From c1790a5ff8b68492b3a9097b5d2616b1966d08db Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Sat, 13 Jan 2018 03:56:26 +0200 Subject: [PATCH] OWE: Allow station in transition mode to connect to an open BSS If the OWE network profile matches an open network which does not advertise OWE BSS, allow open connection. The new owe_only=1 network profile parameter can be used to disable this transition mode and enforce connection only with OWE networks. Signed-off-by: Jouni Malinen --- wpa_supplicant/config.c | 1 + wpa_supplicant/config_file.c | 1 + wpa_supplicant/config_ssid.h | 9 +++++++++ wpa_supplicant/events.c | 19 ++++++++++++++++++- wpa_supplicant/wpa_supplicant.c | 9 +++++++++ 5 files changed, 38 insertions(+), 1 deletion(-) diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c index a0d480ed9..0ee4d2f4c 100644 --- a/wpa_supplicant/config.c +++ b/wpa_supplicant/config.c @@ -2300,6 +2300,7 @@ static const struct parse_data ssid_fields[] = { { STR_LEN(dpp_csign) }, #endif /* CONFIG_DPP */ { INT_RANGE(owe_group, 0, 65535) }, + { INT_RANGE(owe_only, 0, 1) }, }; #undef OFFSET diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c index 6b7abe2bb..370fe2af0 100644 --- a/wpa_supplicant/config_file.c +++ b/wpa_supplicant/config_file.c @@ -873,6 +873,7 @@ static void wpa_config_write_network(FILE *f, struct wpa_ssid *ssid) STR(dpp_csign); #endif /* CONFIG_DPP */ INT(owe_group); + INT(owe_only); #ifdef CONFIG_HT_OVERRIDES INT_DEF(disable_ht, DEFAULT_DISABLE_HT); INT_DEF(disable_ht40, DEFAULT_DISABLE_HT40); diff --git a/wpa_supplicant/config_ssid.h b/wpa_supplicant/config_ssid.h index 15bfa7c5b..87a45c435 100644 --- a/wpa_supplicant/config_ssid.h +++ b/wpa_supplicant/config_ssid.h @@ -897,6 +897,15 @@ struct wpa_ssid { * currently supported. */ int owe_group; + + /** + * owe_only - OWE-only mode (disable transition mode) + * + * 0 = enable transition mode (allow connection to either OWE or open + * BSS) + * 1 = disable transition mode (allow connection only with OWE) + */ + int owe_only; }; #endif /* CONFIG_SSID_H */ diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c index 26568486f..8e46b76e8 100644 --- a/wpa_supplicant/events.c +++ b/wpa_supplicant/events.c @@ -487,6 +487,11 @@ static int wpa_supplicant_match_privacy(struct wpa_bss *bss, return 1; #endif /* CONFIG_WPS */ +#ifdef CONFIG_OWE + if ((ssid->key_mgmt & WPA_KEY_MGMT_OWE) && !ssid->owe_only) + return 1; +#endif /* CONFIG_OWE */ + if (has_wep_key(ssid)) privacy = 1; @@ -622,7 +627,8 @@ static int wpa_supplicant_ssid_bss_match(struct wpa_supplicant *wpa_s, } #ifdef CONFIG_IEEE80211W - if (wpas_get_ssid_pmf(wpa_s, ssid) == MGMT_FRAME_PROTECTION_REQUIRED) { + if (wpas_get_ssid_pmf(wpa_s, ssid) == MGMT_FRAME_PROTECTION_REQUIRED && + (!(ssid->key_mgmt & WPA_KEY_MGMT_OWE) || ssid->owe_only)) { if (debug_print) wpa_dbg(wpa_s, MSG_DEBUG, " skip - MFP Required but network not MFP Capable"); @@ -692,6 +698,16 @@ static int wpa_supplicant_ssid_bss_match(struct wpa_supplicant *wpa_s, return 1; } +#ifdef CONFIG_OWE + if ((ssid->key_mgmt & WPA_KEY_MGMT_OWE) && !ssid->owe_only && + !wpa_ie && !rsn_ie) { + if (debug_print) + wpa_dbg(wpa_s, MSG_DEBUG, + " allow in OWE transition mode"); + return 1; + } +#endif /* CONFIG_OWE */ + if ((ssid->proto & (WPA_PROTO_WPA | WPA_PROTO_RSN)) && wpa_key_mgmt_wpa(ssid->key_mgmt) && proto_match == 0) { if (debug_print) @@ -1137,6 +1153,7 @@ struct wpa_ssid * wpa_scan_res_match(struct wpa_supplicant *wpa_s, if (!osen && !wpa && !(ssid->key_mgmt & WPA_KEY_MGMT_NONE) && !(ssid->key_mgmt & WPA_KEY_MGMT_WPS) && + !(ssid->key_mgmt & WPA_KEY_MGMT_OWE) && !(ssid->key_mgmt & WPA_KEY_MGMT_IEEE8021X_NO_WPA)) { if (debug_print) wpa_dbg(wpa_s, MSG_DEBUG, diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c index 9bc2c2710..8544aef22 100644 --- a/wpa_supplicant/wpa_supplicant.c +++ b/wpa_supplicant/wpa_supplicant.c @@ -1261,6 +1261,15 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s, WPA_CIPHER_AES_128_CMAC; } #endif /* CONFIG_IEEE80211W */ +#ifdef CONFIG_OWE + if ((ssid->key_mgmt & WPA_KEY_MGMT_OWE) && + !ssid->owe_only && + !bss_wpa && !bss_rsn && !bss_osen) { + wpa_supplicant_set_non_wpa_policy(wpa_s, ssid); + wpa_s->wpa_proto = 0; + return 0; + } +#endif /* CONFIG_OWE */ wpa_dbg(wpa_s, MSG_DEBUG, "WPA: Set cipher suites " "based on configuration"); } else