Commit graph

102 commits

Author SHA1 Message Date
Jouni Malinen
d93abd4a97 SAE: Merge sae_get_rand() error case return statements
These error cases have the exact same outcome, so a single return
statement can be used.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-06-23 23:10:36 +03:00
Jouni Malinen
6a58444d27 SAE: Verify that own/peer commit-scalar and COMMIT-ELEMENT are different
This check explicitly for reflection attack and stops authentication
immediately if that is detected instead of continuing to the following
4-way handshake that would fail due to the attacker not knowing the key
from the SAE exchange.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-06-23 23:10:36 +03:00
Jouni Malinen
4e37dd6c60 SAE: Simplify sae_prepare_commit() error path
There is no need to keep separate "return -1" statements for these error
cases.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-06-22 00:38:02 +03:00
Jouni Malinen
4e70bbf1c6 SAE: Clear keys from memory on disassociation
There is no need to keep temporary keys in memory beyond the end of the
association, so explicitly clear any SAE buffers that can contain keys
as soon as such keys are not needed.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-29 20:00:02 +02:00
Masashi Honma
a959a3b69d SAE: Fix Anti-Clogging Token request frame format
This commit inserts Finite Cyclic Group to Anti-Clogging Token request
frame because IEEE Std 802.11-2012, Table 8-29 says "Finite Cyclic Group
is present if Status is zero or 76".

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2014-11-25 16:08:53 +02:00
Masashi Honma
872b754512 mesh: Fix SAE anti-clogging functionality for mesh
The mesh anti-clogging functionality is implemented partially. This
patch fixes to parse anti-clogging request frame and use anti-clogging
token.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2014-11-25 15:33:04 +02:00
Jouni Malinen
0233dcac5b SAE: Use os_memcmp_const() for hash/password comparisons
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:48 +03:00
Jouni Malinen
13c330385a SAE: Fix memory leak in random number generation
If the randomly generated bignum does not meet the validation steps, the
iteration loop in sae_get_rand() did not free the data properly. Fix the
memory leak by freeing the temporary bignum before starting the next
attempt at generating the value.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-31 22:24:31 +03:00
Jouni Malinen
b64afe22aa Fix SAE state validation on AP
Confirm-before-commit validation step allowed execution to continue on
error case. This could result in segfault in sae_check_confirm() if the
temporary SAE data was not available (as it would not be, e.g., in case
of an extra SAE confirm message being received after successful
exchange). Fix this by stopping SAE processing immediately after
detecting unexpected state for confirm message. In addition, make the
public sae.c functions verify sae->tmp before dereferencing it to make
this type of bugs less likely to result in critical issues.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-02-12 17:46:33 +02:00
Jouni Malinen
4414d9ee95 SAE: Fix ECC element y coordinate validation step
prime_len was added to the start pointer twice and because of this, the
actual y coordinate was not verified to be valid. This could also result
in reading beyond the buffer in some cases.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-29 17:18:17 +02:00
Jouni Malinen
aa189ac9dd Enable FT with SAE
It was already possible to configure hostapd and wpa_supplicant to use
FT-SAE for the key management, but number of places were missing proper
AKM checks to allow FT to be used with the new AKM.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-29 10:00:31 +02:00
Jouni Malinen
18ca733248 SAE: Fix group selection
Number of regressions had shown up in wpa_supplicant implementation of
SAE group selection due to different integer array termination (-1 in
hostapd, 0 in wpa_supplicant) being used for SAE groups. The
default_groups list did not seem to use any explicit termination value.
In addition, the sae_group_index was not cleared back to 0 properly
whenever a new SAE session was started.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-11-02 18:07:49 +02:00
Jouni Malinen
bb0122f3e8 SAE: Add forgotten commit element validation step for FFC groups
The peer commit element needs to be validated to pass one of the steps
listed in IEEE 802.11, 11.3.5.4:
scalar-op(r, ELEMENT) = 1 modulo p

Similar step was present for ECC groups, but was missing for FFC groups.
This is needed to avoid dictionary attacks.

Thanks to Michael Roßberg and Sascha Grau for reporting this.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-03-10 11:45:55 +02:00
Jouni Malinen
0bb229a6e8 SAE: Move commit element validation steps into single location
It is clearer to keep all the validation steps described in IEEE 802.11
11.3.5.4 in a single location instead of splitting this between the
parsing and processing functions.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-03-10 11:26:22 +02:00
Jouni Malinen
0ef29e0c0b SAE: Move temporary data into a separate data structure
This allows even more memory to be freed when the SAE instance enters
Accepted state. This leaves only the minimal needed memory allocated
during the association which is especially helpful for the AP
implementation where multiple stations may be associated concurrently.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:54 +02:00
Jouni Malinen
b4fd3613d3 SAE: Free temporary buffers when moving to Accepted state
Most of the variables are not needed anymore once the SAE instance
has entered Accepted state. Free these to save memory.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:54 +02:00
Jouni Malinen
30846fa65f SAE: Remove unnecessary sae_derive_k() wrapper
Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:54 +02:00
Jouni Malinen
f05dad2090 SAE: Clean up exponent calculation for PWE
Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:54 +02:00
Jouni Malinen
66fc91ab11 SAE: Share more commit value derivation between FFC and ECC cases
The rand/mask values and commit scalar are derived using the exact same
operations, so only use a separate function for deriving the commit
element.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:54 +02:00
Jouni Malinen
75870c933f SAE: Replace comparison to one with crypto_bignum wrapper
Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:54 +02:00
Jouni Malinen
3b0ffebcda SAE: Rename and move ECC/FFC functions to be next to each other
This makes it easier to see where there is separate implementation for
ECC and FFC groups.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:54 +02:00
Jouni Malinen
4ef34a9960 SAE: Remove duplicated SAE field debug dumps
Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:54 +02:00
Jouni Malinen
ce4479c106 SAE: Store commit elements as EC point or bignum instead of octet string
This avoids unnecessary EC point and bignum initialization steps during
the SAE exchange.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:54 +02:00
Jouni Malinen
61bd6a307c SAE: Validate peer commit values as part of parsing the message
There is no need to postpone this validation step to a separate
processing operation for the commit message, so move the minimal
validation tasks into the parsing functions.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:54 +02:00
Jouni Malinen
24dc1e2a2c SAE: Split sae_parse_commit() into helper functions
Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:54 +02:00
Jouni Malinen
b0f6124c1c SAE: Store commit scalars as bignum instead of octet string
This avoids unnecessary bignum initialization steps during the SAE
exchange.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:54 +02:00
Jouni Malinen
4df61ba5b9 SAE: Store PWE as EC point or bignum instead of octet string
This avoids unnecessary EC point and bignum initialization steps during
the SAE exchange.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:54 +02:00
Jouni Malinen
b1677c393b SAE: Use more generic random bignum generation
Move the bignum comparison part into the bignum library to allow a
single implementation of rand generation for both ECC and FCC based
groups.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:54 +02:00
Jouni Malinen
629c56d70a SAE: Store rand value as bignum instead of octet string
This avoids unnecessary bignum initialization steps during the SAE
exchange.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:54 +02:00
Jouni Malinen
bf4f5d6570 SAE: Add support for FFC groups that do not use a safe prime
This allows DH groups 22, 23, 24 to be used with SAE.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:54 +02:00
Jouni Malinen
fbfb0e65bf SAE: Add support for FFC groups
This allows FFC groups to be used with SAE. Though, these groups are not
included in the default sae_groups value based on what is available
since the FFC groups have the additional requirement of using a safe
prime with the current implementation (or specification of the group
order).

