AP MLD: Fix ML STA wpa_group update during rekey

At present, group key update is not confined only on the association
link as originally intended. Hence, ensure now that the group key update
is only performed on the association link for non-AP MLDs.

This was missed during adding support for group rekeying for MLO.

Fixes: 12acda633b50 ("AP MLD: Support group rekeying for MLO")
Signed-off-by: Rameshkumar Sundaram <quic_ramess@quicinc.com>
Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>

diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
index a34563ce444b39f8944e33c64c56bedba3cc5cdc..a729ef27e1abe2ee71f5cd40359092edfc3e3849 100644 (file)
--- a/src/ap/wpa_auth.c
+++ b/src/ap/wpa_auth.c
@@ -5611,11 +5611,38 @@ static void wpa_group_gtk_init(struct wpa_authenticator *wpa_auth,
 
 static int wpa_group_update_sta(struct wpa_state_machine *sm, void *ctx)
 {
-       if (ctx != NULL && ctx != sm->group)
+       struct wpa_authenticator *wpa_auth = sm->wpa_auth;
+       struct wpa_group *group = sm->group;
+#ifdef CONFIG_IEEE80211BE
+       int link_id;
+
+       for (link_id = 0; link_id < MAX_NUM_MLD_LINKS; link_id++) {
+               if (!sm->mld_links[link_id].valid)
+                       continue;
+               if (sm->mld_links[link_id].wpa_auth &&
+                   sm->mld_links[link_id].wpa_auth->group == ctx) {
+                       group = sm->mld_links[link_id].wpa_auth->group;
+                       wpa_auth = sm->mld_links[link_id].wpa_auth;
+                       break;
+               }
+       }
+#endif /* CONFIG_IEEE80211BE */
+
+       if (ctx && ctx != group)
                return 0;
 
+#ifdef CONFIG_IEEE80211BE
+       /* For ML STA, run rekey on the association link and send G1 with keys
+        * for all links. This is based on assumption that MLD level
+        * Authenticator updates group keys on all affiliated links in one shot
+        * and not independently or concurrently for separate links. */
+       if (sm->mld_assoc_link_id >= 0 &&
+           sm->mld_assoc_link_id != wpa_auth->link_id)
+               return 0;
+#endif /* CONFIG_IEEE80211BE */
+
        if (sm->wpa_ptk_state != WPA_PTK_PTKINITDONE) {
-               wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm),
+               wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
                                LOGGER_DEBUG,
                                "Not in PTKINITDONE; skip Group Key update");
                sm->GUpdateStationKeys = false;
@@ -5627,7 +5654,7 @@ static int wpa_group_update_sta(struct wpa_state_machine *sm, void *ctx)
                 * Since we clear the GKeyDoneStations before the loop, the
                 * station needs to be counted here anyway.
                 */
-               wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm),
+               wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
                                LOGGER_DEBUG,
                                "GUpdateStationKeys was already set when marking station for GTK rekeying");
        }
@@ -5637,6 +5664,11 @@ static int wpa_group_update_sta(struct wpa_state_machine *sm, void *ctx)
                return 0;
 
        sm->group->GKeyDoneStations++;
+#ifdef CONFIG_IEEE80211BE
+       for_each_sm_auth(sm, link_id)
+               sm->mld_links[link_id].wpa_auth->group->GKeyDoneStations++;
+#endif /* CONFIG_IEEE80211BE */
+
        sm->GUpdateStationKeys = true;
 
        wpa_sm_step(sm);