On Wed, Dec 16, 2020 at 01:00:51PM +0200, Ilan Peer wrote:
> PASN: Support PASN with SAE key derivation
> AP: Support PASN with SAE key derivation
> tests: Add PASN tests with SAE
> PASN: Support PASN with FILS key derivation
> AP: Support PASN with FILS key derivation
> tests: Add PASN with FILS tests
> PASN: Support PASN with FT key derivation
> AP: Support PASN with FT key derivation
> tests: Add PASN tests with FT key derivation
Thanks, applied with some cleanup and fixes.
> AP: Rename SAE anti clogging variables and functions
> AP: Move anti clogging handling code
> AP: Add support for PASN comeback flow
> PASN: Add support for comeback flow to the wpa_supplicant
> tests: Add PASN test with comeback flow
As discussed, I'm dropping these versions now. Most of the functionality
would likely be fine as an initial approach, but at minimum, I'd likely
to see the 0 TU Comeback After case being handled within wpa_supplicant
without external work needed and hostapd using that 0 TU value for the
case that depends on too many open exchanges.
I'm attaching the rebased patches I had in my working branch since the
posted versions of these patches would not have applied on top of the
current hostap.git snapshot.
--
Jouni Malinen PGP id EFC895FA
>From cfc7e76cce9adb6ac8c82d7daa0dbc9b2a2a52c0 Mon Sep 17 00:00:00 2001
From: Ilan Peer <ilan.peer@xxxxxxxxx>
Date: Wed, 16 Dec 2020 13:00:58 +0200
Subject: [PATCH 1/5] AP: Rename SAE anti clogging variables and functions
PASN authentication mandates support for comeback flow, which
among others can be used for anti-clogging purposes.
As the SAE support for anti clogging can also be used for PASN,
start modifying the source code so the anti clogging support
can be used for both SAE and PASN.
As a start, rename some variables/functions etc. so that they
would not be SAE specific.
Signed-off-by: Ilan Peer <ilan.peer@xxxxxxxxx>
---
hostapd/config_file.c | 2 +-
src/ap/ap_config.c | 2 +-
src/ap/ap_config.h | 2 +-
src/ap/hostapd.h | 8 ++---
src/ap/ieee802_11.c | 70 +++++++++++++++++++++++--------------------
5 files changed, 45 insertions(+), 39 deletions(-)
diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index cf0853bfdcc7..496cbb06b622 100644
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -4204,7 +4204,7 @@ static int hostapd_config_fill(struct hostapd_config *conf,
if (parse_wpabuf_hex(line, buf, &bss->assocresp_elements, pos))
return 1;
} else if (os_strcmp(buf, "sae_anti_clogging_threshold") == 0) {
- bss->sae_anti_clogging_threshold = atoi(pos);
+ bss->anti_clogging_threshold = atoi(pos);
} else if (os_strcmp(buf, "sae_sync") == 0) {
bss->sae_sync = atoi(pos);
} else if (os_strcmp(buf, "sae_groups") == 0) {
diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c
index 84d13512bd7c..502a68f743c6 100644
--- a/src/ap/ap_config.c
+++ b/src/ap/ap_config.c
@@ -121,7 +121,7 @@ void hostapd_config_defaults_bss(struct hostapd_bss_config *bss)
bss->radius_das_time_window = 300;
- bss->sae_anti_clogging_threshold = 5;
+ bss->anti_clogging_threshold = 5;
bss->sae_sync = 5;
bss->gas_frag_limit = 1400;
diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h
index e69132584595..510c26e0d415 100644
--- a/src/ap/ap_config.h
+++ b/src/ap/ap_config.h
@@ -655,7 +655,7 @@ struct hostapd_bss_config {
struct wpabuf *vendor_elements;
struct wpabuf *assocresp_elements;
- unsigned int sae_anti_clogging_threshold;
+ unsigned int anti_clogging_threshold;
unsigned int sae_sync;
int sae_require_mfp;
