The Crypto-Binding TLV is included without Intermediate-Result TLV in
this sequence since the server is skipping all inner authentication
methods and is only sending out Result TLV with the Crypto-Binding TLV.
Signed-off-by: Jouni Malinen <j@w1.fi>
The new hostapd configuration parameter eap_teap_id can be used to
configure the expected behavior for used identity type.
Signed-off-by: Jouni Malinen <j@w1.fi>
Parse the received Identity-Type TLV and report the used Identity-Type
in response if the request included this TLV. For now, only the
Identity-Type 1 (User) is supported.
Signed-off-by: Jouni Malinen <j@w1.fi>
Allow 100 rounds of EAP messages if there is data being transmitted.
Keep the old 50 round limit for cases where only short EAP messages are
sent (i.e., the likely case of getting stuck in ACK loop).
This allows larger EAP data (e.g., large certificates) to be exchanged
without breaking the workaround for ACK loop interop issues.
Signed-off-by: Jouni Malinen <j@w1.fi>
Use struct eap_config as-is within struct eap_sm and EAPOL authenticator
to avoid having to duplicate all the configuration variables at each
interface. Split the couple of session specific variables into a
separate struct to allow a single const struct eap_config to be used.
Signed-off-by: Jouni Malinen <j@w1.fi>
The implementation was previously hardcoded to use only the non-expanded
IETF EAP methods in Phase 2. Extend that to allow vendor EAP methods
with expanded header to be used.
Signed-off-by: Jouni Malinen <j@w1.fi>
This was already allowed with EAP-PEAP, but EAP-TEAP was hardcoded to
use only the non-expanded EAP types. Extend that to allow vendor EAP
types to be used.
Signed-off-by: Jouni Malinen <j@w1.fi>
The implementation was previously hardcoded to use only the non-expanded
IETF EAP methods in Phase 2. Extend that to allow vendor EAP methods
with expanded header to be used.
Signed-off-by: Jouni Malinen <j@w1.fi>
This was already allowed with EAP-PEAP, but EAP-FAST was hardcoded to
use only the non-expanded EAP types. Extend that to allow vendor EAP
types to be used.
Signed-off-by: Jouni Malinen <j@w1.fi>
The implementation was previously hardcoded to allow only the Microsoft
SoH expanded EAP method in Phase 2 in addition to non-expanded EAP
methods. Extend that to allow any vendor EAP method with an expanded
header to be used.
Signed-off-by: Jouni Malinen <j@w1.fi>
The implementation was previously hardcoded to use only the non-expanded
IETF EAP methods in Phase 2. Extend that to allow vendor EAP methods
with expanded header to be used.
Signed-off-by: Jouni Malinen <j@w1.fi>
This was already allowed with EAP-PEAP, but EAP-TTLS was hardcoded to
use only the non-expanded EAP types. Extend that to allow vendor EAP
types to be used.
Signed-off-by: Jouni Malinen <j@w1.fi>
This cleans up coding style of the EAP implementation by avoiding
typedef of an enum hiding the type of the variables.
Signed-off-by: Jouni Malinen <j@w1.fi>
The new eap_teap_separate_result=1 hostapd configuration parameter can
be used to test TEAP exchange where the Intermediate-Result TLV and
Crypto-Binding TLV are send in one message exchange while the Result TLV
exchange in done after that in a separate message exchange.
Signed-off-by: Jouni Malinen <j@w1.fi>
If the Crypto-Binding TLV for the last EAP method has been validated
successfully in a previous message exchange with Intermediate-Result TLV
and no new EAP method has been started, Result TLV can be accepted
without an additional Crypto-Binding TLV. This allows the server to go
through additional message exchanges after inner EAP method, if needed.
Signed-off-by: Jouni Malinen <j@w1.fi>
It is not sufficient for the peer to include only the Result TLV if the
server included both the Intermediate-Result TLV and Result TLV.
Signed-off-by: Jouni Malinen <j@w1.fi>
Previously, only the Result TLV was added when writing Crypto-Binding
TLV response. This is not sufficient, since RFC 7170 require
Intermediate-Result TLV response to be included from the peer if the
server included Intermediate-Result TLV.
Signed-off-by: Jouni Malinen <j@w1.fi>
This version of TLS PRF is needed when using TEAP with TLS ciphersuites
that are defined to use SHA384 instead of SHA256.
Signed-off-by: Jouni Malinen <j@w1.fi>
The previously used single TOD policy was split into two policies:
TOD-STRICT and TOD-TOFU. Report these separately in the
CTRL-EVENT-EAP-PEER-CERT events (tod=1 for TOD-STRICT and tod=2 for
TOD-TOFU).
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Update Connection Params is intended for drivers that implement
internal SME and expect these updated connection params from
wpa_supplicant. Do not send this request for the drivers using
SME from wpa_supplicant.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
If FT over-the-DS case is enforced through the "FT_DS <BSSID>" control
interface command, the PMF capability check during BSS selection is not
used and that could have allowed PMF to be disabled in the over-the-DS
case even if the local network profile mandated use of PMF. Check
against this explicitly to avoid unexpected cases if the APs within the
same mobility domain are not configured consistently.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Commit e820cf952f ("MFP: Add MFPR flag into station RSN IE if 802.11w
is mandatory") added indication of MFPR flag in non-FT cases, but forgot
to do so for the FT protocol cases where a different function is used to
build the RSNE. Do the same change now for that FT specific case to get
consistent behavior on indicating PMF configuration state with MFPR.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This is not used only with FT, so make the comments less confusing and
include the function in all builds to make it available for
non-FT/non-FILS builds.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
HE (802.11ax) is also supported on 2.4 GHz. And the 2.4 GHz band isn't
supposed to use VHT operations. Some codepaths in wpa_supplicant will
therefore not initialize the freq->bandwidth or the freq->center_freq1/2
members. As a result, the nl80211_put_freq_params() will directly return
an error (-1) or the kernel will return an error due to the invalid
channel definition.
Instead, the channel definitions should be created based on the actual
HT/VHT/none information on 2.4 GHz.
Fixes: ad9a1bfe78 ("nl80211: Share VHT channel configuration for HE")
Signed-off-by: Sven Eckelmann <seckelmann@datto.com>
Add vendor command QCA_NL80211_VENDOR_SUBCMD_AVOID_FREQUENCY_EXT
and attribute qca_wlan_vendor_attr_avoid_frequency_ext to send structured
avoid frequency data.
This new command is alternative to existing command
QCA_NL80211_VENDOR_SUBCMD_AVOID_FREQUENCY since existing command is
using stream of bytes instead of structured data using vendor attributes.
Signed-off-by: Rajeev Kumar Sirasanagandla <rsirasan@codeaurora.org>
As a part of P802.11ax amendment, 6 GHz band operation is added.
Since the 6 GHz channel numbers are overlapping with existing 2.4 GHz
and 5 GHz channel numbers, use frequency to identify unique channel
operation instead of channel number. Channel frequency is unique across
bands.
In the existing QCA vendor interface, wherever missing, add frequency
attributes to identify unique channel operation. In addition, add
comments to document some of the previously missed attributes/values.
Note: If both channel and frequency attributes are present in vendor
command/event and
(a) If both the driver and user-space application supports 6 GHz band
then channel related attributes are deprecated and use frequency
attributes.
(b) If either driver or user-space application or both doesn't
support 6 GHz band then use channel attributes.
Signed-off-by: Rajeev Kumar Sirasanagandla <rsirasan@codeaurora.org>
Add QCA_WLAN_VENDOR_ATTR_SAP_CONFIG_CHANNEL attribute in
enum qca_wlan_vendor_attr_sap_config to use with vendor command
QCA_NL80211_VENDOR_SUBCMD_SET_SAP_CONFIG.
This new attribute is used to restart AP on given channel.
Signed-off-by: Rajeev Kumar Sirasanagandla <rsirasan@codeaurora.org>
Add a QCA vendor sub command QCA_NL80211_VENDOR_SUBCMD_ACS_POLICY
with attributes enum qca_wlan_vendor_attr_acs_config and
enum qca_acs_dfs_mode to configure ACS policy.
Signed-off-by: Rajeev Kumar Sirasanagandla <rsirasan@codeaurora.org>
This enhances the existing vendor command QCA_NL80211_VENDOR_SUBCMD_ROAM
with the following configurations:
1. Set/get/clear roam control
2. Set/get the channels on which the roaming has to be triggered.
3. Set/get the roam scan period.
4. Configure the triggers for roaming.
5. Configure the candidate selection criteria.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
qca_wlan_vendor_attr_roam_subcmd is an enum associated with the
attribute QCA_WLAN_VENDOR_ATTR_ROAMING_SUBCMD. It represents different
sub command values and these are not the attributes. Hence, rename the
enum to qca_wlan_vendor_roaming_subcmd. Accordingly, the members of this
enum are also renamed to suite the usage.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Update the version number for the build and also add the ChangeLog
entries for both hostapd and wpa_supplicant to describe main changes
between v2.7 and v2.8.
Signed-off-by: Jouni Malinen <j@w1.fi>
Need to update methodState/decision when completing transmission of
fragmented last Phase 2 message.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The KCK, PMK, and PMKID derivation fix broke SAE key derivation for all
FFC groups. Fix that by setting sae->tmp->order_len for FFC groups (it
was only set for ECC groups).
Fixes: ac734a342e ("SAE: Fix KCK, PMK, and PMKID derivation for groups 22, 23, 24")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
It looks like EVP_PKEY_derive() may change the returned length of the
buffer from the initial length determination (NULL buffer) to the
fetching of the value. Handle this by updating the secret length based
on the second call instead of the first one. This fixes some cases where
ECDH result has been used with extra data (zeros in the end) with OWE or
FILS PFS.
Signed-off-by: Jouni Malinen <j@w1.fi>
This replaces the separately implemented ECDH operations with a single
helper function to avoid code duplication. In addition, this introduces
a workaround for strange OpenSSL behavior where the first
EVP_PKEY_derive(NULL) call to learn the size of the output shared secret
returns unexpectedly large buffer (72 octets when expected 32 octets for
group 19). It is not known what is causing this, but such behavior seems
to be showing up every now and then at least when running hwsim test
cases under UML and apparently mainly (only?) in the sigma_dut
controller cases.
Signed-off-by: Jouni Malinen <j@w1.fi>
IEEE Std 802.11-2016 is not exactly clear on the encoding of the bit
string that is needed for KCK, PMK, and PMKID derivation, but it seems
to make most sense to encode the (commit-scalar + peer-commit-scalar)
mod r part as a bit string by zero padding it from left to the length of
the order (in full octets).
The previous implementation used the length of the prime (in full
octets). This would work for KCK/PMK, but this results in deriving all
zero PMKIDs for the groups where the size of the order is smaller than
the size of the prime. This is the case for groups 22, 23, and 24.
However, those groups have been marked as being unsuitable for use with
SAE, so this fix should not really have a practical impact anymore.
Anyway, better fix it and document this clearly in the implementation
taken into account the unclarity of the standard in this area.
Signed-off-by: Jouni Malinen <j@w1.fi>
The earlier change to add support for BN_bn2binpad() and
BN_bn2bin_padded() broke this function for cases where no padding is
used (padlen == 0). Those would have always failed after the changes and
the function would return -1. There are no such cases in the current
hostap.git, so this did not have any real issues, but anyway, better fix
this function to match its documentation.
Fixes: 1e237903f5 ("OpenSSL: Use BN_bn2binpad() or BN_bn2bin_padded() if available")
Signed-off-by: Jouni Malinen <j@w1.fi>
Commit d896874f86 ("nl80211: Indicate 802.1X 4-way handshake offload
in connect") used the req_key_mgmt_offload flag to indicate to the
driver that it should offload the 802.1X handshake. However, this field
was existing and used for a different offload API. This causes
wpa_supplicant to send a connect request without the WANT_1X_HS flag and
the subsequent set-pmk is rejected causing the connection to fail. Fix
that by introducing a new flag req_handshake_offload so the offloads are
no longer entangled.
Fixes: d896874f86 ("nl80211: Indicate 802.1X 4-way handshake offload in connect")
Reported-by: Stefan Wahren <wahrenst@gmx.net>
Tested-by: Stefan Wahren <wahrenst@gmx.net>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
The new hostapd configuration option eap_sim_id can now be used to
disable use of pseudonym and/or fast reauthentication with EAP-SIM,
EAP-AKA, and EAP-AKA'.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
If the EAP-SIM/AKA server does not provide a new pseudonym and the
locally configured "pseudonym" in anonymous_identity is actually an
anonymous identitity instead of a real EAP-SIM/AKA pseudonym, do not
clear the anonymous_identity network profile parameter. This is needed
to avoid forgetting the anonymous identity when going through
EAP-SIM/AKA authentication and then reverting back to using IMSI-based
(e.g., encrypted) identity.
Fixes: 4df4133917 ("EAP-SIM/AKA: Add support for anonymous@realm")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The relevant flags were only added in Linux 4.6, so we shouldn't
complain because they're missing. Also, they're always missing if a
device is being removed (e.g., 'iw dev wlan0 del', or if the device is
in the process of resetting itself). So kill those 2 birds with 1 stone:
if we can't find the file, just silently skip it.
Also, we probably should *actually* propagate the error if we had a
write failure.
Signed-off-by: Brian Norris <briannorris@chromium.org>
Add an SQLite table for defining per station MAC address version of
radius_auth_req_attr/radius_acct_req_attr information. Create the
necessary table and index where this doesn't exist. Select attributes
from the table keyed by station MAC address and request type (auth or
acct), parse and apply to a RADIUS message.
Add radius_req_attr_sqlite hostapd config option for SQLite database
file. Open/close RADIUS attribute database for a lifetime of a BSS and
invoke functions to add extra attributes during RADIUS auth and
accounting request generation.
Signed-off-by: Terry Burton <tez@terryburton.co.uk>
We will want to parse RADIUS attributes in config file format when
retrieving them from an SQLite database.
Signed-off-by: Terry Burton <tez@terryburton.co.uk>
Previously, check for local MI,MN in a peer's Peers List accepted only
the cases that include the last used MN from an MKPDU sent by the local
device. This was problematic since it was possible to synchronize MKPDU
transmission between two devices in a way that made them always miss the
last MKPDU from the other device before filling in the Peers List.
Relax this matching requirement of "acceptably recent MN" to mean both
the last used MN and the one used just before it (i.e., copied from
either of the last two MKPDUs sent by the local device) are accepted.
While this might help in some real world scenarios in making the
protocol converge more quickly, the main help from this is to fix
consistent hwsim test cases failures in macsec_psk_ns when using UML
with time travel option which happened to practically guarantee the
inconvenient timing of MKPDU transmission/reception that ended up with
the MKPDU processing to see MI,MN with MN being the last used MN minus
1.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Disable groups that use Brainpool curves for now since they leak more
timing information due to the prime not being close to a power of two.
This removes use of groups 28, 29, and 30 from SAE and EAP-pwd.
Signed-off-by: Jouni Malinen <j@w1.fi>
The AP mode fix for removing NL80211_ATTR_STA_WME from
NL80211_CMD_SET_STATION did not consider the TDLS case and that resulted
in incorrectly removing WMM parameters from TDLS STA entry updates. Fix
this by considering the WPA_STA_TDLS_PEER flag similarly to the other
update parameters.
Fixes: 6d14b98fc6 ("nl80211: Do not add WMM parameters when updating an existing STA entry")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This is a compiler specific extension and not compliant with the C
standard.
Fixes: 1c16b257a0 ("EAP-SIM: Add Session-Id derivation during fast-reauth")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This is a compiler specific extension and not compliant with the C
standard.
Fixes: 5eefa8115b ("EAP-AKA: Add Session-Id derivation during fast-reauth")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The new "wpa" and "AKMSuiteSelector" entries in hostapd "STA <addr>"
control interface output can be used to determine the negotiated WPA/RSN
protocol and AKM suite of an associated station.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
These SAE, OWE, DPP, and OSEN AKM suite selectors were covered in the
reverse conversion in rsn_key_mgmt_to_bitfield(), but were missing from
wpa_akm_to_suite(). Add them to make AKM suite selector reporting more
accurate in RADIUS Accounting messages (and future users of this
function).
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Use a shared function to determine the k parameter, i.e., the minimum
number of iterations of the PWE derivation loop, for SAE and EAP-pwd.
This makes it easier to fine-tune the parameter based on the negotiated
group, if desired.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Make the EAP-pwd peer use same default set of allowed groups as the SAE
implementation in wpa_supplicant uses, i.e., the groups 19-21 using NIST
curves P-256, P-384, and P-521. Previously, all groups that were
supported by the crypto library were allowed. In practice, this change
disables use of the Brainpool curves (groups 28-30) with recent OpenSSL
versions.
The default set of groups can be overridden with a new phase1 network
profile parameter, eap_pwd_groups=<list of allowed ranges>. For example,
phase1="eap_pwd_groups=0-65535" would restore previous behavior of
allowing all implemented groups to be used while eap_pwd_groups=19,20
would enable only the groups using NIST curves P-256 and P-384 to be
used.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add attributes QCA_WLAN_VENDOR_ATTR_CONFIG_ELNA_BYPASS under
the enum qca_wlan_vendor_attr_config to support set and get
the ELNA bypass.
Signed-off-by: Paul Zhang <paulz@codeaurora.org>
Add a new vendor attribute QCA_WLAN_VENDOR_ATTR_DISCONNECT_IES
to configure disconnect IEs to the driver. Driver shall fill
these IEs in disassoc/deauth frame.
These IEs are expected to be considered only for the next
immediate disconnection (disassoc/deauth frame) originated by
the DUT, irrespective of the entity (user space/driver/firmware)
triggering the disconnection.
The host drivers are not expected to use the IEs set through
this interface for further disconnections after the first immediate
disconnection initiated post the configuration.
If the IEs are also updated through cfg80211 interface (after the
enhancement to cfg80211_disconnect), host driver is expected to
take the union of IEs from both of these interfaces and send in
further disassoc/deauth frames.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add a QCA vendor sub command QCA_NL80211_VENDOR_SUBCMD_OEM_DATA
with attributes qca_wlan_vendor_attr_oem_data_params to support
OEM data. It is used to send OEM data binary blobs from
application/service to firmware. The attributes defined in enum
qca_wlan_vendor_attr_oem_data_params are used to deliver the
parameters.
Signed-off-by: Paul Zhang <paulz@codeaurora.org>
The new certificate chain debug dumps used functions that are not
available with LibreSSL or BoringSSL.
Fixes: 857edf4bf4 ("OpenSSL: More debug prints of configured ciphers and certificates")
Signed-off-by: Jouni Malinen <j@w1.fi>
The OPENSSL_VERSION_NUMBER ifdef block left out the local variable that
is needed with all versions. In addition, SSL_set_security_level() is
not available with LibreSSL or BoringSSL.
Fixes: 3ec65a8e38 ("OpenSSL: Allow anon-DH cipher suites to be added for TEAP")
Signed-off-by: Jouni Malinen <j@w1.fi>
The tls_connection_get_cipher_suite() implementation used
SSL_CIPHER_get_protocol_id which was added in OpenSSL 1.1.1. Need to use
compatibility code with older versions.
Fixes: 94714ec341 ("OpenSSL: Add tls_connection_get_cipher_suite()")
Signed-off-by: Jouni Malinen <j@w1.fi>
This adds an encrypted version of a one octet application data payload
to the end of the handshake when TLS v1.3 is used to indicate explicit
termination of the handshake (either after Finished message or after the
optional NewSessionTicket message). The current
draft-ietf-emu-eap-tls13-05 defines this to be a zero length payload,
but since that is not allowed by OpenSSL, use a one octet payload
instead for now with hopes of getting the draft specification updated
instead of having to modify OpenSSL for this.
Signed-off-by: Jouni Malinen <j@w1.fi>
EAP-TLS with TLS 1.3 uses an empty application data record from the
server to indicate end of the exchange, so EAP-TLS peer will need to
check for this special case and finish the exchange with an empty
EAP-TLS (ACK) so that the server can send out EAP-Success.
Signed-off-by: Jouni Malinen <j@w1.fi>
This will hopefully not be needed for EAP-TLS use cases since there
should not really be a middlebox that looks at the TLS layer details in
case of EAP authentication.
Signed-off-by: Jouni Malinen <j@w1.fi>
hostapd EAP server can now be configured with two separate server
certificates/keys to enable parallel operations using both RSA and ECC
public keys. The server will pick which one to use based on the client
preferences for the cipher suite (in the TLS ClientHello message). It
should be noted that number of deployed EAP peer implementations do not
filter out the cipher suite list based on their local configuration and
as such, configuration of alternative types of certificates on the
server may result in interoperability issues.
Signed-off-by: Jouni Malinen <j@w1.fi>
This adds support for a new EAP method: EAP-TEAP (Tunnel Extensible
Authentication Protocol). This should be considered experimental since
RFC 7170 has number of conflicting statements and missing details to
allow unambiguous interpretation. As such, there may be interoperability
issues with other implementations and this version should not be
deployed for production purposes until those unclear areas are resolved.
This does not yet support use of NewSessionTicket message to deliver a
new PAC (either in the server or peer implementation). In other words,
only the in-tunnel distribution of PAC-Opaque is supported for now. Use
of the NewSessionTicket mechanism would require TLS library support to
allow arbitrary data to be specified as the contents of the message.
Signed-off-by: Jouni Malinen <j@w1.fi>
Add a new TLS_CONN_* flag to provide a higher level mechanism for adding
(instead of fully replacing) allowed list of TLS ciphersuites for TEAP
provisioning purposes.
Signed-off-by: Jouni Malinen <j@w1.fi>
This implements "tls-unique" derivation per RFC 5929, Section 3. This
will be needed for channel binding, e.g., with EAP-TEAP.
Signed-off-by: Jouni Malinen <j@w1.fi>
The buf[] array is initialized to zeros, so it was already null
terminated since the read() call did not allow the last character of the
buffer to be overwritten. Since that was apparently not enough to make
some static analyzers understand the design, use explicit null
termination after a successful read() call.
Signed-off-by: Jouni Malinen <j@w1.fi>
This reduces differences in timing and memory access within the
hunting-and-pecking loop for ECC groups that have a prime that is not
close to a power of two (e.g., Brainpool curves).
Signed-off-by: Jouni Malinen <j@w1.fi>
This reduces differences in timing and memory access within the
hunting-and-pecking loop for ECC groups that have a prime that is not
close to a power of two (e.g., Brainpool curves).
Signed-off-by: Jouni Malinen <j@w1.fi>
'sizeof' was not used with os_memmove() for an integer array. This lead
to an issue with part of the preferred channel list not being used.
Fixes: 79329ae0aa ("P2P: Verify local driver preferred frequencies for P2P use cases")
Signed-off-by: Daichi Ueura <daichi.ueura@sony.com>
Mesh points can partially support HE features (when requiring no
controlling STA/AP) as long as hardware supports it. The kernel just
requires support for HE mesh and wpa_supplicant can forward the peer
capabilities to the kernel for further processing.
Signed-off-by: Sven Eckelmann <seckelmann@datto.com>
The HE capabilities are no longer per PHY but per iftype on this
specific PHY. It is therefore no longer enough to just parse the AP
capabilities.
The he_capabilities are now duplicated to store all information for
IEEE80211_MODE_* which hostap cares about. The nl80211 driver fills in
this information when the iftype supports HE. The rest of the code still
only uses the IEEE80211_HE_AP portion but can be extended later to also
use other HE capabilities.
Signed-off-by: Sven Eckelmann <seckelmann@datto.com>
Declare the variable only once and reuse it instead of openning
unneeded scopes.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
The the mask for PPE threshold present in the HE phy capability byte 6 is
0x80 and not 0x6. This incorrect mask breaks the length calculation and as
result the acceptance of the HE capabilities for STAs which either:
* don't have the PPE threshold present bit set AND the Codebook Size={7,5}
MU Feedback or the Triggered SU Beamforming feedback bit set
* do have the PPE threshold present set AND neither the Codebook Size={7,5}
MU Feedback nor the Triggered SU Beamforming feedback bit set
Fixes: 8f5fc369e2 ("HE: Fix HE Capabilities element variable length encoding")
Signed-off-by: Sven Eckelmann <seckelmann@datto.com>
Some compilers have started to warn about this and the use of two loops
with ix 0..pa-1 and 0..pa loop a bit suspicious, so better make sure the
array is initialized with zeros before extracting the terms from it.
Signed-off-by: Jouni Malinen <j@w1.fi>
This does not need to be specific to X.509, so move the BOOLEAN DER
encoding validation into asn1_get_next() to make it apply for all cases
instead of having to have the caller handle this separately.
Signed-off-by: Jouni Malinen <j@w1.fi>
While BER encoding allows any nonzero value to be used for TRUE, DER is
explicitly allowing only the value 0xff. Enforce this constraint in
X.509 parsing to be more strict with what is acceptable.
Signed-off-by: Jouni Malinen <j@w1.fi>
Handling of the optional pathLenConstraint after cA was not done
properly. The position after cA needs to be compared to the end of the
SEQUENCE, not the end of the available buffer, to determine whether the
optional pathLenConstraint is present. In addition, when parsing
pathLenConstraint, the length of the remaining buffer was calculated
incorrectly by not subtracting the length of the header fields needed
for cA. This could result in reading couple of octets beyond the end of
the buffer before rejecting the ASN.1 data as invalid.
Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15408
Signed-off-by: Jouni Malinen <j@w1.fi>
This adds a CTRL-EVENT-EAP-PEER-CERT even for depth=0 even if a depth >
0 certificate results in peer certificate validation error. Previously,
this case resulted in the upper layers not getting any information about
the used peer certificate. Now that information is available, e.g., to
allow server certificate -based overriding of the trust to be done.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The same len variable can be used for both needs within
ieee802_1x_get_keys() to avoid compiler warning about use of shadowed
variable.
Fixes: 0ee6885dae ("macsec: Store EAP-Key-Name as eapSessionId")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This implements the required functionality in hostapd to facilitate OWE
connection with the AP SME-in-driver cases. Stations can either send DH
IE or PMKID (in RSNE) (or both) in Association Request frame during the
OWE handshake. The drivers that use this offload mechanism do not
interpret this information and instead, pass the same to hostapd for
further processing. hostapd will either validate the PMKID obtained from
the STA or generate DH IE and further indicate the same to the driver.
The driver further sends this information in the Association Response
frame.
Signed-off-by: Srinivas Dasari <dasaris@codeaurora.org>
Signed-off-by: Liangwei Dong <liangwei@codeaurora.org>
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This command/event interface can be used by SME based host drivers that
rely on user space (hostapd/wpa_supplicant) for DH IE
processing/generation. This interface facilitates the OWE connection
with host drivers by offloading DH IE processing to the user space
(hostapd/wpa_supplicant).
Signed-off-by: Srinivas Dasari <dasaris@codeaurora.org>
Signed-off-by: Liangwei Dong <liangwei@codeaurora.org>
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This is needed to allow upper layer software to learn the hash of the
server certificate for allowing user to override trust root
configuration.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add tod=1 to CTRL-EVENT-EAP-PEER-CERT events if the peer certificate
includes the TOD policy in the X.509v3 Certificate Policies extension.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This makes it easier to add new information to the callbacks without
having to modify each callback function type in EAPOL and EAP code every
time.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
sscanf() can apparently read beyond the end of the buffer even if the
maximum length of the integer is specified in the format string. Replace
this parsing mechanism with helper functions that use sscanf() with NUL
terminated string to avoid this.
Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15158
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
src/*/Makefile needs to allow additional CFLAGS values to be provided
from the calling Makefiles so that the clang command line arguments to
enable sanitizers consistently. In addition, it can be useful to be able
to provide CC, CFLAGS, and LDFLAGS from external setup while still
requesing LIBFUZZER=y build. Allow that by not overriding these
variables if they are already set.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The driver automatically starts beacon reporting if it pauses the beacon
reporting for any reason other than disconnection. In specific cases,
userspace may not want the beacon reporting to be automatically resumed
after a pause. Add interface support for userspace to specify driver not
to start beacon reporting automatically after a pause.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
If the EAP Session-ID is available, add it into Access-Accept
(EAP-Key-Name attribute). This is needed for MACsec.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
It is safer to maintain the old EAPOL version (2) in EAPOL frames that
are not related to MACsec and only update the version to 3 for the
MACsec specific cases.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add the following vendor attributes under the enum
qca_wlan_vendor_attr_spectral_scan to support the configuration of
Spectral DMA debug.
1. QCA_WLAN_VENDOR_ATTR_SPECTRAL_SCAN_CONFIG_DMA_RING_DEBUG
Enable/disable debug of the Spectral DMA ring
2. QCA_WLAN_VENDOR_ATTR_SPECTRAL_SCAN_CONFIG_DMA_BUFFER_DEBUG
Enable/disable debug of the Spectral DMA buffers
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
SIM-based EAP authentication with IMSI encryption requires a special EAP
Identity response: anonymous@realm. Then the server sends AKA-Identity
request which is answered with the encrypted IMSI. Add logic that
indicates if the special anonymous identity is used. Otherwise, this
field is used for storing the pseudonym.
Test: Connect to Carrier Wi-Fi, verify correct behavior from captures
Test: Connect to non IMSI encrypted EAP-AKA AP, verify pseudonym usage
Signed-off-by: Hai Shalom <haishalom@google.com>
External auth status to the driver includes the PMKID derived as part of
SAE authentication, but this is not valid if PMKSA caching is disabled.
Drivers might not be expecting PMKID when it is not valid. Do not send
the PMKID to the driver in such cases.
Signed-off-by: Srinivas Dasari <dasaris@codeaurora.org>
A driver that uses internal AP SME may need to be able to use the
external_auth status operation in station mode, so do not skip this
solely based on drv->device_ap_sme; instead, use that condition only
when operating in AP mode.
Fix external_auth status in non SME case.
Signed-off-by: Ashok Kumar <aponnaia@codeaurora.org>
With radio work design, send Action frame request will be queued and
wait for p2p-scan to finish, so there is no need to delay send_action.
This change revisits the logic (added before the radio work framework)
in below commits:
3f9285f P2P: Delay send_action call if p2p_scan is in progress
f44ae20 P2P: Drop pending TX frame on new p2p_connect
9d562b7 P2P: Add p2p_unauthorize command
63a965c P2P: Fix after_scan_tx processing during ongoing operations
9a58e52 P2PS: Callback to create pending group after sending PD Response
3433721 P2P: Continue p2p_find after sending non-success Invitation Response
Signed-off-by: Hu Wang <huw@codeaurora.org>
In case the current channel has regulatory WMM limitations, take them
into account when filling the WMM element. Also check if the new WMM
element is different from the previous one and if so change the
parameter_set_count to imply stations to look into it.
Signed-off-by: Haim Dreyfuss <haim.dreyfuss@intel.com>
ETSI EN 301 893 v2.1.1 (2017-05) standard defines a new channel access
mechanism that all devices (WLAN and LAA) need to comply with.
In previous versions the device was allowed by ETSI to implement
802.11 channel access mechanism based on a set of priority classes
which are taken from 802.11. According of the new standard there
might be some exceptions which require ETSI countries to follow
more restrictive rules. In such a case the AP's wmm IE need to
comply with ETSI limitation. To be able to do so the regulatory
domain passes the new limitation values if needed.
Implement this, by storing it and use it to calculate the new
WMM parameters.
This commit adds determination of regulator limitations to
NL80211_CMD_GET_WIPHY processing so that the information is available
for upper layer implementation to use later when constructing WMM
element.
Signed-off-by: Haim Dreyfuss <haim.dreyfuss@intel.com>
Add support for injecting frames to a given mesh peer, bypassing the
mpath table lookup using PROBE_MESH_LINK command. This helps to send
data frames over unexercised direct mesh path, which is not selected as
next_hop node. This can be helpful in measuring link metrics.
Signed-off-by: Pradeep Kumar Chitrapu <pradeepc@codeaurora.org>
In the case of the ap_csa_disable test, I frequently see
failures due to the kernel *not* having switched, but the
CSA-STARTED event having been processed, and thus the
frequency having been updated already.
This is wrong at least for AP mode, the frequency we store
for this case internally in nl80211 should only be updated
when the channel switch completes, otherwise we end up in
a situation where the switch is aborted and the kernel is
thus on the old channel, but the internal information has
been updated and every subsequent mgmt-frame TX fails due
to being tagged with the wrong channel.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
GnuTLS backend already accepts CA cert blobs in both DER and PEM
formats. Implement similar trial-and-error handling in OpenSSL backend.
Signed-off-by: Santtu Lakkala <santtu.lakkala@jolla.com>
When a new station is added, let it have some supported rates
(they're empty without this change), using the basic rates
that it must support to connect.
This, together with the kernel-side changes for client-side,
lets us finish the complete auth/assoc handshake with higher
rates than the mandatory ones, without any further config.
However, the downside to this is that a broken station that
doesn't check the basic rates are supported before it tries
to connect will possibly not get any response to its auth
frame.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Add a config option to allow setting a custom Basic NSS/MCS set. As a
default we use single stream HE-MCS 0-7.
Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
Set operating channel bandwidth and center frequencies using the same
attributes for VHT and HE.
Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
Process HE information in (Re)Association Request frames and add HE
elements into (Re)Association Response frames when HE is enabled in the
BSS.
Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
The HE Capibilities element has dynamic size due to the variable length
and optional fields at the end. Mask out the channel width capabilities
that are less than the configured. Only add the MCS/NSS sets for the
announced channel widths and also add the PPET elements.
Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
The PPE Thresholds information in the end of the HE Capabilities element
is optional and of variable length. struct he_ppe_threshold was not
really used correctly for encoding this, so remove it and just reserve
enough space for the information.
Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
This is used for both VHT and HE, so remove the misleading prefix.
Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
These are used for both VHT and HE, so remove the misleading prefix.
Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
These are used for both VHT and HE, so remove the misleading prefix.
Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
Bandwidth is used for both VHT and HE here.
Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
oper_chwidth is used for both VHT and HE here.
Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
The bandwidth values are shared between VHT and HE mode so remove the
VHT specific prefix.
Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
These bits might be set by the capabilities read from the kernel, so
mask them out if beamforming is not enabled in the local configuration.
Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
This copying attempt was added incorrectly since that element is never
actually present in (Re)Association Request frames. It is only valid to
copy that element from the mesh peering frames.
Signed-off-by: Jouni Malinen <j@w1.fi>
gcc 8.3.0 was apparently clever enough to optimize away the previously
used os_memset() to explicitly clear a stack buffer that contains keys
when that clearing happened just before returning from the function.
Since memset_s() is not exactly portable (or commonly available yet..),
use a less robust mechanism that is still pretty likely to prevent
current compilers from optimizing the explicit clearing of the memory
away.
Signed-off-by: Jouni Malinen <j@w1.fi>
Initialize auth_sock and acct_sock to -1 to avoid radius_server_deinit()
attempting to close fd=0 if anything fails in setting up the RADIUS
server.
Signed-off-by: Jouni Malinen <j@w1.fi>
The Session-Id derivation for EAP-AKA in RFC 5247 only explained how the
Session-Id is derived for regular authentication. Jouni reported it as
an errata with text explaining how to derive it during fast
reauthentication.
This patch now exports the Session-Id for EAP-AKA during fast
reauthentication based on this Session-Id = 0x17 || NONCE_S || MAC
construction.
Also documented by Alan Dekok in draft-dekok-emu-eap-session-id.
Signed-off-by: Mohit Sethi <mohit.sethi@aalto.fi>
The Session-Id derivation for EAP-SIM in RFC 5247 only explained how the
Session-Id is derived for regular authentication. Jouni reported it as
an errata with text explaining how to derive it during fast
reauthentication.
This patch now exports the Session-Id for EAP-SIM during fast
reauthentication based on this Session-Id = 0x12 || NONCE_S || MAC
construction.
Signed-off-by: Mohit Sethi <mohit.sethi@aalto.fi>
The rcons[] and Td4s[] array values need to be type cast explicitly to
u32 for the left shift 24 operation to be defined due to the implicit
conversion to int not handling the case where MSB would become 1 without
depending on UB.
Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14929
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The IE header length check was off-by-one and that could allow the loop
to read one octet beyond the end of the buffer before breaking out in
the second check.
Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14927
Fixes: 0a66ce3c49 ("WNM: Add support for SSID List element matching")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The bootstrapping URI format for DPP was extended during protocol design
to allow a list of channels without having to repeat the same operating
class information for each channel. That change was not included in the
initial implementation of the parser and a channel-list like
"C:81/1,6,11" would not be understood correctly (i.e., only the longer
"C:81/1,81/6,81/11" form would have been parsed correctly).
Fix this by extending the parser to accept both the shorter and longer
form for a list of channels within a single operating class.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
IEEE Std 802.11ai-2016 requires the FILS STA to do this check, but this
was missing from the initial implementation. The AP side behavior was
not described properly in 802.11ai due to a missing change in the
(Re)Association Response frame format tables which has resulted in some
deployed devices not including the RSNE.
For now, use an interoperability workaround to ignore the missing RSNE
and only check the payload of the element if it is present in the
protected frame. In other words, enforce this validation step only with
an AP that implements FILS authentication as described in REVmd while
allowing older implementations to skip this check (and the protection
against downgrade attacks). This workaround may be removed in the future
if it is determined that most deployed APs can be upgraded to add RSNE
into the (Re)Association Response frames.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This AP behavior was missing from IEEE Std 802.11ai-2016, but it is
needed for the RSNE validation to work correctly and for a FILS STA to
be able to perform the mandatory check for RSNE matching when processing
the (Re)Association Response frame (as described in 802.11ai). REVmd
will be updating the standard to cover this AP case, so prepare the
implementation to match that. Without this, a FILS STA might reject
association whenever using FILS authentication.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
If OCSP_resp_find_status() fails with the first OCSP_CERTID, the
generation of the second OCSP_CERTID ended up leaking memory. Fix this
by freeing the previously allocated OCSP_CERTID on that code path.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Do not allow auth->own_protocol_key to be overridden without having
freed the previously stored key in case a test sequence in
dpp_proto_auth_conf_replaced_by_resp is used.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Do not allow auth->peer_protocol_key to be overridden without having
freed the previously stored key in case two Authentication Response
messages are received.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The result of EC_GROUP_dup() needs to be freed, so do so within the
derivation functions for all error cases and in the callers for success
cases.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Use a separate error case handler for eap_pax_mac() failures and memcmp
to avoid wpa_hexdump() calls for the (mainly theoretical) local error
cases in deriving the MAC.
Fixes: b3c2b5d9f7 ("EAP-PAX server: Check hash function results")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This is mostly a theoretical case, but since crypto_bignum_rand() could
fail, need to free the allocated struct crypto_bignum *tmp in such a
case.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
BN_clear() does not free the BIGNUM; it only clears its value. Fix this
memory leak by using the appropriate BN_clear_free() function instead.
Fixes: b11fa98bcb ("Add explicit checks for peer's DH public key")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
EC_GROUP_new_by_curve_name() allocates memory for the returned pointer,
so need to free this with EC_GROUP_free() before leaving the calling
functions. This was leaking memory when parsing JWK and when performing
PKEX.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
ec_params needs to be freed before returning from the function.
Extension of this function to support BoringSSL introduced this memory
leak and that was later extended to be the only variant and apply to
OpenSSL and LibreSSL cases as well in commit c23e87d0d1 ("OpenSSL:
Replace EVP_PKEY_paramgen() with EC_KEY_new_by_curve_name()").
Fixes: f29761297b ("BoringSSL: Implement crypto_ecdh_init()")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
In practice, some APs have interop issues with the DUT. This sub command
is used to transfer the AP info between the driver and user space. This
works both as a command and event. As a command, it configures the
stored list of APs from user space to firmware; as an event, it
indicates the AP info detected by the firmware to user space for
persistent storage. The attributes defined in enum
qca_vendor_attr_interop_issues_ap are used to deliver the parameters.
Signed-off-by: Paul Zhang <paulz@codeaurora.org>
If none of the sr_control bits are set, we do not neet to add the IE to
the Beacon frame.
Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
While this should not happen in practical use cases,
wpa_get_ntp_timestamp() could return the same value when called twice in
a row quickly. Work around that case by enforcing a new Replay Counter
value based on stored last value.
Signed-off-by: Jouni Malinen <j@w1.fi>
Update enum qca_wlan_vendor_attr_get_wifi_info to add support for
attribute QCA_WLAN_VENDOR_ATTR_WIFI_INFO_RADIO_INDEX. In addition
update the documentation for qca_wlan_vendor_attr_get_wifi_info and
QCA_NL80211_VENDOR_SUBCMD_GET_WIFI_INFO to fully describe the
operation of the command and the format of the attributes.
Signed-off-by: Jeff Johnson <jjohnson@codeaurora.org>
Add a QCA vendor sub command QCA_NL80211_VENDOR_SUBCMD_BEACON_REPORTING
to implement beacon reporting feature. Different operations required to
implement this feature can be specified in
QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_OP_TYPE.
Userspace requests the driver/firmware to periodically report received
Beacon frames whose BSSID matches the current connected BSS's MAC
address. If userspace requests the driver/firmware to send beacon
reports actively, the driver encapsulates the details of the beacon in
an event and sends it to userspace asynchronously. Otherwise, the driver
will only update the beacon in cfg80211 scan cache but will not send any
event to userspace.
If this command is not issued, the current behavior of the
driver/firmware is to update the cfg80211 scan cache only when there is
a scan issued by the host in progress or whenever there is a change in
IEs of the Beacon frames from the current connected BSS.
The userspace requests the driver/firmware to stop reporting beacons
when reporting is not required anymore. If the driver/firmware is not
able to receive Beacon frames because of other Wi-Fi operations such as
off-channel activities, etc., the driver/firmware sends a pause event to
userspace and stops reporting Beacon frames. The driver/firmware
indicates whether the beacon reporting automatically resumes later by
using the QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_AUTO_RESUMES flag. If
userspace doesn't want the beacon reporting to be resumed automatically,
userspace can send QCA_WLAN_VENDOR_BEACON_REPORTING_OP_STOP command to
the driver to stop beacon reporting.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This adds support to hostapd for configuring airtime policy settings for
stations as they connect to the access point. This is the userspace
component of the airtime policy enforcement system PoliFi described in
this paper: https://arxiv.org/abs/1902.03439
The Linux kernel part has been merged into mac80211 for the 5.1 dev
cycle.
The configuration mechanism has three modes: Static, dynamic and limit.
In static mode, weights can be set in the configuration file for
individual MAC addresses, which will be applied when the configured
stations connect.
In dynamic mode, weights are instead set per BSS, which will be scaled
by the number of active stations on that BSS, achieving the desired
aggregate weighing between the configured BSSes. Limit mode works like
dynamic mode, except that any BSS *not* marked as 'limited' is allowed
to exceed its configured share if a per-station fairness share would
assign more airtime to that BSS. See the paper for details on these
modes.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
This provides a mechanism for configuring per-STA airtime weight for
airtime policy configuration.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
Commit 373c796948 ("OpenSSL: Fix compile with OpenSSL 1.1.0 and
deprecated APIs") removed a call to ENGINE_load_dynamic() for newer
versions of OpenSSL, asserting that it should happen automatically.
That appears not to be the case, and loading engines now fails because
the dynamic engine isn't present.
Fix it by calling ENGINE_load_builtin_engines(), which works for all
versions of OpenSSL. Also remove the call to ERR_load_ENGINE_strings()
because that should have happened when SSL_load_error_strings() is
called anyway.
