From 69afb6b395650ebc2fea405efb18d68ad855c1dd Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Wed, 22 May 2019 17:42:53 +0300
Subject: [PATCH] FILS: Verify RSNE match between Beacon/Probe Response and (Re)AssocResp

IEEE Std 802.11ai-2016 requires the FILS STA to do this check, but this was missing from the initial implementation. The AP side behavior was not described properly in 802.11ai due to a missing change in the (Re)Association Response frame format tables which has resulted in some deployed devices not including the RSNE. For now, use an interoperability workaround to ignore the missing RSNE and only check the payload of the element if it is present in the protected frame. In other words, enforce this validation step only with an AP that implements FILS authentication as described in REVmd while allowing older implementations to skip this check (and the protection against downgrade attacks). This workaround may be removed in the future if it is determined that most deployed APs can be upgraded to add RSNE into the (Re)Association Response frames.

Signed-off-by: Jouni Malinen
---
 src/rsn_supp/wpa.c | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
index e0039fac0..8accb9c80 100644
--- a/src/rsn_supp/wpa.c
+++ b/src/rsn_supp/wpa.c
@@ -4320,6 +4320,26 @@ int fils_process_assoc_resp(struct wpa_sm *sm, const u8 *resp, size_t len)
 				    sm->fils_session, FILS_SESSION_LEN);
 	}
 
+	if (!elems.rsn_ie) {
+		wpa_printf(MSG_DEBUG,
+			   "FILS: No RSNE in (Re)Association Response");
+		/* As an interop workaround, allow this for now since IEEE Std
+		 * 802.11ai-2016 did not include all the needed changes to make
+		 * a FILS AP include RSNE in the frame. This workaround might
+		 * eventually be removed and replaced with rejection (goto fail)
+		 * to follow a strict interpretation of the standard. */
+	} else if (wpa_compare_rsn_ie(wpa_key_mgmt_ft(sm->key_mgmt),
+				      sm->ap_rsn_ie, sm->ap_rsn_ie_len,
+				      elems.rsn_ie - 2, elems.rsn_ie_len + 2)) {
+		wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
+			"FILS: RSNE mismatch between Beacon/Probe Response and (Re)Association Response");
+		wpa_hexdump(MSG_DEBUG, "FILS: RSNE in Beacon/Probe Response",
+			    sm->ap_rsn_ie, sm->ap_rsn_ie_len);
+		wpa_hexdump(MSG_DEBUG, "FILS: RSNE in (Re)Association Response",
+			    elems.rsn_ie, elems.rsn_ie_len);
+		goto fail;
+	}
+
 	/* TODO: FILS Public Key */
 	if (!elems.fils_key_confirm) {