eapol: pass mic_len in gtk 1/2 verify

FILS authentication does away with the MIC, so checking for key_mic
in the eapol key frame does not allow FILS to work. Now we pass in
the mic_len to eapol_verify_gtk_1_of_2, and if it is non-zero we can
check that the MIC is present in the frame.
James Prestwood 2019-04-17 15:16:39 -07:00 committed by Denis Kenzior
parent 82eeef1c29
commit 62e20ca285
3 changed files with 8 additions and 6 deletions


@ -534,7 +534,8 @@ bool eapol_verify_ptk_4_of_4(const struct eapol_key *ek, bool is_wpa)
if (ek->install) \ if (ek->install) \
return false \ return false \
bool eapol_verify_gtk_1_of_2(const struct eapol_key *ek, bool is_wpa) bool eapol_verify_gtk_1_of_2(const struct eapol_key *ek, bool is_wpa,
size_t mic_len)
{ {
uint16_t key_len; uint16_t key_len;
@ -543,7 +544,7 @@ bool eapol_verify_gtk_1_of_2(const struct eapol_key *ek, bool is_wpa)
if (!ek->key_ack) if (!ek->key_ack)
return false; return false;
if (!ek->key_mic) if (mic_len && !ek->key_mic)
return false; return false;
if (!ek->secure) if (!ek->secure)
@ -1683,7 +1684,7 @@ static void eapol_handle_gtk_1_of_2(struct eapol_sm *sm,
size_t igtk_len; size_t igtk_len;
uint8_t igtk_key_index; uint8_t igtk_key_index;
if (!eapol_verify_gtk_1_of_2(ek, sm->handshake->wpa_ie)) { if (!eapol_verify_gtk_1_of_2(ek, sm->handshake->wpa_ie, sm->mic_len)) {
handshake_failed(sm, MMPDU_REASON_CODE_UNSPECIFIED); handshake_failed(sm, MMPDU_REASON_CODE_UNSPECIFIED);
return; return;
} }
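Review bot: With `mic_len == 0` the changed test `if (mic_len && !ek->key_mic)` accepts the frame whether or not the Key MIC flag is set, so on the FILS path the flag is no longer validated in either direction. As I read IEEE 802.11, the Key MIC bit is 0 when an AEAD cipher protects the frame, so the no-MIC case could be checked as strictly as the MIC case: `if (!!mic_len != !!ek->key_mic) return false;` (worth confirming against the FILS frames actually received). Because this check no longer requires a MIC for that AKM, frame integrity rests on the AEAD decryption and on `sm->mic_len` being zero only for AEAD AKMs; neither is visible in these hunks, so please confirm both hold before the GTK is installed. Both function bodies continue outside the hunks shown.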


@ -65,7 +65,8 @@ bool eapol_verify_ptk_1_of_4(const struct eapol_key *ek, size_t mic_len);
bool eapol_verify_ptk_2_of_4(const struct eapol_key *ek); bool eapol_verify_ptk_2_of_4(const struct eapol_key *ek);
bool eapol_verify_ptk_3_of_4(const struct eapol_key *ek, bool is_wpa); bool eapol_verify_ptk_3_of_4(const struct eapol_key *ek, bool is_wpa);
bool eapol_verify_ptk_4_of_4(const struct eapol_key *ek, bool is_wpa); bool eapol_verify_ptk_4_of_4(const struct eapol_key *ek, bool is_wpa);
bool eapol_verify_gtk_1_of_2(const struct eapol_key *ek, bool is_wpa); bool eapol_verify_gtk_1_of_2(const struct eapol_key *ek, bool is_wpa,
size_t mic_len);
bool eapol_verify_gtk_2_of_2(const struct eapol_key *ek, bool is_wpa); bool eapol_verify_gtk_2_of_2(const struct eapol_key *ek, bool is_wpa);
struct eapol_key *eapol_create_ptk_2_of_4( struct eapol_key *eapol_create_ptk_2_of_4(
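Review bot: The new `mic_len` parameter on `eapol_verify_gtk_1_of_2` is undocumented, and the meaning of zero is the thing a caller most needs to know. A comment above the prototype such as `/* mic_len: MIC length in bytes for the negotiated AKM; 0 means no MIC (FILS), so the Key MIC flag is not required */` would make that explicit. `eapol_verify_gtk_2_of_2` keeps its old signature here; if its body also requires `key_mic` (not visible in this hunk), it would presumably need the same parameter for FILS group rekeying.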


@ -1920,7 +1920,7 @@ static void eapol_wpa2_handshake_test(const void *data)
gtk_step1 = eapol_key_validate(eapol_key_data_11, gtk_step1 = eapol_key_validate(eapol_key_data_11,
sizeof(eapol_key_data_11), 16); sizeof(eapol_key_data_11), 16);
assert(gtk_step1); assert(gtk_step1);
assert(eapol_verify_gtk_1_of_2(gtk_step1, false)); assert(eapol_verify_gtk_1_of_2(gtk_step1, false, 16));
decrypted_key_data = eapol_decrypt_key_data(IE_RSN_AKM_SUITE_PSK, decrypted_key_data = eapol_decrypt_key_data(IE_RSN_AKM_SUITE_PSK,
ptk + 16, gtk_step1, ptk + 16, gtk_step1,
@ -2046,7 +2046,7 @@ static void eapol_wpa_handshake_test(const void *data)
gtk_step1 = eapol_key_validate(eapol_key_data_17, gtk_step1 = eapol_key_validate(eapol_key_data_17,
sizeof(eapol_key_data_17), 16); sizeof(eapol_key_data_17), 16);
assert(gtk_step1); assert(gtk_step1);
assert(eapol_verify_gtk_1_of_2(gtk_step1, true)); assert(eapol_verify_gtk_1_of_2(gtk_step1, true, 16));
decrypted_key_data = eapol_decrypt_key_data(IE_RSN_AKM_SUITE_PSK, decrypted_key_data = eapol_decrypt_key_data(IE_RSN_AKM_SUITE_PSK,
ptk + 16, gtk_step1, ptk + 16, gtk_step1,
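Review bot: Both updated assertions pass `16`, so the `mic_len == 0` branch this commit introduces is never exercised by the unit tests. A case that clears the Key MIC flag on a copy of the frame, then asserts the verifier rejects it with `mic_len` 16 and accepts it with `mic_len` 0, would pin the new behaviour, e.g. `assert(!eapol_verify_gtk_1_of_2(no_mic_frame, false, 16));` where `no_mic_frame` is a placeholder for that modified copy. The same applies to the WPA2 test hunk earlier in this file section. Both test functions continue outside the hunks.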