SAE: Allow AP behavior for SAE Confirm to be configured

hostapd is by default waiting STA to send SAE Confirm before sending the
SAE Confirm. This can now be configured with sae_confirm_immediate=1
resulting in hostapd sending out SAE Confirm immediately after sending
SAE Commit.

These are the two different message sequences:

sae_confirm_immediate=0
STA->AP: SAE Commit
AP->STA: SAE Commit
STA->AP: SAE Confirm
AP->STA: SAE Confirm
STA->AP: Association Request
AP->STA: Association Response

sae_confirm_immediate=1
STA->AP: SAE Commit
AP->STA: SAE Commit
AP->STA: SAE Confirm
STA->AP: SAE Confirm
STA->AP: Association Request
AP->STA: Association Response

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index cce5d35917aa65dc55c20e9ae47461d23aa7e505..e6033e7ab4385a75865e309355719445fe058e1f 100644 (file)
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -4182,6 +4182,8 @@ static int hostapd_config_fill(struct hostapd_config *conf,
                }
        } else if (os_strcmp(buf, "sae_require_mfp") == 0) {
                bss->sae_require_mfp = atoi(pos);
+       } else if (os_strcmp(buf, "sae_confirm_immediate") == 0) {
+               bss->sae_confirm_immediate = atoi(pos);
        } else if (os_strcmp(buf, "local_pwr_constraint") == 0) {
                int val = atoi(pos);
                if (val < 0 || val > 255) {

diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
index 6f26578043ce78e1cd15dce70c0a26782197a9ba..326f967a5c93f0c122f24230efab71613f63263f 100644 (file)
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
@@ -1743,6 +1743,13 @@ own_ip_addr=127.0.0.1
 # MFP while SAE stations are required to negotiate MFP if sae_require_mfp=1.
 #sae_require_mfp=0
 
+# SAE Confirm behavior
+# By default, AP will send out only SAE Commit message in response to a received
+# SAE Commit message. This parameter can be set to 1 to override that behavior
+# to send both SAE Commit and SAE Confirm messages without waiting for the STA
+# to send its SAE Confirm message first.
+#sae_confirm_immediate=0
+
 # FILS Cache Identifier (16-bit value in hexdump format)
 #fils_cache_id=0011
 

diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h
index 6b15a3ebdd066623ad8cd981b97ec12e324fad8d..346a7dd1bc6189b2d9a1b8cefee3cb10a1201c93 100644 (file)
--- a/src/ap/ap_config.h
+++ b/src/ap/ap_config.h
@@ -649,6 +649,7 @@ struct hostapd_bss_config {
        unsigned int sae_anti_clogging_threshold;
        unsigned int sae_sync;
        int sae_require_mfp;
+       int sae_confirm_immediate;
        int *sae_groups;
        struct sae_password_entry *sae_passwords;
 

diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index 2ef490b8bfb911c7d4364309c872c22dc969d8ac..0152cf5631f1faafe9115b951ecd02eb7eaa77e5 100644 (file)
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -787,14 +787,17 @@ static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta,
                                return WLAN_STATUS_UNSPECIFIED_FAILURE;
 
                        /*
-                        * In mesh case, both Commit and Confirm can be sent
-                        * immediately. In infrastructure BSS, only a single
-                        * Authentication frame (Commit) is expected from the AP
-                        * here and the second one (Confirm) will be sent once
-                        * the STA has sent its second Authentication frame
-                        * (Confirm).
+                        * In mesh case, both Commit and Confirm are sent
+                        * immediately. In infrastructure BSS, by default, only
+                        * a single Authentication frame (Commit) is expected
+                        * from the AP here and the second one (Confirm) will
+                        * be sent once the STA has sent its second
+                        * Authentication frame (Confirm). This behavior can be
+                        * overridden with explicit configuration so that the
+                        * infrastructure BSS case sends both frames together.
                         */
-                       if (hapd->conf->mesh & MESH_ENABLED) {
+                       if ((hapd->conf->mesh & MESH_ENABLED) ||
+                           hapd->conf->sae_confirm_immediate) {
                                /*
                                 * Send both Commit and Confirm immediately
                                 * based on SAE finite state machine