PTK msg 3/4 bug
Chris Zimmermann
cbzimmermann
Fri May 12 10:08:31 PDT 2006
I'm using v0.5.3 of hostapd and have found an issue doing WPA2-PSK,
with the WPA/RSN IE sent in PTK message 3/4 from the AP to the STA.
The 802.11i specification says that the WPA/RSN IE sent in the 802.11
beacon/probe-rsp message must be sent in PTK msg 3/4. It doesn't seem
like both the WPA and RSN IEs should get sent to a STA in this message.
There is an issue with the RSN case. When doing WPA, hostapd has
code for removing the RSN IE and sending only the WPA IE, but there
is no provision for the converse situation. While this works for
Windows clients, it causes an issue with Mac clients. The Mac client
expects to see only the WPA or the RSN IE, based upon the IE sent in the
802.11 assoc-req.
Based on what I am seeing in wpa_gen_wpa_ie(), the RSN IE is always
generated first, followed by the WPA IE. Despite this, I modified
the code to handle the case where the WPA/RSN IEs could be in any order
(in case hostapd ever asks the driver for the IE[s] rather than
generating them, since some drivers don't actually allow/handle the
optional IEs to be set).
The change is in
File: wpa.c
Function: SM_STATE(WPA_PTK, PTKINITNEGOTIATING)
Old code:

    if (sm->wpa == WPA_VERSION_WPA &&
        (sm->wpa_auth->conf.wpa & HOSTAPD_WPA_VERSION_WPA2) &&
        wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) {
        /* WPA-only STA, remove RSN IE */
        wpa_ie = wpa_ie + wpa_ie[1] + 2;
        wpa_ie_len = wpa_ie[1] + 2;
    }
My changes:

    /* Only act when the buffer holds more than the first element, i.e.
     * both an RSN IE and a WPA IE are present (in either order). */
    if (wpa_ie_len > wpa_ie[1] + 2) {
        if (sm->wpa == WPA_VERSION_WPA) {
            /* WPA-only STA: send only the WPA IE */
            if (wpa_ie[0] == WLAN_EID_RSN) {
                /* RSN IE comes first: skip it, then use the WPA IE's
                 * own length (wpa_ie[1] now refers to the WPA IE) */
                wpa_ie = wpa_ie + wpa_ie[1] + 2;
                wpa_ie_len = wpa_ie[1] + 2;
            } else {
                /* WPA IE comes first: truncate the buffer to it */
                wpa_ie_len = wpa_ie[1] + 2;
            }
        } else if (sm->wpa == WPA_VERSION_WPA2) {
            /* WPA2 (RSN) STA: send only the RSN IE */
            if (wpa_ie[0] == WLAN_EID_GENERIC) {
                /* WPA (vendor-specific) IE comes first: skip it */
                wpa_ie = wpa_ie + wpa_ie[1] + 2;
                wpa_ie_len = wpa_ie[1] + 2;
            } else {
                /* RSN IE comes first: truncate the buffer to it */
                wpa_ie_len = wpa_ie[1] + 2;
            }
        }
    }
This fixed the issue with Mac clients, and doesn't seem to break
Windows clients.
Thanks,
Chris
--
Chris Zimmermann
cbzimmermann at mac.com
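The selection logic described in the post above, as an added standalone example (not code from the post or from hostapd): it walks the AP's combined IE buffer, so RSN and WPA IEs may appear in either order or one may be absent, and it checks every element length against the buffer so a truncated element is rejected instead of being read past the end. The element ID values, the WPA_VERSION_* stand-ins for hostapd's sm->wpa, and the two sample IEs are constructed for this demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Element IDs from IEEE 802.11; WPA_VERSION_* are local stand-ins for
 * hostapd's sm->wpa values and are assumptions of this example. */
#define WLAN_EID_RSN     48
#define WLAN_EID_GENERIC 221      /* vendor-specific element; carries the WPA IE */
#define WPA_VERSION_WPA  1
#define WPA_VERSION_WPA2 2

/* The WPA IE is a vendor-specific element whose body starts with the
 * Microsoft OUI 00:50:f2 followed by OUI type 1. */
static const uint8_t WPA_OUI_TYPE[4] = { 0x00, 0x50, 0xf2, 0x01 };

/* Classify the element at *ie given 'avail' bytes left in the buffer:
 * WPA_VERSION_WPA2 for an RSN IE, WPA_VERSION_WPA for a WPA IE, 0 for
 * any other or truncated element. */
static int ie_version(const uint8_t *ie, size_t avail)
{
    if (avail < 2 || avail < (size_t) ie[1] + 2)
        return 0;
    if (ie[0] == WLAN_EID_RSN)
        return WPA_VERSION_WPA2;
    if (ie[0] == WLAN_EID_GENERIC && ie[1] >= sizeof WPA_OUI_TYPE &&
        memcmp(ie + 2, WPA_OUI_TYPE, sizeof WPA_OUI_TYPE) == 0)
        return WPA_VERSION_WPA;
    return 0;
}

/* Walk the AP's beacon/probe-resp IE buffer (RSN and WPA IEs in any
 * order, either possibly absent) and return the one element a STA that
 * negotiated sta_version expects in PTK msg 3/4; its length goes to
 * *out_len when out_len is non-NULL. Returns NULL if no well-formed
 * matching element exists. */
const uint8_t *select_msg3_ie(const uint8_t *buf, size_t buf_len,
                              int sta_version, size_t *out_len)
{
    size_t pos = 0;

    while (pos + 2 <= buf_len) {
        const uint8_t *ie = buf + pos;
        size_t ie_len = (size_t) ie[1] + 2;

        if (pos + ie_len > buf_len)
            break;                /* truncated element: never read past buf */
        if (ie_version(ie, buf_len - pos) == sta_version) {
            if (out_len)
                *out_len = ie_len;
            return ie;
        }
        pos += ie_len;
    }
    if (out_len)
        *out_len = 0;
    return NULL;
}

/* Constructed sample elements (not captured from a real AP), both
 * advertising CCMP group/pairwise ciphers and PSK key management. */
static const uint8_t SAMPLE_RSN_IE[] = {
    0x30, 0x14, 0x01, 0x00, 0x00, 0x0f, 0xac, 0x04, 0x01, 0x00, 0x00, 0x0f,
    0xac, 0x04, 0x01, 0x00, 0x00, 0x0f, 0xac, 0x02, 0x00, 0x00
};
static const uint8_t SAMPLE_WPA_IE[] = {
    0xdd, 0x16, 0x00, 0x50, 0xf2, 0x01, 0x01, 0x00, 0x00, 0x50, 0xf2, 0x04,
    0x01, 0x00, 0x00, 0x50, 0xf2, 0x04, 0x01, 0x00, 0x00, 0x50, 0xf2, 0x02
};

/* Concatenate the two sample IEs in the requested order, run the
 * selection for sta_version and return the chosen element's ID
 * (-1 if none); the length is reported through *out_len if non-NULL. */
int demo_select(int rsn_first, int sta_version, size_t *out_len)
{
    uint8_t buf[sizeof SAMPLE_RSN_IE + sizeof SAMPLE_WPA_IE];
    const uint8_t *sel;

    if (rsn_first) {
        memcpy(buf, SAMPLE_RSN_IE, sizeof SAMPLE_RSN_IE);
        memcpy(buf + sizeof SAMPLE_RSN_IE, SAMPLE_WPA_IE, sizeof SAMPLE_WPA_IE);
    } else {
        memcpy(buf, SAMPLE_WPA_IE, sizeof SAMPLE_WPA_IE);
        memcpy(buf + sizeof SAMPLE_WPA_IE, SAMPLE_RSN_IE, sizeof SAMPLE_RSN_IE);
    }
    sel = select_msg3_ie(buf, sizeof buf, sta_version, out_len);
    return sel ? sel[0] : -1;
}

/* Length of the element demo_select() picks (0 if none). */
size_t demo_select_len(int rsn_first, int sta_version)
{
    size_t len = 0;
    demo_select(rsn_first, sta_version, &len);
    return len;
}

int main(void)
{
    static const char *names[] = { "none", "WPA", "WPA2" };
    int order, ver;

    for (order = 1; order >= 0; order--)
        for (ver = WPA_VERSION_WPA; ver <= WPA_VERSION_WPA2; ver++)
            printf("%s first, %s STA -> EID %d, %zu bytes\n",
                   order ? "RSN" : "WPA", names[ver],
                   demo_select(order, ver, NULL), demo_select_len(order, ver));
    return 0;
}
```

Unlike the two-element special case in the patch, the walk does not assume the second element is the only other one in the buffer, and the bounds check on each element length means an AP-side buffer that is shorter than its IEs claim cannot be turned into an out-of-bounds read when building msg 3/4.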