On Tue, 14 May 2024, Adrian Chadd wrote:
The branch main has been updated by adrian:
URL:
https://cgit.FreeBSD.org/src/commit/?id=c7f5f140bfdde730dcd4380ac364a084488c962f
commit c7f5f140bfdde730dcd4380ac364a084488c962f
Author: Adrian Chadd <adr...@freebsd.org>
AuthorDate: 2024-04-23 21:59:43 +0000
Commit: Adrian Chadd <adr...@freebsd.org>
CommitDate: 2024-05-14 21:39:33 +0000
net80211: add initial key management suites from 802.11-2016, APIs to
register them
The WPA1/WPA2 driver capabilities aren't really enough in today's world.
There are a /lot/ more key management suites to support!
So, add initial support for net80211 and drivers to announce what
key management suites are supported. These are the list from 802.11-2016
section 9.4.2.25.3 (AKM suites.)
The flags are for software supported key management.
Drivers may support more key management suites and are welcome to
announce more; net80211 will only announce ones that we know
net80211 knows "enough" about to support correctly.
There /are/ other suites that may be interesting to some people in
the future that are not part of this set - eg if anyone ever
wants to support the Chinese WAPI standard - so this bitmap is not
specifically just the AKM suites in the RSN OUI.
This should eventually be communicated up to the wpa_supplicant and
hostapd via a replacement driver/vap capabilities call so they know
what to enable rather than just IEEE80211_C_WPA1 / IEEE80211_C_WPA2.
Differential Revision: https://reviews.freebsd.org/D44919
Reviewed by: bz
No. Leaving a comment doesn't mean Reviewed.
Especially if it gets changed again after.
---
sys/net80211/_ieee80211.h | 21 +++++++++++++++++++++
sys/net80211/ieee80211.c | 12 ++++++++++++
sys/net80211/ieee80211_crypto.c | 35 +++++++++++++++++++++++++++++++++++
sys/net80211/ieee80211_crypto.h | 2 ++
sys/net80211/ieee80211_var.h | 4 ++++
5 files changed, 74 insertions(+)
diff --git a/sys/net80211/_ieee80211.h b/sys/net80211/_ieee80211.h
index 1ac9328714f7..5c7e6110026d 100644
--- a/sys/net80211/_ieee80211.h
+++ b/sys/net80211/_ieee80211.h
@@ -536,6 +536,27 @@ struct ieee80211_mimo_info {
"\21AMPDU\22AMSDU\23HT\24SMPS\25RIFS\32TXLDPC\33RXAMSDUAMPDU" \
"\34TXAMSDUAMPDU"
+/*
+ * AKM (key management) suite capability list.
+ *
+ * These represent what's in 802.11-2016 - Table 9-133 - AKM Suite Selectors.
+ * Note that they do not match what the table values are, in case other key
+ * management suites want to be added with different OUIs.
+ */
+#define IEEE80211_KEYMGMT_RSN_UNSPEC_802_1X 0x00000001 /*
RSN suite 1 */
+#define IEEE80211_KEYMGMT_RSN_PSK_OVER_802_1X 0x00000002 /*
RSN suite 2 */
+#define IEEE80211_KEYMGMT_RSN_FT_OVER_802_1X 0x00000004 /*
RSN suite 3 */
+#define IEEE80211_KEYMGMT_RSN_FT_PSK 0x00000008 /*
RSN suite 4 */
+#define IEEE80211_KEYMGMT_RSN_802_1X_SHA256 0x00000010 /*
RSN suite 5 */
+#define IEEE80211_KEYMGMT_RSN_PSK_SHA256 0x00000020 /*
RSN suite 6 */
+#define IEEE80211_KEYMGMT_RSN_TPK_HANDSHAKE 0x00000040 /*
RSN suite 7 */
+#define IEEE80211_KEYMGMT_RSN_SAE 0x00000080 /*
RSN suite 8 */
+#define IEEE80211_KEYMGMT_RSN_FT_SAE 0x00000100 /*
RSN suite 9 */
+#define IEEE80211_KEYMGMT_RSN_APPEERKEY_SHA256 0x00000200 /*
RSN suite 10 */
+#define IEEE80211_KEYMGMT_RSN_802_1X_SUITE_B 0x00000400 /*
RSN suite 11 */
+#define IEEE80211_KEYMGMT_RSN_802_1X_SUITE_B_192 0x00000800 /*
RSN suite 12 */
+#define IEEE80211_KEYMGMT_RSN_FT_802_1X_SHA384 0x00001000 /*
RSN suite 13 */
+
/*
* RX status notification - which fields are valid.
*/
diff --git a/sys/net80211/ieee80211.c b/sys/net80211/ieee80211.c
index 1c82493274bb..ecb46e08713c 100644
--- a/sys/net80211/ieee80211.c
+++ b/sys/net80211/ieee80211.c
@@ -456,6 +456,18 @@ ieee80211_set_hardware_ciphers(struct ieee80211com *ic,
ieee80211_crypto_set_supported_hardware_ciphers(ic, cipher_suite);
}
+/*
+ * Called by drivers during attach to set the supported
+ * key management suites by the driver/hardware.
