[v8,02/15] AP: Set the correct key_type for key installs

Message ID	20191031091901.2889-3-alexander@wetzel-home.de
State	Changes Requested
Headers	show Return-Path: <hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org> sender: postmaster@awhome.eu) by player750.ha.ovh.net (Postfix) with ESMTPSA id 73907B945630; Thu, 31 Oct 2019 09:19:27 +0000 (UTC) From: Alexander Wetzel <alexander@wetzel-home.de> To: j@w1.fi Subject: [Patch v8 02/15] AP: Set the correct key_type for key installs Date: Thu, 31 Oct 2019 10:18:48 +0100 Message-Id: <20191031091901.2889-3-alexander@wetzel-home.de> In-Reply-To: <20191031091901.2889-1-alexander@wetzel-home.de> References: <20191031091901.2889-1-alexander@wetzel-home.de> MIME-Version: 1.0 summary: Content analysis details: (-0.2 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [46.105.56.78 listed in list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature Precedence: list Cc: Alexander Wetzel <alexander@wetzel-home.de>, hostap@lists.infradead.org, luca@coelho.fi, johannes@sipsolutions.net Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "Hostap" <hostap-bounces@lists.infradead.org> Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org
Series	Support seamless PTK rekeys with Extended Key ID \| expand [v8,00/15] Support seamless PTK rekeys with Extended Key ID [v8,01/15] Introduce and add key_type [v8,02/15] AP: Set the correct key_type for key installs [v8,03/15] wpa_supplicant: Set the correct key_type for key installs [v8,04/15] drivers: Migrate drivers from set_tx to key_type API [v8,05/15] nl80211: Migrate from set_tx to key_type API [v8,06/15] nl80211,wpa_supplicant: Drop outdated tdls hack [v8,07/15] Drop set_tx from all set_key() functions [v8,08/15] common: Extended Key ID support [v8,09/15] AP: Add support for Extended Key ID [v8,10/15] wpa_supplicant: Extended Key ID support [v8,11/15] tests: Extended Key ID tests [v8,12/15] AP: FILS Extended Key ID support [v8,13/15] wpa_supplicant: FILS Extended Key ID support [v8,14/15] nl80211: Extended Key ID support [v8,15/15] AP: Extended Key ID stress test

diff --git a/hostapd/ctrl_iface.c b/hostapd/ctrl_iface.c index 961a35f2d..4f047623a 100644 --- a/hostapd/ctrl_iface.c +++ b/hostapd/ctrl_iface.c @@ -2122,7 +2122,8 @@ static int hostapd_ctrl_reset_pn(struct hostapd_data *hapd, const char *cmd) hapd->last_igtk_alg, broadcast_ether_addr, hapd->last_igtk_key_idx, 1, NULL, 0, - zero, hapd->last_igtk_len, 0) < 0) + zero, hapd->last_igtk_len, + KEY_TYPE_BROADCAST) < 0) return -1; /* Set the previously configured key to reset its TSC */ @@ -2131,7 +2132,8 @@ static int hostapd_ctrl_reset_pn(struct hostapd_data *hapd, const char *cmd) broadcast_ether_addr, hapd->last_igtk_key_idx, 1, NULL, 0, hapd->last_igtk, - hapd->last_igtk_len, 0); + hapd->last_igtk_len, + KEY_TYPE_BROADCAST); } if (is_broadcast_ether_addr(addr)) { @@ -2146,7 +2148,8 @@ static int hostapd_ctrl_reset_pn(struct hostapd_data *hapd, const