WPS: Allow AP SAE configuration to be added automatically for PSK
The new hostapd configuration parameter wps_cred_add_sae=1 can be used to request hostapd to add SAE configuration whenever WPS is used to configure the AP to use WPA2-PSK and the credential includes a passphrase (instead of PSK). This can be used to enable WPA3-Personal transition mode with both SAE and PSK enabled and PMF enabled for PSK and required for SAE associations. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This commit is contained in:
Jouni Malinen
Jouni Malinen
parent
b9cd4f5e75
commit
fc30f99b34
4 changed files with 50 additions and 1 deletions
|
|
@ -3612,6 +3612,8 @@ static int hostapd_config_fill(struct hostapd_config *conf,
|
|||
}
|
||||
} else if (os_strcmp(buf, "wps_cred_processing") == 0) {
|
||||
bss->wps_cred_processing = atoi(pos);
|
||||
} else if (os_strcmp(buf, "wps_cred_add_sae") == 0) {
|
||||
bss->wps_cred_add_sae = atoi(pos);
|
||||
} else if (os_strcmp(buf, "ap_settings") == 0) {
|
||||
os_free(bss->ap_settings);
|
||||
bss->ap_settings =
|
||||
|
|
|
|||
|
|
@ -1942,6 +1942,14 @@ own_ip_addr=127.0.0.1
|
|||
# the configuration appropriately in this case.
|
||||
#wps_cred_processing=0
|
||||
|
||||
# Whether to enable SAE (WPA3-Personal transition mode) automatically for
|
||||
# WPA2-PSK credentials received using WPS.
|
||||
# 0 = only add the explicitly listed WPA2-PSK configuration (default)
|
||||
# 1 = add both the WPA2-PSK and SAE configuration and enable PMF so that the
|
||||
# AP gets configured in WPA3-Personal transition mode (supports both
|
||||
# WPA2-Personal (PSK) and WPA3-Personal (SAE) clients).
|
||||
#wps_cred_add_sae=0
|
||||
|
||||
# AP Settings Attributes for M7
|
||||
# By default, hostapd generates the AP Settings Attributes for M7 based on the
|
||||
# current configuration. It is possible to override this by providing a file
|
||||
|
|
|
|||
|
|
@ -464,6 +464,7 @@ struct hostapd_bss_config {
|
|||
u8 *extra_cred;
|
||||
size_t extra_cred_len;
|
||||
int wps_cred_processing;
|
||||
int wps_cred_add_sae;
|
||||
int force_per_enrollee_psk;
|
||||
u8 *ap_settings;
|
||||
size_t ap_settings_len;
|
||||
|
|
|
|||
|
|
@ -354,6 +354,18 @@ static int hapd_wps_reconfig_in_memory(struct hostapd_data *hapd,
|
|||
bss->wpa_pairwise,
|
||||
bss->rsn_pairwise);
|
||||
|
||||
if (hapd->conf->wps_cred_add_sae &&
|
||||
(cred->auth_type & WPS_AUTH_WPA2PSK) &&
|
||||
cred->key_len != 2 * PMK_LEN) {
|
||||
bss->wpa_key_mgmt |= WPA_KEY_MGMT_SAE;
|
||||
#ifdef CONFIG_IEEE80211W
|
||||
if (bss->ieee80211w == NO_MGMT_FRAME_PROTECTION)
|
||||
bss->ieee80211w =
|
||||
MGMT_FRAME_PROTECTION_OPTIONAL;
|
||||
bss->sae_require_mfp = 1;
|
||||
#endif /* CONFIG_IEEE80211W */
|
||||
}
|
||||
|
||||
if (cred->key_len >= 8 && cred->key_len < 64) {
|
||||
os_free(bss->ssid.wpa_passphrase);
|
||||
bss->ssid.wpa_passphrase = os_zalloc(cred->key_len + 1);
|
||||
|
|
@ -401,6 +413,7 @@ static int hapd_wps_cred_cb(struct hostapd_data *hapd, void *ctx)
|
|||
char buf[1024];
|
||||
int multi_bss;
|
||||
int wpa;
|
||||
int pmf_changed = 0;
|
||||
|
||||
if (hapd->wps == NULL)
|
||||
return 0;
|
||||
|
|
@ -520,6 +533,10 @@ static int hapd_wps_cred_cb(struct hostapd_data *hapd, void *ctx)
|
|||
|
||||
if (wpa) {
|
||||
char *prefix;
|
||||
#ifdef CONFIG_IEEE80211W
|
||||
int sae = 0;
|
||||
#endif /* CONFIG_IEEE80211W */
|
||||
|
||||
fprintf(nconf, "wpa=%d\n", wpa);
|
||||
|
||||
fprintf(nconf, "wpa_key_mgmt=");
|
||||
|
|
@ -528,10 +545,30 @@ static int hapd_wps_cred_cb(struct hostapd_data *hapd, void *ctx)
|
|||
fprintf(nconf, "WPA-EAP");
|
||||
prefix = " ";
|
||||
}
|
||||
if (cred->auth_type & (WPS_AUTH_WPA2PSK | WPS_AUTH_WPAPSK))
|
||||
if (cred->auth_type & (WPS_AUTH_WPA2PSK | WPS_AUTH_WPAPSK)) {
|
||||
fprintf(nconf, "%sWPA-PSK", prefix);
|
||||
prefix = " ";
|
||||
}
|
||||
if (hapd->conf->wps_cred_add_sae &&
|
||||
(cred->auth_type & WPS_AUTH_WPA2PSK) &&
|
||||
cred->key_len != 2 * PMK_LEN) {
|
||||
fprintf(nconf, "%sSAE", prefix);
|
||||
#ifdef CONFIG_IEEE80211W
|
||||
sae = 1;
|
||||
#endif /* CONFIG_IEEE80211W */
|
||||
}
|
||||
fprintf(nconf, "\n");
|
||||
|
||||
#ifdef CONFIG_IEEE80211W
|
||||
if (sae && hapd->conf->ieee80211w == NO_MGMT_FRAME_PROTECTION) {
|
||||
fprintf(nconf, "ieee80211w=%d\n",
|
||||
MGMT_FRAME_PROTECTION_OPTIONAL);
|
||||
pmf_changed = 1;
|
||||
}
|
||||
if (sae)
|
||||
fprintf(nconf, "sae_require_mfp=1\n");
|
||||
#endif /* CONFIG_IEEE80211W */
|
||||
|
||||
fprintf(nconf, "wpa_pairwise=");
|
||||
prefix = "";
|
||||
if (cred->encr_type & WPS_ENCR_AES) {
|
||||
|
|
@ -585,6 +622,7 @@ static int hapd_wps_cred_cb(struct hostapd_data *hapd, void *ctx)
|
|||
str_starts(buf, "wep_default_key=") ||
|
||||
str_starts(buf, "wep_key") ||
|
||||
str_starts(buf, "wps_state=") ||
|
||||
(pmf_changed && str_starts(buf, "ieee80211w=")) ||
|
||||
str_starts(buf, "wpa=") ||
|
||||
str_starts(buf, "wpa_psk=") ||
|
||||
str_starts(buf, "wpa_pairwise=") ||
|
||||
|
|
|
|||
Loading…
Reference in a new issue