[noup] hostap: Add WPA-PSK-SHA384 and FT-PSK-SHA384 key management#149
[noup] hostap: Add WPA-PSK-SHA384 and FT-PSK-SHA384 key management#149kapbh wants to merge 1 commit into
Conversation
Introduce WPA_KEY_MGMT_PSK_SHA384 and WPA_KEY_MGMT_FT_PSK_SHA384 and wire them through config parsing, RSN AKM mapping, and RSN IE generation for SHA-384 based PSK and fast-transition PSK suites. Signed-off-by: Kapil Bhatt <kapil.bhatt@nordicsemi.no> Assisted-by: Claude:Auto
There was a problem hiding this comment.
Pull request overview
This PR introduces new WPA key management bitfields for SHA-384 based PSK suites (PSK-SHA384 and FT-PSK-SHA384) and wires them into config parsing, RSN AKM selector mapping, and RSN IE generation paths.
Changes:
- Add
WPA_KEY_MGMT_PSK_SHA384andWPA_KEY_MGMT_FT_PSK_SHA384bit definitions and include them in PSK-related helper masks. - Extend wpa_supplicant config parsing/writing to accept and emit
WPA-PSK-SHA384andFT-PSK-SHA384. - Extend RSN AKM selector mapping and supplicant RSN IE generation to encode/decode the new SHA-384 PSK AKMs.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| wpa_supplicant/config.c | Parse and write new WPA-PSK-SHA384 / FT-PSK-SHA384 key_mgmt tokens (guarded by CONFIG_SHA384). |
| src/rsn_supp/wpa_ie.c | Add RSN IE AKM selector generation for PSK-SHA384 and FT-PSK-SHA384. |
| src/common/wpa_common.c | Map new RSN AKM selectors to bitfields and extend AKM-to-suite selection. |
| src/common/defs.h | Define new key mgmt bits and extend PSK helper bitmasks. |
Comments suppressed due to low confidence (1)
src/common/defs.h:105
- wpa_key_mgmt_ft_psk() still only matches WPA_KEY_MGMT_FT_PSK. With the new WPA_KEY_MGMT_FT_PSK_SHA384 bit, this helper will return false and FT-PSK-specific code paths may not run for FT-PSK-SHA384 connections.
WPA_KEY_MGMT_PSK_SHA384 |
WPA_KEY_MGMT_FT_PSK_SHA384 |
WPA_KEY_MGMT_SAE |
WPA_KEY_MGMT_SAE_EXT_KEY |
WPA_KEY_MGMT_FT_SAE |
WPA_KEY_MGMT_FT_SAE_EXT_KEY));
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| static inline int wpa_key_mgmt_wpa_psk_no_sae(int akm) | ||
| { | ||
| return !!(akm & (WPA_KEY_MGMT_PSK | | ||
| WPA_KEY_MGMT_FT_PSK | | ||
| WPA_KEY_MGMT_PSK_SHA256)); | ||
| WPA_KEY_MGMT_PSK_SHA256 | | ||
| WPA_KEY_MGMT_PSK_SHA384 | | ||
| WPA_KEY_MGMT_FT_PSK_SHA384)); |
| if (akm & WPA_KEY_MGMT_FT_PSK_SHA384) | ||
| return RSN_AUTH_KEY_MGMT_FT_PSK_SHA384; | ||
| if (akm & WPA_KEY_MGMT_FT_PSK) |
| #define WPA_KEY_MGMT_IEEE8021X_SHA384 BIT(28) | ||
| #define WPA_KEY_MGMT_FT_PSK_SHA384 BIT(29) | ||
| #define WPA_KEY_MGMT_PSK_SHA384 BIT(30) | ||
|
|
||
|
|
||
| #define WPA_KEY_MGMT_FT (WPA_KEY_MGMT_FT_PSK | \ | ||
| WPA_KEY_MGMT_FT_IEEE8021X | \ | ||
| WPA_KEY_MGMT_FT_IEEE8021X_SHA384 | \ | ||
| WPA_KEY_MGMT_FT_PSK_SHA384 | \ | ||
| WPA_KEY_MGMT_FT_SAE | \ |
|
Can you clarify the use case before this goes further? A couple of concerns: 1. Justification / 2. The patch is functionally incomplete — it will not actually work. It wires up AKM negotiation (config parse/write, RSN AKM ↔ bit mapping, RSN IE emission) but not the cryptography. Specifically:
Since Zephyr uses the software crypto path (MbedTLS, no offload), this code is actually exercised — a 4-way handshake with these AKMs would derive keys with SHA-1 and wrong lengths and fail MIC verification. So even for its stated purpose the patch is non-functional as written. Given both points, I'd hold this until (a) the use case is documented in the commit message, and (b) if it's genuinely needed, the crypto side is completed to match. Happy to help scope (b) if the use case checks out. |
|
This non-zephyr specific change which touches the supplicant core code, it should be push to supplicant upstream first |
Introduce WPA_KEY_MGMT_PSK_SHA384 and WPA_KEY_MGMT_FT_PSK_SHA384 and wire them through config parsing, RSN AKM mapping, and RSN IE generation for SHA-384 based PSK and fast-transition PSK suites.
Assisted-by: Claude:Auto