[Madwifi-devel] Re: [Madwifi-cvs] revision 1527 committed by kelmo
Status: Beta
Brought to you by:
otaku
From: Jouni M. <jkm...@cc...> - 2006-04-24 18:13:44
|
On Mon, Apr 24, 2006 at 01:57:45PM -0400, Brian Eaton wrote: > Jouni, while we've got you looking at the madwifi code, could you > offer your opinion on the handling of unencrypted EAPOL frames? > > /* > * The wext API says that user space gets to decide whether EAPOL frames are > * supposed to be encrypted or in cleartext. Hmm.. It is saying whether unencrypted EAPOL frames should be allowed to be received. It does not say whether EAPOL frames are to be encrypted or not. > The code in WPA supplicant > * indicates that if the AP is using 802.1x authentication but not WPA for > * key mgmt the eapol frames should be encrypted. No it does not. Or if it does, please let me know where so that I can fix it. The comment in driver_wext.c: /* Allow unencrypted EAPOL messages even if pairwise keys are set when * not using WPA. IEEE 802.1X specifies that these frames are not * encrypted, but WPA encrypts them when pairwise keys are in use. */ If AP is using IEEE 802.1X authentication without WPA, all EAPOL frames are unencrypted. If AP is using WPA/WPA2 (with PSK or 802.1X/EAP), EAPOL frames are unencrypted before pairwise keys are set, but they will be encrypted after pairwise keys are set (e.g., Group Key handshake and rekeying/reauthentication). > * or if wpa_supplicant is doing the wrong thing. But if I let wpa_supplicant > * tell madwifi to drop unencrypted eapol frames, it breaks the authentication. Unencrypted EAPOL frames should be dropped only if pairwise keys are configured. -- Jouni Malinen PGP id EFC895FA |