[PATCH 1/2] mac80211: Ignore replay for IBSS interfaces

[PATCH 1/2] mac80211: Ignore replay for IBSS interfaces

[Benoit Papillault]

Using WPA-NONE, the same key is used on multiple stations. As such, with
at least 3 nodes, a node will receive frames from the other 2 nodes and
frames from one of those nodes will be ignored since they are being
detected as replayed.

Note: WPA-NONE is not specified in 802.11i. Instead WPA2 should be used,
but it is not currently implemented.

Signed-off-by: Benoit Papillault <benoit.papillault@free.fr>
---
 net/mac80211/tkip.c |    6 +++++-
 net/mac80211/wpa.c  |   10 +++++++---
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/net/mac80211/tkip.c b/net/mac80211/tkip.c
index 7ef491e..f7e0062 100644
--- a/net/mac80211/tkip.c
+++ b/net/mac80211/tkip.c
@@ -234,6 +234,7 @@ int ieee80211_tkip_decrypt_data(struct crypto_blkcipher *tfm,
 	u8 rc4key[16], keyid, *pos = payload;
 	int res;
 	const u8 *tk = &key->conf.key[NL80211_TKIP_DATA_OFFSET_ENCR_KEY];
+	bool tkip_decrypt_replay = 0;
 
 	if (payload_len < 12)
 		return -1;
@@ -271,7 +272,7 @@ int ieee80211_tkip_decrypt_data(struct crypto_blkcipher *tfm,
 		       iv32, iv16, key->u.tkip.rx[queue].iv32,
 		       key->u.tkip.rx[queue].iv16);
 #endif
-		return TKIP_DECRYPT_REPLAY;
+		tkip_decrypt_replay = 1;
 	}
 
 	if (only_iv) {
@@ -338,5 +339,8 @@ int ieee80211_tkip_decrypt_data(struct crypto_blkcipher *tfm,
 		*out_iv16 = iv16;
 	}
 
+	if (tkip_decrypt_replay)
+		return TKIP_DECRYPT_REPLAY;
+
 	return res;
 }
diff --git a/net/mac80211/wpa.c b/net/mac80211/wpa.c
index f4971cd..da1186d 100644
--- a/net/mac80211/wpa.c
+++ b/net/mac80211/wpa.c
@@ -242,7 +242,9 @@ ieee80211_crypto_tkip_decrypt(struct ieee80211_rx_data *rx)
 					  hdr->addr1, hwaccel, rx->queue,
 					  &rx->tkip_iv32,
 					  &rx->tkip_iv16);
-	if (res != TKIP_DECRYPT_OK || wpa_test)
+	if ((res != TKIP_DECRYPT_OK || wpa_test) &&
+	    !(res == TKIP_DECRYPT_REPLAY &&
+	      rx->sdata->vif.type != NL80211_IFTYPE_ADHOC))
 		return RX_DROP_UNUSABLE;
 
 	/* Trim ICV */
@@ -453,7 +455,8 @@ ieee80211_crypto_ccmp_decrypt(struct ieee80211_rx_data *rx)
 
 	ccmp_hdr2pn(pn, skb->data + hdrlen);
 
-	if (memcmp(pn, key->u.ccmp.rx_pn[rx->queue], CCMP_PN_LEN) <= 0) {
+	if ((memcmp(pn, key->u.ccmp.rx_pn[rx->queue], CCMP_PN_LEN) <= 0) &&
+	    (rx->sdata->vif.type != NL80211_IFTYPE_ADHOC)) {
 		key->u.ccmp.replays++;
 		return RX_DROP_UNUSABLE;
 	}
@@ -576,7 +579,8 @@ ieee80211_crypto_aes_cmac_decrypt(struct ieee80211_rx_data *rx)
 
 	bip_ipn_swap(ipn, mmie->sequence_number);
 
-	if (memcmp(ipn, key->u.aes_cmac.rx_pn, 6) <= 0) {
+	if ((memcmp(ipn, key->u.aes_cmac.rx_pn, 6) <= 0) &&
+	    (rx->sdata->vif.type != NL80211_IFTYPE_ADHOC)) {
 		key->u.aes_cmac.replays++;
 		return RX_DROP_UNUSABLE;
 	}
-- 
1.5.6.5

[PATCH 2/2] mac80211: Fix WPA-NONE for RX unicast frames

[Benoit Papillault]

This patch might have side effect which needs to be studied

Signed-off-by: Benoit Papillault <benoit.papillault@free.fr>
---
 net/mac80211/rx.c |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 22ae6ee..f73fe9b 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -923,6 +923,13 @@ ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx)
 		rx->key = rcu_dereference(rx->sdata->keys[keyidx]);
 
 		/*
+		 * Using WPA-NONE in IBSS, all frames, be it unicast or
+		 * multicast (including broadcast) are encrypted with the
+		 * same group key. In this case, we should not reset the key
+		 * to NULL
+		 */
+#if 0
+		/*
 		 * RSNA-protected unicast frames should always be sent with
 		 * pairwise or station-to-station keys, but for WEP we allow
 		 * using a key index as well.
@@ -930,6 +937,7 @@ ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx)
 		if (rx->key && rx->key->conf.alg != ALG_WEP &&
 		    !is_multicast_ether_addr(hdr->addr1))
 			rx->key = NULL;
+#endif
 	}
 
 	if (rx->key) {
-- 
1.5.6.5

Re: [PATCH 2/2] mac80211: Fix WPA-NONE for RX unicast frames

[Johannes Berg]

[-- Attachment #1: Type: text/plain, Size: 1134 bytes --]

On Mon, 2010-02-15 at 00:32 +0100, Benoit Papillault wrote:
> This patch might have side effect which needs to be studied
> 
> Signed-off-by: Benoit Papillault <benoit.papillault@free.fr>
> ---
>  net/mac80211/rx.c |    8 ++++++++
>  1 files changed, 8 insertions(+), 0 deletions(-)
> 
> diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
> index 22ae6ee..f73fe9b 100644
> --- a/net/mac80211/rx.c
> +++ b/net/mac80211/rx.c
> @@ -923,6 +923,13 @@ ieee80211_rx_h_decrypt(struct ieee80211_rx_data
> *rx)
>  		rx->key = rcu_dereference(rx->sdata->keys[keyidx]);
>  
>  		/*
> +		 * Using WPA-NONE in IBSS, all frames, be it unicast or
> +		 * multicast (including broadcast) are encrypted with the
> +		 * same group key. In this case, we should not reset the key
> +		 * to NULL
> +		 */
> +#if 0
> +		/*
>  		 * RSNA-protected unicast frames should always be sent with
>  		 * pairwise or station-to-station keys, but for WEP we allow
>  		 * using a key index as well.

#if 0 is never a good idea, and that code is certainly needed.

Don't send bad patches like this with [PATCH] tag please.

johannes

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 801 bytes --]

Re: [PATCH 1/2] mac80211: Ignore replay for IBSS interfaces

[Johannes Berg]

[-- Attachment #1: Type: text/plain, Size: 2495 bytes --]

