The bandwidth values are shared between VHT and HE mode so remove the
VHT specific prefix.
Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
These bits might be set by the capabilities read from the kernel, so
mask them out if beamforming is not enabled in the local configuration.
Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
This copying attempt was added incorrectly since that element is never
actually present in (Re)Association Request frames. It is only valid to
copy that element from the mesh peering frames.
Signed-off-by: Jouni Malinen <j@w1.fi>
gcc 8.3.0 was apparently clever enough to optimize away the previously
used os_memset() to explicitly clear a stack buffer that contains keys
when that clearing happened just before returning from the function.
Since memset_s() is not exactly portable (or commonly available yet..),
use a less robust mechanism that is still pretty likely to prevent
current compilers from optimizing the explicit clearing of the memory
away.
Signed-off-by: Jouni Malinen <j@w1.fi>
Initialize auth_sock and acct_sock to -1 to avoid radius_server_deinit()
attempting to close fd=0 if anything fails in setting up the RADIUS
server.
Signed-off-by: Jouni Malinen <j@w1.fi>
The Session-Id derivation for EAP-AKA in RFC 5247 only explained how the
Session-Id is derived for regular authentication. Jouni reported it as
an errata with text explaining how to derive it during fast
reauthentication.
This patch now exports the Session-Id for EAP-AKA during fast
reauthentication based on this Session-Id = 0x17 || NONCE_S || MAC
construction.
Also documented by Alan Dekok in draft-dekok-emu-eap-session-id.
Signed-off-by: Mohit Sethi <mohit.sethi@aalto.fi>
The Session-Id derivation for EAP-SIM in RFC 5247 only explained how the
Session-Id is derived for regular authentication. Jouni reported it as
an errata with text explaining how to derive it during fast
reauthentication.
This patch now exports the Session-Id for EAP-SIM during fast
reauthentication based on this Session-Id = 0x12 || NONCE_S || MAC
construction.
Signed-off-by: Mohit Sethi <mohit.sethi@aalto.fi>
The rcons[] and Td4s[] array values need to be type cast explicitly to
u32 for the left shift 24 operation to be defined due to the implicit
conversion to int not handling the case where MSB would become 1 without
depending on UB.
Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14929
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The IE header length check was off-by-one and that could allow the loop
to read one octet beyond the end of the buffer before breaking out in
the second check.
Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14927
Fixes: 0a66ce3c49 ("WNM: Add support for SSID List element matching")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The bootstrapping URI format for DPP was extended during protocol design
to allow a list of channels without having to repeat the same operating
class information for each channel. That change was not included in the
initial implementation of the parser and a channel-list like
"C:81/1,6,11" would not be understood correctly (i.e., only the longer
"C:81/1,81/6,81/11" form would have been parsed correctly).
Fix this by extending the parser to accept both the shorter and longer
form for a list of channels within a single operating class.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
IEEE Std 802.11ai-2016 requires the FILS STA to do this check, but this
was missing from the initial implementation. The AP side behavior was
not described properly in 802.11ai due to a missing change in the
(Re)Association Response frame format tables which has resulted in some
deployed devices not including the RSNE.
For now, use an interoperability workaround to ignore the missing RSNE
and only check the payload of the element if it is present in the
protected frame. In other words, enforce this validation step only with
an AP that implements FILS authentication as described in REVmd while
allowing older implementations to skip this check (and the protection
against downgrade attacks). This workaround may be removed in the future
if it is determined that most deployed APs can be upgraded to add RSNE
into the (Re)Association Response frames.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This AP behavior was missing from IEEE Std 802.11ai-2016, but it is
needed for the RSNE validation to work correctly and for a FILS STA to
be able to perform the mandatory check for RSNE matching when processing
the (Re)Association Response frame (as described in 802.11ai). REVmd
will be updating the standard to cover this AP case, so prepare the
implementation to match that. Without this, a FILS STA might reject
association whenever using FILS authentication.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
If OCSP_resp_find_status() fails with the first OCSP_CERTID, the
generation of the second OCSP_CERTID ended up leaking memory. Fix this
by freeing the previously allocated OCSP_CERTID on that code path.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Do not allow auth->own_protocol_key to be overridden without having
freed the previously stored key in case a test sequence in
dpp_proto_auth_conf_replaced_by_resp is used.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Do not allow auth->peer_protocol_key to be overridden without having
freed the previously stored key in case two Authentication Response
messages are received.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The result of EC_GROUP_dup() needs to be freed, so do so within the
derivation functions for all error cases and in the callers for success
cases.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Use a separate error case handler for eap_pax_mac() failures and memcmp
to avoid wpa_hexdump() calls for the (mainly theoretical) local error
cases in deriving the MAC.
Fixes: b3c2b5d9f7 ("EAP-PAX server: Check hash function results")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This is mostly a theoretical case, but since crypto_bignum_rand() could
fail, need to free the allocated struct crypto_bignum *tmp in such a
case.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
BN_clear() does not free the BIGNUM; it only clears its value. Fix this
memory leak by using the appropriate BN_clear_free() function instead.
Fixes: b11fa98bcb ("Add explicit checks for peer's DH public key")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
EC_GROUP_new_by_curve_name() allocates memory for the returned pointer,
so need to free this with EC_GROUP_free() before leaving the calling
functions. This was leaking memory when parsing JWK and when performing
PKEX.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
ec_params needs to be freed before returning from the function.
Extension of this function to support BoringSSL introduced this memory
leak and that was later extended to be the only variant and apply to
OpenSSL and LibreSSL cases as well in commit c23e87d0d1 ("OpenSSL:
Replace EVP_PKEY_paramgen() with EC_KEY_new_by_curve_name()").
Fixes: f29761297b ("BoringSSL: Implement crypto_ecdh_init()")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
In practice, some APs have interop issues with the DUT. This sub command
is used to transfer the AP info between the driver and user space. This
works both as a command and event. As a command, it configures the
stored list of APs from user space to firmware; as an event, it
indicates the AP info detected by the firmware to user space for
persistent storage. The attributes defined in enum
qca_vendor_attr_interop_issues_ap are used to deliver the parameters.
Signed-off-by: Paul Zhang <paulz@codeaurora.org>
If none of the sr_control bits are set, we do not neet to add the IE to
the Beacon frame.
Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
While this should not happen in practical use cases,
wpa_get_ntp_timestamp() could return the same value when called twice in
a row quickly. Work around that case by enforcing a new Replay Counter
value based on stored last value.
Signed-off-by: Jouni Malinen <j@w1.fi>
Update enum qca_wlan_vendor_attr_get_wifi_info to add support for
attribute QCA_WLAN_VENDOR_ATTR_WIFI_INFO_RADIO_INDEX. In addition
update the documentation for qca_wlan_vendor_attr_get_wifi_info and
QCA_NL80211_VENDOR_SUBCMD_GET_WIFI_INFO to fully describe the
operation of the command and the format of the attributes.
Signed-off-by: Jeff Johnson <jjohnson@codeaurora.org>
Add a QCA vendor sub command QCA_NL80211_VENDOR_SUBCMD_BEACON_REPORTING
to implement beacon reporting feature. Different operations required to
implement this feature can be specified in
QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_OP_TYPE.
Userspace requests the driver/firmware to periodically report received
Beacon frames whose BSSID matches the current connected BSS's MAC
address. If userspace requests the driver/firmware to send beacon
reports actively, the driver encapsulates the details of the beacon in
an event and sends it to userspace asynchronously. Otherwise, the driver
will only update the beacon in cfg80211 scan cache but will not send any
event to userspace.
If this command is not issued, the current behavior of the
driver/firmware is to update the cfg80211 scan cache only when there is
a scan issued by the host in progress or whenever there is a change in
IEs of the Beacon frames from the current connected BSS.
The userspace requests the driver/firmware to stop reporting beacons
when reporting is not required anymore. If the driver/firmware is not
able to receive Beacon frames because of other Wi-Fi operations such as
off-channel activities, etc., the driver/firmware sends a pause event to
userspace and stops reporting Beacon frames. The driver/firmware
indicates whether the beacon reporting automatically resumes later by
using the QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_AUTO_RESUMES flag. If
userspace doesn't want the beacon reporting to be resumed automatically,
userspace can send QCA_WLAN_VENDOR_BEACON_REPORTING_OP_STOP command to
the driver to stop beacon reporting.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This adds support to hostapd for configuring airtime policy settings for
stations as they connect to the access point. This is the userspace
component of the airtime policy enforcement system PoliFi described in
this paper: https://arxiv.org/abs/1902.03439
The Linux kernel part has been merged into mac80211 for the 5.1 dev
cycle.
The configuration mechanism has three modes: Static, dynamic and limit.
In static mode, weights can be set in the configuration file for
individual MAC addresses, which will be applied when the configured
stations connect.
