* [patch 2/2] d80211: fix wep_tfm race
@ 2006-10-20 9:20 Hong Liu
0 siblings, 0 replies; 2+ messages in thread
From: Hong Liu @ 2006-10-20 9:20 UTC (permalink / raw)
To: Jiri Benc; +Cc: John W. Linville, netdev
The TX/RX path all use the local->wep_tfm to encrypt and decrypt
packets. Each {en|de}crypt operation need set a new RC4key,
this may corrupt the previous set key that is still being used.
Thus cause a lot of decrypton error or encryption with the wrong key.
Use two tfm (tx_tfm and rx_tfm) to avoid this race.
Signed-off-by: Hong Liu <hong.liu@intel.com>
---
net/d80211/ieee80211_i.h | 3 ++-
net/d80211/wep.c | 18 +++++++++++++-----
net/d80211/wpa.c | 6 ++++--
3 files changed, 19 insertions(+), 8 deletions(-)
634c9615ce3cd06dc7f6aff05e43e61490a53472
diff --git a/net/d80211/ieee80211_i.h b/net/d80211/ieee80211_i.h
index 425fc9b..152b41a 100644
--- a/net/d80211/ieee80211_i.h
+++ b/net/d80211/ieee80211_i.h
@@ -402,7 +402,8 @@ #define IEEE80211_IRQSAFE_QUEUE_LIMIT 12
int long_retry_limit; /* dot11LongRetryLimit */
int short_preamble; /* use short preamble with IEEE 802.11b */
- struct crypto_tfm *wep_tfm;
+ struct crypto_tfm *wep_tx_tfm;
+ struct crypto_tfm *wep_rx_tfm;
u32 wep_iv;
int key_tx_rx_threshold; /* number of times any key can be used in TX
* or RX before generating a rekey
diff --git a/net/d80211/wep.c b/net/d80211/wep.c
index 22c2e53..06e0230 100644
--- a/net/d80211/wep.c
+++ b/net/d80211/wep.c
@@ -26,16 +26,23 @@ int ieee80211_wep_init(struct ieee80211_
/* start WEP IV from a random value */
get_random_bytes(&local->wep_iv, WEP_IV_LEN);
- local->wep_tfm = crypto_alloc_tfm("arc4", 0);
- if (!local->wep_tfm)
+ local->wep_tx_tfm = crypto_alloc_tfm("arc4", 0);
+ if (!local->wep_tx_tfm)
return -ENOMEM;
+ local->wep_rx_tfm = crypto_alloc_tfm("arc4", 0);
+ if (!local->wep_rx_tfm) {
+ crypto_free_tfm(local->wep_tx_tfm);
+ return -ENOMEM;
+ }
+
return 0;
}
void ieee80211_wep_free(struct ieee80211_local *local)
{
- crypto_free_tfm(local->wep_tfm);
+ crypto_free_tfm(local->wep_tx_tfm);
+ crypto_free_tfm(local->wep_rx_tfm);
}
static inline int ieee80211_wep_weak_iv(u32 iv, int keylen)
@@ -172,7 +179,8 @@ int ieee80211_wep_encrypt(struct ieee802
/* Add room for ICV */
skb_put(skb, WEP_ICV_LEN);
- ieee80211_wep_encrypt_data(local->wep_tfm, rc4key, klen, iv + WEP_IV_LEN, len);
+ ieee80211_wep_encrypt_data(local->wep_tx_tfm, rc4key, klen,
+ iv + WEP_IV_LEN, len);
kfree(rc4key);
@@ -252,7 +260,7 @@ int ieee80211_wep_decrypt(struct ieee802
/* Copy rest of the WEP key (the secret part) */
memcpy(rc4key + 3, key->key, key->keylen);
- if (ieee80211_wep_decrypt_data(local->wep_tfm, rc4key, klen,
+ if (ieee80211_wep_decrypt_data(local->wep_rx_tfm, rc4key, klen,
skb->data + hdrlen + WEP_IV_LEN,
len)) {
printk(KERN_DEBUG "WEP decrypt failed (ICV)\n");
diff --git a/net/d80211/wpa.c b/net/d80211/wpa.c
index 5e62464..ef707ad 100644
--- a/net/d80211/wpa.c
+++ b/net/d80211/wpa.c
@@ -352,7 +352,8 @@ #endif /* CONFIG_HOSTAPD_WPA_TESTING */
skb_put(skb, TKIP_ICV_LEN);
hdr = (struct ieee80211_hdr *) skb->data;
- ieee80211_tkip_encrypt_data(tx->local->wep_tfm, key, pos, len, hdr->addr2);
+ ieee80211_tkip_encrypt_data(tx->local->wep_tx_tfm,
+ key, pos, len, hdr->addr2);
return 0;
}
@@ -495,7 +496,8 @@ #endif /* CONFIG_HOSTAPD_WPA_TESTING */
hwaccel = 1;
}
- res = ieee80211_tkip_decrypt_data(rx->local->wep_tfm, key, skb->data + hdrlen,
+ res = ieee80211_tkip_decrypt_data(rx->local->wep_rx_tfm,
+ key, skb->data + hdrlen,
skb->len - hdrlen, rx->sta->addr,
hwaccel, rx->u.rx.queue);
if (res != TKIP_DECRYPT_OK || wpa_test) {
--
1.3.3
^ permalink raw reply related [flat|nested] 2+ messages in thread* [patch 2/2] d80211: fix wep_tfm race
@ 2006-10-20 9:20 Hong Liu
0 siblings, 0 replies; 2+ messages in thread
From: Hong Liu @ 2006-10-20 9:20 UTC (permalink / raw)
To: Jiri Benc; +Cc: John W. Linville, netdev
The TX/RX path all use the local->wep_tfm to encrypt and decrypt
packets. Each {en|de}crypt operation need set a new RC4key,
this may corrupt the previous set key that is still being used.
Thus cause a lot of decrypton error or encryption with the wrong key.
Use two tfm (tx_tfm and rx_tfm) to avoid this race.
Signed-off-by: Hong Liu <hong.liu@intel.com>
---
net/d80211/ieee80211_i.h | 3 ++-
net/d80211/wep.c | 18 +++++++++++++-----
net/d80211/wpa.c | 6 ++++--
3 files changed, 19 insertions(+), 8 deletions(-)
634c9615ce3cd06dc7f6aff05e43e61490a53472
diff --git a/net/d80211/ieee80211_i.h b/net/d80211/ieee80211_i.h
index 425fc9b..152b41a 100644
--- a/net/d80211/ieee80211_i.h
+++ b/net/d80211/ieee80211_i.h
@@ -402,7 +402,8 @@ #define IEEE80211_IRQSAFE_QUEUE_LIMIT 12
int long_retry_limit; /* dot11LongRetryLimit */
int short_preamble; /* use short preamble with IEEE 802.11b */
- struct crypto_tfm *wep_tfm;
+ struct crypto_tfm *wep_tx_tfm;
+ struct crypto_tfm *wep_rx_tfm;
u32 wep_iv;
int key_tx_rx_threshold; /* number of times any key can be used in TX
* or RX before generating a rekey
diff --git a/net/d80211/wep.c b/net/d80211/wep.c
index 22c2e53..06e0230 100644
--- a/net/d80211/wep.c
+++ b/net/d80211/wep.c
@@ -26,16 +26,23 @@ int ieee80211_wep_init(struct ieee80211_
/* start WEP IV from a random value */
get_random_bytes(&local->wep_iv, WEP_IV_LEN);
- local->wep_tfm = crypto_alloc_tfm("arc4", 0);
- if (!local->wep_tfm)
+ local->wep_tx_tfm = crypto_alloc_tfm("arc4", 0);
+ if (!local->wep_tx_tfm)
return -ENOMEM;
+ local->wep_rx_tfm = crypto_alloc_tfm("arc4", 0);
+ if (!local->wep_rx_tfm) {
+ crypto_free_tfm(local->wep_tx_tfm);
+ return -ENOMEM;
+ }
+
return 0;
}
void ieee80211_wep_free(struct ieee80211_local *local)
{
- crypto_free_tfm(local->wep_tfm);
+ crypto_free_tfm(local->wep_tx_tfm);
+ crypto_free_tfm(local->wep_rx_tfm);
}
static inline int ieee80211_wep_weak_iv(u32 iv, int keylen)
@@ -172,7 +179,8 @@ int ieee80211_wep_encrypt(struct ieee802
/* Add room for ICV */
skb_put(skb, WEP_ICV_LEN);
- ieee80211_wep_encrypt_data(local->wep_tfm, rc4key, klen, iv + WEP_IV_LEN, len);
+ ieee80211_wep_encrypt_data(local->wep_tx_tfm, rc4key, klen,
+ iv + WEP_IV_LEN, len);
kfree(rc4key);
@@ -252,7 +260,7 @@ int ieee80211_wep_decrypt(struct ieee802
/* Copy rest of the WEP key (the secret part) */
memcpy(rc4key + 3, key->key, key->keylen);
- if (ieee80211_wep_decrypt_data(local->wep_tfm, rc4key, klen,
+ if (ieee80211_wep_decrypt_data(local->wep_rx_tfm, rc4key, klen,
skb->data + hdrlen + WEP_IV_LEN,
len)) {
printk(KERN_DEBUG "WEP decrypt failed (ICV)\n");
diff --git a/net/d80211/wpa.c b/net/d80211/wpa.c
index 5e62464..ef707ad 100644
--- a/net/d80211/wpa.c
+++ b/net/d80211/wpa.c
@@ -352,7 +352,8 @@ #endif /* CONFIG_HOSTAPD_WPA_TESTING */
skb_put(skb, TKIP_ICV_LEN);
hdr = (struct ieee80211_hdr *) skb->data;
- ieee80211_tkip_encrypt_data(tx->local->wep_tfm, key, pos, len, hdr->addr2);
+ ieee80211_tkip_encrypt_data(tx->local->wep_tx_tfm,
+ key, pos, len, hdr->addr2);
return 0;
}
@@ -495,7 +496,8 @@ #endif /* CONFIG_HOSTAPD_WPA_TESTING */
hwaccel = 1;
}
- res = ieee80211_tkip_decrypt_data(rx->local->wep_tfm, key, skb->data + hdrlen,
+ res = ieee80211_tkip_decrypt_data(rx->local->wep_rx_tfm,
+ key, skb->data + hdrlen,
skb->len - hdrlen, rx->sta->addr,
hwaccel, rx->u.rx.queue);
if (res != TKIP_DECRYPT_OK || wpa_test) {
--
1.3.3
^ permalink raw reply related [flat|nested] 2+ messages in thread
end of thread, other threads:[~2006-10-20 9:27 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2006-10-20 9:20 [patch 2/2] d80211: fix wep_tfm race Hong Liu
-- strict thread matches above, loose matches on Subject: below --
2006-10-20 9:20 Hong Liu
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).