Regarding status code in initial SAE confirm message
James Prestwood
prestwoj at gmail.com
Wed Sep 8 12:56:17 PDT 2021
Hi,
On Wed, 2021-09-08 at 19:44 +0000, RAGHAVENDRA SADARAMACHANDRA
(rsadaram) wrote:
> Hi James,
>
> Thanks for the response.
> Reg - " If hostapd receives a confirm with non-success status code
> it treats that as the peer rejecting" =====> Peer rejecting of which
> frame? In client and AP case, client is the one which first sends SAE
> confirm. Here there is no previous confirm message for the client to
> reject. Spec mentioned about rejection of previous SAE confirm
> message.

Ah ok I see where you're coming from now. I think this would be more a
question to the spec writers than anything... but yes I agree the spec
does not line out what to do in this case.

Personally I would expect to reject the peer's connection altogether
like hostapd does.

Also, I wouldn't expect an initial confirm message with a non-success
status code to actually contain a confirm hash. The only context that
makes sense is if the peer is rejecting the connection entirely.

Thanks,
James

>
> -Raghu
>
>
> On 9/8/21, 12:30 PM, "James Prestwood" <prestwoj at gmail.com> wrote:
>
> Hi,
>
> On Wed, 2021-09-08 at 19:08 +0000, RAGHAVENDRA SADARAMACHANDRA
> (rsadaram) wrote:
> > Any info on below query?
> >
> > On 9/3/21, 11:13 PM, "RAGHAVENDRA SADARAMACHANDRA (rsadaram)"
> > <rsadaram at cisco.com> wrote:
> >
> > Hi All,
> >
> > What's the importance/use of status code in initial confirm
> > message from the client? Do we need to check for status code ==
> > success in confirm message from the client?
> >
> > Spec does not talk about status code in initial confirm
> > message.
>
> I don't think the spec cares about "initial confirm" vs any other
> confirm. It's just a confirm message.
>
> > It mentions: An SAE Confirm message, with a status code not equal to
> > SUCCESS, shall indicate that a peer rejects a previously sent SAE
> > Confirm message. An SAE Confirm message that was not successfully
> > verified is indicated with a status code of CHALLENGE_FAILURE.
>
> How does that not describe the intended behavior? If hostapd receives a
> confirm with non-success status code it treats that as the peer
> rejecting. Seems reasonable to me.
>
> >
> >
> > } else if (auth_transaction == 2) {
> >         hostapd_logger(hapd, sta->addr,
> >                        HOSTAPD_MODULE_IEEE80211,
> >                        HOSTAPD_LEVEL_DEBUG,
> >                        "SAE authentication (RX confirm, status=%u (%s))",
> >                        status_code,
> >                        status2str(status_code));
> >         if (status_code != WLAN_STATUS_SUCCESS)
> >                 goto remove_sta;
> >
> >
> > -Raghu
> >
> >
>
>
>
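
The receive-side rule discussed in this thread, as an added C sketch that is not hostapd code and not part of the original messages: a confirm with a non-success status is treated as the peer rejecting before any confirm hash is looked at. The function and enum names are hypothetical; the field layout and numeric values are the IEEE 802.11 Authentication frame ones.

```c
#include <stddef.h>
#include <stdint.h>

/* IEEE 802.11 values: SAE is authentication algorithm 3;
 * status 0 is SUCCESS, 15 is CHALLENGE_FAILURE. */
#define AUTH_ALG_SAE          3
#define SAE_TRANS_COMMIT      1
#define SAE_TRANS_CONFIRM     2
#define STATUS_SUCCESS        0
#define STATUS_CHALLENGE_FAIL 15

/* Hypothetical outcomes for this sketch (not hostapd names). */
enum sae_rx_action {
    SAE_RX_DROP_MALFORMED,  /* too short, not SAE, or bad transaction */
    SAE_RX_HANDLE_COMMIT,   /* commit processing is not modelled here */
    SAE_RX_PEER_REJECTED,   /* confirm with status != SUCCESS */
    SAE_RX_VERIFY_CONFIRM   /* confirm with SUCCESS: go check the hash */
};

/* Constructed sample: SAE confirm, status 15, no Send-Confirm or hash. */
static const uint8_t sample_reject[] = { 3, 0, 2, 0, STATUS_CHALLENGE_FAIL, 0 };

static uint16_t rd_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* body: algorithm(2) | transaction(2) | status(2) | SAE fields..., little endian */
enum sae_rx_action sae_classify_rx(const uint8_t *body, size_t len)
{
    if (len < 6 || rd_le16(body) != AUTH_ALG_SAE)
        return SAE_RX_DROP_MALFORMED;
    uint16_t trans = rd_le16(body + 2);
    uint16_t status = rd_le16(body + 4);

    if (trans == SAE_TRANS_COMMIT)
        return SAE_RX_HANDLE_COMMIT;
    if (trans != SAE_TRANS_CONFIRM)
        return SAE_RX_DROP_MALFORMED;

    /* Status is checked before anything after it is parsed, so a
     * rejecting confirm need not carry Send-Confirm or a hash. */
    if (status != STATUS_SUCCESS)
        return SAE_RX_PEER_REJECTED;

    /* A SUCCESS confirm must at least hold the 2-byte Send-Confirm. */
    if (len < 8)
        return SAE_RX_DROP_MALFORMED;
    return SAE_RX_VERIFY_CONFIRM;
}
```
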