In dynamic mode, weights are instead set per BSS, which will be scaled
by the number of active stations on that BSS, achieving the desired
aggregate weighing between the configured BSSes. Limit mode works like
dynamic mode, except that any BSS *not* marked as 'limited' is allowed
to exceed its configured share if a per-station fairness share would
assign more airtime to that BSS. See the paper for details on these
modes.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
This provides a mechanism for configuring per-STA airtime weight for
airtime policy configuration.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
Commit 373c796948 ("OpenSSL: Fix compile with OpenSSL 1.1.0 and
deprecated APIs") removed a call to ENGINE_load_dynamic() for newer
versions of OpenSSL, asserting that it should happen automatically.
That appears not to be the case, and loading engines now fails because
the dynamic engine isn't present.
Fix it by calling ENGINE_load_builtin_engines(), which works for all
versions of OpenSSL. Also remove the call to ERR_load_ENGINE_strings()
because that should have happened when SSL_load_error_strings() is
called anyway.
Fixes: 373c796948 ("OpenSSL: Fix compile with OpenSSL 1.1.0 and deprecated APIs")
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Maintain a single array (of struct with two int variables) instead of
two independent arrays (of int) for tracking know ifindexes and reasons
for having added them. The previous implementation tried to maintain two
independent arrays even though they were always required to be of
exactly same length and order. That had resulted in a bug earlier and
the code was not exactly easy to understand either, so replace this with
a single array.
Signed-off-by: Jouni Malinen <j@w1.fi>
Addition of a separate if_indices_reason array broke reallocation
failure checking. drv->if_indices or drv->if_indices_reason could not be
NULL in the place where this check was moved to. Fix that by maintaining
knowledge of reallocation failure in a separate local variable.
Fixes: 732b1d20ec ("nl80211: Clean up ifidx properly if interface in a bridge is removed")
Signed-off-by: Jouni Malinen <j@w1.fi>
There is no point in checking this pointer against NULL after it has
been dereferenced. Move the check to the beginning of the function.
Signed-off-by: Jouni Malinen <j@w1.fi>
This allows authenticator side to complete FT initial mobility domain
association using FT-EAP with PMKSA caching.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
When completing FT initial mobility domain association with EAP, store
XXKey/MPMK in the PMKSA cache instead of MSK. The previously stored MSK
was of no use since it could not be used as the XXKey for another FT
initial mobility domain association using PMKSA caching.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This allows supplicant side to complete FT initial mobility domain
association using FT-EAP with PMKSA caching.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
When completing FT initial mobility domain association with EAP, store
XXKey/MPMK in the PMKSA cache instead of MSK. The previously stored MSK
was of no use since it could not be used as the XXKey for another FT
initial mobility domain association using PMKSA caching.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
It is apparently possible to somehow trigger the driver to report a
channel switch event during ACS operation when the interface information
is not yet complete. hapd->iface->current_mode could be NULL in that
case and that would result in process termination due to NULL pointer
dereference.
It should not really be possible to trigger a channel switch during ACS
is running (i.e., before the AP mode operation has been started), but
since that has been seen in an arbitrary test sequence with interface
start/stop operations with various parameters (both valid and invalid),
better prevent a crash here by ignoring the unexpected event instead of
trying to process it.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Unexpected CHAN_SWITCH command could get this function using a NULL
pointer if the channel switch was requested while the interface was
already disabled.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
driver->hapd_deinit() is going to free the memory that the cached
pointers are pointing to, so clear the pointers to avoid possibility of
dereferencing used memory. It seemed to be possible to hit a code path
using those fields by issuing a CHAN_SWITCH command on disabled hostapd
interface in some cases.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This adds a ieee80211ax=0/1 line to the STATUS output to indicate
the configuration of ieee80211ax, which similar to ieee80211n and
ieee80211ac.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The first four octets of the element were used as a host byte order u32.
That is not correct on bigendian CPUs, so handle byte swapping needs
properly. Mark the he_oper_params field as le32 to explicitly indicate
the byte order and swap the generated params content based on CPU byte
order.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The current code will always use the size required when all optional
elements are present. This will cause the Linux kernel to consider the
field to be malformed if the elements are not actually flagged as being
present.
Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
Start sharing common SAE and EAP-pwd functionality by adding a new
source code file that can be included into both. This first step is
bringing in a shared function to check whether a group is suitable.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Move the identical function used by both SAE and EAP-pwd to
src/utils/common.c to avoid duplicated implementation.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This converts crypto_bignum_to_bin() to use the OpenSSL/BoringSSL
functions BN_bn2binpad()/BN_bn2bin_padded(), when available, to avoid
differences in runtime and memory access patterns depending on the
leading bytes of the BIGNUM value.