int sae_confirm_immediate;
diff --git a/src/ap/hostapd.h b/src/ap/hostapd.h
index 0eff47e1ab08..c10fa970e287 100644
--- a/src/ap/hostapd.h
+++ b/src/ap/hostapd.h
@@ -326,10 +326,10 @@ struct hostapd_data {
#ifdef CONFIG_SAE
/** Key used for generating SAE anti-clogging tokens */
- u8 sae_token_key[8];
- struct os_reltime last_sae_token_key_update;
- u16 sae_token_idx;
- u16 sae_pending_token_idx[256];
+ u8 comeback_key[8];
+ struct os_reltime last_comeback_key_update;
+ u16 comeback_idx;
+ u16 comeback_pending_idx[256];
int dot11RSNASAERetransPeriod; /* msec */
struct dl_list sae_commit_queue; /* struct hostapd_sae_commit_queue */
#endif /* CONFIG_SAE */
diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index daf73efb043e..da10fe473897 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -688,12 +688,12 @@ static int auth_sae_send_confirm(struct hostapd_data *hapd,
}
-static int use_sae_anti_clogging(struct hostapd_data *hapd)
+static int use_anti_clogging(struct hostapd_data *hapd)
{
struct sta_info *sta;
unsigned int open = 0;
- if (hapd->conf->sae_anti_clogging_threshold == 0)
+ if (hapd->conf->anti_clogging_threshold == 0)
return 1;
for (sta = hapd->sta_list; sta; sta = sta->next) {
@@ -703,7 +703,7 @@ static int use_sae_anti_clogging(struct hostapd_data *hapd)
sta->sae->state != SAE_CONFIRMED)
continue;
open++;
- if (open >= hapd->conf->sae_anti_clogging_threshold)
+ if (open >= hapd->conf->anti_clogging_threshold)
return 1;
}
@@ -711,18 +711,19 @@ static int use_sae_anti_clogging(struct hostapd_data *hapd)
* there are enough pending commit messages in the processing queue to
* potentially result in too many open sessions. */
if (open + dl_list_len(&hapd->sae_commit_queue) >=
- hapd->conf->sae_anti_clogging_threshold)
+ hapd->conf->anti_clogging_threshold)
return 1;
return 0;
}
-static int sae_token_hash(struct hostapd_data *hapd, const u8 *addr, u8 *idx)
+static int comeback_token_hash(struct hostapd_data *hapd, const u8 *addr,
+ u8 *idx)
{
u8 hash[SHA256_MAC_LEN];
- if (hmac_sha256(hapd->sae_token_key, sizeof(hapd->sae_token_key),
+ if (hmac_sha256(hapd->comeback_key, sizeof(hapd->comeback_key),
addr, ETH_ALEN, hash) < 0)
return -1;
*idx = hash[0];
@@ -730,8 +731,8 @@ static int sae_token_hash(struct hostapd_data *hapd, const u8 *addr, u8 *idx)
}
-static int check_sae_token(struct hostapd_data *hapd, const u8 *addr,
- const u8 *token, size_t token_len)
+static int check_comeback_token(struct hostapd_data *hapd, const u8 *addr,
+ const u8 *token, size_t token_len)
{
u8 mac[SHA256_MAC_LEN];
const u8 *addrs[2];
@@ -739,11 +740,13 @@ static int check_sae_token(struct hostapd_data *hapd, const u8 *addr,
u16 token_idx;
u8 idx;
- if (token_len != SHA256_MAC_LEN || sae_token_hash(hapd, addr, &idx) < 0)
+ if (token_len != SHA256_MAC_LEN ||
+ comeback_token_hash(hapd, addr, &idx) < 0)
return -1;
- token_idx = hapd->sae_pending_token_idx[idx];
+ token_idx = hapd->comeback_pending_idx[idx];
if (token_idx == 0 || token_idx != WPA_GET_BE16(token)) {
- wpa_printf(MSG_DEBUG, "SAE: Invalid anti-clogging token from "
+ wpa_printf(MSG_DEBUG,
+ "Comeback: Invalid anti-clogging token from "
MACSTR " - token_idx 0x%04x, expected 0x%04x",
MAC2STR(addr), WPA_GET_BE16(token), token_idx);
return -1;
@@ -753,12 +756,12 @@ static int check_sae_token(struct hostapd_data *hapd, const u8 *addr,
len[0] = ETH_ALEN;
addrs[1] = token;
len[1] = 2;
- if (hmac_sha256_vector(hapd->sae_token_key, sizeof(hapd->sae_token_key),
+ if (hmac_sha256_vector(hapd->comeback_key, sizeof(hapd->comeback_key),
2, addrs, len, mac) < 0 ||
os_memcmp_const(token + 2, &mac[2], SHA256_MAC_LEN - 2) != 0)
return -1;
- hapd->sae_pending_token_idx[idx] = 0; /* invalidate used token */
+ hapd->comeback_pending_idx[idx] = 0; /* invalidate used token */
return 0;
}
@@ -777,18 +780,19 @@ static struct wpabuf * auth_build_token_req(struct hostapd_data *hapd,
u16 token_idx;
os_get_reltime(&now);
- if (!os_reltime_initialized(&hapd->last_sae_token_key_update) ||
- os_reltime_expired(&now, &hapd->last_sae_token_key_update, 60) ||
- hapd->sae_token_idx == 0xffff) {
- if (random_get_bytes(hapd->sae_token_key,
- sizeof(hapd->sae_token_key)) < 0)
+ if (!os_reltime_initialized(&hapd->last_comeback_key_update) ||
+ os_reltime_expired(&now, &hapd->last_comeback_key_update, 60) ||
+ hapd->comeback_idx == 0xffff) {
+ if (random_get_bytes(hapd->comeback_key,
+ sizeof(hapd->comeback_key)) < 0)
return NULL;
- wpa_hexdump(MSG_DEBUG, "SAE: Updated token key",
- hapd->sae_token_key, sizeof(hapd->sae_token_key));
- hapd->last_sae_token_key_update = now;
- hapd->sae_token_idx = 0;
- os_memset(hapd->sae_pending_token_idx, 0,
- sizeof(hapd->sae_pending_token_idx));
+ wpa_hexdump(MSG_DEBUG,
+ "Comeback: Updated token key",
+ hapd->comeback_key, sizeof(hapd->comeback_key));
+ hapd->last_comeback_key_update = now;
+ hapd->comeback_idx = 0;
+ os_memset(hapd->comeback_pending_idx, 0,
+ sizeof(hapd->comeback_pending_idx));
}
buf = wpabuf_alloc(sizeof(le16) + 3 + SHA256_MAC_LEN);
@@ -804,15 +808,16 @@ static struct wpabuf * auth_build_token_req(struct hostapd_data *hapd,
wpabuf_put_u8(buf, WLAN_EID_EXT_ANTI_CLOGGING_TOKEN);
}
- if (sae_token_hash(hapd, addr, &p_idx) < 0) {
+ if (comeback_token_hash(hapd, addr, &p_idx) < 0) {
wpabuf_free(buf);
return NULL;
}
- token_idx = hapd->sae_pending_token_idx[p_idx];
+
+ token_idx = hapd->comeback_pending_idx[p_idx];
if (!token_idx) {
- hapd->sae_token_idx++;
- token_idx = hapd->sae_token_idx;
- hapd->sae_pending_token_idx[p_idx] = token_idx;
+ hapd->comeback_idx++;
+ token_idx = hapd->comeback_idx;
+ hapd->comeback_pending_idx[p_idx] = token_idx;
}
WPA_PUT_BE16(idx, token_idx);
token = wpabuf_put(buf, SHA256_MAC_LEN);
@@ -820,7 +825,7 @@ static struct wpabuf * auth_build_token_req(struct hostapd_data *hapd,
len[0] = ETH_ALEN;
addrs[1] = idx;
len[1] = sizeof(idx);
- if (hmac_sha256_vector(hapd->sae_token_key, sizeof(hapd->sae_token_key),
+ if (hmac_sha256_vector(hapd->comeback_key, sizeof(hapd->comeback_key),
2, addrs, len, token) < 0) {
wpabuf_free(buf);
return NULL;
@@ -1451,7 +1456,8 @@ static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta,
goto remove_sta;
}
- if (token && check_sae_token(hapd, sta->addr, token, token_len)
+ if (token &&
+ check_comeback_token(hapd, sta->addr, token, token_len)
< 0) {
wpa_printf(MSG_DEBUG, "SAE: Drop commit message with "
"incorrect token from " MACSTR,
@@ -1468,7 +1474,7 @@ static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta,
goto reply;
}
- if (!token && use_sae_anti_clogging(hapd) && !allow_reuse) {
+ if (!token && use_anti_clogging(hapd) && !allow_reuse) {
int h2e = 0;
wpa_printf(MSG_DEBUG,
--
2.25.1
>From 86b434b1eeff3cfcb1c3b61c03428790248629f3 Mon Sep 17 00:00:00 2001
From: Ilan Peer <ilan.peer@xxxxxxxxx>
Date: Wed, 16 Dec 2020 13:00:59 +0200
Subject: [PATCH 2/5] AP: Enable anti clogging handling code in PASN builds
without SAE
The anti-clogging code was under CONFIG_SAE. Change this so it can be
used both with CONFIG_SAE and CONFIG_PSAN.
