diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index ac08b7bda..fd3ad0a73 100644
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -3795,7 +3795,13 @@ static int hostapd_config_fill(struct hostapd_config *conf,
 	} else if (os_strcmp(buf, "owe_transition_ifname") == 0) {
 		os_strlcpy(bss->owe_transition_ifname, pos,
 			   sizeof(bss->owe_transition_ifname));
-
+	} else if (os_strcmp(buf, "owe_groups") == 0) {
+		if (hostapd_parse_intlist(&bss->owe_groups, pos)) {
+			wpa_printf(MSG_ERROR,
+				   "Line %d: Invalid owe_groups value '%s'",
+				   line, pos);
+			return 1;
+		}
 #endif /* CONFIG_OWE */
 	} else {
 		wpa_printf(MSG_ERROR,
diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
index f0e553ca1..d2e884c59 100644
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
@@ -1407,6 +1407,15 @@ own_ip_addr=127.0.0.1
 # 1-65535 DH Group to use for FILS PFS
 #fils_dh_group=0
 
+# OWE DH groups
+# OWE implementations are required to support group 19 (NIST P-256). All groups
+# that are supported by the implementation (e.g., groups 19, 20, and 21 when
+# using OpenSSL) are enabled by default. This configuration parameter can be
+# used to specify a limited set of allowed groups. The group values are listed
+# in the IANA registry:
+# http://www.iana.org/assignments/ipsec-registry/ipsec-registry.xml#ipsec-registry-10
+#owe_groups=19 20 21
+
 # OWE transition mode configuration
 # Pointer to the matching open/OWE BSS
 #owe_transition_bssid=
diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c
index b12cb1976..0e1ab02b5 100644
--- a/src/ap/ap_config.c
+++ b/src/ap/ap_config.c
@@ -610,6 +610,9 @@ void hostapd_config_free_bss(struct hostapd_bss_config *conf)
 	wpabuf_free(conf->assocresp_elements);
 
 	os_free(conf->sae_groups);
+#ifdef CONFIG_OWE
+	os_free(conf->owe_groups);
+#endif /* CONFIG_OWE */
 
 	os_free(conf->wowlan_triggers);
 
diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h
index ac459471c..76929250a 100644
--- a/src/ap/ap_config.h
+++ b/src/ap/ap_config.h
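Review bot: hostapd_parse_intlist() accepts any integer list for owe_groups, so an entry that owe_group_supported() will never honour (anything other than 19, 20 or 21) is only discovered per association, as a MSG_DEBUG line and a FINITE_CYCLIC_GROUP_NOT_SUPPORTED status; a line such as `owe_groups=14` would reject every OWE association on the BSS with no error at load time. A check that walks bss->owe_groups right after the parse and fails with `Line %d: Unsupported owe_groups value` for any other entry (or the same check in hostapd_config_check(), if that is where the cross-field validation lives) would report the misconfiguration where the operator sees it. hostapd_config_fill() begins and ends outside the hunk.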
@@ -649,6 +649,7 @@ struct hostapd_bss_config {
 	u8 owe_transition_ssid[SSID_MAX_LEN];
 	size_t owe_transition_ssid_len;
 	char owe_transition_ifname[IFNAMSIZ + 1];
+	int *owe_groups;
 #endif /* CONFIG_OWE */
 };
 
diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index 7e30219f0..e0edcc53c 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -2128,6 +2128,27 @@ static u16 check_ext_capab(struct hostapd_data *hapd, struct sta_info *sta,
 
 
 #ifdef CONFIG_OWE
+
+static int owe_group_supported(struct hostapd_data *hapd, u16 group)
+{
+	int i;
+	int *groups = hapd->conf->owe_groups;
+
+	if (group != 19 && group != 20 && group != 21)
+		return 0;
+
+	if (!groups)
+		return 1;
+
+	for (i = 0; groups[i] > 0; i++) {
+		if (groups[i] == group)
+			return 1;
+	}
+
+	return 0;
+}
+
+
 static u16 owe_process_assoc_req(struct hostapd_data *hapd,
				 struct sta_info *sta, const u8 *owe_dh,
				 u8 owe_dh_len)
@@ -2147,6 +2168,10 @@ static u16 owe_process_assoc_req(struct hostapd_data *hapd,
 	}
 
 	group = WPA_GET_LE16(owe_dh);
+	if (!owe_group_supported(hapd, group)) {
+		wpa_printf(MSG_DEBUG, "OWE: Unsupported DH group %u", group);
+		return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
+	}
 	if (group == 19)
 		prime_len = 32;
 	else if (group == 20)
@@ -2265,6 +2290,7 @@ static u16 owe_process_assoc_req(struct hostapd_data *hapd,
 
 	return WLAN_STATUS_SUCCESS;
 }
+
 #endif /* CONFIG_OWE */
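Review bot: The new `int *owe_groups` member of struct hostapd_bss_config carries no comment, and its two conventions — NULL meaning "every group the build supports" and a list that the consumer walks while `groups[i] > 0` — are visible only in owe_group_supported() in src/ap/ieee802_11.c. A one-line comment on the field, `/* NULL = all supported OWE DH groups; otherwise the allowed group ids, terminated by a non-positive entry as hostapd_parse_intlist() leaves it */`, keeps the contract next to the data; the terminator convention is inferred from that consumer loop, not from anything in this diff. struct hostapd_bss_config begins outside the hunk.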
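Review bot: owe_group_supported() hard-codes the build's supported set (19, 20, 21) that owe_process_assoc_req() spells out a second time in its prime_len chain just below the new call (`if (group == 19) prime_len = 32; else if (group == 20) ...` in the next hunk), so adding or dropping a group now has to be done in two places that nothing ties together. A header comment should at least make the coupling explicit, e.g. `/* Return 1 if this build can use @group for OWE (keep in sync with the prime_len selection in owe_process_assoc_req()) and, when owe_groups is configured, the administrator allowed it; NULL owe_groups means every supported group. */`. The loop's reliance on a non-positive terminator comes from the list producer elsewhere in the tree and is worth naming in that comment as well. owe_process_assoc_req() starts in the trailing context of this hunk and ends outside it.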