OpenSSL 1.0.2 and LibreSSL do not include such functions, so those cases
are still using the previous implementation where the BN_num_bytes()
call may result in different memory access pattern.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This reduces timing and memory access pattern differences for an
operation that could depend on the used password.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This reduces timing and memory access pattern differences for an
operation that could depend on the used password.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
SPR allows us to detect OBSS overlaps and allows us to do adaptive CCA
thresholds. For this to work the AP needs to broadcast the element
first.
Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
Properly populate the the HE Capabilities element with the info read
from the kernel.
Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
According to P802.11ax/D4.0 9.4.2.238 (HE Operation element) the BSS
Color Information field is located after the HE Operation Parameters
field. Fix the ordering of the bit masks/offsets for fields in these 3+1
octets used as a single 32-bit value. With these changes, Wireshark 3.2
is able to properly parse and display Beacon frames.
Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
IEEE P802.11ax/D4.0 9.4.2.243 "HE Operation element" indicates that the
special value 1023 in the TXOP Duration RTS Threshold field is used to
indicate that TXOP duration-based RTS is disabled. Use that value as the
default instead of the previously used value 0 which would really mean
threshold of 0 usec. Furthermore, the previous implementation did not
allow values larger than 255 to be used for this field while the field
is actually 10 bits in size.
Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
Add code to parse NL80211_BAND_ATTR_IFTYPE_DATA when reading the band
info. This is needed to find out about the local HE capabilities in AP
mode.
Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
The QCA_NL80211_VENDOR_SUBCMD_GET_HE_CAPABILITIES attributes are not
up-to-date with the latest P802.11ax/D4.0 capabilities and would need to
be updated or replaced. Since the variables from this functionality were
not used for anything in practice, it is easier to simply remove this
functionality completely to avoid issues with upcoming updates to use
upstream nl80211 information to determine HE capabilities.
This is practically reverting the commit ca1ab9db2a ("hostapd: Get
vendor HE capabilities").
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This makes it easier to upper layer components to manage operating
channels in cases where the same radio is shared for both station and AP
mode virtual interfaces.
Signed-off-by: Omer Dagan <omer.dagan@tandemg.com>
Logs involving IEEE 802.11 Status Codes output the Status Code value,
but do not provide any explanation of what the value means. This change
provides a terse explanation of each status code using the latter part
of the Status Code #define names.
Signed-off-by: Alex Khouderchah <akhouderchah@chromium.org>
These cases are for the IEEE 802.11 Status Code and Reason Code and
those fields are unsigned 16 bit values, so use the more appropriate
type consistently. This is mainly to document the uses and to make the
source code easier to understand.
Signed-off-by: Jouni Malinen <j@w1.fi>
Logs involving IEEE 802.11 Reason Codes output the Reason Code value,
but do not provide any explanation of what the value means. This change
provides a terse explanation of each Reason Code using the latter part
of the reason code #define names.
Signed-off-by: Alex Khouderchah <akhouderchah@chromium.org>
The new hostapd configuration parameter dpp_controller can now be used
with the following subparameter values: ipaddr=<IP address>
pkhash=<hexdump>. This adds a new Controller into the configuration
(i.e., more than one can be configured) and all incoming DPP exchanges
that match the specified Controller public key hash are relayed to the
particular Controller.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add initial implementation of DPP-over-TCP. This adds the general TCP
encapsulation routines into the shared src/common/dpp.c implementation.
That functionality will be exposed through hostapd and wpa_supplicant in
the following commits.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This can be helpful for testing DPP2 Controller functionality (get
pkhash from Controller to Relay).
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This can be used to provide configurable parameter to the global DPP
context. This initial commit introduces the msg_ctx context pointer for
wpa_msg().
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Update the version number for the build and also add the ChangeLog
entries for both hostapd and wpa_supplicant to describe main changes
between v2.7 and v2.8.
Signed-off-by: Jouni Malinen <j@w1.fi>
EAP-PAX server implementation could end up reading beyond the end of the
buffer if MSGDUMP level debugging was enabled and a message without the
ICV field was received. Fix this by using more strict message length
validation.
Signed-off-by: Jouni Malinen <j@w1.fi>
While this is mostly theoretical, the hash functions can fail and it is
better for the upper layer code to explicitly check for such failures.
