[PATCH] hostapd: SAE check confirm fail status code

Mert Ekren mert.ekren at airties.com
Mon Oct 24 23:29:10 PDT 2022


Hello,

When STA password check fails in wpa3 AP, there's an ambiguous response "WLAN_STATUS_UNSPECIFIED_FAILURE" in hostapd. There's a pre-defined status "CHALLENGE_FAILURE" in standard for this case.

IEEE 802.11-2022 says that status code CHALLENGE_FAILURE, needs to be sent in case the verification action fails for SAE-CONFIRM frame from a STA:"An SAE Confirm message, with a status code not equal to SUCCESS, shall indicate that a peer rejects a previously sent SAE Confirm message. An SAE Confirm message that was not successfully verified is indicated with a status code of CHALLENGE_FAILURE" .
Hostapd, however, does not implement this status code. In ieee802_11.c the function “sae_check_confirm” is called and in case of verification failure (-1 is returned), the response is set to WLAN_STATUS_UNSPECIFIED_FAILURE (status code = 1). This is not correct and should be modified as:


diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index 761abd7ce..f211dbc5c 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -1561,7 +1561,7 @@ static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta,
                        }

                        if (sae_check_confirm(sta->sae, var, var_len) < 0) {
-                               resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
+                               resp = WLAN_STATUS_CHALLENGE_FAIL;
                                goto reply;
                        }
                        sta->sae->rc = peer_send_confirm;



mert
Information in this email including any attachments may be privileged, confidential and is intended exclusively for the addressee. The views expressed may not be official policy, but the personal views of the originator. If you have received it in error, please notify the sender by return e-mail and delete it from your system. You should not reproduce, distribute, store, retransmit, use or disclose its contents to anyone.



More information about the Hostap mailing list