On Sat, Jan 05, 2019 at 12:39:46PM +0100, Markus Theil wrote:
> Currently, NetworkManager sends ieee80211w=1 for every connection,
> if wpa_supplicant has pmf support enabled/compiled in. If the used
> NIC does not support BIP ciphers, adding the IGTK fails.

That is a bit unfortunate in this context.. The better way of doing this would have been setting the global pmf=1 parameter and not having per-network profile parameters. That combination is already covering this case of no driver support, i.e., pmf=1 was designed in a way that it would fall back to no MFP if there is no driver support.

> This patch circumvents this, by ignoring ieee80211w=1 (optional MFP)
> if hardware support is not given. Making NetworkManager aware of
> per-interface MFP support would be the cleaner solution of course.

This patch is doing quite a bit more than that, though..

> diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c
> @@ -6828,7 +6828,9 @@ int wpas_network_disabled(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid) > int wpas_get_ssid_pmf(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid) > { > #ifdef CONFIG_IEEE80211W > - if (ssid == NULL || ssid->ieee80211w == MGMT_FRAME_PROTECTION_DEFAULT) { > + if (ssid == NULL || > + ssid->ieee80211w == MGMT_FRAME_PROTECTION_DEFAULT || > + ssid->ieee80211w == MGMT_FRAME_PROTECTION_OPTIONAL) { > if (wpa_s->conf->pmf == MGMT_FRAME_PROTECTION_OPTIONAL && > !(wpa_s->drv_enc & WPA_DRIVER_CAPA_ENC_BIP)) { > /*

This first if block ends in "return wpa_s->conf->pmf". In other words, this patch would end up overriding network profile specific ssid->ieee80211w with the global default wpa_s->conf->pmf if ieee80211w=1 (optional) is used in the network profile. This applies in case of all drivers where PMF is supported. That is not a desired change since it can result in quite incorrect behavior.

If the goal is to override ieee80211w=1 in the network profile, that would need to be done at the end of this function just before return ssid->ieee80211w instead of modifying this special case of MGMT_FRAME_PROTECTION_DEFAULT (i.e., no explicit ieee80211w parameter in the network profile).

-- 
Jouni Malinen
PGP id EFC895FA

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
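Review bot: the added "ssid->ieee80211w == MGMT_FRAME_PROTECTION_OPTIONAL" alternative in the first condition sends a profile that explicitly asked for optional MFP down the branch that ends in "return wpa_s->conf->pmf", and the inner capability check in that branch only looks at wpa_s->conf->pmf, never at the profile value. On a BIP-capable driver with the global pmf left at 0 (disabled) the profile's ieee80211w=1 is therefore silently replaced by 0, and with global pmf=2 it is escalated to required; neither is what the commit message describes. Leave the "ssid == NULL || ssid->ieee80211w == MGMT_FRAME_PROTECTION_DEFAULT" condition as it was and put the driver fallback where the profile value is returned, e.g. immediately before "return ssid->ieee80211w;": "if (ssid->ieee80211w == MGMT_FRAME_PROTECTION_OPTIONAL && !(wpa_s->drv_enc & WPA_DRIVER_CAPA_ENC_BIP)) return NO_MGMT_FRAME_PROTECTION;". The commit message should also say that this fallback previously applied only to the global pmf=1 setting, since that is the behavior being extended.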
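The following is an added example, not hostap code and not part of this thread: a reduced C model of wpas_get_ssid_pmf() in three forms (before the patch, with the patch applied, and with the fallback moved to the final return as the reply recommends), run over a constructed table of (global pmf, profile ieee80211w, driver BIP support) cases so the override described above can be seen directly. The model keeps only the branches visible in the hunk plus the "return wpa_s->conf->pmf" and "return ssid->ieee80211w" returns named in the reply; the real function contains further checks that are omitted here, the enum values and struct layouts are simplified, and the WPA_DRIVER_CAPA_ENC_BIP bit value is an assumption used only as a flag.

```c
#include <stdio.h>

/* Values of the per-network ieee80211w= and global pmf= parameters.
 * DEFAULT means the network profile sets no ieee80211w= at all. */
enum mfp_options {
	NO_MGMT_FRAME_PROTECTION = 0,
	MGMT_FRAME_PROTECTION_OPTIONAL = 1,
	MGMT_FRAME_PROTECTION_REQUIRED = 2,
	MGMT_FRAME_PROTECTION_DEFAULT = 3
};

/* Assumed bit value; it is only ever tested as a flag in drv_enc here. */
#define WPA_DRIVER_CAPA_ENC_BIP 0x0100

struct wpa_config { int pmf; };             /* global pmf= */
struct wpa_ssid { int ieee80211w; };        /* profile ieee80211w= */
struct wpa_supplicant {
	struct wpa_config *conf;
	unsigned int drv_enc;               /* driver cipher capabilities */
};

enum variant { ORIGINAL, PATCHED, SUGGESTED };

/* Reduced model of wpas_get_ssid_pmf() in three forms:
 *  ORIGINAL  - only the "no ieee80211w in profile" case consults the
 *              global pmf and the driver's BIP capability;
 *  PATCHED   - the hunk above: ieee80211w=1 also takes that path, so the
 *              profile value is replaced by the global one;
 *  SUGGESTED - the fallback applied at the final return instead, as the
 *              reply recommends (example only, not a submitted patch). */
static int model_get_ssid_pmf(enum variant v, const struct wpa_supplicant *wpa_s,
			      const struct wpa_ssid *ssid)
{
	int default_path = ssid == NULL ||
		ssid->ieee80211w == MGMT_FRAME_PROTECTION_DEFAULT ||
		(v == PATCHED &&
		 ssid->ieee80211w == MGMT_FRAME_PROTECTION_OPTIONAL);

	if (default_path) {
		/* Existing fallback: global pmf=1 without driver BIP support
		 * becomes "no MFP" so the association does not fail. */
		if (wpa_s->conf->pmf == MGMT_FRAME_PROTECTION_OPTIONAL &&
		    !(wpa_s->drv_enc & WPA_DRIVER_CAPA_ENC_BIP))
			return NO_MGMT_FRAME_PROTECTION;
		return wpa_s->conf->pmf;
	}

	/* ssid is non-NULL here: a NULL ssid always took the path above. */
	if (v == SUGGESTED &&
	    ssid->ieee80211w == MGMT_FRAME_PROTECTION_OPTIONAL &&
	    !(wpa_s->drv_enc & WPA_DRIVER_CAPA_ENC_BIP))
		return NO_MGMT_FRAME_PROTECTION;

	return ssid->ieee80211w;
}

/* Evaluate one (global pmf, profile ieee80211w, driver has BIP) case. */
int eval_case(enum variant v, int global_pmf, int profile_ieee80211w,
	      int driver_has_bip)
{
	struct wpa_config conf = { .pmf = global_pmf };
	struct wpa_ssid ssid = { .ieee80211w = profile_ieee80211w };
	struct wpa_supplicant wpa_s = {
		.conf = &conf,
		.drv_enc = driver_has_bip ? WPA_DRIVER_CAPA_ENC_BIP : 0u,
	};
	return model_get_ssid_pmf(v, &wpa_s, &ssid);
}

int main(void)
{
	/* Constructed cases; the first two are the regression the reply
	 * describes (BIP-capable driver, profile asks for optional MFP). */
	const struct { int pmf, w, bip; } cases[] = {
		{ 0, 1, 1 }, { 2, 1, 1 }, { 0, 1, 0 },
		{ 1, 3, 0 }, { 1, 3, 1 }, { 0, 2, 0 },
	};
	size_t i;

	printf("pmf= ieee80211w= BIP | original patched suggested\n");
	for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("%4d %11d %3d | %8d %7d %9d\n",
		       cases[i].pmf, cases[i].w, cases[i].bip,
		       eval_case(ORIGINAL, cases[i].pmf, cases[i].w, cases[i].bip),
		       eval_case(PATCHED, cases[i].pmf, cases[i].w, cases[i].bip),
		       eval_case(SUGGESTED, cases[i].pmf, cases[i].w, cases[i].bip));
	return 0;
}
```

The rows with global pmf=0 or pmf=2, profile ieee80211w=1 and a BIP-capable driver are the ones to look at: the patched form returns the global value (0 or 2) where both the original and the suggested form keep the profile's 1. The row with no driver BIP support shows that the suggested placement still achieves what the patch set out to do, and the pmf=1 / DEFAULT rows show the pre-existing global fallback untouched in all three forms.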