OWE: Define and parse OWE AKM selector

This adds a new RSN AKM "OWE".

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2017-03-12 00:32:23 +02:00
parent 9c7aac738b
commit a1ea1b4522
15 changed files with 79 additions and 10 deletions

View file

@ -710,6 +710,10 @@ static int hostapd_config_parse_key_mgmt(int line, const char *value)
val |= WPA_KEY_MGMT_FT_FILS_SHA384; val |= WPA_KEY_MGMT_FT_FILS_SHA384;
#endif /* CONFIG_IEEE80211R_AP */ #endif /* CONFIG_IEEE80211R_AP */
#endif /* CONFIG_FILS */ #endif /* CONFIG_FILS */
#ifdef CONFIG_OWE
else if (os_strcmp(start, "OWE") == 0)
val |= WPA_KEY_MGMT_OWE;
#endif /* CONFIG_OWE */
else { else {
wpa_printf(MSG_ERROR, "Line %d: invalid key_mgmt '%s'", wpa_printf(MSG_ERROR, "Line %d: invalid key_mgmt '%s'",
line, start); line, start);

View file

@ -1100,6 +1100,15 @@ static int hostapd_ctrl_iface_get_key_mgmt(struct hostapd_data *hapd,
} }
#endif /* CONFIG_FILS */ #endif /* CONFIG_FILS */
#ifdef CONFIG_OWE
if (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) {
ret = os_snprintf(pos, end - pos, "OWE ");
if (os_snprintf_error(end - pos, ret))
return pos - buf;
pos += ret;
}
#endif /* CONFIG_OWE */
if (pos > buf && *(pos - 1) == ' ') { if (pos > buf && *(pos - 1) == ' ') {
*(pos - 1) = '\0'; *(pos - 1) = '\0';
pos--; pos--;

View file

@ -973,7 +973,8 @@ void ieee802_1x_receive(struct hostapd_data *hapd, const u8 *sa, const u8 *buf,
} }
key_mgmt = wpa_auth_sta_key_mgmt(sta->wpa_sm); key_mgmt = wpa_auth_sta_key_mgmt(sta->wpa_sm);
if (key_mgmt != -1 && wpa_key_mgmt_wpa_psk(key_mgmt)) { if (key_mgmt != -1 &&
(wpa_key_mgmt_wpa_psk(key_mgmt) || key_mgmt == WPA_KEY_MGMT_OWE)) {
wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore EAPOL message - " wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore EAPOL message - "
"STA is using PSK"); "STA is using PSK");
return; return;
@ -1116,7 +1117,8 @@ void ieee802_1x_new_station(struct hostapd_data *hapd, struct sta_info *sta)
} }
key_mgmt = wpa_auth_sta_key_mgmt(sta->wpa_sm); key_mgmt = wpa_auth_sta_key_mgmt(sta->wpa_sm);
if (key_mgmt != -1 && wpa_key_mgmt_wpa_psk(key_mgmt)) { if (key_mgmt != -1 &&
(wpa_key_mgmt_wpa_psk(key_mgmt) || key_mgmt == WPA_KEY_MGMT_OWE)) {
wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore STA - using PSK"); wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore STA - using PSK");
/* /*
* Clear any possible EAPOL authenticator state to support * Clear any possible EAPOL authenticator state to support

View file

@ -1809,7 +1809,8 @@ SM_STATE(WPA_PTK, INITIALIZE)
wpa_remove_ptk(sm); wpa_remove_ptk(sm);
wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 0); wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 0);
sm->TimeoutCtr = 0; sm->TimeoutCtr = 0;
if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE) {
wpa_auth_set_eapol(sm->wpa_auth, sm->addr, wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
WPA_EAPOL_authorized, 0); WPA_EAPOL_authorized, 0);
} }
@ -2882,7 +2883,8 @@ SM_STATE(WPA_PTK, PTKINITDONE)
sm->wpa_auth, sm); sm->wpa_auth, sm);
} }
if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE) {
wpa_auth_set_eapol(sm->wpa_auth, sm->addr, wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
WPA_EAPOL_authorized, 1); WPA_EAPOL_authorized, 1);
} }
@ -2951,7 +2953,8 @@ SM_STEP(WPA_PTK)
wpa_auth_get_eapol(sm->wpa_auth, sm->addr, wpa_auth_get_eapol(sm->wpa_auth, sm->addr,
WPA_EAPOL_keyRun) > 0) WPA_EAPOL_keyRun) > 0)
SM_ENTER(WPA_PTK, INITPMK); SM_ENTER(WPA_PTK, INITPMK);
else if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) else if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE
/* FIX: && 802.1X::keyRun */) /* FIX: && 802.1X::keyRun */)
SM_ENTER(WPA_PTK, INITPSK); SM_ENTER(WPA_PTK, INITPSK);
break; break;

