[PATCH 4/4] wpa_supplicant: Add GTK RSC relaxation workaround
Jouni Malinen
j at w1.fi
Sun Nov 1 11:45:18 PST 2015
On Wed, Oct 14, 2015 at 12:26:33PM +0300, Ilan Peer wrote:
> Some APs may send RSC octets in EAP message 3 of 4-Way Handshake or in
> EAP message 1 of Group Key Handshake in the opposite order. Thus, after a
> successful EAP authentication the TSC values of received multicast packets,
> such as DHCP, don't match the RSC one and as a result these packets are
> dropped on replay attack TSC verification. An example of such AP is
> Sapido RB-1732.
>
> Workaournd this by setting RSC octets to 0 on GTK installation if the AP
> RSC value is identified as a potentially having the byte order issue.
> The wpa_rsc_relaxation global configuration property allows to disable
> the GTK RSC workaround if it's not needed.
Thanks, applied with some fixes and cleanup.
> +static int wpa_supplicant_get_wpa_rsc_relaxation(const struct wpa_sm *sm)
> +{
> + if (sm->ctx->get_wpa_rsc_relaxation)
> + return sm->ctx->get_wpa_rsc_relaxation(sm->ctx->ctx);
> + return 0;
> +}
There is no need to add a separate function pointer and callback for
this; there is already a mechanism for updating WPA/RSN configuration
parameters for each connection. I replaced this callback mechanism with
a new such configuration parameter.
> +static int wpa_supplicant_rsc_relaxation(const struct wpa_sm *sm,
> + const u8 *rsc)
> +{
> + int rsclen;
> +
> + if (wpa_supplicant_get_wpa_rsc_relaxation(sm))
> + return 0;
This logic looks reversed, i.e., that needs to be "if
(!wpa_supplicant_get_wpa_rsc_relaxation(sm))"..
--
Jouni Malinen PGP id EFC895FA
More information about the Hostap
mailing list