
[v2,14/18] ap: move toward requiring MFP when using SAE

Message ID 20240506003518.320176-15-brandtwjohn@gmail.com (mailing list archive)
Series Basic WPA3 support in AP mode | expand


Commit Message

John Brandt May 6, 2024, 12:30 a.m. UTC
When wanting to use SAE, confirm that MFP is also supported, and
automatically enable MFP. Advertise as MFP capable in the beacon.
---
 src/ap.c    | 13 +++++++++++--
 src/wiphy.c |  2 +-
 src/wiphy.h |  2 ++
 3 files changed, 14 insertions(+), 3 deletions(-)

Comments

Denis Kenzior May 7, 2024, 4:12 p.m. UTC | #1
Hi John,

On 5/5/24 7:30 PM, John Brandt wrote:
> When wanting to use SAE, confirm that MFP is also supported, and
> automatically enable MFP. Advertise as MFP capable in the beacon.
> ---
>   src/ap.c    | 13 +++++++++++--
>   src/wiphy.c |  2 +-
>   src/wiphy.h |  2 ++
>   3 files changed, 14 insertions(+), 3 deletions(-)
> 
> diff --git a/src/ap.c b/src/ap.c
> index ae406e16..8cebef42 100644
> --- a/src/ap.c
> +++ b/src/ap.c
> @@ -82,6 +82,7 @@ struct ap_state {
>   
>   	unsigned int ciphers;
>   	enum ie_rsn_cipher_suite group_cipher;
> +	enum ie_rsn_cipher_suite group_management_cipher;
>   	unsigned int akm_suites;
>   	uint32_t beacon_interval;
>   	struct l_uintset *rates;
> @@ -93,6 +94,7 @@ struct ap_state {
>   	struct l_timeout *wsc_pbc_timeout;
>   	uint16_t wsc_dpid;
>   	uint8_t wsc_uuid_r[16];
> +	bool mfpc;
>   
>   	uint16_t last_aid;
>   	struct l_queue *sta_states;
> @@ -639,6 +641,9 @@ static void ap_set_rsn_info(struct ap_state *ap, struct ie_rsn_info *rsn)
>   	rsn->akm_suites = ap->akm_suites;
>   	rsn->pairwise_ciphers = ap->ciphers;
>   	rsn->group_cipher = ap->group_cipher;
> +
> +	rsn->group_management_cipher = ap->group_management_cipher;
> +	rsn->mfpc = ap->mfpc;
>   }
>   
>   static void ap_wsc_exit_pbc(struct ap_state *ap)
> @@ -3916,9 +3921,13 @@ static int ap_load_config(struct ap_state *ap, const struct l_settings *config,
>   	for (i = 0; akms_str && akms_str[i]; i++) {
>   		if (!strcmp(akms_str[i], "PSK"))
>   			ap->akm_suites |= IE_RSN_AKM_SUITE_PSK;
> -		else if (!strcmp(akms_str[i], "SAE"))
> +		else if (!strcmp(akms_str[i], "SAE")) {
> +			if (!wiphy_can_connect_sae(wiphy))

wiphy_can_connect_sae checks NL80211_FEATURE_SAE and 
NL80211_EXT_FEATURE_SAE_OFFLOAD bit, which is for clients only.  The AP 
equivalent is NL80211_EXT_FEATURE_SAE_OFFLOAD_AP.  Refer to linux/nl80211.h for 
more details.  You're probably better off using wiphy_get_supported_ciphers instead.

> +				return -ENOTSUP;
>   			ap->akm_suites |= IE_RSN_AKM_SUITE_SAE_SHA256;
> -		else {
> +			ap->group_management_cipher = IE_RSN_CIPHER_SUITE_BIP_CMAC;
> +			ap->mfpc = true;
> +		} else {
>   			l_warn("Unsupported or unknown AKM suite %s",
>   					akms_str[i]);
>   			return -ENOTSUP;

Regards,
-Denis


diff --git a/src/ap.c b/src/ap.c
index ae406e16..8cebef42 100644
--- a/src/ap.c
+++ b/src/ap.c
@@ -82,6 +82,7 @@  struct ap_state {
 
 	unsigned int ciphers;
 	enum ie_rsn_cipher_suite group_cipher;
+	enum ie_rsn_cipher_suite group_management_cipher;
 	unsigned int akm_suites;
 	uint32_t beacon_interval;
 	struct l_uintset *rates;
@@ -93,6 +94,7 @@  struct ap_state {
 	struct l_timeout *wsc_pbc_timeout;
 	uint16_t wsc_dpid;
 	uint8_t wsc_uuid_r[16];
+	bool mfpc;
 
 	uint16_t last_aid;
 	struct l_queue *sta_states;
@@ -639,6 +641,9 @@  static void ap_set_rsn_info(struct ap_state *ap, struct ie_rsn_info *rsn)
 	rsn->akm_suites = ap->akm_suites;
 	rsn->pairwise_ciphers = ap->ciphers;
 	rsn->group_cipher = ap->group_cipher;
+
+	rsn->group_management_cipher = ap->group_management_cipher;
+	rsn->mfpc = ap->mfpc;
 }
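Review bot: The two new assignments copy group_management_cipher and mfpc into the RSN info but never touch rsn->mfpr, so the beacon ends up advertising MFP as capable rather than required, and nothing in this function says whether that is intended. Since ap_load_config sets mfpc only when SAE is listed and PSK may be listed alongside it, leaving MFPR clear is presumably what lets non-SAE stations in a mixed PSK+SAE configuration associate, but the value rsn->mfpr carries here depends on how the caller initialises rsn, which is outside the hunk. A comment above the new lines would record the intent: `/* MFP is advertised as capable (MFPC) but not required (MFPR); a PSK+SAE mixed configuration still has to admit non-MFP stations */`.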
 
 static void ap_wsc_exit_pbc(struct ap_state *ap)
@@ -3916,9 +3921,13 @@  static int ap_load_config(struct ap_state *ap, const struct l_settings *config,
 	for (i = 0; akms_str && akms_str[i]; i++) {
 		if (!strcmp(akms_str[i], "PSK"))
 			ap->akm_suites |= IE_RSN_AKM_SUITE_PSK;
-		else if (!strcmp(akms_str[i], "SAE"))
+		else if (!strcmp(akms_str[i], "SAE")) {
+			if (!wiphy_can_connect_sae(wiphy))
+				return -ENOTSUP;
 			ap->akm_suites |= IE_RSN_AKM_SUITE_SAE_SHA256;
-		else {
+			ap->group_management_cipher = IE_RSN_CIPHER_SUITE_BIP_CMAC;
+			ap->mfpc = true;
+		} else {
 			l_warn("Unsupported or unknown AKM suite %s",
 					akms_str[i]);
 			return -ENOTSUP;
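Review bot: The new `return -ENOTSUP` after the wiphy_can_connect_sae() check exits silently, whereas the sibling unknown-AKM branch directly below logs with l_warn before returning the same error; an operator who lists SAE in the config gets a failed AP start with no log line pointing at the cause. Add `l_warn("SAE requested but not supported by this wiphy");` before the return so the two failure paths are diagnosed alike. ap_load_config continues past the end of the hunk; if akms_str is heap-allocated and released after the loop (not visible here), this early return would also need to follow the same cleanup path as the existing one.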
diff --git a/src/wiphy.c b/src/wiphy.c
index fb36ebb2..fb30e7a6 100644
--- a/src/wiphy.c
+++ b/src/wiphy.c
@@ -195,7 +195,7 @@  uint16_t wiphy_get_supported_ciphers(struct wiphy *wiphy, uint16_t mask)
 	return wiphy->supported_ciphers & mask;
 }
 
-static bool wiphy_can_connect_sae(struct wiphy *wiphy)
+bool wiphy_can_connect_sae(struct wiphy *wiphy)
 {
 	/*
 	 * WPA3 Specification version 3, Section 2.2:
diff --git a/src/wiphy.h b/src/wiphy.h
index bc82a007..9472b253 100644
--- a/src/wiphy.h
+++ b/src/wiphy.h
@@ -72,6 +72,8 @@  enum ie_rsn_cipher_suite wiphy_select_cipher(struct wiphy *wiphy,
 							uint16_t mask);
 uint16_t wiphy_get_supported_ciphers(struct wiphy *wiphy, uint16_t mask);
 
+bool wiphy_can_connect_sae(struct wiphy *wiphy);
+
 enum ie_rsn_akm_suite wiphy_select_akm(struct wiphy *wiphy,
 					const struct scan_bss *bss,
 					enum security security,