Updated MFP defines based on IEEE 802.11w/D6.0 and use new MFPC/MFPR

This adds most of the new frame format and identifier definitions from IEEE 802.11w/D6.0. In addition, the RSN IE capability field values for MFP is replaced with the new two-bit version with MFPC (capable) and MFPR (required) processing.
2024-11-28 18:28:23 -05:00 · 2008-08-30 14:59:39 +03:00 · 2008-08-30 14:59:39 +03:00 · 0b60b0aaad
commit 0b60b0aaad
parent b3f240bc0e
7 changed files with 43 additions and 17 deletions
--- a/hostapd/wpa_auth_ie.c
+++ b/hostapd/wpa_auth_ie.c
@ -208,8 +208,11 @@ int wpa_write_rsn_ie(struct wpa_auth_config *conf, u8 *buf, size_t len,
 		capab |= (RSN_NUM_REPLAY_COUNTERS_16 << 2);
 	}
 #ifdef CONFIG_IEEE80211W
-	if (conf->ieee80211w != WPA_NO_IEEE80211W)
-		capab |= WPA_CAPABILITY_MGMT_FRAME_PROTECTION;
+	if (conf->ieee80211w != WPA_NO_IEEE80211W) {
+		capab |= WPA_CAPABILITY_MFPC;
+		if (conf->ieee80211w == IEEE80211W_REQUIRED)
+			capab |= WPA_CAPABILITY_MFPR;
+	}
 #endif /* CONFIG_IEEE80211W */
 	WPA_PUT_LE16(pos, capab);
 	pos += 2;
@ -580,8 +583,7 @@ int wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth,

 #ifdef CONFIG_IEEE80211W
 	if (wpa_auth->conf.ieee80211w == WPA_IEEE80211W_REQUIRED) {
-		if (!(data.capabilities &
-		      WPA_CAPABILITY_MGMT_FRAME_PROTECTION)) {
+		if (!(data.capabilities & WPA_CAPABILITY_MFPC)) {
 			wpa_printf(MSG_DEBUG, "Management frame protection "
 				   "required, but client did not enable it");
 			return WPA_MGMT_FRAME_PROTECTION_VIOLATION;
@ -601,7 +603,7 @@ int wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth,
 	}

 	if (wpa_auth->conf.ieee80211w == WPA_NO_IEEE80211W ||
-	    !(data.capabilities & WPA_CAPABILITY_MGMT_FRAME_PROTECTION))
+	    !(data.capabilities & WPA_CAPABILITY_MFPC))
 		sm->mgmt_frame_prot = 0;
 	else
 		sm->mgmt_frame_prot = 1;
--- a/src/common/ieee802_11_defs.h
+++ b/src/common/ieee802_11_defs.h
@ -92,7 +92,7 @@
 #define WLAN_CAPABILITY_SHORT_SLOT_TIME BIT(10)
 #define WLAN_CAPABILITY_DSSS_OFDM BIT(13)

-/* Status codes */
+/* Status codes (IEEE 802.11-2007, 7.3.1.9, Table 7-23) */
 #define WLAN_STATUS_SUCCESS 0
 #define WLAN_STATUS_UNSPECIFIED_FAILURE 1
 #define WLAN_STATUS_CAPS_UNSUPPORTED 10
@ -112,10 +112,12 @@
 #define WLAN_STATUS_SPEC_MGMT_REQUIRED 22
 #define WLAN_STATUS_PWR_CAPABILITY_NOT_VALID 23
 #define WLAN_STATUS_SUPPORTED_CHANNEL_NOT_VALID 24
-/* 802.11g */
+/* IEEE 802.11g */
 #define WLAN_STATUS_ASSOC_DENIED_NO_SHORT_SLOT_TIME 25
 #define WLAN_STATUS_ASSOC_DENIED_NO_ER_PBCC 26
 #define WLAN_STATUS_ASSOC_DENIED_NO_DSSS_OFDM 27
+/* IEEE 802.11w */
+#define WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY 30
 /* IEEE 802.11i */
 #define WLAN_STATUS_INVALID_IE 40
 #define WLAN_STATUS_GROUP_CIPHER_NOT_VALID 41
@ -136,7 +138,7 @@
 #define WLAN_STATUS_INVALID_MDIE 55
 #define WLAN_STATUS_INVALID_FTIE 56

-/* Reason codes */
+/* Reason codes (IEEE 802.11-2007, 7.3.1.7, Table 7-22) */
 #define WLAN_REASON_UNSPECIFIED 1
 #define WLAN_REASON_PREV_AUTH_NOT_VALID 2
 #define WLAN_REASON_DEAUTH_LEAVING 3
@ -146,7 +148,7 @@
 #define WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA 7
 #define WLAN_REASON_DISASSOC_STA_HAS_LEFT 8
 #define WLAN_REASON_STA_REQ_ASSOC_WITHOUT_AUTH 9
-/* 802.11h */
+/* IEEE 802.11h */
 #define WLAN_REASON_PWR_CAPABILITY_NOT_VALID 10
 #define WLAN_REASON_SUPPORTED_CHANNEL_NOT_VALID 11
 /* IEEE 802.11i */
@ -162,6 +164,9 @@
 #define WLAN_REASON_INVALID_RSN_IE_CAPAB 22
 #define WLAN_REASON_IEEE_802_1X_AUTH_FAILED 23
 #define WLAN_REASON_CIPHER_SUITE_REJECTED 24
+/* IEEE 802.11w */
+#define WLAN_REASON_INVALID_GROUP_MGMT_CIPHER 25
+#define WLAN_REASON_ROBUST_MGMT_FRAME_POLICY_VIOLATION 26


 /* Information Element IDs */
@ -199,16 +204,19 @@
 #define WLAN_EID_20_40_BSS_COEXISTENCE 72
 #define WLAN_EID_20_40_BSS_INTOLERANT 73
 #define WLAN_EID_OVERLAPPING_BSS_SCAN_PARAMS 74
+#define WLAN_EID_MMIE 76
+#define WLAN_EID_ASSOC_COMEBACK_TIME 77
 #define WLAN_EID_VENDOR_SPECIFIC 221


-/* Action frame categories */
+/* Action frame categories (IEEE 802.11-2007, 7.3.1.11, Table 7-24) */
 #define WLAN_ACTION_SPECTRUM_MGMT 0
 #define WLAN_ACTION_QOS 1
 #define WLAN_ACTION_DLS 2
 #define WLAN_ACTION_BLOCK_ACK 3
 #define WLAN_ACTION_RADIO_MEASUREMENT 5
 #define WLAN_ACTION_FT 6
+#define WLAN_ACTION_PING 8


 #ifdef _MSC_VER
@ -306,6 +314,14 @@ struct ieee80211_mgmt {
 					le16 status_code;
 					u8 variable[0]; /* FT Request */
 				} STRUCT_PACKED ft_action_resp;
+				struct {
+					u8 action;
+					u8 transaction_id[16];
+				} STRUCT_PACKED ping_req;
+				struct {
+					u8 action;
+					u8 transaction_id[16];
+				} STRUCT_PACKED ping_resp;
 			} u;
 		} STRUCT_PACKED action;
 	} u;
--- a/src/common/wpa_common.h
+++ b/src/common/wpa_common.h
@ -54,6 +54,9 @@
 #define RSN_AUTH_KEY_MGMT_FT_802_1X RSN_SELECTOR(0x00, 0x0f, 0xac, 3)
 #define RSN_AUTH_KEY_MGMT_FT_PSK RSN_SELECTOR(0x00, 0x0f, 0xac, 4)
 #endif /* CONFIG_IEEE80211R */
+#define RSN_AUTH_KEY_MGMT_802_1X_SHA256 RSN_SELECTOR(0x00, 0x0f, 0xac, 5)
+#define RSN_AUTH_KEY_MGMT_PSK_SHA256 RSN_SELECTOR(0x00, 0x0f, 0xac, 6)
+
 #define RSN_CIPHER_SUITE_NONE RSN_SELECTOR(0x00, 0x0f, 0xac, 0)
 #define RSN_CIPHER_SUITE_WEP40 RSN_SELECTOR(0x00, 0x0f, 0xac, 1)
 #define RSN_CIPHER_SUITE_TKIP RSN_SELECTOR(0x00, 0x0f, 0xac, 2)
@ -107,7 +110,11 @@