Signed-off-by: Ilan Peer <ilan.peer@xxxxxxxxx>
---
src/ap/ieee802_11.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index da10fe473897..80a4e5df1695 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -687,6 +687,10 @@ static int auth_sae_send_confirm(struct hostapd_data *hapd,
return reply_res;
}
+#endif /* CONFIG_SAE */
+
+
+#if defined(CONFIG_SAE) || defined(CONFIG_PASN)
static int use_anti_clogging(struct hostapd_data *hapd)
{
@@ -697,22 +701,26 @@ static int use_anti_clogging(struct hostapd_data *hapd)
return 1;
for (sta = hapd->sta_list; sta; sta = sta->next) {
+#ifdef CONFIG_SAE
if (!sta->sae)
continue;
if (sta->sae->state != SAE_COMMITTED &&
sta->sae->state != SAE_CONFIRMED)
continue;
open++;
+#endif /* CONFIG_SAE */
if (open >= hapd->conf->anti_clogging_threshold)
return 1;
}
+#ifdef CONFIG_SAE
/* In addition to already existing open SAE sessions, check whether
* there are enough pending commit messages in the processing queue to
* potentially result in too many open sessions. */
if (open + dl_list_len(&hapd->sae_commit_queue) >=
hapd->conf->anti_clogging_threshold)
return 1;
+#endif /* CONFIG_SAE */
return 0;
}
@@ -835,6 +843,10 @@ static struct wpabuf * auth_build_token_req(struct hostapd_data *hapd,
return buf;
}
+#endif /* defined(CONFIG_SAE) || defined(CONFIG_PASN) */
+
+
+#ifdef CONFIG_SAE
static int sae_check_big_sync(struct hostapd_data *hapd, struct sta_info *sta)
{
--
2.25.1
>From 6184f5030e9fe74f6f3d27e420b09c8371173061 Mon Sep 17 00:00:00 2001
From: Ilan Peer <ilan.peer@xxxxxxxxx>
Date: Wed, 16 Dec 2020 13:01:00 +0200
Subject: [PATCH 3/5] AP: Add support for PASN comeback flow
Signed-off-by: Ilan Peer <ilan.peer@xxxxxxxxx>
---
src/ap/ieee802_11.c | 69 +++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 69 insertions(+)
diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index 80a4e5df1695..a492f5177666 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -709,6 +709,10 @@ static int use_anti_clogging(struct hostapd_data *hapd)
continue;
open++;
#endif /* CONFIG_SAE */
+#ifdef CONFIG_PASN
+ if (sta->pasn && sta->pasn->ecdh)
+ open++;
+#endif /* CONFIG_PASN */
if (open >= hapd->conf->anti_clogging_threshold)
return 1;
}
@@ -2888,6 +2892,50 @@ pasn_derive_keys(struct hostapd_data *hapd, struct sta_info *sta,
}
+static void handle_auth_pasn_comeback(struct hostapd_data *hapd,
+ struct sta_info *sta)
+{
+ struct wpabuf *buf, *comeback;
+ int ret;
+
+ wpa_printf(MSG_DEBUG, "PASN: Building comeback frame 2");
+
+ buf = wpabuf_alloc(1500);
+ if (!buf)
+ return;
+
+ wpa_pasn_build_auth_header(buf, hapd->own_addr, hapd->own_addr,
+ sta->addr, 2,
+ WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY);
+
+ comeback = auth_build_token_req(hapd, sta->pasn->group, sta->addr, 0);
+ if (!comeback) {
+ wpa_printf(MSG_DEBUG,
+ "PASN: Failed sending auth with comeback");
+
+ wpabuf_free(buf);
+ return;
+ }
+
+ wpa_pasn_add_parameter_ie(buf, sta->pasn->group,
+ WPA_PASN_WRAPPED_DATA_NO,
+ NULL, comeback, 10);
+
+ wpabuf_free(comeback);
