[PATCH] wpa_supplicant: Wait for eapol 4/4 tx-status before setting key.

[Jouni Malinen]

On Tue, Jun 13, 2017 at 11:29:16AM -0700, greearb at candelatech.com wrote:
> Supplicant is using generic L2 send function for EAPOL
> messages which doesn't give back status whether frame has been
> acked or not. It can lead to wrong wpa states when EAPOL 4/4
> is lost i.e. client is in connected state but keys aren't
> established on AP side.
> Fix that by using nl80211_send_eapol_data as for AP side
> and check in conneced state that 4/4 EAPOL has been acked.

That part about tracking TX status sounds fine..

> As a combined improvement, do not actually set the keys until
> we receive notification that the 4/4 message was sent.  This fixes
> races in ath10k CT firmware, and may eventually let other firmware
> remove hacks that were needed to work around this key-setting
> race.

However, this is going to the wrong direction to work around an issue.
The pairwise key (TK) needs to be set sooner, not later; but only for RX
first. Delaying setting of the TK for RX will introduce more issues with
Action frame RX when using PMF. There are number of cases where the AP
sends a protected Action frame immediately after receiving the EAPOL-Key
msg 4/4. Any extra delay on the station side will increase likelihood of
dropping such frames. The correct way to fix this is to finally provide
means for setting RX-only key that is then converted to TX+RX at a
suitable point in time. In practice, doing EAPOL over nl80211 with extra
flags for controlling whether to encrypt (and even more complicated,
whether to use the previous key during PTK rekeying) may end up being
the easiest way of fixing this.

-- 
Jouni Malinen                                            PGP id EFC895FA