[PATCH 09/12] MLD STA: Add support for validating MLO KDEs for 4WHS EAPOL frames

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Validate new KDEs defined for MLO connection in EAPOL 1/4 and 3/4 and
reject the Four-Way handshake frames if any of the new KDE data is not
matching expected key data.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@xxxxxxxxxxx>
---
 src/rsn_supp/wpa.c | 147 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 147 insertions(+)

diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
index 96adc4817..9a4e0ebee 100644
--- a/src/rsn_supp/wpa.c
+++ b/src/rsn_supp/wpa.c
@@ -785,6 +785,14 @@ static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm,
 		}
 	}
 
+	if (sm->valid_links &&
+	    (!ie.mac_addr || ie.mac_addr_len < ETH_ALEN ||
+	     os_memcmp(ie.mac_addr, sm->ap_mld_addr, ETH_ALEN))) {
+		wpa_printf(MSG_INFO,
+			  "RSN MLO: Discard EAPOL-Key msg 1/4 with invalid MAC address KDE");
+		return;
+	}
+
 	res = wpa_supplicant_get_pmk(sm, src_addr, ie.pmkid);
 	if (res == -2) {
 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "RSN: Do not reply to "
@@ -2092,6 +2100,131 @@ int wpa_supplicant_send_4_of_4(struct wpa_sm *sm, const unsigned char *dst,
 }
 
 
+static int wpa_supplicant_validate_link_kde(struct wpa_sm *sm,
+					    u8 link_id,
+					    const u8 *link_kde,
+					    size_t link_kde_len)
+{
+	struct wpa_mlo_link_hdr *link_kde_hdr;
+	size_t rsn_ie_len = 0, rsnxe_len = 0;
+	const u8 *rsn_ie = NULL, *rsnxe = NULL;
+
+	if (!link_kde || link_kde_len < sizeof(*link_kde_hdr)) {
+		wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
+			"WPA MLO: Invalid link KDE for link ID %d",
+			link_id);
+		return -1;
+	}
+
+	link_kde_hdr = (struct wpa_mlo_link_hdr *) link_kde;
+
+	if (os_memcmp(sm->links[link_id].bssid, link_kde_hdr->mac, ETH_ALEN)) {
+		wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
+			"WPA MLO: Link MAC address not matching with assoc response");
+		return -1;
+	}
+
+	if (link_kde_hdr->rsne_present) {
+		rsn_ie = link_kde + sizeof(*link_kde_hdr);
+		if (link_kde_len < (sizeof(*link_kde_hdr) + 2) ||
+		    link_kde_len < (sizeof(*link_kde_hdr) + 2 + rsn_ie[1]))
+			return -1;
+
+		rsn_ie_len = rsn_ie[1] + 2;
+	}
+
+	if (link_kde_hdr->rsnxe_present) {
+		rsnxe = link_kde + sizeof(*link_kde_hdr) + rsn_ie_len;
+		if (link_kde_len < (sizeof(*link_kde_hdr) + rsn_ie_len + 2) ||
+		    link_kde_len < (sizeof(*link_kde_hdr) + rsn_ie_len + 2 +
+				    rsnxe[1]))
+			return -1;
+
+		rsnxe_len = rsnxe[1] + 2;
+	}
+
+	if (sm->links[link_id].ap_rsn_ie == NULL) {
+		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
+			"WPA MLO: No RSN IE AP link ID %u known. "
+			"Trying to get from scan results", link_id);
+		if (wpa_sm_get_link_beacon_ie(sm, link_id) < 0) {
+			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
+				"WPA MLO: Could not find AP from "
+				"the scan results");
+			return -1;
+		}
+		wpa_msg(sm->ctx->msg_ctx, MSG_DEBUG,
+			"WPA MLO: Found the current AP from updated scan results");
+	}
+
+	if (rsn_ie == NULL && sm->links[link_id].ap_rsn_ie) {
+		wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
+			"WPA MLO: IE in 3/4 msg does not match with IE in Beacon/ProbeResp (no IE?) for link ID %u",
+			link_id);
+		return -1;
+	}
+
+	if (rsn_ie && sm->links[link_id].ap_rsn_ie &&
+	    wpa_compare_rsn_ie(wpa_key_mgmt_ft(sm->key_mgmt),
+			       sm->links[link_id].ap_rsn_ie,
+			       sm->links[link_id].ap_rsn_ie_len,
+			       rsn_ie, rsn_ie_len)) {
+		wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
+			"WPA MLO: IE in 3/4 msg does not match with IE in Beacon/ProbeResp for link ID %u",
+			link_id);
+		wpa_hexdump(MSG_INFO, "RSNE in Beacon/ProbeResp",
+			    sm->links[link_id].ap_rsnxe,
+			    sm->links[link_id].ap_rsnxe_len);
+		wpa_hexdump(MSG_INFO, "RSNE in EAPOL-Key msg 3/4",
+			    rsn_ie, rsn_ie_len);
+		return -1;
+	}
+
+	if ((sm->links[link_id].ap_rsnxe && !rsnxe) ||
+	    (!sm->links[link_id].ap_rsnxe && rsnxe) ||
+	    (sm->links[link_id].ap_rsnxe && rsnxe &&
+	     (sm->links[link_id].ap_rsnxe_len != rsnxe_len ||
+	      os_memcmp(sm->links[link_id].ap_rsnxe, rsnxe,
+			sm->links[link_id].ap_rsnxe_len) != 0))) {
+		wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
+			"WPA MLO: RSNXE mismatch between Beacon/ProbeResp and EAPOL-Key msg 3/4 for link ID %u",
+			link_id);
+		wpa_hexdump(MSG_INFO, "RSNXE in Beacon/ProbeResp",
+			    sm->links[link_id].ap_rsnxe,
+			    sm->links[link_id].ap_rsnxe_len);
+		wpa_hexdump(MSG_INFO, "RSNXE in EAPOL-Key msg 3/4",
+			    rsnxe, rsnxe_len);
+		wpa_sm_deauthenticate(sm, WLAN_REASON_IE_IN_4WAY_DIFFERS);
+		return -1;
+	}
+
+	return 0;
+}
+
+
+static int wpa_validate_mlo_kdes(struct wpa_sm *sm,
+				 u8 link_id, struct wpa_eapol_ie_parse *ie)
+{
+	if (ie->mlo_igtk[link_id] &&
+	    sm->mgmt_group_cipher != WPA_CIPHER_GTK_NOT_USED &&
+	    wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher) &&
+	    ie->mlo_igtk_len[link_id] != sizeof(struct wpa_mlo_igtk_hdr) +
+	    (unsigned int) wpa_cipher_key_len(sm->mgmt_group_cipher)) {
+		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
+			"WPA MLO: Invalid IGTK KDE length %lu for link ID %u",
+			(unsigned long) ie->mlo_igtk_len, link_id);
+		return -1;
+	}
+
+	if (wpa_supplicant_validate_link_kde(sm, link_id,
+					     ie->mlo_link[link_id],
+					     ie->mlo_link_len[link_id]))
+		return -1;
+
+	return 0;
+}
+
+
 static void wpa_supplicant_process_mlo_3_of_4(struct wpa_sm *sm,
 					      const struct wpa_eapol_key *key,
 					      u16 ver, const u8 *key_data,
@@ -2099,6 +2232,7 @@ static void wpa_supplicant_process_mlo_3_of_4(struct wpa_sm *sm,
 {
 	u16 key_info, keylen;
 	struct wpa_eapol_ie_parse ie;
+	int i;
 
 	wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE);
 	wpa_dbg(sm->ctx->msg_ctx, MSG_INFO, "WPA MLO: RX message 3 of 4-Way "
@@ -2121,6 +2255,19 @@ static void wpa_supplicant_process_mlo_3_of_4(struct wpa_sm *sm,
 		goto failed;
 	}
 
+	if (!ie.mac_addr || ie.mac_addr_len < ETH_ALEN ||
+	    os_memcmp(ie.mac_addr, sm->ap_mld_addr, ETH_ALEN)) {
+		wpa_printf(MSG_DEBUG, "RSN MLO: Invalid MAC address KDE");
+		goto failed;
+	}
+
+	for (i = 0; i < MAX_NUM_MLD_LINKS; i++) {
+		if (!(sm->valid_links & BIT(i)))
+			continue;
+
+		if (wpa_validate_mlo_kdes(sm, i, &ie))
+			goto failed;
+	}
 
 #ifdef CONFIG_IEEE80211R
 	if (wpa_key_mgmt_ft(sm->key_mgmt) &&
-- 
2.25.1


_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap



[Index of Archives]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Samba]     [Device Mapper]

  Powered by Linux