Diffstat (limited to 'main/hostapd/0024-SAE-Reject-unsuitable-groups-based-on-REVmd-changes.patch')
-rw-r--r-- | main/hostapd/0024-SAE-Reject-unsuitable-groups-based-on-REVmd-changes.patch | 59 |
1 files changed, 59 insertions, 0 deletions
diff --git a/main/hostapd/0024-SAE-Reject-unsuitable-groups-based-on-REVmd-changes.patch b/main/hostapd/0024-SAE-Reject-unsuitable-groups-based-on-REVmd-changes.patch
new file mode 100644
index 0000000000..a7e6d37fb1
--- /dev/null
+++ b/main/hostapd/0024-SAE-Reject-unsuitable-groups-based-on-REVmd-changes.patch
@@ -0,0 +1,59 @@
+From db54db11aec763b6fc74715c36e0f9de0d65e206 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Mon, 8 Apr 2019 18:01:07 +0300
+Subject: [PATCH] SAE: Reject unsuitable groups based on REVmd changes
+
+The rules defining which DH groups are suitable for SAE use were
+accepted into IEEE 802.11 REVmd based on this document:
+https://mentor.ieee.org/802.11/dcn/19/11-19-0387-02-000m-addressing-some-sae-comments.docx
+
+Enforce those rules in production builds of wpa_supplicant and hostapd.
+CONFIG_TESTING_OPTIONS=y builds can still be used to select any o the
+implemented groups to maintain testing coverage.
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+---
+ src/common/sae.c | 23 +++++++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+
+diff --git a/src/common/sae.c b/src/common/sae.c
+index 981e788dc..8129a7c15 100644
+--- a/src/common/sae.c
++++ b/src/common/sae.c
+@@ -17,10 +17,33 @@
+ #include "sae.h"
+
+
++static int sae_suitable_group(int group)
++{
++#ifdef CONFIG_TESTING_OPTIONS
++ /* Allow all groups for testing purposes in non-production builds. */
++ return 1;
++#else /* CONFIG_TESTING_OPTIONS */
++ /* Enforce REVmd rules on which SAE groups are suitable for production
++ * purposes: FFC groups whose prime is >= 3072 bits and ECC groups
++ * defined over a prime field whose prime is >= 256 bits. Furthermore,
++ * ECC groups defined over a characteristic 2 finite field and ECC
++ * groups with a co-factor greater than 1 are not suitable. */
++ return group == 19 || group == 20 || group == 21 ||
++ group == 28 || group == 29 || group == 30 ||
++ group == 15 || group == 16 || group == 17 || group == 18;
++#endif /* CONFIG_TESTING_OPTIONS */
++}
++
++
+ int sae_set_group(struct sae_data *sae, int group)
+ {
+ struct sae_temporary_data *tmp;
+
++ if (!sae_suitable_group(group)) {
++ wpa_printf(MSG_DEBUG, "SAE: Reject unsuitable group %d", group);
++ return -1;
++ }
++
+ sae_clear_data(sae);
+ tmp = sae->tmp = os_zalloc(sizeof(*tmp));
+ if (tmp == NULL)
+--
+2.22.0
+ |
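Review bot: The allow-list in `sae_suitable_group()` is compiled out whenever `CONFIG_TESTING_OPTIONS` is defined, so this patch only hardens the package if the hostapd build configuration leaves that option unset. That configuration is not visible on this page and should be confirmed in the packaging. The rejection in `sae_set_group()` is logged at `MSG_DEBUG`, which a default log level would probably hide; since a peer proposing a disallowed group may indicate a downgrade attempt, consider `wpa_printf(MSG_INFO, "SAE: Reject unsuitable group %d", group);`, weighed against log volume because the peer controls how often it fires. The bare numbers in the return expression would read better with a comment such as `/* 15-18: MODP 3072-8192 bit; 19-21: NIST P-256/P-384/P-521; 28-30: Brainpool 256/384/512 bit */`. The body of `sae_set_group()` continues past the end of the hunk.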