Hi, > -----Original Message----- > From: Hostap <hostap-bounces@xxxxxxxxxxxxxxxxxxx> On Behalf Of > Veerendranath Jakkam > Sent: Saturday, October 01, 2022 11:21 > To: hostap@xxxxxxxxxxxxxxxxxxx > Cc: quic_vjakkam@xxxxxxxxxxx > Subject: [PATCH v2 11/17] MLD STA: Add support for validating MLO KDEs for > 4WHS EAPOL frames > > Validate new KDEs defined for MLO connection in EAPOL 1/4 and 3/4 and > reject the Four-Way handshake frames if any of the new KDE data is not > matching expected key data. > > Signed-off-by: Veerendranath Jakkam <quic_vjakkam@xxxxxxxxxxx> Snip > +static int wpa_validate_mlo_kdes(struct wpa_sm *sm, > + u8 link_id, struct wpa_eapol_ie_parse *ie) { > + if ((sm->mlo.setup_links & BIT(link_id)) && ie->mlo_igtk[link_id] && > + wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher) && > + ie->mlo_igtk_len[link_id] != > RSN_MLO_IGTK_KDE_PREFIX_LENGTH + > + (unsigned int) wpa_cipher_key_len(sm->mgmt_group_cipher)) { > + wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, > + "WPA MLO: Invalid IGTK KDE length %lu for link ID > %u", > + (unsigned long) ie->mlo_igtk_len, link_id); > + return -1; > + } > + This should be validated only if MFP is negotiated. Also need to fail in case the MLO IGTK was not included etc. > + if ((sm->mlo.setup_links & BIT(link_id)) && ie->mlo_bigtk[link_id] > && > + ie->mlo_bigtk_len[link_id] != > RSN_MLO_BIGTK_KDE_PREFIX_LENGTH + > + (unsigned int) wpa_cipher_key_len(sm->mgmt_group_cipher)) { > + wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, > + "WPA MLO: Invalid BIGTK KDE length %lu for link ID > %u", > + (unsigned long) ie->mlo_bigtk_len, link_id); > + return -1; > + } > + This should be validated only if beacon protection is used. Also need to verify in such a case the MLO BIGTK is present. Regards, Ilan. _______________________________________________ Hostap mailing list Hostap@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/hostap