From owner-freebsd-net@FreeBSD.ORG Sat Feb 6 21:56:18 2010
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 35459106566B for ; Sat, 6 Feb 2010 21:56:18 +0000 (UTC) (envelope-from sam@errno.com)
Received: from ebb.errno.com (ebb.errno.com [69.12.149.25]) by mx1.freebsd.org (Postfix) with ESMTP id CA9348FC19 for ; Sat, 6 Feb 2010 21:56:17 +0000 (UTC)
Received: from ice.local ([10.0.0.115]) (authenticated bits=0) by ebb.errno.com (8.13.6/8.12.6) with ESMTP id o16LuFs5024991 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sat, 6 Feb 2010 13:56:16 -0800 (PST) (envelope-from sam@errno.com)
Message-ID: <4B6DE57F.7060104@errno.com>
Date: Sat, 06 Feb 2010 13:56:15 -0800
From: Sam Leffler
User-Agent: Thunderbird 2.0.0.23 (Macintosh/20090812)
MIME-Version: 1.0
To: Bernhard Schmidt
References: <201002040915.04470.bschmidt@techwires.net>
In-Reply-To: <201002040915.04470.bschmidt@techwires.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-DCC-sonic.net-Metrics: ebb.errno.com; whitelist
Cc: freebsd-net@freebsd.org
Subject: Re: Software TKIP group rekeying and phase1 issue
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 06 Feb 2010 21:56:18 -0000

Bernhard Schmidt wrote:
> Hi,
>
> When hostapd triggers rekeying of the group key, wpa_supplicant successfully
> sets the correct new key. On first use of the new key tkip_mixing_phase1()
> should be applied before decrypting any frames; tkip_decrypt() does this as
>
> 	if (iv32 != (u32)(key->wk_keyrsc[tid] >> 16) || !ctx->rx_phase1_done) {
> 		tkip_mixing_phase1(ctx->rx_ttak, key->wk_key,
> 		    wh->i_addr2, iv32);
> 		ctx->rx_phase1_done = 1;
> 	}
>
> But after a rekeying event neither of these conditions matches, especially as
> rx_phase1_done is no longer zero, therefore tkip_mixing_phase1() isn't called,
> which leads to dropped frames with "TKIP ICV mismatch on decrypt" messages.
>
> A working solution for that is to set rx_phase1_done to zero inside
> tkip_setkey(). I'm not sure whether that is the best solution or if it is
> better to set/reset the wk_keyrsc sequence; at least this diff works for me
> and a few others over at the Forums.
>
> Index: sys/net80211/ieee80211_crypto_tkip.c
> ===================================================================
> --- sys/net80211/ieee80211_crypto_tkip.c (revision 203242)
> +++ sys/net80211/ieee80211_crypto_tkip.c (working copy)
> @@ -144,6 +144,8 @@ tkip_setkey(struct ieee80211_key *k)
> return 0;
> }
> k->wk_keytsc = 1; /* TSC starts at 1 */
> + if (k->wk_flags & IEEE80211_KEY_GROUP)
> + ctx->rx_phase1_done = 0;
> return 1;
> }
>

Resetting this flag in setkey looks right, but why only for group keys? I don't think you want to reset the keyrsc unless instructed; if I recall, a new RSC may be sent down by the authenticator when plumbing a key--but it's been a while since I looked at this. Have you looked at other implementations?

Sam
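Review bot: the reset at `+ if (k->wk_flags & IEEE80211_KEY_GROUP)` is gated on the key being a group key, but tkip_setkey() is the setkey path for pairwise keys too, and the tkip_decrypt() gate quoted in the report (`iv32 != keyrsc >> 16 || !rx_phase1_done`) tests only iv32 against wk_keyrsc[tid] and the flag, never the key type, so a pairwise rekey that lands with iv32 unchanged keeps the stale rx_ttak in exactly the same way. Suggest dropping the flag test and clearing the cache unconditionally next to `k->wk_keytsc = 1;`, i.e. `ctx->rx_phase1_done = 0;` with a one-line comment that the cached TTAK was mixed from the previous key. The three context lines do not show where `ctx` is declared in tkip_setkey(), so confirm it is the key's TKIP context already in scope before the `return 0;` path rather than a new variable this hunk forgets to introduce.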
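As an added illustration (not FreeBSD's code and not from either poster), here is a small C model of the receive-side phase-1 cache that tkip_decrypt() keys on. It replays the rekey sequence described in the report and counts dropped frames with and without the reset in setkey. Assumptions: tkip_mixing_phase1() is replaced by a stand-in mixer (mix_phase1, FNV-based, not TKIP's S-box mixing), the structs are cut down to the fields the gate reads, setkey leaves wk_keyrsc alone (the hunk only resets wk_keytsc), and the sample GTKs and transmitter address are constructed values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define TKIP_KEYLEN 16
#define WME_NUM_TID 16

struct ieee80211_key {			/* subset of net80211's struct */
	uint8_t  wk_key[TKIP_KEYLEN];
	uint64_t wk_keyrsc[WME_NUM_TID];	/* per-TID receive sequence counter */
};

struct tkip_ctx {			/* subset of the per-key TKIP context */
	uint32_t rx_ttak[5];		/* cached phase-1 output */
	int      rx_phase1_done;	/* "rx_ttak is valid" */
};

/* Stand-in for tkip_mixing_phase1(): a deterministic function of (key, TA, iv32),
 * not the real S-box mixer.  The cache logic only needs that shape. */
static void mix_phase1(uint32_t ttak[5], const uint8_t *key, const uint8_t *ta, uint32_t iv32)
{
	uint32_t h = 2166136261u;	/* FNV-1a as a cheap mixer (assumption) */

	for (int i = 0; i < TKIP_KEYLEN; i++) { h ^= key[i]; h *= 16777619u; }
	for (int i = 0; i < 6; i++) { h ^= ta[i]; h *= 16777619u; }
	for (int i = 0; i < 5; i++) {
		h ^= (iv32 >> (8 * (i & 3))) & 0xff;
		h *= 16777619u;
		ttak[i] = h;
	}
}

/* Mirrors tkip_setkey(); reset_phase1 selects the behaviour proposed in the thread.
 * wk_keyrsc is left alone, as the hunk leaves it. */
static void model_setkey(struct tkip_ctx *ctx, struct ieee80211_key *k,
    const uint8_t *newkey, int reset_phase1)
{
	memcpy(k->wk_key, newkey, TKIP_KEYLEN);
	if (reset_phase1)
		ctx->rx_phase1_done = 0;	/* force phase 1 on the next frame */
}

/* The gate quoted from tkip_decrypt(); returns 1 if phase 1 was recomputed. */
static int model_rx_phase1(struct tkip_ctx *ctx, const struct ieee80211_key *key,
    const uint8_t *ta, int tid, uint32_t iv32)
{
	if (iv32 != (uint32_t)(key->wk_keyrsc[tid] >> 16) || !ctx->rx_phase1_done) {
		mix_phase1(ctx->rx_ttak, key->wk_key, ta, iv32);
		ctx->rx_phase1_done = 1;
		return 1;
	}
	return 0;
}

/* One received frame: the sender mixes from the key it encrypted with, the receiver
 * goes through its cache.  Differing TTAKs are what surface as "TKIP ICV mismatch".
 * As in tkip_decrypt(), the replay counter advances only on success. */
static int model_rx_frame(struct tkip_ctx *ctx, struct ieee80211_key *key,
    const uint8_t *sender_key, const uint8_t *ta, int tid, uint32_t iv32, uint16_t iv16)
{
	uint32_t tx_ttak[5];

	mix_phase1(tx_ttak, sender_key, ta, iv32);
	model_rx_phase1(ctx, key, ta, tid, iv32);
	if (memcmp(tx_ttak, ctx->rx_ttak, sizeof(tx_ttak)) != 0)
		return 0;
	key->wk_keyrsc[tid] = ((uint64_t)iv32 << 16) | iv16;
	return 1;
}

/* The group-rekey scenario from the thread; returns how many frames failed to decrypt. */
int rekey_scenario(int reset_phase1_in_setkey)
{
	/* Constructed sample values; any bytes would do. */
	static const uint8_t ta[6] = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55 };
	static const uint8_t gtk1[TKIP_KEYLEN] = { 0xa1,0xa2,0xa3,0xa4,0xa5,0xa6,0xa7,0xa8,0xa9,0xaa,0xab,0xac,0xad,0xae,0xaf,0xb0 };
	static const uint8_t gtk2[TKIP_KEYLEN] = { 0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f };
	struct ieee80211_key k;
	struct tkip_ctx ctx;
	int failed = 0;

	memset(&k, 0, sizeof(k));
	memset(&ctx, 0, sizeof(ctx));
	model_setkey(&ctx, &k, gtk1, reset_phase1_in_setkey);
	failed += !model_rx_frame(&ctx, &k, gtk1, ta, 0, 0, 1);	/* flag 0: phase 1 runs */
	failed += !model_rx_frame(&ctx, &k, gtk1, ta, 0, 0, 2);	/* cache hit, same key */

	/* Rekey: new GTK plumbed, the sender's TSC restarts, so iv32 is 0 again. */
	model_setkey(&ctx, &k, gtk2, reset_phase1_in_setkey);
	failed += !model_rx_frame(&ctx, &k, gtk2, ta, 0, 0, 1);	/* stale rx_ttak without the reset */
	failed += !model_rx_frame(&ctx, &k, gtk2, ta, 0, 0, 2);
	failed += !model_rx_frame(&ctx, &k, gtk2, ta, 0, 1, 0);	/* iv32 moved: phase 1 reruns anyway */
	return failed;
}

int main(void)
{
	printf("dropped frames, reset only by iv32 change: %d\n", rekey_scenario(0));
	printf("dropped frames, reset in setkey:           %d\n", rekey_scenario(1));
	return 0;
}
```

What the model makes visible is that the gate has no notion of which key produced the cached TTAK: after a rekey where iv32 comes back unchanged (the sender's TSC restarts at 1, so iv32 is 0 again), the only thing that can force a recompute is rx_phase1_done being clear, which is why setkey is the right place to clear it, and why nothing in this logic distinguishes group from pairwise keys.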