From patchwork Sat Aug 17 21:14:18 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alexander Wetzel X-Patchwork-Id: 1148792 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=lists.infradead.org (client-ip=2607:7c80:54:e::133; helo=bombadil.infradead.org; envelope-from=hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=quarantine dis=none) header.from=wetzel-home.de Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=lists.infradead.org header.i=@lists.infradead.org header.b="M75GcUqQ"; dkim=fail reason="signature verification failed" (1024-bit key; secure) header.d=wetzel-home.de header.i=@wetzel-home.de header.b="JoJ45FUv"; dkim-atps=neutral Received: from bombadil.infradead.org (bombadil.infradead.org [IPv6:2607:7c80:54:e::133]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 469tKG21nPz9s4Y for ; Sun, 18 Aug 2019 07:16:18 +1000 (AEST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20170209; h=Sender: Content-Transfer-Encoding:Content-Type:Cc:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:Message-Id:Date:Subject:To :From:Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References: List-Owner; bh=kYgc2B7RDkP8+DmC7EO1D0Z7yEJ7eYHrnPkVpFI3Unw=; b=M75GcUqQkd9T2T eWuLZpDn8izmAmZw3C+90OpNQ01sF8PTRiCowf7m6HF7jQ3jNudcvVWLYeX7wg9jDdc61+IdYimLq nU0CTpkK+iy0msPoB5LdXCLdP19HI+nyn5VRnfEmTYe2WtLzwgZBK9k0rZT80d0D+puKgGXbMBGAE RIRR1cG3K10y9hj2KG/R5WwUwLcaP6L7b0C015JQtNK3r6HQ+QoEjlIP6Cwy1v29I9wJ0mwp/fNZ6 Ac5Oa0kv1F5SFWNexaJySo8+Ouw0usGd+Bt7i2/yVmROXUpnRu8KbaXUO24u9TwUVhwabCc03LUuY ez7gFAsUMcNBYm2VVn3Q==; Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.92 #3 (Red Hat Linux)) id 1hz63a-00049Z-W9; Sat, 17 Aug 2019 21:16:15 +0000 Received: from 7.mo68.mail-out.ovh.net ([46.105.63.230]) by bombadil.infradead.org with esmtps (Exim 4.92 #3 (Red Hat Linux)) id 1hz62X-00023B-Bi for hostap@lists.infradead.org; Sat, 17 Aug 2019 21:15:13 +0000 Received: from player696.ha.ovh.net (unknown [10.108.35.232]) by mo68.mail-out.ovh.net (Postfix) with ESMTP id BB2D913E9B8 for ; Sat, 17 Aug 2019 23:14:56 +0200 (CEST) Received: from awhome.eu (p4FF9179D.dip0.t-ipconnect.de [79.249.23.157]) (Authenticated sender: postmaster@awhome.eu) by player696.ha.ovh.net (Postfix) with ESMTPSA id E43818FD75ED; Sat, 17 Aug 2019 21:14:51 +0000 (UTC) From: Alexander Wetzel DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=wetzel-home.de; s=wetzel-home; t=1566076490; bh=4TCXUEYHSD8bFBSpc4njD5jomeCqcrp3UXVOP7QPD5s=; h=From:To:Cc:Subject:Date; b=JoJ45FUvcsD0ERSjEMHcAcv5QVU695GL+IMAnwPFnPF9TfL5xm5J7gcL7wzl66Goy 1mLOOvl1qwnZq/LWNyhCMQiDZ/wIONITdeVGxb0Va6wU2+KeqQZtY/mMgHFuMcqM1s oEsLRySNNCwW/3dqrSPoMAYUFbJOcdnHHPaH+MJ4= To: j@w1.fi Subject: [PATCH v3 00/17] Support seamless PTK rekeys with Extended Key ID Date: Sat, 17 Aug 2019 23:14:18 +0200 Message-Id: <20190817211435.158335-1-alexander@wetzel-home.de> X-Mailer: git-send-email 2.22.0 MIME-Version: 1.0 X-Ovh-Tracer-Id: 7948571867682512124 X-VR-SPAMSTATE: OK X-VR-SPAMSCORE: 0 X-VR-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgeduvddrudefhedgudeiudcutefuodetggdotefrodftvfcurfhrohhfihhlvgemucfqggfjpdevjffgvefmvefgnecuuegrihhlohhuthemucehtddtnecu X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20190817_141509_761177_68B187B9 X-CRM114-Status: GOOD ( 29.65 ) X-Spam-Score: -0.2 (/) X-Spam-Report: SpamAssassin version 3.4.2 on bombadil.infradead.org summary: Content analysis details: (-0.2 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [46.105.63.230 listed in list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain X-BeenThere: hostap@lists.infradead.