[v2,17/18] ap: generate IGTK on startup if MFP is enabled

Message ID	20240506003518.320176-18-brandtwjohn@gmail.com (mailing list archive)
State	New
Headers	show Received: from mail-oi1-f175.google.com (mail-oi1-f175.google.com [209.85.167.175]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B3C9AB673 for <iwd@lists.linux.dev>; Mon, 6 May 2024 00:51:02 +0000 (UTC) From: John Brandt <brandtwjohn@gmail.com> To: iwd@lists.linux.dev Cc: John Brandt <brandtwjohn@gmail.com> Subject: [PATCH v2 17/18] ap: generate IGTK on startup if MFP is enabled Date: Sun, 5 May 2024 17:30:40 -0700 Message-ID: <20240506003518.320176-18-brandtwjohn@gmail.com> In-Reply-To: <20240506003518.320176-1-brandtwjohn@gmail.com> References: <20240506003518.320176-1-brandtwjohn@gmail.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	Basic WPA3 support in AP mode \| expand [v2,00/18] Basic WPA3 support in AP mode [v2,01/18] ap: ability to advertise PSK and SAE [v2,02/18] ap: accept PSK/SAE in auth depending on config [v2,03/18] unit: fix SAE unit tests [v2,04/18] sae: add function sae_set_group [v2,05/18] sae: refactor and add function sae_calculate_keys [v2,06/18] sae: make sae_process_commit callable in AP mode [v2,07/18] sae: verify offered group in AP mode [v2,08/18] sae: support reception of Confirm frame by AP [v2,09/18] ap: add support to handle SAE authentication [v2,10/18] ap: enable start of 4-way HS after SAE [v2,11/18] eapol: support PTK derivation with SHA256 [v2,12/18] eapol: encrypt key data for AKM-defined ciphers [v2,13/18] unit: add unit test for SAE AP mode [v2,14/18] ap: move toward requiring MFP when using SAE [v2,15/18] handshake: add functions to save and set IGTK [v2,16/18] eapol: include IGTK in 4-way handshake as AP [v2,17/18] ap: generate IGTK on startup if MFP is enabled [v2,18/18] ap: propogate IGTK and RSC to handshake

Message ID

20240506003518.320176-18-brandtwjohn@gmail.com (mailing list archive)

State

New

Headers

From: John Brandt <brandtwjohn@gmail.com>
To: iwd@lists.linux.dev
Cc: John Brandt <brandtwjohn@gmail.com>
Subject: [PATCH v2 17/18] ap: generate IGTK on startup if MFP is enabled
Date: Sun,  5 May 2024 17:30:40 -0700
Message-ID: <20240506003518.320176-18-brandtwjohn@gmail.com>
In-Reply-To: <20240506003518.320176-1-brandtwjohn@gmail.com>
References: <20240506003518.320176-1-brandtwjohn@gmail.com>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

Basic WPA3 support in AP mode | expand

Context	Check	Description
tedd_an/pre-ci_am	success	Success
prestwoj/iwd-ci-gitlint	success	GitLint

Context

Check

Description

tedd_an/pre-ci_am

success

Success

prestwoj/iwd-ci-gitlint

success

GitLint

Commit Message

John Brandt May 6, 2024, 12:30 a.m. UTC

When using MFP, generate the IGTK group key on startup, and install it
for use. When installing the IGTK, which has either key index 4 or 5,
use the appropriate NL80211 flags so it is installed properly.
---
 src/ap.c          | 61 +++++++++++++++++++++++++++++++++++++++++++----
 src/nl80211util.c |  7 +++++-
 2 files changed, 63 insertions(+), 5 deletions(-)

diff --git a/src/ap.c b/src/ap.c
index 8cebef42..f598c173 100644
--- a/src/ap.c
+++ b/src/ap.c
@@ -90,6 +90,8 @@  struct ap_state {
 	uint32_t mlme_watch;
 	uint8_t gtk[CRYPTO_MAX_GTK_LEN];
 	uint8_t gtk_index;
+	uint8_t igtk[CRYPTO_MAX_GTK_LEN];
+	uint8_t igtk_index;
 	struct l_queue *wsc_pbc_probes;
 	struct l_timeout *wsc_pbc_timeout;
 	uint16_t wsc_dpid;
@@ -116,6 +118,7 @@  struct ap_state {
 
 	bool started : 1;
 	bool gtk_set : 1;
+	bool igtk_set : 1;
 	bool netconfig_set_addr4 : 1;
 	bool in_event : 1;
 	bool free_pending : 1;
@@ -1656,7 +1659,7 @@  static void ap_start_eap_wsc(struct sta_state *sta)
 	ap_start_handshake(sta, wait_for_eapol_start, NULL);
 }
 
