SAE: Allow AP behavior for SAE Confirm to be configured

By default, hostapd waits for the STA to send SAE Confirm before sending
its own SAE Confirm. This can now be configured with sae_confirm_immediate=1,
which makes hostapd send out SAE Confirm immediately after sending
SAE Commit.

These are the two different message sequences:

sae_confirm_immediate=0
STA->AP: SAE Commit
AP->STA: SAE Commit
STA->AP: SAE Confirm
AP->STA: SAE Confirm
STA->AP: Association Request
AP->STA: Association Response

sae_confirm_immediate=1
STA->AP: SAE Commit
AP->STA: SAE Commit
AP->STA: SAE Confirm
STA->AP: SAE Confirm
STA->AP: Association Request
AP->STA: Association Response

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Jouni Malinen 2019-10-10 15:38:26 +03:00 committed by Jouni Malinen
parent d6a7de60c8
commit f7fe055224
4 changed files with 20 additions and 7 deletions


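--- a/<path not shown on page: file defining hostapd_config_fill>
+++ b/<path not shown on page: file defining hostapd_config_fill>
@@ -4182,6 +4182,8 @@ static int hostapd_config_fill(struct hostapd_config *conf,
 }
 } else if (os_strcmp(buf, "sae_require_mfp") == 0) {
 bss->sae_require_mfp = atoi(pos);
+} else if (os_strcmp(buf, "sae_confirm_immediate") == 0) {
+bss->sae_confirm_immediate = atoi(pos);
 } else if (os_strcmp(buf, "local_pwr_constraint") == 0) {
 int val = atoi(pos);
 if (val < 0 || val > 255) {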
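Review bot: The new `sae_confirm_immediate` branch stores `atoi(pos)` unvalidated, so a mistyped value such as `sae_confirm_immediate=yes` silently parses to 0 and keeps the default, while any other non-zero number enables the immediate-Confirm path (the consumer in sae_sm_step only tests truthiness). The `local_pwr_constraint` branch a few lines below already range-checks its value at load time; the same shape would surface misconfiguration early, e.g. `int val = atoi(pos); if (val < 0 || val > 1) { /* report the line and fail as local_pwr_constraint does */ }` before `bss->sae_confirm_immediate = val;`. This mirrors how `sae_require_mfp` is parsed today, so tightening both together would be consistent. hostapd_config_fill starts and ends outside the hunk.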


@ -1743,6 +1743,13 @@ own_ip_addr=127.0.0.1
# MFP while SAE stations are required to negotiate MFP if sae_require_mfp=1. # MFP while SAE stations are required to negotiate MFP if sae_require_mfp=1.
#sae_require_mfp=0 #sae_require_mfp=0
# SAE Confirm behavior
# By default, AP will send out only SAE Commit message in response to a received
# SAE Commit message. This parameter can be set to 1 to override that behavior
# to send both SAE Commit and SAE Confirm messages without waiting for the STA
# to send its SAE Confirm message first.
#sae_confirm_immediate=0
# FILS Cache Identifier (16-bit value in hexdump format) # FILS Cache Identifier (16-bit value in hexdump format)
#fils_cache_id=0011 #fils_cache_id=0011


@ -649,6 +649,7 @@ struct hostapd_bss_config {
unsigned int sae_anti_clogging_threshold; unsigned int sae_anti_clogging_threshold;
unsigned int sae_sync; unsigned int sae_sync;
int sae_require_mfp; int sae_require_mfp;
int sae_confirm_immediate;
int *sae_groups; int *sae_groups;
struct sae_password_entry *sae_passwords; struct sae_password_entry *sae_passwords;
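Review bot: The new `sae_confirm_immediate` field is added without a comment, so a reader of the struct has to go to the hostapd.conf text or to sae_sm_step to learn what it controls and that it is read as a boolean. A short trailing comment keeps the intent self-contained, e.g. `int sae_confirm_immediate; /* non-zero: AP sends SAE Confirm right after SAE Commit instead of waiting for the STA's Confirm */`. struct hostapd_bss_config starts and ends outside the hunk.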


@ -787,14 +787,17 @@ static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta,
return WLAN_STATUS_UNSPECIFIED_FAILURE; return WLAN_STATUS_UNSPECIFIED_FAILURE;
/* /*
* In mesh case, both Commit and Confirm can be sent * In mesh case, both Commit and Confirm are sent
* immediately. In infrastructure BSS, only a single * immediately. In infrastructure BSS, by default, only
* Authentication frame (Commit) is expected from the AP * a single Authentication frame (Commit) is expected
* here and the second one (Confirm) will be sent once * from the AP here and the second one (Confirm) will
* the STA has sent its second Authentication frame * be sent once the STA has sent its second
* (Confirm). * Authentication frame (Confirm). This behavior can be
* overridden with explicit configuration so that the
* infrastructure BSS case sends both frames together.
*/ */
if (hapd->conf->mesh & MESH_ENABLED) { if ((hapd->conf->mesh & MESH_ENABLED) ||
hapd->conf->sae_confirm_immediate) {
/* /*
* Send both Commit and Confirm immediately * Send both Commit and Confirm immediately
* based on SAE finite state machine * based on SAE finite state machine
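Review bot: The rewritten comment says the default "can be overridden with explicit configuration" but never names the parameter, so a reader has to search the config headers to connect it to the `hapd->conf->sae_confirm_immediate` test below; naming it keeps the comment self-contained, e.g. `* overridden with explicit configuration (sae_confirm_immediate=1)`. Since this path now also applies to infrastructure BSS, the AP sends its Confirm before the STA has sent one; as far as I recall the SAE state machine accepts a Confirm received in Committed state, so this should interoperate, but it is worth stating in the comment that STAs must cope with Confirm arriving before they send their own. sae_sm_step starts and ends outside the hunk.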