* [PATCH] Register EAPOL frame listeners earlier
@ 2024-03-26 23:11 jeremy.whiting
2024-03-27 11:51 ` James Prestwood
0 siblings, 1 reply; 9+ messages in thread
From: jeremy.whiting @ 2024-03-26 23:11 UTC (permalink / raw)
To: iwd; +Cc: ed.smith, alvaro.soliverez
From: Ed Smith <ed.smith@collabora.com>
If we register the main EAPOL frame listener as late as the associate
event, it may not observe ptk_1_of_4. This defeats handling for early
messages in eapol_rx_packet, which only sees messages once it has been
registered.
If we move registration to the authenticate event, then the EAPOL
frame listeners should observe all messages, without any possible
races. Note that the messages are not actually processed until
eapol_start() is called, and we haven't moved that call site. All
that's changing here is how early EAPOL messages can be observed.
---
src/netdev.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/src/netdev.c b/src/netdev.c
index 09fac959..fc84c398 100644
--- a/src/netdev.c
+++ b/src/netdev.c
@@ -2982,8 +2982,13 @@ static void netdev_authenticate_event(struct l_genl_msg *msg,
NULL, netdev->user_data);
/* We have sent another CMD_AUTHENTICATE / CMD_ASSOCIATE */
- if (ret == 0 || ret == -EAGAIN)
+ if (ret == 0 || ret == -EAGAIN) {
+ if (!netdev->sm) {
+ netdev->sm = eapol_sm_new(netdev->handshake);
+ eapol_register(netdev->sm);
+ }
return;
+ }
retry = kernel_will_retry_auth(status_code,
L_CPU_TO_LE16(auth->algorithm),
@@ -3099,9 +3104,6 @@ static void netdev_associate_event(struct l_genl_msg *msg,
netdev->ap = NULL;
}
- netdev->sm = eapol_sm_new(netdev->handshake);
- eapol_register(netdev->sm);
-
/* Just in case this was a retry */
netdev->ignore_connect_event = false;
--
2.44.0
^ permalink raw reply related [flat|nested] 9+ messages in thread* Re: [PATCH] Register EAPOL frame listeners earlier
2024-03-26 23:11 [PATCH] Register EAPOL frame listeners earlier jeremy.whiting
@ 2024-03-27 11:51 ` James Prestwood
2024-03-27 18:53 ` Jeremy Whiting
0 siblings, 1 reply; 9+ messages in thread
From: James Prestwood @ 2024-03-27 11:51 UTC (permalink / raw)
To: jeremy.whiting, iwd; +Cc: ed.smith, alvaro.soliverez
Hi Jeremy,
On 3/26/24 4:11 PM, jeremy.whiting@collabora.com wrote:
> From: Ed Smith <ed.smith@collabora.com>
>
> If we register the main EAPOL frame listener as late as the associate
> event, it may not observe ptk_1_of_4. This defeats handling for early
> messages in eapol_rx_packet, which only sees messages once it has been
> registered.
>
> If we move registration to the authenticate event, then the EAPOL
> frame listeners should observe all messages, without any possible
> races. Note that the messages are not actually processed until
> eapol_start() is called, and we haven't moved that call site. All
> that's changing here is how early EAPOL messages can be observed.
