jeltz
/
hostap
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
hostap/src/rsn_supp/wpa.c

5249 lines
144 KiB
C
Raw Normal View History

Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
/*
* WPA Supplicant - WPA state machine and EAPOL-Key processing
FT: Support variable length keys This is a step in adding support for SHA384-based FT AKM. Signed-off-by: Jouni Malinen <j@w1.fi>
2018-06-04 14:16:54 +02:00
* Copyright (c) 2003-2018, Jouni Malinen <j@w1.fi>
wpa_supplicant: Add GTK RSC relaxation workaround Some APs may send RSC octets in EAPOL-Key message 3 of 4-Way Handshake or in EAPOL-Key message 1 of Group Key Handshake in the opposite byte order (or by some other corrupted way). Thus, after a successful EAPOL-Key exchange the TSC values of received multicast packets, such as DHCP, don't match the RSC one and as a result these packets are dropped on replay attack TSC verification. An example of such AP is Sapido RB-1732. Work around this by setting RSC octets to 0 on GTK installation if the AP RSC value is identified as a potentially having the byte order issue. This may open a short window during which older (but valid) group-addressed frames could be replayed. However, the local receive counter will be updated on the first received group-addressed frame and the workaround is enabled only if the common invalid cases are detected, so this workaround is acceptable as not decreasing security significantly. The wpa_rsc_relaxation global configuration property allows the GTK RSC workaround to be disabled if it's not needed. Signed-off-by: Max Stepanov <Max.Stepanov@intel.com>
2015-10-14 11:26:33 +02:00
* Copyright(c) 2015 Intel Deutschland GmbH
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
*
Remove the GPL notification from files contributed by Jouni Malinen Remove the GPL notification text from the files that were initially contributed by myself. Signed-hostap: Jouni Malinen <j@w1.fi>
2012-02-11 15:46:35 +01:00
* This software may be distributed under the terms of the BSD license.
* See README for more details.
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
*/
#include "includes.h"
#include "common.h"
FILS: Use AEAD cipher to protect EAPOL-Key frames (STA) This modifies wpa_eapol_key_send() to use AEAD cipher (AES-SIV for FILS AKMs) to provide both integrity protection for the EAPOL-Key frame and encryption for the Key Data field. It should be noted that this starts encrypting the Key Data field in EAPOL-Key message 2/4 while it remains unencrypted (but integrity protected) in non-FILS cases. Similarly, the empty Key Data field in EAPOL-Key message 4/4 gets encrypted for AEAD cases. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-03 11:34:23 +02:00
#include "crypto/aes.h"
Remove src/crypto from default include path In addition, start ordering header file includes to be in more consistent order: system header files, src/utils, src/*, same directory as the *.c file.
2009-11-29 22:04:43 +01:00
#include "crypto/aes_wrap.h"
#include "crypto/crypto.h"
Annotate places depending on strong random numbers This commit adds a new wrapper, random_get_bytes(), that is currently defined to use os_get_random() as is. The places using random_get_bytes() depend on the returned value being strong random number, i.e., something that is infeasible for external device to figure out. These values are used either directly as a key or as nonces/challenges that are used as input for key derivation or authentication. The remaining direct uses of os_get_random() do not need as strong random numbers to function correctly.
2010-11-24 00:05:20 +01:00
#include "crypto/random.h"
FILS: Use AEAD cipher to protect EAPOL-Key frames (STA) This modifies wpa_eapol_key_send() to use AEAD cipher (AES-SIV for FILS AKMs) to provide both integrity protection for the EAPOL-Key frame and encryption for the Key Data field. It should be noted that this starts encrypting the Key Data field in EAPOL-Key message 2/4 while it remains unencrypted (but integrity protected) in non-FILS cases. Similarly, the empty Key Data field in EAPOL-Key message 4/4 gets encrypted for AEAD cases. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-03 11:34:23 +02:00
#include "crypto/aes_siv.h"
OWE: Process Diffie-Hellman Parameter element in STA mode This adds STA side addition of OWE Diffie-Hellman Parameter element into (Re)Association Request frame and processing it in (Re)Association Response frame. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 10:53:21 +01:00
#include "crypto/sha256.h"
OWE: Support DH groups 20 (NIST P-384) and 21 (NIST P-521) in station This extends OWE support in wpa_supplicant to allow DH groups 20 and 21 to be used in addition to the mandatory group 19 (NIST P-256). The group is configured using the new network profile parameter owe_group. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-08 15:39:08 +02:00
#include "crypto/sha384.h"
#include "crypto/sha512.h"
Remove src/crypto from default include path In addition, start ordering header file includes to be in more consistent order: system header files, src/utils, src/*, same directory as the *.c file.
2009-11-29 22:04:43 +01:00
#include "common/ieee802_11_defs.h"
FILS: Authentication frame processing (STA) Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-07 23:14:13 +02:00
#include "common/ieee802_11_common.h"
OCV: Insert OCI in 4-way and group key handshake If Operating Channel Verification is negotiated, include the OCI KDE element in EAPOL-Key msg 2/4 and 3/4 of the 4-way handshake and both messages of the group key handshake. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-08-06 21:46:27 +02:00
#include "common/ocv.h"
DPP: Allow version number to be overridden for testing purposes "SET dpp_version_override <ver>" can now be used to request wpa_supplicant and hostapd to support a subset of DPP versions. In practice, the only valid case for now is to fall back from DPP version 2 support to version 1 in builds that include CONFIG_DPP2=y. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-01 20:07:42 +02:00
#include "common/dpp.h"
OCV: Report OCI validation failures with OCV-FAILURE messages (STA) Convert the previously used text log entries to use the more formal OCV-FAILURE prefix and always send these as control interface events to allow upper layers to get information about unexpected operating channel mismatches. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-29 23:24:15 +02:00
#include "common/wpa_ctrl.h"
FILS: Fix PMK and PMKID derivation from ERP This adds helper functions for deriving PMK and PMKID from ERP exchange in FILS shared key authentication as defined in IEEE Std 802.11ai-2016, 12.12.2.5.2 (PMKSA key derivation with FILS authentication). These functions is used to fix PMK and PMKID derivation which were previously using the rMSK directly as PMK instead of following the FILS protocol to derive PMK with HMAC from nonces and rMSK. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-01-13 20:06:21 +01:00
#include "eap_common/eap_defs.h"
Remove src/crypto from default include path In addition, start ordering header file includes to be in more consistent order: system header files, src/utils, src/*, same directory as the *.c file.
2009-11-29 22:04:43 +01:00
#include "eapol_supp/eapol_supp_sm.h"
OCV: Insert OCI in 4-way and group key handshake If Operating Channel Verification is negotiated, include the OCI KDE element in EAPOL-Key msg 2/4 and 3/4 of the 4-way handshake and both messages of the group key handshake. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-08-06 21:46:27 +02:00
#include "drivers/driver.h"
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
#include "wpa.h"
#include "eloop.h"
#include "preauth.h"
#include "pmksa_cache.h"
#include "wpa_i.h"
#include "wpa_ie.h"
wpa_supplicant: Add GTK RSC relaxation workaround Some APs may send RSC octets in EAPOL-Key message 3 of 4-Way Handshake or in EAPOL-Key message 1 of Group Key Handshake in the opposite byte order (or by some other corrupted way). Thus, after a successful EAPOL-Key exchange the TSC values of received multicast packets, such as DHCP, don't match the RSC one and as a result these packets are dropped on replay attack TSC verification. An example of such AP is Sapido RB-1732. Work around this by setting RSC octets to 0 on GTK installation if the AP RSC value is identified as a potentially having the byte order issue. This may open a short window during which older (but valid) group-addressed frames could be replayed. However, the local receive counter will be updated on the first received group-addressed frame and the workaround is enabled only if the common invalid cases are detected, so this workaround is acceptable as not decreasing security significantly. The wpa_rsc_relaxation global configuration property allows the GTK RSC workaround to be disabled if it's not needed. Signed-off-by: Max Stepanov <Max.Stepanov@intel.com>
2015-10-14 11:26:33 +02:00
static const u8 null_rsc[8] = { 0, 0, 0, 0, 0, 0, 0, 0 };
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
/**
* wpa_eapol_key_send - Send WPA/RSN EAPOL-Key message
* @sm: Pointer to WPA state machine data from wpa_sm_init()
RSN: Pass full PTK to wpa_eapol_key_send() instead of KCK only This will be needed to be able to implement AEAD cipher support from FILS that will need to use KEK to protect the frame. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-03 11:31:55 +02:00
* @ptk: PTK for Key Confirmation/Encryption Key
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
* @ver: Version field from Key Info
* @dest: Destination address for the frame
* @proto: Ethertype (usually ETH_P_EAPOL)
* @msg: EAPOL-Key message
* @msg_len: Length of message
* @key_mic: Pointer to the buffer to which the EAPOL-Key MIC is written
RSN: Check result of EAPOL-Key frame send request Provide information on whether EAPOL-Key frame was sent successfully to kernel for transmittion. wpa_eapol_key_send() will return >= 0 on success and < 0 on failure. After receiving EAPOL-Key msg 3/4, wpa_supplicant sends EAPOL-Key msg 4/4 and shows CTRL-EVENT-CONNECTED only after verifying that the msg 4/4 was sent to kernel for transmission successfully. Signed-off-by: Avichal Agarwal <avichal.a@samsung.com> Signed-off-by: Kyeong-Chae Lim <kcya.lim@samsung.com>
2015-10-27 07:47:15 +01:00
* Returns: >= 0 on success, < 0 on failure
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
*/
RSN: Pass full PTK to wpa_eapol_key_send() instead of KCK only This will be needed to be able to implement AEAD cipher support from FILS that will need to use KEK to protect the frame. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-03 11:31:55 +02:00
int wpa_eapol_key_send(struct wpa_sm *sm, struct wpa_ptk *ptk,
RSN: Check result of EAPOL-Key frame send request Provide information on whether EAPOL-Key frame was sent successfully to kernel for transmittion. wpa_eapol_key_send() will return >= 0 on success and < 0 on failure. After receiving EAPOL-Key msg 3/4, wpa_supplicant sends EAPOL-Key msg 4/4 and shows CTRL-EVENT-CONNECTED only after verifying that the msg 4/4 was sent to kernel for transmission successfully. Signed-off-by: Avichal Agarwal <avichal.a@samsung.com> Signed-off-by: Kyeong-Chae Lim <kcya.lim@samsung.com>
2015-10-27 07:47:15 +01:00
int ver, const u8 *dest, u16 proto,
u8 *msg, size_t msg_len, u8 *key_mic)
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
{
RSN: Check result of EAPOL-Key frame send request Provide information on whether EAPOL-Key frame was sent successfully to kernel for transmittion. wpa_eapol_key_send() will return >= 0 on success and < 0 on failure. After receiving EAPOL-Key msg 3/4, wpa_supplicant sends EAPOL-Key msg 4/4 and shows CTRL-EVENT-CONNECTED only after verifying that the msg 4/4 was sent to kernel for transmission successfully. Signed-off-by: Avichal Agarwal <avichal.a@samsung.com> Signed-off-by: Kyeong-Chae Lim <kcya.lim@samsung.com>
2015-10-27 07:47:15 +01:00
int ret = -1;
DPP: Add new AKM This new AKM is used with DPP when using the signed Connector to derive a PMK. Since the KCK, KEK, and MIC lengths are variable within a single AKM, this needs number of additional changes to get the PMK length delivered to places that need to figure out the lengths of the PTK components. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-17 22:48:52 +02:00
size_t mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
Preparations for variable length KCK and KEK This modifies struct wpa_ptk to allow the length of KCK and KEK to be stored. This is needed to allow longer keys to be used, e.g., with Suite B 192-bit level. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-25 15:49:18 +01:00
Print the algorithms used for EAPOL-Key professing in log This makes it easier to debug crypto algorithm selection for 4-way handshake related functions. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 18:43:39 +01:00
wpa_printf(MSG_DEBUG, "WPA: Send EAPOL-Key frame to " MACSTR
" ver=%d mic_len=%d key_mgmt=0x%x",
MAC2STR(dest), ver, (int) mic_len, sm->key_mgmt);
Introduced new helper function is_zero_ether_addr() Use this inline function to replace os_memcmp(addr, "\x00\x00\x00\x00\x00\x00", ETH_ALEN) == 0.
2008-06-03 17:08:48 +02:00
if (is_zero_ether_addr(dest) && is_zero_ether_addr(sm->bssid)) {
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
/*
* Association event was not yet received; try to fetch
* BSSID from the driver.
*/
if (wpa_sm_get_bssid(sm, sm->bssid) < 0) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
"WPA: Failed to read BSSID for "
"EAPOL-Key destination address");
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
} else {
dest = sm->bssid;
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
"WPA: Use BSSID (" MACSTR
") as the destination for EAPOL-Key",
MAC2STR(dest));
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
}
}
FILS: Use AEAD cipher to protect EAPOL-Key frames (STA) This modifies wpa_eapol_key_send() to use AEAD cipher (AES-SIV for FILS AKMs) to provide both integrity protection for the EAPOL-Key frame and encryption for the Key Data field. It should be noted that this starts encrypting the Key Data field in EAPOL-Key message 2/4 while it remains unencrypted (but integrity protected) in non-FILS cases. Similarly, the empty Key Data field in EAPOL-Key message 4/4 gets encrypted for AEAD cases. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-03 11:34:23 +02:00
if (mic_len) {
if (key_mic && (!ptk || !ptk->kck_len))
goto out;
if (key_mic &&
wpa_eapol_key_mic(ptk->kck, ptk->kck_len, sm->key_mgmt, ver,
msg, msg_len, key_mic)) {
wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
"WPA: Failed to generate EAPOL-Key version %d key_mgmt 0x%x MIC",
ver, sm->key_mgmt);
goto out;
}
PeerKey: Fix EAPOL-Key processing Commit 6d014ffc6e654e7e802263c55ce568df153a1e1c ('Make struct wpa_eapol_key easier to use with variable length MIC') forgot to update number of EAPOL-Key processing steps for SMK and STK exchanges and broke PeerKey. Fix this by updating the Key Data field pointers to match the new style with variable length Key MIC field. Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-18 18:07:29 +01:00
if (ptk)
wpa_hexdump_key(MSG_DEBUG, "WPA: KCK",
ptk->kck, ptk->kck_len);
FILS: Use AEAD cipher to protect EAPOL-Key frames (STA) This modifies wpa_eapol_key_send() to use AEAD cipher (AES-SIV for FILS AKMs) to provide both integrity protection for the EAPOL-Key frame and encryption for the Key Data field. It should be noted that this starts encrypting the Key Data field in EAPOL-Key message 2/4 while it remains unencrypted (but integrity protected) in non-FILS cases. Similarly, the empty Key Data field in EAPOL-Key message 4/4 gets encrypted for AEAD cases. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-03 11:34:23 +02:00
wpa_hexdump(MSG_DEBUG, "WPA: Derived Key MIC",
key_mic, mic_len);
} else {
#ifdef CONFIG_FILS
/* AEAD cipher - Key MIC field not used */
struct ieee802_1x_hdr *s_hdr, *hdr;
struct wpa_eapol_key *s_key, *key;
u8 *buf, *s_key_data, *key_data;
size_t buf_len = msg_len + AES_BLOCK_SIZE;
size_t key_data_len;
u16 eapol_len;
const u8 *aad[1];
size_t aad_len[1];
if (!ptk || !ptk->kek_len)
goto out;
key_data_len = msg_len - sizeof(struct ieee802_1x_hdr) -
sizeof(struct wpa_eapol_key) - 2;
buf = os_malloc(buf_len);
if (!buf)
goto out;
os_memcpy(buf, msg, msg_len);
hdr = (struct ieee802_1x_hdr *) buf;
key = (struct wpa_eapol_key *) (hdr + 1);
key_data = ((u8 *) (key + 1)) + 2;
/* Update EAPOL header to include AES-SIV overhead */
eapol_len = be_to_host16(hdr->length);
eapol_len += AES_BLOCK_SIZE;
hdr->length = host_to_be16(eapol_len);
/* Update Key Data Length field to include AES-SIV overhead */
WPA_PUT_BE16((u8 *) (key + 1), AES_BLOCK_SIZE + key_data_len);
s_hdr = (struct ieee802_1x_hdr *) msg;
s_key = (struct wpa_eapol_key *) (s_hdr + 1);
s_key_data = ((u8 *) (s_key + 1)) + 2;
wpa_hexdump_key(MSG_DEBUG, "WPA: Plaintext Key Data",
s_key_data, key_data_len);
wpa_hexdump_key(MSG_DEBUG, "WPA: KEK", ptk->kek, ptk->kek_len);
/* AES-SIV AAD from EAPOL protocol version field (inclusive) to
* to Key Data (exclusive). */
aad[0] = buf;
aad_len[0] = key_data - buf;
if (aes_siv_encrypt(ptk->kek, ptk->kek_len,
s_key_data, key_data_len,
1, aad, aad_len, key_data) < 0) {
os_free(buf);
goto out;
}
wpa_hexdump(MSG_DEBUG, "WPA: Encrypted Key Data from SIV",
key_data, AES_BLOCK_SIZE + key_data_len);
os_free(msg);
msg = buf;
msg_len = buf_len;
#else /* CONFIG_FILS */
Verify that EAPOL-Key MIC generation succeeds This can now fail, e.g., if trying to use TKIP in FIPS mode.
2009-08-16 21:35:15 +02:00
goto out;
FILS: Use AEAD cipher to protect EAPOL-Key frames (STA) This modifies wpa_eapol_key_send() to use AEAD cipher (AES-SIV for FILS AKMs) to provide both integrity protection for the EAPOL-Key frame and encryption for the Key Data field. It should be noted that this starts encrypting the Key Data field in EAPOL-Key message 2/4 while it remains unencrypted (but integrity protected) in non-FILS cases. Similarly, the empty Key Data field in EAPOL-Key message 4/4 gets encrypted for AEAD cases. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-03 11:34:23 +02:00
#endif /* CONFIG_FILS */
Verify that EAPOL-Key MIC generation succeeds This can now fail, e.g., if trying to use TKIP in FIPS mode.
2009-08-16 21:35:15 +02:00
}
FILS: Use AEAD cipher to protect EAPOL-Key frames (STA) This modifies wpa_eapol_key_send() to use AEAD cipher (AES-SIV for FILS AKMs) to provide both integrity protection for the EAPOL-Key frame and encryption for the Key Data field. It should be noted that this starts encrypting the Key Data field in EAPOL-Key message 2/4 while it remains unencrypted (but integrity protected) in non-FILS cases. Similarly, the empty Key Data field in EAPOL-Key message 4/4 gets encrypted for AEAD cases. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-03 11:34:23 +02:00
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
wpa_hexdump(MSG_MSGDUMP, "WPA: TX EAPOL-Key", msg, msg_len);
RSN: Check result of EAPOL-Key frame send request Provide information on whether EAPOL-Key frame was sent successfully to kernel for transmittion. wpa_eapol_key_send() will return >= 0 on success and < 0 on failure. After receiving EAPOL-Key msg 3/4, wpa_supplicant sends EAPOL-Key msg 4/4 and shows CTRL-EVENT-CONNECTED only after verifying that the msg 4/4 was sent to kernel for transmission successfully. Signed-off-by: Avichal Agarwal <avichal.a@samsung.com> Signed-off-by: Kyeong-Chae Lim <kcya.lim@samsung.com>
2015-10-27 07:47:15 +01:00
ret = wpa_sm_ether_send(sm, dest, proto, msg, msg_len);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
eapol_sm_notify_tx_eapol_key(sm->eapol);
Verify that EAPOL-Key MIC generation succeeds This can now fail, e.g., if trying to use TKIP in FIPS mode.
2009-08-16 21:35:15 +02:00
out:
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
os_free(msg);
RSN: Check result of EAPOL-Key frame send request Provide information on whether EAPOL-Key frame was sent successfully to kernel for transmittion. wpa_eapol_key_send() will return >= 0 on success and < 0 on failure. After receiving EAPOL-Key msg 3/4, wpa_supplicant sends EAPOL-Key msg 4/4 and shows CTRL-EVENT-CONNECTED only after verifying that the msg 4/4 was sent to kernel for transmission successfully. Signed-off-by: Avichal Agarwal <avichal.a@samsung.com> Signed-off-by: Kyeong-Chae Lim <kcya.lim@samsung.com>
2015-10-27 07:47:15 +01:00
return ret;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
}
/**
* wpa_sm_key_request - Send EAPOL-Key Request
* @sm: Pointer to WPA state machine data from wpa_sm_init()
* @error: Indicate whether this is an Michael MIC error report
* @pairwise: 1 = error report for pairwise packet, 0 = for group packet
*
* Send an EAPOL-Key Request to the current authenticator. This function is
* used to request rekeying and it is usually called when a local Michael MIC
* failure is detected.
*/
void wpa_sm_key_request(struct wpa_sm *sm, int error, int pairwise)
{
Add Suite B 192-bit AKM WPA-EAP-SUITE-B-192 can now be used to select 192-bit level Suite B into use as the key management method. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-25 22:32:01 +01:00
size_t mic_len, hdrlen, rlen;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
struct wpa_eapol_key *reply;
int key_info, ver;
Make struct wpa_eapol_key easier to use with variable length MIC Suite B 192-bit addition from IEEE Std 802.11ac-2013 replaced the previous fixed length Key MIC field with a variable length field. That change was addressed with an addition of a new struct defined for the second MIC length. This is not really scalable and with FILS coming up with a zero-length MIC case for AEAD, a more thorough change to support variable length MIC is needed. Remove the Key MIC and Key Data Length fields from the struct wpa_eapol_key and find their location based on the MIC length information (which is determined by the AKMP). This change allows the separate struct wpa_eapol_key_192 to be removed since struct wpa_eapol_key will now include only the fixed length fields that are shared with all EAPOL-Key cases in IEEE Std 802.11. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-02 21:55:03 +02:00
u8 bssid[ETH_ALEN], *rbuf, *key_mic, *mic;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
STA: Support Extended Key ID Support Extended Key ID in wpa_supplicant according to IEEE Std 802.11-2016 for infrastructure (AP) associations. Extended Key ID allows to rekey pairwise keys without the otherwise unavoidable MPDU losses on a busy link. The standard is fully backward compatible, allowing STAs to also connect to APs not supporting it. Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-20 20:04:32 +01:00
if (pairwise && sm->wpa_deny_ptk0_rekey && !sm->use_ext_key_id &&
STA: Allow PTK rekeying without Ext KeyID to be disabled as a workaround Rekeying a pairwise key using only keyid 0 (PTK0 rekey) has many broken implementations and should be avoided when using or interacting with one. The effects can be triggered by either end of the connection and range from hardly noticeable disconnects over long connection freezes up to leaking clear text MPDUs. To allow affected users to mitigate the issues, add a new configuration option "wpa_deny_ptk0_rekey" to replace all PTK0 rekeys with fast reconnects. Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-01-10 23:19:09 +01:00
wpa_sm_get_state(sm) == WPA_COMPLETED) {
wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
"WPA: PTK0 rekey not allowed, reconnecting");
wpa_sm_reconnect(sm);
return;
}
SAE: Fix EAPOL-Key integrity and key-wrap algorithm selection The SAE AKM 00-0F-AC:8 is supposed to use EAPOL-Key Key Descriptor Version 0 (AKM-defined) with AES-128-CMAC and NIST AES Key Wrap. However, the previous implementation ended up using Key Descriptor Version 2 (HMAC-SHA-1-128 and NIST AES Key Wrap). Fix this by using the appropriate Key Descriptor Version and integrity algorithm. Use helper functions to keep the selection clearer and more consistent between wpa_supplicant and hostapd uses. Note: This change is not backwards compatible. Both the AP and station side implementations will need to be updated at the same time to maintain functionality. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-03-16 12:04:15 +01:00
if (wpa_use_akm_defined(sm->key_mgmt))
HS 2.0R2: Add OSEN client implementation Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-07-23 20:24:05 +02:00
ver = WPA_KEY_INFO_TYPE_AKM_DEFINED;
else if (wpa_key_mgmt_ft(sm->key_mgmt) ||
wpa_key_mgmt_sha256(sm->key_mgmt))
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
ver = WPA_KEY_INFO_TYPE_AES_128_CMAC;
Add support for using GCMP cipher from IEEE 802.11ad This allows both hostapd and wpa_supplicant to be used to derive and configure keys for GCMP. This is quite similar to CCMP key configuration, but a different cipher suite and somewhat different rules are used in cipher selection. It should be noted that GCMP is not included in default parameters at least for now, so explicit pairwise/group configuration is needed to enable it. This may change in the future to allow GCMP to be selected automatically in cases where CCMP could have been used. This commit does not included changes to WPS or P2P to allow GCMP to be used. Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-08-29 10:52:15 +02:00
else if (sm->pairwise_cipher != WPA_CIPHER_TKIP)
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
ver = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
else
ver = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
if (wpa_sm_get_bssid(sm, bssid) < 0) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
"Failed to read BSSID for EAPOL-Key request");
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
return;
}
DPP: Add new AKM This new AKM is used with DPP when using the signed Connector to derive a PMK. Since the KCK, KEK, and MIC lengths are variable within a single AKM, this needs number of additional changes to get the PMK length delivered to places that need to figure out the lengths of the PTK components. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-17 22:48:52 +02:00
mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
Make struct wpa_eapol_key easier to use with variable length MIC Suite B 192-bit addition from IEEE Std 802.11ac-2013 replaced the previous fixed length Key MIC field with a variable length field. That change was addressed with an addition of a new struct defined for the second MIC length. This is not really scalable and with FILS coming up with a zero-length MIC case for AEAD, a more thorough change to support variable length MIC is needed. Remove the Key MIC and Key Data Length fields from the struct wpa_eapol_key and find their location based on the MIC length information (which is determined by the AKMP). This change allows the separate struct wpa_eapol_key_192 to be removed since struct wpa_eapol_key will now include only the fixed length fields that are shared with all EAPOL-Key cases in IEEE Std 802.11. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-02 21:55:03 +02:00
hdrlen = sizeof(*reply) + mic_len + 2;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
Add Suite B 192-bit AKM WPA-EAP-SUITE-B-192 can now be used to select 192-bit level Suite B into use as the key management method. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-25 22:32:01 +01:00
hdrlen, &rlen, (void *) &reply);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
if (rbuf == NULL)
return;
HS 2.0R2 AP: Add OSEN implementation Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-07-23 20:25:21 +02:00
reply->type = (sm->proto == WPA_PROTO_RSN ||
sm->proto == WPA_PROTO_OSEN) ?
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
key_info = WPA_KEY_INFO_REQUEST | ver;
if (sm->ptk_set)
FILS: Set EAPOL-Key Key Info MIC=0 when using AEAD cipher (supplicant) Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-02 23:29:54 +02:00
key_info |= WPA_KEY_INFO_SECURE;
if (sm->ptk_set && mic_len)
key_info |= WPA_KEY_INFO_MIC;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
if (error)
key_info |= WPA_KEY_INFO_ERROR;
if (pairwise)
key_info |= WPA_KEY_INFO_KEY_TYPE;
WPA_PUT_BE16(reply->key_info, key_info);
WPA_PUT_BE16(reply->key_length, 0);
os_memcpy(reply->replay_counter, sm->request_counter,
WPA_REPLAY_COUNTER_LEN);
inc_byte_array(sm->request_counter, WPA_REPLAY_COUNTER_LEN);
Make struct wpa_eapol_key easier to use with variable length MIC Suite B 192-bit addition from IEEE Std 802.11ac-2013 replaced the previous fixed length Key MIC field with a variable length field. That change was addressed with an addition of a new struct defined for the second MIC length. This is not really scalable and with FILS coming up with a zero-length MIC case for AEAD, a more thorough change to support variable length MIC is needed. Remove the Key MIC and Key Data Length fields from the struct wpa_eapol_key and find their location based on the MIC length information (which is determined by the AKMP). This change allows the separate struct wpa_eapol_key_192 to be removed since struct wpa_eapol_key will now include only the fixed length fields that are shared with all EAPOL-Key cases in IEEE Std 802.11. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-02 21:55:03 +02:00
mic = (u8 *) (reply + 1);
WPA_PUT_BE16(mic + mic_len, 0);
Add Suite B 192-bit AKM WPA-EAP-SUITE-B-192 can now be used to select 192-bit level Suite B into use as the key management method. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-25 22:32:01 +01:00
if (!(key_info & WPA_KEY_INFO_MIC))
key_mic = NULL;
else
Make struct wpa_eapol_key easier to use with variable length MIC Suite B 192-bit addition from IEEE Std 802.11ac-2013 replaced the previous fixed length Key MIC field with a variable length field. That change was addressed with an addition of a new struct defined for the second MIC length. This is not really scalable and with FILS coming up with a zero-length MIC case for AEAD, a more thorough change to support variable length MIC is needed. Remove the Key MIC and Key Data Length fields from the struct wpa_eapol_key and find their location based on the MIC length information (which is determined by the AKMP). This change allows the separate struct wpa_eapol_key_192 to be removed since struct wpa_eapol_key will now include only the fixed length fields that are shared with all EAPOL-Key cases in IEEE Std 802.11. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-02 21:55:03 +02:00
key_mic = mic;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
"WPA: Sending EAPOL-Key Request (error=%d "
"pairwise=%d ptk_set=%d len=%lu)",
error, pairwise, sm->ptk_set, (unsigned long) rlen);
RSN: Pass full PTK to wpa_eapol_key_send() instead of KCK only This will be needed to be able to implement AEAD cipher support from FILS that will need to use KEK to protect the frame. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-03 11:31:55 +02:00
wpa_eapol_key_send(sm, &sm->ptk, ver, bssid, ETH_P_EAPOL, rbuf, rlen,
key_mic);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
}
Add support for offloading key management operations to the driver This commit introduces a QCA vendor command and event to provide an option to use extended versions of the nl80211 connect/roam operations in a way that allows drivers to offload key management operations to the driver/firmware. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-10-23 17:21:49 +02:00
static void wpa_supplicant_key_mgmt_set_pmk(struct wpa_sm *sm)
{
#ifdef CONFIG_IEEE80211R
if (sm->key_mgmt == WPA_KEY_MGMT_FT_IEEE8021X) {
if (wpa_sm_key_mgmt_set_pmk(sm, sm->xxkey, sm->xxkey_len))
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
"RSN: Cannot set low order 256 bits of MSK for key management offload");
} else {
#endif /* CONFIG_IEEE80211R */
if (wpa_sm_key_mgmt_set_pmk(sm, sm->pmk, sm->pmk_len))
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
"RSN: Cannot set PMK for key management offload");
#ifdef CONFIG_IEEE80211R
}
#endif /* CONFIG_IEEE80211R */
}
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
static int wpa_supplicant_get_pmk(struct wpa_sm *sm,
const unsigned char *src_addr,
const u8 *pmkid)
{
int abort_cached = 0;
if (pmkid && !sm->cur_pmksa) {
/* When using drivers that generate RSN IE, wpa_supplicant may
* not have enough time to get the association information
* event before receiving this 1/4 message, so try to find a
* matching PMKSA cache entry here. */
Use PMKSA cache entries with only a single network context When looking for PMKSA cache entries to use with a new association, only accept entries created with the same network block that was used to create the cache entry. Signed-hostap: Jouni Malinen <j@w1.fi>
2012-02-04 11:32:35 +01:00
sm->cur_pmksa = pmksa_cache_get(sm->pmksa, src_addr, pmkid,
SAE: Only allow SAE AKMP for PMKSA caching attempts Explicitly check the PMKSA cache entry to have matching SAE AKMP for the case where determining whether to use PMKSA caching instead of new SAE authentication. Previously, only the network context was checked, but a single network configuration profile could be used with both WPA2-PSK and SAE, so should check the AKMP as well. Signed-off-by: Jouni Malinen <j@w1.fi>
2018-04-08 19:06:40 +02:00
NULL, 0);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
if (sm->cur_pmksa) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
"RSN: found matching PMKID from PMKSA cache");
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
} else {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
"RSN: no matching PMKID found");
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
abort_cached = 1;
}
}
if (pmkid && sm->cur_pmksa &&
RSN supplicant: Use os_memcmp_const() for hash/password comparisons This makes the implementation less likely to provide useful timing information to potential attackers from comparisons of information received from a remote device and private material known only by the authorized devices. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-29 19:15:07 +02:00
os_memcmp_const(pmkid, sm->cur_pmksa->pmkid, PMKID_LEN) == 0) {
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
wpa_hexdump(MSG_DEBUG, "RSN: matched PMKID", pmkid, PMKID_LEN);
wpa_sm_set_pmk_from_pmksa(sm);
wpa_hexdump_key(MSG_DEBUG, "RSN: PMK from PMKSA cache",
sm->pmk, sm->pmk_len);
eapol_sm_notify_cached(sm->eapol);
#ifdef CONFIG_IEEE80211R
sm->xxkey_len = 0;
SAE: Fix FT-SAE key derivation for a case where PMKID in msg 1/4 matches Previously, matching PMKSA cache entry ended up clearing XXKey. However, that XXKey is needed in the specific case where FT-SAE goes through the initial mobility domain association with SAE authentication. FT-SAE worked previously since the hostapd side generation of the particular PMKID value in msg 1/4 was broken, but once that PMKID is fixed, wpa_supplicant will need this fix to allow FT-SAE to be used. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-03-23 17:42:21 +01:00
#ifdef CONFIG_SAE
if (sm->key_mgmt == WPA_KEY_MGMT_FT_SAE &&
sm->pmk_len == PMK_LEN) {
/* Need to allow FT key derivation to proceed with
* PMK from SAE being used as the XXKey in cases where
* the PMKID in msg 1/4 matches the PMKSA entry that was
* just added based on SAE authentication for the
* initial mobility domain association. */
os_memcpy(sm->xxkey, sm->pmk, sm->pmk_len);
sm->xxkey_len = sm->pmk_len;
}
#endif /* CONFIG_SAE */
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
#endif /* CONFIG_IEEE80211R */
Added support for using SHA256-based stronger key derivation for WPA2 IEEE 802.11w/D6.0 defines new AKMPs to indicate SHA256-based algorithms for key derivation (and AES-CMAC for EAPOL-Key MIC). Add support for using new AKMPs and clean up AKMP processing with helper functions in defs.h.
2008-08-31 21:57:28 +02:00
} else if (wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt) && sm->eapol) {
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
int res, pmk_len;
FT: Store XXKey/MPMK in PMKSA cache instead of MSK (supplicant) When completing FT initial mobility domain association with EAP, store XXKey/MPMK in the PMKSA cache instead of MSK. The previously stored MSK was of no use since it could not be used as the XXKey for another FT initial mobility domain association using PMKSA caching. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-28 14:48:58 +02:00
#ifdef CONFIG_IEEE80211R
u8 buf[2 * PMK_LEN];
#endif /* CONFIG_IEEE80211R */
Fix Suite B 192-bit AKM to use proper PMK length In addition to the PTK length increasing, the length of the PMK was increased (from 256 to 384 bits) for the 00-0f-ac:12 AKM. This part was missing from the initial implementation and a fixed length (256-bit) PMK was used for all AKMs. Fix this by adding more complete support for variable length PMK and use 384 bits from MSK instead of 256 bits when using this AKM. This is not backwards compatible with the earlier implementations. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-10-14 00:18:11 +02:00
FILS: Fix PMK length for initial connection with FILS SHA384 AKM While the FILS authentication cases were already using the proper PMK length (48 octets instead of the old hardcoded 32 octet), the initial association case had not yet been updated to cover the new FILS SHA384 AKM and ended up using only a 32-octet PMK. Fix that to use 48-octet PMK when using FILS SHA384 AKM. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-16 20:18:18 +01:00
if (wpa_key_mgmt_sha384(sm->key_mgmt))
Fix Suite B 192-bit AKM to use proper PMK length In addition to the PTK length increasing, the length of the PMK was increased (from 256 to 384 bits) for the 00-0f-ac:12 AKM. This part was missing from the initial implementation and a fixed length (256-bit) PMK was used for all AKMs. Fix this by adding more complete support for variable length PMK and use 384 bits from MSK instead of 256 bits when using this AKM. This is not backwards compatible with the earlier implementations. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-10-14 00:18:11 +02:00
pmk_len = PMK_LEN_SUITE_B_192;
else
pmk_len = PMK_LEN;
res = eapol_sm_get_key(sm->eapol, sm->pmk, pmk_len);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
if (res) {
Fix Suite B 192-bit AKM to use proper PMK length In addition to the PTK length increasing, the length of the PMK was increased (from 256 to 384 bits) for the 00-0f-ac:12 AKM. This part was missing from the initial implementation and a fixed length (256-bit) PMK was used for all AKMs. Fix this by adding more complete support for variable length PMK and use 384 bits from MSK instead of 256 bits when using this AKM. This is not backwards compatible with the earlier implementations. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-10-14 00:18:11 +02:00
if (pmk_len == PMK_LEN) {
/*
* EAP-LEAP is an exception from other EAP
* methods: it uses only 16-byte PMK.
*/
res = eapol_sm_get_key(sm->eapol, sm->pmk, 16);
pmk_len = 16;
}
FT: Store XXKey/MPMK in PMKSA cache instead of MSK (supplicant) When completing FT initial mobility domain association with EAP, store XXKey/MPMK in the PMKSA cache instead of MSK. The previously stored MSK was of no use since it could not be used as the XXKey for another FT initial mobility domain association using PMKSA caching. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-28 14:48:58 +02:00
}
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
#ifdef CONFIG_IEEE80211R
FT: Store XXKey/MPMK in PMKSA cache instead of MSK (supplicant) When completing FT initial mobility domain association with EAP, store XXKey/MPMK in the PMKSA cache instead of MSK. The previously stored MSK was of no use since it could not be used as the XXKey for another FT initial mobility domain association using PMKSA caching. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-28 14:48:58 +02:00
if (res == 0 &&
eapol_sm_get_key(sm->eapol, buf, 2 * PMK_LEN) == 0) {
if (wpa_key_mgmt_sha384(sm->key_mgmt)) {
os_memcpy(sm->xxkey, buf, SHA384_MAC_LEN);
sm->xxkey_len = SHA384_MAC_LEN;
} else {
os_memcpy(sm->xxkey, buf + PMK_LEN, PMK_LEN);
sm->xxkey_len = PMK_LEN;
}
More forceful clearing of stack memory with keys gcc 8.3.0 was apparently clever enough to optimize away the previously used os_memset() to explicitly clear a stack buffer that contains keys when that clearing happened just before returning from the function. Since memset_s() is not exactly portable (or commonly available yet..), use a less robust mechanism that is still pretty likely to prevent current compilers from optimizing the explicit clearing of the memory away. Signed-off-by: Jouni Malinen <j@w1.fi>
2019-05-25 23:47:17 +02:00
forced_memzero(buf, sizeof(buf));
FT: Store XXKey/MPMK in PMKSA cache instead of MSK (supplicant) When completing FT initial mobility domain association with EAP, store XXKey/MPMK in the PMKSA cache instead of MSK. The previously stored MSK was of no use since it could not be used as the XXKey for another FT initial mobility domain association using PMKSA caching. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-28 14:48:58 +02:00
if (sm->proto == WPA_PROTO_RSN &&
wpa_key_mgmt_ft(sm->key_mgmt)) {
struct rsn_pmksa_cache_entry *sa = NULL;
const u8 *fils_cache_id = NULL;
#ifdef CONFIG_FILS
if (sm->fils_cache_id_set)
fils_cache_id = sm->fils_cache_id;
#endif /* CONFIG_FILS */
wpa_hexdump_key(MSG_DEBUG,
"FT: Cache XXKey/MPMK",
sm->xxkey, sm->xxkey_len);
sa = pmksa_cache_add(sm->pmksa,
sm->xxkey, sm->xxkey_len,
NULL, NULL, 0,
src_addr, sm->own_addr,
sm->network_ctx,
sm->key_mgmt,
fils_cache_id);
if (!sm->cur_pmksa)
sm->cur_pmksa = sa;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
}
}
FT: Store XXKey/MPMK in PMKSA cache instead of MSK (supplicant) When completing FT initial mobility domain association with EAP, store XXKey/MPMK in the PMKSA cache instead of MSK. The previously stored MSK was of no use since it could not be used as the XXKey for another FT initial mobility domain association using PMKSA caching. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-28 14:48:58 +02:00
#endif /* CONFIG_IEEE80211R */
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
if (res == 0) {
PMKSA: Set cur_pmksa pointer during initial association cur_pmksa was left to NULL during the initial association. This can result in unexpected behavior, e.g., in expiring PMKSA cache entries since the current entry is not locked in that case. Fix this by updated cur_pmksa when adding the initial PMKSA entry during msg 1/4 processing. Signed-hostap: Jouni Malinen <j@w1.fi> intended-for: hostap-1
2012-08-10 17:05:03 +02:00
struct rsn_pmksa_cache_entry *sa = NULL;
FILS: Use FILS Cache Identifier to extend PMKSA applicability This allows PMKSA cache entries for FILS-enabled BSSs to be shared within an ESS when the BSSs advertise the same FILS Cache Identifier value. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-21 11:22:19 +01:00
const u8 *fils_cache_id = NULL;
#ifdef CONFIG_FILS
if (sm->fils_cache_id_set)
fils_cache_id = sm->fils_cache_id;
#endif /* CONFIG_FILS */
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
wpa_hexdump_key(MSG_DEBUG, "WPA: PMK from EAPOL state "
"machines", sm->pmk, pmk_len);
sm->pmk_len = pmk_len;
Add support for offloading key management operations to the driver This commit introduces a QCA vendor command and event to provide an option to use extended versions of the nl80211 connect/roam operations in a way that allows drivers to offload key management operations to the driver/firmware. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-10-23 17:21:49 +02:00
wpa_supplicant_key_mgmt_set_pmk(sm);
FT: Disable PMKSA cache for FT-IEEE8021X wpa_supplicant uses XXKEY instead of PMK to derive PMK-R0 and PMK-R1 for FT-IEEE8021X key mgmt. Signed-off-by: Hong Wu <hong.wu@dspg.com>
2011-07-05 19:49:51 +02:00
if (sm->proto == WPA_PROTO_RSN &&
Suite B: PMKID derivation for AKM 00-0F-AC:11 The new AKM uses a different mechanism of deriving the PMKID based on KCK instead of PMK. hostapd was already doing this after the KCK had been derived, but wpa_supplicant functionality needs to be moved from processing of EAPOL-Key frame 1/4 to 3/4 to have the KCK available. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-16 12:22:46 +01:00
!wpa_key_mgmt_suite_b(sm->key_mgmt) &&
FT: Disable PMKSA cache for FT-IEEE8021X wpa_supplicant uses XXKEY instead of PMK to derive PMK-R0 and PMK-R1 for FT-IEEE8021X key mgmt. Signed-off-by: Hong Wu <hong.wu@dspg.com>
2011-07-05 19:49:51 +02:00
!wpa_key_mgmt_ft(sm->key_mgmt)) {
PMKSA: Set cur_pmksa pointer during initial association cur_pmksa was left to NULL during the initial association. This can result in unexpected behavior, e.g., in expiring PMKSA cache entries since the current entry is not locked in that case. Fix this by updated cur_pmksa when adding the initial PMKSA entry during msg 1/4 processing. Signed-hostap: Jouni Malinen <j@w1.fi> intended-for: hostap-1
2012-08-10 17:05:03 +02:00
sa = pmksa_cache_add(sm->pmksa,
SAE: Fix PMKID calculation for PMKSA cache The SAE PMKID is calculated with IEEE Std 802.11-2012 11.3.5.4, but the PMKID was re-calculated with 11.6.1.3 and saved into PMKSA cache. Fix this to save the PMKID calculated with 11.3.5.4 into the PMKSA cache. Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2016-02-15 03:23:37 +01:00
sm->pmk, pmk_len, NULL,
Suite B: PMKID derivation for AKM 00-0F-AC:11 The new AKM uses a different mechanism of deriving the PMKID based on KCK instead of PMK. hostapd was already doing this after the KCK had been derived, but wpa_supplicant functionality needs to be moved from processing of EAPOL-Key frame 1/4 to 3/4 to have the KCK available. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-16 12:22:46 +01:00
NULL, 0,
PMKSA: Set cur_pmksa pointer during initial association cur_pmksa was left to NULL during the initial association. This can result in unexpected behavior, e.g., in expiring PMKSA cache entries since the current entry is not locked in that case. Fix this by updated cur_pmksa when adding the initial PMKSA entry during msg 1/4 processing. Signed-hostap: Jouni Malinen <j@w1.fi> intended-for: hostap-1
2012-08-10 17:05:03 +02:00
src_addr, sm->own_addr,
sm->network_ctx,
FILS: Use FILS Cache Identifier to extend PMKSA applicability This allows PMKSA cache entries for FILS-enabled BSSs to be shared within an ESS when the BSSs advertise the same FILS Cache Identifier value. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-21 11:22:19 +01:00
sm->key_mgmt,
fils_cache_id);
Moved proto == RSN validation from pmksa_cache.c into the caller
2009-01-13 19:15:06 +01:00
}
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
if (!sm->cur_pmksa && pmkid &&
SAE: Only allow SAE AKMP for PMKSA caching attempts Explicitly check the PMKSA cache entry to have matching SAE AKMP for the case where determining whether to use PMKSA caching instead of new SAE authentication. Previously, only the network context was checked, but a single network configuration profile could be used with both WPA2-PSK and SAE, so should check the AKMP as well. Signed-off-by: Jouni Malinen <j@w1.fi>
2018-04-08 19:06:40 +02:00
pmksa_cache_get(sm->pmksa, src_addr, pmkid, NULL,
0)) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
"RSN: the new PMK matches with the "
"PMKID");
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
abort_cached = 0;
RSN: Stop connection attempt on apparent PMK mismatch If WPA2-Enterprise connection with full EAP authentication (i.e., no PMKSA caching used) results in a PMKID that does not match the one the AP/Authenticator indicates in EAPOL-Key msg 1/4, there is not much point in trying to trigger full EAP authentication by sending EAPOL-Start since this sequence was immediately after such full authentication attempt. There are known examples of authentication servers with incorrect MSK derivation when TLS v1.2 is used (e.g., FreeRADIUS 2.2.6 or 3.0.7 when built with OpenSSL 1.0.2). Write a clear debug log entry and also send it to control interface monitors when it looks likely that this case has been hit. After doing that, stop the connection attempt by disassociating instead of trying to send out EAPOL-Start to trigger new EAP authentication round (such another try can be tried with a new association). Signed-off-by: Jouni Malinen <j@w1.fi>
2015-07-08 19:48:18 +02:00
} else if (sa && !sm->cur_pmksa && pmkid) {
/*
* It looks like the authentication server
* derived mismatching MSK. This should not
* really happen, but bugs happen.. There is not
* much we can do here without knowing what
* exactly caused the server to misbehave.
*/
Use wpa_msg() for the "RSN: PMKID mismatch" message This message is sent at MSG_INFO level and it is supposed to go out even even debug messages were to be removed from the build. As such, use wpa_msg() instead of wpa_dbg() for it. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-22 10:22:19 +01:00
wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
RSN: Stop connection attempt on apparent PMK mismatch If WPA2-Enterprise connection with full EAP authentication (i.e., no PMKSA caching used) results in a PMKID that does not match the one the AP/Authenticator indicates in EAPOL-Key msg 1/4, there is not much point in trying to trigger full EAP authentication by sending EAPOL-Start since this sequence was immediately after such full authentication attempt. There are known examples of authentication servers with incorrect MSK derivation when TLS v1.2 is used (e.g., FreeRADIUS 2.2.6 or 3.0.7 when built with OpenSSL 1.0.2). Write a clear debug log entry and also send it to control interface monitors when it looks likely that this case has been hit. After doing that, stop the connection attempt by disassociating instead of trying to send out EAPOL-Start to trigger new EAP authentication round (such another try can be tried with a new association). Signed-off-by: Jouni Malinen <j@w1.fi>
2015-07-08 19:48:18 +02:00
"RSN: PMKID mismatch - authentication server may have derived different MSK?!");
return -1;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
}
PMKSA: Set cur_pmksa pointer during initial association cur_pmksa was left to NULL during the initial association. This can result in unexpected behavior, e.g., in expiring PMKSA cache entries since the current entry is not locked in that case. Fix this by updated cur_pmksa when adding the initial PMKSA entry during msg 1/4 processing. Signed-hostap: Jouni Malinen <j@w1.fi> intended-for: hostap-1
2012-08-10 17:05:03 +02:00
if (!sm->cur_pmksa)
sm->cur_pmksa = sa;
FT: Allow 4-way handshake for PTK rekeying to continue without PMK/PMKID There is no PMK/PMKID when going through 4-way handshake during an association started with FT protocol, so need to allow the operation to proceed even if there is no selected PMKSA cache entry in place. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-18 23:17:52 +02:00
#ifdef CONFIG_IEEE80211R
} else if (wpa_key_mgmt_ft(sm->key_mgmt) && sm->ft_protocol) {
wpa_printf(MSG_DEBUG,
"FT: Continue 4-way handshake without PMK/PMKID for association using FT protocol");
#endif /* CONFIG_IEEE80211R */
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
} else {
Added a separate ctx pointer for wpa_msg() calls in WPA supp This is needed to allow IBSS RSN to use per-peer context while maintaining support for wpa_msg() calls to get *wpa_s as the pointer.
2009-01-17 16:54:40 +01:00
wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
"WPA: Failed to get master session key from "
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
"EAPOL state machines - key handshake "
"aborted");
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
if (sm->cur_pmksa) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
"RSN: Cancelled PMKSA caching "
"attempt");
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
sm->cur_pmksa = NULL;
abort_cached = 1;
Fixed canceling of PMKSA caching with driver generated RSN IE It looks like some Windows NDIS drivers (e.g., Intel) do not clear the PMKID list even when wpa_supplicant explicitly sets the list to be empty. In such a case, the driver ends up trying to use PMKSA caching with the AP and wpa_supplicant may not have the PMK that would be needed to complete 4-way handshake. RSN processing already had some code for aborting PMKSA caching by sending EAPOL-Start. However, this was not triggered in this particular case where the driver generates the RSN IE. With this change, this case is included, too, and the failed PMKSA caching attempt is cleanly canceled and wpa_supplicant can fall back to full EAP authentication.
2008-11-21 14:31:25 +01:00
} else if (!abort_cached) {
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
return -1;
}
}
}
FT: Disable PMKSA cache for FT-IEEE8021X wpa_supplicant uses XXKEY instead of PMK to derive PMK-R0 and PMK-R1 for FT-IEEE8021X key mgmt. Signed-off-by: Hong Wu <hong.wu@dspg.com>
2011-07-05 19:49:51 +02:00
if (abort_cached && wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt) &&
Suite B: PMKID derivation for AKM 00-0F-AC:11 The new AKM uses a different mechanism of deriving the PMKID based on KCK instead of PMK. hostapd was already doing this after the KCK had been derived, but wpa_supplicant functionality needs to be moved from processing of EAPOL-Key frame 1/4 to 3/4 to have the KCK available. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-16 12:22:46 +01:00
!wpa_key_mgmt_suite_b(sm->key_mgmt) &&
HS 2.0R2 AP: Add OSEN implementation Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-07-23 20:25:21 +02:00
!wpa_key_mgmt_ft(sm->key_mgmt) && sm->key_mgmt != WPA_KEY_MGMT_OSEN)
{
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
/* Send EAPOL-Start to trigger full EAP authentication. */
u8 *buf;
size_t buflen;
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
"RSN: no PMKSA entry found - trigger "
"full EAP authentication");
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
buf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_START,
NULL, 0, &buflen, NULL);
if (buf) {
Fix full EAP authentication after PMKSA cache add failure Need to get EAP state machine into a state where it is willing to proceed with a new EAP-Request/Identity if PMKSA cache addition fails after a successful EAP authentication before the initial 4-way handshake can be completed. Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-20 12:36:55 +01:00
/* Set and reset eapFail to allow EAP state machine to
* proceed with new authentication. */
eapol_sm_notify_eap_fail(sm->eapol, true);
eapol_sm_notify_eap_fail(sm->eapol, false);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
wpa_sm_ether_send(sm, sm->bssid, ETH_P_EAPOL,
buf, buflen);
os_free(buf);
Fix fallback from failed PMKSA caching into full EAP authentication Commit 83935317a78fb4157eb6e5134527b9311dbf7b8c added forced disconnection in case of 4-way handshake failures. However, it should not have changed the case where the supplicant is requesting fallback to full EAP authentication if the PMKID in EAPOL-Key message 1/4 is not know. This case needs to send an EAPOL-Start frame instead of EAPOL-Key message 2/4. This works around a problem with APs that try to force PMKSA caching even when the client does not include PMKID in (re)association request frame to request it. [Bug 355]
2010-05-01 16:35:28 +02:00
return -2;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
}
return -1;
}
return 0;
}
/**
* wpa_supplicant_send_2_of_4 - Send message 2 of WPA/RSN 4-Way Handshake
* @sm: Pointer to WPA state machine data from wpa_sm_init()
* @dst: Destination address for the frame
* @key: Pointer to the EAPOL-Key frame header
* @ver: Version bits from EAPOL-Key Key Info
* @nonce: Nonce value for the EAPOL-Key frame
* @wpa_ie: WPA/RSN IE
* @wpa_ie_len: Length of the WPA/RSN IE
* @ptk: PTK to use for keyed hash and encryption
RSN: Check result of EAPOL-Key frame send request Provide information on whether EAPOL-Key frame was sent successfully to kernel for transmittion. wpa_eapol_key_send() will return >= 0 on success and < 0 on failure. After receiving EAPOL-Key msg 3/4, wpa_supplicant sends EAPOL-Key msg 4/4 and shows CTRL-EVENT-CONNECTED only after verifying that the msg 4/4 was sent to kernel for transmission successfully. Signed-off-by: Avichal Agarwal <avichal.a@samsung.com> Signed-off-by: Kyeong-Chae Lim <kcya.lim@samsung.com>
2015-10-27 07:47:15 +01:00
* Returns: >= 0 on success, < 0 on failure
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
*/
int wpa_supplicant_send_2_of_4(struct wpa_sm *sm, const unsigned char *dst,
const struct wpa_eapol_key *key,
int ver, const u8 *nonce,
const u8 *wpa_ie, size_t wpa_ie_len,
struct wpa_ptk *ptk)
{
Add Suite B 192-bit AKM WPA-EAP-SUITE-B-192 can now be used to select 192-bit level Suite B into use as the key management method. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-25 22:32:01 +01:00
size_t mic_len, hdrlen, rlen;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
struct wpa_eapol_key *reply;
Add Suite B 192-bit AKM WPA-EAP-SUITE-B-192 can now be used to select 192-bit level Suite B into use as the key management method. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-25 22:32:01 +01:00
u8 *rbuf, *key_mic;
FT: Fix FT 4-Way Handshake to include PMKR1Name in messages 2 and 3 IEEE Std 802.11r-2008, 11A.4.2 describes FT initial mobility domain association in an RSN to include PMKR1Name in the PMKID-List field in RSN IE in messages 2/4 and 3/4. This makes the RSN IE not be bitwise identical with the values used in Beacon, Probe Response, (Re)association Request frames. The previous versions of wpa_supplicant and hostapd did not add the PMKR1Name value in EAPOL-Key frame and did not accept it if added (due to bitwise comparison of RSN IEs). This commit fixes the implementation to be compliant with the standard by adding the PMKR1Name value into EAPOL-Key messages during FT 4-Way Handshake and by verifying that the received value matches with the value derived locally. This breaks interoperability with previous wpa_supplicant/hostapd versions.
2010-04-07 20:04:13 +02:00
u8 *rsn_ie_buf = NULL;
FILS: Set EAPOL-Key Key Info MIC=0 when using AEAD cipher (supplicant) Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-02 23:29:54 +02:00
u16 key_info;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
if (wpa_ie == NULL) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: No wpa_ie set - "
"cannot generate msg 2/4");
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
return -1;
}
FT: Fix FT 4-Way Handshake to include PMKR1Name in messages 2 and 3 IEEE Std 802.11r-2008, 11A.4.2 describes FT initial mobility domain association in an RSN to include PMKR1Name in the PMKID-List field in RSN IE in messages 2/4 and 3/4. This makes the RSN IE not be bitwise identical with the values used in Beacon, Probe Response, (Re)association Request frames. The previous versions of wpa_supplicant and hostapd did not add the PMKR1Name value in EAPOL-Key frame and did not accept it if added (due to bitwise comparison of RSN IEs). This commit fixes the implementation to be compliant with the standard by adding the PMKR1Name value into EAPOL-Key messages during FT 4-Way Handshake and by verifying that the received value matches with the value derived locally. This breaks interoperability with previous wpa_supplicant/hostapd versions.
2010-04-07 20:04:13 +02:00
#ifdef CONFIG_IEEE80211R
if (wpa_key_mgmt_ft(sm->key_mgmt)) {
int res;
FT: More debug prints for RSNE modification for EAPOL-Key msg 2/4 This buffer was getting corrupted, so add more details to make it clearer what causes the corruption should this type of regression show up again. Signed-off-by: Jouni Malinen <j@w1.fi>
2019-12-24 17:57:33 +01:00
wpa_hexdump(MSG_DEBUG, "WPA: WPA IE before FT processing",
wpa_ie, wpa_ie_len);
FT: Copy MDIE and FTIE from (Re)Association Response into EAPOL-Key 2/4 IEEE Std 802.11r-2008 requires that the message 2 includes FTIE and MDIE from the AP's (Re)Association Response frame in the Key Data field.
2010-04-10 15:48:40 +02:00
/*
* Add PMKR1Name into RSN IE (PMKID-List) and add MDIE and
* FTIE from (Re)Association Response.
*/
rsn_ie_buf = os_malloc(wpa_ie_len + 2 + 2 + PMKID_LEN +
sm->assoc_resp_ies_len);
FT: Fix FT 4-Way Handshake to include PMKR1Name in messages 2 and 3 IEEE Std 802.11r-2008, 11A.4.2 describes FT initial mobility domain association in an RSN to include PMKR1Name in the PMKID-List field in RSN IE in messages 2/4 and 3/4. This makes the RSN IE not be bitwise identical with the values used in Beacon, Probe Response, (Re)association Request frames. The previous versions of wpa_supplicant and hostapd did not add the PMKR1Name value in EAPOL-Key frame and did not accept it if added (due to bitwise comparison of RSN IEs). This commit fixes the implementation to be compliant with the standard by adding the PMKR1Name value into EAPOL-Key messages during FT 4-Way Handshake and by verifying that the received value matches with the value derived locally. This breaks interoperability with previous wpa_supplicant/hostapd versions.
2010-04-07 20:04:13 +02:00
if (rsn_ie_buf == NULL)
return -1;
os_memcpy(rsn_ie_buf, wpa_ie, wpa_ie_len);
FT: Fix FTIE generation for 4-way handshake after FT protocol run wpa_insert_pmkid() did not support cases where the original RSN IE included any PMKIDs. That case can happen when PTK rekeying through 4-way handshake is used after FT protocol run. Such a 4-way handshake used to fail with wpa_supplicant being unable to build the EAPOL-Key msg 2/4. Fix this by extending wpa_insert_pmkid() to support removal of the old PMKIDs, if needed. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-09 23:06:06 +01:00
res = wpa_insert_pmkid(rsn_ie_buf, &wpa_ie_len,
FT: Fix FT 4-Way Handshake to include PMKR1Name in messages 2 and 3 IEEE Std 802.11r-2008, 11A.4.2 describes FT initial mobility domain association in an RSN to include PMKR1Name in the PMKID-List field in RSN IE in messages 2/4 and 3/4. This makes the RSN IE not be bitwise identical with the values used in Beacon, Probe Response, (Re)association Request frames. The previous versions of wpa_supplicant and hostapd did not add the PMKR1Name value in EAPOL-Key frame and did not accept it if added (due to bitwise comparison of RSN IEs). This commit fixes the implementation to be compliant with the standard by adding the PMKR1Name value into EAPOL-Key messages during FT 4-Way Handshake and by verifying that the received value matches with the value derived locally. This breaks interoperability with previous wpa_supplicant/hostapd versions.
2010-04-07 20:04:13 +02:00
sm->pmk_r1_name);
if (res < 0) {
os_free(rsn_ie_buf);
return -1;
}
FT: More debug prints for RSNE modification for EAPOL-Key msg 2/4 This buffer was getting corrupted, so add more details to make it clearer what causes the corruption should this type of regression show up again. Signed-off-by: Jouni Malinen <j@w1.fi>
2019-12-24 17:57:33 +01:00
wpa_hexdump(MSG_DEBUG,
"WPA: WPA IE after PMKID[PMKR1Name] addition into RSNE",
rsn_ie_buf, wpa_ie_len);
FT: Copy MDIE and FTIE from (Re)Association Response into EAPOL-Key 2/4 IEEE Std 802.11r-2008 requires that the message 2 includes FTIE and MDIE from the AP's (Re)Association Response frame in the Key Data field.
2010-04-10 15:48:40 +02:00
if (sm->assoc_resp_ies) {
FT: More debug prints for RSNE modification for EAPOL-Key msg 2/4 This buffer was getting corrupted, so add more details to make it clearer what causes the corruption should this type of regression show up again. Signed-off-by: Jouni Malinen <j@w1.fi>
2019-12-24 17:57:33 +01:00
wpa_hexdump(MSG_DEBUG, "WPA: Add assoc_resp_ies",
sm->assoc_resp_ies,
sm->assoc_resp_ies_len);
FT: Copy MDIE and FTIE from (Re)Association Response into EAPOL-Key 2/4 IEEE Std 802.11r-2008 requires that the message 2 includes FTIE and MDIE from the AP's (Re)Association Response frame in the Key Data field.
2010-04-10 15:48:40 +02:00
os_memcpy(rsn_ie_buf + wpa_ie_len, sm->assoc_resp_ies,
sm->assoc_resp_ies_len);
wpa_ie_len += sm->assoc_resp_ies_len;
}
FT: Fix FT 4-Way Handshake to include PMKR1Name in messages 2 and 3 IEEE Std 802.11r-2008, 11A.4.2 describes FT initial mobility domain association in an RSN to include PMKR1Name in the PMKID-List field in RSN IE in messages 2/4 and 3/4. This makes the RSN IE not be bitwise identical with the values used in Beacon, Probe Response, (Re)association Request frames. The previous versions of wpa_supplicant and hostapd did not add the PMKR1Name value in EAPOL-Key frame and did not accept it if added (due to bitwise comparison of RSN IEs). This commit fixes the implementation to be compliant with the standard by adding the PMKR1Name value into EAPOL-Key messages during FT 4-Way Handshake and by verifying that the received value matches with the value derived locally. This breaks interoperability with previous wpa_supplicant/hostapd versions.
2010-04-07 20:04:13 +02:00
wpa_ie = rsn_ie_buf;
}
#endif /* CONFIG_IEEE80211R */
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
wpa_hexdump(MSG_DEBUG, "WPA: WPA IE for msg 2/4", wpa_ie, wpa_ie_len);
DPP: Add new AKM This new AKM is used with DPP when using the signed Connector to derive a PMK. Since the KCK, KEK, and MIC lengths are variable within a single AKM, this needs number of additional changes to get the PMK length delivered to places that need to figure out the lengths of the PTK components. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-17 22:48:52 +02:00
mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
Make struct wpa_eapol_key easier to use with variable length MIC Suite B 192-bit addition from IEEE Std 802.11ac-2013 replaced the previous fixed length Key MIC field with a variable length field. That change was addressed with an addition of a new struct defined for the second MIC length. This is not really scalable and with FILS coming up with a zero-length MIC case for AEAD, a more thorough change to support variable length MIC is needed. Remove the Key MIC and Key Data Length fields from the struct wpa_eapol_key and find their location based on the MIC length information (which is determined by the AKMP). This change allows the separate struct wpa_eapol_key_192 to be removed since struct wpa_eapol_key will now include only the fixed length fields that are shared with all EAPOL-Key cases in IEEE Std 802.11. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-02 21:55:03 +02:00
hdrlen = sizeof(*reply) + mic_len + 2;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY,
Add Suite B 192-bit AKM WPA-EAP-SUITE-B-192 can now be used to select 192-bit level Suite B into use as the key management method. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-25 22:32:01 +01:00
NULL, hdrlen + wpa_ie_len,
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
&rlen, (void *) &reply);
FT: Fix FT 4-Way Handshake to include PMKR1Name in messages 2 and 3 IEEE Std 802.11r-2008, 11A.4.2 describes FT initial mobility domain association in an RSN to include PMKR1Name in the PMKID-List field in RSN IE in messages 2/4 and 3/4. This makes the RSN IE not be bitwise identical with the values used in Beacon, Probe Response, (Re)association Request frames. The previous versions of wpa_supplicant and hostapd did not add the PMKR1Name value in EAPOL-Key frame and did not accept it if added (due to bitwise comparison of RSN IEs). This commit fixes the implementation to be compliant with the standard by adding the PMKR1Name value into EAPOL-Key messages during FT 4-Way Handshake and by verifying that the received value matches with the value derived locally. This breaks interoperability with previous wpa_supplicant/hostapd versions.
2010-04-07 20:04:13 +02:00
if (rbuf == NULL) {
os_free(rsn_ie_buf);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
return -1;
FT: Fix FT 4-Way Handshake to include PMKR1Name in messages 2 and 3 IEEE Std 802.11r-2008, 11A.4.2 describes FT initial mobility domain association in an RSN to include PMKR1Name in the PMKID-List field in RSN IE in messages 2/4 and 3/4. This makes the RSN IE not be bitwise identical with the values used in Beacon, Probe Response, (Re)association Request frames. The previous versions of wpa_supplicant and hostapd did not add the PMKR1Name value in EAPOL-Key frame and did not accept it if added (due to bitwise comparison of RSN IEs). This commit fixes the implementation to be compliant with the standard by adding the PMKR1Name value into EAPOL-Key messages during FT 4-Way Handshake and by verifying that the received value matches with the value derived locally. This breaks interoperability with previous wpa_supplicant/hostapd versions.
2010-04-07 20:04:13 +02:00
}
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
HS 2.0R2 AP: Add OSEN implementation Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-07-23 20:25:21 +02:00
reply->type = (sm->proto == WPA_PROTO_RSN ||
sm->proto == WPA_PROTO_OSEN) ?
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
FILS: Set EAPOL-Key Key Info MIC=0 when using AEAD cipher (supplicant) Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-02 23:29:54 +02:00
key_info = ver | WPA_KEY_INFO_KEY_TYPE;
if (mic_len)
key_info |= WPA_KEY_INFO_MIC;
FILS: Use AEAD cipher to protect EAPOL-Key frames (STA) This modifies wpa_eapol_key_send() to use AEAD cipher (AES-SIV for FILS AKMs) to provide both integrity protection for the EAPOL-Key frame and encryption for the Key Data field. It should be noted that this starts encrypting the Key Data field in EAPOL-Key message 2/4 while it remains unencrypted (but integrity protected) in non-FILS cases. Similarly, the empty Key Data field in EAPOL-Key message 4/4 gets encrypted for AEAD cases. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-03 11:34:23 +02:00
else
key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
FILS: Set EAPOL-Key Key Info MIC=0 when using AEAD cipher (supplicant) Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-02 23:29:54 +02:00
WPA_PUT_BE16(reply->key_info, key_info);
HS 2.0R2 AP: Add OSEN implementation Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-07-23 20:25:21 +02:00
if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN)
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
WPA_PUT_BE16(reply->key_length, 0);
else
os_memcpy(reply->key_length, key->key_length, 2);
os_memcpy(reply->replay_counter, key->replay_counter,
WPA_REPLAY_COUNTER_LEN);
WPA: Add more info for EAPOL-Key Nonce/MIC debugging
2011-01-15 15:57:08 +01:00
wpa_hexdump(MSG_DEBUG, "WPA: Replay Counter", reply->replay_counter,
WPA_REPLAY_COUNTER_LEN);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
Make struct wpa_eapol_key easier to use with variable length MIC Suite B 192-bit addition from IEEE Std 802.11ac-2013 replaced the previous fixed length Key MIC field with a variable length field. That change was addressed with an addition of a new struct defined for the second MIC length. This is not really scalable and with FILS coming up with a zero-length MIC case for AEAD, a more thorough change to support variable length MIC is needed. Remove the Key MIC and Key Data Length fields from the struct wpa_eapol_key and find their location based on the MIC length information (which is determined by the AKMP). This change allows the separate struct wpa_eapol_key_192 to be removed since struct wpa_eapol_key will now include only the fixed length fields that are shared with all EAPOL-Key cases in IEEE Std 802.11. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-02 21:55:03 +02:00
key_mic = (u8 *) (reply + 1);
WPA_PUT_BE16(key_mic + mic_len, wpa_ie_len); /* Key Data Length */
os_memcpy(key_mic + mic_len + 2, wpa_ie, wpa_ie_len); /* Key Data */
FT: Fix FT 4-Way Handshake to include PMKR1Name in messages 2 and 3 IEEE Std 802.11r-2008, 11A.4.2 describes FT initial mobility domain association in an RSN to include PMKR1Name in the PMKID-List field in RSN IE in messages 2/4 and 3/4. This makes the RSN IE not be bitwise identical with the values used in Beacon, Probe Response, (Re)association Request frames. The previous versions of wpa_supplicant and hostapd did not add the PMKR1Name value in EAPOL-Key frame and did not accept it if added (due to bitwise comparison of RSN IEs). This commit fixes the implementation to be compliant with the standard by adding the PMKR1Name value into EAPOL-Key messages during FT 4-Way Handshake and by verifying that the received value matches with the value derived locally. This breaks interoperability with previous wpa_supplicant/hostapd versions.
2010-04-07 20:04:13 +02:00
os_free(rsn_ie_buf);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
os_memcpy(reply->key_nonce, nonce, WPA_NONCE_LEN);
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Sending EAPOL-Key 2/4");
RSN: Pass full PTK to wpa_eapol_key_send() instead of KCK only This will be needed to be able to implement AEAD cipher support from FILS that will need to use KEK to protect the frame. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-03 11:31:55 +02:00
return wpa_eapol_key_send(sm, ptk, ver, dst, ETH_P_EAPOL, rbuf, rlen,
key_mic);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
}
static int wpa_derive_ptk(struct wpa_sm *sm, const unsigned char *src_addr,
Preparations for variable length KCK and KEK This modifies struct wpa_ptk to allow the length of KCK and KEK to be stored. This is needed to allow longer keys to be used, e.g., with Suite B 192-bit level. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-25 15:49:18 +01:00
const struct wpa_eapol_key *key, struct wpa_ptk *ptk)
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
{
DPP2: PFS for PTK derivation Use Diffie-Hellman key exchange to derivate additional material for PMK-to-PTK derivation to get PFS. The Diffie-Hellman Parameter element (defined in OWE RFC 8110) is used in association frames to exchange the DH public keys. For backwards compatibility, ignore missing request/response DH parameter and fall back to no PFS in such cases. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-17 22:51:53 +01:00
const u8 *z = NULL;
WPA: Support deriving KDK based on capabilities Derive the KDK as part of PMK to PTK derivation if forced by configuration or in case both the local station and the AP declare support for secure LTF. Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2020-12-16 12:01:39 +01:00
size_t z_len = 0, kdk_len;
OWE: PTK derivation workaround in STA mode Initial OWE implementation used SHA256 when deriving the PTK for all OWE groups. This was supposed to change to SHA384 for group 20 and SHA512 for group 21. The new owe_ptk_workaround=1 network parameter can be used to enable older behavior mainly for testing purposes. There is no impact to group 19 behavior, but if enabled, this will make group 20 and 21 cases use SHA256-based PTK derivation which will not work with the updated OWE implementation on the AP side. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-01-23 21:46:51 +01:00
int akmp;
DPP2: PFS for PTK derivation Use Diffie-Hellman key exchange to derivate additional material for PMK-to-PTK derivation to get PFS. The Diffie-Hellman Parameter element (defined in OWE RFC 8110) is used in association frames to exchange the DH public keys. For backwards compatibility, ignore missing request/response DH parameter and fall back to no PFS in such cases. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-17 22:51:53 +01:00
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
#ifdef CONFIG_IEEE80211R
Added support for using SHA256-based stronger key derivation for WPA2 IEEE 802.11w/D6.0 defines new AKMPs to indicate SHA256-based algorithms for key derivation (and AES-CMAC for EAPOL-Key MIC). Add support for using new AKMPs and clean up AKMP processing with helper functions in defs.h.
2008-08-31 21:57:28 +02:00
if (wpa_key_mgmt_ft(sm->key_mgmt))
Preparations for variable length KCK and KEK This modifies struct wpa_ptk to allow the length of KCK and KEK to be stored. This is needed to allow longer keys to be used, e.g., with Suite B 192-bit level. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-25 15:49:18 +01:00
return wpa_derive_ptk_ft(sm, src_addr, key, ptk);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
#endif /* CONFIG_IEEE80211R */
DPP2: PFS for PTK derivation Use Diffie-Hellman key exchange to derivate additional material for PMK-to-PTK derivation to get PFS. The Diffie-Hellman Parameter element (defined in OWE RFC 8110) is used in association frames to exchange the DH public keys. For backwards compatibility, ignore missing request/response DH parameter and fall back to no PFS in such cases. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-17 22:51:53 +01:00
#ifdef CONFIG_DPP2
if (sm->key_mgmt == WPA_KEY_MGMT_DPP && sm->dpp_z) {
z = wpabuf_head(sm->dpp_z);
z_len = wpabuf_len(sm->dpp_z);
}
#endif /* CONFIG_DPP2 */
OWE: PTK derivation workaround in STA mode Initial OWE implementation used SHA256 when deriving the PTK for all OWE groups. This was supposed to change to SHA384 for group 20 and SHA512 for group 21. The new owe_ptk_workaround=1 network parameter can be used to enable older behavior mainly for testing purposes. There is no impact to group 19 behavior, but if enabled, this will make group 20 and 21 cases use SHA256-based PTK derivation which will not work with the updated OWE implementation on the AP side. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-01-23 21:46:51 +01:00
akmp = sm->key_mgmt;
#ifdef CONFIG_OWE
if (sm->owe_ptk_workaround && akmp == WPA_KEY_MGMT_OWE &&
sm->pmk_len > 32) {
wpa_printf(MSG_DEBUG,
"OWE: Force SHA256 for PTK derivation");
OWE: Fix PTK derivation workaround for interoperability The initial implementation of the PTK derivation workaround for interoperability with older OWE implementations forced WPA_KEY_MGMT_PSK_SHA256 to be used for all of PTK derivation. While that is needed for selecting which hash algorithm to use, this was also changing the length of the PTK components and by doing so, did not actually address the backwards compatibility issue. Fix this by forcing SHA256 as the hash algorithm in PTK derivation without changing the PTK length calculation for OWE when owe_ptk_workaround is enabled. Fixes: 65a44e849af9 ("OWE: PTK derivation workaround in AP mode") Fixes: 8b138d28264e ("OWE: PTK derivation workaround in STA mode") Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-05 12:20:38 +01:00
akmp |= WPA_KEY_MGMT_PSK_SHA256;
OWE: PTK derivation workaround in STA mode Initial OWE implementation used SHA256 when deriving the PTK for all OWE groups. This was supposed to change to SHA384 for group 20 and SHA512 for group 21. The new owe_ptk_workaround=1 network parameter can be used to enable older behavior mainly for testing purposes. There is no impact to group 19 behavior, but if enabled, this will make group 20 and 21 cases use SHA256-based PTK derivation which will not work with the updated OWE implementation on the AP side. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-01-23 21:46:51 +01:00
}
#endif /* CONFIG_OWE */
WPA: Support deriving KDK based on capabilities Derive the KDK as part of PMK to PTK derivation if forced by configuration or in case both the local station and the AP declare support for secure LTF. Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2020-12-16 12:01:39 +01:00
if (sm->force_kdk_derivation ||
Add helper functions for parsing RSNXE capabilities Simplify the implementation by using shared functions for parsing the capabilities instead of using various similar but not exactly identical checks throughout the implementation. Signed-off-by: Jouni Malinen <j@w1.fi>
2021-04-10 11:43:38 +02:00
(sm->secure_ltf &&
ieee802_11_rsnx_capab(sm->ap_rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF)))
WPA: Support deriving KDK based on capabilities Derive the KDK as part of PMK to PTK derivation if forced by configuration or in case both the local station and the AP declare support for secure LTF. Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2020-12-16 12:01:39 +01:00
kdk_len = WPA_KDK_MAX_LEN;
else
kdk_len = 0;
Preparations for variable length KCK and KEK This modifies struct wpa_ptk to allow the length of KCK and KEK to be stored. This is needed to allow longer keys to be used, e.g., with Suite B 192-bit level. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-25 15:49:18 +01:00
return wpa_pmk_to_ptk(sm->pmk, sm->pmk_len, "Pairwise key expansion",
sm->own_addr, sm->bssid, sm->snonce,
OWE: PTK derivation workaround in STA mode Initial OWE implementation used SHA256 when deriving the PTK for all OWE groups. This was supposed to change to SHA384 for group 20 and SHA512 for group 21. The new owe_ptk_workaround=1 network parameter can be used to enable older behavior mainly for testing purposes. There is no impact to group 19 behavior, but if enabled, this will make group 20 and 21 cases use SHA256-based PTK derivation which will not work with the updated OWE implementation on the AP side. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-01-23 21:46:51 +01:00
key->key_nonce, ptk, akmp,
WPA: Extend the wpa_pmk_to_ptk() function to also derive KDK Extend the wpa_pmk_to_ptk() to also derive Key Derivation Key (KDK), which can later be used for secure LTF measurements. Update the wpa_supplicant and hostapd configuration and the corresponding WPA and WPA Auth state machine, to allow enabling of KDK derivation. For now, use a testing parameter to control whether KDK is derived. Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2020-12-16 12:00:17 +01:00
sm->pairwise_cipher, z, z_len,
WPA: Support deriving KDK based on capabilities Derive the KDK as part of PMK to PTK derivation if forced by configuration or in case both the local station and the AP declare support for secure LTF. Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2020-12-16 12:01:39 +01:00
kdk_len);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
}
STA: Support Extended Key ID Support Extended Key ID in wpa_supplicant according to IEEE Std 802.11-2016 for infrastructure (AP) associations. Extended Key ID allows to rekey pairwise keys without the otherwise unavoidable MPDU losses on a busy link. The standard is fully backward compatible, allowing STAs to also connect to APs not supporting it. Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-20 20:04:32 +01:00
static int wpa_handle_ext_key_id(struct wpa_sm *sm,
struct wpa_eapol_ie_parse *kde)
{
if (sm->ext_key_id) {
u16 key_id;
if (!kde->key_id) {
wpa_msg(sm->ctx->msg_ctx,
sm->use_ext_key_id ? MSG_INFO : MSG_DEBUG,
"RSN: No Key ID in Extended Key ID handshake");
sm->keyidx_active = 0;
return sm->use_ext_key_id ? -1 : 0;
}
key_id = kde->key_id[0] & 0x03;
if (key_id > 1) {
wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
"RSN: Invalid Extended Key ID: %d", key_id);
return -1;
}
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
"RSN: Using Extended Key ID %d", key_id);
sm->keyidx_active = key_id;
sm->use_ext_key_id = 1;
} else {
if (kde->key_id && (kde->key_id[0] & 0x03)) {
wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
"RSN: Non-zero Extended Key ID Key ID in PTK0 handshake");
return -1;
}
if (kde->key_id) {
/* This is not supposed to be included here, but ignore
* the case of matching Key ID 0 just in case. */
wpa_msg(sm->ctx->msg_ctx, MSG_DEBUG,
"RSN: Extended Key ID Key ID 0 in PTK0 handshake");
}
sm->keyidx_active = 0;
sm->use_ext_key_id = 0;
}
return 0;
}
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm,
const unsigned char *src_addr,
const struct wpa_eapol_key *key,
Clean up EAPOL-Key Key Data processing Use a single location in wpa_sm_rx_eapol() for preparing the pointer to the Key Data field and to its validated length instead of fetching that information in number of processing functions separately. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-14 18:02:46 +02:00
u16 ver, const u8 *key_data,
size_t key_data_len)
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
{
struct wpa_eapol_ie_parse ie;
struct wpa_ptk *ptk;
Fix fallback from failed PMKSA caching into full EAP authentication Commit 83935317a78fb4157eb6e5134527b9311dbf7b8c added forced disconnection in case of 4-way handshake failures. However, it should not have changed the case where the supplicant is requesting fallback to full EAP authentication if the PMKID in EAPOL-Key message 1/4 is not know. This case needs to send an EAPOL-Start frame instead of EAPOL-Key message 2/4. This works around a problem with APs that try to force PMKSA caching even when the client does not include PMKID in (re)association request frame to request it. [Bug 355]
2010-05-01 16:35:28 +02:00
int res;
P2P: Add support for IP address assignment in 4-way handshake This new mechanism allows P2P Client to request an IPv4 address from the GO as part of the 4-way handshake to avoid use of DHCP exchange after 4-way handshake. If the new mechanism is used, the assigned IP address is shown in the P2P-GROUP-STARTED event on the client side with following new parameters: ip_addr, ip_mask, go_ip_addr. The assigned IP address is included in the AP-STA-CONNECTED event on the GO side as a new ip_addr parameter. The IP address is valid for the duration of the association. The IP address pool for this new mechanism is configured as global wpa_supplicant configuration file parameters ip_addr_go, ip_addr_mask, ip_addr_star, ip_addr_end. For example: ip_addr_go=192.168.42.1 ip_addr_mask=255.255.255.0 ip_addr_start=192.168.42.2 ip_addr_end=192.168.42.100 DHCP mechanism is expected to be enabled at the same time to support P2P Devices that do not use the new mechanism. The easiest way of managing the IP addresses is by splitting the IP address range into two parts and assign a separate range for wpa_supplicant and DHCP server. Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-03-16 18:13:31 +01:00
u8 *kde, *kde_buf = NULL;
size_t kde_len;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
if (wpa_sm_get_network_ctx(sm) == NULL) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: No SSID info "
"found (msg 1 of 4)");
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
return;
}
STA: Support Extended Key ID Support Extended Key ID in wpa_supplicant according to IEEE Std 802.11-2016 for infrastructure (AP) associations. Extended Key ID allows to rekey pairwise keys without the otherwise unavoidable MPDU losses on a busy link. The standard is fully backward compatible, allowing STAs to also connect to APs not supporting it. Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-20 20:04:32 +01:00
if (sm->wpa_deny_ptk0_rekey && !sm->use_ext_key_id &&
wpa_sm_get_state(sm) == WPA_COMPLETED) {
STA: Allow PTK rekeying without Ext KeyID to be disabled as a workaround Rekeying a pairwise key using only keyid 0 (PTK0 rekey) has many broken implementations and should be avoided when using or interacting with one. The effects can be triggered by either end of the connection and range from hardly noticeable disconnects over long connection freezes up to leaking clear text MPDUs. To allow affected users to mitigate the issues, add a new configuration option "wpa_deny_ptk0_rekey" to replace all PTK0 rekeys with fast reconnects. Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-01-10 23:19:09 +01:00
wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
"WPA: PTK0 rekey not allowed, reconnecting");
wpa_sm_reconnect(sm);
return;
}
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE);
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: RX message 1 of 4-Way "
"Handshake from " MACSTR " (ver=%d)", MAC2STR(src_addr), ver);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
os_memset(&ie, 0, sizeof(ie));
HS 2.0R2 AP: Add OSEN implementation Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-07-23 20:25:21 +02:00
if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) {
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
/* RSN: msg 1/4 should contain PMKID for the selected PMK */
Clean up EAPOL-Key Key Data processing Use a single location in wpa_sm_rx_eapol() for preparing the pointer to the Key Data field and to its validated length instead of fetching that information in number of processing functions separately. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-14 18:02:46 +02:00
wpa_hexdump(MSG_DEBUG, "RSN: msg 1/4 key data",
key_data, key_data_len);
if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0)
Check wpa_supplicant_parse_ies() return value more consistently Reject messages that fail to be parsed instead of trying to use partially parsed information. Signed-hostap: Jouni Malinen <j@w1.fi>
2011-12-04 15:40:06 +01:00
goto failed;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
if (ie.pmkid) {
wpa_hexdump(MSG_DEBUG, "RSN: PMKID from "
"Authenticator", ie.pmkid, PMKID_LEN);
}
}
Fix fallback from failed PMKSA caching into full EAP authentication Commit 83935317a78fb4157eb6e5134527b9311dbf7b8c added forced disconnection in case of 4-way handshake failures. However, it should not have changed the case where the supplicant is requesting fallback to full EAP authentication if the PMKID in EAPOL-Key message 1/4 is not know. This case needs to send an EAPOL-Start frame instead of EAPOL-Key message 2/4. This works around a problem with APs that try to force PMKSA caching even when the client does not include PMKID in (re)association request frame to request it. [Bug 355]
2010-05-01 16:35:28 +02:00
res = wpa_supplicant_get_pmk(sm, src_addr, ie.pmkid);
if (res == -2) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "RSN: Do not reply to "
"msg 1/4 - requesting full EAP authentication");
Fix fallback from failed PMKSA caching into full EAP authentication Commit 83935317a78fb4157eb6e5134527b9311dbf7b8c added forced disconnection in case of 4-way handshake failures. However, it should not have changed the case where the supplicant is requesting fallback to full EAP authentication if the PMKID in EAPOL-Key message 1/4 is not know. This case needs to send an EAPOL-Start frame instead of EAPOL-Key message 2/4. This works around a problem with APs that try to force PMKSA caching even when the client does not include PMKID in (re)association request frame to request it. [Bug 355]
2010-05-01 16:35:28 +02:00
return;
}
if (res)
Disconnect if 4-way handshake processing fails There is no point in trying to continue if a 4-way handshake frame is discarded or if PTK/GTK/IGTK configuration fails. Force the client to disconnect in such a case to avoid confusing user by claiming the connection was successfully completed.
2009-04-20 10:35:21 +02:00
goto failed;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
if (sm->renew_snonce) {
Annotate places depending on strong random numbers This commit adds a new wrapper, random_get_bytes(), that is currently defined to use os_get_random() as is. The places using random_get_bytes() depend on the returned value being strong random number, i.e., something that is infeasible for external device to figure out. These values are used either directly as a key or as nonces/challenges that are used as input for key derivation or authentication. The remaining direct uses of os_get_random() do not need as strong random numbers to function correctly.
2010-11-24 00:05:20 +01:00
if (random_get_bytes(sm->snonce, WPA_NONCE_LEN)) {
Added a separate ctx pointer for wpa_msg() calls in WPA supp This is needed to allow IBSS RSN to use per-peer context while maintaining support for wpa_msg() calls to get *wpa_s as the pointer.
2009-01-17 16:54:40 +01:00
wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
"WPA: Failed to get random data for SNonce");
Disconnect if 4-way handshake processing fails There is no point in trying to continue if a 4-way handshake frame is discarded or if PTK/GTK/IGTK configuration fails. Force the client to disconnect in such a case to avoid confusing user by claiming the connection was successfully completed.
2009-04-20 10:35:21 +02:00
goto failed;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
}
sm->renew_snonce = 0;
wpa_hexdump(MSG_DEBUG, "WPA: Renewed SNonce",
sm->snonce, WPA_NONCE_LEN);
}
/* Calculate PTK which will be stored as a temporary PTK until it has
* been verified when processing message 3/4. */
ptk = &sm->tptk;
Clear PMK length and check for this when deriving PTK Instead of setting the default PMK length for the cleared PMK, set the length to 0 and explicitly check for this when deriving PTK to avoid unexpected key derivation with an all-zeroes key should it be possible to somehow trigger PTK derivation to happen before PMK derivation. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-10-08 12:18:02 +02:00
if (wpa_derive_ptk(sm, src_addr, key, ptk) < 0)
goto failed;
Fix PTK derivation for CCMP-256 and GCMP-256 Incorrect PTK length was used in PMK-to-PTK derivation and the Michael MIC TX/RX key swapping code was incorrectly executed for these ciphers on supplicant side. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-11 14:00:09 +01:00
if (sm->pairwise_cipher == WPA_CIPHER_TKIP) {
Reduce the amount of time PTK/TPTK/GTK is kept in memory Some of the buffers used to keep a copy of PTK/TPTK/GTK in the supplicant implementation maintained a copy of the keys longer than necessary. Clear these buffers to zero when the key is not needed anymore to minimize the amount of time key material is kept in memory. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-04-16 00:27:10 +02:00
u8 buf[8];
Fix PTK derivation for CCMP-256 and GCMP-256 Incorrect PTK length was used in PMK-to-PTK derivation and the Michael MIC TX/RX key swapping code was incorrectly executed for these ciphers on supplicant side. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-11 14:00:09 +01:00
/* Supplicant: swap tx/rx Mic keys */
Preparations for variable length KCK and KEK This modifies struct wpa_ptk to allow the length of KCK and KEK to be stored. This is needed to allow longer keys to be used, e.g., with Suite B 192-bit level. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-25 15:49:18 +01:00
os_memcpy(buf, &ptk->tk[16], 8);
os_memcpy(&ptk->tk[16], &ptk->tk[24], 8);
os_memcpy(&ptk->tk[24], buf, 8);
More forceful clearing of stack memory with keys gcc 8.3.0 was apparently clever enough to optimize away the previously used os_memset() to explicitly clear a stack buffer that contains keys when that clearing happened just before returning from the function. Since memset_s() is not exactly portable (or commonly available yet..), use a less robust mechanism that is still pretty likely to prevent current compilers from optimizing the explicit clearing of the memory away. Signed-off-by: Jouni Malinen <j@w1.fi>
2019-05-25 23:47:17 +02:00
forced_memzero(buf, sizeof(buf));
Fix PTK derivation for CCMP-256 and GCMP-256 Incorrect PTK length was used in PMK-to-PTK derivation and the Michael MIC TX/RX key swapping code was incorrectly executed for these ciphers on supplicant side. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-11 14:00:09 +01:00
}
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
sm->tptk_set = 1;
P2P: Add support for IP address assignment in 4-way handshake This new mechanism allows P2P Client to request an IPv4 address from the GO as part of the 4-way handshake to avoid use of DHCP exchange after 4-way handshake. If the new mechanism is used, the assigned IP address is shown in the P2P-GROUP-STARTED event on the client side with following new parameters: ip_addr, ip_mask, go_ip_addr. The assigned IP address is included in the AP-STA-CONNECTED event on the GO side as a new ip_addr parameter. The IP address is valid for the duration of the association. The IP address pool for this new mechanism is configured as global wpa_supplicant configuration file parameters ip_addr_go, ip_addr_mask, ip_addr_star, ip_addr_end. For example: ip_addr_go=192.168.42.1 ip_addr_mask=255.255.255.0 ip_addr_start=192.168.42.2 ip_addr_end=192.168.42.100 DHCP mechanism is expected to be enabled at the same time to support P2P Devices that do not use the new mechanism. The easiest way of managing the IP addresses is by splitting the IP address range into two parts and assign a separate range for wpa_supplicant and DHCP server. Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-03-16 18:13:31 +01:00
kde = sm->assoc_wpa_ie;
kde_len = sm->assoc_wpa_ie_len;
SAE: Add RSNXE in Association Request and EAPOL-Key msg 2/4 Add the new RSNXE into (Re)Association Request frames and EAPOL-Key msg 2/4 when using SAE with hash-to-element mechanism enabled. This allows the AP to verify that there was no downgrade attack when both PWE derivation mechanisms are enabled. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-17 15:54:05 +02:00
kde_buf = os_malloc(kde_len +
2 + RSN_SELECTOR_LEN + 3 +
sm->assoc_rsnxe_len +
DPP2: Add DPP KDE into EAPOL-Key msg 2/4 when using DPP AKM Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-01 18:53:07 +02:00
2 + RSN_SELECTOR_LEN + 1 +
2 + RSN_SELECTOR_LEN + 2);
SAE: Add RSNXE in Association Request and EAPOL-Key msg 2/4 Add the new RSNXE into (Re)Association Request frames and EAPOL-Key msg 2/4 when using SAE with hash-to-element mechanism enabled. This allows the AP to verify that there was no downgrade attack when both PWE derivation mechanisms are enabled. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-17 15:54:05 +02:00
if (!kde_buf)
goto failed;
os_memcpy(kde_buf, kde, kde_len);
kde = kde_buf;
P2P: Add support for IP address assignment in 4-way handshake This new mechanism allows P2P Client to request an IPv4 address from the GO as part of the 4-way handshake to avoid use of DHCP exchange after 4-way handshake. If the new mechanism is used, the assigned IP address is shown in the P2P-GROUP-STARTED event on the client side with following new parameters: ip_addr, ip_mask, go_ip_addr. The assigned IP address is included in the AP-STA-CONNECTED event on the GO side as a new ip_addr parameter. The IP address is valid for the duration of the association. The IP address pool for this new mechanism is configured as global wpa_supplicant configuration file parameters ip_addr_go, ip_addr_mask, ip_addr_star, ip_addr_end. For example: ip_addr_go=192.168.42.1 ip_addr_mask=255.255.255.0 ip_addr_start=192.168.42.2 ip_addr_end=192.168.42.100 DHCP mechanism is expected to be enabled at the same time to support P2P Devices that do not use the new mechanism. The easiest way of managing the IP addresses is by splitting the IP address range into two parts and assign a separate range for wpa_supplicant and DHCP server. Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-03-16 18:13:31 +01:00
OCV: Insert OCI in 4-way and group key handshake If Operating Channel Verification is negotiated, include the OCI KDE element in EAPOL-Key msg 2/4 and 3/4 of the 4-way handshake and both messages of the group key handshake. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-08-06 21:46:27 +02:00
#ifdef CONFIG_OCV
if (wpa_sm_ocv_enabled(sm)) {
struct wpa_channel_info ci;
u8 *pos;
SAE: Add RSNXE in Association Request and EAPOL-Key msg 2/4 Add the new RSNXE into (Re)Association Request frames and EAPOL-Key msg 2/4 when using SAE with hash-to-element mechanism enabled. This allows the AP to verify that there was no downgrade attack when both PWE derivation mechanisms are enabled. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-17 15:54:05 +02:00
pos = kde + kde_len;
OCV: Insert OCI in 4-way and group key handshake If Operating Channel Verification is negotiated, include the OCI KDE element in EAPOL-Key msg 2/4 and 3/4 of the 4-way handshake and both messages of the group key handshake. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-08-06 21:46:27 +02:00
if (wpa_sm_channel_info(sm, &ci) != 0) {
wpa_printf(MSG_WARNING,
"Failed to get channel info for OCI element in EAPOL-Key 2/4");
goto failed;
}
OCV: Add support to override channel info OCI element (STA) To support the STA testbed role, the STA has to use specified channel information in OCI element sent to the AP in EAPOL-Key msg 2/4, SA Query Request, and SA Query Response frames. Add override parameters to use the specified channel while populating OCI element in all these frames. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-08 19:59:04 +02:00
#ifdef CONFIG_TESTING_OPTIONS
if (sm->oci_freq_override_eapol) {
wpa_printf(MSG_INFO,
"TEST: Override OCI KDE frequency %d -> %d MHz",
ci.frequency, sm->oci_freq_override_eapol);
ci.frequency = sm->oci_freq_override_eapol;
}
#endif /* CONFIG_TESTING_OPTIONS */
OCV: Insert OCI in 4-way and group key handshake If Operating Channel Verification is negotiated, include the OCI KDE element in EAPOL-Key msg 2/4 and 3/4 of the 4-way handshake and both messages of the group key handshake. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-08-06 21:46:27 +02:00
if (ocv_insert_oci_kde(&ci, &pos) < 0)
goto failed;
kde_len = pos - kde;
}
#endif /* CONFIG_OCV */
SAE: Add RSNXE in Association Request and EAPOL-Key msg 2/4 Add the new RSNXE into (Re)Association Request frames and EAPOL-Key msg 2/4 when using SAE with hash-to-element mechanism enabled. This allows the AP to verify that there was no downgrade attack when both PWE derivation mechanisms are enabled. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-17 15:54:05 +02:00
if (sm->assoc_rsnxe && sm->assoc_rsnxe_len) {
os_memcpy(kde + kde_len, sm->assoc_rsnxe, sm->assoc_rsnxe_len);
kde_len += sm->assoc_rsnxe_len;
}
P2P: Add support for IP address assignment in 4-way handshake This new mechanism allows P2P Client to request an IPv4 address from the GO as part of the 4-way handshake to avoid use of DHCP exchange after 4-way handshake. If the new mechanism is used, the assigned IP address is shown in the P2P-GROUP-STARTED event on the client side with following new parameters: ip_addr, ip_mask, go_ip_addr. The assigned IP address is included in the AP-STA-CONNECTED event on the GO side as a new ip_addr parameter. The IP address is valid for the duration of the association. The IP address pool for this new mechanism is configured as global wpa_supplicant configuration file parameters ip_addr_go, ip_addr_mask, ip_addr_star, ip_addr_end. For example: ip_addr_go=192.168.42.1 ip_addr_mask=255.255.255.0 ip_addr_start=192.168.42.2 ip_addr_end=192.168.42.100 DHCP mechanism is expected to be enabled at the same time to support P2P Devices that do not use the new mechanism. The easiest way of managing the IP addresses is by splitting the IP address range into two parts and assign a separate range for wpa_supplicant and DHCP server. Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-03-16 18:13:31 +01:00
#ifdef CONFIG_P2P
if (sm->p2p) {
SAE: Add RSNXE in Association Request and EAPOL-Key msg 2/4 Add the new RSNXE into (Re)Association Request frames and EAPOL-Key msg 2/4 when using SAE with hash-to-element mechanism enabled. This allows the AP to verify that there was no downgrade attack when both PWE derivation mechanisms are enabled. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-17 15:54:05 +02:00
u8 *pos;
wpa_printf(MSG_DEBUG,
"P2P: Add IP Address Request KDE into EAPOL-Key 2/4");
pos = kde + kde_len;
*pos++ = WLAN_EID_VENDOR_SPECIFIC;
*pos++ = RSN_SELECTOR_LEN + 1;
RSN_SELECTOR_PUT(pos, WFA_KEY_DATA_IP_ADDR_REQ);
pos += RSN_SELECTOR_LEN;
*pos++ = 0x01;
kde_len = pos - kde;
P2P: Add support for IP address assignment in 4-way handshake This new mechanism allows P2P Client to request an IPv4 address from the GO as part of the 4-way handshake to avoid use of DHCP exchange after 4-way handshake. If the new mechanism is used, the assigned IP address is shown in the P2P-GROUP-STARTED event on the client side with following new parameters: ip_addr, ip_mask, go_ip_addr. The assigned IP address is included in the AP-STA-CONNECTED event on the GO side as a new ip_addr parameter. The IP address is valid for the duration of the association. The IP address pool for this new mechanism is configured as global wpa_supplicant configuration file parameters ip_addr_go, ip_addr_mask, ip_addr_star, ip_addr_end. For example: ip_addr_go=192.168.42.1 ip_addr_mask=255.255.255.0 ip_addr_start=192.168.42.2 ip_addr_end=192.168.42.100 DHCP mechanism is expected to be enabled at the same time to support P2P Devices that do not use the new mechanism. The easiest way of managing the IP addresses is by splitting the IP address range into two parts and assign a separate range for wpa_supplicant and DHCP server. Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-03-16 18:13:31 +01:00
}
#endif /* CONFIG_P2P */
DPP2: Add DPP KDE into EAPOL-Key msg 2/4 when using DPP AKM Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-01 18:53:07 +02:00
#ifdef CONFIG_DPP2
DPP: Allow version number to be overridden for testing purposes "SET dpp_version_override <ver>" can now be used to request wpa_supplicant and hostapd to support a subset of DPP versions. In practice, the only valid case for now is to fall back from DPP version 2 support to version 1 in builds that include CONFIG_DPP2=y. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-01 20:07:42 +02:00
if (DPP_VERSION > 1 && sm->key_mgmt == WPA_KEY_MGMT_DPP) {
DPP2: Add DPP KDE into EAPOL-Key msg 2/4 when using DPP AKM Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-01 18:53:07 +02:00
u8 *pos;
wpa_printf(MSG_DEBUG, "DPP: Add DPP KDE into EAPOL-Key 2/4");
pos = kde + kde_len;
*pos++ = WLAN_EID_VENDOR_SPECIFIC;
*pos++ = RSN_SELECTOR_LEN + 2;
RSN_SELECTOR_PUT(pos, WFA_KEY_DATA_DPP);
pos += RSN_SELECTOR_LEN;
DPP: Allow version number to be overridden for testing purposes "SET dpp_version_override <ver>" can now be used to request wpa_supplicant and hostapd to support a subset of DPP versions. In practice, the only valid case for now is to fall back from DPP version 2 support to version 1 in builds that include CONFIG_DPP2=y. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-01 20:07:42 +02:00
*pos++ = DPP_VERSION; /* Protocol Version */
DPP2: Add DPP KDE into EAPOL-Key msg 2/4 when using DPP AKM Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-01 18:53:07 +02:00
*pos = 0; /* Flags */
if (sm->dpp_pfs == 0)
*pos |= DPP_KDE_PFS_ALLOWED;
else if (sm->dpp_pfs == 1)
*pos |= DPP_KDE_PFS_ALLOWED | DPP_KDE_PFS_REQUIRED;
pos++;
kde_len = pos - kde;
}
#endif /* CONFIG_DPP2 */
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
if (wpa_supplicant_send_2_of_4(sm, sm->bssid, key, ver, sm->snonce,
RSN: Check result of EAPOL-Key frame send request Provide information on whether EAPOL-Key frame was sent successfully to kernel for transmittion. wpa_eapol_key_send() will return >= 0 on success and < 0 on failure. After receiving EAPOL-Key msg 3/4, wpa_supplicant sends EAPOL-Key msg 4/4 and shows CTRL-EVENT-CONNECTED only after verifying that the msg 4/4 was sent to kernel for transmission successfully. Signed-off-by: Avichal Agarwal <avichal.a@samsung.com> Signed-off-by: Kyeong-Chae Lim <kcya.lim@samsung.com>
2015-10-27 07:47:15 +01:00
kde, kde_len, ptk) < 0)
Disconnect if 4-way handshake processing fails There is no point in trying to continue if a 4-way handshake frame is discarded or if PTK/GTK/IGTK configuration fails. Force the client to disconnect in such a case to avoid confusing user by claiming the connection was successfully completed.
2009-04-20 10:35:21 +02:00
goto failed;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
P2P: Add support for IP address assignment in 4-way handshake This new mechanism allows P2P Client to request an IPv4 address from the GO as part of the 4-way handshake to avoid use of DHCP exchange after 4-way handshake. If the new mechanism is used, the assigned IP address is shown in the P2P-GROUP-STARTED event on the client side with following new parameters: ip_addr, ip_mask, go_ip_addr. The assigned IP address is included in the AP-STA-CONNECTED event on the GO side as a new ip_addr parameter. The IP address is valid for the duration of the association. The IP address pool for this new mechanism is configured as global wpa_supplicant configuration file parameters ip_addr_go, ip_addr_mask, ip_addr_star, ip_addr_end. For example: ip_addr_go=192.168.42.1 ip_addr_mask=255.255.255.0 ip_addr_start=192.168.42.2 ip_addr_end=192.168.42.100 DHCP mechanism is expected to be enabled at the same time to support P2P Devices that do not use the new mechanism. The easiest way of managing the IP addresses is by splitting the IP address range into two parts and assign a separate range for wpa_supplicant and DHCP server. Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-03-16 18:13:31 +01:00
os_free(kde_buf);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
os_memcpy(sm->anonce, key->key_nonce, WPA_NONCE_LEN);
Disconnect if 4-way handshake processing fails There is no point in trying to continue if a 4-way handshake frame is discarded or if PTK/GTK/IGTK configuration fails. Force the client to disconnect in such a case to avoid confusing user by claiming the connection was successfully completed.
2009-04-20 10:35:21 +02:00
return;
failed:
P2P: Add support for IP address assignment in 4-way handshake This new mechanism allows P2P Client to request an IPv4 address from the GO as part of the 4-way handshake to avoid use of DHCP exchange after 4-way handshake. If the new mechanism is used, the assigned IP address is shown in the P2P-GROUP-STARTED event on the client side with following new parameters: ip_addr, ip_mask, go_ip_addr. The assigned IP address is included in the AP-STA-CONNECTED event on the GO side as a new ip_addr parameter. The IP address is valid for the duration of the association. The IP address pool for this new mechanism is configured as global wpa_supplicant configuration file parameters ip_addr_go, ip_addr_mask, ip_addr_star, ip_addr_end. For example: ip_addr_go=192.168.42.1 ip_addr_mask=255.255.255.0 ip_addr_start=192.168.42.2 ip_addr_end=192.168.42.100 DHCP mechanism is expected to be enabled at the same time to support P2P Devices that do not use the new mechanism. The easiest way of managing the IP addresses is by splitting the IP address range into two parts and assign a separate range for wpa_supplicant and DHCP server. Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-03-16 18:13:31 +01:00
os_free(kde_buf);
Disconnect if 4-way handshake processing fails There is no point in trying to continue if a 4-way handshake frame is discarded or if PTK/GTK/IGTK configuration fails. Force the client to disconnect in such a case to avoid confusing user by claiming the connection was successfully completed.
2009-04-20 10:35:21 +02:00
wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
}
static void wpa_sm_start_preauth(void *eloop_ctx, void *timeout_ctx)
{
struct wpa_sm *sm = eloop_ctx;
rsn_preauth_candidate_process(sm);
}
static void wpa_supplicant_key_neg_complete(struct wpa_sm *sm,
const u8 *addr, int secure)
{
Added a separate ctx pointer for wpa_msg() calls in WPA supp This is needed to allow IBSS RSN to use per-peer context while maintaining support for wpa_msg() calls to get *wpa_s as the pointer.
2009-01-17 16:54:40 +01:00
wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
"WPA: Key negotiation completed with "
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
MACSTR " [PTK=%s GTK=%s]", MAC2STR(addr),
wpa_cipher_txt(sm->pairwise_cipher),
wpa_cipher_txt(sm->group_cipher));
wpa_sm_cancel_auth_timeout(sm);
wpa_sm_set_state(sm, WPA_COMPLETED);
if (secure) {
wpa_sm_mlme_setprotection(
sm, addr, MLME_SETPROTECTION_PROTECT_TYPE_RX_TX,
MLME_SETPROTECTION_KEY_TYPE_PAIRWISE);
RSN supp: Convert Boolean to C99 bool Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-24 00:04:24 +02:00
eapol_sm_notify_portValid(sm->eapol, true);
OWE: Define and parse OWE AKM selector This adds a new RSN AKM "OWE". Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-11 23:32:23 +01:00
if (wpa_key_mgmt_wpa_psk(sm->key_mgmt) ||
DPP: Add new AKM This new AKM is used with DPP when using the signed Connector to derive a PMK. Since the KCK, KEK, and MIC lengths are variable within a single AKM, this needs number of additional changes to get the PMK length delivered to places that need to figure out the lengths of the PTK components. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-17 22:48:52 +02:00
sm->key_mgmt == WPA_KEY_MGMT_DPP ||
OWE: Define and parse OWE AKM selector This adds a new RSN AKM "OWE". Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-11 23:32:23 +01:00
sm->key_mgmt == WPA_KEY_MGMT_OWE)
RSN supp: Convert Boolean to C99 bool Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-24 00:04:24 +02:00
eapol_sm_notify_eap_success(sm->eapol, true);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
/*
* Start preauthentication after a short wait to avoid a
* possible race condition between the data receive and key
* configuration after the 4-Way Handshake. This increases the
Fix typos found by codespell Signed-off-by: Pavel Roskin <proski@gnu.org>
2011-09-21 23:43:59 +02:00
* likelihood of the first preauth EAPOL-Start frame getting to
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
* the target AP.
*/
RSN: Do not start preauthentication timer without candidates There is no need to schedule the postponed RSN preauthentication start if there are no candidates. Avoid wasting eloop resources for this. This is most useful for fuzz testing of the 4-way handshake implementation to avoid getting stuck waiting for this unnecessary one second time when using eloop to coordinate the Authenticator and Supplicant state machines. Signed-off-by: Jouni Malinen <j@w1.fi>
2019-02-10 12:41:10 +01:00
if (!dl_list_empty(&sm->pmksa_candidates))
eloop_register_timeout(1, 0, wpa_sm_start_preauth,
sm, NULL);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
}
if (sm->cur_pmksa && sm->cur_pmksa->opportunistic) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
"RSN: Authenticator accepted "
"opportunistic PMKSA entry - marking it valid");
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
sm->cur_pmksa->opportunistic = 0;
}
#ifdef CONFIG_IEEE80211R
Added support for using SHA256-based stronger key derivation for WPA2 IEEE 802.11w/D6.0 defines new AKMPs to indicate SHA256-based algorithms for key derivation (and AES-CMAC for EAPOL-Key MIC). Add support for using new AKMPs and clean up AKMP processing with helper functions in defs.h.
2008-08-31 21:57:28 +02:00
if (wpa_key_mgmt_ft(sm->key_mgmt)) {
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
/* Prepare for the next transition */
FT: Copy FT Capability and Policy to MDIE from target AP This sets the FT Capability and Policy field in the MDIE to the values received from the target AP (if available). This fixes the MDIE contents during FT Protocol, but the correct value may not yet be used in initial mobility domain association.
2010-04-09 15:26:20 +02:00
wpa_ft_prepare_auth_request(sm, NULL);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
}
#endif /* CONFIG_IEEE80211R */
}
Added support for enforcing frequent PTK rekeying Added a new configuration option, wpa_ptk_rekey, that can be used to enforce frequent PTK rekeying, e.g., to mitigate some attacks against TKIP deficiencies. This can be set either by the Authenticator (to initiate periodic 4-way handshake to rekey PTK) or by the Supplicant (to request Authenticator to rekey PTK). With both wpa_ptk_rekey and wpa_group_rekey (in hostapd) set to 600, TKIP keys will not be used for more than 10 minutes which may make some attacks against TKIP more difficult to implement.
2008-11-06 18:57:21 +01:00
static void wpa_sm_rekey_ptk(void *eloop_ctx, void *timeout_ctx)
{
struct wpa_sm *sm = eloop_ctx;
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Request PTK rekeying");
Added support for enforcing frequent PTK rekeying Added a new configuration option, wpa_ptk_rekey, that can be used to enforce frequent PTK rekeying, e.g., to mitigate some attacks against TKIP deficiencies. This can be set either by the Authenticator (to initiate periodic 4-way handshake to rekey PTK) or by the Supplicant (to request Authenticator to rekey PTK). With both wpa_ptk_rekey and wpa_group_rekey (in hostapd) set to 600, TKIP keys will not be used for more than 10 minutes which may make some attacks against TKIP more difficult to implement.
2008-11-06 18:57:21 +01:00
wpa_sm_key_request(sm, 0, 1);
}
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
static int wpa_supplicant_install_ptk(struct wpa_sm *sm,
Introduce and add key_flag Add the new set_key() parameter "key_flag" to provide more specific description of what type of a key is being configured. This is needed to be able to add support for "Extended Key ID for Individually Addressed Frames" from IEEE Std 802.11-2016. In addition, this may be used to replace the set_tx boolean eventually once all the driver wrappers have moved to using the new key_flag. The following flag are defined: KEY_FLAG_MODIFY Set when an already installed key must be updated. So far the only use-case is changing RX/TX status of installed keys. Must not be set when deleting a key. KEY_FLAG_DEFAULT Set when the key is also a default key. Must not be set when deleting a key. (This is the replacement for set_tx.) KEY_FLAG_RX The key is valid for RX. Must not be set when deleting a key. KEY_FLAG_TX The key is valid for TX. Must not be set when deleting a key. KEY_FLAG_GROUP The key is a broadcast or group key. KEY_FLAG_PAIRWISE The key is a pairwise key. KEY_FLAG_PMK The key is a Pairwise Master Key (PMK). Predefined and needed flag combinations so far are: KEY_FLAG_GROUP_RX_TX WEP key not used as default key (yet). KEY_FLAG_GROUP_RX_TX_DEFAULT Default WEP or WPA-NONE key. KEY_FLAG_GROUP_RX GTK key valid for RX only. KEY_FLAG_GROUP_TX_DEFAULT GTK key valid for TX only, immediately taking over TX. KEY_FLAG_PAIRWISE_RX_TX Pairwise key immediately becoming the active pairwise key. KEY_FLAG_PAIRWISE_RX Pairwise key not yet valid for TX. (Only usable with Extended Key ID support.) KEY_FLAG_PAIRWISE_RX_TX_MODIFY Enable TX for a pairwise key installed with KEY_FLAG_PAIRWISE_RX. KEY_FLAG_RX_TX Not a valid standalone key type and can only used in combination with other flags to mark a key for RX/TX. This commit is not changing any functionality. It just adds the new key_flag to all hostapd/wpa_supplicant set_key() functions without using it, yet. Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-01-04 23:10:04 +01:00
const struct wpa_eapol_key *key,
enum key_flag key_flag)
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
{
int keylen, rsclen;
Get rid of unnecessary typedefs for enums.
2009-12-26 09:35:08 +01:00
enum wpa_alg alg;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
const u8 *key_rsc;
Prevent installation of an all-zero TK Properly track whether a PTK has already been installed to the driver and the TK part cleared from memory. This prevents an attacker from trying to trick the client into installing an all-zero TK. This fixes the earlier fix in commit ad00d64e7d8827b3cebd665a0ceb08adabf15e1e ('Fix TK configuration to the driver in EAPOL-Key 3/4 retry case') which did not take into account possibility of an extra message 1/4 showing up between retries of message 3/4. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2017-09-29 04:22:51 +02:00
if (sm->ptk.installed) {
Fix TK configuration to the driver in EAPOL-Key 3/4 retry case Commit 7d711541dced759b34313477d5d163e65c5b0131 ('Clear TK part of PTK after driver key configuration') started clearing TK from memory immediately after having configured it to the driver when processing EAPOL-Key message 3/4. While this covered the most common case, it did not take into account the possibility of the authenticator having to retry EAPOL-Key message 3/4 in case the first EAPOL-Key message 4/4 response is lost. That case ended up trying to reinstall the same TK to the driver, but the key was not available anymore. Fix the EAPOL-Key message 3/4 retry case by configuring TK to the driver only once. There was no need to try to set the same key after each EAPOL-Key message 3/4 since TK could not change. If actual PTK rekeying is used, the new TK will be configured once when processing the new EAPOL-Key message 3/4 for the first time. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-10-01 17:51:04 +02:00
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
"WPA: Do not re-install same PTK to the driver");
return 0;
}
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
"WPA: Installing PTK to the driver");
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
Move WPA cipher information into a shared location Try to share most of the cipher information like key and RSC lengths and suite selector conversions, etc. in wpa_common.c to avoid having similar code throughout the WPA implementation for handling cipher specific behavior. Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-30 10:53:54 +02:00
if (sm->pairwise_cipher == WPA_CIPHER_NONE) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Pairwise Cipher "
"Suite: NONE - do not use pairwise keys");
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
return 0;
Move WPA cipher information into a shared location Try to share most of the cipher information like key and RSC lengths and suite selector conversions, etc. in wpa_common.c to avoid having similar code throughout the WPA implementation for handling cipher specific behavior. Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-30 10:53:54 +02:00
}
if (!wpa_cipher_valid_pairwise(sm->pairwise_cipher)) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
"WPA: Unsupported pairwise cipher %d",
sm->pairwise_cipher);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
return -1;
}
Move WPA cipher information into a shared location Try to share most of the cipher information like key and RSC lengths and suite selector conversions, etc. in wpa_common.c to avoid having similar code throughout the WPA implementation for handling cipher specific behavior. Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-30 10:53:54 +02:00
alg = wpa_cipher_to_alg(sm->pairwise_cipher);
keylen = wpa_cipher_key_len(sm->pairwise_cipher);
Additional consistentcy checks for PTK component lengths Verify that TK, KCK, and KEK lengths are set to consistent values within struct wpa_ptk before using them in supplicant. This is an additional layer of protection against unexpected states. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-10-16 23:01:11 +02:00
if (keylen <= 0 || (unsigned int) keylen != sm->ptk.tk_len) {
wpa_printf(MSG_DEBUG, "WPA: TK length mismatch: %d != %lu",
keylen, (long unsigned int) sm->ptk.tk_len);
return -1;
}
Move WPA cipher information into a shared location Try to share most of the cipher information like key and RSC lengths and suite selector conversions, etc. in wpa_common.c to avoid having similar code throughout the WPA implementation for handling cipher specific behavior. Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-30 10:53:54 +02:00
rsclen = wpa_cipher_rsc_len(sm->pairwise_cipher);
HS 2.0R2 AP: Add OSEN implementation Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-07-23 20:25:21 +02:00
if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) {
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
key_rsc = null_rsc;
} else {
key_rsc = key->key_rsc;
wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, rsclen);
}
STA: Support Extended Key ID Support Extended Key ID in wpa_supplicant according to IEEE Std 802.11-2016 for infrastructure (AP) associations. Extended Key ID allows to rekey pairwise keys without the otherwise unavoidable MPDU losses on a busy link. The standard is fully backward compatible, allowing STAs to also connect to APs not supporting it. Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-20 20:04:32 +01:00
if (wpa_sm_set_key(sm, alg, sm->bssid, sm->keyidx_active, 1, key_rsc,
rsclen, sm->ptk.tk, keylen,
Introduce and add key_flag Add the new set_key() parameter "key_flag" to provide more specific description of what type of a key is being configured. This is needed to be able to add support for "Extended Key ID for Individually Addressed Frames" from IEEE Std 802.11-2016. In addition, this may be used to replace the set_tx boolean eventually once all the driver wrappers have moved to using the new key_flag. The following flag are defined: KEY_FLAG_MODIFY Set when an already installed key must be updated. So far the only use-case is changing RX/TX status of installed keys. Must not be set when deleting a key. KEY_FLAG_DEFAULT Set when the key is also a default key. Must not be set when deleting a key. (This is the replacement for set_tx.) KEY_FLAG_RX The key is valid for RX. Must not be set when deleting a key. KEY_FLAG_TX The key is valid for TX. Must not be set when deleting a key. KEY_FLAG_GROUP The key is a broadcast or group key. KEY_FLAG_PAIRWISE The key is a pairwise key. KEY_FLAG_PMK The key is a Pairwise Master Key (PMK). Predefined and needed flag combinations so far are: KEY_FLAG_GROUP_RX_TX WEP key not used as default key (yet). KEY_FLAG_GROUP_RX_TX_DEFAULT Default WEP or WPA-NONE key. KEY_FLAG_GROUP_RX GTK key valid for RX only. KEY_FLAG_GROUP_TX_DEFAULT GTK key valid for TX only, immediately taking over TX. KEY_FLAG_PAIRWISE_RX_TX Pairwise key immediately becoming the active pairwise key. KEY_FLAG_PAIRWISE_RX Pairwise key not yet valid for TX. (Only usable with Extended Key ID support.) KEY_FLAG_PAIRWISE_RX_TX_MODIFY Enable TX for a pairwise key installed with KEY_FLAG_PAIRWISE_RX. KEY_FLAG_RX_TX Not a valid standalone key type and can only used in combination with other flags to mark a key for RX/TX. This commit is not changing any functionality. It just adds the new key_flag to all hostapd/wpa_supplicant set_key() functions without using it, yet. Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-01-04 23:10:04 +01:00
KEY_FLAG_PAIRWISE | key_flag) < 0) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
STA: Support Extended Key ID Support Extended Key ID in wpa_supplicant according to IEEE Std 802.11-2016 for infrastructure (AP) associations. Extended Key ID allows to rekey pairwise keys without the otherwise unavoidable MPDU losses on a busy link. The standard is fully backward compatible, allowing STAs to also connect to APs not supporting it. Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-20 20:04:32 +01:00
"WPA: Failed to set PTK to the driver (alg=%d keylen=%d bssid="
MACSTR " idx=%d key_flag=0x%x)",
alg, keylen, MAC2STR(sm->bssid),
sm->keyidx_active, key_flag);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
return -1;
}
Added support for enforcing frequent PTK rekeying Added a new configuration option, wpa_ptk_rekey, that can be used to enforce frequent PTK rekeying, e.g., to mitigate some attacks against TKIP deficiencies. This can be set either by the Authenticator (to initiate periodic 4-way handshake to rekey PTK) or by the Supplicant (to request Authenticator to rekey PTK). With both wpa_ptk_rekey and wpa_group_rekey (in hostapd) set to 600, TKIP keys will not be used for more than 10 minutes which may make some attacks against TKIP more difficult to implement.
2008-11-06 18:57:21 +01:00
WPA: Add PTKSA cache to wpa_supplicant for PASN PASN requires to store the PTK derived during PASN authentication so it can later be used for secure LTF etc. This is also true for a PTK derived during regular connection. Add an instance of a PTKSA cache for each wpa_supplicant interface when PASN is enabled in build configuration. Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2020-12-16 12:00:27 +01:00
wpa_sm_store_ptk(sm, sm->bssid, sm->pairwise_cipher,
sm->dot11RSNAConfigPMKLifetime, &sm->ptk);
Clear TK part of PTK after driver key configuration There is no need for wpa_supplicant to maintain a copy of the TK part of PTK after this has been configured to the driver, so clear that from heap memory and only maintain KEK and KCK during association to allow additional EAPOL-Key handshakes. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-29 12:03:01 +01:00
/* TK is not needed anymore in supplicant */
Preparations for variable length KCK and KEK This modifies struct wpa_ptk to allow the length of KCK and KEK to be stored. This is needed to allow longer keys to be used, e.g., with Suite B 192-bit level. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-25 15:49:18 +01:00
os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
Additional consistentcy checks for PTK component lengths Verify that TK, KCK, and KEK lengths are set to consistent values within struct wpa_ptk before using them in supplicant. This is an additional layer of protection against unexpected states. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-10-16 23:01:11 +02:00
sm->ptk.tk_len = 0;
Prevent installation of an all-zero TK Properly track whether a PTK has already been installed to the driver and the TK part cleared from memory. This prevents an attacker from trying to trick the client into installing an all-zero TK. This fixes the earlier fix in commit ad00d64e7d8827b3cebd665a0ceb08adabf15e1e ('Fix TK configuration to the driver in EAPOL-Key 3/4 retry case') which did not take into account possibility of an extra message 1/4 showing up between retries of message 3/4. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2017-09-29 04:22:51 +02:00
sm->ptk.installed = 1;
Clear TK part of PTK after driver key configuration There is no need for wpa_supplicant to maintain a copy of the TK part of PTK after this has been configured to the driver, so clear that from heap memory and only maintain KEK and KCK during association to allow additional EAPOL-Key handshakes. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-29 12:03:01 +01:00
Added support for enforcing frequent PTK rekeying Added a new configuration option, wpa_ptk_rekey, that can be used to enforce frequent PTK rekeying, e.g., to mitigate some attacks against TKIP deficiencies. This can be set either by the Authenticator (to initiate periodic 4-way handshake to rekey PTK) or by the Supplicant (to request Authenticator to rekey PTK). With both wpa_ptk_rekey and wpa_group_rekey (in hostapd) set to 600, TKIP keys will not be used for more than 10 minutes which may make some attacks against TKIP more difficult to implement.
2008-11-06 18:57:21 +01:00
if (sm->wpa_ptk_rekey) {
eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
eloop_register_timeout(sm->wpa_ptk_rekey, 0, wpa_sm_rekey_ptk,
sm, NULL);
}
STA: Support Extended Key ID Support Extended Key ID in wpa_supplicant according to IEEE Std 802.11-2016 for infrastructure (AP) associations. Extended Key ID allows to rekey pairwise keys without the otherwise unavoidable MPDU losses on a busy link. The standard is fully backward compatible, allowing STAs to also connect to APs not supporting it. Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-20 20:04:32 +01:00
return 0;
}
static int wpa_supplicant_activate_ptk(struct wpa_sm *sm)
{
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
"WPA: Activate PTK (idx=%d bssid=" MACSTR ")",
sm->keyidx_active, MAC2STR(sm->bssid));
Added support for enforcing frequent PTK rekeying Added a new configuration option, wpa_ptk_rekey, that can be used to enforce frequent PTK rekeying, e.g., to mitigate some attacks against TKIP deficiencies. This can be set either by the Authenticator (to initiate periodic 4-way handshake to rekey PTK) or by the Supplicant (to request Authenticator to rekey PTK). With both wpa_ptk_rekey and wpa_group_rekey (in hostapd) set to 600, TKIP keys will not be used for more than 10 minutes which may make some attacks against TKIP more difficult to implement.
2008-11-06 18:57:21 +01:00
STA: Support Extended Key ID Support Extended Key ID in wpa_supplicant according to IEEE Std 802.11-2016 for infrastructure (AP) associations. Extended Key ID allows to rekey pairwise keys without the otherwise unavoidable MPDU losses on a busy link. The standard is fully backward compatible, allowing STAs to also connect to APs not supporting it. Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-20 20:04:32 +01:00
if (wpa_sm_set_key(sm, 0, sm->bssid, sm->keyidx_active, 0, NULL, 0,
NULL, 0, KEY_FLAG_PAIRWISE_RX_TX_MODIFY) < 0) {
wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
"WPA: Failed to activate PTK for TX (idx=%d bssid="
MACSTR ")", sm->keyidx_active, MAC2STR(sm->bssid));
return -1;
}
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
return 0;
}
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
static int wpa_supplicant_check_group_cipher(struct wpa_sm *sm,
int group_cipher,
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
int keylen, int maxkeylen,
Get rid of unnecessary typedefs for enums.
2009-12-26 09:35:08 +01:00
int *key_rsc_len,
enum wpa_alg *alg)
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
{
Move WPA cipher information into a shared location Try to share most of the cipher information like key and RSC lengths and suite selector conversions, etc. in wpa_common.c to avoid having similar code throughout the WPA implementation for handling cipher specific behavior. Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-30 10:53:54 +02:00
int klen;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
Move WPA cipher information into a shared location Try to share most of the cipher information like key and RSC lengths and suite selector conversions, etc. in wpa_common.c to avoid having similar code throughout the WPA implementation for handling cipher specific behavior. Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-30 10:53:54 +02:00
*alg = wpa_cipher_to_alg(group_cipher);
if (*alg == WPA_ALG_NONE) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
"WPA: Unsupported Group Cipher %d",
group_cipher);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
return -1;
}
Move WPA cipher information into a shared location Try to share most of the cipher information like key and RSC lengths and suite selector conversions, etc. in wpa_common.c to avoid having similar code throughout the WPA implementation for handling cipher specific behavior. Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-30 10:53:54 +02:00
*key_rsc_len = wpa_cipher_rsc_len(group_cipher);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
Move WPA cipher information into a shared location Try to share most of the cipher information like key and RSC lengths and suite selector conversions, etc. in wpa_common.c to avoid having similar code throughout the WPA implementation for handling cipher specific behavior. Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-30 10:53:54 +02:00
klen = wpa_cipher_key_len(group_cipher);
if (keylen != klen || maxkeylen < klen) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
"WPA: Unsupported %s Group Cipher key length %d (%d)",
wpa_cipher_txt(group_cipher), keylen, maxkeylen);
Move WPA cipher information into a shared location Try to share most of the cipher information like key and RSC lengths and suite selector conversions, etc. in wpa_common.c to avoid having similar code throughout the WPA implementation for handling cipher specific behavior. Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-30 10:53:54 +02:00
return -1;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
}
Move WPA cipher information into a shared location Try to share most of the cipher information like key and RSC lengths and suite selector conversions, etc. in wpa_common.c to avoid having similar code throughout the WPA implementation for handling cipher specific behavior. Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-30 10:53:54 +02:00
return 0;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
}
struct wpa_gtk_data {
Get rid of unnecessary typedefs for enums.
