RSNO: Always enable SNonce cookie and RSN Override elements validation

Always set SNonce cookie and enable RSN Override elements validation irrespective of the RSN Selection element usage in (Re)Association Request frame when RSN overriding supported. Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2025-10-04 11:00:58 +02:00 · 2024-08-13 23:42:48 +05:30
parent 5e1e2cd4ea
commit 1848be2f06
3 changed files with 33 additions and 4 deletions
--- a/components/wpa_supplicant/src/rsn_supp/wpa.c
+++ b/components/wpa_supplicant/src/rsn_supp/wpa.c
@@ -733,7 +733,7 @@ void wpa_supplicant_process_1_of_4(struct wpa_sm *sm,
            wpa_printf(MSG_DEBUG, "WPA: Failed to get random data for SNonce");
            goto failed;
        }
-        if (sm->rsn_override != RSN_OVERRIDE_NOT_USED)
+        if (wpa_sm_rsn_overriding_supported(sm))
            rsn_set_snonce_cookie(sm->snonce);
        sm->renew_snonce = 0;
        wpa_hexdump(MSG_DEBUG, "WPA: Renewed SNonce",
@@ -1215,8 +1215,7 @@ static int wpa_supplicant_validate_ie(struct wpa_sm *sm,
        return -1;
    }

-    if (sm->proto == WPA_PROTO_RSN &&
-            sm->rsn_override != RSN_OVERRIDE_NOT_USED) {
+    if (sm->proto == WPA_PROTO_RSN && wpa_sm_rsn_overriding_supported(sm)) {
        if ((sm->ap_rsne_override && !ie->rsne_override) ||
                (!sm->ap_rsne_override && ie->rsne_override) ||
                (sm->ap_rsne_override && ie->rsne_override &&
@@ -2286,12 +2285,36 @@ int wpa_sm_set_param(struct wpa_sm *sm, enum wpa_sm_conf_params param,
        case WPA_PARAM_RSN_OVERRIDE:
            sm->rsn_override = value;
            break;
+        case WPA_PARAM_RSN_OVERRIDE_SUPPORT:
+            sm->rsn_override_support = value;
+            break;
        default:
            break;
    }
    return ret;
 }

+static const u8 * wpa_sm_get_ap_rsne(struct wpa_sm *sm, size_t *len)
+{
+    if (sm->rsn_override == RSN_OVERRIDE_RSNE_OVERRIDE) {
+        *len = sm->ap_rsne_override_len;
+        return sm->ap_rsne_override;
+    }
+
+    *len = sm->ap_rsn_ie_len;
+    return sm->ap_rsn_ie;
+}
+
+bool wpa_sm_rsn_overriding_supported(struct wpa_sm *sm)
+{
+    const u8 *rsne;
+    size_t rsne_len;
+
+    rsne = wpa_sm_get_ap_rsne(sm, &rsne_len);
+
+    return sm->rsn_override_support && rsne;
+}
+
 #ifdef ESP_SUPPLICANT
 /**
 * wpa_sm_notify_assoc - Notify WPA state machine about association
@@ -2574,6 +2597,8 @@ int wpa_set_bss(uint8_t *macddr, uint8_t *bssid, u8 pairwise_cipher, u8 group_ci
        return -1;
    }
    pos += assoc_ie_len;
+    wpa_sm_set_param(sm, WPA_PARAM_RSN_OVERRIDE_SUPPORT,
+            esp_wifi_wpa3_compatible_mode_enabled(WIFI_IF_STA));
    wpa_sm_set_param(sm, WPA_PARAM_RSN_OVERRIDE,
            RSN_OVERRIDE_NOT_USED);
    ie = esp_wifi_sta_get_ie(bssid, WLAN_EID_RSN);
@@ -2601,7 +2626,7 @@ int wpa_set_bss(uint8_t *macddr, uint8_t *bssid, u8 pairwise_cipher, u8 group_ci
        *pos = variant;
        assoc_ie_len += 2 + 4 + 1;
    }
-
+    wpa_hexdump(MSG_DEBUG, "WPA: ASSOC IE LEN", assoc_ie, assoc_ie_len);
    esp_set_assoc_ie(bssid, assoc_ie, assoc_ie_len, true);

    if (sm->ap_rsnxe != NULL) {
--- a/components/wpa_supplicant/src/rsn_supp/wpa.h
+++ b/components/wpa_supplicant/src/rsn_supp/wpa.h
@@ -37,6 +37,7 @@ struct l2_ethhdr {

 enum wpa_sm_conf_params {
    WPA_PARAM_RSN_OVERRIDE,
+    WPA_PARAM_RSN_OVERRIDE_SUPPORT,
 };

 void wpa_sm_set_state(enum wpa_states state);
--- a/components/wpa_supplicant/src/rsn_supp/wpa_i.h
+++ b/components/wpa_supplicant/src/rsn_supp/wpa_i.h
@@ -128,6 +128,7 @@ struct wpa_sm {
    int (*wpa_sm_wps_disable)(void);
    esp_err_t (*wpa_sm_eap_disable)(void);

+    bool rsn_override_support;
    enum wpa_rsn_override rsn_override;
 };

@@ -220,4 +221,6 @@ int wpa_sm_rx_eapol(u8 *src_addr, u8 *buf, u32 len);

 int wpa_derive_ptk_ft(struct wpa_sm *sm, const unsigned char *src_addr,
                      const struct wpa_eapol_key *key, struct wpa_ptk *ptk);
+
+bool wpa_sm_rsn_overriding_supported(struct wpa_sm *sm);
 #endif /* WPA_I_H */