3
0
mirror of https://git.kernel.org/pub/scm/network/wireless/iwd.git synced 2024-11-20 12:39:25 +01:00
Commit Graph

262 Commits

Author SHA1 Message Date
James Prestwood
93b49a72ac eapol: add PMK installer support
802.1x offloading needs a way to call SET_PMK after EAP finishes.
In the same manner as set_tk/gtk/igtk a new 'install_pmk' function
was added which eapol can call into after EAP completes.
2021-04-09 11:32:21 -05:00
Denis Kenzior
3284ed4e8e eapol: Work around an apparent GCC 8.3 bug
With GCC 8.3 on Rasberry Pi, iwd sends invalid EAPoL 1_of_4 packets:

< PAE: len 99                                                          8.785095
    Interface Index: 27
    EAPoL: len 99
        Protocol Version: 2 (802.1X-2004)
        Type: 3 (Key)
        Length: 95
        Checking mic len 16
        Frame len 99
        key data len 22
        Checking mic len 24
        Frame len 107
        Bad MIC len, malformed packet?
        02 03 00 5f 02 00 8a 00 10 00 00 00 00 00 00 00  ..._............
        02 94 40 a3 da c3 2b aa b7 a6 a5 5f 25 0a ae 74  ..@...+...._%..t
        b0 8d e2 62 9c 90 c9 e9 fd a5 33 1b e1 b4 9b 81  ...b......3.....
        42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  B...............
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        00 00 16

The trouble seems to be that eapol_key_data_append() correctly sets the
key_data_length field (the last 2 bytes of the message), but the actual
packet_length is not being set properly.

Dropping to O0 optimization level results in GCC correctly computing
the packet length.
2021-04-07 16:47:40 -05:00
Denis Kenzior
d958239da9 eapol: Don't ignore EAPoL protocol version 2010
Some newer Cisco APs seem to send this protocol version by default
2021-03-22 17:47:53 -05:00
Denis Kenzior
3dae0592b0 eapol: Use bit_field from ell 2021-03-11 22:33:06 -06:00
Denis Kenzior
7de5b4adef treewide: replace util_mem_is_zero with l_memeqzero 2021-03-09 15:40:35 -06:00
Andrew Zaborowski
074bc52717 eapol,ap: Remove assumption of single cipher in authenticator IE
Allow the user of the eapol_sm & handshake_state APIs to have multiple
pairwise ciphers listed in the authenticator IE.
2021-02-01 10:06:21 -06:00
Andrew Zaborowski
159afd7f18 eapol: IP Allocation KDE support authenticator side
Again the hs->support_ip_allocation flag is used for two purposes here,
first the user signals whether to support this mechanism through this
flag, then it reads the flag to find out if an IP was allocated.
2020-09-14 11:45:15 -05:00
Andrew Zaborowski
ddf111d2c4 eapol: IP Allocation KDE support
Support IP allocation during the 4-Way Handshake as defined in the P2P
spec.  This is the supplicant side implementation.

The API requires the user to set hs->support_ip_allocation true before
eapol_start().  On HANDSHAKE_EVENT_COMPLETE, if this same flag is still
set, we've received the IP lease, the netmask and the authenticator's
IP from the authenticator and there's no need to start DHCP.  If the
flag is cleared, the user needs to use DHCP.
2020-09-14 11:45:12 -05:00
Andrew Zaborowski
2231179b97 eapol: Handle the use_eapol_start flag on authenticator
Reuse this flag on the authenticator side with a slightly different
meaning: when it's true we're forced to wait for the EAPoL-Start before
sending the first EAPoL-EAP frame to the supplicant, such as is required
in a WSC enrollee registration when the Association Request didn't have
a v2.0 WSC IE.
2020-08-28 10:29:36 -05:00
Andrew Zaborowski
e4b1d4202f eap: Re-send Identity Request on EAPoL-Start
It looks like clients sometimes miss our unsolicited Identity Request
and need a resend.
2020-08-27 13:53:12 -05:00
Andrew Zaborowski
4c64e0d560 eapol: Basic EAP support in authenticator mode
Handle EAPoL-EAP frames using our eap.c methods in authenticator mode
same as we do on the supplicant side.  The user (ap.c) will only need to
set a valid 8021x_settings in the handshake object, same as on the
supplicant side.
2020-08-17 09:33:51 -05:00
Andrew Zaborowski
1f910f84b4 eapol: Use eapol_start in authenticator mode too
On the supplicant side eapol_register would only register the eapol_sm
on a given netdev to start receiving frames and an eapol_start call is
required for the state machine to start executing.  On the authenticator
side we shouldn't have the "early frame" problem but there's no reason
for the semantics of the two methods to be different.  Somehow we were
doing everything in eapol_register and not using eapol_start if
hs->authenticator was true, so bring this in line with the supplicant
side and require eapol_start to be called also from ap.c.
2020-08-17 09:25:50 -05:00
Andrew Zaborowski
8a5861d3f5 eapol: Use eapol_sm_write in authenticator mode
Throughout the supplicant mode we'd use the eapol_sm_write wrapper but
in the authenticator mode we'd call __eapol_tx_packet directly.  Adapt
eapol_sm_write to use the right destination address and use it
consistently.
2020-08-13 10:14:21 -05:00
Andrew Zaborowski
225a28f364 eapol: Don't try setting protocol_version in eapol_rx_auth_packet
In authenticator mode we'll always have protocol_version set from the
start so the condition is always going to be false.
2020-08-13 10:14:05 -05:00
Andrew Zaborowski
b40d7460b3 eapol: Don't re-build the AP RSNE in authenticator mode
sm->handshake already contains our RSN/WPA IE so there's no need to
rebuild it for msg 3/4, especially since we hardcode the fact that we
only support one pairwise cipher.  If we start declaring more supported
ciphers and need to include a second RSNE we can first parse
sm->hs->authenticator_ie into a struct ir_rsn_info, overwrite the cipher
and rebuild it from that struct.

This way we duplicate less code and we hardcode fewer facts about the AP
in eapol.c which also helps in adding EAP-WSC.
2020-08-13 10:12:07 -05:00
Andrew Zaborowski
69259b3a3f eapol: Use the require_handshake flag for FILS
In both FT or FILS EAPoL isn't used for the initial handshake and only
for the later re-keys.  For FT we added the
eapol_sm_set_require_handshake mechanism to tell EAPoL to not require
the initial handshake and we can re-use it for FILS.
2020-08-13 10:10:54 -05:00
Mathy Vanhoef
f22ba5aebb eapol: prevent key reinstallation on retransmitted Msg4/4
Currently an adversary can retransmit EAPOL Msg4/4 to make the AP
reinstall the PTK. Against older Linux kernels this can subsequently
be used to decrypt, replay, and possibly decrypt frames. See the
KRACK attacks research at krackattacks.com for attack scenarios.
In this case no machine-in-the-middle position is needed to trigger
the key reinstallation.

Fix this by using the ptk_complete boolean to track when the 4-way
handshake has completed (similar to its usage for clients). When
receiving a retransmitted Msg4/4 accept this frame but do not reinstall
the PTK.

Credits to Chris M. Stone, Sam Thomas, and Tom Chothia of Birmingham
University to help discover this issue.
2020-08-12 09:51:20 -05:00
Rosen Penev
a47609acbe iwd: remove unnecessary semicolons
Found with clang's -Wextra-semi-stmt
2020-04-08 21:02:15 -05:00
Denis Kenzior
5576722d29 eapol: Make sure igtk key index is uint16_t
Fixes: 1cc7346d6a ("handshake: Change signature of (i)gtk setters")
2020-04-02 18:16:56 -05:00
James Prestwood
0381361c81 eapol: fix use of non-ascii apostrophe 2019-11-21 14:00:35 -06:00
Marcel Holtmann
ab5742bb32 module: Move declarations into separate header file 2019-11-07 23:40:13 +01:00
Andrew Zaborowski
0651c2c430 eapol: Drop unused eapol_sm_set_event_func 2019-10-30 14:34:20 -05:00
Andrew Zaborowski
dcf419ee7f eapol: Move the EAP events to handshake event handler
On EAP events, call the handshake_event handler with the new event type
HANDSHAKE_EVENT_EAP_NOTIFY isntead of the eapol_event callback.

