Fix validation of RSN EAPOL-Key version for GCMP with PMF

If PMF was enabled, the validation step for EAPOL-Key descriptor version
ended up rejecting the message if GCMP had been negotiated as the
pairwise cipher. Fix this by making the GCMP check skipped similarly to
the CCMP case if a SHA256-based AKM is used.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
index d45f5dc1c742feb0ed341267067acca8f13d217d..ba2a8c87d5ed8fbc8cfdc63f05c162e6d41db9b2 100644 (file)
--- a/src/rsn_supp/wpa.c
+++ b/src/rsn_supp/wpa.c
@@ -1734,9 +1734,8 @@ int wpa_sm_rx_eapol(struct wpa_sm *sm, const u8 *src_addr,
                                "version for non-CCMP group keys");
                } else
                        goto out;
-       }
-       if (sm->pairwise_cipher == WPA_CIPHER_GCMP &&
-           ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
+       } else if (sm->pairwise_cipher == WPA_CIPHER_GCMP &&
+                  ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
                wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
                        "WPA: GCMP is used, but EAPOL-Key "
                        "descriptor version (%d) is not 2", ver);