From: Jouni Malinen Date: Mon, 30 Jan 2023 21:09:53 +0000 (+0200) Subject: SAE: Update PT value at later point for SME cases, if needed X-Git-Tag: hostap_2_11~1327 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bf124a03d58d9a6758f797a8cc99ec0d30b2b0e2;p=thirdparty%2Fhostap.git SAE: Update PT value at later point for SME cases, if needed It was possible to hit a case where the SAE PT had not yet been derived, e.g., when using P2P group re-invocation. Update PT use at the time authentication is started, if needed, to avoid this. While this is not really ideal from the externally observable timing view point, this is done only for the case where there is no other option available with a dynamically changing network configuration for P2P. Similar design was already in place for the SAE offload-from-driver (external auth) case. Signed-off-by: Jouni Malinen --- diff --git a/wpa_supplicant/sme.c b/wpa_supplicant/sme.c index 1fffebbdd..a728a0fff 100644 --- a/wpa_supplicant/sme.c +++ b/wpa_supplicant/sme.c @@ -234,6 +234,8 @@ static struct wpabuf * sme_auth_build_sae_commit(struct wpa_supplicant *wpa_s, } } + if (use_pt && !ssid->pt) + wpa_s_setup_sae_pt(wpa_s->conf, ssid, true); if (use_pt && sae_prepare_commit_pt(&wpa_s->sme.sae, ssid->pt, wpa_s->own_addr, addr, @@ -1399,7 +1401,7 @@ static int sme_handle_external_auth_start(struct wpa_supplicant *wpa_s, os_memcmp(ssid_str, ssid->ssid, ssid_str_len) == 0 && wpa_key_mgmt_sae(ssid->key_mgmt)) { /* Make sure PT is derived */ - wpa_s_setup_sae_pt(wpa_s->conf, ssid); + wpa_s_setup_sae_pt(wpa_s->conf, ssid, false); wpa_s->sme.ext_auth_wpa_ssid = ssid; break; } diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c index 5abed88c0..61aa55f81 100644 --- a/wpa_supplicant/wpa_supplicant.c +++ b/wpa_supplicant/wpa_supplicant.c @@ -2322,7 +2322,8 @@ int wpas_update_random_addr_disassoc(struct wpa_supplicant *wpa_s) } -void wpa_s_setup_sae_pt(struct wpa_config *conf, struct wpa_ssid *ssid) +void wpa_s_setup_sae_pt(struct wpa_config *conf, struct wpa_ssid *ssid, + bool force) { #ifdef CONFIG_SAE int *groups = conf->sae_groups; @@ -2339,6 +2340,7 @@ void wpa_s_setup_sae_pt(struct wpa_config *conf, struct wpa_ssid *ssid) if (!password || (conf->sae_pwe == SAE_PWE_HUNT_AND_PECK && !ssid->sae_password_id && !wpa_key_mgmt_sae_ext_key(ssid->key_mgmt) && + !force && !sae_pk_valid_password(password)) || conf->sae_pwe == SAE_PWE_FORCE_HUNT_AND_PECK) { /* PT derivation not needed */ @@ -2451,7 +2453,7 @@ void wpa_supplicant_associate(struct wpa_supplicant *wpa_s, #endif /* CONFIG_SAE */ } #ifdef CONFIG_SAE - wpa_s_setup_sae_pt(wpa_s->conf, ssid); + wpa_s_setup_sae_pt(wpa_s->conf, ssid, false); #endif /* CONFIG_SAE */ if (rand_style > WPAS_MAC_ADDR_STYLE_PERMANENT) { @@ -4722,7 +4724,7 @@ void wpa_supplicant_select_network(struct wpa_supplicant *wpa_s, wpa_s->last_owe_group = 0; if (ssid) { ssid->owe_transition_bss_select_count = 0; - wpa_s_setup_sae_pt(wpa_s->conf, ssid); + wpa_s_setup_sae_pt(wpa_s->conf, ssid, false); } if (wpa_s->connect_without_scan || diff --git a/wpa_supplicant/wpa_supplicant_i.h b/wpa_supplicant/wpa_supplicant_i.h index da8152560..06dcde199 100644 --- a/wpa_supplicant/wpa_supplicant_i.h +++ b/wpa_supplicant/wpa_supplicant_i.h @@ -1805,7 +1805,8 @@ static inline int wpas_mode_to_ieee80211_mode(enum wpas_mode mode) int wpas_network_disabled(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid); int wpas_get_ssid_pmf(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid); int pmf_in_use(struct wpa_supplicant *wpa_s, const u8 *addr); -void wpa_s_setup_sae_pt(struct wpa_config *conf, struct wpa_ssid *ssid); +void wpa_s_setup_sae_pt(struct wpa_config *conf, struct wpa_ssid *ssid, + bool force); bool wpas_is_sae_avoided(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid,