linux-wireless.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Johannes Berg <johannes@sipsolutions.net>
To: Emmanuel Grumbach <egrumbach@gmail.com>
Cc: Jouni Malinen <j@w1.fi>, linux-wireless <linux-wireless@vger.kernel.org>
Subject: Re: mac80211 drops packet with old IV after rekeying
Date: Sun, 17 May 2015 21:25:56 +0200	[thread overview]
Message-ID: <1431890756.2129.13.camel@sipsolutions.net> (raw)
In-Reply-To: <CANUX_P0byd4Q+1gjiBmoGqd_hESUH_YVCD6iPx0_d6aw_r3JSw@mail.gmail.com> (sfid-20150517_202334_293302_FFD28DB5)

On Sun, 2015-05-17 at 21:23 +0300, Emmanuel Grumbach wrote:

> One thing that I still haven't understood here is how can we get to a
> situation in which we already parsed the EAPOL of the GTK re-keying,
> but not a data frame that must have been sent before the EAPOL?
> The Rx path is serialized after all. I'd expect maybe to loose frames
> because we are still using the old key while the new key has been sent
> and not to get to the situation where:
> 
> data: old Key PN = 997
> data: old Key PN = 998
> data: old Key PN = 999
> set new key PN = 0
> data: old Key PN = 1000
> (new key's PN gets set to 1000 ** BUG **)
> data: new Key PN = 1 <DROPPED>

Yeah, this is the situation. How it happens is like this:
(* - data, # - control)


 * data RX in HW, decrypt w/ old key, PN=998
 * data RX in mac80211 - PN <= 998 [old key]
 # set key pointer to new key
 * data RX in HW, decrypt w/ old key, PN=999
 * data RX in mac80211 - PN <= 999 [new key!! - PROBLEM FOR NEXT FRAME]
 # delete old key from HW crypto
 # add new key to HW crypto

Perhaps then the easier way to solve it would be to simply delete HW
crypto *before* changing the key pointer. Somewhat similar, but perhaps
simpler, than my previous patch. This would end up with the scenario
like this:

 * data RX in HW, decrypt w/ old key, PN=998
 * data RX in mac80211 - PN <= 998 [old key]
 # delete old key from HW crypto
 # set key pointer to new key
 * data RX in HW, decryption possible
 * data RX in mac80211, decrypt fails [old key was used, new key is
valid]
 # add new key to HW crypto

The problem with that approach is how to handle drivers that *must* use
HW crypto, like ath10k, and cannot fall back to software crypto. For
those, having a state where a key is valid in software but not uploaded
to hardware is basically an invalid state.

Then again, we can probably accept that for the transition period, as
the result really would only be to indicate to mac80211 that unencrypted
frames must not be accepted (key pointer exists.)

That'd look something like this:
http://p.sipsolutions.net/941c1a69a9c54a73.txt

johannes


  reply	other threads:[~2015-05-17 19:26 UTC|newest]

Thread overview: 23+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-05-15  6:48 mac80211 drops packet with old IV after rekeying Emmanuel Grumbach
2015-05-15  7:25 ` Johannes Berg
2015-05-15  7:52   ` Emmanuel Grumbach
2015-05-15 18:35     ` Johannes Berg
2015-05-16 18:18       ` Emmanuel Grumbach
2015-05-16 19:57         ` Johannes Berg
2015-05-17 16:05           ` Jouni Malinen
2015-05-17 18:23             ` Emmanuel Grumbach
2015-05-17 19:25               ` Johannes Berg [this message]
2015-05-17 19:49                 ` Emmanuel Grumbach
2015-05-17 20:05                   ` Johannes Berg
2015-05-17 20:13                     ` Emmanuel Grumbach
2015-05-17 20:22                       ` Johannes Berg
2015-05-18  6:14                         ` Peer, Ilan
2015-05-18  8:03                           ` Janusz Dziedzic
2015-05-18 14:40                             ` Ben Greear
2015-05-18 15:02                           ` Johannes Berg
2015-05-18 19:34                             ` Emmanuel Grumbach
2015-05-18 19:47                             ` Alexander Wetzel
2015-05-18 21:55                               ` Johannes Berg
2015-05-20 20:55                                 ` mac80211 drops packet with old IV after rekeying - workaround patch for CCMP Alexander Wetzel
2015-05-21  7:11                                   ` Johannes Berg
2015-05-17 19:14             ` mac80211 drops packet with old IV after rekeying Johannes Berg

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1431890756.2129.13.camel@sipsolutions.net \
    --to=johannes@sipsolutions.net \
    --cc=egrumbach@gmail.com \
    --cc=j@w1.fi \
    --cc=linux-wireless@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).