[PATCH 01/17] wiphy: add wiphy_get_supported_ciphers

[PATCH 01/17] wiphy: add wiphy_get_supported_ciphers

[James Prestwood]

Similar to wiphy_select_cipher but returns all supported ciphers
included in the mask rather than just one.
---
 src/wiphy.c | 5 +++++
 src/wiphy.h | 2 ++
 2 files changed, 7 insertions(+)

diff --git a/src/wiphy.c b/src/wiphy.c
index bb83f814..10514572 100644
--- a/src/wiphy.c
+++ b/src/wiphy.c
@@ -180,6 +180,11 @@ enum ie_rsn_cipher_suite wiphy_select_cipher(struct wiphy *wiphy, uint16_t mask)
 	return 0;
 }
 
+uint16_t wiphy_get_supported_ciphers(struct wiphy *wiphy, uint16_t mask)
+{
+	return wiphy->supported_ciphers & mask;
+}
+
 static bool wiphy_can_connect_sae(struct wiphy *wiphy)
 {
 	/*
diff --git a/src/wiphy.h b/src/wiphy.h
index 2c6bf86b..f8de7e0e 100644
--- a/src/wiphy.h
+++ b/src/wiphy.h
@@ -68,6 +68,8 @@ typedef void (*wiphy_destroy_func_t)(void *user_data);
 
 enum ie_rsn_cipher_suite wiphy_select_cipher(struct wiphy *wiphy,
 							uint16_t mask);
+uint16_t wiphy_get_supported_ciphers(struct wiphy *wiphy, uint16_t mask);
+
 enum ie_rsn_akm_suite wiphy_select_akm(struct wiphy *wiphy,
 					const struct scan_bss *bss,
 					enum security security,
-- 
2.34.3

[PATCH 02/17] ie: add group/pairwise lists of supported ciphers

[James Prestwood]

The validation of these ciphers for station is done when parsing
the BSS RSNE but for AP mode there is no such validation and
potentially any supported cipher could be chosen, even if its
incompatible for the type of key.
---
 src/ie.h | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/src/ie.h b/src/ie.h
index 53311854..c9a6c783 100644
--- a/src/ie.h
+++ b/src/ie.h
@@ -401,6 +401,25 @@ static inline bool IE_CIPHER_IS_GCMP_CCMP(uint32_t cipher_suite)
 				IE_RSN_CIPHER_SUITE_GCMP_256);
 }
 
+#define IE_GROUP_CIPHERS		\
+(					\
+	IE_RSN_CIPHER_SUITE_TKIP |	\
+	IE_RSN_CIPHER_SUITE_CCMP |	\
+	IE_RSN_CIPHER_SUITE_GCMP |	\
+	IE_RSN_CIPHER_SUITE_GCMP_256 |	\
+	IE_RSN_CIPHER_SUITE_CCMP_256	\
+)
+
+/*
+ * Since WEP is unsupported we can just use the group cipher list with
+ * "Use group cipher" appended
+ */
+#define IE_PAIRWISE_CIPHERS			\
+(						\
+	IE_GROUP_CIPHERS |			\
+	IE_RSN_CIPHER_SUITE_USE_GROUP_CIPHER	\
+)
+
 #define IE_LEN(ie) \
 	((ie) ? (ie)[1] + 2 : 0)
 
-- 
2.34.3

[PATCH 03/17] ap: add profile settings PairwiseCiphers/GroupCipher

[James Prestwood]

These can now be optionally provided in an AP profile and provide a
way to limit what ciphers can be chosen. This still is dependent on
what the hardware supports.
---
 src/ap.c | 75 +++++++++++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 69 insertions(+), 6 deletions(-)

diff --git a/src/ap.c b/src/ap.c
index 2939a9c1..834fa089 100644
--- a/src/ap.c
+++ b/src/ap.c
@@ -3132,12 +3132,38 @@ static bool ap_load_psk(struct ap_state *ap, const struct l_settings *config)
 	return true;
 }
 
+/*
+ * Note: only PTK/GTK ciphers are supported here since this is all these are
+ *       used for.
+ */
+static enum ie_rsn_cipher_suite ap_string_to_cipher(const char *str)
+{
+	if (!strcmp(str, "UseGroupCipher"))
+		return IE_RSN_CIPHER_SUITE_USE_GROUP_CIPHER;
+	else if (!strcmp(str, "TKIP"))
+		return IE_RSN_CIPHER_SUITE_TKIP;
+	else if (!strcmp(str, "CCMP-128") || !strcmp(str, "CCMP"))
+		return IE_RSN_CIPHER_SUITE_CCMP;
+	else if (!strcmp(str, "GCMP-128") || !strcmp(str, "GCMP"))
+		return IE_RSN_CIPHER_SUITE_GCMP;
+	else if (!strcmp(str, "GCMP-256"))
+		return IE_RSN_CIPHER_SUITE_GCMP_256;
+	else if (!strcmp(str, "CCMP-256"))
+		return IE_RSN_CIPHER_SUITE_CCMP_256;
+	else
+		return 0;
+}
+
 static int ap_load_config(struct ap_state *ap, const struct l_settings *config,
 				bool *out_cck_rates)
 {
+	struct wiphy *wiphy = netdev_get_wiphy(ap->netdev);
 	size_t len;
 	L_AUTO_FREE_VAR(char *, strval) = NULL;
+	_auto_(l_strv_free) char **ciphers_str;
+	uint16_t cipher_mask;
 	int err;
+	int i;
 
 	strval = l_settings_get_string(config, "General", "SSID");
 	if (L_WARN_ON(!strval))
@@ -3212,6 +3238,8 @@ static int ap_load_config(struct ap_state *ap, const struct l_settings *config,
 			l_error("AP [WSC].PrimaryDeviceType format unknown");
 			return -EINVAL;
 		}
+
+		l_free(l_steal_ptr(strval));
 	} else {
 		/* Make ourselves a WFA standard PC by default */
 		ap->wsc_primary_device_type.category = 1;
@@ -3260,6 +3288,47 @@ static int ap_load_config(struct ap_state *ap, const struct l_settings *config,
 	} else
 		*out_cck_rates = true;
 
+	cipher_mask = wiphy_get_supported_ciphers(wiphy, IE_PAIRWISE_CIPHERS);
+	ciphers_str = l_settings_get_string_list(config, "Security",
+						"PairwiseCiphers", ',');
+	for (i = 0; ciphers_str && ciphers_str[i]; i++) {
+		enum ie_rsn_cipher_suite cipher =
+					ap_string_to_cipher(ciphers_str[i]);
+
+		/*
+		 * Constrain list to only values in both supported ciphers and
+		 * the cipher list provided.
+		 */
+		if (!cipher || !(cipher & cipher_mask)) {
+			l_error("Unsupported or unknown cipher %s",
+					ciphers_str[i]);
+			return -ENOTSUP;
+		}
+
+		ap->ciphers |= cipher;
+	}
+
+	/* No list provided, just set to all supported ciphers */
+	if (!ap->ciphers)
+		ap->ciphers = cipher_mask;
+
+	cipher_mask = wiphy_get_supported_ciphers(wiphy, IE_GROUP_CIPHERS);
+
+	strval = l_settings_get_string(config, "Security", "GroupCipher");
+	if (strval) {
+		enum ie_rsn_cipher_suite cipher = ap_string_to_cipher(strval);
+
+		if (!cipher || !(cipher & cipher_mask)) {
+			l_error("Unsupported or unknown cipher %s", strval);
+			return -ENOTSUP;
+		}
+
+		ap->group_cipher = cipher;
+
+		l_free(l_steal_ptr(strval));
+	} else
+		ap->group_cipher = wiphy_select_cipher(wiphy, cipher_mask);
+
 	return 0;
 }
 
@@ -3302,12 +3371,6 @@ struct ap_state *ap_start(struct netdev *netdev, struct l_settings *config,
 
 	err = -EINVAL;
 
-	/* TODO: Add all ciphers supported by wiphy */
-	ap->ciphers = wiphy_select_cipher(wiphy, IE_RSN_CIPHER_SUITE_TKIP |
-						IE_RSN_CIPHER_SUITE_CCMP);
-	ap->group_cipher = wiphy_select_cipher(wiphy,
-						IE_RSN_CIPHER_SUITE_TKIP |
-						IE_RSN_CIPHER_SUITE_CCMP);
 	ap->beacon_interval = 100;
 	ap->networks = l_queue_new();
 
-- 
2.34.3

[PATCH 04/17] p2p: limit ciphers to CCMP/TKIP

[James Prestwood]

The limitation of cipher selection in ap.c was done so to allow p2p to
work. Now with the ability to specify ciphers in the AP config put the
burden on p2p to limit ciphers as it needs.
---
 src/p2p.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/src/p2p.c b/src/p2p.c
index cfd8560a..ad2ac39f 100644
--- a/src/p2p.c
+++ b/src/p2p.c
@@ -1234,6 +1234,8 @@ static void p2p_group_start(struct p2p_device *dev)
 		((uint64_t) pdt->oui[2] << 24) |
 		((uint64_t) pdt->oui_type << 16) |
 		pdt->subcategory;
+	char *ciphers[] = { "TKIP", "CCMP", NULL };
+	uint16_t cipher;
 
 	l_settings_set_string(config, "General", "SSID", dev->go_group_id.ssid);
 	l_settings_set_uint(config, "General", "Channel", dev->listen_channel);
@@ -1273,6 +1275,19 @@ static void p2p_group_start(struct p2p_device *dev)
 	/* Enable netconfig, set maximum usable DHCP lease time */
 	l_settings_set_uint(config, "IPv4", "LeaseTime", 0x7fffffff);
 
+	l_settings_set_string_list(config, "Security", "PairwiseCiphers",
+					ciphers, ',');
+
+	/* TODO: P2P only plays nice with CCMP or TKIP ciphers currently */
+	cipher = wiphy_select_cipher(dev->wiphy, IE_RSN_CIPHER_SUITE_TKIP |
+						IE_RSN_CIPHER_SUITE_CCMP);
+	if (cipher == IE_RSN_CIPHER_SUITE_CCMP)
+		l_settings_set_string(config, "Security", "GroupCipher",
+					"CCMP");
+	else
+		l_settings_set_string(config, "Security", "GroupCipher",
+					"TKIP");
+
 	dev->capability.group_caps |= P2P_GROUP_CAP_GO;
 	dev->capability.group_caps |= P2P_GROUP_CAP_GROUP_FORMATION;
 	dev->capability.group_caps |= P2P_GROUP_CAP_IP_ALLOCATION;
-- 
2.34.3

[PATCH 05/17] doc: document PairwiseCiphers/GroupCiphers AP settings

[James Prestwood]

---
 src/iwd.ap.rst | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/src/iwd.ap.rst b/src/iwd.ap.rst
index 5fa23179..ade09e07 100644
--- a/src/iwd.ap.rst
+++ b/src/iwd.ap.rst
@@ -82,6 +82,21 @@ configuration.
        Processed passphrase for this network in the form of a hex-encoded
        32-byte pre-shared key.  Either this or *Passphrase* must be present.
 
+   * - PairwiseCiphers
+     - Comma separated list of pairwise ciphers for the AP supports.
+
+       Values can include: TKIP, CCMP, GCMP, GCMP-256, CCMP-256
+
+       The underlying hardware and IWD's AP implementation must also support the
+       ciphers listed, currently only TKIP and CCMP.
+
+   * - GroupCipher
+     - Group cipher the AP uses
+
+       A single cipher value the AP can use as the group cipher. Values are the
+       same as pairwise ciphers and the same restrictions apply (hardware and
+       IWD implementation must support the cipher)
+
 IPv4 Network Configuration
 --------------------------
 
-- 
2.34.3

[PATCH 06/17] ap: add frequency to AP interface

[James Prestwood]

---
 src/ap.c | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/src/ap.c b/src/ap.c
index 834fa089..baf90c1b 100644
--- a/src/ap.c
+++ b/src/ap.c
@@ -3676,6 +3676,9 @@ static void ap_if_event_func(enum ap_event_type type, const void *event_data,
 		l_dbus_property_changed(dbus_get_bus(),
 					netdev_get_path(ap_if->netdev),
 					IWD_AP_INTERFACE, "Name");
+		l_dbus_property_changed(dbus_get_bus(),
+					netdev_get_path(ap_if->netdev),
+					IWD_AP_INTERFACE, "Frequency");
 
 		l_rtnl_set_linkmode_and_operstate(rtnl,
 					netdev_get_ifindex(ap_if->netdev),
@@ -4026,6 +4029,24 @@ static bool ap_dbus_property_get_scanning(struct l_dbus *dbus,
 	return true;
 }
 
+static bool ap_dbus_property_get_freq(struct l_dbus *dbus,
+					struct l_dbus_message *message,
+					struct l_dbus_message_builder *builder,
+					void *user_data)
+{
+	struct ap_if_data *ap_if = user_data;
+	uint32_t freq;
+
+	if (!ap_if->ap || !ap_if->ap->started)
+		return false;
+
+	freq = band_channel_to_freq(ap_if->ap->channel, BAND_FREQ_2_4_GHZ);
+
+	l_dbus_message_builder_append_basic(builder, 'u', &freq);
+
+	return true;
+}
+
 static void ap_setup_interface(struct l_dbus_interface *interface)
 {
 	l_dbus_interface_method(interface, "Start", 0, ap_dbus_start, "",
@@ -4045,6 +4066,8 @@ static void ap_setup_interface(struct l_dbus_interface *interface)
 					ap_dbus_property_get_name, NULL);
 	l_dbus_interface_property(interface, "Scanning", 0, "b",
 					ap_dbus_property_get_scanning, NULL);
+	l_dbus_interface_property(interface, "Frequency", 0, "u",
+					ap_dbus_property_get_freq, NULL);
 }
 
 static void ap_destroy_interface(void *user_data)
-- 
2.34.3

[PATCH 07/17] client: show frequency with ap show

[James Prestwood]

---
 client/ap.c | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/client/ap.c b/client/ap.c
index b8849a1b..4ce727de 100644
--- a/client/ap.c
+++ b/client/ap.c
@@ -36,6 +36,7 @@ struct ap {
 	bool started;
 	char *name;
 	bool scanning;
+	uint32_t freq;
 };
 
 static void *ap_create(void)
@@ -126,10 +127,35 @@ static const char *get_scanning_tostr(const void *data)
 	return ap->scanning ? "yes" : "no";
 }
 
+static void update_freq(void *data, struct l_dbus_message_iter *variant)
+{
+	struct ap *ap = data;
+	uint32_t value;
+
+	if (!l_dbus_message_iter_get_variant(variant, "u", &value)) {
+		ap->freq = 0;
+
+		return;
+	}
+
+	ap->freq = value;
+}
+
+static const char *get_freq_tostr(const void *data)
+{
+	const struct ap *ap = data;
+	static char str[5];
+
+	sprintf(str, "%u", ap->freq);
+
+	return str;
+}
+
 static const struct proxy_interface_property ap_properties[] = {
 	{ "Started",  "b", update_started,  get_started_tostr },
 	{ "Name",     "s", update_name, get_name_tostr },
 	{ "Scanning", "b", update_scanning, get_scanning_tostr },
+	{ "Frequency", "u", update_freq, get_freq_tostr },
 	{ }
 };
 
-- 
2.34.3

[PATCH 08/17] ap: add PairwiseCiphers/GroupCipher to dbus interface

[James Prestwood]

Expose these values on the DBus interface so clients can view them.
---
 src/ap.c | 67 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 67 insertions(+)

diff --git a/src/ap.c b/src/ap.c
index baf90c1b..a6618c23 100644
--- a/src/ap.c
+++ b/src/ap.c
@@ -3154,6 +3154,25 @@ static enum ie_rsn_cipher_suite ap_string_to_cipher(const char *str)
 		return 0;
 }
 
+static char *ap_ciphers_to_string(uint16_t ciphers)
+{
+	uint16_t i;
+	char **list = l_strv_new();
+	char *ret;
+
+	for (i = 0; i < 16; i++) {
+		if (!(ciphers & (1 << i)))
+			continue;
+
+		list = l_strv_append(list,
+					ie_rsn_cipher_suite_to_string(1 << i));
+	}
+
+	ret = l_strjoinv(list, ',');
+	l_strv_free(list);
+	return ret;
+}
+
 static int ap_load_config(struct ap_state *ap, const struct l_settings *config,
 				bool *out_cck_rates)
 {
@@ -3679,6 +3698,12 @@ static void ap_if_event_func(enum ap_event_type type, const void *event_data,
 		l_dbus_property_changed(dbus_get_bus(),
 					netdev_get_path(ap_if->netdev),
 					IWD_AP_INTERFACE, "Frequency");
+		l_dbus_property_changed(dbus_get_bus(),
+					netdev_get_path(ap_if->netdev),
+					IWD_AP_INTERFACE, "PairwiseCiphers");
+		l_dbus_property_changed(dbus_get_bus(),
+					netdev_get_path(ap_if->netdev),
+					IWD_AP_INTERFACE, "GroupCipher");
 
 		l_rtnl_set_linkmode_and_operstate(rtnl,
 					netdev_get_ifindex(ap_if->netdev),
@@ -4047,6 +4072,44 @@ static bool ap_dbus_property_get_freq(struct l_dbus *dbus,
 	return true;
 }
 
+static bool ap_dbus_property_get_pairwise(struct l_dbus *dbus,
+					struct l_dbus_message *message,
+					struct l_dbus_message_builder *builder,
+					void *user_data)
+{
+	struct ap_if_data *ap_if = user_data;
+	char *list;
+
+	if (!ap_if->ap || !ap_if->ap->started)
+		return false;
+
+	list = ap_ciphers_to_string(ap_if->ap->ciphers);
+
+	l_dbus_message_builder_append_basic(builder, 's', list);
+	l_free(list);
+
+	return true;
+}
+
+static bool ap_dbus_property_get_group(struct l_dbus *dbus,
+					struct l_dbus_message *message,
+					struct l_dbus_message_builder *builder,
+					void *user_data)
+{
+	struct ap_if_data *ap_if = user_data;
+	char *cipher;
+
+	if (!ap_if->ap || !ap_if->ap->started)
+		return false;
+
+	cipher = ap_ciphers_to_string(ap_if->ap->group_cipher);
+
+	l_dbus_message_builder_append_basic(builder, 's', cipher);
+	l_free(cipher);
+
+	return true;
+}
+
 static void ap_setup_interface(struct l_dbus_interface *interface)
 {
 	l_dbus_interface_method(interface, "Start", 0, ap_dbus_start, "",
@@ -4068,6 +4131,10 @@ static void ap_setup_interface(struct l_dbus_interface *interface)
 					ap_dbus_property_get_scanning, NULL);
 	l_dbus_interface_property(interface, "Frequency", 0, "u",
 					ap_dbus_property_get_freq, NULL);
+	l_dbus_interface_property(interface, "PairwiseCiphers", 0, "s",
+					ap_dbus_property_get_pairwise, NULL);
+	l_dbus_interface_property(interface, "GroupCipher", 0, "s",
+					ap_dbus_property_get_group, NULL);
 }
 