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Alexander Wetzel , hostap@lists.infradead.org, luca@coelho.fi, johannes@sipsolutions.net Sender: "Hostap" Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org Extended Key ID for Individually Addressed Frames has been added to the IEEE 802.11 - 2012 standard to allow STAs to rekey the pairwise key without an interruption for ongoing data traffic but so far there are no implementations using it. A good and easy to follow introduction to Extended Key ID can be found here: https://mentor.ieee.org/802.11/dcn/10/11-10-0313-01-000m-rekeying-protocol-fix.ppt In a nutshell Extended Key ID is just allowing to also use keyid 1 for pairwise keys: Therefore we can have two pairwise keys in paralell, allowing to switch between them comparable how it's already done for GTK and IGTK keys. All implementations of IEEE 802.11 without Extended Key ID only use the keyid 0 for unicast MPDUs and since each STA can only have a single unicast key active at any time without a window able to handle both old and the new key at the same time. When rekeying the unicast key under load MPDU losses are unavoidable: Each STA will get MPDUs encrypted with a key either no longer installed or not installed, yet. In both cases the remote STA will be unable to decrypt the MPDUs and drop them. (Since only the decryption fails and the frames are still acknowledged these are truly lost and it's up to e.g. tcp to retransmit them.) Especially on high speed connections this can easily affect a few dozen MPDUs, causing tcp to drastically throttle the speed or causing dropouts in voice or video transmissions even for "correct" implementations of the standard. (Most implementations are not correct and make matter much worse, but that's not really relevant for this patch series.) This patch series aims to implement Extended Key ID for both hostapd and wpa_supplicant and finally allow us to rekey unicast keys with virtually no MPDU loss and no (noticeable) performance impact at all. While there are still ways to extend or improve this patch set it's already quite complex and I believe this to be good enough to be merged as it is. Or in other words: It's high time I get some feedback on what I'm cooking here:-) Since Extended Key ID breaks the long-standing agreement that there can be only one active pairwise key using keyid 0 and also has to delay the Tx usage of a key from the key install this must be supported by the driver. So far Extended Key ID is only supported for linux kernels >=5.2 and cards only supporting SW crypto. This patch series has been developed using hwsim (works out of the box with a kernel >= 5.2.0) and two iwlwifi cards. (All cards prior below the current 22000 should work with a trivial patch as of today.) Some early versions were also tested with ath9, but the required mac80211 to support that card were not merged upstream and I abandoned that approach for now. The patch series consist of basically five parts: 1) The first 8 patches are addressing issues not directly tied to the Extended Key ID support. More details are directly in the individual patch descriptions, but they are primarily related to deprecating the set_tx boolean used in various set_key() functions and replace it with something more flexible and able to handle also Extended Key ID key installs: 01-nl80211: Migrate to current netlink key message format 02-Driver: Introduce key_types and Extended Key ID driver flag 03-Add new argument key_type to all set_key() functions 04-hostapd: Set the correct key_type for key installs 05-wpa_supplicant: Set the correct key_type for key installs 06-drivers: Migrate drivers from set_tx to key_type API 07-nl80211: Switch to the new key_type API & cleanup 08-nl80211,wpa_supplicant: Drop outdated tdls hack 2) The patches 9-11 are finally the Extended Key ID support for hostapd/wpa_supplicant and fix/amend to the existing tests to be able to work properly with and without Extended Key ID: 09-hostapd: Add support for Extended Key ID 10-wpa_supplicant: Extended Key ID support for AP connections 11-tests: Extended Key ID tests 3) Patches 12 and 13 are trying to close a gap not covered in the official standard. But I'm far from sure that this is the correct way and hope we can have a discussion here how to best handle FILS and probably also FT. (The standard is not having any guidance here...) 12-hostapd: FILS Extended Key ID support 13-wpa_supplicant: FILS Extended Key ID support 4) The patches 14+15 are finally adding Extended Key ID support to nl80211, basically activating all the previous Extended Key ID patches. But only patch 14 is really to be consider for merge: Patch 15 is just a hack to work around overly restrictive key install check in the linux kernels currently supporting Extended Key ID. I'm currently trying to fix that upstream and hope we can simply drop the patch. 