OWE: Define and parse OWE AKM selector
This adds a new RSN AKM "OWE". Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen
parent
9c7aac738b
commit
a1ea1b4522
15 changed files with 79 additions and 10 deletions
|
|
@ -710,6 +710,10 @@ static int hostapd_config_parse_key_mgmt(int line, const char *value)
|
|||
val |= WPA_KEY_MGMT_FT_FILS_SHA384;
|
||||
#endif /* CONFIG_IEEE80211R_AP */
|
||||
#endif /* CONFIG_FILS */
|
||||
#ifdef CONFIG_OWE
|
||||
else if (os_strcmp(start, "OWE") == 0)
|
||||
val |= WPA_KEY_MGMT_OWE;
|
||||
#endif /* CONFIG_OWE */
|
||||
else {
|
||||
wpa_printf(MSG_ERROR, "Line %d: invalid key_mgmt '%s'",
|
||||
line, start);
|
||||
|
|
|
|||
|
|
@ -1100,6 +1100,15 @@ static int hostapd_ctrl_iface_get_key_mgmt(struct hostapd_data *hapd,
|
|||
}
|
||||
#endif /* CONFIG_FILS */
|
||||
|
||||
#ifdef CONFIG_OWE
|
||||
if (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) {
|
||||
ret = os_snprintf(pos, end - pos, "OWE ");
|
||||
if (os_snprintf_error(end - pos, ret))
|
||||
return pos - buf;
|
||||
pos += ret;
|
||||
}
|
||||
#endif /* CONFIG_OWE */
|
||||
|
||||
if (pos > buf && *(pos - 1) == ' ') {
|
||||
*(pos - 1) = '\0';
|
||||
pos--;
|
||||
|
|
|
|||
|
|
@ -973,7 +973,8 @@ void ieee802_1x_receive(struct hostapd_data *hapd, const u8 *sa, const u8 *buf,
|
|||
}
|
||||
|
||||
key_mgmt = wpa_auth_sta_key_mgmt(sta->wpa_sm);
|
||||
if (key_mgmt != -1 && wpa_key_mgmt_wpa_psk(key_mgmt)) {
|
||||
if (key_mgmt != -1 &&
|
||||
(wpa_key_mgmt_wpa_psk(key_mgmt) || key_mgmt == WPA_KEY_MGMT_OWE)) {
|
||||
wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore EAPOL message - "
|
||||
"STA is using PSK");
|
||||
return;
|
||||
|
|
@ -1116,7 +1117,8 @@ void ieee802_1x_new_station(struct hostapd_data *hapd, struct sta_info *sta)
|
|||
}
|
||||
|
||||
key_mgmt = wpa_auth_sta_key_mgmt(sta->wpa_sm);
|
||||
if (key_mgmt != -1 && wpa_key_mgmt_wpa_psk(key_mgmt)) {
|
||||
if (key_mgmt != -1 &&
|
||||
(wpa_key_mgmt_wpa_psk(key_mgmt) || key_mgmt == WPA_KEY_MGMT_OWE)) {
|
||||
wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore STA - using PSK");
|
||||
/*
|
||||
* Clear any possible EAPOL authenticator state to support
|
||||
|
|
|
|||
|
|
@ -1809,7 +1809,8 @@ SM_STATE(WPA_PTK, INITIALIZE)
|
|||
wpa_remove_ptk(sm);
|
||||
wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 0);
|
||||
sm->TimeoutCtr = 0;
|
||||
if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
|
||||
if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
|
||||
sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE) {
|
||||
wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
|
||||
WPA_EAPOL_authorized, 0);
|
||||
}
|
||||
|
|
@ -2882,7 +2883,8 @@ SM_STATE(WPA_PTK, PTKINITDONE)
|
|||
sm->wpa_auth, sm);
|
||||
}
|
||||
|
||||
if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
|
||||
if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
|
||||
sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE) {
|