Signed-off-by: Jouni Malinen <j@w1.fi>
Do not try to derive a PMK-R0 and PMK-R1 again for the case where an
association was started with FT protocol and PTK is rekeyed using 4-way
handshake. Instead, use the previously derived PMK-R1 to allow a new PTK
to be derived.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Do not try to derive a PMKID for EAPOL-key msg 1/4 when going through
4-way handshake to rekey PTK during an association that was started
through FT protocol.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This is needed to allow PTK rekeying to be performed through 4-way
handshake in an association started through FT protocol.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This is needed to avoid leaving some timers (e.g., for PTK rekeying)
running afrer a STA has disassociated.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
FT rules for PTK derivation do not use PMK. Remove the unused argument
to the PTK derivation function.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
There is no PMK/PMKID when going through 4-way handshake during an
association started with FT protocol, so need to allow the operation to
proceed even if there is no selected PMKSA cache entry in place.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The PMK and PMKID information from FILS ERP and FILS PMKSA caching needs
to be stored within struct wpa_state_machine for PTK to work. Without
this, PTK derivation would fail and attempt to go through rekeying would
result in disconnection. Furthermore, wpa_rekey_ptk() timer needs to be
started at the completion of FILS association since the place where it
was done for non-FILS cases at the end of 4-way handshake is not reached
when FILS authentication is used.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
All nla_put*() operations should be verified to succeed, so check this
recently added one for NL80211_ATTR_EXTERNAL_AUTH_SUPPORT.
Fixes: 236e793e7b ("nl80211: External authentication in driver-based AP SME mode")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Commit 4b16c15bbc ("EAP-pwd server: Use os_get_random() for
unpredictable token") replaced use of os_random(), i.e., of random(),
with os_get_random(), but forgot to remove the now unused srandom()
call. Clean up the implementation and remove that unneeded code.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Unexpected fragment might result in data->inbuf not being allocated
before processing and that could have resulted in NULL pointer
dereference. Fix that by explicitly checking for data->inbuf to be
available before using it.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
data->inbuf allocation might fail and if that were to happen, the next
fragment in the exchange could have resulted in NULL pointer
dereference. Unexpected fragment with more bit might also be able to
trigger this. Fix that by explicitly checking for data->inbuf to be
available before using it.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Report failure from getKey() if MSK cannot be derived due to unexpected
sha1_vector() local failure.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
There are number of deployed APs with broken PMF implementation where
the IGTK KDE uses swapped bytes in the KeyID field (0x0400 and 0x0500
instead of 4 and 5). Such APs cannot be trusted to implement BIP
correctly or provide a valid IGTK, so do not try to configure this key
with swapped KeyID bytes. Instead, continue without configuring the IGTK
so that the driver can drop any received group-addressed robust
management frames due to missing keys.
Normally, this error behavior would result in us disconnecting, but
there are number of deployed APs with this broken behavior, so as an
interoperability workaround, allow the connection to proceed.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Previously wpa_supplicant_key_neg_complete() was called before the
attempt to configure the IGTK received from the authenticator. This
could resulted in somewhat surprising sequence of events if IGTK
configuration failed since completion event would be followed by
immediate disconnection event. Reorder these operations so that
completion is reported only if GTK and IGTK are configurated
successfully.
Furthermore, check for missing GTK KDE in case of RSN and handle that
with an explicit disconnection instead of waiting for the AP to deliver
the GTK later.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
When processing the NL80211_CMD_PROBE_CLIENT command response, the
nl80211 layer in the kernel sends a response containing the cookie
associated with the client probe request. This response was not handled
by driver_nl80211.c when sending the command, and it was mistakenly
handled as an asynchronous event. This incorrect event did not include
the MAC/ACK attributes, so it was ignored in practice, but nevertheless,
the command response should not be processed as an event.
Fix this by reading the response as part of the sending the command
flow.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Include the MAC address of the peer, knowledge of whether the poll was
ACKed, and cookie into the debug message to make this more useful.
Signed-off-by: Jouni Malinen <j@w1.fi>
It looks like it is possible for the RECEIVE state to leak memory where
a previously allocated sm->lki is moved to sm->oki while sm->oki is
pointing to not yet freed entry. It is not clear how this can be
triggered, but it has come up in hwsim testing under heavy load.
Free sm->oki if it is still set in RECEIVE before replacing it with
sm->lki to avoid this memory leak.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
It is possible for the SAE state machine to remove the STA and free the
sta pointer in the mesh use cases. handle_auth_sae() could have
dereferenced that pointer and used freed memory in some cases. Fix that
by explicitly checking whether the STA was removed.
Fixes: bb598c3bdd ("AP: Add support for full station state")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
ap_free_sta() frees the sta entry, so sta->addr cannot be used after
that call. Fix the sequence of these two calls to avoid use of freed
memory to determine which PMKSA cache entry to remove.
Fixes: 9f2cf23e2e ("mesh: Add support for PMKSA caching")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Move event.assoc_info.freq selection to be after the
nl80211_get_assoc_ssid() call so that the current cfg80211 information
on the operating channel can be used should anything unexpected have
happened between the association request and completion of association.
