From f7fe0552249a0cb10904421b0b04d0604b49f1bf Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Thu, 10 Oct 2019 15:38:26 +0300
Subject: [PATCH] SAE: Allow AP behavior for SAE Confirm to be configured
hostapd is by default waiting STA to send SAE Confirm before sending the SAE Confirm. This can now be configured with sae_confirm_immediate=1 resulting in hostapd sending out SAE Confirm immediately after sending SAE Commit. These are the two different message sequences: sae_confirm_immediate=0 STA->AP: SAE Commit AP->STA: SAE Commit STA->AP: SAE Confirm AP->STA: SAE Confirm STA->AP: Association Request AP->STA: Association Response sae_confirm_immediate=1 STA->AP: SAE Commit AP->STA: SAE Commit AP->STA: SAE Confirm STA->AP: SAE Confirm STA->AP: Association Request AP->STA: Association Response
Signed-off-by: Jouni Malinen
---
 hostapd/config_file.c | 2 ++
 hostapd/hostapd.conf | 7 +++++++
 src/ap/ap_config.h | 1 +
 src/ap/ieee802_11.c | 17 ++++++++++-------
 4 files changed, 20 insertions(+), 7 deletions(-)
diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index cce5d3591..e6033e7ab 100644
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -4182,6 +4182,8 @@ static int hostapd_config_fill(struct hostapd_config *conf,
 }
 } else if (os_strcmp(buf, "sae_require_mfp") == 0) {
 bss->sae_require_mfp = atoi(pos);
+ } else if (os_strcmp(buf, "sae_confirm_immediate") == 0) {
+ bss->sae_confirm_immediate = atoi(pos);
 } else if (os_strcmp(buf, "local_pwr_constraint") == 0) {
 int val = atoi(pos);
 if (val < 0 || val > 255) {
diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
index 6f2657804..326f967a5 100644
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
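Review bot: In the hostapd/config_file.c hunk, the new `sae_confirm_immediate` branch stores `atoi(pos)` unchecked, so a typo such as `yes` silently becomes 0 and any non-zero value, negatives included, turns the behavior on. This switch changes which SAE frames the AP sends before the STA has confirmed, so I would accept only 0 or 1: `int val = atoi(pos);` followed by `if (val < 0 || val > 1)` and the same error handling the `local_pwr_constraint` branch uses for its range check. That branch's body continues outside the hunk, so its exact error path is not visible here. The neighbouring `sae_require_mfp` line has the same unchecked pattern, which predates this commit.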
@@ -1743,6 +1743,13 @@ own_ip_addr=127.0.0.1
 # MFP while SAE stations are required to negotiate MFP if sae_require_mfp=1.
 #sae_require_mfp=0
+# SAE Confirm behavior
+# By default, AP will send out only SAE Commit message in response to a received
+# SAE Commit message. This parameter can be set to 1 to override that behavior
+# to send both SAE Commit and SAE Confirm messages without waiting for the STA
+# to send its SAE Confirm message first.
+#sae_confirm_immediate=0
+
 # FILS Cache Identifier (16-bit value in hexdump format)
 #fils_cache_id=0011
diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h
index 6b15a3ebd..346a7dd1b 100644
--- a/src/ap/ap_config.h
+++ b/src/ap/ap_config.h
@@ -649,6 +649,7 @@ struct hostapd_bss_config {
 unsigned int sae_anti_clogging_threshold;
 unsigned int sae_sync;
 int sae_require_mfp;
+ int sae_confirm_immediate;
 int *sae_groups;
 struct sae_password_entry *sae_passwords;
diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index 2ef490b8b..0152cf563 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -787,14 +787,17 @@ static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta,
 return WLAN_STATUS_UNSPECIFIED_FAILURE;
 /*
- * In mesh case, both Commit and Confirm can be sent
- * immediately. In infrastructure BSS, only a single
- * Authentication frame (Commit) is expected from the AP
- * here and the second one (Confirm) will be sent once
- * the STA has sent its second Authentication frame
- * (Confirm).
+ * In mesh case, both Commit and Confirm are sent
+ * immediately. In infrastructure BSS, by default, only
+ * a single Authentication frame (Commit) is expected
+ * from the AP here and the second one (Confirm) will
+ * be sent once the STA has sent its second
+ * Authentication frame (Confirm). This behavior can be
+ * overridden with explicit configuration so that the
+ * infrastructure BSS case sends both frames together.
 */
- if (hapd->conf->mesh & MESH_ENABLED) {
+ if ((hapd->conf->mesh & MESH_ENABLED) ||
+ hapd->conf->sae_confirm_immediate) {
 /*
 * Send both Commit and Confirm immediately
 * based on SAE finite state machine
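Review bot: The rewritten comment in sae_sm_step says the default "can be overridden with explicit configuration" but never names the option, so a reader of ieee802_11.c cannot tell which setting flips this branch; I would write `* overridden with sae_confirm_immediate=1 so that the` on that line. The trade-off also deserves a line next to the new condition: with the option set, an infrastructure AP takes the mesh path and answers each accepted Commit with two Authentication frames before the peer has sent its own Confirm, e.g. `/* sae_confirm_immediate: AP sends Confirm before the STA's Confirm is seen */`. How this interacts with the anti-clogging threshold is not visible here (presumably it is checked before this point). The branch body and the rest of the function continue outside the hunk, so the SAE state a non-mesh STA ends up in should be confirmed against the full function.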