SAE: Use defines for authentication transaction sequence number

Use defined values instead of hardcoded 1 and 2 for the authentication
transaction sequence number of the SAE commit and confirm messages. This
makes the implementation easier to read and has a bit more context on
uses of this field for SAE-specific vs. general (i.e., applied to all
authentication algorithms) cases.

Signed-off-by: Jouni Malinen <jouni.malinen@oss.qualcomm.com>

diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index df315a3a5a708416b5aed1f3ff5619ed207b3c55..01573da4f190c2ea863552c0b274def21d175dac 100644 (file)
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -400,7 +400,7 @@ static int send_auth_reply(struct hostapd_data *hapd, struct sta_info *sta,
 #ifdef CONFIG_SAE
        if (hapd->conf->sae_confirm_immediate == 2 &&
            auth_alg == WLAN_AUTH_SAE) {
-               if (auth_transaction == 1 && sta &&
+               if (auth_transaction == WLAN_AUTH_TR_SEQ_SAE_COMMIT && sta &&
                    (resp == WLAN_STATUS_SUCCESS ||
                     resp == WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
                     resp == WLAN_STATUS_SAE_PK)) {
@@ -412,7 +412,8 @@ static int send_auth_reply(struct hostapd_data *hapd, struct sta_info *sta,
                        return WLAN_STATUS_SUCCESS;
                }
 
-               if (auth_transaction == 2 && sta && sta->sae_postponed_commit) {
+               if (auth_transaction == WLAN_AUTH_TR_SEQ_SAE_CONFIRM &&
+                   sta && sta->sae_postponed_commit) {
                        wpa_printf(MSG_DEBUG,
                                   "TESTING: Send postponed SAE Commit first, immediately followed by SAE Confirm");
                        if (hostapd_drv_send_mlme(hapd,
@@ -1268,14 +1269,16 @@ static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta,
 
        *sta_removed = 0;
 
-       if (auth_transaction != 1 && auth_transaction != 2)
+       if (auth_transaction != WLAN_AUTH_TR_SEQ_SAE_COMMIT &&
+           auth_transaction != WLAN_AUTH_TR_SEQ_SAE_CONFIRM)
                return WLAN_STATUS_UNSPECIFIED_FAILURE;
 
        wpa_printf(MSG_DEBUG, "SAE: Peer " MACSTR " state=%s auth_trans=%u",
                   MAC2STR(sta->addr), sae_state_txt(sta->sae->state),
                   auth_transaction);
 
-       if (auth_transaction == 1 && sae_proto_instance_disabled(sta)) {
+       if (auth_transaction == WLAN_AUTH_TR_SEQ_SAE_COMMIT &&
+           sae_proto_instance_disabled(sta)) {
                wpa_printf(MSG_DEBUG,
                           "SAE: Protocol instance temporarily disabled - discard received SAE commit");
                return WLAN_STATUS_SUCCESS;
@@ -1283,7 +1286,7 @@ static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta,
 
        switch (sta->sae->state) {
        case SAE_NOTHING:
-               if (auth_transaction == 1) {
+               if (auth_transaction == WLAN_AUTH_TR_SEQ_SAE_COMMIT) {
                        struct sae_temporary_data *tmp = sta->sae->tmp;
                        bool immediate_confirm;
 
@@ -1376,7 +1379,7 @@ static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta,
                break;
        case SAE_COMMITTED:
                sae_clear_retransmit_timer(hapd, sta);
-               if (auth_transaction == 1) {
+               if (auth_transaction == WLAN_AUTH_TR_SEQ_SAE_COMMIT) {
                        if (sae_process_commit(sta->sae) < 0)
                                return WLAN_STATUS_UNSPECIFIED_FAILURE;
 
@@ -1423,7 +1426,7 @@ static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta,
                break;
        case SAE_CONFIRMED:
                sae_clear_retransmit_timer(hapd, sta);
-               if (auth_transaction == 1) {
+               if (auth_transaction == WLAN_AUTH_TR_SEQ_SAE_COMMIT) {
                        if (sae_check_big_sync(hapd, sta))
                                return WLAN_STATUS_SUCCESS;
                        sta->sae->sync++;
@@ -1446,7 +1449,7 @@ static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta,
                }
                break;
        case SAE_ACCEPTED:
-               if (auth_transaction == 1 &&
+               if (auth_transaction == WLAN_AUTH_TR_SEQ_SAE_COMMIT &&
                    (hapd->conf->mesh & MESH_ENABLED)) {
                        wpa_printf(MSG_DEBUG, "SAE: remove the STA (" MACSTR
                                   ") doing reauthentication",
@@ -1454,7 +1457,7 @@ static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta,
                        wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr);
                        ap_free_sta(hapd, sta);
                        *sta_removed = 1;
-               } else if (auth_transaction == 1) {
+               } else if (auth_transaction == WLAN_AUTH_TR_SEQ_SAE_COMMIT) {
                        wpa_printf(MSG_DEBUG, "SAE: Start reauthentication");
                        ret = auth_sae_send_commit(hapd, sta, 1, status_code);
                        if (ret)
@@ -1653,7 +1656,8 @@ static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta,
        }
 