> ---
> src/netdev.c | 10 ++++++----
> 1 file changed, 6 insertions(+), 4 deletions(-)
>
> diff --git a/src/netdev.c b/src/netdev.c
> index 09fac959..fc84c398 100644
> --- a/src/netdev.c
> +++ b/src/netdev.c
> @@ -2982,8 +2982,13 @@ static void netdev_authenticate_event(struct l_genl_msg *msg,
> NULL, netdev->user_data);
>
> /* We have sent another CMD_AUTHENTICATE / CMD_ASSOCIATE */
> - if (ret == 0 || ret == -EAGAIN)
> + if (ret == 0 || ret == -EAGAIN) {
> + if (!netdev->sm) {
> + netdev->sm = eapol_sm_new(netdev->handshake);
> + eapol_register(netdev->sm);
> + }
> return;
> + }
>
> retry = kernel_will_retry_auth(status_code,
> L_CPU_TO_LE16(auth->algorithm),
> @@ -3099,9 +3104,6 @@ static void netdev_associate_event(struct l_genl_msg *msg,
> netdev->ap = NULL;
> }
>
> - netdev->sm = eapol_sm_new(netdev->handshake);
> - eapol_register(netdev->sm);
> -
> /* Just in case this was a retry */
> netdev->ignore_connect_event = false;
>
I need to have the CI email the original sender so you get notified, but
as Denis mentioned this still breaks FT because IWD does not use the
conventional CMD_AUTHENTICATE and instead sends an auth frame using
CMD_FRAME. This means that there is no authenticate event at all when FT
is involved. Because of this, no SM gets created (with this patch) which
breaks rekeys.
After FT authentication netdev_ft_reassociate() is called which issues
the CMD_CONNECT call (this triggers association). So I think you would
need to both create the SM similar to where you did here, as well as
after it gets destroyed in here:
https://git.kernel.org/pub/scm/network/wireless/iwd.git/tree/src/netdev.c#n4279
For reference, this is the CI output with this patch:
**Autotest Runner**
Test ID: testrunner
Desc: Runs IWD's autotest framework
Duration: 1868.49 seconds
**Result: FAIL**
Output:
```
testFT-8021x-roam,testFT-FILS,testNetconfigRoam,testPSK-roam,testSAE-roam
Thanks,
James
^ permalink raw reply [flat|nested] 9+ messages in thread* Re: [PATCH] Register EAPOL frame listeners earlier
2024-03-27 11:51 ` James Prestwood
@ 2024-03-27 18:53 ` Jeremy Whiting
2024-03-27 19:10 ` James Prestwood
0 siblings, 1 reply; 9+ messages in thread
From: Jeremy Whiting @ 2024-03-27 18:53 UTC (permalink / raw)
To: James Prestwood; +Cc: iwd, ed.smith, alvaro.soliverez
On Wednesday, March 27, 2024 05:51 AM MDT, James Prestwood <prestwoj@gmail.com> wrote:
> Hi Jeremy,
>
> On 3/26/24 4:11 PM, jeremy.whiting@collabora.com wrote:
> > From: Ed Smith <ed.smith@collabora.com>
> >
> > If we register the main EAPOL frame listener as late as the associate
> > event, it may not observe ptk_1_of_4. This defeats handling for early
> > messages in eapol_rx_packet, which only sees messages once it has been
> > registered.
> >
> > If we move registration to the authenticate event, then the EAPOL
> > frame listeners should observe all messages, without any possible
> > races. Note that the messages are not actually processed until
> > eapol_start() is called, and we haven't moved that call site. All
> > that's changing here is how early EAPOL messages can be observed.
> > ---
> > src/netdev.c | 10 ++++++----
> > 1 file changed, 6 insertions(+), 4 deletions(-)
> >
> > diff --git a/src/netdev.c b/src/netdev.c
> > index 09fac959..fc84c398 100644
> > --- a/src/netdev.c
> > +++ b/src/netdev.c
> > @@ -2982,8 +2982,13 @@ static void netdev_authenticate_event(struct l_genl_msg *msg,
> > NULL, netdev->user_data);
> >
> > /* We have sent another CMD_AUTHENTICATE / CMD_ASSOCIATE */
> > - if (ret == 0 || ret == -EAGAIN)
> > + if (ret == 0 || ret == -EAGAIN) {
> > + if (!netdev->sm) {
> > + netdev->sm = eapol_sm_new(netdev->handshake);
> > + eapol_register(netdev->sm);
> > + }
> > return;
> > + }
> >
> > retry = kernel_will_retry_auth(status_code,
> > L_CPU_TO_LE16(auth->algorithm),
> > @@ -3099,9 +3104,6 @@ static void netdev_associate_event(struct l_genl_msg *msg,
> > netdev->ap = NULL;
> > }
> >
> > - netdev->sm = eapol_sm_new(netdev->handshake);
> > - eapol_register(netdev->sm);
> > -
> > /* Just in case this was a retry */
> > netdev->ignore_connect_event = false;
> >
>
> I need to have the CI email the original sender so you get notified, but
> as Denis mentioned this still breaks FT because IWD does not use the
> conventional CMD_AUTHENTICATE and instead sends an auth frame using
> CMD_FRAME. This means that there is no authenticate event at all when FT
> is involved. Because of this, no SM gets created (with this patch) which
> breaks rekeys.
