3
0
mirror of https://git.kernel.org/pub/scm/network/wireless/iwd.git synced 2024-10-31 17:19:22 +01:00
Commit Graph

291 Commits

Author SHA1 Message Date
Andrew Zaborowski
0651c2c430 eapol: Drop unused eapol_sm_set_event_func 2019-10-30 14:34:20 -05:00
Andrew Zaborowski
dcf419ee7f eapol: Move the EAP events to handshake event handler
On EAP events, call the handshake_event handler with the new event type
HANDSHAKE_EVENT_EAP_NOTIFY isntead of the eapol_event callback.

This allows the handler to be set before calling
netdev_connect/netdev_connect_wsc.  It's also in theory more type-safe
because we don't need the cast in netdev_connect_wsc anymore.
2019-10-30 14:26:09 -05:00
Andrew Zaborowski
0cccbea904 handshake: Convert handshake event callbacks variadic functions
Convert the handshake event callback type to use variable argument
list to allow for more flexibility in event-specific arguments
passed to the callbacks.

Note the uint16_t reason code is promoted to an int when using variable
arguments so va_arg(args, int) has to be used.
2019-10-30 14:24:05 -05:00
Marcel Holtmann
152b56a12a treewide: Move the Intel copyright forward to 2019 2019-10-25 00:43:08 +02:00
Denis Kenzior
d4d35c7872 eapol: Use CamelCase for [EAPoL] settings 2019-10-24 15:58:08 -05:00
James Prestwood
0d9c9274d9 eapol: do not parse RSN for WPA1 in 1 of 4
A recent change checked the return value of ie_parse_rsne_from_data
inside the ptk 1/4 handler. This seemed safe, but actually caused
the eapol unit test to fail.

The reason was because eapol was parsing the IEs assuming they were
an RSN, when they could be a WPA IE (WPA1 not WPA2). The WPA case
does not end up using the rsn_info at all, so having rsn_info
uninitialized did not pose a problem. After adding the return value
check it was found this fails every time for WPA1.

Since the rsn_info is not needed for WPA1 we can only do the RSN
parse for WPA2 and leave rsn_info uninitialized.
2019-10-17 18:48:18 -05:00
James Prestwood
de3a267d03 eapol: check return of ie_parse_rsne_from_data 2019-10-16 21:24:25 -05:00
James Prestwood
91c449d74a eapol: reorder eapol_sm_free
Technically there's no problem here as l_queue_remove does not
dereference the pointer.  Still, it confuses certain static analysis
tools in the current form. Reordering this will not change the behavior
at all.
2019-10-16 21:16:28 -05:00
James Prestwood
369c5fbd0b eapol: utilize IWD_MODULE
This converts eapol to using IWD modules. The init/exit APIs did need
to remain exposed for unit tests.

