HS 2.0: Allow OSEN connection to be enabled in an RSN BSS
authorJouni Malinen <jouni@codeaurora.org>
Tue, 29 May 2018 17:09:53 +0000 (20:09 +0300)
committerJouni Malinen <j@w1.fi>
Tue, 29 May 2018 20:34:22 +0000 (23:34 +0300)
This allows a single BSS/SSID to be used for both data connection and
OSU. Instead of hostapd configuration osen=1, wpa_key_mgmt=OSEN (or more
likely, wpa_key_mgmt=WPA-EAP OSEN) is used to enable this new option.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
hostapd/config_file.c
src/ap/wpa_auth.c
src/ap/wpa_auth_ie.c

index ebd1c49ffe4a8681d7d0111f2cefa061e5c7fe06..412f61f0de16e9706f1a871a00a324807e877a0e 100644 (file)
@@ -813,6 +813,10 @@ static int hostapd_config_parse_key_mgmt(int line, const char *value)
                else if (os_strcmp(start, "DPP") == 0)
                        val |= WPA_KEY_MGMT_DPP;
 #endif /* CONFIG_DPP */
+#ifdef CONFIG_HS20
+               else if (os_strcmp(start, "OSEN") == 0)
+                       val |= WPA_KEY_MGMT_OSEN;
+#endif /* CONFIG_HS20 */
                else {
                        wpa_printf(MSG_ERROR, "Line %d: invalid key_mgmt '%s'",
                                   line, start);
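Review bot: Nothing in the new `OSEN` branch ties the value to an RSN configuration or to the existing `osen=1` option. A file that sets both, or that sets `wpa_key_mgmt=OSEN` without RSN enabled, therefore appears to be accepted at this point. hostapd_config_parse_key_mgmt continues outside the hunk and such a check may live in a later validation step, so this is worth confirming rather than assuming. A short comment on the branch would also help, for example `/* OSEN as an RSN AKM: one BSS for data and OSU, used instead of osen=1 */`.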
index f9fe6e67e402dff5061afd3a33518f2c14185ba0..0cf57b8d75423ff23d14da952d36c73b928dd287 100644 (file)
@@ -2515,7 +2515,8 @@ static struct wpabuf * fils_prepare_plainbuf(struct wpa_state_machine *sm,
        /* GTK KDE */
        gtk = gsm->GTK[gsm->GN - 1];
        gtk_len = gsm->GTK_len;
-       if (sm->wpa_auth->conf.disable_gtk) {
+       if (sm->wpa_auth->conf.disable_gtk ||
+           sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
                /*
                 * Provide unique random GTK to each STA to prevent use
                 * of GTK in the BSS.
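Review bot: The test `sm->wpa_auth->conf.disable_gtk || sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN` is repeated here and in the hunks at 2831 (ieee80211w_kde_add), 2909 (PTKINITNEGOTIATING) and 3285 (REKEYNEGOTIATING). It is the only thing that keeps the BSS group keys away from OSEN stations now that they can share a BSS with data stations. A single helper returning that expression, e.g. `static int wpa_auth_unique_group_keys(struct wpa_state_machine *sm)` (name is a suggestion), would keep the four sites in step. It would also give any other GTK/IGTK delivery path not visible in this diff one obvious predicate to call. The existing comments could say that the random key is handed out for OSEN associations as well as for disable_gtk; all four enclosing functions extend beyond their hunks.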
@@ -2831,7 +2832,8 @@ static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
        else
                os_memcpy(igtk.pn, rsc, sizeof(igtk.pn));
        os_memcpy(igtk.igtk, gsm->IGTK[gsm->GN_igtk - 4], len);
-       if (sm->wpa_auth->conf.disable_gtk) {
+       if (sm->wpa_auth->conf.disable_gtk ||
+           sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
                /*
                 * Provide unique random IGTK to each STA to prevent use of
                 * IGTK in the BSS.
@@ -2909,7 +2911,8 @@ SM_STATE(WPA_PTK, PTKINITNEGOTIATING)
                secure = 1;
                gtk = gsm->GTK[gsm->GN - 1];
                gtk_len = gsm->GTK_len;
-               if (sm->wpa_auth->conf.disable_gtk) {
+               if (sm->wpa_auth->conf.disable_gtk ||
+                   sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
                        /*
                         * Provide unique random GTK to each STA to prevent use
                         * of GTK in the BSS.
@@ -3285,7 +3288,8 @@ SM_STATE(WPA_PTK_GROUP, REKEYNEGOTIATING)
                        "sending 1/2 msg of Group Key Handshake");
 
        gtk = gsm->GTK[gsm->GN - 1];
-       if (sm->wpa_auth->conf.disable_gtk) {
+       if (sm->wpa_auth->conf.disable_gtk ||
+           sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
                /*
                 * Provide unique random GTK to each STA to prevent use
                 * of GTK in the BSS.
index e4610d1a2073308650432af55c4bed46788eb9c5..d538de1635ad1d54fa8bf1a9b377b5331982e68d 100644 (file)
@@ -248,6 +248,13 @@ int wpa_write_rsn_ie(struct wpa_auth_config *conf, u8 *buf, size_t len,
                num_suites++;
        }
 #endif /* CONFIG_DPP */
+#ifdef CONFIG_HS20
+       if (conf->wpa_key_mgmt & WPA_KEY_MGMT_OSEN) {
+               RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_OSEN);
+               pos += RSN_SELECTOR_LEN;
+               num_suites++;
+       }
+#endif /* CONFIG_HS20 */
 
 #ifdef CONFIG_RSN_TESTING
        if (rsn_testing) {
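Review bot: The added `RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_OSEN)` advances `pos` by RSN_SELECTOR_LEN with no comparison against `buf + len` visible in this hunk, and each extra AKM raises the worst-case size of the element. wpa_write_rsn_ie starts and ends outside the hunk, so a bound may be enforced elsewhere or by the caller's buffer size. If it is not, a guard before the write such as `if (buf + len - pos < RSN_SELECTOR_LEN) return -1;` would make the limit explicit.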
@@ -588,6 +595,10 @@ int wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth,
                else if (data.key_mgmt & WPA_KEY_MGMT_DPP)
                        selector = RSN_AUTH_KEY_MGMT_DPP;
 #endif /* CONFIG_DPP */
+#ifdef CONFIG_HS20
+               else if (data.key_mgmt & WPA_KEY_MGMT_OSEN)
+                       selector = RSN_AUTH_KEY_MGMT_OSEN;
+#endif /* CONFIG_HS20 */
                wpa_auth->dot11RSNAAuthenticationSuiteSelected = selector;
 
                selector = wpa_cipher_to_suite(WPA_PROTO_RSN,
@@ -688,6 +699,10 @@ int wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth,
        else if (key_mgmt & WPA_KEY_MGMT_DPP)
                sm->wpa_key_mgmt = WPA_KEY_MGMT_DPP;
 #endif /* CONFIG_DPP */
+#ifdef CONFIG_HS20
+       else if (key_mgmt & WPA_KEY_MGMT_OSEN)
+               sm->wpa_key_mgmt = WPA_KEY_MGMT_OSEN;
+#endif /* CONFIG_HS20 */
        else
                sm->wpa_key_mgmt = WPA_KEY_MGMT_PSK;