From patchwork Fri Jan 22 14:58:20 2021
From: Peter Åstrand
To: "hostap@lists.infradead.org"
Subject: [PATCH 3/6] wpa_supplicant: Added support for multiple global sae_passwords
Date: Fri, 22 Jan 2021 15:58:20 +0100 (CET)
Message-ID: <11e347ec-7b47-e139-4ddf-97c77def21a@lysator.liu.se>

Currently only for AP mode. Signed-off-by: Peter Astrand --- wpa_supplicant/ap.c | 4 ++++ wpa_supplicant/config.c | 19 +++++++++++++++++ wpa_supplicant/config.h | 6 ++++++ wpa_supplicant/wpa_supplicant.conf | 33 ++++++++++++++++++++++++++++++ 4 files changed, 62 insertions(+) diff --git a/wpa_supplicant/ap.c b/wpa_supplicant/ap.c index ac88a7dc9..e0185ac2d 100644 --- a/wpa_supplicant/ap.c +++ b/wpa_supplicant/ap.c @@ -475,6 +475,10 @@ static int wpa_supplicant_conf_ap(struct wpa_supplicant *wpa_s, #endif /* CONFIG_WEP */ } #ifdef CONFIG_SAE + + /* Add all global SAE passwords */ + bss->sae_passwords = wpa_s->conf->sae_passwords; + if (ssid->sae_password) { struct sae_password_entry *pw; diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c index 0aa92a28c..b125acce2 100644 --- a/wpa_supplicant/config.c +++ b/wpa_supplicant/config.c 
@@ -19,6 +19,7 @@ #include "p2p/p2p.h" #include "fst/fst.h" #include "config.h" +#include "ap/ap_config.h" #if !defined(CONFIG_CTRL_IFACE) && defined(CONFIG_NO_CONFIG_WRITE) @@ -4849,6 +4850,20 @@ static int wpa_config_process_sae_groups( } +#ifdef CONFIG_SAE +static int wpa_config_process_sae_password( + const struct global_parse_data *data, + struct wpa_config *config, int line, const char *pos) +{ + if (hostapd_parse_sae_password(&config->sae_passwords, false, pos) < 0) { + return -1; + } + + return 0; +} +#endif /* CONFIG_SAE */ + + static int wpa_config_process_ap_vendor_elements( const struct global_parse_data *data, struct wpa_config *config, int line, const char *pos) @@ -4965,6 +4980,7 @@ static int wpa_config_get_ipv4(const char *name, struct wpa_config *config, #define FUNC(f) #f, wpa_config_process_ ## f, NULL, OFFSET(f), NULL, NULL #define FUNC_NO_VAR(f) #f, wpa_config_process_ ## f, NULL, NULL, NULL, NULL +#define FUNC_NAMED_VAR(f, v) #f, wpa_config_process_ ## f, NULL, OFFSET(v), NULL, NULL #define _INT(f) #f, wpa_global_config_parse_int, wpa_config_get_int, OFFSET(f) #define INT(f) _INT(f), NULL, NULL #define INT_RANGE(f, min, max) _INT(f), (void *) min, (void *) max @@ -5098,6 +5114,9 @@ static const struct global_parse_data global_fields[] = { { FUNC(sae_groups), 0 }, { INT_RANGE(sae_pwe, 0, 3), 0 }, { INT_RANGE(sae_pmkid_in_assoc, 0, 1), 0 }, +#ifdef CONFIG_SAE + { FUNC_NAMED_VAR(sae_password, sae_passwords), 0 }, +#endif { INT(dtim_period), 0 }, { INT(beacon_int), 0 }, { FUNC(ap_vendor_elements), 0 }, diff --git a/wpa_supplicant/config.h b/wpa_supplicant/config.h index d128cd9bf..8c776cf82 100644 --- a/wpa_supplicant/config.h +++ b/wpa_supplicant/config.h @@ -1200,6 +1200,12 @@ struct wpa_config { */ int sae_pwe; + + /** + * sae_password entries - added to a list of available passwords + */ + struct sae_password_entry *sae_passwords; + /** * sae_pmkid_in_assoc - Whether to include PMKID in SAE Assoc Req */ 
diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf index 46f78755d..46a49cbce 100644 --- a/wpa_supplicant/wpa_supplicant.conf +++ b/wpa_supplicant/wpa_supplicant.conf 
@@ -409,6 +409,39 @@ fast_reauth=1 # RSN. #pmf=0 +# SAE password +# This parameter can be used to set passwords for SAE, in addition to +# a sae_password in a network block. +# +# Each sae_password entry is added to a list of available passwords. This +# corresponds to the dot11RSNAConfigPasswordValueEntry. sae_password value +# starts with the password (dot11RSNAConfigPasswordCredential). That value can +# be followed by optional peer MAC address (dot11RSNAConfigPasswordPeerMac) and +# by optional password identifier (dot11RSNAConfigPasswordIdentifier). In +# addition, an optional VLAN ID specification can be used to bind the station +# to the specified VLAN whenever the specific SAE password entry is used. +# +# If the peer MAC address is not included or is set to the wildcard address +# (ff:ff:ff:ff:ff:ff), the entry is available for any station to use. If a +# specific peer MAC address is included, only a station with that MAC address +# is allowed to use the entry. +# +# If the password identifier (with non-zero length) is included, the entry is +# limited to be used only with that specified identifier. + +# The last matching (based on peer MAC address and identifier) entry is used to +# select which password to use. Setting sae_password to an empty string has a +# special meaning of removing all previously added entries. +# +# sae_password uses the following encoding: +#[|mac=][|vlanid=] +#[|pk=][|id=] +# Examples: +#sae_password=secret +#sae_password=really secret|mac=ff:ff:ff:ff:ff:ff +#sae_password=example secret|mac=02:03:04:05:06:07|id=pw identifier +#sae_password=example secret|vlanid=3|id=pw identifier + # Enabled SAE finite cyclic groups in preference order # By default (if this parameter is not set), the mandatory group 19 (ECC group # defined over a 256-bit prime order field, NIST P-256) is preferred and groups
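Review bot: in the ap.c hunk, `bss->sae_passwords = wpa_s->conf->sae_passwords;` hands the global list to the BSS config by pointer rather than copying it, so the AP config and the wpa_config now reference the same sae_password_entry nodes, and the existing code right after it (`if (ssid->sae_password) { struct sae_password_entry *pw;`) links the per-network entry onto that shared list. Nothing in this patch frees `config->sae_passwords` on the wpa_config side, so the entries either leak when the global config is released or, if the BSS-config teardown frees the list it was given, the global entries are freed out from under wpa_config and reused on the next AP start. Please either deep-copy the global entries into the BSS list here, or state the ownership explicitly and add the matching free in wpa_config_free().

Review bot: in the config.c hunks, wpa_config_process_sae_password() returns -1 on a rejected value without reporting anything, even though the `line` parameter is passed in and left unused; log the line number so a bad global sae_password is visible, as the caller's other global parsers do through `line`. Two smaller points: `#include "ap/ap_config.h"` is added unconditionally while its only user is inside `#ifdef CONFIG_SAE`, and the braces around the single-statement `if (hostapd_parse_sae_password(...) < 0)` do not match the brace-free single statements in the surrounding code.

Review bot: in the config.h hunk, the diffstat shows no change to config_file.c, so wpa_config_write_global() is not taught about the new field and a SAVE_CONFIG with update_config=1 will silently drop every global sae_password entry; either add the write-back or document the limitation in the field comment. The comment itself should also follow the `field - description` form used by the neighbouring entries (the field is `sae_passwords`, and it currently reads "sae_password entries - added to a list of available passwords").

Review bot: in the wpa_supplicant.conf hunk, the commit message says this is "Currently only for AP mode", but the new description never tells the reader that global sae_password entries are only consulted when wpa_supplicant runs as an AP; add that sentence, since a user setting them for station use would otherwise expect them to apply. Also the bare `+` line between "...only with that specified identifier." and "# The last matching" breaks the comment block (every other separator is `#`), and the encoding line and examples list `pk=` and `vlanid=` while the text above only explains the peer MAC address, the identifier and the VLAN binding; either explain `pk=` or leave it out of the encoding line.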