2009-12-26 09:35:08 +01:00
enum wpa_alg alg;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
int tx, key_rsc_len, keyidx;
u8 gtk[32];
int gtk_len;
};
static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
const struct wpa_gtk_data *gd,
Extend protection of GTK/IGTK reinstallation of WNM-Sleep Mode cases This extends the protection to track last configured GTK/IGTK value separately from EAPOL-Key frames and WNM-Sleep Mode frames to cover a corner case where these two different mechanisms may get used when the GTK/IGTK has changed and tracking a single value is not sufficient to detect a possible key reconfiguration. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-10-01 11:12:24 +02:00
const u8 *key_rsc, int wnm_sleep)
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
{
const u8 *_gtk = gd->gtk;
u8 gtk_buf[32];
Prevent reinstallation of an already in-use group key Track the current GTK and IGTK that is in use and when receiving a (possibly retransmitted) Group Message 1 or WNM-Sleep Mode Response, do not install the given key if it is already in use. This prevents an attacker from trying to trick the client into resetting or lowering the sequence counter associated to the group key. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2017-07-12 16:03:24 +02:00
/* Detect possible key reinstallation */
Extend protection of GTK/IGTK reinstallation of WNM-Sleep Mode cases This extends the protection to track last configured GTK/IGTK value separately from EAPOL-Key frames and WNM-Sleep Mode frames to cover a corner case where these two different mechanisms may get used when the GTK/IGTK has changed and tracking a single value is not sufficient to detect a possible key reconfiguration. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-10-01 11:12:24 +02:00
if ((sm->gtk.gtk_len == (size_t) gd->gtk_len &&
os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) ||
(sm->gtk_wnm_sleep.gtk_len == (size_t) gd->gtk_len &&
os_memcmp(sm->gtk_wnm_sleep.gtk, gd->gtk,
sm->gtk_wnm_sleep.gtk_len) == 0)) {
Prevent reinstallation of an already in-use group key Track the current GTK and IGTK that is in use and when receiving a (possibly retransmitted) Group Message 1 or WNM-Sleep Mode Response, do not install the given key if it is already in use. This prevents an attacker from trying to trick the client into resetting or lowering the sequence counter associated to the group key. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2017-07-12 16:03:24 +02:00
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
"WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)",
gd->keyidx, gd->tx, gd->gtk_len);
return 0;
}
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
wpa_hexdump_key(MSG_DEBUG, "WPA: Group Key", gd->gtk, gd->gtk_len);
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
"WPA: Installing GTK to the driver (keyidx=%d tx=%d len=%d)",
gd->keyidx, gd->tx, gd->gtk_len);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, gd->key_rsc_len);
if (sm->group_cipher == WPA_CIPHER_TKIP) {
/* Swap Tx/Rx keys for Michael MIC */
os_memcpy(gtk_buf, gd->gtk, 16);
os_memcpy(gtk_buf + 16, gd->gtk + 24, 8);
os_memcpy(gtk_buf + 24, gd->gtk + 16, 8);
_gtk = gtk_buf;
}
if (sm->pairwise_cipher == WPA_CIPHER_NONE) {
Use set_key addr to distinguish default and multicast keys Previously, both NULL and ff:ff:ff:ff:ff:ff addr were used in various places to indicate default/broadcast keys. Make this more consistent and useful by defining NULL to mean default key (i.e., used both for unicast and broadcast) and ff:ff:ff:ff:ff:ff to indicate broadcast key (i.e., used only with broadcast).
2011-01-09 18:44:28 +01:00
if (wpa_sm_set_key(sm, gd->alg, NULL,
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
gd->keyidx, 1, key_rsc, gd->key_rsc_len,
Introduce and add key_flag Add the new set_key() parameter "key_flag" to provide more specific description of what type of a key is being configured. This is needed to be able to add support for "Extended Key ID for Individually Addressed Frames" from IEEE Std 802.11-2016. In addition, this may be used to replace the set_tx boolean eventually once all the driver wrappers have moved to using the new key_flag. The following flag are defined: KEY_FLAG_MODIFY Set when an already installed key must be updated. So far the only use-case is changing RX/TX status of installed keys. Must not be set when deleting a key. KEY_FLAG_DEFAULT Set when the key is also a default key. Must not be set when deleting a key. (This is the replacement for set_tx.) KEY_FLAG_RX The key is valid for RX. Must not be set when deleting a key. KEY_FLAG_TX The key is valid for TX. Must not be set when deleting a key. KEY_FLAG_GROUP The key is a broadcast or group key. KEY_FLAG_PAIRWISE The key is a pairwise key. KEY_FLAG_PMK The key is a Pairwise Master Key (PMK). Predefined and needed flag combinations so far are: KEY_FLAG_GROUP_RX_TX WEP key not used as default key (yet). KEY_FLAG_GROUP_RX_TX_DEFAULT Default WEP or WPA-NONE key. KEY_FLAG_GROUP_RX GTK key valid for RX only. KEY_FLAG_GROUP_TX_DEFAULT GTK key valid for TX only, immediately taking over TX. KEY_FLAG_PAIRWISE_RX_TX Pairwise key immediately becoming the active pairwise key. KEY_FLAG_PAIRWISE_RX Pairwise key not yet valid for TX. (Only usable with Extended Key ID support.) KEY_FLAG_PAIRWISE_RX_TX_MODIFY Enable TX for a pairwise key installed with KEY_FLAG_PAIRWISE_RX. KEY_FLAG_RX_TX Not a valid standalone key type and can only used in combination with other flags to mark a key for RX/TX. This commit is not changing any functionality. It just adds the new key_flag to all hostapd/wpa_supplicant set_key() functions without using it, yet. Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-01-04 23:10:04 +01:00
_gtk, gd->gtk_len,
KEY_FLAG_GROUP_RX_TX_DEFAULT) < 0) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
"WPA: Failed to set GTK to the driver "
"(Group only)");
More forceful clearing of stack memory with keys gcc 8.3.0 was apparently clever enough to optimize away the previously used os_memset() to explicitly clear a stack buffer that contains keys when that clearing happened just before returning from the function. Since memset_s() is not exactly portable (or commonly available yet..), use a less robust mechanism that is still pretty likely to prevent current compilers from optimizing the explicit clearing of the memory away. Signed-off-by: Jouni Malinen <j@w1.fi>
2019-05-25 23:47:17 +02:00
forced_memzero(gtk_buf, sizeof(gtk_buf));
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
return -1;
}
Use set_key addr to distinguish default and multicast keys Previously, both NULL and ff:ff:ff:ff:ff:ff addr were used in various places to indicate default/broadcast keys. Make this more consistent and useful by defining NULL to mean default key (i.e., used both for unicast and broadcast) and ff:ff:ff:ff:ff:ff to indicate broadcast key (i.e., used only with broadcast).
2011-01-09 18:44:28 +01:00
} else if (wpa_sm_set_key(sm, gd->alg, broadcast_ether_addr,
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
gd->keyidx, gd->tx, key_rsc, gd->key_rsc_len,
Introduce and add key_flag Add the new set_key() parameter "key_flag" to provide more specific description of what type of a key is being configured. This is needed to be able to add support for "Extended Key ID for Individually Addressed Frames" from IEEE Std 802.11-2016. In addition, this may be used to replace the set_tx boolean eventually once all the driver wrappers have moved to using the new key_flag. The following flag are defined: KEY_FLAG_MODIFY Set when an already installed key must be updated. So far the only use-case is changing RX/TX status of installed keys. Must not be set when deleting a key. KEY_FLAG_DEFAULT Set when the key is also a default key. Must not be set when deleting a key. (This is the replacement for set_tx.) KEY_FLAG_RX The key is valid for RX. Must not be set when deleting a key. KEY_FLAG_TX The key is valid for TX. Must not be set when deleting a key. KEY_FLAG_GROUP The key is a broadcast or group key. KEY_FLAG_PAIRWISE The key is a pairwise key. KEY_FLAG_PMK The key is a Pairwise Master Key (PMK). Predefined and needed flag combinations so far are: KEY_FLAG_GROUP_RX_TX WEP key not used as default key (yet). KEY_FLAG_GROUP_RX_TX_DEFAULT Default WEP or WPA-NONE key. KEY_FLAG_GROUP_RX GTK key valid for RX only. KEY_FLAG_GROUP_TX_DEFAULT GTK key valid for TX only, immediately taking over TX. KEY_FLAG_PAIRWISE_RX_TX Pairwise key immediately becoming the active pairwise key. KEY_FLAG_PAIRWISE_RX Pairwise key not yet valid for TX. (Only usable with Extended Key ID support.) KEY_FLAG_PAIRWISE_RX_TX_MODIFY Enable TX for a pairwise key installed with KEY_FLAG_PAIRWISE_RX. KEY_FLAG_RX_TX Not a valid standalone key type and can only used in combination with other flags to mark a key for RX/TX. This commit is not changing any functionality. It just adds the new key_flag to all hostapd/wpa_supplicant set_key() functions without using it, yet. Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-01-04 23:10:04 +01:00
_gtk, gd->gtk_len, KEY_FLAG_GROUP_RX) < 0) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
"WPA: Failed to set GTK to "
"the driver (alg=%d keylen=%d keyidx=%d)",
gd->alg, gd->gtk_len, gd->keyidx);
More forceful clearing of stack memory with keys gcc 8.3.0 was apparently clever enough to optimize away the previously used os_memset() to explicitly clear a stack buffer that contains keys when that clearing happened just before returning from the function. Since memset_s() is not exactly portable (or commonly available yet..), use a less robust mechanism that is still pretty likely to prevent current compilers from optimizing the explicit clearing of the memory away. Signed-off-by: Jouni Malinen <j@w1.fi>
2019-05-25 23:47:17 +02:00
forced_memzero(gtk_buf, sizeof(gtk_buf));
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
return -1;
}
More forceful clearing of stack memory with keys gcc 8.3.0 was apparently clever enough to optimize away the previously used os_memset() to explicitly clear a stack buffer that contains keys when that clearing happened just before returning from the function. Since memset_s() is not exactly portable (or commonly available yet..), use a less robust mechanism that is still pretty likely to prevent current compilers from optimizing the explicit clearing of the memory away. Signed-off-by: Jouni Malinen <j@w1.fi>
2019-05-25 23:47:17 +02:00
forced_memzero(gtk_buf, sizeof(gtk_buf));
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
Extend protection of GTK/IGTK reinstallation of WNM-Sleep Mode cases This extends the protection to track last configured GTK/IGTK value separately from EAPOL-Key frames and WNM-Sleep Mode frames to cover a corner case where these two different mechanisms may get used when the GTK/IGTK has changed and tracking a single value is not sufficient to detect a possible key reconfiguration. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-10-01 11:12:24 +02:00
if (wnm_sleep) {
sm->gtk_wnm_sleep.gtk_len = gd->gtk_len;
os_memcpy(sm->gtk_wnm_sleep.gtk, gd->gtk,
sm->gtk_wnm_sleep.gtk_len);
} else {
sm->gtk.gtk_len = gd->gtk_len;
os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len);
}
Prevent reinstallation of an already in-use group key Track the current GTK and IGTK that is in use and when receiving a (possibly retransmitted) Group Message 1 or WNM-Sleep Mode Response, do not install the given key if it is already in use. This prevents an attacker from trying to trick the client into resetting or lowering the sequence counter associated to the group key. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2017-07-12 16:03:24 +02:00
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
return 0;
}
static int wpa_supplicant_gtk_tx_bit_workaround(const struct wpa_sm *sm,
int tx)
{
if (tx && sm->pairwise_cipher != WPA_CIPHER_NONE) {
/* Ignore Tx bit for GTK if a pairwise key is used. One AP
* seemed to set this bit (incorrectly, since Tx is only when
* doing Group Key only APs) and without this workaround, the
* data connection does not work because wpa_supplicant
* configured non-zero keyidx to be used for unicast. */
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
"WPA: Tx bit set for GTK, but pairwise "
"keys are used - ignore Tx bit");
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
return 0;
}
return tx;
}
wpa_supplicant: Add GTK RSC relaxation workaround Some APs may send RSC octets in EAPOL-Key message 3 of 4-Way Handshake or in EAPOL-Key message 1 of Group Key Handshake in the opposite byte order (or by some other corrupted way). Thus, after a successful EAPOL-Key exchange the TSC values of received multicast packets, such as DHCP, don't match the RSC one and as a result these packets are dropped on replay attack TSC verification. An example of such AP is Sapido RB-1732. Work around this by setting RSC octets to 0 on GTK installation if the AP RSC value is identified as a potentially having the byte order issue. This may open a short window during which older (but valid) group-addressed frames could be replayed. However, the local receive counter will be updated on the first received group-addressed frame and the workaround is enabled only if the common invalid cases are detected, so this workaround is acceptable as not decreasing security significantly. The wpa_rsc_relaxation global configuration property allows the GTK RSC workaround to be disabled if it's not needed. Signed-off-by: Max Stepanov <Max.Stepanov@intel.com>
2015-10-14 11:26:33 +02:00
static int wpa_supplicant_rsc_relaxation(const struct wpa_sm *sm,
const u8 *rsc)
{
int rsclen;
if (!sm->wpa_rsc_relaxation)
return 0;
rsclen = wpa_cipher_rsc_len(sm->group_cipher);
/*
* Try to detect RSC (endian) corruption issue where the AP sends
* the RSC bytes in EAPOL-Key message in the wrong order, both if
* it's actually a 6-byte field (as it should be) and if it treats
* it as an 8-byte field.
* An AP model known to have this bug is the Sapido RB-1632.
*/
if (rsclen == 6 && ((rsc[5] && !rsc[0]) || rsc[6] || rsc[7])) {
wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
"RSC %02x%02x%02x%02x%02x%02x%02x%02x is likely bogus, using 0",
rsc[0], rsc[1], rsc[2], rsc[3],
rsc[4], rsc[5], rsc[6], rsc[7]);
return 1;
}
return 0;
}
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm,
const struct wpa_eapol_key *key,
const u8 *gtk, size_t gtk_len,
int key_info)
{
struct wpa_gtk_data gd;
wpa_supplicant: Add GTK RSC relaxation workaround Some APs may send RSC octets in EAPOL-Key message 3 of 4-Way Handshake or in EAPOL-Key message 1 of Group Key Handshake in the opposite byte order (or by some other corrupted way). Thus, after a successful EAPOL-Key exchange the TSC values of received multicast packets, such as DHCP, don't match the RSC one and as a result these packets are dropped on replay attack TSC verification. An example of such AP is Sapido RB-1732. Work around this by setting RSC octets to 0 on GTK installation if the AP RSC value is identified as a potentially having the byte order issue. This may open a short window during which older (but valid) group-addressed frames could be replayed. However, the local receive counter will be updated on the first received group-addressed frame and the workaround is enabled only if the common invalid cases are detected, so this workaround is acceptable as not decreasing security significantly. The wpa_rsc_relaxation global configuration property allows the GTK RSC workaround to be disabled if it's not needed. Signed-off-by: Max Stepanov <Max.Stepanov@intel.com>
2015-10-14 11:26:33 +02:00
const u8 *key_rsc;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
/*
* IEEE Std 802.11i-2004 - 8.5.2 EAPOL-Key frames - Figure 43x
* GTK KDE format:
* KeyID[bits 0-1], Tx [bit 2], Reserved [bits 3-7]
* Reserved [bits 0-7]
* GTK
*/
os_memset(&gd, 0, sizeof(gd));
wpa_hexdump_key(MSG_DEBUG, "RSN: received GTK in pairwise handshake",
gtk, gtk_len);
if (gtk_len < 2 || gtk_len - 2 > sizeof(gd.gtk))
return -1;
gd.keyidx = gtk[0] & 0x3;
gd.tx = wpa_supplicant_gtk_tx_bit_workaround(sm,
!!(gtk[0] & BIT(2)));
gtk += 2;
gtk_len -= 2;
os_memcpy(gd.gtk, gtk, gtk_len);
gd.gtk_len = gtk_len;
wpa_supplicant: Add GTK RSC relaxation workaround Some APs may send RSC octets in EAPOL-Key message 3 of 4-Way Handshake or in EAPOL-Key message 1 of Group Key Handshake in the opposite byte order (or by some other corrupted way). Thus, after a successful EAPOL-Key exchange the TSC values of received multicast packets, such as DHCP, don't match the RSC one and as a result these packets are dropped on replay attack TSC verification. An example of such AP is Sapido RB-1732. Work around this by setting RSC octets to 0 on GTK installation if the AP RSC value is identified as a potentially having the byte order issue. This may open a short window during which older (but valid) group-addressed frames could be replayed. However, the local receive counter will be updated on the first received group-addressed frame and the workaround is enabled only if the common invalid cases are detected, so this workaround is acceptable as not decreasing security significantly. The wpa_rsc_relaxation global configuration property allows the GTK RSC workaround to be disabled if it's not needed. Signed-off-by: Max Stepanov <Max.Stepanov@intel.com>
2015-10-14 11:26:33 +02:00
key_rsc = key->key_rsc;
if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc))
key_rsc = null_rsc;
Initial handling of GTK-not-used cipher suite This prepares wpa_supplicant for accepting cases where the AP does not use group addressed frames. Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-07-23 20:24:05 +02:00
if (sm->group_cipher != WPA_CIPHER_GTK_NOT_USED &&
(wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
gtk_len, gtk_len,
&gd.key_rsc_len, &gd.alg) ||
Extend protection of GTK/IGTK reinstallation of WNM-Sleep Mode cases This extends the protection to track last configured GTK/IGTK value separately from EAPOL-Key frames and WNM-Sleep Mode frames to cover a corner case where these two different mechanisms may get used when the GTK/IGTK has changed and tracking a single value is not sufficient to detect a possible key reconfiguration. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-10-01 11:12:24 +02:00
wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0))) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
"RSN: Failed to install GTK");
More forceful clearing of stack memory with keys gcc 8.3.0 was apparently clever enough to optimize away the previously used os_memset() to explicitly clear a stack buffer that contains keys when that clearing happened just before returning from the function. Since memset_s() is not exactly portable (or commonly available yet..), use a less robust mechanism that is still pretty likely to prevent current compilers from optimizing the explicit clearing of the memory away. Signed-off-by: Jouni Malinen <j@w1.fi>
2019-05-25 23:47:17 +02:00
forced_memzero(&gd, sizeof(gd));
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
return -1;
}
More forceful clearing of stack memory with keys gcc 8.3.0 was apparently clever enough to optimize away the previously used os_memset() to explicitly clear a stack buffer that contains keys when that clearing happened just before returning from the function. Since memset_s() is not exactly portable (or commonly available yet..), use a less robust mechanism that is still pretty likely to prevent current compilers from optimizing the explicit clearing of the memory away. Signed-off-by: Jouni Malinen <j@w1.fi>
2019-05-25 23:47:17 +02:00
forced_memzero(&gd, sizeof(gd));
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
return 0;
}
Prevent reinstallation of an already in-use group key Track the current GTK and IGTK that is in use and when receiving a (possibly retransmitted) Group Message 1 or WNM-Sleep Mode Response, do not install the given key if it is already in use. This prevents an attacker from trying to trick the client into resetting or lowering the sequence counter associated to the group key. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2017-07-12 16:03:24 +02:00
static int wpa_supplicant_install_igtk(struct wpa_sm *sm,
Extend protection of GTK/IGTK reinstallation of WNM-Sleep Mode cases This extends the protection to track last configured GTK/IGTK value separately from EAPOL-Key frames and WNM-Sleep Mode frames to cover a corner case where these two different mechanisms may get used when the GTK/IGTK has changed and tracking a single value is not sufficient to detect a possible key reconfiguration. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-10-01 11:12:24 +02:00
const struct wpa_igtk_kde *igtk,
int wnm_sleep)
Prevent reinstallation of an already in-use group key Track the current GTK and IGTK that is in use and when receiving a (possibly retransmitted) Group Message 1 or WNM-Sleep Mode Response, do not install the given key if it is already in use. This prevents an attacker from trying to trick the client into resetting or lowering the sequence counter associated to the group key. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2017-07-12 16:03:24 +02:00
{
size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
u16 keyidx = WPA_GET_LE16(igtk->keyid);
/* Detect possible key reinstallation */
Extend protection of GTK/IGTK reinstallation of WNM-Sleep Mode cases This extends the protection to track last configured GTK/IGTK value separately from EAPOL-Key frames and WNM-Sleep Mode frames to cover a corner case where these two different mechanisms may get used when the GTK/IGTK has changed and tracking a single value is not sufficient to detect a possible key reconfiguration. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-10-01 11:12:24 +02:00
if ((sm->igtk.igtk_len == len &&
os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) ||
(sm->igtk_wnm_sleep.igtk_len == len &&
os_memcmp(sm->igtk_wnm_sleep.igtk, igtk->igtk,
sm->igtk_wnm_sleep.igtk_len) == 0)) {
Prevent reinstallation of an already in-use group key Track the current GTK and IGTK that is in use and when receiving a (possibly retransmitted) Group Message 1 or WNM-Sleep Mode Response, do not install the given key if it is already in use. This prevents an attacker from trying to trick the client into resetting or lowering the sequence counter associated to the group key. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2017-07-12 16:03:24 +02:00
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
"WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)",
keyidx);
return 0;
}
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
RSN: Use COMPACT_MACSTR to match MAC2STR We shouldn't open-code the %02x... when we have COMPACT_MACSTR. Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2018-08-22 18:49:03 +02:00
"WPA: IGTK keyid %d pn " COMPACT_MACSTR,
Prevent reinstallation of an already in-use group key Track the current GTK and IGTK that is in use and when receiving a (possibly retransmitted) Group Message 1 or WNM-Sleep Mode Response, do not install the given key if it is already in use. This prevents an attacker from trying to trick the client into resetting or lowering the sequence counter associated to the group key. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2017-07-12 16:03:24 +02:00
keyidx, MAC2STR(igtk->pn));
wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK", igtk->igtk, len);
if (keyidx > 4095) {
wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
"WPA: Invalid IGTK KeyID %d", keyidx);
return -1;
}
if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
broadcast_ether_addr,
keyidx, 0, igtk->pn, sizeof(igtk->pn),
Introduce and add key_flag Add the new set_key() parameter "key_flag" to provide more specific description of what type of a key is being configured. This is needed to be able to add support for "Extended Key ID for Individually Addressed Frames" from IEEE Std 802.11-2016. In addition, this may be used to replace the set_tx boolean eventually once all the driver wrappers have moved to using the new key_flag. The following flag are defined: KEY_FLAG_MODIFY Set when an already installed key must be updated. So far the only use-case is changing RX/TX status of installed keys. Must not be set when deleting a key. KEY_FLAG_DEFAULT Set when the key is also a default key. Must not be set when deleting a key. (This is the replacement for set_tx.) KEY_FLAG_RX The key is valid for RX. Must not be set when deleting a key. KEY_FLAG_TX The key is valid for TX. Must not be set when deleting a key. KEY_FLAG_GROUP The key is a broadcast or group key. KEY_FLAG_PAIRWISE The key is a pairwise key. KEY_FLAG_PMK The key is a Pairwise Master Key (PMK). Predefined and needed flag combinations so far are: KEY_FLAG_GROUP_RX_TX WEP key not used as default key (yet). KEY_FLAG_GROUP_RX_TX_DEFAULT Default WEP or WPA-NONE key. KEY_FLAG_GROUP_RX GTK key valid for RX only. KEY_FLAG_GROUP_TX_DEFAULT GTK key valid for TX only, immediately taking over TX. KEY_FLAG_PAIRWISE_RX_TX Pairwise key immediately becoming the active pairwise key. KEY_FLAG_PAIRWISE_RX Pairwise key not yet valid for TX. (Only usable with Extended Key ID support.) KEY_FLAG_PAIRWISE_RX_TX_MODIFY Enable TX for a pairwise key installed with KEY_FLAG_PAIRWISE_RX. KEY_FLAG_RX_TX Not a valid standalone key type and can only used in combination with other flags to mark a key for RX/TX. This commit is not changing any functionality. It just adds the new key_flag to all hostapd/wpa_supplicant set_key() functions without using it, yet. Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-01-04 23:10:04 +01:00
igtk->igtk, len, KEY_FLAG_GROUP_RX) < 0) {
RSN: Ignore IGTK configuration errors with swapped KeyID values There are number of deployed APs with broken PMF implementation where the IGTK KDE uses swapped bytes in the KeyID field (0x0400 and 0x0500 instead of 4 and 5). Such APs cannot be trusted to implement BIP correctly or provide a valid IGTK, so do not try to configure this key with swapped KeyID bytes. Instead, continue without configuring the IGTK so that the driver can drop any received group-addressed robust management frames due to missing keys. Normally, this error behavior would result in us disconnecting, but there are number of deployed APs with this broken behavior, so as an interoperability workaround, allow the connection to proceed. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-16 11:06:28 +02:00
if (keyidx == 0x0400 || keyidx == 0x0500) {
/* Assume the AP has broken PMF implementation since it
* seems to have swapped the KeyID bytes. The AP cannot
* be trusted to implement BIP correctly or provide a
* valid IGTK, so do not try to configure this key with
* swapped KeyID bytes. Instead, continue without
* configuring the IGTK so that the driver can drop any
* received group-addressed robust management frames due
* to missing keys.
*
* Normally, this error behavior would result in us
* disconnecting, but there are number of deployed APs
* with this broken behavior, so as an interoperability
* workaround, allow the connection to proceed. */
wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
"WPA: Ignore IGTK configuration error due to invalid IGTK KeyID byte order");
} else {
wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
"WPA: Failed to configure IGTK to the driver");
return -1;
}
Prevent reinstallation of an already in-use group key Track the current GTK and IGTK that is in use and when receiving a (possibly retransmitted) Group Message 1 or WNM-Sleep Mode Response, do not install the given key if it is already in use. This prevents an attacker from trying to trick the client into resetting or lowering the sequence counter associated to the group key. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2017-07-12 16:03:24 +02:00
}
Extend protection of GTK/IGTK reinstallation of WNM-Sleep Mode cases This extends the protection to track last configured GTK/IGTK value separately from EAPOL-Key frames and WNM-Sleep Mode frames to cover a corner case where these two different mechanisms may get used when the GTK/IGTK has changed and tracking a single value is not sufficient to detect a possible key reconfiguration. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-10-01 11:12:24 +02:00
if (wnm_sleep) {
sm->igtk_wnm_sleep.igtk_len = len;
os_memcpy(sm->igtk_wnm_sleep.igtk, igtk->igtk,
sm->igtk_wnm_sleep.igtk_len);
} else {
sm->igtk.igtk_len = len;
os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len);
}
Prevent reinstallation of an already in-use group key Track the current GTK and IGTK that is in use and when receiving a (possibly retransmitted) Group Message 1 or WNM-Sleep Mode Response, do not install the given key if it is already in use. This prevents an attacker from trying to trick the client into resetting or lowering the sequence counter associated to the group key. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2017-07-12 16:03:24 +02:00
return 0;
}
Configure received BIGTK on station/supplicant side Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-17 23:06:26 +01:00
static int wpa_supplicant_install_bigtk(struct wpa_sm *sm,
const struct wpa_bigtk_kde *bigtk,
int wnm_sleep)
{
size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
u16 keyidx = WPA_GET_LE16(bigtk->keyid);
/* Detect possible key reinstallation */
if ((sm->bigtk.bigtk_len == len &&
os_memcmp(sm->bigtk.bigtk, bigtk->bigtk,
sm->bigtk.bigtk_len) == 0) ||
(sm->bigtk_wnm_sleep.bigtk_len == len &&
os_memcmp(sm->bigtk_wnm_sleep.bigtk, bigtk->bigtk,
sm->bigtk_wnm_sleep.bigtk_len) == 0)) {
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
"WPA: Not reinstalling already in-use BIGTK to the driver (keyidx=%d)",
keyidx);
return 0;
}
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
"WPA: BIGTK keyid %d pn " COMPACT_MACSTR,
keyidx, MAC2STR(bigtk->pn));
wpa_hexdump_key(MSG_DEBUG, "WPA: BIGTK", bigtk->bigtk, len);
if (keyidx < 6 || keyidx > 7) {
wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
"WPA: Invalid BIGTK KeyID %d", keyidx);
return -1;
}
if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
broadcast_ether_addr,
keyidx, 0, bigtk->pn, sizeof(bigtk->pn),
bigtk->bigtk, len, KEY_FLAG_GROUP_RX) < 0) {
wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
"WPA: Failed to configure BIGTK to the driver");
return -1;
}
if (wnm_sleep) {
sm->bigtk_wnm_sleep.bigtk_len = len;
os_memcpy(sm->bigtk_wnm_sleep.bigtk, bigtk->bigtk,
sm->bigtk_wnm_sleep.bigtk_len);
} else {
sm->bigtk.bigtk_len = len;
os_memcpy(sm->bigtk.bigtk, bigtk->bigtk, sm->bigtk.bigtk_len);
}
return 0;
}
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
static int ieee80211w_set_keys(struct wpa_sm *sm,
struct wpa_eapol_ie_parse *ie)
{
Configure received BIGTK on station/supplicant side Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-17 23:06:26 +01:00
size_t len;
common: Allow WPA_CIPHER_GTK_NOT_USED as a valid group management cipher PASN authentication requires that group management cipher suite would be set to 00-0F-AC:7 in the RSNE, so consider it as a valid group management cipher and adjust the code accordingly. Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2020-12-16 12:00:16 +01:00
if (!wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher) ||
sm->mgmt_group_cipher == WPA_CIPHER_GTK_NOT_USED)
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
return 0;
if (ie->igtk) {
const struct wpa_igtk_kde *igtk;
Prevent reinstallation of an already in-use group key Track the current GTK and IGTK that is in use and when receiving a (possibly retransmitted) Group Message 1 or WNM-Sleep Mode Response, do not install the given key if it is already in use. This prevents an attacker from trying to trick the client into resetting or lowering the sequence counter associated to the group key. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2017-07-12 16:03:24 +02:00
Allow management group cipher to be configured This allows hostapd to set a different management group cipher than the previously hardcoded default BIP (AES-128-CMAC). The new configuration file parameter group_mgmt_cipher can be set to BIP-GMAC-128, BIP-GMAC-256, or BIP-CMAC-256 to select one of the ciphers defined in IEEE Std 802.11ac-2013. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-12 19:26:37 +01:00
len = wpa_cipher_key_len(sm->mgmt_group_cipher);
if (ie->igtk_len != WPA_IGTK_KDE_PREFIX_LEN + len)
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
return -1;
Prevent reinstallation of an already in-use group key Track the current GTK and IGTK that is in use and when receiving a (possibly retransmitted) Group Message 1 or WNM-Sleep Mode Response, do not install the given key if it is already in use. This prevents an attacker from trying to trick the client into resetting or lowering the sequence counter associated to the group key. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2017-07-12 16:03:24 +02:00
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
igtk = (const struct wpa_igtk_kde *) ie->igtk;
Extend protection of GTK/IGTK reinstallation of WNM-Sleep Mode cases This extends the protection to track last configured GTK/IGTK value separately from EAPOL-Key frames and WNM-Sleep Mode frames to cover a corner case where these two different mechanisms may get used when the GTK/IGTK has changed and tracking a single value is not sufficient to detect a possible key reconfiguration. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-10-01 11:12:24 +02:00
if (wpa_supplicant_install_igtk(sm, igtk, 0) < 0)
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
return -1;
}
Configure received BIGTK on station/supplicant side Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-17 23:06:26 +01:00
if (ie->bigtk && sm->beacon_prot) {
const struct wpa_bigtk_kde *bigtk;
len = wpa_cipher_key_len(sm->mgmt_group_cipher);
if (ie->bigtk_len != WPA_BIGTK_KDE_PREFIX_LEN + len)
return -1;
bigtk = (const struct wpa_bigtk_kde *) ie->bigtk;
if (wpa_supplicant_install_bigtk(sm, bigtk, 0) < 0)
return -1;
}
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
return 0;
}
static void wpa_report_ie_mismatch(struct wpa_sm *sm,
const char *reason, const u8 *src_addr,
const u8 *wpa_ie, size_t wpa_ie_len,
const u8 *rsn_ie, size_t rsn_ie_len)
{
Added a separate ctx pointer for wpa_msg() calls in WPA supp This is needed to allow IBSS RSN to use per-peer context while maintaining support for wpa_msg() calls to get *wpa_s as the pointer.
2009-01-17 16:54:40 +01:00
wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: %s (src=" MACSTR ")",
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
reason, MAC2STR(src_addr));
if (sm->ap_wpa_ie) {
wpa_hexdump(MSG_INFO, "WPA: WPA IE in Beacon/ProbeResp",
sm->ap_wpa_ie, sm->ap_wpa_ie_len);
}
if (wpa_ie) {
if (!sm->ap_wpa_ie) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
"WPA: No WPA IE in Beacon/ProbeResp");
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
}
wpa_hexdump(MSG_INFO, "WPA: WPA IE in 3/4 msg",
wpa_ie, wpa_ie_len);
}
if (sm->ap_rsn_ie) {
wpa_hexdump(MSG_INFO, "WPA: RSN IE in Beacon/ProbeResp",
sm->ap_rsn_ie, sm->ap_rsn_ie_len);
}
if (rsn_ie) {
if (!sm->ap_rsn_ie) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
"WPA: No RSN IE in Beacon/ProbeResp");
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
}
wpa_hexdump(MSG_INFO, "WPA: RSN IE in 3/4 msg",
rsn_ie, rsn_ie_len);
}
Use deauthentication instead of disassociation on RSN element mismatch Even though the standard currently describes disassociation to be used for RSN element mismatch between Beacon/Probe Response frames and EAPOL-Key msg 3/4, this is unnecessary difference from other cases that deauthenticate. In addition, there is no point in leaving the 802.11 Authentication in place in this case. To keep things simpler, use deauthentication here to get rid of the only use of wpa_sm_disassociate(). Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-11-05 16:01:07 +01:00
wpa_sm_deauthenticate(sm, WLAN_REASON_IE_IN_4WAY_DIFFERS);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
}
Split EAPOL-Key msg 3/4 Key Data validation into helper functions
2010-04-10 20:55:29 +02:00
#ifdef CONFIG_IEEE80211R
static int ft_validate_mdie(struct wpa_sm *sm,
const unsigned char *src_addr,
FT: Verify that MDIE and FTIE matches between AssocResp and EAPOL-Key 3/4
2010-04-10 21:06:13 +02:00
struct wpa_eapol_ie_parse *ie,
const u8 *assoc_resp_mdie)
Split EAPOL-Key msg 3/4 Key Data validation into helper functions
2010-04-10 20:55:29 +02:00
{
struct rsn_mdie *mdie;
mdie = (struct rsn_mdie *) (ie->mdie + 2);
if (ie->mdie == NULL || ie->mdie_len < 2 + sizeof(*mdie) ||
os_memcmp(mdie->mobility_domain, sm->mobility_domain,
MOBILITY_DOMAIN_ID_LEN) != 0) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: MDIE in msg 3/4 did "
"not match with the current mobility domain");
Split EAPOL-Key msg 3/4 Key Data validation into helper functions
2010-04-10 20:55:29 +02:00
return -1;
}
FT: Verify that MDIE and FTIE matches between AssocResp and EAPOL-Key 3/4
2010-04-10 21:06:13 +02:00
if (assoc_resp_mdie &&
(assoc_resp_mdie[1] != ie->mdie[1] ||
os_memcmp(assoc_resp_mdie, ie->mdie, 2 + ie->mdie[1]) != 0)) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: MDIE mismatch");
FT: Verify that MDIE and FTIE matches between AssocResp and EAPOL-Key 3/4
2010-04-10 21:06:13 +02:00
wpa_hexdump(MSG_DEBUG, "FT: MDIE in EAPOL-Key msg 3/4",
ie->mdie, 2 + ie->mdie[1]);
wpa_hexdump(MSG_DEBUG, "FT: MDIE in (Re)Association Response",
assoc_resp_mdie, 2 + assoc_resp_mdie[1]);
return -1;
}
return 0;
}
static int ft_validate_ftie(struct wpa_sm *sm,
const unsigned char *src_addr,
struct wpa_eapol_ie_parse *ie,
const u8 *assoc_resp_ftie)
{
if (ie->ftie == NULL) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
"FT: No FTIE in EAPOL-Key msg 3/4");
FT: Verify that MDIE and FTIE matches between AssocResp and EAPOL-Key 3/4
2010-04-10 21:06:13 +02:00
return -1;
}
if (assoc_resp_ftie == NULL)
return 0;
if (assoc_resp_ftie[1] != ie->ftie[1] ||
os_memcmp(assoc_resp_ftie, ie->ftie, 2 + ie->ftie[1]) != 0) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: FTIE mismatch");
FT: Verify that MDIE and FTIE matches between AssocResp and EAPOL-Key 3/4
2010-04-10 21:06:13 +02:00
wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 3/4",
ie->ftie, 2 + ie->ftie[1]);
wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)Association Response",
assoc_resp_ftie, 2 + assoc_resp_ftie[1]);
return -1;
}
Split EAPOL-Key msg 3/4 Key Data validation into helper functions
2010-04-10 20:55:29 +02:00
return 0;
}
static int ft_validate_rsnie(struct wpa_sm *sm,
const unsigned char *src_addr,
struct wpa_eapol_ie_parse *ie)
{
struct wpa_ie_data rsn;
if (!ie->rsn_ie)
return 0;
/*
* Verify that PMKR1Name from EAPOL-Key message 3/4
* matches with the value we derived.
*/
if (wpa_parse_wpa_ie_rsn(ie->rsn_ie, ie->rsn_ie_len, &rsn) < 0 ||
rsn.num_pmkid != 1 || rsn.pmkid == NULL) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: No PMKR1Name in "
"FT 4-way handshake message 3/4");
Split EAPOL-Key msg 3/4 Key Data validation into helper functions
2010-04-10 20:55:29 +02:00
return -1;
}
RSN supplicant: Use os_memcmp_const() for hash/password comparisons This makes the implementation less likely to provide useful timing information to potential attackers from comparisons of information received from a remote device and private material known only by the authorized devices. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-29 19:15:07 +02:00
if (os_memcmp_const(rsn.pmkid, sm->pmk_r1_name, WPA_PMK_NAME_LEN) != 0)
{
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
"FT: PMKR1Name mismatch in "
"FT 4-way handshake message 3/4");
Split EAPOL-Key msg 3/4 Key Data validation into helper functions
2010-04-10 20:55:29 +02:00
wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Authenticator",
rsn.pmkid, WPA_PMK_NAME_LEN);
wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name",
sm->pmk_r1_name, WPA_PMK_NAME_LEN);
return -1;
}
return 0;
}
static int wpa_supplicant_validate_ie_ft(struct wpa_sm *sm,
const unsigned char *src_addr,
struct wpa_eapol_ie_parse *ie)
{
FT: Verify that MDIE and FTIE matches between AssocResp and EAPOL-Key 3/4
2010-04-10 21:06:13 +02:00
const u8 *pos, *end, *mdie = NULL, *ftie = NULL;
if (sm->assoc_resp_ies) {
pos = sm->assoc_resp_ies;
end = pos + sm->assoc_resp_ies_len;
RSN: Avoid undefined behavior in pointer arithmetic Reorder terms in a way that no invalid pointers are generated with pos+len operations. end-pos is always defined (with a valid pos pointer) while pos+len could end up pointing beyond the end pointer which would be undefined behavior. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-18 16:16:39 +02:00
while (end - pos > 2) {
if (2 + pos[1] > end - pos)
FT: Verify that MDIE and FTIE matches between AssocResp and EAPOL-Key 3/4
2010-04-10 21:06:13 +02:00
break;
switch (*pos) {
case WLAN_EID_MOBILITY_DOMAIN:
mdie = pos;
break;
case WLAN_EID_FAST_BSS_TRANSITION:
ftie = pos;
break;
}
pos += 2 + pos[1];
}
}
if (ft_validate_mdie(sm, src_addr, ie, mdie) < 0 ||
ft_validate_ftie(sm, src_addr, ie, ftie) < 0 ||
Split EAPOL-Key msg 3/4 Key Data validation into helper functions
2010-04-10 20:55:29 +02:00
ft_validate_rsnie(sm, src_addr, ie) < 0)
return -1;
return 0;
}
#endif /* CONFIG_IEEE80211R */
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
static int wpa_supplicant_validate_ie(struct wpa_sm *sm,
const unsigned char *src_addr,
struct wpa_eapol_ie_parse *ie)
{
if (sm->ap_wpa_ie == NULL && sm->ap_rsn_ie == NULL) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
"WPA: No WPA/RSN IE for this AP known. "
"Trying to get from scan results");
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
if (wpa_sm_get_beacon_ie(sm) < 0) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
"WPA: Could not find AP from "
"the scan results");
RSN: Stop 4-way handshake if scan results are not available While there may have initially been cases where the RSNE from Beacon/Probe Response frames was not available from some drivers, it is now more valuable to notice if such a case were to be hit with drivers that are always expected to have such information available. As such, make it a fatal error if the scan results for the current AP are not available to check the RSNE/RSNXE in EAPOL-Key msg 3/4. Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-08 12:11:50 +01:00
return -1;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
}
RSN: Stop 4-way handshake if scan results are not available While there may have initially been cases where the RSNE from Beacon/Probe Response frames was not available from some drivers, it is now more valuable to notice if such a case were to be hit with drivers that are always expected to have such information available. As such, make it a fatal error if the scan results for the current AP are not available to check the RSNE/RSNXE in EAPOL-Key msg 3/4. Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-08 12:11:50 +01:00
wpa_msg(sm->ctx->msg_ctx, MSG_DEBUG,
"WPA: Found the current AP from updated scan results");
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
}
if (ie->wpa_ie == NULL && ie->rsn_ie == NULL &&
(sm->ap_wpa_ie || sm->ap_rsn_ie)) {
wpa_report_ie_mismatch(sm, "IE in 3/4 msg does not match "
"with IE in Beacon/ProbeResp (no IE?)",
src_addr, ie->wpa_ie, ie->wpa_ie_len,
ie->rsn_ie, ie->rsn_ie_len);
return -1;
}
if ((ie->wpa_ie && sm->ap_wpa_ie &&
(ie->wpa_ie_len != sm->ap_wpa_ie_len ||
os_memcmp(ie->wpa_ie, sm->ap_wpa_ie, ie->wpa_ie_len) != 0)) ||
(ie->rsn_ie && sm->ap_rsn_ie &&
FT: Fix FT 4-Way Handshake to include PMKR1Name in messages 2 and 3 IEEE Std 802.11r-2008, 11A.4.2 describes FT initial mobility domain association in an RSN to include PMKR1Name in the PMKID-List field in RSN IE in messages 2/4 and 3/4. This makes the RSN IE not be bitwise identical with the values used in Beacon, Probe Response, (Re)association Request frames. The previous versions of wpa_supplicant and hostapd did not add the PMKR1Name value in EAPOL-Key frame and did not accept it if added (due to bitwise comparison of RSN IEs). This commit fixes the implementation to be compliant with the standard by adding the PMKR1Name value into EAPOL-Key messages during FT 4-Way Handshake and by verifying that the received value matches with the value derived locally. This breaks interoperability with previous wpa_supplicant/hostapd versions.
2010-04-07 20:04:13 +02:00
wpa_compare_rsn_ie(wpa_key_mgmt_ft(sm->key_mgmt),
sm->ap_rsn_ie, sm->ap_rsn_ie_len,
ie->rsn_ie, ie->rsn_ie_len))) {
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
wpa_report_ie_mismatch(sm, "IE in 3/4 msg does not match "
"with IE in Beacon/ProbeResp",
src_addr, ie->wpa_ie, ie->wpa_ie_len,
ie->rsn_ie, ie->rsn_ie_len);
return -1;
}
if (sm->proto == WPA_PROTO_WPA &&
ie->rsn_ie && sm->ap_rsn_ie == NULL && sm->rsn_enabled) {
wpa_report_ie_mismatch(sm, "Possible downgrade attack "
"detected - RSN was enabled and RSN IE "
"was in msg 3/4, but not in "
"Beacon/ProbeResp",
src_addr, ie->wpa_ie, ie->wpa_ie_len,
ie->rsn_ie, ie->rsn_ie_len);
return -1;
}
RSN: Validate RSNXE match in EAPOL-Key msg 3/4 only when RSN is used This is needed to avoid the corner case of local RSNXE aware station being configured to behave as WPA(v1)-only STA when the AP might not include RSNXE in EAPOL-Key msg 3/4. Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-06 10:19:55 +01:00
if (sm->proto == WPA_PROTO_RSN &&
((sm->ap_rsnxe && !ie->rsnxe) ||
(!sm->ap_rsnxe && ie->rsnxe) ||
(sm->ap_rsnxe && ie->rsnxe &&
(sm->ap_rsnxe_len != ie->rsnxe_len ||
os_memcmp(sm->ap_rsnxe, ie->rsnxe, sm->ap_rsnxe_len) != 0)))) {
RSN: Verify RSNXE match between Beacon/ProbeResp and EAPOL-Key msg 3/4 If the AP advertises RSN Extension element, it has to be advertised consistently in the unprotected (Beacon and Probe Response) and protected (EAPOL-Key msg 3/4) frames. Verify that this is the case. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-09-06 13:51:31 +02:00
wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
"WPA: RSNXE mismatch between Beacon/ProbeResp and EAPOL-Key msg 3/4");
Report RSNXE mismatch in EAPOL-Key msg 3/4 more consistently with RSNE Use the same reason code to indicate that IE different in 4-way handshake and also print a hexdump of RSNXE in both Beacon/ProbeResp and EAPOL-Key msg 3/4 in the log. Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-07 16:05:01 +01:00
wpa_hexdump(MSG_INFO, "RSNXE in Beacon/ProbeResp",
sm->ap_rsnxe, sm->ap_rsnxe_len);
wpa_hexdump(MSG_INFO, "RSNXE in EAPOL-Key msg 3/4",
ie->rsnxe, ie->rsnxe_len);
wpa_sm_deauthenticate(sm, WLAN_REASON_IE_IN_4WAY_DIFFERS);
RSN: Verify RSNXE match between Beacon/ProbeResp and EAPOL-Key msg 3/4 If the AP advertises RSN Extension element, it has to be advertised consistently in the unprotected (Beacon and Probe Response) and protected (EAPOL-Key msg 3/4) frames. Verify that this is the case. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-09-06 13:51:31 +02:00
return -1;
}
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
#ifdef CONFIG_IEEE80211R
Split EAPOL-Key msg 3/4 Key Data validation into helper functions
2010-04-10 20:55:29 +02:00
if (wpa_key_mgmt_ft(sm->key_mgmt) &&
wpa_supplicant_validate_ie_ft(sm, src_addr, ie) < 0)
return -1;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
#endif /* CONFIG_IEEE80211R */
return 0;
}
/**
* wpa_supplicant_send_4_of_4 - Send message 4 of WPA/RSN 4-Way Handshake
* @sm: Pointer to WPA state machine data from wpa_sm_init()
* @dst: Destination address for the frame
* @key: Pointer to the EAPOL-Key frame header
* @ver: Version bits from EAPOL-Key Key Info
* @key_info: Key Info
* @ptk: PTK to use for keyed hash and encryption
RSN: Check result of EAPOL-Key frame send request Provide information on whether EAPOL-Key frame was sent successfully to kernel for transmittion. wpa_eapol_key_send() will return >= 0 on success and < 0 on failure. After receiving EAPOL-Key msg 3/4, wpa_supplicant sends EAPOL-Key msg 4/4 and shows CTRL-EVENT-CONNECTED only after verifying that the msg 4/4 was sent to kernel for transmission successfully. Signed-off-by: Avichal Agarwal <avichal.a@samsung.com> Signed-off-by: Kyeong-Chae Lim <kcya.lim@samsung.com>
2015-10-27 07:47:15 +01:00
* Returns: >= 0 on success, < 0 on failure
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
*/
int wpa_supplicant_send_4_of_4(struct wpa_sm *sm, const unsigned char *dst,
const struct wpa_eapol_key *key,
u16 ver, u16 key_info,
struct wpa_ptk *ptk)
{
Add Suite B 192-bit AKM WPA-EAP-SUITE-B-192 can now be used to select 192-bit level Suite B into use as the key management method. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-25 22:32:01 +01:00
size_t mic_len, hdrlen, rlen;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
struct wpa_eapol_key *reply;
Add Suite B 192-bit AKM WPA-EAP-SUITE-B-192 can now be used to select 192-bit level Suite B into use as the key management method. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-25 22:32:01 +01:00
u8 *rbuf, *key_mic;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
DPP: Add new AKM This new AKM is used with DPP when using the signed Connector to derive a PMK. Since the KCK, KEK, and MIC lengths are variable within a single AKM, this needs number of additional changes to get the PMK length delivered to places that need to figure out the lengths of the PTK components. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-17 22:48:52 +02:00
mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
Make struct wpa_eapol_key easier to use with variable length MIC Suite B 192-bit addition from IEEE Std 802.11ac-2013 replaced the previous fixed length Key MIC field with a variable length field. That change was addressed with an addition of a new struct defined for the second MIC length. This is not really scalable and with FILS coming up with a zero-length MIC case for AEAD, a more thorough change to support variable length MIC is needed. Remove the Key MIC and Key Data Length fields from the struct wpa_eapol_key and find their location based on the MIC length information (which is determined by the AKMP). This change allows the separate struct wpa_eapol_key_192 to be removed since struct wpa_eapol_key will now include only the fixed length fields that are shared with all EAPOL-Key cases in IEEE Std 802.11. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-02 21:55:03 +02:00
hdrlen = sizeof(*reply) + mic_len + 2;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
Add Suite B 192-bit AKM WPA-EAP-SUITE-B-192 can now be used to select 192-bit level Suite B into use as the key management method. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-25 22:32:01 +01:00
hdrlen, &rlen, (void *) &reply);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
if (rbuf == NULL)
return -1;
HS 2.0R2 AP: Add OSEN implementation Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-07-23 20:25:21 +02:00
reply->type = (sm->proto == WPA_PROTO_RSN ||
sm->proto == WPA_PROTO_OSEN) ?
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
key_info &= WPA_KEY_INFO_SECURE;
FILS: Set EAPOL-Key Key Info MIC=0 when using AEAD cipher (supplicant) Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-02 23:29:54 +02:00
key_info |= ver | WPA_KEY_INFO_KEY_TYPE;
if (mic_len)
key_info |= WPA_KEY_INFO_MIC;
FILS: Use AEAD cipher to protect EAPOL-Key frames (STA) This modifies wpa_eapol_key_send() to use AEAD cipher (AES-SIV for FILS AKMs) to provide both integrity protection for the EAPOL-Key frame and encryption for the Key Data field. It should be noted that this starts encrypting the Key Data field in EAPOL-Key message 2/4 while it remains unencrypted (but integrity protected) in non-FILS cases. Similarly, the empty Key Data field in EAPOL-Key message 4/4 gets encrypted for AEAD cases. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-03 11:34:23 +02:00
else
key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
WPA_PUT_BE16(reply->key_info, key_info);
HS 2.0R2 AP: Add OSEN implementation Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-07-23 20:25:21 +02:00
if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN)
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
WPA_PUT_BE16(reply->key_length, 0);
else
os_memcpy(reply->key_length, key->key_length, 2);
os_memcpy(reply->replay_counter, key->replay_counter,
WPA_REPLAY_COUNTER_LEN);
Make struct wpa_eapol_key easier to use with variable length MIC Suite B 192-bit addition from IEEE Std 802.11ac-2013 replaced the previous fixed length Key MIC field with a variable length field. That change was addressed with an addition of a new struct defined for the second MIC length. This is not really scalable and with FILS coming up with a zero-length MIC case for AEAD, a more thorough change to support variable length MIC is needed. Remove the Key MIC and Key Data Length fields from the struct wpa_eapol_key and find their location based on the MIC length information (which is determined by the AKMP). This change allows the separate struct wpa_eapol_key_192 to be removed since struct wpa_eapol_key will now include only the fixed length fields that are shared with all EAPOL-Key cases in IEEE Std 802.11. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-02 21:55:03 +02:00
key_mic = (u8 *) (reply + 1);
WPA_PUT_BE16(key_mic + mic_len, 0);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Sending EAPOL-Key 4/4");
RSN: Pass full PTK to wpa_eapol_key_send() instead of KCK only This will be needed to be able to implement AEAD cipher support from FILS that will need to use KEK to protect the frame. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-03 11:31:55 +02:00
return wpa_eapol_key_send(sm, ptk, ver, dst, ETH_P_EAPOL, rbuf, rlen,
key_mic);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
}
static void wpa_supplicant_process_3_of_4(struct wpa_sm *sm,
const struct wpa_eapol_key *key,
Clean up EAPOL-Key Key Data processing Use a single location in wpa_sm_rx_eapol() for preparing the pointer to the Key Data field and to its validated length instead of fetching that information in number of processing functions separately. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-14 18:02:46 +02:00
u16 ver, const u8 *key_data,
size_t key_data_len)
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
{
Clean up EAPOL-Key Key Data processing Use a single location in wpa_sm_rx_eapol() for preparing the pointer to the Key Data field and to its validated length instead of fetching that information in number of processing functions separately. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-14 18:02:46 +02:00
u16 key_info, keylen;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
struct wpa_eapol_ie_parse ie;
wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE);
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: RX message 3 of 4-Way "
"Handshake from " MACSTR " (ver=%d)", MAC2STR(sm->bssid), ver);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
key_info = WPA_GET_BE16(key->key_info);
Clean up EAPOL-Key Key Data processing Use a single location in wpa_sm_rx_eapol() for preparing the pointer to the Key Data field and to its validated length instead of fetching that information in number of processing functions separately. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-14 18:02:46 +02:00
wpa_hexdump(MSG_DEBUG, "WPA: IE KeyData", key_data, key_data_len);
if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0)
Check wpa_supplicant_parse_ies() return value more consistently Reject messages that fail to be parsed instead of trying to use partially parsed information. Signed-hostap: Jouni Malinen <j@w1.fi>
2011-12-04 15:40:06 +01:00
goto failed;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
if (ie.gtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
"WPA: GTK IE in unencrypted key data");
Disconnect if 4-way handshake processing fails There is no point in trying to continue if a 4-way handshake frame is discarded or if PTK/GTK/IGTK configuration fails. Force the client to disconnect in such a case to avoid confusing user by claiming the connection was successfully completed.
2009-04-20 10:35:21 +02:00
goto failed;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
}
if (ie.igtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
"WPA: IGTK KDE in unencrypted key data");
Disconnect if 4-way handshake processing fails There is no point in trying to continue if a 4-way handshake frame is discarded or if PTK/GTK/IGTK configuration fails. Force the client to disconnect in such a case to avoid confusing user by claiming the connection was successfully completed.
2009-04-20 10:35:21 +02:00
goto failed;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
}
Allow management group cipher to be configured This allows hostapd to set a different management group cipher than the previously hardcoded default BIP (AES-128-CMAC). The new configuration file parameter group_mgmt_cipher can be set to BIP-GMAC-128, BIP-GMAC-256, or BIP-CMAC-256 to select one of the ciphers defined in IEEE Std 802.11ac-2013. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-12 19:26:37 +01:00
if (ie.igtk &&
common: Allow WPA_CIPHER_GTK_NOT_USED as a valid group management cipher PASN authentication requires that group management cipher suite would be set to 00-0F-AC:7 in the RSNE, so consider it as a valid group management cipher and adjust the code accordingly. Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2020-12-16 12:00:16 +01:00
sm->mgmt_group_cipher != WPA_CIPHER_GTK_NOT_USED &&
Allow management group cipher to be configured This allows hostapd to set a different management group cipher than the previously hardcoded default BIP (AES-128-CMAC). The new configuration file parameter group_mgmt_cipher can be set to BIP-GMAC-128, BIP-GMAC-256, or BIP-CMAC-256 to select one of the ciphers defined in IEEE Std 802.11ac-2013. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-12 19:26:37 +01:00
wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher) &&
ie.igtk_len != WPA_IGTK_KDE_PREFIX_LEN +
(unsigned int) wpa_cipher_key_len(sm->mgmt_group_cipher)) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
"WPA: Invalid IGTK KDE length %lu",
(unsigned long) ie.igtk_len);
Disconnect if 4-way handshake processing fails There is no point in trying to continue if a 4-way handshake frame is discarded or if PTK/GTK/IGTK configuration fails. Force the client to disconnect in such a case to avoid confusing user by claiming the connection was successfully completed.
2009-04-20 10:35:21 +02:00
goto failed;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
}
if (wpa_supplicant_validate_ie(sm, sm->bssid, &ie) < 0)
Disconnect if 4-way handshake processing fails There is no point in trying to continue if a 4-way handshake frame is discarded or if PTK/GTK/IGTK configuration fails. Force the client to disconnect in such a case to avoid confusing user by claiming the connection was successfully completed.
2009-04-20 10:35:21 +02:00
goto failed;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
STA: Support Extended Key ID Support Extended Key ID in wpa_supplicant according to IEEE Std 802.11-2016 for infrastructure (AP) associations. Extended Key ID allows to rekey pairwise keys without the otherwise unavoidable MPDU losses on a busy link. The standard is fully backward compatible, allowing STAs to also connect to APs not supporting it. Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-20 20:04:32 +01:00
if (wpa_handle_ext_key_id(sm, &ie))
goto failed;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
if (os_memcmp(sm->anonce, key->key_nonce, WPA_NONCE_LEN) != 0) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
"WPA: ANonce from message 1 of 4-Way Handshake "
"differs from 3 of 4-Way Handshake - drop packet (src="
MACSTR ")", MAC2STR(sm->bssid));
Disconnect if 4-way handshake processing fails There is no point in trying to continue if a 4-way handshake frame is discarded or if PTK/GTK/IGTK configuration fails. Force the client to disconnect in such a case to avoid confusing user by claiming the connection was successfully completed.
2009-04-20 10:35:21 +02:00
goto failed;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
}
keylen = WPA_GET_BE16(key->key_length);
Move WPA cipher information into a shared location Try to share most of the cipher information like key and RSC lengths and suite selector conversions, etc. in wpa_common.c to avoid having similar code throughout the WPA implementation for handling cipher specific behavior. Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-30 10:53:54 +02:00
if (keylen != wpa_cipher_key_len(sm->pairwise_cipher)) {
wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
"WPA: Invalid %s key length %d (src=" MACSTR
")", wpa_cipher_txt(sm->pairwise_cipher), keylen,
MAC2STR(sm->bssid));
goto failed;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
}
P2P: Add support for IP address assignment in 4-way handshake This new mechanism allows P2P Client to request an IPv4 address from the GO as part of the 4-way handshake to avoid use of DHCP exchange after 4-way handshake. If the new mechanism is used, the assigned IP address is shown in the P2P-GROUP-STARTED event on the client side with following new parameters: ip_addr, ip_mask, go_ip_addr. The assigned IP address is included in the AP-STA-CONNECTED event on the GO side as a new ip_addr parameter. The IP address is valid for the duration of the association. The IP address pool for this new mechanism is configured as global wpa_supplicant configuration file parameters ip_addr_go, ip_addr_mask, ip_addr_star, ip_addr_end. For example: ip_addr_go=192.168.42.1 ip_addr_mask=255.255.255.0 ip_addr_start=192.168.42.2 ip_addr_end=192.168.42.100 DHCP mechanism is expected to be enabled at the same time to support P2P Devices that do not use the new mechanism. The easiest way of managing the IP addresses is by splitting the IP address range into two parts and assign a separate range for wpa_supplicant and DHCP server. Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-03-16 18:13:31 +01:00
#ifdef CONFIG_P2P
if (ie.ip_addr_alloc) {
os_memcpy(sm->p2p_ip_addr, ie.ip_addr_alloc, 3 * 4);
wpa_hexdump(MSG_DEBUG, "P2P: IP address info",
sm->p2p_ip_addr, sizeof(sm->p2p_ip_addr));
}
#endif /* CONFIG_P2P */
OCV: Verify OCI in 4-way and group key handshake Verify the received OCI element in the 4-way and group key handshakes. If verification fails, the handshake message is silently dropped. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-08-06 21:46:31 +02:00
#ifdef CONFIG_OCV
if (wpa_sm_ocv_enabled(sm)) {
struct wpa_channel_info ci;
if (wpa_sm_channel_info(sm, &ci) != 0) {
wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
"Failed to get channel info to validate received OCI in EAPOL-Key 3/4");
return;
}
if (ocv_verify_tx_params(ie.oci, ie.oci_len, &ci,
channel_width_to_int(ci.chanwidth),
OCV: Use more granular error codes for OCI validation failures Enhance the return values of ocv_verify_tx_params with enum to indicate different OCI verification failures to caller. Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2020-09-02 20:55:28 +02:00
ci.seg1_idx) != OCI_SUCCESS) {
OCV: Report OCI validation failures with OCV-FAILURE messages (STA) Convert the previously used text log entries to use the more formal OCV-FAILURE prefix and always send these as control interface events to allow upper layers to get information about unexpected operating channel mismatches. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-29 23:24:15 +02:00
wpa_msg(sm->ctx->msg_ctx, MSG_INFO, OCV_FAILURE
"addr=" MACSTR " frame=eapol-key-m3 error=%s",
MAC2STR(sm->bssid), ocv_errorstr);
OCV: Verify OCI in 4-way and group key handshake Verify the received OCI element in the 4-way and group key handshakes. If verification fails, the handshake message is silently dropped. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-08-06 21:46:31 +02:00
return;
}
}
#endif /* CONFIG_OCV */
DPP2: Detect PFS downgrade attack while processing EAPOL-Key msg 3/4 Do not allow association to continue if the local configuration enables PFS and the station indicates it supports PFS, but PFS was not negotiated for the association. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-01 19:06:57 +02:00
#ifdef CONFIG_DPP2
DPP: Allow version number to be overridden for testing purposes "SET dpp_version_override <ver>" can now be used to request wpa_supplicant and hostapd to support a subset of DPP versions. In practice, the only valid case for now is to fall back from DPP version 2 support to version 1 in builds that include CONFIG_DPP2=y. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-01 20:07:42 +02:00
if (DPP_VERSION > 1 && ie.dpp_kde) {
DPP2: Detect PFS downgrade attack while processing EAPOL-Key msg 3/4 Do not allow association to continue if the local configuration enables PFS and the station indicates it supports PFS, but PFS was not negotiated for the association. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-01 19:06:57 +02:00
wpa_printf(MSG_DEBUG,
"DPP: peer Protocol Version %u Flags 0x%x",
ie.dpp_kde[0], ie.dpp_kde[1]);
if (sm->key_mgmt == WPA_KEY_MGMT_DPP && sm->dpp_pfs != 2 &&
(ie.dpp_kde[1] & DPP_KDE_PFS_ALLOWED) && !sm->dpp_z) {
wpa_printf(MSG_INFO,
"DPP: Peer indicated it supports PFS and local configuration allows this, but PFS was not negotiated for the association");
goto failed;
}
}
#endif /* CONFIG_DPP2 */
STA: Support Extended Key ID Support Extended Key ID in wpa_supplicant according to IEEE Std 802.11-2016 for infrastructure (AP) associations. Extended Key ID allows to rekey pairwise keys without the otherwise unavoidable MPDU losses on a busy link. The standard is fully backward compatible, allowing STAs to also connect to APs not supporting it. Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-20 20:04:32 +01:00
if (sm->use_ext_key_id &&
wpa_supplicant_install_ptk(sm, key, KEY_FLAG_RX))
goto failed;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
if (wpa_supplicant_send_4_of_4(sm, sm->bssid, key, ver, key_info,
RSN: Check result of EAPOL-Key frame send request Provide information on whether EAPOL-Key frame was sent successfully to kernel for transmittion. wpa_eapol_key_send() will return >= 0 on success and < 0 on failure. After receiving EAPOL-Key msg 3/4, wpa_supplicant sends EAPOL-Key msg 4/4 and shows CTRL-EVENT-CONNECTED only after verifying that the msg 4/4 was sent to kernel for transmission successfully. Signed-off-by: Avichal Agarwal <avichal.a@samsung.com> Signed-off-by: Kyeong-Chae Lim <kcya.lim@samsung.com>
2015-10-27 07:47:15 +01:00
&sm->ptk) < 0) {
Disconnect if 4-way handshake processing fails There is no point in trying to continue if a 4-way handshake frame is discarded or if PTK/GTK/IGTK configuration fails. Force the client to disconnect in such a case to avoid confusing user by claiming the connection was successfully completed.
2009-04-20 10:35:21 +02:00
goto failed;
}
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
/* SNonce was successfully used in msg 3/4, so mark it to be renewed
* for the next 4-Way Handshake. If msg 3 is received again, the old
* SNonce will still be used to avoid changing PTK. */
sm->renew_snonce = 1;
if (key_info & WPA_KEY_INFO_INSTALL) {
STA: Support Extended Key ID Support Extended Key ID in wpa_supplicant according to IEEE Std 802.11-2016 for infrastructure (AP) associations. Extended Key ID allows to rekey pairwise keys without the otherwise unavoidable MPDU losses on a busy link. The standard is fully backward compatible, allowing STAs to also connect to APs not supporting it. Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-20 20:04:32 +01:00
int res;
if (sm->use_ext_key_id)
res = wpa_supplicant_activate_ptk(sm);
else
res = wpa_supplicant_install_ptk(sm, key,
KEY_FLAG_RX_TX);
if (res)
Disconnect if 4-way handshake processing fails There is no point in trying to continue if a 4-way handshake frame is discarded or if PTK/GTK/IGTK configuration fails. Force the client to disconnect in such a case to avoid confusing user by claiming the connection was successfully completed.
