[PATCH 04/10] network: add support for SAE password identifiers

Wireless Daemon for Linux
 help / color / mirror / Atom feed

From: James Prestwood <prestwoj@gmail.com>
To: iwd@lists.linux.dev
Cc: James Prestwood <prestwoj@gmail.com>
Subject: [PATCH 04/10] network: add support for SAE password identifiers
Date: Tue,  5 Dec 2023 07:46:41 -0800	[thread overview]
Message-ID: <20231205154647.1778389-4-prestwoj@gmail.com> (raw)
In-Reply-To: <20231205154647.1778389-1-prestwoj@gmail.com>

Adds a new network profile setting [Security].PasswordIdentifier.
When set (and the BSS enables SAE password identifiers) the network
and handshake object will read this and use it for the SAE
exchange.

Loading the PSK will fail if there is no password identifier set
and the BSS sets the "exclusive" bit. If a password identifier is
set and the BSS doesn't indicate support the setting will be ignored
(with a debug print).
---
 src/network.c | 50 +++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 49 insertions(+), 1 deletion(-)

diff --git a/src/network.c b/src/network.c
index 79f964b2..d422b282 100644
--- a/src/network.c
+++ b/src/network.c
@@ -70,6 +70,7 @@ struct network {
 	struct network_info *info;
 	unsigned char *psk;
 	char *passphrase;
+	char *password_identifier;
 	struct l_ecc_point *sae_pt_19; /* SAE PT for Group 19 */
 	struct l_ecc_point *sae_pt_20; /* SAE PT for Group 20 */
 	unsigned int agent_request;
@@ -124,6 +125,13 @@ static void network_reset_passphrase(struct network *network)
 		network->passphrase = NULL;
 	}
 
+	if (network->password_identifier) {
+		explicit_bzero(network->password_identifier,
+				strlen(network->password_identifier));
+		l_free(network->password_identifier);
+		network->password_identifier = NULL;
+	}
+
 	if (network->sae_pt_19) {
 		l_ecc_point_free(network->sae_pt_19);
 		network->sae_pt_19 = NULL;
@@ -317,7 +325,8 @@ static struct l_ecc_point *network_generate_sae_pt(struct network *network,
 	l_debug("Generating PT for Group %u", group);
 
 	pt = crypto_derive_sae_pt_ecc(group, network->ssid,
-						network->passphrase, NULL);
+						network->passphrase,
+						network->password_identifier);
 	if (!pt)
 		l_warn("SAE PT generation for Group %u failed", group);
 
@@ -462,6 +471,10 @@ static int network_set_handshake_secrets_psk(struct network *network,
 
 		handshake_state_set_passphrase(hs, network->passphrase);
 
+		if (network->password_identifier)
+			handshake_state_set_password_identifier(hs,
+						network->password_identifier);
+
 		if (ie_rsnxe_capable(hs->authenticator_rsnxe,
 							IE_RSNX_SAE_H2E)) {
 			l_debug("Authenticator is SAE H2E capable");
@@ -631,6 +644,9 @@ static int network_load_psk(struct network *network, struct scan_bss *bss)
 	_auto_(l_free) char *passphrase =
 			l_settings_get_string(network->settings,
 						"Security", "Passphrase");
+	_auto_(l_free) char *password_id =
+			l_settings_get_string(network->settings, "Security",
+						"PasswordIdentifier");
 	_auto_(l_free) char *path =
 		storage_get_network_file_path(security, ssid);
 
@@ -641,6 +657,32 @@ static int network_load_psk(struct network *network, struct scan_bss *bss)
 		psk_len = 0;
 	}
 
+	/*
+	 * Sort out if the password identifier is required, should be used, "
+	 * or should be ignored.
+	 */
+	if (is_sae) {
+		if (bss->sae_pw_id_exclusive && !password_id) {
+			l_error("BSS requires SAE password identifiers, check "
+				"[Security].PasswordIdentifier");
+			return -ENOKEY;
+		}
+
+		/*
+		 * If the profile contains a password identifier but the network
+		 * does not support it IWD will still attempt to connect. The
+		 * caveat here is if the connection is successful the sync will
+		 * remove the password identifier entry. Though this might be
+		 * unexpected to the user, retaining this (invalid) setting
+		 * isn't worth special casing.
+		 */
+		if (!bss->sae_pw_id_used && password_id) {
+			l_debug("[Security].PasswordIdentifier set but BSS "
+				"does not not use password identifiers");
+			l_free(l_steal_ptr(password_id));
+		}
+	}
+
 	/* PSK can be generated from the passphrase but not the other way */
 	if (!psk || is_sae) {
 		if (!passphrase)
@@ -655,6 +697,7 @@ static int network_load_psk(struct network *network, struct scan_bss *bss)
 	network_reset_passphrase(network);
 	network_reset_psk(network);
 	network->passphrase = l_steal_ptr(passphrase);
+	network->password_identifier = l_steal_ptr(password_id);
 
 	if (network_settings_load_pt_ecc(network, path,
 						19, &network->sae_pt_19) > 0)
@@ -726,6 +769,11 @@ static void network_settings_save(struct network *network,
 		l_settings_set_string(settings, "Security", "Passphrase",
 					network->passphrase);
 
+	if (network->password_identifier)
+		l_settings_set_string(settings, "Security",
+					"PasswordIdentifier",
+					network->password_identifier);
+
 	if (network->sae_pt_19)
 		network_settings_save_sae_pt_ecc(settings, network->sae_pt_19);
 
-- 
2.34.1

next prev parent reply	other threads:[~2023-12-05 15:46 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-12-05 15:46 [PATCH 01/10] scan: parse password identifier/exclusive bits James Prestwood
2023-12-05 15:46 ` [PATCH 02/10] network: pass scan_bss into network_load_psk James Prestwood
2023-12-05 15:46 ` [PATCH 03/10] handshake: add password identifier/setter James Prestwood
2023-12-05 15:46 ` James Prestwood [this message]
2023-12-06 17:08   ` [PATCH 04/10] network: add support for SAE password identifiers Denis Kenzior
2023-12-06 18:44     ` James Prestwood
2023-12-06 19:44       ` Denis Kenzior
2023-12-06 19:53         ` James Prestwood
2023-12-05 15:46 ` [PATCH 05/10] sae: include password identifier IE in commit James Prestwood
2023-12-05 15:46 ` [PATCH 06/10] doc: document [Security].PasswordIdentifier James Prestwood
2023-12-05 15:46 ` [PATCH 07/10] auto-t: add H2E password identifier test James Prestwood
2023-12-05 15:46 ` [PATCH 08/10] mpdu: add unknown password identifier status James Prestwood
2023-12-05 15:46 ` [PATCH 09/10] sae: add debugging for incorrect password identifier James Prestwood
2023-12-05 15:46 ` [PATCH 10/10] auto-t: throw exception if executable is missing James Prestwood
2023-12-06 17:00 ` [PATCH 01/10] scan: parse password identifier/exclusive bits Denis Kenzior

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:79f964b dfblob:d422b28 )
 OR (
bs:"[PATCH 04/10] network: add support for SAE password identifiers" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20231205154647.1778389-4-prestwoj@gmail.com \
    --to=prestwoj@gmail.com \
    --cc=iwd@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox