From: Sai Pratyusha Magam
Date: Wed, 26 Nov 2025 04:34:34 +0000 (+0530)
Subject: Skip BIGTK generation for non-zero ID VLAN groups
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5ec1bae5646345a4a65f9ebd6ee70d112dbc78b6;p=thirdparty%2Fhostap.git

Skip BIGTK generation for non-zero ID VLAN groups

Beacon frames transmitted by the AP are per BSS and not per VLAN. So skip BIGTK generation and configuration to the driver for groups that have a non-zero VLAN ID. For stations associating on non-zero VLAN IDs, in EAPOL-Key msg 3/4 and group handshake message 1, populate the BIGTK from the default VLAN group.

Signed-off-by: Sai Pratyusha Magam
---
diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
index d64ca62b3..49268b21e 100644
--- a/src/ap/wpa_auth.c
+++ b/src/ap/wpa_auth.c
@@ -4193,6 +4193,11 @@ static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
  NULL, 0);
  forced_memzero(&igtk, sizeof(igtk));
 
+ if (gsm->vlan_id) {
+ wpa_printf(MSG_DEBUG, "Fetch BIGTK from default VLAN");
+ gsm = wpa_auth->group;
+ }
+
  if (wpa_auth->conf.tx_bss_auth) {
  wpa_auth = wpa_auth->conf.tx_bss_auth;
  conf = &wpa_auth->conf;
@@ -4333,6 +4338,11 @@ void wpa_auth_ml_get_key_info(struct wpa_authenticator *a,
  if (!beacon_prot)
  return;
 
+ if (gsm->vlan_id) {
+ wpa_printf(MSG_DEBUG, "Fetch BIGTK from default VLAN");
+ gsm = a->group;
+ }
+
  if (a->conf.tx_bss_auth) {
  a = a->conf.tx_bss_auth;
  gsm = a->group;
@@ -5812,6 +5822,11 @@ static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
  group->IGTK[group->GN_igtk - 4], len);
  }
 
+ /* Skip BIGTK generation for groups with a non-zero VLAN ID since only
+ * a single BIGTK is shared for all VLANs in a BSS. */
+ if (group->vlan_id)
+ return ret;
+
  if (!wpa_auth->non_tx_beacon_prot && !wpa_auth_pmf_enabled(conf))
  return ret;
 
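Review bot: The new `gsm = wpa_auth->group;` block in ieee80211w_kde_add encodes an ordering constraint the hunk leaves implicit: it has to stay after the per-VLAN IGTK handling above it and before the BIGTK fields of gsm are read further down, yet the only explanation is a debug string. A comment such as `/* Beacon frames are per BSS, so the BIGTK always comes from the default (vlan_id 0) group; keep this after the per-VLAN IGTK handling above. */` would make that explicit, and the same applies to the identical block added in wpa_auth_ml_get_key_info (second hunk). Including the VLAN in the message, `wpa_printf(MSG_DEBUG, "Fetch BIGTK from default VLAN (vlan_id=%d)", gsm->vlan_id);`, lets the log be correlated with the station's VLAN when diagnosing beacon-protection key mismatches. The tx_bss_auth branch that follows appears to re-point gsm anyway (the second hunk shows `gsm = a->group;` in that branch), so in that configuration the new block and its log line look redundant; harmless, but worth a comment. ieee80211w_kde_add begins and ends outside this hunk.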
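Review bot: The early `return ret;` on group->vlan_id in wpa_gtk_update means a VLAN group's BIGTK, GN_bigtk and GM_bigtk fields are never populated, while this commit redirects only two readers (ieee80211w_kde_add and wpa_auth_ml_get_key_info) to wpa_auth->group. Any other code path that still reads those fields from a non-default group would now hand out never-generated key material or index the array with a stale counter, so it is worth confirming that no such reader remains outside these hunks. Stating the contract where the data lives, e.g. a `/* Only maintained on the vlan_id 0 group; VLAN groups never hold a BIGTK */` comment on the struct wpa_group BIGTK fields, would protect future readers from that mistake. wpa_gtk_update continues outside this hunk.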
@@ -6140,7 +6155,10 @@ static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
  KEY_FLAG_GROUP_TX_DEFAULT) < 0)
  ret = -1;
 
- if (ret || !conf->beacon_prot)
+ /* Skip setting of BIGTK for groups with a non-zero VLAN ID
+ * since only a single BIGTK is shared for all VLANs in a BSS.
+ */
+ if (ret || !conf->beacon_prot || group->vlan_id)
  return ret;
  if (wpa_auth->conf.tx_bss_auth) {
  wpa_auth = wpa_auth->conf.tx_bss_auth;
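Review bot: The added comment closes with `*/` on a line of its own, while the equivalent comment added in wpa_gtk_update (previous hunk) closes on the last text line, so the two comments introduced by this commit use different styles; the latter form is the one more commonly seen in wpa_auth.c. Reflowing to `/* Skip setting of BIGTK for groups with a non-zero VLAN ID since only a` / ` * single BIGTK is shared for all VLANs in a BSS. */` keeps both consistent. The same per-BSS invariant is now checked in two places (here and in wpa_gtk_update), so a one-line helper such as `static bool wpa_group_has_bigtk(const struct wpa_group *group) { return group->vlan_id == 0; }` would give the rule a single name and a single place to document it. wpa_group_config_group_keys begins and ends outside this hunk.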