From 6498351670c0d6f20266cce4f9009ebf911f98d7 Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Sun, 12 Mar 2017 22:59:52 +0200 Subject: [PATCH] FILS: Check FILS Indication element against local network profile Do not try to use FILS authentication unless the AP indicates support for the type the local network profile enforces. Signed-off-by: Jouni Malinen --- wpa_supplicant/sme.c | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/wpa_supplicant/sme.c b/wpa_supplicant/sme.c index 5ab56c827..046a2db84 100644 --- a/wpa_supplicant/sme.c +++ b/wpa_supplicant/sme.c @@ -557,6 +557,37 @@ static void sme_send_authentication(struct wpa_supplicant *wpa_s, * networks). */ if (params.auth_alg == WPA_AUTH_ALG_OPEN && wpa_key_mgmt_fils(ssid->key_mgmt)) { + const u8 *indic; + u16 fils_info; + + /* + * Check FILS Indication element (FILS Information field) bits + * indicating supported authentication algorithms against local + * configuration (ssid->fils_dh_group). Try to use FILS + * authentication only if the AP supports the combination in the + * network profile. */ + indic = wpa_bss_get_ie(bss, WLAN_EID_FILS_INDICATION); + if (!indic || indic[1] < 2) { + wpa_printf(MSG_DEBUG, "SME: " MACSTR + " does not include FILS Indication element - cannot use FILS authentication with it", + MAC2STR(bss->bssid)); + goto no_fils; + } + + fils_info = WPA_GET_LE16(indic + 2); + if (ssid->fils_dh_group == 0 && !(fils_info & BIT(9))) { + wpa_printf(MSG_DEBUG, "SME: " MACSTR + " does not support FILS SK without PFS - cannot use FILS authentication with it", + MAC2STR(bss->bssid)); + goto no_fils; + } + if (ssid->fils_dh_group != 0 && !(fils_info & BIT(10))) { + wpa_printf(MSG_DEBUG, "SME: " MACSTR + " does not support FILS SK with PFS - cannot use FILS authentication with it", + MAC2STR(bss->bssid)); + goto no_fils; + } + if (pmksa_cache_set_current(wpa_s->wpa, NULL, bss->bssid, ssid, 0, wpa_bss_get_fils_cache_id(bss)) == @@ -582,6 +613,7 @@ static void sme_send_authentication(struct wpa_supplicant *wpa_s, wpa_s->sme.auth_alg = auth_alg; } } +no_fils: #endif /* CONFIG_FILS */ wpa_supplicant_cancel_sched_scan(wpa_s);