Commit Graph

13851 Commits

Author SHA1 Message Date
Jouni Malinen
c3e4f40cd6 FT: Derive PMKR0Name/PMKR1Name using SHA-384 with AKM 00-0F-AC:13
The AKM 00-0F-AC:13 is supposed to use cryptographic algorithms
consistently, but the current IEEE 802.11 standard is not doing so for
the key names: PMKID (uses SHA-1), PMKR0Name/PMKR1Name (uses SHA-256).
The PMKID case was already implemented with SHA-384 and this commit
replaces use of SHA-256 with SHA-384 for PMKR0Name/PMKR1Name derivation
to be consistent in SHA-384. While this is not compliant with the
current IEEE 802.11 standard, this is clearly needed to meet CNSA Suite
requirements. Matching change is being proposed in REVmd to get the IEEE
802.11 standard to meet the use case requirements.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-06-06 23:59:46 +03:00
Jouni Malinen
fe102801f6 tests: SAE reauthentication
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-06-06 23:59:46 +03:00
Jouni Malinen
e8d08cf378 SAE: Do not drop STA entry on reauthentication in infrastructure BSS
A new SAE Commit message should not be allowed to drop an existing STA
entry since the sender of that Commit message cannot be authenticated
before receiving the Confirm message. This is important in particular
when PMF is used since this would provide a potential new path for
forcing a connection to be dropped.

Fix this by allowing a new SAE Authentication instance to be started
when the old instance is in Accepted state and the new Commit message
does not use the same peer-scalar value (checked in
sae_parse_commit_scalar()). When PMF is used, the AP will use SA Query
procedure when receiving the (Re)Association Request frame. In theory,
that step could be skipped in case of SAE Authentication since the
non-AP STA is demonstrating knowledge of the password. Anyway, there is
no allowance for that exception in the IEEE 802.11 standard, so at least
for now, leave this using SA Query procedure just like any other PMF
case.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-06-06 01:22:01 +03:00
Jouni Malinen
ffcaca68d3 tests: FT with different BIP algorithms
Signed-off-by: Jouni Malinen <j@w1.fi>
2018-06-05 21:50:36 +03:00
Jouni Malinen
ef13b33afc FT: Support BIP-CMAC-256, BIP-GMAC-128, BIP-GMAC-256 in STA case
wpa_supplicant was hardcoded to use BIP-CMAC-128 in FT protocol if PMF
was enabled. Extend that to allow the other BIP algorithms to be used as
well.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-06-05 21:50:36 +03:00
Jouni Malinen
ff168f8c23 FT: Support 256-bit IGTK in AP case
hostapd was hardcoded to use 128-bit IGTK in FT protocol (IGTK
subelement in FTE). Extend that to allow 256-bit IGTK (i.e.,
BIP-CMAC-256 and BIP-GMAC-256) to be used as well.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-06-05 21:50:36 +03:00
Jouni Malinen
2842987879 tests: FILS+FT with SHA384
Signed-off-by: Jouni Malinen <j@w1.fi>
2018-06-05 21:50:36 +03:00
Jouni Malinen
2cf36d6085 FT: Handle AssocResp generation failures as fatal errors
Instead of sending out a partially completed frame, abort the
association process if something unexpected happens and remove the STA
entry.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-06-05 21:50:36 +03:00
Jouni Malinen
c52626489a tests: Split ap_ft_ap_oom7 into separate test cases
The implementation changes in hostapd FT error path handling in the
follow commit would result in ap_ft_ap_oom7 test case failing. This is
triggered partially by PMF protections and SA Query attempts, so it
looks like it is easier to split each failure case into a separate test
case.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-06-05 21:50:01 +03:00
Jouni Malinen
657b4c45a9 FILS: Fix KEK2 use in FT-FILS use cases
When support for KCK2 and KEK2 was added, both keys were derived for
FT-FILS cases, but only KCK2 was actually used. Add similar changes to
use KEK2 to protect GTK/IGTK in FTE with using FT-FILS AKMs.

