mesh: Generate a separate TX IGTK if PMF is enabled

Previous implementation was incorrectly using MGTK also as the IGTK and
doing this regardless of whether PMF was enabled. IGTK needs to be a
independent key and this commit does that at the local TX side.

The current AMPE element construction and parsing is quite broken, so
this does not get add the IGTKdata field there.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2016-06-18 14:41:59 +03:00
parent 696f792320
commit fccba2c946
2 changed files with 17 additions and 3 deletions

View file

@ -177,9 +177,19 @@ static int __mesh_rsn_auth_init(struct mesh_rsn *rsn, const u8 *addr,
if (random_get_bytes(rsn->mgtk, rsn->mgtk_len) < 0)
return -1;
#ifdef CONFIG_IEEE80211W
if (ieee80211w != NO_MGMT_FRAME_PROTECTION) {
if (random_get_bytes(rsn->igtk, 16) < 0)
return -1;
rsn->igtk_len = 16;
/* group mgmt */
wpa_hexdump_key(MSG_DEBUG, "mesh: Own TX IGTK",
rsn->igtk, rsn->igtk_len);
wpa_drv_set_key(rsn->wpa_s, WPA_ALG_IGTK, NULL, 4, 1,
seq, sizeof(seq), rsn->mgtk, sizeof(rsn->mgtk));
seq, sizeof(seq), rsn->igtk, rsn->igtk_len);
}
#endif /* CONFIG_IEEE80211W */
/* group privacy / data frames */
wpa_hexdump_key(MSG_DEBUG, "mesh: Own TX MGTK",
@ -195,6 +205,8 @@ static void mesh_rsn_deinit(struct mesh_rsn *rsn)
{
os_memset(rsn->mgtk, 0, sizeof(rsn->mgtk));
rsn->mgtk_len = 0;
os_memset(rsn->igtk, 0, sizeof(rsn->igtk));
rsn->igtk_len = 0;
if (rsn->auth)
wpa_deinit(rsn->auth);
}

View file

@ -14,6 +14,8 @@ struct mesh_rsn {
struct wpa_authenticator *auth;
u8 mgtk[WPA_TK_MAX_LEN];
size_t mgtk_len;
u8 igtk[WPA_TK_MAX_LEN];
size_t igtk_len;
#ifdef CONFIG_SAE
struct wpabuf *sae_token;
int sae_group_index;