 /* IEEE 802.11, 7.3.2.25.3 RSN Capabilities */
 #define WPA_CAPABILITY_PREAUTH BIT(0)
-#define WPA_CAPABILITY_MGMT_FRAME_PROTECTION BIT(7)
+#define WPA_CAPABILITY_NO_PAIRWISE BIT(1)
+/* B2-B3: PTKSA Replay Counter */
+/* B4-B5: GTKSA Replay Counter */
+#define WPA_CAPABILITY_MFPR BIT(6)
+#define WPA_CAPABILITY_MFPC BIT(7)
 #define WPA_CAPABILITY_PEERKEY_ENABLED BIT(9)


@ -273,6 +280,7 @@ struct rsn_ftie {
 #define FTIE_SUBELEM_R1KH_ID 1
 #define FTIE_SUBELEM_GTK 2
 #define FTIE_SUBELEM_R0KH_ID 3
+#define FTIE_SUBELEM_IGTK 4

 #endif /* CONFIG_IEEE80211R */

--- a/src/rsn_supp/wpa_ft.c
+++ b/src/rsn_supp/wpa_ft.c
@ -193,7 +193,7 @@ static u8 * wpa_ft_gen_req_ies(struct wpa_sm *sm, size_t *len,
 	capab = 0;
 #ifdef CONFIG_IEEE80211W
 	if (sm->mgmt_group_cipher == WPA_CIPHER_AES_128_CMAC)
-		capab |= WPA_CAPABILITY_MGMT_FRAME_PROTECTION;
+		capab |= WPA_CAPABILITY_MFPC;
 #endif /* CONFIG_IEEE80211W */
 	WPA_PUT_LE16(pos, capab);
 	pos += 2;
--- a/src/rsn_supp/wpa_ie.c
+++ b/src/rsn_supp/wpa_ie.c
@ -327,7 +327,7 @@ static int wpa_gen_wpa_ie_rsn(u8 *rsn_ie, size_t rsn_ie_len,
 	capab = 0;
 #ifdef CONFIG_IEEE80211W
 	if (mgmt_group_cipher == WPA_CIPHER_AES_128_CMAC)
-		capab |= WPA_CAPABILITY_MGMT_FRAME_PROTECTION;
+		capab |= WPA_CAPABILITY_MFPC;
 #endif /* CONFIG_IEEE80211W */
 	WPA_PUT_LE16(pos, capab);
 	pos += 2;
--- a/wpa_supplicant/events.c
+++ b/wpa_supplicant/events.c
@ -309,8 +309,8 @@ static int wpa_supplicant_ssid_bss_match(struct wpa_ssid *ssid,
 		}

 #ifdef CONFIG_IEEE80211W
-		if (!(ie.capabilities & WPA_CAPABILITY_MGMT_FRAME_PROTECTION)
-		    && ssid->ieee80211w == IEEE80211W_REQUIRED) {
+		if (!(ie.capabilities & WPA_CAPABILITY_MFPC) &&
+		    ssid->ieee80211w == IEEE80211W_REQUIRED) {
 			wpa_printf(MSG_DEBUG, "   skip RSN IE - no mgmt frame "
 				   "protection");
 			break;
--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c
@ -676,7 +676,7 @@ static int wpa_supplicant_suites_from_ai(struct wpa_supplicant *wpa_s,
 	}

 #ifdef CONFIG_IEEE80211W
-	if (!(ie->capabilities & WPA_CAPABILITY_MGMT_FRAME_PROTECTION) &&
+	if (!(ie->capabilities & WPA_CAPABILITY_MFPC) &&
 	    ssid->ieee80211w == IEEE80211W_REQUIRED) {
 		wpa_msg(wpa_s, MSG_INFO, "WPA: Driver associated with an AP "
 			"that does not support management frame protection - "
@ -845,7 +845,7 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s,
 #ifdef CONFIG_IEEE80211W
 	sel = ie.mgmt_group_cipher;
 	if (ssid->ieee80211w == NO_IEEE80211W ||
-	    !(ie.capabilities & WPA_CAPABILITY_MGMT_FRAME_PROTECTION))
+	    !(ie.capabilities & WPA_CAPABILITY_MFPC))
 		sel = 0;
 	if (sel & WPA_CIPHER_AES_128_CMAC) {
 		wpa_s->mgmt_group_cipher = WPA_CIPHER_AES_128_CMAC;