security question

linux-wireless.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* security question
@ 2007-11-21  8:01 mabbas
  2007-11-21 15:17 ` wpa_supplicant/key deletion with all-zeroes mac (was: security question) Johannes Berg
  0 siblings, 1 reply; 6+ messages in thread
From: mabbas @ 2007-11-21  8:01 UTC (permalink / raw)
  To: linux-wireless; +Cc: Dan Williams, linville, Johannes Berg

Hi

When I connect to an AP with wpa, then I receive deauth frame, 
ieee80211_rx_mgmt_deauth will be called, which will call 
ieee80211_set_associated(dev, ifsta, 0); to disconnect. In function 
ieee80211_set_associated, it calls wireless_send_event with SIOCGIWAP 
event and memset(wrqu.ap_addr.sa_data, 0, ETH_ALEN). wpa_supplicant will 
receives this event then call mac80211 to remove any old security key, 
the problem it will pass 00:00:00:00:00:00 as station address. 
ieee80211_set_encryption will fail since there are no station with 
00:00:00:00:00:00. This will leave the old key which causes the problems 
in the next reconnection.

Below is the work around to this problem, I am not very familiar with 
security in mac80211 so I appreciate any comment on how to fix this 
problem the right way.

Mohamed

diff --git a/net/mac80211/ieee80211_ioctl.c b/net/mac80211/ieee80211_ioctl.c
index c84a26e..e08df5e 100644
--- a/net/mac80211/ieee80211_ioctl.c
+++ b/net/mac80211/ieee80211_ioctl.c
@@ -97,7 +97,10 @@ static int ieee80211_set_encryption(struct net_device *dev, u8 *sta_addr,
 			return -EINVAL;
 		}

-		sta = sta_info_get(local, sta_addr);
+		if (is_zero_ether_addr(sta_addr))
+			sta = sta_info_get(local, sdata->u.sta.bssid);
+		else
+			sta = sta_info_get(local, sta_addr);
 		if (!sta) {
 #ifdef CONFIG_MAC80211_VERBOSE_DEBUG
 			printk(KERN_DEBUG "%s: set_encrypt - unknown addr "

^ permalink raw reply related	[flat|nested] 6+ messages in thread

* wpa_supplicant/key deletion with all-zeroes mac (was: security question)
  2007-11-21  8:01 security question mabbas
@ 2007-11-21 15:17 ` Johannes Berg
  2007-11-22  4:37   ` Jouni Malinen
  0 siblings, 1 reply; 6+ messages in thread
From: Johannes Berg @ 2007-11-21 15:17 UTC (permalink / raw)
  To: mabbas; +Cc: linux-wireless, Dan Williams, linville, Jouni Malinen

[-- Attachment #1: Type: text/plain, Size: 1436 bytes --]

Hi,

> When I connect to an AP with wpa, then I receive deauth frame, 
> ieee80211_rx_mgmt_deauth will be called, which will call 
> ieee80211_set_associated(dev, ifsta, 0); to disconnect. In function 
> ieee80211_set_associated, it calls wireless_send_event with SIOCGIWAP 
> event and memset(wrqu.ap_addr.sa_data, 0, ETH_ALEN). wpa_supplicant will 
> receives this event then call mac80211 to remove any old security key, 
> the problem it will pass 00:00:00:00:00:00 as station address. 
> ieee80211_set_encryption will fail since there are no station with 
> 00:00:00:00:00:00. This will leave the old key which causes the problems 
> in the next reconnection.

Interesting. I'd think this is a wpa_supplicant bug, Jouni, how is the
security wext stuff supposed to work here?

> diff --git a/net/mac80211/ieee80211_ioctl.c b/net/mac80211/ieee80211_ioctl.c
> index c84a26e..e08df5e 100644
> --- a/net/mac80211/ieee80211_ioctl.c
> +++ b/net/mac80211/ieee80211_ioctl.c
> @@ -97,7 +97,10 @@ static int ieee80211_set_encryption(struct net_device *dev, u8 *sta_addr,
>  			return -EINVAL;
>  		}
>  
> -		sta = sta_info_get(local, sta_addr);
> +		if (is_zero_ether_addr(sta_addr))
> +			sta = sta_info_get(local, sdata->u.sta.bssid);
> +		else
> +			sta = sta_info_get(local, sta_addr);
>  		if (!sta) {
>  #ifdef CONFIG_MAC80211_VERBOSE_DEBUG
>  			printk(KERN_DEBUG "%s: set_encrypt - unknown addr "
> 

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 828 bytes --]

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: wpa_supplicant/key deletion with all-zeroes mac (was: security question)
  2007-11-21 15:17 ` wpa_supplicant/key deletion with all-zeroes mac (was: security question) Johannes Berg
@ 2007-11-22  4:37   ` Jouni Malinen
  2007-11-22  5:30     ` wpa_supplicant/key deletion with all-zeroes mac mabbas
  2007-11-22 12:55     ` wpa_supplicant/key deletion with all-zeroes mac (was: security question) Johannes Berg
  0 siblings, 2 replies; 6+ messages in thread
From: Jouni Malinen @ 2007-11-22  4:37 UTC (permalink / raw)
  To: Johannes Berg; +Cc: mabbas, linux-wireless, Dan Williams, linville

On Wed, Nov 21, 2007 at 04:17:34PM +0100, Johannes Berg wrote:

> > When I connect to an AP with wpa, then I receive deauth frame, 
> > ieee80211_rx_mgmt_deauth will be called, which will call 
> > ieee80211_set_associated(dev, ifsta, 0); to disconnect. In function 
> > ieee80211_set_associated, it calls wireless_send_event with SIOCGIWAP 
> > event and memset(wrqu.ap_addr.sa_data, 0, ETH_ALEN).

This sounds correct.

> > wpa_supplicant will 
> > receives this event then call mac80211 to remove any old security key, 
> > the problem it will pass 00:00:00:00:00:00 as station address. 

This sounds broken. wpa_supplicant should remove the key for the
previous BSSID.

> > ieee80211_set_encryption will fail since there are no station with 
> > 00:00:00:00:00:00. This will leave the old key which causes the problems 
> > in the next reconnection.

This sounds correct behavior.

> Interesting. I'd think this is a wpa_supplicant bug, Jouni, how is the
> security wext stuff supposed to work here?

Agreed, this sounds like a bug in wpa_supplicant. Unicast keys should be
removed with their correct address. I think this used to work, but maybe
some of the changes in BSSID processing in disassociation cases caused
the old BSSID to be forgotten.

> > diff --git a/net/mac80211/ieee80211_ioctl.c b/net/mac80211/ieee80211_ioctl.c
> > @@ -97,7 +97,10 @@ static int ieee80211_set_encryption(struct net_device *dev, u8 *sta_addr,
> > -		sta = sta_info_get(local, sta_addr);
> > +		if (is_zero_ether_addr(sta_addr))
> > +			sta = sta_info_get(local, sdata->u.sta.bssid);
> > +		else
> > +			sta = sta_info_get(local, sta_addr);

NAK. I don't think this is the correct fix here.

-- 
Jouni Malinen                                            PGP id EFC895FA

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: wpa_supplicant/key deletion with all-zeroes mac
  2007-11-22  4:37   ` Jouni Malinen
@ 2007-11-22  5:30     ` mabbas
  2007-11-22 12:55     ` wpa_supplicant/key deletion with all-zeroes mac (was: security question) Johannes Berg
  1 sibling, 0 replies; 6+ messages in thread
From: mabbas @ 2007-11-22  5:30 UTC (permalink / raw)
  To: Jouni Malinen; +Cc: Johannes Berg, linux-wireless, Dan Williams, linville

