git.ipfire.org Git - thirdparty/hostap.git/commit

author	Jeffery Miller <jefferymiller@google.com>
	Tue, 25 Oct 2022 19:35:10 +0000 (19:35 +0000)
committer	Jouni Malinen <j@w1.fi>
	Sat, 5 Nov 2022 15:48:17 +0000 (17:48 +0200)
commit	c6f8af507eae658f58de39d15003d3a4f865da1c
tree	c6a74bccdfcf31a7744e834f5a8824621c101a95	tree
parent	7ad757ec01daafc0f719414450305fc2a9615a28	commit \| diff

Add option to disable SAE key_mgmt without PMF

Add the `sae_check_mfp` global option to limit SAE when PMF will
not be selected for the connection.
With this option SAE is avoided when the hardware is not capable
of PMF due to missing ciphers.
With this option SAE is avoided on capable hardware when the AP
does not enable PMF.

Allows falling back to PSK on drivers with the
WPA_DRIVER_FLAGS_SAE capability but do not support the BIP cipher
necessary for PMF. This enables configurations that can fall back
to WPA-PSK and avoid problems associating with APs configured
with `sae_require_mfp=1`.

Useful when `pmf=1` and `sae_check_mfp=1` are enabled and networks
are configured with ieee80211w=3 (default) and key_mgmt="WPA-PSK SAE".
In this configuration if the device is unable to use PMF due to
lacking BIP group ciphers it will avoid SAE and fallback to
WPA-PSK for that connection.

Signed-off-by: Jeffery Miller <jefferymiller@google.com>

tests/hwsim/test_sae.py		diff \| blob \| blame \| history
wpa_supplicant/config.c		diff \| blob \| blame \| history
wpa_supplicant/config.h		diff \| blob \| blame \| history
wpa_supplicant/config_file.c		diff \| blob \| blame \| history
wpa_supplicant/sme.c		diff \| blob \| blame \| history
wpa_supplicant/wpa_cli.c		diff \| blob \| blame \| history
wpa_supplicant/wpa_supplicant.c		diff \| blob \| blame \| history
wpa_supplicant/wpa_supplicant.conf		diff \| blob \| blame \| history
wpa_supplicant/wpa_supplicant_i.h		diff \| blob \| blame \| history