[PATCH 1/5] eapol: choose key descriptor version in AP mode

[PATCH 1/5] eapol: choose key descriptor version in AP mode

[James Prestwood]

The key descriptor version was hard coded to HMAC_SHA1_AES which
is correct when using IE_RSN_AKM_SUITE_PSK + CCMP. ap.c hard
codes the PSK AKM but still uses wiphy to select the cipher. In
theory there could be hardware that only supports TKIP which
would then make IWD non-compliant since a different key descriptor
version should be used with PSK + TKIP (HMAC_MD5_ARC4).

Now use a helper to sort out which key descriptor should be used
given the AKM and cipher suite.
---
 src/eapol.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/src/eapol.c b/src/eapol.c
index c6439bb1..44ffb220 100644
--- a/src/eapol.c
+++ b/src/eapol.c
@@ -1062,6 +1062,7 @@ static void eapol_send_ptk_1_of_4(struct eapol_sm *sm)
 	enum crypto_cipher cipher = ie_rsn_cipher_suite_to_cipher(
 				sm->handshake->pairwise_cipher);
 	uint8_t pmkid[16];
+	uint8_t key_descriptor_version;
 
 	handshake_state_new_anonce(sm->handshake);
 
@@ -1073,8 +1074,11 @@ static void eapol_send_ptk_1_of_4(struct eapol_sm *sm)
 	ek->header.protocol_version = sm->protocol_version;
 	ek->header.packet_type = 0x3;
 	ek->descriptor_type = EAPOL_DESCRIPTOR_TYPE_80211;
-	/* Must be HMAC-SHA1-128 + AES when using CCMP with PSK or 8021X */
-	ek->key_descriptor_version = EAPOL_KEY_DESCRIPTOR_VERSION_HMAC_SHA1_AES;
+	L_WARN_ON(eapol_key_descriptor_version_from_akm(
+				sm->handshake->akm_suite,
+				sm->handshake->pairwise_cipher,
+				&key_descriptor_version) < 0);
+	ek->key_descriptor_version = key_descriptor_version;
 	ek->key_type = true;
 	ek->key_ack = true;
 	ek->key_length = L_CPU_TO_BE16(crypto_cipher_key_len(cipher));
@@ -1358,6 +1362,7 @@ static void eapol_send_ptk_3_of_4(struct eapol_sm *sm)
 				sm->handshake->group_cipher);
 	const uint8_t *kck;
 	const uint8_t *kek;
+	uint8_t key_descriptor_version;
 
 	sm->replay_counter++;
 
@@ -1365,8 +1370,11 @@ static void eapol_send_ptk_3_of_4(struct eapol_sm *sm)
 	ek->header.protocol_version = sm->protocol_version;
 	ek->header.packet_type = 0x3;
 	ek->descriptor_type = EAPOL_DESCRIPTOR_TYPE_80211;
-	/* Must be HMAC-SHA1-128 + AES when using CCMP with PSK or 8021X */
-	ek->key_descriptor_version = EAPOL_KEY_DESCRIPTOR_VERSION_HMAC_SHA1_AES;
+	L_WARN_ON(eapol_key_descriptor_version_from_akm(
+				sm->handshake->akm_suite,
+				sm->handshake->pairwise_cipher,
+				&key_descriptor_version) < 0);
+	ek->key_descriptor_version = key_descriptor_version;
 	ek->key_type = true;
 	ek->install = true;
 	ek->key_ack = true;
-- 
2.34.3

[PATCH 2/5] auto-t: fix get_ordered_network if hostapd isn't running

[James Prestwood]

This API optimizes scanning to run tests quickly by only scanning
the frequencies which hostapd is using. But if a test doesn't use
hostapd this API raises an uncaught exception.

Check if hostapd is being used, and if not just do a full scan.
---
 autotests/util/iwd.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/autotests/util/iwd.py b/autotests/util/iwd.py
index a9df0dca..a9e2f2f5 100755
--- a/autotests/util/iwd.py
+++ b/autotests/util/iwd.py
@@ -519,7 +519,8 @@ class Device(IWDDBusAbstract):
         IWD._wait_for_object_condition(self, condition)
 
         try:
-            if full_scan:
+            # Do a full scan if instructed or if hostapd isn't being used
+            if full_scan or not ctx.hostapd:
                 self.scan()
             else:
                 self.debug_scan(ctx.get_frequencies())
-- 
2.34.3

[PATCH 3/5] auto-t: allow printing devices in AP mode

[James Prestwood]