2009-04-20 10:35:21 +02:00
goto failed;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
}
if (key_info & WPA_KEY_INFO_SECURE) {
wpa_sm_mlme_setprotection(
sm, sm->bssid, MLME_SETPROTECTION_PROTECT_TYPE_RX,
MLME_SETPROTECTION_KEY_TYPE_PAIRWISE);
RSN supp: Convert Boolean to C99 bool Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-24 00:04:24 +02:00
eapol_sm_notify_portValid(sm->eapol, true);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
}
wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE);
Initial handling of GTK-not-used cipher suite This prepares wpa_supplicant for accepting cases where the AP does not use group addressed frames. Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-07-23 20:24:05 +02:00
if (sm->group_cipher == WPA_CIPHER_GTK_NOT_USED) {
RSN: Report completion only after IGTK configuration Previously wpa_supplicant_key_neg_complete() was called before the attempt to configure the IGTK received from the authenticator. This could resulted in somewhat surprising sequence of events if IGTK configuration failed since completion event would be followed by immediate disconnection event. Reorder these operations so that completion is reported only if GTK and IGTK are configurated successfully. Furthermore, check for missing GTK KDE in case of RSN and handle that with an explicit disconnection instead of waiting for the AP to deliver the GTK later. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-16 10:51:43 +02:00
/* No GTK to be set to the driver */
} else if (!ie.gtk && sm->proto == WPA_PROTO_RSN) {
wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
"RSN: No GTK KDE included in EAPOL-Key msg 3/4");
goto failed;
Initial handling of GTK-not-used cipher suite This prepares wpa_supplicant for accepting cases where the AP does not use group addressed frames. Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-07-23 20:24:05 +02:00
} else if (ie.gtk &&
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
wpa_supplicant_pairwise_gtk(sm, key,
ie.gtk, ie.gtk_len, key_info) < 0) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
"RSN: Failed to configure GTK");
Disconnect if 4-way handshake processing fails There is no point in trying to continue if a 4-way handshake frame is discarded or if PTK/GTK/IGTK configuration fails. Force the client to disconnect in such a case to avoid confusing user by claiming the connection was successfully completed.
2009-04-20 10:35:21 +02:00
goto failed;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
}
Disconnect if 4-way handshake processing fails There is no point in trying to continue if a 4-way handshake frame is discarded or if PTK/GTK/IGTK configuration fails. Force the client to disconnect in such a case to avoid confusing user by claiming the connection was successfully completed.
2009-04-20 10:35:21 +02:00
if (ieee80211w_set_keys(sm, &ie) < 0) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
"RSN: Failed to configure IGTK");
Disconnect if 4-way handshake processing fails There is no point in trying to continue if a 4-way handshake frame is discarded or if PTK/GTK/IGTK configuration fails. Force the client to disconnect in such a case to avoid confusing user by claiming the connection was successfully completed.
2009-04-20 10:35:21 +02:00
goto failed;
}
RSN: Report completion only after IGTK configuration Previously wpa_supplicant_key_neg_complete() was called before the attempt to configure the IGTK received from the authenticator. This could resulted in somewhat surprising sequence of events if IGTK configuration failed since completion event would be followed by immediate disconnection event. Reorder these operations so that completion is reported only if GTK and IGTK are configurated successfully. Furthermore, check for missing GTK KDE in case of RSN and handle that with an explicit disconnection instead of waiting for the AP to deliver the GTK later. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-16 10:51:43 +02:00
if (sm->group_cipher == WPA_CIPHER_GTK_NOT_USED || ie.gtk)
wpa_supplicant_key_neg_complete(sm, sm->bssid,
key_info & WPA_KEY_INFO_SECURE);
Set GTK rekey offload information after initial group key handshake The GTK rekey offload information was sent to the driver immediately after the 4-way handshake which ended up being before the initial group key exchange in the case of WPA (v1). This could result in even that initial GTK handshake being offloaded and wpa_supplicant being left in WPA_GROUP_HANDSHAKE state. Fix this by postponing the operation to happen only after the full set of initial EAPOL-Key exchanges have been completed (i.e., in the existing location for WPA2 and a after the group key handshake for WPA). Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-10-30 10:41:40 +01:00
if (ie.gtk)
wpa_sm_set_rekey_offload(sm);
nl80211: Support GTK rekey offload Add support to wpa_supplicant for device-based GTK rekeying. In order to support that, pass the KEK, KCK, and replay counter to the driver, and handle rekey events that update the latter. Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2011-07-12 20:22:51 +02:00
RSN: Do not replace existing Suite B PMKSA on 4-way handshake PMKID derivation with the Suite B AKMs is a special case compared to other AKMs since that derivation uses KCK instead of PMK as an input. This means that the PMKSA cache entry can be added only after KCK has been derived during 4-way handshake. This also means that PMKID would change every time 4-way handshake is repeated even when maintaining the same PMK (i.e., during PTK rekeying and new associations even if they use PMKSA caching). wpa_supplicant was previously replacing the PMKSA cache entry whenever a new PMKID was derived. This did not match hostapd expectations on the AP side since hostapd did not update the PMKSA cache entry after it was created. Consequently, PMKSA caching could be used only once (assuming no PTK rekeying happened before that). Fix this by making wpa_supplicant behave consistently with hostapd, i.e., by adding the Suite B PMKSA cache entries with the PMKID from the very first 4-way handshake following PMK derivation and then not updating the PMKID. IEEE Std 802.11-2016 is somewhat vague in this area and it seems to allow both cases to be used (initial PMKID or any consecutive PMKID derived from the same PMK). While both cases could be supported that would result in significantly more complex implementation and need to store multiple PMKID values. It looks better to clarify the standard to explicitly note that only the first PMKID derived after PMK derivation is used (i.e., match the existing hostapd implementation). Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-09-27 10:37:19 +02:00
/* Add PMKSA cache entry for Suite B AKMs here since PMKID can be
* calculated only after KCK has been derived. Though, do not replace an
* existing PMKSA entry after each 4-way handshake (i.e., new KCK/PMKID)
* to avoid unnecessary changes of PMKID while continuing to use the
* same PMK. */
if (sm->proto == WPA_PROTO_RSN && wpa_key_mgmt_suite_b(sm->key_mgmt) &&
!sm->cur_pmksa) {
Suite B: PMKID derivation for AKM 00-0F-AC:11 The new AKM uses a different mechanism of deriving the PMKID based on KCK instead of PMK. hostapd was already doing this after the KCK had been derived, but wpa_supplicant functionality needs to be moved from processing of EAPOL-Key frame 1/4 to 3/4 to have the KCK available. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-16 12:22:46 +01:00
struct rsn_pmksa_cache_entry *sa;
SAE: Fix PMKID calculation for PMKSA cache The SAE PMKID is calculated with IEEE Std 802.11-2012 11.3.5.4, but the PMKID was re-calculated with 11.6.1.3 and saved into PMKSA cache. Fix this to save the PMKID calculated with 11.3.5.4 into the PMKSA cache. Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2016-02-15 03:23:37 +01:00
sa = pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len, NULL,
Preparations for variable length KCK and KEK This modifies struct wpa_ptk to allow the length of KCK and KEK to be stored. This is needed to allow longer keys to be used, e.g., with Suite B 192-bit level. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-25 15:49:18 +01:00
sm->ptk.kck, sm->ptk.kck_len,
Suite B: PMKID derivation for AKM 00-0F-AC:11 The new AKM uses a different mechanism of deriving the PMKID based on KCK instead of PMK. hostapd was already doing this after the KCK had been derived, but wpa_supplicant functionality needs to be moved from processing of EAPOL-Key frame 1/4 to 3/4 to have the KCK available. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-16 12:22:46 +01:00
sm->bssid, sm->own_addr,
FILS: Use FILS Cache Identifier to extend PMKSA applicability This allows PMKSA cache entries for FILS-enabled BSSs to be shared within an ESS when the BSSs advertise the same FILS Cache Identifier value. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-21 11:22:19 +01:00
sm->network_ctx, sm->key_mgmt, NULL);
Suite B: PMKID derivation for AKM 00-0F-AC:11 The new AKM uses a different mechanism of deriving the PMKID based on KCK instead of PMK. hostapd was already doing this after the KCK had been derived, but wpa_supplicant functionality needs to be moved from processing of EAPOL-Key frame 1/4 to 3/4 to have the KCK available. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-16 12:22:46 +01:00
if (!sm->cur_pmksa)
sm->cur_pmksa = sa;
}
Process Transition Disable KDE in station mode Check whether the Transition Disable KDE is received from an authenticated AP and if so, whether it contains valid indication for disabling a transition mode. If that is the case, update the local network profile by removing the less secure options. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-25 23:10:16 +01:00
if (ie.transition_disable)
wpa_sm_transition_disable(sm, ie.transition_disable[0]);
Reject Group Key message 1/2 prior to completion of 4-way handshake Previously, it would have been possible to complete RSN connection by skipping the msg 3/4 and 4/4 completely. This would have resulted in pairwise key not being configured. This is obviously not supposed to happen in practice and could result in unexpected behavior, so reject group key message before the initial 4-way handshake has been completed. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-03-07 11:58:19 +01:00
sm->msg_3_of_4_ok = 1;
Disconnect if 4-way handshake processing fails There is no point in trying to continue if a 4-way handshake frame is discarded or if PTK/GTK/IGTK configuration fails. Force the client to disconnect in such a case to avoid confusing user by claiming the connection was successfully completed.
2009-04-20 10:35:21 +02:00
return;
failed:
wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
}
static int wpa_supplicant_process_1_of_2_rsn(struct wpa_sm *sm,
const u8 *keydata,
size_t keydatalen,
u16 key_info,
struct wpa_gtk_data *gd)
{
int maxkeylen;
struct wpa_eapol_ie_parse ie;
Make GTK length validation for RSN Group 1/2 easier to analyze This extends the changes in commit c397eff82894 ("Make GTK length validation easier to analyze") to cover the RSN case as well as the WPA. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-11-03 19:23:48 +01:00
u16 gtk_len;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
Mark RSN msg 1/2 key data debug dump as key material This debug print can include GTK and IGTK, so use wpa_hexdump_key() instead of wpa_hexdump() for it to avoid undesired exposure of keys in debug log. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-17 10:35:35 +01:00
wpa_hexdump_key(MSG_DEBUG, "RSN: msg 1/2 key data",
keydata, keydatalen);
Check wpa_supplicant_parse_ies() return value more consistently Reject messages that fail to be parsed instead of trying to use partially parsed information. Signed-hostap: Jouni Malinen <j@w1.fi>
2011-12-04 15:40:06 +01:00
if (wpa_supplicant_parse_ies(keydata, keydatalen, &ie) < 0)
return -1;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
if (ie.gtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
"WPA: GTK IE in unencrypted key data");
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
return -1;
}
if (ie.gtk == NULL) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
"WPA: No GTK IE in Group Key msg 1/2");
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
return -1;
}
Make GTK length validation for RSN Group 1/2 easier to analyze This extends the changes in commit c397eff82894 ("Make GTK length validation easier to analyze") to cover the RSN case as well as the WPA. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-11-03 19:23:48 +01:00
gtk_len = ie.gtk_len;
if (gtk_len < 2) {
wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
"RSN: Invalid GTK KDE length (%u) in Group Key msg 1/2",
gtk_len);
return -1;
}
gtk_len -= 2;
if (gtk_len > sizeof(gd->gtk)) {
wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
"RSN: Too long GTK in GTK KDE (len=%u)", gtk_len);
return -1;
}
maxkeylen = gd->gtk_len = gtk_len;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
OCV: Verify OCI in 4-way and group key handshake Verify the received OCI element in the 4-way and group key handshakes. If verification fails, the handshake message is silently dropped. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-08-06 21:46:31 +02:00
#ifdef CONFIG_OCV
if (wpa_sm_ocv_enabled(sm)) {
struct wpa_channel_info ci;
if (wpa_sm_channel_info(sm, &ci) != 0) {
wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
"Failed to get channel info to validate received OCI in EAPOL-Key group msg 1/2");
return -1;
}
if (ocv_verify_tx_params(ie.oci, ie.oci_len, &ci,
channel_width_to_int(ci.chanwidth),
OCV: Use more granular error codes for OCI validation failures Enhance the return values of ocv_verify_tx_params with enum to indicate different OCI verification failures to caller. Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2020-09-02 20:55:28 +02:00
ci.seg1_idx) != OCI_SUCCESS) {
OCV: Report OCI validation failures with OCV-FAILURE messages (STA) Convert the previously used text log entries to use the more formal OCV-FAILURE prefix and always send these as control interface events to allow upper layers to get information about unexpected operating channel mismatches. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-29 23:24:15 +02:00
wpa_msg(sm->ctx->msg_ctx, MSG_INFO, OCV_FAILURE
"addr=" MACSTR " frame=eapol-key-g1 error=%s",
MAC2STR(sm->bssid), ocv_errorstr);
OCV: Verify OCI in 4-way and group key handshake Verify the received OCI element in the 4-way and group key handshakes. If verification fails, the handshake message is silently dropped. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-08-06 21:46:31 +02:00
return -1;
}
}
#endif /* CONFIG_OCV */
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
if (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
Make GTK length validation for RSN Group 1/2 easier to analyze This extends the changes in commit c397eff82894 ("Make GTK length validation easier to analyze") to cover the RSN case as well as the WPA. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-11-03 19:23:48 +01:00
gtk_len, maxkeylen,
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
&gd->key_rsc_len, &gd->alg))
return -1;
WPA: Do not print GTK in debug log unless requested The GTK value received in RSN (WPA2) group rekeying did not use the wpa_hexdump_key() version of debug printing that is conditional on -K being included on the command line. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-09 16:35:06 +02:00
wpa_hexdump_key(MSG_DEBUG, "RSN: received GTK in group key handshake",
Make GTK length validation for RSN Group 1/2 easier to analyze This extends the changes in commit c397eff82894 ("Make GTK length validation easier to analyze") to cover the RSN case as well as the WPA. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-11-03 19:23:48 +01:00
ie.gtk, 2 + gtk_len);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
gd->keyidx = ie.gtk[0] & 0x3;
gd->tx = wpa_supplicant_gtk_tx_bit_workaround(sm,
!!(ie.gtk[0] & BIT(2)));
Make GTK length validation for RSN Group 1/2 easier to analyze This extends the changes in commit c397eff82894 ("Make GTK length validation easier to analyze") to cover the RSN case as well as the WPA. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-11-03 19:23:48 +01:00
os_memcpy(gd->gtk, ie.gtk + 2, gtk_len);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
if (ieee80211w_set_keys(sm, &ie) < 0)
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
"RSN: Failed to configure IGTK");
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
return 0;
}
static int wpa_supplicant_process_1_of_2_wpa(struct wpa_sm *sm,
const struct wpa_eapol_key *key,
Clean up EAPOL-Key Key Data processing Use a single location in wpa_sm_rx_eapol() for preparing the pointer to the Key Data field and to its validated length instead of fetching that information in number of processing functions separately. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-14 18:02:46 +02:00
const u8 *key_data,
size_t key_data_len, u16 key_info,
u16 ver, struct wpa_gtk_data *gd)
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
{
size_t maxkeylen;
Make GTK length validation easier to analyze Bounds checking for gd->gtk_len in wpa_supplicant_check_group_cipher() was apparently too complex for some static analyzers. Use a local variable and a more explicit validation step to avoid false report. (CID 62864) Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-05 22:05:11 +01:00
u16 gtk_len;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
Make GTK length validation easier to analyze Bounds checking for gd->gtk_len in wpa_supplicant_check_group_cipher() was apparently too complex for some static analyzers. Use a local variable and a more explicit validation step to avoid false report. (CID 62864) Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-05 22:05:11 +01:00
gtk_len = WPA_GET_BE16(key->key_length);
Clean up EAPOL-Key Key Data processing Use a single location in wpa_sm_rx_eapol() for preparing the pointer to the Key Data field and to its validated length instead of fetching that information in number of processing functions separately. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-14 18:02:46 +02:00
maxkeylen = key_data_len;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
if (maxkeylen < 8) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
"WPA: Too short maxkeylen (%lu)",
(unsigned long) maxkeylen);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
return -1;
}
maxkeylen -= 8;
}
Make GTK length validation easier to analyze Bounds checking for gd->gtk_len in wpa_supplicant_check_group_cipher() was apparently too complex for some static analyzers. Use a local variable and a more explicit validation step to avoid false report. (CID 62864) Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-05 22:05:11 +01:00
if (gtk_len > maxkeylen ||
wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
gtk_len, maxkeylen,
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
&gd->key_rsc_len, &gd->alg))
return -1;
Make GTK length validation easier to analyze Bounds checking for gd->gtk_len in wpa_supplicant_check_group_cipher() was apparently too complex for some static analyzers. Use a local variable and a more explicit validation step to avoid false report. (CID 62864) Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-05 22:05:11 +01:00
gd->gtk_len = gtk_len;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
gd->keyidx = (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >>
WPA_KEY_INFO_KEY_INDEX_SHIFT;
Preparations for variable length KCK and KEK This modifies struct wpa_ptk to allow the length of KCK and KEK to be stored. This is needed to allow longer keys to be used, e.g., with Suite B 192-bit level. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-25 15:49:18 +01:00
if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 && sm->ptk.kek_len == 16) {
Add build option to remove all internal RC4 uses The new CONFIG_NO_RC4=y build option can be used to remove all internal hostapd and wpa_supplicant uses of RC4. It should be noted that external uses (e.g., within a TLS library) do not get disabled when doing this. This removes capability of supporting WPA/TKIP, dynamic WEP keys with IEEE 802.1X, WEP shared key authentication, and MSCHAPv2 password changes. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-01 22:37:07 +02:00
#ifdef CONFIG_NO_RC4
wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
"WPA: RC4 not supported in the build");
return -1;
#else /* CONFIG_NO_RC4 */
Reduce the amount of time PTK/TPTK/GTK is kept in memory Some of the buffers used to keep a copy of PTK/TPTK/GTK in the supplicant implementation maintained a copy of the keys longer than necessary. Clear these buffers to zero when the key is not needed anymore to minimize the amount of time key material is kept in memory. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-04-16 00:27:10 +02:00
u8 ek[32];
Clean up EAPOL-Key Key Data processing Use a single location in wpa_sm_rx_eapol() for preparing the pointer to the Key Data field and to its validated length instead of fetching that information in number of processing functions separately. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-14 18:02:46 +02:00
if (key_data_len > sizeof(gd->gtk)) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
"WPA: RC4 key data too long (%lu)",
Clean up EAPOL-Key Key Data processing Use a single location in wpa_sm_rx_eapol() for preparing the pointer to the Key Data field and to its validated length instead of fetching that information in number of processing functions separately. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-14 18:02:46 +02:00
(unsigned long) key_data_len);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
return -1;
}
Reduce the amount of time PTK/TPTK/GTK is kept in memory Some of the buffers used to keep a copy of PTK/TPTK/GTK in the supplicant implementation maintained a copy of the keys longer than necessary. Clear these buffers to zero when the key is not needed anymore to minimize the amount of time key material is kept in memory. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-04-16 00:27:10 +02:00
os_memcpy(ek, key->key_iv, 16);
Preparations for variable length KCK and KEK This modifies struct wpa_ptk to allow the length of KCK and KEK to be stored. This is needed to allow longer keys to be used, e.g., with Suite B 192-bit level. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-25 15:49:18 +01:00
os_memcpy(ek + 16, sm->ptk.kek, sm->ptk.kek_len);
Clean up EAPOL-Key Key Data processing Use a single location in wpa_sm_rx_eapol() for preparing the pointer to the Key Data field and to its validated length instead of fetching that information in number of processing functions separately. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-14 18:02:46 +02:00
os_memcpy(gd->gtk, key_data, key_data_len);
if (rc4_skip(ek, 32, 256, gd->gtk, key_data_len)) {
More forceful clearing of stack memory with keys gcc 8.3.0 was apparently clever enough to optimize away the previously used os_memset() to explicitly clear a stack buffer that contains keys when that clearing happened just before returning from the function. Since memset_s() is not exactly portable (or commonly available yet..), use a less robust mechanism that is still pretty likely to prevent current compilers from optimizing the explicit clearing of the memory away. Signed-off-by: Jouni Malinen <j@w1.fi>
2019-05-25 23:47:17 +02:00
forced_memzero(ek, sizeof(ek));
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
"WPA: RC4 failed");
Verify that RC4 operation succeeds
2009-08-16 21:28:40 +02:00
return -1;
}
More forceful clearing of stack memory with keys gcc 8.3.0 was apparently clever enough to optimize away the previously used os_memset() to explicitly clear a stack buffer that contains keys when that clearing happened just before returning from the function. Since memset_s() is not exactly portable (or commonly available yet..), use a less robust mechanism that is still pretty likely to prevent current compilers from optimizing the explicit clearing of the memory away. Signed-off-by: Jouni Malinen <j@w1.fi>
2019-05-25 23:47:17 +02:00
forced_memzero(ek, sizeof(ek));
Add build option to remove all internal RC4 uses The new CONFIG_NO_RC4=y build option can be used to remove all internal hostapd and wpa_supplicant uses of RC4. It should be noted that external uses (e.g., within a TLS library) do not get disabled when doing this. This removes capability of supporting WPA/TKIP, dynamic WEP keys with IEEE 802.1X, WEP shared key authentication, and MSCHAPv2 password changes. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-01 22:37:07 +02:00
#endif /* CONFIG_NO_RC4 */
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
} else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
Clean up EAPOL-Key Key Data processing Use a single location in wpa_sm_rx_eapol() for preparing the pointer to the Key Data field and to its validated length instead of fetching that information in number of processing functions separately. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-14 18:02:46 +02:00
if (maxkeylen % 8) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
"WPA: Unsupported AES-WRAP len %lu",
Clean up EAPOL-Key Key Data processing Use a single location in wpa_sm_rx_eapol() for preparing the pointer to the Key Data field and to its validated length instead of fetching that information in number of processing functions separately. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-14 18:02:46 +02:00
(unsigned long) maxkeylen);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
return -1;
}
if (maxkeylen > sizeof(gd->gtk)) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
"WPA: AES-WRAP key data "
"too long (keydatalen=%lu maxkeylen=%lu)",
Clean up EAPOL-Key Key Data processing Use a single location in wpa_sm_rx_eapol() for preparing the pointer to the Key Data field and to its validated length instead of fetching that information in number of processing functions separately. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-14 18:02:46 +02:00
(unsigned long) key_data_len,
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
(unsigned long) maxkeylen);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
return -1;
}
Preparations for variable length KCK and KEK This modifies struct wpa_ptk to allow the length of KCK and KEK to be stored. This is needed to allow longer keys to be used, e.g., with Suite B 192-bit level. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-25 15:49:18 +01:00
if (aes_unwrap(sm->ptk.kek, sm->ptk.kek_len, maxkeylen / 8,
key_data, gd->gtk)) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
"WPA: AES unwrap failed - could not decrypt "
"GTK");
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
return -1;
}
} else {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
"WPA: Unsupported key_info type %d", ver);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
return -1;
}
gd->tx = wpa_supplicant_gtk_tx_bit_workaround(
sm, !!(key_info & WPA_KEY_INFO_TXRX));
return 0;
}
static int wpa_supplicant_send_2_of_2(struct wpa_sm *sm,
const struct wpa_eapol_key *key,
int ver, u16 key_info)
{
Add Suite B 192-bit AKM WPA-EAP-SUITE-B-192 can now be used to select 192-bit level Suite B into use as the key management method. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-25 22:32:01 +01:00
size_t mic_len, hdrlen, rlen;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
struct wpa_eapol_key *reply;
Add Suite B 192-bit AKM WPA-EAP-SUITE-B-192 can now be used to select 192-bit level Suite B into use as the key management method. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-25 22:32:01 +01:00
u8 *rbuf, *key_mic;
OCV: Insert OCI in 4-way and group key handshake If Operating Channel Verification is negotiated, include the OCI KDE element in EAPOL-Key msg 2/4 and 3/4 of the 4-way handshake and both messages of the group key handshake. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-08-06 21:46:27 +02:00
size_t kde_len = 0;
#ifdef CONFIG_OCV
if (wpa_sm_ocv_enabled(sm))
kde_len = OCV_OCI_KDE_LEN;
#endif /* CONFIG_OCV */
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
DPP: Add new AKM This new AKM is used with DPP when using the signed Connector to derive a PMK. Since the KCK, KEK, and MIC lengths are variable within a single AKM, this needs number of additional changes to get the PMK length delivered to places that need to figure out the lengths of the PTK components. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-17 22:48:52 +02:00
mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
Make struct wpa_eapol_key easier to use with variable length MIC Suite B 192-bit addition from IEEE Std 802.11ac-2013 replaced the previous fixed length Key MIC field with a variable length field. That change was addressed with an addition of a new struct defined for the second MIC length. This is not really scalable and with FILS coming up with a zero-length MIC case for AEAD, a more thorough change to support variable length MIC is needed. Remove the Key MIC and Key Data Length fields from the struct wpa_eapol_key and find their location based on the MIC length information (which is determined by the AKMP). This change allows the separate struct wpa_eapol_key_192 to be removed since struct wpa_eapol_key will now include only the fixed length fields that are shared with all EAPOL-Key cases in IEEE Std 802.11. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-02 21:55:03 +02:00
hdrlen = sizeof(*reply) + mic_len + 2;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
OCV: Insert OCI in 4-way and group key handshake If Operating Channel Verification is negotiated, include the OCI KDE element in EAPOL-Key msg 2/4 and 3/4 of the 4-way handshake and both messages of the group key handshake. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-08-06 21:46:27 +02:00
hdrlen + kde_len, &rlen, (void *) &reply);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
if (rbuf == NULL)
return -1;
HS 2.0R2 AP: Add OSEN implementation Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-07-23 20:25:21 +02:00
reply->type = (sm->proto == WPA_PROTO_RSN ||
sm->proto == WPA_PROTO_OSEN) ?
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
key_info &= WPA_KEY_INFO_KEY_INDEX_MASK;
FILS: Set EAPOL-Key Key Info MIC=0 when using AEAD cipher (supplicant) Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-02 23:29:54 +02:00
key_info |= ver | WPA_KEY_INFO_SECURE;
if (mic_len)
key_info |= WPA_KEY_INFO_MIC;
FILS: Fix key info in GTK rekey EAPOL-Key msg 2/2 While responding to EAPOL-Key message 1/2 with EAPOL-Key message 2/2 when using FILS AKM suites the ENCRYPTED bit is not set in key info of 2/2 which causes AP to drop 2/2. Fix this by setting the ENCRYPTED bit since FILS AKM based connection uses AEAD encryption/decryption. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-04-10 12:25:59 +02:00
else
key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
WPA_PUT_BE16(reply->key_info, key_info);
HS 2.0R2 AP: Add OSEN implementation Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-07-23 20:25:21 +02:00
if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN)
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
WPA_PUT_BE16(reply->key_length, 0);
else
os_memcpy(reply->key_length, key->key_length, 2);
os_memcpy(reply->replay_counter, key->replay_counter,
WPA_REPLAY_COUNTER_LEN);
Make struct wpa_eapol_key easier to use with variable length MIC Suite B 192-bit addition from IEEE Std 802.11ac-2013 replaced the previous fixed length Key MIC field with a variable length field. That change was addressed with an addition of a new struct defined for the second MIC length. This is not really scalable and with FILS coming up with a zero-length MIC case for AEAD, a more thorough change to support variable length MIC is needed. Remove the Key MIC and Key Data Length fields from the struct wpa_eapol_key and find their location based on the MIC length information (which is determined by the AKMP). This change allows the separate struct wpa_eapol_key_192 to be removed since struct wpa_eapol_key will now include only the fixed length fields that are shared with all EAPOL-Key cases in IEEE Std 802.11. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-02 21:55:03 +02:00
key_mic = (u8 *) (reply + 1);
OCV: Insert OCI in 4-way and group key handshake If Operating Channel Verification is negotiated, include the OCI KDE element in EAPOL-Key msg 2/4 and 3/4 of the 4-way handshake and both messages of the group key handshake. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-08-06 21:46:27 +02:00
WPA_PUT_BE16(key_mic + mic_len, kde_len); /* Key Data Length */
#ifdef CONFIG_OCV
if (wpa_sm_ocv_enabled(sm)) {
struct wpa_channel_info ci;
u8 *pos;
if (wpa_sm_channel_info(sm, &ci) != 0) {
wpa_printf(MSG_WARNING,
"Failed to get channel info for OCI element in EAPOL-Key 2/2");
os_free(rbuf);
return -1;
}
OCV: OCI channel override support for testing (STA) Add override parameters to use the specified channel while populating OCI element in EAPOL-Key group msg 2/2, FT reassoc request, FILS assoc request and WNM sleep request frames. Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2020-06-26 10:19:14 +02:00
#ifdef CONFIG_TESTING_OPTIONS
if (sm->oci_freq_override_eapol_g2) {
wpa_printf(MSG_INFO,
"TEST: Override OCI KDE frequency %d -> %d MHz",
ci.frequency,
sm->oci_freq_override_eapol_g2);
ci.frequency = sm->oci_freq_override_eapol_g2;
}
#endif /* CONFIG_TESTING_OPTIONS */
OCV: Insert OCI in 4-way and group key handshake If Operating Channel Verification is negotiated, include the OCI KDE element in EAPOL-Key msg 2/4 and 3/4 of the 4-way handshake and both messages of the group key handshake. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-08-06 21:46:27 +02:00
pos = key_mic + mic_len + 2; /* Key Data */
if (ocv_insert_oci_kde(&ci, &pos) < 0) {
os_free(rbuf);
return -1;
}
}
#endif /* CONFIG_OCV */
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Sending EAPOL-Key 2/2");
RSN: Pass full PTK to wpa_eapol_key_send() instead of KCK only This will be needed to be able to implement AEAD cipher support from FILS that will need to use KEK to protect the frame. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-03 11:31:55 +02:00
return wpa_eapol_key_send(sm, &sm->ptk, ver, sm->bssid, ETH_P_EAPOL,
rbuf, rlen, key_mic);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
}
static void wpa_supplicant_process_1_of_2(struct wpa_sm *sm,
const unsigned char *src_addr,
const struct wpa_eapol_key *key,
Clean up EAPOL-Key Key Data processing Use a single location in wpa_sm_rx_eapol() for preparing the pointer to the Key Data field and to its validated length instead of fetching that information in number of processing functions separately. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-14 18:02:46 +02:00
const u8 *key_data,
size_t key_data_len, u16 ver)
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
{
Clean up EAPOL-Key Key Data processing Use a single location in wpa_sm_rx_eapol() for preparing the pointer to the Key Data field and to its validated length instead of fetching that information in number of processing functions separately. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-14 18:02:46 +02:00
u16 key_info;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
int rekey, ret;
struct wpa_gtk_data gd;
wpa_supplicant: Add GTK RSC relaxation workaround Some APs may send RSC octets in EAPOL-Key message 3 of 4-Way Handshake or in EAPOL-Key message 1 of Group Key Handshake in the opposite byte order (or by some other corrupted way). Thus, after a successful EAPOL-Key exchange the TSC values of received multicast packets, such as DHCP, don't match the RSC one and as a result these packets are dropped on replay attack TSC verification. An example of such AP is Sapido RB-1732. Work around this by setting RSC octets to 0 on GTK installation if the AP RSC value is identified as a potentially having the byte order issue. This may open a short window during which older (but valid) group-addressed frames could be replayed. However, the local receive counter will be updated on the first received group-addressed frame and the workaround is enabled only if the common invalid cases are detected, so this workaround is acceptable as not decreasing security significantly. The wpa_rsc_relaxation global configuration property allows the GTK RSC workaround to be disabled if it's not needed. Signed-off-by: Max Stepanov <Max.Stepanov@intel.com>
2015-10-14 11:26:33 +02:00
const u8 *key_rsc;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
FILS: Fix GTK rekey by accepting EAPOL-Key msg 1/2 with FILS AKM GTK rekeying was rejected if a prior 4-way handshake is not done. Fix this by allowing GTK rekey to happen in case of a FILS connection since it does not involve a 4-way handshake. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-04-10 12:25:59 +02:00
if (!sm->msg_3_of_4_ok && !wpa_fils_is_completed(sm)) {
Reject Group Key message 1/2 prior to completion of 4-way handshake Previously, it would have been possible to complete RSN connection by skipping the msg 3/4 and 4/4 completely. This would have resulted in pairwise key not being configured. This is obviously not supposed to happen in practice and could result in unexpected behavior, so reject group key message before the initial 4-way handshake has been completed. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-03-07 11:58:19 +01:00
wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
"WPA: Group Key Handshake started prior to completion of 4-way handshake");
goto failed;
}
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
os_memset(&gd, 0, sizeof(gd));
rekey = wpa_sm_get_state(sm) == WPA_COMPLETED;
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: RX message 1 of Group Key "
"Handshake from " MACSTR " (ver=%d)", MAC2STR(src_addr), ver);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
key_info = WPA_GET_BE16(key->key_info);
HS 2.0R2 AP: Add OSEN implementation Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-07-23 20:25:21 +02:00
if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) {
Clean up EAPOL-Key Key Data processing Use a single location in wpa_sm_rx_eapol() for preparing the pointer to the Key Data field and to its validated length instead of fetching that information in number of processing functions separately. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-14 18:02:46 +02:00
ret = wpa_supplicant_process_1_of_2_rsn(sm, key_data,
key_data_len, key_info,
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
&gd);
} else {
Clean up EAPOL-Key Key Data processing Use a single location in wpa_sm_rx_eapol() for preparing the pointer to the Key Data field and to its validated length instead of fetching that information in number of processing functions separately. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-14 18:02:46 +02:00
ret = wpa_supplicant_process_1_of_2_wpa(sm, key, key_data,
key_data_len,
key_info, ver, &gd);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
}
wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE);
if (ret)
Disconnect if 4-way handshake processing fails There is no point in trying to continue if a 4-way handshake frame is discarded or if PTK/GTK/IGTK configuration fails. Force the client to disconnect in such a case to avoid confusing user by claiming the connection was successfully completed.
2009-04-20 10:35:21 +02:00
goto failed;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
wpa_supplicant: Add GTK RSC relaxation workaround Some APs may send RSC octets in EAPOL-Key message 3 of 4-Way Handshake or in EAPOL-Key message 1 of Group Key Handshake in the opposite byte order (or by some other corrupted way). Thus, after a successful EAPOL-Key exchange the TSC values of received multicast packets, such as DHCP, don't match the RSC one and as a result these packets are dropped on replay attack TSC verification. An example of such AP is Sapido RB-1732. Work around this by setting RSC octets to 0 on GTK installation if the AP RSC value is identified as a potentially having the byte order issue. This may open a short window during which older (but valid) group-addressed frames could be replayed. However, the local receive counter will be updated on the first received group-addressed frame and the workaround is enabled only if the common invalid cases are detected, so this workaround is acceptable as not decreasing security significantly. The wpa_rsc_relaxation global configuration property allows the GTK RSC workaround to be disabled if it's not needed. Signed-off-by: Max Stepanov <Max.Stepanov@intel.com>
2015-10-14 11:26:33 +02:00
key_rsc = key->key_rsc;
if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc))
key_rsc = null_rsc;
Extend protection of GTK/IGTK reinstallation of WNM-Sleep Mode cases This extends the protection to track last configured GTK/IGTK value separately from EAPOL-Key frames and WNM-Sleep Mode frames to cover a corner case where these two different mechanisms may get used when the GTK/IGTK has changed and tracking a single value is not sufficient to detect a possible key reconfiguration. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-10-01 11:12:24 +02:00
if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0) ||
RSN: Check result of EAPOL-Key frame send request Provide information on whether EAPOL-Key frame was sent successfully to kernel for transmittion. wpa_eapol_key_send() will return >= 0 on success and < 0 on failure. After receiving EAPOL-Key msg 3/4, wpa_supplicant sends EAPOL-Key msg 4/4 and shows CTRL-EVENT-CONNECTED only after verifying that the msg 4/4 was sent to kernel for transmission successfully. Signed-off-by: Avichal Agarwal <avichal.a@samsung.com> Signed-off-by: Kyeong-Chae Lim <kcya.lim@samsung.com>
2015-10-27 07:47:15 +01:00
wpa_supplicant_send_2_of_2(sm, key, ver, key_info) < 0)
Disconnect if 4-way handshake processing fails There is no point in trying to continue if a 4-way handshake frame is discarded or if PTK/GTK/IGTK configuration fails. Force the client to disconnect in such a case to avoid confusing user by claiming the connection was successfully completed.
2009-04-20 10:35:21 +02:00
goto failed;
More forceful clearing of stack memory with keys gcc 8.3.0 was apparently clever enough to optimize away the previously used os_memset() to explicitly clear a stack buffer that contains keys when that clearing happened just before returning from the function. Since memset_s() is not exactly portable (or commonly available yet..), use a less robust mechanism that is still pretty likely to prevent current compilers from optimizing the explicit clearing of the memory away. Signed-off-by: Jouni Malinen <j@w1.fi>
2019-05-25 23:47:17 +02:00
forced_memzero(&gd, sizeof(gd));
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
if (rekey) {
Added a separate ctx pointer for wpa_msg() calls in WPA supp This is needed to allow IBSS RSN to use per-peer context while maintaining support for wpa_msg() calls to get *wpa_s as the pointer.
2009-01-17 16:54:40 +01:00
wpa_msg(sm->ctx->msg_ctx, MSG_INFO, "WPA: Group rekeying "
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
"completed with " MACSTR " [GTK=%s]",
MAC2STR(sm->bssid), wpa_cipher_txt(sm->group_cipher));
wpa_sm_cancel_auth_timeout(sm);
wpa_sm_set_state(sm, WPA_COMPLETED);
} else {
wpa_supplicant_key_neg_complete(sm, sm->bssid,
key_info &
WPA_KEY_INFO_SECURE);
}
Set GTK rekey offload information after initial group key handshake The GTK rekey offload information was sent to the driver immediately after the 4-way handshake which ended up being before the initial group key exchange in the case of WPA (v1). This could result in even that initial GTK handshake being offloaded and wpa_supplicant being left in WPA_GROUP_HANDSHAKE state. Fix this by postponing the operation to happen only after the full set of initial EAPOL-Key exchanges have been completed (i.e., in the existing location for WPA2 and a after the group key handshake for WPA). Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-10-30 10:41:40 +01:00
wpa_sm_set_rekey_offload(sm);
Disconnect if 4-way handshake processing fails There is no point in trying to continue if a 4-way handshake frame is discarded or if PTK/GTK/IGTK configuration fails. Force the client to disconnect in such a case to avoid confusing user by claiming the connection was successfully completed.
2009-04-20 10:35:21 +02:00
return;
failed:
More forceful clearing of stack memory with keys gcc 8.3.0 was apparently clever enough to optimize away the previously used os_memset() to explicitly clear a stack buffer that contains keys when that clearing happened just before returning from the function. Since memset_s() is not exactly portable (or commonly available yet..), use a less robust mechanism that is still pretty likely to prevent current compilers from optimizing the explicit clearing of the memory away. Signed-off-by: Jouni Malinen <j@w1.fi>
2019-05-25 23:47:17 +02:00
forced_memzero(&gd, sizeof(gd));
Disconnect if 4-way handshake processing fails There is no point in trying to continue if a 4-way handshake frame is discarded or if PTK/GTK/IGTK configuration fails. Force the client to disconnect in such a case to avoid confusing user by claiming the connection was successfully completed.
2009-04-20 10:35:21 +02:00
wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
}
static int wpa_supplicant_verify_eapol_key_mic(struct wpa_sm *sm,
Make struct wpa_eapol_key easier to use with variable length MIC Suite B 192-bit addition from IEEE Std 802.11ac-2013 replaced the previous fixed length Key MIC field with a variable length field. That change was addressed with an addition of a new struct defined for the second MIC length. This is not really scalable and with FILS coming up with a zero-length MIC case for AEAD, a more thorough change to support variable length MIC is needed. Remove the Key MIC and Key Data Length fields from the struct wpa_eapol_key and find their location based on the MIC length information (which is determined by the AKMP). This change allows the separate struct wpa_eapol_key_192 to be removed since struct wpa_eapol_key will now include only the fixed length fields that are shared with all EAPOL-Key cases in IEEE Std 802.11. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-02 21:55:03 +02:00
struct wpa_eapol_key *key,
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
u16 ver,
const u8 *buf, size_t len)
{
Preparations for variable length KCK and KEK This modifies struct wpa_ptk to allow the length of KCK and KEK to be stored. This is needed to allow longer keys to be used, e.g., with Suite B 192-bit level. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-25 15:49:18 +01:00
u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN];
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
int ok = 0;
DPP: Add new AKM This new AKM is used with DPP when using the signed Connector to derive a PMK. Since the KCK, KEK, and MIC lengths are variable within a single AKM, this needs number of additional changes to get the PMK length delivered to places that need to figure out the lengths of the PTK components. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-17 22:48:52 +02:00
size_t mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
Make struct wpa_eapol_key easier to use with variable length MIC Suite B 192-bit addition from IEEE Std 802.11ac-2013 replaced the previous fixed length Key MIC field with a variable length field. That change was addressed with an addition of a new struct defined for the second MIC length. This is not really scalable and with FILS coming up with a zero-length MIC case for AEAD, a more thorough change to support variable length MIC is needed. Remove the Key MIC and Key Data Length fields from the struct wpa_eapol_key and find their location based on the MIC length information (which is determined by the AKMP). This change allows the separate struct wpa_eapol_key_192 to be removed since struct wpa_eapol_key will now include only the fixed length fields that are shared with all EAPOL-Key cases in IEEE Std 802.11. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-02 21:55:03 +02:00
os_memcpy(mic, key + 1, mic_len);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
if (sm->tptk_set) {
Make struct wpa_eapol_key easier to use with variable length MIC Suite B 192-bit addition from IEEE Std 802.11ac-2013 replaced the previous fixed length Key MIC field with a variable length field. That change was addressed with an addition of a new struct defined for the second MIC length. This is not really scalable and with FILS coming up with a zero-length MIC case for AEAD, a more thorough change to support variable length MIC is needed. Remove the Key MIC and Key Data Length fields from the struct wpa_eapol_key and find their location based on the MIC length information (which is determined by the AKMP). This change allows the separate struct wpa_eapol_key_192 to be removed since struct wpa_eapol_key will now include only the fixed length fields that are shared with all EAPOL-Key cases in IEEE Std 802.11. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-02 21:55:03 +02:00
os_memset(key + 1, 0, mic_len);
Additional consistentcy checks for PTK component lengths Verify that TK, KCK, and KEK lengths are set to consistent values within struct wpa_ptk before using them in supplicant. This is an additional layer of protection against unexpected states. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-10-16 23:01:11 +02:00
if (wpa_eapol_key_mic(sm->tptk.kck, sm->tptk.kck_len,
sm->key_mgmt,
ver, buf, len, (u8 *) (key + 1)) < 0 ||
os_memcmp_const(mic, key + 1, mic_len) != 0) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
"WPA: Invalid EAPOL-Key MIC "
"when using TPTK - ignoring TPTK");
tests: EAPOL-Key fuzzing tool Add test-eapol program that can be used for fuzzing the EAPOL-Key Supplicant and Authenticator implementations. This tool can write Supplicant or Authenticator messages into a file as an initialization step and for the fuzzing step, that file (with potential modifications) can be used to replace the internally generated message contents. The TEST_FUZZ=y build parameter is used to make a special build where a hardcoded random number generator and hardcoded timestamp are used to force deterministic behavior for the EAPOL-Key operations. This will also make the implementation ignore Key MIC and AES keywrap errors to allow processing of modified messages to continue further. Signed-off-by: Jouni Malinen <j@w1.fi>
2019-02-10 16:02:49 +01:00
#ifdef TEST_FUZZ
wpa_printf(MSG_INFO,
"TEST: Ignore Key MIC failure for fuzz testing");
goto continue_fuzz;
#endif /* TEST_FUZZ */
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
} else {
tests: EAPOL-Key fuzzing tool Add test-eapol program that can be used for fuzzing the EAPOL-Key Supplicant and Authenticator implementations. This tool can write Supplicant or Authenticator messages into a file as an initialization step and for the fuzzing step, that file (with potential modifications) can be used to replace the internally generated message contents. The TEST_FUZZ=y build parameter is used to make a special build where a hardcoded random number generator and hardcoded timestamp are used to force deterministic behavior for the EAPOL-Key operations. This will also make the implementation ignore Key MIC and AES keywrap errors to allow processing of modified messages to continue further. Signed-off-by: Jouni Malinen <j@w1.fi>
2019-02-10 16:02:49 +01:00
#ifdef TEST_FUZZ
continue_fuzz:
#endif /* TEST_FUZZ */
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
ok = 1;
sm->tptk_set = 0;
sm->ptk_set = 1;
os_memcpy(&sm->ptk, &sm->tptk, sizeof(sm->ptk));
Reduce the amount of time PTK/TPTK/GTK is kept in memory Some of the buffers used to keep a copy of PTK/TPTK/GTK in the supplicant implementation maintained a copy of the keys longer than necessary. Clear these buffers to zero when the key is not needed anymore to minimize the amount of time key material is kept in memory. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-04-16 00:27:10 +02:00
os_memset(&sm->tptk, 0, sizeof(sm->tptk));
WPA: Extra defense against PTK reinstalls in 4-way handshake Currently, reinstallations of the PTK are prevented by (1) assuring the same TPTK is only set once as the PTK, and (2) that one particular PTK is only installed once. This patch makes it more explicit that point (1) is required to prevent key reinstallations. At the same time, this patch hardens wpa_supplicant such that future changes do not accidentally break this property. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2017-10-05 23:53:01 +02:00
/*
* This assures the same TPTK in sm->tptk can never be
Fix a typo in a comment (the variable is ptk, not pkt) Signed-off-by: Andre Rossi Korol <anrobits@yahoo.com.br>
2017-10-17 13:34:14 +02:00
* copied twice to sm->ptk as the new PTK. In
WPA: Extra defense against PTK reinstalls in 4-way handshake Currently, reinstallations of the PTK are prevented by (1) assuring the same TPTK is only set once as the PTK, and (2) that one particular PTK is only installed once. This patch makes it more explicit that point (1) is required to prevent key reinstallations. At the same time, this patch hardens wpa_supplicant such that future changes do not accidentally break this property. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2017-10-05 23:53:01 +02:00
* combination with the installed flag in the wpa_ptk
* struct, this assures the same PTK is only installed
* once.
*/
sm->renew_snonce = 1;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
}
}
if (!ok && sm->ptk_set) {
Make struct wpa_eapol_key easier to use with variable length MIC Suite B 192-bit addition from IEEE Std 802.11ac-2013 replaced the previous fixed length Key MIC field with a variable length field. That change was addressed with an addition of a new struct defined for the second MIC length. This is not really scalable and with FILS coming up with a zero-length MIC case for AEAD, a more thorough change to support variable length MIC is needed. Remove the Key MIC and Key Data Length fields from the struct wpa_eapol_key and find their location based on the MIC length information (which is determined by the AKMP). This change allows the separate struct wpa_eapol_key_192 to be removed since struct wpa_eapol_key will now include only the fixed length fields that are shared with all EAPOL-Key cases in IEEE Std 802.11. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-02 21:55:03 +02:00
os_memset(key + 1, 0, mic_len);
Additional consistentcy checks for PTK component lengths Verify that TK, KCK, and KEK lengths are set to consistent values within struct wpa_ptk before using them in supplicant. This is an additional layer of protection against unexpected states. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-10-16 23:01:11 +02:00
if (wpa_eapol_key_mic(sm->ptk.kck, sm->ptk.kck_len,
sm->key_mgmt,
ver, buf, len, (u8 *) (key + 1)) < 0 ||
os_memcmp_const(mic, key + 1, mic_len) != 0) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
"WPA: Invalid EAPOL-Key MIC - "
"dropping packet");
tests: EAPOL-Key fuzzing tool Add test-eapol program that can be used for fuzzing the EAPOL-Key Supplicant and Authenticator implementations. This tool can write Supplicant or Authenticator messages into a file as an initialization step and for the fuzzing step, that file (with potential modifications) can be used to replace the internally generated message contents. The TEST_FUZZ=y build parameter is used to make a special build where a hardcoded random number generator and hardcoded timestamp are used to force deterministic behavior for the EAPOL-Key operations. This will also make the implementation ignore Key MIC and AES keywrap errors to allow processing of modified messages to continue further. Signed-off-by: Jouni Malinen <j@w1.fi>
2019-02-10 16:02:49 +01:00
#ifdef TEST_FUZZ
wpa_printf(MSG_INFO,
"TEST: Ignore Key MIC failure for fuzz testing");
goto continue_fuzz2;
#endif /* TEST_FUZZ */
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
return -1;
}
tests: EAPOL-Key fuzzing tool Add test-eapol program that can be used for fuzzing the EAPOL-Key Supplicant and Authenticator implementations. This tool can write Supplicant or Authenticator messages into a file as an initialization step and for the fuzzing step, that file (with potential modifications) can be used to replace the internally generated message contents. The TEST_FUZZ=y build parameter is used to make a special build where a hardcoded random number generator and hardcoded timestamp are used to force deterministic behavior for the EAPOL-Key operations. This will also make the implementation ignore Key MIC and AES keywrap errors to allow processing of modified messages to continue further. Signed-off-by: Jouni Malinen <j@w1.fi>
2019-02-10 16:02:49 +01:00
#ifdef TEST_FUZZ
continue_fuzz2:
#endif /* TEST_FUZZ */
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
ok = 1;
}
if (!ok) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
"WPA: Could not verify EAPOL-Key MIC - "
"dropping packet");
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
return -1;
}
os_memcpy(sm->rx_replay_counter, key->replay_counter,
WPA_REPLAY_COUNTER_LEN);
sm->rx_replay_counter_set = 1;
return 0;
}
/* Decrypt RSN EAPOL-Key key data (RC4 or AES-WRAP) */
static int wpa_supplicant_decrypt_key_data(struct wpa_sm *sm,
Make struct wpa_eapol_key easier to use with variable length MIC Suite B 192-bit addition from IEEE Std 802.11ac-2013 replaced the previous fixed length Key MIC field with a variable length field. That change was addressed with an addition of a new struct defined for the second MIC length. This is not really scalable and with FILS coming up with a zero-length MIC case for AEAD, a more thorough change to support variable length MIC is needed. Remove the Key MIC and Key Data Length fields from the struct wpa_eapol_key and find their location based on the MIC length information (which is determined by the AKMP). This change allows the separate struct wpa_eapol_key_192 to be removed since struct wpa_eapol_key will now include only the fixed length fields that are shared with all EAPOL-Key cases in IEEE Std 802.11. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-02 21:55:03 +02:00
struct wpa_eapol_key *key,
size_t mic_len, u16 ver,
Clean up EAPOL-Key Key Data processing Use a single location in wpa_sm_rx_eapol() for preparing the pointer to the Key Data field and to its validated length instead of fetching that information in number of processing functions separately. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-14 18:02:46 +02:00
u8 *key_data, size_t *key_data_len)
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
{
wpa_hexdump(MSG_DEBUG, "RSN: encrypted key data",
Clean up EAPOL-Key Key Data processing Use a single location in wpa_sm_rx_eapol() for preparing the pointer to the Key Data field and to its validated length instead of fetching that information in number of processing functions separately. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-14 18:02:46 +02:00
key_data, *key_data_len);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
if (!sm->ptk_set) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
"WPA: PTK not available, cannot decrypt EAPOL-Key Key "
"Data");
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
return -1;
}
/* Decrypt key data here so that this operation does not need
* to be implemented separately for each message type. */
Preparations for variable length KCK and KEK This modifies struct wpa_ptk to allow the length of KCK and KEK to be stored. This is needed to allow longer keys to be used, e.g., with Suite B 192-bit level. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-25 15:49:18 +01:00
if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 && sm->ptk.kek_len == 16) {
Add build option to remove all internal RC4 uses The new CONFIG_NO_RC4=y build option can be used to remove all internal hostapd and wpa_supplicant uses of RC4. It should be noted that external uses (e.g., within a TLS library) do not get disabled when doing this. This removes capability of supporting WPA/TKIP, dynamic WEP keys with IEEE 802.1X, WEP shared key authentication, and MSCHAPv2 password changes. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-01 22:37:07 +02:00
#ifdef CONFIG_NO_RC4
wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
"WPA: RC4 not supported in the build");
return -1;
#else /* CONFIG_NO_RC4 */
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
u8 ek[32];
Print the algorithms used for EAPOL-Key professing in log This makes it easier to debug crypto algorithm selection for 4-way handshake related functions. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 18:43:39 +01:00
wpa_printf(MSG_DEBUG, "WPA: Decrypt Key Data using RC4");
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
os_memcpy(ek, key->key_iv, 16);
Preparations for variable length KCK and KEK This modifies struct wpa_ptk to allow the length of KCK and KEK to be stored. This is needed to allow longer keys to be used, e.g., with Suite B 192-bit level. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-25 15:49:18 +01:00
os_memcpy(ek + 16, sm->ptk.kek, sm->ptk.kek_len);
Clean up EAPOL-Key Key Data processing Use a single location in wpa_sm_rx_eapol() for preparing the pointer to the Key Data field and to its validated length instead of fetching that information in number of processing functions separately. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-14 18:02:46 +02:00
if (rc4_skip(ek, 32, 256, key_data, *key_data_len)) {
More forceful clearing of stack memory with keys gcc 8.3.0 was apparently clever enough to optimize away the previously used os_memset() to explicitly clear a stack buffer that contains keys when that clearing happened just before returning from the function. Since memset_s() is not exactly portable (or commonly available yet..), use a less robust mechanism that is still pretty likely to prevent current compilers from optimizing the explicit clearing of the memory away. Signed-off-by: Jouni Malinen <j@w1.fi>
2019-05-25 23:47:17 +02:00
forced_memzero(ek, sizeof(ek));
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
"WPA: RC4 failed");
Verify that RC4 operation succeeds
2009-08-16 21:28:40 +02:00
return -1;
}
More forceful clearing of stack memory with keys gcc 8.3.0 was apparently clever enough to optimize away the previously used os_memset() to explicitly clear a stack buffer that contains keys when that clearing happened just before returning from the function. Since memset_s() is not exactly portable (or commonly available yet..), use a less robust mechanism that is still pretty likely to prevent current compilers from optimizing the explicit clearing of the memory away. Signed-off-by: Jouni Malinen <j@w1.fi>
2019-05-25 23:47:17 +02:00
forced_memzero(ek, sizeof(ek));
Add build option to remove all internal RC4 uses The new CONFIG_NO_RC4=y build option can be used to remove all internal hostapd and wpa_supplicant uses of RC4. It should be noted that external uses (e.g., within a TLS library) do not get disabled when doing this. This removes capability of supporting WPA/TKIP, dynamic WEP keys with IEEE 802.1X, WEP shared key authentication, and MSCHAPv2 password changes. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-01 22:37:07 +02:00
#endif /* CONFIG_NO_RC4 */
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
} else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
HS 2.0R2: Add OSEN client implementation Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-07-23 20:24:05 +02:00
ver == WPA_KEY_INFO_TYPE_AES_128_CMAC ||
SAE: Fix EAPOL-Key integrity and key-wrap algorithm selection The SAE AKM 00-0F-AC:8 is supposed to use EAPOL-Key Key Descriptor Version 0 (AKM-defined) with AES-128-CMAC and NIST AES Key Wrap. However, the previous implementation ended up using Key Descriptor Version 2 (HMAC-SHA-1-128 and NIST AES Key Wrap). Fix this by using the appropriate Key Descriptor Version and integrity algorithm. Use helper functions to keep the selection clearer and more consistent between wpa_supplicant and hostapd uses. Note: This change is not backwards compatible. Both the AP and station side implementations will need to be updated at the same time to maintain functionality. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-03-16 12:04:15 +01:00
wpa_use_aes_key_wrap(sm->key_mgmt)) {
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
u8 *buf;
Print the algorithms used for EAPOL-Key professing in log This makes it easier to debug crypto algorithm selection for 4-way handshake related functions. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 18:43:39 +01:00
wpa_printf(MSG_DEBUG,
"WPA: Decrypt Key Data using AES-UNWRAP (KEK length %u)",
(unsigned int) sm->ptk.kek_len);
Clean up EAPOL-Key Key Data processing Use a single location in wpa_sm_rx_eapol() for preparing the pointer to the Key Data field and to its validated length instead of fetching that information in number of processing functions separately. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-14 18:02:46 +02:00
if (*key_data_len < 8 || *key_data_len % 8) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
Clean up EAPOL-Key Key Data processing Use a single location in wpa_sm_rx_eapol() for preparing the pointer to the Key Data field and to its validated length instead of fetching that information in number of processing functions separately. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-14 18:02:46 +02:00
"WPA: Unsupported AES-WRAP len %u",
(unsigned int) *key_data_len);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
return -1;
}
Clean up EAPOL-Key Key Data processing Use a single location in wpa_sm_rx_eapol() for preparing the pointer to the Key Data field and to its validated length instead of fetching that information in number of processing functions separately. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-14 18:02:46 +02:00
*key_data_len -= 8; /* AES-WRAP adds 8 bytes */
buf = os_malloc(*key_data_len);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
if (buf == NULL) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
"WPA: No memory for AES-UNWRAP buffer");
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
return -1;
}
tests: EAPOL-Key fuzzing tool Add test-eapol program that can be used for fuzzing the EAPOL-Key Supplicant and Authenticator implementations. This tool can write Supplicant or Authenticator messages into a file as an initialization step and for the fuzzing step, that file (with potential modifications) can be used to replace the internally generated message contents. The TEST_FUZZ=y build parameter is used to make a special build where a hardcoded random number generator and hardcoded timestamp are used to force deterministic behavior for the EAPOL-Key operations. This will also make the implementation ignore Key MIC and AES keywrap errors to allow processing of modified messages to continue further. Signed-off-by: Jouni Malinen <j@w1.fi>
2019-02-10 16:02:49 +01:00
#ifdef TEST_FUZZ
os_memset(buf, 0x11, *key_data_len);
#endif /* TEST_FUZZ */
Preparations for variable length KCK and KEK This modifies struct wpa_ptk to allow the length of KCK and KEK to be stored. This is needed to allow longer keys to be used, e.g., with Suite B 192-bit level. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-25 15:49:18 +01:00
if (aes_unwrap(sm->ptk.kek, sm->ptk.kek_len, *key_data_len / 8,
Clean up EAPOL-Key Key Data processing Use a single location in wpa_sm_rx_eapol() for preparing the pointer to the Key Data field and to its validated length instead of fetching that information in number of processing functions separately. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-14 18:02:46 +02:00
key_data, buf)) {
tests: EAPOL-Key fuzzing tool Add test-eapol program that can be used for fuzzing the EAPOL-Key Supplicant and Authenticator implementations. This tool can write Supplicant or Authenticator messages into a file as an initialization step and for the fuzzing step, that file (with potential modifications) can be used to replace the internally generated message contents. The TEST_FUZZ=y build parameter is used to make a special build where a hardcoded random number generator and hardcoded timestamp are used to force deterministic behavior for the EAPOL-Key operations. This will also make the implementation ignore Key MIC and AES keywrap errors to allow processing of modified messages to continue further. Signed-off-by: Jouni Malinen <j@w1.fi>
2019-02-10 16:02:49 +01:00
#ifdef TEST_FUZZ
wpa_printf(MSG_INFO,
"TEST: Ignore AES unwrap failure for fuzz testing");
goto continue_fuzz;
#endif /* TEST_FUZZ */
WPA: Explicitly clear the buffer used for decrypting Key Data When AES-WRAP was used to protect the EAPOL-Key Key Data field, this was decrypted using a temporary heap buffer with aes_unwrap(). That buffer was not explicitly cleared, so it was possible for the group keys to remain in memory unnecessarily until the allocated area was reused. Clean this up by clearing the temporary allocation explicitly before freeing it. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-20 09:52:30 +01:00
bin_clear_free(buf, *key_data_len);
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
"WPA: AES unwrap failed - "
"could not decrypt EAPOL-Key key data");
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
return -1;
}
tests: EAPOL-Key fuzzing tool Add test-eapol program that can be used for fuzzing the EAPOL-Key Supplicant and Authenticator implementations. This tool can write Supplicant or Authenticator messages into a file as an initialization step and for the fuzzing step, that file (with potential modifications) can be used to replace the internally generated message contents. The TEST_FUZZ=y build parameter is used to make a special build where a hardcoded random number generator and hardcoded timestamp are used to force deterministic behavior for the EAPOL-Key operations. This will also make the implementation ignore Key MIC and AES keywrap errors to allow processing of modified messages to continue further. Signed-off-by: Jouni Malinen <j@w1.fi>
2019-02-10 16:02:49 +01:00
#ifdef TEST_FUZZ
continue_fuzz:
#endif /* TEST_FUZZ */
Clean up EAPOL-Key Key Data processing Use a single location in wpa_sm_rx_eapol() for preparing the pointer to the Key Data field and to its validated length instead of fetching that information in number of processing functions separately. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-14 18:02:46 +02:00
os_memcpy(key_data, buf, *key_data_len);
WPA: Explicitly clear the buffer used for decrypting Key Data When AES-WRAP was used to protect the EAPOL-Key Key Data field, this was decrypted using a temporary heap buffer with aes_unwrap(). That buffer was not explicitly cleared, so it was possible for the group keys to remain in memory unnecessarily until the allocated area was reused. Clean this up by clearing the temporary allocation explicitly before freeing it. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-20 09:52:30 +01:00
bin_clear_free(buf, *key_data_len);
Make struct wpa_eapol_key easier to use with variable length MIC Suite B 192-bit addition from IEEE Std 802.11ac-2013 replaced the previous fixed length Key MIC field with a variable length field. That change was addressed with an addition of a new struct defined for the second MIC length. This is not really scalable and with FILS coming up with a zero-length MIC case for AEAD, a more thorough change to support variable length MIC is needed. Remove the Key MIC and Key Data Length fields from the struct wpa_eapol_key and find their location based on the MIC length information (which is determined by the AKMP). This change allows the separate struct wpa_eapol_key_192 to be removed since struct wpa_eapol_key will now include only the fixed length fields that are shared with all EAPOL-Key cases in IEEE Std 802.11. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-02 21:55:03 +02:00
WPA_PUT_BE16(((u8 *) (key + 1)) + mic_len, *key_data_len);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
} else {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
"WPA: Unsupported key_info type %d", ver);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
return -1;
}
wpa_hexdump_key(MSG_DEBUG, "WPA: decrypted EAPOL-Key key data",
Clean up EAPOL-Key Key Data processing Use a single location in wpa_sm_rx_eapol() for preparing the pointer to the Key Data field and to its validated length instead of fetching that information in number of processing functions separately. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-14 18:02:46 +02:00
key_data, *key_data_len);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
return 0;
}
/**
* wpa_sm_aborted_cached - Notify WPA that PMKSA caching was aborted
* @sm: Pointer to WPA state machine data from wpa_sm_init()
*/
void wpa_sm_aborted_cached(struct wpa_sm *sm)
{
if (sm && sm->cur_pmksa) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
"RSN: Cancelling PMKSA caching attempt");
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
sm->cur_pmksa = NULL;
}
}
FILS: Flush external-PMKSA when connection fails without ERP keys External applications can store PMKSA entries persistently and reconfigure them to wpa_supplicant after restart. This can result in wpa_supplicant having a PMKSA for FILS authentication without having matching ERP keys for it which would prevent the previously added mechanism for dropping FILS PMKSA entries to recover from rejected association attempts. Fix this by clearing PMKSA entries configured by external applications upon FILS connection failure even when ERP keys are not available. Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2021-07-01 20:09:06 +02:00
void wpa_sm_aborted_external_cached(struct wpa_sm *sm)
{
if (sm && sm->cur_pmksa && sm->cur_pmksa->external) {
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
"RSN: Cancelling external PMKSA caching attempt");
sm->cur_pmksa = NULL;
}
}
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
static void wpa_eapol_key_dump(struct wpa_sm *sm,
Add Suite B 192-bit AKM WPA-EAP-SUITE-B-192 can now be used to select 192-bit level Suite B into use as the key management method. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-25 22:32:01 +01:00
const struct wpa_eapol_key *key,
unsigned int key_data_len,
const u8 *mic, unsigned int mic_len)
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
{
#ifndef CONFIG_NO_STDOUT_DEBUG
u16 key_info = WPA_GET_BE16(key->key_info);
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, " EAPOL-Key type=%d", key->type);
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
" key_info 0x%x (ver=%d keyidx=%d rsvd=%d %s%s%s%s%s%s%s%s)",
key_info, key_info & WPA_KEY_INFO_TYPE_MASK,
(key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >>
WPA_KEY_INFO_KEY_INDEX_SHIFT,
(key_info & (BIT(13) | BIT(14) | BIT(15))) >> 13,
key_info & WPA_KEY_INFO_KEY_TYPE ? "Pairwise" : "Group",
key_info & WPA_KEY_INFO_INSTALL ? " Install" : "",
key_info & WPA_KEY_INFO_ACK ? " Ack" : "",
key_info & WPA_KEY_INFO_MIC ? " MIC" : "",
key_info & WPA_KEY_INFO_SECURE ? " Secure" : "",
key_info & WPA_KEY_INFO_ERROR ? " Error" : "",
key_info & WPA_KEY_INFO_REQUEST ? " Request" : "",
key_info & WPA_KEY_INFO_ENCR_KEY_DATA ? " Encr" : "");
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
" key_length=%u key_data_length=%u",
Add Suite B 192-bit AKM WPA-EAP-SUITE-B-192 can now be used to select 192-bit level Suite B into use as the key management method. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-25 22:32:01 +01:00
WPA_GET_BE16(key->key_length), key_data_len);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
wpa_hexdump(MSG_DEBUG, " replay_counter",
key->replay_counter, WPA_REPLAY_COUNTER_LEN);
wpa_hexdump(MSG_DEBUG, " key_nonce", key->key_nonce, WPA_NONCE_LEN);
wpa_hexdump(MSG_DEBUG, " key_iv", key->key_iv, 16);
wpa_hexdump(MSG_DEBUG, " key_rsc", key->key_rsc, 8);
wpa_hexdump(MSG_DEBUG, " key_id (reserved)", key->key_id, 8);
Add Suite B 192-bit AKM WPA-EAP-SUITE-B-192 can now be used to select 192-bit level Suite B into use as the key management method. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-25 22:32:01 +01:00
wpa_hexdump(MSG_DEBUG, " key_mic", mic, mic_len);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
#endif /* CONFIG_NO_STDOUT_DEBUG */
}
FILS: Use AEAD cipher to check received EAPOL-Key frames (STA) This changes 4-way handshake authenticator processing to decrypt the EAPOL-Key frames using an AEAD cipher (AES-SIV with FILS AKMs) before processing the Key Data field. This replaces Key MIC validation for the cases where AEAD cipher is used. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-03 16:57:09 +02:00
#ifdef CONFIG_FILS
static int wpa_supp_aead_decrypt(struct wpa_sm *sm, u8 *buf, size_t buf_len,
size_t *key_data_len)
{
struct wpa_ptk *ptk;
struct ieee802_1x_hdr *hdr;
struct wpa_eapol_key *key;
u8 *pos, *tmp;
const u8 *aad[1];
size_t aad_len[1];
if (*key_data_len < AES_BLOCK_SIZE) {
wpa_printf(MSG_INFO, "No room for AES-SIV data in the frame");
return -1;
}
if (sm->tptk_set)
ptk = &sm->tptk;
else if (sm->ptk_set)
ptk = &sm->ptk;
else
return -1;
hdr = (struct ieee802_1x_hdr *) buf;
key = (struct wpa_eapol_key *) (hdr + 1);
pos = (u8 *) (key + 1);
pos += 2; /* Pointing at the Encrypted Key Data field */
tmp = os_malloc(*key_data_len);
if (!tmp)
return -1;
/* AES-SIV AAD from EAPOL protocol version field (inclusive) to
* to Key Data (exclusive). */
aad[0] = buf;
aad_len[0] = pos - buf;
if (aes_siv_decrypt(ptk->kek, ptk->kek_len, pos, *key_data_len,
1, aad, aad_len, tmp) < 0) {
wpa_printf(MSG_INFO, "Invalid AES-SIV data in the frame");
bin_clear_free(tmp, *key_data_len);
return -1;
}
/* AEAD decryption and validation completed successfully */
(*key_data_len) -= AES_BLOCK_SIZE;
wpa_hexdump_key(MSG_DEBUG, "WPA: Decrypted Key Data",
tmp, *key_data_len);
/* Replace Key Data field with the decrypted version */
os_memcpy(pos, tmp, *key_data_len);
pos -= 2; /* Key Data Length field */
WPA_PUT_BE16(pos, *key_data_len);
bin_clear_free(tmp, *key_data_len);
if (sm->tptk_set) {
sm->tptk_set = 0;
sm->ptk_set = 1;
os_memcpy(&sm->ptk, &sm->tptk, sizeof(sm->ptk));
os_memset(&sm->tptk, 0, sizeof(sm->tptk));
}
os_memcpy(sm->rx_replay_counter, key->replay_counter,
WPA_REPLAY_COUNTER_LEN);
sm->rx_replay_counter_set = 1;
return 0;
}
#endif /* CONFIG_FILS */
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
/**
* wpa_sm_rx_eapol - Process received WPA EAPOL frames
* @sm: Pointer to WPA state machine data from wpa_sm_init()
* @src_addr: Source MAC address of the EAPOL packet
* @buf: Pointer to the beginning of the EAPOL data (EAPOL header)
* @len: Length of the EAPOL frame
* Returns: 1 = WPA EAPOL-Key processed, 0 = not a WPA EAPOL-Key, -1 failure
*
* This function is called for each received EAPOL frame. Other than EAPOL-Key
* frames can be skipped if filtering is done elsewhere. wpa_sm_rx_eapol() is
* only processing WPA and WPA2 EAPOL-Key frames.
