Amazing-Mirror/fragattacks
1
0
Fork 0
mirror of https://github.com/vanhoefm/fragattacks.git synced 2025-01-18 10:54:03 -05:00
Code Issues Projects Releases Wiki Activity

SAE: Special test mode sae_pwe=3 for looping with password identifier

Browse Source 
The new sae_pwe=3 mode can be used to test non-compliant behavior with
SAE Password Identifiers. This can be used to force use of
hunting-and-pecking loop for PWE derivation when Password Identifier is
used. This is not allowed by the standard and as such, this
functionality is aimed at compliance testing.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This commit is contained in:
Jouni Malinen 2020-02-10 04:59:10 +02:00
parent d57349d4b8
commit 641d79f165
8 changed files with 15 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
src/ap/ap_config.c
View File

@ -442,6 +442,7 @@ int hostapd_setup_sae_pt(struct hostapd_bss_config *conf)
struct sae_password_entry *pw; struct sae_password_entry *pw;
if ((conf->sae_pwe == 0 && !hostapd_sae_pw_id_in_use(conf)) || if ((conf->sae_pwe == 0 && !hostapd_sae_pw_id_in_use(conf)) ||
conf->sae_pwe == 3 ||
!wpa_key_mgmt_sae(conf->wpa_key_mgmt)) !wpa_key_mgmt_sae(conf->wpa_key_mgmt))
return 0; /* PT not needed */ return 0; /* PT not needed */

8
src/ap/ieee802_11.c
View File

@ -101,6 +101,7 @@ u8 * hostapd_eid_supp_rates(struct hostapd_data *hapd, u8 *eid)
num++; num++;
h2e_required = (hapd->conf->sae_pwe == 1 || h2e_required = (hapd->conf->sae_pwe == 1 ||
hostapd_sae_pw_id_in_use(hapd->conf) == 2) && hostapd_sae_pw_id_in_use(hapd->conf) == 2) &&
hapd->conf->sae_pwe != 3 &&
wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt); wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt);
if (h2e_required) if (h2e_required)
num++; num++;
@ -155,6 +156,7 @@ u8 * hostapd_eid_ext_supp_rates(struct hostapd_data *hapd, u8 *eid)
num++; num++;
h2e_required = (hapd->conf->sae_pwe == 1 || h2e_required = (hapd->conf->sae_pwe == 1 ||
hostapd_sae_pw_id_in_use(hapd->conf) == 2) && hostapd_sae_pw_id_in_use(hapd->conf) == 2) &&
hapd->conf->sae_pwe != 3 &&
wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt); wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt);
if (h2e_required) if (h2e_required)
num++; num++;
@ -456,7 +458,7 @@ static struct wpabuf * auth_build_sae_commit(struct hostapd_data *hapd,
use_pt = sta->sae->tmp->h2e; use_pt = sta->sae->tmp->h2e;
} }
if (rx_id) if (rx_id && hapd->conf->sae_pwe != 3)
use_pt = 1; use_pt = 1;
else if (status_code == WLAN_STATUS_SUCCESS) else if (status_code == WLAN_STATUS_SUCCESS)
use_pt = 0; use_pt = 0;
@ -1079,12 +1081,12 @@ static int sae_status_success(struct hostapd_data *hapd, u16 status_code)
int id_in_use; int id_in_use;
id_in_use = hostapd_sae_pw_id_in_use(hapd->conf); id_in_use = hostapd_sae_pw_id_in_use(hapd->conf);
if (id_in_use == 2) if (id_in_use == 2 && sae_pwe != 3)
sae_pwe = 1; sae_pwe = 1;
else if (id_in_use == 1 && sae_pwe == 0) else if (id_in_use == 1 && sae_pwe == 0)
sae_pwe = 2; sae_pwe = 2;
return (sae_pwe == 0 && return ((sae_pwe == 0 || sae_pwe == 3) &&
status_code == WLAN_STATUS_SUCCESS) || status_code == WLAN_STATUS_SUCCESS) ||
(sae_pwe == 1 && (sae_pwe == 1 &&
status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT) || status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT) ||

1
src/ap/ieee802_11_shared.c
View File

@ -1016,6 +1016,7 @@ u8 * hostapd_eid_rsnxe(struct hostapd_data *hapd, u8 *eid, size_t len)
!wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt) || !wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt) ||
(hapd->conf->sae_pwe != 1 && hapd->conf->sae_pwe != 2 && (hapd->conf->sae_pwe != 1 && hapd->conf->sae_pwe != 2 &&
!hostapd_sae_pw_id_in_use(hapd->conf)) || !hostapd_sae_pw_id_in_use(hapd->conf)) ||
hapd->conf->sae_pwe == 3 ||
len < 3) len < 3)
return pos; return pos;

