From: Johannes Berg <johannes@sipsolutions.net>
To: Felix Fietkau <nbd@nbd.name>, linux-wireless@vger.kernel.org
Cc: kvalo@codeaurora.org
Subject: Re: [PATCH 8/8] mt76: validate rx CCMP PN
Date: Wed, 24 Jan 2018 16:56:56 +0100
Message-ID: <1516809416.2508.44.camel@sipsolutions.net>
In-Reply-To: <20180124151917.70962-8-nbd@nbd.name> (sfid-20180124_161933_713573_40392955)

On Wed, 2018-01-24 at 16:19 +0100, Felix Fietkau wrote:
> Apparently hardware does not perform CCMP PN validation in hardware, so
> we need to take care of this in the driver. This is important for
> protecting against replay attacks
> 
> +static int
> +mt76_check_ccmp_pn(struct sk_buff *skb)
> +{
> +	struct mt76_rx_status *status = (struct mt76_rx_status *) skb->cb;
> +	struct mt76_wcid *wcid = status->wcid;
> +	int ret;
> +
> +	if (!(status->flag & RX_FLAG_DECRYPTED))
> +		return 0;
> +
> +	if (!wcid || !wcid->rx_check_pn)
> +		return 0;
> +
> +	BUILD_BUG_ON(sizeof(status->iv) != sizeof(wcid->rx_key_pn[0]));
> +	ret = memcmp(status->iv, wcid->rx_key_pn[status->tid],
> +		     sizeof(status->iv));
> +	if (ret <= 0)
> +		return -EINVAL; /* replay */
> +
> +	memcpy(wcid->rx_key_pn[status->tid], status->iv, sizeof(status->iv));
> +	status->flag |= RX_FLAG_PN_VALIDATED;
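
Review bot: the replay test in `ret = memcmp(status->iv, wcid->rx_key_pn[status->tid], sizeof(status->iv))` orders the two PNs correctly only if both buffers hold the PN most-significant byte first, and nothing in this hunk states or enforces that; a comment at the memcmp() or on the two fields would make the `ret <= 0` check reviewable. In the same lines, `status->tid` indexes `rx_key_pn` with no visible bound check, and the function gates only on RX_FLAG_DECRYPTED and `wcid->rx_check_pn`, so every decrypted frame for that wcid is compared against and advances the per-TID counter regardless of frame type or fragmentation. Suggest validating tid against the array size and restricting which frames reach the comparison.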

You shouldn't do this, try to somehow make it rely on mac80211 instead.

Otherwise, you really have to handle CCMP vs. fragmentation.

johannes
