DPP2: Allow AP to require or reject PFS

The new hostapd configuration parameter dpp_pfs can be used to specify
how PFS is applied to associations. The default behavior (dpp_pfs=0)
remains the same as before, i.e., the station decides whether to use
PFS. PFS use can now be required (dpp_pfs=1) or rejected (dpp_pfs=2).

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Jouni Malinen 2020-03-28 12:33:48 +02:00 committed by Jouni Malinen
parent ca57d5f553
commit 7c021dec3a
8 changed files with 41 additions and 1 deletions


@ -4410,6 +4410,16 @@ static int hostapd_config_fill(struct hostapd_config *conf,
return 1; return 1;
} else if (os_strcmp(buf, "dpp_configurator_connectivity") == 0) { } else if (os_strcmp(buf, "dpp_configurator_connectivity") == 0) {
bss->dpp_configurator_connectivity = atoi(pos); bss->dpp_configurator_connectivity = atoi(pos);
} else if (os_strcmp(buf, "dpp_pfs") == 0) {
int val = atoi(pos);
if (val < 0 || val > 2) {
wpa_printf(MSG_ERROR,
"Line %d: Invalid dpp_pfs value '%s'",
line, pos);
return -1;
}
bss->dpp_pfs = val;
#endif /* CONFIG_DPP2 */ #endif /* CONFIG_DPP2 */
#endif /* CONFIG_DPP */ #endif /* CONFIG_DPP */
#ifdef CONFIG_OWE #ifdef CONFIG_OWE
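Review bot: `atoi(pos)` on the new dpp_pfs line maps any non-numeric value ("yes", "on") to 0 and silently truncates trailing junk ("1x" becomes 1), so a malformed entry selects the default "STA decides" policy without ever reaching the range check that follows. Since the range check is already there, pairing it with strtol makes the line reject malformed input as well: `char *end; long val = strtol(pos, &end, 10);` followed by `if (end == pos || *end != '\0' || val < 0 || val > 2) {` with the existing error message. The neighbouring dpp_configurator_connectivity line uses the same atoi pattern, so this may be a deliberate file-wide convention; even so, a policy knob that can deny associations deserves the stricter parse. hostapd_config_fill starts and ends outside the hunk.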


@ -2309,6 +2309,12 @@ own_ip_addr=127.0.0.1
# 1: advertise that a Configurator is available # 1: advertise that a Configurator is available
#dpp_configurator_connectivity=0 #dpp_configurator_connectivity=0
# DPP PFS
# 0: allow PFS to be used or not used (default)
# 1: require PFS to be used (note: not compatible with DPP R1)
# 2: do not allow PFS to be used
#dpp_pfs=0
#### TDLS (IEEE 802.11z-2010) ################################################# #### TDLS (IEEE 802.11z-2010) #################################################
# Prohibit use of TDLS in this BSS # Prohibit use of TDLS in this BSS


@ -741,6 +741,7 @@ struct hostapd_bss_config {
#ifdef CONFIG_DPP2 #ifdef CONFIG_DPP2
struct dpp_controller_conf *dpp_controller; struct dpp_controller_conf *dpp_controller;
int dpp_configurator_connectivity; int dpp_configurator_connectivity;
int dpp_pfs;
#endif /* CONFIG_DPP2 */ #endif /* CONFIG_DPP2 */
#endif /* CONFIG_DPP */ #endif /* CONFIG_DPP */
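Review bot: The new `int dpp_pfs;` field carries no comment, so the meaning of its three values can only be recovered from the hostapd.conf example and the parser's range check; the mirrored field added to struct wpa_auth_config in the later wpa_auth.h hunk has the same gap. A one-line comment at both declarations would close it: `int dpp_pfs; /* 0 = STA decides, 1 = require PFS, 2 = reject PFS */`.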


@ -375,6 +375,10 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr,
reason = WLAN_REASON_INVALID_PMKID; reason = WLAN_REASON_INVALID_PMKID;
status = WLAN_STATUS_INVALID_PMKID; status = WLAN_STATUS_INVALID_PMKID;
break; break;
case WPA_DENIED_OTHER_REASON:
reason = WLAN_REASON_UNSPECIFIED;
status = WLAN_STATUS_ASSOC_DENIED_UNSPEC;
break;
} }
if (status != WLAN_STATUS_SUCCESS) { if (status != WLAN_STATUS_SUCCESS) {
wpa_printf(MSG_DEBUG, wpa_printf(MSG_DEBUG,
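Review bot: The translation of WPA_DENIED_OTHER_REASON to a status code now lives in two switches — this one in hostapd_notif_assoc and the one in wpa_res_to_status_code in the ieee802_11.c hunk — and both must be extended in step whenever enum wpa_validate_result grows. As far as the hunk shows neither switch has a default, so a missed case is only diagnosed when the build enables -Wswitch; a comment at the enum definition naming both consumers would make the coupling explicit to the next person adding a value. hostapd_notif_assoc starts and ends outside the hunk.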


@ -1638,6 +1638,8 @@ static u16 wpa_res_to_status_code(enum wpa_validate_result res)
return WLAN_STATUS_INVALID_IE; return WLAN_STATUS_INVALID_IE;
case WPA_INVALID_PMKID: case WPA_INVALID_PMKID:
return WLAN_STATUS_INVALID_PMKID; return WLAN_STATUS_INVALID_PMKID;
case WPA_DENIED_OTHER_REASON:
return WLAN_STATUS_ASSOC_DENIED_UNSPEC;
} }
return WLAN_STATUS_INVALID_IE; return WLAN_STATUS_INVALID_IE;
} }


@ -252,6 +252,9 @@ struct wpa_auth_config {
int sae_pwe; int sae_pwe;
int owe_ptk_workaround; int owe_ptk_workaround;
u8 transition_disable; u8 transition_disable;
#ifdef CONFIG_DPP2
int dpp_pfs;
#endif /* CONFIG_DPP2 */
}; };
typedef enum { typedef enum {
@ -335,7 +338,8 @@ enum wpa_validate_result {
WPA_IE_OK, WPA_INVALID_IE, WPA_INVALID_GROUP, WPA_INVALID_PAIRWISE, WPA_IE_OK, WPA_INVALID_IE, WPA_INVALID_GROUP, WPA_INVALID_PAIRWISE,
WPA_INVALID_AKMP, WPA_NOT_ENABLED, WPA_ALLOC_FAIL, WPA_INVALID_AKMP, WPA_NOT_ENABLED, WPA_ALLOC_FAIL,
WPA_MGMT_FRAME_PROTECTION_VIOLATION, WPA_INVALID_MGMT_GROUP_CIPHER, WPA_MGMT_FRAME_PROTECTION_VIOLATION, WPA_INVALID_MGMT_GROUP_CIPHER,
WPA_INVALID_MDIE, WPA_INVALID_PROTO, WPA_INVALID_PMKID WPA_INVALID_MDIE, WPA_INVALID_PROTO, WPA_INVALID_PMKID,
WPA_DENIED_OTHER_REASON
}; };
enum wpa_validate_result enum wpa_validate_result
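Review bot: WPA_DENIED_OTHER_REASON is appended to enum wpa_validate_result without a comment, and its name says only that the AP declined; the sole producer visible in this commit is the DPP PFS policy check in wpa_validate_wpa_ie, and both status-code translations map it to WLAN_STATUS_ASSOC_DENIED_UNSPEC. Recording that contract at the declaration would help whoever later meets the unspecified-reason rejection in a log: `WPA_DENIED_OTHER_REASON /* local policy rejection (e.g. DPP PFS); reported as WLAN_STATUS_ASSOC_DENIED_UNSPEC */`. The hunk ends on the `enum wpa_validate_result` line that opens the following declaration.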


@ -196,6 +196,9 @@ static void hostapd_wpa_auth_conf(struct hostapd_bss_config *conf,
wconf->owe_ptk_workaround = conf->owe_ptk_workaround; wconf->owe_ptk_workaround = conf->owe_ptk_workaround;
#endif /* CONFIG_OWE */ #endif /* CONFIG_OWE */
wconf->transition_disable = conf->transition_disable; wconf->transition_disable = conf->transition_disable;
#ifdef CONFIG_DPP2
wconf->dpp_pfs = conf->dpp_pfs;
#endif /* CONFIG_DPP2 */
} }
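Review bot: `wconf->dpp_pfs = conf->dpp_pfs;` is guarded by CONFIG_DPP2 alone, while the hostapd_bss_config field it reads sits inside nested CONFIG_DPP / CONFIG_DPP2 guards in the ap_config.h hunk, and the wpa_auth.h field uses the same single guard. This only matters if a build can define CONFIG_DPP2 without CONFIG_DPP, which the Makefile presumably rules out, but the asymmetry is worth a glance. hostapd_wpa_auth_conf starts outside the hunk.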


@ -864,6 +864,16 @@ wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth,
} }
#endif /* CONFIG_OWE */ #endif /* CONFIG_OWE */
#ifdef CONFIG_DPP2
if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP &&
((conf->dpp_pfs == 1 && !owe_dh) ||
(conf->dpp_pfs == 2 && owe_dh))) {
wpa_printf(MSG_DEBUG, "DPP: PFS %s",
conf->dpp_pfs == 1 ? "required" : "not allowed");
return WPA_DENIED_OTHER_REASON;
}
#endif /* CONFIG_DPP2 */
sm->pairwise = wpa_pick_pairwise_cipher(ciphers, 0); sm->pairwise = wpa_pick_pairwise_cipher(ciphers, 0);
if (sm->pairwise < 0) if (sm->pairwise < 0)
return WPA_INVALID_PAIRWISE; return WPA_INVALID_PAIRWISE;
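Review bot: The rejection log on the wpa_printf line records which policy fired but not which station was refused, and the station itself only receives WLAN_STATUS_ASSOC_DENIED_UNSPEC; with dpp_pfs=1 this is exactly the case hostapd.conf warns about (DPP R1 stations cannot satisfy it), so an operator chasing failed associations will want the address in the log. Including it is a one-line change: `wpa_printf(MSG_DEBUG, "DPP: Reject association from " MACSTR " - PFS %s", MAC2STR(sm->addr), conf->dpp_pfs == 1 ? "required" : "not allowed");`. The condition also tests only the owe_dh pointer, not the element's length; if a caller can pass a non-NULL pointer with zero length, dpp_pfs=1 would accept an empty element — presumably the IE parser prevents that, but worth confirming. wpa_validate_wpa_ie starts and ends outside the hunk.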