>
> After FT authentication netdev_ft_reassociate() is called which issues
> the CMD_CONNECT call (this triggers association). So I think you would
> need to both create the SM similar to where you did here, as well as
> after it gets destroyed in here:
I think I see. I've got a couple of questions though.
1. How if possible can I run the CI tests locally?
2. Should I instead just change the eapol_register that we removed from _associate_event to keep doing the _register if netdev->sm is null?
i.e. Change the patch from removing the 2 lines to wrapping them in
if (!netdev->sm) {
}
At any rate I just sent a new patch with the suggested addition of registering after freeing in netdev_ft_reassociate. I can test that this afternoon, or try the other approach as well.
thanks,
Jeremy
>
> https://git.kernel.org/pub/scm/network/wireless/iwd.git/tree/src/netdev.c#n4279
>
> For reference, this is the CI output with this patch:
>
> **Autotest Runner**
> Test ID: testrunner
> Desc: Runs IWD's autotest framework
> Duration: 1868.49 seconds
> **Result: FAIL**
>
> Output:
> ```
> testFT-8021x-roam,testFT-FILS,testNetconfigRoam,testPSK-roam,testSAE-roam
>
> Thanks,
>
> James
>
^ permalink raw reply [flat|nested] 9+ messages in thread* Re: [PATCH] Register EAPOL frame listeners earlier
2024-03-27 18:53 ` Jeremy Whiting
@ 2024-03-27 19:10 ` James Prestwood
0 siblings, 0 replies; 9+ messages in thread
From: James Prestwood @ 2024-03-27 19:10 UTC (permalink / raw)
To: Jeremy Whiting; +Cc: iwd, ed.smith, alvaro.soliverez
Hi Jeremy,
On 3/27/24 11:53 AM, Jeremy Whiting wrote:
> On Wednesday, March 27, 2024 05:51 AM MDT, James Prestwood <prestwoj@gmail.com> wrote:
>
>> Hi Jeremy,
>>
>> On 3/26/24 4:11 PM, jeremy.whiting@collabora.com wrote:
>>> From: Ed Smith <ed.smith@collabora.com>
>>>
>>> If we register the main EAPOL frame listener as late as the associate
>>> event, it may not observe ptk_1_of_4. This defeats handling for early
>>> messages in eapol_rx_packet, which only sees messages once it has been
>>> registered.
>>>
>>> If we move registration to the authenticate event, then the EAPOL
>>> frame listeners should observe all messages, without any possible
>>> races. Note that the messages are not actually processed until
>>> eapol_start() is called, and we haven't moved that call site. All
>>> that's changing here is how early EAPOL messages can be observed.
