[05/11] sae: make sae_process_commit callable in AP mode

Message ID	20240421125050.6649-6-brandtwjohn@gmail.com (mailing list archive)
State	New
Headers	show Received: from mail-pf1-f173.google.com (mail-pf1-f173.google.com [209.85.210.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id BF50112E5D for <iwd@lists.linux.dev>; Sun, 21 Apr 2024 12:53:38 +0000 (UTC) From: John Brandt <brandtwjohn@gmail.com> To: iwd@lists.linux.dev Cc: John Brandt <brandtwjohn@gmail.com> Subject: [PATCH 05/11] sae: make sae_process_commit callable in AP mode Date: Sun, 21 Apr 2024 05:50:35 -0700 Message-ID: <20240421125050.6649-6-brandtwjohn@gmail.com> In-Reply-To: <20240421125050.6649-1-brandtwjohn@gmail.com> References: <20240421125050.6649-1-brandtwjohn@gmail.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	Basic SAE support for AP mode \| expand [00/11] Basic SAE support for AP mode [01/11] ap: ability to advertise PSK and SAE [02/11] ap: accept PSK/SAE in auth depending on config [03/11] sae: add function sae_set_group [04/11] sae: refactor and add function sae_calculate_keys [05/11] sae: make sae_process_commit callable in AP mode [06/11] sae: verify offered group in AP mode [07/11] sae: support reception of Confirm frame by AP [08/11] ap: add support to handle SAE authentication [09/11] ap: enable start of 4-way HS after SAE [10/11] eapol: support PTK derivation with SHA256 [11/11] eapol: encrypt key data for AKM-defined ciphers

Message ID

20240421125050.6649-6-brandtwjohn@gmail.com (mailing list archive)

State

New

Headers

From: John Brandt <brandtwjohn@gmail.com>
To: iwd@lists.linux.dev
Cc: John Brandt <brandtwjohn@gmail.com>
Subject: [PATCH 05/11] sae: make sae_process_commit callable in AP mode
Date: Sun, 21 Apr 2024 05:50:35 -0700
Message-ID: <20240421125050.6649-6-brandtwjohn@gmail.com>
In-Reply-To: <20240421125050.6649-1-brandtwjohn@gmail.com>
References: <20240421125050.6649-1-brandtwjohn@gmail.com>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

Basic SAE support for AP mode | expand

Context	Check	Description
tedd_an/pre-ci_am	success	Success
prestwoj/iwd-ci-gitlint	success	GitLint

Context

Check

Description

tedd_an/pre-ci_am

success

Success

prestwoj/iwd-ci-gitlint

success

GitLint

Commit Message

John Brandt April 21, 2024, 12:50 p.m. UTC

As an AP, the function sae_process_commit will pick the group offered by
the client. In a subsuquent commit the offered group will first be
verified before calling sae_process_commit. The AP will reply with a
Commit frame, calculate current keys, and move to the COMMITTED state.
---
 src/sae.c | 32 ++++++++++++++++++++------------
 1 file changed, 20 insertions(+), 12 deletions(-)

