Current-Users archive


Re: WPA regression (was: CVS commit: src/dist/wpa)



On Wed, Jan 30, 2008 at 12:52:07AM +0100, Jukka Salmi wrote:
> 
> If your AP doesn't run hostapd or you don't have access to it, try
> running wpa_supplicant with option -dd and without -B; as soon as
> rekeying fails you should see "Added BSSID XXX into blacklist", where
> XXX is your AP's BSSID.
> 
> At least that's what I'm currently seeing, as soon as the first rekeying
> takes place...
>

What I see after the rekeying is:

 WPA: EAPOL frame too short to be a WPA EAPOL-Key (len 46, expecting at least 99)

Looking at the code, it looks like the return value from
wpa_sm_rx_eapol() is ignored in wpa_supplicant_rx_eapol() and there
does not appear to be a timeout if the EAPOL-key fails.

I brute forced a fix by checking the return from wpa_sm_rx_eapol() and
if it is 0 then force a complete reauthentication.  I am sure this is
not the correct fix but it seems to go a long way towards stopping my
wireless network breaking every time a rekeying is performed.
Attached is a diff to wpa_supplicant.c in src/dist/wpa/wpa_supplicant.

-- 
Brett Lymn

Index: wpa_supplicant.c
===================================================================
RCS file: /cvsroot/src/dist/wpa/wpa_supplicant/wpa_supplicant.c,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 wpa_supplicant.c
--- wpa_supplicant.c    26 Jan 2008 21:39:50 -0000      1.1.1.1
+++ wpa_supplicant.c    30 Jan 2008 13:36:58 -0000
@@ -1453,9 +1453,17 @@
            eapol_sm_rx_eapol(wpa_s->eapol, src_addr, buf, len) > 0)
                return;
        wpa_drv_poll(wpa_s);
-       if (!wpa_s->driver_4way_handshake)
-               wpa_sm_rx_eapol(wpa_s->wpa, src_addr, buf, len);
-       else if (wpa_s->key_mgmt == WPA_KEY_MGMT_IEEE8021X ||
+       if (!wpa_s->driver_4way_handshake) {
+               if (wpa_sm_rx_eapol(wpa_s->wpa, src_addr, buf, len) == 0)
+                       /* failed the rx eapol, restart the auth */
+                       wpa_supplicant_req_auth_timeout(
+                               wpa_s,
+                               (wpa_s->key_mgmt == WPA_KEY_MGMT_IEEE8021X ||
+                                wpa_s->key_mgmt == 
WPA_KEY_MGMT_IEEE8021X_NO_WPA ||
+                                wpa_s->key_mgmt == WPA_KEY_MGMT_FT_IEEE8021X) ?
+                               70 : 10, 0);
+
+       } else if (wpa_s->key_mgmt == WPA_KEY_MGMT_IEEE8021X ||
                 wpa_s->key_mgmt == WPA_KEY_MGMT_FT_IEEE8021X) {
                /*
                 * Set portValid = TRUE here since we are going to skip 4-way
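
Review bot: The new check in the `!wpa_s->driver_4way_handshake` branch acts only when `wpa_sm_rx_eapol(...)` returns exactly 0, while its comment reads "failed the rx eapol"; any other non-success value the function can return is still dropped, just as before the change. Please say in the comment which return values are meant and test the failure case explicitly. The comment also says "restart the auth", but the call is `wpa_supplicant_req_auth_timeout(...)` with 70 or 10 as its argument, so the comment should state what actually happens and when. Because the check runs on every received frame that reaches this branch, consider restricting it to the case where a rekey is actually in progress, so that a single unparseable frame does not by itself arm the timeout. On style: the inner `if` body is a comment plus a multi-line call with no braces, and the `70 : 10` values are bare literals selected by a three-way `key_mgmt` comparison; braces and named constants would make both easier to read. Finally, the line ending `wpa_s->key_mgmt ==` is wrapped before `WPA_KEY_MGMT_IEEE8021X_NO_WPA ||` in the posted diff, so the patch will not apply as mailed.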