Fixes: 373c796948 ("OpenSSL: Fix compile with OpenSSL 1.1.0 and deprecated APIs")
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Maintain a single array (of struct with two int variables) instead of
two independent arrays (of int) for tracking know ifindexes and reasons
for having added them. The previous implementation tried to maintain two
independent arrays even though they were always required to be of
exactly same length and order. That had resulted in a bug earlier and
the code was not exactly easy to understand either, so replace this with
a single array.
Signed-off-by: Jouni Malinen <j@w1.fi>
Addition of a separate if_indices_reason array broke reallocation
failure checking. drv->if_indices or drv->if_indices_reason could not be
NULL in the place where this check was moved to. Fix that by maintaining
knowledge of reallocation failure in a separate local variable.
Fixes: 732b1d20ec ("nl80211: Clean up ifidx properly if interface in a bridge is removed")
Signed-off-by: Jouni Malinen <j@w1.fi>
There is no point in checking this pointer against NULL after it has
been dereferenced. Move the check to the beginning of the function.
Signed-off-by: Jouni Malinen <j@w1.fi>
This allows authenticator side to complete FT initial mobility domain
association using FT-EAP with PMKSA caching.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
When completing FT initial mobility domain association with EAP, store
XXKey/MPMK in the PMKSA cache instead of MSK. The previously stored MSK
was of no use since it could not be used as the XXKey for another FT
initial mobility domain association using PMKSA caching.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This allows supplicant side to complete FT initial mobility domain
association using FT-EAP with PMKSA caching.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
When completing FT initial mobility domain association with EAP, store
XXKey/MPMK in the PMKSA cache instead of MSK. The previously stored MSK
was of no use since it could not be used as the XXKey for another FT
initial mobility domain association using PMKSA caching.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
It is apparently possible to somehow trigger the driver to report a
channel switch event during ACS operation when the interface information
is not yet complete. hapd->iface->current_mode could be NULL in that
case and that would result in process termination due to NULL pointer
dereference.
It should not really be possible to trigger a channel switch during ACS
is running (i.e., before the AP mode operation has been started), but
since that has been seen in an arbitrary test sequence with interface
start/stop operations with various parameters (both valid and invalid),
better prevent a crash here by ignoring the unexpected event instead of
trying to process it.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Unexpected CHAN_SWITCH command could get this function using a NULL
pointer if the channel switch was requested while the interface was
already disabled.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
driver->hapd_deinit() is going to free the memory that the cached
pointers are pointing to, so clear the pointers to avoid possibility of
dereferencing used memory. It seemed to be possible to hit a code path
using those fields by issuing a CHAN_SWITCH command on disabled hostapd
interface in some cases.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This adds a ieee80211ax=0/1 line to the STATUS output to indicate
the configuration of ieee80211ax, which similar to ieee80211n and
ieee80211ac.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The first four octets of the element were used as a host byte order u32.
That is not correct on bigendian CPUs, so handle byte swapping needs
properly. Mark the he_oper_params field as le32 to explicitly indicate
the byte order and swap the generated params content based on CPU byte
order.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The current code will always use the size required when all optional
elements are present. This will cause the Linux kernel to consider the
field to be malformed if the elements are not actually flagged as being
present.
Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
Start sharing common SAE and EAP-pwd functionality by adding a new
source code file that can be included into both. This first step is
bringing in a shared function to check whether a group is suitable.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Move the identical function used by both SAE and EAP-pwd to
src/utils/common.c to avoid duplicated implementation.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This converts crypto_bignum_to_bin() to use the OpenSSL/BoringSSL
functions BN_bn2binpad()/BN_bn2bin_padded(), when available, to avoid
differences in runtime and memory access patterns depending on the
leading bytes of the BIGNUM value.
OpenSSL 1.0.2 and LibreSSL do not include such functions, so those cases
are still using the previous implementation where the BN_num_bytes()
call may result in different memory access pattern.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This reduces timing and memory access pattern differences for an
operation that could depend on the used password.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This reduces timing and memory access pattern differences for an
operation that could depend on the used password.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
SPR allows us to detect OBSS overlaps and allows us to do adaptive CCA
thresholds. For this to work the AP needs to broadcast the element
first.
Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
Properly populate the the HE Capabilities element with the info read
from the kernel.
Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
According to P802.11ax/D4.0 9.4.2.238 (HE Operation element) the BSS
Color Information field is located after the HE Operation Parameters
field. Fix the ordering of the bit masks/offsets for fields in these 3+1
octets used as a single 32-bit value. With these changes, Wireshark 3.2
is able to properly parse and display Beacon frames.
Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
IEEE P802.11ax/D4.0 9.4.2.243 "HE Operation element" indicates that the
special value 1023 in the TXOP Duration RTS Threshold field is used to
indicate that TXOP duration-based RTS is disabled. Use that value as the
default instead of the previously used value 0 which would really mean
threshold of 0 usec. Furthermore, the previous implementation did not
allow values larger than 255 to be used for this field while the field
is actually 10 bits in size.
Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
Add code to parse NL80211_BAND_ATTR_IFTYPE_DATA when reading the band
info. This is needed to find out about the local HE capabilities in AP
mode.
Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
The QCA_NL80211_VENDOR_SUBCMD_GET_HE_CAPABILITIES attributes are not
up-to-date with the latest P802.11ax/D4.0 capabilities and would need to
be updated or replaced. Since the variables from this functionality were
not used for anything in practice, it is easier to simply remove this
functionality completely to avoid issues with upcoming updates to use
upstream nl80211 information to determine HE capabilities.
This is practically reverting the commit ca1ab9db2a ("hostapd: Get
vendor HE capabilities").
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This makes it easier to upper layer components to manage operating
channels in cases where the same radio is shared for both station and AP
mode virtual interfaces.
Signed-off-by: Omer Dagan <omer.dagan@tandemg.com>
Logs involving IEEE 802.11 Status Codes output the Status Code value,
but do not provide any explanation of what the value means. This change
provides a terse explanation of each status code using the latter part
of the Status Code #define names.
Signed-off-by: Alex Khouderchah <akhouderchah@chromium.org>
These cases are for the IEEE 802.11 Status Code and Reason Code and
those fields are unsigned 16 bit values, so use the more appropriate
type consistently. This is mainly to document the uses and to make the
source code easier to understand.
Signed-off-by: Jouni Malinen <j@w1.fi>
Logs involving IEEE 802.11 Reason Codes output the Reason Code value,
but do not provide any explanation of what the value means. This change
provides a terse explanation of each Reason Code using the latter part
of the reason code #define names.
Signed-off-by: Alex Khouderchah <akhouderchah@chromium.org>
The new hostapd configuration parameter dpp_controller can now be used
with the following subparameter values: ipaddr=<IP address>
pkhash=<hexdump>. This adds a new Controller into the configuration
(i.e., more than one can be configured) and all incoming DPP exchanges
that match the specified Controller public key hash are relayed to the
particular Controller.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add initial implementation of DPP-over-TCP. This adds the general TCP
encapsulation routines into the shared src/common/dpp.c implementation.
That functionality will be exposed through hostapd and wpa_supplicant in
the following commits.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This can be helpful for testing DPP2 Controller functionality (get
pkhash from Controller to Relay).
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This can be used to provide configurable parameter to the global DPP
context. This initial commit introduces the msg_ctx context pointer for
wpa_msg().
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Update the version number for the build and also add the ChangeLog
entries for both hostapd and wpa_supplicant to describe main changes
between v2.7 and v2.8.
Signed-off-by: Jouni Malinen <j@w1.fi>
EAP-PAX server implementation could end up reading beyond the end of the
buffer if MSGDUMP level debugging was enabled and a message without the
ICV field was received. Fix this by using more strict message length
validation.
Signed-off-by: Jouni Malinen <j@w1.fi>
While this is mostly theoretical, the hash functions can fail and it is
better for the upper layer code to explicitly check for such failures.
Signed-off-by: Jouni Malinen <j@w1.fi>
Do not try to derive a PMK-R0 and PMK-R1 again for the case where an
association was started with FT protocol and PTK is rekeyed using 4-way
handshake. Instead, use the previously derived PMK-R1 to allow a new PTK
to be derived.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Do not try to derive a PMKID for EAPOL-key msg 1/4 when going through
4-way handshake to rekey PTK during an association that was started
through FT protocol.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This is needed to allow PTK rekeying to be performed through 4-way
handshake in an association started through FT protocol.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This is needed to avoid leaving some timers (e.g., for PTK rekeying)
running afrer a STA has disassociated.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
FT rules for PTK derivation do not use PMK. Remove the unused argument
to the PTK derivation function.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
There is no PMK/PMKID when going through 4-way handshake during an
association started with FT protocol, so need to allow the operation to
proceed even if there is no selected PMKSA cache entry in place.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The PMK and PMKID information from FILS ERP and FILS PMKSA caching needs
to be stored within struct wpa_state_machine for PTK to work. Without
this, PTK derivation would fail and attempt to go through rekeying would
result in disconnection. Furthermore, wpa_rekey_ptk() timer needs to be
started at the completion of FILS association since the place where it
was done for non-FILS cases at the end of 4-way handshake is not reached
when FILS authentication is used.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
All nla_put*() operations should be verified to succeed, so check this
recently added one for NL80211_ATTR_EXTERNAL_AUTH_SUPPORT.
