Add a AP mode event message for possible PSK/passphrase mismatch

If the AP/Authenticator receives an EAPOL-Key msg 2/4 for an association
that negotiated use of PSK and the EAPOL-Key MIC does not match, it is
likely that the station is trying to use incorrect PSK/passphrase.
Report this with "AP-STA-POSSIBLE-PSK-MISMATCH <STA addr>" control
interface event.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This commit is contained in:
Jouni Malinen 2015-03-19 13:14:21 +02:00 committed by Jouni Malinen
parent a14a5f244a
commit 2c50246078
4 changed files with 24 additions and 1 deletions

View file

@ -67,6 +67,14 @@ static inline int wpa_auth_mic_failure_report(
} }
static inline void wpa_auth_psk_failure_report(
struct wpa_authenticator *wpa_auth, const u8 *addr)
{
if (wpa_auth->cb.psk_failure_report)
wpa_auth->cb.psk_failure_report(wpa_auth->cb.ctx, addr);
}
static inline void wpa_auth_set_eapol(struct wpa_authenticator *wpa_auth, static inline void wpa_auth_set_eapol(struct wpa_authenticator *wpa_auth,
const u8 *addr, wpa_eapol_variable var, const u8 *addr, wpa_eapol_variable var,
int value) int value)
@ -1985,7 +1993,7 @@ static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce,
SM_STATE(WPA_PTK, PTKCALCNEGOTIATING) SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
{ {
struct wpa_ptk PTK; struct wpa_ptk PTK;
int ok = 0; int ok = 0, psk_found = 0;
const u8 *pmk = NULL; const u8 *pmk = NULL;
SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING, wpa_ptk); SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING, wpa_ptk);
@ -2001,6 +2009,7 @@ SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
sm->p2p_dev_addr, pmk); sm->p2p_dev_addr, pmk);
if (pmk == NULL) if (pmk == NULL)
break; break;
psk_found = 1;
} else } else
pmk = sm->PMK; pmk = sm->PMK;
@ -2020,6 +2029,8 @@ SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
if (!ok) { if (!ok) {
wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
"invalid MIC in msg 2/4 of 4-Way Handshake"); "invalid MIC in msg 2/4 of 4-Way Handshake");
if (psk_found)
wpa_auth_psk_failure_report(sm->wpa_auth, sm->addr);
return; return;
} }

View file

@ -189,6 +189,7 @@ struct wpa_auth_callbacks {
const char *txt); const char *txt);
void (*disconnect)(void *ctx, const u8 *addr, u16 reason); void (*disconnect)(void *ctx, const u8 *addr, u16 reason);
int (*mic_failure_report)(void *ctx, const u8 *addr); int (*mic_failure_report)(void *ctx, const u8 *addr);
void (*psk_failure_report)(void *ctx, const u8 *addr);
void (*set_eapol)(void *ctx, const u8 *addr, wpa_eapol_variable var, void (*set_eapol)(void *ctx, const u8 *addr, wpa_eapol_variable var,
int value); int value);
int (*get_eapol)(void *ctx, const u8 *addr, wpa_eapol_variable var); int (*get_eapol)(void *ctx, const u8 *addr, wpa_eapol_variable var);

View file

@ -11,6 +11,7 @@
#include "utils/common.h" #include "utils/common.h"
#include "common/ieee802_11_defs.h" #include "common/ieee802_11_defs.h"
#include "common/sae.h" #include "common/sae.h"
#include "common/wpa_ctrl.h"
#include "eapol_auth/eapol_auth_sm.h" #include "eapol_auth/eapol_auth_sm.h"
#include "eapol_auth/eapol_auth_sm_i.h" #include "eapol_auth/eapol_auth_sm_i.h"
#include "eap_server/eap.h" #include "eap_server/eap.h"
@ -144,6 +145,14 @@ static int hostapd_wpa_auth_mic_failure_report(void *ctx, const u8 *addr)
} }
static void hostapd_wpa_auth_psk_failure_report(void *ctx, const u8 *addr)
{
struct hostapd_data *hapd = ctx;
wpa_msg(hapd->msg_ctx, MSG_INFO, AP_STA_POSSIBLE_PSK_MISMATCH MACSTR,
MAC2STR(addr));
}
static void hostapd_wpa_auth_set_eapol(void *ctx, const u8 *addr, static void hostapd_wpa_auth_set_eapol(void *ctx, const u8 *addr,
wpa_eapol_variable var, int value) wpa_eapol_variable var, int value)
{ {
@ -579,6 +588,7 @@ int hostapd_setup_wpa(struct hostapd_data *hapd)
cb.logger = hostapd_wpa_auth_logger; cb.logger = hostapd_wpa_auth_logger;
cb.disconnect = hostapd_wpa_auth_disconnect; cb.disconnect = hostapd_wpa_auth_disconnect;
cb.mic_failure_report = hostapd_wpa_auth_mic_failure_report; cb.mic_failure_report = hostapd_wpa_auth_mic_failure_report;
cb.psk_failure_report = hostapd_wpa_auth_psk_failure_report;
cb.set_eapol = hostapd_wpa_auth_set_eapol; cb.set_eapol = hostapd_wpa_auth_set_eapol;
cb.get_eapol = hostapd_wpa_auth_get_eapol; cb.get_eapol = hostapd_wpa_auth_get_eapol;
cb.get_psk = hostapd_wpa_auth_get_psk; cb.get_psk = hostapd_wpa_auth_get_psk;

View file

@ -227,6 +227,7 @@ extern "C" {
#define WPS_EVENT_AP_PIN_DISABLED "WPS-AP-PIN-DISABLED " #define WPS_EVENT_AP_PIN_DISABLED "WPS-AP-PIN-DISABLED "
#define AP_STA_CONNECTED "AP-STA-CONNECTED " #define AP_STA_CONNECTED "AP-STA-CONNECTED "
#define AP_STA_DISCONNECTED "AP-STA-DISCONNECTED " #define AP_STA_DISCONNECTED "AP-STA-DISCONNECTED "
#define AP_STA_POSSIBLE_PSK_MISMATCH "AP-STA-POSSIBLE-PSK-MISMATCH "
#define AP_REJECTED_MAX_STA "AP-REJECTED-MAX-STA " #define AP_REJECTED_MAX_STA "AP-REJECTED-MAX-STA "
#define AP_REJECTED_BLOCKED_STA "AP-REJECTED-BLOCKED-STA " #define AP_REJECTED_BLOCKED_STA "AP-REJECTED-BLOCKED-STA "