SAE-PK: Transition mode disabled indication processing

Allow AP to disable transition mode for SAE-PK (i.e., prevent SAE
authentication without SAE-PK).

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

diff --git a/wpa_supplicant/wpas_glue.c b/wpa_supplicant/wpas_glue.c
index 6bd271e12e73710474d97caf10cefbb5b7cfccfa..ec6d7858d81d1ade54a1ea47c0e0e7c70f43b72f 100644 (file)
--- a/wpa_supplicant/wpas_glue.c
+++ b/wpa_supplicant/wpas_glue.c
@@ -1268,6 +1268,7 @@ static void wpa_supplicant_transition_disable(void *_wpa_s, u8 bitmap)
        if (!ssid)
                return;
 
+#ifdef CONFIG_SAE
        if ((bitmap & TRANSITION_DISABLE_WPA3_PERSONAL) &&
            wpa_key_mgmt_sae(wpa_s->key_mgmt) &&
            (ssid->key_mgmt & (WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_FT_SAE)) &&
@@ -1279,6 +1280,24 @@ static void wpa_supplicant_transition_disable(void *_wpa_s, u8 bitmap)
                changed = 1;
        }
 
+       if ((bitmap & TRANSITION_DISABLE_SAE_PK) &&
+           wpa_key_mgmt_sae(wpa_s->key_mgmt) &&
+#ifdef CONFIG_SME
+           wpa_s->sme.sae.state == SAE_ACCEPTED &&
+           wpa_s->sme.sae.pk &&
+#endif /* CONFIG_SME */
+           (ssid->key_mgmt & (WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_FT_SAE)) &&
+           (!ssid->sae_pk_only ||
+            ssid->ieee80211w != MGMT_FRAME_PROTECTION_REQUIRED ||
+            (ssid->group_cipher & WPA_CIPHER_TKIP))) {
+               wpa_printf(MSG_DEBUG,
+                          "SAE-PK: SAE authentication without PK disabled based on AP notification");
+               disable_wpa_wpa2(ssid);
+               ssid->sae_pk_only = 1;
+               changed = 1;
+       }
+#endif /* CONFIG_SAE */
+
        if ((bitmap & TRANSITION_DISABLE_WPA3_ENTERPRISE) &&
            wpa_key_mgmt_wpa_ieee8021x(wpa_s->key_mgmt) &&
            (ssid->key_mgmt & (WPA_KEY_MGMT_IEEE8021X |