path: root/src/rsn_supp
Commit message (Collapse)AuthorAgeFilesLines
* RSN: Set EAPOL-Key Request Secure bit to 1 if PTK is setJouni Malinen2016-04-051-1/+1
| | | | | | | | | | | | The Secure bit in the Key Information field of EAPOL-Key frames is supposed to be set to 1 when there is a security association. This was done for other frames, but not for the EAPOL-Key Request frame where supplicant is requesting a new PTK to be derived (either due to Michael MIC failure report Error=1 or for other reasons with Error=0). In practice, EAPOL-Key Request frame is only sent when there is a PTK in place, so all such frames should have Secure=1. Signed-off-by: Jouni Malinen <j@w1.fi>
* SAE: Fix PMKID calculation for PMKSA cacheMasashi Honma2016-02-185-12/+17
| | | | | | | | The SAE PMKID is calculated with IEEE Std 802.11-2012, but the PMKID was re-calculated with and saved into PMKSA cache. Fix this to save the PMKID calculated with into the PMKSA cache. Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
* TDLS: Clean up os_memcmp useJouni Malinen2016-02-161-3/+3
| | | | | | | | | | Ciuple of the nonce comparisons used a strange '!os_memcmp() == 0' to check if the values were different. While this resulted in correct behavior, the construction is not exactly clear and clang has started warning about this (-Wlogical-not-parentheses). Clean this up by using 'os_mecmp() != 0'. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Fix wpa_supplicant build with IEEE8021X_EAPOL=y and CONFIG_NO_WPA=yJouni Malinen2016-01-154-7/+7
| | | | | | | | The PMKSA caching and RSN pre-authentication components were marked as conditional on IEEE8021X_EAPOL. However, the empty wrappers are needed also in a case IEEE8021X_EAPOL is defined with CONFIG_NO_WPA. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Use wpa_msg() for the "RSN: PMKID mismatch" messageJouni Malinen2015-12-221-1/+1
| | | | | | | | This message is sent at MSG_INFO level and it is supposed to go out even even debug messages were to be removed from the build. As such, use wpa_msg() instead of wpa_dbg() for it. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* WPA: Explicitly clear the buffer used for decrypting Key DataJouni Malinen2015-12-201-2/+2
| | | | | | | | | | | When AES-WRAP was used to protect the EAPOL-Key Key Data field, this was decrypted using a temporary heap buffer with aes_unwrap(). That buffer was not explicitly cleared, so it was possible for the group keys to remain in memory unnecessarily until the allocated area was reused. Clean this up by clearing the temporary allocation explicitly before freeing it. Signed-off-by: Jouni Malinen <j@w1.fi>
* TDLS: Ignore incoming TDLS Setup Response retriesArik Nemtsov2015-12-181-0/+8
| | | | | | | | | The Setup Response timer is relatively fast (500 ms) and there are instances where it fires on the responder side after the initiator has already sent out the TDLS Setup Confirm frame. Prevent the processing of this stale TDLS Setup Response frame on the initiator side. Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
* FT: Fix FTIE generation for 4-way handshake after FT protocol runJouni Malinen2015-12-091-2/+1
| | | | | | | | | | | | | wpa_insert_pmkid() did not support cases where the original RSN IE included any PMKIDs. That case can happen when PTK rekeying through 4-way handshake is used after FT protocol run. Such a 4-way handshake used to fail with wpa_supplicant being unable to build the EAPOL-Key msg 2/4. Fix this by extending wpa_insert_pmkid() to support removal of the old PMKIDs, if needed. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Add TEST_ASSOC_IE for WPA/RSN IE testing on AP sideJouni Malinen2015-12-063-0/+28
| | | | | | | | | The new wpa_supplicant control interface command "TEST_ASSOC_IE <hexdump>" can now be used to override the WPA/RSN IE for Association Request frame and following 4-way handshake to allow protocol testing of AP side processing of WPA/RSN IE. Signed-off-by: Jouni Malinen <j@w1.fi>
* Fix CONFIG_NO_WPA=y buildJouni Malinen2015-11-231-2/+3
| | | | | | | | Number of places were calling functions that are not included in CONFIG_NO_WPA=y build anymore. Comment out such calls. In addition, pull in SHA1 and MD5 for config_internal.c, if needed. Signed-off-by: Jouni Malinen <j@w1.fi>
* RSN: Remove check for proactive_key_caching while setting PMK offloadAmarnath Hullur Subramanyam2015-11-161-2/+0
| | | | | | | | | wpa_sm_key_mgmt_set_pmk() was checking for proactive_key_caching to be enabled before setting the PMK to the driver. This check is not required and would mandate configuration setting of okc or proactive_key_caching for cases which were not necessary. Signed-off-by: Amarnath Hullur Subramanyam <amarnath@qca.qualcomm.com>
* wpa_supplicant: Add GTK RSC relaxation workaroundMax Stepanov2015-11-013-3/+50
| | | | | | | | | | | | | | | | | | | | | | Some APs may send RSC octets in EAPOL-Key message 3 of 4-Way Handshake or in EAPOL-Key message 1 of Group Key Handshake in the opposite byte order (or by some other corrupted way). Thus, after a successful EAPOL-Key exchange the TSC values of received multicast packets, such as DHCP, don't match the RSC one and as a result these packets are dropped on replay attack TSC verification. An example of such AP is Sapido RB-1732. Work around this by setting RSC octets to 0 on GTK installation if the AP RSC value is identified as a potentially having the byte order issue. This may open a short window during which older (but valid) group-addressed frames could be replayed. However, the local receive counter will be updated on the first received group-addressed frame and the workaround is enabled only if the common invalid cases are detected, so this workaround is acceptable as not decreasing security significantly. The wpa_rsc_relaxation global configuration property allows the GTK RSC workaround to be disabled if it's not needed. Signed-off-by: Max Stepanov <Max.Stepanov@intel.com>
* RSN: Check result of EAPOL-Key frame send requestAvichal Agarwal2015-10-282-24/+21
| | | | | | | | | | | | Provide information on whether EAPOL-Key frame was sent successfully to kernel for transmittion. wpa_eapol_key_send() will return >= 0 on success and < 0 on failure. After receiving EAPOL-Key msg 3/4, wpa_supplicant sends EAPOL-Key msg 4/4 and shows CTRL-EVENT-CONNECTED only after verifying that the msg 4/4 was sent to kernel for transmission successfully. Signed-off-by: Avichal Agarwal <avichal.a@samsung.com> Signed-off-by: Kyeong-Chae Lim <kcya.lim@samsung.com>
* TDLS: Do not send error case of TPK M3 if TX failsSunil Dutt2015-10-261-1/+2
| | | | | | | | | There is no point in sending TPK M3 (TDLS Setup Confirm) with a failure status if the first transmission attempt fails. Instead, just return a failure by disabling the link rather than retransmitting the TPK M3 frame with an error status. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* RSN: Avoid undefined behavior in pointer arithmeticJouni Malinen2015-10-252-5/+5
| | | | | | | | | Reorder terms in a way that no invalid pointers are generated with pos+len operations. end-pos is always defined (with a valid pos pointer) while pos+len could end up pointing beyond the end pointer which would be undefined behavior. Signed-off-by: Jouni Malinen <j@w1.fi>
* TDLS: On a TPK timeout, tear down the link before renewal by the initiatorPradeep Reddy POTTETI2015-10-161-1/+7
| | | | | | | | | On TPK lifetime expiration, tear down the direct link before renewing the link in the case of TDLS initiator processing. The expired key cannot be used anymore, so it is better to explicitly tear down the old link first. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Fix Suite B 192-bit AKM to use proper PMK lengthJouni Malinen2015-10-144-11/+17
| | | | | | | | | | | | | In addition to the PTK length increasing, the length of the PMK was increased (from 256 to 384 bits) for the 00-0f-ac:12 AKM. This part was missing from the initial implementation and a fixed length (256-bit) PMK was used for all AKMs. Fix this by adding more complete support for variable length PMK and use 384 bits from MSK instead of 256 bits when using this AKM. This is not backwards compatible with the earlier implementations. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Fix TK configuration to the driver in EAPOL-Key 3/4 retry caseJouni Malinen2015-10-012-0/+9
| | | | | | | | | | | | | | | | | | | Commit 7d711541dced759b34313477d5d163e65c5b0131 ('Clear TK part of PTK after driver key configuration') started clearing TK from memory immediately after having configured it to the driver when processing EAPOL-Key message 3/4. While this covered the most common case, it did not take into account the possibility of the authenticator having to retry EAPOL-Key message 3/4 in case the first EAPOL-Key message 4/4 response is lost. That case ended up trying to reinstall the same TK to the driver, but the key was not available anymore. Fix the EAPOL-Key message 3/4 retry case by configuring TK to the driver only once. There was no need to try to set the same key after each EAPOL-Key message 3/4 since TK could not change. If actual PTK rekeying is used, the new TK will be configured once when processing the new EAPOL-Key message 3/4 for the first time. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* WPA: Do not print GTK in debug log unless requestedJouni Malinen2015-09-091-2/+2
| | | | | | | | The GTK value received in RSN (WPA2) group rekeying did not use the wpa_hexdump_key() version of debug printing that is conditional on -K being included on the command line. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* TDLS: Use proper IE parsing routine for non-EAPOL-Key casesJouni Malinen2015-09-051-6/+9
| | | | | | | | | | | | wpa_supplicant_parse_ies() was never supposed to be used as a generic IE parser, i.e., it is for the specific purpose of parsing EAPOL-Key Key Data IEs and KDEs. TDLS used this function for parsing generic AP IEs and while that works, it resulted in confusing "WPA: Unrecognized EAPOL-Key Key Data IE" debug messages. Clean this up by using ieee802_11_parse_elems() for the cases where generic IEs are being parsed. Signed-off-by: Jouni Malinen <j@w1.fi>
* Add build option to remove all internal RC4 usesJouni Malinen2015-08-021-0/+12
| | | | | | | | | | | | The new CONFIG_NO_RC4=y build option can be used to remove all internal hostapd and wpa_supplicant uses of RC4. It should be noted that external uses (e.g., within a TLS library) do not get disabled when doing this. This removes capability of supporting WPA/TKIP, dynamic WEP keys with IEEE 802.1X, WEP shared key authentication, and MSCHAPv2 password changes. Signed-off-by: Jouni Malinen <j@w1.fi>
* RSN: Stop connection attempt on apparent PMK mismatchJouni Malinen2015-07-081-0/+11
| | | | | | | | | | | | | | | | | | | | If WPA2-Enterprise connection with full EAP authentication (i.e., no PMKSA caching used) results in a PMKID that does not match the one the AP/Authenticator indicates in EAPOL-Key msg 1/4, there is not much point in trying to trigger full EAP authentication by sending EAPOL-Start since this sequence was immediately after such full authentication attempt. There are known examples of authentication servers with incorrect MSK derivation when TLS v1.2 is used (e.g., FreeRADIUS 2.2.6 or 3.0.7 when built with OpenSSL 1.0.2). Write a clear debug log entry and also send it to control interface monitors when it looks likely that this case has been hit. After doing that, stop the connection attempt by disassociating instead of trying to send out EAPOL-Start to trigger new EAP authentication round (such another try can be tried with a new association). Signed-off-by: Jouni Malinen <j@w1.fi>
* FT: Allow CCMP-256 and GCMP-256 as group ciphersJouni Malinen2015-07-071-3/+1
| | | | | | | | | | The FT-specific check for valid group cipher in wpa_ft_gen_req_ies() was not up-to-date with the current list of supported ciphers. Fix this by using a generic function to determine validity of the cipher. In practice, this adds support for using CCMP-256 and GCMP-256 as the group cipher with FT. Signed-off-by: Jouni Malinen <j@w1.fi>
* Simplify VHT Capabilities element parsingJouni Malinen2015-04-223-6/+4
| | | | | | | Check the element length in the parser and remove the length field from struct ieee802_11_elems since the element is of fixed length. Signed-off-by: Jouni Malinen <j@w1.fi>
* Simplify HT Capabilities element parsingJouni Malinen2015-04-223-6/+3
| | | | | | | Check the element length in the parser and remove the length field from struct ieee802_11_elems since the element is of fixed length. Signed-off-by: Jouni Malinen <j@w1.fi>
* FT: Check FT, MD, and Timeout Interval length in the parserJouni Malinen2015-04-221-2/+4
| | | | | | | | All the existing users of these elements were already validating the element length. However, it is clearer to validate this already at the parser for extra layer of protection for any future changes. Signed-off-by: Jouni Malinen <j@w1.fi>
* tests: Add eapol-fuzzerJouni Malinen2015-04-221-3/+25
| | | | | | | This program can be used to run fuzzing tests for areas related to EAPOL frame parsing and processing on the supplicant side. Signed-off-by: Jouni Malinen <j@w1.fi>
* Show OSEN key management properly in scan resultsBen Greear2015-03-251-0/+3
| | | | | | | | | | | | | | Old code defaulted to WEP for an AP advertising OSEN. Show as OSEN instead. Re-use most of the RSN parsing logic since all but the header is the same. Example output: [root@ath9k-f lanforge]# ./local/bin/wpa_cli -i sta0 scan_results bssid / frequency / signal level / flags / ssid 00:0e:8e:6f:40:49 2462 -23 [OSEN-OSEN-CCMP][ESS] ben-138 Signed-off-by: Ben Greear <greearb@candelatech.com>
* Reject Group Key message 1/2 prior to completion of 4-way handshakeJouni Malinen2015-03-072-0/+10
| | | | | | | | | | Previously, it would have been possible to complete RSN connection by skipping the msg 3/4 and 4/4 completely. This would have resulted in pairwise key not being configured. This is obviously not supposed to happen in practice and could result in unexpected behavior, so reject group key message before the initial 4-way handshake has been completed. Signed-off-by: Jouni Malinen <j@w1.fi>
* Clear RSN timers for preauth and PTK rekeying on disassociationJouni Malinen2015-03-061-0/+2
| | | | | | | | | | | | | | Previously, it was possible for the wpa_sm_start_preauth() and wpa_sm_rekey_ptk() eloop callbacks to remain active after disconnection and potentially continue to be used for the next association. This is not correct behavior, so explicitly cancel these timeouts to avoid unexpected attempts to complete RSN preauthentication or to request PTK to be rekeyed. It was possible to trigger this issue, e.g., by running the following hwsim test case sequence: ap_wpa2_ptk_rekey ap_ft_sae_over_ds Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* TDLS: Ignore extra padding in all packetsArik Nemtsov2015-02-211-12/+27
| | | | | | | | | | Some APs (e.g., Cisco 1260) sometimes add padding to the end of short TDLS management packets and that can look like invalid IEs. This was allowed on M3 and discovery packets, but not in others. Allow it for the other packets as well, since required IEs are verified in the code anyway. Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
* Fix resource leaks on rsn_preauth_init() error pathsJouni Malinen2015-01-311-3/+16
