SAE-PK: Allow SAE authentication without PK to be disabled
authorJouni Malinen <jouni@codeaurora.org>
Sat, 6 Jun 2020 08:42:59 +0000 (11:42 +0300)
committerJouni Malinen <j@w1.fi>
Sat, 6 Jun 2020 12:18:13 +0000 (15:18 +0300)
The new wpa_supplicant network profile parameter sae_pk_only=1 can now
be used to disable use of SAE authentication without SAE-PK.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
wpa_supplicant/config.c
wpa_supplicant/config_file.c
wpa_supplicant/config_ssid.h
wpa_supplicant/events.c
wpa_supplicant/sme.c
wpa_supplicant/wpa_supplicant.conf

index 49b25f12452cbc2539513ff27a16b1e524277279..86373ad056f7f893e389790701aee214ec7cc5a5 100644 (file)
@@ -2582,6 +2582,7 @@ static const struct parse_data ssid_fields[] = {
        { INT_RANGE(ft_eap_pmksa_caching, 0, 1) },
        { INT_RANGE(beacon_prot, 0, 1) },
        { INT_RANGE(transition_disable, 0, 255) },
+       { INT_RANGE(sae_pk_only, 0, 1) },
 };
 
 #undef OFFSET
index a69c4cc6dbc1c005b686c272e6d6a6e88f7464e9..9a1c39cc70f67e84d47d058e0a4420d7525d8fb6 100644 (file)
@@ -937,6 +937,7 @@ static void wpa_config_write_network(FILE *f, struct wpa_ssid *ssid)
        INT(ft_eap_pmksa_caching);
        INT(beacon_prot);
        INT(transition_disable);
+       INT(sae_pk_only);
 #ifdef CONFIG_HT_OVERRIDES
        INT_DEF(disable_ht, DEFAULT_DISABLE_HT);
        INT_DEF(disable_ht40, DEFAULT_DISABLE_HT40);
index 1e2c322686de5202872a85342d73a496cafea37e..730282f3bd908d4e52f7cde9d6f86f487437a2bb 100644 (file)
@@ -1121,6 +1121,15 @@ struct wpa_ssid {
         *      OWE)
         */
        u8 transition_disable;
+
+       /**
+        * sae_pk_only - SAE-PK only mode (disable transition mode)
+        *
+        * 0 = enable transition mode (allow SAE authentication without SAE-PK)
+        * 1 = disable transition mode (allow SAE authentication only with
+        * SAE-PK)
+        */
+       int sae_pk_only;
 };
 
 #endif /* CONFIG_SSID_H */
index f0f91892f0a2598a020fa8289c7eb087819154ee..dd83ddce24e2c48d6e80812958d4236a4426a145 100644 (file)
@@ -1094,6 +1094,9 @@ struct wpa_ssid * wpa_scan_res_match(struct wpa_supplicant *wpa_s,
        const u8 *ie;
        struct wpa_ssid *ssid;
        int osen, rsn_osen = 0;
+#ifdef CONFIG_SAE
+       u8 rsnxe_capa = 0;
+#endif /* CONFIG_SAE */
 #ifdef CONFIG_MBO
        const u8 *assoc_disallow;
 #endif /* CONFIG_MBO */
@@ -1113,6 +1116,12 @@ struct wpa_ssid * wpa_scan_res_match(struct wpa_supplicant *wpa_s,
        ie = wpa_bss_get_vendor_ie(bss, OSEN_IE_VENDOR_TYPE);
        osen = ie != NULL;
 
+#ifdef CONFIG_SAE
+       ie = wpa_bss_get_ie(bss, WLAN_EID_RSNX);
+       if (ie && ie[1] >= 1)
+               rsnxe_capa = ie[2];
+#endif /* CONFIG_SAE */
+
        if (debug_print) {
                wpa_dbg(wpa_s, MSG_DEBUG, "%d: " MACSTR
                        " ssid='%s' wpa_ie_len=%u rsn_ie_len=%u caps=0x%x level=%d freq=%d %s%s%s",
@@ -1349,9 +1358,7 @@ struct wpa_ssid * wpa_scan_res_match(struct wpa_supplicant *wpa_s,
                if ((wpa_s->conf->sae_pwe == 1 || ssid->sae_password_id) &&
                    wpa_s->conf->sae_pwe != 3 &&
                    wpa_key_mgmt_sae(ssid->key_mgmt) &&
-                   (!(ie = wpa_bss_get_ie(bss, WLAN_EID_RSNX)) ||
-                    ie[1] < 1 ||
-                    !(ie[2] & BIT(WLAN_RSNX_CAPAB_SAE_H2E)))) {
+                   !(rsnxe_capa & BIT(WLAN_RSNX_CAPAB_SAE_H2E))) {
                        if (debug_print)
                                wpa_dbg(wpa_s, MSG_DEBUG,
                                        "   skip - SAE H2E required, but not supported by the AP");
@@ -1359,6 +1366,16 @@ struct wpa_ssid * wpa_scan_res_match(struct wpa_supplicant *wpa_s,
                }
 #endif /* CONFIG_SAE */
 
+#ifdef CONFIG_SAE_PK
+               if (ssid->sae_pk_only &&
+                   !(rsnxe_capa & BIT(WLAN_RSNX_CAPAB_SAE_PK))) {
+                       if (debug_print)
+                               wpa_dbg(wpa_s, MSG_DEBUG,
+                                       "   skip - SAE-PK required, but not supported by the AP");
+                       continue;
+               }
+#endif /* CONFIG_SAE_PK */
+
 #ifndef CONFIG_IBSS_RSN
                if (ssid->mode == WPAS_MODE_IBSS &&
                    !(ssid->key_mgmt & (WPA_KEY_MGMT_NONE |
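Review bot: The new SAE-PK skip keys off `rsnxe_capa`, which is read from the Beacon/Probe Response RSNXE, an element that is not integrity-protected before association, so any AP (rogue or not) can assert or omit the bit at will; this check can only select candidates, it cannot enforce the policy, and a one-line comment would keep a later reader from treating it as the security boundary, e.g. `/* RSNXE is unauthenticated at scan time; sme.c re-checks before building the SAE commit */`. Unlike the H2E skip just above it, the filter is not gated on `wpa_key_mgmt_sae(ssid->key_mgmt)`, so a profile mixing SAE with other AKMs is filtered on SAE-PK capability even for BSSs where it would not use SAE at all; if that is intended it deserves a comment, otherwise add the same guard. The check also sits after `#endif /* CONFIG_SAE */` yet uses `rsnxe_capa`, which is declared only under `CONFIG_SAE`, which is fine only if the build forces CONFIG_SAE_PK to imply CONFIG_SAE, something I cannot confirm from the hunk. wpa_scan_res_match() begins before this hunk and continues after it.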
index 3ad00652855b88649f763f8d8bb3d1da0ba18059..1d347839aa9a1e2f3d19f92328521095893b1f74 100644 (file)
@@ -154,6 +154,12 @@ static struct wpabuf * sme_auth_build_sae_commit(struct wpa_supplicant *wpa_s,
                use_pt = 1;
                use_pk = true;
        }
+
+       if (ssid->sae_pk_only && !use_pk) {
+               wpa_printf(MSG_DEBUG,
+                          "SAE: Cannot use PK with the selected AP");
+               return NULL;
+       }
 #endif /* CONFIG_SAE_PK */
 
        if (use_pt || wpa_s->conf->sae_pwe == 1 || wpa_s->conf->sae_pwe == 2) {
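Review bot: The new gate `if (ssid->sae_pk_only && !use_pk)` lives inside `#ifdef CONFIG_SAE_PK`, while config.c accepts `sae_pk_only=1` in every build, so a wpa_supplicant compiled without SAE-PK support silently sends a plain SAE commit for a profile that asked for PK-only, i.e. the option fails open exactly where the user asked for fail-closed. An `#else` branch that refuses to build the commit when the option is set but unsupported keeps the option honest regardless of build configuration; this assumes the `#ifdef CONFIG_SAE_PK` closed by the visible `#endif` has no `#else` of its own, and that `ssid` is a parameter of the function (its signature is cut by the hunk header). sme_auth_build_sae_commit() begins before this hunk and continues after it.
```c
	if (ssid->sae_pk_only && !use_pk) {
		wpa_printf(MSG_DEBUG,
			   "SAE: Cannot use PK with the selected AP");
		return NULL;
	}
#else /* CONFIG_SAE_PK */
	/* Fail closed: sae_pk_only=1 must not degrade to plain SAE in a
	 * build that cannot perform SAE-PK at all. */
	if (ssid->sae_pk_only) {
		wpa_printf(MSG_DEBUG,
			   "SAE: SAE-PK required by the network profile but not supported in this build");
		return NULL;
	}
#endif /* CONFIG_SAE_PK */
```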
index 3b9056770f314baee49075a4ab6dabb4752c68a9..45a811f6486e717fcc7c983bef36c7a7c607423a 100644 (file)
@@ -1472,6 +1472,11 @@ fast_reauth=1
 # 2: do not allow PFS to be used
 #dpp_pfs=0
 
+# SAE-PK only mode (disable transition mode)
+# 0: enable transition mode (allow SAE authentication without SAE-PK)
+# 1: disable transition mode (allow SAE authentication only with SAE-PK)
+#sae_pk_only=0
+
 # MAC address policy
 # 0 = use permanent MAC address
 # 1 = use random MAC address for each ESS connection