AP MLD: Require same AKM and pairwise cipher for all links
authorRameshkumar Sundaram <quic_ramess@quicinc.com>
Thu, 28 Mar 2024 18:16:47 +0000 (23:46 +0530)
committerJouni Malinen <j@w1.fi>
Sat, 20 Apr 2024 15:31:11 +0000 (18:31 +0300)
Signed-off-by: Rameshkumar Sundaram <quic_ramess@quicinc.com>
Co-developed-by: Adil Saeed Musthafa <quic_adilm@quicinc.com>
Signed-off-by: Adil Saeed Musthafa <quic_adilm@quicinc.com>
Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
src/ap/drv_callbacks.c
src/ap/ieee802_11.c
src/ap/wpa_auth.h
src/ap/wpa_auth_ie.c
tests/fuzzing/eapol-key-auth/eapol-key-auth.c
wpa_supplicant/ibss_rsn.c

index 853801a8b8fbd166b380571089ce399200c98220..e026d9a6e05b9648d915294cc2e2d8a4c366b380 100644 (file)
@@ -528,7 +528,7 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr,
                                          elems.rsnxe ? elems.rsnxe - 2 : NULL,
                                          elems.rsnxe ? elems.rsnxe_len + 2 : 0,
                                          elems.mdie, elems.mdie_len,
-                                         elems.owe_dh, elems.owe_dh_len);
+                                         elems.owe_dh, elems.owe_dh_len, NULL);
                reason = WLAN_REASON_INVALID_IE;
                status = WLAN_STATUS_INVALID_IE;
                switch (res) {
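Review bot: Passing `NULL` for the new `assoc_sm` argument means the same-AKM/pairwise check added in wpa_validate_wpa_ie() is never applied on this driver-event association path. Whether AP MLD associations can be reported through hostapd_notif_assoc() is not visible in this hunk; if they can, the requirement in the commit title is not enforced for them. A short comment at the call, e.g. `/* assoc_sm == NULL: no cross-link AKM/cipher check on this path */`, would make the intent explicit. The same applies to the `NULL` passed in handle_auth_fils() and owe_process_rsn_ie(). The enclosing function starts and ends outside the hunk.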
index 1a2e44e85f0033f716ce40720fd26e4a70adc5e9..6ef32568b90f61cbcec6eda1aef3952fee98369b 100644 (file)
@@ -1882,7 +1882,7 @@ void handle_auth_fils(struct hostapd_data *hapd, struct sta_info *sta,
                                  elems.rsn_ie - 2, elems.rsn_ie_len + 2,
                                  elems.rsnxe ? elems.rsnxe - 2 : NULL,
                                  elems.rsnxe ? elems.rsnxe_len + 2 : 0,
-                                 elems.mdie, elems.mdie_len, NULL, 0);
+                                 elems.mdie, elems.mdie_len, NULL, 0, NULL);
        resp = wpa_res_to_status_code(res);
        if (resp != WLAN_STATUS_SUCCESS)
                goto fail;
@@ -3770,7 +3770,7 @@ u16 owe_process_rsn_ie(struct hostapd_data *hapd,
        rsn_ie_len += 2;
        res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm,
                                  hapd->iface->freq, rsn_ie, rsn_ie_len,
-                                 NULL, 0, NULL, 0, owe_dh, owe_dh_len);
+                                 NULL, 0, NULL, 0, owe_dh, owe_dh_len, NULL);
        status = wpa_res_to_status_code(res);
        if (status != WLAN_STATUS_SUCCESS)
                goto end;
@@ -3859,6 +3859,8 @@ static int __check_assoc_ies(struct hostapd_data *hapd, struct sta_info *sta,
        const u8 *wpa_ie;
        size_t wpa_ie_len;
        const u8 *p2p_dev_addr = NULL;
+       struct hostapd_data *assoc_hapd;
+       struct sta_info *assoc_sta = NULL;
 
        resp = check_ssid(hapd, sta, elems->ssid, elems->ssid_len);
        if (resp != WLAN_STATUS_SUCCESS)
@@ -4033,6 +4035,10 @@ static int __check_assoc_ies(struct hostapd_data *hapd, struct sta_info *sta,
                wpa_ie_len += 2;
 
                if (!sta->wpa_sm) {
+                       if (!link)
+                               assoc_sta = hostapd_ml_get_assoc_sta(
+                                       hapd, sta, &assoc_hapd);
+
                        sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
                                                        sta->addr,
                                                        p2p_dev_addr);
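Review bot: The lookup is guarded by `if (!link)`, so `assoc_sta` stays NULL whenever `link` is true and the new comparison in wpa_validate_wpa_ie() is skipped for that call. `link` is declared outside this hunk; if it is true while a non-association link STA is being processed, the condition looks inverted, because those are the STAs the commit wants compared against the association STA. Conversely, if hostapd_ml_get_assoc_sta() can return `sta` itself in the `!link` case, `assoc_sm` would be the same object as `sm` and the comparison could never fail. Please confirm the polarity. Also consider `struct hostapd_data *assoc_hapd = NULL;`, since it is only written through the out-parameter and never read in the visible hunks.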
@@ -4065,7 +4071,8 @@ static int __check_assoc_ies(struct hostapd_data *hapd, struct sta_info *sta,
                                          elems->rsnxe ? elems->rsnxe_len + 2 :
                                          0,
                                          elems->mdie, elems->mdie_len,
-                                         elems->owe_dh, elems->owe_dh_len);
+                                         elems->owe_dh, elems->owe_dh_len,
+                                         assoc_sta ? assoc_sta->wpa_sm : NULL);
                resp = wpa_res_to_status_code(res);
                if (resp != WLAN_STATUS_SUCCESS)
                        return resp;
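Review bot: `assoc_sta ? assoc_sta->wpa_sm : NULL` falls back to NULL when the association STA exists but has no state machine, which silently disables the AKM/pairwise comparison. Whether that state is reachable is not visible here. For a check that enforces a security property it is safer to fail closed, e.g. `if (assoc_sta && !assoc_sta->wpa_sm) return WLAN_STATUS_UNSPECIFIED_FAILURE;` before the call, or at least to log that the check was skipped.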
index 396fc4906f2ddfb6fffcc7f0e91d237fc74fe74e..117ac1d48bf0e14e79c9474fc8a87bad32f5c76f 100644 (file)
@@ -435,7 +435,8 @@ wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth,
                    const u8 *wpa_ie, size_t wpa_ie_len,
                    const u8 *rsnxe, size_t rsnxe_len,
                    const u8 *mdie, size_t mdie_len,
-                   const u8 *owe_dh, size_t owe_dh_len);
+                   const u8 *owe_dh, size_t owe_dh_len,
+                   struct wpa_state_machine *assoc_sm);
 int wpa_validate_osen(struct wpa_authenticator *wpa_auth,
                      struct wpa_state_machine *sm,
                      const u8 *osen_ie, size_t osen_ie_len);
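Review bot: The new `assoc_sm` parameter is undocumented and non-const, although its only visible use (the comparison added in wpa_auth_ie.c) reads two fields. Declaring it `const struct wpa_state_machine *assoc_sm` here and in the definition would document that the association STA's state is not modified. A comment such as `/* assoc_sm: state machine of the ML association STA, or NULL to skip the cross-link AKM/cipher check */` would tell callers that NULL disables the check.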
index a5f2861c97c9ac2c8ccc4d044b1bae9b53dc6859..5a17f7c34321a631492610c8333ad582b3760092 100644 (file)
@@ -608,7 +608,8 @@ wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth,
                    const u8 *wpa_ie, size_t wpa_ie_len,
                    const u8 *rsnxe, size_t rsnxe_len,
                    const u8 *mdie, size_t mdie_len,
-                   const u8 *owe_dh, size_t owe_dh_len)
+                   const u8 *owe_dh, size_t owe_dh_len,
+                   struct wpa_state_machine *assoc_sm)
 {
        struct wpa_auth_config *conf = &wpa_auth->conf;
        struct wpa_ie_data data;
@@ -956,6 +957,15 @@ wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth,
        else
                sm->wpa = WPA_VERSION_WPA;
 
+       if (assoc_sm) {
+               /* For ML association link STA cannot choose a different
+                * AKM or pairwise cipher from association STA */
+               if (sm->wpa_key_mgmt != assoc_sm->wpa_key_mgmt)
+                       return WPA_INVALID_AKMP;
+               if (sm->pairwise != assoc_sm->pairwise)
+                       return WPA_INVALID_PAIRWISE;
+       }
+
 #if defined(CONFIG_IEEE80211R_AP) && defined(CONFIG_FILS)
        if ((sm->wpa_key_mgmt == WPA_KEY_MGMT_FT_FILS_SHA256 ||
             sm->wpa_key_mgmt == WPA_KEY_MGMT_FT_FILS_SHA384) &&
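Review bot: The two new rejections return without any log output, so a link STA refused for a cross-link AKM or cipher mismatch looks the same in the debug log as an ordinary invalid-AKMP or invalid-pairwise failure. A line before each return would make these rejections easy to spot when troubleshooting or monitoring, e.g. `wpa_printf(MSG_DEBUG, "MLD: link STA AKM 0x%x differs from association STA 0x%x", sm->wpa_key_mgmt, assoc_sm->wpa_key_mgmt);`. The check relies on `sm->wpa_key_mgmt` and `sm->pairwise` having been assigned earlier in the function, which is outside this hunk.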
index bb46422c6dbc10c0cb0593d828eda95149624e7a..17f69fd769b98edac0b57e2c7fcbfb041967609e 100644 (file)
@@ -262,7 +262,7 @@ static int auth_init(struct wpa *wpa)
        }
 
        if (wpa_validate_wpa_ie(wpa->auth_group, wpa->auth, 2412, supp_ie,
-                               supp_ie_len, NULL, 0, NULL, 0, NULL, 0) !=
+                               supp_ie_len, NULL, 0, NULL, 0, NULL, 0, NULL) !=
            WPA_IE_OK) {
                wpa_printf(MSG_DEBUG, "AUTH: wpa_validate_wpa_ie() failed");
                return -1;
index 554268a47f55d7c026f624db0b44d687c85cdf11..25039a0f98c5529f3ce166c690f8bc6ab3570589 100644 (file)
@@ -484,8 +484,8 @@ static int ibss_rsn_auth_init(struct ibss_rsn *ibss_rsn,
                                "\x00\x0f\xac\x04"
                                "\x01\x00\x00\x0f\xac\x04"
                                "\x01\x00\x00\x0f\xac\x02"
-                               "\x00\x00", 22, NULL, 0, NULL, 0, NULL, 0) !=
-           WPA_IE_OK) {
+                               "\x00\x00", 22, NULL, 0, NULL, 0, NULL, 0,
+                               NULL) != WPA_IE_OK) {
                wpa_printf(MSG_DEBUG, "AUTH: wpa_validate_wpa_ie() failed");
                return -1;
        }