Re: git: c7f5f140bfdd - main - net80211: add initial key management suites from 802.11-2016, APIs to register them
Date: Tue, 14 May 2024 22:00:39 UTC
On Tue, 14 May 2024, Adrian Chadd wrote: > The branch main has been updated by adrian: > > URL: https://cgit.FreeBSD.org/src/commit/?id=c7f5f140bfdde730dcd4380ac364a084488c962f > > commit c7f5f140bfdde730dcd4380ac364a084488c962f > Author: Adrian Chadd <adrian@FreeBSD.org> > AuthorDate: 2024-04-23 21:59:43 +0000 > Commit: Adrian Chadd <adrian@FreeBSD.org> > CommitDate: 2024-05-14 21:39:33 +0000 > > net80211: add initial key management suites from 802.11-2016, APIs to register them > > The WPA1/WPA2 driver capabilities aren't really enough in today's world. > There are a /lot/ more key management suites to support! > > So, add initial support for net80211 and drivers to announce what > key management suites are supported. These are the list from 802.11-2016 > section 9.4.2.25.3 (AKM suites.) > > The flags are for software supported key management. > > Drivers may support more key management suites and are welcome to > announce more; net80211 will only announce ones that we know > net80211 knows "enough" about to support correctly. > > There /are/ other suites that may be interesting to some people in > the future that are not part of this set - eg if anyone ever > wants to support the Chinese WAPI standard - so this bitmap is not > specifically just the AKM suites in the RSN OUI. > > This should eventually be communicated up to the wpa_supplicant and > hostapd via a replacement driver/vap capabilities call so they know > what to enable rather than just IEEE80211_C_WPA1 / IEEE80211_C_WPA2. > > Differential Revision: https://reviews.freebsd.org/D44919 > Reviewed by: bz No. Leaving a comment doesn't mean Reviewed. Especially if it gets changed again after. > --- > sys/net80211/_ieee80211.h | 21 +++++++++++++++++++++ > sys/net80211/ieee80211.c | 12 ++++++++++++ > sys/net80211/ieee80211_crypto.c | 35 +++++++++++++++++++++++++++++++++++ > sys/net80211/ieee80211_crypto.h | 2 ++ > sys/net80211/ieee80211_var.h | 4 ++++ > 5 files changed, 74 insertions(+) > > diff --git a/sys/net80211/_ieee80211.h b/sys/net80211/_ieee80211.h > index 1ac9328714f7..5c7e6110026d 100644 > --- a/sys/net80211/_ieee80211.h > +++ b/sys/net80211/_ieee80211.h > @@ -536,6 +536,27 @@ struct ieee80211_mimo_info { > "\21AMPDU\22AMSDU\23HT\24SMPS\25RIFS\32TXLDPC\33RXAMSDUAMPDU" \ > "\34TXAMSDUAMPDU" > > +/* > + * AKM (key management) suite capability list. > + * > + * These represent what's in 802.11-2016 - Table 9-133 - AKM Suite Selectors. > + * Note that they do not match what the table values are, in case other key > + * management suites want to be added with different OUIs. > + */ > +#define IEEE80211_KEYMGMT_RSN_UNSPEC_802_1X 0x00000001 /* RSN suite 1 */ > +#define IEEE80211_KEYMGMT_RSN_PSK_OVER_802_1X 0x00000002 /* RSN suite 2 */ > +#define IEEE80211_KEYMGMT_RSN_FT_OVER_802_1X 0x00000004 /* RSN suite 3 */ > +#define IEEE80211_KEYMGMT_RSN_FT_PSK 0x00000008 /* RSN suite 4 */ > +#define IEEE80211_KEYMGMT_RSN_802_1X_SHA256 0x00000010 /* RSN suite 5 */ > +#define IEEE80211_KEYMGMT_RSN_PSK_SHA256 0x00000020 /* RSN suite 6 */ > +#define IEEE80211_KEYMGMT_RSN_TPK_HANDSHAKE 0x00000040 /* RSN suite 7 */ > +#define IEEE80211_KEYMGMT_RSN_SAE 0x00000080 /* RSN suite 8 */ > +#define IEEE80211_KEYMGMT_RSN_FT_SAE 0x00000100 /* RSN suite 9 */ > +#define IEEE80211_KEYMGMT_RSN_APPEERKEY_SHA256 0x00000200 /* RSN suite 10 */ > +#define IEEE80211_KEYMGMT_RSN_802_1X_SUITE_B 0x00000400 /* RSN suite 11 */ > +#define IEEE80211_KEYMGMT_RSN_802_1X_SUITE_B_192 0x00000800 /* RSN suite 12 */ > +#define IEEE80211_KEYMGMT_RSN_FT_802_1X_SHA384 0x00001000 /* RSN suite 13 */ > + > /* > * RX status notification - which fields are valid. > */ > diff --git a/sys/net80211/ieee80211.c b/sys/net80211/ieee80211.c > index 1c82493274bb..ecb46e08713c 100644 > --- a/sys/net80211/ieee80211.c > +++ b/sys/net80211/ieee80211.c > @@ -456,6 +456,18 @@ ieee80211_set_hardware_ciphers(struct