Message ID | 20190817211435.158335-18-alexander@wetzel-home.de |
---|---|
State | Superseded |
Headers | From: Alexander Wetzel <alexander@wetzel-home.de>; To: j@w1.fi; Cc: Alexander Wetzel <alexander@wetzel-home.de>, hostap@lists.infradead.org, luca@coelho.fi, johannes@sipsolutions.net; Subject: [PATCH v3 17/17] hostapd: Extended Key ID stress test; Date: Sat, 17 Aug 2019 23:14:35 +0200; Message-Id: <20190817211435.158335-18-alexander@wetzel-home.de>; In-Reply-To: <20190817211435.158335-1-alexander@wetzel-home.de>; References: <20190817211435.158335-1-alexander@wetzel-home.de>; X-Mailer: git-send-email 2.22.0 |
Series | Support seamless PTK rekeys with Extended Key ID |
diff --git a/src/ap/wpa_auth_ie.c b/src/ap/wpa_auth_ie.c index 725c76056..3207990e5 100644 --- a/src/ap/wpa_auth_ie.c +++ b/src/ap/wpa_auth_ie.c @@ -553,6 +553,7 @@ int handle_extended_key_id(struct wpa_state_machine *sm, int capabilities) return -1; } else if (!sm->use_extended_key_id) { sm->use_extended_key_id = TRUE; + sm->keyidx_active = 1; } } else { if (sm->use_extended_key_id && sm->pairwise_set) {
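Review bot: the new line `sm->keyidx_active = 1;` is set unconditionally whenever a STA first negotiates Extended Key ID, while the commit message describes starting on keyid 1 as a fail-early stress test rather than intended default AP behaviour. Gate it on a configuration value (the cover note already proposes `wpa_extended_key_id` = 2 for this) or, at minimum, add a comment above the assignment stating that the non-zero initial key index is deliberate, so a later reader does not take it for a required part of the Extended Key ID handshake. The commit message should also say where `keyidx_active` is reset for a STA that reassociates without the capability: the hunk only assigns it inside the `else if (!sm->use_extended_key_id)` transition branch and shows no matching reset, so a reviewer cannot confirm from the visible lines that the field cannot carry over.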
Change the default keyid to 1 for the first key install when using Extended Key ID. This is so far only a fail-early to highlight compatibility problems for the hostapd tests and in real environments: Instead of connection problems after the first rekey the initial connect will not work.

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>

---

For now this has mainly two functions:

1) Guarantees that Extended Key ID can really be used at the initial connect. Many potential issues are linked to keyid 1 for the unicast key, so make sure this happens as soon as possible.
2) The existing tests will find many of these issues, even when not rekeying the connection.

I have some plans to extend that later: By e.g. starting an EAPOL group handshake directly after the connect we can verify keyid 1 transport to be really working. If that times out hostapd could install the key also for keyid 0, disabling Extended Key ID support and allowing the broken STA to still connect to the AP.

This is mostly due to the fact that one of my devices (Samsung Galaxy Tab S3) set the "Extended Key ID" capability flag when connecting to my patched AP. The AP therefore assumes the device can handle it. But when the AP switches the PTK to keyid 1 the device loses the connection. It looks like the device is just copying the capability (bit) from the AP. Chances are this affects more Samsung devices...

Now I'm not sure if we really want to deploy such a workaround. It's probably hard to get rid of and just getting the broken devices fixed may be the better solution. Of course this workaround would be optional. I think we could set wpa_extended_key_id to 2 by default and allow the user to disable the workaround by setting it to 1.

Another option would be to simply drop the patch. After all PTK rekeying is - based on all devices I could get my hands on - mostly broken. The chance to have an AP and a STA able to rekey really correctly under load is as of today really bad. (Maybe 20% success?) Therefore it looks like rekey is not used very often, and when we start with keyid 0 and never rekey it will also work for most users. On the other hand I prefer a clean failure to something working on the brink of failure. So this patch series tries to make sure it fails as soon as possible.

 src/ap/wpa_auth_ie.c | 1 +
 1 file changed, 1 insertion(+)