SAE: Use H2E unconditionally with the new AKM suites
authorJouni Malinen <quic_jouni@quicinc.com>
Sun, 24 Jul 2022 19:20:58 +0000 (22:20 +0300)
committerJouni Malinen <j@w1.fi>
Sun, 24 Jul 2022 21:31:51 +0000 (00:31 +0300)
The new SAE AKM suites are defined to use H2E, so ignore the sae_pwe
value when these AKM suites are used similarly to the way H2E gets
enabled when SAE Password Identifiers are used.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
src/ap/ap_config.c
src/ap/ieee802_11.c
src/ap/ieee802_11_shared.c
src/ap/wpa_auth_ie.c
wpa_supplicant/sme.c
wpa_supplicant/wpa_supplicant.c

index 63af3d04726b8f3bae28dec09cd1ab1d5f7a3338..d2d8b95f9d7c453e5fa993887829661dce940309 100644 (file)
@@ -480,6 +480,7 @@ int hostapd_setup_sae_pt(struct hostapd_bss_config *conf)
        struct sae_password_entry *pw;
 
        if ((conf->sae_pwe == 0 && !hostapd_sae_pw_id_in_use(conf) &&
+            !wpa_key_mgmt_sae_ext_key(conf->wpa_key_mgmt) &&
             !hostapd_sae_pk_in_use(conf)) ||
            conf->sae_pwe == 3 ||
            !wpa_key_mgmt_sae(conf->wpa_key_mgmt))
index 639d21d120407c9b80c4fc8dd45218957a01fe17..e9288bed93bf214ac5cfef2a25a35670e484b7a6 100644 (file)
@@ -1234,6 +1234,10 @@ static int sae_status_success(struct hostapd_data *hapd, u16 status_code)
        if (sae_pwe == 0 && sae_pk)
                sae_pwe = 2;
 #endif /* CONFIG_SAE_PK */
+       if (sae_pwe == 0 &&
+           (hapd->conf->wpa_key_mgmt &
+            (WPA_KEY_MGMT_SAE_EXT_KEY | WPA_KEY_MGMT_FT_SAE_EXT_KEY)))
+               sae_pwe = 2;
 
        return ((sae_pwe == 0 || sae_pwe == 3) &&
                status_code == WLAN_STATUS_SUCCESS) ||
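Review bot: The added check `if (sae_pwe == 0 && (hapd->conf->wpa_key_mgmt & (WPA_KEY_MGMT_SAE_EXT_KEY | WPA_KEY_MGMT_FT_SAE_EXT_KEY)))` open-codes the AKM mask, while every other hunk in this commit calls `wpa_key_mgmt_sae_ext_key()`. If that helper tests the same two bits (its definition is not visible here), `if (sae_pwe == 0 && wpa_key_mgmt_sae_ext_key(hapd->conf->wpa_key_mgmt))` would tie the accepted SAE status code to the same predicate that drives PT derivation and the RSNXE H2E bit. That way a later AKM addition cannot leave this check out of step with the others. The body of sae_status_success() starts and ends outside the hunk.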
index 74c8d4439f1bd826ec19c239913c13f0caf4fe4b..72f59113f7a7a1179497a8510b945d257379266a 100644 (file)
@@ -1064,7 +1064,8 @@ u8 * hostapd_eid_rsnxe(struct hostapd_data *hapd, u8 *eid, size_t len)
 
        if (wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt) &&
            (hapd->conf->sae_pwe == 1 || hapd->conf->sae_pwe == 2 ||
-            hostapd_sae_pw_id_in_use(hapd->conf) || sae_pk) &&
+            hostapd_sae_pw_id_in_use(hapd->conf) || sae_pk ||
+            wpa_key_mgmt_sae_ext_key(hapd->conf->wpa_key_mgmt)) &&
            hapd->conf->sae_pwe != 3) {
                capab |= BIT(WLAN_RSNX_CAPAB_SAE_H2E);
 #ifdef CONFIG_SAE_PK
index ee7383c51a9d6703b283f320be806367616e7faa..1c8affa9b77c4d0d7f59eb36c94a8ae55218296c 100644 (file)
@@ -405,7 +405,8 @@ int wpa_write_rsnxe(struct wpa_auth_config *conf, u8 *buf, size_t len)
        size_t flen;
 
        if (wpa_key_mgmt_sae(conf->wpa_key_mgmt) &&
-           (conf->sae_pwe == 1 || conf->sae_pwe == 2 || conf->sae_pk)) {
+           (conf->sae_pwe == 1 || conf->sae_pwe == 2 || conf->sae_pk ||
+            wpa_key_mgmt_sae_ext_key(conf->wpa_key_mgmt))) {
                capab |= BIT(WLAN_RSNX_CAPAB_SAE_H2E);
 #ifdef CONFIG_SAE_PK
                if (conf->sae_pk)
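Review bot: wpa_write_rsnxe() sets `WLAN_RSNX_CAPAB_SAE_H2E` without the `sae_pwe != 3` exclusion that hostapd_eid_rsnxe() keeps in src/ap/ieee802_11_shared.c, and the new `wpa_key_mgmt_sae_ext_key(conf->wpa_key_mgmt)` term adds another configuration where the two builders can disagree. The gap already existed for `conf->sae_pk`, so it may be intentional, but if both elements are meant to carry the same capability bits, a differing H2E bit could surface as an RSNXE mismatch during the handshake. Either append `&& conf->sae_pwe != 3` to the condition, or add a comment such as `/* sae_pwe == 3 is not excluded here because ... */` recording why the two functions differ. The function body continues outside the hunk.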
index f8de1628beb9611efde6c17d24688ae85503be8e..2dad36ddc7e9970b0403e2a35ba9f2677bd2711b 100644 (file)
@@ -154,6 +154,9 @@ static struct wpabuf * sme_auth_build_sae_commit(struct wpa_supplicant *wpa_s,
 
        if (ssid->sae_password_id && wpa_s->conf->sae_pwe != 3)
                use_pt = 1;
+       if (wpa_key_mgmt_sae_ext_key(wpa_s->key_mgmt) &&
+           wpa_s->conf->sae_pwe != 3)
+               use_pt = 1;
 #ifdef CONFIG_SAE_PK
        if ((rsnxe_capa & BIT(WLAN_RSNX_CAPAB_SAE_PK)) &&
            ssid->sae_pk != SAE_PK_MODE_DISABLED &&
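Review bot: The new `if (wpa_key_mgmt_sae_ext_key(wpa_s->key_mgmt) && wpa_s->conf->sae_pwe != 3) use_pt = 1;` duplicates the shape of the password-identifier check directly above it, whereas wpa_supplicant_set_suites() in this same commit folds both triggers into one condition. Writing it as `if ((ssid->sae_password_id || wpa_key_mgmt_sae_ext_key(wpa_s->key_mgmt)) && wpa_s->conf->sae_pwe != 3)` keeps the `sae_pwe != 3` override in a single place, so the two H2E triggers cannot drift apart. A short comment such as `/* SAE-EXT-KEY AKMs are defined to use H2E only */` would also record why the configured sae_pwe value is ignored here. sme_auth_build_sae_commit() starts and ends outside the hunk.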
@@ -175,7 +178,8 @@ static struct wpabuf * sme_auth_build_sae_commit(struct wpa_supplicant *wpa_s,
        if (use_pt || wpa_s->conf->sae_pwe == 1 || wpa_s->conf->sae_pwe == 2) {
                use_pt = !!(rsnxe_capa & BIT(WLAN_RSNX_CAPAB_SAE_H2E));
 
-               if ((wpa_s->conf->sae_pwe == 1 || ssid->sae_password_id) &&
+               if ((wpa_s->conf->sae_pwe == 1 || ssid->sae_password_id ||
+                    wpa_key_mgmt_sae_ext_key(wpa_s->key_mgmt)) &&
                    wpa_s->conf->sae_pwe != 3 &&
                    !use_pt) {
                        wpa_printf(MSG_DEBUG,
index 0f35f491aa9bb108639672c5b0c44082a1b29a41..3130653ca7b3addf9ff36138f87912aae96e46e9 100644 (file)
@@ -1687,7 +1687,9 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s,
                wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_OCV, ssid->ocv);
 #endif /* CONFIG_OCV */
        sae_pwe = wpa_s->conf->sae_pwe;
-       if (ssid->sae_password_id && sae_pwe != 3)
+       if ((ssid->sae_password_id ||
+            wpa_key_mgmt_sae_ext_key(wpa_s->key_mgmt)) &&
+           sae_pwe != 3)
                sae_pwe = 1;
        wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_SAE_PWE, sae_pwe);
 #ifdef CONFIG_SAE_PK
@@ -2159,6 +2161,7 @@ static void wpa_s_setup_sae_pt(struct wpa_config *conf, struct wpa_ssid *ssid)
 
        if (!password ||
            (conf->sae_pwe == 0 && !ssid->sae_password_id &&
+            !wpa_key_mgmt_sae_ext_key(ssid->key_mgmt) &
             !sae_pk_valid_password(password)) ||
            conf->sae_pwe == 3) {
                /* PT derivation not needed */
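Review bot: The added line `!wpa_key_mgmt_sae_ext_key(ssid->key_mgmt) &` ends with a bitwise `&` where the surrounding condition uses `&&`. Both operands are results of `!`, so the truth value happens to match today, but `sae_pk_valid_password(password)` is now evaluated without short-circuiting, and the condition would silently change meaning if either operand stopped being strictly 0 or 1. Since this condition decides whether the PT needed for H2E is derived, it should read `!wpa_key_mgmt_sae_ext_key(ssid->key_mgmt) &&`. The body of wpa_s_setup_sae_pt() continues outside the hunk.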