From patchwork Wed Jan 16 12:35:18 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: =?utf-8?q?Micha=C5=82_Kazior?= X-Patchwork-Id: 1025798 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=lists.infradead.org (client-ip=2607:7c80:54:e::133; helo=bombadil.infradead.org; envelope-from=hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=gmail.com Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=lists.infradead.org header.i=@lists.infradead.org header.b="cuwHWXF7"; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="LalobS10"; dkim-atps=neutral Received: from bombadil.infradead.org (bombadil.infradead.org [IPv6:2607:7c80:54:e::133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 43fmsc2ksLz9sD9 for ; Wed, 16 Jan 2019 23:36:20 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20170209; h=Sender: Content-Transfer-Encoding:Content-Type:Cc:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To: Message-Id:Date:Subject:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=FLhEP3iKjYcWYsCadGN/PVjR9RblbgG04heZZ7Bf3WE=; b=cuwHWXF7yr6H9j sHVzZeLEmjCGO0YlTrLdpOjLSkB0+6Jb9b4LA5xZGcal+g2wvKKHBDfPsuLFoDt/7xF7CGIIEa682 ijbXjAq48+aqa+FTdoY0KE4H7iKwro1P7DIgLi4yZYxSbYCKOX7EvKTsE5DIcjXIMGMmyNfut8x0v uzYN0yJlO7N1lGHFDtOLb8QWaRLVDgeZm08yjN/1r2PkMwdThKeeU4Wwg/Hg0NJ9NCDqA7/gldSi6 JZHoUXPgWlWxK5leDeqUOfaW2T8axIgSmzKLrgZfSNE7qWyj++DAgXfQrbZFjUGws55g3MkFWvpH8 z8hRFquLpdqX378nUr9A==; Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.90_1 #2 (Red Hat Linux)) id 1gjkQT-0006H7-Hu; Wed, 16 Jan 2019 12:36:09 +0000 Received: from mail-lf1-x142.google.com ([2a00:1450:4864:20::142]) by bombadil.infradead.org with esmtps (Exim 4.90_1 #2 (Red Hat Linux)) id 1gjkQQ-0006Fp-7A for hostap@lists.infradead.org; Wed, 16 Jan 2019 12:36:07 +0000 Received: by mail-lf1-x142.google.com with SMTP id p6so4778949lfc.1 for ; Wed, 16 Jan 2019 04:36:05 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=gGl1XZ2YjgISNT6MvTJuDV2pn4kNnLhi6R58BnDWX94=; b=LalobS105FmPXkw3R93WdUTF0qRzPAwmwW1tAnvlQ3XY6Nq1Z+w9sfQxJK6jdcXjZG 9X+i4G8dlPUML4AkvKYifqCQYSEJ5qUY2M2sgY9Z5OEzH8tHwfBvgp7skCijyG/n8940 FNEnX27TfJ3tHcW1gvMr72z54WpLMSC4PgnxXKJ2KPJMy9+eA2GQzKRf3d0aZV76snlk 1jFaZiFvrSnKbWpOuy1H1V1miMgh67JsruvJ7cBFuxrtby55SyPeb9qe1bAFUlGnfj+c jErfEWTRpW7+xbh76o17WdVtPGplOFmdpN1I6jfk7vL+pM/cqQxt0qazP7lLKtHqFVek +78g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=gGl1XZ2YjgISNT6MvTJuDV2pn4kNnLhi6R58BnDWX94=; b=j83BfBwfzGkeoirNpxAxbe7bvT2dQGZJfRjO44Xy4wob16/boGdlojW45KHppt7NKa 5dvn8ygJo6+tkvq0wMez0YW4JX2pvQOHNROPJcTZztqrMAQtCSmeEZxBSmwtw6ePlVzK Ayu9jfJvO4uGPztV8tEZYmPqEDVfOnjEUGghe4BlufdggBZj7P3KCtoT/g9yeTN2+I+G VpphBYBHECpkE1mB8zfGiMCHiNukmDJHAq7zerJw713NhqaE45062eMp5y5Gl9ASO3nQ kMIvAu7C8goUoAhoKgccY5Zppb9Oil8PgfXNogDgS2gQ0YHEZJkZ6QCEnyJ887L1b1Q6 nkGA== X-Gm-Message-State: AJcUukdUyVB3M9vxLe22OfCSIMeooOMakTeUKrmF+S/3JeFL2XrG2nrc RBPHvZBaO8kp5/1K1IhYeHzeaeiBXLQ= X-Google-Smtp-Source: ALg8bN68DNrZIQ0ATvn2PO2Yrtns3/kFBGjFL3U5dJAfEKJDn4Z/F+QFh3N4DR9pPt2Yg+d+dI7QuQ== X-Received: by 2002:a19:2584:: with SMTP id l126mr6526422lfl.69.1547642163474; Wed, 16 Jan 2019 04:36:03 -0800 (PST) Received: from thin.lan ([78.9.128.6]) by smtp.gmail.com with ESMTPSA id g12-v6sm988680lja.74.2019.01.16.04.36.02 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 16 Jan 2019 04:36:02 -0800 (PST) From: Michal Kazior To: hostap@lists.infradead.org Subject: [PATCH 1/3] AP: expose pmk outside of wpa code Date: Wed, 16 Jan 2019 13:35:18 +0100 Message-Id: <20190116123520.17602-2-kazikcz@gmail.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20190116123520.17602-1-kazikcz@gmail.com> References: <20181121213836.28701-1-kazikcz@gmail.com> <20190116123520.17602-1-kazikcz@gmail.com> MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20190116_043606_265383_C511C476 X-CRM114-Status: GOOD ( 10.75 ) X-Spam-Score: -0.2 (/) X-Spam-Report: SpamAssassin version 3.4.2 on bombadil.infradead.org summary: Content analysis details: (-0.2 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no trust [2a00:1450:4864:20:0:0:0:142 listed in] [list.dnswl.org] 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (kazikcz[at]gmail.com) -0.0 SPF_PASS SPF: sender matches SPF record 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain X-BeenThere: hostap@lists.infradead.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Michal Kazior , carlitonueno@gmail.com Sender: "Hostap" Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org From: Michal Kazior This doesn't change any behavior on its own. It's going to be used to expose per-station keyids and allow reloading passphrases in runtime. Signed-off-by: Michal Kazior --- Notes: v1: - introduced src/ap/wpa_auth.c | 11 +++++++++++ src/ap/wpa_auth.h | 1 + src/ap/wpa_auth_ft.c | 2 ++ 3 files changed, 14 insertions(+) diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c index 34969e79e..b7cd2d706 100644 --- a/src/ap/wpa_auth.c +++ b/src/ap/wpa_auth.c @@ -860,6 +860,8 @@ static int wpa_try_alt_snonce(struct wpa_state_machine *sm, u8 *data, if (wpa_verify_key_mic(sm->wpa_key_mgmt, pmk_len, &PTK, data, data_len) == 0) { + os_memcpy(sm->PMK, pmk, pmk_len); + sm->pmk_len = pmk_len; ok = 1; break; } @@ -2675,6 +2677,8 @@ SM_STATE(WPA_PTK, PTKCALCNEGOTIATING) wpa_verify_key_mic(sm->wpa_key_mgmt, pmk_len, &PTK, sm->last_rx_eapol_key, sm->last_rx_eapol_key_len) == 0) { + os_memcpy(sm->PMK, pmk, pmk_len); + sm->pmk_len = pmk_len; ok = 1; break; } @@ -3963,6 +3967,13 @@ int wpa_auth_get_pairwise(struct wpa_state_machine *sm) } +const u8 *wpa_auth_get_pmk(struct wpa_state_machine *sm, int *len) +{ + *len = sm->pmk_len; + return sm->PMK; +} + + int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm) { if (sm == NULL) diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h index fad5536f7..7e82068e3 100644 --- a/src/ap/wpa_auth.h +++ b/src/ap/wpa_auth.h @@ -339,6 +339,7 @@ int wpa_get_mib_sta(struct wpa_state_machine *sm, char *buf, size_t buflen); void wpa_auth_countermeasures_start(struct wpa_authenticator *wpa_auth); int wpa_auth_pairwise_set(struct wpa_state_machine *sm); int wpa_auth_get_pairwise(struct wpa_state_machine *sm); +const u8 *wpa_auth_get_pmk(struct wpa_state_machine *sm, int *len); int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm); int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm); int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm); diff --git a/src/ap/wpa_auth_ft.c b/src/ap/wpa_auth_ft.c index e8d46ab0d..391fe465a 100644 --- a/src/ap/wpa_auth_ft.c +++ b/src/ap/wpa_auth_ft.c @@ -2596,6 +2596,8 @@ static int wpa_ft_psk_pmk_r1(struct wpa_state_machine *sm, os_memcpy(out_pmk_r1, pmk_r1, PMK_LEN); if (out_pairwise) *out_pairwise = pairwise; + os_memcpy(sm->PMK, pmk, PMK_LEN); + sm->pmk_len = PMK_LEN; if (out_vlan && wpa_ft_get_vlan(sm->wpa_auth, sm->addr, out_vlan) < 0) { wpa_printf(MSG_DEBUG, "FT: vlan not available for STA " From patchwork Wed Jan 16 12:35:19 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: =?utf-8?q?Micha=C5=82_Kazior?= X-Patchwork-Id: 1025801 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=lists.infradead.org (client-ip=2607:7c80:54:e::133; helo=bombadil.infradead.org; envelope-from=hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=gmail.com Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=lists.infradead.org header.i=@lists.infradead.org header.b="gNtJA1cP"; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="qzIfTt1R"; dkim-atps=neutral Received: from bombadil.infradead.org (bombadil.infradead.org [IPv6:2607:7c80:54:e::133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 43fmt11cQCz9sD9 for ; Wed, 16 Jan 2019 23:36:41 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20170209; h=Sender: Content-Transfer-Encoding:Content-Type:Cc:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To: Message-Id:Date:Subject:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=5FA+xbtljH50GwP3B+/Pwr7qrQae4XWf7EFcK66lB1M=; b=gNtJA1cPCNZaDq x6z2LEc5ad9D8eIsIH0ggOHwvsbdPDv5w6/P3CW2YaEqiz9Ubrv9IXoK/VgjoDru9yXRq6SHGMvBn xa+98Vn1qv/76eXMV78oayQHRlWz1c9ffcKsVuleHcGwheVm6u6n7YSSWw9D8kenbmD9OcWLF6leU JLrKbIgq6O8gRivbfdU0oAX6Nt0YuxAWuam/yNGXgOBBPFpE3fkSVov2jWC/VHFLGwVsLthUwBe/L J8eRHQyteq7VFRjggbjMiuGezgm4rqKgL3n1Ufk7oHnGfQRNnC4urLOwloXF7lOsZ76othjGZYgTs 9n4sR/7xkTkrDTFuL6yQ==; Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.90_1 #2 (Red Hat Linux)) id 1gjkQp-0006gc-T0; Wed, 16 Jan 2019 12:36:31 +0000 Received: from mail-lf1-x132.google.com ([2a00:1450:4864:20::132]) by bombadil.infradead.org with esmtps (Exim 4.90_1 #2 (Red Hat Linux)) id 1gjkQS-0006GK-8r for hostap@lists.infradead.org; Wed, 16 Jan 2019 12:36:09 +0000 Received: by mail-lf1-x132.google.com with SMTP id y11so4758749lfj.4 for ; Wed, 16 Jan 2019 04:36:07 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=1f/n+/7MIaB4wefSnlRfDnBKlwf2gqABk7JOD091oI0=; b=qzIfTt1R3iN9rc3C9Nko8Jbkd9+DyUezCdBeUVG3LKCLDqZpIJKdcy20TmFkBZlERN wgo4DrWWaT98xOsvhLN5PSa7pg2op1E1WP6ZwRdepEtzgpZPKr7LhTSWRHR5NsRYs0bZ EBoaLYHmSHjROTrpPx/5RuDMgfPdxndP0tQZVlokENc3O1XtONN8bQ782hlfOZfWssJj OlhCt58XHc1ZqqqoiwVCV2xViVpsl4B+j5sr+mroer8qiuOn4dShWyX/gW4/gNDi4Z4S MErciXmJGygUXz5xVvFJbSz/FS1u4kWL0CTevu697BUqOSsuN5RTpUCBjpcgZabM4Et3 qaPg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=1f/n+/7MIaB4wefSnlRfDnBKlwf2gqABk7JOD091oI0=; b=TX1/9K7SKmth9HEkMVwDl4vsNXy/gFk3wc8AnCLYOdwyXy9OkynXhxff+I5fh7ZFiz 6bfhbDPTjaNEMRxwIBlv6Wws0PqThCW+QJMDGABAyFKFcAYNmTfGIYB2yRq/lAw6jxXw S3TvsyalInmmX1fL7IE2t+5k6GOhJLhKL42LiB31zn73wsHHIm3ptdd65T6expGKij8Y M5A2miQVOqgytE5YzaycNKLlMZuhoQTZADkSfSCSGax0/wqJFm77j0WGLRF0ad008qFZ eBofe4Zs9VKLetCuzZB4/4cGJVzM0xAT+UqHbyMj0dim4UohgxClO/aOGqetGA7cJOSh Vwzg== X-Gm-Message-State: AJcUukfI2MxvkHhF1fGeh+h9AMXeOzXe0g9QC8nsHwCdEaHnaigHzZmA ClFEyHVVcSat9M4kIVSeel1OtlIADLQ= X-Google-Smtp-Source: ALg8bN4XjWwu9A7fcKQI/Ew8+9tRRp+0D4N6eXoDhD0xs7C4bWRx+6phpwK+oTpIAKfD2gIyjYp9Kg== X-Received: by 2002:a19:41c4:: with SMTP id o187mr7051364lfa.32.1547642164884; Wed, 16 Jan 2019 04:36:04 -0800 (PST) Received: from thin.lan ([78.9.128.6]) by smtp.gmail.com with ESMTPSA id g12-v6sm988680lja.74.2019.01.16.04.36.03 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 16 Jan 2019 04:36:04 -0800 (PST) From: Michal Kazior To: hostap@lists.infradead.org Subject: [PATCH 2/3] AP: allow identifying which passphrase station used with wpa_psk_file Date: Wed, 16 Jan 2019 13:35:19 +0100 Message-Id: <20190116123520.17602-3-kazikcz@gmail.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20190116123520.17602-1-kazikcz@gmail.com> References: <20181121213836.28701-1-kazikcz@gmail.com> <20190116123520.17602-1-kazikcz@gmail.com> MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20190116_043608_312119_796097F9 X-CRM114-Status: GOOD ( 18.93 ) X-Spam-Score: -0.2 (/) X-Spam-Report: SpamAssassin version 3.4.2 on bombadil.infradead.org summary: Content analysis details: (-0.2 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no trust [2a00:1450:4864:20:0:0:0:132 listed in] [list.dnswl.org] 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (kazikcz[at]gmail.com) -0.0 SPF_PASS SPF: sender matches SPF record 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain X-BeenThere: hostap@lists.infradead.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Michal Kazior , carlitonueno@gmail.com Sender: "Hostap" Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org From: Michal Kazior It is now possible to optionally specify keyid for each wpa_psk_file entry: keyid=something 00:00:00:00:00:00 secretpassphrase When station connects and the passphrase it used has an associated keyid it will be appended to the AP-STA-CONNECTED event string: wlan0: AP-STA-CONNECTED 00:36:76:21:dc:7b keyid=something It's also possible to retrieve it through cli: $ hostapd_cli all_sta Selected interface 'ap0' 00:36:76:21:dc:7b ... keyid=something New hostap is able to read old wpa_psk_file. However old hostap will not be able to read new wpa_psk_file if it includes keyids. Signed-off-by: Michal Kazior --- Notes: v1: - add keyid=xx parsing to wpa_psk_file - use keyid instead of PMK - re-use AP-STA-CONNECTED event by appending keyid=xx (similar to p2p's ip_addr=) instead of introducing a new event string - split out the pmk part to a separate patch since it's independentaly re-usable by this patch and the reload_wpa_psk patch src/ap/ap_config.c | 49 +++++++++++++++++++++++++++++++++++++----- src/ap/ap_config.h | 2 ++ src/ap/ctrl_iface_ap.c | 5 +++++ src/ap/sta_info.c | 45 ++++++++++++++++++++++++++++++++++---- src/ap/sta_info.h | 2 ++ 5 files changed, 94 insertions(+), 9 deletions(-) diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c index f9b6f2959..46169a786 100644 --- a/src/ap/ap_config.c +++ b/src/ap/ap_config.c @@ -248,6 +248,12 @@ static int hostapd_config_read_wpa_psk(const char *fname, { FILE *f; char buf[128], *pos; + const char *keyid; + char *context; + char *context2; + char *token; + char *name; + char *value; int line = 0, ret = 0, len, ok; u8 addr[ETH_ALEN]; struct hostapd_wpa_psk *psk; @@ -277,9 +283,31 @@ static int hostapd_config_read_wpa_psk(const char *fname, if (buf[0] == '\0') continue; - if (hwaddr_aton(buf, addr)) { + context = NULL; + keyid = NULL; + while ((token = str_token(buf, " ", &context))) { + if (!os_strchr(token, '=')) + break; + context2 = NULL; + name = str_token(token, "=", &context2); + value = str_token(token, "", &context2) ?: ""; + if (!strcmp(name, "keyid")) { + keyid = value; + } else { + wpa_printf(MSG_ERROR, + "Unrecognized '%s=%s' on line %d in '%s'", + name, value, line, fname); + ret = -1; + break; + } + } + + if (ret == -1) + break; + + if (hwaddr_aton(token ?: "", addr)) { wpa_printf(MSG_ERROR, "Invalid MAC address '%s' on " - "line %d in '%s'", buf, line, fname); + "line %d in '%s'", token, line, fname); ret = -1; break; } @@ -295,15 +323,14 @@ static int hostapd_config_read_wpa_psk(const char *fname, else os_memcpy(psk->addr, addr, ETH_ALEN); - pos = buf + 17; - if (*pos == '\0') { + pos = str_token(buf, "", &context); + if (!pos) { wpa_printf(MSG_ERROR, "No PSK on line %d in '%s'", line, fname); os_free(psk); ret = -1; break; } - pos++; ok = 0; len = os_strlen(pos); @@ -322,6 +349,18 @@ static int hostapd_config_read_wpa_psk(const char *fname, break; } + if (keyid) { + len = os_strlcpy(psk->keyid, keyid, sizeof(psk->keyid)); + if (len >= sizeof(psk->keyid)) { + wpa_printf(MSG_ERROR, + "PSK keyid too long on line %d in '%s'", + line, fname); + os_free(psk); + ret = -1; + break; + } + } + psk->next = ssid->wpa_psk; ssid->wpa_psk = psk; } diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h index 778366d49..2cbb66201 100644 --- a/src/ap/ap_config.h +++ b/src/ap/ap_config.h @@ -132,6 +132,7 @@ struct hostapd_vlan { }; #define PMK_LEN 32 +#define KEYID_LEN 32 #define MIN_PASSPHRASE_LEN 8 #define MAX_PASSPHRASE_LEN 63 struct hostapd_sta_wpa_psk_short { @@ -145,6 +146,7 @@ struct hostapd_sta_wpa_psk_short { struct hostapd_wpa_psk { struct hostapd_wpa_psk *next; int group; + char keyid[KEYID_LEN]; u8 psk[PMK_LEN]; u8 addr[ETH_ALEN]; u8 p2p_dev_addr[ETH_ALEN]; diff --git a/src/ap/ctrl_iface_ap.c b/src/ap/ctrl_iface_ap.c index 21b813ee1..ee417d01e 100644 --- a/src/ap/ctrl_iface_ap.c +++ b/src/ap/ctrl_iface_ap.c @@ -207,6 +207,7 @@ static int hostapd_ctrl_iface_sta_mib(struct hostapd_data *hapd, char *buf, size_t buflen) { int len, res, ret, i; + const char *keyid; if (!sta) return 0; @@ -341,6 +342,10 @@ static int hostapd_ctrl_iface_sta_mib(struct hostapd_data *hapd, len += ret; } + keyid = ap_sta_wpa_get_keyid(hapd, sta); + if (keyid) + len += os_snprintf(buf + len, buflen - len, "keyid=%s\n", keyid); + return len; } diff --git a/src/ap/sta_info.c b/src/ap/sta_info.c index 179cf43b6..0b9273e5e 100644 --- a/src/ap/sta_info.c +++ b/src/ap/sta_info.c @@ -1165,6 +1165,34 @@ void ap_sta_stop_sa_query(struct hostapd_data *hapd, struct sta_info *sta) #endif /* CONFIG_IEEE80211W */ +const char *ap_sta_wpa_get_keyid(struct hostapd_data *hapd, + struct sta_info *sta) +{ + struct hostapd_wpa_psk *psk; + struct hostapd_ssid *ssid; + const u8 *pmk; + int pmk_len; + + ssid = &hapd->conf->ssid; + + pmk = wpa_auth_get_pmk(sta->wpa_sm, &pmk_len); + if (!pmk) + return NULL; + if (pmk_len != PMK_LEN) + return NULL; + + for (psk = ssid->wpa_psk; psk; psk = psk->next) + if (!os_memcmp(pmk, psk->psk, PMK_LEN)) + break; + if (!psk) + return NULL; + if (!strlen(psk->keyid)) + return NULL; + + return