From a8517c132c58d7e7d733abbdc1312f88d03780df Mon Sep 17 00:00:00 2001 From: Ilan Peer Date: Tue, 23 May 2023 13:14:54 +0300 Subject: [PATCH] Add support for AKM suite 00-0F-AC:23 Add support for Authentication negotiated over IEEE Std 802.1X with key derivation function using SHA-384. Signed-off-by: Ilan Peer --- hostapd/config_file.c | 4 ++++ hostapd/ctrl_iface.c | 8 +++++++ src/ap/wpa_auth_ie.c | 15 +++++++++++++ src/common/defs.h | 7 +++++-- src/common/wpa_common.c | 28 +++++++++++++++++++------ src/drivers/driver_nl80211.c | 10 +++++++-- src/rsn_supp/preauth.c | 3 ++- src/rsn_supp/wpa.c | 2 ++ src/rsn_supp/wpa_ie.c | 4 ++++ wlantest/bss.c | 4 +++- wlantest/ctrl.c | 3 +++ wlantest/sta.c | 4 +++- wpa_supplicant/config.c | 16 ++++++++++++++ wpa_supplicant/ctrl_iface.c | 10 +++++++++ wpa_supplicant/dbus/dbus_new_handlers.c | 6 +++++- wpa_supplicant/dpp_supplicant.c | 2 +- wpa_supplicant/wpa_supplicant.c | 13 ++++++++++-- wpa_supplicant/wpas_glue.c | 3 ++- 18 files changed, 124 insertions(+), 18 deletions(-) diff --git a/hostapd/config_file.c b/hostapd/config_file.c index 4f3050841..7cf0ccfbe 100644 --- a/hostapd/config_file.c +++ b/hostapd/config_file.c @@ -667,6 +667,10 @@ static int hostapd_config_parse_key_mgmt(int line, const char *value) val |= WPA_KEY_MGMT_FT_IEEE8021X_SHA384; #endif /* CONFIG_SHA384 */ #endif /* CONFIG_IEEE80211R_AP */ +#ifdef CONFIG_SHA384 + else if (os_strcmp(start, "WPA-EAP-SHA384") == 0) + val |= WPA_KEY_MGMT_IEEE8021X_SHA384; +#endif /* CONFIG_SHA384 */ else if (os_strcmp(start, "WPA-PSK-SHA256") == 0) val |= WPA_KEY_MGMT_PSK_SHA256; else if (os_strcmp(start, "WPA-EAP-SHA256") == 0) diff --git a/hostapd/ctrl_iface.c b/hostapd/ctrl_iface.c index 83efdee15..f91bb1bcb 100644 --- a/hostapd/ctrl_iface.c +++ b/hostapd/ctrl_iface.c 
@@ -956,6 +956,14 @@ static int hostapd_ctrl_iface_get_key_mgmt(struct hostapd_data *hapd, pos += ret; } #endif /* CONFIG_DPP */ +#ifdef CONFIG_SHA384 + if (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_IEEE8021X_SHA384) { + ret = os_snprintf(pos, end - pos, "WPA-EAP-SHA384 "); + if (os_snprintf_error(end - pos, ret)) + return pos - buf; + pos += ret; + } +#endif /* CONFIG_SHA384 */ if (pos > buf && *(pos - 1) == ' ') { *(pos - 1) = '\0'; diff --git a/src/ap/wpa_auth_ie.c b/src/ap/wpa_auth_ie.c index 43ccec9be..9b90e0749 100644 --- a/src/ap/wpa_auth_ie.c +++ b/src/ap/wpa_auth_ie.c @@ -212,6 +212,13 @@ int wpa_write_rsn_ie(struct wpa_auth_config *conf, u8 *buf, size_t len, num_suites++; } #endif /* CONFIG_IEEE80211R_AP */ +#ifdef CONFIG_SHA384 + if (conf->wpa_key_mgmt & WPA_KEY_MGMT_IEEE8021X_SHA384) { + RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_802_1X_SHA384); + pos += RSN_SELECTOR_LEN; + num_suites++; + } +#endif /* CONFIG_SHA384 */ if (conf->wpa_key_mgmt & WPA_KEY_MGMT_IEEE8021X_SHA256) { RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_802_1X_SHA256); pos += RSN_SELECTOR_LEN; @@ -705,6 +712,10 @@ wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth, else if (data.key_mgmt & WPA_KEY_MGMT_OSEN) selector = RSN_AUTH_KEY_MGMT_OSEN; #endif /* CONFIG_HS20 */ +#ifdef CONFIG_SHA384 + else if (data.key_mgmt & WPA_KEY_MGMT_IEEE8021X_SHA384) + selector = RSN_AUTH_KEY_MGMT_802_1X_SHA384; +#endif /* CONFIG_SHA384 */ wpa_auth->dot11RSNAAuthenticationSuiteSelected = selector; selector = wpa_cipher_to_suite(WPA_PROTO_RSN, 
@@ -787,6 +798,10 @@ wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth, else if (key_mgmt & WPA_KEY_MGMT_FT_PSK) sm->wpa_key_mgmt = WPA_KEY_MGMT_FT_PSK; #endif /* CONFIG_IEEE80211R_AP */ +#ifdef CONFIG_SHA384 + else if (key_mgmt & WPA_KEY_MGMT_IEEE8021X_SHA384) + sm->wpa_key_mgmt = WPA_KEY_MGMT_IEEE8021X_SHA384; +#endif /* CONFIG_SHA384 */ else if (key_mgmt & WPA_KEY_MGMT_IEEE8021X_SHA256) sm->wpa_key_mgmt = WPA_KEY_MGMT_IEEE8021X_SHA256; else if (key_mgmt & WPA_KEY_MGMT_PSK_SHA256) diff --git a/src/common/defs.h b/src/common/defs.h index c0c6dbe84..8cca094e8 100644 --- a/src/common/defs.h +++ b/src/common/defs.h @@ -52,6 +52,7 @@ #define WPA_KEY_MGMT_PASN BIT(25) #define WPA_KEY_MGMT_SAE_EXT_KEY BIT(26) #define WPA_KEY_MGMT_FT_SAE_EXT_KEY BIT(27) +#define WPA_KEY_MGMT_IEEE8021X_SHA384 BIT(28) #define WPA_KEY_MGMT_FT (WPA_KEY_MGMT_FT_PSK | \ @@ -75,7 +76,8 @@ static inline int wpa_key_mgmt_wpa_ieee8021x(int akm) WPA_KEY_MGMT_FILS_SHA256 | WPA_KEY_MGMT_FILS_SHA384 | WPA_KEY_MGMT_FT_FILS_SHA256 | - WPA_KEY_MGMT_FT_FILS_SHA384)); + WPA_KEY_MGMT_FT_FILS_SHA384 | + WPA_KEY_MGMT_IEEE8021X_SHA384)); } static inline int wpa_key_mgmt_wpa_psk_no_sae(int akm) @@ -153,7 +155,8 @@ static inline int wpa_key_mgmt_sha384(int akm) return !!(akm & (WPA_KEY_MGMT_IEEE8021X_SUITE_B_192 | WPA_KEY_MGMT_FT_IEEE8021X_SHA384 | WPA_KEY_MGMT_FILS_SHA384 | - WPA_KEY_MGMT_FT_FILS_SHA384)); + WPA_KEY_MGMT_FT_FILS_SHA384 | + WPA_KEY_MGMT_IEEE8021X_SHA384)); } static inline int wpa_key_mgmt_suite_b(int akm) diff --git a/src/common/wpa_common.c b/src/common/wpa_common.c index ead724baf..d897e0eca 100644 --- a/src/common/wpa_common.c +++ b/src/common/wpa_common.c @@ -26,6 +26,7 @@ static unsigned int wpa_kck_len(int akmp, size_t pmk_len) { switch (akmp) { case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192: + case WPA_KEY_MGMT_IEEE8021X_SHA384: case WPA_KEY_MGMT_FT_IEEE8021X_SHA384: return 24; case WPA_KEY_MGMT_FILS_SHA256: 
@@ -71,6 +72,7 @@ static unsigned int wpa_kek_len(int akmp, size_t pmk_len) case WPA_KEY_MGMT_FILS_SHA256: case WPA_KEY_MGMT_FT_FILS_SHA256: case WPA_KEY_MGMT_FT_IEEE8021X_SHA384: + case WPA_KEY_MGMT_IEEE8021X_SHA384: return 32; case WPA_KEY_MGMT_DPP: return pmk_len <= 32 ? 16 : 32; @@ -105,6 +107,7 @@ unsigned int wpa_mic_len(int akmp, size_t pmk_len) switch (akmp) { case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192: case WPA_KEY_MGMT_FT_IEEE8021X_SHA384: + case WPA_KEY_MGMT_IEEE8021X_SHA384: return 24; case WPA_KEY_MGMT_FILS_SHA256: case WPA_KEY_MGMT_FILS_SHA384: @@ -135,6 +138,7 @@ int wpa_use_akm_defined(int akmp) akmp == WPA_KEY_MGMT_OWE || akmp == WPA_KEY_MGMT_DPP || akmp == WPA_KEY_MGMT_FT_IEEE8021X_SHA384 || + akmp == WPA_KEY_MGMT_IEEE8021X_SHA384 || wpa_key_mgmt_sae(akmp) || wpa_key_mgmt_suite_b(akmp) || wpa_key_mgmt_fils(akmp); @@ -173,6 +177,7 @@ int wpa_use_aes_key_wrap(int akmp) return akmp == WPA_KEY_MGMT_OSEN || akmp == WPA_KEY_MGMT_OWE || akmp == WPA_KEY_MGMT_DPP || + akmp == WPA_KEY_MGMT_IEEE8021X_SHA384 || wpa_key_mgmt_ft(akmp) || wpa_key_mgmt_sha256(akmp) || wpa_key_mgmt_sae(akmp) || @@ -331,15 +336,18 @@ int wpa_eapol_key_mic(const u8 *key, size_t key_len, int akmp, int ver, os_memcpy(mic, hash, key_len); break; #endif /* CONFIG_DPP */ -#if defined(CONFIG_IEEE80211R) && defined(CONFIG_SHA384) +#ifdef CONFIG_SHA384 + case WPA_KEY_MGMT_IEEE8021X_SHA384: +#ifdef CONFIG_IEEE80211R case WPA_KEY_MGMT_FT_IEEE8021X_SHA384: +#endif /* CONFIG_IEEE80211R */ wpa_printf(MSG_DEBUG, - "WPA: EAPOL-Key MIC using HMAC-SHA384 (AKM-defined - FT 802.1X SHA384)"); + "WPA: EAPOL-Key MIC using HMAC-SHA384 (AKM-defined - 802.1X SHA384)"); if (hmac_sha384(key, key_len, buf, len, hash)) return -1; os_memcpy(mic, hash, 24); break; -#endif /* CONFIG_IEEE80211R && CONFIG_SHA384 */ +#endif /* CONFIG_SHA384 */ default: wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key MIC algorithm not known (AKM-defined - akmp=0x%x)", 
@@ -454,14 +462,14 @@ int wpa_pmk_to_ptk(const u8 *pmk, size_t pmk_len, const char *label, ptk_len = ptk->kck_len + ptk->kek_len + ptk->tk_len + ptk->kdk_len; if (wpa_key_mgmt_sha384(akmp)) { -#if defined(CONFIG_SUITEB192) || defined(CONFIG_FILS) +#ifdef CONFIG_SHA384 wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA384)"); if (sha384_prf(pmk, pmk_len, label, data, data_len, tmp, ptk_len) < 0) return -1; -#else /* CONFIG_SUITEB192 || CONFIG_FILS */ +#else /* CONFIG_SHA384 */ return -1; -#endif /* CONFIG_SUITEB192 || CONFIG_FILS */ +#endif /* CONFIG_SHA384 */ } else if (wpa_key_mgmt_sha256(akmp)) { wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA256)"); if (sha256_prf(pmk, pmk_len, label, data, data_len, @@ -1771,6 +1779,10 @@ static int rsn_key_mgmt_to_bitfield(const u8 *s) return WPA_KEY_MGMT_FT_IEEE8021X_SHA384; #endif /* CONFIG_SHA384 */ #endif /* CONFIG_IEEE80211R */ +#ifdef CONFIG_SHA384 + if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_802_1X_SHA384) + return WPA_KEY_MGMT_IEEE8021X_SHA384; +#endif /* CONFIG_SHA384 */ if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_802_1X_SHA256) return WPA_KEY_MGMT_IEEE8021X_SHA256; if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_PSK_SHA256) @@ -2787,6 +2799,8 @@ const char * wpa_key_mgmt_txt(int key_mgmt, int proto) return "DPP"; case WPA_KEY_MGMT_PASN: return "PASN"; + case WPA_KEY_MGMT_IEEE8021X_SHA384: + return "WPA2-EAP-SHA384"; default: return "UNKNOWN"; } @@ -2801,6 +2815,8 @@ u32 wpa_akm_to_suite(int akm) return RSN_AUTH_KEY_MGMT_FT_802_1X; if (akm & WPA_KEY_MGMT_FT_PSK) return RSN_AUTH_KEY_MGMT_FT_PSK; + if (akm & WPA_KEY_MGMT_IEEE8021X_SHA384) + return RSN_AUTH_KEY_MGMT_802_1X_SHA384; if (akm & WPA_KEY_MGMT_IEEE8021X_SHA256) return RSN_AUTH_KEY_MGMT_802_1X_SHA256; if (akm & WPA_KEY_MGMT_IEEE8021X) diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c index 25bae2805..d686dbd45 100644 --- a/src/drivers/driver_nl80211.c +++ b/src/drivers/driver_nl80211.c 
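Review bot: In wpa_pmk_to_ptk() (src/common/wpa_common.c) the guard around `sha384_prf()` narrows from `CONFIG_SUITEB192 || CONFIG_FILS` to `CONFIG_SHA384` alone, so a build that enables Suite B 192 or FILS without defining CONFIG_SHA384 would now hit the `return -1` branch and fail PTK derivation for every SHA-384 AKM. The build files are not part of this diff, so whether those options always imply CONFIG_SHA384 cannot be confirmed from here. If they do not, keep the old options in the condition: `#if defined(CONFIG_SHA384) || defined(CONFIG_SUITEB192) || defined(CONFIG_FILS)`. Note that `wpa_key_mgmt_sha384()` in defs.h is not conditional, so the new AKM bit reaches this branch regardless of build options. The function body continues outside the hunk.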
@@ -3284,6 +3284,7 @@ static int wpa_key_mgmt_to_suites(unsigned int key_mgmt_suites, u32 suites[], __AKM(OWE, OWE); __AKM(DPP, DPP); __AKM(FT_IEEE8021X_SHA384, FT_802_1X_SHA384); + __AKM(IEEE8021X_SHA384, 802_1X_SHA384); #undef __AKM return num_suites; @@ -6503,7 +6504,8 @@ retry: if (params->key_mgmt_suite == WPA_KEY_MGMT_IEEE8021X || params->key_mgmt_suite == WPA_KEY_MGMT_PSK || params->key_mgmt_suite == WPA_KEY_MGMT_IEEE8021X_SHA256 || - params->key_mgmt_suite == WPA_KEY_MGMT_PSK_SHA256) { + params->key_mgmt_suite == WPA_KEY_MGMT_PSK_SHA256 || + params->key_mgmt_suite == WPA_KEY_MGMT_IEEE8021X_SHA384) { wpa_printf(MSG_DEBUG, " * control port"); if (nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT)) goto fail; @@ -6803,7 +6805,8 @@ static int nl80211_connect_common(struct wpa_driver_nl80211_data *drv, params->key_mgmt_suite == WPA_KEY_MGMT_FT_FILS_SHA256 || params->key_mgmt_suite == WPA_KEY_MGMT_FT_FILS_SHA384 || params->key_mgmt_suite == WPA_KEY_MGMT_OWE || - params->key_mgmt_suite == WPA_KEY_MGMT_DPP) { + params->key_mgmt_suite == WPA_KEY_MGMT_DPP || + params->key_mgmt_suite == WPA_KEY_MGMT_IEEE8021X_SHA384) { u32 *mgmt; unsigned int akm_count = 1, i; @@ -6887,6 +6890,9 @@ static int nl80211_connect_common(struct wpa_driver_nl80211_data *drv, case WPA_KEY_MGMT_DPP: mgmt[0] = RSN_AUTH_KEY_MGMT_DPP; break; + case WPA_KEY_MGMT_IEEE8021X_SHA384: + mgmt[0] = RSN_AUTH_KEY_MGMT_802_1X_SHA384; + break; case WPA_KEY_MGMT_PSK: default: mgmt[0] = RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X; diff --git a/src/rsn_supp/preauth.c b/src/rsn_supp/preauth.c index 8f86820a7..1a288844a 100644 --- a/src/rsn_supp/preauth.c +++ b/src/rsn_supp/preauth.c @@ -54,7 +54,8 @@ static int rsn_preauth_key_mgmt(int akmp) return !!(akmp & (WPA_KEY_MGMT_IEEE8021X | WPA_KEY_MGMT_IEEE8021X_SHA256 | WPA_KEY_MGMT_IEEE8021X_SUITE_B | - WPA_KEY_MGMT_IEEE8021X_SUITE_B_192)); + WPA_KEY_MGMT_IEEE8021X_SUITE_B_192 | + WPA_KEY_MGMT_IEEE8021X_SHA384)); } 
diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c index 856fe09e6..6d448d071 100644 --- a/src/rsn_supp/wpa.c +++ b/src/rsn_supp/wpa.c @@ -3828,6 +3828,8 @@ static u32 wpa_key_mgmt_suite(struct wpa_sm *sm) return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B; case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192: return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B_192; + case WPA_KEY_MGMT_IEEE8021X_SHA384: + return RSN_AUTH_KEY_MGMT_802_1X_SHA384; default: return 0; } diff --git a/src/rsn_supp/wpa_ie.c b/src/rsn_supp/wpa_ie.c index 2a6c79b26..d1510aad7 100644 --- a/src/rsn_supp/wpa_ie.c +++ b/src/rsn_supp/wpa_ie.c @@ -230,6 +230,10 @@ static int wpa_gen_wpa_ie_rsn(u8 *rsn_ie, size_t rsn_ie_len, } else if (key_mgmt & WPA_KEY_MGMT_OSEN) { RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_OSEN); #endif /* CONFIG_HS20 */ +#ifdef CONFIG_SHA384 + } else if (key_mgmt == WPA_KEY_MGMT_IEEE8021X_SHA384) { + RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_802_1X_SHA384); +#endif /* CONFIG_SHA384 */ } else { wpa_printf(MSG_WARNING, "Invalid key management type (%d).", key_mgmt); diff --git a/wlantest/bss.c b/wlantest/bss.c index 01c9c6242..7b669966f 100644 --- a/wlantest/bss.c +++ b/wlantest/bss.c @@ -335,7 +335,7 @@ void bss_update(struct wlantest *wt, struct wlantest_bss *bss, "pairwise=%s%s%s%s%s%s%s" "group=%s%s%s%s%s%s%s%s%s" "mgmt_group_cipher=%s%s%s%s%s" - "key_mgmt=%s%s%s%s%s%s%s%s%s%s%s%s%s%s" + "key_mgmt=%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s" "rsn_capab=%s%s%s%s%s%s%s%s%s%s", MAC2STR(bss->bssid), bss->proto == 0 ? "OPEN " : "", @@ -387,6 +387,8 @@ void bss_update(struct wlantest *wt, struct wlantest_bss *bss, "EAP-SUITE-B " : "", bss->key_mgmt & WPA_KEY_MGMT_IEEE8021X_SUITE_B_192 ? "EAP-SUITE-B-192 " : "", + bss->key_mgmt & WPA_KEY_MGMT_IEEE8021X_SHA384 ? + "EAP-SHA384 " : "", bss->rsn_capab & WPA_CAPABILITY_PREAUTH ? "PREAUTH " : "", bss->rsn_capab & WPA_CAPABILITY_NO_PAIRWISE ? "NO_PAIRWISE " : "", diff --git a/wlantest/ctrl.c b/wlantest/ctrl.c index 587a0d3e1..68a2b410c 100644 --- a/wlantest/ctrl.c +++ b/wlantest/ctrl.c 
@@ -957,6 +957,9 @@ static void info_print_key_mgmt(char *buf, size_t len, int key_mgmt) if (key_mgmt & WPA_KEY_MGMT_IEEE8021X_SUITE_B_192) pos += os_snprintf(pos, end - pos, "%sEAP-SUITE-B-192", pos == buf ? "" : " "); + if (key_mgmt & WPA_KEY_MGMT_IEEE8021X_SHA384) + pos += os_snprintf(pos, end - pos, "%sEAP-SHA384", + pos == buf ? "" : " "); } diff --git a/wlantest/sta.c b/wlantest/sta.c index 6c6c6235a..dc23e5457 100644 --- a/wlantest/sta.c +++ b/wlantest/sta.c @@ -252,7 +252,7 @@ skip_rsn_wpa: wpa_printf(MSG_INFO, "STA " MACSTR " proto=%s%s%s%s" "pairwise=%s%s%s%s%s%s%s" - "key_mgmt=%s%s%s%s%s%s%s%s%s%s%s%s%s%s" + "key_mgmt=%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s" "rsn_capab=%s%s%s%s%s%s%s%s%s%s", MAC2STR(sta->addr), sta->proto == 0 ? "OPEN " : "", @@ -286,6 +286,8 @@ skip_rsn_wpa: "EAP-SUITE-B " : "", sta->key_mgmt & WPA_KEY_MGMT_IEEE8021X_SUITE_B_192 ? "EAP-SUITE-B-192 " : "", + sta->key_mgmt & WPA_KEY_MGMT_IEEE8021X_SHA384 ? + "EAP-SHA384 " : "", sta->rsn_capab & WPA_CAPABILITY_PREAUTH ? "PREAUTH " : "", sta->rsn_capab & WPA_CAPABILITY_NO_PAIRWISE ? "NO_PAIRWISE " : "", diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c index 15feba95d..a554b7b5c 100644 --- a/wpa_supplicant/config.c +++ b/wpa_supplicant/config.c @@ -793,6 +793,10 @@ static int wpa_config_parse_key_mgmt(const struct parse_data *data, val |= WPA_KEY_MGMT_FT_IEEE8021X_SHA384; #endif /* CONFIG_SHA384 */ #endif /* CONFIG_IEEE80211R */ +#ifdef CONFIG_SHA384 + else if (os_strcmp(start, "WPA-EAP-SHA384") == 0) + val |= WPA_KEY_MGMT_IEEE8021X_SHA384; +#endif /* CONFIG_SHA384 */ else if (os_strcmp(start, "WPA-PSK-SHA256") == 0) val |= WPA_KEY_MGMT_PSK_SHA256; else if (os_strcmp(start, "WPA-EAP-SHA256") == 0) 
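Review bot: The new `pos += os_snprintf(pos, end - pos, "%sEAP-SHA384", ...)` in info_print_key_mgmt() (wlantest/ctrl.c) advances `pos` by the return value without checking it, unlike the hostapd and wpa_supplicant writers added in this same patch, which test `os_snprintf_error(end - pos, ret)` first. If an earlier append in the function was truncated, `pos` may already be past `end`, and `end - pos` is then a negative value converted to the size argument. Suggest the checked form here: `ret = os_snprintf(pos, end - pos, "%sEAP-SHA384", pos == buf ? "" : " ");` then `if (os_snprintf_error(end - pos, ret)) return;` and `pos += ret;`. The preceding append visible in the hunk uses the same unchecked pattern, and the function starts outside the hunk, so `ret` would need a declaration there.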
@@ -965,6 +969,18 @@ static char * wpa_config_write_key_mgmt(const struct parse_data *data, #endif /* CONFIG_SHA384 */ #endif /* CONFIG_IEEE80211R */ +#ifdef CONFIG_SHA384 + if (ssid->key_mgmt & WPA_KEY_MGMT_IEEE8021X_SHA384) { + ret = os_snprintf(pos, end - pos, "%sWPA-EAP-SHA384", + pos == buf ? "" : " "); + if (os_snprintf_error(end - pos, ret)) { + end[-1] = '\0'; + return buf; + } + pos += ret; + } +#endif /* CONFIG_SHA384 */ + if (ssid->key_mgmt & WPA_KEY_MGMT_PSK_SHA256) { ret = os_snprintf(pos, end - pos, "%sWPA-PSK-SHA256", pos == buf ? "" : " "); diff --git a/wpa_supplicant/ctrl_iface.c b/wpa_supplicant/ctrl_iface.c index 604b969d1..a68802e49 100644 --- a/wpa_supplicant/ctrl_iface.c +++ b/wpa_supplicant/ctrl_iface.c @@ -2967,6 +2967,16 @@ static char * wpa_supplicant_ie_txt(char *pos, char *end, const char *proto, pos += ret; } +#ifdef CONFIG_SHA384 + if (data.key_mgmt & WPA_KEY_MGMT_IEEE8021X_SHA384) { + ret = os_snprintf(pos, end - pos, "%sEAP-SHA384", + pos == start ? "" : "+"); + if (os_snprintf_error(end - pos, ret)) + return pos; + pos += ret; + } +#endif /* CONFIG_SHA384 */ + pos = wpa_supplicant_cipher_txt(pos, end, data.pairwise_cipher); if (data.capabilities & WPA_CAPABILITY_PREAUTH) { diff --git a/wpa_supplicant/dbus/dbus_new_handlers.c b/wpa_supplicant/dbus/dbus_new_handlers.c index cd1a59a11..f9c59a182 100644 --- a/wpa_supplicant/dbus/dbus_new_handlers.c +++ b/wpa_supplicant/dbus/dbus_new_handlers.c @@ -5303,7 +5303,7 @@ static dbus_bool_t wpas_dbus_get_bss_security_prop( DBusMessageIter iter_dict, variant_iter; const char *group; const char *pairwise[5]; /* max 5 pairwise ciphers is supported */ - const char *key_mgmt[18]; /* max 18 key managements may be supported */ + const char *key_mgmt[19]; /* max 19 key managements may be supported */ int n; if (!dbus_message_iter_open_container(iter, DBUS_TYPE_VARIANT, 
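Review bot: `key_mgmt[19]` in wpas_dbus_get_bss_security_prop() (wpa_supplicant/dbus/dbus_new_handlers.c) is a hand-counted capacity for a stack array that is filled with unchecked `key_mgmt[n++] = ...` stores, and the following hunk adds one more such store for `"wpa-eap-sha384"`. Most of the appends are outside the hunks, so the count of 19 cannot be verified from here; if it is ever one short, the last store writes past the end of the array. A comment enumerating the 19 possible entries, or a guard such as `if (n < (int) ARRAY_SIZE(key_mgmt))` before each store, would keep the bound and the appends from drifting apart as AKMs are added.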
@@ -5366,6 +5366,10 @@ static dbus_bool_t wpas_dbus_get_bss_security_prop( #endif /* CONFIG_OWE */ if (ie_data->key_mgmt & WPA_KEY_MGMT_NONE) key_mgmt[n++] = "wpa-none"; +#ifdef CONFIG_SHA384 + if (ie_data->key_mgmt & WPA_KEY_MGMT_IEEE8021X_SHA384) + key_mgmt[n++] = "wpa-eap-sha384"; +#endif /* CONFIG_SHA384 */ if (!wpa_dbus_dict_append_string_array(&iter_dict, "KeyMgmt", key_mgmt, n)) diff --git a/wpa_supplicant/dpp_supplicant.c b/wpa_supplicant/dpp_supplicant.c index afadd789f..a436fa564 100644 --- a/wpa_supplicant/dpp_supplicant.c +++ b/wpa_supplicant/dpp_supplicant.c @@ -1362,7 +1362,7 @@ static struct wpa_ssid * wpas_dpp_add_network(struct wpa_supplicant *wpa_s, ssid->key_mgmt = WPA_KEY_MGMT_IEEE8021X | WPA_KEY_MGMT_IEEE8021X_SHA256 | - WPA_KEY_MGMT_IEEE8021X_SHA256; + WPA_KEY_MGMT_IEEE8021X_SHA384; ssid->ieee80211w = MGMT_FRAME_PROTECTION_OPTIONAL; if (conf->cacert) { diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c index 4c305830c..24f41c9ba 100644 --- a/wpa_supplicant/wpa_supplicant.c +++ b/wpa_supplicant/wpa_supplicant.c @@ -1804,6 +1804,12 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s, wpa_dbg(wpa_s, MSG_DEBUG, "WPA: using KEY_MGMT 802.1X with Suite B"); #endif /* CONFIG_SUITEB */ +#ifdef CONFIG_SHA384 + } else if (sel & WPA_KEY_MGMT_IEEE8021X_SHA384) { + wpa_s->key_mgmt = WPA_KEY_MGMT_IEEE8021X_SHA384; + wpa_dbg(wpa_s, MSG_DEBUG, + "WPA: using KEY_MGMT 802.1X with SHA384"); +#endif /* CONFIG_SHA384 */ #ifdef CONFIG_FILS #ifdef CONFIG_IEEE80211R } else if (sel & WPA_KEY_MGMT_FT_FILS_SHA384) { 
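Review bot: The wpas_dpp_add_network() change (wpa_supplicant/dpp_supplicant.c) sets `WPA_KEY_MGMT_IEEE8021X_SHA384` unconditionally, while the config parsing, AKM selection and RSN IE writing added elsewhere in this patch are all inside `#ifdef CONFIG_SHA384`. If DPP can be built without CONFIG_SHA384 (not determinable from this diff), the provisioned profile would carry an AKM bit that the rest of the build cannot parse or negotiate. Wrapping the new flag in the same `#ifdef` would keep the two aligned. The line also replaces a duplicated `WPA_KEY_MGMT_IEEE8021X_SHA256`, a behaviour change for DPP-provisioned enterprise profiles that the commit message does not mention.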
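Review bot: In wpa_supplicant_set_suites() (wpa_supplicant/wpa_supplicant.c) the new `sel & WPA_KEY_MGMT_IEEE8021X_SHA384` branch sits ahead of the `WPA_KEY_MGMT_FT_FILS_SHA384` branch visible below it, so when both AKMs are enabled and advertised, plain 802.1X-SHA384 is selected instead of the FT/FILS variant. If that priority is intended, a short comment on the branch would record it, e.g. `/* Preferred over the FILS and FT AKMs below */`; otherwise the branch belongs further down the chain. The rest of the else-if chain is outside the hunk, so the full ordering should be checked against it.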
@@ -4282,14 +4288,17 @@ static void wpas_start_assoc_cb(struct wpa_radio_work *work, int deinit) (params.key_mgmt_suite == WPA_KEY_MGMT_IEEE8021X || params.key_mgmt_suite == WPA_KEY_MGMT_IEEE8021X_SHA256 || params.key_mgmt_suite == WPA_KEY_MGMT_IEEE8021X_SUITE_B || - params.key_mgmt_suite == WPA_KEY_MGMT_IEEE8021X_SUITE_B_192)) + params.key_mgmt_suite == WPA_KEY_MGMT_IEEE8021X_SUITE_B_192 || + params.key_mgmt_suite == WPA_KEY_MGMT_IEEE8021X_SHA384)) params.req_handshake_offload = 1; if (wpa_s->conf->key_mgmt_offload) { if (params.key_mgmt_suite == WPA_KEY_MGMT_IEEE8021X || params.key_mgmt_suite == WPA_KEY_MGMT_IEEE8021X_SHA256 || params.key_mgmt_suite == WPA_KEY_MGMT_IEEE8021X_SUITE_B || - params.key_mgmt_suite == WPA_KEY_MGMT_IEEE8021X_SUITE_B_192) + params.key_mgmt_suite == + WPA_KEY_MGMT_IEEE8021X_SUITE_B_192 || + params.key_mgmt_suite == WPA_KEY_MGMT_IEEE8021X_SHA384) params.req_key_mgmt_offload = ssid->proactive_key_caching < 0 ? wpa_s->conf->okc : ssid->proactive_key_caching; diff --git a/wpa_supplicant/wpas_glue.c b/wpa_supplicant/wpas_glue.c index 80ac7c820..1d9ad4ba4 100644 --- a/wpa_supplicant/wpas_glue.c +++ b/wpa_supplicant/wpas_glue.c @@ -1332,7 +1332,8 @@ void wpas_transition_disable(struct wpa_supplicant *wpa_s, u8 bitmap) wpa_key_mgmt_wpa_ieee8021x(wpa_s->key_mgmt) && (ssid->key_mgmt & (WPA_KEY_MGMT_IEEE8021X | WPA_KEY_MGMT_FT_IEEE8021X | - WPA_KEY_MGMT_IEEE8021X_SHA256)) && + WPA_KEY_MGMT_IEEE8021X_SHA256 | + WPA_KEY_MGMT_IEEE8021X_SHA384)) && (ssid->ieee80211w != MGMT_FRAME_PROTECTION_REQUIRED || (ssid->group_cipher & WPA_CIPHER_TKIP))) { disable_wpa_wpa2(ssid);