RSN: Ignore IGTK configuration errors with swapped KeyID values

There are number of deployed APs with broken PMF implementation where
the IGTK KDE uses swapped bytes in the KeyID field (0x0400 and 0x0500
instead of 4 and 5). Such APs cannot be trusted to implement BIP
correctly or provide a valid IGTK, so do not try to configure this key
with swapped KeyID bytes. Instead, continue without configuring the IGTK
so that the driver can drop any received group-addressed robust
management frames due to missing keys.

Normally, this error behavior would result in us disconnecting, but
there are number of deployed APs with this broken behavior, so as an
interoperability workaround, allow the connection to proceed.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
index eabe88bc07b26440d565d13c123ea04b87e41f4f..899a430893bd797986cf1a6dec0a5ac81c372d38 100644 (file)
--- a/src/rsn_supp/wpa.c
+++ b/src/rsn_supp/wpa.c
@@ -1058,9 +1058,27 @@ static int wpa_supplicant_install_igtk(struct wpa_sm *sm,
                           broadcast_ether_addr,
                           keyidx, 0, igtk->pn, sizeof(igtk->pn),
                           igtk->igtk, len) < 0) {
-               wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
-                       "WPA: Failed to configure IGTK to the driver");
-               return -1;
+               if (keyidx == 0x0400 || keyidx == 0x0500) {
+                       /* Assume the AP has broken PMF implementation since it
+                        * seems to have swapped the KeyID bytes. The AP cannot
+                        * be trusted to implement BIP correctly or provide a
+                        * valid IGTK, so do not try to configure this key with
+                        * swapped KeyID bytes. Instead, continue without
+                        * configuring the IGTK so that the driver can drop any
+                        * received group-addressed robust management frames due
+                        * to missing keys.
+                        *
+                        * Normally, this error behavior would result in us
+                        * disconnecting, but there are number of deployed APs
+                        * with this broken behavior, so as an interoperability
+                        * workaround, allow the connection to proceed. */
+                       wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
+                               "WPA: Ignore IGTK configuration error due to invalid IGTK KeyID byte order");
+               } else {
+                       wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
+                               "WPA: Failed to configure IGTK to the driver");
+                       return -1;
+               }
        }
 
        if (wnm_sleep) {