From: KeithG <ys3al35l@gmail.com>
To: James Prestwood <prestwoj@gmail.com>
Cc: John Brandt <brandtwjohn@gmail.com>, iwd@lists.linux.dev
Subject: Re: [PATCH 00/11] Basic SAE support for AP mode
Date: Tue, 30 Apr 2024 18:27:14 -0500
Message-ID: <CAG17S_Mw90_LsvHdWix0hhfFAZG3V6_7-hPDJc=DCU72ckOekA@mail.gmail.com>
In-Reply-To: <6d9bac04-4522-49b3-879c-809b7e4f533f@gmail.com>

James,

When this is ready to go, I can test on my Pis...

Just need to know how to tell AP mode how to use wpa3/sae

Keith

On Mon, Apr 29, 2024 at 7:04 AM James Prestwood <prestwoj@gmail.com> wrote:
>
> Hi John,
>
> On 4/28/24 5:04 PM, John Brandt wrote:
> >
> >
> > On 4/24/24 05:07, James Prestwood wrote:
> >>
> >> On 4/22/24 6:52 AM, James Prestwood wrote:
> >>> Hi John,
> >>>
> >>> On 4/21/24 5:50 AM, John Brandt wrote:
> >>>> This set of patches adds basic SAE support for IWD in AP mode. It has
> >>>> been tested by connecting to IWD AP using wpa_supplicant. Note that this
> >>>> does not yet correspond to WPA3, since WPA3 would also require the
> >>>> support of Management Frame Protection.
> >>>>
> >>>> Normal client functionality has also been confirmed to still work. After
> >>>> applying these patches it remains possible for IWD client to connect to
> >>>> WPA3/SAE network.
> >>>>
> >>>> Remaining TODOs are to include better sanity-checking of received frames.
> >>>
> >>> I took a quick pass and I'm impressed you took the initiative to
> >>> implement this. I do need to take a closer look from the spec side
> >>> of things but overall it looks good.
> >>>
> >>> Assuming we are compliant with the spec my only concern merging this
> >>> would be the TODOs. You do mention this is experimental and certain
> >>> checks are not done, but you'd be surprised at the number of people
> >>> using IWD in AP mode. The minute we merge this we're going to have
> >>> people using it, which in its current form would be insecure. I
> >>> think we first need to get the frame verification implemented as
> >>> well as MFP. But anyways, this is a good start and I'll give it a
> >>> full review when I have some time, hopefully this week.
> >>>
> >>> Thanks,
> >>>
> >>> James
> >>
> >> Reviewed. I also forgot to mention the CI we have showed test-sae
> >> failed after your patches, so that will need to be addressed as well.
> >> I keep getting reminded I need to also email the patch submitter.
> >>
> >> Thanks,
> >>
> >> James
> >
> > Thanks, I've mostly incorporated the feedback, and also added extra
> > frame checks. I can post the v2 version later this week.
> >
> > I'm unsure whether I'll also have the time to experiment with MFP.
> > Maybe it's possible to already add SAE support without yet mentioning
> > WPA3 for the AP mode?
>
> MFP may be sort of automatic, it is for station mode. All IWD does is
> some minimal validation since it has an explicit profile setting to
> enable/disable/require MFP. It also checks the cipher support related to
> MFP. But I think for AP mode all you'd need to do is ensure that
> connecting stations are capable of MFP when connecting via WPA3. And set
> the proper bits in the RSNE.
>
> Thanks,
>
> James
>
> >
> >>>
> >>>>
> >>>> John Brandt (11):
> >>>>    ap: ability to advertise PSK and SAE
> >>>>    ap: accept PSK/SAE in auth depending on config
> >>>>    sae: add function sae_set_group
> >>>>    sae: refactor and add function sae_calculate_keys
> >>>>    sae: make sae_process_commit callable in AP mode
> >>>>    sae: verify offered group in AP mode
> >>>>    sae: support reception of Confirm frame by AP
> >>>>    ap: add support to handle SAE authentication
> >>>>    ap: enable start of 4-way HS after SAE
> >>>>    eapol: support PTK derivation with SHA256
> >>>>    eapol: encrypt key data for AKM-defined ciphers
> >>>>
> >>>>   src/ap.c    | 135 +++++++++++++++++++++++++++++++++-------
> >>>>   src/eapol.c |  58 ++++++++++++-----
> >>>>   src/sae.c   | 175 +++++++++++++++++++++++++++++++++-------------------
> >>>>   3 files changed, 265 insertions(+), 103 deletions(-)
> >>>>
>

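James's reply above sketches what the AP side needs for MFP: confirm that a station connecting via SAE is MFP capable, and set the right bits in the RSNE. The cover letter's remaining TODO is better sanity checking of received frames. The following C is an added example written for this page, not iwd's code and not part of any patch in the thread. It parses the RSNE a station sends in its (Re)Association Request with explicit length checks, then applies an admission policy: exactly one AKM that the AP is configured for, CCMP as the sole pairwise cipher, and the MFPC bit set whenever the station selected SAE or the AP is configured to require MFP. The element id 48, the 00-0F-AC suite types (PSK 2, SAE 8, CCMP 4) and the MFPC/MFPR bit positions (7 and 6 of RSN Capabilities) come from IEEE 802.11; the function names, `struct rsn_info`, the verdict codes and the policy itself are this example's own assumptions.

```c
/* Added example, not iwd code: bounds-checked RSNE parsing and an assumed
 * AP-side PSK/SAE/MFP admission check on a station's RSNE. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IE_RSN       48
#define RSN_CAP_MFPR (1u << 6)		/* RSN Capabilities bit 6: MFP Required */
#define RSN_CAP_MFPC (1u << 7)		/* RSN Capabilities bit 7: MFP Capable */
#define CIPHER_CCMP  4			/* suite types under OUI 00-0F-AC */
#define AKM_PSK      2
#define AKM_SAE      8

struct rsn_info {
	uint32_t group_cipher;		/* suite type of the group data cipher */
	uint32_t pairwise_mask;		/* bit n set when pairwise suite type n is listed */
	uint32_t akm_mask;		/* bit n set when AKM suite type n is listed */
	uint16_t capabilities;		/* RSN Capabilities; 0 when the field is absent */
};

enum rsn_verdict { RSN_OK = 0, RSN_MALFORMED, RSN_AKM_REJECTED, RSN_CIPHER_REJECTED, RSN_MFP_REQUIRED };

static uint16_t get_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Suite type of an 00-0F-AC selector; vendor selectors yield -1 and are ignored. */
static int suite_type(const uint8_t *sel)
{
	static const uint8_t oui[3] = { 0x00, 0x0f, 0xac };
	return memcmp(sel, oui, 3) == 0 ? sel[3] : -1;
}

/* One suite list (2-byte count, 4-byte selectors), never reading past *plen. */
static bool parse_suite_list(const uint8_t **pp, size_t *plen, uint32_t *mask)
{
	size_t count, i;
	if (*plen < 2)
		return false;
	count = get_le16(*pp);
	*pp += 2; *plen -= 2;
	if (count > *plen / 4)		/* division cannot overflow the way count * 4 can */
		return false;
	for (i = 0; i < count; i++, *pp += 4, *plen -= 4) {
		int t = suite_type(*pp);
		if (t >= 0 && t < 32)
			*mask |= 1u << t;
	}
	return true;
}

/* Parses an RSNE (element id 48); any length inconsistency is rejected. Version and
 * group cipher are mandatory, later fields optional but never truncated mid-field. */
bool rsne_parse(const uint8_t *ie, size_t ie_len, struct rsn_info *out)
{
	const uint8_t *p;
	size_t len;
	int t;
	memset(out, 0, sizeof(*out));
	if (ie_len < 2 || ie[0] != IE_RSN || (size_t)ie[1] + 2 != ie_len)
		return false;
	p = ie + 2; len = ie[1];
	if (len < 6 || get_le16(p) != 1 || (t = suite_type(p + 2)) < 0)
		return false;
	out->group_cipher = (uint32_t)t;
	p += 6; len -= 6;
	if (len == 0) return true;
	if (!parse_suite_list(&p, &len, &out->pairwise_mask)) return false;
	if (len == 0) return true;
	if (!parse_suite_list(&p, &len, &out->akm_mask)) return false;
	if (len == 0) return true;
	if (len < 2) return false;
	out->capabilities = get_le16(p);
	return true;	/* PMKID list and group management cipher may follow; not needed here */
}

/* Assumed admission policy for this example (not iwd's): exactly one AKM the AP is
 * configured for, CCMP as the sole pairwise cipher, and MFPC set whenever the
 * station selects SAE or the AP is configured to require MFP. */
enum rsn_verdict ap_check_sta_rsne(const uint8_t *ie, size_t ie_len,
				   bool ap_psk, bool ap_sae, bool ap_mfp_required)
{
	struct rsn_info ri;
	bool sae, psk;
	if (!rsne_parse(ie, ie_len, &ri))
		return RSN_MALFORMED;
	sae = ri.akm_mask == (1u << AKM_SAE);
	psk = ri.akm_mask == (1u << AKM_PSK);
	if (!(sae && ap_sae) && !(psk && ap_psk))
		return RSN_AKM_REJECTED;
	if (ri.pairwise_mask != (1u << CIPHER_CCMP))
		return RSN_CIPHER_REJECTED;
	if ((sae || ap_mfp_required) && !(ri.capabilities & RSN_CAP_MFPC))
		return RSN_MFP_REQUIRED;
	return RSN_OK;
}
```

The parser treats every count field as untrusted: the suite-list count is compared against the remaining bytes with a division rather than a multiplication, and a declared element length that disagrees with the buffer length is rejected outright instead of being clamped. Mapping each verdict to an 802.11 status code in the Association Response is left to the caller.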
Thread overview: 23+ messages
2024-04-21 12:50 [PATCH 00/11] Basic SAE support for AP mode John Brandt
2024-04-21 12:50 ` [PATCH 01/11] ap: ability to advertise PSK and SAE John Brandt
2024-04-21 12:50 ` [PATCH 02/11] ap: accept PSK/SAE in auth depending on config John Brandt
2024-04-24 12:05   ` James Prestwood
2024-04-21 12:50 ` [PATCH 03/11] sae: add function sae_set_group John Brandt
2024-04-24 12:05   ` James Prestwood
2024-04-21 12:50 ` [PATCH 04/11] sae: refactor and add function sae_calculate_keys John Brandt
2024-04-24 12:06   ` James Prestwood
2024-04-21 12:50 ` [PATCH 05/11] sae: make sae_process_commit callable in AP mode John Brandt
2024-04-24 12:08   ` James Prestwood
2024-04-21 12:50 ` [PATCH 06/11] sae: verify offered group " John Brandt
2024-04-21 12:50 ` [PATCH 07/11] sae: support reception of Confirm frame by AP John Brandt
2024-04-24 12:08   ` James Prestwood
2024-04-21 12:50 ` [PATCH 08/11] ap: add support to handle SAE authentication John Brandt
2024-04-24 12:06   ` James Prestwood
2024-04-21 12:50 ` [PATCH 09/11] ap: enable start of 4-way HS after SAE John Brandt
2024-04-21 12:50 ` [PATCH 10/11] eapol: support PTK derivation with SHA256 John Brandt
2024-04-21 12:50 ` [PATCH 11/11] eapol: encrypt key data for AKM-defined ciphers John Brandt
2024-04-22 13:52 ` [PATCH 00/11] Basic SAE support for AP mode James Prestwood
2024-04-24 12:07   ` James Prestwood
2024-04-29  0:04     ` John Brandt
2024-04-29 12:00       ` James Prestwood
2024-04-30 23:27         ` KeithG [this message]