>>> ---
>>> src/netdev.c | 10 ++++++----
>>> 1 file changed, 6 insertions(+), 4 deletions(-)
>>>
>>> diff --git a/src/netdev.c b/src/netdev.c
>>> index 09fac959..fc84c398 100644
>>> --- a/src/netdev.c
>>> +++ b/src/netdev.c
>>> @@ -2982,8 +2982,13 @@ static void netdev_authenticate_event(struct l_genl_msg *msg,
>>> NULL, netdev->user_data);
>>>
>>> /* We have sent another CMD_AUTHENTICATE / CMD_ASSOCIATE */
>>> - if (ret == 0 || ret == -EAGAIN)
>>> + if (ret == 0 || ret == -EAGAIN) {
>>> + if (!netdev->sm) {
>>> + netdev->sm = eapol_sm_new(netdev->handshake);
>>> + eapol_register(netdev->sm);
>>> + }
>>> return;
>>> + }
>>>
>>> retry = kernel_will_retry_auth(status_code,
>>> L_CPU_TO_LE16(auth->algorithm),
>>> @@ -3099,9 +3104,6 @@ static void netdev_associate_event(struct l_genl_msg *msg,
>>> netdev->ap = NULL;
>>> }
>>>
>>> - netdev->sm = eapol_sm_new(netdev->handshake);
>>> - eapol_register(netdev->sm);
>>> -
>>> /* Just in case this was a retry */
>>> netdev->ignore_connect_event = false;
>>>
>> I need to have the CI email the original sender so you get notified, but
>> as Denis mentioned this still breaks FT because IWD does not use the
>> conventional CMD_AUTHENTICATE and instead sends an auth frame using
>> CMD_FRAME. This means that there is no authenticate event at all when FT
>> is involved. Because of this, no SM gets created (with this patch) which
>> breaks rekeys.
>>
>> After FT authentication netdev_ft_reassociate() is called which issues
>> the CMD_CONNECT call (this triggers association). So I think you would
>> need to both create the SM similar to where you did here, as well as
>> after it gets destroyed in here:
> I think I see. I've got a couple of questions though.
>
> 1. How if possible can I run the CI tests locally?
I'll be the first to admit, the documentation isn't great. But:
https://git.kernel.org/pub/scm/network/wireless/iwd.git/tree/doc/test-runner.txt
> 2. Should I instead just change the eapol_register that we removed from _associate_event to keep doing the _register if netdev->sm is null?
> i.e. Change the patch from removing the 2 lines to wrapping them in
> if (!netdev->sm) {
> }
That also could work. I would just comment it, since its really just to
serve FT. Explicitly creating it in netdev_ft_reassociate may be more
clear. Maybe Denis has a preference.
>
> At any rate I just sent a new patch with the suggested addition of registering after freeing in netdev_ft_reassociate. I can test that this afternoon, or try the other approach as well.
>
> thanks,
> Jeremy
>
>> https://git.kernel.org/pub/scm/network/wireless/iwd.git/tree/src/netdev.c#n4279
>>
>> For reference, this is the CI output with this patch:
>>
>> **Autotest Runner**
>> Test ID: testrunner
>> Desc: Runs IWD's autotest framework
>> Duration: 1868.49 seconds
>> **Result: FAIL**
>>
>> Output:
>> ```
>> testFT-8021x-roam,testFT-FILS,testNetconfigRoam,testPSK-roam,testSAE-roam
>>
>> Thanks,
>>
>> James
>>
^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH] Register EAPOL frame listeners earlier
@ 2024-03-27 18:49 jeremy.whiting
2024-03-27 21:01 ` Denis Kenzior
0 siblings, 1 reply; 9+ messages in thread
From: jeremy.whiting @ 2024-03-27 18:49 UTC (permalink / raw)
To: iwd; +Cc: ed.smith, alvaro.soliverez
From: Ed Smith <ed.smith@collabora.com>
If we register the main EAPOL frame listener as late as the associate
event, it may not observe ptk_1_of_4. This defeats handling for early
messages in eapol_rx_packet, which only sees messages once it has been
registered.
If we move registration to the authenticate event, then the EAPOL
frame listeners should observe all messages, without any possible
races. Note that the messages are not actually processed until
eapol_start() is called, and we haven't moved that call site. All
that's changing here is how early EAPOL messages can be observed.
---
src/netdev.c | 17 +++++++++++++----
1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/src/netdev.c b/src/netdev.c
index 09fac959..886a85f5 100644
--- a/src/netdev.c
+++ b/src/netdev.c
@@ -2896,6 +2896,14 @@ static bool kernel_will_retry_auth(uint16_t status_code,
return false;
}
+static void netdev_ensure_registered(struct netdev *netdev)
+{
+ if (!netdev->sm) {
+ netdev->sm = eapol_sm_new(netdev->handshake);
+ eapol_register(netdev->sm);
+ }
+}
+
static void netdev_authenticate_event(struct l_genl_msg *msg,
struct netdev *netdev)
{
@@ -2982,8 +2990,10 @@ static void netdev_authenticate_event(struct l_genl_msg *msg,
NULL, netdev->user_data);
/* We have sent another CMD_AUTHENTICATE / CMD_ASSOCIATE */
- if (ret == 0 || ret == -EAGAIN)
+ if (ret == 0 || ret == -EAGAIN) {
+ netdev_ensure_registered(netdev);
return;
+ }
retry = kernel_will_retry_auth(status_code,
L_CPU_TO_LE16(auth->algorithm),
@@ -3099,9 +3109,6 @@ static void netdev_associate_event(struct l_genl_msg *msg,
netdev->ap = NULL;
}
- netdev->sm = eapol_sm_new(netdev->handshake);
- eapol_register(netdev->sm);
-
/* Just in case this was a retry */
netdev->ignore_connect_event = false;
@@ -4279,6 +4286,8 @@ int netdev_ft_reassociate(struct netdev *netdev,
if (netdev->sm) {
eapol_sm_free(netdev->sm);
netdev->sm = NULL;
+
+ netdev_ensure_registered(netdev);
}
msg = netdev_build_cmd_associate_common(netdev);
--
2.44.0
^ permalink raw reply related [flat|nested] 9+ messages in thread* Re: [PATCH] Register EAPOL frame listeners earlier
2024-03-27 18:49 jeremy.whiting
@ 2024-03-27 21:01 ` Denis Kenzior
0 siblings, 0 replies; 9+ messages in thread
From: Denis Kenzior @ 2024-03-27 21:01 UTC (permalink / raw)
To: jeremy.whiting, iwd; +Cc: ed.smith, alvaro.soliverez
Hi Jeremy/Ed,
On 3/27/24 13:49, jeremy.whiting@collabora.com wrote:
> From: Ed Smith <ed.smith@collabora.com>
>
> If we register the main EAPOL frame listener as late as the associate
> event, it may not observe ptk_1_of_4. This defeats handling for early
> messages in eapol_rx_packet, which only sees messages once it has been
> registered.
>
> If we move registration to the authenticate event, then the EAPOL
> frame listeners should observe all messages, without any possible
> races. Note that the messages are not actually processed until
> eapol_start() is called, and we haven't moved that call site. All
> that's changing here is how early EAPOL messages can be observed.
> ---
> src/netdev.c | 17 +++++++++++++----
> 1 file changed, 13 insertions(+), 4 deletions(-)
>
Can we please use patch versioning? I can't keep track which version of this
patch I'm looking at now.
> diff --git a/src/netdev.c b/src/netdev.c
> index 09fac959..886a85f5 100644
> --- a/src/netdev.c
> +++ b/src/netdev.c
> @@ -2896,6 +2896,14 @@ static bool kernel_will_retry_auth(uint16_t status_code,
> return false;
> }
>
> +static void netdev_ensure_registered(struct netdev *netdev)
The naming could use some work. What is being registered?
> +{
> + if (!netdev->sm) {
I would do:
if (L_WARN_ON(netdev->sm))
return;
....
> + netdev->sm = eapol_sm_new(netdev->handshake);
> + eapol_register(netdev->sm);
> + }
> +}
> +
> static void netdev_authenticate_event(struct l_genl_msg *msg,
> struct netdev *netdev)
> {
> @@ -2982,8 +2990,10 @@ static void netdev_authenticate_event(struct l_genl_msg *msg,
> NULL, netdev->user_data);
>
> /* We have sent another CMD_AUTHENTICATE / CMD_ASSOCIATE */
> - if (ret == 0 || ret == -EAGAIN)
> + if (ret == 0 || ret == -EAGAIN) {
> + netdev_ensure_registered(netdev);
Nit: The whole point of EAGAIN is that we're not proceeding to the next stage.
See src/auth-proto.h. You should only be trying to create eapol_sm when we do.
