[PATCH 3/3] OWE: allow adding new STAs w/o DH IEs when OWE is offloaded

Drivers/cards supporting SME internally may perform OWE offloading to
hostapd. This can be done using the EVENT_UPDATE_DH mechanism and the
appropriate handler hostapd_notif_update_dh_ie. When this mechanism is in
use, hostapd creates STA entries for OWE processing and reports the DH
information element to the driver. After association is completed, the
driver notifies hostapd that a new STA is ready using the EVENT_ASSOC
mechanism and the appropriate handler hostapd_notif_assoc.

Currently the availability of DH IEs is validated in both events by the
function wpa_validate_wpa_ie. However, for EVENT_ASSOC this is needed only
for non-SME drivers. For SME drivers this may be redundant, since during
processing of the OWE offload the STA entry has already been added and the
OWE PMK has already been created.

This patch modifies OWE processing so that drivers performing OWE offload
may not pass DH IE in EVENT_ASSOC. For this purpose the following changes
have been introduced. Function wpa_validate_wpa_ie is modified so that it
does not report failure if the DH IE is not provided. DH IE availability is
checked in owe_assoc_req_process in case a previously derived
OWE PMK is not available. Besides, availability of the DH IE is verified
in handle_assoc (check_assoc_ies).

Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@xxxxxxxxxxxxx>
---
 src/ap/drv_callbacks.c |  8 ++++++--
 src/ap/ieee802_11.c    | 15 +++++++++++++--
 src/ap/wpa_auth_ie.c   |  5 -----
 3 files changed, 19 insertions(+), 9 deletions(-)

diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c
index 38506a097..f38719bff 100644
--- a/src/ap/drv_callbacks.c
+++ b/src/ap/drv_callbacks.c
@@ -570,8 +570,7 @@ skip_wpa_check:
 
 #ifdef CONFIG_OWE
 	if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) &&
-	    wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_OWE &&
-	    elems.owe_dh) {
+	    wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_OWE) {
 		u8 *npos;
 
 		npos = owe_assoc_req_process(hapd, sta,
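Review bot: With `elems.owe_dh` dropped from this condition, owe_assoc_req_process() is now entered with a possibly NULL DH pointer, and nothing at this call site says why that is acceptable. The safety of the call now rests entirely on the NULL check added inside owe_assoc_req_process() in ieee802_11.c. A short comment above the `if` stating that a missing Diffie-Hellman Parameter element is tolerated only when the driver has already offloaded OWE through EVENT_UPDATE_DH would keep a later refactor from silently reintroducing a NULL dereference or an unkeyed association.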
@@ -588,6 +587,11 @@ skip_wpa_check:
 			return 0;
 		}
 
+		if (!npos && status == WLAN_STATUS_AKMP_NOT_VALID) {
+			reason = WLAN_REASON_AKMP_NOT_VALID;
+			goto fail;
+		}
+
 		if (!npos || status != WLAN_STATUS_SUCCESS)
 			goto fail;
 	}
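Review bot: The new block sets `reason` only for WLAN_STATUS_AKMP_NOT_VALID, while the unchanged `if (!npos || status != WLAN_STATUS_SUCCESS) goto fail;` directly below still jumps to `fail` without touching `reason`, so every other OWE failure status keeps whatever value `reason` had earlier in the function. Either document that this asymmetry is intended, or fold both branches into one block that maps the status to a reason before the `goto fail`. The `!npos &&` term also looks redundant, since the added code in owe_assoc_req_process() always returns NULL together with that status.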
diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index 68fdba4e0..e61ed595f 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -3352,8 +3352,13 @@ static u16 check_assoc_ies(struct hostapd_data *hapd, struct sta_info *sta,
 
 #ifdef CONFIG_OWE
 		if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) &&
-		    wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_OWE &&
-		    elems.owe_dh) {
+		    wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_OWE) {
+			if (!elems.owe_dh) {
+				wpa_printf(MSG_DEBUG,
+					"OWE: No Diffie-Hellman Parameter element");
+				return WLAN_STATUS_AKMP_NOT_VALID;
+			}
+
 			resp = owe_process_assoc_req(hapd, sta, elems.owe_dh,
 						     elems.owe_dh_len);
 			if (resp != WLAN_STATUS_SUCCESS)
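Review bot: The `if (!elems.owe_dh)` check and its debug message are duplicated here and in owe_assoc_req_process() further down, both immediately before a call to owe_process_assoc_req(). Putting the NULL test at the top of owe_process_assoc_req() and returning WLAN_STATUS_AKMP_NOT_VALID from there would cover both callers with a single check and remove the chance of a future caller forgetting it. As a style point, the continuation line of the wpa_printf() is indented with tabs only, whereas the block removed from wpa_auth_ie.c aligned the string under the opening parenthesis.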
@@ -3976,6 +3981,12 @@ u8 * owe_assoc_req_process(struct hostapd_data *hapd, struct sta_info *sta,
 		return owe_buf;
 	}
 
+	if (!owe_dh) {
+		wpa_printf(MSG_DEBUG, "OWE: No Diffie-Hellman Parameter element");
+		*status = WLAN_STATUS_AKMP_NOT_VALID;
+		return NULL;
+	}
+
 	*status = owe_process_assoc_req(hapd, sta, owe_dh, owe_dh_len);
 	if (*status != WLAN_STATUS_SUCCESS)
 		return NULL;
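Review bot: The `if (!owe_dh)` check is placed after the earlier `return owe_buf;` path, so an association request without a Diffie-Hellman Parameter element is accepted whenever that earlier branch is taken, and the hunk does not show or explain the condition guarding it. Since this is the only place where the commit message's "previously derived OWE PMK" exception is enforced, please add a comment above the new check naming that condition, and confirm the PMK found there can only come from the EVENT_UPDATE_DH processing for this same STA. The wpa_printf() line also runs past 80 columns at this indentation; wrap the string onto its own line as the other OWE messages do.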
diff --git a/src/ap/wpa_auth_ie.c b/src/ap/wpa_auth_ie.c
index 2e6d05910..88b5f9f16 100644
--- a/src/ap/wpa_auth_ie.c
+++ b/src/ap/wpa_auth_ie.c
@@ -842,11 +842,6 @@ int wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth,
 #endif /* CONFIG_IEEE80211R_AP */
 
 #ifdef CONFIG_OWE
-	if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE && !owe_dh) {
-		wpa_printf(MSG_DEBUG,
-			   "OWE: No Diffie-Hellman Parameter element");
-		return WPA_INVALID_AKMP;
-	}
 #ifdef CONFIG_DPP
 	if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP && owe_dh) {
 		/* Diffie-Hellman Parameter element can be used with DPP as
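Review bot: Removing the `!owe_dh` rejection from wpa_validate_wpa_ie() relaxes validation for every caller of this function, but the patch adds replacement checks only in check_assoc_ies() and owe_assoc_req_process(). The commit message says hostapd_notif_update_dh_ie also relied on this validation, and no hunk touches that handler, so please state in the commit message which check now rejects an OWE STA without a DH element on the EVENT_UPDATE_DH path, or add one there. It would also help to note in the function comment that the OWE DH presence check is now the caller's responsibility.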
-- 
2.11.0


_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap


