path: root/wpa_supplicant/mesh_rsn.c
diff options
authorBob Copeland <me@bobcopeland.com>2015-12-27 02:20:52 (GMT)
committerJouni Malinen <j@w1.fi>2015-12-28 15:21:08 (GMT)
commitb2817cd5c2ee87d2b4812155bee82d74d331b5aa (patch)
tree23fce798654e837f3f3df53819a087f43b5cd4b1 /wpa_supplicant/mesh_rsn.c
parent6c33eed3ee7fd6bd9c561295e001a6b63adbb88d (diff)
mesh: Check PMKID in AMPE Action frames
From IEEE Std 802.11-2012 13.3.5: If the incoming Mesh Peering Management frame is for AMPE and the Chosen PMK from the received frame contains a PMKID that does not identify a valid mesh PMKSA, the frame shall be silently discarded. We were not checking the PMKID previously, and we also weren't parsing it correctly, so fix both. Signed-off-by: Bob Copeland <me@bobcopeland.com>
Diffstat (limited to 'wpa_supplicant/mesh_rsn.c')
1 files changed, 7 insertions, 0 deletions
diff --git a/wpa_supplicant/mesh_rsn.c b/wpa_supplicant/mesh_rsn.c
index 8150ff1..5d88274 100644
--- a/wpa_supplicant/mesh_rsn.c
+++ b/wpa_supplicant/mesh_rsn.c
@@ -500,6 +500,7 @@ free:
int mesh_rsn_process_ampe(struct wpa_supplicant *wpa_s, struct sta_info *sta,
struct ieee802_11_elems *elems, const u8 *cat,
+ const u8 *chosen_pmk,
const u8 *start, size_t elems_len)
int ret = 0;
@@ -513,6 +514,12 @@ int mesh_rsn_process_ampe(struct wpa_supplicant *wpa_s, struct sta_info *sta,
const size_t aad_len[] = { ETH_ALEN, ETH_ALEN,
(elems->mic - 2) - cat };
+ if (chosen_pmk && os_memcmp(chosen_pmk, sta->sae->pmkid, PMKID_LEN)) {
+ wpa_msg(wpa_s, MSG_DEBUG,
+ "Mesh RSN: Invalid PMKID (Chosen PMK did not match calculated PMKID)");
+ return -1;
+ }
if (!elems->mic || elems->mic_len < AES_BLOCK_SIZE) {
wpa_msg(wpa_s, MSG_DEBUG, "Mesh RSN: missing mic ie");
return -1;