[prev in list] [next in list] [prev in thread] [next in thread] 

List:       openbsd-tech
Subject:    Re: 3 small net80211 fixes
From:       Stefan Sperling <stsp () openbsd ! org>
Date:       2011-02-21 12:12:16
Message-ID: 20110221121216.GA26692 () ted ! stsp ! name
[Download RAW message or body]

On Mon, Feb 21, 2011 at 12:57:08PM +0100, Damien Bergamini wrote:
> | Index: ieee80211_pae_output.c
> | ===================================================================
> | RCS file: /cvs/src/sys/net80211/ieee80211_pae_output.c,v
> | retrieving revision 1.16
> | diff -u -p -r1.16 ieee80211_pae_output.c
> | --- ieee80211_pae_output.c	5 Jun 2010 15:54:35 -0000	1.16
> | +++ ieee80211_pae_output.c	20 Feb 2011 17:55:51 -0000
> | @@ -417,7 +417,6 @@ ieee80211_send_4way_msg3(struct ieee8021
> |  		frm = ieee80211_add_rsn(frm, ic, ic->ic_bss);
> |  		/* encapsulate the GTK */
> |  		frm = ieee80211_add_gtk_kde(frm, ni, k);
> | -		LE_WRITE_6(key->rsc, k->k_tsc);
> |  		/* encapsulate the IGTK if MFP was negotiated */
> |  		if (ni->ni_flags & IEEE80211_NODE_MFP) {
> |  			frm = ieee80211_add_igtk_kde(frm,
> | @@ -427,6 +426,9 @@ ieee80211_send_4way_msg3(struct ieee8021
> |  		info |= EAPOL_KEY_ENCRYPTED | EAPOL_KEY_SECURE;
> |  	} else	/* WPA */
> |  		frm = ieee80211_add_wpa(frm, ic, ic->ic_bss);
> | +
> | +	/* RSC = last transmit sequence number for the GTK */
> | +	LE_WRITE_6(key->rsc, k->k_tsc);
> |  
> |  	/* write the key info field */
> |  	BE_WRITE_2(key->info, info);
> 
> 
> nack.  you'll get a null deref with wpa1 (k is not initialized).
> with wpa1, message 3/4 of the 4-way handshake does not carry the
> group key (it is sent in message 1/2 of the group key handshake
> that follows the 4-way handshake instead).
> the TSC of the pairwise key is always 0 in our case, which is
> the reason why it is not set here, but used when receiving
> msg 3/4 since other implementations may use non-zero values.

Ah, that makes sense. Thanks for clarifying.

I'll commit the others when Miod has acked them.

[prev in list] [next in list] [prev in thread] [next in thread]