iw: connect: Add support for WPA3 SAE association

If the driver advertises NL80211_EXT_FEATURE_SAE_OFFLOAD, pass the
SAE password and let it handle SAE.

Added extra auth and key option to connect since SAE requires a separate
AUTHTYPE and a password instead of pre-shared keys.

Signed-off-by: Wonseok Kim <wonseok.kim@morsemicro.com>
Link: https://patch.msgid.link/20251008044847.16966-1-wonseok.kim@morsemicro.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

diff --git a/connect.c b/connect.c
index 33e1a5fb83c49518851b9a8c0e8f9cf0ab9bf826..14a8a7b4a44f84f6815ff773094c3ee678a41fa5 100644 (file)
--- a/connect.c
+++ b/connect.c
@@ -63,6 +63,10 @@ static int iw_conn(struct nl80211_state *state,
                        NLA_PUT_U32(msg, NL80211_ATTR_AUTH_TYPE,
                            NL80211_AUTHTYPE_SHARED_KEY);
                        need_key = true;
+               } else if (strcmp(argv[0], "sae") == 0) {
+                       NLA_PUT_U32(msg, NL80211_ATTR_AUTH_TYPE,
+                           NL80211_AUTHTYPE_SAE);
+                       need_key = true;
                } else {
                        return 1;
                }
@@ -229,6 +233,10 @@ static int iw_auth(struct nl80211_state *state,
                NLA_PUT_U32(msg, NL80211_ATTR_AUTH_TYPE,
                            NL80211_AUTHTYPE_SHARED_KEY);
                need_key = true;
+       } else if (strcmp(argv[0], "sae") == 0) {
+               NLA_PUT_U32(msg, NL80211_ATTR_AUTH_TYPE,
+                           NL80211_AUTHTYPE_SAE);
+               need_key = true;
        } else {
                return 1;
        }

diff --git a/util.c b/util.c
index a96fbf968244970685b75044b112bef5d7471bba..06c334702340b05c3cb18af2a6b6103da76d9510 100644 (file)
--- a/util.c
+++ b/util.c
@@ -285,6 +285,9 @@ static int parse_akm_suite(const char *cipher_str)
                return 0x000FAC03;
        if (!strcmp(cipher_str, "PSK/SHA-256"))
                return 0x000FAC06;
+       if (!strcmp(cipher_str, "SAE"))
+               return 0x000FAC08;
+
        return -EINVAL;
 }
 
@@ -373,6 +376,25 @@ int parse_keys(struct nl_msg *msg, char **argv[], int *argc)
                return 0;
        }
 
+       if (!memcmp(&arg[pos], "sae_pwd", 7)) {
+               pos += 7;
+               if (arg[pos] != ':')
+                       goto explain;
+               pos++;
+
+               NLA_PUT_U32(msg, NL80211_ATTR_WPA_VERSIONS, NL80211_WPA_VERSION_3);
+               NLA_PUT(msg, NL80211_ATTR_SAE_PASSWORD, strlen(&arg[pos]), &arg[pos]);
+               NLA_PUT_U32(msg, NL80211_ATTR_AUTH_TYPE, NL80211_AUTHTYPE_SAE);
+               NLA_PUT_U32(msg, NL80211_ATTR_AKM_SUITES, parse_akm_suite("SAE"));
+               NLA_PUT_U32(msg, NL80211_ATTR_CIPHER_SUITE_GROUP, parse_cipher_suite("CCMP"));
+               NLA_PUT_U32(msg, NL80211_ATTR_CIPHER_SUITES_PAIRWISE, parse_cipher_suite("CCMP"));
+
+               *argv += 1;
+               *argc -= 1;
+
+               return 0;
+       }
+
        NLA_PUT_FLAG(msg, NL80211_ATTR_PRIVACY);
 
        keys = nla_nest_start(msg, NL80211_ATTR_KEYS);
@@ -453,10 +475,12 @@ int parse_keys(struct nl_msg *msg, char **argv[], int *argc)
                        "           or 10 or 26 hex digits\n"
                        "for example: d:2:6162636465 is the same as d:2:abcde\n"
                        "or psk:data <AKM Suite> <pairwise CIPHER> <groupwise CIPHER> where\n"
-                       "  'data' is the PSK (output of wpa_passphrase and the CIPHER can be CCMP or GCMP\n"
+                       "  'data' is the PSK (output of wpa_passphrase and the CIPHER can be CCMP or GCMP)\n"
                        "for example: psk:0123456789abcdef PSK CCMP CCMP\n"
                        "The allowed AKM suites are PSK, FT/PSK, PSK/SHA-256\n"
-                       "The allowed Cipher suites are TKIP, CCMP, GCMP, GCMP-256, CCMP-256\n");
+                       "The allowed Cipher suites are TKIP, CCMP, GCMP, GCMP-256, CCMP-256\n"
+                       "or sae_pwd:data where 'data' is the password\n"
+                       "for example: sae_pwd:foobar\n");
        return 2;
 }