[02/11] ap: accept PSK/SAE in auth depending on config

Message ID	20240421125050.6649-3-brandtwjohn@gmail.com (mailing list archive)
State	New
Headers	show Received: from mail-pf1-f179.google.com (mail-pf1-f179.google.com [209.85.210.179]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 40942C8DE for <iwd@lists.linux.dev>; Sun, 21 Apr 2024 12:52:32 +0000 (UTC) From: John Brandt <brandtwjohn@gmail.com> To: iwd@lists.linux.dev Cc: John Brandt <brandtwjohn@gmail.com> Subject: [PATCH 02/11] ap: accept PSK/SAE in auth depending on config Date: Sun, 21 Apr 2024 05:50:32 -0700 Message-ID: <20240421125050.6649-3-brandtwjohn@gmail.com> In-Reply-To: <20240421125050.6649-1-brandtwjohn@gmail.com> References: <20240421125050.6649-1-brandtwjohn@gmail.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	Basic SAE support for AP mode \| expand [00/11] Basic SAE support for AP mode [01/11] ap: ability to advertise PSK and SAE [02/11] ap: accept PSK/SAE in auth depending on config [03/11] sae: add function sae_set_group [04/11] sae: refactor and add function sae_calculate_keys [05/11] sae: make sae_process_commit callable in AP mode [06/11] sae: verify offered group in AP mode [07/11] sae: support reception of Confirm frame by AP [08/11] ap: add support to handle SAE authentication [09/11] ap: enable start of 4-way HS after SAE [10/11] eapol: support PTK derivation with SHA256 [11/11] eapol: encrypt key data for AKM-defined ciphers

Message ID

20240421125050.6649-3-brandtwjohn@gmail.com (mailing list archive)

State

New

Headers

From: John Brandt <brandtwjohn@gmail.com>
To: iwd@lists.linux.dev
Cc: John Brandt <brandtwjohn@gmail.com>
Subject: [PATCH 02/11] ap: accept PSK/SAE in auth depending on config
Date: Sun, 21 Apr 2024 05:50:32 -0700
Message-ID: <20240421125050.6649-3-brandtwjohn@gmail.com>
In-Reply-To: <20240421125050.6649-1-brandtwjohn@gmail.com>
References: <20240421125050.6649-1-brandtwjohn@gmail.com>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

Basic SAE support for AP mode | expand

Context	Check	Description
tedd_an/pre-ci_am	success	Success
prestwoj/iwd-ci-gitlint	success	GitLint

Context

Check

Description

tedd_an/pre-ci_am

success

Success

prestwoj/iwd-ci-gitlint

success

GitLint

On reception of an authentication frame, accept both PSK and SAE as AKM depending on the config. Save the client's AKM for later use. --- src/ap.c | 28 +++++++++++++++++++++------- 1 file changed, 21 insertions(+), 7 deletions(-)

Comments

James Prestwood April 24, 2024, 12:05 p.m. UTC | #1

Hi John,

On 4/21/24 5:50 AM, John Brandt wrote:
> On reception of an authentication frame, accept both PSK and SAE as AKM
> depending on the config. Save the client's AKM for later use.
> ---
>   src/ap.c | 28 +++++++++++++++++++++-------
>   1 file changed, 21 insertions(+), 7 deletions(-)
>
> diff --git a/src/ap.c b/src/ap.c
> index d50f9e4f..14268551 100644
> --- a/src/ap.c
> +++ b/src/ap.c
> @@ -132,6 +132,7 @@ struct sta_state {
>   	uint8_t *assoc_ies;
>   	size_t assoc_ies_len;
>   	uint8_t *assoc_rsne;
> +	enum ie_rsn_akm_suite akm_suite;
>   	struct eapol_sm *sm;
>   	struct handshake_state *hs;
>   	uint32_t gtk_query_cmd_id;
> @@ -2606,6 +2607,7 @@ static void ap_auth_cb(const struct mmpdu_header *hdr, const void *body,
>   	const uint8_t *from = hdr->address_2;
>   	const uint8_t *bssid = netdev_get_address(ap->netdev);
>   	struct sta_state *sta;
> +	enum ie_rsn_akm_suite akm_suite;
>   
>   	l_info("AP Authentication from %s", util_address_to_string(from));
>   
> @@ -2627,17 +2629,27 @@ static void ap_auth_cb(const struct mmpdu_header *hdr, const void *body,
>   		}
>   	}
>   
> -	/* Only Open System authentication implemented here */
> -	if (L_LE16_TO_CPU(auth->algorithm) !=
> -			MMPDU_AUTH_ALGO_OPEN_SYSTEM) {
> +	if ((ap->akm_suites & IE_RSN_AKM_SUITE_SAE_SHA256) &&
> +	    (L_LE16_TO_CPU(auth->algorithm) == MMPDU_AUTH_ALGO_SAE) ) {
> +		/* When using SAE it must be COMMIT or CONFIRM frame */
> +		if (L_LE16_TO_CPU(auth->transaction_sequence) > 2) {
Probably want to explicitly check for a transaction of 1 or 2. This 
allows zero.
> +			ap_auth_reply(ap, from, MMPDU_REASON_CODE_UNSPECIFIED);
> +			return;
> +		}
> +		akm_suite = IE_RSN_AKM_SUITE_SAE_SHA256;
> +	} else if ((ap->akm_suites & IE_RSN_AKM_SUITE_PSK) &&
> +		   (L_LE16_TO_CPU(auth->algorithm) == MMPDU_AUTH_ALGO_OPEN_SYSTEM) ) {
> +		/* When using PSK it must be Open System authentication */
> +		if (L_LE16_TO_CPU(auth->transaction_sequence) != 1) {
> +			ap_auth_reply(ap, from, MMPDU_REASON_CODE_UNSPECIFIED);
> +			return;
> +		}
> +		akm_suite = IE_RSN_AKM_SUITE_PSK;
> +	} else {
>   		ap_auth_reply(ap, from, MMPDU_REASON_CODE_UNSPECIFIED);
>   		return;
>   	}
>   
> -	if (L_LE16_TO_CPU(auth->transaction_sequence) != 1) {
> -		ap_auth_reply(ap, from, MMPDU_REASON_CODE_UNSPECIFIED);
> -		return;
> -	}
>   
>   	sta = l_queue_find(ap->sta_states, ap_sta_match_addr, from);
>   
> @@ -2666,6 +2678,8 @@ static void ap_auth_cb(const struct mmpdu_header *hdr, const void *body,
>   	if (!ap->sta_states)
>   		ap->sta_states = l_queue_new();
>   
> +	sta->akm_suite = akm_suite;
> +
>   	l_queue_push_tail(ap->sta_states, sta);
>   
>   	/*

diff --git a/src/ap.c b/src/ap.c
index d50f9e4f..14268551 100644
--- a/src/ap.c
+++ b/src/ap.c
@@ -132,6 +132,7 @@  struct sta_state {
 	uint8_t *assoc_ies;
 	size_t assoc_ies_len;
 	uint8_t *assoc_rsne;
+	enum ie_rsn_akm_suite akm_suite;
 	struct eapol_sm *sm;
 	struct handshake_state *hs;
 	uint32_t gtk_query_cmd_id;
@@ -2606,6 +2607,7 @@  static void ap_auth_cb(const struct mmpdu_header *hdr, const void *body,
 	const uint8_t *from = hdr->address_2;
 	const uint8_t *bssid = netdev_get_address(ap->netdev);
 	struct sta_state *sta;
+	enum ie_rsn_akm_suite akm_suite;
 
 	l_info("AP Authentication from %s", util_address_to_string(from));
 
@@ -2627,17 +2629,27 @@  static void ap_auth_cb(const struct mmpdu_header *hdr, const void *body,
 		}
 	}
 
-	/* Only Open System authentication implemented here */
-	if (L_LE16_TO_CPU(auth->algorithm) !=
-			MMPDU_AUTH_ALGO_OPEN_SYSTEM) {
+	if ((ap->akm_suites & IE_RSN_AKM_SUITE_SAE_SHA256) &&
+	    (L_LE16_TO_CPU(auth->algorithm) == MMPDU_AUTH_ALGO_SAE) ) {
+		/* When using SAE it must be COMMIT or CONFIRM frame */
+		if (L_LE16_TO_CPU(auth->transaction_sequence) > 2) {
+			ap_auth_reply(ap, from, MMPDU_REASON_CODE_UNSPECIFIED);
+			return;
+		}
+		akm_suite = IE_RSN_AKM_SUITE_SAE_SHA256;
+	} else if ((ap->akm_suites & IE_RSN_AKM_SUITE_PSK) &&
+		   (L_LE16_TO_CPU(auth->algorithm) == MMPDU_AUTH_ALGO_OPEN_SYSTEM) ) {
+		/* When using PSK it must be Open System authentication */
+		if (L_LE16_TO_CPU(auth->transaction_sequence) != 1) {
+			ap_auth_reply(ap, from, MMPDU_REASON_CODE_UNSPECIFIED);
+			return;
+		}
+		akm_suite = IE_RSN_AKM_SUITE_PSK;
+	} else {
 		ap_auth_reply(ap, from, MMPDU_REASON_CODE_UNSPECIFIED);
 		return;
 	}
 
-	if (L_LE16_TO_CPU(auth->transaction_sequence) != 1) {
-		ap_auth_reply(ap, from, MMPDU_REASON_CODE_UNSPECIFIED);
-		return;
-	}
 
 	sta = l_queue_find(ap->sta_states, ap_sta_match_addr, from);
 
@@ -2666,6 +2678,8 @@  static void ap_auth_cb(const struct mmpdu_header *hdr, const void *body,
 	if (!ap->sta_states)
 		ap->sta_states = l_queue_new();
 
+	sta->akm_suite = akm_suite;
+
 	l_queue_push_tail(ap->sta_states, sta);
 
 	/*

[02/11] ap: accept PSK/SAE in auth depending on config

Checks

Commit Message

Comments

Patch