From patchwork Thu Sep 30 07:37:37 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Xing Song X-Patchwork-Id: 12527527 X-Patchwork-Delegate: nbd@nbd.name Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8FDC4C433F5 for ; Thu, 30 Sep 2021 07:38:04 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 762D8613A0 for ; Thu, 30 Sep 2021 07:38:04 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1348737AbhI3Hjp (ORCPT ); Thu, 30 Sep 2021 03:39:45 -0400 Received: from mailgw02.mediatek.com ([1.203.163.81]:24579 "EHLO mailgw02.mediatek.com" rhost-flags-OK-FAIL-OK-FAIL) by vger.kernel.org with ESMTP id S1348783AbhI3Hjn (ORCPT ); Thu, 30 Sep 2021 03:39:43 -0400 X-UUID: ec0d25b12e25429a99139e1374b57ae1-20210930 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=mediatek.com; s=dk; h=Content-Transfer-Encoding:Content-Type:MIME-Version:Message-ID:Date:Subject:CC:To:From; bh=hdVH/FfnZus1GUan8Vi1chx+4kTao6AmMOXIKsLSzvw=; b=U4LdvuRvRwlTdmsDrLYCWHz6+DOnkU1axPo8wjwC1UaxweNcY13tMvLEdkMCbgL+F3Phyw8RRC7Lr5hw1iHjFR1/d5Zx0pZjN1vuJdTutLUcby5mOWDTlQQke48cCugeY2xa15ELWmQhLuTmp6V6In95Lx6jvYT33dC3MzCVLYE=; X-UUID: ec0d25b12e25429a99139e1374b57ae1-20210930 Received: from mtkcas36.mediatek.inc [(172.27.7.253)] by mailgw02.mediatek.com (envelope-from ) (mailgw01.mediatek.com ESMTP with TLSv1.2 ECDHE-RSA-AES256-SHA384 256/256) with ESMTP id 1123434750; Thu, 30 Sep 2021 15:37:57 +0800 Received: from MTKCAS32.mediatek.inc (172.27.4.184) by MTKMBS31N2.mediatek.inc (172.27.4.87) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Thu, 30 Sep 2021 15:37:41 +0800 Received: from mcddlt001.gcn.mediatek.inc (10.19.240.15) by MTKCAS32.mediatek.inc (172.27.4.170) with Microsoft SMTP Server id 15.0.1497.2 via Frontend Transport; Thu, 30 Sep 2021 15:37:41 +0800 From: Xing Song To: Felix Fietkau CC: Lorenzo Bianconi , Shayne Chen , Ryder Lee , Evelyn Tsai , , , Xing Song Subject: [PATCH] mt76: use a separate CCMP PN receive counter for management frames Date: Thu, 30 Sep 2021 15:37:37 +0800 Message-ID: <20210930073737.146789-1-xing.song@mediatek.com> X-Mailer: git-send-email 2.17.0 MIME-Version: 1.0 X-TM-SNTS-SMTP: 3A44D0BB44E9B51AC5356A502F2DFBDAEF6EBEC57AAB601A95621F9D3F742AC92000:8 X-MTK: N Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org When received frame is decryped by hardware, CCMP PN is checked by mt76. When management frame protection (IEEE 802.11w) is used, we must use a separate counter for tracking received CCMP packet number for the management frames. The previously used counter was shared with data frames and that can cause problems in detecting replays incorrectly for robust management frames. Add a new counter just for robust management frames to avoid this issue. Signed-off-by: Xing Song --- drivers/net/wireless/mediatek/mt76/mac80211.c | 27 ++++++++++++++++--- drivers/net/wireless/mediatek/mt76/mt76.h | 2 +- 2 files changed, 24 insertions(+), 5 deletions(-) diff --git a/drivers/net/wireless/mediatek/mt76/mac80211.c b/drivers/net/wireless/mediatek/mt76/mac80211.c index bbe7ba64ccd2..419b8e75739a 100644 --- a/drivers/net/wireless/mediatek/mt76/mac80211.c +++ b/drivers/net/wireless/mediatek/mt76/mac80211.c @@ -788,10 +788,17 @@ void mt76_wcid_key_setup(struct mt76_dev *dev, struct mt76_wcid *wcid, return; wcid->rx_check_pn = true; + + /* data frame */ for (i = 0; i < IEEE80211_NUM_TIDS; i++) { ieee80211_get_key_rx_seq(key, i, &seq); memcpy(wcid->rx_key_pn[i], seq.ccmp.pn, sizeof(seq.ccmp.pn)); } + + /* robust management frame */ + ieee80211_get_key_rx_seq(key, -1, &seq); + memcpy(wcid->rx_key_pn[i], seq.ccmp.pn, sizeof(seq.ccmp.pn)); + } EXPORT_SYMBOL(mt76_wcid_key_setup); @@ -844,7 +851,7 @@ mt76_check_ccmp_pn(struct sk_buff *skb) struct mt76_rx_status *status = (struct mt76_rx_status *)skb->cb; struct mt76_wcid *wcid = status->wcid; struct ieee80211_hdr *hdr; - u8 tidno = status->qos_ctl & IEEE80211_QOS_CTL_TID_MASK; + int security_idx; int ret; if (!(status->flag & RX_FLAG_DECRYPTED)) @@ -853,24 +860,36 @@ mt76_check_ccmp_pn(struct sk_buff *skb) if (!wcid || !wcid->rx_check_pn) return 0; + hdr = mt76_skb_get_hdr(skb); if (!(status->flag & RX_FLAG_IV_STRIPPED)) { /* * Validate the first fragment both here and in mac80211 * All further fragments will be validated by mac80211 only. */ - hdr = mt76_skb_get_hdr(skb); if (ieee80211_is_frag(hdr) && !ieee80211_is_first_frag(hdr->frame_control)) return 0; } + /* IEEE 802.11-2020, 12.5.3.4.4 "PN and replay detection" c): + * + * the recipient shall maintain a single replay counter for received + * individually addressed robust Management frames that are received + * with the To DS subfield equal to 0, [...] + */ + if (ieee80211_is_mgmt(hdr->frame_control) && + !ieee80211_has_tods(hdr->frame_control)) + security_idx = IEEE80211_NUM_TIDS; + else + security_idx = status->qos_ctl & IEEE80211_QOS_CTL_TID_MASK; + BUILD_BUG_ON(sizeof(status->iv) != sizeof(wcid->rx_key_pn[0])); - ret = memcmp(status->iv, wcid->rx_key_pn[tidno], + ret = memcmp(status->iv, wcid->rx_key_pn[security_idx], sizeof(status->iv)); if (ret <= 0) return -EINVAL; /* replay */ - memcpy(wcid->rx_key_pn[tidno], status->iv, sizeof(status->iv)); + memcpy(wcid->rx_key_pn[security_idx], status->iv, sizeof(status->iv)); if (status->flag & RX_FLAG_IV_STRIPPED) status->flag |= RX_FLAG_PN_VALIDATED; diff --git a/drivers/net/wireless/mediatek/mt76/mt76.h b/drivers/net/wireless/mediatek/mt76/mt76.h index 783ea555fa60..104a01704208 100644 --- a/drivers/net/wireless/mediatek/mt76/mt76.h +++ b/drivers/net/wireless/mediatek/mt76/mt76.h @@ -255,7 +255,7 @@ struct mt76_wcid { u8 amsdu:1; u8 rx_check_pn; - u8 rx_key_pn[IEEE80211_NUM_TIDS][6]; + u8 rx_key_pn[IEEE80211_NUM_TIDS + 1][6]; u16 cipher; u32 tx_info;