Furthermore, update bss->freq based on assoc_freq to make that
information a bit more useful for station mode. It was already updated
after channel switches during association, but not at the beginning of
association.
Signed-off-by: Jouni Malinen <j@w1.fi>
This fixes some issues where bss->freq could have been used to replace
the current operating channel when sending out a management frame.
bss->freq has not been consistently used to track the current operating
channel in station mode, so it should not be trusted for this type of
uses. Clearing it makes this a bit more robust by at least avoiding the
cases of information from past association being used.
Signed-off-by: Jouni Malinen <j@w1.fi>
None of the ECC groups supported in the implementation had a cofactor
greater than 1, so these checks are unreachable and for all cases, the
cofactor is known to be 1. Furthermore, RFC 5931 explicitly disallow use
of ECC groups with cofactor larger than 1, so this checks cannot be
needed for any curve that is compliant with the RFC.
Remove the unneeded group cofactor checks to simplify the
implementation.
Signed-off-by: Jouni Malinen <j@w1.fi>
Based on the SAE implementation guidance update to not allow ECC groups
with a prime that is under 256 bits, reject groups 25, 26, and 27 in
EAP-pwd.
Signed-off-by: Jouni Malinen <j@w1.fi>
It looks like SSL_CTX_set1_curves_list() command alone is not sufficient
to enable ECDH curve selection with older OpenSSL versions for TLS
server, so enable automatic selection first and specify the exact list
of curves after that.
This fixes failures in openssl_ecdh_curves test case when hostapd uses
OpenSSL 1.0.2.
Signed-off-by: Jouni Malinen <j@w1.fi>
The external authentication command and event does not need to copy the
BSSID/SSID values into struct external_auth since those values are used
before returning from the call. Simplify this by using const u8 * to
external data instead of the array with a copy of the external data.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Extend commit 5ff39c1380 ("SAE: Support external authentication
offload for driver-SME cases") to support external authentication
with drivers that implement AP SME by notifying the status of
SAE authentication to the driver after SAE handshake as the
driver acts as a pass through for the SAE Authentication frames.
Signed-off-by: Srinivas Dasari <dasaris@codeaurora.org>
This extends driver interface to nl80211 by introducing the following
changes,
1. Register for Authenication frames in driver-based AP SME mode.
2. Advertise NL80211_ATTR_EXTERNAL_AUTH_SUPPORT in set_ap when
offloaded SAE authentication is supported.
3. Extend the NL80211_CMD_EXTERNAL_AUTH interface to also send PMKID
so that the drivers can respond to the PMKSA cached connection
attempts from the stations avoiding the need to contact user space
for all PMKID-based connections.
4. Send external auth status to driver only if it is a driver based
SME solution.
Signed-off-by: Srinivas Dasari <dasaris@codeaurora.org>
beacon_set_done did not get reset to zero on disabling interface using
DISABLE control interface command and the subsequent ENABLE command will
caused configuration of Beacon/Probe Response/Association Response frame
IEs twice. The unnecessary two step configuration can be avoided by
resetting beacon_set_done on DISABLE so that ENABLE can bring up the
interface in a single step with fully updated IEs.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Binary presentations of element and scalar can be written directly to
the allocated commit message buffer instead of having to first write
them into temporary buffers just to copy them to the actual message
buffer.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
RFC 5931 has these conditions as MUST requirements, so better follow
them explicitly even if the rand,mask == 0 or rand+mask == 0 or 1 cases
are very unlikely to occur in practice while generating random values
locally.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This adds an explicit check for 0 < x,y < prime based on RFC 5931,
2.8.5.2.2 requirement. The earlier checks might have covered this
implicitly, but it is safer to avoid any dependency on implicit checks
and specific crypto library behavior. (CVE-2019-9498 and CVE-2019-9499)
Furthermore, this moves the EAP-pwd element and scalar parsing and
validation steps into shared helper functions so that there is no need
to maintain two separate copies of this common functionality between the
server and peer implementations.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
When processing an EAP-pwd Commit frame, the server's scalar and element
(elliptic curve point) were not validated. This allowed an adversary to
bypass authentication, and act as a rogue Access Point (AP) if the
crypto implementation did not verify the validity of the EC point.
Fix this vulnerability by assuring the received scalar lies within the
valid range, and by checking that the received element is not the point
at infinity and lies on the elliptic curve being used. (CVE-2019-9499)
The vulnerability is only exploitable if OpenSSL version 1.0.2 or lower
is used, or if LibreSSL or wolfssl is used. Newer versions of OpenSSL
(and also BoringSSL) implicitly validate the elliptic curve point in
EC_POINT_set_affine_coordinates_GFp(), preventing the attack.
Signed-off-by: Mathy Vanhoef <mathy.vanhoef@nyu.edu>
When processing an EAP-pwd Commit frame, verify that the peer's scalar
and elliptic curve element differ from the one sent by the server. This
prevents reflection attacks where the adversary reflects the scalar and
element sent by the server. (CVE-2019-9497)
The vulnerability allows an adversary to complete the EAP-pwd handshake
as any user. However, the adversary does not learn the negotiated
session key, meaning the subsequent 4-way handshake would fail. As a
result, this cannot be abused to bypass authentication unless EAP-pwd is
used in non-WLAN cases without any following key exchange that would
require the attacker to learn the MSK.
Signed-off-by: Mathy Vanhoef <mathy.vanhoef@nyu.edu>
When processing an EAP-pwd Commit frame, the peer's scalar and element
(elliptic curve point) were not validated. This allowed an adversary to
bypass authentication, and impersonate any user if the crypto
implementation did not verify the validity of the EC point.
Fix this vulnerability by assuring the received scalar lies within the
valid range, and by checking that the received element is not the point
at infinity and lies on the elliptic curve being used. (CVE-2019-9498)
The vulnerability is only exploitable if OpenSSL version 1.0.2 or lower
is used, or if LibreSSL or wolfssl is used. Newer versions of OpenSSL
(and also BoringSSL) implicitly validate the elliptic curve point in
EC_POINT_set_affine_coordinates_GFp(), preventing the attack.
Signed-off-by: Mathy Vanhoef <mathy.vanhoef@nyu.edu>
Explicitly verify that own and peer commit scalar/element are available
when trying to check SAE confirm message. It could have been possible to
hit a NULL pointer dereference if the peer element could not have been
parsed. (CVE-2019-9496)
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Try to avoid showing externally visible timing or memory access
differences regardless of whether the derived pwd-value is smaller than
the group prime.
This is related to CVE-2019-9494.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This is an initial step towards making the FFC case use strictly
constant time operations similarly to the ECC case.
sae_test_pwd_seed_ffc() does not yet have constant time behavior,
though.
This is related to CVE-2019-9494.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
These groups have significant probability of coming up with pwd-value
that is equal or greater than the prime and as such, need for going
through the PWE derivation loop multiple times. This can result in
sufficient timing different to allow an external observer to determine
how many rounds are needed and that can leak information about the used
password.
Force at least 40 loop rounds for these MODP groups similarly to the ECC
group design to mask timing. This behavior is not described in IEEE Std
802.11-2016 for SAE, but it does not result in different values (i.e.,
only different timing), so such implementation specific countermeasures
can be done without breaking interoperability with other implementation.
Note: These MODP groups 22, 23, and 24 are not considered sufficiently
strong to be used with SAE (or more or less anything else). As such,
they should never be enabled in runtime configuration for any production
use cases. These changes to introduce additional protection to mask
timing is only for completeness of implementation and not an indication
that these groups should be used.
This is related to CVE-2019-9494.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Make the non-failure path in the function proceed without branches based
on r_odd and in constant time to minimize risk of observable differences
in timing or cache use. (CVE-2019-9494)
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The QR test result can provide information about the password to an
attacker, so try to minimize differences in how the
sae_test_pwd_seed_ecc() result is used. (CVE-2019-9494)
Use heap memory for the dummy password to allow the same password length
to be used even with long passwords.
Use constant time selection functions to track the real vs. dummy
variables so that the exact same operations can be performed for both QR
test results.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This algorithm could leak information to external observers in form of
timing differences or memory access patterns (cache use). While the
previous implementation had protection against the most visible timing
differences (looping 40 rounds and masking the legendre operation), it
did not protect against memory access patterns between the two possible
code paths in the masking operations. That might be sufficient to allow
an unprivileged process running on the same device to be able to
determine which path is being executed through a cache attack and based
on that, determine information about the used password.
Convert the PWE finding loop to use constant time functions and
identical memory access path without different branches for the QR/QNR
cases to minimize possible side-channel information similarly to the
changes done for SAE authentication. (CVE-2019-9495)
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Get rid of the branches that depend on the result of the Legendre
operation. This is needed to avoid leaking information about different
temporary results in blinding mechanisms.
This is related to CVE-2019-9494 and CVE-2019-9495.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
These functions can be used to help implement constant time operations
for various cryptographic operations that must minimize externally
observable differences in processing (both in timing and also in
internal cache use, etc.).