The __str__ function assumed station mode which throws an exception
if the device is in AP mode. Fix this as well as print out the mode
the device is in.
---
 autotests/util/iwd.py | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/autotests/util/iwd.py b/autotests/util/iwd.py
index a9e2f2f5..9e96382a 100755
--- a/autotests/util/iwd.py
+++ b/autotests/util/iwd.py
@@ -690,14 +690,17 @@ class Device(IWDDBusAbstract):
         return self._device_provisioning.stop()
 
     def __str__(self, prefix = ''):
-        return prefix + 'Device: ' + self.device_path + '\n'\
+        s = prefix + 'Device: ' + self.device_path + '\n'\
                + prefix + '\tName:\t\t' + self.name + '\n'\
-               + prefix + '\tAddress:\t' + self.address + '\n'\
-               + prefix + '\tState:\t\t' + str(self.state) + '\n'\
+               + prefix + '\tAddress:\t' + self.address + '\n' \
                + prefix + '\tPowered:\t' + str(self.powered) + '\n'\
-               + prefix + '\tConnected net:\t' + str(self.connected_network) +\
-                                                                            '\n'
+               + prefix + '\tMode:\t\t' + self._properties['Mode'] + '\n'
 
+        if self._properties['Mode'] == 'station':
+            s += prefix + '\tState:\t\t' + str(self.state) + '\n'\
+               + prefix + '\tConnected net:\t' + str(self.connected_network) + '\n'
+
+        return s
 
 class Network(IWDDBusAbstract):
     '''Class represents a network object: net.connman.iwd.Network'''
-- 
2.34.3

[PATCH 4/5] unit: test-arc4: test RC4 both directions

[James Prestwood]

Tests that the data both encrypts and decrypts.
---
 unit/test-arc4.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/unit/test-arc4.c b/unit/test-arc4.c
index bfc5009c..a9e0ef1d 100644
--- a/unit/test-arc4.c
+++ b/unit/test-arc4.c
@@ -92,6 +92,8 @@ static void arc4_skip_test(const void *data)
 
 	assert(arc4_skip(test->key, 16, test->offset, buf, sizeof(buf), buf));
 	assert(!memcmp(buf, test->result, sizeof(buf)));
+	assert(arc4_skip(test->key, 16, test->offset, buf, sizeof(buf), buf));
+	assert(l_memeqzero(buf, 16));
 }
 
 int main(int argc, char *argv[])
-- 
2.34.3

[PATCH 5/5] eapol: add TKIP support in AP mode

[James Prestwood]

Though TKIP is deprecated and insecure its trivial to support it in
AP mode as we already do in station. This is only to allow AP mode
for old hardware that may only support TKIP. If the hardware supports
any higher level cipher that will be chosen automatically.
---
 src/eapol.c | 24 ++++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)

diff --git a/src/eapol.c b/src/eapol.c
index 44ffb220..4a1abd28 100644
--- a/src/eapol.c
+++ b/src/eapol.c
@@ -390,11 +390,31 @@ static int eapol_encrypt_key_data(const uint8_t *kek, uint8_t *key_data,
 				size_t key_data_len,
 				struct eapol_key *out_frame, size_t mic_len)
 {
+	uint8_t key[32];
+	bool ret;
+
 	switch (out_frame->key_descriptor_version) {
 	case EAPOL_KEY_DESCRIPTOR_VERSION_HMAC_MD5_ARC4:
-		/* Not supported */
-		return -ENOTSUP;
+		/*
+		 * Not following the spec to generate the IV. The spec outlines
+		 * a procedure where a 32 byte buffer is held and incremented
+		 * each time nonces are created, and the IV comes from this
+		 * buffer. In the end randomizing the IV every time should be
+		 * just as good. This is how we handle the GTK in AP mode.
+		 */
+		l_getrandom(out_frame->eapol_key_iv, 16);
+
+		memcpy(key, out_frame->eapol_key_iv, 16);
+		memcpy(key + 16, kek, 16);
 
+		ret = arc4_skip(key, 32, 256, key_data, key_data_len,
+				EAPOL_KEY_DATA(out_frame, mic_len));
+		explicit_bzero(key, sizeof(key));
+
+		if (!ret)
+			return -ENOTSUP;
+
+		break;
 	case EAPOL_KEY_DESCRIPTOR_VERSION_HMAC_SHA1_AES:
 	case EAPOL_KEY_DESCRIPTOR_VERSION_AES_128_CMAC_AES:
 		if (key_data_len < 16 || key_data_len % 8)
-- 
2.34.3

Re: [PATCH 1/5] eapol: choose key descriptor version in AP mode

[Denis Kenzior]

Hi James,

On 10/26/22 13:56, James Prestwood wrote:
> The key descriptor version was hard coded to HMAC_SHA1_AES which
> is correct when using IE_RSN_AKM_SUITE_PSK + CCMP. ap.c hard
> codes the PSK AKM but still uses wiphy to select the cipher. In
> theory there could be hardware that only supports TKIP which
> would then make IWD non-compliant since a different key descriptor
> version should be used with PSK + TKIP (HMAC_MD5_ARC4).
> 
> Now use a helper to sort out which key descriptor should be used
> given the AKM and cipher suite.
> ---
>   src/eapol.c | 16 ++++++++++++----
>   1 file changed, 12 insertions(+), 4 deletions(-)
> 

All applied, thanks.

Regards,
-Denis