[PATCH v2 1/2] sae: check return on sae_send_commit()

[PATCH v2 1/2] sae: check return on sae_send_commit()

[James Prestwood]

If this fails, in some cases, -EAGAIN would be returned up to netdev
which would then assume a retry would be done automatically. This
would not in fact happen since it was an internal SAE failure which
would result in the connect method return to never get sent.

Now if sae_send_commit() fails, return -EPROTO which will cause
netdev to fail the connection.
---
 src/sae.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/src/sae.c b/src/sae.c
index 3305dfdc..87e64041 100644
--- a/src/sae.c
+++ b/src/sae.c
@@ -994,7 +994,8 @@ static int sae_process_anti_clogging(struct sae_sm *sm, const uint8_t *ptr,
 	sm->token_len = len;
 	sm->sync = 0;
 
-	sae_send_commit(sm, true);
+	if (L_WARN_ON(!sae_send_commit(sm, true)))
+		return -EPROTO;
 
 	return -EAGAIN;
 }
@@ -1074,7 +1075,9 @@ static int sae_verify_committed(struct sae_sm *sm, uint16_t transaction,
 			return -ETIMEDOUT;
 
 		sm->sync++;
-		sae_send_commit(sm, true);
+
+		if (L_WARN_ON(!sae_send_commit(sm, true)))
+			return -EPROTO;
 
 		return -EAGAIN;
 	}
@@ -1129,7 +1132,9 @@ static int sae_verify_committed(struct sae_sm *sm, uint16_t transaction,
 				sm->group);
 
 		sm->sync = 0;
-		sae_send_commit(sm, false);
+
+		if (L_WARN_ON(!sae_send_commit(sm, false)))
+			return -EPROTO;
 
 		return -EAGAIN;
 	}
@@ -1294,7 +1299,8 @@ static int sae_verify_confirmed(struct sae_sm *sm, uint16_t trans,
 	sm->sync++;
 	sm->sc++;
 
-	sae_send_commit(sm, true);
+	if (L_WARN_ON(!sae_send_commit(sm, true)))
+		return -EPROTO;
 
 	if (!sae_send_confirm(sm))
 		return -EPROTO;
-- 
2.34.1

[PATCH v2 2/2] sae: prevent groups 21, 25, and 26 from being used

[James Prestwood]

These groups are not working reliably and until that is fixed they
should be disabled.
---
 src/sae.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/sae.c b/src/sae.c
index 87e64041..9ffdf648 100644
--- a/src/sae.c
+++ b/src/sae.c
@@ -169,6 +169,14 @@ static int sae_choose_next_group(struct sae_sm *sm)
 				!sm->handshake->ecc_sae_pts[sm->group_retry])
 			continue;
 
+		/*
+		 * TODO: Groups for P192, P224 and P521 are currently
+		 * non-functional with SAE. Until this is fixed we need to
+		 * avoid these groups from being used.
+		 */
+		if (group == 21 || group == 25 || group == 26)
+			continue;
+
 		break;
 	}
 
-- 
2.34.1

Re: [PATCH v2 1/2] sae: check return on sae_send_commit()

[Denis Kenzior]

Hi James,

On 5/28/25 2:27 PM, James Prestwood wrote:
> If this fails, in some cases, -EAGAIN would be returned up to netdev
> which would then assume a retry would be done automatically. This
> would not in fact happen since it was an internal SAE failure which
> would result in the connect method return to never get sent.
> 
> Now if sae_send_commit() fails, return -EPROTO which will cause
> netdev to fail the connection.
> ---
>   src/sae.c | 14 ++++++++++----
>   1 file changed, 10 insertions(+), 4 deletions(-)
> 

Applied, thanks.

Regards,
-Denis