Netdev was updated to depend on eapol.
2019-10-11 15:36:45 -05:00
Denis Kenzior
b3881b84c1 eapol: Propagate noencrypt and use it
We were not using or taking into account the noencrypt flag obtained
from the kernel via CONTROL_PORT events.  For the most part this still
worked as the kernel would never include NO_ENCRYPT flag (due to a bug).
However, this was actually incorrect and led to loss of synchronization
between the AP and STA 4-Way handshake state machines when certain
packets were lost and had to be re-transmitted.
2019-08-27 20:50:07 -05:00
Andrew Zaborowski
9a9ff9f2f3 eapol: Don't l_queue_remove from state_machines while destroying it
We do an l_queue_destroy(state_machines, eapol_sm_destroy) so don't
l_queue_remove from state_machines inside eapol_sm_destroy.
2019-08-23 09:32:57 -05:00
Marcel Holtmann
f41d85112e eapol: Make global variables static 2019-08-15 19:32:37 +02:00
Marcel Holtmann
884dcbab92 eapol: Remove unused global variable 2019-08-15 19:31:54 +02:00
Denis Kenzior
0f6d1ece78 eapol: Remove eapol_sm_set_protocol_version
Handshake state will now pick reasonable defaults
2019-07-15 21:45:58 -05:00
James Prestwood
d3baec4eee eapol: add eapol_find_osen
The OSEN AKM uses the vendor specific IE, so when finding the RSNE
element we need to handle it specially to ensure that its both
a vendor specific element and it matches the WFA OUI since other
vendor specific elements may be included.
2019-06-10 18:22:44 -05:00
James Prestwood
039ae3659b eapol: handshake: add OSEN AKM
The handshake procedure for OSEN is part of the 'AKM_DEFINED' group
of AKMs.
2019-06-07 17:10:49 -05:00
James Prestwood
4097a49669 eapol: add FILS-FT AKMs to eapol_start
This will prevent FILS-FT from starting the 4-way handshake as it
does for regular FILS
2019-05-22 16:29:23 -05:00
James Prestwood
869cac4bec eapol: remove eapol_set_started, no longer needed 2019-05-03 14:37:11 -05:00
James Prestwood
d02c038a0d eapol: allow FILS to use eapol_start
A new eapol API was added specifically for FILS (eapol_set_started). Since
either way is special cased for FILS, its a bit cleaner to just check the
AKM inside eapol_start and, if FILS, dont start any timeouts or start the
handshake (effectively what eapol_set_started was doing).
2019-05-03 14:08:28 -05:00
James Prestwood
6ac189315a eapol: allow FILS PTK rekeys
As with FILS GTK rekeys, the PTK rekeys use AES-SIV to encrypt and
do not use a MIC
2019-04-26 16:06:53 -05:00
James Prestwood
83212f9b23 eapol: change eapol_create_common to support FILS
FILS needs to allocate an extra 16 bytes of key data for the AES-SIV
vector. Instead of leaving it up to the caller to figure this out (as
was done with the GTK builder) eapol_create_common can allocate the
extra space since it knows the MIC length.

This also updates _create_gtk_2_of_2 as it no longer needs to create
an extra data array.
2019-04-26 14:00:12 -05:00
James Prestwood
4f7d7684a3 eapol: add common function for AES-SIV
To avoid duplicate code in PTK/GTK rekeys a common function was
added which performs the encryption in place in the key frame.
2019-04-26 12:36:37 -05:00
James Prestwood
2fd755c285 eapol: update eapol_key_handle to work with FILS rekeys
Since FILS does not use a MIC, the 1/4 handler would always get called
for FILS PTK rekeys. We can use the fact that message 1/4 has no MIC as
well as no encrypted data to determine which packet it is. Both no MIC
and no encrypted data means its message 1/4. Anything else is 3/4.
2019-04-26 12:35:53 -05:00
James Prestwood
62097e7d82 crypto: allow PTK derivation using SHA384
crypto_derive_pairwise_ptk was taking a boolean to decide whether to
use SHA1 or SHA256, but for FILS SHA384 may also be required for
rekeys depending on the AKM.

crypto_derive_pairwise_ptk was changed to take l_checksum_type instead
of a boolean to allow for all 3 SHA types.
2019-04-26 12:28:40 -05:00
James Prestwood
733679ff7f eapol: Update _verify_ptk_3_of_4 to work with no MIC
A similar change was made to _verify_gtk_1_of_2 in order for
verification to work when no MIC is being used (FILS rekeys)
2019-04-26 12:24:42 -05:00
James Prestwood
349acf292f eapol: fix kek length for FILS rekeys (SHA384)
FILS-SHA384 got overlooked and the kek length was being hard coded
to 32 bytes when encrypting the key data. There was also one occurence
where the kek_len was just being set incorrectly.
2019-04-17 19:33:55 -05:00
James Prestwood
799a29d37c eapol: only check for snonce if MIC is used
In eapol_key_handle, 'have_snonce' is checked before decrypting the
key data. For FILS, there will be no snonce so this check can be
skipped if mic_len == 0.
2019-04-17 18:40:46 -05:00
James Prestwood
c21f3cd2a4 eapol: allow FILS GTK handshake
The GTK handshake for FILS uses AES-SIV to encrypt the key data, and
does away with the MIC completely. Now, when finalizing the 2/2 GTK
packet we check the MIC length, and if zero we assume FILS is being
used and we use AES-SIV to encrypt the key data.

For FILS, there is no actual data being encrypted for GTK 2/2 (hence
why the input data length is zero). This results in only the SIV
being generated, which essentially serves the same purpose as a MIC.
2019-04-17 18:40:46 -05:00
James Prestwood
a6640f1b7a eapol: allow eapol_decrypt_key_data to work with FILS
FILS falls under the 'AKM defined' key descriptor, and uses AES-SIV.
2019-04-17 18:40:46 -05:00
James Prestwood
368d6714b9 eapol: allow _create_gtk_2_of_2 to work without MIC
FILS does not use a MIC, as well as requires encrypted data on GTK 2/2.
This updates eapol_create_gtk_2_of_2 to pass in extra data to
eapol_create_common, which will reserve room for this encrypted data.
Extra data is only reserved if mic_len == 0.
2019-04-17 18:40:46 -05:00
James Prestwood
ca63ac2342 eapol: allow eapol_create_common to work with no MIC
FILS does not use a MIC in EAPoL frames and also requires encrypted
data on all EAPoL frames. In the common builder the mic_len is now
checked and the flags are set appropriately.
2019-04-17 18:40:46 -05:00
James Prestwood
62e20ca285 eapol: pass mic_len in gtk 1/2 verify
FILS authentication does away with the MIC, so checking for key_mic
in the eapol key frame does not allow FILS to work. Now we pass in
the mic_len to eapol_verify_gtk_1_of_2, and if it is non-zero we can
check that the MIC is present in the frame.
2019-04-17 18:40:46 -05:00
James Prestwood
82eeef1c29 eapol: add eapol_set_started
FILS does not require an eapol_sm for authentication, but rekeys
are still performed using the 4-way handshake. Because of this
FILS needs to create a eapol_sm in a 'started' state, but without
calling eapol_start as this will initialize EAP and create handshake
timeouts.

This allows EAPoL to wait for any 4-way packets, and handle them
as rekeys.
2019-04-17 18:40:46 -05:00
James Prestwood
433373fe28 eapol: cache ERP keys on EAP success 2019-04-17 17:06:25 -05:00
James Prestwood
e963e64f9b eap: export session ID as key materials
ERP/FILS requires the session ID which is derived internally to an
EAP method.
2019-04-10 16:55:29 -05:00
Denis Kenzior
b97d3f2a82 eapol: Use l_container_of 2019-04-03 11:49:36 -05:00
Marcel Holtmann
3f3e778719 build: Add support for including fallbacks for missing defines 2019-04-03 18:34:22 +02:00
Denis Kenzior
570abd7bfb eapol: Convert memsets to explicit_bzero
We were wiping out certain secrets via memset.  Convert them to
explicit_bzero just in case the compiler decides to optimize them out.
2019-03-19 11:25:22 -05:00
Andrew Zaborowski
f76e10799f eapol,handshake: Memzero copies of secrets 2019-03-19 11:20:40 -05:00
James Prestwood
0288c537a2 eapol: have eapol_encrypt_key_data return length/error
Since eapol_encrypt_key_data already calculates the key data length and
encodes it into the key frame, we can just return this length and avoid
having to obtain it again from the frame.
2019-03-18 18:02:37 -05:00
Denis Kenzior
bd7f8bf613 eapol: Relax message 2 / 4 key_length check
Seems certain Apple implementations set the key length to 16, even
though it should be 0.
2019-02-07 10:13:17 -06:00
James Prestwood
8edaa23f8a eapol: emit HANDSHAKE_EVENT_REKEY_FAILED
If we receive handshake message 1/4 after we are already connected
the AP is attempting to rekey. This may not be allowed and if not
we do not process the rekey and emit HANDSHAKE_EVENT_REKEY_FAILED
so any listeners can handle accordingly.
2019-01-28 15:38:47 -06:00
James Prestwood
d79b2b28ec eapol: use HMAC-SHA384 for OWE in MIC calculation 2019-01-17 15:20:28 -06:00
James Prestwood
532c9a5521 eapol: Add OWE cases for different key lengths
In preparation for OWE supporting multiple groups eapol needed some
additional cases to handle the OWE AKM since OWE dictates the KEK,
KCK and MIC key lengths (depending on group).
2019-01-17 15:20:28 -06:00
James Prestwood
2c82d6b223 crypto: pass PMK length to crypto_derive_pairwise_ptk
Right now the PMK is hard coded to 32 bytes, which works for the vast
majority of cases. The only outlier is OWE which can generate a PMK
of 32, 48 or 64 bytes depending on the ECC group used. The PMK length
is already stored in the handshake, so now we can just pass that to
crypto_derive_pairwise_ptk
2019-01-17 15:20:28 -06:00
James Prestwood
6771a06463 crypto/handshake/eapol: Allow other PTK lengths
The crypto_ptk was hard coded for 16 byte KCK/KEK. Depending on the
AKM these can be up to 32 bytes. This changes completely removes the
crypto_ptk struct and adds getters to the handshake object for the
kck and kek. Like before the PTK is derived into a continuous buffer,
and the kck/kek getters take care of returning the proper key offset
depending on AKM.