> return;
> + }
>
> retry = kernel_will_retry_auth(status_code,
> L_CPU_TO_LE16(auth->algorithm),
Regards,
-Denis
^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH] Register EAPOL frame listeners earlier
@ 2024-03-25 23:41 jeremy.whiting
2024-03-26 0:00 ` Jeremy Whiting
2024-03-26 4:42 ` Denis Kenzior
0 siblings, 2 replies; 9+ messages in thread
From: jeremy.whiting @ 2024-03-25 23:41 UTC (permalink / raw)
To: iwd; +Cc: ed.smith, alvaro.soliverez
From: Ed Smith <ed.smith@collabora.com>
If we register the main EAPOL frame listener as late as the associate
event, it may not observe ptk_1_of_4. This defeats handling for early
messages in eapol_rx_packet, which only sees messages once it has been
registered.
If we move registration to the authenticate event, then the EAPOL
frame listeners should observe all messages, without any possible
races. Note that the messages are not actually processed until
eapol_start() is called, and we haven't moved that call site. All
that's changing here is how early EAPOL messages can be observed.
---
src/netdev.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/netdev.c b/src/netdev.c
index 09fac959..d6dc7004 100644
--- a/src/netdev.c
+++ b/src/netdev.c
@@ -3011,6 +3011,11 @@ static void netdev_authenticate_event(struct l_genl_msg *msg,
}
}
+ if (!netdev->sm) {
+ netdev->sm = eapol_sm_new(netdev->handshake);
+ eapol_register(netdev->sm);
+ }
+
auth_error:
netdev_connect_failed(netdev, NETDEV_RESULT_AUTHENTICATION_FAILED,
status_code);
@@ -3099,9 +3104,6 @@ static void netdev_associate_event(struct l_genl_msg *msg,
netdev->ap = NULL;
}
- netdev->sm = eapol_sm_new(netdev->handshake);
- eapol_register(netdev->sm);
-
/* Just in case this was a retry */
netdev->ignore_connect_event = false;
--
2.44.0
^ permalink raw reply related [flat|nested] 9+ messages in thread* Re: [PATCH] Register EAPOL frame listeners earlier
2024-03-25 23:41 jeremy.whiting
@ 2024-03-26 0:00 ` Jeremy Whiting
2024-03-26 4:42 ` Denis Kenzior
1 sibling, 0 replies; 9+ messages in thread
From: Jeremy Whiting @ 2024-03-26 0:00 UTC (permalink / raw)
To: iwd; +Cc: ed.smith, alvaro.soliverez
Hello all,
Hold on this change. I just tested on the device itself and found with
this change I'm unable to connect to either my usual wifi setup (home
isp router) or the ios hotspot. Will discuss tomorrow with Ed but I
think moving it after all the possible auth failures is making it never
happen at all in some cases.
BR,
Jeremy
On 3/25/24 17:41, jeremy.whiting@collabora.com wrote:
> From: Ed Smith <ed.smith@collabora.com>
>
> If we register the main EAPOL frame listener as late as the associate
> event, it may not observe ptk_1_of_4. This defeats handling for early
> messages in eapol_rx_packet, which only sees messages once it has been
> registered.
>
> If we move registration to the authenticate event, then the EAPOL
> frame listeners should observe all messages, without any possible
> races. Note that the messages are not actually processed until
> eapol_start() is called, and we haven't moved that call site. All
> that's changing here is how early EAPOL messages can be observed.
