From patchwork Sun Sep 15 20:08:25 2019
X-Patchwork-Submitter: Alexander Wetzel
X-Patchwork-Id: 1162539
From: Alexander Wetzel
To: j@w1.fi
Subject: [PATCH v6 05/17] hostapd: Set the correct key_type for key installs
Date: Sun, 15 Sep 2019 22:08:25 +0200
Message-Id: <20190915200837.196283-6-alexander@wetzel-home.de>
In-Reply-To: <20190915200837.196283-1-alexander@wetzel-home.de>
References: <20190915200837.196283-1-alexander@wetzel-home.de>
X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Alexander Wetzel , hostap@lists.infradead.org, luca@coelho.fi, johannes@sipsolutions.net Sender: "Hostap" Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org In addition to the set_key boolean this also sets the corresponding new variable key_type for all key installs. Till set_tx is dropped drivers can use either set_tx or key_flag, allowing to seamless migrate to key_flag. Signed-off-by: Alexander Wetzel --- hostapd/ctrl_iface.c | 24 ++++++++++++++---------- src/ap/hostapd.c | 15 +++++++++------ src/ap/ieee802_11.c | 3 ++- src/ap/ieee802_1x.c | 7 ++++--- src/ap/wpa_auth.c | 11 ++++++----- src/ap/wpa_auth_ft.c | 2 +- tests/hwsim/test_ap_ciphers.py | 2 +- 7 files changed, 37 insertions(+), 27 deletions(-) diff --git a/hostapd/ctrl_iface.c b/hostapd/ctrl_iface.c index 7255f6ed6..dd1fd42f7 100644 --- a/hostapd/ctrl_iface.c +++ b/hostapd/ctrl_iface.c @@ -2117,7 +2117,8 @@ static int hostapd_ctrl_reset_pn(struct hostapd_data *hapd, const char *cmd) hapd->last_igtk_alg, broadcast_ether_addr, hapd->last_igtk_key_idx, 1, NULL, 0, - zero, hapd->last_igtk_len, 0) < 0) + zero, hapd->last_igtk_len, + KEY_TYPE_BROADCAST) < 0) return -1; /* Set the previously configured key to reset its TSC */ @@ -2126,7 +2127,8 @@ static int hostapd_ctrl_reset_pn(struct hostapd_data *hapd, const char *cmd) broadcast_ether_addr, hapd->last_igtk_key_idx, 1, NULL, 0, hapd->last_igtk, - hapd->last_igtk_len, 0); + hapd->last_igtk_len, + KEY_TYPE_BROADCAST); } if (is_broadcast_ether_addr(addr)) { @@ -2141,7 +2143,8 @@ static int hostapd_ctrl_reset_pn(struct hostapd_data *hapd, const char *cmd) hapd->last_gtk_alg, broadcast_ether_addr, hapd->last_gtk_key_idx, 1, NULL, 0, - zero, hapd->last_gtk_len, 0) < 0) + zero, hapd->last_gtk_len, + KEY_TYPE_BROADCAST) < 0) return -1; /* Set the previously configured key to reset its TSC */ 
@@ -2150,7 +2153,7 @@ static int hostapd_ctrl_reset_pn(struct hostapd_data *hapd, const char *cmd) broadcast_ether_addr, hapd->last_gtk_key_idx, 1, NULL, 0, hapd->last_gtk, hapd->last_gtk_len, - 0); + KEY_TYPE_BROADCAST); } sta = ap_get_sta(hapd, addr); @@ -2167,13 +2170,14 @@ static int hostapd_ctrl_reset_pn(struct hostapd_data *hapd, const char *cmd) * in the driver. */ if (hostapd_drv_set_key(hapd->conf->iface, hapd, sta->last_tk_alg, sta->addr, sta->last_tk_key_idx, 1, NULL, 0, - zero, sta->last_tk_len, 0) < 0) + zero, sta->last_tk_len, KEY_TYPE_PAIRWISE) < 0) return -1; /* Set the previously configured key to reset its TSC/RSC */ return hostapd_drv_set_key(hapd->conf->iface, hapd, sta->last_tk_alg, sta->addr, sta->last_tk_key_idx, 1, NULL, 0, - sta->last_tk, sta->last_tk_len, 0); + sta->last_tk, sta->last_tk_len, + KEY_TYPE_PAIRWISE); } @@ -2247,7 +2251,7 @@ static void restore_tk(void *ctx1, void *ctx2) * preventing encryption of a single EAPOL frame. */ hostapd_drv_set_key(hapd->conf->iface, hapd, sta->last_tk_alg, sta->addr, sta->last_tk_key_idx, 1, NULL, 0, - sta->last_tk, sta->last_tk_len, 0); + sta->last_tk, sta->last_tk_len, KEY_TYPE_PAIRWISE); } @@ -2271,7 +2275,7 @@ static int hostapd_ctrl_resend_m1(struct hostapd_data *hapd, const char *cmd) MAC2STR(sta->addr)); hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_NONE, sta->addr, sta->last_tk_key_idx, 0, NULL, 0, - NULL, 0, 0); + NULL, 0, KEY_TYPE_PAIRWISE); } wpa_printf(MSG_INFO, "TESTING: Send M1 to " MACSTR, MAC2STR(sta->addr)); @@ -2301,7 +2305,7 @@ static int hostapd_ctrl_resend_m3(struct hostapd_data *hapd, const char *cmd) MAC2STR(sta->addr)); hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_NONE, sta->addr, sta->last_tk_key_idx, 0, NULL, 0, - NULL, 0, 0); + NULL, 0, KEY_TYPE_PAIRWISE); } wpa_printf(MSG_INFO, "TESTING: Send M3 to " MACSTR, MAC2STR(sta->addr)); 
@@ -2331,7 +2335,7 @@ static int hostapd_ctrl_resend_group_m1(struct hostapd_data *hapd, MAC2STR(sta->addr)); hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_NONE, sta->addr, sta->last_tk_key_idx, 0, NULL, 0, - NULL, 0, 0); + NULL, 0, KEY_TYPE_PAIRWISE); } wpa_printf(MSG_INFO, diff --git a/src/ap/hostapd.c b/src/ap/hostapd.c index 53a2bec8f..480fc706e 100644 --- a/src/ap/hostapd.c +++ b/src/ap/hostapd.c @@ -291,8 +291,8 @@ static void hostapd_broadcast_key_clear_iface(struct hostapd_data *hapd, if (!ifname || !hapd->drv_priv) return; for (i = 0; i < NUM_WEP_KEYS; i++) { - if (hostapd_drv_set_key(ifname, hapd, WPA_ALG_NONE, NULL, i, - 0, NULL, 0, NULL, 0, 0)) { + if (hostapd_drv_set_key(ifname, hapd, WPA_ALG_NONE, NULL, i, 0, + NULL, 0, NULL, 0, KEY_TYPE_BROADCAST)) { wpa_printf(MSG_DEBUG, "Failed to clear default " "encryption keys (ifname=%s keyidx=%d)", ifname, i); @@ -301,8 +301,8 @@ static void hostapd_broadcast_key_clear_iface(struct hostapd_data *hapd, if (hapd->conf->ieee80211w) { for (i = NUM_WEP_KEYS; i < NUM_WEP_KEYS + 2; i++) { if (hostapd_drv_set_key(ifname, hapd, WPA_ALG_NONE, - NULL, i, 0, NULL, - 0, NULL, 0, 0)) { + NULL, i, 0, NULL, 0, + NULL, 0, KEY_TYPE_BROADCAST)) { wpa_printf(MSG_DEBUG, "Failed to clear " "default mgmt encryption keys " "(ifname=%s keyidx=%d)", ifname, i); @@ -329,7 +329,7 @@ static int hostapd_broadcast_wep_set(struct hostapd_data *hapd) hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, broadcast_ether_addr, idx, 1, NULL, 0, ssid->wep.key[idx], - ssid->wep.len[idx], 0)) { + ssid->wep.len[idx], KEY_TYPE_DEFAULT)) { wpa_printf(MSG_WARNING, "Could not set WEP encryption."); errors++; } 
@@ -555,7 +555,10 @@ static int hostapd_setup_encryption(char *iface, struct hostapd_data *hapd) hostapd_drv_set_key(iface, hapd, WPA_ALG_WEP, NULL, i, i == hapd->conf->ssid.wep.idx, NULL, 0, hapd->conf->ssid.wep.key[i], - hapd->conf->ssid.wep.len[i], 0)) { + hapd->conf->ssid.wep.len[i], + i == hapd->conf->ssid.wep.idx ? + KEY_TYPE_DEFAULT : + KEY_TYPE_BROADCAST)) { wpa_printf(MSG_WARNING, "Could not set WEP " "encryption."); return -1; diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c index b60a61ff3..aa6931fd8 100644 --- a/src/ap/ieee802_11.c +++ b/src/ap/ieee802_11.c @@ -4771,7 +4771,8 @@ static void hostapd_set_wds_encryption(struct hostapd_data *hapd, hostapd_drv_set_key(ifname_wds, hapd, WPA_ALG_WEP, NULL, i, i == ssid->wep.idx, NULL, 0, ssid->wep.key[i], ssid->wep.len[i], - 0)) { + i == ssid->wep.idx ? KEY_TYPE_DEFAULT : + KEY_TYPE_BROADCAST)) { wpa_printf(MSG_WARNING, "Could not set WEP keys for WDS interface; %s", ifname_wds); diff --git a/src/ap/ieee802_1x.c b/src/ap/ieee802_1x.c index 1a94b0c44..8174ca8d0 100644 --- a/src/ap/ieee802_1x.c +++ b/src/ap/ieee802_1x.c @@ -286,7 +286,7 @@ static void ieee802_1x_tx_key(struct hostapd_data *hapd, struct sta_info *sta) if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, sta->addr, 0, 1, NULL, 0, ikey, hapd->conf->individual_wep_key_len, - 0)) { + KEY_TYPE_DEFAULT)) { wpa_printf(MSG_ERROR, "Could not set individual WEP encryption"); } @@ -2180,7 +2180,8 @@ static void ieee802_1x_rekey(void *eloop_ctx, void *timeout_ctx) broadcast_ether_addr, eapol->default_wep_key_idx, 1, NULL, 0, eapol->default_wep_key, - hapd->conf->default_wep_key_len, 0)) { + hapd->conf->default_wep_key_len, + KEY_TYPE_DEFAULT)) { hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X, HOSTAPD_LEVEL_WARNING, "failed to configure a new broadcast key"); 
@@ -2472,7 +2473,7 @@ int ieee802_1x_init(struct hostapd_data *hapd) for (i = 0; i < 4; i++) hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_NONE, NULL, i, 0, NULL, 0, - NULL, 0, 0); + NULL, 0, KEY_TYPE_BROADCAST); ieee802_1x_rekey(hapd, NULL); diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c index f64658264..521d18030 100644 --- a/src/ap/wpa_auth.c +++ b/src/ap/wpa_auth.c @@ -1714,7 +1714,7 @@ void wpa_remove_ptk(struct wpa_state_machine *sm) sm->PTK_valid = FALSE; os_memset(&sm->PTK, 0, sizeof(sm->PTK)); if (wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 0, NULL, - 0, 0)) + 0, KEY_TYPE_PAIRWISE)) wpa_printf(MSG_DEBUG, "RSN: PTK removal from the driver failed"); sm->pairwise_set = FALSE; @@ -2746,7 +2746,7 @@ int fils_set_tk(struct wpa_state_machine *sm) wpa_printf(MSG_DEBUG, "FILS: Configure TK to the driver"); if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0, - sm->PTK.tk, klen, 0)) { + sm->PTK.tk, klen, KEY_TYPE_PAIRWISE)) { wpa_printf(MSG_DEBUG, "FILS: Failed to set TK to the driver"); return -1; } @@ -3327,7 +3327,7 @@ SM_STATE(WPA_PTK, PTKINITDONE) enum wpa_alg alg = wpa_cipher_to_alg(sm->pairwise); int klen = wpa_cipher_key_len(sm->pairwise); if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0, - sm->PTK.tk, klen, 0)) { + sm->PTK.tk, klen, KEY_TYPE_PAIRWISE)) { wpa_sta_disconnect(sm->wpa_auth, sm->addr, WLAN_REASON_PREV_AUTH_NOT_VALID); return; @@ -3919,7 +3919,8 @@ static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth, if (wpa_auth_set_key(wpa_auth, group->vlan_id, wpa_cipher_to_alg(wpa_auth->conf.wpa_group), broadcast_ether_addr, group->GN, - group->GTK[group->GN - 1], group->GTK_len, 0) < 0) + group->GTK[group->GN - 1], group->GTK_len, + KEY_TYPE_BROADCAST) < 0) ret = -1; if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) { 
@@ -3933,7 +3934,7 @@ static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth, wpa_auth_set_key(wpa_auth, group->vlan_id, alg, broadcast_ether_addr, group->GN_igtk, group->IGTK[group->GN_igtk - 4], - len, 0) < 0) + len, KEY_TYPE_BROADCAST) < 0) ret = -1; } diff --git a/src/ap/wpa_auth_ft.c b/src/ap/wpa_auth_ft.c index 77ddc024c..eb61b97f0 100644 --- a/src/ap/wpa_auth_ft.c +++ b/src/ap/wpa_auth_ft.c @@ -2649,7 +2649,7 @@ void wpa_ft_install_ptk(struct wpa_state_machine *sm) * optimized by adding the STA entry earlier. */ if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0, - sm->PTK.tk, klen, 0)) + sm->PTK.tk, klen, KEY_TYPE_PAIRWISE)) return; /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */ diff --git a/tests/hwsim/test_ap_ciphers.py b/tests/hwsim/test_ap_ciphers.py index cd45c6fd9..a6ba27d99 100644 --- a/tests/hwsim/test_ap_ciphers.py +++ b/tests/hwsim/test_ap_ciphers.py @@ -862,7 +862,7 @@ def test_ap_wpa2_delayed_m1_m3_zero_tk(dev, apdev): if "OK" not in hapd.request("RESEND_M3 " + addr): raise Exception("RESEND_M3 failed") - if "OK" not in hapd.request("SET_KEY 3 %s %d %d %s %s 0" % (addr, 0, 1, 6*"00", 16*"00")): + if "OK" not in hapd.request("SET_KEY 3 %s %d %d %s %s %d" % (addr, 0, 1, 6*"00", 16*"00", 2)): raise Exception("SET_KEY failed") time.sleep(0.1) hwsim_utils.test_connectivity(dev[0], hapd, timeout=1, broadcast=False,
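Review bot: In the src/ap/ieee802_1x.c ieee802_1x_tx_key() hunk the individual WEP key is installed for a unicast sta->addr with KEY_TYPE_DEFAULT, while every other key in this patch that is installed or removed for sta->addr (PTK in wpa_auth.c, wpa_auth_ft.c and ctrl_iface.c) uses KEY_TYPE_PAIRWISE. If a per-station WEP key is meant to be treated as a pairwise key by drivers that dispatch on key_type, this should be KEY_TYPE_PAIRWISE; if KEY_TYPE_DEFAULT is intentional here, a one-line comment explaining why a unicast-addressed key carries the default-key type would avoid the question coming back in later review.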
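Review bot: The install and clear paths for static WEP keys in src/ap/hostapd.c now disagree on key_type: hostapd_setup_encryption() installs index wep.idx with KEY_TYPE_DEFAULT and the other indices with KEY_TYPE_BROADCAST, but hostapd_broadcast_key_clear_iface() (and ieee802_1x_init(), which clears indices 0..3 the same way) removes all four with KEY_TYPE_BROADCAST. Please state, in the commit message or a comment at the clear sites, whether key_type is ignored for WPA_ALG_NONE removals or must match the type used at install time, since a driver that keys its removal path on key_type would otherwise leave the default TX key behind.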
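Review bot: In the tests/hwsim/test_ap_ciphers.py hunk the new SET_KEY argument is passed as the bare literal 2, so the test no longer documents which key type it requests for the zeroed TK. A short comment naming the KEY_TYPE_* value that 2 corresponds to (or a named constant in the test) would keep the test readable and make it obvious if the enum numbering changes in a later revision of the series.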