SAE: Internal WPA_KEY_MGMT_* defines for extended key AKMs

Define new WPA_KEY_MGMT_* values for the new SAE AKM suite selectors
with variable length keys. This includes updates to various mapping and
checking of the SAE key_mgmt values.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Jouni Malinen 2022-07-24 22:05:37 +03:00 committed by Jouni Malinen
parent 5c8a714b18
commit 91df8c9c65
16 changed files with 147 additions and 12 deletions


@ -674,8 +674,12 @@ static int hostapd_config_parse_key_mgmt(int line, const char *value)
#ifdef CONFIG_SAE #ifdef CONFIG_SAE
else if (os_strcmp(start, "SAE") == 0) else if (os_strcmp(start, "SAE") == 0)
val |= WPA_KEY_MGMT_SAE; val |= WPA_KEY_MGMT_SAE;
else if (os_strcmp(start, "SAE-EXT-KEY") == 0)
val |= WPA_KEY_MGMT_SAE_EXT_KEY;
else if (os_strcmp(start, "FT-SAE") == 0) else if (os_strcmp(start, "FT-SAE") == 0)
val |= WPA_KEY_MGMT_FT_SAE; val |= WPA_KEY_MGMT_FT_SAE;
else if (os_strcmp(start, "FT-SAE-EXT-KEY") == 0)
val |= WPA_KEY_MGMT_FT_SAE_EXT_KEY;
#endif /* CONFIG_SAE */ #endif /* CONFIG_SAE */
#ifdef CONFIG_SUITEB #ifdef CONFIG_SUITEB
else if (os_strcmp(start, "WPA-EAP-SUITE-B") == 0) else if (os_strcmp(start, "WPA-EAP-SUITE-B") == 0)


@ -861,6 +861,12 @@ static int hostapd_ctrl_iface_get_key_mgmt(struct hostapd_data *hapd,
return pos - buf; return pos - buf;
pos += ret; pos += ret;
} }
if (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_FT_SAE_EXT_KEY) {
ret = os_snprintf(pos, end - pos, "FT-SAE-EXT-KEY ");
if (os_snprintf_error(end - pos, ret))
return pos - buf;
pos += ret;
}
#endif /* CONFIG_SAE */ #endif /* CONFIG_SAE */
#ifdef CONFIG_FILS #ifdef CONFIG_FILS
if (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_FT_FILS_SHA256) { if (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_FT_FILS_SHA256) {
@ -896,6 +902,12 @@ static int hostapd_ctrl_iface_get_key_mgmt(struct hostapd_data *hapd,
return pos - buf; return pos - buf;
pos += ret; pos += ret;
} }
if (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_SAE_EXT_KEY) {
ret = os_snprintf(pos, end - pos, "SAE-EXT-KEY ");
if (os_snprintf_error(end - pos, ret))
return pos - buf;
pos += ret;
}
#endif /* CONFIG_SAE */ #endif /* CONFIG_SAE */
if (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_IEEE8021X_SUITE_B) { if (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_IEEE8021X_SUITE_B) {
ret = os_snprintf(pos, end - pos, "WPA-EAP-SUITE-B "); ret = os_snprintf(pos, end - pos, "WPA-EAP-SUITE-B ");


@ -4686,7 +4686,7 @@ static int check_assoc_ies(struct hostapd_data *hapd, struct sta_info *sta,
sta->auth_alg == WLAN_AUTH_OPEN) { sta->auth_alg == WLAN_AUTH_OPEN) {
struct rsn_pmksa_cache_entry *sa; struct rsn_pmksa_cache_entry *sa;
sa = wpa_auth_sta_get_pmksa(sta->wpa_sm); sa = wpa_auth_sta_get_pmksa(sta->wpa_sm);
if (!sa || sa->akmp != WPA_KEY_MGMT_SAE) { if (!sa || !wpa_key_mgmt_sae(sa->akmp)) {
wpa_printf(MSG_DEBUG, wpa_printf(MSG_DEBUG,
"SAE: No PMKSA cache entry found for " "SAE: No PMKSA cache entry found for "
MACSTR, MAC2STR(sta->addr)); MACSTR, MAC2STR(sta->addr));
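Review bot: The PMKSA check in check_assoc_ies now accepts a cached entry whose `sa->akmp` is any SAE-family AKM, where the old comparison required exactly WPA_KEY_MGMT_SAE, so FT-SAE and FT-SAE-EXT-KEY entries pass as well. Nothing visible in the hunk ties `sa->akmp` to the AKM the station negotiated for this association, so it is worth confirming that the lookup behind wpa_auth_sta_get_pmksa() already matches on AKM. If it does not, compare against the negotiated AKM here rather than using a family test. The debug text "No PMKSA cache entry found" is also printed when an entry exists but has a non-SAE akmp, which makes a mismatch hard to tell apart from a miss in logs. The enclosing function starts and ends outside the hunk.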


@ -5267,7 +5267,8 @@ int wpa_auth_uses_ft_sae(struct wpa_state_machine *sm)
{ {
if (!sm) if (!sm)
return 0; return 0;
return sm->wpa_key_mgmt == WPA_KEY_MGMT_FT_SAE; return sm->wpa_key_mgmt == WPA_KEY_MGMT_FT_SAE ||
sm->wpa_key_mgmt == WPA_KEY_MGMT_FT_SAE_EXT_KEY;
} }


@ -228,11 +228,21 @@ int wpa_write_rsn_ie(struct wpa_auth_config *conf, u8 *buf, size_t len,
pos += RSN_SELECTOR_LEN; pos += RSN_SELECTOR_LEN;
num_suites++; num_suites++;
} }
if (conf->wpa_key_mgmt & WPA_KEY_MGMT_SAE_EXT_KEY) {
RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_SAE_EXT_KEY);
pos += RSN_SELECTOR_LEN;
num_suites++;
}
if (conf->wpa_key_mgmt & WPA_KEY_MGMT_FT_SAE) { if (conf->wpa_key_mgmt & WPA_KEY_MGMT_FT_SAE) {
RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_SAE); RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_SAE);
pos += RSN_SELECTOR_LEN; pos += RSN_SELECTOR_LEN;
num_suites++; num_suites++;
} }
if (conf->wpa_key_mgmt & WPA_KEY_MGMT_FT_SAE_EXT_KEY) {
RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_SAE_EXT_KEY);
pos += RSN_SELECTOR_LEN;
num_suites++;
}
#endif /* CONFIG_SAE */ #endif /* CONFIG_SAE */
if (conf->wpa_key_mgmt & WPA_KEY_MGMT_IEEE8021X_SUITE_B) { if (conf->wpa_key_mgmt & WPA_KEY_MGMT_IEEE8021X_SUITE_B) {
RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_802_1X_SUITE_B); RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_802_1X_SUITE_B);
@ -670,8 +680,12 @@ wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth,
#ifdef CONFIG_SAE #ifdef CONFIG_SAE
else if (data.key_mgmt & WPA_KEY_MGMT_SAE) else if (data.key_mgmt & WPA_KEY_MGMT_SAE)
selector = RSN_AUTH_KEY_MGMT_SAE; selector = RSN_AUTH_KEY_MGMT_SAE;
else if (data.key_mgmt & WPA_KEY_MGMT_SAE_EXT_KEY)
selector = RSN_AUTH_KEY_MGMT_SAE_EXT_KEY;
else if (data.key_mgmt & WPA_KEY_MGMT_FT_SAE) else if (data.key_mgmt & WPA_KEY_MGMT_FT_SAE)
selector = RSN_AUTH_KEY_MGMT_FT_SAE; selector = RSN_AUTH_KEY_MGMT_FT_SAE;
else if (data.key_mgmt & WPA_KEY_MGMT_FT_SAE_EXT_KEY)
selector = RSN_AUTH_KEY_MGMT_FT_SAE_EXT_KEY;
#endif /* CONFIG_SAE */ #endif /* CONFIG_SAE */
else if (data.key_mgmt & WPA_KEY_MGMT_IEEE8021X) else if (data.key_mgmt & WPA_KEY_MGMT_IEEE8021X)
selector = RSN_AUTH_KEY_MGMT_UNSPEC_802_1X; selector = RSN_AUTH_KEY_MGMT_UNSPEC_802_1X;
@ -778,8 +792,12 @@ wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth,
#ifdef CONFIG_SAE #ifdef CONFIG_SAE
else if (key_mgmt & WPA_KEY_MGMT_SAE) else if (key_mgmt & WPA_KEY_MGMT_SAE)
sm->wpa_key_mgmt = WPA_KEY_MGMT_SAE; sm->wpa_key_mgmt = WPA_KEY_MGMT_SAE;
else if (key_mgmt & WPA_KEY_MGMT_SAE_EXT_KEY)
sm->wpa_key_mgmt = WPA_KEY_MGMT_SAE_EXT_KEY;
else if (key_mgmt & WPA_KEY_MGMT_FT_SAE) else if (key_mgmt & WPA_KEY_MGMT_FT_SAE)
sm->wpa_key_mgmt = WPA_KEY_MGMT_FT_SAE; sm->wpa_key_mgmt = WPA_KEY_MGMT_FT_SAE;
else if (key_mgmt & WPA_KEY_MGMT_FT_SAE_EXT_KEY)
sm->wpa_key_mgmt = WPA_KEY_MGMT_FT_SAE_EXT_KEY;
#endif /* CONFIG_SAE */ #endif /* CONFIG_SAE */
else if (key_mgmt & WPA_KEY_MGMT_IEEE8021X) else if (key_mgmt & WPA_KEY_MGMT_IEEE8021X)
sm->wpa_key_mgmt = WPA_KEY_MGMT_IEEE8021X; sm->wpa_key_mgmt = WPA_KEY_MGMT_IEEE8021X;
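Review bot: Both else-if chains in wpa_validate_wpa_ie test WPA_KEY_MGMT_SAE before WPA_KEY_MGMT_SAE_EXT_KEY, and WPA_KEY_MGMT_FT_SAE before WPA_KEY_MGMT_FT_SAE_EXT_KEY. If `key_mgmt` can carry more than one bit at this point, the fixed-length AKM wins over the extended-key one. The station-side selection elsewhere in this commit prefers the EXT_KEY variants first, so the two sides would disagree on precedence. If a station's RSNE is guaranteed to select exactly one AKM before this chain runs, a short comment saying so would settle it; otherwise move the `*_EXT_KEY` branches ahead of their legacy counterparts. The function body continues outside both hunks.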


@ -50,12 +50,15 @@
#define WPA_KEY_MGMT_DPP BIT(23) #define WPA_KEY_MGMT_DPP BIT(23)
#define WPA_KEY_MGMT_FT_IEEE8021X_SHA384 BIT(24) #define WPA_KEY_MGMT_FT_IEEE8021X_SHA384 BIT(24)
#define WPA_KEY_MGMT_PASN BIT(25) #define WPA_KEY_MGMT_PASN BIT(25)
#define WPA_KEY_MGMT_SAE_EXT_KEY BIT(26)
#define WPA_KEY_MGMT_FT_SAE_EXT_KEY BIT(27)
#define WPA_KEY_MGMT_FT (WPA_KEY_MGMT_FT_PSK | \ #define WPA_KEY_MGMT_FT (WPA_KEY_MGMT_FT_PSK | \
WPA_KEY_MGMT_FT_IEEE8021X | \ WPA_KEY_MGMT_FT_IEEE8021X | \
WPA_KEY_MGMT_FT_IEEE8021X_SHA384 | \ WPA_KEY_MGMT_FT_IEEE8021X_SHA384 | \
WPA_KEY_MGMT_FT_SAE | \ WPA_KEY_MGMT_FT_SAE | \
WPA_KEY_MGMT_FT_SAE_EXT_KEY | \
WPA_KEY_MGMT_FT_FILS_SHA256 | \ WPA_KEY_MGMT_FT_FILS_SHA256 | \
WPA_KEY_MGMT_FT_FILS_SHA384) WPA_KEY_MGMT_FT_FILS_SHA384)
@ -88,7 +91,9 @@ static inline int wpa_key_mgmt_wpa_psk(int akm)
WPA_KEY_MGMT_FT_PSK | WPA_KEY_MGMT_FT_PSK |
WPA_KEY_MGMT_PSK_SHA256 | WPA_KEY_MGMT_PSK_SHA256 |
WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_SAE |
WPA_KEY_MGMT_FT_SAE)); WPA_KEY_MGMT_SAE_EXT_KEY |
WPA_KEY_MGMT_FT_SAE |
WPA_KEY_MGMT_FT_SAE_EXT_KEY));
} }
static inline int wpa_key_mgmt_ft(int akm) static inline int wpa_key_mgmt_ft(int akm)
@ -111,7 +116,15 @@ static inline int wpa_key_mgmt_ft_psk(int akm)
static inline int wpa_key_mgmt_sae(int akm) static inline int wpa_key_mgmt_sae(int akm)
{ {
return !!(akm & (WPA_KEY_MGMT_SAE | return !!(akm & (WPA_KEY_MGMT_SAE |
WPA_KEY_MGMT_FT_SAE)); WPA_KEY_MGMT_SAE_EXT_KEY |
WPA_KEY_MGMT_FT_SAE |
WPA_KEY_MGMT_FT_SAE_EXT_KEY));
}
static inline int wpa_key_mgmt_sae_ext_key(int akm)
{
return !!(akm & (WPA_KEY_MGMT_SAE_EXT_KEY |
WPA_KEY_MGMT_FT_SAE_EXT_KEY));
} }
static inline int wpa_key_mgmt_fils(int akm) static inline int wpa_key_mgmt_fils(int akm)
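Review bot: The new helper wpa_key_mgmt_sae_ext_key() has no comment saying what sets these two AKMs apart from the ones wpa_key_mgmt_sae() already covers. A one-line header such as `/* SAE AKMs with variable length keys (SAE-EXT-KEY, FT-SAE-EXT-KEY) */` would tell callers when to prefer it over wpa_key_mgmt_sae(). Other classification helpers in this header that imply a fixed hash or key length lie outside the visible hunks, so it is worth checking whether any of them should treat the new bits specially.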


@ -1479,8 +1479,12 @@ static int rsn_key_mgmt_to_bitfield(const u8 *s)
#ifdef CONFIG_SAE #ifdef CONFIG_SAE
if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_SAE) if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_SAE)
return WPA_KEY_MGMT_SAE; return WPA_KEY_MGMT_SAE;
if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_SAE_EXT_KEY)
return WPA_KEY_MGMT_SAE_EXT_KEY;
if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_SAE) if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_SAE)
return WPA_KEY_MGMT_FT_SAE; return WPA_KEY_MGMT_FT_SAE;
if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_SAE_EXT_KEY)
return WPA_KEY_MGMT_FT_SAE_EXT_KEY;
#endif /* CONFIG_SAE */ #endif /* CONFIG_SAE */
if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_802_1X_SUITE_B) if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_802_1X_SUITE_B)
return WPA_KEY_MGMT_IEEE8021X_SUITE_B; return WPA_KEY_MGMT_IEEE8021X_SUITE_B;
@ -2379,8 +2383,12 @@ const char * wpa_key_mgmt_txt(int key_mgmt, int proto)
return "WPS"; return "WPS";
case WPA_KEY_MGMT_SAE: case WPA_KEY_MGMT_SAE:
return "SAE"; return "SAE";
case WPA_KEY_MGMT_SAE_EXT_KEY:
return "SAE-EXT-KEY";
case WPA_KEY_MGMT_FT_SAE: case WPA_KEY_MGMT_FT_SAE:
return "FT-SAE"; return "FT-SAE";
case WPA_KEY_MGMT_FT_SAE_EXT_KEY:
return "FT-SAE-EXT-KEY";
case WPA_KEY_MGMT_OSEN: case WPA_KEY_MGMT_OSEN:
return "OSEN"; return "OSEN";
case WPA_KEY_MGMT_IEEE8021X_SUITE_B: case WPA_KEY_MGMT_IEEE8021X_SUITE_B:
@ -2441,8 +2449,12 @@ u32 wpa_akm_to_suite(int akm)
return RSN_AUTH_KEY_MGMT_FT_FILS_SHA384; return RSN_AUTH_KEY_MGMT_FT_FILS_SHA384;
if (akm & WPA_KEY_MGMT_SAE) if (akm & WPA_KEY_MGMT_SAE)
return RSN_AUTH_KEY_MGMT_SAE; return RSN_AUTH_KEY_MGMT_SAE;
if (akm & WPA_KEY_MGMT_SAE_EXT_KEY)
return RSN_AUTH_KEY_MGMT_SAE_EXT_KEY;
if (akm & WPA_KEY_MGMT_FT_SAE) if (akm & WPA_KEY_MGMT_FT_SAE)
return RSN_AUTH_KEY_MGMT_FT_SAE; return RSN_AUTH_KEY_MGMT_FT_SAE;
if (akm & WPA_KEY_MGMT_FT_SAE_EXT_KEY)
return RSN_AUTH_KEY_MGMT_FT_SAE_EXT_KEY;
if (akm & WPA_KEY_MGMT_OWE) if (akm & WPA_KEY_MGMT_OWE)
return RSN_AUTH_KEY_MGMT_OWE; return RSN_AUTH_KEY_MGMT_OWE;
if (akm & WPA_KEY_MGMT_DPP) if (akm & WPA_KEY_MGMT_DPP)
@ -3373,6 +3385,9 @@ int wpa_pasn_add_rsne(struct wpabuf *buf, const u8 *pmkid, int akmp, int cipher)
case WPA_KEY_MGMT_SAE: case WPA_KEY_MGMT_SAE:
RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_SAE); RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_SAE);
break; break;
case WPA_KEY_MGMT_SAE_EXT_KEY:
RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_SAE_EXT_KEY);
break;
#endif /* CONFIG_SAE */ #endif /* CONFIG_SAE */
#ifdef CONFIG_FILS #ifdef CONFIG_FILS
case WPA_KEY_MGMT_FILS_SHA256: case WPA_KEY_MGMT_FILS_SHA256:
@ -3586,6 +3601,7 @@ int wpa_pasn_validate_rsne(const struct wpa_ie_data *data)
switch (data->key_mgmt) { switch (data->key_mgmt) {
#ifdef CONFIG_SAE #ifdef CONFIG_SAE
case WPA_KEY_MGMT_SAE: case WPA_KEY_MGMT_SAE:
case WPA_KEY_MGMT_SAE_EXT_KEY:
/* fall through */ /* fall through */
#endif /* CONFIG_SAE */ #endif /* CONFIG_SAE */
#ifdef CONFIG_FILS #ifdef CONFIG_FILS


@ -3171,7 +3171,9 @@ static int wpa_key_mgmt_to_suites(unsigned int key_mgmt_suites, u32 suites[],
__AKM(IEEE8021X_SHA256, 802_1X_SHA256); __AKM(IEEE8021X_SHA256, 802_1X_SHA256);
__AKM(PSK_SHA256, PSK_SHA256); __AKM(PSK_SHA256, PSK_SHA256);
__AKM(SAE, SAE); __AKM(SAE, SAE);
__AKM(SAE_EXT_KEY, SAE_EXT_KEY);
__AKM(FT_SAE, FT_SAE); __AKM(FT_SAE, FT_SAE);
__AKM(FT_SAE_EXT_KEY, FT_SAE_EXT_KEY);
__AKM(CCKM, CCKM); __AKM(CCKM, CCKM);
__AKM(OSEN, OSEN); __AKM(OSEN, OSEN);
__AKM(IEEE8021X_SUITE_B, 802_1X_SUITE_B); __AKM(IEEE8021X_SUITE_B, 802_1X_SUITE_B);
@ -4663,7 +4665,8 @@ static int wpa_driver_nl80211_set_ap(void *priv,
if (drv->device_ap_sme) { if (drv->device_ap_sme) {
u32 flags = 0; u32 flags = 0;
if (params->key_mgmt_suites & WPA_KEY_MGMT_SAE) { if (params->key_mgmt_suites & (WPA_KEY_MGMT_SAE |
WPA_KEY_MGMT_SAE_EXT_KEY)) {
/* Add the previously used flag attribute to support /* Add the previously used flag attribute to support
* older kernel versions and the newer flag bit for * older kernel versions and the newer flag bit for
* newer kernels. */ * newer kernels. */
@ -6249,7 +6252,9 @@ static int nl80211_connect_common(struct wpa_driver_nl80211_data *drv,
params->key_mgmt_suite == WPA_KEY_MGMT_IEEE8021X_SHA256 || params->key_mgmt_suite == WPA_KEY_MGMT_IEEE8021X_SHA256 ||
params->key_mgmt_suite == WPA_KEY_MGMT_PSK_SHA256 || params->key_mgmt_suite == WPA_KEY_MGMT_PSK_SHA256 ||
params->key_mgmt_suite == WPA_KEY_MGMT_SAE || params->key_mgmt_suite == WPA_KEY_MGMT_SAE ||
params->key_mgmt_suite == WPA_KEY_MGMT_SAE_EXT_KEY ||
params->key_mgmt_suite == WPA_KEY_MGMT_FT_SAE || params->key_mgmt_suite == WPA_KEY_MGMT_FT_SAE ||
params->key_mgmt_suite == WPA_KEY_MGMT_FT_SAE_EXT_KEY ||
params->key_mgmt_suite == WPA_KEY_MGMT_IEEE8021X_SUITE_B || params->key_mgmt_suite == WPA_KEY_MGMT_IEEE8021X_SUITE_B ||
params->key_mgmt_suite == WPA_KEY_MGMT_IEEE8021X_SUITE_B_192 || params->key_mgmt_suite == WPA_KEY_MGMT_IEEE8021X_SUITE_B_192 ||
params->key_mgmt_suite == WPA_KEY_MGMT_FT_IEEE8021X_SHA384 || params->key_mgmt_suite == WPA_KEY_MGMT_FT_IEEE8021X_SHA384 ||
@ -6286,9 +6291,15 @@ static int nl80211_connect_common(struct wpa_driver_nl80211_data *drv,
case WPA_KEY_MGMT_SAE: case WPA_KEY_MGMT_SAE:
mgmt = RSN_AUTH_KEY_MGMT_SAE; mgmt = RSN_AUTH_KEY_MGMT_SAE;
break; break;
case WPA_KEY_MGMT_SAE_EXT_KEY:
mgmt = RSN_AUTH_KEY_MGMT_SAE_EXT_KEY;
break;
case WPA_KEY_MGMT_FT_SAE: case WPA_KEY_MGMT_FT_SAE:
mgmt = RSN_AUTH_KEY_MGMT_FT_SAE; mgmt = RSN_AUTH_KEY_MGMT_FT_SAE;
break; break;
case WPA_KEY_MGMT_FT_SAE_EXT_KEY:
mgmt = RSN_AUTH_KEY_MGMT_FT_SAE_EXT_KEY;
break;
case WPA_KEY_MGMT_IEEE8021X_SUITE_B: case WPA_KEY_MGMT_IEEE8021X_SUITE_B:
mgmt = RSN_AUTH_KEY_MGMT_802_1X_SUITE_B; mgmt = RSN_AUTH_KEY_MGMT_802_1X_SUITE_B;
break; break;
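Review bot: In wpa_driver_nl80211_set_ap the SAE flag block is gated on `WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_SAE_EXT_KEY` only, so an AP configured with just FT-SAE or FT-SAE-EXT-KEY does not enter it when `drv->device_ap_sme` is set. The FT-SAE omission predates this commit, but the new mask repeats it for the FT extended-key AKM. If the driver needs the flag for every SAE-family AKM, `if (wpa_key_mgmt_sae(params->key_mgmt_suites)) {` covers all four in one test; if FT is excluded on purpose, a comment should say why. The block's body continues outside the hunk.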


@ -301,7 +301,8 @@ static int wpa_supplicant_get_pmk(struct wpa_sm *sm,
#ifdef CONFIG_IEEE80211R #ifdef CONFIG_IEEE80211R
sm->xxkey_len = 0; sm->xxkey_len = 0;
#ifdef CONFIG_SAE #ifdef CONFIG_SAE
if (sm->key_mgmt == WPA_KEY_MGMT_FT_SAE && if ((sm->key_mgmt == WPA_KEY_MGMT_FT_SAE ||
sm->key_mgmt == WPA_KEY_MGMT_FT_SAE_EXT_KEY) &&
sm->pmk_len == PMK_LEN) { sm->pmk_len == PMK_LEN) {
/* Need to allow FT key derivation to proceed with /* Need to allow FT key derivation to proceed with
* PMK from SAE being used as the XXKey in cases where * PMK from SAE being used as the XXKey in cases where
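Review bot: The added FT-SAE-EXT-KEY case in wpa_supplicant_get_pmk is still gated on `sm->pmk_len == PMK_LEN`, while the commit message describes these AKMs as using variable length keys. If a PMK from SAE with the extended-key AKM can be longer than PMK_LEN, this branch is skipped and the XXKey the comment refers to is not set for it. Either confirm that a follow-up change sizes the XXKey from `sm->pmk_len`, or record the gap here with something like `/* TODO: FT-SAE-EXT-KEY PMK may be longer than PMK_LEN */`. The body of the condition lies outside the hunk.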


@ -257,6 +257,8 @@ static u8 * wpa_ft_gen_req_ies(struct wpa_sm *sm, size_t *len,
RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_PSK); RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_PSK);
else if (sm->key_mgmt == WPA_KEY_MGMT_FT_SAE) else if (sm->key_mgmt == WPA_KEY_MGMT_FT_SAE)
RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_SAE); RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_SAE);
else if (sm->key_mgmt == WPA_KEY_MGMT_FT_SAE_EXT_KEY)
RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_SAE_EXT_KEY);
#ifdef CONFIG_FILS #ifdef CONFIG_FILS
else if (sm->key_mgmt == WPA_KEY_MGMT_FT_FILS_SHA256) else if (sm->key_mgmt == WPA_KEY_MGMT_FT_FILS_SHA256)
RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_FILS_SHA256); RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_FILS_SHA256);


@ -191,8 +191,12 @@ static int wpa_gen_wpa_ie_rsn(u8 *rsn_ie, size_t rsn_ie_len,
#ifdef CONFIG_SAE #ifdef CONFIG_SAE
} else if (key_mgmt == WPA_KEY_MGMT_SAE) { } else if (key_mgmt == WPA_KEY_MGMT_SAE) {
RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_SAE); RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_SAE);
} else if (key_mgmt == WPA_KEY_MGMT_SAE_EXT_KEY) {
RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_SAE_EXT_KEY);
} else if (key_mgmt == WPA_KEY_MGMT_FT_SAE) { } else if (key_mgmt == WPA_KEY_MGMT_FT_SAE) {
RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_SAE); RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_SAE);
} else if (key_mgmt == WPA_KEY_MGMT_FT_SAE_EXT_KEY) {
RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_SAE_EXT_KEY);
#endif /* CONFIG_SAE */ #endif /* CONFIG_SAE */
} else if (key_mgmt == WPA_KEY_MGMT_IEEE8021X_SUITE_B_192) { } else if (key_mgmt == WPA_KEY_MGMT_IEEE8021X_SUITE_B_192) {
RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_802_1X_SUITE_B_192); RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_802_1X_SUITE_B_192);


@ -804,8 +804,12 @@ static int wpa_config_parse_key_mgmt(const struct parse_data *data,
#ifdef CONFIG_SAE #ifdef CONFIG_SAE
else if (os_strcmp(start, "SAE") == 0) else if (os_strcmp(start, "SAE") == 0)
val |= WPA_KEY_MGMT_SAE; val |= WPA_KEY_MGMT_SAE;
else if (os_strcmp(start, "SAE-EXT-KEY") == 0)
val |= WPA_KEY_MGMT_SAE_EXT_KEY;
else if (os_strcmp(start, "FT-SAE") == 0) else if (os_strcmp(start, "FT-SAE") == 0)
val |= WPA_KEY_MGMT_FT_SAE; val |= WPA_KEY_MGMT_FT_SAE;
else if (os_strcmp(start, "FT-SAE-EXT-KEY") == 0)
val |= WPA_KEY_MGMT_FT_SAE_EXT_KEY;
#endif /* CONFIG_SAE */ #endif /* CONFIG_SAE */
#ifdef CONFIG_HS20 #ifdef CONFIG_HS20
else if (os_strcmp(start, "OSEN") == 0) else if (os_strcmp(start, "OSEN") == 0)
@ -1004,6 +1008,16 @@ static char * wpa_config_write_key_mgmt(const struct parse_data *data,
pos += ret; pos += ret;
} }
if (ssid->key_mgmt & WPA_KEY_MGMT_SAE_EXT_KEY) {
ret = os_snprintf(pos, end - pos, "%sSAE-EXT-KEY",
pos == buf ? "" : " ");
if (os_snprintf_error(end - pos, ret)) {
end[-1] = '\0';
return buf;
}
pos += ret;
}
if (ssid->key_mgmt & WPA_KEY_MGMT_FT_SAE) { if (ssid->key_mgmt & WPA_KEY_MGMT_FT_SAE) {
ret = os_snprintf(pos, end - pos, "%sFT-SAE", ret = os_snprintf(pos, end - pos, "%sFT-SAE",
pos == buf ? "" : " "); pos == buf ? "" : " ");
@ -1013,6 +1027,16 @@ static char * wpa_config_write_key_mgmt(const struct parse_data *data,
} }
pos += ret; pos += ret;
} }
if (ssid->key_mgmt & WPA_KEY_MGMT_FT_SAE_EXT_KEY) {
ret = os_snprintf(pos, end - pos, "%sFT-SAE-EXT-KEY",
pos == buf ? "" : " ");
if (os_snprintf_error(end - pos, ret)) {
end[-1] = '\0';
return buf;
}
pos += ret;
}
#endif /* CONFIG_SAE */ #endif /* CONFIG_SAE */
#ifdef CONFIG_HS20 #ifdef CONFIG_HS20


@ -2816,6 +2816,13 @@ static char * wpa_supplicant_ie_txt(char *pos, char *end, const char *proto,
return pos; return pos;
pos += ret; pos += ret;
} }
if (data.key_mgmt & WPA_KEY_MGMT_SAE_EXT_KEY) {
ret = os_snprintf(pos, end - pos, "%sSAE-EXT-KEY",
pos == start ? "" : "+");
if (os_snprintf_error(end - pos, ret))
return pos;
pos += ret;
}
#ifdef CONFIG_IEEE80211R #ifdef CONFIG_IEEE80211R
if (data.key_mgmt & WPA_KEY_MGMT_FT_IEEE8021X) { if (data.key_mgmt & WPA_KEY_MGMT_FT_IEEE8021X) {
ret = os_snprintf(pos, end - pos, "%sFT/EAP", ret = os_snprintf(pos, end - pos, "%sFT/EAP",
@ -2838,6 +2845,13 @@ static char * wpa_supplicant_ie_txt(char *pos, char *end, const char *proto,
return pos; return pos;
pos += ret; pos += ret;
} }
if (data.key_mgmt & WPA_KEY_MGMT_FT_SAE_EXT_KEY) {
ret = os_snprintf(pos, end - pos, "%sFT/SAE-EXT-KEY",
pos == start ? "" : "+");
if (os_snprintf_error(end - pos, ret))
return pos;
pos += ret;
}
#endif /* CONFIG_IEEE80211R */ #endif /* CONFIG_IEEE80211R */
if (data.key_mgmt & WPA_KEY_MGMT_IEEE8021X_SHA256) { if (data.key_mgmt & WPA_KEY_MGMT_IEEE8021X_SHA256) {
ret = os_snprintf(pos, end - pos, "%sEAP-SHA256", ret = os_snprintf(pos, end - pos, "%sEAP-SHA256",
@ -3236,7 +3250,8 @@ static int wpa_supplicant_ctrl_iface_mesh_group_add(
return -1; return -1;
} }
if (ssid->key_mgmt != WPA_KEY_MGMT_NONE && if (ssid->key_mgmt != WPA_KEY_MGMT_NONE &&
ssid->key_mgmt != WPA_KEY_MGMT_SAE) { ssid->key_mgmt != WPA_KEY_MGMT_SAE &&
ssid->key_mgmt != WPA_KEY_MGMT_SAE_EXT_KEY) {
wpa_printf(MSG_ERROR, wpa_printf(MSG_ERROR,
"CTRL_IFACE: key_mgmt for mesh network should be open or SAE"); "CTRL_IFACE: key_mgmt for mesh network should be open or SAE");
return -1; return -1;
@ -10843,6 +10858,8 @@ static int wpas_ctrl_iface_pasn_start(struct wpa_supplicant *wpa_s, char *cmd)
#ifdef CONFIG_SAE #ifdef CONFIG_SAE
} else if (os_strcmp(token, "akmp=SAE") == 0) { } else if (os_strcmp(token, "akmp=SAE") == 0) {
akmp = WPA_KEY_MGMT_SAE; akmp = WPA_KEY_MGMT_SAE;
} else if (os_strcmp(token, "akmp=SAE-EXT-KEY") == 0) {
akmp = WPA_KEY_MGMT_SAE_EXT_KEY;
#endif /* CONFIG_SAE */ #endif /* CONFIG_SAE */
#ifdef CONFIG_FILS #ifdef CONFIG_FILS
} else if (os_strcmp(token, "akmp=FILS-SHA256") == 0) { } else if (os_strcmp(token, "akmp=FILS-SHA256") == 0) {
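Review bot: wpa_supplicant_ctrl_iface_mesh_group_add now admits a network whose key_mgmt is SAE-EXT-KEY, but the rejection message still reads `key_mgmt for mesh network should be open or SAE`, and nothing in this section shows the mesh path handling the extended-key AKM. The test is an exact comparison, so a profile that lists both SAE and SAE-EXT-KEY is still refused. If that is intended, a short comment would help, and the log text should name the accepted values. If mesh does not yet support variable length keys, accepting the AKM here only moves the failure later into peering. The function starts and ends outside the hunk.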


@ -5095,7 +5095,7 @@ static dbus_bool_t wpas_dbus_get_bss_security_prop(
DBusMessageIter iter_dict, variant_iter; DBusMessageIter iter_dict, variant_iter;
const char *group; const char *group;
const char *pairwise[5]; /* max 5 pairwise ciphers is supported */ const char *pairwise[5]; /* max 5 pairwise ciphers is supported */
const char *key_mgmt[16]; /* max 16 key managements may be supported */ const char *key_mgmt[18]; /* max 18 key managements may be supported */
int n; int n;
if (!dbus_message_iter_open_container(iter, DBUS_TYPE_VARIANT, if (!dbus_message_iter_open_container(iter, DBUS_TYPE_VARIANT,
@ -5145,8 +5145,12 @@ static dbus_bool_t wpas_dbus_get_bss_security_prop(
#ifdef CONFIG_SAE #ifdef CONFIG_SAE
if (ie_data->key_mgmt & WPA_KEY_MGMT_SAE) if (ie_data->key_mgmt & WPA_KEY_MGMT_SAE)
key_mgmt[n++] = "sae"; key_mgmt[n++] = "sae";
if (ie_data->key_mgmt & WPA_KEY_MGMT_SAE_EXT_KEY)
key_mgmt[n++] = "sae-ext-key";
if (ie_data->key_mgmt & WPA_KEY_MGMT_FT_SAE) if (ie_data->key_mgmt & WPA_KEY_MGMT_FT_SAE)
key_mgmt[n++] = "ft-sae"; key_mgmt[n++] = "ft-sae";
if (ie_data->key_mgmt & WPA_KEY_MGMT_FT_SAE_EXT_KEY)
key_mgmt[n++] = "ft-sae-ext-key";
#endif /* CONFIG_SAE */ #endif /* CONFIG_SAE */
#ifdef CONFIG_OWE #ifdef CONFIG_OWE
if (ie_data->key_mgmt & WPA_KEY_MGMT_OWE) if (ie_data->key_mgmt & WPA_KEY_MGMT_OWE)
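Review bot: `key_mgmt[18]` in wpas_dbus_get_bss_security_prop is a hand-counted bound, and the `key_mgmt[n++] = ...` stores visible in this hunk are unchecked. The next AKM string added without bumping the number would write past the stack array, and the bits being tested come from a parsed BSS IE. Whether 18 covers every store in the function cannot be verified from the hunk, since the rest of the body is outside it. Guarding each store against the array size, e.g. `if (n < (int) ARRAY_SIZE(key_mgmt)) key_mgmt[n++] = "sae-ext-key";`, turns a miscount into a dropped entry instead of a stack overwrite.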


@ -745,9 +745,9 @@ static void sme_send_authentication(struct wpa_supplicant *wpa_s,
if (!skip_auth && params.auth_alg == WPA_AUTH_ALG_SAE && if (!skip_auth && params.auth_alg == WPA_AUTH_ALG_SAE &&
pmksa_cache_set_current(wpa_s->wpa, NULL, bss->bssid, ssid, 0, pmksa_cache_set_current(wpa_s->wpa, NULL, bss->bssid, ssid, 0,
NULL, NULL,
wpa_s->key_mgmt == WPA_KEY_MGMT_FT_SAE ? wpa_key_mgmt_sae(wpa_s->key_mgmt) ?
WPA_KEY_MGMT_FT_SAE : wpa_s->key_mgmt :
WPA_KEY_MGMT_SAE) == 0) { (int) WPA_KEY_MGMT_SAE) == 0) {
wpa_dbg(wpa_s, MSG_DEBUG, wpa_dbg(wpa_s, MSG_DEBUG,
"PMKSA cache entry found - try to use PMKSA caching instead of new SAE authentication"); "PMKSA cache entry found - try to use PMKSA caching instead of new SAE authentication");
wpa_sm_set_pmk_from_pmksa(wpa_s->wpa); wpa_sm_set_pmk_from_pmksa(wpa_s->wpa);


@ -1539,7 +1539,8 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s,
sel = ie.key_mgmt & ssid->key_mgmt; sel = ie.key_mgmt & ssid->key_mgmt;
#ifdef CONFIG_SAE #ifdef CONFIG_SAE
if (!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_SAE)) if (!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_SAE))
sel &= ~(WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_FT_SAE); sel &= ~(WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_SAE_EXT_KEY |
WPA_KEY_MGMT_FT_SAE | WPA_KEY_MGMT_FT_SAE_EXT_KEY);
#endif /* CONFIG_SAE */ #endif /* CONFIG_SAE */
#ifdef CONFIG_IEEE80211R #ifdef CONFIG_IEEE80211R
if (!(wpa_s->drv_flags & (WPA_DRIVER_FLAGS_SME | if (!(wpa_s->drv_flags & (WPA_DRIVER_FLAGS_SME |
@ -1615,6 +1616,13 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s,
wpa_dbg(wpa_s, MSG_DEBUG, "RSN: using KEY_MGMT DPP"); wpa_dbg(wpa_s, MSG_DEBUG, "RSN: using KEY_MGMT DPP");
#endif /* CONFIG_DPP */ #endif /* CONFIG_DPP */
#ifdef CONFIG_SAE #ifdef CONFIG_SAE
} else if (sel & WPA_KEY_MGMT_FT_SAE_EXT_KEY) {
wpa_s->key_mgmt = WPA_KEY_MGMT_FT_SAE_EXT_KEY;
wpa_dbg(wpa_s, MSG_DEBUG,
"RSN: using KEY_MGMT FT/SAE (ext key)");
} else if (sel & WPA_KEY_MGMT_SAE_EXT_KEY) {
wpa_s->key_mgmt = WPA_KEY_MGMT_SAE_EXT_KEY;
wpa_dbg(wpa_s, MSG_DEBUG, "RSN: using KEY_MGMT SAE (ext key)");
} else if (sel & WPA_KEY_MGMT_FT_SAE) { } else if (sel & WPA_KEY_MGMT_FT_SAE) {
wpa_s->key_mgmt = WPA_KEY_MGMT_FT_SAE; wpa_s->key_mgmt = WPA_KEY_MGMT_FT_SAE;
wpa_dbg(wpa_s, MSG_DEBUG, "RSN: using KEY_MGMT FT/SAE"); wpa_dbg(wpa_s, MSG_DEBUG, "RSN: using KEY_MGMT FT/SAE");