[ipxe-devel] [ipxe/ipxe] successful wpa handshake (memcmp polarity) (#103)

Bazz notifications at github.com
Tue Jan 14 20:37:39 UTC 2020


Fix memcmp() to return proper standard positive/negative
values for unequal comparisons. Similar to commit 3946aa9. The 
current implementation is backwards (i.e. the functions are returning
negative when they should be positive and vice-versa).

Currently all other consumers of these functions only check the return value
for ==0 or !=0 and so we can safely change the implementation without
breaking things.

However, there is one call that checks the polarity of
`memcmp()`, and that is [wpa_derive_ptk()](https://github.com/ipxe/ipxe/blob/8f1514a00450119b04b08642c55aa674bdf5a4ef/src/net/80211/wpa.c#L290-L305) during the wireless WPA 4-way
handshake. Due to the incorrect memcmp polarity, the WPA handshake
creates an incorrect PTK, and the handshake would fail after step 2.
Undoubtedly, the AP noticed the supplicant failed the mic check. This
commit fixes that issue.

Signed-off-by: Michael Bazzinotti <bazz at bazz1.com>

P.S. This wpa handshake bug is believed to have been longstanding for several years, and based on my current understanding, it possibly dates back to the release of the ipxe wpa feature itself. That makes no sense, but let's look at what I have uncovered. It seems a user encountered the exact same issue in [iPXE forums in 2016](https://forum.ipxe.org/showthread.php?tid=7943): a mic check failure. I realize net booting wirelessly is not popular nor well supported, and in that way bugs can live for a long time without being addressed. HOWEVER!

`wpa_derive_ptk()` would never run successfully unless with a different `memcmp()` function, due to the reversed polarity. How could a single person have ever successfully joined a WPA network using ipxe's `memcmp()`? I assume the code was ran successfully in the past, right? In those cases, was some other `memcmp()` somehow being used? For example, could the system's native memcmp() accidently have been superceding ipxe's?

 In any case, it seems a properly built ipxe that uses its internal `memcmp` could never generate a correct wpa ptk using `wpa_derive_ptk()` ? If you have any additional information to explain why, please by all means. Or join me in a state of wonder. Thanks
You can view, comment on, or merge this pull request online at:

  https://github.com/ipxe/ipxe/pull/103

-- Commit Summary --

  * [libc] Fix memcmp() to return proper values
  * [wpa] fix erroneous dbg printout in wpa_derive_ptk

-- File Changes --

    M src/core/string.c (2)
    M src/net/80211/wpa.c (9)

-- Patch Links --

https://github.com/ipxe/ipxe/pull/103.patch
https://github.com/ipxe/ipxe/pull/103.diff

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/ipxe/ipxe/pull/103
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ipxe.org/pipermail/ipxe-devel/attachments/20200114/fe629ede/attachment.htm>


More information about the ipxe-devel mailing list