Message ID | 20170719042105.21319-2-pallas@meraki.com |
---|---|
State | New |
Headers | show
Return-Path: <hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org> X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=lists.infradead.org (client-ip=65.50.211.133; helo=bombadil.infradead.org; envelope-from=hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org; receiver=<UNKNOWN>) Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=lists.infradead.org header.i=@lists.infradead.org header.b="GVs3KDvj"; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=meraki.com header.i=@meraki.com header.b="krBwfNo/"; dkim-atps=neutral Received: from bombadil.infradead.org (bombadil.infradead.org [65.50.211.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 3xC3lW24RYz9s0g for <incoming@patchwork.ozlabs.org>; Wed, 19 Jul 2017 14:22:12 +1000 (AEST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20170209; h=Sender: Content-Transfer-Encoding:Content-Type:MIME-Version:Cc:List-Subscribe: List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id:References: In-Reply-To:Message-Id:Date:Subject:To:From:Reply-To:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Owner; bh=tMYBS8XH5OYf/uztvnV/BtwKmABkAIYHPYQy2MCDdRs=; b=GVs3KDvjLz5eDruChK4KqyztEH DP445XjIY6P7Tak/sBRhOrGSshhlOQRRZuYsnvr91eKszhoVLGTP3/uHwRuJHBfx8JJO30n9xQmDp EAJ6pD69pHF4GNuBcnHIYrDM/+ZQLI+Vt61t8D47soF0bk/DtHe2tVqv7YixjACddhV2spPD2XsBp ZE4WeqyDaWBSlVHNxkEbi/caahmFFiZ8Hmn6HshClMN3F4tydyjUpRsOhVnLuILFYMz38jJWfPE5w cGYqOR4LbwKDTxDZjbdVwqBh3mZedWFaSJJ2+L4sTyKFbjUINBKH6EUgXwwxcJSBBUaM+4Rpz6Zal e3YCWJPA==; Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.87 #1 (Red Hat Linux)) id 1dXgUc-0005WO-Kd; Wed, 19 Jul 2017 04:21:46 +0000 Received: from mail-pf0-x22c.google.com ([2607:f8b0:400e:c00::22c]) by bombadil.infradead.org with esmtps (Exim 4.87 #1 (Red Hat Linux)) id 1dXgUV-0005SZ-HM for hostap@lists.infradead.org; Wed, 19 Jul 2017 04:21:40 +0000 Received: by mail-pf0-x22c.google.com with SMTP id s70so12066501pfs.0 for <hostap@lists.infradead.org>; Tue, 18 Jul 2017 21:21:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=meraki.com; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=ASTZbc2giVEfpX0ANPy0oLNipJNQ6Vl8r5QAiyPDB4w=; b=krBwfNo/RNbESp+10jIVW5aRKW+fMCeDj7mhM4ZwInns6+n4qWos6YTW3avAgs4KT1 N0hNsNiYEFuCdR05AbATzyq5Fbhl7SjrDvBjGx0gaZZQV55Odjlm52WiQkMohsxaAE/x rIYwlTlril91e777wOvpd30RcUk8VA3MzT8AA= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=ASTZbc2giVEfpX0ANPy0oLNipJNQ6Vl8r5QAiyPDB4w=; b=fl0Ft0WNjaVtRH5KAmlA89HVzvNqBqaMey0u+uTkTd0VXJHhyO0CYc7VHXWkIob3XY 4+YHK3qm/RCduApsYL5EhmQJfHuGur5A5vl06/EGeMVvJ74NvYtPxS8DYB2KzElIaOYJ ssKxOizQhh6EKdgWfZEzSsJMRDK+qeE86KxWgQ985z5HQ4Cf5/N1e1QIYdJxIJ03cjCg y0h0cz92SBNIER701K1JdxV0rCS5IH/+4N+Icy/fpgxVH44SXwyLhZAn75ghsI2xjmKe ysaQag45PBPoGH+4Q+sqgaBRiUyEIqPFEdXXPPVdoPY6kfIGErYGvPAqXQZLeecy6XRT 0N/Q== X-Gm-Message-State: AIVw111h6jzfCECvUPA/1gIKj9v70HhsXk+C85iNaYDsCmgtcECclsnx eKHTi3cOPk92fODtfjmrQA== X-Received: by 10.84.130.108 with SMTP id 99mr1135789plc.76.1500438075839; Tue, 18 Jul 2017 21:21:15 -0700 (PDT) Received: from sf100.meraki.com (184-23-135-132.dedicated.static.sonic.net. [184.23.135.132]) by smtp.gmail.com with ESMTPSA id n9sm1880803pfh.109.2017.07.18.21.21.14 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Tue, 18 Jul 2017 21:21:14 -0700 (PDT) From: Derrick Pallas <pallas@meraki.com> To: hostap@lists.infradead.org Subject: [PATCH 2/2] WPA: disassociate client on invalid EAP-Key state Date: Tue, 18 Jul 2017 21:21:05 -0700 Message-Id: <20170719042105.21319-2-pallas@meraki.com> X-Mailer: git-send-email 2.10.2 In-Reply-To: <20170719042105.21319-1-pallas@meraki.com> References: <20170719042105.21319-1-pallas@meraki.com> X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20170718_212139_609275_4C429F4F X-CRM114-Status: UNSURE ( 9.20 ) X-CRM114-Notice: Please train this message. X-Spam-Score: -2.0 (--) X-Spam-Report: SpamAssassin version 3.4.1 on bombadil.infradead.org summary: Content analysis details: (-2.0 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no trust [2607:f8b0:400e:c00:0:0:0:22c listed in] [list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain X-BeenThere: hostap@lists.infradead.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: <hostap.lists.infradead.org> List-Unsubscribe: <http://lists.infradead.org/mailman/options/hostap>, <mailto:hostap-request@lists.infradead.org?subject=unsubscribe> List-Archive: <http://lists.infradead.org/pipermail/hostap/> List-Post: <mailto:hostap@lists.infradead.org> List-Help: <mailto:hostap-request@lists.infradead.org?subject=help> List-Subscribe: <http://lists.infradead.org/mailman/listinfo/hostap>, <mailto:hostap-request@lists.infradead.org?subject=subscribe> Cc: Derrick Pallas <pallas@meraki.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "Hostap" <hostap-bounces@lists.infradead.org> Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org |
diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c index 8110cd7..39fbf6c 100644 --- a/src/ap/wpa_auth.c +++ b/src/ap/wpa_auth.c @@ -1174,6 +1174,7 @@ continue_processing: "received EAPOL-Key msg 4/4 in " "invalid state (%d) - dropped", sm->wpa_ptk_state); + wpa_sta_disconnect(wpa_auth, sm->addr); return; } break; @@ -1184,6 +1185,7 @@ continue_processing: "received EAPOL-Key msg 2/2 in " "invalid state (%d) - dropped", sm->wpa_ptk_group_state); + wpa_sta_disconnect(wpa_auth, sm->addr); return; } break;
A previous commit addressed broken supplicants in Disassociation loops by destroying PMKSAs when receiving a spurious EAPOL-Start. After that change, the STA recovers and Associates after a full EAP. The Disassociation does not happen until after multiple EAP-Identity requests are ignored by the STA, which takes more than a minute. This change shortens that recovery time to a few seconds by proactively Disassociating the STA when it receiving EAPOL-Key 2/4 or 4/4 in an invalid state. The supplicants we've seen with this bad behavior have only broken sporadically when waking up, so a few seconds is reasonable. Consequently, the core issue has been dubbed Groggy Supplicant Syndrome. Signed-off-by: Derrick Pallas <pallas@meraki.com> --- src/ap/wpa_auth.c | 2 ++ 1 file changed, 2 insertions(+)