On Tue, Oct 11, 2022 at 09:49:18PM +0000, Jeffery Miller wrote:
> Add `sae_check_mfp` network option to limit SAE when PMF will
> not be selected for the connection.
> Avoids SAE when the hardware is not capable of PMF.
> Avoids SAE on capable hardware when the AP does not enable PMF.

Why would this be done? IEEE Std 802.11-2020 allows SAE to be used
regardless of whether management frame protection is enabled.
WPA3-Personal may have this type of a restriction, but that is not the
only way SAE would be allowed to be used and as such, I'm not keen on
enforcing this unconditionally.

> Allows falling back to PSK on drivers with the
> WPA_DRIVER_FLAGS_SAE capability but that do not support the BIP cipher
> necessary for PMF. This enables configurations that can fall back
> to WPA-PSK and avoid association problems with APs configured
> with `sae_require_mfp=1`.
>
> Useful with networks configured with ieee80211w unspecified (default),
> sae_check_mfp=1, key_mgmt="WPA-PSK SAE" and the wpa_supplicant global
> `pmf=1`. In this configuration, if the device is unable to use
> PMF due to lacking BIP group ciphers, it will disable SAE and fall back to
> WPA-PSK.

If this type of functionality is needed from the WPA3 viewpoint, it could
be fine to add this using a global parameter that would enable this
behavior while leaving the existing behavior (SAE allowed without PMF) to
continue to be the default.

-- 
Jouni Malinen                                            PGP id EFC895FA

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
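The setup the quoted patch description refers to, written out as hostapd and wpa_supplicant configuration. This is an added example, not part of the original message or of the hostap tree: `sae_check_mfp` is the network parameter the patch proposes, not an option of the released wpa_supplicant at the time of this thread, and the interface name, SSID and passphrase are placeholders.

```ini
# hostapd.conf (AP side): WPA2-PSK/SAE transition mode. PMF is optional
# (ieee80211w=1), but SAE stations must negotiate it (sae_require_mfp=1),
# which is the AP setting that makes a PMF-incapable SAE station fail to
# associate.
interface=wlan0
ssid=example-transition
wpa=2
wpa_key_mgmt=WPA-PSK SAE
wpa_pairwise=CCMP
wpa_passphrase=correct-horse-battery-staple
ieee80211w=1
sae_require_mfp=1

# wpa_supplicant.conf (station side): the configuration from the patch
# description. pmf=1 is the global default (PMF optional); it can only be
# honoured if the driver offers a BIP group cipher.
pmf=1
network={
    ssid="example-transition"
    psk="correct-horse-battery-staple"
    key_mgmt=WPA-PSK SAE
    # ieee80211w is deliberately left unset so the global pmf=1 applies.
    # Proposed option: if PMF will not be used for this connection (no BIP
    # support in the driver, or the AP does not enable PMF), drop SAE and
    # select WPA-PSK instead of attempting SAE and being rejected by an AP
    # with sae_require_mfp=1. Without it, SAE is selected regardless of PMF.
    sae_check_mfp=1
}
```

Note that the two sides are shown in one block only for reading side by side; they belong in the respective hostapd.conf and wpa_supplicant.conf files. The reply above argues for gating this behaviour behind a global parameter rather than a per-network one, so the option name and placement should be checked against whatever was finally merged before relying on it.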