[PATCH v2 40/44] AP: Don't process SAE/OWE assoc info on MLD links

Andrei Otcheretianski andrei.otcheretianski at intel.com
Mon May 22 12:34:08 PDT 2023


Only the main link handles SAE authentication; skip it on other links.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski at intel.com>
---
 src/ap/ieee802_11.c | 91 ++++++++++++++++++++++++---------------------
 1 file changed, 48 insertions(+), 43 deletions(-)

diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index d387921d87..15c0a2b246 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -4037,55 +4037,60 @@ static int __check_assoc_ies(struct hostapd_data *hapd, struct sta_info *sta,
 		}
 #endif /* CONFIG_IEEE80211R_AP */
 
+		if (!link) {
 #ifdef CONFIG_SAE
-		if (wpa_auth_uses_sae(sta->wpa_sm) && sta->sae &&
-		    sta->sae->state == SAE_ACCEPTED)
-			wpa_auth_add_sae_pmkid(sta->wpa_sm, sta->sae->pmkid);
-
-		if (wpa_auth_uses_sae(sta->wpa_sm) &&
-		    sta->auth_alg == WLAN_AUTH_OPEN) {
-			struct rsn_pmksa_cache_entry *sa;
-			sa = wpa_auth_sta_get_pmksa(sta->wpa_sm);
-			if (!sa || !wpa_key_mgmt_sae(sa->akmp)) {
-				wpa_printf(MSG_DEBUG,
-					   "SAE: No PMKSA cache entry found for "
-					   MACSTR, MAC2STR(sta->addr));
-				return WLAN_STATUS_INVALID_PMKID;
+			if (wpa_auth_uses_sae(sta->wpa_sm) && sta->sae &&
+			    sta->sae->state == SAE_ACCEPTED)
+				wpa_auth_add_sae_pmkid(sta->wpa_sm,
+						       sta->sae->pmkid);
+
+			if (wpa_auth_uses_sae(sta->wpa_sm) &&
+			    sta->auth_alg == WLAN_AUTH_OPEN) {
+				struct rsn_pmksa_cache_entry *sa;
+				sa = wpa_auth_sta_get_pmksa(sta->wpa_sm);
+				if (!sa || !wpa_key_mgmt_sae(sa->akmp)) {
+					wpa_printf(MSG_DEBUG,
+						   "SAE: No PMKSA cache entry found for "
+						   MACSTR, MAC2STR(sta->addr));
+					return WLAN_STATUS_INVALID_PMKID;
+				}
+				wpa_printf(MSG_DEBUG, "SAE: " MACSTR
+					   " using PMKSA caching", MAC2STR(sta->addr));
+			} else if (wpa_auth_uses_sae(sta->wpa_sm) &&
+				   sta->auth_alg != WLAN_AUTH_SAE &&
+				   !(sta->auth_alg == WLAN_AUTH_FT &&
+				     wpa_auth_uses_ft_sae(sta->wpa_sm))) {
+				wpa_printf(MSG_DEBUG, "SAE: " MACSTR
+					   " tried to use SAE AKM after non-SAE auth_alg %u",
+					   MAC2STR(sta->addr), sta->auth_alg);
+				return WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
+			}
+
+			if (hapd->conf->sae_pwe == SAE_PWE_BOTH &&
+			    sta->auth_alg == WLAN_AUTH_SAE &&
+			    sta->sae && !sta->sae->h2e &&
+			    ieee802_11_rsnx_capab_len(elems->rsnxe,
+						      elems->rsnxe_len,
+						      WLAN_RSNX_CAPAB_SAE_H2E)) {
+				wpa_printf(MSG_INFO, "SAE: " MACSTR
+					   " indicates support for SAE H2E, but did not use it",
+					   MAC2STR(sta->addr));
+				return WLAN_STATUS_UNSPECIFIED_FAILURE;
 			}
-			wpa_printf(MSG_DEBUG, "SAE: " MACSTR
-				   " using PMKSA caching", MAC2STR(sta->addr));
-		} else if (wpa_auth_uses_sae(sta->wpa_sm) &&
-			   sta->auth_alg != WLAN_AUTH_SAE &&
-			   !(sta->auth_alg == WLAN_AUTH_FT &&
-			     wpa_auth_uses_ft_sae(sta->wpa_sm))) {
-			wpa_printf(MSG_DEBUG, "SAE: " MACSTR " tried to use "
-				   "SAE AKM after non-SAE auth_alg %u",
-				   MAC2STR(sta->addr), sta->auth_alg);
-			return WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
-		}
-
-		if (hapd->conf->sae_pwe == SAE_PWE_BOTH &&
-		    sta->auth_alg == WLAN_AUTH_SAE &&
-		    sta->sae && !sta->sae->h2e &&
-		    ieee802_11_rsnx_capab_len(elems->rsnxe, elems->rsnxe_len,
-					      WLAN_RSNX_CAPAB_SAE_H2E)) {
-			wpa_printf(MSG_INFO, "SAE: " MACSTR
-				   " indicates support for SAE H2E, but did not use it",
-				   MAC2STR(sta->addr));
-			return WLAN_STATUS_UNSPECIFIED_FAILURE;
-		}
 #endif /* CONFIG_SAE */
 
 #ifdef CONFIG_OWE
-		if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) &&
-		    wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_OWE &&
-		    elems->owe_dh) {
-			resp = owe_process_assoc_req(hapd, sta, elems->owe_dh,
-						     elems->owe_dh_len);
-			if (resp != WLAN_STATUS_SUCCESS)
-				return resp;
-		}
+			if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) &&
+			    wpa_auth_sta_key_mgmt(sta->wpa_sm) ==
+			    WPA_KEY_MGMT_OWE && elems->owe_dh) {
+				resp = owe_process_assoc_req(hapd, sta,
+							     elems->owe_dh,
+							     elems->owe_dh_len);
+				if (resp != WLAN_STATUS_SUCCESS)
+					return resp;
+			}
 #endif /* CONFIG_OWE */
+		}
 
 #ifdef CONFIG_DPP2
 		dpp_pfs_free(sta->dpp_pfs);
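Review bot: The new `if (!link) {` guard carries no comment saying why it is safe to skip the checks it now wraps on non-main links. Those checks are three SAE rejections (`WLAN_STATUS_INVALID_PMKID` when no SAE PMKSA entry exists, `WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG` for an SAE AKM after a non-SAE auth_alg, and the H2E-capable-but-unused case) plus the OWE DH processing. They are admission decisions, so the guard is only sound if every association is also validated once with `link` unset for the same `sta`; the function starts and ends outside this hunk, so that cannot be confirmed from here. I would state the invariant at the guard, e.g. `/* SAE/OWE validation uses per-STA state and is enforced once, on the main (association) link; per-link passes must not repeat or replace it */`. As a style point, the guard opens before `#ifdef CONFIG_SAE` and closes after `#endif /* CONFIG_OWE */`, so a build with neither option compiles an empty `if (!link) { }` block.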
-- 
2.38.1