*
* The received EAPOL-Key packets are validated and valid packets are replied
* to. In addition, key material (PTK, GTK) is configured at the end of a
* successful key handshake.
*/
int wpa_sm_rx_eapol(struct wpa_sm *sm, const u8 *src_addr,
const u8 *buf, size_t len)
{
Clean up EAPOL-Key Key Data processing Use a single location in wpa_sm_rx_eapol() for preparing the pointer to the Key Data field and to its validated length instead of fetching that information in number of processing functions separately. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-14 18:02:46 +02:00
size_t plen, data_len, key_data_len;
Clean up EAPOL-Key processing Re-order wpa_sm_rx_eapol() to first go through all EAPOL (802.1X) header validation steps using the original message buffer and re-allocate and copy the frame only if this is a valid EAPOL frame that contains an EAPOL-Key. This makes the implementation easier to understand and saves unnecessary memory allocations and copying should other types of EAPOL frames get here. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-14 17:31:14 +02:00
const struct ieee802_1x_hdr *hdr;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
struct wpa_eapol_key *key;
u16 key_info, ver;
Clean up EAPOL-Key processing Re-order wpa_sm_rx_eapol() to first go through all EAPOL (802.1X) header validation steps using the original message buffer and re-allocate and copy the frame only if this is a valid EAPOL frame that contains an EAPOL-Key. This makes the implementation easier to understand and saves unnecessary memory allocations and copying should other types of EAPOL frames get here. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-14 17:31:14 +02:00
u8 *tmp = NULL;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
int ret = -1;
Make struct wpa_eapol_key easier to use with variable length MIC Suite B 192-bit addition from IEEE Std 802.11ac-2013 replaced the previous fixed length Key MIC field with a variable length field. That change was addressed with an addition of a new struct defined for the second MIC length. This is not really scalable and with FILS coming up with a zero-length MIC case for AEAD, a more thorough change to support variable length MIC is needed. Remove the Key MIC and Key Data Length fields from the struct wpa_eapol_key and find their location based on the MIC length information (which is determined by the AKMP). This change allows the separate struct wpa_eapol_key_192 to be removed since struct wpa_eapol_key will now include only the fixed length fields that are shared with all EAPOL-Key cases in IEEE Std 802.11. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-02 21:55:03 +02:00
u8 *mic, *key_data;
Fix EAPOL-Key msg 1/4 processing in a corner case If reassoc_same_bss_optim=1 is used to optimize reassociation back to the same BSS, it was possible for sm->pmk_len to be 0 due to a disconnection event getting processed after sending out the reassociation request. This resulted in wpa_sm_rx_eapol() calling wpa_mic_len() with incorrect PMK length when PMKSA caching was being attempted. That resulted in incorrect mic_len getting determined and not finding the correct Key Data Length field value. This could result in failing to complete 4-way handshake successfully. Fix this by updating the current PMK length based on the selected PMKSA cache entry if sm->pmk_len is not set when processing EAPOL-Key msg 1/4. Signed-off-by: Jouni Malinen <j@w1.fi>
2020-08-22 13:00:34 +02:00
size_t mic_len, keyhdrlen, pmk_len;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
#ifdef CONFIG_IEEE80211R
sm->ft_completed = 0;
#endif /* CONFIG_IEEE80211R */
Fix EAPOL-Key msg 1/4 processing in a corner case If reassoc_same_bss_optim=1 is used to optimize reassociation back to the same BSS, it was possible for sm->pmk_len to be 0 due to a disconnection event getting processed after sending out the reassociation request. This resulted in wpa_sm_rx_eapol() calling wpa_mic_len() with incorrect PMK length when PMKSA caching was being attempted. That resulted in incorrect mic_len getting determined and not finding the correct Key Data Length field value. This could result in failing to complete 4-way handshake successfully. Fix this by updating the current PMK length based on the selected PMKSA cache entry if sm->pmk_len is not set when processing EAPOL-Key msg 1/4. Signed-off-by: Jouni Malinen <j@w1.fi>
2020-08-22 13:00:34 +02:00
pmk_len = sm->pmk_len;
if (!pmk_len && sm->cur_pmksa)
pmk_len = sm->cur_pmksa->pmk_len;
mic_len = wpa_mic_len(sm->key_mgmt, pmk_len);
Make struct wpa_eapol_key easier to use with variable length MIC Suite B 192-bit addition from IEEE Std 802.11ac-2013 replaced the previous fixed length Key MIC field with a variable length field. That change was addressed with an addition of a new struct defined for the second MIC length. This is not really scalable and with FILS coming up with a zero-length MIC case for AEAD, a more thorough change to support variable length MIC is needed. Remove the Key MIC and Key Data Length fields from the struct wpa_eapol_key and find their location based on the MIC length information (which is determined by the AKMP). This change allows the separate struct wpa_eapol_key_192 to be removed since struct wpa_eapol_key will now include only the fixed length fields that are shared with all EAPOL-Key cases in IEEE Std 802.11. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-02 21:55:03 +02:00
keyhdrlen = sizeof(*key) + mic_len + 2;
Add Suite B 192-bit AKM WPA-EAP-SUITE-B-192 can now be used to select 192-bit level Suite B into use as the key management method. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-25 22:32:01 +01:00
if (len < sizeof(*hdr) + keyhdrlen) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
"WPA: EAPOL frame too short to be a WPA "
"EAPOL-Key (len %lu, expecting at least %lu)",
(unsigned long) len,
Add Suite B 192-bit AKM WPA-EAP-SUITE-B-192 can now be used to select 192-bit level Suite B into use as the key management method. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-25 22:32:01 +01:00
(unsigned long) sizeof(*hdr) + keyhdrlen);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
return 0;
}
Clean up EAPOL-Key processing Re-order wpa_sm_rx_eapol() to first go through all EAPOL (802.1X) header validation steps using the original message buffer and re-allocate and copy the frame only if this is a valid EAPOL frame that contains an EAPOL-Key. This makes the implementation easier to understand and saves unnecessary memory allocations and copying should other types of EAPOL frames get here. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-14 17:31:14 +02:00
hdr = (const struct ieee802_1x_hdr *) buf;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
plen = be_to_host16(hdr->length);
data_len = plen + sizeof(*hdr);
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
"IEEE 802.1X RX: version=%d type=%d length=%lu",
hdr->version, hdr->type, (unsigned long) plen);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
if (hdr->version < EAPOL_VERSION) {
/* TODO: backwards compatibility */
}
if (hdr->type != IEEE802_1X_TYPE_EAPOL_KEY) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
"WPA: EAPOL frame (type %u) discarded, "
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
"not a Key frame", hdr->type);
ret = 0;
goto out;
}
Clean up EAPOL-Key processing Re-order wpa_sm_rx_eapol() to first go through all EAPOL (802.1X) header validation steps using the original message buffer and re-allocate and copy the frame only if this is a valid EAPOL frame that contains an EAPOL-Key. This makes the implementation easier to understand and saves unnecessary memory allocations and copying should other types of EAPOL frames get here. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-14 17:31:14 +02:00
wpa_hexdump(MSG_MSGDUMP, "WPA: RX EAPOL-Key", buf, len);
Add Suite B 192-bit AKM WPA-EAP-SUITE-B-192 can now be used to select 192-bit level Suite B into use as the key management method. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-25 22:32:01 +01:00
if (plen > len - sizeof(*hdr) || plen < keyhdrlen) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
"WPA: EAPOL frame payload size %lu "
"invalid (frame size %lu)",
(unsigned long) plen, (unsigned long) len);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
ret = 0;
goto out;
}
Clean up EAPOL-Key processing Re-order wpa_sm_rx_eapol() to first go through all EAPOL (802.1X) header validation steps using the original message buffer and re-allocate and copy the frame only if this is a valid EAPOL frame that contains an EAPOL-Key. This makes the implementation easier to understand and saves unnecessary memory allocations and copying should other types of EAPOL frames get here. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-14 17:31:14 +02:00
if (data_len < len) {
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
"WPA: ignoring %lu bytes after the IEEE 802.1X data",
(unsigned long) len - data_len);
}
/*
* Make a copy of the frame since we need to modify the buffer during
* MAC validation and Key Data decryption.
*/
Use os_memdup() This leads to cleaner code overall, and also reduces the size of the hostapd and wpa_supplicant binaries (in hwsim test build on x86_64) by about 2.5 and 3.5KiB respectively. The mechanical conversions all over the code were done with the following spatch: @@ expression SIZE, SRC; expression a; @@ -a = os_malloc(SIZE); +a = os_memdup(SRC, SIZE); <... if (!a) {...} ...> -os_memcpy(a, SRC, SIZE); Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2017-03-07 10:17:23 +01:00
tmp = os_memdup(buf, data_len);
Clean up EAPOL-Key processing Re-order wpa_sm_rx_eapol() to first go through all EAPOL (802.1X) header validation steps using the original message buffer and re-allocate and copy the frame only if this is a valid EAPOL frame that contains an EAPOL-Key. This makes the implementation easier to understand and saves unnecessary memory allocations and copying should other types of EAPOL frames get here. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-14 17:31:14 +02:00
if (tmp == NULL)
goto out;
key = (struct wpa_eapol_key *) (tmp + sizeof(struct ieee802_1x_hdr));
Make struct wpa_eapol_key easier to use with variable length MIC Suite B 192-bit addition from IEEE Std 802.11ac-2013 replaced the previous fixed length Key MIC field with a variable length field. That change was addressed with an addition of a new struct defined for the second MIC length. This is not really scalable and with FILS coming up with a zero-length MIC case for AEAD, a more thorough change to support variable length MIC is needed. Remove the Key MIC and Key Data Length fields from the struct wpa_eapol_key and find their location based on the MIC length information (which is determined by the AKMP). This change allows the separate struct wpa_eapol_key_192 to be removed since struct wpa_eapol_key will now include only the fixed length fields that are shared with all EAPOL-Key cases in IEEE Std 802.11. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-02 21:55:03 +02:00
mic = (u8 *) (key + 1);
key_data = mic + mic_len + 2;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
if (key->type != EAPOL_KEY_TYPE_WPA && key->type != EAPOL_KEY_TYPE_RSN)
{
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
"WPA: EAPOL-Key type (%d) unknown, discarded",
key->type);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
ret = 0;
goto out;
}
Make struct wpa_eapol_key easier to use with variable length MIC Suite B 192-bit addition from IEEE Std 802.11ac-2013 replaced the previous fixed length Key MIC field with a variable length field. That change was addressed with an addition of a new struct defined for the second MIC length. This is not really scalable and with FILS coming up with a zero-length MIC case for AEAD, a more thorough change to support variable length MIC is needed. Remove the Key MIC and Key Data Length fields from the struct wpa_eapol_key and find their location based on the MIC length information (which is determined by the AKMP). This change allows the separate struct wpa_eapol_key_192 to be removed since struct wpa_eapol_key will now include only the fixed length fields that are shared with all EAPOL-Key cases in IEEE Std 802.11. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-02 21:55:03 +02:00
key_data_len = WPA_GET_BE16(mic + mic_len);
wpa_eapol_key_dump(sm, key, key_data_len, mic, mic_len);
Add Suite B 192-bit AKM WPA-EAP-SUITE-B-192 can now be used to select 192-bit level Suite B into use as the key management method. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-25 22:32:01 +01:00
if (key_data_len > plen - keyhdrlen) {
Clean up EAPOL-Key processing Re-order wpa_sm_rx_eapol() to first go through all EAPOL (802.1X) header validation steps using the original message buffer and re-allocate and copy the frame only if this is a valid EAPOL frame that contains an EAPOL-Key. This makes the implementation easier to understand and saves unnecessary memory allocations and copying should other types of EAPOL frames get here. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-14 17:31:14 +02:00
wpa_msg(sm->ctx->msg_ctx, MSG_INFO, "WPA: Invalid EAPOL-Key "
"frame - key_data overflow (%u > %u)",
Clean up EAPOL-Key Key Data processing Use a single location in wpa_sm_rx_eapol() for preparing the pointer to the Key Data field and to its validated length instead of fetching that information in number of processing functions separately. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-14 18:02:46 +02:00
(unsigned int) key_data_len,
Add Suite B 192-bit AKM WPA-EAP-SUITE-B-192 can now be used to select 192-bit level Suite B into use as the key management method. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-25 22:32:01 +01:00
(unsigned int) (plen - keyhdrlen));
Clean up EAPOL-Key processing Re-order wpa_sm_rx_eapol() to first go through all EAPOL (802.1X) header validation steps using the original message buffer and re-allocate and copy the frame only if this is a valid EAPOL frame that contains an EAPOL-Key. This makes the implementation easier to understand and saves unnecessary memory allocations and copying should other types of EAPOL frames get here. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-14 17:31:14 +02:00
goto out;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
}
Clean up EAPOL-Key processing Re-order wpa_sm_rx_eapol() to first go through all EAPOL (802.1X) header validation steps using the original message buffer and re-allocate and copy the frame only if this is a valid EAPOL frame that contains an EAPOL-Key. This makes the implementation easier to understand and saves unnecessary memory allocations and copying should other types of EAPOL frames get here. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-14 17:31:14 +02:00
eapol_sm_notify_lower_layer_success(sm->eapol, 0);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
key_info = WPA_GET_BE16(key->key_info);
ver = key_info & WPA_KEY_INFO_TYPE_MASK;
if (ver != WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 &&
ver != WPA_KEY_INFO_TYPE_AES_128_CMAC &&
HS 2.0R2: Add OSEN client implementation Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-07-23 20:24:05 +02:00
ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES &&
SAE: Fix EAPOL-Key integrity and key-wrap algorithm selection The SAE AKM 00-0F-AC:8 is supposed to use EAPOL-Key Key Descriptor Version 0 (AKM-defined) with AES-128-CMAC and NIST AES Key Wrap. However, the previous implementation ended up using Key Descriptor Version 2 (HMAC-SHA-1-128 and NIST AES Key Wrap). Fix this by using the appropriate Key Descriptor Version and integrity algorithm. Use helper functions to keep the selection clearer and more consistent between wpa_supplicant and hostapd uses. Note: This change is not backwards compatible. Both the AP and station side implementations will need to be updated at the same time to maintain functionality. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-03-16 12:04:15 +01:00
!wpa_use_akm_defined(sm->key_mgmt)) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
"WPA: Unsupported EAPOL-Key descriptor version %d",
ver);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
goto out;
}
SAE: Fix EAPOL-Key integrity and key-wrap algorithm selection The SAE AKM 00-0F-AC:8 is supposed to use EAPOL-Key Key Descriptor Version 0 (AKM-defined) with AES-128-CMAC and NIST AES Key Wrap. However, the previous implementation ended up using Key Descriptor Version 2 (HMAC-SHA-1-128 and NIST AES Key Wrap). Fix this by using the appropriate Key Descriptor Version and integrity algorithm. Use helper functions to keep the selection clearer and more consistent between wpa_supplicant and hostapd uses. Note: This change is not backwards compatible. Both the AP and station side implementations will need to be updated at the same time to maintain functionality. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-03-16 12:04:15 +01:00
if (wpa_use_akm_defined(sm->key_mgmt) &&
Suite B: Select EAPOL-Key integrity and key-wrap algorithms based on AKM This adds support for AKM 00-0F-AC:11 to specify the integrity and key-wrap algorithms for EAPOL-Key frames using the new design where descriptor version is set to 0 and algorithms are determined based on AKM. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-16 14:40:02 +01:00
ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) {
wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
"RSN: Unsupported EAPOL-Key descriptor version %d (expected AKM defined = 0)",
ver);
goto out;
}
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
#ifdef CONFIG_IEEE80211R
Added support for using SHA256-based stronger key derivation for WPA2 IEEE 802.11w/D6.0 defines new AKMPs to indicate SHA256-based algorithms for key derivation (and AES-CMAC for EAPOL-Key MIC). Add support for using new AKMPs and clean up AKMP processing with helper functions in defs.h.
2008-08-31 21:57:28 +02:00
if (wpa_key_mgmt_ft(sm->key_mgmt)) {
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
/* IEEE 802.11r uses a new key_info type (AES-128-CMAC). */
SAE: Fix EAPOL-Key integrity and key-wrap algorithm selection The SAE AKM 00-0F-AC:8 is supposed to use EAPOL-Key Key Descriptor Version 0 (AKM-defined) with AES-128-CMAC and NIST AES Key Wrap. However, the previous implementation ended up using Key Descriptor Version 2 (HMAC-SHA-1-128 and NIST AES Key Wrap). Fix this by using the appropriate Key Descriptor Version and integrity algorithm. Use helper functions to keep the selection clearer and more consistent between wpa_supplicant and hostapd uses. Note: This change is not backwards compatible. Both the AP and station side implementations will need to be updated at the same time to maintain functionality. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-03-16 12:04:15 +01:00
if (ver != WPA_KEY_INFO_TYPE_AES_128_CMAC &&
!wpa_use_akm_defined(sm->key_mgmt)) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
"FT: AP did not use AES-128-CMAC");
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
goto out;
}
} else
#endif /* CONFIG_IEEE80211R */
Added support for using SHA256-based stronger key derivation for WPA2 IEEE 802.11w/D6.0 defines new AKMPs to indicate SHA256-based algorithms for key derivation (and AES-CMAC for EAPOL-Key MIC). Add support for using new AKMPs and clean up AKMP processing with helper functions in defs.h.
2008-08-31 21:57:28 +02:00
if (wpa_key_mgmt_sha256(sm->key_mgmt)) {
HS 2.0R2: Add OSEN client implementation Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-07-23 20:24:05 +02:00
if (ver != WPA_KEY_INFO_TYPE_AES_128_CMAC &&
SAE: Fix EAPOL-Key integrity and key-wrap algorithm selection The SAE AKM 00-0F-AC:8 is supposed to use EAPOL-Key Key Descriptor Version 0 (AKM-defined) with AES-128-CMAC and NIST AES Key Wrap. However, the previous implementation ended up using Key Descriptor Version 2 (HMAC-SHA-1-128 and NIST AES Key Wrap). Fix this by using the appropriate Key Descriptor Version and integrity algorithm. Use helper functions to keep the selection clearer and more consistent between wpa_supplicant and hostapd uses. Note: This change is not backwards compatible. Both the AP and station side implementations will need to be updated at the same time to maintain functionality. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-03-16 12:04:15 +01:00
!wpa_use_akm_defined(sm->key_mgmt)) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
"WPA: AP did not use the "
"negotiated AES-128-CMAC");
Added support for using SHA256-based stronger key derivation for WPA2 IEEE 802.11w/D6.0 defines new AKMPs to indicate SHA256-based algorithms for key derivation (and AES-CMAC for EAPOL-Key MIC). Add support for using new AKMPs and clean up AKMP processing with helper functions in defs.h.
2008-08-31 21:57:28 +02:00
goto out;
}
Remove CONFIG_IEEE80211W build parameter Hardcode this to be defined and remove the separate build options for PMF since this functionality is needed with large number of newer protocol extensions and is also something that should be enabled in all WPA2/WPA3 networks. Signed-off-by: Jouni Malinen <j@w1.fi>
2019-09-08 16:17:31 +02:00
} else if (sm->pairwise_cipher == WPA_CIPHER_CCMP &&
!wpa_use_akm_defined(sm->key_mgmt) &&
ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
"WPA: CCMP is used, but EAPOL-Key "
"descriptor version (%d) is not 2", ver);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
if (sm->group_cipher != WPA_CIPHER_CCMP &&
!(key_info & WPA_KEY_INFO_KEY_TYPE)) {
/* Earlier versions of IEEE 802.11i did not explicitly
* require version 2 descriptor for all EAPOL-Key
* packets, so allow group keys to use version 1 if
* CCMP is not used for them. */
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
"WPA: Backwards compatibility: allow invalid "
"version for non-CCMP group keys");
Work around AP misbehavior on EAPOL-Key descriptor version It looks like some APs are incorrectly selecting descriptor version 3 (AES-128-CMAC) for EAPOL-Key frames when version 2 (HMAC-SHA1) was expected to be used. This is likely triggered by an attempt to negotiate PMF with SHA1-based AKM. Since AES-128-CMAC is considered stronger than HMAC-SHA1, allow the incorrect, but stronger, option to be used in these cases to avoid interoperability issues with deployed APs. This issue shows up with "WPA: CCMP is used, but EAPOL-Key descriptor version (3) is not 2" in debug log. With the new workaround, this issue is ignored and "WPA: Interoperability workaround: allow incorrect (should have been HMAC-SHA1), but stronger (is AES-128-CMAC), descriptor version to be used" is written to the log. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-11-14 19:57:05 +01:00
} else if (ver == WPA_KEY_INFO_TYPE_AES_128_CMAC) {
wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
"WPA: Interoperability workaround: allow incorrect (should have been HMAC-SHA1), but stronger (is AES-128-CMAC), descriptor version to be used");
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
} else
goto out;
Fix validation of RSN EAPOL-Key version for GCMP with PMF If PMF was enabled, the validation step for EAPOL-Key descriptor version ended up rejecting the message if GCMP had been negotiated as the pairwise cipher. Fix this by making the GCMP check skipped similarly to the CCMP case if a SHA256-based AKM is used. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-06-02 16:03:33 +02:00
} else if (sm->pairwise_cipher == WPA_CIPHER_GCMP &&
SAE: Fix EAPOL-Key integrity and key-wrap algorithm selection The SAE AKM 00-0F-AC:8 is supposed to use EAPOL-Key Key Descriptor Version 0 (AKM-defined) with AES-128-CMAC and NIST AES Key Wrap. However, the previous implementation ended up using Key Descriptor Version 2 (HMAC-SHA-1-128 and NIST AES Key Wrap). Fix this by using the appropriate Key Descriptor Version and integrity algorithm. Use helper functions to keep the selection clearer and more consistent between wpa_supplicant and hostapd uses. Note: This change is not backwards compatible. Both the AP and station side implementations will need to be updated at the same time to maintain functionality. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-03-16 12:04:15 +01:00
!wpa_use_akm_defined(sm->key_mgmt) &&
Fix validation of RSN EAPOL-Key version for GCMP with PMF If PMF was enabled, the validation step for EAPOL-Key descriptor version ended up rejecting the message if GCMP had been negotiated as the pairwise cipher. Fix this by making the GCMP check skipped similarly to the CCMP case if a SHA256-based AKM is used. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-06-02 16:03:33 +02:00
ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
Add support for using GCMP cipher from IEEE 802.11ad This allows both hostapd and wpa_supplicant to be used to derive and configure keys for GCMP. This is quite similar to CCMP key configuration, but a different cipher suite and somewhat different rules are used in cipher selection. It should be noted that GCMP is not included in default parameters at least for now, so explicit pairwise/group configuration is needed to enable it. This may change in the future to allow GCMP to be selected automatically in cases where CCMP could have been used. This commit does not included changes to WPS or P2P to allow GCMP to be used. Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-08-29 10:52:15 +02:00
wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
"WPA: GCMP is used, but EAPOL-Key "
"descriptor version (%d) is not 2", ver);
goto out;
}
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
Remove all PeerKey functionality This was originally added to allow the IEEE 802.11 protocol to be tested, but there are no known fully functional implementations based on this nor any known deployments of PeerKey functionality. Furthermore, PeerKey design in the IEEE Std 802.11-2016 standard has already been marked as obsolete for DLS and it is being considered for complete removal in REVmd. This implementation did not really work, so it could not have been used in practice. For example, key configuration was using incorrect algorithm values (WPA_CIPHER_* instead of WPA_ALG_*) which resulted in mapping to an invalid WPA_ALG_* value for the actual driver operation. As such, the derived key could not have been successfully set for the link. Since there are bugs in this implementation and there does not seem to be any future for the PeerKey design with DLS (TDLS being the future for DLS), the best approach is to simply delete all this code to simplify the EAPOL-Key handling design and to get rid of any potential issues if these code paths were accidentially reachable. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-09-22 13:59:13 +02:00
if (sm->rx_replay_counter_set &&
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
os_memcmp(key->replay_counter, sm->rx_replay_counter,
WPA_REPLAY_COUNTER_LEN) <= 0) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
"WPA: EAPOL-Key Replay Counter did not increase - "
"dropping packet");
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
goto out;
}
Remove all PeerKey functionality This was originally added to allow the IEEE 802.11 protocol to be tested, but there are no known fully functional implementations based on this nor any known deployments of PeerKey functionality. Furthermore, PeerKey design in the IEEE Std 802.11-2016 standard has already been marked as obsolete for DLS and it is being considered for complete removal in REVmd. This implementation did not really work, so it could not have been used in practice. For example, key configuration was using incorrect algorithm values (WPA_CIPHER_* instead of WPA_ALG_*) which resulted in mapping to an invalid WPA_ALG_* value for the actual driver operation. As such, the derived key could not have been successfully set for the link. Since there are bugs in this implementation and there does not seem to be any future for the PeerKey design with DLS (TDLS being the future for DLS), the best approach is to simply delete all this code to simplify the EAPOL-Key handling design and to get rid of any potential issues if these code paths were accidentially reachable. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-09-22 13:59:13 +02:00
if (key_info & WPA_KEY_INFO_SMK_MESSAGE) {
wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
"WPA: Unsupported SMK bit in key_info");
goto out;
}
if (!(key_info & WPA_KEY_INFO_ACK)) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
"WPA: No Ack bit in key_info");
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
goto out;
}
if (key_info & WPA_KEY_INFO_REQUEST) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
"WPA: EAPOL-Key with Request bit - dropped");
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
goto out;
}
Remove all PeerKey functionality This was originally added to allow the IEEE 802.11 protocol to be tested, but there are no known fully functional implementations based on this nor any known deployments of PeerKey functionality. Furthermore, PeerKey design in the IEEE Std 802.11-2016 standard has already been marked as obsolete for DLS and it is being considered for complete removal in REVmd. This implementation did not really work, so it could not have been used in practice. For example, key configuration was using incorrect algorithm values (WPA_CIPHER_* instead of WPA_ALG_*) which resulted in mapping to an invalid WPA_ALG_* value for the actual driver operation. As such, the derived key could not have been successfully set for the link. Since there are bugs in this implementation and there does not seem to be any future for the PeerKey design with DLS (TDLS being the future for DLS), the best approach is to simply delete all this code to simplify the EAPOL-Key handling design and to get rid of any potential issues if these code paths were accidentially reachable. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-09-22 13:59:13 +02:00
if ((key_info & WPA_KEY_INFO_MIC) &&
Make struct wpa_eapol_key easier to use with variable length MIC Suite B 192-bit addition from IEEE Std 802.11ac-2013 replaced the previous fixed length Key MIC field with a variable length field. That change was addressed with an addition of a new struct defined for the second MIC length. This is not really scalable and with FILS coming up with a zero-length MIC case for AEAD, a more thorough change to support variable length MIC is needed. Remove the Key MIC and Key Data Length fields from the struct wpa_eapol_key and find their location based on the MIC length information (which is determined by the AKMP). This change allows the separate struct wpa_eapol_key_192 to be removed since struct wpa_eapol_key will now include only the fixed length fields that are shared with all EAPOL-Key cases in IEEE Std 802.11. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-02 21:55:03 +02:00
wpa_supplicant_verify_eapol_key_mic(sm, key, ver, tmp, data_len))
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
goto out;
FILS: Use AEAD cipher to check received EAPOL-Key frames (STA) This changes 4-way handshake authenticator processing to decrypt the EAPOL-Key frames using an AEAD cipher (AES-SIV with FILS AKMs) before processing the Key Data field. This replaces Key MIC validation for the cases where AEAD cipher is used. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-03 16:57:09 +02:00
#ifdef CONFIG_FILS
if (!mic_len && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
if (wpa_supp_aead_decrypt(sm, tmp, data_len, &key_data_len))
goto out;
}
#endif /* CONFIG_FILS */
HS 2.0R2 AP: Add OSEN implementation Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-07-23 20:25:21 +02:00
if ((sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) &&
FILS: Use AEAD cipher to check received EAPOL-Key frames (STA) This changes 4-way handshake authenticator processing to decrypt the EAPOL-Key frames using an AEAD cipher (AES-SIV with FILS AKMs) before processing the Key Data field. This replaces Key MIC validation for the cases where AEAD cipher is used. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-03 16:57:09 +02:00
(key_info & WPA_KEY_INFO_ENCR_KEY_DATA) && mic_len) {
WPA: Ignore unauthenticated encrypted EAPOL-Key data Ignore unauthenticated encrypted EAPOL-Key data in supplicant processing. When using WPA2, these are frames that have the Encrypted flag set, but not the MIC flag. When using WPA2, EAPOL-Key frames that had the Encrypted flag set but not the MIC flag, had their data field decrypted without first verifying the MIC. In case the data field was encrypted using RC4 (i.e., when negotiating TKIP as the pairwise cipher), this meant that unauthenticated but decrypted data would then be processed. An adversary could abuse this as a decryption oracle to recover sensitive information in the data field of EAPOL-Key messages (e.g., the group key). (CVE-2018-14526) Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-07-15 01:25:53 +02:00
/*
* Only decrypt the Key Data field if the frame's authenticity
* was verified. When using AES-SIV (FILS), the MIC flag is not
* set, so this check should only be performed if mic_len != 0
* which is the case in this code branch.
*/
if (!(key_info & WPA_KEY_INFO_MIC)) {
wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
"WPA: Ignore EAPOL-Key with encrypted but unauthenticated data");
goto out;
}
Make struct wpa_eapol_key easier to use with variable length MIC Suite B 192-bit addition from IEEE Std 802.11ac-2013 replaced the previous fixed length Key MIC field with a variable length field. That change was addressed with an addition of a new struct defined for the second MIC length. This is not really scalable and with FILS coming up with a zero-length MIC case for AEAD, a more thorough change to support variable length MIC is needed. Remove the Key MIC and Key Data Length fields from the struct wpa_eapol_key and find their location based on the MIC length information (which is determined by the AKMP). This change allows the separate struct wpa_eapol_key_192 to be removed since struct wpa_eapol_key will now include only the fixed length fields that are shared with all EAPOL-Key cases in IEEE Std 802.11. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-02 21:55:03 +02:00
if (wpa_supplicant_decrypt_key_data(sm, key, mic_len,
ver, key_data,
Clean up EAPOL-Key Key Data processing Use a single location in wpa_sm_rx_eapol() for preparing the pointer to the Key Data field and to its validated length instead of fetching that information in number of processing functions separately. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-14 18:02:46 +02:00
&key_data_len))
Clean up EAPOL-Key processing Re-order wpa_sm_rx_eapol() to first go through all EAPOL (802.1X) header validation steps using the original message buffer and re-allocate and copy the frame only if this is a valid EAPOL frame that contains an EAPOL-Key. This makes the implementation easier to understand and saves unnecessary memory allocations and copying should other types of EAPOL frames get here. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-14 17:31:14 +02:00
goto out;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
}
if (key_info & WPA_KEY_INFO_KEY_TYPE) {
if (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
"WPA: Ignored EAPOL-Key (Pairwise) with "
"non-zero key index");
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
goto out;
}
Remove all PeerKey functionality This was originally added to allow the IEEE 802.11 protocol to be tested, but there are no known fully functional implementations based on this nor any known deployments of PeerKey functionality. Furthermore, PeerKey design in the IEEE Std 802.11-2016 standard has already been marked as obsolete for DLS and it is being considered for complete removal in REVmd. This implementation did not really work, so it could not have been used in practice. For example, key configuration was using incorrect algorithm values (WPA_CIPHER_* instead of WPA_ALG_*) which resulted in mapping to an invalid WPA_ALG_* value for the actual driver operation. As such, the derived key could not have been successfully set for the link. Since there are bugs in this implementation and there does not seem to be any future for the PeerKey design with DLS (TDLS being the future for DLS), the best approach is to simply delete all this code to simplify the EAPOL-Key handling design and to get rid of any potential issues if these code paths were accidentially reachable. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-09-22 13:59:13 +02:00
if (key_info & (WPA_KEY_INFO_MIC |
WPA_KEY_INFO_ENCR_KEY_DATA)) {
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
/* 3/4 4-Way Handshake */
Clean up EAPOL-Key Key Data processing Use a single location in wpa_sm_rx_eapol() for preparing the pointer to the Key Data field and to its validated length instead of fetching that information in number of processing functions separately. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-14 18:02:46 +02:00
wpa_supplicant_process_3_of_4(sm, key, ver, key_data,
key_data_len);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
} else {
/* 1/4 4-Way Handshake */
wpa_supplicant_process_1_of_4(sm, src_addr, key,
Clean up EAPOL-Key Key Data processing Use a single location in wpa_sm_rx_eapol() for preparing the pointer to the Key Data field and to its validated length instead of fetching that information in number of processing functions separately. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-14 18:02:46 +02:00
ver, key_data,
key_data_len);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
}
} else {
FILS: Handle Group Key msg 1/2 without MIC when using AEAD cipher (STA) Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-03 17:26:25 +02:00
if ((mic_len && (key_info & WPA_KEY_INFO_MIC)) ||
(!mic_len && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA))) {
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
/* 1/2 Group Key Handshake */
wpa_supplicant_process_1_of_2(sm, src_addr, key,
Clean up EAPOL-Key Key Data processing Use a single location in wpa_sm_rx_eapol() for preparing the pointer to the Key Data field and to its validated length instead of fetching that information in number of processing functions separately. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-14 18:02:46 +02:00
key_data, key_data_len,
ver);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
} else {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
FILS: Handle Group Key msg 1/2 without MIC when using AEAD cipher (STA) Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-03 17:26:25 +02:00
"WPA: EAPOL-Key (Group) without Mic/Encr bit - "
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
"dropped");
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
}
}
ret = 1;
out:
Clear GTK from memory as soon as it is not needed anymore It was possible for the decrypted EAPOL-Key Key Data field to remain in heap after the temporary buffer was freed. Explicitly clear that buffer before freeing it to minimize the time GTK remains in memory. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-29 14:41:03 +01:00
bin_clear_free(tmp, data_len);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
return ret;
}
#ifdef CONFIG_CTRL_IFACE
static u32 wpa_key_mgmt_suite(struct wpa_sm *sm)
{
switch (sm->key_mgmt) {
case WPA_KEY_MGMT_IEEE8021X:
HS 2.0R2 AP: Add OSEN implementation Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-07-23 20:25:21 +02:00
return ((sm->proto == WPA_PROTO_RSN ||
sm->proto == WPA_PROTO_OSEN) ?
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
RSN_AUTH_KEY_MGMT_UNSPEC_802_1X :
WPA_AUTH_KEY_MGMT_UNSPEC_802_1X);
case WPA_KEY_MGMT_PSK:
return (sm->proto == WPA_PROTO_RSN ?
RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X :
WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X);
#ifdef CONFIG_IEEE80211R
case WPA_KEY_MGMT_FT_IEEE8021X:
return RSN_AUTH_KEY_MGMT_FT_802_1X;
case WPA_KEY_MGMT_FT_PSK:
return RSN_AUTH_KEY_MGMT_FT_PSK;
#endif /* CONFIG_IEEE80211R */
Added support for using SHA256-based stronger key derivation for WPA2 IEEE 802.11w/D6.0 defines new AKMPs to indicate SHA256-based algorithms for key derivation (and AES-CMAC for EAPOL-Key MIC). Add support for using new AKMPs and clean up AKMP processing with helper functions in defs.h.
2008-08-31 21:57:28 +02:00
case WPA_KEY_MGMT_IEEE8021X_SHA256:
return RSN_AUTH_KEY_MGMT_802_1X_SHA256;
case WPA_KEY_MGMT_PSK_SHA256:
return RSN_AUTH_KEY_MGMT_PSK_SHA256;
Reserve AKM and cipher suite values These values are used with WAPI and CCX and reserving the definitions here reduces the number of merge conflicts with repositories that include these functions. Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-30 19:26:55 +02:00
case WPA_KEY_MGMT_CCKM:
return (sm->proto == WPA_PROTO_RSN ?
RSN_AUTH_KEY_MGMT_CCKM:
WPA_AUTH_KEY_MGMT_CCKM);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
case WPA_KEY_MGMT_WPA_NONE:
return WPA_AUTH_KEY_MGMT_NONE;
Suite B: Add AKM 00-0F-AC:11 This adds definitions for the 128-bit level Suite B AKM 00-0F-AC:11. The functionality itself is not yet complete, i.e., this commit only includes parts to negotiate the new AKM. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-16 12:20:51 +01:00
case WPA_KEY_MGMT_IEEE8021X_SUITE_B:
return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B;
Add Suite B 192-bit AKM WPA-EAP-SUITE-B-192 can now be used to select 192-bit level Suite B into use as the key management method. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-25 22:32:01 +01:00
case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192:
return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B_192;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
default:
return 0;
}
}
#define RSN_SUITE "%02x-%02x-%02x-%d"
#define RSN_SUITE_ARG(s) \
((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff
/**
* wpa_sm_get_mib - Dump text list of MIB entries
* @sm: Pointer to WPA state machine data from wpa_sm_init()
* @buf: Buffer for the list
* @buflen: Length of the buffer
* Returns: Number of bytes written to buffer
*
* This function is used fetch dot11 MIB variables.
*/
int wpa_sm_get_mib(struct wpa_sm *sm, char *buf, size_t buflen)
{
char pmkid_txt[PMKID_LEN * 2 + 1];
RSN supp: Convert Boolean to C99 bool Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-24 00:04:24 +02:00
bool rsna;
int ret;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
size_t len;
if (sm->cur_pmksa) {
wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt),
sm->cur_pmksa->pmkid, PMKID_LEN);
} else
pmkid_txt[0] = '\0';
RSN supp: Convert Boolean to C99 bool Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-24 00:04:24 +02:00
rsna = (wpa_key_mgmt_wpa_psk(sm->key_mgmt) ||
wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt)) &&
sm->proto == WPA_PROTO_RSN;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
ret = os_snprintf(buf, buflen,
"dot11RSNAOptionImplemented=TRUE\n"
"dot11RSNAPreauthenticationImplemented=TRUE\n"
"dot11RSNAEnabled=%s\n"
"dot11RSNAPreauthenticationEnabled=%s\n"
"dot11RSNAConfigVersion=%d\n"
"dot11RSNAConfigPairwiseKeysSupported=5\n"
"dot11RSNAConfigGroupCipherSize=%d\n"
"dot11RSNAConfigPMKLifetime=%d\n"
"dot11RSNAConfigPMKReauthThreshold=%d\n"
"dot11RSNAConfigNumberOfPTKSAReplayCounters=1\n"
"dot11RSNAConfigSATimeout=%d\n",
rsna ? "TRUE" : "FALSE",
rsna ? "TRUE" : "FALSE",
RSN_VERSION,
Move WPA cipher information into a shared location Try to share most of the cipher information like key and RSC lengths and suite selector conversions, etc. in wpa_common.c to avoid having similar code throughout the WPA implementation for handling cipher specific behavior. Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-30 10:53:54 +02:00
wpa_cipher_key_len(sm->group_cipher) * 8,
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
sm->dot11RSNAConfigPMKLifetime,
sm->dot11RSNAConfigPMKReauthThreshold,
sm->dot11RSNAConfigSATimeout);
Check os_snprintf() result more consistently - automatic 1 This converts os_snprintf() result validation cases to use os_snprintf_error() where the exact rule used in os_snprintf_error() was used. These changes were done automatically with spatch using the following semantic patch: @@ identifier E1; expression E2,E3,E4,E5,E6; statement S1; @@ ( E1 = os_snprintf(E2, E3, ...); | int E1 = os_snprintf(E2, E3, ...); | if (E5) E1 = os_snprintf(E2, E3, ...); else E1 = os_snprintf(E2, E3, ...); | if (E5) E1 = os_snprintf(E2, E3, ...); else if (E6) E1 = os_snprintf(E2, E3, ...); else E1 = 0; | if (E5) { ... E1 = os_snprintf(E2, E3, ...); } else { ... return -1; } | if (E5) { ... E1 = os_snprintf(E2, E3, ...); } else if (E6) { ... E1 = os_snprintf(E2, E3, ...); } else { ... return -1; } | if (E5) { ... E1 = os_snprintf(E2, E3, ...); } else { ... E1 = os_snprintf(E2, E3, ...); } ) ? os_free(E4); - if (E1 < 0 || \( E1 >= E3 \| (size_t) E1 >= E3 \| (unsigned int) E1 >= E3 \| E1 >= (int) E3 \)) + if (os_snprintf_error(E3, E1)) ( S1 | { ... } ) Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-08 10:15:51 +01:00
if (os_snprintf_error(buflen, ret))
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
return 0;
len = ret;
ret = os_snprintf(
buf + len, buflen - len,
"dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n"
"dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n"
"dot11RSNAGroupCipherSelected=" RSN_SUITE "\n"
"dot11RSNAPMKIDUsed=%s\n"
"dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n"
"dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n"
"dot11RSNAGroupCipherRequested=" RSN_SUITE "\n"
"dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n"
"dot11RSNA4WayHandshakeFailures=%u\n",
RSN_SUITE_ARG(wpa_key_mgmt_suite(sm)),
Move WPA cipher information into a shared location Try to share most of the cipher information like key and RSC lengths and suite selector conversions, etc. in wpa_common.c to avoid having similar code throughout the WPA implementation for handling cipher specific behavior. Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-30 10:53:54 +02:00
RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
sm->pairwise_cipher)),
RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
sm->group_cipher)),
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
pmkid_txt,
RSN_SUITE_ARG(wpa_key_mgmt_suite(sm)),
Move WPA cipher information into a shared location Try to share most of the cipher information like key and RSC lengths and suite selector conversions, etc. in wpa_common.c to avoid having similar code throughout the WPA implementation for handling cipher specific behavior. Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-30 10:53:54 +02:00
RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
sm->pairwise_cipher)),
RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
sm->group_cipher)),
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
sm->dot11RSNA4WayHandshakeFailures);
Check os_snprintf() result more consistently - manual This converts os_snprintf() result validation cases to use os_snprintf_error() for cases that were note covered by spatch and semantic patches. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-07 11:52:59 +01:00
if (!os_snprintf_error(buflen - len, ret))
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
len += ret;
return (int) len;
}
#endif /* CONFIG_CTRL_IFACE */
static void wpa_sm_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry,
PMKSA: Make deauthentication due to cache entry removal more granular Expiry can always trigger a deauthentication, but otherwise, deauthentication should only happen when the *current* cache entry is removed and not being replaced. It should not happen when the current PMK just happens to match the PMK of the entry being removed, since multiple entries can have the same PMK when OKC is used and these entries are often removed at different times. This fixes an issue where eviction of the oldest inactive entry due to adding a newer entry to a full cache caused a deauthentication when the entry being removed had the same PMK as the current entry. Signed-hostap: Dan Williams <dcbw@redhat.com>
2012-11-25 20:27:18 +01:00
void *ctx, enum pmksa_free_reason reason)
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
{
struct wpa_sm *sm = ctx;
PMKSA: Make deauthentication due to cache entry removal more granular Expiry can always trigger a deauthentication, but otherwise, deauthentication should only happen when the *current* cache entry is removed and not being replaced. It should not happen when the current PMK just happens to match the PMK of the entry being removed, since multiple entries can have the same PMK when OKC is used and these entries are often removed at different times. This fixes an issue where eviction of the oldest inactive entry due to adding a newer entry to a full cache caused a deauthentication when the entry being removed had the same PMK as the current entry. Signed-hostap: Dan Williams <dcbw@redhat.com>
2012-11-25 20:27:18 +01:00
int deauth = 0;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
PMKSA: Make deauthentication due to cache entry removal more granular Expiry can always trigger a deauthentication, but otherwise, deauthentication should only happen when the *current* cache entry is removed and not being replaced. It should not happen when the current PMK just happens to match the PMK of the entry being removed, since multiple entries can have the same PMK when OKC is used and these entries are often removed at different times. This fixes an issue where eviction of the oldest inactive entry due to adding a newer entry to a full cache caused a deauthentication when the entry being removed had the same PMK as the current entry. Signed-hostap: Dan Williams <dcbw@redhat.com>
2012-11-25 20:27:18 +01:00
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "RSN: PMKSA cache entry free_cb: "
MACSTR " reason=%d", MAC2STR(entry->aa), reason);
if (sm->cur_pmksa == entry) {
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
"RSN: %s current PMKSA entry",
reason == PMKSA_REPLACE ? "replaced" : "removed");
pmksa_cache_clear_current(sm);
/*
* If an entry is simply being replaced, there's no need to
* deauthenticate because it will be immediately re-added.
* This happens when EAP authentication is completed again
* (reauth or failed PMKSA caching attempt).
*/
if (reason != PMKSA_REPLACE)
deauth = 1;
}
if (reason == PMKSA_EXPIRE &&
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
(sm->pmk_len == entry->pmk_len &&
os_memcmp(sm->pmk, entry->pmk, sm->pmk_len) == 0)) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
PMKSA: Make deauthentication due to cache entry removal more granular Expiry can always trigger a deauthentication, but otherwise, deauthentication should only happen when the *current* cache entry is removed and not being replaced. It should not happen when the current PMK just happens to match the PMK of the entry being removed, since multiple entries can have the same PMK when OKC is used and these entries are often removed at different times. This fixes an issue where eviction of the oldest inactive entry due to adding a newer entry to a full cache caused a deauthentication when the entry being removed had the same PMK as the current entry. Signed-hostap: Dan Williams <dcbw@redhat.com>
2012-11-25 20:27:18 +01:00
"RSN: deauthenticating due to expired PMK");
pmksa_cache_clear_current(sm);
deauth = 1;
}
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
PMKSA: Make deauthentication due to cache entry removal more granular Expiry can always trigger a deauthentication, but otherwise, deauthentication should only happen when the *current* cache entry is removed and not being replaced. It should not happen when the current PMK just happens to match the PMK of the entry being removed, since multiple entries can have the same PMK when OKC is used and these entries are often removed at different times. This fixes an issue where eviction of the oldest inactive entry due to adding a newer entry to a full cache caused a deauthentication when the entry being removed had the same PMK as the current entry. Signed-hostap: Dan Williams <dcbw@redhat.com>
2012-11-25 20:27:18 +01:00
if (deauth) {
Clear pmk_len more consistently for extra protection This gives more protection against unexpected behavior if RSN supplicant code ends up trying to use sm->pmk[] with a stale value. Couple of the code paths did not clear sm->pmk_len explicitly in cases where the old PMK is being removed, so cover those cases as well to make sure these will result in PMK-to-PTK derivation failures rather than use of incorrect PMK value if such a code path could be reached somehow. Signed-off-by: Jouni Malinen <j@w1.fi>
2018-04-08 18:42:52 +02:00
sm->pmk_len = 0;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
os_memset(sm->pmk, 0, sizeof(sm->pmk));
wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
}
}
/**
* wpa_sm_init - Initialize WPA state machine
* @ctx: Context pointer for callbacks; this needs to be an allocated buffer
* Returns: Pointer to the allocated WPA state machine data
*
* This function is used to allocate a new WPA state machine and the returned
* value is passed to all WPA state machine calls.
*/
struct wpa_sm * wpa_sm_init(struct wpa_sm_ctx *ctx)
{
struct wpa_sm *sm;
sm = os_zalloc(sizeof(*sm));
if (sm == NULL)
return NULL;
Convert RSN pre-authentication to use struct dl_list
2010-01-06 20:23:15 +01:00
dl_list_init(&sm->pmksa_candidates);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
sm->renew_snonce = 1;
sm->ctx = ctx;
sm->dot11RSNAConfigPMKLifetime = 43200;
sm->dot11RSNAConfigPMKReauthThreshold = 70;
sm->dot11RSNAConfigSATimeout = 60;
sm->pmksa = pmksa_cache_init(wpa_sm_pmksa_free_cb, sm, sm);
if (sm->pmksa == NULL) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
"RSN: PMKSA cache initialization failed");
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
os_free(sm);
return NULL;
}
return sm;
}
/**
* wpa_sm_deinit - Deinitialize WPA state machine
* @sm: Pointer to WPA state machine data from wpa_sm_init()
*/
void wpa_sm_deinit(struct wpa_sm *sm)
{
if (sm == NULL)
return;
pmksa_cache_deinit(sm->pmksa);
eloop_cancel_timeout(wpa_sm_start_preauth, sm, NULL);
Added support for enforcing frequent PTK rekeying Added a new configuration option, wpa_ptk_rekey, that can be used to enforce frequent PTK rekeying, e.g., to mitigate some attacks against TKIP deficiencies. This can be set either by the Authenticator (to initiate periodic 4-way handshake to rekey PTK) or by the Supplicant (to request Authenticator to rekey PTK). With both wpa_ptk_rekey and wpa_group_rekey (in hostapd) set to 600, TKIP keys will not be used for more than 10 minutes which may make some attacks against TKIP more difficult to implement.
2008-11-06 18:57:21 +01:00
eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
os_free(sm->assoc_wpa_ie);
SAE: Add RSNXE in Association Request and EAPOL-Key msg 2/4 Add the new RSNXE into (Re)Association Request frames and EAPOL-Key msg 2/4 when using SAE with hash-to-element mechanism enabled. This allows the AP to verify that there was no downgrade attack when both PWE derivation mechanisms are enabled. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-17 15:54:05 +02:00
os_free(sm->assoc_rsnxe);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
os_free(sm->ap_wpa_ie);
os_free(sm->ap_rsn_ie);
RSN: Verify RSNXE match between Beacon/ProbeResp and EAPOL-Key msg 3/4 If the AP advertises RSN Extension element, it has to be advertised consistently in the unprotected (Beacon and Probe Response) and protected (EAPOL-Key msg 3/4) frames. Verify that this is the case. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-09-06 13:51:31 +02:00
os_free(sm->ap_rsnxe);
Clear temporary keys from WPA supplicant state machine when not needed PMK and PTK are not needed in the supplicant state machine after disassociation since core wpa_supplicant will reconfigure them for the next association. As such, clear these from heap in wpa_sm_notify_disassoc() to reduce time and number of places storing key material in memory. In addition, clear FT keys in case of CONFIG_IEEE80211R=y build (sm->xxkey stored a copy of PSK in case of FT-PSK). Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-29 12:00:03 +01:00
wpa_sm_drop_sa(sm);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
os_free(sm->ctx);
FT: Copy MDIE and FTIE from (Re)Association Response into EAPOL-Key 2/4 IEEE Std 802.11r-2008 requires that the message 2 includes FTIE and MDIE from the AP's (Re)Association Response frame in the Key Data field.
2010-04-10 15:48:40 +02:00
#ifdef CONFIG_IEEE80211R
os_free(sm->assoc_resp_ies);
#endif /* CONFIG_IEEE80211R */
Add TEST_ASSOC_IE for WPA/RSN IE testing on AP side The new wpa_supplicant control interface command "TEST_ASSOC_IE <hexdump>" can now be used to override the WPA/RSN IE for Association Request frame and following 4-way handshake to allow protocol testing of AP side processing of WPA/RSN IE. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-06 18:30:59 +01:00
#ifdef CONFIG_TESTING_OPTIONS
wpabuf_free(sm->test_assoc_ie);
#endif /* CONFIG_TESTING_OPTIONS */
FILS: Fix wpa_supplicant compilation errors This change fixes the following compilation error: wpa.c:2465: error: undefined reference to 'crypto_ecdh_deinit' in builds where CONFIG_ECC does not get defined. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-03-23 11:41:22 +01:00
#ifdef CONFIG_FILS_SK_PFS
FILS: Add FILS SK auth PFS support in STA mode This adds an option to configure wpa_supplicant to use the perfect forward secrecy option in FILS shared key authentication. A new build option CONFIG_FILS_SK_PFS=y can be used to include this functionality. A new runtime network profile parameter fils_dh_group is used to enable this by specifying which DH group to use. For example, fils_dh_group=19 would use FILS SK PFS with a 256-bit random ECP group. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 21:45:35 +01:00
crypto_ecdh_deinit(sm->fils_ecdh);
FILS: Fix wpa_supplicant compilation errors This change fixes the following compilation error: wpa.c:2465: error: undefined reference to 'crypto_ecdh_deinit' in builds where CONFIG_ECC does not get defined. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-03-23 11:41:22 +01:00
#endif /* CONFIG_FILS_SK_PFS */
FILS: Derive FT key hierarchy on supplicant side for FILS+FT Derive PMK-R0 and the relevant key names when using FILS authentication for initial FT mobility domain association. Fill in the FT IEs in (Re)Association Request frame for this. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-05-07 11:00:27 +02:00
#ifdef CONFIG_FILS
wpabuf_free(sm->fils_ft_ies);
#endif /* CONFIG_FILS */
OWE: Process Diffie-Hellman Parameter element in STA mode This adds STA side addition of OWE Diffie-Hellman Parameter element into (Re)Association Request frame and processing it in (Re)Association Response frame. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 10:53:21 +01:00
#ifdef CONFIG_OWE
crypto_ecdh_deinit(sm->owe_ecdh);
#endif /* CONFIG_OWE */
DPP2: PFS for PTK derivation Use Diffie-Hellman key exchange to derivate additional material for PMK-to-PTK derivation to get PFS. The Diffie-Hellman Parameter element (defined in OWE RFC 8110) is used in association frames to exchange the DH public keys. For backwards compatibility, ignore missing request/response DH parameter and fall back to no PFS in such cases. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-17 22:51:53 +01:00
#ifdef CONFIG_DPP2
wpabuf_clear_free(sm->dpp_z);
#endif /* CONFIG_DPP2 */
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
os_free(sm);
}
/**
* wpa_sm_notify_assoc - Notify WPA state machine about association
* @sm: Pointer to WPA state machine data from wpa_sm_init()
* @bssid: The BSSID of the new association
*
* This function is called to let WPA state machine know that the connection
* was established.
*/
void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
{
Prevent reinstallation of an already in-use group key Track the current GTK and IGTK that is in use and when receiving a (possibly retransmitted) Group Message 1 or WNM-Sleep Mode Response, do not install the given key if it is already in use. This prevents an attacker from trying to trick the client into resetting or lowering the sequence counter associated to the group key. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2017-07-12 16:03:24 +02:00
int clear_keys = 1;
Delete PTK SA on (re)association if this is not part of a Fast BSS Transition. This fixes a potential issue where an incorrectly behaving AP could send a group key update using the old (now invalid after reassociate) PTK. This could also happen if there is a race condition between reporting received EAPOL frames and association events.
2008-03-12 10:18:57 +01:00
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
if (sm == NULL)
return;
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
"WPA: Association event - clear replay counter");
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
os_memcpy(sm->bssid, bssid, ETH_ALEN);
os_memset(sm->rx_replay_counter, 0, WPA_REPLAY_COUNTER_LEN);
sm->rx_replay_counter_set = 0;
sm->renew_snonce = 1;
if (os_memcmp(sm->preauth_bssid, bssid, ETH_ALEN) == 0)
rsn_preauth_deinit(sm);
#ifdef CONFIG_IEEE80211R
Delete PTK SA on (re)association if this is not part of a Fast BSS Transition. This fixes a potential issue where an incorrectly behaving AP could send a group key update using the old (now invalid after reassociate) PTK. This could also happen if there is a race condition between reporting received EAPOL frames and association events.
2008-03-12 10:18:57 +01:00
if (wpa_ft_is_completed(sm)) {
FT: Clean EAPOL supp portValid to force re-entry to AUTHENTICATED This fixed FT-over-DS to end up in Authorized state when the EAPOL PAE state machine re-enters AUTHENTICATED.
2010-03-13 20:40:44 +01:00
/*
* Clear portValid to kick EAPOL state machine to re-enter
* AUTHENTICATED state to get the EAPOL port Authorized.
*/
RSN supp: Convert Boolean to C99 bool Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-24 00:04:24 +02:00
eapol_sm_notify_portValid(sm->eapol, false);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
wpa_supplicant_key_neg_complete(sm, sm->bssid, 1);
/* Prepare for the next transition */
FT: Copy FT Capability and Policy to MDIE from target AP This sets the FT Capability and Policy field in the MDIE to the values received from the target AP (if available). This fixes the MDIE contents during FT Protocol, but the correct value may not yet be used in initial mobility domain association.
2010-04-09 15:26:20 +02:00
wpa_ft_prepare_auth_request(sm, NULL);
Delete PTK SA on (re)association if this is not part of a Fast BSS Transition. This fixes a potential issue where an incorrectly behaving AP could send a group key update using the old (now invalid after reassociate) PTK. This could also happen if there is a race condition between reporting received EAPOL frames and association events.
2008-03-12 10:18:57 +01:00
Prevent reinstallation of an already in-use group key Track the current GTK and IGTK that is in use and when receiving a (possibly retransmitted) Group Message 1 or WNM-Sleep Mode Response, do not install the given key if it is already in use. This prevents an attacker from trying to trick the client into resetting or lowering the sequence counter associated to the group key. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2017-07-12 16:03:24 +02:00
clear_keys = 0;
FT: Allow 4-way handshake for PTK rekeying to continue without PMK/PMKID There is no PMK/PMKID when going through 4-way handshake during an association started with FT protocol, so need to allow the operation to proceed even if there is no selected PMKSA cache entry in place. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-18 23:17:52 +02:00
sm->ft_protocol = 1;
} else {
sm->ft_protocol = 0;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
}
#endif /* CONFIG_IEEE80211R */
FILS: Association Response processing (STA) Decrypt the AES-SIV protected elements and verify Key-Auth. Parse and configure keys to the driver. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-09 16:34:13 +02:00
#ifdef CONFIG_FILS
if (sm->fils_completed) {
/*
* Clear portValid to kick EAPOL state machine to re-enter
* AUTHENTICATED state to get the EAPOL port Authorized.
*/
wpa_supplicant_key_neg_complete(sm, sm->bssid, 1);
Prevent reinstallation of an already in-use group key Track the current GTK and IGTK that is in use and when receiving a (possibly retransmitted) Group Message 1 or WNM-Sleep Mode Response, do not install the given key if it is already in use. This prevents an attacker from trying to trick the client into resetting or lowering the sequence counter associated to the group key. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2017-07-12 16:03:24 +02:00
clear_keys = 0;
FILS: Association Response processing (STA) Decrypt the AES-SIV protected elements and verify Key-Auth. Parse and configure keys to the driver. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-09 16:34:13 +02:00
}
#endif /* CONFIG_FILS */
Delete PTK SA on (re)association if this is not part of a Fast BSS Transition. This fixes a potential issue where an incorrectly behaving AP could send a group key update using the old (now invalid after reassociate) PTK. This could also happen if there is a race condition between reporting received EAPOL frames and association events.
2008-03-12 10:18:57 +01:00
Prevent reinstallation of an already in-use group key Track the current GTK and IGTK that is in use and when receiving a (possibly retransmitted) Group Message 1 or WNM-Sleep Mode Response, do not install the given key if it is already in use. This prevents an attacker from trying to trick the client into resetting or lowering the sequence counter associated to the group key. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2017-07-12 16:03:24 +02:00
if (clear_keys) {
Delete PTK SA on (re)association if this is not part of a Fast BSS Transition. This fixes a potential issue where an incorrectly behaving AP could send a group key update using the old (now invalid after reassociate) PTK. This could also happen if there is a race condition between reporting received EAPOL frames and association events.
2008-03-12 10:18:57 +01:00
/*
* IEEE 802.11, 8.4.10: Delete PTK SA on (re)association if
* this is not part of a Fast BSS Transition.
*/
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Clear old PTK");
Delete PTK SA on (re)association if this is not part of a Fast BSS Transition. This fixes a potential issue where an incorrectly behaving AP could send a group key update using the old (now invalid after reassociate) PTK. This could also happen if there is a race condition between reporting received EAPOL frames and association events.
2008-03-12 10:18:57 +01:00
sm->ptk_set = 0;
Reduce the amount of time PTK/TPTK/GTK is kept in memory Some of the buffers used to keep a copy of PTK/TPTK/GTK in the supplicant implementation maintained a copy of the keys longer than necessary. Clear these buffers to zero when the key is not needed anymore to minimize the amount of time key material is kept in memory. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-04-16 00:27:10 +02:00
os_memset(&sm->ptk, 0, sizeof(sm->ptk));
Delete PTK SA on (re)association if this is not part of a Fast BSS Transition. This fixes a potential issue where an incorrectly behaving AP could send a group key update using the old (now invalid after reassociate) PTK. This could also happen if there is a race condition between reporting received EAPOL frames and association events.
2008-03-12 10:18:57 +01:00
sm->tptk_set = 0;
Reduce the amount of time PTK/TPTK/GTK is kept in memory Some of the buffers used to keep a copy of PTK/TPTK/GTK in the supplicant implementation maintained a copy of the keys longer than necessary. Clear these buffers to zero when the key is not needed anymore to minimize the amount of time key material is kept in memory. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-04-16 00:27:10 +02:00
os_memset(&sm->tptk, 0, sizeof(sm->tptk));
Prevent reinstallation of an already in-use group key Track the current GTK and IGTK that is in use and when receiving a (possibly retransmitted) Group Message 1 or WNM-Sleep Mode Response, do not install the given key if it is already in use. This prevents an attacker from trying to trick the client into resetting or lowering the sequence counter associated to the group key. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2017-07-12 16:03:24 +02:00
os_memset(&sm->gtk, 0, sizeof(sm->gtk));
Extend protection of GTK/IGTK reinstallation of WNM-Sleep Mode cases This extends the protection to track last configured GTK/IGTK value separately from EAPOL-Key frames and WNM-Sleep Mode frames to cover a corner case where these two different mechanisms may get used when the GTK/IGTK has changed and tracking a single value is not sufficient to detect a possible key reconfiguration. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-10-01 11:12:24 +02:00
os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep));
Prevent reinstallation of an already in-use group key Track the current GTK and IGTK that is in use and when receiving a (possibly retransmitted) Group Message 1 or WNM-Sleep Mode Response, do not install the given key if it is already in use. This prevents an attacker from trying to trick the client into resetting or lowering the sequence counter associated to the group key. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2017-07-12 16:03:24 +02:00
os_memset(&sm->igtk, 0, sizeof(sm->igtk));
Extend protection of GTK/IGTK reinstallation of WNM-Sleep Mode cases This extends the protection to track last configured GTK/IGTK value separately from EAPOL-Key frames and WNM-Sleep Mode frames to cover a corner case where these two different mechanisms may get used when the GTK/IGTK has changed and tracking a single value is not sufficient to detect a possible key reconfiguration. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-10-01 11:12:24 +02:00
os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep));
Delete PTK SA on (re)association if this is not part of a Fast BSS Transition. This fixes a potential issue where an incorrectly behaving AP could send a group key update using the old (now invalid after reassociate) PTK. This could also happen if there is a race condition between reporting received EAPOL frames and association events.
2008-03-12 10:18:57 +01:00
}
TDLS: Clear peer entries on association/disassociation Since the TDLS links are allowed only to STAs that are in the same BSS with us, clear all peer data whenever the BSS may have changed.
2011-01-21 19:51:55 +01:00
#ifdef CONFIG_TDLS
wpa_tdls_assoc(sm);
#endif /* CONFIG_TDLS */
P2P: Add support for IP address assignment in 4-way handshake This new mechanism allows P2P Client to request an IPv4 address from the GO as part of the 4-way handshake to avoid use of DHCP exchange after 4-way handshake. If the new mechanism is used, the assigned IP address is shown in the P2P-GROUP-STARTED event on the client side with following new parameters: ip_addr, ip_mask, go_ip_addr. The assigned IP address is included in the AP-STA-CONNECTED event on the GO side as a new ip_addr parameter. The IP address is valid for the duration of the association. The IP address pool for this new mechanism is configured as global wpa_supplicant configuration file parameters ip_addr_go, ip_addr_mask, ip_addr_star, ip_addr_end. For example: ip_addr_go=192.168.42.1 ip_addr_mask=255.255.255.0 ip_addr_start=192.168.42.2 ip_addr_end=192.168.42.100 DHCP mechanism is expected to be enabled at the same time to support P2P Devices that do not use the new mechanism. The easiest way of managing the IP addresses is by splitting the IP address range into two parts and assign a separate range for wpa_supplicant and DHCP server. Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-03-16 18:13:31 +01:00
#ifdef CONFIG_P2P
os_memset(sm->p2p_ip_addr, 0, sizeof(sm->p2p_ip_addr));
#endif /* CONFIG_P2P */
STA: Support Extended Key ID Support Extended Key ID in wpa_supplicant according to IEEE Std 802.11-2016 for infrastructure (AP) associations. Extended Key ID allows to rekey pairwise keys without the otherwise unavoidable MPDU losses on a busy link. The standard is fully backward compatible, allowing STAs to also connect to APs not supporting it. Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-20 20:04:32 +01:00
sm->keyidx_active = 0;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
}
/**
* wpa_sm_notify_disassoc - Notify WPA state machine about disassociation
* @sm: Pointer to WPA state machine data from wpa_sm_init()
*
* This function is called to let WPA state machine know that the connection
* was lost. This will abort any existing pre-authentication session.
*/
void wpa_sm_notify_disassoc(struct wpa_sm *sm)
{
Clear RSN timers for preauth and PTK rekeying on disassociation Previously, it was possible for the wpa_sm_start_preauth() and wpa_sm_rekey_ptk() eloop callbacks to remain active after disconnection and potentially continue to be used for the next association. This is not correct behavior, so explicitly cancel these timeouts to avoid unexpected attempts to complete RSN preauthentication or to request PTK to be rekeyed. It was possible to trigger this issue, e.g., by running the following hwsim test case sequence: ap_wpa2_ptk_rekey ap_ft_sae_over_ds Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-03-06 17:40:28 +01:00
eloop_cancel_timeout(wpa_sm_start_preauth, sm, NULL);
eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
rsn_preauth_deinit(sm);
PMKSA: Clear current cache entry on disassociation Signed-hostap: Dan Williams <dcbw@redhat.com>
2012-11-25 20:53:55 +01:00
pmksa_cache_clear_current(sm);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
if (wpa_sm_get_state(sm) == WPA_4WAY_HANDSHAKE)
sm->dot11RSNA4WayHandshakeFailures++;
TDLS: Clear peer entries on association/disassociation Since the TDLS links are allowed only to STAs that are in the same BSS with us, clear all peer data whenever the BSS may have changed.
2011-01-21 19:51:55 +01:00
#ifdef CONFIG_TDLS
wpa_tdls_disassoc(sm);
#endif /* CONFIG_TDLS */
FILS: Association Response processing (STA) Decrypt the AES-SIV protected elements and verify Key-Auth. Parse and configure keys to the driver. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-09 16:34:13 +02:00
#ifdef CONFIG_FILS
sm->fils_completed = 0;
#endif /* CONFIG_FILS */
FT: Do not allow multiple Reassociation Response frames The driver is expected to not report a second association event without the station having explicitly request a new association. As such, this case should not be reachable. However, since reconfiguring the same pairwise or group keys to the driver could result in nonce reuse issues, be extra careful here and do an additional state check to avoid this even if the local driver ends up somehow accepting an unexpected Reassociation Response frame. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-09-22 11:06:37 +02:00
#ifdef CONFIG_IEEE80211R
sm->ft_reassoc_completed = 0;
FT: Allow 4-way handshake for PTK rekeying to continue without PMK/PMKID There is no PMK/PMKID when going through 4-way handshake during an association started with FT protocol, so need to allow the operation to proceed even if there is no selected PMKSA cache entry in place. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-18 23:17:52 +02:00
sm->ft_protocol = 0;
FT: Do not allow multiple Reassociation Response frames The driver is expected to not report a second association event without the station having explicitly request a new association. As such, this case should not be reachable. However, since reconfiguring the same pairwise or group keys to the driver could result in nonce reuse issues, be extra careful here and do an additional state check to avoid this even if the local driver ends up somehow accepting an unexpected Reassociation Response frame. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-09-22 11:06:37 +02:00
#endif /* CONFIG_IEEE80211R */
Clear temporary keys from WPA supplicant state machine when not needed PMK and PTK are not needed in the supplicant state machine after disassociation since core wpa_supplicant will reconfigure them for the next association. As such, clear these from heap in wpa_sm_notify_disassoc() to reduce time and number of places storing key material in memory. In addition, clear FT keys in case of CONFIG_IEEE80211R=y build (sm->xxkey stored a copy of PSK in case of FT-PSK). Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-29 12:00:03 +01:00
/* Keys are not needed in the WPA state machine anymore */
wpa_sm_drop_sa(sm);
STA: Support Extended Key ID Support Extended Key ID in wpa_supplicant according to IEEE Std 802.11-2016 for infrastructure (AP) associations. Extended Key ID allows to rekey pairwise keys without the otherwise unavoidable MPDU losses on a busy link. The standard is fully backward compatible, allowing STAs to also connect to APs not supporting it. Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-20 20:04:32 +01:00
sm->keyidx_active = 0;
Reject Group Key message 1/2 prior to completion of 4-way handshake Previously, it would have been possible to complete RSN connection by skipping the msg 3/4 and 4/4 completely. This would have resulted in pairwise key not being configured. This is obviously not supposed to happen in practice and could result in unexpected behavior, so reject group key message before the initial 4-way handshake has been completed. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-03-07 11:58:19 +01:00
sm->msg_3_of_4_ok = 0;
Clear BSSID information in supplicant state machine on disconnection This fixes a corner case where RSN pre-authentication candidate from scan results was ignored if the station was associated with that BSS just before running the new scan for the connection. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-10-17 00:15:24 +02:00
os_memset(sm->bssid, 0, ETH_ALEN);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
}
/**
* wpa_sm_set_pmk - Set PMK
* @sm: Pointer to WPA state machine data from wpa_sm_init()
* @pmk: The new PMK
* @pmk_len: The length of the new PMK in bytes
SAE: Fix PMKID calculation for PMKSA cache The SAE PMKID is calculated with IEEE Std 802.11-2012 11.3.5.4, but the PMKID was re-calculated with 11.6.1.3 and saved into PMKSA cache. Fix this to save the PMKID calculated with 11.3.5.4 into the PMKSA cache. Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2016-02-15 03:23:37 +01:00
* @pmkid: Calculated PMKID
SAE: Add support for PMKSA caching on the station side This makes wpa_supplicant SME create PMKSA cache entries from SAE authentication and try to use PMKSA caching if an entry is found for the AP. If the AP rejects the attempt, fall back to SAE authentication is used. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-10-18 12:02:02 +02:00
* @bssid: AA to add into PMKSA cache or %NULL to not cache the PMK
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
*
* Configure the PMK for WPA state machine.
*/
SAE: Add support for PMKSA caching on the station side This makes wpa_supplicant SME create PMKSA cache entries from SAE authentication and try to use PMKSA caching if an entry is found for the AP. If the AP rejects the attempt, fall back to SAE authentication is used. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-10-18 12:02:02 +02:00
void wpa_sm_set_pmk(struct wpa_sm *sm, const u8 *pmk, size_t pmk_len,
SAE: Fix PMKID calculation for PMKSA cache The SAE PMKID is calculated with IEEE Std 802.11-2012 11.3.5.4, but the PMKID was re-calculated with 11.6.1.3 and saved into PMKSA cache. Fix this to save the PMKID calculated with 11.3.5.4 into the PMKSA cache. Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2016-02-15 03:23:37 +01:00
const u8 *pmkid, const u8 *bssid)
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
{
if (sm == NULL)
return;
Add debug prints on PMK configuration in WPA supplicant This makes it easier to understand the cases where PMK gets configured based on information from upper layer call (e.g., a PSK). Signed-off-by: Jouni Malinen <j@w1.fi>
2017-10-08 11:21:21 +02:00
wpa_hexdump_key(MSG_DEBUG, "WPA: Set PMK based on external data",
pmk, pmk_len);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
sm->pmk_len = pmk_len;
os_memcpy(sm->pmk, pmk, pmk_len);
#ifdef CONFIG_IEEE80211R
/* Set XXKey to be PSK for FT key derivation */
sm->xxkey_len = pmk_len;
os_memcpy(sm->xxkey, pmk, pmk_len);
#endif /* CONFIG_IEEE80211R */
SAE: Add support for PMKSA caching on the station side This makes wpa_supplicant SME create PMKSA cache entries from SAE authentication and try to use PMKSA caching if an entry is found for the AP. If the AP rejects the attempt, fall back to SAE authentication is used. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-10-18 12:02:02 +02:00
if (bssid) {
SAE: Fix PMKID calculation for PMKSA cache The SAE PMKID is calculated with IEEE Std 802.11-2012 11.3.5.4, but the PMKID was re-calculated with 11.6.1.3 and saved into PMKSA cache. Fix this to save the PMKID calculated with 11.3.5.4 into the PMKSA cache. Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2016-02-15 03:23:37 +01:00
pmksa_cache_add(sm->pmksa, pmk, pmk_len, pmkid, NULL, 0,
Suite B: PMKID derivation for AKM 00-0F-AC:11 The new AKM uses a different mechanism of deriving the PMKID based on KCK instead of PMK. hostapd was already doing this after the KCK had been derived, but wpa_supplicant functionality needs to be moved from processing of EAPOL-Key frame 1/4 to 3/4 to have the KCK available. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-16 12:22:46 +01:00
bssid, sm->own_addr,
FILS: Use FILS Cache Identifier to extend PMKSA applicability This allows PMKSA cache entries for FILS-enabled BSSs to be shared within an ESS when the BSSs advertise the same FILS Cache Identifier value. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-21 11:22:19 +01:00
sm->network_ctx, sm->key_mgmt, NULL);
SAE: Add support for PMKSA caching on the station side This makes wpa_supplicant SME create PMKSA cache entries from SAE authentication and try to use PMKSA caching if an entry is found for the AP. If the AP rejects the attempt, fall back to SAE authentication is used. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-10-18 12:02:02 +02:00
}
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
}
/**
* wpa_sm_set_pmk_from_pmksa - Set PMK based on the current PMKSA
* @sm: Pointer to WPA state machine data from wpa_sm_init()
*
* Take the PMK from the current PMKSA into use. If no PMKSA is active, the PMK
* will be cleared.
*/
void wpa_sm_set_pmk_from_pmksa(struct wpa_sm *sm)
{
if (sm == NULL)
return;
if (sm->cur_pmksa) {
Add debug prints on PMK configuration in WPA supplicant This makes it easier to understand the cases where PMK gets configured based on information from upper layer call (e.g., a PSK). Signed-off-by: Jouni Malinen <j@w1.fi>
2017-10-08 11:21:21 +02:00
wpa_hexdump_key(MSG_DEBUG,
"WPA: Set PMK based on current PMKSA",
sm->cur_pmksa->pmk, sm->cur_pmksa->pmk_len);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
sm->pmk_len = sm->cur_pmksa->pmk_len;
os_memcpy(sm->pmk, sm->cur_pmksa->pmk, sm->pmk_len);
} else {
Add debug prints on PMK configuration in WPA supplicant This makes it easier to understand the cases where PMK gets configured based on information from upper layer call (e.g., a PSK). Signed-off-by: Jouni Malinen <j@w1.fi>
2017-10-08 11:21:21 +02:00
wpa_printf(MSG_DEBUG, "WPA: No current PMKSA - clear PMK");
Clear PMK length and check for this when deriving PTK Instead of setting the default PMK length for the cleared PMK, set the length to 0 and explicitly check for this when deriving PTK to avoid unexpected key derivation with an all-zeroes key should it be possible to somehow trigger PTK derivation to happen before PMK derivation. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-10-08 12:18:02 +02:00
sm->pmk_len = 0;
os_memset(sm->pmk, 0, PMK_LEN_MAX);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
}
}
/**
* wpa_sm_set_fast_reauth - Set fast reauthentication (EAP) enabled/disabled
* @sm: Pointer to WPA state machine data from wpa_sm_init()
* @fast_reauth: Whether fast reauthentication (EAP) is allowed
*/
void wpa_sm_set_fast_reauth(struct wpa_sm *sm, int fast_reauth)
{
if (sm)
sm->fast_reauth = fast_reauth;
}
/**
* wpa_sm_set_scard_ctx - Set context pointer for smartcard callbacks
* @sm: Pointer to WPA state machine data from wpa_sm_init()
* @scard_ctx: Context pointer for smartcard related callback functions
*/
void wpa_sm_set_scard_ctx(struct wpa_sm *sm, void *scard_ctx)
{
if (sm == NULL)
return;
sm->scard_ctx = scard_ctx;
if (sm->preauth_eapol)
eapol_sm_register_scard_ctx(sm->preauth_eapol, scard_ctx);
}
/**
Fix a typo in a comment Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-01-23 22:05:24 +01:00
* wpa_sm_set_config - Notification of current configuration change
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
* @sm: Pointer to WPA state machine data from wpa_sm_init()
* @config: Pointer to current network configuration
*
* Notify WPA state machine that configuration has changed. config will be
* stored as a backpointer to network configuration. This can be %NULL to clear
* the stored pointed.
*/
void wpa_sm_set_config(struct wpa_sm *sm, struct rsn_supp_config *config)
{
if (!sm)
return;
if (config) {
Make proactive key caching working again Function 'wpa_sm_set_config' used the argument 'config' as the network context which is a pointer to a local variable of the function 'wpa_supplicant_rsn_supp_set_config'. This is one reason why no proactive key was generated. This network context never matched with the network context saved in the pmksa cache entries. The structure 'rsn_supp_config' has already a member 'network_ctx' which is now filled in by this patch with 'ssid'. Signed-off-by: Michael Bernhard <michael.bernhard@bfh.ch>
2008-07-06 09:50:53 +02:00
sm->network_ctx = config->network_ctx;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
sm->allowed_pairwise_cipher = config->allowed_pairwise_cipher;
sm->proactive_key_caching = config->proactive_key_caching;
sm->eap_workaround = config->eap_workaround;
sm->eap_conf_ctx = config->eap_conf_ctx;
if (config->ssid) {
os_memcpy(sm->ssid, config->ssid, config->ssid_len);
sm->ssid_len = config->ssid_len;
} else
sm->ssid_len = 0;
Added support for enforcing frequent PTK rekeying Added a new configuration option, wpa_ptk_rekey, that can be used to enforce frequent PTK rekeying, e.g., to mitigate some attacks against TKIP deficiencies. This can be set either by the Authenticator (to initiate periodic 4-way handshake to rekey PTK) or by the Supplicant (to request Authenticator to rekey PTK). With both wpa_ptk_rekey and wpa_group_rekey (in hostapd) set to 600, TKIP keys will not be used for more than 10 minutes which may make some attacks against TKIP more difficult to implement.
2008-11-06 18:57:21 +01:00
sm->wpa_ptk_rekey = config->wpa_ptk_rekey;
P2P: Add support for IP address assignment in 4-way handshake This new mechanism allows P2P Client to request an IPv4 address from the GO as part of the 4-way handshake to avoid use of DHCP exchange after 4-way handshake. If the new mechanism is used, the assigned IP address is shown in the P2P-GROUP-STARTED event on the client side with following new parameters: ip_addr, ip_mask, go_ip_addr. The assigned IP address is included in the AP-STA-CONNECTED event on the GO side as a new ip_addr parameter. The IP address is valid for the duration of the association. The IP address pool for this new mechanism is configured as global wpa_supplicant configuration file parameters ip_addr_go, ip_addr_mask, ip_addr_star, ip_addr_end. For example: ip_addr_go=192.168.42.1 ip_addr_mask=255.255.255.0 ip_addr_start=192.168.42.2 ip_addr_end=192.168.42.100 DHCP mechanism is expected to be enabled at the same time to support P2P Devices that do not use the new mechanism. The easiest way of managing the IP addresses is by splitting the IP address range into two parts and assign a separate range for wpa_supplicant and DHCP server. Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-03-16 18:13:31 +01:00
sm->p2p = config->p2p;
wpa_supplicant: Add GTK RSC relaxation workaround Some APs may send RSC octets in EAPOL-Key message 3 of 4-Way Handshake or in EAPOL-Key message 1 of Group Key Handshake in the opposite byte order (or by some other corrupted way). Thus, after a successful EAPOL-Key exchange the TSC values of received multicast packets, such as DHCP, don't match the RSC one and as a result these packets are dropped on replay attack TSC verification. An example of such AP is Sapido RB-1732. Work around this by setting RSC octets to 0 on GTK installation if the AP RSC value is identified as a potentially having the byte order issue. This may open a short window during which older (but valid) group-addressed frames could be replayed. However, the local receive counter will be updated on the first received group-addressed frame and the workaround is enabled only if the common invalid cases are detected, so this workaround is acceptable as not decreasing security significantly. The wpa_rsc_relaxation global configuration property allows the GTK RSC workaround to be disabled if it's not needed. Signed-off-by: Max Stepanov <Max.Stepanov@intel.com>
2015-10-14 11:26:33 +02:00
sm->wpa_rsc_relaxation = config->wpa_rsc_relaxation;
OWE: PTK derivation workaround in STA mode Initial OWE implementation used SHA256 when deriving the PTK for all OWE groups. This was supposed to change to SHA384 for group 20 and SHA512 for group 21. The new owe_ptk_workaround=1 network parameter can be used to enable older behavior mainly for testing purposes. There is no impact to group 19 behavior, but if enabled, this will make group 20 and 21 cases use SHA256-based PTK derivation which will not work with the updated OWE implementation on the AP side. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-01-23 21:46:51 +01:00
sm->owe_ptk_workaround = config->owe_ptk_workaround;
WPA: Support deriving KDK based on capabilities Derive the KDK as part of PMK to PTK derivation if forced by configuration or in case both the local station and the AP declare support for secure LTF. Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2020-12-16 12:01:39 +01:00
sm->force_kdk_derivation = config->force_kdk_derivation;
FILS: Use FILS Cache Identifier to extend PMKSA applicability This allows PMKSA cache entries for FILS-enabled BSSs to be shared within an ESS when the BSSs advertise the same FILS Cache Identifier value. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-21 11:22:19 +01:00
#ifdef CONFIG_FILS
if (config->fils_cache_id) {
sm->fils_cache_id_set = 1;
os_memcpy(sm->fils_cache_id, config->fils_cache_id,
FILS_CACHE_ID_LEN);
} else {
sm->fils_cache_id_set = 0;
}
#endif /* CONFIG_FILS */
Set beacon protection config irrespective of macro CONFIG_FILS This was not supposed to be conditional on CONFIG_FILS. Fixes: ecbf59e6931f ("wpa_supplicant configuration for Beacon protection") Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-21 01:39:30 +01:00
sm->beacon_prot = config->beacon_prot;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
} else {
Make proactive key caching working again Function 'wpa_sm_set_config' used the argument 'config' as the network context which is a pointer to a local variable of the function 'wpa_supplicant_rsn_supp_set_config'. This is one reason why no proactive key was generated. This network context never matched with the network context saved in the pmksa cache entries. The structure 'rsn_supp_config' has already a member 'network_ctx' which is now filled in by this patch with 'ssid'. Signed-off-by: Michael Bernhard <michael.bernhard@bfh.ch>
2008-07-06 09:50:53 +02:00
sm->network_ctx = NULL;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
sm->allowed_pairwise_cipher = 0;
sm->proactive_key_caching = 0;
sm->eap_workaround = 0;
sm->eap_conf_ctx = NULL;
sm->ssid_len = 0;
Added support for enforcing frequent PTK rekeying Added a new configuration option, wpa_ptk_rekey, that can be used to enforce frequent PTK rekeying, e.g., to mitigate some attacks against TKIP deficiencies. This can be set either by the Authenticator (to initiate periodic 4-way handshake to rekey PTK) or by the Supplicant (to request Authenticator to rekey PTK). With both wpa_ptk_rekey and wpa_group_rekey (in hostapd) set to 600, TKIP keys will not be used for more than 10 minutes which may make some attacks against TKIP more difficult to implement.
2008-11-06 18:57:21 +01:00
sm->wpa_ptk_rekey = 0;
P2P: Add support for IP address assignment in 4-way handshake This new mechanism allows P2P Client to request an IPv4 address from the GO as part of the 4-way handshake to avoid use of DHCP exchange after 4-way handshake. If the new mechanism is used, the assigned IP address is shown in the P2P-GROUP-STARTED event on the client side with following new parameters: ip_addr, ip_mask, go_ip_addr. The assigned IP address is included in the AP-STA-CONNECTED event on the GO side as a new ip_addr parameter. The IP address is valid for the duration of the association. The IP address pool for this new mechanism is configured as global wpa_supplicant configuration file parameters ip_addr_go, ip_addr_mask, ip_addr_star, ip_addr_end. For example: ip_addr_go=192.168.42.1 ip_addr_mask=255.255.255.0 ip_addr_start=192.168.42.2 ip_addr_end=192.168.42.100 DHCP mechanism is expected to be enabled at the same time to support P2P Devices that do not use the new mechanism. The easiest way of managing the IP addresses is by splitting the IP address range into two parts and assign a separate range for wpa_supplicant and DHCP server. Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-03-16 18:13:31 +01:00
sm->p2p = 0;
wpa_supplicant: Add GTK RSC relaxation workaround Some APs may send RSC octets in EAPOL-Key message 3 of 4-Way Handshake or in EAPOL-Key message 1 of Group Key Handshake in the opposite byte order (or by some other corrupted way). Thus, after a successful EAPOL-Key exchange the TSC values of received multicast packets, such as DHCP, don't match the RSC one and as a result these packets are dropped on replay attack TSC verification. An example of such AP is Sapido RB-1732. Work around this by setting RSC octets to 0 on GTK installation if the AP RSC value is identified as a potentially having the byte order issue. This may open a short window during which older (but valid) group-addressed frames could be replayed. However, the local receive counter will be updated on the first received group-addressed frame and the workaround is enabled only if the common invalid cases are detected, so this workaround is acceptable as not decreasing security significantly. The wpa_rsc_relaxation global configuration property allows the GTK RSC workaround to be disabled if it's not needed. Signed-off-by: Max Stepanov <Max.Stepanov@intel.com>
2015-10-14 11:26:33 +02:00
sm->wpa_rsc_relaxation = 0;
OWE: PTK derivation workaround in STA mode Initial OWE implementation used SHA256 when deriving the PTK for all OWE groups. This was supposed to change to SHA384 for group 20 and SHA512 for group 21. The new owe_ptk_workaround=1 network parameter can be used to enable older behavior mainly for testing purposes. There is no impact to group 19 behavior, but if enabled, this will make group 20 and 21 cases use SHA256-based PTK derivation which will not work with the updated OWE implementation on the AP side. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-01-23 21:46:51 +01:00
sm->owe_ptk_workaround = 0;
wpa_supplicant configuration for Beacon protection Add a new wpa_supplicant network profile configuration parameter beacon_prot=<0/1> to allow Beacon protection to be enabled. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-17 23:16:55 +01:00
sm->beacon_prot = 0;
WPA: Support deriving KDK based on capabilities Derive the KDK as part of PMK to PTK derivation if forced by configuration or in case both the local station and the AP declare support for secure LTF. Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2020-12-16 12:01:39 +01:00
sm->force_kdk_derivation = false;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
}
}
/**
* wpa_sm_set_own_addr - Set own MAC address
* @sm: Pointer to WPA state machine data from wpa_sm_init()
* @addr: Own MAC address
*/
void wpa_sm_set_own_addr(struct wpa_sm *sm, const u8 *addr)
{
if (sm)
os_memcpy(sm->own_addr, addr, ETH_ALEN);
}
/**
* wpa_sm_set_ifname - Set network interface name
* @sm: Pointer to WPA state machine data from wpa_sm_init()
* @ifname: Interface name
* @bridge_ifname: Optional bridge interface name (for pre-auth)
*/
void wpa_sm_set_ifname(struct wpa_sm *sm, const char *ifname,
const char *bridge_ifname)
{
if (sm) {
sm->ifname = ifname;
sm->bridge_ifname = bridge_ifname;
}
}
/**
* wpa_sm_set_eapol - Set EAPOL state machine pointer
* @sm: Pointer to WPA state machine data from wpa_sm_init()
* @eapol: Pointer to EAPOL state machine allocated with eapol_sm_init()
*/
void wpa_sm_set_eapol(struct wpa_sm *sm, struct eapol_sm *eapol)
{
if (sm)
sm->eapol = eapol;
}
/**
* wpa_sm_set_param - Set WPA state machine parameters
* @sm: Pointer to WPA state machine data from wpa_sm_init()
* @param: Parameter field
* @value: Parameter value
* Returns: 0 on success, -1 on failure
*/
int wpa_sm_set_param(struct wpa_sm *sm, enum wpa_sm_conf_params param,
unsigned int value)
{
int ret = 0;
if (sm == NULL)
return -1;
switch (param) {
case RSNA_PMK_LIFETIME:
if (value > 0)
sm->dot11RSNAConfigPMKLifetime = value;
else
ret = -1;
break;
case RSNA_PMK_REAUTH_THRESHOLD:
if (value > 0 && value <= 100)
sm->dot11RSNAConfigPMKReauthThreshold = value;
else
ret = -1;
break;
case RSNA_SA_TIMEOUT:
if (value > 0)
sm->dot11RSNAConfigSATimeout = value;
else
ret = -1;
break;
case WPA_PARAM_PROTO:
sm->proto = value;
break;
case WPA_PARAM_PAIRWISE:
sm->pairwise_cipher = value;
break;
case WPA_PARAM_GROUP:
sm->group_cipher = value;
break;
case WPA_PARAM_KEY_MGMT:
sm->key_mgmt = value;
break;
case WPA_PARAM_MGMT_GROUP:
sm->mgmt_group_cipher = value;
break;
case WPA_PARAM_RSN_ENABLED:
sm->rsn_enabled = value;
break;
MFP: Add MFPR flag into station RSN IE if 802.11w is mandatory
2010-03-29 19:48:01 +02:00
case WPA_PARAM_MFP:
sm->mfp = value;
break;
OCV: Advertise OCV capability in RSN capabilities (STA) Set the OCV bit in RSN capabilities (RSNE) based on station mode configuration. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-08-06 21:46:25 +02:00
case WPA_PARAM_OCV:
sm->ocv = value;
break;
SAE: Add RSNXE in Association Request and EAPOL-Key msg 2/4 Add the new RSNXE into (Re)Association Request frames and EAPOL-Key msg 2/4 when using SAE with hash-to-element mechanism enabled. This allows the AP to verify that there was no downgrade attack when both PWE derivation mechanisms are enabled. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-17 15:54:05 +02:00
case WPA_PARAM_SAE_PWE:
sm->sae_pwe = value;
break;
SAE-PK: Advertise RSNXE capability bit in STA mode Set the SAE-PK capability bit in RSNXE when sending out (Re)Association Request frame for a network profile that allows use of SAE-PK. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-10 11:22:59 +02:00
case WPA_PARAM_SAE_PK:
sm->sae_pk = value;
break;
STA: Allow PTK rekeying without Ext KeyID to be disabled as a workaround Rekeying a pairwise key using only keyid 0 (PTK0 rekey) has many broken implementations and should be avoided when using or interacting with one. The effects can be triggered by either end of the connection and range from hardly noticeable disconnects over long connection freezes up to leaking clear text MPDUs. To allow affected users to mitigate the issues, add a new configuration option "wpa_deny_ptk0_rekey" to replace all PTK0 rekeys with fast reconnects. Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-01-10 23:19:09 +01:00
case WPA_PARAM_DENY_PTK0_REKEY:
sm->wpa_deny_ptk0_rekey = value;
break;
STA: Support Extended Key ID Support Extended Key ID in wpa_supplicant according to IEEE Std 802.11-2016 for infrastructure (AP) associations. Extended Key ID allows to rekey pairwise keys without the otherwise unavoidable MPDU losses on a busy link. The standard is fully backward compatible, allowing STAs to also connect to APs not supporting it. Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-20 20:04:32 +01:00
case WPA_PARAM_EXT_KEY_ID:
sm->ext_key_id = value;
break;
case WPA_PARAM_USE_EXT_KEY_ID:
sm->use_ext_key_id = value;
break;
FT: Testing override for RSNXE Used subfield in FTE Allow wpa_supplicant to be requested to override the RSNXE Used subfield in FT reassociation case for testing purposes with "SET ft_rsnxe_used <0/1/2>" where 0 = no override, 1 = override to 1, and 2 = override to 0. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-14 12:48:43 +02:00
#ifdef CONFIG_TESTING_OPTIONS
case WPA_PARAM_FT_RSNXE_USED:
sm->ft_rsnxe_used = value;
break;
OCV: Add support to override channel info OCI element (STA) To support the STA testbed role, the STA has to use specified channel information in OCI element sent to the AP in EAPOL-Key msg 2/4, SA Query Request, and SA Query Response frames. Add override parameters to use the specified channel while populating OCI element in all these frames. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-08 19:59:04 +02:00
case WPA_PARAM_OCI_FREQ_EAPOL:
sm->oci_freq_override_eapol = value;
break;
OCV: OCI channel override support for testing (STA) Add override parameters to use the specified channel while populating OCI element in EAPOL-Key group msg 2/2, FT reassoc request, FILS assoc request and WNM sleep request frames. Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2020-06-26 10:19:14 +02:00
case WPA_PARAM_OCI_FREQ_EAPOL_G2:
sm->oci_freq_override_eapol_g2 = value;
break;
case WPA_PARAM_OCI_FREQ_FT_ASSOC:
sm->oci_freq_override_ft_assoc = value;
break;
case WPA_PARAM_OCI_FREQ_FILS_ASSOC:
sm->oci_freq_override_fils_assoc = value;
break;
FT: Testing override for RSNXE Used subfield in FTE Allow wpa_supplicant to be requested to override the RSNXE Used subfield in FT reassociation case for testing purposes with "SET ft_rsnxe_used <0/1/2>" where 0 = no override, 1 = override to 1, and 2 = override to 0. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-14 12:48:43 +02:00
#endif /* CONFIG_TESTING_OPTIONS */
DPP2: Add DPP KDE into EAPOL-Key msg 2/4 when using DPP AKM Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-01 18:53:07 +02:00
#ifdef CONFIG_DPP2
case WPA_PARAM_DPP_PFS:
sm->dpp_pfs = value;
break;
#endif /* CONFIG_DPP2 */
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
default:
break;
}
return ret;
}
/**
* wpa_sm_get_status - Get WPA state machine
* @sm: Pointer to WPA state machine data from wpa_sm_init()
* @buf: Buffer for status information
* @buflen: Maximum buffer length
* @verbose: Whether to include verbose status information
* Returns: Number of bytes written to buf.
*
* Query WPA state machine for status information. This function fills in
* a text area with current status information. If the buffer (buf) is not
* large enough, status information will be truncated to fit the buffer.
*/
int wpa_sm_get_status(struct wpa_sm *sm, char *buf, size_t buflen,
int verbose)
{
char *pos = buf, *end = buf + buflen;
int ret;
ret = os_snprintf(pos, end - pos,
"pairwise_cipher=%s\n"
"group_cipher=%s\n"
"key_mgmt=%s\n",
wpa_cipher_txt(sm->pairwise_cipher),
wpa_cipher_txt(sm->group_cipher),
wpa_key_mgmt_txt(sm->key_mgmt, sm->proto));
Check os_snprintf() result more consistently - automatic 1 This converts os_snprintf() result validation cases to use os_snprintf_error() where the exact rule used in os_snprintf_error() was used. These changes were done automatically with spatch using the following semantic patch: @@ identifier E1; expression E2,E3,E4,E5,E6; statement S1; @@ ( E1 = os_snprintf(E2, E3, ...); | int E1 = os_snprintf(E2, E3, ...); | if (E5) E1 = os_snprintf(E2, E3, ...); else E1 = os_snprintf(E2, E3, ...); | if (E5) E1 = os_snprintf(E2, E3, ...); else if (E6) E1 = os_snprintf(E2, E3, ...); else E1 = 0; | if (E5) { ... E1 = os_snprintf(E2, E3, ...); } else { ... return -1; } | if (E5) { ... E1 = os_snprintf(E2, E3, ...); } else if (E6) { ... E1 = os_snprintf(E2, E3, ...); } else { ... return -1; } | if (E5) { ... E1 = os_snprintf(E2, E3, ...); } else { ... E1 = os_snprintf(E2, E3, ...); } ) ? os_free(E4); - if (E1 < 0 || \( E1 >= E3 \| (size_t) E1 >= E3 \| (unsigned int) E1 >= E3 \| E1 >= (int) E3 \)) + if (os_snprintf_error(E3, E1)) ( S1 | { ... } ) Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-08 10:15:51 +01:00
if (os_snprintf_error(end - pos, ret))
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
return pos - buf;
pos += ret;
Indicate if PMF was negotiated for the connection Add pmf=1/2 to wpa_supplicant STATUS command output to indicate that PMF was negotiated for the connect (1 = optional in this BSS, 2 = required in this BSS). Signed-hostap: Jouni Malinen <j@w1.fi>
2012-11-24 21:45:17 +01:00
DPP2: Indicate if PFS was used in control interface STATUS The new "dpp_pfs=1" entry can be used to determine whether PFS was used during derivation of PTK when DPP AKM is negotiated for an association. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-01 16:36:59 +02:00
#ifdef CONFIG_DPP2
if (sm->key_mgmt == WPA_KEY_MGMT_DPP && sm->dpp_z) {
ret = os_snprintf(pos, end - pos, "dpp_pfs=1\n");
if (os_snprintf_error(end - pos, ret))
return pos - buf;
pos += ret;
}
#endif /* CONFIG_DPP2 */
Indicate if PMF was negotiated for the connection Add pmf=1/2 to wpa_supplicant STATUS command output to indicate that PMF was negotiated for the connect (1 = optional in this BSS, 2 = required in this BSS). Signed-hostap: Jouni Malinen <j@w1.fi>
2012-11-24 21:45:17 +01:00
if (sm->mfp != NO_MGMT_FRAME_PROTECTION && sm->ap_rsn_ie) {
struct wpa_ie_data rsn;
if (wpa_parse_wpa_ie_rsn(sm->ap_rsn_ie, sm->ap_rsn_ie_len, &rsn)
>= 0 &&
rsn.capabilities & (WPA_CAPABILITY_MFPR |
WPA_CAPABILITY_MFPC)) {
Add mgmt_group_cipher to wpa_supplicant STATUS command This can be used to check which management group cipher is used in an association that uses PMF. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-07-03 13:28:24 +02:00
ret = os_snprintf(pos, end - pos, "pmf=%d\n"
"mgmt_group_cipher=%s\n",
Indicate if PMF was negotiated for the connection Add pmf=1/2 to wpa_supplicant STATUS command output to indicate that PMF was negotiated for the connect (1 = optional in this BSS, 2 = required in this BSS). Signed-hostap: Jouni Malinen <j@w1.fi>
2012-11-24 21:45:17 +01:00
(rsn.capabilities &
Add mgmt_group_cipher to wpa_supplicant STATUS command This can be used to check which management group cipher is used in an association that uses PMF. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-07-03 13:28:24 +02:00
WPA_CAPABILITY_MFPR) ? 2 : 1,
wpa_cipher_txt(
sm->mgmt_group_cipher));
Check os_snprintf() result more consistently - automatic 1 This converts os_snprintf() result validation cases to use os_snprintf_error() where the exact rule used in os_snprintf_error() was used. These changes were done automatically with spatch using the following semantic patch: @@ identifier E1; expression E2,E3,E4,E5,E6; statement S1; @@ ( E1 = os_snprintf(E2, E3, ...); | int E1 = os_snprintf(E2, E3, ...); | if (E5) E1 = os_snprintf(E2, E3, ...); else E1 = os_snprintf(E2, E3, ...); | if (E5) E1 = os_snprintf(E2, E3, ...); else if (E6) E1 = os_snprintf(E2, E3, ...); else E1 = 0; | if (E5) { ... E1 = os_snprintf(E2, E3, ...); } else { ... return -1; } | if (E5) { ... E1 = os_snprintf(E2, E3, ...); } else if (E6) { ... E1 = os_snprintf(E2, E3, ...); } else { ... return -1; } | if (E5) { ... E1 = os_snprintf(E2, E3, ...); } else { ... E1 = os_snprintf(E2, E3, ...); } ) ? os_free(E4); - if (E1 < 0 || \( E1 >= E3 \| (size_t) E1 >= E3 \| (unsigned int) E1 >= E3 \| E1 >= (int) E3 \)) + if (os_snprintf_error(E3, E1)) ( S1 | { ... } ) Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-08 10:15:51 +01:00
if (os_snprintf_error(end - pos, ret))
Indicate if PMF was negotiated for the connection Add pmf=1/2 to wpa_supplicant STATUS command output to indicate that PMF was negotiated for the connect (1 = optional in this BSS, 2 = required in this BSS). Signed-hostap: Jouni Malinen <j@w1.fi>
2012-11-24 21:45:17 +01:00
return pos - buf;
pos += ret;
}
}
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
return pos - buf;
}
WNM: Make ESS Disassoc Imminent event more convenient to use Define a proper event prefix and include additional information to allow ESS Dissassociation Imminent event to be used in a wpa_cli action script. Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-04-21 01:48:10 +02:00
int wpa_sm_pmf_enabled(struct wpa_sm *sm)
{
struct wpa_ie_data rsn;
if (sm->mfp == NO_MGMT_FRAME_PROTECTION || !sm->ap_rsn_ie)
return 0;
if (wpa_parse_wpa_ie_rsn(sm->ap_rsn_ie, sm->ap_rsn_ie_len, &rsn) >= 0 &&
rsn.capabilities & (WPA_CAPABILITY_MFPR | WPA_CAPABILITY_MFPC))
return 1;
return 0;
}
STA: Support Extended Key ID Support Extended Key ID in wpa_supplicant according to IEEE Std 802.11-2016 for infrastructure (AP) associations. Extended Key ID allows to rekey pairwise keys without the otherwise unavoidable MPDU losses on a busy link. The standard is fully backward compatible, allowing STAs to also connect to APs not supporting it. Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-20 20:04:32 +01:00
int wpa_sm_ext_key_id(struct wpa_sm *sm)
{
return sm ? sm->ext_key_id : 0;
}
int wpa_sm_ext_key_id_active(struct wpa_sm *sm)
{
return sm ? sm->use_ext_key_id : 0;
}
OCV: Insert OCI in 4-way and group key handshake If Operating Channel Verification is negotiated, include the OCI KDE element in EAPOL-Key msg 2/4 and 3/4 of the 4-way handshake and both messages of the group key handshake. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-08-06 21:46:27 +02:00
int wpa_sm_ocv_enabled(struct wpa_sm *sm)
{
struct wpa_ie_data rsn;
if (!sm->ocv || !sm->ap_rsn_ie)
return 0;
return wpa_parse_wpa_ie_rsn(sm->ap_rsn_ie, sm->ap_rsn_ie_len,
&rsn) >= 0 &&
(rsn.capabilities & WPA_CAPABILITY_OCVC);
}
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
/**
* wpa_sm_set_assoc_wpa_ie_default - Generate own WPA/RSN IE from configuration
* @sm: Pointer to WPA state machine data from wpa_sm_init()
* @wpa_ie: Pointer to buffer for WPA/RSN IE
* @wpa_ie_len: Pointer to the length of the wpa_ie buffer
* Returns: 0 on success, -1 on failure
*/
int wpa_sm_set_assoc_wpa_ie_default(struct wpa_sm *sm, u8 *wpa_ie,
size_t *wpa_ie_len)
{
int res;
if (sm == NULL)
return -1;
Add TEST_ASSOC_IE for WPA/RSN IE testing on AP side The new wpa_supplicant control interface command "TEST_ASSOC_IE <hexdump>" can now be used to override the WPA/RSN IE for Association Request frame and following 4-way handshake to allow protocol testing of AP side processing of WPA/RSN IE. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-06 18:30:59 +01:00
#ifdef CONFIG_TESTING_OPTIONS
if (sm->test_assoc_ie) {
wpa_printf(MSG_DEBUG,
"TESTING: Replace association WPA/RSN IE");
if (*wpa_ie_len < wpabuf_len(sm->test_assoc_ie))
return -1;
os_memcpy(wpa_ie, wpabuf_head(sm->test_assoc_ie),
wpabuf_len(sm->test_assoc_ie));
res = wpabuf_len(sm->test_assoc_ie);
} else
#endif /* CONFIG_TESTING_OPTIONS */
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
res = wpa_gen_wpa_ie(sm, wpa_ie, *wpa_ie_len);
if (res < 0)
return -1;
*wpa_ie_len = res;
wpa_hexdump(MSG_DEBUG, "WPA: Set own WPA IE default",
wpa_ie, *wpa_ie_len);
if (sm->assoc_wpa_ie == NULL) {
/*
* Make a copy of the WPA/RSN IE so that 4-Way Handshake gets
* the correct version of the IE even if PMKSA caching is
* aborted (which would remove PMKID from IE generation).
*/
Use os_memdup() This leads to cleaner code overall, and also reduces the size of the hostapd and wpa_supplicant binaries (in hwsim test build on x86_64) by about 2.5 and 3.5KiB respectively. The mechanical conversions all over the code were done with the following spatch: @@ expression SIZE, SRC; expression a; @@ -a = os_malloc(SIZE); +a = os_memdup(SRC, SIZE); <... if (!a) {...} ...> -os_memcpy(a, SRC, SIZE); Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2017-03-07 10:17:23 +01:00
sm->assoc_wpa_ie = os_memdup(wpa_ie, *wpa_ie_len);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
if (sm->assoc_wpa_ie == NULL)
return -1;
sm->assoc_wpa_ie_len = *wpa_ie_len;
WPA: Add debug print for not-update-own-IEs case This makes it easier to understand debug logs related to own WPA/RSN IE selection. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-22 21:47:30 +02:00
} else {
wpa_hexdump(MSG_DEBUG,
"WPA: Leave previously set WPA IE default",
sm->assoc_wpa_ie, sm->assoc_wpa_ie_len);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
}
return 0;
}
/**
* wpa_sm_set_assoc_wpa_ie - Set own WPA/RSN IE from (Re)AssocReq
* @sm: Pointer to WPA state machine data from wpa_sm_init()
* @ie: Pointer to IE data (starting from id)
* @len: IE length
* Returns: 0 on success, -1 on failure
*
* Inform WPA state machine about the WPA/RSN IE used in (Re)Association
* Request frame. The IE will be used to override the default value generated
* with wpa_sm_set_assoc_wpa_ie_default().
*/
int wpa_sm_set_assoc_wpa_ie(struct wpa_sm *sm, const u8 *ie, size_t len)
{
if (sm == NULL)
return -1;
os_free(sm->assoc_wpa_ie);
if (ie == NULL || len == 0) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
"WPA: clearing own WPA/RSN IE");
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
sm->assoc_wpa_ie = NULL;
sm->assoc_wpa_ie_len = 0;
} else {
wpa_hexdump(MSG_DEBUG, "WPA: set own WPA/RSN IE", ie, len);
Use os_memdup() This leads to cleaner code overall, and also reduces the size of the hostapd and wpa_supplicant binaries (in hwsim test build on x86_64) by about 2.5 and 3.5KiB respectively. The mechanical conversions all over the code were done with the following spatch: @@ expression SIZE, SRC; expression a; @@ -a = os_malloc(SIZE); +a = os_memdup(SRC, SIZE); <... if (!a) {...} ...> -os_memcpy(a, SRC, SIZE); Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2017-03-07 10:17:23 +01:00
sm->assoc_wpa_ie = os_memdup(ie, len);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
if (sm->assoc_wpa_ie == NULL)
return -1;
sm->assoc_wpa_ie_len = len;
}
return 0;
}
SAE: Add RSNXE in Association Request and EAPOL-Key msg 2/4 Add the new RSNXE into (Re)Association Request frames and EAPOL-Key msg 2/4 when using SAE with hash-to-element mechanism enabled. This allows the AP to verify that there was no downgrade attack when both PWE derivation mechanisms are enabled. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-17 15:54:05 +02:00
/**
* wpa_sm_set_assoc_rsnxe_default - Generate own RSNXE from configuration
* @sm: Pointer to WPA state machine data from wpa_sm_init()
* @rsnxe: Pointer to buffer for RSNXE
* @rsnxe_len: Pointer to the length of the rsne buffer
* Returns: 0 on success, -1 on failure
*/
int wpa_sm_set_assoc_rsnxe_default(struct wpa_sm *sm, u8 *rsnxe,
size_t *rsnxe_len)
{
int res;
if (!sm)
return -1;
res = wpa_gen_rsnxe(sm, rsnxe, *rsnxe_len);
if (res < 0)
return -1;
*rsnxe_len = res;
wpa_hexdump(MSG_DEBUG, "RSN: Set own RSNXE default", rsnxe, *rsnxe_len);
if (sm->assoc_rsnxe) {
wpa_hexdump(MSG_DEBUG,
"RSN: Leave previously set RSNXE default",
sm->assoc_rsnxe, sm->assoc_rsnxe_len);
} else if (*rsnxe_len > 0) {
/*
* Make a copy of the RSNXE so that 4-Way Handshake gets the
* correct version of the IE even if it gets changed.
*/
sm->assoc_rsnxe = os_memdup(rsnxe, *rsnxe_len);
if (!sm->assoc_rsnxe)
return -1;
sm->assoc_rsnxe_len = *rsnxe_len;
}
return 0;
}
/**
* wpa_sm_set_assoc_rsnxe - Set own RSNXE from (Re)AssocReq
* @sm: Pointer to WPA state machine data from wpa_sm_init()
* @ie: Pointer to IE data (starting from id)
* @len: IE length
* Returns: 0 on success, -1 on failure
*
* Inform WPA state machine about the RSNXE used in (Re)Association Request
* frame. The IE will be used to override the default value generated
* with wpa_sm_set_assoc_rsnxe_default().
*/
int wpa_sm_set_assoc_rsnxe(struct wpa_sm *sm, const u8 *ie, size_t len)
{
if (!sm)
return -1;
os_free(sm->assoc_rsnxe);
if (!ie || len == 0) {
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
"RSN: clearing own RSNXE");
sm->assoc_rsnxe = NULL;
sm->assoc_rsnxe_len = 0;
} else {
wpa_hexdump(MSG_DEBUG, "RSN: set own RSNXE", ie, len);
sm->assoc_rsnxe = os_memdup(ie, len);
if (!sm->assoc_rsnxe)
return -1;
sm->assoc_rsnxe_len = len;
}
return 0;
}
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
/**
* wpa_sm_set_ap_wpa_ie - Set AP WPA IE from Beacon/ProbeResp
* @sm: Pointer to WPA state machine data from wpa_sm_init()
* @ie: Pointer to IE data (starting from id)
* @len: IE length
* Returns: 0 on success, -1 on failure
*
* Inform WPA state machine about the WPA IE used in Beacon / Probe Response
* frame.
*/
int wpa_sm_set_ap_wpa_ie(struct wpa_sm *sm, const u8 *ie, size_t len)
{
if (sm == NULL)
return -1;
os_free(sm->ap_wpa_ie);
if (ie == NULL || len == 0) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
"WPA: clearing AP WPA IE");
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
sm->ap_wpa_ie = NULL;
sm->ap_wpa_ie_len = 0;
} else {
wpa_hexdump(MSG_DEBUG, "WPA: set AP WPA IE", ie, len);
Use os_memdup() This leads to cleaner code overall, and also reduces the size of the hostapd and wpa_supplicant binaries (in hwsim test build on x86_64) by about 2.5 and 3.5KiB respectively. The mechanical conversions all over the code were done with the following spatch: @@ expression SIZE, SRC; expression a; @@ -a = os_malloc(SIZE); +a = os_memdup(SRC, SIZE); <... if (!a) {...} ...> -os_memcpy(a, SRC, SIZE); Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2017-03-07 10:17:23 +01:00
sm->ap_wpa_ie = os_memdup(ie, len);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
if (sm->ap_wpa_ie == NULL)
return -1;
sm->ap_wpa_ie_len = len;
}
return 0;
}
/**
* wpa_sm_set_ap_rsn_ie - Set AP RSN IE from Beacon/ProbeResp
* @sm: Pointer to WPA state machine data from wpa_sm_init()
* @ie: Pointer to IE data (starting from id)
* @len: IE length
* Returns: 0 on success, -1 on failure
*
* Inform WPA state machine about the RSN IE used in Beacon / Probe Response
* frame.
*/
int wpa_sm_set_ap_rsn_ie(struct wpa_sm *sm, const u8 *ie, size_t len)
{
if (sm == NULL)
return -1;
os_free(sm->ap_rsn_ie);
if (ie == NULL || len == 0) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
"WPA: clearing AP RSN IE");
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
sm->ap_rsn_ie = NULL;
sm->ap_rsn_ie_len = 0;
} else {
wpa_hexdump(MSG_DEBUG, "WPA: set AP RSN IE", ie, len);
Use os_memdup() This leads to cleaner code overall, and also reduces the size of the hostapd and wpa_supplicant binaries (in hwsim test build on x86_64) by about 2.5 and 3.5KiB respectively. The mechanical conversions all over the code were done with the following spatch: @@ expression SIZE, SRC; expression a; @@ -a = os_malloc(SIZE); +a = os_memdup(SRC, SIZE); <... if (!a) {...} ...> -os_memcpy(a, SRC, SIZE); Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2017-03-07 10:17:23 +01:00
sm->ap_rsn_ie = os_memdup(ie, len);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
if (sm->ap_rsn_ie == NULL)
return -1;
sm->ap_rsn_ie_len = len;
}
return 0;
}
RSN: Verify RSNXE match between Beacon/ProbeResp and EAPOL-Key msg 3/4 If the AP advertises RSN Extension element, it has to be advertised consistently in the unprotected (Beacon and Probe Response) and protected (EAPOL-Key msg 3/4) frames. Verify that this is the case. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-09-06 13:51:31 +02:00
/**
* wpa_sm_set_ap_rsnxe - Set AP RSNXE from Beacon/ProbeResp
* @sm: Pointer to WPA state machine data from wpa_sm_init()
* @ie: Pointer to IE data (starting from id)
* @len: IE length
* Returns: 0 on success, -1 on failure
*
* Inform WPA state machine about the RSNXE used in Beacon / Probe Response
* frame.
*/
int wpa_sm_set_ap_rsnxe(struct wpa_sm *sm, const u8 *ie, size_t len)
{
if (!sm)
return -1;
os_free(sm->ap_rsnxe);
if (!ie || len == 0) {
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: clearing AP RSNXE");
sm->ap_rsnxe = NULL;
sm->ap_rsnxe_len = 0;
} else {
wpa_hexdump(MSG_DEBUG, "WPA: set AP RSNXE", ie, len);
sm->ap_rsnxe = os_memdup(ie, len);
if (!sm->ap_rsnxe)
return -1;
sm->ap_rsnxe_len = len;
}
return 0;
}
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
/**
* wpa_sm_parse_own_wpa_ie - Parse own WPA/RSN IE
* @sm: Pointer to WPA state machine data from wpa_sm_init()
* @data: Pointer to data area for parsing results
* Returns: 0 on success, -1 if IE is not known, or -2 on parsing failure
*
* Parse the contents of the own WPA or RSN IE from (Re)AssocReq and write the
* parsed data into data.
*/
int wpa_sm_parse_own_wpa_ie(struct wpa_sm *sm, struct wpa_ie_data *data)
{
Avoid theoretical NULL pointer dereference from debug code The change to use wpa_dbg() in wpa_sm_parse_own_wpa_ie() could result in a NULL pointer dereference if the function were called when WPA state machine has not been initialized. While this cannot really happen in practice, it is better to be prepared for that since that was the case before the wpa_dbg() change.
2011-04-14 01:32:07 +02:00
if (sm == NULL)
return -1;
if (sm->assoc_wpa_ie == NULL) {
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
"WPA: No WPA/RSN IE available from association info");
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-28 02:34:43 +01:00
return -1;
}
if (wpa_parse_wpa_ie(sm->assoc_wpa_ie, sm->assoc_wpa_ie_len, data))
return -2;
return 0;
}
Removed wpa_sm dereference from pmksa_cache_list()
2009-01-13 19:22:42 +01:00
int wpa_sm_pmksa_cache_list(struct wpa_sm *sm, char *buf, size_t len)
{
return pmksa_cache_list(sm->pmksa, buf, len);
}
Add a drop_sa command to allow 802.11w testing This drops PTK and PMK without notifying the AP.
2010-03-30 00:42:04 +02:00
External persistent storage for PMKSA cache entries This adds new wpa_supplicant control interface commands PMKSA_GET and PMKSA_ADD that can be used to store PMKSA cache entries in an external persistent storage when terminating a wpa_supplicant process and then restore those entries when starting a new process. The previously added PMKSA-CACHE-ADDED/REMOVED events can be used to help in synchronizing the external storage with the memory-only volatile storage within wpa_supplicant. "PMKSA_GET <network_id>" fetches all stored PMKSA cache entries bound to a specific network profile. The network_id of the current profile is available with the STATUS command (id=<network_id). In addition, the network_id is included in the PMKSA-CACHE-ADDED/REMOVED events. The output of the PMKSA_GET command uses the following format: <BSSID> <PMKID> <PMK> <reauth_time in seconds> <expiration in seconds> <akmp> <opportunistic> For example: 02:00:00:00:03:00 113b8b5dc8eda16594e8274df4caa3d4 355e98681d09e0b69d3a342f96998aa765d10c4459ac592459b5efc6b563eff6 30240 43200 1 0 02:00:00:00:04:00 bbdac8607aaaac28e16aacc9152ffe23 e3dd6adc390e685985e5f40e6fe72df846a0acadc59ba15c208d9cb41732a663 30240 43200 1 0 The PMKSA_GET command uses the following format: <network_id> <BSSID> <PMKID> <PMK> <reauth_time in seconds> <expiration in seconds> <akmp> <opportunistic> (i.e., "PMKSA_ADD <network_id> " prefix followed by a line of PMKSA_GET output data; however, the reauth_time and expiration values need to be updated by decrementing them by number of seconds between the PMKSA_GET and PMKSA_ADD commands) For example: PMKSA_ADD 0 02:00:00:00:03:00 113b8b5dc8eda16594e8274df4caa3d4 355e98681d09e0b69d3a342f96998aa765d10c4459ac592459b5efc6b563eff6 30140 43100 1 0 PMKSA_ADD 0 02:00:00:00:04:00 bbdac8607aaaac28e16aacc9152ffe23 e3dd6adc390e685985e5f40e6fe72df846a0acadc59ba15c208d9cb41732a663 30140 43100 1 0 This functionality is disabled be default and can be enabled with CONFIG_PMKSA_CACHE_EXTERNAL=y build configuration option. It should be noted that this allows any process that has access to the wpa_supplicant control interface to use PMKSA_ADD command to fetch keying material (PMK), so this is for environments in which the control interface access is restricted. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-12 22:47:04 +01:00
struct rsn_pmksa_cache_entry * wpa_sm_pmksa_cache_head(struct wpa_sm *sm)
{
return pmksa_cache_head(sm->pmksa);
}
struct rsn_pmksa_cache_entry *
wpa_sm_pmksa_cache_add_entry(struct wpa_sm *sm,
struct rsn_pmksa_cache_entry * entry)
{
return pmksa_cache_add_entry(sm->pmksa, entry);
}
FILS: Update PMKSA cache with FILS shared key offload Add a new PMKSA cache entry within wpa_supplicant if a driver event from offloaded FILS shared key authentication indicates a new PMKSA entry was created. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-03-22 11:40:05 +01:00
void wpa_sm_pmksa_cache_add(struct wpa_sm *sm, const u8 *pmk, size_t pmk_len,
const u8 *pmkid, const u8 *bssid,
const u8 *fils_cache_id)
{
sm->cur_pmksa = pmksa_cache_add(sm->pmksa, pmk, pmk_len, pmkid, NULL, 0,
bssid, sm->own_addr, sm->network_ctx,
sm->key_mgmt, fils_cache_id);
}
DPP: Add new AKM This new AKM is used with DPP when using the signed Connector to derive a PMK. Since the KCK, KEK, and MIC lengths are variable within a single AKM, this needs number of additional changes to get the PMK length delivered to places that need to figure out the lengths of the PTK components. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-17 22:48:52 +02:00
int wpa_sm_pmksa_exists(struct wpa_sm *sm, const u8 *bssid,
const void *network_ctx)
{
SAE: Only allow SAE AKMP for PMKSA caching attempts Explicitly check the PMKSA cache entry to have matching SAE AKMP for the case where determining whether to use PMKSA caching instead of new SAE authentication. Previously, only the network context was checked, but a single network configuration profile could be used with both WPA2-PSK and SAE, so should check the AKMP as well. Signed-off-by: Jouni Malinen <j@w1.fi>
2018-04-08 19:06:40 +02:00
return pmksa_cache_get(sm->pmksa, bssid, NULL, network_ctx, 0) != NULL;
DPP: Add new AKM This new AKM is used with DPP when using the signed Connector to derive a PMK. Since the KCK, KEK, and MIC lengths are variable within a single AKM, this needs number of additional changes to get the PMK length delivered to places that need to figure out the lengths of the PTK components. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-17 22:48:52 +02:00
}
WPA: Add a function to get PMKSA cache entry Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2020-12-16 12:00:25 +01:00
struct rsn_pmksa_cache_entry * wpa_sm_pmksa_cache_get(struct wpa_sm *sm,
const u8 *aa,
const u8 *pmkid,
const void *network_ctx,
int akmp)
{
return pmksa_cache_get(sm->pmksa, aa, pmkid, network_ctx, akmp);
}
Add a drop_sa command to allow 802.11w testing This drops PTK and PMK without notifying the AP.
2010-03-30 00:42:04 +02:00
void wpa_sm_drop_sa(struct wpa_sm *sm)
{
Use wpa_msg() instead of wpa_printf() This converts number of debugging messages to use wpa_msg() in order to allow the interface name to be shown with the messages. A new function, wpa_dbg(), is introduced to allow CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is otherwise identical with wpa_msg(), but it gets compiled out if stdout debugging is disabled.
2011-02-10 19:14:46 +01:00
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Clear old PMK and PTK");
Add a drop_sa command to allow 802.11w testing This drops PTK and PMK without notifying the AP.
2010-03-30 00:42:04 +02:00
sm->ptk_set = 0;
sm->tptk_set = 0;
Clear pmk_len more consistently for extra protection This gives more protection against unexpected behavior if RSN supplicant code ends up trying to use sm->pmk[] with a stale value. Couple of the code paths did not clear sm->pmk_len explicitly in cases where the old PMK is being removed, so cover those cases as well to make sure these will result in PMK-to-PTK derivation failures rather than use of incorrect PMK value if such a code path could be reached somehow. Signed-off-by: Jouni Malinen <j@w1.fi>
2018-04-08 18:42:52 +02:00
sm->pmk_len = 0;
Add a drop_sa command to allow 802.11w testing This drops PTK and PMK without notifying the AP.
