From: Matthias May <matthias.may@neratec.com>
To: Johannes Berg <johannes@sipsolutions.net>,
Emmanuel Grumbach <egrumbach@gmail.com>,
voncken <cedric.voncken@acksys.fr>
Cc: linux-wireless <linux-wireless@vger.kernel.org>
Subject: Re: Mac80211 : Wpa rekeying issue
Date: Wed, 6 Jan 2016 10:09:37 +0100 [thread overview]
Message-ID: <568CD9D1.6080001@neratec.com> (raw)
In-Reply-To: <1452009029.12357.37.camel@sipsolutions.net>
On 05/01/16 16:50, Johannes Berg wrote:
> On Tue, 2016-01-05 at 11:54 +0100, Matthias May wrote:
>>
>> Not safe as in "access to stuff which has to be locked", or not safe
>> as
>> in "a CCMP replay attack is possible"?
>> When changing this we argumented that since we are not really
>> connected
>> yet, a CCMP replay attack doesn't really make sense.
>>
>
> It's a bit more complicated than my first look suggested, it seems.
>
> However, I'm not sure what effect your patch is supposed to have.
> You're skipping CCMP replay checking and update when not authorized
> yet, at which point the station isn't receiving frames anyway (though
> they'd be checked for all this, they'd later be discarded).
>
> Once it becomes authorized, you do the checks. However, it never
> becomes unauthorized again, even for rekeying, so for the PTK rekeying
> issue at hand it's pretty much a no-op?
>
afaik it solves the issue that when a STA roames from AP1 to AP2, and
key material is installed at different times.
We observed encrypted frames which had a wrong CCMP counter. If the STA
updates it's counter with these frames then depending on the wrong CCMP
value received, up to a few hundred frames were dropped.
Not exactly the same as rekeying but the effect are pretty similar.
> johannes
>
> PS: the comment in your patch is also wrong:
>
>> + /* If we are a station update the ccmp counter only when we are
>> + * authorised. For all other modes always update. */
>> + if (!rx->sta ||
>> + (rx->sta && test_sta_flag(rx->sta, WLAN_STA_AUTHORIZED)) ) {
>
> There's no check for "if we are a station" here.
>
Yeah this doesn't make sense.
Also the check on !rx-sta seems superfluous since it's already checked a
few lines above.
Regards
Matthias
next prev parent reply other threads:[~2016-01-06 9:09 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-12-29 13:01 Mac80211 : Wpa rekeying issue Cedric VONCKEN
2015-12-29 14:19 ` Emmanuel Grumbach
2015-12-29 15:23 ` voncken
2015-12-31 8:12 ` voncken
2015-12-31 8:41 ` Emmanuel Grumbach
2015-12-31 10:15 ` voncken
2015-12-31 15:25 ` Ben Greear
2016-01-05 9:19 ` Johannes Berg
2016-01-05 9:47 ` Matthias May
2016-01-05 9:58 ` Johannes Berg
2016-01-05 10:54 ` Matthias May
2016-01-05 15:50 ` Johannes Berg
2016-01-06 9:09 ` Matthias May [this message]
2016-01-07 21:06 ` Johannes Berg
2016-01-07 21:15 ` Johannes Berg
2016-01-12 11:38 ` Emmanuel Grumbach
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=568CD9D1.6080001@neratec.com \
--to=matthias.may@neratec.com \
--cc=cedric.voncken@acksys.fr \
--cc=egrumbach@gmail.com \
--cc=johannes@sipsolutions.net \
--cc=linux-wireless@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).