RSNO: Generate IGTK if any of the RSN variants has PMF enabled

With RSN overriding enabled, AP can be configured to set MFPC to 0 and
MFPR to 0 in the RSNE and MFPC to 1 and MFPR to 1 in the RSNOE and
RSNO2E. IGTK generation, configuration to the driver, and inclusion of
the IGTK KDE in 4-way handshake should also take into account the
management frame protection settings in the override variants.

Signed-off-by: Sai Pratyusha Magam <quic_smagam@quicinc.com>
Sai Pratyusha Magam
2025-01-03 11:23:22 +05:30
committed by Kapil Gupta
parent c3d6a1ce73
commit e8a19841f4
3 changed files with 8 additions and 3 deletions


@@ -2381,7 +2381,7 @@ static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
group->GTK[group->GN - 1], group->GTK_len); group->GTK[group->GN - 1], group->GTK_len);
#ifdef CONFIG_IEEE80211W #ifdef CONFIG_IEEE80211W
if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) { if (wpa_auth_pmf_enabled(&wpa_auth->conf)) {
len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher); len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher);
memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN); memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
inc_byte_array(group->Counter, WPA_NONCE_LEN); inc_byte_array(group->Counter, WPA_NONCE_LEN);
@@ -2577,7 +2577,7 @@ static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
ret = -1; ret = -1;
#ifdef CONFIG_IEEE80211W #ifdef CONFIG_IEEE80211W
if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION && if (wpa_auth_pmf_enabled(&wpa_auth->conf) &&
wpa_auth_set_key(wpa_auth, group->vlan_id, WIFI_WPA_ALG_IGTK, wpa_auth_set_key(wpa_auth, group->vlan_id, WIFI_WPA_ALG_IGTK,
broadcast_ether_addr, group->GN_igtk, broadcast_ether_addr, group->GN_igtk,
group->IGTK[group->GN_igtk - 4], group->IGTK[group->GN_igtk - 4],
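Review bot: In wpa_gtk_update() the IGTK length still comes from `wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher)`, and nothing in the hunk checks that this cipher is set when PMF is enabled only through the override variant. If the configuration path fills in group_mgmt_cipher only when `ieee80211w` is set (not visible here), the AP could derive and install a zero-length or mismatched IGTK while advertising MFPR=1 in the RSNOE. I would reject that case right after the length lookup, for example `if (!len) return -1;` or the function's existing failure path. The same assumption applies to the wpa_auth_set_key() call in wpa_group_config_group_keys() in the second hunk. Both function bodies extend beyond the hunks shown.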


@@ -310,5 +310,10 @@ void wpa_auth_pmksa_remove(struct wpa_authenticator *wpa_auth,
const u8 *sta_addr); const u8 *sta_addr);
void wpa_auth_set_rsn_selection(struct wpa_state_machine *sm, const u8 *ie, void wpa_auth_set_rsn_selection(struct wpa_state_machine *sm, const u8 *ie,
size_t len); size_t len);
static inline bool wpa_auth_pmf_enabled(struct wpa_auth_config *conf)
{
return conf->ieee80211w != NO_MGMT_FRAME_PROTECTION ||
conf->rsn_override_mfp != NO_MGMT_FRAME_PROTECTION;
}
#endif /* WPA_AUTH_H */ #endif /* WPA_AUTH_H */
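Review bot: wpa_auth_pmf_enabled() checks `ieee80211w` and a single `rsn_override_mfp`, while the commit message names both RSNOE and RSNO2E as variants that can enable PMF. If this port keeps a separate MFP setting for RSNO2E (not visible here), it should be ORed in as well. The helper only reads the config, so the parameter should be const: `static inline bool wpa_auth_pmf_enabled(const struct wpa_auth_config *conf)`. I would also add a comment such as `/* True if PMF is enabled in the RSNE or any RSN override element; AP-wide, not the variant a given STA selected */`, because per-station decisions such as `sm->mgmt_frame_prot` in wpa_validate_wpa_ie() now depend on it. The helper is defined outside any CONFIG_IEEE80211W guard, so confirm both fields exist in builds without that option.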


@@ -751,7 +751,7 @@ wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth,
} }
#endif /* CONFIG_SAE */ #endif /* CONFIG_SAE */
if (wpa_auth->conf.ieee80211w == NO_MGMT_FRAME_PROTECTION || if (!wpa_auth_pmf_enabled(&wpa_auth->conf) ||
!(data.capabilities & WPA_CAPABILITY_MFPC)) !(data.capabilities & WPA_CAPABILITY_MFPC))
sm->mgmt_frame_prot = 0; sm->mgmt_frame_prot = 0;
else else