Enable FT with SAE
It was already possible to configure hostapd and wpa_supplicant to use FT-SAE for the key management, but a number of places were missing proper AKM checks to allow FT to be used with the new AKM. Signed-hostap: Jouni Malinen <j@w1.fi>
parent
2b00519431
commit
aa189ac9dd
7 changed files with 27 additions and 11 deletions
|
@ -1057,7 +1057,9 @@ static u16 check_assoc_ies(struct hostapd_data *hapd, struct sta_info *sta,
|
|||
|
||||
#ifdef CONFIG_SAE
|
||||
if (wpa_auth_uses_sae(sta->wpa_sm) &&
|
||||
sta->auth_alg != WLAN_AUTH_SAE) {
|
||||
sta->auth_alg != WLAN_AUTH_SAE &&
|
||||
!(sta->auth_alg == WLAN_AUTH_FT &&
|
||||
wpa_auth_uses_ft_sae(sta->wpa_sm))) {
|
||||
wpa_printf(MSG_DEBUG, "SAE: " MACSTR " tried to use "
|
||||
"SAE AKM after non-SAE auth_alg %u",
|
||||
MAC2STR(sta->addr), sta->auth_alg);
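Review bot: The new exemption in check_assoc_ies() accepts a station whose auth_alg is WLAN_AUTH_FT when the AKM is FT-SAE, but nothing next to the condition says why that combination is acceptable, and the nested negation is easy to misread. A comment above the `if` would make the rule explicit, for example `/* FT protocol reassociation uses auth_alg FT with the FT-SAE AKM; the plain SAE AKM still requires SAE authentication */`. It is also worth checking that the debug text "tried to use SAE AKM after non-SAE auth_alg" still reads correctly when the rejected AKM is FT-SAE. The function starts and ends outside this hunk.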
|
||||
|
|
|
@ -3095,3 +3095,11 @@ int wpa_auth_uses_sae(struct wpa_state_machine *sm)
|
|||
return 0;
|
||||
return wpa_key_mgmt_sae(sm->wpa_key_mgmt);
|
||||
}
|
||||
|
||||
|
||||
int wpa_auth_uses_ft_sae(struct wpa_state_machine *sm)
|
||||
{
|
||||
if (sm == NULL)
|
||||
return 0;
|
||||
return sm->wpa_key_mgmt == WPA_KEY_MGMT_FT_SAE;
|
||||
}
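Review bot: wpa_auth_uses_ft_sae() tests sm->wpa_key_mgmt with `==`, while wpa_auth_uses_sae() just above it goes through the wpa_key_mgmt_sae() helper. The two styles agree only if wpa_key_mgmt holds exactly one selected AKM, which this hunk does not show. A one-line header comment would record that assumption, e.g. `/* Returns 1 only when the negotiated AKM is exactly FT-SAE; assumes wpa_key_mgmt holds a single AKM */`. The start of wpa_auth_uses_sae() is outside the hunk.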
|
||||
|
|
|
@ -295,5 +295,6 @@ int wpa_wnmsleep_gtk_subelem(struct wpa_state_machine *sm, u8 *pos);
|
|||
int wpa_wnmsleep_igtk_subelem(struct wpa_state_machine *sm, u8 *pos);
|
||||
|
||||
int wpa_auth_uses_sae(struct wpa_state_machine *sm);
|
||||
int wpa_auth_uses_ft_sae(struct wpa_state_machine *sm);
|
||||
|
||||
#endif /* WPA_AUTH_H */
|
||||
|
|
|
@ -633,8 +633,7 @@ u8 * wpa_sm_write_assoc_resp_ies(struct wpa_state_machine *sm, u8 *pos,
|
|||
|
||||
conf = &sm->wpa_auth->conf;
|
||||
|
||||
if (sm->wpa_key_mgmt != WPA_KEY_MGMT_FT_IEEE8021X &&
|
||||
sm->wpa_key_mgmt != WPA_KEY_MGMT_FT_PSK)
|
||||
if (!wpa_key_mgmt_ft(sm->wpa_key_mgmt))
|
||||
return pos;
|
||||
|
||||
end = pos + max_len;
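Review bot: The replacement test `if (!wpa_key_mgmt_ft(sm->wpa_key_mgmt))` enables FT-SAE here only if wpa_key_mgmt_ft() already includes WPA_KEY_MGMT_FT_SAE, and that helper's body is neither changed nor shown in this commit (only its signature appears as context in the next file). The same substitution is made in wpa_ft_process_response(), wpa_ft_is_completed() and wpa_ft_validate_reassoc_resp(), so all four paths depend on it. Judging by the neighbouring helpers, it is probably a bitmask test, which is looser than the two `!=` comparisons it replaces if the field could ever carry more than one bit. Please confirm both points, and consider naming the helper's AKM list in the commit message. wpa_sm_write_assoc_resp_ies() continues outside the hunk.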
|
||||
|
|
|
@ -64,7 +64,8 @@ static inline int wpa_key_mgmt_wpa_psk(int akm)
|
|||
return !!(akm & (WPA_KEY_MGMT_PSK |
|
||||
WPA_KEY_MGMT_FT_PSK |
|
||||
WPA_KEY_MGMT_PSK_SHA256 |
|
||||
WPA_KEY_MGMT_SAE));
|
||||
WPA_KEY_MGMT_SAE |
|
||||
WPA_KEY_MGMT_FT_SAE));
|
||||
}
|
||||
|
||||
static inline int wpa_key_mgmt_ft(int akm)
|
||||
|
@ -89,7 +90,8 @@ static inline int wpa_key_mgmt_sha256(int akm)
|
|||
static inline int wpa_key_mgmt_wpa(int akm)
|
||||
{
|
||||
return wpa_key_mgmt_wpa_ieee8021x(akm) ||
|
||||
wpa_key_mgmt_wpa_psk(akm);
|
||||
wpa_key_mgmt_wpa_psk(akm) ||
|
||||
wpa_key_mgmt_sae(akm);
|
||||
}
|
||||
|
||||
static inline int wpa_key_mgmt_wpa_any(int akm)
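Review bot: wpa_key_mgmt_wpa_psk() now returns non-zero for WPA_KEY_MGMT_FT_SAE as well as WPA_KEY_MGMT_SAE, although with SAE the PMK comes out of the SAE exchange rather than directly from the configured passphrase, so any caller that reads this helper as "the PMK is the PSK" would handle SAE stations incorrectly. Those callers are not visible here, so this is a point to check rather than a confirmed defect. A comment on the helper would state the intended meaning, e.g. `/* Also true for SAE and FT-SAE: passphrase-based AKMs, not only PSK-derived PMKs */`. If wpa_key_mgmt_sae() covers both SAE bits, the `|| wpa_key_mgmt_sae(akm)` added to wpa_key_mgmt_wpa() is redundant with the first hunk.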
|
||||
|
|
|
@ -701,6 +701,11 @@ static u16 sae_group_allowed(struct sae_data *sae, int *allowed_groups,
|
|||
return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
|
||||
}
|
||||
|
||||
if (sae->tmp == NULL) {
|
||||
wpa_printf(MSG_DEBUG, "SAE: Group information not yet initialized");
|
||||
return WLAN_STATUS_UNSPECIFIED_FAILURE;
|
||||
}
|
||||
|
||||
if (sae->tmp->dh && !allowed_groups) {
|
||||
wpa_printf(MSG_DEBUG, "SAE: Do not allow FFC group %u without "
|
||||
"explicit configuration enabling it", group);
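Review bot: The added `sae->tmp == NULL` guard in sae_group_allowed() protects the `sae->tmp->dh` dereference directly below it, but the only explanation is the debug string, which does not say which call order leaves the pointer unset. This function presumably runs on data received from the peer, so a comment would help the next reader judge whether other users of sae->tmp need the same guard, e.g. `/* sae->tmp may be unset if no group has been selected yet; TODO confirm caller order */`. The function starts and ends outside this hunk.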
|
||||
|
|
|
@ -207,6 +207,8 @@ static u8 * wpa_ft_gen_req_ies(struct wpa_sm *sm, size_t *len,
|
|||
RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_802_1X);
|
||||
else if (sm->key_mgmt == WPA_KEY_MGMT_FT_PSK)
|
||||
RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_PSK);
|
||||
else if (sm->key_mgmt == WPA_KEY_MGMT_FT_SAE)
|
||||
RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_SAE);
|
||||
else {
|
||||
wpa_printf(MSG_WARNING, "FT: Invalid key management type (%d)",
|
||||
sm->key_mgmt);
|
||||
|
@ -400,8 +402,7 @@ int wpa_ft_process_response(struct wpa_sm *sm, const u8 *ies, size_t ies_len,
|
|||
}
|
||||
}
|
||||
|
||||
if (sm->key_mgmt != WPA_KEY_MGMT_FT_IEEE8021X &&
|
||||
sm->key_mgmt != WPA_KEY_MGMT_FT_PSK) {
|
||||
if (!wpa_key_mgmt_ft(sm->key_mgmt)) {
|
||||
wpa_printf(MSG_DEBUG, "FT: Reject FT IEs since FT is not "
|
||||
"enabled for this connection");
|
||||
return -1;
|
||||
|
@ -526,8 +527,7 @@ int wpa_ft_is_completed(struct wpa_sm *sm)
|
|||
if (sm == NULL)
|
||||
return 0;
|
||||
|
||||
if (sm->key_mgmt != WPA_KEY_MGMT_FT_IEEE8021X &&
|
||||
sm->key_mgmt != WPA_KEY_MGMT_FT_PSK)
|
||||
if (!wpa_key_mgmt_ft(sm->key_mgmt))
|
||||
return 0;
|
||||
|
||||
return sm->ft_completed;
|
||||
|
@ -678,8 +678,7 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies,
|
|||
|
||||
wpa_hexdump(MSG_DEBUG, "FT: Response IEs", ies, ies_len);
|
||||
|
||||
if (sm->key_mgmt != WPA_KEY_MGMT_FT_IEEE8021X &&
|
||||
sm->key_mgmt != WPA_KEY_MGMT_FT_PSK) {
|
||||
if (!wpa_key_mgmt_ft(sm->key_mgmt)) {
|
||||
wpa_printf(MSG_DEBUG, "FT: Reject FT IEs since FT is not "
|
||||
"enabled for this connection");
|
||||
return -1;
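Review bot: wpa_ft_gen_req_ies() still picks the AKM selector through an explicit `else if` chain on sm->key_mgmt, while the three checks later in this file now go through wpa_key_mgmt_ft(), so the two lists have to be kept in step by hand. If another FT AKM is later added to the helper but not to this chain, the request ends in the "FT: Invalid key management type" branch and the mismatch shows up only at run time. A comment above the chain would flag the dependency: `/* Keep in sync with wpa_key_mgmt_ft() */`. All four functions continue outside their hunks.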
|
||||
|
|