||||
wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
|
||||
WPA_EAPOL_authorized, 1);
|
||||
}
|
||||
|
|
@ -2951,7 +2953,8 @@ SM_STEP(WPA_PTK)
|
|||
wpa_auth_get_eapol(sm->wpa_auth, sm->addr,
|
||||
WPA_EAPOL_keyRun) > 0)
|
||||
SM_ENTER(WPA_PTK, INITPMK);
|
||||
else if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)
|
||||
else if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
|
||||
sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE
|
||||
/* FIX: && 802.1X::keyRun */)
|
||||
SM_ENTER(WPA_PTK, INITPSK);
|
||||
break;
|
||||
|
|
|
|||
|
|
@ -234,6 +234,13 @@ int wpa_write_rsn_ie(struct wpa_auth_config *conf, u8 *buf, size_t len,
|
|||
}
|
||||
#endif /* CONFIG_IEEE80211R_AP */
|
||||
#endif /* CONFIG_FILS */
|
||||
#ifdef CONFIG_OWE
|
||||
if (conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) {
|
||||
RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_OWE);
|
||||
pos += RSN_SELECTOR_LEN;
|
||||
num_suites++;
|
||||
}
|
||||
#endif /* CONFIG_OWE */
|
||||
|
||||
#ifdef CONFIG_RSN_TESTING
|
||||
if (rsn_testing) {
|
||||
|
|
@ -567,6 +574,10 @@ int wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth,
|
|||
selector = RSN_AUTH_KEY_MGMT_UNSPEC_802_1X;
|
||||
else if (data.key_mgmt & WPA_KEY_MGMT_PSK)
|
||||
selector = RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X;
|
||||
#ifdef CONFIG_OWE
|
||||
else if (data.key_mgmt & WPA_KEY_MGMT_OWE)
|
||||
selector = RSN_AUTH_KEY_MGMT_OWE;
|
||||
#endif /* CONFIG_OWE */
|
||||
wpa_auth->dot11RSNAAuthenticationSuiteSelected = selector;
|
||||
|
||||
selector = wpa_cipher_to_suite(WPA_PROTO_RSN,
|
||||
|
|
@ -659,6 +670,10 @@ int wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth,
|
|||
#endif /* CONFIG_SAE */
|
||||
else if (key_mgmt & WPA_KEY_MGMT_IEEE8021X)
|
||||
sm->wpa_key_mgmt = WPA_KEY_MGMT_IEEE8021X;
|
||||
#ifdef CONFIG_OWE
|
||||
else if (key_mgmt & WPA_KEY_MGMT_OWE)
|
||||
sm->wpa_key_mgmt = WPA_KEY_MGMT_OWE;
|
||||
#endif /* CONFIG_OWE */
|
||||
else
|
||||
sm->wpa_key_mgmt = WPA_KEY_MGMT_PSK;
|
||||
|
||||
|
|
|
|||
|
|
@ -55,6 +55,7 @@ typedef enum { FALSE = 0, TRUE = 1 } Boolean;
|
|||
#define WPA_KEY_MGMT_FILS_SHA384 BIT(19)
|
||||
#define WPA_KEY_MGMT_FT_FILS_SHA256 BIT(20)
|
||||
#define WPA_KEY_MGMT_FT_FILS_SHA384 BIT(21)
|
||||
#define WPA_KEY_MGMT_OWE BIT(22)
|
||||
|
||||
static inline int wpa_key_mgmt_wpa_ieee8021x(int akm)
|
||||
{
|
||||
|
|
@ -136,7 +137,8 @@ static inline int wpa_key_mgmt_wpa(int akm)
|
|||
return wpa_key_mgmt_wpa_ieee8021x(akm) ||
|
||||
wpa_key_mgmt_wpa_psk(akm) ||
|
||||
wpa_key_mgmt_fils(akm) ||
|
||||
wpa_key_mgmt_sae(akm);
|
||||
wpa_key_mgmt_sae(akm) ||
|
||||
akm == WPA_KEY_MGMT_OWE;
|
||||
}
|
||||
|
||||
static inline int wpa_key_mgmt_wpa_any(int akm)
|
||||
|
|
|
|||
|
|
@ -765,6 +765,10 @@ static int rsn_key_mgmt_to_bitfield(const u8 *s)
|
|||
return WPA_KEY_MGMT_FT_FILS_SHA256;
|
||||
if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_FILS_SHA384)
