Mac80211 : Wpa rekeying issue

Mac80211 : Wpa rekeying issue

[Cedric VONCKEN]

Hi, 

My test plateform is:
2 equipements
Both equipment used compat version 2015-07-21 from openwrt.
Both equipment used security WPA2

The equipment #1 is an AP.
	The Group rekey interval is set to 3601s 
	The Pair rekey interval set to 50s (I reduced this value to show
the issue often)
	The Master rekey interval is set to 86400 s.

The equipment #2 is a sta+wds

I used a 5GHz channel to have a free channel (without other AP)
I connected a computer on each equipment.

To reproduce the issue:
	I ran iperf udp@50Mbps from computer connected to the AP to the
computer connected to the sta. After several WPA2 rekeying, iperf server
side didn't received any frame.

I investigated in the driver. All packets are dropped in sta side,
because the function ieee80211_crypto_ccmp_decrypt return
Rx_DROP_UNUSABLE. This function return this code because the test
if(memcmp(pn,key->u.ccmp.rx_pn[queue],IEEE8021_CCMP_PN_LEN) <=0) return
true.

Have you any idea to fix this issue?

Thanks for your help.

Cedric.

Re: Mac80211 : Wpa rekeying issue

[Emmanuel Grumbach]

On Tue, Dec 29, 2015 at 3:01 PM, Cedric VONCKEN
<cedric.voncken@acksys.fr> wrote:
> Hi,
>
> My test plateform is:
> 2 equipements
> Both equipment used compat version 2015-07-21 from openwrt.
> Both equipment used security WPA2
>
> The equipment #1 is an AP.
>         The Group rekey interval is set to 3601s
>         The Pair rekey interval set to 50s (I reduced this value to show
> the issue often)
>         The Master rekey interval is set to 86400 s.
>
> The equipment #2 is a sta+wds
>
> I used a 5GHz channel to have a free channel (without other AP)
> I connected a computer on each equipment.
>
> To reproduce the issue:
>         I ran iperf udp@50Mbps from computer connected to the AP to the
> computer connected to the sta. After several WPA2 rekeying, iperf server
> side didn't received any frame.
>
> I investigated in the driver. All packets are dropped in sta side,
> because the function ieee80211_crypto_ccmp_decrypt return
> Rx_DROP_UNUSABLE. This function return this code because the test
> if(memcmp(pn,key->u.ccmp.rx_pn[queue],IEEE8021_CCMP_PN_LEN) <=0) return
> true.
>
> Have you any idea to fix this issue?
>

I don't remember exactly what we had, but you may look at
http://permalink.gmane.org/gmane.linux.kernel.wireless.general/137742

RE: Mac80211 : Wpa rekeying issue

[voncken]

	> -----Message d'origine-----
> De : Emmanuel Grumbach [mailto:egrumbach@gmail.com]
> Envoyé : mardi 29 décembre 2015 15:20
> À : Cedric VONCKEN
> Cc : linux-wireless
> Objet : Re: Mac80211 : Wpa rekeying issue
> 
> On Tue, Dec 29, 2015 at 3:01 PM, Cedric VONCKEN <cedric.voncken@acksys.fr>
> wrote:
> > Hi,
> >
> > My test plateform is:
> > 2 equipements
> > Both equipment used compat version 2015-07-21 from openwrt.
> > Both equipment used security WPA2
> >
> > The equipment #1 is an AP.
> >         The Group rekey interval is set to 3601s
> >         The Pair rekey interval set to 50s (I reduced this value to
> > show the issue often)
> >         The Master rekey interval is set to 86400 s.
> >
> > The equipment #2 is a sta+wds
> >
> > I used a 5GHz channel to have a free channel (without other AP) I
> > connected a computer on each equipment.
> >
> > To reproduce the issue:
> >         I ran iperf udp@50Mbps from computer connected to the AP to
> > the computer connected to the sta. After several WPA2 rekeying, iperf
> > server side didn't received any frame.
> >
> > I investigated in the driver. All packets are dropped in sta side,
> > because the function ieee80211_crypto_ccmp_decrypt return
> > Rx_DROP_UNUSABLE. This function return this code because the test
> > if(memcmp(pn,key->u.ccmp.rx_pn[queue],IEEE8021_CCMP_PN_LEN) <=0)
> > return true.
> >
> > Have you any idea to fix this issue?
> >
> 
> I don't remember exactly what we had, but you may look at
> http://permalink.gmane.org/gmane.linux.kernel.wireless.general/137742

Thanks for the link, I think I'm in the same situation.

How can I fix this issue?

Because the patch sent by Alexander Wetzel was rejected by Johannes (for security reason), and if I disable the hw crypto I will have performance issue.

RE: Mac80211 : Wpa rekeying issue

[voncken]

[-- Attachment #1: Type: text/plain, Size: 2698 bytes --]

	Hi, 

I'm not a WPA expert and security expert, 

Could you explain why the patch sent by Alexander Wetzel break the security properties of this code?

The Alexander's patch is in attachment.

Thanks for your help.

> -----Message d'origine-----
> De : linux-wireless-owner@vger.kernel.org [mailto:linux-wireless-
> owner@vger.kernel.org] De la part de voncken
> Envoyé : mardi 29 décembre 2015 16:24
> À : 'Emmanuel Grumbach'
> Cc : 'linux-wireless'; 'Johannes Berg'
> Objet : RE: Mac80211 : Wpa rekeying issue
> 
> 	> -----Message d'origine-----
> > De : Emmanuel Grumbach [mailto:egrumbach@gmail.com] Envoyé : mardi 29
> > décembre 2015 15:20 À : Cedric VONCKEN Cc : linux-wireless Objet : Re:
> > Mac80211 : Wpa rekeying issue
> >
> > On Tue, Dec 29, 2015 at 3:01 PM, Cedric VONCKEN
> > <cedric.voncken@acksys.fr>
> > wrote:
> > > Hi,
> > >
> > > My test plateform is:
> > > 2 equipements
> > > Both equipment used compat version 2015-07-21 from openwrt.
> > > Both equipment used security WPA2
> > >
> > > The equipment #1 is an AP.
> > >         The Group rekey interval is set to 3601s
> > >         The Pair rekey interval set to 50s (I reduced this value to
> > > show the issue often)
> > >         The Master rekey interval is set to 86400 s.
> > >
> > > The equipment #2 is a sta+wds
> > >
> > > I used a 5GHz channel to have a free channel (without other AP) I
> > > connected a computer on each equipment.
> > >
> > > To reproduce the issue:
> > >         I ran iperf udp@50Mbps from computer connected to the AP to
> > > the computer connected to the sta. After several WPA2 rekeying,
> > > iperf server side didn't received any frame.
> > >
> > > I investigated in the driver. All packets are dropped in sta side,
> > > because the function ieee80211_crypto_ccmp_decrypt return
> > > Rx_DROP_UNUSABLE. This function return this code because the test
> > > if(memcmp(pn,key->u.ccmp.rx_pn[queue],IEEE8021_CCMP_PN_LEN) <=0)
> > > return true.
> > >
> > > Have you any idea to fix this issue?
> > >
> >
> > I don't remember exactly what we had, but you may look at
> > http://permalink.gmane.org/gmane.linux.kernel.wireless.general/137742
> 
> Thanks for the link, I think I'm in the same situation.
> 
> How can I fix this issue?
> 
> Because the patch sent by Alexander Wetzel was rejected by Johannes (for
> security reason), and if I disable the hw crypto I will have performance
> issue.
> 
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-wireless"
> in the body of a message to majordomo@vger.kernel.org More majordomo info
> at  http://vger.kernel.org/majordomo-info.html

[-- Attachment #2: fix1.patch --]
[-- Type: application/octet-stream, Size: 3731 bytes --]

diff -ur linux-4.0.4-gentoo/net/mac80211/key.h linux-4.0.4-gentoo_patched/net/mac80211/key.h
--- linux-4.0.4-gentoo/net/mac80211/key.h	2015-04-13 00:12:50.000000000 +0200
+++ linux-4.0.4-gentoo_patched/net/mac80211/key.h	2015-05-20 13:16:06.370256697 +0200
@@ -84,12 +84,14 @@
 			 * Management frames.
 			 */
 			u8 rx_pn[IEEE80211_NUM_TIDS + 1][IEEE80211_CCMP_PN_LEN];
+			u8 rx_pn_old[IEEE80211_NUM_TIDS + 1][IEEE80211_CCMP_PN_LEN];
 			struct crypto_aead *tfm;
 			u32 replays; /* dot11RSNAStatsCCMPReplays */
 		} ccmp;
 		struct {
 			atomic64_t tx_pn;
 			u8 rx_pn[IEEE80211_CMAC_PN_LEN];
+			u8 rx_pn_old[IEEE80211_CMAC_PN_LEN];
 			struct crypto_cipher *tfm;
 			u32 replays; /* dot11RSNAStatsCMACReplays */
 			u32 icverrors; /* dot11RSNAStatsCMACICVErrors */
@@ -97,6 +99,7 @@
 		struct {
 			atomic64_t tx_pn;
 			u8 rx_pn[IEEE80211_GMAC_PN_LEN];
+			u8 rx_pn_old[IEEE80211_GMAC_PN_LEN];
 			struct crypto_aead *tfm;
 			u32 replays; /* dot11RSNAStatsCMACReplays */
 			u32 icverrors; /* dot11RSNAStatsCMACICVErrors */
@@ -109,12 +112,14 @@
 			 * Management frames.
 			 */
 			u8 rx_pn[IEEE80211_NUM_TIDS + 1][IEEE80211_GCMP_PN_LEN];
+			u8 rx_pn_old[IEEE80211_NUM_TIDS + 1][IEEE80211_GCMP_PN_LEN];
 			struct crypto_aead *tfm;
 			u32 replays; /* dot11RSNAStatsGCMPReplays */
 		} gcmp;
 		struct {
 			/* generic cipher scheme */
 			u8 rx_pn[IEEE80211_NUM_TIDS + 1][MAX_PN_LEN];
+			u8 rx_pn_old[IEEE80211_NUM_TIDS + 1][MAX_PN_LEN];
 		} gen;
 	} u;
 
diff -ur linux-4.0.4-gentoo/net/mac80211/wpa.c linux-4.0.4-gentoo_patched/net/mac80211/wpa.c
--- linux-4.0.4-gentoo/net/mac80211/wpa.c	2015-04-13 00:12:50.000000000 +0200
+++ linux-4.0.4-gentoo_patched/net/mac80211/wpa.c	2015-05-20 21:43:25.529721066 +0200
@@ -495,6 +495,7 @@
 	struct sk_buff *skb = rx->skb;
 	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
 	u8 pn[IEEE80211_CCMP_PN_LEN];
+	static u8 zero[IEEE80211_CCMP_PN_LEN];
 	int data_len;
 	int queue;
 
@@ -525,6 +526,31 @@
 		return RX_DROP_UNUSABLE;
 	}
 
+	/* HACK: try to work around race when replacing PSK with enabled hardware offload on AP or STA */
+	if (unlikely(memcmp(key->u.ccmp.rx_pn[queue], zero, IEEE80211_CCMP_PN_LEN) == 0 )) {
+
+		printk ("DDD - rx_pn is zero, virgin key detected! pl=%x\n", pn[IEEE80211_CCMP_PN_LEN-1]);
+		print_hex_dump_debug("cnt: ", DUMP_PREFIX_OFFSET, IEEE80211_CCMP_PN_LEN, 1, key->u.ccmp.rx_pn[queue], IEEE80211_CCMP_PN_LEN, false);
+		print_hex_dump_debug("pn : ", DUMP_PREFIX_OFFSET, IEEE80211_CCMP_PN_LEN, 1, pn, IEEE80211_CCMP_PN_LEN, false);
+
+		if ((memcmp(pn, zero, IEEE80211_CCMP_PN_LEN -1) == 0) && pn[IEEE80211_CCMP_PN_LEN-1] <= 10) {
+			/* pn is <=10 , we can start using the new counter */
+			printk ("DDD - set new pn\n");
+			memcpy(key->u.ccmp.rx_pn[queue], pn, IEEE80211_CCMP_PN_LEN);
+		} else if (memcmp(pn, key->u.ccmp.rx_pn_old[queue], IEEE80211_CCMP_PN_LEN) <= 0) {
+			printk ("DDD - attack!\n");
+			/* reply attack during rekey operation, guess it will really hard to do that... */
+			key->u.ccmp.replays++; /* we count it as an reply anyway...*/
+			return RX_DROP_UNUSABLE; 
+		} else {	
+			printk ("DDD - prevent poisening \n");
+			memcpy(key->u.ccmp.rx_pn_old[queue], pn, IEEE80211_CCMP_PN_LEN);
+		}
+	} else {
+			
+		memcpy(key->u.ccmp.rx_pn[queue], pn, IEEE80211_CCMP_PN_LEN);
+	}
+
 	if (!(status->flag & RX_FLAG_DECRYPTED)) {
 		u8 aad[2 * AES_BLOCK_SIZE];
 		u8 b_0[AES_BLOCK_SIZE];
@@ -539,8 +565,6 @@
 			return RX_DROP_UNUSABLE;
 	}
 
-	memcpy(key->u.ccmp.rx_pn[queue], pn, IEEE80211_CCMP_PN_LEN);
-
 	/* Remove CCMP header and MIC */
 	if (pskb_trim(skb, skb->len - mic_len))
 		return RX_DROP_UNUSABLE;

Re: Mac80211 : Wpa rekeying issue

[Emmanuel Grumbach]

On Thu, Dec 31, 2015 at 10:12 AM, voncken <cedric.voncken@acksys.fr> wrote:
>
>         Hi,
>
> I'm not a WPA expert and security expert,
>
> Could you explain why the patch sent by Alexander Wetzel break the security properties of this code?
>
> The Alexander's patch is in attachment.
>
> Thanks for your help.