This allows the handler to be set before calling
netdev_connect/netdev_connect_wsc.  It's also in theory more type-safe
because we don't need the cast in netdev_connect_wsc anymore.
2019-10-30 14:26:09 -05:00
Andrew Zaborowski
0cccbea904 handshake: Convert handshake event callbacks variadic functions
Convert the handshake event callback type to use variable argument
list to allow for more flexibility in event-specific arguments
passed to the callbacks.

Note the uint16_t reason code is promoted to an int when using variable
arguments so va_arg(args, int) has to be used.
2019-10-30 14:24:05 -05:00
Marcel Holtmann
152b56a12a treewide: Move the Intel copyright forward to 2019 2019-10-25 00:43:08 +02:00
Denis Kenzior
d4d35c7872 eapol: Use CamelCase for [EAPoL] settings 2019-10-24 15:58:08 -05:00
James Prestwood
0d9c9274d9 eapol: do not parse RSN for WPA1 in 1 of 4
A recent change checked the return value of ie_parse_rsne_from_data
inside the ptk 1/4 handler. This seemed safe, but actually caused
the eapol unit test to fail.

The reason was because eapol was parsing the IEs assuming they were
an RSN, when they could be a WPA IE (WPA1 not WPA2). The WPA case
does not end up using the rsn_info at all, so having rsn_info
uninitialized did not pose a problem. After adding the return value
check it was found this fails every time for WPA1.

Since the rsn_info is not needed for WPA1 we can only do the RSN
parse for WPA2 and leave rsn_info uninitialized.
2019-10-17 18:48:18 -05:00
James Prestwood
de3a267d03 eapol: check return of ie_parse_rsne_from_data 2019-10-16 21:24:25 -05:00
James Prestwood
91c449d74a eapol: reorder eapol_sm_free
Technically there's no problem here as l_queue_remove does not
dereference the pointer.  Still, it confuses certain static analysis
tools in the current form. Reordering this will not change the behavior
at all.
2019-10-16 21:16:28 -05:00
James Prestwood
369c5fbd0b eapol: utilize IWD_MODULE
This converts eapol to using IWD modules. The init/exit APIs did need
to remain exposed for unit tests.

Netdev was updated to depend on eapol.
2019-10-11 15:36:45 -05:00
Denis Kenzior
b3881b84c1 eapol: Propagate noencrypt and use it
We were not using or taking into account the noencrypt flag obtained
from the kernel via CONTROL_PORT events.  For the most part this still
worked as the kernel would never include NO_ENCRYPT flag (due to a bug).
However, this was actually incorrect and led to loss of synchronization
between the AP and STA 4-Way handshake state machines when certain
packets were lost and had to be re-transmitted.
2019-08-27 20:50:07 -05:00
Andrew Zaborowski
9a9ff9f2f3 eapol: Don't l_queue_remove from state_machines while destroying it
We do an l_queue_destroy(state_machines, eapol_sm_destroy) so don't
l_queue_remove from state_machines inside eapol_sm_destroy.
2019-08-23 09:32:57 -05:00
Marcel Holtmann
f41d85112e eapol: Make global variables static 2019-08-15 19:32:37 +02:00
Marcel Holtmann
884dcbab92 eapol: Remove unused global variable 2019-08-15 19:31:54 +02:00
Denis Kenzior
0f6d1ece78 eapol: Remove eapol_sm_set_protocol_version
Handshake state will now pick reasonable defaults
2019-07-15 21:45:58 -05:00
James Prestwood
d3baec4eee eapol: add eapol_find_osen
The OSEN AKM uses the vendor specific IE, so when finding the RSNE
element we need to handle it specially to ensure that its both
a vendor specific element and it matches the WFA OUI since other
vendor specific elements may be included.
2019-06-10 18:22:44 -05:00
James Prestwood
039ae3659b eapol: handshake: add OSEN AKM
The handshake procedure for OSEN is part of the 'AKM_DEFINED' group
of AKMs.
2019-06-07 17:10:49 -05:00
James Prestwood
4097a49669 eapol: add FILS-FT AKMs to eapol_start
This will prevent FILS-FT from starting the 4-way handshake as it
does for regular FILS
2019-05-22 16:29:23 -05:00
James Prestwood
869cac4bec eapol: remove eapol_set_started, no longer needed 2019-05-03 14:37:11 -05:00
James Prestwood
d02c038a0d eapol: allow FILS to use eapol_start
A new eapol API was added specifically for FILS (eapol_set_started). Since
either way is special cased for FILS, its a bit cleaner to just check the
AKM inside eapol_start and, if FILS, dont start any timeouts or start the
handshake (effectively what eapol_set_started was doing).
2019-05-03 14:08:28 -05:00
James Prestwood
6ac189315a eapol: allow FILS PTK rekeys
As with FILS GTK rekeys, the PTK rekeys use AES-SIV to encrypt and
do not use a MIC
2019-04-26 16:06:53 -05:00
James Prestwood
83212f9b23 eapol: change eapol_create_common to support FILS
FILS needs to allocate an extra 16 bytes of key data for the AES-SIV
vector. Instead of leaving it up to the caller to figure this out (as
was done with the GTK builder) eapol_create_common can allocate the
extra space since it knows the MIC length.