View file

@ -234,6 +234,13 @@ int wpa_write_rsn_ie(struct wpa_auth_config *conf, u8 *buf, size_t len,
} }
#endif /* CONFIG_IEEE80211R_AP */ #endif /* CONFIG_IEEE80211R_AP */
#endif /* CONFIG_FILS */ #endif /* CONFIG_FILS */
#ifdef CONFIG_OWE
if (conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) {
RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_OWE);
pos += RSN_SELECTOR_LEN;
num_suites++;
}
#endif /* CONFIG_OWE */
#ifdef CONFIG_RSN_TESTING #ifdef CONFIG_RSN_TESTING
if (rsn_testing) { if (rsn_testing) {
@ -567,6 +574,10 @@ int wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth,
selector = RSN_AUTH_KEY_MGMT_UNSPEC_802_1X; selector = RSN_AUTH_KEY_MGMT_UNSPEC_802_1X;
else if (data.key_mgmt & WPA_KEY_MGMT_PSK) else if (data.key_mgmt & WPA_KEY_MGMT_PSK)
selector = RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X; selector = RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X;
#ifdef CONFIG_OWE
else if (data.key_mgmt & WPA_KEY_MGMT_OWE)
selector = RSN_AUTH_KEY_MGMT_OWE;
#endif /* CONFIG_OWE */
wpa_auth->dot11RSNAAuthenticationSuiteSelected = selector; wpa_auth->dot11RSNAAuthenticationSuiteSelected = selector;
selector = wpa_cipher_to_suite(WPA_PROTO_RSN, selector = wpa_cipher_to_suite(WPA_PROTO_RSN,
@ -659,6 +670,10 @@ int wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth,
#endif /* CONFIG_SAE */ #endif /* CONFIG_SAE */
else if (key_mgmt & WPA_KEY_MGMT_IEEE8021X) else if (key_mgmt & WPA_KEY_MGMT_IEEE8021X)
sm->wpa_key_mgmt = WPA_KEY_MGMT_IEEE8021X; sm->wpa_key_mgmt = WPA_KEY_MGMT_IEEE8021X;
#ifdef CONFIG_OWE
else if (key_mgmt & WPA_KEY_MGMT_OWE)
sm->wpa_key_mgmt = WPA_KEY_MGMT_OWE;
#endif /* CONFIG_OWE */
else else
sm->wpa_key_mgmt = WPA_KEY_MGMT_PSK; sm->wpa_key_mgmt = WPA_KEY_MGMT_PSK;

View file

@ -55,6 +55,7 @@ typedef enum { FALSE = 0, TRUE = 1 } Boolean;
#define WPA_KEY_MGMT_FILS_SHA384 BIT(19) #define WPA_KEY_MGMT_FILS_SHA384 BIT(19)
#define WPA_KEY_MGMT_FT_FILS_SHA256 BIT(20) #define WPA_KEY_MGMT_FT_FILS_SHA256 BIT(20)
#define WPA_KEY_MGMT_FT_FILS_SHA384 BIT(21) #define WPA_KEY_MGMT_FT_FILS_SHA384 BIT(21)
#define WPA_KEY_MGMT_OWE BIT(22)
static inline int wpa_key_mgmt_wpa_ieee8021x(int akm) static inline int wpa_key_mgmt_wpa_ieee8021x(int akm)
{ {
@ -136,7 +137,8 @@ static inline int wpa_key_mgmt_wpa(int akm)
return wpa_key_mgmt_wpa_ieee8021x(akm) || return wpa_key_mgmt_wpa_ieee8021x(akm) ||
wpa_key_mgmt_wpa_psk(akm) || wpa_key_mgmt_wpa_psk(akm) ||
wpa_key_mgmt_fils(akm) || wpa_key_mgmt_fils(akm) ||
wpa_key_mgmt_sae(akm); wpa_key_mgmt_sae(akm) ||
akm == WPA_KEY_MGMT_OWE;
} }
static inline int wpa_key_mgmt_wpa_any(int akm) static inline int wpa_key_mgmt_wpa_any(int akm)

