DGNum/hostapd
6
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

SAE: Use H2E whenever Password Identifier is used

Browse source 
IEEE P802.11-REVmd was modified to require H2E to be used whenever
Password Identifier is used with SAE.

See this document for more details of the approved changes:
https://mentor.ieee.org/802.11/dcn/19/11-19-2154-02-000m-sae-anti-clogging-token.docx

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This commit is contained in:
Jouni Malinen 2020-01-20 21:15:04 +02:00 committed by Jouni Malinen
parent 6a673d0fb0
commit e36a5894d0
9 changed files with 60 additions and 25 deletions
Download patch file Download diff file Expand all files Collapse all files

3
src/ap/ap_config.c
View file

@ -441,7 +441,8 @@ int hostapd_setup_sae_pt(struct hostapd_bss_config *conf)
struct hostapd_ssid *ssid = &conf->ssid;
struct sae_password_entry *pw;
if (conf->sae_pwe == 0 || !wpa_key_mgmt_sae(conf->wpa_key_mgmt))
if ((conf->sae_pwe == 0 && !hostapd_sae_pw_id_in_use(conf)) ||
!wpa_key_mgmt_sae(conf->wpa_key_mgmt))
return 0; /* PT not needed */
sae_deinit_pt(ssid->pt);

40
src/ap/ieee802_11.c
View file

@ -88,6 +88,7 @@ u8 * hostapd_eid_supp_rates(struct hostapd_data *hapd, u8 *eid)
{
u8 *pos = eid;
int i, num, count;
int h2e_required;
if (hapd->iface->current_rates == NULL)
return eid;
@ -98,8 +99,10 @@ u8 * hostapd_eid_supp_rates(struct hostapd_data *hapd, u8 *eid)
num++;
if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht)
num++;
if (hapd->conf->sae_pwe == 1 &&
wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt))
h2e_required = (hapd->conf->sae_pwe == 1 ||
hostapd_sae_pw_id_in_use(hapd->conf) == 2) &&
wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt);
if (h2e_required)
num++;
if (num > 8) {
/* rest of the rates are encoded in Extended supported
@ -127,9 +130,7 @@ u8 * hostapd_eid_supp_rates(struct hostapd_data *hapd, u8 *eid)
*pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_VHT_PHY;
}
if (hapd->conf->sae_pwe == 1 &&
wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt) &&
count < 8) {
if (h2e_required && count < 8) {
count++;
*pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_SAE_H2E_ONLY;
}
@ -142,6 +143,7 @@ u8 * hostapd_eid_ext_supp_rates(struct hostapd_data *hapd, u8 *eid)
{
u8 *pos = eid;
int i, num, count;
int h2e_required;
if (hapd->iface->current_rates == NULL)
return eid;
@ -151,8 +153,10 @@ u8 * hostapd_eid_ext_supp_rates(struct hostapd_data *hapd, u8 *eid)
num++;
if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht)
num++;
if (hapd->conf->sae_pwe == 1 &&
wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt))
h2e_required = (hapd->conf->sae_pwe == 1 ||
hostapd_sae_pw_id_in_use(hapd->conf) == 2) &&
wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt);
if (h2e_required)
num++;
if (num <= 8)
return eid;
@ -183,8 +187,7 @@ u8 * hostapd_eid_ext_supp_rates(struct hostapd_data *hapd, u8 *eid)
*pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_VHT_PHY;
}
if (hapd->conf->sae_pwe == 1 &&
wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt)) {
if (h2e_required) {
count++;
if (count > 8)
*pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_SAE_H2E_ONLY;
@ -453,7 +456,9 @@ static struct wpabuf * auth_build_sae_commit(struct hostapd_data *hapd,
use_pt = sta->sae->tmp->h2e;
}
if (status_code == WLAN_STATUS_SUCCESS)
if (rx_id)
use_pt = 1;
else if (status_code == WLAN_STATUS_SUCCESS)
use_pt = 0;
else if (status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT)
use_pt = 1;
@ -1060,11 +1065,20 @@ static void sae_pick_next_group(struct hostapd_data *hapd, struct sta_info *sta)
static int sae_status_success(struct hostapd_data *hapd, u16 status_code)
{
return (hapd->conf->sae_pwe == 0 &&
int sae_pwe = hapd->conf->sae_pwe;
int id_in_use;
id_in_use = hostapd_sae_pw_id_in_use(hapd->conf);
if (id_in_use == 2)
sae_pwe = 1;
else if (id_in_use == 1 && sae_pwe == 0)
sae_pwe = 2;
return (sae_pwe == 0 &&
status_code == WLAN_STATUS_SUCCESS) ||
(hapd->conf->sae_pwe == 1 &&
(sae_pwe == 1 &&
status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT) ||
(hapd->conf->sae_pwe == 2 &&
(sae_pwe == 2 &&
(status_code == WLAN_STATUS_SUCCESS ||
status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT));
}

3
src/ap/ieee802_11_shared.c
View file

@ -1014,7 +1014,8 @@ u8 * hostapd_eid_rsnxe(struct hostapd_data *hapd, u8 *eid, size_t len)
if (!(hapd->conf->wpa & WPA_PROTO_RSN) ||
!wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt) ||
(hapd->conf->sae_pwe != 1 && hapd->conf->sae_pwe != 2) ||
(hapd->conf->sae_pwe != 1 && hapd->conf->sae_pwe != 2 &&
!hostapd_sae_pw_id_in_use(hapd->conf)) ||
len < 3)
return pos;

7
src/ap/wpa_auth_glue.c
View file

@ -37,6 +37,8 @@ static void hostapd_wpa_auth_conf(struct hostapd_bss_config *conf,
struct hostapd_config *iconf,
struct wpa_auth_config *wconf)
{
int sae_pw_id;
os_memset(wconf, 0, sizeof(*wconf));
wconf->wpa = conf->wpa;
wconf->wpa_key_mgmt = conf->wpa_key_mgmt;
@ -155,6 +157,11 @@ static void hostapd_wpa_auth_conf(struct hostapd_bss_config *conf,
FILS_CACHE_ID_LEN);
#endif /* CONFIG_FILS */
wconf->sae_pwe = conf->sae_pwe;
sae_pw_id = hostapd_sae_pw_id_in_use(conf);
if (sae_pw_id == 2)
wconf->sae_pwe = 1;
else if (sae_pw_id == 1 && wconf->sae_pwe == 0)
wconf->sae_pwe = 2;
}