AP: guard FT-SAE code with CONFIG_IEEE80211R_AP

Message ID	20220404071312.99989-1-bgalvani@redhat.com
State	Changes Requested
Headers	show Return-Path: <hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org> From: Beniamino Galvani <bgalvani@redhat.com> To: hostap@lists.infradead.org Cc: Beniamino Galvani <bgalvani@redhat.com> Subject: [PATCH] AP: guard FT-SAE code with CONFIG_IEEE80211R_AP Date: Mon, 4 Apr 2022 09:13:12 +0200 Message-Id: <20220404071312.99989-1-bgalvani@redhat.com> MIME-Version: 1.0 preview: wpa_supplicant doesn't support FT in AP mode, but it still negotiates FT-SAE. This can lead to an authentication failure when the AP is started with key_mgmt="SAE FT-SAE" and the STA supports both. Ensure that FT-SAE is not negotiated when CONFIG_IEEE80211R_AP is not defined. Content analysis details: (-0.9 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at https://www.dnswl.org/, low trust [170.10.133.124 listed in list.dnswl.org] 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.0 SPF_NONE SPF: sender does not publish an SPF Record -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain 0.0 RCVD_IN_MSPIKE_H5 RBL: Excellent reputation (+5) [170.10.133.124 listed in wl.mailspike.net] 0.0 RCVD_IN_MSPIKE_WL Mailspike good senders Precedence: list Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "Hostap" <hostap-bounces@lists.infradead.org> Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org
Series	AP: guard FT-SAE code with CONFIG_IEEE80211R_AP \| expand AP: guard FT-SAE code with CONFIG_IEEE80211R_AP

Message ID

20220404071312.99989-1-bgalvani@redhat.com

State

Changes Requested

Headers

From: Beniamino Galvani <bgalvani@redhat.com>
To: hostap@lists.infradead.org
Cc: Beniamino Galvani <bgalvani@redhat.com>
Subject: [PATCH] AP: guard FT-SAE code with CONFIG_IEEE80211R_AP
Date: Mon,  4 Apr 2022 09:13:12 +0200
Message-Id: <20220404071312.99989-1-bgalvani@redhat.com>
MIME-Version: 1.0
Precedence: list
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: "Hostap" <hostap-bounces@lists.infradead.org>
Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org

Series

AP: guard FT-SAE code with CONFIG_IEEE80211R_AP | expand

Commit Message

Beniamino Galvani April 4, 2022, 7:13 a.m. UTC

wpa_supplicant doesn't support FT in AP mode, but it still negotiates
FT-SAE. This can lead to an authentication failure when the AP is
started with key_mgmt="SAE FT-SAE" and the STA supports both.

Ensure that FT-SAE is not negotiated when CONFIG_IEEE80211R_AP is not
defined.

Signed-off-by: Beniamino Galvani <bgalvani@redhat.com>
---
 src/ap/wpa_auth_ie.c | 6 ++++++
 1 file changed, 6 insertions(+)

Comments

Jouni Malinen April 6, 2022, 8:21 p.m. UTC | #1

On Mon, Apr 04, 2022 at 09:13:12AM +0200, Beniamino Galvani wrote:
> wpa_supplicant doesn't support FT in AP mode, but it still negotiates
> FT-SAE. This can lead to an authentication failure when the AP is
> started with key_mgmt="SAE FT-SAE" and the STA supports both.
> 
> Ensure that FT-SAE is not negotiated when CONFIG_IEEE80211R_AP is not
> defined.

This sounds like hiding the problem with invalid configuration instead
of addressing that more explicitly. Wouldn't it be better to refuse to
start the AP mode operation if it is configured with unsupported
key_mgmt value? I'm not keen on having the configuration indicate
something is enabled when it is actually not in practice.

diff --git a/src/ap/wpa_auth_ie.c b/src/ap/wpa_auth_ie.c
index 524922e4e..d63cbeb92 100644
--- a/src/ap/wpa_auth_ie.c
+++ b/src/ap/wpa_auth_ie.c
@@ -228,11 +228,13 @@  int wpa_write_rsn_ie(struct wpa_auth_config *conf, u8 *buf, size_t len,
 		pos += RSN_SELECTOR_LEN;
 		num_suites++;
 	}
+#ifdef CONFIG_IEEE80211R_AP
 	if (conf->wpa_key_mgmt & WPA_KEY_MGMT_FT_SAE) {
 		RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_SAE);
 		pos += RSN_SELECTOR_LEN;
 		num_suites++;
 	}
+#endif /* CONFIG_IEEE80211R_AP */
 #endif /* CONFIG_SAE */
 	if (conf->wpa_key_mgmt & WPA_KEY_MGMT_IEEE8021X_SUITE_B) {
 		RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_802_1X_SUITE_B);
@@ -670,8 +672,10 @@  wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth,
 #ifdef CONFIG_SAE
 		else if (data.key_mgmt & WPA_KEY_MGMT_SAE)
 			selector = RSN_AUTH_KEY_MGMT_SAE;
+#ifdef CONFIG_IEEE80211R_AP
 		else if (data.key_mgmt & WPA_KEY_MGMT_FT_SAE)
 			selector = RSN_AUTH_KEY_MGMT_FT_SAE;
+#endif /* CONFIG_IEEE80211R_AP */
 #endif /* CONFIG_SAE */
 		else if (data.key_mgmt & WPA_KEY_MGMT_IEEE8021X)
 			selector = RSN_AUTH_KEY_MGMT_UNSPEC_802_1X;
@@ -778,8 +782,10 @@  wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth,
 #ifdef CONFIG_SAE
 	else if (key_mgmt & WPA_KEY_MGMT_SAE)
 		sm->wpa_key_mgmt = WPA_KEY_MGMT_SAE;
+#ifdef CONFIG_IEEE80211R_AP
 	else if (key_mgmt & WPA_KEY_MGMT_FT_SAE)
 		sm->wpa_key_mgmt = WPA_KEY_MGMT_FT_SAE;
+#endif /* CONFIG_IEEE80211R_AP */
 #endif /* CONFIG_SAE */
 	else if (key_mgmt & WPA_KEY_MGMT_IEEE8021X)
 		sm->wpa_key_mgmt = WPA_KEY_MGMT_IEEE8021X;

AP: guard FT-SAE code with CONFIG_IEEE80211R_AP

Commit Message

Comments

Patch