On Mon, Feb 24, 2020 at 11:14:34AM +0200, Ilan Peer wrote:
> PASN authentication requires that group management cipher suite
> would be set to 00-0F-AC:7 in the RSN IE, so allow this value
> when parsing and validating the RSN IE.
Can you please point me to the location in P802.11az/D2.0 that describes
this?
> diff --git a/src/common/wpa_common.c b/src/common/wpa_common.c
> @@ -1369,7 +1369,8 @@ int wpa_parse_wpa_ie_rsn(const u8 *rsn_ie, size_t rsn_ie_len,
>
> if (left >= 4) {
> data->mgmt_group_cipher = rsn_selector_to_bitfield(pos);
> - if (!wpa_cipher_valid_mgmt_group(data->mgmt_group_cipher)) {
> + if (data->mgmt_group_cipher != WPA_CIPHER_GTK_NOT_USED &&
> + !wpa_cipher_valid_mgmt_group(data->mgmt_group_cipher)) {
> wpa_printf(MSG_DEBUG,
> "%s: Unsupported management group cipher 0x%x (%08x)",
> __func__, data->mgmt_group_cipher,
This looks problematic for PMF.. Are you sure this does not result in
unexpected behavior for BIP with Robust Management frames? This would
likely need some changes in other locations and clear understanding on
what to expect to happen with IGTK. The drivers would need to be able to
drop any unprotected group-addressed Robust Management frame in such
configuration. That would depend on there being an IGTK configured. That
would either need to be a random value from the AP or a random value
generated by wpa_supplicant internally if no IGTK is received from the
AP.
As far as consistent implementation is concerned, that check for
WPA_CIPHER_GTK_NOT_USED would belong in wpa_cipher_valid_mgmt_group()
similarly to the way this is handled with wpa_cipher_valid_group().
--
Jouni Malinen PGP id EFC895FA
_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
