MLD STA: Fix IGTK and BIGTK MLO KDEs validation

IGTK and BIGTK MLO KDEs should be validated only when the AP sends them
in EAPOL-Key msg 3/4. Though IEEE P802.11be/D2.2 mandates MLO AP to
enable PMF and Beacon Protection features there is no text to mandate a
STA to discard connection when the MLO AP doesn't send IGTK and BIGTK
MLO KDEs in EAPOL-Key msg 3/4 for a link. Also, fix
wpa_sm->mgmt_group_cipher checks before processing MLO IGTK and BIGTK
MLO KDEs.

Fixes: f15cc834cb ("MLD STA: Processing of EAPOL-Key msg 3/4 frame when using MLO")
Fixes: 8f2e493bec ("MLD STA: Validation of MLO KDEs for 4-way handshake EAPOL-Key frames")
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
This commit is contained in:
Veerendranath Jakkam 2022-11-11 17:15:52 +05:30 committed by Jouni Malinen
parent 2050130bec
commit b6e226496b

View file

@ -1733,9 +1733,6 @@ static int _mlo_ieee80211w_set_keys(struct wpa_sm *sm, u8 link_id,
{ {
size_t len; size_t len;
if (!wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher))
return 0;
if (ie->mlo_igtk[link_id]) { if (ie->mlo_igtk[link_id]) {
len = wpa_cipher_key_len(sm->mgmt_group_cipher); len = wpa_cipher_key_len(sm->mgmt_group_cipher);
if (ie->mlo_igtk_len[link_id] != if (ie->mlo_igtk_len[link_id] !=
@ -1773,6 +1770,10 @@ static int mlo_ieee80211w_set_keys(struct wpa_sm *sm,
{ {
u8 i; u8 i;
if (!wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher) ||
sm->mgmt_group_cipher == WPA_CIPHER_GTK_NOT_USED)
return 0;
for (i = 0; i < MAX_NUM_MLO_LINKS; i++) { for (i = 0; i < MAX_NUM_MLO_LINKS; i++) {
if (!(sm->mlo.valid_links & BIT(i))) if (!(sm->mlo.valid_links & BIT(i)))
continue; continue;
@ -2248,13 +2249,8 @@ static int wpa_validate_mlo_ieee80211w_kdes(struct wpa_sm *sm,
u8 link_id, u8 link_id,
struct wpa_eapol_ie_parse *ie) struct wpa_eapol_ie_parse *ie)
{ {
if (!ie->mlo_igtk[link_id]) { if (ie->mlo_igtk[link_id] &&
wpa_msg(sm->ctx->msg_ctx, MSG_ERROR, ie->mlo_igtk_len[link_id] != RSN_MLO_IGTK_KDE_PREFIX_LENGTH +
"RSN: IGTK not found for link ID %u", link_id);
return -1;
}
if (ie->mlo_igtk_len[link_id] != RSN_MLO_IGTK_KDE_PREFIX_LENGTH +
(unsigned int) wpa_cipher_key_len(sm->mgmt_group_cipher)) { (unsigned int) wpa_cipher_key_len(sm->mgmt_group_cipher)) {
wpa_msg(sm->ctx->msg_ctx, MSG_INFO, wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
"RSN MLO: Invalid IGTK KDE length %lu for link ID %u", "RSN MLO: Invalid IGTK KDE length %lu for link ID %u",
@ -2265,13 +2261,8 @@ static int wpa_validate_mlo_ieee80211w_kdes(struct wpa_sm *sm,
if (!sm->beacon_prot) if (!sm->beacon_prot)
return 0; return 0;
if (!ie->mlo_bigtk[link_id]) { if (ie->mlo_bigtk[link_id] &&
wpa_msg(sm->ctx->msg_ctx, MSG_ERROR, ie->mlo_bigtk_len[link_id] != RSN_MLO_BIGTK_KDE_PREFIX_LENGTH +
"RSN: BIGTK not found for link ID %u", link_id);
return -1;
}
if (ie->mlo_bigtk_len[link_id] != RSN_MLO_BIGTK_KDE_PREFIX_LENGTH +
(unsigned int) wpa_cipher_key_len(sm->mgmt_group_cipher)) { (unsigned int) wpa_cipher_key_len(sm->mgmt_group_cipher)) {
wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
"RSN MLO: Invalid BIGTK KDE length %lu for link ID %u", "RSN MLO: Invalid BIGTK KDE length %lu for link ID %u",
@ -2343,10 +2334,9 @@ static void wpa_supplicant_process_3_of_4(struct wpa_sm *sm,
goto failed; goto failed;
} }
if (!wpa_sm_pmf_enabled(sm)) if (sm->mgmt_group_cipher != WPA_CIPHER_GTK_NOT_USED &&
continue; wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher) &&
wpa_validate_mlo_ieee80211w_kdes(sm, i, &ie) < 0)
if (wpa_validate_mlo_ieee80211w_kdes(sm, i, &ie) < 0)
goto failed; goto failed;
} }