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:54 +02:00
Jouni Malinen
388f535461 SAE: Maintain bignum of group order and prime in context data
This simplifies operations by not having to create bignum instances
multiple times during SAE exchange.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:54 +02:00
Jouni Malinen
625f202a74 SAE: Allow enabled groups to be configured
hostapd.conf sae_groups parameter can now be used to limit the set of
groups that the AP allows for SAE. Similarly, sae_groups parameter is
wpa_supplicant.conf can be used to set the preferred order of groups. By
default, all implemented groups are enabled.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:53 +02:00
Jouni Malinen
cd9c2714e7 SAE: Add support for ECC group 21 (521-bit random ECP group)
In addition to the trivial change in adding the new group ientifier,
this required changes to KDF and random number generation to support
cases where the length of the prime in bits is not a multiple of eight.
The binary presentation of the value needs to be shifted so that the
unused most significant bits are the zero padding rather than the extra
bits in the end of the array.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:53 +02:00
Jouni Malinen
cbf9f4c642 SAE: Fix PWE loop termination on excessive iterations
The counter>200 check needs to be done before the continue-on-not-found
case to be effective in stopping this loop.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:53 +02:00
Jouni Malinen
d5f5fa86e4 SAE: Set pwd-value length based on prime length
The buffer is set based on maximum group prime length, but pwd-value
needs to be correct length for the negotiated group.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:53 +02:00
Jouni Malinen
a55f2eef71 SAE: Use EC group context to get the group prime
Do not use the hardcoded group19_prime buffer for this to allow group
negotiation.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:53 +02:00
Jouni Malinen
09200a1166 SAE: Use EC group context for peer-commit-scalar validation
Do not use the hardcoded group19_order/group19_prime buffers for this to
allow group negotiation.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:53 +02:00
Jouni Malinen
c5eb5b1999 SAE: Use EC group context for random number generation
Do not use the hardcoded group19_order/group19_prime buffers for this to
allow group negotiation.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:53 +02:00
Jouni Malinen
ce46ec8df0 SAE: Store the group order in EC context data
This makes the SAE implementation a bit simpler by not having to build
the bignum for group order during execution.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:53 +02:00
Jouni Malinen
4925b303db SAE: Use defines for key lengths
Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:53 +02:00
Jouni Malinen
7babd2539c SAE: Add a define for maximum supported prime length
This can be used to increase buffer sizes when adding support for new
groups.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:53 +02:00
Jouni Malinen
12e06dc228 SAE: Use sae->prime_len instead of hardcoded 32
This is needed to allow multiple groups to be supported.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:53 +02:00
Jouni Malinen
19a5bd0a25 SAE: Use the EC context from struct sae_data
Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:53 +02:00
Jouni Malinen
a46d72d7d7 SAE: Maintain EC group context in struct sae_data
This can be used to share same EC group context through the SAE
exchange.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:52 +02:00
Jouni Malinen
aadabe7045 SAE: Use crypto wrappers instead of direct OpenSSL calls
This makes the SAE implementation independent of the crypto/bignum
library.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:52 +02:00
Jouni Malinen
d136c376f2 SAE: Add support for Anti-Clogging mechanism
hostapd can now be configured to use anti-clogging mechanism based on
the new sae_anti_clogging_threshold parameter (which is
dot11RSNASAEAntiCloggingThreshold in the standard). The token is
generated using a temporary key and the peer station's MAC address.
wpa_supplicant will re-try SAE authentication with the token included if
commit message is rejected with a token request.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:52 +02:00
Jouni Malinen
4838ff3ef4 SAE: Do not allow re-use of peer-scalar in a new protocol instance
IEEE Std 802.11-2012, 11.3.8.6.1: If there is a protocol instance for
the peer and it is in Authenticated state, the new Commit Message
shall be dropped if the peer-scalar is identical to the one used in
the existing protocol instance.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:52 +02:00
Jouni Malinen
f2e9818f73 SAE: Add processing of the confirm message
This adds validation of the received confirm messages for SAE.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:52 +02:00
Jouni Malinen
fb8fcc2950 SAE: Add generation of the confirm message fields
Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:52 +02:00
Jouni Malinen
146f6c9a00 SAE: Add processing of the commit message
This adds validation of the received commit messages and key derivation
for SAE.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:52 +02:00
Jouni Malinen
8e31e9550a SAE: Add generation of the commit message fields
This adds derivation of PWE and the needed commit values so that the
full SAE commit message can be built.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:52 +02:00