[v2,4/9] ft: add FTE/RSNE building to ft_prepare_handshake

Message ID	20231206150708.2080336-5-prestwoj@gmail.com (mailing list archive)
State	New
Headers	show Received: from mail-qk1-f178.google.com (mail-qk1-f178.google.com [209.85.222.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D436F3F8FE for <iwd@lists.linux.dev>; Wed, 6 Dec 2023 15:07:19 +0000 (UTC) From: James Prestwood <prestwoj@gmail.com> To: iwd@lists.linux.dev Cc: James Prestwood <prestwoj@gmail.com> Subject: [PATCH v2 4/9] ft: add FTE/RSNE building to ft_prepare_handshake Date: Wed, 6 Dec 2023 07:07:03 -0800 Message-Id: <20231206150708.2080336-5-prestwoj@gmail.com> In-Reply-To: <20231206150708.2080336-1-prestwoj@gmail.com> References: <20231206150708.2080336-1-prestwoj@gmail.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	Reassoc/FT roaming unification \| expand [v2,0/9] Reassoc/FT roaming unification [v2,1/9] auto-t: add explicit stop() to IWD class [v2,2/9] auto-t: add association timeout test [v2,3/9] auto-t: only call set_value for changed values in default() [v2,4/9] ft: add FTE/RSNE building to ft_prepare_handshake [v2,5/9] ft: add ft_handshake_setup [v2,6/9] netdev: add netdev_ft_reassociate [v2,7/9] station: use netdev_ft_reassociate [v2,8/9] ft: remove ft_associate and helpers [v2,9/9] netdev: station: remove NETDEV_EVENT_FT_ROAMED

Context	Check	Description
tedd_an/pre-ci_am	success	Success
prestwoj/iwd-ci-gitlint	success	GitLint

James Prestwood Dec. 6, 2023, 3:07 p.m. UTC

In preparation to remove ft_associate build the FTE/RSNE in
ft_prepare_handshake and set into the handshake object directly.
---
 src/ft.c | 84 ++++++++++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 82 insertions(+), 2 deletions(-)

Denis Kenzior Dec. 6, 2023, 4:36 p.m. UTC | #1

Hi James,

On 12/6/23 09:07, James Prestwood wrote:
> In preparation to remove ft_associate build the FTE/RSNE in
> ft_prepare_handshake and set into the handshake object directly.
> ---
>   src/ft.c | 84 ++++++++++++++++++++++++++++++++++++++++++++++++++++++--
>   1 file changed, 82 insertions(+), 2 deletions(-)
> 

<snip>

> @@ -931,6 +937,80 @@ static void ft_prepare_handshake(struct ft_info *info,
>   						info->ft_info.r1khid);
>   
>   	handshake_state_derive_ptk(hs);
> +
> +	/*
> +	 * Rebuild the RSNE to include the PMKR1Name and append
> +	 * MDE + FTE.
> +	 *
> +	 * 12.8.4: "If present, the RSNE shall be set as follows:
> +	 * - Version field shall be set to 1.
> +	 * - PMKID Count field shall be set to 1.
> +	 * - PMKID field shall contain the PMKR1Name.
> +	 * - All other fields shall be as specified in 8.4.2.27
> +	 *   and 11.5.3."
> +	 */
> +	if (ie_parse_rsne_from_data(hs->supplicant_ie,
> +					hs->supplicant_ie[1] + 2,
> +					&rsn_info) < 0)
> +		return false;
> +
> +	rsn_info.num_pmkids = 1;
> +	rsn_info.pmkids = hs->pmk_r1_name;
> +	/* Always set OCVC false for FT for now */
> +	rsn_info.ocvc = false;
> +	rsne = alloca(256);
> +
> +	ie_build_rsne(&rsn_info, rsne);
> +	handshake_state_set_supplicant_ie(hs, rsne);

This is probably safe since we over-write the supplicant ie in 
netdev_connect_event() -> parse_request_ies()

> +
> +	/*
> +	 * 12.8.4: "If present, the FTE shall be set as follows:
> +	 * - ANonce, SNonce, R0KH-ID, and R1KH-ID shall be set to
> +	 *   the values contained in the second message of this
> +	 *   sequence.
> +	 * - The Element Count field of the MIC Control field shall
> +	 *   be set to the number of elements protected in this
> +	 *   frame (variable).
> +	 * [...]
> +	 * - All other fields shall be set to 0."
> +	 */
> +	memset(&ft_info, 0, sizeof(ft_info));
> +	ft_info.mic_element_count = 3;
> +	memcpy(ft_info.r0khid, hs->r0khid, hs->r0khid_len);
> +	ft_info.r0khid_len = hs->r0khid_len;
> +	memcpy(ft_info.r1khid, hs->r1khid, 6);
> +	ft_info.r1khid_present = true;
> +	memcpy(ft_info.anonce, hs->anonce, 32);
> +	memcpy(ft_info.snonce, hs->snonce, 32);
> +
> +	/*
> +	 * IEEE 802.11-2020 Section 13.7.1 FT reassociation in an RSN
> +	 *
> +	 * "If dot11RSNAOperatingChannelValidationActivated is true and
> +	 *  the FTO indicates OCVC capability, the target AP shall
> +	 *  ensure that OCI subelement of the FTE matches by ensuring
> +	 *  that all of the following are true:
> +	 *      - OCI subelement is present
> +	 *      - Channel information in the OCI matches current
> +	 *        operating channel parameters (see 12.2.9)"
> +	 */
> +	if (hs->supplicant_ocvc && hs->chandef) {
> +		oci_from_chandef(hs->chandef, ft_info.oci);
> +		ft_info.oci_present = true;
> +	}
> +
> +	fte = alloca(256);
> +	ie_build_fast_bss_transition(&ft_info, kck_len, fte);
> +
> +	if (!ft_calculate_fte_mic(hs, 5, rsne, fte, NULL, ft_info.mic))
> +		return false;
> +
> +	/* Rebuild the FT IE now with the MIC included */
> +	ie_build_fast_bss_transition(&ft_info, kck_len, fte);
> +
> +	handshake_state_set_fte(hs, fte);

However, this is less clear to me.  Looking at how FILS and FT uses this API, it 
seems that set_fte is meant for the authenticator FTE element?  So I think 
rekeying after FT would be broken by this change.

