]> git.ipfire.org Git - thirdparty/hostap.git/commitdiff
projects / thirdparty / hostap.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 70b8f64)
RSNO: Do not enforce SNonce cookie and RSN Selection match if RSNO not used
authorJouni Malinen <quic_jouni@quicinc.com>
Thu, 15 Aug 2024 17:39:03 +0000 (20:39 +0300)
committerJouni Malinen <j@w1.fi>
Thu, 15 Aug 2024 17:45:55 +0000 (20:45 +0300)
A STA that supports RSN overriding will always use the SNonce cookie. An
AP that does not advertise RSN overriding elements must not enforce that
SNonce cookie is used with RSN Selection element since a STA includes
the latter only when it sees the AP advertising RSN overriding elements.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
src/ap/wpa_auth.c patch | blob | blame | history

diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
index 3562ca1b81ad545bd94fff1b5251e3b042454e5b..093aea23aa071e8b193e78d84521edaaa0815fb5 100644 (file)
--- a/src/ap/wpa_auth.c
+++ b/src/ap/wpa_auth.c
@@ -3920,14 +3920,16 @@ SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
 #endif /* CONFIG_IEEE80211R_AP */
 
        /* Verify RSN Selection element for RSN overriding */
-       if ((rsn_is_snonce_cookie(sm->SNonce) && !kde.rsn_selection) ||
-           (!rsn_is_snonce_cookie(sm->SNonce) && kde.rsn_selection) ||
-           (sm->rsn_selection && !kde.rsn_selection) ||
-           (!sm->rsn_selection && kde.rsn_selection) ||
-           (sm->rsn_selection && kde.rsn_selection &&
-            (sm->rsn_selection_len != kde.rsn_selection_len ||
-             os_memcmp(sm->rsn_selection, kde.rsn_selection,
-                       sm->rsn_selection_len) != 0))) {
+       if ((wpa_auth->conf.rsn_override_key_mgmt ||
+            wpa_auth->conf.rsn_override_key_mgmt_2) &&
+           ((rsn_is_snonce_cookie(sm->SNonce) && !kde.rsn_selection) ||
+            (!rsn_is_snonce_cookie(sm->SNonce) && kde.rsn_selection) ||
+            (sm->rsn_selection && !kde.rsn_selection) ||
+            (!sm->rsn_selection && kde.rsn_selection) ||
+            (sm->rsn_selection && kde.rsn_selection &&
+             (sm->rsn_selection_len != kde.rsn_selection_len ||
+              os_memcmp(sm->rsn_selection, kde.rsn_selection,
+                        sm->rsn_selection_len) != 0)))) {
                wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
                                "RSN Selection element from (Re)AssocReq did not match the one in EAPOL-Key msg 2/4");
                wpa_printf(MSG_DEBUG,
Unnamed repository; edit this file 'description' to name the repository.