[PATCH 1/2] Minor PTK0 Rekey updates

 - Refuse PTK0 rekey directly at EAPOL#1
 - Add wpa_deny_ptk0_rekey to AP get_config() output when needed
 - Updated AP and wpa_supplicant config file comments.

Signed-off-by: Alexander Wetzel <alexander@xxxxxxxxxxxxxx>
---

These are some fixes I have in my local tree on top of what you just
merged.

Of course the config file text updates are not really relevant, but I
tried to tone down the overly complex initial version and want to
present these now as an alternative.

I've also added the chunks with CONFIG_NO_SCAN_PROCESSING to learn why
we can drop those chunks. How does the fast reconnect work with
CONFIG_NO_SCAN_PROCESSING enabled and wpa_supplicant_connect() not
compiled in? Just curious...

Alexander

 hostapd/ctrl_iface.c               |  8 ++++++++
 hostapd/hostapd.conf               | 22 ++++------------------
 src/rsn_supp/wpa.c                 |  7 +++++++
 wpa_supplicant/events.c            |  6 ++++--
 wpa_supplicant/wpa_supplicant.conf | 24 +++++-------------------
 5 files changed, 28 insertions(+), 39 deletions(-)

diff --git a/hostapd/ctrl_iface.c b/hostapd/ctrl_iface.c
index a1e4abd3c..81a655918 100644
--- a/hostapd/ctrl_iface.c
+++ b/hostapd/ctrl_iface.c
@@ -1254,6 +1254,14 @@ static int hostapd_ctrl_iface_get_config(struct hostapd_data *hapd,
 		pos += ret;
 	}
 
+	if (hapd->conf->wpa && hapd->conf->wpa_deny_ptk0_rekey) {
+		ret = os_snprintf(pos, end - pos, "wpa_deny_ptk0_rekey=%d\n",
+				  hapd->conf->wpa_deny_ptk0_rekey);
+		if (os_snprintf_error(end - pos, ret))
+			return pos - buf;
+		pos += ret;
+	}
+
 	if ((hapd->conf->wpa & WPA_PROTO_RSN) && hapd->conf->rsn_pairwise) {
 		ret = os_snprintf(pos, end - pos, "rsn_pairwise_cipher=");
 		if (os_snprintf_error(end - pos, ret))
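Review bot: the new wpa_deny_ptk0_rekey line is only emitted when the value is non-zero (`hapd->conf->wpa && hapd->conf->wpa_deny_ptk0_rekey`), so a GET_CONFIG consumer cannot distinguish "explicitly 0" from "not reported". That mirrors how the neighbouring optional fields are printed, so it is acceptable, but if the intent is to always expose the effective setting whenever WPA is enabled, drop the second half of the condition and print the value unconditionally; either way, say in the commit message which of the two behaviours is intended.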
diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
index 0f8461d49..bc5d1a7f6 100644
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
@@ -1618,24 +1618,10 @@ own_ip_addr=127.0.0.1
 
 # Workaround for PTK rekey issues
 #
-# Rekeying the PTK without using "Extended Key ID for Individually Addressed
-# Frames" (two different Key ID values for pairwise keys) can, depending on the
-# used cards/drivers, impact the security and stability of connections. Both
-# ends can accidentally trick one end to drop all packets send by it until the
-# connection is torn down or rekeyed again. Additionally, some drivers may
-# skip/break the encryption for the time window the key is updated (normally a
-# few milliseconds).
-#
-# To avoid such issues, hostapd can now replace all PTK rekeys using only keyid
-# 0 (PTK0 rekeys) with disconnection that forces the remote stations to
-# reconnect instead.
-#
-# EAP reauthentication depends on replacing the PTK and is therefore just
-# another way to rekey the PTK and is affected by this parameter, too.
-#
-# "Extended Key ID for Individually Addressed Frames" is avoiding the issues
-# using two separate keys and this parameter will be ignored when using it
-# (i.e., PTK rekeying is allowed regardless of this parameter value).
+# PTK0 rekeys (rekeying the PTK without "Extended Key ID for Individually
+# Addressed Frames") can degrade the security and stability with some cards.
+# To avoid such issues hostapd can replace those PTK rekeys (including EAP
+# reauthentications) with disconnects.
 #
 # Available options:
 # 0 = always rekey when configured/instructed (default)
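Review bot: the shortened comment loses the one operational fact an administrator needs, namely that the parameter is ignored when "Extended Key ID for Individually Addressed Frames" is negotiated (the removed lines "this parameter will be ignored when using it (i.e., PTK rekeying is allowed regardless of this parameter value)"). Without it a reader of the new text cannot predict whether enabling the option will force disconnects on a given station. Keep one line for it after the new paragraph, e.g. "# The parameter is ignored when Extended Key ID is in use (PTK rekeys are then allowed)."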
diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
index 263e2108a..18717e637 100644
--- a/src/rsn_supp/wpa.c
+++ b/src/rsn_supp/wpa.c
@@ -625,6 +625,13 @@ static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm,
 			"found (msg 1 of 4)");
 		return;
 	}
+	if (sm->wpa_deny_ptk0_rekey &&
+	    wpa_sm_get_state(sm) == WPA_COMPLETED) {
+		wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
+			"WPA: PTK0 rekey not allowed, reconnecting");
+		wpa_sm_reconnect(sm);
+		return;
+	}
 
 	if (sm->wpa_deny_ptk0_rekey && wpa_sm_get_state(sm) == WPA_COMPLETED) {
 		wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
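Review bot: the added block tests exactly the same condition as the check that already follows it in the trailing context (`if (sm->wpa_deny_ptk0_rekey && wpa_sm_get_state(sm) == WPA_COMPLETED) {`), so after this patch the state is evaluated twice in a row and the second check is unreachable whenever the first one fires. If the goal from the commit message ("Refuse PTK0 rekey directly at EAPOL#1") is to reject the rekey before any further processing of msg 1/4, the existing check should be removed in this same hunk; otherwise the addition should be dropped. As posted, the hunk leaves dead code and two reconnect paths to maintain.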
diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c
index 2851ffc81..045f83381 100644
--- a/wpa_supplicant/events.c
+++ b/wpa_supplicant/events.c
@@ -3316,15 +3316,16 @@ static void wpa_supplicant_event_disassoc_finish(struct wpa_supplicant *wpa_s,
 			     fast_reconnect->ssid_len) &&
 	    !wpas_temp_disabled(wpa_s, fast_reconnect_ssid) &&
 	    !wpa_is_bss_tmp_disallowed(wpa_s, fast_reconnect)) {
-#ifndef CONFIG_NO_SCAN_PROCESSING
 		wpa_dbg(wpa_s, MSG_DEBUG, "Try to reconnect to the same BSS");
 		if (wpa_supplicant_connect(wpa_s, fast_reconnect,
 					   fast_reconnect_ssid) < 0) {
+#ifndef CONFIG_NO_SCAN_PROCESSING
 			/* Recover through full scan */
 			wpa_supplicant_req_scan(wpa_s, 0, 100000);
-		}
 #endif /* CONFIG_NO_SCAN_PROCESSING */
+		}
 	} else if (fast_reconnect) {
+#ifndef CONFIG_NO_SCAN_PROCESSING
 		/*
 		 * Could not reconnect to the same BSS due to network being
 		 * disabled. Use a new scan to match the alternative behavior
@@ -3332,6 +3333,7 @@ static void wpa_supplicant_event_disassoc_finish(struct wpa_supplicant *wpa_s,
 		 * way that enforces disabled network rules.
 		 */
 		wpa_supplicant_req_scan(wpa_s, 0, 100000);
+#endif /* CONFIG_NO_SCAN_PROCESSING */
 	}
 }
 
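Review bot: wrapping the comment and the wpa_supplicant_req_scan() call in `#ifndef CONFIG_NO_SCAN_PROCESSING` leaves `else if (fast_reconnect) {` as an empty branch in that build, so the "network disabled" case silently does nothing. Before adding this guard, verify that wpa_supplicant_req_scan() is actually unavailable under CONFIG_NO_SCAN_PROCESSING; if it is available, the guard only removes the scan fallback without a stated reason. If the guard is needed, add a wpa_dbg() line in the excluded path so the absence of a reconnect attempt is logged rather than silent.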
diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
index 15121c386..7b5f33cbb 100644
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -1101,25 +1101,11 @@ fast_reauth=1
 # wpa_ptk_rekey: Maximum lifetime for PTK in seconds. This can be used to
 # enforce rekeying of PTK to mitigate some attacks against TKIP deficiencies.
 #
-# wpa_deny_ptk0_rekey: Control PTK0 rekeying
-#
-# Rekeying the PTK without using "Extended Key ID for Individually Addressed
-# Frames" (two different Key ID values for pairwise keys) can, depending on the
-# used cards/drivers, impact the security and stability of connections. Both
-# ends can accidentally trick one end to drop all packets send by it until the
-# connection is torn down or rekeyed again. Additionally, some drivers may
-# skip/break the encryption for the time window the key is updated (normally a
-# few milliseconds).
-#
-# To avoid such issues, wpa_supplicant can now replace all PTK rekeys using only
-# keyid 0 (PTK0 rekeys) with fast reconnects.
-#
-# EAP reauthentication depends on replacing the PTK and is therefore just
-# another way to rekey the PTK and is affected by the parameter, too.
-#
-# "Extended Key ID for Individually Addressed Frames" is avoiding the issues
-# using two separate keys and this parameter will be ignored when using it
-# (i.e., PTK rekeying is allowed regardless of this parameter value).
+# wpa_deny_ptk0_rekey: Workaround for PTK rekey issues
+# PTK0 rekeys (using only one Key ID value for pairwise keys) can degrade the
+# security and stability with some cards.
+# To avoid the issues wpa_supplicant can replace those PTK rekeys (including Eap
+# reauthentications) with fast reconnects.)
 #
 # Available options:
 # 0 = always rekey when configured/instructed (default)
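Review bot: the line "# reauthentications) with fast reconnects.)" ends with a stray closing parenthesis, and "Eap" on the line before it should be "EAP" to match the rest of the file. As with the hostapd.conf hunk, the rewrite also drops the statement that the parameter is ignored when Extended Key ID is negotiated; keep one line stating that, since it decides whether enabling the option will trigger reconnects at all.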
-- 
2.25.1


_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
