[PATCH v6 05/17] hostapd: Set the correct key_type for key installs

Alexander Wetzel alexander at wetzel-home.de
Sat Sep 28 09:24:22 PDT 2019

>>> diff --git a/src/ap/ieee802_1x.c b/src/ap/ieee802_1x.c
>>> @@ -286,7 +286,7 @@ static void ieee802_1x_tx_key(struct hostapd_data 
>>> *hapd, struct sta_info *sta)
>>>           if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP,
>>>                       sta->addr, 0, 1, NULL, 0, ikey,
>>>                       hapd->conf->individual_wep_key_len,
>>> -                    0)) {
>>> +                    KEY_TYPE_DEFAULT)) {
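
Review bot: KEY_TYPE_DEFAULT as the new last argument of this hostapd_drv_set_key() call does not fit the rest of the call, which passes sta->addr and the per-station ikey, so the key being installed is specific to one station. Pass KEY_TYPE_PAIRWISE here, or add a comment at the call stating why a default key type is wanted together with a station address. A check in the set_key path that rejects key_type and address combinations the driver does not implement would make a mismatch like this fail visibly.
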
>> Why would this use KEY_TYPE_DEFAULT instead of KEY_TYPE_PAIRWISE? This
>> operation is configuring a unicast WEP key for the specific station.
>> Sure, it was not called pairwise before RSN was added to the standard,
>> but this is a WEP key that is used for unicast frames only and there is
>> a separate WEP key from group-addressed frames.
> I'm on really thin ice with WEP. But since set_tx is set to one here the 
> intent seems to be to install the WEP key also as a default WEP key for 
> the STA. So I mapped it to the equivalent, making sure there is a 
> default key with WEP. Using KEY_TYPE_PAIRWISE will skip the 
> NL80211_KEY_DEFAULT call for the key. Now the original code was doing 
> that... If that's not required we can change it.

I noticed that setting KEY_TYPE_DEFAULT and an sta addr seems to be an 
invalid combination. At least the nl80211 driver is not handling this 
combination and executes the same code as for KEY_TYPE_PAIRWISE.

So we really should use KEY_TYPE_PAIRWISE here. And maybe add a sanity 
check for set_key blocking the not implemented combination.

I've included that in the patch set I was working on and finally will 
send out in a few minutes.

>>> diff --git a/tests/hwsim/test_ap_ciphers.py 
>>> b/tests/hwsim/test_ap_ciphers.py
>>> @@ -862,7 +862,7 @@ def test_ap_wpa2_delayed_m1_m3_zero_tk(dev, apdev):
>>> -    if "OK" not in hapd.request("SET_KEY 3 %s %d %d %s %s 0" % 
>>> (addr, 0, 1, 6*"00", 16*"00")):
>>> +    if "OK" not in hapd.request("SET_KEY 3 %s %d %d %s %s %d" % 
>>> (addr, 0, 1, 6*"00", 16*"00", 2)):
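
Review bot: the bare 2 supplied for the new trailing %d in the SET_KEY request is a magic number; nothing in the test says that this field is the key_type or which type 2 selects. Give it a name or a short comment in the test (the discussion identifies 2 as KEY_TYPE_PAIRWISE) so the value can be checked against the enum if that ever changes.
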
>> I'm moving this and the other related changes in 4/17 into a separate
>> patch (i.e., 4/17 uses 0 for everything as the key_type and does not
>> have the exception for hostapd_ctrl_set_key()).
> Don't understand the reasoning for that, so just a quick explanation 
> what I do here:
> 4/17 just added the variable key_type and added the "0" prior to the 
> "%", so tests can still be executed. Here I replace the "0" with "2" 
> - which is KEY_TYPE_PAIRWISE for tests. (And start setting the value 
> like the other variables.)

Maybe one additional comment here:
It's irrelevant which patch sets the key_type to 2, it just must be done 
after 4/17 and prior to 7/17 when we don't want to break the tests 
between the patches.

