diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c index 11324257a..e83347b83 100644 --- a/src/ap/ap_config.c +++ b/src/ap/ap_config.c @@ -479,10 +479,11 @@ int hostapd_setup_sae_pt(struct hostapd_bss_config *conf) struct hostapd_ssid *ssid = &conf->ssid; struct sae_password_entry *pw; - if ((conf->sae_pwe == 0 && !hostapd_sae_pw_id_in_use(conf) && + if ((conf->sae_pwe == SAE_PWE_HUNT_AND_PECK && + !hostapd_sae_pw_id_in_use(conf) && !wpa_key_mgmt_sae_ext_key(conf->wpa_key_mgmt) && !hostapd_sae_pk_in_use(conf)) || - conf->sae_pwe == 3 || + conf->sae_pwe == SAE_PWE_FORCE_HUNT_AND_PECK || !wpa_key_mgmt_sae(conf->wpa_key_mgmt)) return 0; /* PT not needed */ @@ -1211,9 +1212,10 @@ static bool hostapd_config_check_bss_6g(struct hostapd_bss_config *bss) } #ifdef CONFIG_SAE - if (wpa_key_mgmt_sae(bss->wpa_key_mgmt) && !bss->sae_pwe) { + if (wpa_key_mgmt_sae(bss->wpa_key_mgmt) && + bss->sae_pwe == SAE_PWE_HUNT_AND_PECK) { wpa_printf(MSG_INFO, "SAE: Enabling SAE H2E on 6 GHz"); - bss->sae_pwe = 2; + bss->sae_pwe = SAE_PWE_BOTH; } #endif /* CONFIG_SAE */ diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h index a196d858f..330c9ed65 100644 --- a/src/ap/ap_config.h +++ b/src/ap/ap_config.h @@ -670,7 +670,7 @@ struct hostapd_bss_config { unsigned int sae_sync; int sae_require_mfp; int sae_confirm_immediate; - int sae_pwe; + enum sae_pwe sae_pwe; int *sae_groups; struct sae_password_entry *sae_passwords; diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c index 19a3afcb8..71c905ba6 100644 --- a/src/ap/drv_callbacks.c +++ b/src/ap/drv_callbacks.c @@ -451,7 +451,7 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr, } #endif /* CONFIG_IEEE80211R_AP */ #ifdef CONFIG_SAE - if (hapd->conf->sae_pwe == 2 && + if (hapd->conf->sae_pwe == SAE_PWE_BOTH && sta->auth_alg == WLAN_AUTH_SAE && sta->sae && !sta->sae->h2e && ieee802_11_rsnx_capab_len(elems.rsnxe, elems.rsnxe_len, diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c index f0e3c55a9..ba3c6009e 100644 --- a/src/ap/ieee802_11.c +++ b/src/ap/ieee802_11.c @@ -115,9 +115,9 @@ u8 * hostapd_eid_supp_rates(struct hostapd_data *hapd, u8 *eid) num++; if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht) num++; - h2e_required = (hapd->conf->sae_pwe == 1 || + h2e_required = (hapd->conf->sae_pwe == SAE_PWE_HASH_TO_ELEMENT || hostapd_sae_pw_id_in_use(hapd->conf) == 2) && - hapd->conf->sae_pwe != 3 && + hapd->conf->sae_pwe != SAE_PWE_FORCE_HUNT_AND_PECK && wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt); if (h2e_required) num++; @@ -170,9 +170,9 @@ u8 * hostapd_eid_ext_supp_rates(struct hostapd_data *hapd, u8 *eid) num++; if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht) num++; - h2e_required = (hapd->conf->sae_pwe == 1 || + h2e_required = (hapd->conf->sae_pwe == SAE_PWE_HASH_TO_ELEMENT || hostapd_sae_pw_id_in_use(hapd->conf) == 2) && - hapd->conf->sae_pwe != 3 && + hapd->conf->sae_pwe != SAE_PWE_FORCE_HUNT_AND_PECK && wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt); if (h2e_required) num++; @@ -558,7 +558,7 @@ static struct wpabuf * auth_build_sae_commit(struct hostapd_data *hapd, #endif /* CONFIG_SAE_PK */ } - if (rx_id && hapd->conf->sae_pwe != 3) + if (rx_id && hapd->conf->sae_pwe != SAE_PWE_FORCE_HUNT_AND_PECK) use_pt = 1; else if (status_code == WLAN_STATUS_SUCCESS) use_pt = 0; @@ -1099,31 +1099,32 @@ static void sae_pick_next_group(struct hostapd_data *hapd, struct sta_info *sta) static int sae_status_success(struct hostapd_data *hapd, u16 status_code) { - int sae_pwe = hapd->conf->sae_pwe; + enum sae_pwe sae_pwe = hapd->conf->sae_pwe; int id_in_use; bool sae_pk = false; id_in_use = hostapd_sae_pw_id_in_use(hapd->conf); - if (id_in_use == 2 && sae_pwe != 3) - sae_pwe = 1; - else if (id_in_use == 1 && sae_pwe == 0) - sae_pwe = 2; + if (id_in_use == 2 && sae_pwe != SAE_PWE_FORCE_HUNT_AND_PECK) + sae_pwe = SAE_PWE_HASH_TO_ELEMENT; + else if (id_in_use == 1 && sae_pwe == SAE_PWE_HUNT_AND_PECK) + sae_pwe = SAE_PWE_BOTH; #ifdef CONFIG_SAE_PK sae_pk = hostapd_sae_pk_in_use(hapd->conf); - if (sae_pwe == 0 && sae_pk) - sae_pwe = 2; + if (sae_pwe == SAE_PWE_HUNT_AND_PECK && sae_pk) + sae_pwe = SAE_PWE_BOTH; #endif /* CONFIG_SAE_PK */ - if (sae_pwe == 0 && + if (sae_pwe == SAE_PWE_HUNT_AND_PECK && (hapd->conf->wpa_key_mgmt & (WPA_KEY_MGMT_SAE_EXT_KEY | WPA_KEY_MGMT_FT_SAE_EXT_KEY))) - sae_pwe = 2; + sae_pwe = SAE_PWE_BOTH; - return ((sae_pwe == 0 || sae_pwe == 3) && + return ((sae_pwe == SAE_PWE_HUNT_AND_PECK || + sae_pwe == SAE_PWE_FORCE_HUNT_AND_PECK) && status_code == WLAN_STATUS_SUCCESS) || - (sae_pwe == 1 && + (sae_pwe == SAE_PWE_HASH_TO_ELEMENT && (status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT || (sae_pk && status_code == WLAN_STATUS_SAE_PK))) || - (sae_pwe == 2 && + (sae_pwe == SAE_PWE_BOTH && (status_code == WLAN_STATUS_SUCCESS || status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT || (sae_pk && status_code == WLAN_STATUS_SAE_PK))); @@ -3849,7 +3850,7 @@ static int check_assoc_ies(struct hostapd_data *hapd, struct sta_info *sta, return WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG; } - if (hapd->conf->sae_pwe == 2 && + if (hapd->conf->sae_pwe == SAE_PWE_BOTH && sta->auth_alg == WLAN_AUTH_SAE && sta->sae && !sta->sae->h2e && ieee802_11_rsnx_capab_len(elems.rsnxe, elems.rsnxe_len, diff --git a/src/ap/ieee802_11_shared.c b/src/ap/ieee802_11_shared.c index eaeaec5d7..ad8afff2a 100644 --- a/src/ap/ieee802_11_shared.c +++ b/src/ap/ieee802_11_shared.c @@ -1062,10 +1062,11 @@ u8 * hostapd_eid_rsnxe(struct hostapd_data *hapd, u8 *eid, size_t len) #endif /* CONFIG_SAE_PK */ if (wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt) && - (hapd->conf->sae_pwe == 1 || hapd->conf->sae_pwe == 2 || + (hapd->conf->sae_pwe == SAE_PWE_HASH_TO_ELEMENT || + hapd->conf->sae_pwe == SAE_PWE_BOTH || hostapd_sae_pw_id_in_use(hapd->conf) || sae_pk || wpa_key_mgmt_sae_ext_key(hapd->conf->wpa_key_mgmt)) && - hapd->conf->sae_pwe != 3) { + hapd->conf->sae_pwe != SAE_PWE_FORCE_HUNT_AND_PECK) { capab |= BIT(WLAN_RSNX_CAPAB_SAE_H2E); #ifdef CONFIG_SAE_PK if (sae_pk) diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h index b6737a32e..d95b2567e 100644 --- a/src/ap/wpa_auth.h +++ b/src/ap/wpa_auth.h @@ -255,7 +255,7 @@ struct wpa_auth_config { unsigned int fils_cache_id_set:1; u8 fils_cache_id[FILS_CACHE_ID_LEN]; #endif /* CONFIG_FILS */ - int sae_pwe; + enum sae_pwe sae_pwe; bool sae_pk; unsigned int secure_ltf:1; diff --git a/src/ap/wpa_auth_ft.c b/src/ap/wpa_auth_ft.c index 91e4a2560..88d63bb77 100644 --- a/src/ap/wpa_auth_ft.c +++ b/src/ap/wpa_auth_ft.c @@ -2736,7 +2736,8 @@ u8 * wpa_sm_write_assoc_resp_ies(struct wpa_state_machine *sm, u8 *pos, snonce = NULL; } rsnxe_used = (auth_alg == WLAN_AUTH_FT) && - (conf->sae_pwe == 1 || conf->sae_pwe == 2); + (conf->sae_pwe == SAE_PWE_HASH_TO_ELEMENT || + conf->sae_pwe == SAE_PWE_BOTH); #ifdef CONFIG_TESTING_OPTIONS if (sm->wpa_auth->conf.ft_rsnxe_used) { rsnxe_used = sm->wpa_auth->conf.ft_rsnxe_used == 1; @@ -3626,7 +3627,8 @@ int wpa_ft_validate_reassoc(struct wpa_state_machine *sm, const u8 *ies, } if (parse.fte_rsnxe_used && - (conf->sae_pwe == 1 || conf->sae_pwe == 2) && + (conf->sae_pwe == SAE_PWE_HASH_TO_ELEMENT || + conf->sae_pwe == SAE_PWE_BOTH) && !parse.rsnxe) { wpa_printf(MSG_INFO, "FT: FTE indicated that STA uses RSNXE, but RSNXE was not included"); diff --git a/src/ap/wpa_auth_glue.c b/src/ap/wpa_auth_glue.c index 510708064..250d5a158 100644 --- a/src/ap/wpa_auth_glue.c +++ b/src/ap/wpa_auth_glue.c @@ -196,10 +196,10 @@ static void hostapd_wpa_auth_conf(struct hostapd_bss_config *conf, #endif /* CONFIG_FILS */ wconf->sae_pwe = conf->sae_pwe; sae_pw_id = hostapd_sae_pw_id_in_use(conf); - if (sae_pw_id == 2 && wconf->sae_pwe != 3) - wconf->sae_pwe = 1; - else if (sae_pw_id == 1 && wconf->sae_pwe == 0) - wconf->sae_pwe = 2; + if (sae_pw_id == 2 && wconf->sae_pwe != SAE_PWE_FORCE_HUNT_AND_PECK) + wconf->sae_pwe = SAE_PWE_HASH_TO_ELEMENT; + else if (sae_pw_id == 1 && wconf->sae_pwe == SAE_PWE_HUNT_AND_PECK) + wconf->sae_pwe = SAE_PWE_BOTH; #ifdef CONFIG_SAE_PK wconf->sae_pk = hostapd_sae_pk_in_use(conf); #endif /* CONFIG_SAE_PK */ diff --git a/src/ap/wpa_auth_ie.c b/src/ap/wpa_auth_ie.c index 1c8affa9b..2a1789103 100644 --- a/src/ap/wpa_auth_ie.c +++ b/src/ap/wpa_auth_ie.c @@ -405,7 +405,8 @@ int wpa_write_rsnxe(struct wpa_auth_config *conf, u8 *buf, size_t len) size_t flen; if (wpa_key_mgmt_sae(conf->wpa_key_mgmt) && - (conf->sae_pwe == 1 || conf->sae_pwe == 2 || conf->sae_pk || + (conf->sae_pwe == SAE_PWE_HASH_TO_ELEMENT || + conf->sae_pwe == SAE_PWE_BOTH || conf->sae_pk || wpa_key_mgmt_sae_ext_key(conf->wpa_key_mgmt))) { capab |= BIT(WLAN_RSNX_CAPAB_SAE_H2E); #ifdef CONFIG_SAE_PK diff --git a/src/common/defs.h b/src/common/defs.h index 473534ca5..c0c6dbe84 100644 --- a/src/common/defs.h +++ b/src/common/defs.h @@ -521,4 +521,12 @@ enum frame_encryption { #define MAX_NUM_MLD_LINKS 15 +enum sae_pwe { + SAE_PWE_HUNT_AND_PECK = 0, + SAE_PWE_HASH_TO_ELEMENT = 1, + SAE_PWE_BOTH = 2, + SAE_PWE_FORCE_HUNT_AND_PECK = 3, + SAE_PWE_NOT_SET = 4, +}; + #endif /* DEFS_H */ diff --git a/src/drivers/driver.h b/src/drivers/driver.h index 1c5b2f896..0b019e3af 100644 --- a/src/drivers/driver.h +++ b/src/drivers/driver.h @@ -1250,7 +1250,7 @@ struct wpa_driver_associate_params { * 1 = hash-to-element only * 2 = both hunting-and-pecking loop and hash-to-element enabled */ - int sae_pwe; + enum sae_pwe sae_pwe; /** * disable_eht - Disable EHT for this connection @@ -1599,7 +1599,7 @@ struct wpa_driver_ap_params { * 1 = hash-to-element only * 2 = both hunting-and-pecking loop and hash-to-element enabled */ - int sae_pwe; + enum sae_pwe sae_pwe; /** * FILS Discovery frame minimum interval in TUs diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c index ddf61551b..c3e6594f3 100644 --- a/src/drivers/driver_nl80211.c +++ b/src/drivers/driver_nl80211.c @@ -4535,18 +4535,18 @@ static int nl80211_set_multicast_to_unicast(struct i802_bss *bss, #ifdef CONFIG_SAE -static int nl80211_put_sae_pwe(struct nl_msg *msg, int pwe) +static int nl80211_put_sae_pwe(struct nl_msg *msg, enum sae_pwe pwe) { u8 sae_pwe; wpa_printf(MSG_DEBUG, "nl802111: sae_pwe=%d", pwe); - if (pwe == 0) + if (pwe == SAE_PWE_HUNT_AND_PECK) sae_pwe = NL80211_SAE_PWE_HUNT_AND_PECK; - else if (pwe == 1) + else if (pwe == SAE_PWE_HASH_TO_ELEMENT) sae_pwe = NL80211_SAE_PWE_HASH_TO_ELEMENT; - else if (pwe == 2) + else if (pwe == SAE_PWE_BOTH) sae_pwe = NL80211_SAE_PWE_BOTH; - else if (pwe == 3) + else if (pwe == SAE_PWE_FORCE_HUNT_AND_PECK) return 0; /* special test mode */ else return -1; diff --git a/src/rsn_supp/wpa_ft.c b/src/rsn_supp/wpa_ft.c index eca09f7f4..411596ad1 