 #ifdef CONFIG_TESTING_OPTIONS
-       if (hapd->conf->sae_reflection_attack && auth_transaction == 1) {
+       if (hapd->conf->sae_reflection_attack &&
+           auth_transaction == WLAN_AUTH_TR_SEQ_SAE_COMMIT) {
                wpa_printf(MSG_DEBUG, "SAE: TESTING - reflection attack");
                pos = mgmt->u.auth.variable;
                end = ((const u8 *) mgmt) + len;
@@ -1665,7 +1669,8 @@ static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta,
                goto remove_sta;
        }
 
-       if (hapd->conf->sae_commit_override && auth_transaction == 1) {
+       if (hapd->conf->sae_commit_override &&
+           auth_transaction == WLAN_AUTH_TR_SEQ_SAE_COMMIT) {
                wpa_printf(MSG_DEBUG, "SAE: TESTING - commit override");
                send_auth_reply(hapd, sta, sta->addr,
                                WLAN_AUTH_SAE,
@@ -1677,7 +1682,7 @@ static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta,
        }
 #endif /* CONFIG_TESTING_OPTIONS */
        if (!sta->sae) {
-               if (auth_transaction != 1 ||
+               if (auth_transaction != WLAN_AUTH_TR_SEQ_SAE_COMMIT ||
                    !sae_status_success(hapd, status_code)) {
                        wpa_printf(MSG_DEBUG, "SAE: Unexpected Status Code %u",
                                   status_code);
@@ -1702,7 +1707,7 @@ static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta,
                sta->mesh_sae_pmksa_caching = 0;
        }
 
-       if (auth_transaction == 1) {
+       if (auth_transaction == WLAN_AUTH_TR_SEQ_SAE_COMMIT) {
                const u8 *token = NULL;
                size_t token_len = 0;
                int allow_reuse = 0;
@@ -1884,7 +1889,7 @@ static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta,
 
                resp = sae_sm_step(hapd, sta, auth_transaction,
                                   status_code, allow_reuse, &sta_removed);
-       } else if (auth_transaction == 2) {
+       } else if (auth_transaction == WLAN_AUTH_TR_SEQ_SAE_CONFIRM) {
                hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
                               HOSTAPD_LEVEL_DEBUG,
                               "SAE authentication (RX confirm, status=%u (%s))",
@@ -1970,7 +1975,7 @@ reply:
        }
 
 remove_sta:
-       if (auth_transaction == 1)
+       if (auth_transaction == WLAN_AUTH_TR_SEQ_SAE_COMMIT)
                success_status = sae_status_success(hapd, status_code);
        else
                success_status = status_code == WLAN_STATUS_SUCCESS;
@@ -2170,7 +2175,8 @@ void handle_auth_fils(struct hostapd_data *hapd, struct sta_info *sta,
        struct wpa_ie_data rsn;
        struct rsn_pmksa_cache_entry *pmksa = NULL;
 
-       if (auth_transaction != 1 || status_code != WLAN_STATUS_SUCCESS)
+       if (auth_transaction != WLAN_AUTH_TR_SEQ_SAE_COMMIT ||
+           status_code != WLAN_STATUS_SUCCESS)
                return;
 
        end = pos + len;
@@ -3487,8 +3493,9 @@ static void handle_auth(struct hostapd_data *hapd,
 
