fix(wifi) : Made changes based on more review comments

    - Require STA DH IE for OWE associations.
    - Send failures using Association Response (no silent deauth-only path).
    - Include RSNE in OWE Association Response alongside DH Parameter IE.
    - Check wpabuf_resize return values when building OWE Assoc Response IEs.
    - Recognize OWE AKM in RSN IE when CONFIG_OWE_SOFTAP without CONFIG_OWE_STA.
    - Docs: SoftAP OWE-only; no transition mode; trim misleading OPEN→OWE note.
This commit is contained in:
tarun.kumar
2026-05-05 20:42:27 +05:30
parent d698d5345a
commit 2c3cd560c4
8 changed files with 73 additions and 28 deletions


@@ -507,14 +507,21 @@ bool hostap_new_assoc_sta(struct sta_info *sta, uint8_t *bssid,
#ifdef CONFIG_OWE_SOFTAP
uint8_t owe_enabled = esp_wifi_ap_get_owe_config_internal();
if (status == WLAN_STATUS_SUCCESS &&
hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE &&
(hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) &&
sta->wpa_sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE &&
assoc_req->owe_dh && owe_enabled) {
status = owe_process_assoc_req(hapd, sta, assoc_req->owe_dh, assoc_req->owe_ie_len);
if (status == WLAN_STATUS_UNSPECIFIED_FAILURE) {
*reason = wpa_status_to_reason_code(status);
wpa_printf(MSG_ERROR, "OWE : Failed to process assoc req status %d", status);
return false;
owe_enabled) {
if (!assoc_req->owe_dh || assoc_req->owe_ie_len == 0) {
wpa_printf(MSG_ERROR,
"OWE: Association request missing DH Parameter element");
status = WLAN_STATUS_AKMP_NOT_VALID;
} else {
status = owe_process_assoc_req(hapd, sta, assoc_req->owe_dh,
assoc_req->owe_ie_len);
if (status != WLAN_STATUS_SUCCESS) {
wpa_printf(MSG_ERROR,
"OWE: Failed to process assoc req status %d",
status);
}
}
}
#endif /* CONFIG_OWE_SOFTAP */
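Review bot: Both OWE failure branches now only assign `status` (the missing-DH branch at L35 and the non-success branch at L39–L43) and fall through, where the old code set `*reason` and returned false, so whether the association is actually rejected now depends entirely on how the code after `#endif` treats a non-success `status`; that code is outside the hunk, and hostap_new_assoc_sta continues past it. If that tail rejects on `status != WLAN_STATUS_SUCCESS` the change is sound, but `*reason` is no longer filled in for OWE failures, so confirm nothing downstream still reads it on this path. A short comment on the missing-DH branch would make the intent explicit to the next reader: `/* OWE requires the DH Parameter element; reject via the Assoc Response status instead of returning early */`.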


@@ -60,7 +60,7 @@ struct wpabuf *esp_owe_build_assoc_resp_dhie(struct hostapd_data *hapd, const u8
return NULL;
}
struct wpabuf *owe_buf = wpabuf_alloc(hapd->wpa_auth->wpa_ie_len);
struct wpabuf *owe_buf = wpabuf_alloc(OWE_IE_INIT_LEN);
if (!owe_buf) {
wpa_printf(MSG_ERROR, "Memory allocation failed for OWE IE");
return NULL;
@@ -68,29 +68,65 @@ struct wpabuf *esp_owe_build_assoc_resp_dhie(struct hostapd_data *hapd, const u8
// If PMKSA caching is used, write and return only RSN IE with PMKID
if (sta->wpa_sm && sta->wpa_sm->pmksa) {
u8 *pos, buf[128];
u8 *pos, buf[257];
pos = buf;
wpa_printf(MSG_DEBUG, "OWE: Using PMKSA caching for Assoc Resp");
pos = wpa_auth_write_assoc_resp_owe(hapd, sta->wpa_sm, pos,
buf + sizeof(buf) - pos);
wpabuf_resize(&owe_buf, pos - buf);
if (wpabuf_resize(&owe_buf, pos - buf) < 0) {
wpa_printf(MSG_ERROR, "OWE: wpabuf_resize failed for PMKSA assoc resp");
wpabuf_free(owe_buf);
*owe_ie_len = 0;
return NULL;
}
wpabuf_put_data(owe_buf, buf, pos - buf);
*owe_ie_len = pos - buf;
return owe_buf;
}
if (sta->owe_ecdh) {
if (!sta->wpa_sm) {
wpa_printf(MSG_ERROR, "OWE: Missing WPA state machine for assoc resp");
wpabuf_free(owe_buf);
*owe_ie_len = 0;
return NULL;
}
u8 buf[257];
u8 *pos = buf;
pos = wpa_auth_write_assoc_resp_owe(hapd, sta->wpa_sm, pos,
buf + sizeof(buf) - pos);
size_t rsne_len = (size_t)(pos - buf);
if (rsne_len == 0 || pos > buf + sizeof(buf)) {
wpa_printf(MSG_ERROR, "OWE: Failed to write RSN IE for assoc resp");
wpabuf_free(owe_buf);
*owe_ie_len = 0;
return NULL;
}
pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
if (!pub) {
wpabuf_free(owe_buf);
*owe_ie_len = 0;
return NULL;
}
wpa_hexdump_buf(MSG_DEBUG, "Own public key", pub);
wpabuf_resize(&owe_buf, OWE_DHIE_LEN);
size_t dh_len = 5 + wpabuf_len(pub);
if (wpabuf_resize(&owe_buf, rsne_len + dh_len) < 0) {
wpa_printf(MSG_ERROR, "OWE: wpabuf_resize failed for assoc resp IEs");
wpabuf_free(pub);
wpabuf_free(owe_buf);
*owe_ie_len = 0;
return NULL;
}
wpabuf_put_data(owe_buf, buf, rsne_len);
wpabuf_put_u8(owe_buf, WLAN_EID_EXTENSION);
wpabuf_put_u8(owe_buf, 1 + 2 + wpabuf_len(pub));
wpabuf_put_u8(owe_buf, WLAN_EID_EXT_OWE_DH_PARAM);
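Review bot: The PMKSA path (L65–L75) trusts the `pos` returned by wpa_auth_write_assoc_resp_owe without the sanity check the ECDH path adds at L89–L95, so a zero-length or out-of-range result is resized and copied as-is; if that helper can also signal failure by returning NULL, `pos - buf` becomes a huge value in both paths and neither check catches it — I cannot confirm its contract from here, so the guard below checks the pointer before doing the subtraction. The same guard should be applied before the resize in the PMKSA branch so both paths validate the written RSNE the same way. Note also that the rendered hunk shows fewer lines than its header counts, and the function continues past `WLAN_EID_EXT_OWE_DH_PARAM`, so the tail of the IE assembly is not visible.
```c
pos = wpa_auth_write_assoc_resp_owe(hapd, sta->wpa_sm, pos,
                                    buf + sizeof(buf) - pos);
/* Reject a failed or out-of-range write before using pos arithmetically. */
if (!pos || pos == buf || pos > buf + sizeof(buf)) {
    wpa_printf(MSG_ERROR, "OWE: Failed to write RSN IE for PMKSA assoc resp");
    wpabuf_free(owe_buf);
    *owe_ie_len = 0;
    return NULL;
}
size_t rsne_len = (size_t)(pos - buf);
if (wpabuf_resize(&owe_buf, rsne_len) < 0) {
/* … unchanged: resize-failure cleanup, wpabuf_put_data, *owe_ie_len, return … */
```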


@@ -26,13 +26,19 @@ void esp_wifi_register_owe_cb(struct wpa_funcs *wpa_cb);
#include "ap/hostapd.h"
/*
OWE_DHIE_LEN = 1 byte {WLAN_EID_EXTENSION}
+ 1 byte {len of DHIE (1(pub_key len) + 2(dh group) + 32(len of pub_key)) = 35)}
+ 1 byte {pub_key len}
+ 2 bytes {DH group}
+ 32 bytes {public key}
*/
* OWE_DHIE_LEN: DH Parameter element length for group 19 (secp256r1).
*
* Wire format (IEEE 802.11 Extension element):
* byte 1 WLAN_EID_EXTENSION
* byte 2 length of remainder (extension ID + group + pubkey), typically 35
* byte 3 WLAN_EID_EXT_OWE_DH_PARAM (extension element ID)
* bytes 45 DH group ID (little-endian), e.g. IANA_SECP256R1 (19)
* bytes 637 DH public key (32 octets for this group/key representation)
*
* Total = 2 + 35 = 37 octets.
*/
#define OWE_DHIE_LEN 37
#define OWE_IE_INIT_LEN (257 + OWE_DHIE_LEN) /* RSNE + DH IE */
struct wpabuf *esp_owe_build_assoc_resp_dhie(struct hostapd_data *hapd, const u8 *bssid, int *owe_ie_len);
#endif /* CONFIG_OWE_SOFTAP */
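Review bot: The byte-range labels in the new comment come through as `bytes 45` and `bytes 637` (L134–L135), which reads as if the separators in `4-5` and `6-37` were non-ASCII and got dropped; plain ASCII hyphens in a header avoid that. `OWE_IE_INIT_LEN` also hard-codes 257 to match the `u8 buf[257]` scratch buffers in esp_owe_build_assoc_resp_dhie, so the two can drift silently; a named constant such as `#define OWE_RSNE_MAX_LEN 257 /* 2-byte IE header + 255-byte body */` used in both places would keep them tied. The comment documents group 19 only, which matches the fixed `37`/`35` figures, so a one-line remark that other groups would change these lengths would save a future reader from generalising them.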


@@ -793,7 +793,7 @@ int wpa_auth_pmksa_add2(struct wpa_authenticator *wpa_auth, const u8 *addr,
struct rsn_pmksa_cache_entry *entry;
wpa_hexdump_key(MSG_DEBUG, "RSN: Cache PMK (3)", pmk, PMK_LEN);
wpa_hexdump_key(MSG_DEBUG, "RSN: Cache PMK (3)", pmk, pmk_len);
entry = pmksa_cache_auth_add(wpa_auth->pmksa, pmk, pmk_len, pmkid,
NULL, 0, wpa_auth->addr, addr, session_timeout,
NULL, akmp);


@@ -358,10 +358,10 @@ static int rsn_key_mgmt_to_bitfield(const u8 *s)
if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_802_1X_SUITE_B_192)
return WPA_KEY_MGMT_IEEE8021X_SUITE_B_192;
#endif
#ifdef CONFIG_OWE_STA
#if defined(CONFIG_OWE_STA) || defined(CONFIG_OWE_SOFTAP)
if(RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_OWE)
return WPA_KEY_MGMT_OWE;
#endif /* CONFIG_OWE_STA */
#endif /* CONFIG_OWE_STA || CONFIG_OWE_SOFTAP */
#ifdef CONFIG_DPP
if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_DPP)
return WPA_KEY_MGMT_DPP;
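Review bot: Widening the guard at L161 means an OWE-only SoftAP build now returns `WPA_KEY_MGMT_OWE` from rsn_key_mgmt_to_bitfield, so any other `#ifdef CONFIG_OWE_STA`-only site in this file that handles that bit (a selector write-back or AKM-to-string helper, if present) needs the same treatment, otherwise the AKM parses but cannot be emitted; I cannot verify those sites from this hunk. If the `defined(CONFIG_OWE_STA) || defined(CONFIG_OWE_SOFTAP)` pair recurs, deriving one shared macro for it in a common header (placeholder name `CONFIG_OWE_ANY`) would avoid repeating the condition. rsn_key_mgmt_to_bitfield starts before and ends after the hunk.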


@@ -157,7 +157,7 @@ Enhanced Open™ is used for providing security and privacy to users connecting
.. note::
{IDF_TARGET_NAME} supports Wi-Fi Enhanced Open™ (OWE Transition Mode + OWE Only) in station mode and (OWE Only) in softap mode.
{IDF_TARGET_NAME} supports Wi-Fi Enhanced Open™ in station mode for both OWE Transition Mode and OWE-only networks. In SoftAP mode, only **OWE-only** operation is supported; **OWE Transition Mode is not supported**.
Setting up OWE with {IDF_TARGET_NAME}
@@ -170,8 +170,4 @@ A configuration option :ref:`CONFIG_ESP_WIFI_ENABLE_WPA3_OWE_STA` and configurat
For softap mode :
A configuration option :ref:`CONFIG_ESP_WIFI_ENABLE_WPA3_OWE_SOFTAP` from menuconfig should be enabled and configuration parameter `authmode` from :cpp:type:`wifi_ap_config_t` should be set to ``WIFI_AUTH_OWE``.
.. note::
In softap mode, if the configuration option :ref:`CONFIG_ESP_WIFI_ENABLE_WPA3_OWE_SOFTAP` is enabled and authmode is set to ``WIFI_AUTH_OPEN``, authmode will be set to ``WIFI_AUTH_OWE`` internally.
A configuration option :ref:`CONFIG_ESP_WIFI_ENABLE_WPA3_OWE_SOFTAP` from menuconfig should be enabled and configuration parameter `authmode` from :cpp:type:`wifi_ap_config_t` should be set to ``WIFI_AUTH_OWE``. SoftAP does not support OWE Transition Mode; configure ``WIFI_AUTH_OWE`` only.


@@ -90,7 +90,7 @@ void wifi_init_softap(void)
.gtk_rekey_interval = EXAMPLE_GTK_REKEY_INTERVAL,
},
};
if (strlen(EXAMPLE_ESP_WIFI_PASS) == 0) {
if (strlen(EXAMPLE_ESP_WIFI_PASS) == 0 && wifi_config.ap.authmode != WIFI_AUTH_OWE) {
wifi_config.ap.authmode = WIFI_AUTH_OPEN;
}
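Review bot: The OWE exemption added at L191 is correct in effect but reads as a surprise next to the password check, since nothing says why an empty passphrase is acceptable for that mode; a comment such as `/* OWE has no passphrase; keep WIFI_AUTH_OWE instead of downgrading to open */` above the `if` would carry the reason. wifi_init_softap starts before the hunk, and the rendered hunk shows fewer lines than its header counts, so the surrounding context is partly hidden.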