FILS: Verify RSNE match between Beacon/Probe Response and (Re)AssocResp

IEEE Std 802.11ai-2016 requires the FILS STA to do this check, but this
was missing from the initial implementation. The AP side behavior was
not described properly in 802.11ai due to a missing change in the
(Re)Association Response frame format tables which has resulted in some
deployed devices not including the RSNE.

For now, use an interoperability workaround to ignore the missing RSNE
and only check the payload of the element if it is present in the
protected frame. In other words, enforce this validation step only with
an AP that implements FILS authentication as described in REVmd while
allowing older implementations to skip this check (and the protection
against downgrade attacks). This workaround may be removed in the future
if it is determined that most deployed APs can be upgraded to add RSNE
into the (Re)Association Response frames.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
index e0039fac04cc394eb042cdfabc649d159c9ce633..8accb9c80d9ee47d033c2539a30c57325d415bb6 100644 (file)
--- a/src/rsn_supp/wpa.c
+++ b/src/rsn_supp/wpa.c
@@ -4320,6 +4320,26 @@ int fils_process_assoc_resp(struct wpa_sm *sm, const u8 *resp, size_t len)
                            sm->fils_session, FILS_SESSION_LEN);
        }
 
+       if (!elems.rsn_ie) {
+               wpa_printf(MSG_DEBUG,
+                          "FILS: No RSNE in (Re)Association Response");
+               /* As an interop workaround, allow this for now since IEEE Std
+                * 802.11ai-2016 did not include all the needed changes to make
+                * a FILS AP include RSNE in the frame. This workaround might
+                * eventually be removed and replaced with rejection (goto fail)
+                * to follow a strict interpretation of the standard. */
+       } else if (wpa_compare_rsn_ie(wpa_key_mgmt_ft(sm->key_mgmt),
+                                     sm->ap_rsn_ie, sm->ap_rsn_ie_len,
+                                     elems.rsn_ie - 2, elems.rsn_ie_len + 2)) {
+               wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
+                       "FILS: RSNE mismatch between Beacon/Probe Response and (Re)Association Response");
+               wpa_hexdump(MSG_DEBUG, "FILS: RSNE in Beacon/Probe Response",
+                           sm->ap_rsn_ie, sm->ap_rsn_ie_len);
+               wpa_hexdump(MSG_DEBUG, "FILS: RSNE in (Re)Association Response",
+                           elems.rsn_ie, elems.rsn_ie_len);
+               goto fail;
+       }
+
        /* TODO: FILS Public Key */
 
        if (!elems.fils_key_confirm) {