From patchwork Wed Jan 11 20:15:35 2023
X-Patchwork-Submitter: James Prestwood
X-Patchwork-Id: 13097208
From: James Prestwood
To: iwd@lists.linux.dev
Cc: James Prestwood
Subject: [PATCH 1/9] eapol: set secure on message 2/4 properly
Date: Wed, 11 Jan 2023 12:15:35 -0800
Message-Id: <20230111201543.397692-1-prestwoj@gmail.com>

The second handshake message was hard-coded with the secure bit as zero, but for rekeys the secure bit should be set to 1. Fix this by changing the 2/4 builder to take a boolean which will set the bit properly.

It should be noted that hostapd doesn't check this bit, so EAPoL worked just fine, but IWD's checks are more strict.

--- src/eapol.c | 12 +++++++----- src/eapol.h | 3 ++- 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/src/eapol.c b/src/eapol.c index c7480c11..593daf41 100644 --- a/src/eapol.c +++ b/src/eapol.c @@ -766,11 +766,12 @@ struct eapol_key *eapol_create_ptk_2_of_4( size_t extra_len, const uint8_t *extra_data, bool is_wpa, - size_t mic_len) + size_t mic_len, + bool secure) { - return eapol_create_common(protocol, version, false, key_replay_counter, - snonce, extra_len, extra_data, 1, - is_wpa, mic_len); + return eapol_create_common(protocol, version, secure, + key_replay_counter, snonce, extra_len, + extra_data, 1, is_wpa, mic_len); } struct eapol_key *eapol_create_ptk_4_of_4(
@@ -1326,7 +1327,8 @@ static void eapol_handle_ptk_1_of_4(struct eapol_sm *sm, ek->key_descriptor_version, L_BE64_TO_CPU(ek->key_replay_counter), sm->handshake->snonce, ies_len, ies, - sm->handshake->wpa_ie, sm->mic_len); + sm->handshake->wpa_ie, sm->mic_len, + sm->rekey); kck = handshake_state_get_kck(sm->handshake); diff --git a/src/eapol.h b/src/eapol.h index 8d8d5252..43dc224d 100644 --- a/src/eapol.h +++ b/src/eapol.h 
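Review bot: in the eapol_handle_ptk_1_of_4 hunk the new `secure` argument is taken from `sm->rekey`, but nothing in this patch shows where the supplicant side sets `sm->rekey`; if it is not already set by the time 2/4 is built, a rekey still goes out with Secure=0 and the stricter IWD authenticator check the commit message mentions would reject IWD's own supplicant. Either point at where the flag is set when a 1/4 with Secure=1 arrives, or pass `sm->handshake->ptk_complete` directly, which is the value the authenticator's eapol_verify_ptk_2_of_4() compares the bit against. A one-line comment on the new parameter in eapol.h (`secure` must be true for rekeys) would also stop the next caller from passing `false` by habit.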
@@ -83,7 +83,8 @@ struct eapol_key *eapol_create_ptk_2_of_4( size_t extra_len, const uint8_t *extra_data, bool is_wpa, - size_t mic_len); + size_t mic_len, + bool secure); struct eapol_key *eapol_create_ptk_4_of_4( enum eapol_protocol_version protocol,

From patchwork Wed Jan 11 20:15:36 2023
X-Patchwork-Submitter: James Prestwood
X-Patchwork-Id: 13097209
From: James Prestwood
To: iwd@lists.linux.dev
Cc: James Prestwood
Subject: [PATCH 2/9] unit: update test-eapol with API change
Date: Wed, 11 Jan 2023 12:15:36 -0800
Message-Id: <20230111201543.397692-2-prestwoj@gmail.com>
In-Reply-To: <20230111201543.397692-1-prestwoj@gmail.com>

--- unit/test-eapol.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/unit/test-eapol.c b/unit/test-eapol.c index 227e485f..563541f5 100644 --- a/unit/test-eapol.c +++ b/unit/test-eapol.c @@ -1793,7 +1793,7 @@ static void eapol_4way_test(const void *data) eapol_key_test_4.key_replay_counter, snonce, eapol_key_test_4.key_data_len, eapol_key_data_4 + EAPOL_FRAME_LEN(16), - false, 16); + false, 16, false); assert(frame); assert(eapol_calculate_mic(IE_RSN_AKM_SUITE_PSK, ptk, frame, mic, 16));
@@ -1878,7 +1878,7 @@ static void eapol_wpa2_handshake_test(const void *data) eapol_key_test_8.key_replay_counter, snonce, eapol_key_test_8.key_data_len, eapol_key_data_8 + EAPOL_FRAME_LEN(16), - false, 16); + false, 16, false); assert(frame); assert(eapol_calculate_mic(IE_RSN_AKM_SUITE_PSK, ptk, frame, mic, 16)); 
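Review bot: every call site updated in the test-eapol.c hunks passes `false` for the new `secure` argument, so the rekey path (2/4 with Secure=1) that PATCH 1/9 was written for has no unit coverage; add one frame built with `secure = true` and check that eapol_verify_ptk_2_of_4() accepts it with ptk_complete set and rejects it with ptk_complete clear, otherwise the bit can regress silently.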
@@ -2008,7 +2008,7 @@ static void eapol_wpa_handshake_test(const void *data) eapol_key_test_14.key_replay_counter, snonce, eapol_key_test_14.key_data_len, eapol_key_data_14 + EAPOL_FRAME_LEN(16), - true, 16); + true, 16, false); assert(frame); assert(eapol_calculate_mic(IE_RSN_AKM_SUITE_PSK, ptk, frame, mic, 16));

From patchwork Wed Jan 11 20:15:37 2023
X-Patchwork-Submitter: James Prestwood
X-Patchwork-Id: 13097210
From: James Prestwood
To: iwd@lists.linux.dev
Cc: James Prestwood
Subject: [PATCH 3/9] eapol: implement rekey support for authenticator
Date: Wed, 11 Jan 2023 12:15:37 -0800
Message-Id: <20230111201543.397692-3-prestwoj@gmail.com>
In-Reply-To: <20230111201543.397692-1-prestwoj@gmail.com>

The only changes required were to set the secure bit for message 1, reset the frame retry counter, and not explicitly set ptk_complete to false.

Initiating a rekey can now be done by simply calling eapol_start().

--- src/eapol.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/src/eapol.c b/src/eapol.c index 593daf41..d31116b6 100644 --- a/src/eapol.c +++ b/src/eapol.c @@ -1087,8 +1087,6 @@ static void eapol_send_ptk_1_of_4(struct eapol_sm *sm) handshake_state_new_anonce(sm->handshake); - sm->handshake->ptk_complete = false; - sm->replay_counter++; memset(ek, 0, EAPOL_FRAME_LEN(sm->mic_len));
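Review bot: removing `sm->handshake->ptk_complete = false;` from eapol_send_ptk_1_of_4 is what lets the Secure bit and `sm->rekey` be derived from ptk_complete, but it also means a rekey that times out after 1/4 or 3/4 leaves ptk_complete true with no record that the in-flight handshake failed, while `sm->replay_counter++` in this hunk has already advanced the counter. The commit message should say what the retry/timeout path does in that case (tear the station down, or keep the old PTK and retry later).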
@@ -1112,6 +1110,11 @@ static void eapol_send_ptk_1_of_4(struct eapol_sm *sm) eapol_key_data_append(ek, sm->mic_len, HANDSHAKE_KDE_PMKID, pmkid, 16); + if (sm->handshake->ptk_complete) { + ek->secure = true; + sm->rekey = true; + } + ek->header.packet_len = L_CPU_TO_BE16(EAPOL_FRAME_LEN(sm->mic_len) + EAPOL_KEY_DATA_LEN(ek, sm->mic_len) - 4); @@ -2129,7 +2132,8 @@ static void eapol_handle_ptk_4_of_4(struct eapol_sm *sm, * This might be a retransmission, so accept but don't install * the keys again. */ - if (!sm->handshake->ptk_complete) + if (!sm->handshake->ptk_complete || + (sm->handshake->ptk_complete && sm->rekey)) handshake_state_install_ptk(sm->handshake); sm->handshake->ptk_complete = true; @@ -2483,6 +2487,8 @@ static void eapol_eap_complete_cb(enum eap_result result, void *user_data) /* sm->mic_len will have been set in eapol_eap_results_cb */ + sm->frame_retry = 0; + /* Kick off 4-Way Handshake */ eapol_ptk_1_of_4_retry(NULL, sm); } 
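Review bot: in the eapol_handle_ptk_4_of_4 hunk `sm->rekey` is set in eapol_send_ptk_1_of_4 and never cleared anywhere in this patch, so after the first rekey every accepted 4/4, including the retransmission that the comment just above this condition says must not reinstall keys, calls handshake_state_install_ptk() again. Clear `sm->rekey` right after the install (or compare the frame's replay counter with the one the current PTK was installed under) and simplify the test, which as written reduces to `if (!sm->handshake->ptk_complete || sm->rekey)`. In the eapol_send_ptk_1_of_4 hunk, deriving `ek->secure` from ptk_complete is right for a rekey 1/4; a short comment there saying this is the rekey case would help now that the function serves both.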
@@ -2874,6 +2880,8 @@ bool eapol_start(struct eapol_sm *sm) if (L_WARN_ON(!sm->handshake->have_pmk)) return false; + sm->frame_retry = 0; + /* Kick off handshake */ eapol_ptk_1_of_4_retry(NULL, sm); }

From patchwork Wed Jan 11 20:15:38 2023
X-Patchwork-Submitter: James Prestwood
X-Patchwork-Id: 13097211
From: James Prestwood
To: iwd@lists.linux.dev
Cc: James Prestwood
Subject: [PATCH 4/9] handshake: add event for rekey success
Date: Wed, 11 Jan 2023 12:15:38 -0800
Message-Id: <20230111201543.397692-4-prestwoj@gmail.com>
In-Reply-To: <20230111201543.397692-1-prestwoj@gmail.com>

Rekeys for station mode don't need to know when complete, since there is nothing to do once done. AP mode, on the other hand, needs to know if the rekey was successful in order to reset/set the next rekey timer.

--- src/handshake.h | 1 + src/station.c | 1 + 2 files changed, 2 insertions(+) diff --git a/src/handshake.h b/src/handshake.h index f2321634..863ffac7 100644 --- a/src/handshake.h +++ b/src/handshake.h @@ -60,6 +60,7 @@ enum handshake_event { HANDSHAKE_EVENT_EAP_NOTIFY, HANDSHAKE_EVENT_TRANSITION_DISABLE, HANDSHAKE_EVENT_P2P_IP_REQUEST, + HANDSHAKE_EVENT_REKEY_COMPLETE, }; typedef void (*handshake_event_func_t)(struct handshake_state *hs, diff --git a/src/station.c b/src/station.c index bad067c8..ad5ad724 100644
--- a/src/station.c +++ b/src/station.c 
@@ -1015,6 +1015,7 @@ static void station_handshake_event(struct handshake_state *hs, case HANDSHAKE_EVENT_SETTING_KEYS_FAILED: case HANDSHAKE_EVENT_EAP_NOTIFY: case HANDSHAKE_EVENT_P2P_IP_REQUEST: + case HANDSHAKE_EVENT_REKEY_COMPLETE: /* * currently we don't care about any other events. The * netdev_connect_cb will notify us when the connection is

From patchwork Wed Jan 11 20:15:39 2023
X-Patchwork-Submitter: James Prestwood
X-Patchwork-Id: 13097212
From: James Prestwood
To: iwd@lists.linux.dev
Cc: James Prestwood
Subject: [PATCH 5/9] netdev: unset ptk_installed flag for TK
Date: Wed, 11 Jan 2023 12:15:39 -0800
Message-Id: <20230111201543.397692-5-prestwoj@gmail.com>
In-Reply-To: <20230111201543.397692-1-prestwoj@gmail.com>

When the TK is installed, the 'ptk_installed' flag was never set to zero. For initial associations this was fine (already zero), but for rekeys the flag needs to be unset so try_handshake_complete knows if the key was installed. This is consistent with how gtk/igtk keys work as well.

--- src/netdev.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/netdev.c b/src/netdev.c index cda8d183..fc8a2afa 100644 --- a/src/netdev.c +++ b/src/netdev.c
@@ -2024,6 +2024,8 @@ static void netdev_set_tk(struct handshake_state *hs, uint8_t key_index, const uint8_t *addr = netdev_choose_key_address(nhs); int err; + nhs->ptk_installed = false; + /* * WPA1 does the group handshake after the 4-way finishes so we can't * rely on the gtk/igtk being set immediately after the ptk. Since

From patchwork Wed Jan 11 20:15:40 2023
X-Patchwork-Submitter: James Prestwood
X-Patchwork-Id: 13097213
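Review bot: in PATCH 5/9's netdev_set_tk hunk, `nhs->ptk_installed` is cleared before the key is actually pushed to the kernel, so any failure between this line and the NEW_KEY completion leaves the flag false while `nhs->complete` stays true from the initial association; try_handshake_complete() then never fires for that station again and nothing reports the failed rekey. Make sure the `err` path in this function goes through netdev_setting_keys_failed() so the station is torn down rather than left with a stale flag.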
From: James Prestwood
To: iwd@lists.linux.dev
Cc: James Prestwood
Subject: [PATCH 6/9] netdev: support HANDSHAKE_EVENT_REKEY_COMPLETE
Date: Wed, 11 Jan 2023 12:15:40 -0800
Message-Id: <20230111201543.397692-6-prestwoj@gmail.com>
In-Reply-To: <20230111201543.397692-1-prestwoj@gmail.com>

In try_handshake_complete() we return early if all the keys had been installed before (initial associations). For rekeys we can now emit the REKEY_COMPLETE event which lets AP mode reset the rekey timer for that station.

--- src/netdev.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/src/netdev.c b/src/netdev.c index fc8a2afa..035dbd00 100644 --- a/src/netdev.c +++ b/src/netdev.c
@@ -1469,8 +1469,13 @@ static void netdev_setting_keys_failed(struct netdev_handshake_state *nhs, static void try_handshake_complete(struct netdev_handshake_state *nhs) { - if (nhs->ptk_installed && nhs->gtk_installed && nhs->igtk_installed && - !nhs->complete) { + if (nhs->ptk_installed && nhs->gtk_installed && nhs->igtk_installed) { + if (nhs->complete) { + handshake_event(&nhs->super, + HANDSHAKE_EVENT_REKEY_COMPLETE); + return; + } + nhs->complete = true; if (handshake_event(&nhs->super, HANDSHAKE_EVENT_COMPLETE))

From patchwork Wed Jan 11 20:15:41 2023
X-Patchwork-Submitter: James Prestwood
X-Patchwork-Id: 13097214
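Review bot: in PATCH 6/9's try_handshake_complete hunk the REKEY_COMPLETE branch fires whenever all three installed flags are set and `complete` is already true, and since gtk_installed/igtk_installed are cleared on every group key install (PATCH 5/9 says the TK handling is being made consistent with them), a GTK-only rekey will also emit HANDSHAKE_EVENT_REKEY_COMPLETE. Station mode ignores the event, but an AP-side handler that uses it to re-arm the PTK rekey timer would be reset by group rekeys too; either document next to the enum value that the event means "some key was (re)installed" or carry which key was installed in the event.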
From: James Prestwood
To: iwd@lists.linux.dev
Cc: James Prestwood
Subject: [PATCH 7/9] eapol: relax secure bit check on 2/4
Date: Wed, 11 Jan 2023 12:15:41 -0800
Message-Id: <20230111201543.397692-7-prestwoj@gmail.com>
In-Reply-To: <20230111201543.397692-1-prestwoj@gmail.com>

Old wpa_supplicant versions do not set the secure bit on 2/4 during rekeys, which causes IWD to reject the message and eventually time out. Modern versions do set it correctly, but even Android 13 (Pixel 5a) still uses an ancient version of wpa_supplicant which does not set the bit. Relax this check and instead just print a warning but allow the message to be processed.

--- src/eapol.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/eapol.c b/src/eapol.c index d31116b6..55c4b6d8 100644 --- a/src/eapol.c +++ b/src/eapol.c 
@@ -512,8 +512,7 @@ bool eapol_verify_ptk_2_of_4(const struct eapol_key *ek, bool ptk_complete) if (!ek->key_mic) return false; - if (ek->secure != ptk_complete) - return false; + L_WARN_ON(ek->secure != ptk_complete); if (ek->encrypted_key_data) return false;

From patchwork Wed Jan 11 20:15:42 2023
X-Patchwork-Submitter: James Prestwood
X-Patchwork-Id: 13097215
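Review bot: in PATCH 7/9's eapol_verify_ptk_2_of_4 hunk, `L_WARN_ON(ek->secure != ptk_complete)` relaxes both directions, including Secure=1 on the initial 2/4 from a peer that has no PTK yet; only Secure=0 during a rekey is the compatibility problem the commit message describes, so keep returning false for `ek->secure && !ptk_complete` and relax only the other branch. L_WARN_ON will also log on every retransmitted 2/4 from such a client; a one-time or rate-limited warning per station would keep the log usable on an AP with old wpa_supplicant peers.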
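The Secure-bit rule that PATCH 1/9 and PATCH 7/9 are about, as an added example (not iwd's code and not part of this series): a small C model of the EAPOL-Key Key Information field with the authenticator's 2/4 check in both the strict form (before PATCH 7/9: mismatch rejects) and the relaxed form (mismatch only warns), plus the supplicant-side builder decision PATCH 1/9 introduces. Bit positions follow the IEEE 802.11 EAPOL-Key Key Information layout; the key_info values used as input are constructed for this example, not captured frames, and the function names are the example's own.

```c
/*
 * Added example: model of the EAPOL-Key "Key Information" checks that
 * PATCH 1/9 and PATCH 7/9 change. Not iwd code. Bit positions are the
 * IEEE 802.11 EAPOL-Key Key Information layout; the sample key_info
 * values in main() are constructed, not captured.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define KI_VERSION_MASK  0x0007u    /* Key Descriptor Version, bits 0-2 */
#define KI_KEY_TYPE      (1u << 3)  /* 1 = pairwise (PTK) */
#define KI_INSTALL       (1u << 6)
#define KI_KEY_ACK       (1u << 7)
#define KI_KEY_MIC       (1u << 8)
#define KI_SECURE        (1u << 9)
#define KI_ENC_KEY_DATA  (1u << 12)

struct key_info {
	uint8_t version;
	bool pairwise, install, ack, mic, secure, encrypted;
};

enum verdict { VERDICT_ACCEPT, VERDICT_WARN, VERDICT_REJECT };

/* Key Information is sent big-endian, right after the descriptor type byte. */
static struct key_info parse_key_info(const uint8_t be[2])
{
	uint16_t v = (uint16_t)((be[0] << 8) | be[1]);
	struct key_info ki = {
		.version   = (uint8_t)(v & KI_VERSION_MASK),
		.pairwise  = (v & KI_KEY_TYPE) != 0,
		.install   = (v & KI_INSTALL) != 0,
		.ack       = (v & KI_KEY_ACK) != 0,
		.mic       = (v & KI_KEY_MIC) != 0,
		.secure    = (v & KI_SECURE) != 0,
		.encrypted = (v & KI_ENC_KEY_DATA) != 0,
	};
	return ki;
}

/*
 * Authenticator-side check of message 2/4. ptk_complete is true while a
 * PTK from an earlier handshake is installed, i.e. during a rekey, and
 * the Secure bit must mirror it. strict=true is the behaviour before
 * PATCH 7/9 (mismatch rejects); strict=false is the relaxed behaviour
 * (mismatch is only a warning). Every other malformed bit still rejects.
 */
static enum verdict verify_2_of_4(const struct key_info *ki, bool ptk_complete,
				  bool strict)
{
	if (!ki->pairwise || ki->install || ki->ack || !ki->mic || ki->encrypted)
		return VERDICT_REJECT;

	if (ki->secure != ptk_complete)
		return strict ? VERDICT_REJECT : VERDICT_WARN;

	return VERDICT_ACCEPT;
}

/* Supplicant-side builder: PATCH 1/9 makes the Secure bit depend on rekey. */
static uint16_t build_2_of_4_key_info(uint8_t version, bool rekey)
{
	uint16_t v = (uint16_t)((version & KI_VERSION_MASK) | KI_KEY_TYPE | KI_KEY_MIC);

	if (rekey)
		v |= KI_SECURE;

	return v;
}

/* Wire-format round trip: split into the two bytes as sent, then verify. */
static enum verdict check_2_of_4(uint16_t key_info, bool ptk_complete, bool strict)
{
	uint8_t be[2] = { (uint8_t)(key_info >> 8), (uint8_t)(key_info & 0xff) };
	struct key_info ki = parse_key_info(be);

	return verify_2_of_4(&ki, ptk_complete, strict);
}

int main(void)
{
	static const char *names[] = { "accept", "warn", "reject" };
	/* Constructed inputs: descriptor version 2, pairwise, MIC present. */
	const uint16_t initial_2_of_4 = 0x010a;  /* Secure=0, what old wpa_supplicant sends on rekey too */
	const uint16_t rekey_2_of_4 = 0x030a;    /* Secure=1 */
	const uint16_t msg_3_of_4 = 0x13ca;      /* Install|Ack|MIC|Secure|EncKeyData */

	printf("initial 2/4, no PTK, strict:         %s\n",
	       names[check_2_of_4(initial_2_of_4, false, true)]);
	printf("old supplicant rekey 2/4, strict:    %s\n",
	       names[check_2_of_4(initial_2_of_4, true, true)]);
	printf("old supplicant rekey 2/4, relaxed:   %s\n",
	       names[check_2_of_4(initial_2_of_4, true, false)]);
	printf("fixed rekey 2/4 matches 0x%04x:      %s\n", rekey_2_of_4,
	       build_2_of_4_key_info(2, true) == rekey_2_of_4 ? "yes" : "no");
	printf("fixed rekey 2/4, strict:             %s\n",
	       names[check_2_of_4(rekey_2_of_4, true, true)]);
	printf("3/4 presented as 2/4, relaxed:       %s\n",
	       names[check_2_of_4(msg_3_of_4, true, false)]);
	return 0;
}
```

The relaxed mode still rejects anything that is not shaped like a 2/4 (Install, Ack or Encrypted Key Data set, MIC missing); only the Secure/ptk_complete mismatch is downgraded, which is the scope of PATCH 7/9.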
From: James Prestwood
To: iwd@lists.linux.dev
Cc: James Prestwood
Subject: [PATCH 8/9] ap: support PTK rekeys
Date: Wed, 11 Jan 2023 12:15:42 -0800
Message-Id: <20230111201543.397692-8-prestwoj@gmail.com>
In-Reply-To: <20230111201543.397692-1-prestwoj@gmail.com>

This adds support for rekeys to AP mode. A single timer is used and reset to the next station needing a rekey. A default rekey timer of 600 seconds is used unless the profile sets a timeout.

--- src/ap.c | 114 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 114 insertions(+) diff --git a/src/ap.c b/src/ap.c index 1d937103..ef819724 100644 --- a/src/ap.c +++ b/src/ap.c @@ -60,6 +60,8 @@ #include "src/band.h" #include "src/common.h" +#define AP_DEFAULT_REKEY_SECONDS 600 + struct ap_state { struct netdev *netdev; struct l_genl_family *nl80211;
@@ -106,6 +108,9 @@ struct ap_state { struct l_dbus_message *scan_pending; struct l_queue *networks; + struct l_timeout *rekey_timeout; + unsigned int rekey_time; + bool started : 1; bool gtk_set : 1; bool netconfig_set_addr4 : 1; @@ -137,6 +142,7 @@ struct sta_state { bool wsc_v2; struct l_dhcp_lease *ip_alloc_lease; bool ip_alloc_sent; + uint64_t rekey_time; bool ht_support : 1; bool ht_greenfield : 1; @@ -345,6 +351,11 @@ static void ap_reset(struct ap_state *ap) l_queue_destroy(ap->networks, l_free); ap->networks = NULL; } + + if (ap->rekey_timeout) { + l_timeout_remove(ap->rekey_timeout); + ap->rekey_timeout = NULL; + } } static bool ap_event_done(struct ap_state *ap, bool prev_in_event) @@ -377,6 +388,8 @@ static bool ap_event(struct ap_state *ap, enum ap_event_type event, return ap_event_done(ap, prev); } +static void ap_reset_rekey_timeout(struct ap_state *ap); + static void ap_del_station(struct sta_state *sta, uint16_t reason, bool disassociate) { 
@@ -439,6 +452,89 @@ static void ap_del_station(struct sta_state *sta, uint16_t reason, ap_event_done(ap, prev); } + + ap_reset_rekey_timeout(ap); +} + +static void ap_start_rekey(struct ap_state *ap, struct sta_state *sta) +{ + l_debug("Rekey STA "MAC, MAC_STR(sta->addr)); + + eapol_start(sta->sm); +} + +static void ap_rekey_timeout(struct l_timeout *timeout, void *user_data) +{ + struct ap_state *ap = user_data; + + l_timeout_remove(timeout); + + ap_reset_rekey_timeout(ap); +} + +/* + * Used to initiate any rekeys which are due and reset the rekey timer to the + * next soonest station needing a rekey. + * + * TODO: Could adapt this to also take into account the next GTK rekey and + * service that as well. But GTK rekeys are not yet supported in AP mode. + */ +static void ap_reset_rekey_timeout(struct ap_state *ap) +{ + const struct l_queue_entry *e; + uint64_t now = l_time_now(); + uint64_t next = 0; + + if (!ap->rekey_time) + return; + + /* Find the station(s) that need a rekey and start it */ + for (e = l_queue_get_entries(ap->sta_states); e; e = e->next) { + struct sta_state *sta = e->data; + + if (!sta->associated || !sta->rsna) + continue; + + if (l_time_before(now, sta->rekey_time)) { + uint64_t diff = l_time_diff(now, sta->rekey_time); + + /* Finding the next rekey time */ + if (next < diff) + next = diff; + + continue; + } + + ap_start_rekey(ap, sta); + } + + /* + * Set the next rekey to the station needing it the soonest, or NULL + * if a single station and wait until the rekey is complete to reset + * the timer. + */ + if (next) + ap->rekey_timeout = l_timeout_create(l_time_to_secs(next), + ap_rekey_timeout, ap, NULL); + else + ap->rekey_timeout = NULL; +} + +static void ap_set_sta_rekey_timer(struct ap_state *ap, struct sta_state *sta) +{ + if (!ap->rekey_time) + return; + + sta->rekey_time = l_time_now() + ap->rekey_time - 1; + + /* + * First/only station authenticated, set rekey timer. 
Any more stations + * will just set their rekey time and be serviced by the single callback + */ + if (!ap->rekey_timeout) + ap->rekey_timeout = l_timeout_create( + l_time_to_secs(ap->rekey_time), + ap_rekey_timeout, ap, NULL); } static bool ap_sta_match_addr(const void *a, const void *b) @@ -479,6 +575,8 @@ static void ap_new_rsna(struct sta_state *sta) sta->rsna = true; + ap_set_sta_rekey_timer(ap, sta); + event_data.mac = sta->addr; event_data.assoc_ies = sta->assoc_ies; event_data.assoc_ies_len = sta->assoc_ies_len; @@ -1372,6 +1470,9 @@ static void ap_handshake_event(struct handshake_state *hs, sta->hs->go_ip_addr = IP4_FROM_STR(own_addr_str); break; } + case HANDSHAKE_EVENT_REKEY_COMPLETE: + ap_set_sta_rekey_timer(ap, sta); + return; default: break; } 
@@ -3628,6 +3729,19 @@ static int ap_load_config(struct ap_state *ap, const struct l_settings *config, l_strfreev(strvval); } + if (l_settings_has_key(config, "General", "RekeyTimeout")) { + unsigned int uintval; + + if (!l_settings_get_uint(config, "General", + "RekeyTimeout", &uintval)) { + l_error("AP [General].RekeyTimeout is not valid"); + return -EINVAL; + } + + ap->rekey_time = uintval * L_USEC_PER_SEC; + } else + ap->rekey_time = AP_DEFAULT_REKEY_SECONDS * L_USEC_PER_SEC; + /* * Since 5GHz won't ever support only CCK rates we can ignore this * setting on that band. From patchwork Wed Jan 11 20:15:43 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: James Prestwood X-Patchwork-Id: 13097216 Received: from mail-pj1-f45.google.com (mail-pj1-f45.google.com [209.85.216.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id F0C14BD02 for ; Wed, 11 Jan 2023 20:15:56 +0000 (UTC) Received: by mail-pj1-f45.google.com with SMTP id m7-20020a17090a730700b00225ebb9cd01so21237605pjk.3 for ; Wed, 11 Jan 2023 12:15:56 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=XOA1KJtJe0EYrXWOZX9o8wFbgdeUO4B/DZqAfRPT/Pw=; b=eq/SFB7ZjLhoMbOum9o9kVAQU8htNtdvVOa0IW8ZiSWR/syGjEJHuc5fdut6/xG3+/ sHU6fw7fmj0mEizkTxAkRQsWbcDJRHTrRYtSzUPw0rYjINJYlFg+RJPMsvfzvO2C9Hjv 2zQAFxPmtH++43HfmMRf8U3OrD8k9MRf2O3eZb3U/qCAryvCltCQRpMw8KmoYCgX5/kC Ud3CKjslOg2pG9gsLjYkvI69UawZ13+roKdCXK+mpvBEoHAxZ1E+IkQ72KHewhxDi7TX QMP5oVRYJ5fZtNshgQsulsS97OZkco0kLjwEB/ln/Yy/4jbm5m5dCnAFoBVo3adaTc20 ROBQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to 
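Review bot: in the `@@ -439,6 +452,89 @@` hunk, ap_reset_rekey_timeout() arms the timer for the wrong station: `if (next < diff) next = diff;` keeps the largest remaining interval, so the timer fires for the station furthest from its rekey rather than the soonest one that the comments promise, and every other station is rekeyed late. Keep the minimum instead, e.g. `if (!next || diff < next) next = diff;`. Second, the function assigns `ap->rekey_timeout = l_timeout_create(...)` (or NULL) without removing an existing timer. From ap_rekey_timeout() that is fine because the callback removes `timeout` first, but ap_del_station() now calls ap_reset_rekey_timeout() directly while the timer is normally still armed, so the previous l_timeout is leaked and keeps running, and when it fires ap_rekey_timeout() removes that stale timer and overwrites ap->rekey_timeout a second time. Removing `ap->rekey_timeout` at the top of ap_reset_rekey_timeout() (or using l_timeout_modify() on the existing timer) keeps a single live timer. Finally, `l_time_to_secs(next)` rounds the remaining interval down, so a station with under a second left yields a zero-second timer; l_timeout_create_ms() on the microsecond value, or rounding up, avoids that edge.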
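Review bot: in the `@@ -1372,6 +1470,9 @@` hunk the new `case HANDSHAKE_EVENT_REKEY_COMPLETE:` ends in `return` while the neighbouring cases `break`; if anything after the switch is expected to run for every handshake event, a rekey completion now skips it. Unless that is intended, `break` is the consistent choice, and either way the intent deserves a one-line comment.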
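Review bot: in the `@@ -3628,6 +3729,19 @@` hunk, `ap->rekey_time = uintval * L_USEC_PER_SEC;` stores a microsecond value into the `unsigned int rekey_time` added to struct ap_state in the `@@ -106,6 +108,9 @@` hunk, so any RekeyTimeout above about 4294 seconds wraps modulo 2^32 and silently produces a far shorter interval (4295 seconds becomes roughly 33 ms), while the per-station `sta_state.rekey_time` is already uint64_t. Make the ap_state field uint64_t as well, or reject values that would overflow before converting, and document the accepted range.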
From: James Prestwood
To: iwd@lists.linux.dev
Cc: James Prestwood
Subject: [PATCH 9/9] doc: Document RekeyTimeout for AP profiles
Date: Wed, 11 Jan 2023 12:15:43 -0800
Message-Id: <20230111201543.397692-9-prestwoj@gmail.com>
X-Mailer: git-send-email 2.34.3
In-Reply-To: <20230111201543.397692-1-prestwoj@gmail.com>
References: <20230111201543.397692-1-prestwoj@gmail.com>
Precedence: bulk
X-Mailing-List: iwd@lists.linux.dev
List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0
---
src/iwd.ap.rst | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/iwd.ap.rst b/src/iwd.ap.rst
index 823aba99..ce402f91 100644
--- a/src/iwd.ap.rst
+++ b/src/iwd.ap.rst
@@ -67,6 +67,13 @@ The group ``[General]`` contains general AP configuration. ensure the country is set, and that the desired frequency/channel is unrestricted. + * - RekeyTimeout + - Timeout for PTK rekeys (seconds) + + The time interval at which the AP starts a rekey for a given station. If + not provided a default value of 600 seconds is used. A value of 0 will + disable PTK rekeys completely. + Network Authentication Settings -------------------------------
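Review bot: the `@@ -67,6 +67,13 @@` hunk describes RekeyTimeout as "the time interval at which the AP starts a rekey for a given station", which leaves open what the interval is measured from. In the accompanying ap.c change the per-station timer is set in ap_new_rsna() and again on HANDSHAKE_EVENT_REKEY_COMPLETE, i.e. it counts from that station's last completed 4-way handshake, not from AP start or from a global tick. Suggested wording for the description line: "Interval, measured from the station's last completed handshake, after which the AP initiates a PTK rekey for that station."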