path: root/wpa_supplicant/mesh_rsn.c
Commit message | Author | Age | Files | Lines
* SAE: Allow SAE password to be configured separately (STA) | Jouni Malinen | 2017-10-11 | 1 | -3/+8
  The new sae_password network profile parameter can now be used to set the SAE password instead of the previously used psk parameter. This allows shorter than 8 characters and longer than 63 characters long passwords to be used.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* OWE: Support DH groups 20 (NIST P-384) and 21 (NIST P-521) in AP mode | Jouni Malinen | 2017-10-08 | 1 | -1/+4
  This extends OWE support in hostapd to allow DH groups 20 and 21 to be used in addition to the mandatory group 19 (NIST P-256).
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Add hostapd options wpa_group_update_count and wpa_pairwise_update_count | Günther Kelleter | 2017-02-06 | 1 | -0/+2
  wpa_group_update_count and wpa_pairwise_update_count can now be used to set the GTK and PTK rekey retry limits (dot11RSNAConfigGroupUpdateCount and dot11RSNAConfigPairwiseUpdateCount). Defaults set to current hardcoded value (4).

  Some stations may suffer from frequent deauthentications due to GTK rekey failures: EAPOL 1/2 frame is not answered during the total timeout period of currently ~3.5 seconds. For example, a Galaxy S6 with Android 6.0.1 appears to go into power save mode for up to 5 seconds. Increasing wpa_group_update_count to 6 fixed this issue.
  Signed-off-by: Günther Kelleter <guenther.kelleter@devolo.de>
* wpa_auth: Make struct wpa_auth_callbacks const | Johannes Berg | 2017-01-29 | 1 | -9/+7
  Instead of copying the struct wpa_auth_callbacks, just keep a pointer to it, keep the context pointer separate, and let the user just provide a static const structure. This reduces the attack surface of heap overwrites, since the function pointers move elsewhere.
  Signed-off-by: Johannes Berg <johannes.berg@intel.com>
* mesh: Add MESH_PMKSA_GET/ADD commands | Masashi Honma | 2017-01-14 | 1 | -0/+19
  These commands are the mesh version of PMKSA_GET/ADD commands. So the usage and security risk is similar to them. Refer to commit 3459381dd260e15e7bf768a75cb0b799cc1db33a ('External persistent storage for PMKSA cache entries') also.

  The MESH_PMKSA_GET command requires peer MAC address or "any" as an argument and outputs appropriate stored PMKSA cache. And the MESH_PMKSA_ADD command receives an output of MESH_PMKSA_GET and re-store the PMKSA cache into wpa_supplicant. By using re-stored PMKSA cache, wpa_supplicant can skip commit message creation which can use significant CPU resources.

  The output of the MESH_PMKSA_GET command uses the following format:
  <BSSID> <PMKID> <PMK> <expiration in seconds>

  The example of MESH_PMKSA_ADD command is this.
  MESH_PMKSA_ADD 02:00:00:00:03:00 231dc1c9fa2eed0354ea49e8ff2cc2dc cb0f6c9cab358a8146488566ca155421ab4f3ea4a6de2120050c149b797018fe 42930
  MESH_PMKSA_ADD 02:00:00:00:04:00 d7e595916611640d3e4e8eac02909c3c eb414a33c74831275f25c2357b3c12e3d8bd2f2aab6cf781d6ade706be71321a 43180

  This functionality is disabled by default and can be enabled with CONFIG_PMKSA_CACHE_EXTERNAL=y build configuration option.
  Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
* FILS: Extend wpa_auth_pmksa_get() to support PMKID matching | Jouni Malinen | 2016-10-22 | 1 | -2/+2
  This is needed for FILS processing to enable PMKSA caching.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Extend AES-SIV implementation to support different key lengths | Jouni Malinen | 2016-10-10 | 1 | -2/+2
  The previous implementation was hardcoded to use 128-bit AES key (AEAD_AES_SIV_CMAC_256). Extend this by allowing AEAD_AES_SIV_CMAC_384 and AEAD_AES_SIV_CMAC_512 with 192-bit and 256-bit AES keys.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* mesh: Indicate OPN_RJCT event if AES-SIV decrypt fails | Jouni Malinen | 2016-06-28 | 1 | -1/+1
  REVmc/D6.0 (Processing Mesh Peering Open frames for AMPE) mandates the OPN_RJCT event to be invoked if AES-SIV decryption for received Mesh Peering Open frame fails. This allows a Mesh Peering Close frame to be sent in such a case.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* mesh: Remove GTKdata and IGTKdata from Mesh Peering Confirm/Close | Jouni Malinen | 2016-06-28 | 1 | -2/+29
  These optional fields are supposed to be included in the Authenticated Mesh Peering Exchange element only in Mesh Peering Open frames. Previously, these were incorrectly included in Mesh Peering Confirm/Close frames and also required to be present in all these frames.

  While this commit changes the receive processing to ignore the unexpected extra fields, it should be noted that the previous implementation required the fields to be present and as such, the fixed implementation is not compatible with it for secure mesh.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* mesh: Mark wpa_state COMPLETED when mesh join has been performed | Maital Hahn | 2016-06-24 | 1 | -1/+0
  In mesh interface, the wpa_supplicant state was either DISCONNECT/SCANNING in non-secured connection or AUTHENTICATING in secured connection. The latter prevented the scan. Update the wpa_supplicant state in mesh to be COMPLETED upon initialization. This is similar to the P2P GO case.
  Signed-off-by: Maital Hahn <maitalm@ti.com>
* mesh: Avoid use of hardcoded cipher | Jouni Malinen | 2016-06-19 | 1 | -13/+19
  This moves pairwise, group, and management group ciphers to various mesh data structures to avoid having to hardcode cipher in a number of places through the code. While CCMP and BIP are still the hardcoded ciphers, these are now set only in one location.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* mesh: Clean up AMPE element encoding and parsing | Jouni Malinen | 2016-06-19 | 1 | -35/+116
  The AMPE element includes a number of optional and variable length fields and those cannot really be represented by a fixed struct ieee80211_ampe_ie. Remove the optional fields from the struct and build/parse these fields separately.

  This is also adding support for IGTKdata that was completely missing from the previous implementation. In addition, Key RSC for MGTK is now filled in and used when configuring the RX MGTK for a peer.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* mesh: Use variable length MGTK for RX | Jouni Malinen | 2016-06-19 | 1 | -0/+1
  This extends the data structures to allow variable length MGTK to be stored for RX. This is needed as an initial step towards supporting different cipher suites.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* mesh: Generate a separate TX IGTK if PMF is enabled | Jouni Malinen | 2016-06-19 | 1 | -3/+15
  Previous implementation was incorrectly using MGTK also as the IGTK and doing this regardless of whether PMF was enabled. IGTK needs to be an independent key and this commit does that at the local TX side.

  The current AMPE element construction and parsing is quite broken, so this does not add the IGTKdata field there.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* mesh: Support variable length TX MGTK | Jouni Malinen | 2016-06-19 | 1 | -2/+6
  This is an initial step in supporting multiple cipher suites.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* mesh: Add variable length MTK support | Jouni Malinen | 2016-06-19 | 1 | -1/+2
  This is needed as a part in enabling support for different pairwise ciphers in mesh.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* mesh: Coding style cleanup for MTK derivation | Jouni Malinen | 2016-06-19 | 1 | -16/+22
  Clean up the mesh_rsn_derive_mtk() function by using proper macros and pointer to the location within the context block.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* mesh: Fix MTK derivation to use AKM suite selector | Jouni Malinen | 2016-06-18 | 1 | -2/+2
  mesh_rsn_derive_mtk() was hardcoded to use GCMP (even though CCMP was hardcoded elsewhere) cipher suite selector instead of the selected AKM suite selector. This resulted in incorrect MTK getting derived. Fix this by using the SAE AKM suite selector in the input to the KDF.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* mesh: Coding style cleanup for AEK derivation | Jouni Malinen | 2016-06-18 | 1 | -5/+14
  Clean up the mesh_rsn_derive_aek() function by using proper macros and pointer to the location within the context block.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* mesh: Fix AEK derivation to use AKM suite selector | Jouni Malinen | 2016-06-18 | 1 | -2/+2
  mesh_rsn_derive_aek() was hardcoded to use GCMP (even though CCMP was hardcoded elsewhere) cipher suite selector instead of the selected AKM suite selector. This resulted in incorrect AEK getting derived. Fix this by using the SAE AKM suite selector in the input to the KDF.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* mesh: Use ieee80211w profile parameter | Jouni Malinen | 2016-06-18 | 1 | -2/+9
  This is an initial step in fixing issues in how PMF configuration for RSN mesh was handled. PMF is an optional capability for mesh and it needs to be configured consistently in both hostapd structures (to get proper RSNE) and key configuration (not included in this commit).
  Signed-off-by: Jouni Malinen <j@w1.fi>
* mesh: Use WPA_NONCE_LEN macro | Jouni Malinen | 2016-06-18 | 1 | -12/+11
  No need to use the magic value 32 here since there is a generic define for the RSN-related nonce values.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* mesh: Fix error path handling for RSN (MGTK init) | Jouni Malinen | 2016-05-30 | 1 | -3/+1
  wpa_deinit() got called twice if the random_get_bytes() fails to generate the MGTK. This resulted in double-freeing the rsn->auth pointer. Fix this by allowing mesh_rsn_auth_init() to handle freeing for all error cases.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* mesh: Use appropriate BLOCKED state duration | Masashi Honma | 2016-03-20 | 1 | -8/+5
  Previously, BLOCKED state duration slightly increased up to 3600. Though the BLOCKED state could be canceled by ap_handle_timer(). Because the timer times out in ap_max_inactivity (default=300sec) and removes STA objects (the object retains BLOCKED state).

  This patch re-designs my commit bf51f4f82bdb50356de5501acac53fe1b91a7b86 ('mesh: Fix remaining BLOCKED state after SAE auth failure') to replace mesh_auth_block_duration by ap_max_inactivity and remove incremental duration.
  Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
* mesh: Add support for PMKSA caching | Masashi Honma | 2016-03-20 | 1 | -0/+35
  This patch adds functionality of mesh SAE PMKSA caching. If the local STA already has peer's PMKSA entry in the cache, skip SAE authentication and start AMPE with the cached value.

  If the peer does not support PMKSA caching or does not have the local STA's PMKSA entry in the cache, AMPE will fail and the PMKSA cache entry of the peer will be removed. Then STA retries with ordinary SAE authentication.

  If the peer does not support PMKSA caching and the local STA uses no_auto_peer=1, the local STA can not retry SAE authentication because NEW_PEER_CANDIDATE event cannot start SAE authentication when no_auto_peer=1. So this patch extends MESH_PEER_ADD command to use duration(sec). Throughout the duration, the local STA can start SAE authentication triggered by NEW_PEER_CANDIDATE even though no_auto_peer=1.

  This commit requires commit 70c93963edefa37ef84b73efb9d04ea10268341c ('SAE: Fix PMKID calculation for PMKSA cache'). Without that commit, chosen PMK comparison will fail.
  Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
* mesh: Check PMKID in AMPE Action frames | Bob Copeland | 2015-12-28 | 1 | -0/+7
  From IEEE Std 802.11-2012 13.3.5:

    If the incoming Mesh Peering Management frame is for AMPE and the Chosen PMK from the received frame contains a PMKID that does not identify a valid mesh PMKSA, the frame shall be silently discarded.

  We were not checking the PMKID previously, and we also weren't parsing it correctly, so fix both.
  Signed-off-by: Bob Copeland <me@bobcopeland.com>
* mesh: Fix PMKID to match the standard | Bob Copeland | 2015-12-28 | 1 | -4/+1
  IEEE Std 802.11-2012 specifies the PMKID for SAE-derived keys as:

    L((commit-scalar + peer-commit-scalar) mod r, 0, 128)

  This is already calculated in the SAE code when the PMK is derived, but not saved anywhere. Later, when generating the PMKID for plink action frames, the definition for PMKID from is incorrectly used. Correct this by saving the PMKID when the key is generated and use it subsequently.
  Signed-off-by: Bob Copeland <me@bobcopeland.com>
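The PMKID definition quoted in the commit message above, worked through as an added example; it is not code from wpa_supplicant or hostapd. The function names, the choice of SAE group 19 (NIST P-256) and the scalars in main() are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SCALAR_LEN 32 /* group 19 (NIST P-256) scalar size in octets (assumed group) */
#define PMKID_LEN 16  /* 128 bits */
/* Order r of the NIST P-256 base point, big endian. */
static const uint8_t p256_order[SCALAR_LEN] = {
	0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
	0xbc, 0xe6, 0xfa, 0xad, 0xa7, 0x17, 0x9e, 0x84,
	0xf3, 0xb9, 0xca, 0xc2, 0xfc, 0x63, 0x25, 0x51
};

/* SAE requires 1 < scalar < r; anything else is rejected before use. */
static int scalar_ok(const uint8_t *s, const uint8_t *r)
{
	static const uint8_t zero[SCALAR_LEN - 1];
	if (memcmp(s, r, SCALAR_LEN) >= 0)
		return 0;
	return memcmp(s, zero, SCALAR_LEN - 1) != 0 || s[SCALAR_LEN - 1] > 1;
}

/* PMKID = L((own + peer) mod r, 0, 128); returns 0 on success, -1 on a bad scalar.
 * Both scalars are sent in the clear in SAE Commit, so branching on them is fine. */
int sae_pmkid(const uint8_t *own, const uint8_t *peer, const uint8_t *r, uint8_t *pmkid)
{
	uint8_t sum[SCALAR_LEN];
	int i, t, carry = 0, borrow = 0;
	if (!scalar_ok(own, r) || !scalar_ok(peer, r))
		return -1;
	for (i = SCALAR_LEN - 1; i >= 0; i--) { /* big-endian addition */
		t = own[i] + peer[i] + carry;
		sum[i] = t & 0xff;
		carry = t >> 8;
	}
	/* sum < 2r, so one conditional subtraction completes the reduction */
	if (carry || memcmp(sum, r, SCALAR_LEN) >= 0)
		for (i = SCALAR_LEN - 1; i >= 0; i--) {
			t = 256 + sum[i] - r[i] - borrow;
			sum[i] = t & 0xff;
			borrow = t < 256;
		}
	memcpy(pmkid, sum, PMKID_LEN); /* L(x, 0, 128): leftmost 128 bits */
	return 0;
}

int main(void)
{
	uint8_t a[SCALAR_LEN] = { 1 }, b[SCALAR_LEN] = { 2 }, id[PMKID_LEN]; /* constructed */
	if (sae_pmkid(a, b, p256_order, id) == 0)
		printf("PMKID starts %02x%02x\n", id[0], id[1]);
	return 0;
}
```

Because both peers add the same two scalars, each side derives the same PMKID independently, which is what lets a receiver look up the mesh PMKSA named in an AMPE frame.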
* mesh: Fix memory leak on error path | Masashi Honma | 2015-09-05 | 1 | -0/+1
  Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
* mesh: Fix segfault on error path | Masashi Honma | 2015-09-05 | 1 | -1/+2
  When wpa_init() in __mesh_rsn_auth_init() failed, empty rsn->auth caused segmentation fault due to NULL pointer dereference when wpa_deinit() was called. Fix this by checking the pointer before executing deinit steps.
  Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
* mesh: Rename IE field to clarify its use | Masashi Honma | 2015-09-05 | 1 | -2/+2
  This is used only for RSNE.
  Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
* mesh: Fix remaining BLOCKED state after SAE auth failure | Masashi Honma | 2015-02-08 | 1 | -2/+15
  When SAE authentication fails, wpa_supplicant retries four times. If all the retries result in failure, SAE state machine enters BLOCKED state. Once it enters this state, wpa_supplicant doesn't retry connection. This commit allows connection retries even if the state machine entered BLOCKED state.

  There could be an opinion "Is this patch needed? User could know the SAE state machine is in the BLOCKED mode by MESH-SAE-AUTH-BLOCKED event. Then user can retry connection. By user action, SAE state machine can change the state from BLOCKED to another.". Yes, this is true at the joining mesh STA. However, a STA that is already a member of existing mesh BSS should not retry connection because if the joining mesh STA used wrong password, all the existing STA should do something from UI to retry connection.
  Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
* mesh: Add a monitor event on SAE authentication getting blocked | Masashi Honma | 2015-02-07 | 1 | -0/+3
  Send MESH-SAE-AUTH-BLOCKED event if SAE authentication is blocked. The BLOCK state will finish when a new peer notification event is sent for the same MAC address.
  Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
* mesh: Add a monitor event for SAE authentication failure | Masashi Honma | 2015-02-07 | 1 | -0/+2
  SAE authentication fails likely with wrong password. This commit adds a notification of the failure to the upper application (UI) so that the application can notify suspicion of a wrong password to the user.

  The control interface monitor event for this is "MESH-SAE-AUTH-FAILURE addr=<peer>".
  Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
* mesh: Sync plink state with kernel | Masashi Honma | 2015-01-28 | 1 | -1/+1
  The plink_state exists in both wpa_supplicant and the kernel. Synchronize them with wpa_mesh_set_plink_state().
  Signed-off-by: Kenzoh Nishikawa <Kenzoh.Nishikawa@jp.sony.com>
  Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
* SAE: Centralize function for sending initial COMMIT | Bob Copeland | 2015-01-10 | 1 | -74/+15
  When performing SAE authentication in mesh, one station may initiate authentication by sending a COMMIT as soon as a peer candidate is discovered. Previously we did this in mesh_rsn.c, but this left some of the state initialization in a different part of the code from the rest of the state machine, and we may need to add other initializations here in the future, so move that to a more central function.
  Signed-off-by: Bob Copeland <me@bobcopeland.com>
* Clean up debug prints to use wpa_printf() | Jouni Malinen | 2014-12-26 | 1 | -1/+2
  This converts most of the remaining perror() and printf() calls from hostapd and wpa_supplicant to use wpa_printf().
  Signed-off-by: Jouni Malinen <j@w1.fi>
* mesh: Check for initialization failures | Jouni Malinen | 2014-11-30 | 1 | -0/+6
  It is possible that these locations ended up getting called before mesh startup operations had been completed and that could result in dereferencing NULL pointers. Address those error cases by verifying that the needed parameters are available before using them.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* mesh: Add timer for SAE authentication in RSN mesh | Chun-Yeow Yeoh | 2014-11-16 | 1 | -0/+35
  Add timer to do SAE re-authentication with number of tries defined by MESH_AUTH_RETRY and timeout defined by MESH_AUTH_TIMEOUT.

  Ignoring the sending of reply message on "SAE confirm before commit" to avoid "ping-pong" issues with other mesh nodes. This is obvious when the number of mesh nodes in the MBSS reaches 6.
  Signed-off-by: Chun-Yeow Yeoh <yeohchunyeow@gmail.com>
  Signed-off-by: Bob Copeland <me@bobcopeland.com>
* mesh: Add mesh robust security network | Thomas Pedersen | 2014-11-16 | 1 | -0/+573
  This implementation provides:
  - Mesh SAE authentication mechanism
  - Key management (set/get PSK)
  - Cryptographic key establishment
  - Enhanced protection mechanisms for robust management frames
  Signed-off-by: Javier Lopez <jlopex@gmail.com>
  Signed-off-by: Javier Cardona <javier@cozybit.com>
  Signed-off-by: Jason Mobarak <x@jason.mobarak.name>
  Signed-off-by: Thomas Pedersen <thomas@noack.us>