Jouni Malinen wrote:
> On Wed, Nov 21, 2007 at 04:17:34PM +0100, Johannes Berg wrote:
>
>   
>>> When I connect to an AP with wpa, then I receive deauth frame, 
>>> ieee80211_rx_mgmt_deauth will be called, which will call 
>>> ieee80211_set_associated(dev, ifsta, 0); to disconnect. In function 
>>> ieee80211_set_associated, it calls wireless_send_event with SIOCGIWAP 
>>> event and memset(wrqu.ap_addr.sa_data, 0, ETH_ALEN).
>>>       
>
> This sounds correct.
>
>   
>>> wpa_supplicant will 
>>> receives this event then call mac80211 to remove any old security key, 
>>> the problem it will pass 00:00:00:00:00:00 as station address. 
>>>       
>
> This sounds broken. wpa_supplicant should remove the key for the
> previous BSSID.
>
>   
>>> ieee80211_set_encryption will fail since there are no station with 
>>> 00:00:00:00:00:00. This will leave the old key which causes the problems 
>>> in the next reconnection.
>>>       
>
> This sounds correct behavior.
>
>   
>> Interesting. I'd think this is a wpa_supplicant bug, Jouni, how is the
>> security wext stuff supposed to work here?
>>     
>
> Agreed, this sounds like a bug in wpa_supplicant. Unicast keys should be
> removed with their correct address. I think this used to work, but maybe
> some of the changes in BSSID processing in disassociation cases caused
> the old BSSID to be forgotten.
>
>   
>>> diff --git a/net/mac80211/ieee80211_ioctl.c b/net/mac80211/ieee80211_ioctl.c
>>> @@ -97,7 +97,10 @@ static int ieee80211_set_encryption(struct net_device *dev, u8 *sta_addr,
>>> -		sta = sta_info_get(local, sta_addr);
>>> +		if (is_zero_ether_addr(sta_addr))
>>> +			sta = sta_info_get(local, sdata->u.sta.bssid);
>>> +		else
>>> +			sta = sta_info_get(local, sta_addr);
>>>       
>
> NAK. I don't think this is the correct fix here.
>
>   
I agree I just included this workaround to illustrated what I did to 
make it work. 

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: wpa_supplicant/key deletion with all-zeroes mac (was: security question)
  2007-11-22  4:37   ` Jouni Malinen
  2007-11-22  5:30     ` wpa_supplicant/key deletion with all-zeroes mac mabbas
@ 2007-11-22 12:55     ` Johannes Berg
  2007-11-24 20:00       ` Jouni Malinen
  1 sibling, 1 reply; 6+ messages in thread
From: Johannes Berg @ 2007-11-22 12:55 UTC (permalink / raw)
  To: Jouni Malinen; +Cc: mabbas, linux-wireless, Dan Williams, linville

[-- Attachment #1: Type: text/plain, Size: 721 bytes --]


> > > wpa_supplicant will 
> > > receives this event then call mac80211 to remove any old security key, 
> > > the problem it will pass 00:00:00:00:00:00 as station address. 
> 
> This sounds broken. wpa_supplicant should remove the key for the
> previous BSSID.


> > Interesting. I'd think this is a wpa_supplicant bug, Jouni, how is the
> > security wext stuff supposed to work here?
> 
> Agreed, this sounds like a bug in wpa_supplicant. Unicast keys should be
> removed with their correct address. I think this used to work, but maybe
> some of the changes in BSSID processing in disassociation cases caused
> the old BSSID to be forgotten.

Can you look into it then please?

Thanks,
johannes

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 828 bytes --]

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: wpa_supplicant/key deletion with all-zeroes mac (was: security question)
  2007-11-22 12:55     ` wpa_supplicant/key deletion with all-zeroes mac (was: security question) Johannes Berg
@ 2007-11-24 20:00       ` Jouni Malinen
  0 siblings, 0 replies; 6+ messages in thread
From: Jouni Malinen @ 2007-11-24 20:00 UTC (permalink / raw)
  To: Johannes Berg; +Cc: mabbas, linux-wireless, Dan Williams, linville

On Thu, Nov 22, 2007 at 01:55:26PM +0100, Johannes Berg wrote:

> > > > wpa_supplicant will 
> > > > receives this event then call mac80211 to remove any old security key, 
> > > > the problem it will pass 00:00:00:00:00:00 as station address. 

> Can you look into it then please?

It looks like this was fixed more than a year ago.. Which wpa_supplicant
version was used here? Can the problem be reproduced on something more
recent (e.g., 0.5.8 or the current 0.6.x snapshot)? If yes, I would like
to see debug log from wpa_supplicant showing what exactly happens.

The fix was to reorder clearing of the BSSID:
http://w1.fi/gitweb/gitweb.cgi?p=hostap.git;a=commitdiff;h=3103d0a7f91a48ebfa0d08c6599babd0c556e6a9

-- 
Jouni Malinen                                            PGP id EFC895FA

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2007-11-24 20:00 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2007-11-21  8:01 security question mabbas
2007-11-21 15:17 ` wpa_supplicant/key deletion with all-zeroes mac (was: security question) Johannes Berg
2007-11-22  4:37   ` Jouni Malinen
2007-11-22  5:30     ` wpa_supplicant/key deletion with all-zeroes mac mabbas
2007-11-22 12:55     ` wpa_supplicant/key deletion with all-zeroes mac (was: security question) Johannes Berg
2007-11-24 20:00       ` Jouni Malinen

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).