[19/40] WPA: Add PTKSA cache to wpa_supplicant for PASN

Message ID	20191215093438.10120-20-ilan.peer@intel.com
State	Changes Requested
Headers	show Return-Path: <hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org> From: Ilan Peer <ilan.peer@intel.com> To: hostap@lists.infradead.org Subject: [PATCH 19/40] WPA: Add PTKSA cache to wpa_supplicant for PASN Date: Sun, 15 Dec 2019 11:34:17 +0200 Message-Id: <20191215093438.10120-20-ilan.peer@intel.com> In-Reply-To: <20191215093438.10120-1-ilan.peer@intel.com> References: <20191215093438.10120-1-ilan.peer@intel.com> summary: Content analysis details: (-2.3 points) pts rule name description ---- ---------------------- -------------------------------------------------- -2.3 RCVD_IN_DNSWL_MED RBL: Sender listed at https://www.dnswl.org/, medium trust [192.55.52.120 listed in list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record Precedence: list Cc: Ilan Peer <ilan.peer@intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "Hostap" <hostap-bounces@lists.infradead.org> Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org
Series	Support for Pre association Security Negotiation (PASN) \| expand [00/40] Support for Pre association Security Negotiation (PASN) [02/40] driver: Extend send_mlme() with wait option [03/40] nl80211: Allow off-channel in send_mlme() [04/40] nl80211: Allow Tx status for authentication frames [05/40] nl80211: Always register for Rx authentication frames with PASN [06/40] WPA: Extend the wpa_pmk_to_ptk() function to also derive HLTK [07/40] FT: Extend the wpa_pmk_r1_to_ptk() function to also derive HLTK [08/40] WPA: Extend the fils_pmk_to_ptk() function to also derive HLTK [09/40] PASN: Add functions to compute PTK, MIC and hash [10/40] crypto: Add a function to get the ECDH prime len [11/40] WPA: Rename FILS wrapped data [12/40] common: Add support for element defragmentation [13/40] PASN: Add some specification definitions [14/40] PASN: Add common authentication frame build/validation functions [15/40] common: Add PASN parsing to ieee802_11_parse_extension() [16/40] common: Allow WPA_CIPHER_GTK_NOT_USED in RSNE parsing [17/40] WPA: Add a function to get PMKSA cache entry [18/40] WPA: Add PTKSA cache implementation [19/40] WPA: Add PTKSA cache to wpa_supplicant for PASN [20/40] PASN: Add support for PASN processing to the wpa_supplicant [21/40] ctrl_iface: Add support for PASN authentication [22/40] AP: Add support for configuring PASN [23/40] WPA_AUTH: Add PTKSA cache to hostapd [24/40] AP: Add support for PASN processing to the SME [25/40] tests: Add PASN test coverage [26/40] PASN: Support PASN with SAE key derivation [27/40] AP: Support PASN with SAE key derivation [28/40] tests: Add PASN tests with SAE [29/40] PASN: Support PASN with FILS key derivation [30/40] AP: Support PASN with FILS key derivation [31/40] tests: Add PASN with FILS tests [32/40] AP: Rename SAE anti clogging variables and functions [33/40] AP: Move anti clogging handling code [34/40] AP: Add support for PASN comeback flow [35/40] PASN: Add support for comeback flow to the wpa_supplicant [36/40] tests: Add PASN test with comeback flow [37/40] PASN: Support PASN with FT key derivation [38/40] AP: Support PASN with FT key derivation [39/40] tests: Add PASN tests with FT key derivation [40/40] tests: Add module tests for PASN PTK derivation

Message ID

20191215093438.10120-20-ilan.peer@intel.com

State

Changes Requested

Headers

From: Ilan Peer <ilan.peer@intel.com>
To: hostap@lists.infradead.org
Subject: [PATCH 19/40] WPA: Add PTKSA cache to wpa_supplicant for PASN
Date: Sun, 15 Dec 2019 11:34:17 +0200
Message-Id: <20191215093438.10120-20-ilan.peer@intel.com>
In-Reply-To: <20191215093438.10120-1-ilan.peer@intel.com>
References: <20191215093438.10120-1-ilan.peer@intel.com>
Precedence: list
Cc: Ilan Peer <ilan.peer@intel.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: "Hostap" <hostap-bounces@lists.infradead.org>
Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org

Series

Support for Pre association Security Negotiation (PASN) | expand

Commit Message

Peer, Ilan Dec. 15, 2019, 9:34 a.m. UTC

PASN requires to store the PTK derived during PASN authentication
so it can later be used for secure LTF etc. This is also true
for a PTK derived during regular connection.

