aboutsummaryrefslogtreecommitdiffstats
path: root/src/rsn_supp
Commit message (Collapse)AuthorAgeFilesLines
* Fix or supress various sparse warningsJohannes Berg2017-01-291-1/+2
| | | | Signed-off-by: Johannes Berg <johannes.berg@intel.com>
* FILS: Allow FILS HLP requests to be addedJouni Malinen2017-01-292-4/+40
| | | | | | | | | | | | The new wpa_supplicant control interface commands FILS_HLP_REQ_FLUSH and FILS_HLP_REQ_ADD can now be used to request FILS HLP requests to be added to the (Re)Association Request frame whenever FILS authentication is used. FILS_HLP_REQ_ADD parameters use the following format: <destination MAC address> <hexdump of payload starting from ethertype> Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* FILS: Fix PMK and PMKID derivation from ERPJouni Malinen2017-01-132-4/+33
| | | | | | | | | | | This adds helper functions for deriving PMK and PMKID from ERP exchange in FILS shared key authentication as defined in IEEE Std 802.11ai-2016, 12.12.2.5.2 (PMKSA key derivation with FILS authentication). These functions is used to fix PMK and PMKID derivation which were previously using the rMSK directly as PMK instead of following the FILS protocol to derive PMK with HMAC from nonces and rMSK. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Remove trailing whitespaceJouni Malinen2016-12-281-1/+1
| | | | Signed-off-by: Jouni Malinen <j@w1.fi>
* PeerKey: Fix STK 4-way handshake regressionJouni Malinen2016-12-181-2/+5
| | | | | | | | | | | | | | | Commit c93b7e18885b07bf198e230019185b50ed622d9f ('RSN: Check result of EAPOL-Key frame send request') forgot to update two PeerKey users of EAPOL-Key TX functions. That resulted in STK handshake failing since message 2/4 and 4/4 TX calls were assumed to have failed when the return value was changed from 0 to a positive value for success case. This resulted in not updating nonce information properly and hitting following error when processing STK 4-way handshake message 3/4: RSN: INonce from message 1 of STK 4-Way Handshake differs from 3 of STK 4-Way Handshake - drop packet (src=<addr>) Signed-off-by: Jouni Malinen <j@w1.fi>
* PeerKey: Fix EAPOL-Key processingJouni Malinen2016-12-183-23/+30
| | | | | | | | | | Commit 6d014ffc6e654e7e802263c55ce568df153a1e1c ('Make struct wpa_eapol_key easier to use with variable length MIC') forgot to update number of EAPOL-Key processing steps for SMK and STK exchanges and broke PeerKey. Fix this by updating the Key Data field pointers to match the new style with variable length Key MIC field. Signed-off-by: Jouni Malinen <j@w1.fi>
* Fix wpa_supplicant build error with IEEE8021X_EAPOL unsetFelix Fietkau2016-12-141-0/+13
| | | | | | | Add missing inline stubs for newly added functions. Fixes: 3459381dd260 ("External persistent storage for PMKSA cache entries") Signed-off-by: Felix Fietkau <nbd@nbd.name>
* External persistent storage for PMKSA cache entriesJouni Malinen2016-12-124-8/+48
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This adds new wpa_supplicant control interface commands PMKSA_GET and PMKSA_ADD that can be used to store PMKSA cache entries in an external persistent storage when terminating a wpa_supplicant process and then restore those entries when starting a new process. The previously added PMKSA-CACHE-ADDED/REMOVED events can be used to help in synchronizing the external storage with the memory-only volatile storage within wpa_supplicant. "PMKSA_GET <network_id>" fetches all stored PMKSA cache entries bound to a specific network profile. The network_id of the current profile is available with the STATUS command (id=<network_id). In addition, the network_id is included in the PMKSA-CACHE-ADDED/REMOVED events. The output of the PMKSA_GET command uses the following format: <BSSID> <PMKID> <PMK> <reauth_time in seconds> <expiration in seconds> <akmp> <opportunistic> For example: 02:00:00:00:03:00 113b8b5dc8eda16594e8274df4caa3d4 355e98681d09e0b69d3a342f96998aa765d10c4459ac592459b5efc6b563eff6 30240 43200 1 0 02:00:00:00:04:00 bbdac8607aaaac28e16aacc9152ffe23 e3dd6adc390e685985e5f40e6fe72df846a0acadc59ba15c208d9cb41732a663 30240 43200 1 0 The PMKSA_GET command uses the following format: <network_id> <BSSID> <PMKID> <PMK> <reauth_time in seconds> <expiration in seconds> <akmp> <opportunistic> (i.e., "PMKSA_ADD <network_id> " prefix followed by a line of PMKSA_GET output data; however, the reauth_time and expiration values need to be updated by decrementing them by number of seconds between the PMKSA_GET and PMKSA_ADD commands) For example: PMKSA_ADD 0 02:00:00:00:03:00 113b8b5dc8eda16594e8274df4caa3d4 355e98681d09e0b69d3a342f96998aa765d10c4459ac592459b5efc6b563eff6 30140 43100 1 0 PMKSA_ADD 0 02:00:00:00:04:00 bbdac8607aaaac28e16aacc9152ffe23 e3dd6adc390e685985e5f40e6fe72df846a0acadc59ba15c208d9cb41732a663 30140 43100 1 0 This functionality is disabled be default and can be enabled with CONFIG_PMKSA_CACHE_EXTERNAL=y build configuration option. It should be noted that this allows any process that has access to the wpa_supplicant control interface to use PMKSA_ADD command to fetch keying material (PMK), so this is for environments in which the control interface access is restricted. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Add PMKSA-CACHE-ADDED/REMOVED events to wpa_supplicantJouni Malinen2016-12-124-11/+14
| | | | | | | These allow external program to monitor PMKSA cache updates in preparation to enable external persistent storage of PMKSA cache. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* TDLS: Fix checks on prohibit bitsCedric Izoard2016-10-281-4/+4
| | | | | | | | | | ext_capab/ext_capab_len do not include ID and Length so no extra +2 offset should be used. This fixes a regression from commit faf427645aa79a32ebd8093ff676abfc9d36e951 ('TDLS: Use proper IE parsing routine for non-EAPOL-Key cases') that replaced the IE parser without noticing the difference in the pointer offset. Signed-off-by: Flavia Vanetti <flavia.vanetti@ceva-dsp.com>
* FILS: Association Response processing (STA)Jouni Malinen2016-10-253-0/+182
| | | | | | | Decrypt the AES-SIV protected elements and verify Key-Auth. Parse and configure keys to the driver. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* FILS: Add elements to FILS Association Request frameJouni Malinen2016-10-252-0/+52
| | | | Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* FILS: Authentication frame processing (STA)Jouni Malinen2016-10-223-0/+141
| | | | Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* FILS: Try to use FILS authentication if PMKSA or ERP entry is availableJouni Malinen2016-10-223-0/+95
| | | | | | | | | | If a PMKSA cache entry for the target AP is available, try to use FILS with PMKSA caching. If an ERP key for the target AP is available, try to use FILS with EAP-Initiate/Re-auth added as Wrapper Data element. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* WPA: Add debug print for not-update-own-IEs caseJouni Malinen2016-10-221-0/+4
| | | | | | | This makes it easier to understand debug logs related to own WPA/RSN IE selection. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* FILS: Handle Group Key msg 1/2 without MIC when using AEAD cipher (STA)Jouni Malinen2016-10-101-2/+3
| | | | Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* FILS: Use AEAD cipher to check received EAPOL-Key frames (STA)Jouni Malinen2016-10-101-2/+80
| | | | | | | | | This changes 4-way handshake authenticator processing to decrypt the EAPOL-Key frames using an AEAD cipher (AES-SIV with FILS AKMs) before processing the Key Data field. This replaces Key MIC validation for the cases where AEAD cipher is used. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* FILS: Use AEAD cipher to protect EAPOL-Key frames (STA)Jouni Malinen2016-10-101-9/+85
| | | | | | | | | | | | This modifies wpa_eapol_key_send() to use AEAD cipher (AES-SIV for FILS AKMs) to provide both integrity protection for the EAPOL-Key frame and encryption for the Key Data field. It should be noted that this starts encrypting the Key Data field in EAPOL-Key message 2/4 while it remains unencrypted (but integrity protected) in non-FILS cases. Similarly, the empty Key Data field in EAPOL-Key message 4/4 gets encrypted for AEAD cases. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* RSN: Pass full PTK to wpa_eapol_key_send() instead of KCK onlyJouni Malinen2016-10-103-25/+25
| | | | | | | This will be needed to be able to implement AEAD cipher support from FILS that will need to use KEK to protect the frame. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* FILS: Update EAPOL-Key descriptor version rules for RX (STA)Jouni Malinen2016-10-101-1/+5
| | | | | | FILS AKM uses Key Descriptor version 0 and AEAD cipher. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* FILS: Set EAPOL-Key Key Info MIC=0 when using AEAD cipher (supplicant)Jouni Malinen2016-10-101-5/+14
| | | | Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* FILS: Do not add Key MIC field in supplicant when using AEAD cipherJouni Malinen2016-10-101-1/+1
| | | | Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Make struct wpa_eapol_key easier to use with variable length MICJouni Malinen2016-10-103-109/+85
