Navigation

← Previous Changeset
Next Changeset →

Changeset 1357

Timestamp:

12/14/05 11:36:27 (6 years ago)

Author:

mrenzmann

Message:

As reported by Jouni Malinen in #132, MadWifi reported only one IE
even if the AP announced both WPA IE (WPA) and RSN IE (WPA2). In
such cases MadWifi preferred WPA2, which prevents the userspace
supplicant from being able to do proper downgrade attack protection
and restricts configuration options for the user.

This is now fixed by saving and reporting both IEs if
necessary.

Signed-off-by: Charles Bovy <charles@bovy.nl>

Files:

trunk/net80211/ieee80211_input.c (modified) (22 diffs)
trunk/net80211/ieee80211_node.c (modified) (3 diffs)
trunk/net80211/ieee80211_node.h (modified) (1 diff)
trunk/net80211/ieee80211_scan.h (modified) (2 diffs)
trunk/net80211/ieee80211_scan_sta.c (modified) (1 diff)
trunk/net80211/ieee80211_wireless.c (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed
: Modified
: Copied
: Moved

trunk/net80211/ieee80211_input.c

r1336	r1357
1641	1641	static int
1642	1642	ieee80211_parse_wpa(struct ieee80211vap vap, u_int8_t frm,
1643		struct ieee80211_rsnparms rsn, const struct ieee80211_frame wh)
	1643	struct ieee80211_rsnparms rsn_parm, const struct ieee80211_frame wh)
1644	1644	{
1645	1645	u_int8_t len = frm[1];
…	…
1677	1677
1678	1678	/* multicast/group cipher */
1679		w = wpa_cipher(frm, &rsn->rsn_mcastkeylen);
1680		if (w != rsn->rsn_mcastcipher) {
	1679	w = wpa_cipher(frm, &rsn_parm->rsn_mcastkeylen);
	1680	if (w != rsn_parm->rsn_mcastcipher) {
1681	1681	IEEE80211_DISCARD_IE(vap,
1682	1682	IEEE80211_MSG_ELEMID \| IEEE80211_MSG_WPA,
1683	1683	wh, "WPA", "mcast cipher mismatch; got %u, expected %u",
1684		w, rsn->rsn_mcastcipher);
	1684	w, rsn_parm->rsn_mcastcipher);
1685	1685	return IEEE80211_REASON_IE_INVALID;
1686	1686	}
…	…
1699	1699	w = 0;
1700	1700	for (; n > 0; n--) {
1701		w \|= 1<<wpa_cipher(frm, &rsn->rsn_ucastkeylen);
	1701	w \|= 1<<wpa_cipher(frm, &rsn_parm->rsn_ucastkeylen);
1702	1702	frm += 4, len -= 4;
1703	1703	}
1704		w &= rsn->rsn_ucastcipherset;
	1704	w &= rsn_parm->rsn_ucastcipherset;
1705	1705	if (w == 0) {
1706	1706	IEEE80211_DISCARD_IE(vap,
…	…
1710	1710	}
1711	1711	if (w & (1<<IEEE80211_CIPHER_TKIP))
1712		rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
	1712	rsn_parm->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
1713	1713	else
1714		rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
	1714	rsn_parm->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
1715	1715
1716	1716	/* key management algorithms */
…	…
1729	1729	frm += 4, len -= 4;
1730	1730	}
1731		w &= rsn->rsn_keymgmtset;
	1731	w &= rsn_parm->rsn_keymgmtset;
1732	1732	if (w == 0) {
1733	1733	IEEE80211_DISCARD_IE(vap,
…	…
1737	1737	}
1738	1738	if (w & WPA_ASE_8021X_UNSPEC)
1739		rsn->rsn_keymgmt = WPA_ASE_8021X_UNSPEC;
	1739	rsn_parm->rsn_keymgmt = WPA_ASE_8021X_UNSPEC;
1740	1740	else
1741		rsn->rsn_keymgmt = WPA_ASE_8021X_PSK;
	1741	rsn_parm->rsn_keymgmt = WPA_ASE_8021X_PSK;
1742	1742
1743	1743	if (len > 2) /* optional capabilities */
1744		rsn->rsn_caps = LE_READ_2(frm);
	1744	rsn_parm->rsn_caps = LE_READ_2(frm);
1745	1745
1746	1746	return 0;
…	…
1809	1809	static int
1810	1810	ieee80211_parse_rsn(struct ieee80211vap vap, u_int8_t frm,
1811		struct ieee80211_rsnparms rsn, const struct ieee80211_frame wh)
	1811	struct ieee80211_rsnparms rsn_parm, const struct ieee80211_frame wh)
1812	1812	{
1813	1813	u_int8_t len = frm[1];
…	…
1844	1844
1845	1845	/* multicast/group cipher */
1846		w = rsn_cipher(frm, &rsn->rsn_mcastkeylen);
1847		if (w != rsn->rsn_mcastcipher) {
	1846	w = rsn_cipher(frm, &rsn_parm->rsn_mcastkeylen);
	1847	if (w != rsn_parm->rsn_mcastcipher) {
1848	1848	IEEE80211_DISCARD_IE(vap,
1849	1849	IEEE80211_MSG_ELEMID \| IEEE80211_MSG_WPA,
1850	1850	wh, "RSN", "mcast cipher mismatch; got %u, expected %u",
1851		w, rsn->rsn_mcastcipher);
	1851	w, rsn_parm->rsn_mcastcipher);
1852	1852	return IEEE80211_REASON_IE_INVALID;
1853	1853	}
…	…
1866	1866	w = 0;
1867	1867	for (; n > 0; n--) {
1868		w \|= 1<<rsn_cipher(frm, &rsn->rsn_ucastkeylen);
	1868	w \|= 1<<rsn_cipher(frm, &rsn_parm->rsn_ucastkeylen);
1869	1869	frm += 4, len -= 4;
1870	1870	}
1871		w &= rsn->rsn_ucastcipherset;
	1871	w &= rsn_parm->rsn_ucastcipherset;
1872	1872	if (w == 0) {
1873	1873	IEEE80211_DISCARD_IE(vap,
…	…
1877	1877	}
1878	1878	if (w & (1<<IEEE80211_CIPHER_TKIP))
1879		rsn->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
	1879	rsn_parm->rsn_ucastcipher = IEEE80211_CIPHER_TKIP;
1880	1880	else
1881		rsn->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
	1881	rsn_parm->rsn_ucastcipher = IEEE80211_CIPHER_AES_CCM;
1882	1882
1883	1883	/* key management algorithms */
…	…
1896	1896	frm += 4, len -= 4;
1897	1897	}
1898		w &= rsn->rsn_keymgmtset;
	1898	w &= rsn_parm->rsn_keymgmtset;
1899	1899	if (w == 0) {
1900	1900	IEEE80211_DISCARD_IE(vap,
…	…
1904	1904	}
1905	1905	if (w & RSN_ASE_8021X_UNSPEC)
1906		rsn->rsn_keymgmt = RSN_ASE_8021X_UNSPEC;
	1906	rsn_parm->rsn_keymgmt = RSN_ASE_8021X_UNSPEC;
1907	1907	else
1908		rsn->rsn_keymgmt = RSN_ASE_8021X_PSK;
	1908	rsn_parm->rsn_keymgmt = RSN_ASE_8021X_PSK;
1909	1909
1910	1910	/* optional RSN capabilities */
1911	1911	if (len > 2)
1912		rsn->rsn_caps = LE_READ_2(frm);
	1912	rsn_parm->rsn_caps = LE_READ_2(frm);
1913	1913	/* XXXPMKID */
1914	1914
…	…
2201	2201	struct ieee80211_frame *wh;
2202	2202	u_int8_t frm, efrm;
2203		u_int8_t ssid, rates, xrates, wpa, wme, ath;
	2203	u_int8_t ssid, rates, xrates, wpa, rsn, wme, *ath;
2204	2204	u_int8_t rate;
2205	2205	int reassoc, resp, allocbs;
…	…
2299	2299	break;
2300	2300	case IEEE80211_ELEMID_RSN:
2301		scan.~~wpa~~ = frm;
	2301	scan.rsn = frm;
2302	2302	break;
2303	2303	case IEEE80211_ELEMID_VENDOR:
…	…
2674	2674	case IEEE80211_FC0_SUBTYPE_REASSOC_REQ: {
2675	2675	u_int16_t capinfo, bintval;
2676		struct ieee80211_rsnparms rsn;
	2676	struct ieee80211_rsnparms rsn_parm;
2677	2677	u_int8_t reason;
2678	2678
…	…
2716	2716	if (reassoc)
2717	2717	frm += 6; /* ignore current AP info */
2718		ssid = rates = xrates = wpa = wme = ath = NULL;
	2718	ssid = rates = xrates = wpa = rsn = wme = ath = NULL;
2719	2719	while (frm < efrm) {
2720	2720	switch (*frm) {
…	…
2731	2731	case IEEE80211_ELEMID_RSN:
2732	2732	if (vap->iv_flags & IEEE80211_F_WPA2)
2733		~~wpa~~ = frm;
	2733	rsn = frm;
2734	2734	else
2735	2735	IEEE80211_DPRINTF(vap,
…	…
2790	2790	}
2791	2791
2792		if (~~wpa~~ != NULL) {
	2792	if (rsn != NULL) {
2793	2793	/*
2794	2794	* Parse WPA information element. Note that
…	…
2798	2798	* installed below after the association is assured.
2799	2799	*/
2800		rsn = ni->ni_rsn;
2801		if (~~wpa~~[0] != IEEE80211_ELEMID_RSN)
2802		reason = ieee80211_parse_wpa(vap, ~~wpa, &rsn~~, wh);
	2800	rsn_parm = ni->ni_rsn;
	2801	if (rsn[0] != IEEE80211_ELEMID_RSN)
	2802	reason = ieee80211_parse_wpa(vap, rsn, &rsn_parm, wh);
2803	2803	else
2804		reason = ieee80211_parse_rsn(vap, ~~wpa, &rsn~~, wh);
	2804	reason = ieee80211_parse_rsn(vap, rsn, &rsn_parm, wh);
2805	2805	if (reason != 0) {
2806	2806	IEEE80211_SEND_MGMT(ni,
…	…
2815	2815	wh->i_addr2,
2816	2816	"%s ie: mc %u/%u uc %u/%u key %u caps 0x%x",
2817		~~wpa~~[0] != IEEE80211_ELEMID_RSN ? "WPA" : "RSN",
2818		rsn~~.rsn_mcastcipher, rsn~~.rsn_mcastkeylen,
2819		rsn~~.rsn_ucastcipher, rsn~~.rsn_ucastkeylen,
2820		rsn~~.rsn_keymgmt, rsn~~.rsn_caps);
	2817	rsn[0] != IEEE80211_ELEMID_RSN ? "WPA" : "RSN",
	2818	rsn_parm.rsn_mcastcipher, rsn_parm.rsn_mcastkeylen,
	2819	rsn_parm.rsn_ucastcipher, rsn_parm.rsn_ucastkeylen,
	2820	rsn_parm.rsn_keymgmt, rsn_parm.rsn_caps);
2821	2821	}
2822	2822	/* discard challenge after association */
…	…
2887	2887	* for applications that require it.
2888	2888	*/
2889		~~ni->ni_rsn = rsn;~~
2890	2889	ieee80211_saveie(&ni->ni_wpa_ie, wpa);
2891	2890	} else if (ni->ni_wpa_ie != NULL) {
…	…
2895	2894	FREE(ni->ni_wpa_ie, M_DEVBUF);
2896	2895	ni->ni_wpa_ie = NULL;
	2896	}
	2897	if (rsn != NULL) {
	2898	/*
	2899	* Record WPA/RSN parameters for station, mark
	2900	* node as using WPA and record information element
	2901	* for applications that require it.
	2902	*/
	2903	ni->ni_rsn = rsn_parm;
	2904	ieee80211_saveie(&ni->ni_rsn_ie, rsn);
	2905	} else if (ni->ni_rsn_ie != NULL) {
	2906	/*
	2907	* Flush any state from a previous association.
	2908	*/
	2909	FREE(ni->ni_rsn_ie, M_DEVBUF);
	2910	ni->ni_rsn_ie = NULL;
2897	2911	}
2898	2912	if (wme != NULL) {

trunk/net80211/ieee80211_node.c

r1336	r1357
647	647	if (se->se_wpa_ie != NULL)
648	648	ieee80211_saveie(&ni->ni_wpa_ie, se->se_wpa_ie);
	649	if (se->se_rsn_ie != NULL)
	650	ieee80211_saveie(&ni->ni_rsn_ie, se->se_rsn_ie);
649	651	if (se->se_wme_ie != NULL)
650	652	ieee80211_saveie(&ni->ni_wme_ie, se->se_wme_ie);
…	…
792	794	if (ni->ni_wpa_ie != NULL)
793	795	FREE(ni->ni_wpa_ie, M_DEVBUF);
	796	if (ni->ni_rsn_ie != NULL)
	797	FREE(ni->ni_rsn_ie, M_DEVBUF);
794	798	if (ni->ni_wme_ie != NULL)
795	799	FREE(ni->ni_wme_ie, M_DEVBUF);
…	…
1178	1182	if (sp->wpa != NULL)
1179	1183	ieee80211_saveie(&ni->ni_wpa_ie, sp->wpa);
	1184	if (sp->rsn != NULL)
	1185	ieee80211_saveie(&ni->ni_rsn_ie, sp->rsn);
1180	1186	if (sp->ath != NULL)
1181	1187	ieee80211_saveath(ni, sp->ath);

trunk/net80211/ieee80211_node.h

r1294	r1357
123	123	u_int16_t ni_vlan; /* vlan tag */
124	124	u_int32_t ni_challenge; / shared-key challenge */
125		u_int8_t ni_wpa_ie; / captured WPA/RSN ie */
	125	u_int8_t ni_wpa_ie; / captured WPA ie */
	126	u_int8_t ni_rsn_ie; / captured RSN ie */
126	127	u_int8_t ni_wme_ie; / captured WME ie */
127	128	u_int8_t ni_ath_ie; / captured Atheros ie */

trunk/net80211/ieee80211_scan.h

r1175	r1357
145	145	u_int8_t *doth;
146	146	u_int8_t *wpa;
	147	u_int8_t *rsn;
147	148	u_int8_t *wme;
148	149	u_int8_t *ath;
…	…
173	174	int8_t se_rssi; /* avg'd recv ssi */
174	175	u_int8_t se_dtimperiod; /* DTIM period */
175		u_int8_t se_wpa_ie; / captured WPA/RSN ie */
	176	u_int8_t se_wpa_ie; / captured WPA ie */
	177	u_int8_t se_rsn_ie; / captured RSN ie */
176	178	u_int8_t se_wme_ie; / captured WME ie */
177	179	u_int8_t se_ath_ie; / captured Atheros ie */

trunk/net80211/ieee80211_scan_sta.c

r1336	r1357
273	273	saveie(&ise->se_wme_ie, sp->wme);
274	274	saveie(&ise->se_wpa_ie, sp->wpa);
	275	saveie(&ise->se_rsn_ie, sp->rsn);
275	276	saveie(&ise->se_ath_ie, sp->ath);
276	277

trunk/net80211/ieee80211_wireless.c

r1356	r1357
1433	1433	current_ev = iwe_stream_add_point(current_ev, end_buf, &iwe, buf);
1434	1434
1435		if (se->se_~~wpa~~_ie != NULL) {
	1435	if (se->se_rsn_ie != NULL) {
1436	1436	static const char rsn_leader[] = "rsn_ie=";
1437		~~static const char wpa_leader[] = "wpa_ie=";~~
1438	1437
1439	1438	memset(&iwe, 0, sizeof(iwe));
1440	1439	iwe.cmd = IWEVCUSTOM;
1441		if (se->se_~~wpa~~_ie[0] == IEEE80211_ELEMID_RSN)
	1440	if (se->se_rsn_ie[0] == IEEE80211_ELEMID_RSN)
1442	1441	iwe.u.data.length = encode_ie(buf, sizeof(buf),
1443		se->se_~~wpa_ie, se->se_wpa~~_ie[1]+2,
	1442	se->se_rsn_ie, se->se_rsn_ie[1]+2,
1444	1443	rsn_leader, sizeof(rsn_leader)-1);
1445		else
	1444	if (iwe.u.data.length != 0)
	1445	current_ev = iwe_stream_add_point(current_ev, end_buf,
	1446	&iwe, buf);
	1447	}
	1448	if (se->se_wpa_ie != NULL) {
	1449	static const char wpa_leader[] = "wpa_ie=";
	1450
	1451	memset(&iwe, 0, sizeof(iwe));
	1452	iwe.cmd = IWEVCUSTOM;
1446	1453	iwe.u.data.length = encode_ie(buf, sizeof(buf),
1447	1454	se->se_wpa_ie, se->se_wpa_ie[1]+2,

Download in other formats:

Unified Diff