From 3a8dd390c9de3781efdee379809448d5c4ff9640 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Wed, 20 Jun 2018 13:04:31 +0300
Subject: [PATCH] SAE: Allow authentication restart on AP

In the infrastructure BSS case, the AP needs to clear pending SAE state if a new Commit message is received when already in Committed state. This allows the non-AP STA to negotiate a new group if it ends up trying to go through SAE authentication again before the AP side has removed the previous STA entry. This fixes an issue where a kernel update changed something in SAE timing or authentication sequence and started failing the sae_bignum_failure hwsim test case.

Signed-off-by: Jouni Malinen
---
 src/ap/ieee802_11.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index a1a037311..d7e7210f7 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -953,6 +953,20 @@ static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta,
 if (status_code != WLAN_STATUS_SUCCESS) goto remove_sta;
+ if (!(hapd->conf->mesh & MESH_ENABLED) &&
+ sta->sae->state == SAE_COMMITTED) {
+ /* This is needed in the infrastructure BSS case to
+ * address a sequence where a STA entry may remain in
+ * hostapd across two attempts to do SAE authentication
+ * by the same STA. The second attempt may end up trying
+ * to use a different group and that would not be
+ * allowed if we remain in Committed state with the
+ * previously set parameters. */
+ sae_set_state(sta, SAE_NOTHING,
+ "Clear existing state to allow restart");
+ sae_clear_data(sta->sae);
+ }
+
 resp = sae_parse_commit(sta->sae, mgmt->u.auth.variable, ((const u8 *) mgmt) + len - mgmt->u.auth.variable, &token,
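Review bot: The added block discards the pending SAE state as soon as a Commit arrives in Committed state, before the `sae_parse_commit()` call that follows it has validated that frame, so a malformed Commit, or one sent under this STA's address (authentication frames are not protected at this stage), also throws away an exchange that was in progress. The reset has to precede parsing for the group change to be accepted, as the comment explains, so this looks like a trade-off to document rather than to reorder; I would extend the comment with `* Note: this runs before the new Commit is validated, so any Commit carrying this STA's address restarts the exchange.` It is also worth confirming that nothing the AP relies on for rate limiting or retry accounting lives in the structure that `sae_clear_data()` wipes, since that function's body is not visible here. The enclosing branch of handle_auth_sae starts and ends outside the hunk, so the conditions under which this path is reached are inferred from the context lines only.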