On Mon, Feb 21, 2011 at 12:57:08PM +0100, Damien Bergamini wrote:
> | Index: ieee80211_pae_output.c
> | ===================================================================
> | RCS file: /cvs/src/sys/net80211/ieee80211_pae_output.c,v
> | retrieving revision 1.16
> | diff -u -p -r1.16 ieee80211_pae_output.c
> | --- ieee80211_pae_output.c	5 Jun 2010 15:54:35 -0000	1.16
> | +++ ieee80211_pae_output.c	20 Feb 2011 17:55:51 -0000
> | @@ -417,7 +417,6 @@ ieee80211_send_4way_msg3(struct ieee8021
> |  	frm = ieee80211_add_rsn(frm, ic, ic->ic_bss);
> |  	/* encapsulate the GTK */
> |  	frm = ieee80211_add_gtk_kde(frm, ni, k);
> | -	LE_WRITE_6(key->rsc, k->k_tsc);
> |  	/* encapsulate the IGTK if MFP was negotiated */
> |  	if (ni->ni_flags & IEEE80211_NODE_MFP) {
> |  		frm = ieee80211_add_igtk_kde(frm,
> | @@ -427,6 +426,9 @@ ieee80211_send_4way_msg3(struct ieee8021
> |  		info |= EAPOL_KEY_ENCRYPTED | EAPOL_KEY_SECURE;
> |  	} else	/* WPA */
> |  		frm = ieee80211_add_wpa(frm, ic, ic->ic_bss);
> | +
> | +	/* RSC = last transmit sequence number for the GTK */
> | +	LE_WRITE_6(key->rsc, k->k_tsc);
> |  
> |  	/* write the key info field */
> |  	BE_WRITE_2(key->info, info);
>
> nack. you'll get a null deref with wpa1 (k is not initialized).
> with wpa1, message 3/4 of the 4-way handshake does not carry the
> group key (it is sent in message 1/2 of the group key handshake
> that follows the 4-way handshake instead).
> the TSC of the pairwise key is always 0 in our case, which is
> the reason why it is not set here, but used when receiving
> msg 3/4 since other implementations may use non-zero values.
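Review bot: the moved `LE_WRITE_6(key->rsc, k->k_tsc);` in the second hunk now executes on the `} else /* WPA */` path as well as on the RSN path, but in these hunks `k` is only ever used on the RSN side (`frm = ieee80211_add_gtk_kde(frm, ni, k);`) and nothing on the WPA side is shown assigning it. Keep the write where the first hunk removes it from, directly after `ieee80211_add_gtk_kde(frm, ni, k);` inside the RSN block, or guard it on the same condition as the GTK KDE; the new comment `/* RSC = last transmit sequence number for the GTK */` can move with it, since it only makes sense where a GTK is actually being encapsulated.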
Ah, that makes sense. Thanks for clarifying. I'll commit the others when Miod has acked them.
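As an added example, not OpenBSD net80211 code and not written by either poster: a small C model of where the Key RSC field of message 3/4 is filled on the sending side and consumed on the receiving side, following Damien's description above. The RSC write is kept behind the same condition as the GTK KDE, so the WPA1 path (no GTK in message 3/4) never dereferences a key it does not have, and the receiving side reads the RSC instead of assuming the peer's counter started at zero. `struct example_key`, `msg3_fill_rsc`, `msg3_read_rsc` and the `EXAMPLE_PROTO_*` constants are assumptions made for this illustration; `LE_WRITE_6` and `LE_READ_6` are written out locally rather than taken from the kernel headers.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/*
 * 48-bit little-endian accessors. LE_WRITE_6 is the macro named in the
 * patch; LE_READ_6 is its counterpart for the receiving side. Both are
 * spelled out here for the example (assumption: same byte order as net80211).
 */
#define LE_WRITE_6(p, v) do {						\
	uint8_t *_p = (uint8_t *)(p);					\
	uint64_t _v = (uint64_t)(v);					\
	_p[0] = (uint8_t)(_v);       _p[1] = (uint8_t)(_v >> 8);	\
	_p[2] = (uint8_t)(_v >> 16); _p[3] = (uint8_t)(_v >> 24);	\
	_p[4] = (uint8_t)(_v >> 32); _p[5] = (uint8_t)(_v >> 40);	\
} while (0)

static inline uint64_t
LE_READ_6(const uint8_t *p)
{
	return (uint64_t)p[0] | (uint64_t)p[1] << 8 | (uint64_t)p[2] << 16 |
	    (uint64_t)p[3] << 24 | (uint64_t)p[4] << 32 | (uint64_t)p[5] << 40;
}

/* Assumed stand-in for the driver's key object; only the counters matter here. */
struct example_key {
	uint64_t k_tsc;	/* transmit sequence counter, 48 bits used */
	uint64_t k_rsc;	/* receive sequence counter, taken from the peer's RSC */
};

#define EXAMPLE_PROTO_WPA	1
#define EXAMPLE_PROTO_RSN	2

/*
 * Fill the 8-byte Key RSC field of message 3/4 on the sending side.
 * RSN:  the message carries the GTK KDE, so RSC is the GTK's current TSC
 *       and gtk must be present.
 * WPA1: the GTK is not delivered in this message (it comes in the group
 *       key handshake), so there is no GTK to read a TSC from; the field
 *       stays zero and gtk may legitimately be NULL.
 * Returns 0 on success, -1 when an RSN message has no GTK to take the TSC from.
 */
int
msg3_fill_rsc(int proto, const struct example_key *gtk, uint8_t rsc[8])
{
	memset(rsc, 0, 8);
	if (proto != EXAMPLE_PROTO_RSN)
		return 0;		/* WPA1: nothing to encode, never touch gtk */
	if (gtk == NULL)
		return -1;		/* RSN without a GTK is a caller bug, not a deref */
	LE_WRITE_6(rsc, gtk->k_tsc);	/* bytes 6 and 7 stay zero */
	return 0;
}

/*
 * Receiving side of message 3/4: take the RSC from the frame as the initial
 * receive counter of the key being installed, rather than assuming the peer
 * started its counter at 0. Returns the value read so callers can check it.
 */
uint64_t
msg3_read_rsc(const uint8_t rsc[8], struct example_key *key)
{
	key->k_rsc = LE_READ_6(rsc);
	return key->k_rsc;
}

/* Constructed input: RSN with a live GTK whose TSC is 0x010203040506. */
uint64_t
example_rsn_roundtrip(void)
{
	struct example_key gtk = { 0x010203040506ULL, 0 };
	struct example_key peer = { 0, 0 };
	uint8_t rsc[8];

	if (msg3_fill_rsc(EXAMPLE_PROTO_RSN, &gtk, rsc) != 0)
		return 0;
	return msg3_read_rsc(rsc, &peer);
}

/* Constructed input: WPA1 with no GTK at all; the field must come back all zero. */
int
example_wpa_no_gtk(void)
{
	uint8_t rsc[8];
	int i;

	memset(rsc, 0xff, sizeof(rsc));
	if (msg3_fill_rsc(EXAMPLE_PROTO_WPA, NULL, rsc) != 0)
		return -1;
	for (i = 0; i < 8; i++)
		if (rsc[i] != 0)
			return -1;
	return 0;
}
```

The design point is the one from the nack: whatever writes the RSC from `k->k_tsc` has to sit under the same condition that made `k` valid, which in the patched function is the RSN branch that encapsulates the GTK KDE. A separate return code for "RSN but no GTK" turns a would-be NULL dereference into a reportable caller error.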