This patch series was previously called "Support seamless PTK rekeys with Extended Key ID" and is addressing issues in the v8 version but is now also fundamentally changing PTK rekeying without Extended Key ID. I originally planned to submit that as a stand alone patch series but there are some interactions between the two where it's useful to see how they are envisioned to act together. So the PTK0 rekey handling is now just tagged to the beginning of the series. The Extended Key ID patches build on top of it and together should finally address PTK rekeying in the best way possible: We refuse to rekey a PTK and enforce a reconnect when asked to do so when not using Extended Key ID. This is still problematic, especially for AP mode where we can't control how fast the reconnect will be. And knowing that there is next to no chance Extended Key ID can be used... Unfortunately it seems to be the only way to handle all the broken drivers not able to rekey out in the wild. And with the knowledge that at least one card/driver is compromising the security (ath9k with mac80211 from any kernel < 4.20) it looks like we'll be better off to only rekey when we are either sure it's safe or the user is explicit instructing us to do so. The assumption is now, that PTK rekeying is hardly done and there are even fewer setups where this is really working as it should. The most likely users rekeying the PTK are the ones running one of the WPA-EAP modes, which at least in some cases (e.g. hostapd and also some Cisco concentrators) reauthenticate by default every hour. The other big - but still minor compared to the point above - change in v9 of the series is the already discussed "fix" for the proposed key_type API to a solution based on flags. The series also assume that the ap_rsn_ie variable is no longer cleared during the connection handshakes for OWE, e.g. by applying the patch wpa_supplicant: Don't incorrectly clear ie scan data or the more aggressive variant wpa_supplicant: Correct IE validation when beacons don't have any Without that some OWE connection will fail when both ends agree to use Extended Key ID. Patch version 9: - By default refuse to rekey PTKs without Extended Key ID, enforcing a reconnect but allow the user to control the bahavior - Replace the problematic key_flag API with a more flexible and correct key_flag API - proper integration of PTK rekey handling - handle_extended_key_id() for wpa_supplicant no longer needs the rsn_ie as an argument and uses the ap_rsn_ie instead. - take over wpa_extended_key_id setting when starting an AP from wpa_supplicant. - OSEN/HS20 Extended Key ID support preparations have been removed. They seems to be incompatible to each other. - added proper config variable checks - Updated documentation (config files and in the code) - Some minor tweaks to nl80211 key install handling and logging - Rekey timer now starts after installing the pairwise key for RX (not when we set it for RX/TX) - simplified the Extended Key ID detection and handling in the tests - merged and reordered some patches and chunks - rebased to ecd54bace - updated commit subjects and logs Patch version 8: - Dropped the first two (already merged) patches - Rebased to cf28cfc12 and updated commit descriptions - Incorporated changes discussed so far - Moved the "drop set_tx" patch to a more logical place - Included a minor fix for wlantest (non-zero keyID check) Patch version 7 (aka v6a): - Improved TKIP detection (nicer logs and better logic) - Also use config checks for Extended Key ID activation, not only runtime - Simplify runtime checks due to the now existing config checks - Fixes some key_type for both hostap and wpa_supplicant - nl80211 now denies to install a pairwise key with the KEY_TYPE_DEFAULT set and has other minor cleanups - Fixes the bitmask for pairwise keys for consistency (no real effect) - Rewords some log messages Patch version 6: - Added the "missing" patch number 1. Should have been part of V3 but somehow it never got exported from my local tree... - Reverted the incorrect fix for max keyid in the patch "wpa_supplicant: AP Extended Key ID support" - Moved code disabling Extended Key ID for tkip to a better location in patch "hostapd: Add support for Extended Key ID" - Tweaked Extended Key ID configuration handling in "hostapd: Add support for Extended Key ID": It's now automatically disabled - Some minor tweaks to comments and output and a bit more invasive rewording of commit messages Patch version 5: - undo incorrect conversion from "int key_type" to "enum key_type key_type" (this is also an independent variable) - fixed multiple broken "enum key_type" which must be "enum key_type key_type" - undo pointless variable move