diff mbox series

[RFC] PMF: Allow Key ID in big endian format to workaround faulty APs

Message ID 20190214124653.24793-1-mikael.kanstrup@sony.com
State RFC
Headers show
Series [RFC] PMF: Allow Key ID in big endian format to workaround faulty APs | expand

Commit Message

Mikael Kanstrup Feb. 14, 2019, 12:46 p.m. UTC 
From: Daisuke Niwa <daisuke.niwa@sony.com>

A few APs out on the market have got the byte order of IGTK key
index wrong making PMF enabled connections fail to connect. The faulty
APs request STAs to configure IGTK with key ID value 1024 or 1280.

IEEE Std 802.11-2016 Chapter 9.4.2.55 "Management MIC element"
define the key ID to be either 4 or 5. All other key IDs are reserved.

Out of spec values get rejected by lower cfg80211 layer set key
operation which in turn brings the connection down.

Looking more closely into the values requested, 4 and 5 in 16-bit
network byte order/big endian byte order happens to correspond to
1024 and 1280 respectively in wireless little endian byte order. As
connect attempts using out of spec values will anyway fail detect
and workaround the problem by reading the incorrect values in big
endian format.

Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sony.com>
---
 src/rsn_supp/wpa.c | 6 ++++++
 1 file changed, 6 insertions(+)

Comments

Jouni Malinen Feb. 15, 2019, 10:10 a.m. UTC | #1 
On Thu, Feb 14, 2019 at 01:46:53PM +0100, Mikael Kanstrup wrote:
> A few APs out on the market have got the byte order of IGTK key
> index wrong making PMF enabled connections fail to connect. The faulty
> APs request STAs to configure IGTK with key ID value 1024 or 1280.

> Looking more closely into the values requested, 4 and 5 in 16-bit
> network byte order/big endian byte order happens to correspond to
> 1024 and 1280 respectively in wireless little endian byte order. As
> connect attempts using out of spec values will anyway fail detect
> and workaround the problem by reading the incorrect values in big
> endian format.

Do you have reason to believe that the particular APs with this behavior
have PMF working otherwise? For example, is the IGTK provided by those
APs with this swapped KeyID actually the correct IGTK and if the AP were
to transmit a group-addressed robust management frame, that would be
correctly protected using this IGTK? And maybe more importantly, that
the particular IGTK is not a predictable value where this type of
workaround would result in a security vulnerability.

If the AP does not implement PMF correctly, the best workaround would
likely be to not try to use PMF with that AP. Allowing the association
to go through can result in false sense of security and some upper layer
operations getting unexpected behavior if the station device assume
there is protection for all the robust management frames while that is
not really the case.

Do you have such a broken AP available for testing different types of
workarounds for this issue? My main issue with this item has been that I
have no such AP, so I cannot really fully evaluate the impact of various
possible workarounds for this.
Mikael Kanstrup Feb. 15, 2019, 3:08 p.m. UTC | #2 
>From: Jouni Malinen <j@w1.fi>
>Sent: Feb 15, 2019 11:10
>> A few APs out on the market have got the byte order of IGTK key
>> index wrong making PMF enabled connections fail to connect. The faulty
>> APs request STAs to configure IGTK with key ID value 1024 or 1280.

...
>> and workaround the problem by reading the incorrect values in big
>> endian format.

> Do you have reason to believe that the particular APs with this behavior
> have PMF working otherwise?

Good point. Only limited checks done. For example that AP can handle encrypted
deauth frames.

> is the IGTK provided by those APs with this swapped KeyID actually the
> correct IGTK and if the AP were to transmit a group-addressed robust
> management frame, that would be correctly protected using this IGTK?

I've only been able to get hold of one of these AP models. It's a home router
with limited feature set. No fast bss transition support for example. So was not
able have the AP send any frames that should be encrypted with IGTK and can't
really answer if the IGTK was valid or not.

Looking at that ieee standard I don't think it's obvious which frames should
be encrypted with IGTK. If you know of any common frame types I can check.
Must admit I've mostly looked at PMF as a way to prevent deauth attacks.

> And maybe more importantly, that the particular IGTK is not a predictable
> value where this type of workaround would result in a security vulnerability.

Hard to tell just by looking at the IGTK received. But yeah good point.

> If the AP does not implement PMF correctly, the best workaround would
> likely be to not try to use PMF with that AP.

Right. Maybe this should rather be implemented outside of wpa_supplicant. Like
disabling PMF for the specific network if PMF fails.

> Do you have such a broken AP available for testing different types of
> workarounds for this issue?

I have access to only one that I unfortunately cannot share information about. But I
can get hold of vendor OUI from a couple APs and probably determine brand/model
for a few of them.

> My main issue with this item has been that I have no such AP, so I cannot
> really fully evaluate the impact of various possible workarounds for this.

Understood. I'll try to gather necessary information.

Thanks for feedback!

/Mikael
Jouni Malinen Feb. 15, 2019, 3:35 p.m. UTC | #3 
On Fri, Feb 15, 2019 at 03:08:26PM +0000, Kanstrup, Mikael wrote:
> >From: Jouni Malinen <j@w1.fi>
> 
> > Do you have reason to believe that the particular APs with this behavior
> > have PMF working otherwise?
> 
> Good point. Only limited checks done. For example that AP can handle encrypted
> deauth frames.

OK, so at least it is trying to do PMF and maybe is even successful at
that with unicast frames.

> > is the IGTK provided by those APs with this swapped KeyID actually the
> > correct IGTK and if the AP were to transmit a group-addressed robust
> > management frame, that would be correctly protected using this IGTK?
> 
> I've only been able to get hold of one of these AP models. It's a home router
> with limited feature set. No fast bss transition support for example. So was not
> able have the AP send any frames that should be encrypted with IGTK and can't
> really answer if the IGTK was valid or not.
> 
> Looking at that ieee standard I don't think it's obvious which frames should
> be encrypted with IGTK. If you know of any common frame types I can check.
> Must admit I've mostly looked at PMF as a way to prevent deauth attacks.

BIP/IGTK does not actually encrypt anything; it adds integrity
protection with an extra information element (MME) at the end of the
frame. There are not many frames that this would apply to in practice,
though, and it is possible that there are APs that do not send even a
single group-addressed robust management frame. These frames are:
broadcast Deauthentication/Disassociation frame and broadcast/multicast
Robust Action frames. The former might be sent, e.g., when shutting down
the AP. There are not any currently defined example in use for the
latter.

> > And maybe more importantly, that the particular IGTK is not a predictable
> > value where this type of workaround would result in a security vulnerability.
> 
> Hard to tell just by looking at the IGTK received. But yeah good point.

One option here would be to modify wpa_supplicant_install_igtk() to
ignore wpa_sm_set_key() failure if keyidx is 0x0400 or 0x0500. In other
words, do not configure IGTK at all if the AP is using unexpected KeyID
and the local driver does not support that value instead of trying to
guess that the AP really meant keyidx 4 or 5. Would just need to confirm
that the local driver is rejecting any group-addressed robust management
frame if there is no key configured for the keyidx. The main benefit
here would be in the local driver not getting that IGTK value enabled if
there is a risk of it being predictable value that an attacker could use
to inject frames.

This change would look something like following:

diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
index 86593ab..4a82c86 100644
--- a/src/rsn_supp/wpa.c
+++ b/src/rsn_supp/wpa.c
@@ -1052,7 +1052,12 @@ static int wpa_supplicant_install_igtk(struct wpa_sm *sm,
 			   igtk->igtk, len) < 0) {
 		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
 			"WPA: Failed to configure IGTK to the driver");
-		return -1;
+		/* Work around issues with APs that are know to use incorrect
+		 * byte order for the KeyID field. Leave the IGTK unconfigured
+		 * while allowing unicast PMF to be used.
+		 */
+		if (keyidx != 0x0400 && keyidx != 0x0500)
+			return -1;
 	}
 
 	if (wnm_sleep) {

> > If the AP does not implement PMF correctly, the best workaround would
> > likely be to not try to use PMF with that AP.
> 
> Right. Maybe this should rather be implemented outside of wpa_supplicant. Like
> disabling PMF for the specific network if PMF fails.

Well, wpa_supplicant could do this automatically if PMF is locally
configured to be optional and try to connect again. However, if it is
clear the particular APs actually do implement PMF correctly for unicast
frames, it may make more sense to simply ignore all BIP/IGTK cases.
diff mbox series

Patch

diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
index 86593ab78..32b9b9326 100644
--- a/src/rsn_supp/wpa.c
+++ b/src/rsn_supp/wpa.c
@@ -1024,6 +1024,12 @@  static int wpa_supplicant_install_igtk(struct wpa_sm *sm,
 {
 	size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
 	u16 keyidx = WPA_GET_LE16(igtk->keyid);
+	if (keyidx == 1024 || keyidx == 1280) {
+		/* Workaround incorrectly behaving APs that send Key ID in big endian format */
+		wpa_printf(MSG_INFO, "PMF: Workaround - Allow Key ID in big endian format(%d)",
+			   keyidx);
+		keyidx = WPA_GET_BE16(igtk->keyid);
+	}
 
 	/* Detect possible key reinstallation */
 	if ((sm->igtk.igtk_len == len &&