From 588848651a88dfc4c4f7c7199dbcda89b17f7a33 Mon Sep 17 00:00:00 2001
From: James Prestwood
Date: Fri, 22 Mar 2019 10:09:04 -0700
Subject: [PATCH] wiphy: enforce MFP requirement on SAE connections

wiphy_select_akm will now check if BIP is supported, and if MFPR is set in the scan_bss before returning either SAE AKMs. This will allow fallback to another PSK AKM (e.g. hybrid APs) if any of the requirements are not met.
---
 src/wiphy.c | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/src/wiphy.c b/src/wiphy.c
index 6c1cf38c..dd5a11c9 100644
--- a/src/wiphy.c
+++ b/src/wiphy.c
@@ -122,16 +122,20 @@ enum ie_rsn_akm_suite wiphy_select_akm(struct wiphy *wiphy,
 } else if (security == SECURITY_PSK) {
 /*
 * Prefer connecting to SAE/WPA3 network, but only if SAE is
- * supported. This allows us to connect to a hybrid WPA2/WPA3
- * AP even if SAE/WPA3 is not supported.
+ * supported, we are MFP capable, and the AP has set the MFPR
+ * bit. If any of these conditions are not met, we can fallback
+ * to WPA2 (if the AKM is present).
 */
- if (info.akm_suites & IE_RSN_AKM_SUITE_FT_OVER_SAE_SHA256 &&
- wiphy_has_feature(wiphy, NL80211_FEATURE_SAE))
- return IE_RSN_AKM_SUITE_FT_OVER_SAE_SHA256;
+ if (wiphy->supported_ciphers & IE_RSN_CIPHER_SUITE_BIP &&
+ wiphy_has_feature(wiphy, NL80211_FEATURE_SAE) &&
+ info.mfpr) {
+ if (info.akm_suites &
+ IE_RSN_AKM_SUITE_FT_OVER_SAE_SHA256)
+ return IE_RSN_AKM_SUITE_FT_OVER_SAE_SHA256;
 
- if (info.akm_suites & IE_RSN_AKM_SUITE_SAE_SHA256 &&
- wiphy_has_feature(wiphy, NL80211_FEATURE_SAE))
- return IE_RSN_AKM_SUITE_SAE_SHA256;
+ if (info.akm_suites & IE_RSN_AKM_SUITE_SAE_SHA256)
+ return IE_RSN_AKM_SUITE_SAE_SHA256;
+ }
 
 if ((info.akm_suites & IE_RSN_AKM_SUITE_FT_USING_PSK) &&
 bss->rsne && bss->mde_present)
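Review bot: Gating both SAE AKMs on `info.mfpr` in the new outer `if` means a WPA2/WPA3 transition-mode AP will never be joined with SAE, because such an AP normally advertises MFPC=1 with MFPR=0 so that legacy clients can still associate. The station then silently settles for PSK and gives up SAE's resistance to offline dictionary attacks. If the intent is only that SAE must never run without management frame protection, testing the AP's MFP-capable bit and requiring MFP on our side whenever SAE is chosen would keep that guarantee without the downgrade, e.g. `info.mfpc` in place of `info.mfpr` (assuming the parsed RSN info exposes that bit; it is not visible here). Whether the association actually sets MFP for the SAE case cannot be checked from this hunk, since `wiphy_select_akm` begins and ends outside it. At minimum the comment should say that hybrid APs without MFPR will always fall back to WPA2, so the downgrade is a documented decision.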