To allow for larger than 16 byte keys aes_unwrap needed to be
modified to take the kek length.
2019-01-17 15:20:28 -06:00
James Prestwood
374b367ba4 eapol: allow 16, 24 and 32 byte MIC lengths
The MIC length was hard coded to 16 bytes everywhere, and since several
AKMs require larger MIC's (24/32) this needed to change. The main issue
was that the MIC was hard coded to 16 bytes inside eapol_key. Instead
of doing this, the MIC, key_data_length, and key_data elements were all
bundled into key_data[0]. In order to retrieve the MIC, key_data_len,
or key_data several macros were introduced which account for the MIC
length provided.

A consequence of this is that all the verify functions inside eapol now
require the MIC length as a parameter because without it they cannot
determine the byte offset of key_data or key_data_length.

The MIC length for a given handshake is set inside the SM when starting
EAPoL. This length is determined by the AKM for the handshake.
2019-01-17 15:20:28 -06:00
Denis Kenzior
e256cbaba9 eapol: Don't memcpy if no extra data
As reported by the sanitizer:

src/eapol.c:574:2: runtime error: null pointer passed as argument 2,
	which is declared to never be null
2019-01-11 17:10:47 -06:00
Denis Kenzior
12189fcf39 conf: Increase default eapool handshake timeout 2019-01-09 21:13:53 -06:00
Andrew Zaborowski
6bf365d9a4 eapol: Check handshake_state_get_pmkid return value
Don't proceed with the handshake if handshake_state_get_pmkid fails
(shouldn't happen, but it's an error situation)
2018-12-19 10:05:16 -06:00
Denis Kenzior
52771de1a5 eapol: Further relax PMKID check
If we haven't sent a PMKID, and we're not running EAP, then ignore
whatever PMKID the AP sends us.  Frequently the APs send us garbage in
this field.  For PSK and related AKMs, if the PMK is wrong, then we
simply fail to generate a proper MIC and the handshake would fail at a
later stage anyway.
2018-11-28 19:06:33 -06:00
James Prestwood
126993b9e3 eapol: Add OWE to MIC calculate/verify
This allows eapol to work with the OWE AKM type. Similar shortcuts were
taken as with SAE since, for now, both only support a single ECC group.
2018-11-16 17:02:13 -06:00
James Prestwood
1d62f4ec0e eapol: remove unused public eapol functions from header
After moving AP EAPoL code into eapol.c there were a few functions that
no longer needed to be public API's. These were changed to static's and
the header definition was removed.
2018-11-02 14:05:44 -05:00
Marcel Holtmann
554e4f55db build: Fix includes for using with -std=c99 compiler option 2018-11-01 22:37:11 +01:00
Marcel Holtmann
013bae6d3d eapol: Make eapol_frame_watch_{add,remove} functions static 2018-11-01 10:27:22 +01:00
James Prestwood
e678d6655f netdev: signal handshake complete after setting all keys
Currently, netdev triggers the HANDSHAKE_COMPLETE event after completing
the SET_STATION (after setting the pairwise key). Depending on the timing
this may happen before the GTK/IGTK are set which will result in group
traffic not working initially (the GTK/IGTK would still get set, but group
traffic would not work immediately after DBus said you were connected, this
mainly poses a problem with autotests).

In order to fix this, several flags were added in netdev_handshake_state:
ptk_installed, gtk_installed, igtk_installed, and completed. Each of these
flags are set true when their respective keys are set, and in each key
callback we try to trigger the handshake complete event (assuming all the
flags are true). Initially the gtk/igtk flags are set to true, for reasons
explained below.

In the WPA2 case, all the key setter functions are called sequentially from
eapol. With this change, the PTK is now set AFTER the gtk/igtk. This is
because the gtk/igtk are optional and only set if group traffic is allowed.
If the gtk/igtk are not used, we set the PTK and can immediately trigger the
handshake complete event (since gtk_installed/igtk_installed are initialized
as true). When the gtk/igtk are being set, we immediately set their flags to
false and wait for their callbacks in addition to the PTK callback. Doing it
this way handles both group traffic and non group traffic paths.

WPA1 throws a wrench into this since the group keys are obtained in a
separate handshake. For this case a new flag was added to the handshake_state,
'wait_for_gtk'. This allows netdev to set the PTK after the initial 4-way,
but still wait for the gtk/igtk setters to get called before triggering the
handshake complete event. As a precaution, netdev sets a timeout that will
trigger if the gtk/igtk setters are never called. In this case we can still
complete the connection, but print a warning that group traffic will not be
allowed.
2018-10-26 15:26:49 -05:00
Marcel Holtmann
3fa63ede50 eapol: Use full include path local includes 2018-10-26 21:31:52 +02:00
Andrew Zaborowski
8632b81397 eapol: Add GTK data to msg 3/4 of the handshake 2018-09-24 14:53:41 -05:00
James Prestwood
8064cb599a ie: introduce IE_AKM_IS_SAE macro
To prepare for FT over SAE, several case/if statements needed to include
IE_RSN_AKM_SUITE_FT_OVER_SAE. Also a new macro was introduced to remove
duplicate if statement code checking for both FT_OVER_SAE and SAE AKM's.
2018-09-21 11:26:05 -05:00
Marcel Holtmann
1e37ef31fe eapol: Move eapol_key_validate() into eapolutil helper 2018-09-14 17:31:42 +02:00
Andrew Zaborowski
5f3cdc2093 handshake: Rename own_ie/ap_ie and related setters
To avoid confusion in case of an authenticator side handshake_state
structure and eapol_sm structure, rename own_ie to supplicant_ie and
ap_ie to authenticator_ie.  Also rename
handshake_state_set_{own,ap}_{rsn,wpa} and fix when we call
handshake_state_setup_own_ciphers.  As a result
handshake_state_set_authenticator, if needed, should be called before
handshake_state_set_{own,ap}_{rsn,wpa}.
2018-08-27 11:42:45 -05:00
Andrew Zaborowski
ddbc49538e ap: Drop a RSNE check
After EAPOL logic was moved to eapol.c a check was added to
ap_associate_sta_cb to bitwise compare the AP's RSNE to the RSNE
received in the (Re)Association frame.  There is as far as I know no
reason for them to be the same (although they are in our autotest) and
if there was a reason we'd rather validate the (Re)Association RSNE
immediately when received.  We also must set different RSNEs as the
"own" (supplicant) and "ap" RSNEs in the handshake_state for validation
of step 2/4 in eapol.c (fixes wpa_supplicant's and MS Windows
connections being rejected)
2018-08-23 22:03:38 -05:00
James Prestwood
986f66a3c6 eapol: removed authenticator bit and auth register
This removes the authenticator bit in eapol_sm as well as unifies
eapol_register_authenticator and eapol_register. Taking advantage
of the handshake state authenticator bit we no longer have a need
for 2 separate register functions.

ap, and adhoc were also updated to set the authenticator bit in
the handshake and only use eapol_register to register their sm's.

netdev was updated to use the authenticator bit when choosing the
correct key address for adhoc.
2018-08-15 12:40:38 -05:00
James Prestwood
43b70b37d9 eapol: added key description type 0
This also required passing in the akm suite in case the key description
version was zero. In the zero case the akm must be checked. For now this
only supports the SAE akm.
2018-08-09 15:05:56 -05:00
Denis Kenzior
efecce772f eapol: Fix memory allocation issues
When the EAPOL-Key data field is encrypted using AES Wrap, check
that the data field is large enough before calculating the expected
plaintext length.

Previously, if the encrypted data field was smaller than 8 bytes, an
integer underflow would occur when calculating the expected plaintext
data length. This would cause iwd to try to allocate a huge amount of
memory, which causes it to abort and terminate. If the data field was
equal to 8 bytes, iwd would try to allocate 0 bytes of memory, making
l_new return NULL, which subsequently causes iwd to crash on a NULL
pointer deference.

Reported-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-07-16 10:51:13 -05:00
Denis Kenzior
7f844a2520 eapol: Relax key_iv checks
Many APs don't send properly zerod key_iv elements in EAPoL-Key frames.
In the past iwd has complained, but this broken behavior is so
prevalent, that it is likely a lost cause.

This patch takes out these warnings
2018-07-01 20:57:38 -05:00
Denis Kenzior
1c9a1ea46d eapol: Handle all zero PMKID 2018-07-01 20:48:11 -05:00
James Prestwood
92f1ceb3ce netdev/eapol: removed eapol deauthenticate
This removes the need for the eapol/netdev deauthenticate function.
netdev_handshake_failed was exposed so device.c could issue the
disconnect.
2018-06-27 16:17:14 -05:00
James Prestwood
9d4f1b4ca6 eapol: moved AP authenticator into eapol
Includes:
 - support for handling ptk 2/4 and 4/4. Also sending 1/4 and 3/4.
 - new API to register an authenticator SM. This automatically
   sends 1/4 to kick off authentication with an sta.
2018-06-22 14:40:20 -05:00
James Prestwood
aac00bf33a handshake: remove handshake related netdev events
Handshake related netdev events were removed in favor of
handshake events. Now events will be emitted on the handshake
object related to the 4-way handshake and key settings. Events
are:

