From patchwork Sat Sep 28 18:18:04 2019
X-Patchwork-Submitter: Alexander Wetzel
X-Patchwork-Id: 1168883
From: Alexander Wetzel
To: j@w1.fi
Subject: [PATCH v6a 4/7] Fixes for hostapd: Add support for Extended Key ID
Date: Sat, 28 Sep 2019 20:18:04 +0200
Message-Id: <20190928181807.180530-5-alexander@wetzel-home.de>
In-Reply-To: <20190928181807.180530-1-alexander@wetzel-home.de>
References: <20190928181807.180530-1-alexander@wetzel-home.de>
X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Alexander Wetzel , hostap@lists.infradead.org, luca@coelho.fi, johannes@sipsolutions.net Sender: "Hostap" Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org This is a correction on top of: [PATCH v6 10/17] hostapd: Add support for Extended Key ID Changes: - Fix too wide bit masks. Which are not really needed but already in use for GTK key IDs. (We could drop them all) - merge TKIP handling into handle_extended_key_id() - Check configuration settings and disable Extended key ID when configuration settings don't allow it. - Which allows us to drop some tests from handle_extended_key_id() - Update log/debug messages (some needed for tests) Signed-off-by: Alexander Wetzel --- src/ap/ap_config.c | 2 +- src/ap/wpa_auth.c | 2 +- src/ap/wpa_auth_glue.c | 15 +++------------ src/ap/wpa_auth_ie.c | 33 ++++++++++++++++++++------------- 4 files changed, 25 insertions(+), 27 deletions(-) diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c index a7b91fad8..c080f7064 100644 --- a/src/ap/ap_config.c +++ b/src/ap/ap_config.c @@ -1099,7 +1099,7 @@ static int hostapd_config_check_bss(struct hostapd_bss_config *bss, bss->rsn_pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_CCMP_256 | WPA_CIPHER_GCMP | WPA_CIPHER_GCMP_256))) { wpa_printf(MSG_ERROR, - "Extended Key ID support requires wpa2 and CCMP/GCMP"); + "Extended Key ID support requires WPA2 and CCMP/GCMP, disabling it"); bss->wpa_extended_key_id = 0; } diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c index 1ecb9b491..26725a7df 100644 --- a/src/ap/wpa_auth.c +++ b/src/ap/wpa_auth.c @@ -5095,7 +5095,7 @@ int wpa_auth_resend_m3(struct wpa_state_machine *sm, hdr[1] = 0; if (sm->use_extended_key_id) { - hdr[0] = sm->keyidx_active & 0x03; + hdr[0] = sm->keyidx_active & 0x01; pos = wpa_add_kde(pos, RSN_KEY_DATA_KEYID, hdr, 2, NULL, 0); } 
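Review bot: in the hostapd_config_check_bss hunk (src/ap/ap_config.c) the message is logged at MSG_ERROR although the conflict is then silently corrected by `bss->wpa_extended_key_id = 0;` and the function carries on. Either log it at MSG_WARNING, since the new wording "disabling it" already describes a recoverable downgrade, or reject the configuration so that an operator who explicitly enabled Extended Key ID does not end up running without it unnoticed; logging an error and continuing is the least useful of the three.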
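Review bot: narrowing the mask in wpa_auth_resend_m3 (src/ap/wpa_auth.c) from `& 0x03` to `& 0x01` hides an out-of-range keyidx_active rather than catching it: a value of 2 or 3 would now be sent as 0 or 1. The only writers visible in this series assign keyidx_active 0 or 1, so the commit message's own suggestion ("We could drop them all") seems preferable: write `hdr[0] = sm->keyidx_active;` without a mask, and if a guard is wanted, emit a debug message when the value is not 0 or 1 so a logic error shows up in the log instead of being truncated.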
diff --git a/src/ap/wpa_auth_glue.c b/src/ap/wpa_auth_glue.c index 5a55f799c..f45443257 100644 --- a/src/ap/wpa_auth_glue.c +++ b/src/ap/wpa_auth_glue.c @@ -1307,21 +1307,12 @@ int hostapd_setup_wpa(struct hostapd_data *hapd) _conf.ap_mlme = 1; if (_conf.wpa_extended_key_id) { - if (_conf.wpa & WPA_PROTO_RSN && - _conf.rsn_pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP | - WPA_CIPHER_GCMP_256 | - WPA_CIPHER_CCMP_256) && - hapd->iface->drv_flags & WPA_DRIVER_FLAGS_EXTENDED_KEY_ID) { + if (hapd->iface->drv_flags & WPA_DRIVER_FLAGS_EXTENDED_KEY_ID) { wpa_msg(hapd->msg_ctx, MSG_INFO, "Enable Extended Key ID support"); } else { - if (!(hapd->iface->drv_flags & - WPA_DRIVER_FLAGS_EXTENDED_KEY_ID)) - wpa_msg(hapd->msg_ctx, MSG_INFO, - "Extended Key ID not supported by driver"); - else - wpa_msg(hapd->msg_ctx, MSG_INFO, - "Extended Key ID requires wpa2 and CCMP/GCMP"); + wpa_msg(hapd->msg_ctx, MSG_INFO, + "Extended Key ID not supported by driver"); _conf.wpa_extended_key_id = 0; } } else if (_conf.wpa & WPA_PROTO_RSN) { diff --git a/src/ap/wpa_auth_ie.c b/src/ap/wpa_auth_ie.c index 2e3204f5d..e914c5587 100644 --- a/src/ap/wpa_auth_ie.c +++ b/src/ap/wpa_auth_ie.c 
@@ -538,21 +538,34 @@ int handle_extended_key_id(struct wpa_state_machine *sm, int capabilities) struct wpa_auth_config *conf = &sm->wpa_auth->conf; if (conf->wpa_extended_key_id && + sm->pairwise != WPA_CIPHER_TKIP && capabilities & WPA_CAPABILITY_EXT_KEY_ID_FOR_UNICAST) { if (!sm->use_extended_key_id && sm->pairwise_set) { - wpa_printf(MSG_DEBUG, - "Can only enable Extended Key ID on initial connect"); + wpa_printf(MSG_ERROR, "STA " MACSTR + " tries to start using Extended Key ID on rekey", + MAC2STR(sm->addr)); return -1; } else if (!sm->use_extended_key_id) { + wpa_printf(MSG_DEBUG, "STA " MACSTR + " supports Extended Key ID", + MAC2STR(sm->addr)); sm->use_extended_key_id = TRUE; sm->keyidx_active = 1; + } else if (!sm->pairwise_set) { + wpa_printf(MSG_DEBUG, "STA " MACSTR + " is not supporting Extended Key ID", + MAC2STR(sm->addr)); } } else { if (sm->use_extended_key_id && sm->pairwise_set) { - wpa_printf(MSG_DEBUG, - "Already using Extended Key ID, can't stop"); + wpa_printf(MSG_ERROR, "STA " MACSTR + " is using Extended Key ID, can't rekey without it", + MAC2STR(sm->addr)); return -1; - } else if (sm->use_extended_key_id) { + } else if (!sm->pairwise_set) { + wpa_printf(MSG_DEBUG, "STA " MACSTR + " can't use Extended Key ID support", + MAC2STR(sm->addr)); sm->use_extended_key_id = FALSE; sm->keyidx_active = 0; } @@ -834,8 +847,6 @@ int wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth, return WPA_MGMT_FRAME_PROTECTION_VIOLATION; } - if (handle_extended_key_id(sm, data.capabilities)) - return WPA_INVALID_IE; #ifdef CONFIG_IEEE80211R_AP if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { if (mdie == NULL || mdie_len < MOBILITY_DOMAIN_ID_LEN + 1) { 
@@ -885,12 +896,8 @@ int wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth, else sm->wpa = WPA_VERSION_WPA; - /* Extended Key ID must not be used for TKIP */ - if (sm->use_extended_key_id && sm->pairwise == WPA_CIPHER_TKIP) { - sm->use_extended_key_id = FALSE; - sm->keyidx_active = 0; - } - + if (handle_extended_key_id(sm, data.capabilities)) + return WPA_INVALID_IE; #if defined(CONFIG_IEEE80211R_AP) && defined(CONFIG_FILS) if ((sm->wpa_key_mgmt == WPA_KEY_MGMT_FT_FILS_SHA256 ||
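Review bot: in the hostapd_setup_wpa hunk (src/ap/wpa_auth_glue.c) the WPA2/CCMP/GCMP test is removed and only the driver-flag test remains, so the value of `_conf.wpa_extended_key_id` is now only correct if hostapd_config_check_bss has already run on this bss. Add a one-line comment at the remaining `if (hapd->iface->drv_flags & WPA_DRIVER_FLAGS_EXTENDED_KEY_ID)` saying that the protocol/cipher check lives in ap_config.c, and confirm that every path reaching hostapd_setup_wpa (including configuration reloads) goes through that check; otherwise the flag stays set for a bss the removed test would have rejected.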
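Review bot: in the handle_extended_key_id hunk (src/ap/wpa_auth_ie.c, @@ -538) the new third branch of the outer `if`, `} else if (!sm->pairwise_set) {` following `sm->keyidx_active = 1;`, logs "STA ... is not supporting Extended Key ID", but it is only reached when conf->wpa_extended_key_id is set, the STA advertised WPA_CAPABILITY_EXT_KEY_ID_FOR_UNICAST and sm->use_extended_key_id is already TRUE, so the message contradicts its own condition; reword it (for instance "... already using Extended Key ID") or drop the branch. Two smaller points: the two rekey rejections now log at MSG_ERROR for a condition that is controlled by the peer (a capability bit that differs between the initial association and the rekey), so MSG_INFO or MSG_WARNING would keep the error log meaningful, and a short comment above the outer `if` stating the invariant (Extended Key ID is decided at the initial association and must not change on rekey) would make the four branches much easier to audit.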
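Review bot: moving the handle_extended_key_id() call from its old position (removed in the @@ -834 hunk of src/ap/wpa_auth_ie.c) to after `sm->wpa = WPA_VERSION_WPA;` in the @@ -885 hunk is required now that the function tests sm->pairwise, which is assigned in between, but the new position also runs it for STAs that negotiated WPA (version 1) rather than RSN, since the `else sm->wpa = WPA_VERSION_WPA;` directly above is the WPA branch. Unless data.capabilities is guaranteed to be zero for a parsed WPA IE, gate the call on sm->wpa == WPA_VERSION_WPA2 (or have handle_extended_key_id test it) so a WPA-IE STA cannot be switched into Extended Key ID mode. The removed TKIP fixup block is correctly superseded by the `sm->pairwise != WPA_CIPHER_TKIP` test in the @@ -538 hunk; a comment at the new call site noting that it must stay after the pairwise and wpa assignments would keep a later cleanup from moving it back.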