3
0
mirror of https://git.kernel.org/pub/scm/network/wireless/iwd.git synced 2024-11-09 21:49:23 +01:00
Commit Graph

66 Commits

Author SHA1 Message Date
James Prestwood
63b0778c99 handshake: add callback for extended key IDs
The procedure for setting extended key IDs is different from the
single PTK key. The key ID is toggled between 0 and 1 and the new
key is set as RX only, then set to RX/TX after message 4/4 goes
out.

Since netdev needs to set this new key before sending message 4,
eapol can include a built message which netdev will store if
required (i.e. using PAE).
2021-10-08 08:40:29 -05:00
James Prestwood
fba3b90c11 handshake: add flags/key index for extended key IDs
ext_key_id_capable indicates the handshake has set the capability bit
in the RSN info. This will only be set if the AP also has the capability
set.

active_tk_index is the key index the AP chose in message 3. This is
now used for both legacy (always zero) and extended key IDs.
2021-10-08 08:39:27 -05:00
James Prestwood
1187fcbf42 handshake: free chandef if already set
This can happen with FT, since the handshake object is reused.
2021-09-23 17:46:57 -05:00
Denis Kenzior
8ada894f70 handshake: Add OCV utilities
Add a utility for setting the OCI obtained from the hardware (prior to
handshake starting) as well as a utility to validate the OCI obtained
from the peer.
2021-09-21 15:39:07 -05:00
Denis Kenzior
5e631c8af8 handshake: Refactor ie setters
Calling handshake_state_setup_own_ciphers from within
handshate_state_set_authenticator_ie was misleading.  In all cases the
supplicant chooses the AKM.  This worked since our AP code only ever
advertises a single AKM, but would not work in the general case.

Similarly, the supplicant would choose which authentication type to use
by either sending the WPA1 or WPA2 IE (or OSEN).  Thus the setting of
the related variables in handshake_state_set_authenticator_ie was also
incorrect.  In iwd, the supplicant_ie would be set after the
authenticator_ie, so these settings would be overwritten in most cases.

Refactor these two setters so that the supplicant's chosen rsn_info
would be used to drive the handshake.
2021-09-20 15:19:27 -05:00
Denis Kenzior
c235c9fa54 handshake: Only bitwise compare when needed
handshake_util_ap_ie_matches() is used to make sure that the RSN element
received from the Authenticator during handshake / association response
is the same as the one advertised in Beacon/Probe Response frames.  This
utility tries to bitwise compare the element first, and only if that
fails, compares RSN members individually.

For FT, bitwise comparison will always fail since the PMKID has to be
included by the Authenticator in any RSN IEs included in Authenticate
& Association Response frames.

Perform the bitwise comparison as an optimization only during processing
of eapol message 3/4.  Also keep the parsed rsn information for future
use and to possibly avoid re-parsing it during later checks.
2021-09-17 09:19:26 -05:00
Denis Kenzior
77d2d79ac2 handshake: Also check OCVC bit 2021-09-17 08:22:40 -05:00
Andrew Zaborowski
d383a49b7b station, netdev: Enable FILS IP Address Assignment
Send and receive the FILS IP Address Assignment IEs during association.
As implemented this would work independently of FILS although the only
AP software handling this mechanism without FILS is likely IWD itself.

No support is added for handling the IP assignment information sent from
the server after the initial Association Request/Response frames, i.e.
the information is only used if it is received directly in the
Association Response without the "response pending" bit, otherwise the
DHCP client will be started.
2021-08-31 10:04:36 -05:00
Denis Kenzior
f24cfa481b handshake: Add setter for vendor IEs
Some connections, like Hotspot require additional IEs to be used during
the Association.  These are now passed as 'extra_ies' when invoking
netdev_connect, however they are also needed during ReAssociation and FT
to such APs.

Additionally, it may be that Hotspot-enabled APs will start utilizing
FILS or SAE.  In these cases the extra_ies need to be accounted for
somehow, either by making a copy in handshake_state, netdev, or the
auth_proto itself.  Similarly, P2P which heavily uses vendor IEs can be
used over SAE in the future.

Since a copy of these IEs is needed, might as well store them in
handshake_state itself for easy book-keeping by network/station.
2021-08-06 14:04:25 -05:00
James Prestwood
95574e4538 handshake: unref erp_cache when handshake is freed
This makes the erp_cache ownership more consisten rather than
relying on the ERP state to free the cache.
2021-08-03 16:29:30 -05:00
Denis Kenzior
f7b59750d0 handshake: Add handshake_util_find_kde 2021-07-27 14:02:43 -05:00
Denis Kenzior
6470601a34 handshake: Add support for RSNXE
Allow handshake_state to track Authenticator & Supplicant RSN Extension
elements (RSNXE)s.
2021-07-14 09:55:49 -05:00
Denis Kenzior
37bc48add4 handshake: Optimize replacement of IEs
During processing of Connect events by netdev, some of these elements
might be updated even when already set.  Instead of issuing
l_free/l_memdup each time, check and see whether the elements are
bitwise identical first.
2021-07-14 09:55:49 -05:00
Denis Kenzior
de04e6d723 handshake: Allow adding of ECC SAE-PT points 2021-07-14 09:55:49 -05:00
Andrew Zaborowski
074bc52717 eapol,ap: Remove assumption of single cipher in authenticator IE
Allow the user of the eapol_sm & handshake_state APIs to have multiple
pairwise ciphers listed in the authenticator IE.
2021-02-01 10:06:21 -06:00
Denis Kenzior
1cc7346d6a handshake: Change signature of (i)gtk setters 2020-04-02 00:41:02 -05:00
James Prestwood
972762b116 handshake: fix OWE PTK derivation
This bug has been in here since OWE was written, but a similar bug also
existed in hostapd which allowed the PTK derivation to be identical.
In January 2020 hostapd fixed this bug, which now makes IWD incompatible
when using group 20 or 21.

This patch fixes the bug for IWD, so now OWE should be compatible with
recent hostapd version. This will break compatibility with old hostapd
versions which still have this bug.
2020-03-20 23:50:55 -05:00
Torstein Husebø
759dbdd37f treewide: fix typos 2020-01-21 16:03:28 -06:00
Andrew Zaborowski
0cccbea904 handshake: Convert handshake event callbacks variadic functions
Convert the handshake event callback type to use variable argument
list to allow for more flexibility in event-specific arguments
passed to the callbacks.

Note the uint16_t reason code is promoted to an int when using variable
arguments so va_arg(args, int) has to be used.
2019-10-30 14:24:05 -05:00
Marcel Holtmann
152b56a12a treewide: Move the Intel copyright forward to 2019 2019-10-25 00:43:08 +02:00
Denis Kenzior
d984c605f7 handshake: Add handshake_state_set_protocol_version 2019-07-15 21:45:12 -05:00
James Prestwood
058d65c686 handshake: handle OSEN AKM when setting IEs 2019-06-10 18:21:57 -05:00
James Prestwood
039ae3659b eapol: handshake: add OSEN AKM
The handshake procedure for OSEN is part of the 'AKM_DEFINED' group
of AKMs.
2019-06-07 17:10:49 -05:00
James Prestwood
75e6ee98f3 handshake: simplify IE setters
The handshake object had 4 setters for authenticator/supplicant IE.
Since the IE ultimately gets put into the same buffer, there really
only needs to be a single setter for authenticator/supplicant. The
handshake object can deal with parsing to decide what kind of IE it
is (WPA or RSN).
2019-06-07 14:22:36 -05:00
James Prestwood
5d2b995175 handshake: update FT derivation functions for FILS-FT
FILS-FT could derive a longer PMKR0/R1 key, as well as uses a special
xxkey that it derives during FILS.
2019-05-22 16:15:23 -05:00
James Prestwood
0e9ed03e60 handshake: update key getters for FILS-FT
FILS-FT is a special case with respect to the PTK keys. The KCK getter
was updated to handle both FT-FILS AKMs, by returning the offset in
the PTK to the special KCK generated during FILS. A getter for the KCK
length was added, which handles the SHA384 variant. The PTK size was
also updated since FILS-FT can generate an additional 56 bytes of PTK
2019-05-22 16:14:51 -05:00
James Prestwood
bc381bd8c3 crypto: update FT derivation functions to use sha384
FILS-FT requires the SHA384 KDF to derive the FT keys
2019-05-22 16:14:14 -05:00
James Prestwood
aafb3fa7ed handshake: add key for FILS-FT in handshake_state
FILS derives its own FT key, for use as xxkey during fast transition.
2019-05-22 16:14:01 -05:00
James Prestwood
e109e1b1cf crypto: pass xxkey length for crypto_derive_pmk_r0
FILS-FT has a special derivation for xxkey, and depending on AKM
the key may be 32 or 48 bytes long.
2019-05-22 16:13:57 -05:00
James Prestwood
028e755d42 handshake: allow SHA384 PTK derivation (for FILS)
For FILS rekeys, we still derive the PTK using the 4-way handshake.
And for FILS-SHA384 we need the SHA384 KDF variant when deriving.

