(sending this mail again with signed-off-by tag)
Hello,
When STA password check fails in wpa3 AP, there's an ambiguous response "WLAN_STATUS_UNSPECIFIED_FAILURE" in hostapd. There's a pre-defined status "CHALLENGE_FAILURE" in standard for this case.
IEEE 802.11-2022 says that status code CHALLENGE_FAILURE, needs to be sent in case the verification action fails for SAE-CONFIRM frame from a STA:"An SAE Confirm message, with a status code not equal to SUCCESS, shall indicate that a peer rejects a previously sent SAE Confirm message. An SAE Confirm message that was not successfully verified is indicated with a status code of CHALLENGE_FAILURE" .
Hostapd, however, does not implement this status code. In ieee802_11.c the function “sae_check_confirm” is called and in case of verification failure (-1 is returned), the response is set to WLAN_STATUS_UNSPECIFIED_FAILURE (status code = 1). This is not correct and should be modified as:
diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index 761abd7ce..f211dbc5c 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -1561,7 +1561,7 @@ static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta,
}
if (sae_check_confirm(sta->sae, var, var_len) < 0) {
- resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
+ resp = WLAN_STATUS_CHALLENGE_FAIL;
goto reply;
}
sta->sae->rc = peer_send_confirm;
Signed-off-by: Koen Van Oost <koen.vanoost@xxxxxxxxxxx>
Signed-off-by: Mert Ekren <mert.ekren@xxxxxxxxxxx>
=============
From: Jouni Malinen <j@xxxxx>
Sent: Saturday, November 5, 2022 1:54 PM
To: Mert Ekren <mert.ekren@xxxxxxxxxxx>
Cc: hostap@xxxxxxxxxxxxxxxxxxx <hostap@xxxxxxxxxxxxxxxxxxx>
Subject: Re: [PATCH] hostapd: SAE check confirm fail status code
On Tue, Oct 25, 2022 at 06:29:10AM +0000, Mert Ekren wrote:
> When STA password check fails in wpa3 AP, there's an ambiguous response "WLAN_STATUS_UNSPECIFIED_FAILURE" in hostapd. There's a pre-defined status "CHALLENGE_FAILURE" in standard for this case.
>
> IEEE 802.11-2022 says that status code CHALLENGE_FAILURE, needs to be sent in case the verification action fails for SAE-CONFIRM frame from a STA:"An SAE Confirm message, with a status code not equal to SUCCESS, shall indicate that a peer rejects a previously sent SAE Confirm message. An SAE Confirm message that was not successfully verified is indicated with a status code of CHALLENGE_FAILURE" .
> Hostapd, however, does not implement this status code. In ieee802_11.c the function “sae_check_confirm” is called and in case of verification failure (-1 is returned), the response is set to WLAN_STATUS_UNSPECIFIED_FAILURE (status code = 1). This is not correct and should be modified as:
>
>
> diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
Could you please send this again with the Signed-off-by: line added to
the end of the commit message as described in the top level
CONTRIBUTIONS file?
--
Jouni Malinen PGP id EFC895FA
Information in this email including any attachments may be privileged, confidential and is intended exclusively for the addressee. The views expressed may not be official policy, but the personal views of the originator. If you have received it in error, please notify the sender by return e-mail and delete it from your system. You should not reproduce, distribute, store, retransmit, use or disclose its contents to anyone.
_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
