RSN: Ignore IGTK configuration errors with swapped KeyID values

There are number of deployed APs with broken PMF implementation where
the IGTK KDE uses swapped bytes in the KeyID field (0x0400 and 0x0500
instead of 4 and 5). Such APs cannot be trusted to implement BIP
correctly or provide a valid IGTK, so do not try to configure this key
with swapped KeyID bytes. Instead, continue without configuring the IGTK
so that the driver can drop any received group-addressed robust
management frames due to missing keys.

Normally, this error behavior would result in us disconnecting, but
there are number of deployed APs with this broken behavior, so as an
interoperability workaround, allow the connection to proceed.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This commit is contained in:
Jouni Malinen 2019-04-16 12:06:28 +03:00 committed by Jouni Malinen
parent dfdabd917a
commit 824cb5a530

View file

@ -1058,10 +1058,28 @@ static int wpa_supplicant_install_igtk(struct wpa_sm *sm,
broadcast_ether_addr,
keyidx, 0, igtk->pn, sizeof(igtk->pn),
igtk->igtk, len) < 0) {
if (keyidx == 0x0400 || keyidx == 0x0500) {
/* Assume the AP has broken PMF implementation since it
* seems to have swapped the KeyID bytes. The AP cannot
* be trusted to implement BIP correctly or provide a
* valid IGTK, so do not try to configure this key with
* swapped KeyID bytes. Instead, continue without
* configuring the IGTK so that the driver can drop any
* received group-addressed robust management frames due
* to missing keys.
*
* Normally, this error behavior would result in us
* disconnecting, but there are number of deployed APs
* with this broken behavior, so as an interoperability
* workaround, allow the connection to proceed. */
wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
"WPA: Ignore IGTK configuration error due to invalid IGTK KeyID byte order");
} else {
wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
"WPA: Failed to configure IGTK to the driver");
return -1;
}
}
if (wnm_sleep) {
sm->igtk_wnm_sleep.igtk_len = len;