+ */
+void
+ieee80211_set_driver_keymgmt_suites(struct ieee80211com *ic,
+ uint32_t keymgmt_set)
+{
+ ieee80211_crypto_set_supported_driver_keymgmt(ic,
+ keymgmt_set);
+}
+
struct ieee80211com *
ieee80211_find_com(const char *name)
{
diff --git a/sys/net80211/ieee80211_crypto.c b/sys/net80211/ieee80211_crypto.c
index 3659d3f7c79a..829653ff1335 100644
--- a/sys/net80211/ieee80211_crypto.c
+++ b/sys/net80211/ieee80211_crypto.c
@@ -154,6 +154,25 @@ ieee80211_crypto_attach(struct ieee80211com *ic)
*/
ic->ic_sw_cryptocaps = IEEE80211_CRYPTO_WEP |
IEEE80211_CRYPTO_TKIP | IEEE80211_CRYPTO_AES_CCM;
+
+ /*
+ * Default set of key management types supported by net80211.
+ *
+ * These are supported by software net80211 and announced/
+ * driven by hostapd + wpa_supplicant.
+ *
+ * Drivers doing full supplicant offload must not set
+ * anything here.
+ *
+ * Note that IEEE80211_C_WPA1 and IEEE80211_C_WPA2 are the
+ * "old" style way of drivers announcing key management
+ * capabilities. There are many, many more key management
+ * suites in 802.11-2016 (see 9.4.2.25.3 - AKM suites.)
+ * For now they still need to be set - these flags are checked
+ * when assembling a beacon to reserve space for the WPA
+ * vendor IE (WPA 1) and RSN IE (WPA 2).
+ */
+ ic->ic_sw_keymgmtcaps = 0;
}
/*
@@ -184,6 +203,22 @@ ieee80211_crypto_set_supported_hardware_ciphers(struct
ieee80211com *ic,
ic->ic_cryptocaps = cipher_set;
}
+/*
+ * Set the supported software key management by the driver.
+ *
+ * These are the key management suites that are supported via
+ * the driver via hostapd/wpa_supplicant.
+ *
+ * Key management which is completely offloaded (ie, the supplicant
+ * runs in hardware/firmware) must not be set here.
+ */
+void
+ieee80211_crypto_set_supported_driver_keymgmt(struct ieee80211com *ic,
+ uint32_t keymgmt_set)
+{
+
+ ic->ic_sw_keymgmtcaps = keymgmt_set;
+}
/*
* Setup crypto support for a vap.
diff --git a/sys/net80211/ieee80211_crypto.h b/sys/net80211/ieee80211_crypto.h
index e09b822289d7..b69df0cff3bd 100644
--- a/sys/net80211/ieee80211_crypto.h
+++ b/sys/net80211/ieee80211_crypto.h
@@ -184,6 +184,8 @@ void
ieee80211_crypto_set_supported_software_ciphers(struct ieee80211com *,
uint32_t cipher_set);
void ieee80211_crypto_set_supported_hardware_ciphers(struct ieee80211com *,
uint32_t cipher_set);
+void ieee80211_crypto_set_supported_driver_keymgmt(struct ieee80211com *,
+ uint32_t keymgmt_set);
void ieee80211_crypto_vattach(struct ieee80211vap *);
void ieee80211_crypto_vdetach(struct ieee80211vap *);
int ieee80211_crypto_newkey(struct ieee80211vap *,
diff --git a/sys/net80211/ieee80211_var.h b/sys/net80211/ieee80211_var.h
index 21fdff0b88a3..9273b43a5823 100644
--- a/sys/net80211/ieee80211_var.h
+++ b/sys/net80211/ieee80211_var.h
@@ -167,6 +167,8 @@ struct ieee80211com {
uint32_t ic_sw_cryptocaps;
uint32_t ic_cryptocaps; /* hardware crypto caps */
/* set of mode capabilities */
+ /* driver/net80211 sw KEYMGMT capabilities */
+ uint32_t ic_sw_keymgmtcaps;
uint8_t ic_modecaps[IEEE80211_MODE_BYTES];
uint8_t ic_promisc; /* vap's needing promisc mode */
uint8_t ic_allmulti; /* vap's needing all multicast*/
@@ -755,6 +757,8 @@ void ieee80211_set_software_ciphers(struct
ieee80211com *,
uint32_t cipher_suite);
void ieee80211_set_hardware_ciphers(struct ieee80211com *,
uint32_t cipher_suite);
+void ieee80211_set_driver_keymgmt_suites(struct ieee80211com *ic,
+ uint32_t keymgmt_set);
int ieee80211_vap_setup(struct ieee80211com *, struct ieee80211vap *,
const char name[IFNAMSIZ], int unit,
enum ieee80211_opmode opmode, int flags,
--
Bjoern A. Zeeb r15:7