esp_wifi: Always connect Station in PMF mode if possible

While using esp_wifi_set_config, the flag pmf_capable defaults to 0.
Users may not bother to enable it, which prevents connection to a
WPA3 AP. Or the AP may be reset into WPA3 mode, failing the re-connection.
To ensure better security, deprecate the pmf_capable flag and set it to
true internally.
Nachiket Kukade 2022-02-07 11:31:26 +05:30
parent 000d3823bb
commit 659306b243
9 changed files with 28 additions and 51 deletions

@ -215,7 +215,7 @@ typedef enum {
/** Configuration structure for Protected Management Frame */
typedef struct {
bool capable; /**< Advertizes support for Protected Management Frame. Device will prefer to connect in PMF mode if other device also advertizes PMF capability. */
bool capable; /**< Deprecated variable. Device will always connect in PMF mode if other device also advertizes PMF capability. */
bool required; /**< Advertizes that Protected Management Frame is required. Device will not associate to non-PMF capable devices. */
} wifi_pmf_config_t;
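Review bot: the new doc comment on `capable` marks it deprecated but never says that any value written to it is now ignored, and the member carries no compiler attribute, so callers still setting `.capable = false` to get PMF Disabled receive no warning that the request has no effect. Suggest wording such as `/**< Deprecated and ignored. Device will always connect in PMF mode if the peer also advertises PMF capability. */` and, since GCC accepts `__attribute__((deprecated))` on struct members, tagging the field so writes surface a deprecation warning at compile time; `Advertizes` in the same two comments should also read `Advertises`.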

@ -1 +1 @@
Subproject commit 5a4e7d21a14522f8b584832ec6b89626b7916b50
Subproject commit 5a0d2aee49633b1a0c0374c2a01ed8c2a10e2fe4
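Review bot: this submodule bump is where the behaviour described in the commit message (forcing `capable` to true internally) actually lands, yet neither the hunk nor the message names the submodule or the change inside it, so the binary side of the deprecation cannot be reviewed against the header change. Add a sentence to the commit message identifying the submodule and the corresponding commit so the two halves can be checked together.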

@ -170,7 +170,6 @@ static int esp_dpp_handle_config_obj(struct dpp_authentication *auth,
os_memcpy(wifi_cfg->sta.password, conf->passphrase,
sizeof(wifi_cfg->sta.password));
if (conf->akm == DPP_AKM_PSK_SAE) {
wifi_cfg->sta.pmf_cfg.capable = true;
wifi_cfg->sta.pmf_cfg.required = true;
}
}
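Review bot: dropping `wifi_cfg->sta.pmf_cfg.capable = true;` is consistent with the deprecation, and keeping `required = true` for an SAE association is correct. Please confirm, though, that PMF Required is intended for the whole `DPP_AKM_PSK_SAE` case: if that AKM value means the configurator allows PSK as well as SAE, a legacy WPA2-PSK AP without PMF will now be refused even though the provisioned credentials would otherwise work on it, which may deserve a comment at the `if`.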

@ -25,31 +25,12 @@ An attacker can use eavesdropping and packet injection to send spoofed (de)authe
PMF provides protection against these attacks by encrypting unicast management frames and providing integrity checks for broadcast management frames. These include deauthentication, disassociation and robust management frames. It also provides Secure Association (SA) teardown mechanism to prevent spoofed association/authentication frames from disconnecting already connected clients.
API & Usage
+++++++++++
There are 3 types of PMF configuration modes on both Station and AP side -
- PMF Optional
- PMF Required
- PMF Disabled
:cpp:func:`esp_wifi_set_config` can be used to configure PMF mode by setting appropriate flags in `pmf_cfg` parameter. Currently, PMF is supported only in Station mode.
While setting up a Station, configure PMF using two flags ``capable`` and ``required`` like below.
.. code-block:: c
wifi_config_t wifi_config = {
.sta = {
.ssid = EXAMPLE_WIFI_SSID,
.password = EXAMPLE_WIFI_PASSWORD,
.pmf_cfg = {
.capable = true,
.required = false
}
}
};
{IDF_TARGET_NAME} supports three modes of PMF by combination of these two flags -
- PMF Optional : ``.capable = true, .required = false``
- PMF Required : ``.capable = true, .required = true``
- PMF Disabled : ``.capable = false, .required = false``
Depending on what AP side PMF Mode is, the resulting connnection will behave differently. The table below summarises all possible outcomes -
Depending on the PMF configuration on Station and AP side, the resulting connection will behave differently. Below table summarises all possible outcomes.
+--------------+------------------------+---------------------------+
| STA Setting | AP Setting | Outcome |
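Review bot: with the three-mode list and the `API & Usage` heading removed here, the table is the first place the names PMF Optional, PMF Required and PMF Disabled appear, but they are no longer defined before use; keep a one-line definition of the three modes ahead of the table. In the replacement sentence, `Below table summarises all possible outcomes.` should read `The table below summarises all possible outcomes.`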
@ -67,7 +48,27 @@ While setting up a Station, configure PMF using two flags ``capable`` and ``requ
| PMF Disabled | PMF Required | AP refuses Connection |
+--------------+------------------------+---------------------------+
PMF Optional Mode, which is shown in the example of ``wifi_confit_t``, is suggested to be used in all Station configurations. This is to take the additional security benefit of PMF whenever possible without breaking connections with legacy AP's.
API & Usage
+++++++++++
{IDF_TARGET_NAME} supports PMF only in Station mode. Station defaults to PMF Optional mode and disabling PMF is not possible. For even higher security, PMF required mode can be enabled by setting the ``required`` flag in `pmf_cfg` while using the :cpp:func:`esp_wifi_set_config` API. This will result in Station only connecting to a PMF enabled AP and rejecting all other AP's. An example of this configuration is given below.
.. code-block:: c
wifi_config_t wifi_config = {
.sta = {
.ssid = EXAMPLE_WIFI_SSID,
.password = EXAMPLE_WIFI_PASSWORD,
.pmf_cfg = {
.required = true
}
}
};
.. attention::
``capable`` flag in `pmf_cfg` is deprecated and set to true internally. This is to take the additional security benefit of PMF whenever possible.
WPA3-Personal
-------------
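Review bot: the table retained as context above still carries STA `PMF Disabled` rows (`| PMF Disabled | PMF Required | AP refuses Connection |`), while the new paragraph states that disabling PMF is not possible on Station; either drop the STA-Disabled rows or add a note that those rows describe AP-side configuration only. Two smaller points in the added text: `AP's` should be `APs` (twice), and the attention block mixes ``capable`` with single-backtick `pmf_cfg`; both are struct members and should use the same ``literal`` markup.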

@ -123,11 +123,6 @@ void wifi_init_sta(void)
* However these modes are deprecated and not advisable to be used. Incase your Access point
* doesn't support WPA2, these mode can be enabled by commenting below line */
.threshold.authmode = WIFI_AUTH_WPA2_PSK,
.pmf_cfg = {
.capable = true,
.required = false
},
},
};
ESP_ERROR_CHECK(esp_wifi_set_mode(WIFI_MODE_STA) );
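Review bot: removing `.pmf_cfg` leaves this station example with no mention of PMF at all, so readers of the example no longer learn that it now associates in PMF Optional mode by default or that `.pmf_cfg.required = true` is the way to opt into Required; a one-line comment after `.threshold.authmode = WIFI_AUTH_WPA2_PSK,` stating the default would preserve that. Since the surrounding block is being touched, the context comment above also has `Incase` (should be `In case`) and `these mode` (should be `these modes`).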

@ -141,11 +141,6 @@ void wifi_init_sta(void)
* However these modes are deprecated and not advisable to be used. Incase your Access point
* doesn't support WPA2, these mode can be enabled by commenting below line */
.threshold.authmode = WIFI_AUTH_WPA2_PSK,
.pmf_cfg = {
.capable = true,
.required = false
},
},
};
ESP_ERROR_CHECK(esp_wifi_set_mode(WIFI_MODE_STA) );

@ -96,11 +96,6 @@ void wifi_init_sta(void)
* However these modes are deprecated and not advisable to be used. Incase your Access point
* doesn't support WPA2, these mode can be enabled by commenting below line */
.threshold.authmode = WIFI_AUTH_WPA2_PSK,
.pmf_cfg = {
.capable = true,
.required = false
},
},
};
ESP_ERROR_CHECK(esp_wifi_set_mode(WIFI_MODE_STA) );

@ -161,7 +161,6 @@ static bool wifi_cmd_sta_join(const char *ssid, const char *pass)
int bits = xEventGroupWaitBits(wifi_event_group, CONNECTED_BIT, 0, 1, 0);
wifi_config_t wifi_config = { 0 };
wifi_config.sta.pmf_cfg.capable = true;
strlcpy((char *) wifi_config.sta.ssid, ssid, sizeof(wifi_config.sta.ssid));
if (pass) {

@ -122,15 +122,8 @@ static void initialise_wifi(void)
wifi_config_t wifi_config = {
.sta = {
.ssid = EXAMPLE_WIFI_SSID,
#if defined(CONFIG_EXAMPLE_WPA3_ENTERPRISE)
.pmf_cfg = {
.capable = true,
.required = false
},
#endif
#if defined (CONFIG_EXAMPLE_WPA3_192BIT_ENTERPRISE)
.pmf_cfg = {
.capable = true,
.required = true
},
#endif
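Review bot: per the hunk header (15 lines to 8) the whole `CONFIG_EXAMPLE_WPA3_ENTERPRISE` block is removed while the `CONFIG_EXAMPLE_WPA3_192BIT_ENTERPRISE` block keeps `.required = true`. WPA3-Enterprise in its non-192-bit form also mandates PMF, so if that Kconfig option is meant to select WPA3-only operation rather than a WPA2/WPA3 transition configuration, the block should remain with `.required = true` instead of falling back to the Optional default; if transition mode is intended, a comment saying so would make the asymmetry between the two branches deliberate.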