From: Shawn Webb
Date: Thu, 19 Jul 2018 20:32:55 -0400
To: Kyle Evans
Cc: src-committers, svn-src-all@freebsd.org, svn-src-head@freebsd.org, Cy Schubert, "Oleg V. Nauman", Cy Schubert
Subject: Re: svn commit: r336203 - in head: contrib/wpa contrib/wpa/hostapd contrib/wpa/hs20/client contrib/wpa/patches contrib/wpa/src/ap contrib/wpa/src/common contrib/wpa/src/crypto contrib/wpa/src/drivers c...
Message-ID: <20180720003255.6dglwhbrnyewowdh@mutt-hbsd>
References: <201807192114.w6JLEapA097589@slippy.cwsent.com> <201807192133.w6JLXRX4066519@slippy.cwsent.com>

On Thu, Jul 19, 2018 at 07:24:46PM -0500, Kyle Evans wrote:
> On Thu, Jul 19, 2018 at 6:21 PM, Kyle Evans wrote:
> > On Thu, Jul 19, 2018 at 4:33 PM, Cy Schubert wrote:
> >> In message <201807192114.w6JLEapA097589@slippy.cwsent.com>, Cy Schubert
> >> writes:
> >>> In message <17042686.Mc0X0P6XHu@asus.theweb.org.ua>, "Oleg V. Nauman"
> >>> writes:
> >>> > On Thursday, July 19, 2018 4:54:42 PM EEST Cy Schubert wrote:
> >>> > > In message
> >>> > > il.com>
> >>> > >
> >>> > > , Kyle Evans writes:
> >>> > > > On Thu, Jul 19, 2018 at 7:13 AM, Niclas Zeising
> >>> > > >
> >>> > > > wrote:
> >>> > > > > [ sending this again since I missed the list the first time, apologies
> >>> > > > > if
> >>> > > > > anyone receives a duplicate ]
> >>> > > > >
> >>> > > > > On 07/19/18 13:57, Kyle Evans wrote:
> >>> > > > >> On Thu, Jul 19, 2018 at 4:51 AM, Alexey Dokuchaev
> >>> > > > >>
> >>> > > > >> wrote:
> >>> > > > >>> On Thu, Jul 19, 2018 at 11:48:03AM +0300, Andrey V. Elsukov wrote:
> >>> > > > >>>> ...
> >>> > > > >>>> Yesterday I updated my notebook (with iwm(4)) and also noticed that
> >>> > > > >>>> wi-fi connection periodically breaks. /etc/rc.d/wpa_supplicant
> >>> > > > >>>> restart
> >>> > > > >>>> wlan0 helps. After your message I reinstalled wpa_supplicant from old
> >>> > > > >>>> source and now it works stable already about 2 hours.
> >>> > > > >>>
> >>> > > > >>> So, right now, we have broken wpa_supplicant(8) in -CURRENT? :-/
> >>> > > > >>
> >>> > > > >> Well, "broken". It's incredibly stable outside of rekeying events, and
> >>> > > > >> further testing shows that I don't actually notice these disconnects
> >>> > > > >> most of the time because it reassociates fast enough. I noticed it the
> >>> > > > >> first time because apparently I had both SSIDs from my AP uncommented
> >>> > > > >> in my wpa_supplicant.conf and it decided at that point to connect to
> >>> > > > >> the other one, which took a little longer.
> >>> > > > >>
> >>> > > > >> Contrary to Andrey's report, though, I don't have to kick
> >>> > > > >> wpa_supplicant at all. It will reassociate on its own every single
> >>> > > > >> time.
> >>> > > > >
> >>> > > > > Hi!
> >>> > > > > I have the exact same problem as Andrey, with the same driver. I've not
> >>> > > > > investigated very much, but when using the 2.8 wpa_supplicant the wifi
> >>> > > > > network dies after a little while, and I have to restart it (usually
> >>> > > > > with
> >>> > > > > /etc/rc.d/netif restart). Then it works for a little while, before
> >>> > > > > going
> >>> > > > > down again. With the old wpa_supplicant I didn't have this problem.
> >>> > > > >
> >>> > > > > I don't have very much else to add except noting that I'm affected as
> >>> > > > > well.
> >>> > > > > I haven't had time to debug it properly (which is why I've never
> >>> > > > > reported
> >>> > > > > it)
> >>> > >
> >>> > > > I plan on trying out the latest from upstream beyond the patch Cy sent
> >>> > > > along earlier to see if it's perhaps been addressed elsewhere in the
> >>> > > > past two years since this release was made.
> >>> > >
> >>> > > A point of reference. I've had no issues here with any of the networks
> >>> > > I use. All the networks I use are either WPA-PSK or open. The last
> >>> > > WPA-EAP I used was at former $JOB a few years ago. However, at the Link
> >>> > > Lounge just outside where $JOB is at my wifi would disconnect every 30
> >>> > > minutes using our old wpa 2.5, requiring a netif restart. 2.6 resolved
> >>> > > that issue.
> >>> > >
> >>> > > Upline git commit 0adc9b28b39d414d5febfff752f6a1576f785c85 also looks
> >>> > > interesting.
> >>> > >
> >>> > > commit 0adc9b28b39d414d5febfff752f6a1576f785c85
> >>> > > Author: Jouni Malinen
> >>> > > Date: Sun Oct 1 12:32:57 2017 +0300
> >>> > >
> >>> > >     Fix PTK rekeying to generate a new ANonce
> >>> > >
> >>> > >     The Authenticator state machine path for PTK rekeying ended up
> >>> > >     bypassing
> >>> > >     the AUTHENTICATION2 state where a new ANonce is generated when going
> >>> > >     directly to the PTKSTART state since there is no need to try to
> >>> > >     determine the PMK again in such a case. This is far from ideal
> >>> > >     since the
> >>> > >     new PTK would depend on a new nonce only from the supplicant.
> >>> > >
> >>> > >     Fix this by generating a new ANonce when moving to the PTKSTART
> >>> > >     state
> >>> > >     for the purpose of starting new 4-way handshake to rekey PTK.
> >>> > >
> >>> > >     Signed-off-by: Jouni Malinen
> >>> > >
> >>> > >
> >>> > > I suspect a timeout because reason=1 in Kyle's log.
> >>> >
> >>> >
> >>> > I have two systems experienced wifi connection issues after recent HEAD
> >>> > update.
> >>> > Both of them experiencing frequent up/down wlan0 events on boot so wireless
> >>> > connection can not negotiate DHCP requests, possibly due to fact that both
> >>> > connecting to the same AP.
> >>> > AP capabilities list:
> >>> >
> >>> > ***** f8:1a:67:56:16:16 1 54M -74:-96 100 EPS WPA WME ATH WPS
> >>> >
> >>> > Interesting enough that switching wpa_supplicant to version 2.6 from ports
> >>> > fixes that issue completely.
> >>> >
> >>> > Hopefully it helps.
> >>> >
> >>> > Thank you.
> >>>
> >>> I've imported all the patches in the port, from our upline into base.
> >>> Some were already committed to
> >>> --
> >>> Cheers,
> >>> Cy Schubert
> >>> FreeBSD UNIX: Web: http://www.FreeBSD.org
> >>>
> >>> The need of the many outweighs the greed of the few.
> >>> base 2.5 others not. This should bring base up to par with the port,
> >>> address the remaining security issues, and probably fix this thread too.
> >>
> >> exmh. I had my cursor in the wrong place when I hit send.
> >>
> >> I've imported all the patches in the port, from our upline into base.
> >> Some were already committed to base 2.5 others not. This should bring
> >> base up to par with the port, address the remaining security issues,
> >> and probably fix this thread too.
> >>
> >
> > FWIW- with ports 2.6 I've confirmed that instead of the reassociation I get:
> >
> > Jul 19 18:17:30 shiva wpa_supplicant[34199]: wlan0: WPA: Group
> > rekeying completed with ... [GTK=CCMP]
> >
> > I'll try with base 2.6 now that you've updated with all of these patches.
>
> Alright, base 2.6 is still no good here. I note that there's still
> some diff between ports and base [1] (about 252 lines of diff to sort
> through, nothing serious... I removed the obviously-for-libressl
> diff).
>
> Some of it looks kind of suspicious, but I'd guess the changes in
> ./src/rsn_supp/wpa.c are mostly what make the difference for me.
> How much of this really needs to stick around, given that ports
> wpa_supplicant is actually pretty stable?

(Attempting to read between the lines, forgive me if I misinterpreted.)

Some of the systems I've set up recently are more easily set up with
wireless. Running a 100ft cable in an office building isn't that fun.

Thanks,

--
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

Tor-ified Signal: +1 443-546-8752
Tor+XMPP+OTR: lattera@is.a.hacker.sx
GPG Key ID: 0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE
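
The upstream commit message quoted in this thread says that rekeying without a new ANonce leaves the new PTK dependent only on the supplicant's nonce. As an added illustration (not code from hostap, FreeBSD or anyone in this thread), the Python below applies the IEEE 802.11 SHA-1 PRF used for WPA2-PSK pairwise key derivation; the function names and every key, address and nonce value are constructed for the example.

```python
import hashlib
import hmac

LABEL = b"Pairwise key expansion"

def prf_sha1(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """48-byte CCMP PTK (KCK | KEK | TK) from the PMK, both MAC addresses and both nonces."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_sha1(pmk, LABEL, data, 48)

# Constructed sample values (not taken from the thread or from any real network).
PMK = hashlib.sha256(b"constructed PMK").digest()
AA = bytes.fromhex("020000000001")    # authenticator (AP) address
SPA = bytes.fromhex("020000000002")   # supplicant (station) address
ANONCE_OLD = hashlib.sha256(b"anonce from initial handshake").digest()
ANONCE_NEW = hashlib.sha256(b"anonce generated at PTKSTART").digest()
SNONCE_A = hashlib.sha256(b"supplicant nonce A").digest()
SNONCE_B = hashlib.sha256(b"supplicant nonce B").digest()

def rekey_outcomes() -> dict:
    """Compare rekeying with a reused ANonce against rekeying with a fresh one."""
    initial = derive_ptk(PMK, AA, SPA, ANONCE_OLD, SNONCE_A)
    return {
        # Reused ANonce, new SNonce: PTK changes, but only because of the supplicant.
        "reused_anonce_new_snonce_differs":
            derive_ptk(PMK, AA, SPA, ANONCE_OLD, SNONCE_B) != initial,
        # Reused ANonce and a repeated SNonce: the "new" PTK is the old PTK.
        "reused_anonce_same_snonce_repeats":
            derive_ptk(PMK, AA, SPA, ANONCE_OLD, SNONCE_A) == initial,
        # Fresh ANonce (the behaviour after the fix): PTK changes even if SNonce repeats.
        "fresh_anonce_same_snonce_differs":
            derive_ptk(PMK, AA, SPA, ANONCE_NEW, SNONCE_A) != initial,
    }

if __name__ == "__main__":
    for name, value in rekey_outcomes().items():
        print(f"{name}: {value}")
```

The derivation shown covers the SHA-1 based AKMs only; SHA-256 based AKMs use a different KDF with the same inputs.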