Jouni Malinen [Sat, 14 Oct 2017 09:15:52 +0000 (12:15 +0300)]
wlantest: Do not update RSC on replays
This changes wlantest behavior to mark CCMP/TKIP replays for more cases
in case a device is resetting its TSC. Previously, the RSC check got
cleared on the first marked replay and the following packets were not
marked as replays if they continued incrementing the PN even if that PN
was below the highest value received with this key at some point in the
past.
Jouni Malinen [Sun, 8 Oct 2017 10:18:02 +0000 (13:18 +0300)]
Clear PMK length and check for this when deriving PTK
Instead of setting the default PMK length for the cleared PMK, set the
length to 0 and explicitly check for this when deriving PTK to avoid
unexpected key derivation with an all-zeroes key should it be possible
to somehow trigger PTK derivation to happen before PMK derivation.
Mathy Vanhoef [Thu, 5 Oct 2017 21:53:01 +0000 (23:53 +0200)]
WPA: Extra defense against PTK reinstalls in 4-way handshake
Currently, reinstallations of the PTK are prevented by (1) assuring the
same TPTK is only set once as the PTK, and (2) that one particular PTK
is only installed once. This patch makes it more explicit that point (1)
is required to prevent key reinstallations. At the same time, this patch
hardens wpa_supplicant such that future changes do not accidentally
break this property.
This was originally added to allow the IEEE 802.11 protocol to be
tested, but there are no known fully functional implementations based on
this nor any known deployments of PeerKey functionality. Furthermore,
PeerKey design in the IEEE Std 802.11-2016 standard has already been
marked as obsolete for DLS and it is being considered for complete
removal in REVmd.
This implementation did not really work, so it could not have been used
in practice. For example, key configuration was using incorrect
algorithm values (WPA_CIPHER_* instead of WPA_ALG_*) which resulted in
mapping to an invalid WPA_ALG_* value for the actual driver operation.
As such, the derived key could not have been successfully set for the
link.
Since there are bugs in this implementation and there does not seem to
be any future for the PeerKey design with DLS (TDLS being the future for
DLS), the best approach is to simply delete all this code to simplify
the EAPOL-Key handling design and to get rid of any potential issues if
these code paths were accidentially reachable.
FILS: Do not allow multiple (Re)Association Response frames
The driver is expected to not report a second association event without
the station having explicitly request a new association. As such, this
case should not be reachable. However, since reconfiguring the same
pairwise or group keys to the driver could result in nonce reuse issues,
be extra careful here and do an additional state check to avoid this
even if the local driver ends up somehow accepting an unexpected
(Re)Association Response frame.
tests: Fix wnm_action_proto_no_pmf to have active WNM_SLEEP operation
The previous designed worked since wpa_supplicant did not track pending
request state. With such tracking added, this test case needs to make
sure there is a pending operation when injecting the invalid response.
Jouni Malinen [Fri, 25 Aug 2017 13:24:18 +0000 (16:24 +0300)]
FILS: Accept another (Re)Association Request frame during an association
The previous implementation ended up starting a new EAPOL-Key 4-way
handshake if the STA were to attempt to perform another association.
This resulted in immediate disconnection since the PTK was not ready for
configuring FILS TK at the point when EAPOL-Key msg 1/4 is sent out.
This is better than alloing the association to continue with the same TK
reconfigured, but not really ideal.
Address this potential sequence by not starting a new 4-way handshake on
the additional association attempt. Instead, allow the association to
complete, but do so without reconfiguring the TK to avoid potential
issues with PN reuse with the same TK.
Jouni Malinen [Fri, 4 Aug 2017 10:14:57 +0000 (13:14 +0300)]
Add MGMT_TX_STATUS_PROCESS command for testing purposes
This allows ext_mgmt_frame_handling=1 cases with hostapd to process TX
status events based on external processing. This is useful for increased
test coverage of management frame processing.
FT: Do not allow multiple Reassociation Response frames
The driver is expected to not report a second association event without
the station having explicitly request a new association. As such, this
case should not be reachable. However, since reconfiguring the same
pairwise or group keys to the driver could result in nonce reuse issues,
be extra careful here and do an additional state check to avoid this
even if the local driver ends up somehow accepting an unexpected
Reassociation Response frame.
