From 363dbf1ece24a2d326d7684c8af55f409eab2a51 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Tue, 9 Jun 2020 22:32:38 +0300
Subject: [PATCH] SAE-PK: Remove requirement of SAE group matching SAE-PK (K_AP) group

This was clarified in the draft specification to not be a mandatory requirement for the AP and STA to enforce, i.e., matching security level is a recommendation for AP configuration rather than a protocol requirement.

Signed-off-by: Jouni Malinen
---
 src/ap/ieee802_11.c | 35 ++++------------------------------
 src/common/sae.c | 9 ---------
 src/common/sae.h | 1 -
 src/common/sae_pk.c | 10 ----------
 4 files changed, 4 insertions(+), 51 deletions(-)

diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index 8b994d6a5..6723f33dd 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -594,10 +594,6 @@ static int auth_sae_send_commit(struct hostapd_data *hapd,
 data = auth_build_sae_commit(hapd, sta, update, status_code);
 if (!data && sta->sae->tmp && sta->sae->tmp->pw_id)
 return WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER;
-#ifdef CONFIG_SAE_PK
- if (!data && sta->sae->tmp && sta->sae->tmp->reject_group)
- return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
-#endif /* CONFIG_SAE_PK */
 if (data == NULL)
 return WLAN_STATUS_UNSPECIFIED_FAILURE;
@@ -1195,7 +1191,7 @@ static int sae_is_group_enabled(struct hostapd_data *hapd, int group)
 static int check_sae_rejected_groups(struct hostapd_data *hapd,
- struct sae_data *sae, bool pk)
+ struct sae_data *sae)
 {
 const struct wpabuf *groups;
 size_t i, count;
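Review bot: check_sae_rejected_groups() loses its `pk` parameter in the `@@ -1195` hunk but still has no header comment, and its contract is only visible from the later hunks: it returns 1 as soon as the peer's Rejected Groups list names a group this AP has enabled, and handle_auth_sae() then fails the authentication with WLAN_STATUS_UNSPECIFIED_FAILURE. A one-line comment above the signature would record that: `/* Return 1 if the peer claims to have rejected a group that is enabled on this AP (the caller then rejects the authentication), 0 otherwise */`. Now that SAE-PK authentications take the same path, the comment could also note that the check is presumably the same for SAE and SAE-PK. The function's body continues past this hunk into the next one.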
@@ -1216,29 +1212,8 @@ static int check_sae_rejected_groups(struct hostapd_data *hapd,
 group = WPA_GET_LE16(pos);
 pos += 2;
 enabled = sae_is_group_enabled(hapd, group);
-
-#ifdef CONFIG_SAE_PK
- /* TODO: Could check more explicitly against the matching
- * sae_password entry only for the somewhat theoretical case of
- * different passwords using different groups for SAE-PK K_AP
- * values. */
- if (pk) {
- struct sae_password_entry *pw;
-
- enabled = false;
- for (pw = hapd->conf->sae_passwords; pw;
- pw = pw->next) {
- if (pw->pk && pw->pk->group == group) {
- enabled = true;
- break;
- }
- }
- }
-#endif /* CONFIG_SAE_PK */
-
- wpa_printf(MSG_DEBUG, "SAE: Rejected group %u is %s%s",
- group, enabled ? "enabled" : "disabled",
- pk ? " (PK)" : "");
+ wpa_printf(MSG_DEBUG, "SAE: Rejected group %u is %s",
+ group, enabled ? "enabled" : "disabled");
 if (enabled)
 return 1;
 }
@@ -1442,9 +1417,7 @@ static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta,
 if (resp != WLAN_STATUS_SUCCESS)
 goto reply;
- if (check_sae_rejected_groups(hapd, sta->sae,
- status_code ==
- WLAN_STATUS_SAE_PK)) {
+ if (check_sae_rejected_groups(hapd, sta->sae)) {
 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
 goto reply;
 }
diff --git a/src/common/sae.c b/src/common/sae.c
index c8e77aaec..77f3a0e8c 100644
--- a/src/common/sae.c
+++ b/src/common/sae.c
@@ -1392,15 +1392,6 @@ int sae_prepare_commit_pt(struct sae_data *sae, const struct sae_pt *pt,
 os_memcpy(sae->tmp->ssid, pt->ssid, pt->ssid_len);
 sae->tmp->ssid_len = pt->ssid_len;
 sae->tmp->ap_pk = pk;
- /* TODO: Could support alternative groups as long as the combination
- * meets the requirements. */
- if (pk && pk->group != sae->group) {
- wpa_printf(MSG_DEBUG,
- "SAE-PK: Reject attempt to use group %d since K_AP use group %d",
- sae->group, pk->group);
- sae->tmp->reject_group = true;
- return -1;
- }
 #endif /* CONFIG_SAE_PK */
 sae->tmp->own_addr_higher = os_memcmp(addr1, addr2, ETH_ALEN) > 0;
 wpabuf_free(sae->tmp->own_rejected_groups);
diff --git a/src/common/sae.h b/src/common/sae.h
index 261935fdb..ee3c662c5 100644
--- a/src/common/sae.h
+++ b/src/common/sae.h
@@ -75,7 +75,6 @@ struct sae_temporary_data {
 size_t lambda;
 u8 ssid[32];
 size_t ssid_len;
- bool reject_group;
 #ifdef CONFIG_TESTING_OPTIONS
 bool omit_pk_elem;
 #endif /* CONFIG_TESTING_OPTIONS */
diff --git a/src/common/sae_pk.c b/src/common/sae_pk.c
index 9e02611f7..5ccd601c2 100644
--- a/src/common/sae_pk.c
+++ b/src/common/sae_pk.c
@@ -686,16 +686,6 @@ int sae_check_confirm_pk(struct sae_data *sae, const u8 *ies, size_t ies_len)
 return -1;
 }
- /* TODO: Could support alternative groups as long as the combination
- * meets the requirements. */
- if (group != sae->group) {
- wpa_printf(MSG_INFO,
- "SAE-PK: K_AP group %d does not match SAE group %d",
- group, sae->group);
- crypto_ec_key_deinit(key);
- return -1;
- }
-
 wpa_hexdump(MSG_DEBUG, "SAE-PK: Received KeyAuth",
 key_auth, key_auth_len);
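Review bot: In the sae.c hunk sae_prepare_commit_pt() now stores `pk` with no relation to sae->group, and with the TODO gone nothing in the code records that the missing comparison is deliberate, so a later reader may re-add the rejection that this commit removes. A short comment above `sae->tmp->ap_pk = pk;` would preserve the rationale from the commit message: `/* The K_AP group is not required to match the SAE group; a matching security level is an AP configuration recommendation, not a protocol requirement. */`. The same note applies to the sae_check_confirm_pk() hunk in sae_pk.c, where the STA-side comparison is removed. sae_prepare_commit_pt() starts before and ends after this hunk.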