Commit graph

18391 commits

Author SHA1 Message Date
Jouni Malinen
5ea7a2f545 DPP: Drop PMKSA entry if AP reject association due to invalid PMKID
This is needed to avoid trying the subsequent connections with the old
PMKID that the AP claims not to hold and continues connection failures.
This was already handled for the SME-in-the-driver case in commit commit
50b77f50e8 ("DPP: Flush PMKSA if an assoc reject without timeout is
received"), but the wpa_supplicant SME case did not have matching
processing.

Add the needed check to avoid recover from cases where the AP has
dropped its PMKSA cache entry. Do this only based on the specific status
code value (53 = invalid PMKID) and only for the PMKSA entry that
triggered this failure to minimize actions taken based on an unprotected
(Re)Association Response frame.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-11-20 11:08:26 +02:00
Jouni Malinen
1e602adabb tests: Add PMKSA cache entry again in dpp_akm_sha*
This is going to be needed once wpa_supplicant starts dropping the PMKSA
cache entry on status code 53 (invalid PMKID) rejection of association.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-11-20 11:08:26 +02:00
Jouni Malinen
f49b604555 tests: Fix pasn-init fuzz tester build
Change of the wpas_pasn_start() prototype did not update the fuzzer
tool.

Fixes: 309765eb66 ("PASN: Use separate variables for BSSID and peer address")
Signed-off-by: Jouni Malinen <j@w1.fi>
2022-11-19 17:21:45 +02:00
Jouni Malinen
4840b45a26 Fix empty pmksa_cache_get()
The addition of the "spa" argument was missed in the empty inline
function.

Fixes: 9ff778fa4b ("Check for own address (SPA) match when finding PMKSA entries")
Signed-off-by: Jouni Malinen <j@w1.fi>
2022-11-19 17:19:49 +02:00
Jouni Malinen
3abd0c4719 SAE: Print rejection of peer element clearly in debug log
Depending on the crypto library, crypto_ec_point_from_bin() can fail if
the element is not on curve, i.e., that error may show up before getting
to the explicit crypto_ec_point_is_on_curve() check. Add a debug print
for that earlier call so that the debug log is clearly identifying
reason for rejecting the SAE commit message.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-11-10 21:31:14 +02:00
Jouni Malinen
6cb34798f8 tests: SAE-EXT-KEY, H2E, and rejected groups indication
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-11-10 21:13:05 +02:00
Jouni Malinen
252729d902 tests: Random MAC address with PMKSA caching
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-11-10 21:13:05 +02:00
Jouni Malinen
9ff778fa4b Check for own address (SPA) match when finding PMKSA entries
This prevents attempts of trying to use PMKSA caching when the existing
entry was created using a different MAC address than the one that is
currently being used. This avoids exposing the longer term PMKID value
when using random MAC addresses for connections.

In practice, similar restriction was already done by flushing the PMKSA
cache entries whenever wpas_update_random_addr() changed the local
address or when the interface was marked down (e.g., for an external
operation to change the MAC address).

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-11-10 21:13:05 +02:00
Jouni Malinen
9f04a9c8dd Store own MAC address (SPA) in supplicant PMKSA cache entries
This is needed to be able to determine whether a PMKSA cache entry is
valid when using changing MAC addresses. This could also be used to
implement a mechanism to restore a previously used MAC address instead
of a new random MAC address.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-11-10 21:13:05 +02:00
Jouni Malinen
f1f796a39f tests: hostapd dump_msk_file
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-11-10 21:13:05 +02:00
Vinay Gannevaram
309765eb66 PASN: Use separate variables for BSSID and peer address
Using separate variables for BSSID and peer address is needed to support
Wi-Fi Aware (NAN) use cases where the group address is used as the BSSID
and that could be different from any other peer address. The
infrastructure BSS cases will continue to use the AP's BSSID as both the
peer address and BSSID for the PASN exchanges.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-11-10 21:12:50 +02:00
Vinay Gannevaram
42f0c44d84 PASN: Use peer address instead of BSSID as the destination for initiator
Rename struct pasn_data::bssid to peer_addr to be better aligned with
different use cases of PASN and its extensions. This is a step towards
having option to use different peer address and BSSID values for NAN use
cases.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-11-10 21:03:23 +02:00
Jouni Malinen
153739b4ff wlantest: Clone new PTK to all potentially matching STA entries for MLO
It is possible for there to be multiple STA entries (e.g., one for each
BSS) when a sniffer capture contains multiple associations using MLO.
For such cases, the new PTK information needs to be updated to all
existing STA entries to be able to find the latest TK when decrypting
following frames since the other STA entries might be located first when
trying to figure out how to decrypt a frame.

In addition to the PTK, copy the MLD MAC addresses to the other STA and
BSS entries to make sure the latest values are used when trying to
decrypt frames.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-11-09 22:55:35 +02:00
Veerendranath Jakkam
15583802b9 nl80211: Allow up to 64-byte PMK in NL80211_CMD_SET_PMKSA
Kernel commit 22e76844c566 - ("ieee80211: Increase PMK maximum length to
 64 bytes") increased the maximum allowed length for NL80211_ATTR_PMK to
64 bytes. Thus, allow sending 64 bytes PMK in NL80211_CMD_SET_PMKSA and
if NL80211_CMD_SET_PMKSA fails with ERANGE try NL80211_CMD_SET_PMKSA
again without PMK. Also, skip sending PMK when PMK length is greater
than 64 bytes.

This is needed for some newer cases like DPP with NIST P-521 and
SAE-EXT-KEY with group 21. The kernel change from 48 to 64 octets is
from February 2018, so the new limit should be available in most cases
that might want to use these new mechanisms. Maintain a backwards
compatible fallback option for now to cover some earlier needs for DPP.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2022-11-09 13:21:46 +02:00
Jouni Malinen
1e0b7379d6 tests: FT with mobility domain changes
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-11-09 00:54:41 +02:00
Jouni Malinen
bbe5f0c1eb FT: Do not try to use FT protocol between mobility domains
wpa_supplicant has support for only a single FT key hierarchy and as
such, cannot use more than a single mobility domain at a time. Do not
allow FT protocol to be started if there is a request to reassociate to
a different BSS within the same ESS if that BSS is in a different
mobility domain. This results in the initial mobility domain association
being used whenever moving to another mobility domain.

While it would be possible to add support for multiple FT key hierachies
and multiple mobility domains in theory, there does not yet seem to be
sufficient justification to add the complexity needed for that due to
limited, if any, deployment of such networks. As such, it is simplest to
just prevent these attempts for now and start with a clean initial
mobility domain association.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-11-09 00:54:41 +02:00
Utkarsh Soni
b92f61885c Don't use default RSNE/RSNXE when the driver indicates cross SSID roaming
During cross SSID roaming wpa_supplicant ended up using the default
RSNE/RSNXE in EAPOL-Key msg 2/4 though the driver indicated
(Re)Association Request frame elements without RSNE/RSNXE. This causes
RSNE/RSNXE mismatch between (Re)Association Request frame and EAPOL-Key
msg 2/4.

To avoid this skip copying the default RSNE/RSNXE if the driver
indicates the actually used (Re)Association Request frame elements in
the association event.

Signed-off-by: Utkarsh Soni <quic_usoni@quicinc.com>
2022-11-08 16:01:12 +02:00
Jouni Malinen
d7febe33f6 MLO: Remove unnecessary debug prints about clearing AP RSNE/RSNXE
There is no help from seeing 32 lines of debug prints about clearing
AP's RSNE/RSNXE information for each potential link when such
information has not been set in the first place. These were printed even
when there is no use of MLO whatsoever, so get rid of the prints for any
case where the value has not yet been set.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-11-08 14:35:35 +02:00
Rhythm Patwa
16d913bfd8 Define AFC vendor commands and events
Wi-Fi Alliance specification for Automated Frequency Coordination (AFC)
system ensures that the Standard Power Wi-Fi devices can operate in 6
GHz spectrum under favorable conditions, without any interference with
the incumbent devices.

Add support for vendor command/events and corresponding
attributes to define the interface for exchanging AFC requests and
responses between the driver and a userspace application.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-11-07 21:09:09 +02:00
Jouni Malinen
46f5cf9280 OpenSSL: Fix additional HPKE corner cases
Commit 820211245b ("OpenSSL: Fix HPKE in some corner cases") increased
the buffer size for EVP_PKEY_derive() by 16 octets, but it turns out
that OpenSSL might need significantly more room in some cases. Replace a
fixed length buffer with dynamic query for the maximum size and
allocated buffer to cover that need.

This showed up using the following test case sequence:
dbus_pkcs11 module_wpa_supplicant

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-11-07 18:01:33 +02:00
Jouni Malinen
0ccb3b6cf2 tests: External password storage for SAE
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-11-07 14:02:55 +02:00
Ben Wolsieffer
bdc35acd5a SAE: Allow loading of the password from an external database
There was no support for loading SAE passwords from an external password
database.

Signed-off-by: Ben Wolsieffer <benwolsieffer@gmail.com>
2022-11-07 14:02:55 +02:00
Ben Wolsieffer
48dd8994ac Fix external passwords with 4-way handshake offloading
Passphrases/PSKs from external password databases were ignored if 4-way
handshake offloading was supported by the driver. Split the PSK loading
functionality into a separate function and calls if to get the PSK for
handshake offloading.

I tested connecting to a WPA2-PSK network with both inline and external
passphrases, using the iwlwifi and brcmfmac drivers.

Signed-off-by: Ben Wolsieffer <benwolsieffer@gmail.com>
2022-11-07 14:02:55 +02:00
Gioele Barabucci
e5a7c852cc systemd: Use interface name in description of interface-specific units
In a system with multiple interfaces, the boot messages as well as the
status information provided by `systemctl` can be confusing without
an immediate way to differentiate between the different interfaces.

Fix this by adding the interface name to the unit description.

Signed-off-by: Gioele Barabucci <gioele@svario.it>
2022-11-07 14:02:55 +02:00
Jouni Malinen
a0628f8a50 OpenSSL: Remove unused assignment from HPKE expand
The length of labeled_info is determined separately, so there is no need
to increment the pos pointer after the final entry has been added.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-11-07 14:02:55 +02:00
Jouni Malinen
3e1a04afa1 nl80211: Check that attribute addition succeeds in offloaded PASN case
Check nla_put_flag() return value to be consistent with other nla_put*()
uses.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-11-07 14:02:55 +02:00
Jouni Malinen
0658a22ef1 GAS: Try to make buffer length determination easier for static analyzers
The received frame buffer was already verified to be long enough to
include the Advertisement Protocol element and that element was verified
to have a valid length value, but use of adv_proto[1] in another
function may have been too difficult to figure out for analyzers.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-11-07 14:02:28 +02:00
Jouni Malinen
271ce71c7a FT: Fix PMK-R0 derivation for FT-SAE-EXT-KEY with SHA512
Not only the hash[] array, but also the r0_key_data[] array needs to be
extended in size to fit the longer key and salt.

Fixes: a76a314c15 ("FT: Extend PMK-R0 derivation for FT-SAE-EXT-KEY")
Signed-off-by: Jouni Malinen <j@w1.fi>
2022-11-07 00:29:39 +02:00
Rohan Dutta
2f61d703a1 MLD STA: Group key handshake processing for GTK/IGTK/BIGTK rekeying
Add support for group rekeying in MLO connection. Parse per link MLO
GTK/IGTK/BIGTK KDEs from Group Key msg 1/2 and configure to the driver.

Signed-off-by: Rohan Dutta <quic_drohan@quicinc.com>
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2022-11-06 23:36:49 +02:00
Rohan Dutta
f0760aa6dd MLD STA: Use AP MLD address as destination for 4-way handshake EAPOL-Key frames
Use AP MLD address as the destination address for EAPOL-Key 4-way
handshake frames since authenticator/supplicant operates above MLD. The
driver/firmware will use RA/TA based on the link used for transmitting
the EAPOL frames.

Signed-off-by: Rohan Dutta <quic_drohan@quicinc.com>
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2022-11-06 23:36:49 +02:00
Veerendranath Jakkam
8f2e493bec MLD STA: Validation of MLO KDEs for 4-way handshake EAPOL-Key frames
Validate new KDEs defined for MLO connection in EAPOL-Key msg 1/4 and
3/4 and reject the 4-way handshake frames if any of the new KDE data is
not matching expected key data.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2022-11-06 23:36:49 +02:00
Veerendranath Jakkam
f15cc834cb MLD STA: Processing of EAPOL-Key msg 3/4 frame when using MLO
Process EAPOL-Key msg 3/4 and configure PTK and per-link GTK/IGTK/BIGTK
keys to the driver when MLO is used.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2022-11-06 23:36:49 +02:00
Veerendranath Jakkam
08512e5f35 MLD STA: Extend key configuration functions to support Link ID
Add support to specify a Link ID for set key operation for MLO
connection. This does not change the existing uses and only provides the
mechanism for extension in following commits.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2022-11-06 23:36:49 +02:00
Rohan Dutta
a4adb2f3e1 MLD STA: Configure TK to the driver using AP MLD address
Configure TK to the driver with AP MLD address with MLO is used. Current
changes are handling only EAPOL-Key 4-way handshake and FILS
authentication cases, i.e., FT protocol case needs to be addressed
separately.

Signed-off-by: Rohan Dutta <quic_drohan@quicinc.com>
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2022-11-06 23:36:49 +02:00
Veerendranath Jakkam
fa5cad61a4 MLD STA: Use AP MLD address in PMKSA entry
Use the AP MLD address instead of the BSSID of a link as the
authenticator address in the PMKSA entry.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2022-11-06 23:36:36 +02:00
Rohan Dutta
052bf8a51b MLD STA: Use AP MLD address to derive pairwise keys
Use AP MLD address to derive pairwise keys for MLO connection. Current
changes are handling only PTK derivation during EAPOL-Key 4-way
handshake and FILS authentication, i.e., FT protocol case needs to be
addressed separately.

Signed-off-by: Rohan Dutta <quic_drohan@quicinc.com>
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2022-11-06 18:29:36 +02:00
Veerendranath Jakkam
e784372564 MLD STA: Add MLO KDEs for EAPOL-Key msg 2/4 and 4/4
Add new KDEs introduced for MLO connection as specified in
12.7.2 EAPOL-Key frames, IEEE P802.11be/D2.2.
- Add MAC and MLO Link KDE for each own affliated link (other than the
  link on which association happened) in EAPOL-Key msg 2/4.
- Add MAC KDE in 4/4 EAPOL frame.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2022-11-06 18:19:22 +02:00
Veerendranath Jakkam
472a0b8d60 MLD STA: Set MLO connection info to wpa_sm
Update the following MLO connection information to wpa_sm:
- AP MLD address and link ID of the (re)association link.
- Bitmap of requested links and accepted links
- Own link address for each requested link
- AP link address, RSNE and RSNXE for each requested link

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2022-11-06 18:04:09 +02:00
Veerendranath Jakkam
cc2236299f nl80211: Get all requested MLO links information from (re)association events
Currently only accepted MLO links information is getting parsed from
(re)association events. Add support to parse all the requested MLO links
information including rejected links. Get the rejected MLO links
information from netlink attributes if the kernel supports indicating
per link status. Otherwise get the rejected MLO links information by
parsing (Re)association Request and Response frame elements.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2022-11-06 17:49:09 +02:00
Jouni Malinen
66d7f554e2 tests: Fuzz testing for PASN
Add test tools for fuzzing PASN initiator and responder handling of
received PASN Authentication frames.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-11-06 17:22:14 +02:00
Jouni Malinen
2e840fb2ab tests: Fix CC and CFLAGS default processing for fuzzing
"make LIBFUZZER=y" was supposed to set CC and CFLAGS to working values
by default if not overridden by something external. That did not seem to
work since the defaults from the other build system components ended up
setting these variables before the checks here. Fix this by replacing
the known default values for non-fuzzing builds.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-11-06 17:11:47 +02:00
Jouni Malinen
1ca5c2ec2a PASN: Fix spelling of RSNE in debug messages
Signed-off-by: Jouni Malinen <j@w1.fi>
2022-11-06 17:11:47 +02:00
Jouni Malinen
a43536a72b PASN: Verify explicitly that elements are present before parsing
Make sure the elements were present before trying to parse them. This
was already done for most cases, but be consistent and check each item
explicitly before use.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-11-06 17:10:45 +02:00
Jouni Malinen
7e38524076 PASN: Fix MIC check not to modify const data
The previous version was using typecasting to ignore const marking for
the input buffer to be able to clear the MIC field for MIC calculation.
That is not really appropriate and could result in issues in the future
if the input data cannot be modified. Fix this by using an allocated
copy of the buffer.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-11-06 16:52:06 +02:00
Jouni Malinen
8481c75091 PASN: Fix Authentication frame checks
The way type and subtype of the FC field was checked does not really
work correctly. Fix those to check all bits of the subfields. This does
not really make any practical difference, though, since the caller was
already checking this.