View file

@ -765,6 +765,10 @@ static int rsn_key_mgmt_to_bitfield(const u8 *s)
return WPA_KEY_MGMT_FT_FILS_SHA256; return WPA_KEY_MGMT_FT_FILS_SHA256;
if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_FILS_SHA384) if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_FILS_SHA384)
return WPA_KEY_MGMT_FT_FILS_SHA384; return WPA_KEY_MGMT_FT_FILS_SHA384;
#ifdef CONFIG_OWE
if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_OWE)
return WPA_KEY_MGMT_OWE;
#endif /* CONFIG_OWE */
if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_OSEN) if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_OSEN)
return WPA_KEY_MGMT_OSEN; return WPA_KEY_MGMT_OSEN;
return 0; return 0;

View file

@ -63,6 +63,7 @@ RSN_SELECTOR(0x00, 0x0f, 0xac, 13)
#define RSN_AUTH_KEY_MGMT_FILS_SHA384 RSN_SELECTOR(0x00, 0x0f, 0xac, 15) #define RSN_AUTH_KEY_MGMT_FILS_SHA384 RSN_SELECTOR(0x00, 0x0f, 0xac, 15)
#define RSN_AUTH_KEY_MGMT_FT_FILS_SHA256 RSN_SELECTOR(0x00, 0x0f, 0xac, 16) #define RSN_AUTH_KEY_MGMT_FT_FILS_SHA256 RSN_SELECTOR(0x00, 0x0f, 0xac, 16)
#define RSN_AUTH_KEY_MGMT_FT_FILS_SHA384 RSN_SELECTOR(0x00, 0x0f, 0xac, 17) #define RSN_AUTH_KEY_MGMT_FT_FILS_SHA384 RSN_SELECTOR(0x00, 0x0f, 0xac, 17)
#define RSN_AUTH_KEY_MGMT_OWE RSN_SELECTOR(0x00, 0x0f, 0xac, 18)
#define RSN_AUTH_KEY_MGMT_CCKM RSN_SELECTOR(0x00, 0x40, 0x96, 0x00) #define RSN_AUTH_KEY_MGMT_CCKM RSN_SELECTOR(0x00, 0x40, 0x96, 0x00)
#define RSN_AUTH_KEY_MGMT_OSEN RSN_SELECTOR(0x50, 0x6f, 0x9a, 0x01) #define RSN_AUTH_KEY_MGMT_OSEN RSN_SELECTOR(0x50, 0x6f, 0x9a, 0x01)

View file

@ -652,7 +652,8 @@ static void wpa_supplicant_key_neg_complete(struct wpa_sm *sm,
sm, addr, MLME_SETPROTECTION_PROTECT_TYPE_RX_TX, sm, addr, MLME_SETPROTECTION_PROTECT_TYPE_RX_TX,
MLME_SETPROTECTION_KEY_TYPE_PAIRWISE); MLME_SETPROTECTION_KEY_TYPE_PAIRWISE);
eapol_sm_notify_portValid(sm->eapol, TRUE); eapol_sm_notify_portValid(sm->eapol, TRUE);
if (wpa_key_mgmt_wpa_psk(sm->key_mgmt)) if (wpa_key_mgmt_wpa_psk(sm->key_mgmt) ||
sm->key_mgmt == WPA_KEY_MGMT_OWE)
eapol_sm_notify_eap_success(sm->eapol, TRUE); eapol_sm_notify_eap_success(sm->eapol, TRUE);
/* /*
* Start preauthentication after a short wait to avoid a * Start preauthentication after a short wait to avoid a

