Date: Fri, 29 Oct 2004 22:02:28 GMT
From: Sam Leffler <sam@FreeBSD.org>
To: Perforce Change Reviews <perforce@freebsd.org>
Subject: PERFORCE change 63954 for review
Message-ID: <200410292202.i9TM2SlM001674@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=63954

Change 63954 by sam@sam_ebb on 2004/10/29 22:01:31

Correct key selection for multicast frames with WPA: by
convention the group key is set as the default tx key so
we need to use that (when defined) for mcast frames and we
should NOT use it as a fallback for unicast frames. This
fixes problems with incorrectly encrypting EAPOL traffic
when a unicast key is defined and not encrypting multicast
traffic when operating as a WPA-enabled ap.

Affected files ...

.. //depot/projects/wifi/sys/net80211/ieee80211_output.c#5 edit

Differences ...

==== //depot/projects/wifi/sys/net80211/ieee80211_output.c#5 (text+ko) ====
@@ -217,22 +217,30 @@ } /* - * Return the transmit key to use in sending a frame to - * the specified destination. Multicast traffic always - * uses the group key. Otherwise if a unicast key is - * set we use that. When no unicast key is set we fall - * back to the default transmit key. + * Return the transmit key to use in sending a frame to the specified + * destination. Multicast traffic always uses the group key which is + * installed the default tx key. Otherwise if a unicast key is set + * we use that. When no unicast key is set we fall back to the default + * transmit key unless WPA is enabled in which case there should be + * a unicast frame so we don't want to use a default key (which in + * this case is the group/multicast key). */ static inline struct ieee80211_key * ieee80211_crypto_getkey(struct ieee80211com *ic, const u_int8_t mac[IEEE80211_ADDR_LEN], struct ieee80211_node *ni) { #define KEY_UNDEFINED(k) ((k).wk_cipher == &ieee80211_cipher_none) - if (IEEE80211_IS_MULTICAST(mac) || KEY_UNDEFINED(ni->ni_ucastkey)) { + if (IEEE80211_IS_MULTICAST(mac)) { if (ic->ic_def_txkey == IEEE80211_KEYIX_NONE || KEY_UNDEFINED(ic->ic_nw_keys[ic->ic_def_txkey])) return NULL; return &ic->ic_nw_keys[ic->ic_def_txkey]; + } else if (KEY_UNDEFINED(ni->ni_ucastkey)) { + if ((ic->ic_flags & IEEE80211_F_WPA) || + ic->ic_def_txkey == IEEE80211_KEYIX_NONE || + KEY_UNDEFINED(ic->ic_nw_keys[ic->ic_def_txkey])) + return NULL; + return &ic->ic_nw_keys[ic->ic_def_txkey]; } else { return &ni->ni_ucastkey; }
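
Review bot: In the new `else if (KEY_UNDEFINED(ni->ni_ucastkey))` branch, the `IEEE80211_F_WPA` case returns NULL, which is the same value the function returns when no default tx key is configured at all, so the caller cannot tell "WPA is on but the unicast key is not installed yet" apart from "no encryption in use". The hunk does not show what the caller does with a NULL key; it is worth confirming there that only EAPOL frames can leave unencrypted in that window, and saying so in a short comment next to the WPA test. Two wording points in the block comment: "which is installed the default tx key" is missing "as", and "there should be a unicast frame" reads as if "unicast key" was meant. The `ic->ic_def_txkey == IEEE80211_KEYIX_NONE || KEY_UNDEFINED(ic->ic_nw_keys[ic->ic_def_txkey])` test now appears in both branches and could be folded into one local check to keep the two paths from drifting apart.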