[PW_SID:850639] Basic WPA3 support in AP mode #342
base: workflow
This is taken care of by the individual cache items and if none exist, tar fails.
Add the configuration option AKMSuites under Security so it becomes possible to support both PSK and SAE. This influences the advertised AKMs in the beacon.
On reception of an authentication frame, accept both PSK and SAE as AKM depending on the config. Save the client's AKM for later use.
Don't mark either client as being the authenticator. In the current unit tests, both instances act as clients to test functionality. This ensures the unit does not show an error during the following commits where SAE for AP mode is added.
Refactor code by adding function sae_set_group. This will make the next commits easier where basic SAE support for APs is added.
Refactor code by moving code to the new function sae_calculate_keys. This will make it easier in the next commits to add SAE support for AP mode.
As an AP, the function sae_process_commit will pick the group offered by the client. In a subsequent commit the offered group will first be verified before calling sae_process_commit. The AP will reply with a Commit frame, calculate current keys, and move to the COMMITTED state.
When receiving a Commit frame in AP mode, first verify that we support the offered group before further processing the frame.
Experimental AP-mode support for receiving a Confirm frame when in the COMMITTED state. The AP will reply with a Confirm frame. Note that when acting as an AP, on reception of a Commit frame, the AP only replies with a Commit frame. The protocol also allows already sending the Confirm frame, but older clients may not support simultaneously receiving a Commit and Confirm frame.
When the client requests SAE authentication, and it is enabled, allocate an auth_proto instance to handle SAE authentication. This also adds a new function to send SAE frames in AP mode that can be used by the auth_proto instance.
Accept association frames that request SAE if SAE is enabled by the AP. When SAE is being used, get the PMK as negotiated by SAE.
Support PTK derivation in case the negotiated AKM requires SHA256. This is needed to support SAE in AP mode.
Support encrypting key data when the cipher is AKM-defined. This is needed to support SAE in AP mode.
Add unit test that simulates client and AP in SAE handshake. Test that both the client and AP complete the SAE handshake.
When wanting to use SAE, confirm that MFP is also supported, and automatically enable MFP. Advertise as MFP capable in the beacon.
To add MFP support in the AP mode, add utility functions to save the IGTK and to add the IGTK to handshake messages.
When SAE with MFP is being used, include the IGTK in message 3 of the 4-way handshake.
When using MFP, generate the IGTK group key on startup, and install it for use. When installing the IGTK, which has either key index 4 or 5, use the appropriate NL80211 flags so it is installed properly.
When a client is connecting, remember whether it supports MFP, and if so, propagate the IGTK to the handshake. Also get the current Receive Sequence Counter (RSC) of the IGTK and propagate it to the handshake.
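The AP-side frame ordering described in the SAE commits above (verify the offered group first, answer a Commit with a Commit only, answer a Confirm only in the COMMITTED state), as an added sketch that is not code from this PR or from iwd. All type and function names, the enabled-group table and the `confirm_valid` input are assumptions; the key calculation and confirm verification are left to the caller.

```c
/* Added sketch, not iwd code: all names and the enabled-group table are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum sae_state { SAE_NOTHING, SAE_COMMITTED, SAE_ACCEPTED };
enum sae_reply { REPLY_NONE, REPLY_COMMIT, REPLY_CONFIRM, REPLY_REJECT };
#define STATUS_UNSUPPORTED_GROUP 77 /* 802.11 status code for an unsupported group */

struct ap_sae { enum sae_state state; uint16_t group; uint16_t status; };

/* Assumed AP policy: ECC groups 19 (P-256) and 20 (P-384), with prime length in bytes. */
static const struct { uint16_t id; size_t prime_len; } ap_groups[] = { {19, 32}, {20, 48} };

/* Commit body: 2-byte little-endian group, then scalar (n) and element (2n). */
enum sae_reply ap_sae_rx_commit(struct ap_sae *sm, const uint8_t *body, size_t len)
{
	sm->status = 0;
	if (sm->state != SAE_NOTHING || len < 2)
		return REPLY_NONE;                      /* out of order or truncated */
	uint16_t group = (uint16_t)(body[0] | (body[1] << 8));
	for (size_t i = 0; i < sizeof(ap_groups) / sizeof(ap_groups[0]); i++) {
		if (ap_groups[i].id != group)
			continue;
		if (len < 2 + 3 * ap_groups[i].prime_len)
			return REPLY_NONE;                  /* too short for scalar + element */
		sm->group = group;                      /* AP adopts the client's group */
		sm->state = SAE_COMMITTED;
		return REPLY_COMMIT;                    /* Commit only; Confirm comes later */
	}
	sm->status = STATUS_UNSUPPORTED_GROUP;      /* rejected before any key math */
	return REPLY_REJECT;
}

/* confirm_valid is the result of the caller's confirm-field verification. */
enum sae_reply ap_sae_rx_confirm(struct ap_sae *sm, int confirm_valid)
{
	if (sm->state != SAE_COMMITTED || !confirm_valid)
		return REPLY_NONE;
	sm->state = SAE_ACCEPTED;
	return REPLY_CONFIRM;
}

int main(void)
{
	uint8_t commit[2 + 96] = { 19, 0 };         /* constructed: group 19, zero payload */
	struct ap_sae sm = { SAE_NOTHING, 0, 0 };
	printf("commit -> %d\n", ap_sae_rx_commit(&sm, commit, sizeof(commit)));
	printf("confirm -> %d\n", ap_sae_rx_confirm(&sm, 1));
	return 0;
}
```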
Add the configuration option AKMSuites under Security so it becomes
possible to support both PSK and SAE. This influences the advertised
AKMs in the beacon.
src/ap.c | 26 +++++++++++++++++++++++++-
1 file changed, 25 insertions(+), 1 deletion(-)