~alpine/aports

community/iwd: add fixes for FT connect and EAP-PEAP v1 PROPOSED

Milan P. Stanić <mps@arvanta.net>
Milan P. Stanić: 1
 community/iwd: add fixes for FT connect and EAP-PEAP

 3 files changed, 173 insertions(+), 1 deletions(-)

[alpine-aports] [PATCH] community/iwd: add fixes for FT connect and EAP-PEAP

Milan P. Stanić <mps@arvanta.net>
---
 community/iwd/APKBUILD                |  6 +-
 community/iwd/fix-EAP-PEAP.patch      | 73 ++++++++++++++++++++
 community/iwd/fix-FT-connecting.patch | 95 +++++++++++++++++++++++++++
 3 files changed, 173 insertions(+), 1 deletion(-)
 create mode 100644 community/iwd/fix-EAP-PEAP.patch
 create mode 100644 community/iwd/fix-FT-connecting.patch

diff --git a/community/iwd/APKBUILD b/community/iwd/APKBUILD
index c10a9f68c5..ff73037fef 100644
--- a/community/iwd/APKBUILD
+++ b/community/iwd/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Milan P. Stanić <mps@arvanta.net>
pkgname=iwd
pkgver=0.17
pkgrel=0
pkgrel=1
pkgdesc="Internet Wireless Daemon"
url="https://iwd.wiki.kernel.org/"
arch="all"
@@ -12,6 +12,8 @@ checkdepends="coreutils"
subpackages="$pkgname-doc $pkgname-openrc"
source="https://mirrors.edge.kernel.org/pub/linux/network/wireless/$pkgname-${pkgver}.tar.gz
	dbus-netdev-group.patch
	fix-FT-connecting.patch
	fix-EAP-PEAP.patch
	iwd.initd
	"
builddir="$srcdir/$pkgname-${pkgver}"
@@ -46,4 +48,6 @@ package() {

sha512sums="b698c022633dd0618a37584f365af5f28dc96015c6b0d85cb652cfe36d1ef0c53b27a8b0e2be8ef36e982ce0a10f59b67bf2f679b3a25782aba2422f09753e4a  iwd-0.17.tar.gz
7d3bc26b558ebfd22335b946f09abd5326e885275979c617af7def1468ade23ba7605f3b13aaf91836035c130aaec04be0ff2708a898f3ae835e0eef4e78fa0e  dbus-netdev-group.patch
f4887fee305ec9c082d748e4f2d8574072d75a6511ecc8e6bedc4b1d72aa48a91a37d33fcb9c5fcd8b817b900383fedf15562fea53d03dd1068bbb0b4db2acfa  fix-FT-connecting.patch
2b047d677a1e660ba3af43b41ec3596ddcd50b6088427c380bd13dc549f8ced7fe47f58106e2839cc9cf1af0401d7d2236fdb227d9232af42d7420c3a36b4294  fix-EAP-PEAP.patch
1a913fa19a76a18d92b8f44cb5b4b99a64b4e2f7d2b4a486bf1ba2f939aea7dcca772fca91483011ada58aaa3addc29c76ececd708b2187e57f72aa040ac77e6  iwd.initd"
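--- /dev/null
+++ b/community/iwd/fix-EAP-PEAP.patch
@@ -0,0 +1,73 @@
+From b768e26f1d40674cfc2d37df8c3a34444ccce530 Mon Sep 17 00:00:00 2001
+From: Denis Kenzior <denkenz@gmail.com>
+Date: Thu, 18 Apr 2019 10:46:37 -0500
+Subject: [PATCH] Revert "mschaputil: use util_get_username"
+
+This reverts commit 1e337259ceb9de011f188e4376f1171a4c9cc43c.
+
+Using util_get_username was wrong in this context.  MSCHAPv2 expects us
+to only strip the domain name from identities of the form
+domain\identity.  util_get_username would also strip identities of the
+form username@domain.com.
+---
+ Makefile.am      |  1 -
+ src/mschaputil.c | 17 +++++++++++++++--
+ 2 files changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index bd68d0f0..ef0d9442 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -427,7 +427,6 @@ unit_test_wsc_LDADD = $(ell_ldadd)
+ unit_test_eap_mschapv2_SOURCES = src/eap-mschapv2.h src/eap-mschapv2.c \
+ 				src/eap.c src/eap.h src/eap-private.h \
+ 				src/mschaputil.h src/mschaputil.c \
+-				src/util.h src/util.c \
+ 				unit/test-eap-mschapv2.c
+ unit_test_eap_mschapv2_LDADD = $(ell_ldadd)
+ 
+diff --git a/src/mschaputil.c b/src/mschaputil.c
+index 05e24f1f..b1ccf630 100644
+--- a/src/mschaputil.c
++++ b/src/mschaputil.c
+@@ -28,7 +28,6 @@
+ 
+ #include "src/missing.h"
+ #include "src/mschaputil.h"
+-#include "src/util.h"
+ 
+ /**
+  * Internal function for generate_nt_response.
+@@ -126,6 +125,20 @@ cleanup:
+ 	return r;
+ }
+ 
++static const char *mschapv2_exlude_domain_name(const char *username)
++{
++	const char *c;
++
++	for (c = username; *c; c++) {
++		if (*c != '\\')
++			continue;
++
++		return c + 1;
++	}
++
++	return username;
++}
++
+ /**
+  * Internal function to generate the challenge used in nt_response
+  * https://tools.ietf.org/html/rfc2759
+@@ -148,7 +161,7 @@ static bool mschapv2_challenge_hash(const uint8_t *peer_challenge,
+ 	if (!check)
+ 		return false;
+ 
+-	username = util_get_username(username);
++	username = mschapv2_exlude_domain_name(username);
+ 
+ 	l_checksum_update(check, peer_challenge, 16);
+ 	l_checksum_update(check, server_challenge, 16);
+-- 
+2.21.0
+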
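Review bot: `mschapv2_exlude_domain_name` has no comment stating its contract, even though the string it returns is what `mschapv2_challenge_hash` feeds into the MSCHAPv2 challenge, so a silent change here breaks authentication rather than failing loudly. I would add `/* Strip a leading "domain\" prefix only; user@realm identities are returned unchanged */` above it, which records the distinction the commit message draws against util_get_username. The name carries a typo (`exlude`), and the loop is equivalent to `const char *sep = strchr(username, '\\'); return sep ? sep + 1 : username;`, which needs `<string.h>` (the include list is only partly visible in the hunk). An identity with more than one backslash keeps everything after the first one; whether that is intended is not stated.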
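--- /dev/null
+++ b/community/iwd/fix-FT-connecting.patch
@@ -0,0 +1,95 @@
+From edade7f19c8c29eabba5e2ed7308fe2d6d831c80 Mon Sep 17 00:00:00 2001
+From: Denis Kenzior <denkenz@gmail.com>
+Date: Mon, 15 Apr 2019 15:32:28 -0500
+Subject: [PATCH] netdev: Fix handshake failures on FT-PSK + FullMac
+
+The latest refactoring ended up assuming that FT related elements would
+be handled in netdev_associate_event.  However, FullMac cards (that do
+not generate netdev_associate_event) could still connect using FT AKMs
+and perform the Initial mobility association.  In such cases the FTE
+element was required but ended up not being set into the handshake.
+This caused the handshake to fail during PTK 1_of_4 processing.
+
+Fix this by making sure that FTE + related info is set into the
+handshake, albeit with a lower sanity checking level since the
+elements have been processed by the firmware already.
+
+Note that it is currently impossible for actual FTs to be performed on
+FullMac cards, so the extra logic and sanity checking to handle these
+can be skipped.
+---
+ src/netdev.c | 44 ++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 44 insertions(+)
+
+diff --git a/src/netdev.c b/src/netdev.c
+index b5c7be94..56fc67c9 100644
+--- a/src/netdev.c
++++ b/src/netdev.c
+@@ -1753,6 +1753,8 @@ static void netdev_connect_event(struct l_genl_msg *msg, struct netdev *netdev)
+ 	const uint8_t *ies = NULL;
+ 	size_t ies_len = 0;
+ 	struct ie_tlv_iter iter;
++	const uint8_t *resp_ies = NULL;
++	size_t resp_ies_len;
+ 
+ 	l_debug("");
+ 
+@@ -1786,6 +1788,10 @@ static void netdev_connect_event(struct l_genl_msg *msg, struct netdev *netdev)
+ 			ies = data;
+ 			ies_len = len;
+ 			break;
++		case NL80211_ATTR_RESP_IE:
++			resp_ies = data;
++			resp_ies_len = len;
++			break;
+ 		}
+ 	}
+ 
+@@ -1834,6 +1840,44 @@ static void netdev_connect_event(struct l_genl_msg *msg, struct netdev *netdev)
+ 		}
+ 	}
+ 
++	if (resp_ies) {
++		const uint8_t *fte = NULL;
++		struct ie_ft_info ft_info;
++
++		ie_tlv_iter_init(&iter, resp_ies, resp_ies_len);
++
++		while (ie_tlv_iter_next(&iter)) {
++			data = ie_tlv_iter_get_data(&iter);
++
++			switch (ie_tlv_iter_get_tag(&iter)) {
++			case IE_TYPE_FAST_BSS_TRANSITION:
++				fte = data - 2;
++				break;
++			}
++		}
++
++		if (fte) {
++			/*
++			 * If we are here, then most likely we have a FullMac
++			 * hw performing initial mobility association.  We need
++			 * to set the FTE element or the handshake will fail
++			 * The firmware accepted the FTE element, so do not
++			 * sanitize the contents and just assume they're okay.
++			 */
++			if (ie_parse_fast_bss_transition_from_data(fte,
++						fte[1] + 2, &ft_info) >= 0) {
++				handshake_state_set_fte(netdev->handshake, fte);
++				handshake_state_set_kh_ids(netdev->handshake,
++							ft_info.r0khid,
++							ft_info.r0khid_len,
++							ft_info.r1khid);
++			} else {
++				l_info("CMD_CONNECT Succeeded, but parsing FTE"
++					" failed.  Expect handshake failure");
++			}
++		}
++	}
++
+ 	if (netdev->sm) {
+ 		/*
+ 		 * Start processing EAPoL frames now that the state machine
+-- 
+2.21.0
+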
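Review bot: In the new `if (fte)` block, the FTE comes from the Association Response IEs, which the AP chooses, and it is stored with `handshake_state_set_fte` and `handshake_state_set_kh_ids` after only the `ie_parse_fast_bss_transition_from_data` return check. The comment justifies this with "the firmware accepted the FTE", which is a trust assumption about the driver rather than a check. I would extend the comment to name the later step relied on to reject a bad FTE (presumably the comparison during the 4-way handshake, which is outside this hunk). `fte = data - 2` and `fte[1] + 2` also depend on `ie_tlv_iter_next` having bounds-checked the element, which is not visible here, and a repeated FTE silently overrides the earlier one. Separately, `size_t resp_ies_len;` would be more consistent as `size_t resp_ies_len = 0;`, matching `ies_len = 0` on the line above; netdev_connect_event continues outside the hunk.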
-- 
2.20.1


