From patchwork Tue Aug 14 10:42:53 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alexander Wetzel X-Patchwork-Id: 10565327 X-Patchwork-Delegate: johannes@sipsolutions.net Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 3C5AB1515 for ; Tue, 14 Aug 2018 10:43:36 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 2A8AA28D5B for ; Tue, 14 Aug 2018 10:43:36 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 1EAE728DA3; Tue, 14 Aug 2018 10:43:36 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 7054328D88 for ; Tue, 14 Aug 2018 10:43:35 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732190AbeHNNaK (ORCPT ); Tue, 14 Aug 2018 09:30:10 -0400 Received: from 3.mo179.mail-out.ovh.net ([178.33.251.175]:60376 "EHLO 3.mo179.mail-out.ovh.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729567AbeHNNaK (ORCPT ); Tue, 14 Aug 2018 09:30:10 -0400 Received: from player694.ha.ovh.net (unknown [10.109.160.253]) by mo179.mail-out.ovh.net (Postfix) with ESMTP id B5348E1AB5 for ; Tue, 14 Aug 2018 12:43:32 +0200 (CEST) Received: from awhome.eu (p4FF910D8.dip0.t-ipconnect.de [79.249.16.216]) (Authenticated sender: postmaster@awhome.eu) by player694.ha.ovh.net (Postfix) with ESMTPSA id 761742C00B2; Tue, 14 Aug 2018 12:43:31 +0200 (CEST) From: Alexander Wetzel DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=wetzel-home.de; s=wetzel-home; t=1534243404; bh=T1FrQUoiL7z4ZRwc+ofJK+dP919xm2cvruBQBGTXv2Q=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=VILw2NDMj92icIPuPgmdHl5Fnsy978+O6gI1+Mf/DB1QuHoXfRO3TZRMhTAYojHyO BztWsGuA7Zs5gQjEkRwFRFboOK2OhLnf2B6xxbvsqVm5nQTepLpH75t17hMBGILeqg iCdAcaD1Kwh3BHnmvFqYl6ZrOzEyWq2l8A2D+WWU= To: johannes@sipsolutions.net Cc: linux-wireless@vger.kernel.org, Alexander Wetzel Subject: [PATCH v6 1/3] nl80211: Add ATOMIC_KEY_REPLACE API Date: Tue, 14 Aug 2018 12:42:53 +0200 Message-Id: <20180814104255.4183-2-alexander@wetzel-home.de> X-Mailer: git-send-email 2.18.0 In-Reply-To: <20180814104255.4183-1-alexander@wetzel-home.de> References: <20180814104255.4183-1-alexander@wetzel-home.de> X-Ovh-Tracer-Id: 12849895638445006023 X-VR-SPAMSTATE: OK X-VR-SPAMSCORE: 0 X-VR-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgedtjedrudehgdeffecutefuodetggdotefrodftvfcurfhrohhfihhlvgemucfqggfjpdevjffgvefmvefgnecuuegrihhlohhuthemuceftddtnecu Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Drivers able to correctly replace a in-use key should set NL80211_EXT_FEATURE_ATOMIC_KEY_REPLACE to allow the userspace (e.g. hostapd or wpa_supplicant) to rekey PTK keys. The userspace must detect a PTK rekey attempt and only go ahead with the rekey when the driver has set this flag. If the driver is not supporting the feature the userspace either must not replace the PTK key or perform a full re-association. Ignoring this flag and continuing to rekey the connection can still work but has to be considered insecure and broken. It can leak cleartext packets or freeze the connection and is only supported to allow the userspace to be updated. Signed-off-by: Alexander Wetzel Reviewed-by: Denis Kenzior --- include/uapi/linux/nl80211.h | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/include/uapi/linux/nl80211.h b/include/uapi/linux/nl80211.h index 7acc16f34942..b41b9ade0449 100644 --- a/include/uapi/linux/nl80211.h +++ b/include/uapi/linux/nl80211.h @@ -5224,6 +5224,11 @@ enum nl80211_feature_flags { * except for supported rates from the probe request content if requested * by the %NL80211_SCAN_FLAG_MIN_PREQ_CONTENT flag. * + * @NL80211_EXT_FEATURE_ATOMIC_KEY_REPLACE: Driver/device confirm that they are + * able to rekey an in-use key correctly. Userspace must not rekey PTK keys + * if this flag is not set. Ignoring this can leak