[PATCH 2/2] SAE: Pass SAE password on connect for SAE authentication offload support
Daisuke Mizobuchi
mizo at atmark-techno.com
Tue Jul 18 22:22:27 PDT 2023
From: Chung-Hsien Hsu <stanley.hsu at cypress.com>
Pass SAE password on connect if driver advertises SAE authentication
offload support.
Signed-off-by: Chung-Hsien Hsu <chung-hsien.hsu at infineon.com>
Signed-off-by: Daisuke Mizobuchi <mizo at atmark-techno.com>
---
src/drivers/driver.h | 8 ++++++++
src/drivers/driver_nl80211.c | 26 ++++++++++++++++++++++++--
wpa_supplicant/wpa_supplicant.c | 15 ++++++++++++++-
3 files changed, 46 insertions(+), 3 deletions(-)
diff --git a/src/drivers/driver.h b/src/drivers/driver.h
index 265e442bf..76e0ca5af 100644
--- a/src/drivers/driver.h
+++ b/src/drivers/driver.h
@@ -1121,6 +1121,14 @@ struct wpa_driver_associate_params {
*/
const u8 *psk;
+ /**
+ * sae_password - Password for SAE authentication
+ *
+ * This value is made available only for WPA3-Personal (SAE) and only
+ * for drivers that set WPA_DRIVER_FLAGS2_SAE_OFFLOAD.
+ */
+ const char *sae_password;
+
/**
* drop_unencrypted - Enable/disable unencrypted frame filtering
*
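Review bot: The new doc comment for `sae_password` does not say what happens when it is left unset, although the driver_nl80211.c hunk in this same patch falls back to `passphrase` in that case; a reader of driver.h alone would not know that `passphrase` can also carry the SAE password. Add a line such as `* If %NULL, passphrase is used as the SAE password when set.` to the comment. The comment should also state that the pointer is not owned by the driver (it is expected to point at the network configuration string and must stay valid for the duration of the connect call) — the hunk leaves ownership and lifetime unstated, which matters for a secret. `struct wpa_driver_associate_params` begins and ends outside this hunk.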
diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c
index e4180daed..a83bfb136 100644
--- a/src/drivers/driver_nl80211.c
+++ b/src/drivers/driver_nl80211.c
@@ -6753,8 +6753,12 @@ static int nl80211_connect_common(struct wpa_driver_nl80211_data *drv,
if (params->wpa_proto & WPA_PROTO_WPA)
ver |= NL80211_WPA_VERSION_1;
- if (params->wpa_proto & WPA_PROTO_RSN)
- ver |= NL80211_WPA_VERSION_2;
+ if (params->wpa_proto & WPA_PROTO_RSN) {
+ if (params->key_mgmt_suite == WPA_KEY_MGMT_SAE)
+ ver |= NL80211_WPA_VERSION_3;
+ else
+ ver |= NL80211_WPA_VERSION_2;
+ }
wpa_printf(MSG_DEBUG, " * WPA Versions 0x%x", ver);
if (nla_put_u32(msg, NL80211_ATTR_WPA_VERSIONS, ver))
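Review bot: The WPA version 3 selection only matches `WPA_KEY_MGMT_SAE`, while the wpa_supplicant.c hunk of this patch (`wpas_start_assoc_cb`) enables the offload path with `wpa_key_mgmt_sae(params.key_mgmt_suite)`, which also covers the SAE_EXT_KEY and FT-SAE variants; those suites would reach this code with SAE auth but advertise `NL80211_WPA_VERSION_2`. Use the same predicate here: `if (wpa_key_mgmt_sae(params->key_mgmt_suite))`. Note also that this change is not gated on `WPA_DRIVER_FLAGS2_SAE_OFFLOAD`; if `nl80211_connect_common` is also reached from the SME associate path for non-offloaded SAE (not visible here), the version bit would change for that path too, which deserves a comment or a flag check. `nl80211_connect_common` starts and ends outside the hunk.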
@@ -6926,6 +6930,22 @@ static int nl80211_connect_common(struct wpa_driver_nl80211_data *drv,
return -1;
}
+ /* add SAE password in case of SAE authentication offload */
+ if ((params->sae_password || params->passphrase) &&
+ (drv->capa.flags2 & WPA_DRIVER_FLAGS2_SAE_OFFLOAD)) {
+ const char *password;
+ size_t pwd_len;
+
+ password = params->sae_password;
+ if (!password)
+ password = params->passphrase;
+ pwd_len = os_strlen(password);
+ wpa_hexdump_ascii_key(MSG_DEBUG, " * SAE password",
+ (u8 *) password, pwd_len);
+ if (nla_put(msg, NL80211_ATTR_SAE_PASSWORD, pwd_len, password))
+ return -1;
+ }
+
if (nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT))
return -1;
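Review bot: The condition that attaches `NL80211_ATTR_SAE_PASSWORD` checks only that a password is present and that the driver advertises SAE offload, not that the selected key management is SAE; if `params->passphrase` is populated for a non-SAE network on some other path in the caller (the wpa_supplicant.c hunk only shows the SAE-offload assignment, so this is inferred), a driver that advertises the flag would receive an SAE password attribute on a plain PSK connect. Tighten the guard to `if ((params->sae_password || params->passphrase) && wpa_key_mgmt_sae(params->key_mgmt_suite) && (drv->capa.flags2 & WPA_DRIVER_FLAGS2_SAE_OFFLOAD)) {`. Separately, the `(u8 *) password` cast strips `const` for no reason; `(const u8 *) password` keeps the secret read-only and matches the pointer's declaration. The enclosing function continues outside the hunk.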
@@ -7044,6 +7064,8 @@ static int wpa_driver_nl80211_try_connect(
algs++;
if (params->auth_alg & WPA_AUTH_ALG_FT)
algs++;
+ if (params->auth_alg & WPA_AUTH_ALG_SAE)
+ algs++;
if (algs > 1) {
wpa_printf(MSG_DEBUG, " * Leave out Auth Type for automatic "
"selection");
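Review bot: Counting `WPA_AUTH_ALG_SAE` here only affects the "more than one algorithm" decision; the branch that maps a single `auth_alg` to `NL80211_ATTR_AUTH_TYPE` is outside the hunk, and with `params.auth_alg = WPA_AUTH_ALG_SAE` now set by wpa_supplicant.c the `algs == 1` case needs a mapping to `NL80211_AUTHTYPE_SAE` for the offload to work. Please confirm that mapping exists in the rest of `wpa_driver_nl80211_try_connect`, or add it in this patch. `wpa_driver_nl80211_try_connect` starts and ends outside the hunk.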
diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c
index e0f3240e8..271cb2205 100644
--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c
@@ -1761,7 +1761,8 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s,
sel = ie.key_mgmt & ssid->key_mgmt;
#ifdef CONFIG_SAE
- if (!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_SAE) ||
+ if (!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_SAE) &&
+ !(wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SAE_OFFLOAD) ||
wpas_is_sae_avoided(wpa_s, ssid, &ie))
sel &= ~(WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_SAE_EXT_KEY |
WPA_KEY_MGMT_FT_SAE | WPA_KEY_MGMT_FT_SAE_EXT_KEY);
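Review bot: The new condition relies on `&&` binding tighter than `||` — `!A && !B || C` — which is the intended grouping but is exactly the form `-Wparentheses` flags and that the next reader will have to re-derive. Make the grouping explicit: `if ((!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_SAE) &&` / `     !(wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SAE_OFFLOAD)) ||` / `    wpas_is_sae_avoided(wpa_s, ssid, &ie))`. `wpa_supplicant_set_suites` starts and ends outside the hunk.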
@@ -4260,6 +4261,18 @@ static void wpas_start_assoc_cb(struct wpa_radio_work *work, int deinit)
params.psk = psk;
}
+ if ((wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SAE_OFFLOAD) &&
+ wpa_key_mgmt_sae(params.key_mgmt_suite)) {
+ params.auth_alg = WPA_AUTH_ALG_SAE;
+ if (ssid->sae_password)
+ params.sae_password = ssid->sae_password;
+ else if (ssid->passphrase)
+ params.passphrase = ssid->passphrase;
+
+ if (ssid->psk_set)
+ params.psk = ssid->psk;
+ }
+
params.drop_unencrypted = use_crypt;
params.mgmt_frame_protection = wpas_get_ssid_pmf(wpa_s, ssid);
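Review bot: The offload block sets `params.auth_alg = WPA_AUTH_ALG_SAE` unconditionally, but supplies a password only when `ssid->sae_password` or `ssid->passphrase` is set; a network configured with only a raw `psk` (so `psk_set` but no passphrase) is still sent down the SAE offload path with `params.psk` and no SAE password, and SAE cannot be run from a PSK. Either skip the offload branch when neither password is available, e.g. `if (!ssid->sae_password && !ssid->passphrase) { wpa_printf(MSG_DEBUG, "SAE: No password for SAE offload"); } else { ... }`, or document why `params.psk` is passed here (presumably for the PSK/SAE transition case — confirm). A short comment on the `psk_set` assignment stating its purpose would help either way. `wpas_start_assoc_cb` starts and ends outside the hunk.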
--
2.30.2