Commit graph

17734 commits

Author SHA1 Message Date
Orr Mazor
16e755754f Add -q flag to hostapd in order to control log level
This allows the debugging level to be reduced from hostapd command line
similarly to the already existing flag in wpa_supplicant.

Signed-off-by: Orr Mazor <o.mazor@genexis.eu>
2022-05-07 21:37:08 +03:00
Jouni Malinen
29dcebea70 tests: WPA2-EAP AP with PMF and EAP frame injection
Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-07 21:37:08 +03:00
Jouni Malinen
8690374439 Discard unencrypted EAPOL/EAP when TK is set and PMF is enabled (AP)
RSN design is supposed to encrypt all Data frames, including EAPOL
frames, once the TK has been configured. However, there are deployed
implementations that do not really follow this design and there are
various examples from the older uses of EAPOL frame where those frames
were not encrypted. As such, strict filtering of unencrypted EAPOL
frames might results in undesired interoperation issues.

However, some of the most important cases of missing EAPOL frame
encryption should be possible to handle without causing too significant
issues. These are for cases where an attacker could potentially cause an
existing association to be dropped when PMF is used. EAPOL-Start and
EAPOL-Logoff are potential candidate for such attacks since those frames
could be used to terminate an authentication or initiate a new EAP
authentication. Such an attack could result in the station ending up
disconnecting or at minimum, getting into somewhat mismatching state
with the AP.

Drop EAPOL-Start/Logoff/EAP frames on the AP/Authenticator when it is
known that it was not encrypted but should have been and when PMF is
enabled. While it would be correct to drop this even without PMF, that
does not provide any significant benefit since it is trivial to force
disconnection in no-PMF cases. It should also be noted that not all
drivers provide information about the encryption status of the EAPOL
frames and this change has no impact with drivers that do not indicate
whether the frame was encrypted.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-07 21:37:08 +03:00
Jouni Malinen
3c2fbe9f56 Discard unencrypted EAPOL-EAP when TK is set and PMF is enabled
RSN design is supposed to encrypt all Data frames, including EAPOL
frames, once the TK has been configured. However, there are deployed
implementations that do not really follow this design and there are
various examples from the older uses of EAPOL frame where those frames
were not encrypted. As such, strict filtering of unencrypted EAPOL
frames might results in undesired interoperation issues.

However, some of the most important cases of missing EAPOL frame
encryption should be possible to handle without causing too significant
issues. These are for cases where an attacker could potentially cause an
existing association to be dropped when PMF is used. EAP-Request is one
potential candidate for such attacks since that frame could be used to
initiate a new EAP authentication and the AP/Authenticator might not
allow that to complete or a large number of EAP-Request frames could be
injected to exceed the maximum number of EAP frames. Such an attack
could result in the station ending up disconnecting or at minimum,
getting into somewhat mismatching state with the AP.

Drop EAPOL-EAP frames when it is known that it was not encrypted but
should have been and when PMF is enabled. While it would be correct to
drop this even without PMF, that does not provide any significant
benefit since it is trivial to force disconnection in no-PMF cases. It
should also be noted that not all drivers provide information about the
encryption status of the EAPOL frames and this change has no impact with
drivers that do not indicate whether the frame was encrypted.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-07 21:37:08 +03:00
Jouni Malinen
872a57500c Discard unencrypted EAPOL-Key msg 1/4 when TK is set and PMF is enabled
RSN design is supposed to encrypt all Data frames, including EAPOL
frames, once the TK has been configured. However, there are deployed
implementations that do not really follow this design and there are
various examples from the older uses of EAPOL frame where those frames
were not encrypted. As such, strict filtering of unencrypted EAPOL
frames might results in undesired interoperation issues.

However, some of the most important cases of missing EAPOL frame
encryption should be possible to handle without causing too significant
issues. These are for cases where an attacker could potentially cause an
existing association to be dropped when PMF is used. EAPOL-Key msg 1/4
is one potential candidate for such attacks since that frame could be
used to initiate a 4-way handshake that the real AP might never complete
and the station might end up disconnecting because of that or at
minimum, getting into somewhat mismatching state with the AP.

Drop EAPOL-Key msg 1/4 when it is known that it was not encrypted but
should have been and when PMF is enabled. While it would be correct to
drop this even without PMF, that does not provide any significant
benefit since it is trivial to force disconnection in no-PMF cases. It
should also be noted that not all drivers provide information about the
encryption status of the EAPOL frames and this change has no impact with
drivers that do not indicate whether the frame was encrypted.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-07 21:37:08 +03:00
Jouni Malinen
e6c0e12158 Do not prevent Michael MIC error report based on disallowed PTK0 rekey
EAPOL-Key Request frame with Error=1 is not really a request for a new
key, so allow that frame to be sent even if PTK0 rekey is not allowed
since the supplicant is required to report Michael MIC errors to the
authenticator.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-07 21:37:08 +03:00
Jouni Malinen
18c0ac8901 Provide information about the encryption status of received EAPOL frames
This information was already available from the nl80211 control port RX
path, but it was not provided to upper layers within wpa_supplicant and
hostapd. It can be helpful, so parse the information from the driver
event.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-07 21:37:03 +03:00
Jouni Malinen
7ee814201b FILS: Set pairwise_set when configuring TK after association
sm->pairwise_set needs to be set whenever the TK has been configured to
the driver to request following EAPOL frames to be encrypted (or more
specifically, not to request them to not be encrypted). The FILS case
missed this setting and that could result in rekeying or
reauthentication in an associated started with FILS not working
correctly.

Fixes: da24c5aa1c ("FILS: Set TK after association (AP)")
Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-07 20:36:49 +03:00
Jouni Malinen
98278c0de0 Fix no_encrypt flag in control port TX for rekeying
The wpa_supplicant check for whether a TK is configured into the driver
was broken during the time this information is needed for rekeying or
reauthenticating with another 4-way handshake. sm->ptk.installed is not
set at the point the EAPOL-Key msg 4/4 is sent and while that means the
initial 4-way handshake needs to prevent encryption, the consecutive
4-way handshake must not be doing that since the old key (TK) is still
in the driver. Fix this so that the EAPOL-Key msg 4/4 during rekeying
does not get transmitted without encryption.

Fixes: a79ed06871 ("Add no_encrypt flag for control port TX")
Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-07 18:54:09 +03:00
Jouni Malinen
8bbd62afe4 tests: PMF and EAPOL-Key msg 1/4 injection
Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-07 18:54:09 +03:00
Domien Schepers
b1172c19e1 WPA: Discard EAPOL-Key msg 1/4 with corrupted information elements
Currently a corrupted handshake message 1/4 causes the client to
disconnect from the network. This can lead to a denial-of-service
vulnerability allowing an adversary to forcibly disconnect a client from
protected networks even when Wi-Fi Management Frame Protection (MFP) is
enforced if the driver allows unencrypted EAPOL-Key frames to be
received after key configuration..

Fix this by discarding the corrupted handshake message 1/4.

This issue was discovered by Domien Schepers (Northeastern University)
and Mathy Vanhoef (imec-DistriNet, KU Leuven).

Signed-off-by: Domien Schepers <schepers.d@northeastern.edu>
2022-05-07 18:54:09 +03:00
Jouni Malinen
f8967ece23 tests: Do not require disconnection in ap_wpa2_psk_supp_proto_msg_1_invalid_kde
The wpa_supplicant implementation for this functionality is going to be
changed to not require disconnection, so prepare the test case to not
fail.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-07 18:54:09 +03:00
Jouni Malinen
4f0cff704b tests: WPA2-PSK with PMF and Association Request frame injection
Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-07 18:54:09 +03:00
Jouni Malinen
7a7a4ea578 Check need for SA Query/assoc comeback before updating RSNE parameters
wpa_validate_wpa_ie() might update sm->* values, so it should not be
allowed for an existing STA entry if that STA has negotiated MFP to be
used for the association. Fix this by first checking whether an SA Query
procedure needs to be initiated. In particular, this prevents a
potential bypass of the disconnection protection.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-07 18:52:13 +03:00
Veerendranath Jakkam
9d07b9447e tests: EHT open connection
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2022-05-05 13:26:05 +03:00
Veerendranath Jakkam
27e828d728 ACS: Send EHT enabled info to driver
The driver can consider EHT specific parameters such as the puncture
pattern for ACS when this flag attribute is indicated by userspace.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2022-05-05 13:25:44 +03:00
Veerendranath Jakkam
82066bd367 nl80211: Don't force VHT channel definition with EHT
Add a check to avoid sending VHT channel definition when EHT is enabled
in the 2.4 GHz band since the 2.4 GHz band isn't supposed to use VHT
operations. Also add EHT enabled info into debug prints.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2022-05-05 13:23:51 +03:00
Veerendranath Jakkam
43fe1ce35d EHT: Add [EHT] flag into AP mode STA command
This indicates whether an associated stations supports EHT.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2022-05-05 13:21:35 +03:00
Veerendranath Jakkam
696ad5c2d7 EHT: Indicate wifi_generation=7 in wpa_supplicant STATUS output
This adds wifi_generation=7 line to the STATUS output if the driver
reports (Re)Association Request frame and (Re)Association Response frame
information elements in the association or connection event with EHT
capability IEs.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2022-05-05 13:21:04 +03:00
Veerendranath Jakkam
4994c41f22 EHT: Indicate ieee80211be configuration in hostapd STATUS output
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2022-05-05 13:20:15 +03:00
Veerendranath Jakkam
50d8837106 EHT: Fix invalid length checking for EHT Capability element
Do not consider optional octets maximum lengths when validating EHT
fixed fields length. Furthermore, do not use the first two octets of the
PPE Thresholds field without explicitly confirming that these octets
were included in the element and fix PPE Thresholds field length
calculation.

Fixes: a6d1b4c46c ("EHT: Process (Re)Association Request frame capabilities")
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2022-05-05 13:19:56 +03:00
Veerendranath Jakkam
6c7b2be424 SAE: Send real status code to the driver when AP rejects external auth
Send the status code from the AP authentication response instead of
sending the hardcoded WLAN_STATUS_UNSPECIFIED_FAILURE when the external
SAE authentication failure is due to an explicit rejection by the AP.
This will allow the driver to indicate the correct status in connect
response.

For example, an AP can send WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA in
SAE authentication response. With this change the driver gets the real
status for the SAE authentication failure and it can fill the correct
status in the connect response event.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2022-05-05 13:08:16 +03:00
Sunil Ravi
2c78f11a9f Fix compilation due to forward declaration of macaddr_acl
enum macaddr_acl is forward declared in wpa_supplicant/ap.h.
c++ compiler doesn't allow forward declaration. So to fix the
compilation error, moved the enum macaddr_acl declaration out
of struct hostapd_bss_config.

Signed-off-by: Sunil Ravi <sunilravi@google.com>
2022-05-05 13:04:13 +03:00
Jouni Malinen
c8e822801d OpenSSL: Fix build with old library versions that do not support TLS 1.3
The OCSP check here is specific to TLS 1.3 and the TLS1_3_VERSION value
is not available in older library versions. Comment this check out from
such cases since it is not applicable with such an old library.

Fixes: 10746875e2 ("OpenSSL: Allow no OCSP response when resuming a session with TLS 1.3")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-05 13:04:13 +03:00
Jouni Malinen
c24e18e5c5 LibreSSL: Fix compilation issue with TLS 1.3 session ticket limit
LibreSSL does not seem have SSL_CTX_set_num_tickets(), so comment out
these not really critical calls when building with that library.

Fixes: 81e2498889 ("OpenSSL: Limit the number of TLS 1.3 session tickets to one")
Fixes: decac7cd1e ("OpenSSL: Do not send out a TLS 1.3 session ticket if caching disabled")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-05 13:03:59 +03:00
Jouni Malinen
eb5e639856 LibreSSL: Fix compilation issue with RSA-OAEP
EVP_PKEY_CTX_set_rsa_oaep_md() does not seem to be available in
LibreSSL, so for now, comment out this functionality whenever building
with that library.

Fixes: 36b11bbcff ("OpenSSL: RSA-OAEP-SHA-256 encryption/decryption")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-05 13:02:12 +03:00
Sunil Ravi
5d56cf1c71 BoringSSL: Fix compilation error due to TLS 1.3 session tickets
SSL_CTX_set_num_tickets() is not available in boringSSL.
So protect the call to SSL_CTX_set_num_tickets() under
!defined(OPENSSL_IS_BORINGSSL) to fix the compilation error.

Fixes: decac7cd1e ("OpenSSL: Do not send out a TLS 1.3 session ticket if caching disabled")
Fixes: 81e2498889 ("OpenSSL: Limit the number of TLS 1.3 session tickets to one")
Signed-off-by: Sunil Ravi <sunilravi@google.com>
2022-05-05 13:01:33 +03:00
Jouni Malinen
a561d12d24 EAP peer status notification for server not supporting RFC 5746
Add a notification message to indicate reason for TLS handshake failure
due to the server not supporting safe renegotiation (RFC 5746).

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-05 00:21:46 +03:00
Jouni Malinen
566ce69a8d EAP peer: Workaround for servers that do not support safe TLS renegotiation
The TLS protocol design for renegotiation was identified to have a
significant security flaw in 2009 and an extension to secure this design
was published in 2010 (RFC 5746). However, some old RADIUS
authentication servers without support for this are still used commonly.

This is obviously not good from the security view point, but since there
are cases where the user of a network service has no realistic means for
getting the authentication server upgraded, TLS handshake may still need
to be allowed to be able to use the network.

OpenSSL 3.0 disabled the client side workaround by default and this
resulted in issues connection to some networks with insecure
authentication servers. With OpenSSL 3.0, the client is now enforcing
security by refusing to authenticate with such servers. The pre-3.0
behavior of ignoring this issue and leaving security to the server can
now be enabled with a new phase1 parameter allow_unsafe_renegotiation=1.
This should be used only when having to connect to a network that has an
insecure authentication server that cannot be upgraded.

The old (pre-2010) TLS renegotiation mechanism might open security
vulnerabilities if the authentication server were to allow TLS
renegotiation to be initiated. While this is unlikely to cause real
issues with EAP-TLS, there might be cases where use of PEAP or TTLS with
an authentication server that does not support RFC 5746 might result in
a security vulnerability.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-05 00:20:19 +03:00
Jouni Malinen
ccb3206b61 Fix tls_connection_set_success_data() in TLS library wrappers
Some of the TLS library wrappers defined only an empty function for
tls_connection_set_success_data(). That could result in memory leaks in
TLS server cases, so update these to do the minimal thing and free the
provided buffer as unused.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-04 00:05:09 +03:00
Jouni Malinen
decac7cd1e OpenSSL: Do not send out a TLS 1.3 session ticket if caching disabled
Do not provide TLS 1.3 session tickets if session caching is disabled.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-02 18:07:50 +03:00
Jouni Malinen
05406f7ae8 EAP-PEAP server: Fix TLS 1.3 move to Phase 2 without a new session ticket
When a new session ticket is not issued to the peer, Phase 2 identity
request need to be sent out as a response to the Finished message from
the peer. Fix this to allow the TLS server to be configured to not send
out a new session ticket when using TLS 1.3.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-02 18:07:50 +03:00
Jouni Malinen
10746875e2 OpenSSL: Allow no OCSP response when resuming a session with TLS 1.3
TLS 1.3 sends the OCSP response with the server Certificate message.
Since that Certificate message is not sent when resuming a session,
there can be no new OCSP response. Allow this since the OCSP response
was validated when checking the initial certificate exchange.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-02 18:07:43 +03:00
Jouni Malinen
2be1bcaf74 EAP-TLS peer: Fix protected success indication check for resumed session
The internal flag prot_success_received was not cleared between the
sessions and that resulted in the resumed session not mandating the
protected success indication to be received. Fix this by clearing the
internal flag so that the EAP-TLS handshake using session resumption
with TLS 1.3 takes care of the required check before marking the
authentication successfully completed. This will make the EAP-TLS peer
reject an EAP-Success message should it be received without the
protected success indication.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-02 17:16:44 +03:00
Jouni Malinen
1c66276d9a EAP-TLS server: Send final TLS message for resumed session with TLS 1.3
The final message with NewSessionTicket and ApplicationData(0x00) was
already generated, but that was not sent out due the session considered
to be already completed. Fix this by actually sending out that message
to allow the peer to receive the new session ticket and protected
success indication when using resuming a session with TLS 1.3.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-02 17:16:44 +03:00
Jouni Malinen
81e2498889 OpenSSL: Limit the number of TLS 1.3 session tickets to one
One session ticket is sufficient for EAP-TLS, so do not bother
generating more than a single session ticket.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-02 17:16:39 +03:00
Yegor Yefremov
d26247c3de wpa_supplicant/README-WPS: Beautifications
Fix grammar, remove spaces, and new lines.

Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
2022-05-01 18:24:23 +03:00
Alexander Clouter
a8d058c939 OpenSSL: SSLKEYLOGFILE capability to allow Wireshark TLS decoding
A port of the trivial patch I wrote for FreeRADIUS to allow TLS decoding
in Wireshark for hostapd/wpa_supplicant:

df0eb0a884

Signed-off-by: Alexander Clouter <alex@coremem.com>
2022-05-01 18:23:59 +03:00
Juliusz Sosinowicz
3890fa5031 tests: Enable additional TLS test cases with wolfSSL
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2022-05-01 17:27:11 +03:00
Juliusz Sosinowicz
23f389068e wolfSSL: Fix OCSP stapling
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2022-05-01 17:27:04 +03:00
Juliusz Sosinowicz
a2971f8d8e wolfSSL: Allow TLS version 1.3 to be disabled
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2022-05-01 17:26:59 +03:00
Juliusz Sosinowicz
a40e48fbe1 wolfSSL: Fix TLS 1.3 session handling
Uses the changes to wolfSSL found in
https://github.com/wolfSSL/wolfssl/pull/5078

Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2022-05-01 17:26:52 +03:00
Juliusz Sosinowicz
0c3f68f2a0 wolfSSL: Check for the too-short-password error in pbkdf2_sha1()
This may fail with FIPS builds because the FIPS requirement is that the
password must be at least 14 characters.

Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2022-05-01 17:13:34 +03:00
Juliusz Sosinowicz
ca26224815 Check the return of pbkdf2_sha1() for errors
pbkdf2_sha1() may return errors and this should be checked in calls.
This is especially an issue with FIPS builds because the FIPS
requirement is that the password must be at least 14 characters.

Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2022-05-01 17:13:31 +03:00
Juliusz Sosinowicz
013cd694d9 wolfSSL: Fixes for FIPS builds
Some API is not available when using FIPS. We need to allocate memory
and initialize the structs directly.

Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2022-05-01 17:04:16 +03:00
Juliusz Sosinowicz
9d5f8168fc wolfSSL: Register a FIPS callback
Register a callback with wolfCrypt_SetCb_fips to inform the user of
errors in the wolfCrypt FIPS module.

Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2022-05-01 17:03:50 +03:00
Juliusz Sosinowicz
b3333a9f4c tests: Add a note for wolfSSL testing with Brainpool curves
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2022-05-01 17:02:31 +03:00
Juliusz Sosinowicz
8f36e6c0f4 wolfSSL: Implement crypto_ec_key wrappers
These are needed to support SAEK-PK with the wolfSSL backend.

Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2022-05-01 17:01:34 +03:00
Juliusz Sosinowicz
1f7e10177a wolfSSL: Add missing free calls for wolfSSL structs
In some configurations the wc_Init*() functions may either allocate
memory or other system resources. These resources need to be freed.

Co-authored-by: JacobBarthelmeh <jacob@wolfssl.com>
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2022-05-01 16:35:36 +03:00
Juliusz Sosinowicz
ec1cd91e72 wolfSSL: Support both DER and PEM blobs
Add support for loading private keys and certificates in both PEM and
DER formats with wolfSSL.

Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2022-05-01 16:34:39 +03:00