Fixes: 236e793e7b ("nl80211: External authentication in driver-based AP SME mode")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Commit 4b16c15bbc ("EAP-pwd server: Use os_get_random() for
unpredictable token") replaced use of os_random(), i.e., of random(),
with os_get_random(), but forgot to remove the now unused srandom()
call. Clean up the implementation and remove that unneeded code.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Unexpected fragment might result in data->inbuf not being allocated
before processing and that could have resulted in NULL pointer
dereference. Fix that by explicitly checking for data->inbuf to be
available before using it.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
data->inbuf allocation might fail and if that were to happen, the next
fragment in the exchange could have resulted in NULL pointer
dereference. Unexpected fragment with more bit might also be able to
trigger this. Fix that by explicitly checking for data->inbuf to be
available before using it.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Report failure from getKey() if MSK cannot be derived due to unexpected
sha1_vector() local failure.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
There are number of deployed APs with broken PMF implementation where
the IGTK KDE uses swapped bytes in the KeyID field (0x0400 and 0x0500
instead of 4 and 5). Such APs cannot be trusted to implement BIP
correctly or provide a valid IGTK, so do not try to configure this key
with swapped KeyID bytes. Instead, continue without configuring the IGTK
so that the driver can drop any received group-addressed robust
management frames due to missing keys.
Normally, this error behavior would result in us disconnecting, but
there are number of deployed APs with this broken behavior, so as an
interoperability workaround, allow the connection to proceed.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Previously wpa_supplicant_key_neg_complete() was called before the
attempt to configure the IGTK received from the authenticator. This
could resulted in somewhat surprising sequence of events if IGTK
configuration failed since completion event would be followed by
immediate disconnection event. Reorder these operations so that
completion is reported only if GTK and IGTK are configurated
successfully.
Furthermore, check for missing GTK KDE in case of RSN and handle that
with an explicit disconnection instead of waiting for the AP to deliver
the GTK later.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
When processing the NL80211_CMD_PROBE_CLIENT command response, the
nl80211 layer in the kernel sends a response containing the cookie
associated with the client probe request. This response was not handled
by driver_nl80211.c when sending the command, and it was mistakenly
handled as an asynchronous event. This incorrect event did not include
the MAC/ACK attributes, so it was ignored in practice, but nevertheless,
the command response should not be processed as an event.
Fix this by reading the response as part of the sending the command
flow.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Include the MAC address of the peer, knowledge of whether the poll was
ACKed, and cookie into the debug message to make this more useful.
Signed-off-by: Jouni Malinen <j@w1.fi>
It looks like it is possible for the RECEIVE state to leak memory where
a previously allocated sm->lki is moved to sm->oki while sm->oki is
pointing to not yet freed entry. It is not clear how this can be
triggered, but it has come up in hwsim testing under heavy load.
Free sm->oki if it is still set in RECEIVE before replacing it with
sm->lki to avoid this memory leak.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
It is possible for the SAE state machine to remove the STA and free the
sta pointer in the mesh use cases. handle_auth_sae() could have
dereferenced that pointer and used freed memory in some cases. Fix that
by explicitly checking whether the STA was removed.
Fixes: bb598c3bdd ("AP: Add support for full station state")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
ap_free_sta() frees the sta entry, so sta->addr cannot be used after
that call. Fix the sequence of these two calls to avoid use of freed
memory to determine which PMKSA cache entry to remove.
Fixes: 9f2cf23e2e ("mesh: Add support for PMKSA caching")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Move event.assoc_info.freq selection to be after the
nl80211_get_assoc_ssid() call so that the current cfg80211 information
on the operating channel can be used should anything unexpected have
happened between the association request and completion of association.
Furthermore, update bss->freq based on assoc_freq to make that
information a bit more useful for station mode. It was already updated
after channel switches during association, but not at the beginning of
association.
Signed-off-by: Jouni Malinen <j@w1.fi>
This fixes some issues where bss->freq could have been used to replace
the current operating channel when sending out a management frame.
bss->freq has not been consistently used to track the current operating
channel in station mode, so it should not be trusted for this type of
uses. Clearing it makes this a bit more robust by at least avoiding the
cases of information from past association being used.
Signed-off-by: Jouni Malinen <j@w1.fi>
None of the ECC groups supported in the implementation had a cofactor
greater than 1, so these checks are unreachable and for all cases, the
cofactor is known to be 1. Furthermore, RFC 5931 explicitly disallow use
of ECC groups with cofactor larger than 1, so this checks cannot be
needed for any curve that is compliant with the RFC.
Remove the unneeded group cofactor checks to simplify the
implementation.
Signed-off-by: Jouni Malinen <j@w1.fi>
Based on the SAE implementation guidance update to not allow ECC groups
with a prime that is under 256 bits, reject groups 25, 26, and 27 in
EAP-pwd.
Signed-off-by: Jouni Malinen <j@w1.fi>
It looks like SSL_CTX_set1_curves_list() command alone is not sufficient
to enable ECDH curve selection with older OpenSSL versions for TLS
server, so enable automatic selection first and specify the exact list
of curves after that.
This fixes failures in openssl_ecdh_curves test case when hostapd uses
OpenSSL 1.0.2.
Signed-off-by: Jouni Malinen <j@w1.fi>
The external authentication command and event does not need to copy the
BSSID/SSID values into struct external_auth since those values are used
before returning from the call. Simplify this by using const u8 * to
external data instead of the array with a copy of the external data.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Extend commit 5ff39c1380 ("SAE: Support external authentication
offload for driver-SME cases") to support external authentication
with drivers that implement AP SME by notifying the status of
SAE authentication to the driver after SAE handshake as the
driver acts as a pass through for the SAE Authentication frames.
Signed-off-by: Srinivas Dasari <dasaris@codeaurora.org>
This extends driver interface to nl80211 by introducing the following
changes,
1. Register for Authenication frames in driver-based AP SME mode.
2. Advertise NL80211_ATTR_EXTERNAL_AUTH_SUPPORT in set_ap when
offloaded SAE authentication is supported.
3. Extend the NL80211_CMD_EXTERNAL_AUTH interface to also send PMKID
so that the drivers can respond to the PMKSA cached connection
attempts from the stations avoiding the need to contact user space
for all PMKID-based connections.
4. Send external auth status to driver only if it is a driver based
SME solution.
Signed-off-by: Srinivas Dasari <dasaris@codeaurora.org>
beacon_set_done did not get reset to zero on disabling interface using
DISABLE control interface command and the subsequent ENABLE command will
caused configuration of Beacon/Probe Response/Association Response frame
IEs twice. The unnecessary two step configuration can be avoided by
resetting beacon_set_done on DISABLE so that ENABLE can bring up the
interface in a single step with fully updated IEs.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Binary presentations of element and scalar can be written directly to
the allocated commit message buffer instead of having to first write
them into temporary buffers just to copy them to the actual message
buffer.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
RFC 5931 has these conditions as MUST requirements, so better follow
them explicitly even if the rand,mask == 0 or rand+mask == 0 or 1 cases
are very unlikely to occur in practice while generating random values
locally.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This adds an explicit check for 0 < x,y < prime based on RFC 5931,
2.8.5.2.2 requirement. The earlier checks might have covered this
implicitly, but it is safer to avoid any dependency on implicit checks
and specific crypto library behavior. (CVE-2019-9498 and CVE-2019-9499)
Furthermore, this moves the EAP-pwd element and scalar parsing and
validation steps into shared helper functions so that there is no need
to maintain two separate copies of this common functionality between the
server and peer implementations.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
When processing an EAP-pwd Commit frame, the server's scalar and element
(elliptic curve point) were not validated. This allowed an adversary to
bypass authentication, and act as a rogue Access Point (AP) if the
crypto implementation did not verify the validity of the EC point.
Fix this vulnerability by assuring the received scalar lies within the
valid range, and by checking that the received element is not the point
at infinity and lies on the elliptic curve being used. (CVE-2019-9499)
The vulnerability is only exploitable if OpenSSL version 1.0.2 or lower
is used, or if LibreSSL or wolfssl is used. Newer versions of OpenSSL
(and also BoringSSL) implicitly validate the elliptic curve point in
EC_POINT_set_affine_coordinates_GFp(), preventing the attack.
