From patchwork Mon Jun 19 22:57:41 2023
X-Patchwork-Submitter: James Prestwood
X-Patchwork-Id: 13285001
From: James Prestwood
To: iwd@lists.linux.dev
Cc: James Prestwood
Subject: [PATCH 1/6] handshake: add force_sha1 flag to handshake_state_get_pmkid()
Date: Mon, 19 Jun 2023 15:57:41 -0700
Message-Id: <20230619225746.462791-1-prestwoj@gmail.com>

To prepare for adding FT_OVER_8021X to the SHA256 list for PMKID derivation, add a flag to force SHA1 to be used with preauthentication. The spec dictates that preauth must use SHA1 but this isn't consistent with PMKID derivation in all other cases for the FT_OVER_8021X AKM.
---
 src/eapol.c | 2 +-
 src/handshake.c | 7 ++++---
 src/handshake.h | 3 ++-
 src/station.c | 2 +-
 4 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/src/eapol.c b/src/eapol.c index 37f5eaaa..354b8fe7 100644 --- a/src/eapol.c +++ b/src/eapol.c @@ -1236,7 +1236,7 @@ static void eapol_handle_ptk_1_of_4(struct eapol_sm *sm, } else if (pmkid) { uint8_t own_pmkid[16]; - if (!handshake_state_get_pmkid(sm->handshake, own_pmkid)) + if (!handshake_state_get_pmkid(sm->handshake, own_pmkid, false)) goto error_unspecified; if (l_secure_memcmp(pmkid, own_pmkid, 16)) { diff --git a/src/handshake.c b/src/handshake.c index cd9b3082..7f749632 100644 --- a/src/handshake.c +++ b/src/handshake.c
@@ -734,7 +734,8 @@ void handshake_state_set_pmkid(struct handshake_state *s, const uint8_t *pmkid) s->have_pmkid = true; } -bool handshake_state_get_pmkid(struct handshake_state *s, uint8_t *out_pmkid) +bool handshake_state_get_pmkid(struct handshake_state *s, uint8_t *out_pmkid, + bool force_sha1) { bool use_sha256; @@ -755,8 +756,8 @@ bool handshake_state_get_pmkid(struct handshake_state *s, uint8_t *out_pmkid) * calculation." */ - if (s->akm_suite & (IE_RSN_AKM_SUITE_8021X_SHA256 | - IE_RSN_AKM_SUITE_PSK_SHA256)) + if (!force_sha1 && (s->akm_suite & (IE_RSN_AKM_SUITE_8021X_SHA256 | + IE_RSN_AKM_SUITE_PSK_SHA256))) use_sha256 = true; else use_sha256 = false; diff --git a/src/handshake.h b/src/handshake.h index 863ffac7..d9505593 100644 --- a/src/handshake.h +++ b/src/handshake.h @@ -269,7 +269,8 @@ void handshake_state_install_igtk(struct handshake_state *s, void handshake_state_override_pairwise_cipher(struct handshake_state *s, enum ie_rsn_cipher_suite pairwise); -bool handshake_state_get_pmkid(struct handshake_state *s, uint8_t *out_pmkid); +bool handshake_state_get_pmkid(struct handshake_state *s, uint8_t *out_pmkid, + bool force_sha1); bool handshake_decode_fte_key(struct handshake_state *s, const uint8_t *wrapped, size_t key_len, uint8_t *key_out); diff --git a/src/station.c b/src/station.c index f830ab7a..2e819460 100644 --- a/src/station.c +++ b/src/station.c 
@@ -2236,7 +2236,7 @@ static void station_preauthenticate_cb(struct netdev *netdev, new_hs->supplicant_ie[1] + 2, &rsn_info); - handshake_state_get_pmkid(new_hs, pmkid); + handshake_state_get_pmkid(new_hs, pmkid, true); rsn_info.num_pmkids = 1; rsn_info.pmkids = pmkid;

From patchwork Mon Jun 19 22:57:42 2023
X-Patchwork-Submitter: James Prestwood
X-Patchwork-Id: 13285002
From: James Prestwood
To: iwd@lists.linux.dev
Cc: James Prestwood
Subject: [PATCH 2/6] handshake: add FT_OVER_8021X AKM for SHA256 PMKID derivation
Date: Mon, 19 Jun 2023 15:57:42 -0700
Message-Id: <20230619225746.462791-2-prestwoj@gmail.com>
In-Reply-To: <20230619225746.462791-1-prestwoj@gmail.com>
References: <20230619225746.462791-1-prestwoj@gmail.com>

Hostapd commit b6d3fd05e3 changed the PMKID derivation in accordance with 802.11-2020 which then breaks PMKID validation in IWD. This breaks the FT-8021x AKM in IWD if the AP uses this hostapd version since the PMKID doesn't validate during EAPoL. This updates the PMKID derivation to use the correct SHA hash for this AKM, and following patches will address backwards compatibility with older hostapd versions.
---
 src/handshake.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/handshake.c b/src/handshake.c index 7f749632..bbab5ab6 100644
--- a/src/handshake.c +++ b/src/handshake.c 
@@ -757,7 +757,8 @@ bool handshake_state_get_pmkid(struct handshake_state *s, uint8_t *out_pmkid, */ if (!force_sha1 && (s->akm_suite & (IE_RSN_AKM_SUITE_8021X_SHA256 | - IE_RSN_AKM_SUITE_PSK_SHA256))) + IE_RSN_AKM_SUITE_PSK_SHA256 | + IE_RSN_AKM_SUITE_FT_OVER_8021X))) use_sha256 = true; else use_sha256 = false;

From patchwork Mon Jun 19 22:57:43 2023
X-Patchwork-Submitter: James Prestwood
X-Patchwork-Id: 13285003
From: James Prestwood
To: iwd@lists.linux.dev
Cc: James Prestwood
Subject: [PATCH 3/6] handshake: add handshake_state_pmkid_matches
Date: Mon, 19 Jun 2023 15:57:43 -0700
Message-Id: <20230619225746.462791-3-prestwoj@gmail.com>
In-Reply-To: <20230619225746.462791-1-prestwoj@gmail.com>
References: <20230619225746.462791-1-prestwoj@gmail.com>

This will check if the given PMKID matches the derived PMKID. This has been exposed as its own API in order to handle the case of the PMKID being derived using the 'legacy' spec derivation, specifically with the FT-8021X AKM. The spec was updated to be more clear on what hash algorithm to use but older hostapd versions use the old derivation. This handles both and will allow EAPoL to accept the PMKID in either case.
---
 src/handshake.c | 26 ++++++++++++++++++++++++++
 src/handshake.h | 3 ++-
 2 files changed, 28 insertions(+), 1 deletion(-)
diff --git a/src/handshake.c b/src/handshake.c index bbab5ab6..7438c85a 100644 --- a/src/handshake.c +++ b/src/handshake.c @@ -767,6 +767,32 @@ bool handshake_state_get_pmkid(struct handshake_state *s, uint8_t *out_pmkid, use_sha256); } +bool handshake_state_pmkid_matches(struct handshake_state *s, + const uint8_t *check) +{ + uint8_t own_pmkid[16]; + + if (!handshake_state_get_pmkid(s, own_pmkid, false)) + return false; + + if (l_secure_memcmp(own_pmkid, check, 16)) { + if (s->akm_suite != IE_RSN_AKM_SUITE_FT_OVER_8021X) + return false; + /* + * Recent hostapd versions (commit b6d3fd05e3) changed the PMKID + * derivation for the FT-8021x AKM to use SHA256. This may be + * the issue here so try the SHA1 derivation before giving up. + */ + + if (!handshake_state_get_pmkid(s, own_pmkid, true)) + return false; + + return l_secure_memcmp(own_pmkid, check, 16) == 0; + } + + return true; +} + void handshake_state_set_gtk(struct handshake_state *s, const uint8_t *key, unsigned int key_index, const uint8_t *rsc) { diff --git a/src/handshake.h b/src/handshake.h index d9505593..3e3841bf 100644 --- a/src/handshake.h +++ b/src/handshake.h 
@@ -271,7 +271,8 @@ void handshake_state_override_pairwise_cipher(struct handshake_state *s, bool handshake_state_get_pmkid(struct handshake_state *s, uint8_t *out_pmkid, bool force_sha1); - +bool handshake_state_pmkid_matches(struct handshake_state *s, + const uint8_t *check); bool handshake_decode_fte_key(struct handshake_state *s, const uint8_t *wrapped, size_t key_len, uint8_t *key_out);

From patchwork Mon Jun 19 22:57:44 2023
X-Patchwork-Submitter: James Prestwood
X-Patchwork-Id: 13285004
From: James Prestwood
To: iwd@lists.linux.dev
Cc: James Prestwood
Subject: [PATCH 4/6] eapol: use handshake_state_pmkid_matches
Date: Mon, 19 Jun 2023 15:57:44 -0700
Message-Id: <20230619225746.462791-4-prestwoj@gmail.com>
In-Reply-To: <20230619225746.462791-1-prestwoj@gmail.com>
References: <20230619225746.462791-1-prestwoj@gmail.com>

This allows compatibility with older hostapd versions using the SHA1 derivation for the FT-8021X AKM.
---
 src/eapol.c | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/src/eapol.c b/src/eapol.c index 354b8fe7..7db6148e 100644 --- a/src/eapol.c +++ b/src/eapol.c
@@ -1234,12 +1234,7 @@ static void eapol_handle_ptk_1_of_4(struct eapol_sm *sm, if (!found) goto error_unspecified; } else if (pmkid) { - uint8_t own_pmkid[16]; - - if (!handshake_state_get_pmkid(sm->handshake, own_pmkid, false)) - goto error_unspecified; - - if (l_secure_memcmp(pmkid, own_pmkid, 16)) { + if (!handshake_state_pmkid_matches(sm->handshake, pmkid)) { l_debug("Authenticator sent a PMKID that didn't match"); /*

From patchwork Mon Jun 19 22:57:45 2023
X-Patchwork-Submitter: James Prestwood
X-Patchwork-Id: 13285005
From: James Prestwood
To: iwd@lists.linux.dev
Cc: James Prestwood
Subject: [PATCH 5/6] auto-t: add comment about FILS rekeys
Date: Mon, 19 Jun 2023 15:57:45 -0700
Message-Id: <20230619225746.462791-5-prestwoj@gmail.com>
In-Reply-To: <20230619225746.462791-1-prestwoj@gmail.com>
References: <20230619225746.462791-1-prestwoj@gmail.com>

FILS rekeys were fixed in hostapd somewhat recently but older versions will fail this test. Document that so we don't get confused when running tests against older hostapd versions.
---
 autotests/testFILS/fils_256_test.py | 4 ++++
 autotests/testFILS/fils_384_test.py | 4 ++++
 2 files changed, 8 insertions(+)
diff --git a/autotests/testFILS/fils_256_test.py b/autotests/testFILS/fils_256_test.py index 7018f0f2..ca20f683 100644 --- a/autotests/testFILS/fils_256_test.py
+++ b/autotests/testFILS/fils_256_test.py @@ -55,6 +55,10 @@ class Test(unittest.TestCase): testutil.test_iface_operstate() testutil.test_ifaces_connected(device.name, hapd.ifname) + # + # TODO: If this is failing its likely due to an older hostapd version + # not containing commit 7ee814201b72 + # hapd.rekey(device.address) device.disconnect() diff --git a/autotests/testFILS/fils_384_test.py b/autotests/testFILS/fils_384_test.py index ce8904df..5ff6ec36 100644 --- a/autotests/testFILS/fils_384_test.py +++ b/autotests/testFILS/fils_384_test.py 
@@ -55,6 +55,10 @@ class Test(unittest.TestCase): testutil.test_iface_operstate() testutil.test_ifaces_connected(device.name, hapd.ifname) + # + # TODO: If this is failing its likely due to an older hostapd version + # not containing commit 7ee814201b72 + # hapd.rekey(device.address) device.disconnect()

From patchwork Mon Jun 19 22:57:46 2023
X-Patchwork-Submitter: James Prestwood
X-Patchwork-Id: 13285006
From: James Prestwood
To: iwd@lists.linux.dev
Cc: James Prestwood
Subject: [PATCH 6/6] auto-t: fix testNetconfig lease parsing
Date: Mon, 19 Jun 2023 15:57:46 -0700
Message-Id: <20230619225746.462791-6-prestwoj@gmail.com>
In-Reply-To: <20230619225746.462791-1-prestwoj@gmail.com>
References: <20230619225746.462791-1-prestwoj@gmail.com>

The parsing code was breaking out of the loop on the first comment which is incorrect and causes only part of the file to be parsed. It's odd this hasn't popped up until now but it's likely due to differing dhcpd versions, some of which add comments and others that do not.
---
 autotests/testNetconfig/connection_test.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/autotests/testNetconfig/connection_test.py b/autotests/testNetconfig/connection_test.py index cf90993a..aed35bee 100644 --- a/autotests/testNetconfig/connection_test.py
+++ b/autotests/testNetconfig/connection_test.py @@ -276,7 +276,7 @@ class Test(unittest.TestCase): elif quote or ch not in ' \t\r\n;{}#': token += ch if ch == '#': - break + continue elif ch == '{': stack.append([]) elif ch == '}':
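
Review bot: In the src/station.c hunk of patch 1/6, station_preauthenticate_cb() still discards the return value of handshake_state_get_pmkid(new_hs, pmkid, true) and then sets rsn_info.num_pmkids = 1 and rsn_info.pmkids = pmkid unconditionally, while the eapol.c caller touched in the same patch treats a false return as an error. Since this call is being edited anyway, check the result and leave the preauthentication path on failure, so a buffer the function did not fill is never advertised as a PMKID.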
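
Review bot: The new bool force_sha1 parameter added to handshake_state_get_pmkid() in the src/handshake.c and src/handshake.h hunks of patch 1/6 has no documentation, and the call sites now end in a bare true or false that says nothing about intent. Add a comment at the prototype stating that it is meant only for preauthentication, as the commit message explains, or give the preauth case a named wrapper so station.c does not need the literal.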
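
Review bot: Adding IE_RSN_AKM_SUITE_FT_OVER_8021X to the SHA256 mask in the src/handshake.c hunk of patch 2/6 lands before the fallback from 3/6 and 4/6, so at this commit eapol still does a single strict comparison and an AP using the older SHA1 derivation for this AKM fails PMKID validation. The commit message acknowledges that later patches restore compatibility; consider folding this change into the patch that switches eapol to handshake_state_pmkid_matches() so every commit in the series stays bisectable. The spec quotation in the comment directly above the condition should also be extended to cover why FT_OVER_8021X is now in the list.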
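
Review bot: In the src/handshake.c hunk of patch 3/6, the fallback branch of handshake_state_pmkid_matches() returns success silently when only the forced-SHA1 derivation matches, so nothing records that the AP is using the legacy FT-8021X derivation. Add an l_debug() on that path so acceptance of the legacy PMKID is visible in logs. The guard also compares with s->akm_suite != IE_RSN_AKM_SUITE_FT_OVER_8021X while handshake_state_get_pmkid() tests the same field with a bitmask (&); use one form in both places.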
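
Review bot: The src/handshake.h hunk of patch 3/6 replaces the blank line after the handshake_state_get_pmkid() prototype with the new declaration, so handshake_decode_fte_key() now follows with no separator. Add the handshake_state_pmkid_matches() prototype and keep the blank line after it.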
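
Review bot: In the src/eapol.c hunk of patch 4/6, a failure to derive the local PMKID no longer takes goto error_unspecified; because handshake_state_pmkid_matches() returns false for both derivation failure and mismatch, that case now enters the mismatch branch and is logged as "Authenticator sent a PMKID that didn't match". If the change in error handling is intended, state it in the commit message; otherwise have the helper report a derivation failure separately from a mismatch so eapol_handle_ptk_1_of_4() can keep the old path.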
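
Review bot: The comment added before hapd.rekey(device.address) in both fils_256_test.py and fils_384_test.py in patch 5/6 is tagged TODO but describes no pending work; it is a note that the test depends on hostapd commit 7ee814201b72. Drop the TODO tag or turn the note into an explicit skip condition, and change "its likely" to "it's likely".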
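
Review bot: In the connection_test.py hunk of patch 6/6, changing break to continue under if ch == '#': keeps the loop running, but nothing in the visible lines consumes the rest of the comment. If the loop iterates over the whole file contents, as the commit message implies, the characters after '#' up to the newline will be appended to token and parsed as lease content. Track an in-comment state that is cleared at '\n', and add a lease file containing a comment line to the test data so the parser is exercised on it.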