Discard EAPOL-Key request without Secure=1

EAPOL-Key request is accepted only if the MIC has been verified, so PTK
must have already been derived and Secure=1 needs to be used. Check the
Secure bit explicitly for completeness even though the MIC verification
is already taking care of validating that the sender is in the
possession of valid keys.

Signed-off-by: Jouni Malinen <j@w1.fi>

diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
index b07f1364712ef0d811920932a427d0d4a4f772e2..79ecd4e5b17649c50e91f4f2a4ea51e8f7e711e8 100644 (file)
--- a/src/ap/wpa_auth.c
+++ b/src/ap/wpa_auth.c
@@ -1516,6 +1516,12 @@ void wpa_receive(struct wpa_authenticator *wpa_auth,
        }
 
        if (key_info & WPA_KEY_INFO_REQUEST) {
+               if (!(key_info & WPA_KEY_INFO_SECURE)) {
+                       wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
+                                       LOGGER_INFO,
+                                       "received EAPOL-Key request without Secure=1");
+                       goto out;
+               }
                if (sm->MICVerified) {
                        sm->req_replay_counter_used = 1;
                        os_memcpy(sm->req_replay_counter, key->replay_counter,