SAE-PK: Allow automatic SAE-PK to be disabled

This replaces the previously used sae_pk_only configuration parameter with a more generic sae_pk that can be used to specify how SAE-PK is negotiated. The default behavior (sae_pk=0) is to automatically negotiate SAE-PK whenever the AP supports it and the password is in appropriate format. sae_pk=1 allows only SAE-PK to be used and sae_pk=2 disables SAE-PK completely. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-07 11:53:26 +03:00 · 2020-06-07 11:53:26 +03:00 · 9ad010c290
commit 9ad010c290
parent 85ca13ebcf
7 changed files with 27 additions and 16 deletions
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@ -2582,7 +2582,7 @@ static const struct parse_data ssid_fields[] = {
 	{ INT_RANGE(ft_eap_pmksa_caching, 0, 1) },
 	{ INT_RANGE(beacon_prot, 0, 1) },
 	{ INT_RANGE(transition_disable, 0, 255) },
-	{ INT_RANGE(sae_pk_only, 0, 1) },
+	{ INT_RANGE(sae_pk, 0, 2) },
 };

 #undef OFFSET
--- a/wpa_supplicant/config_file.c
+++ b/wpa_supplicant/config_file.c
@ -937,7 +937,7 @@ static void wpa_config_write_network(FILE *f, struct wpa_ssid *ssid)
 	INT(ft_eap_pmksa_caching);
 	INT(beacon_prot);
 	INT(transition_disable);
-	INT(sae_pk_only);
+	INT(sae_pk);
 #ifdef CONFIG_HT_OVERRIDES
 	INT_DEF(disable_ht, DEFAULT_DISABLE_HT);
 	INT_DEF(disable_ht40, DEFAULT_DISABLE_HT40);
--- a/wpa_supplicant/config_ssid.h
+++ b/wpa_supplicant/config_ssid.h
@ -62,6 +62,12 @@ enum wpas_mode {
 	WPAS_MODE_MESH = 5,
 };

+enum sae_pk_mode {
+	SAE_PK_MODE_AUTOMATIC = 0,
+	SAE_PK_MODE_ONLY = 1,
+	SAE_PK_MODE_DISABLED = 2,
+};
+
 /**
 * struct wpa_ssid - Network configuration data
 *
@ -1123,13 +1129,14 @@ struct wpa_ssid {
 	u8 transition_disable;

 	/**
-	 * sae_pk_only - SAE-PK only mode (disable transition mode)
-	 *
-	 * 0 = enable transition mode (allow SAE authentication without SAE-PK)
-	 * 1 = disable transition mode (allow SAE authentication only with
-	 * SAE-PK)
+	 * sae_pk - SAE-PK mode
+	 * 0 = automatic SAE/SAE-PK selection based on password; enable
+	 * transition mode (allow SAE authentication without SAE-PK)
+	 * 1 = SAE-PK only (disable transition mode; allow SAE authentication
+	 * only with SAE-PK)
+	 * 2 = disable SAE-PK (allow SAE authentication only without SAE-PK)
 	 */
-	int sae_pk_only;
+	enum sae_pk_mode sae_pk;
 };

 #endif /* CONFIG_SSID_H */
--- a/wpa_supplicant/events.c
+++ b/wpa_supplicant/events.c
@ -1367,7 +1367,7 @@ struct wpa_ssid * wpa_scan_res_match(struct wpa_supplicant *wpa_s,
 #endif /* CONFIG_SAE */

 #ifdef CONFIG_SAE_PK
-		if (ssid->sae_pk_only &&
+		if (ssid->sae_pk == SAE_PK_MODE_ONLY &&
 		    !(rsnxe_capa & BIT(WLAN_RSNX_CAPAB_SAE_PK))) {
 			if (debug_print)
 				wpa_dbg(wpa_s, MSG_DEBUG,
--- a/wpa_supplicant/sme.c
+++ b/wpa_supplicant/sme.c
@ -150,12 +150,13 @@ static struct wpabuf * sme_auth_build_sae_commit(struct wpa_supplicant *wpa_s,
 		use_pt = 1;
 #ifdef CONFIG_SAE_PK
 	if ((rsnxe_capa & BIT(WLAN_RSNX_CAPAB_SAE_PK)) &&
+	    ssid->sae_pk != SAE_PK_MODE_DISABLED &&
 	    ssid->sae_password && sae_pk_valid_password(ssid->sae_password)) {
 		use_pt = 1;
 		use_pk = true;
 	}

-	if (ssid->sae_pk_only && !use_pk) {
+	if (ssid->sae_pk == SAE_PK_MODE_ONLY && !use_pk) {
 		wpa_printf(MSG_DEBUG,
 			   "SAE: Cannot use PK with the selected AP");
 		return NULL;
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@ -1516,10 +1516,13 @@ fast_reauth=1
 # bit 3 (0x08): Enhanced Open (disable use of open network; require
 #	OWE)

-# SAE-PK only mode (disable transition mode)
-# 0: enable transition mode (allow SAE authentication without SAE-PK)
-# 1: disable transition mode (allow SAE authentication only with SAE-PK)
-#sae_pk_only=0
+# SAE-PK mode
+# 0: automatic SAE/SAE-PK selection based on password; enable
+#    transition mode (allow SAE authentication without SAE-PK)
+# 1: SAE-PK only (disable transition mode; allow SAE authentication
+#    only with SAE-PK)
+# 2: disable SAE-PK (allow SAE authentication only without SAE-PK)
+#sae_pk=0

 # MAC address policy
 # 0 = use permanent MAC address
--- a/wpa_supplicant/wpas_glue.c
+++ b/wpa_supplicant/wpas_glue.c
@ -1301,13 +1301,13 @@ static void wpa_supplicant_transition_disable(void *_wpa_s, u8 bitmap)
 	    wpa_s->sme.sae.pk &&
 #endif /* CONFIG_SME */
 	    (ssid->key_mgmt & (WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_FT_SAE)) &&
-	    (!ssid->sae_pk_only ||
+	    (ssid->sae_pk != SAE_PK_MODE_ONLY ||
 	     ssid->ieee80211w != MGMT_FRAME_PROTECTION_REQUIRED ||
 	     (ssid->group_cipher & WPA_CIPHER_TKIP))) {
 		wpa_printf(MSG_DEBUG,
 			   "SAE-PK: SAE authentication without PK disabled based on AP notification");
 		disable_wpa_wpa2(ssid);
-		ssid->sae_pk_only = 1;
+		ssid->sae_pk = SAE_PK_MODE_ONLY;
 		changed = 1;
 	}
 #endif /* CONFIG_SAE */