Signed-off-by: Mathy Vanhoef <mathy.vanhoef@nyu.edu>
When processing an EAP-pwd Commit frame, verify that the peer's scalar
and elliptic curve element differ from the one sent by the server. This
prevents reflection attacks where the adversary reflects the scalar and
element sent by the server. (CVE-2019-9497)
The vulnerability allows an adversary to complete the EAP-pwd handshake
as any user. However, the adversary does not learn the negotiated
session key, meaning the subsequent 4-way handshake would fail. As a
result, this cannot be abused to bypass authentication unless EAP-pwd is
used in non-WLAN cases without any following key exchange that would
require the attacker to learn the MSK.
Signed-off-by: Mathy Vanhoef <mathy.vanhoef@nyu.edu>
When processing an EAP-pwd Commit frame, the peer's scalar and element
(elliptic curve point) were not validated. This allowed an adversary to
bypass authentication, and impersonate any user if the crypto
implementation did not verify the validity of the EC point.
Fix this vulnerability by assuring the received scalar lies within the
valid range, and by checking that the received element is not the point
at infinity and lies on the elliptic curve being used. (CVE-2019-9498)
The vulnerability is only exploitable if OpenSSL version 1.0.2 or lower
is used, or if LibreSSL or wolfssl is used. Newer versions of OpenSSL
(and also BoringSSL) implicitly validate the elliptic curve point in
EC_POINT_set_affine_coordinates_GFp(), preventing the attack.
Signed-off-by: Mathy Vanhoef <mathy.vanhoef@nyu.edu>
Explicitly verify that own and peer commit scalar/element are available
when trying to check SAE confirm message. It could have been possible to
hit a NULL pointer dereference if the peer element could not have been
parsed. (CVE-2019-9496)
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Try to avoid showing externally visible timing or memory access
differences regardless of whether the derived pwd-value is smaller than
the group prime.
This is related to CVE-2019-9494.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This is an initial step towards making the FFC case use strictly
constant time operations similarly to the ECC case.
sae_test_pwd_seed_ffc() does not yet have constant time behavior,
though.
This is related to CVE-2019-9494.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
These groups have significant probability of coming up with pwd-value
that is equal or greater than the prime and as such, need for going
through the PWE derivation loop multiple times. This can result in
sufficient timing different to allow an external observer to determine
how many rounds are needed and that can leak information about the used
password.
Force at least 40 loop rounds for these MODP groups similarly to the ECC
group design to mask timing. This behavior is not described in IEEE Std
802.11-2016 for SAE, but it does not result in different values (i.e.,
only different timing), so such implementation specific countermeasures
can be done without breaking interoperability with other implementation.
Note: These MODP groups 22, 23, and 24 are not considered sufficiently
strong to be used with SAE (or more or less anything else). As such,
they should never be enabled in runtime configuration for any production
use cases. These changes to introduce additional protection to mask
timing is only for completeness of implementation and not an indication
that these groups should be used.
This is related to CVE-2019-9494.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Make the non-failure path in the function proceed without branches based
on r_odd and in constant time to minimize risk of observable differences
in timing or cache use. (CVE-2019-9494)
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The QR test result can provide information about the password to an
attacker, so try to minimize differences in how the
sae_test_pwd_seed_ecc() result is used. (CVE-2019-9494)
Use heap memory for the dummy password to allow the same password length
to be used even with long passwords.
Use constant time selection functions to track the real vs. dummy
variables so that the exact same operations can be performed for both QR
test results.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This algorithm could leak information to external observers in form of
timing differences or memory access patterns (cache use). While the
previous implementation had protection against the most visible timing
differences (looping 40 rounds and masking the legendre operation), it
did not protect against memory access patterns between the two possible
code paths in the masking operations. That might be sufficient to allow
an unprivileged process running on the same device to be able to
determine which path is being executed through a cache attack and based
on that, determine information about the used password.
Convert the PWE finding loop to use constant time functions and
identical memory access path without different branches for the QR/QNR
cases to minimize possible side-channel information similarly to the
changes done for SAE authentication. (CVE-2019-9495)
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Get rid of the branches that depend on the result of the Legendre
operation. This is needed to avoid leaking information about different
temporary results in blinding mechanisms.
This is related to CVE-2019-9494 and CVE-2019-9495.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
These functions can be used to help implement constant time operations
for various cryptographic operations that must minimize externally
observable differences in processing (both in timing and also in
internal cache use, etc.).
This is related to CVE-2019-9494 and CVE-2019-9495.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This helps in reducing measurable timing differences in operations
involving private information. BoringSSL has removed BN_FLG_CONSTTIME
and expects specific constant time functions to be called instead, so a
bit different approach is needed depending on which library is used.
The main operation that needs protection against side channel attacks is
BN_mod_exp() that depends on private keys (the public key validation
step in crypto_dh_derive_secret() is an exception that can use the
faster version since it does not depend on private keys).
crypto_bignum_div() is currently used only in SAE FFC case with not
safe-prime groups and only with values that do not depend on private
keys, so it is not critical to protect it.
crypto_bignum_inverse() is currently used only in SAE FFC PWE
derivation. The additional protection here is targeting only OpenSSL.
BoringSSL may need conversion to using BN_mod_inverse_blinded().
This is related to CVE-2019-9494 and CVE-2019-9495.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
These wpa_supplicant network profile parameters could be used to specify
a single match string that would be used against the dNSName items in
subjectAltName or CN. There may be use cases where more than one
alternative match string would be useful, so extend these to allow a
semicolon delimited list of values to be used (e.g.,
"example.org;example.com"). If any of the specified values matches any
of the dNSName/CN values in the server certificate, consider the
certificate as meeting this requirement.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Incorrect gen->type value was used to check whether subjectAltName
contained dNSName entries. This resulted in all domain_match and
domain_suffix_match entries failing to find a match and rejecting the
server certificate. Fix this by checking against the correct type
definition for dNSName.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Previously the EAP user database had to include a wildcard entry for ERP
to work since the keyName-NAI as User-Name in Access-Request would not
be recognized without such wildcard entry (that could point to any EAP
method). This is not ideal, so add a separate check to allow any stored
ERP keyName-NAI to be used for ERP without any requirement for the EAP
user database to contain a matching entry.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Inclusion of common/dpp.h into hostapd/main.c brought in an undesired
unconditional dependency on OpenSSL header files even for builds where
DPP is not enabled. Fix this by making the dpp.h contents, and in
particular the inclusion of openssl/x509.h, conditional on CONFIG_DPP.
Fixes: 87d8435cf9 ("DPP: Common configurator/bootstrapping data management")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The rules defining which DH groups are suitable for SAE use were
accepted into IEEE 802.11 REVmd based on this document:
https://mentor.ieee.org/802.11/dcn/19/11-19-0387-02-000m-addressing-some-sae-comments.docx
Enforce those rules in production builds of wpa_supplicant and hostapd.
CONFIG_TESTING_OPTIONS=y builds can still be used to select any o the
implemented groups to maintain testing coverage.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
identity_buf may be NULL here. Handle this case explicitly by printing
"N/A" instead relying on snprintf converting this to "(null)" or some
other value based on unexpected NULL pointer.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
While commit 1c156e783d ("Fixed tls_prf() to handle keys with
odd length") added support for keys with odd length, the function
never reached this code as the function would return earlier in
case the key length was odd. Fix this by removing the first check
for the key length.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
This commit introduces an attribute
QCA_WLAN_VENDOR_ATTR_ROAM_AUTH_REASON to carry the roam reason code
through QCA_NL80211_VENDOR_SUBCMD_KEY_MGMT_ROAM_AUTH event.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Avoid duplicated code in each user of dpp_build_conf_req() by moving the
common encapsulation case into this helper function.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
When connected using FT-SAE key mgmt, use PMK from PMKSA cache as XXKey
for PMK-R0 and PMK-R1 derivations. This fixes an issue where FT key
hierarchy could not be established due to missing (not yet configured)
XXKey when using SAE PMKSA caching for the initial mobility domain
association.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
In the case of the driver not supporting full AP mode STA state (i.e.,
not adding a STA entry before association), the QoS parameters are not
allowed to be modified when going through (re)association exchange for a
STA entry that has not been removed from the kernel. cfg80211 would
reject such command to update STA flags, so do not add the WMM parameter
in this case.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Ethernet frames have minimum length of 64 octets and shorter frames may
end up getting arbitrary padding in the end. This would result in the
FT/RRB receiver rejecting the frame as an incorrectly protected one.
Work around this by padding the message so that it is never shorter than
the minimum Ethernet frame.
Unfortunately, this padding is apparently not enough with all Ethernet
devices and it is still possible to see extra two octet padding at the
end of the message even if larger frames are used (e.g., showed up with
128 byte frames). For now, work around this by trying to do AES-SIV
decryption with two octets shorter frame (ignore last two octets) if the
first attempt fails.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Merge the practically copy-pasted implementations in wpa_supplicant and
hostapd into a single shared implementation in dpp.c for managing
configurator and boostrapping information. This avoid unnecessary code
duplication and provides a convenient location for adding new global DPP
data.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>