2015-11-13 00:59:26

by Ben Greear

[permalink] [raw]
Subject: Does mac80211 guarantee no data frames are sent to driver until encryption is setup?

A certain firmware tries to do EAPOL inspection and only allow data pkts
to be sent after the 4-way M4 has been sent, for instance.

This was breaking .11r because in that case you don't do the 4-way after
roaming, so the firmware was waiting forever for an M4 to be sent and
thus all tx data was hung.

I managed to get this working by just removing all of the EAPOL inspection from the firmware,
but I am thinking that if the stack will send data packets to the driver
before 4-way auth is completed and keys are set, then maybe I would
be opening up a race where un-encrypted frames could hit the air.

Any idea what protections, if any, the mac80211 stack provides
for this case?

Thanks,
Ben

--
Ben Greear <[email protected]>
Candela Technologies Inc http://www.candelatech.com



2015-11-13 06:14:48

by Janusz Dziedzic

[permalink] [raw]
Subject: Re: Does mac80211 guarantee no data frames are sent to driver until encryption is setup?

On 13 November 2015 at 01:59, Ben Greear <[email protected]> wrote:
> A certain firmware tries to do EAPOL inspection and only allow data pkts
> to be sent after the 4-way M4 has been sent, for instance.
>
> This was breaking .11r because in that case you don't do the 4-way after
> roaming, so the firmware was waiting forever for an M4 to be sent and
> thus all tx data was hung.
>
> I managed to get this working by just removing all of the EAPOL inspection
> from the firmware,
> but I am thinking that if the stack will send data packets to the driver
> before 4-way auth is completed and keys are set, then maybe I would
> be opening up a race where un-encrypted frames could hit the air.
>
> Any idea what protections, if any, the mac80211 stack provides
> for this case?
>
Check WLAN_STA_AUTHORIZED in mac80211.

BR
Janusz

2015-11-13 21:55:01

by Ben Greear

[permalink] [raw]
Subject: Re: Does mac80211 guarantee no data frames are sent to driver until encryption is setup?

On 11/12/2015 10:14 PM, Janusz Dziedzic wrote:
> On 13 November 2015 at 01:59, Ben Greear <[email protected]> wrote:
>> A certain firmware tries to do EAPOL inspection and only allow data pkts
>> to be sent after the 4-way M4 has been sent, for instance.
>>
>> This was breaking .11r because in that case you don't do the 4-way after
>> roaming, so the firmware was waiting forever for an M4 to be sent and
>> thus all tx data was hung.
>>
>> I managed to get this working by just removing all of the EAPOL inspection
>> from the firmware,
>> but I am thinking that if the stack will send data packets to the driver
>> before 4-way auth is completed and keys are set, then maybe I would
>> be opening up a race where un-encrypted frames could hit the air.
>>
>> Any idea what protections, if any, the mac80211 stack provides
>> for this case?
>>
> Check WLAN_STA_AUTHORIZED in mac80211.

Thanks for the hint. Looks like my firmware change should
be perfectly safe in that case.

Thanks,
Ben


--
Ben Greear <[email protected]>
Candela Technologies Inc http://www.candelatech.com