[PATCH v2 11/17] MLD STA: Add support for validating MLO KDEs for 4WHS EAPOL frames

Peer, Ilan ilan.peer at intel.com
Mon Oct 3 05:30:16 PDT 2022


Hi,

> -----Original Message-----
> From: Hostap <hostap-bounces at lists.infradead.org> On Behalf Of
> Veerendranath Jakkam
> Sent: Saturday, October 01, 2022 11:21
> To: hostap at lists.infradead.org
> Cc: quic_vjakkam at quicinc.com
> Subject: [PATCH v2 11/17] MLD STA: Add support for validating MLO KDEs for
> 4WHS EAPOL frames
> 
> Validate new KDEs defined for MLO connection in EAPOL 1/4 and 3/4 and
> reject the Four-Way handshake frames if any of the new KDE data is not
> matching expected key data.
> 
> Signed-off-by: Veerendranath Jakkam <quic_vjakkam at quicinc.com>

Snip 

> +static int wpa_validate_mlo_kdes(struct wpa_sm *sm,
> +				 u8 link_id, struct wpa_eapol_ie_parse *ie) {
> +	if ((sm->mlo.setup_links & BIT(link_id)) && ie->mlo_igtk[link_id] &&
> +	    wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher) &&
> +	    ie->mlo_igtk_len[link_id] !=
> RSN_MLO_IGTK_KDE_PREFIX_LENGTH +
> +	    (unsigned int) wpa_cipher_key_len(sm->mgmt_group_cipher)) {
> +		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
> +			"WPA MLO: Invalid IGTK KDE length %lu for link ID
> %u",
> +			(unsigned long) ie->mlo_igtk_len, link_id);
> +		return -1;
> +	}
> +

This should be validated only if MFP is negotiated. Also need to fail in case the MLO IGTK was not included etc.

> +	if ((sm->mlo.setup_links & BIT(link_id)) && ie->mlo_bigtk[link_id]
> &&
> +	    ie->mlo_bigtk_len[link_id] !=
> RSN_MLO_BIGTK_KDE_PREFIX_LENGTH +
> +	    (unsigned int) wpa_cipher_key_len(sm->mgmt_group_cipher)) {
> +		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
> +			"WPA MLO: Invalid BIGTK KDE length %lu for link ID
> %u",
> +			(unsigned long) ie->mlo_bigtk_len, link_id);
> +		return -1;
> +	}
> +

This should be validated only if beacon protection is used. Also need to verify in such a case the MLO BIGTK is present.

Regards,

Ilan.



More information about the Hostap mailing list