The MIC length depends on the negotiated group when SAE-EXT-KEY or OWE
key_mgmt is used. wlantest can determine the group if the capture file
includes the group negotiation, i.e., the initial association when a PMK
was created. However, if the capture file includes only an association
using PMKSA caching, the group information is not available. This can
result in inability to be able to process the EAPOL-Key frames (e.g.,
with the "Truncated EAPOL-Key from" message).
If the negotiated group is not known and an EAPOL-Key frame length does
not seem to match the default expectations for group 19, check whether
the alternative lengths for group 20 or 21 would result in a frame that
seems to have valid length. If so, update the STA entry with the guessed
group and continue processing the EAPOL-Key frames based on this.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
The "Updated AP MLD MAC Address from EAPOL-Key 1/4" can be confusing
when there is actually no change.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
The Key MIC field is of variable length when using OWE, so determine the
correct length based on which group was negotiated for OWE during
association.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This is needed to derive the PTK correct when Secure LTF support is used
and the additional KDK component needs to be taken into account.
Signed-off-by: Adil Saeed Musthafa <quic_adilm@quicinc.com>
Prefer a BSS entry that has a matching STA entry when processing
EAPOL-Key frames. This avoids issues where some combination of MLD
and/or link addresses are used in a sequence that could end up
generating two separate STA entries for the same non-AP MLD.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
The BSSID (RA/TA) might differ from SA/DA for the AP, so print it as
well in the debug entry for EAPOL-Key frames.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
It is possible for there to be multiple STA entries (e.g., one for each
BSS) when a sniffer capture contains multiple associations using MLO.
For such cases, the new PTK information needs to be updated to all
existing STA entries to be able to find the latest TK when decrypting
following frames since the other STA entries might be located first when
trying to figure out how to decrypt a frame.
In addition to the PTK, copy the MLD MAC addresses to the other STA and
BSS entries to make sure the latest values are used when trying to
decrypt frames.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Extend wlantest capabilities to cover the new SAE-EXT-KEY AKM and
variable length MIC field and key lengths for it based on the used SAE
group.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Update bss entries for all affiliated links whenever learning
GTK/IGTK/BIGTK from EAPOL-Key msg 3/4 or group msg 1/2.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Allow a single STA entry to be found for a non-AP MLD regardless of
which link MAC address was used to transmit/receive it.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Check the Beacon/Probe Response frame RSNE against the RSNE within the
MLO Link KDE for the current affiliated link instead of RSNE when
processing the EAPOL-Key msg 3/4 Key Data field.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Make this easier to understand by using the appropriately named function
to parse KDEs/IEs in the Key Data field of EAPOL-Key frames instead of
using the wrapper function that is there just to provide the old
function name for wpa_supplicant.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
SA/DA in EAPOL-Key frames might not be the BSSID when MLO is used. Check
for these cases to avoid adding unexpected BSS entries for AP MLD
instead of the per-link BSS entry. This is needed to be able to find the
derived keys when decrypting protected frames.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
IEEE P802.11be adds the MAC Address KDE into the EAPOL-Key msg 4/4 when
MLO is used and as such, the previously used check for Key Data Length
value 0 is not sufficient for recognizing the EAPOL-Key msg 4/4 anymore.
Also check for an all zero Key Nonce value since that field is supposed
to be zero in EAPOL-Key msg 4/4 and it has to be a random value in
EAPOL-Key msg 2/4.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
When MLO is used, the MLD MAC addresses of the AP MLD and non-AP MLD are
used as the Authenticator and Supplicant addresses. Update PTK
derivation to use this information to work with MLO.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
IEEE P802.11be indicates the MLD MAC addresses, i.e., the Authenticator
and Supplicant addresses, in the MAC Address KDE in EAPOL-Key msg 1/4
and 2/4. Learn those addresses so that wlantest can be extended to
support MLO.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
The change to support variable length PMK in wlantest missed couple of
places where the PMK length did not get used or set properly. In
particular, this ended up breaking FT key derivation for the case where
a passphrase was used to derive a potential per-BSS PMK. Fix this by
setting and using the PMK length properly.
Fixes: 6c29d95a90 ("wlantest: Support variable length PMK")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This resulted in an attempt to dereference a NULL pointer since sta_addr
is not known in this type of a case.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Extend the wpa_pmk_r1_to_ptk() to also derive Key Derivation
Key (KDK), which can later be used for secure LTF measurements.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Extend the wpa_pmk_to_ptk() to also derive Key Derivation
Key (KDK), which can later be used for secure LTF measurements.