char *cmd) hapd->last_gtk_alg, broadcast_ether_addr, hapd->last_gtk_key_idx, 1, NULL, 0, - zero, hapd->last_gtk_len, 0) < 0) + zero, hapd->last_gtk_len, + KEY_TYPE_BROADCAST) < 0) return -1; /* Set the previously configured key to reset its TSC */ @@ -2155,7 +2158,7 @@ static int hostapd_ctrl_reset_pn(struct hostapd_data *hapd, const char *cmd) broadcast_ether_addr, hapd->last_gtk_key_idx, 1, NULL, 0, hapd->last_gtk, hapd->last_gtk_len, - 0); + KEY_TYPE_BROADCAST); } sta = ap_get_sta(hapd, addr); @@ -2172,13 +2175,14 @@ static int hostapd_ctrl_reset_pn(struct hostapd_data *hapd, const char *cmd) * in the driver. */ if (hostapd_drv_set_key(hapd->conf->iface, hapd, sta->last_tk_alg, sta->addr, sta->last_tk_key_idx, 1, NULL, 0, - zero, sta->last_tk_len, 0) < 0) + zero, sta->last_tk_len, KEY_TYPE_PAIRWISE) < 0) return -1; /* Set the previously configured key to reset its TSC/RSC */ return hostapd_drv_set_key(hapd->conf->iface, hapd, sta->last_tk_alg, sta->addr, sta->last_tk_key_idx, 1, NULL, 0, - sta->last_tk, sta->last_tk_len, 0); + sta->last_tk, sta->last_tk_len, + KEY_TYPE_PAIRWISE); } @@ -2252,7 +2256,7 @@ static void restore_tk(void *ctx1, void *ctx2) * preventing encryption of a single EAPOL frame. */ hostapd_drv_set_key(hapd->conf->iface, hapd, sta->last_tk_alg, sta->addr, sta->last_tk_key_idx, 1, NULL, 0, - sta->last_tk, sta->last_tk_len, 0); + sta->last_tk, sta->last_tk_len, KEY_TYPE_PAIRWISE); } @@ -2276,7 +2280,7 @@ static int hostapd_ctrl_resend_m1(struct hostapd_data *hapd, const char *cmd) MAC2STR(sta->addr)); hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_NONE, sta->addr, sta->last_tk_key_idx, 0, NULL, 0, - NULL, 0, 0); + NULL, 0, KEY_TYPE_PAIRWISE); } wpa_printf(MSG_INFO, "TESTING: Send M1 to " MACSTR, MAC2STR(sta->addr)); @@ -2306,7 +2310,7 @@ static int hostapd_ctrl_resend_m3(struct hostapd_data *hapd, const char *cmd) MAC2STR(sta->addr)); hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_NONE, sta->addr, sta->last_tk_key_idx, 0, NULL, 0, - NULL, 0, 0); + NULL, 0, KEY_TYPE_PAIRWISE); } wpa_printf(MSG_INFO, "TESTING: Send M3 to " MACSTR, MAC2STR(sta->addr)); @@ -2336,7 +2340,7 @@ static int hostapd_ctrl_resend_group_m1(struct hostapd_data *hapd, MAC2STR(sta->addr)); hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_NONE, sta->addr, sta->last_tk_key_idx, 0, NULL, 0, - NULL, 0, 0); + NULL, 0, KEY_TYPE_PAIRWISE); } wpa_printf(MSG_INFO, diff --git a/src/ap/hostapd.c b/src/ap/hostapd.c index 316d1e833..e6dc149e4 100644 --- a/src/ap/hostapd.c +++ b/src/ap/hostapd.c @@ -291,8 +291,8 @@ static void hostapd_broadcast_key_clear_iface(struct hostapd_data *hapd, if (!ifname || !hapd->drv_priv) return; for (i = 0; i < NUM_WEP_KEYS; i++) { - if (hostapd_drv_set_key(ifname, hapd, WPA_ALG_NONE, NULL, i, - 0, NULL, 0, NULL, 0, 0)) { + if (hostapd_drv_set_key(ifname, hapd, WPA_ALG_NONE, NULL, i, 0, + NULL, 0, NULL, 0, KEY_TYPE_BROADCAST)) { wpa_printf(MSG_DEBUG, "Failed to clear default " "encryption keys (ifname=%s keyidx=%d)", ifname, i); @@ -301,8 +301,8 @@ static void hostapd_broadcast_key_clear_iface(struct hostapd_data *hapd, if (hapd->conf->ieee80211w) { for (i = NUM_WEP_KEYS; i < NUM_WEP_KEYS + 2; i++) { if (hostapd_drv_set_key(ifname, hapd, WPA_ALG_NONE, - NULL, i, 0, NULL, - 0, NULL, 0, 0)) { + NULL, i, 0, NULL, 0, + NULL, 0, KEY_TYPE_BROADCAST)) { wpa_printf(MSG_DEBUG, "Failed to clear " "default mgmt encryption keys " "(ifname=%s keyidx=%d)", ifname, i); @@ -329,7 +329,7 @@ static int hostapd_broadcast_wep_set(struct hostapd_data *hapd) hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, broadcast_ether_addr, idx, 1, NULL, 0, ssid->wep.key[idx], - ssid->wep.len[idx], 0)) { + ssid->wep.len[idx], KEY_TYPE_DEFAULT)) { wpa_printf(MSG_WARNING, "Could not set WEP encryption."); errors++; } @@ -555,7 +555,10 @@ static int hostapd_setup_encryption(char *iface, struct hostapd_data *hapd) hostapd_drv_set_key(iface, hapd, WPA_ALG_WEP, NULL, i, i == hapd->conf->ssid.wep.idx, NULL, 0, hapd->conf->ssid.wep.key[i], - hapd->conf->ssid.wep.len[i], 0)) { + hapd->conf->ssid.wep.len[i], + i == hapd->conf->ssid.wep.idx ? + KEY_TYPE_DEFAULT : + KEY_TYPE_BROADCAST)) { wpa_printf(MSG_WARNING, "Could not set WEP " "encryption."); return -1; diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c index a4f3aa72f..245f2bb23 100644 --- a/src/ap/ieee802_11.c +++ b/src/ap/ieee802_11.c @@ -4901,7 +4901,8 @@ static void hostapd_set_wds_encryption(struct hostapd_data *hapd, hostapd_drv_set_key(ifname_wds, hapd, WPA_ALG_WEP, NULL, i, i == ssid->wep.idx, NULL, 0, ssid->wep.key[i], ssid->wep.len[i], - 0)) { + i == ssid->wep.idx ? KEY_TYPE_DEFAULT : + KEY_TYPE_BROADCAST)) { wpa_printf(MSG_WARNING, "Could not set WEP keys for WDS interface; %s", ifname_wds); diff --git a/src/ap/ieee802_1x.c b/src/ap/ieee802_1x.c index 1a94b0c44..a1f049235 100644 --- a/src/ap/ieee802_1x.c +++ b/src/ap/ieee802_1x.c @@ -286,7 +286,7 @@ static void ieee802_1x_tx_key(struct hostapd_data *hapd, struct sta_info *sta) if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, sta->addr, 0, 1, NULL, 0, ikey, hapd->conf->individual_wep_key_len, - 0)) { + KEY_TYPE_PAIRWISE)) { wpa_printf(MSG_ERROR, "Could not set individual WEP encryption"); } @@ -2180,7 +2180,8 @@ static void ieee802_1x_rekey(void *eloop_ctx, void *timeout_ctx) broadcast_ether_addr, eapol->default_wep_key_idx, 1, NULL, 0, eapol->default_wep_key, - hapd->conf->default_wep_key_len, 0)) { + hapd->conf->default_wep_key_len, + KEY_TYPE_DEFAULT)) { hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X, HOSTAPD_LEVEL_WARNING, "failed to configure a new broadcast key"); @@ -2472,7 +2473,7 @@ int ieee802_1x_init(struct hostapd_data *hapd) for (i = 0; i < 4; i++) hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_NONE, NULL, i, 0, NULL, 0, - NULL, 0, 0); + NULL, 0, KEY_TYPE_BROADCAST); ieee802_1x_rekey(hapd, NULL); diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c index 