Hostapd sends unencrypted Data Packets during EAP Handshake on an encrypted Network

Jouni Malinen j at w1.fi
Tue Aug 6 08:18:08 PDT 2019


On Tue, Aug 06, 2019 at 04:40:34PM +0200, Flole wrote:
> I have a WPA2 Enterprise Network configured running hostapd 2.5 and I had a
> device do the EAP Handshake and in the middle of the Handshake there were 2
> packets targeted to that device sent to the Access Point to be forwarded to
> the client (meaning its target IP/MAC was set to the client's IP/MAC). The
> packets were forwarded unencrypted on-air and it is visible in a wifi
> capture in clear text, even though this is a WPA2 Enterprise encrypted
> network. I think under no circumstances should any data packet be sent
> unencrypted, and that sending of the packets should either be delayed or the
> packets should be discarded at that point because the client is not
> currently fully connected.

Just to be clear on this, hostapd does not send these frames, i.e.,
forwarding of data frames is completely outside the scope of hostapd and
it is done by the kernel networking stack and WLAN driver.

Which WLAN hardware (vendor/model) and driver are you using?

> Is this known? Has someone seen something similar? Is this intended? Is this
> maybe fixed in a newer version (the changelog doesn't indicate that)?

This sounds like a bug in the driver. hostapd marks a specific station as
authorized only after having successfully completed the WPA2 4-way
handshake, i.e., only once the encryption keys are configured. The
kernel code is supposed to drop packets that might show up for
forwarding to a station that has associated, but has not yet been marked
authorized.

-- 
Jouni Malinen                                            PGP id EFC895FA
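
Added example, not part of the original message and not hostapd or kernel code: a check over raw 802.11 frames for the symptom reported in this thread, i.e. AP-to-station data frames with the Protected bit clear that carry something other than EAPOL. It assumes frames without a radiotap header or FCS; the helper names and sample frames are constructed for illustration.

```python
import struct

EAPOL = 0x888E                            # EtherType of EAPOL (EAP and 4-way handshake frames)
LLC_SNAP = bytes.fromhex("aaaa03000000")  # LLC/SNAP prefix preceding the EtherType

def classify(frame: bytes):
    """Return (station_mac, ethertype) for an unprotected non-EAPOL data frame
    sent AP -> station, else None. Assumes no radiotap header and no FCS."""
    if len(frame) < 24:
        return None
    fc0, flags = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if ftype != 2 or subtype & 0x4:       # not a data frame, or a Null subtype (no body)
        return None
    if flags & 0x03 != 0x02:              # keep FromDS=1, ToDS=0 only
        return None
    if flags & 0x40:                      # Protected bit set: body is encrypted
        return None
    hdr = 24
    if subtype & 0x8:                     # QoS data: 2-byte QoS Control,
        hdr += 6 if flags & 0x80 else 2   # plus 4-byte HT Control if Order is set
    body = frame[hdr:hdr + 8]
    if len(body) < 8 or body[:6] != LLC_SNAP:
        return None
    (ethertype,) = struct.unpack(">H", body[6:8])
    if ethertype == EAPOL:                # handshake frames are plaintext by design
        return None
    return frame[4:10].hex(":"), ethertype   # Addr1 = receiving station

def find_leaks(frames):
    """Indexes, stations and EtherTypes of frames that went out in the clear."""
    return [(i, *hit) for i, f in enumerate(frames) if (hit := classify(f))]

def build(subtype, flags, sta, bssid, ethertype):
    """Construct a minimal sample frame (test data only)."""
    hdr = bytes([(subtype << 4) | 0x08, flags]) + b"\x00\x00" + sta + bssid + bssid + b"\x00\x00"
    hdr += b"\x00\x00" if subtype & 0x8 else b""
    return hdr + LLC_SNAP + struct.pack(">H", ethertype) + b"\x00" * 8

STA, BSSID = bytes.fromhex("020000000001"), bytes.fromhex("0200000000aa")
SAMPLE = [                                # constructed frames, not from a real capture
    build(8, 0x02, STA, BSSID, EAPOL),    # EAPOL during the handshake: expected
    build(8, 0x02, STA, BSSID, 0x0800),   # IPv4 in the clear: the reported symptom
    build(8, 0x42, STA, BSSID, 0x0800),   # Protected data frame after key install
]

if __name__ == "__main__":
    for idx, sta, etype in find_leaks(SAMPLE):
        print(f"frame {idx}: plaintext data to {sta}, EtherType 0x{etype:04x}")
```

A hit on a WPA2 network points at the forwarding path (driver or kernel) rather than at hostapd, matching the explanation in the reply above.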


