> -----Original Message-----
> From: Jouni Malinen <j@xxxxx>
> Sent: Sunday, March 01, 2020 00:06
> To: Peer, Ilan <ilan.peer@xxxxxxxxx>
> Cc: hostap@xxxxxxxxxxxxxxxxxxx
> Subject: Re: [PATCH 09/12] common: Allow WPA_CIPHER_GTK_NOT_USED in
> RSNE parsing
>
> On Mon, Feb 24, 2020 at 11:14:34AM +0200, Ilan Peer wrote:
> > PASN authentication requires that group management cipher suite would
> > be set to 00-0F-AC:7 in the RSN IE, so allow this value when parsing
> > and validating the RSN IE.
>
> Can you please point me to the location in P802.11az/D2.0 that describes
> this?
>

See section 12.13.2.2 (PASN Frame Construction and Processing).

> > diff --git a/src/common/wpa_common.c b/src/common/wpa_common.c > @@ > > -1369,7 +1369,8 @@ int wpa_parse_wpa_ie_rsn(const u8 *rsn_ie, size_t > > rsn_ie_len, > > > > if (left >= 4) { > > data->mgmt_group_cipher = rsn_selector_to_bitfield(pos); > > - if (!wpa_cipher_valid_mgmt_group(data- > >mgmt_group_cipher)) { > > + if (data->mgmt_group_cipher != > WPA_CIPHER_GTK_NOT_USED && > > + !wpa_cipher_valid_mgmt_group(data- > >mgmt_group_cipher)) { > > wpa_printf(MSG_DEBUG, > > "%s: Unsupported management group > cipher 0x%x (%08x)", > > __func__, data->mgmt_group_cipher,
>
> This looks problematic for PMF.. Are you sure this does not result in
> unexpected behavior for BIP with Robust Management frames? This would
> likely need some changes in other locations and clear understanding on what
> to expect to happen with IGTK. The drivers would need to be able to drop
> any unprotected group-addressed Robust Management frame in such
> configuration. That would depend on there being an IGTK configured. That
> would either need to be a random value from the AP or a random value
> generated by wpa_supplicant internally if no IGTK is received from the AP.
>

I'm not sure about this. From what I understand, during PASN no multicast frames are allowed, so drivers are expected to drop any multicast frames.

> As far as consistent implementation is concerned, that check for
> WPA_CIPHER_GTK_NOT_USED would belong in
> wpa_cipher_valid_mgmt_group() similarly to the way this is handled with
> wpa_cipher_valid_group().

Ok. I'll move it there and see if other changes are required.

Thanks,
Ilan.
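
Review bot: the added "data->mgmt_group_cipher != WPA_CIPHER_GTK_NOT_USED" test in wpa_parse_wpa_ie_rsn() is not tied to PASN by anything in the lines shown, so any RSNE that carries this selector as its group management cipher now gets past the "Unsupported management group cipher" rejection, whatever the AKM or the context in which the element is parsed. The commit message justifies the value only for PASN, so the exception should either be conditioned on that case or be made in one place together with the other validity rules, with a comment citing the P802.11az/D2.0 clause (12.13.2.2) that requires it. Without a comment the condition reads as a general relaxation of the check. After this change data->mgmt_group_cipher can also hold a value that is not a BIP cipher, so code that consumes this field to configure management frame protection needs to be checked for how it treats that value.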