Update the wpa_supplicant and hostapd configuration and the
corresponding WPA and WPA Auth state machine, to allow enabling of KDK
derivation. For now, use a testing parameter to control whether KDK is
derived.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
The case where a single 0xdd octet without any 0x00 octets is used as
padding was addressed incorrectly and that ended up truncating one octet
of the actual plaintext version of the Key Data value. Fix this by
removing the unnecessary change to the p pointer before calculating the
new length since p is already pointing to one past the last octet of the
full plaintext.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
We're doing a sort of bounds check, based on the previous loop, but only
after we've already tried to read off the end.
This squashes some ASAN errors I'm seeing when running the ap_ft hwsim
test module.
Signed-off-by: Brian Norris <briannorris@chromium.org>
If no Beacon or Probe Response frame has been seen in the capture, use
the IEs from EAPOL-Key msg 3/4 to set up BSS information.
Signed-off-by: Jouni Malinen <j@w1.fi>
The previous implementation tried to update STA IE information based on
EAPOL-Key msg 2/4 to be able to handle captures that do not include the
(Re)Association Request frame. This was not sufficient (OSEN was not
included) and was done too late (the parsed information is needed for
PMK-to-PTK derivation).
Move the IE update step to happen before trying to derive the PTK if no
(Re)Association Request frame has been seen.
Signed-off-by: Jouni Malinen <j@w1.fi>
Fetch the BIGTK from EAPOL-Key msg 3/4 and use it to validate MME in
Beacon frames when the AP uses Beacon protection.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Track PMK-R0/PMK-R0-Name from the initial mobility domain association
and derive PMK-R1/PTK when the station uses FT protocol. This allows
frames from additional roaming cases to be decrypted.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
DPP allows Diffie-Hellman exchange to be used for PFS in PTK derivation.
This requires an additional Z.x (x coordinate of the DH shared secret)
to be passed to wpa_pmk_to_ptk(). This commit adds that to the function
and updates all the callers to pass NULL,0 for that part in preparation
of the DPP specific changes to start using this.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The length of the TK is available within struct wpa_ptk, so there is no
need to try to maintain it separately in wlantest.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This new AKM is used with DPP when using the signed Connector to derive
a PMK. Since the KCK, KEK, and MIC lengths are variable within a single
AKM, this needs number of additional changes to get the PMK length
delivered to places that need to figure out the lengths of the PTK
components.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This was only written to pcapng files if both pcap and pcapng writing
was requested. Fix this for the case where only a pcapng file is being
written.
Signed-off-by: Jouni Malinen <j@w1.fi>
This leads to cleaner code overall, and also reduces the size
of the hostapd and wpa_supplicant binaries (in hwsim test build
on x86_64) by about 2.5 and 3.5KiB respectively.
The mechanical conversions all over the code were done with
the following spatch:
@@
expression SIZE, SRC;
expression a;
@@
-a = os_malloc(SIZE);
+a = os_memdup(SRC, SIZE);
<...
if (!a) {...}
...>
-os_memcpy(a, SRC, SIZE);
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
The new AEAD AKM option in FILS sets the MIC bit in EAPOL-Key frames to
0 for some ciphers, so the determination of EAPOL-Key frame types needs
changes to work with these cases.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Suite B 192-bit addition from IEEE Std 802.11ac-2013 replaced the
previous fixed length Key MIC field with a variable length field. That
change was addressed with an addition of a new struct defined for the
second MIC length. This is not really scalable and with FILS coming up
with a zero-length MIC case for AEAD, a more thorough change to support
variable length MIC is needed.
Remove the Key MIC and Key Data Length fields from the struct
wpa_eapol_key and find their location based on the MIC length
information (which is determined by the AKMP). This change allows the
separate struct wpa_eapol_key_192 to be removed since struct
wpa_eapol_key will now include only the fixed length fields that are
shared with all EAPOL-Key cases in IEEE Std 802.11.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This adds minimal support for deriving keys for FT-PSK to allow the
initial mobility domain association to be analyzed in more detail.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This modifies struct wpa_ptk to allow the length of KCK and KEK to be
stored. This is needed to allow longer keys to be used, e.g., with
Suite B 192-bit level.
Signed-off-by: Jouni Malinen <j@w1.fi>
This adds support for AKM 00-0F-AC:11 to specify the integrity and
key-wrap algorithms for EAPOL-Key frames using the new design where
descriptor version is set to 0 and algorithms are determined based on
AKM.
Signed-off-by: Jouni Malinen <j@w1.fi>