Add dynamic reload of RxKH definitions from file

Message ID	BB9923D6-7710-4A4F-8452-0FFF9754E064@gmail.com
State	Accepted
Headers	show Return-Path: <hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org> From: Dariusz Kopka <darkopka@gmail.com> Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3774.300.61.1.2\)) Subject: [PATCH] Add dynamic reload of RxKH definitions from file Message-Id: <BB9923D6-7710-4A4F-8452-0FFF9754E064@gmail.com> Date: Mon, 15 Jan 2024 17:08:40 +0100 Cc: Dariusz Kopka <dariusz@plume.com>, michal@plume.com To: hostap@lists.infradead.org preview: From 09f58a12e50f8e7b09d485b56154f2be0957da21 Mon Sep 17 00:00:00 2001 From: Dariusz Kopka Date: Mon, 15 Jan 2024 14:16:00 +0100 Subject: [PATCH] Add dynamic reload of RxKH definitions from file Hostapd reads the list of Rx Key Holders from hostapd.conf file. However, for systems where topology changes dynamically, the update of RxKHs list is required without reloading the whole configuration [...] Content analysis details: (-0.2 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [2a00:1450:4864:20:0:0:0:32c listed in] [list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider [darkopka[at]gmail.com] -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain Precedence: list Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "Hostap" <hostap-bounces@lists.infradead.org> Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org
Series	Add dynamic reload of RxKH definitions from file \| expand Add dynamic reload of RxKH definitions from file

Message ID

BB9923D6-7710-4A4F-8452-0FFF9754E064@gmail.com

State

Accepted

Headers

From: Dariusz Kopka <darkopka@gmail.com>
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3774.300.61.1.2\))
Subject: [PATCH] Add dynamic reload of RxKH definitions from file
Message-Id: <BB9923D6-7710-4A4F-8452-0FFF9754E064@gmail.com>
Date: Mon, 15 Jan 2024 17:08:40 +0100
Cc: Dariusz Kopka <dariusz@plume.com>,
 michal@plume.com
To: hostap@lists.infradead.org
Precedence: list
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: "Hostap" <hostap-bounces@lists.infradead.org>
Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org

Series

Add dynamic reload of RxKH definitions from file | expand

Commit Message

Dariusz Kopka Jan. 15, 2024, 4:08 p.m. UTC

From 09f58a12e50f8e7b09d485b56154f2be0957da21 Mon Sep 17 00:00:00 2001
From: Dariusz Kopka <dariusz@plume.com>
Date: Mon, 15 Jan 2024 14:16:00 +0100
Subject: [PATCH] Add dynamic reload of RxKH definitions from file

Hostapd reads the list of Rx Key Holders from hostapd.conf file.
However, for systems where topology changes dynamically, the update
of RxKHs list is required without reloading the whole configuration.

Here we introduce a new source of RxKH definition with original syntax:
        - rxkh_file - path to a file containing a list of RxKHs.
In addition two cli commands are added:
        - get_rxkhs - returns the list of currently configured RxKHs
        - reload_rxkhs - reloads RxKHs definition from a  file
                         specified in `rxkh_file`

This allows hostapd to properly distribute Rx keys even after topology
change (assuming rxkh_file is updated and reload_rxkhs command issued).

Syntax of rxkh_file is the same as extraction of r0kh and r1kh options
from original hostapd.conf file.

```
r0kh=ff:ff:ff:ff:ff:ff * 00112233445566778899aabbccddeeff
r0kh=ff:ff:ff:ff:ff:ff * 00112233445566778899aabbccddeeff
r1kh=00:00:00:00:00:00 00:00:00:00:00:00 00112233445566778899aabbccddeef
r1kh=00:00:00:00:00:00 00:00:00:00:00:00 00112233445566778899aabbccddeef
r1kh=00:00:00:00:00:00 00:00:00:00:00:00 00112233445566778899aabbccddeef
```

