>Synopsis:      <Athn driver or net80211 stack not prioritizing incoming WPA handshake frames properly>
>Category:      <Athn driver or net80211>
>Environment:
        System      : OpenBSD 7.0
        Details     : OpenBSD 7.0-current (GENERIC.MP) #251
                         ad...@router.my.domain:/usr/src/sys/arch/amd64/compile/GENERIC.MP

        Architecture: OpenBSD.amd64
        Machine     : amd64
>Description:
        <When athn is used as a wireless access point and one wireless client 
is downloading a snapshot, other wireless clients cannot complete the WPA handshake.>
>How-To-Repeat:
        <1.  Run athn as a wireless access point in 11n or 11g mode.
         2.  Connect one wireless client and download a snapshot.
         3.  While the first wireless client is performing the download, try 
connecting another wireless client that has not already been authenticated; the 
connection fails.

Note this behavior occurs regardless of the wireless client used: 
OpenBSD, iPhone, Windows.  Several current amd64 snapshots were tested on an 
APU4 router with a wle200nx PCI wireless card over a period of several weeks this 
month, including 7.0 amd64 GENERIC.MP#251.

Running "ifconfig athn0 debug" during the problematic behavior yields:
athn0: sending auth to xx on channel 3 mode 11n
athn0: station xx newly authenticated (open)
athn0: sending assoc_resp to xx on channel 3 mode 11n
athn0: sending msg 1/4 of the 4-way handshake to xx
athn0: sending msg 1/4 of the 4-way handshake to xx
athn0: sending msg 1/4 of the 4-way handshake to xx
athn0: station xx deauthenticate (reason 15)
athn0: sending deauth to xx on channel 3 mode 11n
>
>Fix:
        < stsp@ clarified that reason code 15 means a timeout was reached and 
that the 802.11 standard requires a 100 ms timeout for every response to make replay 
attacks harder.

He suggested:

1.  Putting AP in 11g mode to disable tx aggregation on clients and reduce 
buffering of received frames in the AP, reducing the interrupt load individual 
clients are able to produce on the AP.

Putting AP in 11g mode, however, did not change the handshake failure.

2.  Compile a custom kernel patched to use a larger timeout for 4-way handshake 
packets.

[changed timeout_add_msec(&ni->ni_eapol_to,100) to 
timeout_add_msec(&ni->ni_eapol_to,1000) in 
/cvs/src/sys/net80211/ieee80211_pae_output.c]

This allowed the 4-way handshake to complete.

stsp@'s analysis prior to tests 1 and 2 above:

It seems that the athn driver or net80211 stack does not prioritize incoming 
frames involved in WPA handshakes properly.  Under load, handshake packets 
could be delayed as a result of buffering and processing packets from 
aggregated frames sent by clients which are using 11n Tx aggregation.  There 
could also be a high interrupt load on the system while sustaining such 
traffic, delaying processing of the response frame.

If this is indeed the reason for this issue, then prioritizing WPA handshake 
packets in the receive path of the driver would be the proper fix.

[referring to suggestion 2 above]
...If raising this timeout works around the problem then we know for sure that 
we need to implement proper prioritization of such responses in the driver.

>
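As an added example that is not part of the bug report above, the script below parses the "ifconfig athn0 debug" lines quoted in the report and flags stations whose 4-way handshake stalled at msg 1/4 and ended with a deauthentication carrying reason code 15, so the failure pattern can be spotted in a longer log without reading it by hand. The lines for station xx are copied from the report; the lines for station yy (a handshake that progresses to msg 3/4) are constructed for contrast and are an assumption about what a successful exchange looks like in the same log format.

```python
import re
from collections import defaultdict

# Sample "ifconfig athn0 debug" output. The station xx block is taken from
# the bug report; the station yy block is constructed to show a handshake
# that is progressing normally (msg 3/4 is only sent after msg 2/4 arrived).
SAMPLE_LOG = """\
athn0: sending auth to xx on channel 3 mode 11n
athn0: station xx newly authenticated (open)
athn0: sending assoc_resp to xx on channel 3 mode 11n
athn0: sending msg 1/4 of the 4-way handshake to xx
athn0: sending msg 1/4 of the 4-way handshake to xx
athn0: sending msg 1/4 of the 4-way handshake to xx
athn0: station xx deauthenticate (reason 15)
athn0: sending deauth to xx on channel 3 mode 11n
athn0: sending auth to yy on channel 3 mode 11n
athn0: station yy newly authenticated (open)
athn0: sending assoc_resp to yy on channel 3 mode 11n
athn0: sending msg 1/4 of the 4-way handshake to yy
athn0: sending msg 3/4 of the 4-way handshake to yy
"""

MSG_RE = re.compile(r"sending msg (\d)/4 of the 4-way handshake to (\S+)")
DEAUTH_RE = re.compile(r"station (\S+) deauthenticate \(reason (\d+)\)")

# IEEE 802.11 reason code 15: 4-way handshake timeout (as stated in the report)
REASON_4WAY_TIMEOUT = 15


def analyze_handshakes(log_text):
    """Return per-station handshake state parsed from debug output.

    Each entry records how many times msg 1/4 was (re)sent, the highest
    handshake message number the AP sent, and the deauth reason, if any.
    """
    stations = defaultdict(
        lambda: {"msg1_sends": 0, "max_msg": 0, "deauth_reason": None}
    )
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if m:
            num, sta = int(m.group(1)), m.group(2)
            st = stations[sta]
            if num == 1:
                st["msg1_sends"] += 1
            st["max_msg"] = max(st["max_msg"], num)
            continue
        m = DEAUTH_RE.search(line)
        if m:
            stations[m.group(1)]["deauth_reason"] = int(m.group(2))
    return dict(stations)


def timed_out_stations(stations):
    """Stations that never got past msg 1/4 and were deauthenticated
    with reason 15, i.e. the pattern described in the bug report."""
    return sorted(
        sta
        for sta, st in stations.items()
        if st["deauth_reason"] == REASON_4WAY_TIMEOUT and st["max_msg"] == 1
    )


if __name__ == "__main__":
    result = analyze_handshakes(SAMPLE_LOG)
    for sta, st in sorted(result.items()):
        print(sta, st)
    print("4-way handshake timeouts:", timed_out_stations(result))
```

Running the script against a real debug log (for example, redirected from the console or dmesg) lists every station that hit the timeout; repeated msg 1/4 sends without a later msg 3/4 are the sign that msg 2/4 from the client was not processed within the 100 ms window.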