30c575880..27acec0bd 100644 --- a/src/ap/wpa_auth.c +++ b/src/ap/wpa_auth.c @@ -1715,7 +1715,7 @@ void wpa_remove_ptk(struct wpa_state_machine *sm) sm->PTK_valid = FALSE; os_memset(&sm->PTK, 0, sizeof(sm->PTK)); if (wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 0, NULL, - 0, 0)) + 0, KEY_TYPE_PAIRWISE)) wpa_printf(MSG_DEBUG, "RSN: PTK removal from the driver failed"); sm->pairwise_set = FALSE; @@ -2747,7 +2747,7 @@ int fils_set_tk(struct wpa_state_machine *sm) wpa_printf(MSG_DEBUG, "FILS: Configure TK to the driver"); if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0, - sm->PTK.tk, klen, 0)) { + sm->PTK.tk, klen, KEY_TYPE_PAIRWISE)) { wpa_printf(MSG_DEBUG, "FILS: Failed to set TK to the driver"); return -1; } @@ -3344,7 +3344,7 @@ SM_STATE(WPA_PTK, PTKINITDONE) enum wpa_alg alg = wpa_cipher_to_alg(sm->pairwise); int klen = wpa_cipher_key_len(sm->pairwise); if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0, - sm->PTK.tk, klen, 0)) { + sm->PTK.tk, klen, KEY_TYPE_PAIRWISE)) { wpa_sta_disconnect(sm->wpa_auth, sm->addr, WLAN_REASON_PREV_AUTH_NOT_VALID); return; @@ -3936,7 +3936,8 @@ static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth, if (wpa_auth_set_key(wpa_auth, group->vlan_id, wpa_cipher_to_alg(wpa_auth->conf.wpa_group), broadcast_ether_addr, group->GN, - group->GTK[group->GN - 1], group->GTK_len, 0) < 0) + group->GTK[group->GN - 1], group->GTK_len, + KEY_TYPE_BROADCAST) < 0) ret = -1; if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) { @@ -3950,7 +3951,7 @@ static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth, wpa_auth_set_key(wpa_auth, group->vlan_id, alg, broadcast_ether_addr, group->GN_igtk, group->IGTK[group->GN_igtk - 4], - len, 0) < 0) + len, KEY_TYPE_BROADCAST) < 0) ret = -1; } diff --git a/src/ap/wpa_auth_ft.c b/src/ap/wpa_auth_ft.c index 0898ddae2..0d22aeccc 100644 --- a/src/ap/wpa_auth_ft.c +++ b/src/ap/wpa_auth_ft.c @@ -2659,7 +2659,7 @@ void wpa_ft_install_ptk(struct wpa_state_machine *sm) * optimized by adding the STA entry earlier. */ if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0, - sm->PTK.tk, klen, 0)) + sm->PTK.tk, klen, KEY_TYPE_PAIRWISE)) return; /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */ diff --git a/tests/hwsim/test_ap_ciphers.py b/tests/hwsim/test_ap_ciphers.py index cd45c6fd9..a6ba27d99 100644 --- a/tests/hwsim/test_ap_ciphers.py +++ b/tests/hwsim/test_ap_ciphers.py @@ -862,7 +862,7 @@ def test_ap_wpa2_delayed_m1_m3_zero_tk(dev, apdev): if "OK" not in hapd.request("RESEND_M3 " + addr): raise Exception("RESEND_M3 failed") - if "OK" not in hapd.request("SET_KEY 3 %s %d %d %s %s 0" % (addr, 0, 1, 6*"00", 16*"00")): + if "OK" not in hapd.request("SET_KEY 3 %s %d %d %s %s %d" % (addr, 0, 1, 6*"00", 16*"00", 2)): raise Exception("SET_KEY failed") time.sleep(0.1) hwsim_utils.test_connectivity(dev[0], hapd, timeout=1, broadcast=False,

[v8,02/15] AP: Set the correct key_type for key installs

Commit Message

Patch