14-nl80211: Extended Key ID support 15-nl80211: Hack for keyidx=1 installs 5) The last two patches, (16+17) are optional. Patch 16 is finishing the work the first 8 patches started. But since redesigning the set_tx API is the most invasive part of the patch series it is sometimes interesting to see how the old set_tx key calls would have performed. Patch 17 is so far just a proof that everything still works when we use keyid 1 at the initial connect instead of the more traditional keyid 0. I have some plans to extend that, allowing hostapd to detect broken STAs claiming to be compatible with Extended Key ID due to a broken capability handling and automatically stop using it. (At least the Samsung Galaxy Tab S3 is setting the RSN capabilities wrong and chances are there are others...) 16-Drop set_tx from all set_key() functions 17-hostapd: Extended Key ID stress test Besides the test cases I'm also using it on real hardware with iwlwifi with rekeys all 30s. To use Extended Key ID or see how the tests in hostapd are interacting with it you need at least a 5.2 linux kernel. Using a kernel without Extended Key ID support is useful to check that the changes are backward compatible. (I guess I could extend the tests to simulate a run without Extended Key ID, but then that would basically double the runtime... So for now there are just some generic Extended Key ID tests checking rekey is working with and without it and all other tests are just switching over to Extended Key ID when they do not actively opt out.) To make it a bit simpler to see what the patches are changing I've uploaded you a tgz containing three full test runs: 1) head-2019-08-17 Tests run with a unpatched hostapd (542913943) 2) patched-2019-08-17 Test run with hwsim supporting Extended Key ID and all patches of the series applied. 3) patched-legacy-2019-08-17 Also all patches applied, but Extended Key ID detection sabotaged, so it's using the classical unicast rekey procedure. You can download the roughly 560MB big file here: https://www.awhome.eu/index.php/s/8HQXpY4qf4CmHGs All tests were executed running wt-2019-08-06 from wireless-testing. (The kernel has three additional patched on top of the official version to use Extended Key ID with iwlwifi, my proposed patch to fix the Extended Key ID install checks in cfg80211 and a debug patch with printk's informing me when installing or activating any PTK. Most of the failed tests are related to a wrong Python call to AES encrypt data, missing one argument. (I'm using Python 3.6.9) I've added two extra files in each test directory: - failed.log All tests failed in this run. With a comment when it worked when trying the test a second time. (But without adding the output of the rerun.) - script.log The output of the actual test run. Compared to version 2 of the patch series the following changes have been made: - use key_type (enum) instead of key_flag (bit array) - migrate set_tx to the new key_type API and clean up related workarounds and bugs. - also support Extended Key ID for OSEN, FT and FILS - wpa_supplicant is now checking RSN capabilities instead of the presence of the KeyID KDE to enable Extended Key ID support to follow the wording of the standard - detect and prevent dropping or adding Extended Key ID support on rekey. (Initial connection decides if we can use it.) - Don't