From patchwork Fri Nov 10 14:23:06 2023
X-Patchwork-Submitter: Vinayak Yadawad
X-Patchwork-Id: 1862418
From: Vinayak Yadawad
To: hostap@lists.infradead.org
Cc: jithu.jance@broadcom.com, Vinayak Yadawad
Subject: [PATCH 1/1] hostapd: Add support for SAE offload for AP interface
Date: Fri, 10 Nov 2023 19:53:06 +0530
Message-Id: <4767c973bd0687c41f7608c3068f1d3231a3e231.1699626113.git.vinayak.yadawad@broadcom.com>
X-Mailer: git-send-email 2.32.0
Driver/Firmware advertising SAE AP offload support would take care of SAE
authentication and PMK generation at driver/firmware. This feature requires
the driver to be supporting 4way handshake offload to process the generated
PMK at the driver level for 4way handshake.

Signed-off-by: Vinayak Yadawad
---
 src/ap/beacon.c                   | 27 +++++++++++++++++++++++++++
 src/ap/ieee802_11.c               |  6 +++---
 src/ap/ieee802_11.h               | 10 +++++++++-
 src/ap/wpa_auth.h                 |  1 +
 src/ap/wpa_auth_glue.c            | 15 +++++++++++++++
 src/ap/wpa_auth_ie.c              | 29 ++++++++++++++++++++++++-----
 src/drivers/driver.h              |  6 ++++++
 src/drivers/driver_nl80211.c      |  6 ++++++
 src/drivers/driver_nl80211_capa.c |  4 ++++
 9 files changed, 95 insertions(+), 9 deletions(-)

diff --git a/src/ap/beacon.c b/src/ap/beacon.c
index b88aeb03c..6d775f597 100644
--- a/src/ap/beacon.c
+++ b/src/ap/beacon.c
@@ -2026,6 +2026,33 @@ int ieee802_11_build_ap_params(struct hostapd_data *hapd, resp = hostapd_probe_resp_offloads(hapd, &resp_len); #endif /* NEED_AP_MLME */ +#ifdef CONFIG_SAE + /* If SAE offload is enabled, provide passphrase to lower layer for + * PMK generation + */ + if ((wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt)) && + (hapd->iface->drv_flags2 & WPA_DRIVER_FLAGS2_SAE_OFFLOAD_AP)) { + if (hostapd_sae_pk_in_use(hapd->conf)) { + wpa_printf(MSG_ERROR, + "sae_pk not supported with SAE offload"); + return -1; + } + + if (hostapd_sae_pw_id_in_use(hapd->conf)) { + wpa_printf(MSG_ERROR, + "sae pw_id not supported with SAE offlaod"); + return -1; + } + + params->sae_password = sae_get_password(hapd, NULL, NULL, NULL, + NULL, NULL); + if (!params->sae_password) { + wpa_printf(MSG_ERROR, "sae password not configured"); + return -1; + } + } +#endif /* CONFIG_SAE */ + params->head = (u8 *) head; params->head_len = head_len; params->tail = tail; diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c index d48185a17..73c4a1106 100644 --- a/src/ap/ieee802_11.c +++ b/src/ap/ieee802_11.c @@ -540,7 +540,7 @@ static void sae_set_state(struct sta_info *sta, enum sae_state state, } -static const char * sae_get_password(struct hostapd_data *hapd, +const char * sae_get_password(struct hostapd_data *hapd, struct sta_info *sta, const char *rx_id, struct sae_password_entry **pw_entry, @@ -554,7 +554,7 @@ static const char * sae_get_password(struct hostapd_data *hapd, struct hostapd_sta_wpa_psk_short *psk = NULL; for (pw = hapd->conf->sae_passwords; pw; pw = pw->next) { - if (!is_broadcast_ether_addr(pw->peer_addr) && + if (!is_broadcast_ether_addr(pw->peer_addr) && sta && os_memcmp(pw->peer_addr, sta->addr, ETH_ALEN) != 0) continue; if ((rx_id && !pw->identifier) || (!rx_id && pw->identifier)) 
@@ -573,7 +573,7 @@ static const char * sae_get_password(struct hostapd_data *hapd, pt = hapd->conf->ssid.pt; } - if (!password) { + if (!password && sta) { for (psk = sta->psk; psk; psk = psk->next) { if (psk->is_passphrase) { password = psk->passphrase; diff --git a/src/ap/ieee802_11.h b/src/ap/ieee802_11.h index 8ffce0bf5..8f81c6e7d 100644 --- a/src/ap/ieee802_11.h +++ b/src/ap/ieee802_11.h @@ -20,6 +20,9 @@ struct radius_sta; enum ieee80211_op_mode; enum oper_chan_width; struct ieee802_11_elems; +struct sae_pk; +struct sae_pt; +struct sae_password_entry; int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len, struct hostapd_frame_info *fi); @@ -238,5 +241,10 @@ u8 * hostapd_eid_mbssid(struct hostapd_data *hapd, u8 *eid, u8 *end, void punct_update_legacy_bw(u16 bitmap, u8 pri_chan, enum oper_chan_width *width, u8 *seg0, u8 *seg1); bool hostapd_is_mld_ap(struct hostapd_data *hapd); - +#ifdef CONFIG_SAE +const char * sae_get_password(struct hostapd_data *hapd, + struct sta_info *sta, const char *rx_id, + struct sae_password_entry **pw_entry, + struct sae_pt **s_pt, const struct sae_pk **s_pk); +#endif /* CONFIG_SAE */ #endif /* IEEE802_11_H */ diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h index 28eea83d8..d6ed6772b 100644 --- a/src/ap/wpa_auth.h +++ b/src/ap/wpa_auth.h @@ -395,6 +395,7 @@ struct wpa_auth_callbacks { int (*get_ml_rsn_info)(void *ctx, struct wpa_auth_ml_rsn_info *info); int (*get_ml_key_info)(void *ctx, struct wpa_auth_ml_key_info *info); #endif /* CONFIG_IEEE80211BE */ + int (*get_drv_flags)(void *ctx, u64 *drv_flags, u64 *drv_flags2); }; struct wpa_authenticator * wpa_init(const u8 *addr, diff --git a/src/ap/wpa_auth_glue.c b/src/ap/wpa_auth_glue.c index 30a72b126..14da825d9 100644 --- a/src/ap/wpa_auth_glue.c +++ b/src/ap/wpa_auth_glue.c 
@@ -1600,6 +1600,20 @@ static int hostapd_wpa_auth_get_ml_key_info(void *ctx, #endif /* CONFIG_IEEE80211BE */ +static int hostapd_wpa_auth_get_drv_flags(void *ctx, + u64 *drv_flags, u64 *drv_flags2) +{ + struct hostapd_data *hapd = ctx; + + if (!drv_flags || !drv_flags2) + return -1; + + *drv_flags = hapd->iface->drv_flags; + *drv_flags2 = hapd->iface->drv_flags2; + + return 0; +} + int hostapd_setup_wpa(struct hostapd_data *hapd) { @@ -1655,6 +1669,7 @@ int hostapd_setup_wpa(struct hostapd_data *hapd) .get_ml_rsn_info = hostapd_wpa_auth_get_ml_rsn_info, .get_ml_key_info = hostapd_wpa_auth_get_ml_key_info, #endif /* CONFIG_IEEE80211BE */ + .get_drv_flags = hostapd_wpa_auth_get_drv_flags, }; const u8 *wpa_ie; size_t wpa_ie_len; diff --git a/src/ap/wpa_auth_ie.c b/src/ap/wpa_auth_ie.c index 9b90e0749..15fb6baaf 100644 --- a/src/ap/wpa_auth_ie.c +++ b/src/ap/wpa_auth_ie.c @@ -17,7 +17,7 @@ #include "pmksa_cache_auth.h" #include "wpa_auth_ie.h" #include "wpa_auth_i.h" - +#include "drivers/driver.h" #ifdef CONFIG_RSN_TESTING int rsn_testing = 0; @@ -600,6 +600,14 @@ static int wpa_auth_okc_iter(struct wpa_authenticator *a, void *ctx) return 0; } +static int wpa_auth_get_drv_flags(struct wpa_authenticator *wpa_auth, + u64 *drv_flags, u64 *drv_flags2) +{ + if(!wpa_auth->cb->get_drv_flags) + return -1; + return wpa_auth->cb->get_drv_flags(wpa_auth->cb_ctx, + drv_flags, drv_flags2); +} enum wpa_validate_result wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth, 
@@ -1013,11 +1021,22 @@ wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth, } #ifdef CONFIG_SAE - if (sm->wpa_key_mgmt == WPA_KEY_MGMT_SAE && data.num_pmkid && - !sm->pmksa) { - wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, + if (sm->wpa_key_mgmt == WPA_KEY_MGMT_SAE) { + u64 drv_flags = 0; + u64 drv_flags2 = 0; + bool ap_sae_offload = false; + + if (!wpa_auth_get_drv_flags(wpa_auth, &drv_flags, + &drv_flags2)) { + ap_sae_offload = + !!(drv_flags2 & WPA_DRIVER_FLAGS2_SAE_OFFLOAD_AP); + } + + if (!ap_sae_offload && data.num_pmkid && !sm->pmksa) { + wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, "No PMKSA cache entry found for SAE"); - return WPA_INVALID_PMKID; + return WPA_INVALID_PMKID; + } } #endif /* CONFIG_SAE */ diff --git a/src/drivers/driver.h b/src/drivers/driver.h index 24016b344..292266c29 100644 --- a/src/drivers/driver.h +++ b/src/drivers/driver.h @@ -1809,6 +1809,10 @@ struct wpa_driver_ap_params { * mld_link_id - Link id for MLD BSS's */ u8 mld_link_id; + /** + * sae_password - sae password for SAE offload + */ + const char *sae_password; }; struct wpa_driver_mesh_bss_params { @@ -2281,6 +2285,8 @@ struct wpa_driver_capa { #define WPA_DRIVER_FLAGS2_SCAN_MIN_PREQ 0x0000000000008000ULL /** Driver supports SAE authentication offload in STA mode */ #define WPA_DRIVER_FLAGS2_SAE_OFFLOAD_STA 0x0000000000010000ULL +/** Driver support AP SAE authentication offload */ +#define WPA_DRIVER_FLAGS2_SAE_OFFLOAD_AP 0x0000000000020000ULL u64 flags2; #define FULL_AP_CLIENT_STATE_SUPP(drv_flags) \ diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c index 8b72d74c5..0a4f33d25 100644 --- a/src/drivers/driver_nl80211.c +++ b/src/drivers/driver_nl80211.c 
@@ -5110,6 +5110,12 @@ static int wpa_driver_nl80211_set_ap(void *priv, suites)) goto fail; + if (wpa_key_mgmt_sae(params->key_mgmt_suites) && + (drv->capa.flags2 & WPA_DRIVER_FLAGS2_SAE_OFFLOAD_AP) && + params->sae_password && (nla_put(msg, NL80211_ATTR_SAE_PASSWORD, + os_strlen(params->sae_password), params->sae_password))) + goto fail; + if (params->key_mgmt_suites & WPA_KEY_MGMT_IEEE8021X_NO_WPA && (!params->pairwise_ciphers || params->pairwise_ciphers & (WPA_CIPHER_WEP104 | WPA_CIPHER_WEP40)) && diff --git a/src/drivers/driver_nl80211_capa.c b/src/drivers/driver_nl80211_capa.c index b7d914140..2be1f5cd8 100644 --- a/src/drivers/driver_nl80211_capa.c +++ b/src/drivers/driver_nl80211_capa.c @@ -705,6 +705,10 @@ static void wiphy_info_ext_feature_flags(struct wiphy_info_data *info, if (ext_feature_isset(ext_features, len, NL80211_EXT_FEATURE_SCAN_MIN_PREQ_CONTENT)) capa->flags2 |= WPA_DRIVER_FLAGS2_SCAN_MIN_PREQ; + + if (ext_feature_isset(ext_features, len, + NL80211_EXT_FEATURE_SAE_OFFLOAD_AP)) + capa->flags2 |= WPA_DRIVER_FLAGS2_SAE_OFFLOAD_AP; }
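Review bot: In the beacon.c `@@ -2026` hunk, the three new `return -1;` paths run after `resp = hostapd_probe_resp_offloads(hapd, &resp_len);` and before `head`/`tail` are stored into `params`, so unless the caller already owns those buffers the early returns leak `head`, `tail` and `resp`; either move the SAE offload validation ahead of those allocations or release them on the error path. Separately, the log string "sae pw_id not supported with SAE offlaod" has a typo ("offload"), and since only a single password is handed to the driver, a configuration with several `sae_password` entries should be rejected here in the same way as sae_pk and password identifiers are, rather than silently using the first entry.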
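Review bot: In the ieee802_11.c `@@ -554` hunk, adding `&& sta` to the peer-address filter means that when `sae_get_password()` is called with `sta == NULL` (as the new beacon.c caller does), entries bound to a specific `peer_addr` are no longer skipped, so a per-peer password can be returned as the AP-wide offload password. If only broadcast entries should qualify for offload, skip peer-specific entries when there is no station instead: `if (!is_broadcast_ether_addr(pw->peer_addr) && (!sta || os_memcmp(pw->peer_addr, sta->addr, ETH_ALEN) != 0)) continue;`.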
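Review bot: In the ieee802_11.h `@@ -238` hunk, the blank line after `bool hostapd_is_mld_ap(struct hostapd_data *hapd);` was replaced by the `#ifdef CONFIG_SAE` block; keep one blank line between the prototype and the new block so the header keeps the surrounding layout.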
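Review bot: In the wpa_auth_ie.c `@@ -17` hunk, `#include "drivers/driver.h"` replaces the blank line that separated the includes from `#ifdef CONFIG_RSN_TESTING`; add the blank line back after the new include.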
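Review bot: In the wpa_auth_ie.c `@@ -600` hunk, `if(!wpa_auth->cb->get_drv_flags)` needs a space after `if`, and a blank line is missing between the closing brace of `wpa_auth_get_drv_flags()` and `enum wpa_validate_result` to match the rest of the file.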
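Review bot: In the wpa_auth_ie.c `@@ -1013` hunk, when `ap_sae_offload` is true a PMKID carried in the association request RSNE is no longer compared against anything in hostapd, so acceptance of a stale or unknown PMKID now rests entirely on the driver/firmware; a comment stating that the driver is expected to validate PMKIDs for offloaded SAE (and a sentence to that effect in the commit message) would make that trust boundary explicit. Since `drv_flags2` cannot change between associations, querying it once at setup and caching it in the authenticator would avoid the callback on every (Re)Association Request. Also, the continuation line `"No PMKSA cache entry found for SAE");` was not re-indented together with the `wpa_auth_vlogger()` call above it.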
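Review bot: In the driver.h `@@ -1809` hunk, the `sae_password` comment should say when the field is populated and who owns it: it is only set when the driver advertises `WPA_DRIVER_FLAGS2_SAE_OFFLOAD_AP`, it is filled from `sae_get_password()` in beacon.c, and it points at the configured password rather than a copy owned by `struct wpa_driver_ap_params`.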
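Review bot: In the driver.h `@@ -2281` hunk, the comment "Driver support AP SAE authentication offload" has a grammar error; word it like the STA flag directly above it: "Driver supports SAE authentication offload in AP mode".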
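Review bot: In the driver_nl80211.c `@@ -5110` hunk, the extra parentheses around `nla_put(...)` can be dropped to match the other attribute checks in `wpa_driver_nl80211_set_ap()`; more usefully, add a `wpa_printf(MSG_DEBUG, "nl80211: SAE offload: passing password to driver")` (without the password itself) when the attribute is added, so an operator can confirm from the log whether the SAE exchange is handled in hostapd or in the driver.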