SAE: Special test mode sae_pwe=3 for looping with password identifier

The new sae_pwe=3 mode can be used to test non-compliant behavior with SAE Password Identifiers. This can be used to force use of hunting-and-pecking loop for PWE derivation when Password Identifier is used. This is not allowed by the standard and as such, this functionality is aimed at compliance testing. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-10 04:59:10 +02:00 · 2020-02-10 04:59:10 +02:00 · 641d79f165
commit 641d79f165
parent d57349d4b8
8 changed files with 15 additions and 8 deletions
--- a/src/ap/ap_config.c
+++ b/src/ap/ap_config.c
@ -442,6 +442,7 @@ int hostapd_setup_sae_pt(struct hostapd_bss_config *conf)
 	struct sae_password_entry *pw;

 	if ((conf->sae_pwe == 0 && !hostapd_sae_pw_id_in_use(conf)) ||
+	    conf->sae_pwe == 3 ||
 	    !wpa_key_mgmt_sae(conf->wpa_key_mgmt))
 		return 0; /* PT not needed */

--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@ -101,6 +101,7 @@ u8 * hostapd_eid_supp_rates(struct hostapd_data *hapd, u8 *eid)
 		num++;
 	h2e_required = (hapd->conf->sae_pwe == 1 ||
 			hostapd_sae_pw_id_in_use(hapd->conf) == 2) &&
+		hapd->conf->sae_pwe != 3 &&
 		wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt);
 	if (h2e_required)
 		num++;
@ -155,6 +156,7 @@ u8 * hostapd_eid_ext_supp_rates(struct hostapd_data *hapd, u8 *eid)
 		num++;
 	h2e_required = (hapd->conf->sae_pwe == 1 ||
 			hostapd_sae_pw_id_in_use(hapd->conf) == 2) &&
+		hapd->conf->sae_pwe != 3 &&
 		wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt);
 	if (h2e_required)
 		num++;
@ -456,7 +458,7 @@ static struct wpabuf * auth_build_sae_commit(struct hostapd_data *hapd,
 		use_pt = sta->sae->tmp->h2e;
 	}

-	if (rx_id)
+	if (rx_id && hapd->conf->sae_pwe != 3)
 		use_pt = 1;
 	else if (status_code == WLAN_STATUS_SUCCESS)
 		use_pt = 0;
@ -1079,12 +1081,12 @@ static int sae_status_success(struct hostapd_data *hapd, u16 status_code)
 	int id_in_use;

 	id_in_use = hostapd_sae_pw_id_in_use(hapd->conf);
-	if (id_in_use == 2)
+	if (id_in_use == 2 && sae_pwe != 3)
 		sae_pwe = 1;
 	else if (id_in_use == 1 && sae_pwe == 0)
 		sae_pwe = 2;

-	return (sae_pwe == 0 &&
+	return ((sae_pwe == 0 || sae_pwe == 3) &&
 		status_code == WLAN_STATUS_SUCCESS) ||
 		(sae_pwe == 1 &&
 		 status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT) ||
--- a/src/ap/ieee802_11_shared.c
+++ b/src/ap/ieee802_11_shared.c
@ -1016,6 +1016,7 @@ u8 * hostapd_eid_rsnxe(struct hostapd_data *hapd, u8 *eid, size_t len)
 	    !wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt) ||
 	    (hapd->conf->sae_pwe != 1 && hapd->conf->sae_pwe != 2 &&
 	     !hostapd_sae_pw_id_in_use(hapd->conf)) ||
+	    hapd->conf->sae_pwe == 3 ||
 	    len < 3)
 		return pos;

--- a/src/ap/wpa_auth_glue.c
+++ b/src/ap/wpa_auth_glue.c
@ -158,7 +158,7 @@ static void hostapd_wpa_auth_conf(struct hostapd_bss_config *conf,
 #endif /* CONFIG_FILS */
 	wconf->sae_pwe = conf->sae_pwe;
 	sae_pw_id = hostapd_sae_pw_id_in_use(conf);
-	if (sae_pw_id == 2)
+	if (sae_pw_id == 2 && wconf->sae_pwe != 3)
 		wconf->sae_pwe = 1;
 	else if (sae_pw_id == 1 && wconf->sae_pwe == 0)
 		wconf->sae_pwe = 2;