Check whether an error is reported from any of the functions that could
in theory fail and if so, do not proceed with the partially filled SAE
commit buffer.
Signed-off-by: Jouni Malinen <j@w1.fi>
Only one peer-commit-scalar value was stored for a specific STA (i.e.,
one per MAC address) and that value got replaced when the next SAE
Authentication exchange was started. This ended up breaking the check
against re-use of peer-commit-scalar from an Accepted instance when
anti-clogging token was requested. The first SAE commit message (the one
without anti-clogging token) ended up overwriting the cached
peer-commit-scalar value while leaving that instance in Accepted state.
The second SAE commit message (with anti-clogging token) added ended up
getting rejected if it used the same value again (and re-use is expected
in this particular case where the value was not used in Accepted
instance).
Fix this by using a separate pointer for storing the peer-commit-scalar
value that was used in an Accepted instance. There is no need to
allocate memory for two values, i.e., it is sufficient to maintain
separate pointers to the value and move the stored value to the special
Accepted state pointer when moving to the Accepted state.
This fixes issues where a peer STA ends up running back-to-back SAE
authentication within couple of seconds, i.e., without hostapd timing
out the STA entry for a case where anti-clogging token is required.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
IEEE Std 802.11-2016 is not exactly clear on the encoding of the bit
string that is needed for KCK, PMK, and PMKID derivation, but it seems
to make most sense to encode the (commit-scalar + peer-commit-scalar)
mod r part as a bit string by zero padding it from left to the length of
the order (in full octets).
The previous implementation used the length of the prime (in full
octets). This would work for KCK/PMK, but this results in deriving all
zero PMKIDs for the groups where the size of the order is smaller than
the size of the prime. This is the case for groups 22, 23, and 24.
However, those groups have been marked as being unsuitable for use with
SAE, so this fix should not really have a practical impact anymore.
Anyway, better fix it and document this clearly in the implementation
taken into account the unclarity of the standard in this area.
Signed-off-by: Jouni Malinen <j@w1.fi>
Do not start SAE authentication from scratch when the AP requests
anti-clogging token to be used. Instead, use the previously generated
PWE as-is if the retry is for the same AP and the same group. This saves
unnecessary processing on the station side in case the AP is under heavy
SAE authentiation load.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The new sae_password parameter [|vlanid=<VLAN ID>] can now be used to
assign stations to a specific VLAN based on which SAE Password
Identifier they use. This is similar to the WPA2-Enterprise case where
the RADIUS server can assign stations to different VLANs and the
WPA2-Personal case where vlanid parameter in wpa_psk_file is used.
Signed-off-by: Jouni Malinen <j@w1.fi>
This extends the SAE implementation in both infrastructure and mesh BSS
cases to allow an optional Password Identifier to be used. This uses the
mechanism added in P802.11REVmd/D1.0. The Password Identifier is
configured in a wpa_supplicant network profile as a new string parameter
sae_password_id. In hostapd configuration, the existing sae_password
parameter has been extended to allow the password identifier (and also a
peer MAC address) to be set. In addition, multiple sae_password entries
can now be provided to hostapd to allow multiple per-peer and
per-identifier passwords to be set.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This implements the behavior described in IEEE Std 802.11-2016,
12.4.8.6.6 (Protocol instance behavior - Accepted state) to silently
discard received Confirm message in the Accepted state if the new
message does not use an incremented send-confirm value or if the special
2^16-1 value is used. This avoids unnecessary processing of
retransmitted Confirm messages.
Signed-off-by: Jouni Malinen <j@w1.fi>
The new hostapd.conf parameter sae_sync (default: 5) can now be used to
configure the dot11RSNASAESync value to specify the maximum number of
synchronization errors that are allowed to happen prior to
disassociation of the offending SAE peer.
Signed-off-by: Jouni Malinen <j@w1.fi>
IEEE Std 802.11-2012 11.3.5.4 specifies the PMKID for SAE-derived keys
as:
L((commit-scalar + peer-commit-scalar) mod r, 0, 128)
This is already calculated in the SAE code when the PMK is derived, but
not saved anywhere. Later, when generating the PMKID for plink action
frames, the definition for PMKID from 11.6.1.3 is incorrectly used.
Correct this by saving the PMKID when the key is generated and use it
subsequently.
Signed-off-by: Bob Copeland <me@bobcopeland.com>
This check explicitly for reflection attack and stops authentication
immediately if that is detected instead of continuing to the following
4-way handshake that would fail due to the attacker not knowing the key
from the SAE exchange.
Signed-off-by: Jouni Malinen <j@w1.fi>
Add the t0 retransmission timer as specified by IEEE Std 802.11-2012,
11.3.8.4. This makes SAE much more likely to succeed in the case of lost
frames.
Signed-off-by: Bob Copeland <me@bobcopeland.com>
This commit inserts Finite Cyclic Group to Anti-Clogging Token request
frame because IEEE Std 802.11-2012, Table 8-29 says "Finite Cyclic Group
is present if Status is zero or 76".
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
The mesh anti-clogging functionality is implemented partially. This
patch fixes to parse anti-clogging request frame and use anti-clogging
token.
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
This allows even more memory to be freed when the SAE instance enters
Accepted state. This leaves only the minimal needed memory allocated
during the association which is especially helpful for the AP
implementation where multiple stations may be associated concurrently.
Signed-hostap: Jouni Malinen <j@w1.fi>
Most of the variables are not needed anymore once the SAE instance
has entered Accepted state. Free these to save memory.
Signed-hostap: Jouni Malinen <j@w1.fi>
This allows FFC groups to be used with SAE. Though, these groups are not
included in the default sae_groups value based on what is available
since the FFC groups have the additional requirement of using a safe
prime with the current implementation (or specification of the group
order).
Signed-hostap: Jouni Malinen <j@w1.fi>
hostapd.conf sae_groups parameter can now be used to limit the set of
groups that the AP allows for SAE. Similarly, sae_groups parameter is
wpa_supplicant.conf can be used to set the preferred order of groups. By
default, all implemented groups are enabled.
Signed-hostap: Jouni Malinen <j@w1.fi>
In addition to the trivial change in adding the new group ientifier,
this required changes to KDF and random number generation to support
cases where the length of the prime in bits is not a multiple of eight.
The binary presentation of the value needs to be shifted so that the
unused most significant bits are the zero padding rather than the extra
bits in the end of the array.
Signed-hostap: Jouni Malinen <j@w1.fi>
In addition to the mandatory group 19 (256-bit random ECP group) add
support for groups 20 (384-bit), 25 (192-bit), and 26 (224-bit).
Signed-hostap: Jouni Malinen <j@w1.fi>
hostapd can now be configured to use anti-clogging mechanism based on
the new sae_anti_clogging_threshold parameter (which is
dot11RSNASAEAntiCloggingThreshold in the standard). The token is
generated using a temporary key and the peer station's MAC address.
wpa_supplicant will re-try SAE authentication with the token included if
commit message is rejected with a token request.
Signed-hostap: Jouni Malinen <j@w1.fi>
The enum values for struct sae_data::state now match the protocol
instance states as defined in IEEE Std 802.11-2012, 11.3.8.2.2
Signed-hostap: Jouni Malinen <j@w1.fi>
