Merge branch 'feature/sae_pk_transition_disable_v5.1' into 'release/v5.1'

feat(esp_wifi): Add support for SAE-PK, OWE and WPA3 transition disable (Backport v5.1)

See merge request espressif/esp-idf!31378

components/wpa_supplicant/esp_supplicant/src/esp_wifi_driver.h

@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2019-2023 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2019-2024 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -140,7 +140,6 @@ struct wpa_funcs {
     void (*wpa_config_done)(void);
     uint8_t *(*owe_build_dhie)(uint16_t group);
     int (*owe_process_assoc_resp)(const u8 *rsn_ie, size_t rsn_len, const uint8_t *dh_ie, size_t dh_len);
-    int (*wpa_sta_set_ap_rsnxe)(const u8 *rsnxe, size_t rsnxe_ie_len);
 };
 
 struct wpa2_funcs {
@@ -289,12 +288,15 @@ bool esp_wifi_is_ft_enabled_internal(uint8_t if_index);
 uint8_t esp_wifi_sta_get_config_sae_pk_internal(void);
 void esp_wifi_sta_disable_sae_pk_internal(void);
 void esp_wifi_sta_disable_wpa2_authmode_internal(void);
+void esp_wifi_sta_disable_owe_trans_internal(void);
 uint8_t esp_wifi_ap_get_max_sta_conn(void);
 uint8_t esp_wifi_get_config_sae_pwe_h2e_internal(uint8_t ifx);
 bool esp_wifi_ap_notify_node_sae_auth_done(uint8_t *mac);
 bool esp_wifi_ap_is_sta_sae_reauth_node(uint8_t *mac);
 uint8_t* esp_wifi_sta_get_sae_identifier_internal(void);
 bool esp_wifi_eb_tx_status_success_internal(void *eb);
-uint8_t* esp_wifi_sta_get_rsnxe(void);
+uint8_t* esp_wifi_sta_get_rsnxe(u8 *bssid);
+esp_err_t esp_wifi_sta_connect_internal(const uint8_t *bssid);
+void esp_wifi_enable_sae_pk_only_mode_internal(void);
 
 #endif /* _ESP_WIFI_DRIVER_H_ */

components/wpa_supplicant/esp_supplicant/src/esp_wpa3.c

@@ -38,10 +38,10 @@ static esp_err_t wpa3_build_sae_commit(u8 *bssid, size_t *sae_msg_len)
     const u8 *rsnxe;
     u8 rsnxe_capa = 0;
 
-    rsnxe = esp_wifi_sta_get_rsnxe();
-    if (rsnxe && rsnxe[1] >= 1) {
-        rsnxe_capa = rsnxe[2];
-    }
+   rsnxe = esp_wifi_sta_get_rsnxe(bssid);
+   if (rsnxe && rsnxe[1] >= 1) {
+       rsnxe_capa = rsnxe[2];
+   }
 
 #ifdef CONFIG_SAE_PK
     bool use_pk = false;

components/wpa_supplicant/esp_supplicant/src/esp_wpa_main.c

@@ -214,7 +214,8 @@ int wpa_sta_connect(uint8_t *bssid)
         esp_set_assoc_ie((uint8_t *)bssid, NULL, 0, false);
     }
 
-    return 0;
+    ret = esp_wifi_sta_connect_internal(bssid);
+    return ret;
 }
 
 void wpa_config_done(void)
@@ -433,7 +434,6 @@ int esp_supplicant_init(void)
     wpa_cb->wpa_config_bss = NULL;//wpa_config_bss;
     wpa_cb->wpa_michael_mic_failure = wpa_michael_mic_failure;
     wpa_cb->wpa_config_done = wpa_config_done;
-    wpa_cb->wpa_sta_set_ap_rsnxe = wpa_sm_set_ap_rsnxe;
 
     esp_wifi_register_wpa3_ap_cb(wpa_cb);
     esp_wifi_register_wpa3_cb(wpa_cb);

components/wpa_supplicant/esp_supplicant/src/esp_wpas_glue.c

@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2019-2021 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2019-2024 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -93,12 +93,36 @@ int hostapd_send_eapol(const u8 *source, const u8 *sta_addr,
 
 }
 
-void wpa_supplicant_transition_disable(void *sm, u8 bitmap)
+static void disable_wpa_wpa2(void)
+{
+    esp_wifi_sta_disable_wpa2_authmode_internal();
+}
+
+void wpa_supplicant_transition_disable(struct wpa_sm *sm, u8 bitmap)
 {
     wpa_printf(MSG_DEBUG, "TRANSITION_DISABLE %02x", bitmap);
 
-    if (bitmap & TRANSITION_DISABLE_WPA3_PERSONAL) {
-        esp_wifi_sta_disable_wpa2_authmode_internal();
+    if  ((bitmap & TRANSITION_DISABLE_WPA3_PERSONAL) &&
+          wpa_key_mgmt_sae(sm->key_mgmt)) {
+        disable_wpa_wpa2();
+    }
+
+    if ((bitmap & TRANSITION_DISABLE_SAE_PK) &&
+        wpa_key_mgmt_sae(sm->key_mgmt)) {
+        wpa_printf(MSG_INFO,
+            "SAE-PK: SAE authentication without PK disabled based on AP notification");
+        disable_wpa_wpa2();
+        esp_wifi_enable_sae_pk_only_mode_internal();
+    }
+
+    if ((bitmap & TRANSITION_DISABLE_WPA3_ENTERPRISE) &&
+        wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt)) {
+        disable_wpa_wpa2();
+    }
+
+    if ((bitmap & TRANSITION_DISABLE_ENHANCED_OPEN) &&
+        wpa_key_mgmt_owe(sm->key_mgmt)) {
+        esp_wifi_sta_disable_owe_trans_internal();
     }
 }
 

components/wpa_supplicant/esp_supplicant/src/esp_wpas_glue.h

@@ -31,7 +31,7 @@ void wpa_free_eapol(u8 *buffer);
 int wpa_ether_send(void *ctx, const u8 *dest, u16 proto,
                    const u8 *data, size_t data_len);
 
-void wpa_supplicant_transition_disable(void *sm, u8 bitmap);
+void wpa_supplicant_transition_disable(struct wpa_sm *sm, u8 bitmap);
 
 int hostapd_send_eapol(const u8 *source, const u8 *sta_addr,
 		       const u8 *data, size_t data_len);

components/wpa_supplicant/src/common/wpa_common.h

@@ -325,6 +325,9 @@ struct rsn_rdie {
 /* WFA Transition Disable KDE (using OUI_WFA) */
 /* Transition Disable Bitmap bits */
 #define TRANSITION_DISABLE_WPA3_PERSONAL BIT(0)
+#define TRANSITION_DISABLE_SAE_PK BIT(1)
+#define TRANSITION_DISABLE_WPA3_ENTERPRISE BIT(2)
+#define TRANSITION_DISABLE_ENHANCED_OPEN BIT(3)
 
 #ifdef CONFIG_IEEE80211R
 int wpa_ft_mic(const u8 *kck, size_t kck_len, const u8 *sta_addr,

components/wpa_supplicant/src/rsn_supp/wpa.c

@@ -2442,6 +2442,10 @@ int wpa_set_bss(char *macddr, char * bssid, u8 pairwise_cipher, u8 group_cipher,
     if (res < 0)
         return -1;
     sm->assoc_wpa_ie_len = res;
+
+    const u8 *rsnxe;
+    rsnxe = esp_wifi_sta_get_rsnxe((u8*)bssid);
+    wpa_sm_set_ap_rsnxe(rsnxe, rsnxe ? (rsnxe[1] + 2) : 0);
     res = wpa_gen_rsnxe(sm, assoc_rsnxe, assoc_rsnxe_len);
     if (res < 0)
         return -1;