From: James Prestwood <prestwoj@gmail.com>
To: iwd@lists.linux.dev
Cc: James Prestwood <prestwoj@gmail.com>
Subject: [PATCH v3 1/4] network: add support for SAE password identifiers
Date: Thu, 7 Dec 2023 06:00:46 -0800 [thread overview]
Message-ID: <20231207140049.2614514-1-prestwoj@gmail.com> (raw)
Adds a new network profile setting [Security].PasswordIdentifier.
When set (and the BSS enables SAE password identifiers) the network
and handshake object will read this and use it for the SAE
exchange.
Loading the PSK will fail if:
- there is no password identifier set and the BSS sets the
"exclusive" bit.
- there is a password identifier set and the BSS does not set
the "in-use" bit.
---
src/network.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 48 insertions(+), 1 deletion(-)
v3:
* fix outdated commit description
diff --git a/src/network.c b/src/network.c
index 79f964b2..70a5434b 100644
--- a/src/network.c
+++ b/src/network.c
@@ -70,6 +70,7 @@ struct network {
struct network_info *info;
unsigned char *psk;
char *passphrase;
+ char *password_identifier;
struct l_ecc_point *sae_pt_19; /* SAE PT for Group 19 */
struct l_ecc_point *sae_pt_20; /* SAE PT for Group 20 */
unsigned int agent_request;
@@ -124,6 +125,13 @@ static void network_reset_passphrase(struct network *network)
network->passphrase = NULL;
}
+ if (network->password_identifier) {
+ explicit_bzero(network->password_identifier,
+ strlen(network->password_identifier));
+ l_free(network->password_identifier);
+ network->password_identifier = NULL;
+ }
+
if (network->sae_pt_19) {
l_ecc_point_free(network->sae_pt_19);
network->sae_pt_19 = NULL;
@@ -317,7 +325,8 @@ static struct l_ecc_point *network_generate_sae_pt(struct network *network,
l_debug("Generating PT for Group %u", group);
pt = crypto_derive_sae_pt_ecc(group, network->ssid,
- network->passphrase, NULL);
+ network->passphrase,
+ network->password_identifier);
if (!pt)
l_warn("SAE PT generation for Group %u failed", group);
@@ -462,6 +471,10 @@ static int network_set_handshake_secrets_psk(struct network *network,
handshake_state_set_passphrase(hs, network->passphrase);
+ if (network->password_identifier)
+ handshake_state_set_password_identifier(hs,
+ network->password_identifier);
+
if (ie_rsnxe_capable(hs->authenticator_rsnxe,
IE_RSNX_SAE_H2E)) {
l_debug("Authenticator is SAE H2E capable");
@@ -631,6 +644,9 @@ static int network_load_psk(struct network *network, struct scan_bss *bss)
_auto_(l_free) char *passphrase =
l_settings_get_string(network->settings,
"Security", "Passphrase");
+ _auto_(l_free) char *password_id =
+ l_settings_get_string(network->settings, "Security",
+ "PasswordIdentifier");
_auto_(l_free) char *path =
storage_get_network_file_path(security, ssid);
@@ -641,6 +657,31 @@ static int network_load_psk(struct network *network, struct scan_bss *bss)
psk_len = 0;
}
+ if (is_sae) {
+ /*
+ * Fail if:
+ * - the BSS exclusively uses password IDs and the profile
+ * does not have one set.
+ * - the BSS does not use password IDs and the profile has
+ * one set.
+ *
+ * In theory you could have a network with a mix of BSS's that
+ * use IDs and those that don't, but this is a strange
+ * configuration (arguably broken).
+ */
+ if (bss->sae_pw_id_exclusive && !password_id) {
+ l_error("[Security].PasswordIdentifier is not set but "
+ "BSS requires SAE password identifiers");
+ return -ENOKEY;
+ }
+
+ if (!bss->sae_pw_id_used && password_id) {
+ l_debug("[Security].PasswordIdentifier set but BSS "
+ "does not not use password identifiers");
+ return -ENOKEY;
+ }
+ }
+
/* PSK can be generated from the passphrase but not the other way */
if (!psk || is_sae) {
if (!passphrase)
@@ -655,6 +696,7 @@ static int network_load_psk(struct network *network, struct scan_bss *bss)
network_reset_passphrase(network);
network_reset_psk(network);
network->passphrase = l_steal_ptr(passphrase);
+ network->password_identifier = l_steal_ptr(password_id);
if (network_settings_load_pt_ecc(network, path,
19, &network->sae_pt_19) > 0)
@@ -726,6 +768,11 @@ static void network_settings_save(struct network *network,
l_settings_set_string(settings, "Security", "Passphrase",
network->passphrase);
+ if (network->password_identifier)
+ l_settings_set_string(settings, "Security",
+ "PasswordIdentifier",
+ network->password_identifier);
+
if (network->sae_pt_19)
network_settings_save_sae_pt_ecc(settings, network->sae_pt_19);
--
2.34.1
next reply other threads:[~2023-12-07 14:00 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-12-07 14:00 James Prestwood [this message]
2023-12-07 14:00 ` [PATCH v3 2/4] doc: document [Security].PasswordIdentifier James Prestwood
2023-12-07 14:00 ` [PATCH v3 3/4] auto-t: add H2E password identifier test James Prestwood
2023-12-07 14:00 ` [PATCH v3 4/4] auto-t: throw exception if executable is missing James Prestwood
2023-12-13 16:05 ` [PATCH v3 1/4] network: add support for SAE password identifiers Denis Kenzior
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231207140049.2614514-1-prestwoj@gmail.com \
--to=prestwoj@gmail.com \
--cc=iwd@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox