Commit graph

14492 commits

Author SHA1 Message Date
Jouni Malinen
16d4f10691 EAP-pwd: Check element x,y coordinates explicitly
This adds an explicit check for 0 < x,y < prime based on RFC 5931,
2.8.5.2.2 requirement. The earlier checks might have covered this
implicitly, but it is safer to avoid any dependency on implicit checks
and specific crypto library behavior. (CVE-2019-9498 and CVE-2019-9499)

Furthermore, this moves the EAP-pwd element and scalar parsing and
validation steps into shared helper functions so that there is no need
to maintain two separate copies of this common functionality between the
server and peer implementations.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-09 17:11:15 +03:00
Mathy Vanhoef
8ad8585f91 EAP-pwd client: Verify received scalar and element
When processing an EAP-pwd Commit frame, the server's scalar and element
(elliptic curve point) were not validated. This allowed an adversary to
bypass authentication, and act as a rogue Access Point (AP) if the
crypto implementation did not verify the validity of the EC point.

Fix this vulnerability by assuring the received scalar lies within the
valid range, and by checking that the received element is not the point
at infinity and lies on the elliptic curve being used. (CVE-2019-9499)

The vulnerability is only exploitable if OpenSSL version 1.0.2 or lower
is used, or if LibreSSL or wolfssl is used. Newer versions of OpenSSL
(and also BoringSSL) implicitly validate the elliptic curve point in
EC_POINT_set_affine_coordinates_GFp(), preventing the attack.

Signed-off-by: Mathy Vanhoef <mathy.vanhoef@nyu.edu>
2019-04-09 17:11:15 +03:00
Mathy Vanhoef
d63edfa902 EAP-pwd server: Detect reflection attacks
When processing an EAP-pwd Commit frame, verify that the peer's scalar
and elliptic curve element differ from the one sent by the server. This
prevents reflection attacks where the adversary reflects the scalar and
element sent by the server. (CVE-2019-9497)

The vulnerability allows an adversary to complete the EAP-pwd handshake
as any user. However, the adversary does not learn the negotiated
session key, meaning the subsequent 4-way handshake would fail. As a
result, this cannot be abused to bypass authentication unless EAP-pwd is
used in non-WLAN cases without any following key exchange that would
require the attacker to learn the MSK.

Signed-off-by: Mathy Vanhoef <mathy.vanhoef@nyu.edu>
2019-04-09 17:11:15 +03:00
Mathy Vanhoef
70ff850e89 EAP-pwd server: Verify received scalar and element
When processing an EAP-pwd Commit frame, the peer's scalar and element
(elliptic curve point) were not validated. This allowed an adversary to
bypass authentication, and impersonate any user if the crypto
implementation did not verify the validity of the EC point.

Fix this vulnerability by assuring the received scalar lies within the
valid range, and by checking that the received element is not the point
at infinity and lies on the elliptic curve being used. (CVE-2019-9498)

The vulnerability is only exploitable if OpenSSL version 1.0.2 or lower
is used, or if LibreSSL or wolfssl is used. Newer versions of OpenSSL
(and also BoringSSL) implicitly validate the elliptic curve point in
EC_POINT_set_affine_coordinates_GFp(), preventing the attack.

Signed-off-by: Mathy Vanhoef <mathy.vanhoef@nyu.edu>
2019-04-09 17:11:15 +03:00
Jouni Malinen
ac8fa9ef19 SAE: Fix confirm message validation in error cases
Explicitly verify that own and peer commit scalar/element are available
when trying to check SAE confirm message. It could have been possible to
hit a NULL pointer dereference if the peer element could not have been
parsed. (CVE-2019-9496)

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-09 17:11:15 +03:00
Jouni Malinen
cff138b074 SAE: Use constant time operations in sae_test_pwd_seed_ffc()
Try to avoid showing externally visible timing or memory access
differences regardless of whether the derived pwd-value is smaller than
the group prime.

This is related to CVE-2019-9494.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-09 17:11:15 +03:00
Jouni Malinen
f8f20717f8 SAE: Use const_time selection for PWE in FFC
This is an initial step towards making the FFC case use strictly
constant time operations similarly to the ECC case.
sae_test_pwd_seed_ffc() does not yet have constant time behavior,
though.

This is related to CVE-2019-9494.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-09 17:11:15 +03:00
Jouni Malinen
90839597cc SAE: Mask timing of MODP groups 22, 23, 24
These groups have significant probability of coming up with pwd-value
that is equal or greater than the prime and as such, need for going
through the PWE derivation loop multiple times. This can result in
sufficient timing different to allow an external observer to determine
how many rounds are needed and that can leak information about the used
password.

Force at least 40 loop rounds for these MODP groups similarly to the ECC
group design to mask timing. This behavior is not described in IEEE Std
802.11-2016 for SAE, but it does not result in different values (i.e.,
only different timing), so such implementation specific countermeasures
can be done without breaking interoperability with other implementation.

Note: These MODP groups 22, 23, and 24 are not considered sufficiently
strong to be used with SAE (or more or less anything else). As such,
they should never be enabled in runtime configuration for any production
use cases. These changes to introduce additional protection to mask
timing is only for completeness of implementation and not an indication
that these groups should be used.

This is related to CVE-2019-9494.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-09 17:11:15 +03:00
Jouni Malinen
362704dda0 SAE: Avoid branches in is_quadratic_residue_blind()
Make the non-failure path in the function proceed without branches based
on r_odd and in constant time to minimize risk of observable differences
in timing or cache use. (CVE-2019-9494)

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-09 17:11:15 +03:00
Jouni Malinen
6513db3e96 SAE: Minimize timing differences in PWE derivation
The QR test result can provide information about the password to an
attacker, so try to minimize differences in how the
sae_test_pwd_seed_ecc() result is used. (CVE-2019-9494)

Use heap memory for the dummy password to allow the same password length
to be used even with long passwords.

Use constant time selection functions to track the real vs. dummy
variables so that the exact same operations can be performed for both QR
test results.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-09 17:11:15 +03:00
Jouni Malinen
aaf65feac6 EAP-pwd: Use constant time and memory access for finding the PWE
This algorithm could leak information to external observers in form of
timing differences or memory access patterns (cache use). While the
previous implementation had protection against the most visible timing
differences (looping 40 rounds and masking the legendre operation), it
did not protect against memory access patterns between the two possible
code paths in the masking operations. That might be sufficient to allow
an unprivileged process running on the same device to be able to
determine which path is being executed through a cache attack and based
on that, determine information about the used password.

Convert the PWE finding loop to use constant time functions and
identical memory access path without different branches for the QR/QNR
cases to minimize possible side-channel information similarly to the
changes done for SAE authentication. (CVE-2019-9495)

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-09 17:11:15 +03:00
Jouni Malinen
c93461c1d9 OpenSSL: Use constant time selection for crypto_bignum_legendre()
Get rid of the branches that depend on the result of the Legendre
operation. This is needed to avoid leaking information about different
temporary results in blinding mechanisms.

This is related to CVE-2019-9494 and CVE-2019-9495.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-09 17:11:15 +03:00
Jouni Malinen
6e34f618d3 Add helper functions for constant time operations
These functions can be used to help implement constant time operations
for various cryptographic operations that must minimize externally
observable differences in processing (both in timing and also in
internal cache use, etc.).

This is related to CVE-2019-9494 and CVE-2019-9495.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-09 17:11:15 +03:00
Jouni Malinen
d42c477cc7 OpenSSL: Use constant time operations for private bignums
This helps in reducing measurable timing differences in operations
involving private information. BoringSSL has removed BN_FLG_CONSTTIME
and expects specific constant time functions to be called instead, so a
bit different approach is needed depending on which library is used.

The main operation that needs protection against side channel attacks is
BN_mod_exp() that depends on private keys (the public key validation
step in crypto_dh_derive_secret() is an exception that can use the
faster version since it does not depend on private keys).

crypto_bignum_div() is currently used only in SAE FFC case with not
safe-prime groups and only with values that do not depend on private
keys, so it is not critical to protect it.

crypto_bignum_inverse() is currently used only in SAE FFC PWE
derivation. The additional protection here is targeting only OpenSSL.
BoringSSL may need conversion to using BN_mod_inverse_blinded().

This is related to CVE-2019-9494 and CVE-2019-9495.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-09 17:11:15 +03:00
Jouni Malinen
3ffeb7d8c8 tests: Test cases for X.509 certificate checking
This makes it easier to test various X.509 certificate validation steps
with the server certificate being generated and signed using pyOpenSSL
dynamically.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-09 16:24:38 +03:00
Jouni Malinen
242e857285 Extend domain_match and domain_suffix_match to allow list of values
These wpa_supplicant network profile parameters could be used to specify
a single match string that would be used against the dNSName items in
subjectAltName or CN. There may be use cases where more than one
alternative match string would be useful, so extend these to allow a
semicolon delimited list of values to be used (e.g.,
"example.org;example.com"). If any of the specified values matches any
of the dNSName/CN values in the server certificate, consider the
certificate as meeting this requirement.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-09 16:24:38 +03:00
Jouni Malinen
dcc0ccd5b0 wolfSSL: Fix dNSName matching with domain_match and domain_suffix_match
Incorrect gen->type value was used to check whether subjectAltName
contained dNSName entries. This resulted in all domain_match and
domain_suffix_match entries failing to find a match and rejecting the
server certificate. Fix this by checking against the correct type
definition for dNSName.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-09 16:24:38 +03:00
Jouni Malinen
83f13e4ff6 tests: Fix build without CONFIG_SAE
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-09 16:24:38 +03:00
Jouni Malinen
85b3bb6cc7 tests: ERP enabled on RADIUS server and peer and no wildcard user
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-09 00:12:35 +03:00
Jouni Malinen
3580ed8266 RADIUS server: Accept ERP keyName-NAI as user identity
Previously the EAP user database had to include a wildcard entry for ERP
to work since the keyName-NAI as User-Name in Access-Request would not
be recognized without such wildcard entry (that could point to any EAP
method). This is not ideal, so add a separate check to allow any stored
ERP keyName-NAI to be used for ERP without any requirement for the EAP
user database to contain a matching entry.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-09 00:10:20 +03:00
Jouni Malinen
8f5b1c40bd tests: scan_multi_bssid_check_ie to allow for Multi BSSID Index IE
cfg80211 was modified to allow the Multiple BSSID Index element to be
included in the IEs for a nontransmitted BSS. Update the validation step
in this test case to allow that different with the IEs in the Beacon
frame (transmitted BSS).

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-08 23:44:45 +03:00
Jouni Malinen
bbde461d7e Fix a typo in the Multiple BSSID Index element ID define
This was not used anywhere, so just rename the define to fix the typo.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-08 23:42:12 +03:00
Jouni Malinen
1326cb7653 DPP: Fix a regression in non-DPP, non-OpenSSL builds
Inclusion of common/dpp.h into hostapd/main.c brought in an undesired
unconditional dependency on OpenSSL header files even for builds where
DPP is not enabled. Fix this by making the dpp.h contents, and in
particular the inclusion of openssl/x509.h, conditional on CONFIG_DPP.

Fixes: 87d8435cf9 ("DPP: Common configurator/bootstrapping data management")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-08 18:13:19 +03:00
Jouni Malinen
db54db11ae SAE: Reject unsuitable groups based on REVmd changes
The rules defining which DH groups are suitable for SAE use were
accepted into IEEE 802.11 REVmd based on this document:
https://mentor.ieee.org/802.11/dcn/19/11-19-0387-02-000m-addressing-some-sae-comments.docx

Enforce those rules in production builds of wpa_supplicant and hostapd.
CONFIG_TESTING_OPTIONS=y builds can still be used to select any o the
implemented groups to maintain testing coverage.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-08 18:11:00 +03:00
Jouni Malinen
8e607b1b62 tests: Change most SAE test cases to use suitable groups
Reduce testing dependency on the unsuitable groups so that a test case
against a production build would not fail the test case unnecessarily.
This is in preparation of making production builds
(CONFIG_TESTING_OPTIONS not defined) of wpa_supplicant hostapd disable
all DH groups that have been indicated as being unsuitable.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-08 18:03:59 +03:00
Andrei Otcheretianski
6bb9d9a8db AP: Avoid NULL use with snprintf string
identity_buf may be NULL here. Handle this case explicitly by printing
"N/A" instead relying on snprintf converting this to "(null)" or some
other value based on unexpected NULL pointer.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2019-04-06 18:49:26 +03:00
Andrei Otcheretianski
f6b5b6bb4f tests: Skip DPP configuration test
Skip wpas_config_file_key_mgmt if DPP is not supported.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2019-04-06 17:14:38 +03:00
Ilan Peer
0a42f1eded scan: Use normal scans after connection failure
In case of connection attempt failure, set 'normal_scans'
to zero, as otherwise it is possible that scheduled scan
would be used and not normal scan, which might delay the
next connection attempt.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2019-04-06 17:13:10 +03:00
Andrei Otcheretianski
0f7db7743d tests: Flush correct iface in P2PS stale group removal tests
FLUSH should be done on P2P device interface, otherwise the networks are
not removed. Fix that.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2019-04-06 17:06:38 +03:00
Brendan Jackman
bbed23aee6 hostapd: Reduce minimum beacon interval from 15 to 10 TUs
Very short beacon intervals can be useful for certain scenarios such
as minimising association time on PBSSs. Linux supports a minimum of
10[1] so let's reduce the minimum to match that.

[1] https://elixir.bootlin.com/linux/latest/ident/cfg80211_validate_beacon_int

Signed-off-by: Brendan Jackman <brendan.jackman@bluwireless.co.uk>
2019-04-06 17:05:09 +03:00
Ilan Peer
0487967153 OWE: Fix a possible memory leak on error path
Properly handle the case where OWE IE is allocated, but
there is no space left to add it in the WPA IE buffer.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2019-04-06 17:02:13 +03:00
Ilan Peer
277fa92b37 crypto: Fix unreachable code in tls_prf_sha1_md5()
While commit 1c156e783d ("Fixed tls_prf() to handle keys with
odd length") added support for keys with odd length, the function
never reached this code as the function would return earlier in
case the key length was odd. Fix this by removing the first check
for the key length.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2019-04-06 17:00:07 +03:00
Jouni Malinen
78ed42d8a2 tests: ERP/FILS with external hostapd process as RADIUS server
Signed-off-by: Jouni Malinen <j@w1.fi>
2019-04-06 16:47:38 +03:00
Jouni Malinen
3d93e26e66 tests: SAE test vector from IEEE P802.11-REVmd/D2.1, Annex J.10
Signed-off-by: Jouni Malinen <j@w1.fi>
2019-04-06 13:26:15 +03:00
Sunil Dutt
e5711b6181 Add a QCA vendor attribute to carry the reason for roaming
This commit introduces an attribute
QCA_WLAN_VENDOR_ATTR_ROAM_AUTH_REASON to carry the roam reason code
through QCA_NL80211_VENDOR_SUBCMD_KEY_MGMT_ROAM_AUTH event.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-05 21:15:16 +03:00
Ankita Bajaj
005585d602 nl80211: Add SAE, FT-SAE, FT-EAP-SHA384 AKMs in connect request
This is needed for full MAC drivers that use NL80211_CMD_CONNECT
for issuing connect request.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-05 21:02:37 +03:00
Peng Xu
edcaf16f9e P2P: Enable HE for both 2G and 5G bands
Previously HE was only enabled for a 2G P2P GO. This change enables HE
for both 2G and 5G P2P GO.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-05 20:59:48 +03:00
Ankita Bajaj
822c756e8c MBO: Update connect params with new MBO attributes to driver
MBO attributes Non-preferred channel list and Cellular capabilities are
updated using WNM-Notification Request frame to the current connected
BSS. These same attributes need to be added in the (Re)Association
Request frame sent by the station when roaming, including the case where
the driver/firmware takes care of SME/MLME operations during roaming, so
we need to update the MBO IE to the driver.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-05 20:56:03 +03:00
Ankita Bajaj
74f8e768f2 MBO: Always include Non-preferred Channel Report attribute in AssocReq
Include the Non-preferred Channel Report attribute in (Re)Association
Request frames even when the MBO STA has no non-preferred channels in
any operating classes. In case of no non-preferred channels the
attribute length field shall be set to zero and the Operating Class,
Channel List, Preference and Reason Code fields shall not be included.
This indicates to the MBO AP that the MBO STA has no non-preferred
channels access all supported operating classes.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-05 20:43:59 +03:00
Jouni Malinen
bd23daa8e6 DPP: Move GAS encapsulation into dpp_build_conf_req()
Avoid duplicated code in each user of dpp_build_conf_req() by moving the
common encapsulation case into this helper function.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-03 19:10:47 +03:00
Jouni Malinen
be609c6fc6 SAE: Fix commit message override with external authentication
Do not add duplicate Transaction Sequence and Status Code fields when
using test functionality to override SAE commit message.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-01 13:28:26 +03:00
Jouni Malinen
d08ef5798d tests: sigma_dut controlled AP with PSK, SAE, FT
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-01 13:28:26 +03:00
Jouni Malinen
9af1eea37a Prefer FT-SAE over FT-PSK if both are enabled
FT-SAE is considered stronger than FT-PSK, so prefer it over FT-PSK
similarly to how SAE is preferred over WPA-PSK.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-28 03:27:35 +02:00
Jouni Malinen
853bd19f22 Add more debug prints on suite selector selection
This makes it a bit easier to figure out why wpa_supplicant selects a
specific cipher/AKM for association.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-28 02:58:00 +02:00
Jouni Malinen
659f7954f4 tests: WPA2-EAP-FT with SHA384 using REASSOCIATE
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-28 01:57:10 +02:00
Jouni Malinen
6d77014e71 Suite B: Prefer FT-EAP-SHA384 over WPA-EAP-SUITE-B-192
If both of these AKMs are enabled in the wpa_supplicant network profile
and the target AP advertises support for both, prefer the FT version
over the non-FT version to allow FT to be used.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-28 01:57:10 +02:00
Jouni Malinen
1211031a60 tests: WPA2-FT-SAE AP and PMKSA caching for initial MD association
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-27 04:04:16 +02:00
Jouni Malinen
ab3aebcce5 SAE: Fix PMKSA cache entry search for FT-SAE case
Previously, PMKSA cache entries were search for AKM=SAE and that did not
find an entry that was created with FT-SAE when trying to use FT-SAE
again. That resulted in having to use full SAE authentication instead of
the faster PMKSA caching alternative.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-27 04:03:12 +02:00
Jouni Malinen
253ce212ee Add AKM info in the debug message noting PMKSA caching entry addition
This is useful for debugging issues where an expected PMKSA cache entry
is not found.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-27 04:02:19 +02:00
vamsi krishna
6fe3f0f798 FT-SAE: Use PMK as XXKey in AP when SAE PMKSA caching is used
When connected using FT-SAE key mgmt, use PMK from PMKSA cache as XXKey
for PMK-R0 and PMK-R1 derivations. This fixes an issue where FT key
hierarchy could not be established due to missing (not yet configured)
XXKey when using SAE PMKSA caching for the initial mobility domain
association.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-27 04:01:26 +02:00