3
0
mirror of https://git.kernel.org/pub/scm/network/wireless/iwd.git synced 2024-12-22 21:22:37 +01:00

eapol: In FT-EAP use all 64 bytes of the MSK

Until now we'd save the second 32 bytes of the MSK as the PMK and use
that for the PMK-R0 as well as the PMKID calculation.  The PMKID
actually uses the first 32 bytes of the PMK while the PMK-R0's XXKey
input maps to the second 32 bytes.  Add a pmk_len parameter to
handshake_state_set_pmk to handle that.  Update the eapol_eap_results_cb
802.11 quotes to the 2016 version.
This commit is contained in:
Andrew Zaborowski 2018-03-15 12:06:53 +01:00 committed by Denis Kenzior
parent 436e95d599
commit 8b534ba067
4 changed files with 38 additions and 23 deletions

View File

@ -731,7 +731,8 @@ static struct handshake_state *device_handshake_setup(struct device *device,
} }
if (security == SECURITY_PSK) if (security == SECURITY_PSK)
handshake_state_set_pmk(hs, network_get_psk(network)); handshake_state_set_pmk(hs, network_get_psk(network),
32);
else else
handshake_state_set_8021x_config(hs, handshake_state_set_8021x_config(hs,
network_get_settings(network)); network_get_settings(network));
@ -898,7 +899,7 @@ static void device_preauthenticate_cb(struct netdev *netdev,
uint8_t rsne_buf[300]; uint8_t rsne_buf[300];
struct ie_rsn_info rsn_info; struct ie_rsn_info rsn_info;
handshake_state_set_pmk(new_hs, pmk); handshake_state_set_pmk(new_hs, pmk, 32);
handshake_state_set_authenticator_address(new_hs, handshake_state_set_authenticator_address(new_hs,
device->preauth_bssid); device->preauth_bssid);
handshake_state_set_supplicant_address(new_hs, handshake_state_set_supplicant_address(new_hs,

View File

@ -1624,8 +1624,6 @@ static void eapol_eap_results_cb(const uint8_t *msk_data, size_t msk_len,
void *user_data) void *user_data)
{ {
struct eapol_sm *sm = user_data; struct eapol_sm *sm = user_data;
ssize_t pmk_len;
const uint8_t *pmk_data;
l_debug("EAP key material received"); l_debug("EAP key material received");
@ -1634,34 +1632,35 @@ static void eapol_eap_results_cb(const uint8_t *msk_data, size_t msk_len,
* "When not using a PSK, the PMK is derived from the AAA key. * "When not using a PSK, the PMK is derived from the AAA key.
* The PMK shall be computed as the first 256 bits (bits 0255) * The PMK shall be computed as the first 256 bits (bits 0255)
* of the AAA key: PMK L(PTK, 0, 256)." * of the AAA key: PMK L(PTK, 0, 256)."
* 802.11 11.6.1.3: * 802.11-2016 12.7.1.3:
* "When not using a PSK, the PMK is derived from the MSK. * "When not using a PSK, the PMK is derived from the MSK.
* The PMK shall be computed as the first 256 bits (bits 0255) * The PMK shall be computed as the first PMK_bits bits
* of the MSK: PMK L(MSK, 0, 256)." * (bits 0 to PMK_bits1) of the MSK: PMK = L(MSK, 0, PMK_bits)."
* RFC5247 explains AAA-Key refers to the MSK and confirms the * RFC5247 explains AAA-Key refers to the MSK and confirms the
* first 32 bytes of the MSK are used. MSK is at least 64 octets * first 32 bytes of the MSK are used. MSK is at least 64 octets
* long per RFC3748. Note WEP derives the PTK from MSK differently. * long per RFC3748. Note WEP derives the PTK from MSK differently.
* *
* In a Fast Transition initial mobility domain association the PMK * In a Fast Transition initial mobility domain association the PMK
* maps to the XXKey except with EAP: * maps to the XXKey, except with EAP:
* 802.11 11.6.1.7.3: * 802.11-2016 12.7.1.7.3:
* "If the AKM negotiated is 00-0F-AC:3, then XXKey shall be the * "If the AKM negotiated is 00-0F-AC:3, then [...] XXKey shall be
* second 256 bits of the MSK (which is derived from the IEEE * the second 256 bits of the MSK (which is derived from the IEEE
* 802.1X authentication), i.e., XXKey = L(MSK, 256, 256)." * 802.1X authentication), i.e., XXKey = L(MSK, 256, 256)."
* So we need to save the first 64 bytes at minimum.
*/ */
if (sm->handshake->akm_suite == IE_RSN_AKM_SUITE_FT_OVER_8021X) { if (sm->handshake->akm_suite == IE_RSN_AKM_SUITE_FT_OVER_8021X) {
pmk_len = (ssize_t) msk_len - 32; if (msk_len < 64)
pmk_data = msk_data + 32; goto msk_short;
} else { } else {
pmk_len = msk_len; if (msk_len < 32)
pmk_data = msk_data; goto msk_short;
} }
if (pmk_len < 32) if (msk_len > sizeof(sm->handshake->pmk))
goto msk_short; msk_len = sizeof(sm->handshake->pmk);
handshake_state_set_pmk(sm->handshake, pmk_data); handshake_state_set_pmk(sm->handshake, msk_data, msk_len);
return; return;

