From: Michal Kazior
To: hostap@lists.infradead.org
Cc: Michal Kazior
Subject: [PATCHv3 1/3] DPP: move DPP_EVENT_AUTH_SUCCESS to a helper
Date: Tue, 11 May 2021 10:56:16 +0000
Message-Id: <20210511105618.72497-1-kazikcz@gmail.com>
In-Reply-To: <20210430132032.5965-1-kazikcz@gmail.com>
References: <20210430132032.5965-1-kazikcz@gmail.com>

From: Michal Kazior

This event is generated in a couple of places. It'll be easier to extend
the event with additional metadata if it's generated in a single place.

Signed-off-by: Michal Kazior
---

Notes:
    v3:
     - moved dpp_notify_auth_success() outside of
       CONFIG_DPP2, where it was inadvertently placed

    v2:
     - added to avoid code duplication
     - [patchset] the v1 patch became a series

 src/ap/dpp_hostapd.c            | 6 ++----
 src/common/dpp.c                | 7 +++++++
 src/common/dpp.h                | 1 +
 src/common/dpp_tcp.c            | 3 +--
 wpa_supplicant/dpp_supplicant.c | 4 ++--
 5 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/src/ap/dpp_hostapd.c b/src/ap/dpp_hostapd.c index 93ffd8cf7..f0b4bc034 100644 --- a/src/ap/dpp_hostapd.c +++ b/src/ap/dpp_hostapd.c
@@ -1023,8 +1023,7 @@ static void hostapd_dpp_start_gas_client(struct hostapd_data *hapd) static void hostapd_dpp_auth_success(struct hostapd_data *hapd, int initiator) { wpa_printf(MSG_DEBUG, "DPP: Authentication succeeded"); - wpa_msg(hapd->msg_ctx, MSG_INFO, DPP_EVENT_AUTH_SUCCESS "init=%d", - initiator); + dpp_notify_auth_success(hapd->dpp_auth, initiator); #ifdef CONFIG_TESTING_OPTIONS if (dpp_test == DPP_TEST_STOP_AT_AUTH_CONF) { wpa_printf(MSG_INFO, @@ -1992,8 +1991,7 @@ hostapd_dpp_gas_req_handler(struct hostapd_data *hapd, const u8 *sa, * from TX status handler, but since there was no such handler * call yet, simply send out the event message and proceed with * exchange. */ - wpa_msg(hapd->msg_ctx, MSG_INFO, - DPP_EVENT_AUTH_SUCCESS "init=1"); + dpp_notify_auth_success(hapd->dpp_auth, 1); hapd->dpp_auth_ok_on_ack = 0; } diff --git a/src/common/dpp.c b/src/common/dpp.c index 3c8c7682d..847e77c81 100644 --- a/src/common/dpp.c +++ b/src/common/dpp.c @@ -4391,6 +4391,13 @@ void dpp_global_deinit(struct dpp_global *dpp) } +void dpp_notify_auth_success(struct dpp_authentication *auth, int initiator) +{ + wpa_msg(auth->msg_ctx, MSG_INFO, DPP_EVENT_AUTH_SUCCESS "init=%d", + initiator); +} + + #ifdef CONFIG_DPP2 struct wpabuf * dpp_build_presence_announcement(struct dpp_bootstrap_info *bi) diff --git a/src/common/dpp.h b/src/common/dpp.h index 75de3cae9..ba2ef53de 100644 --- a/src/common/dpp.h +++ b/src/common/dpp.h @@ -699,6 +699,7 @@ struct dpp_global_config { struct dpp_global * dpp_global_init(struct dpp_global_config *config); void dpp_global_clear(struct dpp_global *dpp); void dpp_global_deinit(struct dpp_global *dpp); +void dpp_notify_auth_success(struct dpp_authentication *auth, int initiator); /* dpp_reconfig.c */ diff --git a/src/common/dpp_tcp.c b/src/common/dpp_tcp.c index c373f1077..0ad209081 100644 --- a/src/common/dpp_tcp.c +++ b/src/common/dpp_tcp.c 
@@ -307,8 +307,7 @@ static void dpp_controller_auth_success(struct dpp_connection *conn, return; wpa_printf(MSG_DEBUG, "DPP: Authentication succeeded"); - wpa_msg(conn->msg_ctx, MSG_INFO, - DPP_EVENT_AUTH_SUCCESS "init=%d", initiator); + dpp_notify_auth_success(auth, initiator); #ifdef CONFIG_TESTING_OPTIONS if (dpp_test == DPP_TEST_STOP_AT_AUTH_CONF) { wpa_printf(MSG_INFO, diff --git a/wpa_supplicant/dpp_supplicant.c b/wpa_supplicant/dpp_supplicant.c index 40ef8aeb5..289c60bc8 100644 --- a/wpa_supplicant/dpp_supplicant.c +++ b/wpa_supplicant/dpp_supplicant.c @@ -1763,7 +1763,7 @@ static void wpas_dpp_start_gas_client(struct wpa_supplicant *wpa_s) static void wpas_dpp_auth_success(struct wpa_supplicant *wpa_s, int initiator) { wpa_printf(MSG_DEBUG, "DPP: Authentication succeeded"); - wpa_msg(wpa_s, MSG_INFO, DPP_EVENT_AUTH_SUCCESS "init=%d", initiator); + dpp_notify_auth_success(wpa_s->dpp_auth, initiator); #ifdef CONFIG_TESTING_OPTIONS if (dpp_test == DPP_TEST_STOP_AT_AUTH_CONF) { wpa_printf(MSG_INFO, 
@@ -2959,7 +2959,7 @@ wpas_dpp_gas_req_handler(void *ctx, void *resp_ctx, const u8 *sa, * TX status handler, but since there was no such handler call * yet, simply send out the event message and proceed with * exchange. */ - wpa_msg(wpa_s, MSG_INFO, DPP_EVENT_AUTH_SUCCESS "init=1"); + dpp_notify_auth_success(auth, 1); wpa_s->dpp_auth_ok_on_ack = 0; }
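
Review bot: dpp_notify_auth_success() in src/common/dpp.c dereferences auth->msg_ctx with no NULL check, while the lines it replaces in hostapd_dpp_auth_success(), hostapd_dpp_gas_req_handler() and wpas_dpp_auth_success() logged through hapd->msg_ctx or wpa_s and did not depend on a dpp_auth pointer at all. Either guard the helper with `if (!auth) return;` or say in the commit message why hapd->dpp_auth and wpa_s->dpp_auth are always set on these paths. The same change moves the event context from hapd->msg_ctx, conn->msg_ctx and wpa_s to auth->msg_ctx in every caller; the commit message should confirm these refer to the same context, because otherwise DPP_EVENT_AUTH_SUCCESS would reach a different control interface listener than before.
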
From: Michal Kazior
To: hostap@lists.infradead.org
Cc: Michal Kazior
Subject: [PATCHv3 2/3] DPP: expose enrollee pubkey hash for identification
Date: Tue, 11 May 2021 10:56:17 +0000
Message-Id: <20210511105618.72497-2-kazikcz@gmail.com>
In-Reply-To: <20210511105618.72497-1-kazikcz@gmail.com>
References: <20210430132032.5965-1-kazikcz@gmail.com> <20210511105618.72497-1-kazikcz@gmail.com>

From: Michal Kazior

Just like with WPA-PSK and keyids it may be desired to identify
connecting clients to provide additional network filtering.

This does:

 - extend DPP_EVENT_AUTH_SUCCESS to expose public
   key hash of the peer so the system can pick it
   up and use for identification later

 - store public key hash in PMKSA from DPP Network
   Intro for later use

 - extend sta mib to print out the dpp_pkhash
   from PMKSA if present

 - extend AP_STA_CONNECTED to include the
   dpp_pkhash from PMKSA if present

Signed-off-by: Michal Kazior
---

Notes:
    v3:
     - remove unnecessary empty newline in dpp_auth.c
     - fix memleak of peer_key after dpp_peer_intro() by
       making it hand over the pkhash instead of key
       (this also avoids openssl code in dpp_hostapd.c)
     - don't duplicate dpp_pkhash string if it's 0 length
       so that NULL checks can actually skip some logic

    v2:
     - fixed type warnings (char vs u8)
     - dropped "hostap" salt for the pkhash
     - dropped DPP_EVENT_AUTH_PK_HASH and reused
       DPP_EVENT_AUTH_SUCCESS (as a result this fixed
       some cases where PK_HASH wasn't signalled as
       expected)
     - adjusted commit log

 src/ap/ctrl_iface_ap.c          |  8 +++++++
 src/ap/dpp_hostapd.c            |  8 ++++---
 src/ap/pmksa_cache_auth.c       |  1 +
 src/ap/pmksa_cache_auth.h       |  1 +
 src/ap/sta_info.c               | 24 +++++++++++++++++----
 src/ap/sta_info.h               |  2 ++
 src/ap/wpa_auth.c               | 33 +++++++++++++++++++++++++++++
 src/ap/wpa_auth.h               |  4 ++++
 src/common/dpp.c                | 15 ++++++++++---
 src/common/dpp.h                |  4 +++-
 src/common/dpp_crypto.c         | 37 +++++++++++++++++++++++++++++++++
 wpa_supplicant/dpp_supplicant.c |  2 +-
 12 files changed, 127 insertions(+), 12 deletions(-)

diff --git a/src/ap/ctrl_iface_ap.c b/src/ap/ctrl_iface_ap.c index 28e40ba9c..e663a60cb 100644 --- a/src/ap/ctrl_iface_ap.c +++ b/src/ap/ctrl_iface_ap.c @@ -208,6 +208,7 @@ static int hostapd_ctrl_iface_sta_mib(struct hostapd_data *hapd, { int len, res, ret, i; const char *keyid; + const char *dpp_pkhash; if (!sta) return 0; @@ -377,6 +378,13 @@ static int hostapd_ctrl_iface_sta_mib(struct hostapd_data *hapd, len += ret; } + dpp_pkhash = ap_sta_wpa_get_dpp_pkhash(hapd, sta); + if (dpp_pkhash) { + ret = os_snprintf(buf + len, buflen - len, "dpp_pkhash=%s\n", dpp_pkhash); + if (!os_snprintf_error(buflen - len, ret)) + len += ret; + } + return len; } diff --git a/src/ap/dpp_hostapd.c b/src/ap/dpp_hostapd.c index f0b4bc034..46b031003 100644 --- a/src/ap/dpp_hostapd.c +++ b/src/ap/dpp_hostapd.c
@@ -1587,6 +1587,7 @@ static void hostapd_dpp_rx_peer_disc_req(struct hostapd_data *hapd, os_time_t expire; int expiration; enum dpp_status_error res; + char pkhash[SHA256_MAC_LEN*2 + 1]; wpa_printf(MSG_DEBUG, "DPP: Peer Discovery Request from " MACSTR, MAC2STR(src)); @@ -1631,7 +1632,8 @@ static void hostapd_dpp_rx_peer_disc_req(struct hostapd_data *hapd, wpabuf_len(hapd->conf->dpp_netaccesskey), wpabuf_head(hapd->conf->dpp_csign), wpabuf_len(hapd->conf->dpp_csign), - connector, connector_len, &expire); + connector, connector_len, &expire, + pkhash, sizeof(pkhash)); if (res == 255) { wpa_printf(MSG_INFO, "DPP: Network Introduction protocol resulted in internal failure (peer " @@ -1654,9 +1656,9 @@ static void hostapd_dpp_rx_peer_disc_req(struct hostapd_data *hapd, else expiration = 0; - if (wpa_auth_pmksa_add2(hapd->wpa_auth, src, intro.pmk, intro.pmk_len, + if (wpa_auth_pmksa_add3(hapd->wpa_auth, src, intro.pmk, intro.pmk_len, intro.pmkid, expiration, - WPA_KEY_MGMT_DPP) < 0) { + WPA_KEY_MGMT_DPP, pkhash) < 0) { wpa_printf(MSG_ERROR, "DPP: Failed to add PMKSA cache entry"); return; } diff --git a/src/ap/pmksa_cache_auth.c b/src/ap/pmksa_cache_auth.c index fe5f81717..29d2b500a 100644 --- a/src/ap/pmksa_cache_auth.c +++ b/src/ap/pmksa_cache_auth.c @@ -40,6 +40,7 @@ static void _pmksa_cache_free_entry(struct rsn_pmksa_cache_entry *entry) { os_free(entry->vlan_desc); os_free(entry->identity); + os_free(entry->dpp_pkhash); wpabuf_free(entry->cui); #ifndef CONFIG_NO_RADIUS radius_free_class(&entry->radius_class); diff --git a/src/ap/pmksa_cache_auth.h b/src/ap/pmksa_cache_auth.h index 2ef217435..59e7e698f 100644 --- a/src/ap/pmksa_cache_auth.h +++ b/src/ap/pmksa_cache_auth.h @@ -23,6 +23,7 @@ struct rsn_pmksa_cache_entry { int akmp; /* WPA_KEY_MGMT_* */ u8 spa[ETH_ALEN]; + char *dpp_pkhash; u8 *identity; size_t identity_len; struct wpabuf *cui; diff --git a/src/ap/sta_info.c b/src/ap/sta_info.c index ccd1ed931..9a80efd4d 100644 --- a/src/ap/sta_info.c 
+++ b/src/ap/sta_info.c @@ -1260,6 +1260,13 @@ const char * ap_sta_wpa_get_keyid(struct hostapd_data *hapd, } +const char * ap_sta_wpa_get_dpp_pkhash(struct hostapd_data *hapd, + struct sta_info *sta) +{ + return wpa_auth_get_dpp_pkhash(sta->wpa_sm); +} + + void ap_sta_set_authorized(struct hostapd_data *hapd, struct sta_info *sta, int authorized) { @@ -1298,10 +1305,13 @@ void ap_sta_set_authorized(struct hostapd_data *hapd, struct sta_info *sta, sta->addr, authorized, dev_addr); if (authorized) { + const char *dpp_pkhash; const char *keyid; + char dpp_pkhash_buf[100]; char keyid_buf[100]; char ip_addr[100]; + dpp_pkhash_buf[0] = '\0'; keyid_buf[0] = '\0'; ip_addr[0] = '\0'; #ifdef CONFIG_P2P @@ -1319,14 +1329,20 @@ void ap_sta_set_authorized(struct hostapd_data *hapd, struct sta_info *sta, " keyid=%s", keyid); } - wpa_msg(hapd->msg_ctx, MSG_INFO, AP_STA_CONNECTED "%s%s%s", - buf, ip_addr, keyid_buf); + dpp_pkhash = ap_sta_wpa_get_dpp_pkhash(hapd, sta); + if (dpp_pkhash) { + os_snprintf(dpp_pkhash_buf, sizeof(dpp_pkhash_buf), + " dpp_pkhash=%s", dpp_pkhash); + } + + wpa_msg(hapd->msg_ctx, MSG_INFO, AP_STA_CONNECTED "%s%s%s%s", + buf, ip_addr, keyid_buf, dpp_pkhash_buf); if (hapd->msg_ctx_parent && hapd->msg_ctx_parent != hapd->msg_ctx) wpa_msg_no_global(hapd->msg_ctx_parent, MSG_INFO, - AP_STA_CONNECTED "%s%s%s", - buf, ip_addr, keyid_buf); + AP_STA_CONNECTED "%s%s%s%s", + buf, ip_addr, keyid_buf, dpp_pkhash_buf); } else { wpa_msg(hapd->msg_ctx, MSG_INFO, AP_STA_DISCONNECTED "%s", buf); diff --git a/src/ap/sta_info.h b/src/ap/sta_info.h index 27e72f9a0..254e4f39f 100644 --- a/src/ap/sta_info.h +++ b/src/ap/sta_info.h 
@@ -385,6 +385,8 @@ void ap_sta_stop_sa_query(struct hostapd_data *hapd, struct sta_info *sta); int ap_check_sa_query_timeout(struct hostapd_data *hapd, struct sta_info *sta); const char * ap_sta_wpa_get_keyid(struct hostapd_data *hapd, struct sta_info *sta); +const char * ap_sta_wpa_get_dpp_pkhash(struct hostapd_data *hapd, + struct sta_info *sta); void ap_sta_disconnect(struct hostapd_data *hapd, struct sta_info *sta, const u8 *addr, u16 reason); diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c index 59cd46aa4..f6575acdb 100644 --- a/src/ap/wpa_auth.c +++ b/src/ap/wpa_auth.c @@ -4681,6 +4681,16 @@ const u8 * wpa_auth_get_pmk(struct wpa_state_machine *sm, int *len) } +const char * wpa_auth_get_dpp_pkhash(struct wpa_state_machine *sm) +{ + if (!sm) + return NULL; + if (!sm->pmksa) + return NULL; + return sm->pmksa->dpp_pkhash; +} + + int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm) { if (!sm) @@ -4842,6 +4852,29 @@ int wpa_auth_pmksa_add2(struct wpa_authenticator *wpa_auth, const u8 *addr, } +int wpa_auth_pmksa_add3(struct wpa_authenticator *wpa_auth, const u8 *addr, + const u8 *pmk, size_t pmk_len, const u8 *pmkid, + int session_timeout, int akmp, const char *dpp_pkhash) +{ + struct rsn_pmksa_cache_entry *entry; + + if (wpa_auth->conf.disable_pmksa_caching) + return -1; + + wpa_hexdump_key(MSG_DEBUG, "RSN: Cache PMK (2)", pmk, PMK_LEN); + entry = pmksa_cache_auth_add(wpa_auth->pmksa, pmk, pmk_len, pmkid, + NULL, 0, wpa_auth->addr, addr, session_timeout, + NULL, akmp); + if (!entry) + return -1; + + if (dpp_pkhash && os_strlen(dpp_pkhash) > 0) + entry->dpp_pkhash = os_strdup(dpp_pkhash); + + return 0; +} + + void wpa_auth_pmksa_remove(struct wpa_authenticator *wpa_auth, const u8 *sta_addr) { diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h index eaa2cafc8..7dc80fded 100644 --- a/src/ap/wpa_auth.h +++ b/src/ap/wpa_auth.h 
@@ -401,6 +401,7 @@ void wpa_auth_countermeasures_start(struct wpa_authenticator *wpa_auth); int wpa_auth_pairwise_set(struct wpa_state_machine *sm); int wpa_auth_get_pairwise(struct wpa_state_machine *sm); const u8 * wpa_auth_get_pmk(struct wpa_state_machine *sm, int *len); +const char * wpa_auth_get_dpp_pkhash(struct wpa_state_machine *sm); int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm); int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm); int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm); @@ -425,6 +426,9 @@ void wpa_auth_add_sae_pmkid(struct wpa_state_machine *sm, const u8 *pmkid); int wpa_auth_pmksa_add2(struct wpa_authenticator *wpa_auth, const u8 *addr, const u8 *pmk, size_t pmk_len, const u8 *pmkid, int session_timeout, int akmp); +int wpa_auth_pmksa_add3(struct wpa_authenticator *wpa_auth, const u8 *addr, + const u8 *pmk, size_t pmk_len, const u8 *pmkid, + int session_timeout, int akmp, const char *dpp_pkhash); void wpa_auth_pmksa_remove(struct wpa_authenticator *wpa_auth, const u8 *sta_addr); int wpa_auth_pmksa_list(struct wpa_authenticator *wpa_auth, char *buf, diff --git a/src/common/dpp.c b/src/common/dpp.c index 847e77c81..56c442d6d 100644 --- a/src/common/dpp.c +++ b/src/common/dpp.c @@ -3665,7 +3665,8 @@ dpp_peer_intro(struct dpp_introduction *intro, const char *own_connector, const u8 *net_access_key, size_t net_access_key_len, const u8 *csign_key, size_t csign_key_len, const u8 *peer_connector, size_t peer_connector_len, - os_time_t *expiry) + os_time_t *expiry, + char *peer_key_hash, size_t peer_key_hash_len) { struct json_token *root = NULL, *netkey, *token; struct json_token *own_root = NULL; @@ -3770,6 +3771,9 @@ dpp_peer_intro(struct dpp_introduction *intro, const char *own_connector, goto fail; } + if (peer_key_hash) + dpp_get_pubkey_hash(peer_key, peer_key_hash, peer_key_hash_len); + ret = DPP_STATUS_OK; fail: if (ret != DPP_STATUS_OK) 
@@ -4393,8 +4397,13 @@ void dpp_global_deinit(struct dpp_global *dpp) void dpp_notify_auth_success(struct dpp_authentication *auth, int initiator) { - wpa_msg(auth->msg_ctx, MSG_INFO, DPP_EVENT_AUTH_SUCCESS "init=%d", - initiator); + char hex[SHA256_MAC_LEN*2 + 1]; + + os_memset(hex, 0, sizeof(hex)); + dpp_get_pubkey_hash(auth->peer_protocol_key, hex, sizeof(hex)); + + wpa_msg(auth->msg_ctx, MSG_INFO, DPP_EVENT_AUTH_SUCCESS "init=%d pkhash=%s", + initiator, hex); } diff --git a/src/common/dpp.h b/src/common/dpp.h index ba2ef53de..fffb7a37f 100644 --- a/src/common/dpp.h +++ b/src/common/dpp.h @@ -594,7 +594,8 @@ dpp_peer_intro(struct dpp_introduction *intro, const char *own_connector, const u8 *net_access_key, size_t net_access_key_len, const u8 *csign_key, size_t csign_key_len, const u8 *peer_connector, size_t peer_connector_len, - os_time_t *expiry); + os_time_t *expiry, + char *peer_key_hash, size_t peer_key_hash_len); struct dpp_pkex * dpp_pkex_init(void *msg_ctx, struct dpp_bootstrap_info *bi, const u8 *own_mac, const char *identifier, @@ -732,6 +733,7 @@ struct dpp_reconfig_id * dpp_gen_reconfig_id(const u8 *csign_key, size_t pp_key_len); int dpp_update_reconfig_id(struct dpp_reconfig_id *id); void dpp_free_reconfig_id(struct dpp_reconfig_id *id); +int dpp_get_pubkey_hash(EVP_PKEY *key, char *hexstr, size_t len); #endif /* CONFIG_DPP */ #endif /* DPP_H */ diff --git a/src/common/dpp_crypto.c b/src/common/dpp_crypto.c index c75fc7871..c1e6c43ee 100644 --- a/src/common/dpp_crypto.c +++ b/src/common/dpp_crypto.c 
@@ -520,6 +520,43 @@ EVP_PKEY * dpp_set_pubkey_point(EVP_PKEY *group_key, const u8 *buf, size_t len) } +int dpp_get_pubkey_hash(EVP_PKEY *key, char *hexstr, size_t len) +{ + unsigned char *der = NULL; + const u8 *args[1]; + size_t lens[1]; + u8 buf[SHA256_MAC_LEN]; + EC_KEY *eckey; + int der_len; + int res = 0; + + os_memset(buf, 0, sizeof(buf)); + os_memset(hexstr, 0, len); + + if (!key) + return -1; + + eckey = EVP_PKEY_get1_EC_KEY(key); + if (!eckey) + return -1; + + der_len = i2d_EC_PUBKEY(eckey, &der); + if (der_len > 0) { + args[0] = der; + lens[0] = der_len; + + if (sha256_vector(1, args, lens, buf) < 0) + res = -1; + + } + OPENSSL_free(der); + EC_KEY_free(eckey); + + wpa_snprintf_hex(hexstr, len, buf, sizeof(buf)); + return res; +} + + EVP_PKEY * dpp_gen_keypair(const struct dpp_curve_params *curve) { EVP_PKEY_CTX *kctx = NULL; diff --git a/wpa_supplicant/dpp_supplicant.c b/wpa_supplicant/dpp_supplicant.c index 289c60bc8..b0a11bc4d 100644 --- a/wpa_supplicant/dpp_supplicant.c +++ b/wpa_supplicant/dpp_supplicant.c @@ -2437,7 +2437,7 @@ static void wpas_dpp_rx_peer_disc_resp(struct wpa_supplicant *wpa_s, ssid->dpp_netaccesskey_len, ssid->dpp_csign, ssid->dpp_csign_len, - connector, connector_len, &expiry); + connector, connector_len, &expiry, NULL, 0); if (res != DPP_STATUS_OK) { wpa_printf(MSG_INFO, "DPP: Network Introduction protocol resulted in failure");
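
Review bot: dpp_get_pubkey_hash() in src/common/dpp_crypto.c reports success with an all-zero hash when i2d_EC_PUBKEY() fails, because `res` stays 0 when `der_len > 0` is false and wpa_snprintf_hex() then formats the zeroed `buf` unconditionally. The same formatting happens after a sha256_vector() failure, so the caller gets -1 together with a 64-character string of zeros. Since this value is meant to identify clients for filtering, set `res = -1` when der_len <= 0 and skip wpa_snprintf_hex() on any failure so that hexstr stays empty, which is the case the `os_strlen(dpp_pkhash) > 0` test in wpa_auth_pmksa_add3() already handles.
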
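
Review bot: in hostapd_dpp_rx_peer_disc_req() (src/ap/dpp_hostapd.c) the new `char pkhash[SHA256_MAC_LEN*2 + 1];` is never initialised, and dpp_peer_intro() only writes it in the block just before `ret = DPP_STATUS_OK;`, ignoring the return value of dpp_get_pubkey_hash(). Add `pkhash[0] = '\0';` before the dpp_peer_intro() call so that wpa_auth_pmksa_add3() can never run os_strlen() and os_strdup() over indeterminate stack contents, and have dpp_peer_intro() check the helper's result instead of discarding it.
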
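
Review bot: wpa_auth_pmksa_add3() in src/ap/wpa_auth.c ignores an os_strdup() failure and still returns 0, so the PMKSA entry is cached without dpp_pkhash and the station later shows up with no identifier and no error logged. Check the os_strdup() result and at least log the failure. The function also dumps `PMK_LEN` bytes in wpa_hexdump_key() although `pmk_len` is passed in, and carries the label "RSN: Cache PMK (2)" under a name ending in 3; using pmk_len and turning wpa_auth_pmksa_add2() into a wrapper that calls wpa_auth_pmksa_add3() with a NULL dpp_pkhash would avoid keeping two copies of this logic.
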
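
Review bot: dpp_notify_auth_success() in src/common/dpp.c discards the return value of dpp_get_pubkey_hash(), so when auth->peer_protocol_key is NULL the event is emitted as "init=%d pkhash=" with an empty value. Emit the pkhash field only when the helper returns 0, so that listeners keying on the hash can tell an unidentified peer from a malformed event, and document the new field next to the DPP_EVENT_AUTH_SUCCESS definition since external software is expected to parse it.
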