OWE: Allow station in transition mode to connect to an open BSS
authorJouni Malinen <jouni@codeaurora.org>
Sat, 13 Jan 2018 01:56:26 +0000 (03:56 +0200)
committerJouni Malinen <j@w1.fi>
Sun, 21 Jan 2018 09:13:01 +0000 (11:13 +0200)
If the OWE network profile matches an open network which does not
advertise OWE BSS, allow open connection. The new owe_only=1 network
profile parameter can be used to disable this transition mode and
enforce connection only with OWE networks.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
wpa_supplicant/config.c
wpa_supplicant/config_file.c
wpa_supplicant/config_ssid.h
wpa_supplicant/events.c
wpa_supplicant/wpa_supplicant.c

index a0d480ed91cc681d02e132e1711ec3d8912e5bdc..0ee4d2f4cb6fa4da76ee815eba68425e9aa3a7a9 100644 (file)
@@ -2300,6 +2300,7 @@ static const struct parse_data ssid_fields[] = {
        { STR_LEN(dpp_csign) },
 #endif /* CONFIG_DPP */
        { INT_RANGE(owe_group, 0, 65535) },
+       { INT_RANGE(owe_only, 0, 1) },
 };
 
 #undef OFFSET
index 6b7abe2bb587a65c8754c9711851fe592c99e241..370fe2af0b42b594d6af4ca100a7a58b05d249ab 100644 (file)
@@ -873,6 +873,7 @@ static void wpa_config_write_network(FILE *f, struct wpa_ssid *ssid)
        STR(dpp_csign);
 #endif /* CONFIG_DPP */
        INT(owe_group);
+       INT(owe_only);
 #ifdef CONFIG_HT_OVERRIDES
        INT_DEF(disable_ht, DEFAULT_DISABLE_HT);
        INT_DEF(disable_ht40, DEFAULT_DISABLE_HT40);
index 15bfa7c5b2ae2258446f4423cad23a807b59bf4d..87a45c435268fdba67922fbeec9d999facd6dfff 100644 (file)
@@ -897,6 +897,15 @@ struct wpa_ssid {
         * currently supported.
         */
        int owe_group;
+
+       /**
+        * owe_only - OWE-only mode (disable transition mode)
+        *
+        * 0 = enable transition mode (allow connection to either OWE or open
+        *      BSS)
+        * 1 = disable transition mode (allow connection only with OWE)
+        */
+       int owe_only;
 };
 
 #endif /* CONFIG_SSID_H */
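Review bot: The new `owe_only` comment does not say which value is the default or what transition mode costs in security terms. The field is a plain `int` in `struct wpa_ssid`, so the default is presumably 0, which lets a profile configured for OWE also associate to an unencrypted BSS unless the operator opts out. I would extend the comment along the lines of `0 = enable transition mode (default; traffic on an open BSS is not encrypted)`, and add a sentence recommending `owe_only=1` wherever an unencrypted fallback is not acceptable.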
index 26568486f94a47d7ab1990a70d62ac57b9e57460..8e46b76e8521413b4a94750aafef00e52a7bb819 100644 (file)
@@ -487,6 +487,11 @@ static int wpa_supplicant_match_privacy(struct wpa_bss *bss,
                return 1;
 #endif /* CONFIG_WPS */
 
+#ifdef CONFIG_OWE
+       if ((ssid->key_mgmt & WPA_KEY_MGMT_OWE) && !ssid->owe_only)
+               return 1;
+#endif /* CONFIG_OWE */
+
        if (has_wep_key(ssid))
                privacy = 1;
 
@@ -622,7 +627,8 @@ static int wpa_supplicant_ssid_bss_match(struct wpa_supplicant *wpa_s,
        }
 
 #ifdef CONFIG_IEEE80211W
-       if (wpas_get_ssid_pmf(wpa_s, ssid) == MGMT_FRAME_PROTECTION_REQUIRED) {
+       if (wpas_get_ssid_pmf(wpa_s, ssid) == MGMT_FRAME_PROTECTION_REQUIRED &&
+           (!(ssid->key_mgmt & WPA_KEY_MGMT_OWE) || ssid->owe_only)) {
                if (debug_print)
                        wpa_dbg(wpa_s, MSG_DEBUG,
                                "   skip - MFP Required but network not MFP Capable");
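Review bot: The added exemption from the MFP-required rejection depends only on the profile (`key_mgmt` contains OWE and `owe_only` is 0), not on the BSS actually being open. For a profile that combines OWE with another AKM and requires PMF, every BSS that reaches this point now skips the check, which looks wider than transition mode needs. The later OWE check in this function narrows on `!wpa_ie && !rsn_ie`, and the same narrowing here would keep PMF enforcement for protected BSSs, though whether those pointers are already populated at this line is outside the hunk. At minimum, a comment such as `/* OWE transition mode: an open BSS cannot do PMF, so do not reject it here */` would record the intent.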
@@ -692,6 +698,16 @@ static int wpa_supplicant_ssid_bss_match(struct wpa_supplicant *wpa_s,
                return 1;
        }
 
+#ifdef CONFIG_OWE
+       if ((ssid->key_mgmt & WPA_KEY_MGMT_OWE) && !ssid->owe_only &&
+           !wpa_ie && !rsn_ie) {
+               if (debug_print)
+                       wpa_dbg(wpa_s, MSG_DEBUG,
+                               "   allow in OWE transition mode");
+               return 1;
+       }
+#endif /* CONFIG_OWE */
+
        if ((ssid->proto & (WPA_PROTO_WPA | WPA_PROTO_RSN)) &&
            wpa_key_mgmt_wpa(ssid->key_mgmt) && proto_match == 0) {
                if (debug_print)
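Review bot: The `!wpa_ie && !rsn_ie` test treats the absence of both elements as an open BSS but does not look at the Privacy capability bit, and the early `return 1` added to wpa_supplicant_match_privacy() in this commit accepts either Privacy value for the same profiles. A BSS that sets Privacy without a WPA or RSN element (static WEP) therefore appears to be accepted as a transition-mode match; confirm against the rest of the function, which lies outside the hunk. The acceptance is also not tied to anything the BSS advertises about OWE, so any open BSS carrying the profile's SSID qualifies, which is the downgrade that `owe_only=1` exists to prevent. I would document that on the branch, e.g. `/* Deliberate fallback to an unencrypted BSS; owe_only=1 disables it */`.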
@@ -1137,6 +1153,7 @@ struct wpa_ssid * wpa_scan_res_match(struct wpa_supplicant *wpa_s,
                if (!osen && !wpa &&
                    !(ssid->key_mgmt & WPA_KEY_MGMT_NONE) &&
                    !(ssid->key_mgmt & WPA_KEY_MGMT_WPS) &&
+                   !(ssid->key_mgmt & WPA_KEY_MGMT_OWE) &&
                    !(ssid->key_mgmt & WPA_KEY_MGMT_IEEE8021X_NO_WPA)) {
                        if (debug_print)
                                wpa_dbg(wpa_s, MSG_DEBUG,
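Review bot: The new `!(ssid->key_mgmt & WPA_KEY_MGMT_OWE)` term ignores `owe_only`, unlike the other OWE checks this commit adds in events.c. With `owe_only=1`, a non-WPA BSS is no longer stopped by this condition, and its rejection depends on another check that is not visible here. For consistency and defence in depth the term could be `!((ssid->key_mgmt & WPA_KEY_MGMT_OWE) && !ssid->owe_only) &&`. The enclosing `if` and its body continue past the end of the hunk.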
index 9bc2c2710aaf0a17c64d213dd5956a425939fcb1..8544aef22dcbd29c31752759ee05b9a1c5649dc5 100644 (file)
@@ -1261,6 +1261,15 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s,
                                                WPA_CIPHER_AES_128_CMAC;
                        }
 #endif /* CONFIG_IEEE80211W */
+#ifdef CONFIG_OWE
+                       if ((ssid->key_mgmt & WPA_KEY_MGMT_OWE) &&
+                           !ssid->owe_only &&
+                           !bss_wpa && !bss_rsn && !bss_osen) {
+                               wpa_supplicant_set_non_wpa_policy(wpa_s, ssid);
+                               wpa_s->wpa_proto = 0;
+                               return 0;
+                       }
+#endif /* CONFIG_OWE */
                        wpa_dbg(wpa_s, MSG_DEBUG, "WPA: Set cipher suites "
                                "based on configuration");
                } else
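Review bot: The OWE fallback in wpa_supplicant_set_suites() switches to the non-WPA policy and returns without logging, so the point where the station commits to an unencrypted association leaves no trace. A line before the call, e.g. `wpa_dbg(wpa_s, MSG_DEBUG, "OWE: transition mode - connect to open BSS without encryption");`, would let an operator tell an OWE association from an open one when reviewing logs. The branch also sits after the CONFIG_IEEE80211W block whose tail assigns `WPA_CIPHER_AES_128_CMAC`. Whether wpa_supplicant_set_non_wpa_policy() resets that management-cipher state is not visible in the hunk and is worth confirming.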