* [PATCH 9/9] eapol: netdev: allow rekeys using FT-FILS
@ 2021-09-28 21:27 James Prestwood
  0 siblings, 0 replies; only message in thread
From: James Prestwood @ 2021-09-28 21:27 UTC (permalink / raw)
  To: iwd

[-- Attachment #1: Type: text/plain, Size: 2677 bytes --]

Rekeying was overlooked when FT-FILS was implemented: there were
many places where the AKM was never checked, so the rekey was
failing.
---
 src/eapol.c  | 16 ++++++++++++++--
 src/netdev.c |  5 +----
 2 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/src/eapol.c b/src/eapol.c
index f0b26ea0..721ffc8d 100644
--- a/src/eapol.c
+++ b/src/eapol.c
@@ -231,6 +231,11 @@ static size_t eapol_get_mic_length(enum ie_rsn_akm_suite akm, size_t pmk_len)
 			l_error("Invalid PMK length of %zu for OWE", pmk_len);
 			return 0;
 		}
+	case IE_RSN_AKM_SUITE_FILS_SHA256:
+	case IE_RSN_AKM_SUITE_FILS_SHA384:
+	case IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256:
+	case IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384:
+		return 0;
 	default:
 		return 16;
 	}
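Review bot: The new FILS and FT-FILS cases return 0, the same value the OWE branch directly above returns after logging an invalid PMK length, so a caller of eapol_get_mic_length() cannot tell "this AKM carries no MIC field" from "error". The callers are outside this hunk, so it is worth confirming that none of them treats 0 as failure (which would reject FT-FILS frames) or accepts the OWE error path as a valid zero-length MIC. At minimum the cases need a comment stating that zero is deliberate, for example `/* FILS AKMs protect EAPOL-Key frames with AEAD, so there is no MIC field */`. The function body starts above the hunk.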
@@ -254,6 +259,8 @@ uint8_t *eapol_decrypt_key_data(enum ie_rsn_akm_suite akm, const uint8_t *kek,
 		switch (akm) {
 		case IE_RSN_AKM_SUITE_FILS_SHA256:
 		case IE_RSN_AKM_SUITE_FILS_SHA384:
+		case IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256:
+		case IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384:
 			if (key_data_len < 16)
 				return NULL;
 
@@ -329,13 +336,16 @@ uint8_t *eapol_decrypt_key_data(enum ie_rsn_akm_suite akm, const uint8_t *kek,
 			break;
 		case IE_RSN_AKM_SUITE_FILS_SHA256:
 		case IE_RSN_AKM_SUITE_FILS_SHA384:
+		case IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256:
+		case IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384:
 		{
 			struct iovec ad[1];
 
 			ad[0].iov_base = (void *)frame;
 			ad[0].iov_len = key_data - (const uint8_t *)frame;
 
-			if (akm == IE_RSN_AKM_SUITE_FILS_SHA256)
+			if (akm == IE_RSN_AKM_SUITE_FILS_SHA256 || akm ==
+					IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256)
 				kek_len = 32;
 			else
 				kek_len = 64;
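Review bot: The KEK length is chosen by an if/else on `akm` inside a case that already lists the four suites, so the `else` assigns 64 to anything that is not one of the two SHA256 AKMs, including any suite later added to these labels. Giving the SHA256 pair and the SHA384 pair their own labels would make each length explicit and let the compiler flag an unhandled suite. If the if/else stays, the wrap after `akm ==` hides the second comparison; `if (akm == IE_RSN_AKM_SUITE_FILS_SHA256 ||` followed by `akm == IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256)` reads more clearly. The same two labels are added at the `key_data_len < 16` check in the previous hunk, where a short comment naming what the 16 bytes are would help. eapol_decrypt_key_data() starts and ends outside both hunks.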
@@ -1223,7 +1233,9 @@ static void eapol_handle_ptk_1_of_4(struct eapol_sm *sm,
 	if (sm->handshake->akm_suite &
 			(IE_RSN_AKM_SUITE_FT_OVER_8021X |
 			 IE_RSN_AKM_SUITE_FT_USING_PSK |
-			 IE_RSN_AKM_SUITE_FT_OVER_SAE_SHA256)) {
+			 IE_RSN_AKM_SUITE_FT_OVER_SAE_SHA256 |
+			 IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256 |
+			 IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384)) {
 		/*
 		 * Rebuild the RSNE to include the PMKR1Name and append
 		 * MDE + FTE.
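Review bot: The set of FT AKMs is open-coded in this condition in eapol_handle_ptk_1_of_4(), and the commit message says the FT-FILS suites were missed in many such places. A single predicate or mask constant for "is an FT AKM", shared by every FT check, would keep the next new FT suite from being missed in the same way. Until then, a comment on the mask would help, such as `/* every FT AKM must be listed here, otherwise the RSNE is sent without PMKR1Name, MDE and FTE */`. The block continues past the end of the hunk.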
diff --git a/src/netdev.c b/src/netdev.c
index 603c339d..01cc8477 100644
--- a/src/netdev.c
+++ b/src/netdev.c
@@ -2565,10 +2565,7 @@ process_resp_ies:
 			netdev->owe_sm = NULL;
 		}
 
-		/* FILS handles its own FT key derivation */
-		if (fte && !(netdev->handshake->akm_suite &
-				(IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256 |
-				IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384))) {
+		if (fte) {
 			uint32_t kck_len =
 				handshake_state_get_kck_len(netdev->handshake);
 			/*
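Review bot: Dropping the FT-FILS exclusion changes the association-response path under `process_resp_ies`, not only rekeys, and the deleted `/* FILS handles its own FT key derivation */` was the only record of why the FTE block used to be skipped. With `if (fte)` alone, the FTE handling that follows now runs for the FT-FILS AKMs using the result of `handshake_state_get_kck_len()`. Neither that helper nor the rest of the block is visible here, so please confirm that the KCK length and key are valid for the FILS suites at this point and that FT keys are not derived a second time. A replacement comment stating the new intent would help, such as `/* FT-FILS takes the same FTE validation path as the other FT AKMs */`.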
-- 
2.31.1
