mesh: Indicate OPN_RJCT event if AES-SIV decrypt fails

REVmc/D6.0 14.5.5.2.2 (Processing Mesh Peering Open frames for AMPE)
mandates the OPN_RJCT event to be invoked if AES-SIV decryption for
received Mesh Peering Open frame fails. This allows a Mesh Peering Close
frame to be sent in such a case.

Signed-off-by: Jouni Malinen <j@w1.fi>

diff --git a/wpa_supplicant/mesh_mpm.c b/wpa_supplicant/mesh_mpm.c
index f445b6c..8afdc16 100644 (file)
--- a/wpa_supplicant/mesh_mpm.c
+++ b/wpa_supplicant/mesh_mpm.c
@@ -1144,13 +1144,23 @@ void mesh_mpm_action_rx(struct wpa_supplicant *wpa_s,
        if (!sta->my_lid)
                mesh_mpm_init_link(wpa_s, sta);
 
        if (!sta->my_lid)
                mesh_mpm_init_link(wpa_s, sta);
 

-       if ((mconf->security & MESH_CONF_SEC_AMPE) &&
-           mesh_rsn_process_ampe(wpa_s, sta, &elems,
-                                 &mgmt->u.action.category,
-                                 peer_mgmt_ie.chosen_pmk,
-                                 ies, ie_len)) {
-               wpa_printf(MSG_DEBUG, "MPM: RSN process rejected frame");
-               return;
+       if (mconf->security & MESH_CONF_SEC_AMPE) {
+               int res;
+
+               res = mesh_rsn_process_ampe(wpa_s, sta, &elems,
+                                           &mgmt->u.action.category,
+                                           peer_mgmt_ie.chosen_pmk,
+                                           ies, ie_len);
+               if (res) {
+                       wpa_printf(MSG_DEBUG,
+                                  "MPM: RSN process rejected frame (res=%d)",
+                                  res);
+                       if (action_field == PLINK_OPEN && res == -2) {
+                               /* AES-SIV decryption failed */
+                               mesh_mpm_fsm(wpa_s, sta, OPN_RJCT);
+                       }
+                       return;
+               }

        }
 
        if (sta->plink_state == PLINK_BLOCKED) {
        }
 
        if (sta->plink_state == PLINK_BLOCKED) {

diff --git a/wpa_supplicant/mesh_rsn.c b/wpa_supplicant/mesh_rsn.c
index cc600e2..27ab8cb 100644 (file)
--- a/wpa_supplicant/mesh_rsn.c
+++ b/wpa_supplicant/mesh_rsn.c
@@ -653,7 +653,7 @@ int mesh_rsn_process_ampe(struct wpa_supplicant *wpa_s, struct sta_info *sta,
        if (aes_siv_decrypt(sta->aek, crypt, crypt_len, 3,
                            aad, aad_len, ampe_buf)) {
                wpa_printf(MSG_ERROR, "Mesh RSN: frame verification failed!");
        if (aes_siv_decrypt(sta->aek, crypt, crypt_len, 3,
                            aad, aad_len, ampe_buf)) {
                wpa_printf(MSG_ERROR, "Mesh RSN: frame verification failed!");

-               ret = -1;
+               ret = -2;

                goto free;
        }
 
                goto free;
        }