From: James Prestwood <prestwoj at gmail.com>
To: iwd at lists.01.org
Subject: [PATCH v2 5/5] eapol: netdev: allow rekeys using FT-FILS
Date: Tue, 28 Sep 2021 15:05:07 -0700 [thread overview]
Message-ID: <20210928220507.944851-5-prestwoj@gmail.com> (raw)
In-Reply-To: 20210928220507.944851-1-prestwoj@gmail.com
[-- Attachment #1: Type: text/plain, Size: 2677 bytes --]
Rekeying was overlooked when implementing FT-FILS and there were
many places where the AKM was never checked and the rekey was
failing.
---
src/eapol.c | 16 ++++++++++++++--
src/netdev.c | 5 +----
2 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/src/eapol.c b/src/eapol.c
index 8dce9a68..c7aa4172 100644
--- a/src/eapol.c
+++ b/src/eapol.c
@@ -231,6 +231,11 @@ static size_t eapol_get_mic_length(enum ie_rsn_akm_suite akm, size_t pmk_len)
l_error("Invalid PMK length of %zu for OWE", pmk_len);
return 0;
}
+ case IE_RSN_AKM_SUITE_FILS_SHA256:
+ case IE_RSN_AKM_SUITE_FILS_SHA384:
+ case IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256:
+ case IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384:
+ return 0;
default:
return 16;
}
@@ -254,6 +259,8 @@ uint8_t *eapol_decrypt_key_data(enum ie_rsn_akm_suite akm, const uint8_t *kek,
switch (akm) {
case IE_RSN_AKM_SUITE_FILS_SHA256:
case IE_RSN_AKM_SUITE_FILS_SHA384:
+ case IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256:
+ case IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384:
if (key_data_len < 16)
return NULL;
@@ -329,13 +336,16 @@ uint8_t *eapol_decrypt_key_data(enum ie_rsn_akm_suite akm, const uint8_t *kek,
break;
case IE_RSN_AKM_SUITE_FILS_SHA256:
case IE_RSN_AKM_SUITE_FILS_SHA384:
+ case IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256:
+ case IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384:
{
struct iovec ad[1];
ad[0].iov_base = (void *)frame;
ad[0].iov_len = key_data - (const uint8_t *)frame;
- if (akm == IE_RSN_AKM_SUITE_FILS_SHA256)
+ if (akm == IE_RSN_AKM_SUITE_FILS_SHA256 || akm ==
+ IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256)
kek_len = 32;
else
kek_len = 64;
@@ -1223,7 +1233,9 @@ static void eapol_handle_ptk_1_of_4(struct eapol_sm *sm,
if (sm->handshake->akm_suite &
(IE_RSN_AKM_SUITE_FT_OVER_8021X |
IE_RSN_AKM_SUITE_FT_USING_PSK |
- IE_RSN_AKM_SUITE_FT_OVER_SAE_SHA256)) {
+ IE_RSN_AKM_SUITE_FT_OVER_SAE_SHA256 |
+ IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256 |
+ IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384)) {
/*
* Rebuild the RSNE to include the PMKR1Name and append
* MDE + FTE.
diff --git a/src/netdev.c b/src/netdev.c
index de6af614..c6867ce3 100644
--- a/src/netdev.c
+++ b/src/netdev.c
@@ -2565,10 +2565,7 @@ process_resp_ies:
netdev->owe_sm = NULL;
}
- /* FILS handles its own FT key derivation */
- if (fte && !(netdev->handshake->akm_suite &
- (IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256 |
- IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384))) {
+ if (fte) {
uint32_t kck_len =
handshake_state_get_kck_len(netdev->handshake);
/*
--
2.31.1
reply other threads:[~2021-09-28 22:05 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210928220507.944851-5-prestwoj@gmail.com \
--to=unknown@example.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.