HS 2.0: Allow OSEN connection to be enabled in an RSN BSS

This allows a single BSS/SSID to be used for both data connection and
OSU. Instead of hostapd configuration osen=1, wpa_key_mgmt=OSEN (or more
likely, wpa_key_mgmt=WPA-EAP OSEN) is used to enable this new option.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Jouni Malinen 2018-05-29 20:09:53 +03:00 committed by Jouni Malinen
parent 0fe3ede0a4
commit 8d660a4bac
3 changed files with 27 additions and 4 deletions


@ -813,6 +813,10 @@ static int hostapd_config_parse_key_mgmt(int line, const char *value)
else if (os_strcmp(start, "DPP") == 0) else if (os_strcmp(start, "DPP") == 0)
val |= WPA_KEY_MGMT_DPP; val |= WPA_KEY_MGMT_DPP;
#endif /* CONFIG_DPP */ #endif /* CONFIG_DPP */
#ifdef CONFIG_HS20
else if (os_strcmp(start, "OSEN") == 0)
val |= WPA_KEY_MGMT_OSEN;
#endif /* CONFIG_HS20 */
else { else {
wpa_printf(MSG_ERROR, "Line %d: invalid key_mgmt '%s'", wpa_printf(MSG_ERROR, "Line %d: invalid key_mgmt '%s'",
line, start); line, start);
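Review bot: The new `OSEN` token in hostapd_config_parse_key_mgmt is accepted without any accompanying documentation; none of the three changed files appears to be the sample configuration, so the list of valid wpa_key_mgmt values an operator reads probably does not mention it. Because OSEN authenticates only the server, enabling it next to WPA-EAP admits anonymous clients to the same BSS as data clients, and that trade-off belongs in the option's description. Something like `# OSEN = Hotspot 2.0 OSU (server-only authentication); such STAs get a per-STA random GTK/IGTK` next to the other key_mgmt values would cover it. How this interacts with the older `osen=1` setting when both are configured is not visible here and may deserve a check at configuration validation. The function body continues outside the hunk.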


@ -2515,7 +2515,8 @@ static struct wpabuf * fils_prepare_plainbuf(struct wpa_state_machine *sm,
/* GTK KDE */ /* GTK KDE */
gtk = gsm->GTK[gsm->GN - 1]; gtk = gsm->GTK[gsm->GN - 1];
gtk_len = gsm->GTK_len; gtk_len = gsm->GTK_len;
if (sm->wpa_auth->conf.disable_gtk) { if (sm->wpa_auth->conf.disable_gtk ||
sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
/* /*
* Provide unique random GTK to each STA to prevent use * Provide unique random GTK to each STA to prevent use
* of GTK in the BSS. * of GTK in the BSS.
@ -2831,7 +2832,8 @@ static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
else else
os_memcpy(igtk.pn, rsc, sizeof(igtk.pn)); os_memcpy(igtk.pn, rsc, sizeof(igtk.pn));
os_memcpy(igtk.igtk, gsm->IGTK[gsm->GN_igtk - 4], len); os_memcpy(igtk.igtk, gsm->IGTK[gsm->GN_igtk - 4], len);
if (sm->wpa_auth->conf.disable_gtk) { if (sm->wpa_auth->conf.disable_gtk ||
sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
/* /*
* Provide unique random IGTK to each STA to prevent use of * Provide unique random IGTK to each STA to prevent use of
* IGTK in the BSS. * IGTK in the BSS.
@ -2909,7 +2911,8 @@ SM_STATE(WPA_PTK, PTKINITNEGOTIATING)
secure = 1; secure = 1;
gtk = gsm->GTK[gsm->GN - 1]; gtk = gsm->GTK[gsm->GN - 1];
gtk_len = gsm->GTK_len; gtk_len = gsm->GTK_len;
if (sm->wpa_auth->conf.disable_gtk) { if (sm->wpa_auth->conf.disable_gtk ||
sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
/* /*
* Provide unique random GTK to each STA to prevent use * Provide unique random GTK to each STA to prevent use
* of GTK in the BSS. * of GTK in the BSS.
@ -3285,7 +3288,8 @@ SM_STATE(WPA_PTK_GROUP, REKEYNEGOTIATING)
"sending 1/2 msg of Group Key Handshake"); "sending 1/2 msg of Group Key Handshake");
gtk = gsm->GTK[gsm->GN - 1]; gtk = gsm->GTK[gsm->GN - 1];
if (sm->wpa_auth->conf.disable_gtk) { if (sm->wpa_auth->conf.disable_gtk ||
sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
/* /*
* Provide unique random GTK to each STA to prevent use * Provide unique random GTK to each STA to prevent use
* of GTK in the BSS. * of GTK in the BSS.
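Review bot: The condition `sm->wpa_auth->conf.disable_gtk || sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN` is now repeated at four sites (fils_prepare_plainbuf, ieee80211w_kde_add, PTKINITNEGOTIATING and REKEYNEGOTIATING), so any group-key delivery path that is not part of this diff, or one added later, would hand the real GTK/IGTK to an OSEN station unless the check is copied there too. A single predicate would make that harder to miss, for example `static int wpa_use_random_gtk(struct wpa_state_machine *sm)` returning that expression and called from each site. The existing comments should also say why OSEN is included: the OSEN client is not authenticated, so it must not receive group keys shared with data clients. All four enclosing functions start and end outside the hunks shown.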


@ -248,6 +248,13 @@ int wpa_write_rsn_ie(struct wpa_auth_config *conf, u8 *buf, size_t len,
num_suites++; num_suites++;
} }
#endif /* CONFIG_DPP */ #endif /* CONFIG_DPP */
#ifdef CONFIG_HS20
if (conf->wpa_key_mgmt & WPA_KEY_MGMT_OSEN) {
RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_OSEN);
pos += RSN_SELECTOR_LEN;
num_suites++;
}
#endif /* CONFIG_HS20 */
#ifdef CONFIG_RSN_TESTING #ifdef CONFIG_RSN_TESTING
if (rsn_testing) { if (rsn_testing) {
@ -588,6 +595,10 @@ int wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth,
else if (data.key_mgmt & WPA_KEY_MGMT_DPP) else if (data.key_mgmt & WPA_KEY_MGMT_DPP)
selector = RSN_AUTH_KEY_MGMT_DPP; selector = RSN_AUTH_KEY_MGMT_DPP;
#endif /* CONFIG_DPP */ #endif /* CONFIG_DPP */
#ifdef CONFIG_HS20
else if (data.key_mgmt & WPA_KEY_MGMT_OSEN)
selector = RSN_AUTH_KEY_MGMT_OSEN;
#endif /* CONFIG_HS20 */
wpa_auth->dot11RSNAAuthenticationSuiteSelected = selector; wpa_auth->dot11RSNAAuthenticationSuiteSelected = selector;
selector = wpa_cipher_to_suite(WPA_PROTO_RSN, selector = wpa_cipher_to_suite(WPA_PROTO_RSN,
@ -688,6 +699,10 @@ int wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth,
else if (key_mgmt & WPA_KEY_MGMT_DPP) else if (key_mgmt & WPA_KEY_MGMT_DPP)
sm->wpa_key_mgmt = WPA_KEY_MGMT_DPP; sm->wpa_key_mgmt = WPA_KEY_MGMT_DPP;
#endif /* CONFIG_DPP */ #endif /* CONFIG_DPP */
#ifdef CONFIG_HS20
else if (key_mgmt & WPA_KEY_MGMT_OSEN)
sm->wpa_key_mgmt = WPA_KEY_MGMT_OSEN;
#endif /* CONFIG_HS20 */
else else
sm->wpa_key_mgmt = WPA_KEY_MGMT_PSK; sm->wpa_key_mgmt = WPA_KEY_MGMT_PSK;
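Review bot: In the last hunk of wpa_validate_wpa_ie, `sm->wpa_key_mgmt = WPA_KEY_MGMT_OSEN` is set from the AKM that the station itself selected, and that value is what the authenticator later uses to decide between the shared group keys and a per-STA random one. The isolation therefore appears to depend on the authentication side refusing the anonymous OSU method for associations that selected another AKM such as WPA-EAP; nothing in this commit shows that binding, so it should be confirmed and documented. A comment at this branch would help, e.g. `/* OSEN STAs are unauthenticated: group keys are withheld based on this AKM, so OSU credentials must not be accepted for other AKMs */`. The function starts and ends outside the hunks shown.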