From: James Prestwood <prestwoj@gmail.com>
To: iwd@lists.linux.dev
Cc: James Prestwood <prestwoj@gmail.com>
Subject: [PATCH v2 1/4] network: add support for SAE password identifiers
Date: Thu, 7 Dec 2023 05:48:19 -0800 [thread overview]
Message-ID: <20231207134822.2458827-1-prestwoj@gmail.com> (raw)
Adds a new network profile setting [Security].PasswordIdentifier.
When set (and the BSS enables SAE password identifiers) the network
and handshake object will read this and use it for the SAE
exchange.
Loading the PSK will fail if there is no password identifier set
and the BSS sets the "exclusive" bit. If a password identifier is
set and the BSS doesn't indicate support the setting will be ignored
(with a debug print).
---
src/network.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 48 insertions(+), 1 deletion(-)
diff --git a/src/network.c b/src/network.c
index 79f964b2..70a5434b 100644
--- a/src/network.c
+++ b/src/network.c
@@ -70,6 +70,7 @@ struct network {
struct network_info *info;
unsigned char *psk;
char *passphrase;
+ char *password_identifier;
struct l_ecc_point *sae_pt_19; /* SAE PT for Group 19 */
struct l_ecc_point *sae_pt_20; /* SAE PT for Group 20 */
unsigned int agent_request;
@@ -124,6 +125,13 @@ static void network_reset_passphrase(struct network *network)
network->passphrase = NULL;
}
+ if (network->password_identifier) {
+ explicit_bzero(network->password_identifier,
+ strlen(network->password_identifier));
+ l_free(network->password_identifier);
+ network->password_identifier = NULL;
+ }
+
if (network->sae_pt_19) {
l_ecc_point_free(network->sae_pt_19);
network->sae_pt_19 = NULL;
@@ -317,7 +325,8 @@ static struct l_ecc_point *network_generate_sae_pt(struct network *network,
l_debug("Generating PT for Group %u", group);
pt = crypto_derive_sae_pt_ecc(group, network->ssid,
- network->passphrase, NULL);
+ network->passphrase,
+ network->password_identifier);
if (!pt)
l_warn("SAE PT generation for Group %u failed", group);
@@ -462,6 +471,10 @@ static int network_set_handshake_secrets_psk(struct network *network,
handshake_state_set_passphrase(hs, network->passphrase);
+ if (network->password_identifier)
+ handshake_state_set_password_identifier(hs,
+ network->password_identifier);
+
if (ie_rsnxe_capable(hs->authenticator_rsnxe,
IE_RSNX_SAE_H2E)) {
l_debug("Authenticator is SAE H2E capable");
@@ -631,6 +644,9 @@ static int network_load_psk(struct network *network, struct scan_bss *bss)
_auto_(l_free) char *passphrase =
l_settings_get_string(network->settings,
"Security", "Passphrase");
+ _auto_(l_free) char *password_id =
+ l_settings_get_string(network->settings, "Security",
+ "PasswordIdentifier");
_auto_(l_free) char *path =
storage_get_network_file_path(security, ssid);
@@ -641,6 +657,31 @@ static int network_load_psk(struct network *network, struct scan_bss *bss)
psk_len = 0;
}
+ if (is_sae) {
+ /*
+ * Fail if:
+ * - the BSS exclusively uses password IDs and the profile
+ * does not have one set.
+ * - the BSS does not use password IDs and the profile has
+ * one set.
+ *
+ * In theory you could have a network with a mix of BSS's that
+ * use IDs and those that don't, but this is a strange
+ * configuration (arguably broken).
+ */
+ if (bss->sae_pw_id_exclusive && !password_id) {
+ l_error("[Security].PasswordIdentifier is not set but "
+ "BSS requires SAE password identifiers");
+ return -ENOKEY;
+ }
+
+ if (!bss->sae_pw_id_used && password_id) {
+ l_debug("[Security].PasswordIdentifier set but BSS "
+ "does not not use password identifiers");
+ return -ENOKEY;
+ }
+ }
+
/* PSK can be generated from the passphrase but not the other way */
if (!psk || is_sae) {
if (!passphrase)
@@ -655,6 +696,7 @@ static int network_load_psk(struct network *network, struct scan_bss *bss)
network_reset_passphrase(network);
network_reset_psk(network);
network->passphrase = l_steal_ptr(passphrase);
+ network->password_identifier = l_steal_ptr(password_id);
if (network_settings_load_pt_ecc(network, path,
19, &network->sae_pt_19) > 0)
@@ -726,6 +768,11 @@ static void network_settings_save(struct network *network,
l_settings_set_string(settings, "Security", "Passphrase",
network->passphrase);
+ if (network->password_identifier)
+ l_settings_set_string(settings, "Security",
+ "PasswordIdentifier",
+ network->password_identifier);
+
if (network->sae_pt_19)
network_settings_save_sae_pt_ecc(settings, network->sae_pt_19);
--
2.34.1
next reply other threads:[~2023-12-07 13:48 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-12-07 13:48 James Prestwood [this message]
2023-12-07 13:48 ` [PATCH v2 2/4] doc: document [Security].PasswordIdentifier James Prestwood
2023-12-07 13:48 ` [PATCH v2 3/4] auto-t: add H2E password identifier test James Prestwood
2023-12-07 13:48 ` [PATCH v2 4/4] auto-t: throw exception if executable is missing James Prestwood
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231207134822.2458827-1-prestwoj@gmail.com \
--to=prestwoj@gmail.com \
--cc=iwd@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox