3
0
mirror of https://git.kernel.org/pub/scm/network/wireless/iwd.git synced 2024-11-29 05:39:24 +01:00
Commit Graph

309 Commits

Author SHA1 Message Date
James Prestwood
82eeef1c29 eapol: add eapol_set_started
FILS does not require an eapol_sm for authentication, but rekeys
are still performed using the 4-way handshake. Because of this
FILS needs to create a eapol_sm in a 'started' state, but without
calling eapol_start as this will initialize EAP and create handshake
timeouts.

This allows EAPoL to wait for any 4-way packets, and handle them
as rekeys.
2019-04-17 18:40:46 -05:00
James Prestwood
433373fe28 eapol: cache ERP keys on EAP success 2019-04-17 17:06:25 -05:00
James Prestwood
e963e64f9b eap: export session ID as key materials
ERP/FILS requires the session ID which is derived internally to an
EAP method.
2019-04-10 16:55:29 -05:00
Denis Kenzior
b97d3f2a82 eapol: Use l_container_of 2019-04-03 11:49:36 -05:00
Marcel Holtmann
3f3e778719 build: Add support for including fallbacks for missing defines 2019-04-03 18:34:22 +02:00
Denis Kenzior
570abd7bfb eapol: Convert memsets to explicit_bzero
We were wiping out certain secrets via memset.  Convert them to
explicit_bzero just in case the compiler decides to optimize them out.
2019-03-19 11:25:22 -05:00
Andrew Zaborowski
f76e10799f eapol,handshake: Memzero copies of secrets 2019-03-19 11:20:40 -05:00
James Prestwood
0288c537a2 eapol: have eapol_encrypt_key_data return length/error
Since eapol_encrypt_key_data already calculates the key data length and
encodes it into the key frame, we can just return this length and avoid
having to obtain it again from the frame.
2019-03-18 18:02:37 -05:00
Denis Kenzior
bd7f8bf613 eapol: Relax message 2 / 4 key_length check
Seems certain Apple implementations set the key length to 16, even
though it should be 0.
2019-02-07 10:13:17 -06:00
James Prestwood
8edaa23f8a eapol: emit HANDSHAKE_EVENT_REKEY_FAILED
If we receive handshake message 1/4 after we are already connected
the AP is attempting to rekey. This may not be allowed and if not
we do not process the rekey and emit HANDSHAKE_EVENT_REKEY_FAILED
so any listeners can handle accordingly.
2019-01-28 15:38:47 -06:00
James Prestwood
d79b2b28ec eapol: use HMAC-SHA384 for OWE in MIC calculation 2019-01-17 15:20:28 -06:00
James Prestwood
532c9a5521 eapol: Add OWE cases for different key lengths
In preparation for OWE supporting multiple groups eapol needed some
additional cases to handle the OWE AKM since OWE dictates the KEK,
KCK and MIC key lengths (depending on group).
2019-01-17 15:20:28 -06:00
James Prestwood
2c82d6b223 crypto: pass PMK length to crypto_derive_pairwise_ptk
Right now the PMK is hard coded to 32 bytes, which works for the vast
majority of cases. The only outlier is OWE which can generate a PMK
of 32, 48 or 64 bytes depending on the ECC group used. The PMK length
is already stored in the handshake, so now we can just pass that to
crypto_derive_pairwise_ptk
2019-01-17 15:20:28 -06:00
James Prestwood
6771a06463 crypto/handshake/eapol: Allow other PTK lengths
The crypto_ptk was hard coded for 16 byte KCK/KEK. Depending on the
AKM these can be up to 32 bytes. This changes completely removes the
crypto_ptk struct and adds getters to the handshake object for the
kck and kek. Like before the PTK is derived into a continuous buffer,
and the kck/kek getters take care of returning the proper key offset
depending on AKM.

To allow for larger than 16 byte keys aes_unwrap needed to be
modified to take the kek length.
2019-01-17 15:20:28 -06:00
James Prestwood
374b367ba4 eapol: allow 16, 24 and 32 byte MIC lengths
The MIC length was hard coded to 16 bytes everywhere, and since several
AKMs require larger MIC's (24/32) this needed to change. The main issue
was that the MIC was hard coded to 16 bytes inside eapol_key. Instead
of doing this, the MIC, key_data_length, and key_data elements were all
bundled into key_data[0]. In order to retrieve the MIC, key_data_len,
or key_data several macros were introduced which account for the MIC
length provided.

A consequence of this is that all the verify functions inside eapol now
require the MIC length as a parameter because without it they cannot
determine the byte offset of key_data or key_data_length.

The MIC length for a given handshake is set inside the SM when starting
EAPoL. This length is determined by the AKM for the handshake.
2019-01-17 15:20:28 -06:00
Denis Kenzior
e256cbaba9 eapol: Don't memcpy if no extra data
As reported by the sanitizer:

src/eapol.c:574:2: runtime error: null pointer passed as argument 2,
	which is declared to never be null
2019-01-11 17:10:47 -06:00
Denis Kenzior
12189fcf39 conf: Increase default eapool handshake timeout 2019-01-09 21:13:53 -06:00
Andrew Zaborowski
6bf365d9a4 eapol: Check handshake_state_get_pmkid return value
Don't proceed with the handshake if handshake_state_get_pmkid fails
(shouldn't happen, but it's an error situation)
2018-12-19 10:05:16 -06:00
Denis Kenzior
52771de1a5 eapol: Further relax PMKID check
If we haven't sent a PMKID, and we're not running EAP, then ignore
whatever PMKID the AP sends us.  Frequently the APs send us garbage in
this field.  For PSK and related AKMs, if the PMK is wrong, then we
simply fail to generate a proper MIC and the handshake would fail at a
later stage anyway.
2018-11-28 19:06:33 -06:00
James Prestwood
126993b9e3 eapol: Add OWE to MIC calculate/verify
This allows eapol to work with the OWE AKM type. Similar shortcuts were
taken as with SAE since, for now, both only support a single ECC group.
2018-11-16 17:02:13 -06:00
James Prestwood
1d62f4ec0e eapol: remove unused public eapol functions from header
After moving AP EAPoL code into eapol.c there were a few functions that
no longer needed to be public API's. These were changed to static's and
the header definition was removed.
2018-11-02 14:05:44 -05:00
Marcel Holtmann
554e4f55db build: Fix includes for using with -std=c99 compiler option 2018-11-01 22:37:11 +01:00
Marcel Holtmann
013bae6d3d eapol: Make eapol_frame_watch_{add,remove} functions static 2018-11-01 10:27:22 +01:00
James Prestwood
e678d6655f netdev: signal handshake complete after setting all keys
Currently, netdev triggers the HANDSHAKE_COMPLETE event after completing
the SET_STATION (after setting the pairwise key). Depending on the timing
this may happen before the GTK/IGTK are set which will result in group
traffic not working initially (the GTK/IGTK would still get set, but group
traffic would not work immediately after DBus said you were connected, this
mainly poses a problem with autotests).

In order to fix this, several flags were added in netdev_handshake_state:
ptk_installed, gtk_installed, igtk_installed, and completed. Each of these
flags are set true when their respective keys are set, and in each key
callback we try to trigger the handshake complete event (assuming all the
flags are true). Initially the gtk/igtk flags are set to true, for reasons
explained below.

In the WPA2 case, all the key setter functions are called sequentially from
eapol. With this change, the PTK is now set AFTER the gtk/igtk. This is
because the gtk/igtk are optional and only set if group traffic is allowed.
If the gtk/igtk are not used, we set the PTK and can immediately trigger the
handshake complete event (since gtk_installed/igtk_installed are initialized
as true). When the gtk/igtk are being set, we immediately set their flags to
false and wait for their callbacks in addition to the PTK callback. Doing it
this way handles both group traffic and non group traffic paths.

WPA1 throws a wrench into this since the group keys are obtained in a
separate handshake. For this case a new flag was added to the handshake_state,
'wait_for_gtk'. This allows netdev to set the PTK after the initial 4-way,
but still wait for the gtk/igtk setters to get called before triggering the
handshake complete event. As a precaution, netdev sets a timeout that will
trigger if the gtk/igtk setters are never called. In this case we can still
complete the connection, but print a warning that group traffic will not be
allowed.
2018-10-26 15:26:49 -05:00
Marcel Holtmann
3fa63ede50 eapol: Use full include path local includes 2018-10-26 21:31:52 +02:00
Andrew Zaborowski
8632b81397 eapol: Add GTK data to msg 3/4 of the handshake 2018-09-24 14:53:41 -05:00
James Prestwood
8064cb599a ie: introduce IE_AKM_IS_SAE macro
To prepare for FT over SAE, several case/if statements needed to include
IE_RSN_AKM_SUITE_FT_OVER_SAE. Also a new macro was introduced to remove
duplicate if statement code checking for both FT_OVER_SAE and SAE AKM's.
2018-09-21 11:26:05 -05:00
Marcel Holtmann
1e37ef31fe eapol: Move eapol_key_validate() into eapolutil helper 2018-09-14 17:31:42 +02:00
Andrew Zaborowski
5f3cdc2093 handshake: Rename own_ie/ap_ie and related setters
To avoid confusion in case of an authenticator side handshake_state
structure and eapol_sm structure, rename own_ie to supplicant_ie and
ap_ie to authenticator_ie.  Also rename
handshake_state_set_{own,ap}_{rsn,wpa} and fix when we call
handshake_state_setup_own_ciphers.  As a result
handshake_state_set_authenticator, if needed, should be called before
handshake_state_set_{own,ap}_{rsn,wpa}.
2018-08-27 11:42:45 -05:00
Andrew Zaborowski
ddbc49538e ap: Drop a RSNE check
After EAPOL logic was moved to eapol.c a check was added to
ap_associate_sta_cb to bitwise compare the AP's RSNE to the RSNE
received in the (Re)Association frame.  There is as far as I know no
reason for them to be the same (although they are in our autotest) and
if there was a reason we'd rather validate the (Re)Association RSNE
immediately when received.  We also must set different RSNEs as the
"own" (supplicant) and "ap" RSNEs in the handshake_state for validation
of step 2/4 in eapol.c (fixes wpa_supplicant's and MS Windows
connections being rejected)
2018-08-23 22:03:38 -05:00
James Prestwood
986f66a3c6 eapol: removed authenticator bit and auth register
This removes the authenticator bit in eapol_sm as well as unifies
eapol_register_authenticator and eapol_register. Taking advantage
of the handshake state authenticator bit we no longer have a need
for 2 separate register functions.

ap, and adhoc were also updated to set the authenticator bit in
the handshake and only use eapol_register to register their sm's.

netdev was updated to use the authenticator bit when choosing the
correct key address for adhoc.
2018-08-15 12:40:38 -05:00
James Prestwood
43b70b37d9 eapol: added key description type 0
This also required passing in the akm suite in case the key description
version was zero. In the zero case the akm must be checked. For now this
only supports the SAE akm.
2018-08-09 15:05:56 -05:00
Denis Kenzior
efecce772f eapol: Fix memory allocation issues
When the EAPOL-Key data field is encrypted using AES Wrap, check
that the data field is large enough before calculating the expected
plaintext length.

Previously, if the encrypted data field was smaller than 8 bytes, an
integer underflow would occur when calculating the expected plaintext
data length. This would cause iwd to try to allocate a huge amount of
memory, which causes it to abort and terminate. If the data field was
equal to 8 bytes, iwd would try to allocate 0 bytes of memory, making
l_new return NULL, which subsequently causes iwd to crash on a NULL
pointer deference.

Reported-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-07-16 10:51:13 -05:00
Denis Kenzior
7f844a2520 eapol: Relax key_iv checks
Many APs don't send properly zerod key_iv elements in EAPoL-Key frames.
In the past iwd has complained, but this broken behavior is so
prevalent, that it is likely a lost cause.

This patch takes out these warnings
2018-07-01 20:57:38 -05:00
Denis Kenzior
1c9a1ea46d eapol: Handle all zero PMKID 2018-07-01 20:48:11 -05:00
James Prestwood
92f1ceb3ce netdev/eapol: removed eapol deauthenticate
This removes the need for the eapol/netdev deauthenticate function.
netdev_handshake_failed was exposed so device.c could issue the
disconnect.
2018-06-27 16:17:14 -05:00
James Prestwood
9d4f1b4ca6 eapol: moved AP authenticator into eapol
Includes:
 - support for handling ptk 2/4 and 4/4. Also sending 1/4 and 3/4.
 - new API to register an authenticator SM. This automatically
   sends 1/4 to kick off authentication with an sta.
2018-06-22 14:40:20 -05:00
James Prestwood
aac00bf33a handshake: remove handshake related netdev events
Handshake related netdev events were removed in favor of
handshake events. Now events will be emitted on the handshake
object related to the 4-way handshake and key settings. Events
are:

HANDSHAKE_EVENT_STARTED
HANDSHAKE_EVENT_SETTING_KEYS
HANDSHAKE_EVENT_COMPLETE
HANDSHAKE_EVENT_FAILED

Right now, since netdev only operates in station mode, nothing
listens for COMPLETE/FAILED, as device/wsc gets notified by the
connect_cb when the connection was successful. The COMPLETE/
FAILED were added in preperation for AP moving into eapol/netdev.
2018-06-22 14:21:50 -05:00
Denis Kenzior
9bcb2b75ac eapol: On success, reset EAP state
Instead of destroying the EAP object, just reset its state in case the
EAP process completed successfully.  This allows EAP Reauthentication to
work.
2018-05-30 15:09:42 -05:00
Denis Kenzior
c31cf5d383 eapol: Fully separate eapol transport details
With the introduction of Control Port Over NL80211 feature, the
transport details need to be moved out of eapol and into netdev.c.
Whether a given WiFi hardware supports transfer of Control Port packets
over NL80211 is Wiphy and kernel version related, so the transport
decisions need to be made elsewhere.
2018-05-01 11:14:04 -05:00
James Prestwood
50eae9bf87 eapol: process config setting for handshake timeout
The eapol handshake timeout can now be configured in main.conf
(/etc/iwd/main.conf) using the key eapol_handshake_timeout. This
allows the user to configure a long timeout if debugging.
2018-04-02 13:54:25 -05:00
Andrew Zaborowski
5a17c2275f eapol: Make sure rsn_info is initialized in eapol_handle_ptk_1_of_4
After an EAP exchange rsn_info would be uninitialized and in the FT case
we'd use it to generate the step 2 IEs which would cause an RSNE
mismatch during FT handshake.
2018-03-15 11:40:17 -05:00
Andrew Zaborowski
8b534ba067 eapol: In FT-EAP use all 64 bytes of the MSK
Until now we'd save the second 32 bytes of the MSK as the PMK and use
that for the PMK-R0 as well as the PMKID calculation.  The PMKID
actually uses the first 32 bytes of the PMK while the PMK-R0's XXKey
input maps to the second 32 bytes.  Add a pmk_len parameter to
handshake_state_set_pmk to handle that.  Update the eapol_eap_results_cb
802.11 quotes to the 2016 version.
2018-03-15 11:40:17 -05:00
Andrew Zaborowski
7e8e8b2ac2 eapol: Stop eapol timeout after step 3/4
Move the cancelling of the eapol timeout from the end of step 1 to
step 3 to guard the whole handshake.  At the end of step 1 stop the
EAPOL-Start timeout for the case of 802.1X authentication + a cached
PMKSA (not used yet.)
2018-02-13 12:46:27 -06:00
Tim Kourt
3f4b5a98f5 eapol: provide feedback from eapol_start, refactor 2017-10-30 08:51:28 -05:00
Andrew Zaborowski
ffcda135d2 eapol: Check for "No Group Traffic" group cipher suite 2017-10-23 11:14:40 -05:00
Denis Kenzior
2c565019c7 eapol: Silence uninitialized var warnings 2017-10-20 07:41:56 -05:00
Denis Kenzior
7f8f45220e eapol: Do not install the same GTK/IGTK
Track the contents and size of the GTK and IGTK and if the Authenticator
(or an adversary) tries to set the same GTK/IGTK, process the packet
normally but do not resubmit the GTK/IGTK to the kernel.
2017-10-19 16:47:35 -05:00
Denis Kenzior
cd7af67aac eapol: Tighten up GTK/IGTK KDE validation
GTK KDE was being checked for being a minimum of 6 bytes.  Not quite
sure why since the minimum GTK key length is 16 bytes for CCMP.
Similarly make sure that the maximum length is not more than 32, which
is currently the largest key size (TKIP)
2017-10-19 16:47:35 -05:00
Denis Kenzior
c93a52c066 eapol: Handle retransmissions 2017-10-19 16:47:29 -05:00
Denis Kenzior
f07164b2ef eapol: Remove unneeded {} 2017-10-18 20:40:10 -05:00
Denis Kenzior
ac5d8c2b34 eapol: Reword comment 2017-10-18 20:39:31 -05:00
Denis Kenzior
bee04b179e eapol: Fail handshake if MIC calculation fails
This is a bizarre case since MIC calculation succeeded for the incoming
packet.  But just in case MIC calculation fails for the outgoing packet,
kill the handshake.
2017-10-18 20:38:54 -05:00
Denis Kenzior
c1a0e844b0 eapol: Tighten up replay counter handling 2017-10-18 20:31:49 -05:00
Denis Kenzior
ffbf10fa31 eapol: Remove erroneous comments
The comments quoted sections of the specification that indicated STA
behavior for verifying Message 3 of 4 or GTK 1 of 2.  But in reality the
code directly below simply calculated the MIC for Message 4 of 4 or GTK
2 of 2.
2017-10-16 14:41:57 -05:00
Andrew Zaborowski
dae0abbac8 eapol: Use frame watches for preauth_sm 2017-10-12 11:14:59 -05:00
Andrew Zaborowski
cc4da26f69 eapol: Use frame watches for eapol_sm, refactor
Use eapol_frame_watch_add/eapol_frame_watch_remove in eapol_sm, while
there simplify the early_frame logic and confirm sender address for
received frames.
2017-10-12 11:13:51 -05:00
Andrew Zaborowski
89c2f14683 eapol: Add eapol_append_key_data utility
Add a utility to append a KDE to the key_data field in an EAPoL frame.
The KDE types enum is actually added to handshake.h because we've got
the utilities for finding those KDEs in a buffer there.  The new
function is specific to EAPoL-Key frames though and perhaps to simple to
be split across handshake.c and eapol.c.  Also it didn't seem useful to
use the ie_tlv_builder here.
2017-09-22 12:38:42 -05:00
Andrew Zaborowski
275cc2789d eapol: Make eapol_find_rsne non-static
EAPoL server can reuse this function.
2017-09-12 14:29:25 -05:00
Andrew Zaborowski
6be08a3604 eapol: Add eapol_tx_frame
Allow other files to send EAPoL frames.
2017-09-07 16:16:45 -05:00
Andrew Zaborowski
f05c3c30d1 eapol: Add eapol_frame_watch_add / remove
Allow other files to receive EAPoL frames on specified interfaces.
2017-09-07 16:16:42 -05:00
Andrew Zaborowski
303683c89f mpdu: Refactor mpdu structs
Refactor management frame structures to take into account optional
presence of some parts of the header:
 * drop the single structure for management header and body since
   the body offset is variable.
 * add mmpdu_get_body to locate the start of frame body.
 * drop the union of different management frame type bodies.
 * prefix names specific to management frames with "mmpdu" instead
   of "mpdu" including any enums based on 802.11-2012 section 8.4.
 * move the FC field to the mmpdu_header structure.
2017-08-31 15:11:30 -05:00
Andrew Zaborowski
66325e8c9b eapol: Implement eapol_encrypt_key_data
Add a function to do the inverse of eapol_decrypt_key_data to be used in
eapol server.  Only AES-based versions supported.
2017-08-31 13:21:05 -05:00
Andrew Zaborowski
092ede1147 eapol: Stricter length check in eapol_decrypt_key_data
The plaintext key_data + padding must be at least 16 bytes so the
AES-encrypted key_data must be at least 24 bytes.
2017-08-30 22:42:20 -05:00
Andrew Zaborowski
eda160de12 eapol: Set a timeout for preauthentication
Wait 1 second for the first EAP frame to be received, after that wait up
to 3 seconds for all of EAP to complete.
2017-08-25 11:26:26 -05:00
Andrew Zaborowski
23af935e7b eapol: Add eapol_sm_set_require_handshake
Function to allow netdev.c to explicitly tell eapol.c whether to expect
EAP / 4-Way handshake.  This is to potentially make the code more
descriptive, until now we'd look at sm->handshake->ptk_complete to see
if a new PTK was needed.

