RSN: Verify RSNXE match between (Re)AssocReq and EAPOL-Key msg 2/4
authorJouni Malinen <jouni@codeaurora.org>
Thu, 17 Oct 2019 21:17:51 +0000 (00:17 +0300)
committerJouni Malinen <j@w1.fi>
Thu, 17 Oct 2019 21:20:29 +0000 (00:20 +0300)
If the STA advertises RSN Extension element, it has to be advertised
consistently in the unprotected ((Re)Association Request) and protected
(EAPOL-Key msg 2/4) frames. Verify that this is the case.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
src/ap/wpa_auth.c

index aaea5841f12e225bf497b2ddca7a9f97f58f1249..7b690d730d23100d21a43ca6895869150f815a98 100644 (file)
@@ -2937,6 +2937,22 @@ SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
                                   WLAN_REASON_PREV_AUTH_NOT_VALID);
                return;
        }
+       if ((!sm->rsnxe && kde.rsnxe) ||
+           (sm->rsnxe && !kde.rsnxe) ||
+           (sm->rsnxe && kde.rsnxe &&
+            (sm->rsnxe_len != kde.rsnxe_len ||
+             os_memcmp(sm->rsnxe, kde.rsnxe, sm->rsnxe_len) != 0))) {
+               wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
+                               "RSNXE from (Re)AssocReq did not match the one in EAPOL-Key msg 2/4");
+               wpa_hexdump(MSG_DEBUG, "RSNXE in AssocReq",
+                           sm->rsnxe, sm->rsnxe_len);
+               wpa_hexdump(MSG_DEBUG, "RSNXE in EAPOL-Key msg 2/4",
+                           kde.rsnxe, kde.rsnxe_len);
+               /* MLME-DEAUTHENTICATE.request */
+               wpa_sta_disconnect(wpa_auth, sm->addr,
+                                  WLAN_REASON_PREV_AUTH_NOT_VALID);
+               return;
+       }
 #ifdef CONFIG_OCV
        if (wpa_auth_uses_ocv(sm)) {
                struct wpa_channel_info ci;
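Review bot: The added RSNXE comparison at the top of this hunk carries no comment saying why a mismatch is fatal; the only comment in the new block is the `/* MLME-DEAUTHENTICATE.request */` marker. Per the commit message, the (Re)Association Request copy is unprotected and the EAPOL-Key msg 2/4 copy is protected, so this is the check that detects an element altered or stripped in transit. I would put `/* RSNXE in (Re)AssocReq is unprotected; it must match the protected copy in EAPOL-Key msg 2/4 */` above the `if`. The check is only meaningful if `kde` was parsed from a frame whose MIC has already been verified. That is presumably done earlier in PTKCALCNEGOTIATING, but the function starts and ends outside the hunk, so it cannot be confirmed here and is worth stating in the same comment.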