* [PATCH 9/9] eapol: netdev: allow rekeys using FT-FILS
@ 2021-09-28 21:27 James Prestwood
From: James Prestwood @ 2021-09-28 21:27 UTC (permalink / raw)
To: iwd
Rekeying was overlooked when implementing FT-FILS and there were
many places where the AKM was never checked and the rekey was
failing.
---
src/eapol.c | 16 ++++++++++++++--
src/netdev.c | 5 +----
2 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/src/eapol.c b/src/eapol.c
index f0b26ea0..721ffc8d 100644
--- a/src/eapol.c
+++ b/src/eapol.c
@@ -231,6 +231,11 @@ static size_t eapol_get_mic_length(enum ie_rsn_akm_suite akm, size_t pmk_len)
l_error("Invalid PMK length of %zu for OWE", pmk_len);
return 0;
}
+ case IE_RSN_AKM_SUITE_FILS_SHA256:
+ case IE_RSN_AKM_SUITE_FILS_SHA384:
+ case IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256:
+ case IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384:
+ return 0;
default:
return 16;
}
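Review bot: The new FILS and FT-FILS cases return 0 from eapol_get_mic_length, the same value the OWE branch just above returns after logging "Invalid PMK length", so a caller cannot tell "this AKM has no MIC field" from "bad input". A comment on the new cases would make the intent explicit, for example `/* FILS AKMs carry no MIC; key frames are AEAD-protected */` (presumably via the FILS path in eapol_decrypt_key_data; confirm). It is also worth checking that callers which skip MIC verification on a zero length do so only for these four AKMs. The callers and the start of the function are outside this hunk.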
@@ -254,6 +259,8 @@ uint8_t *eapol_decrypt_key_data(enum ie_rsn_akm_suite akm, const uint8_t *kek,
switch (akm) {
case IE_RSN_AKM_SUITE_FILS_SHA256:
case IE_RSN_AKM_SUITE_FILS_SHA384:
+ case IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256:
+ case IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384:
if (key_data_len < 16)
return NULL;
@@ -329,13 +336,16 @@ uint8_t *eapol_decrypt_key_data(enum ie_rsn_akm_suite akm, const uint8_t *kek,
break;
case IE_RSN_AKM_SUITE_FILS_SHA256:
case IE_RSN_AKM_SUITE_FILS_SHA384:
+ case IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256:
+ case IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384:
{
struct iovec ad[1];
ad[0].iov_base = (void *)frame;
ad[0].iov_len = key_data - (const uint8_t *)frame;
- if (akm == IE_RSN_AKM_SUITE_FILS_SHA256)
+ if (akm == IE_RSN_AKM_SUITE_FILS_SHA256 || akm ==
+ IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256)
kek_len = 32;
else
kek_len = 64;
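Review bot: The KEK length is picked by an if/else in which both SHA384 AKMs fall into the bare `else`, so any AKM later added to these case labels would silently get a 64-byte KEK. Stating the mapping in a comment, `/* SHA256 AKMs: 32-byte KEK, SHA384 AKMs: 64-byte KEK */`, would make a wrong default easier to spot in review. The condition also reads better broken after the operator: `if (akm == IE_RSN_AKM_SUITE_FILS_SHA256 ||` followed by `akm == IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256)`. The enclosing function continues outside the hunk.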
@@ -1223,7 +1233,9 @@ static void eapol_handle_ptk_1_of_4(struct eapol_sm *sm,
if (sm->handshake->akm_suite &
(IE_RSN_AKM_SUITE_FT_OVER_8021X |
IE_RSN_AKM_SUITE_FT_USING_PSK |
- IE_RSN_AKM_SUITE_FT_OVER_SAE_SHA256)) {
+ IE_RSN_AKM_SUITE_FT_OVER_SAE_SHA256 |
+ IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256 |
+ IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384)) {
/*
* Rebuild the RSNE to include the PMKR1Name and append
* MDE + FTE.
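Review bot: This open-coded mask of FT AKMs in eapol_handle_ptk_1_of_4 is the kind of list that went stale when FT-FILS was added, which is what this patch repairs. The FILS case lists in eapol_get_mic_length and eapol_decrypt_key_data have the same shape. Defining the FT set once next to the enum and testing against that would keep the next new AKM from being missed in one place. If that is out of scope here, a comment such as `/* every FT AKM must be listed here, or the RSNE is not rebuilt with PMKR1Name/MDE/FTE */` would at least flag the dependency. The function body continues outside the hunk.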
diff --git a/src/netdev.c b/src/netdev.c
index 603c339d..01cc8477 100644
--- a/src/netdev.c
+++ b/src/netdev.c
@@ -2565,10 +2565,7 @@ process_resp_ies:
netdev->owe_sm = NULL;
}
- /* FILS handles its own FT key derivation */
- if (fte && !(netdev->handshake->akm_suite &
- (IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256 |
- IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384))) {
+ if (fte) {
uint32_t kck_len =
handshake_state_get_kck_len(netdev->handshake);
/*
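Review bot: Dropping the FT-FILS exclusion means the `if (fte)` block now runs for FT-over-FILS associations as well, yet the removed comment said FILS handles its own FT key derivation, and neither the commit message nor the new code says why that no longer holds. The block continues outside the hunk, so it cannot be checked from here, but it starts by reading `handshake_state_get_kck_len()`. Please confirm that the length it returns for the two FT-FILS AKMs is the one the FTE handling below expects, since these AKMs report a MIC length of 0 in eapol.c. If the intent is to share the FTE path for rekeys, a replacement comment such as `/* FT-FILS uses the common FTE handling too; required for rekeys */` would record it.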
--
2.31.1