Message ID | 20190915200837.196283-18-alexander@wetzel-home.de |
---|---|
State | Superseded |
Headers | show
Return-Path: <hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org> X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=lists.infradead.org (client-ip=2607:7c80:54:e::133; helo=bombadil.infradead.org; envelope-from=hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org; receiver=<UNKNOWN>) Authentication-Results: ozlabs.org; dmarc=fail (p=quarantine dis=none) header.from=wetzel-home.de Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=lists.infradead.org header.i=@lists.infradead.org header.b="ZGw5x6Yq"; dkim=fail reason="signature verification failed" (1024-bit key; secure) header.d=wetzel-home.de header.i=@wetzel-home.de header.b="wJt9eMhZ"; dkim-atps=neutral Received: from bombadil.infradead.org (bombadil.infradead.org [IPv6:2607:7c80:54:e::133]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 46WgWb02nDz9sNx for <incoming@patchwork.ozlabs.org>; Mon, 16 Sep 2019 06:11:55 +1000 (AEST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20170209; h=Sender: Content-Transfer-Encoding:Content-Type:Cc:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To: Message-Id:Date:Subject:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=CtIPET83nk3hSgEgbWLOj8+FIW3R/h42Nny3RrRgI6A=; b=ZGw5x6YqRL2GSy gSDn4fYHF5CXNV1hncExi1+pyhIlgl/pF+0HbQnheAtfiYCOz4LZl1zTDeIRGR7gY6r3T8F6KvhKS 6PG7JJzSKcJXie0rs7DkU4IBmNQitr4ZHDwDmhQZ5unWaeitYJYLp8K6zTL+1Vq9YQb23/iMCLlKO hPpwXIQxOa6ovToJJYqb6brs1x5sqIvbYnMCy239yd540SK3Ev1IAVTACA3TOgdEZO/NvTiCTlMSU P55f33E5lekjMGIo7eFE4WjwimMhaeVpKTiOry291OjusCtUv4Qf/LJ61s3+BUpHHFOkk0Fxl5lG0 cGAhjCo30eNf7SzKmEyQ==; Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.92.2 #3 (Red Hat Linux)) id 1i9asC-00019F-8e; Sun, 15 Sep 2019 20:11:52 +0000 Received: from 19.mo3.mail-out.ovh.net ([178.32.98.231]) by bombadil.infradead.org with esmtps (Exim 4.92.2 #3 (Red Hat Linux)) id 1i9apv-0006Mm-DQ for hostap@lists.infradead.org; Sun, 15 Sep 2019 20:09:37 +0000 Received: from player729.ha.ovh.net (unknown [10.109.159.248]) by mo3.mail-out.ovh.net (Postfix) with ESMTP id 7CDFE225EED for <hostap@lists.infradead.org>; Sun, 15 Sep 2019 22:09:23 +0200 (CEST) Received: from awhome.eu (p57B7E67F.dip0.t-ipconnect.de [87.183.230.127]) (Authenticated sender: postmaster@awhome.eu) by player729.ha.ovh.net (Postfix) with ESMTPSA id 1EFFA9FB8902; Sun, 15 Sep 2019 20:09:20 +0000 (UTC) From: Alexander Wetzel <alexander@wetzel-home.de> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=wetzel-home.de; s=wetzel-home; t=1568578151; bh=eJVP5dw1P+qURl6QycrDdGDl9ksuzzy7pBhcGypY6Zs=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=wJt9eMhZawTjijNL5lhNPP5aTr0RCrQh4NM1SYZNdJ2r6dLQ2WaJQIowIfuPJuHt8 xKHvUwqLNaFdzDdRb2QIkFgJ7X3wmIsBc3/Ts8/G+puqhoK2vdNZzZGgCjB40srUab gqVJm2RPYZxGr8Js5Lady4TrOTtZOn0wdkmsjycY= To: j@w1.fi Subject: [PATCH v6 17/17] hostapd: Extended Key ID stress test Date: Sun, 15 Sep 2019 22:08:37 +0200 Message-Id: <20190915200837.196283-18-alexander@wetzel-home.de> X-Mailer: git-send-email 2.23.0 In-Reply-To: <20190915200837.196283-1-alexander@wetzel-home.de> References: <20190915200837.196283-1-alexander@wetzel-home.de> MIME-Version: 1.0 X-Ovh-Tracer-Id: 11129239106496896252 X-VR-SPAMSTATE: OK X-VR-SPAMSCORE: 0 X-VR-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgedufedruddugddugeejucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuqfggjfdpvefjgfevmfevgfenuceurghilhhouhhtmecuhedttdenuc X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20190915_130931_601049_5DF30CC8 X-CRM114-Status: GOOD ( 21.07 ) X-Spam-Score: -0.2 (/) X-Spam-Report: SpamAssassin version 3.4.2 on bombadil.infradead.org summary: Content analysis details: (-0.2 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [178.32.98.231 listed in list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain X-BeenThere: hostap@lists.infradead.