diff mbox series

[v2,08/18] sae: support reception of Confirm frame by AP

Message ID 20240506003518.320176-9-brandtwjohn@gmail.com (mailing list archive)
State New
Headers show
Series Basic WPA3 support in AP mode | expand

Checks

Context Check Description
tedd_an/pre-ci_am success Success
prestwoj/iwd-ci-gitlint success GitLint

Commit Message

John Brandt May 6, 2024, 12:30 a.m. UTC 
Experimental AP-mode support for receiving a Confirm frame when in the
COMMITTED state. The AP will reply with a Confirm frame.

Note that when acting as an AP, on reception of a Commit frame, the AP
only replies with a Commit frame. The protocols allows to also already
send the Confirm frame, but older clients may not support simultaneously
receiving a Commit and Confirm frame.
---
 src/sae.c | 48 +++++++++++++++++++++++++++++++++++-------------
 1 file changed, 35 insertions(+), 13 deletions(-)

Comments

Denis Kenzior May 7, 2024, 3:51 p.m. UTC | #1 
Hi John,

On 5/5/24 7:30 PM, John Brandt wrote:
> Experimental AP-mode support for receiving a Confirm frame when in the
> COMMITTED state. The AP will reply with a Confirm frame.
> 
> Note that when acting as an AP, on reception of a Commit frame, the AP
> only replies with a Commit frame. The protocols allows to also already
> send the Confirm frame, but older clients may not support simultaneously
> receiving a Commit and Confirm frame.
> ---
>   src/sae.c | 48 +++++++++++++++++++++++++++++++++++-------------
>   1 file changed, 35 insertions(+), 13 deletions(-)
> 

I went ahead and applied this patch as well after re-flowing some lines that 
were > 80 characters.

Regards,
-Denis
diff mbox series

Patch

diff --git a/src/sae.c b/src/sae.c
index 7405a561..3ad28fab 100644
--- a/src/sae.c
+++ b/src/sae.c
@@ -930,9 +930,13 @@  static int sae_process_confirm(struct sae_sm *sm, const uint8_t *from,
 
 	sm->state = SAE_STATE_ACCEPTED;
 
-	sae_debug("Sending Associate to "MAC, MAC_STR(sm->handshake->aa));
-
-	sm->tx_assoc(sm->user_data);
+	if (!sm->handshake->authenticator) {
+		sae_debug("Sending Associate to "MAC, MAC_STR(sm->handshake->aa));
+		sm->tx_assoc(sm->user_data);
+	} else {
+		if (!sae_send_confirm(sm))
+			return -EPROTO;
+	}
 
 	return 0;
 }
@@ -1083,16 +1087,34 @@  static int sae_verify_committed(struct sae_sm *sm, uint16_t transaction,
 	unsigned int skip;
 	struct ie_tlv_iter iter;
 
-	/*
-	 * Upon receipt of a Con event...
-	 * Then the protocol instance checks the value of Sync. If it
-	 * is greater than dot11RSNASAESync, the protocol instance shall send a
-	 * Del event to the parent process and transition back to Nothing state.
-	 * If Sync is not greater than dot11RSNASAESync, the protocol instance
-	 * shall increment Sync, transmit the last SAE Commit message sent to
-	 * the peer...
-	 */
-	if (transaction == SAE_STATE_CONFIRMED) {
+	if (sm->handshake->authenticator && transaction == SAE_STATE_CONFIRMED) {
+		enum l_checksum_type hash =
+			crypto_sae_hash_from_ecc_prime_len(sm->sae_type,
+				l_ecc_curve_get_scalar_bytes(sm->curve));
+		size_t hash_len = l_checksum_digest_length(hash);
+
+		if (len < hash_len + 2) {
+			l_error("SAE: Confirm packet too short");
+			return -EBADMSG;
+		}
+
+		/*
+		 * TODO: Add extra functionality such as supporting anti-clogging
+		 * tokens and tracking rejected groups. Note that the cryptographic
+		 * confirm field value will be checked at a later point.
+		 */
+
+		return 0;
+	} else if (transaction == SAE_STATE_CONFIRMED) {
+		/*
+		 * Upon receipt of a Con event...
+		 * Then the protocol instance checks the value of Sync. If it
+		 * is greater than dot11RSNASAESync, the protocol instance shall send a
+		 * Del event to the parent process and transition back to Nothing state.
+		 * If Sync is not greater than dot11RSNASAESync, the protocol instance
+		 * shall increment Sync, transmit the last SAE Commit message sent to
+		 * the peer...
+		 */
 		if (sm->sync > SAE_SYNC_MAX)
 			return -ETIMEDOUT;