2010-03-30 00:42:04 +02:00
os_memset(sm->pmk, 0, sizeof(sm->pmk));
os_memset(&sm->ptk, 0, sizeof(sm->ptk));
os_memset(&sm->tptk, 0, sizeof(sm->tptk));
Prevent reinstallation of an already in-use group key Track the current GTK and IGTK that is in use and when receiving a (possibly retransmitted) Group Message 1 or WNM-Sleep Mode Response, do not install the given key if it is already in use. This prevents an attacker from trying to trick the client into resetting or lowering the sequence counter associated to the group key. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2017-07-12 16:03:24 +02:00
os_memset(&sm->gtk, 0, sizeof(sm->gtk));
Extend protection of GTK/IGTK reinstallation of WNM-Sleep Mode cases This extends the protection to track last configured GTK/IGTK value separately from EAPOL-Key frames and WNM-Sleep Mode frames to cover a corner case where these two different mechanisms may get used when the GTK/IGTK has changed and tracking a single value is not sufficient to detect a possible key reconfiguration. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-10-01 11:12:24 +02:00
os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep));
Prevent reinstallation of an already in-use group key Track the current GTK and IGTK that is in use and when receiving a (possibly retransmitted) Group Message 1 or WNM-Sleep Mode Response, do not install the given key if it is already in use. This prevents an attacker from trying to trick the client into resetting or lowering the sequence counter associated to the group key. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2017-07-12 16:03:24 +02:00
os_memset(&sm->igtk, 0, sizeof(sm->igtk));
Extend protection of GTK/IGTK reinstallation of WNM-Sleep Mode cases This extends the protection to track last configured GTK/IGTK value separately from EAPOL-Key frames and WNM-Sleep Mode frames to cover a corner case where these two different mechanisms may get used when the GTK/IGTK has changed and tracking a single value is not sufficient to detect a possible key reconfiguration. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-10-01 11:12:24 +02:00
os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep));
Clear temporary keys from WPA supplicant state machine when not needed PMK and PTK are not needed in the supplicant state machine after disassociation since core wpa_supplicant will reconfigure them for the next association. As such, clear these from heap in wpa_sm_notify_disassoc() to reduce time and number of places storing key material in memory. In addition, clear FT keys in case of CONFIG_IEEE80211R=y build (sm->xxkey stored a copy of PSK in case of FT-PSK). Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-29 12:00:03 +01:00
#ifdef CONFIG_IEEE80211R
os_memset(sm->xxkey, 0, sizeof(sm->xxkey));
FT: Support variable length keys This is a step in adding support for SHA384-based FT AKM. Signed-off-by: Jouni Malinen <j@w1.fi>
2018-06-04 14:16:54 +02:00
sm->xxkey_len = 0;
Clear temporary keys from WPA supplicant state machine when not needed PMK and PTK are not needed in the supplicant state machine after disassociation since core wpa_supplicant will reconfigure them for the next association. As such, clear these from heap in wpa_sm_notify_disassoc() to reduce time and number of places storing key material in memory. In addition, clear FT keys in case of CONFIG_IEEE80211R=y build (sm->xxkey stored a copy of PSK in case of FT-PSK). Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-29 12:00:03 +01:00
os_memset(sm->pmk_r0, 0, sizeof(sm->pmk_r0));
FT: Support variable length keys This is a step in adding support for SHA384-based FT AKM. Signed-off-by: Jouni Malinen <j@w1.fi>
2018-06-04 14:16:54 +02:00
sm->pmk_r0_len = 0;
Clear temporary keys from WPA supplicant state machine when not needed PMK and PTK are not needed in the supplicant state machine after disassociation since core wpa_supplicant will reconfigure them for the next association. As such, clear these from heap in wpa_sm_notify_disassoc() to reduce time and number of places storing key material in memory. In addition, clear FT keys in case of CONFIG_IEEE80211R=y build (sm->xxkey stored a copy of PSK in case of FT-PSK). Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-29 12:00:03 +01:00
os_memset(sm->pmk_r1, 0, sizeof(sm->pmk_r1));
FT: Support variable length keys This is a step in adding support for SHA384-based FT AKM. Signed-off-by: Jouni Malinen <j@w1.fi>
2018-06-04 14:16:54 +02:00
sm->pmk_r1_len = 0;
PASN: Support PASN with FT key derivation Add support for PASN authentication with FT key derivation: - As IEEE P802.11az/D2.6 states that wrapped data is optional and is only needed for further validation of the FT security parameters, do not include them in the first PASN frame. - PASN with FT key derivation requires knowledge of the PMK-R1 and PMK-R1-Name for the target AP. As the WPA state machine stores PMK-R1, etc. only for the currently associated AP, store the mapping of BSSID to R1KH-ID for each previous association, so the R1KH-ID could be used to derive PMK-R1 and PMK-R1-Name. Do so instead of storing the PMK-R1 to avoid maintaining keys that might not be used. Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2020-12-16 12:01:03 +01:00
#ifdef CONFIG_PASN
os_free(sm->pasn_r1kh);
sm->pasn_r1kh = NULL;
sm->n_pasn_r1kh = 0;
#endif /* CONFIG_PASN */
Clear temporary keys from WPA supplicant state machine when not needed PMK and PTK are not needed in the supplicant state machine after disassociation since core wpa_supplicant will reconfigure them for the next association. As such, clear these from heap in wpa_sm_notify_disassoc() to reduce time and number of places storing key material in memory. In addition, clear FT keys in case of CONFIG_IEEE80211R=y build (sm->xxkey stored a copy of PSK in case of FT-PSK). Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-29 12:00:03 +01:00
#endif /* CONFIG_IEEE80211R */
Add a drop_sa command to allow 802.11w testing This drops PTK and PMK without notifying the AP.
2010-03-30 00:42:04 +02:00
}
SME: Do not try to use FT over-the-air if PTK is not available
2010-04-10 21:39:49 +02:00
int wpa_sm_has_ptk(struct wpa_sm *sm)
{
if (sm == NULL)
return 0;
return sm->ptk_set;
}
nl80211: Support GTK rekey offload Add support to wpa_supplicant for device-based GTK rekeying. In order to support that, pass the KEK, KCK, and replay counter to the driver, and handle rekey events that update the latter. Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2011-07-12 20:22:51 +02:00
Add no_encrypt flag for control port TX In order to correctly encrypt rekeying frames, wpa_supplicant now checks if a PTK is currently installed and sets the corresponding encrypt option for tx_control_port(). Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
2020-01-03 16:17:42 +01:00
int wpa_sm_has_ptk_installed(struct wpa_sm *sm)
{
if (!sm)
return 0;
return sm->ptk.installed;
}
nl80211: Support GTK rekey offload Add support to wpa_supplicant for device-based GTK rekeying. In order to support that, pass the KEK, KCK, and replay counter to the driver, and handle rekey events that update the latter. Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2011-07-12 20:22:51 +02:00
void wpa_sm_update_replay_ctr(struct wpa_sm *sm, const u8 *replay_ctr)
{
os_memcpy(sm->rx_replay_counter, replay_ctr, WPA_REPLAY_COUNTER_LEN);
}
Flush PMKSA cache entries and invalidate EAP state on network changes If a network configuration block is removed or modified, flush all PMKSA cache entries that were created using that network configuration. Similarly, invalidate EAP state (fast re-auth). The special case for OKC on wpa_supplicant reconfiguration (network_ctx pointer change) is now addressed as part of the PMKSA cache flushing, so it does not need a separate mechanism for clearing the network_ctx values in the PMKSA cache.
2011-09-07 16:46:00 +02:00
void wpa_sm_pmksa_cache_flush(struct wpa_sm *sm, void *network_ctx)
{
FILS: Flush external-PMKSA when connection fails without ERP keys External applications can store PMKSA entries persistently and reconfigure them to wpa_supplicant after restart. This can result in wpa_supplicant having a PMKSA for FILS authentication without having matching ERP keys for it which would prevent the previously added mechanism for dropping FILS PMKSA entries to recover from rejected association attempts. Fix this by clearing PMKSA entries configured by external applications upon FILS connection failure even when ERP keys are not available. Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2021-07-01 20:09:06 +02:00
pmksa_cache_flush(sm->pmksa, network_ctx, NULL, 0, false);
}
void wpa_sm_external_pmksa_cache_flush(struct wpa_sm *sm, void *network_ctx)
{
pmksa_cache_flush(sm->pmksa, network_ctx, NULL, 0, true);
Flush PMKSA cache entries and invalidate EAP state on network changes If a network configuration block is removed or modified, flush all PMKSA cache entries that were created using that network configuration. Similarly, invalidate EAP state (fast re-auth). The special case for OKC on wpa_supplicant reconfiguration (network_ctx pointer change) is now addressed as part of the PMKSA cache flushing, so it does not need a separate mechanism for clearing the network_ctx values in the PMKSA cache.
2011-09-07 16:46:00 +02:00
}
WNM: Add WNM-Sleep Mode for station mode Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-02-26 16:27:19 +01:00
WNM: Use CONFIG_WNM more consistently Replace CONFIG_IEEE80211V with CONFIG_WNM to get more consistent build options for WNM-Sleep Mode operations. Previously it was possible to define CONFIG_IEEE80211V without CONFIG_WNM which would break the build. In addition, IEEE 802.11v has been merged into IEEE Std 802.11-2012 and WNM is a better term to use for this new functionality anyway. Signed-hostap: Jouni Malinen <j@w1.fi>
2012-12-16 17:22:54 +01:00
#ifdef CONFIG_WNM
WNM: Add WNM-Sleep Mode for station mode Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-02-26 16:27:19 +01:00
int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf)
{
u16 keyinfo;
u8 keylen; /* plaintext key len */
u8 *key_rsc;
if (subelem_id == WNM_SLEEP_SUBELEM_GTK) {
Reduce the amount of time PTK/TPTK/GTK is kept in memory Some of the buffers used to keep a copy of PTK/TPTK/GTK in the supplicant implementation maintained a copy of the keys longer than necessary. Clear these buffers to zero when the key is not needed anymore to minimize the amount of time key material is kept in memory. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-04-16 00:27:10 +02:00
struct wpa_gtk_data gd;
os_memset(&gd, 0, sizeof(gd));
keylen = wpa_cipher_key_len(sm->group_cipher);
gd.key_rsc_len = wpa_cipher_rsc_len(sm->group_cipher);
gd.alg = wpa_cipher_to_alg(sm->group_cipher);
if (gd.alg == WPA_ALG_NONE) {
wpa_printf(MSG_DEBUG, "Unsupported group cipher suite");
return -1;
}
WNM: Add WNM-Sleep Mode for station mode Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-02-26 16:27:19 +01:00
key_rsc = buf + 5;
WNM: Fix GTK/IGTK parsing for WNM-Sleep Mode Response frame These fields do not use AES keywrap. Instead, they are protected with management frame protection (and not included if PMF is disabled). Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-12-16 11:48:34 +01:00
keyinfo = WPA_GET_LE16(buf + 2);
WNM: Add WNM-Sleep Mode for station mode Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-02-26 16:27:19 +01:00
gd.gtk_len = keylen;
if (gd.gtk_len != buf[4]) {
wpa_printf(MSG_DEBUG, "GTK len mismatch len %d vs %d",
gd.gtk_len, buf[4]);
return -1;
}
gd.keyidx = keyinfo & 0x03; /* B0 - B1 */
gd.tx = wpa_supplicant_gtk_tx_bit_workaround(
sm, !!(keyinfo & WPA_KEY_INFO_TXRX));
WNM: Fix GTK/IGTK parsing for WNM-Sleep Mode Response frame These fields do not use AES keywrap. Instead, they are protected with management frame protection (and not included if PMF is disabled). Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-12-16 11:48:34 +01:00
os_memcpy(gd.gtk, buf + 13, gd.gtk_len);
WNM: Add WNM-Sleep Mode for station mode Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-02-26 16:27:19 +01:00
wpa_hexdump_key(MSG_DEBUG, "Install GTK (WNM SLEEP)",
gd.gtk, gd.gtk_len);
Extend protection of GTK/IGTK reinstallation of WNM-Sleep Mode cases This extends the protection to track last configured GTK/IGTK value separately from EAPOL-Key frames and WNM-Sleep Mode frames to cover a corner case where these two different mechanisms may get used when the GTK/IGTK has changed and tracking a single value is not sufficient to detect a possible key reconfiguration. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-10-01 11:12:24 +02:00
if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 1)) {
More forceful clearing of stack memory with keys gcc 8.3.0 was apparently clever enough to optimize away the previously used os_memset() to explicitly clear a stack buffer that contains keys when that clearing happened just before returning from the function. Since memset_s() is not exactly portable (or commonly available yet..), use a less robust mechanism that is still pretty likely to prevent current compilers from optimizing the explicit clearing of the memory away. Signed-off-by: Jouni Malinen <j@w1.fi>
2019-05-25 23:47:17 +02:00
forced_memzero(&gd, sizeof(gd));
WNM: Add WNM-Sleep Mode for station mode Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-02-26 16:27:19 +01:00
wpa_printf(MSG_DEBUG, "Failed to install the GTK in "
"WNM mode");
return -1;
}
More forceful clearing of stack memory with keys gcc 8.3.0 was apparently clever enough to optimize away the previously used os_memset() to explicitly clear a stack buffer that contains keys when that clearing happened just before returning from the function. Since memset_s() is not exactly portable (or commonly available yet..), use a less robust mechanism that is still pretty likely to prevent current compilers from optimizing the explicit clearing of the memory away. Signed-off-by: Jouni Malinen <j@w1.fi>
2019-05-25 23:47:17 +02:00
forced_memzero(&gd, sizeof(gd));
WNM: Add WNM-Sleep Mode for station mode Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-02-26 16:27:19 +01:00
} else if (subelem_id == WNM_SLEEP_SUBELEM_IGTK) {
Prevent reinstallation of an already in-use group key Track the current GTK and IGTK that is in use and when receiving a (possibly retransmitted) Group Message 1 or WNM-Sleep Mode Response, do not install the given key if it is already in use. This prevents an attacker from trying to trick the client into resetting or lowering the sequence counter associated to the group key. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2017-07-12 16:03:24 +02:00
const struct wpa_igtk_kde *igtk;
igtk = (const struct wpa_igtk_kde *) (buf + 2);
Extend protection of GTK/IGTK reinstallation of WNM-Sleep Mode cases This extends the protection to track last configured GTK/IGTK value separately from EAPOL-Key frames and WNM-Sleep Mode frames to cover a corner case where these two different mechanisms may get used when the GTK/IGTK has changed and tracking a single value is not sufficient to detect a possible key reconfiguration. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-10-01 11:12:24 +02:00
if (wpa_supplicant_install_igtk(sm, igtk, 1) < 0)
WNM: Add WNM-Sleep Mode for station mode Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-02-26 16:27:19 +01:00
return -1;
Configure received BIGTK on station/supplicant side Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-17 23:06:26 +01:00
} else if (subelem_id == WNM_SLEEP_SUBELEM_BIGTK) {
const struct wpa_bigtk_kde *bigtk;
bigtk = (const struct wpa_bigtk_kde *) (buf + 2);
if (sm->beacon_prot &&
wpa_supplicant_install_bigtk(sm, bigtk, 1) < 0)
return -1;
WNM: Add WNM-Sleep Mode for station mode Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-02-26 16:27:19 +01:00
} else {
wpa_printf(MSG_DEBUG, "Unknown element id");
return -1;
}
return 0;
}
WNM: Use CONFIG_WNM more consistently Replace CONFIG_IEEE80211V with CONFIG_WNM to get more consistent build options for WNM-Sleep Mode operations. Previously it was possible to define CONFIG_IEEE80211V without CONFIG_WNM which would break the build. In addition, IEEE 802.11v has been merged into IEEE Std 802.11-2012 and WNM is a better term to use for this new functionality anyway. Signed-hostap: Jouni Malinen <j@w1.fi>
2012-12-16 17:22:54 +01:00
#endif /* CONFIG_WNM */
Fix PeerKey 4-way handshake The earlier changes to buffer EAPOL frames when not associated to avoid race conditions (especially commit 3ab35a660364dc68eaebfc0df6130071bbee6be5 but maybe something even before that) broke PeerKey 4-way handshake. Fix this by using a separate check before the race condition workaround to process PeerKey 4-way handshake EAPOL-Key messages differently. Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-28 10:40:23 +01:00
P2P: Add support for IP address assignment in 4-way handshake This new mechanism allows P2P Client to request an IPv4 address from the GO as part of the 4-way handshake to avoid use of DHCP exchange after 4-way handshake. If the new mechanism is used, the assigned IP address is shown in the P2P-GROUP-STARTED event on the client side with following new parameters: ip_addr, ip_mask, go_ip_addr. The assigned IP address is included in the AP-STA-CONNECTED event on the GO side as a new ip_addr parameter. The IP address is valid for the duration of the association. The IP address pool for this new mechanism is configured as global wpa_supplicant configuration file parameters ip_addr_go, ip_addr_mask, ip_addr_star, ip_addr_end. For example: ip_addr_go=192.168.42.1 ip_addr_mask=255.255.255.0 ip_addr_start=192.168.42.2 ip_addr_end=192.168.42.100 DHCP mechanism is expected to be enabled at the same time to support P2P Devices that do not use the new mechanism. The easiest way of managing the IP addresses is by splitting the IP address range into two parts and assign a separate range for wpa_supplicant and DHCP server. Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-03-16 18:13:31 +01:00
#ifdef CONFIG_P2P
int wpa_sm_get_p2p_ip_addr(struct wpa_sm *sm, u8 *buf)
{
if (sm == NULL || WPA_GET_BE32(sm->p2p_ip_addr) == 0)
return -1;
os_memcpy(buf, sm->p2p_ip_addr, 3 * 4);
return 0;
}
#endif /* CONFIG_P2P */
Add support for offloading key management operations to the driver This commit introduces a QCA vendor command and event to provide an option to use extended versions of the nl80211 connect/roam operations in a way that allows drivers to offload key management operations to the driver/firmware. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-10-23 17:21:49 +02:00
void wpa_sm_set_rx_replay_ctr(struct wpa_sm *sm, const u8 *rx_replay_counter)
{
if (rx_replay_counter == NULL)
return;
os_memcpy(sm->rx_replay_counter, rx_replay_counter,
WPA_REPLAY_COUNTER_LEN);
sm->rx_replay_counter_set = 1;
wpa_printf(MSG_DEBUG, "Updated key replay counter");
}
Preparations for variable length KCK and KEK This modifies struct wpa_ptk to allow the length of KCK and KEK to be stored. This is needed to allow longer keys to be used, e.g., with Suite B 192-bit level. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-25 15:49:18 +01:00
void wpa_sm_set_ptk_kck_kek(struct wpa_sm *sm,
const u8 *ptk_kck, size_t ptk_kck_len,
const u8 *ptk_kek, size_t ptk_kek_len)
Add support for offloading key management operations to the driver This commit introduces a QCA vendor command and event to provide an option to use extended versions of the nl80211 connect/roam operations in a way that allows drivers to offload key management operations to the driver/firmware. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-10-23 17:21:49 +02:00
{
Preparations for variable length KCK and KEK This modifies struct wpa_ptk to allow the length of KCK and KEK to be stored. This is needed to allow longer keys to be used, e.g., with Suite B 192-bit level. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-25 15:49:18 +01:00
if (ptk_kck && ptk_kck_len <= WPA_KCK_MAX_LEN) {
os_memcpy(sm->ptk.kck, ptk_kck, ptk_kck_len);
sm->ptk.kck_len = ptk_kck_len;
Add support for offloading key management operations to the driver This commit introduces a QCA vendor command and event to provide an option to use extended versions of the nl80211 connect/roam operations in a way that allows drivers to offload key management operations to the driver/firmware. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-10-23 17:21:49 +02:00
wpa_printf(MSG_DEBUG, "Updated PTK KCK");
}
Preparations for variable length KCK and KEK This modifies struct wpa_ptk to allow the length of KCK and KEK to be stored. This is needed to allow longer keys to be used, e.g., with Suite B 192-bit level. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-25 15:49:18 +01:00
if (ptk_kek && ptk_kek_len <= WPA_KEK_MAX_LEN) {
os_memcpy(sm->ptk.kek, ptk_kek, ptk_kek_len);
sm->ptk.kek_len = ptk_kek_len;
Add support for offloading key management operations to the driver This commit introduces a QCA vendor command and event to provide an option to use extended versions of the nl80211 connect/roam operations in a way that allows drivers to offload key management operations to the driver/firmware. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-10-23 17:21:49 +02:00
wpa_printf(MSG_DEBUG, "Updated PTK KEK");
}
sm->ptk_set = 1;
}
Add TEST_ASSOC_IE for WPA/RSN IE testing on AP side The new wpa_supplicant control interface command "TEST_ASSOC_IE <hexdump>" can now be used to override the WPA/RSN IE for Association Request frame and following 4-way handshake to allow protocol testing of AP side processing of WPA/RSN IE. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-06 18:30:59 +01:00
#ifdef CONFIG_TESTING_OPTIONS
Make last received ANonce available through control interface This makes it easier to debug 4-way handshake implementation issues without having to use a sniffer. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-10-14 16:58:11 +02:00
Add TEST_ASSOC_IE for WPA/RSN IE testing on AP side The new wpa_supplicant control interface command "TEST_ASSOC_IE <hexdump>" can now be used to override the WPA/RSN IE for Association Request frame and following 4-way handshake to allow protocol testing of AP side processing of WPA/RSN IE. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-06 18:30:59 +01:00
void wpa_sm_set_test_assoc_ie(struct wpa_sm *sm, struct wpabuf *buf)
{
wpabuf_free(sm->test_assoc_ie);
sm->test_assoc_ie = buf;
}
Make last received ANonce available through control interface This makes it easier to debug 4-way handshake implementation issues without having to use a sniffer. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-10-14 16:58:11 +02:00
const u8 * wpa_sm_get_anonce(struct wpa_sm *sm)
{
return sm->anonce;
}
Add TEST_ASSOC_IE for WPA/RSN IE testing on AP side The new wpa_supplicant control interface command "TEST_ASSOC_IE <hexdump>" can now be used to override the WPA/RSN IE for Association Request frame and following 4-way handshake to allow protocol testing of AP side processing of WPA/RSN IE. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-06 18:30:59 +01:00
#endif /* CONFIG_TESTING_OPTIONS */
FILS: Try to use FILS authentication if PMKSA or ERP entry is available If a PMKSA cache entry for the target AP is available, try to use FILS with PMKSA caching. If an ERP key for the target AP is available, try to use FILS with EAP-Initiate/Re-auth added as Wrapper Data element. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-04 14:32:07 +02:00
FT: Add MDE to assoc request IEs in connect params Add MDE (mobility domain element) to Association Request frame IEs in the driver assoc params. wpa_supplicant will add MDE only if the network profile allows FT, the selected AP supports FT, and the mobility domain ID matches. Signed-off-by: Ahmad Masri <amasri@codeaurora.org>
2018-04-16 12:52:27 +02:00
unsigned int wpa_sm_get_key_mgmt(struct wpa_sm *sm)
{
return sm->key_mgmt;
}
FILS: Try to use FILS authentication if PMKSA or ERP entry is available If a PMKSA cache entry for the target AP is available, try to use FILS with PMKSA caching. If an ERP key for the target AP is available, try to use FILS with EAP-Initiate/Re-auth added as Wrapper Data element. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-04 14:32:07 +02:00
#ifdef CONFIG_FILS
FILS: Add MDE into Authentication frame for FILS+FT When using FILS for FT initial mobility domain association, add MDE to the Authentication frame from the STA to indicate this special case for FILS authentication. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-04-02 12:22:52 +02:00
struct wpabuf * fils_build_auth(struct wpa_sm *sm, int dh_group, const u8 *md)
FILS: Try to use FILS authentication if PMKSA or ERP entry is available If a PMKSA cache entry for the target AP is available, try to use FILS with PMKSA caching. If an ERP key for the target AP is available, try to use FILS with EAP-Initiate/Re-auth added as Wrapper Data element. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-04 14:32:07 +02:00
{
struct wpabuf *buf = NULL;
struct wpabuf *erp_msg;
FILS: Add FILS SK auth PFS support in STA mode This adds an option to configure wpa_supplicant to use the perfect forward secrecy option in FILS shared key authentication. A new build option CONFIG_FILS_SK_PFS=y can be used to include this functionality. A new runtime network profile parameter fils_dh_group is used to enable this by specifying which DH group to use. For example, fils_dh_group=19 would use FILS SK PFS with a 256-bit random ECP group. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 21:45:35 +01:00
struct wpabuf *pub = NULL;
FILS: Try to use FILS authentication if PMKSA or ERP entry is available If a PMKSA cache entry for the target AP is available, try to use FILS with PMKSA caching. If an ERP key for the target AP is available, try to use FILS with EAP-Initiate/Re-auth added as Wrapper Data element. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-04 14:32:07 +02:00
erp_msg = eapol_sm_build_erp_reauth_start(sm->eapol);
if (!erp_msg && !sm->cur_pmksa) {
wpa_printf(MSG_DEBUG,
"FILS: Neither ERP EAP-Initiate/Re-auth nor PMKSA cache entry is available - skip FILS");
goto fail;
}
wpa_printf(MSG_DEBUG, "FILS: Try to use FILS (erp=%d pmksa_cache=%d)",
erp_msg != NULL, sm->cur_pmksa != NULL);
FILS: Association Response processing (STA) Decrypt the AES-SIV protected elements and verify Key-Auth. Parse and configure keys to the driver. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-09 16:34:13 +02:00
sm->fils_completed = 0;
FILS: Try to use FILS authentication if PMKSA or ERP entry is available If a PMKSA cache entry for the target AP is available, try to use FILS with PMKSA caching. If an ERP key for the target AP is available, try to use FILS with EAP-Initiate/Re-auth added as Wrapper Data element. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-04 14:32:07 +02:00
if (!sm->assoc_wpa_ie) {
wpa_printf(MSG_INFO, "FILS: No own RSN IE set for FILS");
goto fail;
}
if (random_get_bytes(sm->fils_nonce, FILS_NONCE_LEN) < 0 ||
random_get_bytes(sm->fils_session, FILS_SESSION_LEN) < 0)
goto fail;
wpa_hexdump(MSG_DEBUG, "FILS: Generated FILS Nonce",
sm->fils_nonce, FILS_NONCE_LEN);
wpa_hexdump(MSG_DEBUG, "FILS: Generated FILS Session",
sm->fils_session, FILS_SESSION_LEN);
FILS: Add FILS SK auth PFS support in STA mode This adds an option to configure wpa_supplicant to use the perfect forward secrecy option in FILS shared key authentication. A new build option CONFIG_FILS_SK_PFS=y can be used to include this functionality. A new runtime network profile parameter fils_dh_group is used to enable this by specifying which DH group to use. For example, fils_dh_group=19 would use FILS SK PFS with a 256-bit random ECP group. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 21:45:35 +01:00
#ifdef CONFIG_FILS_SK_PFS
sm->fils_dh_group = dh_group;
if (dh_group) {
crypto_ecdh_deinit(sm->fils_ecdh);
sm->fils_ecdh = crypto_ecdh_init(dh_group);
if (!sm->fils_ecdh) {
wpa_printf(MSG_INFO,
"FILS: Could not initialize ECDH with group %d",
dh_group);
goto fail;
}
pub = crypto_ecdh_get_pubkey(sm->fils_ecdh, 1);
if (!pub)
goto fail;
wpa_hexdump_buf(MSG_DEBUG, "FILS: Element (DH public key)",
pub);
sm->fils_dh_elem_len = wpabuf_len(pub);
}
#endif /* CONFIG_FILS_SK_PFS */
buf = wpabuf_alloc(1000 + sm->assoc_wpa_ie_len +
(pub ? wpabuf_len(pub) : 0));
FILS: Try to use FILS authentication if PMKSA or ERP entry is available If a PMKSA cache entry for the target AP is available, try to use FILS with PMKSA caching. If an ERP key for the target AP is available, try to use FILS with EAP-Initiate/Re-auth added as Wrapper Data element. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-04 14:32:07 +02:00
if (!buf)
goto fail;
/* Fields following the Authentication algorithm number field */
/* Authentication Transaction seq# */
wpabuf_put_le16(buf, 1);
/* Status Code */
wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
FILS: Add FILS SK auth PFS support in STA mode This adds an option to configure wpa_supplicant to use the perfect forward secrecy option in FILS shared key authentication. A new build option CONFIG_FILS_SK_PFS=y can be used to include this functionality. A new runtime network profile parameter fils_dh_group is used to enable this by specifying which DH group to use. For example, fils_dh_group=19 would use FILS SK PFS with a 256-bit random ECP group. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 21:45:35 +01:00
/* TODO: FILS PK */
#ifdef CONFIG_FILS_SK_PFS
if (dh_group) {
/* Finite Cyclic Group */
wpabuf_put_le16(buf, dh_group);
/* Element */
wpabuf_put_buf(buf, pub);
}
#endif /* CONFIG_FILS_SK_PFS */
FILS: Try to use FILS authentication if PMKSA or ERP entry is available If a PMKSA cache entry for the target AP is available, try to use FILS with PMKSA caching. If an ERP key for the target AP is available, try to use FILS with EAP-Initiate/Re-auth added as Wrapper Data element. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-04 14:32:07 +02:00
/* RSNE */
wpa_hexdump(MSG_DEBUG, "FILS: RSNE in FILS Authentication frame",
sm->assoc_wpa_ie, sm->assoc_wpa_ie_len);
wpabuf_put_data(buf, sm->assoc_wpa_ie, sm->assoc_wpa_ie_len);
FILS: Add MDE into Authentication frame for FILS+FT When using FILS for FT initial mobility domain association, add MDE to the Authentication frame from the STA to indicate this special case for FILS authentication. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-04-02 12:22:52 +02:00
if (md) {
/* MDE when using FILS for FT initial association */
struct rsn_mdie *mdie;
wpabuf_put_u8(buf, WLAN_EID_MOBILITY_DOMAIN);
wpabuf_put_u8(buf, sizeof(*mdie));
mdie = wpabuf_put(buf, sizeof(*mdie));
os_memcpy(mdie->mobility_domain, md, MOBILITY_DOMAIN_ID_LEN);
mdie->ft_capab = 0;
}
FILS: Try to use FILS authentication if PMKSA or ERP entry is available If a PMKSA cache entry for the target AP is available, try to use FILS with PMKSA caching. If an ERP key for the target AP is available, try to use FILS with EAP-Initiate/Re-auth added as Wrapper Data element. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-04 14:32:07 +02:00
/* FILS Nonce */
wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
wpabuf_put_u8(buf, 1 + FILS_NONCE_LEN); /* Length */
/* Element ID Extension */
wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_NONCE);
wpabuf_put_data(buf, sm->fils_nonce, FILS_NONCE_LEN);
/* FILS Session */
wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
wpabuf_put_u8(buf, 1 + FILS_SESSION_LEN); /* Length */
/* Element ID Extension */
wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_SESSION);
wpabuf_put_data(buf, sm->fils_session, FILS_SESSION_LEN);
WPA: Rename FILS wrapped data IEEE P802.11az/D2.0 renamed the FILS Wrapped Data element, removing the FILS prefix. Change the code accordingly. Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2020-02-24 10:14:32 +01:00
/* Wrapped Data */
FILS: Fix PMK and PMKID derivation from ERP This adds helper functions for deriving PMK and PMKID from ERP exchange in FILS shared key authentication as defined in IEEE Std 802.11ai-2016, 12.12.2.5.2 (PMKSA key derivation with FILS authentication). These functions is used to fix PMK and PMKID derivation which were previously using the rMSK directly as PMK instead of following the FILS protocol to derive PMK with HMAC from nonces and rMSK. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-01-13 20:06:21 +01:00
sm->fils_erp_pmkid_set = 0;
FILS: Try to use FILS authentication if PMKSA or ERP entry is available If a PMKSA cache entry for the target AP is available, try to use FILS with PMKSA caching. If an ERP key for the target AP is available, try to use FILS with EAP-Initiate/Re-auth added as Wrapper Data element. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-04 14:32:07 +02:00
if (erp_msg) {
wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
wpabuf_put_u8(buf, 1 + wpabuf_len(erp_msg)); /* Length */
/* Element ID Extension */
WPA: Rename FILS wrapped data IEEE P802.11az/D2.0 renamed the FILS Wrapped Data element, removing the FILS prefix. Change the code accordingly. Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2020-02-24 10:14:32 +01:00
wpabuf_put_u8(buf, WLAN_EID_EXT_WRAPPED_DATA);
FILS: Try to use FILS authentication if PMKSA or ERP entry is available If a PMKSA cache entry for the target AP is available, try to use FILS with PMKSA caching. If an ERP key for the target AP is available, try to use FILS with EAP-Initiate/Re-auth added as Wrapper Data element. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-04 14:32:07 +02:00
wpabuf_put_buf(buf, erp_msg);
FILS: Fix PMK and PMKID derivation from ERP This adds helper functions for deriving PMK and PMKID from ERP exchange in FILS shared key authentication as defined in IEEE Std 802.11ai-2016, 12.12.2.5.2 (PMKSA key derivation with FILS authentication). These functions is used to fix PMK and PMKID derivation which were previously using the rMSK directly as PMK instead of following the FILS protocol to derive PMK with HMAC from nonces and rMSK. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-01-13 20:06:21 +01:00
/* Calculate pending PMKID here so that we do not need to
* maintain a copy of the EAP-Initiate/Reauth message. */
if (fils_pmkid_erp(sm->key_mgmt, wpabuf_head(erp_msg),
wpabuf_len(erp_msg),
sm->fils_erp_pmkid) == 0)
sm->fils_erp_pmkid_set = 1;
FILS: Try to use FILS authentication if PMKSA or ERP entry is available If a PMKSA cache entry for the target AP is available, try to use FILS with PMKSA caching. If an ERP key for the target AP is available, try to use FILS with EAP-Initiate/Re-auth added as Wrapper Data element. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-04 14:32:07 +02:00
}
wpa_hexdump_buf(MSG_DEBUG, "RSN: FILS fields for Authentication frame",
buf);
fail:
wpabuf_free(erp_msg);
FILS: Add FILS SK auth PFS support in STA mode This adds an option to configure wpa_supplicant to use the perfect forward secrecy option in FILS shared key authentication. A new build option CONFIG_FILS_SK_PFS=y can be used to include this functionality. A new runtime network profile parameter fils_dh_group is used to enable this by specifying which DH group to use. For example, fils_dh_group=19 would use FILS SK PFS with a 256-bit random ECP group. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 21:45:35 +01:00
wpabuf_free(pub);
FILS: Try to use FILS authentication if PMKSA or ERP entry is available If a PMKSA cache entry for the target AP is available, try to use FILS with PMKSA caching. If an ERP key for the target AP is available, try to use FILS with EAP-Initiate/Re-auth added as Wrapper Data element. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-04 14:32:07 +02:00
return buf;
}
FILS: Authentication frame processing (STA) Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-07 23:14:13 +02:00
FILS: Fix BSSID in reassociation case The RSN supplicant implementation needs to be updated to use the new BSSID whenever doing FILS authentication. Previously, this was only done when notifying association and that was too late for the case of reassociation. Fix this by providing the new BSSID when calling fils_process_auth(). This makes PTK derivation use the correct BSSID. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-21 11:25:02 +01:00
int fils_process_auth(struct wpa_sm *sm, const u8 *bssid, const u8 *data,
size_t len)
FILS: Authentication frame processing (STA) Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-07 23:14:13 +02:00
{
const u8 *pos, *end;
struct ieee802_11_elems elems;
struct wpa_ie_data rsn;
int pmkid_match = 0;
u8 ick[FILS_ICK_MAX_LEN];
size_t ick_len;
int res;
FILS: Add FILS SK auth PFS support in STA mode This adds an option to configure wpa_supplicant to use the perfect forward secrecy option in FILS shared key authentication. A new build option CONFIG_FILS_SK_PFS=y can be used to include this functionality. A new runtime network profile parameter fils_dh_group is used to enable this by specifying which DH group to use. For example, fils_dh_group=19 would use FILS SK PFS with a 256-bit random ECP group. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 21:45:35 +01:00
struct wpabuf *dh_ss = NULL;
FILS: Fix Key-Auth derivation for SK+PFS for supplicant side The conditional gSTA and gAP (DH public keys) were not previously included in Key-Auth derivation, but they are needed for the PFS case. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-05-07 16:02:47 +02:00
const u8 *g_sta = NULL;
size_t g_sta_len = 0;
const u8 *g_ap = NULL;
WPA: Support deriving KDK based on capabilities Derive the KDK as part of PMK to PTK derivation if forced by configuration or in case both the local station and the AP declare support for secure LTF. Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2020-12-16 12:01:39 +01:00
size_t g_ap_len = 0, kdk_len;
FILS: Fix Key-Auth derivation for SK+PFS for supplicant side The conditional gSTA and gAP (DH public keys) were not previously included in Key-Auth derivation, but they are needed for the PFS case. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-05-07 16:02:47 +02:00
struct wpabuf *pub = NULL;
FILS: Authentication frame processing (STA) Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-07 23:14:13 +02:00
FILS: Fix BSSID in reassociation case The RSN supplicant implementation needs to be updated to use the new BSSID whenever doing FILS authentication. Previously, this was only done when notifying association and that was too late for the case of reassociation. Fix this by providing the new BSSID when calling fils_process_auth(). This makes PTK derivation use the correct BSSID. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-21 11:25:02 +01:00
os_memcpy(sm->bssid, bssid, ETH_ALEN);
FILS: Authentication frame processing (STA) Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-07 23:14:13 +02:00
wpa_hexdump(MSG_DEBUG, "FILS: Authentication frame fields",
data, len);
pos = data;
end = data + len;
FILS: Add FILS SK auth PFS support in STA mode This adds an option to configure wpa_supplicant to use the perfect forward secrecy option in FILS shared key authentication. A new build option CONFIG_FILS_SK_PFS=y can be used to include this functionality. A new runtime network profile parameter fils_dh_group is used to enable this by specifying which DH group to use. For example, fils_dh_group=19 would use FILS SK PFS with a 256-bit random ECP group. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 21:45:35 +01:00
/* TODO: FILS PK */
#ifdef CONFIG_FILS_SK_PFS
if (sm->fils_dh_group) {
u16 group;
/* Using FILS PFS */
/* Finite Cyclic Group */
if (end - pos < 2) {
wpa_printf(MSG_DEBUG,
"FILS: No room for Finite Cyclic Group");
goto fail;
}
group = WPA_GET_LE16(pos);
pos += 2;
if (group != sm->fils_dh_group) {
wpa_printf(MSG_DEBUG,
"FILS: Unexpected change in Finite Cyclic Group: %u (expected %u)",
group, sm->fils_dh_group);
goto fail;
}
/* Element */
if ((size_t) (end - pos) < sm->fils_dh_elem_len) {
wpa_printf(MSG_DEBUG, "FILS: No room for Element");
goto fail;
}
if (!sm->fils_ecdh) {
wpa_printf(MSG_DEBUG, "FILS: No ECDH state available");
goto fail;
}
dh_ss = crypto_ecdh_set_peerkey(sm->fils_ecdh, 1, pos,
sm->fils_dh_elem_len);
if (!dh_ss) {
wpa_printf(MSG_DEBUG, "FILS: ECDH operation failed");
goto fail;
}
wpa_hexdump_buf_key(MSG_DEBUG, "FILS: DH_SS", dh_ss);
FILS: Fix Key-Auth derivation for SK+PFS for supplicant side The conditional gSTA and gAP (DH public keys) were not previously included in Key-Auth derivation, but they are needed for the PFS case. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-05-07 16:02:47 +02:00
g_ap = pos;
g_ap_len = sm->fils_dh_elem_len;
FILS: Add FILS SK auth PFS support in STA mode This adds an option to configure wpa_supplicant to use the perfect forward secrecy option in FILS shared key authentication. A new build option CONFIG_FILS_SK_PFS=y can be used to include this functionality. A new runtime network profile parameter fils_dh_group is used to enable this by specifying which DH group to use. For example, fils_dh_group=19 would use FILS SK PFS with a 256-bit random ECP group. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 21:45:35 +01:00
pos += sm->fils_dh_elem_len;
}
#endif /* CONFIG_FILS_SK_PFS */
FILS: Authentication frame processing (STA) Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-07 23:14:13 +02:00
wpa_hexdump(MSG_DEBUG, "FILS: Remaining IEs", pos, end - pos);
if (ieee802_11_parse_elems(pos, end - pos, &elems, 1) == ParseFailed) {
wpa_printf(MSG_DEBUG, "FILS: Could not parse elements");
FILS: Add FILS SK auth PFS support in STA mode This adds an option to configure wpa_supplicant to use the perfect forward secrecy option in FILS shared key authentication. A new build option CONFIG_FILS_SK_PFS=y can be used to include this functionality. A new runtime network profile parameter fils_dh_group is used to enable this by specifying which DH group to use. For example, fils_dh_group=19 would use FILS SK PFS with a 256-bit random ECP group. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 21:45:35 +01:00
goto fail;
FILS: Authentication frame processing (STA) Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-07 23:14:13 +02:00
}
/* RSNE */
wpa_hexdump(MSG_DEBUG, "FILS: RSN element", elems.rsn_ie,
elems.rsn_ie_len);
if (!elems.rsn_ie ||
wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
&rsn) < 0) {
wpa_printf(MSG_DEBUG, "FILS: No RSN element");
FILS: Add FILS SK auth PFS support in STA mode This adds an option to configure wpa_supplicant to use the perfect forward secrecy option in FILS shared key authentication. A new build option CONFIG_FILS_SK_PFS=y can be used to include this functionality. A new runtime network profile parameter fils_dh_group is used to enable this by specifying which DH group to use. For example, fils_dh_group=19 would use FILS SK PFS with a 256-bit random ECP group. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 21:45:35 +01:00
goto fail;
FILS: Authentication frame processing (STA) Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-07 23:14:13 +02:00
}
if (!elems.fils_nonce) {
wpa_printf(MSG_DEBUG, "FILS: No FILS Nonce field");
FILS: Add FILS SK auth PFS support in STA mode This adds an option to configure wpa_supplicant to use the perfect forward secrecy option in FILS shared key authentication. A new build option CONFIG_FILS_SK_PFS=y can be used to include this functionality. A new runtime network profile parameter fils_dh_group is used to enable this by specifying which DH group to use. For example, fils_dh_group=19 would use FILS SK PFS with a 256-bit random ECP group. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 21:45:35 +01:00
goto fail;
FILS: Authentication frame processing (STA) Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-07 23:14:13 +02:00
}
os_memcpy(sm->fils_anonce, elems.fils_nonce, FILS_NONCE_LEN);
wpa_hexdump(MSG_DEBUG, "FILS: ANonce", sm->fils_anonce, FILS_NONCE_LEN);
FILS: Fix CONFIG_FILS=y build without CONFIG_IEEE80211R=y Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-03-26 11:33:52 +02:00
#ifdef CONFIG_IEEE80211R
FILS: Derive FT key hierarchy on supplicant side for FILS+FT Derive PMK-R0 and the relevant key names when using FILS authentication for initial FT mobility domain association. Fill in the FT IEs in (Re)Association Request frame for this. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-05-07 11:00:27 +02:00
if (wpa_key_mgmt_ft(sm->key_mgmt)) {
struct wpa_ft_ies parse;
if (!elems.mdie || !elems.ftie) {
wpa_printf(MSG_DEBUG, "FILS+FT: No MDE or FTE");
goto fail;
}
FT: FTE parsing for SHA384-based AKM The MIC field is now a variable length field, so make the FTE parser aware of the two different field lengths. Signed-off-by: Jouni Malinen <j@w1.fi>
2018-06-04 14:16:54 +02:00
if (wpa_ft_parse_ies(pos, end - pos, &parse,
wpa_key_mgmt_sha384(sm->key_mgmt)) < 0) {
FILS: Derive FT key hierarchy on supplicant side for FILS+FT Derive PMK-R0 and the relevant key names when using FILS authentication for initial FT mobility domain association. Fill in the FT IEs in (Re)Association Request frame for this. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-05-07 11:00:27 +02:00
wpa_printf(MSG_DEBUG, "FILS+FT: Failed to parse IEs");
goto fail;
}
if (!parse.r0kh_id) {
wpa_printf(MSG_DEBUG,
"FILS+FT: No R0KH-ID subelem in FTE");
goto fail;
}
os_memcpy(sm->r0kh_id, parse.r0kh_id, parse.r0kh_id_len);
sm->r0kh_id_len = parse.r0kh_id_len;
wpa_hexdump_ascii(MSG_DEBUG, "FILS+FT: R0KH-ID",
sm->r0kh_id, sm->r0kh_id_len);
if (!parse.r1kh_id) {
wpa_printf(MSG_DEBUG,
"FILS+FT: No R1KH-ID subelem in FTE");
goto fail;
}
os_memcpy(sm->r1kh_id, parse.r1kh_id, FT_R1KH_ID_LEN);
wpa_hexdump(MSG_DEBUG, "FILS+FT: R1KH-ID",
sm->r1kh_id, FT_R1KH_ID_LEN);
/* TODO: Check MDE and FTE payload */
wpabuf_free(sm->fils_ft_ies);
sm->fils_ft_ies = wpabuf_alloc(2 + elems.mdie_len +
2 + elems.ftie_len);
if (!sm->fils_ft_ies)
goto fail;
wpabuf_put_data(sm->fils_ft_ies, elems.mdie - 2,
2 + elems.mdie_len);
wpabuf_put_data(sm->fils_ft_ies, elems.ftie - 2,
2 + elems.ftie_len);
} else {
wpabuf_free(sm->fils_ft_ies);
sm->fils_ft_ies = NULL;
}
FILS: Fix CONFIG_FILS=y build without CONFIG_IEEE80211R=y Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-03-26 11:33:52 +02:00
#endif /* CONFIG_IEEE80211R */
FILS: Authentication frame processing (STA) Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-07 23:14:13 +02:00
/* PMKID List */
if (rsn.pmkid && rsn.num_pmkid > 0) {
wpa_hexdump(MSG_DEBUG, "FILS: PMKID List",
rsn.pmkid, rsn.num_pmkid * PMKID_LEN);
if (rsn.num_pmkid != 1) {
wpa_printf(MSG_DEBUG, "FILS: Invalid PMKID selection");
FILS: Add FILS SK auth PFS support in STA mode This adds an option to configure wpa_supplicant to use the perfect forward secrecy option in FILS shared key authentication. A new build option CONFIG_FILS_SK_PFS=y can be used to include this functionality. A new runtime network profile parameter fils_dh_group is used to enable this by specifying which DH group to use. For example, fils_dh_group=19 would use FILS SK PFS with a 256-bit random ECP group. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 21:45:35 +01:00
goto fail;
FILS: Authentication frame processing (STA) Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-07 23:14:13 +02:00
}
wpa_hexdump(MSG_DEBUG, "FILS: PMKID", rsn.pmkid, PMKID_LEN);
if (os_memcmp(sm->cur_pmksa->pmkid, rsn.pmkid, PMKID_LEN) != 0)
{
wpa_printf(MSG_DEBUG, "FILS: PMKID mismatch");
wpa_hexdump(MSG_DEBUG, "FILS: Expected PMKID",
sm->cur_pmksa->pmkid, PMKID_LEN);
FILS: Add FILS SK auth PFS support in STA mode This adds an option to configure wpa_supplicant to use the perfect forward secrecy option in FILS shared key authentication. A new build option CONFIG_FILS_SK_PFS=y can be used to include this functionality. A new runtime network profile parameter fils_dh_group is used to enable this by specifying which DH group to use. For example, fils_dh_group=19 would use FILS SK PFS with a 256-bit random ECP group. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 21:45:35 +01:00
goto fail;
FILS: Authentication frame processing (STA) Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-07 23:14:13 +02:00
}
wpa_printf(MSG_DEBUG,
"FILS: Matching PMKID - continue using PMKSA caching");
pmkid_match = 1;
}
if (!pmkid_match && sm->cur_pmksa) {
wpa_printf(MSG_DEBUG,
"FILS: No PMKID match - cannot use cached PMKSA entry");
sm->cur_pmksa = NULL;
}
/* FILS Session */
if (!elems.fils_session) {
wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
FILS: Add FILS SK auth PFS support in STA mode This adds an option to configure wpa_supplicant to use the perfect forward secrecy option in FILS shared key authentication. A new build option CONFIG_FILS_SK_PFS=y can be used to include this functionality. A new runtime network profile parameter fils_dh_group is used to enable this by specifying which DH group to use. For example, fils_dh_group=19 would use FILS SK PFS with a 256-bit random ECP group. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 21:45:35 +01:00
goto fail;
FILS: Authentication frame processing (STA) Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-07 23:14:13 +02:00
}
wpa_hexdump(MSG_DEBUG, "FILS: FILS Session", elems.fils_session,
FILS_SESSION_LEN);
if (os_memcmp(sm->fils_session, elems.fils_session, FILS_SESSION_LEN)
!= 0) {
wpa_printf(MSG_DEBUG, "FILS: Session mismatch");
wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session",
sm->fils_session, FILS_SESSION_LEN);
FILS: Add FILS SK auth PFS support in STA mode This adds an option to configure wpa_supplicant to use the perfect forward secrecy option in FILS shared key authentication. A new build option CONFIG_FILS_SK_PFS=y can be used to include this functionality. A new runtime network profile parameter fils_dh_group is used to enable this by specifying which DH group to use. For example, fils_dh_group=19 would use FILS SK PFS with a 256-bit random ECP group. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 21:45:35 +01:00
goto fail;
FILS: Authentication frame processing (STA) Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-07 23:14:13 +02:00
}
WPA: Rename FILS wrapped data IEEE P802.11az/D2.0 renamed the FILS Wrapped Data element, removing the FILS prefix. Change the code accordingly. Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2020-02-24 10:14:32 +01:00
/* Wrapped Data */
if (!sm->cur_pmksa && elems.wrapped_data) {
FILS: Fix PMK and PMKID derivation from ERP This adds helper functions for deriving PMK and PMKID from ERP exchange in FILS shared key authentication as defined in IEEE Std 802.11ai-2016, 12.12.2.5.2 (PMKSA key derivation with FILS authentication). These functions is used to fix PMK and PMKID derivation which were previously using the rMSK directly as PMK instead of following the FILS protocol to derive PMK with HMAC from nonces and rMSK. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-01-13 20:06:21 +01:00
u8 rmsk[ERP_MAX_KEY_LEN];
size_t rmsk_len;
FILS: Authentication frame processing (STA) Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-07 23:14:13 +02:00
wpa_hexdump(MSG_DEBUG, "FILS: Wrapped Data",
WPA: Rename FILS wrapped data IEEE P802.11az/D2.0 renamed the FILS Wrapped Data element, removing the FILS prefix. Change the code accordingly. Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2020-02-24 10:14:32 +01:00
elems.wrapped_data,
elems.wrapped_data_len);
eapol_sm_process_erp_finish(sm->eapol, elems.wrapped_data,
elems.wrapped_data_len);
FILS: Authentication frame processing (STA) Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-07 23:14:13 +02:00
if (eapol_sm_failed(sm->eapol))
FILS: Add FILS SK auth PFS support in STA mode This adds an option to configure wpa_supplicant to use the perfect forward secrecy option in FILS shared key authentication. A new build option CONFIG_FILS_SK_PFS=y can be used to include this functionality. A new runtime network profile parameter fils_dh_group is used to enable this by specifying which DH group to use. For example, fils_dh_group=19 would use FILS SK PFS with a 256-bit random ECP group. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 21:45:35 +01:00
goto fail;
FILS: Authentication frame processing (STA) Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-07 23:14:13 +02:00
FILS: Fix PMK and PMKID derivation from ERP This adds helper functions for deriving PMK and PMKID from ERP exchange in FILS shared key authentication as defined in IEEE Std 802.11ai-2016, 12.12.2.5.2 (PMKSA key derivation with FILS authentication). These functions is used to fix PMK and PMKID derivation which were previously using the rMSK directly as PMK instead of following the FILS protocol to derive PMK with HMAC from nonces and rMSK. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-01-13 20:06:21 +01:00
rmsk_len = ERP_MAX_KEY_LEN;
res = eapol_sm_get_key(sm->eapol, rmsk, rmsk_len);
if (res == PMK_LEN) {
rmsk_len = PMK_LEN;
res = eapol_sm_get_key(sm->eapol, rmsk, rmsk_len);
}
FILS: Authentication frame processing (STA) Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-07 23:14:13 +02:00
if (res)
FILS: Add FILS SK auth PFS support in STA mode This adds an option to configure wpa_supplicant to use the perfect forward secrecy option in FILS shared key authentication. A new build option CONFIG_FILS_SK_PFS=y can be used to include this functionality. A new runtime network profile parameter fils_dh_group is used to enable this by specifying which DH group to use. For example, fils_dh_group=19 would use FILS SK PFS with a 256-bit random ECP group. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 21:45:35 +01:00
goto fail;
FILS: Authentication frame processing (STA) Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-07 23:14:13 +02:00
FILS: Fix PMK and PMKID derivation from ERP This adds helper functions for deriving PMK and PMKID from ERP exchange in FILS shared key authentication as defined in IEEE Std 802.11ai-2016, 12.12.2.5.2 (PMKSA key derivation with FILS authentication). These functions is used to fix PMK and PMKID derivation which were previously using the rMSK directly as PMK instead of following the FILS protocol to derive PMK with HMAC from nonces and rMSK. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-01-13 20:06:21 +01:00
res = fils_rmsk_to_pmk(sm->key_mgmt, rmsk, rmsk_len,
FILS: Add FILS SK auth PFS support in STA mode This adds an option to configure wpa_supplicant to use the perfect forward secrecy option in FILS shared key authentication. A new build option CONFIG_FILS_SK_PFS=y can be used to include this functionality. A new runtime network profile parameter fils_dh_group is used to enable this by specifying which DH group to use. For example, fils_dh_group=19 would use FILS SK PFS with a 256-bit random ECP group. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 21:45:35 +01:00
sm->fils_nonce, sm->fils_anonce,
dh_ss ? wpabuf_head(dh_ss) : NULL,
dh_ss ? wpabuf_len(dh_ss) : 0,
FILS: Fix PMK and PMKID derivation from ERP This adds helper functions for deriving PMK and PMKID from ERP exchange in FILS shared key authentication as defined in IEEE Std 802.11ai-2016, 12.12.2.5.2 (PMKSA key derivation with FILS authentication). These functions is used to fix PMK and PMKID derivation which were previously using the rMSK directly as PMK instead of following the FILS protocol to derive PMK with HMAC from nonces and rMSK. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-01-13 20:06:21 +01:00
sm->pmk, &sm->pmk_len);
More forceful clearing of stack memory with keys gcc 8.3.0 was apparently clever enough to optimize away the previously used os_memset() to explicitly clear a stack buffer that contains keys when that clearing happened just before returning from the function. Since memset_s() is not exactly portable (or commonly available yet..), use a less robust mechanism that is still pretty likely to prevent current compilers from optimizing the explicit clearing of the memory away. Signed-off-by: Jouni Malinen <j@w1.fi>
2019-05-25 23:47:17 +02:00
forced_memzero(rmsk, sizeof(rmsk));
FILS: Add DHss into FILS-Key-Data derivation when using FILS SK+PFS This part is missing from IEEE Std 802.11ai-2016, but the lack of DHss here means there would not be proper PFS for the case where PMKSA caching is used with FILS SK+PFS authentication. This was not really the intent of the FILS design and that issue was fixed during REVmd work with the changes proposed in https://mentor.ieee.org/802.11/dcn/17/11-17-0906-04-000m-fils-fixes.docx that add DHss into FILS-Key-Data (and PTK, in practice) derivation for the PMKSA caching case so that a unique ICK, KEK, and TK are derived even when using the same PMK. Note: This is not backwards compatible, i.e., this breaks PMKSA caching with FILS SK+PFS if only STA or AP side implementation is updated. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-09-13 20:36:05 +02:00
/* Don't use DHss in PTK derivation if PMKSA caching is not
* used. */
FILS: Add FILS SK auth PFS support in STA mode This adds an option to configure wpa_supplicant to use the perfect forward secrecy option in FILS shared key authentication. A new build option CONFIG_FILS_SK_PFS=y can be used to include this functionality. A new runtime network profile parameter fils_dh_group is used to enable this by specifying which DH group to use. For example, fils_dh_group=19 would use FILS SK PFS with a 256-bit random ECP group. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 21:45:35 +01:00
wpabuf_clear_free(dh_ss);
dh_ss = NULL;
FILS: Add DHss into FILS-Key-Data derivation when using FILS SK+PFS This part is missing from IEEE Std 802.11ai-2016, but the lack of DHss here means there would not be proper PFS for the case where PMKSA caching is used with FILS SK+PFS authentication. This was not really the intent of the FILS design and that issue was fixed during REVmd work with the changes proposed in https://mentor.ieee.org/802.11/dcn/17/11-17-0906-04-000m-fils-fixes.docx that add DHss into FILS-Key-Data (and PTK, in practice) derivation for the PMKSA caching case so that a unique ICK, KEK, and TK are derived even when using the same PMK. Note: This is not backwards compatible, i.e., this breaks PMKSA caching with FILS SK+PFS if only STA or AP side implementation is updated. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-09-13 20:36:05 +02:00
FILS: Stop processing if fils_rmsk_to_pmk() fails While the key derivation steps are not expected to fail, this was already done on the AP side, so do the same in the STA side. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-05 13:38:07 +01:00
if (res)
FILS: Add FILS SK auth PFS support in STA mode This adds an option to configure wpa_supplicant to use the perfect forward secrecy option in FILS shared key authentication. A new build option CONFIG_FILS_SK_PFS=y can be used to include this functionality. A new runtime network profile parameter fils_dh_group is used to enable this by specifying which DH group to use. For example, fils_dh_group=19 would use FILS SK PFS with a 256-bit random ECP group. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 21:45:35 +01:00
goto fail;
FILS: Fix PMK and PMKID derivation from ERP This adds helper functions for deriving PMK and PMKID from ERP exchange in FILS shared key authentication as defined in IEEE Std 802.11ai-2016, 12.12.2.5.2 (PMKSA key derivation with FILS authentication). These functions is used to fix PMK and PMKID derivation which were previously using the rMSK directly as PMK instead of following the FILS protocol to derive PMK with HMAC from nonces and rMSK. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-01-13 20:06:21 +01:00
if (!sm->fils_erp_pmkid_set) {
wpa_printf(MSG_DEBUG, "FILS: PMKID not available");
FILS: Add FILS SK auth PFS support in STA mode This adds an option to configure wpa_supplicant to use the perfect forward secrecy option in FILS shared key authentication. A new build option CONFIG_FILS_SK_PFS=y can be used to include this functionality. A new runtime network profile parameter fils_dh_group is used to enable this by specifying which DH group to use. For example, fils_dh_group=19 would use FILS SK PFS with a 256-bit random ECP group. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 21:45:35 +01:00
goto fail;
FILS: Fix PMK and PMKID derivation from ERP This adds helper functions for deriving PMK and PMKID from ERP exchange in FILS shared key authentication as defined in IEEE Std 802.11ai-2016, 12.12.2.5.2 (PMKSA key derivation with FILS authentication). These functions is used to fix PMK and PMKID derivation which were previously using the rMSK directly as PMK instead of following the FILS protocol to derive PMK with HMAC from nonces and rMSK. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-01-13 20:06:21 +01:00
}
wpa_hexdump(MSG_DEBUG, "FILS: PMKID", sm->fils_erp_pmkid,
PMKID_LEN);
FILS: Authentication frame processing (STA) Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-07 23:14:13 +02:00
wpa_printf(MSG_DEBUG, "FILS: ERP processing succeeded - add PMKSA cache entry for the result");
FILS: Fix PMK and PMKID derivation from ERP This adds helper functions for deriving PMK and PMKID from ERP exchange in FILS shared key authentication as defined in IEEE Std 802.11ai-2016, 12.12.2.5.2 (PMKSA key derivation with FILS authentication). These functions is used to fix PMK and PMKID derivation which were previously using the rMSK directly as PMK instead of following the FILS protocol to derive PMK with HMAC from nonces and rMSK. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-01-13 20:06:21 +01:00
sm->cur_pmksa = pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len,
sm->fils_erp_pmkid, NULL, 0,
sm->bssid, sm->own_addr,
FILS: Use FILS Cache Identifier to extend PMKSA applicability This allows PMKSA cache entries for FILS-enabled BSSs to be shared within an ESS when the BSSs advertise the same FILS Cache Identifier value. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-21 11:22:19 +01:00
sm->network_ctx, sm->key_mgmt,
NULL);
FILS: Authentication frame processing (STA) Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-07 23:14:13 +02:00
}
if (!sm->cur_pmksa) {
wpa_printf(MSG_DEBUG,
"FILS: No remaining options to continue FILS authentication");
FILS: Add FILS SK auth PFS support in STA mode This adds an option to configure wpa_supplicant to use the perfect forward secrecy option in FILS shared key authentication. A new build option CONFIG_FILS_SK_PFS=y can be used to include this functionality. A new runtime network profile parameter fils_dh_group is used to enable this by specifying which DH group to use. For example, fils_dh_group=19 would use FILS SK PFS with a 256-bit random ECP group. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 21:45:35 +01:00
goto fail;
FILS: Authentication frame processing (STA) Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-07 23:14:13 +02:00
}
WPA: Support deriving KDK based on capabilities Derive the KDK as part of PMK to PTK derivation if forced by configuration or in case both the local station and the AP declare support for secure LTF. Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2020-12-16 12:01:39 +01:00
if (sm->force_kdk_derivation ||
Add helper functions for parsing RSNXE capabilities Simplify the implementation by using shared functions for parsing the capabilities instead of using various similar but not exactly identical checks throughout the implementation. Signed-off-by: Jouni Malinen <j@w1.fi>
2021-04-10 11:43:38 +02:00
(sm->secure_ltf &&
ieee802_11_rsnx_capab(sm->ap_rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF)))
WPA: Support deriving KDK based on capabilities Derive the KDK as part of PMK to PTK derivation if forced by configuration or in case both the local station and the AP declare support for secure LTF. Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2020-12-16 12:01:39 +01:00
kdk_len = WPA_KDK_MAX_LEN;
else
kdk_len = 0;
FILS: Authentication frame processing (STA) Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-07 23:14:13 +02:00
if (fils_pmk_to_ptk(sm->pmk, sm->pmk_len, sm->own_addr, sm->bssid,
FILS: Add DHss into FILS-Key-Data derivation when using FILS SK+PFS This part is missing from IEEE Std 802.11ai-2016, but the lack of DHss here means there would not be proper PFS for the case where PMKSA caching is used with FILS SK+PFS authentication. This was not really the intent of the FILS design and that issue was fixed during REVmd work with the changes proposed in https://mentor.ieee.org/802.11/dcn/17/11-17-0906-04-000m-fils-fixes.docx that add DHss into FILS-Key-Data (and PTK, in practice) derivation for the PMKSA caching case so that a unique ICK, KEK, and TK are derived even when using the same PMK. Note: This is not backwards compatible, i.e., this breaks PMKSA caching with FILS SK+PFS if only STA or AP side implementation is updated. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-09-13 20:36:05 +02:00
sm->fils_nonce, sm->fils_anonce,
dh_ss ? wpabuf_head(dh_ss) : NULL,
dh_ss ? wpabuf_len(dh_ss) : 0,
&sm->ptk, ick, &ick_len,
sm->key_mgmt, sm->pairwise_cipher,
FILS: Extend the fils_pmk_to_ptk() function to also derive KDK Extend the fils_pmk_to_ptk() to also derive Key Derivation Key (KDK) which can later be used for secure LTF measurements. Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2020-12-16 12:00:19 +01:00
sm->fils_ft, &sm->fils_ft_len,
WPA: Support deriving KDK based on capabilities Derive the KDK as part of PMK to PTK derivation if forced by configuration or in case both the local station and the AP declare support for secure LTF. Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2020-12-16 12:01:39 +01:00
kdk_len) < 0) {
FILS: Authentication frame processing (STA) Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-07 23:14:13 +02:00
wpa_printf(MSG_DEBUG, "FILS: Failed to derive PTK");
FILS: Add FILS SK auth PFS support in STA mode This adds an option to configure wpa_supplicant to use the perfect forward secrecy option in FILS shared key authentication. A new build option CONFIG_FILS_SK_PFS=y can be used to include this functionality. A new runtime network profile parameter fils_dh_group is used to enable this by specifying which DH group to use. For example, fils_dh_group=19 would use FILS SK PFS with a 256-bit random ECP group. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 21:45:35 +01:00
goto fail;
FILS: Authentication frame processing (STA) Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-07 23:14:13 +02:00
}
FILS: Add DHss into FILS-Key-Data derivation when using FILS SK+PFS This part is missing from IEEE Std 802.11ai-2016, but the lack of DHss here means there would not be proper PFS for the case where PMKSA caching is used with FILS SK+PFS authentication. This was not really the intent of the FILS design and that issue was fixed during REVmd work with the changes proposed in https://mentor.ieee.org/802.11/dcn/17/11-17-0906-04-000m-fils-fixes.docx that add DHss into FILS-Key-Data (and PTK, in practice) derivation for the PMKSA caching case so that a unique ICK, KEK, and TK are derived even when using the same PMK. Note: This is not backwards compatible, i.e., this breaks PMKSA caching with FILS SK+PFS if only STA or AP side implementation is updated. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-09-13 20:36:05 +02:00
wpabuf_clear_free(dh_ss);
dh_ss = NULL;
FILS: Authentication frame processing (STA) Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-07 23:14:13 +02:00
sm->ptk_set = 1;
sm->tptk_set = 0;
os_memset(&sm->tptk, 0, sizeof(sm->tptk));
FILS: Fix Key-Auth derivation for SK+PFS for supplicant side The conditional gSTA and gAP (DH public keys) were not previously included in Key-Auth derivation, but they are needed for the PFS case. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-05-07 16:02:47 +02:00
#ifdef CONFIG_FILS_SK_PFS
if (sm->fils_dh_group) {
if (!sm->fils_ecdh) {
wpa_printf(MSG_INFO, "FILS: ECDH not initialized");
goto fail;
}
pub = crypto_ecdh_get_pubkey(sm->fils_ecdh, 1);
if (!pub)
goto fail;
wpa_hexdump_buf(MSG_DEBUG, "FILS: gSTA", pub);
g_sta = wpabuf_head(pub);
g_sta_len = wpabuf_len(pub);
if (!g_ap) {
wpa_printf(MSG_INFO, "FILS: gAP not available");
goto fail;
}
wpa_hexdump(MSG_DEBUG, "FILS: gAP", g_ap, g_ap_len);
}
#endif /* CONFIG_FILS_SK_PFS */
FILS: Authentication frame processing (STA) Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-07 23:14:13 +02:00
res = fils_key_auth_sk(ick, ick_len, sm->fils_nonce,
sm->fils_anonce, sm->own_addr, sm->bssid,
FILS: Fix Key-Auth derivation for SK+PFS for supplicant side The conditional gSTA and gAP (DH public keys) were not previously included in Key-Auth derivation, but they are needed for the PFS case. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-05-07 16:02:47 +02:00
g_sta, g_sta_len, g_ap, g_ap_len,
FILS: Authentication frame processing (STA) Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-07 23:14:13 +02:00
sm->key_mgmt, sm->fils_key_auth_sta,
sm->fils_key_auth_ap,
&sm->fils_key_auth_len);
FILS: Fix Key-Auth derivation for SK+PFS for supplicant side The conditional gSTA and gAP (DH public keys) were not previously included in Key-Auth derivation, but they are needed for the PFS case. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-05-07 16:02:47 +02:00
wpabuf_free(pub);
More forceful clearing of stack memory with keys gcc 8.3.0 was apparently clever enough to optimize away the previously used os_memset() to explicitly clear a stack buffer that contains keys when that clearing happened just before returning from the function. Since memset_s() is not exactly portable (or commonly available yet..), use a less robust mechanism that is still pretty likely to prevent current compilers from optimizing the explicit clearing of the memory away. Signed-off-by: Jouni Malinen <j@w1.fi>
2019-05-25 23:47:17 +02:00
forced_memzero(ick, sizeof(ick));
FILS: Authentication frame processing (STA) Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-07 23:14:13 +02:00
return res;
FILS: Add FILS SK auth PFS support in STA mode This adds an option to configure wpa_supplicant to use the perfect forward secrecy option in FILS shared key authentication. A new build option CONFIG_FILS_SK_PFS=y can be used to include this functionality. A new runtime network profile parameter fils_dh_group is used to enable this by specifying which DH group to use. For example, fils_dh_group=19 would use FILS SK PFS with a 256-bit random ECP group. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 21:45:35 +01:00
fail:
FILS: Fix Key-Auth derivation for SK+PFS for supplicant side The conditional gSTA and gAP (DH public keys) were not previously included in Key-Auth derivation, but they are needed for the PFS case. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-05-07 16:02:47 +02:00
wpabuf_free(pub);
FILS: Add FILS SK auth PFS support in STA mode This adds an option to configure wpa_supplicant to use the perfect forward secrecy option in FILS shared key authentication. A new build option CONFIG_FILS_SK_PFS=y can be used to include this functionality. A new runtime network profile parameter fils_dh_group is used to enable this by specifying which DH group to use. For example, fils_dh_group=19 would use FILS SK PFS with a 256-bit random ECP group. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 21:45:35 +01:00
wpabuf_clear_free(dh_ss);
return -1;
FILS: Authentication frame processing (STA) Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-07 23:14:13 +02:00
}
FILS: Add elements to FILS Association Request frame Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-08 19:58:53 +02:00
FILS: Derive FT key hierarchy on supplicant side for FILS+FT Derive PMK-R0 and the relevant key names when using FILS authentication for initial FT mobility domain association. Fill in the FT IEs in (Re)Association Request frame for this. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-05-07 11:00:27 +02:00
#ifdef CONFIG_IEEE80211R
static int fils_ft_build_assoc_req_rsne(struct wpa_sm *sm, struct wpabuf *buf)
{
struct rsn_ie_hdr *rsnie;
u16 capab;
u8 *pos;
FT: PMK-R0 derivation using SHA384-based AKM Signed-off-by: Jouni Malinen <j@w1.fi>
2018-06-04 14:16:54 +02:00
int use_sha384 = wpa_key_mgmt_sha384(sm->key_mgmt);
FILS: Derive FT key hierarchy on supplicant side for FILS+FT Derive PMK-R0 and the relevant key names when using FILS authentication for initial FT mobility domain association. Fill in the FT IEs in (Re)Association Request frame for this. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-05-07 11:00:27 +02:00
/* RSNIE[PMKR0Name/PMKR1Name] */
rsnie = wpabuf_put(buf, sizeof(*rsnie));
rsnie->elem_id = WLAN_EID_RSN;
WPA_PUT_LE16(rsnie->version, RSN_VERSION);
/* Group Suite Selector */
if (!wpa_cipher_valid_group(sm->group_cipher)) {
wpa_printf(MSG_WARNING, "FT: Invalid group cipher (%d)",
sm->group_cipher);
return -1;
}
pos = wpabuf_put(buf, RSN_SELECTOR_LEN);
RSN_SELECTOR_PUT(pos, wpa_cipher_to_suite(WPA_PROTO_RSN,
sm->group_cipher));
/* Pairwise Suite Count */
wpabuf_put_le16(buf, 1);
/* Pairwise Suite List */
if (!wpa_cipher_valid_pairwise(sm->pairwise_cipher)) {
wpa_printf(MSG_WARNING, "FT: Invalid pairwise cipher (%d)",
sm->pairwise_cipher);
return -1;
}
pos = wpabuf_put(buf, RSN_SELECTOR_LEN);
RSN_SELECTOR_PUT(pos, wpa_cipher_to_suite(WPA_PROTO_RSN,
sm->pairwise_cipher));
/* Authenticated Key Management Suite Count */
wpabuf_put_le16(buf, 1);
/* Authenticated Key Management Suite List */
pos = wpabuf_put(buf, RSN_SELECTOR_LEN);
if (sm->key_mgmt == WPA_KEY_MGMT_FT_FILS_SHA256)
RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_FILS_SHA256);
else if (sm->key_mgmt == WPA_KEY_MGMT_FT_FILS_SHA384)
RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_FILS_SHA384);
else {
wpa_printf(MSG_WARNING,
"FILS+FT: Invalid key management type (%d)",
sm->key_mgmt);
return -1;
}
/* RSN Capabilities */
capab = 0;
FILS+FT: Fix MFPR flag in RSNE during FILS exchange for FT Commit e820cf952f29 ("MFP: Add MFPR flag into station RSN IE if 802.11w is mandatory") added indication of MFPR flag in non-FT cases and was further extended to cover FT protocol in commit ded56f2fafb0 ("FT: Fix MFPR flag in RSNE during FT protocol"). Similar fix is needed for FILS+FT as well. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-09-27 00:49:36 +02:00
if (sm->mfp)
FILS: Derive FT key hierarchy on supplicant side for FILS+FT Derive PMK-R0 and the relevant key names when using FILS authentication for initial FT mobility domain association. Fill in the FT IEs in (Re)Association Request frame for this. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-05-07 11:00:27 +02:00
capab |= WPA_CAPABILITY_MFPC;
FILS+FT: Fix MFPR flag in RSNE during FILS exchange for FT Commit e820cf952f29 ("MFP: Add MFPR flag into station RSN IE if 802.11w is mandatory") added indication of MFPR flag in non-FT cases and was further extended to cover FT protocol in commit ded56f2fafb0 ("FT: Fix MFPR flag in RSNE during FT protocol"). Similar fix is needed for FILS+FT as well. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-09-27 00:49:36 +02:00
if (sm->mfp == 2)
capab |= WPA_CAPABILITY_MFPR;
OCV: Advertise OCV capability in RSN capabilities (STA) Set the OCV bit in RSN capabilities (RSNE) based on station mode configuration. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-08-06 21:46:25 +02:00
if (sm->ocv)
capab |= WPA_CAPABILITY_OCVC;
STA: Support Extended Key ID Support Extended Key ID in wpa_supplicant according to IEEE Std 802.11-2016 for infrastructure (AP) associations. Extended Key ID allows to rekey pairwise keys without the otherwise unavoidable MPDU losses on a busy link. The standard is fully backward compatible, allowing STAs to also connect to APs not supporting it. Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-20 20:04:32 +01:00
if (sm->ext_key_id)
capab |= WPA_CAPABILITY_EXT_KEY_ID_FOR_UNICAST;
FILS: Derive FT key hierarchy on supplicant side for FILS+FT Derive PMK-R0 and the relevant key names when using FILS authentication for initial FT mobility domain association. Fill in the FT IEs in (Re)Association Request frame for this. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-05-07 11:00:27 +02:00
wpabuf_put_le16(buf, capab);
/* PMKID Count */
wpabuf_put_le16(buf, 1);
/* PMKID List [PMKR1Name] */
wpa_hexdump_key(MSG_DEBUG, "FILS+FT: XXKey (FILS-FT)",
sm->fils_ft, sm->fils_ft_len);
wpa_hexdump_ascii(MSG_DEBUG, "FILS+FT: SSID", sm->ssid, sm->ssid_len);
wpa_hexdump(MSG_DEBUG, "FILS+FT: MDID",
sm->mobility_domain, MOBILITY_DOMAIN_ID_LEN);
wpa_hexdump_ascii(MSG_DEBUG, "FILS+FT: R0KH-ID",
sm->r0kh_id, sm->r0kh_id_len);
if (wpa_derive_pmk_r0(sm->fils_ft, sm->fils_ft_len, sm->ssid,
sm->ssid_len, sm->mobility_domain,
sm->r0kh_id, sm->r0kh_id_len, sm->own_addr,
FT: PMK-R0 derivation using SHA384-based AKM Signed-off-by: Jouni Malinen <j@w1.fi>
2018-06-04 14:16:54 +02:00
sm->pmk_r0, sm->pmk_r0_name, use_sha384) < 0) {
FILS: Derive FT key hierarchy on supplicant side for FILS+FT Derive PMK-R0 and the relevant key names when using FILS authentication for initial FT mobility domain association. Fill in the FT IEs in (Re)Association Request frame for this. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-05-07 11:00:27 +02:00
wpa_printf(MSG_WARNING, "FILS+FT: Could not derive PMK-R0");
return -1;
}
FT: PMK-R0 derivation using SHA384-based AKM Signed-off-by: Jouni Malinen <j@w1.fi>
2018-06-04 14:16:54 +02:00
sm->pmk_r0_len = use_sha384 ? SHA384_MAC_LEN : PMK_LEN;
FILS: Derive FT key hierarchy on supplicant side for FILS+FT Derive PMK-R0 and the relevant key names when using FILS authentication for initial FT mobility domain association. Fill in the FT IEs in (Re)Association Request frame for this. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-05-07 11:00:27 +02:00
wpa_printf(MSG_DEBUG, "FILS+FT: R1KH-ID: " MACSTR,
MAC2STR(sm->r1kh_id));
pos = wpabuf_put(buf, WPA_PMK_NAME_LEN);
if (wpa_derive_pmk_r1_name(sm->pmk_r0_name, sm->r1kh_id, sm->own_addr,
FILS+FT: STA mode validation of PMKR1Name in initial MD association Verify that the AP uses matching PMKR1Name in (Re)Association Response frame when going through FT initial mobility domain association using FILS. Thise step was missing from the initial implementation, but is needed to match the IEEE 802.11ai requirements for explicit confirmation of the FT key hierarchy (similarly to what is done in FT 4-way handshake when FILS is not used). Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-13 18:13:49 +01:00
sm->pmk_r1_name, use_sha384) < 0) {
FILS: Derive FT key hierarchy on supplicant side for FILS+FT Derive PMK-R0 and the relevant key names when using FILS authentication for initial FT mobility domain association. Fill in the FT IEs in (Re)Association Request frame for this. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-05-07 11:00:27 +02:00
wpa_printf(MSG_WARNING, "FILS+FT: Could not derive PMKR1Name");
return -1;
}
FILS+FT: STA mode validation of PMKR1Name in initial MD association Verify that the AP uses matching PMKR1Name in (Re)Association Response frame when going through FT initial mobility domain association using FILS. Thise step was missing from the initial implementation, but is needed to match the IEEE 802.11ai requirements for explicit confirmation of the FT key hierarchy (similarly to what is done in FT 4-way handshake when FILS is not used). Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-13 18:13:49 +01:00
os_memcpy(pos, sm->pmk_r1_name, WPA_PMK_NAME_LEN);
FILS: Derive FT key hierarchy on supplicant side for FILS+FT Derive PMK-R0 and the relevant key names when using FILS authentication for initial FT mobility domain association. Fill in the FT IEs in (Re)Association Request frame for this. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-05-07 11:00:27 +02:00
if (sm->mgmt_group_cipher == WPA_CIPHER_AES_128_CMAC) {
/* Management Group Cipher Suite */
pos = wpabuf_put(buf, RSN_SELECTOR_LEN);
RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_AES_128_CMAC);
}
rsnie->len = ((u8 *) wpabuf_put(buf, 0) - (u8 *) rsnie) - 2;
return 0;
}
#endif /* CONFIG_IEEE80211R */
FILS: Add elements to FILS Association Request frame Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-08 19:58:53 +02:00
struct wpabuf * fils_build_assoc_req(struct wpa_sm *sm, const u8 **kek,
size_t *kek_len, const u8 **snonce,
FILS: Allow FILS HLP requests to be added The new wpa_supplicant control interface commands FILS_HLP_REQ_FLUSH and FILS_HLP_REQ_ADD can now be used to request FILS HLP requests to be added to the (Re)Association Request frame whenever FILS authentication is used. FILS_HLP_REQ_ADD parameters use the following format: <destination MAC address> <hexdump of payload starting from ethertype> Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-01-29 13:07:20 +01:00
const u8 **anonce,
const struct wpabuf **hlp,
unsigned int num_hlp)
FILS: Add elements to FILS Association Request frame Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-08 19:58:53 +02:00
{
struct wpabuf *buf;
FILS: Allow FILS HLP requests to be added The new wpa_supplicant control interface commands FILS_HLP_REQ_FLUSH and FILS_HLP_REQ_ADD can now be used to request FILS HLP requests to be added to the (Re)Association Request frame whenever FILS authentication is used. FILS_HLP_REQ_ADD parameters use the following format: <destination MAC address> <hexdump of payload starting from ethertype> Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-01-29 13:07:20 +01:00
size_t len;
unsigned int i;
FILS: Add elements to FILS Association Request frame Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-08 19:58:53 +02:00
FILS: Allow FILS HLP requests to be added The new wpa_supplicant control interface commands FILS_HLP_REQ_FLUSH and FILS_HLP_REQ_ADD can now be used to request FILS HLP requests to be added to the (Re)Association Request frame whenever FILS authentication is used. FILS_HLP_REQ_ADD parameters use the following format: <destination MAC address> <hexdump of payload starting from ethertype> Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-01-29 13:07:20 +01:00
len = 1000;
FILS: Derive FT key hierarchy on supplicant side for FILS+FT Derive PMK-R0 and the relevant key names when using FILS authentication for initial FT mobility domain association. Fill in the FT IEs in (Re)Association Request frame for this. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-05-07 11:00:27 +02:00
#ifdef CONFIG_IEEE80211R
if (sm->fils_ft_ies)
len += wpabuf_len(sm->fils_ft_ies);
if (wpa_key_mgmt_ft(sm->key_mgmt))
len += 256;
#endif /* CONFIG_IEEE80211R */
FILS: Allow FILS HLP requests to be added The new wpa_supplicant control interface commands FILS_HLP_REQ_FLUSH and FILS_HLP_REQ_ADD can now be used to request FILS HLP requests to be added to the (Re)Association Request frame whenever FILS authentication is used. FILS_HLP_REQ_ADD parameters use the following format: <destination MAC address> <hexdump of payload starting from ethertype> Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-01-29 13:07:20 +01:00
for (i = 0; hlp && i < num_hlp; i++)
len += 10 + wpabuf_len(hlp[i]);
buf = wpabuf_alloc(len);
FILS: Add elements to FILS Association Request frame Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-08 19:58:53 +02:00
if (!buf)
return NULL;
FILS: Derive FT key hierarchy on supplicant side for FILS+FT Derive PMK-R0 and the relevant key names when using FILS authentication for initial FT mobility domain association. Fill in the FT IEs in (Re)Association Request frame for this. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-05-07 11:00:27 +02:00
#ifdef CONFIG_IEEE80211R
if (wpa_key_mgmt_ft(sm->key_mgmt) && sm->fils_ft_ies) {
/* MDE and FTE when using FILS+FT */
wpabuf_put_buf(buf, sm->fils_ft_ies);
/* RSNE with PMKR1Name in PMKID field */
if (fils_ft_build_assoc_req_rsne(sm, buf) < 0) {
wpabuf_free(buf);
return NULL;
}
}
#endif /* CONFIG_IEEE80211R */
FILS: Add elements to FILS Association Request frame Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-08 19:58:53 +02:00
/* FILS Session */
wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
wpabuf_put_u8(buf, 1 + FILS_SESSION_LEN); /* Length */
/* Element ID Extension */
wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_SESSION);
wpabuf_put_data(buf, sm->fils_session, FILS_SESSION_LEN);
/* Everything after FILS Session element gets encrypted in the driver
* with KEK. The buffer returned from here is the plaintext version. */
/* TODO: FILS Public Key */
/* FILS Key Confirm */
wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
wpabuf_put_u8(buf, 1 + sm->fils_key_auth_len); /* Length */
/* Element ID Extension */
wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_KEY_CONFIRM);
wpabuf_put_data(buf, sm->fils_key_auth_sta, sm->fils_key_auth_len);
FILS: Allow FILS HLP requests to be added The new wpa_supplicant control interface commands FILS_HLP_REQ_FLUSH and FILS_HLP_REQ_ADD can now be used to request FILS HLP requests to be added to the (Re)Association Request frame whenever FILS authentication is used. FILS_HLP_REQ_ADD parameters use the following format: <destination MAC address> <hexdump of payload starting from ethertype> Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-01-29 13:07:20 +01:00
/* FILS HLP Container */
for (i = 0; hlp && i < num_hlp; i++) {
const u8 *pos = wpabuf_head(hlp[i]);
size_t left = wpabuf_len(hlp[i]);
wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
if (left <= 254)
len = 1 + left;
else
len = 255;
wpabuf_put_u8(buf, len); /* Length */
/* Element ID Extension */
wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_HLP_CONTAINER);
/* Destination MAC Address, Source MAC Address, HLP Packet.
