From patchwork Thu Dec 7 17:14:49 2017
X-Patchwork-Submitter: Ben Greear
X-Patchwork-Id: 845714
From: greearb@candelatech.com
To: hostap@lists.infradead.org
Subject: [PATCH v2] hostapd: add logging around michael-mic related failures.
Date: Thu, 7 Dec 2017 09:14:49 -0800
Message-Id: <1512666889-16714-1-git-send-email-greearb@candelatech.com>
Cc: Ben Greear

From: Ben Greear

This can help one understand better why stations are failing to associate.

Signed-off-by: Ben Greear
---
v2: Fix 'radios' typo found by M. Braun

src/ap/ieee802_11.c | 33 ++++++++++++++++++++++----------- src/ap/tkip_countermeasures.c | 4 ++++ 2 files changed, 26 insertions(+), 11 deletions(-) diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c index db161cf..b6892b7 100644 --- a/src/ap/ieee802_11.c +++ b/src/ap/ieee802_11.c @@ -288,7 +288,7 @@ static u16 auth_shared_key(struct hostapd_data *hapd, struct sta_info *sta, static int send_auth_reply(struct hostapd_data *hapd, const u8 *dst, const u8 *bssid, u16 auth_alg, u16 auth_transaction, u16 resp, - const u8 *ies, size_t ies_len) + const u8 *ies, size_t ies_len, const char* dbg) { struct ieee80211_mgmt *reply; u8 *buf; 
@@ -315,9 +315,9 @@ static int send_auth_reply(struct hostapd_data *hapd, os_memcpy(reply->u.auth.variable, ies, ies_len); wpa_printf(MSG_DEBUG, "authentication reply: STA=" MACSTR - " auth_alg=%d auth_transaction=%d resp=%d (IE len=%lu)", + " auth_alg=%d auth_transaction=%d resp=%d (IE len=%lu) (dbg=%s)", MAC2STR(dst), auth_alg, auth_transaction, - resp, (unsigned long) ies_len); + resp, (unsigned long) ies_len, dbg); if (hostapd_drv_send_mlme(hapd, reply, rlen, 0) < 0) wpa_printf(MSG_INFO, "send_auth_reply: send failed"); else @@ -339,7 +339,7 @@ static void handle_auth_ft_finish(void *ctx, const u8 *dst, const u8 *bssid, int reply_res; reply_res = send_auth_reply(hapd, dst, bssid, WLAN_AUTH_FT, - auth_transaction, status, ies, ies_len); + auth_transaction, status, ies, ies_len, "auth-ft-finish"); sta = ap_get_sta(hapd, dst); if (sta == NULL) @@ -428,7 +428,7 @@ static int auth_sae_send_commit(struct hostapd_data *hapd, reply_res = send_auth_reply(hapd, sta->addr, bssid, WLAN_AUTH_SAE, 1, WLAN_STATUS_SUCCESS, wpabuf_head(data), - wpabuf_len(data)); + wpabuf_len(data), "sae-send-commit"); wpabuf_free(data); @@ -449,7 +449,7 @@ static int auth_sae_send_confirm(struct hostapd_data *hapd, reply_res = send_auth_reply(hapd, sta->addr, bssid, WLAN_AUTH_SAE, 2, WLAN_STATUS_SUCCESS, wpabuf_head(data), - wpabuf_len(data)); + wpabuf_len(data), "sae-send-confirm"); wpabuf_free(data); @@ -810,7 +810,7 @@ static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta, pos = mgmt->u.auth.variable; end = ((const u8 *) mgmt) + len; send_auth_reply(hapd, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE, - auth_transaction, resp, pos, end - pos); + auth_transaction, resp, pos, end - pos, "auth-sae-reflection-attack"); goto remove_sta; } 
@@ -819,7 +819,7 @@ static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta, send_auth_reply(hapd, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE, auth_transaction, resp, wpabuf_head(hapd->conf->sae_commit_override), - wpabuf_len(hapd->conf->sae_commit_override)); + wpabuf_len(hapd->conf->sae_commit_override), "sae-commit-override"); goto remove_sta; } #endif /* CONFIG_TESTING_OPTIONS */ @@ -983,7 +983,7 @@ reply: send_auth_reply(hapd, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE, auth_transaction, resp, data ? wpabuf_head(data) : (u8 *) "", - data ? wpabuf_len(data) : 0); + data ? wpabuf_len(data) : 0, "auth-sae"); } remove_sta: @@ -1507,7 +1507,7 @@ static void handle_auth_fils_finish(struct hostapd_data *hapd, WLAN_AUTH_FILS_SK_PFS : WLAN_AUTH_FILS_SK; send_auth_reply(hapd, sta->addr, hapd->own_addr, auth_alg, 2, resp, data ? wpabuf_head(data) : (u8 *) "", - data ? wpabuf_len(data) : 0); + data ? wpabuf_len(data) : 0, "auth-fils-finish"); wpabuf_free(data); if (resp == WLAN_STATUS_SUCCESS) { @@ -1698,6 +1698,8 @@ static void handle_auth(struct hostapd_data *hapd, if (hapd->tkip_countermeasures) { resp = WLAN_STATUS_UNSPECIFIED_FAILURE; + wpa_printf(MSG_DEBUG, + "Michael-MIC failure (tkip-countermeasures)"); goto fail; } @@ -1800,6 +1802,8 @@ static void handle_auth(struct hostapd_data *hapd, hapd, mgmt->sa, (const u8 *) mgmt, len, &session_timeout, &acct_interim_interval, &vlan_id, &psk, &identity, &radius_cui); if (res == HOSTAPD_ACL_REJECT) { + wpa_printf(MSG_DEBUG, + "ieee802_11_allowed_address returned REJECT"); resp = WLAN_STATUS_UNSPECIFIED_FAILURE; goto fail; } @@ -1850,6 +1854,8 @@ static void handle_auth(struct hostapd_data *hapd, sta = ap_sta_add(hapd, mgmt->sa); if (!sta) { + wpa_printf(MSG_DEBUG, + "ap_sta_add failed"); resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA; goto fail; } 
@@ -1861,6 +1867,8 @@ static void handle_auth(struct hostapd_data *hapd, hapd, sta, res, session_timeout, acct_interim_interval, &vlan_id, &psk, &identity, &radius_cui); if (res) { + wpa_printf(MSG_DEBUG, + "ieee802_11_set_radius_info failed"); resp = WLAN_STATUS_UNSPECIFIED_FAILURE; goto fail; } @@ -1929,6 +1937,9 @@ static void handle_auth(struct hostapd_data *hapd, case WLAN_AUTH_SHARED_KEY: resp = auth_shared_key(hapd, sta, auth_transaction, challenge, fc & WLAN_FC_ISWEP); + if (resp != 0) + wpa_printf(MSG_DEBUG, + "auth_shared_key had failure: %d", resp); sta->auth_alg = WLAN_AUTH_SHARED_KEY; mlme_authenticate_indication(hapd, sta); if (sta->challenge && auth_transaction == 1) { @@ -1999,7 +2010,7 @@ static void handle_auth(struct hostapd_data *hapd, reply_res = send_auth_reply(hapd, mgmt->sa, mgmt->bssid, auth_alg, auth_transaction + 1, resp, resp_ies, - resp_ies_len); + resp_ies_len, "handle-auth"); if (sta && sta->added_unassoc && (resp != WLAN_STATUS_SUCCESS || reply_res != WLAN_STATUS_SUCCESS)) { diff --git a/src/ap/tkip_countermeasures.c b/src/ap/tkip_countermeasures.c index 4725e2b..857d2f7 100644 --- a/src/ap/tkip_countermeasures.c +++ b/src/ap/tkip_countermeasures.c @@ -71,6 +71,10 @@ int michael_mic_failure(struct hostapd_data *hapd, const u8 *addr, int local) struct os_reltime now; int ret = 0; + hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211, + HOSTAPD_LEVEL_INFO, + "Michael MIC failure detected in received frame, local: %d", local); + if (addr && local) { struct sta_info *sta = ap_get_sta(hapd, addr); if (sta != NULL) {
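Review bot: In the send_auth_reply() signature hunk (@@ -288) the new parameter is written "const char* dbg", which does not match the pointer style of the neighbouring parameters ("const u8 *dst", "const u8 *ies"); please use "const char *dbg". The value is then passed straight to "%s" in the wpa_printf() of the following hunk (@@ -315) with no NULL guard. Every caller in this patch passes a string literal, so it is safe today, but a short comment on the parameter or a fallback such as dbg ? dbg : "" would keep a later caller from handing NULL to the format string. Several of the updated call sites (for example the "auth-sae-reflection-attack" one at @@ -810) also now run well past 80 columns and should be re-wrapped.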
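Review bot: In the handle_auth() hunk at @@ -1698 the new message "Michael-MIC failure (tkip-countermeasures)" misdescribes the branch it sits in. The condition is "if (hapd->tkip_countermeasures)", so the authentication is rejected because countermeasures are currently active, not because this frame had a MIC failure. Someone reading the log would count each rejected authentication as a fresh MIC failure. Suggest wording along the lines of "authentication rejected: TKIP countermeasures active" and including the station address via MACSTR / MAC2STR(mgmt->sa), which is already in scope here.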
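Review bot: The three handle_auth() messages added at @@ -1800, @@ -1850 and @@ -1861 ("ieee802_11_allowed_address returned REJECT", "ap_sta_add failed", "ieee802_11_set_radius_info failed") carry no station identifier, so on an AP with many clients they cannot be tied to the station that failed, which is the stated purpose of the patch. mgmt->sa is available at all three points; please add MACSTR / MAC2STR(mgmt->sa) to each. Each of these short messages also fits on the wpa_printf() line, so the two-line split is unnecessary. The ACL and RADIUS rejections are not Michael MIC related, so the subject line could be broadened to cover authentication failures generally.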
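Review bot: In the WLAN_AUTH_SHARED_KEY case (@@ -1929) the new check is "if (resp != 0)", while the rest of the function, including the context visible in the @@ -1999 hunk, compares against WLAN_STATUS_SUCCESS. Please use "resp != WLAN_STATUS_SUCCESS" for consistency and so the intent is clear to readers. As with the other messages, adding the station address would make "auth_shared_key had failure: %d" usable when several stations authenticate at once.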
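Review bot: In src/ap/tkip_countermeasures.c (@@ -71) the new hostapd_logger() call is placed ahead of the existing "if (addr && local)" test, so it runs with addr == NULL whenever that test would have been false for that reason; please confirm hostapd_logger() accepts a NULL address or move the call after the check. It also logs at HOSTAPD_LEVEL_INFO unconditionally on every call to michael_mic_failure(). Since these events are driven by frames received over the air, an unthrottled INFO line per event can flood syslog on a busy or hostile channel; consider HOSTAPD_LEVEL_DEBUG or rate limiting. The format-string line also exceeds 80 columns and should be wrapped.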