If a sniffer capture does not include FCS for each frame, but may
included frames with invalid FCS, it would be possible for wlantest to
try to decrypt the first received frame and fail (e.g., due to CCMP MIC
mismatch) because that particular frame was corrupted and then ignore
the following retry of that frame as a duplicate even if that retry has
different payload (e.g., if its reception did not show corruption).
Work around this by skipping duplicate frame detection immediately
following a decryption failure.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
DPP allows Diffie-Hellman exchange to be used for PFS in PTK derivation.
This requires an additional Z.x (x coordinate of the DH shared secret)
to be passed to wpa_pmk_to_ptk(). This commit adds that to the function
and updates all the callers to pass NULL,0 for that part in preparation
of the DPP specific changes to start using this.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Commit aab6612836 ('wlantest: Search
bss/sta entry more thoroughly for 4-address frames') allowed wlantest to
find a STA entry in this type of cases, but it was still possible for
that STA entry to be the one that has no derived PTK while the STA entry
for the other side of the link might have the derived PTK available.
Extend this BSS/STA selection mechanism to use sta->ptk_set to determine
which STA entry is more useful for decryption, i.e., select the one with
a known PTK.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Previous design worked for the case where only one of the devices was
beaconing, but failed in one direction to find the PTK if both devices
beaconed. Fix this by checking the A1/A2 fields in both directions if
the first pick fails to find the sta entry.
In addition, select the proper rsc value (rsc_tods vs. rsc_fromds) based
on A2 (TA) value for ToDS+FromDS frames to avoid reporting incorrect
replay issues.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
wlantest used to ignore RSN/WPA/OSEN element in (Re)Association Request
frame if no Beacon frame had been seen from the AP before the
association exchange. This could result in not being able to derive keys
properly. Work around this by skipping that step if the BSS entry is not
yet complete.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The length of the TK is available within struct wpa_ptk, so there is no
need to try to maintain it separately in wlantest.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This changes wlantest behavior to mark CCMP/TKIP replays for more cases
in case a device is resetting its TSC. Previously, the RSC check got
cleared on the first marked replay and the following packets were not
marked as replays if they continued incrementing the PN even if that PN
was below the highest value received with this key at some point in the
past.
Signed-off-by: Jouni Malinen <j@w1.fi>
This covers the case where 4-address Data frames are exchanged between
an AP and an associated station.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This part is missing from IEEE Std 802.11ai-2016, but the lack of DHss
here means there would not be proper PFS for the case where PMKSA
caching is used with FILS SK+PFS authentication. This was not really the
intent of the FILS design and that issue was fixed during REVmd work
with the changes proposed in
https://mentor.ieee.org/802.11/dcn/17/11-17-0906-04-000m-fils-fixes.docx
that add DHss into FILS-Key-Data (and PTK, in practice) derivation for
the PMKSA caching case so that a unique ICK, KEK, and TK are derived
even when using the same PMK.
Note: This is not backwards compatible, i.e., this breaks PMKSA caching
with FILS SK+PFS if only STA or AP side implementation is updated.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Try to derive PTK when FILS shared key authentication is used without
PFS. The list of available PMKs is interpreted as rMSK for this purpose
and PMK and PTK is derived from that. If the resulting PTK (KEK) can be
used to decrypt the encrypted parts of (Re)Association Request/Response
frames, mark the PTK as derived so that encrypted frames during the
association can be decrypted. In addition, write a decrypted version of
the (Re)Association Request/Response frames into the output file.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This new AKM is used with DPP when using the signed Connector to derive
a PMK. Since the KCK, KEK, and MIC lengths are variable within a single
AKM, this needs number of additional changes to get the PMK length
delivered to places that need to figure out the lengths of the PTK
components.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This was only written to pcapng files if both pcap and pcapng writing
was requested. Fix this for the case where only a pcapng file is being
written.
Signed-off-by: Jouni Malinen <j@w1.fi>
This leads to cleaner code overall, and also reduces the size
of the hostapd and wpa_supplicant binaries (in hwsim test build
on x86_64) by about 2.5 and 3.5KiB respectively.
The mechanical conversions all over the code were done with
the following spatch:
@@
expression SIZE, SRC;
expression a;
@@
-a = os_malloc(SIZE);
+a = os_memdup(SRC, SIZE);
<...
if (!a) {...}
...>
-os_memcpy(a, SRC, SIZE);
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
The new AEAD AKM option in FILS sets the MIC bit in EAPOL-Key frames to
0 for some ciphers, so the determination of EAPOL-Key frame types needs
changes to work with these cases.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Suite B 192-bit addition from IEEE Std 802.11ac-2013 replaced the
previous fixed length Key MIC field with a variable length field. That
change was addressed with an addition of a new struct defined for the
second MIC length. This is not really scalable and with FILS coming up
with a zero-length MIC case for AEAD, a more thorough change to support
variable length MIC is needed.
Remove the Key MIC and Key Data Length fields from the struct
wpa_eapol_key and find their location based on the MIC length
information (which is determined by the AKMP). This change allows the
separate struct wpa_eapol_key_192 to be removed since struct
wpa_eapol_key will now include only the fixed length fields that are
shared with all EAPOL-Key cases in IEEE Std 802.11.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This allows the CRC-32 routine to be shared for other purposes in
addition to the WEP/TKIP/FCS within wlantest.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
There is no strong need for pulling in linux/if_ether.h here since all
that is needed if ETH_P_IP and we already cover multiple other ETH_P_*
values in utils/common.h.
Signed-off-by: Jouni Malinen <j@w1.fi>
The addition operator is of higher precedence than the ternary
conditional and the construction here needs to use parentheses to
calculate the buffer length properly when generating test frames with
BIP protection.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This makes it easier to do live parsing of captured pcap files from
wlantest without having to rename and restart the capture file. Packet
writes are flushed to disk after each packet if -N is included in the
command line.
Signed-off-by: Jouni Malinen <j@w1.fi>
This adds minimal support for deriving keys for FT-PSK to allow the
initial mobility domain association to be analyzed in more detail.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
By analysing objdump output some read only structures were found in
.data section. To help compiler further optimize code declare these
as const.
Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sonymobile.com>
Remove the length field from struct ieee802_11_elems since the only
allowed element length is five and that is checked by the parser.
Signed-off-by: Jouni Malinen <j@w1.fi>
tdls_verify_mic() and tdls_verify_mic_teardown() could have tried to
read the 16-octet FTIE MIC when processing a TDLS frame even if the
received FTIE is truncated. At least in theory, this could result in
reading couple of octets beyond the frame buffer.
Signed-off-by: Jouni Malinen <j@w1.fi>
These functions did not verify that the received frame is long enough to
contain the beginning of the variable length IE area. A truncated frame
could have caused a segmentation fault due to reading beyond the buffer.
Signed-off-by: Jouni Malinen <j@w1.fi>
This modifies struct wpa_ptk to allow the length of KCK and KEK to be
stored. This is needed to allow longer keys to be used, e.g., with
Suite B 192-bit level.
Signed-off-by: Jouni Malinen <j@w1.fi>
This converts most of the remaining perror() and printf() calls from
hostapd and wpa_supplicant to use wpa_printf().
Signed-off-by: Jouni Malinen <j@w1.fi>
This adds support for AKM 00-0F-AC:11 to specify the integrity and
key-wrap algorithms for EAPOL-Key frames using the new design where
descriptor version is set to 0 and algorithms are determined based on
AKM.
Signed-off-by: Jouni Malinen <j@w1.fi>
This adds definitions for the 128-bit level Suite B AKM 00-0F-AC:11. The
functionality itself is not yet complete, i.e., this commit only
includes parts to negotiate the new AKM.
Signed-off-by: Jouni Malinen <j@w1.fi>
This adds kek_len argument to aes_wrap() and aes_unwrap() functions and
allows AES to be initialized with 192 and 256 bit KEK in addition to
the previously supported 128 bit KEK.
The test vectors in test-aes.c are extended to cover all the test
vectors from RFC 3394.
Signed-off-by: Jouni Malinen <j@w1.fi>
This allows Hotspot 2.0 OSEN connection to be analyzed more
conveniently. The frames from an OSEN association can now be decrypted
using an MSK file.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Rather than ignoring packets with a minimal 8-byte radiotap
header, which may occur elsewhere, tag generated (decrypted)
packets with an empty vendor namespace tag and ignore those.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Update the radiotap parser to the latest version of the
http://git.sipsolutions.net/radiotap.git/ library to get
parsing for vendor namespaces.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
These were somewhat more hidden to avoid direct use, but there are now
numerous places where these are needed and more justification to make
the extern int declarations available from wpa_debug.h. In addition,
this avoids some warnings from sparse.
Signed-hostap: Jouni Malinen <j@w1.fi>
Relative time shouldn't be calculated based on gettimeofday
because that clock can jump (e.g., when the time is adjusted
by the system administrator.)
On systems where that is available, use CLOCK_BOOTTIME (on
fairly recent Linux systems, this clock takes into account
the time spend suspended) or CLOCK_MONOTONIC (on Linux and
some POSIX systems, this clock is just freely running with
no adjustments.)
Reported-by: Holger Schurig <holgerschurig@gmail.com>
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
Some of the MIC validation steps were not logged in the pcapng notes.
Add these to make the entries more consistent and to provide more
information to ease debugging.
Signed-hostap: Jouni Malinen <j@w1.fi>
A text file with a hexdump of PTK (KCK|KEK=TK with 48 octets for CCMP or
64 octets for TKIP or alternative 16 or 32 octet TK for CCMP/TKIP) can
now be read from a file specified with the -T command line argument. If
the current known PTK fails to decrypt a frame (or if no current PTK is
known) all listed PTKs are iterated to see if any of them matches.
Signed-hostap: Jouni Malinen <j@w1.fi>
This allows wlantest debug log output to be directed to a file so that
RELOG command can be used to rotate files more easily than stdout.
Signed-hostap: Jouni Malinen <j@w1.fi>
Verify the expected value against P802.11ac/D7.0 CCMP-256, GCMP-256,
BIP-GMAC-128, and BIP-GMAC-256 test vectors.
Signed-hostap: Jouni Malinen <j@w1.fi>
IEEE Std 802.11ad-2012 includes two test vectors for GCMP. Verify both
of those and also verify that the results match the values in the
standard instead of just verifying that decrypted frame matches
original.
Signed-hostap: Jouni Malinen <j@w1.fi>
When writing pcap-ng files, always include a radiotap
header even if there wasn't one in the input. For now
just drop prism headers, I don't have any to test.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
Some corner cases may result in both directions of TDLS tracking context
existing. If that is the case, the incorrect one may end up getting
picked when figuring out which TK to use for decryption or fix
statistics counter to increment. Fix this by preferring the context that
has TDLS link up.
Signed-hostap: Jouni Malinen <j@w1.fi>
This adds debug information from wlantest into pcapng frame comments to
make the information more convenient to use, e.g., in Wireshark.
Signed-hostap: Jouni Malinen <j@w1.fi>
The new -n<file> command line argument can be used to request wlantest
to write all read or captured frames into a pcapng file. This is similar
to the -w argument, but with pcapng allowing per-frame comments to be
embedded in the file.
Signed-hostap: Jouni Malinen <j@w1.fi>
Injecting protected broadcast frames fails because of the unnecessary
null check for sta. In case of broadcast frames sta can be null, so
remove the check.
Reported-by: Janardhan R <janardhanr@posedge.com>
Signed-hostap: Chaitanya T K <chaitanyatk@posedge.com>
TK was incorrectly truncated in a way that resulted in CCMP (128-bit
key) encryption being used in practice.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
When using DLT_IEEE802_11 datalink type in a pcap file, wlantest will now
add a radiotap header to the re-written pcap file to make sure all frames
in the output file will include the radiotap header.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
When using DLT_IEEE802_11 datalink type in a pcap file, wlantest can now
be instructed to assume there is an FCS included in the frame by adding
the new -F command line argument. This will make wlantest validate the
FCS and strip it from the frame before processing.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This is needed to allow capture files from the mac80211 cooked monitor
mode interface to be processed properly. Without this, the locally
generated frames may not get processed.
Signed-hostap: Jouni Malinen <j@w1.fi>
This is a generic AES CCM implementation that can be used for other
purposes than just implementing CCMP, so it fits better in a separate
file in src/crypto.
Signed-hostap: Jouni Malinen <j@w1.fi>
This adds 192-bit and 256-bit key support to the internal AES
implementation and extends the AES-GCM functions to accept key length to
enable longer AES key use.
Signed-hostap: Jouni Malinen <j@w1.fi>
This is a generic AES GCM and GMAC implementation that can be used for
other purposes than just implementing GCMP, so it fits better in a
separate file in src/crypto.
Signed-hostap: Jouni Malinen <j@w1.fi>
There is no need to allocate a temporary buffer and build GHASH input
data into it. Instead, ghash() is trivial to split into update part that
can be called separately for each segment.
Signed-hostap: Jouni Malinen <j@w1.fi>
GCMP encodes length of AAD differently, so remove the unnecessary
code that got copied from the CCMP implementation.
Signed-hostap: Jouni Malinen <j@w1.fi>
This version can generate CCMP and TKIP test vectors that match with
the IEEE Std 802.11-2012, Annex M.6.3 and M.6.4.
Signed-hostap: Jouni Malinen <j@w1.fi>
The WPA/RSN IE in EAPOL-Key 2/4 is more reliable than the one in
(Re)Association Request frame. Update the STA info base don the
EAPOL-Key frame so that the correct cipher information is used
even if the (Re)Association Request frame is missing or corrupted
in the capture.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>