RSN-IE mismatch and WPA2 preauth

[Zimmermann, Christopher Brian Chris]

More pre-authentication fun.

I'm using two APs; both from the WPA2/WMM testbed.  One is from Gateway
(Instant802 Self-Managed AP) and the other is a Broadcom reference
design.  

The problem I am seeing is that the capabilities field in the RSN-IE for
each is different.  The Gateway AP (00:e0:b8:76:27:16 ) sets the
capabilities field to 0x003D, and the Broadcom AP (00:10:18:90:20:78 )
sets it to 0x0001.  

This causes a pre-authenticated AP to fail at message 3/4.

Log snippets:

I associate to the Broadcom AP
WPA: Key negotiation completed with 00:10:18:90:20:78 [PTK=CCMP
GTK=CCMP]

I pre-authenticate to the Gateway AP
RSN: pre-authentication with 00:e0:b8:76:27:16 completed successfully

I turn off the radio on the Broadcom AP to force pre-auth to the
gateway...
WPA: IE in 3/4 msg does not match with IE in Beacon/ProbeResp
(src=00:e0:b8:76:27:16)
WPA: RSN IE in Beacon/ProbeResp - hexdump(len=22): 30 14 01 00 00 0f ac
04 01 00 00 0f ac 04 01 00 00 0f ac 01 01 00
WPA: RSN IE in 3/4 msg - hexdump(len=22): 30 14 01 00 00 0f ac 04 01 00
00 0f ac 04 01 00 00 0f ac 01 3d 00

It appears that wpa_supplicant does not keep the probe-rsp RSN-IE around
for multiple APs, just the one it originally associates to.  At a quick
inspection: 

wpa_supplicant_set_suites() is called with a valid bss (scan result
information)  From the scope of wpa_supplicant_associate().  When this
happens, the bss->rsn_ie is stored into the wpa_s->ap_rsn_ie element.
It seems to me this bug would exhibit itself even under normal roaming,
not just under pre-authentication.  

Should the ap_rsn_ie's be kept around, at least in the struct
rsn_pmksa_candidate, and then copied into the wpa_s element under the
scope of EVENT_ASSOCINFO reporting to wpa_supplicant_event()?  

This seems like a logical way of fixing it, but may not be the best way
for the wpa_supplicant architecture on a whole.

Thanks,
Chris

Chris Zimmermann
Senior Software Engineer, Agere Systems
cbzimmermann at agere.com