Verify group key configuration for WPA group
If configuration of the group key to the driver fails, move the WPA group into failed state and indicate group setup error to avoid cases where AP could look like it is working even though the keys are not set correctly. Signed-hostap: Jouni Malinen <j@w1.fi>
parent
30675c3416
commit
7d7f7be2e5
2 changed files with 38 additions and 2 deletions
|
@ -437,6 +437,8 @@ int wpa_init_keys(struct wpa_authenticator *wpa_auth)
|
|||
wpa_group_sm_step(wpa_auth, group);
|
||||
group->GInit = FALSE;
|
||||
wpa_group_sm_step(wpa_auth, group);
|
||||
if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
|
||||
return -1;
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
@ -516,6 +518,9 @@ wpa_auth_sta_init(struct wpa_authenticator *wpa_auth, const u8 *addr,
|
|||
{
|
||||
struct wpa_state_machine *sm;
|
||||
|
||||
if (wpa_auth->group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
|
||||
return NULL;
|
||||
|
||||
sm = os_zalloc(sizeof(struct wpa_state_machine));
|
||||
if (sm == NULL)
|
||||
return NULL;
|
||||
|
@ -2587,6 +2592,29 @@ static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
|
|||
}
|
||||
|
||||
|
||||
static int wpa_group_disconnect_cb(struct wpa_state_machine *sm, void *ctx)
|
||||
{
|
||||
if (sm->group == ctx) {
|
||||
wpa_printf(MSG_DEBUG, "WPA: Mark STA " MACSTR
|
||||
" for discconnection due to fatal failure",
|
||||
MAC2STR(sm->addr));
|
||||
sm->Disconnect = TRUE;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
static void wpa_group_fatal_failure(struct wpa_authenticator *wpa_auth,
|
||||
struct wpa_group *group)
|
||||
{
|
||||
wpa_printf(MSG_DEBUG, "WPA: group state machine entering state FATAL_FAILURE");
|
||||
group->changed = TRUE;
|
||||
group->wpa_group_state = WPA_GROUP_FATAL_FAILURE;
|
||||
wpa_auth_for_each_sta(wpa_auth, wpa_group_disconnect_cb, group);
|
||||
}
|
||||
|
||||
|
||||
static int wpa_group_setkeysdone(struct wpa_authenticator *wpa_auth,
|
||||
struct wpa_group *group)
|
||||
{
|
||||
|
@ -2595,8 +2623,10 @@ static int wpa_group_setkeysdone(struct wpa_authenticator *wpa_auth,
|
|||
group->changed = TRUE;
|
||||
group->wpa_group_state = WPA_GROUP_SETKEYSDONE;
|
||||
|
||||
if (wpa_group_config_group_keys(wpa_auth, group) < 0)
|
||||
if (wpa_group_config_group_keys(wpa_auth, group) < 0) {
|
||||
wpa_group_fatal_failure(wpa_auth, group);
|
||||
return -1;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
@ -2607,6 +2637,8 @@ static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
|
|||
{
|
||||
if (group->GInit) {
|
||||
wpa_group_gtk_init(wpa_auth, group);
|
||||
} else if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) {
|
||||
/* Do not allow group operations */
|
||||
} else if (group->wpa_group_state == WPA_GROUP_GTK_INIT &&
|
||||
group->GTKAuthenticator) {
|
||||
wpa_group_setkeysdone(wpa_auth, group);
|
||||
|
@ -3015,6 +3047,9 @@ int wpa_auth_sta_set_vlan(struct wpa_state_machine *sm, int vlan_id)
|
|||
if (sm->group == group)
|
||||
return 0;
|
||||
|
||||
if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
|
||||
return -1;
|
||||
|
||||
wpa_printf(MSG_DEBUG, "WPA: Moving STA " MACSTR " to use group state "
|
||||
"machine for VLAN ID %d", MAC2STR(sm->addr), vlan_id);
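Review bot: In `wpa_group_fatal_failure()` the transition into FATAL_FAILURE is logged only at MSG_DEBUG, yet from that point `wpa_auth_sta_init()` returns NULL and `wpa_auth_sta_set_vlan()` returns -1, so at default verbosity an operator sees stations refused with no recorded cause. Raising it to an error-level message that names the failure, e.g. `wpa_printf(MSG_ERROR, "WPA: group key configuration failed - group state machine entering state FATAL_FAILURE");`, would make the condition visible in logs and monitoring. The debug string in `wpa_group_disconnect_cb()` also misspells "disconnection" as `discconnection`, which defeats log searches for the correct word. The callback only sets `sm->Disconnect = TRUE`; whether each station's state machine is stepped soon afterwards is not visible in these hunks, so it is worth confirming that already-associated stations are actually dropped rather than left connected without a valid group key.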
|
||||
|
||||
|
|
|
@ -139,7 +139,8 @@ struct wpa_group {
|
|||
|
||||
enum {
|
||||
WPA_GROUP_GTK_INIT = 0,
|
||||
WPA_GROUP_SETKEYS, WPA_GROUP_SETKEYSDONE
|
||||
WPA_GROUP_SETKEYS, WPA_GROUP_SETKEYSDONE,
|
||||
WPA_GROUP_FATAL_FAILURE
|
||||
} wpa_group_state;
|
||||
|
||||
u8 GMK[WPA_GMK_LEN];
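Review bot: `WPA_GROUP_FATAL_FAILURE` is added to the enum without a comment, although unlike the other states it is one in which `wpa_group_sm_step()` performs no group operations. A short comment such as `/* group key could not be configured to the driver; no group operations until re-init */` would record that. The "until re-init" part is inferred from the `GInit` branch being tested first in `wpa_group_sm_step()` and should be confirmed. The definition of `struct wpa_group` starts and ends outside the hunk.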
|
||||
|
|