clear text packets and/or + * freeze the connection. + * * @NUM_NL80211_EXT_FEATURES: number of extended features. * @MAX_NL80211_EXT_FEATURES: highest extended feature index. */ @@ -5259,6 +5264,7 @@ enum nl80211_ext_feature_index { NL80211_EXT_FEATURE_TXQS, NL80211_EXT_FEATURE_SCAN_RANDOM_SN, NL80211_EXT_FEATURE_SCAN_MIN_PREQ_CONTENT, + NL80211_EXT_FEATURE_ATOMIC_KEY_REPLACE, /* add new features before the definition below */ NUM_NL80211_EXT_FEATURES, From patchwork Tue Aug 14 10:42:54 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alexander Wetzel X-Patchwork-Id: 10565611 X-Patchwork-Delegate: johannes@sipsolutions.net Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id D6FB415A6 for ; Tue, 14 Aug 2018 13:09:34 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C872728DCE for ; Tue, 14 Aug 2018 13:09:34 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id BCC3628E64; Tue, 14 Aug 2018 13:09:34 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 8FC5A28DCE for ; Tue, 14 Aug 2018 13:09:33 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732733AbeHNP4i (ORCPT ); Tue, 14 Aug 2018 11:56:38 -0400 Received: from 2.mo1.mail-out.ovh.net ([178.32.119.250]:41777 "EHLO 2.mo1.mail-out.ovh.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732621AbeHNP4h (ORCPT ); Tue, 14 Aug 2018 11:56:37 -0400 X-Greylist: delayed 7825 seconds by postgrey-1.27 at vger.kernel.org; Tue, 14 Aug 2018 11:56:35 EDT Received: from player792.ha.ovh.net (unknown [10.109.143.216]) by mo1.mail-out.ovh.net (Postfix) with ESMTP id 70754119C59 for ; Tue, 14 Aug 2018 12:43:34 +0200 (CEST) Received: from awhome.eu (p4FF910D8.dip0.t-ipconnect.de [79.249.16.216]) (Authenticated sender: postmaster@awhome.eu) by player792.ha.ovh.net (Postfix) with ESMTPSA id 1FA7EA00A5; Tue, 14 Aug 2018 12:43:33 +0200 (CEST) From: Alexander Wetzel DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=wetzel-home.de; s=wetzel-home; t=1534243405; bh=mxK0J+Bz7jq10gceLXmH220M2Fj5XEB8tViAN26qng8=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=sQi725L4DZ6KPmv4AYWUJhY9okPhdTi7ZWWGvAoZR4d99EKb7W0coSNqUOrmIqQ9Q kXWOc//aBlJJciXMqFE4Y5ryIfY749N3wkvOv21ca27/0LHPEbiqwtuEFJMHLM9ax5 bbiCQr8heNxhJR7sI3oUs3CVvgfKHYNVNRUerC1I= To: johannes@sipsolutions.net Cc: linux-wireless@vger.kernel.org, Alexander Wetzel Subject: [PATCH v6 2/3] mac80211: Define new driver callback replace_key Date: Tue, 14 Aug 2018 12:42:54 +0200 Message-Id: <20180814104255.4183-3-alexander@wetzel-home.de> X-Mailer: git-send-email 2.18.0 In-Reply-To: <20180814104255.4183-1-alexander@wetzel-home.de> References: <20180814104255.4183-1-alexander@wetzel-home.de> X-Ovh-Tracer-Id: 12850458590877981895 X-VR-SPAMSTATE: OK X-VR-SPAMSCORE: 0 X-VR-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgedtjedrudehgdeffecutefuodetggdotefrodftvfcurfhrohhfihhlvgemucfqggfjpdevjffgvefmvefgnecuuegrihhlohhuthemuceftddtnecu Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Define the new driver callback replace_key in mac80211 for future use. Drivers able to replace a in-use key should implement this new callback to allow mac80211 drivers to securely use PTK rekeying. On return of the function drivers must guarantee they: - Did not send out any frames for the key unencrypted during the replace, - will not send out packets queued to them prior to the call encrypted with the new key - and will no longer hand over any frames which were decrypted by the old key to mac80211 when not also handling PN (IV) in the driver. Packets handed over to the driver after the callback has returned are expected to be send out encrypted with the new key and retransmissions must either be dropped or continue to use the old key. Mac80211 will not hand over packets for the key being replaced while the callback is running. All other packets will still be handed over. If the driver can't handle that the driver is allowed to call functions like ieee80211_stop_queues from the callback. Signed-off-by: Alexander Wetzel --- include/net/mac80211.h | 15 +++++++++++++++ net/mac80211/driver-ops.h | 20 ++++++++++++++++++++ net/mac80211/main.c | 5 +++++ net/mac80211/trace.h | 39 +++++++++++++++++++++++++++++++++++++++ 4 files changed, 79 insertions(+) diff --git a/include/net/mac80211.h b/include/net/mac80211.h index 5790f55c241d..7d13cd10b7d7 100644 --- a/include/net/mac80211.h +++ b/include/net/mac80211.h @@ -3137,6 +3137,17 @@ enum ieee80211_reconfig_type { * Returns a negative error code if the key can't be added. * The callback can sleep. * + * @replace_key: Replace an exiting in use key with a new one while guaranteeing + * to not leak clear text packets. Implementing this callback will enable + * mac80211 to announce NL80211_EXT_FEATURE_ATOMIC_KEY_REPLACE. + * Packets already queued must not be send out encrypted with the new key + * and packets decoded with the old key must not be handed over to mac80211 + * when the driver is not checking IV/ICV itself once the callback has been + * completed. + * Mac80211 will log an error when asked to use replace a PTK key + * without replace_key but will still perform the then potentially + * insecure action via set_key for backward compatibility for now. + * * @update_tkip_key: See the section "Hardware crypto acceleration" * This callback will be called in the context of Rx. Called for drivers * which set IEEE80211_KEY_FLAG_TKIP_REQ_RX_P1_KEY. @@ -3585,6 +3596,10 @@ struct ieee80211_ops { int (*set_key)(struct ieee80211_hw *hw, enum set_key_cmd cmd, struct ieee80211_vif *vif, struct ieee80211_sta *sta, struct ieee80211_key_conf *key); + int (*replace_key)(struct ieee80211_hw *hw, + struct ieee80211_vif *vif, struct ieee80211_sta *sta, + struct ieee80211_key_conf *old, + struct ieee80211_key_conf *new); void (*update_tkip_key)(struct ieee80211_hw *hw, struct ieee80211_vif *vif, struct ieee80211_key_conf *conf, diff --git a/net/mac80211/driver-ops.h b/net/mac80211/driver-ops.h index 8f6998091d26..ebd7f1463336 100644 --- a/net/mac80211/driver-ops.h +++ b/net/mac80211/driver-ops.h @@ -255,6 +255,26 @@ static inline int drv_set_key(struct ieee80211_local *local, return ret; } +static inline int drv_replace_key(struct ieee80211_local *local, + struct ieee80211_sub_if_data *sdata, + struct ieee80211_sta *sta, + struct ieee80211_key_conf *old_key, + struct ieee80211_key_conf *new_key) +{ + int ret; + + might_sleep(); + + sdata = get_bss_sdata(sdata); + if (!check_sdata_in_driver(sdata)) + return -EIO; + + trace_drv_replace_key(local, sdata, sta, old_key, new_key); + ret = local->ops->replace_key(&local->hw, &sdata->vif, sta, old_key, new_key); + trace_drv_return_int(local, ret); + return ret; +} + static inline void drv_update_tkip_key(struct ieee80211_local *local, struct ieee80211_sub_if_data *sdata, struct ieee80211_key_conf *conf, diff --git a/net/mac80211/main.c b/net/mac80211/main.c index 4fb2709cb527..84cc8005c19a 100644 --- a/net/mac80211/main.c +++ b/net/mac80211/main.c @@ -572,9 +572,14 @@ struct ieee80211_hw *ieee80211_alloc_hw_nm(size_t priv_data_len, NL80211_EXT_FEATURE_SCAN_MIN_PREQ_CONTENT); } + if (ops->replace_key) + wiphy_ext_feature_set(wiphy, + NL80211_EXT_FEATURE_ATOMIC_KEY_REPLACE); + if (!ops->set_key) wiphy->flags |= WIPHY_FLAG_IBSS_RSN; + if (ops->wake_tx_queue) wiphy_ext_feature_set(wiphy, NL80211_EXT_FEATURE_TXQS); diff --git a/net/mac80211/trace.h b/net/mac80211/trace.h index 0ab69a1964f8..f93e00f1ae4d 100644 --- a/net/mac80211/trace.h +++ b/net/mac80211/trace.h @@ -603,6 +603,45 @@ TRACE_EVENT(drv_set_key, ) ); +TRACE_EVENT(drv_replace_key, + TP_PROTO(struct ieee80211_local *local, + struct ieee80211_sub_if_data *sdata, + struct ieee80211_sta *sta, + struct ieee80211_key_conf *old_key, + struct ieee80211_key_conf *new_key), + + TP_ARGS(local, sdata, sta, old_key, new_key), + + TP_STRUCT__entry( + LOCAL_ENTRY + VIF_ENTRY + STA_ENTRY + KEY_ENTRY + __field(u32, cipher2) + __field(u8, hw_key_idx2) + __field(u8, flags2) + __field(s8, keyidx2) + ), + + TP_fast_assign( + LOCAL_ASSIGN; + VIF_ASSIGN; + STA_ASSIGN; + KEY_ASSIGN(old_key); + __entry->cipher2 = new_key->cipher; + __entry->flags2 = new_key->flags; + __entry->keyidx2 = new_key->keyidx; + __entry->hw_key_idx2 = new_key->hw_key_idx; + ), + + TP_printk( + LOCAL_PR_FMT VIF_PR_FMT STA_PR_FMT KEY_PR_FMT + " cipher2:0x%x, flags2=%#x, keyidx2=%d, hw_key_idx2=%d", + LOCAL_PR_ARG, VIF_PR_ARG, STA_PR_ARG, KEY_PR_ARG, + __entry->cipher2, __entry->flags2, __entry->keyidx2, __entry->hw_key_idx2 + ) +); + TRACE_EVENT(drv_update_tkip_key, TP_PROTO(struct ieee80211_local *local, struct ieee80211_sub_if_data *sdata, From patchwork Tue Aug 14 10:42:55 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alexander Wetzel X-Patchwork-Id: 10565329 X-Patchwork-Delegate: johannes@sipsolutions.net Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id CD7F51515 for ; Tue, 14 Aug 2018 10:43:39 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id BAD1328D5B for ; Tue, 14 Aug 2018 10:43:39 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id AF1ED28DA3; Tue, 14 Aug 2018 10:43:39 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C9A7528D5B for ; Tue, 14 Aug 2018 10:43:38 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732135AbeHNNaN (ORCPT ); Tue, 14 Aug 2018 09:30:13 -0400 Received: from 7.mo178.mail-out.ovh.net ([46.105.58.91]:49685 "EHLO 7.mo178.mail-out.ovh.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732230AbeHNNaN (ORCPT ); Tue, 14 Aug 2018 09:30:13 -0400 Received: from player739.ha.ovh.net (unknown [10.109.146.163]) by mo178.mail-out.ovh.net (Postfix) with ESMTP id 7EF6426BD1 for ; Tue, 14 Aug 2018 12:43:34 +0200 (CEST) Received: from awhome.eu (p4FF910D8.dip0.t-ipconnect.de [79.249.16.216]) (Authenticated sender: postmaster@awhome.eu) by player739.ha.ovh.net (Postfix) with ESMTPSA id 441324A00A6; Tue, 14 Aug 2018 12:43:33 +0200 (CEST) From: Alexander Wetzel DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=wetzel-home.de; s=wetzel-home; t=1534243407; bh=Hpe8yRYnk1X0dxiXIgLYTtOioP9+uvd+JhsSWtj2uMQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=XxpYFjLiH33KVRAB1UXqBhEFefVuaeST1ox0PKmY0qQV4fMF0D46yCVKpbPfEmt0E ny6bTDKqkVrl4Dca+DRkSzCN/lo3OQbweegfCj9fd7vGk9/TRpQVbHGmCWBhX2xjkL HjJbryQeAX4FNM7XSU9Ed0HpcF+mrMGonGwLlV9o= To: johannes@sipsolutions.net Cc: linux-wireless@vger.kernel.org, Alexander Wetzel Subject: [PATCH v6 3/3] mac80211: Fix PTK rekey freezes and cleartext leaks Date: Tue, 14 Aug 2018 12:42:55 +0200 Message-Id: <20180814104255.4183-4-alexander@wetzel-home.de> X-Mailer: git-send-email 2.18.0 In-Reply-To: <20180814104255.4183-1-alexander@wetzel-home.de> References: <20180814104255.4183-1-alexander@wetzel-home.de> X-Ovh-Tracer-Id: 12850458589468630215 X-VR-SPAMSTATE: OK X-VR-SPAMSCORE: 0 X-VR-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgedtjedrudehgdeffecutefuodetggdotefrodftvfcurfhrohhfihhlvgemucfqggfjpdevjffgvefmvefgnecuuegrihhlohhuthemuceftddtnecu Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Rekeying PTK keys without "Extended Key ID for Individually Addressed Frames" did use a procedure not suitable to replace in-use keys and could caused the following issues: 1) Freeze caused by incoming packets: If the local STA installed the key prior to the remote STA we still had the old key active in the hardware with mac80211 already operating on the new key. Therefore there was a window where the card could still hand over packets decoded with the old key to mac80211, bumping the new PN (IV) value to an incorrect high number and tricking the local replay detection to drop all packets sent with the new key. 2) Freeze caused by outgoing packets: If mac80211 was providing the PN (IV) and handed over a cleartext packets for encryption to the hardware prior to a key change the driver/card could have processed the queued packets after switching to the new key. This immediately bumped the PN value on the remote STA to an incorrect high number, which then discarded all packets using correct PNs we sent after that. 3) Freeze caused by RX aggregation reorder buffer: An aggregation session started with the old key and ending after the switch to the new key also bumped the PN to an incorrect high number, freezing the connection quite similar to 1). 4) Freeze caused by repeating lost frames in an aggregation session: A driver could repeat a lost frame and encrypt it with the new key while in a TX aggregation session without updating the PN for the new key. This also could freeze connections similar to 2). 5) Clear text leak: Removing encryption offload from the card cleared the encryption offload flag only after the card had removed the key. The driver/card could therefore get unencrypted packets from mac80211 while no longer be instructed to encrypt them. To prevent those issues the key install logic has been overhauled. We now stop queuing packets to the driver while replacing the key, replace the key first in the HW and stop/block new aggregation sessions during the rekey. This will only work correctly with drivers implementing replace_key or with a userspace honoring NL80211_EXT_FEATURE_ATOMIC_KEY_REPLACE. If the driver is not implementing replace_key all three issues can still occur and the userspace must not try to rekey the PTK key. If asked to do that anyhow mac80211 will fall back to an best-we-can-do approach which should avoid the issues for at least some drivers and inform the user about the potential issues via a kernel message. The core of the fix changes the key install procedure from: - atomic switch over to the new key in mac80211 - remove the old key in the HW (stops encryption offloading, fall back to SW encryption with a potential clear text packet leak in between) - delete the inactive old key in mac80211 - enable HW for encryption offloading (ending software encryption) to: - if it's a PTK mark the old key as tainted to drop TX packets with the outgoing key - replace the key in HW with the new one, using the new driver callback "replace_key" if it's availabe or by simulating it with existing calls if not - atomic switch over to the new key in mac80211 (allow TX with the key again) - delete the inactive old key in mac80211 The logic behind the updated key install sequence: With the new sequence the HW will be unable to decode packets encrypted with the old key prior to switching to the new key in mac80211. Locking down TX during the rekey makes sure that there are no outgoing packets while the driver and card are switching to the new key. The driver is allowed to hand over packets decrypted with either the new or the old key till "replace_key" returns. But all packets queued prior to calling the callback must be either still be send out encrypted with the old key or be dropped. Even with that a RX aggregation session started prior to the rekey and completed after can still dump frames received with the old key at mac80211 after it switched over to the new key. This is side stepped by stopping all aggregation sessions when we replace a PTK key and are using key offloading. (The only alternative seems be to discard all frames of the aggregation session running during rekey. Due to retransmits and reorder we can't differenciate between packets send with the old or the new key without deploying extreme efforts.) Stopping TX aggregation sessions - instead of only RX - also avoides the need to get the PNs (IVs) updated in frames prepared for the old key and retransmitted after the switch to the new key. And it improves the combatibility when the remote STA is not handling rekeys as it should. When using SW crypto aggregation sessions are not stopped. Mac80211 won't be able to decode the dangerous packets and discard them. At least as long as the remote STA is not also messing up and indeed updating the PN. Signed-off-by: Alexander Wetzel --- net/mac80211/key.c | 131 ++++++++++++++++++++++++++++++++++++++------- net/mac80211/tx.c | 4 ++ 2 files changed, 115 insertions(+), 20 deletions(-) diff --git a/net/mac80211/key.c b/net/mac80211/key.c index c054ac85793c..c77f32fe0473 100644 --- a/net/mac80211/key.c +++ b/net/mac80211/key.c @@ -248,6 +248,7 @@ static void ieee80211_key_disable_hw_accel(struct ieee80211_key *key) (key->conf.flags & IEEE80211_KEY_FLAG_RESERVE_TAILROOM))) increment_tailroom_need_count(sdata); + key->flags &= ~KEY_FLAG_UPLOADED_TO_HARDWARE; ret = drv_set_key(key->local, DISABLE_KEY, sdata, sta ? &sta->sta : NULL, &key->conf); @@ -256,8 +257,86 @@ static void ieee80211_key_disable_hw_accel(struct ieee80211_key *key) "failed to remove key (%d, %pM) from hardware (%d)\n", key->conf.keyidx, sta ? sta->sta.addr : bcast_addr, ret); +} - key->flags &= ~KEY_FLAG_UPLOADED_TO_HARDWARE; +static int ieee80211_hw_key_replace(struct ieee80211_key *old_key, + struct ieee80211_key *new_key, + bool ptk0rekey) +{ + struct ieee80211_sub_if_data *sdata; + struct ieee80211_local *local; + struct sta_info *sta; + int ret; + + /* Aggregation sessions are also ok when running on SW crypto. + * A broken remote STA may have issues not observed with HW + * crypto, though. Nevertheless bypass the complete procedure. + */ + if (!(old_key->flags & KEY_FLAG_UPLOADED_TO_HARDWARE)) + return 0; + + assert_key_lock(old_key->local); + sta = old_key->sta; + + /* PTK only using key ID 0 needs special handling on rekey */ + if (new_key && sta && ptk0rekey) { + local = old_key->local; + sdata = old_key->sdata; + + /* Stop TX till we are on the new key */ + old_key->flags |= KEY_FLAG_TAINTED; + ieee80211_clear_fast_xmit(sta); + + /* Aggregation sessions during rekey are complicated due to + * the reorder buffer. Side step that by blocking aggregation + * and tear down running connections. + */ + if (ieee80211_hw_check(&local->hw, AMPDU_AGGREGATION)) { + set_sta_flag(sta, WLAN_STA_BLOCK_BA); + ieee80211_sta_tear_down_BA_sessions(sta, + AGG_STOP_LOCAL_REQUEST); + } + + if (new_key->local->ops->replace_key) { + ret = drv_replace_key(old_key->local, sdata, + &sta->sta, &old_key->conf, + &new_key->conf); + if (!ret) + new_key->flags |= KEY_FLAG_UPLOADED_TO_HARDWARE; + else + sdata_err(sdata, + "failed to replace key (%d) for " \ + "STA (%pM) in hardware: ret=(%d)\n", + old_key->conf.keyidx, + sta->sta.addr, + ret); + + old_key->flags &= ~KEY_FLAG_UPLOADED_TO_HARDWARE; + } else { + sdata_info(sdata, + "Userspace requested a PTK rekey for STA " \ + "%pM while feature not supported! " \ + "This may leak clear text packets or " \ + "freeze the connection.", + sta->sta.addr); + /* Flushing the driver queues *may* prevent cleartext + * leaks and freezes if supported by the driver. + */ + ieee80211_flush_queues(old_key->local, + old_key->sdata, + false); + ieee80211_key_disable_hw_accel(old_key); + ret = ieee80211_key_enable_hw_accel(new_key); + } + } else { + ieee80211_key_disable_hw_accel(old_key); + if (new_key) + ret = ieee80211_key_enable_hw_accel(new_key); + else + ret = 0; + } + + return ret; } static void __ieee80211_set_default_key(struct ieee80211_sub_if_data *sdata, @@ -316,38 +395,56 @@ void ieee80211_set_default_mgmt_key(struct ieee80211_sub_if_data *sdata, } -static void ieee80211_key_replace(struct ieee80211_sub_if_data *sdata, +static int ieee80211_key_replace(struct ieee80211_sub_if_data *sdata, struct sta_info *sta, bool pairwise, struct ieee80211_key *old, struct ieee80211_key *new) { int idx; + int ret; bool defunikey, defmultikey, defmgmtkey; /* caller must provide at least one old/new */ if (WARN_ON(!new && !old)) - return; + return 0; if (new) list_add_tail_rcu(&new->list, &sdata->key_list); WARN_ON(new && old && new->conf.keyidx != old->conf.keyidx); - if (old) + if (old) { idx = old->conf.keyidx; - else + /* TODO: proper implement and test "Extended Key ID for + * Individually Addressed Frames" from IEEE 802.11-2016. + * Till then always assume only key ID 0 is used for + * pairwise keys.*/ + ret = ieee80211_hw_key_replace(old, new, pairwise); + } else { idx = new->conf.keyidx; + if (new && !new->local->wowlan) + ret = ieee80211_key_enable_hw_accel(new); + else + ret = 0; + } + + if (ret) + return ret; if (sta) { if (pairwise) { rcu_assign_pointer(sta->ptk[idx], new); sta->ptk_idx = idx; - ieee80211_check_fast_xmit(sta); + if (new) { + clear_sta_flag(sta, WLAN_STA_BLOCK_BA); + ieee80211_check_fast_xmit(sta); + } } else { rcu_assign_pointer(sta->gtk[idx], new); } - ieee80211_check_fast_rx(sta); + if (new) + ieee80211_check_fast_rx(sta); } else { defunikey = old && old == key_mtx_dereference(sdata->local, @@ -380,6 +477,8 @@ static void ieee80211_key_replace(struct ieee80211_sub_if_data *sdata, if (old) list_del_rcu(&old->list); + + return 0; } struct ieee80211_key * @@ -575,9 +674,6 @@ static void ieee80211_key_free_common(struct ieee80211_key *key) static void __ieee80211_key_destroy(struct ieee80211_key *key, bool delay_tailroom) { - if (key->local) - ieee80211_key_disable_hw_accel(key); - if (key->local) { struct ieee80211_sub_if_data *sdata = key->sdata; @@ -654,7 +750,6 @@ int ieee80211_key_link(struct ieee80211_key *key, struct ieee80211_sub_if_data *sdata, struct sta_info *sta) { - struct ieee80211_local *local = sdata->local; struct ieee80211_key *old_key; int idx = key->conf.keyidx; bool pairwise = key->conf.flags & IEEE80211_KEY_FLAG_PAIRWISE; @@ -691,17 +786,13 @@ int ieee80211_key_link(struct ieee80211_key *key, increment_tailroom_need_count(sdata); - ieee80211_key_replace(sdata, sta, pairwise, old_key, key); - ieee80211_key_destroy(old_key, delay_tailroom); - - ieee80211_debugfs_key_add(key); + ret = ieee80211_key_replace(sdata, sta, pairwise, old_key, key); - if (!local->wowlan) { - ret = ieee80211_key_enable_hw_accel(key); - if (ret) - ieee80211_key_free(key, delay_tailroom); + if (!ret) { + ieee80211_debugfs_key_add(key); + ieee80211_key_destroy(old_key, delay_tailroom); } else { - ret = 0; + ieee80211_key_free(key, delay_tailroom); } out: diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c index cd332e3e1134..5c79b3c2a7e1 100644 --- a/net/mac80211/tx.c +++ b/net/mac80211/tx.c @@ -2951,6 +2951,10 @@ void ieee80211_check_fast_xmit(struct sta_info *sta) if (!(build.key->flags & KEY_FLAG_UPLOADED_TO_HARDWARE)) goto out; + /* Key is being removed */ + if (build.key->flags & KEY_FLAG_TAINTED) + goto out; + switch (build.key->conf.cipher) { case WLAN_CIPHER_SUITE_CCMP: case WLAN_CIPHER_SUITE_CCMP_256: