From: Vinay Gannevaram Date: Wed, 28 Sep 2022 22:31:00 +0000 (+0530) Subject: PASN: Remove hapd dependency for SAE and FILS wrapped data X-Git-Tag: hostap_2_11~1599 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1fa266e99d97ca8bb2fe5a58491ef6b11ba3da6d;p=thirdparty%2Fhostap.git PASN: Remove hapd dependency for SAE and FILS wrapped data This makes hostapd use the struct defines from pasn_common.h so that the same struct is shared with wpa_supplicant. Signed-off-by: Jouni Malinen --- diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c index f392daef8..7fca45c53 100644 --- a/src/ap/ieee802_11.c +++ b/src/ap/ieee802_11.c @@ -2391,17 +2391,14 @@ int ieee802_11_set_radius_info(struct hostapd_data *hapd, struct sta_info *sta, #ifdef CONFIG_PASN #ifdef CONFIG_SAE -static int pasn_wd_handle_sae_commit(struct hostapd_data *hapd, - struct sta_info *sta, +static int pasn_wd_handle_sae_commit(struct wpas_pasn *pasn, + const u8 *own_addr, const u8 *peer_addr, struct wpabuf *wd) { - struct wpas_pasn *pasn = sta->pasn; - const char *password; const u8 *data; size_t buf_len; u16 res, alg, seq, status; int groups[] = { pasn->group, 0 }; - struct sae_pt *pt = NULL; int ret; if (!wd) @@ -2438,13 +2435,12 @@ static int pasn_wd_handle_sae_commit(struct hostapd_data *hapd, return -1; } - password = sae_get_password(hapd, sta, NULL, NULL, &pt, NULL); - if (!password || !pt) { + if (!pasn->password || !pasn->pt) { wpa_printf(MSG_DEBUG, "PASN: No SAE PT found"); return -1; } - ret = sae_prepare_commit_pt(&pasn->sae, pt, hapd->own_addr, sta->addr, + ret = sae_prepare_commit_pt(&pasn->sae, pasn->pt, own_addr, peer_addr, NULL, NULL); if (ret) { wpa_printf(MSG_DEBUG, "PASN: Failed to prepare SAE commit"); @@ -2471,11 +2467,9 @@ static int pasn_wd_handle_sae_commit(struct hostapd_data *hapd, } -static int pasn_wd_handle_sae_confirm(struct hostapd_data *hapd, - struct sta_info *sta, - struct wpabuf *wd) +static int pasn_wd_handle_sae_confirm(struct wpas_pasn *pasn, + const u8 *peer_addr, struct wpabuf *wd) { - struct wpas_pasn *pasn = sta->pasn; const u8 *data; size_t buf_len; u16 res, alg, seq, status; @@ -2517,17 +2511,23 @@ static int pasn_wd_handle_sae_confirm(struct hostapd_data *hapd, * PASN/SAE should only be allowed with future PASN only. For now do not * restrict this only for PASN. */ - wpa_auth_pmksa_add_sae(hapd->wpa_auth, sta->addr, - pasn->sae.pmk, pasn->sae.pmk_len, - pasn->sae.pmkid, pasn->sae.akmp); + if (pasn->disable_pmksa_caching) + return 0; + + wpa_hexdump_key(MSG_DEBUG, "RSN: Cache PMK from SAE", + pasn->sae.pmk, pasn->sae.pmk_len); + if (!pasn->sae.akmp) + pasn->sae.akmp = WPA_KEY_MGMT_SAE; + + pmksa_cache_auth_add(pasn->pmksa, pasn->sae.pmk, pasn->sae.pmk_len, + pasn->sae.pmkid, NULL, 0, pasn->own_addr, + peer_addr, 0, NULL, pasn->sae.akmp); return 0; } -static struct wpabuf * pasn_get_sae_wd(struct hostapd_data *hapd, - struct sta_info *sta) +static struct wpabuf * pasn_get_sae_wd(struct wpas_pasn *pasn) { - struct wpas_pasn *pasn = sta->pasn; struct wpabuf *buf = NULL; u8 *len_ptr; size_t len; @@ -2569,10 +2569,8 @@ static struct wpabuf * pasn_get_sae_wd(struct hostapd_data *hapd, #ifdef CONFIG_FILS -static struct wpabuf * pasn_get_fils_wd(struct hostapd_data *hapd, - struct sta_info *sta) +static struct wpabuf * pasn_get_fils_wd(struct wpas_pasn *pasn) { - struct wpas_pasn *pasn = sta->pasn; struct pasn_fils *fils = &pasn->fils; struct wpabuf *buf = NULL; @@ -2823,16 +2821,15 @@ static int pasn_wd_handle_fils(struct hostapd_data *hapd, struct sta_info *sta, #endif /* CONFIG_FILS */ -static struct wpabuf * pasn_get_wrapped_data(struct hostapd_data *hapd, - struct sta_info *sta) +static struct wpabuf * pasn_get_wrapped_data(struct wpas_pasn *pasn) { - switch (sta->pasn->akmp) { + switch (pasn->akmp) { case WPA_KEY_MGMT_PASN: /* no wrapped data */ return NULL; case WPA_KEY_MGMT_SAE: #ifdef CONFIG_SAE - return pasn_get_sae_wd(hapd, sta); + return pasn_get_sae_wd(pasn); #else /* CONFIG_SAE */ wpa_printf(MSG_ERROR, "PASN: SAE: Cannot derive wrapped data"); @@ -2841,7 +2838,7 @@ static struct wpabuf * pasn_get_wrapped_data(struct hostapd_data *hapd, case WPA_KEY_MGMT_FILS_SHA256: case WPA_KEY_MGMT_FILS_SHA384: #ifdef CONFIG_FILS - return pasn_get_fils_wd(hapd, sta); + return pasn_get_fils_wd(pasn); #endif /* CONFIG_FILS */ /* fall through */ case WPA_KEY_MGMT_FT_PSK: @@ -2850,12 +2847,34 @@ static struct wpabuf * pasn_get_wrapped_data(struct hostapd_data *hapd, default: wpa_printf(MSG_ERROR, "PASN: TODO: Wrapped data for akmp=0x%x", - sta->pasn->akmp); + pasn->akmp); return NULL; } } +static void hapd_initialize_pasn(struct hostapd_data *hapd, + struct sta_info *sta) +{ + struct wpas_pasn *pasn = sta->pasn; + + pasn->cb_ctx = hapd; + pasn->wpa_key_mgmt = hapd->conf->wpa_key_mgmt; + pasn->rsn_pairwise = hapd->conf->rsn_pairwise; + pasn->derive_kdk = hapd->iface->drv_flags2 & + WPA_DRIVER_FLAGS2_SEC_LTF_AP; +#ifdef CONFIG_TESTING_OPTIONS + pasn->corrupt_mic = hapd->conf->pasn_corrupt_mic; + if (hapd->conf->force_kdk_derivation) + pasn->derive_kdk = true; +#endif /* CONFIG_TESTING_OPTIONS */ + pasn->password = sae_get_password(hapd, sta, NULL, NULL, &pasn->pt, + NULL); + pasn->disable_pmksa_caching = hapd->conf->disable_pmksa_caching; + pasn->pmksa = wpa_auth_get_pmksa_cache(hapd->wpa_auth); +} + + static int pasn_set_keys_from_cache(struct hostapd_data *hapd, const u8 *own_addr, const u8 *sta_addr, int cipher, int akmp) @@ -3055,7 +3074,7 @@ static int handle_auth_pasn_resp(struct hostapd_data *hapd, /* No need to derive PMK if PMKSA is given */ if (!pmksa) - wrapped_data_buf = pasn_get_wrapped_data(hapd, sta); + wrapped_data_buf = pasn_get_wrapped_data(sta->pasn); else sta->pasn->wrapped_data_format = WPA_PASN_WRAPPED_DATA_NO; @@ -3333,7 +3352,9 @@ static void handle_auth_pasn_1(struct hostapd_data *hapd, struct sta_info *sta, #ifdef CONFIG_SAE if (sta->pasn->akmp == WPA_KEY_MGMT_SAE) { - ret = pasn_wd_handle_sae_commit(hapd, sta, + ret = pasn_wd_handle_sae_commit(sta->pasn, + hapd->own_addr, + sta->addr, wrapped_data); if (ret) { wpa_printf(MSG_DEBUG, @@ -3534,7 +3555,7 @@ static void handle_auth_pasn_3(struct hostapd_data *hapd, struct sta_info *sta, #ifdef CONFIG_SAE if (sta->pasn->akmp == WPA_KEY_MGMT_SAE) { - ret = pasn_wd_handle_sae_confirm(hapd, sta, + ret = pasn_wd_handle_sae_confirm(sta->pasn, sta->addr, wrapped_data); if (ret) { wpa_printf(MSG_DEBUG, @@ -3600,6 +3621,7 @@ static void handle_auth_pasn(struct hostapd_data *hapd, struct sta_info *sta, return; } + hapd_initialize_pasn(hapd, sta); handle_auth_pasn_1(hapd, sta, mgmt, len); } else if (trans_seq == 3) { if (!sta->pasn) { diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c index 7ccc4d11d..da1ff377d 100644 --- a/src/ap/wpa_auth.c +++ b/src/ap/wpa_auth.c @@ -5103,6 +5103,15 @@ int wpa_auth_pmksa_add_entry(struct wpa_authenticator *wpa_auth, #endif /* CONFIG_PMKSA_CACHE_EXTERNAL */ +struct rsn_pmksa_cache * +wpa_auth_get_pmksa_cache(struct wpa_authenticator *wpa_auth) +{ + if (!wpa_auth || !wpa_auth->pmksa) + return NULL; + return wpa_auth->pmksa; +} + + struct rsn_pmksa_cache_entry * wpa_auth_pmksa_get(struct wpa_authenticator *wpa_auth, const u8 *sta_addr, const u8 *pmkid) diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h index 64e661640..5f51c434c 100644 --- a/src/ap/wpa_auth.h +++ b/src/ap/wpa_auth.h @@ -448,6 +448,8 @@ wpa_auth_pmksa_create_entry(const u8 *aa, const u8 *spa, const u8 *pmk, const u8 *pmkid, int expiration); int wpa_auth_pmksa_add_entry(struct wpa_authenticator *wpa_auth, struct rsn_pmksa_cache_entry *entry); +struct rsn_pmksa_cache * +wpa_auth_get_pmksa_cache(struct wpa_authenticator *wpa_auth); struct rsn_pmksa_cache_entry * wpa_auth_pmksa_get(struct wpa_authenticator *wpa_auth, const u8 *sta_addr, const u8 *pmkid); diff --git a/src/pasn/pasn_common.h b/src/pasn/pasn_common.h index f9839359f..5cb6a0c09 100644 --- a/src/pasn/pasn_common.h +++ b/src/pasn/pasn_common.h @@ -93,6 +93,13 @@ struct wpas_pasn { u8 wrapped_data_format; struct wpabuf *secret; + /* Reponder */ + int wpa_key_mgmt; + int rsn_pairwise; + bool derive_kdk; + const char *password; + int disable_pmksa_caching; + /** * send_mgmt - Function handler to transmit a Management frame * @ctx: Callback context from cb_ctx diff --git a/wpa_supplicant/pasn_supplicant.c b/wpa_supplicant/pasn_supplicant.c index 93b57a8f0..5247df22d 100644 --- a/wpa_supplicant/pasn_supplicant.c +++ b/wpa_supplicant/pasn_supplicant.c @@ -1143,6 +1143,7 @@ static void wpa_pasn_reset(struct wpas_pasn *pasn) pasn->corrupt_mic = 0; #endif /* CONFIG_TESTING_OPTIONS */ pasn->network_id = 0; + pasn->derive_kdk = false; }