Furthermore, use a helper function to avoid having to maintain two
copies of this same functionality.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-11-06 11:42:58 +02:00
Beniamino Galvani
f899d7f378 dbus: Apply PMK properties immediately
Currently, PMK parameters in the WPA state machine are set from
configuration only when the interface is initialized. If those
parameters are changed later via D-Bus, the new values don't have any
effect.

Call wpa_sm_set_param() when PMK-related D-Bus properties are changed
to immediately apply the new value; the control interface also does
something similar.

Signed-off-by: Beniamino Galvani <bgalvani@redhat.com>
2022-11-05 17:49:41 +02:00
Jeffery Miller
c6f8af507e Add option to disable SAE key_mgmt without PMF
Add the `sae_check_mfp` global option to limit SAE when PMF will
not be selected for the connection.
With this option SAE is avoided when the hardware is not capable
of PMF due to missing ciphers.
With this option SAE is avoided on capable hardware when the AP
does not enable PMF.

Allows falling back to PSK on drivers with the
WPA_DRIVER_FLAGS_SAE capability but do not support the BIP cipher
necessary for PMF. This enables configurations that can fall back
to WPA-PSK and avoid problems associating with APs configured
with `sae_require_mfp=1`.

Useful when `pmf=1` and `sae_check_mfp=1` are enabled and networks
are configured with ieee80211w=3 (default) and key_mgmt="WPA-PSK SAE".
In this configuration if the device is unable to use PMF due to
lacking BIP group ciphers it will avoid SAE and fallback to
WPA-PSK for that connection.

Signed-off-by: Jeffery Miller <jefferymiller@google.com>
2022-11-05 17:48:17 +02:00
Glenn Strauss
7ad757ec01 Document crypto_ec_key_get_subject_public_key() to use compressed format
Document in src/crypto/crypto.h that compressed point format is expected
in DER produced by crypto_ec_key_get_subject_public_key(). This is the
format needed for both SAE-PK and DPP use cases that are the current
users of this function.

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-11-05 17:31:51 +02:00
Jouni Malinen
6527a76566 DPP: Stop listen mode for chirp-initiated Authentication exchange
Stop listen mode if there is not sufficient time remaining to complete
the Authentication exchange within the current remain-on-channel
operation. This speeds up the operation and avoids some timeouts that
could prevent the provisioning step from completing. This addresses an
issue that was found in the following test case sequence:
dpp_controller_relay_discover dpp_chirp_ap_5g

Similar mechanism was already used for Reconfig Announcement frames, so
reuse that for this case with Presence Announcement frames.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-11-05 17:25:15 +02:00
Matthew Wang
2e73394426 P2P: Discount current operating frequency when scanning new connection
When scanning for a new connection, we currently optimize by scanning
all frequencies only when our MCC capabilities will allow an additional
operating frequency, and scan only the existing operating frequencies
otherwise. This is problematic when there the current operating
frequency singularly accounts for one of the shared radio frequencies
because we should be able to switch operating frequencies without adding
to the channel count. Fix this.

Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
2022-11-05 13:43:06 +02:00