
[3/3] OWE: allow adding new STAs w/o DH IEs when OWE is offloaded

Message ID 20200213085112.27376-4-sergey.matyukevich.os@quantenna.com
State Changes Requested
Series OWE: cleanup and changes for SME drivers

Commit Message

Sergey Matyukevich Feb. 13, 2020, 8:51 a.m. UTC
Drivers/cards supporting SME internally may perform OWE offloading to
hostapd. This can be done using EVENT_UPDATE_DH mechanism and appropriate
handler hostapd_notif_update_dh_ie. When this mechanism is in use, then
hostapd creates STA entries for OWE processing and reports DH information
element to driver. After association is completed, driver notifies hostapd
that new STA is ready using EVENT_ASSOC mechanism and appropriate handler
hostapd_notif_assoc.

Currently the availability of DH IEs is validated in both events by the
function wpa_validate_wpa_ie. However for EVENT_ASSOC this is needed only
for non-SME drivers. For SME drivers this may be redundant since during
processing of OWE offload STA entry has been already added and OWE PMK
has been already created.

This patch modifies OWE processing so that drivers performing OWE offload
may not pass DH IE in EVENT_ASSOC. For this purpose the following changes
have been introduced. Function wpa_validate_wpa_ie is modified so that it
does not report failure if DH IE is not provided. DH IE availability is
checked in owe_assoc_req_process in the case if previously derived
OWE PMK is not available. Besides, availability of DH IE is verified
in handle_assoc(check_assoc_ies).

Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
---
 src/ap/drv_callbacks.c |  8 ++++++--
 src/ap/ieee802_11.c    | 15 +++++++++++++--
 src/ap/wpa_auth_ie.c   |  5 -----
 3 files changed, 19 insertions(+), 9 deletions(-)

Comments

Jouni Malinen Feb. 15, 2020, 2:57 p.m. UTC | #1
On Thu, Feb 13, 2020 at 08:51:24AM +0000, Sergey Matyukevich wrote:
> Drivers/cards supporting SME internally may perform OWE offloading to
> hostapd. This can be done using EVENT_UPDATE_DH mechanism and appropriate
> handler hostapd_notif_update_dh_ie. When this mechanism is in use, then
> hostapd creates STA entries for OWE processing and reports DH information
> element to driver. After association is completed, driver notifies hostapd
> that new STA is ready using EVENT_ASSOC mechanism and appropriate handler
> hostapd_notif_assoc.
> 
> Currently the availability of DH IEs is validated in both events by the
> function wpa_validate_wpa_ie. However for EVENT_ASSOC this is needed only
> for non-SME drivers. For SME drivers this may be redundant since during
> processing of OWE offload STA entry has been already added and OWE PMK
> has been already created.
> 
> This patch modifies OWE processing so that drivers performing OWE offload
> may not pass DH IE in EVENT_ASSOC. For this purpose the following changes
> have been introduced. Function wpa_validate_wpa_ie is modified so that it
> does not report failure if DH IE is not provided. DH IE availability is
> checked in owe_assoc_req_process in the case if previously derived
> OWE PMK is not available. Besides, availability of DH IE is verified
> in handle_assoc(check_assoc_ies).

Why would a driver not pass Diffie-Hellman Parameter element in
EVENT_ASSOC? data->assoc_info.req_ies is supposed to include _all_ IEs
received in the (Re)Association Request frame. I would not want to make
an exception on that if that results in drivers hiding IEs that were
included in that frame.

Sergey Matyukevich Feb. 16, 2020, 3:14 p.m. UTC | #2
> > Drivers/cards supporting SME internally may perform OWE offloading to
> > hostapd. This can be done using EVENT_UPDATE_DH mechanism and appropriate
> > handler hostapd_notif_update_dh_ie. When this mechanism is in use, then
> > hostapd creates STA entries for OWE processing and reports DH information
> > element to driver. After association is completed, driver notifies hostapd
> > that new STA is ready using EVENT_ASSOC mechanism and appropriate handler
> > hostapd_notif_assoc.
> > 
> > Currently the availability of DH IEs is validated in both events by the
> > function wpa_validate_wpa_ie. However for EVENT_ASSOC this is needed only
> > for non-SME drivers. For SME drivers this may be redundant since during
> > processing of OWE offload STA entry has been already added and OWE PMK
> > has been already created.
> > 
> > This patch modifies OWE processing so that drivers performing OWE offload
> > may not pass DH IE in EVENT_ASSOC. For this purpose the following changes
> > have been introduced. Function wpa_validate_wpa_ie is modified so that it
> > does not report failure if DH IE is not provided. DH IE availability is
> > checked in owe_assoc_req_process in the case if previously derived
> > OWE PMK is not available. Besides, availability of DH IE is verified
> > in handle_assoc(check_assoc_ies).
> 
> Why would a driver not pass Diffie-Hellman Parameter element in
> EVENT_ASSOC? data->assoc_info.req_ies is supposed to include _all_ IEs
> received in the (Re)Association Request frame. I would not want to make
> an exception on that if that results in drivers hiding IEs that were
> included in that frame.

Well, it was not about hiding any IEs. This was just an attempt to soften
requirement on firmware and not to pass IEs that are not needed by
EVENT_ASSOC in the case of FullMAC driver.

IIUC, in the case of OWE offload, DH IE passed in EVENT_ASSOC is not used:
its processing is skipped by owe_assoc_req_process since sta->owe_pmk
has been obtained and sta->external_dh_updated has been set during
processing of EVENT_UPDATE_DH event.

Regards,
Sergey

Patch

diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c
index 38506a097..f38719bff 100644
--- a/src/ap/drv_callbacks.c
+++ b/src/ap/drv_callbacks.c
@@ -570,8 +570,7 @@  skip_wpa_check:
 
 #ifdef CONFIG_OWE
 	if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) &&
-	    wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_OWE &&
-	    elems.owe_dh) {
+	    wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_OWE) {
 		u8 *npos;
 
 		npos = owe_assoc_req_process(hapd, sta,
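
Review bot: With `elems.owe_dh` dropped from the condition, this branch now calls owe_assoc_req_process for every STA that negotiated OWE, including when the request IEs carry no Diffie-Hellman Parameter element, so rejecting that case is left entirely to the callee. A short comment at this condition stating when a missing element is acceptable (per the commit message, only when the OWE PMK was already derived during EVENT_UPDATE_DH processing) would make that dependency visible at the call site.
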
@@ -588,6 +587,11 @@  skip_wpa_check:
 			return 0;
 		}
 
+		if (!npos && status == WLAN_STATUS_AKMP_NOT_VALID) {
+			reason = WLAN_REASON_AKMP_NOT_VALID;
+			goto fail;
+		}
+
 		if (!npos || status != WLAN_STATUS_SUCCESS)
 			goto fail;
 	}
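
Review bot: The added `if (!npos && status == WLAN_STATUS_AKMP_NOT_VALID)` block repeats the generic failure test that directly follows it and differs only in setting `reason`. Consider folding it into the existing `if (!npos || status != WLAN_STATUS_SUCCESS)` branch by assigning `reason = WLAN_REASON_AKMP_NOT_VALID` there when the status matches, and dropping the `!npos` term, since the paths visible in the owe_assoc_req_process hunk return NULL whenever they set a non-success status.
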
diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index 68fdba4e0..e61ed595f 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -3352,8 +3352,13 @@  static u16 check_assoc_ies(struct hostapd_data *hapd, struct sta_info *sta,
 
 #ifdef CONFIG_OWE
 		if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) &&
-		    wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_OWE &&
-		    elems.owe_dh) {
+		    wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_OWE) {
+			if (!elems.owe_dh) {
+				wpa_printf(MSG_DEBUG,
+					"OWE: No Diffie-Hellman Parameter element");
+				return WLAN_STATUS_AKMP_NOT_VALID;
+			}
+
 			resp = owe_process_assoc_req(hapd, sta, elems.owe_dh,
 						     elems.owe_dh_len);
 			if (resp != WLAN_STATUS_SUCCESS)
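
Review bot: The continuation line of the new wpa_printf call in check_assoc_ies is indented with tabs only, while the equivalent call removed from wpa_auth_ie.c in this same patch aligns the string under the opening parenthesis; please match that alignment. The identical debug string is also added in owe_assoc_req_process, so naming the function or path in one of the two messages would let a log reader tell which check rejected the request.
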
@@ -3976,6 +3981,12 @@  u8 * owe_assoc_req_process(struct hostapd_data *hapd, struct sta_info *sta,
 		return owe_buf;
 	}
 
+	if (!owe_dh) {
+		wpa_printf(MSG_DEBUG, "OWE: No Diffie-Hellman Parameter element");
+		*status = WLAN_STATUS_AKMP_NOT_VALID;
+		return NULL;
+	}
+
 	*status = owe_process_assoc_req(hapd, sta, owe_dh, owe_dh_len);
 	if (*status != WLAN_STATUS_SUCCESS)
 		return NULL;
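
Review bot: The new `if (!owe_dh)` check sits below the early `return owe_buf;`, so a request without the element is rejected only when that earlier path is not taken, and on the earlier path its absence is accepted without any log line. If that is the intent, state it in a comment above the check and consider a debug message on the accepting path so that an association completed without a Diffie-Hellman Parameter element is visible in the logs.
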
diff --git a/src/ap/wpa_auth_ie.c b/src/ap/wpa_auth_ie.c
index 2e6d05910..88b5f9f16 100644
--- a/src/ap/wpa_auth_ie.c
+++ b/src/ap/wpa_auth_ie.c
@@ -842,11 +842,6 @@  int wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth,
 #endif /* CONFIG_IEEE80211R_AP */
 
 #ifdef CONFIG_OWE
-	if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE && !owe_dh) {
-		wpa_printf(MSG_DEBUG,
-			   "OWE: No Diffie-Hellman Parameter element");
-		return WPA_INVALID_AKMP;
-	}
 #ifdef CONFIG_DPP
 	if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP && owe_dh) {
 		/* Diffie-Hellman Parameter element can be used with DPP as
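
Review bot: Deleting the `sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE && !owe_dh` test removes the check for every caller of wpa_validate_wpa_ie, not only for the EVENT_ASSOC path that the commit message is about. The replacement checks in this patch are in check_assoc_ies and owe_assoc_req_process; please confirm in the commit message that no other caller relied on WPA_INVALID_AKMP being returned here, or keep the test and have the offload path skip it explicitly.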