Re: [PATCH 5/8] cfg80211: Add KEK/nonces for FILS association frames

[PATCH 5/8] cfg80211: Add KEK/nonces for FILS association frames · Jouni Malinen <hidden> · 2016-10-25
[PATCH 7/8] mac80211: FILS AEAD protection for station mode association frames · Jouni Malinen <hidden> · 2016-10-25
Re: [PATCH 7/8] mac80211: FILS AEAD protection for station mode association frames · Johannes Berg <johannes@sipsolutions.net> · 2016-10-26
Re: [PATCH 7/8] mac80211: FILS AEAD protection for station mode association frames · Malinen, Jouni <hidden> · 2016-10-26
[PATCH 6/8] mac80211: Add FILS auth alg mapping · Jouni Malinen <hidden> · 2016-10-25
[PATCH 8/8] mac80211: Claim Fast Initial Link Setup (FILS) support · Jouni Malinen <hidden> · 2016-10-25
Re: [PATCH 8/8] mac80211: Claim Fast Initial Link Setup (FILS) support · Johannes Berg <johannes@sipsolutions.net> · 2016-10-26
Re: [PATCH 8/8] mac80211: Claim Fast Initial Link Setup (FILS) support · Malinen, Jouni <hidden> · 2016-10-26
Re: [PATCH 8/8] mac80211: Claim Fast Initial Link Setup (FILS) support · Johannes Berg <johannes@sipsolutions.net> · 2016-10-26
Re: [PATCH 5/8] cfg80211: Add KEK/nonces for FILS association frames · Johannes Berg <johannes@sipsolutions.net> · 2016-10-26
Re: [PATCH 5/8] cfg80211: Add KEK/nonces for FILS association frames · Malinen, Jouni <hidden> · 2016-10-26

From: Johannes Berg <johannes@sipsolutions.net>
Date: 2016-10-26 05:36:32

+++ b/net/wireless/nl80211.c

@@ -414,6 +414,10 @@ enum nl80211_multicast_groups {

 	[NL80211_ATTR_NAN_MASTER_PREF] = { .type = NLA_U8 },
 	[NL80211_ATTR_NAN_DUAL] = { .type = NLA_U8 },
 	[NL80211_ATTR_NAN_FUNC] = { .type = NLA_NESTED },
+	[NL80211_ATTR_FILS_KEK] = { .type = NLA_BINARY,
+				    .len = FILS_MAX_KEK_LEN },
+	[NL80211_ATTR_FILS_NONCES] = { .type = NLA_BINARY,
+				       .len = 2 * FILS_NONCE_LEN },
 };

If you remove the type = NLA_BINARY and just leave the type zero, then
you'll get *minimum* length validation, rather than limiting the
maximum length. That seems more appropriate for the nonces?

+	if (info->attrs[NL80211_ATTR_FILS_NONCES]) {
+		if (nla_len(info->attrs[NL80211_ATTR_FILS_NONCES])
!=
+		    2 * FILS_NONCE_LEN)
+			return -EINVAL;

You're validating the *exact* length here, which unfortunately nlattr
doesn't support right now, but perhaps we can live with checking that
it's at least that many bytes, and using only 2*nonces? We do that for
most other attributes (like MAC addresses).

Or do we expect to extend this to more than 2 nonces in the future, at
which point we'll need the length?

johannes

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help