* HLP Packet is in MSDU format (i.e., included the LLC/SNAP
* header when LPD is used). */
wpabuf_put_data(buf, pos, len - 1);
pos += len - 1;
left -= len - 1;
while (left) {
wpabuf_put_u8(buf, WLAN_EID_FRAGMENT);
len = left > 255 ? 255 : left;
wpabuf_put_u8(buf, len);
wpabuf_put_data(buf, pos, len);
pos += len;
left -= len;
}
}
FILS: Add elements to FILS Association Request frame Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-08 19:58:53 +02:00
/* TODO: FILS IP Address Assignment */
OCV: Include and verify OCI in the FILS handshake Include and verify the OCI element in FILS (Re)Association Request and Response frames. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-08-06 21:46:36 +02:00
#ifdef CONFIG_OCV
if (wpa_sm_ocv_enabled(sm)) {
struct wpa_channel_info ci;
u8 *pos;
if (wpa_sm_channel_info(sm, &ci) != 0) {
wpa_printf(MSG_WARNING,
"FILS: Failed to get channel info for OCI element");
wpabuf_free(buf);
return NULL;
}
OCV: OCI channel override support for testing (STA) Add override parameters to use the specified channel while populating OCI element in EAPOL-Key group msg 2/2, FT reassoc request, FILS assoc request and WNM sleep request frames. Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2020-06-26 10:19:14 +02:00
#ifdef CONFIG_TESTING_OPTIONS
if (sm->oci_freq_override_fils_assoc) {
wpa_printf(MSG_INFO,
"TEST: Override OCI KDE frequency %d -> %d MHz",
ci.frequency,
sm->oci_freq_override_fils_assoc);
ci.frequency = sm->oci_freq_override_fils_assoc;
}
#endif /* CONFIG_TESTING_OPTIONS */
OCV: Include and verify OCI in the FILS handshake Include and verify the OCI element in FILS (Re)Association Request and Response frames. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-08-06 21:46:36 +02:00
pos = wpabuf_put(buf, OCV_OCI_EXTENDED_LEN);
if (ocv_insert_extended_oci(&ci, pos) < 0) {
wpabuf_free(buf);
return NULL;
}
}
#endif /* CONFIG_OCV */
FILS: Add elements to FILS Association Request frame Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-08 19:58:53 +02:00
wpa_hexdump_buf(MSG_DEBUG, "FILS: Association Request plaintext", buf);
*kek = sm->ptk.kek;
*kek_len = sm->ptk.kek_len;
wpa_hexdump_key(MSG_DEBUG, "FILS: KEK for AEAD", *kek, *kek_len);
*snonce = sm->fils_nonce;
wpa_hexdump(MSG_DEBUG, "FILS: SNonce for AEAD AAD",
*snonce, FILS_NONCE_LEN);
*anonce = sm->fils_anonce;
wpa_hexdump(MSG_DEBUG, "FILS: ANonce for AEAD AAD",
*anonce, FILS_NONCE_LEN);
return buf;
}
FILS: Association Response processing (STA) Decrypt the AES-SIV protected elements and verify Key-Auth. Parse and configure keys to the driver. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-09 16:34:13 +02:00
FILS: Parse and report received FILS HLP Containers from response The new FILS-HLP-RX control interface event is now used to report received FILS HLP responses from (Re)Association Response frame as a response to the HLP requests configured with FILS_HLP_REQ_ADD. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-01-31 20:21:24 +01:00
static void fils_process_hlp_resp(struct wpa_sm *sm, const u8 *resp, size_t len)
{
const u8 *pos, *end;
wpa_hexdump(MSG_MSGDUMP, "FILS: HLP response", resp, len);
if (len < 2 * ETH_ALEN)
return;
pos = resp + 2 * ETH_ALEN;
end = resp + len;
if (end - pos >= 6 &&
os_memcmp(pos, "\xaa\xaa\x03\x00\x00\x00", 6) == 0)
pos += 6; /* Remove SNAP/LLC header */
wpa_sm_fils_hlp_rx(sm, resp, resp + ETH_ALEN, pos, end - pos);
}
static void fils_process_hlp_container(struct wpa_sm *sm, const u8 *pos,
size_t len)
{
const u8 *end = pos + len;
u8 *tmp, *tmp_pos;
/* Check if there are any FILS HLP Container elements */
while (end - pos >= 2) {
if (2 + pos[1] > end - pos)
return;
if (pos[0] == WLAN_EID_EXTENSION &&
pos[1] >= 1 + 2 * ETH_ALEN &&
pos[2] == WLAN_EID_EXT_FILS_HLP_CONTAINER)
break;
pos += 2 + pos[1];
}
if (end - pos < 2)
return; /* No FILS HLP Container elements */
tmp = os_malloc(end - pos);
if (!tmp)
return;
while (end - pos >= 2) {
if (2 + pos[1] > end - pos ||
pos[0] != WLAN_EID_EXTENSION ||
pos[1] < 1 + 2 * ETH_ALEN ||
pos[2] != WLAN_EID_EXT_FILS_HLP_CONTAINER)
break;
tmp_pos = tmp;
os_memcpy(tmp_pos, pos + 3, pos[1] - 1);
tmp_pos += pos[1] - 1;
pos += 2 + pos[1];
/* Add possible fragments */
while (end - pos >= 2 && pos[0] == WLAN_EID_FRAGMENT &&
2 + pos[1] <= end - pos) {
os_memcpy(tmp_pos, pos + 2, pos[1]);
tmp_pos += pos[1];
pos += 2 + pos[1];
}
fils_process_hlp_resp(sm, tmp, tmp_pos - tmp);
}
os_free(tmp);
}
FILS: Association Response processing (STA) Decrypt the AES-SIV protected elements and verify Key-Auth. Parse and configure keys to the driver. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-09 16:34:13 +02:00
int fils_process_assoc_resp(struct wpa_sm *sm, const u8 *resp, size_t len)
{
const struct ieee80211_mgmt *mgmt;
const u8 *end, *ie_start;
struct ieee802_11_elems elems;
int keylen, rsclen;
enum wpa_alg alg;
struct wpa_gtk_data gd;
int maxkeylen;
struct wpa_eapol_ie_parse kde;
if (!sm || !sm->ptk_set) {
wpa_printf(MSG_DEBUG, "FILS: No KEK available");
return -1;
}
if (!wpa_key_mgmt_fils(sm->key_mgmt)) {
wpa_printf(MSG_DEBUG, "FILS: Not a FILS AKM");
return -1;
}
FILS: Do not allow multiple (Re)Association Response frames The driver is expected to not report a second association event without the station having explicitly request a new association. As such, this case should not be reachable. However, since reconfiguring the same pairwise or group keys to the driver could result in nonce reuse issues, be extra careful here and do an additional state check to avoid this even if the local driver ends up somehow accepting an unexpected (Re)Association Response frame. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-09-22 10:52:55 +02:00
if (sm->fils_completed) {
wpa_printf(MSG_DEBUG,
"FILS: Association has already been completed for this FILS authentication - ignore unexpected retransmission");
return -1;
}
FILS: Association Response processing (STA) Decrypt the AES-SIV protected elements and verify Key-Auth. Parse and configure keys to the driver. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-09 16:34:13 +02:00
wpa_hexdump(MSG_DEBUG, "FILS: (Re)Association Response frame",
resp, len);
mgmt = (const struct ieee80211_mgmt *) resp;
if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.assoc_resp))
return -1;
end = resp + len;
/* Same offset for Association Response and Reassociation Response */
ie_start = mgmt->u.assoc_resp.variable;
if (ieee802_11_parse_elems(ie_start, end - ie_start, &elems, 1) ==
ParseFailed) {
wpa_printf(MSG_DEBUG,
"FILS: Failed to parse decrypted elements");
goto fail;
}
if (!elems.fils_session) {
wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
return -1;
}
if (os_memcmp(elems.fils_session, sm->fils_session,
FILS_SESSION_LEN) != 0) {
wpa_printf(MSG_DEBUG, "FILS: FILS Session mismatch");
wpa_hexdump(MSG_DEBUG, "FILS: Received FILS Session",
elems.fils_session, FILS_SESSION_LEN);
wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session",
sm->fils_session, FILS_SESSION_LEN);
}
FILS: Verify RSNE match between Beacon/Probe Response and (Re)AssocResp IEEE Std 802.11ai-2016 requires the FILS STA to do this check, but this was missing from the initial implementation. The AP side behavior was not described properly in 802.11ai due to a missing change in the (Re)Association Response frame format tables which has resulted in some deployed devices not including the RSNE. For now, use an interoperability workaround to ignore the missing RSNE and only check the payload of the element if it is present in the protected frame. In other words, enforce this validation step only with an AP that implements FILS authentication as described in REVmd while allowing older implementations to skip this check (and the protection against downgrade attacks). This workaround may be removed in the future if it is determined that most deployed APs can be upgraded to add RSNE into the (Re)Association Response frames. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-05-22 16:42:53 +02:00
if (!elems.rsn_ie) {
wpa_printf(MSG_DEBUG,
"FILS: No RSNE in (Re)Association Response");
/* As an interop workaround, allow this for now since IEEE Std
* 802.11ai-2016 did not include all the needed changes to make
* a FILS AP include RSNE in the frame. This workaround might
* eventually be removed and replaced with rejection (goto fail)
* to follow a strict interpretation of the standard. */
} else if (wpa_compare_rsn_ie(wpa_key_mgmt_ft(sm->key_mgmt),
sm->ap_rsn_ie, sm->ap_rsn_ie_len,
elems.rsn_ie - 2, elems.rsn_ie_len + 2)) {
wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
"FILS: RSNE mismatch between Beacon/Probe Response and (Re)Association Response");
wpa_hexdump(MSG_DEBUG, "FILS: RSNE in Beacon/Probe Response",
sm->ap_rsn_ie, sm->ap_rsn_ie_len);
wpa_hexdump(MSG_DEBUG, "FILS: RSNE in (Re)Association Response",
elems.rsn_ie, elems.rsn_ie_len);
goto fail;
}
FILS: Association Response processing (STA) Decrypt the AES-SIV protected elements and verify Key-Auth. Parse and configure keys to the driver. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-09 16:34:13 +02:00
/* TODO: FILS Public Key */
if (!elems.fils_key_confirm) {
wpa_printf(MSG_DEBUG, "FILS: No FILS Key Confirm element");
goto fail;
}
if (elems.fils_key_confirm_len != sm->fils_key_auth_len) {
wpa_printf(MSG_DEBUG,
"FILS: Unexpected Key-Auth length %d (expected %d)",
elems.fils_key_confirm_len,
(int) sm->fils_key_auth_len);
goto fail;
}
if (os_memcmp(elems.fils_key_confirm, sm->fils_key_auth_ap,
sm->fils_key_auth_len) != 0) {
wpa_printf(MSG_DEBUG, "FILS: Key-Auth mismatch");
wpa_hexdump(MSG_DEBUG, "FILS: Received Key-Auth",
elems.fils_key_confirm,
elems.fils_key_confirm_len);
wpa_hexdump(MSG_DEBUG, "FILS: Expected Key-Auth",
sm->fils_key_auth_ap, sm->fils_key_auth_len);
goto fail;
}
OCV: Include and verify OCI in the FILS handshake Include and verify the OCI element in FILS (Re)Association Request and Response frames. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-08-06 21:46:36 +02:00
#ifdef CONFIG_OCV
if (wpa_sm_ocv_enabled(sm)) {
struct wpa_channel_info ci;
if (wpa_sm_channel_info(sm, &ci) != 0) {
wpa_printf(MSG_WARNING,
"Failed to get channel info to validate received OCI in FILS (Re)Association Response frame");
goto fail;
}
if (ocv_verify_tx_params(elems.oci, elems.oci_len, &ci,
channel_width_to_int(ci.chanwidth),
OCV: Use more granular error codes for OCI validation failures Enhance the return values of ocv_verify_tx_params with enum to indicate different OCI verification failures to caller. Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2020-09-02 20:55:28 +02:00
ci.seg1_idx) != OCI_SUCCESS) {
OCV: Report OCI validation failures with OCV-FAILURE messages (STA) Convert the previously used text log entries to use the more formal OCV-FAILURE prefix and always send these as control interface events to allow upper layers to get information about unexpected operating channel mismatches. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-29 23:24:15 +02:00
wpa_msg(sm->ctx->msg_ctx, MSG_INFO, OCV_FAILURE
"addr=" MACSTR " frame=fils-assoc error=%s",
MAC2STR(sm->bssid), ocv_errorstr);
OCV: Include and verify OCI in the FILS handshake Include and verify the OCI element in FILS (Re)Association Request and Response frames. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-08-06 21:46:36 +02:00
goto fail;
}
}
#endif /* CONFIG_OCV */
FILS+FT: STA mode validation of PMKR1Name in initial MD association Verify that the AP uses matching PMKR1Name in (Re)Association Response frame when going through FT initial mobility domain association using FILS. Thise step was missing from the initial implementation, but is needed to match the IEEE 802.11ai requirements for explicit confirmation of the FT key hierarchy (similarly to what is done in FT 4-way handshake when FILS is not used). Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-13 18:13:49 +01:00
#ifdef CONFIG_IEEE80211R
if (wpa_key_mgmt_ft(sm->key_mgmt) && sm->fils_ft_ies) {
struct wpa_ie_data rsn;
/* Check that PMKR1Name derived by the AP matches */
if (!elems.rsn_ie ||
wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
&rsn) < 0 ||
!rsn.pmkid || rsn.num_pmkid != 1 ||
os_memcmp(rsn.pmkid, sm->pmk_r1_name,
WPA_PMK_NAME_LEN) != 0) {
wpa_printf(MSG_DEBUG,
"FILS+FT: No RSNE[PMKR1Name] match in AssocResp");
goto fail;
}
}
#endif /* CONFIG_IEEE80211R */
FILS: Association Response processing (STA) Decrypt the AES-SIV protected elements and verify Key-Auth. Parse and configure keys to the driver. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-09 16:34:13 +02:00
/* Key Delivery */
if (!elems.key_delivery) {
wpa_printf(MSG_DEBUG, "FILS: No Key Delivery element");
goto fail;
}
/* Parse GTK and set the key to the driver */
os_memset(&gd, 0, sizeof(gd));
if (wpa_supplicant_parse_ies(elems.key_delivery + WPA_KEY_RSC_LEN,
elems.key_delivery_len - WPA_KEY_RSC_LEN,
&kde) < 0) {
wpa_printf(MSG_DEBUG, "FILS: Failed to parse KDEs");
goto fail;
}
if (!kde.gtk) {
wpa_printf(MSG_DEBUG, "FILS: No GTK KDE");
goto fail;
}
maxkeylen = gd.gtk_len = kde.gtk_len - 2;
if (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
gd.gtk_len, maxkeylen,
&gd.key_rsc_len, &gd.alg))
goto fail;
wpa_hexdump_key(MSG_DEBUG, "FILS: Received GTK", kde.gtk, kde.gtk_len);
gd.keyidx = kde.gtk[0] & 0x3;
gd.tx = wpa_supplicant_gtk_tx_bit_workaround(sm,
!!(kde.gtk[0] & BIT(2)));
if (kde.gtk_len - 2 > sizeof(gd.gtk)) {
wpa_printf(MSG_DEBUG, "FILS: Too long GTK in GTK KDE (len=%lu)",
(unsigned long) kde.gtk_len - 2);
goto fail;
}
os_memcpy(gd.gtk, kde.gtk + 2, kde.gtk_len - 2);
wpa_printf(MSG_DEBUG, "FILS: Set GTK to driver");
Extend protection of GTK/IGTK reinstallation of WNM-Sleep Mode cases This extends the protection to track last configured GTK/IGTK value separately from EAPOL-Key frames and WNM-Sleep Mode frames to cover a corner case where these two different mechanisms may get used when the GTK/IGTK has changed and tracking a single value is not sufficient to detect a possible key reconfiguration. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-10-01 11:12:24 +02:00
if (wpa_supplicant_install_gtk(sm, &gd, elems.key_delivery, 0) < 0) {
FILS: Association Response processing (STA) Decrypt the AES-SIV protected elements and verify Key-Auth. Parse and configure keys to the driver. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-09 16:34:13 +02:00
wpa_printf(MSG_DEBUG, "FILS: Failed to set GTK");
goto fail;
}
if (ieee80211w_set_keys(sm, &kde) < 0) {
wpa_printf(MSG_DEBUG, "FILS: Failed to set IGTK");
goto fail;
}
alg = wpa_cipher_to_alg(sm->pairwise_cipher);
keylen = wpa_cipher_key_len(sm->pairwise_cipher);
Additional consistentcy checks for PTK component lengths Verify that TK, KCK, and KEK lengths are set to consistent values within struct wpa_ptk before using them in supplicant. This is an additional layer of protection against unexpected states. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-10-16 23:01:11 +02:00
if (keylen <= 0 || (unsigned int) keylen != sm->ptk.tk_len) {
wpa_printf(MSG_DEBUG, "FILS: TK length mismatch: %u != %lu",
keylen, (long unsigned int) sm->ptk.tk_len);
goto fail;
}
STA: Support Extended Key ID Support Extended Key ID in wpa_supplicant according to IEEE Std 802.11-2016 for infrastructure (AP) associations. Extended Key ID allows to rekey pairwise keys without the otherwise unavoidable MPDU losses on a busy link. The standard is fully backward compatible, allowing STAs to also connect to APs not supporting it. Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-20 20:04:32 +01:00
FILS: Association Response processing (STA) Decrypt the AES-SIV protected elements and verify Key-Auth. Parse and configure keys to the driver. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-09 16:34:13 +02:00
rsclen = wpa_cipher_rsc_len(sm->pairwise_cipher);
wpa_hexdump_key(MSG_DEBUG, "FILS: Set TK to driver",
sm->ptk.tk, keylen);
if (wpa_sm_set_key(sm, alg, sm->bssid, 0, 1, null_rsc, rsclen,
Introduce and add key_flag Add the new set_key() parameter "key_flag" to provide more specific description of what type of a key is being configured. This is needed to be able to add support for "Extended Key ID for Individually Addressed Frames" from IEEE Std 802.11-2016. In addition, this may be used to replace the set_tx boolean eventually once all the driver wrappers have moved to using the new key_flag. The following flag are defined: KEY_FLAG_MODIFY Set when an already installed key must be updated. So far the only use-case is changing RX/TX status of installed keys. Must not be set when deleting a key. KEY_FLAG_DEFAULT Set when the key is also a default key. Must not be set when deleting a key. (This is the replacement for set_tx.) KEY_FLAG_RX The key is valid for RX. Must not be set when deleting a key. KEY_FLAG_TX The key is valid for TX. Must not be set when deleting a key. KEY_FLAG_GROUP The key is a broadcast or group key. KEY_FLAG_PAIRWISE The key is a pairwise key. KEY_FLAG_PMK The key is a Pairwise Master Key (PMK). Predefined and needed flag combinations so far are: KEY_FLAG_GROUP_RX_TX WEP key not used as default key (yet). KEY_FLAG_GROUP_RX_TX_DEFAULT Default WEP or WPA-NONE key. KEY_FLAG_GROUP_RX GTK key valid for RX only. KEY_FLAG_GROUP_TX_DEFAULT GTK key valid for TX only, immediately taking over TX. KEY_FLAG_PAIRWISE_RX_TX Pairwise key immediately becoming the active pairwise key. KEY_FLAG_PAIRWISE_RX Pairwise key not yet valid for TX. (Only usable with Extended Key ID support.) KEY_FLAG_PAIRWISE_RX_TX_MODIFY Enable TX for a pairwise key installed with KEY_FLAG_PAIRWISE_RX. KEY_FLAG_RX_TX Not a valid standalone key type and can only used in combination with other flags to mark a key for RX/TX. This commit is not changing any functionality. It just adds the new key_flag to all hostapd/wpa_supplicant set_key() functions without using it, yet. Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-01-04 23:10:04 +01:00
sm->ptk.tk, keylen, KEY_FLAG_PAIRWISE_RX_TX) < 0) {
FILS: Association Response processing (STA) Decrypt the AES-SIV protected elements and verify Key-Auth. Parse and configure keys to the driver. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-09 16:34:13 +02:00
wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
"FILS: Failed to set PTK to the driver (alg=%d keylen=%d bssid="
MACSTR ")",
alg, keylen, MAC2STR(sm->bssid));
goto fail;
}
WPA: Add PTKSA cache to wpa_supplicant for PASN PASN requires to store the PTK derived during PASN authentication so it can later be used for secure LTF etc. This is also true for a PTK derived during regular connection. Add an instance of a PTKSA cache for each wpa_supplicant interface when PASN is enabled in build configuration. Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2020-12-16 12:00:27 +01:00
wpa_sm_store_ptk(sm, sm->bssid, sm->pairwise_cipher,
sm->dot11RSNAConfigPMKLifetime, &sm->ptk);
FILS: Association Response processing (STA) Decrypt the AES-SIV protected elements and verify Key-Auth. Parse and configure keys to the driver. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-09 16:34:13 +02:00
/* TODO: TK could be cleared after auth frame exchange now that driver
* takes care of association frame encryption/decryption. */
/* TK is not needed anymore in supplicant */
os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
Additional consistentcy checks for PTK component lengths Verify that TK, KCK, and KEK lengths are set to consistent values within struct wpa_ptk before using them in supplicant. This is an additional layer of protection against unexpected states. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-10-16 23:01:11 +02:00
sm->ptk.tk_len = 0;
Prevent installation of an all-zero TK Properly track whether a PTK has already been installed to the driver and the TK part cleared from memory. This prevents an attacker from trying to trick the client into installing an all-zero TK. This fixes the earlier fix in commit ad00d64e7d8827b3cebd665a0ceb08adabf15e1e ('Fix TK configuration to the driver in EAPOL-Key 3/4 retry case') which did not take into account possibility of an extra message 1/4 showing up between retries of message 3/4. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2017-09-29 04:22:51 +02:00
sm->ptk.installed = 1;
FILS: Association Response processing (STA) Decrypt the AES-SIV protected elements and verify Key-Auth. Parse and configure keys to the driver. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-09 16:34:13 +02:00
FILS: Parse and report received FILS HLP Containers from response The new FILS-HLP-RX control interface event is now used to report received FILS HLP responses from (Re)Association Response frame as a response to the HLP requests configured with FILS_HLP_REQ_ADD. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-01-31 20:21:24 +01:00
/* FILS HLP Container */
fils_process_hlp_container(sm, ie_start, end - ie_start);
FILS: Association Response processing (STA) Decrypt the AES-SIV protected elements and verify Key-Auth. Parse and configure keys to the driver. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-09 16:34:13 +02:00
/* TODO: FILS IP Address Assignment */
wpa_printf(MSG_DEBUG, "FILS: Auth+Assoc completed successfully");
sm->fils_completed = 1;
More forceful clearing of stack memory with keys gcc 8.3.0 was apparently clever enough to optimize away the previously used os_memset() to explicitly clear a stack buffer that contains keys when that clearing happened just before returning from the function. Since memset_s() is not exactly portable (or commonly available yet..), use a less robust mechanism that is still pretty likely to prevent current compilers from optimizing the explicit clearing of the memory away. Signed-off-by: Jouni Malinen <j@w1.fi>
2019-05-25 23:47:17 +02:00
forced_memzero(&gd, sizeof(gd));
FILS: Association Response processing (STA) Decrypt the AES-SIV protected elements and verify Key-Auth. Parse and configure keys to the driver. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-09 16:34:13 +02:00
Process Transition Disable KDE in station mode Check whether the Transition Disable KDE is received from an authenticated AP and if so, whether it contains valid indication for disabling a transition mode. If that is the case, update the local network profile by removing the less secure options. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-25 23:10:16 +01:00
if (kde.transition_disable)
wpa_sm_transition_disable(sm, kde.transition_disable[0]);
FILS: Association Response processing (STA) Decrypt the AES-SIV protected elements and verify Key-Auth. Parse and configure keys to the driver. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-09 16:34:13 +02:00
return 0;
fail:
More forceful clearing of stack memory with keys gcc 8.3.0 was apparently clever enough to optimize away the previously used os_memset() to explicitly clear a stack buffer that contains keys when that clearing happened just before returning from the function. Since memset_s() is not exactly portable (or commonly available yet..), use a less robust mechanism that is still pretty likely to prevent current compilers from optimizing the explicit clearing of the memory away. Signed-off-by: Jouni Malinen <j@w1.fi>
2019-05-25 23:47:17 +02:00
forced_memzero(&gd, sizeof(gd));
FILS: Association Response processing (STA) Decrypt the AES-SIV protected elements and verify Key-Auth. Parse and configure keys to the driver. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-09 16:34:13 +02:00
return -1;
}
FILS: Track completion with FILS shared key authentication offload Update the internal fils_completed state when offloading FILS shared key authentication to the driver. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-03-22 11:40:05 +01:00
void wpa_sm_set_reset_fils_completed(struct wpa_sm *sm, int set)
{
if (sm)
sm->fils_completed = !!set;
}
FILS: Association Response processing (STA) Decrypt the AES-SIV protected elements and verify Key-Auth. Parse and configure keys to the driver. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-09 16:34:13 +02:00
#endif /* CONFIG_FILS */
int wpa_fils_is_completed(struct wpa_sm *sm)
{
#ifdef CONFIG_FILS
return sm && sm->fils_completed;
#else /* CONFIG_FILS */
return 0;
FILS: Try to use FILS authentication if PMKSA or ERP entry is available If a PMKSA cache entry for the target AP is available, try to use FILS with PMKSA caching. If an ERP key for the target AP is available, try to use FILS with EAP-Initiate/Re-auth added as Wrapper Data element. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-04 14:32:07 +02:00
#endif /* CONFIG_FILS */
FILS: Association Response processing (STA) Decrypt the AES-SIV protected elements and verify Key-Auth. Parse and configure keys to the driver. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-09 16:34:13 +02:00
}
OWE: Process Diffie-Hellman Parameter element in STA mode This adds STA side addition of OWE Diffie-Hellman Parameter element into (Re)Association Request frame and processing it in (Re)Association Response frame. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 10:53:21 +01:00
#ifdef CONFIG_OWE
OWE: Support DH groups 20 (NIST P-384) and 21 (NIST P-521) in station This extends OWE support in wpa_supplicant to allow DH groups 20 and 21 to be used in addition to the mandatory group 19 (NIST P-256). The group is configured using the new network profile parameter owe_group. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-08 15:39:08 +02:00
struct wpabuf * owe_build_assoc_req(struct wpa_sm *sm, u16 group)
OWE: Process Diffie-Hellman Parameter element in STA mode This adds STA side addition of OWE Diffie-Hellman Parameter element into (Re)Association Request frame and processing it in (Re)Association Response frame. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 10:53:21 +01:00
{
struct wpabuf *ie = NULL, *pub = NULL;
OWE: Support DH groups 20 (NIST P-384) and 21 (NIST P-521) in station This extends OWE support in wpa_supplicant to allow DH groups 20 and 21 to be used in addition to the mandatory group 19 (NIST P-256). The group is configured using the new network profile parameter owe_group. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-08 15:39:08 +02:00
size_t prime_len;
if (group == 19)
prime_len = 32;
else if (group == 20)
prime_len = 48;
else if (group == 21)
prime_len = 66;
else
return NULL;
OWE: Process Diffie-Hellman Parameter element in STA mode This adds STA side addition of OWE Diffie-Hellman Parameter element into (Re)Association Request frame and processing it in (Re)Association Response frame. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 10:53:21 +01:00
crypto_ecdh_deinit(sm->owe_ecdh);
OWE: Support DH groups 20 (NIST P-384) and 21 (NIST P-521) in station This extends OWE support in wpa_supplicant to allow DH groups 20 and 21 to be used in addition to the mandatory group 19 (NIST P-256). The group is configured using the new network profile parameter owe_group. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-08 15:39:08 +02:00
sm->owe_ecdh = crypto_ecdh_init(group);
OWE: Process Diffie-Hellman Parameter element in STA mode This adds STA side addition of OWE Diffie-Hellman Parameter element into (Re)Association Request frame and processing it in (Re)Association Response frame. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 10:53:21 +01:00
if (!sm->owe_ecdh)
goto fail;
OWE: Support DH groups 20 (NIST P-384) and 21 (NIST P-521) in station This extends OWE support in wpa_supplicant to allow DH groups 20 and 21 to be used in addition to the mandatory group 19 (NIST P-256). The group is configured using the new network profile parameter owe_group. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-08 15:39:08 +02:00
sm->owe_group = group;
OWE: Process Diffie-Hellman Parameter element in STA mode This adds STA side addition of OWE Diffie-Hellman Parameter element into (Re)Association Request frame and processing it in (Re)Association Response frame. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 10:53:21 +01:00
pub = crypto_ecdh_get_pubkey(sm->owe_ecdh, 0);
OWE: Support DH groups 20 (NIST P-384) and 21 (NIST P-521) in station This extends OWE support in wpa_supplicant to allow DH groups 20 and 21 to be used in addition to the mandatory group 19 (NIST P-256). The group is configured using the new network profile parameter owe_group. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-08 15:39:08 +02:00
pub = wpabuf_zeropad(pub, prime_len);
OWE: Process Diffie-Hellman Parameter element in STA mode This adds STA side addition of OWE Diffie-Hellman Parameter element into (Re)Association Request frame and processing it in (Re)Association Response frame. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 10:53:21 +01:00
if (!pub)
goto fail;
ie = wpabuf_alloc(5 + wpabuf_len(pub));
if (!ie)
goto fail;
wpabuf_put_u8(ie, WLAN_EID_EXTENSION);
wpabuf_put_u8(ie, 1 + 2 + wpabuf_len(pub));
wpabuf_put_u8(ie, WLAN_EID_EXT_OWE_DH_PARAM);
OWE: Support DH groups 20 (NIST P-384) and 21 (NIST P-521) in station This extends OWE support in wpa_supplicant to allow DH groups 20 and 21 to be used in addition to the mandatory group 19 (NIST P-256). The group is configured using the new network profile parameter owe_group. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-08 15:39:08 +02:00
wpabuf_put_le16(ie, group);
OWE: Process Diffie-Hellman Parameter element in STA mode This adds STA side addition of OWE Diffie-Hellman Parameter element into (Re)Association Request frame and processing it in (Re)Association Response frame. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 10:53:21 +01:00
wpabuf_put_buf(ie, pub);
wpabuf_free(pub);
wpa_hexdump_buf(MSG_DEBUG, "OWE: Diffie-Hellman Parameter element",
ie);
return ie;
fail:
wpabuf_free(pub);
crypto_ecdh_deinit(sm->owe_ecdh);
sm->owe_ecdh = NULL;
return NULL;
}
OWE: PMKSA caching in station mode This extends OWE support in wpa_supplicant to allow PMKSA caching to be used. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-09 11:08:57 +02:00
int owe_process_assoc_resp(struct wpa_sm *sm, const u8 *bssid,
const u8 *resp_ies, size_t resp_ies_len)
OWE: Process Diffie-Hellman Parameter element in STA mode This adds STA side addition of OWE Diffie-Hellman Parameter element into (Re)Association Request frame and processing it in (Re)Association Response frame. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 10:53:21 +01:00
{
struct ieee802_11_elems elems;
u16 group;
struct wpabuf *secret, *pub, *hkey;
int res;
OWE: Support DH groups 20 (NIST P-384) and 21 (NIST P-521) in station This extends OWE support in wpa_supplicant to allow DH groups 20 and 21 to be used in addition to the mandatory group 19 (NIST P-256). The group is configured using the new network profile parameter owe_group. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-08 15:39:08 +02:00
u8 prk[SHA512_MAC_LEN], pmkid[SHA512_MAC_LEN];
OWE: Process Diffie-Hellman Parameter element in STA mode This adds STA side addition of OWE Diffie-Hellman Parameter element into (Re)Association Request frame and processing it in (Re)Association Response frame. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 10:53:21 +01:00
const char *info = "OWE Key Generation";
const u8 *addr[2];
size_t len[2];
OWE: Support DH groups 20 (NIST P-384) and 21 (NIST P-521) in station This extends OWE support in wpa_supplicant to allow DH groups 20 and 21 to be used in addition to the mandatory group 19 (NIST P-256). The group is configured using the new network profile parameter owe_group. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-08 15:39:08 +02:00
size_t hash_len, prime_len;
OWE: PMKSA caching in station mode This extends OWE support in wpa_supplicant to allow PMKSA caching to be used. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-09 11:08:57 +02:00
struct wpa_ie_data data;
OWE: Process Diffie-Hellman Parameter element in STA mode This adds STA side addition of OWE Diffie-Hellman Parameter element into (Re)Association Request frame and processing it in (Re)Association Response frame. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 10:53:21 +01:00
if (!resp_ies ||
ieee802_11_parse_elems(resp_ies, resp_ies_len, &elems, 1) ==
OWE: PMKSA caching in station mode This extends OWE support in wpa_supplicant to allow PMKSA caching to be used. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-09 11:08:57 +02:00
ParseFailed) {
wpa_printf(MSG_INFO,
"OWE: Could not parse Association Response frame elements");
return -1;
}
if (sm->cur_pmksa && elems.rsn_ie &&
wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, 2 + elems.rsn_ie_len,
&data) == 0 &&
data.num_pmkid == 1 && data.pmkid &&
os_memcmp(sm->cur_pmksa->pmkid, data.pmkid, PMKID_LEN) == 0) {
wpa_printf(MSG_DEBUG, "OWE: Use PMKSA caching");
wpa_sm_set_pmk_from_pmksa(sm);
return 0;
}
if (!elems.owe_dh) {
OWE: Process Diffie-Hellman Parameter element in STA mode This adds STA side addition of OWE Diffie-Hellman Parameter element into (Re)Association Request frame and processing it in (Re)Association Response frame. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 10:53:21 +01:00
wpa_printf(MSG_INFO,
"OWE: No Diffie-Hellman Parameter element found in Association Response frame");
return -1;
}
group = WPA_GET_LE16(elems.owe_dh);
OWE: Support DH groups 20 (NIST P-384) and 21 (NIST P-521) in station This extends OWE support in wpa_supplicant to allow DH groups 20 and 21 to be used in addition to the mandatory group 19 (NIST P-256). The group is configured using the new network profile parameter owe_group. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-08 15:39:08 +02:00
if (group != sm->owe_group) {
OWE: Process Diffie-Hellman Parameter element in STA mode This adds STA side addition of OWE Diffie-Hellman Parameter element into (Re)Association Request frame and processing it in (Re)Association Response frame. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 10:53:21 +01:00
wpa_printf(MSG_INFO,
"OWE: Unexpected Diffie-Hellman group in response: %u",
group);
return -1;
}
if (!sm->owe_ecdh) {
wpa_printf(MSG_INFO, "OWE: No ECDH state available");
return -1;
}
OWE: Support DH groups 20 (NIST P-384) and 21 (NIST P-521) in station This extends OWE support in wpa_supplicant to allow DH groups 20 and 21 to be used in addition to the mandatory group 19 (NIST P-256). The group is configured using the new network profile parameter owe_group. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-08 15:39:08 +02:00
if (group == 19)
prime_len = 32;
else if (group == 20)
prime_len = 48;
else if (group == 21)
prime_len = 66;
else
return -1;
OWE: Process Diffie-Hellman Parameter element in STA mode This adds STA side addition of OWE Diffie-Hellman Parameter element into (Re)Association Request frame and processing it in (Re)Association Response frame. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 10:53:21 +01:00
secret = crypto_ecdh_set_peerkey(sm->owe_ecdh, 0,
elems.owe_dh + 2,
elems.owe_dh_len - 2);
OWE: Support DH groups 20 (NIST P-384) and 21 (NIST P-521) in station This extends OWE support in wpa_supplicant to allow DH groups 20 and 21 to be used in addition to the mandatory group 19 (NIST P-256). The group is configured using the new network profile parameter owe_group. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-08 15:39:08 +02:00
secret = wpabuf_zeropad(secret, prime_len);
OWE: Process Diffie-Hellman Parameter element in STA mode This adds STA side addition of OWE Diffie-Hellman Parameter element into (Re)Association Request frame and processing it in (Re)Association Response frame. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 10:53:21 +01:00
if (!secret) {
wpa_printf(MSG_DEBUG, "OWE: Invalid peer DH public key");
return -1;
}
wpa_hexdump_buf_key(MSG_DEBUG, "OWE: DH shared secret", secret);
/* prk = HKDF-extract(C | A | group, z) */
pub = crypto_ecdh_get_pubkey(sm->owe_ecdh, 0);
if (!pub) {
wpabuf_clear_free(secret);
return -1;
}
/* PMKID = Truncate-128(Hash(C | A)) */
addr[0] = wpabuf_head(pub);
len[0] = wpabuf_len(pub);
addr[1] = elems.owe_dh + 2;
len[1] = elems.owe_dh_len - 2;
OWE: Support DH groups 20 (NIST P-384) and 21 (NIST P-521) in station This extends OWE support in wpa_supplicant to allow DH groups 20 and 21 to be used in addition to the mandatory group 19 (NIST P-256). The group is configured using the new network profile parameter owe_group. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-08 15:39:08 +02:00
if (group == 19) {
res = sha256_vector(2, addr, len, pmkid);
hash_len = SHA256_MAC_LEN;
} else if (group == 20) {
res = sha384_vector(2, addr, len, pmkid);
hash_len = SHA384_MAC_LEN;
} else if (group == 21) {
res = sha512_vector(2, addr, len, pmkid);
hash_len = SHA512_MAC_LEN;
} else {
res = -1;
hash_len = 0;
}
pub = wpabuf_zeropad(pub, prime_len);
if (res < 0 || !pub) {
OWE: Process Diffie-Hellman Parameter element in STA mode This adds STA side addition of OWE Diffie-Hellman Parameter element into (Re)Association Request frame and processing it in (Re)Association Response frame. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 10:53:21 +01:00
wpabuf_free(pub);
wpabuf_clear_free(secret);
return -1;
}
hkey = wpabuf_alloc(wpabuf_len(pub) + elems.owe_dh_len - 2 + 2);
if (!hkey) {
wpabuf_free(pub);
wpabuf_clear_free(secret);
return -1;
}
wpabuf_put_buf(hkey, pub); /* C */
wpabuf_free(pub);
wpabuf_put_data(hkey, elems.owe_dh + 2, elems.owe_dh_len - 2); /* A */
OWE: Support DH groups 20 (NIST P-384) and 21 (NIST P-521) in station This extends OWE support in wpa_supplicant to allow DH groups 20 and 21 to be used in addition to the mandatory group 19 (NIST P-256). The group is configured using the new network profile parameter owe_group. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-08 15:39:08 +02:00
wpabuf_put_le16(hkey, sm->owe_group); /* group */
if (group == 19)
res = hmac_sha256(wpabuf_head(hkey), wpabuf_len(hkey),
wpabuf_head(secret), wpabuf_len(secret), prk);
else if (group == 20)
res = hmac_sha384(wpabuf_head(hkey), wpabuf_len(hkey),
wpabuf_head(secret), wpabuf_len(secret), prk);
else if (group == 21)
res = hmac_sha512(wpabuf_head(hkey), wpabuf_len(hkey),
wpabuf_head(secret), wpabuf_len(secret), prk);
OWE: Process Diffie-Hellman Parameter element in STA mode This adds STA side addition of OWE Diffie-Hellman Parameter element into (Re)Association Request frame and processing it in (Re)Association Response frame. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 10:53:21 +01:00
wpabuf_clear_free(hkey);
wpabuf_clear_free(secret);
if (res < 0)
return -1;
OWE: Support DH groups 20 (NIST P-384) and 21 (NIST P-521) in station This extends OWE support in wpa_supplicant to allow DH groups 20 and 21 to be used in addition to the mandatory group 19 (NIST P-256). The group is configured using the new network profile parameter owe_group. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-08 15:39:08 +02:00
wpa_hexdump_key(MSG_DEBUG, "OWE: prk", prk, hash_len);
OWE: Process Diffie-Hellman Parameter element in STA mode This adds STA side addition of OWE Diffie-Hellman Parameter element into (Re)Association Request frame and processing it in (Re)Association Response frame. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 10:53:21 +01:00
/* PMK = HKDF-expand(prk, "OWE Key Generation", n) */
OWE: Support DH groups 20 (NIST P-384) and 21 (NIST P-521) in station This extends OWE support in wpa_supplicant to allow DH groups 20 and 21 to be used in addition to the mandatory group 19 (NIST P-256). The group is configured using the new network profile parameter owe_group. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-08 15:39:08 +02:00
if (group == 19)
res = hmac_sha256_kdf(prk, hash_len, NULL, (const u8 *) info,
os_strlen(info), sm->pmk, hash_len);
else if (group == 20)
res = hmac_sha384_kdf(prk, hash_len, NULL, (const u8 *) info,
os_strlen(info), sm->pmk, hash_len);
else if (group == 21)
res = hmac_sha512_kdf(prk, hash_len, NULL, (const u8 *) info,
os_strlen(info), sm->pmk, hash_len);
More forceful clearing of stack memory with keys gcc 8.3.0 was apparently clever enough to optimize away the previously used os_memset() to explicitly clear a stack buffer that contains keys when that clearing happened just before returning from the function. Since memset_s() is not exactly portable (or commonly available yet..), use a less robust mechanism that is still pretty likely to prevent current compilers from optimizing the explicit clearing of the memory away. Signed-off-by: Jouni Malinen <j@w1.fi>
2019-05-25 23:47:17 +02:00
forced_memzero(prk, SHA512_MAC_LEN);
Clear pmk_len more consistently for extra protection This gives more protection against unexpected behavior if RSN supplicant code ends up trying to use sm->pmk[] with a stale value. Couple of the code paths did not clear sm->pmk_len explicitly in cases where the old PMK is being removed, so cover those cases as well to make sure these will result in PMK-to-PTK derivation failures rather than use of incorrect PMK value if such a code path could be reached somehow. Signed-off-by: Jouni Malinen <j@w1.fi>
2018-04-08 18:42:52 +02:00
if (res < 0) {
sm->pmk_len = 0;
OWE: Process Diffie-Hellman Parameter element in STA mode This adds STA side addition of OWE Diffie-Hellman Parameter element into (Re)Association Request frame and processing it in (Re)Association Response frame. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 10:53:21 +01:00
return -1;
Clear pmk_len more consistently for extra protection This gives more protection against unexpected behavior if RSN supplicant code ends up trying to use sm->pmk[] with a stale value. Couple of the code paths did not clear sm->pmk_len explicitly in cases where the old PMK is being removed, so cover those cases as well to make sure these will result in PMK-to-PTK derivation failures rather than use of incorrect PMK value if such a code path could be reached somehow. Signed-off-by: Jouni Malinen <j@w1.fi>
2018-04-08 18:42:52 +02:00
}
OWE: Support DH groups 20 (NIST P-384) and 21 (NIST P-521) in station This extends OWE support in wpa_supplicant to allow DH groups 20 and 21 to be used in addition to the mandatory group 19 (NIST P-256). The group is configured using the new network profile parameter owe_group. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-08 15:39:08 +02:00
sm->pmk_len = hash_len;
OWE: Process Diffie-Hellman Parameter element in STA mode This adds STA side addition of OWE Diffie-Hellman Parameter element into (Re)Association Request frame and processing it in (Re)Association Response frame. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 10:53:21 +01:00
OWE: Support DH groups 20 (NIST P-384) and 21 (NIST P-521) in station This extends OWE support in wpa_supplicant to allow DH groups 20 and 21 to be used in addition to the mandatory group 19 (NIST P-256). The group is configured using the new network profile parameter owe_group. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-08 15:39:08 +02:00
wpa_hexdump_key(MSG_DEBUG, "OWE: PMK", sm->pmk, sm->pmk_len);
OWE: Process Diffie-Hellman Parameter element in STA mode This adds STA side addition of OWE Diffie-Hellman Parameter element into (Re)Association Request frame and processing it in (Re)Association Response frame. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 10:53:21 +01:00
wpa_hexdump(MSG_DEBUG, "OWE: PMKID", pmkid, PMKID_LEN);
OWE: PMKSA caching in station mode This extends OWE support in wpa_supplicant to allow PMKSA caching to be used. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-09 11:08:57 +02:00
pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len, pmkid, NULL, 0,
bssid, sm->own_addr, sm->network_ctx, sm->key_mgmt,
NULL);
OWE: Process Diffie-Hellman Parameter element in STA mode This adds STA side addition of OWE Diffie-Hellman Parameter element into (Re)Association Request frame and processing it in (Re)Association Response frame. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 10:53:21 +01:00
return 0;
}
#endif /* CONFIG_OWE */
FILS: Update cache identifier on association This is needed when offloading FILS shared key to the drivers. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-03-22 11:40:05 +01:00
void wpa_sm_set_fils_cache_id(struct wpa_sm *sm, const u8 *fils_cache_id)
{
#ifdef CONFIG_FILS
if (sm && fils_cache_id) {
sm->fils_cache_id_set = 1;
os_memcpy(sm->fils_cache_id, fils_cache_id, FILS_CACHE_ID_LEN);
}
#endif /* CONFIG_FILS */
}
DPP2: PFS for PTK derivation Use Diffie-Hellman key exchange to derivate additional material for PMK-to-PTK derivation to get PFS. The Diffie-Hellman Parameter element (defined in OWE RFC 8110) is used in association frames to exchange the DH public keys. For backwards compatibility, ignore missing request/response DH parameter and fall back to no PFS in such cases. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-17 22:51:53 +01:00
#ifdef CONFIG_DPP2
void wpa_sm_set_dpp_z(struct wpa_sm *sm, const struct wpabuf *z)
{
if (sm) {
wpabuf_clear_free(sm->dpp_z);
sm->dpp_z = z ? wpabuf_dup(z) : NULL;
}
}
#endif /* CONFIG_DPP2 */
PASN: Support PASN with SAE key derivation Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2020-12-16 12:00:52 +01:00
#ifdef CONFIG_PASN
void wpa_pasn_pmksa_cache_add(struct wpa_sm *sm, const u8 *pmk, size_t pmk_len,
const u8 *pmkid, const u8 *bssid, int key_mgmt)
{
sm->cur_pmksa = pmksa_cache_add(sm->pmksa, pmk, pmk_len, pmkid, NULL, 0,
bssid, sm->own_addr, NULL,
key_mgmt, 0);
}
#endif /* CONFIG_PASN */