From b2817cd5c2ee87d2b4812155bee82d74d331b5aa Mon Sep 17 00:00:00 2001
From: Bob Copeland
Date: Sat, 26 Dec 2015 21:20:52 -0500
Subject: [PATCH] mesh: Check PMKID in AMPE Action frames

From IEEE Std 802.11-2012 13.3.5: If the incoming Mesh Peering Management frame is for AMPE and the Chosen PMK from the received frame contains a PMKID that does not identify a valid mesh PMKSA, the frame shall be silently discarded. We were not checking the PMKID previously, and we also weren't parsing it correctly, so fix both.

Signed-off-by: Bob Copeland
---
 wpa_supplicant/mesh_mpm.c | 3 ++-
 wpa_supplicant/mesh_rsn.c | 7 +++++++
 wpa_supplicant/mesh_rsn.h | 1 +
 3 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/wpa_supplicant/mesh_mpm.c b/wpa_supplicant/mesh_mpm.c
index 7ebd4d2e6..3259151a5 100644
--- a/wpa_supplicant/mesh_mpm.c
+++ b/wpa_supplicant/mesh_mpm.c
@@ -74,8 +74,8 @@ static int mesh_mpm_parse_peer_mgmt(struct wpa_supplicant *wpa_s,
 	/* remove optional PMK at end */
 	if (len >= 16) {
-		len -= 16;
 		mpm_ie->pmk = ie + len - 16;
+		len -= 16;
 	}
 	if ((action_field == PLINK_OPEN && len != 4) ||
@@ -1014,6 +1014,7 @@ void mesh_mpm_action_rx(struct wpa_supplicant *wpa_s,
 	if ((mconf->security & MESH_CONF_SEC_AMPE) &&
 	    mesh_rsn_process_ampe(wpa_s, sta, &elems, &mgmt->u.action.category,
+				  peer_mgmt_ie.pmk,
 				  ies, ie_len)) {
 		wpa_printf(MSG_DEBUG, "MPM: RSN process rejected frame");
 		return;
diff --git a/wpa_supplicant/mesh_rsn.c b/wpa_supplicant/mesh_rsn.c
index 8150ff197..5d88274b8 100644
--- a/wpa_supplicant/mesh_rsn.c
+++ b/wpa_supplicant/mesh_rsn.c
@@ -500,6 +500,7 @@ free:
 int mesh_rsn_process_ampe(struct wpa_supplicant *wpa_s, struct sta_info *sta,
 			  struct ieee802_11_elems *elems, const u8 *cat,
+			  const u8 *chosen_pmk,
 			  const u8 *start, size_t elems_len)
 {
 	int ret = 0;
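Review bot: The PMKID length is hard-coded as 16 in both the guard and the pointer arithmetic of the `if (len >= 16)` block, while the mesh_rsn.c hunk of this same patch compares against `PMKID_LEN`; using the constant on both sides keeps the parser and the check from drifting apart, i.e. `if (len >= PMKID_LEN) {`, `mpm_ie->pmk = ie + len - PMKID_LEN;`, `len -= PMKID_LEN;` (assuming mesh_mpm.c has PMKID_LEN in scope). Since the pointer is consumed in another file, a one-line comment would help the next reader: `/* Chosen PMK (PMKID): the trailing PMKID_LEN bytes of the element, consumed by mesh_rsn_process_ampe() */`. Note that an element of 16 bytes or more in a frame type that carries no Chosen PMK will have its tail taken as the PMKID and then fail the length checks that follow; that looks intended but is worth a word in the comment. mesh_mpm_parse_peer_mgmt starts before the hunk.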
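Review bot: The call site now forwards `peer_mgmt_ie.pmk`, and the check added in mesh_rsn_process_ampe() is skipped whenever that pointer is NULL, so this caller depends on peer_mgmt_ie being zeroed before mesh_mpm_parse_peer_mgmt() fills it; that initialization is outside the hunk and is worth confirming, otherwise a stale or uninitialized pointer would be compared against PMKID_LEN bytes. A short comment at the call would make the contract visible: `/* peer_mgmt_ie.pmk is the Chosen PMK (PMKID) or NULL when the element carried none */`. mesh_mpm_action_rx continues outside the hunk.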
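Review bot: The new `chosen_pmk` parameter of mesh_rsn_process_ampe() is undocumented: nothing at the definition says how many bytes it must point to or that NULL is accepted, although the implementation hunk reads PMKID_LEN bytes from it when non-NULL and skips the check otherwise. A header comment on the definition (mirrored on the prototype in mesh_rsn.h) such as `chosen_pmk: Chosen PMK (PMKID, PMKID_LEN bytes) from the Mesh Peering Management element, or NULL if the element carried none` would pin that down. The function body continues outside the hunk.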
@@ -513,6 +514,12 @@ int mesh_rsn_process_ampe(struct wpa_supplicant *wpa_s, struct sta_info *sta,
 	const size_t aad_len[] = { ETH_ALEN, ETH_ALEN, (elems->mic - 2) - cat };
+	if (chosen_pmk && os_memcmp(chosen_pmk, sta->sae->pmkid, PMKID_LEN)) {
+		wpa_msg(wpa_s, MSG_DEBUG,
+			"Mesh RSN: Invalid PMKID (Chosen PMK did not match calculated PMKID)");
+		return -1;
+	}
+
 	if (!elems->mic || elems->mic_len < AES_BLOCK_SIZE) {
 		wpa_msg(wpa_s, MSG_DEBUG, "Mesh RSN: missing mic ie");
 		return -1;
diff --git a/wpa_supplicant/mesh_rsn.h b/wpa_supplicant/mesh_rsn.h
index b1471b2de..89601d407 100644
--- a/wpa_supplicant/mesh_rsn.h
+++ b/wpa_supplicant/mesh_rsn.h
@@ -30,6 +30,7 @@ int mesh_rsn_protect_frame(struct mesh_rsn *rsn, struct sta_info *sta,
 			   const u8 *cat, struct wpabuf *buf);
 int mesh_rsn_process_ampe(struct wpa_supplicant *wpa_s, struct sta_info *sta,
 			  struct ieee802_11_elems *elems, const u8 *cat,
+			  const u8 *chosen_pmk,
 			  const u8 *start, size_t elems_len);
 void mesh_auth_timer(void *eloop_ctx, void *user_data);
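Review bot: The new check dereferences `sta->sae->pmkid` without testing `sta->sae`; whether the SAE state can still be unallocated when an AMPE Action frame arrives for this sta is not visible here, but if it is only created once authentication has progressed, a peering frame that arrives early would hit a NULL dereference instead of being dropped. Treating a missing SAE context as a PMKID mismatch costs one test: `if (chosen_pmk && (!sta->sae || os_memcmp(chosen_pmk, sta->sae->pmkid, PMKID_LEN) != 0)) {`. Writing `!= 0` explicitly also makes the memcmp intent clear and matches the tree's usual style. Separately, the check is skipped entirely when chosen_pmk is NULL, whereas the quoted 13.3.5 text concerns AMPE frames whose Chosen PMK does not identify a valid PMKSA; if the Chosen PMK field is mandatory for AMPE peering frames, an absent field should arguably be rejected here too rather than passed on to MIC verification. mesh_rsn_process_ampe continues past the hunk.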