Add an instance of a PTKSA cache for each wpa_supplicant
interface when PASN is enabled in build configuration.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
---
 src/rsn_supp/wpa.c                |  6 ++++++
 src/rsn_supp/wpa.h                |  2 ++
 src/rsn_supp/wpa_ft.c             |  2 ++
 src/rsn_supp/wpa_i.h              |  8 ++++++++
 wpa_supplicant/Makefile           |  2 ++
 wpa_supplicant/events.c           |  3 +++
 wpa_supplicant/wpa_supplicant.c   |  3 +++
 wpa_supplicant/wpa_supplicant_i.h |  2 ++
 wpa_supplicant/wpas_glue.c        | 29 ++++++++++++++++++++++++++---
 9 files changed, 54 insertions(+), 3 deletions(-)

diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
index f63c9f4787..552e548279 100644
--- a/src/rsn_supp/wpa.c
+++ b/src/rsn_supp/wpa.c
@@ -835,6 +835,9 @@  static int wpa_supplicant_install_ptk(struct wpa_sm *sm,
 		return -1;
 	}
 
+	wpa_sm_store_ptk(sm, sm->bssid, sm->pairwise_cipher,
+			 sm->dot11RSNAConfigPMKLifetime, &sm->ptk);
+
 	/* TK is not needed anymore in supplicant */
 	os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
 	sm->ptk.tk_len = 0;
@@ -4580,6 +4583,9 @@  int fils_process_assoc_resp(struct wpa_sm *sm, const u8 *resp, size_t len)
 		goto fail;
 	}
 
+	wpa_sm_store_ptk(sm, sm->bssid, sm->pairwise_cipher,
+			 sm->dot11RSNAConfigPMKLifetime, &sm->ptk);
+
 	/* TODO: TK could be cleared after auth frame exchange now that driver
 	 * takes care of association frame encryption/decryption. */
 	/* TK is not needed anymore in supplicant */
diff --git a/src/rsn_supp/wpa.h b/src/rsn_supp/wpa.h
index 162cdefbf0..a23b3a612f 100644
--- a/src/rsn_supp/wpa.h
+++ b/src/rsn_supp/wpa.h
@@ -84,6 +84,8 @@  struct wpa_sm_ctx {
 	void (*fils_hlp_rx)(void *ctx, const u8 *dst, const u8 *src,
 			    const u8 *pkt, size_t pkt_len);
 	int (*channel_info)(void *ctx, struct wpa_channel_info *ci);
+	void (*store_ptk)(void *ctx, u8 *addr, int cipher,
+			  u32 life_time, struct wpa_ptk *ptk);
 };
 
 
diff --git a/src/rsn_supp/wpa_ft.c b/src/rsn_supp/wpa_ft.c
index bf8166036b..aeec4194eb 100644
--- a/src/rsn_supp/wpa_ft.c
+++ b/src/rsn_supp/wpa_ft.c
@@ -429,6 +429,8 @@  static int wpa_ft_install_ptk(struct wpa_sm *sm, const u8 *bssid)
 		return -1;
 	}
 
+	wpa_sm_store_ptk(sm, sm->bssid, sm->pairwise_cipher,
+			 sm->dot11RSNAConfigPMKLifetime, &sm->ptk);
 	return 0;
 }
 
diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h
index 27fed89573..f99e2b6f16 100644
--- a/src/rsn_supp/wpa_i.h
+++ b/src/rsn_supp/wpa_i.h
@@ -416,6 +416,14 @@  static inline int wpa_sm_channel_info(struct wpa_sm *sm,
 	return sm->ctx->channel_info(sm->ctx->ctx, ci);
 }
 
+static inline void wpa_sm_store_ptk(struct wpa_sm *sm,
+				    u8 *addr, int cipher,
+				    u32 life_time, struct wpa_ptk *ptk)
+{
+	if (sm->ctx->store_ptk)
+		sm->ctx->store_ptk(sm->ctx->ctx, addr, cipher, life_time,
+				   ptk);
+}
 
 int wpa_eapol_key_send(struct wpa_sm *sm, struct wpa_ptk *ptk,
 		       int ver, const u8 *dest, u16 proto,
diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
index fea7fc66ff..765f43c580 100644
--- a/wpa_supplicant/Makefile
+++ b/wpa_supplicant/Makefile
@@ -387,6 +387,8 @@  NEED_HMAC_SHA256_KDF=y
 NEED_HMAC_SHA384_KDF=y
 NEED_SHA256=y
 NEED_SHA384=y
+OBJS += ../src/common/ptksa_cache.o
+CFLAGS += -DCONFIG_PTKSA_CACHE
 endif
 
 ifdef CONFIG_WIFI_DISPLAY
diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c
index 852f41e40d..5d2c072782 100644
--- a/wpa_supplicant/events.c
+++ b/wpa_supplicant/events.c
@@ -49,6 +49,7 @@ 
 #include "mesh_mpm.h"
 #include "wmm_ac.h"
 #include "dpp_supplicant.h"
+#include "common/ptksa_cache.h"
 