WNM: Ignore WNM-Sleep Mode Response without pending request
Commit 03ed0a52393710be6bdae657d1b36efa146520e5 ('WNM: Ignore WNM-Sleep
Mode Response if WNM-Sleep Mode has not been used') started ignoring the
response when no WNM-Sleep Mode Request had been used during the
association. This can be made tighter by clearing the used flag when
successfully processing a response. This adds an additional layer of
protection against unexpected retransmissions of the response frame.
Do not try to reconfigure the same TPK-TK to the driver after it has
been successfully configured. This is an explicit check to avoid issues
related to resetting the TX/RX packet number. There was already a check
for this for TPK M2 (retries of that message are ignored completely), so
that behavior does not get modified.
For TPK M3, the TPK-TK could have been reconfigured, but that was
followed by immediate teardown of the link due to an issue in updating
the STA entry. Furthermore, for TDLS with any real security (i.e.,
ignoring open/WEP), the TPK message exchange is protected on the AP path
and simple replay attacks are not feasible.
As an additional corner case, make sure the local nonce gets updated if
the peer uses a very unlikely "random nonce" of all zeros.
Jouni Malinen [Sun, 1 Oct 2017 09:32:57 +0000 (12:32 +0300)]
Fix PTK rekeying to generate a new ANonce
The Authenticator state machine path for PTK rekeying ended up bypassing
the AUTHENTICATION2 state where a new ANonce is generated when going
directly to the PTKSTART state since there is no need to try to
determine the PMK again in such a case. This is far from ideal since the
new PTK would depend on a new nonce only from the supplicant.
Fix this by generating a new ANonce when moving to the PTKSTART state
for the purpose of starting new 4-way handshake to rekey PTK.
Properly track whether a PTK has already been installed to the driver
and the TK part cleared from memory. This prevents an attacker from
trying to trick the client into installing an all-zero TK.
This fixes the earlier fix in commit ad00d64e7d8827b3cebd665a0ceb08adabf15e1e ('Fix TK configuration to the
driver in EAPOL-Key 3/4 retry case') which did not take into account
possibility of an extra message 1/4 showing up between retries of
message 3/4.
Jouni Malinen [Sun, 1 Oct 2017 09:12:24 +0000 (12:12 +0300)]
Extend protection of GTK/IGTK reinstallation of WNM-Sleep Mode cases
This extends the protection to track last configured GTK/IGTK value
separately from EAPOL-Key frames and WNM-Sleep Mode frames to cover a
corner case where these two different mechanisms may get used when the
GTK/IGTK has changed and tracking a single value is not sufficient to
detect a possible key reconfiguration.
Prevent reinstallation of an already in-use group key
Track the current GTK and IGTK that is in use and when receiving a
(possibly retransmitted) Group Message 1 or WNM-Sleep Mode Response, do
not install the given key if it is already in use. This prevents an
attacker from trying to trick the client into resetting or lowering the
sequence counter associated to the group key.
Do not reinstall TK to the driver during Reassociation Response frame
processing if the first attempt of setting the TK succeeded. This avoids
issues related to clearing the TX/RX PN that could result in reusing
same PN values for transmitted frames (e.g., due to CCM nonce reuse and
also hitting replay protection on the receiver) and accepting replayed
frames on RX side.
This issue was introduced by the commit 0e84c25434e6a1f283c7b4e62e483729085b78d2 ('FT: Fix PTK configuration in
authenticator') which allowed wpa_ft_install_ptk() to be called multiple
times with the same PTK. While the second configuration attempt is
needed with some drivers, it must be done only if the first attempt
failed.
Jouni Malinen [Wed, 11 Oct 2017 20:09:16 +0000 (23:09 +0300)]
SAE: Allow SAE password to be configured separately (STA)
The new sae_password network profile parameter can now be used to set
the SAE password instead of the previously used psk parameter. This
allows shorter than 8 characters and longer than 63 characters long
passwords to be used.
Jouni Malinen [Wed, 11 Oct 2017 20:07:08 +0000 (23:07 +0300)]
SAE: Allow SAE password to be configured separately (AP)
The new sae_password hostapd configuration parameter can now be used to
set the SAE password instead of the previously used wpa_passphrase
parameter. This allows shorter than 8 characters and longer than 63
characters long passwords to be used. In addition, this makes it
possible to configure a BSS with both WPA-PSK and SAE enabled to use
different passphrase/password based on which AKM is selected.
Jouni Malinen [Wed, 11 Oct 2017 15:19:03 +0000 (18:19 +0300)]
DPP: Fix static analyzer warnings in key generation and JWK construction
Memory allocation failures could have resulted in error paths that
dereference a NULL pointer or double-freeing memory. Fix this by
explicitly clearing the freed pointer and checking allocation results.
Sunil Dutt [Sun, 8 Oct 2017 05:33:21 +0000 (11:03 +0530)]
P2P: Prefer 5/60 GHz band over 2.4 GHz during GO configuration
Previously, wpas_p2p_select_go_freq_no_pref() ended up selecting a 2.4
GHz band channel first before even considering 5 or 60 GHz channels.
This was likely done more or less by accident rather than by design when
the 5 GHz and 60 GHz band extensions were added. It seems reasonable to
enhance this by reordering the code to start with 5 and 60 GHz operating
classes and move to 2.4 GHz band only if no channel was available in 5
or 60 GHz bands for P2P GO use.
This does have some potential interop issues with 2.4 GHz only peer
devices when starting up an autonomous GO (i.e., without there being
prior knowledge of channels that the peers support). Upper layers are
expected to enforce 2.4 GHz selection if that is needed for some use
cases.
Jouni Malinen [Tue, 10 Oct 2017 16:00:57 +0000 (19:00 +0300)]
OWE: Allow set of enabled DH groups to be limited on AP
The new hostapd configuration parameter owe_groups can be used to
specify a subset of the allowed DH groups as a space separated list of
group identifiers.
Jouni Malinen [Tue, 10 Oct 2017 15:26:29 +0000 (18:26 +0300)]
OWE: Allow DH Parameters element to be overridden for testing purposes
This allows CONFIG_TESTING_OPTIONS=y builds of wpa_supplicant to
override the OWE DH Parameters element in (Re)Association Request frames
with arbitrary data specified with the "VENDOR_ELEM_ADD 13 <IE>"
command. This is only for testing purposes.
Jouni Malinen [Mon, 9 Oct 2017 10:38:15 +0000 (13:38 +0300)]
OWE: Transition mode information based on BSS ifname
The owe_transition_bssid and owe_transition_ssid parameters can now be
replace with owe_transition_ifname to clone the BSSID/SSID information
automatically in case the same hostapd process manages both the OWE and
open BSS for transition mode.
Jouni Malinen [Mon, 9 Oct 2017 09:35:14 +0000 (12:35 +0300)]
OWE: Support station SME-in-driver case
Previously, only the SME-in-wpa_supplicant case was supported. This
extends that to cover the drivers that implement SME internally (e.g.,
through the cfg80211 Connect command).
Jouni Malinen [Sun, 8 Oct 2017 13:39:08 +0000 (16:39 +0300)]
OWE: Support DH groups 20 (NIST P-384) and 21 (NIST P-521) in station
This extends OWE support in wpa_supplicant to allow DH groups 20 and 21
to be used in addition to the mandatory group 19 (NIST P-256). The group
is configured using the new network profile parameter owe_group.
Jouni Malinen [Sun, 8 Oct 2017 10:49:45 +0000 (13:49 +0300)]
OWE: Include RSNE in (Re)Association Response frame
This is not normally done in RSN, but RFC 8110 seems to imply that AP
has to include OWE AKM in the RSNE within these frames. So, add the RSNE
to (Re)Association Response frames when OWE is being negotiated.
Jouni Malinen [Sun, 8 Oct 2017 09:29:33 +0000 (12:29 +0300)]
OWE: Set PMK length properly on supplicant side
sm->pmk_len was not set when deriving the PMK as part of OWE key
generation. This depending on wpa_sm_set_pmk_from_pmksa() call resetting
the value to the default. While this worked for many cases, this is not
correct and can have issues with network profile selection based on
association information. For example, the OWE transition mode cases
would hit an issue here.
hostapd: Update HE capabilities and HE operation definition
Replace vendor-specific elements for HE capabilities and HE operation
elements with the P802.11ax defined element values. This version is
based on P802.11ax/D1.4.
