From patchwork Fri Jun 24 21:05:52 2022
X-Patchwork-Submitter: James Prestwood
X-Patchwork-Id: 1648176
From: James Prestwood
To: hostap@lists.infradead.org
Cc: James Prestwood
Subject: [PATCH] fils: set sm->pairwise_set after setting TK to driver
Date: Fri, 24 Jun 2022 14:05:52 -0700
Message-Id: <20220624210552.1890987-1-prestwoj@gmail.com>

After FILS completed there was no path to setting sm->pairwise_set since the 4-way handshake is not done for FILS. This posed a problem on rekeys because the EAPoL frames would be sent without transport encryption. Since there is in fact a PMK set in the driver all frames should be sent with transport encryption even for a rekey.

This patch sets sm->pairwise_set true after the TK is set into the driver after FILS completes which allows a future rekey to use encryption.

--- src/ap/wpa_auth.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c index 6d60f2629..6942764de 100644 --- a/src/ap/wpa_auth.c +++ b/src/ap/wpa_auth.c @@ -2869,6 +2869,7 @@ int fils_set_tk(struct wpa_state_machine *sm) return -1; } sm->tk_already_set = true; + sm->pairwise_set = true; wpa_auth_store_ptksa(sm->wpa_auth, sm->addr, sm->pairwise, dot11RSNAConfigPMKLifetime, &sm->PTK);
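
Review bot: The added `sm->pairwise_set = true;` in fils_set_tk() carries no comment saying why the flag is set here, and the commit message speaks of a "PMK set in the driver" while this function installs the TK. Suggest a short comment above the new line noting that FILS skips the 4-way handshake, so per the commit message this is the path on which the flag must be set for rekey EAPOL frames to be encrypted, and rewording the commit message to match the code. Placing the assignment after the error return is right, since the flag then only becomes true once the key is installed; it is also worth confirming that the paths which remove the pairwise key clear pairwise_set again, so the flag never indicates encryption is available when no TK is in the driver.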