It simply disables the replay attack detection :)
You could receive the same (encrypted) packet twice and not throw away
the second one.
The author of the patch never said that this patch is a "fix", it is
rather a debug step to understand what happens.

PTK rekeying is a problem from the spec point of view. In Intel, we
did inquiries and in the end we understood that what we should really
do whenever we get to a situation where we need to rekey the PTK is to
disconnect and reconnect. Only weird configuration allow to change the
PTK more frequently than after X packet (don't remember what X is bu
something like 2^32 which is big enough to hold the connection for
days...).

IIRC, Intel devices don't have problems in Tx while we rekey because
we give the key material along with the packet itself, so that we
can't get to a situation where we have old PN and new key. The Atheros
devices separate the key material and the Tx packet (which is a
perfectly valid design decision), but this introduce the possibility
to use the old PN with a new key meaning that the recipient could
decrypt the packet after the new key has been installed, but it would
also update the PN to be high and discard all the next packets that
will come with a new (low) PN.
So essentially, this is a bug in the TX'ing side. Fixing it requires
to hit the performance which is not something people are willing to
do, when the bug is really in the spec.
That's what I remember, but I may be wrong.

>
> > -----Message d'origine-----
> > De : linux-wireless-owner@vger.kernel.org [mailto:linux-wireless-
> > owner@vger.kernel.org] De la part de voncken
> > Envoyé : mardi 29 décembre 2015 16:24
> > À : 'Emmanuel Grumbach'
> > Cc : 'linux-wireless'; 'Johannes Berg'
> > Objet : RE: Mac80211 : Wpa rekeying issue
> >
> >       > -----Message d'origine-----
> > > De : Emmanuel Grumbach [mailto:egrumbach@gmail.com] Envoyé : mardi 29
> > > décembre 2015 15:20 À : Cedric VONCKEN Cc : linux-wireless Objet : Re:
> > > Mac80211 : Wpa rekeying issue
> > >
> > > On Tue, Dec 29, 2015 at 3:01 PM, Cedric VONCKEN
> > > <cedric.voncken@acksys.fr>
> > > wrote:
> > > > Hi,
> > > >
> > > > My test plateform is:
> > > > 2 equipements
> > > > Both equipment used compat version 2015-07-21 from openwrt.
> > > > Both equipment used security WPA2
> > > >
> > > > The equipment #1 is an AP.
> > > >         The Group rekey interval is set to 3601s
> > > >         The Pair rekey interval set to 50s (I reduced this value to
> > > > show the issue often)
> > > >         The Master rekey interval is set to 86400 s.
> > > >
> > > > The equipment #2 is a sta+wds
> > > >
> > > > I used a 5GHz channel to have a free channel (without other AP) I
> > > > connected a computer on each equipment.
> > > >
> > > > To reproduce the issue:
> > > >         I ran iperf udp@50Mbps from computer connected to the AP to
> > > > the computer connected to the sta. After several WPA2 rekeying,
> > > > iperf server side didn't received any frame.
> > > >
> > > > I investigated in the driver. All packets are dropped in sta side,
> > > > because the function ieee80211_crypto_ccmp_decrypt return
> > > > Rx_DROP_UNUSABLE. This function return this code because the test
> > > > if(memcmp(pn,key->u.ccmp.rx_pn[queue],IEEE8021_CCMP_PN_LEN) <=0)
> > > > return true.
> > > >
> > > > Have you any idea to fix this issue?
> > > >
> > >
> > > I don't remember exactly what we had, but you may look at
> > > http://permalink.gmane.org/gmane.linux.kernel.wireless.general/137742
> >
> > Thanks for the link, I think I'm in the same situation.
> >
> > How can I fix this issue?
> >
> > Because the patch sent by Alexander Wetzel was rejected by Johannes (for
> > security reason), and if I disable the hw crypto I will have performance
> > issue.
> >
> >
> > --
> > To unsubscribe from this list: send the line "unsubscribe linux-wireless"
> > in the body of a message to majordomo@vger.kernel.org More majordomo info
> > at  http://vger.kernel.org/majordomo-info.html

RE: Mac80211 : Wpa rekeying issue

[voncken]

