SAE-PK: Allow automatic SAE-PK to be disabled
This replaces the previously used sae_pk_only configuration parameter with a more generic sae_pk that can be used to specify how SAE-PK is negotiated. The default behavior (sae_pk=0) is to automatically negotiate SAE-PK whenever the AP supports it and the password is in appropriate format. sae_pk=1 allows only SAE-PK to be used and sae_pk=2 disables SAE-PK completely. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This commit is contained in:
parent
85ca13ebcf
commit
9ad010c290
7 changed files with 27 additions and 16 deletions
|
@ -2582,7 +2582,7 @@ static const struct parse_data ssid_fields[] = {
|
||||||
{ INT_RANGE(ft_eap_pmksa_caching, 0, 1) },
|
{ INT_RANGE(ft_eap_pmksa_caching, 0, 1) },
|
||||||
{ INT_RANGE(beacon_prot, 0, 1) },
|
{ INT_RANGE(beacon_prot, 0, 1) },
|
||||||
{ INT_RANGE(transition_disable, 0, 255) },
|
{ INT_RANGE(transition_disable, 0, 255) },
|
||||||
{ INT_RANGE(sae_pk_only, 0, 1) },
|
{ INT_RANGE(sae_pk, 0, 2) },
|
||||||
};
|
};
|
||||||
|
|
||||||
#undef OFFSET
|
#undef OFFSET
|
||||||
|
|
|
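Review bot: Dropping the `sae_pk_only` entry from `ssid_fields` retires the old keyword with no alias, so a saved wpa_supplicant.conf that still contains `sae_pk_only=0` or `sae_pk_only=1` becomes an unknown network field and, if the parser rejects names that are not in this table (as it appears to for any other unknown keyword), the whole network block fails to load. `sae_pk_only=1` was the hardened setting, so that breakage would at least be noticed, but a stored `sae_pk_only=0` takes a previously working network down for no security gain. Since `INT_RANGE` derives both the keyword and the struct member from a single name, a compatibility entry would need a small custom parser that accepts 0..1 under the old name and stores `ssid->sae_pk = value ? SAE_PK_MODE_ONLY : SAE_PK_MODE_AUTOMATIC`; failing that, the change should be called out in release notes. The `ssid_fields[]` table starts outside this hunk.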
@ -937,7 +937,7 @@ static void wpa_config_write_network(FILE *f, struct wpa_ssid *ssid)
|
||||||
INT(ft_eap_pmksa_caching);
|
INT(ft_eap_pmksa_caching);
|
||||||
INT(beacon_prot);
|
INT(beacon_prot);
|
||||||
INT(transition_disable);
|
INT(transition_disable);
|
||||||
INT(sae_pk_only);
|
INT(sae_pk);
|
||||||
#ifdef CONFIG_HT_OVERRIDES
|
#ifdef CONFIG_HT_OVERRIDES
|
||||||
INT_DEF(disable_ht, DEFAULT_DISABLE_HT);
|
INT_DEF(disable_ht, DEFAULT_DISABLE_HT);
|
||||||
INT_DEF(disable_ht40, DEFAULT_DISABLE_HT40);
|
INT_DEF(disable_ht40, DEFAULT_DISABLE_HT40);
|
||||||
|
|
|
@ -62,6 +62,12 @@ enum wpas_mode {
|
||||||
WPAS_MODE_MESH = 5,
|
WPAS_MODE_MESH = 5,
|
||||||
};
|
};
|
||||||
|
|
||||||
|
enum sae_pk_mode {
|
||||||
|
SAE_PK_MODE_AUTOMATIC = 0,
|
||||||
|
SAE_PK_MODE_ONLY = 1,
|
||||||
|
SAE_PK_MODE_DISABLED = 2,
|
||||||
|
};
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* struct wpa_ssid - Network configuration data
|
* struct wpa_ssid - Network configuration data
|
||||||
*
|
*
|
||||||
|
@ -1123,13 +1129,14 @@ struct wpa_ssid {
|
||||||
u8 transition_disable;
|
u8 transition_disable;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* sae_pk_only - SAE-PK only mode (disable transition mode)
|
* sae_pk - SAE-PK mode
|
||||||
*
|
* 0 = automatic SAE/SAE-PK selection based on password; enable
|
||||||
* 0 = enable transition mode (allow SAE authentication without SAE-PK)
|
* transition mode (allow SAE authentication without SAE-PK)
|
||||||
* 1 = disable transition mode (allow SAE authentication only with
|
* 1 = SAE-PK only (disable transition mode; allow SAE authentication
|
||||||
* SAE-PK)
|
* only with SAE-PK)
|
||||||
|
* 2 = disable SAE-PK (allow SAE authentication only without SAE-PK)
|
||||||
*/
|
*/
|
||||||
int sae_pk_only;
|
enum sae_pk_mode sae_pk;
|
||||||
};
|
};
|
||||||
|
|
||||||
#endif /* CONFIG_SSID_H */
|
#endif /* CONFIG_SSID_H */
|
||||||
|
|
|
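Review bot: The new `enum sae_pk_mode` at the top of the hunk carries no comment, and the only explanation of the three values is on the `sae_pk` field further down, so a reader meeting `SAE_PK_MODE_AUTOMATIC` in sme.c or scan.c has to locate the struct doc first. Worth stating on the enum what the other hunks show: `/* AUTOMATIC keeps transition mode, so an AP that does not advertise SAE-PK in its RSNXE is still accepted and authenticated without PK; only ONLY rejects such APs, and DISABLED never negotiates PK */`. The field doc's "automatic SAE/SAE-PK selection based on password" also understates the rule in sme_auth_build_sae_commit(), where the AP's RSNXE SAE-PK capability is required as well; suggest `0 = automatic: use SAE-PK when the AP advertises it and the password is in SAE-PK format`. `struct wpa_ssid` starts outside this hunk.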
@ -1367,7 +1367,7 @@ struct wpa_ssid * wpa_scan_res_match(struct wpa_supplicant *wpa_s,
|
||||||
#endif /* CONFIG_SAE */
|
#endif /* CONFIG_SAE */
|
||||||
|
|
||||||
#ifdef CONFIG_SAE_PK
|
#ifdef CONFIG_SAE_PK
|
||||||
if (ssid->sae_pk_only &&
|
if (ssid->sae_pk == SAE_PK_MODE_ONLY &&
|
||||||
!(rsnxe_capa & BIT(WLAN_RSNX_CAPAB_SAE_PK))) {
|
!(rsnxe_capa & BIT(WLAN_RSNX_CAPAB_SAE_PK))) {
|
||||||
if (debug_print)
|
if (debug_print)
|
||||||
wpa_dbg(wpa_s, MSG_DEBUG,
|
wpa_dbg(wpa_s, MSG_DEBUG,
|
||||||
|
|
|
@ -150,12 +150,13 @@ static struct wpabuf * sme_auth_build_sae_commit(struct wpa_supplicant *wpa_s,
|
||||||
use_pt = 1;
|
use_pt = 1;
|
||||||
#ifdef CONFIG_SAE_PK
|
#ifdef CONFIG_SAE_PK
|
||||||
if ((rsnxe_capa & BIT(WLAN_RSNX_CAPAB_SAE_PK)) &&
|
if ((rsnxe_capa & BIT(WLAN_RSNX_CAPAB_SAE_PK)) &&
|
||||||
|
ssid->sae_pk != SAE_PK_MODE_DISABLED &&
|
||||||
ssid->sae_password && sae_pk_valid_password(ssid->sae_password)) {
|
ssid->sae_password && sae_pk_valid_password(ssid->sae_password)) {
|
||||||
use_pt = 1;
|
use_pt = 1;
|
||||||
use_pk = true;
|
use_pk = true;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (ssid->sae_pk_only && !use_pk) {
|
if (ssid->sae_pk == SAE_PK_MODE_ONLY && !use_pk) {
|
||||||
wpa_printf(MSG_DEBUG,
|
wpa_printf(MSG_DEBUG,
|
||||||
"SAE: Cannot use PK with the selected AP");
|
"SAE: Cannot use PK with the selected AP");
|
||||||
return NULL;
|
return NULL;
|
||||||
|
|
|
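Review bot: The added `ssid->sae_pk != SAE_PK_MODE_DISABLED` test silently falls back to plain SAE when the AP advertises SAE-PK and the password is in SAE-PK format, whereas the ONLY-mode refusal a few lines later is logged; a user whose `sae_pk=2` network then fails against an AP that requires PK gets no hint in the debug output. A short branch after the `if` would make the decision visible: `} else if (ssid->sae_pk == SAE_PK_MODE_DISABLED && (rsnxe_capa & BIT(WLAN_RSNX_CAPAB_SAE_PK))) wpa_printf(MSG_DEBUG, "SAE: AP supports SAE-PK but it is disabled by configuration");`. sme_auth_build_sae_commit() starts and ends outside the hunk.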
@ -1516,10 +1516,13 @@ fast_reauth=1
|
||||||
# bit 3 (0x08): Enhanced Open (disable use of open network; require
|
# bit 3 (0x08): Enhanced Open (disable use of open network; require
|
||||||
# OWE)
|
# OWE)
|
||||||
|
|
||||||
# SAE-PK only mode (disable transition mode)
|
# SAE-PK mode
|
||||||
# 0: enable transition mode (allow SAE authentication without SAE-PK)
|
# 0: automatic SAE/SAE-PK selection based on password; enable
|
||||||
# 1: disable transition mode (allow SAE authentication only with SAE-PK)
|
# transition mode (allow SAE authentication without SAE-PK)
|
||||||
#sae_pk_only=0
|
# 1: SAE-PK only (disable transition mode; allow SAE authentication
|
||||||
|
# only with SAE-PK)
|
||||||
|
# 2: disable SAE-PK (allow SAE authentication only without SAE-PK)
|
||||||
|
#sae_pk=0
|
||||||
|
|
||||||
# MAC address policy
|
# MAC address policy
|
||||||
# 0 = use permanent MAC address
|
# 0 = use permanent MAC address
|
||||||
|
|
|
@ -1301,13 +1301,13 @@ static void wpa_supplicant_transition_disable(void *_wpa_s, u8 bitmap)
|
||||||
wpa_s->sme.sae.pk &&
|
wpa_s->sme.sae.pk &&
|
||||||
#endif /* CONFIG_SME */
|
#endif /* CONFIG_SME */
|
||||||
(ssid->key_mgmt & (WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_FT_SAE)) &&
|
(ssid->key_mgmt & (WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_FT_SAE)) &&
|
||||||
(!ssid->sae_pk_only ||
|
(ssid->sae_pk != SAE_PK_MODE_ONLY ||
|
||||||
ssid->ieee80211w != MGMT_FRAME_PROTECTION_REQUIRED ||
|
ssid->ieee80211w != MGMT_FRAME_PROTECTION_REQUIRED ||
|
||||||
(ssid->group_cipher & WPA_CIPHER_TKIP))) {
|
(ssid->group_cipher & WPA_CIPHER_TKIP))) {
|
||||||
wpa_printf(MSG_DEBUG,
|
wpa_printf(MSG_DEBUG,
|
||||||
"SAE-PK: SAE authentication without PK disabled based on AP notification");
|
"SAE-PK: SAE authentication without PK disabled based on AP notification");
|
||||||
disable_wpa_wpa2(ssid);
|
disable_wpa_wpa2(ssid);
|
||||||
ssid->sae_pk_only = 1;
|
ssid->sae_pk = SAE_PK_MODE_ONLY;
|
||||||
changed = 1;
|
changed = 1;
|
||||||
}
|
}
|
||||||
#endif /* CONFIG_SAE */
|
#endif /* CONFIG_SAE */
|
||||||
|
|
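Review bot: The branch that sets `ssid->sae_pk = SAE_PK_MODE_ONLY` does not distinguish an explicit `sae_pk=2` from the default, so an AP's transition-disable notification can overwrite a user's deliberate "disable SAE-PK" choice and, with `changed = 1`, presumably write it back to the configuration. In SME builds the `wpa_s->sme.sae.pk &&` guard at the top of the hunk should keep this from firing when PK was not used, but that guard sits under `#ifdef CONFIG_SME` (the `#ifdef` and the start of the condition are outside the hunk), so the driver-based SAE path appears to lack it. If overriding local policy on AP request is intended, the `sae_pk` field doc should say that value 2 may be replaced by a transition-disable notification; otherwise add `ssid->sae_pk != SAE_PK_MODE_DISABLED &&` to the condition. wpa_supplicant_transition_disable() starts and ends outside the hunk.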