[PATCH/RFC] improve overlap detection and handling for P2P PBC

Hi,

I've been struggling to get my prototype P2P device to work with Samsung
Galaxy SII. The connection establishment kept failing with WPS_FAILURE and
it turned out to be due to overlap detected:

01-03 01:27:26.140 E/wpa_supplicant( 2455): WPS: Requested UUID -
hexdump(len=16): 22 21 02 03 04 05 06 07 08 09 1a 1b 1c 1d 1e 1f
01-03 01:27:26.140 D/wpa_supplicant( 2455): WPS: Consider PBC session with
06:46:65:d3:4a:54
01-03 01:27:26.140 E/wpa_supplicant( 2455): WPS: UUID-E - hexdump(len=16):
22 21 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
01-03 01:27:26.140 D/wpa_supplicant( 2455): WPS: New Enrollee
01-03 01:27:26.140 D/wpa_supplicant( 2455): WPS: 2 active PBC session(s)
found
01-03 01:27:26.140 D/wpa_supplicant( 2455): WPS: PBC overlap - deny PBC
negotiation

So Galaxy changes UUID for PBC negotiation but the thing is, it could have
been considered to be the same session because the MAC address is the same.
There is a mechanism to do so for P2P connections in wpa_supplicant but it
doesn't work because P2P MAC address is not passed over
to wps_registrar_skip_overlap(). This patch adds that and also fixes the
PBC session removal after the negotiation (the current version leaves the
session in the list if it doesn't match UUID, I suggest that we remove all
sessions for the given MAC).

Looks like tabs have been messed up here but I hope it's okay since this is
an RFC anyway. If it's fine, I'll make a respin with tabs unexpanded.

Thanks,
   Vitaly
Den 29 nov 2011 17:36 skrev "Vitaly Wool" <vitalywool@gmail.com>:

> Hi,
>
> I've been struggling to get my prototype P2P device to work with Samsung
> Galaxy SII. The connection establishment kept failing with WPS_FAILURE and
> it turned out to be due to overlap detected:
>
> 01-03 01:27:26.140 E/wpa_supplicant( 2455): WPS: Requested UUID -
> hexdump(len=16): 22 21 02 03 04 05 06 07 08 09 1a 1b 1c 1d 1e 1f
> 01-03 01:27:26.140 D/wpa_supplicant( 2455): WPS: Consider PBC session with
> 06:46:65:d3:4a:54
> 01-03 01:27:26.140 E/wpa_supplicant( 2455): WPS: UUID-E - hexdump(len=16):
> 22 21 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
> 01-03 01:27:26.140 D/wpa_supplicant( 2455): WPS: New Enrollee
> 01-03 01:27:26.140 D/wpa_supplicant( 2455): WPS: 2 active PBC session(s)
> found
> 01-03 01:27:26.140 D/wpa_supplicant( 2455): WPS: PBC overlap - deny PBC
> negotiation
>
> So Galaxy changes UUID for PBC negotiation but the thing is, it could have
> been considered to be the same session because the MAC address is the same.
> There is a mechanism to do so for P2P connections in wpa_supplicant but it
> doesn't work because P2P MAC address is not passed over
> to wps_registrar_skip_overlap(). This patch adds that and also fixes the
> PBC session removal after the negotiation (the current version leaves the
> session in the list if it doesn't match UUID, I suggest that we remove all
> sessions for the given MAC).
>
> diff --git a/src/wps/wps_registrar.c b/src/wps/wps_registrar.c
> index 4a49197..eed29e2 100644
> --- a/src/wps/wps_registrar.c
> +++ b/src/wps/wps_registrar.c
> @@ -310,13 +310,16 @@ static void wps_registrar_add_pbc_session(struct
> wps_registrar *reg,
>
>
>  static void wps_registrar_remove_pbc_session(struct wps_registrar *reg,
> -     const u8 *uuid_e)
> +     const u8 *uuid_e,
> +     const u8 *p2p_dev_addr)
>  {
>   struct wps_pbc_session *pbc, *prev = NULL, *tmp;
>
>   pbc = reg->pbc_sessions;
>   while (pbc) {
> - if (os_memcmp(pbc->uuid_e, uuid_e, WPS_UUID_LEN) == 0) {
> + if (os_memcmp(pbc->uuid_e, uuid_e, WPS_UUID_LEN) == 0 ||
> +    (!is_zero_ether_addr(reg->p2p_dev_addr) &&
> +     !os_memcmp(reg->p2p_dev_addr, p2p_dev_addr, ETH_ALEN))) {
>   if (prev)
>   prev->next = pbc->next;
>   else
> @@ -3035,7 +3038,8 @@ static enum wps_process_res
> wps_process_wsc_done(struct wps_data *wps,
>
>   if (wps->pbc) {
>   wps_registrar_remove_pbc_session(wps->wps->registrar,
> - wps->uuid_e);
> + wps->uuid_e,
> + wps->p2p_dev_addr);
>   wps_registrar_pbc_completed(wps->wps->registrar);
>   } else {
>   wps_registrar_pin_completed(wps->wps->registrar);
> diff --git a/wpa_supplicant/p2p_supplicant.c
> b/wpa_supplicant/p2p_supplicant.c
> index c6484af..1700ace 100644
> --- a/wpa_supplicant/p2p_supplicant.c
> +++ b/wpa_supplicant/p2p_supplicant.c
> @@ -689,7 +689,7 @@ static void p2p_go_configured(void *ctx, void *data)
>   }
>   if (params->wps_method == WPS_PBC)
>   wpa_supplicant_ap_wps_pbc(wpa_s, params->peer_interface_addr,
> -  NULL);
> +  params->peer_device_addr);
>   else if (wpa_s->p2p_pin[0])
>   wpa_supplicant_ap_wps_pin(wpa_s, params->peer_interface_addr,
>    wpa_s->p2p_pin, NULL, 0);
>

On Tue, Nov 29, 2011 at 05:36:26PM +0100, Vitaly Wool wrote:
> I've been struggling to get my prototype P2P device to work with Samsung
> Galaxy SII. The connection establishment kept failing with WPS_FAILURE and
> it turned out to be due to overlap detected:
> 
> 01-03 01:27:26.140 E/wpa_supplicant( 2455): WPS: Requested UUID -
> hexdump(len=16): 22 21 02 03 04 05 06 07 08 09 1a 1b 1c 1d 1e 1f
> 01-03 01:27:26.140 D/wpa_supplicant( 2455): WPS: Consider PBC session with
> 06:46:65:d3:4a:54
> 01-03 01:27:26.140 E/wpa_supplicant( 2455): WPS: UUID-E - hexdump(len=16):
> 22 21 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
> 01-03 01:27:26.140 D/wpa_supplicant( 2455): WPS: New Enrollee
> 01-03 01:27:26.140 D/wpa_supplicant( 2455): WPS: 2 active PBC session(s)
> found
> 01-03 01:27:26.140 D/wpa_supplicant( 2455): WPS: PBC overlap - deny PBC
> negotiation

Argh.. Is that the way this device works with a deployed software? That
is a known bug in that specific WPS implementation and I was hoping that
it would never get released in a real end user product.

This is so broken on multiple levels.. Those UUIDs are supposed to be
unique for each device (good luck with those hardcoded values being
unique) and only a single UUID can be used by the device, but this
device is using two different ones..

> So Galaxy changes UUID for PBC negotiation but the thing is, it could have
> been considered to be the same session because the MAC address is the same.

Well, yes, it could have, but this is so horribly broken that I would
like to just not allow it to use PBC.

> There is a mechanism to do so for P2P connections in wpa_supplicant but it
> doesn't work because P2P MAC address is not passed over
> to wps_registrar_skip_overlap(). This patch adds that and also fixes the
> PBC session removal after the negotiation (the current version leaves the
> session in the list if it doesn't match UUID, I suggest that we remove all
> sessions for the given MAC).

Could you please confirm that you are seeing this broken behavior with a
deployed end user product and there are large number of those deployed?
I don't think I would agree with all these changes since they break the
way PBC overlap detection is supposed to work. If this bad behavior
shows up in huge number of end user devices, it may be justifiable to
add a workaround for it, but I want to limit the scope of how far the
workaround goes in disabling overlap detection.

Hi Jouni,

On Tue, Nov 29, 2011 at 7:20 PM, Jouni Malinen <j@w1.fi> wrote:

> On Tue, Nov 29, 2011 at 05:36:26PM +0100, Vitaly Wool wrote:
> > I've been struggling to get my prototype P2P device to work with Samsung
> > Galaxy SII. The connection establishment kept failing with WPS_FAILURE
> and
> > it turned out to be due to overlap detected:
> >
> > 01-03 01:27:26.140 E/wpa_supplicant( 2455): WPS: Requested UUID -
> > hexdump(len=16): 22 21 02 03 04 05 06 07 08 09 1a 1b 1c 1d 1e 1f
> > 01-03 01:27:26.140 D/wpa_supplicant( 2455): WPS: Consider PBC session
> with
> > 06:46:65:d3:4a:54
> > 01-03 01:27:26.140 E/wpa_supplicant( 2455): WPS: UUID-E -
> hexdump(len=16):
> > 22 21 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
> > 01-03 01:27:26.140 D/wpa_supplicant( 2455): WPS: New Enrollee
> > 01-03 01:27:26.140 D/wpa_supplicant( 2455): WPS: 2 active PBC session(s)
> > found
> > 01-03 01:27:26.140 D/wpa_supplicant( 2455): WPS: PBC overlap - deny PBC
> > negotiation
>
> Argh.. Is that the way this device works with a deployed software? That
> is a known bug in that specific WPS implementation and I was hoping that
> it would never get released in a real end user product.
>
> This is so broken on multiple levels.. Those UUIDs are supposed to be
> unique for each device (good luck with those hardcoded values being
> unique) and only a single UUID can be used by the device, but this
> device is using two different ones..
>
> > So Galaxy changes UUID for PBC negotiation but the thing is, it could
> have
> > been considered to be the same session because the MAC address is the
> same.
>
> Well, yes, it could have, but this is so horribly broken that I would
> like to just not allow it to use PBC.
>

Right, but OTOH, if we have this overlap detection skipping mechanism is
present in wpa_supplicant, let's either use it or drop it. I'd suggest that
we used it, maybe under a configuration option of some kind, maybe
producing warning messages in logs but still.


>
> > There is a mechanism to do so for P2P connections in wpa_supplicant but
> it
> > doesn't work because P2P MAC address is not passed over
> > to wps_registrar_skip_overlap(). This patch adds that and also fixes the
> > PBC session removal after the negotiation (the current version leaves the
> > session in the list if it doesn't match UUID, I suggest that we remove
> all
> > sessions for the given MAC).
>
> Could you please confirm that you are seeing this broken behavior with a
> deployed end user product and there are large number of those deployed?
> I don't think I would agree with all these changes since they break the
> way PBC overlap detection is supposed to work. If this bad behavior
> shows up in huge number of end user devices, it may be justifiable to
> add a workaround for it, but I want to limit the scope of how far the
> workaround goes in disabling overlap detection.
>
>
This broken behavior is seen with Samsung Galaxy SII, which is one of the
top 5 smartphone bestsellers all over the world, and it's gotten all the
latest updates. I'm not 100% sure yet but it looks like LG970 has gotten
the same problem, so it's fair to say that all the Wi-Fi Direct enabled
smartphones currently widely available on the market have got this problem.

Thanks,
   Vitaly

Hi Jouni,

On Tue, Nov 29, 2011 at 10:46 PM, Vitaly Wool <vitalywool@gmail.com> wrote:

>
> This broken behavior is seen with Samsung Galaxy SII, which is one of the
> top 5 smartphone bestsellers all over the world, and it's gotten all the
> latest updates. I'm not 100% sure yet but it looks like LG970 has gotten
> the same problem, so it's fair to say that all the Wi-Fi Direct enabled
> smartphones currently widely available on the market have got this problem.
>
>
just confirming the same behavior of LG970, and thus my last statement from
the previous mail is correct. Basically it means that we need this
workaround, even though I can surely see how ugly it is.

Thanks,
   Vitaly

On Tue, Nov 29, 2011 at 05:36:26PM +0100, Vitaly Wool wrote:
> I've been struggling to get my prototype P2P device to work with Samsung
> Galaxy SII. The connection establishment kept failing with WPS_FAILURE and
> it turned out to be due to overlap detected:
> 
> 01-03 01:27:26.140 E/wpa_supplicant( 2455): WPS: Requested UUID -
> hexdump(len=16): 22 21 02 03 04 05 06 07 08 09 1a 1b 1c 1d 1e 1f
> 01-03 01:27:26.140 D/wpa_supplicant( 2455): WPS: Consider PBC session with
> 06:46:65:d3:4a:54
> 01-03 01:27:26.140 E/wpa_supplicant( 2455): WPS: UUID-E - hexdump(len=16):
> 22 21 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
> 01-03 01:27:26.140 D/wpa_supplicant( 2455): WPS: New Enrollee
> 01-03 01:27:26.140 D/wpa_supplicant( 2455): WPS: 2 active PBC session(s)
> found
> 01-03 01:27:26.140 D/wpa_supplicant( 2455): WPS: PBC overlap - deny PBC
> negotiation

Could you please confirm whether the Probe Response frames with these
two UUIDs are using the same MAC address as the sender? I've seen a case
where both the MAC address and the UUID used different values even when
they came from a single device..

Hi Jouni,

On Tue, Dec 6, 2011 at 7:10 PM, Jouni Malinen <j@w1.fi> wrote:

>
> Could you please confirm whether the Probe Response frames with these
> two UUIDs are using the same MAC address as the sender? I've seen a case
> where both the MAC address and the UUID used different values even when
> they came from a single device..
>
>
MAC addresses are the same, and P2P device address is the same as well
(though different from the MAC) and well, otherwise my patch wouldn't work.

FWIW, the patch just provides a symmetry, one can run "wps_pbc
xx:xx:xx:xx:xx:xx" from wpa_cli which will result in skipping overlap
detection, so why don't we do that for P2P?

Thanks,
   Vitaly

On Sat, Dec 10, 2011 at 12:00:21PM +0100, Vitaly Wool wrote:
> MAC addresses are the same, and P2P device address is the same as well
> (though different from the MAC) and well, otherwise my patch wouldn't work.

Thanks. I've seen a much worse case of this with the same UUID values,
but different MAC addresses..

> FWIW, the patch just provides a symmetry, one can run "wps_pbc
> xx:xx:xx:xx:xx:xx" from wpa_cli which will result in skipping overlap
> detection, so why don't we do that for P2P?

There is a long history behind this, but yes, it sounds reasonable to
allow this. I don't exactly agree with this being an "improvement" of
overlap detection, but well, that is easy to change for the commit
message ;-). I have actually looked at working around the worse case in
the past and just had to gave up there. That's why I wanted to make sure
this is a smaller subset of the issue and something that can actually be
resolved without completely disabling overlap detection.