Message ID | 20190824160505.5548-17-alexander@wetzel-home.de |
---|---|
State | Superseded |
Headers |

From: Alexander Wetzel <alexander@wetzel-home.de>
To: j@w1.fi
Cc: Alexander Wetzel <alexander@wetzel-home.de>, hostap@lists.infradead.org, luca@coelho.fi, johannes@sipsolutions.net
Subject: [PATCH v4 16/16] hostapd: Extended Key ID stress test
Date: Sat, 24 Aug 2019 18:05:05 +0200
Message-Id: <20190824160505.5548-17-alexander@wetzel-home.de>
In-Reply-To: <20190824160505.5548-1-alexander@wetzel-home.de>
References: <20190824160505.5548-1-alexander@wetzel-home.de>
List-Id: <hostap.lists.infradead.org>
List-Archive: <http://lists.infradead.org/pipermail/hostap/>
Series | Support seamless PTK rekeys with Extended Key ID |
diff --git a/src/ap/wpa_auth_ie.c b/src/ap/wpa_auth_ie.c index 725c76056..3207990e5 100644 --- a/src/ap/wpa_auth_ie.c +++ b/src/ap/wpa_auth_ie.c @@ -553,6 +553,7 @@ int handle_extended_key_id(struct wpa_state_machine *sm, int capabilities) return -1; } else if (!sm->use_extended_key_id) { sm->use_extended_key_id = TRUE; + sm->keyidx_active = 1; } } else { if (sm->use_extended_key_id && sm->pairwise_set) {
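Review bot: `sm->keyidx_active = 1;` in handle_extended_key_id() hardcodes Key ID 1 for the first PTK of every STA that advertises Extended Key ID, with no way for an operator to opt out, even though the commit message calls the behaviour "only intended to cause compatibility problems as soon as possible" and the notes below already propose making it configurable (wpa_extended_key_id set to 2 vs. 1). Suggest deriving the initial Key ID from that config value instead of the literal, and documenting in hostapd.conf that the first pairwise key is installed at Key ID 1 when Extended Key ID is negotiated, since a STA that fails at the initial 4-way handshake because it ignores the Key ID KDE is otherwise hard to diagnose. Also note the assignment sits only in the `else if (!sm->use_extended_key_id)` branch, so it takes effect the first time the capability is seen for this state machine; a STA that reassociates with use_extended_key_id already set keeps its previous keyidx_active, which is reasonable but deserves a one-line comment next to the assignment.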
Change the default keyid to 1 for the first pairwise key when using Extended Key ID.

This is so far only intended to cause compatibility problems as soon as possible and not delay them depending on the rekey interval.

A broken STA may claim to be compatible with Extended Key ID and will simply assume keyid 0 for each key install. Instead of causing connection problems after the first rekey we move these to the initial connect by starting with the more risky keyid 1.

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
---
For now this has mainly two functions:

1) Guarantees that Extended Key ID can really be used at the initial connect. Many potential issues are linked to the usage of keyid 1 for a unicast key, so make sure this happens as soon as possible.

2) The existing tests will find many of these issues, even when not rekeying the connection.

I have some plans to extend that later: By e.g. starting an EAPOL group handshake directly after the connect we can verify if the keyid 1 transport is really working. When the handshake times out hostapd could install the same key for keyid 0, disabling Extended Key ID support and allowing the broken STA to work with the AP.

This idea is mostly based on the fact that one of my devices (Samsung Galaxy Tap S3) is setting the "Extended Key ID" capability flag wrong. The AP therefore (correctly) assumes the device can handle it. When the AP rekeys the PTK and uses the keyid 1 the device is losing the connection. It looks like the device is just copying the capability (bit) from the AP RSN. Chances are this affects more (Samsung) devices.

Now I'm not sure if we really want to deploy such a workaround. It's probably hard to get rid of and just getting the broken devices fixed may be the better solution. Of course the workaround would be optional: I think we could set wpa_extended_key_id to 2 by default and allow the user to disable the workaround by setting it to 1.

Another option would be to simply drop the patch or make it testing only. After all PTK rekeying is - based on all devices I could get my hands on - mostly broken. The chance to have an AP and a STA able to rekey really correctly under load is as of today really bad. (Maybe 20% success rate?) Therefore it looks like rekey is not used very often and when we start with keyid 0 and never rekey it will also work for most users.

On the other hand I prefer a clean failure to something working on the brink of failure: So this patch series tries to make sure it fails as soon as possible.

 src/ap/wpa_auth_ie.c | 1 +
 1 file changed, 1 insertion(+)
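The argument in the commit message (a STA that ignores the Key ID KDE works with keyid 0 until the first rekey, but fails at the initial connect once the AP starts with keyid 1) can be checked with a small model of the key-index bookkeeping. The following is an added example written for this page, not hostapd code: the field names use_extended_key_id, keyidx_active and pairwise_set are borrowed from the hunk above, but the alternation logic, the STA model and the PTK values are assumptions made for illustration.

```c
/*
 * Toy model of PTK Key ID selection under Extended Key ID. Added example, not
 * hostapd code: field names follow the hunk, the behaviour is an assumption.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PTK_LEN 16

struct ap_sm {
	bool use_extended_key_id;
	bool pairwise_set;	/* a PTK has been installed at least once */
	int keyidx_active;	/* Key ID the AP currently transmits with */
};

struct sta_model {
	bool honors_key_id;	/* false: "broken STA", installs every PTK at Key ID 0 */
	uint8_t key[2][PTK_LEN];
	bool key_set[2];
};

/* AP: Key ID for the next PTK. The first key uses keyidx_active as
 * initialised (0 before this patch, 1 with it); later keys go to the idle
 * slot so the old key stays usable until the STA has switched. */
static int ap_next_keyidx(const struct ap_sm *sm)
{
	if (!sm->use_extended_key_id)
		return 0;
	if (!sm->pairwise_set)
		return sm->keyidx_active;
	return sm->keyidx_active ^ 1;
}

static void ap_install_ptk(struct ap_sm *sm, int keyidx)
{
	sm->keyidx_active = keyidx;
	sm->pairwise_set = true;
}

/* STA: install the PTK from EAPOL-Key message 3/4. A compliant STA uses the
 * Key ID the AP signalled; the broken one overwrites slot 0 every time. */
static void sta_install_ptk(struct sta_model *sta, int keyidx, const uint8_t *ptk)
{
	int slot = sta->honors_key_id ? keyidx : 0;

	memcpy(sta->key[slot], ptk, PTK_LEN);
	sta->key_set[slot] = true;
}

/* Can the STA decrypt a frame the AP protected with Key ID keyidx? */
static bool sta_can_decrypt(const struct sta_model *sta, int keyidx, const uint8_t *ptk)
{
	return sta->key_set[keyidx] && memcmp(sta->key[keyidx], ptk, PTK_LEN) == 0;
}

/*
 * Initial 4-way handshake followed by n_rekeys PTK rekeys. Returns the index
 * of the handshake after which the STA can no longer decrypt AP traffic
 * (0 = initial connect, 1 = first rekey, ...), or -1 if all of them survived.
 */
int handshakes_until_failure(bool sta_honors_key_id, int initial_keyidx, int n_rekeys)
{
	struct ap_sm sm = { .use_extended_key_id = true, .keyidx_active = initial_keyidx };
	struct sta_model sta = { .honors_key_id = sta_honors_key_id };
	uint8_t ptk[PTK_LEN] = { 0 };

	for (int i = 0; i <= n_rekeys; i++) {
		int keyidx;

		ptk[0] = (uint8_t) (i + 1);	/* constructed: distinct PTK per handshake */
		keyidx = ap_next_keyidx(&sm);
		sta_install_ptk(&sta, keyidx, ptk);
		ap_install_ptk(&sm, keyidx);
		if (!sta_can_decrypt(&sta, sm.keyidx_active, ptk))
			return i;
	}
	return -1;
}

int main(void)
{
	printf("compliant STA, first key at keyid 0: failure at %d\n", handshakes_until_failure(true, 0, 3));
	printf("compliant STA, first key at keyid 1: failure at %d\n", handshakes_until_failure(true, 1, 3));
	printf("broken STA, first key at keyid 0 (before patch): failure at %d\n", handshakes_until_failure(false, 0, 3));
	printf("broken STA, first key at keyid 1 (this patch): failure at %d\n", handshakes_until_failure(false, 1, 3));
	return 0;
}
```

With the first key at keyid 0 the broken STA only breaks at the first rekey (and never breaks if the AP does not rekey, which is the "works for most users" case above); with the first key at keyid 1 it breaks at handshake 0, the initial connect, which is exactly the early failure the patch is after. A compliant STA survives either starting point.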