SAE-PK: Remove requirement of SAE group matching SAE-PK (K_AP) group

This was clarified in the draft specification to not be a mandatory
requirement for the AP and STA to enforce, i.e., matching security level
is a recommendation for AP configuration rather than a protocol
requirement.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

src/ap/ieee802_11.c

@@ -594,10 +594,6 @@ static int auth_sae_send_commit(struct hostapd_data *hapd,
 	data = auth_build_sae_commit(hapd, sta, update, status_code);
 	if (!data && sta->sae->tmp && sta->sae->tmp->pw_id)
 		return WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER;
-#ifdef CONFIG_SAE_PK
-	if (!data && sta->sae->tmp && sta->sae->tmp->reject_group)
-		return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
-#endif /* CONFIG_SAE_PK */
 	if (data == NULL)
 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
 
@@ -1195,7 +1191,7 @@ static int sae_is_group_enabled(struct hostapd_data *hapd, int group)
 
 
 static int check_sae_rejected_groups(struct hostapd_data *hapd,
-				     struct sae_data *sae, bool pk)
+				     struct sae_data *sae)
 {
 	const struct wpabuf *groups;
 	size_t i, count;
@@ -1216,29 +1212,8 @@ static int check_sae_rejected_groups(struct hostapd_data *hapd,
 		group = WPA_GET_LE16(pos);
 		pos += 2;
 		enabled = sae_is_group_enabled(hapd, group);
-
-#ifdef CONFIG_SAE_PK
-		/* TODO: Could check more explicitly against the matching
-		 * sae_password entry only for the somewhat theoretical case of
-		 * different passwords using different groups for SAE-PK K_AP
-		 * values. */
-		if (pk) {
-			struct sae_password_entry *pw;
-
-			enabled = false;
-			for (pw = hapd->conf->sae_passwords; pw;
-			     pw = pw->next) {
-				if (pw->pk && pw->pk->group == group) {
-					enabled = true;
-					break;
-				}
-			}
-		}
-#endif /* CONFIG_SAE_PK */
-
-		wpa_printf(MSG_DEBUG, "SAE: Rejected group %u is %s%s",
-			   group, enabled ? "enabled" : "disabled",
-			   pk ? " (PK)" : "");
+		wpa_printf(MSG_DEBUG, "SAE: Rejected group %u is %s",
+			   group, enabled ? "enabled" : "disabled");
 		if (enabled)
 			return 1;
 	}
@@ -1442,9 +1417,7 @@ static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta,
 		if (resp != WLAN_STATUS_SUCCESS)
 			goto reply;
 
-		if (check_sae_rejected_groups(hapd, sta->sae,
-					      status_code ==
-					      WLAN_STATUS_SAE_PK)) {
+		if (check_sae_rejected_groups(hapd, sta->sae)) {
 			resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
 			goto reply;
 		}

src/common/sae.c

@@ -1392,15 +1392,6 @@ int sae_prepare_commit_pt(struct sae_data *sae, const struct sae_pt *pt,
 	os_memcpy(sae->tmp->ssid, pt->ssid, pt->ssid_len);
 	sae->tmp->ssid_len = pt->ssid_len;
 	sae->tmp->ap_pk = pk;
-	/* TODO: Could support alternative groups as long as the combination
-	 * meets the requirements. */
-	if (pk && pk->group != sae->group) {
-		wpa_printf(MSG_DEBUG,
-			   "SAE-PK: Reject attempt to use group %d since K_AP use group %d",
-			   sae->group, pk->group);
-		sae->tmp->reject_group = true;
-		return -1;
-	}
 #endif /* CONFIG_SAE_PK */
 	sae->tmp->own_addr_higher = os_memcmp(addr1, addr2, ETH_ALEN) > 0;
 	wpabuf_free(sae->tmp->own_rejected_groups);

src/common/sae.h

@@ -75,7 +75,6 @@ struct sae_temporary_data {
 	size_t lambda;
 	u8 ssid[32];
 	size_t ssid_len;
-	bool reject_group;
 #ifdef CONFIG_TESTING_OPTIONS
 	bool omit_pk_elem;
 #endif /* CONFIG_TESTING_OPTIONS */

src/common/sae_pk.c

@@ -686,16 +686,6 @@ int sae_check_confirm_pk(struct sae_data *sae, const u8 *ies, size_t ies_len)
 		return -1;
 	}
 
-	/* TODO: Could support alternative groups as long as the combination
-	 * meets the requirements. */
-	if (group != sae->group) {
-		wpa_printf(MSG_INFO,
-			   "SAE-PK: K_AP group %d does not match SAE group %d",
-			   group, sae->group);
-		crypto_ec_key_deinit(key);
-		return -1;
-	}
-
 	wpa_hexdump(MSG_DEBUG, "SAE-PK: Received KeyAuth",
 		    key_auth, key_auth_len);