AP MLD: Require same AKM and pairwise cipher for all links

Signed-off-by: Rameshkumar Sundaram <quic_ramess@quicinc.com>
Co-developed-by: Adil Saeed Musthafa <quic_adilm@quicinc.com>
Signed-off-by: Adil Saeed Musthafa <quic_adilm@quicinc.com>
Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
This commit is contained in:
Rameshkumar Sundaram 2024-03-28 23:46:47 +05:30 committed by Jouni Malinen
parent 8891ebdc1d
commit 84d2a36da0
6 changed files with 27 additions and 9 deletions

View file

@ -528,7 +528,7 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr,
elems.rsnxe ? elems.rsnxe - 2 : NULL, elems.rsnxe ? elems.rsnxe - 2 : NULL,
elems.rsnxe ? elems.rsnxe_len + 2 : 0, elems.rsnxe ? elems.rsnxe_len + 2 : 0,
elems.mdie, elems.mdie_len, elems.mdie, elems.mdie_len,
elems.owe_dh, elems.owe_dh_len); elems.owe_dh, elems.owe_dh_len, NULL);
reason = WLAN_REASON_INVALID_IE; reason = WLAN_REASON_INVALID_IE;
status = WLAN_STATUS_INVALID_IE; status = WLAN_STATUS_INVALID_IE;
switch (res) { switch (res) {

View file

@ -1882,7 +1882,7 @@ void handle_auth_fils(struct hostapd_data *hapd, struct sta_info *sta,
elems.rsn_ie - 2, elems.rsn_ie_len + 2, elems.rsn_ie - 2, elems.rsn_ie_len + 2,
elems.rsnxe ? elems.rsnxe - 2 : NULL, elems.rsnxe ? elems.rsnxe - 2 : NULL,
elems.rsnxe ? elems.rsnxe_len + 2 : 0, elems.rsnxe ? elems.rsnxe_len + 2 : 0,
elems.mdie, elems.mdie_len, NULL, 0); elems.mdie, elems.mdie_len, NULL, 0, NULL);
resp = wpa_res_to_status_code(res); resp = wpa_res_to_status_code(res);
if (resp != WLAN_STATUS_SUCCESS) if (resp != WLAN_STATUS_SUCCESS)
goto fail; goto fail;
@ -3770,7 +3770,7 @@ u16 owe_process_rsn_ie(struct hostapd_data *hapd,
rsn_ie_len += 2; rsn_ie_len += 2;
res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm, res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm,
hapd->iface->freq, rsn_ie, rsn_ie_len, hapd->iface->freq, rsn_ie, rsn_ie_len,
NULL, 0, NULL, 0, owe_dh, owe_dh_len); NULL, 0, NULL, 0, owe_dh, owe_dh_len, NULL);
status = wpa_res_to_status_code(res); status = wpa_res_to_status_code(res);
if (status != WLAN_STATUS_SUCCESS) if (status != WLAN_STATUS_SUCCESS)
goto end; goto end;
@ -3859,6 +3859,8 @@ static int __check_assoc_ies(struct hostapd_data *hapd, struct sta_info *sta,
const u8 *wpa_ie; const u8 *wpa_ie;
size_t wpa_ie_len; size_t wpa_ie_len;
const u8 *p2p_dev_addr = NULL; const u8 *p2p_dev_addr = NULL;
struct hostapd_data *assoc_hapd;
struct sta_info *assoc_sta = NULL;
resp = check_ssid(hapd, sta, elems->ssid, elems->ssid_len); resp = check_ssid(hapd, sta, elems->ssid, elems->ssid_len);
if (resp != WLAN_STATUS_SUCCESS) if (resp != WLAN_STATUS_SUCCESS)
@ -4033,6 +4035,10 @@ static int __check_assoc_ies(struct hostapd_data *hapd, struct sta_info *sta,
wpa_ie_len += 2; wpa_ie_len += 2;
if (!sta->wpa_sm) { if (!sta->wpa_sm) {
if (!link)
assoc_sta = hostapd_ml_get_assoc_sta(
hapd, sta, &assoc_hapd);
sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth, sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
sta->addr, sta->addr,
p2p_dev_addr); p2p_dev_addr);
@ -4065,7 +4071,8 @@ static int __check_assoc_ies(struct hostapd_data *hapd, struct sta_info *sta,
elems->rsnxe ? elems->rsnxe_len + 2 : elems->rsnxe ? elems->rsnxe_len + 2 :
0, 0,
elems->mdie, elems->mdie_len, elems->mdie, elems->mdie_len,
elems->owe_dh, elems->owe_dh_len); elems->owe_dh, elems->owe_dh_len,
assoc_sta ? assoc_sta->wpa_sm : NULL);
resp = wpa_res_to_status_code(res); resp = wpa_res_to_status_code(res);
if (resp != WLAN_STATUS_SUCCESS) if (resp != WLAN_STATUS_SUCCESS)
return resp; return resp;

