From: Matthias May <matthias.may@neratec.com>
To: Johannes Berg <johannes@sipsolutions.net>,
Emmanuel Grumbach <egrumbach@gmail.com>,
voncken <cedric.voncken@acksys.fr>
Cc: linux-wireless <linux-wireless@vger.kernel.org>
Subject: Re: Mac80211 : Wpa rekeying issue
Date: Wed, 6 Jan 2016 10:09:37 +0100 [thread overview]
Message-ID: <568CD9D1.6080001@neratec.com> (raw)
In-Reply-To: <1452009029.12357.37.camel@sipsolutions.net>
On 05/01/16 16:50, Johannes Berg wrote:
> On Tue, 2016-01-05 at 11:54 +0100, Matthias May wrote:
>>
>> Not safe as in "access to stuff which has to be locked", or not safe
>> as
>> in "a CCMP replay attack is possible"?
>> When changing this we argumented that since we are not really
>> connected
>> yet, a CCMP replay attack doesn't really make sense.
>>
>
> It's a bit more complicated than my first look suggested, it seems.
>
> However, I'm not sure what effect your patch is supposed to have.
> You're skipping CCMP replay checking and update when not authorized
> yet, at which point the station isn't receiving frames anyway (though
> they'd be checked for all this, they'd later be discarded).
>
> Once it becomes authorized, you do the checks. However, it never
> becomes unauthorized again, even for rekeying, so for the PTK rekeying
> issue at hand it's pretty much a no-op?
>
afaik it solves the issue that when a STA roames from AP1 to AP2, and
key material is installed at different times.
We observed encrypted frames which had a wrong CCMP counter. If the STA
updates it's counter with these frames then depending on the wrong CCMP
value received, up to a few hundred frames were dropped.
Not exactly the same as rekeying but the effect are pretty similar.
> johannes
>
> PS: the comment in your patch is also wrong:
>
>> + /* If we are a station update the ccmp counter only when we are
>> + * authorised. For all other modes always update. */
>> + if (!rx->sta ||
>> + (rx->sta && test_sta_flag(rx->sta, WLAN_STA_AUTHORIZED)) ) {
>
> There's no check for "if we are a station" here.
>
Yeah this doesn't make sense.
Also the check on !rx-sta seems superfluous since it's already checked a
few lines above.
Regards
Matthias
next prev parent reply other threads:[~2016-01-06 9:09 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-12-29 13:01 Mac80211 : Wpa rekeying issue Cedric VONCKEN
2015-12-29 14:19 ` Emmanuel Grumbach
2015-12-29 15:23 ` voncken
2015-12-31 8:12 ` voncken
2015-12-31 8:41 ` Emmanuel Grumbach
2015-12-31 10:15 ` voncken
2015-12-31 15:25 ` Ben Greear
2016-01-05 9:19 ` Johannes Berg
2016-01-05 9:47 ` Matthias May
2016-01-05 9:58 ` Johannes Berg
2016-01-05 10:54 ` Matthias May
2016-01-05 15:50 ` Johannes Berg
2016-01-06 9:09 ` Matthias May [this message]
2016-01-07 21:06 ` Johannes Berg
2016-01-07 21:15 ` Johannes Berg
2016-01-12 11:38 ` Emmanuel Grumbach
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=568CD9D1.6080001@neratec.com \
--to=matthias.may@neratec.com \
--cc=cedric.voncken@acksys.fr \
--cc=egrumbach@gmail.com \
--cc=johannes@sipsolutions.net \
--cc=linux-wireless@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.