> ---
> src/netdev.c | 8 +++++---
> 1 file changed, 5 insertions(+), 3 deletions(-)
>
> diff --git a/src/netdev.c b/src/netdev.c
> index 09fac959..d6dc7004 100644
> --- a/src/netdev.c
> +++ b/src/netdev.c
> @@ -3011,6 +3011,11 @@ static void netdev_authenticate_event(struct l_genl_msg *msg,
> }
> }
>
> + if (!netdev->sm) {
> + netdev->sm = eapol_sm_new(netdev->handshake);
> + eapol_register(netdev->sm);
> + }
> +
> auth_error:
> netdev_connect_failed(netdev, NETDEV_RESULT_AUTHENTICATION_FAILED,
> status_code);
> @@ -3099,9 +3104,6 @@ static void netdev_associate_event(struct l_genl_msg *msg,
> netdev->ap = NULL;
> }
>
> - netdev->sm = eapol_sm_new(netdev->handshake);
> - eapol_register(netdev->sm);
> -
> /* Just in case this was a retry */
> netdev->ignore_connect_event = false;
>
^ permalink raw reply [flat|nested] 9+ messages in thread* Re: [PATCH] Register EAPOL frame listeners earlier
2024-03-25 23:41 jeremy.whiting
2024-03-26 0:00 ` Jeremy Whiting
@ 2024-03-26 4:42 ` Denis Kenzior
1 sibling, 0 replies; 9+ messages in thread
From: Denis Kenzior @ 2024-03-26 4:42 UTC (permalink / raw)
To: jeremy.whiting, iwd; +Cc: ed.smith, alvaro.soliverez
Hi,
On 3/25/24 18:41, jeremy.whiting@collabora.com wrote:
> From: Ed Smith <ed.smith@collabora.com>
>
> If we register the main EAPOL frame listener as late as the associate
> event, it may not observe ptk_1_of_4. This defeats handling for early
> messages in eapol_rx_packet, which only sees messages once it has been
> registered.
>
Out of curiosity, is this driver using CONTROL_PORT_OVER_NL80211 ?
You should really talk to the vendor about getting the firmware fixed. Why are
EAPoL packets making it out before the Association event?
> If we move registration to the authenticate event, then the EAPOL
> frame listeners should observe all messages, without any possible
> races. Note that the messages are not actually processed until
> eapol_start() is called, and we haven't moved that call site. All
> that's changing here is how early EAPOL messages can be observed.
> ---
> src/netdev.c | 8 +++++---
> 1 file changed, 5 insertions(+), 3 deletions(-)
>
> diff --git a/src/netdev.c b/src/netdev.c
> index 09fac959..d6dc7004 100644
> --- a/src/netdev.c
> +++ b/src/netdev.c
> @@ -3011,6 +3011,11 @@ static void netdev_authenticate_event(struct l_genl_msg *msg,
> }
> }
>
> + if (!netdev->sm) {
> + netdev->sm = eapol_sm_new(netdev->handshake);
> + eapol_register(netdev->sm);
> + }
> +
You can't really do this here. In the case of SAE (wpa3-personal), a successful
transition from authenticate -> associate returns early:
/* We have sent another CMD_AUTHENTICATE / CMD_ASSOCIATE */
if (ret == 0 || ret == -EAGAIN)
return;
It is probably a good idea to only create the eapol_sm state machine once the
transition to Associate has happened (in other words, ret == 0). However...
> auth_error:
> netdev_connect_failed(netdev, NETDEV_RESULT_AUTHENTICATION_FAILED,
> status_code);
> @@ -3099,9 +3104,6 @@ static void netdev_associate_event(struct l_genl_msg *msg,
> netdev->ap = NULL;
> }
>
> - netdev->sm = eapol_sm_new(netdev->handshake);
> - eapol_register(netdev->sm);
> -
netdev_authenticate_event doesn't cover FT cases, so most likely this simple
removal here will result in FT being broken, or rather re-keys after FT. Thus
special care must be taken for FT.
> /* Just in case this was a retry */
> netdev->ignore_connect_event = false;
>
Your original patch was took care of both cases, albeit in a brute force way.
Regards,
-Denis
^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2024-03-27 21:01 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-03-26 23:11 [PATCH] Register EAPOL frame listeners earlier jeremy.whiting
2024-03-27 11:51 ` James Prestwood
2024-03-27 18:53 ` Jeremy Whiting
2024-03-27 19:10 ` James Prestwood
-- strict thread matches above, loose matches on Subject: below --
2024-03-27 18:49 jeremy.whiting
2024-03-27 21:01 ` Denis Kenzior
2024-03-25 23:41 jeremy.whiting
2024-03-26 0:00 ` Jeremy Whiting
2024-03-26 4:42 ` Denis Kenzior
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.