
[1/9] eapol: set secure on message 2/4 properly

Message ID 20230111201543.397692-1-prestwoj@gmail.com (mailing list archive)
State New

Checks

Context Check Description
tedd_an/pre-ci_am success Success
prestwoj/iwd-alpine-ci-fetch success Fetch PR
prestwoj/iwd-ci-fetch success Fetch PR
prestwoj/iwd-ci-gitlint success GitLint
prestwoj/iwd-ci-makedistcheck success Make Distcheck
prestwoj/iwd-alpine-ci-makedistcheck success Make Distcheck
prestwoj/iwd-ci-build success Build - Configure
prestwoj/iwd-alpine-ci-build success Build - Configure
prestwoj/iwd-ci-clang success clang PASS
prestwoj/iwd-ci-incremental_build fail Make FAIL (patch 0): unit/test-eapol.c: In function ‘eapol_4way_test’: unit/test-eapol.c:1791:17: error: too few arguments to function ‘eapol_create_ptk_2_of_4’ 1791 | frame = eapol_create_ptk_2_of_4(EAPOL_PROTOCOL_VERSION_2001, | ^~~~~~~~~~~~~~~~~~~~~~~ In file included from unit/test-eapol.c:34: ./src/eapol.h:78:19: note: declared here 78 | struct eapol_key *eapol_create_ptk_2_of_4( | ^~~~~~~~~~~~~~~~~~~~~~~ unit/test-eapol.c: In function ‘eapol_wpa2_handshake_test’: unit/test-eapol.c:1876:17: error: too few arguments to function ‘eapol_create_ptk_2_of_4’ 1876 | frame = eapol_create_ptk_2_of_4(EAPOL_PROTOCOL_VERSION_2004, | ^~~~~~~~~~~~~~~~~~~~~~~ In file included from unit/test-eapol.c:34: ./src/eapol.h:78:19: note: declared here 78 | struct eapol_key *eapol_create_ptk_2_of_4( | ^~~~~~~~~~~~~~~~~~~~~~~ unit/test-eapol.c: In function ‘eapol_wpa_handshake_test’: unit/test-eapol.c:2006:17: error: too few arguments to function ‘eapol_create_ptk_2_of_4’ 2006 | frame = eapol_create_ptk_2_of_4(EAPOL_PROTOCOL_VERSION_2004, | ^~~~~~~~~~~~~~~~~~~~~~~ In file included from unit/test-eapol.c:34: ./src/eapol.h:78:19: note: declared here 78 | struct eapol_key *eapol_create_ptk_2_of_4( | ^~~~~~~~~~~~~~~~~~~~~~~ make[1]: *** [Makefile:2407: unit/test-eapol.o] Error 1 make[1]: *** Waiting for unfinished jobs.... make: *** [Makefile:1586: all] Error 2
prestwoj/iwd-ci-makecheckvalgrind success Make Check w/Valgrind
prestwoj/iwd-ci-makecheck success Make Check
prestwoj/iwd-alpine-ci-makecheckvalgrind success Make Check w/Valgrind
prestwoj/iwd-alpine-ci-makecheck success Make Check
prestwoj/iwd-alpine-ci-incremental_build fail Make FAIL (patch 0): unit/test-eapol.c: In function 'eapol_4way_test': unit/test-eapol.c:1791:17: error: too few arguments to function 'eapol_create_ptk_2_of_4' 1791 | frame = eapol_create_ptk_2_of_4(EAPOL_PROTOCOL_VERSION_2001, | ^~~~~~~~~~~~~~~~~~~~~~~ In file included from unit/test-eapol.c:34: ./src/eapol.h:78:19: note: declared here 78 | struct eapol_key *eapol_create_ptk_2_of_4( | ^~~~~~~~~~~~~~~~~~~~~~~ unit/test-eapol.c: In function 'eapol_wpa2_handshake_test': unit/test-eapol.c:1876:17: error: too few arguments to function 'eapol_create_ptk_2_of_4' 1876 | frame = eapol_create_ptk_2_of_4(EAPOL_PROTOCOL_VERSION_2004, | ^~~~~~~~~~~~~~~~~~~~~~~ In file included from unit/test-eapol.c:34: ./src/eapol.h:78:19: note: declared here 78 | struct eapol_key *eapol_create_ptk_2_of_4( | ^~~~~~~~~~~~~~~~~~~~~~~ unit/test-eapol.c: In function 'eapol_wpa_handshake_test': unit/test-eapol.c:2006:17: error: too few arguments to function 'eapol_create_ptk_2_of_4' 2006 | frame = eapol_create_ptk_2_of_4(EAPOL_PROTOCOL_VERSION_2004, | ^~~~~~~~~~~~~~~~~~~~~~~ In file included from unit/test-eapol.c:34: ./src/eapol.h:78:19: note: declared here 78 | struct eapol_key *eapol_create_ptk_2_of_4( | ^~~~~~~~~~~~~~~~~~~~~~~ make[1]: *** [Makefile:2408: unit/test-eapol.o] Error 1 make[1]: *** Waiting for unfinished jobs.... make: *** [Makefile:1587: all] Error 2
prestwoj/iwd-ci-testrunner success test-runner PASS

Commit Message

James Prestwood Jan. 11, 2023, 8:15 p.m. UTC
The second handshake message was hard coded with the secure bit as
zero but for rekeys the secure bit should be set to 1. Fix this by
changing the 2/4 builder to take a boolean which will set the bit
properly.

It should be noted that hostapd doesn't check this bit so EAPoL
worked just fine, but IWD's checks are more strict.
---
 src/eapol.c | 12 +++++++-----
 src/eapol.h |  3 ++-
 2 files changed, 9 insertions(+), 6 deletions(-)

Comments

Denis Kenzior Jan. 11, 2023, 10:05 p.m. UTC | #1
Hi James,

On 1/11/23 14:15, James Prestwood wrote:
> The second handshake message was hard coded with the secure bit as
> zero but for rekeys the secure bit should be set to 1. Fix this by
> changing the 2/4 builder to take a boolean which will set the bit
> properly.
> 
> It should be noted that hostapd doesn't check this bit so EAPoL
> worked just fine, but IWD's checks are more strict.
> ---
>   src/eapol.c | 12 +++++++-----
>   src/eapol.h |  3 ++-
>   2 files changed, 9 insertions(+), 6 deletions(-)
> 

Patch 1 & 2 applied, thanks.

Regards,
-Denis

Patch

diff --git a/src/eapol.c b/src/eapol.c
index c7480c11..593daf41 100644
--- a/src/eapol.c
+++ b/src/eapol.c
@@ -766,11 +766,12 @@  struct eapol_key *eapol_create_ptk_2_of_4(
 				size_t extra_len,
 				const uint8_t *extra_data,
 				bool is_wpa,
-				size_t mic_len)
+				size_t mic_len,
+				bool secure)
 {
-	return eapol_create_common(protocol, version, false, key_replay_counter,
-					snonce, extra_len, extra_data, 1,
-					is_wpa, mic_len);
+	return eapol_create_common(protocol, version, secure,
+					key_replay_counter, snonce, extra_len,
+					extra_data, 1, is_wpa, mic_len);
 }
 
 struct eapol_key *eapol_create_ptk_4_of_4(
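Review bot: Appending `bool secure` to eapol_create_ptk_2_of_4() breaks every caller this patch does not convert: the incremental-build log on this page reports `too few arguments` at unit/test-eapol.c:1791, 1876 and 2006, so this commit does not build on its own. Those three call sites should be updated in the same commit, which keeps the series bisectable; judging by the test names they exercise initial handshakes, so they would presumably pass `false`, but that needs confirming. The same signature change appears in the src/eapol.h hunk.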
@@ -1326,7 +1327,8 @@  static void eapol_handle_ptk_1_of_4(struct eapol_sm *sm,
 					ek->key_descriptor_version,
 					L_BE64_TO_CPU(ek->key_replay_counter),
 					sm->handshake->snonce, ies_len, ies,
-					sm->handshake->wpa_ie, sm->mic_len);
+					sm->handshake->wpa_ie, sm->mic_len,
+					sm->rekey);
 
 	kck = handshake_state_get_kck(sm->handshake);
 
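Review bot: The Secure bit sent in message 2/4 now depends entirely on `sm->rekey`, whose assignment and reset are outside this hunk (eapol_handle_ptk_1_of_4 starts before it and continues past it). It is worth confirming that the flag becomes true only after a PTK from a completed handshake is in use and is cleared when the state machine restarts for a new association. A stale value would put Secure=1 into an initial handshake, and the commit message says IWD's own checks on this bit are strict. A short comment at the call would record the intent, e.g. `/* Secure is set in 2/4 only on rekey, when a PTK is already in use */`. A unit test that drives a rekey and asserts the bit in the built frame would pin the behaviour.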
diff --git a/src/eapol.h b/src/eapol.h
index 8d8d5252..43dc224d 100644
--- a/src/eapol.h
+++ b/src/eapol.h
@@ -83,7 +83,8 @@  struct eapol_key *eapol_create_ptk_2_of_4(
 				size_t extra_len,
 				const uint8_t *extra_data,
 				bool is_wpa,
-				size_t mic_len);
+				size_t mic_len,
+				bool secure);
 
 struct eapol_key *eapol_create_ptk_4_of_4(
 				enum eapol_protocol_version protocol,
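Review bot: The prototype now carries two `bool` parameters, `is_wpa` and `secure`, and swapping them at a call site compiles without a warning while changing a Key Information bit that goes on the wire. The declaration should document the new parameter, e.g. `/* secure: value of the Secure bit; true only when 2/4 is built for a rekey */`. The comment also helps because eapol_create_common() takes `secure` as its third argument while this builder takes it last, so the two signatures are easy to misread against each other.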