Date: Tue, 14 May 2024 21:39:50 GMT
Message-Id: <202405142139.44ELdoev094470@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Adrian Chadd
Subject: git: c7f5f140bfdd - main - net80211: add initial key management suites from 802.11-2016, APIs to register them
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-Git-Committer: adrian
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: c7f5f140bfdde730dcd4380ac364a084488c962f

The branch main has been updated by adrian:

URL: https://cgit.FreeBSD.org/src/commit/?id=c7f5f140bfdde730dcd4380ac364a084488c962f

commit c7f5f140bfdde730dcd4380ac364a084488c962f
Author: Adrian Chadd
AuthorDate: 2024-04-23 21:59:43 +0000
Commit: Adrian Chadd
CommitDate: 2024-05-14 21:39:33 +0000

net80211: add initial key management suites from 802.11-2016, APIs to register them

The WPA1/WPA2 driver capabilities aren't really enough in today's world. There are a /lot/ more key management suites to support!

So, add initial support for net80211 and drivers to announce what key management suites are supported. These are the list from 802.11-2016 section 9.4.2.25.3 (AKM suites.)

The flags are for software supported key management.

Drivers may support more key management suites and are welcome to announce more; net80211 will only announce ones that we know net80211 knows "enough" about to support correctly.

There /are/ other suites that may be interesting to some people in the future that are not part of this set - eg if anyone ever wants to support the Chinese WAPI standard - so this bitmap is not specifically just the AKM suites in the RSN OUI.

This should eventually be communicated up to the wpa_supplicant and hostapd via a replacement driver/vap capabilities call so they know what to enable rather than just IEEE80211_C_WPA1 / IEEE80211_C_WPA2. Differential Revision: https://reviews.freebsd.org/D44919 Reviewed by: bz --- sys/net80211/_ieee80211.h | 21 +++++++++++++++++++++ sys/net80211/ieee80211.c | 12 ++++++++++++ sys/net80211/ieee80211_crypto.c | 35 +++++++++++++++++++++++++++++++++++ sys/net80211/ieee80211_crypto.h | 2 ++ sys/net80211/ieee80211_var.h | 4 ++++ 5 files changed, 74 insertions(+) diff --git a/sys/net80211/_ieee80211.h b/sys/net80211/_ieee80211.h index 1ac9328714f7..5c7e6110026d 100644 --- a/sys/net80211/_ieee80211.h +++ b/sys/net80211/_ieee80211.h 
@@ -536,6 +536,27 @@ struct ieee80211_mimo_info { "\21AMPDU\22AMSDU\23HT\24SMPS\25RIFS\32TXLDPC\33RXAMSDUAMPDU" \ "\34TXAMSDUAMPDU" +/* + * AKM (key management) suite capability list. + * + * These represent what's in 802.11-2016 - Table 9-133 - AKM Suite Selectors. + * Note that they do not match what the table values are, in case other key + * management suites want to be added with different OUIs. + */ +#define IEEE80211_KEYMGMT_RSN_UNSPEC_802_1X 0x00000001 /* RSN suite 1 */ +#define IEEE80211_KEYMGMT_RSN_PSK_OVER_802_1X 0x00000002 /* RSN suite 2 */ +#define IEEE80211_KEYMGMT_RSN_FT_OVER_802_1X 0x00000004 /* RSN suite 3 */ +#define IEEE80211_KEYMGMT_RSN_FT_PSK 0x00000008 /* RSN suite 4 */ +#define IEEE80211_KEYMGMT_RSN_802_1X_SHA256 0x00000010 /* RSN suite 5 */ +#define IEEE80211_KEYMGMT_RSN_PSK_SHA256 0x00000020 /* RSN suite 6 */ +#define IEEE80211_KEYMGMT_RSN_TPK_HANDSHAKE 0x00000040 /* RSN suite 7 */ +#define IEEE80211_KEYMGMT_RSN_SAE 0x00000080 /* RSN suite 8 */ +#define IEEE80211_KEYMGMT_RSN_FT_SAE 0x00000100 /* RSN suite 9 */ +#define IEEE80211_KEYMGMT_RSN_APPEERKEY_SHA256 0x00000200 /* RSN suite 10 */ +#define IEEE80211_KEYMGMT_RSN_802_1X_SUITE_B 0x00000400 /* RSN suite 11 */ +#define IEEE80211_KEYMGMT_RSN_802_1X_SUITE_B_192 0x00000800 /* RSN suite 12 */ +#define IEEE80211_KEYMGMT_RSN_FT_802_1X_SHA384 0x00001000 /* RSN suite 13 */ + /* * RX status notification - which fields are valid. */ diff --git a/sys/net80211/ieee80211.c b/sys/net80211/ieee80211.c index 1c82493274bb..ecb46e08713c 100644 --- a/sys/net80211/ieee80211.c +++ b/sys/net80211/ieee80211.c 
@@ -456,6 +456,18 @@ ieee80211_set_hardware_ciphers(struct ieee80211com *ic, ieee80211_crypto_set_supported_hardware_ciphers(ic, cipher_suite); } +/* + * Called by drivers during attach to set the supported + * key management suites by the driver/hardware. + */ +void +ieee80211_set_driver_keymgmt_suites(struct ieee80211com *ic, + uint32_t keymgmt_set) +{ + ieee80211_crypto_set_supported_driver_keymgmt(ic, + keymgmt_set); +} + struct ieee80211com * ieee80211_find_com(const char *name) { diff --git a/sys/net80211/ieee80211_crypto.c b/sys/net80211/ieee80211_crypto.c index 3659d3f7c79a..829653ff1335 100644 --- a/sys/net80211/ieee80211_crypto.c +++ b/sys/net80211/ieee80211_crypto.c @@ -154,6 +154,25 @@ ieee80211_crypto_attach(struct ieee80211com *ic) */ ic->ic_sw_cryptocaps = IEEE80211_CRYPTO_WEP | IEEE80211_CRYPTO_TKIP | IEEE80211_CRYPTO_AES_CCM; + + /* + * Default set of key management types supported by net80211. + * + * These are supported by software net80211 and announced/ + * driven by hostapd + wpa_supplicant. + * + * Drivers doing full supplicant offload must not set + * anything here. + * + * Note that IEEE80211_C_WPA1 and IEEE80211_C_WPA2 are the + * "old" style way of drivers announcing key management + * capabilities. There are many, many more key management + * suites in 802.11-2016 (see 9.4.2.25.3 - AKM suites.) + * For now they still need to be set - these flags are checked + * when assembling a beacon to reserve space for the WPA + * vendor IE (WPA 1) and RSN IE (WPA 2). + */ + ic->ic_sw_keymgmtcaps = 0; } /* 
@@ -184,6 +203,22 @@ ieee80211_crypto_set_supported_hardware_ciphers(struct ieee80211com *ic, ic->ic_cryptocaps = cipher_set; } +/* + * Set the supported software key management by the driver. + * + * These are the key management suites that are supported via + * the driver via hostapd/wpa_supplicant. + * + * Key management which is completely offloaded (ie, the supplicant + * runs in hardware/firmware) must not be set here. + */ +void +ieee80211_crypto_set_supported_driver_keymgmt(struct ieee80211com *ic, + uint32_t keymgmt_set) +{ + + ic->ic_sw_keymgmtcaps = keymgmt_set; +} /* * Setup crypto support for a vap. diff --git a/sys/net80211/ieee80211_crypto.h b/sys/net80211/ieee80211_crypto.h index e09b822289d7..b69df0cff3bd 100644 --- a/sys/net80211/ieee80211_crypto.h +++ b/sys/net80211/ieee80211_crypto.h @@ -184,6 +184,8 @@ void ieee80211_crypto_set_supported_software_ciphers(struct ieee80211com *, uint32_t cipher_set); void ieee80211_crypto_set_supported_hardware_ciphers(struct ieee80211com *, uint32_t cipher_set); +void ieee80211_crypto_set_supported_driver_keymgmt(struct ieee80211com *, + uint32_t keymgmt_set); void ieee80211_crypto_vattach(struct ieee80211vap *); void ieee80211_crypto_vdetach(struct ieee80211vap *); int ieee80211_crypto_newkey(struct ieee80211vap *, diff --git a/sys/net80211/ieee80211_var.h b/sys/net80211/ieee80211_var.h index 21fdff0b88a3..9273b43a5823 100644 --- a/sys/net80211/ieee80211_var.h +++ b/sys/net80211/ieee80211_var.h @@ -167,6 +167,8 @@ struct ieee80211com { uint32_t ic_sw_cryptocaps; uint32_t ic_cryptocaps; /* hardware crypto caps */ /* set of mode capabilities */ + /* driver/net80211 sw KEYMGMT capabilities */ + uint32_t ic_sw_keymgmtcaps; uint8_t ic_modecaps[IEEE80211_MODE_BYTES]; uint8_t ic_promisc; /* vap's needing promisc mode */ uint8_t ic_allmulti; /* vap's needing all multicast*/ 
@@ -755,6 +757,8 @@ void ieee80211_set_software_ciphers(struct ieee80211com *, uint32_t cipher_suite); void ieee80211_set_hardware_ciphers(struct ieee80211com *, uint32_t cipher_suite); +void ieee80211_set_driver_keymgmt_suites(struct ieee80211com *ic, + uint32_t keymgmt_set); int ieee80211_vap_setup(struct ieee80211com *, struct ieee80211vap *, const char name[IFNAMSIZ], int unit, enum ieee80211_opmode opmode, int flags,
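Review bot: in the sys/net80211/_ieee80211.h hunk, the new IEEE80211_KEYMGMT_* block has no companion bit-name string, while the capability set directly above it in the context lines ends with one ("\34TXAMSDUAMPDU"). A matching string for the key management flags (for example an IEEE80211_KEYMGMT_BITS define) would let the bitmap be printed readably when debugging which suites a driver announced. The comment also says the values "do not match what the table values are", yet each flag as written is 1 << (suite number - 1); it is worth stating that this correspondence is incidental so nobody derives a flag from a selector value.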
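Review bot: in the sys/net80211/ieee80211.c hunk, ieee80211_set_driver_keymgmt_suites() forwards keymgmt_set unchecked, so a driver can set bits outside the thirteen IEEE80211_KEYMGMT_RSN_* flags this commit defines. The commit message says net80211 will only announce suites it knows enough about to support correctly; masking keymgmt_set against the known flags here, or in ieee80211_crypto_set_supported_driver_keymgmt(), would enforce that before any consumer reads ic_sw_keymgmtcaps. The comment "Called by drivers during attach" should also say where in attach the call is valid.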
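Review bot: in the first sys/net80211/ieee80211_crypto.c hunk, the comment in ieee80211_crypto_attach() announces a "Default set of key management types supported by net80211" but the statement below it is ic->ic_sw_keymgmtcaps = 0, so the default is the empty set. Either reword the comment to say that nothing is announced until a driver calls the setter, or set the intended defaults here. Because the assignment is unconditional, a value a driver stores before ieee80211_crypto_attach() runs is overwritten; the required call order should be documented next to the setter.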
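Review bot: in the second sys/net80211/ieee80211_crypto.c hunk, ieee80211_crypto_set_supported_driver_keymgmt() is named for the driver but writes ic_sw_keymgmtcaps, and its comment reads "Set the supported software key management by the driver", which uses "driver" and "software" for the same set. The cipher setters in the surrounding context keep the two apart (ic_sw_cryptocaps for software, ic_cryptocaps for hardware), so pick one term for this field and function. The sentence "supported via the driver via hostapd/wpa_supplicant" also needs rewording to say which component does what.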
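Review bot: in the first sys/net80211/ieee80211_var.h hunk, the new comment and uint32_t ic_sw_keymgmtcaps are inserted between the existing comment "/* set of mode capabilities */" and the field it describes, uint8_t ic_modecaps[IEEE80211_MODE_BYTES]. That leaves the old comment sitting above the key management field. Move the two added lines up so they follow ic_cryptocaps and precede the "set of mode capabilities" comment.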
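Review bot: in the second sys/net80211/ieee80211_var.h hunk, the prototype for ieee80211_set_driver_keymgmt_suites() names its first parameter (struct ieee80211com *ic) while the neighbouring ieee80211_set_software_ciphers() and ieee80211_set_hardware_ciphers() prototypes leave it unnamed, as does the ieee80211_crypto_set_supported_driver_keymgmt() prototype added to ieee80211_crypto.h in this same commit. Drop the "ic" to match the surrounding declarations.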