From: Tim Kourt <tim.a.kourt@linux.intel.com>
To: iwd@lists.01.org
Subject: [PATCH 2/6] peap: Delay key installation until success of Phase 2
Date: Thu, 05 Dec 2019 13:13:50 -0800	[thread overview]
Message-ID: <20191205211354.19075-2-tim.a.kourt@linux.intel.com> (raw)
In-Reply-To: <20191205211354.19075-1-tim.a.kourt@linux.intel.com>


Previously, the key was installed as soon as the tunnel was created,
regardless of the outcome of the second authentication phase. Now, the
key installation is delayed until the successful completion of
the second authentication phase. This avoids unnecessary
operations in the case of a failure and avoids key reinstallation
when crypto-binding is in use.
---
 src/eap-peap.c | 27 ++++++++++++++++++++++-----
 1 file changed, 22 insertions(+), 5 deletions(-)

diff --git a/src/eap-peap.c b/src/eap-peap.c
index c400ddee..eb0b0c5f 100644
--- a/src/eap-peap.c
+++ b/src/eap-peap.c
@@ -43,6 +43,8 @@
 
 struct peap_state {
 	struct eap_state *phase2;
+
+	uint8_t key[128];
 };
 
 static void eap_peap_phase2_send_response(const uint8_t *pdu, size_t pdu_len,
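Review bot: The new `key[128]` field carries no comment, yet it now holds tunnel-derived keying material across the whole Phase 2 exchange and its lifetime is spread over four functions in this patch. A one-line comment on the field would tell the next reader where it is filled and where it is cleared, e.g. `/* MSK/EMSK bytes from the tunnel PRF; installed and zeroed on Phase 2 success, also zeroed on reset/destroy */`. The length 128 is repeated as a literal in eap_peap_tunnel_ready, so a named constant for it, or `sizeof(peap_state->key)` at the use site, would keep the two in step.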
@@ -66,6 +68,7 @@ static void eap_peap_phase2_send_response(const uint8_t *pdu, size_t pdu_len,
 static void eap_peap_phase2_complete(enum eap_result result, void *user_data)
 {
 	struct eap_state *eap = user_data;
+	struct peap_state *peap_state;
 
 	l_debug("result: %d", result);
 
@@ -94,6 +97,12 @@ static void eap_peap_phase2_complete(enum eap_result result, void *user_data)
 		return;
 	}
 
+	peap_state = eap_tls_common_get_variant_data(eap);
+
+	eap_set_key_material(eap, peap_state->key + 0, 64, NULL, 0, NULL,
+								0, NULL, 0);
+	explicit_bzero(peap_state->key, sizeof(peap_state->key));
+
 	eap_method_success(eap);
 }
 
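Review bot: The five-line install-and-wipe sequence added here is duplicated verbatim in eap_extensions_handle_request (the next hunk), and the only thing the two `struct peap_state *peap_state` declarations in the preceding hunks serve is that copy. A small static helper placed above eap_peap_phase2_complete would remove the duplication and make the two declarations unnecessary. It is not visible from this hunk whether both success paths can run in one session; if they can, the second call would install the already-zeroed buffer, so the helper is also the natural place to guard against installing twice. The early `return;` at the top of this hunk looks like the Phase 2 failure path; the derived key then stays in peap_state->key until reset or destroy wipe it, which the later hunks do handle. eap_peap_phase2_complete starts outside this hunk.
```c
/* Install the MSK derived at tunnel-ready time and drop the local copy. */
static void eap_peap_install_key(struct eap_state *eap)
{
	struct peap_state *peap_state = eap_tls_common_get_variant_data(eap);

	eap_set_key_material(eap, peap_state->key + 0, 64, NULL, 0, NULL,
								0, NULL, 0);
	explicit_bzero(peap_state->key, sizeof(peap_state->key));
}

/* … unchanged: eap_peap_phase2_complete result handling … */
	eap_peap_install_key(eap);

	eap_method_success(eap);
}
```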
@@ -174,6 +183,7 @@ static void eap_extensions_handle_request(struct eap_state *eap,
 							const uint8_t *pkt,
 							size_t len)
 {
+	struct peap_state *peap_state;
 	uint8_t response[EAP_EXTENSIONS_HEADER_LEN +
 					EAP_EXTENSIONS_AVP_HEADER_LEN + 2];
 	int r = eap_extensions_handle_result_avp(eap, pkt, len, response);
@@ -199,13 +209,19 @@ static void eap_extensions_handle_request(struct eap_state *eap,
 		return;
 	}
 
+	peap_state = eap_tls_common_get_variant_data(eap);
+
+	eap_set_key_material(eap, peap_state->key + 0, 64, NULL, 0, NULL,
+								0, NULL, 0);
+	explicit_bzero(peap_state->key, sizeof(peap_state->key));
+
 	eap_method_success(eap);
 }
 
 static bool eap_peap_tunnel_ready(struct eap_state *eap,
 						const char *peer_identity)
 {
-	uint8_t msk_emsk[128];
+	struct peap_state *peap_state = eap_tls_common_get_variant_data(eap);
 
 	/*
 	* PEAPv1: draft-josefsson-pppext-eap-tls-eap-05, Section 2.1.1
@@ -217,10 +233,7 @@ static bool eap_peap_tunnel_ready(struct eap_state *eap,
 
 	/* MSK, EMSK and challenge derivation */
 	eap_tls_common_tunnel_prf_get_bytes(eap, true, "client EAP encryption",
-								msk_emsk, 128);
-
-	eap_set_key_material(eap, msk_emsk + 0, 64, NULL, 0, NULL, 0, NULL, 0);
-	explicit_bzero(msk_emsk, sizeof(msk_emsk));
+						peap_state->key, 128);
 
 	eap_tls_common_send_empty_response(eap);
 
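Review bot: The PRF call now writes into the struct field but still passes the literal `128`, so the buffer length and the requested length are only coincidentally equal; `peap_state->key, sizeof(peap_state->key));` ties the two together. The surviving comment `/* MSK, EMSK and challenge derivation */` no longer describes the whole step, since installation has moved out of this function; extending it to `/* MSK, EMSK and challenge derivation; the MSK is installed only once Phase 2 succeeds */` would record the new contract at the point where the bytes are produced. eap_peap_tunnel_ready begins and ends outside this hunk.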
@@ -286,6 +299,8 @@ static void eap_peap_state_reset(void *variant_data)
 		return;
 
 	eap_reset(peap_state->phase2);
+
+	explicit_bzero(peap_state->key, sizeof(peap_state->key));
 }
 
 static void eap_peap_state_destroy(void *variant_data)
@@ -298,6 +313,8 @@ static void eap_peap_state_destroy(void *variant_data)
 	eap_reset(peap_state->phase2);
 	eap_free(peap_state->phase2);
 
+	explicit_bzero(peap_state->key, sizeof(peap_state->key));
+
 	l_free(peap_state);
 }
 
-- 
2.13.6
