From patchwork Mon Apr 10 22:01:27 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: James Prestwood X-Patchwork-Id: 13206775 Received: from mail-pl1-f181.google.com (mail-pl1-f181.google.com [209.85.214.181]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id CFCE76D24 for ; Mon, 10 Apr 2023 22:01:42 +0000 (UTC) Received: by mail-pl1-f181.google.com with SMTP id ik20so5768036plb.3 for ; Mon, 10 Apr 2023 15:01:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; t=1681164102; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=6V7K1g0yOi2mxId6ry8jEABdwxw9dX/R81b7bI6hj2w=; b=EqnKqHGgLom3GhIUf1oCqrtPi6HXOtZZd1vu/5p2QIW+Hcp+IJfY+SLpl82PtRAAqo vN81LLlnGhvnVrE8O6F5xJDLVGpdYkrwPHtRJLKldwYJW/BQWlXfeRlNmKdxXgGR1Isv hPXsx+rvQNm4XmIirUgv5pdsAI/QZJh5VEJlRJSbT3C59Xej6HLy7buWyQ5kv2x8xbn9 bZIFd/DGSCvJ3LeGtTdrwy3yb9bpDAv/sQ7aUDRbvEL+KfvWzoWCO+Jw4CGAjVUu9eXj /9YuY3gWFLqk6opVNaBayjepn3mXhzJDB7+YJiOf4IKI3XEGH/uVF4AbozHQRXvUj/vX IvEQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1681164102; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=6V7K1g0yOi2mxId6ry8jEABdwxw9dX/R81b7bI6hj2w=; b=oMfLtI2bmCdx05Ai4rayxTFB4TyDpzm5ibtjpK7nVdfT9qPXiPnHc5CQs8UaJvMzHQ n/wSTpBWKksDvbnwVGS3Adks+q4JkJYFF0bxppAS2QEpS0/bdsJvXKrLbQn4HujLWgpZ FaIpISwoJMx7h4FGiL8WtE+pJ7BNxiv9o7lBqIQ/ab+hmtdfAU2+C5d+kgUAJna0azFf vHxM85fvH2SnHNp0w/QD9ZhPUTIyeE0SaTEBpvOGFPujIHhB9dBwq7I0FTV7WFvovXSr f0kTrpa/GPajegvcVUj0RHWJ5Ozj86Y9tUo72G/3U+q2AuprlAhPSayJTbbaGjYODX3X WGJQ== X-Gm-Message-State: AAQBX9dzdXXTshhlLUGLu6+sOLyrvpcdKpxszgMLnLPbpHXXyGw1bmC+ 
UhbVDeTPDFYh6isJweoRdhqs3rbKolc7vw== X-Google-Smtp-Source: AKy350bnOCFW3bRT2XEfIietC88A0ITEfsknwWivS17g6Vn2FPxb/6bAjhsLSgsVMeBueOqCnf0D7A== X-Received: by 2002:a17:902:e848:b0:19e:6b5f:fda9 with SMTP id t8-20020a170902e84800b0019e6b5ffda9mr14475743plg.16.1681164101827; Mon, 10 Apr 2023 15:01:41 -0700 (PDT) Received: from localhost.localdomain ([50.39.172.77]) by smtp.gmail.com with ESMTPSA id s18-20020a170902b19200b001a2806ae2f7sm8263372plr.83.2023.04.10.15.01.41 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 10 Apr 2023 15:01:41 -0700 (PDT) From: James Prestwood To: iwd@lists.linux.dev Cc: James Prestwood Subject: [PATCH 1/9] crypto: modify crypto_derive_pmkid to take the hash/key length Date: Mon, 10 Apr 2023 15:01:27 -0700 Message-Id: <20230410220135.373872-2-prestwoj@gmail.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20230410220135.373872-1-prestwoj@gmail.com> References: <20230410220135.373872-1-prestwoj@gmail.com> Precedence: bulk X-Mailing-List: iwd@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 The existing API was limited to SHA1 or SHA256 and assumed a key length of 32 bytes. Since other AKMs plan to be added update this to take the checksum/length directly for better flexibility. --- src/crypto.c | 18 ++++++++++++------ src/crypto.h | 5 +++-- src/eapol.c | 4 ++-- src/handshake.c | 11 ++++++----- 4 files changed, 23 insertions(+), 15 deletions(-) diff --git a/src/crypto.c b/src/crypto.c index 840d9ee4..f8aba7d8 100644 --- a/src/crypto.c +++ b/src/crypto.c @@ -1116,9 +1116,10 @@ exit: } /* Defined in 802.11-2012, Section 11.6.1.3 Pairwise Key Hierarchy */ -bool crypto_derive_pmkid(const uint8_t *pmk, +bool crypto_derive_pmkid(const uint8_t *pmk, size_t key_len, const uint8_t *addr1, const uint8_t *addr2, - uint8_t *out_pmkid, bool use_sha256) + uint8_t *out_pmkid, + enum l_checksum_type checksum) { uint8_t data[20]; 
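Review bot: The comment above `crypto_derive_pmkid` still cites only 802.11-2012 Section 11.6.1.3 and does not describe the two parameters this hunk introduces, so the contract for `key_len` and `checksum` is left for each caller to guess. I would extend it with something like `/* key_len: number of bytes of pmk used as the HMAC key; checksum: hash used for the HMAC, unsupported types return false */`. The function body continues past the end of this hunk.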
@@ -1126,10 +1127,15 @@ bool crypto_derive_pmkid(const uint8_t *pmk, memcpy(data + 8, addr2, 6); memcpy(data + 14, addr1, 6); - if (use_sha256) - return hmac_sha256(pmk, 32, data, 20, out_pmkid, 16); - else - return hmac_sha1(pmk, 32, data, 20, out_pmkid, 16); + switch (checksum) { + case L_CHECKSUM_SHA1: + return hmac_sha1(pmk, key_len, data, 20, out_pmkid, 16); + case L_CHECKSUM_SHA256: + return hmac_sha256(pmk, key_len, data, 20, out_pmkid, 16); + default: + l_error("Checksum type %u is not valid", checksum); + return false; + } } enum l_checksum_type crypto_sae_hash_from_ecc_prime_len(enum crypto_sae type, diff --git a/src/crypto.h b/src/crypto.h index ed430abb..d2a96655 100644 --- a/src/crypto.h +++ b/src/crypto.h @@ -154,9 +154,10 @@ bool crypto_derive_ft_ptk(const uint8_t *pmk_r1, const uint8_t *pmk_r1_name, bool sha384, uint8_t *out_ptk, size_t ptk_len, uint8_t *out_ptk_name); -bool crypto_derive_pmkid(const uint8_t *pmk, +bool crypto_derive_pmkid(const uint8_t *pmk, size_t key_len, const uint8_t *addr1, const uint8_t *addr2, - uint8_t *out_pmkid, bool use_sha256); + uint8_t *out_pmkid, + enum l_checksum_type checksum); enum crypto_sae { CRYPTO_SAE_LOOPING, diff --git a/src/eapol.c b/src/eapol.c index 9471d13e..9e8f7c34 100644 --- a/src/eapol.c +++ b/src/eapol.c @@ -1103,8 +1103,8 @@ static void eapol_send_ptk_1_of_4(struct eapol_sm *sm) memcpy(ek->key_nonce, sm->handshake->anonce, sizeof(ek->key_nonce)); /* Write the PMKID KDE into Key Data field unencrypted */ - crypto_derive_pmkid(sm->handshake->pmk, sm->handshake->spa, aa, - pmkid, false); + crypto_derive_pmkid(sm->handshake->pmk, 32, sm->handshake->spa, aa, + pmkid, L_CHECKSUM_SHA1); eapol_key_data_append(ek, sm->mic_len, HANDSHAKE_KDE_PMKID, pmkid, 16); diff --git a/src/handshake.c b/src/handshake.c index 734e997c..39a650c5 100644 --- a/src/handshake.c +++ b/src/handshake.c 
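Review bot: `key_len` reaches `hmac_sha1`/`hmac_sha256` exactly as the caller supplied it, so a zero length is no longer excluded the way the old fixed 32 excluded it. A later patch in this series passes `s->pmk_len` here; whether that can be zero when the PMKID is requested is not visible on this page, but a PMKID keyed with an empty key would depend only on public values. A guard ahead of the `switch`, `if (!pmk || !key_len) return false;`, keeps that failure explicit instead of producing an identifier that looks valid.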
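Review bot: The return value of `crypto_derive_pmkid` is discarded in `eapol_send_ptk_1_of_4`, and the very next statement appends `pmkid` to the unencrypted Key Data regardless. The callee now has an extra failure path, and if `pmkid` is an uninitialised local (its declaration is outside the hunk) a failed derivation would send stack bytes in message 1. I would test the result, `if (!crypto_derive_pmkid(...))`, and either bail out after whatever cleanup the surrounding code needs or skip the PMKID KDE. The enclosing function starts and ends outside this hunk.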
@@ -736,7 +736,8 @@ void handshake_state_set_pmkid(struct handshake_state *s, const uint8_t *pmkid) bool handshake_state_get_pmkid(struct handshake_state *s, uint8_t *out_pmkid) { - bool use_sha256; + enum l_checksum_type sha; + size_t key_len = 32; /* SAE exports pmkid */ if (s->have_pmkid) { 
@@ -757,12 +758,12 @@ bool handshake_state_get_pmkid(struct handshake_state *s, uint8_t *out_pmkid) if (s->akm_suite & (IE_RSN_AKM_SUITE_8021X_SHA256 | IE_RSN_AKM_SUITE_PSK_SHA256)) - use_sha256 = true; + sha = L_CHECKSUM_SHA256; else - use_sha256 = false; + sha = L_CHECKSUM_SHA1; - return crypto_derive_pmkid(s->pmk, s->spa, s->aa, out_pmkid, - use_sha256); + return crypto_derive_pmkid(s->pmk, key_len, s->spa, s->aa, out_pmkid, + sha); } void handshake_state_set_gtk(struct handshake_state *s, const uint8_t *key, From patchwork Mon Apr 10 22:01:28 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: James Prestwood X-Patchwork-Id: 13206776 Received: from mail-pj1-f53.google.com (mail-pj1-f53.google.com [209.85.216.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 284C86FB4 for ; Mon, 10 Apr 2023 22:01:43 +0000 (UTC) Received: by mail-pj1-f53.google.com with SMTP id j8so4319343pjy.4 for ; Mon, 10 Apr 2023 15:01:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; t=1681164102; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=K0K8Lmj43PBGXMdgm/treQUpRe5ZPK6+q1fTDzraLa4=; b=CYTm6U673Zsg1GHGXeDGKG/q7vNyiMzQB+nDzAVYtLt2ccIISBXg8nL4VjpOv3wa4d 1JMHdhldBSze7Pc9+yA/Yeyk7y6LFwU0x1i/RHKL8u/d0OZuARpfIuX/qB1IraOjyQeH UYASJYmSFxXwEgvs6MFwxDRU0LrLgWIRe3yLVL1vi4p0PvNzylTS1t3bchFRpkoyIg/+ WTZ6/90KIZkgJ4CxocfonLX1HCqi6oc5sI9PE9KPTOSdUFtLoZQ2VWayr+KCrYM9Ib/R Vsv8dyoCSEEiqkAv/60dQnsAtFag0vX6DXgv3eodQfbL3AP6dkXjnDOtiDpa6+lOWetE yhtw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1681164102; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc 
:subject:date:message-id:reply-to; bh=K0K8Lmj43PBGXMdgm/treQUpRe5ZPK6+q1fTDzraLa4=; b=3zdD1Iuk+ggNukIho8v1ghlj+/4hiPHWERxvzLM2V7EbpzpI1CNfRSOeYIyByfTW4+ QBw6g23/6tBxcUSYtysZDVuNefRTQNgJVrQhaAm1KwMqmmMpsn1Mp3B6cIKqEdruinUJ /mORywx5vHYoVzf+VKkuD0i29uP8ZufBGEagLmoL3BfisWvcQSJBpdOP2nMleObXvgtG c0inYgqZbZ4NwTpNjdExdX4+K1b1uqyVvQAsNsUQBYtgyH3x7sLDG5h9q907VOWw8o/8 wrDYKU6sSBmAOMBcfc6BoxEnRVPr3l8XOegCEn8IhqEHA7LB3BRWThV0xcymMKg70JVH QdPg== X-Gm-Message-State: AAQBX9fAurCIc/m28f2pU8RvsKTsHn5UyaXkPDQ8/SwFN03EysOiqPmW IkmpStmo1Ezi4Lmev8MvHQaRCodPw1SuGQ== X-Google-Smtp-Source: AKy350YuwPqsb17CyCJhbedEHn1VQ7BMXNNQ0r2y3G1ryjHslS6gIUolcsLluDpgQoIGH3DbVRxBVw== X-Received: by 2002:a17:903:2347:b0:1a6:413c:4a54 with SMTP id c7-20020a170903234700b001a6413c4a54mr5790505plh.1.1681164102412; Mon, 10 Apr 2023 15:01:42 -0700 (PDT) Received: from localhost.localdomain ([50.39.172.77]) by smtp.gmail.com with ESMTPSA id s18-20020a170902b19200b001a2806ae2f7sm8263372plr.83.2023.04.10.15.01.42 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 10 Apr 2023 15:01:42 -0700 (PDT) 
From: James Prestwood To: iwd@lists.linux.dev Cc: James Prestwood Subject: [PATCH 2/9] handshake: include additional sha256 AKMs for PMKID generation Date: Mon, 10 Apr 2023 15:01:28 -0700 Message-Id: <20230410220135.373872-3-prestwoj@gmail.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20230410220135.373872-1-prestwoj@gmail.com> References: <20230410220135.373872-1-prestwoj@gmail.com> Precedence: bulk X-Mailing-List: iwd@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 The 802.11 spec defines what AKMs should use sha256 to derive the PMKID. Hostapd commit b6d3fd05e3 changed the PMKID derivation in accordance with 802.11-2020 which then breaks PMKID validation in IWD. This breaks FT-PSK/8021x AKMs in IWD if the AP uses this hostapd version. Updating IWD to use sha256 in these cases will now break backwards compatibility with *older* APs, but this will be worked around in future commits. --- src/handshake.c | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/src/handshake.c b/src/handshake.c index 39a650c5..82e0c1c2 100644 --- a/src/handshake.c +++ b/src/handshake.c 
@@ -754,10 +754,23 @@ bool handshake_state_get_pmkid(struct handshake_state *s, uint8_t *out_pmkid) * preauthentication, the AKM has not yet been negotiated. In this * case, the HMAC-SHA1-128 based derivation is used for the PMKID * calculation." + * + * 802.11-2020 Table 9-151 defines the hashing algorithm to use + * for various AKM's. SHA256 should be used for the following + * AKM's (for this API context): + * + * 00-0F-AC:3 (FT-8021X) + * 00-0F-AC:4 (FT-PSK) + * 00-0F-AC:5 (8021X-SHA256) + * 00-0F-AC:6 (PSK-SHA256) + * + * (Note SAE/FILS were left out as they generate their own PMKID) */ if (s->akm_suite & (IE_RSN_AKM_SUITE_8021X_SHA256 | - IE_RSN_AKM_SUITE_PSK_SHA256)) + IE_RSN_AKM_SUITE_PSK_SHA256 | + IE_RSN_AKM_SUITE_FT_OVER_8021X | + IE_RSN_AKM_SUITE_FT_USING_PSK)) sha = L_CHECKSUM_SHA256; else sha = L_CHECKSUM_SHA1; From patchwork Mon Apr 10 22:01:29 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: James Prestwood X-Patchwork-Id: 13206777 Received: from mail-pj1-f51.google.com (mail-pj1-f51.google.com [209.85.216.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 78F9F79D9 for ; Mon, 10 Apr 2023 22:01:43 +0000 (UTC) Received: by mail-pj1-f51.google.com with SMTP id c3so6850846pjg.1 for ; Mon, 10 Apr 2023 15:01:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; t=1681164103; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=QNA9Oj0M6msydbKlLkZNs9CH8dYLnbdvvQuG+sEfTsk=; b=QuZsius6JDa+LGnT7xkjJDIGQyQvOvKvY1dYhYjRMMHco91czeV8D+Kd9asawED3B9 2eBV1wxS/gixO1L5V3NSn/2awArfEfytAN5xpJKHKtwg1zs4sU1bnVjCpbTwPC+D54GN v5tXIQAo1Jf+R2QIXQiWrxzwpzwQMWBCZbMANf71zWvPR4SI+Ll+35zZM5ebh/aN16fy 
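Review bot: This selection now picks SHA256 for FT-8021X and FT-PSK on the `handshake_state_get_pmkid` path, but the authenticator-side call in `eapol_send_ptk_1_of_4` (src/eapol.c, patch 1/9 of this series) still passes `32` and `L_CHECKSUM_SHA1` unconditionally. If IWD's AP mode can negotiate any of the four AKMs listed in the new comment, the PMKID it writes into message 1 would not match what this function computes for the same AKM; whether it can is not visible here. Choosing the hash from the AKM in one shared helper would keep both callers in step. The enclosing function starts and ends outside this hunk.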
G6SfQPQzUm6q1pYejlCopBhZ7cPZcXvz3U62lpMXDJE8D0b3hp4NpZhU+jrRbOqjTMVM fYOo30yUbH45eTSJxDIjHVhMvig0vHuSsuukOlaX9Dk4fYXdXMsC8OK3v7wgA6EzrlZt 6q2g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1681164103; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=QNA9Oj0M6msydbKlLkZNs9CH8dYLnbdvvQuG+sEfTsk=; b=VrLKpaOsrLEllSIAtFUefzf+n7UADSJLyflB7aMmyC+OpszBM+C2FZ/CEzciPUQSGg MXPDJbZXn7FAjzxJp7XaoHRsSJ8cFO1a2wb1pYY4wZcI1pSNsbKwtLrvwzn1EVNQJFA0 DrwhGmkcK4G2B+k2qzSqbiPuUK2fzV6zQQAS1OF9dZOrmBE8eCYu2vOwd01/4nDPJ+cG 7szaOs+QM2lXmK0MyY46vTDb8X50Haj7tJXO5w8XxY695p9LKEujXH5r0lua+kWC6pUp D54jAR52DA8/WJvtGckMtcLYPOm7GTMazTwEbJ5wuGFwJoJ1ySghPMkGDdqVTzrurl3D ieBQ== X-Gm-Message-State: AAQBX9cs2jJbc2cA0Ldgs/MyxjQTrGI2VEaL81ZA8R9ni30WxP6AKR0E Hhk7dWxZy+M0koMCc3yvUcFXctxIwhCFhQ== X-Google-Smtp-Source: AKy350a9Ulc3W+tS+sfeViVT5lzrf10S9zbXk7BsNCRhxJwB0ci5TZ1xE1lVBzOcNdABJIs5B3GWZw== X-Received: by 2002:a17:902:cece:b0:1a1:e364:3452 with SMTP id d14-20020a170902cece00b001a1e3643452mr17780255plg.29.1681164102852; Mon, 10 Apr 2023 15:01:42 -0700 (PDT) Received: from localhost.localdomain ([50.39.172.77]) by smtp.gmail.com with ESMTPSA id s18-20020a170902b19200b001a2806ae2f7sm8263372plr.83.2023.04.10.15.01.42 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 10 Apr 2023 15:01:42 -0700 (PDT) 
From: James Prestwood To: iwd@lists.linux.dev Cc: James Prestwood Subject: [PATCH 3/9] crypto: add hmac_sha384 support for PMKID derivation Date: Mon, 10 Apr 2023 15:01:29 -0700 Message-Id: <20230410220135.373872-4-prestwoj@gmail.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20230410220135.373872-1-prestwoj@gmail.com> References: <20230410220135.373872-1-prestwoj@gmail.com> Precedence: bulk X-Mailing-List: iwd@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 SHA384 is required by several AKMs --- src/crypto.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/crypto.c b/src/crypto.c index f8aba7d8..6b8a7b1e 100644 --- a/src/crypto.c +++ b/src/crypto.c 
@@ -1132,6 +1132,8 @@ bool crypto_derive_pmkid(const uint8_t *pmk, size_t key_len, return hmac_sha1(pmk, key_len, data, 20, out_pmkid, 16); case L_CHECKSUM_SHA256: return hmac_sha256(pmk, key_len, data, 20, out_pmkid, 16); + case L_CHECKSUM_SHA384: + return hmac_sha384(pmk, key_len, data, 20, out_pmkid, 16); default: l_error("Checksum type %u is not valid", checksum); return false; From patchwork Mon Apr 10 22:01:30 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: James Prestwood X-Patchwork-Id: 13206778 Received: from mail-pl1-f180.google.com (mail-pl1-f180.google.com [209.85.214.180]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 27C502F3F for ; Mon, 10 Apr 2023 22:01:44 +0000 (UTC) Received: by mail-pl1-f180.google.com with SMTP id la3so5720087plb.11 for ; Mon, 10 Apr 2023 15:01:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; t=1681164103; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=aHSUrASB8xUg930vAe2lW4BYfHfUwjeyNGwFHxh21Yk=; b=As+qyPQilk+9Pq+8bBxp9L1IX1hk5E54nkX5hFTFWc6YYTtV5rFj60JpxxmG/PuwGe vsPw31eTiNX8lh9me8cbVFs7mbbf3NBt+9p+Ka0hy3WqAAsLYS6g5DjGqIq31aXE8hq/ Zw/LJsYZWjtQfyj4lMbgY7qEaTEzesCNP+QemS0wZkquh/9zS+nQhEq0CogJLb4ddhvO lDUhixRX1RVzdsTGslHUGxvGnMtQJ0eKFSYTzy8B+w4TLKOZyDzGDkZvhC8elqTdE1HJ 7kHYYAfaV663z1+tGH8QRYEIbxEMv8JZ9o7gCEubOBzArXM1pH6+7M6z2NAuKEhFf0lH wXzA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1681164103; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=aHSUrASB8xUg930vAe2lW4BYfHfUwjeyNGwFHxh21Yk=; 
b=HzZHoLM2chM0yXeE/+EtZi0ANDUuypnmvudODxnDS55OJlE5ZTmh8Gu4XmHjwGO2MP A44KFmvoXXORTbJdMs1+yRST3cLA7dIdnAoAxBO42MlHi9aWWneCFacPkAYK091sJUi3 44VGIQ/u0PsCIXFUDsn+v65thBbK4kLay35zcWQ1VG04DOmPHCxDKtvo3KH2YhKmGr1R 8qwKfaq1BQF7LCJphtSZ678J/eNTG0HaDJ5JIPZVJen3ZGfR1oQS+VVm2Iy8sqejbftU 9EPMl75CyrtEsV2A7pAkbV/5olWkVVKP1u+/c+pp9ok5l+JNdm0YsJS70i79eJl07CO8 fYGw== X-Gm-Message-State: AAQBX9fUNYxJ11uQE63zZ2+mOJ9h4EisVoxBehb8oOMuNx7Ns0iRGsRe O5x8QdvfvMfG5KNSAfgN85L6cBiJrcHEgw== X-Google-Smtp-Source: AKy350Zl0Q5fcaGZORFcSJ3BB/N+PGZolw0N/x2ZXXWsvEaQjtlRIYCXw+Ser0D6108AaoivhktqRQ== X-Received: by 2002:a17:902:ce85:b0:19e:874e:7275 with SMTP id f5-20020a170902ce8500b0019e874e7275mr17970457plg.23.1681164103445; Mon, 10 Apr 2023 15:01:43 -0700 (PDT) Received: from localhost.localdomain ([50.39.172.77]) by smtp.gmail.com with ESMTPSA id s18-20020a170902b19200b001a2806ae2f7sm8263372plr.83.2023.04.10.15.01.42 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 10 Apr 2023 15:01:43 -0700 (PDT) From: James Prestwood To: iwd@lists.linux.dev Cc: James Prestwood Subject: [PATCH 4/9] eapol: add support for FT-8021X-SHA384 Date: Mon, 10 Apr 2023 15:01:30 -0700 Message-Id: <20230410220135.373872-5-prestwoj@gmail.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20230410220135.373872-1-prestwoj@gmail.com> References: <20230410220135.373872-1-prestwoj@gmail.com> Precedence: bulk X-Mailing-List: iwd@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 The SHA384 variant was not being checked for in any of the MIC calculations/verifications or for EAPoL decryption. --- src/eapol.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/src/eapol.c b/src/eapol.c index 9e8f7c34..f290f40a 100644 --- a/src/eapol.c +++ b/src/eapol.c 
@@ -110,6 +110,9 @@ bool eapol_calculate_mic(enum ie_rsn_akm_suite akm, const uint8_t *kck, case IE_RSN_AKM_SUITE_OSEN: return cmac_aes(kck, 16, frame, frame_len, mic, mic_len); + case IE_RSN_AKM_SUITE_FT_OVER_8021X_SHA384: + return hmac_sha384(kck, 24, frame, frame_len, + mic, mic_len); case IE_RSN_AKM_SUITE_OWE: switch (mic_len) { case 16: @@ -164,6 +167,10 @@ bool eapol_verify_mic(enum ie_rsn_akm_suite akm, const uint8_t *kck, case IE_RSN_AKM_SUITE_OSEN: checksum = l_checksum_new_cmac_aes(kck, 16); break; + case IE_RSN_AKM_SUITE_FT_OVER_8021X_SHA384: + checksum = l_checksum_new_hmac(L_CHECKSUM_SHA384, + kck, 24); + break; case IE_RSN_AKM_SUITE_OWE: switch (mic_len) { case 16: @@ -270,6 +277,7 @@ uint8_t *eapol_decrypt_key_data(enum ie_rsn_akm_suite akm, const uint8_t *kek, case IE_RSN_AKM_SUITE_FT_OVER_SAE_SHA256: case IE_RSN_AKM_SUITE_OWE: case IE_RSN_AKM_SUITE_OSEN: + case IE_RSN_AKM_SUITE_FT_OVER_8021X_SHA384: if (key_data_len < 24 || key_data_len % 8) return NULL; 
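Review bot: The new `IE_RSN_AKM_SUITE_FT_OVER_8021X_SHA384` case in `eapol_calculate_mic` fixes the KCK length at 24 but forwards the caller's `mic_len` unchecked, whereas the OWE case directly below switches on `mic_len` before choosing a key length. The case added to `eapol_verify_mic` in the next hunk has the same shape. If the two values can disagree (the callers are outside these hunks), a MIC would be produced or compared with a length that does not belong to this AKM; `if (mic_len != 24) return false;` ahead of the HMAC call makes the pairing explicit. Both functions start and end outside the hunks.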
@@ -315,6 +323,7 @@ uint8_t *eapol_decrypt_key_data(enum ie_rsn_akm_suite akm, const uint8_t *kek, case EAPOL_KEY_DESCRIPTOR_VERSION_AKM_DEFINED: switch (akm) { case IE_RSN_AKM_SUITE_OWE: + case IE_RSN_AKM_SUITE_FT_OVER_8021X_SHA384: switch (mic_len) { case 16: kek_len = 16; From patchwork Mon Apr 10 22:01:31 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: James Prestwood X-Patchwork-Id: 13206779 Received: from mail-pj1-f41.google.com (mail-pj1-f41.google.com [209.85.216.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id BEE008477 for ; Mon, 10 Apr 2023 22:01:44 +0000 (UTC) Received: by mail-pj1-f41.google.com with SMTP id e18-20020a17090ac21200b00246952d917fso4406425pjt.4 for ; Mon, 10 Apr 2023 15:01:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; t=1681164104; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=kTJW7Z4SgsINy/itTCPc4m4DAYFN2eC4mR95RpKgNPs=; b=Vja9yw6LSa32xGJeaC261Ejmk0n5vlQQuFcv+jp1HM0Cl9CSJ63LFBP8IRNllLCvJB J5i2JyDNfa3SBR+7otUaJGgQi031Q8uarZT1pmU6KgYIDW61vR263OsHnRZl0910PrtM Z/nnrSyfNoOsw0/A8VJIWcova5JdAv89SRCdzIN7WSwXsWV8dMMGAu0sGAZoCU7ZcuzA LK+onmrgRokheXwNIFBeFvIBxqEqzOJuC8z+6AQX/J2Qre+xGyYVZ8UFGI+wxEknhCbC G+3ne9VO5iwFbEwdu5iPfB3zZy7HqPsF/k+uczm3w2s6R7TTyA5NPOdB9czcv/D4Or5u hilA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1681164104; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=kTJW7Z4SgsINy/itTCPc4m4DAYFN2eC4mR95RpKgNPs=; b=S3ILQXAO6tY6gLDWOy2qQpSKx3yTOuORJ3lvgMathdh3rm5N9DSFi7oo4P20wm04fA 
Z62xz6N16Mpzll7FBbA5jSrWgr9qwUQBLKVy/XIxOsZPAWvTSXPkiMVoq7TEsn+UBGLq 7hPRslqKBTYfcOp5rDddskzcx0OS2PMHhqek4uNY209UEH2+h6MdNfBkXucHJ4kRlUIq wn1PA1vT3MdniGxe2qwMTn8zjqG+Az176q5qjZpSh5MFofBhf8tE4NX905xNdgXJrP/9 kmva2r3Y20LRFYb+VPKvIlncp6sEIDp98A+j6flPXQ0Bp6C5lVpO5auj5eTNZU/B5kqz MoZQ== X-Gm-Message-State: AAQBX9fZfhQiXc2CI2M6VpymfqlxlKM8CzwyQbmb+vCvPXt5tUDdfWWE pBFLLkePIOXamf+XEjvo9tI7YI4MWjKehw== X-Google-Smtp-Source: AKy350adcZTy6ZkBv+b2dLuTA7AmkQ+Xmued69wLNL2Ec7BHPCnD8cbJESHThF3ExbAXaXHESA8l2g== X-Received: by 2002:a17:903:41c1:b0:1a5:1842:f7da with SMTP id u1-20020a17090341c100b001a51842f7damr12433479ple.6.1681164104028; Mon, 10 Apr 2023 15:01:44 -0700 (PDT) Received: from localhost.localdomain ([50.39.172.77]) by smtp.gmail.com with ESMTPSA id s18-20020a170902b19200b001a2806ae2f7sm8263372plr.83.2023.04.10.15.01.43 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 10 Apr 2023 15:01:43 -0700 (PDT) From: James Prestwood To: iwd@lists.linux.dev Cc: James Prestwood Subject: [PATCH 5/9] handshake: support FT-8021X-SHA384 Date: Mon, 10 Apr 2023 15:01:31 -0700 Message-Id: <20230410220135.373872-6-prestwoj@gmail.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20230410220135.373872-1-prestwoj@gmail.com> References: <20230410220135.373872-1-prestwoj@gmail.com> Precedence: bulk X-Mailing-List: iwd@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 This adds the AKM to various places in handshake.c when deriving keys to support this AKM. --- src/handshake.c | 27 ++++++++++++++++++++++----- 1 file changed, 22 insertions(+), 5 deletions(-) diff --git a/src/handshake.c b/src/handshake.c index 82e0c1c2..362ff58a 100644 --- a/src/handshake.c +++ b/src/handshake.c 
@@ -505,6 +505,7 @@ bool handshake_state_derive_ptk(struct handshake_state *s) return false; if ((s->akm_suite & (IE_RSN_AKM_SUITE_FT_OVER_8021X | + IE_RSN_AKM_SUITE_FT_OVER_8021X_SHA384 | IE_RSN_AKM_SUITE_FT_USING_PSK | IE_RSN_AKM_SUITE_FT_OVER_SAE_SHA256 | IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256 | @@ -524,7 +525,8 @@ bool handshake_state_derive_ptk(struct handshake_state *s) else return false; } else if (s->akm_suite & (IE_RSN_AKM_SUITE_FILS_SHA384 | - IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384)) + IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384 | + IE_RSN_AKM_SUITE_FT_OVER_8021X_SHA384)) type = L_CHECKSUM_SHA384; else if (s->akm_suite & (IE_RSN_AKM_SUITE_8021X_SHA256 | IE_RSN_AKM_SUITE_PSK_SHA256 | @@ -540,6 +542,7 @@ bool handshake_state_derive_ptk(struct handshake_state *s) ptk_size = handshake_state_get_ptk_size(s); if (s->akm_suite & (IE_RSN_AKM_SUITE_FT_OVER_8021X | + IE_RSN_AKM_SUITE_FT_OVER_8021X_SHA384 | IE_RSN_AKM_SUITE_FT_USING_PSK | IE_RSN_AKM_SUITE_FT_OVER_SAE_SHA256 | IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256 | @@ -549,7 +552,8 @@ bool handshake_state_derive_ptk(struct handshake_state *s) const uint8_t *xxkey = s->pmk; size_t xxkey_len = 32; bool sha384 = (s->akm_suite & - IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384); + (IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384 | + IE_RSN_AKM_SUITE_FT_OVER_8021X_SHA384)); /* * In a Fast Transition initial mobility domain association @@ -562,7 +566,10 @@ bool handshake_state_derive_ptk(struct handshake_state *s) */ if (s->akm_suite == IE_RSN_AKM_SUITE_FT_OVER_8021X) xxkey = s->pmk + 32; - else if (s->akm_suite & (IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256 | + else if (s->akm_suite == IE_RSN_AKM_SUITE_FT_OVER_8021X_SHA384) { + xxkey = s->pmk; + xxkey_len = s->pmk_len; + } else if (s->akm_suite & (IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256 | IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384)) { xxkey = s->fils_ft; xxkey_len = s->fils_ft_len; 
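Review bot: In the `@@ -562,7 +566,10 @@` hunk the FT-8021X-SHA384 branch sets `xxkey_len = s->pmk_len` with no range check, and the `xxkey = s->pmk;` beside it only repeats the initialiser a few lines above. The comment this patch adds in `handshake_state_get_pmkid` (last hunk of the patch, which takes `key_len = s->pmk_len` the same way) says the standard expects the first 384 bits of the MSK while the PMK length varies with the EAP method. A PMK shorter than 48 bytes would therefore silently feed a shorter key into the SHA384 derivation; rejecting that case with `if (s->pmk_len < 48) return false;`, or at least logging it, would make the deviation visible. `handshake_state_derive_ptk` starts and ends outside these hunks.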
@@ -626,7 +633,8 @@ const uint8_t *handshake_state_get_kck(struct handshake_state *s) size_t handshake_state_get_kck_len(struct handshake_state *s) { - if (s->akm_suite & IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384) + if (s->akm_suite & (IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384 | + IE_RSN_AKM_SUITE_FT_OVER_8021X_SHA384)) return 24; return 16; 
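Review bot: `handshake_state_get_kck_len` now returns 24 for FT-8021X-SHA384, but no hunk in this patch touches the matching KEK length getter, and patch 6/9 switches `handshake_decode_fte_key` over to `handshake_state_get_kek_len(s)`. Patch 4/9 puts this AKM into the same `mic_len` switch as OWE in `eapol_decrypt_key_data`, which suggests its KEK length is not always the 16-byte default. If the getter (not shown on this page) still returns the default for the new AKM, FTE key unwrapping would run with the wrong KEK length, so it should gain the same `IE_RSN_AKM_SUITE_FT_OVER_8021X_SHA384` term that is added here.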
@@ -767,7 +775,16 @@ bool handshake_state_get_pmkid(struct handshake_state *s, uint8_t *out_pmkid) * (Note SAE/FILS were left out as they generate their own PMKID) */ - if (s->akm_suite & (IE_RSN_AKM_SUITE_8021X_SHA256 | + if (s->akm_suite & IE_RSN_AKM_SUITE_FT_OVER_8021X_SHA384) { + sha = L_CHECKSUM_SHA384; + /* + * According to 12.7.1.6.3 the key length should be: + * "the first 384 bits of the MSK". Unfortunately hostapd uses + * the PMK length directly which can vary depending on the EAP + * method... + */ + key_len = s->pmk_len; + } else if (s->akm_suite & (IE_RSN_AKM_SUITE_8021X_SHA256 | IE_RSN_AKM_SUITE_PSK_SHA256 | IE_RSN_AKM_SUITE_FT_OVER_8021X | IE_RSN_AKM_SUITE_FT_USING_PSK)) From patchwork Mon Apr 10 22:01:32 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: James Prestwood X-Patchwork-Id: 13206780 Received: from mail-pj1-f49.google.com (mail-pj1-f49.google.com [209.85.216.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 83458848B for ; Mon, 10 Apr 2023 22:01:45 +0000 (UTC) Received: by mail-pj1-f49.google.com with SMTP id g3so7145434pja.2 for ; Mon, 10 Apr 2023 15:01:45 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; t=1681164105; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=GzyAvla2h/PtWpg1As1BMSo4N4qFyW32W/KmbcinQ6E=; b=hyD7n0Fc5m4EDo094fPJca8QfhmXcSvIPkmGQHnwYZFdLQThjiasj2BqCx57Mh20Di pd2GN/0bB7y+cxddN2/Etk+Tq/QX/UUV+Luk8d7VzBjI2ZMmRmv4yB1lJj+ybB70CWkG EBz3vMpYBxGxjqq5jpxQZ7/NuyKSfGIpc0lCdpGSurYMVzme7WV/g0PCEzcUW7CN5yHQ DbOh+iDo8fJmZbAHOq28KS22KVTosSsnQD4NA869oDHjZHDK8QLsHeCu8hSnKo6JC5uf MaB4McNd5p0BdYx68jKfdgY0JN0BTYHvazRpukBCNm8aRnJFE2aDeF/ExbtejtjykN1g Wdag== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; 
d=1e100.net; s=20210112; t=1681164105; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=GzyAvla2h/PtWpg1As1BMSo4N4qFyW32W/KmbcinQ6E=; b=hyidJHwIb8pGoMi8SG/D+ZJ0OAb0w4miMvpJlnpZbaYfH1xLGSaYoTZ1GPBUCI0Hj8 nombHrYO6pwYeuCcYfL57z+ZLkPm8DiXd80VsopFq/Bn3D1M3v1416ItlvMQo3Ctp5og 3yipW2XcC44JpGtzuYoe71QvteYw0tl8ewlHox4gxXjKknb5kX2oY1XWmo6j2QZ2SbEE 4S8o3/zPu0LruDQJV4H179MJvul08P8cSHSUrPL6kTX2ZhgV7qIr2bS3ZM3VvSC7X+Qt 6Jq+O5IKkoDjw6PudgEflUO/iIZcTp1hihmJkNKPMnwee1jglwZ3jk+oRnCMN/RteFFn YbQg== X-Gm-Message-State: AAQBX9fTiUHtbNYNB56ZMxShKHO+pTUC2aTJrUx8myhkP3mJGE+UUlJ5 uM6qnRI0ADCRRTwKVzAhu+nq1x+vLfNVyA== X-Google-Smtp-Source: AKy350addaaIJMGNdr4oEm+3y5RAkDhyPmE9KdHHQOdbw0EZuyMLDmFYu+Z0jV5Bwg10xQjtDZvGEw== X-Received: by 2002:a17:903:234c:b0:1a1:9787:507d with SMTP id c12-20020a170903234c00b001a19787507dmr14748189plh.3.1681164104828; Mon, 10 Apr 2023 15:01:44 -0700 (PDT) Received: from localhost.localdomain ([50.39.172.77]) by smtp.gmail.com with ESMTPSA id s18-20020a170902b19200b001a2806ae2f7sm8263372plr.83.2023.04.10.15.01.44 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 10 Apr 2023 15:01:44 -0700 (PDT) From: James Prestwood To: iwd@lists.linux.dev Cc: James Prestwood Subject: [PATCH 6/9] handshake: remove hardcoded kek_len for FTE decode Date: Mon, 10 Apr 2023 15:01:32 -0700 Message-Id: <20230410220135.373872-7-prestwoj@gmail.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20230410220135.373872-1-prestwoj@gmail.com> References: <20230410220135.373872-1-prestwoj@gmail.com> Precedence: bulk X-Mailing-List: iwd@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 The KEK length should be obtained with the getter to ensure the AKM is taken into account --- src/handshake.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/handshake.c b/src/handshake.c index 362ff58a..70aeda37 100644 
--- a/src/handshake.c +++ b/src/handshake.c 
@@ -1035,7 +1035,7 @@ bool handshake_decode_fte_key(struct handshake_state *s, const uint8_t *wrapped, size_t key_len, uint8_t *key_out) { const uint8_t *kek; - size_t kek_len = 16; + size_t kek_len = handshake_state_get_kek_len(s); size_t padded_len = key_len < 16 ? 16 : align_len(key_len, 8); if (s->akm_suite & (IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256 | From patchwork Mon Apr 10 22:01:33 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: James Prestwood X-Patchwork-Id: 13206781 Received: from mail-pj1-f44.google.com (mail-pj1-f44.google.com [209.85.216.44]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1128F2F3F for ; Mon, 10 Apr 2023 22:01:46 +0000 (UTC) Received: by mail-pj1-f44.google.com with SMTP id pc4-20020a17090b3b8400b0024676052044so5988605pjb.1 for ; Mon, 10 Apr 2023 15:01:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; t=1681164105; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=Fftl90G35wQIDMJQzVx8ImcbDkHItMN2E2yrbFBzmRA=; b=bnWeecI6X95WtaBUWGazHSRcTNTKy5sWHLGbD4A7tof0tbQO6WAfzIiQ1UAwmWmWCG sCQ7L57K6l/DTHzpN7NJKCj0Jo72k7yhvyvRPErxz6j38tDyFYz7IaUDlY4+51b6Awme qCHswXsGPtmhh1Qq8jkl11XZtLtI5Fp5AJ6fREyMleSwfEUb2BOkmTVIpJZDh2T6Xvoq cX/fg7sKnLGuQ4s39QV8n/ZA/q0nunfaSBuBmTNdzUtqkqGf/Zgn157J61nJwqFHzVoM aKrAvRgA+5BLhITc8CvrHsRFsKkJFiWfl3IGblyhpXC8mVxzQcBIcUBZZaKJElpVgh/Y kY3Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1681164105; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Fftl90G35wQIDMJQzVx8ImcbDkHItMN2E2yrbFBzmRA=; 
b=MK2nYO3mfK299RetA5PN0K0wd+9RSUFlCVaUfDfYUq4g4M7hfuz5UjtKQ3C+rixXCJ zwbMsnXq/9OdCS+BN2o7N3mWA2ngTsqby+tiWA7I2DXqNpiqZtq2fjdmNmo4xx7RwI5q DyLA6Y5dzGZtwc4nrNWHdaZrvUZjyy4DJ0jFJU71B5e7rudpqysCEUb9TWFzIGxnZINZ ePnBH6i5t3Jn9Cw6KMypwybFqX3UACNmLY+aQ9eerAK3HE3pWmfcCAPu5nzoeW4Df2WC FLArxaPvRBrkfEqd88BK638hRgtH394DNDl5IJm49pY3tY5ZCsmISATXaEm6JT+UR76u IlEg== X-Gm-Message-State: AAQBX9fMldVSOSc3yLssv++D/R48zkwUxRkL4YaTSNzP/HFW1oin70in A1+i7xkN6C+TwOowN0yTw5QmRkBhyrmloA== X-Google-Smtp-Source: AKy350adVRWVURlAQUY4B918gDH4XNQLFtEqiat9EG/J3OJveswUBICDug/tvLoXCkSmzTTqwh4GHg== X-Received: by 2002:a17:902:dacb:b0:1a5:150f:8558 with SMTP id q11-20020a170902dacb00b001a5150f8558mr16186680plx.17.1681164105474; Mon, 10 Apr 2023 15:01:45 -0700 (PDT) Received: from localhost.localdomain ([50.39.172.77]) by smtp.gmail.com with ESMTPSA id s18-20020a170902b19200b001a2806ae2f7sm8263372plr.83.2023.04.10.15.01.44 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 10 Apr 2023 15:01:45 -0700 (PDT) From: James Prestwood To: iwd@lists.linux.dev Cc: James Prestwood Subject: [PATCH 7/9] common: add FT-8021X-SHA384 to AKM_IS_8021X Date: Mon, 10 Apr 2023 15:01:33 -0700 Message-Id: <20230410220135.373872-8-prestwoj@gmail.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20230410220135.373872-1-prestwoj@gmail.com> References: <20230410220135.373872-1-prestwoj@gmail.com> Precedence: bulk X-Mailing-List: iwd@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Without this the AKM shows up as WEP. --- src/common.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/common.c b/src/common.c index ea7b0ca0..91979423 100644 --- a/src/common.c +++ b/src/common.c 
@@ -78,6 +78,7 @@ bool security_from_str(const char *str, enum security *security) akm & (IE_RSN_AKM_SUITE_8021X | \ IE_RSN_AKM_SUITE_8021X_SHA256 | \ IE_RSN_AKM_SUITE_FT_OVER_8021X | \ + IE_RSN_AKM_SUITE_FT_OVER_8021X_SHA384 | \ IE_RSN_AKM_SUITE_FILS_SHA256 | \ IE_RSN_AKM_SUITE_FILS_SHA384 | \ IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256 | \ From patchwork Mon Apr 10 22:01:34 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: James Prestwood X-Patchwork-Id: 13206782 Received: from mail-pj1-f48.google.com (mail-pj1-f48.google.com [209.85.216.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C2D108820 for ; Mon, 10 Apr 2023 22:01:46 +0000 (UTC) Received: by mail-pj1-f48.google.com with SMTP id v9so11235528pjk.0 for ; Mon, 10 Apr 2023 15:01:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; t=1681164106; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=po88psfApkRhiOaO8e1T1smH/0ARPZGbU3XkdwXaLJM=; b=BmjToActnEcMQ3jQP362941rRkhhWQFSfIOGMY69eiItWCePacsyL4wKWCF0StPU91 E7YYb8erXX9uVoSaSz5Vq8fdnAnQMZflT389wSsNU0SOOTZvVL3iTmy52dN4eFDMbjwo nfOHQVjvQSB+OoOYN6dCNrzxeX8WtZxY/0ZnZAuhcBCEN91Kg9/qbbnnnTLom3/dXKDD LV5w33NDhWB9q2UjUMvTn2qP2CeUkvnHQonWheri3S++W+Z6J+2hkT9fV4f3/bM9pGep PzmADe361tbGPTA1MMsoXOATvs8lLPNucPrlMPQmYyfOdGMHvELUnUsaioAAsd++nstG TKOw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1681164106; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=po88psfApkRhiOaO8e1T1smH/0ARPZGbU3XkdwXaLJM=; b=qTKe8KEpDuzAJde+dIqjxzXvDdYeX4pKoKX0lKSJtERjXxoTYMihfehuC55uXwhXGj 
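Review bot: The `AKM_IS_8021X` mask is a hand-maintained list with nothing to remind the next contributor to extend it. The commit message says a suite missing from it shows up as WEP, so a newly added 802.1X AKM would be misreported as the weakest security type until someone revisits this macro. I would put a comment above the macro such as `/* Keep in sync with enum ie_rsn_akm_suite: an 802.1X suite missing here is reported as WEP */`. The macro starts and ends outside the hunk, so other suites may be missing as well; that cannot be judged from these lines.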
gFLkJdyMn9crzz93kPI/TsU002qZPktzitbwl9MmzIQbYCmFQFmjs+mrvs8JP4Fbr2Ls jPqCIelwLY1pPyVJCz2tQ8xMPR8sqa1awVu6Xq8/0eLrP7yQg91sHiZgBNEBaIGj9XUw VCOm6FaNHR0PPNPHOf7PHJuuKzJUc2Wmh0oiDaL/SnigTQ/TI3G8E2eajU8YzXK75v19 7NdQDrWh8iSouj4LDPEnFBx715c1KHk+q0Qm2NVAZuGS5H2+E+EBoYPiUhblCnlhFt/p XcpQ== X-Gm-Message-State: AAQBX9eCSy+/inNnPGjhweML4nkUrwq0KjiOhxwCM/AL1yLfZnH75lIy NZD289Lj51tmYu0mVzpzmXOyUF9TGSHAuw== X-Google-Smtp-Source: AKy350Zz0epVJ6ab8KFHMrwaJY2Ao7dXONssG8y9AoVUBctXF7mYfAz8HIR4vOrNfk2ydJtLDxk3tQ== X-Received: by 2002:a17:903:2452:b0:1a6:3def:6007 with SMTP id l18-20020a170903245200b001a63def6007mr635699pls.7.1681164106131; Mon, 10 Apr 2023 15:01:46 -0700 (PDT) Received: from localhost.localdomain ([50.39.172.77]) by smtp.gmail.com with ESMTPSA id s18-20020a170902b19200b001a2806ae2f7sm8263372plr.83.2023.04.10.15.01.45 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 10 Apr 2023 15:01:45 -0700 (PDT) From: James Prestwood To: iwd@lists.linux.dev Cc: James Prestwood Subject: [PATCH 8/9] wiphy: add FT-8021X-SHA384 to supported AKMs Date: Mon, 10 Apr 2023 15:01:34 -0700 Message-Id: <20230410220135.373872-9-prestwoj@gmail.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20230410220135.373872-1-prestwoj@gmail.com> References: <20230410220135.373872-1-prestwoj@gmail.com> Precedence: bulk X-Mailing-List: iwd@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 This AKM is now possible to choose from the list. --- src/wiphy.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/wiphy.c b/src/wiphy.c index 2db2d2cd..40ab0a0b 100644 --- a/src/wiphy.c +++ b/src/wiphy.c 
@@ -281,6 +281,12 @@ enum ie_rsn_akm_suite wiphy_select_akm(struct wiphy *wiphy, return IE_RSN_AKM_SUITE_FILS_SHA256; } + if ((info->akm_suites & + IE_RSN_AKM_SUITE_FT_OVER_8021X_SHA384) && + bss->rsne && bss->mde_present && + wiphy->support_cmds_auth_assoc) + return IE_RSN_AKM_SUITE_FT_OVER_8021X_SHA384; + if ((info->akm_suites & IE_RSN_AKM_SUITE_FT_OVER_8021X) && bss->rsne && bss->mde_present && wiphy->support_cmds_auth_assoc) From patchwork Mon Apr 10 22:01:35 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: James Prestwood X-Patchwork-Id: 13206783 Received: from mail-pl1-f175.google.com (mail-pl1-f175.google.com [209.85.214.175]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 677732F3F for ; Mon, 10 Apr 2023 22:01:47 +0000 (UTC) Received: by mail-pl1-f175.google.com with SMTP id o2so5878032plg.4 for ; Mon, 10 Apr 2023 15:01:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; t=1681164106; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=FHHCIa+REkf5NO0B3gbOMDtFmu+SyNSnD9c74Ql0EmE=; b=YqqEMnHTBkepv5oELsOot+meaEsFg8uIfrtEgt/u23GjFy0PLLZ+Bvuhdhs2Jmr8zr OFo8TAw7PJIIzPaf2YGxkWdIPN+N0uJygJm0f0nI/w3AUjPFX2lRNXHqv0mYPVLrmVTI FbRwpY79cAHCn+7NX9GjFVYgZucA19/yYGzmr4bGF75Ir/Knl/RJi0U8k6dQo9g6ZvY8 DHWZvZ5/pZUSulQIHlNGFbTBo2fZwGcZ3/uTGxVNPPFTDONN7snU9hL1NYqrqBt1tTBr 04ILWpDDhYrnFQPRW7pwQYK3GAj1rGkUxBMtkhOAmN7Xtxu4e8plGN8ZdOZ2gIrGY8pW 7ikw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1681164106; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=FHHCIa+REkf5NO0B3gbOMDtFmu+SyNSnD9c74Ql0EmE=; 
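Review bot: The order of the two FT-over-802.1X checks is what makes the SHA384 suite win when an AP advertises both, and nothing in the new block says so. A later reorder would quietly prefer the weaker suite, so I would add `/* Prefer FT-8021X-SHA384 over FT-8021X; this check must stay first */` above the new `if`. The new condition also repeats `bss->rsne && bss->mde_present && wiphy->support_cmds_auth_assoc` from the block below it; hoisting that into one local, e.g. `bool ft_ok = bss->rsne && bss->mde_present && wiphy->support_cmds_auth_assoc;`, keeps the two branches from drifting apart. wiphy_select_akm starts and ends outside the hunk.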
b=ZF6s29tEaKsRsCML8i0NQjp/bSK1c2tgxSbWQXibnOcc5RC7Ttru1YhKftXqHAVYRe efJQO6wyEWmE00fsJJsBpe99vYqd1txZzhtso34BwvnLERm6+ANIrig6DOR1hhOdKpOh 8+2JihTYFE1Dsr34YofrgydsDih7zcFAoz8caTP4Q8qKVLOUD+QsnDEracreLLxG8BbS 48+FbY+n5YjH6MGEdwuiV43Bj6nQopNqxW/qlk8rHTjUzEXTKIvrBCfUIOZ8z5haSmoa vy4T4DaHCWA+tKlAZ4Pj1felaTUduLv4oriQCyj8ZRz7s0dnj97wm2qQdXo1BUbaVnfm eHKA== X-Gm-Message-State: AAQBX9e8X9HrTW7MBZyTXT7hks4X43vJBT37CbycJ6h3cN3vnE5FxlZb smhBx1K2VS5085kxblorT7Ucw8RBpx4Ifg== X-Google-Smtp-Source: AKy350YgKihs8rhvxa0oa5B4j52cY44ziK2oXqeczBRmHOpPRXkaxrBD9345SDem4tTrN/bf6BURTA== X-Received: by 2002:a17:903:2344:b0:1a1:b65c:dea7 with SMTP id c4-20020a170903234400b001a1b65cdea7mr16791521plh.47.1681164106666; Mon, 10 Apr 2023 15:01:46 -0700 (PDT) Received: from localhost.localdomain ([50.39.172.77]) by smtp.gmail.com with ESMTPSA id s18-20020a170902b19200b001a2806ae2f7sm8263372plr.83.2023.04.10.15.01.46 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 10 Apr 2023 15:01:46 -0700 (PDT) From: James Prestwood To: iwd@lists.linux.dev Cc: James Prestwood Subject: [PATCH 9/9] auto-t: update testFT-8021x-roam with SHA384 test Date: Mon, 10 Apr 2023 15:01:35 -0700 Message-Id: <20230410220135.373872-10-prestwoj@gmail.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20230410220135.373872-1-prestwoj@gmail.com> References: <20230410220135.373872-1-prestwoj@gmail.com> Precedence: bulk X-Mailing-List: iwd@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 --- autotests/testFT-8021x-roam/connection_test.py | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/autotests/testFT-8021x-roam/connection_test.py b/autotests/testFT-8021x-roam/connection_test.py index 356a9af2..2a4fe9e1 100644 --- a/autotests/testFT-8021x-roam/connection_test.py +++ b/autotests/testFT-8021x-roam/connection_test.py 
@@ -10,7 +10,7 @@ from hostapd import HostapdCLI import testutil class Test(unittest.TestCase): - def test_roam_success(self): + def validate(self): wd = IWD(True) device = wd.list_devices(1)[0] @@ -50,6 +50,22 @@ class Test(unittest.TestCase): self.assertRaises(Exception, testutil.test_ifaces_connected, (self.bss_hostapd[0].ifname, device.name, True, True)) + def test_ft_8021x_sha256(self): + self.bss_hostapd[0].set_value('wpa_key_mgmt', 'FT-EAP') + self.bss_hostapd[0].reload() + self.bss_hostapd[1].set_value('wpa_key_mgmt', 'FT-EAP') + self.bss_hostapd[1].reload() + + self.validate() + + def test_ft_8021x_sha3846(self): + self.bss_hostapd[0].set_value('wpa_key_mgmt', 'FT-EAP-SHA384') + self.bss_hostapd[0].reload() + self.bss_hostapd[1].set_value('wpa_key_mgmt', 'FT-EAP-SHA384') + self.bss_hostapd[1].reload() + + self.validate() + def tearDown(self): os.system('ip link set "' + self.bss_hostapd[0].ifname + '" down') os.system('ip link set "' + self.bss_hostapd[1].ifname + '" down')
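Review bot: The second new test is named `test_ft_8021x_sha3846`; the trailing `6` looks like a typo and the line should read `def test_ft_8021x_sha384(self):`. unittest still collects it because of the `test_` prefix, but the name will be wrong in reports and in `-k` filters. The two tests also repeat the same `set_value`/`reload` pair for each hostapd instance; a loop such as `for hapd in self.bss_hostapd:` with `hapd.set_value('wpa_key_mgmt', 'FT-EAP-SHA384')` and `hapd.reload()` says the same thing once per test.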