100644 --- a/src/rsn_supp/wpa_ft.c +++ b/src/rsn_supp/wpa_ft.c @@ -340,7 +340,8 @@ static u8 * wpa_ft_gen_req_ies(struct wpa_sm *sm, size_t *len, *pos++ = WLAN_EID_FAST_BSS_TRANSITION; ftie_len = pos++; rsnxe_used = wpa_key_mgmt_sae(sm->key_mgmt) && anonce && - (sm->sae_pwe == 1 || sm->sae_pwe == 2); + (sm->sae_pwe == SAE_PWE_HASH_TO_ELEMENT || + sm->sae_pwe == SAE_PWE_BOTH); #ifdef CONFIG_TESTING_OPTIONS if (anonce && sm->ft_rsnxe_used) { rsnxe_used = sm->ft_rsnxe_used == 1; @@ -1191,7 +1192,8 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies, } own_rsnxe_used = wpa_key_mgmt_sae(sm->key_mgmt) && - (sm->sae_pwe == 1 || sm->sae_pwe == 2); + (sm->sae_pwe == SAE_PWE_HASH_TO_ELEMENT || + sm->sae_pwe == SAE_PWE_BOTH); if ((sm->ap_rsnxe && !parse.rsnxe && own_rsnxe_used) || (!sm->ap_rsnxe && parse.rsnxe) || (sm->ap_rsnxe && parse.rsnxe && diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h index 2eac13358..ed43cc153 100644 --- a/src/rsn_supp/wpa_i.h +++ b/src/rsn_supp/wpa_i.h @@ -106,7 +106,7 @@ struct wpa_sm { int rsn_enabled; /* Whether RSN is enabled in configuration */ int mfp; /* 0 = disabled, 1 = optional, 2 = mandatory */ int ocv; /* Operating Channel Validation */ - int sae_pwe; /* SAE PWE generation options */ + enum sae_pwe sae_pwe; /* SAE PWE generation options */ unsigned int sae_pk:1; /* whether SAE-PK is used */ unsigned int secure_ltf:1; diff --git a/src/rsn_supp/wpa_ie.c b/src/rsn_supp/wpa_ie.c index c4e660f7a..2d7f68e8f 100644 --- a/src/rsn_supp/wpa_ie.c +++ b/src/rsn_supp/wpa_ie.c @@ -362,7 +362,8 @@ int wpa_gen_rsnxe(struct wpa_sm *sm, u8 *rsnxe, size_t rsnxe_len) size_t flen; if (wpa_key_mgmt_sae(sm->key_mgmt) && - (sm->sae_pwe == 1 || sm->sae_pwe == 2 || sm->sae_pk)) { + (sm->sae_pwe == SAE_PWE_HASH_TO_ELEMENT || + sm->sae_pwe == SAE_PWE_BOTH || sm->sae_pk)) { capab |= BIT(WLAN_RSNX_CAPAB_SAE_H2E); #ifdef CONFIG_SAE_PK if (sm->sae_pk) diff --git a/wpa_supplicant/config.h b/wpa_supplicant/config.h index 46b0d1c6f..87cbb1ea2 100644 --- a/wpa_supplicant/config.h +++ b/wpa_supplicant/config.h @@ -1287,7 +1287,7 @@ struct wpa_config { * 1 = hash-to-element only * 2 = both hunting-and-pecking loop and hash-to-element enabled */ - int sae_pwe; + enum sae_pwe sae_pwe; /** * sae_pmkid_in_assoc - Whether to include PMKID in SAE Assoc Req diff --git a/wpa_supplicant/config_ssid.h b/wpa_supplicant/config_ssid.h index 9c9f869a6..b90c4c8f5 100644 --- a/wpa_supplicant/config_ssid.h +++ b/wpa_supplicant/config_ssid.h @@ -47,7 +47,7 @@ #define DEFAULT_MAX_OPER_CHWIDTH -1 /* Consider global sae_pwe for SAE mechanism for PWE derivation */ -#define DEFAULT_SAE_PWE 4 +#define DEFAULT_SAE_PWE SAE_PWE_NOT_SET struct psk_list_entry { struct dl_list list; @@ -1223,7 +1223,7 @@ struct wpa_ssid { * 1 = hash-to-element only * 2 = both hunting-and-pecking loop and hash-to-element enabled */ - int sae_pwe; + enum sae_pwe sae_pwe; /** * disable_eht - Disable EHT (IEEE 802.11be) for this network diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c index 85add06d7..fe8ab50ff 100644 --- a/wpa_supplicant/events.c +++ b/wpa_supplicant/events.c @@ -967,7 +967,8 @@ static int rate_match(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid, #ifdef CONFIG_SAE if (flagged && ((rate_ie[j] & 0x7f) == BSS_MEMBERSHIP_SELECTOR_SAE_H2E_ONLY)) { - if (wpa_s->conf->sae_pwe == 0 && + if (wpa_s->conf->sae_pwe == + SAE_PWE_HUNT_AND_PECK && !ssid->sae_password_id && wpa_key_mgmt_sae(ssid->key_mgmt)) { if (debug_print) @@ -1401,9 +1402,10 @@ static bool wpa_scan_res_ok(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid, #ifdef CONFIG_SAE /* When using SAE Password Identifier and when operationg on the 6 GHz * band, only H2E is allowed. */ - if ((wpa_s->conf->sae_pwe == 1 || is_6ghz_freq(bss->freq) || - ssid->sae_password_id) && - wpa_s->conf->sae_pwe != 3 && wpa_key_mgmt_sae(ssid->key_mgmt) && + if ((wpa_s->conf->sae_pwe == SAE_PWE_HASH_TO_ELEMENT || + is_6ghz_freq(bss->freq) || ssid->sae_password_id) && + wpa_s->conf->sae_pwe != SAE_PWE_FORCE_HUNT_AND_PECK && + wpa_key_mgmt_sae(ssid->key_mgmt) && !(rsnxe_capa & BIT(WLAN_RSNX_CAPAB_SAE_H2E))) { if (debug_print) wpa_dbg(wpa_s, MSG_DEBUG, diff --git a/wpa_supplicant/p2p_supplicant.c b/wpa_supplicant/p2p_supplicant.c index a943174f6..4ef354b69 100644 --- a/wpa_supplicant/p2p_supplicant.c +++ b/wpa_supplicant/p2p_supplicant.c @@ -2103,7 +2103,7 @@ static void wpas_start_wps_go(struct wpa_supplicant *wpa_s, ssid->auth_alg |= WPA_AUTH_ALG_SAE; ssid->key_mgmt = WPA_KEY_MGMT_SAE; ssid->ieee80211w = MGMT_FRAME_PROTECTION_REQUIRED; - ssid->sae_pwe = 1; + ssid->sae_pwe = SAE_PWE_HASH_TO_ELEMENT; wpa_dbg(wpa_s, MSG_DEBUG, "P2P: Use SAE auth_alg and key_mgmt"); } else { p2p_set_6ghz_dev_capab(wpa_s->global->p2p, false); diff --git a/wpa_supplicant/sme.c b/wpa_supplicant/sme.c index 5698b3da8..73a04bba8 100644 --- a/wpa_supplicant/sme.c +++ b/wpa_supplicant/sme.c @@ -186,10 +186,11 @@ static struct wpabuf * sme_auth_build_sae_commit(struct wpa_supplicant *wpa_s, rsnxe_capa = rsnxe[2]; } - if (ssid->sae_password_id && wpa_s->conf->sae_pwe != 3) + if (ssid->sae_password_id && + wpa_s->conf->sae_pwe != SAE_PWE_FORCE_HUNT_AND_PECK) use_pt = 1; if (wpa_key_mgmt_sae_ext_key(wpa_s->key_mgmt) && - wpa_s->conf->sae_pwe != 3) + wpa_s->conf->sae_pwe != SAE_PWE_FORCE_HUNT_AND_PECK) use_pt = 1; #ifdef CONFIG_SAE_PK if ((rsnxe_capa & BIT(WLAN_RSNX_CAPAB_SAE_PK)) && @@ -209,12 +210,14 @@ static struct wpabuf * sme_auth_build_sae_commit(struct wpa_supplicant *wpa_s, } #endif /* CONFIG_SAE_PK */ - if (use_pt || wpa_s->conf->sae_pwe == 1 || wpa_s->conf->sae_pwe == 2) { + if (use_pt || wpa_s->conf->sae_pwe == SAE_PWE_HASH_TO_ELEMENT || + wpa_s->conf->sae_pwe == SAE_PWE_BOTH) { use_pt = !!