[PATCH] Do not use SAE key_mgmt without PMF

Jeffery Miller jefferymiller at google.com
Tue Oct 18 16:49:34 PDT 2022

On Sun, Oct 16, 2022 at 10:34 AM Jouni Malinen <j at w1.fi> wrote:
> On Tue, Oct 11, 2022 at 09:49:18PM +0000, Jeffery Miller wrote:
> > Add `sae_check_mfp` network option to limit SAE when PMF will
> > not be selected for the connection.
> > Avoids SAE when the hardware is not capable of PMF.
> > Avoids SAE on capable hardware when the AP does not enable PMF.
> Why would this be done? IEEE Std 802.11-2020 allows SAE to be used
> regardless of whether management frame protection is enabled.
> WPA3-Personal may have this type of a restriction, but that is not the
> only way SAE would be allowed to be used and as such, I'm not keen on
> enforcing this unconditionally.

It isn't intended to be enforced by default without the new option.
The changelog comment is misleading.
One goal is to enable a similar behavior as the pmf=1 global flag allowing
avoidance of SAE based on the lack of device PMF capabilities. Allowing
the decision to be enabled in wpa_supplicant instead of requiring the network
configuration to be aware of the capabilities.

> If these type of functionality is needed from the WPA3 view point, it
> could be fine to add this using a global parameter that would enable
> this behavior while leaving the existing behavior (SAE allowed without
> PMF) to continue to be the default.

It is a better fit for a global option where SAE allowed without PMF is still
the default.
I will submit a new version where it is a global instead of per-network change.

More information about the Hostap mailing list