Bug in selection algorithm when dynamically changing AP from WEP to WPA2 personal

Naoumenko, PaulX paulx.naoumenko at intel.com
Thu Jul 18 09:25:17 EDT 2013


HI all,

I noticed a wrong behavior in the supplicant's algorithm for selecting networks.



Here is the scenario:

First, a connection to a wep access point.

Here are its characteristics (Android framework trace):



07-16 15:08:42.259 I/WifiConfigStore( 463): Current config: ID: 0 SSID: "Paulx" BSSID: null PRIO: 0

07-16 15:08:42.259 I/WifiConfigStore( 463): KeyMgmt: NONE Protocols: WPA RSN

07-16 15:08:42.259 I/WifiConfigStore( 463): AuthAlgorithms: OPEN SHARED

07-16 15:08:42.259 I/WifiConfigStore( 463): PairwiseCiphers: TKIP CCMP

07-16 15:08:42.259 I/WifiConfigStore( 463): GroupCiphers: WEP40 WEP104 TKIP CCMP

07-16 15:08:42.259 I/WifiConfigStore( 463): PSK:

07-16 15:08:42.259 I/WifiConfigStore( 463): eap:

07-16 15:08:42.259 I/WifiConfigStore( 463): phase1:

07-16 15:08:42.259 I/WifiConfigStore( 463): phase2:

07-16 15:08:42.259 I/WifiConfigStore( 463): identity:

07-16 15:08:42.259 I/WifiConfigStore( 463): anonymous_identity:

07-16 15:08:42.259 I/WifiConfigStore( 463): password: *

07-16 15:08:42.259 I/WifiConfigStore( 463): client_cert:

07-16 15:08:42.259 I/WifiConfigStore( 463): engine: 0

07-16 15:08:42.259 I/WifiConfigStore( 463): engine_id:

07-16 15:08:42.259 I/WifiConfigStore( 463): key_id:

07-16 15:08:42.259 I/WifiConfigStore( 463): ca_cert:

07-16 15:08:42.259 I/WifiConfigStore( 463): pcsc:

07-16 15:08:42.259 I/WifiConfigStore( 463): pac_file:

07-16 15:08:42.259 I/WifiConfigStore( 463): IP assignment: DHCP

07-16 15:08:42.259 I/WifiConfigStore( 463): Proxy settings: NONE

07-16 15:08:42.259 I/WifiConfigStore( 463): LinkAddresses: [] Routes: [] DnsAddresses: []



I dynamically change the access point's security and switch to wpa2 personal:



Characteristics are:



07-16 15:53:31.315 I/WifiConfigStore( 463): Current config: ID: 0 SSID: "Paulx" BSSID: null PRIO: 0

07-16 15:53:31.315 I/WifiConfigStore( 463): KeyMgmt: WPA_PSK Protocols: WPA RSN

07-16 15:53:31.315 I/WifiConfigStore( 463): AuthAlgorithms:

07-16 15:53:31.315 I/WifiConfigStore( 463): PairwiseCiphers: TKIP CCMP

07-16 15:53:31.315 I/WifiConfigStore( 463): GroupCiphers: WEP40 WEP104 TKIP CCMP

07-16 15:53:31.315 I/WifiConfigStore( 463): PSK: *

07-16 15:53:31.315 I/WifiConfigStore( 463): eap:

07-16 15:53:31.315 I/WifiConfigStore( 463): phase1:

07-16 15:53:31.315 I/WifiConfigStore( 463): phase2:

07-16 15:53:31.315 I/WifiConfigStore( 463): identity:

07-16 15:53:31.315 I/WifiConfigStore( 463): anonymous_identity:

07-16 15:53:31.315 I/WifiConfigStore( 463): password: *

07-16 15:53:31.315 I/WifiConfigStore( 463): client_cert:

07-16 15:53:31.315 I/WifiConfigStore( 463): engine: 0

07-16 15:53:31.315 I/WifiConfigStore( 463): engine_id:

07-16 15:53:31.315 I/WifiConfigStore( 463): key_id:

07-16 15:53:31.315 I/WifiConfigStore( 463): ca_cert:

07-16 15:53:31.315 I/WifiConfigStore( 463): pcsc:

07-16 15:53:31.315 I/WifiConfigStore( 463): pac_file:

07-16 15:53:31.315 I/WifiConfigStore( 463): IP assignment: DHCP

07-16 15:53:31.315 I/WifiConfigStore( 463): Proxy settings: NONE

07-16 15:53:31.315 I/WifiConfigStore( 463): LinkAddresses: [] Routes: [] DnsAddresses: []





So it has the same ssid, the same bssid, the same protocols, pairwise ciphers and group ciphers. The only difference here is the difference between key management. A bit wise operator between the scanned keymgmt and the remembered keymgmt returns 0.





What happens is : first the station is deauthenticated from the wep Ap (obviously), but when the wpa2 ap appears in the scan results, the supplicant tries to connect to this ap as if it was the prevously remembered WEP one. The association fails but the supplicant keeps trying to reconnect to this wrong AP 10 times before it is disabled.

What is wrong here is that the wpa_scan_res_match function, and specifically wpa_supplicant_ssid_bss_match does not manage to filter out this particular case. I think that after all the tests performed in wpa_supplicant_ssid_bss_match, if the key management is different, we can safely say that the scanned ap and the remembered one are two different networks and that the supplicant should not think that it can connect to the newly appeared wpa2 AP.



What are your comments about this issue?





Thanks,


Paul Naoumenko
---------------------------------------------------------------------
Intel Corporation SAS (French simplified joint stock company)
Registered headquarters: "Les Montalets"- 2, rue de Paris, 
92196 Meudon Cedex, France
Registration Number:  302 456 199 R.C.S. NANTERRE
Capital: 4,572,000 Euros

This e-mail and any attachments may contain confidential material for
the sole use of the intended recipient(s). Any review or distribution
by others is strictly prohibited. If you are not the intended
recipient, please contact the sender and delete all copies.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.shmoo.com/pipermail/hostap/attachments/20130718/5e1fabaa/attachment.htm>


More information about the HostAP mailing list