git.ipfire.org Git - thirdparty/hostap.git/commit

author	Jouni Malinen <jouni.malinen@atheros.com>
	Tue, 29 Mar 2011 14:39:12 +0000 (17:39 +0300)
committer	Jouni Malinen <j@w1.fi>
	Tue, 29 Mar 2011 14:39:12 +0000 (17:39 +0300)
commit	e4bf4db907a8a2d0496d1a184f2574c7f7f1f7f1
tree	93a3090a4f7dfb1d5016f9165de9c5e456805621	tree \| snapshot
parent	2fee890af75fb05a69f41b01faa590b75fa7327c	commit \| diff

Work around SNonce updates on EAPOL-Key 1/4 retransmission

Some deployed supplicants update their SNonce for every receive
EAPOL-Key message 1/4 even when these messages happen during the
same 4-way handshake. Furthermore, some of these supplicants fail
to use the first SNonce that they sent and derive an incorrect PTK
using another SNonce that does not match with what the authenticator
is using from the first received message 2/4. This results in
failed 4-way handshake whenever the EAPOL-Key 1/4 retransmission
timeout is reached. The timeout for the first retry is fixed to
100 ms in the IEEE 802.11 standard and that seems to be short
enough to make it difficult for some stations to get the response
out before retransmission.

Work around this issue by increasing the initial EAPOL-Key 1/4
timeout by 1000 ms (i.e., total timeout of 1100 ms) if the station
acknowledges reception of the EAPOL-Key frame. If the driver does
not indicate TX status for EAPOL frames, use longer initial
timeout (1000 ms) unconditionally.

src/ap/ieee802_1x.c		diff \| blob \| blame \| history
src/ap/wpa_auth.c		diff \| blob \| blame \| history
src/ap/wpa_auth.h		diff \| blob \| blame \| history
src/ap/wpa_auth_glue.c		diff \| blob \| blame \| history
src/ap/wpa_auth_i.h		diff \| blob \| blame \| history