 static void ap_destroy_interface(void *user_data)
-- 
2.34.3

[PATCH 09/17] client: add ap support for PairwiseCiphers/GroupCipher

[James Prestwood]

---
 client/ap.c | 64 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 64 insertions(+)

diff --git a/client/ap.c b/client/ap.c
index 4ce727de..f444a12c 100644
--- a/client/ap.c
+++ b/client/ap.c
@@ -37,6 +37,8 @@ struct ap {
 	char *name;
 	bool scanning;
 	uint32_t freq;
+	char *pairwise;
+	char *group;
 };
 
 static void *ap_create(void)
@@ -51,6 +53,12 @@ static void ap_destroy(void *data)
 	if (ap->name)
 		l_free(ap->name);
 
+	if (ap->pairwise)
+		l_free(ap->pairwise);
+
+	if (ap->group)
+		l_free(ap->group);
+
 	l_free(ap);
 }
 
@@ -151,11 +159,67 @@ static const char *get_freq_tostr(const void *data)
 	return str;
 }
 
+static void update_pairwise(void *data, struct l_dbus_message_iter *variant)
+{
+	struct ap *ap = data;
+	char *value;
+
+	if (ap->pairwise)
+		l_free(ap->pairwise);
+
+	if (!l_dbus_message_iter_get_variant(variant, "s", &value)) {
+		ap->pairwise = NULL;
+
+		return;
+	}
+
+	ap->pairwise = l_strdup(value);
+}
+
+static const char *get_pairwise_tostr(const void *data)
+{
+	const struct ap *ap = data;
+
+	if (!ap->pairwise)
+		return "";
+
+	return ap->pairwise;
+}
+
+static void update_group(void *data, struct l_dbus_message_iter *variant)
+{
+	struct ap *ap = data;
+	char *value;
+
+	if (ap->group)
+		l_free(ap->group);
+
+	if (!l_dbus_message_iter_get_variant(variant, "s", &value)) {
+		ap->group = NULL;
+
+		return;
+	}
+
+	ap->group = l_strdup(value);
+}
+
+static const char *get_group_tostr(const void *data)
+{
+	const struct ap *ap = data;
+
+	if (!ap->group)
+		return "";
+
+	return ap->group;
+}
+
 static const struct proxy_interface_property ap_properties[] = {
 	{ "Started",  "b", update_started,  get_started_tostr },
 	{ "Name",     "s", update_name, get_name_tostr },
 	{ "Scanning", "b", update_scanning, get_scanning_tostr },
 	{ "Frequency", "u", update_freq, get_freq_tostr },
+	{ "PairwiseCiphers", "s", update_pairwise, get_pairwise_tostr },
+	{ "GroupCipher", "s", update_group, get_group_tostr },
 	{ }
 };
 
-- 
2.34.3

[PATCH 10/17] hwsim: add remaining ciphers to supported list

[James Prestwood]

This list was not updated when adding the new ciphers which prevented
these ciphers from being disabled.
---
 tools/hwsim.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/tools/hwsim.c b/tools/hwsim.c
index 0ace4c0e..7afbe4e7 100644
--- a/tools/hwsim.c
+++ b/tools/hwsim.c
@@ -176,6 +176,12 @@ static const uint32_t hwsim_supported_ciphers[] = {
 	CRYPTO_CIPHER_TKIP,
 	CRYPTO_CIPHER_CCMP,
 	CRYPTO_CIPHER_BIP_CMAC,
+	CRYPTO_CIPHER_GCMP,
+	CRYPTO_CIPHER_GCMP_256,
+	CRYPTO_CIPHER_CCMP_256,
+	CRYPTO_CIPHER_BIP_GMAC,
+	CRYPTO_CIPHER_BIP_GMAC_256,
+	CRYPTO_CIPHER_BIP_CMAC_256,
 };
 static uint32_t hwsim_ciphers[L_ARRAY_SIZE(hwsim_supported_ciphers)];
 static int hwsim_num_ciphers = 0;
-- 
2.34.3

[PATCH 11/17] auto-t: test AP fails to start with unsupported ciphers

[James Prestwood]

