authorJouni Malinen <jouni@codeaurora.org>2020-06-07 08:53:26 (GMT)
committerJouni Malinen <j@w1.fi>2020-06-07 08:55:16 (GMT)
commit9ad010c2908fab6ce6b8ffed449f3cec24172cce (patch)
tree86706881b18e8de5c816dd22c053383267c0eb20
parent85ca13ebcf155046bf9bf486c2f4f7e0e247fc2a (diff)
SAE-PK: Allow automatic SAE-PK to be disabled
This replaces the previously used sae_pk_only configuration parameter with a more generic sae_pk that can be used to specify how SAE-PK is negotiated. The default behavior (sae_pk=0) is to automatically negotiate SAE-PK whenever the AP supports it and the password is in appropriate format. sae_pk=1 allows only SAE-PK to be used and sae_pk=2 disables SAE-PK completely. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
-rw-r--r--wpa_supplicant/config.c2
-rw-r--r--wpa_supplicant/config_file.c2
-rw-r--r--wpa_supplicant/config_ssid.h19
-rw-r--r--wpa_supplicant/events.c2
-rw-r--r--wpa_supplicant/sme.c3
-rw-r--r--wpa_supplicant/wpa_supplicant.conf11
-rw-r--r--wpa_supplicant/wpas_glue.c4
7 files changed, 27 insertions, 16 deletions
diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
index 86373ad..a9726e2 100644
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -2582,7 +2582,7 @@ static const struct parse_data ssid_fields[] = {
{ INT_RANGE(ft_eap_pmksa_caching, 0, 1) },
{ INT_RANGE(beacon_prot, 0, 1) },
{ INT_RANGE(transition_disable, 0, 255) },
- { INT_RANGE(sae_pk_only, 0, 1) },
+ { INT_RANGE(sae_pk, 0, 2) },
};
#undef OFFSET
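Review bot: The `sae_pk_only` entry is dropped from `ssid_fields[]` with no alias, so a network block that still carries `sae_pk_only=1` no longer matches a known field. How the parser treats an unknown name is not visible in this hunk, but either outcome (a rejected configuration or an ignored line) changes the behaviour of a setup that relied on SAE-PK-only enforcement. I would record the migration next to the new entry, for example `/* sae_pk replaces sae_pk_only (sae_pk_only=1 -> sae_pk=1) */`, and mention it in the release notes.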
diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c
index 9a1c39c..1ca2548 100644
--- a/wpa_supplicant/config_file.c
+++ b/wpa_supplicant/config_file.c
@@ -937,7 +937,7 @@ static void wpa_config_write_network(FILE *f, struct wpa_ssid *ssid)
INT(ft_eap_pmksa_caching);
INT(beacon_prot);
INT(transition_disable);
- INT(sae_pk_only);
+ INT(sae_pk);
#ifdef CONFIG_HT_OVERRIDES
INT_DEF(disable_ht, DEFAULT_DISABLE_HT);
INT_DEF(disable_ht40, DEFAULT_DISABLE_HT40);
diff --git a/wpa_supplicant/config_ssid.h b/wpa_supplicant/config_ssid.h
index 730282f..2c08c02 100644
--- a/wpa_supplicant/config_ssid.h
+++ b/wpa_supplicant/config_ssid.h
@@ -62,6 +62,12 @@ enum wpas_mode {
WPAS_MODE_MESH = 5,
};
+enum sae_pk_mode {
+ SAE_PK_MODE_AUTOMATIC = 0,
+ SAE_PK_MODE_ONLY = 1,
+ SAE_PK_MODE_DISABLED = 2,
+};
+
/**
* struct wpa_ssid - Network configuration data
*
@@ -1123,13 +1129,14 @@ struct wpa_ssid {
u8 transition_disable;
/**
- * sae_pk_only - SAE-PK only mode (disable transition mode)
- *
- * 0 = enable transition mode (allow SAE authentication without SAE-PK)
- * 1 = disable transition mode (allow SAE authentication only with
- * SAE-PK)
+ * sae_pk - SAE-PK mode
+ * 0 = automatic SAE/SAE-PK selection based on password; enable
+ * transition mode (allow SAE authentication without SAE-PK)
+ * 1 = SAE-PK only (disable transition mode; allow SAE authentication
+ * only with SAE-PK)
+ * 2 = disable SAE-PK (allow SAE authentication only without SAE-PK)
*/
- int sae_pk_only;
+ enum sae_pk_mode sae_pk;
};
#endif /* CONFIG_SSID_H */
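Review bot: The field comment for `sae_pk` lists the three values but does not say which of them keeps the station from authenticating with plain SAE. By its own wording, 0 and 2 both allow SAE without SAE-PK and only 1 does not. One added line such as `* Only sae_pk=1 prevents authentication with SAE when SAE-PK is not used.` would make that explicit for someone choosing a value. The comment could also name `enum sae_pk_mode`, so the numeric values and the enumerators are documented in one place.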
diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c
index dd83ddc..99940d9 100644
--- a/wpa_supplicant/events.c
+++ b/wpa_supplicant/events.c
@@ -1367,7 +1367,7 @@ struct wpa_ssid * wpa_scan_res_match(struct wpa_supplicant *wpa_s,
#endif /* CONFIG_SAE */
#ifdef CONFIG_SAE_PK
- if (ssid->sae_pk_only &&
+ if (ssid->sae_pk == SAE_PK_MODE_ONLY &&
!(rsnxe_capa & BIT(WLAN_RSNX_CAPAB_SAE_PK))) {
if (debug_print)
wpa_dbg(wpa_s, MSG_DEBUG,
diff --git a/wpa_supplicant/sme.c b/wpa_supplicant/sme.c
index fa18f98..f45bab2 100644
--- a/wpa_supplicant/sme.c
+++ b/wpa_supplicant/sme.c
@@ -150,12 +150,13 @@ static struct wpabuf * sme_auth_build_sae_commit(struct wpa_supplicant *wpa_s,
use_pt = 1;
#ifdef CONFIG_SAE_PK
if ((rsnxe_capa & BIT(WLAN_RSNX_CAPAB_SAE_PK)) &&
+ ssid->sae_pk != SAE_PK_MODE_DISABLED &&
ssid->sae_password && sae_pk_valid_password(ssid->sae_password)) {
use_pt = 1;
use_pk = true;
}
- if (ssid->sae_pk_only && !use_pk) {
+ if (ssid->sae_pk == SAE_PK_MODE_ONLY && !use_pk) {
wpa_printf(MSG_DEBUG,
"SAE: Cannot use PK with the selected AP");
return NULL;
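Review bot: When `sae_pk` is automatic and the password passes `sae_pk_valid_password()`, but the AP does not set `WLAN_RSNX_CAPAB_SAE_PK`, `use_pk` stays false and nothing in this hunk records that an SAE-PK password is about to be used without SAE-PK. A debug line after the first `if` would make that fallback visible in logs, for example `if (!use_pk && ssid->sae_pk == SAE_PK_MODE_AUTOMATIC && ssid->sae_password && sae_pk_valid_password(ssid->sae_password))` followed by `wpa_printf(MSG_DEBUG, "SAE: SAE-PK password used without SAE-PK");`. The existing message "Cannot use PK with the selected AP" is also printed when the password format is the reason, so it could name both causes. The function continues outside the hunk, so the path taken after the fallback is presumed rather than seen.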
diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
index bf8a6dd..1250834 100644
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -1516,10 +1516,13 @@ fast_reauth=1
# bit 3 (0x08): Enhanced Open (disable use of open network; require
# OWE)
-# SAE-PK only mode (disable transition mode)
-# 0: enable transition mode (allow SAE authentication without SAE-PK)
-# 1: disable transition mode (allow SAE authentication only with SAE-PK)
-#sae_pk_only=0
+# SAE-PK mode
+# 0: automatic SAE/SAE-PK selection based on password; enable
+# transition mode (allow SAE authentication without SAE-PK)
+# 1: SAE-PK only (disable transition mode; allow SAE authentication
+# only with SAE-PK)
+# 2: disable SAE-PK (allow SAE authentication only without SAE-PK)
+#sae_pk=0
# MAC address policy
# 0 = use permanent MAC address
diff --git a/wpa_supplicant/wpas_glue.c b/wpa_supplicant/wpas_glue.c
index bafcb00..a9a66ba 100644
--- a/wpa_supplicant/wpas_glue.c
+++ b/wpa_supplicant/wpas_glue.c
@@ -1301,13 +1301,13 @@ static void wpa_supplicant_transition_disable(void *_wpa_s, u8 bitmap)
wpa_s->sme.sae.pk &&
#endif /* CONFIG_SME */
(ssid->key_mgmt & (WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_FT_SAE)) &&
- (!ssid->sae_pk_only ||
+ (ssid->sae_pk != SAE_PK_MODE_ONLY ||
ssid->ieee80211w != MGMT_FRAME_PROTECTION_REQUIRED ||
(ssid->group_cipher & WPA_CIPHER_TKIP))) {
wpa_printf(MSG_DEBUG,
"SAE-PK: SAE authentication without PK disabled based on AP notification");
disable_wpa_wpa2(ssid);
- ssid->sae_pk_only = 1;
+ ssid->sae_pk = SAE_PK_MODE_ONLY;
changed = 1;
}
#endif /* CONFIG_SAE */
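Review bot: The test `ssid->sae_pk != SAE_PK_MODE_ONLY` is true for `SAE_PK_MODE_DISABLED` as well as for automatic mode, so the assignment `ssid->sae_pk = SAE_PK_MODE_ONLY` can replace an explicit `sae_pk=2`. The `wpa_s->sme.sae.pk` term appears to rule that out, but it sits under `CONFIG_SME`, and the start of the condition is outside the hunk. If the override of a disabled setting is not intended, a guard such as `ssid->sae_pk != SAE_PK_MODE_DISABLED &&` would state it. If it is intended, a comment such as `/* AP notification overrides any configured sae_pk value */` would document it.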