From patchwork Fri Aug 5 18:20:30 2022
X-Patchwork-Submitter: James Prestwood
X-Patchwork-Id: 12937616
From: James Prestwood
To: iwd@lists.linux.dev
Cc: James Prestwood
Subject: [PATCH 1/2] handshake: add support to work around buggy OWE APs
Date: Fri, 5 Aug 2022 11:20:30 -0700
Message-Id: <20220805182031.651456-1-prestwoj@gmail.com>

The early OWE implementation for hostapd always used SHA256 to calculate the PTK, which violates the spec for group 20 and 21. This bug was in there long enough for the bug to make it into products and now it must be worked around here. If the workaround flag is set, always use SHA256 to calculate the PTK.
--- src/handshake.c | 3 ++- src/handshake.h | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/src/handshake.c b/src/handshake.c index 734e997c..91b20bab 100644 --- a/src/handshake.c +++ b/src/handshake.c @@ -515,7 +515,8 @@ bool handshake_state_derive_ptk(struct handshake_state *s) s->ptk_complete = false; if (s->akm_suite & IE_RSN_AKM_SUITE_OWE) { - if (s->pmk_len == 32) + /* Work around buggy APs which always use SHA256 for the PTK */ + if (s->pmk_len == 32 || s->retry_owe_workaround) type = L_CHECKSUM_SHA256; else if (s->pmk_len == 48) type = L_CHECKSUM_SHA384; diff --git a/src/handshake.h b/src/handshake.h index 7f597b06..6f48fa34 100644 --- a/src/handshake.h +++ b/src/handshake.h 
@@ -137,6 +137,7 @@ struct handshake_state { bool authenticator_ocvc : 1; bool supplicant_ocvc : 1; bool ext_key_id_capable : 1; + bool retry_owe_workaround : 1; uint8_t ssid[32]; size_t ssid_len; char *passphrase;

From patchwork Fri Aug 5 18:20:31 2022
X-Patchwork-Submitter: James Prestwood
X-Patchwork-Id: 12937617
From: James Prestwood
To: iwd@lists.linux.dev
Cc: James Prestwood
Subject: [PATCH 2/2] eapol: use OWE workaround after two ignored 2/4 messages
Date: Fri, 5 Aug 2022 11:20:31 -0700
Message-Id: <20220805182031.651456-2-prestwoj@gmail.com>
In-Reply-To: <20220805182031.651456-1-prestwoj@gmail.com>

If the AP has rejected two 2/4 messages when using OWE assume it's buggy and re-derive the PTK in a way that it (hopefully) expects.
--- src/eapol.c | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/src/eapol.c b/src/eapol.c index e8bd5cdb..a393e1b8 100644 --- a/src/eapol.c +++ b/src/eapol.c 
@@ -1161,6 +1161,25 @@ static void eapol_handle_ptk_1_of_4(struct eapol_sm *sm, return; } + /* + * Work around buggy OWE APs. Early hostapd implementations for OWE + * incorrectly used SHA256 for the PTK derivation even in groups 20 and + * 21 (should be SHA384/512). If we've already sent two 2/4 messages + * without a response and the AKM is OWE assume this workaround is + * needed and re-derive the PTK. + * + * TODO: This could be improved by checking if 2/4 was ACK'ed. If not + * this could just be a lost packet. + */ + if (sm->frame_retry >= 2 && + sm->handshake->akm_suite == IE_RSN_AKM_SUITE_OWE && + !sm->handshake->retry_owe_workaround) { + sm->handshake->retry_owe_workaround = true; + + if (!handshake_state_derive_ptk(sm->handshake)) + goto error_unspecified; + } + pmkid = handshake_util_find_pmkid_kde(EAPOL_KEY_DATA(ek, sm->mic_len), EAPOL_KEY_DATA_LEN(ek, sm->mic_len)); @@ -1336,6 +1355,8 @@ static void eapol_handle_ptk_1_of_4(struct eapol_sm *sm, l_timeout_remove(sm->eapol_start_timeout); sm->eapol_start_timeout = NULL; + sm->frame_retry++; + return; error_unspecified:
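
Review bot: In src/handshake.c, the new `|| s->retry_owe_workaround` test in handshake_state_derive_ptk() selects L_CHECKSUM_SHA256 for any pmk_len, and nothing in the hunk records that the non-compliant hash was chosen. Add a debug or warning log on that branch so a connection that fell back to SHA256 with a PMK longer than 32 bytes can be identified afterwards, and extend the comment to say the flag only changes the result when pmk_len is not 32.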
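
Review bot: In src/handshake.h, the new `retry_owe_workaround` bit is added to struct handshake_state without a comment. Document who sets it and whether it is ever cleared, since the name does not say that it changes the PTK hash; a name describing the effect seen in handshake_state_derive_ptk() (forcing SHA256 for OWE) would be easier to audit.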
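
Review bot: In the first src/eapol.c hunk, the new condition tests `sm->handshake->akm_suite == IE_RSN_AKM_SUITE_OWE`, while patch 1/2 tests `s->akm_suite & IE_RSN_AKM_SUITE_OWE` in handshake_state_derive_ptk(); use the same form in both places so the two checks cannot disagree. The condition also fires when pmk_len is 32, where the workaround selects the same hash as before, so adding a pmk_len test would skip a derivation that changes nothing. As the TODO notes, `frame_retry >= 2` cannot tell a buggy AP from lost frames, and once the flag is set nothing in this hunk clears it, so a compliant AP on a lossy link ends up facing a PTK derived with the wrong hash; log when the workaround is enabled so that case can be diagnosed.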
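
Review bot: In the second src/eapol.c hunk, `sm->frame_retry++` is added at the end of eapol_handle_ptk_1_of_4(), but the patch contains no declaration for frame_retry (all 21 insertions are in these two hunks), so an existing counter is being given a new meaning. State in a comment what it now counts and where it is reset, or use a dedicated counter, so that other users of frame_retry cannot shift the `>= 2` threshold that enables the workaround.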