Commit
Perhaps due to reception of SAE frame from another peer while in SAE_NOTHING state. This seems to solve the following segmentation fault:

authentication: STA=00:1b:b1:07:9a:2b auth_alg=3 auth_transaction=2 status_code=0 wep=0
hostapd_logger: STA 00:1b:b1:07:9a:2b - SAE confirm before commit
hostapd_logger: STA 00:1b:b1:07:9a:2b - SAE authentication (RX confirm)
SAE: peer-send-confirm 0

Program received signal SIGSEGV, Segmentation fault.
0xb7e48eb7 in EC_POINT_get_affine_coordinates_GFp () from /lib/i386-linux-gnu/libcrypto.so.1.0.0
(gdb)
(gdb) bt
at ../src/crypto/crypto_openssl.c:1133
element2=0x8114208, confirm=0xbfffed3c "\200\376\020\b\204\355\377\277") at ../src/common/sae.c:940
at ../src/ap/ieee802_11.c:524
at ../src/drivers/driver_nl80211.c:1334
ack=0x0, cookie=0x0, sig=0x8112754) at ../src/drivers/driver_nl80211.c:1518
at ../src/drivers/driver_nl80211.c:2438

Signed-off-by: Chun-Yeow Yeoh <[email protected]>
52987c3
Sorry, this commit breaks SAE authentication with authsae.
After further investigation, it seems that this patch has not changed the sta->sae->state; moving it earlier instead causes the SAE state to remain in SAE_NOTHING here.
The following segmentation fault happened when I ran 3 or 4 mesh nodes with the SAE state moved to SAE_COMMITTED.
authentication: STA=00:0b:6b:7d:e3:b9 auth_alg=3 auth_transaction=2 status_code=0 wep=0
hostapd_logger: STA 00:0b:6b:7d:e3:b9 - SAE authentication (RX confirm)
SAE: peer-send-confirm 0
Program received signal SIGSEGV, Segmentation fault.
0xb7e48eb7 in EC_POINT_get_affine_coordinates_GFp () from /lib/i386-linux-gnu/libcrypto.so.1.0.0
(gdb) backtrace
#0 0xb7e48eb7 in EC_POINT_get_affine_coordinates_GFp () from /lib/i386-linux-gnu/libcrypto.so.1.0.0
#1 0x0809636d in crypto_ec_point_to_bin (e=0x81128b0, point=0x0, x=0xbfffebd4 ",\361\377\277x\377\377\377\031", y=0xbfffebf4 "")
#2 0x080593f3 in sae_cn_confirm_ecc (sae=0x810edb0, sc=0x8113f3e "", scalar1=0x0, element1=0x0, scalar2=0x8112f08,
#3 0x080597ba in sae_check_confirm (sae=0x810edb0, data=0x8113f3e "", len=34) at ../src/common/sae.c:1023
#4 0x08084f23 in handle_auth_sae (hapd=0x8111170, sta=0x8112740, mgmt=0x8113f20, len=64, auth_transaction=2 '\002')
#5 0x08085b0d in handle_auth (hapd=0x8111170, mgmt=0x8113f20, len=64) at ../src/ap/ieee802_11.c:781
#6 0x08087c75 in ieee802_11_mgmt (hapd=0x8111170, buf=0x8113f20 "\260", len=64, fi=0xbfffef94) at ../src/ap/ieee802_11.c:1767
#7 0x080674c8 in mesh_mpm_mgmt_rx (wpa_s=0x810d2a8, rx_mgmt=0xbffff07c) at mesh_mpm.c:421
#8 0x080b31de in wpa_supplicant_event (ctx=0x810d2a8, event=EVENT_RX_MGMT, data=0xbffff07c) at events.c:2636
#9 0x080bade6 in mlme_event_mgmt (drv=0x810dc50, freq=0x8113f0c, sig=0x8113f14, frame=0x8113f20 "\260", len=64)
#10 0x080bb65c in mlme_event (drv=0x810dc50, cmd=NL80211_CMD_FRAME, frame=0x8113f1c, addr=0x0, timed_out=0x0, freq=0x8113f0c,
#11 0x080bdd27 in process_bss_event (msg=0x810e378, arg=0x810dd44) at ../src/drivers/driver_nl80211.c:2409
#12 0xb7f8dc1b in nl_recvmsgs () from /usr/lib/i386-linux-gnu/libnl.so.1
#13 0x080bddcb in wpa_driver_nl80211_event_receive (sock=7, eloop_ctx=0x810dea8, handle=0x8111c38)
#14 0x08053b85 in eloop_sock_table_dispatch (table=0x810c968, fds=0x810e728) at ../src/utils/eloop.c:393
#15 0x08054495 in eloop_run () at ../src/utils/eloop.c:769
#16 0x080add1e in wpa_supplicant_run (global=0x810d1d8) at wpa_supplicant.c:3310
#17 0x080b72b5 in main (argc=8, argv=0xbffff6e4) at main.c:297
It is mainly due to the NULL pointer of peer_commit_scalar ... in sae_check_confirm, because sae_parse_commit is not called beforehand.
But, yes, it seems that it breaks the SAE authentication with authsae.
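As an added illustration of the failure mode described in the comment above (example code, not hostapd's own): a confirm frame that arrives while the peer is still in SAE_NOTHING must be rejected before the confirm check dereferences peer_commit_scalar. All types and function names below are hypothetical stand-ins for the hostapd structures named in the backtrace.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-in for hostapd's SAE state machine (hypothetical). */
enum sae_state { SAE_NOTHING, SAE_COMMITTED, SAE_CONFIRMED, SAE_ACCEPTED };

struct sae_data {
    enum sae_state state;
    const unsigned char *peer_commit_scalar; /* NULL until a commit frame is parsed */
};

enum confirm_result { CONFIRM_OK, CONFIRM_DROP_NO_COMMIT, CONFIRM_MISMATCH };

/* Stand-in for sae_parse_commit(): records the peer scalar and advances the state. */
void handle_commit(struct sae_data *sae, const unsigned char *scalar)
{
    sae->peer_commit_scalar = scalar;
    sae->state = SAE_COMMITTED;
}

/* Stand-in for sae_check_confirm(): the real code feeds peer_commit_scalar into
 * the CN() computation; the dereference is what segfaults in the page's trace
 * when no commit has been parsed. Only the guarded handler may call this. */
static int check_confirm(const struct sae_data *sae, const unsigned char *confirm)
{
    return sae->peer_commit_scalar[0] == confirm[0]; /* toy comparison, constructed */
}

/* Guarded confirm handler: validate the state machine before touching peer data. */
enum confirm_result handle_confirm(struct sae_data *sae, const unsigned char *confirm)
{
    if (sae->state == SAE_NOTHING || sae->peer_commit_scalar == NULL)
        return CONFIRM_DROP_NO_COMMIT; /* "SAE confirm before commit" */
    if (!check_confirm(sae, confirm))
        return CONFIRM_MISMATCH;
    sae->state = SAE_ACCEPTED;
    return CONFIRM_OK;
}

/* Scenario 1: confirm arrives on a fresh peer (what the backtrace shows). */
enum confirm_result scenario_confirm_before_commit(void)
{
    struct sae_data sae = { SAE_NOTHING, NULL };
    static const unsigned char confirm[2] = { 0x07, 0x00 }; /* constructed */
    return handle_confirm(&sae, confirm);
}

/* Scenario 2: commit then confirm; returns the final state. */
enum sae_state scenario_commit_then_confirm(void)
{
    struct sae_data sae = { SAE_NOTHING, NULL };
    static const unsigned char scalar[2] = { 0x07, 0x01 };  /* constructed */
    static const unsigned char confirm[2] = { 0x07, 0x00 }; /* constructed */
    handle_commit(&sae, scalar);
    handle_confirm(&sae, confirm);
    return sae.state;
}
```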
Sorry it wasn't clear from your comment: even with this patch you still see a segfault?
With this patch, no segfault, but actually the SAE state still remains SAE_NOTHING based on my printf statement after mesh_rsn_build_sae_commit.
So this patch works as well in my case:
https://gist.github.com/chunyeow/2e0d9c2a4f15aacf3c10
I am currently working on solving this problem and will submit the patches once the testing is done.