>Synopsis:	Athn driver or net80211 stack not prioritizing incoming WPA handshake frames properly
>Category:	Athn driver or net80211
>Environment:
	System      : OpenBSD 7.0
	Details     : OpenBSD 7.0-current (GENERIC.MP) #251 ad...@router.my.domain:/usr/src/sys/arch/amd64/compile/GENERIC.MP

	Architecture: OpenBSD.amd64
	Machine     : amd64
>Description:
	When athn is used as a wireless access point and one wireless client is downloading a snapshot, other wireless clients cannot complete the WPA handshake.
>How-To-Repeat:
	1. Run athn as a wireless access point in 11n or 11g mode.
	2. Connect one wireless client and download a snapshot.
	3. While the first wireless client is performing the download, try connecting another wireless client that has not already been authenticated; the connection fails.

	Note that this behavior occurs regardless of the following wireless clients: OpenBSD, iPhone, Windows.

	Several current amd64 snapshots were tested on an APU4 router with a wle200nx PCI wireless card over a period of several weeks this month, including 7.0 amd64 GENERIC.MP#251.

	Running "ifconfig athn0 debug" during the problematic behavior yields:

	athn0: sending auth to xx on channel 3 mode 11n
	athn0: station xx newly authenticated (open)
	athn0: sending assoc_resp to xx on channel 3 mode 11n
	athn0: sending msg 1/4 of the 4-way handshake to xx
	athn0: sending msg 1/4 of the 4-way handshake to xx
	athn0: sending msg 1/4 of the 4-way handshake to xx
	athn0: station xx deauthenticate (reason 15)
	athn0: sending deauth to xx on channel 3 mode 11n

>Fix:
	stsp@ clarified that reason code 15 means a timeout was reached and that the 802.11 standard requires a 100 ms timeout for every response to make replay attacks harder. He suggested:

	1. Putting the AP in 11g mode to disable tx aggregation on clients and reduce buffering of received frames in the AP, reducing the interrupt load individual clients are able to produce on the AP. Putting the AP in 11g mode, however, did not change the handshake failure.

	2. Compiling a custom kernel patched to use a larger timeout for 4-way handshake packets. [changed timeout_add_msec(&ni->ni_eapol_to, 100) to timeout_add_msec(&ni->ni_eapol_to, 1000) in /cvs/src/sys/net80211/ieee80211_pae_output.c] This allowed the 4-way handshake to complete.

	stsp@ analysis prior to tests 1 and 2 above:

	It seems that the athn driver or net80211 stack does not prioritize incoming frames involved in WPA handshakes properly. Under load, handshake packets could be delayed as a result of buffering and processing packets from aggregated frames sent by clients which are using 11n Tx aggregation. There could also be a high interrupt load on the system while sustaining such traffic, delaying processing of the response frame. If this is indeed the reason for this issue, then prioritizing WPA handshake packets in the receive path of the driver would be the proper fix.

	[referring to suggestion 2 above] ...If raising this timeout works around the problem then we know for sure that we need to implement proper prioritization of such responses in the driver.
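The debug output quoted above is the only visible symptom of this failure: repeated "msg 1/4" transmissions to one station followed by a reason 15 deauthentication. The following sh/awk filter is an added example, not part of the report or of OpenBSD, that summarizes "ifconfig athn0 debug" output per station so an operator can count how many handshakes time out and how many 1/4 retransmissions preceded each timeout, before and after a workaround such as the larger EAPOL timeout. The sample lines are constructed from the report's redacted output for station "xx"; the station "yy" that completes its handshake is an assumption added to show the other outcome.

```shell
#!/bin/sh
# Added example (not from the report or OpenBSD): summarize 4-way handshake
# outcomes per station from "ifconfig athn0 debug" output read on stdin.
#
# Output, one line per event, in log order:
#   timeout <station> <count>   station deauthenticated with reason 15 after
#                               <count> transmissions of msg 1/4
#   completed <station>         AP sent msg 3/4, i.e. the client answered 1/4
handshake_summary() {
    awk '
    # The AP retransmits msg 1/4 until the client answers or the EAPOL timer fires.
    /sending msg 1\/4 of the 4-way handshake to/ { msg1[$NF]++ }
    # msg 3/4 is only sent after a valid msg 2/4 arrived: the handshake progressed.
    /sending msg 3\/4 of the 4-way handshake to/ { print "completed", $NF; delete msg1[$NF] }
    # "athn0: station <addr> deauthenticate (reason 15)": reason 15 is the
    # 4-way handshake timeout; the station address is field 3.
    /deauthenticate \(reason 15\)/ { print "timeout", $3, msg1[$3] + 0; delete msg1[$3] }
    '
}

# Constructed sample: the redacted output from the report for station xx, plus an
# assumed station yy whose handshake progresses past msg 1/4.
SAMPLE_LOG='athn0: sending auth to xx on channel 3 mode 11n
athn0: station xx newly authenticated (open)
athn0: sending assoc_resp to xx on channel 3 mode 11n
athn0: sending msg 1/4 of the 4-way handshake to xx
athn0: sending msg 1/4 of the 4-way handshake to xx
athn0: sending msg 1/4 of the 4-way handshake to xx
athn0: station xx deauthenticate (reason 15)
athn0: sending deauth to xx on channel 3 mode 11n
athn0: sending msg 1/4 of the 4-way handshake to yy
athn0: sending msg 3/4 of the 4-way handshake to yy'

# Stand-alone run over the constructed sample; in practice feed it the debug
# lines collected from the console or syslog while the AP is under load.
printf '%s\n' "$SAMPLE_LOG" | handshake_summary
```

The filter keys on the message strings exactly as they appear in the report, so it is only as stable as that debug output; a station that never reaches msg 3/4 and is never deauthenticated with reason 15 (for example one that simply leaves) produces no line at all.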