enable Extended Key ID for TKIP. (Not allowed in the standard.) - also flip KeyIDs for WPA_REAUTH and WPA_REAUTH_EAPOL - fixed many "test-only" bugs (both tests and test code) - split fixes and extensions in different patches - dropped "GET drv_flags" and handle it differently - better description of the patches Alexander Wetzel (17): nl80211: Migrate to current netlink key message format Driver: Introduce key_types and Extended Key ID driver flag Add new argument key_type to all set_key() functions hostapd: Set the correct key_type for key installs wpa_supplicant: Set the correct key_type for key installs drivers: Migrate drivers from set_tx to key_type API nl80211: Switch to the new key_type API & cleanup nl80211,wpa_supplicant: Drop outdated tdls hack hostapd: Add support for Extended Key ID wpa_supplicant: Extended Key ID support for AP connections tests: Extended Key ID tests hostapd: FILS Extended Key ID support wpa_supplicant: FILS Extended Key ID support nl80211: Extended Key ID support nl80211: Hack for keyidx=1 installs Drop set_tx from all set_key() functions hostapd: Extended Key ID stress test Alexander Wetzel (17): nl80211: Migrate to current netlink key message format Driver: Introduce key_types and Extended Key ID driver flag Add new argument key_type to all set_key() functions hostapd: Set the correct key_type for key installs wpa_supplicant: Set the correct key_type for key installs drivers: Migrate drivers from set_tx to key_type API nl80211: Switch to the new key_type API & cleanup nl80211,wpa_supplicant: Drop outdated tdls hack hostapd: Add support for Extended Key ID wpa_supplicant: Extended Key ID support for AP connections tests: Extended Key ID tests hostapd: FILS Extended Key ID support wpa_supplicant: FILS Extended Key ID support nl80211: Extended Key ID support nl80211: Hack for keyidx=1 installs Drop set_tx from all set_key() functions hostapd: Extended Key ID stress test hostapd/config_file.c | 2 + hostapd/ctrl_iface.c | 67 ++++++---- hostapd/hostapd.conf | 10 ++ src/ap/ap_config.c | 1 + src/ap/ap_config.h | 1 + src/ap/ap_drv_ops.c | 9 +- src/ap/ap_drv_ops.h | 5 +- src/ap/hostapd.c | 17 ++- src/ap/hs20.c | 2 + src/ap/ieee802_11.c | 6 +- src/ap/ieee802_1x.c | 14 +- src/ap/wpa_auth.c | 99 +++++++++++--- src/ap/wpa_auth.h | 4 +- src/ap/wpa_auth_ft.c | 13 +- src/ap/wpa_auth_glue.c | 38 +++++- src/ap/wpa_auth_i.h | 3 + src/ap/wpa_auth_ie.c | 43 +++++- src/common/wpa_common.c | 1 + src/common/wpa_common.h | 9 ++ src/drivers/driver.h | 33 +++-- src/drivers/driver_atheros.c | 10 +- src/drivers/driver_bsd.c | 12 +- src/drivers/driver_hostap.c | 9 +- src/drivers/driver_ndis.c | 23 ++-- src/drivers/driver_nl80211.c | 204 ++++++++++++++++++----------- src/drivers/driver_nl80211_capa.c | 4 + src/drivers/driver_openbsd.c | 4 +- src/drivers/driver_privsep.c | 12 +- src/drivers/driver_wext.c | 27 ++-- src/drivers/driver_wext.h | 4 +- src/rsn_supp/tdls.c | 9 +- src/rsn_supp/wpa.c | 156 +++++++++++++++++++--- src/rsn_supp/wpa.h | 9 +- src/rsn_supp/wpa_ft.c | 17 ++- src/rsn_supp/wpa_i.h | 12 +- src/rsn_supp/wpa_ie.c | 11 ++ src/rsn_supp/wpa_ie.h | 1 + tests/hwsim/hostapd.py | 19 ++- tests/hwsim/test_ap_ciphers.py | 2 +- tests/hwsim/test_ap_eap.py | 20 ++- tests/hwsim/test_ap_psk.py | 76 ++++++++++- tests/hwsim/test_ocv.py | 13 +- tests/hwsim/test_rrm.py | 7 +- tests/hwsim/wpasupplicant.py | 7 +- wlantest/bss.c | 4 +- wlantest/rx_eapol.c | 4 + wpa_supplicant/config.c | 2 + wpa_supplicant/config_file.c | 1 + wpa_supplicant/config_ssid.h | 10 ++ wpa_supplicant/ctrl_iface.c | 34 +++-- wpa_supplicant/driver_i.h | 22 +++- wpa_supplicant/ibss_rsn.c | 19 +-- wpa_supplicant/mesh_mpm.c | 12 +- wpa_supplicant/mesh_rsn.c | 14 +- wpa_supplicant/preauth_test.c | 2 +- wpa_supplicant/wpa_cli.c | 3 +- wpa_supplicant/wpa_supplicant.c | 40 ++++-- wpa_supplicant/wpa_supplicant.conf | 5 + wpa_supplicant/wpas_glue.c | 24 ++-- 59 files changed, 915 insertions(+), 326 deletions(-)