[PATCH 4/4] wpa_supplicant: Add GTK RSC relaxation workaround
Peer, Ilan
ilan.peer at intel.com
Sun Nov 1 23:51:15 PST 2015
>
> On Wed, Oct 14, 2015 at 12:26:33PM +0300, Ilan Peer wrote:
> > Some APs may send RSC octets in EAP message 3 of 4-Way Handshake or in
> > EAP message 1 of Group Key Handshake in the opposite order. Thus,
> > after a successful EAP authentication the TSC values of received
> > multicast packets, such as DHCP, don't match the RSC one and as a
> > result these packets are dropped on replay attack TSC verification. An
> > example of such AP is Sapido RB-1732.
> >
> > Workaournd this by setting RSC octets to 0 on GTK installation if the
> > AP RSC value is identified as a potentially having the byte order issue.
> > The wpa_rsc_relaxation global configuration property allows to disable
> > the GTK RSC workaround if it's not needed.
>
> Thanks, applied with some fixes and cleanup.
>
> > +static int wpa_supplicant_get_wpa_rsc_relaxation(const struct wpa_sm
> > +*sm) {
> > + if (sm->ctx->get_wpa_rsc_relaxation)
> > + return sm->ctx->get_wpa_rsc_relaxation(sm->ctx->ctx);
> > + return 0;
> > +}
>
> There is no need to add a separate function pointer and callback for this;
> there is already a mechanism for updating WPA/RSN configuration
> parameters for each connection. I replaced this callback mechanism with a
> new such configuration parameter.
>
I'll remember this in the future.
> > +static int wpa_supplicant_rsc_relaxation(const struct wpa_sm *sm,
> > + const u8 *rsc)
> > +{
> > + int rsclen;
> > +
> > + if (wpa_supplicant_get_wpa_rsc_relaxation(sm))
> > + return 0;
>
> This logic looks reversed, i.e., that needs to be "if
> (!wpa_supplicant_get_wpa_rsc_relaxation(sm))"..
>
Yep. Thanks for catching this.
Thanks,
Ilan.
More information about the Hostap
mailing list