From patchwork Wed Jul 19 04:21:04 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Derrick Pallas <pallas@meraki.com>
X-Patchwork-Id: 790738
Return-Path: 
 <hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org; spf=none (mailfrom)
	smtp.mailfrom=lists.infradead.org (client-ip=65.50.211.133;
	helo=bombadil.infradead.org;
	envelope-from=hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org; dkim=pass (2048-bit key;
	unprotected) header.d=lists.infradead.org
	header.i=@lists.infradead.org header.b="K+rYtwbO";
	dkim=fail reason="signature verification failed" (1024-bit key;
	unprotected) header.d=meraki.com header.i=@meraki.com
	header.b="ZFT2MlBT"; dkim-atps=neutral
Received: from bombadil.infradead.org (bombadil.infradead.org
	[65.50.211.133])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 3xC3lW26MFz9t16
	for <incoming@patchwork.ozlabs.org>;
	Wed, 19 Jul 2017 14:22:12 +1000 (AEST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=lists.infradead.org; s=bombadil.20170209; h=Sender:
	Content-Transfer-Encoding:Content-Type:MIME-Version:Cc:List-Subscribe:
	List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id:Message-Id:Date:
	Subject:To:From:Reply-To:Content-ID:Content-Description:Resent-Date:
	Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:
	References:List-Owner; bh=MjIVz+uk2WE8FQGofO8W1DhZ/Yl/+2FS5pjJOca6OpM=;
	b=K+r
	YtwbO8IPhC1JNXO/ZrPjyCH/Hilad6UYeiw09M/Gl+tCR7oLVqsQuc9/HQQ4BZm82U+0fPvIQRxW1
	eKio5iCv4t/T49AfQprBrzX1tqql9ZHxmu4WO9ci+qLvv8yK7ZaZadrsVKe2hZXBFjBCL2ep1duFh
	nSGWorD2/ExHlGTlFZdDUTl+MPAeWSf1BmFs67rrpSIiN7FTSxtGtUNjRajNQawGHP2ZiSkcaVkFZ
	j1t/TTqCmxl6NsQGwm8YcfScLTOU2Yvm7jqLYx5Tpmpr/L2sF+JCSYIXmqlBpKqODmenG/RzlN1+Q
	iIVy1fcc2An/Rt8v/bydJ0sAFS2Epqg==;
Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org)
	by bombadil.infradead.org with esmtp (Exim 4.87 #1 (Red Hat Linux))
	id 1dXgUY-0005Th-LP; Wed, 19 Jul 2017 04:21:42 +0000
Received: from mail-pf0-x236.google.com ([2607:f8b0:400e:c00::236])
	by bombadil.infradead.org with esmtps (Exim 4.87 #1 (Red Hat Linux))
	id 1dXgUS-0005SW-TW
	for hostap@lists.infradead.org; Wed, 19 Jul 2017 04:21:40 +0000
Received: by mail-pf0-x236.google.com with SMTP id q85so21194673pfq.1
	for <hostap@lists.infradead.org>;
	Tue, 18 Jul 2017 21:21:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=meraki.com; s=google;
	h=from:to:cc:subject:date:message-id;
	bh=yd/h5iCqNeRqX+Qoz2K+lJsGw3uXxxwsBjomeLihVcw=;
	b=ZFT2MlBTTNpzP8GvyZtQ4e1G3EDS5+/oqry87LAketUymktNWGXFjaTjl+UiIf1NB5
	GinXioC8UArUSsav+M+Wl1Ith/oid0jefZeq+xXjTaSbwR5hFOix4q9aLd+k4bp1EHJO
	AVi9uGBMsxhQerY2V9/YkUVCOxtWtDU70qn4s=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id;
	bh=yd/h5iCqNeRqX+Qoz2K+lJsGw3uXxxwsBjomeLihVcw=;
	b=TC8W1AsNAX6cKIA3pre6YJ6NuYBXn7jUN5iaX3JjHzv6OJXPSwtUPmO9a3PqpfET93
	6PCPCLrM4Js9SuBOOsIlLn6jqereuy8Io+lx1eMxbMj9jB7FQcgPeanjBEmI24GnoYYr
	Sa1ijSqXonR6qGHqLSpr2h1EeJvmnUdNeLO/Z45wMvj8RwChl+TSFW+qDPJjkUGIFq5a
	SUbslsxAi2X7eWulS+yZVXmeLUk11Agx1aakMbxhyJU4Df5M23egWJGiLJm5hTSudRPu
	U7wn9hF3/j/lO8owobW5pCU+ipLz3PjAd9jFdoOxdWZwV0dQNd9BFEoEMPNbScn8DVTJ
	Y0rg==
X-Gm-Message-State: AIVw11032dCUndCAmVhVDNZFVr3CJ6+X5wPT4KYhYNQsYqE8jsgDt490
	xVb3gm5kKK1y1fWa7lLPlg==
X-Received: by 10.101.72.207 with SMTP id o15mr1046963pgs.73.1500438074446;
	Tue, 18 Jul 2017 21:21:14 -0700 (PDT)
Received: from sf100.meraki.com (184-23-135-132.dedicated.static.sonic.net.
	[184.23.135.132]) by smtp.gmail.com with ESMTPSA id
	n9sm1880803pfh.109.2017.07.18.21.21.13
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
	Tue, 18 Jul 2017 21:21:13 -0700 (PDT)
From: Derrick Pallas <pallas@meraki.com>
To: hostap@lists.infradead.org
Subject: [PATCH 1/2] WPA: destroy PMKSA entry when clearing due to
	EAPOL-Start
Date: Tue, 18 Jul 2017 21:21:04 -0700
Message-Id: <20170719042105.21319-1-pallas@meraki.com>
X-Mailer: git-send-email 2.10.2
X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 
X-CRM114-CacheID: sfid-20170718_212137_014401_A1C969C4 
X-CRM114-Status: UNSURE (   8.54  )
X-CRM114-Notice: Please train this message.
X-Spam-Score: -2.0 (--)
X-Spam-Report: SpamAssassin version 3.4.1 on bombadil.infradead.org summary:
	Content analysis details:   (-2.0 points)
	pts rule name              description
	---- ----------------------
	--------------------------------------------------
	-0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/,
	no
	trust [2607:f8b0:400e:c00:0:0:0:236 listed in] [list.dnswl.org]
	-0.0 SPF_PASS               SPF: sender matches SPF record
	0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level
	mail domains are different
	-1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
	[score: 0.0000]
	-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
	0.1 DKIM_SIGNED            Message has a DKIM or DK signature,
	not necessarily valid
	-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
	author's domain
X-BeenThere: hostap@lists.infradead.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: <hostap.lists.infradead.org>
List-Unsubscribe: <http://lists.infradead.org/mailman/options/hostap>,
	<mailto:hostap-request@lists.infradead.org?subject=unsubscribe>
List-Archive: <http://lists.infradead.org/pipermail/hostap/>
List-Post: <mailto:hostap@lists.infradead.org>
List-Help: <mailto:hostap-request@lists.infradead.org?subject=help>
List-Subscribe: <http://lists.infradead.org/mailman/listinfo/hostap>,
	<mailto:hostap-request@lists.infradead.org?subject=subscribe>
Cc: Derrick Pallas <pallas@meraki.com>
MIME-Version: 1.0
Sender: "Hostap" <hostap-bounces@lists.infradead.org>
Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org

Specifically, we see the following interaction:

	Reassociation Request ->
	                      <- Reassociation Response
	                      <- EAPOL-Key 1/4
	        EAPOL-Key 2/4 ->
	          EAPOL-Start ->
	                      <- EAPOL-Key 3/4
	        EAPOL-Key 4/4 ->
	          EAPOL-Start ->
	                      <- EAP-Identity Request
	                      <- EAP-Identity Request
	                      <- EAP-Identity Request
	                      <- EAP-Identity Request
	                      <- EAP-Identity Request
	                      <- EAP-Identity Request
	                      <- Disassociate

By the time we process the spurious EAPOL-Start, we have already processed
2/4 and queued 3/4.  The client responds but we receive 4/4 in an invalid
state and the client refuses to respond to EAP-Identity.

We have seen clients that enter this state, eventually disassociate, but
retry only to enter this state again.  Instead, actually destroy the PMKSA
so that on the next association attempt the broken supplicant has a cleaner
slate.  A future commit will address the unnecessary EAP-Identity Requests
prior to Disassociation.

The supplicants we've seen with this bad behavior have only broken
sporadically when waking up and the core issue has been dubbed Groggy
Supplicant Syndrome.

Thanks to Jenny Lin, Abhinav Acharya, & Eric Maassmann for helping debug
this.

Signed-off-by: Derrick Pallas <pallas@meraki.com>
---
 src/ap/wpa_auth.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
index 863ae83..8110cd7 100644
--- a/src/ap/wpa_auth.c
+++ b/src/ap/wpa_auth.c
@@ -3927,6 +3927,8 @@ int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm,
 {
 	if (sm == NULL || sm->pmksa != entry)
 		return -1;
+	if (sm->wpa_auth->pmksa)
+		pmksa_cache_free_entry(sm->wpa_auth->pmksa, sm->pmksa);
 	sm->pmksa = NULL;
 	return 0;
 }