From: Denis Kenzior <denkenz@gmail.com>
To: James Prestwood <prestwoj@gmail.com>, iwd@lists.linux.dev
Subject: Re: [PATCH v3 1/4] network: add support for SAE password identifiers
Date: Wed, 13 Dec 2023 10:05:39 -0600 [thread overview]
Message-ID: <04898517-9cc0-4dc7-8e65-7f4b2335e3fb@gmail.com> (raw)
In-Reply-To: <20231207140049.2614514-1-prestwoj@gmail.com>
Hi James,
On 12/7/23 08:00, James Prestwood wrote:
> Adds a new network profile setting [Security].PasswordIdentifier.
> When set (and the BSS enables SAE password identifiers) the network
> and handshake object will read this and use it for the SAE
> exchange.
>
> Loading the PSK will fail if:
> - there is no password identifier set and the BSS sets the
> "exclusive" bit.
> - there is a password identifier set and the BSS does not set
> the "in-use" bit.
> ---
> src/network.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++++-
> 1 file changed, 48 insertions(+), 1 deletion(-)
>
> v3:
> * fix outdated commit description
>
> diff --git a/src/network.c b/src/network.c
> index 79f964b2..70a5434b 100644
> --- a/src/network.c
> +++ b/src/network.c
<snip>
> @@ -641,6 +657,31 @@ static int network_load_psk(struct network *network, struct scan_bss *bss)
> psk_len = 0;
> }
>
> + if (is_sae) {
> + /*
> + * Fail if:
> + * - the BSS exclusively uses password IDs and the profile
> + * does not have one set.
> + * - the BSS does not use password IDs and the profile has
> + * one set.
> + *
> + * In theory you could have a network with a mix of BSS's that
> + * use IDs and those that don't, but this is a strange
> + * configuration (arguably broken).
> + */
> + if (bss->sae_pw_id_exclusive && !password_id) {
> + l_error("[Security].PasswordIdentifier is not set but "
> + "BSS requires SAE password identifiers");
> + return -ENOKEY;
> + }
> +
> + if (!bss->sae_pw_id_used && password_id) {
> + l_debug("[Security].PasswordIdentifier set but BSS "
> + "does not not use password identifiers");
> + return -ENOKEY;
> + }
So I thought the plan was to check this at handshake build time, not here?
> + }
> +
> /* PSK can be generated from the passphrase but not the other way */
> if (!psk || is_sae) {
> if (!passphrase)
Regards,
-Denis
prev parent reply other threads:[~2023-12-13 16:05 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-12-07 14:00 [PATCH v3 1/4] network: add support for SAE password identifiers James Prestwood
2023-12-07 14:00 ` [PATCH v3 2/4] doc: document [Security].PasswordIdentifier James Prestwood
2023-12-07 14:00 ` [PATCH v3 3/4] auto-t: add H2E password identifier test James Prestwood
2023-12-07 14:00 ` [PATCH v3 4/4] auto-t: throw exception if executable is missing James Prestwood
2023-12-13 16:05 ` Denis Kenzior [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=04898517-9cc0-4dc7-8e65-7f4b2335e3fb@gmail.com \
--to=denkenz@gmail.com \
--cc=iwd@lists.linux.dev \
--cc=prestwoj@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).