SAE-PK: Remove requirement of SAE group matching SAE-PK (K_AP) group
This was clarified in the draft specification to not be a mandatory requirement for the AP and STA to enforce, i.e., matching security level is a recommendation for AP configuration rather than a protocol requirement. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This commit is contained in:
parent
2e80aeae4a
commit
363dbf1ece
4 changed files with 4 additions and 51 deletions
|
@ -594,10 +594,6 @@ static int auth_sae_send_commit(struct hostapd_data *hapd,
|
|||
data = auth_build_sae_commit(hapd, sta, update, status_code);
|
||||
if (!data && sta->sae->tmp && sta->sae->tmp->pw_id)
|
||||
return WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER;
|
||||
#ifdef CONFIG_SAE_PK
|
||||
if (!data && sta->sae->tmp && sta->sae->tmp->reject_group)
|
||||
return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
|
||||
#endif /* CONFIG_SAE_PK */
|
||||
if (data == NULL)
|
||||
return WLAN_STATUS_UNSPECIFIED_FAILURE;
|
||||
|
||||
|
@ -1195,7 +1191,7 @@ static int sae_is_group_enabled(struct hostapd_data *hapd, int group)
|
|||
|
||||
|
||||
static int check_sae_rejected_groups(struct hostapd_data *hapd,
|
||||
struct sae_data *sae, bool pk)
|
||||
struct sae_data *sae)
|
||||
{
|
||||
const struct wpabuf *groups;
|
||||
size_t i, count;
|
||||
|
@ -1216,29 +1212,8 @@ static int check_sae_rejected_groups(struct hostapd_data *hapd,
|
|||
group = WPA_GET_LE16(pos);
|
||||
pos += 2;
|
||||
enabled = sae_is_group_enabled(hapd, group);
|
||||
|
||||
#ifdef CONFIG_SAE_PK
|
||||
/* TODO: Could check more explicitly against the matching
|
||||
* sae_password entry only for the somewhat theoretical case of
|
||||
* different passwords using different groups for SAE-PK K_AP
|
||||
* values. */
|
||||
if (pk) {
|
||||
struct sae_password_entry *pw;
|
||||
|
||||
enabled = false;
|
||||
for (pw = hapd->conf->sae_passwords; pw;
|
||||
pw = pw->next) {
|
||||
if (pw->pk && pw->pk->group == group) {
|
||||
enabled = true;
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
#endif /* CONFIG_SAE_PK */
|
||||
|
||||
wpa_printf(MSG_DEBUG, "SAE: Rejected group %u is %s%s",
|
||||
group, enabled ? "enabled" : "disabled",
|
||||
pk ? " (PK)" : "");
|
||||
wpa_printf(MSG_DEBUG, "SAE: Rejected group %u is %s",
|
||||
group, enabled ? "enabled" : "disabled");
|
||||
if (enabled)
|
||||
return 1;
|
||||
}
|
||||
|
@ -1442,9 +1417,7 @@ static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta,
|
|||
if (resp != WLAN_STATUS_SUCCESS)
|
||||
goto reply;
|
||||
|
||||
if (check_sae_rejected_groups(hapd, sta->sae,
|
||||
status_code ==
|
||||
WLAN_STATUS_SAE_PK)) {
|
||||
if (check_sae_rejected_groups(hapd, sta->sae)) {
|
||||
resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
|
||||
goto reply;
|
||||
}
|
||||
|
|
|
@ -1392,15 +1392,6 @@ int sae_prepare_commit_pt(struct sae_data *sae, const struct sae_pt *pt,
|
|||
os_memcpy(sae->tmp->ssid, pt->ssid, pt->ssid_len);
|
||||
sae->tmp->ssid_len = pt->ssid_len;
|
||||
sae->tmp->ap_pk = pk;
|
||||
/* TODO: Could support alternative groups as long as the combination
|
||||
* meets the requirements. */
|
||||
if (pk && pk->group != sae->group) {
|
||||
wpa_printf(MSG_DEBUG,
|
||||
"SAE-PK: Reject attempt to use group %d since K_AP use group %d",
|
||||
sae->group, pk->group);
|
||||
sae->tmp->reject_group = true;
|
||||
return -1;
|
||||
}
|
||||
#endif /* CONFIG_SAE_PK */
|
||||
sae->tmp->own_addr_higher = os_memcmp(addr1, addr2, ETH_ALEN) > 0;
|
||||
wpabuf_free(sae->tmp->own_rejected_groups);
|
||||
|
|
|
@ -75,7 +75,6 @@ struct sae_temporary_data {
|
|||
size_t lambda;
|
||||
u8 ssid[32];
|
||||
size_t ssid_len;
|
||||
bool reject_group;
|
||||
#ifdef CONFIG_TESTING_OPTIONS
|
||||
bool omit_pk_elem;
|
||||
#endif /* CONFIG_TESTING_OPTIONS */
|
||||
|
|
|
@ -686,16 +686,6 @@ int sae_check_confirm_pk(struct sae_data *sae, const u8 *ies, size_t ies_len)
|
|||
return -1;
|
||||
}
|
||||
|
||||
/* TODO: Could support alternative groups as long as the combination
|
||||
* meets the requirements. */
|
||||
if (group != sae->group) {
|
||||
wpa_printf(MSG_INFO,
|
||||
"SAE-PK: K_AP group %d does not match SAE group %d",
|
||||
group, sae->group);
|
||||
crypto_ec_key_deinit(key);
|
||||
return -1;
|
||||
}
|
||||
|
||||
wpa_hexdump(MSG_DEBUG, "SAE-PK: Received KeyAuth",
|
||||
key_auth, key_auth_len);
|
||||
|
||||
|
|
Loading…
Reference in a new issue