(rsnxe_capa & BIT(WLAN_RSNX_CAPAB_SAE_H2E)); - if ((wpa_s->conf->sae_pwe == 1 || ssid->sae_password_id || + if ((wpa_s->conf->sae_pwe == SAE_PWE_HASH_TO_ELEMENT || + ssid->sae_password_id || wpa_key_mgmt_sae_ext_key(wpa_s->key_mgmt)) && - wpa_s->conf->sae_pwe != 3 && + wpa_s->conf->sae_pwe != SAE_PWE_FORCE_HUNT_AND_PECK && !use_pt) { wpa_printf(MSG_DEBUG, "SAE: Cannot use H2E with the selected AP"); diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c index a28e90e9e..fa91648d0 100644 --- a/wpa_supplicant/wpa_supplicant.c +++ b/wpa_supplicant/wpa_supplicant.c @@ -1535,7 +1535,8 @@ static void wpas_update_allowed_key_mgmt(struct wpa_supplicant *wpa_s, return; } - if (wpa_s->conf->sae_pwe) + if (wpa_s->conf->sae_pwe != SAE_PWE_HUNT_AND_PECK && + wpa_s->conf->sae_pwe != SAE_PWE_FORCE_HUNT_AND_PECK) capab |= BIT(WLAN_RSNX_CAPAB_SAE_H2E); #ifdef CONFIG_SAE_PK if (ssid->sae_pk) @@ -1578,7 +1579,8 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s, bool skip_default_rsne) { struct wpa_ie_data ie; - int sel, proto, sae_pwe; + int sel, proto; + enum sae_pwe sae_pwe; const u8 *bss_wpa, *bss_rsn, *bss_rsnx, *bss_osen; if (bss) { @@ -1912,12 +1914,13 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s, sae_pwe = wpa_s->conf->sae_pwe; if ((ssid->sae_password_id || wpa_key_mgmt_sae_ext_key(wpa_s->key_mgmt)) && - sae_pwe != 3) - sae_pwe = 1; - if (bss && is_6ghz_freq(bss->freq) && sae_pwe == 0) { + sae_pwe != SAE_PWE_FORCE_HUNT_AND_PECK) + sae_pwe = SAE_PWE_HASH_TO_ELEMENT; + if (bss && is_6ghz_freq(bss->freq) && + sae_pwe == SAE_PWE_HUNT_AND_PECK) { wpa_dbg(wpa_s, MSG_DEBUG, "RSN: Enable SAE hash-to-element mode for 6 GHz BSS"); - sae_pwe = 2; + sae_pwe = SAE_PWE_BOTH; } wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_SAE_PWE, sae_pwe); #ifdef CONFIG_SAE_PK @@ -2316,10 +2319,10 @@ void wpa_s_setup_sae_pt(struct wpa_config *conf, struct wpa_ssid *ssid) password = ssid->passphrase; if (!password || - (conf->sae_pwe == 0 && !ssid->sae_password_id && + (conf->sae_pwe == SAE_PWE_HUNT_AND_PECK && !ssid->sae_password_id && !wpa_key_mgmt_sae_ext_key(ssid->key_mgmt) && !sae_pk_valid_password(password)) || - conf->sae_pwe == 3) { + conf->sae_pwe == SAE_PWE_FORCE_HUNT_AND_PECK) { /* PT derivation not needed */ sae_deinit_pt(ssid->pt); ssid->pt = NULL;