Merge branch 'bugfix/sae_h2e_vulnerability_fix_v5.2' into 'release/v5.2'

fix(wifi): Sae check for invalid rejected group (v5.2) See merge request espressif/esp-idf!33980
2025-03-10 01:29:21 -04:00 · 2024-12-03 14:33:29 +08:00 · 2024-12-03 14:33:29 +08:00 · 0b2e6d68df
commit 0b2e6d68df
parent 1c4a3106dc ce2e5455e8
3 changed files with 134 additions and 1 deletions
--- a/components/wpa_supplicant/esp_supplicant/src/esp_wpa3.c
+++ b/components/wpa_supplicant/esp_supplicant/src/esp_wpa3.c
@ -242,6 +242,60 @@ static u8 *wpa3_build_sae_msg(u8 *bssid, u32 sae_msg_type, size_t *sae_msg_len)
    return buf;
 }

+static int wpa3_sae_is_group_enabled(int group)
+{
+    int *groups = NULL;
+    int default_groups[] = { 19, 0 };
+    int i;
+
+    if (!groups) {
+        groups = default_groups;
+    }
+
+    for (i = 0; groups[i] > 0; i++) {
+        if (groups[i] == group) {
+            return 1;
+        }
+    }
+
+    return 0;
+}
+
+static int wpa3_check_sae_rejected_groups(const struct wpabuf *groups)
+{
+    size_t i, count, len;
+    const u8 *pos;
+
+    if (!groups) {
+        return 0;
+    }
+
+    pos = wpabuf_head(groups);
+    len = wpabuf_len(groups);
+    if (len & 1) {
+        wpa_printf(MSG_DEBUG,
+                   "SAE: Invalid length of the Rejected Groups element payload: %zu",
+                   len);
+        return 1;
+    }
+    count = len / 2;
+    for (i = 0; i < count; i++) {
+        int enabled;
+        u16 group;
+
+        group = WPA_GET_LE16(pos);
+        pos += 2;
+        enabled = wpa3_sae_is_group_enabled(group);
+        wpa_printf(MSG_DEBUG, "SAE: Rejected group %u is %s",
+                   group, enabled ? "enabled" : "disabled");
+        if (enabled) {
+            return 1;
+        }
+    }
+
+    return 0;
+}
+
 static int wpa3_parse_sae_commit(u8 *buf, u32 len, u16 status)
 {
    int ret;
@ -278,6 +332,9 @@ static int wpa3_parse_sae_commit(u8 *buf, u32 len, u16 status)
        wpa_printf(MSG_ERROR, "wpa3: could not parse commit(%d)", ret);
        return ret;
    }
+    if (g_sae_data.tmp && wpa3_check_sae_rejected_groups(g_sae_data.tmp->peer_rejected_groups)) {
+        return -1;
+    }

    ret = sae_process_commit(&g_sae_data);
    if (ret) {
--- a/components/wpa_supplicant/src/ap/ieee802_11.c
+++ b/components/wpa_supplicant/src/ap/ieee802_11.c
@ -402,6 +402,65 @@ static int sae_status_success(struct hostapd_data *hapd, u16 status_code)
 }


+static int sae_is_group_enabled(struct hostapd_data *hapd, int group)
+{
+    int *groups = NULL;
+    int default_groups[] = { 19, 0 };
+    int i;
+
+    if (!groups) {
+        groups = default_groups;
+    }
+
+    for (i = 0; groups[i] > 0; i++) {
+        if (groups[i] == group)
+            return 1;
+    }
+
+    return 0;
+}
+
+
+static int check_sae_rejected_groups(struct hostapd_data *hapd,
+				     struct sae_data *sae)
+{
+    const struct wpabuf *groups;
+    size_t i, count, len;
+    const u8 *pos;
+
+    if (!sae->tmp)
+        return 0;
+    groups = sae->tmp->peer_rejected_groups;
+    if (!groups)
+        return 0;
+
+    pos = wpabuf_head(groups);
+    len = wpabuf_len(groups);
+    if (len & 1) {
+        wpa_printf(MSG_DEBUG,
+                  "SAE: Invalid length of the Rejected Groups element payload: %zu",
+                  len);
+        return 1;
+    }
+
+    count = len / 2;
+    for (i = 0; i < count; i++) {
+        int enabled;
+        u16 group;
+
+        group = WPA_GET_LE16(pos);
+        pos += 2;
+        enabled = sae_is_group_enabled(hapd, group);
+        wpa_printf(MSG_DEBUG, "SAE: Rejected group %u is %s",
+                  group, enabled ? "enabled" : "disabled");
+        if (enabled)
+            return 1;
+    }
+
+    return 0;
+}
+
+
 int handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta,
                    u8 *buf, size_t len, u8 *bssid,
                    u16 auth_transaction, u16 status)
@ -495,6 +554,11 @@ int handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta,
            goto remove_sta;
        }

+        if (check_sae_rejected_groups(hapd, sta->sae)) {
+            resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
+            goto reply;
+        }
+
        if (resp != WLAN_STATUS_SUCCESS) {
            goto reply;
        }
--- a/components/wpa_supplicant/src/common/sae.c
+++ b/components/wpa_supplicant/src/common/sae.c
@ -2049,8 +2049,11 @@ static int sae_parse_rejected_groups(struct sae_data *sae,

 	wpa_hexdump(MSG_DEBUG, "SAE: Possible elements at the end of the frame",
 		    *pos, end - *pos);
-	if (!sae_is_rejected_groups_elem(*pos, end))
+	if (!sae_is_rejected_groups_elem(*pos, end)) {
+		wpabuf_free(sae->tmp->peer_rejected_groups);
+		sae->tmp->peer_rejected_groups = NULL;
 		return WLAN_STATUS_SUCCESS;
+	}

 	epos = *pos;
 	epos++; /* skip IE type */
@ -2060,6 +2063,12 @@ static int sae_parse_rejected_groups(struct sae_data *sae,
 	epos++; /* skip ext ID */
 	len--;

+	if (len & 1) {
+		wpa_printf(MSG_DEBUG,
+			   "SAE: Invalid length of the Rejected Groups element payload: %u",
+			   len);
+		return WLAN_STATUS_UNSPECIFIED_FAILURE;
+	}
 	wpabuf_free(sae->tmp->peer_rejected_groups);
 	sae->tmp->peer_rejected_groups = wpabuf_alloc(len);
 	if (!sae->tmp->peer_rejected_groups)
@ -2139,6 +2148,9 @@ u16 sae_parse_commit(struct sae_data *sae, const u8 *data, size_t len,
 		res = sae_parse_rejected_groups(sae, &pos, end);
 		if (res != WLAN_STATUS_SUCCESS)
 			return res;
+	} else {
+		wpabuf_free(sae->tmp->peer_rejected_groups);
+		sae->tmp->peer_rejected_groups = NULL;
 	}

 	/* Optional Anti-Clogging Token Container element */