hostapd: Require EAPOL-Key type to match with selected protocol
author Jouni Malinen <jouni.malinen@atheros.com>
Wed, 27 May 2009 06:52:24 +0000 (09:52 +0300)
committer Jouni Malinen <j@w1.fi>
Wed, 27 May 2009 06:52:24 +0000 (09:52 +0300)
Previously, we would have allowed both the WPA and RSN EAPOL-Key
types to be used regardless of whether the association is using
WPA or RSN/WPA2. This shouldn't result in any significant problems
on the Authenticator side, but anyway, we should check the type and
ignore the EAPOL-Key frames that use an unexpected type.

hostapd/wpa.c

index 64bc6b3..5ec7211 100644 (file)
@@ -620,6 +620,22 @@ void wpa_receive(struct wpa_authenticator *wpa_auth,
                return;
        }
 
+       if (sm->wpa == WPA_VERSION_WPA2) {
+               if (key->type != EAPOL_KEY_TYPE_RSN) {
+                       wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with "
+                                  "unexpected type %d in RSN mode",
+                                  key->type);
+                       return;
+               }
+       } else {
+               if (key->type != EAPOL_KEY_TYPE_WPA) {
+                       wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with "
+                                  "unexpected type %d in WPA mode",
+                                  key->type);
+                       return;
+               }
+       }
+
        /* FIX: verify that the EAPOL-Key frame was encrypted if pairwise keys
         * are set */
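
Review bot: the `} else {` branch treats every value of sm->wpa other than WPA_VERSION_WPA2 as WPA mode, so a state machine whose version field is unset or holds some other value would be held to EAPOL_KEY_TYPE_WPA without that being stated anywhere. Either compare against the WPA version constant explicitly and drop the frame for anything else, or add a comment saying that sm->wpa can only take one of the two values by the time wpa_receive() reaches this point. The two branches also differ only in the expected constant and the mode word in the message; selecting the expected type first and keeping a single comparison, a single wpa_printf and a single return would keep the two drop paths from drifting apart. Finally, the frame is discarded with nothing but a MSG_DEBUG line, so a station that keeps sending the wrong key type is invisible at normal log levels; if that case is worth noticing operationally, a higher level or a per-station log entry would help.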