psk->keyid; +} + + void ap_sta_set_authorized(struct hostapd_data *hapd, struct sta_info *sta, int authorized) { @@ -1203,7 +1231,10 @@ void ap_sta_set_authorized(struct hostapd_data *hapd, struct sta_info *sta, sta->addr, authorized, dev_addr); if (authorized) { + const char *keyid; + char keyid_buf[100]; char ip_addr[100]; + keyid_buf[0] = '\0'; ip_addr[0] = '\0'; #ifdef CONFIG_P2P if (wpa_auth_get_ip_addr(sta->wpa_sm, ip_addr_buf) == 0) { @@ -1214,14 +1245,20 @@ void ap_sta_set_authorized(struct hostapd_data *hapd, struct sta_info *sta, } #endif /* CONFIG_P2P */ - wpa_msg(hapd->msg_ctx, MSG_INFO, AP_STA_CONNECTED "%s%s", - buf, ip_addr); + keyid = ap_sta_wpa_get_keyid(hapd, sta); + if (keyid) { + os_snprintf(keyid_buf, sizeof(keyid_buf), + " keyid=%s", keyid); + } + + wpa_msg(hapd->msg_ctx, MSG_INFO, AP_STA_CONNECTED "%s%s%s", + buf, ip_addr, keyid_buf); if (hapd->msg_ctx_parent && hapd->msg_ctx_parent != hapd->msg_ctx) wpa_msg_no_global(hapd->msg_ctx_parent, MSG_INFO, - AP_STA_CONNECTED "%s%s", - buf, ip_addr); + AP_STA_CONNECTED "%s%s%s", + buf, ip_addr, keyid_buf); } else { wpa_msg(hapd->msg_ctx, MSG_INFO, AP_STA_DISCONNECTED "%s", buf); diff --git a/src/ap/sta_info.h b/src/ap/sta_info.h index 9cac6f157..b7fd60809 100644 --- a/src/ap/sta_info.h +++ b/src/ap/sta_info.h @@ -320,6 +320,8 @@ int ap_sta_set_vlan(struct hostapd_data *hapd, struct sta_info *sta, void ap_sta_start_sa_query(struct hostapd_data *hapd, struct sta_info *sta); void ap_sta_stop_sa_query(struct hostapd_data *hapd, struct sta_info *sta); int ap_check_sa_query_timeout(struct hostapd_data *hapd, struct sta_info *sta); +const char *ap_sta_wpa_get_keyid(struct hostapd_data *hapd, + struct sta_info *sta); void ap_sta_disconnect(struct hostapd_data *hapd, struct sta_info *sta, const u8 *addr, u16 reason); From patchwork Wed Jan 16 12:35:20 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: =?utf-8?q?Micha=C5=82_Kazior?= X-Patchwork-Id: 1025800 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=lists.infradead.org (client-ip=2607:7c80:54:e::133; helo=bombadil.infradead.org; envelope-from=hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=gmail.com Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=lists.infradead.org header.i=@lists.infradead.org header.b="ROnPvue4"; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="jG9yPFHE"; dkim-atps=neutral Received: from bombadil.infradead.org (bombadil.infradead.org [IPv6:2607:7c80:54:e::133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 43fmss1CqCz9sD9 for ; Wed, 16 Jan 2019 23:36:33 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20170209; h=Sender: Content-Transfer-Encoding:Content-Type:Cc:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To: Message-Id:Date:Subject:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=w9z/6u8uxM8p4EjTVm7v9ECu6CKuLYqDvc4UVf/Mk1o=; b=ROnPvue4OaFB2n SvMrocdrMG3wi3I8uWNCosO/u3RYm0mmiFpuxNPvGlbSkGuhzYf7YtcKBYHX9dFQnPcnJeqSrUuqo o1/sJg5hbvRZuDOSPMoRQ5qahvGzebRXfaMA23NJD3ssOwyh7pbMFKACd7+5cithJbg/HQCS+M3BD SDwiW5fVEBuaqQbXFr6JmMAoTJHKwm4HcnoOk8MPYbq2zbU+6M10eIiDP5uQ7hACS5TkQdDFXIQCn FzNNvOfv9K9hH9s0RPJURnSi/Hba8NRtlb6tNCfM+8KZZc+NYPLZd6zKZ1kU9OfK30Zmly569DHQG ripOdbVa8AtAZp4Ktjew==; Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.90_1 #2 (Red Hat