RSNO: Do not enforce SNonce cookie and RSN Selection match if RSNO not used

A STA that supports RSN overriding will always use the SNonce cookie. An
AP that does not advertise RSN overriding elements must not enforce that
SNonce cookie is used with RSN Selection element since a STA includes
the latter only when it sees the AP advertising RSN overriding elements.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This commit is contained in:
Jouni Malinen 2024-08-15 20:39:03 +03:00 committed by Jouni Malinen
parent 70b8f64faf
commit 66d8ac8ccc

View file

@ -3920,14 +3920,16 @@ SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
#endif /* CONFIG_IEEE80211R_AP */ #endif /* CONFIG_IEEE80211R_AP */
/* Verify RSN Selection element for RSN overriding */ /* Verify RSN Selection element for RSN overriding */
if ((rsn_is_snonce_cookie(sm->SNonce) && !kde.rsn_selection) || if ((wpa_auth->conf.rsn_override_key_mgmt ||
wpa_auth->conf.rsn_override_key_mgmt_2) &&
((rsn_is_snonce_cookie(sm->SNonce) && !kde.rsn_selection) ||
(!rsn_is_snonce_cookie(sm->SNonce) && kde.rsn_selection) || (!rsn_is_snonce_cookie(sm->SNonce) && kde.rsn_selection) ||
(sm->rsn_selection && !kde.rsn_selection) || (sm->rsn_selection && !kde.rsn_selection) ||
(!sm->rsn_selection && kde.rsn_selection) || (!sm->rsn_selection && kde.rsn_selection) ||
(sm->rsn_selection && kde.rsn_selection && (sm->rsn_selection && kde.rsn_selection &&
(sm->rsn_selection_len != kde.rsn_selection_len || (sm->rsn_selection_len != kde.rsn_selection_len ||
os_memcmp(sm->rsn_selection, kde.rsn_selection, os_memcmp(sm->rsn_selection, kde.rsn_selection,
sm->rsn_selection_len) != 0))) { sm->rsn_selection_len) != 0)))) {
wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO, wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
"RSN Selection element from (Re)AssocReq did not match the one in EAPOL-Key msg 2/4"); "RSN Selection element from (Re)AssocReq did not match the one in EAPOL-Key msg 2/4");
wpa_printf(MSG_DEBUG, wpa_printf(MSG_DEBUG,