Encryption problems with nl80211

Krishna Chaitanya chaitanya.mgit at gmail.com
Wed Oct 28 08:26:36 PDT 2015


On Wed, Oct 28, 2015 at 8:32 PM, Dan Williams <dcbw at redhat.com> wrote:
> On Tue, 2015-10-27 at 15:05 -0500, Dan Williams wrote:
>> On Wed, 2015-10-28 at 00:54 +0530, Krishna Chaitanya wrote:
>> > On Wed, Oct 28, 2015 at 12:11 AM, Dan Williams <dcbw at redhat.com> wrote:
>> > > On Tue, 2015-10-27 at 18:16 +0100, simo wrote:
>> > >> Hi, I am Simon and I am new in this mail list.
>> > >>
>> > >> I am experiencing problems enabling encryption key after creating an
>> > >> IBSS network through wpa_supplicant.
>> > >
>> > > It looks like the error is coming from the kernel mac80211/cfg80211 WiFi
>> > > stack in nl80211_key_allowed().  That function returns an error if there
>> > > is not yet any "current_bss", which is probably the case here.  To me it
>> > > looks like a mismatch in expectations between the kernel and
>> > > wpa_supplicant about how IBSS WEP is supposed to be configured.
>> > >
>> > > wpas_start_assoc_cb() - sets up parameters for IBSS create/join
>> > > -- kernel cfg80211 has current_bss = NULL
>> > > wpas_start_assoc_cb() calls wpa_set_wep_keys()
>> > > -- kernel cfg80211 rejects set_keys request because current_bss == NULL
>> > > wpas_start_assoc_cb() calls wpa_drv_associate() to begin association
>> > > -- kernel driver creates new IBSS, sends EVENT_IBSS_JOINED
>> > > -- kernel cfg80211 calls __cfg80211_ibss_joined() and sets current_bss
>> > >
>> > > What's odd is that none of this code in the kernel or supplicant has
>> > > really changed since early 2013, so it's either been broken for a long
>> > > time, or I'm missing something completely about when current_bss gets
>> > > set.
>> > >
>> > > Dan
>> > >
>> > >> wlan0: Trying to associate with SSID 'my-net-302'
>> > >> wlan0: Cancelling scan request
>> > >> wlan0: WPA: clearing own WPA/RSN IE
>> > >> wlan0: Automatic auth_alg selection: 0x1
>> > >> wlan0: WPA: clearing AP WPA IE
>> > >> wlan0: WPA: clearing AP RSN IE
>> > >> wlan0: WPA: clearing own WPA/RSN IE
>> > >> wpa_driver_nl80211_set_key: ifindex=3 (wlan0) alg=1 addr=(nil) key_idx=0
>> > >> set_tx=1 seq_len=0 key_len=5
>> > >> nl80211: KEY_DATA - hexdump(len=5): [REMOVED]
>> > >> nl80211: set_key failed; err=-67 Link has been severed)
>> > >
>> > > ^^^ the error
>> > > <snip>
>> > >
>> > >> nl80211: Event message available
>> > >> nl80211: Drv Event 43 (NL80211_CMD_JOIN_IBSS) received for wlan0
>> > >> nl80211: IBSS 12:24:21:59:87:d0 joined
>> > >> nl80211: IBSS-joined on 2412 MHz
>> > >> nl80211: Operating frequency for the associated BSS from scan results:
>> > >> 2412 MHz
>> > >> nl80211: IBSS on frequency 2412 MHz
>> > >> wlan0: Event ASSOC (0) received
>> > >> wlan0: State: ASSOCIATING -> ASSOCIATED
>> > >
>> > > Then reports success creating/joining the adhoc network.  But of course,
>> > > since the key set failed, the network is not encrypted.
>> > set_key after association is successful, the failure before association
>> > can be ignored. This is not a problem.
>> >
>> >
>> > wlan0: State: ASSOCIATED -> COMPLETED
>> > wlan0: Radio work 'connect'@0xfab20 done in 0.603215 seconds
>> > wlan0: CTRL-EVENT-CONNECTED - Connection to 12:24:21:59:87:d0 completed
>> > [id=0 id_str=]
>> > nl80211: Set wlan0 operstate 0->1 (UP)
>> > netlink: Operstate: ifindex=3 linkmode=-1 (no change), operstate=6
>> > (IF_OPER_UP)
>> > wlan0: Cancelling scan request
>> > wpa_driver_nl80211_set_key: ifindex=3 (wlan0) alg=1 addr=(nil) key_idx=0
>> > set_tx=1 seq_len=0 key_len=5
>> > nl80211: KEY_DATA - hexdump(len=5): [REMOVED]
>> > RTM_NEWLINK: ifi_index=3 ifname=wlan0 operstate=6 linkmode=1
>> > ifi_family=0 ifi_flags=0x11043 ([UP][RUNNING][LOWER_
>>
>> Ah, you are correct.  IIRC some drivers don't really support setting the
>> keys after IBSS create though, since they don't have a great way to
>> update the IEs after the join has already happened.  I wonder what
>> driver the reporter is using?
>
> Before I wrote the above I was actually writing about how some drivers
> don't allow setting the encryption key after the IBSS has been
> created/joined, using libertas as an example.  libertas firmware
> requires the key to be given before/during the join operation otherwise
> the IBSS beacons don't have any security stuff in them.
>
> And guess what?  The reporter is using the 'libertas' driver...
> cfg80211 support got added to the driver a while back, but I guess it
> was somewhat incomplete.  But also, it seems that wpa_supplicant expects
> all nl80211/cfg80211 capable drivers to be able to set the key after a
> join.  So yay, this just isn't going to work.
It's not a problem with wpa_supplicant; it is doing the set_key both before
and after JOIN IBSS. But before joining, cfg80211 fails the set_key due
to no connection. And the driver in this case rejects after JOIN.

> Simo, the only recourse here is to use "-D wext" instead of "-D
> nl80211", unfortunately...
He mentioned earlier that wext is not working, so security cannot be set :-).
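
As an added illustration (not part of the original message and not wpa_supplicant code), this Python sketch checks a wpa_supplicant debug log for the sequence discussed in this thread: a set_key that fails before the IBSS join, and whether any key install is accepted after the join. It assumes a key install was accepted when no `set_key failed` line follows it; the sample logs and the -95 error in the second one are constructed.

```python
import re

SET_KEY = re.compile(r"wpa_driver_nl80211_set_key: .*\balg=(\d+)")
FAILED = re.compile(r"nl80211: set_key failed; err=(-?\d+)")
JOINED = re.compile(r"NL80211_CMD_JOIN_IBSS\) received for")

def audit_ibss_keys(log_text):
    """Classify key installs as before/after the IBSS join and report failures."""
    calls, last, joined = [], None, False
    for line in log_text.splitlines():
        if m := SET_KEY.search(line):
            # alg=0 is WPA_ALG_NONE (key removal), so it is not a key install.
            last = None if m.group(1) == "0" else {"after_join": joined, "err": None}
            if last is not None:
                calls.append(last)
        elif m := FAILED.search(line):
            # Assumption: a failure line belongs to the most recent set_key call.
            if last is not None:
                last["err"] = int(m.group(1))
        elif JOINED.search(line):
            joined = True
    post = [c for c in calls if c["after_join"]]
    if not joined:
        verdict = "no-join"
    elif any(c["err"] is None for c in post):
        verdict = "key-accepted-after-join"
    else:
        verdict = "joined-without-key"  # link reported up, but no key installed
    return {
        "verdict": verdict,
        "pre_join_errors": [c["err"] for c in calls
                            if not c["after_join"] and c["err"] is not None],
        "post_join_errors": [c["err"] for c in post if c["err"] is not None],
    }

# Constructed sample lines in the format of the debug output quoted in the
# thread (wrapped lines rejoined).
KEY_CALL = ("wpa_driver_nl80211_set_key: ifindex=3 (wlan0) alg=1 addr=(nil) "
            "key_idx=0 set_tx=1 seq_len=0 key_len=5\n"
            "nl80211: KEY_DATA - hexdump(len=5): [REMOVED]\n")
PRE_FAIL = "nl80211: set_key failed; err=-67 Link has been severed)\n"
JOIN = ("nl80211: Drv Event 43 (NL80211_CMD_JOIN_IBSS) received for wlan0\n"
        "wlan0: CTRL-EVENT-CONNECTED - Connection to 12:24:21:59:87:d0 completed\n")
LOG_AS_QUOTED = KEY_CALL + PRE_FAIL + JOIN + KEY_CALL
# Constructed: a driver that rejects the post-join key (error value is arbitrary).
LOG_DRIVER_REJECTS = LOG_AS_QUOTED + "nl80211: set_key failed; err=-95 Operation not supported)\n"

if __name__ == "__main__":
    for name, log in (("as quoted", LOG_AS_QUOTED), ("driver rejects", LOG_DRIVER_REJECTS)):
        print(name, audit_ibss_keys(log))
```

A `joined-without-key` verdict alongside CTRL-EVENT-CONNECTED is the case raised in the thread where the network comes up unencrypted.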


