FT: Check for FT associations attempting non-FT auth

Message ID	010001589e80343b-e60cfe20-5fd5-4b75-b6c7-aff7890dd769-000000@email.amazonses.com
State	Accepted
Headers	show Return-Path: <hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org> From: Will Glynn <will@willglynn.com> To: hostap@lists.infradead.org Subject: [PATCH] FT: Check for FT associations attempting non-FT auth Date: Sat, 26 Nov 2016 02:39:12 +0000 Message-ID: <010001589e80343b-e60cfe20-5fd5-4b75-b6c7-aff7890dd769-000000@email.amazonses.com> Feedback-ID: 1.us-east-1.TDe79XS65W7WjQgTIimFPesgKDGBERrSi2u6VWr3n+A=:AmazonSES summary: Content analysis details: (-3.4 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no trust [54.240.8.73 listed in list.dnswl.org] 0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different -0.0 SPF_PASS SPF: sender matches SPF record -1.4 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain -0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3) [54.240.8.73 listed in wl.mailspike.net] -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.0 RCVD_IN_MSPIKE_WL Mailspike good senders Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "Hostap" <hostap-bounces@lists.infradead.org> Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org

Message ID

010001589e80343b-e60cfe20-5fd5-4b75-b6c7-aff7890dd769-000000@email.amazonses.com

State

Accepted

Headers

From: Will Glynn <will@willglynn.com>
To: hostap@lists.infradead.org
Subject: [PATCH] FT: Check for FT associations attempting non-FT auth
Date: Sat, 26 Nov 2016 02:39:12 +0000
Message-ID: <010001589e80343b-e60cfe20-5fd5-4b75-b6c7-aff7890dd769-000000@email.amazonses.com>
Feedback-ID: 1.us-east-1.TDe79XS65W7WjQgTIimFPesgKDGBERrSi2u6VWr3n+A=:AmazonSES
Precedence: list
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: "Hostap" <hostap-bounces@lists.infradead.org>
Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org

Commit Message

Will Glynn Nov. 26, 2016, 2:39 a.m. UTC

IEEE 802.11-2012 section 12.4.2 states that if an MDE is present in an
association request but the RSNE uses a non-FT AKM suite, the access point
must reject the association using code 43 ("Invalid AKMP").

wpa_validate_wpa_ie() now checks for this condition.

Signed-off-by: Will Glynn <will@willglynn.com>
---
 src/ap/wpa_auth_ie.c | 7 +++++++
 1 file changed, 7 insertions(+)

Comments

Jouni Malinen Nov. 29, 2016, 11:01 p.m. UTC | #1

On Sat, Nov 26, 2016 at 02:39:12AM +0000, Will Glynn wrote:
> IEEE 802.11-2012 section 12.4.2 states that if an MDE is present in an
> association request but the RSNE uses a non-FT AKM suite, the access point
> must reject the association using code 43 ("Invalid AKMP").
> 
> wpa_validate_wpa_ie() now checks for this condition.

Thanks, applied.

diff --git a/src/ap/wpa_auth_ie.c b/src/ap/wpa_auth_ie.c
index 1df3009..507c096 100644
--- a/src/ap/wpa_auth_ie.c
+++ b/src/ap/wpa_auth_ie.c
@@ -716,6 +716,13 @@  int wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth,
 				    "MDIE", mdie, MOBILITY_DOMAIN_ID_LEN);
 			return WPA_INVALID_MDIE;
 		}
+	} else {
+		/* non-FT key management; ensure we're not illegally attempting FT */
+		if (mdie != NULL) {
+			wpa_printf(MSG_DEBUG, "RSN: Trying to use non-FT AKM suite, but "
+				   "MDIE included");
+			return WPA_INVALID_AKMP;
+		}
 	}
 #endif /* CONFIG_IEEE80211R_AP */

FT: Check for FT associations attempting non-FT auth

Commit Message

Comments

Patch