A 4-Way handshake is required on  association to an AP except after FT.
2017-08-21 18:35:00 -05:00
Andrew Zaborowski
faba9d509a eapol: After EAP skip the RSNE PMKID check in step 1/4
Skip the matching of the PMKID KDE to the PMKID list in the RSNE if
we've seen a new EAP authentication before the step 1/4 was received.
That would mean that the server had not accepted the PMKIDs we submitted
and we performed a new 8021X authentication, producing a new PMKSA which
won't be on the list in the RSNE.
2017-05-04 10:50:29 -05:00
Andrew Zaborowski
b910784e83 eapol: Add preauth_sm class, drop eapol_sm.preauth
Remove the preauthentication support code from the normal eapol_sm
methods and add a separate simplified class that only handles EAP
packets.
2017-05-01 11:13:32 -05:00
Andrew Zaborowski
48966f57e8 eapol: Only send EAPOL-Start on step 1/4 if really needed
Currently we'd send EAPOL-Start whenever EAP was configured and we
received an EAPOL-Key before EAP negotiation.  Instead only do that if
we know we can't respond to the 4-Way handshake because we don't have
a PMK yet or the PMKID doesn't match.  Require a PMKID in step 1/4 if
we'd sent a list of PMKIDs in our RSNE.
2017-04-21 14:16:25 -05:00
Andrew Zaborowski
c0ae9e3577 eapol: Receive frames with the Preauthentication ethertype
Modify the packet filter to also accept frames with ethertype of 0x88c7
and pass the ethertype value to __eapol_rx_packet so it can filter out
the frames where this value doesn't match the sm->preauth flag.
2017-04-18 11:42:45 -05:00
Andrew Zaborowski
0a4bd616c2 eapol: Use the Preauthentication ethertype in eapol_write
Select the right ether type for the eapol frame in eapol_write and pass
it to pae_write.
2017-04-18 11:41:24 -05:00
Andrew Zaborowski
4e9ed2d686 eapol: Add eapol_start_preauthentication
Add a wrapper for eapol_start that sets the sm->preauth flag and sends
the EAPOL-Start frame immediately to skip the timeout since we know
that the supplicant has to initiate the authentication.
2017-04-18 11:09:26 -05:00
Andrew Zaborowski
1392a80d34 eapol: Further relax gtk 1/2 msg key length check
Accept any of 0, 16, 32 with WPA or WPA2, update comment.
2017-03-14 10:28:06 -05:00
Andrew Zaborowski
b0167f2469 eapol: Define and use IEEE80211_MAX_DATA_LEN
The same constant will be used in multiple places so define it in a
header file.
2017-03-10 10:01:33 -06:00
Andrew Zaborowski
76246d0145 eapol: Don't send EAPOL-Start without EAP
Fix 1a64c4b771 by setting use_eapol_start
by default only when 8021x authentication is configured.  Otherwise we'd
be sending EAPOL-Start even for WPA2 Personal possibly after the 4-Way
Handshake success.
2017-02-27 12:04:31 -06:00
Denis Kenzior
7ad261fef7 util: Move mem_is_zero to util 2017-02-21 16:45:41 -06:00
Andrew Zaborowski
1e70af0179 eapol: Relax GTK 1/2 msg Key Length validation
Since caab23f192085e6c8e47c41fc1ae9f795d1cbe86 hostapd is going to set
this bit to zero for RSN networks but both values will obviously be in
use.  Only check the value if is_wpa is true - in this case check the
value is exactly 16, see hostapd commit:

commit caab23f192085e6c8e47c41fc1ae9f795d1cbe86
Author: Jouni Malinen <j@w1.fi>
Date:   Sun Feb 5 13:52:43 2017 +0200

