SAE-PK: Allow SAE authentication without PK to be disabled

The new wpa_supplicant network profile parameter sae_pk_only=1 can now
be used to disable use of SAE authentication without SAE-PK.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

wpa_supplicant/config.c

@@ -2582,6 +2582,7 @@ static const struct parse_data ssid_fields[] = {
 	{ INT_RANGE(ft_eap_pmksa_caching, 0, 1) },
 	{ INT_RANGE(beacon_prot, 0, 1) },
 	{ INT_RANGE(transition_disable, 0, 255) },
+	{ INT_RANGE(sae_pk_only, 0, 1) },
 };
 
 #undef OFFSET

wpa_supplicant/config_file.c

@@ -937,6 +937,7 @@ static void wpa_config_write_network(FILE *f, struct wpa_ssid *ssid)
 	INT(ft_eap_pmksa_caching);
 	INT(beacon_prot);
 	INT(transition_disable);
+	INT(sae_pk_only);
 #ifdef CONFIG_HT_OVERRIDES
 	INT_DEF(disable_ht, DEFAULT_DISABLE_HT);
 	INT_DEF(disable_ht40, DEFAULT_DISABLE_HT40);

wpa_supplicant/config_ssid.h

@@ -1121,6 +1121,15 @@ struct wpa_ssid {
 	 *	OWE)
 	 */
 	u8 transition_disable;
+
+	/**
+	 * sae_pk_only - SAE-PK only mode (disable transition mode)
+	 *
+	 * 0 = enable transition mode (allow SAE authentication without SAE-PK)
+	 * 1 = disable transition mode (allow SAE authentication only with
+	 * SAE-PK)
+	 */
+	int sae_pk_only;
 };
 
 #endif /* CONFIG_SSID_H */

wpa_supplicant/events.c

@@ -1094,6 +1094,9 @@ struct wpa_ssid * wpa_scan_res_match(struct wpa_supplicant *wpa_s,
 	const u8 *ie;
 	struct wpa_ssid *ssid;
 	int osen, rsn_osen = 0;
+#ifdef CONFIG_SAE
+	u8 rsnxe_capa = 0;
+#endif /* CONFIG_SAE */
 #ifdef CONFIG_MBO
 	const u8 *assoc_disallow;
 #endif /* CONFIG_MBO */
@@ -1113,6 +1116,12 @@ struct wpa_ssid * wpa_scan_res_match(struct wpa_supplicant *wpa_s,
 	ie = wpa_bss_get_vendor_ie(bss, OSEN_IE_VENDOR_TYPE);
 	osen = ie != NULL;
 
+#ifdef CONFIG_SAE
+	ie = wpa_bss_get_ie(bss, WLAN_EID_RSNX);
+	if (ie && ie[1] >= 1)
+		rsnxe_capa = ie[2];
+#endif /* CONFIG_SAE */
+
 	if (debug_print) {
 		wpa_dbg(wpa_s, MSG_DEBUG, "%d: " MACSTR
 			" ssid='%s' wpa_ie_len=%u rsn_ie_len=%u caps=0x%x level=%d freq=%d %s%s%s",
@@ -1349,9 +1358,7 @@ struct wpa_ssid * wpa_scan_res_match(struct wpa_supplicant *wpa_s,
 		if ((wpa_s->conf->sae_pwe == 1 || ssid->sae_password_id) &&
 		    wpa_s->conf->sae_pwe != 3 &&
 		    wpa_key_mgmt_sae(ssid->key_mgmt) &&
-		    (!(ie = wpa_bss_get_ie(bss, WLAN_EID_RSNX)) ||
-		     ie[1] < 1 ||
-		     !(ie[2] & BIT(WLAN_RSNX_CAPAB_SAE_H2E)))) {
+		    !(rsnxe_capa & BIT(WLAN_RSNX_CAPAB_SAE_H2E))) {
 			if (debug_print)
 				wpa_dbg(wpa_s, MSG_DEBUG,
 					"   skip - SAE H2E required, but not supported by the AP");
@@ -1359,6 +1366,16 @@ struct wpa_ssid * wpa_scan_res_match(struct wpa_supplicant *wpa_s,
 		}
 #endif /* CONFIG_SAE */
 
+#ifdef CONFIG_SAE_PK
+		if (ssid->sae_pk_only &&
+		    !(rsnxe_capa & BIT(WLAN_RSNX_CAPAB_SAE_PK))) {
+			if (debug_print)
+				wpa_dbg(wpa_s, MSG_DEBUG,
+					"   skip - SAE-PK required, but not supported by the AP");
+			continue;
+		}
+#endif /* CONFIG_SAE_PK */
+
 #ifndef CONFIG_IBSS_RSN
 		if (ssid->mode == WPAS_MODE_IBSS &&
 		    !(ssid->key_mgmt & (WPA_KEY_MGMT_NONE |

wpa_supplicant/sme.c

@@ -154,6 +154,12 @@ static struct wpabuf * sme_auth_build_sae_commit(struct wpa_supplicant *wpa_s,
 		use_pt = 1;
 		use_pk = true;
 	}
+
+	if (ssid->sae_pk_only && !use_pk) {
+		wpa_printf(MSG_DEBUG,
+			   "SAE: Cannot use PK with the selected AP");
+		return NULL;
+	}
 #endif /* CONFIG_SAE_PK */
 
 	if (use_pt || wpa_s->conf->sae_pwe == 1 || wpa_s->conf->sae_pwe == 2) {

wpa_supplicant/wpa_supplicant.conf

@@ -1472,6 +1472,11 @@ fast_reauth=1
 # 2: do not allow PFS to be used
 #dpp_pfs=0
 
+# SAE-PK only mode (disable transition mode)
+# 0: enable transition mode (allow SAE authentication without SAE-PK)
+# 1: disable transition mode (allow SAE authentication only with SAE-PK)
+#sae_pk_only=0
+
 # MAC address policy
 # 0 = use permanent MAC address
 # 1 = use random MAC address for each ESS connection