FT: Do not check for WLAN_STA_AUTHORIZED for FT over-the-DS

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

When hostapd 2.7 is configured for FT over-the-DS mode, performing an
FT roam back to a previously-connected AP gives the following error in
hostapd:

nl80211: NL80211_CMD_SET_STATION result: -22 (Invalid argument)
wlan01: STA 06:05:04:03:02:01 IEEE 802.11: Could not set STA to kernel driver

This results in hostapd refusing the reassociation request with code
17 (Association denied because AP is unable to handle additional
associated stations).  The kernel driver in this case is the ath10k
(4.19).

In add_associated_sta() in ieee802_11.c, there is a conditional that
resets the wpa sm (required for FT over-the-DS mode as there is no
authentication frame to reset the wpa sm), but only if the STA is not
authorized.  The STA is not authorized when performing an FT roam to a
new AP, but it is authorized when roaming back to a
previously-connected AP.  Therefore, any FT over-the-DS roams to new
APs will work correctly, and FT over-the-DS roams to
previously-connected (authorized) APs will fail.

The patch below appears to fix this issue, validated after performing
several thousand FT over-the-air and over-the-DS roams with our
automated test bed.  However, I am hesitant to submit it in this form
as it may affect FILS (which we are not currently using) or possibly
KRACK:

diff -Naur orig/hostap_2_7/src/ap/ieee802_11.c
new/hostap_2_7/src/ap/ieee802_11.c
--- orig/hostap_2_7/src/ap/ieee802_11.c 2018-12-02 12:34:59.000000000 -0700
+++ new/hostap_2_7/src/ap/ieee802_11.c 2018-12-28 23:41:00.394507047 -0700
@@ -2808,10 +2808,11 @@
   * TK has been configured since the TX/RX PN must not be reset to 0 for
   * the same key.
   */
- if (!sta->added_unassoc &&
-     (!(sta->flags & WLAN_STA_AUTHORIZED) ||
+
+        /* do not check for WLAN_STA_AUTHORIZED for FT-over-the-DS */
+ if (!sta->added_unassoc ||
       (!wpa_auth_sta_ft_tk_already_set(sta->wpa_sm) &&
-       !wpa_auth_sta_fils_tk_already_set(sta->wpa_sm)))) {
+       !wpa_auth_sta_fils_tk_already_set(sta->wpa_sm))) {
  hostapd_drv_sta_remove(hapd, sta->addr);
  wpa_auth_sm_event(sta->wpa_sm, WPA_DRV_STA_REMOVED);
  set = 0;

Not sure if FT roaming to a previous AP is included in the unit tests.
If not, it might be a good idea to add it.

Best regards,

Dennis Bland

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
[Index of Archives]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Samba]     [Device Mapper]

  Powered by Linux