[PATCH 1/2] wpa_supplicant: Always clear SAE rejected groups

Andrei Otcheretianski andrei.otcheretianski at intel.com
Wed May 8 06:42:12 PDT 2024


SAE rejected groups were not cleared in case of re-association to the
same ESS. Since new BSS can support different groups, keeping rejected
groups doesn't make sense and may result in AP rejecting the
authentication. Fix it.
Also, make sure that sme_set_sae_group() doesn't select a
rejected group.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski at intel.com>
---
 src/utils/common.c              | 13 +++++++++++++
 src/utils/common.h              |  1 +
 wpa_supplicant/sme.c            |  3 ++-
 wpa_supplicant/wpa_supplicant.c | 10 ++++++----
 4 files changed, 22 insertions(+), 5 deletions(-)

diff --git a/src/utils/common.c b/src/utils/common.c
index 6acfcbd898..fa9016e5e0 100644
--- a/src/utils/common.c
+++ b/src/utils/common.c
@@ -990,6 +990,19 @@ void int_array_add_unique(int **res, int a)
 }
 
 
+int int_array_includes(int *arr, int val)
+{
+	int i;
+
+	for (i = 0; arr && arr[i]; i++) {
+		if (val == arr[i])
+			return 1;
+	}
+
+	return 0;
+}
+
+
 void str_clear_free(char *str)
 {
 	if (str) {
diff --git a/src/utils/common.h b/src/utils/common.h
index 7d99b29190..3d9320b03c 100644
--- a/src/utils/common.h
+++ b/src/utils/common.h
@@ -577,6 +577,7 @@ size_t int_array_len(const int *a);
 void int_array_concat(int **res, const int *a);
 void int_array_sort_unique(int *a);
 void int_array_add_unique(int **res, int a);
+int int_array_includes(int *arr, int val);
 
 #define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
 
diff --git a/wpa_supplicant/sme.c b/wpa_supplicant/sme.c
index f6860783e7..b8a9e2541a 100644
--- a/wpa_supplicant/sme.c
+++ b/wpa_supplicant/sme.c
@@ -71,7 +71,8 @@ static int sme_set_sae_group(struct wpa_supplicant *wpa_s, bool external)
 		int group = groups[wpa_s->sme.sae_group_index];
 		if (group <= 0)
 			break;
-		if (sae_set_group(&wpa_s->sme.sae, group) == 0) {
+		if (!int_array_includes(wpa_s->sme.sae_rejected_groups, group) &&
+		    sae_set_group(&wpa_s->sme.sae, group) == 0) {
 			wpa_dbg(wpa_s, MSG_DEBUG, "SME: Selected SAE group %d",
 				wpa_s->sme.sae.group);
 			wpa_s->sme.sae.akmp = external ?
diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c
index 25a844c581..f137ddb974 100644
--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c
@@ -2480,6 +2480,7 @@ static void wpas_start_assoc_cb(struct wpa_radio_work *work, int deinit);
 void wpa_supplicant_associate(struct wpa_supplicant *wpa_s,
 			      struct wpa_bss *bss, struct wpa_ssid *ssid)
 {
+	bool clear_rejected = true;
 	struct wpa_connect_work *cwork;
 	enum wpas_mac_addr_style rand_style;
 
@@ -2521,14 +2522,15 @@ void wpa_supplicant_associate(struct wpa_supplicant *wpa_s,
 			wmm_ac_save_tspecs(wpa_s);
 #endif /* CONFIG_NO_WMM_AC */
 			wpa_s->reassoc_same_bss = 1;
+			clear_rejected = false;
 		} else if (wpa_s->current_bss && wpa_s->current_bss != bss) {
 			os_get_reltime(&wpa_s->roam_start);
 		}
-	} else {
-#ifdef CONFIG_SAE
-		wpa_s_clear_sae_rejected(wpa_s);
-#endif /* CONFIG_SAE */
 	}
+
+	if (clear_rejected)
+		wpa_s_clear_sae_rejected(wpa_s);
+
 #ifdef CONFIG_SAE
 	wpa_s_setup_sae_pt(wpa_s->conf, ssid, false);
 #endif /* CONFIG_SAE */
-- 
2.43.0




More information about the Hostap mailing list