FT: SHA384-based AKM in RSNE processing

This defines key lengths for SHA384-based FT AKM and handles writing and
parsing for RSNE AKMs with the new value.

Signed-off-by: Jouni Malinen <j@w1.fi>

diff --git a/src/ap/wpa_auth_ft.c b/src/ap/wpa_auth_ft.c
index e0753c6ed297f3d1a7b875b866b888e16b750f92..bf1240a925568a064ce9f209712c4e0b18119fe1 100644 (file)
--- a/src/ap/wpa_auth_ft.c
+++ b/src/ap/wpa_auth_ft.c
@@ -1,6 +1,6 @@
 /*
  * hostapd - IEEE 802.11r - Fast BSS Transition
- * Copyright (c) 2004-2015, Jouni Malinen <j@w1.fi>
+ * Copyright (c) 2004-2018, Jouni Malinen <j@w1.fi>
  *
  * This software may be distributed under the terms of the BSD license.
  * See README for more details.
@@ -2563,6 +2563,10 @@ static int wpa_ft_set_key_mgmt(struct wpa_state_machine *sm,
        }
        if (key_mgmt & WPA_KEY_MGMT_FT_IEEE8021X)
                sm->wpa_key_mgmt = WPA_KEY_MGMT_FT_IEEE8021X;
+#ifdef CONFIG_SHA384
+       else if (key_mgmt & WPA_KEY_MGMT_FT_IEEE8021X_SHA384)
+               sm->wpa_key_mgmt = WPA_KEY_MGMT_FT_IEEE8021X_SHA384;
+#endif /* CONFIG_SHA384 */
        else if (key_mgmt & WPA_KEY_MGMT_FT_PSK)
                sm->wpa_key_mgmt = WPA_KEY_MGMT_FT_PSK;
 #ifdef CONFIG_FILS

diff --git a/src/ap/wpa_auth_ie.c b/src/ap/wpa_auth_ie.c
index d538de1635ad1d54fa8bf1a9b377b5331982e68d..421dd5a6fccc0ce38f5b95a5fd59cb278e70f010 100644 (file)
--- a/src/ap/wpa_auth_ie.c
+++ b/src/ap/wpa_auth_ie.c
@@ -1,6 +1,6 @@
 /*
  * hostapd - WPA/RSN IE and KDE definitions
- * Copyright (c) 2004-2015, Jouni Malinen <j@w1.fi>
+ * Copyright (c) 2004-2018, Jouni Malinen <j@w1.fi>
  *
  * This software may be distributed under the terms of the BSD license.
  * See README for more details.
@@ -170,6 +170,13 @@ int wpa_write_rsn_ie(struct wpa_auth_config *conf, u8 *buf, size_t len,
                pos += RSN_SELECTOR_LEN;
                num_suites++;
        }
+#ifdef CONFIG_SHA384
+       if (conf->wpa_key_mgmt & WPA_KEY_MGMT_FT_IEEE8021X_SHA384) {
+               RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_802_1X_SHA384);
+               pos += RSN_SELECTOR_LEN;
+               num_suites++;
+       }
+#endif /* CONFIG_SHA384 */
        if (conf->wpa_key_mgmt & WPA_KEY_MGMT_FT_PSK) {
                RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_PSK);
                pos += RSN_SELECTOR_LEN;
@@ -566,6 +573,10 @@ int wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth,
                        selector = RSN_AUTH_KEY_MGMT_FILS_SHA256;
 #endif /* CONFIG_FILS */
 #ifdef CONFIG_IEEE80211R_AP
+#ifdef CONFIG_SHA384
+               else if (data.key_mgmt & WPA_KEY_MGMT_FT_IEEE8021X_SHA384)
+                       selector = RSN_AUTH_KEY_MGMT_FT_802_1X_SHA384;
+#endif /* CONFIG_SHA384 */
                else if (data.key_mgmt & WPA_KEY_MGMT_FT_IEEE8021X)
                        selector = RSN_AUTH_KEY_MGMT_FT_802_1X;
                else if (data.key_mgmt & WPA_KEY_MGMT_FT_PSK)
@@ -672,6 +683,10 @@ int wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth,
                sm->wpa_key_mgmt = WPA_KEY_MGMT_FILS_SHA256;
 #endif /* CONFIG_FILS */
 #ifdef CONFIG_IEEE80211R_AP
+#ifdef CONFIG_SHA384
+       else if (key_mgmt & WPA_KEY_MGMT_FT_IEEE8021X_SHA384)
+               sm->wpa_key_mgmt = WPA_KEY_MGMT_FT_IEEE8021X_SHA384;
+#endif /* CONFIG_SHA384 */
        else if (key_mgmt & WPA_KEY_MGMT_FT_IEEE8021X)
                sm->wpa_key_mgmt = WPA_KEY_MGMT_FT_IEEE8021X;
        else if (key_mgmt & WPA_KEY_MGMT_FT_PSK)