This also updates _create_gtk_2_of_2 as it no longer needs to create
an extra data array.
2019-04-26 14:00:12 -05:00
James Prestwood
4f7d7684a3 eapol: add common function for AES-SIV
To avoid duplicate code in PTK/GTK rekeys a common function was
added which performs the encryption in place in the key frame.
2019-04-26 12:36:37 -05:00
James Prestwood
2fd755c285 eapol: update eapol_key_handle to work with FILS rekeys
Since FILS does not use a MIC, the 1/4 handler would always get called
for FILS PTK rekeys. We can use the fact that message 1/4 has no MIC as
well as no encrypted data to determine which packet it is. Both no MIC
and no encrypted data means its message 1/4. Anything else is 3/4.
2019-04-26 12:35:53 -05:00
James Prestwood
62097e7d82 crypto: allow PTK derivation using SHA384
crypto_derive_pairwise_ptk was taking a boolean to decide whether to
use SHA1 or SHA256, but for FILS SHA384 may also be required for
rekeys depending on the AKM.

crypto_derive_pairwise_ptk was changed to take l_checksum_type instead
of a boolean to allow for all 3 SHA types.
2019-04-26 12:28:40 -05:00
James Prestwood
733679ff7f eapol: Update _verify_ptk_3_of_4 to work with no MIC
A similar change was made to _verify_gtk_1_of_2 in order for
verification to work when no MIC is being used (FILS rekeys)
2019-04-26 12:24:42 -05:00
James Prestwood
349acf292f eapol: fix kek length for FILS rekeys (SHA384)
FILS-SHA384 got overlooked and the kek length was being hard coded
to 32 bytes when encrypting the key data. There was also one occurence
where the kek_len was just being set incorrectly.
2019-04-17 19:33:55 -05:00
James Prestwood
799a29d37c eapol: only check for snonce if MIC is used
In eapol_key_handle, 'have_snonce' is checked before decrypting the
key data. For FILS, there will be no snonce so this check can be
skipped if mic_len == 0.
2019-04-17 18:40:46 -05:00
James Prestwood
c21f3cd2a4 eapol: allow FILS GTK handshake
The GTK handshake for FILS uses AES-SIV to encrypt the key data, and
does away with the MIC completely. Now, when finalizing the 2/2 GTK
packet we check the MIC length, and if zero we assume FILS is being
used and we use AES-SIV to encrypt the key data.

For FILS, there is no actual data being encrypted for GTK 2/2 (hence
why the input data length is zero). This results in only the SIV
being generated, which essentially serves the same purpose as a MIC.
2019-04-17 18:40:46 -05:00
James Prestwood
a6640f1b7a eapol: allow eapol_decrypt_key_data to work with FILS
FILS falls under the 'AKM defined' key descriptor, and uses AES-SIV.
2019-04-17 18:40:46 -05:00