mirror of
https://github.com/vanhoefm/fragattacks.git
synced 2024-11-25 00:38:24 -05:00
DPP: Add akm=sae and akm=psk+sae support in Enrollee role
This allows DPP to be used for enrolling credentials for SAE networks in addition to the legacy PSK (WPA-PSK) case. In addition, enable FT-PSK and FT-SAE cases automatically. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This commit is contained in:
Jouni Malinen
Jouni Malinen
parent
af872d9d88
commit
5dd745b738
@ -711,6 +711,8 @@ static void hostapd_dpp_gas_resp_cb(void *ctx, const u8 *addr, u8 dialog_token,
|
|||||||
}
|
}
|
||||||
|
|
||||||
wpa_msg(hapd->msg_ctx, MSG_INFO, DPP_EVENT_CONF_RECEIVED);
|
wpa_msg(hapd->msg_ctx, MSG_INFO, DPP_EVENT_CONF_RECEIVED);
|
||||||
|
wpa_msg(hapd->msg_ctx, MSG_INFO, DPP_EVENT_CONFOBJ_AKM "%s",
|
||||||
|
dpp_akm_str(auth->akm));
|
||||||
if (auth->ssid_len)
|
if (auth->ssid_len)
|
||||||
wpa_msg(hapd->msg_ctx, MSG_INFO, DPP_EVENT_CONFOBJ_SSID "%s",
|
wpa_msg(hapd->msg_ctx, MSG_INFO, DPP_EVENT_CONFOBJ_SSID "%s",
|
||||||
wpa_ssid_txt(auth->ssid, auth->ssid_len));
|
wpa_ssid_txt(auth->ssid, auth->ssid_len));
|
||||||
|
|||||||
@ -4517,6 +4517,11 @@ static int dpp_parse_cred_legacy(struct dpp_authentication *auth,
|
|||||||
os_strlcpy(auth->passphrase, pass->string,
|
os_strlcpy(auth->passphrase, pass->string,
|
||||||
sizeof(auth->passphrase));
|
sizeof(auth->passphrase));
|
||||||
} else if (psk_hex && psk_hex->type == JSON_STRING) {
|
} else if (psk_hex && psk_hex->type == JSON_STRING) {
|
||||||
|
if (auth->akm == DPP_AKM_SAE) {
|
||||||
|
wpa_printf(MSG_DEBUG,
|
||||||
|
"DPP: Unexpected psk_hex with akm=sae");
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
if (os_strlen(psk_hex->string) != PMK_LEN * 2 ||
|
if (os_strlen(psk_hex->string) != PMK_LEN * 2 ||
|
||||||
hexstr2bin(psk_hex->string, auth->psk, PMK_LEN) < 0) {
|
hexstr2bin(psk_hex->string, auth->psk, PMK_LEN) < 0) {
|
||||||
wpa_printf(MSG_DEBUG, "DPP: Invalid psk_hex encoding");
|
wpa_printf(MSG_DEBUG, "DPP: Invalid psk_hex encoding");
|
||||||
@ -4530,6 +4535,12 @@ static int dpp_parse_cred_legacy(struct dpp_authentication *auth,
|
|||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if ((auth->akm == DPP_AKM_SAE || auth->akm == DPP_AKM_PSK_SAE) &&
|
||||||
|
!auth->passphrase[0]) {
|
||||||
|
wpa_printf(MSG_DEBUG, "DPP: No pass for sae found");
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -5092,6 +5103,37 @@ fail:
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
const char * dpp_akm_str(enum dpp_akm akm)
|
||||||
|
{
|
||||||
|
switch (akm) {
|
||||||
|
case DPP_AKM_DPP:
|
||||||
|
return "dpp";
|
||||||
|
case DPP_AKM_PSK:
|
||||||
|
return "psk";
|
||||||
|
case DPP_AKM_SAE:
|
||||||
|
return "sae";
|
||||||
|
case DPP_AKM_PSK_SAE:
|
||||||
|
return "psk+sae";
|
||||||
|
default:
|
||||||
|
return "??";
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
static enum dpp_akm dpp_akm_from_str(const char *akm)
|
||||||
|
{
|
||||||
|
if (os_strcmp(akm, "psk") == 0)
|
||||||
|
return DPP_AKM_PSK;
|
||||||
|
if (os_strcmp(akm, "sae") == 0)
|
||||||
|
return DPP_AKM_SAE;
|
||||||
|
if (os_strcmp(akm, "psk+sae") == 0)
|
||||||
|
return DPP_AKM_PSK_SAE;
|
||||||
|
if (os_strcmp(akm, "dpp") == 0)
|
||||||
|
return DPP_AKM_DPP;
|
||||||
|
return DPP_AKM_UNKNOWN;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
static int dpp_parse_conf_obj(struct dpp_authentication *auth,
|
static int dpp_parse_conf_obj(struct dpp_authentication *auth,
|
||||||
const u8 *conf_obj, u16 conf_obj_len)
|
const u8 *conf_obj, u16 conf_obj_len)
|
||||||
{
|
{
|
||||||
@ -5149,10 +5191,13 @@ static int dpp_parse_conf_obj(struct dpp_authentication *auth,
|
|||||||
dpp_auth_fail(auth, "No cred::akm string value found");
|
dpp_auth_fail(auth, "No cred::akm string value found");
|
||||||
goto fail;
|
goto fail;
|
||||||
}
|
}
|
||||||
if (os_strcmp(token->string, "psk") == 0) {
|
auth->akm = dpp_akm_from_str(token->string);
|
||||||
|
|
||||||
|
if (auth->akm == DPP_AKM_PSK || auth->akm == DPP_AKM_SAE ||
|
||||||
|
auth->akm == DPP_AKM_PSK_SAE) {
|
||||||
if (dpp_parse_cred_legacy(auth, cred) < 0)
|
if (dpp_parse_cred_legacy(auth, cred) < 0)
|
||||||
goto fail;
|
goto fail;
|
||||||
} else if (os_strcmp(token->string, "dpp") == 0) {
|
} else if (auth->akm == DPP_AKM_DPP) {
|
||||||
if (dpp_parse_cred_dpp(auth, cred) < 0)
|
if (dpp_parse_cred_dpp(auth, cred) < 0)
|
||||||
goto fail;
|
goto fail;
|
||||||
} else {
|
} else {
|
||||||
|
|||||||
@ -136,6 +136,14 @@ struct dpp_pkex {
|
|||||||
unsigned int freq;
|
unsigned int freq;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
enum dpp_akm {
|
||||||
|
DPP_AKM_UNKNOWN,
|
||||||
|
DPP_AKM_DPP,
|
||||||
|
DPP_AKM_PSK,
|
||||||
|
DPP_AKM_SAE,
|
||||||
|
DPP_AKM_PSK_SAE
|
||||||
|
};
|
||||||
|
|
||||||
struct dpp_configuration {
|
struct dpp_configuration {
|
||||||
u8 ssid[32];
|
u8 ssid[32];
|
||||||
size_t ssid_len;
|
size_t ssid_len;
|
||||||
@ -201,6 +209,7 @@ struct dpp_authentication {
|
|||||||
char passphrase[64];
|
char passphrase[64];
|
||||||
u8 psk[PMK_LEN];
|
u8 psk[PMK_LEN];
|
||||||
int psk_set;
|
int psk_set;
|
||||||
|
enum dpp_akm akm;
|
||||||
struct wpabuf *net_access_key;
|
struct wpabuf *net_access_key;
|
||||||
os_time_t net_access_key_expiry;
|
os_time_t net_access_key_expiry;
|
||||||
struct wpabuf *c_sign_key;
|
struct wpabuf *c_sign_key;
|
||||||
@ -361,6 +370,7 @@ struct wpabuf * dpp_alloc_msg(enum dpp_public_action_frame_type type,
|
|||||||
const u8 * dpp_get_attr(const u8 *buf, size_t len, u16 req_id, u16 *ret_len);
|
const u8 * dpp_get_attr(const u8 *buf, size_t len, u16 req_id, u16 *ret_len);
|
||||||
int dpp_check_attrs(const u8 *buf, size_t len);
|
int dpp_check_attrs(const u8 *buf, size_t len);
|
||||||
int dpp_key_expired(const char *timestamp, os_time_t *expiry);
|
int dpp_key_expired(const char *timestamp, os_time_t *expiry);
|
||||||
|
const char * dpp_akm_str(enum dpp_akm akm);
|
||||||
void dpp_configurator_free(struct dpp_configurator *conf);
|
void dpp_configurator_free(struct dpp_configurator *conf);
|
||||||
struct dpp_configurator *
|
struct dpp_configurator *
|
||||||
dpp_keygen_configurator(const char *curve, const u8 *privkey,
|
dpp_keygen_configurator(const char *curve, const u8 *privkey,
|
||||||
|
|||||||
@ -160,6 +160,7 @@ extern "C" {
|
|||||||
#define DPP_EVENT_CONF_RECEIVED "DPP-CONF-RECEIVED "
|
#define DPP_EVENT_CONF_RECEIVED "DPP-CONF-RECEIVED "
|
||||||
#define DPP_EVENT_CONF_SENT "DPP-CONF-SENT "
|
#define DPP_EVENT_CONF_SENT "DPP-CONF-SENT "
|
||||||
#define DPP_EVENT_CONF_FAILED "DPP-CONF-FAILED "
|
#define DPP_EVENT_CONF_FAILED "DPP-CONF-FAILED "
|
||||||
|
#define DPP_EVENT_CONFOBJ_AKM "DPP-CONFOBJ-AKM "
|
||||||
#define DPP_EVENT_CONFOBJ_SSID "DPP-CONFOBJ-SSID "
|
#define DPP_EVENT_CONFOBJ_SSID "DPP-CONFOBJ-SSID "
|
||||||
#define DPP_EVENT_CONFOBJ_PASS "DPP-CONFOBJ-PASS "
|
#define DPP_EVENT_CONFOBJ_PASS "DPP-CONFOBJ-PASS "
|
||||||
#define DPP_EVENT_CONFOBJ_PSK "DPP-CONFOBJ-PSK "
|
#define DPP_EVENT_CONFOBJ_PSK "DPP-CONFOBJ-PSK "
|
||||||
|
|||||||
@ -1108,7 +1108,13 @@ static struct wpa_ssid * wpas_dpp_add_network(struct wpa_supplicant *wpa_s,
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (!auth->connector) {
|
if (!auth->connector) {
|
||||||
ssid->key_mgmt = WPA_KEY_MGMT_PSK | WPA_KEY_MGMT_PSK_SHA256;
|
ssid->key_mgmt = 0;
|
||||||
|
if (auth->akm == DPP_AKM_PSK || auth->akm == DPP_AKM_PSK_SAE)
|
||||||
|
ssid->key_mgmt |= WPA_KEY_MGMT_PSK |
|
||||||
|
WPA_KEY_MGMT_PSK_SHA256 | WPA_KEY_MGMT_FT_PSK;
|
||||||
|
if (auth->akm == DPP_AKM_SAE || auth->akm == DPP_AKM_PSK_SAE)
|
||||||
|
ssid->key_mgmt |= WPA_KEY_MGMT_SAE |
|
||||||
|
WPA_KEY_MGMT_FT_SAE;
|
||||||
ssid->ieee80211w = 1;
|
ssid->ieee80211w = 1;
|
||||||
if (auth->passphrase[0]) {
|
if (auth->passphrase[0]) {
|
||||||
if (wpa_config_set_quoted(ssid, "psk",
|
if (wpa_config_set_quoted(ssid, "psk",
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user