aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Add testing functionality for resetting PN/IPN for configured keysJouni Malinen2017-10-168-0/+184
| | | | | | | | | | | | | This can be used to test replay protection. The "RESET_PN" command in wpa_supplicant and "RESET_PN <addr>" command in hostapd resets the local counters to zero for the last configured key. For hostapd, the address parameter specifies which STA this operation is for or selects GTK ("ff:ff:ff:ff:ff:ff") or IGTK ("ff:ff:ff:ff:ff:ff IGTK"). This functionality is for testing purposes and included only in builds with CONFIG_TESTING_OPTIONS=y. Signed-off-by: Jouni Malinen <j@w1.fi>
* tests: Comment out during-association TK-in-memory checksJouni Malinen2017-10-165-10/+10
| | | | | | | TK needs to be maintained in memory for additional testing functionality, so for now, comment out these checks. Signed-off-by: Jouni Malinen <j@w1.fi>
* wlantest: Do not update RSC on replaysJouni Malinen2017-10-161-2/+8
| | | | | | | | | | | This changes wlantest behavior to mark CCMP/TKIP replays for more cases in case a device is resetting its TSC. Previously, the RSC check got cleared on the first marked replay and the following packets were not marked as replays if they continued incrementing the PN even if that PN was below the highest value received with this key at some point in the past. Signed-off-by: Jouni Malinen <j@w1.fi>
* Clear PMK length and check for this when deriving PTKJouni Malinen2017-10-152-3/+9
| | | | | | | | | Instead of setting the default PMK length for the cleared PMK, set the length to 0 and explicitly check for this when deriving PTK to avoid unexpected key derivation with an all-zeroes key should it be possible to somehow trigger PTK derivation to happen before PMK derivation. Signed-off-by: Jouni Malinen <j@w1.fi>
* Add debug prints on PMK configuration in WPA supplicantJouni Malinen2017-10-151-0/+6
| | | | | | | This makes it easier to understand the cases where PMK gets configured based on information from upper layer call (e.g., a PSK). Signed-off-by: Jouni Malinen <j@w1.fi>
* WPA: Extra defense against PTK reinstalls in 4-way handshakeMathy Vanhoef2017-10-151-0/+8
| | | | | | | | | | | Currently, reinstallations of the PTK are prevented by (1) assuring the same TPTK is only set once as the PTK, and (2) that one particular PTK is only installed once. This patch makes it more explicit that point (1) is required to prevent key reinstallations. At the same time, this patch hardens wpa_supplicant such that future changes do not accidentally break this property. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* tests: 4-way handshake msg 3/4 replay with extra msg 1/4Jouni Malinen2017-10-151-0/+293
| | | | Signed-off-by: Jouni Malinen <j@w1.fi>
* Remove all PeerKey functionalityJouni Malinen2017-10-1545-2092/+43
| | | | | | | | | | | | | | | | | | | | | | | | This was originally added to allow the IEEE 802.11 protocol to be tested, but there are no known fully functional implementations based on this nor any known deployments of PeerKey functionality. Furthermore, PeerKey design in the IEEE Std 802.11-2016 standard has already been marked as obsolete for DLS and it is being considered for complete removal in REVmd. This implementation did not really work, so it could not have been used in practice. For example, key configuration was using incorrect algorithm values (WPA_CIPHER_* instead of WPA_ALG_*) which resulted in mapping to an invalid WPA_ALG_* value for the actual driver operation. As such, the derived key could not have been successfully set for the link. Since there are bugs in this implementation and there does not seem to be any future for the PeerKey design with DLS (TDLS being the future for DLS), the best approach is to simply delete all this code to simplify the EAPOL-Key handling design and to get rid of any potential issues if these code paths were accidentially reachable. Signed-off-by: Jouni Malinen <j@w1.fi>
* tests: Remove peerkey testingJouni Malinen2017-10-152-207/+0
| | | | | | This is in preparation of complete removal of the PeerKey functionality. Signed-off-by: Jouni Malinen <j@w1.fi>
* FILS: Do not allow multiple (Re)Association Response framesJouni Malinen2017-10-151-0/+6
| | | | | | | | | | | | The driver is expected to not report a second association event without the station having explicitly request a new association. As such, this case should not be reachable. However, since reconfiguring the same pairwise or group keys to the driver could result in nonce reuse issues, be extra careful here and do an additional state check to avoid this even if the local driver ends up somehow accepting an unexpected (Re)Association Response frame. Signed-off-by: Jouni Malinen <j@w1.fi>
* tests: Fix wnm_action_proto_no_pmf to have active WNM_SLEEP operationJouni Malinen2017-10-151-0/+5
| | | | | | | | The previous designed worked since wpa_supplicant did not track pending request state. With such tracking added, this test case needs to make sure there is a pending operation when injecting the invalid response. Signed-off-by: Jouni Malinen <j@w1.fi>
* tests: Delayed EAPOL-Key msg 3/4 replaying attackJouni Malinen2017-10-151-0/+75
| | | | | | | This hits the new wpa_supplicant code path that rejects reconfiguration of the same GTK. Signed-off-by: Jouni Malinen <j@w1.fi>
* tests: Replayed FILS association requestJouni Malinen2017-10-151-0/+91
| | | | Signed-off-by: Jouni Malinen <j@w1.fi>
* FILS: Accept another (Re)Association Request frame during an associationJouni Malinen2017-10-154-2/+23
| | | | | | | | | | | | | | | | The previous implementation ended up starting a new EAPOL-Key 4-way handshake if the STA were to attempt to perform another association. This resulted in immediate disconnection since the PTK was not ready for configuring FILS TK at the point when EAPOL-Key msg 1/4 is sent out. This is better than alloing the association to continue with the same TK reconfigured, but not really ideal. Address this potential sequence by not starting a new 4-way handshake on the additional association attempt. Instead, allow the association to complete, but do so without reconfiguring the TK to avoid potential issues with PN reuse with the same TK. Signed-off-by: Jouni Malinen <j@w1.fi>
* tests: Allow wpa_supplicant to maintain GTK in memory during associationJouni Malinen2017-10-155-15/+10
| | | | | | | This is needed to allow GTK configuration triggers to verify whether the key has changed. Signed-off-by: Jouni Malinen <j@w1.fi>
* tests: WPA2-PSK-FT AP and replayed Reassociation Request frameJouni Malinen2017-10-151-0/+87
| | | | Signed-off-by: Jouni Malinen <j@w1.fi>
* Add MGMT_TX_STATUS_PROCESS command for testing purposesJouni Malinen2017-10-152-2/+75
| | | | | | | | This allows ext_mgmt_frame_handling=1 cases with hostapd to process TX status events based on external processing. This is useful for increased test coverage of management frame processing. Signed-off-by: Jouni Malinen <j@w1.fi>
* FT: Do not allow multiple Reassociation Response framesJouni Malinen2017-10-153-0/+12
| | | | | | | | | | | | The driver is expected to not report a second association event without the station having explicitly request a new association. As such, this case should not be reachable. However, since reconfiguring the same pairwise or group keys to the driver could result in nonce reuse issues, be extra careful here and do an additional state check to avoid this even if the local driver ends up somehow accepting an unexpected Reassociation Response frame. Signed-off-by: Jouni Malinen <j@w1.fi>
* WNM: Ignore WNM-Sleep Mode Response without pending requestJouni Malinen2017-10-151-1/+3
| | | | | | | | | | | Commit 03ed0a52393710be6bdae657d1b36efa146520e5 ('WNM: Ignore WNM-Sleep Mode Response if WNM-Sleep Mode has not been used') started ignoring the response when no WNM-Sleep Mode Request had been used during the association. This can be made tighter by clearing the used flag when successfully processing a response. This adds an additional layer of protection against unexpected retransmissions of the response frame. Signed-off-by: Jouni Malinen <j@w1.fi>
* TDLS: Reject TPK-TK reconfigurationJouni Malinen2017-10-151-2/+36
| | | | | | | | | | | | | | | | | | | Do not try to reconfigure the same TPK-TK to the driver after it has been successfully configured. This is an explicit check to avoid issues related to resetting the TX/RX packet number. There was already a check for this for TPK M2 (retries of that message are ignored completely), so that behavior does not get modified. For TPK M3, the TPK-TK could have been reconfigured, but that was followed by immediate teardown of the link due to an issue in updating the STA entry. Furthermore, for TDLS with any real security (i.e., ignoring open/WEP), the TPK message exchange is protected on the AP path and simple replay attacks are not feasible. As an additional corner case, make sure the local nonce gets updated if the peer uses a very unlikely "random nonce" of all zeros. Signed-off-by: Jouni Malinen <j@w1.fi>
* Fix PTK rekeying to generate a new ANonceJouni Malinen2017-10-151-3/+21
| | | | | | | | | | | | | The Authenticator state machine path for PTK rekeying ended up bypassing the AUTHENTICATION2 state where a new ANonce is generated when going directly to the PTKSTART state since there is no need to try to determine the PMK again in such a case. This is far from ideal since the new PTK would depend on a new nonce only from the supplicant. Fix this by generating a new ANonce when moving to the PTKSTART state for the purpose of starting new 4-way handshake to rekey PTK. Signed-off-by: Jouni Malinen <j@w1.fi>
* Prevent installation of an all-zero TKMathy Vanhoef2017-10-153-4/+4
| | | | | | | | | | | | | | Properly track whether a PTK has already been installed to the driver and the TK part cleared from memory. This prevents an attacker from trying to trick the client into installing an all-zero TK. This fixes the earlier fix in commit ad00d64e7d8827b3cebd665a0ceb08adabf15e1e ('Fix TK configuration to the driver in EAPOL-Key 3/4 retry case') which did not take into account possibility of an extra message 1/4 showing up between retries of message 3/4. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* Extend protection of GTK/IGTK reinstallation of WNM-Sleep Mode casesJouni Malinen2017-10-152-16/+41
| | | | | | | | | | This extends the protection to track last configured GTK/IGTK value separately from EAPOL-Key frames and WNM-Sleep Mode frames to cover a corner case where these two different mechanisms may get used when the GTK/IGTK has changed and tracking a single value is not sufficient to detect a possible key reconfiguration. Signed-off-by: Jouni Malinen <j@w1.fi>
* Prevent reinstallation of an already in-use group keyMathy Vanhoef2017-10-153-45/+88
| | | | | | | | | | Track the current GTK and IGTK that is in use and when receiving a (possibly retransmitted) Group Message 1 or WNM-Sleep Mode Response, do not install the given key if it is already in use. This prevents an attacker from trying to trick the client into resetting or lowering the sequence counter associated to the group key. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* hostapd: Avoid key reinstallation in FT handshakeMathy Vanhoef2017-10-155-4/+37
| | | | | | | | | | | | | | | | | | Do not reinstall TK to the driver during Reassociation Response frame processing if the first attempt of setting the TK succeeded. This avoids issues related to clearing the TX/RX PN that could result in reusing same PN values for transmitted frames (e.g., due to CCM nonce reuse and also hitting replay protection on the receiver) and accepting replayed frames on RX side. This issue was introduced by the commit 0e84c25434e6a1f283c7b4e62e483729085b78d2 ('FT: Fix PTK configuration in authenticator') which allowed wpa_ft_install_ptk() to be called multiple times with the same PTK. While the second configuration attempt is needed with some drivers, it must be done only if the first attempt failed. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* tests: sigma_dut ap_get_mac_addressJouni Malinen2017-10-111-0/+7
| | | | Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* OWE: Remove forgotten developer debug printsJouni Malinen2017-10-111-6/+0
| | | | | | | These were used during initial implementation testing and were not supposed to get committed. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* tests: sigma_dut SAE and long passwordJouni Malinen2017-10-111-0/+46
| | | | Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* tests: SAE with sae_passwordJouni Malinen2017-10-112-1/+45
| | | | Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* SAE: Allow SAE password to be configured separately (STA)Jouni Malinen2017-10-118-6/+39
| | | | | | | | | The new sae_password network profile parameter can now be used to set the SAE password instead of the previously used psk parameter. This allows shorter than 8 characters and longer than 63 characters long passwords to be used. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* SAE: Allow SAE password to be configured separately (AP)Jouni Malinen2017-10-115-3/+21
| | | | | | | | | | | The new sae_password hostapd configuration parameter can now be used to set the SAE password instead of the previously used wpa_passphrase parameter. This allows shorter than 8 characters and longer than 63 characters long passwords to be used. In addition, this makes it possible to configure a BSS with both WPA-PSK and SAE enabled to use different passphrase/password based on which AKM is selected. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* P2P: Do not mark DFS channel as invalid if DFS is offloaded to driverSunil Dutt2017-10-111-2/+6
