Verify that EAPOL-Key MIC generation succeeds

This can now fail, e.g., if trying to use TKIP in FIPS mode.

diff --git a/src/common/wpa_common.c b/src/common/wpa_common.c
index dd860d8..4d56c49 100644 (file)
--- a/src/common/wpa_common.c
+++ b/src/common/wpa_common.c
@@ -50,10 +50,10 @@ int wpa_eapol_key_mic(const u8 *key, int ver, const u8 *buf, size_t len,
 
        switch (ver) {
        case WPA_KEY_INFO_TYPE_HMAC_MD5_RC4:
-               hmac_md5(key, 16, buf, len, mic);
-               break;
+               return hmac_md5(key, 16, buf, len, mic);
        case WPA_KEY_INFO_TYPE_HMAC_SHA1_AES:
-               hmac_sha1(key, 16, buf, len, hash);
+               if (hmac_sha1(key, 16, buf, len, hash))
+                       return -1;
                os_memcpy(mic, hash, MD5_MAC_LEN);
                break;
 #if defined(CONFIG_IEEE80211R) || defined(CONFIG_IEEE80211W)

diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
index ff84c92..d6f84ff 100644 (file)
--- a/src/rsn_supp/wpa.c
+++ b/src/rsn_supp/wpa.c
@@ -119,11 +119,16 @@ void wpa_eapol_key_send(struct wpa_sm *sm, const u8 *kck,
                                   MAC2STR(dest));
                }
        }
-       if (key_mic)
-               wpa_eapol_key_mic(kck, ver, msg, msg_len, key_mic);
+       if (key_mic &&
+           wpa_eapol_key_mic(kck, ver, msg, msg_len, key_mic)) {
+               wpa_printf(MSG_ERROR, "WPA: Failed to generate EAPOL-Key "
+                          "version %d MIC", ver);
+               goto out;
+       }
        wpa_hexdump(MSG_MSGDUMP, "WPA: TX EAPOL-Key", msg, msg_len);
        wpa_sm_ether_send(sm, dest, proto, msg, msg_len);
        eapol_sm_notify_tx_eapol_key(sm->eapol);
+out:
        os_free(msg);
 }