authorJouni Malinen <jouni@codeaurora.org>2020-06-09 19:32:38 (GMT)
committerJouni Malinen <j@w1.fi>2020-06-10 09:46:49 (GMT)
commit363dbf1ece24a2d326d7684c8af55f409eab2a51 (patch)
treed32094184118ed94a1bb8f0ce97d44446ac27074
parent2e80aeae4a021443c35ae03be082128f1f644b73 (diff)
SAE-PK: Remove requirement of SAE group matching SAE-PK (K_AP) group
This was clarified in the draft specification to not be a mandatory requirement for the AP and STA to enforce, i.e., matching security level is a recommendation for AP configuration rather than a protocol requirement. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
-rw-r--r--src/ap/ieee802_11.c35
-rw-r--r--src/common/sae.c9
-rw-r--r--src/common/sae.h1
-rw-r--r--src/common/sae_pk.c10
4 files changed, 4 insertions, 51 deletions
diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index 8b994d6..6723f33 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -594,10 +594,6 @@ static int auth_sae_send_commit(struct hostapd_data *hapd,
data = auth_build_sae_commit(hapd, sta, update, status_code);
if (!data && sta->sae->tmp && sta->sae->tmp->pw_id)
return WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER;
-#ifdef CONFIG_SAE_PK
- if (!data && sta->sae->tmp && sta->sae->tmp->reject_group)
- return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
-#endif /* CONFIG_SAE_PK */
if (data == NULL)
return WLAN_STATUS_UNSPECIFIED_FAILURE;
@@ -1195,7 +1191,7 @@ static int sae_is_group_enabled(struct hostapd_data *hapd, int group)
static int check_sae_rejected_groups(struct hostapd_data *hapd,
- struct sae_data *sae, bool pk)
+ struct sae_data *sae)
{
const struct wpabuf *groups;
size_t i, count;
@@ -1216,29 +1212,8 @@ static int check_sae_rejected_groups(struct hostapd_data *hapd,
group = WPA_GET_LE16(pos);
pos += 2;
enabled = sae_is_group_enabled(hapd, group);
-
-#ifdef CONFIG_SAE_PK
- /* TODO: Could check more explicitly against the matching
- * sae_password entry only for the somewhat theoretical case of
- * different passwords using different groups for SAE-PK K_AP
- * values. */
- if (pk) {
- struct sae_password_entry *pw;
-
- enabled = false;
- for (pw = hapd->conf->sae_passwords; pw;
- pw = pw->next) {
- if (pw->pk && pw->pk->group == group) {
- enabled = true;
- break;
- }
- }
- }
-#endif /* CONFIG_SAE_PK */
-
- wpa_printf(MSG_DEBUG, "SAE: Rejected group %u is %s%s",
- group, enabled ? "enabled" : "disabled",
- pk ? " (PK)" : "");
+ wpa_printf(MSG_DEBUG, "SAE: Rejected group %u is %s",
+ group, enabled ? "enabled" : "disabled");
if (enabled)
return 1;
}
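Review bot: With the `pk` branch removed, nothing in check_sae_rejected_groups() says what a return of 1 means or why SAE-PK no longer needs its own case, and `enabled = sae_is_group_enabled(hapd, group);` is now the only test applied to the station's rejected-groups list. I would add a comment above that line such as `/* A rejected group that this AP has enabled is treated as a failure by the caller; SAE-PK uses the same test since K_AP group matching is not enforced. */`. The commit description makes a matching security level an AP configuration recommendation only, so the wpa_printf() calls deleted in sae_prepare_commit_pt() and sae_check_confirm_pk() appear to have been the only trace of a mismatch between the SAE group and the K_AP group. Keeping a non-fatal `MSG_DEBUG` line at those two places (no `return -1`) would let an operator notice a K_AP key configured at a different strength than the negotiated group. The function body starts and ends outside this hunk.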
@@ -1442,9 +1417,7 @@ static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta,
if (resp != WLAN_STATUS_SUCCESS)
goto reply;
- if (check_sae_rejected_groups(hapd, sta->sae,
- status_code ==
- WLAN_STATUS_SAE_PK)) {
+ if (check_sae_rejected_groups(hapd, sta->sae)) {
resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
goto reply;
}
diff --git a/src/common/sae.c b/src/common/sae.c
index c8e77aa..77f3a0e 100644
--- a/src/common/sae.c
+++ b/src/common/sae.c
@@ -1392,15 +1392,6 @@ int sae_prepare_commit_pt(struct sae_data *sae, const struct sae_pt *pt,
os_memcpy(sae->tmp->ssid, pt->ssid, pt->ssid_len);
sae->tmp->ssid_len = pt->ssid_len;
sae->tmp->ap_pk = pk;
- /* TODO: Could support alternative groups as long as the combination
- * meets the requirements. */
- if (pk && pk->group != sae->group) {
- wpa_printf(MSG_DEBUG,
- "SAE-PK: Reject attempt to use group %d since K_AP use group %d",
- sae->group, pk->group);
- sae->tmp->reject_group = true;
- return -1;
- }
#endif /* CONFIG_SAE_PK */
sae->tmp->own_addr_higher = os_memcmp(addr1, addr2, ETH_ALEN) > 0;
wpabuf_free(sae->tmp->own_rejected_groups);
diff --git a/src/common/sae.h b/src/common/sae.h
index 261935f..ee3c662 100644
--- a/src/common/sae.h
+++ b/src/common/sae.h
@@ -75,7 +75,6 @@ struct sae_temporary_data {
size_t lambda;
u8 ssid[32];
size_t ssid_len;
- bool reject_group;
#ifdef CONFIG_TESTING_OPTIONS
bool omit_pk_elem;
#endif /* CONFIG_TESTING_OPTIONS */
diff --git a/src/common/sae_pk.c b/src/common/sae_pk.c
index 9e02611..5ccd601 100644
--- a/src/common/sae_pk.c
+++ b/src/common/sae_pk.c
@@ -686,16 +686,6 @@ int sae_check_confirm_pk(struct sae_data *sae, const u8 *ies, size_t ies_len)
return -1;
}
- /* TODO: Could support alternative groups as long as the combination
- * meets the requirements. */
- if (group != sae->group) {
- wpa_printf(MSG_INFO,
- "SAE-PK: K_AP group %d does not match SAE group %d",
- group, sae->group);
- crypto_ec_key_deinit(key);
- return -1;
- }
-
wpa_hexdump(MSG_DEBUG, "SAE-PK: Received KeyAuth",
key_auth, key_auth_len);