Re: Question on setting key right after the EAPOL 4/4 is sent.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 06/09/2017 02:47 PM, Janusz Dziedzic wrote:

2017-06-09 22:18 GMT+02:00 Ben Greear <greearb@xxxxxxxxxxxxxxx>:

On 06/09/2017 01:01 PM, Johannes Berg wrote:


On Fri, 2017-06-09 at 06:46 -0700, Ben Greear wrote:


However, the solution is far simpler! Once you have nl80211 PAE
transport, you can easily even set the key before transmitting the
packet and simply indicate that this particular packet should _not_
be encrypted regardless of key presence.



My ath10k firmware cannot deal with a case like this:

pkt is enqueued before key is set
key is set
pkt is transmitted (incorrectly)

This is because of how the tid's header-length variables are set up
and modified when the keys are set, and I don't see any good way to
fix this.



That seems awful, and anyway will not work with the mentioned non-IEEE
protocols that require not encrypting the rekeying frames even when
keys have been set up.

I don't know what to tell you here, I think it'd be best if you fix
that.



The case that fails is basically any packet that is currently
enqueued in the firmware when the key is set is transmitted incorrectly or
not at all.
And, maybe this is only for DATA tids.

Otherwise, the no-encrypt logic should work fine.  So, it is just the race
with the EAPOL 4/4 and set-key that causes issues as far as I can tell.

It looks like the EAPOL 4/4 and set-key race is fixable without too much
effort,
so I think I will focus on that for now instead of further hacking special
case logic into the firmware.


Ben, as I remember correctly there is a flag,
WMI_PEER_NEED_PTK_4_WAY

This fix race (you describe) in the firmware/hw.
For 636 firmware, where we tested STA mode really hard (5 years ago),
that works perfect.
So, I am not sure why this flag don't work correctly with your firmware.


I removed/ignored this flag/logic to make .11r work (in 10.1.4-mumble),
just possibly .11r worked before in the 636 firmware.



Regarding EAPOL frames I am not sure you will have real/correct ACK. I
remember in case of mgmt frames FW always return ACK - but probably
you will check that.


I fixed the rx-status, but really, valid or not, it would at least fix the race
to wait to get the status.


I also fight with some EAPOL frames, but forgot why ... Seems my brain
removed this information for some reason :-)


The firmware code was nasty in this regard...I wouldn't try to remember
it if I were you :)

Thanks,
Ben


--
Ben Greear <greearb@xxxxxxxxxxxxxxx>
Candela Technologies Inc  http://www.candelatech.com


_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
[Index of Archives]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Samba]     [Device Mapper]

  Powered by Linux