Mesh: Support BIP-CMAC-256, BIP-GMAC-128, BIP-GMAC-256
diff mbox series

Message ID CACYaJDQW9wTFX8zoKMn-VMVPVomvd5CzDYSXjPTXSjQQt4M-Fw@mail.gmail.com
State New
Headers show
Series
  • Mesh: Support BIP-CMAC-256, BIP-GMAC-128, BIP-GMAC-256
Related show

Commit Message

Ouden.Biz Lin Aug. 6, 2019, 5:33 a.m. UTC
Dear There,

Mesh was hardcoded to use BIP-CMAC-128 if PMF was enabled.
We hope to extend that to allow the other BIP algorithms to be used.

1) Assign the WPA_CIPHER_BIT_* by the ssid->group_mgmt cipher
2) The maximum size of AMPE IE is 160 bytes, not 96 bytes, plus the
two bytes of the IE header.
   The 64 bytes added are MGTK [variable] and IGTK [variable] at the
256 bits crypto.

Please help to confirm that. Thank you.

  if (type != PLINK_CLOSE && wpa_s->mesh_ht_enabled) {

Comments

Bob Copeland Aug. 7, 2019, 3:26 p.m. UTC | #1
On Tue, Aug 06, 2019 at 01:33:15PM +0800, Ouden.Biz Lin wrote:
> Dear There,

Hi!

> 2) The maximum size of AMPE IE is 160 bytes, not 96 bytes, plus the
> two bytes of the IE header.
>    The 64 bytes added are MGTK [variable] and IGTK [variable] at the
> 256 bits crypto.
> 
> Please help to confirm that. Thank you.

AMPE max size is (discounting first 2 bytes):
  pairwise suite (4) +
  local nonce (32) +
  peer nonce (32) +
  *key replay counter (8) +
  MGTK:
    MGTK (16),
    key rsc (8),
    key expiration (4)
  IGTK:
    key id (2),
    IPN (6),
    IGTK (16)

*only for mesh group key inform frame, we don't use it currently

  = 128

So, yes, the current code using 96 is already wrong, as it doesn't account
for IGTK size: it should be 120 today (because Key Replay Counter is unused).

Using 256-bit keys should add another 32 bytes on top of that so we could use
152 here.  160 is correct if we include Key Replay Counter.

> +#ifdef CONFIG_IEEE80211W
> + if (conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) {
> + if (ssid->group_mgmt_cipher &
> + WPA_CIPHER_BIP_GMAC_256)

The formatting here is rather hard to read, in my opinion.

Question, is there a check somewhere that peers are using the
same cipher suite for management protection?  I looked for
it but didn't see it.  Possibly matches_local() should be
comparing the RSNEs when processing peering open frames?

Patch
diff mbox series

diff --git a/wpa_supplicant/mesh.c b/wpa_supplicant/mesh.c
index 7354c1b79..7dcd6f96c 100644
--- a/wpa_supplicant/mesh.c
+++ b/wpa_supplicant/mesh.c
@@ -116,8 +116,26 @@  static struct mesh_conf *
mesh_config_create(struct wpa_supplicant *wpa_s,
  }

  conf->group_cipher = cipher;
- if (conf->ieee80211w != NO_MGMT_FRAME_PROTECTION)
- conf->mgmt_group_cipher = WPA_CIPHER_AES_128_CMAC;
+
+#ifdef CONFIG_IEEE80211W
+ if (conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) {
+ if (ssid->group_mgmt_cipher &
+ WPA_CIPHER_BIP_GMAC_256)
+ conf->mgmt_group_cipher =
+ WPA_CIPHER_BIP_GMAC_256;
+ else if (ssid->group_mgmt_cipher &
+ WPA_CIPHER_BIP_CMAC_256)
+ conf->mgmt_group_cipher =
+ WPA_CIPHER_BIP_CMAC_256;
+ else if (ssid->group_mgmt_cipher &
+ WPA_CIPHER_BIP_GMAC_128)
+ conf->mgmt_group_cipher =
+ WPA_CIPHER_BIP_GMAC_128;
+ else
+ conf->mgmt_group_cipher =
+ WPA_CIPHER_AES_128_CMAC;
+ }
+#endif /* CONFIG_IEEE80211W */

  /* defaults */
  conf->mesh_pp_id = MESH_PATH_PROTOCOL_HWMP;
diff --git a/wpa_supplicant/mesh_mpm.c b/wpa_supplicant/mesh_mpm.c
index 4a163b6eb..01b970715 100644
--- a/wpa_supplicant/mesh_mpm.c
+++ b/wpa_supplicant/mesh_mpm.c
@@ -231,7 +231,7 @@  static void mesh_mpm_send_plink_action(struct
wpa_supplicant *wpa_s,
    2 + 32 + /* mesh ID */
    2 + 7 +  /* mesh config */
    2 + 24 + /* peering management */
-   2 + 96 + /* AMPE */
+   2 + 160 + /* AMPE */
    2 + 16;  /* MIC */
 #ifdef CONFIG_IEEE80211N