RSNO: Generate IGTK if any of the RSN variants has PMF enabled

With RSN overriding enabled, AP can be configured to set MFPC to 0 and MFPR to 0 in the RSNE and MFPC to 1 and MFPR to 1 in the RSNOE and RSNO2E. IGTK generation, configuration to the driver, and inclusion of the IGTK KDE in 4-way handshake should also take into account the management frame protection settings in the override variants. Signed-off-by: Sai Pratyusha Magam <quic_smagam@quicinc.com>
2025-10-03 18:40:59 +02:00 · 2025-01-03 11:23:22 +05:30
parent c3d6a1ce73
commit e8a19841f4
3 changed files with 8 additions and 3 deletions
--- a/components/wpa_supplicant/src/ap/wpa_auth.c
+++ b/components/wpa_supplicant/src/ap/wpa_auth.c
@@ -2381,7 +2381,7 @@ static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
            group->GTK[group->GN - 1], group->GTK_len);

 #ifdef CONFIG_IEEE80211W
-    if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) {
+    if (wpa_auth_pmf_enabled(&wpa_auth->conf)) {
        len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher);
        memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
        inc_byte_array(group->Counter, WPA_NONCE_LEN);
@@ -2577,7 +2577,7 @@ static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
        ret = -1;

 #ifdef CONFIG_IEEE80211W
-    if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION &&
+    if (wpa_auth_pmf_enabled(&wpa_auth->conf) &&
        wpa_auth_set_key(wpa_auth, group->vlan_id, WIFI_WPA_ALG_IGTK,
                 broadcast_ether_addr, group->GN_igtk,
                 group->IGTK[group->GN_igtk - 4],
--- a/components/wpa_supplicant/src/ap/wpa_auth.h
+++ b/components/wpa_supplicant/src/ap/wpa_auth.h
@@ -310,5 +310,10 @@ void wpa_auth_pmksa_remove(struct wpa_authenticator *wpa_auth,
 			    const u8 *sta_addr);
 void wpa_auth_set_rsn_selection(struct wpa_state_machine *sm, const u8 *ie,
                               size_t len);
+static inline bool wpa_auth_pmf_enabled(struct wpa_auth_config *conf)
+{
+       return conf->ieee80211w != NO_MGMT_FRAME_PROTECTION ||
+               conf->rsn_override_mfp != NO_MGMT_FRAME_PROTECTION;
+}

 #endif /* WPA_AUTH_H */
--- a/components/wpa_supplicant/src/ap/wpa_auth_ie.c
+++ b/components/wpa_supplicant/src/ap/wpa_auth_ie.c
@@ -751,7 +751,7 @@ wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth,
 	}
 #endif /* CONFIG_SAE */

-	if (wpa_auth->conf.ieee80211w == NO_MGMT_FRAME_PROTECTION ||
+	if (!wpa_auth_pmf_enabled(&wpa_auth->conf) ||
 	    !(data.capabilities & WPA_CAPABILITY_MFPC))
 		sm->mgmt_frame_prot = 0;
 	else