From patchwork Wed Dec 6 18:48:35 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ben Greear X-Patchwork-Id: 845288 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=lists.infradead.org (client-ip=65.50.211.133; helo=bombadil.infradead.org; envelope-from=hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org; receiver=) Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=lists.infradead.org header.i=@lists.infradead.org header.b="ZRX5yauz"; dkim-atps=neutral Received: from bombadil.infradead.org (bombadil.infradead.org [65.50.211.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 3ysSN72yfwz9s72 for ; Thu, 7 Dec 2017 05:49:59 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20170209; h=Sender: Content-Transfer-Encoding:Content-Type:MIME-Version:Cc:List-Subscribe: List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id:Message-Id:Date: Subject:To:From:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To: References:List-Owner; bh=5+STgHCzMqJakwYz8l6T+xZ5amRqrEuSXXfeeDYDGUw=; b=ZRX 5yauzDNIzJri7hsoU1xdah+JsimCbpPxrArvui71Zij01YNY6zaoGiTB5Z8DcyXazA/oy6V0HXlTa w8UtOFYke27sMA/VkNawxpu3Fg/YhG5d7oC990RmJUzX/BHmbVXyNYMU+m/q98S8+s1QA9Oy6qUSO QmMGH8OpW/WL0+zpNF0PCJnYtgmBcsGhLxMwD08PbJh2OGMaERBAsR9kZdm/u86DQsGKr5Oy+Zv3m M79MGPfPcIrrnejpd/nTWNrr53XotedaXb7Aqh6oHvNILIuAcv9BPyyWnpTYFDdCjv3Zyo/UFKCXY hg1hhrfzNkHRKMzui5C2GDeQBlJzQcg==; Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.87 #1 (Red Hat Linux)) id 1eMelH-0004zS-C2; Wed, 06 Dec 2017 18:49:39 +0000 Received: from mail2.candelatech.com ([208.74.158.173]) by bombadil.infradead.org with esmtp (Exim 4.87 #1 (Red Hat Linux)) id 1eMeks-0004NQ-DI for hostap@lists.infradead.org; Wed, 06 Dec 2017 18:49:16 +0000 Received: from build-f21.candelatech.com (firewall.candelatech.com [50.251.239.81]) by mail2.candelatech.com (Postfix) with ESMTP id 1D76840A959; Wed, 6 Dec 2017 10:48:50 -0800 (PST) From: greearb@candelatech.com To: hostap@lists.infradead.org Subject: [PATCH] hostapd: add logging around michael-mic related failures. Date: Wed, 6 Dec 2017 10:48:35 -0800 Message-Id: <1512586115-16259-1-git-send-email-greearb@candelatech.com> X-Mailer: git-send-email 2.1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20171206_104914_520262_FA98BB51 X-CRM114-Status: UNSURE ( 7.76 ) X-CRM114-Notice: Please train this message. X-Spam-Score: -1.9 (-) X-Spam-Report: SpamAssassin version 3.4.1 on bombadil.infradead.org summary: Content analysis details: (-1.9 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 T_RP_MATCHES_RCVD Envelope sender domain matches handover relay domain -0.0 SPF_PASS SPF: sender matches SPF record -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] X-BeenThere: hostap@lists.infradead.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Ben Greear MIME-Version: 1.0 Sender: "Hostap" Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org From: Ben Greear This can help one understand better why stations are failing to associate. Signed-off-by: Ben Greear --- src/ap/ieee802_11.c | 33 ++++++++++++++++++++++----------- src/ap/tkip_countermeasures.c | 4 ++++ 2 files changed, 26 insertions(+), 11 deletions(-) diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c index 7f45db5..435b78d 100644 --- a/src/ap/ieee802_11.c +++ b/src/ap/ieee802_11.c @@ -288,7 +288,7 @@ static u16 auth_shared_key(struct hostapd_data *hapd, struct sta_info *sta, static int send_auth_reply(struct hostapd_data *hapd, const u8 *dst, const u8 *bssid, u16 auth_alg, u16 auth_transaction, u16 resp, - const u8 *ies, size_t ies_len) + const u8 *ies, size_t ies_len, const char* dbg) { struct ieee80211_mgmt *reply; u8 *buf; @@ -315,9 +315,9 @@ static int send_auth_reply(struct hostapd_data *hapd, os_memcpy(reply->u.auth.variable, ies, ies_len); wpa_printf(MSG_DEBUG, "authentication reply: STA=" MACSTR - " auth_alg=%d auth_transaction=%d resp=%d (IE len=%lu)", + " auth_alg=%d auth_transaction=%d resp=%d (IE len=%lu) (dbg=%s)", MAC2STR(dst), auth_alg, auth_transaction, - resp, (unsigned long) ies_len); + resp, (unsigned long) ies_len, dbg); if (hostapd_drv_send_mlme(hapd, reply, rlen, 0) < 0) wpa_printf(MSG_INFO, "send_auth_reply: send failed"); else @@ -339,7 +339,7 @@ static void handle_auth_ft_finish(void *ctx, const u8 *dst, const u8 *bssid, int reply_res; reply_res = send_auth_reply(hapd, dst, bssid, WLAN_AUTH_FT, - auth_transaction, status, ies, ies_len); + auth_transaction, status, ies, ies_len, "auth-ft-finish"); sta = ap_get_sta(hapd, dst); if (sta == NULL) @@ -428,7 +428,7 @@ static int auth_sae_send_commit(struct hostapd_data *hapd, reply_res = send_auth_reply(hapd, sta->addr, bssid, WLAN_AUTH_SAE, 1, WLAN_STATUS_SUCCESS, wpabuf_head(data), - wpabuf_len(data)); + wpabuf_len(data), "sae-send-commit"); wpabuf_free(data); @@ -449,7 +449,7 @@ static int auth_sae_send_confirm(struct hostapd_data *hapd, reply_res = send_auth_reply(hapd, sta->addr, bssid, WLAN_AUTH_SAE, 2, WLAN_STATUS_SUCCESS, wpabuf_head(data), - wpabuf_len(data)); + wpabuf_len(data), "sae-send-confirm"); wpabuf_free(data); @@ -810,7 +810,7 @@ static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta, pos = mgmt->u.auth.variable; end = ((const u8 *) mgmt) + len; send_auth_reply(hapd, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE, - auth_transaction, resp, pos, end - pos); + auth_transaction, resp, pos, end - pos, "auth-sae-reflection-attack"); goto remove_sta; } @@ -819,7 +819,7 @@ static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta, send_auth_reply(hapd, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE, auth_transaction, resp, wpabuf_head(hapd->conf->sae_commit_override), - wpabuf_len(hapd->conf->sae_commit_override)); + wpabuf_len(hapd->conf->sae_commit_override), "sae-commit-override"); goto remove_sta; } #endif /* CONFIG_TESTING_OPTIONS */ @@ -983,7 +983,7 @@ reply: send_auth_reply(hapd, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE, auth_transaction, resp, data ? wpabuf_head(data) : (u8 *) "", - data ? wpabuf_len(data) : 0); + data ? wpabuf_len(data) : 0, "auth-sae"); } remove_sta: @@ -1507,7 +1507,7 @@ static void handle_auth_fils_finish(struct hostapd_data *hapd, WLAN_AUTH_FILS_SK_PFS : WLAN_AUTH_FILS_SK; send_auth_reply(hapd, sta->addr, hapd->own_addr, auth_alg, 2, resp, data ? wpabuf_head(data) : (u8 *) "", - data ? wpabuf_len(data) : 0); + data ? wpabuf_len(data) : 0, "auth-fils-finish"); wpabuf_free(data); if (resp == WLAN_STATUS_SUCCESS) { @@ -1697,6 +1697,8 @@ static void handle_auth(struct hostapd_data *hapd, #endif /* CONFIG_NO_RC4 */ if (hapd->tkip_countermeasures) { + wpa_printf(MSG_DEBUG, + "Michael-MIC failure (tkip-countermeasures)"); resp = WLAN_REASON_MICHAEL_MIC_FAILURE; goto fail; } @@ -1800,6 +1802,8 @@ static void handle_auth(struct hostapd_data *hapd, hapd, mgmt->sa, (const u8 *) mgmt, len, &session_timeout, &acct_interim_interval, &vlan_id, &psk, &identity, &radius_cui); if (res == HOSTAPD_ACL_REJECT) { + wpa_printf(MSG_DEBUG, + "ieee802_11_allowed_address returned REJECT"); resp = WLAN_STATUS_UNSPECIFIED_FAILURE; goto fail; } @@ -1850,6 +1854,8 @@ static void handle_auth(struct hostapd_data *hapd, sta = ap_sta_add(hapd, mgmt->sa); if (!sta) { + wpa_printf(MSG_DEBUG, + "ap_sta_add failed"); resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA; goto fail; } @@ -1861,6 +1867,8 @@ static void handle_auth(struct hostapd_data *hapd, hapd, sta, res, session_timeout, acct_interim_interval, &vlan_id, &psk, &identity, &radius_cui); if (res) { + wpa_printf(MSG_DEBUG, + "ieee802_11_set_radios_info failed"); resp = WLAN_STATUS_UNSPECIFIED_FAILURE; goto fail; } @@ -1929,6 +1937,9 @@ static void handle_auth(struct hostapd_data *hapd, case WLAN_AUTH_SHARED_KEY: resp = auth_shared_key(hapd, sta, auth_transaction, challenge, fc & WLAN_FC_ISWEP); + if (resp != 0) + wpa_printf(MSG_DEBUG, + "auth_shared_key had failure: %d", resp); sta->auth_alg = WLAN_AUTH_SHARED_KEY; mlme_authenticate_indication(hapd, sta); if (sta->challenge && auth_transaction == 1) { @@ -1999,7 +2010,7 @@ static void handle_auth(struct hostapd_data *hapd, reply_res = send_auth_reply(hapd, mgmt->sa, mgmt->bssid, auth_alg, auth_transaction + 1, resp, resp_ies, - resp_ies_len); + resp_ies_len, "handle-auth"); if (sta && sta->added_unassoc && (resp != WLAN_STATUS_SUCCESS || reply_res != WLAN_STATUS_SUCCESS)) { diff --git a/src/ap/tkip_countermeasures.c b/src/ap/tkip_countermeasures.c index 4725e2b..857d2f7 100644 --- a/src/ap/tkip_countermeasures.c +++ b/src/ap/tkip_countermeasures.c @@ -71,6 +71,10 @@ int michael_mic_failure(struct hostapd_data *hapd, const u8 *addr, int local) struct os_reltime now; int ret = 0; + hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211, + HOSTAPD_LEVEL_INFO, + "Michael MIC failure detected in received frame, local: %d", local); + if (addr && local) { struct sta_info *sta = ap_get_sta(hapd, addr); if (sta != NULL) {