View file

@ -192,6 +192,10 @@ static int wpa_gen_wpa_ie_rsn(u8 *rsn_ie, size_t rsn_ie_len,
RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_FILS_SHA384); RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_FILS_SHA384);
#endif /* CONFIG_IEEE80211R */ #endif /* CONFIG_IEEE80211R */
#endif /* CONFIG_FILS */ #endif /* CONFIG_FILS */
#ifdef CONFIG_OWE
} else if (key_mgmt & WPA_KEY_MGMT_OWE) {
RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_OWE);
#endif /* CONFIG_OWE */
} else { } else {
wpa_printf(MSG_WARNING, "Invalid key management type (%d).", wpa_printf(MSG_WARNING, "Invalid key management type (%d).",
key_mgmt); key_mgmt);

View file

@ -732,6 +732,10 @@ static int wpa_config_parse_key_mgmt(const struct parse_data *data,
val |= WPA_KEY_MGMT_FT_FILS_SHA384; val |= WPA_KEY_MGMT_FT_FILS_SHA384;
#endif /* CONFIG_IEEE80211R */ #endif /* CONFIG_IEEE80211R */
#endif /* CONFIG_FILS */ #endif /* CONFIG_FILS */
#ifdef CONFIG_OWE
else if (os_strcmp(start, "OWE") == 0)
val |= WPA_KEY_MGMT_OWE;
#endif /* CONFIG_OWE */
else { else {
wpa_printf(MSG_ERROR, "Line %d: invalid key_mgmt '%s'", wpa_printf(MSG_ERROR, "Line %d: invalid key_mgmt '%s'",
line, start); line, start);

View file

@ -2578,6 +2578,16 @@ static char * wpa_supplicant_ie_txt(char *pos, char *end, const char *proto,
#endif /* CONFIG_IEEE80211R */ #endif /* CONFIG_IEEE80211R */
#endif /* CONFIG_FILS */ #endif /* CONFIG_FILS */
#ifdef CONFIG_OWE
if (data.key_mgmt & WPA_KEY_MGMT_OWE) {
ret = os_snprintf(pos, end - pos, "%sOWE",
pos == start ? "" : "+");
if (os_snprintf_error(end - pos, ret))
return pos;
pos += ret;
}
#endif /* CONFIG_OWE */
if (data.key_mgmt & WPA_KEY_MGMT_OSEN) { if (data.key_mgmt & WPA_KEY_MGMT_OSEN) {
ret = os_snprintf(pos, end - pos, "%sOSEN", ret = os_snprintf(pos, end - pos, "%sOSEN",
pos == start ? "" : "+"); pos == start ? "" : "+");

View file

@ -302,7 +302,8 @@ void wpa_supplicant_mark_disassoc(struct wpa_supplicant *wpa_s)
eapol_sm_notify_portEnabled(wpa_s->eapol, FALSE); eapol_sm_notify_portEnabled(wpa_s->eapol, FALSE);
eapol_sm_notify_portValid(wpa_s->eapol, FALSE); eapol_sm_notify_portValid(wpa_s->eapol, FALSE);
if (wpa_key_mgmt_wpa_psk(wpa_s->key_mgmt)) if (wpa_key_mgmt_wpa_psk(wpa_s->key_mgmt) ||
wpa_s->key_mgmt == WPA_KEY_MGMT_OWE)
eapol_sm_notify_eap_success(wpa_s->eapol, FALSE); eapol_sm_notify_eap_success(wpa_s->eapol, FALSE);
wpa_s->ap_ies_from_associnfo = 0; wpa_s->ap_ies_from_associnfo = 0;
wpa_s->current_ssid = NULL; wpa_s->current_ssid = NULL;
@ -2521,7 +2522,8 @@ static void wpa_supplicant_event_assoc(struct wpa_supplicant *wpa_s,
eapol_sm_notify_portEnabled(wpa_s->eapol, FALSE); eapol_sm_notify_portEnabled(wpa_s->eapol, FALSE);
eapol_sm_notify_portValid(wpa_s->eapol, FALSE); eapol_sm_notify_portValid(wpa_s->eapol, FALSE);
} }
if (wpa_key_mgmt_wpa_psk(wpa_s->key_mgmt) || ft_completed || if (wpa_key_mgmt_wpa_psk(wpa_s->key_mgmt) ||
wpa_s->key_mgmt == WPA_KEY_MGMT_OWE || ft_completed ||
already_authorized) already_authorized)
eapol_sm_notify_eap_success(wpa_s->eapol, FALSE); eapol_sm_notify_eap_success(wpa_s->eapol, FALSE);
/* 802.1X::portControl = Auto */ /* 802.1X::portControl = Auto */

