From: James Prestwood <prestwoj@gmail.com>
To: iwd@lists.linux.dev
Cc: James Prestwood <prestwoj@gmail.com>
Subject: [PATCH 1/2] handshake: include additional sha256 AKMs for PMKID generation
Date: Tue, 4 Apr 2023 13:38:22 -0700 [thread overview]
Message-ID: <20230404203823.384260-1-prestwoj@gmail.com> (raw)
The 802.11 spec defines what AKMs should use sha256 to derive the
PMKID. Hostapd commit b6d3fd05e3 changed the PMKID derivation in
accordance with 802.11-2020 which then breaks PMKID validation in
IWD. This breaks FT-PSK/8021x AKMs in IWD if the AP uses this
hostapd version.
Updating IWD to use sha256 in these cases will now break backwards
compatibility with *older* APs, but this will be worked around in
future commits.
---
src/handshake.c | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/src/handshake.c b/src/handshake.c
index 734e997c..e4c856bb 100644
--- a/src/handshake.c
+++ b/src/handshake.c
@@ -753,10 +753,23 @@ bool handshake_state_get_pmkid(struct handshake_state *s, uint8_t *out_pmkid)
* preauthentication, the AKM has not yet been negotiated. In this
* case, the HMAC-SHA1-128 based derivation is used for the PMKID
* calculation."
+ *
+ * 802.11-2020 Table 9-151 defines the hashing algorithm to use
+ * for various AKM's. SHA256 should be used for the following
+ * AKM's (for this API context):
+ *
+ * 00-0F-AC:3 (FT-8021X)
+ * 00-0F-AC:4 (FT-PSK)
+ * 00-0F-AC:5 (8021X-SHA256)
+ * 00-0F-AC:6 (PSK-SHA256)
+ *
+ * (Note SAE/FILS were left out as they generate their own PMKID)
*/
if (s->akm_suite & (IE_RSN_AKM_SUITE_8021X_SHA256 |
- IE_RSN_AKM_SUITE_PSK_SHA256))
+ IE_RSN_AKM_SUITE_PSK_SHA256 |
+ IE_RSN_AKM_SUITE_FT_OVER_8021X |
+ IE_RSN_AKM_SUITE_FT_USING_PSK))
use_sha256 = true;
else
use_sha256 = false;
--
2.25.1
next reply other threads:[~2023-04-04 20:38 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-04 20:38 James Prestwood [this message]
2023-04-04 20:38 ` [PATCH 2/2] eapol: warn rather than reject invalid PMKID (for EAP) James Prestwood
2023-04-09 17:22 ` Denis Kenzior
2023-04-09 17:21 ` [PATCH 1/2] handshake: include additional sha256 AKMs for PMKID generation Denis Kenzior
2023-04-10 17:10 ` James Prestwood
2023-04-16 16:37 ` Denis Kenzior
2023-04-17 19:35 ` James Prestwood
2023-04-23 23:05 ` Denis Kenzior
2023-09-05 16:33 ` Johnson, Bryce
2023-09-05 16:52 ` James Prestwood
2023-09-05 19:09 ` James Prestwood
2023-09-07 20:40 ` Johnson, Bryce
2023-09-08 13:33 ` James Prestwood
2023-09-08 14:01 ` Johnson, Bryce
2023-09-08 14:11 ` James Prestwood
2023-09-26 15:16 ` Bryce Johnson
2023-09-26 15:51 ` James Prestwood
2023-09-26 16:54 ` Bryce Johnson
2023-09-26 17:13 ` James Prestwood
2023-09-26 19:18 ` Denis Kenzior
2023-09-27 15:56 ` Bryce Johnson
2023-09-27 16:13 ` James Prestwood
2023-09-27 16:47 ` Denis Kenzior
2023-09-27 16:53 ` James Prestwood
2023-09-27 16:40 ` Denis Kenzior
2023-04-09 17:23 ` Denis Kenzior
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230404203823.384260-1-prestwoj@gmail.com \
--to=prestwoj@gmail.com \
--cc=iwd@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).