Add support for AKM suite 00-0F-AC:23

Add support for Authentication negotiated over IEEE Std 802.1X
with key derivation function using SHA-384.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Ilan Peer 2023-05-23 13:14:54 +03:00 committed by Jouni Malinen
parent 005b0ce367
commit a8517c132c
18 changed files with 124 additions and 18 deletions


@ -667,6 +667,10 @@ static int hostapd_config_parse_key_mgmt(int line, const char *value)
val |= WPA_KEY_MGMT_FT_IEEE8021X_SHA384; val |= WPA_KEY_MGMT_FT_IEEE8021X_SHA384;
#endif /* CONFIG_SHA384 */ #endif /* CONFIG_SHA384 */
#endif /* CONFIG_IEEE80211R_AP */ #endif /* CONFIG_IEEE80211R_AP */
#ifdef CONFIG_SHA384
else if (os_strcmp(start, "WPA-EAP-SHA384") == 0)
val |= WPA_KEY_MGMT_IEEE8021X_SHA384;
#endif /* CONFIG_SHA384 */
else if (os_strcmp(start, "WPA-PSK-SHA256") == 0) else if (os_strcmp(start, "WPA-PSK-SHA256") == 0)
val |= WPA_KEY_MGMT_PSK_SHA256; val |= WPA_KEY_MGMT_PSK_SHA256;
else if (os_strcmp(start, "WPA-EAP-SHA256") == 0) else if (os_strcmp(start, "WPA-EAP-SHA256") == 0)


@ -956,6 +956,14 @@ static int hostapd_ctrl_iface_get_key_mgmt(struct hostapd_data *hapd,
pos += ret; pos += ret;
} }
#endif /* CONFIG_DPP */ #endif /* CONFIG_DPP */
#ifdef CONFIG_SHA384
if (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_IEEE8021X_SHA384) {
ret = os_snprintf(pos, end - pos, "WPA-EAP-SHA384 ");
if (os_snprintf_error(end - pos, ret))
return pos - buf;
pos += ret;
}
#endif /* CONFIG_SHA384 */
if (pos > buf && *(pos - 1) == ' ') { if (pos > buf && *(pos - 1) == ' ') {
*(pos - 1) = '\0'; *(pos - 1) = '\0';


@ -212,6 +212,13 @@ int wpa_write_rsn_ie(struct wpa_auth_config *conf, u8 *buf, size_t len,
num_suites++; num_suites++;
} }
#endif /* CONFIG_IEEE80211R_AP */ #endif /* CONFIG_IEEE80211R_AP */
#ifdef CONFIG_SHA384
if (conf->wpa_key_mgmt & WPA_KEY_MGMT_IEEE8021X_SHA384) {
RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_802_1X_SHA384);
pos += RSN_SELECTOR_LEN;
num_suites++;
}
#endif /* CONFIG_SHA384 */
if (conf->wpa_key_mgmt & WPA_KEY_MGMT_IEEE8021X_SHA256) { if (conf->wpa_key_mgmt & WPA_KEY_MGMT_IEEE8021X_SHA256) {
RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_802_1X_SHA256); RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_802_1X_SHA256);
pos += RSN_SELECTOR_LEN; pos += RSN_SELECTOR_LEN;
@ -705,6 +712,10 @@ wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth,
else if (data.key_mgmt & WPA_KEY_MGMT_OSEN) else if (data.key_mgmt & WPA_KEY_MGMT_OSEN)
selector = RSN_AUTH_KEY_MGMT_OSEN; selector = RSN_AUTH_KEY_MGMT_OSEN;
#endif /* CONFIG_HS20 */ #endif /* CONFIG_HS20 */
#ifdef CONFIG_SHA384
else if (data.key_mgmt & WPA_KEY_MGMT_IEEE8021X_SHA384)
selector = RSN_AUTH_KEY_MGMT_802_1X_SHA384;
#endif /* CONFIG_SHA384 */
wpa_auth->dot11RSNAAuthenticationSuiteSelected = selector; wpa_auth->dot11RSNAAuthenticationSuiteSelected = selector;
selector = wpa_cipher_to_suite(WPA_PROTO_RSN, selector = wpa_cipher_to_suite(WPA_PROTO_RSN,
@ -787,6 +798,10 @@ wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth,
else if (key_mgmt & WPA_KEY_MGMT_FT_PSK) else if (key_mgmt & WPA_KEY_MGMT_FT_PSK)
sm->wpa_key_mgmt = WPA_KEY_MGMT_FT_PSK; sm->wpa_key_mgmt = WPA_KEY_MGMT_FT_PSK;
#endif /* CONFIG_IEEE80211R_AP */ #endif /* CONFIG_IEEE80211R_AP */
#ifdef CONFIG_SHA384
else if (key_mgmt & WPA_KEY_MGMT_IEEE8021X_SHA384)
sm->wpa_key_mgmt = WPA_KEY_MGMT_IEEE8021X_SHA384;
#endif /* CONFIG_SHA384 */
else if (key_mgmt & WPA_KEY_MGMT_IEEE8021X_SHA256) else if (key_mgmt & WPA_KEY_MGMT_IEEE8021X_SHA256)
sm->wpa_key_mgmt = WPA_KEY_MGMT_IEEE8021X_SHA256; sm->wpa_key_mgmt = WPA_KEY_MGMT_IEEE8021X_SHA256;
else if (key_mgmt & WPA_KEY_MGMT_PSK_SHA256) else if (key_mgmt & WPA_KEY_MGMT_PSK_SHA256)
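Review bot: The two AKM chains in wpa_validate_wpa_ie() give the new suite different priorities: the selector chain tests `WPA_KEY_MGMT_IEEE8021X_SHA384` last, after the OSEN branch, while the `sm->wpa_key_mgmt` chain tests it ahead of `WPA_KEY_MGMT_IEEE8021X_SHA256`. If a station's RSNE carries more than one AKM bit that the AP allows, `dot11RSNAAuthenticationSuiteSelected` could then report a different suite from the one the state machine actually uses. Both chains begin outside the hunks, so this depends on which tests precede the new branch. Placing the selector test at the same relative position as in the second chain would keep the two in step.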


@ -52,6 +52,7 @@
#define WPA_KEY_MGMT_PASN BIT(25) #define WPA_KEY_MGMT_PASN BIT(25)
#define WPA_KEY_MGMT_SAE_EXT_KEY BIT(26) #define WPA_KEY_MGMT_SAE_EXT_KEY BIT(26)
#define WPA_KEY_MGMT_FT_SAE_EXT_KEY BIT(27) #define WPA_KEY_MGMT_FT_SAE_EXT_KEY BIT(27)
#define WPA_KEY_MGMT_IEEE8021X_SHA384 BIT(28)
#define WPA_KEY_MGMT_FT (WPA_KEY_MGMT_FT_PSK | \ #define WPA_KEY_MGMT_FT (WPA_KEY_MGMT_FT_PSK | \
@ -75,7 +76,8 @@ static inline int wpa_key_mgmt_wpa_ieee8021x(int akm)
WPA_KEY_MGMT_FILS_SHA256 | WPA_KEY_MGMT_FILS_SHA256 |
WPA_KEY_MGMT_FILS_SHA384 | WPA_KEY_MGMT_FILS_SHA384 |
WPA_KEY_MGMT_FT_FILS_SHA256 | WPA_KEY_MGMT_FT_FILS_SHA256 |
WPA_KEY_MGMT_FT_FILS_SHA384)); WPA_KEY_MGMT_FT_FILS_SHA384 |
WPA_KEY_MGMT_IEEE8021X_SHA384));
} }
static inline int wpa_key_mgmt_wpa_psk_no_sae(int akm) static inline int wpa_key_mgmt_wpa_psk_no_sae(int akm)
@ -153,7 +155,8 @@ static inline int wpa_key_mgmt_sha384(int akm)
return !!(akm & (WPA_KEY_MGMT_IEEE8021X_SUITE_B_192 | return !!(akm & (WPA_KEY_MGMT_IEEE8021X_SUITE_B_192 |
WPA_KEY_MGMT_FT_IEEE8021X_SHA384 | WPA_KEY_MGMT_FT_IEEE8021X_SHA384 |
WPA_KEY_MGMT_FILS_SHA384 | WPA_KEY_MGMT_FILS_SHA384 |
WPA_KEY_MGMT_FT_FILS_SHA384)); WPA_KEY_MGMT_FT_FILS_SHA384 |
WPA_KEY_MGMT_IEEE8021X_SHA384));
} }
static inline int wpa_key_mgmt_suite_b(int akm) static inline int wpa_key_mgmt_suite_b(int akm)


@ -26,6 +26,7 @@ static unsigned int wpa_kck_len(int akmp, size_t pmk_len)
{ {
switch (akmp) { switch (akmp) {
case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192: case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192:
case WPA_KEY_MGMT_IEEE8021X_SHA384:
case WPA_KEY_MGMT_FT_IEEE8021X_SHA384: case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
return 24; return 24;
case WPA_KEY_MGMT_FILS_SHA256: case WPA_KEY_MGMT_FILS_SHA256:
@ -71,6 +72,7 @@ static unsigned int wpa_kek_len(int akmp, size_t pmk_len)
case WPA_KEY_MGMT_FILS_SHA256: case WPA_KEY_MGMT_FILS_SHA256:
case WPA_KEY_MGMT_FT_FILS_SHA256: case WPA_KEY_MGMT_FT_FILS_SHA256:
case WPA_KEY_MGMT_FT_IEEE8021X_SHA384: case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
case WPA_KEY_MGMT_IEEE8021X_SHA384:
return 32; return 32;
case WPA_KEY_MGMT_DPP: case WPA_KEY_MGMT_DPP:
return pmk_len <= 32 ? 16 : 32; return pmk_len <= 32 ? 16 : 32;
@ -105,6 +107,7 @@ unsigned int wpa_mic_len(int akmp, size_t pmk_len)
switch (akmp) { switch (akmp) {
case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192: case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192:
case WPA_KEY_MGMT_FT_IEEE8021X_SHA384: case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
case WPA_KEY_MGMT_IEEE8021X_SHA384:
return 24; return 24;
case WPA_KEY_MGMT_FILS_SHA256: case WPA_KEY_MGMT_FILS_SHA256:
case WPA_KEY_MGMT_FILS_SHA384: case WPA_KEY_MGMT_FILS_SHA384:
@ -135,6 +138,7 @@ int wpa_use_akm_defined(int akmp)
akmp == WPA_KEY_MGMT_OWE || akmp == WPA_KEY_MGMT_OWE ||
akmp == WPA_KEY_MGMT_DPP || akmp == WPA_KEY_MGMT_DPP ||
akmp == WPA_KEY_MGMT_FT_IEEE8021X_SHA384 || akmp == WPA_KEY_MGMT_FT_IEEE8021X_SHA384 ||
akmp == WPA_KEY_MGMT_IEEE8021X_SHA384 ||
wpa_key_mgmt_sae(akmp) || wpa_key_mgmt_sae(akmp) ||
wpa_key_mgmt_suite_b(akmp) || wpa_key_mgmt_suite_b(akmp) ||
wpa_key_mgmt_fils(akmp); wpa_key_mgmt_fils(akmp);
@ -173,6 +177,7 @@ int wpa_use_aes_key_wrap(int akmp)
return akmp == WPA_KEY_MGMT_OSEN || return akmp == WPA_KEY_MGMT_OSEN ||
akmp == WPA_KEY_MGMT_OWE || akmp == WPA_KEY_MGMT_OWE ||
akmp == WPA_KEY_MGMT_DPP || akmp == WPA_KEY_MGMT_DPP ||
akmp == WPA_KEY_MGMT_IEEE8021X_SHA384 ||
wpa_key_mgmt_ft(akmp) || wpa_key_mgmt_ft(akmp) ||
wpa_key_mgmt_sha256(akmp) || wpa_key_mgmt_sha256(akmp) ||
wpa_key_mgmt_sae(akmp) || wpa_key_mgmt_sae(akmp) ||
@ -331,15 +336,18 @@ int wpa_eapol_key_mic(const u8 *key, size_t key_len, int akmp, int ver,
os_memcpy(mic, hash, key_len); os_memcpy(mic, hash, key_len);
break; break;
#endif /* CONFIG_DPP */ #endif /* CONFIG_DPP */
#if defined(CONFIG_IEEE80211R) && defined(CONFIG_SHA384) #ifdef CONFIG_SHA384
case WPA_KEY_MGMT_IEEE8021X_SHA384:
#ifdef CONFIG_IEEE80211R
case WPA_KEY_MGMT_FT_IEEE8021X_SHA384: case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
#endif /* CONFIG_IEEE80211R */
wpa_printf(MSG_DEBUG, wpa_printf(MSG_DEBUG,
"WPA: EAPOL-Key MIC using HMAC-SHA384 (AKM-defined - FT 802.1X SHA384)"); "WPA: EAPOL-Key MIC using HMAC-SHA384 (AKM-defined - 802.1X SHA384)");
if (hmac_sha384(key, key_len, buf, len, hash)) if (hmac_sha384(key, key_len, buf, len, hash))
return -1; return -1;
os_memcpy(mic, hash, 24); os_memcpy(mic, hash, 24);
break; break;
#endif /* CONFIG_IEEE80211R && CONFIG_SHA384 */ #endif /* CONFIG_SHA384 */
default: default:
wpa_printf(MSG_DEBUG, wpa_printf(MSG_DEBUG,
"WPA: EAPOL-Key MIC algorithm not known (AKM-defined - akmp=0x%x)", "WPA: EAPOL-Key MIC algorithm not known (AKM-defined - akmp=0x%x)",
@ -454,14 +462,14 @@ int wpa_pmk_to_ptk(const u8 *pmk, size_t pmk_len, const char *label,
ptk_len = ptk->kck_len + ptk->kek_len + ptk->tk_len + ptk->kdk_len; ptk_len = ptk->kck_len + ptk->kek_len + ptk->tk_len + ptk->kdk_len;
if (wpa_key_mgmt_sha384(akmp)) { if (wpa_key_mgmt_sha384(akmp)) {
#if defined(CONFIG_SUITEB192) || defined(CONFIG_FILS) #ifdef CONFIG_SHA384
wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA384)"); wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA384)");
if (sha384_prf(pmk, pmk_len, label, data, data_len, if (sha384_prf(pmk, pmk_len, label, data, data_len,
tmp, ptk_len) < 0) tmp, ptk_len) < 0)
return -1; return -1;
#else /* CONFIG_SUITEB192 || CONFIG_FILS */ #else /* CONFIG_SHA384 */
return -1; return -1;
#endif /* CONFIG_SUITEB192 || CONFIG_FILS */ #endif /* CONFIG_SHA384 */
} else if (wpa_key_mgmt_sha256(akmp)) { } else if (wpa_key_mgmt_sha256(akmp)) {
wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA256)"); wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA256)");
if (sha256_prf(pmk, pmk_len, label, data, data_len, if (sha256_prf(pmk, pmk_len, label, data, data_len,
@ -1771,6 +1779,10 @@ static int rsn_key_mgmt_to_bitfield(const u8 *s)
return WPA_KEY_MGMT_FT_IEEE8021X_SHA384; return WPA_KEY_MGMT_FT_IEEE8021X_SHA384;
#endif /* CONFIG_SHA384 */ #endif /* CONFIG_SHA384 */
#endif /* CONFIG_IEEE80211R */ #endif /* CONFIG_IEEE80211R */
#ifdef CONFIG_SHA384
if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_802_1X_SHA384)
return WPA_KEY_MGMT_IEEE8021X_SHA384;
#endif /* CONFIG_SHA384 */
if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_802_1X_SHA256) if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_802_1X_SHA256)
return WPA_KEY_MGMT_IEEE8021X_SHA256; return WPA_KEY_MGMT_IEEE8021X_SHA256;
if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_PSK_SHA256) if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_PSK_SHA256)
@ -2787,6 +2799,8 @@ const char * wpa_key_mgmt_txt(int key_mgmt, int proto)
return "DPP"; return "DPP";
case WPA_KEY_MGMT_PASN: case WPA_KEY_MGMT_PASN:
return "PASN"; return "PASN";
case WPA_KEY_MGMT_IEEE8021X_SHA384:
return "WPA2-EAP-SHA384";
default: default:
return "UNKNOWN"; return "UNKNOWN";
} }
@ -2801,6 +2815,8 @@ u32 wpa_akm_to_suite(int akm)
return RSN_AUTH_KEY_MGMT_FT_802_1X; return RSN_AUTH_KEY_MGMT_FT_802_1X;
if (akm & WPA_KEY_MGMT_FT_PSK) if (akm & WPA_KEY_MGMT_FT_PSK)
return RSN_AUTH_KEY_MGMT_FT_PSK; return RSN_AUTH_KEY_MGMT_FT_PSK;
if (akm & WPA_KEY_MGMT_IEEE8021X_SHA384)
return RSN_AUTH_KEY_MGMT_802_1X_SHA384;
if (akm & WPA_KEY_MGMT_IEEE8021X_SHA256) if (akm & WPA_KEY_MGMT_IEEE8021X_SHA256)
return RSN_AUTH_KEY_MGMT_802_1X_SHA256; return RSN_AUTH_KEY_MGMT_802_1X_SHA256;
if (akm & WPA_KEY_MGMT_IEEE8021X) if (akm & WPA_KEY_MGMT_IEEE8021X)
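Review bot: In wpa_pmk_to_ptk() the SHA-384 branch is now compiled only under `#ifdef CONFIG_SHA384`, where it used to be enabled by `CONFIG_SUITEB192 || CONFIG_FILS`, so a build that sets either of those without CONFIG_SHA384 would now reach `return -1` for every AKM that wpa_key_mgmt_sha384() matches. Nothing on this page shows that the build files define CONFIG_SHA384 whenever those options are on. That is worth confirming, or the guard could be widened to `#if defined(CONFIG_SHA384) || defined(CONFIG_SUITEB192) || defined(CONFIG_FILS)`. The function body starts and continues outside the hunk.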


@ -3284,6 +3284,7 @@ static int wpa_key_mgmt_to_suites(unsigned int key_mgmt_suites, u32 suites[],
__AKM(OWE, OWE); __AKM(OWE, OWE);
__AKM(DPP, DPP); __AKM(DPP, DPP);
__AKM(FT_IEEE8021X_SHA384, FT_802_1X_SHA384); __AKM(FT_IEEE8021X_SHA384, FT_802_1X_SHA384);
__AKM(IEEE8021X_SHA384, 802_1X_SHA384);
#undef __AKM #undef __AKM
return num_suites; return num_suites;
@ -6503,7 +6504,8 @@ retry:
if (params->key_mgmt_suite == WPA_KEY_MGMT_IEEE8021X || if (params->key_mgmt_suite == WPA_KEY_MGMT_IEEE8021X ||
params->key_mgmt_suite == WPA_KEY_MGMT_PSK || params->key_mgmt_suite == WPA_KEY_MGMT_PSK ||
params->key_mgmt_suite == WPA_KEY_MGMT_IEEE8021X_SHA256 || params->key_mgmt_suite == WPA_KEY_MGMT_IEEE8021X_SHA256 ||
params->key_mgmt_suite == WPA_KEY_MGMT_PSK_SHA256) { params->key_mgmt_suite == WPA_KEY_MGMT_PSK_SHA256 ||
params->key_mgmt_suite == WPA_KEY_MGMT_IEEE8021X_SHA384) {
wpa_printf(MSG_DEBUG, " * control port"); wpa_printf(MSG_DEBUG, " * control port");
if (nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT)) if (nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT))
goto fail; goto fail;
@ -6803,7 +6805,8 @@ static int nl80211_connect_common(struct wpa_driver_nl80211_data *drv,
params->key_mgmt_suite == WPA_KEY_MGMT_FT_FILS_SHA256 || params->key_mgmt_suite == WPA_KEY_MGMT_FT_FILS_SHA256 ||
params->key_mgmt_suite == WPA_KEY_MGMT_FT_FILS_SHA384 || params->key_mgmt_suite == WPA_KEY_MGMT_FT_FILS_SHA384 ||
params->key_mgmt_suite == WPA_KEY_MGMT_OWE || params->key_mgmt_suite == WPA_KEY_MGMT_OWE ||
params->key_mgmt_suite == WPA_KEY_MGMT_DPP) { params->key_mgmt_suite == WPA_KEY_MGMT_DPP ||
params->key_mgmt_suite == WPA_KEY_MGMT_IEEE8021X_SHA384) {
u32 *mgmt; u32 *mgmt;
unsigned int akm_count = 1, i; unsigned int akm_count = 1, i;
@ -6887,6 +6890,9 @@ static int nl80211_connect_common(struct wpa_driver_nl80211_data *drv,
case WPA_KEY_MGMT_DPP: case WPA_KEY_MGMT_DPP:
mgmt[0] = RSN_AUTH_KEY_MGMT_DPP; mgmt[0] = RSN_AUTH_KEY_MGMT_DPP;
break; break;
case WPA_KEY_MGMT_IEEE8021X_SHA384:
mgmt[0] = RSN_AUTH_KEY_MGMT_802_1X_SHA384;
break;
case WPA_KEY_MGMT_PSK: case WPA_KEY_MGMT_PSK:
default: default:
mgmt[0] = RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X; mgmt[0] = RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X;


@ -54,7 +54,8 @@ static int rsn_preauth_key_mgmt(int akmp)
return !!(akmp & (WPA_KEY_MGMT_IEEE8021X | return !!(akmp & (WPA_KEY_MGMT_IEEE8021X |
WPA_KEY_MGMT_IEEE8021X_SHA256 | WPA_KEY_MGMT_IEEE8021X_SHA256 |
WPA_KEY_MGMT_IEEE8021X_SUITE_B | WPA_KEY_MGMT_IEEE8021X_SUITE_B |
WPA_KEY_MGMT_IEEE8021X_SUITE_B_192)); WPA_KEY_MGMT_IEEE8021X_SUITE_B_192 |
WPA_KEY_MGMT_IEEE8021X_SHA384));
} }


@ -3828,6 +3828,8 @@ static u32 wpa_key_mgmt_suite(struct wpa_sm *sm)
return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B; return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B;
case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192: case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192:
return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B_192; return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B_192;
case WPA_KEY_MGMT_IEEE8021X_SHA384:
return RSN_AUTH_KEY_MGMT_802_1X_SHA384;
default: default:
return 0; return 0;
} }


@ -230,6 +230,10 @@ static int wpa_gen_wpa_ie_rsn(u8 *rsn_ie, size_t rsn_ie_len,
} else if (key_mgmt & WPA_KEY_MGMT_OSEN) { } else if (key_mgmt & WPA_KEY_MGMT_OSEN) {
RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_OSEN); RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_OSEN);
#endif /* CONFIG_HS20 */ #endif /* CONFIG_HS20 */
#ifdef CONFIG_SHA384
} else if (key_mgmt == WPA_KEY_MGMT_IEEE8021X_SHA384) {
RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_802_1X_SHA384);
#endif /* CONFIG_SHA384 */
} else { } else {
wpa_printf(MSG_WARNING, "Invalid key management type (%d).", wpa_printf(MSG_WARNING, "Invalid key management type (%d).",
key_mgmt); key_mgmt);


@ -335,7 +335,7 @@ void bss_update(struct wlantest *wt, struct wlantest_bss *bss,
"pairwise=%s%s%s%s%s%s%s" "pairwise=%s%s%s%s%s%s%s"
"group=%s%s%s%s%s%s%s%s%s" "group=%s%s%s%s%s%s%s%s%s"
"mgmt_group_cipher=%s%s%s%s%s" "mgmt_group_cipher=%s%s%s%s%s"
"key_mgmt=%s%s%s%s%s%s%s%s%s%s%s%s%s%s" "key_mgmt=%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s"
"rsn_capab=%s%s%s%s%s%s%s%s%s%s", "rsn_capab=%s%s%s%s%s%s%s%s%s%s",
MAC2STR(bss->bssid), MAC2STR(bss->bssid),
bss->proto == 0 ? "OPEN " : "", bss->proto == 0 ? "OPEN " : "",
@ -387,6 +387,8 @@ void bss_update(struct wlantest *wt, struct wlantest_bss *bss,
"EAP-SUITE-B " : "", "EAP-SUITE-B " : "",
bss->key_mgmt & WPA_KEY_MGMT_IEEE8021X_SUITE_B_192 ? bss->key_mgmt & WPA_KEY_MGMT_IEEE8021X_SUITE_B_192 ?
"EAP-SUITE-B-192 " : "", "EAP-SUITE-B-192 " : "",
bss->key_mgmt & WPA_KEY_MGMT_IEEE8021X_SHA384 ?
"EAP-SHA384 " : "",
bss->rsn_capab & WPA_CAPABILITY_PREAUTH ? "PREAUTH " : "", bss->rsn_capab & WPA_CAPABILITY_PREAUTH ? "PREAUTH " : "",
bss->rsn_capab & WPA_CAPABILITY_NO_PAIRWISE ? bss->rsn_capab & WPA_CAPABILITY_NO_PAIRWISE ?
"NO_PAIRWISE " : "", "NO_PAIRWISE " : "",


@ -957,6 +957,9 @@ static void info_print_key_mgmt(char *buf, size_t len, int key_mgmt)
if (key_mgmt & WPA_KEY_MGMT_IEEE8021X_SUITE_B_192) if (key_mgmt & WPA_KEY_MGMT_IEEE8021X_SUITE_B_192)
pos += os_snprintf(pos, end - pos, "%sEAP-SUITE-B-192", pos += os_snprintf(pos, end - pos, "%sEAP-SUITE-B-192",
pos == buf ? "" : " "); pos == buf ? "" : " ");
if (key_mgmt & WPA_KEY_MGMT_IEEE8021X_SHA384)
pos += os_snprintf(pos, end - pos, "%sEAP-SHA384",
pos == buf ? "" : " ");
} }
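Review bot: The added `pos += os_snprintf(pos, end - pos, "%sEAP-SHA384", ...)` in info_print_key_mgmt() advances pos by the return value without checking it, the same as the SUITE-B-192 append above it. If any earlier append was truncated, pos is already past end and the `end - pos` passed here is negative, which becomes a very large size once converted. The ctrl_iface and config writers touched by this commit check `os_snprintf_error()` before advancing, and the new append can do the same. The function starts outside the hunk, and its earlier appends would need the same treatment for the check to be complete.

```c
	/* … unchanged: earlier key_mgmt appends … */
	if (key_mgmt & WPA_KEY_MGMT_IEEE8021X_SHA384) {
		int ret = os_snprintf(pos, end - pos, "%sEAP-SHA384",
				      pos == buf ? "" : " ");

		if (os_snprintf_error(end - pos, ret))
			return;
		pos += ret;
	}
```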


@ -252,7 +252,7 @@ skip_rsn_wpa:
wpa_printf(MSG_INFO, "STA " MACSTR wpa_printf(MSG_INFO, "STA " MACSTR
" proto=%s%s%s%s" " proto=%s%s%s%s"
"pairwise=%s%s%s%s%s%s%s" "pairwise=%s%s%s%s%s%s%s"
"key_mgmt=%s%s%s%s%s%s%s%s%s%s%s%s%s%s" "key_mgmt=%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s"
"rsn_capab=%s%s%s%s%s%s%s%s%s%s", "rsn_capab=%s%s%s%s%s%s%s%s%s%s",
MAC2STR(sta->addr), MAC2STR(sta->addr),
sta->proto == 0 ? "OPEN " : "", sta->proto == 0 ? "OPEN " : "",
@ -286,6 +286,8 @@ skip_rsn_wpa:
"EAP-SUITE-B " : "", "EAP-SUITE-B " : "",
sta->key_mgmt & WPA_KEY_MGMT_IEEE8021X_SUITE_B_192 ? sta->key_mgmt & WPA_KEY_MGMT_IEEE8021X_SUITE_B_192 ?
"EAP-SUITE-B-192 " : "", "EAP-SUITE-B-192 " : "",
sta->key_mgmt & WPA_KEY_MGMT_IEEE8021X_SHA384 ?
"EAP-SHA384 " : "",
sta->rsn_capab & WPA_CAPABILITY_PREAUTH ? "PREAUTH " : "", sta->rsn_capab & WPA_CAPABILITY_PREAUTH ? "PREAUTH " : "",
sta->rsn_capab & WPA_CAPABILITY_NO_PAIRWISE ? sta->rsn_capab & WPA_CAPABILITY_NO_PAIRWISE ?
"NO_PAIRWISE " : "", "NO_PAIRWISE " : "",


@ -793,6 +793,10 @@ static int wpa_config_parse_key_mgmt(const struct parse_data *data,
val |= WPA_KEY_MGMT_FT_IEEE8021X_SHA384; val |= WPA_KEY_MGMT_FT_IEEE8021X_SHA384;
#endif /* CONFIG_SHA384 */ #endif /* CONFIG_SHA384 */
#endif /* CONFIG_IEEE80211R */ #endif /* CONFIG_IEEE80211R */
#ifdef CONFIG_SHA384
else if (os_strcmp(start, "WPA-EAP-SHA384") == 0)
val |= WPA_KEY_MGMT_IEEE8021X_SHA384;
#endif /* CONFIG_SHA384 */
else if (os_strcmp(start, "WPA-PSK-SHA256") == 0) else if (os_strcmp(start, "WPA-PSK-SHA256") == 0)
val |= WPA_KEY_MGMT_PSK_SHA256; val |= WPA_KEY_MGMT_PSK_SHA256;
else if (os_strcmp(start, "WPA-EAP-SHA256") == 0) else if (os_strcmp(start, "WPA-EAP-SHA256") == 0)
@ -965,6 +969,18 @@ static char * wpa_config_write_key_mgmt(const struct parse_data *data,
#endif /* CONFIG_SHA384 */ #endif /* CONFIG_SHA384 */
#endif /* CONFIG_IEEE80211R */ #endif /* CONFIG_IEEE80211R */
#ifdef CONFIG_SHA384
if (ssid->key_mgmt & WPA_KEY_MGMT_IEEE8021X_SHA384) {
ret = os_snprintf(pos, end - pos, "%sWPA-EAP-SHA384",
pos == buf ? "" : " ");
if (os_snprintf_error(end - pos, ret)) {
end[-1] = '\0';
return buf;
}
pos += ret;
}
#endif /* CONFIG_SHA384 */
if (ssid->key_mgmt & WPA_KEY_MGMT_PSK_SHA256) { if (ssid->key_mgmt & WPA_KEY_MGMT_PSK_SHA256) {
ret = os_snprintf(pos, end - pos, "%sWPA-PSK-SHA256", ret = os_snprintf(pos, end - pos, "%sWPA-PSK-SHA256",
pos == buf ? "" : " "); pos == buf ? "" : " ");


@ -2967,6 +2967,16 @@ static char * wpa_supplicant_ie_txt(char *pos, char *end, const char *proto,
pos += ret; pos += ret;
} }
#ifdef CONFIG_SHA384
if (data.key_mgmt & WPA_KEY_MGMT_IEEE8021X_SHA384) {
ret = os_snprintf(pos, end - pos, "%sEAP-SHA384",
pos == start ? "" : "+");
if (os_snprintf_error(end - pos, ret))
return pos;
pos += ret;
}
#endif /* CONFIG_SHA384 */
pos = wpa_supplicant_cipher_txt(pos, end, data.pairwise_cipher); pos = wpa_supplicant_cipher_txt(pos, end, data.pairwise_cipher);
if (data.capabilities & WPA_CAPABILITY_PREAUTH) { if (data.capabilities & WPA_CAPABILITY_PREAUTH) {


@ -5303,7 +5303,7 @@ static dbus_bool_t wpas_dbus_get_bss_security_prop(
DBusMessageIter iter_dict, variant_iter; DBusMessageIter iter_dict, variant_iter;
const char *group; const char *group;
const char *pairwise[5]; /* max 5 pairwise ciphers is supported */ const char *pairwise[5]; /* max 5 pairwise ciphers is supported */
const char *key_mgmt[18]; /* max 18 key managements may be supported */ const char *key_mgmt[19]; /* max 19 key managements may be supported */
int n; int n;
if (!dbus_message_iter_open_container(iter, DBUS_TYPE_VARIANT, if (!dbus_message_iter_open_container(iter, DBUS_TYPE_VARIANT,
@ -5366,6 +5366,10 @@ static dbus_bool_t wpas_dbus_get_bss_security_prop(
#endif /* CONFIG_OWE */ #endif /* CONFIG_OWE */
if (ie_data->key_mgmt & WPA_KEY_MGMT_NONE) if (ie_data->key_mgmt & WPA_KEY_MGMT_NONE)
key_mgmt[n++] = "wpa-none"; key_mgmt[n++] = "wpa-none";
#ifdef CONFIG_SHA384
if (ie_data->key_mgmt & WPA_KEY_MGMT_IEEE8021X_SHA384)
key_mgmt[n++] = "wpa-eap-sha384";
#endif /* CONFIG_SHA384 */
if (!wpa_dbus_dict_append_string_array(&iter_dict, "KeyMgmt", if (!wpa_dbus_dict_append_string_array(&iter_dict, "KeyMgmt",
key_mgmt, n)) key_mgmt, n))
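Review bot: `key_mgmt[n++] = "wpa-eap-sha384";` writes into an array whose size is a hand-maintained count (18 bumped to 19), with no bound check on n in the visible lines. The bits come from `ie_data->key_mgmt`, which presumably reflects what a scanned BSS advertises, so a miscount would turn into a stack write past the array driven by over-the-air data. The other appends are outside the hunk, so the count cannot be verified from here. Checking n against `sizeof(key_mgmt) / sizeof(key_mgmt[0])` before the append would make the limit self-enforcing instead of relying on the comment.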


@ -1362,7 +1362,7 @@ static struct wpa_ssid * wpas_dpp_add_network(struct wpa_supplicant *wpa_s,
ssid->key_mgmt = WPA_KEY_MGMT_IEEE8021X | ssid->key_mgmt = WPA_KEY_MGMT_IEEE8021X |
WPA_KEY_MGMT_IEEE8021X_SHA256 | WPA_KEY_MGMT_IEEE8021X_SHA256 |
WPA_KEY_MGMT_IEEE8021X_SHA256; WPA_KEY_MGMT_IEEE8021X_SHA384;
ssid->ieee80211w = MGMT_FRAME_PROTECTION_OPTIONAL; ssid->ieee80211w = MGMT_FRAME_PROTECTION_OPTIONAL;
if (conf->cacert) { if (conf->cacert) {
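Review bot: Replacing the duplicated `WPA_KEY_MGMT_IEEE8021X_SHA256` term with `WPA_KEY_MGMT_IEEE8021X_SHA384` is not wrapped in `#ifdef CONFIG_SHA384`, unlike the parser, config writer and AKM selection code added elsewhere in this commit. In a build without CONFIG_SHA384 the DPP-provisioned network would carry an AKM bit that those paths compile out, so the stored `key_mgmt` and what gets written back to the configuration would differ. The line also changes which AKMs a DPP-provisioned 802.1X network accepts, which the commit message does not mention. wpas_dpp_add_network()'s body continues outside the hunk.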


@ -1804,6 +1804,12 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s,
wpa_dbg(wpa_s, MSG_DEBUG, wpa_dbg(wpa_s, MSG_DEBUG,
"WPA: using KEY_MGMT 802.1X with Suite B"); "WPA: using KEY_MGMT 802.1X with Suite B");
#endif /* CONFIG_SUITEB */ #endif /* CONFIG_SUITEB */
#ifdef CONFIG_SHA384
} else if (sel & WPA_KEY_MGMT_IEEE8021X_SHA384) {
wpa_s->key_mgmt = WPA_KEY_MGMT_IEEE8021X_SHA384;
wpa_dbg(wpa_s, MSG_DEBUG,
"WPA: using KEY_MGMT 802.1X with SHA384");
#endif /* CONFIG_SHA384 */
#ifdef CONFIG_FILS #ifdef CONFIG_FILS
#ifdef CONFIG_IEEE80211R #ifdef CONFIG_IEEE80211R
} else if (sel & WPA_KEY_MGMT_FT_FILS_SHA384) { } else if (sel & WPA_KEY_MGMT_FT_FILS_SHA384) {
@ -4282,14 +4288,17 @@ static void wpas_start_assoc_cb(struct wpa_radio_work *work, int deinit)
(params.key_mgmt_suite == WPA_KEY_MGMT_IEEE8021X || (params.key_mgmt_suite == WPA_KEY_MGMT_IEEE8021X ||
params.key_mgmt_suite == WPA_KEY_MGMT_IEEE8021X_SHA256 || params.key_mgmt_suite == WPA_KEY_MGMT_IEEE8021X_SHA256 ||
params.key_mgmt_suite == WPA_KEY_MGMT_IEEE8021X_SUITE_B || params.key_mgmt_suite == WPA_KEY_MGMT_IEEE8021X_SUITE_B ||
params.key_mgmt_suite == WPA_KEY_MGMT_IEEE8021X_SUITE_B_192)) params.key_mgmt_suite == WPA_KEY_MGMT_IEEE8021X_SUITE_B_192 ||
params.key_mgmt_suite == WPA_KEY_MGMT_IEEE8021X_SHA384))
params.req_handshake_offload = 1; params.req_handshake_offload = 1;
if (wpa_s->conf->key_mgmt_offload) { if (wpa_s->conf->key_mgmt_offload) {
if (params.key_mgmt_suite == WPA_KEY_MGMT_IEEE8021X || if (params.key_mgmt_suite == WPA_KEY_MGMT_IEEE8021X ||
params.key_mgmt_suite == WPA_KEY_MGMT_IEEE8021X_SHA256 || params.key_mgmt_suite == WPA_KEY_MGMT_IEEE8021X_SHA256 ||
params.key_mgmt_suite == WPA_KEY_MGMT_IEEE8021X_SUITE_B || params.key_mgmt_suite == WPA_KEY_MGMT_IEEE8021X_SUITE_B ||
params.key_mgmt_suite == WPA_KEY_MGMT_IEEE8021X_SUITE_B_192) params.key_mgmt_suite ==
WPA_KEY_MGMT_IEEE8021X_SUITE_B_192 ||
params.key_mgmt_suite == WPA_KEY_MGMT_IEEE8021X_SHA384)
params.req_key_mgmt_offload = params.req_key_mgmt_offload =
ssid->proactive_key_caching < 0 ? ssid->proactive_key_caching < 0 ?
wpa_s->conf->okc : ssid->proactive_key_caching; wpa_s->conf->okc : ssid->proactive_key_caching;
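Review bot: The new `sel & WPA_KEY_MGMT_IEEE8021X_SHA384` branch in wpa_supplicant_set_suites() sits ahead of the FILS branches, so when the network profile and the AP both allow 802.1X-SHA384 and FT-FILS-SHA384, the plain 802.1X AKM is chosen. If that preference is intended, a short comment on the branch stating where the suite ranks relative to FILS and FT would document it, for example `/* Preferred over FILS AKMs when both are offered */`. If it is not intended, the branch belongs below the FILS block. The else-if chain starts and continues outside the hunk, so its position relative to the earlier branches cannot be checked here.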


@ -1332,7 +1332,8 @@ void wpas_transition_disable(struct wpa_supplicant *wpa_s, u8 bitmap)
wpa_key_mgmt_wpa_ieee8021x(wpa_s->key_mgmt) && wpa_key_mgmt_wpa_ieee8021x(wpa_s->key_mgmt) &&
(ssid->key_mgmt & (WPA_KEY_MGMT_IEEE8021X | (ssid->key_mgmt & (WPA_KEY_MGMT_IEEE8021X |
WPA_KEY_MGMT_FT_IEEE8021X | WPA_KEY_MGMT_FT_IEEE8021X |
WPA_KEY_MGMT_IEEE8021X_SHA256)) && WPA_KEY_MGMT_IEEE8021X_SHA256 |
WPA_KEY_MGMT_IEEE8021X_SHA384)) &&
(ssid->ieee80211w != MGMT_FRAME_PROTECTION_REQUIRED || (ssid->ieee80211w != MGMT_FRAME_PROTECTION_REQUIRED ||
(ssid->group_cipher & WPA_CIPHER_TKIP))) { (ssid->group_cipher & WPA_CIPHER_TKIP))) {
disable_wpa_wpa2(ssid); disable_wpa_wpa2(ssid);