Verify group key configuration for WPA group

If configuration of the group key to the driver fails, move the WPA
group into failed state and indication group setup error to avoid cases
where AP could look like it is working even through the keys are not set
correctly.

Signed-hostap: Jouni Malinen <j@w1.fi>

diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
index 03b15c24a99232535d8f513cad0241f08eace13a..1f0b061855075c18f7e69c81f006e1a74cf064ff 100644 (file)
--- a/src/ap/wpa_auth.c
+++ b/src/ap/wpa_auth.c
@@ -437,6 +437,8 @@ int wpa_init_keys(struct wpa_authenticator *wpa_auth)
        wpa_group_sm_step(wpa_auth, group);
        group->GInit = FALSE;
        wpa_group_sm_step(wpa_auth, group);
+       if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
+               return -1;
        return 0;
 }
 
@@ -516,6 +518,9 @@ wpa_auth_sta_init(struct wpa_authenticator *wpa_auth, const u8 *addr,
 {
        struct wpa_state_machine *sm;
 
+       if (wpa_auth->group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
+               return NULL;
+
        sm = os_zalloc(sizeof(struct wpa_state_machine));
        if (sm == NULL)
                return NULL;
@@ -2587,6 +2592,29 @@ static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
 }
 
 
+static int wpa_group_disconnect_cb(struct wpa_state_machine *sm, void *ctx)
+{
+       if (sm->group == ctx) {
+               wpa_printf(MSG_DEBUG, "WPA: Mark STA " MACSTR
+                          " for discconnection due to fatal failure",
+                          MAC2STR(sm->addr));
+               sm->Disconnect = TRUE;
+       }
+
+       return 0;
+}
+
+
+static void wpa_group_fatal_failure(struct wpa_authenticator *wpa_auth,
+                                   struct wpa_group *group)
+{
+       wpa_printf(MSG_DEBUG, "WPA: group state machine entering state FATAL_FAILURE");
+       group->changed = TRUE;
+       group->wpa_group_state = WPA_GROUP_FATAL_FAILURE;
+       wpa_auth_for_each_sta(wpa_auth, wpa_group_disconnect_cb, group);
+}
+
+
 static int wpa_group_setkeysdone(struct wpa_authenticator *wpa_auth,
                                 struct wpa_group *group)
 {
@@ -2595,8 +2623,10 @@ static int wpa_group_setkeysdone(struct wpa_authenticator *wpa_auth,
        group->changed = TRUE;
        group->wpa_group_state = WPA_GROUP_SETKEYSDONE;
 
-       if (wpa_group_config_group_keys(wpa_auth, group) < 0)
+       if (wpa_group_config_group_keys(wpa_auth, group) < 0) {
+               wpa_group_fatal_failure(wpa_auth, group);
                return -1;
+       }
 
        return 0;
 }
@@ -2607,6 +2637,8 @@ static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
 {
        if (group->GInit) {
                wpa_group_gtk_init(wpa_auth, group);
+       } else if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) {
+               /* Do not allow group operations */
        } else if (group->wpa_group_state == WPA_GROUP_GTK_INIT &&
                   group->GTKAuthenticator) {
                wpa_group_setkeysdone(wpa_auth, group);
@@ -3015,6 +3047,9 @@ int wpa_auth_sta_set_vlan(struct wpa_state_machine *sm, int vlan_id)
        if (sm->group == group)
                return 0;
 
+       if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
+               return -1;
+
        wpa_printf(MSG_DEBUG, "WPA: Moving STA " MACSTR " to use group state "
                   "machine for VLAN ID %d", MAC2STR(sm->addr), vlan_id);
 

diff --git a/src/ap/wpa_auth_i.h b/src/ap/wpa_auth_i.h
index 12e59bc4dc3b1fcc702fff326300293fd9e42adf..9736874f13bc393504343790372778b11be68e5a 100644 (file)
--- a/src/ap/wpa_auth_i.h
+++ b/src/ap/wpa_auth_i.h
@@ -139,7 +139,8 @@ struct wpa_group {
 
        enum {
                WPA_GROUP_GTK_INIT = 0,
-               WPA_GROUP_SETKEYS, WPA_GROUP_SETKEYSDONE
+               WPA_GROUP_SETKEYS, WPA_GROUP_SETKEYSDONE,
+               WPA_GROUP_FATAL_FAILURE
        } wpa_group_state;
 
        u8 GMK[WPA_GMK_LEN];