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: <hostap.lists.infradead.org> List-Unsubscribe: <http://lists.infradead.org/mailman/options/hostap>, <mailto:hostap-request@lists.infradead.org?subject=unsubscribe> List-Archive: <http://lists.infradead.org/pipermail/hostap/> List-Post: <mailto:hostap@lists.infradead.org> List-Help: <mailto:hostap-request@lists.infradead.org?subject=help> List-Subscribe: <http://lists.infradead.org/mailman/listinfo/hostap>, <mailto:hostap-request@lists.infradead.org?subject=subscribe> Cc: Alexander Wetzel <alexander@wetzel-home.de>, hostap@lists.infradead.org, luca@coelho.fi, johannes@sipsolutions.net Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "Hostap" <hostap-bounces@lists.infradead.org> Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org |
Series |
Support seamless PTK rekeys with Extended Key ID
|
expand
|
diff --git a/src/ap/wpa_auth_ie.c b/src/ap/wpa_auth_ie.c index 833abe14a..2e3204f5d 100644 --- a/src/ap/wpa_auth_ie.c +++ b/src/ap/wpa_auth_ie.c @@ -545,6 +545,7 @@ int handle_extended_key_id(struct wpa_state_machine *sm, int capabilities) return -1; } else if (!sm->use_extended_key_id) { sm->use_extended_key_id = TRUE; + sm->keyidx_active = 1; } } else { if (sm->use_extended_key_id && sm->pairwise_set) {
Change the default keyid to 1 for the first pairwise key when using Extended Key ID. This is so far only intended to cause compatibility problems as soon as possible and not delay them till we rekey. When a broken STA claims to be compatible with Extended Key ID it will still assume keyid 0 is being used for the first key and never be able to communicate with our AP supporting Extended Key ID. Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de> --- For now this is has mainly two functions: 1) Guarantees that Extended Key ID can really be used at the initial connect. Many potential issues are linked to the usage of keyid 1 for a unicast key, so make sure this happens as soon as possible. 2) The existing tests will find many of these issues, even when not rekeying the connection I have some plans to extend that later: By e.g. starting a EAPOL group handshake directly after the connect we can verify if the keyid 1 transport is really working. When the handshake times out hostapd could install the same key for keyid 0, disabling Extended Key ID support and allow the broken STA to still communicate with the BSS. This idea is mostly based to the fact that one of my devices (Samsung Galaxy Tap S3) is setting the "Extended Key ID" capability flag wrong. The AP therefore (correctly) starts using it. But when the AP rekeys the PTK is losing the connection. It looks like the device is just copying the capability bit from the AP RSN. And chances are more devices have the same bug... I'm not sure if we really want to deploy such a workaround. It's probably hard to get rid of and just getting the broken devices fixed is be the better solution. But till that is done users will wonder why it's not working, so handling that outside of the standard may be better. Of course the workaround would be optional: I think we could set wpa_extended_key_id to 2 by default and allow the user to disable the workaround by setting it to 1. Another option would be to simply drop the patch or use it only creating binaries for testing. (CONFIG_TESTING_OPTIONS) After all PTK rekeying is - based on all devices I could get my hands on - mostly broken. The chance to have an AP and a STA able to rekey really correctly under load is as of today really bad. (Maybe 20% success rate?) Therefore it looks like rekey is not used very often and when we start with keyid 0 and never rekey it will also work for most users. On the other hand I prefer a clean failure to something working on the brink of failure: So this patch series tries to make sure it fails as soon as possible. src/ap/wpa_auth_ie.c | 1 + 1 file changed, 1 insertion(+)