SAE: Add group 20 in default groups when AP started with SAE-EXT-KEY
authorVeerendranath Jakkam <quic_vjakkam@quicinc.com>
Mon, 5 Aug 2024 07:00:54 +0000 (12:30 +0530)
committerJouni Malinen <j@w1.fi>
Mon, 5 Aug 2024 21:06:22 +0000 (00:06 +0300)
hostapd used to always enable only group 19 when SAE groups were not
configured explicitly in hostapd.conf. This may cause an undesired
connection delay with STAs that use group 20 as their primary group with
the SAE-EXT-KEY AKM during an SAE authentication attempt.

To avoid this, enable group 20 in default groups when AP supports
SAE-EXT-KEY and SAE groups have not been configured explicitly in
hostapd.conf.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
src/ap/ap_config.c
src/ap/ieee802_11.c

index c6aa496106134fec80d7dc5e7e6aaa5ca69f39b7..160809a27e151a308dd0118474a0b47d14b1c486 100644 (file)
@@ -491,6 +491,8 @@ int hostapd_setup_sae_pt(struct hostapd_bss_config *conf)
 #ifdef CONFIG_SAE
        struct hostapd_ssid *ssid = &conf->ssid;
        struct sae_password_entry *pw;
+       int *groups = conf->sae_groups;
+       int default_groups[] = { 19, 0, 0 };
 
        if ((conf->sae_pwe == SAE_PWE_HUNT_AND_PECK &&
             !hostapd_sae_pw_id_in_use(conf) &&
@@ -504,11 +506,18 @@ int hostapd_setup_sae_pt(struct hostapd_bss_config *conf)
                              conf->rsn_override_key_mgmt_2))
                return 0; /* PT not needed */
 
+       if (!groups) {
+               groups = default_groups;
+               if (wpa_key_mgmt_sae_ext_key(conf->wpa_key_mgmt |
+                                            conf->rsn_override_key_mgmt |
+                                            conf->rsn_override_key_mgmt_2))
+                       default_groups[1] = 20;
+       }
+
        sae_deinit_pt(ssid->pt);
        ssid->pt = NULL;
        if (ssid->wpa_passphrase) {
-               ssid->pt = sae_derive_pt(conf->sae_groups, ssid->ssid,
-                                        ssid->ssid_len,
+               ssid->pt = sae_derive_pt(groups, ssid->ssid, ssid->ssid_len,
                                         (const u8 *) ssid->wpa_passphrase,
                                         os_strlen(ssid->wpa_passphrase),
                                         NULL);
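Review bot: The `if (!groups)` block added before `sae_deinit_pt()` is the first of four identical copies of the default-group policy; the same lines are added to `sae_pick_next_group()`, `sae_is_group_enabled()` and `handle_auth_sae()` in src/ap/ieee802_11.c. The PTs derived at setup and the groups accepted at authentication time have to agree, so a later change applied to only some copies could leave the AP accepting a group for which no PT was derived, or deriving a PT for a group it then rejects. A single helper shared by both files, sketched below under a proposed name, keeps the policy in one place. `hostapd_setup_sae_pt()` starts and ends outside this hunk.

```c
/* Proposed helper (name is a suggestion): fill the group list used when
 * sae_groups is not configured. out must have room for three ints. */
int * hostapd_sae_default_groups(const struct hostapd_bss_config *conf,
				 int out[3])
{
	out[0] = 19;
	out[1] = 0;
	out[2] = 0; /* list terminator */
	if (wpa_key_mgmt_sae_ext_key(conf->wpa_key_mgmt |
				     conf->rsn_override_key_mgmt |
				     conf->rsn_override_key_mgmt_2))
		out[1] = 20;
	return out;
}

	/* ... unchanged: PT-not-needed early return ... */
	if (!groups)
		groups = hostapd_sae_default_groups(conf, default_groups);
```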
@@ -518,8 +527,7 @@ int hostapd_setup_sae_pt(struct hostapd_bss_config *conf)
 
        for (pw = conf->sae_passwords; pw; pw = pw->next) {
                sae_deinit_pt(pw->pt);
-               pw->pt = sae_derive_pt(conf->sae_groups, ssid->ssid,
-                                      ssid->ssid_len,
+               pw->pt = sae_derive_pt(groups, ssid->ssid, ssid->ssid_len,
                                       (const u8 *) pw->password,
                                       os_strlen(pw->password),
                                       pw->identifier);
index fd1de5ebcd63091fad5ab7888478fca23696b4f6..c1d3532bbdc44bc0005f69cef42378d37e3925d7 100644 (file)
@@ -1173,16 +1173,23 @@ static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta,
 static void sae_pick_next_group(struct hostapd_data *hapd, struct sta_info *sta)
 {
        struct sae_data *sae = sta->sae;
-       int i, *groups = hapd->conf->sae_groups;
-       int default_groups[] = { 19, 0 };
+       struct hostapd_bss_config *conf = hapd->conf;
+       int i, *groups = conf->sae_groups;
+       int default_groups[] = { 19, 0, 0 };
 
        if (sae->state != SAE_COMMITTED)
                return;
 
        wpa_printf(MSG_DEBUG, "SAE: Previously selected group: %d", sae->group);
 
-       if (!groups)
+       if (!groups) {
                groups = default_groups;
+               if (wpa_key_mgmt_sae_ext_key(conf->wpa_key_mgmt |
+                                            conf->rsn_override_key_mgmt |
+                                            conf->rsn_override_key_mgmt_2))
+                       default_groups[1] = 20;
+       }
+
        for (i = 0; groups[i] > 0; i++) {
                if (sae->group == groups[i])
                        break;
@@ -1247,12 +1254,18 @@ static int sae_status_success(struct hostapd_data *hapd, u16 status_code)
 
 static int sae_is_group_enabled(struct hostapd_data *hapd, int group)
 {
-       int *groups = hapd->conf->sae_groups;
-       int default_groups[] = { 19, 0 };
+       struct hostapd_bss_config *conf = hapd->conf;
+       int *groups = conf->sae_groups;
+       int default_groups[] = { 19, 0, 0 };
        int i;
 
-       if (!groups)
+       if (!groups) {
                groups = default_groups;
+               if (wpa_key_mgmt_sae_ext_key(conf->wpa_key_mgmt |
+                                            conf->rsn_override_key_mgmt |
+                                            conf->rsn_override_key_mgmt_2))
+                       default_groups[1] = 20;
+       }
 
        for (i = 0; groups[i] > 0; i++) {
                if (groups[i] == group)
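Review bot: `sae_is_group_enabled()` now applies a default group list that depends on the AKM configuration whenever `sae_groups` is unset, and nothing in the code states that, although the function appears to be the gate for the group a peer proposes. I would add above the array `/* Default: group 19, plus group 20 when SAE-EXT-KEY is enabled; the last entry is the 0 terminator */`. The file list for this commit shows only the two source files, so any description of the `sae_groups` default in the hostapd.conf documentation may still state a fixed group 19 and should be checked. The function body continues past the end of this hunk.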
@@ -1309,14 +1322,20 @@ static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta,
 {
        int resp = WLAN_STATUS_SUCCESS;
        struct wpabuf *data = NULL;
-       int *groups = hapd->conf->sae_groups;
-       int default_groups[] = { 19, 0 };
+       struct hostapd_bss_config *conf = hapd->conf;
+       int *groups = conf->sae_groups;
+       int default_groups[] = { 19, 0, 0 };
        const u8 *pos, *end;
        int sta_removed = 0;
        bool success_status;
 
-       if (!groups)
+       if (!groups) {
                groups = default_groups;
+               if (wpa_key_mgmt_sae_ext_key(conf->wpa_key_mgmt |
+                                            conf->rsn_override_key_mgmt |
+                                            conf->rsn_override_key_mgmt_2))
+                       default_groups[1] = 20;
+       }
 
 #ifdef CONFIG_TESTING_OPTIONS
        if (hapd->conf->sae_reflection_attack && auth_transaction == 1) {