HANDSHAKE_EVENT_STARTED
HANDSHAKE_EVENT_SETTING_KEYS
HANDSHAKE_EVENT_COMPLETE
HANDSHAKE_EVENT_FAILED

Right now, since netdev only operates in station mode, nothing
listens for COMPLETE/FAILED, as device/wsc gets notified by the
connect_cb when the connection was successful. The COMPLETE/
FAILED were added in preperation for AP moving into eapol/netdev.
2018-06-22 14:21:50 -05:00
Denis Kenzior
9bcb2b75ac eapol: On success, reset EAP state
Instead of destroying the EAP object, just reset its state in case the
EAP process completed successfully.  This allows EAP Reauthentication to
work.
2018-05-30 15:09:42 -05:00
Denis Kenzior
c31cf5d383 eapol: Fully separate eapol transport details
With the introduction of Control Port Over NL80211 feature, the
transport details need to be moved out of eapol and into netdev.c.
Whether a given WiFi hardware supports transfer of Control Port packets
over NL80211 is Wiphy and kernel version related, so the transport
decisions need to be made elsewhere.
2018-05-01 11:14:04 -05:00
James Prestwood
50eae9bf87 eapol: process config setting for handshake timeout
The eapol handshake timeout can now be configured in main.conf
(/etc/iwd/main.conf) using the key eapol_handshake_timeout. This
allows the user to configure a long timeout if debugging.
2018-04-02 13:54:25 -05:00
Andrew Zaborowski
5a17c2275f eapol: Make sure rsn_info is initialized in eapol_handle_ptk_1_of_4
After an EAP exchange rsn_info would be uninitialized and in the FT case
we'd use it to generate the step 2 IEs which would cause an RSNE
mismatch during FT handshake.
2018-03-15 11:40:17 -05:00
Andrew Zaborowski
8b534ba067 eapol: In FT-EAP use all 64 bytes of the MSK
Until now we'd save the second 32 bytes of the MSK as the PMK and use
that for the PMK-R0 as well as the PMKID calculation.  The PMKID
actually uses the first 32 bytes of the PMK while the PMK-R0's XXKey
input maps to the second 32 bytes.  Add a pmk_len parameter to
handshake_state_set_pmk to handle that.  Update the eapol_eap_results_cb
802.11 quotes to the 2016 version.
2018-03-15 11:40:17 -05:00
Andrew Zaborowski
7e8e8b2ac2 eapol: Stop eapol timeout after step 3/4
Move the cancelling of the eapol timeout from the end of step 1 to
step 3 to guard the whole handshake.  At the end of step 1 stop the
EAPOL-Start timeout for the case of 802.1X authentication + a cached
PMKSA (not used yet.)
2018-02-13 12:46:27 -06:00
Tim Kourt
3f4b5a98f5 eapol: provide feedback from eapol_start, refactor 2017-10-30 08:51:28 -05:00
Andrew Zaborowski
ffcda135d2 eapol: Check for "No Group Traffic" group cipher suite 2017-10-23 11:14:40 -05:00
Denis Kenzior
2c565019c7 eapol: Silence uninitialized var warnings 2017-10-20 07:41:56 -05:00
Denis Kenzior
7f8f45220e eapol: Do not install the same GTK/IGTK
Track the contents and size of the GTK and IGTK and if the Authenticator
(or an adversary) tries to set the same GTK/IGTK, process the packet
normally but do not resubmit the GTK/IGTK to the kernel.
2017-10-19 16:47:35 -05:00
Denis Kenzior
cd7af67aac eapol: Tighten up GTK/IGTK KDE validation
GTK KDE was being checked for being a minimum of 6 bytes.  Not quite
sure why since the minimum GTK key length is 16 bytes for CCMP.
Similarly make sure that the maximum length is not more than 32, which
is currently the largest key size (TKIP)
2017-10-19 16:47:35 -05:00
Denis Kenzior
c93a52c066 eapol: Handle retransmissions 2017-10-19 16:47:29 -05:00
Denis Kenzior
f07164b2ef eapol: Remove unneeded {} 2017-10-18 20:40:10 -05:00
Denis Kenzior
ac5d8c2b34 eapol: Reword comment 2017-10-18 20:39:31 -05:00
Denis Kenzior
bee04b179e eapol: Fail handshake if MIC calculation fails
This is a bizarre case since MIC calculation succeeded for the incoming
packet.  But just in case MIC calculation fails for the outgoing packet,
kill the handshake.
2017-10-18 20:38:54 -05:00
Denis Kenzior
c1a0e844b0 eapol: Tighten up replay counter handling 2017-10-18 20:31:49 -05:00
