Bug in selection algorithm when dynamically changing AP from WEP to WPA2 personal

Jouni Malinen j at w1.fi
Sat Jul 20 10:15:06 EDT 2013


On Thu, Jul 18, 2013 at 01:25:17PM +0000, Naoumenko, PaulX wrote:
> I noticed a wrong behavior in the supplicant's algorithm for selecting networks.

I'm not sure I understood the exact case you were describing since the
debug log was quite limited. Getting a proper debug log from
wpa_supplicant would be much more helpful.

> I dynamically change the access point's security and switch to wpa2 personal:

> So it has the same ssid, the same bssid, the same protocols, pairwise ciphers and group ciphers. The only difference here is the difference between key management. A bitwise operator between the scanned keymgmt and the remembered keymgmt returns 0.

Please note that a WPA2-Personal AP looks like a WEP AP for a station
that is using WEP (i.e., the Privacy bit is set and a WEP STA would not
know about WPA/RSN element).

> What happens is: first the station is deauthenticated from the wep AP (obviously), but when the wpa2 ap appears in the scan results, the supplicant tries to connect to this ap as if it was the previously remembered WEP one. The association fails but the supplicant keeps trying to reconnect to this wrong AP 10 times before it is disabled.

If you have a WEP network configuration enabled, wpa_supplicant will try
to use it with a matching network and that WPA2-Personal AP with such
configuration would match.

> What is wrong here is that the wpa_scan_res_match function, and specifically wpa_supplicant_ssid_bss_match does not manage to filter out this particular case. I think that after all the tests performed in wpa_supplicant_ssid_bss_match, if the key management is different, we can safely say that the scanned ap and the remembered one are two different networks and that the supplicant should not think that it can connect to the newly appeared wpa2 AP.

If you do not want to use WEP, you should not leave a WEP network
enabled in wpa_supplicant. By design, wpa_supplicant will not use
WPA/RSN elements if it is configured to use WEP (i.e., this
configuration is interpreted as a request to behave like a WEP station
that is not aware of WPA/RSN). If you have two networks enabled with one
of them configured for WEP and the other one for WPA/WPA2-Personal, the
current wpa_supplicant version should disable the WEP network
temporarily based on a connection failure and try to connect with the
WPA/WPA2 network block after that. If that is not working, please
provide a wpa_supplicant debug log showing this.

-- 
Jouni Malinen                                            PGP id EFC895FA
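
The selection behaviour described in the reply above, as an added example that is not part of the original message and is not wpa_supplicant source code: a simplified C model in which a WEP network block matches any BSS with the Privacy bit set, and a failed block is temporarily disabled so the next matching block is tried. All type and function names are hypothetical, and disabling a block after a single failure is a simplification.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model, hypothetical names; not wpa_supplicant code. */
enum key_mgmt { KM_WEP, KM_WPA_PSK };
struct bss { bool privacy; bool rsn_ie; };             /* constructed scan result */
struct net { enum key_mgmt key_mgmt; bool disabled; }; /* configured network block */

/* A WEP block acts like a WEP-only station: it compares the Privacy bit and
 * never looks at WPA/RSN elements. A WPA/WPA2 block requires the element. */
bool net_matches(const struct net *n, const struct bss *b)
{
    if (n->disabled)
        return false;
    return n->key_mgmt == KM_WEP ? b->privacy : b->rsn_ie;
}

/* Association succeeds only when both sides use the same security mode. */
bool assoc_ok(const struct net *n, const struct bss *b)
{
    return (n->key_mgmt == KM_WPA_PSK) == b->rsn_ie && b->privacy;
}

/* Index of the first enabled block that matches the BSS, or -1. */
int select_net(const struct net *nets, size_t count, const struct bss *b)
{
    for (size_t i = 0; i < count; i++)
        if (net_matches(&nets[i], b))
            return (int)i;
    return -1;
}

/* A block whose association fails is temporarily disabled so the next
 * matching block gets a turn. Returns the connected block, or -1. */
int connect_to(struct net *nets, size_t count, const struct bss *b)
{
    int i;
    while ((i = select_net(nets, count, b)) >= 0) {
        if (assoc_ok(&nets[i], b))
            return i;
        nets[i].disabled = true;
    }
    return -1;
}

int main(void)
{
    struct bss wpa2_ap = { true, true };  /* Privacy bit set, RSN element present */
    struct net nets[] = { { KM_WEP, false }, { KM_WPA_PSK, false } };
    printf("connected with block %d\n", connect_to(nets, 2, &wpa2_ap));
    return 0;
}
```

With only the WEP block configured, the model keeps selecting the WPA2-Personal AP until the block is disabled and never connects, which is the situation the reply advises avoiding by not leaving a WEP network enabled.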

