SAE: Special test mode sae_pwe=3 for looping with password identifier
authorJouni Malinen <jouni@codeaurora.org>
Mon, 10 Feb 2020 02:59:10 +0000 (04:59 +0200)
committerJouni Malinen <jouni@codeaurora.org>
Mon, 10 Feb 2020 03:13:13 +0000 (05:13 +0200)
The new sae_pwe=3 mode can be used to test non-compliant behavior with
SAE Password Identifiers. This can be used to force use of
hunting-and-pecking loop for PWE derivation when Password Identifier is
used. This is not allowed by the standard and as such, this
functionality is aimed at compliance testing.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
src/ap/ap_config.c
src/ap/ieee802_11.c
src/ap/ieee802_11_shared.c
src/ap/wpa_auth_glue.c
wpa_supplicant/config.c
wpa_supplicant/events.c
wpa_supplicant/sme.c
wpa_supplicant/wpa_supplicant.c

index 799d8f4da02f895b6685d2b7f53c180596d40fc3..27c4b48e4c56edd03fd39380531131fb3bcd5b43 100644 (file)
@@ -442,6 +442,7 @@ int hostapd_setup_sae_pt(struct hostapd_bss_config *conf)
        struct sae_password_entry *pw;
 
        if ((conf->sae_pwe == 0 && !hostapd_sae_pw_id_in_use(conf)) ||
+           conf->sae_pwe == 3 ||
            !wpa_key_mgmt_sae(conf->wpa_key_mgmt))
                return 0; /* PT not needed */
 
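Review bot: The bare literal in `conf->sae_pwe == 3` gives no hint that it selects the non-compliant test mode, and the same literal recurs in every other hunk of this commit (ieee802_11.c, ieee802_11_shared.c, wpa_auth_glue.c, events.c, sme.c, wpa_supplicant.c). A named constant shared by hostapd and wpa_supplicant, for example `#define SAE_PWE_FORCE_HUNT_AND_PECK 3` (the name is only a suggestion), would make each check self-explanatory and easy to grep when auditing which paths can switch H2E off. At minimum the existing comment could state the reason: `/* PT not needed (H2E unused, or sae_pwe=3 test mode) */`. hostapd_setup_sae_pt() begins before and continues after this hunk.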
index 237549b56cdf978156abc647f2dc45f1e49e7f47..c93872da418702182e7c431bcd86a4710cc4aca9 100644 (file)
@@ -101,6 +101,7 @@ u8 * hostapd_eid_supp_rates(struct hostapd_data *hapd, u8 *eid)
                num++;
        h2e_required = (hapd->conf->sae_pwe == 1 ||
                        hostapd_sae_pw_id_in_use(hapd->conf) == 2) &&
+               hapd->conf->sae_pwe != 3 &&
                wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt);
        if (h2e_required)
                num++;
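Review bot: The three-clause `h2e_required` expression is maintained in two places, here in hostapd_eid_supp_rates() and again in hostapd_eid_ext_supp_rates() in the next hunk, and both needed the identical `sae_pwe != 3` clause. Moving it into one static helper and calling it from both, e.g. `h2e_required = hostapd_sae_h2e_required(hapd);` (helper name is a suggestion), would keep the advertised H2E-only membership selector from drifting between the two elements. The RSNXE guard in ieee802_11_shared.c encodes a related condition and presumably has to stay consistent with it as well. Both functions extend beyond their hunks.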
@@ -155,6 +156,7 @@ u8 * hostapd_eid_ext_supp_rates(struct hostapd_data *hapd, u8 *eid)
                num++;
        h2e_required = (hapd->conf->sae_pwe == 1 ||
                        hostapd_sae_pw_id_in_use(hapd->conf) == 2) &&
+               hapd->conf->sae_pwe != 3 &&
                wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt);
        if (h2e_required)
                num++;
@@ -456,7 +458,7 @@ static struct wpabuf * auth_build_sae_commit(struct hostapd_data *hapd,
                use_pt = sta->sae->tmp->h2e;
        }
 
-       if (rx_id)
+       if (rx_id && hapd->conf->sae_pwe != 3)
                use_pt = 1;
        else if (status_code == WLAN_STATUS_SUCCESS)
                use_pt = 0;
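Review bot: When `sae_pwe == 3` and `rx_id` is set, control now falls through to the `else if`, so `use_pt` is cleared only for WLAN_STATUS_SUCCESS and otherwise may keep the value taken from `sta->sae->tmp->h2e` in the block above. hostapd_setup_sae_pt() skips PT derivation in this mode, so a nonzero `use_pt` here would refer to a PT that was never set up. Presumably sae_status_success() rejects the H2E status code before this point, but that is not visible in this hunk. A comment would make the dependency explicit: `/* sae_pwe=3 test mode: ignore the password identifier; no PT exists, so use_pt must end up 0 here */`. auth_build_sae_commit() starts and ends outside the hunk.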
@@ -1079,12 +1081,12 @@ static int sae_status_success(struct hostapd_data *hapd, u16 status_code)
        int id_in_use;
 
        id_in_use = hostapd_sae_pw_id_in_use(hapd->conf);
-       if (id_in_use == 2)
+       if (id_in_use == 2 && sae_pwe != 3)
                sae_pwe = 1;
        else if (id_in_use == 1 && sae_pwe == 0)
                sae_pwe = 2;
 
-       return (sae_pwe == 0 &&
+       return ((sae_pwe == 0 || sae_pwe == 3) &&
                status_code == WLAN_STATUS_SUCCESS) ||
                (sae_pwe == 1 &&
                 status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT) ||
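Review bot: The password-identifier override of `sae_pwe` (`id_in_use == 2 && sae_pwe != 3` selects 1, `id_in_use == 1 && sae_pwe == 0` selects 2) is duplicated in hostapd_wpa_auth_conf() in wpa_auth_glue.c, and this commit had to patch both copies identically. A single helper that returns the effective sae_pwe for a BSS configuration, used by both call sites, would remove the risk of one copy being updated without the other. If they diverged, the authenticator and this status-code check would disagree about whether H2E is mandatory. The return expression of sae_status_success() continues past the end of the hunk.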
index 5b14694eab8357b7ed545c200a905f4e8b0d4cfc..a947bd9d1b7622a9fc7f39294a49cb4febfe700d 100644 (file)
@@ -1016,6 +1016,7 @@ u8 * hostapd_eid_rsnxe(struct hostapd_data *hapd, u8 *eid, size_t len)
            !wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt) ||
            (hapd->conf->sae_pwe != 1 && hapd->conf->sae_pwe != 2 &&
             !hostapd_sae_pw_id_in_use(hapd->conf)) ||
+           hapd->conf->sae_pwe == 3 ||
            len < 3)
                return pos;
 
index 066d7c5fe813948960bf0219fa62c8d8442d4fde..894c1a1b24d7a95f34e4dc1f3e97df02484867ca 100644 (file)
@@ -158,7 +158,7 @@ static void hostapd_wpa_auth_conf(struct hostapd_bss_config *conf,
 #endif /* CONFIG_FILS */
        wconf->sae_pwe = conf->sae_pwe;
        sae_pw_id = hostapd_sae_pw_id_in_use(conf);
-       if (sae_pw_id == 2)
+       if (sae_pw_id == 2 && wconf->sae_pwe != 3)
                wconf->sae_pwe = 1;
        else if (sae_pw_id == 1 && wconf->sae_pwe == 0)
                wconf->sae_pwe = 2;
index 1bc798b89347bbbffa5b6f09b4297ef17a18d95d..b83c36ae9dfa3c71d29cb3cae951d5d3121c28ca 100644 (file)
@@ -4999,7 +4999,7 @@ static const struct global_parse_data global_fields[] = {
        { INT(okc), 0 },
        { INT(pmf), 0 },
        { FUNC(sae_groups), 0 },
-       { INT_RANGE(sae_pwe, 0, 2), 0 },
+       { INT_RANGE(sae_pwe, 0, 3), 0 },
        { INT_RANGE(sae_pmkid_in_assoc, 0, 1), 0 },
        { INT(dtim_period), 0 },
        { INT(beacon_int), 0 },
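Review bot: The widened range `INT_RANGE(sae_pwe, 0, 3)` makes the non-compliant test mode selectable in every build, although the commit message describes it as aimed at compliance testing. Because the value turns off H2E even when a password identifier is configured, it seems safer to accept it only in builds that already carry test hooks, as sketched below with the project's CONFIG_TESTING_OPTIONS guard, or else to log a warning when it is set. The hostapd-side parser is not among the files changed here, so whether it bounds the value cannot be checked from this page.

```c
	{ FUNC(sae_groups), 0 },
#ifdef CONFIG_TESTING_OPTIONS
	{ INT_RANGE(sae_pwe, 0, 3), 0 }, /* 3 = test mode, non-compliant */
#else /* CONFIG_TESTING_OPTIONS */
	{ INT_RANGE(sae_pwe, 0, 2), 0 },
#endif /* CONFIG_TESTING_OPTIONS */
	/* … unchanged: remaining global_fields entries … */
```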
index 12e22e84e0ff9e910aa4d64de7347a1875ae796a..ba03d9f1f95b0755f263cd3225a57c696a5c66c6 100644 (file)
@@ -1301,6 +1301,7 @@ struct wpa_ssid * wpa_scan_res_match(struct wpa_supplicant *wpa_s,
 
 #ifdef CONFIG_SAE
                if ((wpa_s->conf->sae_pwe == 1 || ssid->sae_password_id) &&
+                   wpa_s->conf->sae_pwe != 3 &&
                    wpa_key_mgmt_sae(ssid->key_mgmt) &&
                    (!(ie = wpa_bss_get_ie(bss, WLAN_EID_RSNX)) ||
                     ie[1] < 1 ||
index 64b22c451590e31443d06d0bdf7bc95a48978c48..81151a7fb710a0b0a63f281ed954d58e3bbf4377 100644 (file)
@@ -131,7 +131,7 @@ static struct wpabuf * sme_auth_build_sae_commit(struct wpa_supplicant *wpa_s,
                return NULL;
        }
 
-       if (ssid->sae_password_id)
+       if (ssid->sae_password_id && wpa_s->conf->sae_pwe != 3)
                use_pt = 1;
 
        if (use_pt || wpa_s->conf->sae_pwe == 1 || wpa_s->conf->sae_pwe == 2) {
@@ -146,6 +146,7 @@ static struct wpabuf * sme_auth_build_sae_commit(struct wpa_supplicant *wpa_s,
                }
 
                if ((wpa_s->conf->sae_pwe == 1 || ssid->sae_password_id) &&
+                   wpa_s->conf->sae_pwe != 3 &&
                    !use_pt) {
                        wpa_printf(MSG_DEBUG,
                                   "SAE: Cannot use H2E with the selected AP");
index aa7e1d09a271eec4d974921b17f56fca6d6d38f9..09f971c5bb2521b0f8333a38062c613d39bc5262 100644 (file)
@@ -1618,7 +1618,7 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s,
        wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_OCV, ssid->ocv);
 #endif /* CONFIG_OCV */
        sae_pwe = wpa_s->conf->sae_pwe;
-       if (ssid->sae_password_id)
+       if (ssid->sae_password_id && sae_pwe != 3)
                sae_pwe = 1;
        wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_SAE_PWE, sae_pwe);
 
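Review bot: With `sae_pwe != 3` added, the raw value 3 is now forwarded through `wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_SAE_PWE, sae_pwe)`, but no consumer of that parameter is touched by this commit. If the state machine only compares against 1 and 2, the value 3 presumably behaves like 0 there. That is worth stating next to the assignment once confirmed against the consumer, e.g. `/* sae_pwe=3 (test mode) is passed through unchanged; the WPA state machine treats it as no-H2E */`. wpa_supplicant_set_suites() extends beyond this hunk.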
@@ -1996,7 +1996,8 @@ static void wpa_s_setup_sae_pt(struct wpa_config *conf, struct wpa_ssid *ssid)
        if (!password)
                password = ssid->passphrase;
 
-       if ((conf->sae_pwe == 0 && !ssid->sae_password_id) || !password) {
+       if ((conf->sae_pwe == 0 && !ssid->sae_password_id) || !password ||
+           conf->sae_pwe == 3) {
                /* PT derivation not needed */
                sae_deinit_pt(ssid->pt);
                ssid->pt = NULL;