[PATCH] Add BSSID into blacklist and do not clean blacklist while countermeasures running.

Bartosz Markowski bartosz.markowski
Wed Apr 27 02:46:20 PDT 2011

 wpa_supplicant/events.c |    6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c
index a3153aa..7655f91 100644
--- a/wpa_supplicant/events.c
+++ b/wpa_supplicant/events.c
@@ -657,7 +657,7 @@ wpa_supplicant_pick_network(struct wpa_supplicant *wpa_=
-		if (selected =3D=3D NULL && wpa_s->blacklist) {
+		if (selected =3D=3D NULL && wpa_s->blacklist && !wpa_s->countermeasures)=
 			wpa_dbg(wpa_s, MSG_DEBUG, "No APs found - clear "
 				"blacklist and try again");
@@ -1477,6 +1477,10 @@ wpa_supplicant_event_michael_mic_failure(struct wpa_=
supplicant *wpa_s,
 		/* initialize countermeasures */
 		wpa_s->countermeasures =3D 1;
+		/* add bssid to blacklist */
+		wpa_blacklist_add(wpa_s, wpa_s->bssid);
 		wpa_msg(wpa_s, MSG_WARNING, "TKIP countermeasures started");


-----Original Message-----
From: hostap-bounces at lists.shmoo.com [mailto:hostap-bounces at lists.shmoo.com=
] On Behalf Of Bartosz.Markowski at tieto.com
Sent: 22 kwietnia 2011 11:52
To: j at w1.fi; hostap at lists.shmoo.com
Subject: RE: MIC failure question


Thanks for quick answer. One more question. I do not understand how blockin=
g all connections should be done.
In wpa_supplicant_pick_network(), if there's no valid AP in the list, it st=
ill tries to clear blacklisted APs and try to associate anyway.

wpa_supplicant: wlan0: No APs found - clear blacklist and try again
wpa_supplicant: Removed BSSID 00:1e:be:8e:3d:40 from blacklist (clear)

Other thing is that when I hit the MIC failure twice within 60s and TKIP co=
untermeasures starts + wpa_supplicant_deauthenticate called

I get 'wpa_supplicant: Added BSSID 00:00:00:00:00:00 into blacklist'
Is this correct behaviour or MAC is being overwritten (errased) to quickly?


-----Original Message-----
From: hostap-bounces at lists.shmoo.com [mailto:hostap-bounces at lists.shmoo.com=
] On Behalf Of Jouni Malinen
Sent: 22 kwietnia 2011 10:57
To: hostap at lists.shmoo.com
Subject: Re: MIC failure question

On Fri, Apr 22, 2011 at 10:54:40AM +0300, Bartosz.Markowski at tieto.com wrote=
> In current implementaiton of wpa_supplicant_event_michael_mic_failure() f=
unction there's TODO comment.
> /* TODO: mark the AP rejected for 60 second. STA is
>  * allowed to associate with another AP.. */
> Is there a reason that this not been implemented - some blocking issues?

No one seems to have been interested enough in optimizing this to allow oth=
er APs to be used and blocking all connections is simpler. It is not like T=
KIP countermeasures are supposed to be showing up frequently, so it does no=
t look like there is much benefit from using time on making this any more c=
omplex. And if this were to be triggered more frequently, time would likely=
 be better spent on trying to fix whatever is causing the Michael MIC failu=
res anyway.

Jouni Malinen                                            PGP id EFC895FA
HostAP mailing list
HostAP at lists.shmoo.com
HostAP mailing list
HostAP at lists.shmoo.com

More information about the Hostap mailing list