| | | | | | | | | | | | | | | | | | Suite B 192-bit addition from IEEE Std 802.11ac-2013 replaced the previous fixed length Key MIC field with a variable length field. That change was addressed with an addition of a new struct defined for the second MIC length. This is not really scalable and with FILS coming up with a zero-length MIC case for AEAD, a more thorough change to support variable length MIC is needed. Remove the Key MIC and Key Data Length fields from the struct wpa_eapol_key and find their location based on the MIC length information (which is determined by the AKMP). This change allows the separate struct wpa_eapol_key_192 to be removed since struct wpa_eapol_key will now include only the fixed length fields that are shared with all EAPOL-Key cases in IEEE Std 802.11. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* FILS: Add AKM definitionsJouni Malinen2016-10-101-0/+12
| | | | | | This adds definitions for the new AKM suite values from P802.11ai/D11.0. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* TDLS: Declare tdls_testing as extern in a header fileJouni Malinen2016-06-231-0/+4
| | | | | | This gets rid of a sparse warning with CONFIG_TDLS_TESTING builds. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* RSN: Set EAPOL-Key Request Secure bit to 1 if PTK is setJouni Malinen2016-04-051-1/+1
| | | | | | | | | | | | The Secure bit in the Key Information field of EAPOL-Key frames is supposed to be set to 1 when there is a security association. This was done for other frames, but not for the EAPOL-Key Request frame where supplicant is requesting a new PTK to be derived (either due to Michael MIC failure report Error=1 or for other reasons with Error=0). In practice, EAPOL-Key Request frame is only sent when there is a PTK in place, so all such frames should have Secure=1. Signed-off-by: Jouni Malinen <j@w1.fi>
* SAE: Fix PMKID calculation for PMKSA cacheMasashi Honma2016-02-185-12/+17
| | | | | | | | The SAE PMKID is calculated with IEEE Std 802.11-2012 11.3.5.4, but the PMKID was re-calculated with 11.6.1.3 and saved into PMKSA cache. Fix this to save the PMKID calculated with 11.3.5.4 into the PMKSA cache. Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
* TDLS: Clean up os_memcmp useJouni Malinen2016-02-161-3/+3
| | | | | | | | | | Ciuple of the nonce comparisons used a strange '!os_memcmp() == 0' to check if the values were different. While this resulted in correct behavior, the construction is not exactly clear and clang has started warning about this (-Wlogical-not-parentheses). Clean this up by using 'os_mecmp() != 0'. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Fix wpa_supplicant build with IEEE8021X_EAPOL=y and CONFIG_NO_WPA=yJouni Malinen2016-01-154-7/+7
| | | | | | | | The PMKSA caching and RSN pre-authentication components were marked as conditional on IEEE8021X_EAPOL. However, the empty wrappers are needed also in a case IEEE8021X_EAPOL is defined with CONFIG_NO_WPA. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Use wpa_msg() for the "RSN: PMKID mismatch" messageJouni Malinen2015-12-221-1/+1
| | | | | | | | This message is sent at MSG_INFO level and it is supposed to go out even even debug messages were to be removed from the build. As such, use wpa_msg() instead of wpa_dbg() for it. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* WPA: Explicitly clear the buffer used for decrypting Key DataJouni Malinen2015-12-201-2/+2
| | | | | | | | | | | When AES-WRAP was used to protect the EAPOL-Key Key Data field, this was decrypted using a temporary heap buffer with aes_unwrap(). That buffer was not explicitly cleared, so it was possible for the group keys to remain in memory unnecessarily until the allocated area was reused. Clean this up by clearing the temporary allocation explicitly before freeing it. Signed-off-by: Jouni Malinen <j@w1.fi>
* TDLS: Ignore incoming TDLS Setup Response retriesArik Nemtsov2015-12-181-0/+8
| | | | | | | | | The Setup Response timer is relatively fast (500 ms) and there are instances where it fires on the responder side after the initiator has already sent out the TDLS Setup Confirm frame. Prevent the processing of this stale TDLS Setup Response frame on the initiator side. Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
* FT: Fix FTIE generation for 4-way handshake after FT protocol runJouni Malinen2015-12-091-2/+1
| | | | | | | | | | | | | wpa_insert_pmkid() did not support cases where the original RSN IE included any PMKIDs. That case can happen when PTK rekeying through 4-way handshake is used after FT protocol run. Such a 4-way handshake used to fail with wpa_supplicant being unable to build the EAPOL-Key msg 2/4. Fix this by extending wpa_insert_pmkid() to support removal of the old PMKIDs, if needed. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Add TEST_ASSOC_IE for WPA/RSN IE testing on AP sideJouni Malinen2015-12-063-0/+28
| | | | | | | | | The new wpa_supplicant control interface command "TEST_ASSOC_IE <hexdump>" can now be used to override the WPA/RSN IE for Association Request frame and following 4-way handshake to allow protocol testing of AP side processing of WPA/RSN IE. Signed-off-by: Jouni Malinen <j@w1.fi>
* Fix CONFIG_NO_WPA=y buildJouni Malinen2015-11-231-2/+3
| | | | | | | | Number of places were calling functions that are not included in CONFIG_NO_WPA=y build anymore. Comment out such calls. In addition, pull in SHA1 and MD5 for config_internal.c, if needed. Signed-off-by: Jouni Malinen <j@w1.fi>
* RSN: Remove check for proactive_key_caching while setting PMK offloadAmarnath Hullur Subramanyam2015-11-161-2/+0
| | | | | | | | | wpa_sm_key_mgmt_set_pmk() was checking for proactive_key_caching to be enabled before setting the PMK to the driver. This check is not required and would mandate configuration setting of okc or proactive_key_caching for cases which were not necessary. Signed-off-by: Amarnath Hullur Subramanyam <amarnath@qca.qualcomm.com>
* wpa_supplicant: Add GTK RSC relaxation workaroundMax Stepanov2015-11-013-3/+50
| | | | | | | | | | | | | | | | | | | | | | Some APs may send RSC octets in EAPOL-Key message 3 of 4-Way Handshake or in EAPOL-Key message 1 of Group Key Handshake in the opposite byte order (or by some other corrupted way). Thus, after a successful EAPOL-Key exchange the TSC values of received multicast packets, such as DHCP, don't match the RSC one and as a result these packets are dropped on replay attack TSC verification. An example of such AP is Sapido RB-1732. Work around this by setting RSC octets to 0 on GTK installation if the AP RSC value is identified as a potentially having the byte order issue. This may open a short window during which older (but valid) group-addressed frames could be replayed. However, the local receive counter will be updated on the first received group-addressed frame and the workaround is enabled only if the common invalid cases are detected, so this workaround is acceptable as not decreasing security significantly. The wpa_rsc_relaxation global configuration property allows the GTK RSC workaround to be disabled if it's not needed. Signed-off-by: Max Stepanov <Max.Stepanov@intel.com>
* RSN: Check result of EAPOL-Key frame send requestAvichal Agarwal2015-10-282-24/+21
| | | | | | | | | | | | Provide information on whether EAPOL-Key frame was sent successfully to kernel for transmittion. wpa_eapol_key_send() will return >= 0 on success and < 0 on failure. After receiving EAPOL-Key msg 3/4, wpa_supplicant sends EAPOL-Key msg 4/4 and shows CTRL-EVENT-CONNECTED only after verifying that the msg 4/4 was sent to kernel for transmission successfully. Signed-off-by: Avichal Agarwal <avichal.a@samsung.com> Signed-off-by: Kyeong-Chae Lim <kcya.lim@samsung.com>
* TDLS: Do not send error case of TPK M3 if TX failsSunil Dutt2015-10-261-1/+2
| | | | | | | | | There is no point in sending TPK M3 (TDLS Setup Confirm) with a failure status if the first transmission attempt fails. Instead, just return a failure by disabling the link rather than retransmitting the TPK M3 frame with an error status. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* RSN: Avoid undefined behavior in pointer arithmeticJouni Malinen2015-10-252-5/+5
| | | | | | | | | Reorder terms in a way that no invalid pointers are generated with pos+len operations. end-pos is always defined (with a valid pos pointer) while pos+len could end up pointing beyond the end pointer which would be undefined behavior. Signed-off-by: Jouni Malinen <j@w1.fi>
* TDLS: On a TPK timeout, tear down the link before renewal by the initiatorPradeep Reddy POTTETI2015-10-161-1/+7
| | | | | | | | | On TPK lifetime expiration, tear down the direct link before renewing the link in the case of TDLS initiator processing. The expired key cannot be used anymore, so it is better to explicitly tear down the old link first. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Fix Suite B 192-bit AKM to use proper PMK lengthJouni Malinen2015-10-144-11/+17
| | | | | | | | | | | | | In addition to the PTK length increasing, the length of the PMK was increased (from 256 to 384 bits) for the 00-0f-ac:12 AKM. This part was missing from the initial implementation and a fixed length (256-bit) PMK was used for all AKMs. Fix this by adding more complete support for variable length PMK and use 384 bits from MSK instead of 256 bits when using this AKM. This is not backwards compatible with the earlier implementations. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Fix TK configuration to the driver in EAPOL-Key 3/4 retry caseJouni Malinen2015-10-012-0/+9
| | | | | | | | | | | | | | | | | | | Commit 7d711541dced759b34313477d5d163e65c5b0131 ('Clear TK part of PTK after driver key configuration') started clearing TK from memory immediately after having configured it to the driver when processing EAPOL-Key message 3/4. While this covered the most common case, it did not take into account the possibility of the authenticator having to retry EAPOL-Key message 3/4 in case the first EAPOL-Key message 4/4 response is lost. That case ended up trying to reinstall the same TK to the driver, but the key was not available anymore. Fix the EAPOL-Key message 3/4 retry case by configuring TK to the driver only once. There was no need to try to set the same key after each EAPOL-Key message 3/4 since TK could not change. If actual PTK rekeying is used, the new TK will be configured once when processing the new EAPOL-Key message 3/4 for the first time. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* WPA: Do not print GTK in debug log unless requestedJouni Malinen2015-09-091-2/+2
| | | | | | | | The GTK value received in RSN (WPA2) group rekeying did not use the wpa_hexdump_key() version of debug printing that is conditional on -K being included on the command line. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* TDLS: Use proper IE parsing routine for non-EAPOL-Key casesJouni Malinen2015-09-051-6/+9
| | | | | | | | | | | | wpa_supplicant_parse_ies() was never supposed to be used as a generic IE parser, i.e., it is for the specific purpose of parsing EAPOL-Key Key Data IEs and KDEs. TDLS used this function for parsing generic AP IEs and while that works, it resulted in confusing "WPA: Unrecognized EAPOL-Key Key Data IE" debug messages. Clean this up by using ieee802_11_parse_elems() for the cases where generic IEs are being parsed. Signed-off-by: Jouni Malinen <j@w1.fi>
* Add build option to remove all internal RC4 usesJouni Malinen2015-08-021-0/+12
| | | | | | | | | | | | The new CONFIG_NO_RC4=y build option can be used to remove all internal hostapd and wpa_supplicant uses of RC4. It should be noted that external uses (e.g., within a TLS library) do not get disabled when doing this. This removes capability of supporting WPA/TKIP, dynamic WEP keys with IEEE 802.1X, WEP shared key authentication, and MSCHAPv2 password changes. Signed-off-by: Jouni Malinen <j@w1.fi>
* RSN: Stop connection attempt on apparent PMK mismatchJouni Malinen2015-07-081-0/+11
| | | | | | | | | | | | | | | | | | | | If WPA2-Enterprise connection with full EAP authentication (i.e., no PMKSA caching used) results in a PMKID that does not match the one the AP/Authenticator indicates in EAPOL-Key msg 1/4, there is not much point in trying to trigger full EAP authentication by sending EAPOL-Start since this sequence was immediately after such full authentication attempt. There are known examples of authentication servers with incorrect MSK derivation when TLS v1.2 is used (e.g., FreeRADIUS 2.2.6 or 3.0.7 when built with OpenSSL 1.0.2). Write a clear debug log entry and also send it to control interface monitors when it looks likely that this case has been hit. After doing that, stop the connection attempt by disassociating instead of trying to send out EAPOL-Start to trigger new EAP authentication round (such another try can be tried with a new association). Signed-off-by: Jouni Malinen <j@w1.fi>
* FT: Allow CCMP-256 and GCMP-256 as group ciphersJouni Malinen2015-07-071-3/+1
| | | | | | | | | | The FT-specific check for valid group cipher in wpa_ft_gen_req_ies() was not up-to-date with the current list of supported ciphers. Fix this by using a generic function to determine validity of the cipher. In practice, this adds support for using CCMP-256 and GCMP-256 as the group cipher with FT. Signed-off-by: Jouni Malinen <j@w1.fi>
* Simplify VHT Capabilities element parsingJouni Malinen2015-04-223-6/+4
| | | | | | | Check the element length in the parser and remove the length field from struct ieee802_11_elems since the element is of fixed length. Signed-off-by: Jouni Malinen <j@w1.fi>
* Simplify HT Capabilities element parsingJouni Malinen2015-04-223-6/+3
| | | | | | | Check the element length in the parser and remove the length field from struct ieee802_11_elems since the element is of fixed length. Signed-off-by: Jouni Malinen <j@w1.fi>