+ comeback = NULL;
+
+ wpa_printf(MSG_DEBUG,
+ "PASN: comeback: STA=" MACSTR, MAC2STR(sta->addr));
+
+ ret = hostapd_drv_send_mlme(hapd, wpabuf_head(buf), wpabuf_len(buf), 0,
+ NULL, 0, 0);
+ if (ret)
+ wpa_printf(MSG_INFO, "PASN: Failed to send comeback frame 2");
+
+ wpabuf_free(buf);
+}
+
+
static int handle_auth_pasn_resp(struct hostapd_data *hapd,
struct sta_info *sta,
struct rsn_pmksa_cache_entry *pmksa,
@@ -3107,6 +3155,27 @@ static void handle_auth_pasn_1(struct hostapd_data *hapd, struct sta_info *sta,
goto send_resp;
}
+ if (pasn_params.comeback) {
+ wpa_printf(MSG_DEBUG, "PASN: Checking peer comeback token");
+
+ /* The token includes 2 bytes for the group, so skip them */
+ ret = check_comeback_token(hapd, sta->addr,
+ pasn_params.comeback + 2,
+ pasn_params.comeback_len - 2);
+
+ if (ret) {
+ wpa_printf(MSG_DEBUG, "PASN: Invalid comeback token");
+ status = WLAN_STATUS_UNSPECIFIED_FAILURE;
+ goto send_resp;
+ }
+ } else if (use_anti_clogging(hapd)) {
+ wpa_printf(MSG_DEBUG, "PASN: Response with comeback");
+
+ handle_auth_pasn_comeback(hapd, sta);
+ ap_free_sta(hapd, sta);
+ return;
+ }
+
sta->pasn->ecdh = crypto_ecdh_init(pasn_params.group);
if (!sta->pasn->ecdh) {
wpa_printf(MSG_DEBUG, "PASN: Failed to init ECDH");
--
2.25.1
>From c5613e859327a4cff8ac7a96f8f3550016efccc2 Mon Sep 17 00:00:00 2001
From: Ilan Peer <ilan.peer@xxxxxxxxx>
Date: Wed, 16 Dec 2020 13:01:01 +0200
Subject: [PATCH 4/5] PASN: Add support for comeback flow to the wpa_supplicant
Signed-off-by: Ilan Peer <ilan.peer@xxxxxxxxx>
---
wpa_supplicant/ctrl_iface.c | 26 +++++++++-
wpa_supplicant/pasn_supplicant.c | 84 +++++++++++++++++++++++++++----
wpa_supplicant/wpa_supplicant_i.h | 6 ++-
3 files changed, 103 insertions(+), 13 deletions(-)
diff --git a/wpa_supplicant/ctrl_iface.c b/wpa_supplicant/ctrl_iface.c
index da198b938ba3..80c1df8de205 100644
--- a/wpa_supplicant/ctrl_iface.c
+++ b/wpa_supplicant/ctrl_iface.c
@@ -10464,7 +10464,9 @@ static int wpas_ctrl_iface_pasn_start(struct wpa_supplicant *wpa_s, char *cmd)
u8 bssid[ETH_ALEN];
int akmp = -1, cipher = -1, got_bssid = 0;
u16 group = 0xFFFF;
- int id = 0;
+ u8 *comeback = NULL;
+ size_t comeback_len = 0;
+ int id = 0, ret;
/*
* Entry format: bssid=<BSSID> akmp=<AKMP> cipher=<CIPHER> group=<group>
@@ -10506,6 +10508,21 @@ static int wpas_ctrl_iface_pasn_start(struct wpa_supplicant *wpa_s, char *cmd)
group = atoi(token + 6);
} else if (os_strncmp(token, "nid=", 4) == 0) {
id = atoi(token + 4);
+ } else if (os_strncmp(token, "comeback=", 9) == 0) {
+ comeback_len = os_strlen(token + 9);
+
+ if (!comeback_len || comeback_len % 2)
+ return -1;
+
+ comeback_len /= 2;
+ comeback = os_malloc(comeback_len);
+ if (!comeback)
+ return -1;
+
+ if (hexstr2bin(token + 9, comeback, comeback_len)) {
+ os_free(comeback);
+ return -1;
+ }
} else {
wpa_printf(MSG_DEBUG,
"CTRL: PASN Invalid parameter: '%s'",
@@ -10516,10 +10533,15 @@ static int wpas_ctrl_iface_pasn_start(struct wpa_supplicant *wpa_s, char *cmd)