If the profile lists unsupported ciphers it should fail to start with
NotSupported.
---
 autotests/testAP-no-support/TestAP2.ap         |  3 +++
 autotests/testAP-no-support/connection_test.py | 12 +++++++++++-
 2 files changed, 14 insertions(+), 1 deletion(-)
 create mode 100644 autotests/testAP-no-support/TestAP2.ap

diff --git a/autotests/testAP-no-support/TestAP2.ap b/autotests/testAP-no-support/TestAP2.ap
new file mode 100644
index 00000000..32a242ea
--- /dev/null
+++ b/autotests/testAP-no-support/TestAP2.ap
@@ -0,0 +1,3 @@
+[Security]
+Passphrase=secret123
+PairwiseCiphers=CCMP
diff --git a/autotests/testAP-no-support/connection_test.py b/autotests/testAP-no-support/connection_test.py
index 9e5dccbb..e4cb40b5 100644
--- a/autotests/testAP-no-support/connection_test.py
+++ b/autotests/testAP-no-support/connection_test.py
@@ -41,9 +41,19 @@ class Test(unittest.TestCase):
 
         wd.unregister_psk_agent(psk_agent)
 
+    def test_no_ccmp_support(self):
+        wd = IWD(True)
+
+        dev = wd.list_devices(2)[1]
+
+        # Should fail to start since the radio doesn't support CCMP but the
+        # profile only lists CCMP as allowed.
+        with self.assertRaises(iwd.NotSupportedEx):
+            dev.start_ap('TestAP2')
+
     @classmethod
     def setUpClass(cls):
-        pass
+        IWD.copy_to_ap('TestAP2.ap')
 
     @classmethod
     def tearDownClass(cls):
-- 
2.34.3

[PATCH 12/17] auto-t: fix testAP-no-support disabled ciphers

[James Prestwood]

The disabled cipher list contained a '.' instead of ',' which prevented
the subsequent ciphers from being disabled. This was only group management
ciphers so it didn't have any effect on the test.
---
 autotests/testAP-no-support/hw.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/autotests/testAP-no-support/hw.conf b/autotests/testAP-no-support/hw.conf
index 06a9d7c2..7925b15d 100644
--- a/autotests/testAP-no-support/hw.conf
+++ b/autotests/testAP-no-support/hw.conf
@@ -6,4 +6,4 @@ start_iwd=0
 iftype_disable=ap
 
 [rad1]
-cipher_disable=ccmp,bip_cmac,gcmp,gcmp_256,ccmp_256,bip_gmac.bip_gmac_256,bip_cmac_256
+cipher_disable=ccmp,bip_cmac,gcmp,gcmp_256,ccmp_256,bip_gmac,bip_gmac_256,bip_cmac_256
-- 
2.34.3

[PATCH 13/17] netdev: add more info to key setting debug messages

[James Prestwood]

Specify that the ifindex is being printed and print the key ID
as well.
---
 src/netdev.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/netdev.c b/src/netdev.c
index 22288c67..59e73608 100644
--- a/src/netdev.c
+++ b/src/netdev.c
@@ -1635,7 +1635,7 @@ static void netdev_set_gtk(struct handshake_state *hs, uint16_t key_index,
 
 	nhs->gtk_installed = false;
 
-	l_debug("%d", netdev->index);
+	l_debug("ifindex=%d key_idx=%u", netdev->index, key_index);
 
 	if (crypto_cipher_key_len(cipher) != gtk_len) {
 		l_error("Unexpected key length: %d", gtk_len);
@@ -1680,7 +1680,7 @@ static void netdev_set_igtk(struct handshake_state *hs, uint16_t key_index,
 
 	nhs->igtk_installed = false;
 
-	l_debug("%d", netdev->index);
+	l_debug("ifindex=%d key_idx=%u", netdev->index, key_index);
 
 	if (crypto_cipher_key_len(cipher) != igtk_len) {
 		l_error("Unexpected key length: %d", igtk_len);
@@ -2054,7 +2054,7 @@ static void netdev_set_tk(struct handshake_state *hs, uint8_t key_index,
 		return;
 	}
 
-	l_debug("%d", netdev->index);
+	l_debug("ifindex=%d key_idx=%u", netdev->index, key_index);
 
 	err = -ENOENT;
 	if (!netdev_copy_tk(tk_buf, tk, cipher, false))
-- 
2.34.3

[PATCH 14/17] netdev: fix key setting for authenticators

[James Prestwood]

The netdev_copy_tk function was being hard coded with authenticator
set to false. This isn't important for any ciphers except TKIP but
now that AP mode supports TKIP it needs to be fixed.
---
 src/netdev.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/netdev.c b/src/netdev.c
index 59e73608..23bbbcf6 100644
--- a/src/netdev.c
+++ b/src/netdev.c
@@ -1643,7 +1643,7 @@ static void netdev_set_gtk(struct handshake_state *hs, uint16_t key_index,
 		return;
 	}
 
-	if (!netdev_copy_tk(gtk_buf, gtk, cipher, false)) {
+	if (!netdev_copy_tk(gtk_buf, gtk, cipher, hs->authenticator)) {
 		netdev_setting_keys_failed(nhs, -ENOENT);
 		return;
 	}
@@ -2057,7 +2057,7 @@ static void netdev_set_tk(struct handshake_state *hs, uint8_t key_index,
 	l_debug("ifindex=%d key_idx=%u", netdev->index, key_index);
 
 	err = -ENOENT;
-	if (!netdev_copy_tk(tk_buf, tk, cipher, false))
+	if (!netdev_copy_tk(tk_buf, tk, cipher, hs->authenticator))
 		goto invalid_key;
 
 	msg = netdev_build_cmd_new_key_pairwise(netdev, cipher, addr, tk_buf,
@@ -2091,7 +2091,7 @@ static void netdev_set_ext_tk(struct handshake_state *hs, uint8_t key_idx,
 				L_BE16_TO_CPU(step4->header.packet_len);
 
 	err = -ENOENT;
-	if (!netdev_copy_tk(tk_buf, tk, cipher, false))
+	if (!netdev_copy_tk(tk_buf, tk, cipher, hs->authenticator))
 		goto error;
 
 	msg = netdev_build_cmd_new_rx_key_pairwise(netdev, cipher, addr, tk_buf,
-- 
2.34.3

[PATCH 15/17] nl80211util: add key type/idx to nl80211_parse_attrs

[James Prestwood]

---
 src/nl80211util.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/src/nl80211util.c b/src/nl80211util.c
index 5ba0097f..da36d936 100644
--- a/src/nl80211util.c
+++ b/src/nl80211util.c
@@ -139,6 +139,17 @@ static bool extract_nested(const void *data, uint16_t len, void *o)
 	return true;
 }
 
+static bool extract_u8(const void *data, uint16_t len, void *o)
+{
+	uint8_t *out = o;
+
+	if (len != 1)
+		return false;
+
+	*out = l_get_u8(data);
+	return true;
+}
+
 static attr_handler handler_for_type(enum nl80211_attrs type)
 {
 	switch (type) {
@@ -146,6 +157,7 @@ static attr_handler handler_for_type(enum nl80211_attrs type)
 		return extract_ifindex;
 	case NL80211_ATTR_WIPHY:
 	case NL80211_ATTR_IFTYPE:
+	case NL80211_ATTR_KEY_TYPE:
 		return extract_uint32;
 	case NL80211_ATTR_WDEV:
 	case NL80211_ATTR_COOKIE:
@@ -170,6 +182,8 @@ static attr_handler handler_for_type(enum nl80211_attrs type)
 		return extract_iovec;
 	case NL80211_ATTR_WIPHY_BANDS:
 		return extract_nested;
+	case NL80211_ATTR_KEY_IDX:
+		return extract_u8;
 	default:
 		break;
 	}
-- 
2.34.3

[PATCH 16/17] netdev: parse michael MIC failure message

[James Prestwood]

This event indicates a security issue. The proper handling would be
to rekey but for now at least provide some information to the user.
---
 src/netdev.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/src/netdev.c b/src/netdev.c
index 23bbbcf6..ced87191 100644
--- a/src/netdev.c
+++ b/src/netdev.c
@@ -5224,6 +5224,20 @@ static void netdev_channel_switch_event(struct l_genl_msg *msg,
 				&netdev->frequency, netdev->user_data);
 }
 
+static void netdev_michael_mic_failure(struct l_genl_msg *msg,
+					struct netdev *netdev)
+{
+	uint8_t idx;
+	uint32_t type;
+
+	if (nl80211_parse_attrs(msg, NL80211_ATTR_KEY_IDX, &idx,
+				NL80211_ATTR_KEY_TYPE, &type,
+				NL80211_ATTR_UNSPEC) < 0)
+		return;
+
+	l_debug("ifindex=%u key_idx=%u type=%u", netdev->index, idx, type);
+}
+
 static void netdev_mlme_notify(struct l_genl_msg *msg, void *user_data)
 {
 	struct netdev *netdev = NULL;
@@ -5274,6 +5288,9 @@ static void netdev_mlme_notify(struct l_genl_msg *msg, void *user_data)
 	case NL80211_CMD_DEL_STATION:
 		netdev_station_event(msg, netdev, false);
 		break;
+	case NL80211_CMD_MICHAEL_MIC_FAILURE:
+		netdev_michael_mic_failure(msg, netdev);
+		break;
 	}
 }
 
-- 
2.34.3

[PATCH 17/17] auto-t: add AP test for all pairwise/group cipher combos

[James Prestwood]

