Retransmitted associate requests with OWE

James Prestwood prestwoj at gmail.com
Tue Mar 29 15:23:18 PDT 2022


Hi,

I have observed some behavior related to OWE where hostapd and the
station cannot connect if the associate request ACK is never received
by the station:

1. Station sends Association request
2. Hostapd receives this, derives its side of the keys and replies
3. Station never receives an ACK from the association request, kernel
retransmits.
4. Hostapd receives the retransmit, treats it as a new association and
re-derives the keys.
5. Station gets hostapd's first Association response via CMD_CONNECT,
unknown what ever happened to the second association response, likely
dropped by the kernel since it already sent CMD_CONNECT to userspace.
6. Now the STA derives its keys based on hostapd's first association
response, and hostapd derived its keys based on its second. This
results in the 4-way failing.

I can think of only two possible ways to fix this:

a) Have the kernel tell userspace of the retransmit, and of a new
association response (an additional CMD_CONNECT event?). This assumes
the second response actually made it and wasn't lost. This would end up
being quite a burden on both the kernel and userspace to handle this
case. Better would be...

b) Have hostapd treat additional association requests as retransmits.
For OWE specifically you can all but guarantee it was a retransmit if
the DH IE is identical.

I can't seem to find anything in 802.11 about retransmitting management
frames, so hostapd isn't doing anything wrong as far as the spec is
concerned... But I think the behavior could be improved by treating
identical associate requests as retransmits.

Below is a log of the behavior (just the two association requests).

Thanks,
James


nl80211: Event message available
nl80211: BSS Event 59 (NL80211_CMD_FRAME) received for wln1
nl80211: MLME event 59 (NL80211_CMD_FRAME) on wln1(02:00:00:00:f1:00)
A1=02:00:00:00:f1:00 A2=02:00:00:00:04:00
nl80211: MLME event frame - hexdump(len=144): 00 00 3a 01 02 00 00 00
f1 00 02 00 00 00 04 00 02 00 00 00 f1 00 10 00 31 14 05 00 00 0a 6f 77
65 2d 68 69 64 64 65 6e 01 04 02 04 0b 16 21 02 00 14 30 14 01 00 00 0f
ac 04 01 00 00 0f ac 04 01 00 00 0f ac 12 80 00 46 05 70 00 00 00 00 7f
0a 04 00 48 00 01 00 00 40 00 01 ff 33 20 14 00 1a 42 02 07 6d 8c bf 5b
4f b0 c7 3a 76 54 11 74 77 88 50 fd 2c 9e 33 ac 56 f8 5c 92 34 c4 14 37
a8 63 50 5a 3c 4a 72 02 63 03 fc 5e 60 3e 1b 99
nl80211: Frame event
nl80211: RX frame da=02:00:00:00:f1:00 sa=02:00:00:00:04:00
bssid=02:00:00:00:f1:00 freq=2412 ssi_signal=-30 fc=0x0 seq_ctrl=0x10
stype=0 (WLAN_FC_STYPE_ASSOC_REQ) len=144
wln1: Event RX_MGMT (18) received
mgmt::assoc_req
association request: STA=02:00:00:00:04:00 capab_info=0x1431
listen_interval=5 seq_ctrl=0x10
OWE: DH shared secret - hexdump(len=48): 69 b3 37 8a 66 32 77 58 f7 09
29 19 0a b6 2d 72 3b da 78 ef 5c f9 3e 72 6c a1 19 c9 f5 12 46 da a7 47
a2 f2 43 e3 31 ff cb a7 4d cb 5b 6a 00 97
OWE: prk - hexdump(len=48): 7e a5 bc f2 04 a9 bd 88 96 ea 51 0e 44 5a
2a 5d bc 2f a3 d0 9c 73 7e f0 92 fb 8f 6d 90 d6 f1 ab e4 a5 d6 4d da 3b
8c a8 1a 00 ff c2 a2 08 7f ef
OWE: PMK - hexdump(len=48): 0a 4c 39 38 9c fb f6 78 34 73 7d f8 3e 55
09 ac 80 74 df 6c 32 09 94 a3 27 f9 9e bf be 21 cd 26 c9 93 b1 03 fe b1
80 c9 7f 84 ac 1a 61 79 0a b1
OWE: PMKID - hexdump(len=16): 92 24 fd 91 53 3c ae a7 22 5d 3e e0 2d b3
7b 73
RSN: Cache PMK (2) - hexdump(len=32): 0a 4c 39 38 9c fb f6 78 34 73 7d
f8 3e 55 09 ac 80 74 df 6c 32 09 94 a3 27 f9 9e bf be 21 cd 26
RSN: added PMKSA cache entry for 02:00:00:00:04:00
RSN: added PMKID - hexdump(len=16): 92 24 fd 91 53 3c ae a7 22 5d 3e e0
2d b3 7b 73
  new AID 1
wln1: STA 02:00:00:00:04:00 IEEE 802.11: association OK (aid 1)
Add associated STA 02:00:00:00:04:00 (added_unassoc=1 auth_alg=0
ft_over_ds=0 reassoc=0 authorized=0 ft_tk=0 fils_tk=0)
nl80211: Set STA 02:00:00:00:04:00
  * supported rates - hexdump(len=4): 02 04 0b 16
  * capability=0x1431
  * aid=1
  * listen_interval=5
  * flags set=0xb4 mask=0xb4
nl80211: send_mlme - da=02:00:00:00:04:00 noack=0 freq=0 no_cck=0
offchanok=0 wait_time=0 no_encrypt=0 fc=0x10 (WLAN_FC_STYPE_ASSOC_RESP)
nlmode=3
nl80211: send_mlme - Use bss->freq=2412
nl80211: send_mlme -> send_frame_cmd
nl80211: CMD_FRAME freq=2412 wait=0 no_cck=0 no_ack=0 offchanok=0
CMD_FRAME - hexdump(len=126): 10 00 00 00 02 00 00 00 04 00 02 00 00 00
f1 00 02 00 00 00 f1 00 00 00 11 00 00 00 01 c0 01 04 82 84 0b 16 30 14
01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 00 0f ac 12 80 00 7f 08 04 00
40 02 00 00 00 40 5a 03 24 01 00 ff 33 20 14 00 8f 92 f6 29 68 27 be 82
cc f8 19 de 8b 2f c6 fc 54 7a 4b e5 c4 fa 24 dd fe b0 62 a6 ce 70 43 a1
b3 5a 7c 4d 7e 0e 4a a7 a8 fb 32 8d ad 0d 62 b5
nl80211: Frame TX command accepted; cookie 0x1c
nl80211: Event message available
nl80211: BSS Event 59 (NL80211_CMD_FRAME) received for wln1
nl80211: MLME event 59 (NL80211_CMD_FRAME) on wln1(02:00:00:00:f1:00)
A1=02:00:00:00:f1:00 A2=02:00:00:00:04:00
nl80211: MLME event frame - hexdump(len=144): 00 00 3a 01 02 00 00 00
f1 00 02 00 00 00 04 00 02 00 00 00 f1 00 20 00 31 14 05 00 00 0a 6f 77
65 2d 68 69 64 64 65 6e 01 04 02 04 0b 16 21 02 00 14 30 14 01 00 00 0f
ac 04 01 00 00 0f ac 04 01 00 00 0f ac 12 80 00 46 05 70 00 00 00 00 7f
0a 04 00 48 00 01 00 00 40 00 01 ff 33 20 14 00 1a 42 02 07 6d 8c bf 5b
4f b0 c7 3a 76 54 11 74 77 88 50 fd 2c 9e 33 ac 56 f8 5c 92 34 c4 14 37
a8 63 50 5a 3c 4a 72 02 63 03 fc 5e 60 3e 1b 99
nl80211: Frame event
nl80211: RX frame da=02:00:00:00:f1:00 sa=02:00:00:00:04:00
bssid=02:00:00:00:f1:00 freq=2412 ssi_signal=-30 fc=0x0 seq_ctrl=0x20
stype=0 (WLAN_FC_STYPE_ASSOC_REQ) len=144
wln1: Event RX_MGMT (18) received
mgmt::assoc_req
association request: STA=02:00:00:00:04:00 capab_info=0x1431
listen_interval=5 seq_ctrl=0x20
OWE: DH shared secret - hexdump(len=48): 5f 35 1f f4 c0 12 52 25 19 6d
23 9b 9f 32 ce 71 85 63 3f 5c 00 67 8d f8 ab 3b c3 a9 45 c3 c7 e6 3d fb
7b e6 ce 51 b6 7e d9 45 e7 4b 49 1f ab a5
OWE: prk - hexdump(len=48): a9 c2 82 30 2d 3e d0 e3 fc 12 54 00 c0 14
43 20 5c c2 09 f8 cb 61 5a 5b 70 fa db 5d ef d3 7e 9f c6 6a f1 8a 6a 8a
9f cd dc b3 08 f5 0e 1d 63 00
OWE: PMK - hexdump(len=48): 97 24 46 fa 14 b7 ab 49 d9 4b 79 0e 60 03
07 ef be 7a a0 3d 5e 7d 5d ec 4a d6 72 81 69 5e 1c 56 78 3c 3a 87 bb 6b
ee 8a ea cc c1 75 e2 02 69 4d
OWE: PMKID - hexdump(len=16): ea ec 26 0b 5a 2f 8a 32 03 dd f5 30 a0 1e
29 fd
RSN: Cache PMK (2) - hexdump(len=32): 97 24 46 fa 14 b7 ab 49 d9 4b 79
0e 60 03 07 ef be 7a a0 3d 5e 7d 5d ec 4a d6 72 81 69 5e 1c 56
RSN: added PMKSA cache entry for 02:00:00:00:04:00
RSN: added PMKID - hexdump(len=16): ea ec 26 0b 5a 2f 8a 32 03 dd f5 30
a0 1e 29 fd
  old AID 1
wln1: STA 02:00:00:00:04:00 IEEE 802.11: association OK (aid 1)
Add associated STA 02:00:00:00:04:00 (added_unassoc=0 auth_alg=0
ft_over_ds=0 reassoc=0 authorized=0 ft_tk=0 fils_tk=0)
nl80211: sta_remove -> DEL_STATION wln1 02:00:00:00:04:00 --> 0
(Success)
wln1: STA 02:00:00:00:04:00 WPA: event 8 notification
nl80211: Add STA 02:00:00:00:04:00
  * supported rates - hexdump(len=4): 02 04 0b 16
  * capability=0x1431
  * aid=1
  * listen_interval=5
  * flags set=0xb4 mask=0xb4
nl80211: send_mlme - da=02:00:00:00:04:00 noack=0 freq=0 no_cck=0
offchanok=0 wait_time=0 no_encrypt=0 fc=0x10 (WLAN_FC_STYPE_ASSOC_RESP)
nlmode=3
nl80211: send_mlme - Use bss->freq=2412
nl80211: send_mlme -> send_frame_cmd
nl80211: CMD_FRAME freq=2412 wait=0 no_cck=0 no_ack=0 offchanok=0
CMD_FRAME - hexdump(len=126): 10 00 00 00 02 00 00 00 04 00 02 00 00 00
f1 00 02 00 00 00 f1 00 00 00 11 00 00 00 01 c0 01 04 82 84 0b 16 30 14
01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 00 0f ac 12 80 00 7f 08 04 00
40 02 00 00 00 40 5a 03 24 01 00 ff 33 20 14 00 d6 65 94 1e 4f 40 e0 85
8a 2f c4 9b 78 fa c8 0c e6 7e 15 cb 1f 68 ca 8e c4 dd 3a 18 71 4f 8d 4f
4d 5c 49 57 24 05 58 72 fd fd 17 b2 a7 43 75 7d
nl80211: Frame TX command accepted; cookie 0x1d
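
Option (b) from the message above, as an added example (not hostapd code and not part of the original post): locate the OWE DH Parameter element (element ID 255, extension 0x20) in two association requests and compare group and public key, since the logged seq_ctrl differs (0x10 vs 0x20) and cannot identify the duplicate. The function names and the fixed IE offset of 28 bytes are assumptions of this sketch; the frame bytes are the first request from the log.

```c
#include <stdint.h>
#include <string.h>

#define EID_EXTENSION 255       /* element ID used by extended elements */
#define EXT_OWE_DH_PARAM 32     /* OWE DH Parameter extension ID (0x20 in the log) */
#define ASSOC_REQ_IE_OFFSET 28  /* 24-byte header + capab_info + listen_interval */

/* First association request from the log above (len=144, seq_ctrl=0x10). */
static const uint8_t assoc_req_1[144] = {
    0x00,0x00,0x3a,0x01,0x02,0x00,0x00,0x00,0xf1,0x00,0x02,0x00,0x00,0x00,0x04,0x00,0x02,0x00,0x00,0x00,0xf1,0x00,0x10,0x00,
    0x31,0x14,0x05,0x00,0x00,0x0a,0x6f,0x77,0x65,0x2d,0x68,0x69,0x64,0x64,0x65,0x6e,0x01,0x04,0x02,0x04,0x0b,0x16,0x21,0x02,
    0x00,0x14,0x30,0x14,0x01,0x00,0x00,0x0f,0xac,0x04,0x01,0x00,0x00,0x0f,0xac,0x04,0x01,0x00,0x00,0x0f,0xac,0x12,0x80,0x00,
    0x46,0x05,0x70,0x00,0x00,0x00,0x00,0x7f,0x0a,0x04,0x00,0x48,0x00,0x01,0x00,0x00,0x40,0x00,0x01,0xff,0x33,0x20,0x14,0x00,
    0x1a,0x42,0x02,0x07,0x6d,0x8c,0xbf,0x5b,0x4f,0xb0,0xc7,0x3a,0x76,0x54,0x11,0x74,0x77,0x88,0x50,0xfd,0x2c,0x9e,0x33,0xac,
    0x56,0xf8,0x5c,0x92,0x34,0xc4,0x14,0x37,0xa8,0x63,0x50,0x5a,0x3c,0x4a,0x72,0x02,0x63,0x03,0xfc,0x5e,0x60,0x3e,0x1b,0x99,
};

/* Return the DH element body (2-byte group + public key), or NULL if absent or malformed. */
static const uint8_t *owe_dh_elem(const uint8_t *f, size_t len, size_t *body_len)
{
    size_t pos = ASSOC_REQ_IE_OFFSET;
    while (pos + 2 <= len) {
        size_t elen = f[pos + 1];
        if (elen > len - pos - 2) return NULL;   /* element runs past the frame */
        if (f[pos] == EID_EXTENSION && elen >= 3 && f[pos + 2] == EXT_OWE_DH_PARAM) {
            *body_len = elen - 1;                /* drop the extension ID byte */
            return &f[pos + 3];
        }
        pos += 2 + elen;
    }
    return NULL;
}

/* 1 if both requests carry the same DH group and public key, else 0. */
int owe_same_dh(const uint8_t *a, size_t alen, const uint8_t *b, size_t blen)
{
    size_t la = 0, lb = 0;
    const uint8_t *da = owe_dh_elem(a, alen, &la), *db = owe_dh_elem(b, blen, &lb);
    return da && db && la == lb && memcmp(da, db, la) == 0;
}

/* Second logged request: byte-identical to the first except seq_ctrl (0x10 -> 0x20). */
int logged_requests_match(void)
{
    uint8_t second[sizeof(assoc_req_1)];
    memcpy(second, assoc_req_1, sizeof(second));
    second[22] = 0x20;
    return owe_same_dh(assoc_req_1, sizeof(assoc_req_1), second, sizeof(second));
}
```

An AP using this check would also need to keep the previous request's DH element per STA and answer a match with the keys and response it already derived, which this sketch leaves out.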



