PTK msg 3/4 bug

Chris Zimmermann cbzimmermann at mac.com
Fri May 12 13:08:31 EDT 2006


I'm using v0.5.3 of hostapd and have found an issue doing WPA2-PSK,  
with the WPA/RSN IE sent in PTK message 3/4 from the AP to the STA.

The 802.11i specification says that the WPA/RSN IE sent in the 802.11  
beacon/probe-rsp message be sent in PTK msg 3/4.  It doesn't seem  
like both the WPA and RSN IE should get sent to an STA in this message.

There is an issue with the RSN case.  When doing WPA, hostapd has  
code for removing the RSN IE and sending only the WPA IE.  But there  
is no provision for the converse situation.  While this works for  
Windows clients, it causes an issue with Mac clients.  The Mac client  
expects to see only the WPA or RSN IE, based upon the IE sent in the  
802.11 assoc-req.

Based on what I am seeing in wpa_gen_wpa_ie(), the RSN IE is always  
generated first, followed by the WPA IE.  Despite this, I modified  
the code to handle the case where the WPA/RSN IEs could be in any order  
(in case hostapd ever asks the driver for the IE[s], rather than  
generating it...since some drivers don't actually allow/handle the  
optional IEs to be set).

The change is in
	File: wpa.c
	Function: SM_STATE(WPA_PTK, PTKINITNEGOTIATING)

Old code

	if (sm->wpa == WPA_VERSION_WPA &&
	    (sm->wpa_auth->conf.wpa & HOSTAPD_WPA_VERSION_WPA2) &&
	    wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) {
		/* WPA-only STA, remove RSN IE */
		wpa_ie = wpa_ie + wpa_ie[1] + 2;
		wpa_ie_len = wpa_ie[1] + 2;
	}

My changes

	if (wpa_ie_len > wpa_ie[1] + 2) {
		if (sm->wpa == WPA_VERSION_WPA) {
			if (wpa_ie[0] == WLAN_EID_RSN) {
				wpa_ie = wpa_ie + wpa_ie[1] + 2;
				wpa_ie_len = wpa_ie[1] + 2;
			}
			else {
				wpa_ie_len = wpa_ie[1] + 2;
			}
		}
		else if (sm->wpa == WPA_VERSION_WPA2) {
			if (wpa_ie[0] == WLAN_EID_GENERIC) {
				wpa_ie = wpa_ie + wpa_ie[1] + 2;
				wpa_ie_len = wpa_ie[1] + 2;
			}
			else {
				wpa_ie_len = wpa_ie[1] + 2;
			}
		}
	}

This fixed the issue with Mac clients, and doesn't seem to break  
Windows clients.

Thanks,
Chris

-- 
Chris Zimmermann
cbzimmermann at mac.com
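
Added example (not part of the original post and not hostapd code): an order-independent, bounds-checked way to pick the single IE for PTK msg 3/4 from a buffer holding both. The function and enum names, the local EID macros and the sample buffer are assumptions made for this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define EID_RSN    48   /* RSN IE (WPA2) */
#define EID_VENDOR 221  /* vendor-specific; the WPA IE is OUI 00:50:F2, type 1 */
enum ver { VER_WPA = 1, VER_WPA2 = 2 };  /* example-local names */

/* Constructed sample: minimal RSN IE followed by minimal WPA IE. */
static const uint8_t sample_ies[] = {
	48, 2, 0x01, 0x00,                           /* RSN IE, version 1 */
	221, 6, 0x00, 0x50, 0xf2, 0x01, 0x01, 0x00,  /* WPA IE, version 1 */
};

static int is_wpa_ie(const uint8_t *ie)
{
	static const uint8_t oui_type[4] = { 0x00, 0x50, 0xf2, 0x01 };
	return ie[0] == EID_VENDOR && ie[1] >= 4 && memcmp(ie + 2, oui_type, 4) == 0;
}

/* Return the IE matching the negotiated version, in whatever order the IEs
 * appear; NULL if absent or if an element's length overruns the buffer. */
const uint8_t *select_ptk_ie(const uint8_t *buf, size_t len,
			     enum ver negotiated, size_t *out_len)
{
	size_t pos = 0;

	while (len - pos >= 2) {
		const uint8_t *ie = buf + pos;
		size_t ie_len = (size_t)ie[1] + 2;

		if (ie_len > len - pos)
			return NULL;  /* length byte points past the buffer */
		if ((negotiated == VER_WPA2 && ie[0] == EID_RSN) ||
		    (negotiated == VER_WPA && is_wpa_ie(ie))) {
			*out_len = ie_len;
			return ie;
		}
		pos += ie_len;
	}
	return NULL;
}

int main(void)
{
	size_t n = 0;
	const uint8_t *ie = select_ptk_ie(sample_ies, sizeof(sample_ies), VER_WPA2, &n);
	return !(ie == sample_ies && n == 4);
}
```

Unlike a check on only the first element, the walk validates every length byte against the remaining buffer before the element is read or skipped.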





