Return-path: Received: from s3.sipsolutions.net ([5.9.151.49]:42098 "EHLO sipsolutions.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751428AbbEPT5M (ORCPT ); Sat, 16 May 2015 15:57:12 -0400 Message-ID: <1431806229.2120.6.camel@sipsolutions.net> (sfid-20150516_215716_331653_5302EBE1) Subject: Re: mac80211 drops packet with old IV after rekeying From: Johannes Berg To: Emmanuel Grumbach Cc: linux-wireless Date: Sat, 16 May 2015 21:57:09 +0200 In-Reply-To: (sfid-20150516_201855_046994_2FA7ED12) References: <1431674716.2426.2.camel@sipsolutions.net> <1431714949.2117.0.camel@sipsolutions.net> (sfid-20150516_201855_046994_2FA7ED12) Content-Type: text/plain; charset="UTF-8" Mime-Version: 1.0 Sender: linux-wireless-owner@vger.kernel.org List-ID: On Sat, 2015-05-16 at 21:18 +0300, Emmanuel Grumbach wrote: > I don't get it. I might have misunderstood your previous mail, but I > thought that you were saying the key index was meant to solve this: > the peer could know what key was used based on the key index written > in the frame (I guess it is there somehow) so that the Rx handling > code can know that the jump in the PN is due to a rekeying and not use > any heuristic. I though you meant that the Txing side had a poor > implementation because it reused the same key index before and after > the rekeying which can obviously lead to problems. > Now you seem to say that changing the key index upon rekeying is not > allowed by spec? > What is it good for then? The key index is used for GTK rekeying. The spec makes no provision for seamless PTK rekeying, it's simply not supported. There was/is work in progress to actually change that, but I haven't seen anything definitive. Jouni might know more. > Again - I am just trying to close this bug, not to learn this subject. > I can learn by reading spec / reading code and less by wasting your > time :) As I said, I believe at this point the only way to fix this bug is to try to drop *old* key packets immediately, but it's difficult to ensure this. Effectively, it would require synchronising RX vs. key installation. Using SW crypto will avoid this problem, because as I described in my first email, the only reason (I can think of anyway) is that there's a race between HW decrypt and SW key install. In the case of SW crypto, there's a definitive link between the actual key and the PN because the frame would fail to decrypt (and thus be dropped) if the wrong key was used. The problem only happens in HW crypto with software PN because the two are linked by the key index only. This (entirely untested) patch might also help: http://p.sipsolutions.net/3f082fae8a023bbc.txt johannes