Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-1.1 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_PASS autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 72A2CC10F0E for ; Tue, 9 Apr 2019 19:59:07 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id E5B3420833 for ; Tue, 9 Apr 2019 19:59:06 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=wetzel-home.de header.i=@wetzel-home.de header.b="d5v6FQb3" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726530AbfDIT7F (ORCPT ); Tue, 9 Apr 2019 15:59:05 -0400 Received: from 7.mo178.mail-out.ovh.net ([46.105.58.91]:49824 "EHLO 7.mo178.mail-out.ovh.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726412AbfDIT7F (ORCPT ); Tue, 9 Apr 2019 15:59:05 -0400 X-Greylist: delayed 600 seconds by postgrey-1.27 at vger.kernel.org; Tue, 09 Apr 2019 15:59:05 EDT Received: from player735.ha.ovh.net (unknown [10.109.160.244]) by mo178.mail-out.ovh.net (Postfix) with ESMTP id 4CC9F59FE4 for ; Tue, 9 Apr 2019 21:39:53 +0200 (CEST) Received: from awhome.eu (p57B7E5B2.dip0.t-ipconnect.de [87.183.229.178]) (Authenticated sender: postmaster@awhome.eu) by player735.ha.ovh.net (Postfix) with ESMTPSA id 8273549B9878; Tue, 9 Apr 2019 19:39:51 +0000 (UTC) Subject: Re: [PATCH v2 0/4] Extended Key ID support DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=wetzel-home.de; s=wetzel-home; t=1554838790; bh=ftBqBSPFRob/UZmhWOEZ3jWRZKhgkrVjGu7bX9rnBPQ=; h=Subject:To:Cc:References:From:Date:In-Reply-To; b=d5v6FQb3cKfB8pYeIpOywNHMB5dmJSa6Qnr7Pn1vPc1zNxvpx0JQkpSugfh91454Y 9laZsM9rrMhZDeKUu9YzPlKpH462Tl9ShcyKok02nnwbViw+PJMzkFfh9pzX14/yVj tA/XjhPrfsA3Sid5Gzk3o0seL+YswmPtf6y5yA0k= To: Johannes Berg Cc: linux-wireless@vger.kernel.org References: <20190319203410.25145-1-alexander@wetzel-home.de> <98e1f8942056486669c6295323ef09763fd2ec0a.camel@sipsolutions.net> From: Alexander Wetzel Message-ID: Date: Tue, 9 Apr 2019 21:39:50 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1 MIME-Version: 1.0 In-Reply-To: <98e1f8942056486669c6295323ef09763fd2ec0a.camel@sipsolutions.net> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit X-Ovh-Tracer-Id: 17656643816126291143 X-VR-SPAMSTATE: OK X-VR-SPAMSCORE: -100 X-VR-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgeduuddrudehgddugedtucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuqfggjfdpvefjgfevmfevgfenuceurghilhhouhhtmecuhedttdenucesvcftvggtihhpihgvnhhtshculddquddttddm Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org Am 08.04.19 um 21:57 schrieb Johannes Berg: > On Tue, 2019-03-19 at 21:34 +0100, Alexander Wetzel wrote: >> This patch series adds support for IEEE 802.11-2016 Extended Key ID >> support. Compared to the last RFC there are again quite some API >> changes, but also some bug fixes. (The bug fixes I remember are outlined >> in the different patches.) > > FWIW, I've applied the first two patches here. > > I'd really like you to continue with only that for now, and (try to) get > hostapd/wpa_supplicant changes upstream, perhaps with corresponding > hwsim tests. That way, we can see this working live. That's splendid:-) I'll try to get the hostapd/wpa_supplicant patches finalized in the next weeks. Hopefully I have something to submit here once the Extended Key ID API is in mainline immediately. But if you or someone else want to run some tests prior to that. I've updated the patches available here with the ones I'm currently using: https://www.awhome.eu/index.php/s/AJJXBLsZmzHdxpX They are fully functional and I'm using them on my main AP and workstation for months now. They are on top of the current hostapd HEAD and should not cause any regressions. They are also comparable simple to port between versions. The code we touch here has not been changed in any relevant way since I started working on the patches. Just really copy nl80211_copy.h from the kernel... A sad side note: I'm pretty sure I've already found one broken Wlan implementation: Samsung Galaxy Tap S3 This device seems to just copy the RSN Capability (bit) from the AP and then fails when the AP rekeys the connection and starts using keyid 1... But it's probably a Samsung specific bug, other Android devices - including a Google Pixel 3 - don't "lie" in the RSN and are using "legacy" key installs as they should. > > We briefly discussed this at the wireless workshop, and the general > feeling seems to have been that the compat mode is probably not really > worthwhile, but I haven't quite made up my mind on that. I would like to be able to support Extended Key ID for the the Atheros cards < ath10k... Maybe that gets the attention of someone who can fix the ath10k firmware to also support it, hopefully in NATIVE mode:-) But I see that the COMPAT mode may not be worth the added complexity in the long term. Which reminds me: One potential follow up on the COMPAT code would be seamless Rx during rekey even when not using Extended Key ID. It would need some slight of hand but I think it's possible. Basically we just would have to try the second key also if the first one did not decode the MPTU. So far I've shelved any plans into that direction as too complex for too little gain. And after all people should just start using Extended Key ID instead. After all that's the point of having standards... > Still, having tests and being able to check it out would help a lot, > also as part of perhaps building a case for compat mode. Besides some review of the patches with my improved 802.11/code understanding the only thing missing in the current wpa_supplicant/hostapd patches *are* the test cases. The existing rekey tests are already working fine with Extended Key ID. Separating Extended Key ID rekey from "legacy" rekeys tests is probably half of the work here... With the patches you merged and the linked hostapd/wpa_supplicant patches any (WPA2) rekey test will use Extended Key ID. (They won't test any of the really interesting code pathes in the kernel, trough. No A-MPDU, no TX-Pull and of course no HW crypto or RX/TX fast path if I remember it right.) Thanks, Alexander