This fixes AES key wrapping to use the correct key. The change is not
backwards compatible.

Fixes: 2f37387812 ("FILS: Add more complete support for FT-FILS use cases")
Signed-off-by: Jouni Malinen <j@w1.fi>
2018-06-05 21:04:54 +03:00
Jouni Malinen
88bf44be42 FT: Fix potential NULL pointer dereference in MDE addition
The bss variable in this function might be NULL, so make the FT MDE
addition case conditional on a BSS entry being available.

Fixes: 3dc3afe298 ("FT: Add MDE to assoc request IEs in connect params")
Signed-off-by: Jouni Malinen <j@w1.fi>
2018-06-05 20:16:37 +03:00
Jouni Malinen
661afb2edd FT: Fix RRB error path handling
When building an RRB message, a failure in wpa_ft_rrb_lin() calls could
have resulted in trying to free an uninitialized pointer. Fix this by
initializing *packet to NULL before going through the initial steps.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-06-05 20:16:37 +03:00
Jouni Malinen
df3bf6870b FT: Debug print of IE parsing element details
This makes it easier to debug issues in processing FT frames.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-06-05 20:16:37 +03:00
Jouni Malinen
55b3cda775 tests: FT-EAP-SHA384
Signed-off-by: Jouni Malinen <j@w1.fi>
2018-06-05 20:16:37 +03:00
Jouni Malinen
d8e8c992cd FT: Add key management value FT-EAP-SHA384 for wpa_supplicant
This allows wpa_supplicant to be configuted to use the SHA384-based FT
AKM.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-06-05 20:16:37 +03:00
Jouni Malinen
c6f2eceb8b FT: Add key management value FT-EAP-SHA384 for hostapd
This allows hostapd to be configuted to use the SHA384-based FT AKM.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-06-05 20:16:37 +03:00
Jouni Malinen
3d9cd08410 FT: Add support for variable length PMK-R1 receiving in RRB
SHA384-based FT AKM uses longer keys, so the RRB receive processing for
push and pull response messages needs to be able to accept variable
length PMK-R1.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-06-05 20:16:37 +03:00
Jouni Malinen
a7968ea568 FT: FTE generation for SHA384-based AKM on AP
The MIC field is now a variable length field, so make FTE generation in
hostapd aware of the two different field lengths.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-06-05 20:16:37 +03:00
Jouni Malinen
06f1286607 FT: FTE generation for SHA384-based AKM on STA
The MIC field is now a variable length field, so make FTE generation in
wpa_supplicant aware of the two different field lengths.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-06-05 20:16:37 +03:00
Jouni Malinen
9a33737a0b FT: FTE parsing for SHA384-based AKM
The MIC field is now a variable length field, so make the FTE parser
aware of the two different field lengths.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-06-05 19:29:53 +03:00
Jouni Malinen
8c2715b358 FT: Connection settings for SHA384-based AKM
Extend wpa_supplicant to allow SHA384-based FT AKM to be selected for a
connection.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-06-05 19:29:53 +03:00
Jouni Malinen
994eac7e61 FT: PMK-R0 derivation using SHA384-based AKM
Signed-off-by: Jouni Malinen <j@w1.fi>
2018-06-05 19:29:53 +03:00
Jouni Malinen
1655e81c97 FT: PMKID derivation using SHA384-based AKM
Signed-off-by: Jouni Malinen <j@w1.fi>
2018-06-05 19:29:53 +03:00
Jouni Malinen
40a2eb1164 FT: PTK derivation using SHA384-based AKM
Signed-off-by: Jouni Malinen <j@w1.fi>
2018-06-05 19:29:53 +03:00
Jouni Malinen
7880a6a2b8 FT: PMK-R1 derivation using SHA384-based AKM
Signed-off-by: Jouni Malinen <j@w1.fi>
2018-06-05 19:29:52 +03:00
Jouni Malinen
b327026a72 FT: FTE MIC calculation using SHA384-based AKM
Signed-off-by: Jouni Malinen <j@w1.fi>
2018-06-05 19:29:52 +03:00
Jouni Malinen
c49a9d6b99 FT: EAPOL-Key MIC calculation using SHA384-based AKM
Signed-off-by: Jouni Malinen <j@w1.fi>
2018-06-05 19:29:52 +03:00
Jouni Malinen
9f12271b2a FT: XXKey derivation for SHA384-based AKM
XXKey is the first 384 bits of MSK when using the SHA384-based FT AKM.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-06-05 19:29:52 +03:00
Jouni Malinen
a3e18dbb6a FT: Support variable length keys
This is a step in adding support for SHA384-based FT AKM.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-06-05 19:29:52 +03:00
Jouni Malinen
c22bb5bba6 FT: SHA384-based AKM in RSNE processing
This defines key lengths for SHA384-based FT AKM and handles writing and
parsing for RSNE AKMs with the new value.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-06-05 01:11:41 +03:00
Jouni Malinen
3a11c69e0d EAP-TLS: Derive Session-Id using TLS-Exporter when TLS v1.3 is used
This updates Session-Id derivation with TLS v1.3 per
draft-ietf-emu-eap-tls13-00.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-06-01 17:58:56 +03:00
Jouni Malinen
925584689b tests: ERP enabled on RADIUS server and peer using EAP-TLS v1.3
Signed-off-by: Jouni Malinen <j@w1.fi>
2018-06-01 17:53:10 +03:00
Jouni Malinen
2d26434ac7 EAP-TLS server: Fix EMSK derivation with TLS v1.3
The new label string for TLS-Exporter was taken into use for MSK
derivation, but it was missed from EMSK deriation in the server side
implementation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-06-01 17:52:18 +03:00
Jouni Malinen
f8aed720e4 EAP-TLS: Update key derivation label per draft-ietf-emu-eap-tls13-00
The label strings used for deriving Key_Material with TLS v1.3 were
changed, so update the implementation to match the new values.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-06-01 17:41:59 +03:00
Sven Eckelmann
20c2ea412a wpa_supplicant: Fix parsing of max_oper_chwidth
The max_oper_chwidth is parsed in wpa_config_set as INT_RANGE (see
ssid_fields). The actual parsing for INT_RANGE is done by
wpa_config_parse_int which can only store the result as full integer.

