diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c index e6ce26d4a..6e59f2d84 100644 --- a/src/ap/wpa_auth.c +++ b/src/ap/wpa_auth.c @@ -1018,6 +1018,7 @@ void wpa_receive(struct wpa_authenticator *wpa_auth, if (!wpa_use_aes_cmac(sm) && !wpa_key_mgmt_fils(sm->wpa_key_mgmt) && + sm->wpa_key_mgmt != WPA_KEY_MGMT_OWE && ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING, @@ -1028,7 +1029,8 @@ void wpa_receive(struct wpa_authenticator *wpa_auth, } if ((wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) || - wpa_key_mgmt_fils(sm->wpa_key_mgmt)) && + wpa_key_mgmt_fils(sm->wpa_key_mgmt) || + sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE) && ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) { wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING, "did not use EAPOL-Key descriptor version 0 as required for AKM-defined cases"); @@ -1419,6 +1421,7 @@ void __wpa_send_eapol(struct wpa_authenticator *wpa_auth, if (force_version) version = force_version; else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN || + sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE || wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) || wpa_key_mgmt_fils(sm->wpa_key_mgmt)) version = WPA_KEY_INFO_TYPE_AKM_DEFINED; @@ -1444,6 +1447,7 @@ void __wpa_send_eapol(struct wpa_authenticator *wpa_auth, key_data_len = kde_len; if ((version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES || + sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE || sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN || wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) || version == WPA_KEY_INFO_TYPE_AES_128_CMAC) && encr) { @@ -1546,6 +1550,7 @@ void __wpa_send_eapol(struct wpa_authenticator *wpa_auth, wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data", buf, key_data_len); if (version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES || + sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE || sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN || wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) || version == WPA_KEY_INFO_TYPE_AES_128_CMAC) { diff --git a/src/common/wpa_common.c b/src/common/wpa_common.c index e3b38a15b..4d5d499f6 100644 
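Review bot: The OWE test is open-coded as `sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE` in the CCMP descriptor-version check of wpa_receive() here, and again in the second wpa_receive() hunk, the three __wpa_send_eapol() hunks, and the wpa_supplicant_decrypt_key_data() and wpa_sm_rx_eapol() hunks in src/rsn_supp/wpa.c. These lists decide which AKMs must use the AKM-defined descriptor version and which use AES key wrap for Key Data, so a site missed when the next AKM is added silently weakens the version check on one side of the handshake. Consider one predicate per decision, e.g. `static int akm_uses_defined_version(int akmp)` (placeholder name), shared by authenticator and supplicant. The enclosing functions start and end outside these hunks, so there may be further sites the diff does not show.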
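Review bot: In __wpa_send_eapol() the condition extended at -1444 (before `&& encr`) is repeated term for term at -1546 after the plaintext Key Data hexdump, and the two have to name the same AKMs or the length handling and the encryption branch can disagree. Evaluating it once into a local, e.g. `int aes_wrap = version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES || ... ;`, and testing `aes_wrap && encr` and `aes_wrap` at the two sites would remove the need to patch both in step. What each branch does is inferred from the visible lines only, since both bodies lie outside the hunks.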
--- a/src/common/wpa_common.c +++ b/src/common/wpa_common.c @@ -136,6 +136,15 @@ int wpa_eapol_key_mic(const u8 *key, size_t key_len, int akmp, int ver, os_memcpy(mic, hash, 24); break; #endif /* CONFIG_SUITEB192 */ +#ifdef CONFIG_OWE + case WPA_KEY_MGMT_OWE: + wpa_printf(MSG_DEBUG, + "WPA: EAPOL-Key MIC using HMAC-SHA256 (AKM-defined - OWE)"); + if (hmac_sha256(key, key_len, buf, len, hash)) + return -1; + os_memcpy(mic, hash, MD5_MAC_LEN); + break; +#endif /* CONFIG_OWE */ default: wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key MIC algorithm not known (AKM-defined - akmp=0x%x)", @@ -218,7 +227,7 @@ int wpa_pmk_to_ptk(const u8 *pmk, size_t pmk_len, const char *label, #else /* CONFIG_SUITEB192 || CONFIG_FILS */ return -1; #endif /* CONFIG_SUITEB192 || CONFIG_FILS */ - } else if (wpa_key_mgmt_sha256(akmp)) { + } else if (wpa_key_mgmt_sha256(akmp) || akmp == WPA_KEY_MGMT_OWE) { #ifdef CONFIG_IEEE80211W wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA256)"); if (sha256_prf(pmk, pmk_len, label, data, sizeof(data), diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c index 877706df1..d3fd8ef50 100644 --- a/src/rsn_supp/wpa.c +++ b/src/rsn_supp/wpa.c @@ -1737,6 +1737,7 @@ static int wpa_supplicant_decrypt_key_data(struct wpa_sm *sm, #endif /* CONFIG_NO_RC4 */ } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES || ver == WPA_KEY_INFO_TYPE_AES_128_CMAC || + sm->key_mgmt == WPA_KEY_MGMT_OWE || sm->key_mgmt == WPA_KEY_MGMT_OSEN || wpa_key_mgmt_suite_b(sm->key_mgmt)) { u8 *buf; @@ -2018,6 +2019,7 @@ int wpa_sm_rx_eapol(struct wpa_sm *sm, const u8 *src_addr, ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES && !wpa_key_mgmt_suite_b(sm->key_mgmt) && !wpa_key_mgmt_fils(sm->key_mgmt) && + sm->key_mgmt != WPA_KEY_MGMT_OWE && sm->key_mgmt != WPA_KEY_MGMT_OSEN) { wpa_msg(sm->ctx->msg_ctx, MSG_INFO, "WPA: Unsupported EAPOL-Key descriptor version %d", 
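Review bot: The new `WPA_KEY_MGMT_OWE` case in wpa_eapol_key_mic() copies `MD5_MAC_LEN` bytes of an HMAC-SHA256 result, so the MIC length is expressed through an MD5 constant and the truncation to 16 octets is not stated anywhere in the case. A one-line comment above the `os_memcpy()`, such as `/* OWE: MIC is HMAC-SHA256 truncated to 128 bits */`, would make the intent explicit. The case also fixes SHA-256 for every OWE association; if the hash is meant to follow the negotiated DH group, `akmp` alone cannot select it here, which is worth confirming against the OWE specification. `hash` and the rest of the function are declared outside the hunk.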
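Review bot: The OWE test added to the `wpa_key_mgmt_sha256(akmp)` branch of wpa_pmk_to_ptk() lands on a body compiled only under `#ifdef CONFIG_IEEE80211W`, so a build with CONFIG_OWE but without CONFIG_IEEE80211W would not reach `sha256_prf()` for OWE. The alternative preprocessor branch is outside the hunk; if it mirrors the `return -1` of the SHA384 block just above, PTK derivation fails for every OWE handshake in that configuration. Widening the guard to `#if defined(CONFIG_IEEE80211W) || defined(CONFIG_OWE)`, and checking that the SHA-256 PRF is built for CONFIG_OWE, would keep the two options independent.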
@@ -2034,7 +2036,8 @@ int wpa_sm_rx_eapol(struct wpa_sm *sm, const u8 *src_addr, } if ((wpa_key_mgmt_suite_b(sm->key_mgmt) || - wpa_key_mgmt_fils(sm->key_mgmt)) && + wpa_key_mgmt_fils(sm->key_mgmt) || + sm->key_mgmt == WPA_KEY_MGMT_OWE) && ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) { wpa_msg(sm->ctx->msg_ctx, MSG_INFO, "RSN: Unsupported EAPOL-Key descriptor version %d (expected AKM defined = 0)", @@ -2068,6 +2071,7 @@ int wpa_sm_rx_eapol(struct wpa_sm *sm, const u8 *src_addr, if (sm->pairwise_cipher == WPA_CIPHER_CCMP && !wpa_key_mgmt_suite_b(sm->key_mgmt) && !wpa_key_mgmt_fils(sm->key_mgmt) && + sm->key_mgmt != WPA_KEY_MGMT_OWE && ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { wpa_msg(sm->ctx->msg_ctx, MSG_INFO, "WPA: CCMP is used, but EAPOL-Key "