From: Jouni Malinen Date: Sun, 28 Jun 2015 18:40:37 +0000 (+0300) Subject: Reject the initial 4-way handshake if initial GTK setup fails X-Git-Tag: hostap_2_5~498 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=aac1efec3448e4f4289276064ccc6cf528bdc33c;p=thirdparty%2Fhostap.git Reject the initial 4-way handshake if initial GTK setup fails This makes the AP/Authenticator design more robust against unexpected failures in random number generation. Signed-off-by: Jouni Malinen
---
diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
index f23a57a09..996946511 100644
--- a/src/ap/wpa_auth.c
+++ b/src/ap/wpa_auth.c
@@ -1841,9 +1841,13 @@ static void wpa_group_ensure_init(struct wpa_authenticator *wpa_auth,
 group->reject_4way_hs_for_entropy = FALSE;
 }
- wpa_group_init_gmk_and_counter(wpa_auth, group);
- wpa_gtk_update(wpa_auth, group);
- wpa_group_config_group_keys(wpa_auth, group);
+ if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0 ||
+ wpa_gtk_update(wpa_auth, group) < 0 ||
+ wpa_group_config_group_keys(wpa_auth, group) < 0) {
+ wpa_printf(MSG_INFO, "WPA: GMK/GTK setup failed");
+ group->first_sta_seen = FALSE;
+ group->reject_4way_hs_for_entropy = TRUE;
+ }
 }
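Review bot: The new failure branch reports all three steps with a single `MSG_INFO` line, `"WPA: GMK/GTK setup failed"`, so a failure in `wpa_group_init_gmk_and_counter()` or `wpa_gtk_update()` cannot be told apart in the log from a failure in `wpa_group_config_group_keys()`, and it is logged at the same level as routine events. Since the `||` chain short-circuits at the failing call, testing the steps one by one would let each report its own name; at minimum the level could be raised, e.g. `wpa_printf(MSG_ERROR, "WPA: GMK/GTK setup failed");`. The branch also sets `reject_4way_hs_for_entropy = TRUE` for failures that are not necessarily about entropy, so a comment such as `/* Fail closed: retry setup on the next station and reject 4-way handshakes until it succeeds */` would document why the flag is reused and why `first_sta_seen` is cleared. The start of wpa_group_ensure_init() lies outside the hunk, so how the rest of the authenticator reads these two flags is not visible here.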