SAE-PK: Remove requirement of SAE group matching SAE-PK (K_AP) group

This was clarified in the draft specification to not be a mandatory
requirement for the AP and STA to enforce, i.e., matching security level
is a recommendation for AP configuration rather than a protocol
requirement.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This commit is contained in:
Jouni Malinen 2020-06-09 22:32:38 +03:00 committed by Jouni Malinen
parent 2e80aeae4a
commit 363dbf1ece
4 changed files with 4 additions and 51 deletions

View file

@ -594,10 +594,6 @@ static int auth_sae_send_commit(struct hostapd_data *hapd,
data = auth_build_sae_commit(hapd, sta, update, status_code); data = auth_build_sae_commit(hapd, sta, update, status_code);
if (!data && sta->sae->tmp && sta->sae->tmp->pw_id) if (!data && sta->sae->tmp && sta->sae->tmp->pw_id)
return WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER; return WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER;
#ifdef CONFIG_SAE_PK
if (!data && sta->sae->tmp && sta->sae->tmp->reject_group)
return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
#endif /* CONFIG_SAE_PK */
if (data == NULL) if (data == NULL)
return WLAN_STATUS_UNSPECIFIED_FAILURE; return WLAN_STATUS_UNSPECIFIED_FAILURE;
@ -1195,7 +1191,7 @@ static int sae_is_group_enabled(struct hostapd_data *hapd, int group)
static int check_sae_rejected_groups(struct hostapd_data *hapd, static int check_sae_rejected_groups(struct hostapd_data *hapd,
struct sae_data *sae, bool pk) struct sae_data *sae)
{ {
const struct wpabuf *groups; const struct wpabuf *groups;
size_t i, count; size_t i, count;
@ -1216,29 +1212,8 @@ static int check_sae_rejected_groups(struct hostapd_data *hapd,
group = WPA_GET_LE16(pos); group = WPA_GET_LE16(pos);
pos += 2; pos += 2;
enabled = sae_is_group_enabled(hapd, group); enabled = sae_is_group_enabled(hapd, group);
wpa_printf(MSG_DEBUG, "SAE: Rejected group %u is %s",
#ifdef CONFIG_SAE_PK group, enabled ? "enabled" : "disabled");
/* TODO: Could check more explicitly against the matching
* sae_password entry only for the somewhat theoretical case of
* different passwords using different groups for SAE-PK K_AP
* values. */
if (pk) {
struct sae_password_entry *pw;
enabled = false;
for (pw = hapd->conf->sae_passwords; pw;
pw = pw->next) {
if (pw->pk && pw->pk->group == group) {
enabled = true;
break;
}
}
}
#endif /* CONFIG_SAE_PK */
wpa_printf(MSG_DEBUG, "SAE: Rejected group %u is %s%s",
group, enabled ? "enabled" : "disabled",
pk ? " (PK)" : "");
if (enabled) if (enabled)
return 1; return 1;
} }
@ -1442,9 +1417,7 @@ static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta,
if (resp != WLAN_STATUS_SUCCESS) if (resp != WLAN_STATUS_SUCCESS)
goto reply; goto reply;
if (check_sae_rejected_groups(hapd, sta->sae, if (check_sae_rejected_groups(hapd, sta->sae)) {
status_code ==
WLAN_STATUS_SAE_PK)) {
resp = WLAN_STATUS_UNSPECIFIED_FAILURE; resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
goto reply; goto reply;
} }

View file

@ -1392,15 +1392,6 @@ int sae_prepare_commit_pt(struct sae_data *sae, const struct sae_pt *pt,
os_memcpy(sae->tmp->ssid, pt->ssid, pt->ssid_len); os_memcpy(sae->tmp->ssid, pt->ssid, pt->ssid_len);
sae->tmp->ssid_len = pt->ssid_len; sae->tmp->ssid_len = pt->ssid_len;
sae->tmp->ap_pk = pk; sae->tmp->ap_pk = pk;
/* TODO: Could support alternative groups as long as the combination
* meets the requirements. */
if (pk && pk->group != sae->group) {
wpa_printf(MSG_DEBUG,
"SAE-PK: Reject attempt to use group %d since K_AP use group %d",
sae->group, pk->group);
sae->tmp->reject_group = true;
return -1;
}
#endif /* CONFIG_SAE_PK */ #endif /* CONFIG_SAE_PK */
sae->tmp->own_addr_higher = os_memcmp(addr1, addr2, ETH_ALEN) > 0; sae->tmp->own_addr_higher = os_memcmp(addr1, addr2, ETH_ALEN) > 0;
wpabuf_free(sae->tmp->own_rejected_groups); wpabuf_free(sae->tmp->own_rejected_groups);

View file

@ -75,7 +75,6 @@ struct sae_temporary_data {
size_t lambda; size_t lambda;
u8 ssid[32]; u8 ssid[32];
size_t ssid_len; size_t ssid_len;
bool reject_group;
#ifdef CONFIG_TESTING_OPTIONS #ifdef CONFIG_TESTING_OPTIONS
bool omit_pk_elem; bool omit_pk_elem;
#endif /* CONFIG_TESTING_OPTIONS */ #endif /* CONFIG_TESTING_OPTIONS */

View file

@ -686,16 +686,6 @@ int sae_check_confirm_pk(struct sae_data *sae, const u8 *ies, size_t ies_len)
return -1; return -1;
} }
/* TODO: Could support alternative groups as long as the combination
* meets the requirements. */
if (group != sae->group) {
wpa_printf(MSG_INFO,
"SAE-PK: K_AP group %d does not match SAE group %d",
group, sae->group);
crypto_ec_key_deinit(key);
return -1;
}
wpa_hexdump(MSG_DEBUG, "SAE-PK: Received KeyAuth", wpa_hexdump(MSG_DEBUG, "SAE-PK: Received KeyAuth",
key_auth, key_auth_len); key_auth, key_auth_len);