| | | | | | | | While considering the movement of P2P GO from its current operating channel, do not mark a DFS channel as invalid if DFS is offloaded to the driver. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Fix static analyzer warnings in key generation and JWK constructionJouni Malinen2017-10-111-3/+4
| | | | | | | | Memory allocation failures could have resulted in error paths that dereference a NULL pointer or double-freeing memory. Fix this by explicitly clearing the freed pointer and checking allocation results. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* P2P: Prefer 5/60 GHz band over 2.4 GHz during GO configurationSunil Dutt2017-10-111-24/+24
| | | | | | | | | | | | | | | | | | Previously, wpas_p2p_select_go_freq_no_pref() ended up selecting a 2.4 GHz band channel first before even considering 5 or 60 GHz channels. This was likely done more or less by accident rather than by design when the 5 GHz and 60 GHz band extensions were added. It seems reasonable to enhance this by reordering the code to start with 5 and 60 GHz operating classes and move to 2.4 GHz band only if no channel was available in 5 or 60 GHz bands for P2P GO use. This does have some potential interop issues with 2.4 GHz only peer devices when starting up an autonomous GO (i.e., without there being prior knowledge of channels that the peers support). Upper layers are expected to enforce 2.4 GHz selection if that is needed for some use cases. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* tests: Add the forgotten files for owe_transition_mode_multi_bssJouni Malinen2017-10-112-0/+28
| | | | Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* tests: sigma_dut controlled AP with OWE and transition modeJouni Malinen2017-10-101-0/+23
| | | | Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* tests: sigma_dut controlled AP with OWE and ECGroupIDJouni Malinen2017-10-101-1/+36
| | | | Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* tests: Opportunistic Wireless Encryption and limited group setJouni Malinen2017-10-101-0/+28
| | | | Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* OWE: Allow set of enabled DH groups to be limited on APJouni Malinen2017-10-105-1/+46
| | | | | | | | The new hostapd configuration parameter owe_groups can be used to specify a subset of the allowed DH groups as a space separated list of group identifiers. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* tests: sigma_dut OWE with invalid DH Param elementJouni Malinen2017-10-101-0/+14
| | | | Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* tests: Opportunistic Wireless Encryption and unsupported groupJouni Malinen2017-10-101-0/+31
| | | | Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* OWE: Allow DH Parameters element to be overridden for testing purposesJouni Malinen2017-10-103-0/+41
| | | | | | | | | This allows CONFIG_TESTING_OPTIONS=y builds of wpa_supplicant to override the OWE DH Parameters element in (Re)Association Request frames with arbitrary data specified with the "VENDOR_ELEM_ADD 13 <IE>" command. This is only for testing purposes. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* tests: Remove op_cl and ch_list from DPPJouni Malinen2017-10-091-1/+1
| | | | | | These were removed from the protocol. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Add the crypto suite field to the framesJouni Malinen2017-10-093-13/+26
| | | | | | | This additional field was added to DPP Public Action frames in DPP tech spec v0.2.3 to support cryptographic agility in the future. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* tests: Remove DPP C-sign-key expiry testingJouni Malinen2017-10-091-7/+1
| | | | | | This was removed from the protocol. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Remove C-sign-key expiryJouni Malinen2017-10-099-95/+6
| | | | | | This was removed in DPP tech spec v0.2.3. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Explicitly delete the PKEX secret element K upon generation of zJouni Malinen2017-10-091-8/+15
| | | | | | This was added as an explicit requirement in DPP tech spec 0.2.3. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Rename PKEX secret element from Z to KJouni Malinen2017-10-091-24/+24
| | | | | | | This matches the change in the DPP tech spec to make this less likely to be confused with the shared secret z. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Verify that PKEX Qi is not the point-at-infinityJouni Malinen2017-10-091-0/+4
| | | | | | This was added as an explicit requirement in DPP tech spec v0.2.3. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* tests: sigma_dut with OWEJouni Malinen2017-10-091-0/+66
| | | | Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>