[00/25] Add support for Operating Channel Validation (OCV)

Message ID 20180806194643.1328-1-Mathy.Vanhoef@cs.kuleuven.be

Message

Mathy Vanhoef Aug. 6, 2018, 7:46 p.m. UTC
This patchset adds support for Operating Channel Validation (OCV). The
main idea of this feature is to verify the current operating channel
when connecting to a network. This prevents multi-channel
Man-in-the-middle attacks. A detailed description of this feature can be
found here:
https://mentor.ieee.org/802.11/dcn/17/11-17-1807-12-000m-defense-against-multi-channel-mitm-attacks-via-operating-channel-validation.docx

Points to pay attention to:
- The channel bandwidth that an AP uses to send frames to an associated
  STA is derived from IEs in the association request. Feedback on this
  would be good (see commit "Add function to derive Tx parameters to a
  specific STA").
- The code assumes that a client will use the maximum bandwidth as
  returned by NL80211_ATTR_WIPHY_FREQ to transmit frames (see commit
  "Add driver API to get current channel parameters"). It would be good
  to double check that this is indeed the case.
- A kernel patch is needed to let clients correctly handle SA Query
  Requests that contain an OCI element. See commit "Include and verify
  OCI in SA Query frames" for details.
- After a channel switch, the AP is supposed to deauthenticate clients
  that did not initiate a SA Query. This is not yet implemented, and
  currently left as a TODO in the code. Not implementing this does not
  negatively affect reliability, it only reduces the security benefits.
- I've included a bunch of automated tests. Some of these currently use
  reset_ap, but it seems that function is not always reliable? Sometimes
  a test fails, but when running again the test succeeds.


Mathy Vanhoef (25):
  Add driver API to get current channel parameters
  Make channel_info available to the supplicant state machine
  Make channel_info and get_sta available to authenticator
  Add utility function to derive operating class and channel
  Add functions to convert channel bandwidth to an integer
  Store the VHT Operation element of an associated STA
  OCV: Add configs for channel validation support
  OCV: Add utility functions to insert OCI elements
  OCV: insert OCI in 4-way and group key handshake
  OCV: Parse all types of OCI information elements
  OCV: Add function to verify a received OCI element
  OCV: Add function to derive Tx parameters to a specific STA
  OCV: Verify OCI in 4-way and group key handshake
  OCV: Include and verify OCI in the FT handshake
  OCV: Include and verify OCI in WNM-Sleep Exit frames
  OCV: Include and verify OCI in SA Query frames
  OCV: Perform a SA Query after a channel switch
  OCV: Include and verify OCI in the FILS handshake
  OCV: Include and verify OCI in the AMPE handshake
  OCV: Test OCI validation in the 4-way and group key handshake
  OCV: Test OCI validation in the FT handshake
  OCV: Test OCI validation in the FILS handshake
  OCV: Test OCI validation in SA Query frames
  OCV: Test OCI validation in WNM-Sleep Exit frames
  OCV: Test OCI validation in the AMPE handshake

 hostapd/Android.mk                        |   6 +
 hostapd/Makefile                          |   6 +
 hostapd/android.config                    |   3 +
 hostapd/config_file.c                     |   6 +
 hostapd/defconfig                         |   3 +
 hostapd/hostapd.conf                      |   7 +
 src/ap/ap_config.c                        |   9 +
 src/ap/ap_config.h                        |   4 +
 src/ap/ap_drv_ops.h                       |   8 +
 src/ap/drv_callbacks.c                    |   7 +-
 src/ap/hs20.c                             |   4 +
 src/ap/ieee802_11.c                       |  37 +-
 src/ap/ieee802_11.h                       |   6 +-
 src/ap/ieee802_11_shared.c                | 183 ++++++-
 src/ap/ieee802_11_vht.c                   |  23 +
 src/ap/sta_info.c                         |   1 +
 src/ap/sta_info.h                         |   1 +
 src/ap/wnm_ap.c                           |  78 ++-
 src/ap/wpa_auth.c                         | 262 +++++++++-
 src/ap/wpa_auth.h                         |  15 +
 src/ap/wpa_auth_ft.c                      |  64 +++
 src/ap/wpa_auth_glue.c                    |  20 +
 src/ap/wpa_auth_i.h                       |   3 +
 src/ap/wpa_auth_ie.c                      |  43 +-
 src/ap/wpa_auth_ie.h                      |   4 +
 src/common/ieee802_11_common.c            |  59 +++
 src/common/ieee802_11_common.h            |   7 +
 src/common/ieee802_11_defs.h              |   3 +
 src/common/ocv.c                          | 168 +++++++
 src/common/ocv.h                          |  40 ++
 src/common/wpa_common.c                   |   6 +
 src/common/wpa_common.h                   |   9 +-
 src/drivers/driver.h                      |  29 ++
 src/drivers/driver_common.c               |  19 +
 src/drivers/driver_nl80211.c              |  66 +++
 src/drivers/driver_nl80211.h              |   2 +
 src/rsn_supp/wpa.c                        | 158 +++++-
 src/rsn_supp/wpa.h                        |  11 +-
 src/rsn_supp/wpa_ft.c                     |  43 ++
 src/rsn_supp/wpa_i.h                      |   9 +
 src/rsn_supp/wpa_ie.c                     |  13 +
 src/rsn_supp/wpa_ie.h                     |   4 +
 tests/hwsim/example-hostapd.config        |   2 +
 tests/hwsim/example-wpa_supplicant.config |   2 +
 tests/hwsim/test_ap_ft.py                 |  37 +-
 tests/hwsim/test_ap_pmf.py                |  55 +++
 tests/hwsim/test_fils.py                  |  56 +++
 tests/hwsim/test_ocv.py                   | 577 ++++++++++++++++++++++
 tests/hwsim/test_wnm.py                   | 121 +++++
 tests/hwsim/test_wpas_mesh.py             | 103 +++-
 tests/hwsim/wpasupplicant.py              |   2 +-
 wlantest/Makefile                         |   1 +
 wlantest/bss.c                            |   5 +-
 wlantest/ctrl.c                           |   3 +
 wlantest/sta.c                            |  11 +-
 wpa_supplicant/Android.mk                 |   6 +
 wpa_supplicant/Makefile                   |   6 +
 wpa_supplicant/android.config             |   3 +
 wpa_supplicant/ap.c                       |   4 +
 wpa_supplicant/config.c                   |  39 ++
 wpa_supplicant/config_file.c              |   9 +
 wpa_supplicant/config_ssid.h              |  11 +
 wpa_supplicant/ctrl_iface.c               |   4 +
 wpa_supplicant/defconfig                  |   5 +-
 wpa_supplicant/driver_i.h                 |   8 +
 wpa_supplicant/events.c                   |   1 +
 wpa_supplicant/mesh.c                     |   3 +
 wpa_supplicant/mesh_mpm.c                 |  71 +++
 wpa_supplicant/mesh_rsn.c                 |   8 +-
 wpa_supplicant/sme.c                      | 135 ++++-
 wpa_supplicant/sme.h                      |   1 +
 wpa_supplicant/wnm_sta.c                  |  79 ++-
 wpa_supplicant/wpa_supplicant.c           |   3 +
 wpa_supplicant/wpa_supplicant.conf        |   7 +
 wpa_supplicant/wpas_glue.c                |   8 +
 wpa_supplicant/wpas_glue.h                |   1 +
 76 files changed, 2762 insertions(+), 74 deletions(-)
 create mode 100644 src/common/ocv.c
 create mode 100644 src/common/ocv.h
 create mode 100644 tests/hwsim/test_ocv.py
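
The channel check described in the cover letter, as an added illustration (not code from this patchset or from hostapd): a received OCI is resolved to a frequency and bandwidth and compared with the parameters the local side uses. Assumptions: a 3-byte OCI body (operating class, primary channel, frequency segment 1 channel), a small constructed operating-class table, hypothetical names `ocv_check` and `chan_params`, and the rule that the local transmit bandwidth must not exceed the peer's.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed subset of the 802.11 global operating classes; a real
 * verifier needs the full table and the 80/160/80+80 MHz cases. */
struct op_class { uint8_t id; int start_mhz, width_mhz; uint8_t lo, hi, step; };
static const struct op_class classes[] = {
    {  81, 2407, 20,  1, 13, 1 },   /* 2.4 GHz, 20 MHz */
    { 115, 5000, 20, 36, 48, 4 },   /* 5 GHz, 20 MHz */
    { 116, 5000, 40, 36, 44, 8 },   /* 5 GHz, 40 MHz, primary = lower channel */
};

/* Hypothetical local view of the link (not a hostapd structure). */
struct chan_params { int freq_mhz; int tx_width_mhz; };

enum ocv_result { OCV_OK, OCV_MISSING, OCV_BAD_LEN, OCV_BAD_CHANNEL,
                  OCV_FREQ_MISMATCH, OCV_WIDTH_MISMATCH };

/* oci: 3-byte OCI body = operating class, primary channel number,
 * frequency segment 1 channel number (unused for the widths modelled). */
enum ocv_result ocv_check(const uint8_t *oci, size_t len,
                          const struct chan_params *local)
{
    if (!oci)
        return OCV_MISSING;       /* assumption: absence counts as failure */
    if (len != 3)
        return OCV_BAD_LEN;
    for (size_t i = 0; i < sizeof(classes) / sizeof(classes[0]); i++) {
        const struct op_class *c = &classes[i];
        if (c->id != oci[0] || oci[1] < c->lo || oci[1] > c->hi ||
            (oci[1] - c->lo) % c->step)
            continue;
        if (c->start_mhz + 5 * oci[1] != local->freq_mhz)
            return OCV_FREQ_MISMATCH;   /* peer sits on another channel */
        if (local->tx_width_mhz > c->width_mhz)
            return OCV_WIDTH_MISMATCH;  /* we would send wider than peer */
        return OCV_OK;
    }
    return OCV_BAD_CHANNEL;
}

int main(void)
{
    const uint8_t peer_oci[3] = { 81, 1, 0 };      /* constructed: channel 1 */
    const struct chan_params local = { 2437, 20 }; /* we are on channel 6 */
    printf("result=%d\n", ocv_check(peer_oci, sizeof(peer_oci), &local));
    return 0;
}
```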

Comments

Jouni Malinen Dec. 17, 2018, 3:12 p.m. UTC | #1
On Mon, Aug 06, 2018 at 03:46:18PM -0400, Mathy Vanhoef wrote:
> This patchset adds support for Operating Channel Validation (OCV). The
> main idea of this feature is to verify the current operating channel
> when connecting to a network. This prevents multi-channel
> Man-in-the-middle attacks. A detailed description of this feature can be
> found here:
> https://mentor.ieee.org/802.11/dcn/17/11-17-1807-12-000m-defense-against-multi-channel-mitm-attacks-via-operating-channel-validation.docx

Thanks, applied with cleanup and fixes.

> - I've included a bunch of automated tests. Some of these currently use
>   reset_ap, but it seems that function is not always reliable? Sometimes
>   a test fails, but when running again the test succeeds.

reset_ap() sequences seemed to trigger some kernel warnings that made
the test cases fail for me all the time. I fixed those by using
hapd.disable() followed by adding the AP with new configuration. In
addition, the station side needed to be quite a bit more careful to
avoid hitting issues with old scan results (i.e., explicitly clear the
scan results whenever the AP configuration changes).

Mathy Vanhoef Dec. 19, 2018, 11:48 a.m. UTC | #2
Great to see this being included, thanks for cleaning up the patches!

On Mon, 17 Dec 2018 17:12:21 +0200
Jouni Malinen <j@w1.fi> wrote:

> On Mon, Aug 06, 2018 at 03:46:18PM -0400, Mathy Vanhoef wrote:
> > This patchset adds support for Operating Channel Validation (OCV). The
> > main idea of this feature is to verify the current operating channel
> > when connecting to a network. This prevents multi-channel
> > Man-in-the-middle attacks. A detailed description of this feature can be
> > found here:
> > https://mentor.ieee.org/802.11/dcn/17/11-17-1807-12-000m-defense-against-multi-channel-mitm-attacks-via-operating-channel-validation.docx  
> 
> Thanks, applied with cleanup and fixes.
> 
> > - I've included a bunch of automated tests. Some of these currently use
> >   reset_ap, but it seems that function is not always reliable? Sometimes
> >   a test fails, but when running again the test succeeds.  
> 
> reset_ap() sequences seemed to trigger some kernel warnings that made
> the test cases fail for me all the time. I fixed those by using
> hapd.disable() followed by adding the AP with new configuration. In
> addition, the station side needed to be quite a bit more careful to
> avoid hitting issues with old scan results (i.e., explicitly clear the
> scan results whenever the AP configuration changes).
>