SAE-PK: Allow automatic SAE-PK to be disabled

This replaces the previously used sae_pk_only configuration parameter
with a more generic sae_pk that can be used to specify how SAE-PK is
negotiated. The default behavior (sae_pk=0) is to automatically
negotiate SAE-PK whenever the AP supports it and the password is in
appropriate format. sae_pk=1 allows only SAE-PK to be used and sae_pk=2
disables SAE-PK completely.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Jouni Malinen 2020-06-07 11:53:26 +03:00 committed by Jouni Malinen
parent 85ca13ebcf
commit 9ad010c290
7 changed files with 27 additions and 16 deletions


@ -2582,7 +2582,7 @@ static const struct parse_data ssid_fields[] = {
{ INT_RANGE(ft_eap_pmksa_caching, 0, 1) }, { INT_RANGE(ft_eap_pmksa_caching, 0, 1) },
{ INT_RANGE(beacon_prot, 0, 1) }, { INT_RANGE(beacon_prot, 0, 1) },
{ INT_RANGE(transition_disable, 0, 255) }, { INT_RANGE(transition_disable, 0, 255) },
{ INT_RANGE(sae_pk_only, 0, 1) }, { INT_RANGE(sae_pk, 0, 2) },
}; };
#undef OFFSET #undef OFFSET
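Review bot: Replacing the `sae_pk_only` entry with `sae_pk` on line 23 removes the old key from the parser table, so a network block that still says `sae_pk_only=1` will presumably be rejected by the config parser instead of keeping its stricter SAE-PK-only setting — a silent loss of hardening if that parameter has already shipped in a release. If the table macros allow a config key distinct from the struct member, keeping a deprecated alias that writes `1` into `sae_pk` as `SAE_PK_MODE_ONLY` would preserve existing configurations; otherwise the change log should state that `sae_pk_only` is no longer accepted. At minimum a comment next to the new entry, `/* 0 = automatic, 1 = SAE-PK only, 2 = SAE-PK disabled; see enum sae_pk_mode */`, ties the numeric range to the enum it feeds.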


@ -937,7 +937,7 @@ static void wpa_config_write_network(FILE *f, struct wpa_ssid *ssid)
INT(ft_eap_pmksa_caching); INT(ft_eap_pmksa_caching);
INT(beacon_prot); INT(beacon_prot);
INT(transition_disable); INT(transition_disable);
INT(sae_pk_only); INT(sae_pk);
#ifdef CONFIG_HT_OVERRIDES #ifdef CONFIG_HT_OVERRIDES
INT_DEF(disable_ht, DEFAULT_DISABLE_HT); INT_DEF(disable_ht, DEFAULT_DISABLE_HT);
INT_DEF(disable_ht40, DEFAULT_DISABLE_HT40); INT_DEF(disable_ht40, DEFAULT_DISABLE_HT40);


@ -62,6 +62,12 @@ enum wpas_mode {
WPAS_MODE_MESH = 5, WPAS_MODE_MESH = 5,
}; };
enum sae_pk_mode {
SAE_PK_MODE_AUTOMATIC = 0,
SAE_PK_MODE_ONLY = 1,
SAE_PK_MODE_DISABLED = 2,
};
/** /**
* struct wpa_ssid - Network configuration data * struct wpa_ssid - Network configuration data
* *
@ -1123,13 +1129,14 @@ struct wpa_ssid {
u8 transition_disable; u8 transition_disable;
/** /**
* sae_pk_only - SAE-PK only mode (disable transition mode) * sae_pk - SAE-PK mode
* * 0 = automatic SAE/SAE-PK selection based on password; enable
* 0 = enable transition mode (allow SAE authentication without SAE-PK) * transition mode (allow SAE authentication without SAE-PK)
* 1 = disable transition mode (allow SAE authentication only with * 1 = SAE-PK only (disable transition mode; allow SAE authentication
* SAE-PK) * only with SAE-PK)
* 2 = disable SAE-PK (allow SAE authentication only without SAE-PK)
*/ */
int sae_pk_only; enum sae_pk_mode sae_pk;
}; };
#endif /* CONFIG_SSID_H */ #endif /* CONFIG_SSID_H */
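Review bot: The new `enum sae_pk_mode` on lines 43-47 has no comment saying that its numeric values are the on-disk `sae_pk=` configuration values and the values the config parser range-checks (0..2), so a later maintainer could reorder or insert constants and silently change what a user's `sae_pk=1` means. Add a header comment above the enum, e.g. `/* Values are the sae_pk= config parameter and are stored/parsed as integers; do not renumber. */`. The struct field on line 61 is written through the generic integer parser in config.c, so it is also worth noting in that comment that the enum is expected to have int-compatible storage, as other enum-typed fields in this struct presumably already rely on.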


@ -1367,7 +1367,7 @@ struct wpa_ssid * wpa_scan_res_match(struct wpa_supplicant *wpa_s,
#endif /* CONFIG_SAE */ #endif /* CONFIG_SAE */
#ifdef CONFIG_SAE_PK #ifdef CONFIG_SAE_PK
if (ssid->sae_pk_only && if (ssid->sae_pk == SAE_PK_MODE_ONLY &&
!(rsnxe_capa & BIT(WLAN_RSNX_CAPAB_SAE_PK))) { !(rsnxe_capa & BIT(WLAN_RSNX_CAPAB_SAE_PK))) {
if (debug_print) if (debug_print)
wpa_dbg(wpa_s, MSG_DEBUG, wpa_dbg(wpa_s, MSG_DEBUG,


@ -150,12 +150,13 @@ static struct wpabuf * sme_auth_build_sae_commit(struct wpa_supplicant *wpa_s,
use_pt = 1; use_pt = 1;
#ifdef CONFIG_SAE_PK #ifdef CONFIG_SAE_PK
if ((rsnxe_capa & BIT(WLAN_RSNX_CAPAB_SAE_PK)) && if ((rsnxe_capa & BIT(WLAN_RSNX_CAPAB_SAE_PK)) &&
ssid->sae_pk != SAE_PK_MODE_DISABLED &&
ssid->sae_password && sae_pk_valid_password(ssid->sae_password)) { ssid->sae_password && sae_pk_valid_password(ssid->sae_password)) {
use_pt = 1; use_pt = 1;
use_pk = true; use_pk = true;
} }
if (ssid->sae_pk_only && !use_pk) { if (ssid->sae_pk == SAE_PK_MODE_ONLY && !use_pk) {
wpa_printf(MSG_DEBUG, wpa_printf(MSG_DEBUG,
"SAE: Cannot use PK with the selected AP"); "SAE: Cannot use PK with the selected AP");
return NULL; return NULL;
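Review bot: The failure message on line 88, "SAE: Cannot use PK with the selected AP", is now misleading in one of the two cases that reach it: `use_pk` on line 84 requires both the AP's RSNXE SAE-PK capability (line 80) and a locally configured password in SAE-PK format (line 82), so with `sae_pk=1` and an AP that does advertise SAE-PK the real cause is the local password, not the AP. Distinguishing the two makes a misconfiguration diagnosable without a packet capture, e.g. `wpa_printf(MSG_DEBUG, "SAE: Cannot use PK with the selected AP (%s)", (rsnxe_capa & BIT(WLAN_RSNX_CAPAB_SAE_PK)) ? "sae_password is not in SAE-PK format" : "AP does not advertise SAE-PK");`. It would also help operators to log a debug line when SAE-PK is skipped solely because of the new `SAE_PK_MODE_DISABLED` check on line 81, since that is the one path where an available AP authentication is deliberately not used. sme_auth_build_sae_commit starts before and ends after this hunk.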


@ -1516,10 +1516,13 @@ fast_reauth=1
# bit 3 (0x08): Enhanced Open (disable use of open network; require # bit 3 (0x08): Enhanced Open (disable use of open network; require
# OWE) # OWE)
# SAE-PK only mode (disable transition mode) # SAE-PK mode
# 0: enable transition mode (allow SAE authentication without SAE-PK) # 0: automatic SAE/SAE-PK selection based on password; enable
# 1: disable transition mode (allow SAE authentication only with SAE-PK) # transition mode (allow SAE authentication without SAE-PK)
#sae_pk_only=0 # 1: SAE-PK only (disable transition mode; allow SAE authentication
# only with SAE-PK)
# 2: disable SAE-PK (allow SAE authentication only without SAE-PK)
#sae_pk=0
# MAC address policy # MAC address policy
# 0 = use permanent MAC address # 0 = use permanent MAC address


@ -1301,13 +1301,13 @@ static void wpa_supplicant_transition_disable(void *_wpa_s, u8 bitmap)
wpa_s->sme.sae.pk && wpa_s->sme.sae.pk &&
#endif /* CONFIG_SME */ #endif /* CONFIG_SME */
(ssid->key_mgmt & (WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_FT_SAE)) && (ssid->key_mgmt & (WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_FT_SAE)) &&
(!ssid->sae_pk_only || (ssid->sae_pk != SAE_PK_MODE_ONLY ||
ssid->ieee80211w != MGMT_FRAME_PROTECTION_REQUIRED || ssid->ieee80211w != MGMT_FRAME_PROTECTION_REQUIRED ||
(ssid->group_cipher & WPA_CIPHER_TKIP))) { (ssid->group_cipher & WPA_CIPHER_TKIP))) {
wpa_printf(MSG_DEBUG, wpa_printf(MSG_DEBUG,
"SAE-PK: SAE authentication without PK disabled based on AP notification"); "SAE-PK: SAE authentication without PK disabled based on AP notification");
disable_wpa_wpa2(ssid); disable_wpa_wpa2(ssid);
ssid->sae_pk_only = 1; ssid->sae_pk = SAE_PK_MODE_ONLY;
changed = 1; changed = 1;
} }
#endif /* CONFIG_SAE */ #endif /* CONFIG_SAE */
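Review bot: The assignment `ssid->sae_pk = SAE_PK_MODE_ONLY;` on line 118 can overwrite an operator's explicit `sae_pk=2` choice, because the new condition on line 112 only excludes networks already in ONLY mode. In the SME build this is presumably unreachable, since the `wpa_s->sme.sae.pk` check on line 109 implies SAE-PK was negotiated and hence the mode was not DISABLED, but that check sits inside `#ifdef CONFIG_SME` (line 110) and the remaining guards (key_mgmt, PMF, TKIP) say nothing about the configured mode. Making the invariant explicit is a one-line change, `(ssid->sae_pk == SAE_PK_MODE_AUTOMATIC ||` in place of the `!= SAE_PK_MODE_ONLY` test on line 112, with a comment such as `/* Only upgrade automatic mode; never override an explicit sae_pk=2 */`. wpa_supplicant_transition_disable starts before and ends after this hunk.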