From patchwork Sat Nov 26 02:39:12 2016
X-Patchwork-Submitter: Will Glynn
X-Patchwork-Id: 699442
From: Will Glynn
To: hostap@lists.infradead.org
Subject: [PATCH] FT: Check for FT associations attempting non-FT auth
Date: Sat, 26 Nov 2016 02:39:12 +0000
Message-ID: <010001589e80343b-e60cfe20-5fd5-4b75-b6c7-aff7890dd769-000000@email.amazonses.com>

IEEE 802.11-2012 section 12.4.2 states that if an MDE is present in an association request but the RSNE uses
a non-FT AKM suite, the access point must reject the association using code 43 ("Invalid AKMP"). wpa_validate_wpa_ie() now checks for this condition. Signed-off-by: Will Glynn --- src/ap/wpa_auth_ie.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/ap/wpa_auth_ie.c b/src/ap/wpa_auth_ie.c index 1df3009..507c096 100644 --- a/src/ap/wpa_auth_ie.c +++ b/src/ap/wpa_auth_ie.c @@ -716,6 +716,13 @@ int wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth, "MDIE", mdie, MOBILITY_DOMAIN_ID_LEN); return WPA_INVALID_MDIE; } + } else { + /* non-FT key management; ensure we're not illegally attempting FT */ + if (mdie != NULL) { + wpa_printf(MSG_DEBUG, "RSN: Trying to use non-FT AKM suite, but " + "MDIE included"); + return WPA_INVALID_AKMP; + } } #endif /* CONFIG_IEEE80211R_AP */
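Review bot: The added return WPA_INVALID_AKMP in the new else branch is the whole change (one file, seven insertions), while the commit message requires the association to be rejected with status code 43. Please confirm, in the commit message or with a test, that the callers of wpa_validate_wpa_ie() already translate WPA_INVALID_AKMP into that status code, since nothing in this patch touches that mapping. Before this change a request carrying an MDE with a non-FT AKM fell through this block without a rejection here, so the new branch can refuse stations that previously passed this check. The rejection is logged only at MSG_DEBUG, so consider whether that is visible enough for an operator who has to diagnose the resulting association failures. On style, the else block contains nothing but the nested if (mdie != NULL), so it can be written as "} else if (mdie != NULL) {" to save one indentation level.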