SAE-PK: Transition mode disabled indication processing

Allow AP to disable transition mode for SAE-PK (i.e., prevent SAE authentication without SAE-PK). Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-06 12:06:59 +03:00 · 2020-06-06 12:06:59 +03:00 · 8d1cbaaff7
commit 8d1cbaaff7
parent 7937160d24
1 changed files with 19 additions and 0 deletions
--- a/wpa_supplicant/wpas_glue.c
+++ b/wpa_supplicant/wpas_glue.c
@ -1268,6 +1268,7 @@ static void wpa_supplicant_transition_disable(void *_wpa_s, u8 bitmap)
 	if (!ssid)
 		return;

+#ifdef CONFIG_SAE
 	if ((bitmap & TRANSITION_DISABLE_WPA3_PERSONAL) &&
 	    wpa_key_mgmt_sae(wpa_s->key_mgmt) &&
 	    (ssid->key_mgmt & (WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_FT_SAE)) &&
@ -1279,6 +1280,24 @@ static void wpa_supplicant_transition_disable(void *_wpa_s, u8 bitmap)
 		changed = 1;
 	}

+	if ((bitmap & TRANSITION_DISABLE_SAE_PK) &&
+	    wpa_key_mgmt_sae(wpa_s->key_mgmt) &&
+#ifdef CONFIG_SME
+	    wpa_s->sme.sae.state == SAE_ACCEPTED &&
+	    wpa_s->sme.sae.pk &&
+#endif /* CONFIG_SME */
+	    (ssid->key_mgmt & (WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_FT_SAE)) &&
+	    (!ssid->sae_pk_only ||
+	     ssid->ieee80211w != MGMT_FRAME_PROTECTION_REQUIRED ||
+	     (ssid->group_cipher & WPA_CIPHER_TKIP))) {
+		wpa_printf(MSG_DEBUG,
+			   "SAE-PK: SAE authentication without PK disabled based on AP notification");
+		disable_wpa_wpa2(ssid);
+		ssid->sae_pk_only = 1;
+		changed = 1;
+	}
+#endif /* CONFIG_SAE */
+
 	if ((bitmap & TRANSITION_DISABLE_WPA3_ENTERPRISE) &&
 	    wpa_key_mgmt_wpa_ieee8021x(wpa_s->key_mgmt) &&
 	    (ssid->key_mgmt & (WPA_KEY_MGMT_IEEE8021X |