Subject: Re: [PATCH] iwlwifi: add NL80211_EXT_FEATURE_CAN_REPLACE_PTK0 support
To: Johannes Berg , "linux-wireless@vger.kernel.org"
Cc: "luciano.coelho@intel.com" , "emmanuel.grumbach@intel.com" , "linuxwifi@intel.com"
References: <20200918171301.6942-1-alexander@wetzel-home.de>
From: Alexander Wetzel
Date: Sun, 20 Sep 2020 08:37:15 +0200
X-Mailing-List: linux-wireless@vger.kernel.org

>> >> + /* GCMP and 256 bit CCMP keys the key can't be copied into the >> + * MPDU struct ieee80211_tx_info. We therefore must flush the >> + * queues to ensure there are no MPDUs left which are referring >> + * to the outgoing key. 
>> + */ >> + if (key->flags & IEEE80211_KEY_FLAG_PAIRWISE && >> + (key->cipher == WLAN_CIPHER_SUITE_GCMP || >> + key->cipher == WLAN_CIPHER_SUITE_GCMP_256 || >> + key->cipher == WLAN_CIPHER_SUITE_CCMP_256)) { >> + ieee80211_stop_queues(hw); >> + iwl_mvm_mac_flush(hw, vif, 0, true); >> + ieee80211_wake_queues(hw); >> + }
>
> Shouldn't the wake be after installing the new key? Otherwise new frames
> can race and be there again?

mac80211 is taking care of that and has already stopped queuing new MPDUs which would use the key by setting KEY_FLAG_TAINTED on it. So for a PTK0 rekey we are fine, mac80211 won't queue frames with the key under deletion.

But I think we should start setting KEY_FLAG_TAINTED for *any* PTK deletion to make sure we are not sending out MPDUs with a zero key or something like that. This is a special kind of a rekey case we missed so far but it should be trivial to cover that, too.

That is then basically taking care of the generic Kr00k vulnerability from some months ago. Now I'm not aware that we have any mitigations in the code for that but when we set KEY_FLAG_TAINTED for key deletions any driver which is able to rekey PTK0 correctly can't be affected by Kr00k any longer.

I'll look into that in the next days and prepare a patch for mac80211 to discuss that.

Alexander
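
Review bot: ieee80211_wake_queues(hw) is called immediately after iwl_mvm_mac_flush() inside this block, and the comment above the if does not say why waking the queues at that point is safe, which is exactly the question raised in the thread. Extend the comment to state that mac80211 has already stopped queuing MPDUs for the outgoing key (KEY_FLAG_TAINTED), so the stop/flush/wake sequence only has to drain frames that were queued earlier. The comment's first sentence also reads better with a leading "For": "For GCMP and 256 bit CCMP keys the key can't be copied into the MPDU struct ieee80211_tx_info."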