[PATCH 2/2] SAE: Pass SAE password on connect for SAE authentication offload support
Dan Williams
dcbw at redhat.com
Sat Aug 19 18:47:17 PDT 2023
On Wed, 2023-07-19 at 14:22 +0900, Daisuke Mizobuchi wrote:
> From: Chung-Hsien Hsu <stanley.hsu at cypress.com>
>
> Pass SAE password on connect if driver advertises SAE authentication
> offload support.
>
> Signed-off-by: Chung-Hsien Hsu <chung-hsien.hsu at infineon.com>
> Signed-off-by: Daisuke Mizobuchi <mizo at atmark-techno.com>
> ---
> src/drivers/driver.h | 8 ++++++++
> src/drivers/driver_nl80211.c | 26 ++++++++++++++++++++++++--
> wpa_supplicant/wpa_supplicant.c | 15 ++++++++++++++-
> 3 files changed, 46 insertions(+), 3 deletions(-)
>
> diff --git a/src/drivers/driver.h b/src/drivers/driver.h
> index 265e442bf..76e0ca5af 100644
> --- a/src/drivers/driver.h
> +++ b/src/drivers/driver.h
> @@ -1121,6 +1121,14 @@ struct wpa_driver_associate_params {
> */
> const u8 *psk;
>
> + /**
> + * sae_password - Password for SAE authentication
> + *
> + * This value is made available only for WPA3-Personal (SAE) and only
> + * for drivers that set WPA_DRIVER_FLAGS2_SAE_OFFLOAD.
> + */
> + const char *sae_password;
> +
> /**
> * drop_unencrypted - Enable/disable unencrypted frame filtering
> *
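Review bot: The new `sae_password` comment does not state the pointer's format or ownership, and the nl80211 hunk depends on both: it calls `os_strlen()` on it, so it must be a NUL-terminated C string, and it is only a borrowed reference to the network configuration, not a copy the driver may keep. Suggest extending the comment with `* NUL-terminated string owned by the caller; NULL when the network uses a passphrase instead (see passphrase).` so driver authors do not retain or free it. The struct definition starts and ends outside the hunk.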
> diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c
> index e4180daed..a83bfb136 100644
> --- a/src/drivers/driver_nl80211.c
> +++ b/src/drivers/driver_nl80211.c
> @@ -6753,8 +6753,12 @@ static int nl80211_connect_common(struct wpa_driver_nl80211_data *drv,
>
> if (params->wpa_proto & WPA_PROTO_WPA)
> ver |= NL80211_WPA_VERSION_1;
> - if (params->wpa_proto & WPA_PROTO_RSN)
> - ver |= NL80211_WPA_VERSION_2;
> + if (params->wpa_proto & WPA_PROTO_RSN) {
> + if (params->key_mgmt_suite == WPA_KEY_MGMT_SAE)
> + ver |= NL80211_WPA_VERSION_3;
> + else
> + ver |= NL80211_WPA_VERSION_2;
> + }
>
> wpa_printf(MSG_DEBUG, " * WPA Versions 0x%x", ver);
> if (nla_put_u32(msg, NL80211_ATTR_WPA_VERSIONS, ver))
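Review bot: The WPA3 version selection on the `if (params->key_mgmt_suite == WPA_KEY_MGMT_SAE)` line covers only plain SAE, while the wpa_supplicant hunk enables the offload path for every AKM accepted by `wpa_key_mgmt_sae()` (FT-SAE and the SAE-EXT-KEY variants are in the mask it clears). For those AKMs the driver would be told NL80211_WPA_VERSION_2 while being asked for SAE authentication, which is inconsistent at best. Suggest `if (wpa_key_mgmt_sae(params->key_mgmt_suite))` if that helper is visible in this file, or listing the remaining SAE AKMs explicitly. nl80211_connect_common starts and ends outside the hunk.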
> @@ -6926,6 +6930,22 @@ static int nl80211_connect_common(struct wpa_driver_nl80211_data *drv,
> return -1;
> }
>
> + /* add SAE password in case of SAE authentication offload */
> + if ((params->sae_password || params->passphrase) &&
> + (drv->capa.flags2 & WPA_DRIVER_FLAGS2_SAE_OFFLOAD)) {
> + const char *password;
> + size_t pwd_len;
> +
> + password = params->sae_password;
> + if (!password)
> + password = params->passphrase;
> + pwd_len = os_strlen(password);
> + wpa_hexdump_ascii_key(MSG_DEBUG, " * SAE password",
> + (u8 *) password, pwd_len);
> + if (nla_put(msg, NL80211_ATTR_SAE_PASSWORD, pwd_len, password))
> + return -1;
This seems to be incompatible with sae_password_id, or at least things
that offload SAE cannot currently offload the password ID. Is that
correct?
If so, should the patch also raise a warning for the ssid block/config
if sae_password_id is specified, but the device is using SAE offload?
Dan
> + }
> +
> if (nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT))
> return -1;
>
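Review bot: The gate before the new `NL80211_ATTR_SAE_PASSWORD` attribute is only "some password is present and the driver advertises SAE offload"; it never checks that this connection actually selected SAE. On a driver with that flag, a WPA2-PSK connection whose `params->passphrase` was filled in by the existing PSK-offload path (not visible here) would also carry the SAE password attribute. The supplicant hunk sets `params.auth_alg = WPA_AUTH_ALG_SAE` in exactly the offload case, so tying the gate to it keeps the two sides consistent: `if (params->auth_alg == WPA_AUTH_ALG_SAE && (params->sae_password || params->passphrase) && (drv->capa.flags2 & WPA_DRIVER_FLAGS2_SAE_OFFLOAD)) {`. Separately, `(u8 *) password` strips const for a read-only hexdump; `(const u8 *) password` is sufficient. The enclosing function continues outside the hunk.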
> @@ -7044,6 +7064,8 @@ static int wpa_driver_nl80211_try_connect(
> algs++;
> if (params->auth_alg & WPA_AUTH_ALG_FT)
> algs++;
> + if (params->auth_alg & WPA_AUTH_ALG_SAE)
> + algs++;
> if (algs > 1) {
> wpa_printf(MSG_DEBUG, " * Leave out Auth Type for automatic "
> "selection");
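Review bot: Counting `WPA_AUTH_ALG_SAE` toward `algs` only influences the "leave out Auth Type" decision; the translation of a single algorithm into NL80211_ATTR_AUTH_TYPE happens below the hunk and is not visible here, so confirm it yields NL80211_AUTHTYPE_SAE for WPA_AUTH_ALG_SAE, otherwise an SAE-only offload connect is sent with the wrong or an unsupported auth type. A short comment on the new check, e.g. `/* SAE offload: the driver runs the SAE exchange itself */`, would tell the reader why SAE now appears in a list that previously held only software-handled algorithms. wpa_driver_nl80211_try_connect starts and ends outside the hunk.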
> diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c
> index e0f3240e8..271cb2205 100644
> --- a/wpa_supplicant/wpa_supplicant.c
> +++ b/wpa_supplicant/wpa_supplicant.c
> @@ -1761,7 +1761,8 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s,
>
> sel = ie.key_mgmt & ssid->key_mgmt;
> #ifdef CONFIG_SAE
> - if (!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_SAE) ||
> + if (!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_SAE) &&
> + !(wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SAE_OFFLOAD) ||
> wpas_is_sae_avoided(wpa_s, ssid, &ie))
> sel &= ~(WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_SAE_EXT_KEY |
> WPA_KEY_MGMT_FT_SAE | WPA_KEY_MGMT_FT_SAE_EXT_KEY);
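Review bot: The rewritten condition mixes `&&` and `||` without parentheses; it parses as intended only because `&&` binds tighter, and compilers with -Wlogical-op-parentheses (and checkpatch) will flag it. Make the grouping explicit: `if ((!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_SAE) && !(wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SAE_OFFLOAD)) || wpas_is_sae_avoided(wpa_s, ssid, &ie))`. wpa_supplicant_set_suites starts and ends outside the hunk.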
> @@ -4260,6 +4261,18 @@ static void wpas_start_assoc_cb(struct wpa_radio_work *work, int deinit)
> params.psk = psk;
> }
>
> + if ((wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SAE_OFFLOAD) &&
> + wpa_key_mgmt_sae(params.key_mgmt_suite)) {
> + params.auth_alg = WPA_AUTH_ALG_SAE;
> + if (ssid->sae_password)
> + params.sae_password = ssid->sae_password;
> + else if (ssid->passphrase)
> + params.passphrase = ssid->passphrase;
> +
> + if (ssid->psk_set)
> + params.psk = ssid->psk;
> + }
> +
> params.drop_unencrypted = use_crypt;
>
> params.mgmt_frame_protection = wpas_get_ssid_pmf(wpa_s, ssid);
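Review bot: The new block sets `params.auth_alg = WPA_AUTH_ALG_SAE` even when the network has neither `sae_password` nor `passphrase` (a configuration with only a raw psk), leaving the driver asked to perform SAE with no credential; the nl80211 hunk then silently omits the password attribute and the failure surfaces only as an opaque driver error. The software SAE path rejects such a network up front (not visible here, hedged), and this path should do the same: `if (!ssid->sae_password && !ssid->passphrase) { wpa_printf(MSG_DEBUG, "SAE: No password available for offload"); }` followed by aborting the association the way the surrounding function does for other configuration errors. wpas_start_assoc_cb starts and ends outside the hunk.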