From e81ec0962d02ced1727fe0097b2545cefaa5ab92 Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Sun, 24 Jul 2022 22:20:58 +0300 Subject: [PATCH] SAE: Use H2E unconditionally with the new AKM suites The new SAE AKM suites are defined to use H2E, so ignore the sae_pwe value when these AKM suites are used similarly to the way H2E gets enabled when SAE Password Identifiers are used. Signed-off-by: Jouni Malinen --- src/ap/ap_config.c | 1 + src/ap/ieee802_11.c | 4 ++++ src/ap/ieee802_11_shared.c | 3 ++- src/ap/wpa_auth_ie.c | 3 ++- wpa_supplicant/sme.c | 6 +++++- wpa_supplicant/wpa_supplicant.c | 5 ++++- 6 files changed, 18 insertions(+), 4 deletions(-) diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c index 63af3d047..d2d8b95f9 100644 --- a/src/ap/ap_config.c +++ b/src/ap/ap_config.c @@ -480,6 +480,7 @@ int hostapd_setup_sae_pt(struct hostapd_bss_config *conf) struct sae_password_entry *pw; if ((conf->sae_pwe == 0 && !hostapd_sae_pw_id_in_use(conf) && + !wpa_key_mgmt_sae_ext_key(conf->wpa_key_mgmt) && !hostapd_sae_pk_in_use(conf)) || conf->sae_pwe == 3 || !wpa_key_mgmt_sae(conf->wpa_key_mgmt)) diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c index 639d21d12..e9288bed9 100644 --- a/src/ap/ieee802_11.c +++ b/src/ap/ieee802_11.c @@ -1234,6 +1234,10 @@ static int sae_status_success(struct hostapd_data *hapd, u16 status_code) if (sae_pwe == 0 && sae_pk) sae_pwe = 2; #endif /* CONFIG_SAE_PK */ + if (sae_pwe == 0 && + (hapd->conf->wpa_key_mgmt & + (WPA_KEY_MGMT_SAE_EXT_KEY | WPA_KEY_MGMT_FT_SAE_EXT_KEY))) + sae_pwe = 2; return ((sae_pwe == 0 || sae_pwe == 3) && status_code == WLAN_STATUS_SUCCESS) || diff --git a/src/ap/ieee802_11_shared.c b/src/ap/ieee802_11_shared.c index 74c8d4439..72f59113f 100644 --- a/src/ap/ieee802_11_shared.c +++ b/src/ap/ieee802_11_shared.c 
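Review bot: The new sae_pwe override in sae_status_success() spells out `WPA_KEY_MGMT_SAE_EXT_KEY | WPA_KEY_MGMT_FT_SAE_EXT_KEY` by hand, while every other hunk in this patch goes through `wpa_key_mgmt_sae_ext_key()`; if that helper ever grows another SAE-EXT-KEY AKM, this check would be the one place left behind, and with sae_pwe still 0 the visible return expression keeps accepting a loop-based commit with `WLAN_STATUS_SUCCESS` for that AKM. `if (sae_pwe == 0 && wpa_key_mgmt_sae_ext_key(hapd->conf->wpa_key_mgmt)) sae_pwe = 2;` keeps the call sites in step. The decision is also made from the BSS-wide hapd->conf->wpa_key_mgmt rather than the peer's AKM — presumably because the AKM is not yet known when the SAE Commit arrives — so on a BSS configured with both SAE and SAE-EXT-KEY the override applies to every STA; a one-line comment such as `/* AKM is not known at Commit time; decide per BSS, not per STA */` would spare the next reader that reasoning. sae_status_success()'s return expression continues past the hunk.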
@@ -1064,7 +1064,8 @@ u8 * hostapd_eid_rsnxe(struct hostapd_data *hapd, u8 *eid, size_t len) if (wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt) && (hapd->conf->sae_pwe == 1 || hapd->conf->sae_pwe == 2 || - hostapd_sae_pw_id_in_use(hapd->conf) || sae_pk) && + hostapd_sae_pw_id_in_use(hapd->conf) || sae_pk || + wpa_key_mgmt_sae_ext_key(hapd->conf->wpa_key_mgmt)) && hapd->conf->sae_pwe != 3) { capab |= BIT(WLAN_RSNX_CAPAB_SAE_H2E); #ifdef CONFIG_SAE_PK diff --git a/src/ap/wpa_auth_ie.c b/src/ap/wpa_auth_ie.c index ee7383c51..1c8affa9b 100644 --- a/src/ap/wpa_auth_ie.c +++ b/src/ap/wpa_auth_ie.c @@ -405,7 +405,8 @@ int wpa_write_rsnxe(struct wpa_auth_config *conf, u8 *buf, size_t len) size_t flen; if (wpa_key_mgmt_sae(conf->wpa_key_mgmt) && - (conf->sae_pwe == 1 || conf->sae_pwe == 2 || conf->sae_pk)) { + (conf->sae_pwe == 1 || conf->sae_pwe == 2 || conf->sae_pk || + wpa_key_mgmt_sae_ext_key(conf->wpa_key_mgmt))) { capab |= BIT(WLAN_RSNX_CAPAB_SAE_H2E); #ifdef CONFIG_SAE_PK if (conf->sae_pk) diff --git a/wpa_supplicant/sme.c b/wpa_supplicant/sme.c index f8de1628b..2dad36ddc 100644 --- a/wpa_supplicant/sme.c +++ b/wpa_supplicant/sme.c @@ -154,6 +154,9 @@ static struct wpabuf * sme_auth_build_sae_commit(struct wpa_supplicant *wpa_s, if (ssid->sae_password_id && wpa_s->conf->sae_pwe != 3) use_pt = 1; + if (wpa_key_mgmt_sae_ext_key(wpa_s->key_mgmt) && + wpa_s->conf->sae_pwe != 3) + use_pt = 1; #ifdef CONFIG_SAE_PK if ((rsnxe_capa & BIT(WLAN_RSNX_CAPAB_SAE_PK)) && ssid->sae_pk != SAE_PK_MODE_DISABLED && @@ -175,7 +178,8 @@ static struct wpabuf * sme_auth_build_sae_commit(struct wpa_supplicant *wpa_s, if (use_pt || wpa_s->conf->sae_pwe == 1 || wpa_s->conf->sae_pwe == 2) { use_pt = !!(rsnxe_capa & BIT(WLAN_RSNX_CAPAB_SAE_H2E)); - if ((wpa_s->conf->sae_pwe == 1 || ssid->sae_password_id) && + if ((wpa_s->conf->sae_pwe == 1 || ssid->sae_password_id || + wpa_key_mgmt_sae_ext_key(wpa_s->key_mgmt)) && wpa_s->conf->sae_pwe != 3 && !use_pt) { wpa_printf(MSG_DEBUG, 
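Review bot: wpa_write_rsnxe() now advertises the H2E capability for the SAE-EXT-KEY AKMs without the `conf->sae_pwe != 3` guard that the parallel change in hostapd_eid_rsnxe() keeps, so with sae_pwe=3 the two RSNXE writers in this patch describe the same BSS differently. The new term should carry the same condition as its hostapd_eid_rsnxe() twin, e.g. `(conf->sae_pwe == 1 || conf->sae_pwe == 2 || conf->sae_pk ||` / ` (wpa_key_mgmt_sae_ext_key(conf->wpa_key_mgmt) && conf->sae_pwe != 3)))`. The existing `conf->sae_pk` term has the same gap, but that predates this patch and is not something it changes. wpa_write_rsnxe()'s body continues beyond the hunk.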
diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c index 0f35f491a..3130653ca 100644 --- a/wpa_supplicant/wpa_supplicant.c +++ b/wpa_supplicant/wpa_supplicant.c @@ -1687,7 +1687,9 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s, wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_OCV, ssid->ocv); #endif /* CONFIG_OCV */ sae_pwe = wpa_s->conf->sae_pwe; - if (ssid->sae_password_id && sae_pwe != 3) + if ((ssid->sae_password_id || + wpa_key_mgmt_sae_ext_key(wpa_s->key_mgmt)) && + sae_pwe != 3) sae_pwe = 1; wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_SAE_PWE, sae_pwe); #ifdef CONFIG_SAE_PK @@ -2159,6 +2161,7 @@ static void wpa_s_setup_sae_pt(struct wpa_config *conf, struct wpa_ssid *ssid) if (!password || (conf->sae_pwe == 0 && !ssid->sae_password_id && + !wpa_key_mgmt_sae_ext_key(ssid->key_mgmt) & !sae_pk_valid_password(password)) || conf->sae_pwe == 3) { /* PT derivation not needed */
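Review bot: In wpa_supplicant_set_suites() the SAE-EXT-KEY case folds into the existing password-identifier branch and sets `sae_pwe = 1` (H2E only), whereas the hostapd-side change in sae_status_success() sets 2 (both); the asymmetry is reasonable because the supplicant knows the AKM it selected while the AP does not, but nothing at this site says so. A short comment on the changed condition, such as `/* Password Identifiers and the SAE-EXT-KEY AKMs mandate H2E; sae_pwe=3 is the explicit test override */`, would record why the configured sae_pwe is overridden here. The function continues on both sides of the hunk.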
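Review bot: The line added to wpa_s_setup_sae_pt() ends in a single `&` — `!wpa_key_mgmt_sae_ext_key(ssid->key_mgmt) & !sae_pk_valid_password(password)` — while the rest of the condition uses `&&`. Because both operands are `!`-normalized to 0 or 1 the bitwise result happens to equal the logical one, so PT derivation is still skipped only in the intended case, but the short-circuit is lost (sae_pk_valid_password() now runs even for SAE-EXT-KEY networks) and the next edit to this expression may not preserve the 0/1 property the correctness silently relies on. Change it to `!wpa_key_mgmt_sae_ext_key(ssid->key_mgmt) &&`. The function continues past the hunk on both sides.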