From 0b60b0aaadaeec905d8e07a56b88cdfa83cad300 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sat, 30 Aug 2008 14:59:39 +0300
Subject: [PATCH] Updated MFP defines based on IEEE 802.11w/D6.0 and use new MFPC/MFPR

This adds most of the new frame format and identifier definitions from IEEE 802.11w/D6.0. In addition, the RSN IE capability field values for MFP is replaced with the new two-bit version with MFPC (capable) and MFPR (required) processing.
---
 hostapd/wpa_auth_ie.c | 12 +++++++-----
 src/common/ieee802_11_defs.h | 26 +++++++++++++++++++++-----
 src/common/wpa_common.h | 10 +++++++++-
 src/rsn_supp/wpa_ft.c | 2 +-
 src/rsn_supp/wpa_ie.c | 2 +-
 wpa_supplicant/events.c | 4 ++--
 wpa_supplicant/wpa_supplicant.c | 4 ++--
 7 files changed, 43 insertions(+), 17 deletions(-)
diff --git a/hostapd/wpa_auth_ie.c b/hostapd/wpa_auth_ie.c
index 7af753161..78b069399 100644
--- a/hostapd/wpa_auth_ie.c
+++ b/hostapd/wpa_auth_ie.c
@@ -208,8 +208,11 @@ int wpa_write_rsn_ie(struct wpa_auth_config *conf, u8 *buf, size_t len,
 capab |= (RSN_NUM_REPLAY_COUNTERS_16 << 2);
 }
 #ifdef CONFIG_IEEE80211W
- if (conf->ieee80211w != WPA_NO_IEEE80211W)
- capab |= WPA_CAPABILITY_MGMT_FRAME_PROTECTION;
+ if (conf->ieee80211w != WPA_NO_IEEE80211W) {
+ capab |= WPA_CAPABILITY_MFPC;
+ if (conf->ieee80211w == IEEE80211W_REQUIRED)
+ capab |= WPA_CAPABILITY_MFPR;
+ }
 #endif /* CONFIG_IEEE80211W */
 WPA_PUT_LE16(pos, capab);
 pos += 2;
@@ -580,8 +583,7 @@ int wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth,
 #ifdef CONFIG_IEEE80211W
 if (wpa_auth->conf.ieee80211w == WPA_IEEE80211W_REQUIRED) {
- if (!(data.capabilities &
- WPA_CAPABILITY_MGMT_FRAME_PROTECTION)) {
+ if (!(data.capabilities & WPA_CAPABILITY_MFPC)) {
 wpa_printf(MSG_DEBUG, "Management frame protection "
 "required, but client did not enable it");
 return WPA_MGMT_FRAME_PROTECTION_VIOLATION;
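Review bot: In the `wpa_write_rsn_ie` hunk of hostapd/wpa_auth_ie.c the new inner test compares `conf->ieee80211w` with `IEEE80211W_REQUIRED`, while the line directly above it uses `WPA_NO_IEEE80211W` and `wpa_validate_wpa_ie` in the same file uses `WPA_IEEE80211W_REQUIRED` for the same field. If the unprefixed name belongs to a different enum, MFPR is advertised correctly only while both enums keep identical numeric values, and that is not visible in this patch. I would write `if (conf->ieee80211w == WPA_IEEE80211W_REQUIRED)` so the advertised policy bit cannot drift from the enforced one. The function body starts and ends outside the hunk.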
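Review bot: `wpa_validate_wpa_ie` still inspects only `WPA_CAPABILITY_MFPC` in the station's RSN capabilities, both in the `@@ -580` hunk and in the following `@@ -601` hunk that sets `sm->mgmt_frame_prot`, so the newly defined MFPR bit from the peer is never examined. As far as these hunks show, an RSN IE with MFPR set but MFPC clear, or a station demanding MFP while `conf.ieee80211w == WPA_NO_IEEE80211W`, is accepted and simply ends up with `mgmt_frame_prot = 0`. Unless a check outside the visible context already covers it, consider rejecting the inconsistent combination before the assignment, e.g. `if ((data.capabilities & WPA_CAPABILITY_MFPR) && !(data.capabilities & WPA_CAPABILITY_MFPC)) return WPA_MGMT_FRAME_PROTECTION_VIOLATION;`. The function body continues outside both hunks.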
@@ -601,7 +603,7 @@ int wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth,
 }
 if (wpa_auth->conf.ieee80211w == WPA_NO_IEEE80211W ||
- !(data.capabilities & WPA_CAPABILITY_MGMT_FRAME_PROTECTION))
+ !(data.capabilities & WPA_CAPABILITY_MFPC))
 sm->mgmt_frame_prot = 0;
 else
 sm->mgmt_frame_prot = 1;
diff --git a/src/common/ieee802_11_defs.h b/src/common/ieee802_11_defs.h
index 7cbe7ae71..a42cb1a60 100644
--- a/src/common/ieee802_11_defs.h
+++ b/src/common/ieee802_11_defs.h
@@ -92,7 +92,7 @@
 #define WLAN_CAPABILITY_SHORT_SLOT_TIME BIT(10)
 #define WLAN_CAPABILITY_DSSS_OFDM BIT(13)
-/* Status codes */
+/* Status codes (IEEE 802.11-2007, 7.3.1.9, Table 7-23) */
 #define WLAN_STATUS_SUCCESS 0
 #define WLAN_STATUS_UNSPECIFIED_FAILURE 1
 #define WLAN_STATUS_CAPS_UNSUPPORTED 10
@@ -112,10 +112,12 @@
 #define WLAN_STATUS_SPEC_MGMT_REQUIRED 22
 #define WLAN_STATUS_PWR_CAPABILITY_NOT_VALID 23
 #define WLAN_STATUS_SUPPORTED_CHANNEL_NOT_VALID 24
-/* 802.11g */
+/* IEEE 802.11g */
 #define WLAN_STATUS_ASSOC_DENIED_NO_SHORT_SLOT_TIME 25
 #define WLAN_STATUS_ASSOC_DENIED_NO_ER_PBCC 26
 #define WLAN_STATUS_ASSOC_DENIED_NO_DSSS_OFDM 27
+/* IEEE 802.11w */
+#define WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY 30
 /* IEEE 802.11i */
 #define WLAN_STATUS_INVALID_IE 40
 #define WLAN_STATUS_GROUP_CIPHER_NOT_VALID 41
@@ -136,7 +138,7 @@
 #define WLAN_STATUS_INVALID_MDIE 55
 #define WLAN_STATUS_INVALID_FTIE 56
-/* Reason codes */
+/* Reason codes (IEEE 802.11-2007, 7.3.1.7, Table 7-22) */
 #define WLAN_REASON_UNSPECIFIED 1
 #define WLAN_REASON_PREV_AUTH_NOT_VALID 2
 #define WLAN_REASON_DEAUTH_LEAVING 3
@@ -146,7 +148,7 @@
 #define WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA 7
 #define WLAN_REASON_DISASSOC_STA_HAS_LEFT 8
 #define WLAN_REASON_STA_REQ_ASSOC_WITHOUT_AUTH 9
-/* 802.11h */
+/* IEEE 802.11h */
 #define WLAN_REASON_PWR_CAPABILITY_NOT_VALID 10
 #define WLAN_REASON_SUPPORTED_CHANNEL_NOT_VALID 11
 /* IEEE 802.11i */
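Review bot: The identifiers added under the bare `/* IEEE 802.11w */` comment do not record that they come from a draft: `WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY 30` in the `@@ -112` hunk, and in the later hunks of ieee802_11_defs.h the two new reason codes, `WLAN_EID_MMIE`, `WLAN_EID_ASSOC_COMEBACK_TIME` and `WLAN_ACTION_PING`. The commit message says they follow IEEE 802.11w/D6.0, and draft-assigned numbers can be reassigned before publication while these values end up in frames that peers parse. I would make the comment carry the revision, e.g. `/* IEEE 802.11w/D6.0 (draft; re-check values against the published amendment) */`, in line with the clause and table references this commit adds to the other section comments.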
@@ -162,6 +164,9 @@
 #define WLAN_REASON_INVALID_RSN_IE_CAPAB 22
 #define WLAN_REASON_IEEE_802_1X_AUTH_FAILED 23
 #define WLAN_REASON_CIPHER_SUITE_REJECTED 24
+/* IEEE 802.11w */
+#define WLAN_REASON_INVALID_GROUP_MGMT_CIPHER 25
+#define WLAN_REASON_ROBUST_MGMT_FRAME_POLICY_VIOLATION 26
 /* Information Element IDs */
@@ -199,16 +204,19 @@
 #define WLAN_EID_20_40_BSS_COEXISTENCE 72
 #define WLAN_EID_20_40_BSS_INTOLERANT 73
 #define WLAN_EID_OVERLAPPING_BSS_SCAN_PARAMS 74
+#define WLAN_EID_MMIE 76
+#define WLAN_EID_ASSOC_COMEBACK_TIME 77
 #define WLAN_EID_VENDOR_SPECIFIC 221
-/* Action frame categories */
+/* Action frame categories (IEEE 802.11-2007, 7.3.1.11, Table 7-24) */
 #define WLAN_ACTION_SPECTRUM_MGMT 0
 #define WLAN_ACTION_QOS 1
 #define WLAN_ACTION_DLS 2
 #define WLAN_ACTION_BLOCK_ACK 3
 #define WLAN_ACTION_RADIO_MEASUREMENT 5
 #define WLAN_ACTION_FT 6
+#define WLAN_ACTION_PING 8
 #ifdef _MSC_VER
@@ -306,6 +314,14 @@ struct ieee80211_mgmt {
 le16 status_code;
 u8 variable[0]; /* FT Request */
 } STRUCT_PACKED ft_action_resp;
+ struct {
+ u8 action;
+ u8 transaction_id[16];
+ } STRUCT_PACKED ping_req;
+ struct {
+ u8 action;
+ u8 transaction_id[16];
+ } STRUCT_PACKED ping_resp;
 } u;
 } STRUCT_PACKED action;
 } u;
diff --git a/src/common/wpa_common.h b/src/common/wpa_common.h
index 9b9e39e35..fa5a154aa 100644
--- a/src/common/wpa_common.h
+++ b/src/common/wpa_common.h
@@ -54,6 +54,9 @@
 #define RSN_AUTH_KEY_MGMT_FT_802_1X RSN_SELECTOR(0x00, 0x0f, 0xac, 3)
 #define RSN_AUTH_KEY_MGMT_FT_PSK RSN_SELECTOR(0x00, 0x0f, 0xac, 4)
 #endif /* CONFIG_IEEE80211R */
+#define RSN_AUTH_KEY_MGMT_802_1X_SHA256 RSN_SELECTOR(0x00, 0x0f, 0xac, 5)
+#define RSN_AUTH_KEY_MGMT_PSK_SHA256 RSN_SELECTOR(0x00, 0x0f, 0xac, 6)
+
 #define RSN_CIPHER_SUITE_NONE RSN_SELECTOR(0x00, 0x0f, 0xac, 0)
 #define RSN_CIPHER_SUITE_WEP40 RSN_SELECTOR(0x00, 0x0f, 0xac, 1)
 #define RSN_CIPHER_SUITE_TKIP RSN_SELECTOR(0x00, 0x0f, 0xac, 2)
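Review bot: The `ping_req` and `ping_resp` members added to `struct ieee80211_mgmt` in the `@@ -306` hunk hard-code the transaction identifier length as `16` twice and carry no comment. Any receive path that reads `transaction_id` has to confirm the frame is long enough for the action byte plus the full identifier, and a named constant gives that length check something to refer to. I would add `#define WLAN_PING_TRANS_ID_LEN 16` next to `WLAN_ACTION_PING` and declare `u8 transaction_id[WLAN_PING_TRANS_ID_LEN];` in both structs. The struct definition starts and ends outside the hunk.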
@@ -107,7 +110,11 @@
 /* IEEE 802.11, 7.3.2.25.3 RSN Capabilities */
 #define WPA_CAPABILITY_PREAUTH BIT(0)
-#define WPA_CAPABILITY_MGMT_FRAME_PROTECTION BIT(7)
+#define WPA_CAPABILITY_NO_PAIRWISE BIT(1)
+/* B2-B3: PTKSA Replay Counter */
+/* B4-B5: GTKSA Replay Counter */
+#define WPA_CAPABILITY_MFPR BIT(6)
+#define WPA_CAPABILITY_MFPC BIT(7)
 #define WPA_CAPABILITY_PEERKEY_ENABLED BIT(9)
@@ -273,6 +280,7 @@ struct rsn_ftie {
 #define FTIE_SUBELEM_R1KH_ID 1
 #define FTIE_SUBELEM_GTK 2
 #define FTIE_SUBELEM_R0KH_ID 3
+#define FTIE_SUBELEM_IGTK 4
 #endif /* CONFIG_IEEE80211R */
diff --git a/src/rsn_supp/wpa_ft.c b/src/rsn_supp/wpa_ft.c
index a5060a624..7cc11e67e 100644
--- a/src/rsn_supp/wpa_ft.c
+++ b/src/rsn_supp/wpa_ft.c
@@ -193,7 +193,7 @@ static u8 * wpa_ft_gen_req_ies(struct wpa_sm *sm, size_t *len,
 capab = 0;
 #ifdef CONFIG_IEEE80211W
 if (sm->mgmt_group_cipher == WPA_CIPHER_AES_128_CMAC)
- capab |= WPA_CAPABILITY_MGMT_FRAME_PROTECTION;
+ capab |= WPA_CAPABILITY_MFPC;
 #endif /* CONFIG_IEEE80211W */
 WPA_PUT_LE16(pos, capab);
 pos += 2;
diff --git a/src/rsn_supp/wpa_ie.c b/src/rsn_supp/wpa_ie.c
index b3bb8d814..94a542dd0 100644
--- a/src/rsn_supp/wpa_ie.c
+++ b/src/rsn_supp/wpa_ie.c
@@ -327,7 +327,7 @@ static int wpa_gen_wpa_ie_rsn(u8 *rsn_ie, size_t rsn_ie_len,
 capab = 0;
 #ifdef CONFIG_IEEE80211W
 if (mgmt_group_cipher == WPA_CIPHER_AES_128_CMAC)
- capab |= WPA_CAPABILITY_MGMT_FRAME_PROTECTION;
+ capab |= WPA_CAPABILITY_MFPC;
 #endif /* CONFIG_IEEE80211W */
 WPA_PUT_LE16(pos, capab);
 pos += 2;
diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c
index 66a98c217..a3859c4e3 100644
--- a/wpa_supplicant/events.c
+++ b/wpa_supplicant/events.c
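Review bot: `WPA_CAPABILITY_MFPR` and `WPA_CAPABILITY_MFPC` are added in the `@@ -107` hunk of wpa_common.h without any note on what the two bits mean, while the replay-counter fields beside them get `/* B2-B3: ... */` comments. Every policy check touched by this patch keys on one of these bits, so I would annotate them the same way: `/* B6: Management Frame Protection Required (MFPR) */` and `/* B7: Management Frame Protection Capable (MFPC) */`. The expansion of the acronyms currently lives only in the commit message.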
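Review bot: In `wpa_ft_gen_req_ies` (src/rsn_supp/wpa_ft.c), and identically in `wpa_gen_wpa_ie_rsn` (src/rsn_supp/wpa_ie.c), the station only ever sets `WPA_CAPABILITY_MFPC`, keyed on the group management cipher; nothing in the supplicant hunks sets `WPA_CAPABILITY_MFPR`. The authenticator side of this patch advertises MFPR when its policy is required, so a station configured with `ieee80211w` required is indistinguishable on the air from one that merely supports MFP. If the local policy is reachable from these functions, which the hunks do not show, the required case should also do `capab |= WPA_CAPABILITY_MFPR;`. Both function bodies continue outside the hunks.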
@@ -309,8 +309,8 @@ static int wpa_supplicant_ssid_bss_match(struct wpa_ssid *ssid,
 }
 #ifdef CONFIG_IEEE80211W
- if (!(ie.capabilities & WPA_CAPABILITY_MGMT_FRAME_PROTECTION)
- && ssid->ieee80211w == IEEE80211W_REQUIRED) {
+ if (!(ie.capabilities & WPA_CAPABILITY_MFPC) &&
+ ssid->ieee80211w == IEEE80211W_REQUIRED) {
 wpa_printf(MSG_DEBUG, " skip RSN IE - no mgmt frame "
 "protection");
 break;
diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c
index 5fb4f16f3..bffc0bead 100644
--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c
@@ -676,7 +676,7 @@ static int wpa_supplicant_suites_from_ai(struct wpa_supplicant *wpa_s,
 }
 #ifdef CONFIG_IEEE80211W
- if (!(ie->capabilities & WPA_CAPABILITY_MGMT_FRAME_PROTECTION) &&
+ if (!(ie->capabilities & WPA_CAPABILITY_MFPC) &&
 ssid->ieee80211w == IEEE80211W_REQUIRED) {
 wpa_msg(wpa_s, MSG_INFO, "WPA: Driver associated with an AP "
 "that does not support management frame protection - "
@@ -845,7 +845,7 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s,
 #ifdef CONFIG_IEEE80211W
 sel = ie.mgmt_group_cipher;
 if (ssid->ieee80211w == NO_IEEE80211W ||
- !(ie.capabilities & WPA_CAPABILITY_MGMT_FRAME_PROTECTION))
+ !(ie.capabilities & WPA_CAPABILITY_MFPC))
 sel = 0;
 if (sel & WPA_CIPHER_AES_128_CMAC) {
 wpa_s->mgmt_group_cipher = WPA_CIPHER_AES_128_CMAC;
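Review bot: `wpa_supplicant_ssid_bss_match` in wpa_supplicant/events.c skips a BSS only when the network block requires MFP and the AP lacks `WPA_CAPABILITY_MFPC`; the opposite mismatch is not handled. An AP whose RSN IE carries `WPA_CAPABILITY_MFPR` will presumably refuse a station that does not enable MFP, so with `ssid->ieee80211w == NO_IEEE80211W` the candidate is still selected and the failure only shows up at association. A second test such as `if ((ie.capabilities & WPA_CAPABILITY_MFPR) && ssid->ieee80211w == NO_IEEE80211W)` with the same debug message and `break` would cover it. The checks in `wpa_supplicant_suites_from_ai` and `wpa_supplicant_set_suites` in wpa_supplicant.c have the same one-sided shape, and all three function bodies extend beyond their hunks.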