From 1c846d647e13923cfd1170068e5c944606041656 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sat, 6 Jun 2020 11:42:59 +0300
Subject: [PATCH] SAE-PK: Allow SAE authentication without PK to be disabled

The new wpa_supplicant network profile parameter sae_pk_only=1 can now be used to disable use of SAE authentication without SAE-PK.

Signed-off-by: Jouni Malinen
---
 wpa_supplicant/config.c | 1 +
 wpa_supplicant/config_file.c | 1 +
 wpa_supplicant/config_ssid.h | 9 +++++++++
 wpa_supplicant/events.c | 23 ++++++++++++++++++++---
 wpa_supplicant/sme.c | 6 ++++++
 wpa_supplicant/wpa_supplicant.conf | 5 +++++
 6 files changed, 42 insertions(+), 3 deletions(-)

diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
index 49b25f124..86373ad05 100644
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -2582,6 +2582,7 @@ static const struct parse_data ssid_fields[] = {
 { INT_RANGE(ft_eap_pmksa_caching, 0, 1) },
 { INT_RANGE(beacon_prot, 0, 1) },
 { INT_RANGE(transition_disable, 0, 255) },
+ { INT_RANGE(sae_pk_only, 0, 1) },
 };
 #undef OFFSET
diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c
index a69c4cc6d..9a1c39cc7 100644
--- a/wpa_supplicant/config_file.c
+++ b/wpa_supplicant/config_file.c
@@ -937,6 +937,7 @@ static void wpa_config_write_network(FILE *f, struct wpa_ssid *ssid)
 INT(ft_eap_pmksa_caching);
 INT(beacon_prot);
 INT(transition_disable);
+ INT(sae_pk_only);
 #ifdef CONFIG_HT_OVERRIDES
 INT_DEF(disable_ht, DEFAULT_DISABLE_HT);
 INT_DEF(disable_ht40, DEFAULT_DISABLE_HT40);
diff --git a/wpa_supplicant/config_ssid.h b/wpa_supplicant/config_ssid.h
index 1e2c32268..730282f3b 100644
--- a/wpa_supplicant/config_ssid.h
+++ b/wpa_supplicant/config_ssid.h
@@ -1121,6 +1121,15 @@ struct wpa_ssid {
 * OWE)
 */
 u8 transition_disable;
+
+ /**
+ * sae_pk_only - SAE-PK only mode (disable transition mode)
+
+ * 0 = enable transition mode (allow SAE authentication without SAE-PK)
+ * 1 = disable transition mode (allow SAE authentication only with
+ SAE-PK)
+ */
+ int sae_pk_only;
 };
 #endif /* CONFIG_SSID_H */
diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c
index f0f91892f..dd83ddce2 100644
--- a/wpa_supplicant/events.c
+++ b/wpa_supplicant/events.c
@@ -1094,6 +1094,9 @@ struct wpa_ssid * wpa_scan_res_match(struct wpa_supplicant *wpa_s,
 const u8 *ie;
 struct wpa_ssid *ssid;
 int osen, rsn_osen = 0;
+#ifdef CONFIG_SAE
+ u8 rsnxe_capa = 0;
+#endif /* CONFIG_SAE */
 #ifdef CONFIG_MBO
 const u8 *assoc_disallow;
 #endif /* CONFIG_MBO */
@@ -1113,6 +1116,12 @@ struct wpa_ssid * wpa_scan_res_match(struct wpa_supplicant *wpa_s,
 ie = wpa_bss_get_vendor_ie(bss, OSEN_IE_VENDOR_TYPE);
 osen = ie != NULL;
+#ifdef CONFIG_SAE
+ ie = wpa_bss_get_ie(bss, WLAN_EID_RSNX);
+ if (ie && ie[1] >= 1)
+ rsnxe_capa = ie[2];
+#endif /* CONFIG_SAE */
+
 if (debug_print) {
 wpa_dbg(wpa_s, MSG_DEBUG, "%d: " MACSTR " ssid='%s' wpa_ie_len=%u rsn_ie_len=%u caps=0x%x level=%d freq=%d %s%s%s",
@@ -1349,9 +1358,7 @@ struct wpa_ssid * wpa_scan_res_match(struct wpa_supplicant *wpa_s,
 if ((wpa_s->conf->sae_pwe == 1 || ssid->sae_password_id) &&
 wpa_s->conf->sae_pwe != 3 &&
 wpa_key_mgmt_sae(ssid->key_mgmt) &&
- (!(ie = wpa_bss_get_ie(bss, WLAN_EID_RSNX)) ||
- ie[1] < 1 ||
- !(ie[2] & BIT(WLAN_RSNX_CAPAB_SAE_H2E)))) {
+ !(rsnxe_capa & BIT(WLAN_RSNX_CAPAB_SAE_H2E))) {
 if (debug_print)
 wpa_dbg(wpa_s, MSG_DEBUG,
 " skip - SAE H2E required, but not supported by the AP");
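Review bot: The octet cached into rsnxe_capa in the second events.c hunk is read from the BSS's Beacon/Probe Response, which is not authenticated at scan time, and the code silently relies on the initializer `u8 rsnxe_capa = 0;` to make every later capability test fail closed when the RSNXE is missing or empty; that reasoning deserves a comment on the assignment, e.g. `/* First RSNXE capability octet from the (unprotected) scan result; stays 0 when the element is absent so the capability checks below fail closed */`. Only ie[2] is copied, so capability bits in any later octet are invisible to the checks, which is enough for the H2E and SAE-PK bits this function tests but worth stating. The H2E refactor in the third hunk is equivalent to the removed three-line condition only because an absent element leaves rsnxe_capa at 0; `ie` is no longer assigned inside that condition, so if anything after this point in wpa_scan_res_match still expected `ie` to point at the RSNXE it now sees whatever the earlier lookup left, which is outside the hunk and worth confirming.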
@@ -1359,6 +1366,16 @@ struct wpa_ssid * wpa_scan_res_match(struct wpa_supplicant *wpa_s,
 }
 #endif /* CONFIG_SAE */
+#ifdef CONFIG_SAE_PK
+ if (ssid->sae_pk_only &&
+ !(rsnxe_capa & BIT(WLAN_RSNX_CAPAB_SAE_PK))) {
+ if (debug_print)
+ wpa_dbg(wpa_s, MSG_DEBUG,
+ " skip - SAE-PK required, but not supported by the AP");
+ continue;
+ }
+#endif /* CONFIG_SAE_PK */
+
 #ifndef CONFIG_IBSS_RSN
 if (ssid->mode == WPAS_MODE_IBSS &&
 !(ssid->key_mgmt & (WPA_KEY_MGMT_NONE |
diff --git a/wpa_supplicant/sme.c b/wpa_supplicant/sme.c
index 3ad006528..1d347839a 100644
--- a/wpa_supplicant/sme.c
+++ b/wpa_supplicant/sme.c
@@ -154,6 +154,12 @@ static struct wpabuf * sme_auth_build_sae_commit(struct wpa_supplicant *wpa_s,
 use_pt = 1;
 use_pk = true;
 }
+
+ if (ssid->sae_pk_only && !use_pk) {
+ wpa_printf(MSG_DEBUG,
+ "SAE: Cannot use PK with the selected AP");
+ return NULL;
+ }
 #endif /* CONFIG_SAE_PK */
 if (use_pt || wpa_s->conf->sae_pwe == 1 || wpa_s->conf->sae_pwe == 2) {
diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
index 3b9056770..45a811f64 100644
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -1472,6 +1472,11 @@ fast_reauth=1
 # 2: do not allow PFS to be used
 #dpp_pfs=0
+# SAE-PK only mode (disable transition mode)
+# 0: enable transition mode (allow SAE authentication without SAE-PK)
+# 1: disable transition mode (allow SAE authentication only with SAE-PK)
+#sae_pk_only=0
+
 # MAC address policy
 # 0 = use permanent MAC address
 # 1 = use random MAC address for each ESS connection
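Review bot: The new sae_pk_only check in the events.c hunk here is not gated on `wpa_key_mgmt_sae(ssid->key_mgmt)` the way the SAE H2E check directly above it is, so a profile that sets sae_pk_only=1 together with a non-SAE key_mgmt would skip every BSS that does not advertise SAE-PK instead of ignoring the parameter; if the option is meant to be SAE-specific, `if (ssid->sae_pk_only && wpa_key_mgmt_sae(ssid->key_mgmt) && !(rsnxe_capa & BIT(WLAN_RSNX_CAPAB_SAE_PK))) {` keeps the two checks consistent. The block is under `#ifdef CONFIG_SAE_PK` but reads rsnxe_capa, which the first events.c hunk declares under `#ifdef CONFIG_SAE`; presumably the build makes CONFIG_SAE_PK imply CONFIG_SAE, but that dependency is not visible in the patch and would otherwise be a compile error. Since the capability bit comes from the unprotected scan result, a stripped or missing bit can only make the station skip that BSS, never fall back to SAE without PK, which is the safe direction for this policy; a one-line comment saying so on the `continue;` would help the next reader. The enclosing loop body of wpa_scan_res_match starts and ends outside the hunk.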
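Review bot: The `if (ssid->sae_pk_only && !use_pk)` guard in sme_auth_build_sae_commit is the last line of defense for the SAE-PK-only policy, since wpa_scan_res_match already filters BSSs that do not advertise SAE-PK, yet nothing in the code says the duplication is deliberate; a comment such as `/* sae_pk_only: never build a commit without PK, even if this BSS reached us through a path that skipped scan-result filtering */` would record the intent and keep a future cleanup from removing one of the two checks. The debug message `"SAE: Cannot use PK with the selected AP"` states the situation but not why authentication is being refused; `"SAE: sae_pk_only=1 and PK cannot be used with the selected AP - refusing SAE without PK"` would make the log self-explanatory during incident review. The condition that sets use_pk and the caller's handling of the NULL return are outside the hunk, so whether this produces a clean connection failure rather than a retry loop cannot be confirmed from here; sme_auth_build_sae_commit starts and ends outside the hunk.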