 
 #define MAX_OWE_TRANSITION_BSS_SELECT_COUNT 5
@@ -3182,6 +3183,8 @@  static void wpa_supplicant_event_disassoc_finish(struct wpa_supplicant *wpa_s,
 	if (wpa_s->wpa_state >= WPA_AUTHENTICATING)
 		wpas_connection_failed(wpa_s, bssid);
 	wpa_sm_notify_disassoc(wpa_s->wpa);
+	ptksa_cache_flush(wpa_s->ptksa, wpa_s->bssid, WPA_CIPHER_NONE);
+
 	if (locally_generated)
 		wpa_s->disconnect_reason = -reason_code;
 	else
diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c
index 0fee3c951a..c6dc7a0ea8 100644
--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c
@@ -63,6 +63,7 @@ 
 #include "wpas_kay.h"
 #include "mesh.h"
 #include "dpp_supplicant.h"
+#include "common/ptksa_cache.h"
 #ifdef CONFIG_MESH
 #include "ap/ap_config.h"
 #include "ap/hostapd.h"
@@ -535,6 +536,8 @@  static void wpa_supplicant_cleanup(struct wpa_supplicant *wpa_s)
 
 	wmm_ac_clear_saved_tspecs(wpa_s);
 	pmksa_candidate_free(wpa_s->wpa);
+	ptksa_cache_deinit(wpa_s->ptksa);
+	wpa_s->ptksa = NULL;
 	wpa_sm_deinit(wpa_s->wpa);
 	wpa_s->wpa = NULL;
 	wpa_blacklist_clear(wpa_s);
diff --git a/wpa_supplicant/wpa_supplicant_i.h b/wpa_supplicant/wpa_supplicant_i.h
index db46c02ce1..4c7ee128d4 100644
--- a/wpa_supplicant/wpa_supplicant_i.h
+++ b/wpa_supplicant/wpa_supplicant_i.h
@@ -600,6 +600,8 @@  struct wpa_supplicant {
 	int interface_removed; /* whether the network interface has been
 				* removed */
 	struct wpa_sm *wpa;
+	struct ptksa_cache *ptksa;
+
 	struct eapol_sm *eapol;
 
 	struct ctrl_iface_priv *ctrl_iface;
diff --git a/wpa_supplicant/wpas_glue.c b/wpa_supplicant/wpas_glue.c
index 43c0153c62..63d7a656ab 100644
--- a/wpa_supplicant/wpas_glue.c
+++ b/wpa_supplicant/wpas_glue.c
@@ -28,7 +28,7 @@ 
 #include "scan.h"
 #include "notify.h"
 #include "wpas_kay.h"
-
+#include "common/ptksa_cache.h"
 
 #ifndef CONFIG_NO_CONFIG_BLOBS
 #if defined(IEEE8021X_EAPOL) || !defined(CONFIG_NO_WPA)
@@ -1193,6 +1193,15 @@  static int wpa_supplicant_channel_info(void *_wpa_s,
 	return wpa_drv_channel_info(wpa_s, ci);
 }
 
+
+static void wpa_supplicant_store_ptk(void *ctx, u8 *addr, int cipher,
+				     u32 life_time, struct wpa_ptk *ptk)
+{
+	struct wpa_supplicant *wpa_s = ctx;
+
+	ptksa_cache_add(wpa_s->ptksa, addr, cipher, life_time, ptk);
+}
+
 #endif /* CONFIG_NO_WPA */
 
 
@@ -1200,9 +1209,20 @@  int wpa_supplicant_init_wpa(struct wpa_supplicant *wpa_s)
 {
 #ifndef CONFIG_NO_WPA
 	struct wpa_sm_ctx *ctx;
+
+	wpa_s->ptksa = ptksa_cache_init();
+	if (!wpa_s->ptksa) {
+		wpa_printf(MSG_ERROR, "Failed to allocate PTKSA");
+		return -1;
+	}
+
 	ctx = os_zalloc(sizeof(*ctx));
 	if (ctx == NULL) {
 		wpa_printf(MSG_ERROR, "Failed to allocate WPA context.");
+
+		ptksa_cache_deinit(wpa_s->ptksa);
+		wpa_s->ptksa = NULL;
+
 		return -1;
 	}
 
@@ -1244,12 +1264,15 @@  int wpa_supplicant_init_wpa(struct wpa_supplicant *wpa_s)
 	ctx->key_mgmt_set_pmk = wpa_supplicant_key_mgmt_set_pmk;
 	ctx->fils_hlp_rx = wpa_supplicant_fils_hlp_rx;
 	ctx->channel_info = wpa_supplicant_channel_info;
+	ctx->store_ptk = wpa_supplicant_store_ptk;
 
 	wpa_s->wpa = wpa_sm_init(ctx);
 	if (wpa_s->wpa == NULL) {
-		wpa_printf(MSG_ERROR, "Failed to initialize WPA state "
-			   "machine");
+		wpa_printf(MSG_ERROR,
+			   "Failed to initialize WPA state machine");
 		os_free(ctx);
+		ptksa_cache_deinit(wpa_s->ptksa);
+		wpa_s->ptksa = NULL;
 		return -1;
 	}
 #endif /* CONFIG_NO_WPA */

[19/40] WPA: Add PTKSA cache to wpa_supplicant for PASN

Commit Message

Patch