Signed-off-by: Dariusz Kopka <dariusz@plume.com>
---
 hostapd/config_file.c | 79 +++++++++++++++++++++++++++++++++++++++++++
 hostapd/ctrl_iface.c  | 76 +++++++++++++++++++++++++++++++++++++++++
 hostapd/hostapd.conf  |  6 ++++
 hostapd/hostapd_cli.c | 22 ++++++++++++
 src/ap/ap_config.c    | 53 ++++++++++++++++++-----------
 src/ap/ap_config.h    |  5 +++
 6 files changed, 221 insertions(+), 20 deletions(-)

Comments

Jouni Malinen Jan. 20, 2024, 6:32 p.m. UTC | #1

On Mon, Jan 15, 2024 at 05:08:40PM +0100, Dariusz Kopka wrote:
> Hostapd reads the list of Rx Key Holders from hostapd.conf file.
> However, for systems where topology changes dynamically, the update
> of RxKHs list is required without reloading the whole configuration.
> 
> Here we introduce a new source of RxKH definition with original syntax:
>         - rxkh_file - path to a file containing a list of RxKHs.
> In addition two cli commands are added:
>         - get_rxkhs - returns the list of currently configured RxKHs
>         - reload_rxkhs - reloads RxKHs definition from a  file
>                          specified in `rxkh_file`
> 
> This allows hostapd to properly distribute Rx keys even after topology
> change (assuming rxkh_file is updated and reload_rxkhs command issued).
> 
> Syntax of rxkh_file is the same as extraction of r0kh and r1kh options
> from original hostapd.conf file.
> 
> ```
> r0kh=ff:ff:ff:ff:ff:ff * 00112233445566778899aabbccddeeff
> r0kh=ff:ff:ff:ff:ff:ff * 00112233445566778899aabbccddeeff
> r1kh=00:00:00:00:00:00 00:00:00:00:00:00 00112233445566778899aabbccddeef
> r1kh=00:00:00:00:00:00 00:00:00:00:00:00 00112233445566778899aabbccddeef
> r1kh=00:00:00:00:00:00 00:00:00:00:00:00 00112233445566778899aabbccddeef
> ```

Thanks, applied.

diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index 15aaca924..0c1e30604 100644
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -1020,6 +1020,73 @@  static int add_r1kh(struct hostapd_bss_config *bss, char *value)
 
 	return 0;
 }
+
+int hostapd_config_read_rxkh_file(struct hostapd_bss_config *conf,
+				  const char *fname)
+{
+	FILE *f;
+	char buf[256], *pos;
+	int line = 0, errors = 0;
+
+	if (!fname)
+		return 0;
+
+	f = fopen(fname, "r");
+	if (!f) {
+		wpa_printf(MSG_ERROR, "rxkh file '%s' not found.", fname);
+		return -1;
+	}
+
+	while (fgets(buf, sizeof(buf), f)) {
+		line++;
+
+		if (buf[0] == '#')
+			continue;
+		pos = buf;
+		while (*pos != '\0') {
+			if (*pos == '\n') {
+				*pos = '\0';
+				break;
+			}
+			pos++;
+		}
+		if (buf[0] == '\0')
+			continue;
+
+		pos = os_strchr(buf, '=');
+		if (pos == NULL) {
+			wpa_printf(MSG_ERROR, "Line %d: invalid line '%s'",
+				   line, buf);
+			errors++;
+			continue;
+		}
+		*pos = '\0';
+		pos++;
+
+		if (os_strcmp(buf, "r0kh") == 0) {
+			if (add_r0kh(conf, pos) < 0) {
+				wpa_printf(MSG_ERROR, "Line %d: Invalid r0kh '%s'",
+					   line, pos);
+				errors++;
+			}
+		} else if (os_strcmp(buf, "r1kh") == 0) {
+			if (add_r1kh(conf, pos) < 0) {
+				wpa_printf(MSG_ERROR, "Line %d: Invalid r1kh '%s'",
+					   line, pos);
+				errors++;
+			}
+		}
+	}
+
+	fclose(f);
+
+	if (errors) {
+		wpa_printf(MSG_ERROR, "%d errors in configuring rxkhs from "
+			   "'%s'", errors, fname);
+		return -1;
+	}
+	return 0;
+}
 #endif /* CONFIG_IEEE80211R_AP */
 
