tests: Fix clearing of IGTK PN in handshake retransmit test functions

When locating the position of the IGTK PN in the key data, we also need to skip the KDE header, in addition to the keyid field. This fixes hostapd RESEND_M3 and RESEND_GROUP_M1 behavior when PMF is negotiated for the association. Previously, the IGTK KDE ended up getting practically hidden since zeroing of the PN ended up clearing the KDE OUI and Type fields. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
6 years ago · 9f917339cc
parent 20daa57b92
commit 9f917339cc
1 changed files with 7 additions and 4 deletions
--- a/src/ap/wpa_auth.c
+++ b/src/ap/wpa_auth.c
@ -4683,8 +4683,9 @@ int wpa_auth_resend_m3(struct wpa_state_machine *sm,
 #ifdef CONFIG_IEEE80211W
 	opos = pos;
 	pos = ieee80211w_kde_add(sm, pos);
-	if (pos - opos >= WPA_IGTK_KDE_PREFIX_LEN) {
-		opos += 2; /* skip keyid */
+	if (pos - opos >= 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN) {
+		/* skip KDE header and keyid */
+		opos += 2 + RSN_SELECTOR_LEN + 2;
 		os_memset(opos, 0, 6); /* clear PN */
 	}
 #endif /* CONFIG_IEEE80211W */
@ -4779,8 +4780,10 @@ int wpa_auth_resend_group_m1(struct wpa_state_machine *sm,
 #ifdef CONFIG_IEEE80211W
 		opos = pos;
 		pos = ieee80211w_kde_add(sm, pos);
-		if (pos - opos >= WPA_IGTK_KDE_PREFIX_LEN) {
-			opos += 2; /* skip keyid */
+		if (pos - opos >=
+		    2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN) {
+			/* skip KDE header and keyid */
+			opos += 2 + RSN_SELECTOR_LEN + 2;
 			os_memset(opos, 0, 6); /* clear PN */
 		}
 #endif /* CONFIG_IEEE80211W */