From 995c34450e427fb557c9e010c296d69d1b5a8e74 Mon Sep 17 00:00:00 2001 From: James Prestwood Date: Wed, 18 Jan 2023 13:17:59 -0800 Subject: [PATCH] eapol: implement rekey support for authenticator The only changes required was to set the secure bit for message 1, reset the frame retry counter, and change the 2/4 verifier to use the rekey flag rather than ptk_complete. This is because we must set ptk_complete false in order to detect retransmissions of the 4/4 frame. Initiating a rekey can now be done by simply calling eapol_start(). --- src/eapol.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/src/eapol.c b/src/eapol.c index b338ad2a..5ae1da1d 100644 --- a/src/eapol.c +++ b/src/eapol.c @@ -1086,8 +1086,6 @@ static void eapol_send_ptk_1_of_4(struct eapol_sm *sm) handshake_state_new_anonce(sm->handshake); - sm->handshake->ptk_complete = false; - sm->replay_counter++; memset(ek, 0, EAPOL_FRAME_LEN(sm->mic_len)); @@ -1111,6 +1109,13 @@ static void eapol_send_ptk_1_of_4(struct eapol_sm *sm) eapol_key_data_append(ek, sm->mic_len, HANDSHAKE_KDE_PMKID, pmkid, 16); + if (sm->handshake->ptk_complete) { + sm->rekey = true; + sm->handshake->ptk_complete = false; + } + + ek->secure = sm->rekey; + ek->header.packet_len = L_CPU_TO_BE16(EAPOL_FRAME_LEN(sm->mic_len) + EAPOL_KEY_DATA_LEN(ek, sm->mic_len) - 4); @@ -1554,7 +1559,7 @@ static void eapol_handle_ptk_2_of_4(struct eapol_sm *sm, l_debug("ifindex=%u", sm->handshake->ifindex); - if (!eapol_verify_ptk_2_of_4(ek, sm->handshake->ptk_complete)) + if (!eapol_verify_ptk_2_of_4(ek, sm->rekey)) return; if (L_BE64_TO_CPU(ek->key_replay_counter) != sm->replay_counter) @@ -2451,6 +2456,8 @@ static void eapol_eap_complete_cb(enum eap_result result, void *user_data) /* sm->mic_len will have been set in eapol_eap_results_cb */ + sm->frame_retry = 0; + /* Kick off 4-Way Handshake */ eapol_ptk_1_of_4_retry(NULL, sm); } @@ -2842,6 +2849,8 @@ bool eapol_start(struct eapol_sm *sm) if (L_WARN_ON(!sm->handshake->have_pmk)) return false; + sm->frame_retry = 0; + /* Kick off handshake */ eapol_ptk_1_of_4_retry(NULL, sm); }