Linux)) id 1gjkQg-0006VE-TX; Wed, 16 Jan 2019 12:36:22 +0000 Received: from mail-lf1-x133.google.com ([2a00:1450:4864:20::133]) by bombadil.infradead.org with esmtps (Exim 4.90_1 #2 (Red Hat Linux)) id 1gjkQS-0006GL-Gg for hostap@lists.infradead.org; Wed, 16 Jan 2019 12:36:09 +0000 Received: by mail-lf1-x133.google.com with SMTP id i26so4786091lfc.0 for ; Wed, 16 Jan 2019 04:36:08 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=pZnY18AXesJgI5WXALLSReW+N0LExhzh0BUfkfHoHjU=; b=jG9yPFHEJWoDadWuyh4acQrglIw9FWMahuBwnsHcDchumN84WLbwkHprJ+PKrD7Lil g2K2phEJH4401CU4i8KscWI8vFh8uGUBYna6xojAHZLNvrG0mw5T5hMn8wWURDjA2J7W nKsTSGQngWq4GfuyH/SNpycRd+4QjLCN6jW3r15r1BoKmf4XRYnAvSIOdGrmMWQdZXbl Vee2yGTsH7VHQa3XhvytvCIjfn1fpbcP1rGkLWH+Z6Jehzk3x/Yvdq91uthJx5keuaLj IHh85urTvsGpNP7cG5r7fssSGHAVolIF5zEUugAGrFQCq3/BAmo1ym+SqojriKy97oX4 s1qw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=pZnY18AXesJgI5WXALLSReW+N0LExhzh0BUfkfHoHjU=; b=gXSv24LCzEG0kCnTIizKnsA++YAJ4DKFake9X1rek60bSKPHsaRNoxSW7CMhLbQdKW XjpS+zhjIdH48vDFpBaEOb+TdFSdOL7ik05bHHAE6oQMk3AT6WVJkTP+CeR+7wCdF/Pr CcZXQuXtbojRzWBvrREqQ/WJ8vqXEUBN768JeSgFjBpae78VZpcKoX3SthCA7KlonJD1 RW35+JFjKWOUxjsiyZemytVtYkjA+z6+a1clQ1Cksb5XKoGfUGm28L1T7g8EQEZVa2VK w+6ecBLTjkgX9HZ58q21d2YHQZQLcWdakgspu8iFMS/LkHkWFEgUfCZD7Nf+pzFBL9Go kIPw== X-Gm-Message-State: AJcUukfqAosxGhkHMmx0Q5YPjGx+xZ0aerix/sRa40/SbqjXOmr/pmdD bSEB0ZLgioxEQHjENPZYWXKPvQ2tZ/Q= X-Google-Smtp-Source: ALg8bN4yZmgS9yK7gbn2OaupD1eLk6WwUy+00zjH3dJPrKaG3c9aJnrYCgJWQxBJrIuFhqTfKf86wQ== X-Received: by 2002:a19:6719:: with SMTP id b25mr6504080lfc.38.1547642165974; Wed, 16 Jan 2019 04:36:05 -0800 (PST) Received: from thin.lan ([78.9.128.6]) by smtp.gmail.com with ESMTPSA id g12-v6sm988680lja.74.2019.01.16.04.36.04 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 16 Jan 2019 04:36:05 -0800 (PST) From: Michal Kazior To: hostap@lists.infradead.org Subject: [PATCH 3/3] AP: add wpa_psk_file reloading in runtime Date: Wed, 16 Jan 2019 13:35:20 +0100 Message-Id: <20190116123520.17602-4-kazikcz@gmail.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20190116123520.17602-1-kazikcz@gmail.com> References: <20181121213836.28701-1-kazikcz@gmail.com> <20190116123520.17602-1-kazikcz@gmail.com> MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20190116_043608_548763_1A8B656E X-CRM114-Status: GOOD ( 13.56 ) X-Spam-Score: -0.2 (/) X-Spam-Report: SpamAssassin version 3.4.2 on bombadil.infradead.org summary: Content analysis details: (-0.2 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no trust [2a00:1450:4864:20:0:0:0:133 listed in] [list.dnswl.org] 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (kazikcz[at]gmail.com) -0.0 SPF_PASS SPF: sender matches SPF record 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain X-BeenThere: hostap@lists.infradead.