Mesh: Support BIP-CMAC-256, BIP-GMAC-128, BIP-GMAC-256

Message ID	CACYaJDQW9wTFX8zoKMn-VMVPVomvd5CzDYSXjPTXSjQQt4M-Fw@mail.gmail.com
State	RFC
Headers	show Return-Path: <hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org> MIME-Version: 1.0 From: "Ouden.Biz Lin" <ouden.biz@gmail.com> Date: Tue, 6 Aug 2019 13:33:15 +0800 Message-ID: <CACYaJDQW9wTFX8zoKMn-VMVPVomvd5CzDYSXjPTXSjQQt4M-Fw@mail.gmail.com> Subject: Mesh: Support BIP-CMAC-256, BIP-GMAC-128, BIP-GMAC-256 To: hostap@lists.infradead.org summary: Content analysis details: (-0.2 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [2a00:1450:4864:20:0:0:0:12b listed in] [list.dnswl.org] 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.0 SPF_PASS SPF: sender matches SPF record 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (ouden.biz[at]gmail.com) -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid Precedence: list Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "Hostap" <hostap-bounces@lists.infradead.org> Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org
Series	Mesh: Support BIP-CMAC-256, BIP-GMAC-128, BIP-GMAC-256 \| expand Mesh: Support BIP-CMAC-256, BIP-GMAC-128, BIP-GMAC-256

Message ID

CACYaJDQW9wTFX8zoKMn-VMVPVomvd5CzDYSXjPTXSjQQt4M-Fw@mail.gmail.com

State

RFC

Headers

MIME-Version: 1.0
From: "Ouden.Biz Lin" <ouden.biz@gmail.com>
Date: Tue, 6 Aug 2019 13:33:15 +0800
Message-ID: <CACYaJDQW9wTFX8zoKMn-VMVPVomvd5CzDYSXjPTXSjQQt4M-Fw@mail.gmail.com>
Subject: Mesh: Support BIP-CMAC-256, BIP-GMAC-128, BIP-GMAC-256
To: hostap@lists.infradead.org
Precedence: list
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: "Hostap" <hostap-bounces@lists.infradead.org>
Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org

Series

Mesh: Support BIP-CMAC-256, BIP-GMAC-128, BIP-GMAC-256 | expand

Commit Message

Ouden Lin Aug. 6, 2019, 5:33 a.m. UTC

Dear There,

Mesh was hardcoded to use BIP-CMAC-128 if PMF was enabled.
We hope to extend that to allow the other BIP algorithms to be used.

1) Assign the WPA_CIPHER_BIT_* by the ssid->group_mgmt cipher
2) The maximum size of AMPE IE is 160 bytes, not 96 bytes, plus the
two bytes of the IE header.
   The 64 bytes added are MGTK [variable] and IGTK [variable] at the
256 bits crypto.

Please help to confirm that. Thank you.

  if (type != PLINK_CLOSE && wpa_s->mesh_ht_enabled) {

Comments

Bob Copeland Aug. 7, 2019, 3:26 p.m. UTC | #1

On Tue, Aug 06, 2019 at 01:33:15PM +0800, Ouden.Biz Lin wrote:
> Dear There,

Hi!

> 2) The maximum size of AMPE IE is 160 bytes, not 96 bytes, plus the
> two bytes of the IE header.
>    The 64 bytes added are MGTK [variable] and IGTK [variable] at the
> 256 bits crypto.
> 
> Please help to confirm that. Thank you.

AMPE max size is (discounting first 2 bytes):
  pairwise suite (4) +
  local nonce (32) +
  peer nonce (32) +
  *key replay counter (8) +
  MGTK:
    MGTK (16),
    key rsc (8),
    key expiration (4)
  IGTK:
    key id (2),
    IPN (6),
    IGTK (16)

*only for mesh group key inform frame, we don't use it currently

  = 128

So, yes, the current code using 96 is already wrong, as it doesn't account
for IGTK size: it should be 120 today (because Key Replay Counter is unused).

Using 256-bit keys should add another 32 bytes on top of that so we could use
152 here.  160 is correct if we include Key Replay Counter.

> +#ifdef CONFIG_IEEE80211W
> + if (conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) {
> + if (ssid->group_mgmt_cipher &
> + WPA_CIPHER_BIP_GMAC_256)

The formatting here is rather hard to read, in my opinion.

Question, is there a check somewhere that peers are using the
same cipher suite for management protection?  I looked for
it but didn't see it.  Possibly matches_local() should be
comparing the RSNEs when processing peering open frames?

diff --git a/wpa_supplicant/mesh.c b/wpa_supplicant/mesh.c
index 7354c1b79..7dcd6f96c 100644
--- a/wpa_supplicant/mesh.c
+++ b/wpa_supplicant/mesh.c
@@ -116,8 +116,26 @@  static struct mesh_conf *
mesh_config_create(struct wpa_supplicant *wpa_s,
  }

  conf->group_cipher = cipher;
- if (conf->ieee80211w != NO_MGMT_FRAME_PROTECTION)
- conf->mgmt_group_cipher = WPA_CIPHER_AES_128_CMAC;
+
+#ifdef CONFIG_IEEE80211W
+ if (conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) {
+ if (ssid->group_mgmt_cipher &
+ WPA_CIPHER_BIP_GMAC_256)
+ conf->mgmt_group_cipher =
+ WPA_CIPHER_BIP_GMAC_256;
+ else if (ssid->group_mgmt_cipher &
+ WPA_CIPHER_BIP_CMAC_256)
+ conf->mgmt_group_cipher =
+ WPA_CIPHER_BIP_CMAC_256;
+ else if (ssid->group_mgmt_cipher &
+ WPA_CIPHER_BIP_GMAC_128)
+ conf->mgmt_group_cipher =
+ WPA_CIPHER_BIP_GMAC_128;
+ else
+ conf->mgmt_group_cipher =
+ WPA_CIPHER_AES_128_CMAC;
+ }
+#endif /* CONFIG_IEEE80211W */

  /* defaults */
  conf->mesh_pp_id = MESH_PATH_PROTOCOL_HWMP;
diff --git a/wpa_supplicant/mesh_mpm.c b/wpa_supplicant/mesh_mpm.c
index 4a163b6eb..01b970715 100644
--- a/wpa_supplicant/mesh_mpm.c
+++ b/wpa_supplicant/mesh_mpm.c
@@ -231,7 +231,7 @@  static void mesh_mpm_send_plink_action(struct
wpa_supplicant *wpa_s,
    2 + 32 + /* mesh ID */
    2 + 7 +  /* mesh config */
    2 + 24 + /* peering management */
-   2 + 96 + /* AMPE */
+   2 + 160 + /* AMPE */
    2 + 16;  /* MIC */
 #ifdef CONFIG_IEEE80211N

Mesh: Support BIP-CMAC-256, BIP-GMAC-128, BIP-GMAC-256

Commit Message

Comments

Patch