diff --git a/src/common/defs.h b/src/common/defs.h
index 21f1d1cd882d01dbaf097f6251a192e4d0c89e23..c968cd6cb82a5e46e20356821eb364714022e1d7 100644 (file)
--- a/src/common/defs.h
+++ b/src/common/defs.h
@@ -1,6 +1,6 @@
 /*
  * WPA Supplicant - Common definitions
- * Copyright (c) 2004-2015, Jouni Malinen <j@w1.fi>
+ * Copyright (c) 2004-2018, Jouni Malinen <j@w1.fi>
  *
  * This software may be distributed under the terms of the BSD license.
  * See README for more details.
@@ -57,11 +57,13 @@ typedef enum { FALSE = 0, TRUE = 1 } Boolean;
 #define WPA_KEY_MGMT_FT_FILS_SHA384 BIT(21)
 #define WPA_KEY_MGMT_OWE BIT(22)
 #define WPA_KEY_MGMT_DPP BIT(23)
+#define WPA_KEY_MGMT_FT_IEEE8021X_SHA384 BIT(24)
 
 static inline int wpa_key_mgmt_wpa_ieee8021x(int akm)
 {
        return !!(akm & (WPA_KEY_MGMT_IEEE8021X |
                         WPA_KEY_MGMT_FT_IEEE8021X |
+                        WPA_KEY_MGMT_FT_IEEE8021X_SHA384 |
                         WPA_KEY_MGMT_CCKM |
                         WPA_KEY_MGMT_OSEN |
                         WPA_KEY_MGMT_IEEE8021X_SHA256 |
@@ -86,6 +88,7 @@ static inline int wpa_key_mgmt_ft(int akm)
 {
        return !!(akm & (WPA_KEY_MGMT_FT_PSK |
                         WPA_KEY_MGMT_FT_IEEE8021X |
+                        WPA_KEY_MGMT_FT_IEEE8021X_SHA384 |
                         WPA_KEY_MGMT_FT_SAE |
                         WPA_KEY_MGMT_FT_FILS_SHA256 |
                         WPA_KEY_MGMT_FT_FILS_SHA384));
@@ -125,6 +128,7 @@ static inline int wpa_key_mgmt_sha256(int akm)
 static inline int wpa_key_mgmt_sha384(int akm)
 {
        return !!(akm & (WPA_KEY_MGMT_IEEE8021X_SUITE_B_192 |
+                        WPA_KEY_MGMT_FT_IEEE8021X_SHA384 |
                         WPA_KEY_MGMT_FILS_SHA384 |
                         WPA_KEY_MGMT_FT_FILS_SHA384));
 }

diff --git a/src/common/wpa_common.c b/src/common/wpa_common.c
index 6587b29c455afeb2598b348705311318f03659a8..d13f3000cecafc677ab99158009c70d2b85e9441 100644 (file)
--- a/src/common/wpa_common.c
+++ b/src/common/wpa_common.c
@@ -1,6 +1,6 @@
 /*
  * WPA/RSN - Shared functions for supplicant and authenticator
- * Copyright (c) 2002-2015, Jouni Malinen <j@w1.fi>
+ * Copyright (c) 2002-2018, Jouni Malinen <j@w1.fi>
  *
  * This software may be distributed under the terms of the BSD license.
  * See README for more details.
@@ -25,6 +25,7 @@ static unsigned int wpa_kck_len(int akmp, size_t pmk_len)
 {
        switch (akmp) {
        case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192:
+       case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
                return 24;
        case WPA_KEY_MGMT_FILS_SHA256:
        case WPA_KEY_MGMT_FT_FILS_SHA256:
@@ -65,6 +66,7 @@ static unsigned int wpa_kek_len(int akmp, size_t pmk_len)
        case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192:
        case WPA_KEY_MGMT_FILS_SHA256:
        case WPA_KEY_MGMT_FT_FILS_SHA256:
+       case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
                return 32;
        case WPA_KEY_MGMT_DPP:
                return pmk_len <= 32 ? 16 : 32;
@@ -95,6 +97,7 @@ unsigned int wpa_mic_len(int akmp, size_t pmk_len)
 {
        switch (akmp) {
        case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192:
+       case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
                return 24;
        case WPA_KEY_MGMT_FILS_SHA256:
        case WPA_KEY_MGMT_FILS_SHA384:
@@ -121,6 +124,7 @@ int wpa_use_akm_defined(int akmp)
        return akmp == WPA_KEY_MGMT_OSEN ||
                akmp == WPA_KEY_MGMT_OWE ||
                akmp == WPA_KEY_MGMT_DPP ||
+               akmp == WPA_KEY_MGMT_FT_IEEE8021X_SHA384 ||
                wpa_key_mgmt_sae(akmp) ||
                wpa_key_mgmt_suite_b(akmp) ||
                wpa_key_mgmt_fils(akmp);
@@ -1009,6 +1013,10 @@ static int rsn_key_mgmt_to_bitfield(const u8 *s)
                return WPA_KEY_MGMT_FT_IEEE8021X;
        if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_PSK)
                return WPA_KEY_MGMT_FT_PSK;
+#ifdef CONFIG_SHA384
+       if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_802_1X_SHA384)
+               return WPA_KEY_MGMT_FT_IEEE8021X_SHA384;
+#endif /* CONFIG_SHA384 */
 #endif /* CONFIG_IEEE80211R */
 #ifdef CONFIG_IEEE80211W
        if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_802_1X_SHA256)
@@ -1776,6 +1784,8 @@ const char * wpa_key_mgmt_txt(int key_mgmt, int proto)
 #ifdef CONFIG_IEEE80211R
        case WPA_KEY_MGMT_FT_IEEE8021X:
                return "FT-EAP";
+       case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
+               return "FT-EAP-SHA384";
        case WPA_KEY_MGMT_FT_PSK:
                return "FT-PSK";
 #endif /* CONFIG_IEEE80211R */
@@ -1817,6 +1827,8 @@ const char * wpa_key_mgmt_txt(int key_mgmt, int proto)
 
 u32 wpa_akm_to_suite(int akm)
 {
+       if (akm & WPA_KEY_MGMT_FT_IEEE8021X_SHA384)
+               return RSN_AUTH_KEY_MGMT_FT_802_1X_SHA384;
        if (akm & WPA_KEY_MGMT_FT_IEEE8021X)
                return RSN_AUTH_KEY_MGMT_FT_802_1X;
        if (akm & WPA_KEY_MGMT_FT_PSK)

diff --git a/src/common/wpa_common.h b/src/common/wpa_common.h
index cb56c0c11aff20d50b6963a1f061828de6935682..30f6e5b8e5d8f0f46def78ceeafa1fc13aef4aa3 100644 (file)
--- a/src/common/wpa_common.h
+++ b/src/common/wpa_common.h
@@ -1,6 +1,6 @@
 /*
  * WPA definitions shared between hostapd and wpa_supplicant
- * Copyright (c) 2002-2017, Jouni Malinen <j@w1.fi>
+ * Copyright (c) 2002-2018, Jouni Malinen <j@w1.fi>
  *
  * This software may be distributed under the terms of the BSD license.
  * See README for more details.
@@ -62,8 +62,7 @@ WPA_CIPHER_BIP_CMAC_256)
 #define RSN_AUTH_KEY_MGMT_FT_SAE RSN_SELECTOR(0x00, 0x0f, 0xac, 9)
 #define RSN_AUTH_KEY_MGMT_802_1X_SUITE_B RSN_SELECTOR(0x00, 0x0f, 0xac, 11)
 #define RSN_AUTH_KEY_MGMT_802_1X_SUITE_B_192 RSN_SELECTOR(0x00, 0x0f, 0xac, 12)
-#define RSN_AUTH_KEY_MGMT_FT_802_1X_SUITE_B_192 \
-RSN_SELECTOR(0x00, 0x0f, 0xac, 13)
+#define RSN_AUTH_KEY_MGMT_FT_802_1X_SHA384 RSN_SELECTOR(0x00, 0x0f, 0xac, 13)
 #define RSN_AUTH_KEY_MGMT_FILS_SHA256 RSN_SELECTOR(0x00, 0x0f, 0xac, 14)
 #define RSN_AUTH_KEY_MGMT_FILS_SHA384 RSN_SELECTOR(0x00, 0x0f, 0xac, 15)
 #define RSN_AUTH_KEY_MGMT_FT_FILS_SHA256 RSN_SELECTOR(0x00, 0x0f, 0xac, 16)

diff --git a/src/rsn_supp/wpa_ft.c b/src/rsn_supp/wpa_ft.c
index 5eadd1592409dc645d4c0348bcea2c2c3d83e836..77b00bda75a7e912011e6ec9e8446671014d5aae 100644 (file)
--- a/src/rsn_supp/wpa_ft.c
+++ b/src/rsn_supp/wpa_ft.c
@@ -1,6 +1,6 @@
 /*
  * WPA Supplicant - IEEE 802.11r - Fast BSS Transition
- * Copyright (c) 2006-2015, Jouni Malinen <j@w1.fi>
+ * Copyright (c) 2006-2018, Jouni Malinen <j@w1.fi>
  *
  * This software may be distributed under the terms of the BSD license.
  * See README for more details.
@@ -202,6 +202,10 @@ static u8 * wpa_ft_gen_req_ies(struct wpa_sm *sm, size_t *len,
        /* Authenticated Key Management Suite List */
        if (sm->key_mgmt == WPA_KEY_MGMT_FT_IEEE8021X)
                RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_802_1X);
+#ifdef CONFIG_SHA384
+       else if (sm->key_mgmt == WPA_KEY_MGMT_FT_IEEE8021X_SHA384)
+               RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_802_1X_SHA384);
+#endif /* CONFIG_SHA384 */
        else if (sm->key_mgmt == WPA_KEY_MGMT_FT_PSK)
                RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_PSK);
        else if (sm->key_mgmt == WPA_KEY_MGMT_FT_SAE)

diff --git a/src/rsn_supp/wpa_ie.c b/src/rsn_supp/wpa_ie.c
index f8b0cafab1c4ff59f546be09b70a0e5ce84377e8..a3410d15447a4306fb55d37bd99395b23a55503e 100644 (file)
--- a/src/rsn_supp/wpa_ie.c
+++ b/src/rsn_supp/wpa_ie.c
@@ -1,6 +1,6 @@
 /*
  * wpa_supplicant - WPA/RSN IE and KDE processing
- * Copyright (c) 2003-2015, Jouni Malinen <j@w1.fi>
+ * Copyright (c) 2003-2018, Jouni Malinen <j@w1.fi>
  *
  * This software may be distributed under the terms of the BSD license.
  * See README for more details.
@@ -161,6 +161,10 @@ static int wpa_gen_wpa_ie_rsn(u8 *rsn_ie, size_t rsn_ie_len,
 #ifdef CONFIG_IEEE80211R
        } else if (key_mgmt == WPA_KEY_MGMT_FT_IEEE8021X) {
                RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_802_1X);
+#ifdef CONFIG_SHA384
+       } else if (key_mgmt == WPA_KEY_MGMT_FT_IEEE8021X_SHA384) {
+               RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_802_1X_SHA384);
+#endif /* CONFIG_SHA384 */
        } else if (key_mgmt == WPA_KEY_MGMT_FT_PSK) {
                RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_PSK);
 #endif /* CONFIG_IEEE80211R */