[PATCH 7/9] BSS: MLD: Add verification for the pairwise cipher
Benjamin Berg
benjamin at sipsolutions.net
Wed Jun 18 05:35:29 PDT 2025
From: Benjamin Berg <benjamin.berg at intel.com>
Check that there is a valid pairwise cipher for an EHT AP. Also verify
that each potential link has a pairwise cipher in common with the
association link.
Signed-off-by: Benjamin Berg <benjamin.berg at intel.com>
---
wpa_supplicant/bss.c | 51 +++++++++++++++++++++++++++++++++-----------
1 file changed, 38 insertions(+), 13 deletions(-)
diff --git a/wpa_supplicant/bss.c b/wpa_supplicant/bss.c
index ce250655a5..e4fa8ee6d2 100644
--- a/wpa_supplicant/bss.c
+++ b/wpa_supplicant/bss.c
@@ -1686,14 +1686,15 @@ wpa_bss_parse_ml_rnr_ap_info(struct wpa_supplicant *wpa_s,
* @bss: BSS table entry
* Returns: true if the BSS configuration matches local profile and the elements
* meet MLO requirements, false otherwise
- * @key_mgmt: Pointer to store key management
* @rsne_type_p: Type of RSNE to validate. If -1 is given, choose as per the
* presence of RSN elements (association link); otherwise, validate
* against the requested type (other affiliated links).
+ * @ref_wpa_ie: WPA IE data from the main link to compare against
*/
static bool
wpa_bss_validate_rsne_ml(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid,
- struct wpa_bss *bss, int *key_mgmt, int *rsne_type_p)
+ struct wpa_bss *bss, int *rsne_type_p,
+ struct wpa_ie_data *ref_wpa_ie)
{
struct ieee802_11_elems elems;
struct wpa_ie_data wpa_ie;
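Review bot: The new `@ref_wpa_ie` line does not say that the parameter is both an output and an input. Going by the later hunk of this function, it is filled from the parsed RSNE when `*rsne_type_p` is -1 and only read otherwise, and it is dereferenced without a NULL check. The comment should state that contract, for example `@ref_wpa_ie: RSN data of the association link; written when *rsne_type_p is -1, otherwise read to validate an affiliated link (must not be NULL)`. The function body continues outside this hunk.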
@@ -1744,14 +1745,41 @@ wpa_bss_validate_rsne_ml(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid,
wpa_ie.key_mgmt &= ~(WPA_KEY_MGMT_PSK | WPA_KEY_MGMT_FT_PSK |
WPA_KEY_MGMT_PSK_SHA256);
+ if (!(wpa_ie.key_mgmt & ssid->key_mgmt)) {
+ wpa_dbg(wpa_s, MSG_DEBUG,
+ "MLD: No valid key management");
+ return false;
+ }
wpa_dbg(wpa_s, MSG_DEBUG, "MLD: key_mgmt=0x%x", wpa_ie.key_mgmt);
- if (key_mgmt)
- *key_mgmt = wpa_ie.key_mgmt;
+ wpa_ie.pairwise_cipher &= ~(WPA_CIPHER_NONE | WPA_CIPHER_WEP40 |
+ WPA_CIPHER_WEP104 | WPA_CIPHER_TKIP);
+ if (!(wpa_ie.pairwise_cipher & ssid->pairwise_cipher)) {
+ wpa_dbg(wpa_s, MSG_DEBUG,
+ "MLD: No valid pairwise cipher");
+ return false;
+ }
+
+ if (*rsne_type_p == -1) {
+ memcpy(ref_wpa_ie, &wpa_ie, sizeof(wpa_ie));
+
+ *rsne_type_p = rsne_type;
+ } else {
+ /* Verifying the neighbor given rsne_type_p and ref_wpa_ie */
+ if (!(wpa_ie.key_mgmt & ref_wpa_ie->key_mgmt)) {
+ wpa_dbg(wpa_s, MSG_DEBUG,
+ "MLD: neighbor without common AKM");
+ return false;
+ }
- *rsne_type_p = rsne_type;
+ if (!(wpa_ie.pairwise_cipher & ref_wpa_ie->pairwise_cipher)) {
+ wpa_dbg(wpa_s, MSG_DEBUG,
+ "MLD: neighbor without common pairwise cipher");
+ return false;
+ }
+ }
- return !!(wpa_ie.key_mgmt & ssid->key_mgmt);
+ return true;
}
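Review bot: The reference saved by `memcpy(ref_wpa_ie, &wpa_ie, sizeof(wpa_ie));` holds everything the association link advertises rather than what the local profile accepts, so the neighbor checks can pass on an AKM or pairwise cipher that `ssid` does not allow. For example, a profile allowing ciphers A and B, an association link advertising A and C, and a neighbor advertising B and C pass all three tests even though no single cipher is valid for the profile and both links. Narrowing the reference right after the copy, with `ref_wpa_ie->key_mgmt &= ssid->key_mgmt;` and `ref_wpa_ie->pairwise_cipher &= ssid->pairwise_cipher;`, makes the neighbor comparison run against the set that can actually be negotiated. This still does not tie the check to the one suite finally selected, which is presumably chosen elsewhere.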
@@ -1771,7 +1799,8 @@ u16 wpa_bss_get_usable_links(struct wpa_supplicant *wpa_s,
struct wpa_ssid *ssid,
u16 *missing_links)
{
- int rsne_type, key_mgmt;
+ struct wpa_ie_data wpa_ie;
+ int rsne_type;
u16 usable_links = 0;
u8 link_id;
@@ -1780,8 +1809,7 @@ u16 wpa_bss_get_usable_links(struct wpa_supplicant *wpa_s,
rsne_type = -1;
if (ssid &&
- !wpa_bss_validate_rsne_ml(wpa_s, ssid, bss, &key_mgmt,
- &rsne_type)) {
+ !wpa_bss_validate_rsne_ml(wpa_s, ssid, bss, &rsne_type, &wpa_ie)) {
wpa_dbg(wpa_s, MSG_DEBUG, "MLD: No valid key management");
return 0;
}
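Review bot: The caller's message `"MLD: No valid key management"` is now misleading, because the call above it can also fail on the pairwise cipher check added in this patch. The callee already logs the specific reason, so a neutral text such as `wpa_dbg(wpa_s, MSG_DEBUG, "MLD: Association link RSN parameters not acceptable");` would keep debug logs accurate when diagnosing why an AP MLD was rejected. The enclosing function starts and ends outside this hunk.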
@@ -1860,8 +1888,6 @@ u16 wpa_bss_get_usable_links(struct wpa_supplicant *wpa_s,
}
if (ssid) {
- int neigh_key_mgmt;
-
/* As per IEEE P802.11be/D7.0, 12.6.2 (RSNA selection), all APs
* affiliated with an AP MLD shall advertise at least one common
* AKM suite selector in the AKM Suite List field of an RSNE or
@@ -1869,8 +1895,7 @@ u16 wpa_bss_get_usable_links(struct wpa_supplicant *wpa_s,
* configuration with the association link.
*/
if (!wpa_bss_validate_rsne_ml(wpa_s, ssid, neigh_bss,
- &neigh_key_mgmt, &rsne_type) ||
- !(key_mgmt & neigh_key_mgmt)) {
+ &rsne_type, &wpa_ie)) {
wpa_printf(MSG_DEBUG,
"MLD: Discard link %u due to RSN parameter mismatch",
link_id);
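Review bot: The comment above this call still justifies the check only by the common-AKM requirement, while the call now also discards a link that shares no pairwise cipher with the association link. I would add a sentence to the comment such as `Also require a pairwise cipher in common with the association link.` so the reason for a discarded link can be read from the code. The comment begins in the previous hunk and the statement continues past the end of this one.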
--
2.49.0