Denis Kenzior
ffbf10fa31 eapol: Remove erroneous comments
The comments quoted sections of the specification that indicated STA
behavior for verifying Message 3 of 4 or GTK 1 of 2.  But in reality the
code directly below simply calculated the MIC for Message 4 of 4 or GTK
2 of 2.
2017-10-16 14:41:57 -05:00
Andrew Zaborowski
dae0abbac8 eapol: Use frame watches for preauth_sm 2017-10-12 11:14:59 -05:00
Andrew Zaborowski
cc4da26f69 eapol: Use frame watches for eapol_sm, refactor
Use eapol_frame_watch_add/eapol_frame_watch_remove in eapol_sm, while
there simplify the early_frame logic and confirm sender address for
received frames.
2017-10-12 11:13:51 -05:00
Andrew Zaborowski
89c2f14683 eapol: Add eapol_append_key_data utility
Add a utility to append a KDE to the key_data field in an EAPoL frame.
The KDE types enum is actually added to handshake.h because we've got
the utilities for finding those KDEs in a buffer there.  The new
function is specific to EAPoL-Key frames though and perhaps to simple to
be split across handshake.c and eapol.c.  Also it didn't seem useful to
use the ie_tlv_builder here.
2017-09-22 12:38:42 -05:00
Andrew Zaborowski
275cc2789d eapol: Make eapol_find_rsne non-static
EAPoL server can reuse this function.
2017-09-12 14:29:25 -05:00
Andrew Zaborowski
6be08a3604 eapol: Add eapol_tx_frame
Allow other files to send EAPoL frames.
2017-09-07 16:16:45 -05:00
Andrew Zaborowski
f05c3c30d1 eapol: Add eapol_frame_watch_add / remove
Allow other files to receive EAPoL frames on specified interfaces.
2017-09-07 16:16:42 -05:00
Andrew Zaborowski
303683c89f mpdu: Refactor mpdu structs
Refactor management frame structures to take into account optional
presence of some parts of the header:
 * drop the single structure for management header and body since
   the body offset is variable.
 * add mmpdu_get_body to locate the start of frame body.
 * drop the union of different management frame type bodies.
 * prefix names specific to management frames with "mmpdu" instead
   of "mpdu" including any enums based on 802.11-2012 section 8.4.
 * move the FC field to the mmpdu_header structure.
2017-08-31 15:11:30 -05:00
Andrew Zaborowski
66325e8c9b eapol: Implement eapol_encrypt_key_data
Add a function to do the inverse of eapol_decrypt_key_data to be used in
eapol server.  Only AES-based versions supported.
2017-08-31 13:21:05 -05:00
Andrew Zaborowski
092ede1147 eapol: Stricter length check in eapol_decrypt_key_data
The plaintext key_data + padding must be at least 16 bytes so the
AES-encrypted key_data must be at least 24 bytes.
2017-08-30 22:42:20 -05:00
Andrew Zaborowski
eda160de12 eapol: Set a timeout for preauthentication
Wait 1 second for the first EAP frame to be received, after that wait up
to 3 seconds for all of EAP to complete.
2017-08-25 11:26:26 -05:00
Andrew Zaborowski
23af935e7b eapol: Add eapol_sm_set_require_handshake
Function to allow netdev.c to explicitly tell eapol.c whether to expect
EAP / 4-Way handshake.  This is to potentially make the code more
descriptive, until now we'd look at sm->handshake->ptk_complete to see
if a new PTK was needed.

A 4-Way handshake is required on  association to an AP except after FT.
2017-08-21 18:35:00 -05:00
Andrew Zaborowski
faba9d509a eapol: After EAP skip the RSNE PMKID check in step 1/4
Skip the matching of the PMKID KDE to the PMKID list in the RSNE if
we've seen a new EAP authentication before the step 1/4 was received.
That would mean that the server had not accepted the PMKIDs we submitted
and we performed a new 8021X authentication, producing a new PMKSA which
won't be on the list in the RSNE.
2017-05-04 10:50:29 -05:00
Andrew Zaborowski
b910784e83 eapol: Add preauth_sm class, drop eapol_sm.preauth
Remove the preauthentication support code from the normal eapol_sm
methods and add a separate simplified class that only handles EAP
packets.
2017-05-01 11:13:32 -05:00