2
src/ap/wpa_auth_glue.c
View File

@ -158,7 +158,7 @@ static void hostapd_wpa_auth_conf(struct hostapd_bss_config *conf,
#endif /* CONFIG_FILS */ #endif /* CONFIG_FILS */
wconf->sae_pwe = conf->sae_pwe; wconf->sae_pwe = conf->sae_pwe;
sae_pw_id = hostapd_sae_pw_id_in_use(conf); sae_pw_id = hostapd_sae_pw_id_in_use(conf);
if (sae_pw_id == 2) if (sae_pw_id == 2 && wconf->sae_pwe != 3)
wconf->sae_pwe = 1; wconf->sae_pwe = 1;
else if (sae_pw_id == 1 && wconf->sae_pwe == 0) else if (sae_pw_id == 1 && wconf->sae_pwe == 0)
wconf->sae_pwe = 2; wconf->sae_pwe = 2;

2
wpa_supplicant/config.c
View File

@ -4999,7 +4999,7 @@ static const struct global_parse_data global_fields[] = {
{ INT(okc), 0 }, { INT(okc), 0 },
{ INT(pmf), 0 }, { INT(pmf), 0 },
{ FUNC(sae_groups), 0 }, { FUNC(sae_groups), 0 },
{ INT_RANGE(sae_pwe, 0, 2), 0 }, { INT_RANGE(sae_pwe, 0, 3), 0 },
{ INT_RANGE(sae_pmkid_in_assoc, 0, 1), 0 }, { INT_RANGE(sae_pmkid_in_assoc, 0, 1), 0 },
{ INT(dtim_period), 0 }, { INT(dtim_period), 0 },
{ INT(beacon_int), 0 }, { INT(beacon_int), 0 },

1
wpa_supplicant/events.c
View File

@ -1301,6 +1301,7 @@ struct wpa_ssid * wpa_scan_res_match(struct wpa_supplicant *wpa_s,
#ifdef CONFIG_SAE #ifdef CONFIG_SAE
if ((wpa_s->conf->sae_pwe == 1 || ssid->sae_password_id) && if ((wpa_s->conf->sae_pwe == 1 || ssid->sae_password_id) &&
wpa_s->conf->sae_pwe != 3 &&
wpa_key_mgmt_sae(ssid->key_mgmt) && wpa_key_mgmt_sae(ssid->key_mgmt) &&
(!(ie = wpa_bss_get_ie(bss, WLAN_EID_RSNX)) || (!(ie = wpa_bss_get_ie(bss, WLAN_EID_RSNX)) ||
ie[1] < 1 || ie[1] < 1 ||

3
wpa_supplicant/sme.c
View File

@ -131,7 +131,7 @@ static struct wpabuf * sme_auth_build_sae_commit(struct wpa_supplicant *wpa_s,
return NULL; return NULL;
} }
if (ssid->sae_password_id) if (ssid->sae_password_id && wpa_s->conf->sae_pwe != 3)
use_pt = 1; use_pt = 1;
if (use_pt || wpa_s->conf->sae_pwe == 1 || wpa_s->conf->sae_pwe == 2) { if (use_pt || wpa_s->conf->sae_pwe == 1 || wpa_s->conf->sae_pwe == 2) {
@ -146,6 +146,7 @@ static struct wpabuf * sme_auth_build_sae_commit(struct wpa_supplicant *wpa_s,
} }
if ((wpa_s->conf->sae_pwe == 1 || ssid->sae_password_id) && if ((wpa_s->conf->sae_pwe == 1 || ssid->sae_password_id) &&
wpa_s->conf->sae_pwe != 3 &&
!use_pt) { !use_pt) {
wpa_printf(MSG_DEBUG, wpa_printf(MSG_DEBUG,
"SAE: Cannot use H2E with the selected AP"); "SAE: Cannot use H2E with the selected AP");

5
wpa_supplicant/wpa_supplicant.c
View File

@ -1618,7 +1618,7 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s,
wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_OCV, ssid->ocv); wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_OCV, ssid->ocv);
#endif /* CONFIG_OCV */ #endif /* CONFIG_OCV */
sae_pwe = wpa_s->conf->sae_pwe; sae_pwe = wpa_s->conf->sae_pwe;
if (ssid->sae_password_id) if (ssid->sae_password_id && sae_pwe != 3)
sae_pwe = 1; sae_pwe = 1;
wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_SAE_PWE, sae_pwe); wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_SAE_PWE, sae_pwe);
@ -1996,7 +1996,8 @@ static void wpa_s_setup_sae_pt(struct wpa_config *conf, struct wpa_ssid *ssid)
if (!password) if (!password)
password = ssid->passphrase; password = ssid->passphrase;
if ((conf->sae_pwe == 0 && !ssid->sae_password_id) || !password) { if ((conf->sae_pwe == 0 && !ssid->sae_password_id) || !password ||
conf->sae_pwe == 3) {
/* PT derivation not needed */ /* PT derivation not needed */
sae_deinit_pt(ssid->pt); sae_deinit_pt(ssid->pt);
ssid->pt = NULL; ssid->pt = NULL;