ieee80211com *ic, > ieee80211_crypto_set_supported_hardware_ciphers(ic, cipher_suite); > } > > +/* > + * Called by drivers during attach to set the supported > + * key management suites by the driver/hardware. > + */ > +void > +ieee80211_set_driver_keymgmt_suites(struct ieee80211com *ic, > + uint32_t keymgmt_set) > +{ > + ieee80211_crypto_set_supported_driver_keymgmt(ic, > + keymgmt_set); > +} > + > struct ieee80211com * > ieee80211_find_com(const char *name) > { > diff --git a/sys/net80211/ieee80211_crypto.c b/sys/net80211/ieee80211_crypto.c > index 3659d3f7c79a..829653ff1335 100644 > --- a/sys/net80211/ieee80211_crypto.c > +++ b/sys/net80211/ieee80211_crypto.c > @@ -154,6 +154,25 @@ ieee80211_crypto_attach(struct ieee80211com *ic) > */ > ic->ic_sw_cryptocaps = IEEE80211_CRYPTO_WEP | > IEEE80211_CRYPTO_TKIP | IEEE80211_CRYPTO_AES_CCM; > + > + /* > + * Default set of key management types supported by net80211. > + * > + * These are supported by software net80211 and announced/ > + * driven by hostapd + wpa_supplicant. > + * > + * Drivers doing full supplicant offload must not set > + * anything here. > + * > + * Note that IEEE80211_C_WPA1 and IEEE80211_C_WPA2 are the > + * "old" style way of drivers announcing key management > + * capabilities. There are many, many more key management > + * suites in 802.11-2016 (see 9.4.2.25.3 - AKM suites.) > + * For now they still need to be set - these flags are checked > + * when assembling a beacon to reserve space for the WPA > + * vendor IE (WPA 1) and RSN IE (WPA 2). > + */ > + ic->ic_sw_keymgmtcaps = 0; > } > > /* > @@ -184,6 +203,22 @@ ieee80211_crypto_set_supported_hardware_ciphers(struct ieee80211com *ic, > ic->ic_cryptocaps = cipher_set; > } > > +/* > + * Set the supported software key management by the driver. > + * > + * These are the key management suites that are supported via > + * the driver via hostapd/wpa_supplicant. > + * > + * Key management which is completely offloaded (ie, the supplicant > + * runs in hardware/firmware) must not be set here. > + */ > +void > +ieee80211_crypto_set_supported_driver_keymgmt(struct ieee80211com *ic, > + uint32_t keymgmt_set) > +{ > + > + ic->ic_sw_keymgmtcaps = keymgmt_set; > +} > > /* > * Setup crypto support for a vap. > diff --git a/sys/net80211/ieee80211_crypto.h b/sys/net80211/ieee80211_crypto.h > index e09b822289d7..b69df0cff3bd 100644 > --- a/sys/net80211/ieee80211_crypto.h > +++ b/sys/net80211/ieee80211_crypto.h > @@ -184,6 +184,8 @@ void ieee80211_crypto_set_supported_software_ciphers(struct ieee80211com *, > uint32_t cipher_set); > void ieee80211_crypto_set_supported_hardware_ciphers(struct ieee80211com *, > uint32_t cipher_set); > +void ieee80211_crypto_set_supported_driver_keymgmt(struct ieee80211com *, > + uint32_t keymgmt_set); > void ieee80211_crypto_vattach(struct ieee80211vap *); > void ieee80211_crypto_vdetach(struct ieee80211vap *); > int ieee80211_crypto_newkey(struct ieee80211vap *, > diff --git a/sys/net80211/ieee80211_var.h b/sys/net80211/ieee80211_var.h > index 21fdff0b88a3..9273b43a5823 100644 > --- a/sys/net80211/ieee80211_var.h > +++ b/sys/net80211/ieee80211_var.h > @@ -167,6 +167,8 @@ struct ieee80211com { > uint32_t ic_sw_cryptocaps; > uint32_t ic_cryptocaps; /* hardware crypto caps */ > /* set of mode capabilities */ > + /* driver/net80211 sw KEYMGMT capabilities */ > + uint32_t ic_sw_keymgmtcaps; > uint8_t ic_modecaps[IEEE80211_MODE_BYTES]; > uint8_t ic_promisc; /* vap's needing promisc mode */ > uint8_t ic_allmulti; /* vap's needing all multicast*/ > @@ -755,6 +757,8 @@ void ieee80211_set_software_ciphers(struct ieee80211com *, > uint32_t cipher_suite); > void ieee80211_set_hardware_ciphers(struct ieee80211com *, > uint32_t cipher_suite); > +void ieee80211_set_driver_keymgmt_suites(struct ieee80211com *ic, > + uint32_t keymgmt_set); > int ieee80211_vap_setup(struct ieee80211com *, struct ieee80211vap *, > const char name[IFNAMSIZ], int unit, > enum ieee80211_opmode opmode, int flags, > -- Bjoern A. Zeeb r15:7