From: Johannes Berg <johannes@sipsolutions.net>
To: linville@tuxdriver.com
Cc: linux-wireless@vger.kernel.org, flamingice@sourmilk.net
Subject: [patch 07/12] mac80211: fix TKIP IV update
Date: Wed, 26 Sep 2007 15:19:45 +0200 [thread overview]
Message-ID: <20070926132134.337214000@sipsolutions.net> (raw)
In-Reply-To: 20070926131938.575572000@sipsolutions.net
The TKIP IV should be updated only after MMIC verification,
this patch changes it to be at that spot.
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
---
net/mac80211/ieee80211_i.h | 2 ++
net/mac80211/tkip.c | 16 ++++++++++------
net/mac80211/tkip.h | 3 ++-
net/mac80211/wpa.c | 8 +++++++-
4 files changed, 21 insertions(+), 8 deletions(-)
--- wireless-dev.orig/net/mac80211/ieee80211_i.h 2007-09-25 23:29:36.561571777 +0200
+++ wireless-dev/net/mac80211/ieee80211_i.h 2007-09-25 23:29:37.921572374 +0200
@@ -153,6 +153,8 @@ struct ieee80211_txrx_data {
int sent_ps_buffered;
int queue;
int load;
+ u32 tkip_iv32;
+ u16 tkip_iv16;
} rx;
} u;
};
--- wireless-dev.orig/net/mac80211/tkip.c 2007-09-25 23:28:21.111571506 +0200
+++ wireless-dev/net/mac80211/tkip.c 2007-09-25 23:29:37.921572374 +0200
@@ -238,7 +238,8 @@ void ieee80211_tkip_encrypt_data(struct
int ieee80211_tkip_decrypt_data(struct crypto_blkcipher *tfm,
struct ieee80211_key *key,
u8 *payload, size_t payload_len, u8 *ta,
- int only_iv, int queue)
+ int only_iv, int queue,
+ u32 *out_iv32, u16 *out_iv16)
{
u32 iv32;
u32 iv16;
@@ -332,11 +333,14 @@ int ieee80211_tkip_decrypt_data(struct c
res = ieee80211_wep_decrypt_data(tfm, rc4key, 16, pos, payload_len - 12);
done:
if (res == TKIP_DECRYPT_OK) {
- /* FIX: these should be updated only after Michael MIC has been
- * verified */
- /* Record previously received IV */
- key->u.tkip.iv32_rx[queue] = iv32;
- key->u.tkip.iv16_rx[queue] = iv16;
+ /*
+ * Record previously received IV, will be copied into the
+ * key information after MIC verification. It is possible
+ * that we don't catch replays of fragments but that's ok
+ * because the Michael MIC verication will then fail.
+ */
+ *out_iv32 = iv32;
+ *out_iv16 = iv16;
}
return res;
--- wireless-dev.orig/net/mac80211/tkip.h 2007-09-25 23:28:21.151572971 +0200
+++ wireless-dev/net/mac80211/tkip.h 2007-09-25 23:29:37.931571561 +0200
@@ -31,6 +31,7 @@ enum {
int ieee80211_tkip_decrypt_data(struct crypto_blkcipher *tfm,
struct ieee80211_key *key,
u8 *payload, size_t payload_len, u8 *ta,
- int only_iv, int queue);
+ int only_iv, int queue,
+ u32 *out_iv32, u16 *out_iv16);
#endif /* TKIP_H */
--- wireless-dev.orig/net/mac80211/wpa.c 2007-09-25 23:29:35.111582139 +0200
+++ wireless-dev/net/mac80211/wpa.c 2007-09-25 23:29:37.931571561 +0200
@@ -175,6 +175,10 @@ ieee80211_rx_h_michael_mic_verify(struct
/* remove Michael MIC from payload */
skb_trim(skb, skb->len - MICHAEL_MIC_LEN);
+ /* update IV in key information to be able to detect replays */
+ rx->key->u.tkip.iv32_rx[rx->u.rx.queue] = rx->u.rx.tkip_iv32;
+ rx->key->u.tkip.iv16_rx[rx->u.rx.queue] = rx->u.rx.tkip_iv16;
+
return TXRX_CONTINUE;
}
@@ -315,7 +319,9 @@ ieee80211_crypto_tkip_decrypt(struct iee
res = ieee80211_tkip_decrypt_data(rx->local->wep_rx_tfm,
key, skb->data + hdrlen,
skb->len - hdrlen, rx->sta->addr,
- hwaccel, rx->u.rx.queue);
+ hwaccel, rx->u.rx.queue,
+ &rx->u.rx.tkip_iv32,
+ &rx->u.rx.tkip_iv16);
if (res != TKIP_DECRYPT_OK || wpa_test) {
printk(KERN_DEBUG "%s: TKIP decrypt failed for RX frame from "
"%s (res=%d)\n",
--
next prev parent reply other threads:[~2007-09-26 13:24 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-09-26 13:19 [patch 00/12] mac80211 fixes, updates, preparations for hostapd tree Johannes Berg
2007-09-26 13:19 ` [patch 01/12] mac80211: pass frames to monitor interfaces early Johannes Berg
2007-09-26 13:19 ` [patch 02/12] mac80211: consolidate decryption Johannes Berg
2007-09-26 13:19 ` [patch 03/12] mac80211: consolidate encryption Johannes Berg
2007-09-26 13:19 ` [patch 04/12] mac80211: remove ieee80211_wep_get_keyidx Johannes Berg
2007-09-26 13:19 ` [patch 05/12] mac80211: fix vlan bug Johannes Berg
2007-09-26 13:19 ` [patch 06/12] mac80211: fix sparse warning Johannes Berg
2007-09-26 13:19 ` Johannes Berg [this message]
2007-09-26 13:19 ` [patch 08/12] cfg80211: fix initialisation if built-in Johannes Berg
2007-09-26 13:19 ` [patch 09/12] mac80211: fix iff_promiscs, iff_allmultis race Johannes Berg
2007-09-26 13:19 ` [patch 10/12] mac80211: remove all prism2 ioctls Johannes Berg
2007-09-26 13:19 ` [patch 11/12] mac80211: remove management interface Johannes Berg
2007-09-27 20:58 ` John W. Linville
2007-09-28 10:48 ` Johannes Berg
2007-09-28 12:01 ` [patch 11a/12] mac80211: add "invalid" interface type Johannes Berg
2007-09-28 12:02 ` [patch 11b/12] mac80211: remove management interface Johannes Berg
2007-09-26 13:19 ` [patch 12/12] mac80211: remove generic IE for AP interfaces Johannes Berg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20070926132134.337214000@sipsolutions.net \
--to=johannes@sipsolutions.net \
--cc=flamingice@sourmilk.net \
--cc=linux-wireless@vger.kernel.org \
--cc=linville@tuxdriver.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).