 
@@ -3098,6 +3165,18 @@  static int hostapd_config_fill(struct hostapd_config *conf,
 				   line, pos);
 			return 1;
 		}
+	} else if (os_strcmp(buf, "rxkh_file") == 0) {
+		os_free(bss->rxkh_file);
+		bss->rxkh_file = os_strdup(pos);
+		if (!bss->rxkh_file) {
+			wpa_printf(MSG_ERROR, "Line %d: allocation failed",
+				   line);
+			return 1;
+		}
+		if (hostapd_config_read_rxkh_file(bss, pos)) {
+			wpa_printf(MSG_DEBUG, "Line %d: failed to read rxkh_file '%s'",
+				   line, pos);
+		}
 	} else if (os_strcmp(buf, "pmk_r1_push") == 0) {
 		bss->pmk_r1_push = atoi(pos);
 	} else if (os_strcmp(buf, "ft_over_ds") == 0) {
diff --git a/hostapd/ctrl_iface.c b/hostapd/ctrl_iface.c
index 273e7bd7e..913165124 100644
--- a/hostapd/ctrl_iface.c
+++ b/hostapd/ctrl_iface.c
@@ -974,6 +974,74 @@  static int hostapd_ctrl_iface_get_key_mgmt(struct hostapd_data *hapd,
 }
 
 
+#ifdef CONFIG_IEEE80211R_AP
+static int hostapd_ctrl_iface_get_rxkhs(struct hostapd_data *hapd,
+	char *buf, size_t buflen)
+{
+	int i;
+	int ret;
+	char *pos, *end;
+	struct ft_remote_r0kh *r0kh;
+	struct ft_remote_r1kh *r1kh;
+	struct hostapd_bss_config *conf = hapd->conf;
+
+	pos = buf;
+	end = buf + buflen;
+
+	for(r0kh = conf->r0kh_list; r0kh; r0kh=r0kh->next) {
+		ret = os_snprintf(pos, end - pos, "r0kh=" MACSTR " ",
+				  MAC2STR(r0kh->addr));
+		pos += ret;
+		ret = os_snprintf(pos, r0kh->id_len + 2, "%s ",
+				  r0kh->id);
+		pos += ret;
+		for (i = 0; i<32; i++) {
+			ret = os_snprintf(pos, 3, "%02x", r0kh->key[i]);
+			pos += ret;
+		}
+		ret = os_snprintf(pos, 2, "\n");
+		if (os_snprintf_error(end - pos, ret))
+			return pos - buf;
+		pos += ret;
+	}
+
+	for(r1kh = conf->r1kh_list; r1kh; r1kh=r1kh->next) {
+		ret = os_snprintf(pos, end - pos, "r1kh=" MACSTR " " MACSTR " ",
+			MAC2STR(r1kh->addr), MAC2STR(r1kh->id));
+		pos += ret;
+		for (i = 0; i<32; i++) {
+			ret = os_snprintf(pos, 3, "%02x", r1kh->key[i]);
+			pos += ret;
+		}
+		ret = os_snprintf(pos, 2, "\n");
+		if (os_snprintf_error(end - pos, ret))
+			return pos - buf;
+		pos += ret;
+	}
+
+	return pos - buf;
+}
+
+
+static int hostapd_ctrl_iface_reload_rxkhs(struct hostapd_data *hapd)
+{
+	struct hostapd_bss_config *conf = hapd->conf;
+	int err;
+
+	hostapd_config_clear_rxkhs(conf);
+
+	err = hostapd_config_setup_rxkhs(conf);
+	if (err < 0) {
+		wpa_printf(MSG_ERROR, "Reloading RXKHs failed: %d",
+			   err);
+		return -1;
+	}
+
+	return 0;
+}
+#endif /* CONFIG_IEEE80211R_AP */
+
+
 static int hostapd_ctrl_iface_get_config(struct hostapd_data *hapd,
 					 char *buf, size_t buflen)
 {
@@ -3599,6 +3667,14 @@  static int hostapd_ctrl_iface_receive_process(struct hostapd_data *hapd,
 	} else if (os_strcmp(buf, "RELOAD_WPA_PSK") == 0) {
 		if (hostapd_ctrl_iface_reload_wpa_psk(hapd))
 			reply_len = -1;
+#ifdef CONFIG_IEEE80211R_AP
+	} else if (os_strcmp(buf, "GET_RXKHS") == 0) {
+		reply_len = hostapd_ctrl_iface_get_rxkhs(hapd, reply,
+							 reply_size);
+	} else if (os_strcmp(buf, "RELOAD_RXKHS") == 0) {
+		if (hostapd_ctrl_iface_reload_rxkhs(hapd))
+			reply_len = -1;
+#endif /* CONFIG_IEEE80211R_AP */
 	} else if (os_strcmp(buf, "RELOAD_BSS") == 0) {
 		if (hostapd_ctrl_iface_reload_bss(hapd))
 			reply_len = -1;
diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
index 1aeeb7353..20ad28565 100644
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
@@ -2295,6 +2295,12 @@  own_ip_addr=127.0.0.1
 # list and thus will receive push notifications.
 #r1kh=00:00:00:00:00:00 00:00:00:00:00:00 00112233445566778899aabbccddeeff
 
+# Optionally, the list of RxKHs can be read from a text file. Format is the same
+# as specified above. File shall contain both r0kh and r1kh. Once this variable
+# is set, RxKHs can be reloaded in runtime without bringing down an interface
+# using 'reload_rxkhs' command.
+#rxkh_file=<path>
+
 # Timeout (seconds) for newly discovered R0KH/R1KH (see wildcard entries above)
 # Special values: 0 -> do not expire
 # Warning: do not cache implies no sequence number validation with wildcards
diff --git a/hostapd/hostapd_cli.c b/hostapd/hostapd_cli.c
index be3c23ca9..0db0470a2 100644
--- a/hostapd/hostapd_cli.c
+++ b/hostapd/hostapd_cli.c
@@ -1407,6 +1407,22 @@  static int hostapd_cli_cmd_driver_flags2(struct wpa_ctrl *ctrl, int argc,
 }
 
 
+#ifdef CONFIG_IEEE80211R_AP
+static int hostapd_cli_cmd_get_rxkhs(struct wpa_ctrl *ctrl, int argc,
+				     char *argv[])
+{
+	return wpa_ctrl_command(ctrl, "GET_RXKHS");
+}
+
+static int hostapd_cli_cmd_reload_rxkhs(struct wpa_ctrl *ctrl, int argc,
+					char *argv[])
+{
+	return wpa_ctrl_command(ctrl, "RELOAD_RXKHS");
+}
+
+#endif /* CONFIG_IEEE80211R_AP */
+
+
 #ifdef CONFIG_DPP
 
 static int hostapd_cli_cmd_dpp_qr_code(struct wpa_ctrl *ctrl, int argc,
@@ -1804,6 +1820,12 @@  static const struct hostapd_cli_cmd hostapd_cli_commands[] = {
 	  "<addr> [req_mode=] <measurement request hexdump>  = send a Beacon report request to a station" },
 	{ "reload_wpa_psk", hostapd_cli_cmd_reload_wpa_psk, NULL,
 	  "= reload wpa_psk_file only" },
+#ifdef CONFIG_IEEE80211R_AP
+	{ "reload_rxkhs", hostapd_cli_cmd_reload_rxkhs, NULL,
+	  "= reload R0KHs and R1KHs" },
+	{ "get_rxkhs", hostapd_cli_cmd_get_rxkhs, NULL,
+	  "= get R0KHs and R1KHs" },
+#endif /* CONFIG_IEEE80211R_AP */
 #ifdef ANDROID
 	{ "driver", hostapd_cli_cmd_driver, NULL,
 	  "<driver sub command> [<hex formatted data>] = send driver command data" },
diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c
index 040f39e7f..6ffecdaed 100644
--- a/src/ap/ap_config.c
+++ b/src/ap/ap_config.c
@@ -699,6 +699,36 @@  void hostapd_config_clear_wpa_psk(struct hostapd_wpa_psk **l)
 }
 
 
+#ifdef CONFIG_IEEE80211R_AP
+int hostapd_config_setup_rxkhs(struct hostapd_bss_config *conf)
+{
+	return hostapd_config_read_rxkh_file(conf, conf->rxkh_file);
+}
+
+void hostapd_config_clear_rxkhs(struct hostapd_bss_config *conf)
+{
+	struct ft_remote_r0kh *r0kh, *r0kh_prev;
+	struct ft_remote_r1kh *r1kh, *r1kh_prev;
+
+	r0kh = conf->r0kh_list;
+	conf->r0kh_list = NULL;
+	while (r0kh) {
+		r0kh_prev = r0kh;
+		r0kh = r0kh->next;
+		os_free(r0kh_prev);
+	}
+
+	r1kh = conf->r1kh_list;
+	conf->r1kh_list = NULL;
+	while (r1kh) {
+		r1kh_prev = r1kh;
+		r1kh = r1kh->next;
+		os_free(r1kh_prev);
+	}
+}
+#endif /* CONFIG_IEEE80211R_AP */
+
+
 static void hostapd_config_free_anqp_elem(struct hostapd_bss_config *conf)
 {
 	struct anqp_element *elem;
@@ -831,26 +861,9 @@  void hostapd_config_free_bss(struct hostapd_bss_config *conf)
 	os_free(conf->time_zone);
 
 #ifdef CONFIG_IEEE80211R_AP
-	{
-		struct ft_remote_r0kh *r0kh, *r0kh_prev;
-		struct ft_remote_r1kh *r1kh, *r1kh_prev;
-
-		r0kh = conf->r0kh_list;
-		conf->r0kh_list = NULL;
-		while (r0kh) {
-			r0kh_prev = r0kh;
-			r0kh = r0kh->next;
-			os_free(r0kh_prev);
-		}
-
-		r1kh = conf->r1kh_list;
-		conf->r1kh_list = NULL;
-		while (r1kh) {
-			r1kh_prev = r1kh;
-			r1kh = r1kh->next;
-			os_free(r1kh_prev);
-		}
-	}
+	hostapd_config_clear_rxkhs(conf);
+	os_free(conf->rxkh_file);
+	conf->rxkh_file = NULL;
 #endif /* CONFIG_IEEE80211R_AP */
 
 #ifdef CONFIG_WPS
diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h
index 1d3949559..b5993595d 100644
--- a/src/ap/ap_config.h
+++ b/src/ap/ap_config.h
@@ -405,6 +405,7 @@  struct hostapd_bss_config {
 	int ft_over_ds;
 	int ft_psk_generate_local;
 	int r1_max_key_lifetime;
+	char *rxkh_file;
 #endif /* CONFIG_IEEE80211R_AP */
 
 	char *ctrl_interface; /* directory for UNIX domain sockets */
@@ -1345,6 +1346,10 @@  void hostapd_config_free_radius_attr(struct hostapd_radius_attr *attr);
 void hostapd_config_free_eap_user(struct hostapd_eap_user *user);
 void hostapd_config_free_eap_users(struct hostapd_eap_user *user);
 void hostapd_config_clear_wpa_psk(struct hostapd_wpa_psk **p);
+int hostapd_config_read_rxkh_file(struct hostapd_bss_config *conf,
+				  const char *fname);
+void hostapd_config_clear_rxkhs(struct hostapd_bss_config *conf);
+int hostapd_config_setup_rxkhs(struct hostapd_bss_config *conf);
 void hostapd_config_free_bss(struct hostapd_bss_config *conf);
 void hostapd_config_free(struct hostapd_config *conf);
 int hostapd_maclist_found(struct mac_acl_entry *list, int num_entries,

Add dynamic reload of RxKH definitions from file

Commit Message

Comments

Patch