From 956b44bda8e43282084a128d2d12f9e7121605af Mon Sep 17 00:00:00 2001 From: James Haggerty Date: Tue, 19 Mar 2024 10:43:35 +1100 Subject: [PATCH] Count WPA-EAP-SHA256 as WPA3 if ieee80211w is set Addresses #8 --- iwinfo_nl80211.c | 57 +++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 56 insertions(+), 1 deletion(-) diff --git a/iwinfo_nl80211.c b/iwinfo_nl80211.c index 2200249..902efa4 100644 --- a/iwinfo_nl80211.c +++ b/iwinfo_nl80211.c @@ -1771,7 +1771,8 @@ static const struct { { "EAP-SUITE-B-192", 4, IWINFO_KMGMT_8021x }, { "EAP-SUITE-B", 4, IWINFO_KMGMT_8021x }, { "EAP-SHA384", 4, IWINFO_KMGMT_8021x }, - { "EAP-SHA256", 0, IWINFO_KMGMT_8021x }, + /* SHA256 counts as WPA3 as long as 80211w is enabled; we check this elsewhere. */ + { "EAP-SHA256", 4, IWINFO_KMGMT_8021x }, { "PSK-SHA256", 0, IWINFO_KMGMT_PSK }, { "NONE", 0, IWINFO_KMGMT_NONE }, { "None", 0, IWINFO_KMGMT_NONE }, @@ -1871,6 +1872,7 @@ static int nl80211_get_encryption(const char *ifname, char *buf) uint8_t wpa_version = 0; char wpa[2], wpa_key_mgmt[64], wpa_pairwise[16], wpa_groupwise[16]; char auth_algs[2], wep_key0[27], wep_key1[27], wep_key2[27], wep_key3[27]; + char ieee80211w[2], pmf[2]; char mode[16]; struct iwinfo_crypto_entry *c = (struct iwinfo_crypto_entry *)buf; @@ -1880,6 +1882,7 @@ static int nl80211_get_encryption(const char *ifname, char *buf) "pairwise_cipher", wpa_pairwise, sizeof(wpa_pairwise), "group_cipher", wpa_groupwise, sizeof(wpa_groupwise), "key_mgmt", wpa_key_mgmt, sizeof(wpa_key_mgmt), + "pmf", pmf, sizeof(pmf), "mode", mode, sizeof(mode))) { /* WEP or Open */ @@ -1930,6 +1933,31 @@ static int nl80211_get_encryption(const char *ifname, char *buf) parse_wpa_suites(p, wpa_version, &c->wpa_version, &c->auth_suites); + /* If parse_wpa_suites has identified it as possibly WPA3-Enterprise. + * + * Strictly: + * ieee80211w=2 && wpa_key_mgmt=WPA-EAP-SHA256 => WPA3-Enterprise + * ieee80211w=1 && wpa_key_mgmt=WPA-EAP WPA-EAP-SHA256 => WPA3-Enterprise transition + * + * I'm guessing that when getting the status from the wpa_supplicant side, pmf=2 if you + * have actually connected with ieee80211w. + * Here we just try to aggressively downgrade + * (i.e. if no MFP, definitely not WPA3-Enterprise, and if not required MFP then + * we count it as transition mode). + */ + if ((c->wpa_version & 4) && (c->auth_suites & IWINFO_KMGMT_8021x)) { + switch (atoi(pmf)) { + default: /* If no ieee80211w (0 or unset), can't be WPA3. */ + c->wpa_version &= ~4; + c->wpa_version |= wpa_version; + break; + case 1: /* ieee80211w optional => WPA3-Enterprise Transition mode. */ + c->wpa_version |= wpa_version; + break; + case 2: /* ieee80211w required => WPA3-Enterprise (assuming no other ciphers). */ + break; + } + } c->enabled = !!(c->wpa_version && c->auth_suites); } @@ -1941,6 +1969,7 @@ static int nl80211_get_encryption(const char *ifname, char *buf) "wpa", wpa, sizeof(wpa), "wpa_key_mgmt", wpa_key_mgmt, sizeof(wpa_key_mgmt), "wpa_pairwise", wpa_pairwise, sizeof(wpa_pairwise), + "ieee80211w", ieee80211w, sizeof(ieee80211w), "auth_algs", auth_algs, sizeof(auth_algs), "wep_key0", wep_key0, sizeof(wep_key0), "wep_key1", wep_key1, sizeof(wep_key1), @@ -1994,6 +2023,32 @@ static int nl80211_get_encryption(const char *ifname, char *buf) c->enabled = (c->auth_algs && c->pair_ciphers) ? 1 : 0; } + /* If parse_wpa_suites has identified it as possibly WPA3-Enterprise. + * + * Strictly: + * ieee80211w=2 && wpa_key_mgmt=WPA-EAP-SHA256 => WPA3-Enterprise + * ieee80211w=1 && wpa_key_mgmt=WPA-EAP WPA-EAP-SHA256 => WPA3-Enterprise transition + * + * Here we just try to aggressively downgrade + * (i.e. if no MFP, definitely not WPA3-Enterprise, and if not required MFP then + * we count it as transition mode). This _will_ allow some invalid configurations through + * and count certain undefined configurations as WPA2/WPA3 + * (e.g. WPA-EAP-SHA256 only and ieee80211=1). + */ + if ((c->wpa_version & 4) && (c->auth_suites & IWINFO_KMGMT_8021x)) { + switch (atoi(ieee80211w)) { + default: /* If no ieee80211w (0 or unset), can't be WPA3. */ + c->wpa_version &= ~4; + c->wpa_version |= atoi(wpa); + break; + case 1: /* ieee80211w optional => WPA3-Enterprise Transition mode. */ + c->wpa_version |= atoi(wpa); + break; + case 2: /* ieee80211w required => WPA3-Enterprise (assuming no other ciphers). */ + break; + } + } + c->group_ciphers = c->pair_ciphers; return 0;