git.ipfire.org Git - thirdparty/hostap.git/commit

author	Sai Pratyusha Magam <smagam@qti.qualcomm.com>
	Mon, 8 Dec 2025 00:16:49 +0000 (05:46 +0530)
committer	Jouni Malinen <j@w1.fi>
	Fri, 23 Jan 2026 11:58:31 +0000 (13:58 +0200)
commit	47fa843b1a2dcb0006c3ab014dc110ec64b629f7
tree	46c32fc4236dd3e9c9f92fd1eb7eae606b0bc03c	tree \| snapshot
parent	13f0e68d93546c1f1a851d6ec1b1528bf800cae1	commit \| diff

MBSSID: Re-initialize group keys on the first STA seen in the MBSSID set

In the current implementation, group keys are re-initialized for the
first station association (first_sta_seen) in the BSS. In a scenario
where the non-transmitting BSS sees a client association before the
transmitting BSS, group keys (GTK/IGTK) are re-initialized in
wpa_gtk_update() for the non-Tx BSS. It is checked if a BIGTK key is
already set on the Tx BSS (bigtk_set). Since BIGTK was set for the Tx
BSS during its bringup time, it simply returns from wpa_gtk_update() for
the non-Tx BSS.

If this is followed by the first station association on the Tx BSS, a
new BIGTK key is generated for the Tx BSS in wpa_gtk_update() and the
same is installed to the driver. This would mean that the Beacon frames
are being sent using the new BIGTK that is not known to the stations
associated to the non-Tx BSSs, posing the risk for a potential beacon
miss due to beacon protection validation failures.

Fix this by allowing re-initialization of group keys if and only if it
is the first station association seen across the entire MBSSID set.

Signed-off-by: Sai Pratyusha Magam <smagam@qti.qualcomm.com>

src/ap/wpa_auth.c		diff \| blob \| blame \| history
src/ap/wpa_auth.h		diff \| blob \| blame \| history
src/ap/wpa_auth_glue.c		diff \| blob \| blame \| history