From patchwork Thu Apr 8 09:06:20 2021
X-Patchwork-Submitter: "Peer, Ilan"
X-Patchwork-Id: 1463689
From: Ilan Peer
To: hostap@lists.infradead.org
Cc: Ilan Peer
Subject: [PATCH 1/5] PASN: Derive KDK only when required
Date: Thu, 8 Apr 2021 12:06:20 +0300
Message-Id: <20210408090624.9490-1-ilan.peer@intel.com>

When a PTK derivation is done as part of PASN authentication flow, a KDK derivation should be done iff higher layer protocol is supported by both parties.
Fix the code accordingly, so KDK would be derived iff both sides support Secure LTF. Signed-off-by: Ilan Peer --- src/ap/ieee802_11.c | 15 +++++++++++++-- src/ap/sta_info.h | 1 + wpa_supplicant/pasn_supplicant.c | 15 ++++++++++++++- wpa_supplicant/wpa_supplicant_i.h | 1 + 4 files changed, 29 insertions(+), 3 deletions(-) diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c index 877d03e3aa..e4dd2b4b3f 100644 --- a/src/ap/ieee802_11.c +++ b/src/ap/ieee802_11.c @@ -2646,7 +2646,7 @@ static void pasn_fils_auth_resp(struct hostapd_data *hapd, wpabuf_head(pasn->secret), wpabuf_len(pasn->secret), &sta->pasn->ptk, sta->pasn->akmp, - sta->pasn->cipher, WPA_KDK_MAX_LEN); + sta->pasn->cipher, sta->pasn->kdk_len); if (ret) { wpa_printf(MSG_DEBUG, "PASN: FILS: Failed to derive PTK"); goto fail; @@ -2883,7 +2883,7 @@ pasn_derive_keys(struct hostapd_data *hapd, struct sta_info *sta, ret = pasn_pmk_to_ptk(pmk, pmk_len, sta->addr, hapd->own_addr, wpabuf_head(secret), wpabuf_len(secret), &sta->pasn->ptk, sta->pasn->akmp, - sta->pasn->cipher, WPA_KDK_MAX_LEN); + sta->pasn->cipher, sta->pasn->kdk_len); if (ret) { wpa_printf(MSG_DEBUG, "PASN: Failed to derive PTK"); return -1; @@ -3151,6 +3151,17 @@ static void handle_auth_pasn_1(struct hostapd_data *hapd, struct sta_info *sta, sta->pasn->akmp = rsn_data.key_mgmt; sta->pasn->cipher = rsn_data.pairwise_cipher; + if (hapd->conf->force_kdk_derivation || + ((hapd->iface->drv_flags2 & WPA_DRIVER_FLAGS2_SEC_LTF) && + elems.rsnxe && elems.rsnxe_len >= 2 && + (WPA_GET_LE16(elems.rsnxe) & BIT(WLAN_RSNX_CAPAB_SECURE_LTF)))) { + sta->pasn->kdk_len = WPA_KDK_MAX_LEN; + } else { + sta->pasn->kdk_len = 0; + } + + wpa_printf(MSG_DEBUG, "PASN: kdk_len=%zu", sta->pasn->kdk_len); + if (!elems.pasn_params || !elems.pasn_params_len) { wpa_printf(MSG_DEBUG, "PASN: No PASN Parameters element found"); diff --git a/src/ap/sta_info.h b/src/ap/sta_info.h index efa48e7e3d..27e72f9a01 100644 --- a/src/ap/sta_info.h +++ b/src/ap/sta_info.h 
@@ -88,6 +88,7 @@ struct pasn_data { u16 group; u8 trans_seq; u8 wrapped_data_format; + size_t kdk_len; u8 hash[SHA384_MAC_LEN]; struct wpa_ptk ptk; diff --git a/wpa_supplicant/pasn_supplicant.c b/wpa_supplicant/pasn_supplicant.c index 53ba21c5a8..c0db686dfe 100644 --- a/wpa_supplicant/pasn_supplicant.c +++ b/wpa_supplicant/pasn_supplicant.c @@ -1052,6 +1052,19 @@ static int wpas_pasn_start(struct wpa_supplicant *wpa_s, const u8 *bssid, pasn->cipher = cipher; pasn->group = group; pasn->freq = freq; + + if (wpa_s->conf->force_kdk_derivation || + (wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SEC_LTF && + beacon_rsnxe && beacon_rsnxe_len >= 4 && + (WPA_GET_LE16(beacon_rsnxe + 2) & + BIT(WLAN_RSNX_CAPAB_SECURE_LTF)))) { + pasn->kdk_len = WPA_KDK_MAX_LEN; + } else { + pasn->kdk_len = 0; + } + + wpa_printf(MSG_DEBUG, "PASN: kdk_len=%zu", pasn->kdk_len); + os_memcpy(pasn->bssid, bssid, ETH_ALEN); wpa_printf(MSG_DEBUG, @@ -1480,7 +1493,7 @@ int wpas_pasn_auth_rx(struct wpa_supplicant *wpa_s, wpa_s->own_addr, pasn->bssid, wpabuf_head(secret), wpabuf_len(secret), &pasn->ptk, pasn->akmp, pasn->cipher, - WPA_KDK_MAX_LEN); + pasn->kdk_len); if (ret) { wpa_printf(MSG_DEBUG, "PASN: Failed to derive PTK"); goto fail; diff --git a/wpa_supplicant/wpa_supplicant_i.h b/wpa_supplicant/wpa_supplicant_i.h index 8813ddb710..49007cfc2e 100644 --- a/wpa_supplicant/wpa_supplicant_i.h +++ b/wpa_supplicant/wpa_supplicant_i.h 
@@ -539,6 +539,7 @@ struct wpas_pasn { int cipher; u16 group; int freq; + size_t kdk_len; u8 trans_seq; u8 status; From patchwork Thu Apr 8 09:06:21 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Peer, Ilan" X-Patchwork-Id: 1463691 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.infradead.org (client-ip=2001:8b0:10b:1:d65d:64ff:fe57:4e05; helo=desiato.infradead.org; envelope-from=hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org; receiver=) Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; secure) header.d=lists.infradead.org header.i=@lists.infradead.org header.a=rsa-sha256 header.s=desiato.20200630 header.b=KjTfdvWk; dkim-atps=neutral Received: from desiato.infradead.org (desiato.infradead.org [IPv6:2001:8b0:10b:1:d65d:64ff:fe57:4e05]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4FGFld5bPnz9sWH for ; Thu, 8 Apr 2021 19:07:41 +1000 (AEST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=desiato.20200630; h=Sender:Content-Transfer-Encoding :Content-Type:MIME-Version:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:References:In-Reply-To:Message-Id:Date:Subject:Cc:To :From:Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=b1+17vCg2k7F3X9owDjttookrli8uULdy09SG4JIrc4=; b=KjTfdvWkjVs4k+r4oJGFlO7B4a ugi50EonjxjAHepcACNRLVLN3ft1uFNIpt+tMnMeW6lu4gPPdZoS9BJHWsQBGipleSu2JnZ4C1w9a AYrp+IdnKFdQiDLM39axz9ggRYSvI34kk6lVxgch9EINxRZmbsksea3/xdZBVgocpIo+EWsi6x2zc 
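Review bot: the two kdk_len decisions in handle_auth_pasn_1() and wpas_pasn_start() read the Secure LTF capability bit from different offsets (`WPA_GET_LE16(elems.rsnxe)` guarded by `rsnxe_len >= 2` on the AP side, `WPA_GET_LE16(beacon_rsnxe + 2)` guarded by `beacon_rsnxe_len >= 4` on the station side), which is only correct if `elems.rsnxe` points at the element payload while `beacon_rsnxe` still carries the two-byte element header; a one-line comment at each site saying which form the pointer has would keep a later reader from "fixing" one to match the other. Both sites should also note that the `force_kdk_derivation` branch bypasses the mutual-capability check, so a side that forces it against a peer that does not will pass a different length into pasn_pmk_to_ptk() than its peer does; the "iff both sides support Secure LTF" statement in the commit message only holds with the option unset. Minor: parenthesize `(wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SEC_LTF)` before the `&&` as the hostapd hunk does.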
From: Ilan Peer
To: hostap@lists.infradead.org
Cc: Ilan Peer
Subject: [PATCH 2/5] tests: Add coverage for PASN authentication with KDK derivation
Date: Thu, 8 Apr 2021 12:06:21 +0300
Message-Id: <20210408090624.9490-2-ilan.peer@intel.com>
In-Reply-To: <20210408090624.9490-1-ilan.peer@intel.com>
Signed-off-by: Ilan Peer --- tests/hwsim/test_pasn.py | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/tests/hwsim/test_pasn.py b/tests/hwsim/test_pasn.py index bf9343833b..150a21d01b 100644 --- a/tests/hwsim/test_pasn.py +++ b/tests/hwsim/test_pasn.py
@@ -803,3 +803,20 @@ def test_pasn_comeback_multi(dev, apdev): raise Exception("PASN: unexpected status") check_pasn_ptk(dev[i], hapd, "CCMP") + +def test_pasn_kdk_derivation(dev, apdev): + """PASN authentication with forced KDK derivation""" + check_pasn_capab(dev[0]) + + params = pasn_ap_params("PASN", "CCMP", "19") + hapd0 = start_pasn_ap(apdev[0], params) + + params['force_kdk_derivation'] = "1" + hapd1 = start_pasn_ap(apdev[1], params) + + try: + check_pasn_akmp_cipher(dev[0], hapd0, "PASN", "CCMP") + dev[0].set("force_kdk_derivation", "1") + check_pasn_akmp_cipher(dev[0], hapd1, "PASN", "CCMP") + finally: + dev[0].set("force_kdk_derivation", "0") From patchwork Thu Apr 8 09:06:22 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Peer, Ilan" X-Patchwork-Id: 1463688 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.infradead.org (client-ip=2001:8b0:10b:1:d65d:64ff:fe57:4e05; helo=desiato.infradead.org; envelope-from=hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org; receiver=) Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; secure) header.d=lists.infradead.org header.i=@lists.infradead.org header.a=rsa-sha256 header.s=desiato.20200630 header.b=BeaVDfs8; dkim-atps=neutral Received: from desiato.infradead.org (desiato.infradead.org [IPv6:2001:8b0:10b:1:d65d:64ff:fe57:4e05]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4FGFlW3S3Qz9sWH for ; Thu, 8 Apr 2021 19:07:35 +1000 (AEST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=desiato.20200630; h=Sender:Content-Transfer-Encoding 
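Review bot: test_pasn_kdk_derivation() only shows that authentication still succeeds when both sides force KDK derivation (hapd1 with `force_kdk_derivation=1` and dev[0] set to "1" before the second check); nothing in the test confirms that a KDK is actually derived against hapd1 and skipped against hapd0, since check_pasn_akmp_cipher() does not look at key lengths. Consider checking the derived key material in both runs (the existing check_pasn_ptk() helper used by test_pasn_comeback_multi() looks like the right hook) and adding a case where only dev[0] forces derivation against hapd0, which is the mismatch the new kdk_len logic in patch 1 makes possible.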
From: Ilan Peer
To: hostap@lists.infradead.org
Cc: Ilan Peer
Subject: [PATCH 3/5] tests: Use the correct SSID in PASN SAE tests
Date: Thu, 8 Apr 2021 12:06:22 +0300
Message-Id: <20210408090624.9490-3-ilan.peer@intel.com>
In-Reply-To: <20210408090624.9490-1-ilan.peer@intel.com>
@@ -386,7 +386,7 @@ def test_pasn_sae [...] Content analysis details: (-2.3 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -2.3 RCVD_IN_DNSWL_MED RBL: Sender listed at https://www.dnswl.org/, medium trust [134.134.136.24 listed in list.dnswl.org] 0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3) [134.134.136.24 listed in wl.mailspike.net] 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.0 RCVD_IN_MSPIKE_WL Mailspike good senders X-BeenThere: hostap@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: "Hostap" Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org Signed-off-by: Ilan Peer --- tests/hwsim/test_pasn.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/hwsim/test_pasn.py b/tests/hwsim/test_pasn.py index 150a21d01b..19c88966bc 100644 --- a/tests/hwsim/test_pasn.py +++ b/tests/hwsim/test_pasn.py @@ -386,7 +386,7 @@ def test_pasn_sae(dev, apdev): params['wpa_key_mgmt'] = 'SAE PASN' hapd = start_pasn_ap(apdev[0], params) - dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE", scan_freq="2412", + dev[0].connect("test-pasn-sae", psk="12345678", key_mgmt="SAE", scan_freq="2412", only_add_network=True) # first test with a valid PSK @@ -750,7 +750,7 @@ def test_pasn_comeback_after_0_sae(dev, apdev): params['pasn_comeback_after'] = '0' hapd = start_pasn_ap(apdev[0], params) - dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE", scan_freq="2412", + dev[0].connect("test-pasn-sae", psk="12345678", key_mgmt="SAE", scan_freq="2412", only_add_network=True) # first test with a valid PSK 
@@ -784,7 +784,7 @@ def test_pasn_comeback_multi(dev, apdev): for i in range(0, 2): dev[i].flush_scan_cache() dev[i].scan(type="ONLY", freq=2412) - id[i] = dev[i].connect("test-sae", psk="12345678", key_mgmt="SAE", + id[i] = dev[i].connect("test-pasn-sae", psk="12345678", key_mgmt="SAE", scan_freq="2412", only_add_network=True) for i in range(0, 2): From patchwork Thu Apr 8 09:06:23 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Peer, Ilan" X-Patchwork-Id: 1463692 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.infradead.org (client-ip=2001:8b0:10b:1:d65d:64ff:fe57:4e05; helo=desiato.infradead.org; envelope-from=hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org; receiver=) Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; secure) header.d=lists.infradead.org header.i=@lists.infradead.org header.a=rsa-sha256 header.s=desiato.20200630 header.b=mC500LV3; dkim-atps=neutral Received: from desiato.infradead.org (desiato.infradead.org [IPv6:2001:8b0:10b:1:d65d:64ff:fe57:4e05]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4FGFlg6Yqtz9sTD for ; Thu, 8 Apr 2021 19:07:43 +1000 (AEST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=desiato.20200630; h=Sender:Content-Transfer-Encoding :Content-Type:MIME-Version:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:References:In-Reply-To:Message-Id:Date:Subject:Cc:To :From:Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=9M0VUg/lkQu9u6Xh59yHB7o2tevgD3BDByL1z7K8cCE=; 
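Review bot: the SSID now matches the `ssid="test-pasn-sae"` the AP is started with, but the replacement lines in test_pasn_sae() and test_pasn_comeback_after_0_sae() grew past the 79 columns hostap code keeps to; wrap `key_mgmt="SAE", scan_freq="2412"` onto the continuation line, as the test_pasn_comeback_multi() hunk in the same patch already does.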
From: Ilan Peer
To: hostap@lists.infradead.org
Cc: Ilan Peer
Subject: [PATCH 4/5] tests: Update PASN tests with SAE to use sae_pwe=2
Date: Thu, 8 Apr 2021 12:06:23 +0300
Message-Id: <20210408090624.9490-4-ilan.peer@intel.com>
In-Reply-To: <20210408090624.9490-1-ilan.peer@intel.com>
As a preparation for changing wpa_supplicant and hostapd implementation to use SAE H2E only. Signed-off-by: Ilan Peer --- tests/hwsim/test_pasn.py | 118 ++++++++++++++++++++++++--------------- 1 file changed, 73 insertions(+), 45 deletions(-) diff --git a/tests/hwsim/test_pasn.py b/tests/hwsim/test_pasn.py index 19c88966bc..10175b300b 100644 --- a/tests/hwsim/test_pasn.py +++ b/tests/hwsim/test_pasn.py
@@ -232,18 +232,23 @@ def test_pasn_sae_pmksa_cache(dev, apdev): params = hostapd.wpa2_params(ssid="test-sae", passphrase="12345678") params['wpa_key_mgmt'] = 'SAE PASN' + params['sae_pwe'] = "2" hapd = start_pasn_ap(apdev[0], params) - dev[0].set("sae_groups", "19") - dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE", scan_freq="2412") + try: + dev[0].set("sae_groups", "19") + dev[0].set("sae_pwe", "2") + dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE", scan_freq="2412") - hapd.wait_sta() - hwsim_utils.test_connectivity(dev[0], hapd) + hapd.wait_sta() + hwsim_utils.test_connectivity(dev[0], hapd) - dev[0].request("DISCONNECT") - dev[0].wait_disconnected() + dev[0].request("DISCONNECT") + dev[0].wait_disconnected() - check_pasn_akmp_cipher(dev[0], hapd, "SAE", "CCMP") + check_pasn_akmp_cipher(dev[0], hapd, "SAE", "CCMP") + finally: + dev[0].set("sae_pwe", "0") def check_pasn_fils_pmksa_cache(dev, apdev, params, key_mgmt): check_fils_capa(dev[0]) @@ -299,16 +304,19 @@ def test_pasn_sae_kdk(dev, apdev): params = hostapd.wpa2_params(ssid="test-sae", passphrase="12345678") params['wpa_key_mgmt'] = 'SAE PASN' + params['sae_pwe'] = "2" params['force_kdk_derivation'] = "1" hapd = start_pasn_ap(apdev[0], params) dev[0].set("force_kdk_derivation", "1") + dev[0].set("sae_pwe", "2") dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE", scan_freq="2412") check_pasn_ptk(dev[0], hapd, "CCMP", clear_keys=False) finally: dev[0].set("force_kdk_derivation", "0") + dev[0].set("sae_pwe", "0") def check_pasn_fils_kdk(dev, apdev, params, key_mgmt): 
@@ -384,23 +392,28 @@ def test_pasn_sae(dev, apdev): params = hostapd.wpa2_params(ssid="test-pasn-sae", passphrase="12345678") params['wpa_key_mgmt'] = 'SAE PASN' + params['sae_pwe'] = "2" hapd = start_pasn_ap(apdev[0], params) - dev[0].connect("test-pasn-sae", psk="12345678", key_mgmt="SAE", scan_freq="2412", - only_add_network=True) + try: + dev[0].set("sae_pwe", "2") + dev[0].connect("test-pasn-sae", psk="12345678", key_mgmt="SAE", scan_freq="2412", + only_add_network=True) - # first test with a valid PSK - check_pasn_akmp_cipher(dev[0], hapd, "SAE", "CCMP", nid="0") + # first test with a valid PSK + check_pasn_akmp_cipher(dev[0], hapd, "SAE", "CCMP", nid="0") - # And now with PMKSA caching - check_pasn_akmp_cipher(dev[0], hapd, "SAE", "CCMP") + # And now with PMKSA caching + check_pasn_akmp_cipher(dev[0], hapd, "SAE", "CCMP") - # And now with a wrong passphrase - if "FAIL" in dev[0].request("PMKSA_FLUSH"): - raise Exception("PMKSA_FLUSH failed") + # And now with a wrong passphrase + if "FAIL" in dev[0].request("PMKSA_FLUSH"): + raise Exception("PMKSA_FLUSH failed") - dev[0].set_network_quoted(0, "psk", "12345678787") - check_pasn_akmp_cipher(dev[0], hapd, "SAE", "CCMP", status=1, nid="0") + dev[0].set_network_quoted(0, "psk", "12345678787") + check_pasn_akmp_cipher(dev[0], hapd, "SAE", "CCMP", status=1, nid="0") + finally: + dev[0].set("sae_pwe", "0") @remote_compatible def test_pasn_sae_while_connected_same_channel(dev, apdev): 
@@ -412,18 +425,23 @@ def test_pasn_sae_while_connected_same_channel(dev, apdev): passphrase="12345678") hapd = hostapd.add_ap(apdev[0], params) - dev[0].connect("test-pasn-wpa2-psk", psk="12345678", scan_freq="2412") + try: + dev[0].set("sae_pwe", "2") + dev[0].connect("test-pasn-wpa2-psk", psk="12345678", scan_freq="2412") - params = hostapd.wpa2_params(ssid="test-pasn-sae", - passphrase="12345678") + params = hostapd.wpa2_params(ssid="test-pasn-sae", + passphrase="12345678") - params['wpa_key_mgmt'] = 'SAE PASN' - hapd = start_pasn_ap(apdev[1], params) + params['wpa_key_mgmt'] = 'SAE PASN' + params['sae_pwe'] = "2" + hapd = start_pasn_ap(apdev[1], params) - dev[0].connect("test-pasn-sae", psk="12345678", key_mgmt="SAE", - scan_freq="2412", only_add_network=True) + dev[0].connect("test-pasn-sae", psk="12345678", key_mgmt="SAE", + scan_freq="2412", only_add_network=True) - check_pasn_akmp_cipher(dev[0], hapd, "SAE", "CCMP", nid="1") + check_pasn_akmp_cipher(dev[0], hapd, "SAE", "CCMP", nid="1") + finally: + dev[0].set("sae_pwe", "0") @remote_compatible def test_pasn_sae_while_connected_diff_channel(dev, apdev): 
@@ -443,18 +461,23 @@ def test_pasn_sae_while_connected_diff_channel(dev, apdev): params['channel'] = "6" hapd = hostapd.add_ap(apdev[0], params) - wpas.connect("test-pasn-wpa2-psk", psk="12345678", scan_freq="2437") + try: + wpas.set("sae_pwe", "2") + wpas.connect("test-pasn-wpa2-psk", psk="12345678", scan_freq="2437") - params = hostapd.wpa2_params(ssid="test-pasn-sae", - passphrase="12345678") + params = hostapd.wpa2_params(ssid="test-pasn-sae", + passphrase="12345678") - params['wpa_key_mgmt'] = 'SAE PASN' - hapd = start_pasn_ap(apdev[1], params) + params['wpa_key_mgmt'] = 'SAE PASN' + params['sae_pwe'] = "2" + hapd = start_pasn_ap(apdev[1], params) - wpas.connect("test-pasn-sae", psk="12345678", key_mgmt="SAE", - scan_freq="2412", only_add_network=True) + wpas.connect("test-pasn-sae", psk="12345678", key_mgmt="SAE", + scan_freq="2412", only_add_network=True) - check_pasn_akmp_cipher(wpas, hapd, "SAE", "CCMP", nid="1") + check_pasn_akmp_cipher(wpas, hapd, "SAE", "CCMP", nid="1") + finally: + wpas.set("sae_pwe", "0") def pasn_fils_setup(wpas, apdev, params, key_mgmt): check_fils_capa(wpas) 
@@ -748,23 +771,28 @@ def test_pasn_comeback_after_0_sae(dev, apdev): params['wpa_key_mgmt'] = 'SAE PASN' params['anti_clogging_threshold'] = '0' params['pasn_comeback_after'] = '0' + params['sae_pwe'] = "2" hapd = start_pasn_ap(apdev[0], params) - dev[0].connect("test-pasn-sae", psk="12345678", key_mgmt="SAE", scan_freq="2412", - only_add_network=True) + try: + dev[0].set("sae_pwe", "2") + dev[0].connect("test-pasn-sae", psk="12345678", key_mgmt="SAE", scan_freq="2412", + only_add_network=True) - # first test with a valid PSK - check_pasn_akmp_cipher(dev[0], hapd, "SAE", "CCMP", nid="0") + # first test with a valid PSK + check_pasn_akmp_cipher(dev[0], hapd, "SAE", "CCMP", nid="0") - # And now with PMKSA caching - check_pasn_akmp_cipher(dev[0], hapd, "SAE", "CCMP") + # And now with PMKSA caching + check_pasn_akmp_cipher(dev[0], hapd, "SAE", "CCMP") - # And now with a wrong passphrase - if "FAIL" in dev[0].request("PMKSA_FLUSH"): - raise Exception("PMKSA_FLUSH failed") + # And now with a wrong passphrase + if "FAIL" in dev[0].request("PMKSA_FLUSH"): + raise Exception("PMKSA_FLUSH failed") - dev[0].set_network_quoted(0, "psk", "12345678787") - check_pasn_akmp_cipher(dev[0], hapd, "SAE", "CCMP", status=1, nid="0") + dev[0].set_network_quoted(0, "psk", "12345678787") + check_pasn_akmp_cipher(dev[0], hapd, "SAE", "CCMP", status=1, nid="0") + finally: + dev[0].set("sae_pwe", "0") @remote_compatible def test_pasn_comeback_multi(dev, apdev): From patchwork Thu Apr 8 09:06:24 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Peer, Ilan" X-Patchwork-Id: 1463690 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.infradead.org (client-ip=2001:8b0:10b:1:d65d:64ff:fe57:4e05; helo=desiato.infradead.org; 
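Review bot: every new finally block resets `sae_pwe` to the literal "0" rather than the value in effect before the test, and test_pasn_sae_pmksa_cache() and test_pasn_sae_kdk() still leave `sae_groups` set afterwards; a small helper that sets `sae_pwe`/`sae_groups` on the station and restores both would avoid repeating the same try/finally in six tests. In test_pasn_sae_while_connected_same_channel() and test_pasn_sae_while_connected_diff_channel(), `sae_pwe` is set before the WPA2-PSK connect, which does not use SAE; moving the set next to the SAE `connect(... key_mgmt="SAE" ...)` call keeps its scope to the code that needs it. Also, the test_pasn_sae_kdk() hunk shows a `finally:` but its matching `try:` is outside the hunk context; worth double-checking that the new `dev[0].set("sae_pwe", "2")` line landed inside that try block.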
From: Ilan Peer
To: hostap@lists.infradead.org
Cc: Ilan Peer
Subject: [PATCH 5/5] PASN: Change PASN flows to use SAE H2E only
Date: Thu, 8 Apr 2021 12:06:24 +0300
Message-Id: <20210408090624.9490-5-ilan.peer@intel.com>
In-Reply-To: <20210408090624.9490-1-ilan.peer@intel.com>
References: <20210408090624.9490-1-ilan.peer@intel.com>
Do so for both wpa_supplicant and hostapd.
Signed-off-by: Ilan Peer
--- src/ap/ieee802_11.c | 20 ++++----- wpa_supplicant/pasn_supplicant.c | 77 +++++++++++++++++++++++--------- 2 files changed, 65 insertions(+), 32 deletions(-)
diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c index e4dd2b4b3f..9cd225b26d 100644 --- a/src/ap/ieee802_11.c +++ b/src/ap/ieee802_11.c @@ -2383,11 +2383,12 @@ static int pasn_wd_handle_sae_commit(struct hostapd_data *hapd, struct wpabuf *wd) { struct pasn_data *pasn = sta->pasn; - const char *password = NULL; + const char *password; const u8 *data; size_t buf_len; u16 res, alg, seq, status; int groups[] = { pasn->group, 0 }; + struct sae_pt *pt = NULL; int ret; if (!wd)
@@ -2409,8 +2410,8 @@ static int pasn_wd_handle_sae_commit(struct hostapd_data *hapd, wpa_printf(MSG_DEBUG, "PASN: SAE commit: alg=%u, seq=%u, status=%u", alg, seq, status); - /* TODO: SAE H2E */ - if (alg != WLAN_AUTH_SAE || seq != 1 || status != WLAN_STATUS_SUCCESS) { + if (alg != WLAN_AUTH_SAE || seq != 1 || status != + WLAN_STATUS_SAE_HASH_TO_ELEMENT) { wpa_printf(MSG_DEBUG, "PASN: Dropping peer SAE commit"); return -1; } @@ -2424,15 +2425,14 @@ static int pasn_wd_handle_sae_commit(struct hostapd_data *hapd, return -1; } - password = sae_get_password(hapd, sta, NULL, NULL, NULL, NULL); - if (!password) { - wpa_printf(MSG_DEBUG, "PASN: No SAE password found"); + password = sae_get_password(hapd, sta, NULL, NULL, &pt, NULL); + if (!password || !pt) { + wpa_printf(MSG_DEBUG, "PASN: No SAE PT found"); return -1; } - ret = sae_prepare_commit(hapd->own_addr, sta->addr, - (const u8 *) password, os_strlen(password), 0, - &pasn->sae); + ret = sae_prepare_commit_pt(&pasn->sae, pt, hapd->own_addr, sta->addr, + NULL, NULL); if (ret) { wpa_printf(MSG_DEBUG, "PASN: Failed to prepare SAE commit"); return -1; @@ -2529,7 +2529,7 @@ static struct wpabuf * pasn_get_sae_wd(struct hostapd_data *hapd, len_ptr = wpabuf_put(buf, 2); wpabuf_put_le16(buf, WLAN_AUTH_SAE); wpabuf_put_le16(buf, 1); - wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS); + wpabuf_put_le16(buf, WLAN_STATUS_SAE_HASH_TO_ELEMENT); /* Write the actual commit and update the length accordingly */ sae_write_commit(&pasn->sae, buf, NULL, 0); diff --git a/wpa_supplicant/pasn_supplicant.c b/wpa_supplicant/pasn_supplicant.c index c0db686dfe..3df3aa4707 100644 --- a/wpa_supplicant/pasn_supplicant.c +++ b/wpa_supplicant/pasn_supplicant.c 
@@ -102,30 +102,17 @@ static struct wpabuf * wpas_pasn_wd_sae_commit(struct wpa_supplicant *wpa_s) { struct wpas_pasn *pasn = &wpa_s->pasn; struct wpabuf *buf = NULL; - const char *password = NULL; int ret; - if (pasn->ssid) { - password = pasn->ssid->sae_password; - if (!password) - password = pasn->ssid->passphrase; - } - - if (!password) { - wpa_printf(MSG_DEBUG, "PASN: SAE without a password"); - return NULL; - } - ret = sae_set_group(&pasn->sae, pasn->group); if (ret) { wpa_printf(MSG_DEBUG, "PASN: Failed to set SAE group"); return NULL; } - /* TODO: SAE H2E */ - ret = sae_prepare_commit(wpa_s->own_addr, pasn->bssid, - (const u8 *) password, os_strlen(password), 0, - &pasn->sae); + ret = sae_prepare_commit_pt(&pasn->sae, pasn->ssid->pt, + wpa_s->own_addr, pasn->bssid, + NULL, NULL); if (ret) { wpa_printf(MSG_DEBUG, "PASN: Failed to prepare SAE commit"); return NULL; @@ -140,7 +127,7 @@ static struct wpabuf * wpas_pasn_wd_sae_commit(struct wpa_supplicant *wpa_s) wpabuf_put_le16(buf, WLAN_AUTH_SAE); wpabuf_put_le16(buf, 1); - wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS); + wpabuf_put_le16(buf, WLAN_STATUS_SAE_HASH_TO_ELEMENT); sae_write_commit(&pasn->sae, buf, NULL, 0); pasn->sae.state = SAE_COMMITTED; @@ -186,14 +173,14 @@ static int wpas_pasn_wd_sae_rx(struct wpa_supplicant *wpa_s, struct wpabuf *wd) wpa_printf(MSG_DEBUG, "PASN: SAE: commit: alg=%u, seq=%u, status=%u", alg, seq, status); - /* TODO: SAE H2E */ - if (alg != WLAN_AUTH_SAE || seq != 1 || status != WLAN_STATUS_SUCCESS) { + if (alg != WLAN_AUTH_SAE || seq != 1 || + status != WLAN_STATUS_SAE_HASH_TO_ELEMENT) { wpa_printf(MSG_DEBUG, "PASN: SAE: dropping peer commit"); return -1; } res = sae_parse_commit(&pasn->sae, data + 6, len - 6, NULL, 0, groups, - 0); + 1); if (res != WLAN_STATUS_SUCCESS) { wpa_printf(MSG_DEBUG, "PASN: SAE failed parsing commit"); return -1; 
@@ -271,8 +258,33 @@ static struct wpabuf * wpas_pasn_wd_sae_confirm(struct wpa_supplicant *wpa_s) return buf; } -#endif /* CONFIG_SAE */ +static int wpas_pasn_sae_setup_pt(struct wpa_supplicant *wpa_s, + struct wpa_ssid *ssid, int group) +{ + const char *password = ssid->sae_password; + int groups[2] = { group, 0 }; + + if (!password) + password = ssid->passphrase; + + if (!password) { + wpa_printf(MSG_DEBUG, "PASN: SAE without a password"); + return -1; + } + + /* PT already derived */ + if (ssid->pt) + return 0; + + ssid->pt = sae_derive_pt(groups, ssid->ssid, ssid->ssid_len, + (const u8 *)password, os_strlen(password), + ssid->sae_password_id); + + return ssid->pt ? 0 : -1; +} + +#endif /* CONFIG_SAE */ #ifdef CONFIG_FILS @@ -718,8 +730,9 @@ static struct wpabuf * wpas_pasn_build_auth_1(struct wpa_supplicant *wpa_s, goto fail; /* Add own RNSXE */ - /* TODO: How to handle protected TWT and SAE H2E? */ capab = 0; + if (wpa_s->conf->sae_pwe == 1 || wpa_s->conf->sae_pwe == 2) + capab |= BIT(WLAN_RSNX_CAPAB_SAE_H2E); if (wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SEC_LTF) capab |= BIT(WLAN_RSNX_CAPAB_SECURE_LTF); if (wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SEC_RTT) @@ -1008,6 +1021,26 @@ static int wpas_pasn_start(struct wpa_supplicant *wpa_s, const u8 *bssid, "PASN: No network profile found for SAE"); return -1; } + + if (wpa_s->conf->sae_pwe != 1 && wpa_s->conf->sae_pwe != 2) { + wpa_printf(MSG_DEBUG, + "PASN: SAE H2E not enabled in configuration"); + return -1; + } + + if (beacon_rsnxe_len < 3 || + !(beacon_rsnxe[2] & BIT(WLAN_RSNX_CAPAB_SAE_H2E))) { + wpa_printf(MSG_DEBUG, + "PASN: AP does not support SAE H2E"); + return -1; + } + + if (wpas_pasn_sae_setup_pt(wpa_s, ssid, group) < 0) { + wpa_printf(MSG_DEBUG, + "PASN: Failed to derive PT"); + return -1; + } + pasn->sae.state = SAE_NOTHING; pasn->sae.send_confirm = 0; pasn->ssid = ssid;
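Review bot: in the @@ -2424 hunk of src/ap/ieee802_11.c the AP now prepares its commit with sae_prepare_commit_pt(), but the only visible AP-side change to handling the peer's commit is the status check in @@ -2409, whereas the supplicant hunk @@ -186 also flips the last argument of sae_parse_commit() from 0 to 1 for H2E; please confirm the AP's sae_parse_commit() call (outside this diff) passes the same H2E flag, since the two ends must agree on the H2E commit encoding. The "PASN: No SAE PT found" message would also be more useful if it mentioned that a PT only exists when sae_pwe enables H2E on the AP, as that is the likely misconfiguration behind it.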
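Review bot: the @@ -102 hunk of wpa_supplicant/pasn_supplicant.c drops the `if (pasn->ssid)` guard and now dereferences pasn->ssid->pt unconditionally before handing it to sae_prepare_commit_pt(); this relies on wpas_pasn_start() (hunk @@ -1008) only setting pasn->ssid after wpas_pasn_sae_setup_pt() succeeded, so either keep a defensive `if (!pasn->ssid || !pasn->ssid->pt)` with a debug message, or add a comment stating that invariant next to the call.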
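Review bot: in the @@ -271 hunk, wpas_pasn_sae_setup_pt() derives a PT for the single PASN group (`int groups[2] = { group, 0 };`) but returns 0 as soon as ssid->pt is non-NULL; if ssid->pt is also the cache used by the regular SAE association path, a PT derived here first would cover only this one group for a later association, and a PT derived earlier for a different group list may not contain `group`, in which case sae_prepare_commit_pt() fails at commit time with no hint why. Consider deriving for the configured SAE group list, or verifying the cached PT contains `group` before taking the early return. Style: `(const u8 *)password` should be `(const u8 *) password` to match the cast spacing used elsewhere in this file.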
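Review bot: the @@ -718 hunk replaces the comment "TODO: How to handle protected TWT and SAE H2E?" with H2E handling only; the protected TWT half of that question is still open, so keep a reduced TODO for it rather than removing the reminder entirely.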
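Review bot: in the @@ -1008 hunk, the check `beacon_rsnxe_len < 3 || !(beacon_rsnxe[2] & BIT(WLAN_RSNX_CAPAB_SAE_H2E))` assumes beacon_rsnxe points at the whole element including the ID and Length octets, so that index 2 is the first capabilities octet; a short comment saying so would save the next reader a trip to the caller. The `wpa_s->conf->sae_pwe != 1 && != 2` test here duplicates the `== 1 || == 2` test in @@ -718, so a small static helper for "H2E enabled" would keep the two in sync. Minor: the wpa_printf() format strings such as "PASN: Failed to derive PT" fit on the wpa_printf() line and do not need their own line.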