[PATCH] Do not use SAE key_mgmt without PMF

Jouni Malinen j at w1.fi
Sun Oct 16 08:34:18 PDT 2022

On Tue, Oct 11, 2022 at 09:49:18PM +0000, Jeffery Miller wrote:
> Add `sae_check_mfp` network option to limit SAE when PMF will
> not be selected for the connection.
> Avoids SAE when the hardware is not capable of PMF.
> Avoids SAE on capable hardware when the AP does not enable PMF.

Why would this be done? IEEE Std 802.11-2020 allows SAE to be used
regardless of whether management frame protection is enabled.
WPA3-Personal may have this type of restriction, but that is not the
only way SAE would be allowed to be used and as such, I'm not keen on
enforcing this unconditionally.

> Allows falling back to PSK on drivers that have the
> WPA_DRIVER_FLAGS_SAE capability but do not support the BIP cipher
> necessary for PMF. This enables configurations that can fall back
> to WPA-PSK and avoid association problems with APs configured
> with `sae_require_mfp=1`.
> Useful with networks configured with ieee80211w unspecified (default),
> sae_check_mfp=1, key_mgmt="WPA-PSK SAE" and the wpa_supplicant global
> `pmf=1`. In this configuration, if the device is unable to use
> PMF due to lacking BIP group ciphers it will disable SAE and fall back to

If this type of functionality is needed from the WPA3 view point, it
could be fine to add this using a global parameter that would enable
this behavior while leaving the existing behavior (SAE allowed without
PMF) to continue to be the default.

Jouni Malinen                                            PGP id EFC895FA
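The configuration shape the two messages are arguing about, as an added example that is not part of the thread and not hostap's own code. It uses only existing wpa_supplicant.conf options (global `pmf`, per-network `ieee80211w`, `key_mgmt`, `priority`); the SSID and passphrase are constructed, and the patch's proposed `sae_check_mfp` option is deliberately not shown, since the thread has not settled its name or scope.

```ini
# Added example (not from the thread or from hostap): wpa_supplicant.conf
# fragments showing SAE without a PMF requirement beside the WPA3-Personal
# style equivalent that requires PMF and keeps WPA-PSK as a separate fallback.

# Global: 1 = PMF optional. PMF is negotiated when the AP advertises it, but
# this alone does not stop SAE from being used against a non-PMF AP.
pmf=1

# Weak (standard-compliant, as Jouni's reply notes, but not what
# WPA3-Personal expects): ieee80211w is unspecified, so the global pmf=1
# applies and SAE can be negotiated with an AP that does not enable PMF.
network={
    ssid="example-net"                        # constructed SSID
    key_mgmt=SAE
    sae_password="correct horse battery staple"  # constructed passphrase
}

# Corrected: require PMF on the SAE block. A BSS that does not advertise
# PMF does not match this block, so wpa_supplicant does not run SAE to it.
network={
    ssid="example-net"
    key_mgmt=SAE
    ieee80211w=2          # 2 = PMF required for this network
    sae_password="correct horse battery staple"
    priority=10           # tried before the WPA-PSK block below
}

# Fallback: same SSID, WPA-PSK only, lower priority, PMF optional. This is
# what gets selected when the SAE block above cannot be used for a BSS.
network={
    ssid="example-net"
    key_mgmt=WPA-PSK
    ieee80211w=1          # 1 = PMF optional
    psk="correct horse battery staple"
    priority=1
}
```

Two network blocks with the same SSID are allowed; `priority` orders which one wpa_supplicant tries first. Note what this does and does not cover: `ieee80211w=2` handles the AP side (an AP without MFPC is skipped for the SAE block), but it is the driver side, a driver advertising WPA_DRIVER_FLAGS_SAE without BIP support, that the patch's `sae_check_mfp` is meant to handle, which is why the patch cannot be replaced by per-network settings alone.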
