3
0
mirror of https://git.kernel.org/pub/scm/network/wireless/iwd.git synced 2024-11-25 17:59:25 +01:00

eapol: netdev: allow rekeys using FT-FILS

Rekeying was overlooked when implementing FT-FILS and there were
many places where the AKM was never checked and the rekey was
failing.
This commit is contained in:
James Prestwood 2021-09-28 15:25:53 -07:00 committed by Denis Kenzior
parent 183a7a18a9
commit e6340996d7
2 changed files with 13 additions and 9 deletions

View File

@ -231,6 +231,11 @@ static size_t eapol_get_mic_length(enum ie_rsn_akm_suite akm, size_t pmk_len)
l_error("Invalid PMK length of %zu for OWE", pmk_len);
return 0;
}
case IE_RSN_AKM_SUITE_FILS_SHA256:
case IE_RSN_AKM_SUITE_FILS_SHA384:
case IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256:
case IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384:
return 0;
default:
return 16;
}
@ -254,6 +259,8 @@ uint8_t *eapol_decrypt_key_data(enum ie_rsn_akm_suite akm, const uint8_t *kek,
switch (akm) {
case IE_RSN_AKM_SUITE_FILS_SHA256:
case IE_RSN_AKM_SUITE_FILS_SHA384:
case IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256:
case IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384:
if (key_data_len < 16)
return NULL;
@ -329,13 +336,16 @@ uint8_t *eapol_decrypt_key_data(enum ie_rsn_akm_suite akm, const uint8_t *kek,
break;
case IE_RSN_AKM_SUITE_FILS_SHA256:
case IE_RSN_AKM_SUITE_FILS_SHA384:
case IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256:
case IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384:
{
struct iovec ad[1];
ad[0].iov_base = (void *)frame;
ad[0].iov_len = key_data - (const uint8_t *)frame;
if (akm == IE_RSN_AKM_SUITE_FILS_SHA256)
if (akm == IE_RSN_AKM_SUITE_FILS_SHA256 || akm ==
IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256)
kek_len = 32;
else
kek_len = 64;
@ -1220,10 +1230,7 @@ static void eapol_handle_ptk_1_of_4(struct eapol_sm *sm,
goto error_unspecified;
}
if (sm->handshake->akm_suite &
(IE_RSN_AKM_SUITE_FT_OVER_8021X |
IE_RSN_AKM_SUITE_FT_USING_PSK |
IE_RSN_AKM_SUITE_FT_OVER_SAE_SHA256)) {
if (IE_AKM_IS_FT(sm->handshake->akm_suite)) {
/*
* Rebuild the RSNE to include the PMKR1Name and append
* MDE + FTE.

View File

@ -2565,10 +2565,7 @@ process_resp_ies:
netdev->owe_sm = NULL;
}
/* FILS handles its own FT key derivation */
if (fte && !(netdev->handshake->akm_suite &
(IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256 |
IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384))) {
if (fte) {
uint32_t kck_len =
handshake_state_get_kck_len(netdev->handshake);
/*