From 9ad010c2908fab6ce6b8ffed449f3cec24172cce Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sun, 7 Jun 2020 11:53:26 +0300
Subject: [PATCH] SAE-PK: Allow automatic SAE-PK to be disabled

This replaces the previously used sae_pk_only configuration parameter with a more generic sae_pk that can be used to specify how SAE-PK is negotiated. The default behavior (sae_pk=0) is to automatically negotiate SAE-PK whenever the AP supports it and the password is in appropriate format. sae_pk=1 allows only SAE-PK to be used and sae_pk=2 disables SAE-PK completely.

Signed-off-by: Jouni Malinen
---
 wpa_supplicant/config.c | 2 +-
 wpa_supplicant/config_file.c | 2 +-
 wpa_supplicant/config_ssid.h | 19 +++++++++++++------
 wpa_supplicant/events.c | 2 +-
 wpa_supplicant/sme.c | 3 ++-
 wpa_supplicant/wpa_supplicant.conf | 11 +++++++----
 wpa_supplicant/wpas_glue.c | 4 ++--
 7 files changed, 27 insertions(+), 16 deletions(-)

diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
index 86373ad05..a9726e2d6 100644
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -2582,7 +2582,7 @@ static const struct parse_data ssid_fields[] = {
 { INT_RANGE(ft_eap_pmksa_caching, 0, 1) },
 { INT_RANGE(beacon_prot, 0, 1) },
 { INT_RANGE(transition_disable, 0, 255) },
- { INT_RANGE(sae_pk_only, 0, 1) },
+ { INT_RANGE(sae_pk, 0, 2) },
 };
 
 #undef OFFSET
diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c
index 9a1c39cc7..1ca254813 100644
--- a/wpa_supplicant/config_file.c
+++ b/wpa_supplicant/config_file.c
@@ -937,7 +937,7 @@ static void wpa_config_write_network(FILE *f, struct wpa_ssid *ssid)
 INT(ft_eap_pmksa_caching);
 INT(beacon_prot);
 INT(transition_disable);
- INT(sae_pk_only);
+ INT(sae_pk);
 #ifdef CONFIG_HT_OVERRIDES
 INT_DEF(disable_ht, DEFAULT_DISABLE_HT);
 INT_DEF(disable_ht40, DEFAULT_DISABLE_HT40);
diff --git a/wpa_supplicant/config_ssid.h b/wpa_supplicant/config_ssid.h
index 730282f3b..2c08c0218 100644
--- a/wpa_supplicant/config_ssid.h
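Review bot: The `sae_pk_only` entry is removed from ssid_fields rather than kept as a deprecated alias, so a network block that still contains `sae_pk_only=1` will presumably hit the unknown-field path of the field lookup in config.c and the whole configuration fails to load; a user who relied on that setting for SAE-PK-only enforcement loses the network entirely instead of being carried over. If `sae_pk_only` has reached any release, a small alias parser that maps 0/1 onto `SAE_PK_MODE_AUTOMATIC`/`SAE_PK_MODE_ONLY` in `sae_pk` and logs a deprecation message would keep those configurations loading. The same rename applies to the config_file.c writer hunk below, where `INT(sae_pk)` now emits a key that builds predating this change will reject. The field is also now an `enum sae_pk_mode` stored through INT_RANGE's int-typed write, which appears to follow the existing handling of `mode`, but a one-line comment at the table entry, `/* enum sae_pk_mode; stored via the int parser like mode */`, would make that dependency visible.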
+++ b/wpa_supplicant/config_ssid.h
@@ -62,6 +62,12 @@ enum wpas_mode {
 WPAS_MODE_MESH = 5,
 };
 
+enum sae_pk_mode {
+ SAE_PK_MODE_AUTOMATIC = 0,
+ SAE_PK_MODE_ONLY = 1,
+ SAE_PK_MODE_DISABLED = 2,
+};
+
 /**
 * struct wpa_ssid - Network configuration data
 *
@@ -1123,13 +1129,14 @@ struct wpa_ssid {
 u8 transition_disable;
 
 /**
- * sae_pk_only - SAE-PK only mode (disable transition mode)
- *
- * 0 = enable transition mode (allow SAE authentication without SAE-PK)
- * 1 = disable transition mode (allow SAE authentication only with
- * SAE-PK)
+ * sae_pk - SAE-PK mode
+ * 0 = automatic SAE/SAE-PK selection based on password; enable
+ * transition mode (allow SAE authentication without SAE-PK)
+ * 1 = SAE-PK only (disable transition mode; allow SAE authentication
+ * only with SAE-PK)
+ * 2 = disable SAE-PK (allow SAE authentication only without SAE-PK)
 */
- int sae_pk_only;
+ enum sae_pk_mode sae_pk;
 };
 
 #endif /* CONFIG_SSID_H */
diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c
index dd83ddce2..99940d95c 100644
--- a/wpa_supplicant/events.c
+++ b/wpa_supplicant/events.c
@@ -1367,7 +1367,7 @@ struct wpa_ssid * wpa_scan_res_match(struct wpa_supplicant *wpa_s,
 #endif /* CONFIG_SAE */
 
 #ifdef CONFIG_SAE_PK
- if (ssid->sae_pk_only &&
+ if (ssid->sae_pk == SAE_PK_MODE_ONLY &&
 !(rsnxe_capa & BIT(WLAN_RSNX_CAPAB_SAE_PK))) {
 if (debug_print)
 wpa_dbg(wpa_s, MSG_DEBUG,
diff --git a/wpa_supplicant/sme.c b/wpa_supplicant/sme.c
index fa18f9893..f45bab27a 100644
--- a/wpa_supplicant/sme.c
+++ b/wpa_supplicant/sme.c
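Review bot: The new kernel-doc text for `sae_pk` in the second config_ssid.h hunk drops the blank ` *` separator line between the title and the value list that the removed block used, and it leaves the security consequence of the default implicit: in mode 0 an AP that does not advertise SAE-PK is still accepted (the events.c hunk only rejects such APs for `SAE_PK_MODE_ONLY`), so the SAE-PK fingerprint check gives no downgrade protection until the mode becomes 1, either by configuration or by the AP's transition-disable indication handled in wpas_glue.c. I would restore the separator and add after the `0 =` entry: ` * (no protection against an AP omitting SAE-PK support; use 1 to enforce it)`. The `enum sae_pk_mode` declaration itself could carry a one-line comment naming the configuration parameter it backs, `/* values of the sae_pk network parameter */`, since the enum and the field are 1000 lines apart.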
@@ -150,12 +150,13 @@ static struct wpabuf * sme_auth_build_sae_commit(struct wpa_supplicant *wpa_s,
 use_pt = 1;
 #ifdef CONFIG_SAE_PK
 if ((rsnxe_capa & BIT(WLAN_RSNX_CAPAB_SAE_PK)) &&
+ ssid->sae_pk != SAE_PK_MODE_DISABLED &&
 ssid->sae_password && sae_pk_valid_password(ssid->sae_password)) {
 use_pt = 1;
 use_pk = true;
 }
 
- if (ssid->sae_pk_only && !use_pk) {
+ if (ssid->sae_pk == SAE_PK_MODE_ONLY && !use_pk) {
 wpa_printf(MSG_DEBUG,
 "SAE: Cannot use PK with the selected AP");
 return NULL;
diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
index bf8a6dd5a..125083414 100644
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -1516,10 +1516,13 @@ fast_reauth=1
 # bit 3 (0x08): Enhanced Open (disable use of open network; require
 # OWE)
 
-# SAE-PK only mode (disable transition mode)
-# 0: enable transition mode (allow SAE authentication without SAE-PK)
-# 1: disable transition mode (allow SAE authentication only with SAE-PK)
-#sae_pk_only=0
+# SAE-PK mode
+# 0: automatic SAE/SAE-PK selection based on password; enable
+# transition mode (allow SAE authentication without SAE-PK)
+# 1: SAE-PK only (disable transition mode; allow SAE authentication
+# only with SAE-PK)
+# 2: disable SAE-PK (allow SAE authentication only without SAE-PK)
+#sae_pk=0
 
 # MAC address policy
 # 0 = use permanent MAC address
diff --git a/wpa_supplicant/wpas_glue.c b/wpa_supplicant/wpas_glue.c
index bafcb00e0..a9a66baad 100644
--- a/wpa_supplicant/wpas_glue.c
+++ b/wpa_supplicant/wpas_glue.c
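Review bot: In the sme.c hunk the `if (ssid->sae_pk == SAE_PK_MODE_ONLY && !use_pk)` branch reports two distinct failures with one message: the AP not advertising SAE-PK in its RSNXE, and a local `sae_password` that is unset or rejected by `sae_pk_valid_password()`, and "SAE: Cannot use PK with the selected AP" attributes the second, purely local, misconfiguration to the AP. Since this is the only diagnostic an operator gets when an sae_pk=1 network silently never connects, the log should say which side blocked PK, e.g. `wpa_printf(MSG_DEBUG, "SAE: Cannot use PK with the selected AP (AP support: %d, valid SAE-PK password: %d)", !!(rsnxe_capa & BIT(WLAN_RSNX_CAPAB_SAE_PK)), ssid->sae_password && sae_pk_valid_password(ssid->sae_password));`. The newly added `ssid->sae_pk != SAE_PK_MODE_DISABLED &&` term is correctly placed before the password check, so a disabled mode never calls `sae_pk_valid_password()`. sme_auth_build_sae_commit() continues outside the hunk on both sides.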
@@ -1301,13 +1301,13 @@ static void wpa_supplicant_transition_disable(void *_wpa_s, u8 bitmap)
 wpa_s->sme.sae.pk &&
 #endif /* CONFIG_SME */
 (ssid->key_mgmt & (WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_FT_SAE)) &&
- (!ssid->sae_pk_only ||
+ (ssid->sae_pk != SAE_PK_MODE_ONLY ||
 ssid->ieee80211w != MGMT_FRAME_PROTECTION_REQUIRED ||
 (ssid->group_cipher & WPA_CIPHER_TKIP))) {
 wpa_printf(MSG_DEBUG,
 "SAE-PK: SAE authentication without PK disabled based on AP notification");
 disable_wpa_wpa2(ssid);
- ssid->sae_pk_only = 1;
+ ssid->sae_pk = SAE_PK_MODE_ONLY;
 changed = 1;
 }
 #endif /* CONFIG_SAE */
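Review bot: The AP's transition-disable indication still forces `ssid->sae_pk = SAE_PK_MODE_ONLY` without any check against the new `SAE_PK_MODE_DISABLED` value. Under CONFIG_SME the `wpa_s->sme.sae.pk &&` term at the top of the hunk should keep this from firing, because PK is never negotiated when it is disabled, but that term is compiled out otherwise, and an operator's explicit `sae_pk=2` could then be overwritten by a value learned from the peer and persisted through `changed = 1`. Adding `ssid->sae_pk != SAE_PK_MODE_DISABLED &&` next to the key_mgmt term, or a comment stating that the AP indication deliberately takes precedence over a disabled setting, would make the intended policy explicit. The condition starts before the hunk, so part of it is not visible here.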