|
||||
return WPA_KEY_MGMT_FT_FILS_SHA384;
|
||||
#ifdef CONFIG_OWE
|
||||
if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_OWE)
|
||||
return WPA_KEY_MGMT_OWE;
|
||||
#endif /* CONFIG_OWE */
|
||||
if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_OSEN)
|
||||
return WPA_KEY_MGMT_OSEN;
|
||||
return 0;
|
||||
|
|
|
|||
|
|
@ -63,6 +63,7 @@ RSN_SELECTOR(0x00, 0x0f, 0xac, 13)
|
|||
#define RSN_AUTH_KEY_MGMT_FILS_SHA384 RSN_SELECTOR(0x00, 0x0f, 0xac, 15)
|
||||
#define RSN_AUTH_KEY_MGMT_FT_FILS_SHA256 RSN_SELECTOR(0x00, 0x0f, 0xac, 16)
|
||||
#define RSN_AUTH_KEY_MGMT_FT_FILS_SHA384 RSN_SELECTOR(0x00, 0x0f, 0xac, 17)
|
||||
#define RSN_AUTH_KEY_MGMT_OWE RSN_SELECTOR(0x00, 0x0f, 0xac, 18)
|
||||
#define RSN_AUTH_KEY_MGMT_CCKM RSN_SELECTOR(0x00, 0x40, 0x96, 0x00)
|
||||
#define RSN_AUTH_KEY_MGMT_OSEN RSN_SELECTOR(0x50, 0x6f, 0x9a, 0x01)
|
||||
|
||||
|
|
|
|||
|
|
@ -652,7 +652,8 @@ static void wpa_supplicant_key_neg_complete(struct wpa_sm *sm,
|
|||
sm, addr, MLME_SETPROTECTION_PROTECT_TYPE_RX_TX,
|
||||
MLME_SETPROTECTION_KEY_TYPE_PAIRWISE);
|
||||
eapol_sm_notify_portValid(sm->eapol, TRUE);
|
||||
if (wpa_key_mgmt_wpa_psk(sm->key_mgmt))
|
||||
if (wpa_key_mgmt_wpa_psk(sm->key_mgmt) ||
|
||||
sm->key_mgmt == WPA_KEY_MGMT_OWE)
|
||||
eapol_sm_notify_eap_success(sm->eapol, TRUE);
|
||||
/*
|
||||
* Start preauthentication after a short wait to avoid a
|
||||
|
|
|
|||
|
|
@ -192,6 +192,10 @@ static int wpa_gen_wpa_ie_rsn(u8 *rsn_ie, size_t rsn_ie_len,
|
|||
RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_FILS_SHA384);
|
||||
#endif /* CONFIG_IEEE80211R */
|
||||
#endif /* CONFIG_FILS */
|
||||
#ifdef CONFIG_OWE
|
||||
} else if (key_mgmt & WPA_KEY_MGMT_OWE) {
|
||||
RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_OWE);
|
||||
#endif /* CONFIG_OWE */
|
||||
} else {
|
||||
wpa_printf(MSG_WARNING, "Invalid key management type (%d).",
|
||||
key_mgmt);
|
||||
|
|
|
|||
|
|
@ -732,6 +732,10 @@ static int wpa_config_parse_key_mgmt(const struct parse_data *data,
|
|||
val |= WPA_KEY_MGMT_FT_FILS_SHA384;
|
||||
#endif /* CONFIG_IEEE80211R */
|
||||
#endif /* CONFIG_FILS */
|
||||
#ifdef CONFIG_OWE
|
||||
else if (os_strcmp(start, "OWE") == 0)
|
||||
val |= WPA_KEY_MGMT_OWE;
|
||||
#endif /* CONFIG_OWE */
|
||||
else {
|
||||
wpa_printf(MSG_ERROR, "Line %d: invalid key_mgmt '%s'",
|
||||
line, start);
|
||||
|
|
|
|||
|
|
@ -2578,6 +2578,16 @@ static char * wpa_supplicant_ie_txt(char *pos, char *end, const char *proto,
|
|||
#endif /* CONFIG_IEEE80211R */
|
||||
#endif /* CONFIG_FILS */
|
||||
|
||||
#ifdef CONFIG_OWE
|
||||
if (data.key_mgmt & WPA_KEY_MGMT_OWE) {
|
||||
ret = os_snprintf(pos, end - pos, "%sOWE",
|
||||
pos == start ? "" : "+");
|
||||
if (os_snprintf_error(end - pos, ret))
|
||||
return pos;
|
||||
pos += ret;
|
||||
}
|
||||
#endif /* CONFIG_OWE */
|
||||
|
||||
if (data.key_mgmt & WPA_KEY_MGMT_OSEN) {
|
||||
ret = os_snprintf(pos, end - pos, "%sOSEN",
|
||||
pos == start ? "" : "+");
|
||||
|
|
|
|||
|
|
@ -302,7 +302,8 @@ void wpa_supplicant_mark_disassoc(struct wpa_supplicant *wpa_s)
|
|||
|
||||
eapol_sm_notify_portEnabled(wpa_s->eapol, FALSE);
|
||||
eapol_sm_notify_portValid(wpa_s->eapol, FALSE);
|
||||
if (wpa_key_mgmt_wpa_psk(wpa_s->key_mgmt))
|
||||
if (wpa_key_mgmt_wpa_psk(wpa_s->key_mgmt) ||
|
||||
wpa_s->key_mgmt == WPA_KEY_MGMT_OWE)
|
||||
eapol_sm_notify_eap_success(wpa_s->eapol, FALSE);
|
||||
wpa_s->ap_ies_from_associnfo = 0;
|
||||
wpa_s->current_ssid = NULL;
|
||||
|
|
@ -2521,7 +2522,8 @@ static void wpa_supplicant_event_assoc(struct wpa_supplicant *wpa_s,
|
|||
eapol_sm_notify_portEnabled(wpa_s->eapol, FALSE);
|
||||
eapol_sm_notify_portValid(wpa_s->eapol, FALSE);
|
||||
}
|
||||
if (wpa_key_mgmt_wpa_psk(wpa_s->key_mgmt) || ft_completed ||
|
||||
if (wpa_key_mgmt_wpa_psk(wpa_s->key_mgmt) ||
|
||||
wpa_s->key_mgmt == WPA_KEY_MGMT_OWE || ft_completed ||
|
||||
already_authorized)
|
||||
eapol_sm_notify_eap_success(wpa_s->eapol, FALSE);
|
||||
/* 802.1X::portControl = Auto */
|
||||
|
|
|
|||
|
|
@ -997,7 +997,8 @@ int wpa_supplicant_reload_configuration(struct wpa_supplicant *wpa_s)
|
|||
* TODO: should notify EAPOL SM about changes in opensc_engine_path,
|
||||
* pkcs11_engine_path, pkcs11_module_path, openssl_ciphers.
|
||||
*/
|
||||
if (wpa_key_mgmt_wpa_psk(wpa_s->key_mgmt)) {
|
||||
if (wpa_key_mgmt_wpa_psk(wpa_s->key_mgmt) ||
|
||||
wpa_s->key_mgmt == WPA_KEY_MGMT_OWE) {
|
||||
/*
|
||||
* Clear forced success to clear EAP state for next
|
||||
* authentication.
|
||||
|
|
@ -1333,6 +1334,11 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s,
|
|||
wpa_s->key_mgmt = WPA_KEY_MGMT_OSEN;
|
||||
wpa_dbg(wpa_s, MSG_DEBUG, "HS 2.0: using KEY_MGMT OSEN");
|
||||
#endif /* CONFIG_HS20 */
|
||||
#ifdef CONFIG_OWE
|
||||
} else if (sel & WPA_KEY_MGMT_OWE) {
|
||||
wpa_s->key_mgmt = WPA_KEY_MGMT_OWE;
|
||||
wpa_dbg(wpa_s, MSG_DEBUG, "RSN: using KEY_MGMT OWE");
|
||||
#endif /* CONFIG_OWE */
|
||||
} else {
|
||||
wpa_msg(wpa_s, MSG_WARNING, "WPA: Failed to select "
|
||||
"authenticated key management type");
|
||||
|
|
@ -3575,6 +3581,7 @@ void wpa_supplicant_rx_eapol(void *ctx, const u8 *src_addr,
|
|||
|
||||
os_memcpy(wpa_s->last_eapol_src, src_addr, ETH_ALEN);
|
||||
if (!wpa_key_mgmt_wpa_psk(wpa_s->key_mgmt) &&
|
||||
wpa_s->key_mgmt != WPA_KEY_MGMT_OWE &&
|
||||
eapol_sm_rx_eapol(wpa_s->eapol, src_addr, buf, len) > 0)
|
||||
return;
|
||||
wpa_drv_poll(wpa_s);
|
||||
|
|
|
|||
|
|
@ -146,6 +146,7 @@ static int wpa_supplicant_eapol_send(void *ctx, int type, const u8 *buf,
|
|||
* extra copy here */
|
||||
|
||||
if (wpa_key_mgmt_wpa_psk(wpa_s->key_mgmt) ||
|
||||
wpa_s->key_mgmt == WPA_KEY_MGMT_OWE ||
|
||||
wpa_s->key_mgmt == WPA_KEY_MGMT_NONE) {
|
||||
/* Current SSID is not using IEEE 802.1X/EAP, so drop possible
|
||||
* EAPOL frames (mainly, EAPOL-Start) from EAPOL state
|
||||
|
|
|
|||
Loading…
Reference in a new issue