This adds new wpa_supplicant configuration parameters (go_interworking,
go_access_network_type, go_internet, go_venue_group, go_venue_type) to
add a possibility of configuring the P2P GO to advertise Interworking
element.
Add TX/RX rate info and signal strength into STA output
These allow external programs to fetch the TX and RX rate information
and signal strength for a specific STA through the hostapd control
interface command "STA <addr>". The values of these attributes are
filled in the response of nl80211 command NL80211_CMD_GET_STATION.
Signed-off-by: bhagavathi perumal s <bperumal@qti.qualcomm.com>
Lior David [Thu, 28 Sep 2017 18:55:09 +0000 (21:55 +0300)]
WPS: Do not increment wildcard_uuid when pin is locked
Commit 84751b98c151f70c322b6b7f70d967400e147852 ('WPS: Allow wildcard
UUID PIN to be used twice') relaxed the constraints on how many time a
wildcard PIN can be used to allow two attempts. However, it did this in
a way that could result in concurrent attempts resulting in the wildcard
PIN being invalidated even without the second attempt actually going as
far as trying to use the PIN and a WPS protocol run.
wildcard_uuid is a flag/counter set for wildcard PINs and it is
incremented whenever the PIN is retrieved by wps_registrar_get_pin().
Eventually it causes the wildcard PIN to be released, effectively
limiting the number of registration attempts with a wildcard PIN.
With the previous implementation, when the PIN is in use and locked
(PIN_LOCKED), it is not returned from wps_registrar_get_pin() but
wildcard_uuid is still incremented which can cause the PIN to be
released earlier and stations will have fewer registration attempts with
it. Fix this scenario by only incrementing wildcard_uuid if the PIN is
actually going to be returned and used.
Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
vamsi krishna [Thu, 31 Aug 2017 08:45:18 +0000 (14:15 +0530)]
OCE: Update default scan IEs when OCE is enabled/disabled
Update the default scan IEs when OCE is enabled/disabled to the
driver/firmware, so that the correct IEs will be sent out by the
driver/firmware in Probe Request frames.
Jouni Malinen [Sun, 1 Oct 2017 15:45:07 +0000 (18:45 +0300)]
tests: Update server and user certificates (2017)
The previous versions expired, so need to re-sign these to fix number of
the EAP test cases. In addition, add a shell script (update.sh) and the
needed CA files to automate this full update process.
Vendor flags for 11ax channel property flags for use with external ACS
Add 802.11ax channel property flags for use with external ACS (QCA
vendor command). Use the remaining available bits in
qca_wlan_vendor_channel_prop_flags for the first few 11ax flags. Then
add qca_wlan_vendor_channel_prop_flags_2 as a continuation of
qca_wlan_vendor_channel_prop_flags and add the remaining 11ax flags
there. Note that qca_wlan_vendor_channel_prop_flags_ext is not used
since it is currently not intended for holding such information. Rather
it is meant for holding additional control information related to
features such as DFS, CSA, etc.
Add group_mgmt network parameter for PMF cipher selection
The new wpa_supplicant network parameter group_mgmt can be used to
specify which group management ciphers (AES-128-CMAC, BIP-GMAC-128,
BIP-GMAC-256, BIP-CMAC-256) are allowed for the network. If not
specified, the current behavior is maintained (i.e., follow what the AP
advertises). The parameter can list multiple space separate ciphers.
Michael Braun [Thu, 17 Aug 2017 23:14:28 +0000 (01:14 +0200)]
PAE: Validate input before pointer
ieee802_1x_kay_decode_mkpdu() calls ieee802_1x_mka_i_in_peerlist()
before body_len has been checked on all segments.
ieee802_1x_kay_decode_mkpdu() and ieee802_1x_mka_i_in_peerlist() might
continue and thus underflow left_len even if it finds left_len to small
(or before checking).
Additionally, ieee802_1x_mka_dump_peer_body() might perform out of bound
reads in this case.
Fix this by checking left_len and aborting if too small early.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Vamsi Krishna [Wed, 30 Aug 2017 13:26:43 +0000 (18:56 +0530)]
FILS: Vendor attribute to disable driver FILS features
The FILS features on STA needs to be disabled for testing purposes to
verify the APUT behavior with non-FILS STAs. Add a QCA vendor attribute
for doing so.
TDLS: Update the comments related to TPK derivation
Update these comments based on IEEE Std 802.11-2016 to get rid of the
already resolved TODO comment regarding duplicated N_KEY use. The
implementation does not need any changes since it was already following
the fixed version in the current standard.
There was a race condition on the sequence where iface.AbortScan() is
immediately followed by iface.Scan(). If the driver event
(NL80211_CMD_SCAN_ABORTED) arrived after the following new scan request,
the D-Bus operation failed. This is not what this test case is trying to
check, so wait for an indication of the previous scan having terminated
properly before issuing the next scan.
FILS: Check req_ies for NULL pointer in hostapd_notif_assoc()
Add checking for NULL req_ies when FILS processing a driver ASSOC event
in hostapd_notif_assoc(). This was already done in number of old code
paths, but the newer FILS path did not handle this. Though, it is
unlikely that this code path would be reachable in practice since this
is all within sta->auth_alg == WLAN_AUTH_FILS_* check.
OpenSSL: Force RSA 3072-bit DH prime size limit for Suite B
Reject a DHE handshake if the server uses a DH prime that does not have
sufficient length to meet the Suite B 192-bit level requirement (<= 3k
(3072) bits).
OpenSSL: Add option to disable ECDHE with Suite B RSA
The hostapd.conf tls_flags=[SUITEB-NO-ECDH] and wpa_supplicant network
profile phase1="tls_suiteb_no_ecdh=1" can now be used to configure Suite
B RSA constraints with ECDHE disabled. This is mainly to allow
the DHE TLS cipher suite to be tested.
OpenSSL: Force RSA 3072-bit key size limit for Suite B
Reject a peer certificate chain if it includes an RSA public key that
does not use sufficient key length to meet the Suite B 192-bit level
requirement (<= 3k (3072) bits).
Suite B: Add tls_suiteb=1 parameter for RSA 3k key case
This adds phase1 parameter tls_suiteb=1 into wpa_supplicant
configuration to allow TLS library (only OpenSSL supported for now) to
use Suite B 192-bit level rules with RSA when using >= 3k (3072) keys.
Fix EAPOL-Key version check for a corner case with Suite B AKM
While the Suite B AKM is not really going to be used with CCMP-128 or
GCMP-128 cipher, this corner case could be fixed if it is useful for
some testing purposes. Allow that special case to skip the HMAC-SHA1
check based on CCMP/GCMP cipher and use the following AKM-defined check
instead.
FILS: Add DHss into FILS-Key-Data derivation when using FILS SK+PFS
This part is missing from IEEE Std 802.11ai-2016, but the lack of DHss
here means there would not be proper PFS for the case where PMKSA
caching is used with FILS SK+PFS authentication. This was not really the
intent of the FILS design and that issue was fixed during REVmd work
with the changes proposed in
https://mentor.ieee.org/802.11/dcn/17/11-17-0906-04-000m-fils-fixes.docx
that add DHss into FILS-Key-Data (and PTK, in practice) derivation for
the PMKSA caching case so that a unique ICK, KEK, and TK are derived
even when using the same PMK.
Note: This is not backwards compatible, i.e., this breaks PMKSA caching
with FILS SK+PFS if only STA or AP side implementation is updated.
FILS: Update PMKID derivation rules for ERP key hierarchy establishment
IEEE Std 802.11ai-2016 had missed a change in the Pairwise key hierarchy
clause (12.7.1.3 in IEEE Std 802.11-2016) and due to that, the previous
implementation ended up using HMAC-SHA-1 -based PMKID derivation. This
was not really the intent of the FILS design and that issue was fixed
during REVmd work with the changes proposed in
https://mentor.ieee.org/802.11/dcn/17/11-17-0906-04-000m-fils-fixes.docx
that change FILS cases to use HMAC-SHA-256 and HMAC-SHA-384 based on the
negotiated AKM.
Update the implementation to match the new design. This changes the
rsn_pmkid() function to take in the more generic AKMP identifier instead
of a boolean identifying whether SHA256 is used.
Note: This is not backwards compatible, i.e., this breaks PMKSA caching
based on the initial ERP key hierarchy setup if only STA or AP side
implementation is updated. PMKSA caching based on FILS authentication
exchange is not impacted by this, though.