> +
> +	return true;
>   }
>   
>   static bool ft_send_action(struct wiphy_radio_work_item *work)

Regards,
-Denis

James Prestwood Dec. 6, 2023, 5:08 p.m. UTC | #2

Hi Denis,

On 12/6/23 08:36, Denis Kenzior wrote:
> Hi James,
>
> On 12/6/23 09:07, James Prestwood wrote:
>> In preparation to remove ft_associate build the FTE/RSNE in
>> ft_prepare_handshake and set into the handshake object directly.
>> ---
>>   src/ft.c | 84 ++++++++++++++++++++++++++++++++++++++++++++++++++++++--
>>   1 file changed, 82 insertions(+), 2 deletions(-)
>>
>
> <snip>
>> +    fte = alloca(256);
>> +    ie_build_fast_bss_transition(&ft_info, kck_len, fte);
>> +
>> +    if (!ft_calculate_fte_mic(hs, 5, rsne, fte, NULL, ft_info.mic))
>> +        return false;
>> +
>> +    /* Rebuild the FT IE now with the MIC included */
>> +    ie_build_fast_bss_transition(&ft_info, kck_len, fte);
>> +
>> +    handshake_state_set_fte(hs, fte);
>
> However, this is less clear to me.  Looking at how FILS and FT uses 
> this API, it seems that set_fte is meant for the authenticator FTE 
> element?  So I think rekeying after FT would be broken by this change.

Good question. Rekeys do appear to work as-is but you are right, FILS/FT 
uses set_fte() for the authenticators element, but eapol seems to use 
hs->fte for building message 2/4, as well as checks that the handshakes 
FTE matches what the authenticator sends in 3/4. maybe this is actually 
a bug in eapol? I think the reason everything "works" is because the FTE 
should be the same between both peers.

We may want to refactor and do:

handshake_state_set_authenticator_fte()

handshake_state_set_supplicant_fte()

Thanks,

James

>
>> +
>> +    return true;
>>   }
>>     static bool ft_send_action(struct wiphy_radio_work_item *work)
>
> Regards,
> -Denis

Denis Kenzior Dec. 6, 2023, 5:14 p.m. UTC | #3

Hi James,

>>> +    handshake_state_set_fte(hs, fte);
>>
>> However, this is less clear to me.  Looking at how FILS and FT uses this API, 
>> it seems that set_fte is meant for the authenticator FTE element?  So I think 
>> rekeying after FT would be broken by this change.
> 
> Good question. Rekeys do appear to work as-is but you are right, FILS/FT uses 
> set_fte() for the authenticators element, but eapol seems to use hs->fte for 

I'm pretty sure the intent was for the FTE element to be from the authenticator.

> building message 2/4, as well as checks that the handshakes FTE matches what the 

I'll have to look at how ptk_2_of_4 uses it.  Memory is fuzzy now.  Need to open 
the spec.

> authenticator sends in 3/4. maybe this is actually a bug in eapol? I think the 
> reason everything "works" is because the FTE should be the same between both peers.

Yes, but also we have logic in: netdev_connect_event() that sets the FTE from 
the response IEs.  So that's probably how things end up working in the end.

> 
> We may want to refactor and do:
> 
> handshake_state_set_authenticator_fte()
> 
> handshake_state_set_supplicant_fte()

Yeah, that seems reasonable.

Regards,
-Denis

James Prestwood Dec. 6, 2023, 5:59 p.m. UTC | #4

On 12/6/23 09:14, Denis Kenzior wrote:
> Hi James,
>
>>>> +    handshake_state_set_fte(hs, fte);
>>>
>>> However, this is less clear to me.  Looking at how FILS and FT uses 
>>> this API, it seems that set_fte is meant for the authenticator FTE 
>>> element?  So I think rekeying after FT would be broken by this change.
>>
>> Good question. Rekeys do appear to work as-is but you are right, 
>> FILS/FT uses set_fte() for the authenticators element, but eapol 
>> seems to use hs->fte for 
>
> I'm pretty sure the intent was for the FTE element to be from the 
> authenticator.
>
>> building message 2/4, as well as checks that the handshakes FTE 
>> matches what the 
>
> I'll have to look at how ptk_2_of_4 uses it.  Memory is fuzzy now.  
> Need to open the spec.

All I could find quickly was:

12.7.6.3 4-way handshake message 2

"and that the FTE and MDE are the same as those provided in the AP’s 
(Re)Association Response frame"

So it does appear for EAPoL its the authenticators FTE.

>
>> authenticator sends in 3/4. maybe this is actually a bug in eapol? I 
>> think the reason everything "works" is because the FTE should be the 
>> same between both peers.
>
> Yes, but also we have logic in: netdev_connect_event() that sets the 
> FTE from the response IEs.  So that's probably how things end up 
> working in the end.
>
>>
>> We may want to refactor and do:
>>
>> handshake_state_set_authenticator_fte()
>>
>> handshake_state_set_supplicant_fte()
>
> Yeah, that seems reasonable.
>
> Regards,
> -Denis

[v2,4/9] ft: add FTE/RSNE building to ft_prepare_handshake

Checks

Commit Message

Comments

Patch