From: Sai Pratyusha Magam
Date: Fri, 3 Jan 2025 05:53:22 +0000 (+0530)
Subject: RSNO: Generate IGTK if any of the RSN variants has PMF enabled
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=12f1edc9e94a9fe4134a73e1510e9df3dbe3bf46;p=thirdparty%2Fhostap.git

RSNO: Generate IGTK if any of the RSN variants has PMF enabled

With RSN overriding enabled, AP can be configured to set MFPC to 0 and MFPR to 0 in the RSNE and MFPC to 1 and MFPR to 1 in the RSNOE and RSNO2E. IGTK generation, configuration to the driver, and inclusion of the IGTK KDE in 4-way handshake should also take into account the management frame protection settings in the override variants.

Signed-off-by: Sai Pratyusha Magam
---
diff --git a/src/ap/hostapd.c b/src/ap/hostapd.c
index 4bc6b3abc..3510dcc0f 100644
--- a/src/ap/hostapd.c
+++ b/src/ap/hostapd.c
@@ -358,7 +358,7 @@ static void hostapd_broadcast_key_clear_iface(struct hostapd_data *hapd,
 ifname, i);
 }
 }
- if (hapd->conf->ieee80211w) {
+ if (ap_pmf_enabled(hapd->conf)) {
 for (i = NUM_WEP_KEYS; i < NUM_WEP_KEYS + 2; i++) {
 if (hostapd_drv_set_key(ifname, hapd, WPA_ALG_NONE, NULL,
 i, 0, 0, NULL,
diff --git a/src/ap/hostapd.h b/src/ap/hostapd.h
index 0cb5e14a1..c96db5065 100644
--- a/src/ap/hostapd.h
+++ b/src/ap/hostapd.h
@@ -890,4 +890,11 @@ static inline bool hostapd_mld_is_first_bss(struct hostapd_data *hapd)
 u16 hostapd_get_punct_bitmap(struct hostapd_data *hapd);
+static inline bool ap_pmf_enabled(struct hostapd_bss_config *conf)
+{
+ return conf->ieee80211w != NO_MGMT_FRAME_PROTECTION ||
+ conf->rsn_override_mfp != NO_MGMT_FRAME_PROTECTION ||
+ conf->rsn_override_mfp_2 != NO_MGMT_FRAME_PROTECTION;
+}
+
 #endif /* HOSTAPD_H */
diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
index bf91237a3..b224ee8e2 100644
--- a/src/ap/wpa_auth.c
+++ b/src/ap/wpa_auth.c
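Review bot: `ap_pmf_enabled` only reads through `conf`, so its parameter should be `const struct hostapd_bss_config *conf`; as written the helper cannot be used from code holding a const config pointer. The header also needs a comment stating which question the helper answers, because it is true when any advertised variant (RSNE, RSNOE or RSNO2E) has MFPC set — the right predicate for allocating and clearing the BSS-wide IGTK key slots, but not for deciding whether a particular STA negotiated PMF; something like `/* True if PMF is enabled in the RSNE or in either RSN override variant; use for BSS-wide IGTK handling, not for per-STA PMF negotiation */`. The identical three-field test is added as `wpa_auth_pmf_enabled()` in wpa_auth.h over `struct wpa_auth_config`, so a cross-reference comment in each header (`/* Keep in sync with wpa_auth_pmf_enabled() in wpa_auth.h */`) would make it obvious that a future override variant has to be added to both.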
@@ -5587,7 +5587,7 @@ static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
 wpa_hexdump_key(MSG_DEBUG, "GTK",
 group->GTK[group->GN - 1], group->GTK_len);
- if (conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) {
+ if (wpa_auth_pmf_enabled(conf)) {
 len = wpa_cipher_key_len(conf->group_mgmt_cipher);
 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
 inc_byte_array(group->Counter, WPA_NONCE_LEN);
@@ -5600,7 +5600,7 @@ static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
 }
 if (!wpa_auth->non_tx_beacon_prot &&
- conf->ieee80211w == NO_MGMT_FRAME_PROTECTION)
+ !wpa_auth_pmf_enabled(conf))
 return ret;
 if (!conf->beacon_prot)
 return ret;
@@ -5921,7 +5921,7 @@ static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
 KEY_FLAG_GROUP_TX_DEFAULT) < 0)
 ret = -1;
- if (conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) {
+ if (wpa_auth_pmf_enabled(conf)) {
 enum wpa_alg alg;
 size_t len;
diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h
index 9514e55b7..a1786b3ee 100644
--- a/src/ap/wpa_auth.h
+++ b/src/ap/wpa_auth.h
@@ -686,4 +686,11 @@ void wpa_release_link_auth_ref(struct wpa_state_machine *sm,
 sm->mld_links[link_id].wpa_auth && \
 sm->wpa_auth != sm->mld_links[link_id].wpa_auth)
+static inline bool wpa_auth_pmf_enabled(struct wpa_auth_config *conf)
+{
+ return conf->ieee80211w != NO_MGMT_FRAME_PROTECTION ||
+ conf->rsn_override_mfp != NO_MGMT_FRAME_PROTECTION ||
+ conf->rsn_override_mfp_2 != NO_MGMT_FRAME_PROTECTION;
+}
+
 #endif /* WPA_AUTH_H */
diff --git a/src/ap/wpa_auth_ie.c b/src/ap/wpa_auth_ie.c
index ce7f90aff..06ef2fb98 100644
--- a/src/ap/wpa_auth_ie.c
+++ b/src/ap/wpa_auth_ie.c
@@ -1156,7 +1156,7 @@ wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth,
 }
 #endif /* CONFIG_OCV */
- if (wpa_auth->conf.ieee80211w == NO_MGMT_FRAME_PROTECTION ||
+ if (!wpa_auth_pmf_enabled(conf) ||
 !(data.capabilities & WPA_CAPABILITY_MFPC))
 sm->mgmt_frame_prot = 0;
 else
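Review bot: In wpa_gtk_update the IGTK is now derived even when `conf->ieee80211w` is NO_MGMT_FRAME_PROTECTION, and nothing at the call site says why a reader should expect that; add `/* An IGTK is needed whenever any advertised RSN variant (RSNE/RSNOE/RSNO2E) enables PMF, not only the base RSNE */` above `if (wpa_auth_pmf_enabled(conf)) {`. The key length is still taken from `conf->group_mgmt_cipher`, which this hunk implicitly treats as shared by all three variants; it is worth confirming that configuration validation checks the group management cipher in the case where PMF is enabled only through `rsn_override_mfp`/`rsn_override_mfp_2`, since that combination did not previously reach this code. wpa_gtk_update starts and ends outside the hunk.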
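Review bot: `wpa_auth_pmf_enabled` should take `const struct wpa_auth_config *conf`, since it only reads the three MFP fields. It is a field-for-field duplicate of `ap_pmf_enabled()` added to hostapd.h over `struct hostapd_bss_config`, so the two can silently diverge when another override variant is introduced; a one-line pointer in each, `/* Keep in sync with ap_pmf_enabled() in hostapd.h */`, is the cheapest guard. The helper also deserves a doc comment making explicit that it means "PMF enabled in at least one advertised variant", which is a BSS-wide property and not a statement about what any given STA negotiated.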
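Review bot: The new condition sets `sm->mgmt_frame_prot = 1` for any STA that advertises MFPC as long as some variant has PMF enabled, which includes a STA that selected the base RSNE in which this AP advertised MFPC=0; PMF is negotiated only when both sides' selected RSNEs set MFPC, so such a STA will not expect an IGTK KDE in the 4-way handshake, SA Query, or protected Deauthentication/Disassociation, while this authenticator will now behave as if PMF were in use. Unless the selected variant is resolved elsewhere in wpa_validate_wpa_ie (the function starts and ends outside this hunk), the check should use the MFP setting of the variant the STA actually chose — `conf->ieee80211w`, `conf->rsn_override_mfp` or `conf->rsn_override_mfp_2` according to which RSN(O)E was parsed into `data` — rather than the any-variant helper, e.g. `if (sel_mfp == NO_MGMT_FRAME_PROTECTION || !(data.capabilities & WPA_CAPABILITY_MFPC))` with `sel_mfp` resolved from that variant. The MFPR-violation check that follows this `if`/`else` (not shown) presumably still compares against `conf->ieee80211w` alone, in which case a STA selecting an MFPR=1 override variant without setting MFPC would not be rejected, and it needs the same per-variant value.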