jeltz/hostap
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

FILS: Verify RSNE match between Beacon/Probe Response and (Re)AssocResp

Browse source 
IEEE Std 802.11ai-2016 requires the FILS STA to do this check, but this
was missing from the initial implementation. The AP side behavior was
not described properly in 802.11ai due to a missing change in the
(Re)Association Response frame format tables which has resulted in some
deployed devices not including the RSNE.

For now, use an interoperability workaround to ignore the missing RSNE
and only check the payload of the element if it is present in the
protected frame. In other words, enforce this validation step only with
an AP that implements FILS authentication as described in REVmd while
allowing older implementations to skip this check (and the protection
against downgrade attacks). This workaround may be removed in the future
if it is determined that most deployed APs can be upgraded to add RSNE
into the (Re)Association Response frames.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This commit is contained in:
Jouni Malinen 2019-05-22 17:42:53 +03:00 committed by Jouni Malinen
parent 831d8c9cf5
commit 69afb6b395
1 changed files with 20 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

20
src/rsn_supp/wpa.c
View file

@ -4320,6 +4320,26 @@ int fils_process_assoc_resp(struct wpa_sm *sm, const u8 *resp, size_t len)
sm->fils_session, FILS_SESSION_LEN);
}
if (!elems.rsn_ie) {
wpa_printf(MSG_DEBUG,
"FILS: No RSNE in (Re)Association Response");
/* As an interop workaround, allow this for now since IEEE Std
* 802.11ai-2016 did not include all the needed changes to make
* a FILS AP include RSNE in the frame. This workaround might
* eventually be removed and replaced with rejection (goto fail)
* to follow a strict interpretation of the standard. */
} else if (wpa_compare_rsn_ie(wpa_key_mgmt_ft(sm->key_mgmt),
sm->ap_rsn_ie, sm->ap_rsn_ie_len,
elems.rsn_ie - 2, elems.rsn_ie_len + 2)) {
wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
"FILS: RSNE mismatch between Beacon/Probe Response and (Re)Association Response");
wpa_hexdump(MSG_DEBUG, "FILS: RSNE in Beacon/Probe Response",
sm->ap_rsn_ie, sm->ap_rsn_ie_len);
wpa_hexdump(MSG_DEBUG, "FILS: RSNE in (Re)Association Response",
elems.rsn_ie, elems.rsn_ie_len);
goto fail;
}
/* TODO: FILS Public Key */
if (!elems.fils_key_confirm) {