authorJouni Malinen <jouni@codeaurora.org>2020-06-06 08:42:59 (GMT)
committerJouni Malinen <j@w1.fi>2020-06-06 12:18:13 (GMT)
commit1c846d647e13923cfd1170068e5c944606041656 (patch)
treed1089f93b0c5f5d6f1987e0cf6e94c03ef70124f
parentb96a4fa99650eac63497b707fb823a1a3065399b (diff)
SAE-PK: Allow SAE authentication without PK to be disabled
The new wpa_supplicant network profile parameter sae_pk_only=1 can now be used to disable use of SAE authentication without SAE-PK. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
-rw-r--r--wpa_supplicant/config.c1
-rw-r--r--wpa_supplicant/config_file.c1
-rw-r--r--wpa_supplicant/config_ssid.h9
-rw-r--r--wpa_supplicant/events.c23
-rw-r--r--wpa_supplicant/sme.c6
-rw-r--r--wpa_supplicant/wpa_supplicant.conf5
6 files changed, 42 insertions, 3 deletions
diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
index 49b25f1..86373ad 100644
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -2582,6 +2582,7 @@ static const struct parse_data ssid_fields[] = {
{ INT_RANGE(ft_eap_pmksa_caching, 0, 1) },
{ INT_RANGE(beacon_prot, 0, 1) },
{ INT_RANGE(transition_disable, 0, 255) },
+ { INT_RANGE(sae_pk_only, 0, 1) },
};
#undef OFFSET
diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c
index a69c4cc..9a1c39c 100644
--- a/wpa_supplicant/config_file.c
+++ b/wpa_supplicant/config_file.c
@@ -937,6 +937,7 @@ static void wpa_config_write_network(FILE *f, struct wpa_ssid *ssid)
INT(ft_eap_pmksa_caching);
INT(beacon_prot);
INT(transition_disable);
+ INT(sae_pk_only);
#ifdef CONFIG_HT_OVERRIDES
INT_DEF(disable_ht, DEFAULT_DISABLE_HT);
INT_DEF(disable_ht40, DEFAULT_DISABLE_HT40);
diff --git a/wpa_supplicant/config_ssid.h b/wpa_supplicant/config_ssid.h
index 1e2c322..730282f 100644
--- a/wpa_supplicant/config_ssid.h
+++ b/wpa_supplicant/config_ssid.h
@@ -1121,6 +1121,15 @@ struct wpa_ssid {
* OWE)
*/
u8 transition_disable;
+
+ /**
+ * sae_pk_only - SAE-PK only mode (disable transition mode)
+ *
+ * 0 = enable transition mode (allow SAE authentication without SAE-PK)
+ * 1 = disable transition mode (allow SAE authentication only with
+ * SAE-PK)
+ */
+ int sae_pk_only;
};
#endif /* CONFIG_SSID_H */
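Review bot: The doc comment on sae_pk_only says what the two values mean but not what the supplicant does with them, which is what a reader of this header needs; the other hunks in this commit show two effects that are worth stating here: during network selection a BSS whose RSNXE does not advertise SAE-PK is skipped, and the SAE commit is not built at all if SAE-PK cannot be used with the selected AP. A third line such as `* When set to 1, BSSs that do not advertise SAE-PK in their RSNXE are skipped and the SAE commit is not built unless SAE-PK is used.` would capture that. As a point of style, the field is declared `int` while the neighbouring `transition_disable` is `u8` and the parser restricts it to 0..1, so a `u8` (or a comment on why `int`) would keep the struct consistent.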
diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c
index f0f9189..dd83ddc 100644
--- a/wpa_supplicant/events.c
+++ b/wpa_supplicant/events.c
@@ -1094,6 +1094,9 @@ struct wpa_ssid * wpa_scan_res_match(struct wpa_supplicant *wpa_s,
const u8 *ie;
struct wpa_ssid *ssid;
int osen, rsn_osen = 0;
+#ifdef CONFIG_SAE
+ u8 rsnxe_capa = 0;
+#endif /* CONFIG_SAE */
#ifdef CONFIG_MBO
const u8 *assoc_disallow;
#endif /* CONFIG_MBO */
@@ -1113,6 +1116,12 @@ struct wpa_ssid * wpa_scan_res_match(struct wpa_supplicant *wpa_s,
ie = wpa_bss_get_vendor_ie(bss, OSEN_IE_VENDOR_TYPE);
osen = ie != NULL;
+#ifdef CONFIG_SAE
+ ie = wpa_bss_get_ie(bss, WLAN_EID_RSNX);
+ if (ie && ie[1] >= 1)
+ rsnxe_capa = ie[2];
+#endif /* CONFIG_SAE */
+
if (debug_print) {
wpa_dbg(wpa_s, MSG_DEBUG, "%d: " MACSTR
" ssid='%s' wpa_ie_len=%u rsn_ie_len=%u caps=0x%x level=%d freq=%d %s%s%s",
@@ -1349,9 +1358,7 @@ struct wpa_ssid * wpa_scan_res_match(struct wpa_supplicant *wpa_s,
if ((wpa_s->conf->sae_pwe == 1 || ssid->sae_password_id) &&
wpa_s->conf->sae_pwe != 3 &&
wpa_key_mgmt_sae(ssid->key_mgmt) &&
- (!(ie = wpa_bss_get_ie(bss, WLAN_EID_RSNX)) ||
- ie[1] < 1 ||
- !(ie[2] & BIT(WLAN_RSNX_CAPAB_SAE_H2E)))) {
+ !(rsnxe_capa & BIT(WLAN_RSNX_CAPAB_SAE_H2E))) {
if (debug_print)
wpa_dbg(wpa_s, MSG_DEBUG,
" skip - SAE H2E required, but not supported by the AP");
@@ -1359,6 +1366,16 @@ struct wpa_ssid * wpa_scan_res_match(struct wpa_supplicant *wpa_s,
}
#endif /* CONFIG_SAE */
+#ifdef CONFIG_SAE_PK
+ if (ssid->sae_pk_only &&
+ !(rsnxe_capa & BIT(WLAN_RSNX_CAPAB_SAE_PK))) {
+ if (debug_print)
+ wpa_dbg(wpa_s, MSG_DEBUG,
+ " skip - SAE-PK required, but not supported by the AP");
+ continue;
+ }
+#endif /* CONFIG_SAE_PK */
+
#ifndef CONFIG_IBSS_RSN
if (ssid->mode == WPAS_MODE_IBSS &&
!(ssid->key_mgmt & (WPA_KEY_MGMT_NONE |
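Review bot: The new sae_pk_only skip in the CONFIG_SAE_PK block is not gated on the profile using SAE key management, unlike the H2E check directly above it, which also tests `wpa_key_mgmt_sae(ssid->key_mgmt)`; as written, a profile that sets sae_pk_only=1 together with a non-SAE key_mgmt would reject every AP lacking the SAE-PK RSNXE bit. Adding the same guard, `if (ssid->sae_pk_only && wpa_key_mgmt_sae(ssid->key_mgmt) && !(rsnxe_capa & BIT(WLAN_RSNX_CAPAB_SAE_PK))) {`, keeps the two checks parallel. Note also that rsnxe_capa is declared and filled only under CONFIG_SAE in the earlier hunks of this file, so this block presumes CONFIG_SAE_PK is never built without CONFIG_SAE; if the build system does not enforce that, a comment here would help. Since rsnxe_capa comes from the scan-result IE, this filter can only act as a selection hint; the refusal in the SAE commit path is what actually enforces the policy. wpa_scan_res_match begins before the first hunk.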
diff --git a/wpa_supplicant/sme.c b/wpa_supplicant/sme.c
index 3ad0065..1d34783 100644
--- a/wpa_supplicant/sme.c
+++ b/wpa_supplicant/sme.c
@@ -154,6 +154,12 @@ static struct wpabuf * sme_auth_build_sae_commit(struct wpa_supplicant *wpa_s,
use_pt = 1;
use_pk = true;
}
+
+ if (ssid->sae_pk_only && !use_pk) {
+ wpa_printf(MSG_DEBUG,
+ "SAE: Cannot use PK with the selected AP");
+ return NULL;
+ }
#endif /* CONFIG_SAE_PK */
if (use_pt || wpa_s->conf->sae_pwe == 1 || wpa_s->conf->sae_pwe == 2) {
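Review bot: The debug message at the new `return NULL` describes the AP rather than the configured policy, and this is the point that actually enforces sae_pk_only (the scan-time filter in events.c only consults the AP's advertised RSNXE), so the log line should name the option to make the refusal diagnosable: `"SAE: sae_pk_only=1 but SAE-PK cannot be used with the selected AP"`. Whether every caller of sme_auth_build_sae_commit treats a NULL return as an authentication failure rather than a retry is not visible from this hunk and is worth confirming. sme_auth_build_sae_commit starts and ends outside the hunk.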
diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
index 3b90567..45a811f 100644
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -1472,6 +1472,11 @@ fast_reauth=1
# 2: do not allow PFS to be used
#dpp_pfs=0
+# SAE-PK only mode (disable transition mode)
+# 0: enable transition mode (allow SAE authentication without SAE-PK)
+# 1: disable transition mode (allow SAE authentication only with SAE-PK)
+#sae_pk_only=0
+
# MAC address policy
# 0 = use permanent MAC address
# 1 = use random MAC address for each ESS connection