Potential Bug in 802.11 Open-Authentication State Machine

Jinghao Shi jinghaos at buffalo.edu
Thu Jan 12 12:49:30 PST 2017


We are conducting a research project that verifies implementations of
802.11 authentication/association state machine. Here is one testing
scenario under which we have observed unexpected behaviors from hostapd. We
want to confirm if our finding is valid.

In the test case, the AUTH response packet (from the AP to the client) is
received by the client but the corresponding ack packet (from client to AP)
is lost. And all the re-transmissions of the AUTH response packet are also
lost. Then the AP will consider the AUTH response packet failed. But the
client thinks the authentication was successful (since it receives the AUTH
response packet). So the client will continue and send the ASSOC request.

From reading the code of hostapd, in the
src/ap/ieee802_11.c:handle_auth_cb function,
it seems the success of the AUTH response packet is required for the AP to
consider the client as authenticated (if the AUTH response packet failed
(ok=0), the function will return immediately without setting the
WLAN_STA_AUTH flag of the sta), which makes sense.

However, when open authentication is used, hostapd marks the client as
authenticated as soon as it receives the AUTH request packet (
src/ap/ieee802_11.c:handle_auth). Does this violate the authentication
protocol as the AUTH response packet may not be successful?

I guess the ultimate question is: *should the AP consider the client as
authenticated if the AUTH response packet failed?*

It would be highly appreciated if somebody could offer clarification.

Jinghao Shi
Ph.D. student at University at Buffalo
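As an added illustration (not code from the post or from hostapd), a small Python model of the two AP policies the question contrasts: marking the STA authenticated on receipt of the AUTH request versus only after the AUTH response transmission is confirmed. The `auth_on_request` switch, the event strings and the `simulate` helper are assumptions of this model; reason code 6 is the standard 802.11 value for a class-2 frame from a non-authenticated STA.

```python
"""Toy model of the open-system authentication scenario from the post."""
from dataclasses import dataclass, field

# 802.11 reason code an AP sends when a class-2 frame (e.g. an ASSOC request)
# arrives from a STA it does not consider authenticated.
REASON_CLASS2_FRAME_FROM_NONAUTH_STA = 6


@dataclass
class Ap:
    # Hypothetical policy switch (not a hostapd option): True mirrors the
    # handle_auth() behaviour described in the post, marking the STA
    # authenticated as soon as the AUTH request arrives; False waits for the
    # AUTH response TX callback (handle_auth_cb with ok=1).
    auth_on_request: bool
    sta_auth: bool = False
    events: list = field(default_factory=list)

    def handle_auth(self):
        self.events.append("AP: rx AUTH request")
        if self.auth_on_request:
            self.sta_auth = True
        self.events.append("AP: tx AUTH response")

    def handle_auth_cb(self, ok):
        self.events.append(f"AP: AUTH response tx {'ok' if ok else 'failed'}")
        if ok:
            self.sta_auth = True  # the only path to 'authenticated' when ack is required

    def handle_assoc(self):
        self.events.append("AP: rx ASSOC request")
        if not self.sta_auth:
            return ("deauth", REASON_CLASS2_FRAME_FROM_NONAUTH_STA)
        return ("assoc_response", 0)


def simulate(auth_on_request, ack_lost):
    """Client receives the first AUTH response; with ack_lost, every ack
    (and every retransmission) is lost, so the AP's TX callback reports failure."""
    ap = Ap(auth_on_request)
    ap.handle_auth()
    client_auth = True  # the client got the response and believes it is authenticated
    ap.handle_auth_cb(ok=not ack_lost)
    ap_reply = ap.handle_assoc()  # the client proceeds to association either way
    return {"ap_auth": ap.sta_auth, "client_auth": client_auth,
            "ap_reply": ap_reply, "events": list(ap.events)}
```

With `auth_on_request=False` and the acks lost, the two sides disagree: the client believes it is authenticated while the AP answers the ASSOC request with a deauthentication.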
