DGNum/hostapd
6
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

FT: Discard EAPOL-Start frames when FT was used for association

Browse source 
When FT is used, reauthentication to generate a new PMK-R0 would be
complicated since the current AP might not be the one with which the
currently used PMK-R0 was generated. IEEE Std 802.11-2020, 13.4.2 (FT
initial mobility domain association in an RSN) mandates STA to perform a
new FT initial mobility domain association whenever its Supplicant would
trigger sending of an EAPOL-Start frame.

Discard received EAPOL-Start frames from STAs that use FT to avoid
unexpected behavior. This is important in particular if a driver were to
allow unprotected EAPOL-Start frames to be processed when TK has been
configured.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This commit is contained in:
Jouni Malinen 2024-09-12 22:26:24 +03:00 committed by Jouni Malinen
parent f543599156
commit c97168f58a
1 changed files with 21 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

21
src/ap/ieee802_1x.c
View file

@ -1252,6 +1252,27 @@ void ieee802_1x_receive(struct hostapd_data *hapd, const u8 *sa, const u8 *buf,
hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
HOSTAPD_LEVEL_DEBUG,
"received EAPOL-Start from STA");
#ifdef CONFIG_IEEE80211R_AP
if (hapd->conf->wpa && sta->wpa_sm &&
(wpa_key_mgmt_ft(wpa_auth_sta_key_mgmt(sta->wpa_sm)) ||
sta->auth_alg == WLAN_AUTH_FT)) {
/* When FT is used, reauthentication to generate a new
* PMK-R0 would be complicated since the current AP
* might not be the one with which the currently used
* PMK-R0 was generated. IEEE Std 802.11-2020, 13.4.2
* (FT initial mobility domain association in an RSN)
* mandates STA to perform a new FT initial mobility
* domain association whenever its Supplicant would
* trigger sending of an EAPOL-Start frame. As such,
* this EAPOL-Start frame should not have been sent.
* Discard it to avoid unexpected behavior. */
hostapd_logger(hapd, sta->addr,
HOSTAPD_MODULE_IEEE8021X,
HOSTAPD_LEVEL_DEBUG,
"discard unexpected EAPOL-Start from STA that uses FT");
break;
}
#endif /* CONFIG_IEEE80211R_AP */
sta->eapol_sm->flags &= ~EAPOL_SM_WAIT_START;
pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm);
if (pmksa) {