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Michal Kazior , carlitonueno@gmail.com Sender: "Hostap" Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org From: Michal Kazior The wpa_psk_file can now be modified and hostapd can be told to re-read it with: $ hostapd_cli reload_wpa_psk It must be noted special care must be taken if WPS is configured (wps_state=2, eap_server=1) because WPS appends PMKs to the wpa_psk_file. Signed-off-by: Michal Kazior --- Notes: v1: - use hostapd_config_clear_wpa_psk() instead of hand crafted for() loop, so now it also does a memset before freeing like the rest of the code - tweak commit log hostapd/ctrl_iface.c | 56 +++++++++++++++++++++++++++++++++++++++++++ hostapd/hostapd_cli.c | 9 +++++++ 2 files changed, 65 insertions(+) diff --git a/hostapd/ctrl_iface.c b/hostapd/ctrl_iface.c index e539a0902..059e03cb2 100644 --- a/hostapd/ctrl_iface.c +++ b/hostapd/ctrl_iface.c @@ -1488,6 +1488,59 @@ static int hostapd_ctrl_iface_disable(struct hostapd_iface *iface) } +static int hostapd_ctrl_iface_kick_mismatch_psk_sta_iter(struct hostapd_data *hapd, + struct sta_info *sta, + void *ctx) +{ + struct hostapd_wpa_psk *psk; + const u8 *pmk; + int pmk_len; + int pmk_match; + int sta_match; + int bss_match; + int reason; + + pmk = wpa_auth_get_pmk(sta->wpa_sm, &pmk_len); + + for (psk = hapd->conf->ssid.wpa_psk; pmk && psk; psk = psk->next) { + pmk_match = PMK_LEN == pmk_len && !os_memcmp(psk->psk, pmk, pmk_len); + sta_match = psk->group == 0 && !os_memcmp(sta->addr, psk->addr, ETH_ALEN); + bss_match = psk->group == 1; + + if (pmk_match && (sta_match || bss_match)) + return 0; + } + + wpa_printf(MSG_INFO, "STA " MACSTR " password no longer valid, kicking", MAC2STR(sta->addr)); + reason = WLAN_REASON_PREV_AUTH_NOT_VALID; + hostapd_drv_sta_deauth(hapd, sta->addr, reason); + ap_sta_deauthenticate(hapd, sta, reason); + + return 0; +} + + +static int hostapd_ctrl_iface_reload_wpa_psk(struct hostapd_data *hapd) +{ + struct hostapd_bss_config *conf = hapd->conf; + int err; + + hostapd_config_clear_wpa_psk(&conf->ssid.wpa_psk); + + err = hostapd_setup_wpa_psk(conf); + if (err < 0) { + wpa_printf(MSG_ERROR, "Reloading WPA-PSK passwords failed: %d", err); + return -1; + } + + ap_for_each_sta(hapd, + hostapd_ctrl_iface_kick_mismatch_psk_sta_iter, + NULL); + + return 0; +} + + #ifdef CONFIG_TESTING_OPTIONS static int hostapd_ctrl_iface_radar(struct hostapd_data *hapd, char *cmd) @@ -3013,6 +3066,9 @@ static int hostapd_ctrl_iface_receive_process(struct hostapd_data *hapd, } else if (os_strncmp(buf, "ENABLE", 6) == 0) { if (hostapd_ctrl_iface_enable(hapd->iface)) reply_len = -1; + } else if (os_strncmp(buf, "RELOAD_WPA_PSK", 14) == 0) { + if (hostapd_ctrl_iface_reload_wpa_psk(hapd)) + reply_len = -1; } else if (os_strncmp(buf, "RELOAD", 6) == 0) { if (hostapd_ctrl_iface_reload(hapd->iface)) reply_len = -1; diff --git a/hostapd/hostapd_cli.c b/hostapd/hostapd_cli.c index fbec5d246..7e9cee1bb 100644 --- a/hostapd/hostapd_cli.c +++ b/hostapd/hostapd_cli.c @@ -903,6 +903,13 @@ static int hostapd_cli_cmd_hs20_deauth_req(struct wpa_ctrl *ctrl, int argc, } +static int hostapd_cli_cmd_reload_wpa_psk(struct wpa_ctrl *ctrl, int argc, + char *argv[]) +{ + return wpa_ctrl_command(ctrl, "RELOAD_WPA_PSK"); +} + + static int hostapd_cli_cmd_quit(struct wpa_ctrl *ctrl, int argc, char *argv[]) { hostapd_cli_quit = 1; @@ -1651,6 +1658,8 @@ static const struct hostapd_cli_cmd hostapd_cli_commands[] = { "=Add/Delete/Show/Clear deny MAC ACL" }, { "poll_sta", hostapd_cli_cmd_poll_sta, hostapd_complete_stations, " = poll a STA to check connectivity with a QoS null frame" }, + { "reload_wpa_psk", hostapd_cli_cmd_reload_wpa_psk, NULL, + "=reload wpa_psk_file only" }, { NULL, NULL, NULL, NULL } };