On Mon, 2010-02-15 at 00:32 +0100, Benoit Papillault wrote:
> Using WPA-NONE, the same key is used on multiple stations. As such,
> with
> at least 3 nodes, a node will receive frames from the other 2 nodes
> and
> frames from one of those nodes will be ignored since they are being
> detected as replayed.
> 
> Note: WPA-NONE is not specified in 802.11i. Instead WPA2 should be
> used,
> but it is not currently implemented.
> 
> Signed-off-by: Benoit Papillault <benoit.papillault@free.fr>
> ---
>  net/mac80211/tkip.c |    6 +++++-
>  net/mac80211/wpa.c  |   10 +++++++---
>  2 files changed, 12 insertions(+), 4 deletions(-)
> 
> diff --git a/net/mac80211/tkip.c b/net/mac80211/tkip.c
> index 7ef491e..f7e0062 100644
> --- a/net/mac80211/tkip.c
> +++ b/net/mac80211/tkip.c
> @@ -234,6 +234,7 @@ int ieee80211_tkip_decrypt_data(struct
> crypto_blkcipher *tfm,
>  	u8 rc4key[16], keyid, *pos = payload;
>  	int res;
>  	const u8 *tk = &key->conf.key[NL80211_TKIP_DATA_OFFSET_ENCR_KEY];
> +	bool tkip_decrypt_replay = 0;
>  
>  	if (payload_len < 12)
>  		return -1;
> @@ -271,7 +272,7 @@ int ieee80211_tkip_decrypt_data(struct
> crypto_blkcipher *tfm,
>  		       iv32, iv16, key->u.tkip.rx[queue].iv32,
>  		       key->u.tkip.rx[queue].iv16);
>  #endif
> -		return TKIP_DECRYPT_REPLAY;
> +		tkip_decrypt_replay = 1;
>  	}
>  
>  	if (only_iv) {
> @@ -338,5 +339,8 @@ int ieee80211_tkip_decrypt_data(struct
> crypto_blkcipher *tfm,
>  		*out_iv16 = iv16;
>  	}
>  
> +	if (tkip_decrypt_replay)
> +		return TKIP_DECRYPT_REPLAY;
> +
>  	return res;
>  }
> diff --git a/net/mac80211/wpa.c b/net/mac80211/wpa.c
> index f4971cd..da1186d 100644
> --- a/net/mac80211/wpa.c
> +++ b/net/mac80211/wpa.c
> @@ -242,7 +242,9 @@ ieee80211_crypto_tkip_decrypt(struct
> ieee80211_rx_data *rx)
>  					  hdr->addr1, hwaccel, rx->queue,
>  					  &rx->tkip_iv32,
>  					  &rx->tkip_iv16);
> -	if (res != TKIP_DECRYPT_OK || wpa_test)
> +	if ((res != TKIP_DECRYPT_OK || wpa_test) &&
> +	    !(res == TKIP_DECRYPT_REPLAY &&
> +	      rx->sdata->vif.type != NL80211_IFTYPE_ADHOC))
>  		return RX_DROP_UNUSABLE;

NACK. This will clearly _break_ any proper RSN implementation. WPA-NONE
is the non-standard thing here, so requiring that somebody wanting to
implement proper RSN fix this doesn't seem right to me. And RSN
shouldn't actually be hard to implement with the events that we have now
-- it might just be a userspace thing.

johannes

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 801 bytes --]

Re: [PATCH 1/2] mac80211: Ignore replay for IBSS interfaces

[Benoit PAPILLAULT]

Johannes Berg a écrit :
> On Mon, 2010-02-15 at 00:32 +0100, Benoit Papillault wrote:
>   
>> Using WPA-NONE, the same key is used on multiple stations. As such,
>> with
>> at least 3 nodes, a node will receive frames from the other 2 nodes
>> and
>> frames from one of those nodes will be ignored since they are being
>> detected as replayed.
>>
>> Note: WPA-NONE is not specified in 802.11i. Instead WPA2 should be
>> used,
>> but it is not currently implemented.
>>
>> Signed-off-by: Benoit Papillault <benoit.papillault@free.fr>
>> ---
>>  net/mac80211/tkip.c |    6 +++++-
>>  net/mac80211/wpa.c  |   10 +++++++---
>>  2 files changed, 12 insertions(+), 4 deletions(-)
>>
>> diff --git a/net/mac80211/tkip.c b/net/mac80211/tkip.c
>> index 7ef491e..f7e0062 100644
>> --- a/net/mac80211/tkip.c
>> +++ b/net/mac80211/tkip.c
>> @@ -234,6 +234,7 @@ int ieee80211_tkip_decrypt_data(struct
>> crypto_blkcipher *tfm,
>>  	u8 rc4key[16], keyid, *pos = payload;
>>  	int res;
>>  	const u8 *tk = &key->conf.key[NL80211_TKIP_DATA_OFFSET_ENCR_KEY];
>> +	bool tkip_decrypt_replay = 0;
>>  
>>  	if (payload_len < 12)
>>  		return -1;
>> @@ -271,7 +272,7 @@ int ieee80211_tkip_decrypt_data(struct
>> crypto_blkcipher *tfm,
>>  		       iv32, iv16, key->u.tkip.rx[queue].iv32,
>>  		       key->u.tkip.rx[queue].iv16);
>>  #endif
>> -		return TKIP_DECRYPT_REPLAY;
>> +		tkip_decrypt_replay = 1;
>>  	}
>>  
>>  	if (only_iv) {
>> @@ -338,5 +339,8 @@ int ieee80211_tkip_decrypt_data(struct
>> crypto_blkcipher *tfm,
>>  		*out_iv16 = iv16;
>>  	}
>>  
>> +	if (tkip_decrypt_replay)
>> +		return TKIP_DECRYPT_REPLAY;
>> +
>>  	return res;
>>  }
>> diff --git a/net/mac80211/wpa.c b/net/mac80211/wpa.c
>> index f4971cd..da1186d 100644
>> --- a/net/mac80211/wpa.c
>> +++ b/net/mac80211/wpa.c
>> @@ -242,7 +242,9 @@ ieee80211_crypto_tkip_decrypt(struct
>> ieee80211_rx_data *rx)
>>  					  hdr->addr1, hwaccel, rx->queue,
>>  					  &rx->tkip_iv32,
>>  					  &rx->tkip_iv16);
>> -	if (res != TKIP_DECRYPT_OK || wpa_test)
>> +	if ((res != TKIP_DECRYPT_OK || wpa_test) &&
>> +	    !(res == TKIP_DECRYPT_REPLAY &&
>> +	      rx->sdata->vif.type != NL80211_IFTYPE_ADHOC))
>>  		return RX_DROP_UNUSABLE;
>>     
>
> NACK. This will clearly _break_ any proper RSN implementation. WPA-NONE
> is the non-standard thing here, so requiring that somebody wanting to
> implement proper RSN fix this doesn't seem right to me. And RSN
> shouldn't actually be hard to implement with the events that we have now
> -- it might just be a userspace thing.
>
> johannes
>   
Right. This patch disable replay protection. RSN is indeed the correct 
solution, but it's out of reach for me (no time, no skills). As such, I 
thought that WPA-NONE could be useful in the interim.

Jouni : I would appreciate your input here. What's the status of IBSS 
RSN? How much time/skills would be required to implement it?

Regards,
Benoit

Re: [PATCH 1/2] mac80211: Ignore replay for IBSS interfaces

[Jouni Malinen]

On Mon, Feb 15, 2010 at 11:41:05PM +0100, Benoit PAPILLAULT wrote:
> Right. This patch disable replay protection. RSN is indeed the
> correct solution, but it's out of reach for me (no time, no skills).
> As such, I thought that WPA-NONE could be useful in the interim.

I do not think it is acceptable to introduce anything that disables
replay protection.

> Jouni : I would appreciate your input here. What's the status of
> IBSS RSN? How much time/skills would be required to implement it?

The key management side (4-way handshakes) should all be in place now
and the main missing part is in being able to configure all the GTKs
(one per peer) and use the GTKs properly (i.e., match the key per addr2
when addr1 is broadcast/multicast). A good initial step would be to
hardcode mac80211 to use software encryption and extend that to support
multiple GTKs. Once that is working, we can see whether some of the
drivers would be able to do CCMP in hardware for such key configuration.

-- 
Jouni Malinen                                            PGP id EFC895FA

Re: [PATCH 1/2] mac80211: Ignore replay for IBSS interfaces

[Benoit PAPILLAULT]

Jouni Malinen a écrit :
> On Mon, Feb 15, 2010 at 11:41:05PM +0100, Benoit PAPILLAULT wrote:
>   
>> Right. This patch disable replay protection. RSN is indeed the
>> correct solution, but it's out of reach for me (no time, no skills).
>> As such, I thought that WPA-NONE could be useful in the interim.
>>     
>
> I do not think it is acceptable to introduce anything that disables
> replay protection.
>   
I know but WPA-NONE is what is implemented in some commercial products...
>   
>> Jouni : I would appreciate your input here. What's the status of
>> IBSS RSN? How much time/skills would be required to implement it?
>>     
>
> The key management side (4-way handshakes) should all be in place now
> and the main missing part is in being able to configure all the GTKs
> (one per peer) and use the GTKs properly (i.e., match the key per addr2
> when addr1 is broadcast/multicast). A good initial step would be to
> hardcode mac80211 to use software encryption and extend that to support
> multiple GTKs. Once that is working, we can see whether some of the
> drivers would be able to do CCMP in hardware for such key configuration.
>
>   
Ah. That's very good news! So wpa_supplicant is already OK and the only 
changes needed is in mac80211 then? and it's related to the GTK use? 
Could you point to me to a sample wpa_supplicant configuration file so I 
can try that out.

Thanks for the information.

Regards,
Benoit