Commit graph

196 commits

Author SHA1 Message Date
Jouni Malinen
16c511449d FT: Store XXKey/MPMK in PMKSA cache instead of MSK (supplicant)
When completing FT initial mobility domain association with EAP, store
XXKey/MPMK in the PMKSA cache instead of MSK. The previously stored MSK
was of no use since it could not be used as the XXKey for another FT
initial mobility domain association using PMKSA caching.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-28 15:48:58 +03:00
Jouni Malinen
0a1a82db92 FT: Allow 4-way handshake for PTK rekeying to continue without PMK/PMKID
There is no PMK/PMKID when going through 4-way handshake during an
association started with FT protocol, so need to allow the operation to
proceed even if there is no selected PMKSA cache entry in place.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-19 01:05:41 +03:00
Jouni Malinen
824cb5a530 RSN: Ignore IGTK configuration errors with swapped KeyID values
There are number of deployed APs with broken PMF implementation where
the IGTK KDE uses swapped bytes in the KeyID field (0x0400 and 0x0500
instead of 4 and 5). Such APs cannot be trusted to implement BIP
correctly or provide a valid IGTK, so do not try to configure this key
with swapped KeyID bytes. Instead, continue without configuring the IGTK
so that the driver can drop any received group-addressed robust
management frames due to missing keys.

Normally, this error behavior would result in us disconnecting, but
there are number of deployed APs with this broken behavior, so as an
interoperability workaround, allow the connection to proceed.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-16 19:31:34 +03:00
Jouni Malinen
dfdabd917a RSN: Report completion only after IGTK configuration
Previously wpa_supplicant_key_neg_complete() was called before the
attempt to configure the IGTK received from the authenticator. This
could resulted in somewhat surprising sequence of events if IGTK
configuration failed since completion event would be followed by
immediate disconnection event. Reorder these operations so that
completion is reported only if GTK and IGTK are configurated
successfully.

Furthermore, check for missing GTK KDE in case of RSN and handle that
with an explicit disconnection instead of waiting for the AP to deliver
the GTK later.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-16 19:31:08 +03:00
Jouni Malinen
10ec6a5f38 DPP2: PFS for PTK derivation
Use Diffie-Hellman key exchange to derivate additional material for
PMK-to-PTK derivation to get PFS. The Diffie-Hellman Parameter element
(defined in OWE RFC 8110) is used in association frames to exchange the
DH public keys. For backwards compatibility, ignore missing
request/response DH parameter and fall back to no PFS in such cases.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-18 18:32:31 +02:00
Jouni Malinen
ecacd9ccd4 DPP2: Extend wpa_pmk_to_ptk() to support extra Z.x component in context
DPP allows Diffie-Hellman exchange to be used for PFS in PTK derivation.
This requires an additional Z.x (x coordinate of the DH shared secret)
to be passed to wpa_pmk_to_ptk(). This commit adds that to the function
and updates all the callers to pass NULL,0 for that part in preparation
of the DPP specific changes to start using this.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-18 01:31:31 +02:00
Jouni Malinen
b5e57699af FILS+FT: STA mode validation of PMKR1Name in initial MD association
Verify that the AP uses matching PMKR1Name in (Re)Association Response
frame when going through FT initial mobility domain association using
FILS. Thise step was missing from the initial implementation, but is
needed to match the IEEE 802.11ai requirements for explicit confirmation
of the FT key hierarchy (similarly to what is done in FT 4-way handshake
when FILS is not used).

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-13 19:15:13 +02:00
Jouni Malinen
525923b1d7 tests: EAPOL-Key fuzzing tool
Add test-eapol program that can be used for fuzzing the EAPOL-Key
Supplicant and Authenticator implementations. This tool can write
Supplicant or Authenticator messages into a file as an initialization
step and for the fuzzing step, that file (with potential modifications)
can be used to replace the internally generated message contents.

The TEST_FUZZ=y build parameter is used to make a special build where a
hardcoded random number generator and hardcoded timestamp are used to
force deterministic behavior for the EAPOL-Key operations. This will
also make the implementation ignore Key MIC and AES keywrap errors to
allow processing of modified messages to continue further.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-02-11 02:35:29 +02:00
Jouni Malinen
02a0a23939 RSN: Do not start preauthentication timer without candidates
There is no need to schedule the postponed RSN preauthentication start
if there are no candidates. Avoid wasting eloop resources for this.

