From: James Prestwood <prestwoj@gmail.com>
To: iwd@lists.linux.dev
Cc: James Prestwood <prestwoj@gmail.com>
Subject: [PATCH v2 1/4] eapol: implement rekey support for authenticator
Date: Thu, 12 Jan 2023 11:32:09 -0800 [thread overview]
Message-ID: <20230112193212.568476-1-prestwoj@gmail.com> (raw)
The only changes required was to set the secure bit for message 1,
reset the frame retry counter, and change the 2/4 verifier to use
the rekey flag rather than ptk_complete. This is because we must
set ptk_complete false in order to detect retransmissions of the
4/4 frame.
Initiating a rekey can now be done by simply calling eapol_start().
---
src/eapol.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/src/eapol.c b/src/eapol.c
index 22b2d5d1..2048a87d 100644
--- a/src/eapol.c
+++ b/src/eapol.c
@@ -1086,8 +1086,6 @@ static void eapol_send_ptk_1_of_4(struct eapol_sm *sm)
handshake_state_new_anonce(sm->handshake);
- sm->handshake->ptk_complete = false;
-
sm->replay_counter++;
memset(ek, 0, EAPOL_FRAME_LEN(sm->mic_len));
@@ -1111,6 +1109,12 @@ static void eapol_send_ptk_1_of_4(struct eapol_sm *sm)
eapol_key_data_append(ek, sm->mic_len, HANDSHAKE_KDE_PMKID, pmkid, 16);
+ if (sm->handshake->ptk_complete) {
+ ek->secure = true;
+ sm->rekey = true;
+ sm->handshake->ptk_complete = false;
+ }
+
ek->header.packet_len = L_CPU_TO_BE16(EAPOL_FRAME_LEN(sm->mic_len) +
EAPOL_KEY_DATA_LEN(ek, sm->mic_len) - 4);
@@ -1589,7 +1593,7 @@ static void eapol_handle_ptk_2_of_4(struct eapol_sm *sm,
l_debug("ifindex=%u", sm->handshake->ifindex);
- if (!eapol_verify_ptk_2_of_4(ek, sm->handshake->ptk_complete))
+ if (!eapol_verify_ptk_2_of_4(ek, sm->rekey))
return;
if (L_BE64_TO_CPU(ek->key_replay_counter) != sm->replay_counter)
@@ -2482,6 +2486,8 @@ static void eapol_eap_complete_cb(enum eap_result result, void *user_data)
/* sm->mic_len will have been set in eapol_eap_results_cb */
+ sm->frame_retry = 0;
+
/* Kick off 4-Way Handshake */
eapol_ptk_1_of_4_retry(NULL, sm);
}
@@ -2873,6 +2879,8 @@ bool eapol_start(struct eapol_sm *sm)
if (L_WARN_ON(!sm->handshake->have_pmk))
return false;
+ sm->frame_retry = 0;
+
/* Kick off handshake */
eapol_ptk_1_of_4_retry(NULL, sm);
}
--
2.34.3
next reply other threads:[~2023-01-12 19:32 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-12 19:32 James Prestwood [this message]
2023-01-12 19:32 ` [PATCH v2 2/4] eapol: detect message 2/4 retransmits James Prestwood
2023-01-13 15:16 ` Denis Kenzior
2023-01-12 19:32 ` [PATCH v2 3/4] ap: support PTK rekeys James Prestwood
2023-01-13 15:35 ` Denis Kenzior
2023-01-12 19:32 ` [PATCH v2 4/4] doc: Document RekeyTimeout for AP profiles James Prestwood
2023-01-13 15:19 ` Denis Kenzior
2023-01-13 15:13 ` [PATCH v2 1/4] eapol: implement rekey support for authenticator Denis Kenzior
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230112193212.568476-1-prestwoj@gmail.com \
--to=prestwoj@gmail.com \
--cc=iwd@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).