Set EAPOL-Key Key Length field to 0 for group message 1/2 in RSN

P802.11i/D3.0 described the Key Length as having value 16 for the group
key handshake. However, this was changed to 0 in the published IEEE Std
802.11i-2004 amendment (and still remains 0 in the current standard IEEE
Std 802.11-2016). We need to maintain the non-zero value for WPA (v1)
cases, but the RSN case can be changed to 0 to be closer to the current
standard.
2017-02-08 15:45:12 -06:00
Andrew Zaborowski
e4c5b4b517 eapol: Don't start timeout if handshake already done
Don't start the handshake timeout in eapol_start if either
handshake->ptk_complete is set (handshake already done) or
handshake->have_snonce is set (steps 1&2 done).  This accounts for
eapol_start being called after a Fast Transition when a 4-Way handshake
is not expected.
2017-01-31 15:47:23 -06:00
Andrew Zaborowski
8d8b1c1baf handshake: Split the install_igtk igtk parameter in 2 buffers
Split the igtk parameter to handshake_state_install_igtk into one
parameter for the actual IGTK buffer and one for the IPN buffer instead
of requiring the caller to have them both in one continuous buffer.
With FT protocol, one is received encrypted and the other in plain text.
2017-01-31 11:59:02 -06:00
Andrew Zaborowski
367f1ec798 eapol: Free sm->timeout when it expires 2017-01-31 11:45:54 -06:00
Andrew Zaborowski
3f3e60e415 eapol: Check the MSK size supplied by EAP
Despite RFC3748 mandating MSKs to be at least 256 bits some EAP methods
return shorter MSKs.  Since we call handshake_failed when the MSK is too
short, EAP methods have to be careful with their calls to set_key_material
because it may result in a call to the method's .remove method.

EAP-TLS and EAP-TTLS can't handle that currently and would be difficult to
adapt because of the TLS internals but they always set msk_len to 64 so
handshake_failed will not be called.
2017-01-06 13:24:03 -06:00
Denis Kenzior
221a8f9218 eapol: Fix IGTK key index extraction 2016-12-13 09:25:21 -06:00
Denis Kenzior
fea29229f3 eapol: Fix IGTK key index extraction
IGTK key index is a 2-byte little-endian field, not a bit field.  This
makes sense since IGTK key id can only be 4 or 5.
2016-12-12 22:07:31 -06:00
Andrew Zaborowski
1a64c4b771 eapol: Send EAPOL-Start if AP starts 4-Way Handshake
Make the use of EAPOL-Start the default and send it when configured for
8021x and either we receive no EAPOL-EAP from from the AP before
timeout, or if the AP tries to start a 4-Way Handshake.
2016-11-18 14:10:17 -06:00
Denis Kenzior
413287d5cf eapol: Relax VERIFY_IS_ZERO condition
On certain routers, the 4-Way handshake message 3 of 4 contains a key iv
field which is not zero as it is supposed to.  This causes us to fail
the handshake.

Since the iv field is not utilized in this particular case, it is safe
to simply warn rather than fail the handshake outright.
2016-11-18 14:04:07 -06:00
Denis Kenzior
d03f23200a eap: Load MTU settings from iwd.conf 2016-11-15 16:44:07 -06:00
Andrew Zaborowski
e32ffc4d98 eapol: Use handshake_state to store state
Remove the keys and other data from struct eapol_sm, update device.c,
netdev.c and wsc.c to use the handshake_state object instead of
eapol_sm.  This also gets rid of eapol_cancel and the ifindex parameter
in some of the eapol functions where sm->handshake->ifindex can be
used instead.
2016-11-03 10:23:58 -05:00
Andrew Zaborowski
d03f4d72f1 eapol: Handle FT-version of step 3 of 4-way handshake 2016-11-03 10:04:34 -05:00
Andrew Zaborowski
9d54a3082e eapol: Build FT-version step 2 of 4-way handshake
If an FT AKM suite is selected, build the FT version of the step 2
of the 4-way handshake frame.  Step 1 is same as non-FT version.
2016-11-03 10:03:45 -05:00
Andrew Zaborowski
0d2e5b9849 eapol: Add setters for the FT handshake input data
Add space in the eapol_sm struct for the pieces of information required
for the FT 4-Way Handshake and add setters for device.c and netdev.c to
be able to provide the data.
2016-11-03 10:01:41 -05:00
Andrew Zaborowski
424ceb58a3 eapol: Drop len parameter to eapol_sm_set_rsn/wpa
The len parameter was only used so it could be validated against ie[1],
but since it was not checked to be > 2, it must have been validated
already, the check was redundant.  In any case all users directly
passed ie[1] as len anyway.  This makes it consistent with the ie
parsers and builders which didn't require a length.
2016-10-29 23:09:10 -05:00
Rahul Rahul
c16ae02056 eapol: refactor eapol_find_kde and add install_igtk 2016-10-26 16:34:52 -05:00
Denis Kenzior
cc2052d33e eapol: In case of timeout, mark as NULL 2016-10-15 16:26:41 -05:00
Andrew Zaborowski
c548898635 eapol: Cache early EAPoL frames until ready to process
Split eapol_start into two calls, one to register the state machine so
that the PAE read handler knows not to discard frames for that ifindex,
and eapol_start to actually start processing the frames.  This is needed
because, as per the comment in netdev.c, due to scheduling the PAE
socket read handler may trigger before the CMD_CONNECT event handler,
which needs to parse the FTE from the Associate Response frame and
supply it to the eapol SM before it can do anything with the message 1
of 4 of the FT handshake.

Another issue is that depending on the driver or timing, the underlying
link might not be marked as 'ready' by the kernel.  In this case, our
response to Message 1 of the 4-way Handshake is written and accepted by
the kernel, but gets dropped on the floor internally.  Which leads to
timeouts if the AP doesn't retransmit.
2016-10-15 16:25:37 -05:00
Denis Kenzior
d8cb8d7810 eapol: Default to EAPoL 2001 if unset
If protocol auto-detection is enabled (e.g. protocol_version is zero),
default to EAPOL 2001 version for EAPOL-Start messages.
2016-10-11 02:33:46 -05:00
Denis Kenzior
91d35987fd eapol: Add provision to use EAPOL-Start 2016-10-11 01:36:48 -05:00
Andrew Zaborowski
09861f4ebe eapol: Free the checksum in eapol_verify_mic 2016-10-04 14:11:42 -05:00
Andrew Zaborowski
721be04f95 eapol: Pass actual PTK size to crypto_derive_pairwise_ptk()
It doesn't matter for crypto_derive_pairwise_ptk in non-SHA256 mode
but in the FT PTK derivation function, as well as in SHA256 mode all
bytes of the output do actually change with the PTK size.
2016-10-04 14:10:23 -05:00
Denis Kenzior
db8794460f eapol: Remove io argument from eapol_start 2016-09-13 17:37:13 -05:00
Denis Kenzior
9fde037b8f eapol: Add eapol_sm_set_event_func 2016-09-13 13:30:54 -05:00
Denis Kenzior
baf72d7f86 eapol: Move to a single PAE socket
We used to open a socket for each wireless interface.  This patch uses a
single socket with an attached BPF to handle all EAPoL traffic via a
single file descriptor.
2016-09-12 10:02:04 -05:00
Andrew Zaborowski
1b1bf3cf65 eapol: On EAP success save the second 256 bits of MSK 2016-09-06 14:07:35 -05:00
Denis Kenzior
bcfaad2b62 eapol: Make EAP packets use sm->protocol_version
Instead of hard-coding the EAPoL version to 2004 for all EAP packets,
use the version from eapol_sm.
2016-08-10 16:37:39 -05:00
Denis Kenzior
abc44fe98a eapol: Use switch-case instead of if
The if statement was shorter, but a bit less readable.
2016-08-10 16:36:14 -05:00
Denis Kenzior
34a537652a eapol: Store protocol version in eapol_sm
Instead of one global protocol_version, we now store it inside eapol_sm.
This allows us to use the same protocol version for our response as the
request from the authenticator.

