From: Jouni Malinen Date: Tue, 2 Dec 2025 13:37:54 +0000 (+0200) Subject: SAE: Use defines for authentication transaction sequence number X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fa4f2fc969c5f88e47a75fd6e72c1ab777018a6d;p=thirdparty%2Fhostap.git SAE: Use defines for authentication transaction sequence number Use defined values instead of hardcoded 1 and 2 for the authentication transaction sequence number of the SAE commit and confirm messages. This makes the implementation easier to read and has a bit more context on uses of this field for SAE-specific vs. general (i.e., applied to all authentication algorithms) cases. Signed-off-by: Jouni Malinen --- diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c index df315a3a5..01573da4f 100644 --- a/src/ap/ieee802_11.c +++ b/src/ap/ieee802_11.c @@ -400,7 +400,7 @@ static int send_auth_reply(struct hostapd_data *hapd, struct sta_info *sta, #ifdef CONFIG_SAE if (hapd->conf->sae_confirm_immediate == 2 && auth_alg == WLAN_AUTH_SAE) { - if (auth_transaction == 1 && sta && + if (auth_transaction == WLAN_AUTH_TR_SEQ_SAE_COMMIT && sta && (resp == WLAN_STATUS_SUCCESS || resp == WLAN_STATUS_SAE_HASH_TO_ELEMENT || resp == WLAN_STATUS_SAE_PK)) { @@ -412,7 +412,8 @@ static int send_auth_reply(struct hostapd_data *hapd, struct sta_info *sta, return WLAN_STATUS_SUCCESS; } - if (auth_transaction == 2 && sta && sta->sae_postponed_commit) { + if (auth_transaction == WLAN_AUTH_TR_SEQ_SAE_CONFIRM && + sta && sta->sae_postponed_commit) { wpa_printf(MSG_DEBUG, "TESTING: Send postponed SAE Commit first, immediately followed by SAE Confirm"); if (hostapd_drv_send_mlme(hapd, 
@@ -1268,14 +1269,16 @@ static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta, *sta_removed = 0; - if (auth_transaction != 1 && auth_transaction != 2) + if (auth_transaction != WLAN_AUTH_TR_SEQ_SAE_COMMIT && + auth_transaction != WLAN_AUTH_TR_SEQ_SAE_CONFIRM) return WLAN_STATUS_UNSPECIFIED_FAILURE; wpa_printf(MSG_DEBUG, "SAE: Peer " MACSTR " state=%s auth_trans=%u", MAC2STR(sta->addr), sae_state_txt(sta->sae->state), auth_transaction); - if (auth_transaction == 1 && sae_proto_instance_disabled(sta)) { + if (auth_transaction == WLAN_AUTH_TR_SEQ_SAE_COMMIT && + sae_proto_instance_disabled(sta)) { wpa_printf(MSG_DEBUG, "SAE: Protocol instance temporarily disabled - discard received SAE commit"); return WLAN_STATUS_SUCCESS; @@ -1283,7 +1286,7 @@ static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta, switch (sta->sae->state) { case SAE_NOTHING: - if (auth_transaction == 1) { + if (auth_transaction == WLAN_AUTH_TR_SEQ_SAE_COMMIT) { struct sae_temporary_data *tmp = sta->sae->tmp; bool immediate_confirm; @@ -1376,7 +1379,7 @@ static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta, break; case SAE_COMMITTED: sae_clear_retransmit_timer(hapd, sta); - if (auth_transaction == 1) { + if (auth_transaction == WLAN_AUTH_TR_SEQ_SAE_COMMIT) { if (sae_process_commit(sta->sae) < 0) return WLAN_STATUS_UNSPECIFIED_FAILURE; @@ -1423,7 +1426,7 @@ static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta, break; case SAE_CONFIRMED: sae_clear_retransmit_timer(hapd, sta); - if (auth_transaction == 1) { + if (auth_transaction == WLAN_AUTH_TR_SEQ_SAE_COMMIT) { if (sae_check_big_sync(hapd, sta)) return WLAN_STATUS_SUCCESS; sta->sae->sync++; 
@@ -1446,7 +1449,7 @@ static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta, } break; case SAE_ACCEPTED: - if (auth_transaction == 1 && + if (auth_transaction == WLAN_AUTH_TR_SEQ_SAE_COMMIT && (hapd->conf->mesh & MESH_ENABLED)) { wpa_printf(MSG_DEBUG, "SAE: remove the STA (" MACSTR ") doing reauthentication", @@ -1454,7 +1457,7 @@ static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta, wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr); ap_free_sta(hapd, sta); *sta_removed = 1; - } else if (auth_transaction == 1) { + } else if (auth_transaction == WLAN_AUTH_TR_SEQ_SAE_COMMIT) { wpa_printf(MSG_DEBUG, "SAE: Start reauthentication"); ret = auth_sae_send_commit(hapd, sta, 1, status_code); if (ret) @@ -1653,7 +1656,8 @@ static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta, } #ifdef CONFIG_TESTING_OPTIONS - if (hapd->conf->sae_reflection_attack && auth_transaction == 1) { + if (hapd->conf->sae_reflection_attack && + auth_transaction == WLAN_AUTH_TR_SEQ_SAE_COMMIT) { wpa_printf(MSG_DEBUG, "SAE: TESTING - reflection attack"); pos = mgmt->u.auth.variable; end = ((const u8 *) mgmt) + len; @@ -1665,7 +1669,8 @@ static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta, goto remove_sta; } - if (hapd->conf->sae_commit_override && auth_transaction == 1) { + if (hapd->conf->sae_commit_override && + auth_transaction == WLAN_AUTH_TR_SEQ_SAE_COMMIT) { wpa_printf(MSG_DEBUG, "SAE: TESTING - commit override"); send_auth_reply(hapd, sta, sta->addr, WLAN_AUTH_SAE, @@ -1677,7 +1682,7 @@ static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta, } #endif /* CONFIG_TESTING_OPTIONS */ if (!sta->sae) { - if (auth_transaction != 1 || + if (auth_transaction != WLAN_AUTH_TR_SEQ_SAE_COMMIT || !sae_status_success(hapd, status_code)) { wpa_printf(MSG_DEBUG, "SAE: Unexpected Status Code %u", status_code); 
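Review bot: In the `handle_auth_sae()` hunk at `-1677,7`, the `!sta->sae` branch rejects the frame when either `auth_transaction != WLAN_AUTH_TR_SEQ_SAE_COMMIT` or `!sae_status_success(hapd, status_code)` holds, but the debug message that follows reports only the status code. A Confirm frame (transaction 2) arriving without SAE state is therefore logged as "Unexpected Status Code" with a status value that may be perfectly valid, which makes out-of-sequence frames harder to spot in logs. Now that the condition names the expected message type, I would log both fields, e.g. `wpa_printf(MSG_DEBUG, "SAE: Unexpected auth_transaction %u or Status Code %u", auth_transaction, status_code);`. Check first whether any test scripts match on the current text. The rest of the branch lies outside the hunk.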
@@ -1702,7 +1707,7 @@ static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta, sta->mesh_sae_pmksa_caching = 0; } - if (auth_transaction == 1) { + if (auth_transaction == WLAN_AUTH_TR_SEQ_SAE_COMMIT) { const u8 *token = NULL; size_t token_len = 0; int allow_reuse = 0; @@ -1884,7 +1889,7 @@ static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta, resp = sae_sm_step(hapd, sta, auth_transaction, status_code, allow_reuse, &sta_removed); - } else if (auth_transaction == 2) { + } else if (auth_transaction == WLAN_AUTH_TR_SEQ_SAE_CONFIRM) { hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, HOSTAPD_LEVEL_DEBUG, "SAE authentication (RX confirm, status=%u (%s))", @@ -1970,7 +1975,7 @@ reply: } remove_sta: - if (auth_transaction == 1) + if (auth_transaction == WLAN_AUTH_TR_SEQ_SAE_COMMIT) success_status = sae_status_success(hapd, status_code); else success_status = status_code == WLAN_STATUS_SUCCESS; @@ -2170,7 +2175,8 @@ void handle_auth_fils(struct hostapd_data *hapd, struct sta_info *sta, struct wpa_ie_data rsn; struct rsn_pmksa_cache_entry *pmksa = NULL; - if (auth_transaction != 1 || status_code != WLAN_STATUS_SUCCESS) + if (auth_transaction != WLAN_AUTH_TR_SEQ_SAE_COMMIT || + status_code != WLAN_STATUS_SUCCESS) return; end = pos + len; @@ -3487,8 +3493,9 @@ static void handle_auth(struct hostapd_data *hapd, #ifdef CONFIG_SAE if (auth_alg == WLAN_AUTH_SAE && !from_queue && - (auth_transaction == 1 || - (auth_transaction == 2 && auth_sae_queued_addr(hapd, sa)))) { + (auth_transaction == WLAN_AUTH_TR_SEQ_SAE_COMMIT || + (auth_transaction == WLAN_AUTH_TR_SEQ_SAE_CONFIRM && + auth_sae_queued_addr(hapd, sa)))) { /* Handle SAE Authentication commit message through a queue to * provide more control for postponing the needed heavy * processing under a possible DoS attack scenario. In addition, 
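Review bot: In the `handle_auth_fils()` hunk of src/ap/ieee802_11.c, the new check compares a FILS frame's transaction number against `WLAN_AUTH_TR_SEQ_SAE_COMMIT`, an SAE-specific name, although the commit description sets out to separate SAE-specific uses of this field from general ones. The value is still 1, so behaviour is unchanged, but anyone auditing SAE input validation by searching for the define now lands in a FILS path, and the FILS check depends on a definition it has nothing to do with. I would keep the literal here, `if (auth_transaction != 1 || status_code != WLAN_STATUS_SUCCESS)`, or add an algorithm-neutral define for the first frame of an exchange. The same applies to `wpas_pasn_get_wrapped_data()` in src/pasn/pasn_initiator.c, where `pasn->trans_seq` appears to be the PASN frame counter (the commit case right above it tests `== 0`) rather than an SAE transaction number, so `WLAN_AUTH_TR_SEQ_SAE_CONFIRM` matches only by coincidence of value. The body of `handle_auth_fils()` continues outside the hunk.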
@@ -7007,7 +7014,8 @@ static void handle_auth_cb(struct hostapd_data *hapd, fail: success_status = status_code == WLAN_STATUS_SUCCESS; #ifdef CONFIG_SAE - if (auth_alg == WLAN_AUTH_SAE && auth_transaction == 1) + if (auth_alg == WLAN_AUTH_SAE && + auth_transaction == WLAN_AUTH_TR_SEQ_SAE_COMMIT) success_status = sae_status_success(hapd, status_code); #endif /* CONFIG_SAE */ if (!success_status && sta->added_unassoc) { diff --git a/src/ap/ieee802_11_eht.c b/src/ap/ieee802_11_eht.c index 9c8655e7a..0a82a33e6 100644 --- a/src/ap/ieee802_11_eht.c +++ b/src/ap/ieee802_11_eht.c @@ -1062,7 +1062,7 @@ static const u8 * auth_skip_fixed_fields(struct hostapd_data *hapd, return pos; #ifdef CONFIG_SAE case WLAN_AUTH_SAE: - if (auth_transaction == 1) { + if (auth_transaction == WLAN_AUTH_TR_SEQ_SAE_COMMIT) { if (status_code == WLAN_STATUS_SUCCESS) { wpa_printf(MSG_DEBUG, "EHT: SAE H2E is mandatory for MLD"); @@ -1071,7 +1071,7 @@ static const u8 * auth_skip_fixed_fields(struct hostapd_data *hapd, return sae_commit_skip_fixed_fields(mgmt, len, pos, status_code); - } else if (auth_transaction == 2) { + } else if (auth_transaction == WLAN_AUTH_TR_SEQ_SAE_CONFIRM) { return sae_confirm_skip_fixed_fields(hapd, mgmt, len, pos, status_code); } diff --git a/src/common/ieee802_11_defs.h b/src/common/ieee802_11_defs.h index d969f0503..33f9c34d1 100644 --- a/src/common/ieee802_11_defs.h +++ b/src/common/ieee802_11_defs.h @@ -100,6 +100,10 @@ #define WLAN_AUTH_PASN 7 #define WLAN_AUTH_LEAP 128 +/* Authentication transaction sequence number */ +#define WLAN_AUTH_TR_SEQ_SAE_COMMIT 1 +#define WLAN_AUTH_TR_SEQ_SAE_CONFIRM 2 + #define WLAN_AUTH_CHALLENGE_LEN 128 /* IEEE Std 802.11-2024, 9.4.1.4 (Capability Information field) */ diff --git a/src/pasn/pasn_initiator.c b/src/pasn/pasn_initiator.c index 9a46e0a4a..7bf6e6232 100644 --- a/src/pasn/pasn_initiator.c +++ b/src/pasn/pasn_initiator.c 
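Review bot: The comment added above the two defines in src/common/ieee802_11_defs.h, `/* Authentication transaction sequence number */`, does not say that the values are specific to SAE, while the names and most call sites in this commit treat them that way (the `alg == WLAN_AUTH_OPEN && trans == 2` check in wlantest is left as a literal). I would make the scope explicit, for example `/* Authentication transaction sequence number values for SAE: 1 = SAE Commit, 2 = SAE Confirm */`, and add the IEEE Std 802.11 clause reference in the style of the neighbouring comments. That discourages later changes from reusing the SAE names for other authentication algorithms whose frame numbering only happens to overlap.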
@@ -522,7 +522,7 @@ static struct wpabuf * wpas_pasn_get_wrapped_data(struct pasn_data *pasn) #ifdef CONFIG_SAE if (pasn->trans_seq == 0) return wpas_pasn_wd_sae_commit(pasn); - if (pasn->trans_seq == 2) + if (pasn->trans_seq == WLAN_AUTH_TR_SEQ_SAE_CONFIRM) return wpas_pasn_wd_sae_confirm(pasn); #endif /* CONFIG_SAE */ wpa_printf(MSG_ERROR, diff --git a/wlantest/rx_mgmt.c b/wlantest/rx_mgmt.c index c2f2c47a0..13c6cf921 100644 --- a/wlantest/rx_mgmt.c +++ b/wlantest/rx_mgmt.c @@ -1136,7 +1136,7 @@ static void process_sae_auth(struct wlantest *wt, struct wlantest_bss *bss, return; trans = le_to_host16(mgmt->u.auth.auth_transaction); - if (trans != 1) + if (trans != WLAN_AUTH_TR_SEQ_SAE_COMMIT) return; status = le_to_host16(mgmt->u.auth.status_code); @@ -1188,7 +1188,8 @@ static void rx_mgmt_auth(struct wlantest *wt, const u8 *data, size_t len) if (status == WLAN_STATUS_SUCCESS && ((alg == WLAN_AUTH_OPEN && trans == 2) || - (alg == WLAN_AUTH_SAE && trans == 2 && from_ap))) { + (alg == WLAN_AUTH_SAE && trans == WLAN_AUTH_TR_SEQ_SAE_CONFIRM && + from_ap))) { if (sta->state == STATE1) { add_note(wt, MSG_DEBUG, "STA " MACSTR " moved to State 2 with " MACSTR, diff --git a/wpa_supplicant/sme.c b/wpa_supplicant/sme.c index 51dc3b386..860b75f92 100644 --- a/wpa_supplicant/sme.c +++ b/wpa_supplicant/sme.c @@ -1685,7 +1685,7 @@ static int sme_sae_auth(struct wpa_supplicant *wpa_s, u16 auth_transaction, wpa_dbg(wpa_s, MSG_DEBUG, "SME: SAE authentication transaction %u " "status code %u", auth_transaction, status_code); - if (auth_transaction == 1 && + if (auth_transaction == WLAN_AUTH_TR_SEQ_SAE_COMMIT && status_code == WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ && wpa_s->sme.sae.state == SAE_COMMITTED && ((external && wpa_s->sme.ext_auth_wpa_ssid) || 
@@ -1794,7 +1794,7 @@ static int sme_sae_auth(struct wpa_supplicant *wpa_s, u16 auth_transaction, return 0; } - if (auth_transaction == 1 && + if (auth_transaction == WLAN_AUTH_TR_SEQ_SAE_COMMIT && status_code == WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED && wpa_s->sme.sae.state == SAE_COMMITTED && ((external && wpa_s->sme.ext_auth_wpa_ssid) || @@ -1822,7 +1822,7 @@ static int sme_sae_auth(struct wpa_supplicant *wpa_s, u16 auth_transaction, return 0; } - if (auth_transaction == 1 && + if (auth_transaction == WLAN_AUTH_TR_SEQ_SAE_COMMIT && status_code == WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER) { const u8 *bssid = sa ? sa : wpa_s->pending_bssid; struct wpa_ssid *ssid = wpa_s->current_ssid; @@ -1861,7 +1861,7 @@ static int sme_sae_auth(struct wpa_supplicant *wpa_s, u16 auth_transaction, return -2; } - if (auth_transaction == 1) { + if (auth_transaction == WLAN_AUTH_TR_SEQ_SAE_COMMIT) { u16 res; groups = wpa_s->conf->sae_groups; @@ -1935,7 +1935,7 @@ static int sme_sae_auth(struct wpa_supplicant *wpa_s, u16 auth_transaction, sme_external_auth_send_sae_confirm(wpa_s, sa); } return 0; - } else if (auth_transaction == 2) { + } else if (auth_transaction == WLAN_AUTH_TR_SEQ_SAE_CONFIRM) { if (status_code != WLAN_STATUS_SUCCESS) return -1; wpa_dbg(wpa_s, MSG_DEBUG, "SME SAE confirm"); @@ -2090,7 +2090,8 @@ void sme_event_auth(struct wpa_supplicant *wpa_s, union wpa_event_data *data) data->auth.ies_len, 0, data->auth.peer, &ie_offset); if (res < 0) { - if (data->auth.auth_transaction == 2 && + if (data->auth.auth_transaction == + WLAN_AUTH_TR_SEQ_SAE_CONFIRM && data->auth.status_code == WLAN_STATUS_CHALLENGE_FAIL) wpas_notify_sae_password_mismatch(wpa_s);