View File

@ -103,9 +103,10 @@ void handshake_state_set_authenticator_address(struct handshake_state *s,
memcpy(s->aa, aa, sizeof(s->aa)); memcpy(s->aa, aa, sizeof(s->aa));
} }
void handshake_state_set_pmk(struct handshake_state *s, const uint8_t *pmk) void handshake_state_set_pmk(struct handshake_state *s, const uint8_t *pmk,
size_t pmk_len)
{ {
memcpy(s->pmk, pmk, sizeof(s->pmk)); memcpy(s->pmk, pmk, pmk_len);
s->have_pmk = true; s->have_pmk = true;
} }
@ -278,11 +279,24 @@ bool handshake_state_derive_ptk(struct handshake_state *s)
IE_RSN_AKM_SUITE_FT_OVER_SAE_SHA256)) { IE_RSN_AKM_SUITE_FT_OVER_SAE_SHA256)) {
uint16_t mdid; uint16_t mdid;
uint8_t ptk_name[16]; uint8_t ptk_name[16];
const uint8_t *xxkey = s->pmk;
/*
* In a Fast Transition initial mobility domain association
* the PMK maps to the XXKey, except with EAP:
* 802.11-2016 12.7.1.7.3:
* "If the AKM negotiated is 00-0F-AC:3, then [...] XXKey
* shall be the second 256 bits of the MSK (which is
* derived from the IEEE 802.1X authentication), i.e.,
* XXKey = L(MSK, 256, 256)."
*/
if (s->akm_suite == IE_RSN_AKM_SUITE_FT_OVER_8021X)
xxkey = s->pmk + 32;
ie_parse_mobility_domain_from_data(s->mde, s->mde[1] + 2, ie_parse_mobility_domain_from_data(s->mde, s->mde[1] + 2,
&mdid, NULL, NULL); &mdid, NULL, NULL);
if (!crypto_derive_pmk_r0(s->pmk, s->ssid, s->ssid_len, mdid, if (!crypto_derive_pmk_r0(xxkey, s->ssid, s->ssid_len, mdid,
s->r0khid, s->r0khid_len, s->r0khid, s->r0khid_len,
s->spa, s->spa,
s->pmk_r0, s->pmk_r0_name)) s->pmk_r0, s->pmk_r0_name))

View File

@ -72,7 +72,7 @@ struct handshake_state {
enum ie_rsn_cipher_suite group_cipher; enum ie_rsn_cipher_suite group_cipher;
enum ie_rsn_cipher_suite group_management_cipher; enum ie_rsn_cipher_suite group_management_cipher;
enum ie_rsn_akm_suite akm_suite; enum ie_rsn_akm_suite akm_suite;
uint8_t pmk[32]; uint8_t pmk[64];
uint8_t snonce[32]; uint8_t snonce[32];
uint8_t anonce[32]; uint8_t anonce[32];
uint8_t ptk[64]; uint8_t ptk[64];
@ -102,7 +102,8 @@ void handshake_state_set_supplicant_address(struct handshake_state *s,
void handshake_state_set_authenticator_address(struct handshake_state *s, void handshake_state_set_authenticator_address(struct handshake_state *s,
const uint8_t *aa); const uint8_t *aa);
void handshake_state_set_user_data(struct handshake_state *s, void *user_data); void handshake_state_set_user_data(struct handshake_state *s, void *user_data);
void handshake_state_set_pmk(struct handshake_state *s, const uint8_t *pmk); void handshake_state_set_pmk(struct handshake_state *s, const uint8_t *pmk,
size_t pmk_len);
void handshake_state_set_8021x_config(struct handshake_state *s, void handshake_state_set_8021x_config(struct handshake_state *s,
struct l_settings *settings); struct l_settings *settings);
struct l_settings *handshake_state_get_8021x_config(struct handshake_state *s); struct l_settings *handshake_state_get_8021x_config(struct handshake_state *s);