-static struct l_genl_msg *ap_build_cmd_del_key(struct ap_state *ap)
+static struct l_genl_msg *ap_build_cmd_del_key(struct ap_state *ap, uint8_t index)
 {
 	uint32_t ifindex = netdev_get_ifindex(ap->netdev);
 	struct l_genl_msg *msg;
@@ -1665,7 +1668,7 @@  static struct l_genl_msg *ap_build_cmd_del_key(struct ap_state *ap)
 
 	l_genl_msg_append_attr(msg, NL80211_ATTR_IFINDEX, 4, &ifindex);
 	l_genl_msg_enter_nested(msg, NL80211_ATTR_KEY);
-	l_genl_msg_append_attr(msg, NL80211_KEY_IDX, 1, &ap->gtk_index);
+	l_genl_msg_append_attr(msg, NL80211_KEY_IDX, 1, &index);
 	l_genl_msg_leave_nested(msg);
 
 	return msg;
@@ -1709,7 +1712,7 @@  static void ap_gtk_op_cb(struct l_genl_msg *msg, void *user_data)
 			cmd == NL80211_CMD_SET_KEY ? "SET_KEY" :
 			"DEL_KEY";
 
-		l_error("%s failed for the GTK: %i",
+		l_error("%s failed for the (I)GTK: %i",
 			cmd_name, l_genl_msg_get_error(msg));
 	}
 }
@@ -1797,6 +1800,39 @@  static void ap_associate_sta_cb(struct l_genl_msg *msg, void *user_data)
 		ap->gtk_set = true;
 	}
 
+	if (ap->mfpc && !ap->igtk_set) {
+		enum crypto_cipher group_management_cipher =
+			ie_rsn_cipher_suite_to_cipher(ap->group_management_cipher);
+		int igtk_len = crypto_cipher_key_len(group_management_cipher);
+
+		l_getrandom(ap->igtk, igtk_len);
+		ap->igtk_index = 4;
+
+		msg = nl80211_build_new_key_group(
+						netdev_get_ifindex(ap->netdev),
+						group_management_cipher, ap->igtk_index,
+						ap->igtk, igtk_len, NULL,
+						0, NULL);
+
+		if (!l_genl_family_send(ap->nl80211, msg, ap_gtk_op_cb, NULL,
+					NULL)) {
+			l_genl_msg_unref(msg);
+			l_error("Issuing NEW_KEY failed");
+			goto error;
+		}
+
+		msg = nl80211_build_set_key(netdev_get_ifindex(ap->netdev),
+						ap->igtk_index);
+		if (!l_genl_family_send(ap->nl80211, msg, ap_gtk_op_cb, NULL,
+					NULL)) {
+			l_genl_msg_unref(msg);
+			l_error("Issuing SET_KEY failed");
+			goto error;
+		}
+
+		ap->igtk_set = true;
+	}
+
 	if (ap->group_cipher == IE_RSN_CIPHER_SUITE_NO_GROUP_TRAFFIC)
 		ap_start_rsna(sta, NULL);
 	else {
@@ -4137,10 +4173,27 @@  void ap_shutdown(struct ap_state *ap, ap_stopped_func_t stopped_func,
 
 	ap_reset(ap);
 
+	if (ap->igtk_set) {
+		ap->igtk_set = false;
+
+		cmd = ap_build_cmd_del_key(ap, ap->igtk_index);
+		if (!cmd) {
+			l_error("ap_build_cmd_del_key failed");
+			goto free_ap;
+		}
+
+		if (!l_genl_family_send(ap->nl80211, cmd, ap_gtk_op_cb, NULL,
+					NULL)) {
+			l_genl_msg_unref(cmd);
+			l_error("Issuing DEL_KEY failed");
+			goto free_ap;
+		}
+	}
+
 	if (ap->gtk_set) {
 		ap->gtk_set = false;
 
-		cmd = ap_build_cmd_del_key(ap);
+		cmd = ap_build_cmd_del_key(ap, ap->gtk_index);
 		if (!cmd) {
 			l_error("ap_build_cmd_del_key failed");
 			goto free_ap;
diff --git a/src/nl80211util.c b/src/nl80211util.c
index 3f9a43ac..289a73f6 100644
--- a/src/nl80211util.c
+++ b/src/nl80211util.c
@@ -486,14 +486,19 @@  struct l_genl_msg *nl80211_build_set_station_unauthorized(uint32_t ifindex,
 struct l_genl_msg *nl80211_build_set_key(uint32_t ifindex, uint8_t key_index)
 {
 	struct l_genl_msg *msg;
+	int key_type;
 
 	msg = l_genl_msg_new_sized(NL80211_CMD_SET_KEY, 128);
 
 	l_genl_msg_append_attr(msg, NL80211_ATTR_IFINDEX, 4, &ifindex);
 
+	key_type = NL80211_KEY_DEFAULT;
+	if (key_index == 4 || key_index == 5)
+		key_type = NL80211_KEY_DEFAULT_MGMT;
+
 	l_genl_msg_enter_nested(msg, NL80211_ATTR_KEY);
 	l_genl_msg_append_attr(msg, NL80211_KEY_IDX, 1, &key_index);
-	l_genl_msg_append_attr(msg, NL80211_KEY_DEFAULT, 0, NULL);
+	l_genl_msg_append_attr(msg, key_type, 0, NULL);
 	l_genl_msg_enter_nested(msg, NL80211_KEY_DEFAULT_TYPES);
 	l_genl_msg_append_attr(msg, NL80211_KEY_DEFAULT_TYPE_MULTICAST,
 				0, NULL);

[v2,17/18] ap: generate IGTK on startup if MFP is enabled

Checks

Commit Message

Patch