This change adds both FILS-SHA256 and FILS-SHA384 to the checks
for determining the SHA variant.
2019-04-26 12:28:51 -05:00
James Prestwood
62097e7d82 crypto: allow PTK derivation using SHA384
crypto_derive_pairwise_ptk was taking a boolean to decide whether to
use SHA1 or SHA256, but for FILS SHA384 may also be required for
rekeys depending on the AKM.

crypto_derive_pairwise_ptk was changed to take l_checksum_type instead
of a boolean to allow for all 3 SHA types.
2019-04-26 12:28:40 -05:00
James Prestwood
17e3a5ee3c handshake: add setter for PTK
With FILS support coming there needs to be a way to set the PTK directly.
Other AKMs derive the PTK via the 4-way handshake, but FILS computes the
PTK on its own.
2019-04-18 10:55:24 -05:00
James Prestwood
e940fc9282 handshake: add handshake_state_get_kek_len 2019-04-17 19:33:51 -05:00
James Prestwood
e15cb7133a handshake: handle FILS AKMs in handshake_get_key_sizes 2019-04-05 12:07:34 -05:00
Marcel Holtmann
3f3e778719 build: Add support for including fallbacks for missing defines 2019-04-03 18:34:22 +02:00
Andrew Zaborowski
f76e10799f eapol,handshake: Memzero copies of secrets 2019-03-19 11:20:40 -05:00
Andrew Zaborowski
8dfb8e9207 handshake: Remove unused handshake_state_get_8021x_config 2019-02-08 13:42:44 -06:00
James Prestwood
2a7a756c9f handshake: add flag and setter to disallow rekeying 2019-01-28 15:36:51 -06:00
James Prestwood
90c39afd61 handshake: add OWE to get_ptk_size
OWE defines KEK/KCK lengths depending on group. This change adds a
case into handshake_get_key_sizes. With OWE we can determine the
key lengths based on the PMK length in the handshake.
2019-01-17 15:20:28 -06:00
James Prestwood
2c82d6b223 crypto: pass PMK length to crypto_derive_pairwise_ptk
Right now the PMK is hard coded to 32 bytes, which works for the vast
majority of cases. The only outlier is OWE which can generate a PMK
of 32, 48 or 64 bytes depending on the ECC group used. The PMK length
is already stored in the handshake, so now we can just pass that to
crypto_derive_pairwise_ptk
2019-01-17 15:20:28 -06:00
James Prestwood
6771a06463 crypto/handshake/eapol: Allow other PTK lengths
The crypto_ptk was hard coded for 16 byte KCK/KEK. Depending on the
AKM these can be up to 32 bytes. This changes completely removes the
crypto_ptk struct and adds getters to the handshake object for the
kck and kek. Like before the PTK is derived into a continuous buffer,
and the kck/kek getters take care of returning the proper key offset
depending on AKM.

To allow for larger than 16 byte keys aes_unwrap needed to be
modified to take the kek length.
2019-01-17 15:20:28 -06:00
James Prestwood
8e7da821f9 handshake: store PMK length
Non-802.11 AKMs can define their own key lengths. Currently only OWE does
this, and the MIC/KEK/KCK lengths will be determined by the PMK length so
we need to save it.
2019-01-15 14:57:53 -06:00
James Prestwood
60555ece3b handshake: added OWE AKM to handshake_state_derive_ptk 2018-11-16 17:03:06 -06:00
Marcel Holtmann
554e4f55db build: Fix includes for using with -std=c99 compiler option 2018-11-01 22:37:11 +01:00
Marcel Holtmann
52f7f1dea2 handshake: Use full include path local includes 2018-10-26 21:27:01 +02:00
Andrew Zaborowski
e4873dea5a handshake: Use enum handshake_kde in find_kde()
Since we have all the KDE types defined in enum handshake_kde use that
instead of uint8_t buffers containing the same values.
2018-09-24 14:24:41 -05:00
Andrew Zaborowski
7c779956ac handshake: Add handshake_util_build_gtk_kde utility 2018-09-24 14:24:41 -05:00
Andrew Zaborowski
68e612573e handshake: Add GTK data to handshake_state
Add places to store the GTK data, index and RSC in struct
handshake_state and add a setter function for these fields.  We may want
to also convert install_gtk to use these fields similar to install_ptk.
2018-09-24 14:24:41 -05:00
Andrew Zaborowski
5f3cdc2093 handshake: Rename own_ie/ap_ie and related setters
To avoid confusion in case of an authenticator side handshake_state
structure and eapol_sm structure, rename own_ie to supplicant_ie and
ap_ie to authenticator_ie.  Also rename
handshake_state_set_{own,ap}_{rsn,wpa} and fix when we call
handshake_state_setup_own_ciphers.  As a result
handshake_state_set_authenticator, if needed, should be called before
handshake_state_set_{own,ap}_{rsn,wpa}.
2018-08-27 11:42:45 -05:00
James Prestwood
2036d36313 handshake: introduce authenticator bit
Both SAE and adhoc can benefit from knowing whether the handshake state
is an authenticator or a supplicant. It will allow both to easily
obtain the remote address rather than sorting out if aa/spa match the
devices own address.
2018-08-15 12:40:35 -05:00