max_oper_chwidth is stored as u8 (a single byte) in wpa_ssid. This means
that on little endian systems, the least significant byte of the parsed
value are really stored in the max_oper_chwidth. But on big endian
system, the only most significant byte is stored as max_oper_chwidth.
This means that 0 is always stored because the provided range doesn't
allow any other value for systems with multi-byte-wide integers.

This also means that for common systems with 4-byte-wide integers, the
remaining 3 bytes were written after the actual member of the struct.
This should not have influenced the behavior of succeeding members
because these bytes would have been part of the padding between the
members on most systems.

Increasing its size to a full int fixes the write operations outside of
the member and allows to use the max_oper_chwidth setting on big endian
systems.

Fixes: 0f29bc68d1 ("IBSS/mesh: Add support for VHT80P80 configuration")
Signed-off-by: Sven Eckelmann <sven.eckelmann@openmesh.com>
2018-05-31 16:14:28 +03:00
Jouni Malinen
13f69792b0 tests: Update mesh_oom to match implementation change
The initial direct allocation within wpa_supplicant_mesh_init() was
removed.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-05-31 16:14:28 +03:00
Felix Fietkau
8fd29a0439 mesh: Fix crash with CONFIG_TAXONOMY enabled
wpa_s->ifmsh needs to be allocated using hostapd_alloc_iface() instead
of a direct call to os_zalloc(), otherwise the linked list for station
taxonomy items remains uninitialized, leading to a crash on the first
attempt to traverse that list

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-05-31 13:06:07 +03:00
Mikael Kanstrup
8518326b22 Add some missing driver flags strings
New WPA_DRIVER_FLAGS have been added but corresponding lookup
strings for driver_flags command were never added. Add the
missing strings.

Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sony.com>
2018-05-31 13:03:54 +03:00
Jouni Malinen
5fb016a219 tests: WNM Time Advertisement without time zone configuration
This is a regression test for a segfault in hostapd.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-05-31 12:55:49 +03:00
Markus Theil
b375b04b67 WNM: Fix time_zone advertisement without time_zone configuration
If time_advertisement=2 is included in hostapd configuration, but
time_zone is unset, the previous implementation tried to write the Time
Zone element into management frames. This resulted in segmentation fault
when trying to dereference a NULL pointer. Fix that by skipping addition
of this element when time_zone parameter is not set.

Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
2018-05-31 12:53:43 +03:00
Peter Oh
0928b62944 nl80211: Allow mesh interface to send channel switch request
Add mesh type to nl80211 channel switch request, so mesh is able to send
the request to kernel drivers.

Signed-off-by: Peter Oh <peter.oh@bowerswilkins.com>
2018-05-31 12:16:03 +03:00
Jouni Malinen
64224d5871 tests: Hotspot 2.0 OSEN-single-SSID connection
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-05-29 23:34:22 +03:00
Jouni Malinen
f5a602168f HS 2.0: Allow OSEN connection to be used in an RSN BSS
This allows a single BSS/SSID to be used for both data connection and
OSU. In wpa_supplicant configuration, the current proto=OSEN
key_mgmt=OSEN combination is now allowing both the old separate OSEN
BSS/IE and the new RSN-OSEN to be used.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-05-29 23:34:22 +03:00
Jouni Malinen
8d660a4bac HS 2.0: Allow OSEN connection to be enabled in an RSN BSS
This allows a single BSS/SSID to be used for both data connection and
OSU. Instead of hostapd configuration osen=1, wpa_key_mgmt=OSEN (or more
likely, wpa_key_mgmt=WPA-EAP OSEN) is used to enable this new option.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-05-29 23:34:22 +03:00
xiaofeis
0fe3ede0a4 macsec_qca: Fix byte order of TX SCI port
Before calling HW macsec driver API, be_to_host16() should be used to
reverse the SCI port byte order. This was broken as part of the mka API
changes.

Fixes: 8ebfc7c2ba ("mka: Pass full structures down to macsec drivers' transmit SC ops")
Signed-off-by: xiaofeis <xiaofeis@codeaurora.org>
2018-05-28 22:17:58 +03:00
Jouni Malinen
5e597ed9f0 tests: EAP-pwd with salted passwords
Signed-off-by: Jouni Malinen <j@w1.fi>
2018-05-28 22:15:20 +03:00
Dan Harkins
22ac3dfebf EAP-pwd: Mask timing of PWE derivation
Run through the hunting-and-pecking loop 40 times to mask the time
necessary to find PWE. The odds of PWE not being found in 40 loops is
roughly 1 in 1 trillion.

Signed-off-by: Dan Harkins <dharkins@lounge.org>
2018-05-28 22:15:15 +03:00
Dan Harkins
b8acd50114 EAP-pwd peer: Add SHA512 hash based salt mechanism
Signed-off-by: Dan Harkins <dharkins@lounge.org>
2018-05-28 22:09:20 +03:00
Dan Harkins
fb3675848c EAP-pwd peer: Add SHA256 hash based salt mechanism
Signed-off-by: Dan Harkins <dharkins@lounge.org>
2018-05-28 22:09:20 +03:00
Dan Harkins
7ef8adc7d8 EAP-pwd peer: Add SHA-1 hash based salt mechanism
Signed-off-by: Dan Harkins <dharkins@lounge.org>
2018-05-28 22:09:20 +03:00