From: Jouni Malinen Date: Thu, 15 Aug 2024 17:39:03 +0000 (+0300) Subject: RSNO: Do not enforce SNonce cookie and RSN Selection match if RSNO not used X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=66d8ac8cccbcb6551f24c7049fe45d7bf92ece10;p=thirdparty%2Fhostap.git RSNO: Do not enforce SNonce cookie and RSN Selection match if RSNO not used A STA that supports RSN overriding will always use the SNonce cookie. An AP that does not advertise RSN overriding elements must not enforce that SNonce cookie is used with RSN Selection element since a STA includes the latter only when it sees the AP advertising RSN overriding elements. Signed-off-by: Jouni Malinen
---
diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
index 3562ca1b8..093aea23a 100644
--- a/src/ap/wpa_auth.c
+++ b/src/ap/wpa_auth.c
@@ -3920,14 +3920,16 @@ SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
 #endif /* CONFIG_IEEE80211R_AP */

 /* Verify RSN Selection element for RSN overriding */
- if ((rsn_is_snonce_cookie(sm->SNonce) && !kde.rsn_selection) ||
- (!rsn_is_snonce_cookie(sm->SNonce) && kde.rsn_selection) ||
- (sm->rsn_selection && !kde.rsn_selection) ||
- (!sm->rsn_selection && kde.rsn_selection) ||
- (sm->rsn_selection && kde.rsn_selection &&
- (sm->rsn_selection_len != kde.rsn_selection_len ||
- os_memcmp(sm->rsn_selection, kde.rsn_selection,
- sm->rsn_selection_len) != 0))) {
+ if ((wpa_auth->conf.rsn_override_key_mgmt ||
+ wpa_auth->conf.rsn_override_key_mgmt_2) &&
+ ((rsn_is_snonce_cookie(sm->SNonce) && !kde.rsn_selection) ||
+ (!rsn_is_snonce_cookie(sm->SNonce) && kde.rsn_selection) ||
+ (sm->rsn_selection && !kde.rsn_selection) ||
+ (!sm->rsn_selection && kde.rsn_selection) ||
+ (sm->rsn_selection && kde.rsn_selection &&
+ (sm->rsn_selection_len != kde.rsn_selection_len ||
+ os_memcmp(sm->rsn_selection, kde.rsn_selection,
+ sm->rsn_selection_len) != 0)))) {
 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
 "RSN Selection element from (Re)AssocReq did not match the one in EAPOL-Key msg 2/4");
 wpa_printf(MSG_DEBUG,
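Review bot: The new gate `wpa_auth->conf.rsn_override_key_mgmt || wpa_auth->conf.rsn_override_key_mgmt_2` is written inline in the condition, so nothing ties it to whatever condition decides that the AP advertises RSN overriding elements, and that code is not visible in this hunk. If the two ever diverge, an AP could advertise RSNO while skipping the MIC-protected comparison of the EAPOL-Key msg 2/4 RSN Selection KDE against the (Re)AssocReq value, which is the check that detects a tampered selection. Consider moving the "RSNO enabled" test into a small static helper shared with the advertising path. The comment above the `if` should also state the precondition, for example `/* Verify RSN Selection element for RSN overriding; skipped when this AP does not advertise RSN overriding elements */`. The body of SM_STATE(WPA_PTK, PTKCALCNEGOTIATING) starts before and continues past this hunk, so whether `sm->rsn_selection` is used elsewhere when the gate is off cannot be confirmed from here.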