From owner-freebsd-net@FreeBSD.ORG Sat Feb 6 22:39:49 2010
From: Bernhard Schmidt
To: freebsd-net@freebsd.org
Date: Sat, 6 Feb 2010 23:39:41 +0100
User-Agent: KMail/1.12.4 (FreeBSD/9.0-CURRENT; KDE/4.3.4; amd64; ; )
Subject: Re: Software TKIP group rekeying and phase1 issue
Message-Id: <201002062339.42721.bschmidt@techwires.net>
In-Reply-To: <4B6DE57F.7060104@errno.com>
References: <201002040915.04470.bschmidt@techwires.net> <4B6DE57F.7060104@errno.com>
List-Id: Networking and TCP/IP with FreeBSD

On Saturday 06 February 2010 22:56:15 Sam Leffler wrote:
> Bernhard Schmidt wrote:
> > Hi,
> >
> > When hostapd triggers rekeying of the group key, wpa_supplicant
> > successfully sets the correct new key. On first use of the new key
> > tkip_mixing_phase1() should be applied before decrypting any frames;
> > tkip_decrypt() does this as
> >
> >     if (iv32 != (u32)(key->wk_keyrsc[tid] >> 16) || !ctx->rx_phase1_done) {
> >         tkip_mixing_phase1(ctx->rx_ttak, key->wk_key,
> >             wh->i_addr2, iv32);
> >         ctx->rx_phase1_done = 1;
> >     }
> >
> > But, after a rekeying event, neither of these conditions matches, especially
> > as rx_phase1_done is no longer zero, therefore tkip_mixing_phase1() isn't
> > called, which leads to dropped frames with "TKIP ICV mismatch on decrypt"
> > messages.
> >
> > A working solution for that is to set rx_phase1_done to zero inside
> > tkip_setkey(). I'm not sure whether that is the best solution or if it is
> > better to set/reset the wk_keyrsc sequence; at least this diff works for
> > me and a few others over at the Forums.
> >
> > Index: sys/net80211/ieee80211_crypto_tkip.c
> > ===================================================================
> > --- sys/net80211/ieee80211_crypto_tkip.c (revision 203242)
> > +++ sys/net80211/ieee80211_crypto_tkip.c (working copy)
> > @@ -144,6 +144,8 @@ tkip_setkey(struct ieee80211_key *k)
> > return 0;
> > }
> > k->wk_keytsc = 1; /* TSC starts at 1 */
> > + if (k->wk_flags & IEEE80211_KEY_GROUP)
> > + ctx->rx_phase1_done = 0;
> > return 1;
> > }
>
> Resetting this flag in setkey looks right, but why only for group keys? I
> don't think you want to reset the keyrsc unless instructed; if I recall,
> a new RSC may be sent down by the authenticator when plumbing a key--but
> it's been a while since I looked at this.
>
> Have you looked at other implementations?

Doing that for all keys is probably right; I have to test that.

I did look at other implementations; they do zero out (tkip_ctx *)ctx inside
tkip_setkey() and restore part of its content from the key, which has the
side effect that rx_phase1_done is also zero. No one handles that case
intentionally.

-- 
Bernhard
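Review bot: the two added lines in the tkip_setkey() hunk clear rx_phase1_done only when IEEE80211_KEY_GROUP is set, yet the check quoted from tkip_decrypt() that consults the flag does not distinguish group from pairwise keys, so a pairwise key installed over an existing context with an unchanged iv32 would still decrypt with the previous key's cached phase-1 output. Drop the flag test and reset unconditionally, replacing the two `+` lines with a single `ctx->rx_phase1_done = 0;`, with a short comment next to it (like the existing `/* TSC starts at 1 */`) saying that the cached rx_ttak belongs to the old key and must be recomputed on the next received frame. Leaving wk_keyrsc untouched in this hunk is the right call, since the RSC is expected to arrive with the key from the authenticator rather than be reset here.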
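The decision this thread turns on, modelled as an added stand-alone C example (not code from the FreeBSD net80211 tree): a receive context keeps the phase-1 output of the previous key cached across a rekey unless tkip_setkey() clears rx_phase1_done. The real tkip_mixing_phase1() is replaced by a constructed stand-in (phase1_stub), the structs are reduced to the fields the quoted check uses, setkey_model/rekey_uses_fresh_phase1 are hypothetical names, and, as in the report, the RSC plumbed with the new key is assumed to carry the same iv32 as the next frame.

```c
#include <stdint.h>
#include <string.h>
/* Reduced net80211 models: only the fields the quoted check uses. */
struct tkip_ctx { uint32_t rx_ttak[5]; int rx_phase1_done; };
struct ieee80211_key { uint8_t wk_key[16]; uint64_t wk_keyrsc[16]; void *wk_private; };

/* Constructed stand-in for tkip_mixing_phase1(): not the S-box mixing, just a function of (key, TA, iv32). */
static void phase1_stub(uint32_t ttak[5], const uint8_t key[16], const uint8_t ta[6], uint32_t iv32)
{
    for (int i = 0; i < 5; i++) {
        uint32_t v = iv32 ^ (0x9E3779B9u * (uint32_t)(i + 1));
        for (int j = 0; j < 16; j++) v = (v * 31u) ^ key[j];
        for (int j = 0; j < 6; j++)  v = (v * 31u) ^ ta[j];
        ttak[i] = v;
    }
}
/* The receive-side decision quoted from tkip_decrypt(). */
static void rx_phase1(struct ieee80211_key *key, const uint8_t ta[6], uint32_t iv32, int tid)
{
    struct tkip_ctx *ctx = key->wk_private;
    if (iv32 != (uint32_t)(key->wk_keyrsc[tid] >> 16) || !ctx->rx_phase1_done) {
        phase1_stub(ctx->rx_ttak, key->wk_key, ta, iv32);
        ctx->rx_phase1_done = 1;
    }
}
/* tkip_setkey() with or without the proposed reset; rsc is the RSC plumbed with the key. */
static void setkey_model(struct ieee80211_key *k, const uint8_t key[16], uint64_t rsc, int reset)
{
    memcpy(k->wk_key, key, 16);
    k->wk_keyrsc[0] = rsc;
    if (reset)   /* the fix: the cached rx_ttak belongs to the old key */
        ((struct tkip_ctx *)k->wk_private)->rx_phase1_done = 0;
}
/* 1 if the frame after a rekey uses the new key's phase 1, 0 if the stale cached one is reused (ICV mismatch case). */
int rekey_uses_fresh_phase1(int reset)
{
    static const uint8_t ta[6] = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55 };   /* constructed */
    static const uint8_t key_old[16] = { [0] = 0x11 }, key_new[16] = { [0] = 0x22 };
    struct tkip_ctx ctx = { {0}, 0 };
    struct ieee80211_key k = { {0}, {0}, &ctx };
    uint32_t iv32 = 7, expect[5];
    setkey_model(&k, key_old, (uint64_t)iv32 << 16, reset);
    rx_phase1(&k, ta, iv32, 0);                 /* first frame caches phase 1 */
    /* Group rekey; assumed, as in the report, that the plumbed RSC and the next
     * frame share iv32, so only the flag can force a recompute. */
    setkey_model(&k, key_new, (uint64_t)iv32 << 16, reset);
    rx_phase1(&k, ta, iv32, 0);
    phase1_stub(expect, key_new, ta, iv32);
    return memcmp(ctx.rx_ttak, expect, sizeof expect) == 0;
}
```

Calling rekey_uses_fresh_phase1(0) returns 0 (the old key's phase-1 output is reused after the rekey), while rekey_uses_fresh_phase1(1) returns 1 because the cleared flag forces tkip_decrypt()'s check to rerun phase 1.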