Count WPA-EAP-SHA256 as WPA3 if ieee80211w is set

Addresses openwrt#8
wryun · Mar 19, 2024 · 956b44b · 956b44b
1 parent 8ffb8bf
commit 956b44b
Showing 1 changed file with 56 additions and 1 deletion.
diff --git a/iwinfo_nl80211.c b/iwinfo_nl80211.c
@@ -1771,7 +1771,8 @@ static const struct {
 	{ "EAP-SUITE-B-192", 4, IWINFO_KMGMT_8021x },
 	{ "EAP-SUITE-B",     4, IWINFO_KMGMT_8021x },
 	{ "EAP-SHA384",      4, IWINFO_KMGMT_8021x },
-	{ "EAP-SHA256",      0, IWINFO_KMGMT_8021x },
+	/* SHA256 counts as WPA3 as long as 80211w is enabled; we check this elsewhere. */
+	{ "EAP-SHA256",      4, IWINFO_KMGMT_8021x },
 	{ "PSK-SHA256",      0, IWINFO_KMGMT_PSK },
 	{ "NONE",            0, IWINFO_KMGMT_NONE },
 	{ "None",            0, IWINFO_KMGMT_NONE },
@@ -1871,6 +1872,7 @@ static int nl80211_get_encryption(const char *ifname, char *buf)
 	uint8_t wpa_version = 0;
 	char wpa[2], wpa_key_mgmt[64], wpa_pairwise[16], wpa_groupwise[16];
 	char auth_algs[2], wep_key0[27], wep_key1[27], wep_key2[27], wep_key3[27];
+	char ieee80211w[2], pmf[2];
 	char mode[16];
 
 	struct iwinfo_crypto_entry *c = (struct iwinfo_crypto_entry *)buf;
@@ -1880,6 +1882,7 @@ static int nl80211_get_encryption(const char *ifname, char *buf)
 			"pairwise_cipher", wpa_pairwise,  sizeof(wpa_pairwise),
 			"group_cipher",    wpa_groupwise, sizeof(wpa_groupwise),
 			"key_mgmt",        wpa_key_mgmt,  sizeof(wpa_key_mgmt),
+			"pmf",             pmf,           sizeof(pmf),
 			"mode",            mode,          sizeof(mode)))
 	{
 		/* WEP or Open */
@@ -1930,6 +1933,31 @@ static int nl80211_get_encryption(const char *ifname, char *buf)
 
 			parse_wpa_suites(p, wpa_version, &c->wpa_version, &c->auth_suites);
 
+			/* If parse_wpa_suites has identified it as possibly WPA3-Enterprise.
+			 *
+			 * Strictly:
+			 *  ieee80211w=2 && wpa_key_mgmt=WPA-EAP-SHA256 => WPA3-Enterprise
+			 *  ieee80211w=1 && wpa_key_mgmt=WPA-EAP WPA-EAP-SHA256 => WPA3-Enterprise transition
+			 *
+			 * I'm guessing that when getting the status from the wpa_supplicant side, pmf=2 if you
+			 * have actually connected with ieee80211w.
+			 * Here we just try to aggressively downgrade
+			 * (i.e. if no MFP, definitely not WPA3-Enterprise, and if not required MFP then
+			 * we count it as transition mode).
+			 */
+			if ((c->wpa_version & 4) && (c->auth_suites & IWINFO_KMGMT_8021x)) {
+				switch (atoi(pmf)) {
+				default: /* If no ieee80211w (0 or unset), can't be WPA3. */
+					c->wpa_version &= ~4;
+					c->wpa_version |= wpa_version;
+					break;
+				case 1: /* ieee80211w optional => WPA3-Enterprise Transition mode. */
+					c->wpa_version |= wpa_version;
+					break;
+				case 2: /* ieee80211w required => WPA3-Enterprise (assuming no other ciphers). */
+					break;
+				}
+			}
 			c->enabled = !!(c->wpa_version && c->auth_suites);
 		}
 
@@ -1941,6 +1969,7 @@ static int nl80211_get_encryption(const char *ifname, char *buf)
 				"wpa",          wpa,          sizeof(wpa),
 				"wpa_key_mgmt", wpa_key_mgmt, sizeof(wpa_key_mgmt),
 				"wpa_pairwise", wpa_pairwise, sizeof(wpa_pairwise),
+				"ieee80211w",   ieee80211w,   sizeof(ieee80211w),
 				"auth_algs",    auth_algs,    sizeof(auth_algs),
 				"wep_key0",     wep_key0,     sizeof(wep_key0),
 				"wep_key1",     wep_key1,     sizeof(wep_key1),
@@ -1994,6 +2023,32 @@ static int nl80211_get_encryption(const char *ifname, char *buf)
 			c->enabled = (c->auth_algs && c->pair_ciphers) ? 1 : 0;
 		}
 
+		/* If parse_wpa_suites has identified it as possibly WPA3-Enterprise.
+		 *
+		 * Strictly:
+		 *  ieee80211w=2 && wpa_key_mgmt=WPA-EAP-SHA256 => WPA3-Enterprise
+		 *  ieee80211w=1 && wpa_key_mgmt=WPA-EAP WPA-EAP-SHA256 => WPA3-Enterprise transition
+		 *
+		 * Here we just try to aggressively downgrade
+		 * (i.e. if no MFP, definitely not WPA3-Enterprise, and if not required MFP then
+		 * we count it as transition mode). This _will_ allow some invalid configurations through
+		 * and count certain undefined configurations as WPA2/WPA3
+		 * (e.g. WPA-EAP-SHA256 only and ieee80211=1).
+		 */
+		if ((c->wpa_version & 4) && (c->auth_suites & IWINFO_KMGMT_8021x)) {
+			switch (atoi(ieee80211w)) {
+			default: /* If no ieee80211w (0 or unset), can't be WPA3. */
+				c->wpa_version &= ~4;
+				c->wpa_version |= atoi(wpa);
+				break;
+			case 1: /* ieee80211w optional => WPA3-Enterprise Transition mode. */
+				c->wpa_version |= atoi(wpa);
+				break;
+			case 2: /* ieee80211w required => WPA3-Enterprise (assuming no other ciphers). */
+				break;
+			}
+		}
+
 		c->group_ciphers = c->pair_ciphers;
 
 		return 0;