SAE-PK: Remove requirement of SAE group matching SAE-PK (K_AP) group
authorJouni Malinen <jouni@codeaurora.org>
Tue, 9 Jun 2020 19:32:38 +0000 (22:32 +0300)
committerJouni Malinen <j@w1.fi>
Wed, 10 Jun 2020 09:46:49 +0000 (12:46 +0300)
This was clarified in the draft specification to not be a mandatory
requirement for the AP and STA to enforce, i.e., matching security level
is a recommendation for AP configuration rather than a protocol
requirement.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
src/ap/ieee802_11.c
src/common/sae.c
src/common/sae.h
src/common/sae_pk.c

index 8b994d6a59041e6ca74e36e4fabcc1a2115806eb..6723f33ddd8a52dc40b6ef7aaf867faadbc2ea97 100644 (file)
@@ -594,10 +594,6 @@ static int auth_sae_send_commit(struct hostapd_data *hapd,
        data = auth_build_sae_commit(hapd, sta, update, status_code);
        if (!data && sta->sae->tmp && sta->sae->tmp->pw_id)
                return WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER;
-#ifdef CONFIG_SAE_PK
-       if (!data && sta->sae->tmp && sta->sae->tmp->reject_group)
-               return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
-#endif /* CONFIG_SAE_PK */
        if (data == NULL)
                return WLAN_STATUS_UNSPECIFIED_FAILURE;
 
@@ -1195,7 +1191,7 @@ static int sae_is_group_enabled(struct hostapd_data *hapd, int group)
 
 
 static int check_sae_rejected_groups(struct hostapd_data *hapd,
-                                    struct sae_data *sae, bool pk)
+                                    struct sae_data *sae)
 {
        const struct wpabuf *groups;
        size_t i, count;
@@ -1216,29 +1212,8 @@ static int check_sae_rejected_groups(struct hostapd_data *hapd,
                group = WPA_GET_LE16(pos);
                pos += 2;
                enabled = sae_is_group_enabled(hapd, group);
-
-#ifdef CONFIG_SAE_PK
-               /* TODO: Could check more explicitly against the matching
-                * sae_password entry only for the somewhat theoretical case of
-                * different passwords using different groups for SAE-PK K_AP
-                * values. */
-               if (pk) {
-                       struct sae_password_entry *pw;
-
-                       enabled = false;
-                       for (pw = hapd->conf->sae_passwords; pw;
-                            pw = pw->next) {
-                               if (pw->pk && pw->pk->group == group) {
-                                       enabled = true;
-                                       break;
-                               }
-                       }
-               }
-#endif /* CONFIG_SAE_PK */
-
-               wpa_printf(MSG_DEBUG, "SAE: Rejected group %u is %s%s",
-                          group, enabled ? "enabled" : "disabled",
-                          pk ? " (PK)" : "");
+               wpa_printf(MSG_DEBUG, "SAE: Rejected group %u is %s",
+                          group, enabled ? "enabled" : "disabled");
                if (enabled)
                        return 1;
        }
@@ -1442,9 +1417,7 @@ static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta,
                if (resp != WLAN_STATUS_SUCCESS)
                        goto reply;
 
-               if (check_sae_rejected_groups(hapd, sta->sae,
-                                             status_code ==
-                                             WLAN_STATUS_SAE_PK)) {
+               if (check_sae_rejected_groups(hapd, sta->sae)) {
                        resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
                        goto reply;
                }
index c8e77aaec21a57c2f88110b070d3bba04ac21a52..77f3a0e8c13b15c479928eab2cd5efead99acd97 100644 (file)
@@ -1392,15 +1392,6 @@ int sae_prepare_commit_pt(struct sae_data *sae, const struct sae_pt *pt,
        os_memcpy(sae->tmp->ssid, pt->ssid, pt->ssid_len);
        sae->tmp->ssid_len = pt->ssid_len;
        sae->tmp->ap_pk = pk;
-       /* TODO: Could support alternative groups as long as the combination
-        * meets the requirements. */
-       if (pk && pk->group != sae->group) {
-               wpa_printf(MSG_DEBUG,
-                          "SAE-PK: Reject attempt to use group %d since K_AP use group %d",
-                          sae->group, pk->group);
-               sae->tmp->reject_group = true;
-               return -1;
-       }
 #endif /* CONFIG_SAE_PK */
        sae->tmp->own_addr_higher = os_memcmp(addr1, addr2, ETH_ALEN) > 0;
        wpabuf_free(sae->tmp->own_rejected_groups);
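Review bot: With the group-match rejection removed, sae_prepare_commit_pt now accepts any pairing of the negotiated SAE group with the K_AP group, and nothing left in this hunk makes such a mismatch visible even though the description says matching security levels is now only an AP-configuration recommendation. A debug line next to `sae->tmp->ap_pk = pk;` would keep the mismatch diagnosable without rejecting the commit: `if (pk && pk->group != sae->group) wpa_printf(MSG_DEBUG, "SAE-PK: SAE group %d differs from K_AP group %d", sae->group, pk->group);`. A short comment there, such as `/* A K_AP/SAE group mismatch is permitted; keeping security levels aligned is left to the sae_groups configuration */`, would also record why the former check is gone rather than leaving only its absence. sae_prepare_commit_pt begins before this hunk, so any earlier validation of pk is not visible here.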
index 261935fdbe6a95c7edd93f27679a6f958ef14e2d..ee3c662c589da8c0141c3cd44b7ebec1fd566788 100644 (file)
@@ -75,7 +75,6 @@ struct sae_temporary_data {
        size_t lambda;
        u8 ssid[32];
        size_t ssid_len;
-       bool reject_group;
 #ifdef CONFIG_TESTING_OPTIONS
        bool omit_pk_elem;
 #endif /* CONFIG_TESTING_OPTIONS */
index 9e02611f74ed383f6db3c2547f5f7f9cca790a6a..5ccd601c2b33445f2097e0fea285de7e199de50d 100644 (file)
@@ -686,16 +686,6 @@ int sae_check_confirm_pk(struct sae_data *sae, const u8 *ies, size_t ies_len)
                return -1;
        }
 
-       /* TODO: Could support alternative groups as long as the combination
-        * meets the requirements. */
-       if (group != sae->group) {
-               wpa_printf(MSG_INFO,
-                          "SAE-PK: K_AP group %d does not match SAE group %d",
-                          group, sae->group);
-               crypto_ec_key_deinit(key);
-               return -1;
-       }
-
        wpa_hexdump(MSG_DEBUG, "SAE-PK: Received KeyAuth",
                    key_auth, key_auth_len);