[PATCH V2 0/9] nl80211: add support for PTK/GTK handshake offload

Johannes Berg johannes at sipsolutions.net
Fri Jun 9 02:08:04 PDT 2017 

Hi Arend,

Sorry about the delay.

> > Then you have to support NEW_KEY (AP case) and then using NEW_KEY
> > to
> > detect whether or not a wpa_s configuration option to not use
> > offloaded
> > 4-way-HS can be used will not work correctly.
> > 
> > I don't really see that this is a sensible configuration, but I
> > could
> > imagine it existing if somebody "bolted on" AP functionality for a
> > client-side chipset or something like that.

> So I want to get back to this as to assure we have the same
> understanding. First off, the proposed offloads are STA-only. 

Right. But we at least also want to have them for AP mode, which
answers your below question.

> So if a
> driver supports STA and AP mode and the 4-way-HS offload, we could
> already have the case you describe here. So not really a "bolted on"
> scenario I would say.

But if you say you don't have it in AP mode, or you didn't even think
about it in AP mode yet, then I think you're right and the "bolted on"
part doesn't really apply (*).

However, this does mean that checking for NEW_KEY support _isn't_
sufficient to understand whether or not the device also supports doing
the 4-way-HS in the host, because the device might _not_ support that
in client mode, yet implement NEW_KEY for AP mode, right?

In any case - I don't think this changes much my opinion. I think that
newer wpa_s should always use the offload where available, and if
there's a debug option to turn that off, and that debug option causes
failures because the driver rejects the NEW_KEY command, rather than
causing an up-front configuration failure because wpa_s knows that the
NEW_KEY wouldn't be supported, then I don't think for a debug option
that makes a big difference. For something that higher layers might
need to set, it would make a difference - but that's not at stake here.

johannes

(*) my line of thinking was that if you have the necessary state
machine for client in the firmware, then it's not a huge step to also
have it for AP, since you have the crypto primitives for it

More information about the Hostap mailing list