MLD STA: Fix IGTK and BIGTK MLO KDEs validation
IGTK and BIGTK MLO KDEs should be validated only when the AP sends them in EAPOL-Key msg 3/4. Though IEEE P802.11be/D2.2 mandates MLO AP to enable PMF and Beacon Protection features there is no text to mandate a STA to discard connection when the MLO AP doesn't send IGTK and BIGTK MLO KDEs in EAPOL-Key msg 3/4 for a link. Also, fix wpa_sm->mgmt_group_cipher checks before processing MLO IGTK and BIGTK MLO KDEs. Fixes:f15cc834cb
("MLD STA: Processing of EAPOL-Key msg 3/4 frame when using MLO") Fixes:8f2e493bec
("MLD STA: Validation of MLO KDEs for 4-way handshake EAPOL-Key frames") Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
This commit is contained in:
parent
2050130bec
commit
b6e226496b
1 changed files with 11 additions and 21 deletions
|
@ -1733,9 +1733,6 @@ static int _mlo_ieee80211w_set_keys(struct wpa_sm *sm, u8 link_id,
|
|||
{
|
||||
size_t len;
|
||||
|
||||
if (!wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher))
|
||||
return 0;
|
||||
|
||||
if (ie->mlo_igtk[link_id]) {
|
||||
len = wpa_cipher_key_len(sm->mgmt_group_cipher);
|
||||
if (ie->mlo_igtk_len[link_id] !=
|
||||
|
@ -1773,6 +1770,10 @@ static int mlo_ieee80211w_set_keys(struct wpa_sm *sm,
|
|||
{
|
||||
u8 i;
|
||||
|
||||
if (!wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher) ||
|
||||
sm->mgmt_group_cipher == WPA_CIPHER_GTK_NOT_USED)
|
||||
return 0;
|
||||
|
||||
for (i = 0; i < MAX_NUM_MLO_LINKS; i++) {
|
||||
if (!(sm->mlo.valid_links & BIT(i)))
|
||||
continue;
|
||||
|
@ -2248,13 +2249,8 @@ static int wpa_validate_mlo_ieee80211w_kdes(struct wpa_sm *sm,
|
|||
u8 link_id,
|
||||
struct wpa_eapol_ie_parse *ie)
|
||||
{
|
||||
if (!ie->mlo_igtk[link_id]) {
|
||||
wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
|
||||
"RSN: IGTK not found for link ID %u", link_id);
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (ie->mlo_igtk_len[link_id] != RSN_MLO_IGTK_KDE_PREFIX_LENGTH +
|
||||
if (ie->mlo_igtk[link_id] &&
|
||||
ie->mlo_igtk_len[link_id] != RSN_MLO_IGTK_KDE_PREFIX_LENGTH +
|
||||
(unsigned int) wpa_cipher_key_len(sm->mgmt_group_cipher)) {
|
||||
wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
|
||||
"RSN MLO: Invalid IGTK KDE length %lu for link ID %u",
|
||||
|
@ -2265,13 +2261,8 @@ static int wpa_validate_mlo_ieee80211w_kdes(struct wpa_sm *sm,
|
|||
if (!sm->beacon_prot)
|
||||
return 0;
|
||||
|
||||
if (!ie->mlo_bigtk[link_id]) {
|
||||
wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
|
||||
"RSN: BIGTK not found for link ID %u", link_id);
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (ie->mlo_bigtk_len[link_id] != RSN_MLO_BIGTK_KDE_PREFIX_LENGTH +
|
||||
if (ie->mlo_bigtk[link_id] &&
|
||||
ie->mlo_bigtk_len[link_id] != RSN_MLO_BIGTK_KDE_PREFIX_LENGTH +
|
||||
(unsigned int) wpa_cipher_key_len(sm->mgmt_group_cipher)) {
|
||||
wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
|
||||
"RSN MLO: Invalid BIGTK KDE length %lu for link ID %u",
|
||||
|
@ -2343,10 +2334,9 @@ static void wpa_supplicant_process_3_of_4(struct wpa_sm *sm,
|
|||
goto failed;
|
||||
}
|
||||
|
||||
if (!wpa_sm_pmf_enabled(sm))
|
||||
continue;
|
||||
|
||||
if (wpa_validate_mlo_ieee80211w_kdes(sm, i, &ie) < 0)
|
||||
if (sm->mgmt_group_cipher != WPA_CIPHER_GTK_NOT_USED &&
|
||||
wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher) &&
|
||||
wpa_validate_mlo_ieee80211w_kdes(sm, i, &ie) < 0)
|
||||
goto failed;
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in a new issue