[PATCH] Do not use SAE key_mgmt without PMF

Jouni Malinen j at w1.fi
Sun Oct 16 08:34:18 PDT 2022


On Tue, Oct 11, 2022 at 09:49:18PM +0000, Jeffery Miller wrote:
> Add `sae_check_mfp` network option to limit SAE when PMF will
> not be selected for the connection.
> Avoids SAE when the hardware is not capable of PMF.
> Avoids SAE on capable hardware when the AP does not enable PMF.

Why would this be done? IEEE Std 802.11-2020 allows SAE to be used
regardless of whether management frame protection is enabled.
WPA3-Personal may have this type of restriction, but that is not the
only way SAE would be allowed to be used and as such, I'm not keen on
enforcing this unconditionally.

> Allows falling back to PSK on drivers that have the
> WPA_DRIVER_FLAGS_SAE capability but do not support the BIP cipher
> necessary for PMF. This enables configurations that can fall back
> to WPA-PSK and avoid association problems with APs configured
> with `sae_require_mfp=1`.
> 
> Useful with networks configured with ieee80211w unspecified (default),
> sae_check_mfp=1, key_mgmt="WPA-PSK SAE" and the wpa_supplicant global
> `pmf=1`. In this configuration, if the device is unable to use
> PMF due to lacking BIP group ciphers it will disable SAE and fall back to
> WPA-PSK.

If this type of functionality is needed from the WPA3 viewpoint, it
could be fine to add this using a global parameter that would enable
this behavior while leaving the existing behavior (SAE allowed without
PMF) to continue to be the default.

-- 
Jouni Malinen                                            PGP id EFC895FA
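The scenario argued over above, as an added worked example that is not part of the thread and not wpa_supplicant code: a small model of the AKM selection. It parses a real RSN element body (IEEE 802.11 element ID 48, suite selectors and the MFPC/MFPR capability bits as defined there) as an AP advertises it, combines it with the driver's capabilities and the network block, and reports which key_mgmt is chosen and whether PMF is negotiated. The `sae_check_mfp` knob follows the semantics given in the commit message, with Jouni's preferred default (SAE allowed without PMF) when it is off; the RSN elements are constructed inline to stand in for scan results, and `select_key_mgmt`, `parse_rsn_element` and `build_rsn_element` are names chosen for this example.

```python
"""Added example, not wpa_supplicant code: model of SAE/WPA-PSK selection
with and without the sae_check_mfp behaviour proposed in the patch."""
import struct
from dataclasses import dataclass
from typing import List, Optional

OUI_IEEE = b"\x00\x0f\xac"
AKM_PSK = OUI_IEEE + b"\x02"                 # 00-0F-AC:2  WPA-PSK
AKM_SAE = OUI_IEEE + b"\x08"                 # 00-0F-AC:8  SAE
CIPHER_CCMP = OUI_IEEE + b"\x04"             # 00-0F-AC:4  CCMP-128
CIPHER_BIP_CMAC_128 = OUI_IEEE + b"\x06"     # 00-0F-AC:6  BIP-CMAC-128
RSN_CAP_MFPR, RSN_CAP_MFPC = 1 << 6, 1 << 7  # RSN Capabilities bits 6 and 7


@dataclass
class RsnInfo:
    akms: List[bytes]
    mfpc: bool
    mfpr: bool
    group_mgmt_cipher: Optional[bytes]


def parse_rsn_element(body: bytes) -> RsnInfo:
    """Parse an RSN element body (after the ID/length octets).  RSN
    Capabilities, PMKID list and group management cipher are optional
    trailing fields, so each is read only if present."""
    (version,) = struct.unpack_from("<H", body, 0)
    if version != 1:
        raise ValueError("unsupported RSN version %d" % version)
    off = 2 + 4                                   # skip group data cipher
    (n_pairwise,) = struct.unpack_from("<H", body, off)
    off += 2 + 4 * n_pairwise
    (n_akm,) = struct.unpack_from("<H", body, off)
    off += 2
    akms = [body[off + 4 * i:off + 4 * i + 4] for i in range(n_akm)]
    off += 4 * n_akm
    mfpc = mfpr = False
    gmc = None
    if off + 2 <= len(body):
        (caps,) = struct.unpack_from("<H", body, off)
        off += 2
        mfpc, mfpr = bool(caps & RSN_CAP_MFPC), bool(caps & RSN_CAP_MFPR)
        if off + 2 <= len(body):
            (n_pmkid,) = struct.unpack_from("<H", body, off)
            off += 2 + 16 * n_pmkid
            if off + 4 <= len(body):
                gmc = body[off:off + 4]
    return RsnInfo(akms, mfpc, mfpr, gmc)


def build_rsn_element(akms, mfpc, mfpr, group_mgmt_cipher=None) -> bytes:
    """Constructed RSN element body standing in for a scan result."""
    caps = (RSN_CAP_MFPC if mfpc else 0) | (RSN_CAP_MFPR if mfpr else 0)
    body = struct.pack("<H", 1) + CIPHER_CCMP             # version, group cipher
    body += struct.pack("<H", 1) + CIPHER_CCMP            # one pairwise cipher
    body += struct.pack("<H", len(akms)) + b"".join(akms)
    body += struct.pack("<H", caps)
    if group_mgmt_cipher is not None:
        body += struct.pack("<H", 0) + group_mgmt_cipher  # no PMKIDs, then GMC
    return body


def select_key_mgmt(rsn, driver_sae, driver_bip, key_mgmt, pmf, sae_check_mfp):
    """Return (akm, pmf_negotiated); akm is None when the AP is not usable.
    pmf mirrors the wpa_supplicant global: 0 disabled, 1 optional, 2 required.
    SAE is preferred over WPA-PSK when both sides allow both."""
    sta_mfpc = pmf != 0 and driver_bip
    if rsn.mfpr and not sta_mfpc:
        return None, False          # AP requires PMF, STA cannot offer it
    if pmf == 2 and not rsn.mfpc:
        return None, False          # STA requires PMF, AP does not support it
    pmf_used = sta_mfpc and rsn.mfpc
    candidates = []
    if "SAE" in key_mgmt and driver_sae and AKM_SAE in rsn.akms:
        # sae_check_mfp=0 (default): SAE allowed without PMF, as 802.11 permits.
        # sae_check_mfp=1 (patch): drop SAE when PMF will not be negotiated.
        if pmf_used or not sae_check_mfp:
            candidates.append("SAE")
    if "WPA-PSK" in key_mgmt and AKM_PSK in rsn.akms:
        candidates.append("WPA-PSK")
    return (candidates[0], pmf_used) if candidates else (None, False)


# Thread scenario: hostapd with optional MFP and sae_require_mfp=1 (MFPC set,
# MFPR clear), STA driver with WPA_DRIVER_FLAGS_SAE but no BIP cipher.
TRANSITION_AP = build_rsn_element([AKM_PSK, AKM_SAE], mfpc=True, mfpr=False,
                                  group_mgmt_cipher=CIPHER_BIP_CMAC_128)
NETWORK = dict(key_mgmt=["WPA-PSK", "SAE"], pmf=1)


def thread_scenario(sae_check_mfp):
    rsn = parse_rsn_element(TRANSITION_AP)
    return select_key_mgmt(rsn, driver_sae=True, driver_bip=False,
                           sae_check_mfp=sae_check_mfp, **NETWORK)


if __name__ == "__main__":
    for flag in (0, 1):
        akm, pmf = thread_scenario(flag)
        print("sae_check_mfp=%d -> %s, PMF %s" % (flag, akm, "yes" if pmf else "no"))
```

With the knob off the model picks SAE without PMF, which is what the AP's sae_require_mfp=1 then rejects at association; with it on, SAE is dropped and WPA-PSK is used instead, which is the fallback the patch describes. The MFPR and pmf=2 checks are the unconditional cases that already exclude an AP regardless of the knob.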
