This is a correction on top of: [PATCH v6 10/17] hostapd: Add support for Extended Key ID Changes: - Fix too wide bit masks. Which are not really needed but already in use for GTK key IDs. (We could drop them all) - merge TKIP handling into handle_extended_key_id() - Check configuration settings and disable Extended key ID when configuration settings don't allow it. - Which allows us to drop some tests from handle_extended_key_id() - Update log/debug messages (some needed for tests) Signed-off-by: Alexander Wetzel <alexander@xxxxxxxxxxxxxx> --- src/ap/ap_config.c | 2 +- src/ap/wpa_auth.c | 2 +- src/ap/wpa_auth_glue.c | 15 +++------------ src/ap/wpa_auth_ie.c | 33 ++++++++++++++++++++------------- 4 files changed, 25 insertions(+), 27 deletions(-) diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c index a7b91fad8..c080f7064 100644 --- a/src/ap/ap_config.c +++ b/src/ap/ap_config.c @@ -1099,7 +1099,7 @@ static int hostapd_config_check_bss(struct hostapd_bss_config *bss, bss->rsn_pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_CCMP_256 | WPA_CIPHER_GCMP | WPA_CIPHER_GCMP_256))) { wpa_printf(MSG_ERROR, - "Extended Key ID support requires wpa2 and CCMP/GCMP"); + "Extended Key ID support requires WPA2 and CCMP/GCMP, disabling it"); bss->wpa_extended_key_id = 0; } diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c index 1ecb9b491..26725a7df 100644 --- a/src/ap/wpa_auth.c +++ b/src/ap/wpa_auth.c @@ -5095,7 +5095,7 @@ int wpa_auth_resend_m3(struct wpa_state_machine *sm, hdr[1] = 0; if (sm->use_extended_key_id) { - hdr[0] = sm->keyidx_active & 0x03; + hdr[0] = sm->keyidx_active & 0x01; pos = wpa_add_kde(pos, RSN_KEY_DATA_KEYID, hdr, 2, NULL, 0); } diff --git a/src/ap/wpa_auth_glue.c b/src/ap/wpa_auth_glue.c index 5a55f799c..f45443257 100644 --- a/src/ap/wpa_auth_glue.c +++ b/src/ap/wpa_auth_glue.c 
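Review bot: The narrowed mask on the new `hdr[0] = sm->keyidx_active & 0x01;` line in wpa_auth_resend_m3() silently truncates rather than validates: handle_extended_key_id() only ever assigns 0 or 1 to keyidx_active, so the mask is a no-op today, but if that invariant is ever broken a value of 2 or 3 would be sent to the STA as Key ID 0 or 1 with no diagnostic. Either drop the mask and document the invariant, `hdr[0] = sm->keyidx_active; /* Extended Key ID only uses Key IDs 0 and 1 */`, or keep the mask and add that comment so the next reader does not assume a two-bit field is intended here. If the regular message 3 construction builds the same Key ID KDE outside this patch, it presumably needs the same treatment; only the resend path is touched. wpa_auth_resend_m3() starts and continues outside the hunk.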
@@ -1307,21 +1307,12 @@ int hostapd_setup_wpa(struct hostapd_data *hapd) _conf.ap_mlme = 1; if (_conf.wpa_extended_key_id) { - if (_conf.wpa & WPA_PROTO_RSN && - _conf.rsn_pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP | - WPA_CIPHER_GCMP_256 | - WPA_CIPHER_CCMP_256) && - hapd->iface->drv_flags & WPA_DRIVER_FLAGS_EXTENDED_KEY_ID) { + if (hapd->iface->drv_flags & WPA_DRIVER_FLAGS_EXTENDED_KEY_ID) { wpa_msg(hapd->msg_ctx, MSG_INFO, "Enable Extended Key ID support"); } else { - if (!(hapd->iface->drv_flags & - WPA_DRIVER_FLAGS_EXTENDED_KEY_ID)) - wpa_msg(hapd->msg_ctx, MSG_INFO, - "Extended Key ID not supported by driver"); - else - wpa_msg(hapd->msg_ctx, MSG_INFO, - "Extended Key ID requires wpa2 and CCMP/GCMP"); + wpa_msg(hapd->msg_ctx, MSG_INFO, + "Extended Key ID not supported by driver"); _conf.wpa_extended_key_id = 0; } } else if (_conf.wpa & WPA_PROTO_RSN) { diff --git a/src/ap/wpa_auth_ie.c b/src/ap/wpa_auth_ie.c index 2e3204f5d..e914c5587 100644 --- a/src/ap/wpa_auth_ie.c +++ b/src/ap/wpa_auth_ie.c 
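Review bot: The new branch in hostapd_setup_wpa() checks only WPA_DRIVER_FLAGS_EXTENDED_KEY_ID and relies on hostapd_config_check_bss() having already cleared wpa_extended_key_id when WPA2 or a CCMP/GCMP pairwise cipher is missing; that dependency is invisible at this point in the code. A one-line comment above the `if (hapd->iface->drv_flags & WPA_DRIVER_FLAGS_EXTENDED_KEY_ID)` test, `/* WPA2 and CCMP/GCMP requirements are enforced in hostapd_config_check_bss() */`, would make the split explicit. If any runtime reconfiguration path can set wpa_extended_key_id without passing through that check, the removed protocol/cipher test here was the last safety net, so that is worth confirming before depending on the config-time check alone. The enclosing function and the trailing `else if (_conf.wpa & WPA_PROTO_RSN)` branch continue outside the hunk.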
@@ -538,21 +538,34 @@ int handle_extended_key_id(struct wpa_state_machine *sm, int capabilities) struct wpa_auth_config *conf = &sm->wpa_auth->conf; if (conf->wpa_extended_key_id && + sm->pairwise != WPA_CIPHER_TKIP && capabilities & WPA_CAPABILITY_EXT_KEY_ID_FOR_UNICAST) { if (!sm->use_extended_key_id && sm->pairwise_set) { - wpa_printf(MSG_DEBUG, - "Can only enable Extended Key ID on initial connect"); + wpa_printf(MSG_ERROR, "STA " MACSTR + " tries to start using Extended Key ID on rekey", + MAC2STR(sm->addr)); return -1; } else if (!sm->use_extended_key_id) { + wpa_printf(MSG_DEBUG, "STA " MACSTR + " supports Extended Key ID", + MAC2STR(sm->addr)); sm->use_extended_key_id = TRUE; sm->keyidx_active = 1; + } else if (!sm->pairwise_set) { + wpa_printf(MSG_DEBUG, "STA " MACSTR + " is not supporting Extended Key ID", + MAC2STR(sm->addr)); } } else { if (sm->use_extended_key_id && sm->pairwise_set) { - wpa_printf(MSG_DEBUG, - "Already using Extended Key ID, can't stop"); + wpa_printf(MSG_ERROR, "STA " MACSTR + " is using Extended Key ID, can't rekey without it", + MAC2STR(sm->addr)); return -1; - } else if (sm->use_extended_key_id) { + } else if (!sm->pairwise_set) { + wpa_printf(MSG_DEBUG, "STA " MACSTR + " can't use Extended Key ID support", + MAC2STR(sm->addr)); sm->use_extended_key_id = FALSE; sm->keyidx_active = 0; } @@ -834,8 +847,6 @@ int wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth, return WPA_MGMT_FRAME_PROTECTION_VIOLATION; } - if (handle_extended_key_id(sm, data.capabilities)) - return WPA_INVALID_IE; #ifdef CONFIG_IEEE80211R_AP if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { if (mdie == NULL || mdie_len < MOBILITY_DOMAIN_ID_LEN + 1) { 
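Review bot: The third branch of the first block in handle_extended_key_id(), `else if (!sm->pairwise_set)`, is only reached when the STA did advertise WPA_CAPABILITY_EXT_KEY_ID_FOR_UNICAST and use_extended_key_id is already TRUE, yet it logs that the STA `is not supporting Extended Key ID`; the message contradicts the condition it sits under and will mislead anyone debugging from logs. A wording such as `" already enabled Extended Key ID"` would be accurate, or the branch can be dropped if it exists only for test output. Separately, both new `MSG_ERROR` lines fire on input the peer controls: a STA can flip the capability bit in its (Re)Association Request RSNE at will, so these are peer policy violations rather than local errors and belong at MSG_INFO or MSG_DEBUG (possibly via the per-STA wpa_auth_vlogger path, if that is how the rest of this file reports such events) to avoid log noise driven by a remote party. The second hunk in this file is a pure move of the call and needs no comment.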
@@ -885,12 +896,8 @@ int wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth, else sm->wpa = WPA_VERSION_WPA; - /* Extended Key ID must not be used for TKIP */ - if (sm->use_extended_key_id && sm->pairwise == WPA_CIPHER_TKIP) { - sm->use_extended_key_id = FALSE; - sm->keyidx_active = 0; - } - + if (handle_extended_key_id(sm, data.capabilities)) + return WPA_INVALID_IE; #if defined(CONFIG_IEEE80211R_AP) && defined(CONFIG_FILS) if ((sm->wpa_key_mgmt == WPA_KEY_MGMT_FT_FILS_SHA256 || -- 2.23.0 _______________________________________________ Hostap mailing list Hostap@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/hostap
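Review bot: The relocated `if (handle_extended_key_id(sm, data.capabilities)) return WPA_INVALID_IE;` is correct only because it now runs after sm->pairwise has been assigned (the TKIP check this hunk removes already depended on that): the TKIP exclusion moved into handle_extended_key_id() reads sm->pairwise, and calling it at the earlier position the other hunk deletes would evaluate a stale value. Nothing at the call site records this ordering constraint; a comment such as `/* Must follow the sm->pairwise assignment: handle_extended_key_id() refuses TKIP */` would keep a future reorder from reintroducing the problem this patch fixes. Note also that a state mismatch on rekey (Extended Key ID turned on or off mid-association) is now reported to the STA as an invalid IE; if the caller maps this to a WLAN status code, a more specific one may be appropriate, though the caller is not visible from this hunk. wpa_validate_wpa_ie() begins and ends outside the hunk.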