Prevent ieee80211_get_txkey() from returning the integrity group temporal

key (IGTK) if a node doesn't have management frame protection (MFP) enabled.
The IGTK is not initialized if MFP is disabled, so using it triggers this
panic in ieee80211_encrypt(): panic("invalid key cipher 0x%x", k->k_cipher)

(As far as I can tell, at present, MFP is never enabled.)

Problem reported and fix tested by tj@ on athn(4) hostap

1 files changed, 6 insertions, 7 deletions

diff --git a/sys/net80211/ieee80211_crypto.c b/sys/net80211/ieee80211_crypto.c
index 046412f9e5c..8ede6e324a4 100644
--- a/sys/net80211/ieee80211_crypto.c
+++ b/sys/net80211/ieee80211_crypto.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ieee80211_crypto.c,v 1.73 2018/04/28 14:46:10 stsp Exp $	*/
+/*	$OpenBSD: ieee80211_crypto.c,v 1.74 2018/09/24 20:14:59 stsp Exp $	*/
 
 /*-
  * Copyright (c) 2008 Damien Bergamini <damien.bergamini@free.fr>
@@ -196,13 +196,12 @@ ieee80211_get_txkey(struct ieee80211com *ic, const struct ieee80211_frame *wh,
 	    ni->ni_rsncipher != IEEE80211_CIPHER_USEGROUP)
 		return &ni->ni_pairwise_key;
 
-	if ((ic->ic_flags & IEEE80211_F_WEPON) ||
-	    !IEEE80211_IS_MULTICAST(wh->i_addr1) ||
-	    (wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK) !=
-	    IEEE80211_FC0_TYPE_MGT)
-		kid = ic->ic_def_txkey;
-	else
+	/* All other cases (including WEP) use a group key. */
+	if (ni->ni_flags & IEEE80211_NODE_MFP)
 		kid = ic->ic_igtk_kid;
+	else
+		kid = ic->ic_def_txkey;
+
 	return &ic->ic_nw_keys[kid];
 }