| | | | | | | The l2_packet instances were not freed on some of the rsn_preauth_init() error paths. Signed-off-by: Jouni Malinen <j@w1.fi>
* Add Suite B 192-bit AKMJouni Malinen2015-01-266-48/+111
| | | | | | | WPA-EAP-SUITE-B-192 can now be used to select 192-bit level Suite B into use as the key management method. Signed-off-by: Jouni Malinen <j@w1.fi>
* Preparations for variable length KCK and KEKJouni Malinen2015-01-266-138/+135
| | | | | | | | This modifies struct wpa_ptk to allow the length of KCK and KEK to be stored. This is needed to allow longer keys to be used, e.g., with Suite B 192-bit level. Signed-off-by: Jouni Malinen <j@w1.fi>
* TDLS: Fix an interface addition error pathJouni Malinen2015-01-071-0/+2
| | | | | | | | It is possible for wpa_tdls_teardown_peers() to be called with sm == NULL in case interface addition fails before the WPA state machine is initialized. Signed-off-by: Jouni Malinen <j@w1.fi>
* TDLS: Propagate enable/disable channel-switch commands to driverArik Nemtsov2015-01-043-2/+119
| | | | | | | | | | | | The supplicant code does not try to control the actual channel of the radio at any point. It simply passes the target peer and channel parameters to the driver. It's the driver's responsibility to periodically initiate TDLS channel-switch operations when TDLS channel-switching is enabled. Allow enable/disable operations to be invoked via the control interface. Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
* TDLS: Track TDLS channel switch prohibition in BSSArik Nemtsov2015-01-042-14/+37
| | | | | | | Mark an appropriate sm flag when TDLS switch is prohibited by the AP. Populate the flag upon association with the AP. Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
* TDLS: Add channel-switch capability flagArik Nemtsov2015-01-043-4/+11
| | | | | | | Propagate a driver TDLS channel-switch support bit from nl80211 to TDLS code. Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
* Clear GTK from memory as soon as it is not needed anymoreJouni Malinen2014-12-291-1/+3
| | | | | | | | It was possible for the decrypted EAPOL-Key Key Data field to remain in heap after the temporary buffer was freed. Explicitly clear that buffer before freeing it to minimize the time GTK remains in memory. Signed-off-by: Jouni Malinen <j@w1.fi>
* Clear TK part of PTK after driver key configurationJouni Malinen2014-12-291-0/+4
| | | | | | | | | There is no need for wpa_supplicant to maintain a copy of the TK part of PTK after this has been configured to the driver, so clear that from heap memory and only maintain KEK and KCK during association to allow additional EAPOL-Key handshakes. Signed-off-by: Jouni Malinen <j@w1.fi>
* Clear temporary keys from WPA supplicant state machine when not neededJouni Malinen2014-12-291-2/+9
| | | | | | | | | | | | PMK and PTK are not needed in the supplicant state machine after disassociation since core wpa_supplicant will reconfigure them for the next association. As such, clear these from heap in wpa_sm_notify_disassoc() to reduce time and number of places storing key material in memory. In addition, clear FT keys in case of CONFIG_IEEE80211R=y build (sm->xxkey stored a copy of PSK in case of FT-PSK). Signed-off-by: Jouni Malinen <j@w1.fi>
* Check os_snprintf() result more consistently - manualJouni Malinen2014-12-081-1/+1
| | | | | | | | This converts os_snprintf() result validation cases to use os_snprintf_error() for cases that were note covered by spatch and semantic patches. Signed-off-by: Jouni Malinen <j@w1.fi>
* Check os_snprintf() result more consistently - automatic 1Jouni Malinen2014-12-083-7/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This converts os_snprintf() result validation cases to use os_snprintf_error() where the exact rule used in os_snprintf_error() was used. These changes were done automatically with spatch using the following semantic patch: @@ identifier E1; expression E2,E3,E4,E5,E6; statement S1; @@ ( E1 = os_snprintf(E2, E3, ...); | int E1 = os_snprintf(E2, E3, ...); | if (E5) E1 = os_snprintf(E2, E3, ...); else E1 = os_snprintf(E2, E3, ...); | if (E5) E1 = os_snprintf(E2, E3, ...); else if (E6) E1 = os_snprintf(E2, E3, ...); else E1 = 0; | if (E5) { ... E1 = os_snprintf(E2, E3, ...); } else { ... return -1; } | if (E5) { ... E1 = os_snprintf(E2, E3, ...); } else if (E6) { ... E1 = os_snprintf(E2, E3, ...); } else { ... return -1; } | if (E5) { ... E1 = os_snprintf(E2, E3, ...); } else { ... E1 = os_snprintf(E2, E3, ...); } ) ? os_free(E4); - if (E1 < 0 || \( E1 >= E3 \| (size_t) E1 >= E3 \| (unsigned int) E1 >= E3 \| E1 >= (int) E3 \)) + if (os_snprintf_error(E3, E1)) ( S1 | { ... } ) Signed-off-by: Jouni Malinen <j@w1.fi>
* Make GTK length validation easier to analyzeJouni Malinen2014-12-061-3/+6
| | | | | | | | | Bounds checking for gd->gtk_len in wpa_supplicant_check_group_cipher() was apparently too complex for some static analyzers. Use a local variable and a more explicit validation step to avoid false report. (CID 62864) Signed-off-by: Jouni Malinen <j@w1.fi>
* Suite B: Select EAPOL-Key integrity and key-wrap algorithms based on AKMJouni Malinen2014-11-162-11/+25
| | | | | | | | | This adds support for AKM 00-0F-AC:11 to specify the integrity and key-wrap algorithms for EAPOL-Key frames using the new design where descriptor version is set to 0 and algorithms are determined based on AKM. Signed-off-by: Jouni Malinen <j@w1.fi>
* Suite B: PMKID derivation for AKM 00-0F-AC:11Jouni Malinen2014-11-164-3/+31
| | | | | | | | | The new AKM uses a different mechanism of deriving the PMKID based on KCK instead of PMK. hostapd was already doing this after the KCK had been derived, but wpa_supplicant functionality needs to be moved from processing of EAPOL-Key frame 1/4 to 3/4 to have the KCK available. Signed-off-by: Jouni Malinen <j@w1.fi>
* Suite B: Add AKM 00-0F-AC:11Jouni Malinen2014-11-164-2/+8
| | | | | | | | This adds definitions for the 128-bit level Suite B AKM 00-0F-AC:11. The functionality itself is not yet complete, i.e., this commit only includes parts to negotiate the new AKM. Signed-off-by: Jouni Malinen <j@w1.fi>
* Work around AP misbehavior on EAPOL-Key descriptor versionJouni Malinen2014-11-141-0/+3
| | | | | | | | | | | | | | | | | | | It looks like some APs are incorrectly selecting descriptor version 3 (AES-128-CMAC) for EAPOL-Key frames when version 2 (HMAC-SHA1) was expected to be used. This is likely triggered by an attempt to negotiate PMF with SHA1-based AKM. Since AES-128-CMAC is considered stronger than HMAC-SHA1, allow the incorrect, but stronger, option to be used in these cases to avoid interoperability issues with deployed APs. This issue shows up with "WPA: CCMP is used, but EAPOL-Key descriptor version (3) is not 2" in debug log. With the new workaround, this issue is ignored and "WPA: Interoperability workaround: allow incorrect (should have been HMAC-SHA1), but stronger (is AES-128-CMAC), descriptor version to be used" is written to the log. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Add support for offloading key management operations to the driverChet Lanctot2014-10-233-0/+71
| | | | | | | | | This commit introduces a QCA vendor command and event to provide an option to use extended versions of the nl80211 connect/roam operations in a way that allows drivers to offload key management operations to the driver/firmware. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* SAE: Add support for PMKSA caching on the station sideJouni Malinen2014-10-182-2/+10
| | | | | | | | | This makes wpa_supplicant SME create PMKSA cache entries from SAE authentication and try to use PMKSA caching if an entry is found for the AP. If the AP rejects the attempt, fall back to SAE authentication is used. Signed-off-by: Jouni Malinen <j@w1.fi>