This is related to CVE-2019-9494 and CVE-2019-9495.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This helps in reducing measurable timing differences in operations
involving private information. BoringSSL has removed BN_FLG_CONSTTIME
and expects specific constant time functions to be called instead, so a
bit different approach is needed depending on which library is used.
The main operation that needs protection against side channel attacks is
BN_mod_exp() that depends on private keys (the public key validation
step in crypto_dh_derive_secret() is an exception that can use the
faster version since it does not depend on private keys).
crypto_bignum_div() is currently used only in SAE FFC case with not
safe-prime groups and only with values that do not depend on private
keys, so it is not critical to protect it.
crypto_bignum_inverse() is currently used only in SAE FFC PWE
derivation. The additional protection here is targeting only OpenSSL.
BoringSSL may need conversion to using BN_mod_inverse_blinded().
This is related to CVE-2019-9494 and CVE-2019-9495.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
These wpa_supplicant network profile parameters could be used to specify
a single match string that would be used against the dNSName items in
subjectAltName or CN. There may be use cases where more than one
alternative match string would be useful, so extend these to allow a
semicolon delimited list of values to be used (e.g.,
"example.org;example.com"). If any of the specified values matches any
of the dNSName/CN values in the server certificate, consider the
certificate as meeting this requirement.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Incorrect gen->type value was used to check whether subjectAltName
contained dNSName entries. This resulted in all domain_match and
domain_suffix_match entries failing to find a match and rejecting the
server certificate. Fix this by checking against the correct type
definition for dNSName.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Previously the EAP user database had to include a wildcard entry for ERP
to work since the keyName-NAI as User-Name in Access-Request would not
be recognized without such wildcard entry (that could point to any EAP
method). This is not ideal, so add a separate check to allow any stored
ERP keyName-NAI to be used for ERP without any requirement for the EAP
user database to contain a matching entry.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Inclusion of common/dpp.h into hostapd/main.c brought in an undesired
unconditional dependency on OpenSSL header files even for builds where
DPP is not enabled. Fix this by making the dpp.h contents, and in
particular the inclusion of openssl/x509.h, conditional on CONFIG_DPP.
Fixes: 87d8435cf9 ("DPP: Common configurator/bootstrapping data management")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The rules defining which DH groups are suitable for SAE use were
accepted into IEEE 802.11 REVmd based on this document:
https://mentor.ieee.org/802.11/dcn/19/11-19-0387-02-000m-addressing-some-sae-comments.docx
Enforce those rules in production builds of wpa_supplicant and hostapd.
CONFIG_TESTING_OPTIONS=y builds can still be used to select any o the
implemented groups to maintain testing coverage.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
identity_buf may be NULL here. Handle this case explicitly by printing
"N/A" instead relying on snprintf converting this to "(null)" or some
other value based on unexpected NULL pointer.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
While commit 1c156e783d ("Fixed tls_prf() to handle keys with
odd length") added support for keys with odd length, the function
never reached this code as the function would return earlier in
case the key length was odd. Fix this by removing the first check
for the key length.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
This commit introduces an attribute
QCA_WLAN_VENDOR_ATTR_ROAM_AUTH_REASON to carry the roam reason code
through QCA_NL80211_VENDOR_SUBCMD_KEY_MGMT_ROAM_AUTH event.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Avoid duplicated code in each user of dpp_build_conf_req() by moving the
common encapsulation case into this helper function.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
When connected using FT-SAE key mgmt, use PMK from PMKSA cache as XXKey
for PMK-R0 and PMK-R1 derivations. This fixes an issue where FT key
hierarchy could not be established due to missing (not yet configured)
XXKey when using SAE PMKSA caching for the initial mobility domain
association.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
In the case of the driver not supporting full AP mode STA state (i.e.,
not adding a STA entry before association), the QoS parameters are not
allowed to be modified when going through (re)association exchange for a
STA entry that has not been removed from the kernel. cfg80211 would
reject such command to update STA flags, so do not add the WMM parameter
in this case.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Ethernet frames have minimum length of 64 octets and shorter frames may
end up getting arbitrary padding in the end. This would result in the
FT/RRB receiver rejecting the frame as an incorrectly protected one.
Work around this by padding the message so that it is never shorter than
the minimum Ethernet frame.
Unfortunately, this padding is apparently not enough with all Ethernet
devices and it is still possible to see extra two octet padding at the
end of the message even if larger frames are used (e.g., showed up with
128 byte frames). For now, work around this by trying to do AES-SIV
decryption with two octets shorter frame (ignore last two octets) if the
first attempt fails.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