Comments

James Prestwood April 24, 2024, 12:08 p.m. UTC | #1

Hi John

On 4/21/24 5:50 AM, John Brandt wrote:
> As an AP, the function sae_process_commit will pick the group offered by
> the client. In a subsuquent commit the offered group will first be
> verified before calling sae_process_commit. The AP will reply with a
> Commit frame, calculate current keys, and move to the COMMITTED state.
> ---
>   src/sae.c | 32 ++++++++++++++++++++------------
>   1 file changed, 20 insertions(+), 12 deletions(-)
>
> diff --git a/src/sae.c b/src/sae.c
> index 314fc28f..2c97d94c 100644
> --- a/src/sae.c
> +++ b/src/sae.c
> @@ -48,6 +48,8 @@ static bool debug;
>   #define SAE_SYNC_MAX		3
>   #define SAE_MAX_ASSOC_RETRY	3
>   
> +static bool sae_send_commit(struct sae_sm *sm, bool retry);
> +
>   #define sae_debug(fmat, ...) \
>   ({	\
>   	if (debug) \
> @@ -797,8 +799,12 @@ static int sae_process_commit(struct sae_sm *sm, const uint8_t *from,
>   					const uint8_t *frame, size_t len)
>   {
>   	uint8_t *ptr = (uint8_t *) frame;
> -	unsigned int nbytes = l_ecc_curve_get_scalar_bytes(sm->curve);
> +	unsigned int nbytes;
> +
> +	if (sm->handshake->authenticator && sae_set_group(sm, l_get_le16(frame)) < 0)
> +		return -1;
>   
> +	nbytes = l_ecc_curve_get_scalar_bytes(sm->curve);
>   	ptr += 2;
>   
>   	sm->p_scalar = l_ecc_scalar_new(sm->curve, ptr, nbytes);
> @@ -824,20 +830,22 @@ static int sae_process_commit(struct sae_sm *sm, const uint8_t *from,
>   	 * it is evidence of a reflection attack) and the t0 (retransmission)
>   	 * timer shall be set.
>   	 */
> -	if (l_ecc_scalars_are_equal(sm->p_scalar, sm->scalar) ||
> -			l_ecc_points_are_equal(sm->p_element, sm->element)) {
> -		l_warn("peer scalar or element matched own, discarding frame");
> +	if ((sm->scalar && l_ecc_scalars_are_equal(sm->p_scalar, sm->scalar)) ||
> +			(sm->element && l_ecc_points_are_equal(sm->p_element, sm->element)))
So we isolated this check to only the supplicant side now, but do we 
also need to do the same check after the keys are calculated for AP mode?
>   		return -ENOMSG;
> -	}
>   
>   	sm->sc++;
>   
> -	sae_calculate_keys(sm);
> -
> -	if (!sae_send_confirm(sm))
> -		return -EPROTO;
> -
> -	sm->state = SAE_STATE_CONFIRMED;
> +	if (sm->handshake->authenticator) {
> +		sae_send_commit(sm, false);
> +		sae_calculate_keys(sm);
> +		sm->state = SAE_STATE_COMMITTED;
> +	} else {
> +		sae_calculate_keys(sm);
> +		if (!sae_send_confirm(sm))
> +			return -EPROTO;
> +		sm->state = SAE_STATE_CONFIRMED;
> +	}
>   
>   	return 0;
>   }
> @@ -1008,7 +1016,7 @@ static int sae_verify_nothing(struct sae_sm *sm, uint16_t transaction,
>   	/*
>   	 * TODO: This does not handle the transition from NOTHING -> CONFIRMED
>   	 * as this is only relevant to the AP or in Mesh mode which is not
> -	 * yet supported.
> +	 * yet fully supported.
>   	 */
>   	if (transaction != SAE_STATE_COMMITTED)
>   		return -EBADMSG;

diff --git a/src/sae.c b/src/sae.c
index 314fc28f..2c97d94c 100644
--- a/src/sae.c
+++ b/src/sae.c
@@ -48,6 +48,8 @@  static bool debug;
 #define SAE_SYNC_MAX		3
 #define SAE_MAX_ASSOC_RETRY	3
 
+static bool sae_send_commit(struct sae_sm *sm, bool retry);
+
 #define sae_debug(fmat, ...) \
 ({	\
 	if (debug) \
@@ -797,8 +799,12 @@  static int sae_process_commit(struct sae_sm *sm, const uint8_t *from,
 					const uint8_t *frame, size_t len)
 {
 	uint8_t *ptr = (uint8_t *) frame;
-	unsigned int nbytes = l_ecc_curve_get_scalar_bytes(sm->curve);
+	unsigned int nbytes;
+
+	if (sm->handshake->authenticator && sae_set_group(sm, l_get_le16(frame)) < 0)
+		return -1;
 
+	nbytes = l_ecc_curve_get_scalar_bytes(sm->curve);
 	ptr += 2;
 
 	sm->p_scalar = l_ecc_scalar_new(sm->curve, ptr, nbytes);
@@ -824,20 +830,22 @@  static int sae_process_commit(struct sae_sm *sm, const uint8_t *from,
 	 * it is evidence of a reflection attack) and the t0 (retransmission)
 	 * timer shall be set.
 	 */
-	if (l_ecc_scalars_are_equal(sm->p_scalar, sm->scalar) ||
-			l_ecc_points_are_equal(sm->p_element, sm->element)) {
-		l_warn("peer scalar or element matched own, discarding frame");
+	if ((sm->scalar && l_ecc_scalars_are_equal(sm->p_scalar, sm->scalar)) ||
+			(sm->element && l_ecc_points_are_equal(sm->p_element, sm->element)))
 		return -ENOMSG;
-	}
 
 	sm->sc++;
 
-	sae_calculate_keys(sm);
-
-	if (!sae_send_confirm(sm))
-		return -EPROTO;
-
-	sm->state = SAE_STATE_CONFIRMED;
+	if (sm->handshake->authenticator) {
+		sae_send_commit(sm, false);
+		sae_calculate_keys(sm);
+		sm->state = SAE_STATE_COMMITTED;
+	} else {
+		sae_calculate_keys(sm);
+		if (!sae_send_confirm(sm))
+			return -EPROTO;
+		sm->state = SAE_STATE_CONFIRMED;
+	}
 
 	return 0;
 }
@@ -1008,7 +1016,7 @@  static int sae_verify_nothing(struct sae_sm *sm, uint16_t transaction,
 	/*
 	 * TODO: This does not handle the transition from NOTHING -> CONFIRMED
 	 * as this is only relevant to the AP or in Mesh mode which is not
-	 * yet supported.
+	 * yet fully supported.
 	 */
 	if (transaction != SAE_STATE_COMMITTED)
 		return -EBADMSG;

[05/11] sae: make sae_process_commit callable in AP mode

Checks

Commit Message

Comments

Patch