FT: Do not allow multiple Reassociation Response frames

The driver is expected to not report a second association event without
the station having explicitly requested a new association. As such, this
case should not be reachable. However, since reconfiguring the same
pairwise or group keys to the driver could result in nonce reuse issues,
be extra careful here and do an additional state check to avoid this
even if the local driver ends up somehow accepting an unexpected
Reassociation Response frame.

Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen 2017-09-22 12:06:37 +03:00
parent adae51f8b9
commit 2a9c5217b1
3 changed files with 12 additions and 0 deletions


@ -2639,6 +2639,9 @@ void wpa_sm_notify_disassoc(struct wpa_sm *sm)
#ifdef CONFIG_FILS #ifdef CONFIG_FILS
sm->fils_completed = 0; sm->fils_completed = 0;
#endif /* CONFIG_FILS */ #endif /* CONFIG_FILS */
#ifdef CONFIG_IEEE80211R
sm->ft_reassoc_completed = 0;
#endif /* CONFIG_IEEE80211R */
/* Keys are not needed in the WPA state machine anymore */ /* Keys are not needed in the WPA state machine anymore */
wpa_sm_drop_sa(sm); wpa_sm_drop_sa(sm);


@ -153,6 +153,7 @@ static u8 * wpa_ft_gen_req_ies(struct wpa_sm *sm, size_t *len,
u16 capab; u16 capab;
sm->ft_completed = 0; sm->ft_completed = 0;
sm->ft_reassoc_completed = 0;
buf_len = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) + buf_len = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) +
2 + sm->r0kh_id_len + ric_ies_len + 100; 2 + sm->r0kh_id_len + ric_ies_len + 100;
@ -687,6 +688,11 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies,
return -1; return -1;
} }
if (sm->ft_reassoc_completed) {
wpa_printf(MSG_DEBUG, "FT: Reassociation has already been completed for this FT protocol instance - ignore unexpected retransmission");
return 0;
}
if (wpa_ft_parse_ies(ies, ies_len, &parse) < 0) { if (wpa_ft_parse_ies(ies, ies_len, &parse) < 0) {
wpa_printf(MSG_DEBUG, "FT: Failed to parse IEs"); wpa_printf(MSG_DEBUG, "FT: Failed to parse IEs");
return -1; return -1;
@ -787,6 +793,8 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies,
return -1; return -1;
} }
sm->ft_reassoc_completed = 1;
if (wpa_ft_process_gtk_subelem(sm, parse.gtk, parse.gtk_len) < 0) if (wpa_ft_process_gtk_subelem(sm, parse.gtk, parse.gtk_len) < 0)
return -1; return -1;
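Review bot: In wpa_ft_validate_reassoc_resp(), `sm->ft_reassoc_completed = 1;` is set before `wpa_ft_process_gtk_subelem()` has succeeded, so a -1 from that call leaves the flag set and any later Reassociation Response then takes the new early `return 0` path. That is safe only if every caller answers -1 by tearing the association down, which clears the flag in wpa_sm_notify_disassoc(); the callers are not visible here, so this should be confirmed. Setting the flag first looks deliberate, because it is what keeps a repeated frame from reaching key configuration again, and it deserves a comment such as `/* Mark completed before configuring group keys so a repeated frame can never reconfigure them (nonce reuse) */`. The early `return 0` is also indistinguishable from a validated frame for the caller, so a comment at that check stating that the frame is intentionally ignored without parsing or MIC validation would help. The function body starts and ends outside these hunks.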


@ -128,6 +128,7 @@ struct wpa_sm {
size_t r0kh_id_len; size_t r0kh_id_len;
u8 r1kh_id[FT_R1KH_ID_LEN]; u8 r1kh_id[FT_R1KH_ID_LEN];
int ft_completed; int ft_completed;
int ft_reassoc_completed;
int over_the_ds_in_progress; int over_the_ds_in_progress;
u8 target_ap[ETH_ALEN]; /* over-the-DS target AP */ u8 target_ap[ETH_ALEN]; /* over-the-DS target AP */
int set_ptk_after_assoc; int set_ptk_after_assoc;
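Review bot: The new `ft_reassoc_completed` member has no comment, although the nonce-reuse guard added in this commit depends entirely on when it is set and cleared. I would document its lifecycle at the declaration, e.g. `int ft_reassoc_completed; /* set once a Reassociation Response has been accepted; cleared when new FT request IEs are generated and on disassociation */`. The struct starts and ends outside the hunk.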