OWE: Allow set of enabled DH groups to be limited on AP
authorJouni Malinen <jouni@qca.qualcomm.com>
Tue, 10 Oct 2017 16:00:57 +0000 (19:00 +0300)
committerJouni Malinen <j@w1.fi>
Tue, 10 Oct 2017 18:03:57 +0000 (21:03 +0300)
The new hostapd configuration parameter owe_groups can be used to
specify a subset of the allowed DH groups as a space separated list of
group identifiers.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
hostapd/config_file.c
hostapd/hostapd.conf
src/ap/ap_config.c
src/ap/ap_config.h
src/ap/ieee802_11.c

index ac08b7bdafa236c6ff14567a765e5b3fa31eacfe..fd3ad0a734735d30b147c39e535ccb8123aecf06 100644 (file)
@@ -3795,7 +3795,13 @@ static int hostapd_config_fill(struct hostapd_config *conf,
        } else if (os_strcmp(buf, "owe_transition_ifname") == 0) {
                os_strlcpy(bss->owe_transition_ifname, pos,
                           sizeof(bss->owe_transition_ifname));
-
+       } else if (os_strcmp(buf, "owe_groups") == 0) {
+               if (hostapd_parse_intlist(&bss->owe_groups, pos)) {
+                       wpa_printf(MSG_ERROR,
+                                  "Line %d: Invalid owe_groups value '%s'",
+                                  line, pos);
+                       return 1;
+               }
 #endif /* CONFIG_OWE */
        } else {
                wpa_printf(MSG_ERROR,
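Review bot: The new `owe_groups` branch accepts any integer list that hostapd_parse_intlist parses, but nothing checks the entries against the groups the AP side can actually negotiate (19, 20 and 21, per owe_group_supported() in ieee802_11.c in this same commit), so a typo such as `owe_groups=18` loads cleanly and yields an AP that rejects every OWE association with only a MSG_DEBUG line at runtime. I would validate the list right after a successful parse and fail the configuration load with a `Line %d:` error, which is the behaviour an operator expects from the rest of this parser. The loop below guards against a NULL result since owe_group_supported() treats NULL as "all groups"; whether hostapd_parse_intlist can return success with a NULL list is not visible here. hostapd_config_fill() starts and ends outside this hunk.
```c
} else if (os_strcmp(buf, "owe_groups") == 0) {
        int i;

        if (hostapd_parse_intlist(&bss->owe_groups, pos)) {
                /* … unchanged: "Invalid owe_groups value" error and return 1 … */
        }
        /* Reject groups the OWE AP code cannot negotiate; keep in sync
         * with owe_group_supported() in ieee802_11.c */
        for (i = 0; bss->owe_groups && bss->owe_groups[i] > 0; i++) {
                if (bss->owe_groups[i] != 19 && bss->owe_groups[i] != 20 &&
                    bss->owe_groups[i] != 21) {
                        wpa_printf(MSG_ERROR,
                                   "Line %d: Unsupported OWE group %d",
                                   line, bss->owe_groups[i]);
                        return 1;
                }
        }
```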
index f0e553ca146735fed4253fcbcabc6c1f5ea292a3..d2e884c59b628431fe8959aa83bbbd530afc490c 100644 (file)
@@ -1407,6 +1407,15 @@ own_ip_addr=127.0.0.1
 # 1-65535 DH Group to use for FILS PFS
 #fils_dh_group=0
 
+# OWE DH groups
+# OWE implementations are required to support group 19 (NIST P-256). All groups
+# that are supported by the implementation (e.g., groups 19, 20, and 21 when
+# using OpenSSL) are enabled by default. This configuration parameter can be
+# used to specify a limited set of allowed groups. The group values are listed
+# in the IANA registry:
+# http://www.iana.org/assignments/ipsec-registry/ipsec-registry.xml#ipsec-registry-10
+#owe_groups=19 20 21
+
 # OWE transition mode configuration
 # Pointer to the matching open/OWE BSS
 #owe_transition_bssid=<bssid>
index b12cb197636820946ee74fe66fccb1f3c5b6e69c..0e1ab02b54e2d3e93ee7f7bc3a69c9ca4ea24806 100644 (file)
@@ -610,6 +610,9 @@ void hostapd_config_free_bss(struct hostapd_bss_config *conf)
        wpabuf_free(conf->assocresp_elements);
 
        os_free(conf->sae_groups);
+#ifdef CONFIG_OWE
+       os_free(conf->owe_groups);
+#endif /* CONFIG_OWE */
 
        os_free(conf->wowlan_triggers);
 
index ac459471cb3f4e63bfe29e39e6f41d5861b5b4a8..76929250ad764cf389672f2ab338d4171bb4eb52 100644 (file)
@@ -649,6 +649,7 @@ struct hostapd_bss_config {
        u8 owe_transition_ssid[SSID_MAX_LEN];
        size_t owe_transition_ssid_len;
        char owe_transition_ifname[IFNAMSIZ + 1];
+       int *owe_groups;
 #endif /* CONFIG_OWE */
 };
 
index 7e30219f08ac2e07b6db3dfd4fda71627daea283..e0edcc53c81296e1a731d4ada06f81dffa8c0f92 100644 (file)
@@ -2128,6 +2128,27 @@ static u16 check_ext_capab(struct hostapd_data *hapd, struct sta_info *sta,
 
 
 #ifdef CONFIG_OWE
+
+static int owe_group_supported(struct hostapd_data *hapd, u16 group)
+{
+       int i;
+       int *groups = hapd->conf->owe_groups;
+
+       if (group != 19 && group != 20 && group != 21)
+               return 0;
+
+       if (!groups)
+               return 1;
+
+       for (i = 0; groups[i] > 0; i++) {
+               if (groups[i] == group)
+                       return 1;
+       }
+
+       return 0;
+}
+
+
 static u16 owe_process_assoc_req(struct hostapd_data *hapd,
                                 struct sta_info *sta, const u8 *owe_dh,
                                 u8 owe_dh_len)
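Review bot: owe_group_supported() has no header comment, and its contract — a NULL owe_groups means every compiled-in group is allowed, and an explicit list is terminated by a non-positive entry, which is what the `groups[i] > 0` loop condition relies on — is only discoverable by reading the loop. I would add above it: `/* Return 1 if group is one the AP implements (19, 20, 21) and, when owe_groups is configured, is in that list; 0 otherwise. The configured list is terminated by a non-positive entry. */`. The implemented set 19/20/21 is hard-coded here and repeated in the prime_len chain of owe_process_assoc_req() further down, so a one-line comment naming that chain would keep the two from drifting apart. hostapd.conf in this commit describes groups 20 and 21 as available only with some crypto backends; with a backend lacking them a STA offering group 20 would presumably pass this check and fail later in the exchange rather than receive FINITE_CYCLIC_GROUP_NOT_SUPPORTED, which cannot be confirmed from this hunk.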
@@ -2147,6 +2168,10 @@ static u16 owe_process_assoc_req(struct hostapd_data *hapd,
        }
 
        group = WPA_GET_LE16(owe_dh);
+       if (!owe_group_supported(hapd, group)) {
+               wpa_printf(MSG_DEBUG, "OWE: Unsupported DH group %u", group);
+               return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
+       }
        if (group == 19)
                prime_len = 32;
        else if (group == 20)
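Review bot: The rejection log at the new check reports only the group number, which makes it hard for someone correlating association failures to tell which peer offered the unsupported group; since `sta` is a parameter of owe_process_assoc_req(), I would log the peer too, e.g. `wpa_printf(MSG_DEBUG, "OWE: Unsupported DH group %u from " MACSTR, group, MAC2STR(sta->addr));`, assuming MACSTR/MAC2STR is the convention used for STA addresses elsewhere in this file. Placing the check immediately after `WPA_GET_LE16(owe_dh)` and before the prime_len chain is the right spot, and WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED is the expected response for an unsupported OWE group. owe_process_assoc_req() starts and continues outside this hunk.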
@@ -2265,6 +2290,7 @@ static u16 owe_process_assoc_req(struct hostapd_data *hapd,
 
        return WLAN_STATUS_SUCCESS;
 }
+
 #endif /* CONFIG_OWE */