[PATCH 09/15] AP: Add support for PASN comeback flow

Peer, Ilan ilan.peer at intel.com
Wed Mar 17 16:12:21 GMT 2021 

Hi,

> -----Original Message-----
> From: Jouni Malinen <j at w1.fi>
> Sent: Tuesday, March 16, 2021 18:24
> To: Peer, Ilan <ilan.peer at intel.com>
> Cc: hostap at lists.infradead.org
> Subject: Re: [PATCH 09/15] AP: Add support for PASN comeback flow
> 
> On Mon, Mar 15, 2021 at 02:57:07PM +0200, Ilan Peer wrote:
> >  hostapd/config_file.c |  2 ++
> >  src/ap/ap_config.c    |  5 +++
> >  src/ap/ap_config.h    |  6 ++++
> >  src/ap/ieee802_11.c   | 72
> +++++++++++++++++++++++++++++++++++++++++++
> >  4 files changed, 85 insertions(+)
> 
> > diff --git a/hostapd/config_file.c b/hostapd/config_file.c @@ -4675,6
> > +4675,8 @@ static int hostapd_config_fill(struct hostapd_config *conf,
> > +	} else if (os_strcmp(buf, "pasn_comeback_after") == 0) {
> > +		bss->pasn_comeback_after = atoi(pos);
> 
> This should be documented in hostapd/hostapd.conf.
> 

Done.

> > diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c index
> > 0b95a3d5c1..4f9a0c2d6e 100644
> > --- a/src/ap/ieee802_11.c
> > +++ b/src/ap/ieee802_11.c
> > @@ -709,6 +709,10 @@ static int use_anti_clogging(struct hostapd_data
> *hapd)
> >  			continue;
> >  		open++;
> >  #endif /* CONFIG_SAE */
> > +#ifdef CONFIG_PASN
> > +		if (sta->pasn && sta->pasn->ecdh)
> > +			open++;
> > +#endif /* CONFIG_PASN */
> >  		if (open >= hapd->conf->anti_clogging_threshold)
> >  			return 1;
> >  	}
> 
> Is this PASN case specifically dependent on sta->sae != NULL? This code will
> not be reached unless there is a pending SAE authentication, so this does not
> look correct to me.. Should this be something like following instead?
> 
> #ifdef CONFIG_SAE
> 	if (sta->sae &&
> 	    (sta->sae->state == SAE_COMMITTED ||
> 	     sta->sae->state == SAE_CONFIRMED))
> 		open++;
> #endif /* CONFIG_SAE */
> #ifdef CONFIG_PASN
> 	if (sta->pasn && sta->pasn->ecdh)
> 		open++;
> #endif /* CONFIG_PASN */
> 	if (open >= hapd->conf->anti_clogging_threshold)
> 		return 1;
> 

Agree. The testing did not cover this since anti_clogging_threshold that was used was always 0.

Sending the fixes soon.

Thanks,

Ilan.

More information about the Hostap mailing list