> >
> >         Hi,
> >
> > I'm not a WPA expert and security expert,
> >
> > Could you explain why the patch sent by Alexander Wetzel break the
> security properties of this code?
> >
> > The Alexander's patch is in attachment.
> >
> > Thanks for your help.
> 
> It simply disables the replay attack detection :) You could receive the
> same (encrypted) packet twice and not throw away the second one.
> The author of the patch never said that this patch is a "fix", it is rather
> a debug step to understand what happens.
> 
> PTK rekeying is a problem from the spec point of view. In Intel, we did
> inquiries and in the end we understood that what we should really do
> whenever we get to a situation where we need to rekey the PTK is to
> disconnect and reconnect. Only weird configuration allow to change the PTK
> more frequently than after X packet (don't remember what X is bu something
> like 2^32 which is big enough to hold the connection for days...).
> 
> IIRC, Intel devices don't have problems in Tx while we rekey because we
> give the key material along with the packet itself, so that we can't get to
> a situation where we have old PN and new key. The Atheros devices separate
> the key material and the Tx packet (which is a perfectly valid design
> decision), but this introduce the possibility to use the old PN with a new
> key meaning that the recipient could decrypt the packet after the new key
> has been installed, but it would also update the PN to be high and discard
> all the next packets that will come with a new (low) PN.
> So essentially, this is a bug in the TX'ing side. Fixing it requires to hit
> the performance which is not something people are willing to do, when the
> bug is really in the spec.
> That's what I remember, but I may be wrong.
> 
Thanks for your answer.
Do you know if we can have the same issue with ATH10K chipset?

Re: Mac80211 : Wpa rekeying issue

[Ben Greear]

On 12/31/2015 02:15 AM, voncken wrote:

> Thanks for your answer.
> Do you know if we can have the same issue with ATH10K chipset?

Someone else reported re-keying problems with ath10k recently, and
it appears to be a bug in in upstream firmware, probably related to
the same issue that keeps 802.11r from working in some upstream
firmware...

Thanks,
Ben

-- 
Ben Greear <greearb@candelatech.com>
Candela Technologies Inc  http://www.candelatech.com

Re: Mac80211 : Wpa rekeying issue

[Johannes Berg]

On Thu, 2015-12-31 at 10:41 +0200, Emmanuel Grumbach wrote:

> It simply disables the replay attack detection :)
> You could receive the same (encrypted) packet twice and not throw
> away the second one.

Correct.

> PTK rekeying is a problem from the spec point of view. 

Which was/is being addressed too, with different key index being
allowed now. We just haven't implemented it yet, and in the case at
hand the AP also won't be requesting it and the enhancement wouldn't be
used anyway.

> In Intel, we
> did inquiries and in the end we understood that what we should really
> do whenever we get to a situation where we need to rekey the PTK is
> to disconnect and reconnect. Only weird configuration allow to change
> the PTK more frequently than after X packet (don't remember what X is
> but something like 2^32 which is big enough to hold the connection
> for days...).

wpa_supplicant could easily disconnect.

> IIRC, Intel devices don't have problems in Tx while we rekey because
> we give the key material along with the packet itself, so that we
> can't get to a situation where we have old PN and new key.

Yeah, that's my recollection as well. Emmanuel, remember though we're
going to change this, which could become problematic. We might want to
implement the disconnection once we change it, and also implement the
new spec way of PTK rekeying (with key index).

>  The Atheros
> devices separate the key material and the Tx packet (which is a
> perfectly valid design decision), but this introduce the possibility
> to use the old PN with a new key meaning that the recipient could
> decrypt the packet after the new key has been installed, but it would
> also update the PN to be high and discard all the next packets that
> will come with a new (low) PN.
> So essentially, this is a bug in the TX'ing side. Fixing it requires
> to hit the performance which is not something people are willing to
> do, when the bug is really in the spec.
> That's what I remember, but I may be wrong.

It matches what I remember too :)

johannes

Re: Mac80211 : Wpa rekeying issue

[Matthias May]

[-- Attachment #1: Type: text/plain, Size: 5295 bytes --]

