ b/wpa_supplicant/wpa_supplicant_i.h @@ -921,6 +921,7 @@ struct wpa_supplicant { u64 drv_flags2; unsigned int drv_enc; unsigned int drv_ciphers; + unsigned int drv_key_mgmt; unsigned int drv_rrm_flags; unsigned int drv_max_acl_mac_addrs;
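
Review bot: in the @@ -1810,44 +1811,52 @@ hunk of wpa_supplicant_set_suites(), the WPA_KEY_MGMT_IEEE8021X_SHA384 branch is gated on WPA_DRIVER_CAPA_KEY_MGMT_FILS_SHA384, the same flag the WPA_KEY_MGMT_FILS_SHA384 branch a few lines below it uses. Every other branch in the patch tests a capability named after its own AKM, so this looks like a copy/paste slip: a driver without FILS-SHA384 would never get 802.1X-SHA384 selected, and a driver with FILS-SHA384 would pass the check whether or not it supports 802.1X-SHA384. Test the capability bit that corresponds to 802.1X-SHA384, or, if the driver interface has no such bit, leave this branch ungated and say so in a comment.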
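
Review bot: in the @@ -1860,54 +1869,66 @@ hunk, the WPA_KEY_MGMT_FT_PSK condition is the only added check without parentheses around the capability test: (sel & WPA_KEY_MGMT_FT_PSK) && wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_FT_PSK. It evaluates as intended because & binds tighter than &&, but it should be written as (wpa_s->drv_key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_FT_PSK) to match the other branches. The WPA_KEY_MGMT_WPA_NONE branch in the same hunk is left without a driver check; if that is deliberate, the commit message should say so.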
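
Review bot: in the wpa_supplicant_init_iface() hunk (@@ -7253,6 +7274,7 @@), drv_key_mgmt is filled only from capa.key_mgmt, so a driver that reports no key management capabilities leaves it at zero and every gated branch in wpa_supplicant_set_suites() is then skipped, PSK and 802.1X included. Before this patch those branches tested only sel, so such a driver still got an AKM selected. Consider treating a zero drv_key_mgmt as "capabilities unknown" and skipping the driver check in that case, or state in the commit message which drivers are expected to populate capa.key_mgmt.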