* [PATCH 1/9] crypto: modify crypto_derive_pmkid to take the hash/key length
2023-04-10 22:01 [PATCH 0/9] Support FT-8021X-SHA384 James Prestwood
@ 2023-04-10 22:01 ` James Prestwood
2023-04-16 18:01 ` Denis Kenzior
2023-04-10 22:01 ` [PATCH 2/9] handshake: include additional sha256 AKMs for PMKID generation James Prestwood
` (7 subsequent siblings)
8 siblings, 1 reply; 13+ messages in thread
From: James Prestwood @ 2023-04-10 22:01 UTC (permalink / raw)
To: iwd; +Cc: James Prestwood
The existing API was limited to SHA1 or SHA256 and assumed a key
length of 32 bytes. Since support for other AKMs is planned, update
this to take the checksum type and key length directly for better flexibility.
---
src/crypto.c | 18 ++++++++++++------
src/crypto.h | 5 +++--
src/eapol.c | 4 ++--
src/handshake.c | 11 ++++++-----
4 files changed, 23 insertions(+), 15 deletions(-)
diff --git a/src/crypto.c b/src/crypto.c
index 840d9ee4..f8aba7d8 100644
--- a/src/crypto.c
+++ b/src/crypto.c
@@ -1116,9 +1116,10 @@ exit:
}
/* Defined in 802.11-2012, Section 11.6.1.3 Pairwise Key Hierarchy */
-bool crypto_derive_pmkid(const uint8_t *pmk,
+bool crypto_derive_pmkid(const uint8_t *pmk, size_t key_len,
const uint8_t *addr1, const uint8_t *addr2,
- uint8_t *out_pmkid, bool use_sha256)
+ uint8_t *out_pmkid,
+ enum l_checksum_type checksum)
{
uint8_t data[20];
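Review bot: The new `key_len` parameter is undocumented, and no visible line checks it against the buffer `pmk` points to. The comment above the signature still only cites the 802.11-2012 section; I would extend it with something like `/* key_len: number of bytes of pmk used as the HMAC key; out_pmkid receives 16 bytes */`. The 16-byte output size is what the hmac calls in the next hunk pass as their last argument. The function body continues outside this hunk, so the caller contract (pmk must hold at least key_len bytes) is worth stating explicitly.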
@@ -1126,10 +1127,15 @@ bool crypto_derive_pmkid(const uint8_t *pmk,
memcpy(data + 8, addr2, 6);
memcpy(data + 14, addr1, 6);
- if (use_sha256)
- return hmac_sha256(pmk, 32, data, 20, out_pmkid, 16);
- else
- return hmac_sha1(pmk, 32, data, 20, out_pmkid, 16);
+ switch (checksum) {
+ case L_CHECKSUM_SHA1:
+ return hmac_sha1(pmk, key_len, data, 20, out_pmkid, 16);
+ case L_CHECKSUM_SHA256:
+ return hmac_sha256(pmk, key_len, data, 20, out_pmkid, 16);
+ default:
+ l_error("Checksum type %u is not valid", checksum);
+ return false;
+ }
}
enum l_checksum_type crypto_sae_hash_from_ecc_prime_len(enum crypto_sae type,
diff --git a/src/crypto.h b/src/crypto.h
index ed430abb..d2a96655 100644
--- a/src/crypto.h
+++ b/src/crypto.h
@@ -154,9 +154,10 @@ bool crypto_derive_ft_ptk(const uint8_t *pmk_r1, const uint8_t *pmk_r1_name,
bool sha384, uint8_t *out_ptk, size_t ptk_len,
uint8_t *out_ptk_name);
-bool crypto_derive_pmkid(const uint8_t *pmk,
+bool crypto_derive_pmkid(const uint8_t *pmk, size_t key_len,
const uint8_t *addr1, const uint8_t *addr2,
- uint8_t *out_pmkid, bool use_sha256);
+ uint8_t *out_pmkid,
+ enum l_checksum_type checksum);
enum crypto_sae {
CRYPTO_SAE_LOOPING,
diff --git a/src/eapol.c b/src/eapol.c
index 9471d13e..9e8f7c34 100644
--- a/src/eapol.c
+++ b/src/eapol.c
@@ -1103,8 +1103,8 @@ static void eapol_send_ptk_1_of_4(struct eapol_sm *sm)
memcpy(ek->key_nonce, sm->handshake->anonce, sizeof(ek->key_nonce));
/* Write the PMKID KDE into Key Data field unencrypted */
- crypto_derive_pmkid(sm->handshake->pmk, sm->handshake->spa, aa,
- pmkid, false);
+ crypto_derive_pmkid(sm->handshake->pmk, 32, sm->handshake->spa, aa,
+ pmkid, L_CHECKSUM_SHA1);
eapol_key_data_append(ek, sm->mic_len, HANDSHAKE_KDE_PMKID, pmkid, 16);
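Review bot: The return value of `crypto_derive_pmkid()` is still discarded at this call, so if the HMAC fails, the next line appends `pmkid` to the unencrypted Key Data with whatever the buffer held before. The declaration of `pmkid` is outside the hunk, so it is not visible whether it is initialised. I would check the result, e.g. `if (!crypto_derive_pmkid(sm->handshake->pmk, 32, sm->handshake->spa, aa, pmkid, L_CHECKSUM_SHA1)) return;`, adapted to whatever cleanup eapol_send_ptk_1_of_4 needs for `ek`. The function starts and ends outside this hunk.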
diff --git a/src/handshake.c b/src/handshake.c
index 734e997c..39a650c5 100644
--- a/src/handshake.c
+++ b/src/handshake.c
@@ -736,7 +736,8 @@ void handshake_state_set_pmkid(struct handshake_state *s, const uint8_t *pmkid)
bool handshake_state_get_pmkid(struct handshake_state *s, uint8_t *out_pmkid)
{
- bool use_sha256;
+ enum l_checksum_type sha;
+ size_t key_len = 32;
/* SAE exports pmkid */
if (s->have_pmkid) {
@@ -757,12 +758,12 @@ bool handshake_state_get_pmkid(struct handshake_state *s, uint8_t *out_pmkid)
if (s->akm_suite & (IE_RSN_AKM_SUITE_8021X_SHA256 |
IE_RSN_AKM_SUITE_PSK_SHA256))
- use_sha256 = true;
+ sha = L_CHECKSUM_SHA256;
else
- use_sha256 = false;
+ sha = L_CHECKSUM_SHA1;
- return crypto_derive_pmkid(s->pmk, s->spa, s->aa, out_pmkid,
- use_sha256);
+ return crypto_derive_pmkid(s->pmk, key_len, s->spa, s->aa, out_pmkid,
+ sha);
}
void handshake_state_set_gtk(struct handshake_state *s, const uint8_t *key,
--
2.25.1
* Re: [PATCH 1/9] crypto: modify crypto_derive_pmkid to take the hash/key length
2023-04-10 22:01 ` [PATCH 1/9] crypto: modify crypto_derive_pmkid to take the hash/key length James Prestwood
@ 2023-04-16 18:01 ` Denis Kenzior
0 siblings, 0 replies; 13+ messages in thread
From: Denis Kenzior @ 2023-04-16 18:01 UTC (permalink / raw)
To: James Prestwood, iwd
Hi James,
On 4/10/23 17:01, James Prestwood wrote:
> The existing API was limited to SHA1 or SHA256 and assumed a key
> length of 32 bytes. Since other AKMs plan to be added update
> this to take the checksum/length directly for better flexibility.
> ---
> src/crypto.c | 18 ++++++++++++------
> src/crypto.h | 5 +++--
> src/eapol.c | 4 ++--
> src/handshake.c | 11 ++++++-----
> 4 files changed, 23 insertions(+), 15 deletions(-)
>
<snip>
> @@ -1126,10 +1127,15 @@ bool crypto_derive_pmkid(const uint8_t *pmk,
> memcpy(data + 8, addr2, 6);
> memcpy(data + 14, addr1, 6);
>
> - if (use_sha256)
> - return hmac_sha256(pmk, 32, data, 20, out_pmkid, 16);
> - else
> - return hmac_sha1(pmk, 32, data, 20, out_pmkid, 16);
> + switch (checksum) {
> + case L_CHECKSUM_SHA1:
> + return hmac_sha1(pmk, key_len, data, 20, out_pmkid, 16);
> + case L_CHECKSUM_SHA256:
> + return hmac_sha256(pmk, key_len, data, 20, out_pmkid, 16);
> + default:
> + l_error("Checksum type %u is not valid", checksum);
> + return false;
> + }
Just use l_checksum_new_hmac directly and avoid the switch/case. That way patch
3 is unnecessary.
Regards,
-Denis
* [PATCH 2/9] handshake: include additional sha256 AKMs for PMKID generation
2023-04-10 22:01 [PATCH 0/9] Support FT-8021X-SHA384 James Prestwood
2023-04-10 22:01 ` [PATCH 1/9] crypto: modify crypto_derive_pmkid to take the hash/key length James Prestwood
@ 2023-04-10 22:01 ` James Prestwood
2023-04-10 22:01 ` [PATCH 3/9] crypto: add hmac_sha384 support for PMKID derivation James Prestwood
` (6 subsequent siblings)
8 siblings, 0 replies; 13+ messages in thread
From: James Prestwood @ 2023-04-10 22:01 UTC (permalink / raw)
To: iwd; +Cc: James Prestwood
The 802.11 spec defines what AKMs should use sha256 to derive the
PMKID. Hostapd commit b6d3fd05e3 changed the PMKID derivation in
accordance with 802.11-2020 which then breaks PMKID validation in
IWD. This breaks FT-PSK/8021x AKMs in IWD if the AP uses this
hostapd version.
Updating IWD to use sha256 in these cases will now break backwards
compatibility with *older* APs, but this will be worked around in
future commits.
---
src/handshake.c | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/src/handshake.c b/src/handshake.c
index 39a650c5..82e0c1c2 100644
--- a/src/handshake.c
+++ b/src/handshake.c
@@ -754,10 +754,23 @@ bool handshake_state_get_pmkid(struct handshake_state *s, uint8_t *out_pmkid)
* preauthentication, the AKM has not yet been negotiated. In this
* case, the HMAC-SHA1-128 based derivation is used for the PMKID
* calculation."
+ *
+ * 802.11-2020 Table 9-151 defines the hashing algorithm to use
+ * for various AKM's. SHA256 should be used for the following
+ * AKM's (for this API context):
+ *
+ * 00-0F-AC:3 (FT-8021X)
+ * 00-0F-AC:4 (FT-PSK)
+ * 00-0F-AC:5 (8021X-SHA256)
+ * 00-0F-AC:6 (PSK-SHA256)
+ *
+ * (Note SAE/FILS were left out as they generate their own PMKID)
*/
if (s->akm_suite & (IE_RSN_AKM_SUITE_8021X_SHA256 |
- IE_RSN_AKM_SUITE_PSK_SHA256))
+ IE_RSN_AKM_SUITE_PSK_SHA256 |
+ IE_RSN_AKM_SUITE_FT_OVER_8021X |
+ IE_RSN_AKM_SUITE_FT_USING_PSK))
sha = L_CHECKSUM_SHA256;
else
sha = L_CHECKSUM_SHA1;
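Review bot: The added comment lists the AKMs that move to SHA256 but leaves out the compatibility break that the commit message describes. A reader who later debugs a PMKID mismatch against an older AP will only have the code, so I would add a line such as `* NOTE: APs predating hostapd commit b6d3fd05e3 appear to derive the FT PMKIDs differently, so a mismatch there is an interop issue`. The wording is hedged because the old AP behaviour is inferred from the commit message rather than shown in the diff. handshake_state_get_pmkid starts and ends outside this hunk.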
--
2.25.1
* [PATCH 3/9] crypto: add hmac_sha384 support for PMKID derivation
2023-04-10 22:01 [PATCH 0/9] Support FT-8021X-SHA384 James Prestwood
2023-04-10 22:01 ` [PATCH 1/9] crypto: modify crypto_derive_pmkid to take the hash/key length James Prestwood
2023-04-10 22:01 ` [PATCH 2/9] handshake: include additional sha256 AKMs for PMKID generation James Prestwood
@ 2023-04-10 22:01 ` James Prestwood
2023-04-10 22:01 ` [PATCH 4/9] eapol: add support for FT-8021X-SHA384 James Prestwood
` (5 subsequent siblings)
8 siblings, 0 replies; 13+ messages in thread
From: James Prestwood @ 2023-04-10 22:01 UTC (permalink / raw)
To: iwd; +Cc: James Prestwood
SHA384 is required by several AKMs
---
src/crypto.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/crypto.c b/src/crypto.c
index f8aba7d8..6b8a7b1e 100644
--- a/src/crypto.c
+++ b/src/crypto.c
@@ -1132,6 +1132,8 @@ bool crypto_derive_pmkid(const uint8_t *pmk, size_t key_len,
return hmac_sha1(pmk, key_len, data, 20, out_pmkid, 16);
case L_CHECKSUM_SHA256:
return hmac_sha256(pmk, key_len, data, 20, out_pmkid, 16);
+ case L_CHECKSUM_SHA384:
+ return hmac_sha384(pmk, key_len, data, 20, out_pmkid, 16);
default:
l_error("Checksum type %u is not valid", checksum);
return false;
--
2.25.1
* [PATCH 4/9] eapol: add support for FT-8021X-SHA384
2023-04-10 22:01 [PATCH 0/9] Support FT-8021X-SHA384 James Prestwood
` (2 preceding siblings ...)
2023-04-10 22:01 ` [PATCH 3/9] crypto: add hmac_sha384 support for PMKID derivation James Prestwood
@ 2023-04-10 22:01 ` James Prestwood
2023-04-10 22:01 ` [PATCH 5/9] handshake: support FT-8021X-SHA384 James Prestwood
` (4 subsequent siblings)
8 siblings, 0 replies; 13+ messages in thread
From: James Prestwood @ 2023-04-10 22:01 UTC (permalink / raw)
To: iwd; +Cc: James Prestwood
The SHA384 variant was not being checked for in any of the
MIC calculations/verifications or for EAPoL decryption.
---
src/eapol.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/src/eapol.c b/src/eapol.c
index 9e8f7c34..f290f40a 100644
--- a/src/eapol.c
+++ b/src/eapol.c
@@ -110,6 +110,9 @@ bool eapol_calculate_mic(enum ie_rsn_akm_suite akm, const uint8_t *kck,
case IE_RSN_AKM_SUITE_OSEN:
return cmac_aes(kck, 16, frame, frame_len,
mic, mic_len);
+ case IE_RSN_AKM_SUITE_FT_OVER_8021X_SHA384:
+ return hmac_sha384(kck, 24, frame, frame_len,
+ mic, mic_len);
case IE_RSN_AKM_SUITE_OWE:
switch (mic_len) {
case 16:
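Review bot: The KCK length is hard-coded as 24 in the new `IE_RSN_AKM_SUITE_FT_OVER_8021X_SHA384` case while `mic_len` stays whatever the caller passed, so nothing visible here ties the MIC length to the AKM. The same applies to the matching case in the eapol_verify_mic hunk, and in the last eapol_decrypt_key_data hunk the AKM joins OWE's `switch (mic_len)`, whose `case 16:` selects `kek_len = 16`. If only a 24-byte MIC is valid for this AKM, I would reject other values up front, e.g. `if (mic_len != 24) return false;` in the two MIC cases, and give the AKM its own KEK length in the decrypt path. The enclosing functions start and end outside these hunks, so an earlier check may already exist.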
@@ -164,6 +167,10 @@ bool eapol_verify_mic(enum ie_rsn_akm_suite akm, const uint8_t *kck,
case IE_RSN_AKM_SUITE_OSEN:
checksum = l_checksum_new_cmac_aes(kck, 16);
break;
+ case IE_RSN_AKM_SUITE_FT_OVER_8021X_SHA384:
+ checksum = l_checksum_new_hmac(L_CHECKSUM_SHA384,
+ kck, 24);
+ break;
case IE_RSN_AKM_SUITE_OWE:
switch (mic_len) {
case 16:
@@ -270,6 +277,7 @@ uint8_t *eapol_decrypt_key_data(enum ie_rsn_akm_suite akm, const uint8_t *kek,
case IE_RSN_AKM_SUITE_FT_OVER_SAE_SHA256:
case IE_RSN_AKM_SUITE_OWE:
case IE_RSN_AKM_SUITE_OSEN:
+ case IE_RSN_AKM_SUITE_FT_OVER_8021X_SHA384:
if (key_data_len < 24 || key_data_len % 8)
return NULL;
@@ -315,6 +323,7 @@ uint8_t *eapol_decrypt_key_data(enum ie_rsn_akm_suite akm, const uint8_t *kek,
case EAPOL_KEY_DESCRIPTOR_VERSION_AKM_DEFINED:
switch (akm) {
case IE_RSN_AKM_SUITE_OWE:
+ case IE_RSN_AKM_SUITE_FT_OVER_8021X_SHA384:
switch (mic_len) {
case 16:
kek_len = 16;
--
2.25.1
* [PATCH 5/9] handshake: support FT-8021X-SHA384
2023-04-10 22:01 [PATCH 0/9] Support FT-8021X-SHA384 James Prestwood
` (3 preceding siblings ...)
2023-04-10 22:01 ` [PATCH 4/9] eapol: add support for FT-8021X-SHA384 James Prestwood
@ 2023-04-10 22:01 ` James Prestwood
2023-04-10 22:01 ` [PATCH 6/9] handshake: remove hardcoded kek_len for FTE decode James Prestwood
` (3 subsequent siblings)
8 siblings, 0 replies; 13+ messages in thread
From: James Prestwood @ 2023-04-10 22:01 UTC (permalink / raw)
To: iwd; +Cc: James Prestwood
This adds the AKM to various places in handshake.c when deriving
keys to support this AKM.
---
src/handshake.c | 27 ++++++++++++++++++++++-----
1 file changed, 22 insertions(+), 5 deletions(-)
diff --git a/src/handshake.c b/src/handshake.c
index 82e0c1c2..362ff58a 100644
--- a/src/handshake.c
+++ b/src/handshake.c
@@ -505,6 +505,7 @@ bool handshake_state_derive_ptk(struct handshake_state *s)
return false;
if ((s->akm_suite & (IE_RSN_AKM_SUITE_FT_OVER_8021X |
+ IE_RSN_AKM_SUITE_FT_OVER_8021X_SHA384 |
IE_RSN_AKM_SUITE_FT_USING_PSK |
IE_RSN_AKM_SUITE_FT_OVER_SAE_SHA256 |
IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256 |
@@ -524,7 +525,8 @@ bool handshake_state_derive_ptk(struct handshake_state *s)
else
return false;
} else if (s->akm_suite & (IE_RSN_AKM_SUITE_FILS_SHA384 |
- IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384))
+ IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384 |
+ IE_RSN_AKM_SUITE_FT_OVER_8021X_SHA384))
type = L_CHECKSUM_SHA384;
else if (s->akm_suite & (IE_RSN_AKM_SUITE_8021X_SHA256 |
IE_RSN_AKM_SUITE_PSK_SHA256 |
@@ -540,6 +542,7 @@ bool handshake_state_derive_ptk(struct handshake_state *s)
ptk_size = handshake_state_get_ptk_size(s);
if (s->akm_suite & (IE_RSN_AKM_SUITE_FT_OVER_8021X |
+ IE_RSN_AKM_SUITE_FT_OVER_8021X_SHA384 |
IE_RSN_AKM_SUITE_FT_USING_PSK |
IE_RSN_AKM_SUITE_FT_OVER_SAE_SHA256 |
IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256 |
@@ -549,7 +552,8 @@ bool handshake_state_derive_ptk(struct handshake_state *s)
const uint8_t *xxkey = s->pmk;
size_t xxkey_len = 32;
bool sha384 = (s->akm_suite &
- IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384);
+ (IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384 |
+ IE_RSN_AKM_SUITE_FT_OVER_8021X_SHA384));
/*
* In a Fast Transition initial mobility domain association
@@ -562,7 +566,10 @@ bool handshake_state_derive_ptk(struct handshake_state *s)
*/
if (s->akm_suite == IE_RSN_AKM_SUITE_FT_OVER_8021X)
xxkey = s->pmk + 32;
- else if (s->akm_suite & (IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256 |
+ else if (s->akm_suite == IE_RSN_AKM_SUITE_FT_OVER_8021X_SHA384) {
+ xxkey = s->pmk;
+ xxkey_len = s->pmk_len;
+ } else if (s->akm_suite & (IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256 |
IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384)) {
xxkey = s->fils_ft;
xxkey_len = s->fils_ft_len;
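Review bot: `xxkey_len = s->pmk_len` takes the key length from handshake state with no visible bound, and the last hunk of this patch does the same for `key_len` in handshake_state_get_pmkid. The comment added there says the spec asks for the first 384 bits of the MSK while the PMK length can vary with the EAP method, so a short or zero `pmk_len` would flow straight into both derivations. I would add a sanity check before use, e.g. `if (s->pmk_len < 48) return false;`, or a looser bound if interoperability with hostapd requires it. The `xxkey = s->pmk;` assignment in the new branch repeats the initialiser and could be dropped. Where `pmk_len` is set is outside this diff, so confirm it is not already validated there.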
@@ -626,7 +633,8 @@ const uint8_t *handshake_state_get_kck(struct handshake_state *s)
size_t handshake_state_get_kck_len(struct handshake_state *s)
{
- if (s->akm_suite & IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384)
+ if (s->akm_suite & (IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384 |
+ IE_RSN_AKM_SUITE_FT_OVER_8021X_SHA384))
return 24;
return 16;
@@ -767,7 +775,16 @@ bool handshake_state_get_pmkid(struct handshake_state *s, uint8_t *out_pmkid)
* (Note SAE/FILS were left out as they generate their own PMKID)
*/
- if (s->akm_suite & (IE_RSN_AKM_SUITE_8021X_SHA256 |
+ if (s->akm_suite & IE_RSN_AKM_SUITE_FT_OVER_8021X_SHA384) {
+ sha = L_CHECKSUM_SHA384;
+ /*
+ * According to 12.7.1.6.3 the key length should be:
+ * "the first 384 bits of the MSK". Unfortunately hostapd uses
+ * the PMK length directly which can vary depending on the EAP
+ * method...
+ */
+ key_len = s->pmk_len;
+ } else if (s->akm_suite & (IE_RSN_AKM_SUITE_8021X_SHA256 |
IE_RSN_AKM_SUITE_PSK_SHA256 |
IE_RSN_AKM_SUITE_FT_OVER_8021X |
IE_RSN_AKM_SUITE_FT_USING_PSK))
--
2.25.1
* [PATCH 6/9] handshake: remove hardcoded kek_len for FTE decode
2023-04-10 22:01 [PATCH 0/9] Support FT-8021X-SHA384 James Prestwood
` (4 preceding siblings ...)
2023-04-10 22:01 ` [PATCH 5/9] handshake: support FT-8021X-SHA384 James Prestwood
@ 2023-04-10 22:01 ` James Prestwood
2023-04-16 18:01 ` Denis Kenzior
2023-04-10 22:01 ` [PATCH 7/9] common: add FT-8021X-SHA384 to AKM_IS_8021X James Prestwood
` (2 subsequent siblings)
8 siblings, 1 reply; 13+ messages in thread
From: James Prestwood @ 2023-04-10 22:01 UTC (permalink / raw)
To: iwd; +Cc: James Prestwood
The KEK length should be obtained with the getter to ensure the
AKM is taken into account
---
src/handshake.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/handshake.c b/src/handshake.c
index 362ff58a..70aeda37 100644
--- a/src/handshake.c
+++ b/src/handshake.c
@@ -1035,7 +1035,7 @@ bool handshake_decode_fte_key(struct handshake_state *s, const uint8_t *wrapped,
size_t key_len, uint8_t *key_out)
{
const uint8_t *kek;
- size_t kek_len = 16;
+ size_t kek_len = handshake_state_get_kek_len(s);
size_t padded_len = key_len < 16 ? 16 : align_len(key_len, 8);
if (s->akm_suite & (IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256 |
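Review bot: `handshake_state_get_kek_len()` becomes the source of `kek_len` here, but no patch in this series changes that getter, while patch 5 had to extend `handshake_state_get_kck_len()` for `IE_RSN_AKM_SUITE_FT_OVER_8021X_SHA384`. If the KEK getter has the same single-AKM test the KCK getter had, it would still return the shorter length for the new AKM and the FTE key unwrap would run with the wrong KEK size. The getter body is not visible, so this needs confirming; if it is the case, it should test the same `(IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384 | IE_RSN_AKM_SUITE_FT_OVER_8021X_SHA384)` mask. handshake_decode_fte_key continues outside the hunk.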
--
2.25.1
* [PATCH 7/9] common: add FT-8021X-SHA384 to AKM_IS_8021X
2023-04-10 22:01 [PATCH 0/9] Support FT-8021X-SHA384 James Prestwood
` (5 preceding siblings ...)
2023-04-10 22:01 ` [PATCH 6/9] handshake: remove hardcoded kek_len for FTE decode James Prestwood
@ 2023-04-10 22:01 ` James Prestwood
2023-04-16 18:01 ` Denis Kenzior
2023-04-10 22:01 ` [PATCH 8/9] wiphy: add FT-8021X-SHA384 to supported AKMs James Prestwood
2023-04-10 22:01 ` [PATCH 9/9] auto-t: update testFT-8021x-roam with SHA384 test James Prestwood
8 siblings, 1 reply; 13+ messages in thread
From: James Prestwood @ 2023-04-10 22:01 UTC (permalink / raw)
To: iwd; +Cc: James Prestwood
Without this the AKM shows up as WEP.
---
src/common.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/common.c b/src/common.c
index ea7b0ca0..91979423 100644
--- a/src/common.c
+++ b/src/common.c
@@ -78,6 +78,7 @@ bool security_from_str(const char *str, enum security *security)
akm & (IE_RSN_AKM_SUITE_8021X | \
IE_RSN_AKM_SUITE_8021X_SHA256 | \
IE_RSN_AKM_SUITE_FT_OVER_8021X | \
+ IE_RSN_AKM_SUITE_FT_OVER_8021X_SHA384 | \
IE_RSN_AKM_SUITE_FILS_SHA256 | \
IE_RSN_AKM_SUITE_FILS_SHA384 | \
IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256 | \
--
2.25.1
* [PATCH 8/9] wiphy: add FT-8021X-SHA384 to supported AKMs
2023-04-10 22:01 [PATCH 0/9] Support FT-8021X-SHA384 James Prestwood
` (6 preceding siblings ...)
2023-04-10 22:01 ` [PATCH 7/9] common: add FT-8021X-SHA384 to AKM_IS_8021X James Prestwood
@ 2023-04-10 22:01 ` James Prestwood
2023-04-10 22:01 ` [PATCH 9/9] auto-t: update testFT-8021x-roam with SHA384 test James Prestwood
8 siblings, 0 replies; 13+ messages in thread
From: James Prestwood @ 2023-04-10 22:01 UTC (permalink / raw)
To: iwd; +Cc: James Prestwood
This AKM is now possible to choose from the list.
---
src/wiphy.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/wiphy.c b/src/wiphy.c
index 2db2d2cd..40ab0a0b 100644
--- a/src/wiphy.c
+++ b/src/wiphy.c
@@ -281,6 +281,12 @@ enum ie_rsn_akm_suite wiphy_select_akm(struct wiphy *wiphy,
return IE_RSN_AKM_SUITE_FILS_SHA256;
}
+ if ((info->akm_suites &
+ IE_RSN_AKM_SUITE_FT_OVER_8021X_SHA384) &&
+ bss->rsne && bss->mde_present &&
+ wiphy->support_cmds_auth_assoc)
+ return IE_RSN_AKM_SUITE_FT_OVER_8021X_SHA384;
+
if ((info->akm_suites & IE_RSN_AKM_SUITE_FT_OVER_8021X) &&
bss->rsne && bss->mde_present &&
wiphy->support_cmds_auth_assoc)
--
2.25.1
* [PATCH 9/9] auto-t: update testFT-8021x-roam with SHA384 test
2023-04-10 22:01 [PATCH 0/9] Support FT-8021X-SHA384 James Prestwood
` (7 preceding siblings ...)
2023-04-10 22:01 ` [PATCH 8/9] wiphy: add FT-8021X-SHA384 to supported AKMs James Prestwood
@ 2023-04-10 22:01 ` James Prestwood
8 siblings, 0 replies; 13+ messages in thread
From: James Prestwood @ 2023-04-10 22:01 UTC (permalink / raw)
To: iwd; +Cc: James Prestwood
---
autotests/testFT-8021x-roam/connection_test.py | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/autotests/testFT-8021x-roam/connection_test.py b/autotests/testFT-8021x-roam/connection_test.py
index 356a9af2..2a4fe9e1 100644
--- a/autotests/testFT-8021x-roam/connection_test.py
+++ b/autotests/testFT-8021x-roam/connection_test.py
@@ -10,7 +10,7 @@ from hostapd import HostapdCLI
import testutil
class Test(unittest.TestCase):
- def test_roam_success(self):
+ def validate(self):
wd = IWD(True)
device = wd.list_devices(1)[0]
@@ -50,6 +50,22 @@ class Test(unittest.TestCase):
self.assertRaises(Exception, testutil.test_ifaces_connected,
(self.bss_hostapd[0].ifname, device.name, True, True))
+ def test_ft_8021x_sha256(self):
+ self.bss_hostapd[0].set_value('wpa_key_mgmt', 'FT-EAP')
+ self.bss_hostapd[0].reload()
+ self.bss_hostapd[1].set_value('wpa_key_mgmt', 'FT-EAP')
+ self.bss_hostapd[1].reload()
+
+ self.validate()
+
+ def test_ft_8021x_sha3846(self):
+ self.bss_hostapd[0].set_value('wpa_key_mgmt', 'FT-EAP-SHA384')
+ self.bss_hostapd[0].reload()
+ self.bss_hostapd[1].set_value('wpa_key_mgmt', 'FT-EAP-SHA384')
+ self.bss_hostapd[1].reload()
+
+ self.validate()
+
def tearDown(self):
os.system('ip link set "' + self.bss_hostapd[0].ifname + '" down')
os.system('ip link set "' + self.bss_hostapd[1].ifname + '" down')
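Review bot: The second new test is named `test_ft_8021x_sha3846`; the trailing `6` looks like a typo and the name should read `def test_ft_8021x_sha384(self):`. unittest still collects it because of the `test_` prefix, so this is cosmetic, but the name is what appears in test reports. `validate()`, renamed in the previous hunk, would also benefit from a one-line docstring saying it runs the roam scenario against whatever `wpa_key_mgmt` the calling test configured.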
--
2.25.1