From 2c3cd560c4938bd12e90b547d29823f8340db9ba Mon Sep 17 00:00:00 2001 From: "tarun.kumar" Date: Tue, 5 May 2026 20:42:27 +0530 Subject: [PATCH] fix(wifi) : Made changes based on more review comments MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit -Require STA DH IE for OWE associations. - Send failures using Association Response (no silent deauth-only path). - Include RSNE in OWE Association Response alongside DH Parameter IE. - Check wpabuf_resize return values when building OWE Assoc Response IEs. - Recognize OWE AKM in RSN IE when CONFIG_OWE_SOFTAP without CONFIG_OWE_STA. - Docs: SoftAP OWE-only; no transition mode; trim misleading OPEN→OWE note. --- components/esp_wifi/lib | 2 +- .../esp_supplicant/src/esp_hostap.c | 21 ++++++--- .../esp_supplicant/src/esp_owe.c | 44 +++++++++++++++++-- .../esp_supplicant/src/esp_owe_i.h | 18 +++++--- components/wpa_supplicant/src/ap/ieee802_11.c | 2 +- .../wpa_supplicant/src/common/wpa_common.c | 4 +- docs/en/api-guides/wifi-security.rst | 8 +--- .../softAP/main/softap_example_main.c | 2 +- 8 files changed, 73 insertions(+), 28 deletions(-) diff --git a/components/esp_wifi/lib b/components/esp_wifi/lib index 5bc1b234885..05dc7ac1d67 160000 --- a/components/esp_wifi/lib +++ b/components/esp_wifi/lib @@ -1 +1 @@ -Subproject commit 5bc1b234885938f265b75e7af3f1bb4036ef95ea +Subproject commit 05dc7ac1d67b3da59973df8238d634f66d686fef diff --git a/components/wpa_supplicant/esp_supplicant/src/esp_hostap.c b/components/wpa_supplicant/esp_supplicant/src/esp_hostap.c index 9e5e62f855f..0ae318b047f 100644 --- a/components/wpa_supplicant/esp_supplicant/src/esp_hostap.c +++ b/components/wpa_supplicant/esp_supplicant/src/esp_hostap.c @@ -507,14 +507,21 @@ bool hostap_new_assoc_sta(struct sta_info *sta, uint8_t *bssid, #ifdef CONFIG_OWE_SOFTAP uint8_t owe_enabled = esp_wifi_ap_get_owe_config_internal(); if (status == WLAN_STATUS_SUCCESS && - hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE && + (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) && sta->wpa_sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE && - assoc_req->owe_dh && owe_enabled) { - status = owe_process_assoc_req(hapd, sta, assoc_req->owe_dh, assoc_req->owe_ie_len); - if (status == WLAN_STATUS_UNSPECIFIED_FAILURE) { - *reason = wpa_status_to_reason_code(status); - wpa_printf(MSG_ERROR, "OWE : Failed to process assoc req status %d", status); - return false; + owe_enabled) { + if (!assoc_req->owe_dh || assoc_req->owe_ie_len == 0) { + wpa_printf(MSG_ERROR, + "OWE: Association request missing DH Parameter element"); + status = WLAN_STATUS_AKMP_NOT_VALID; + } else { + status = owe_process_assoc_req(hapd, sta, assoc_req->owe_dh, + assoc_req->owe_ie_len); + if (status != WLAN_STATUS_SUCCESS) { + wpa_printf(MSG_ERROR, + "OWE: Failed to process assoc req status %d", + status); + } } } #endif /* CONFIG_OWE_SOFTAP */ diff --git a/components/wpa_supplicant/esp_supplicant/src/esp_owe.c b/components/wpa_supplicant/esp_supplicant/src/esp_owe.c index 13630625eae..99d43c6b7fe 100644 --- a/components/wpa_supplicant/esp_supplicant/src/esp_owe.c +++ b/components/wpa_supplicant/esp_supplicant/src/esp_owe.c @@ -60,7 +60,7 @@ struct wpabuf *esp_owe_build_assoc_resp_dhie(struct hostapd_data *hapd, const u8 return NULL; } - struct wpabuf *owe_buf = wpabuf_alloc(hapd->wpa_auth->wpa_ie_len); + struct wpabuf *owe_buf = wpabuf_alloc(OWE_IE_INIT_LEN); if (!owe_buf) { wpa_printf(MSG_ERROR, "Memory allocation failed for OWE IE"); return NULL; @@ -68,29 +68,65 @@ struct wpabuf *esp_owe_build_assoc_resp_dhie(struct hostapd_data *hapd, const u8 // If PMKSA caching is used, write and return only RSN IE with PMKID if (sta->wpa_sm && sta->wpa_sm->pmksa) { - u8 *pos, buf[128]; + u8 *pos, buf[257]; pos = buf; wpa_printf(MSG_DEBUG, "OWE: Using PMKSA caching for Assoc Resp"); pos = wpa_auth_write_assoc_resp_owe(hapd, sta->wpa_sm, pos, buf + sizeof(buf) - pos); - wpabuf_resize(&owe_buf, pos - buf); + if (wpabuf_resize(&owe_buf, pos - buf) < 0) { + wpa_printf(MSG_ERROR, "OWE: wpabuf_resize failed for PMKSA assoc resp"); + wpabuf_free(owe_buf); + *owe_ie_len = 0; + return NULL; + } wpabuf_put_data(owe_buf, buf, pos - buf); *owe_ie_len = pos - buf; return owe_buf; } if (sta->owe_ecdh) { + if (!sta->wpa_sm) { + wpa_printf(MSG_ERROR, "OWE: Missing WPA state machine for assoc resp"); + wpabuf_free(owe_buf); + *owe_ie_len = 0; + return NULL; + } + + u8 buf[257]; + u8 *pos = buf; + + pos = wpa_auth_write_assoc_resp_owe(hapd, sta->wpa_sm, pos, + buf + sizeof(buf) - pos); + size_t rsne_len = (size_t)(pos - buf); + + if (rsne_len == 0 || pos > buf + sizeof(buf)) { + wpa_printf(MSG_ERROR, "OWE: Failed to write RSN IE for assoc resp"); + wpabuf_free(owe_buf); + *owe_ie_len = 0; + return NULL; + } + pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0); if (!pub) { wpabuf_free(owe_buf); + *owe_ie_len = 0; return NULL; } wpa_hexdump_buf(MSG_DEBUG, "Own public key", pub); - wpabuf_resize(&owe_buf, OWE_DHIE_LEN); + size_t dh_len = 5 + wpabuf_len(pub); + + if (wpabuf_resize(&owe_buf, rsne_len + dh_len) < 0) { + wpa_printf(MSG_ERROR, "OWE: wpabuf_resize failed for assoc resp IEs"); + wpabuf_free(pub); + wpabuf_free(owe_buf); + *owe_ie_len = 0; + return NULL; + } + wpabuf_put_data(owe_buf, buf, rsne_len); wpabuf_put_u8(owe_buf, WLAN_EID_EXTENSION); wpabuf_put_u8(owe_buf, 1 + 2 + wpabuf_len(pub)); wpabuf_put_u8(owe_buf, WLAN_EID_EXT_OWE_DH_PARAM); diff --git a/components/wpa_supplicant/esp_supplicant/src/esp_owe_i.h b/components/wpa_supplicant/esp_supplicant/src/esp_owe_i.h index fc32924d1d7..971bddd6a56 100644 --- a/components/wpa_supplicant/esp_supplicant/src/esp_owe_i.h +++ b/components/wpa_supplicant/esp_supplicant/src/esp_owe_i.h @@ -26,13 +26,19 @@ void esp_wifi_register_owe_cb(struct wpa_funcs *wpa_cb); #include "ap/hostapd.h" /* -OWE_DHIE_LEN = 1 byte {WLAN_EID_EXTENSION} - + 1 byte {len of DHIE (1(pub_key len) + 2(dh group) + 32(len of pub_key)) = 35)} - + 1 byte {pub_key len} - + 2 bytes {DH group} - + 32 bytes {public key} -*/ + * OWE_DHIE_LEN: DH Parameter element length for group 19 (secp256r1). + * + * Wire format (IEEE 802.11 Extension element): + * byte 1 WLAN_EID_EXTENSION + * byte 2 length of remainder (extension ID + group + pubkey), typically 35 + * byte 3 WLAN_EID_EXT_OWE_DH_PARAM (extension element ID) + * bytes 4–5 DH group ID (little-endian), e.g. IANA_SECP256R1 (19) + * bytes 6–37 DH public key (32 octets for this group/key representation) + * + * Total = 2 + 35 = 37 octets. + */ #define OWE_DHIE_LEN 37 +#define OWE_IE_INIT_LEN (257 + OWE_DHIE_LEN) /* RSNE + DH IE */ struct wpabuf *esp_owe_build_assoc_resp_dhie(struct hostapd_data *hapd, const u8 *bssid, int *owe_ie_len); #endif /* CONFIG_OWE_SOFTAP */ diff --git a/components/wpa_supplicant/src/ap/ieee802_11.c b/components/wpa_supplicant/src/ap/ieee802_11.c index e59339e917c..187c6757a6e 100644 --- a/components/wpa_supplicant/src/ap/ieee802_11.c +++ b/components/wpa_supplicant/src/ap/ieee802_11.c @@ -793,7 +793,7 @@ int wpa_auth_pmksa_add2(struct wpa_authenticator *wpa_auth, const u8 *addr, struct rsn_pmksa_cache_entry *entry; - wpa_hexdump_key(MSG_DEBUG, "RSN: Cache PMK (3)", pmk, PMK_LEN); + wpa_hexdump_key(MSG_DEBUG, "RSN: Cache PMK (3)", pmk, pmk_len); entry = pmksa_cache_auth_add(wpa_auth->pmksa, pmk, pmk_len, pmkid, NULL, 0, wpa_auth->addr, addr, session_timeout, NULL, akmp); diff --git a/components/wpa_supplicant/src/common/wpa_common.c b/components/wpa_supplicant/src/common/wpa_common.c index a8448a7c2a9..2b83b5801ca 100644 --- a/components/wpa_supplicant/src/common/wpa_common.c +++ b/components/wpa_supplicant/src/common/wpa_common.c @@ -358,10 +358,10 @@ static int rsn_key_mgmt_to_bitfield(const u8 *s) if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_802_1X_SUITE_B_192) return WPA_KEY_MGMT_IEEE8021X_SUITE_B_192; #endif -#ifdef CONFIG_OWE_STA +#if defined(CONFIG_OWE_STA) || defined(CONFIG_OWE_SOFTAP) if(RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_OWE) return WPA_KEY_MGMT_OWE; -#endif /* CONFIG_OWE_STA */ +#endif /* CONFIG_OWE_STA || CONFIG_OWE_SOFTAP */ #ifdef CONFIG_DPP if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_DPP) return WPA_KEY_MGMT_DPP; diff --git a/docs/en/api-guides/wifi-security.rst b/docs/en/api-guides/wifi-security.rst index fc6f77625d7..0040f106258 100644 --- a/docs/en/api-guides/wifi-security.rst +++ b/docs/en/api-guides/wifi-security.rst @@ -157,7 +157,7 @@ Enhanced Open™ is used for providing security and privacy to users connecting .. note:: - {IDF_TARGET_NAME} supports Wi-Fi Enhanced Open™ (OWE Transition Mode + OWE Only) in station mode and (OWE Only) in softap mode. + {IDF_TARGET_NAME} supports Wi-Fi Enhanced Open™ in station mode for both OWE Transition Mode and OWE-only networks. In SoftAP mode, only **OWE-only** operation is supported; **OWE Transition Mode is not supported**. Setting up OWE with {IDF_TARGET_NAME} @@ -170,8 +170,4 @@ A configuration option :ref:`CONFIG_ESP_WIFI_ENABLE_WPA3_OWE_STA` and configurat For softap mode : -A configuration option :ref:`CONFIG_ESP_WIFI_ENABLE_WPA3_OWE_SOFTAP` from menuconfig should be enabled and configuration parameter `authmode` from :cpp:type:`wifi_ap_config_t` should be set to ``WIFI_AUTH_OWE``. - -.. note:: - - In softap mode, if the configuration option :ref:`CONFIG_ESP_WIFI_ENABLE_WPA3_OWE_SOFTAP` is enabled and authmode is set to ``WIFI_AUTH_OPEN``, authmode will be set to ``WIFI_AUTH_OWE`` internally. +A configuration option :ref:`CONFIG_ESP_WIFI_ENABLE_WPA3_OWE_SOFTAP` from menuconfig should be enabled and configuration parameter `authmode` from :cpp:type:`wifi_ap_config_t` should be set to ``WIFI_AUTH_OWE``. SoftAP does not support OWE Transition Mode; configure ``WIFI_AUTH_OWE`` only. diff --git a/examples/wifi/getting_started/softAP/main/softap_example_main.c b/examples/wifi/getting_started/softAP/main/softap_example_main.c index c2bca87431a..9e450fbe080 100644 --- a/examples/wifi/getting_started/softAP/main/softap_example_main.c +++ b/examples/wifi/getting_started/softAP/main/softap_example_main.c @@ -90,7 +90,7 @@ void wifi_init_softap(void) .gtk_rekey_interval = EXAMPLE_GTK_REKEY_INTERVAL, }, }; - if (strlen(EXAMPLE_ESP_WIFI_PASS) == 0) { + if (strlen(EXAMPLE_ESP_WIFI_PASS) == 0 && wifi_config.ap.authmode != WIFI_AUTH_OWE) { wifi_config.ap.authmode = WIFI_AUTH_OPEN; }