From: Andrei Otcheretianski
To: hostap@lists.infradead.org
Cc: Andrei Otcheretianski
Subject: [PATCH 1/2] wpa_supplicant: Always clear SAE rejected groups
Date: Wed, 8 May 2024 16:42:12 +0300
Message-ID: <20240508134213.3913209-1-andrei.otcheretianski@intel.com>

SAE rejected groups were not cleared in case of re-association to the same ESS. Since new BSS can support different groups, keeping rejected groups doesn't make sense and may result in AP rejecting the authentication. Fix it. Also, make sure that sme_set_sae_group() doesn't select a rejected group.

Signed-off-by: Andrei Otcheretianski
--- src/utils/common.c | 13 +++++++++++++ src/utils/common.h | 1 + wpa_supplicant/sme.c | 3 ++- wpa_supplicant/wpa_supplicant.c | 10 ++++++---- 4 files changed, 22 insertions(+), 5 deletions(-) diff --git a/src/utils/common.c b/src/utils/common.c index 6acfcbd898..fa9016e5e0 100644 --- a/src/utils/common.c +++ b/src/utils/common.c @@ -990,6 +990,19 @@ void int_array_add_unique(int **res, int a) } +int int_array_includes(int *arr, int val) +{ + int i; + + for (i = 0; arr && arr[i]; i++) { + if (val == arr[i]) + return 1; + } + + return 0; +} + + void str_clear_free(char *str) { if (str) { 
diff --git a/src/utils/common.h b/src/utils/common.h index 7d99b29190..3d9320b03c 100644 --- a/src/utils/common.h +++ b/src/utils/common.h @@ -577,6 +577,7 @@ size_t int_array_len(const int *a); void int_array_concat(int **res, const int *a); void int_array_sort_unique(int *a); void int_array_add_unique(int **res, int a); +int int_array_includes(int *arr, int val); #define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0])) diff --git a/wpa_supplicant/sme.c b/wpa_supplicant/sme.c index f6860783e7..b8a9e2541a 100644 --- a/wpa_supplicant/sme.c +++ b/wpa_supplicant/sme.c @@ -71,7 +71,8 @@ static int sme_set_sae_group(struct wpa_supplicant *wpa_s, bool external) int group = groups[wpa_s->sme.sae_group_index]; if (group <= 0) break; - if (sae_set_group(&wpa_s->sme.sae, group) == 0) { + if (!int_array_includes(wpa_s->sme.sae_rejected_groups, group) && + sae_set_group(&wpa_s->sme.sae, group) == 0) { wpa_dbg(wpa_s, MSG_DEBUG, "SME: Selected SAE group %d", wpa_s->sme.sae.group); wpa_s->sme.sae.akmp = external ? diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c index 25a844c581..f137ddb974 100644 --- a/wpa_supplicant/wpa_supplicant.c +++ b/wpa_supplicant/wpa_supplicant.c @@ -2480,6 +2480,7 @@ static void wpas_start_assoc_cb(struct wpa_radio_work *work, int deinit); void wpa_supplicant_associate(struct wpa_supplicant *wpa_s, struct wpa_bss *bss, struct wpa_ssid *ssid) { + bool clear_rejected = true; struct wpa_connect_work *cwork; enum wpas_mac_addr_style rand_style; 
@@ -2521,14 +2522,15 @@ void wpa_supplicant_associate(struct wpa_supplicant *wpa_s, wmm_ac_save_tspecs(wpa_s); #endif /* CONFIG_NO_WMM_AC */ wpa_s->reassoc_same_bss = 1; + clear_rejected = false; } else if (wpa_s->current_bss && wpa_s->current_bss != bss) { os_get_reltime(&wpa_s->roam_start); } - } else { -#ifdef CONFIG_SAE - wpa_s_clear_sae_rejected(wpa_s); -#endif /* CONFIG_SAE */ } + + if (clear_rejected) + wpa_s_clear_sae_rejected(wpa_s); + #ifdef CONFIG_SAE wpa_s_setup_sae_pt(wpa_s->conf, ssid, false); #endif /* CONFIG_SAE */
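
Review bot: In the src/utils/common.c hunk, int_array_includes() takes `int *arr` although it only reads the array, while the neighbouring helper in common.h is declared `size_t int_array_len(const int *a);`. Declaring the parameter as `const int *arr` in both the definition and the common.h prototype would match that and allow const arrays to be passed. The loop condition `arr && arr[i]` also stops at the first zero entry, so the helper depends on a zero-terminated array and can never report val == 0 as present; a one-line comment stating that contract would help future callers.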
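
Review bot: In the wpa_supplicant/sme.c hunk, a group skipped by the new `!int_array_includes(wpa_s->sme.sae_rejected_groups, group) &&` test is silent, so it looks the same in a debug log as a group for which sae_set_group() returned non-zero. A wpa_dbg() line naming the skipped group, next to the existing "SME: Selected SAE group %d" message, would make it possible to tell a group the AP rejected from one the local build does not support. It is also worth checking what the caller does when every configured group is in sae_rejected_groups and the loop ends at `if (group <= 0) break;` without selecting one.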
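
Review bot: In the second wpa_supplicant/wpa_supplicant.c hunk, the removed call to wpa_s_clear_sae_rejected() sat inside `#ifdef CONFIG_SAE`, but the new `if (clear_rejected) wpa_s_clear_sae_rejected(wpa_s);` is placed outside any guard, directly above the `#ifdef CONFIG_SAE` block that calls wpa_s_setup_sae_pt(). Unless wpa_s_clear_sae_rejected() is defined for builds without CONFIG_SAE, which these lines do not show, this could break such builds. Moving the new check into the following `#ifdef CONFIG_SAE` block would keep the original guard; the clear_rejected declaration and the `clear_rejected = false;` assignment would then need the same guard, or the variable ends up set but unused in non-SAE builds.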