From patchwork Thu Dec 21 11:38:06 2023
X-Patchwork-Submitter: Andrei Otcheretianski
X-Patchwork-Id: 1878669
From: Andrei Otcheretianski
To: hostap@lists.infradead.org
Cc: Ilan Peer
Subject: [PATCH 1/2] AP: Use the MLD address for SAE authentication
Date: Thu, 21 Dec 2023 13:38:06 +0200
Message-ID: <20231221113807.610501-1-andrei.otcheretianski@intel.com>

From: Ilan Peer

In cases of SAE failure, the mgmt->sa was used for sending the authentication frame. Fix the code to use the station address (which is the MLD address in cases of AP MLD).

Signed-off-by: Ilan Peer
---
 src/ap/ieee802_11.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c index a65287d77e..faaf0549af 100644 --- a/src/ap/ieee802_11.c +++ b/src/ap/ieee802_11.c @@ -1278,7 +1278,8 @@ static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta, pos = mgmt->u.auth.variable; end = ((const u8 *) mgmt) + len; resp = status_code; - send_auth_reply(hapd, sta, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE, + send_auth_reply(hapd, sta, sta->addr, mgmt->bssid, + WLAN_AUTH_SAE, auth_transaction, resp, pos, end - pos, "auth-sae-reflection-attack"); goto remove_sta; 
@@ -1286,7 +1287,8 @@ static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta, if (hapd->conf->sae_commit_override && auth_transaction == 1) { wpa_printf(MSG_DEBUG, "SAE: TESTING - commit override"); - send_auth_reply(hapd, sta, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE, + send_auth_reply(hapd, sta, sta->addr, mgmt->bssid, + WLAN_AUTH_SAE, auth_transaction, resp, wpabuf_head(hapd->conf->sae_commit_override), wpabuf_len(hapd->conf->sae_commit_override), 
@@ -1557,7 +1559,8 @@ reply: data = wpabuf_alloc_copy(pos, 2); sae_sme_send_external_auth_status(hapd, sta, resp); - send_auth_reply(hapd, sta, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE, + send_auth_reply(hapd, sta, sta->addr, mgmt->bssid, + WLAN_AUTH_SAE, auth_transaction, resp, data ? wpabuf_head(data) : (u8 *) "", data ? wpabuf_len(data) : 0, "auth-sae");
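
Review bot: In the @@ -1278,7 +1278,8 @@ hunk of src/ap/ieee802_11.c the destination argument becomes sta->addr, but the next argument is still mgmt->bssid, taken from the received frame. The commit message says sta->addr is the MLD address for an AP MLD, so this call now pairs an MLD-level destination with a BSSID from the frame. If send_auth_reply() is expected to handle that pairing for MLD stations, a one-line comment at the call saying so would help; if not, the BSSID argument needs the same review. The same question applies to the two later hunks, which make the identical substitution.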
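
Review bot: In the @@ -1557,7 +1559,8 @@ hunk the call under the reply: label now dereferences sta, where the old argument mgmt->sa did not depend on sta at all. Since reply: is a label reached by jumps from elsewhere in handle_auth_sae(), please confirm that sta is always valid at this point, or keep mgmt->sa as a fallback when it is not. The visible context does not show a guard, so a short note in the commit message on why sta->addr is safe here would settle it.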

From patchwork Thu Dec 21 11:38:07 2023
X-Patchwork-Submitter: Andrei Otcheretianski
X-Patchwork-Id: 1878668
From: Andrei Otcheretianski
To: hostap@lists.infradead.org
Cc: Ilan Peer
Subject: [PATCH 2/2] tests: Extend MLD SAE test to cover failed authentication
Date: Thu, 21 Dec 2023 13:38:07 +0200
Message-ID: <20231221113807.610501-2-andrei.otcheretianski@intel.com>
In-Reply-To: <20231221113807.610501-1-andrei.otcheretianski@intel.com>

From: Ilan Peer

Signed-off-by: Ilan Peer
---
 tests/hwsim/test_eht.py | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/tests/hwsim/test_eht.py b/tests/hwsim/test_eht.py index b799fcd855..430cf9406a 100644 --- a/tests/hwsim/test_eht.py +++ b/tests/hwsim/test_eht.py 
@@ -427,12 +427,21 @@ def run_eht_mld_sae_two_links(dev, apdev, beacon_prot="1"): hapd1 = eht_mld_enable_ap(hapd_iface, params) wpas.set("sae_pwe", "1") + + # the first authentication attempt would use group 20 and the authentication is expected + # to fail. The next authentication should use group 19 and succeed. + wpas.request("SET sae_groups 20 19") + wpas.connect(ssid, sae_password=passphrase, scan_freq="2412 2437", key_mgmt="SAE", ieee80211w="2", beacon_prot="1") eht_verify_status(wpas, hapd0, 2412, 20, is_ht=True, mld=True, valid_links=3, active_links=3) eht_verify_wifi_version(wpas) + + if wpas.get_status_field('sae_group') != '19': + raise Exception("Expected SAE group not used") + traffic_test(wpas, hapd0) traffic_test(wpas, hapd1)
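
Review bot: The check added after eht_verify_status() only confirms that the final association reports sae_group 19. Nothing in the hunk verifies that an attempt with group 20 was actually made and rejected, which is the failed-authentication path the subject line says the test now covers. Consider asserting on the rejection itself before accepting the connection, so the test cannot pass without exercising the failure reply changed in patch 1/2. Separately, `wpas.request("SET sae_groups 20 19")` does not use the command result while the line just above uses `wpas.set("sae_pwe", "1")`; `wpas.set("sae_groups", "20 19")` would match it. The hunk also does not restore sae_groups afterwards, and the commit message has no description beyond the Signed-off-by line.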