in "wpa_supplicant: FILS Extended Key ID support" which did break build tests. - again minor fixes to commit messages Patch version 4: - Fixed sequence number key queries (undo invalid switch to new API names.) - get rid of some forgotten "int key_flag" references and switched them over to the correct "enum key_flag key_flag" - Dropped the workaround patch enabling FILS and FT key installs with current released kernels (API is being updated upstream) - removed some stray newlines - reworded Extended Key ID description in wpa_supplicant.conf - minor updates to commit messages - Overhauled and updated commit remarks (nothing critical) Patch version 3: - use key_type (enum) instead of key_flag (bit array) - migrate set_tx to the new key_type API and clean up related workarounds and bugs. - also support Extended Key ID for OSEN, FT and FILS - wpa_supplicant is now checking RSN capabilities instead of the presence of the KeyID KDE to enable Extended Key ID support to follow the wording of the standard - detect and prevent dropping or adding Extended Key ID support on rekey. (Initial connection decides if we can use it.) - Don't use Extended Key ID for TKIP. (Not allowed in the standard.) - also flip KeyIDs for WPA_REAUTH and WPA_REAUTH_EAPOL - fixed many "test-only" bugs (both tests and test only code) - split fixes and extensions in different patches - dropped "GET drv_flags" and handle it differently - better description of the patches Patch version 2: - typo fix in commit message Patch version 1: Initial release Alexander Wetzel (16): nl80211: Add support for CAN_REPLACE_PTK0 AP: Address PTK rekey issues wpa_supplicant: Address PTK rekey issues tests: Allow PTK0 rekey for tests Introduce and add key_flag nl80211: Migrate from set_tx to key_flag API nl80211,wpa_supplicant: Drop outdated tdls hack drivers: Migrate drivers from set_tx to key_flag API Drop set_tx from all set_key() functions AP: Support Extended Key ID wpa_supplicant: Support Extended Key ID tests: Extended Key ID tests AP: FILS Extended Key ID support wpa_supplicant: FILS Extended Key ID support nl80211: Extended Key ID support AP: Let PTK keys default to keyid 1 when supported hostapd/config_file.c | 18 ++ hostapd/ctrl_iface.c | 72 ++++---- hostapd/hostapd.conf | 43 +++++ src/ap/ap_config.c | 11 ++ src/ap/ap_config.h | 2 + src/ap/ap_drv_ops.c | 9 +- src/ap/ap_drv_ops.h | 5 +- src/ap/hostapd.c | 18 +- src/ap/ieee802_11.c | 7 +- src/ap/ieee802_1x.c | 14 +- src/ap/wpa_auth.c | 119 ++++++++++--- src/ap/wpa_auth.h | 5 +- src/ap/wpa_auth_ft.c | 12 +- src/ap/wpa_auth_glue.c | 40 ++++- src/ap/wpa_auth_i.h | 3 + src/ap/wpa_auth_ie.c | 55 +++++- src/common/defs.h | 28 +++ src/common/wpa_common.c | 9 + src/common/wpa_common.h | 2 + src/drivers/driver.h | 59 ++++++- src/drivers/driver_atheros.c | 10 +- src/drivers/driver_bsd.c | 13 +- src/drivers/driver_hostap.c | 9 +- src/drivers/driver_ndis.c | 27 +-- src/drivers/driver_nl80211.c | 107 ++++++------ src/drivers/driver_nl80211_capa.c | 8 + src/drivers/driver_openbsd.c | 5 +- src/drivers/driver_privsep.c | 12 +- src/drivers/driver_wext.c | 26 +-- src/drivers/driver_wext.h | 4 +- src/eapol_supp/eapol_supp_sm.c | 15 ++ src/eapol_supp/eapol_supp_sm.h | 8 + src/rsn_supp/tdls.c | 7 +- src/rsn_supp/wpa.c | 168 ++++++++++++++++-- src/rsn_supp/wpa.h | 23 ++- src/rsn_supp/wpa_ft.c | 17 +- src/rsn_supp/wpa_i.h | 19 ++- src/rsn_supp/wpa_ie.c | 3 + tests/hwsim/hostapd.py | 19 ++- tests/hwsim/multi-bss-iface-per_sta_vif.conf | 2 + tests/hwsim/multi-bss-iface.conf | 2 + tests/hwsim/test_ap_ciphers.py | 13 +- tests/hwsim/test_ap_eap.py | 66 +++++++- tests/hwsim/test_ap_ft.py | 1 + tests/hwsim/test_ap_pmf.py | 1 + tests/hwsim/test_ap_psk.py | 169 ++++++++++++++++++- tests/hwsim/test_ocv.py | 13 +- tests/hwsim/test_rrm.py | 7 +- tests/hwsim/wpasupplicant.py | 6 +- wlantest/bss.c | 4 +- wlantest/rx_data.c | 6 +- wlantest/rx_eapol.c | 4 + wpa_supplicant/ap.c | 2 + wpa_supplicant/config.c | 4 + wpa_supplicant/config_file.c | 2 + wpa_supplicant/config_ssid.h | 21 +++ wpa_supplicant/ctrl_iface.c | 37 ++-- wpa_supplicant/driver_i.h | 18 +- wpa_supplicant/events.c | 16 +- wpa_supplicant/ibss_rsn.c | 28 +-- wpa_supplicant/mesh_mpm.c | 15 +- wpa_supplicant/mesh_rsn.c | 14 +- wpa_supplicant/notify.c | 11 ++ wpa_supplicant/notify.h | 1 + wpa_supplicant/preauth_test.c | 2 +- wpa_supplicant/wpa_cli.c | 5 +- wpa_supplicant/wpa_supplicant.c | 71 +++++++- wpa_supplicant/wpa_supplicant.conf | 31 ++++ wpa_supplicant/wpa_supplicant_i.h | 3 + wpa_supplicant/wpas_glue.c | 42 +++-- 70 files changed, 1331 insertions(+), 317 deletions(-) -- 2.24.1 _______________________________________________ Hostap mailing list Hostap@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/hostap
