| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
| |
key (IGTK) if a node doesn't have management frame protection (MFP) enabled.
The IGTK is not initialized if MFP is disabled, so using it triggers this
panic in ieee80211_encrypt(): panic("invalid key cipher 0x%x", k->k_cipher)
(As far as I can tell, at present, MFP is never enabled.)
Problem reported and fix tested by tj@ on athn(4) hostap
|
| |
|
|
|
|
|
|
| |
The WEP key index is stored in ic_def_txkey. The iGTK ("integrity group key")
index is specific to WPA. The previous code happened to always select WEP key
index 0 since the iGTK index is not yet used by any driver.
ok phessler@
|
| |
|
|
|
|
| |
type then panic immediately instead of silently dropping packets.
ok phessler@
|
| |
|
|
|
|
|
| |
with an access point. Prevents false positive 'reused group key'
warnings in dmesg when re-associating to the same access point.
Problem reported by tb@
ok tb@
|
| |
|
|
| |
OK stsp@
|
| |
|
|
| |
ok stsp
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It is time for this legacy of WEP to die (remember WEP?).
The 802.11-2012 standard says:
The use of TKIP is deprecated. The TKIP algorithm is unsuitable for
the purposes of this standard.
TKIP has numerous problems. One of which is that TKIP allows a denial of
service attack which can be triggered by any client. Report 2 Michael MIC
failures to a TKIP AP to trigger "TKIP countermeasures". The AP is now
required by the 802.11 standard to lock everyone out for at least 60 seconds.
The network will remain unusable for as long as such MIC failure reports
are sent twice per minute.
TKIP remains available for interoperability purposes, for now.
It must be enabled manually with ifconfig(8).
Prompted by discussion with Mathy Vanhoef.
ok deraadt@ sthen@ reyk@
|
| |
|
|
|
|
|
|
|
|
| |
The previous code would disable the AP until next reboot upon MIC failure.
Instead, disable the AP for 60 seconds, as required by the 802.11 standard.
I randomly added a bit of time (up to 120 seconds total) just because we can.
Problem reported by Mathy Vanhoef, thanks!
ok deraadt@
random input reyk@
|
| |
|
|
|
|
|
|
|
| |
This header is only needed because <netinet/if_ether.h> declares a
structure that needs it. But it turns out that <net/if.h> already
includes it as workaround.
A proper solution would be to stop declarting "struct ether_arp"
there. But no driver should need this header.
|
| | |
|
| |
|
|
| |
to include that than rdnvar.h. ok deraadt dlg
|
| |
|
|
| |
ok mpi@ kspillner@
|
| |
|
|
| |
after discussions with beck deraadt kettenis.
|
| |
|
|
| |
ok deraadt@
|
| |
|
|
|
| |
explicit_bzero() where required
ok markus mikeb
|
| |
|
|
|
|
| |
timingsafe_bcmp().
ok deraadt@; committed over WPA.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some supplicants will autoselect 802.1X without giving users the
possibility to choose between PSK or 802.1X.
Similarly, no longer announce `PSK with SHA-256 based KDF' AKMP (defined
in Draft 802.11w) by default in the RSN IE of beacons and probe responses
as it confuses some broken supplicants. This kind of sacrifies security
for interoperability with shitty (but unfortunately widespread) clients
that do not follow the 802.11 standard properly.
This fixes associations from Intel PROSet on XP and also reportedly fixes
some Mac OS clients. I will likely make `psk-sha256' configurable through
ifconfig wpaakms after the 4.5 release.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- implement A-MPDU frames buffering and reordering
- implement A-MSDU decapsulation
- process/send ADDBA Request, ADDBA Response and DELBA action frames
- process Block Ack Request control frames (including MTBAR)
- implement PBAC support (Protected Block Ack)
- add some incomplete HT Capabilities and HT Operation IEs parsing
Add more Management Frame Protection bits based on 802.11w Draft 7.0:
- implement SA Query procedure (both AP and STA)
- cleanup BIP
Fix some bugs:
- fix check for WEP key length that otherwise caused a stack smash in
ieee80211_wep_encrypt (pointed out by Xavier Santolaria on macppc)
- properly stop EAPOL timeout: fixes a panic that occured in HostAP mode
when turning the interface down while a 4-way handshake is in progress
(pointed out by Doughertys)
Did some code cleanup too.
The HT bits are currently not compiled in (IEEE80211_NO_HT is defined)
because they won't be ready until after the next release and I didn't
want to grow the kernel or to inadvertently introduce new bugs.
They are here such that other people can look at the code.
Notice that I had to add an extra parameter to ic_send_mgmt() for
action frames, that is why there are small changes in drivers defining
their own ic_send_mgmt() handler.
Sorry for the not very incremental diff but this has been sitting in
my tree for too long now.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This will be required for future WPA-Enterprise support (802.1X).
Add ieee80211_needs_auth() function (not implemented yet) to
notify the userland 802.1X PACP machine when an 802.1X port
becomes enabled (that is after successfull 802.11 Open System
authentication).
Add SIOCS80211KEYRUN and SIOCS80211KEYAVAIL ioctls so that the
PACP state machine can kick the 802.11 key state machine and
install PMKs obtained from 802.1X (pre-)authentication.
Enable SHA-256 based AKMPs by default while I'm here (TGw).
This uses SHA-256 for key-derivation (instead of SHA1), AES-128-CMAC
for data integrity, and AES Key Wrap for data protection of EAPOL-Key
frames. An OpenBSD AP will always advertise this capability and an
OpenBSD STA will always prefer SHA-256 based AKMPs over SHA1 based
ones if both are supported by an AP.
|
| |
|
|
|
|
|
|
|
| |
remove IBSS and HostAP support from net80211 and 802.11 drivers.
it can be used to shrink RAMDISK kernels for instance (like what
was done for wi(4)).
it also has the benefit of highlighting what is specific to IBSS
and HostAP modes in the code.
the cost is that we now have two code paths to maintain.
|
| | |
|
| | |
|
| |
|
|
|
| |
from MMIE etc...
this code can't be triggered as no drivers claim MFP capability yet.
|
| | |
|
| | |
|
| |
|
|
|
| |
MIC is computed using AES-128-CMAC instead of HMAC-SHA1).
add a SHA-256 based key derivation function (not used yet).
|
| | |
|
| |
|
|
|
|
| |
indices 0-3 will be used for group data keys while indices 4-5 will
be used for integrity group keys.
add a ic_rsngroupmgmtcipher field too.
|
| |
|
|
| |
which makes things easier to track.
|
| |
|
|
|
| |
pass the AKMP so we can support other key derivation functions in the
future.
|
| | |
|
| |
|
|
| |
this must not be included by drivers.
|
| |
|
|
| |
constified.
|
| | |
|
| |
|
|
|
|
| |
- add a ieee80211_recv_action() function (will be used later)
- some cleanup, remove unused prototypes, get rid of the
IEEE80211_VERIFY_* macros
|
| |
|
|
|
|
|
|
|
|
|
| |
crc in addition to the existing "oneshot" mode and use them to replace
ieee80211_crc_update() with the new ether_crc32_le_update(). Saves 1k
kernel bss + some code.
Mark the new ether_crc32_[lb]e_update functions as __pure for a
~25x speedup (on my i386 at least).
feedback and ok damien@
|
| |
|
|
|
|
| |
attaches instead of at every attach.
discussed with deraadt@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.
Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.
This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.
In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.
The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)
The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher
wpa-psk(8) can be used to generate keys from passphrases.
tested by many@
ok deraadt@
|
| | |
|
| |
|
|
|
|
|
|
|
| |
- discard all EAPOL-Key frames with an unknown descriptor version.
- when receiving message 3/4 of the 4-way handshake, do not install
the PTK if the INSTALL bit is not set. this fixes 4-way handshake
with APs using group keys only.
- similarly, do not mark the 802.1X port as valid if the SECURE bit
is not set (it will be marked as valid after group key handshake).
|
| | |
|
| |
|
|
|
|
|
| |
transmitting a frame to a given node.
change ieee80211_encrypt() so that it now takes the key as parameter.
this change is required because drivers doing hardware crypto need to
know what key is being used.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Tx/Rx MIC for TKIP.
- add two functions to map a PTK and a GTK to an IEEE 802.11 key and
use them in ieee80211_input.c instead of duplicating the same code.
properly set Tx/Rx MIC in the IEEE 802.11 key in the case of TKIP.
- add ic_psk to struct ieee80211com to store the pre-shared key.
- fix setting of the SECURE bit in outgoing EAPOL-Key frames.
- when receiving msg 2 of the 4-way handshake, deauthenticate the
station if the RSN IE does not match that of the (Re)Association
request.
- before parsing an RSN or WPA IE, check that there's enough room for
the version field (2 bytes) which is mandatory.
- various tweaks while i'm here.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
a station is using WPA1 or RSN descriptors.
make sure that a station that advertises WPA1 capability in an IE
uses the WPA1 EAPOL-Key descriptor type and not the RSN one.
fix construction of EAPOL-Key frames for WPA1.
i can now successfuly complete a 4-way and group-key handshake
with both a WPA1 and a WPA2 access point.
add some TKIP encapsulation code (no SW crypto yet).
ok deraadt@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
can handle multiple ciphers (the key to use is determined automatically
by these functions based on the frame's destination address).
add ieee80211_ccmp_encrypt() and ieee80211_ccmp_decrypt().
those two functions only do encapsulation/decapsulation of CCMP frames
for now (they don't do SW crypto). they will help to test things with
drivers that can do HW crypto.
add a ni_pairwise_key field to struct ieee80211_node to actually install
the pairwise transient key.
install the GTK in ic_nw_keys[].
|
| |
|
|
|
|
| |
RSN uses a GTK KDE while WPA1 stores the GTK in the EAPOL-Key frame
data field (encrypted) and uses some bits in the info field.
split ieee80211_recv_group_msg1() in two separate functions.
|
| |
|
|
|
|
|
|
|
| |
so use that too and remove a check in ieee80211_recv_eapol().
WPA1 stores the group key id into bits 4-5 of the EAPOL-Key frame info
field and uses bit 6 to indicate if the key is Rx/Tx or Rx only.
remove a check in ieee80211_eapol_key_decrypt() because WPA1 encrypts
the payload of message 1 of the group-key handshake without setting the
encrypted bit in the info field.
|
| |
|
|
|
|
|
|
| |
this simplifies ieee80211_eapol_key_mic() and ieee80211_eapol_key_check_mic()
quite a bit.
set the EAPOL-Key body length before computing the MIC since the MIC is
computed with the 802.1X header too.
add a missing htons() while i'm here.
|
| |
|
|
|
|
|
|
| |
and a 64-bit receive sequence counter (for group keys).
add a ieee80211_cipher_keylen() function to retrieve the key length
in bytes used by a specific cipher.
account for 802.1X header size when computing the Key MIC.
some cleanup in comments and variable names while i'm here.
|
| | |
|
stsp
mikeb
tb
mpi
tedu
jsg
deraadt
matthew
damien
djm