 #ifdef CONFIG_SAE
        if (auth_alg == WLAN_AUTH_SAE && !from_queue &&
-           (auth_transaction == 1 ||
-            (auth_transaction == 2 && auth_sae_queued_addr(hapd, sa)))) {
+           (auth_transaction == WLAN_AUTH_TR_SEQ_SAE_COMMIT ||
+            (auth_transaction == WLAN_AUTH_TR_SEQ_SAE_CONFIRM &&
+             auth_sae_queued_addr(hapd, sa)))) {
                /* Handle SAE Authentication commit message through a queue to
                 * provide more control for postponing the needed heavy
                 * processing under a possible DoS attack scenario. In addition,
@@ -7007,7 +7014,8 @@ static void handle_auth_cb(struct hostapd_data *hapd,
 fail:
        success_status = status_code == WLAN_STATUS_SUCCESS;
 #ifdef CONFIG_SAE
-       if (auth_alg == WLAN_AUTH_SAE && auth_transaction == 1)
+       if (auth_alg == WLAN_AUTH_SAE &&
+           auth_transaction == WLAN_AUTH_TR_SEQ_SAE_COMMIT)
                success_status = sae_status_success(hapd, status_code);
 #endif /* CONFIG_SAE */
        if (!success_status && sta->added_unassoc) {

diff --git a/src/ap/ieee802_11_eht.c b/src/ap/ieee802_11_eht.c
index 9c8655e7ab506d39a8c541e77cf327686562b6e9..0a82a33e6731f4ffb75a0dd27a5c01f5a3d79d57 100644 (file)
--- a/src/ap/ieee802_11_eht.c
+++ b/src/ap/ieee802_11_eht.c
@@ -1062,7 +1062,7 @@ static const u8 * auth_skip_fixed_fields(struct hostapd_data *hapd,
                return pos;
 #ifdef CONFIG_SAE
        case WLAN_AUTH_SAE:
-               if (auth_transaction == 1) {
+               if (auth_transaction == WLAN_AUTH_TR_SEQ_SAE_COMMIT) {
                        if (status_code == WLAN_STATUS_SUCCESS) {
                                wpa_printf(MSG_DEBUG,
                                           "EHT: SAE H2E is mandatory for MLD");
@@ -1071,7 +1071,7 @@ static const u8 * auth_skip_fixed_fields(struct hostapd_data *hapd,
 
                        return sae_commit_skip_fixed_fields(mgmt, len, pos,
                                                            status_code);
-               } else if (auth_transaction == 2) {
+               } else if (auth_transaction == WLAN_AUTH_TR_SEQ_SAE_CONFIRM) {
                        return sae_confirm_skip_fixed_fields(hapd, mgmt, len,
                                                             pos, status_code);
                }

diff --git a/src/common/ieee802_11_defs.h b/src/common/ieee802_11_defs.h
index d969f05037cfde23af0a3de3c869a7beadd887b0..33f9c34d1f0e207f8fef089b5ea36ca12ed2adbc 100644 (file)
--- a/src/common/ieee802_11_defs.h
+++ b/src/common/ieee802_11_defs.h
@@ -100,6 +100,10 @@
 #define WLAN_AUTH_PASN                 7
 #define WLAN_AUTH_LEAP                 128
 
+/* Authentication transaction sequence number */
+#define WLAN_AUTH_TR_SEQ_SAE_COMMIT 1
+#define WLAN_AUTH_TR_SEQ_SAE_CONFIRM 2
+
 #define WLAN_AUTH_CHALLENGE_LEN 128
 
 /* IEEE Std 802.11-2024, 9.4.1.4 (Capability Information field) */

diff --git a/src/pasn/pasn_initiator.c b/src/pasn/pasn_initiator.c
index 9a46e0a4ae3ebbd46fe06a492839d784f2d00fe5..7bf6e62325bd5101d7fc993c0fef89ca93e1b5d6 100644 (file)
--- a/src/pasn/pasn_initiator.c
+++ b/src/pasn/pasn_initiator.c
@@ -522,7 +522,7 @@ static struct wpabuf * wpas_pasn_get_wrapped_data(struct pasn_data *pasn)
 #ifdef CONFIG_SAE
                if (pasn->trans_seq == 0)
                        return wpas_pasn_wd_sae_commit(pasn);
-               if (pasn->trans_seq == 2)
+               if (pasn->trans_seq == WLAN_AUTH_TR_SEQ_SAE_CONFIRM)
                        return wpas_pasn_wd_sae_confirm(pasn);
 #endif /* CONFIG_SAE */
                wpa_printf(MSG_ERROR,

diff --git a/wlantest/rx_mgmt.c b/wlantest/rx_mgmt.c
index c2f2c47a06557d7d1a973dba61ea7eaad6d0e32e..13c6cf92150c191c43e905bbe4a614b536c0f2cb 100644 (file)
--- a/wlantest/rx_mgmt.c
+++ b/wlantest/rx_mgmt.c
@@ -1136,7 +1136,7 @@ static void process_sae_auth(struct wlantest *wt, struct wlantest_bss *bss,
                return;
 
