  • mac80211: Drop unencrypted frames based on key setup · 0c7c10c7
    Jouni Malinen authored
    
    
    When using nl80211, we do not have a mechanism to set
    sdata->drop_unencrypted. Currently, this breaks code that is supposed
    to drop unencrypted frames when protection is expected since
    ieee80211_rx_h_decrypt() is optimized to not set rx->key when the
    frame is not protected.
    
    This patch modifies ieee80211_rx_h_decrypt() to set rx->key for all
    frames and only skip decryption if the frame is not protected. This
    allows ieee80211_drop_unencrypted() to correctly drop frames even if
    drop_unencrypted is not set.
    
    The changes here are not enough to handle all cases, though. Additional
    patches will be needed to implement proper IEEE 802.1X PAE for station
    mode (currently, this is only used for AP mode) and some additional
    rules are needed for MFP to drop unprotected Robust Action frames prior
    to having PTK and IGTK configured.
    
    In theory, the unprotected frames could and should be dropped in
    ieee80211_rx_h_decrypt(). However, due to the special case with EAPOL
    frames that have to be allowed to be received unprotected even when
    keys are set, it is simpler to only set rx->key and allow the
    ieee80211_frame_allowed() function to handle the actual dropping of
    data frames after 802.11->802.3 header conversion. In addition,
    unprotected robust management frames are dropped before they are
    processed.
    
    Signed-off-by: Jouni Malinen <jouni.malinen@atheros.com>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>
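
The receive-path decision the commit message describes, as a simplified model added here (not code from the patch or from mac80211). The struct, field and function names are assumptions; decryption of protected frames and the robust management frame rule are left out.

```c
#include <stdbool.h>
#include <stdio.h>

/* Illustrative model only: these are not mac80211's structures. */
struct rx_frame {
    bool protected_bit;    /* Protected Frame bit set in Frame Control */
    bool is_eapol;         /* payload is an EAPOL (802.1X) frame */
};

struct rx_ctx {
    bool key_configured;   /* a key has been installed for this peer */
    bool drop_unencrypted; /* interface flag the message says nl80211 cannot set */
};

/* Key selection: models whether rx->key ends up set for this frame.
 * old_behaviour = true models the optimization described in the message,
 * where no key is recorded when the frame is not protected. */
bool select_key(const struct rx_ctx *c, const struct rx_frame *f, bool old_behaviour)
{
    if (old_behaviour && !f->protected_bit)
        return false;
    return c->key_configured;
}

/* Later drop decision for data frames: true means the frame is dropped. */
bool frame_dropped(const struct rx_ctx *c, const struct rx_frame *f, bool old_behaviour)
{
    bool rx_key = select_key(c, f, old_behaviour);

    if (f->is_eapol)       /* EAPOL must be receivable unprotected, even with keys set */
        return false;
    return !f->protected_bit && (rx_key || c->drop_unencrypted);
}

int main(void)
{
    /* Constructed case: key installed, drop_unencrypted never set (nl80211). */
    struct rx_ctx ctx = { .key_configured = true, .drop_unencrypted = false };
    struct rx_frame plain_data = { .protected_bit = false, .is_eapol = false };
    struct rx_frame plain_eapol = { .protected_bit = false, .is_eapol = true };

    printf("plaintext data, old: dropped=%d\n", frame_dropped(&ctx, &plain_data, true));
    printf("plaintext data, new: dropped=%d\n", frame_dropped(&ctx, &plain_data, false));
    printf("plaintext EAPOL, new: dropped=%d\n", frame_dropped(&ctx, &plain_eapol, false));
    return 0;
}
```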