[RFC] hostapd: MFP: Handle auth request from an associated station

Ilan Peer ilan.peer at intel.com
Sat Jun 18 11:24:46 PDT 2016 

From: Beni Lev <beni.lev at intel.com>

One of the purposes of the MFP mechanism is to protect from an attacker
to cause a disconnection of a STA connected to an AP.
Such an attack can be done by injecting an auth request on behalf of
the connected STA.

In the current implementation, when an auth request is received
from an associated station, the station might be removed and re-added,
keys are freed and more changes to the station are made.
In order to protect such a station that uses MFP from being kicked out
by an auth request injection, just reply to the auth request without changing
the sta's state.

In the case that the STA wants to reassociate, the STA will proceed to association.
In this case, the AP will send an assoc response with code 30(rejected temporarily),
an initiate an SA query. Since the sta will fail this, as it is not
associated anymore, the AP will deauth the STA, and the STA will go over the whole
process again, but this time not as an associated STA.

In case of an injection attack, the attacker may proceed with association request
injection, in this case, the SA query will succeed, all this without having any
change to the STA's state.

Signed-off-by: Beni Lev <beni.lev at intel.com>
---
 src/ap/ieee802_11.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index f6fca67..f3807b1 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -1181,6 +1181,20 @@ static void handle_auth(struct hostapd_data *hapd,
 			return;
 		}
 #endif /* CONFIG_MESH */
+#ifdef CONFIG_IEEE80211W
+		/* TODO: handle other authentication algorithms */
+		if (sta->flags & WLAN_STA_MFP && ap_sta_is_authorized(sta) &&
+		    auth_alg == WLAN_AUTH_OPEN) {
+			wpa_printf(MSG_WARNING, "STA " MACSTR
+				   " got authentication frame while already authorized and uses MFP - reply without changing STA's state",
+				   MAC2STR(mgmt->sa));
+
+			send_auth_reply(hapd, mgmt->sa, mgmt->bssid, auth_alg,
+					auth_transaction + 1, resp, resp_ies,
+					resp_ies_len);
+			return;
+		}
+#endif /* CONFIG_IEEE80211W */
 	} else {
 #ifdef CONFIG_MESH
 		if (hapd->conf->mesh & MESH_ENABLED) {
-- 
2.5.0

More information about the Hostap mailing list