For unit tests where we had protocol version mismatches, a new method is
introduced to explicitly set the protocol version to use.
2016-08-10 16:32:45 -05:00
Denis Kenzior
169222fb96 eapol: warn if state machine list isn't empty 2016-07-20 15:34:21 -05:00
Denis Kenzior
943acddb49 eapol: Refactor eapol tx path 2016-06-28 18:45:49 -05:00
Denis Kenzior
efe5bed7c5 netdev: Move eapol_read to eapol.c 2016-06-28 18:18:47 -05:00
Denis Kenzior
b6d651dda8 eapol: Move eapol_start 2016-06-28 17:26:03 -05:00
Denis Kenzior
e059ee01a7 eapol: Move eapol_cancel 2016-06-28 17:26:03 -05:00
Rahul Rahul
fb339bcc76 eapol: helper functions for REKEY_OFFLOAD 2016-06-22 18:44:17 -05:00
Denis Kenzior
b93ae37325 eapol: Add eapol_sm_get_own_ie 2016-06-14 19:57:21 -05:00
Denis Kenzior
6d81e0a172 eapol: Add eapol_sm_get_group_cipher 2016-06-14 19:57:21 -05:00
Denis Kenzior
c1ff686ed6 eapol: Add eapol_sm_get_pairwise_cipher 2016-06-14 19:57:21 -05:00
Denis Kenzior
30d1673ba4 eapol: Add support for SHA-256 based AKMs 2016-02-10 19:18:56 -06:00
Denis Kenzior
c35409d73c eapol: Update to the new API 2016-02-10 16:55:15 -06:00
Denis Kenzior
3320d31ead sha1: Remove sha1.[ch] 2016-02-10 14:36:14 -06:00
Denis Kenzior
342ad9c61c eapol: Add clarifying comment 2015-11-03 16:26:34 -06:00
Andrew Zaborowski
14020b2aa6 eapol: Handle EAPoL-EAP packets 2015-11-02 21:45:43 -06:00
Andrew Zaborowski
2bccb7e7dc eapol: Remove user_data from __eapol_rx_packet args
Instead of passing the user_data parameter in every __eapol_rx_packet
call to be used by EAPOL in all tx_packet calls, add
eapol_sm_set_tx_user_data function that sets the value of user_data for
all subsequent tx_packet calls.  This way tx_packet can be called from
places that are not necessarily inside an __eapol_rx_packet call.
2015-11-02 21:40:21 -06:00
Andrew Zaborowski
ef9b6f41ce eapol: Separate EAPOL header from struct eapol_key
This is needed so we can better handle sending and receiving EAPoL
packets other than EAPoL-Key.
2015-11-02 21:40:21 -06:00
Denis Kenzior
f1d81cd3c5 eapol: Remove unneded TODO comment 2015-06-08 10:46:48 -05:00
Denis Kenzior
99cdb860c0 eapol: Simplify install_tk callback 2015-05-21 21:10:21 -05:00
Denis Kenzior
e93dd44607 eapol: Simplify GTK install callback
Instead of passing in the RSN/WPA elements, simply pass in the
configured cipher.  This will make the implementation of the install_gtk
callback much simpler.
2015-05-21 21:08:47 -05:00
Denis Kenzior
9992d3aeda eapol: Extract & keep track of desired ciphers
When our own WPA IE or RSN IE are set, extract group and pairwise
ciphers.  These ciphers are the ones we desire to use for the secure
connection.
2015-05-19 00:05:53 -05:00
Denis Kenzior
12551b52ff eapol: Sanity check 2nd RSNE
If the second (optional) RSN element is included in Step 3/4 of the
4-way handshake, parse it and perform basic sanity checks
2015-05-18 23:49:11 -05:00
Denis Kenzior
8593ebaad4 eapol: Set wpa_key_id in WPA1 Step 2 of 2 2015-05-18 14:45:09 -05:00
Andrew Zaborowski
a227d0b00f eapol: In GTK step 2 of 2, secure bit is always 1 2015-05-18 12:50:50 -05:00
Andrew Zaborowski
a84d232eb1 eapol: Accept 32-byte keys in verify_ptk_3_of_4
TKIP key data is 32 bytes long.
2015-05-18 12:37:34 -05:00
Denis Kenzior
619448cacc eapol: Sanity check wpa_key_id field a bit more 2015-05-05 22:26:11 -05:00
Denis Kenzior
9793054a0a eapol: Update TODO comment 2015-05-05 22:19:45 -05:00
Denis Kenzior
a38b6f1f9a eapol: Add missing newline 2015-05-05 22:18:35 -05:00
Denis Kenzior
8f3fd6e47d eapol: Add eapol_verify_gtk_2_of_2 2015-05-05 22:04:21 -05:00
Denis Kenzior
2ba7867e9f eapol: Drop unneded check in verify_ptk_4_of_4
Step 4 is always sent without encrypted Key Data according to Section
11.6.6.5.  In the case of WPA, Encrypted Key Data field is reserved, and
should always be 0.  Thus it is safe to drop the !is_wpa condition.
2015-05-05 22:01:53 -05:00
Denis Kenzior
bb17f5df94 eapol: Add sanity checking of the install bit 2015-05-05 21:50:35 -05:00
Andrew Zaborowski
0ea28ba5ad eapol: Generate new snonce on new 4-Way Handshake
Make sure that we handle PTK rekeying.
2015-05-05 21:22:38 -05:00
Andrew Zaborowski
a7846aee85 eapol: WPA-specific handshake quirks
To support WPA allow the legacy EAPOL-Key frame formats.
2015-05-05 21:22:31 -05:00
Andrew Zaborowski
a8c0f20510 eapol: Handle the Group Key Handshake 2015-05-05 21:10:07 -05:00
Andrew Zaborowski
169aa04570 eapol: Free eapol_sm even if callback is null
If deauthenticate callback was not provided, the state machine was not
being freed / removed.
2015-04-29 08:54:53 -05:00
Andrew Zaborowski
4a27563b5a eapol: Fix key-IV check in EAPOL-Key verification
The comment correctly states the IV is 0 for version 2, but the
check was actually for version 1.
2015-04-29 08:54:47 -05:00
Andrzej Zaborowski
c22d22f5e5 eapol: Remove eapol_sm's from queue when destroying.
Prevents a double-free.
2015-04-17 10:40:10 -05:00
Denis Kenzior
bc98bc9ecb eapol: Add functions to set own/ap WPA IEs
If EAPoL is being run for in WPA mode, then instead of RSN elements, the
WPA elements are required.
2015-04-10 23:46:58 -05:00
Denis Kenzior
445ad55796 eapol: Start a handshake timer
We start a timer.  This handles the case that the Authenticator does
not send us the first message of the 4-way handshake, or disappears
before sending us the 3rd message.
2015-03-29 22:44:08 -05:00
Denis Kenzior
e2badc9828 eapol: Call deauthenticate callback 2015-03-29 22:32:09 -05:00
Denis Kenzior
9f17b71375 eapol: Add eapol_cancel 2015-03-29 20:58:40 -05:00
Denis Kenzior
cf3681efbe eapol: Add comment for handling MIC failures 2015-03-29 20:57:58 -05:00
Denis Kenzior
f31407dd46 eapol: Add deauthenticate callback 2015-03-29 20:30:14 -05:00
Denis Kenzior
6ec364cb86 eapol: Add __eapol_set_gtk_install_func 2015-03-25 23:28:22 -05:00
Denis Kenzior
bf5a6a3999 eapol: Add __eapol_set_install_tk_func 2015-03-25 22:35:12 -05:00
Denis Kenzior
ddcbb3f2a8 eapol: Add eapol_sm_set_user_data 2015-03-25 22:34:05 -05:00