WLAN Authentication and Privacy Infrastructure (WAPI) is a Chinese National Standard for Wireless LANs. WAPI became China's mandatory national standard in May 2003 through AQSIQ (General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China). For a few years now it has been impossible to implement WAPI on Linux due to the proprietary nature of the specification and the classification of the SMS4 encryption algorithm. In 2005 the 'National body of China' tried to clarify via the ISO/IEC WAPI N33 document that their WAPI ISO proposal was in compliance with ISO's standardization process; they argued that "WAPI defines the interface of cipher algorithm according to the ISO's common regulation of cipher algorithm". Essentially they argued that their ISO proposal allowed countries to choose the encryption algorithm used: SMS4 was just one optional encryption algorithm, and since it was classified it would be used only in China. Eventually, though, the WAPI ISO proposal was rejected.
In January 2006 the SMS4 encryption algorithm was declassified. In October 2009 the 'National body of China' resubmitted WAPI for ISO standardization. With the declassification of SMS4 and the National body of China's intent to make WAPI an ISO standard, we should be able to implement a full WAPI solution on Linux using public documentation as reference. The new ISO submission was voted on in January 2010 with a majority of votes in favor of the ISO proposal. The major opponents were the US and UK standardization bodies, whose comments were concerned over the unsynchronized effort this would create, given that ISO/IEC 8802-11 tends to be updated based on the work of IEEE's own 802.11 group.
Despite the issues with the standardization bodies, the ISO proposal got a majority favorable vote, which means we likely need to support WAPI upstream somehow. Market-wise there is not much evidence of WAPI being used anywhere except sometimes in China. Even in China WAPI does not seem to be used exclusively. Supporting WAPI will therefore mainly help those users in China who need to connect to WAPI networks, and vendors who need to sell products where WAPI is required.
There are two components to WAPI:
- wpa_supplicant changes - this has yet to be implemented
- mac80211 changes - these are merged already, if you use hardware SMS4 support
Some hardware supports the SMS4 encryption algorithm in hardware; we can start off by supporting those devices first. We still need to scope out the effort required for the supplicant changes.
The WAPI ISO proposal is to provide an alternative security mechanism as an annex to ISO/IEC 8802-11. ISO/IEC 8802-11 is the international standardization of the IEEE 802.11 work, and as such annexing ISO/IEC 8802-11 without first updating the respective IEEE 802.11 standards can create interoperability problems with future 802.11 working group amendments such as IEEE 802.11e/j/k/n/r/w and work-in-progress amendments such as IEEE 802.11p/s/u/v/z/aa/ac/ad.
Due to the possible current and future interoperability and conflict issues between WAPI and IEEE 802.11, if WAPI gets added upstream and into wpa_supplicant it must be a selectable option which can be disabled.
cfg80211 WAPI API
You should be able to use a WAPI supplicant with cfg80211 as of 2.6.3x (fill me in) kernel. This section documents how you can accomplish this.
cfg80211 WAPI STA mode API
All APIs required for WAPI in STA mode are in place in cfg80211/nl80211. Refer to NL80211_ATTR_CONTROL_PORT_ETHERTYPE and NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT. You pass those attributes to the assoc() or connect() command; WAPI then uses WPI-SMS4, which from cfg80211's point of view is just a regular cipher suite. For example, wl12xx has hardware support for it and so advertises it; refer to the cipher_suites in its main.c:
#define WL1271_CIPHER_SUITE_GEM 0x00147201
This is really WPI-SMS4: the cipher suite selector is the OUI followed by a one-byte suite type, and 001472 (base 16) is the OUI registered to the China Broadband Wireless IP Standard Group.
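As an added example (not code from the wireless wiki or the wl12xx driver), the following C splits an nl80211 cipher suite selector into OUI and suite type, checks whether a driver's advertised cipher_suites include WPI-SMS4 (i.e. the device does SMS4 in hardware and can be supported first), and picks the control-port attributes a supplicant would hand to connect(). The ethertype values ETH_P_PAE and ETH_P_WAPI are assumed from linux/if_ether.h, and the two suite lists are constructed sample input.

```c
/* Added example, not from the wireless wiki or the wl12xx driver: decode an
 * nl80211 cipher suite selector (OUI << 8 | suite type), check whether a
 * driver's advertised suites include WPI-SMS4, and pick the control-port
 * attributes a supplicant would hand to NL80211_CMD_CONNECT for WAPI. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define WL1271_CIPHER_SUITE_GEM 0x00147201 /* from wl12xx main.c, as above */
#define WAPI_OUI                0x001472   /* China Broadband Wireless IP Standard Group */
#define WAPI_SUITE_WPI_SMS4     1
#define WLAN_CIPHER_SUITE_CCMP  0x000FAC04 /* IEEE 802.11 RSN, OUI 00-0F-AC, type 4 */
/* Assumed ethertypes, taken from linux/if_ether.h rather than this page. */
#define ETH_P_PAE  0x888E /* EAPOL, the WPA/RSN control port protocol */
#define ETH_P_WAPI 0x88B4 /* WAI, the WAPI authentication protocol */

struct control_port_params {
    uint16_t ethertype;  /* NL80211_ATTR_CONTROL_PORT_ETHERTYPE */
    bool     no_encrypt; /* NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT */
};

uint32_t suite_oui(uint32_t selector)  { return selector >> 8; }
uint8_t  suite_type(uint32_t selector) { return (uint8_t)(selector & 0xff); }

bool is_wpi_sms4(uint32_t selector)
{
    return suite_oui(selector) == WAPI_OUI && suite_type(selector) == WAPI_SUITE_WPI_SMS4;
}

/* True if a wiphy's cipher_suites list carries WPI-SMS4: SMS4 is done in HW. */
bool driver_supports_wapi(const uint32_t *suites, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (is_wpi_sms4(suites[i]))
            return true;
    return false;
}

/* WAI frames use their own ethertype and go out unencrypted, so a WAPI
 * connect sets both attributes; RSN keeps EAPOL on 0x888E and encrypted. */
struct control_port_params control_port_for(bool wapi)
{
    struct control_port_params p = { wapi ? ETH_P_WAPI : ETH_P_PAE, wapi };
    return p;
}

/* Constructed driver suite lists: one modelled on wl12xx, one RSN-only. */
const uint32_t wl12xx_like_suites[] = { WLAN_CIPHER_SUITE_CCMP, WL1271_CIPHER_SUITE_GEM };
const uint32_t rsn_only_suites[]    = { WLAN_CIPHER_SUITE_CCMP };
```

A supplicant would run driver_supports_wapi() over the suites reported by NL80211_CMD_GET_WIPHY before offering a WAPI network on that interface.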
cfg80211 WAPI AP mode API
AP mode probably needs some work to also honor the control-port ethertype and no-encrypt attributes, if you want WAPI there.
When implementing WAPI you'll likely want to read