[32/40] AP: Rename SAE anti clogging variables and functions

Message ID	20191215093438.10120-33-ilan.peer@intel.com
State	Changes Requested
Headers	show Return-Path: <hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org> From: Ilan Peer <ilan.peer@intel.com> To: hostap@lists.infradead.org Subject: [PATCH 32/40] AP: Rename SAE anti clogging variables and functions Date: Sun, 15 Dec 2019 11:34:30 +0200 Message-Id: <20191215093438.10120-33-ilan.peer@intel.com> In-Reply-To: <20191215093438.10120-1-ilan.peer@intel.com> References: <20191215093438.10120-1-ilan.peer@intel.com> summary: Content analysis details: (-2.3 points) pts rule name description ---- ---------------------- -------------------------------------------------- -2.3 RCVD_IN_DNSWL_MED RBL: Sender listed at https://www.dnswl.org/, medium trust [192.55.52.43 listed in list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record Precedence: list Cc: Ilan Peer <ilan.peer@intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "Hostap" <hostap-bounces@lists.infradead.org> Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org
Series	Support for Pre association Security Negotiation (PASN) \| expand [00/40] Support for Pre association Security Negotiation (PASN) [02/40] driver: Extend send_mlme() with wait option [03/40] nl80211: Allow off-channel in send_mlme() [04/40] nl80211: Allow Tx status for authentication frames [05/40] nl80211: Always register for Rx authentication frames with PASN [06/40] WPA: Extend the wpa_pmk_to_ptk() function to also derive HLTK [07/40] FT: Extend the wpa_pmk_r1_to_ptk() function to also derive HLTK [08/40] WPA: Extend the fils_pmk_to_ptk() function to also derive HLTK [09/40] PASN: Add functions to compute PTK, MIC and hash [10/40] crypto: Add a function to get the ECDH prime len [11/40] WPA: Rename FILS wrapped data [12/40] common: Add support for element defragmentation [13/40] PASN: Add some specification definitions [14/40] PASN: Add common authentication frame build/validation functions [15/40] common: Add PASN parsing to ieee802_11_parse_extension() [16/40] common: Allow WPA_CIPHER_GTK_NOT_USED in RSNE parsing [17/40] WPA: Add a function to get PMKSA cache entry [18/40] WPA: Add PTKSA cache implementation [19/40] WPA: Add PTKSA cache to wpa_supplicant for PASN [20/40] PASN: Add support for PASN processing to the wpa_supplicant [21/40] ctrl_iface: Add support for PASN authentication [22/40] AP: Add support for configuring PASN [23/40] WPA_AUTH: Add PTKSA cache to hostapd [24/40] AP: Add support for PASN processing to the SME [25/40] tests: Add PASN test coverage [26/40] PASN: Support PASN with SAE key derivation [27/40] AP: Support PASN with SAE key derivation [28/40] tests: Add PASN tests with SAE [29/40] PASN: Support PASN with FILS key derivation [30/40] AP: Support PASN with FILS key derivation [31/40] tests: Add PASN with FILS tests [32/40] AP: Rename SAE anti clogging variables and functions [33/40] AP: Move anti clogging handling code [34/40] AP: Add support for PASN comeback flow [35/40] PASN: Add support for comeback flow to the wpa_supplicant [36/40] tests: Add PASN test with comeback flow [37/40] PASN: Support PASN with FT key derivation [38/40] AP: Support PASN with FT key derivation [39/40] tests: Add PASN tests with FT key derivation [40/40] tests: Add module tests for PASN PTK derivation

diff --git a/hostapd/config_file.c b/hostapd/config_file.c index 90c24d806b..e8b1d544d2 100644 --- a/hostapd/config_file.c +++ b/hostapd/config_file.c @@ -4178,8 +4178,8 @@ static int hostapd_config_fill(struct hostapd_config *conf, } else if (os_strcmp(buf, "assocresp_elements") == 0) { if (parse_wpabuf_hex(line, buf, &bss->assocresp_elements, pos)) return 1; - } else if (os_strcmp(buf, "sae_anti_clogging_threshold") == 0) { - bss->sae_anti_clogging_threshold = atoi(pos); + } else if (os_strcmp(buf, "anti_clogging_threshold") == 0) { + bss->anti_clogging_threshold = atoi(pos); } else if (os_strcmp(buf, "sae_sync") == 0) { bss->sae_sync = atoi(pos); } else if (os_strcmp(buf, "sae_groups") == 0) { diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c index c6a63c6ca7..72ee55d2e4 100644 --- a/src/ap/ap_config.c +++ b/src/ap/ap_config.c @@ -111,7 +111,7 @@ void hostapd_config_defaults_bss(struct hostapd_bss_config *bss) bss->radius_das_time_window = 300; - bss->sae_anti_clogging_threshold = 5; + bss->anti_clogging_threshold = 5; bss->sae_sync = 5; bss->gas_frag_limit = 1400; diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h index af9e86fb6e..473bf869ba 100644 --- a/src/ap/ap_config.h +++ b/src/ap/ap_config.h @@ -648,7 +648,7 @@ struct hostapd_bss_config { struct wpabuf *vendor_elements; struct wpabuf *assocresp_elements; - unsigned int sae_anti_clogging_threshold; + unsigned int anti_clogging_threshold; unsigned int sae_sync; int sae_require_mfp; int sae_confirm_immediate; diff --git a/src/ap/hostapd.h b/src/ap/hostapd.h index f5a7a5b658..d82ac08c7b 100644 --- a/src/ap/hostapd.h +++ b/src/ap/hostapd.h @@ -318,10 +318,10 @@ struct hostapd_data { #ifdef CONFIG_SAE /** Key used for generating SAE anti-clogging tokens */ - u8 sae_token_key[8]; - struct os_reltime last_sae_token_key_update; - u16 sae_token_idx; - u16 sae_pending_token_idx[256]; + u8 comeback_key[8]; + struct os_reltime last_comeback_key_update; + u16 comeback_idx; + u16 comeback_pending_idx[256]; int dot11RSNASAERetransPeriod; /* msec */ struct dl_list sae_commit_queue; /* struct hostapd_sae_commit_queue */ #endif /* CONFIG_SAE */ diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c index 6b36ec0d84..20d65b257f 100644 --- a/src/ap/ieee802_11.c +++ b/src/ap/ieee802_11.c @@ -584,12 +584,12 @@ static int auth_sae_send_confirm(struct hostapd_data *hapd, } -static int use_sae_anti_clogging(struct hostapd_data *hapd) +static int use_anti_clogging(struct hostapd_data *hapd) { struct sta_info *sta; unsigned int open = 0; - if (hapd->conf->sae_anti_clogging_threshold == 0) + if (hapd->conf->anti_clogging_threshold == 0) return 1; for (sta = hapd->sta_list; sta; sta = sta->next) { @@ -599,7 +599,7 @@ static int use_sae_anti_clogging(struct hostapd_data *hapd) sta->sae->state != SAE_CONFIRMED) continue; open++; - if (open >= hapd->conf->sae_anti_clogging_threshold) + if (open >= hapd->conf->anti_clogging_threshold) return 1; } @@ -607,25 +607,25 @@ static int use_sae_anti_clogging(struct hostapd_data *hapd) * there are enough pending commit messages in the processing queue to * potentially result in too many open sessions. */ if (open + dl_list_len(&hapd->sae_commit_queue) >= - hapd->conf->sae_anti_clogging_threshold) + hapd->conf->anti_clogging_threshold) return 1; return 0; } -static u8 sae_token_hash(struct hostapd_data *hapd, const u8 *addr) +static u8 comeback_token_hash(struct hostapd_data *hapd, const u8 *addr) { u8 hash[SHA256_MAC_LEN]; - hmac_sha256(hapd->sae_token_key, sizeof(hapd->sae_token_key), + hmac_sha256(hapd->comeback_key, sizeof(hapd->comeback_key), addr, ETH_ALEN, hash); return hash[0]; } -static int check_sae_token(struct hostapd_data *hapd, const u8 *addr, - const u8 *token, size_t token_len) +static int check_comeback_token(struct hostapd_data *hapd, const u8 *addr, + const u8 *token, size_t token_len) { u8 mac[SHA256_MAC_LEN]; const u8 *addrs[2]; @@ -635,10 +635,11 @@ static int check_sae_token(struct hostapd_data *hapd, const u8 *addr, if (token_len != SHA256_MAC_LEN) return -1; - idx = sae_token_hash(hapd, addr); - token_idx = hapd->sae_pending_token_idx[idx]; + idx = comeback_token_hash(hapd, addr); + token_idx = hapd->comeback_pending_idx[idx]; if (token_idx == 0 || token_idx != WPA_GET_BE16(token)) { - wpa_printf(MSG_DEBUG, "SAE: Invalid anti-clogging token from " + wpa_printf(MSG_DEBUG, + "Comeback: Invalid anti-clogging token from " MACSTR " - token_idx 0x%04x, expected 0x%04x", MAC2STR(addr), WPA_GET_BE16(token), token_idx); return -1; @@ -648,12 +649,12 @@ static int check_sae_token(struct hostapd_data *hapd, const u8 *addr, len[0] = ETH_ALEN; addrs[1] = token; len[1] = 2; - if (hmac_sha256_vector(hapd->sae_token_key, sizeof(hapd->sae_token_key), + if (hmac_sha256_vector(hapd->comeback_key, sizeof(hapd->comeback_key), 2, addrs, len, mac) < 0 || os_memcmp_const(token + 2, &mac[2], SHA256_MAC_LEN - 2) != 0) return -1; - hapd->sae_pending_token_idx[idx] = 0; /* invalidate used token */ + hapd->comeback_pending_idx[idx] = 0; /* invalidate used token */ return 0; } @@ -672,18 +673,19 @@ static struct wpabuf * auth_build_token_req(struct hostapd_data *hapd, u16 token_idx; os_get_reltime(&now); - if (!os_reltime_initialized(&hapd->last_sae_token_key_update) || - os_reltime_expired(&now, &hapd->last_sae_token_key_update, 60) || - hapd->sae_token_idx == 0xffff) { - if (random_get_bytes(hapd->sae_token_key, - sizeof(hapd->sae_token_key)) < 0) + if (!os_reltime_initialized(&hapd->last_comeback_key_update) || + os_reltime_expired(&now, &hapd->last_comeback_key_update, 60) || + hapd->comeback_idx == 0xffff) { + if (random_get_bytes(hapd->comeback_key, + sizeof(hapd->comeback_key)) < 0) return NULL; - wpa_hexdump(MSG_DEBUG, "SAE: Updated token key", - hapd->sae_token_key, sizeof(hapd->sae_token_key)); - hapd->last_sae_token_key_update = now; - hapd->sae_token_idx = 0; - os_memset(hapd->sae_pending_token_idx, 0, - sizeof(hapd->sae_pending_token_idx)); + wpa_hexdump(MSG_DEBUG, + "Comeback: Updated token key", + hapd->comeback_key, sizeof(hapd->comeback_key)); + hapd->last_comeback_key_update = now; + hapd->comeback_idx = 0; + os_memset(hapd->comeback_pending_idx, 0, + sizeof(hapd->comeback_pending_idx)); } buf = wpabuf_alloc(sizeof(le16) + SHA256_MAC_LEN); @@ -692,12 +694,12 @@ static struct wpabuf * auth_build_token_req(struct hostapd_data *hapd, wpabuf_put_le16(buf, group); /* Finite Cyclic Group */ - p_idx = sae_token_hash(hapd, addr); - token_idx = hapd->sae_pending_token_idx[p_idx]; + p_idx = comeback_token_hash(hapd, addr); + token_idx = hapd->comeback_pending_idx[p_idx]; if (!token_idx) { - hapd->sae_token_idx++; - token_idx = hapd->sae_token_idx; - hapd->sae_pending_token_idx[p_idx] = token_idx; + hapd->comeback_idx++; + token_idx = hapd->comeback_idx; + hapd->comeback_pending_idx[p_idx] = token_idx; } WPA_PUT_BE16(idx, token_idx); token = wpabuf_put(buf, SHA256_MAC_LEN); @@ -705,7 +707,7 @@ static struct wpabuf * auth_build_token_req(struct hostapd_data *hapd, len[0] = ETH_ALEN; addrs[1] = idx; len[1] = sizeof(idx); - if (hmac_sha256_vector(hapd->sae_token_key, sizeof(hapd->sae_token_key), + if (hmac_sha256_vector(hapd->comeback_key, sizeof(hapd->comeback_key), 2, addrs, len, token) < 0) { wpabuf_free(buf); return NULL; @@ -1305,7 +1307,8 @@ static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta, goto remove_sta; } - if (token && check_sae_token(hapd, sta->addr, token, token_len) + if (token && check_comeback_token(hapd, sta->addr, token, + token_len) < 0) { wpa_printf(MSG_DEBUG, "SAE: Drop commit message with " "incorrect token from " MACSTR, @@ -1324,7 +1327,7 @@ static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta, goto reply; } - if (!token && use_sae_anti_clogging(hapd) && !allow_reuse) { + if (!token && use_anti_clogging(hapd) && !allow_reuse) { wpa_printf(MSG_DEBUG, "SAE: Request anti-clogging token from " MACSTR, MAC2STR(sta->addr)); diff --git a/tests/hwsim/test_sae.py b/tests/hwsim/test_sae.py index 7e9120c355..6b386c60b0 100644 --- a/tests/hwsim/test_sae.py +++ b/tests/hwsim/test_sae.py @@ -258,7 +258,7 @@ def test_sae_anti_clogging(dev, apdev): raise HwsimSkip("SAE not supported") params = hostapd.wpa2_params(ssid="test-sae", passphrase="12345678") params['wpa_key_mgmt'] = 'SAE' - params['sae_anti_clogging_threshold'] = '1' + params['anti_clogging_threshold'] = '1' hostapd.add_ap(apdev[0], params) dev[0].request("SET sae_groups ") @@ -279,7 +279,7 @@ def test_sae_forced_anti_clogging(dev, apdev): raise HwsimSkip("SAE not supported") params = hostapd.wpa2_params(ssid="test-sae", passphrase="12345678") params['wpa_key_mgmt'] = 'SAE WPA-PSK' - params['sae_anti_clogging_threshold'] = '0' + params['anti_clogging_threshold'] = '0' hostapd.add_ap(apdev[0], params) dev[2].connect("test-sae", psk="12345678", scan_freq="2412") for i in range(0, 2): @@ -293,7 +293,7 @@ def test_sae_mixed(dev, apdev): raise HwsimSkip("SAE not supported") params = hostapd.wpa2_params(ssid="test-sae", passphrase="12345678") params['wpa_key_mgmt'] = 'SAE WPA-PSK' - params['sae_anti_clogging_threshold'] = '0' + params['anti_clogging_threshold'] = '0' hapd = hostapd.add_ap(apdev[0], params) dev[2].connect("test-sae", psk="12345678", scan_freq="2412") @@ -1671,7 +1671,7 @@ def test_sae_forced_anti_clogging_pw_id(dev, apdev): raise HwsimSkip("SAE not supported") params = hostapd.wpa2_params(ssid="test-sae") params['wpa_key_mgmt'] = 'SAE' - params['sae_anti_clogging_threshold'] = '0' + params['anti_clogging_threshold'] = '0' params['sae_password'] = 'secret|id=' + 29*'A' hostapd.add_ap(apdev[0], params) for i in range(0, 2):

[32/40] AP: Rename SAE anti clogging variables and functions

Commit Message

Patch