On Wed, 2023-07-19 at 14:22 +0900, Daisuke Mizobuchi wrote:
> From: Chung-Hsien Hsu <stanley.hsu@xxxxxxxxxxx>
>
> Pass SAE password on connect if driver advertises SAE authentication
> offload support.
>
> Signed-off-by: Chung-Hsien Hsu <chung-hsien.hsu@xxxxxxxxxxxx>
> Signed-off-by: Daisuke Mizobuchi <mizo@xxxxxxxxxxxxxxxxx>
> ---
> src/drivers/driver.h | 8 ++++++++
> src/drivers/driver_nl80211.c | 26 ++++++++++++++++++++++++--
> wpa_supplicant/wpa_supplicant.c | 15 ++++++++++++++-
> 3 files changed, 46 insertions(+), 3 deletions(-)
>
> diff --git a/src/drivers/driver.h b/src/drivers/driver.h
> index 265e442bf..76e0ca5af 100644
> --- a/src/drivers/driver.h
> +++ b/src/drivers/driver.h
> @@ -1121,6 +1121,14 @@ struct wpa_driver_associate_params {
> */
> const u8 *psk;
>
> + /**
> + * sae_password - Password for SAE authentication
> + *
> + * This value is made available only for WPA3-Personal (SAE) and only
> + * for drivers that set WPA_DRIVER_FLAGS2_SAE_OFFLOAD.
> + */
> + const char *sae_password;
> +
> /**
> * drop_unencrypted - Enable/disable unencrypted frame filtering
> *
> diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c
> index e4180daed..a83bfb136 100644
> --- a/src/drivers/driver_nl80211.c
> +++ b/src/drivers/driver_nl80211.c
> @@ -6753,8 +6753,12 @@ static int nl80211_connect_common(struct wpa_driver_nl80211_data *drv,
>
> if (params->wpa_proto & WPA_PROTO_WPA)
> ver |= NL80211_WPA_VERSION_1;
> - if (params->wpa_proto & WPA_PROTO_RSN)
> - ver |= NL80211_WPA_VERSION_2;
> + if (params->wpa_proto & WPA_PROTO_RSN) {
> + if (params->key_mgmt_suite == WPA_KEY_MGMT_SAE)
> + ver |= NL80211_WPA_VERSION_3;
> + else
> + ver |= NL80211_WPA_VERSION_2;
> + }
>
> wpa_printf(MSG_DEBUG, " * WPA Versions 0x%x", ver);
> if (nla_put_u32(msg, NL80211_ATTR_WPA_VERSIONS, ver))
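Review bot: In the @@ -6753 hunk of nl80211_connect_common(), the test `params->key_mgmt_suite == WPA_KEY_MGMT_SAE` matches only the plain SAE AKM, while the same patch uses `wpa_key_mgmt_sae(params.key_mgmt_suite)` in wpas_start_assoc_cb() and the set_suites hunk treats WPA_KEY_MGMT_SAE_EXT_KEY, WPA_KEY_MGMT_FT_SAE and WPA_KEY_MGMT_FT_SAE_EXT_KEY as SAE suites too. For those suites the connect request would presumably carry NL80211_WPA_VERSION_2 alongside an SAE password, so the two layers disagree about what is being negotiated. Using `if (wpa_key_mgmt_sae(params->key_mgmt_suite))` here would keep them consistent. The version bit is also set without checking WPA_DRIVER_FLAGS2_SAE_OFFLOAD, so it is worth confirming that non-offload drivers reaching this function accept NL80211_WPA_VERSION_3. The function body starts and ends outside the hunk.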
> @@ -6926,6 +6930,22 @@ static int nl80211_connect_common(struct wpa_driver_nl80211_data *drv,
> return -1;
> }
>
> + /* add SAE password in case of SAE authentication offload */
> + if ((params->sae_password || params->passphrase) &&
> + (drv->capa.flags2 & WPA_DRIVER_FLAGS2_SAE_OFFLOAD)) {
> + const char *password;
> + size_t pwd_len;
> +
> + password = params->sae_password;
> + if (!password)
> + password = params->passphrase;
> + pwd_len = os_strlen(password);
> + wpa_hexdump_ascii_key(MSG_DEBUG, " * SAE password",
> + (u8 *) password, pwd_len);
> + if (nla_put(msg, NL80211_ATTR_SAE_PASSWORD, pwd_len, password))
> + return -1;
This seems to be incompatible with sae_password_id, or at least things that offload SAE cannot currently offload the password ID. Is that correct? If so, should the patch also raise a warning for the ssid block/config if sae_password_id is specified, but the device is using SAE offload? Dan
> + }
> +
> if (nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT))
> return -1;
>
> @@ -7044,6 +7064,8 @@ static int wpa_driver_nl80211_try_connect(
> algs++;
> if (params->auth_alg & WPA_AUTH_ALG_FT)
> algs++;
> + if (params->auth_alg & WPA_AUTH_ALG_SAE)
> + algs++;
> if (algs > 1) {
> wpa_printf(MSG_DEBUG, " * Leave out Auth Type for automatic "
> "selection");
> diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c
> index e0f3240e8..271cb2205 100644
> --- a/wpa_supplicant/wpa_supplicant.c
> +++ b/wpa_supplicant/wpa_supplicant.c
> @@ -1761,7 +1761,8 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s,
>
> sel = ie.key_mgmt & ssid->key_mgmt;
> #ifdef CONFIG_SAE
> - if (!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_SAE) ||
> + if (!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_SAE) &&
> + !(wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SAE_OFFLOAD) ||
> wpas_is_sae_avoided(wpa_s, ssid, &ie))
> sel &= ~(WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_SAE_EXT_KEY |
> WPA_KEY_MGMT_FT_SAE | WPA_KEY_MGMT_FT_SAE_EXT_KEY);
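Review bot: The password block in the @@ -6926 hunk is gated on the driver flag and on a password being present, but not on the selected AKM. If any other path populates `params->passphrase` for a non-SAE network, that passphrase would be sent to the driver as NL80211_ATTR_SAE_PASSWORD on an offload-capable device, although the association has no use for it. Adding `wpa_key_mgmt_sae(params->key_mgmt_suite) &&` to the condition would restrict the attribute to SAE connections. `pwd_len` also goes to nla_put() with no upper bound and may be zero for an empty string, so an explicit length check with a debug message would make a rejected connect easier to diagnose. The enclosing function starts and ends outside the hunk.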
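Review bot: The new condition in the @@ -1761 hunk of wpa_supplicant_set_suites() mixes `&&` and `||` without grouping, which depends on operator precedence and will trigger -Wparentheses on common compilers. The result happens to be the intended one (SAE is dropped when neither driver flag is set, or when SAE is avoided), but a later edit could easily change which AKMs stay enabled. Wrap the two flag tests explicitly: `if ((!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_SAE) && !(wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SAE_OFFLOAD)) || wpas_is_sae_avoided(wpa_s, ssid, &ie))`.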
> @@ -4260,6 +4261,18 @@ static void wpas_start_assoc_cb(struct wpa_radio_work *work, int deinit)
> params.psk = psk;
> }
>
> + if ((wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SAE_OFFLOAD) &&
> + wpa_key_mgmt_sae(params.key_mgmt_suite)) {
> + params.auth_alg = WPA_AUTH_ALG_SAE;
> + if (ssid->sae_password)
> + params.sae_password = ssid->sae_password;
> + else if (ssid->passphrase)
> + params.passphrase = ssid->passphrase;
> +
> + if (ssid->psk_set)
> + params.psk = ssid->psk;
> + }
> +
> params.drop_unencrypted = use_crypt;
>
> params.mgmt_frame_protection = wpas_get_ssid_pmf(wpa_s, ssid);
_______________________________________________ Hostap mailing list Hostap@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/hostap
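Review bot: In the added block of wpas_start_assoc_cb(), `params.auth_alg = WPA_AUTH_ALG_SAE` is set even when neither `ssid->sae_password` nor `ssid->passphrase` is available, for example a network configured with only a raw PSK. The connect request then asks the driver for SAE with no password attached, and the failure only surfaces in the driver. A guard that logs and skips SAE offload when both are NULL would fail earlier and more clearly. Separately, `params.psk = ssid->psk` gives the WPA2 PMK to the driver on an association that selected an SAE AKM. If this is meant for transition-mode roaming in firmware, a comment such as `/* PSK is passed for WPA2/WPA3 transition-mode roaming in firmware */` should say so; otherwise the assignment can be dropped so the driver gets only the key material SAE needs. The function continues outside the hunk.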