View file

@ -435,7 +435,8 @@ wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth,
const u8 *wpa_ie, size_t wpa_ie_len, const u8 *wpa_ie, size_t wpa_ie_len,
const u8 *rsnxe, size_t rsnxe_len, const u8 *rsnxe, size_t rsnxe_len,
const u8 *mdie, size_t mdie_len, const u8 *mdie, size_t mdie_len,
const u8 *owe_dh, size_t owe_dh_len); const u8 *owe_dh, size_t owe_dh_len,
struct wpa_state_machine *assoc_sm);
int wpa_validate_osen(struct wpa_authenticator *wpa_auth, int wpa_validate_osen(struct wpa_authenticator *wpa_auth,
struct wpa_state_machine *sm, struct wpa_state_machine *sm,
const u8 *osen_ie, size_t osen_ie_len); const u8 *osen_ie, size_t osen_ie_len);

View file

@ -608,7 +608,8 @@ wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth,
const u8 *wpa_ie, size_t wpa_ie_len, const u8 *wpa_ie, size_t wpa_ie_len,
const u8 *rsnxe, size_t rsnxe_len, const u8 *rsnxe, size_t rsnxe_len,
const u8 *mdie, size_t mdie_len, const u8 *mdie, size_t mdie_len,
const u8 *owe_dh, size_t owe_dh_len) const u8 *owe_dh, size_t owe_dh_len,
struct wpa_state_machine *assoc_sm)
{ {
struct wpa_auth_config *conf = &wpa_auth->conf; struct wpa_auth_config *conf = &wpa_auth->conf;
struct wpa_ie_data data; struct wpa_ie_data data;
@ -956,6 +957,15 @@ wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth,
else else
sm->wpa = WPA_VERSION_WPA; sm->wpa = WPA_VERSION_WPA;
if (assoc_sm) {
/* For ML association link STA cannot choose a different
* AKM or pairwise cipher from association STA */
if (sm->wpa_key_mgmt != assoc_sm->wpa_key_mgmt)
return WPA_INVALID_AKMP;
if (sm->pairwise != assoc_sm->pairwise)
return WPA_INVALID_PAIRWISE;
}
#if defined(CONFIG_IEEE80211R_AP) && defined(CONFIG_FILS) #if defined(CONFIG_IEEE80211R_AP) && defined(CONFIG_FILS)
if ((sm->wpa_key_mgmt == WPA_KEY_MGMT_FT_FILS_SHA256 || if ((sm->wpa_key_mgmt == WPA_KEY_MGMT_FT_FILS_SHA256 ||
sm->wpa_key_mgmt == WPA_KEY_MGMT_FT_FILS_SHA384) && sm->wpa_key_mgmt == WPA_KEY_MGMT_FT_FILS_SHA384) &&

View file

@ -262,7 +262,7 @@ static int auth_init(struct wpa *wpa)
} }
if (wpa_validate_wpa_ie(wpa->auth_group, wpa->auth, 2412, supp_ie, if (wpa_validate_wpa_ie(wpa->auth_group, wpa->auth, 2412, supp_ie,
supp_ie_len, NULL, 0, NULL, 0, NULL, 0) != supp_ie_len, NULL, 0, NULL, 0, NULL, 0, NULL) !=
WPA_IE_OK) { WPA_IE_OK) {
wpa_printf(MSG_DEBUG, "AUTH: wpa_validate_wpa_ie() failed"); wpa_printf(MSG_DEBUG, "AUTH: wpa_validate_wpa_ie() failed");
return -1; return -1;

View file

@ -484,8 +484,8 @@ static int ibss_rsn_auth_init(struct ibss_rsn *ibss_rsn,
"\x00\x0f\xac\x04" "\x00\x0f\xac\x04"
"\x01\x00\x00\x0f\xac\x04" "\x01\x00\x00\x0f\xac\x04"
"\x01\x00\x00\x0f\xac\x02" "\x01\x00\x00\x0f\xac\x02"
"\x00\x00", 22, NULL, 0, NULL, 0, NULL, 0) != "\x00\x00", 22, NULL, 0, NULL, 0, NULL, 0,
WPA_IE_OK) { NULL) != WPA_IE_OK) {
wpa_printf(MSG_DEBUG, "AUTH: wpa_validate_wpa_ie() failed"); wpa_printf(MSG_DEBUG, "AUTH: wpa_validate_wpa_ie() failed");
return -1; return -1;
} }