RSNO: Generate IGTK if any of the RSN variants has PMF enabled

With RSN overriding enabled, AP can be configured to set MFPC to 0 and
MFPR to 0 in the RSNE and MFPC to 1 and MFPR to 1 in the RSNOE and
RSNO2E. IGTK generation, configuration to the driver, and inclusion of
the IGTK KDE in 4-way handshake should also take into account the
management frame protection settings in the override variants.

Signed-off-by: Sai Pratyusha Magam <quic_smagam@quicinc.com>

diff --git a/src/ap/hostapd.c b/src/ap/hostapd.c
index 4bc6b3abcce5385ebe88a607f3555b5382be6449..3510dcc0f23374a7f68a9a4b22ee2d9ca83a119f 100644 (file)
--- a/src/ap/hostapd.c
+++ b/src/ap/hostapd.c
@@ -358,7 +358,7 @@ static void hostapd_broadcast_key_clear_iface(struct hostapd_data *hapd,
                                   ifname, i);
                }
        }
-       if (hapd->conf->ieee80211w) {
+       if (ap_pmf_enabled(hapd->conf)) {
                for (i = NUM_WEP_KEYS; i < NUM_WEP_KEYS + 2; i++) {
                        if (hostapd_drv_set_key(ifname, hapd, WPA_ALG_NONE,
                                                NULL, i, 0, 0, NULL,

diff --git a/src/ap/hostapd.h b/src/ap/hostapd.h
index 0cb5e14a1ebd564a0201f5d91b4905ddfc13989d..c96db5065862dc3876dc0110ed7912c84944c520 100644 (file)
--- a/src/ap/hostapd.h
+++ b/src/ap/hostapd.h
@@ -890,4 +890,11 @@ static inline bool hostapd_mld_is_first_bss(struct hostapd_data *hapd)
 
 u16 hostapd_get_punct_bitmap(struct hostapd_data *hapd);
 
+static inline bool ap_pmf_enabled(struct hostapd_bss_config *conf)
+{
+       return conf->ieee80211w != NO_MGMT_FRAME_PROTECTION ||
+               conf->rsn_override_mfp != NO_MGMT_FRAME_PROTECTION ||
+               conf->rsn_override_mfp_2 != NO_MGMT_FRAME_PROTECTION;
+}
+
 #endif /* HOSTAPD_H */

diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
index bf91237a3c5a95255e8ab06fd258bb96297c1a7e..b224ee8e2aa58db07b602e0bd7867c52af32fba9 100644 (file)
--- a/src/ap/wpa_auth.c
+++ b/src/ap/wpa_auth.c
@@ -5587,7 +5587,7 @@ static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
        wpa_hexdump_key(MSG_DEBUG, "GTK",
                        group->GTK[group->GN - 1], group->GTK_len);
 
-       if (conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) {
+       if (wpa_auth_pmf_enabled(conf)) {
                len = wpa_cipher_key_len(conf->group_mgmt_cipher);
                os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
                inc_byte_array(group->Counter, WPA_NONCE_LEN);
@@ -5600,7 +5600,7 @@ static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
        }
 
        if (!wpa_auth->non_tx_beacon_prot &&
-           conf->ieee80211w == NO_MGMT_FRAME_PROTECTION)
+            !wpa_auth_pmf_enabled(conf))
                return ret;
        if (!conf->beacon_prot)
                return ret;
@@ -5921,7 +5921,7 @@ static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
                             KEY_FLAG_GROUP_TX_DEFAULT) < 0)
                ret = -1;
 
-       if (conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) {
+       if (wpa_auth_pmf_enabled(conf)) {
                enum wpa_alg alg;
                size_t len;
 

diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h
index 9514e55b7f557118cabead35ec2e7f8d5948cbe4..a1786b3eea99a900f06559953000320be353f406 100644 (file)
--- a/src/ap/wpa_auth.h
+++ b/src/ap/wpa_auth.h
@@ -686,4 +686,11 @@ void wpa_release_link_auth_ref(struct wpa_state_machine *sm,
                    sm->mld_links[link_id].wpa_auth &&                  \
                    sm->wpa_auth != sm->mld_links[link_id].wpa_auth)
 
+static inline bool wpa_auth_pmf_enabled(struct wpa_auth_config *conf)
+{
+       return conf->ieee80211w != NO_MGMT_FRAME_PROTECTION ||
+               conf->rsn_override_mfp != NO_MGMT_FRAME_PROTECTION ||
+               conf->rsn_override_mfp_2 != NO_MGMT_FRAME_PROTECTION;
+}
+
 #endif /* WPA_AUTH_H */

diff --git a/src/ap/wpa_auth_ie.c b/src/ap/wpa_auth_ie.c
index ce7f90aff22668d9254fa279585547c768156fdd..06ef2fb9821feeec48ad1a8bc21600fd24d012ac 100644 (file)
--- a/src/ap/wpa_auth_ie.c
+++ b/src/ap/wpa_auth_ie.c
@@ -1156,7 +1156,7 @@ wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth,
        }
 #endif /* CONFIG_OCV */
 
-       if (wpa_auth->conf.ieee80211w == NO_MGMT_FRAME_PROTECTION ||
+       if (!wpa_auth_pmf_enabled(conf) ||
            !(data.capabilities & WPA_CAPABILITY_MFPC))
                sm->mgmt_frame_prot = 0;
        else