RSNO: Allow RSNXE to be omitted

Add an explicit rsn_override_omit_rsnxe=1 configuration parameter to
allow the RSNXE to be omitted when using the RSNXOE and wanting to
minimize interoperability issues with STAs that might recognize the
RSNXE, but not handle it correctly, e.g., when multiple octets of
payload is included.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This commit is contained in:
Jouni Malinen 2024-07-23 21:20:45 +00:00 committed by Jouni Malinen
parent 92374d59d4
commit 8b2ddfdbb6
7 changed files with 54 additions and 2 deletions

View file

@ -3244,6 +3244,8 @@ static int hostapd_config_fill(struct hostapd_config *conf,
os_free(bss->rsn_preauth_interfaces);
bss->rsn_preauth_interfaces = os_strdup(pos);
#endif /* CONFIG_RSN_PREAUTH */
} else if (os_strcmp(buf, "rsn_override_omit_rsnxe") == 0) {
bss->rsn_override_omit_rsnxe = atoi(pos);
} else if (os_strcmp(buf, "peerkey") == 0) {
wpa_printf(MSG_INFO,
"Line %d: Obsolete peerkey parameter ignored", line);

View file

@ -2333,6 +2333,15 @@ own_ip_addr=127.0.0.1
#rsn_override_pairwise_2
#rsn_override_mfp_2
#
# The RSNXE is normally included if any of the extended RSN capabilities is
# enabled/supported. When using RSN overriding, a separate RSNXOE is included
# and it may be more interoperable to omit the RSNXE completely. This
# configuration parameter can be used to do that.
# 0 = Include the RSNXE if any extended RSN capability is enabled/supported
# (default).
# 1 = Do not include the RSNXE.
#rsn_override_omit_rsnxe=0
#
# Example configuration for WPA2-Personal/PMF-optional in RSNE and
# WPA3-Personal/PMF-required/MLO in override elements
#wpa_key_mgmt=WPA-PSK

View file

@ -396,6 +396,8 @@ struct hostapd_bss_config {
int rsn_preauth;
char *rsn_preauth_interfaces;
int rsn_override_omit_rsnxe;
#ifdef CONFIG_IEEE80211R_AP
/* IEEE 802.11r - Fast BSS Transition */
u8 mobility_domain[MOBILITY_DOMAIN_ID_LEN];

View file

@ -301,6 +301,8 @@ struct wpa_auth_config {
#endif /* CONFIG_IEEE80211BE */
bool ssid_protection;
int rsn_override_omit_rsnxe;
};
typedef enum {

View file

@ -234,6 +234,8 @@ static void hostapd_wpa_auth_conf(struct hostapd_bss_config *conf,
wconf->no_disconnect_on_group_keyerror =
conf->bss_max_idle && conf->ap_max_inactivity &&
conf->no_disconnect_on_group_keyerror;
wconf->rsn_override_omit_rsnxe = conf->rsn_override_omit_rsnxe;
}

View file

@ -658,6 +658,9 @@ int wpa_auth_gen_wpa_ie(struct wpa_authenticator *wpa_auth)
if (res < 0)
return res;
pos += res;
if (wpa_auth->conf.rsn_override_omit_rsnxe)
res = 0;
else
res = wpa_write_rsnxe(&wpa_auth->conf, pos,
buf + sizeof(buf) - pos);
if (res < 0)

View file

@ -214,3 +214,35 @@ def test_rsn_override_connect_cmd(dev, apdev):
wpas.set("rsn_overriding", "1")
wpas.connect(ssid, psk="12345678", key_mgmt="WPA-PSK-SHA256",
ieee80211w="2", scan_freq="2412")
def test_rsn_override_omit_rsnxe(dev, apdev):
"""RSN overriding with RSNXE explicitly omitted"""
check_sae_capab(dev[0])
ssid = "test-rsn-override"
params = hostapd.wpa2_params(ssid=ssid,
passphrase="12345678",
ieee80211w='1')
params['rsn_override_key_mgmt'] = 'SAE SAE-EXT-KEY'
params['rsn_override_pairwise'] = 'CCMP GCMP-256'
params['rsn_override_mfp'] = '2'
params['beacon_prot'] = '1'
params['sae_groups'] = '19 20'
params['sae_require_mfp'] = '1'
params['sae_pwe'] = '2'
params['ssid_protection'] = '1'
params['rsn_override_omit_rsnxe'] = '1'
hapd = hostapd.add_ap(apdev[0], params)
bssid = hapd.own_addr()
try:
dev[0].set("rsn_overriding", "1")
dev[0].scan_for_bss(bssid, freq=2412)
dev[0].set("sae_pwe", "2")
dev[0].set("sae_groups", "")
dev[0].connect(ssid, sae_password="12345678", key_mgmt="SAE",
ieee80211w="2", ssid_protection="1",
scan_freq="2412")
finally:
dev[0].set("sae_pwe", "0")
dev[0].set("rsn_overriding", "0")