Hi,
> -----Original Message-----
> From: Hostap <hostap-bounces@xxxxxxxxxxxxxxxxxxx> On Behalf Of
> Veerendranath Jakkam
> Sent: Saturday, October 01, 2022 11:21
> To: hostap@xxxxxxxxxxxxxxxxxxx
> Cc: quic_vjakkam@xxxxxxxxxxx
> Subject: [PATCH v2 11/17] MLD STA: Add support for validating MLO KDEs for
> 4WHS EAPOL frames
>
> Validate new KDEs defined for MLO connection in EAPOL 1/4 and 3/4 and
> reject the Four-Way handshake frames if any of the new KDE data is not
> matching expected key data.
>
> Signed-off-by: Veerendranath Jakkam <quic_vjakkam@xxxxxxxxxxx>
Snip
> +static int wpa_validate_mlo_kdes(struct wpa_sm *sm,
> + u8 link_id, struct wpa_eapol_ie_parse *ie) {
> + if ((sm->mlo.setup_links & BIT(link_id)) && ie->mlo_igtk[link_id] &&
> + wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher) &&
> + ie->mlo_igtk_len[link_id] !=
> RSN_MLO_IGTK_KDE_PREFIX_LENGTH +
> + (unsigned int) wpa_cipher_key_len(sm->mgmt_group_cipher)) {
> + wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
> + "WPA MLO: Invalid IGTK KDE length %lu for link ID
> %u",
> + (unsigned long) ie->mlo_igtk_len, link_id);
> + return -1;
> + }
> +
This should be validated only if MFP is negotiated. Also need to fail in case the MLO IGTK was not included etc.
> + if ((sm->mlo.setup_links & BIT(link_id)) && ie->mlo_bigtk[link_id]
> &&
> + ie->mlo_bigtk_len[link_id] !=
> RSN_MLO_BIGTK_KDE_PREFIX_LENGTH +
> + (unsigned int) wpa_cipher_key_len(sm->mgmt_group_cipher)) {
> + wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
> + "WPA MLO: Invalid BIGTK KDE length %lu for link ID
> %u",
> + (unsigned long) ie->mlo_bigtk_len, link_id);
> + return -1;
> + }
> +
This should be validated only if beacon protection is used. Also need to verify in such a case the MLO BIGTK is present.
Regards,
Ilan.
_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