This is most useful for fuzz testing of the 4-way handshake
implementation to avoid getting stuck waiting for this unnecessary one
second time when using eloop to coordinate the Authenticator and
Supplicant state machines.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-02-11 02:35:29 +02:00
Mathy Vanhoef
99621dc16c OCV: Include and verify OCI in the FILS handshake
Include and verify the OCI element in FILS (Re)Association Request and
Response frames.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-12-17 15:50:12 +02:00
Mathy Vanhoef
aed61c4efa OCV: Verify OCI in 4-way and group key handshake
Verify the received OCI element in the 4-way and group key handshakes.
If verification fails, the handshake message is silently dropped.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-12-17 15:42:23 +02:00
Mathy Vanhoef
17c2559caf OCV: Insert OCI in 4-way and group key handshake
If Operating Channel Verification is negotiated, include the OCI KDE
element in EAPOL-Key msg 2/4 and 3/4 of the 4-way handshake and both
messages of the group key handshake.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-12-17 00:02:14 +02:00
Mathy Vanhoef
55c12f5d37 OCV: Advertise OCV capability in RSN capabilities (STA)
Set the OCV bit in RSN capabilities (RSNE) based on station mode
configuration.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-12-16 20:49:27 +02:00
Johannes Berg
94919da24d RSN: Use COMPACT_MACSTR to match MAC2STR
We shouldn't open-code the %02x... when we have COMPACT_MACSTR.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2018-10-16 12:33:22 +03:00
Jouni Malinen
17d4b77472 RSN: Do not replace existing Suite B PMKSA on 4-way handshake
PMKID derivation with the Suite B AKMs is a special case compared to
other AKMs since that derivation uses KCK instead of PMK as an input.
This means that the PMKSA cache entry can be added only after KCK has
been derived during 4-way handshake. This also means that PMKID would
change every time 4-way handshake is repeated even when maintaining the
same PMK (i.e., during PTK rekeying and new associations even if they
use PMKSA caching).

wpa_supplicant was previously replacing the PMKSA cache entry whenever a
new PMKID was derived. This did not match hostapd expectations on the AP
side since hostapd did not update the PMKSA cache entry after it was
created. Consequently, PMKSA caching could be used only once (assuming
no PTK rekeying happened before that). Fix this by making wpa_supplicant
behave consistently with hostapd, i.e., by adding the Suite B PMKSA
cache entries with the PMKID from the very first 4-way handshake
following PMK derivation and then not updating the PMKID.

IEEE Std 802.11-2016 is somewhat vague in this area and it seems to
allow both cases to be used (initial PMKID or any consecutive PMKID
derived from the same PMK). While both cases could be supported that
would result in significantly more complex implementation and need to
store multiple PMKID values. It looks better to clarify the standard to
explicitly note that only the first PMKID derived after PMK derivation
is used (i.e., match the existing hostapd implementation).

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-09-27 11:37:19 +03:00
Mathy Vanhoef
3e34cfdff6 WPA: Ignore unauthenticated encrypted EAPOL-Key data
Ignore unauthenticated encrypted EAPOL-Key data in supplicant
processing. When using WPA2, these are frames that have the Encrypted
flag set, but not the MIC flag.

When using WPA2, EAPOL-Key frames that had the Encrypted flag set but
not the MIC flag, had their data field decrypted without first verifying
the MIC. In case the data field was encrypted using RC4 (i.e., when
negotiating TKIP as the pairwise cipher), this meant that
unauthenticated but decrypted data would then be processed. An adversary
could abuse this as a decryption oracle to recover sensitive information
in the data field of EAPOL-Key messages (e.g., the group key).
(CVE-2018-14526)

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-08-08 16:51:35 +03:00
Jouni Malinen
c3e4f40cd6 FT: Derive PMKR0Name/PMKR1Name using SHA-384 with AKM 00-0F-AC:13
The AKM 00-0F-AC:13 is supposed to use cryptographic algorithms
consistently, but the current IEEE 802.11 standard is not doing so for
the key names: PMKID (uses SHA-1), PMKR0Name/PMKR1Name (uses SHA-256).
The PMKID case was already implemented with SHA-384 and this commit
replaces use of SHA-256 with SHA-384 for PMKR0Name/PMKR1Name derivation
to be consistent in SHA-384. While this is not compliant with the
current IEEE 802.11 standard, this is clearly needed to meet CNSA Suite
requirements. Matching change is being proposed in REVmd to get the IEEE
802.11 standard to meet the use case requirements.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-06-06 23:59:46 +03:00
Jouni Malinen
9a33737a0b FT: FTE parsing for SHA384-based AKM
The MIC field is now a variable length field, so make the FTE parser
aware of the two different field lengths.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-06-05 19:29:53 +03:00
Jouni Malinen
994eac7e61 FT: PMK-R0 derivation using SHA384-based AKM
Signed-off-by: Jouni Malinen <j@w1.fi>
2018-06-05 19:29:53 +03:00
Jouni Malinen
9f12271b2a FT: XXKey derivation for SHA384-based AKM
XXKey is the first 384 bits of MSK when using the SHA384-based FT AKM.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-06-05 19:29:52 +03:00
Jouni Malinen
a3e18dbb6a FT: Support variable length keys
This is a step in adding support for SHA384-based FT AKM.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-06-05 19:29:52 +03:00
Ahmad Masri
3dc3afe298 FT: Add MDE to assoc request IEs in connect params
Add MDE (mobility domain element) to Association Request frame IEs in
the driver assoc params. wpa_supplicant will add MDE only if the network
profile allows FT, the selected AP supports FT, and the mobility domain
ID matches.

Signed-off-by: Ahmad Masri <amasri@codeaurora.org>
2018-04-20 00:32:49 +03:00
Jouni Malinen
852b2f2738 SAE: Only allow SAE AKMP for PMKSA caching attempts
Explicitly check the PMKSA cache entry to have matching SAE AKMP for the
case where determining whether to use PMKSA caching instead of new SAE
authentication. Previously, only the network context was checked, but a
single network configuration profile could be used with both WPA2-PSK
and SAE, so should check the AKMP as well.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-04-09 19:34:44 +03:00
Jouni Malinen
1bd131105b Clear pmk_len more consistently for extra protection
This gives more protection against unexpected behavior if RSN supplicant
code ends up trying to use sm->pmk[] with a stale value. Couple of the
code paths did not clear sm->pmk_len explicitly in cases where the old
PMK is being removed, so cover those cases as well to make sure these
will result in PMK-to-PTK derivation failures rather than use of
incorrect PMK value if such a code path could be reached somehow.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-04-08 19:44:05 +03:00
Jouni Malinen
d555c39c41 FILS: Fix CONFIG_FILS=y build without CONFIG_IEEE80211R=y
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-03-26 12:33:52 +03:00
Jouni Malinen
a03f9d17ea SAE: Fix FT-SAE key derivation for a case where PMKID in msg 1/4 matches
Previously, matching PMKSA cache entry ended up clearing XXKey. However,
that XXKey is needed in the specific case where FT-SAE goes through the
initial mobility domain association with SAE authentication. FT-SAE
worked previously since the hostapd side generation of the particular
PMKID value in msg 1/4 was broken, but once that PMKID is fixed,
wpa_supplicant will need this fix to allow FT-SAE to be used.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-03-23 18:44:48 +02:00
Jouni Malinen
4bc801ab42 SAE: Fix EAPOL-Key integrity and key-wrap algorithm selection
The SAE AKM 00-0F-AC:8 is supposed to use EAPOL-Key Key Descriptor
Version 0 (AKM-defined) with AES-128-CMAC and NIST AES Key Wrap.
However, the previous implementation ended up using Key Descriptor
Version 2 (HMAC-SHA-1-128 and NIST AES Key Wrap). Fix this by using the
appropriate Key Descriptor Version and integrity algorithm. Use helper
functions to keep the selection clearer and more consistent between
wpa_supplicant and hostapd uses.

Note: This change is not backwards compatible. Both the AP and station
side implementations will need to be updated at the same time to
maintain functionality.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-03-16 13:36:42 +02:00
andrekorol
a68e0d869f Fix a typo in a comment (the variable is ptk, not pkt)
Signed-off-by: Andre Rossi Korol <anrobits@yahoo.com.br>
2017-10-21 12:02:54 +03:00
Jouni Malinen
c0fe5f125a Clear BSSID information in supplicant state machine on disconnection
This fixes a corner case where RSN pre-authentication candidate from
scan results was ignored if the station was associated with that BSS
just before running the new scan for the connection.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-10-17 01:15:24 +03:00
Jouni Malinen
a6ea665300 Additional consistentcy checks for PTK component lengths
Verify that TK, KCK, and KEK lengths are set to consistent values within
struct wpa_ptk before using them in supplicant. This is an additional
layer of protection against unexpected states.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-10-17 00:07:17 +03:00
Jouni Malinen
bb06748f45 Make last received ANonce available through control interface
This makes it easier to debug 4-way handshake implementation issues
without having to use a sniffer.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-10-16 17:47:24 +03:00
Jouni Malinen
b488a12948 Clear PMK length and check for this when deriving PTK
Instead of setting the default PMK length for the cleared PMK, set the
length to 0 and explicitly check for this when deriving PTK to avoid
unexpected key derivation with an all-zeroes key should it be possible
to somehow trigger PTK derivation to happen before PMK derivation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-10-16 02:03:47 +03:00
Jouni Malinen
00583ef111 Add debug prints on PMK configuration in WPA supplicant
This makes it easier to understand the cases where PMK gets configured
based on information from upper layer call (e.g., a PSK).

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-10-16 02:03:47 +03:00
Mathy Vanhoef
a00e946c1c WPA: Extra defense against PTK reinstalls in 4-way handshake
Currently, reinstallations of the PTK are prevented by (1) assuring the
same TPTK is only set once as the PTK, and (2) that one particular PTK
is only installed once. This patch makes it more explicit that point (1)
is required to prevent key reinstallations. At the same time, this patch
hardens wpa_supplicant such that future changes do not accidentally
break this property.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2017-10-16 02:03:47 +03:00
Jouni Malinen
a0bf1b68c0 Remove all PeerKey functionality
This was originally added to allow the IEEE 802.11 protocol to be
tested, but there are no known fully functional implementations based on
this nor any known deployments of PeerKey functionality. Furthermore,
PeerKey design in the IEEE Std 802.11-2016 standard has already been
marked as obsolete for DLS and it is being considered for complete
removal in REVmd.

This implementation did not really work, so it could not have been used
in practice. For example, key configuration was using incorrect
algorithm values (WPA_CIPHER_* instead of WPA_ALG_*) which resulted in
mapping to an invalid WPA_ALG_* value for the actual driver operation.
As such, the derived key could not have been successfully set for the
link.

Since there are bugs in this implementation and there does not seem to
be any future for the PeerKey design with DLS (TDLS being the future for
DLS), the best approach is to simply delete all this code to simplify
the EAPOL-Key handling design and to get rid of any potential issues if
these code paths were accidentially reachable.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-10-16 02:03:47 +03:00
Jouni Malinen
e760851176 FILS: Do not allow multiple (Re)Association Response frames
The driver is expected to not report a second association event without
the station having explicitly request a new association. As such, this
case should not be reachable. However, since reconfiguring the same
pairwise or group keys to the driver could result in nonce reuse issues,
be extra careful here and do an additional state check to avoid this
even if the local driver ends up somehow accepting an unexpected
(Re)Association Response frame.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-10-16 02:03:47 +03:00
Jouni Malinen
2a9c5217b1 FT: Do not allow multiple Reassociation Response frames
The driver is expected to not report a second association event without
the station having explicitly request a new association. As such, this
case should not be reachable. However, since reconfiguring the same
pairwise or group keys to the driver could result in nonce reuse issues,
be extra careful here and do an additional state check to avoid this
even if the local driver ends up somehow accepting an unexpected
Reassociation Response frame.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-10-16 02:03:47 +03:00
Mathy Vanhoef
53bb18cc8b Prevent installation of an all-zero TK
Properly track whether a PTK has already been installed to the driver
and the TK part cleared from memory. This prevents an attacker from
trying to trick the client into installing an all-zero TK.

This fixes the earlier fix in commit
ad00d64e7d ('Fix TK configuration to the
driver in EAPOL-Key 3/4 retry case') which did not take into account
possibility of an extra message 1/4 showing up between retries of
message 3/4.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2017-10-16 02:03:47 +03:00
Jouni Malinen
87e2db16ba Extend protection of GTK/IGTK reinstallation of WNM-Sleep Mode cases
This extends the protection to track last configured GTK/IGTK value
separately from EAPOL-Key frames and WNM-Sleep Mode frames to cover a
corner case where these two different mechanisms may get used when the
GTK/IGTK has changed and tracking a single value is not sufficient to
detect a possible key reconfiguration.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-10-16 02:03:47 +03:00
Mathy Vanhoef
cb5132bb35 Prevent reinstallation of an already in-use group key
Track the current GTK and IGTK that is in use and when receiving a
(possibly retransmitted) Group Message 1 or WNM-Sleep Mode Response, do
not install the given key if it is already in use. This prevents an
attacker from trying to trick the client into resetting or lowering the
sequence counter associated to the group key.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2017-10-16 02:03:47 +03:00
Jouni Malinen
5a78c36194 OWE: PMKSA caching in station mode
This extends OWE support in wpa_supplicant to allow PMKSA caching to be
used.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-09 12:12:54 +03:00
Jouni Malinen
ec9f483774 OWE: Support DH groups 20 (NIST P-384) and 21 (NIST P-521) in station
This extends OWE support in wpa_supplicant to allow DH groups 20 and 21
to be used in addition to the mandatory group 19 (NIST P-256). The group
is configured using the new network profile parameter owe_group.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-08 17:12:35 +03:00
Jouni Malinen
675112df1b OWE: Set PMK length properly on supplicant side
sm->pmk_len was not set when deriving the PMK as part of OWE key
generation. This depending on wpa_sm_set_pmk_from_pmksa() call resetting
the value to the default. While this worked for many cases, this is not
correct and can have issues with network profile selection based on
association information. For example, the OWE transition mode cases
would hit an issue here.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-08 17:12:35 +03:00
Jouni Malinen
4cada9dcc1 FILS: Add DHss into FILS-Key-Data derivation when using FILS SK+PFS
This part is missing from IEEE Std 802.11ai-2016, but the lack of DHss
here means there would not be proper PFS for the case where PMKSA
caching is used with FILS SK+PFS authentication. This was not really the
intent of the FILS design and that issue was fixed during REVmd work
with the changes proposed in
https://mentor.ieee.org/802.11/dcn/17/11-17-0906-04-000m-fils-fixes.docx
that add DHss into FILS-Key-Data (and PTK, in practice) derivation for
the PMKSA caching case so that a unique ICK, KEK, and TK are derived
even when using the same PMK.

Note: This is not backwards compatible, i.e., this breaks PMKSA caching
with FILS SK+PFS if only STA or AP side implementation is updated.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-09-13 22:17:58 +03:00
Jouni Malinen
3a5954ef98 Add mgmt_group_cipher to wpa_supplicant STATUS command
This can be used to check which management group cipher is used in an
association that uses PMF.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-07-03 14:28:24 +03:00
Jouni Malinen
567da5bbd0 DPP: Add new AKM
This new AKM is used with DPP when using the signed Connector to derive
a PMK. Since the KCK, KEK, and MIC lengths are variable within a single
AKM, this needs number of additional changes to get the PMK length
delivered to places that need to figure out the lengths of the PTK
components.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-19 21:13:17 +03:00
Jouni Malinen
7d440a3bc4 FILS: Derive FT key hierarchy on supplicant side for FILS+FT
Derive PMK-R0 and the relevant key names when using FILS authentication
for initial FT mobility domain association. Fill in the FT IEs in
(Re)Association Request frame for this.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-05-07 22:08:41 +03:00
Jouni Malinen
215eaa748b FILS: Implement FILS-FT derivation
This extends fils_pmk_to_ptk() to allow FILS-FT to be derived. The
callers do not yet use that capability; i.e., actual use will be added
in separate commits.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-05-07 17:04:29 +03:00
Jouni Malinen
e6b6231338 FILS: Fix Key-Auth derivation for SK+PFS for supplicant side
The conditional gSTA and gAP (DH public keys) were not previously
included in Key-Auth derivation, but they are needed for the PFS case.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-05-07 17:04:29 +03:00
Vidyullatha Kanchanapally
b44d1efd28 FILS: Fix key info in GTK rekey EAPOL-Key msg 2/2
While responding to EAPOL-Key message 1/2 with EAPOL-Key message 2/2
when using FILS AKM suites the ENCRYPTED bit is not set in key info of
2/2 which causes AP to drop 2/2. Fix this by setting the ENCRYPTED bit
since FILS AKM based connection uses AEAD encryption/decryption.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-04-10 16:18:11 +03:00