[06/11] sae: verify offered group in AP mode

Message ID	20240421125050.6649-7-brandtwjohn@gmail.com (mailing list archive)
State	New
Headers	show Received: from mail-pf1-f180.google.com (mail-pf1-f180.google.com [209.85.210.180]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8E64B134BD for <iwd@lists.linux.dev>; Sun, 21 Apr 2024 12:53:44 +0000 (UTC) From: John Brandt <brandtwjohn@gmail.com> To: iwd@lists.linux.dev Cc: John Brandt <brandtwjohn@gmail.com> Subject: [PATCH 06/11] sae: verify offered group in AP mode Date: Sun, 21 Apr 2024 05:50:36 -0700 Message-ID: <20240421125050.6649-7-brandtwjohn@gmail.com> In-Reply-To: <20240421125050.6649-1-brandtwjohn@gmail.com> References: <20240421125050.6649-1-brandtwjohn@gmail.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	Basic SAE support for AP mode \| expand [00/11] Basic SAE support for AP mode [01/11] ap: ability to advertise PSK and SAE [02/11] ap: accept PSK/SAE in auth depending on config [03/11] sae: add function sae_set_group [04/11] sae: refactor and add function sae_calculate_keys [05/11] sae: make sae_process_commit callable in AP mode [06/11] sae: verify offered group in AP mode [07/11] sae: support reception of Confirm frame by AP [08/11] ap: add support to handle SAE authentication [09/11] ap: enable start of 4-way HS after SAE [10/11] eapol: support PTK derivation with SHA256 [11/11] eapol: encrypt key data for AKM-defined ciphers

Message ID

20240421125050.6649-7-brandtwjohn@gmail.com (mailing list archive)

State

New

Headers

From: John Brandt <brandtwjohn@gmail.com>
To: iwd@lists.linux.dev
Cc: John Brandt <brandtwjohn@gmail.com>
Subject: [PATCH 06/11] sae: verify offered group in AP mode
Date: Sun, 21 Apr 2024 05:50:36 -0700
Message-ID: <20240421125050.6649-7-brandtwjohn@gmail.com>
In-Reply-To: <20240421125050.6649-1-brandtwjohn@gmail.com>
References: <20240421125050.6649-1-brandtwjohn@gmail.com>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

Basic SAE support for AP mode | expand

Context	Check	Description
tedd_an/pre-ci_am	success	Success
prestwoj/iwd-ci-gitlint	success	GitLint

Context

Check

Description

tedd_an/pre-ci_am

success

Success

prestwoj/iwd-ci-gitlint

success

GitLint

Commit Message

John Brandt April 21, 2024, 12:50 p.m. UTC

When receiving a Commit frame in AP mode, first verify that we support
the offered group before further processing the frame.
---
 src/sae.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/src/sae.c b/src/sae.c
index 2c97d94c..8a1e311a 100644
--- a/src/sae.c
+++ b/src/sae.c
@@ -214,6 +214,18 @@  static int sae_valid_group(struct sae_sm *sm, unsigned int group)
 	return -ENOENT;
 }
 
+static int sae_supported_group(struct sae_sm *sm, unsigned int group)
+{
+	const unsigned int *ecc_groups = l_ecc_supported_ike_groups();
+	unsigned int i;
+
+	for (i = 0; ecc_groups[i]; i++)
+		if (ecc_groups[i] == group)
+			return true;
+
+	return false;
+}
+
 static bool sae_pwd_seed(const uint8_t *addr1, const uint8_t *addr2,
 				uint8_t *base, size_t base_len,
 				uint8_t counter, uint8_t *out)
@@ -1029,7 +1041,8 @@  static int sae_verify_nothing(struct sae_sm *sm, uint16_t transaction,
 		return -EBADMSG;
 
 	/* reject with unsupported group */
-	if (l_get_le16(frame) != sm->group)
+	if ((sm->handshake->authenticator && sae_supported_group(sm, l_get_le16(frame)) < 0) ||
+	    (!sm->handshake->authenticator && l_get_le16(frame) != sm->group))
 		return sae_reject(sm, SAE_STATE_COMMITTED,
 				MMPDU_STATUS_CODE_UNSUPP_FINITE_CYCLIC_GROUP);

[06/11] sae: verify offered group in AP mode

Checks

Commit Message

Patch