SAE: Verify that STA negotiated H2E if it claims to support it

If a STA indicates support for SAE H2E in RSNXE and H2E is enabled in
the AP configuration, require H2E to be used.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This commit is contained in:
Jouni Malinen 2019-10-18 12:38:11 +03:00 committed by Jouni Malinen
parent 74866f5378
commit 898b6d58f3
2 changed files with 26 additions and 0 deletions

View file

@ -16,6 +16,7 @@
#include "common/ieee802_11_common.h"
#include "common/wpa_ctrl.h"
#include "common/dpp.h"
#include "common/sae.h"
#include "crypto/random.h"
#include "p2p/p2p.h"
#include "wps/wps.h"
@ -398,6 +399,20 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr,
}
}
#endif /* CONFIG_IEEE80211R_AP */
#ifdef CONFIG_SAE
if (hapd->conf->sae_pwe == 2 &&
sta->auth_alg == WLAN_AUTH_SAE &&
sta->sae && sta->sae->tmp && !sta->sae->tmp->h2e &&
elems.rsnxe && elems.rsnxe_len >= 1 &&
(elems.rsnxe[0] & BIT(WLAN_RSNX_CAPAB_SAE_H2E))) {
wpa_printf(MSG_INFO, "SAE: " MACSTR
" indicates support for SAE H2E, but did not use it",
MAC2STR(sta->addr));
status = WLAN_STATUS_UNSPECIFIED_FAILURE;
reason = WLAN_REASON_UNSPECIFIED;
goto fail;
}
#endif /* CONFIG_SAE */
} else if (hapd->conf->wps_state) {
#ifdef CONFIG_WPS
struct wpabuf *wps;

View file

@ -3252,6 +3252,17 @@ static u16 check_assoc_ies(struct hostapd_data *hapd, struct sta_info *sta,
MAC2STR(sta->addr), sta->auth_alg);
return WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
}
if (hapd->conf->sae_pwe == 2 &&
sta->auth_alg == WLAN_AUTH_SAE &&
sta->sae && sta->sae->tmp && !sta->sae->tmp->h2e &&
elems.rsnxe && elems.rsnxe_len >= 1 &&
(elems.rsnxe[0] & BIT(WLAN_RSNX_CAPAB_SAE_H2E))) {
wpa_printf(MSG_INFO, "SAE: " MACSTR
" indicates support for SAE H2E, but did not use it",
MAC2STR(sta->addr));
return WLAN_STATUS_UNSPECIFIED_FAILURE;
}
#endif /* CONFIG_SAE */
#ifdef CONFIG_OWE