- Refuse PTK0 rekey directly at EAPOL#1
- Add wpa_deny_ptk0_rekey to AP get_config() output when needed
- updated AP and wpa_supplicant config file comments.
Signed-off-by: Alexander Wetzel <alexander@xxxxxxxxxxxxxx>
---
This are some fixes I've in my local tree on top of what you just have merged. Of course the config file text updates are not really relevant but I tried to tune down the overly complex initial version and want to present these now as an alternative. I've also added the chunks with CONFIG_NO_SCAN_PROCESSING to learn why we can drop those chunks. How is the fast reconnect working with CONFIG_NO_SCAN_PROCESSING enabled and wpa_supplicant_connect() not compiled in? Just curious...
Alexander
hostapd/ctrl_iface.c | 8 ++++++++
hostapd/hostapd.conf | 22 ++++------------------
src/rsn_supp/wpa.c | 7 +++++++
wpa_supplicant/events.c | 6 ++++--
wpa_supplicant/wpa_supplicant.conf | 24 +++++-------------------
5 files changed, 28 insertions(+), 39 deletions(-)
diff --git a/hostapd/ctrl_iface.c b/hostapd/ctrl_iface.c
index a1e4abd3c..81a655918 100644
--- a/hostapd/ctrl_iface.c
+++ b/hostapd/ctrl_iface.c
@@ -1254,6 +1254,14 @@ static int hostapd_ctrl_iface_get_config(struct hostapd_data *hapd,
 pos += ret;
 }
 
+ if (hapd->conf->wpa && hapd->conf->wpa_deny_ptk0_rekey) {
+ ret = os_snprintf(pos, end - pos, "wpa_deny_ptk0_rekey=%d\n",
+ hapd->conf->wpa_deny_ptk0_rekey);
+ if (os_snprintf_error(end - pos, ret))
+ return pos - buf;
+ pos += ret;
+ }
+
 if ((hapd->conf->wpa & WPA_PROTO_RSN) && hapd->conf->rsn_pairwise) {
 ret = os_snprintf(pos, end - pos, "rsn_pairwise_cipher=");
 if (os_snprintf_error(end - pos, ret))
diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
index 0f8461d49..bc5d1a7f6 100644
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
@@ -1618,24 +1618,10 @@ own_ip_addr=127.0.0.1
 
 # Workaround for PTK rekey issues
 #
-# Rekeying the PTK without using "Extended Key ID for Individually Addressed
-# Frames" (two different Key ID values for pairwise keys) can, depending on the
-# used cards/drivers, impact the security and stability of connections. Both
-# ends can accidentally trick one end to drop all packets send by it until the
-# connection is torn down or rekeyed again. Additionally, some drivers may
-# skip/break the encryption for the time window the key is updated (normally a
-# few milliseconds).
-#
-# To avoid such issues, hostapd can now replace all PTK rekeys using only keyid
-# 0 (PTK0 rekeys) with disconnection that forces the remote stations to
-# reconnect instead.
-#
-# EAP reauthentication depends on replacing the PTK and is therefore just
-# another way to rekey the PTK and is affected by this parameter, too.
-#
-# "Extended Key ID for Individually Addressed Frames" is avoiding the issues
-# using two separate keys and this parameter will be ignored when using it
-# (i.e., PTK rekeying is allowed regardless of this parameter value).
+# PTK0 rekeys (rekeying the PTK without "Extended Key ID for Individually
+# Addressed Frames") can degrade the security and stability with some cards.
+# To avoid such issues hostapd can replace those PTK rekeys (including EAP
+# reauthentications) with disconnects.
 #
 # Available options:
 # 0 = always rekey when configured/instructed (default)
diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
index 263e2108a..18717e637 100644
--- a/src/rsn_supp/wpa.c
+++ b/src/rsn_supp/wpa.c
@@ -625,6 +625,13 @@ static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm,
 "found (msg 1 of 4)");
 return;
 }
+ if (sm->wpa_deny_ptk0_rekey &&
+ wpa_sm_get_state(sm) == WPA_COMPLETED) {
+ wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
+ "WPA: PTK0 rekey not allowed, reconnecting");
+ wpa_sm_reconnect(sm);
+ return;
+ }
 if (sm->wpa_deny_ptk0_rekey &&
 wpa_sm_get_state(sm) == WPA_COMPLETED) {
 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c
index 2851ffc81..045f83381 100644
--- a/wpa_supplicant/events.c
+++ b/wpa_supplicant/events.c
@@ -3316,15 +3316,16 @@ static void wpa_supplicant_event_disassoc_finish(struct wpa_supplicant *wpa_s,
 fast_reconnect->ssid_len) &&
 !wpas_temp_disabled(wpa_s, fast_reconnect_ssid) &&
 !wpa_is_bss_tmp_disallowed(wpa_s, fast_reconnect)) {
-#ifndef CONFIG_NO_SCAN_PROCESSING
 wpa_dbg(wpa_s, MSG_DEBUG, "Try to reconnect to the same BSS");
 if (wpa_supplicant_connect(wpa_s, fast_reconnect,
 fast_reconnect_ssid) < 0) {
+#ifndef CONFIG_NO_SCAN_PROCESSING
 /* Recover through full scan */
 wpa_supplicant_req_scan(wpa_s, 0, 100000);
- }
 #endif /* CONFIG_NO_SCAN_PROCESSING */
+ }
 } else if (fast_reconnect) {
+#ifndef CONFIG_NO_SCAN_PROCESSING
 /*
 * Could not reconnect to the same BSS due to network being
 * disabled. Use a new scan to match the alternative behavior
@@ -3332,6 +3333,7 @@ static void wpa_supplicant_event_disassoc_finish(struct wpa_supplicant *wpa_s,
 * way that enforces disabled network rules.
 */
 wpa_supplicant_req_scan(wpa_s, 0, 100000);
+#endif /* CONFIG_NO_SCAN_PROCESSING */
 }
 }
 
diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
index 15121c386..7b5f33cbb 100644
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
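Review bot: The block added at the top of this hunk is identical to the one that immediately follows it in the context lines (`if (sm->wpa_deny_ptk0_rekey && wpa_sm_get_state(sm) == WPA_COMPLETED)` ... `wpa_sm_reconnect(sm); return;`), so as shown the function would carry the same guard twice back to back and the second copy can never run. If the goal is to refuse the PTK0 rekey before any further processing of message 1/4, the existing block should be removed in the same patch rather than duplicated; the 7-insertion/0-deletion diffstat for src/rsn_supp/wpa.c suggests this may be a stale diff against the already-merged tree, so please regenerate it. Separately, the configuration text this series removes stated that the parameter is ignored when Extended Key ID is in use, and nothing visible in this hunk consults that state before forcing a reconnect; it is worth confirming that such an association cannot end up in a reconnect loop. wpa_supplicant_process_1_of_4() starts and ends outside this hunk.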
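Review bot: Moving `#ifndef CONFIG_NO_SCAN_PROCESSING` below the `wpa_supplicant_connect()` call means that call is now compiled even when CONFIG_NO_SCAN_PROCESSING is defined; if that function is itself only built without CONFIG_NO_SCAN_PROCESSING, as the cover letter's own question suggests, this turns into a link error in that configuration, so that needs to be verified before the guard is moved. In that build the hunk also leaves the `if (wpa_supplicant_connect(...) < 0) { }` body empty, silently dropping a failed reconnect; either restore the original guard placement or document the intent with a comment such as `/* No scan-based recovery in this build; a failed reconnect is left as is */` inside the `#else` branch. The same guard change is continued by the `+#endif` in the following hunk of this file. wpa_supplicant_event_disassoc_finish() starts outside this hunk.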
@@ -1101,25 +1101,11 @@ fast_reauth=1
 # wpa_ptk_rekey: Maximum lifetime for PTK in seconds. This can be used to
 # enforce rekeying of PTK to mitigate some attacks against TKIP deficiencies.
 #
-# wpa_deny_ptk0_rekey: Control PTK0 rekeying
-#
-# Rekeying the PTK without using "Extended Key ID for Individually Addressed
-# Frames" (two different Key ID values for pairwise keys) can, depending on the
-# used cards/drivers, impact the security and stability of connections. Both
-# ends can accidentally trick one end to drop all packets send by it until the
-# connection is torn down or rekeyed again. Additionally, some drivers may
-# skip/break the encryption for the time window the key is updated (normally a
-# few milliseconds).
-#
-# To avoid such issues, wpa_supplicant can now replace all PTK rekeys using only
-# keyid 0 (PTK0 rekeys) with fast reconnects.
-#
-# EAP reauthentication depends on replacing the PTK and is therefore just
-# another way to rekey the PTK and is affected by the parameter, too.
-#
-# "Extended Key ID for Individually Addressed Frames" is avoiding the issues
-# using two separate keys and this parameter will be ignored when using it
-# (i.e., PTK rekeying is allowed regardless of this parameter value).
+# wpa_deny_ptk0_rekey: Workaround for PTK rekey issues
+# PTK0 rekeys (using only one Key ID value for pairwise keys) can degrade the
+# security and stability with some cards.
+# To avoid the issues wpa_supplicant can replace those PTK rekeys (including Eap
+# reauthentications) with fast reconnects.)
 #
 # Available options:
 # 0 = always rekey when configured/instructed (default)
-- 
2.25.1
_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap