From owner-freebsd-net@FreeBSD.ORG Thu Feb 4 08:19:09 2010
From: Bernhard Schmidt
To: freebsd-net@freebsd.org
Date: Thu, 4 Feb 2010 09:15:04 +0100
Message-Id: <201002040915.04470.bschmidt@techwires.net>
Subject: Software TKIP group rekeying and phase1 issue

Hi,

When hostapd triggers rekeying of the group key, wpa_supplicant successfully sets the correct new key. On first use of the new key tkip_mixing_phase1() should be applied before decrypting any frames; tkip_decrypt() does this as

	if (iv32 != (u32)(key->wk_keyrsc[tid] >> 16) || !ctx->rx_phase1_done) {
		tkip_mixing_phase1(ctx->rx_ttak, key->wk_key, wh->i_addr2, iv32);
		ctx->rx_phase1_done = 1;
	}

But, after a rekeying event, neither of these conditions matches, especially as rx_phase1_done is no longer zero; therefore tkip_mixing_phase1() isn't called, which leads to dropped frames with "TKIP ICV mismatch on decrypt" messages.

A working solution for that is to set rx_phase1_done to zero inside tkip_setkey(). I'm not sure whether that is the best solution or if it is better to set/reset the wk_keyrsc sequence; at least this diff works for me and a few others over at the Forums.

Index: sys/net80211/ieee80211_crypto_tkip.c
===================================================================
--- sys/net80211/ieee80211_crypto_tkip.c	(revision 203242)
+++ sys/net80211/ieee80211_crypto_tkip.c	(working copy)
@@ -144,6 +144,8 @@ tkip_setkey(struct ieee80211_key *k)
 		return 0;
 	}
 	k->wk_keytsc = 1;		/* TSC starts at 1 */
+	if (k->wk_flags & IEEE80211_KEY_GROUP)
+		ctx->rx_phase1_done = 0;
 	return 1;
 }

-- 
Bernhard
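Review bot: the reset of ctx->rx_phase1_done in the tkip_setkey() hunk is gated on IEEE80211_KEY_GROUP, but the hazard it addresses is not specific to group keys: any key installed through tkip_setkey() leaves rx_phase1_done at 1 with rx_ttak still mixed from the previous key material, so a pairwise rekey whose first frame carries the same IV32 as the last frame under the old key would fall through the same tkip_decrypt() condition and hit the same "TKIP ICV mismatch on decrypt" path. Suggest dropping the flag test and clearing the flag unconditionally, right where the preceding context line already resets k->wk_keytsc, and, if the context keeps a matching transmit-side phase-1 flag, clearing that at the same point so the transmit path cannot reuse a TTAK mixed from the old key either. Also worth confirming against the full function that ctx (the struct tkip_ctx pointer) is already in scope at line 146; the hunk's context does not show its declaration.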
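The following C model is an added illustration of the caching bug described in the mail; it is not part of Bernhard's message and not FreeBSD's net80211 code. It reproduces the tkip_decrypt() phase-1 condition quoted above around a stand-in mixing function and runs the group-rekey scenario with and without the proposed tkip_setkey() change, plus the case where IV32 changes across the rekey (which the unpatched condition already handles). The struct layouts, the IEEE80211_KEY_GROUP value, mix_phase1() (a keyed hash standing in for TKIP phase 1, not the real S-box mixing) and the sample keys and address are assumptions made for this example.

```c
/*
 * Added example, not FreeBSD code: a model of the receive-side TKIP phase-1
 * cache from the mail above. The if-condition in model_rx_phase1() is the one
 * quoted from tkip_decrypt(); the structs, the IEEE80211_KEY_GROUP value and
 * mix_phase1() (a stand-in keyed hash, NOT the real TKIP S-box mixing) are
 * assumptions made for this example. Only the caching logic is the point.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TKIP_KEYLEN		16
#define IEEE80211_KEY_GROUP	0x01	/* assumed flag value */
struct ieee80211_key {
	uint8_t		wk_key[TKIP_KEYLEN];
	uint64_t	wk_keyrsc;	/* receive sequence counter, one TID modelled */
	uint64_t	wk_keytsc;
	int		wk_flags;
};

struct tkip_ctx {
	uint16_t	rx_ttak[5];
	int		rx_phase1_done;
};

/* Stand-in for tkip_mixing_phase1(): deterministic mix of TK, TA and IV32. */
static void
mix_phase1(uint16_t ttak[5], const uint8_t *tk, const uint8_t *ta, uint32_t iv32)
{
	uint32_t h = 0x811c9dc5u;
	for (int i = 0; i < TKIP_KEYLEN; i++)
		h = (h ^ tk[i]) * 16777619u;
	for (int i = 0; i < 6; i++)
		h = (h ^ ta[i]) * 16777619u;
	h = (h ^ iv32) * 16777619u;
	for (int i = 0; i < 5; i++) {
		h ^= h >> 15;
		h *= 0x2c1b3c6du;
		ttak[i] = (uint16_t)(h >> 16);
	}
}

/* Models tkip_setkey(); with_fix == 1 applies the hunk from the mail. */
static void
model_setkey(struct tkip_ctx *ctx, struct ieee80211_key *k,
    const uint8_t *tk, int flags, int with_fix)
{
	memcpy(k->wk_key, tk, TKIP_KEYLEN);
	k->wk_flags = flags;
	k->wk_keytsc = 1;		/* TSC starts at 1 */
	if (with_fix && (k->wk_flags & IEEE80211_KEY_GROUP))
		ctx->rx_phase1_done = 0;
}

/* Phase-1 step of tkip_decrypt() for one received frame. Returns 1 if the TTAK
 * used matches a fresh phase-1 for the CURRENT key (frame decrypts), 0 if a
 * TTAK mixed from the previous key is reused ("TKIP ICV mismatch"). */
static int
model_rx_phase1(struct tkip_ctx *ctx, struct ieee80211_key *key,
    const uint8_t *ta, uint32_t iv32)
{
	uint16_t fresh[5];
	if (iv32 != (uint32_t)(key->wk_keyrsc >> 16) || !ctx->rx_phase1_done) {
		mix_phase1(ctx->rx_ttak, key->wk_key, ta, iv32);
		ctx->rx_phase1_done = 1;
	}
	mix_phase1(fresh, key->wk_key, ta, iv32);
	/* A decrypted frame advances the recorded RSC (IV32 part only here). */
	key->wk_keyrsc = ((uint64_t)iv32 << 16) | (key->wk_keyrsc & 0xffff);
	return memcmp(fresh, ctx->rx_ttak, sizeof(fresh)) == 0;
}

/* Two frames under GTK1, a hostapd group rekey to GTK2, then one frame under
 * GTK2 carrying iv32_after. Returns 1 if that frame decrypts, 0 if it hits
 * the stale-TTAK path, -1 if a pre-rekey frame unexpectedly fails. */
int
rekey_scenario(int with_fix, uint32_t iv32_after)
{
	/* Constructed sample values: AP address and two group keys. */
	static const uint8_t ta[6] = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55 };
	uint8_t gtk1[TKIP_KEYLEN], gtk2[TKIP_KEYLEN];
	struct tkip_ctx ctx = { { 0 }, 0 };
	struct ieee80211_key k = { { 0 }, 0, 0, 0 };
	for (int i = 0; i < TKIP_KEYLEN; i++) {
		gtk1[i] = (uint8_t)i;
		gtk2[i] = (uint8_t)(0xa0 + i);
	}
	model_setkey(&ctx, &k, gtk1, IEEE80211_KEY_GROUP, with_fix);
	if (!model_rx_phase1(&ctx, &k, ta, 0) ||	/* phase 1 computed */
	    !model_rx_phase1(&ctx, &k, ta, 0))		/* same IV32: cache hit */
		return -1;
	model_setkey(&ctx, &k, gtk2, IEEE80211_KEY_GROUP, with_fix);	/* rekey */
	return model_rx_phase1(&ctx, &k, ta, iv32_after);
}

int main(void)
{
	printf("unpatched %d, patched %d, unpatched with new IV32 %d\n",
	    rekey_scenario(0, 0), rekey_scenario(1, 0), rekey_scenario(0, 1));
	return 0;
}
```

Under the unpatched model only a change in IV32 forces a fresh phase 1, which is why a group rekey whose first frame reuses the IV32 last seen under the old key keeps the stale TTAK and fails, while the same rekey followed by a frame with a new IV32 succeeds. The fix restores correctness by invalidating the cache at key-install time rather than relying on the sequence counter to move.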