authorMilan P. Stanić <mps@arvanta.net>2019-04-18 19:17:50 +0200
committerKevin Daudt <kdaudt@alpinelinux.org>2019-04-20 16:49:28 +0000
commit1d1980f62acdf1dbf1b6d5c4194825fee1da03ca (patch)
treec951e882948d453fc05074ddf881682ceac3a24a /community/iwd
parent69a9ea7c6090fed7795a9ee182ea4d86b9b2ebc4 (diff)
community/iwd: add fixes for FT connect and EAP-PEAP
Diffstat (limited to 'community/iwd')
-rw-r--r--community/iwd/APKBUILD6
-rw-r--r--community/iwd/fix-EAP-PEAP.patch73
-rw-r--r--community/iwd/fix-FT-connecting.patch95
3 files changed, 173 insertions, 1 deletions
diff --git a/community/iwd/APKBUILD b/community/iwd/APKBUILD
index c10a9f68c5..ff73037fef 100644
--- a/community/iwd/APKBUILD
+++ b/community/iwd/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Milan P. Stanić <mps@arvanta.net>
pkgname=iwd
pkgver=0.17
-pkgrel=0
+pkgrel=1
pkgdesc="Internet Wireless Daemon"
url="https://iwd.wiki.kernel.org/"
arch="all"
@@ -12,6 +12,8 @@ checkdepends="coreutils"
subpackages="$pkgname-doc $pkgname-openrc"
source="https://mirrors.edge.kernel.org/pub/linux/network/wireless/$pkgname-${pkgver}.tar.gz
dbus-netdev-group.patch
+ fix-FT-connecting.patch
+ fix-EAP-PEAP.patch
iwd.initd
"
builddir="$srcdir/$pkgname-${pkgver}"
@@ -46,4 +48,6 @@ package() {
sha512sums="b698c022633dd0618a37584f365af5f28dc96015c6b0d85cb652cfe36d1ef0c53b27a8b0e2be8ef36e982ce0a10f59b67bf2f679b3a25782aba2422f09753e4a iwd-0.17.tar.gz
7d3bc26b558ebfd22335b946f09abd5326e885275979c617af7def1468ade23ba7605f3b13aaf91836035c130aaec04be0ff2708a898f3ae835e0eef4e78fa0e dbus-netdev-group.patch
+f4887fee305ec9c082d748e4f2d8574072d75a6511ecc8e6bedc4b1d72aa48a91a37d33fcb9c5fcd8b817b900383fedf15562fea53d03dd1068bbb0b4db2acfa fix-FT-connecting.patch
+2b047d677a1e660ba3af43b41ec3596ddcd50b6088427c380bd13dc549f8ced7fe47f58106e2839cc9cf1af0401d7d2236fdb227d9232af42d7420c3a36b4294 fix-EAP-PEAP.patch
1a913fa19a76a18d92b8f44cb5b4b99a64b4e2f7d2b4a486bf1ba2f939aea7dcca772fca91483011ada58aaa3addc29c76ececd708b2187e57f72aa040ac77e6 iwd.initd"
diff --git a/community/iwd/fix-EAP-PEAP.patch b/community/iwd/fix-EAP-PEAP.patch
new file mode 100644
index 0000000000..90c918cfb4
--- /dev/null
+++ b/community/iwd/fix-EAP-PEAP.patch
@@ -0,0 +1,73 @@
+From b768e26f1d40674cfc2d37df8c3a34444ccce530 Mon Sep 17 00:00:00 2001
+From: Denis Kenzior <denkenz@gmail.com>
+Date: Thu, 18 Apr 2019 10:46:37 -0500
+Subject: [PATCH] Revert "mschaputil: use util_get_username"
+
+This reverts commit 1e337259ceb9de011f188e4376f1171a4c9cc43c.
+
+Using util_get_username was wrong in this context. MSCHAPv2 expects us
+to only strip the domain name from identities of the form
+domain\identity. util_get_username would also strip identities of the
+form username@domain.com.
+---
+ Makefile.am | 1 -
+ src/mschaputil.c | 17 +++++++++++++++--
+ 2 files changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index bd68d0f0..ef0d9442 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -427,7 +427,6 @@ unit_test_wsc_LDADD = $(ell_ldadd)
+ unit_test_eap_mschapv2_SOURCES = src/eap-mschapv2.h src/eap-mschapv2.c \
+ src/eap.c src/eap.h src/eap-private.h \
+ src/mschaputil.h src/mschaputil.c \
+- src/util.h src/util.c \
+ unit/test-eap-mschapv2.c
+ unit_test_eap_mschapv2_LDADD = $(ell_ldadd)
+
+diff --git a/src/mschaputil.c b/src/mschaputil.c
+index 05e24f1f..b1ccf630 100644
+--- a/src/mschaputil.c
++++ b/src/mschaputil.c
+@@ -28,7 +28,6 @@
+
+ #include "src/missing.h"
+ #include "src/mschaputil.h"
+-#include "src/util.h"
+
+ /**
+ * Internal function for generate_nt_response.
+@@ -126,6 +125,20 @@ cleanup:
+ return r;
+ }
+
++static const char *mschapv2_exlude_domain_name(const char *username)
++{
++ const char *c;
++
++ for (c = username; *c; c++) {
++ if (*c != '\\')
++ continue;
++
++ return c + 1;
++ }
++
++ return username;
++}
++
+ /**
+ * Internal function to generate the challenge used in nt_response
+ * https://tools.ietf.org/html/rfc2759
+@@ -148,7 +161,7 @@ static bool mschapv2_challenge_hash(const uint8_t *peer_challenge,
+ if (!check)
+ return false;
+
+- username = util_get_username(username);
++ username = mschapv2_exlude_domain_name(username);
+
+ l_checksum_update(check, peer_challenge, 16);
+ l_checksum_update(check, server_challenge, 16);
+--
+2.21.0
+
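Review bot: The new helper `mschapv2_exlude_domain_name` in the src/mschaputil.c hunk carries no comment and its name misspells "exclude". The revert exists because the identity form feeds the MSCHAPv2 challenge hash, so the contract should be written down. I would add above it `/* Strip only a "domain\" prefix; "user@realm" is hashed unchanged, as MSCHAPv2 expects. */` and state that the split is at the first backslash. The loop is equivalent to `const char *c = strchr(username, '\\'); return c ? c + 1 : username;`, which reads more directly, provided `<string.h>` is already in scope (the hunk does not show it). mschapv2_challenge_hash starts and ends outside the hunk.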
diff --git a/community/iwd/fix-FT-connecting.patch b/community/iwd/fix-FT-connecting.patch
new file mode 100644
index 0000000000..d1f16daac2
--- /dev/null
+++ b/community/iwd/fix-FT-connecting.patch
@@ -0,0 +1,95 @@
+From edade7f19c8c29eabba5e2ed7308fe2d6d831c80 Mon Sep 17 00:00:00 2001
+From: Denis Kenzior <denkenz@gmail.com>
+Date: Mon, 15 Apr 2019 15:32:28 -0500
+Subject: [PATCH] netdev: Fix handshake failures on FT-PSK + FullMac
+
+The latest refactoring ended up assuming that FT related elements would
+be handled in netdev_associate_event. However, FullMac cards (that do
+not generate netdev_associate_event) could still connect using FT AKMs
+and perform the Initial mobility association. In such cases the FTE
+element was required but ended up not being set into the handshake.
+This caused the handshake to fail during PTK 1_of_4 processing.
+
+Fix this by making sure that FTE + related info is set into the
+handshake, albeit with a lower sanity checking level since the
+elements have been processed by the firmware already.
+
+Note that it is currently impossible for actual FTs to be performed on
+FullMac cards, so the extra logic and sanity checking to handle these
+can be skipped.
+---
+ src/netdev.c | 44 ++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 44 insertions(+)
+
+diff --git a/src/netdev.c b/src/netdev.c
+index b5c7be94..56fc67c9 100644
+--- a/src/netdev.c
++++ b/src/netdev.c
+@@ -1753,6 +1753,8 @@ static void netdev_connect_event(struct l_genl_msg *msg, struct netdev *netdev)
+ const uint8_t *ies = NULL;
+ size_t ies_len = 0;
+ struct ie_tlv_iter iter;
++ const uint8_t *resp_ies = NULL;
++ size_t resp_ies_len;
+
+ l_debug("");
+
+@@ -1786,6 +1788,10 @@ static void netdev_connect_event(struct l_genl_msg *msg, struct netdev *netdev)
+ ies = data;
+ ies_len = len;
+ break;
++ case NL80211_ATTR_RESP_IE:
++ resp_ies = data;
++ resp_ies_len = len;
++ break;
+ }
+ }
+
+@@ -1834,6 +1840,44 @@ static void netdev_connect_event(struct l_genl_msg *msg, struct netdev *netdev)
+ }
+ }
+
++ if (resp_ies) {
++ const uint8_t *fte = NULL;
++ struct ie_ft_info ft_info;
++
++ ie_tlv_iter_init(&iter, resp_ies, resp_ies_len);
++
++ while (ie_tlv_iter_next(&iter)) {
++ data = ie_tlv_iter_get_data(&iter);
++
++ switch (ie_tlv_iter_get_tag(&iter)) {
++ case IE_TYPE_FAST_BSS_TRANSITION:
++ fte = data - 2;
++ break;
++ }
++ }
++
++ if (fte) {
++ /*
++ * If we are here, then most likely we have a FullMac
++ * hw performing initial mobility association. We need
++ * to set the FTE element or the handshake will fail
++ * The firmware accepted the FTE element, so do not
++ * sanitize the contents and just assume they're okay.
++ */
++ if (ie_parse_fast_bss_transition_from_data(fte,
++ fte[1] + 2, &ft_info) >= 0) {
++ handshake_state_set_fte(netdev->handshake, fte);
++ handshake_state_set_kh_ids(netdev->handshake,
++ ft_info.r0khid,
++ ft_info.r0khid_len,
++ ft_info.r1khid);
++ } else {
++ l_info("CMD_CONNECT Succeeded, but parsing FTE"
++ " failed. Expect handshake failure");
++ }
++ }
++ }
++
+ if (netdev->sm) {
+ /*
+ * Start processing EAPoL frames now that the state machine
+--
+2.21.0
+
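Review bot: The comment in the `if (fte)` block treats firmware acceptance as validation, but the response IEs originate from the AP. That leaves `ie_parse_fast_bss_transition_from_data` as the only check between over-the-air bytes and `handshake_state_set_fte` / `handshake_state_set_kh_ids`; whether it bounds `ft_info.r0khid_len` is not visible here and is worth confirming. `fte = data - 2` relies on the iterator's data pointer sitting directly after a two-byte tag/length header, which deserves a comment such as `/* step back over the tag and length octets */`. For consistency with `ies_len = 0`, I would declare `size_t resp_ies_len = 0;`, although it is only read when `resp_ies` is set. netdev_connect_event starts and ends outside these hunks.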