Extend pmf_in_use() to be aware of affiliated links on non-AP MLD

The target MAC address needs to be checked against all the AP MLD link addresses and the MLD MAC address to cover all possible cases. This is needed to be able to correctly use Protected Dual of Public Action frames during an ML association. Signed-off-by: Jouni Malinen <j@w1.fi>
2024-01-13 12:24:00 +02:00 · 2024-01-13 12:24:00 +02:00 · 29814ee968
commit 29814ee968
parent 6ea81f3238
2 changed files with 11 additions and 3 deletions
--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c
@ -8637,9 +8637,16 @@ bool wpas_is_sae_avoided(struct wpa_supplicant *wpa_s,
 int pmf_in_use(struct wpa_supplicant *wpa_s, const u8 *addr)
 {
 	if (wpa_s->current_ssid == NULL ||
-	    wpa_s->wpa_state < WPA_4WAY_HANDSHAKE ||
-	    os_memcmp(addr, wpa_s->bssid, ETH_ALEN) != 0)
+	    wpa_s->wpa_state < WPA_4WAY_HANDSHAKE)
 		return 0;
+	if (wpa_s->valid_links) {
+		if (os_memcmp(addr, wpa_s->ap_mld_addr, ETH_ALEN) != 0 &&
+		    !wpas_ap_link_address(wpa_s, addr))
+			return 0;
+	} else {
+		if (os_memcmp(addr, wpa_s->bssid, ETH_ALEN) != 0)
+			return 0;
+	}
 	return wpa_sm_pmf_enabled(wpa_s->wpa);
 }

@ -9311,7 +9318,7 @@ wpa_drv_get_scan_results2(struct wpa_supplicant *wpa_s)
 }


-static bool wpas_ap_link_address(struct wpa_supplicant *wpa_s, const u8 *addr)
+bool wpas_ap_link_address(struct wpa_supplicant *wpa_s, const u8 *addr)
 {
 	int i;

--- a/wpa_supplicant/wpa_supplicant_i.h
+++ b/wpa_supplicant/wpa_supplicant_i.h
@ -1989,5 +1989,6 @@ void wpas_pasn_auth_work_done(struct wpa_supplicant *wpa_s, int status);
 bool wpas_is_6ghz_supported(struct wpa_supplicant *wpa_s, bool only_enabled);

 bool wpa_is_non_eht_scs_traffic_desc_supported(struct wpa_bss *bss);
+bool wpas_ap_link_address(struct wpa_supplicant *wpa_s, const u8 *addr);

 #endif /* WPA_SUPPLICANT_I_H */