Iterates through every possible cipher combination and verifies the
AP can authenticate the clients.
---
 autotests/testAP/connection_test.py | 33 ++++++++++++++++++++++++-----
 1 file changed, 28 insertions(+), 5 deletions(-)

diff --git a/autotests/testAP/connection_test.py b/autotests/testAP/connection_test.py
index dff415e7..297a8aa2 100644
--- a/autotests/testAP/connection_test.py
+++ b/autotests/testAP/connection_test.py
@@ -1,6 +1,7 @@
 #! /usr/bin/python3
 
 import unittest
+import os
 
 from iwd import IWD
 from config import ctx
@@ -8,6 +9,8 @@ from validation import validate, client_connect
 
 class Test(unittest.TestCase):
     def test_connection_success(self):
+        IWD.copy_to_storage('TestAP1.psk')
+
         wd = IWD(True)
 
         dev1, dev2 = wd.list_devices(2)
@@ -22,6 +25,8 @@ class Test(unittest.TestCase):
         client_connect(wd, dev1, 'TestAP1')
 
     def test_client_start_ap(self):
+        IWD.copy_to_storage('TestAP1.psk')
+
         wd = IWD(True)
 
         dev1, dev2 = wd.list_devices(2)
@@ -39,12 +44,30 @@ class Test(unittest.TestCase):
 
         validate(wd, dev2, dev1, 'TestAP2', 'Password2')
 
-    @classmethod
-    def setUpClass(cls):
-        IWD.copy_to_storage('TestAP1.psk')
+    def test_ciphers(self):
+        ciphers = ['TKIP', 'CCMP', 'GCMP', 'CCMP-256', 'GCMP-256']
+
+        for pairwise in ciphers:
+            for group in ciphers:
+                IWD.copy_to_ap('TestAP2.ap')
+                os.system('echo "PairwiseCiphers=%s" >> /tmp/iwd/ap/TestAP2.ap' % pairwise)
+                os.system('echo "GroupCipher=%s" >> /tmp/iwd/ap/TestAP2.ap' % group)
+
+                wd = IWD(True)
+
+                dev1, dev2 = wd.list_devices(2)
+
+                dev1.start_ap('TestAP2')
+
+                try:
+                    validate(wd, dev2, dev1, 'TestAP2', 'Password2', ip_checks=False)
+                except:
+                    raise Exception("Failed with pairwise=%s group=%s" % (pairwise, group))
+                finally:
+                    IWD.clear_storage()
+                    del wd
 
-    @classmethod
-    def tearDownClass(cls):
+    def tearDown(self):
         IWD.clear_storage()
 
 if __name__ == '__main__':
-- 
2.34.3

Re: [PATCH 06/17] ap: add frequency to AP interface

[Denis Kenzior]

Hi James,

On 11/1/22 15:17, James Prestwood wrote:
> ---
>   src/ap.c | 23 +++++++++++++++++++++++
>   1 file changed, 23 insertions(+)
> 

Looks like you forgot the doc commit for this change.  I added this and applied 
patch 6 and 7.

Regards,
-Denis

Re: [PATCH 10/17] hwsim: add remaining ciphers to supported list

[Denis Kenzior]

Hi James,

On 11/1/22 15:17, James Prestwood wrote:
> This list was not updated when adding the new ciphers which prevented
> these ciphers from being disabled.
> ---
>   tools/hwsim.c | 6 ++++++
>   1 file changed, 6 insertions(+)
> 

Applied, thanks.

Regards,
-Denis

Re: [PATCH 12/17] auto-t: fix testAP-no-support disabled ciphers

[Denis Kenzior]

Hi James,

On 11/1/22 15:17, James Prestwood wrote:
> The disabled cipher list contained a '.' instead of ',' which prevented
> the subsequent ciphers from being disabled. This was only group management
> ciphers so it didn't have any effect on the test.
> ---
>   autotests/testAP-no-support/hw.conf | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 

Applied, thanks.

Regards,
-Denis

Re: [PATCH 13/17] netdev: add more info to key setting debug messages

[Denis Kenzior]

Hi James,

On 11/1/22 15:17, James Prestwood wrote:
> Specify that the ifindex is being printed and print the key ID
> as well.
> ---
>   src/netdev.c | 6 +++---
>   1 file changed, 3 insertions(+), 3 deletions(-)
> 

Patch 13 and 14 applied, thanks.

Regards,
-Denis

Re: [PATCH 15/17] nl80211util: add key type/idx to nl80211_parse_attrs

[Denis Kenzior]

Hi James,

On 11/1/22 15:17, James Prestwood wrote:
> ---
>   src/nl80211util.c | 14 ++++++++++++++
>   1 file changed, 14 insertions(+)
> 

Patch 15 & 16 applied, thanks.

Regards,
-Denis