On Sat, Mar 07, 2020 at 08:52:50PM +0100, Alexander Wetzel wrote:
> I was more thinking about an attack: Utilize the fact that wpa_supplicant
> can be tricked into clearing the variables and clear the way to a downgrade
> attack. (I don't see a real attack vector, just a way to bypass some of the
> RSN checks for OWE.)

Clearing the AP's RSNE/RSNXE during association event handling should not
really bypass such checks since the same information is available from scan
results that can be fetched again when going through 4-way handshake. The
expectation here is that even if the driver were to be doing BSS and network
selection, it has to make the scan results available for the current BSS
after having completed association. This OWE transition mode case was just a
special corner case for that which happened to have the same issue with
changing SSID in two places.

> Yea, sorry. The share expired after one month. I shared it again:
> https://www.awhome.eu/index.php/s/fataWRskGzoqmFN

Thanks. It turns out that there were indeed two separate issues with the
exact same reason behind them, i.e., both of the two possible paths for
fetching the AP's RSNE/RSNXE information from Beacon/Probe Response frames
failed when the SSID changed in the way it does in OWE transition mode (but
not in any other case).

> > > 637 nl80211: Received scan results (3 BSSes)
> > > 638 nl80211: Scan results indicate BSS status with 02:00:00:00:03:00 as associated
> > > --- but we don't get them and as a result bypass the (also broken?) IE mismatch check
> > > 647 wlan0: WPA: Could not find AP from the scan results
> >
> > That looks strange and is not something I see in my tests. That scan
> > result has to be there in both wpa_supplicant and cfg80211 for the
>
> Strange that it looks different in your test runs...

Actually, I do see it now that I compared this against your full log. Those
"missing" lines between those log entries above made me not notice this in my
own logs.
> I did not dig deeper into that and you know the code much better than me so
> I assume the issue is now fixed.

For the cfg80211-based drivers that use wpa_supplicant for selecting the
network, yes, but for theoretical other cases maybe not (not that I'm aware of
any such theoretical other case with support for OWE transition mode existing
today).

> But what function has then ap_ies_from_associnfo? I assumed that the intent
> was to make sure only beacon RSN can be stored, so we have the beacon data
> handy when needed.

It is used by other driver interfaces, e.g., NDIS on Windows, where the
association event carries Beacon/Probe Response frame IEs for the AP. That
functionality is not there in nl80211 (at least in the current version).

> As it is I could not find any obvious protection to not update the variables
> with data taken from non-beacon frames, risking that when we try to compare
> e.g. an eapol RSN against a beacon we are using non-beacon data.

I'm not sure what this "non-beacon frames" is referring to. The AP IEs are
set based on scan results, i.e., Beacon and Probe Response frames, in all
these different cases.

And as far as the other issue with the scan results not being available when
processing msg 3/4 is concerned, this takes care of that:

[PATCH] OWE: Allow BSS entry with different SSID to be used in transition mode

Similarly to the wpa_supplicant_select_config() case, wpa_get_beacon_ie()
needs to handle the special case for OWE transition mode where the SSID in
the network profile does not match the SSID of the OWE BSS (that has a
hidden, random SSID). Accept such a BSS in case the current scan results
need to be fetched for verifying EAPOL-Key msg 3/4 IEs.

Signed-off-by: Jouni Malinen <j@xxxxx>
---
 wpa_supplicant/wpas_glue.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/wpa_supplicant/wpas_glue.c b/wpa_supplicant/wpas_glue.c
index 7162f8f1fe7c..39b05b2b902a 100644
--- a/wpa_supplicant/wpas_glue.c
+++ b/wpa_supplicant/wpas_glue.c
@@ -398,6 +398,13 @@ static int wpa_get_beacon_ie(struct wpa_supplicant *wpa_s) curr = bss; break; } +#ifdef CONFIG_OWE + if (ssid && (ssid->key_mgmt & WPA_KEY_MGMT_OWE) && + (bss->flags & WPA_BSS_OWE_TRANSITION)) { + curr = bss; + break; + } +#endif /* CONFIG_OWE */ } if (curr) { -- 2.20.1 -- Jouni Malinen PGP id EFC895FA _______________________________________________ Hostap mailing list Hostap@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/hostap
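Review bot: The new CONFIG_OWE branch accepts a BSS on the strength of the profile's WPA_KEY_MGMT_OWE bit and the WPA_BSS_OWE_TRANSITION flag alone, and the hunk does not show whether the enclosing loop has already narrowed the candidates to the currently associated BSSID; worth confirming that it does, since otherwise any transition-mode OWE BSS in the scan results could be picked as `curr` and its RSNE used for the msg 3/4 comparison. A one-line comment above the added `if` saying why the SSID comparison is skipped here (the OWE BSS advertises a hidden, random SSID that never matches the profile) would also help the next reader, as the commit message is currently the only place that explains it.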
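As an added illustration (not wpa_supplicant's code) of the check discussed in this thread: the AP's Beacon RSNE is fetched from the scan results for the associated BSSID so that the RSNE in EAPOL-Key msg 3/4 can be verified against it, and an OWE transition-mode SSID mismatch leaves that lookup empty so the comparison never runs. Type names, flag values, the SSIDs, the BSSID and the RSNE bytes are constructed for the example; the owe_fix parameter models the patch's CONFIG_OWE branch.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
/* Assumed flag values and simplified types; not wpa_supplicant's own definitions. */
#define KEY_MGMT_OWE       0x1
#define BSS_OWE_TRANSITION 0x1
struct bss { unsigned char bssid[6]; char ssid[33]; unsigned flags;
             unsigned char rsne[16]; size_t rsne_len; };   /* one scan-result entry */
struct profile { char ssid[33]; unsigned key_mgmt; };       /* network profile */

/* Fetch the scan-result entry for the BSS we are associated with. Normally the profile
 * SSID must match; owe_fix mirrors the patch's CONFIG_OWE case (hidden, random SSID). */
static const struct bss *find_beacon_bss(const struct bss *tbl, size_t n,
                                         const unsigned char *assoc_bssid,
                                         const struct profile *p, bool owe_fix)
{
    for (size_t i = 0; i < n; i++) {
        const struct bss *b = &tbl[i];
        if (memcmp(b->bssid, assoc_bssid, 6) != 0)
            continue;                       /* not the associated BSS */
        if (strcmp(b->ssid, p->ssid) == 0)
            return b;
        if (owe_fix && (p->key_mgmt & KEY_MGMT_OWE) && (b->flags & BSS_OWE_TRANSITION))
            return b;
    }
    return NULL;
}
enum verdict { V_NO_BEACON = 0, V_MISMATCH = 1, V_OK = 2 };

/* Verify the RSNE from EAPOL-Key msg 3/4 against the Beacon RSNE; no beacon entry means
 * the comparison cannot run at all, which is the failure seen in the log. */
static enum verdict verify_msg3_rsne(const struct bss *beacon, const unsigned char *rsne, size_t len)
{
    if (!beacon)
        return V_NO_BEACON;      /* "WPA: Could not find AP from the scan results" */
    if (beacon->rsne_len != len || memcmp(beacon->rsne, rsne, len) != 0)
        return V_MISMATCH;       /* advertised and negotiated RSNE differ */
    return V_OK;
}

/* Constructed scenario: profile SSID "cafe" (the open BSS's name), while the OWE BSS
 * 02:00:00:00:03:00 beacons a random hidden SSID. RSNE bytes are constructed. */
enum verdict owe_transition_check(bool owe_fix, bool tampered)
{
    const unsigned char bssid[6] = { 0x02, 0, 0, 0, 0x03, 0 };
    const struct bss tbl[1] = { { { 0x02, 0, 0, 0, 0x03, 0 }, "Xk9Qz3",
                                  BSS_OWE_TRANSITION, { 0x30, 0x02, 0xAB, 0xCD }, 4 } };
    const struct profile p = { "cafe", KEY_MGMT_OWE };
    unsigned char msg3_rsne[4] = { 0x30, 0x02, 0xAB, 0xCD };
    if (tampered) msg3_rsne[3] = 0x00;      /* msg 3/4 carries something else than the beacon */
    return verify_msg3_rsne(find_beacon_bss(tbl, 1, bssid, &p, owe_fix), msg3_rsne, 4);
}
```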