From b787d1621451db8373ea9691c597ec3bdfcead66 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Thu, 10 Oct 2024 12:10:21 +0300
Subject: [PATCH] FILS: Verify RSNXE when processing (Re)Association Response frame

IEEE Std 802.11ai-2016 did not cover this since the RSNXE did not exist at the time FILS was designed and IEEE Std 802.11-2020 did not seem to catch this case either. However, the AP's RSNXE should be verified in FILS in a similar manner to how the AP's RSNE is verified. Add code to verify the RSNXE in FILS. However, since this has not been clear in the standard and there has been hostapd releases that might omit the RSNXE from (Re)Association Response frame when the STA does not include the RSNXE in (Re)Association Request frame, do not reject association based on this comparison result if the STA did not include an RSNXE in the (Re)Association Request frame. This workaround might be removed in the future.

Signed-off-by: Jouni Malinen
---
 src/rsn_supp/wpa.c | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
index e0ebca64e..e127093ca 100644
--- a/src/rsn_supp/wpa.c
+++ b/src/rsn_supp/wpa.c
@@ -6712,6 +6712,29 @@ int fils_process_assoc_resp(struct wpa_sm *sm, const u8 *resp, size_t len)
 		goto fail;
 	}
 
+	if ((sm->ap_rsnxe && !elems.rsnxe) ||
+	    (!sm->ap_rsnxe && elems.rsnxe) ||
+	    (sm->ap_rsnxe && elems.rsnxe && sm->ap_rsnxe_len >= 2 &&
+	     (sm->ap_rsnxe_len != 2U + elems.rsnxe_len ||
+	      os_memcmp(sm->ap_rsnxe + 2, elems.rsnxe, sm->ap_rsnxe_len - 2) !=
+	      0))) {
+		wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
+			"FILS: RSNXE mismatch between Beacon/Probe Response and (Re)Association Response");
+		wpa_hexdump(MSG_INFO, "FILS: RSNXE in Beacon/Probe Response",
+			    sm->ap_rsnxe, sm->ap_rsnxe_len);
+		wpa_hexdump(MSG_INFO, "RSNXE in (Re)Association Response",
+			    elems.rsnxe, elems.rsnxe_len);
+		/* As an interop workaround, allow this for now if we did not
+		 * include the RSNXE in (Re)Association Request frame since
+		 * IEEE Std 802.11-2020 does not say anything about verifying
+		 * the RSNXE in FILS cases and there have been hostapd releases
+		 * that might omit the RSNXE in cases where the STA did not
+		 * include it in the Association Request frame. This workaround
+		 * might eventually be removed. */
+		if (sm->assoc_rsnxe && sm->assoc_rsnxe_len)
+			goto fail;
+	}
+
 	/* TODO: FILS Public Key */
 	if (!elems.fils_key_confirm) {
-- 
2.47.2
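Review bot: The interop exemption at the end of the new block applies to all three mismatch branches, while the justification in the comment only covers the first one (the AP omitting the RSNXE it advertised in the Beacon/Probe Response); a (Re)Association Response that carries an RSNXE with different contents, or one the AP never advertised, is not the hostapd behaviour being excused, and accepting it whenever the STA sent no RSNXE leaves the AP's extended capabilities unverified for that association. Consider narrowing the workaround to the omission case, e.g. `if (!(sm->ap_rsnxe && !elems.rsnxe) ||` / `    (sm->assoc_rsnxe && sm->assoc_rsnxe_len))` / `	goto fail;`. Separately, the third branch is gated on `sm->ap_rsnxe_len >= 2`, so a stored AP RSNXE shorter than its two-byte element header would pass the comparison silently; presumably the setter guarantees at least the header, but a short comment stating that assumption next to the guard would make the intent clear. fils_process_assoc_resp begins and ends outside this hunk.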