From 69259b3a3f9029990db84f7ad6cb2e6cdb7c120d Mon Sep 17 00:00:00 2001 From: Andrew Zaborowski Date: Thu, 13 Aug 2020 02:50:12 +0200 Subject: [PATCH] eapol: Use the require_handshake flag for FILS In both FT or FILS EAPoL isn't used for the initial handshake and only for the later re-keys. For FT we added the eapol_sm_set_require_handshake mechanism to tell EAPoL to not require the initial handshake and we can re-use it for FILS. --- src/eapol.c | 10 ---------- src/netdev.c | 16 +++++++++++----- 2 files changed, 11 insertions(+), 15 deletions(-) diff --git a/src/eapol.c b/src/eapol.c index e3581cfe..29cd106d 100644 --- a/src/eapol.c +++ b/src/eapol.c @@ -2399,16 +2399,6 @@ bool eapol_start(struct eapol_sm *sm) sm->started = true; - /* - * FILS only uses the 4-way for rekeys, so only started needs to be set, - * then we wait for a rekey. - */ - if (sm->handshake->akm_suite & (IE_RSN_AKM_SUITE_FILS_SHA256 | - IE_RSN_AKM_SUITE_FILS_SHA384 | - IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384 | - IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256)) - return true; - if (sm->require_handshake) sm->timeout = l_timeout_create(eapol_4way_handshake_time, eapol_timeout, sm, NULL); diff --git a/src/netdev.c b/src/netdev.c index 9e2690d3..5d3aa862 100644 --- a/src/netdev.c +++ b/src/netdev.c @@ -2071,6 +2071,12 @@ static void netdev_associate_event(struct l_genl_msg *msg, if (netdev->ap) { ret = auth_proto_rx_associate(netdev->ap, frame, frame_len); if (ret == 0) { + bool fils = !!(netdev->handshake->akm_suite & + (IE_RSN_AKM_SUITE_FILS_SHA256 | + IE_RSN_AKM_SUITE_FILS_SHA384 | + IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384 | + IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256)); + auth_proto_free(netdev->ap); netdev->ap = NULL; 
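Review bot: The four-value FILS AKM mask in the `bool fils` initialiser is open-coded with no comment, so a reader cannot tell that this test now decides whether EAPoL waits for an initial 4-way handshake. I would add a comment above it such as `/* FILS AKMs: EAPoL is used for rekeys only, so require_handshake is cleared below */`. The initialiser also dereferences `netdev->handshake` unconditionally; that is presumably guaranteed whenever `netdev->ap` is set, but the guarantee is established outside this hunk. netdev_associate_event starts before the hunk and continues after it.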
@@ -2081,15 +2087,15 @@ static void netdev_associate_event(struct l_genl_msg *msg, netdev->ignore_connect_event = false; /* - * If in FT we need to prevent the 4-way handshake from - * happening, and instead just wait for rekeys + * If in FT and/or FILS we don't force an initial 4-way + * handshake and instead just keep the EAPoL state + * machine for the rekeys. */ - if (netdev->in_ft) { + if (netdev->in_ft || fils) eapol_sm_set_require_handshake(netdev->sm, false); - netdev->in_ft = false; - } + netdev->in_ft = false; return; } else if (ret == -EAGAIN) { /*
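Review bot: The FILS exemption is now applied only at this call site, `if (netdev->in_ft || fils)`, whereas the check removed from eapol_start covered every caller of that function. Any other path that starts the state machine for a FILS AKM without first calling `eapol_sm_set_require_handshake(netdev->sm, false)` would arm the `eapol_4way_handshake_time` timeout, and presumably drop a connection that never performs an initial 4-way handshake. The flag must also be cleared before eapol_start runs, because that is where `sm->require_handshake` is read; I would record this next to the call, for example `/* Must run before eapol_start(), which reads require_handshake when arming the timeout */`. The removed early return also skipped the remainder of eapol_start, which is outside the diff, so that code should be confirmed safe for FILS. netdev_associate_event begins and ends outside the hunk.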