if (!got_bssid || akmp == -1 || cipher == -1 || group == 0xFFFF) {
wpa_printf(MSG_DEBUG,"CTRL: PASN missing parameter");
+ os_free(comeback);
return -1;
}
- return wpas_pasn_auth_start(wpa_s, bssid, akmp, cipher, group, id);
+ ret = wpas_pasn_auth_start(wpa_s, bssid, akmp, cipher, group, id,
+ comeback, comeback_len);
+
+ os_free(comeback);
+ return ret;
}
#endif /* CONFIG_PASN */
diff --git a/wpa_supplicant/pasn_supplicant.c b/wpa_supplicant/pasn_supplicant.c
index 736a6c7d6f96..642bcea3c5ca 100644
--- a/wpa_supplicant/pasn_supplicant.c
+++ b/wpa_supplicant/pasn_supplicant.c
@@ -33,6 +33,7 @@ struct wpa_pasn_auth_work {
int cipher;
u16 group;
int network_id;
+ struct wpabuf *comeback;
};
@@ -56,8 +57,30 @@ static void wpas_pasn_cancel_auth_work(struct wpa_supplicant *wpa_s)
static void wpas_pasn_auth_status(struct wpa_supplicant *wpa_s, const u8 *bssid,
- int akmp, int cipher, u8 status)
+ int akmp, int cipher, u8 status,
+ struct wpabuf *comeback,
+ u16 comeback_after)
{
+ if (comeback) {
+ size_t comeback_len = wpabuf_len(comeback);
+ char *comeback_txt = os_malloc(comeback_len * 2 + 1);
+
+ if (comeback_txt) {
+ wpa_snprintf_hex(comeback_txt, comeback_len * 2 + 1,
+ wpabuf_head(comeback), comeback_len);
+
+ wpa_msg(wpa_s, MSG_INFO, PASN_AUTH_STATUS MACSTR
+ " akmp=%s, status=%u comeback_after=%u"
+ " comeback=%s",
+ MAC2STR(bssid),
+ wpa_key_mgmt_txt(akmp, WPA_PROTO_RSN),
+ status, comeback_after, comeback_txt);
+
+ os_free(comeback_txt);
+ return;
+ }
+ }
+
wpa_msg(wpa_s, MSG_INFO,
PASN_AUTH_STATUS MACSTR " akmp=%s, status=%u",
MAC2STR(bssid), wpa_key_mgmt_txt(akmp, WPA_PROTO_RSN),
@@ -612,7 +635,8 @@ static u8 wpas_pasn_get_wrapped_data_format(struct wpas_pasn *pasn)
}
-static struct wpabuf * wpas_pasn_build_auth_1(struct wpa_supplicant *wpa_s)
+static struct wpabuf * wpas_pasn_build_auth_1(struct wpa_supplicant *wpa_s,
+ struct wpabuf *comeback)
{
struct wpas_pasn *pasn = &wpa_s->pasn;
struct wpabuf *buf, *pubkey = NULL, *wrapped_data_buf = NULL;
@@ -680,7 +704,7 @@ static struct wpabuf * wpas_pasn_build_auth_1(struct wpa_supplicant *wpa_s)
wrapped_data = WPA_PASN_WRAPPED_DATA_NO;
wpa_pasn_add_parameter_ie(buf, pasn->group, wrapped_data,
- pubkey, NULL, -1);
+ pubkey, comeback, -1);
if (wpa_pasn_add_wrapped_data(buf, wrapped_data_buf) < 0)
goto fail;
@@ -821,6 +845,10 @@ static void wpas_pasn_reset(struct wpa_supplicant *wpa_s)
wpabuf_free(pasn->beacon_rsne_rsnxe);
pasn->beacon_rsne_rsnxe = NULL;
+ wpabuf_free(pasn->comeback);
+ pasn->comeback = NULL;
+ pasn->comeback_after = 0;
+
#ifdef CONFIG_SAE
sae_clear_data(&pasn->sae);
#endif /* CONFIG_SAE */
@@ -939,7 +967,7 @@ static int wpas_pasn_start(struct wpa_supplicant *wpa_s, const u8 *bssid,
int akmp, int cipher, u16 group, int freq,
const u8 *beacon_rsne, u8 beacon_rsne_len,
const u8 *beacon_rsnxe, u8 beacon_rsnxe_len,
- int network_id)
+ int network_id, struct wpabuf *comeback)
{
struct wpas_pasn *pasn = &wpa_s->pasn;
struct wpa_ssid *ssid = NULL;
@@ -1016,7 +1044,7 @@ static int wpas_pasn_start(struct wpa_supplicant *wpa_s, const u8 *bssid,
