From patchwork Sun Mar 21 11:55:08 2021
X-Patchwork-Submitter: "Peer, Ilan"
X-Patchwork-Id: 1456280
From: Ilan Peer
To: hostap@lists.infradead.org
Cc: Ilan Peer
Subject: [PATCH v2 1/3] AP: Add support for PASN comeback flow
Date: Sun, 21 Mar 2021 13:55:08 +0200
Message-Id: <20210321115510.31582-1-ilan.peer@intel.com>
Signed-off-by: Ilan Peer --- hostapd/config_file.c | 2 + hostapd/hostapd.conf | 7 ++++ src/ap/ap_config.c | 5 +++ src/ap/ap_config.h | 6 +++ src/ap/ieee802_11.c | 88 +++++++++++++++++++++++++++++++++++++++---- 5 files changed, 101 insertions(+), 7 deletions(-) diff --git a/hostapd/config_file.c b/hostapd/config_file.c index fd9bc0e9fc..d73a737821 100644 --- a/hostapd/config_file.c +++ b/hostapd/config_file.c @@ -4675,6 +4675,8 @@ static int hostapd_config_fill(struct hostapd_config *conf, line, pos); return 1; } + } else if (os_strcmp(buf, "pasn_comeback_after") == 0) { + bss->pasn_comeback_after = atoi(pos); #endif /* CONFIG_PASN */ } else { wpa_printf(MSG_ERROR, diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf index d19db5a154..bb532763b5 100644 --- a/hostapd/hostapd.conf +++ b/hostapd/hostapd.conf
@@ -2051,6 +2051,13 @@ own_ip_addr=127.0.0.1 # http://www.iana.org/assignments/ipsec-registry/ipsec-registry.xml#ipsec-registry-10 #pasn_groups=19 20 21 +# PASN comeback after. +# In case the AP is temporally unable to handle a PASN authentication exchange, +# this value would indicate to the peer after how many TUs it can try comeback +# and try the PASN exchange again. +# (default: 10 TUs) +# pasn_comeback_after=10 + ##### IEEE 802.11r configuration ############################################## # Mobility Domain identifier (dot11FTMobilityDomainID, MDID) diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c index 452386b7e5..7b6249bbe5 100644 --- a/src/ap/ap_config.c +++ b/src/ap/ap_config.c @@ -165,6 +165,11 @@ void hostapd_config_defaults_bss(struct hostapd_bss_config *bss) #ifdef CONFIG_TESTING_OPTIONS bss->sae_commit_status = -1; #endif /* CONFIG_TESTING_OPTIONS */ + +#ifdef CONFIG_PASN + /* comeback after 10 TUs */ + bss->pasn_comeback_after = 10; +#endif /* CONFIG_PASN */ } diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h index 8aeb03107a..26bdaf1317 100644 --- a/src/ap/ap_config.h +++ b/src/ap/ap_config.h @@ -880,6 +880,12 @@ struct hostapd_bss_config { #endif /* CONFIG_TESTING_OPTIONS */ int *pasn_groups; + + /* + * The time in TUs after which the non-AP STA is requested to retry the + * PASN authentication + */ + u16 pasn_comeback_after; #endif /* CONFIG_PASN */ unsigned int unsol_bcast_probe_resp_interval; diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c index 72d102f44e..e31e4710da 100644 --- a/src/ap/ieee802_11.c +++ b/src/ap/ieee802_11.c 
@@ -702,13 +702,15 @@ static int use_anti_clogging(struct hostapd_data *hapd) for (sta = hapd->sta_list; sta; sta = sta->next) { #ifdef CONFIG_SAE - if (!sta->sae) - continue; - if (sta->sae->state != SAE_COMMITTED && - sta->sae->state != SAE_CONFIRMED) - continue; - open++; + if (sta->sae && + (sta->sae->state == SAE_COMMITTED || + sta->sae->state == SAE_CONFIRMED)) + open++; #endif /* CONFIG_SAE */ +#ifdef CONFIG_PASN + if (sta->pasn && sta->pasn->ecdh) + open++; +#endif /* CONFIG_PASN */ if (open >= hapd->conf->anti_clogging_threshold) return 1; } @@ -806,7 +808,8 @@ static struct wpabuf * auth_build_token_req(struct hostapd_data *hapd, if (buf == NULL) return NULL; - wpabuf_put_le16(buf, group); /* Finite Cyclic Group */ + if (group) + wpabuf_put_le16(buf, group); /* Finite Cyclic Group */ if (h2e) { /* Encapsulate Anti-clogging Token field in a container IE */ 
@@ -2891,6 +2894,57 @@ pasn_derive_keys(struct hostapd_data *hapd, struct sta_info *sta, } +static void handle_auth_pasn_comeback(struct hostapd_data *hapd, + struct sta_info *sta, u16 group) +{ + struct wpabuf *buf, *comeback; + int ret; + + wpa_printf(MSG_DEBUG, + "PASN: Building comeback frame 2. Comeback after=%u", + hapd->conf->pasn_comeback_after); + + buf = wpabuf_alloc(1500); + if (!buf) + return; + + wpa_pasn_build_auth_header(buf, hapd->own_addr, hapd->own_addr, + sta->addr, 2, + WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY); + + /* + * Do not include the group as part of the token since it is not going + * to be used + */ + comeback = auth_build_token_req(hapd, 0, sta->addr, 0); + if (!comeback) { + wpa_printf(MSG_DEBUG, + "PASN: Failed sending auth with comeback"); + + wpabuf_free(buf); + return; + } + + wpa_pasn_add_parameter_ie(buf, group, + WPA_PASN_WRAPPED_DATA_NO, + NULL, 0, comeback, + hapd->conf->pasn_comeback_after); + + wpabuf_free(comeback); + comeback = NULL; + + wpa_printf(MSG_DEBUG, + "PASN: comeback: STA=" MACSTR, MAC2STR(sta->addr)); + + ret = hostapd_drv_send_mlme(hapd, wpabuf_head(buf), wpabuf_len(buf), 0, + NULL, 0, 0); + if (ret) + wpa_printf(MSG_INFO, "PASN: Failed to send comeback frame 2"); + + wpabuf_free(buf); +} + + static int handle_auth_pasn_resp(struct hostapd_data *hapd, struct sta_info *sta, struct rsn_pmksa_cache_entry *pmksa, 
@@ -3133,6 +3187,26 @@ static void handle_auth_pasn_1(struct hostapd_data *hapd, struct sta_info *sta, goto send_resp; } + if (pasn_params.comeback) { + wpa_printf(MSG_DEBUG, "PASN: Checking peer comeback token"); + + ret = check_comeback_token(hapd, sta->addr, + pasn_params.comeback, + pasn_params.comeback_len); + + if (ret) { + wpa_printf(MSG_DEBUG, "PASN: Invalid comeback token"); + status = WLAN_STATUS_UNSPECIFIED_FAILURE; + goto send_resp; + } + } else if (use_anti_clogging(hapd)) { + wpa_printf(MSG_DEBUG, "PASN: Response with comeback"); + + handle_auth_pasn_comeback(hapd, sta, pasn_params.group); + ap_free_sta(hapd, sta); + return; + } + sta->pasn->ecdh = crypto_ecdh_init(pasn_params.group); if (!sta->pasn->ecdh) { wpa_printf(MSG_DEBUG, "PASN: Failed to init ECDH");
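Review bot: in the hostapd/config_file.c hunk (@@ -4675), `bss->pasn_comeback_after = atoi(pos);` stores an unchecked int into a field the ap_config.h hunk declares as `u16 pasn_comeback_after`, so a negative or oversized value is silently truncated rather than rejected. The surrounding parser reports bad input with `wpa_printf(MSG_ERROR, ...)` and `return 1;`; parsing into a local `int val`, checking `val < 0 || val > 65535`, and taking that same error path would keep this option consistent with its neighbours.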
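Review bot: wording and style in the new hostapd.conf comment block (@@ -2051): "temporally unable" should read "temporarily unable", and "after how many TUs it can try comeback and try the PASN exchange again" reads better as "after how many TUs it may retry the PASN exchange". The example line `# pasn_comeback_after=10` has a space after the `#` while the neighbouring `#pasn_groups=19 20 21` does not; drop the space so the commented-out default matches the file's convention.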
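Review bot: in the use_anti_clogging() hunk (@@ -702), counting `sta->pasn && sta->pasn->ecdh` against `hapd->conf->anti_clogging_threshold` means the SAE anti-clogging threshold now also decides when PASN peers are sent a comeback, but no hunk in this patch documents that; add a sentence to the `anti_clogging_threshold` description in hostapd.conf (or to the new `pasn_comeback_after` block) saying that in-progress PASN exchanges count towards it. The rewrite of the SAE test from early `continue` to a positive `if` is needed so the PASN check runs for every STA and looks correct.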
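Review bot: in the auth_build_token_req() hunk (@@ -806), `if (group) wpabuf_put_le16(buf, group);` turns group 0 into an in-band "omit the Finite Cyclic Group field" flag, but the only explanation lives in the comment at the PASN call site in handle_auth_pasn_comeback(); put the same sentence in the function's own header comment, since the existing SAE callers still rely on the field being present and a future caller passing 0 by mistake would silently drop it.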
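Review bot: in handle_auth_pasn_comeback() (@@ -2891), the message logged when `auth_build_token_req()` returns NULL says "PASN: Failed sending auth with comeback" although nothing has been sent at that point; "PASN: Failed to build comeback token" describes the failure. Two smaller points in the same function: `wpabuf_alloc(1500)` is a magic size for a frame that is a fixed Authentication header plus one PASN Parameters element, so a short comment on why 1500 is enough would help, and `comeback = NULL;` after `wpabuf_free(comeback);` is dead code because `comeback` is not referenced again.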
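Review bot: in the handle_auth_pasn_1() hunk (@@ -3133), a peer whose token fails `check_comeback_token()` is answered with `WLAN_STATUS_UNSPECIFIED_FAILURE`, so a peer presenting a stale token gets a hard failure instead of a new comeback; consider falling through to the `use_anti_clogging(hapd)` branch in that case so the peer is handed a fresh token. Also, when `handle_auth_pasn_comeback()` fails internally the code still does `ap_free_sta(hapd, sta); return;` and the peer hears nothing, which is acceptable under anti-clogging pressure but deserves a comment so it is not read as a missing error path.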