On 31/12/15 09:41, Emmanuel Grumbach wrote:
> On Thu, Dec 31, 2015 at 10:12 AM, voncken <cedric.voncken@acksys.fr> wrote:
>>
>>          Hi,
>>
>> I'm not a WPA expert and security expert,
>>
>> Could you explain why the patch sent by Alexander Wetzel break the security properties of this code?
>>
>> The Alexander's patch is in attachment.
>>
>> Thanks for your help.
>
> It simply disables the replay attack detection :)
> You could receive the same (encrypted) packet twice and not throw away
> the second one.
> The author of the patch never said that this patch is a "fix", it is
> rather a debug step to understand what happens.
>
> PTK rekeying is a problem from the spec point of view. In Intel, we
> did inquiries and in the end we understood that what we should really
> do whenever we get to a situation where we need to rekey the PTK is to
> disconnect and reconnect. Only weird configuration allow to change the
> PTK more frequently than after X packet (don't remember what X is bu
> something like 2^32 which is big enough to hold the connection for
> days...).
>
> IIRC, Intel devices don't have problems in Tx while we rekey because
> we give the key material along with the packet itself, so that we
> can't get to a situation where we have old PN and new key. The Atheros
> devices separate the key material and the Tx packet (which is a
> perfectly valid design decision), but this introduce the possibility
> to use the old PN with a new key meaning that the recipient could
> decrypt the packet after the new key has been installed, but it would
> also update the PN to be high and discard all the next packets that
> will come with a new (low) PN.
> So essentially, this is a bug in the TX'ing side. Fixing it requires
> to hit the performance which is not something people are willing to
> do, when the bug is really in the spec.
> That's what I remember, but I may be wrong.

We've encountered exactly this problem in a mix of devices where one 
applies key material faster than the other. (ath9k and aquilla)
As a workaround we check on the STA if we are authorized when 
updating/checking CCMP. (see attached patches)
Not sure what the performance impact of that is.
Is this something which might be interesting to upstream?

>
>>
>>> -----Message d'origine-----
>>> De : linux-wireless-owner@vger.kernel.org [mailto:linux-wireless-
>>> owner@vger.kernel.org] De la part de voncken
>>> Envoyé : mardi 29 décembre 2015 16:24
>>> À : 'Emmanuel Grumbach'
>>> Cc : 'linux-wireless'; 'Johannes Berg'
>>> Objet : RE: Mac80211 : Wpa rekeying issue
>>>
>>>        > -----Message d'origine-----
>>>> De : Emmanuel Grumbach [mailto:egrumbach@gmail.com] Envoyé : mardi 29
>>>> décembre 2015 15:20 À : Cedric VONCKEN Cc : linux-wireless Objet : Re:
>>>> Mac80211 : Wpa rekeying issue
>>>>
>>>> On Tue, Dec 29, 2015 at 3:01 PM, Cedric VONCKEN
>>>> <cedric.voncken@acksys.fr>
>>>> wrote:
>>>>> Hi,
>>>>>
>>>>> My test plateform is:
>>>>> 2 equipements
>>>>> Both equipment used compat version 2015-07-21 from openwrt.
>>>>> Both equipment used security WPA2
>>>>>
>>>>> The equipment #1 is an AP.
>>>>>          The Group rekey interval is set to 3601s
>>>>>          The Pair rekey interval set to 50s (I reduced this value to
>>>>> show the issue often)
>>>>>          The Master rekey interval is set to 86400 s.
>>>>>
>>>>> The equipment #2 is a sta+wds
>>>>>
>>>>> I used a 5GHz channel to have a free channel (without other AP) I
>>>>> connected a computer on each equipment.
>>>>>
>>>>> To reproduce the issue:
>>>>>          I ran iperf udp@50Mbps from computer connected to the AP to
>>>>> the computer connected to the sta. After several WPA2 rekeying,
>>>>> iperf server side didn't received any frame.
>>>>>
>>>>> I investigated in the driver. All packets are dropped in sta side,
>>>>> because the function ieee80211_crypto_ccmp_decrypt return
>>>>> Rx_DROP_UNUSABLE. This function return this code because the test
>>>>> if(memcmp(pn,key->u.ccmp.rx_pn[queue],IEEE8021_CCMP_PN_LEN) <=0)
>>>>> return true.
>>>>>
>>>>> Have you any idea to fix this issue?
>>>>>
>>>>
>>>> I don't remember exactly what we had, but you may look at
>>>> http://permalink.gmane.org/gmane.linux.kernel.wireless.general/137742
>>>
>>> Thanks for the link, I think I'm in the same situation.
>>>
>>> How can I fix this issue?
>>>
>>> Because the patch sent by Alexander Wetzel was rejected by Johannes (for
>>> security reason), and if I disable the hw crypto I will have performance
>>> issue.
>>>
>>>
>>> --
>>> To unsubscribe from this list: send the line "unsubscribe linux-wireless"
>>> in the body of a message to majordomo@vger.kernel.org More majordomo info
>>> at  http://vger.kernel.org/majordomo-info.html
> --
> To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>


-- 
Matthias May
Software Engineer

Neratec Solutions AG
Postfach 83, CH-8608 Bubikon, Switzerland
Direct: +41 55 253 2074
Office: +41 55 253 2000
Fax:    +41 55 253 2070
email:  matthias.may@neratec.com
Web:   www.neratec.com

[-- Attachment #2: CC0031-dont-check-ccmp-replay-when-not-authorized.patch --]
[-- Type: text/x-patch, Size: 500 bytes --]

diff --git a/net/mac80211/wpa.c b/net/mac80211/wpa.c
index feb547d..c2adb0d 100644
--- a/net/mac80211/wpa.c
+++ b/net/mac80211/wpa.c
@@ -522,7 +522,9 @@ ieee80211_crypto_ccmp_decrypt(struct ieee80211_rx_data *rx,
 		queue = rx->security_idx;
 
 		if (memcmp(pn, key->u.ccmp.rx_pn[queue],
-			   IEEE80211_CCMP_PN_LEN) <= 0) {
+			   IEEE80211_CCMP_PN_LEN) <= 0 &&
+			   !(rx->sta && !test_sta_flag(rx->sta,
+					WLAN_STA_AUTHORIZED))) {
 			key->u.ccmp.replays++;
 			return RX_DROP_UNUSABLE;
 		}

[-- Attachment #3: CC0031-dont-update-ccmp-replay-when-not-authorized.patch --]
[-- Type: text/x-patch, Size: 647 bytes --]

diff --git a/net/mac80211/wpa.c b/net/mac80211/wpa.c
index e115175..dc9c084 100644
--- a/net/mac80211/wpa.c
+++ b/net/mac80211/wpa.c
@@ -538,7 +538,13 @@ ieee80211_crypto_ccmp_decrypt(struct ieee80211_rx_data *rx,
 				return RX_DROP_UNUSABLE;
 		}
 
-		memcpy(key->u.ccmp.rx_pn[queue], pn, IEEE80211_CCMP_PN_LEN);
+		/* If we are a station update the ccmp counter only when we are
+		 * authorised. For all other modes always update. */
+		if (!rx->sta ||
+		    (rx->sta && test_sta_flag(rx->sta, WLAN_STA_AUTHORIZED)) ) {
+			memcpy(key->u.ccmp.rx_pn[queue],
+			       pn, IEEE80211_CCMP_PN_LEN);
+		}
 	}
 
 	/* Remove CCMP header and MIC */

Re: Mac80211 : Wpa rekeying issue

[Johannes Berg]

On Tue, 2016-01-05 at 10:47 +0100, Matthias May wrote:

> 
> We've encountered exactly this problem in a mix of devices where one 
> applies key material faster than the other. (ath9k and aquilla)
> As a workaround we check on the STA if we are authorized when 
> updating/checking CCMP. (see attached patches)
> 

Those don't really seem safe to use either.

johannes

Re: Mac80211 : Wpa rekeying issue

[Matthias May]

On 05/01/16 10:58, Johannes Berg wrote:
> On Tue, 2016-01-05 at 10:47 +0100, Matthias May wrote:
>
>>
>> We've encountered exactly this problem in a mix of devices where one
>> applies key material faster than the other. (ath9k and aquilla)
>> As a workaround we check on the STA if we are authorized when
>> updating/checking CCMP. (see attached patches)
>>
>
> Those don't really seem safe to use either.
>
> johannes
>

Not safe as in "access to stuff which has to be locked", or not safe as 
in "a CCMP replay attack is possible"?
When changing this we argumented that since we are not really connected 
yet, a CCMP replay attack doesn't really make sense.

Matthias

Re: Mac80211 : Wpa rekeying issue

[Johannes Berg]

On Tue, 2016-01-05 at 11:54 +0100, Matthias May wrote:
> 
> Not safe as in "access to stuff which has to be locked", or not safe
> as 
> in "a CCMP replay attack is possible"?
> When changing this we argumented that since we are not really
> connected 
> yet, a CCMP replay attack doesn't really make sense.
> 

It's a bit more complicated than my first look suggested, it seems.

However, I'm not sure what effect your patch is supposed to have.
You're skipping CCMP replay checking and update when not authorized
yet, at which point the station isn't receiving frames anyway (though
they'd be checked for all this, they'd later be discarded).

Once it becomes authorized, you do the checks. However, it never
becomes unauthorized again, even for rekeying, so for the PTK rekeying
issue at hand it's pretty much a no-op?

johannes

PS: the comment in your patch is also wrong:

> +               /* If we are a station update the ccmp counter only when we are
> +                * authorised. For all other modes always update. */
> +               if (!rx->sta ||
> +                   (rx->sta && test_sta_flag(rx->sta, WLAN_STA_AUTHORIZED)) ) {

There's no check for "if we are a station" here.

Re: Mac80211 : Wpa rekeying issue

[Matthias May]

On 05/01/16 16:50, Johannes Berg wrote:
> On Tue, 2016-01-05 at 11:54 +0100, Matthias May wrote:
>>
>> Not safe as in "access to stuff which has to be locked", or not safe
>> as
>> in "a CCMP replay attack is possible"?
>> When changing this we argumented that since we are not really
>> connected
>> yet, a CCMP replay attack doesn't really make sense.
>>
>
> It's a bit more complicated than my first look suggested, it seems.
>
> However, I'm not sure what effect your patch is supposed to have.
> You're skipping CCMP replay checking and update when not authorized
> yet, at which point the station isn't receiving frames anyway (though
> they'd be checked for all this, they'd later be discarded).
>
> Once it becomes authorized, you do the checks. However, it never
> becomes unauthorized again, even for rekeying, so for the PTK rekeying
> issue at hand it's pretty much a no-op?
>
afaik it solves the issue that when a STA roames from AP1 to AP2, and 
key material is installed at different times.
We observed encrypted frames which had a wrong CCMP counter. If the STA 
updates it's counter with these frames then depending on the wrong CCMP 
value received, up to a few hundred frames were dropped.
Not exactly the same as rekeying but the effect are pretty similar.

> johannes
>
> PS: the comment in your patch is also wrong:
>
>> +               /* If we are a station update the ccmp counter only when we are
>> +                * authorised. For all other modes always update. */
>> +               if (!rx->sta ||
>> +                   (rx->sta && test_sta_flag(rx->sta, WLAN_STA_AUTHORIZED)) ) {
>
> There's no check for "if we are a station" here.
>
Yeah this doesn't make sense.
Also the check on !rx-sta seems superfluous since it's already checked a 
few lines above.

Regards
Matthias

Re: Mac80211 : Wpa rekeying issue

[Johannes Berg]

On Wed, 2016-01-06 at 10:09 +0100, Matthias May wrote:
> 
> afaik it solves the issue that when a STA roames from AP1 to AP2, and
> key material is installed at different times.
> We observed encrypted frames which had a wrong CCMP counter. If the
> STA 
> updates it's counter with these frames then depending on the wrong
> CCMP 
> value received, up to a few hundred frames were dropped.

I don't really see how it has any effect there either, since in that
case the old key material should be deleted long before the new one is
installed, so the cross-over that causes the PN update problem with
rekeying can't happen?

> Not exactly the same as rekeying but the effect are pretty similar.

Ignoring the discussion about the effect of the patch in roaming, the
patch really can't do anything for rekeying since the station never
goes back to !authorized in that case, so it can't really be relevant
for this thread.

johannes

Re: Mac80211 : Wpa rekeying issue

[Johannes Berg]

On Thu, 2015-12-31 at 10:41 +0200, Emmanuel Grumbach wrote:
> 
> So essentially, this is a bug in the TX'ing side. Fixing it requires
> to hit the performance which is not something people are willing to
> do, when the bug is really in the spec.
> 

I wonder if, for most devices, this is really true?

We could, after all, remove the key from hardware acceleration before
we replace it logically in software, avoiding the problem [1], like
this:

https://p.sipsolutions.net/a71aa559c27998c7.txt
(completely untested!)

This would slightly increase the window of time in which devices like
ath10k that require hardware crypto drop the frame entirely, but that
seems quite reasonable?


[1] assuming the driver doesn't return from the set_key() method while
it still has frames that might have been decrypted with that key; which
again is clearly true for iwlwifi due to the combined data/firmware
command design, but maybe not fully guaranteed for ath9k

Re: Mac80211 : Wpa rekeying issue

[Emmanuel Grumbach]

On Thu, Jan 7, 2016 at 11:15 PM, Johannes Berg
<johannes@sipsolutions.net> wrote:
>
> On Thu, 2015-12-31 at 10:41 +0200, Emmanuel Grumbach wrote:
> >
> > So essentially, this is a bug in the TX'ing side. Fixing it requires
> > to hit the performance which is not something people are willing to
> > do, when the bug is really in the spec.
> >
>
> I wonder if, for most devices, this is really true?
>
> We could, after all, remove the key from hardware acceleration before
> we replace it logically in software, avoiding the problem [1], like
> this:
>
> https://p.sipsolutions.net/a71aa559c27998c7.txt
> (completely untested!)
>
> This would slightly increase the window of time in which devices like
> ath10k that require hardware crypto drop the frame entirely, but that
> seems quite reasonable?

Yes - it looks reasonable. At least, worth being tested :)

>
>
> [1] assuming the driver doesn't return from the set_key() method while
> it still has frames that might have been decrypted with that key; which
> again is clearly true for iwlwifi due to the combined data/firmware
> command design, but maybe not fully guaranteed for ath9k