From patchwork Sat Sep 17 04:21:01 2022
From: Ben Wolsieffer
To: hostap@lists.infradead.org
Cc: Ben Wolsieffer
Subject: [PATCH 1/2] Fix external passwords with 4-way handshake offloading
Date: Sat, 17 Sep 2022 00:21:01 -0400
Message-Id: <20220917042102.7584-1-benwolsieffer@gmail.com>
X-Mailer: git-send-email 2.37.2
Passphrases/PSKs from external password databases were ignored if 4-way handshake offloading was supported by the driver. This patch splits the PSK loading functionality into a separate function and calls it to get the PSK for handshake offloading.

I tested connecting to a WPA2-PSK network with both inline and external passphrases, using the iwlwifi and brcmfmac drivers.

Signed-off-by: Ben Wolsieffer
---
 wpa_supplicant/wpa_supplicant.c | 214 +++++++++++++++++---------------
 1 file changed, 113 insertions(+), 101 deletions(-)

diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c
index e085391e2..f4dfd1382 100644
--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c
@@ -1346,6 +1346,106 @@ void wpas_set_mgmt_group_cipher(struct wpa_supplicant *wpa_s, wpas_get_ssid_pmf(wpa_s, ssid)); } +/** + * wpa_supplicant_get_psk - Get PSK from config or external database + * @wpa_s: Pointer to wpa_supplicant data + * @bss: Scan results for the selected BSS, or %NULL if not available + * @ssid: Configuration data for the selected network + * @psk: Buffer for the PSK + * + * This function obtains the PSK for a network, either included inline in the + * config or retrieved from an external database. + */ +static int wpa_supplicant_get_psk(struct wpa_supplicant *wpa_s, + struct wpa_bss *bss, struct wpa_ssid *ssid, + u8 *psk) +{ + if (ssid->psk_set) { + wpa_hexdump_key(MSG_MSGDUMP, "PSK (set in config)", ssid->psk, + PMK_LEN); + os_memcpy(psk, ssid->psk, PMK_LEN); + return 0; + } + +#ifndef CONFIG_NO_PBKDF2 + if (bss && ssid->bssid_set && ssid->ssid_len == 0 && ssid->passphrase) { + if (pbkdf2_sha1(ssid->passphrase, bss->ssid, bss->ssid_len, + 4096, psk, PMK_LEN) != 0) { + wpa_msg(wpa_s, MSG_WARNING, "Error in pbkdf2_sha1()"); + return -1; + } + wpa_hexdump_key(MSG_MSGDUMP, "PSK (from passphrase)", + psk, PMK_LEN); + return 0; + } +#endif /* CONFIG_NO_PBKDF2 */ + +#ifdef CONFIG_EXT_PASSWORD + if (ssid->ext_psk) { + struct wpabuf *pw = ext_password_get(wpa_s->ext_pw, + ssid->ext_psk); + char pw_str[64 + 1]; + + if (pw == NULL) { + wpa_msg(wpa_s, MSG_INFO, "EXT PW: No PSK found from " + "external storage"); + return -1; + } + + if (wpabuf_len(pw) < 8 || wpabuf_len(pw) > 64) { + wpa_msg(wpa_s, MSG_INFO, "EXT PW: Unexpected PSK " + "length %d in external storage", + (int) wpabuf_len(pw)); + ext_password_free(pw); + return -1; + } + + os_memcpy(pw_str, wpabuf_head(pw), wpabuf_len(pw)); + pw_str[wpabuf_len(pw)] = '\0'; + +#ifndef CONFIG_NO_PBKDF2 + if (wpabuf_len(pw) >= 8 && wpabuf_len(pw) < 64 && bss) + { + if (pbkdf2_sha1(pw_str, bss->ssid, bss->ssid_len, + 4096, psk, PMK_LEN) != 0) { + wpa_msg(wpa_s, MSG_WARNING, + "Error in pbkdf2_sha1()"); + 
ext_password_free(pw); + return -1; + } + os_memset(pw_str, 0, sizeof(pw_str)); + wpa_hexdump_key(MSG_MSGDUMP, "PSK (from external " + "passphrase)", + psk, PMK_LEN); + } else +#endif /* CONFIG_NO_PBKDF2 */ + if (wpabuf_len(pw) == 2 * PMK_LEN) { + if (hexstr2bin(pw_str, psk, PMK_LEN) < 0) { + wpa_msg(wpa_s, MSG_INFO, "EXT PW: Invalid PSK " + "hex string"); + os_memset(pw_str, 0, sizeof(pw_str)); + ext_password_free(pw); + return -1; + } + wpa_hexdump_key(MSG_MSGDUMP, "PSK (from external PSK)", + psk, PMK_LEN); + } else { + wpa_msg(wpa_s, MSG_INFO, "EXT PW: No suitable PSK " + "available"); + os_memset(pw_str, 0, sizeof(pw_str)); + ext_password_free(pw); + return -1; + } + + os_memset(pw_str, 0, sizeof(pw_str)); + ext_password_free(pw); + + return 0; + } +#endif /* CONFIG_EXT_PASSWORD */ + + return -1; +} static void wpas_update_allowed_key_mgmt(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid) 
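Review bot: in the @@ -1346 hunk, the pbkdf2_sha1() failure branch of the external-passphrase path calls ext_password_free(pw) and returns -1 without clearing pw_str, while every other exit from that block does `os_memset(pw_str, 0, sizeof(pw_str));` first; add the memset there so the plaintext passphrase copy does not stay on the stack (the old inline code had the same omission, but the new helper is the place to fix it). The kernel-doc comment for wpa_supplicant_get_psk() should also carry a `Returns: 0 on success, -1 on failure` line, since the callers in the later hunks rely on the `>= 0` convention.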
@@ -1884,109 +1984,20 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s, WPA_KEY_MGMT_FT_PSK | WPA_KEY_MGMT_PSK_SHA256)) == 0; - if (ssid->psk_set && !sae_only) { - wpa_hexdump_key(MSG_MSGDUMP, "PSK (set in config)", - ssid->psk, PMK_LEN); - wpa_sm_set_pmk(wpa_s->wpa, ssid->psk, PMK_LEN, NULL, - NULL); - psk_set = 1; - } - - if (wpa_key_mgmt_sae(ssid->key_mgmt) && - (ssid->sae_password || ssid->passphrase)) - psk_set = 1; - -#ifndef CONFIG_NO_PBKDF2 - if (bss && ssid->bssid_set && ssid->ssid_len == 0 && - ssid->passphrase && !sae_only) { - u8 psk[PMK_LEN]; - - if (pbkdf2_sha1(ssid->passphrase, bss->ssid, - bss->ssid_len, - 4096, psk, PMK_LEN) != 0) { - wpa_msg(wpa_s, MSG_WARNING, - "Error in pbkdf2_sha1()"); - return -1; - } - wpa_hexdump_key(MSG_MSGDUMP, "PSK (from passphrase)", - psk, PMK_LEN); - wpa_sm_set_pmk(wpa_s->wpa, psk, PMK_LEN, NULL, NULL); - psk_set = 1; - os_memset(psk, 0, sizeof(psk)); - } -#endif /* CONFIG_NO_PBKDF2 */ -#ifdef CONFIG_EXT_PASSWORD - if (ssid->ext_psk && !sae_only) { - struct wpabuf *pw = ext_password_get(wpa_s->ext_pw, - ssid->ext_psk); - char pw_str[64 + 1]; + if (!sae_only) { u8 psk[PMK_LEN]; - - if (pw == NULL) { - wpa_msg(wpa_s, MSG_INFO, "EXT PW: No PSK " - "found from external storage"); - return -1; - } - - if (wpabuf_len(pw) < 8 || wpabuf_len(pw) > 64) { - wpa_msg(wpa_s, MSG_INFO, "EXT PW: Unexpected " - "PSK length %d in external storage", - (int) wpabuf_len(pw)); - ext_password_free(pw); - return -1; - } - - os_memcpy(pw_str, wpabuf_head(pw), wpabuf_len(pw)); - pw_str[wpabuf_len(pw)] = '\0'; - -#ifndef CONFIG_NO_PBKDF2 - if (wpabuf_len(pw) >= 8 && wpabuf_len(pw) < 64 && bss) - { - if (pbkdf2_sha1(pw_str, bss->ssid, - bss->ssid_len, - 4096, psk, PMK_LEN) != 0) { - wpa_msg(wpa_s, MSG_WARNING, - "Error in pbkdf2_sha1()"); - ext_password_free(pw); - return -1; - } - os_memset(pw_str, 0, sizeof(pw_str)); - wpa_hexdump_key(MSG_MSGDUMP, "PSK (from " - "external passphrase)", - psk, PMK_LEN); - wpa_sm_set_pmk(wpa_s->wpa, 
psk, PMK_LEN, NULL, - NULL); - psk_set = 1; - os_memset(psk, 0, sizeof(psk)); - } else -#endif /* CONFIG_NO_PBKDF2 */ - if (wpabuf_len(pw) == 2 * PMK_LEN) { - if (hexstr2bin(pw_str, psk, PMK_LEN) < 0) { - wpa_msg(wpa_s, MSG_INFO, "EXT PW: " - "Invalid PSK hex string"); - os_memset(pw_str, 0, sizeof(pw_str)); - ext_password_free(pw); - return -1; - } - wpa_hexdump_key(MSG_MSGDUMP, - "PSK (from external PSK)", - psk, PMK_LEN); + if (wpa_supplicant_get_psk(wpa_s, bss, ssid, + psk) >= 0) { wpa_sm_set_pmk(wpa_s->wpa, psk, PMK_LEN, NULL, NULL); psk_set = 1; - os_memset(psk, 0, sizeof(psk)); - } else { - wpa_msg(wpa_s, MSG_INFO, "EXT PW: No suitable " - "PSK available"); - os_memset(pw_str, 0, sizeof(pw_str)); - ext_password_free(pw); - return -1; } - - os_memset(pw_str, 0, sizeof(pw_str)); - ext_password_free(pw); + os_memset(psk, 0, sizeof(psk)); } -#endif /* CONFIG_EXT_PASSWORD */ + + if (wpa_key_mgmt_sae(ssid->key_mgmt) && + (ssid->sae_password || ssid->passphrase)) + psk_set = 1; if (!psk_set) { wpa_msg(wpa_s, MSG_INFO, @@ -3754,6 +3765,7 @@ static void wpas_start_assoc_cb(struct wpa_radio_work *work, int deinit) int use_crypt, ret, bssid_changed; unsigned int cipher_pairwise, cipher_group, cipher_group_mgmt; struct wpa_driver_associate_params params; + u8 psk[PMK_LEN]; #if defined(CONFIG_WEP) || defined(IEEE8021X_EAPOL) int wep_keys_set = 0; #endif /* CONFIG_WEP || IEEE8021X_EAPOL */ @@ -4046,8 +4058,8 @@ static void wpas_start_assoc_cb(struct wpa_radio_work *work, int deinit) (params.allowed_key_mgmts & (WPA_KEY_MGMT_PSK | WPA_KEY_MGMT_FT_PSK)))) { params.passphrase = ssid->passphrase; - if (ssid->psk_set) - params.psk = ssid->psk; + if (wpa_supplicant_get_psk(wpa_s, bss, ssid, psk) >= 0) + params.psk = psk; } if ((wpa_s->drv_flags & WPA_DRIVER_FLAGS_4WAY_HANDSHAKE_8021X) && 
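Review bot: in the @@ -1884 hunk the refactor changes error semantics: the removed code returned -1 from wpa_supplicant_set_suites() when pbkdf2_sha1() failed, when ext_password_get() found nothing, or when the external entry had an unexpected length or an invalid hex string, whereas now any wpa_supplicant_get_psk() failure leaves psk_set at 0 and falls through to the generic `if (!psk_set)` handling below. That may be acceptable, since the helper already logs the specific cause, but the commit message should say it is intentional, or the caller could distinguish "no PSK configured" from "PSK lookup failed" so that the latter still fails early as before.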
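Review bot: in the @@ -4046 hunk, params.psk now points at the stack buffer `psk` declared in the @@ -3754 hunk, and nothing in the patch clears that buffer once the associate request has been issued; wpa_supplicant_set_suites() does `os_memset(psk, 0, sizeof(psk));` after use, and wpas_start_assoc_cb() should do the same after params has been consumed, since the derived PMK otherwise remains in the frame of a long function.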
@@ -4070,8 +4082,8 @@ static void wpas_start_assoc_cb(struct wpa_radio_work *work, int deinit) if ((wpa_key_mgmt_wpa_psk_no_sae(params.key_mgmt_suite) || wpa_key_mgmt_wpa_psk_no_sae(params.allowed_key_mgmts)) && - ssid->psk_set) - params.psk = ssid->psk; + wpa_supplicant_get_psk(wpa_s, bss, ssid, psk) >= 0) + params.psk = psk; } params.drop_unencrypted = use_crypt;
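Review bot: in the @@ -4070 hunk wpa_supplicant_get_psk() is called a second time in wpas_start_assoc_cb(), after the call added in the @@ -4046 hunk; if both conditions can hold in the same invocation this repeats the 4096-iteration PBKDF2 derivation and a second external-database lookup for the same network. Consider deriving once into `psk`, remembering whether it succeeded, and reusing the result in both branches. Calling a function whose side effect is to fill `psk` inside the `&&` condition also reads awkwardly; a separate statement with the result in a local would be clearer.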
From: Ben Wolsieffer
To: hostap@lists.infradead.org
Cc: Ben Wolsieffer
Subject: [PATCH 2/2] SAE: Fix loading password from external database
Date: Sat, 17 Sep 2022 00:21:02 -0400
Message-Id: <20220917042102.7584-2-benwolsieffer@gmail.com>
X-Mailer: git-send-email 2.37.2
In-Reply-To: <20220917042102.7584-1-benwolsieffer@gmail.com>
References: <20220917042102.7584-1-benwolsieffer@gmail.com>
There was no support for loading SAE passwords from an external password database.

Signed-off-by: Ben Wolsieffer
---
 wpa_supplicant/sme.c | 64 +++++++++++++++++++++++++++++++++++---------
 1 file changed, 51 insertions(+), 13 deletions(-)

diff --git a/wpa_supplicant/sme.c b/wpa_supplicant/sme.c
index 41b67f8eb..afbba8edf 100644
--- a/wpa_supplicant/sme.c
+++ b/wpa_supplicant/sme.c
@@ -20,6 +20,7 @@ #include "rsn_supp/wpa.h" #include "rsn_supp/pmksa_cache.h" #include "config.h" +#include "utils/ext_password.h" #include "wpa_supplicant_i.h" #include "driver_i.h" #include "wpas_glue.h"
@@ -90,7 +91,7 @@ static struct wpabuf * sme_auth_build_sae_commit(struct wpa_supplicant *wpa_s, { struct wpabuf *buf; size_t len; - const char *password; + char *password = NULL; struct wpa_bss *bss; int use_pt = 0; bool use_pk = false; @@ -106,7 +107,7 @@ static struct wpabuf * sme_auth_build_sae_commit(struct wpa_supplicant *wpa_s, wpa_printf(MSG_DEBUG, "SAE: TESTING - commit override"); buf = wpabuf_alloc(4 + wpabuf_len(wpa_s->sae_commit_override)); if (!buf) - return NULL; + goto fail; if (!external) { wpabuf_put_le16(buf, 1); /* Transaction seq# */ wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS); @@ -116,12 +117,44 @@ static struct wpabuf * sme_auth_build_sae_commit(struct wpa_supplicant *wpa_s, } #endif /* CONFIG_TESTING_OPTIONS */ - password = ssid->sae_password; - if (!password) - password = ssid->passphrase; + if (ssid->sae_password) { + password = os_strdup(ssid->sae_password); + if (!password) { + wpa_dbg(wpa_s, MSG_ERROR, "SAE: Failed to allocate " + "password"); + goto fail; + } + } + if (!password && ssid->passphrase) { + password = os_strdup(ssid->passphrase); + if (!password) { + wpa_dbg(wpa_s, MSG_ERROR, "SAE: Failed to allocate " + "password"); + goto fail; + } + } + if (!password && ssid->ext_psk) { + struct wpabuf *pw = ext_password_get(wpa_s->ext_pw, + ssid->ext_psk); + + if (pw == NULL) { + wpa_msg(wpa_s, MSG_INFO, "SAE: No password found from " + "external storage"); + goto fail; + } + + password = os_malloc(wpabuf_len(pw) + 1); + if (!password) { + wpa_dbg(wpa_s, MSG_ERROR, "SAE: Failed to allocate " + "password"); + goto fail; + } + os_memcpy(password, wpabuf_head(pw), wpabuf_len(pw)); + password[wpabuf_len(pw)] = '\0'; + } if (!password) { wpa_printf(MSG_DEBUG, "SAE: No password available"); - return NULL; + goto fail; } if (reuse && wpa_s->sme.sae.tmp && 
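Review bot: in the @@ -116 hunk the wpabuf returned by ext_password_get() is never released: after the os_memcpy() into `password` there is no ext_password_free(pw), and the os_malloc() failure branch also jumps to fail with `pw` still allocated. The PSK path in patch 1/2 calls ext_password_free(pw) on every exit, so this should do the same (free before the `goto fail` and after the copy). Separately, os_strdup()'ing ssid->sae_password and ssid->passphrase only to get a uniform `str_clear_free(password)` at the end adds an allocation on every commit build; keeping `const char *password` for the config-sourced cases and freeing only the external copy would avoid it. The ext_psk description in wpa_supplicant.conf should also mention that the entry is now consulted as the SAE password.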
@@ -134,7 +167,7 @@ static struct wpabuf * sme_auth_build_sae_commit(struct wpa_supplicant *wpa_s, } if (sme_set_sae_group(wpa_s) < 0) { wpa_printf(MSG_DEBUG, "SAE: Failed to select group"); - return NULL; + goto fail; } bss = wpa_bss_get_bssid_latest(wpa_s, bssid); @@ -171,7 +204,7 @@ static struct wpabuf * sme_auth_build_sae_commit(struct wpa_supplicant *wpa_s, if (ssid->sae_pk == SAE_PK_MODE_ONLY && !use_pk) { wpa_printf(MSG_DEBUG, "SAE: Cannot use PK with the selected AP"); - return NULL; + goto fail; } #endif /* CONFIG_SAE_PK */ @@ -184,7 +217,7 @@ static struct wpabuf * sme_auth_build_sae_commit(struct wpa_supplicant *wpa_s, !use_pt) { wpa_printf(MSG_DEBUG, "SAE: Cannot use H2E with the selected AP"); - return NULL; + goto fail; } } @@ -192,13 +225,13 @@ static struct wpabuf * sme_auth_build_sae_commit(struct wpa_supplicant *wpa_s, sae_prepare_commit_pt(&wpa_s->sme.sae, ssid->pt, wpa_s->own_addr, bssid, wpa_s->sme.sae_rejected_groups, NULL) < 0) - return NULL; + goto fail; if (!use_pt && sae_prepare_commit(wpa_s->own_addr, bssid, (u8 *) password, os_strlen(password), &wpa_s->sme.sae) < 0) { wpa_printf(MSG_DEBUG, "SAE: Could not pick PWE"); - return NULL; + goto fail; } if (wpa_s->sme.sae.tmp) { os_memcpy(wpa_s->sme.sae.tmp->bssid, bssid, ETH_ALEN); @@ -218,7 +251,7 @@ reuse_data: len += 4 + os_strlen(ssid->sae_password_id); buf = wpabuf_alloc(4 + SAE_COMMIT_MAX_LEN + len); if (buf == NULL) - return NULL; + goto fail; if (!external) { wpabuf_put_le16(buf, 1); /* Transaction seq# */ if (use_pk) @@ -231,14 +264,19 @@ reuse_data: if (sae_write_commit(&wpa_s->sme.sae, buf, wpa_s->sme.sae_token, ssid->sae_password_id) < 0) { wpabuf_free(buf); - return NULL; + goto fail; } if (ret_use_pt) *ret_use_pt = use_pt; if (ret_use_pk) *ret_use_pk = use_pk; + str_clear_free(password); return buf; + +fail: + str_clear_free(password); + return NULL; }
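Review bot: the `fail:` exit added in the @@ -231 hunk is also reached from the @@ -106 testing-override hunk and from the other early `goto fail` sites before `password` has been assigned, so the cleanup depends on the `= NULL` initializer introduced in the @@ -90 hunk and on str_clear_free() accepting NULL (it does, in utils/common.c). That works, but a short comment at the label noting that `password` may be NULL would keep a later edit from breaking the invariant.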