MAC2STR(pasn->bssid), pasn->akmp, pasn->cipher,
pasn->group);
- frame = wpas_pasn_build_auth_1(wpa_s);
+ frame = wpas_pasn_build_auth_1(wpa_s, comeback);
if (!frame) {
wpa_printf(MSG_DEBUG, "PASN: Failed building 1st auth frame");
goto fail;
@@ -1098,6 +1126,8 @@ static void wpas_pasn_auth_start_cb(struct wpa_radio_work *work, int deinit)
wpa_s, NULL);
wpa_s->pasn_auth_work = NULL;
}
+
+ wpabuf_free(awork->comeback);
os_free(awork);
return;
}
@@ -1125,16 +1155,22 @@ static void wpas_pasn_auth_start_cb(struct wpa_radio_work *work, int deinit)
ret = wpas_pasn_start(wpa_s, awork->bssid, awork->akmp, awork->cipher,
awork->group, bss->freq, rsne, *(rsne + 1) + 2,
rsnxe, rsnxe ? *(rsnxe + 1) + 2 : 0,
- awork->network_id);
+ awork->network_id, awork->comeback);
if (ret) {
wpa_printf(MSG_DEBUG,
"PASN: Failed to start PASN authentication");
goto fail;
}
+ /* comeback token is no longer needed at this stage */
+ wpabuf_free(awork->comeback);
+ awork->comeback = NULL;
+
wpa_s->pasn_auth_work = work;
return;
fail:
+ wpabuf_free(awork->comeback);
+ awork->comeback = NULL;
os_free(awork);
work->ctx = NULL;
radio_work_done(work);
@@ -1142,7 +1178,8 @@ fail:
int wpas_pasn_auth_start(struct wpa_supplicant *wpa_s, const u8 *bssid,
- int akmp, int cipher, u16 group, int network_id)
+ int akmp, int cipher, u16 group, int network_id,
+ const u8 *comeback, size_t comeback_len)
{
struct wpa_pasn_auth_work *awork;
struct wpa_bss *bss;
@@ -1188,8 +1225,19 @@ int wpas_pasn_auth_start(struct wpa_supplicant *wpa_s, const u8 *bssid,
awork->group = group;
awork->network_id = network_id;
+ if (comeback && comeback_len) {
+ awork->comeback = wpabuf_alloc(comeback_len);
+ if (!awork->comeback) {
+ os_free(awork);
+ return -1;
+ }
+
+ wpabuf_put_data(awork->comeback, comeback, comeback_len);
+ }
+
if (radio_add_work(wpa_s, bss->freq, "pasn-start-auth", 1,
wpas_pasn_auth_start_cb, awork) < 0) {
+ wpabuf_free(awork->comeback);
os_free(awork);
return -1;
}
@@ -1209,7 +1257,8 @@ void wpas_pasn_auth_stop(struct wpa_supplicant *wpa_s)
wpa_printf(MSG_DEBUG, "PASN: Stopping authentication");
wpas_pasn_auth_status(wpa_s, pasn->bssid, pasn->akmp, pasn->cipher,
- pasn->status);
+ pasn->status, pasn->comeback,
+ pasn->comeback_after);
wpas_pasn_reset(wpa_s);
}
@@ -1308,10 +1357,21 @@ int wpas_pasn_auth_rx(struct wpa_supplicant *wpa_s,
goto fail;
}
- /* TODO: handle comeback flow */
if (status == WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY) {
wpa_printf(MSG_DEBUG,
"PASN: Authentication temporarily rejected");
+
+ if (pasn_params.comeback && pasn_params.comeback_len) {
+ pasn->comeback = wpabuf_alloc(pasn_params.comeback_len);
+ if (pasn->comeback) {
+ wpabuf_put_data(pasn->comeback,
+ pasn_params.comeback,
+ pasn_params.comeback_len);
+ pasn->comeback_after = pasn_params.after;
+ }
+ }
+
+ pasn->status = status;
goto fail;
}
@@ -1437,7 +1497,11 @@ fail:
* the frame and terminate the authentication exchange. However, better
* reply to the AP with an error status.