        trans = le_to_host16(mgmt->u.auth.auth_transaction);
-       if (trans != 1)
+       if (trans != WLAN_AUTH_TR_SEQ_SAE_COMMIT)
                return;
 
        status = le_to_host16(mgmt->u.auth.status_code);
@@ -1188,7 +1188,8 @@ static void rx_mgmt_auth(struct wlantest *wt, const u8 *data, size_t len)
 
        if (status == WLAN_STATUS_SUCCESS &&
            ((alg == WLAN_AUTH_OPEN && trans == 2) ||
-            (alg == WLAN_AUTH_SAE && trans == 2 && from_ap))) {
+            (alg == WLAN_AUTH_SAE && trans == WLAN_AUTH_TR_SEQ_SAE_CONFIRM &&
+             from_ap))) {
                if (sta->state == STATE1) {
                        add_note(wt, MSG_DEBUG, "STA " MACSTR
                                 " moved to State 2 with " MACSTR,

diff --git a/wpa_supplicant/sme.c b/wpa_supplicant/sme.c
index 51dc3b386317eaac565ead0504036cb252b382ad..860b75f92324a1197dd70b3efcbb8ddbfdc29397 100644 (file)
--- a/wpa_supplicant/sme.c
+++ b/wpa_supplicant/sme.c
@@ -1685,7 +1685,7 @@ static int sme_sae_auth(struct wpa_supplicant *wpa_s, u16 auth_transaction,
        wpa_dbg(wpa_s, MSG_DEBUG, "SME: SAE authentication transaction %u "
                "status code %u", auth_transaction, status_code);
 
-       if (auth_transaction == 1 &&
+       if (auth_transaction == WLAN_AUTH_TR_SEQ_SAE_COMMIT &&
            status_code == WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ &&
            wpa_s->sme.sae.state == SAE_COMMITTED &&
            ((external && wpa_s->sme.ext_auth_wpa_ssid) ||
@@ -1794,7 +1794,7 @@ static int sme_sae_auth(struct wpa_supplicant *wpa_s, u16 auth_transaction,
                return 0;
        }
 
-       if (auth_transaction == 1 &&
+       if (auth_transaction == WLAN_AUTH_TR_SEQ_SAE_COMMIT &&
            status_code == WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED &&
            wpa_s->sme.sae.state == SAE_COMMITTED &&
            ((external && wpa_s->sme.ext_auth_wpa_ssid) ||
@@ -1822,7 +1822,7 @@ static int sme_sae_auth(struct wpa_supplicant *wpa_s, u16 auth_transaction,
                return 0;
        }
 
-       if (auth_transaction == 1 &&
+       if (auth_transaction == WLAN_AUTH_TR_SEQ_SAE_COMMIT &&
            status_code == WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER) {
                const u8 *bssid = sa ? sa : wpa_s->pending_bssid;
                struct wpa_ssid *ssid = wpa_s->current_ssid;
@@ -1861,7 +1861,7 @@ static int sme_sae_auth(struct wpa_supplicant *wpa_s, u16 auth_transaction,
                return -2;
        }
 
-       if (auth_transaction == 1) {
+       if (auth_transaction == WLAN_AUTH_TR_SEQ_SAE_COMMIT) {
                u16 res;
 
                groups = wpa_s->conf->sae_groups;
@@ -1935,7 +1935,7 @@ static int sme_sae_auth(struct wpa_supplicant *wpa_s, u16 auth_transaction,
                        sme_external_auth_send_sae_confirm(wpa_s, sa);
                }
                return 0;
-       } else if (auth_transaction == 2) {
+       } else if (auth_transaction == WLAN_AUTH_TR_SEQ_SAE_CONFIRM) {
                if (status_code != WLAN_STATUS_SUCCESS)
                        return -1;
                wpa_dbg(wpa_s, MSG_DEBUG, "SME SAE confirm");
@@ -2090,7 +2090,8 @@ void sme_event_auth(struct wpa_supplicant *wpa_s, union wpa_event_data *data)
                                   data->auth.ies_len, 0, data->auth.peer,
                                   &ie_offset);
                if (res < 0) {
-                       if (data->auth.auth_transaction == 2 &&
+                       if (data->auth.auth_transaction ==
+                           WLAN_AUTH_TR_SEQ_SAE_CONFIRM &&
                            data->auth.status_code ==
                            WLAN_STATUS_CHALLENGE_FAIL)
                                wpas_notify_sae_password_mismatch(wpa_s);