[OpenWrt-Devel,2/3] hosap: Add ibss-key-mgt patch from upstream.

Submitted by Ben Greear on Jan. 19, 2017, 11:14 p.m.

Details

Message ID 1484867675-27303-2-git-send-email-greearb@candelatech.com
State New

Commit Message

Ben Greear Jan. 19, 2017, 11:14 p.m.
From: Ben Greear <greearb@candelatech.com>

Signed-off-by: Ben Greear <greearb@candelatech.com>
---
 ...fix-tk-clearing-on-athentication-frame-rx.patch | 42 ++++++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 network/services/hostapd/patches/900-fix-tk-clearing-on-athentication-frame-rx.patch

Comments

Felix Fietkau Jan. 20, 2017, 10:05 a.m.
On 2017-01-20 00:14, greearb@candelatech.com wrote:
> From: Ben Greear <greearb@candelatech.com>
> 
> Signed-off-by: Ben Greear <greearb@candelatech.com>
That fix has been in the tree for a few days already :)

- Felix

Felix Fietkau Jan. 20, 2017, 10:06 a.m.
On 2017-01-20 11:05, Felix Fietkau wrote:
> On 2017-01-20 00:14, greearb@candelatech.com wrote:
>> From: Ben Greear <greearb@candelatech.com>
>> 
>> Signed-off-by: Ben Greear <greearb@candelatech.com>
> That fix has been in the tree for a few days already :)
Sorry, I meant in the LEDE tree. You could just backport it from there.

- Felix

Ben Greear Jan. 20, 2017, 1:44 p.m.
On 01/20/2017 02:06 AM, Felix Fietkau wrote:
> On 2017-01-20 11:05, Felix Fietkau wrote:
>> On 2017-01-20 00:14, greearb@candelatech.com wrote:
>>> From: Ben Greear <greearb@candelatech.com>
>>>
>>> Signed-off-by: Ben Greear <greearb@candelatech.com>
>> That fix has been in the tree for a few days already :)
> Sorry, I meant in the LEDE tree. You could just backport it from there.

I am unlikely to really use OpenWrt much, but since I was hacking on it,
I figured I would post the patches in case someone else can use them
(or in case I purge my tree and need to search email for my patches some day :))

Thanks,
Ben

Patch

diff --git a/network/services/hostapd/patches/900-fix-tk-clearing-on-athentication-frame-rx.patch b/network/services/hostapd/patches/900-fix-tk-clearing-on-athentication-frame-rx.patch
new file mode 100644
index 0000000..a148640
--- /dev/null
+++ b/network/services/hostapd/patches/900-fix-tk-clearing-on-athentication-frame-rx.patch
@@ -0,0 +1,42 @@ 
+[PATCH] RSN IBSS: Fix TK clearing on Authentication frame RX
+
+When wpa_supplicant was processing a received Authentication frame (seq
+1) from a peer STA for which there was already a TK configured to the
+driver, debug log claimed that the PTK gets cleared, but the actual
+call to clear the key was actually dropped due to AUTH vs. SUPP set_key
+selection. Fix this by explicitly clearing the TK in case it was set
+and an Authentication frame (seq 1) is received.
+
+This fixes some cases where EAPOL-Key frames were sent encrypted using
+the old key when a peer STA restarted itself and lost the key and had to
+re-join the IBSS. Previously, that state required timing out the 4-way
+handshake and Deauthentication frame exchange to recover.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ wpa_supplicant/ibss_rsn.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/wpa_supplicant/ibss_rsn.c b/wpa_supplicant/ibss_rsn.c
+index 53d7d57..c29d8d3 100644
+--- a/wpa_supplicant/ibss_rsn.c
++++ b/wpa_supplicant/ibss_rsn.c
+@@ -832,6 +832,18 @@
+ 		   MAC2STR(addr));
+ 
+ 	if (peer &&
++        peer->authentication_status & (IBSS_RSN_SET_PTK_SUPP |
++                       IBSS_RSN_SET_PTK_AUTH)) {
++        /* Clear the TK for this pair to allow recovery from the case
++         * where the peer STA has restarted and lost its key while we
++         * still have a pairwise key configured. */
++        wpa_printf(MSG_DEBUG, "RSN: Clear pairwise key for peer "
++               MACSTR, MAC2STR(addr));
++        wpa_drv_set_key(ibss_rsn->wpa_s, WPA_ALG_NONE, addr, 0, 0,
++                NULL, 0, NULL, 0);
++    }
++
++	if (peer && 
+ 	    peer->authentication_status & IBSS_RSN_AUTH_EAPOL_BY_PEER) {
+ 		if (peer->own_auth_tx.sec) {
+ 			struct os_reltime now, diff;
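
Review bot: The return value of wpa_drv_set_key() in the added block is discarded, so if the driver fails to remove the key the debug line "RSN: Clear pairwise key for peer" is still printed while the old TK stays configured. That is the same gap between log and driver state that the embedded commit message describes. Consider checking the result and logging a failure at a level above MSG_DEBUG. The visible lines also leave IBSS_RSN_SET_PTK_SUPP and IBSS_RSN_SET_PTK_AUTH set in peer->authentication_status; unless they are reset further down, outside this hunk, every later Authentication frame (seq 1) from that peer repeats the clear and the log message. On style, the added lines are indented with spaces while the surrounding context uses tabs, and the re-added `if (peer && ` line carries trailing whitespace; keeping the upstream tab indentation would make this 900- patch easier to compare against the original commit. The file name also spells "athentication", which is worth correcting before it becomes a path others reference.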