From patchwork Thu Jan 21 15:40:33 2021
X-Patchwork-Submitter: Andrei Otcheretianski
X-Patchwork-Id: 1429921
From: Andrei Otcheretianski
To: hostap@lists.infradead.org
Subject: [PATCH 1/2] WPA: Ignore RSNX element in WPA connection
Date: Thu, 21 Jan 2021 17:40:33 +0200
Message-Id: <20210121154037.32654-2-andrei.otcheretianski@intel.com>
In-Reply-To: <20210121154037.32654-1-andrei.otcheretianski@intel.com>
References: <20210121154037.32654-1-andrei.otcheretianski@intel.com>

When an AP publishes both RSN, RSNX and WPA IE, it incorrectly removes
the RSN IE in the EAPOL 3/4 message if the STA associates with WPA,
leaving only RSNXE instead of WPA IE. WPA STA fails to connect to such
AP as the WPA IE is missing.
Since RSNX is not really needed in non RSN connection, just remove it.
In addition, make sure that the non RSN STA doesn't store and validate
RSNX element which would be "missing" now in EAPOL 3/4 message.

Signed-off-by: Andrei Otcheretianski
---
 src/ap/wpa_auth.c  | 4 ++++
 src/rsn_supp/wpa.c | 6 ++++--
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c index 82a97468d6..6e0d7097c9 100644 --- a/src/ap/wpa_auth.c +++ b/src/ap/wpa_auth.c @@ -3353,6 +3353,8 @@ SM_STATE(WPA_PTK, PTKINITNEGOTIATING) wpa_ie_len > wpa_ie[1] + 2U && wpa_ie[0] == WLAN_EID_RSN) { /* WPA-only STA, remove RSN IE and possible MDIE */ wpa_ie = wpa_ie + wpa_ie[1] + 2; + if (wpa_ie[0] == WLAN_EID_RSNX) + wpa_ie = wpa_ie + wpa_ie[1] + 2; if (wpa_ie[0] == WLAN_EID_MOBILITY_DOMAIN) wpa_ie = wpa_ie + wpa_ie[1] + 2; wpa_ie_len = wpa_ie[1] + 2; @@ -5355,6 +5357,8 @@ int wpa_auth_resend_m3(struct wpa_state_machine *sm, wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) { /* WPA-only STA, remove RSN IE and possible MDIE */ wpa_ie = wpa_ie + wpa_ie[1] + 2; + if (wpa_ie[0] == WLAN_EID_RSNX) + wpa_ie = wpa_ie + wpa_ie[1] + 2; if (wpa_ie[0] == WLAN_EID_MOBILITY_DOMAIN) wpa_ie = wpa_ie + wpa_ie[1] + 2; wpa_ie_len = wpa_ie[1] + 2; diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c index e07527ba57..cb7de585f4 100644 --- a/src/rsn_supp/wpa.c +++ b/src/rsn_supp/wpa.c 
@@ -3701,13 +3701,15 @@ int wpa_sm_set_ap_rsnxe(struct wpa_sm *sm, const u8 *ie, size_t len) if (!sm) return -1; - os_free(sm->ap_rsnxe); if (!ie || len == 0) { wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: clearing AP RSNXE"); + os_free(sm->ap_rsnxe); sm->ap_rsnxe = NULL; sm->ap_rsnxe_len = 0; - } else { + } else if (sm->proto == WPA_PROTO_RSN) { + /* Store RSNXE for RSN connections only */ wpa_hexdump(MSG_DEBUG, "WPA: set AP RSNXE", ie, len); + os_free(sm->ap_rsnxe); sm->ap_rsnxe = os_memdup(ie, len); if (!sm->ap_rsnxe) return -1;

From patchwork Thu Jan 21 15:40:37 2021
X-Patchwork-Submitter: Andrei Otcheretianski
X-Patchwork-Id: 1429920
From: Andrei Otcheretianski
To: hostap@lists.infradead.org
Subject: [PATCH 2/2] tests: Add mixed SAE/WPA-PSK AP test
Date: Thu, 21 Jan 2021 17:40:37 +0200
Message-Id: <20210121154037.32654-6-andrei.otcheretianski@intel.com>
In-Reply-To: <20210121154037.32654-1-andrei.otcheretianski@intel.com>
References: <20210121154037.32654-1-andrei.otcheretianski@intel.com>

Verify WPA-PSK/TKIP connection on SAE configured AP.

Signed-off-by: Andrei Otcheretianski
---
 tests/hwsim/test_ap_ciphers.py | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/tests/hwsim/test_ap_ciphers.py b/tests/hwsim/test_ap_ciphers.py index d9f827aafc..eea17c1449 100644 --- a/tests/hwsim/test_ap_ciphers.py +++ b/tests/hwsim/test_ap_ciphers.py
@@ -414,6 +414,35 @@ def test_ap_cipher_mixed_wpa_wpa2(dev, apdev): hwsim_utils.test_connectivity(dev[1], hapd) hwsim_utils.test_connectivity(dev[0], dev[1]) +@remote_compatible +def test_ap_cipher_wpa_sae(dev, apdev): + """WPA-PSK/TKIP and SAE mixed AP - WPA IE and RSNXE coexistence""" + skip_with_fips(dev[0]) + skip_without_tkip(dev[0]) + ssid = "test-wpa-sae" + passphrase = "12345678" + params = {"ssid": ssid, + "wpa_passphrase": passphrase, + "wpa": "3", + "wpa_key_mgmt": "WPA-PSK SAE", + "rsn_pairwise": "CCMP", + "wpa_pairwise": "TKIP", + "sae_pwe": "1"} + hapd = hostapd.add_ap(apdev[0], params) + dev[0].flush_scan_cache() + + dev[0].connect(ssid, psk=passphrase, proto="WPA", + pairwise="TKIP", group="TKIP", scan_freq="2412") + status = dev[0].get_status() + if status['key_mgmt'] != 'WPA-PSK': + raise Exception("Incorrect key_mgmt reported") + if status['pairwise_cipher'] != 'TKIP': + raise Exception("Incorrect pairwise_cipher reported") + if status['group_cipher'] != 'TKIP': + raise Exception("Incorrect group_cipher reported") + hapd.wait_sta() + hwsim_utils.test_connectivity(dev[0], hapd) + @remote_compatible def test_ap_cipher_bip(dev, apdev): """WPA2-PSK with BIP"""
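
Review bot: In SM_STATE(WPA_PTK, PTKINITNEGOTIATING) in src/ap/wpa_auth.c ([PATCH 1/2], hunk at -3353), the new `if (wpa_ie[0] == WLAN_EID_RSNX)` skip reads wpa_ie[0] and wpa_ie[1] and advances the pointer without checking how many bytes remain. The only length guard visible in the hunk, `wpa_ie_len > wpa_ie[1] + 2U`, is evaluated against the RSN IE before any skipping, so it shows that something follows the RSN IE but not that anything follows the RSNXE. Nothing in the hunk guarantees another element after the RSNXE; if it were the last one in the buffer, the MDIE check and `wpa_ie_len = wpa_ie[1] + 2` would read past the end. Suggest tracking the remaining length as each element is skipped and stopping when fewer than two bytes, or fewer than wpa_ie[1] + 2 bytes, are left.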
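
Review bot: wpa_auth_resend_m3() in src/ap/wpa_auth.c ([PATCH 1/2], hunk at -5355) now carries a second copy of the RSN IE / RSNXE / MDIE skip sequence, the same as the one in PTKINITNEGOTIATING, and the two copies already differ in their context (`wpa_ie[1] + 2U` there, `wpa_ie[1] + 2` here). Suggest moving the skip into one static helper called from both places, so that the next element added to the list cannot be missed in one of them. The comment `/* WPA-only STA, remove RSN IE and possible MDIE */` is stale after this change in both places and should name RSNXE.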
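
Review bot: In wpa_sm_set_ap_rsnxe() in src/rsn_supp/wpa.c ([PATCH 1/2], hunk at -3701), a call with a non-empty ie while sm->proto is not WPA_PROTO_RSN now matches neither branch, and because os_free(sm->ap_rsnxe) was moved inside the branches, whatever RSNXE was stored earlier stays in sm->ap_rsnxe and sm->ap_rsnxe_len. A value left over from a previous RSN association could then still be present during a later WPA one. Suggest clearing the stored element in that case (free, set to NULL, zero the length) and adding a wpa_dbg line saying the RSNXE was ignored, so the skip is visible in debug logs. The new branch also relies on sm->proto being set before this function is called; a short comment stating that ordering requirement would help.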
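
Review bot: test_ap_cipher_wpa_sae() in tests/hwsim/test_ap_ciphers.py ([PATCH 2/2]) only associates a WPA-PSK/TKIP station (dev[0]), so it covers the path where the RSNXE is stripped but not the RSN side of the "coexistence" named in the docstring. Suggest also connecting dev[1] with SAE to the same AP and checking its reported key_mgmt, which would catch a regression where the RSNXE is dropped or no longer validated for RSN stations after the change in [PATCH 1/2].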