View file

@ -997,7 +997,8 @@ int wpa_supplicant_reload_configuration(struct wpa_supplicant *wpa_s)
* TODO: should notify EAPOL SM about changes in opensc_engine_path, * TODO: should notify EAPOL SM about changes in opensc_engine_path,
* pkcs11_engine_path, pkcs11_module_path, openssl_ciphers. * pkcs11_engine_path, pkcs11_module_path, openssl_ciphers.
*/ */
if (wpa_key_mgmt_wpa_psk(wpa_s->key_mgmt)) { if (wpa_key_mgmt_wpa_psk(wpa_s->key_mgmt) ||
wpa_s->key_mgmt == WPA_KEY_MGMT_OWE) {
/* /*
* Clear forced success to clear EAP state for next * Clear forced success to clear EAP state for next
* authentication. * authentication.
@ -1333,6 +1334,11 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s,
wpa_s->key_mgmt = WPA_KEY_MGMT_OSEN; wpa_s->key_mgmt = WPA_KEY_MGMT_OSEN;
wpa_dbg(wpa_s, MSG_DEBUG, "HS 2.0: using KEY_MGMT OSEN"); wpa_dbg(wpa_s, MSG_DEBUG, "HS 2.0: using KEY_MGMT OSEN");
#endif /* CONFIG_HS20 */ #endif /* CONFIG_HS20 */
#ifdef CONFIG_OWE
} else if (sel & WPA_KEY_MGMT_OWE) {
wpa_s->key_mgmt = WPA_KEY_MGMT_OWE;
wpa_dbg(wpa_s, MSG_DEBUG, "RSN: using KEY_MGMT OWE");
#endif /* CONFIG_OWE */
} else { } else {
wpa_msg(wpa_s, MSG_WARNING, "WPA: Failed to select " wpa_msg(wpa_s, MSG_WARNING, "WPA: Failed to select "
"authenticated key management type"); "authenticated key management type");
@ -3575,6 +3581,7 @@ void wpa_supplicant_rx_eapol(void *ctx, const u8 *src_addr,
os_memcpy(wpa_s->last_eapol_src, src_addr, ETH_ALEN); os_memcpy(wpa_s->last_eapol_src, src_addr, ETH_ALEN);
if (!wpa_key_mgmt_wpa_psk(wpa_s->key_mgmt) && if (!wpa_key_mgmt_wpa_psk(wpa_s->key_mgmt) &&
wpa_s->key_mgmt != WPA_KEY_MGMT_OWE &&
eapol_sm_rx_eapol(wpa_s->eapol, src_addr, buf, len) > 0) eapol_sm_rx_eapol(wpa_s->eapol, src_addr, buf, len) > 0)
return; return;
wpa_drv_poll(wpa_s); wpa_drv_poll(wpa_s);

View file

@ -146,6 +146,7 @@ static int wpa_supplicant_eapol_send(void *ctx, int type, const u8 *buf,
* extra copy here */ * extra copy here */
if (wpa_key_mgmt_wpa_psk(wpa_s->key_mgmt) || if (wpa_key_mgmt_wpa_psk(wpa_s->key_mgmt) ||
wpa_s->key_mgmt == WPA_KEY_MGMT_OWE ||
wpa_s->key_mgmt == WPA_KEY_MGMT_NONE) { wpa_s->key_mgmt == WPA_KEY_MGMT_NONE) {
/* Current SSID is not using IEEE 802.1X/EAP, so drop possible /* Current SSID is not using IEEE 802.1X/EAP, so drop possible
* EAPOL frames (mainly, EAPOL-Start) from EAPOL state * EAPOL frames (mainly, EAPOL-Start) from EAPOL state