*/
- pasn->status = WLAN_STATUS_UNSPECIFIED_FAILURE;
+ if (status == WLAN_STATUS_SUCCESS)
+ pasn->status = WLAN_STATUS_UNSPECIFIED_FAILURE;
+ else
+ pasn->status = status;
+
wpas_pasn_auth_stop(wpa_s);
return -1;
}
diff --git a/wpa_supplicant/wpa_supplicant_i.h b/wpa_supplicant/wpa_supplicant_i.h
index 0ce7447fe728..bea940642f00 100644
--- a/wpa_supplicant/wpa_supplicant_i.h
+++ b/wpa_supplicant/wpa_supplicant_i.h
@@ -546,6 +546,9 @@ struct wpas_pasn {
struct wpa_ptk ptk;
struct crypto_ecdh *ecdh;
+ struct wpabuf *comeback;
+ u16 comeback_after;
+
#ifdef CONFIG_SAE
struct sae_data sae;
#endif /* CONFIG_SAE */
@@ -1712,7 +1715,8 @@ void wpas_handle_assoc_resp_mscs(struct wpa_supplicant *wpa_s, const u8 *bssid,
int wpas_pasn_auth_start(struct wpa_supplicant *wpa_s,
const u8 *bssid, int akmp, int cipher,
- u16 group, int network_id);
+ u16 group, int network_id,
+ const u8 *comeback, size_t comeback_len);
void wpas_pasn_auth_stop(struct wpa_supplicant *wpa_s);
int wpas_pasn_auth_tx_status(struct wpa_supplicant *wpa_s,
const u8 *data, size_t data_len, u8 acked);
--
2.25.1
>From 5fac471620bd34be0814a6a6af421b72406ad3cf Mon Sep 17 00:00:00 2001
From: Ilan Peer <ilan.peer@xxxxxxxxx>
Date: Wed, 16 Dec 2020 13:01:02 +0200
Subject: [PATCH 5/5] tests: Add PASN test with comeback flow
Signed-off-by: Ilan Peer <ilan.peer@xxxxxxxxx>
---
tests/hwsim/test_pasn.py | 42 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 42 insertions(+)
diff --git a/tests/hwsim/test_pasn.py b/tests/hwsim/test_pasn.py
index 157d15955074..68b08e15796e 100644
--- a/tests/hwsim/test_pasn.py
+++ b/tests/hwsim/test_pasn.py
@@ -21,6 +21,7 @@ from utils import *
from hwsim import HWSimRadio
from test_erp import check_erp_capa, start_erp_as
from test_fils import check_fils_capa
+import re
from test_ap_ft import run_roams, ft_params1, ft_params2
def check_pasn_capab(dev):
@@ -538,6 +539,47 @@ def test_pasn_fils_sha384_connected_diff_channel(dev, apdev, params):
"""PASN FILS authentication using SHA-384 while connected diff channel"""
check_pasn_fils_connected_diff_channel(dev, apdev, params, "FILS-SHA384")
+@remote_compatible
+def test_pasn_comeback(dev, apdev, params):
+ """ PASN authentication with comeback flow """
+ check_pasn_capab(dev[0])
+
+ params = pasn_ap_params("PASN", "CCMP", "19")
+ params['sae_anti_clogging_threshold'] = '0'
+ hapd = hostapd.add_ap(apdev[0], params)
+
+ dev[0].scan(type="ONLY", freq=2412)
+ cmd = "PASN_START bssid=%s akmp=PASN cipher=CCMP group=19" % (hapd.own_addr())
+
+ resp = dev[0].request(cmd)
+ if "OK" not in resp:
+ raise Exception("Failed to start PASN authentication")
+
+ ev = dev[0].wait_event(["PASN-AUTH-STATUS"], 3)
+ if not ev:
+ raise Exception("PASN: PASN-AUTH-STATUS not seen")
+
+ if hapd.own_addr() + " akmp=PASN, status=30 comeback_after=" not in ev:
+ raise Exception("PASN: unexpected status")
+
+ comeback = re.split("comeback=", ev)[1]
+
+ cmd = "PASN_START bssid=%s akmp=PASN cipher=CCMP group=19 comeback=%s" % \
+ (hapd.own_addr(), comeback)
+
+ resp = dev[0].request(cmd)
+ if "OK" not in resp:
+ raise Exception("Failed to start PASN authentication")
+
+ ev = dev[0].wait_event(["PASN-AUTH-STATUS"], 3)
+ if not ev:
+ raise Exception("PASN: PASN-AUTH-STATUS not seen")
+
+ if hapd.own_addr() + " akmp=PASN, status=0" not in ev:
+ raise Exception("PASN: unexpected status with comeback token")
+
+ check_pasn_ptk(dev[0], hapd, "CCMP")
+
def test_pasn_ft_psk(dev, apdev):
"""PASN authentication with FT-PSK"""
check_pasn_capab(dev[0])
--
2.25.1
_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
