diff --git a/hostapd/config_file.c b/hostapd/config_file.c index 8dc267ef2..b04c65570 100644 --- a/hostapd/config_file.c +++ b/hostapd/config_file.c @@ -674,8 +674,12 @@ static int hostapd_config_parse_key_mgmt(int line, const char *value) #ifdef CONFIG_SAE else if (os_strcmp(start, "SAE") == 0) val |= WPA_KEY_MGMT_SAE; + else if (os_strcmp(start, "SAE-EXT-KEY") == 0) + val |= WPA_KEY_MGMT_SAE_EXT_KEY; else if (os_strcmp(start, "FT-SAE") == 0) val |= WPA_KEY_MGMT_FT_SAE; + else if (os_strcmp(start, "FT-SAE-EXT-KEY") == 0) + val |= WPA_KEY_MGMT_FT_SAE_EXT_KEY; #endif /* CONFIG_SAE */ #ifdef CONFIG_SUITEB else if (os_strcmp(start, "WPA-EAP-SUITE-B") == 0) diff --git a/hostapd/ctrl_iface.c b/hostapd/ctrl_iface.c index 32ab3019f..558293095 100644 --- a/hostapd/ctrl_iface.c +++ b/hostapd/ctrl_iface.c @@ -861,6 +861,12 @@ static int hostapd_ctrl_iface_get_key_mgmt(struct hostapd_data *hapd, return pos - buf; pos += ret; } + if (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_FT_SAE_EXT_KEY) { + ret = os_snprintf(pos, end - pos, "FT-SAE-EXT-KEY "); + if (os_snprintf_error(end - pos, ret)) + return pos - buf; + pos += ret; + } #endif /* CONFIG_SAE */ #ifdef CONFIG_FILS if (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_FT_FILS_SHA256) { @@ -896,6 +902,12 @@ static int hostapd_ctrl_iface_get_key_mgmt(struct hostapd_data *hapd, return pos - buf; pos += ret; } + if (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_SAE_EXT_KEY) { + ret = os_snprintf(pos, end - pos, "SAE-EXT-KEY "); + if (os_snprintf_error(end - pos, ret)) + return pos - buf; + pos += ret; + } #endif /* CONFIG_SAE */ if (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_IEEE8021X_SUITE_B) { ret = os_snprintf(pos, end - pos, "WPA-EAP-SUITE-B "); diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c index 8806a585a..1d4e5c5be 100644 --- a/src/ap/ieee802_11.c +++ b/src/ap/ieee802_11.c 
@@ -4686,7 +4686,7 @@ static int check_assoc_ies(struct hostapd_data *hapd, struct sta_info *sta, sta->auth_alg == WLAN_AUTH_OPEN) { struct rsn_pmksa_cache_entry *sa; sa = wpa_auth_sta_get_pmksa(sta->wpa_sm); - if (!sa || sa->akmp != WPA_KEY_MGMT_SAE) { + if (!sa || !wpa_key_mgmt_sae(sa->akmp)) { wpa_printf(MSG_DEBUG, "SAE: No PMKSA cache entry found for " MACSTR, MAC2STR(sta->addr)); diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c index 705517b16..0776fae1a 100644 --- a/src/ap/wpa_auth.c +++ b/src/ap/wpa_auth.c @@ -5267,7 +5267,8 @@ int wpa_auth_uses_ft_sae(struct wpa_state_machine *sm) { if (!sm) return 0; - return sm->wpa_key_mgmt == WPA_KEY_MGMT_FT_SAE; + return sm->wpa_key_mgmt == WPA_KEY_MGMT_FT_SAE || + sm->wpa_key_mgmt == WPA_KEY_MGMT_FT_SAE_EXT_KEY; } diff --git a/src/ap/wpa_auth_ie.c b/src/ap/wpa_auth_ie.c index 524922e4e..ee7383c51 100644 --- a/src/ap/wpa_auth_ie.c +++ b/src/ap/wpa_auth_ie.c @@ -228,11 +228,21 @@ int wpa_write_rsn_ie(struct wpa_auth_config *conf, u8 *buf, size_t len, pos += RSN_SELECTOR_LEN; num_suites++; } + if (conf->wpa_key_mgmt & WPA_KEY_MGMT_SAE_EXT_KEY) { + RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_SAE_EXT_KEY); + pos += RSN_SELECTOR_LEN; + num_suites++; + } if (conf->wpa_key_mgmt & WPA_KEY_MGMT_FT_SAE) { RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_SAE); pos += RSN_SELECTOR_LEN; num_suites++; } + if (conf->wpa_key_mgmt & WPA_KEY_MGMT_FT_SAE_EXT_KEY) { + RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_SAE_EXT_KEY); + pos += RSN_SELECTOR_LEN; + num_suites++; + } #endif /* CONFIG_SAE */ if (conf->wpa_key_mgmt & WPA_KEY_MGMT_IEEE8021X_SUITE_B) { RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_802_1X_SUITE_B); 
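Review bot: The relaxed test `!wpa_key_mgmt_sae(sa->akmp)` in check_assoc_ies accepts a PMKSA entry made under any SAE-family AKM, including the FT variants that the old `sa->akmp != WPA_KEY_MGMT_SAE` comparison rejected, and nothing visible ties the entry to the AKM negotiated for this association. If no other code enforces that match, a cache entry created under one SAE AKM could satisfy the open-authentication PMKSA-caching path for a different one. Consider `if (!sa || !wpa_key_mgmt_sae(sa->akmp) || sa->akmp != wpa_auth_sta_key_mgmt(sta->wpa_sm)) {`, or add a comment naming where the match is enforced. The function starts and ends outside the hunk, so such a check may already exist out of view.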
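Review bot: The two new branches in wpa_write_rsn_ie each write RSN_SELECTOR_LEN bytes at `pos` with no comparison against `buf + len` visible in the hunk, and together they raise the worst-case AKM suite list by eight bytes. Whether every caller's buffer has that headroom cannot be confirmed from here, since the function starts and ends outside the hunk. Either confirm the callers' buffer sizes or guard each write, for example `if (pos + RSN_SELECTOR_LEN > buf + len) return -1;` before the `RSN_SELECTOR_PUT`, assuming a negative return is how this function already reports failure.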
@@ -670,8 +680,12 @@ wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth, #ifdef CONFIG_SAE else if (data.key_mgmt & WPA_KEY_MGMT_SAE) selector = RSN_AUTH_KEY_MGMT_SAE; + else if (data.key_mgmt & WPA_KEY_MGMT_SAE_EXT_KEY) + selector = RSN_AUTH_KEY_MGMT_SAE_EXT_KEY; else if (data.key_mgmt & WPA_KEY_MGMT_FT_SAE) selector = RSN_AUTH_KEY_MGMT_FT_SAE; + else if (data.key_mgmt & WPA_KEY_MGMT_FT_SAE_EXT_KEY) + selector = RSN_AUTH_KEY_MGMT_FT_SAE_EXT_KEY; #endif /* CONFIG_SAE */ else if (data.key_mgmt & WPA_KEY_MGMT_IEEE8021X) selector = RSN_AUTH_KEY_MGMT_UNSPEC_802_1X; @@ -778,8 +792,12 @@ wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth, #ifdef CONFIG_SAE else if (key_mgmt & WPA_KEY_MGMT_SAE) sm->wpa_key_mgmt = WPA_KEY_MGMT_SAE; + else if (key_mgmt & WPA_KEY_MGMT_SAE_EXT_KEY) + sm->wpa_key_mgmt = WPA_KEY_MGMT_SAE_EXT_KEY; else if (key_mgmt & WPA_KEY_MGMT_FT_SAE) sm->wpa_key_mgmt = WPA_KEY_MGMT_FT_SAE; + else if (key_mgmt & WPA_KEY_MGMT_FT_SAE_EXT_KEY) + sm->wpa_key_mgmt = WPA_KEY_MGMT_FT_SAE_EXT_KEY; #endif /* CONFIG_SAE */ else if (key_mgmt & WPA_KEY_MGMT_IEEE8021X) sm->wpa_key_mgmt = WPA_KEY_MGMT_IEEE8021X; diff --git a/src/common/defs.h b/src/common/defs.h index 4e6305382..3c21ab4c1 100644 --- a/src/common/defs.h +++ b/src/common/defs.h @@ -50,12 +50,15 @@ #define WPA_KEY_MGMT_DPP BIT(23) #define WPA_KEY_MGMT_FT_IEEE8021X_SHA384 BIT(24) #define WPA_KEY_MGMT_PASN BIT(25) +#define WPA_KEY_MGMT_SAE_EXT_KEY BIT(26) +#define WPA_KEY_MGMT_FT_SAE_EXT_KEY BIT(27) #define WPA_KEY_MGMT_FT (WPA_KEY_MGMT_FT_PSK | \ WPA_KEY_MGMT_FT_IEEE8021X | \ WPA_KEY_MGMT_FT_IEEE8021X_SHA384 | \ WPA_KEY_MGMT_FT_SAE | \ + WPA_KEY_MGMT_FT_SAE_EXT_KEY | \ WPA_KEY_MGMT_FT_FILS_SHA256 | \ WPA_KEY_MGMT_FT_FILS_SHA384) 
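Review bot: In both wpa_validate_wpa_ie chains (the `selector` choice in this hunk and the `sm->wpa_key_mgmt` assignment in the next one), WPA_KEY_MGMT_SAE is tested before WPA_KEY_MGMT_SAE_EXT_KEY, so an RSNE carrying both bits resolves to the older AKM. The supplicant side of this commit (wpa_supplicant_set_suites) tests the ext-key suites first, so the two ends disagree on preference. If more than one AKM bit can be set at this point, consider moving the `_EXT_KEY` branches ahead of their plain counterparts; otherwise add a comment such as `/* exactly one AKM bit is set here, so order does not matter */`. wpa_akm_to_suite in src/common/wpa_common.c has the same ordering.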
@@ -88,7 +91,9 @@ static inline int wpa_key_mgmt_wpa_psk(int akm) WPA_KEY_MGMT_FT_PSK | WPA_KEY_MGMT_PSK_SHA256 | WPA_KEY_MGMT_SAE | - WPA_KEY_MGMT_FT_SAE)); + WPA_KEY_MGMT_SAE_EXT_KEY | + WPA_KEY_MGMT_FT_SAE | + WPA_KEY_MGMT_FT_SAE_EXT_KEY)); } static inline int wpa_key_mgmt_ft(int akm) @@ -111,7 +116,15 @@ static inline int wpa_key_mgmt_ft_psk(int akm) static inline int wpa_key_mgmt_sae(int akm) { return !!(akm & (WPA_KEY_MGMT_SAE | - WPA_KEY_MGMT_FT_SAE)); + WPA_KEY_MGMT_SAE_EXT_KEY | + WPA_KEY_MGMT_FT_SAE | + WPA_KEY_MGMT_FT_SAE_EXT_KEY)); +} + +static inline int wpa_key_mgmt_sae_ext_key(int akm) +{ + return !!(akm & (WPA_KEY_MGMT_SAE_EXT_KEY | + WPA_KEY_MGMT_FT_SAE_EXT_KEY)); } static inline int wpa_key_mgmt_fils(int akm) diff --git a/src/common/wpa_common.c b/src/common/wpa_common.c index 587cd88b2..85db3f22c 100644 --- a/src/common/wpa_common.c +++ b/src/common/wpa_common.c @@ -1479,8 +1479,12 @@ static int rsn_key_mgmt_to_bitfield(const u8 *s) #ifdef CONFIG_SAE if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_SAE) return WPA_KEY_MGMT_SAE; + if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_SAE_EXT_KEY) + return WPA_KEY_MGMT_SAE_EXT_KEY; if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_SAE) return WPA_KEY_MGMT_FT_SAE; + if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_SAE_EXT_KEY) + return WPA_KEY_MGMT_FT_SAE_EXT_KEY; #endif /* CONFIG_SAE */ if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_802_1X_SUITE_B) return WPA_KEY_MGMT_IEEE8021X_SUITE_B; @@ -2379,8 +2383,12 @@ const char * wpa_key_mgmt_txt(int key_mgmt, int proto) return "WPS"; case WPA_KEY_MGMT_SAE: return "SAE"; + case WPA_KEY_MGMT_SAE_EXT_KEY: + return "SAE-EXT-KEY"; case WPA_KEY_MGMT_FT_SAE: return "FT-SAE"; + case WPA_KEY_MGMT_FT_SAE_EXT_KEY: + return "FT-SAE-EXT-KEY"; case WPA_KEY_MGMT_OSEN: return "OSEN"; case WPA_KEY_MGMT_IEEE8021X_SUITE_B: 
@@ -2441,8 +2449,12 @@ u32 wpa_akm_to_suite(int akm) return RSN_AUTH_KEY_MGMT_FT_FILS_SHA384; if (akm & WPA_KEY_MGMT_SAE) return RSN_AUTH_KEY_MGMT_SAE; + if (akm & WPA_KEY_MGMT_SAE_EXT_KEY) + return RSN_AUTH_KEY_MGMT_SAE_EXT_KEY; if (akm & WPA_KEY_MGMT_FT_SAE) return RSN_AUTH_KEY_MGMT_FT_SAE; + if (akm & WPA_KEY_MGMT_FT_SAE_EXT_KEY) + return RSN_AUTH_KEY_MGMT_FT_SAE_EXT_KEY; if (akm & WPA_KEY_MGMT_OWE) return RSN_AUTH_KEY_MGMT_OWE; if (akm & WPA_KEY_MGMT_DPP) @@ -3373,6 +3385,9 @@ int wpa_pasn_add_rsne(struct wpabuf *buf, const u8 *pmkid, int akmp, int cipher) case WPA_KEY_MGMT_SAE: RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_SAE); break; + case WPA_KEY_MGMT_SAE_EXT_KEY: + RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_SAE_EXT_KEY); + break; #endif /* CONFIG_SAE */ #ifdef CONFIG_FILS case WPA_KEY_MGMT_FILS_SHA256: @@ -3586,6 +3601,7 @@ int wpa_pasn_validate_rsne(const struct wpa_ie_data *data) switch (data->key_mgmt) { #ifdef CONFIG_SAE case WPA_KEY_MGMT_SAE: + case WPA_KEY_MGMT_SAE_EXT_KEY: /* fall through */ #endif /* CONFIG_SAE */ #ifdef CONFIG_FILS diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c index 7e72fc2aa..460072023 100644 --- a/src/drivers/driver_nl80211.c +++ b/src/drivers/driver_nl80211.c @@ -3171,7 +3171,9 @@ static int wpa_key_mgmt_to_suites(unsigned int key_mgmt_suites, u32 suites[], __AKM(IEEE8021X_SHA256, 802_1X_SHA256); __AKM(PSK_SHA256, PSK_SHA256); __AKM(SAE, SAE); + __AKM(SAE_EXT_KEY, SAE_EXT_KEY); __AKM(FT_SAE, FT_SAE); + __AKM(FT_SAE_EXT_KEY, FT_SAE_EXT_KEY); __AKM(CCKM, CCKM); __AKM(OSEN, OSEN); __AKM(IEEE8021X_SUITE_B, 802_1X_SUITE_B); @@ -4663,7 +4665,8 @@ static int wpa_driver_nl80211_set_ap(void *priv, if (drv->device_ap_sme) { u32 flags = 0; - if (params->key_mgmt_suites & WPA_KEY_MGMT_SAE) { + if (params->key_mgmt_suites & (WPA_KEY_MGMT_SAE | + WPA_KEY_MGMT_SAE_EXT_KEY)) { /* Add the previously used flag attribute to support * older kernel versions and the newer flag bit for * newer kernels. */ 
@@ -6249,7 +6252,9 @@ static int nl80211_connect_common(struct wpa_driver_nl80211_data *drv, params->key_mgmt_suite == WPA_KEY_MGMT_IEEE8021X_SHA256 || params->key_mgmt_suite == WPA_KEY_MGMT_PSK_SHA256 || params->key_mgmt_suite == WPA_KEY_MGMT_SAE || + params->key_mgmt_suite == WPA_KEY_MGMT_SAE_EXT_KEY || params->key_mgmt_suite == WPA_KEY_MGMT_FT_SAE || + params->key_mgmt_suite == WPA_KEY_MGMT_FT_SAE_EXT_KEY || params->key_mgmt_suite == WPA_KEY_MGMT_IEEE8021X_SUITE_B || params->key_mgmt_suite == WPA_KEY_MGMT_IEEE8021X_SUITE_B_192 || params->key_mgmt_suite == WPA_KEY_MGMT_FT_IEEE8021X_SHA384 || @@ -6286,9 +6291,15 @@ static int nl80211_connect_common(struct wpa_driver_nl80211_data *drv, case WPA_KEY_MGMT_SAE: mgmt = RSN_AUTH_KEY_MGMT_SAE; break; + case WPA_KEY_MGMT_SAE_EXT_KEY: + mgmt = RSN_AUTH_KEY_MGMT_SAE_EXT_KEY; + break; case WPA_KEY_MGMT_FT_SAE: mgmt = RSN_AUTH_KEY_MGMT_FT_SAE; break; + case WPA_KEY_MGMT_FT_SAE_EXT_KEY: + mgmt = RSN_AUTH_KEY_MGMT_FT_SAE_EXT_KEY; + break; case WPA_KEY_MGMT_IEEE8021X_SUITE_B: mgmt = RSN_AUTH_KEY_MGMT_802_1X_SUITE_B; break; diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c index 577717611..cf9b21039 100644 --- a/src/rsn_supp/wpa.c +++ b/src/rsn_supp/wpa.c @@ -301,7 +301,8 @@ static int wpa_supplicant_get_pmk(struct wpa_sm *sm, #ifdef CONFIG_IEEE80211R sm->xxkey_len = 0; #ifdef CONFIG_SAE - if (sm->key_mgmt == WPA_KEY_MGMT_FT_SAE && + if ((sm->key_mgmt == WPA_KEY_MGMT_FT_SAE || + sm->key_mgmt == WPA_KEY_MGMT_FT_SAE_EXT_KEY) && sm->pmk_len == PMK_LEN) { /* Need to allow FT key derivation to proceed with * PMK from SAE being used as the XXKey in cases where diff --git a/src/rsn_supp/wpa_ft.c b/src/rsn_supp/wpa_ft.c index 95c1e73ef..9d4044c14 100644 --- a/src/rsn_supp/wpa_ft.c +++ b/src/rsn_supp/wpa_ft.c 
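Review bot: The widened condition in wpa_supplicant_get_pmk still requires `sm->pmk_len == PMK_LEN`, so for WPA_KEY_MGMT_FT_SAE_EXT_KEY the XXKey is only taken from the PMK when the PMK is exactly PMK_LEN bytes. If the ext-key AKM can produce a longer PMK (it appears to depend on the hash tied to the SAE group, to be confirmed), those associations would go on to FT key derivation with `sm->xxkey_len` left at 0. Either relax the length test for the ext-key case or add a comment stating why only PMK_LEN is expected. The body of the `if` is outside the hunk, so the size of the xxkey buffer would need checking before any longer copy is allowed.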
@@ -257,6 +257,8 @@ static u8 * wpa_ft_gen_req_ies(struct wpa_sm *sm, size_t *len, RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_PSK); else if (sm->key_mgmt == WPA_KEY_MGMT_FT_SAE) RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_SAE); + else if (sm->key_mgmt == WPA_KEY_MGMT_FT_SAE_EXT_KEY) + RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_SAE_EXT_KEY); #ifdef CONFIG_FILS else if (sm->key_mgmt == WPA_KEY_MGMT_FT_FILS_SHA256) RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_FILS_SHA256); diff --git a/src/rsn_supp/wpa_ie.c b/src/rsn_supp/wpa_ie.c index 3ba722f5e..c4e660f7a 100644 --- a/src/rsn_supp/wpa_ie.c +++ b/src/rsn_supp/wpa_ie.c @@ -191,8 +191,12 @@ static int wpa_gen_wpa_ie_rsn(u8 *rsn_ie, size_t rsn_ie_len, #ifdef CONFIG_SAE } else if (key_mgmt == WPA_KEY_MGMT_SAE) { RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_SAE); + } else if (key_mgmt == WPA_KEY_MGMT_SAE_EXT_KEY) { + RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_SAE_EXT_KEY); } else if (key_mgmt == WPA_KEY_MGMT_FT_SAE) { RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_SAE); + } else if (key_mgmt == WPA_KEY_MGMT_FT_SAE_EXT_KEY) { + RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_SAE_EXT_KEY); #endif /* CONFIG_SAE */ } else if (key_mgmt == WPA_KEY_MGMT_IEEE8021X_SUITE_B_192) { RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_802_1X_SUITE_B_192); diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c index 082ddd84e..a91c689d0 100644 --- a/wpa_supplicant/config.c +++ b/wpa_supplicant/config.c @@ -804,8 +804,12 @@ static int wpa_config_parse_key_mgmt(const struct parse_data *data, #ifdef CONFIG_SAE else if (os_strcmp(start, "SAE") == 0) val |= WPA_KEY_MGMT_SAE; + else if (os_strcmp(start, "SAE-EXT-KEY") == 0) + val |= WPA_KEY_MGMT_SAE_EXT_KEY; else if (os_strcmp(start, "FT-SAE") == 0) val |= WPA_KEY_MGMT_FT_SAE; + else if (os_strcmp(start, "FT-SAE-EXT-KEY") == 0) + val |= WPA_KEY_MGMT_FT_SAE_EXT_KEY; #endif /* CONFIG_SAE */ #ifdef CONFIG_HS20 else if (os_strcmp(start, "OSEN") == 0) 
@@ -1004,6 +1008,16 @@ static char * wpa_config_write_key_mgmt(const struct parse_data *data, pos += ret; } + if (ssid->key_mgmt & WPA_KEY_MGMT_SAE_EXT_KEY) { + ret = os_snprintf(pos, end - pos, "%sSAE-EXT-KEY", + pos == buf ? "" : " "); + if (os_snprintf_error(end - pos, ret)) { + end[-1] = '\0'; + return buf; + } + pos += ret; + } + if (ssid->key_mgmt & WPA_KEY_MGMT_FT_SAE) { ret = os_snprintf(pos, end - pos, "%sFT-SAE", pos == buf ? "" : " "); @@ -1013,6 +1027,16 @@ static char * wpa_config_write_key_mgmt(const struct parse_data *data, } pos += ret; } + + if (ssid->key_mgmt & WPA_KEY_MGMT_FT_SAE_EXT_KEY) { + ret = os_snprintf(pos, end - pos, "%sFT-SAE-EXT-KEY", + pos == buf ? "" : " "); + if (os_snprintf_error(end - pos, ret)) { + end[-1] = '\0'; + return buf; + } + pos += ret; + } #endif /* CONFIG_SAE */ #ifdef CONFIG_HS20 diff --git a/wpa_supplicant/ctrl_iface.c b/wpa_supplicant/ctrl_iface.c index cacbbf48d..2efb60c6b 100644 --- a/wpa_supplicant/ctrl_iface.c +++ b/wpa_supplicant/ctrl_iface.c @@ -2816,6 +2816,13 @@ static char * wpa_supplicant_ie_txt(char *pos, char *end, const char *proto, return pos; pos += ret; } + if (data.key_mgmt & WPA_KEY_MGMT_SAE_EXT_KEY) { + ret = os_snprintf(pos, end - pos, "%sSAE-EXT-KEY", + pos == start ? "" : "+"); + if (os_snprintf_error(end - pos, ret)) + return pos; + pos += ret; + } #ifdef CONFIG_IEEE80211R if (data.key_mgmt & WPA_KEY_MGMT_FT_IEEE8021X) { ret = os_snprintf(pos, end - pos, "%sFT/EAP", @@ -2838,6 +2845,13 @@ static char * wpa_supplicant_ie_txt(char *pos, char *end, const char *proto, return pos; pos += ret; } + if (data.key_mgmt & WPA_KEY_MGMT_FT_SAE_EXT_KEY) { + ret = os_snprintf(pos, end - pos, "%sFT/SAE-EXT-KEY", + pos == start ? "" : "+"); + if (os_snprintf_error(end - pos, ret)) + return pos; + pos += ret; + } #endif /* CONFIG_IEEE80211R */ if (data.key_mgmt & WPA_KEY_MGMT_IEEE8021X_SHA256) { ret = os_snprintf(pos, end - pos, "%sEAP-SHA256", 
@@ -3236,7 +3250,8 @@ static int wpa_supplicant_ctrl_iface_mesh_group_add( return -1; } if (ssid->key_mgmt != WPA_KEY_MGMT_NONE && - ssid->key_mgmt != WPA_KEY_MGMT_SAE) { + ssid->key_mgmt != WPA_KEY_MGMT_SAE && + ssid->key_mgmt != WPA_KEY_MGMT_SAE_EXT_KEY) { wpa_printf(MSG_ERROR, "CTRL_IFACE: key_mgmt for mesh network should be open or SAE"); return -1; @@ -10843,6 +10858,8 @@ static int wpas_ctrl_iface_pasn_start(struct wpa_supplicant *wpa_s, char *cmd) #ifdef CONFIG_SAE } else if (os_strcmp(token, "akmp=SAE") == 0) { akmp = WPA_KEY_MGMT_SAE; + } else if (os_strcmp(token, "akmp=SAE-EXT-KEY") == 0) { + akmp = WPA_KEY_MGMT_SAE_EXT_KEY; #endif /* CONFIG_SAE */ #ifdef CONFIG_FILS } else if (os_strcmp(token, "akmp=FILS-SHA256") == 0) { diff --git a/wpa_supplicant/dbus/dbus_new_handlers.c b/wpa_supplicant/dbus/dbus_new_handlers.c index 0b1002bf1..7e83db223 100644 --- a/wpa_supplicant/dbus/dbus_new_handlers.c +++ b/wpa_supplicant/dbus/dbus_new_handlers.c @@ -5095,7 +5095,7 @@ static dbus_bool_t wpas_dbus_get_bss_security_prop( DBusMessageIter iter_dict, variant_iter; const char *group; const char *pairwise[5]; /* max 5 pairwise ciphers is supported */ - const char *key_mgmt[16]; /* max 16 key managements may be supported */ + const char *key_mgmt[18]; /* max 18 key managements may be supported */ int n; if (!dbus_message_iter_open_container(iter, DBUS_TYPE_VARIANT, @@ -5145,8 +5145,12 @@ static dbus_bool_t wpas_dbus_get_bss_security_prop( #ifdef CONFIG_SAE if (ie_data->key_mgmt & WPA_KEY_MGMT_SAE) key_mgmt[n++] = "sae"; + if (ie_data->key_mgmt & WPA_KEY_MGMT_SAE_EXT_KEY) + key_mgmt[n++] = "sae-ext-key"; if (ie_data->key_mgmt & WPA_KEY_MGMT_FT_SAE) key_mgmt[n++] = "ft-sae"; + if (ie_data->key_mgmt & WPA_KEY_MGMT_FT_SAE_EXT_KEY) + key_mgmt[n++] = "ft-sae-ext-key"; #endif /* CONFIG_SAE */ #ifdef CONFIG_OWE if (ie_data->key_mgmt & WPA_KEY_MGMT_OWE) diff --git a/wpa_supplicant/sme.c b/wpa_supplicant/sme.c index ad22fdb16..4903cd364 100644 --- a/wpa_supplicant/sme.c 
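Review bot: The error text on the unchanged line in wpa_supplicant_ctrl_iface_mesh_group_add, `key_mgmt for mesh network should be open or SAE`, no longer describes what the check accepts now that WPA_KEY_MGMT_SAE_EXT_KEY passes. An operator reading the log would not learn that the ext-key AKM is a valid setting. Consider `"CTRL_IFACE: key_mgmt for mesh network should be open, SAE, or SAE-EXT-KEY"`. Whether the mesh code handles the ext-key AKM is not visible in this diff.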
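Review bot: The `key_mgmt[n++] = ...` appends in wpas_dbus_get_bss_security_prop have no bounds check in the visible lines, so memory safety rests on the hand-maintained array size that the first dbus_new_handlers.c hunk bumps from 16 to 18. A later AKM added in the second hunk's style without another bump would write past the end of this stack array. Consider guarding each append, e.g. `if (n < (int) ARRAY_SIZE(key_mgmt)) key_mgmt[n++] = "sae-ext-key";`, or a single check on `n` before the array is passed on. The function body continues outside both hunks, so an existing check cannot be ruled out.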
+++ b/wpa_supplicant/sme.c @@ -745,9 +745,9 @@ static void sme_send_authentication(struct wpa_supplicant *wpa_s, if (!skip_auth && params.auth_alg == WPA_AUTH_ALG_SAE && pmksa_cache_set_current(wpa_s->wpa, NULL, bss->bssid, ssid, 0, NULL, - wpa_s->key_mgmt == WPA_KEY_MGMT_FT_SAE ? - WPA_KEY_MGMT_FT_SAE : - WPA_KEY_MGMT_SAE) == 0) { + wpa_key_mgmt_sae(wpa_s->key_mgmt) ? + wpa_s->key_mgmt : + (int) WPA_KEY_MGMT_SAE) == 0) { wpa_dbg(wpa_s, MSG_DEBUG, "PMKSA cache entry found - try to use PMKSA caching instead of new SAE authentication"); wpa_sm_set_pmk_from_pmksa(wpa_s->wpa); diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c index 9ba4ae9c4..0f35f491a 100644 --- a/wpa_supplicant/wpa_supplicant.c +++ b/wpa_supplicant/wpa_supplicant.c @@ -1539,7 +1539,8 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s, sel = ie.key_mgmt & ssid->key_mgmt; #ifdef CONFIG_SAE if (!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_SAE)) - sel &= ~(WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_FT_SAE); + sel &= ~(WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_SAE_EXT_KEY | + WPA_KEY_MGMT_FT_SAE | WPA_KEY_MGMT_FT_SAE_EXT_KEY); #endif /* CONFIG_SAE */ #ifdef CONFIG_IEEE80211R if (!(wpa_s->drv_flags & (WPA_DRIVER_FLAGS_SME | @@ -1615,6 +1616,13 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s, wpa_dbg(wpa_s, MSG_DEBUG, "RSN: using KEY_MGMT DPP"); #endif /* CONFIG_DPP */ #ifdef CONFIG_SAE + } else if (sel & WPA_KEY_MGMT_FT_SAE_EXT_KEY) { + wpa_s->key_mgmt = WPA_KEY_MGMT_FT_SAE_EXT_KEY; + wpa_dbg(wpa_s, MSG_DEBUG, + "RSN: using KEY_MGMT FT/SAE (ext key)"); + } else if (sel & WPA_KEY_MGMT_SAE_EXT_KEY) { + wpa_s->key_mgmt = WPA_KEY_MGMT_SAE_EXT_KEY; + wpa_dbg(wpa_s, MSG_DEBUG, "RSN: using KEY_MGMT SAE (ext key)"); } else if (sel & WPA_KEY_MGMT_FT_SAE) { wpa_s->key_mgmt = WPA_KEY_MGMT_FT_SAE; wpa_dbg(wpa_s, MSG_DEBUG, "RSN: using KEY_MGMT FT/SAE");