Re: [PATCH] wpa_supplicant: Don't incorrectly clear ie scan data

On Sat, Mar 07, 2020 at 08:52:50PM +0100, Alexander Wetzel wrote:
> I was more thinking about an attack: Utilize the fact that wpa_supplicant
> can be tricked into clearing the variables and clear the way to a downgrade
> attack. (I don't see a real attack vector, just a way to bypass some of the
> RSN checks for OWE.)

Clearing the AP's RSNE/RSNXE during association event handling should
not really bypass such checks since the same information is available
from scan results that can be fetched again when going through 4-way
handshake. The expectation here is that even if the driver were to be
doing BSS and network selection, it has to make the scan results
available for the current BSS after having completed association.

This OWE transition mode case was just a special corner case for that
which happened to have the same issue with changing SSID in two places.

> Yea, sorry. The share expired after one month. I shared it again:
> https://www.awhome.eu/index.php/s/fataWRskGzoqmFN

Thanks. It turns out that there were indeed two separate issues with the
exact same reason behind them, i.e., both possible paths for
fetching the AP's RSNE/RSNXE information from Beacon/Probe Response
frames failed when the SSID changed in the way it does in OWE transition
mode (but not in any other case).

> > > 637	nl80211: Received scan results (3 BSSes)
> > > 638	nl80211: Scan results indicate BSS status with 02:00:00:00:03:00 as associated
> > > --- but we don't get them and as a result bypass the (also broken?) IE mismatch check
> > > 647	wlan0: WPA: Could not find AP from the scan results
> > 
> > That looks strange and is not something I see in my tests. That scan
> > result has to be there in both wpa_supplicant and cfg80211 for the
> 
> Strange that it looks different in your test runs...

Actually, I do see it now that I compared this against your full log.
Those "missing" lines between those log entries above made me not notice
this in my own logs.

> I did not dig deeper into that and you know the code much better than me so
> I assume the issue is now fixed.

For the cfg80211-based drivers that use wpa_supplicant for selecting the
network, yes, but for theoretical other cases maybe not (not that I'm
aware of any such theoretical other case with support for OWE transition
mode existing today).

> But what function has then ap_ies_from_associnfo? I assumed that the intent
> was to make sure only beacon RSN can be stored, so we have the beacon data
> handy when needed.

It is used by other driver interfaces, e.g., NDIS on Windows, where the
association event carries Beacon/Probe Response frame IEs for the AP.
That functionality is not there in nl80211 (at least in the current
version).

> As it is I could not find any obvious protection to not update the variables
> with data taken from non-beacon frames, risking that when we try to compare
> e.g. an eapol RSN against a beacon we are using non-beacon data.

I'm not sure what this "non-beacon frames" is referring to. The AP IEs
are set based on scan results, i.e., Beacon and Probe Response frames,
in all these different cases.


And as far as the other issue with the scan results not being available
when processing msg 3/4 is concerned, this takes care of that:

[PATCH] OWE: Allow BSS entry with different SSID to be used in transition mode

Similarly to the wpa_supplicant_select_config() case,
wpa_get_beacon_ie() needs to handle the special case for OWE transition
mode where the SSID in the network profile does not match the SSID of
the OWE BSS (that has a hidden, random SSID). Accept such a BSS in case
the current scan results need to be fetched for verifying EAPOL-Key msg
3/4 IEs.

Signed-off-by: Jouni Malinen <j@xxxxx>
---
 wpa_supplicant/wpas_glue.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/wpa_supplicant/wpas_glue.c b/wpa_supplicant/wpas_glue.c
index 7162f8f1fe7c..39b05b2b902a 100644
--- a/wpa_supplicant/wpas_glue.c
+++ b/wpa_supplicant/wpas_glue.c
@@ -398,6 +398,13 @@ static int wpa_get_beacon_ie(struct wpa_supplicant *wpa_s)
 			curr = bss;
 			break;
 		}
+#ifdef CONFIG_OWE
+		if (ssid && (ssid->key_mgmt & WPA_KEY_MGMT_OWE) &&
+		    (bss->flags & WPA_BSS_OWE_TRANSITION)) {
+			curr = bss;
+			break;
+		}
+#endif /* CONFIG_OWE */
 	}
 
 	if (curr) {
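Review bot: the new CONFIG_OWE branch accepts an entry flagged WPA_BSS_OWE_TRANSITION without saying why the SSID comparison in the preceding condition may be skipped for it; a one-line comment above the `if` (the OWE BSS of a transition-mode pair carries a hidden, random SSID that never matches the profile, as the commit message explains) would keep the exemption from reading like an oversight. The body `curr = bss; break;` duplicates the block immediately above it, so the OWE condition could be OR-ed into that `if` instead of adding a second block, though the separate `#ifdef CONFIG_OWE` block does have the merit of leaving the non-OWE build untouched.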
-- 
2.20.1

-- 
Jouni Malinen                                            PGP id EFC895FA
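The lookup the patch changes, as an added example that is not hostap's code: a reduced C model of the scan-result search in wpa_get_beacon_ie(), with the OWE transition-mode exemption switchable, run over two constructed scan entries (the key-management and BSS flag constants and the "Zk1q" SSID are stand-ins, not hostap's values).

```c
/* Added example, not hostap's code: a reduced model of the scan-result
 * lookup wpa_get_beacon_ie() does before the msg 3/4 IE comparison. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define ETH_ALEN 6
#define KEY_MGMT_OWE 0x1        /* stand-in for WPA_KEY_MGMT_OWE */
#define BSS_OWE_TRANSITION 0x1  /* stand-in for WPA_BSS_OWE_TRANSITION */

struct bss {                    /* one scan-result entry */
    uint8_t bssid[ETH_ALEN];
    char ssid[32];
    size_t ssid_len;
    unsigned flags;
};

/* Find the entry for the associated BSSID whose SSID matches the profile.
 * With owe_fix, the OWE side of a transition-mode pair is accepted too:
 * its SSID is hidden and random, so it never matches the profile. */
const struct bss *find_current_bss(const struct bss *scan, size_t n,
                                   const uint8_t *assoc_bssid,
                                   const char *ssid, size_t ssid_len,
                                   unsigned key_mgmt, bool owe_fix)
{
    for (size_t i = 0; i < n; i++) {
        const struct bss *b = &scan[i];
        if (memcmp(b->bssid, assoc_bssid, ETH_ALEN) != 0)
            continue;
        if (b->ssid_len == ssid_len && memcmp(b->ssid, ssid, ssid_len) == 0)
            return b;
        if (owe_fix && (key_mgmt & KEY_MGMT_OWE) &&
            (b->flags & BSS_OWE_TRANSITION))
            return b;
    }
    return NULL;  /* "WPA: Could not find AP from the scan results" */
}

/* Constructed scenario: OWE profile "owe-net", associated with the OWE BSS
 * 02:00:00:00:03:00 (random SSID "Zk1q"); its open twin is 02:00:00:00:02:00. */
int owe_bss_found(bool owe_fix)
{
    static const uint8_t owe_bssid[ETH_ALEN] = { 2, 0, 0, 0, 3, 0 };
    const struct bss scan[] = {
        { { 2, 0, 0, 0, 2, 0 }, "owe-net", 7, 0 },
        { { 2, 0, 0, 0, 3, 0 }, "Zk1q", 4, BSS_OWE_TRANSITION },
    };
    return find_current_bss(scan, 2, owe_bssid, "owe-net", 7,
                            KEY_MGMT_OWE, owe_fix) != NULL;
}
```

Without the exemption the associated OWE BSS is never returned, which is the point at which the msg 3/4 RSNE/RSNXE comparison has nothing to compare against.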

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap