[PATCH] Ignore RSNX IE if the scan result does not contain one.
Stefan Dösinger
stefandoesinger at gmail.com
Sat Jul 19 13:49:33 PDT 2025
This fixes a regression introduced in wpa_supplicant 2.10 that prevents
ipw2x00 cards from connecting to mixed WPA2/3 networks.
The driver does not handle WLAN_EID_RSNX elements (see libipw_rx.c,
libipw_parse_info_param), but my WPA2/3 mixed mode AP operated by
hostapd on OpenWRT sends it in EAPOL, which is handled by wpa_supplicant
without driver involvement.
---
src/rsn_supp/wpa.c | 23 +++++++++++++++++------
1 file changed, 17 insertions(+), 6 deletions(-)
diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
index f5319c606..be01d1384 100644
--- a/src/rsn_supp/wpa.c
+++ b/src/rsn_supp/wpa.c
@@ -2220,12 +2220,23 @@ static int wpa_supplicant_validate_ie(struct wpa_sm *sm,
return -1;
}
- if (sm->proto == WPA_PROTO_RSN &&
- ((sm->ap_rsnxe && !ie->rsnxe) ||
- (!sm->ap_rsnxe && ie->rsnxe) ||
- (sm->ap_rsnxe && ie->rsnxe &&
- (sm->ap_rsnxe_len != ie->rsnxe_len ||
- os_memcmp(sm->ap_rsnxe, ie->rsnxe, sm->ap_rsnxe_len) != 0)))) {
+ if (sm->proto == WPA_PROTO_RSN && !sm->ap_rsnxe && ie->rsnxe) {
+ /* This happens when connecting to a WPA 2/3 transition mode
+ * AP with drivers that do not understand WLAN_EID_RSNX, e.g.
+ * ipw2x00. Print a warning but continue.
+ */
+ wpa_msg(sm->ctx->msg_ctx, MSG_INFO, "Possible downgrade "
+ "attack or old driver detected - RSNX was "
+ "enabled and RSNX IE was in msg 3/4, but "
+ "not in Beacon/ProbeResp (src=" MACSTR ")",
+ MAC2STR(src_addr));
+ wpa_hexdump(MSG_INFO, "RSNXE in EAPOL-Key msg 3/4",
+ ie->rsnxe, ie->rsnxe_len);
+ }
+
+ if (sm->proto == WPA_PROTO_RSN && sm->ap_rsnxe &&
+ (!ie->rsnxe || sm->ap_rsnxe_len != ie->rsnxe_len ||
+ os_memcmp(sm->ap_rsnxe, ie->rsnxe, sm->ap_rsnxe_len) != 0)) {
wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
"WPA: RSNXE mismatch between Beacon/ProbeResp and EAPOL-Key msg 3/4");
wpa_hexdump(MSG_INFO, "RSNXE in Beacon/ProbeResp",
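Review bot: The new `!sm->ap_rsnxe && ie->rsnxe` branch only logs and falls through, so the relaxation applies to every driver, not just ones like ipw2x00 that do not handle WLAN_EID_RSNX. The removed condition treated this case as an RSNXE mismatch. With this change, a Beacon/ProbeResp without an RSNXE passes this check even though msg 3/4 carries one, which is the downgrade case the new log text itself names. Consider keeping the mismatch handling by default and taking the warn-and-continue path only when the driver is known not to report RSNXE, or when a configuration option explicitly opts in. Two smaller points: the comment says "Print a warning" but the message is logged at MSG_INFO, and "RSNX was enabled" in the message text does not describe the condition being tested (RSNXE absent from Beacon/ProbeResp, present in msg 3/4).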
--
2.49.1