Date: Tue, 14 May 2024 22:00:39 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: Adrian Chadd
cc: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: Re: git: c7f5f140bfdd - main - net80211: add initial key management suites from 802.11-2016, APIs to register them
In-Reply-To: <202405142139.44ELdoev094470@gitrepo.freebsd.org>

On Tue, 14 May 2024, Adrian Chadd wrote:

> The branch main has been updated by adrian:
>
> URL: https://cgit.FreeBSD.org/src/commit/?id=c7f5f140bfdde730dcd4380ac364a084488c962f
>
> commit c7f5f140bfdde730dcd4380ac364a084488c962f
> Author:     Adrian Chadd
> AuthorDate: 2024-04-23 21:59:43 +0000
> Commit:     Adrian Chadd
> CommitDate: 2024-05-14 21:39:33 +0000
>
>     net80211: add initial key management suites from 802.11-2016, APIs to register them
>
>     The WPA1/WPA2 driver capabilities aren't really enough in today's world.
>     There are a /lot/ more key management suites to support!
>
>     So, add initial support for net80211 and drivers to announce what
>     key management suites are supported. This is the list from 802.11-2016
>     section 9.4.2.25.3 (AKM suites.)
>
>     The flags are for software supported key management.
>
>     Drivers may support more key management suites and are welcome to
>     announce more; net80211 will only announce ones that we know
>     net80211 knows "enough" about to support correctly.
>
>     There /are/ other suites that may be interesting to some people in
>     the future that are not part of this set - eg if anyone ever
>     wants to support the Chinese WAPI standard - so this bitmap is not
>     specifically just the AKM suites in the RSN OUI.
>
>     This should eventually be communicated up to the wpa_supplicant and
>     hostapd via a replacement driver/vap capabilities call so they know
>     what to enable rather than just IEEE80211_C_WPA1 / IEEE80211_C_WPA2.
>
>     Differential Revision: https://reviews.freebsd.org/D44919
>     Reviewed by: bz

No. Leaving a comment doesn't mean Reviewed. Especially if it gets changed again after.

> ---
>  sys/net80211/_ieee80211.h       | 21 +++++++++++++++++++++
>  sys/net80211/ieee80211.c        | 12 ++++++++++++
>  sys/net80211/ieee80211_crypto.c | 35 +++++++++++++++++++++++++++++++++++
>  sys/net80211/ieee80211_crypto.h |  2 ++
>  sys/net80211/ieee80211_var.h    |  4 ++++
>  5 files changed, 74 insertions(+)
>
> diff --git a/sys/net80211/_ieee80211.h b/sys/net80211/_ieee80211.h > index 1ac9328714f7..5c7e6110026d 100644 > --- a/sys/net80211/_ieee80211.h > +++ b/sys/net80211/_ieee80211.h
> @@ -536,6 +536,27 @@ struct ieee80211_mimo_info { > "\21AMPDU\22AMSDU\23HT\24SMPS\25RIFS\32TXLDPC\33RXAMSDUAMPDU" \ > "\34TXAMSDUAMPDU" > > +/* > + * AKM (key management) suite capability list. > + * > + * These represent what's in 802.11-2016 - Table 9-133 - AKM Suite Selectors. > + * Note that they do not match what the table values are, in case other key > + * management suites want to be added with different OUIs. > + */ > +#define IEEE80211_KEYMGMT_RSN_UNSPEC_802_1X 0x00000001 /* RSN suite 1 */ > +#define IEEE80211_KEYMGMT_RSN_PSK_OVER_802_1X 0x00000002 /* RSN suite 2 */ > +#define IEEE80211_KEYMGMT_RSN_FT_OVER_802_1X 0x00000004 /* RSN suite 3 */ > +#define IEEE80211_KEYMGMT_RSN_FT_PSK 0x00000008 /* RSN suite 4 */ > +#define IEEE80211_KEYMGMT_RSN_802_1X_SHA256 0x00000010 /* RSN suite 5 */ > +#define IEEE80211_KEYMGMT_RSN_PSK_SHA256 0x00000020 /* RSN suite 6 */ > +#define IEEE80211_KEYMGMT_RSN_TPK_HANDSHAKE 0x00000040 /* RSN suite 7 */ > +#define IEEE80211_KEYMGMT_RSN_SAE 0x00000080 /* RSN suite 8 */ > +#define IEEE80211_KEYMGMT_RSN_FT_SAE 0x00000100 /* RSN suite 9 */ > +#define IEEE80211_KEYMGMT_RSN_APPEERKEY_SHA256 0x00000200 /* RSN suite 10 */ > +#define IEEE80211_KEYMGMT_RSN_802_1X_SUITE_B 0x00000400 /* RSN suite 11 */ > +#define IEEE80211_KEYMGMT_RSN_802_1X_SUITE_B_192 0x00000800 /* RSN suite 12 */ > +#define IEEE80211_KEYMGMT_RSN_FT_802_1X_SHA384 0x00001000 /* RSN suite 13 */ > + > /* > * RX status notification - which fields are valid. > */ > diff --git a/sys/net80211/ieee80211.c b/sys/net80211/ieee80211.c > index 1c82493274bb..ecb46e08713c 100644 > --- a/sys/net80211/ieee80211.c > +++ b/sys/net80211/ieee80211.c 
> @@ -456,6 +456,18 @@ ieee80211_set_hardware_ciphers(struct ieee80211com *ic, > ieee80211_crypto_set_supported_hardware_ciphers(ic, cipher_suite); > } > > +/* > + * Called by drivers during attach to set the supported > + * key management suites by the driver/hardware. > + */ > +void > +ieee80211_set_driver_keymgmt_suites(struct ieee80211com *ic, > + uint32_t keymgmt_set) > +{ > + ieee80211_crypto_set_supported_driver_keymgmt(ic, > + keymgmt_set); > +} > + > struct ieee80211com * > ieee80211_find_com(const char *name) > { > diff --git a/sys/net80211/ieee80211_crypto.c b/sys/net80211/ieee80211_crypto.c > index 3659d3f7c79a..829653ff1335 100644 > --- a/sys/net80211/ieee80211_crypto.c > +++ b/sys/net80211/ieee80211_crypto.c > @@ -154,6 +154,25 @@ ieee80211_crypto_attach(struct ieee80211com *ic) > */ > ic->ic_sw_cryptocaps = IEEE80211_CRYPTO_WEP | > IEEE80211_CRYPTO_TKIP | IEEE80211_CRYPTO_AES_CCM; > + > + /* > + * Default set of key management types supported by net80211. > + * > + * These are supported by software net80211 and announced/ > + * driven by hostapd + wpa_supplicant. > + * > + * Drivers doing full supplicant offload must not set > + * anything here. > + * > + * Note that IEEE80211_C_WPA1 and IEEE80211_C_WPA2 are the > + * "old" style way of drivers announcing key management > + * capabilities. There are many, many more key management > + * suites in 802.11-2016 (see 9.4.2.25.3 - AKM suites.) > + * For now they still need to be set - these flags are checked > + * when assembling a beacon to reserve space for the WPA > + * vendor IE (WPA 1) and RSN IE (WPA 2). > + */ > + ic->ic_sw_keymgmtcaps = 0; > } > > /* 
> @@ -184,6 +203,22 @@ ieee80211_crypto_set_supported_hardware_ciphers(struct ieee80211com *ic, > ic->ic_cryptocaps = cipher_set; > } > > +/* > + * Set the supported software key management by the driver. > + * > + * These are the key management suites that are supported via > + * the driver via hostapd/wpa_supplicant. > + * > + * Key management which is completely offloaded (ie, the supplicant > + * runs in hardware/firmware) must not be set here. > + */ > +void > +ieee80211_crypto_set_supported_driver_keymgmt(struct ieee80211com *ic, > + uint32_t keymgmt_set) > +{ > + > + ic->ic_sw_keymgmtcaps = keymgmt_set; > +} > > /* > * Setup crypto support for a vap. > diff --git a/sys/net80211/ieee80211_crypto.h b/sys/net80211/ieee80211_crypto.h > index e09b822289d7..b69df0cff3bd 100644 > --- a/sys/net80211/ieee80211_crypto.h > +++ b/sys/net80211/ieee80211_crypto.h > @@ -184,6 +184,8 @@ void ieee80211_crypto_set_supported_software_ciphers(struct ieee80211com *, > uint32_t cipher_set); > void ieee80211_crypto_set_supported_hardware_ciphers(struct ieee80211com *, > uint32_t cipher_set); > +void ieee80211_crypto_set_supported_driver_keymgmt(struct ieee80211com *, > + uint32_t keymgmt_set); > void ieee80211_crypto_vattach(struct ieee80211vap *); > void ieee80211_crypto_vdetach(struct ieee80211vap *); > int ieee80211_crypto_newkey(struct ieee80211vap *, > diff --git a/sys/net80211/ieee80211_var.h b/sys/net80211/ieee80211_var.h > index 21fdff0b88a3..9273b43a5823 100644 > --- a/sys/net80211/ieee80211_var.h > +++ b/sys/net80211/ieee80211_var.h > @@ -167,6 +167,8 @@ struct ieee80211com { > uint32_t ic_sw_cryptocaps; > uint32_t ic_cryptocaps; /* hardware crypto caps */ > /* set of mode capabilities */ > + /* driver/net80211 sw KEYMGMT capabilities */ > + uint32_t ic_sw_keymgmtcaps; > uint8_t ic_modecaps[IEEE80211_MODE_BYTES]; > uint8_t ic_promisc; /* vap's needing promisc mode */ > uint8_t ic_allmulti; /* vap's needing all multicast*/ 
> @@ -755,6 +757,8 @@ void ieee80211_set_software_ciphers(struct ieee80211com *, > uint32_t cipher_suite); > void ieee80211_set_hardware_ciphers(struct ieee80211com *, > uint32_t cipher_suite); > +void ieee80211_set_driver_keymgmt_suites(struct ieee80211com *ic, > + uint32_t keymgmt_set); > int ieee80211_vap_setup(struct ieee80211com *, struct ieee80211vap *, > const char name[IFNAMSIZ], int unit, > enum ieee80211_opmode opmode, int flags, > -- Bjoern A. Zeeb r15:7
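Review bot: in the _ieee80211.h hunk the new comment says the IEEE80211_KEYMGMT_RSN_* defines "represent what's in 802.11-2016 - Table 9-133" but the list stops at suite 13 while the commit message calls this an "initial" set; state in the comment which selectors are deliberately left out so that later additions keep the bit assignment stable, and because the bit values intentionally do not match the table's selector numbers, a `#define IEEE80211_KEYMGMT_BITS "\20\1RSN_UNSPEC_802_1X\2RSN_PSK_OVER_802_1X..."` string in the same style as the `"\21AMPDU\22AMSDU\23HT..."` string in the context above would let the mask be printed with `%b` instead of as an opaque hex value.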
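Review bot: ieee80211_set_driver_keymgmt_suites() in the ieee80211.c hunk is a plain pass-through, yet the commit message says net80211 "will only announce ones that ... net80211 knows 'enough' about"; nothing in this patch masks the driver-supplied bits against the set net80211 actually implements, so either do that filtering here (or in ieee80211_crypto_set_supported_driver_keymgmt()) or say in the comment that ic_sw_keymgmtcaps may carry bits net80211 does not understand and that the filtering happens elsewhere.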
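Review bot: in the ieee80211_crypto_attach() hunk the comment announces a "Default set of key management types supported by net80211 ... supported by software net80211 and announced/driven by hostapd + wpa_supplicant", but the code then sets `ic->ic_sw_keymgmtcaps = 0;`, unlike ic_sw_cryptocaps just above which gets a real default (WEP | TKIP | AES_CCM); either fill in the default set the comment describes or reword the comment to say the field starts empty and drivers must opt in. Since this runs from ieee80211_ifattach(), also document that a driver calling ieee80211_set_driver_keymgmt_suites() before ieee80211_ifattach() will have its value overwritten by this zeroing.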
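Review bot: in the ieee80211_crypto_set_supported_driver_keymgmt() hunk the comment "supported via the driver via hostapd/wpa_supplicant" is garbled and should say what it means (suites the driver can support with key management run in software by hostapd/wpa_supplicant); the comment should also state that the call replaces ic_sw_keymgmtcaps rather than ORing into it, since a driver calling it twice, or once for each of several capability sources, silently loses the earlier bits.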
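Review bot: in the ieee80211_var.h struct hunk the two added lines land between the existing `/* set of mode capabilities */` comment and the `ic_modecaps` field it describes, so that comment now appears to belong to ic_sw_keymgmtcaps; move the new field up to sit directly after `ic_cryptocaps` (next to the ic_sw_cryptocaps it mirrors) and use the neighbours' trailing-comment layout, e.g. `uint32_t ic_sw_keymgmtcaps; /* sw key mgmt caps */`.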
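Review bot: the ieee80211_set_driver_keymgmt_suites prototype in the second ieee80211_var.h hunk names its parameters (`struct ieee80211com *ic`, `uint32_t keymgmt_set`) while the adjacent ieee80211_set_software_ciphers()/ieee80211_set_hardware_ciphers() prototypes, and the new declaration in ieee80211_crypto.h, leave the ieee80211com pointer unnamed; drop `ic` here to match.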