Re: Encryption problems with nl80211

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, 2015-10-27 at 15:05 -0500, Dan Williams wrote:
> On Wed, 2015-10-28 at 00:54 +0530, Krishna Chaitanya wrote:
> > On Wed, Oct 28, 2015 at 12:11 AM, Dan Williams <dcbw@xxxxxxxxxx> wrote:
> > > On Tue, 2015-10-27 at 18:16 +0100, simo wrote:
> > >> Hi, I am Simon and I am new in this mail list.
> > >>
> > >> I am experiencing problems enabling encryption key after creating an
> > >> IBSS network through wpa_supplicant.
> > >
> > > It looks like the error is coming from the kernel mac80211/cfg80211 WiFi
> > > stack in nl80211_key_allowed().  That function returns an error if there
> > > is not yet any "current_bss", which is probably the case here.  To me it
> > > looks like a mismatch in expectations between the kernel and
> > > wpa_supplicant about how IBSS WEP is supposed to be configured.
> > >
> > > wpas_start_assoc_cb() - sets up parameters for IBSS create/join
> > > -- kernel cfg80211 has current_bss = NULL
> > > wpas_start_assoc_cb() calls wpa_set_wep_keys()
> > > -- kernel cfg80211 rejects set_keys request because current_bss == NULL
> > > wpas_start_assoc_cb() calls wpa_drv_associate() to being association
> > > -- kernel driver creates new IBSS, sends EVENT_IBSS_JOINED
> > > -- kernel cfg80211 calls __cfg80211_ibss_joined() and sets current_bss
> > >
> > > What's odd is that none of this code in the kernel or supplicant has
> > > really changed since early 2013, so its either been broken for a long
> > > time, or I'm missing something completely about when current_bss gets
> > > set.
> > >
> > > Dan
> > >
> > >> wlan0: Trying to associate with SSID 'my-net-302'
> > >> wlan0: Cancelling scan request
> > >> wlan0: WPA: clearing own WPA/RSN IE
> > >> wlan0: Automatic auth_alg selection: 0x1
> > >> wlan0: WPA: clearing AP WPA IE
> > >> wlan0: WPA: clearing AP RSN IE
> > >> wlan0: WPA: clearing own WPA/RSN IE
> > >> wpa_driver_nl80211_set_key: ifindex=3 (wlan0) alg=1 addr=(nil) key_idx=0
> > >> set_tx=1 seq_len=0 key_len=5
> > >> nl80211: KEY_DATA - hexdump(len=5): [REMOVED]
> > >> nl80211: set_key failed; err=-67 Link has been severed)
> > >
> > > ^^^ the error
> > > <snip>
> > >
> > >> nl80211: Event message available
> > >> nl80211: Drv Event 43 (NL80211_CMD_JOIN_IBSS) received for wlan0
> > >> nl80211: IBSS 12:24:21:59:87:d0 joined
> > >> nl80211: IBSS-joined on 2412 MHz
> > >> nl80211: Operating frequency for the associated BSS from scan results:
> > >> 2412 MHz
> > >> nl80211: IBSS on frequency 2412 MHz
> > >> wlan0: Event ASSOC (0) received
> > >> wlan0: State: ASSOCIATING -> ASSOCIATED
> > >
> > > Then reports success creating/joining the adhoc network.  But of course,
> > > since the key set failed, the network is not encrypted.
> > set_key after association is successful, the failure before association
> > can be ignored. This is not a problem.
> > 
> > 
> > wlan0: State: ASSOCIATED -> COMPLETED
> > wlan0: Radio work 'connect'@0xfab20 done in 0.603215 seconds
> > wlan0: CTRL-EVENT-CONNECTED - Connection to 12:24:21:59:87:d0 completed
> > [id=0 id_str=]
> > nl80211: Set wlan0 operstate 0->1 (UP)
> > netlink: Operstate: ifindex=3 linkmode=-1 (no change), operstate=6
> > (IF_OPER_UP)
> > wlan0: Cancelling scan request
> > wpa_driver_nl80211_set_key: ifindex=3 (wlan0) alg=1 addr=(nil) key_idx=0
> > set_tx=1 seq_len=0 key_len=5
> > nl80211: KEY_DATA - hexdump(len=5): [REMOVED]
> > RTM_NEWLINK: ifi_index=3 ifname=wlan0 operstate=6 linkmode=1
> > ifi_family=0 ifi_flags=0x11043 ([UP][RUNNING][LOWER_
> 
> Ah, you are correct.  IIRC some drivers don't really support setting the
> keys after IBSS create though, since they don't have a great way to
> update the IEs after the join has already happened.  I wonder what
> driver the reporter is using?

Before I wrote the above I was actually writing about how some drivers
don't allow setting the encryption key after the IBSS has been
created/joined, using libertas as an example.  libertas firmware
requires the key to be given before/during the join operation otherwise
the IBSS beacons don't have any security stuff in them.

And guess what?  The reporter is using the 'libertas' driver...
cfg80211 support got added to the driver a while back, but I guess it
was somewhat incomplete.  But also, it seems that wpa_supplicant expects
all nl80211/cfg80211 capable drivers to be able to set the key after a
join.  So yay, this just isn't going to work.

Simo, the only recourse here is to use "-D wext" instead of "-D
nl80211", unfortunately...

Dan


_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap



[Index of Archives]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Samba]     [Device Mapper]

  Powered by Linux