SAE-PK: Remove requirement of SAE group matching SAE-PK (K_AP) group
This was clarified in the draft specification to not be a mandatory requirement for the AP and STA to enforce, i.e., matching security level is a recommendation for AP configuration rather than a protocol requirement. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This commit is contained in:
parent
2e80aeae4a
commit
363dbf1ece
4 changed files with 4 additions and 51 deletions
|
@ -594,10 +594,6 @@ static int auth_sae_send_commit(struct hostapd_data *hapd,
|
||||||
data = auth_build_sae_commit(hapd, sta, update, status_code);
|
data = auth_build_sae_commit(hapd, sta, update, status_code);
|
||||||
if (!data && sta->sae->tmp && sta->sae->tmp->pw_id)
|
if (!data && sta->sae->tmp && sta->sae->tmp->pw_id)
|
||||||
return WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER;
|
return WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER;
|
||||||
#ifdef CONFIG_SAE_PK
|
|
||||||
if (!data && sta->sae->tmp && sta->sae->tmp->reject_group)
|
|
||||||
return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
|
|
||||||
#endif /* CONFIG_SAE_PK */
|
|
||||||
if (data == NULL)
|
if (data == NULL)
|
||||||
return WLAN_STATUS_UNSPECIFIED_FAILURE;
|
return WLAN_STATUS_UNSPECIFIED_FAILURE;
|
||||||
|
|
||||||
|
@ -1195,7 +1191,7 @@ static int sae_is_group_enabled(struct hostapd_data *hapd, int group)
|
||||||
|
|
||||||
|
|
||||||
static int check_sae_rejected_groups(struct hostapd_data *hapd,
|
static int check_sae_rejected_groups(struct hostapd_data *hapd,
|
||||||
struct sae_data *sae, bool pk)
|
struct sae_data *sae)
|
||||||
{
|
{
|
||||||
const struct wpabuf *groups;
|
const struct wpabuf *groups;
|
||||||
size_t i, count;
|
size_t i, count;
|
||||||
|
@ -1216,29 +1212,8 @@ static int check_sae_rejected_groups(struct hostapd_data *hapd,
|
||||||
group = WPA_GET_LE16(pos);
|
group = WPA_GET_LE16(pos);
|
||||||
pos += 2;
|
pos += 2;
|
||||||
enabled = sae_is_group_enabled(hapd, group);
|
enabled = sae_is_group_enabled(hapd, group);
|
||||||
|
wpa_printf(MSG_DEBUG, "SAE: Rejected group %u is %s",
|
||||||
#ifdef CONFIG_SAE_PK
|
group, enabled ? "enabled" : "disabled");
|
||||||
/* TODO: Could check more explicitly against the matching
|
|
||||||
* sae_password entry only for the somewhat theoretical case of
|
|
||||||
* different passwords using different groups for SAE-PK K_AP
|
|
||||||
* values. */
|
|
||||||
if (pk) {
|
|
||||||
struct sae_password_entry *pw;
|
|
||||||
|
|
||||||
enabled = false;
|
|
||||||
for (pw = hapd->conf->sae_passwords; pw;
|
|
||||||
pw = pw->next) {
|
|
||||||
if (pw->pk && pw->pk->group == group) {
|
|
||||||
enabled = true;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
#endif /* CONFIG_SAE_PK */
|
|
||||||
|
|
||||||
wpa_printf(MSG_DEBUG, "SAE: Rejected group %u is %s%s",
|
|
||||||
group, enabled ? "enabled" : "disabled",
|
|
||||||
pk ? " (PK)" : "");
|
|
||||||
if (enabled)
|
if (enabled)
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
@ -1442,9 +1417,7 @@ static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta,
|
||||||
if (resp != WLAN_STATUS_SUCCESS)
|
if (resp != WLAN_STATUS_SUCCESS)
|
||||||
goto reply;
|
goto reply;
|
||||||
|
|
||||||
if (check_sae_rejected_groups(hapd, sta->sae,
|
if (check_sae_rejected_groups(hapd, sta->sae)) {
|
||||||
status_code ==
|
|
||||||
WLAN_STATUS_SAE_PK)) {
|
|
||||||
resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
|
resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
|
||||||
goto reply;
|
goto reply;
|
||||||
}
|
}
|
||||||
|
|
|
@ -1392,15 +1392,6 @@ int sae_prepare_commit_pt(struct sae_data *sae, const struct sae_pt *pt,
|
||||||
os_memcpy(sae->tmp->ssid, pt->ssid, pt->ssid_len);
|
os_memcpy(sae->tmp->ssid, pt->ssid, pt->ssid_len);
|
||||||
sae->tmp->ssid_len = pt->ssid_len;
|
sae->tmp->ssid_len = pt->ssid_len;
|
||||||
sae->tmp->ap_pk = pk;
|
sae->tmp->ap_pk = pk;
|
||||||
/* TODO: Could support alternative groups as long as the combination
|
|
||||||
* meets the requirements. */
|
|
||||||
if (pk && pk->group != sae->group) {
|
|
||||||
wpa_printf(MSG_DEBUG,
|
|
||||||
"SAE-PK: Reject attempt to use group %d since K_AP use group %d",
|
|
||||||
sae->group, pk->group);
|
|
||||||
sae->tmp->reject_group = true;
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
#endif /* CONFIG_SAE_PK */
|
#endif /* CONFIG_SAE_PK */
|
||||||
sae->tmp->own_addr_higher = os_memcmp(addr1, addr2, ETH_ALEN) > 0;
|
sae->tmp->own_addr_higher = os_memcmp(addr1, addr2, ETH_ALEN) > 0;
|
||||||
wpabuf_free(sae->tmp->own_rejected_groups);
|
wpabuf_free(sae->tmp->own_rejected_groups);
|
||||||
|
|
|
@ -75,7 +75,6 @@ struct sae_temporary_data {
|
||||||
size_t lambda;
|
size_t lambda;
|
||||||
u8 ssid[32];
|
u8 ssid[32];
|
||||||
size_t ssid_len;
|
size_t ssid_len;
|
||||||
bool reject_group;
|
|
||||||
#ifdef CONFIG_TESTING_OPTIONS
|
#ifdef CONFIG_TESTING_OPTIONS
|
||||||
bool omit_pk_elem;
|
bool omit_pk_elem;
|
||||||
#endif /* CONFIG_TESTING_OPTIONS */
|
#endif /* CONFIG_TESTING_OPTIONS */
|
||||||
|
|
|
@ -686,16 +686,6 @@ int sae_check_confirm_pk(struct sae_data *sae, const u8 *ies, size_t ies_len)
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* TODO: Could support alternative groups as long as the combination
|
|
||||||
* meets the requirements. */
|
|
||||||
if (group != sae->group) {
|
|
||||||
wpa_printf(MSG_INFO,
|
|
||||||
"SAE-PK: K_AP group %d does not match SAE group %d",
|
|
||||||
group, sae->group);
|
|
||||||
crypto_ec_key_deinit(key);
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
|
|
||||||
wpa_hexdump(MSG_DEBUG, "SAE-PK: Received KeyAuth",
|
wpa_hexdump(MSG_DEBUG, "SAE-PK: Received KeyAuth",
|
||||||
key_auth, key_auth_len);
|
key_auth, key_auth_len);
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue