[PATCH] authsae: install mgtk TX key once on startup

Thomas Pedersen Sun, 11 Dec 2011 18:43:42 -0800

Hey Guys,

The following patch seems to allow new secure peer links to be established
without any disruption in service, following Chun-Yeow and Fabrice's
description in
http://www.mail-archive.com/[email protected]/msg01198.html. Thanks
for characterizing this.


Previously authsae was reinstalling it's own mgtk TX key each time a new peer
link was established. Now we just do it once during the initialization phase,
which should be OK since AFAIK there is no rekeying currently implemented.

github.com is currently down, so you'll have to apply this manually for now.

Please let me know if this resolves your issue.

Regards,
Thomas

---
 ampe.c                |    8 --------
 ampe.h                |   10 ++++++++--
 linux/meshd-nl80211.c |   14 ++++++--------
 3 files changed, 14 insertions(+), 18 deletions(-)

diff --git a/ampe.c b/ampe.c
index 7bdaf09..373d73b 100644
--- a/ampe.c
+++ b/ampe.c
@@ -72,15 +72,9 @@
 #define MESH_SECURITY_INCONSISTENT_PARAMS       59
 #define MESH_SECURITY_INVALID_CAPABILITY        60
 
-static unsigned char meshid[32];
-static unsigned char meshid_len;
-static unsigned char mgtk_tx[16];
-static struct ampe_config config;
 static const unsigned char akm_suite_selector[4] = { 0x0, 0xf, 0xac, 0x8 };    
 /*  SAE  */
 static const unsigned char pw_suite_selector[4] = { 0x0, 0xf, 0xac, 0x4 };     
/*  CCMP  */
 static const unsigned char null_nonce[32] = { 0 };
-static unsigned char *sta_fixed_ies;
-static unsigned char sta_fixed_ies_len;
 
 /*  For debugging use */
 static const char *mplstates[] = {
@@ -637,7 +631,6 @@ static void fsm_step(struct candidate *cand, enum 
plink_event event)
             derive_mtk(cand);
             estab_peer_link(cand->peer_mac,
                     cand->mtk, sizeof(cand->mtk),
-                    mgtk_tx, sizeof(mgtk_tx),
                     cand->mgtk, sizeof(cand->mgtk),
                     cand->mgtk_expiration,
                     cand->sup_rates,
@@ -669,7 +662,6 @@ static void fsm_step(struct candidate *cand, enum 
plink_event event)
                        cand->link_state = PLINK_ESTAB;
             estab_peer_link(cand->peer_mac,
                     cand->mtk, sizeof(cand->mtk),
-                    mgtk_tx, sizeof(mgtk_tx),
                     cand->mgtk, sizeof(cand->mgtk),
                     cand->mgtk_expiration, cand->sup_rates,
                     cand->sup_rates_len,
diff --git a/ampe.h b/ampe.h
index c94e750..5ffe287 100644
--- a/ampe.h
+++ b/ampe.h
@@ -1,6 +1,13 @@
 #ifndef __AMPE_H
 #define __AMPE_H
 
+unsigned char meshid[32];
+unsigned char meshid_len;
+unsigned char mgtk_tx[16];
+struct ampe_config config;
+unsigned char *sta_fixed_ies;
+unsigned char sta_fixed_ies_len;
+
 enum plink_state {
     PLINK_LISTEN,
     PLINK_OPN_SNT,
@@ -27,8 +34,7 @@ int start_peer_link(unsigned char *peer_mac, unsigned char 
*me, void *cookie);
 
 /*  and implements these:  */
 void estab_peer_link(unsigned char *peer, unsigned char *mtk,
-        int mtk_len, unsigned char *mgtk, int mgtk_len,
-        unsigned char *peer_mgtk, int peer_mgtk_len,
+        int mtk_len, unsigned char *peer_mgtk, int peer_mgtk_len,
         unsigned int mgtk_expiration,
         unsigned char *sup_rates,
         unsigned short sup_rates_len,
diff --git a/linux/meshd-nl80211.c b/linux/meshd-nl80211.c
index eb97a2d..dc1f167 100644
--- a/linux/meshd-nl80211.c
+++ b/linux/meshd-nl80211.c
@@ -905,7 +905,6 @@ nla_put_failure:
 
 void estab_peer_link(unsigned char *peer,
         unsigned char *mtk, int mtk_len,
-        unsigned char *mgtk, int mgtk_len,
         unsigned char *peer_mgtk, int peer_mgtk_len,
         unsigned int mgtk_expiration,
         unsigned char *rates,
@@ -914,7 +913,7 @@ void estab_peer_link(unsigned char *peer,
 {
     assert(cookie == &nlcfg);
 
-    assert(mtk_len == 16 && mgtk_len == 16 && peer_mgtk_len == 16);
+    assert(mtk_len == 16 && peer_mgtk_len == 16);
 
     if (peer) {
         sae_debug(MESHD_DEBUG, "estab with " MACSTR "\n", MAC2STR(peer));
@@ -925,12 +924,6 @@ void estab_peer_link(unsigned char *peer,
         /* key to encrypt/decrypt unicast data AND mgmt traffic to/from this 
peer */
            install_key(&nlcfg, peer, CIPHER_CCMP, NL80211_KEYTYPE_PAIRWISE, 0, 
mtk);
 
-        /* key to protect integrity of multicast mgmt frames tx*/
-           install_key(&nlcfg, NULL, CIPHER_AES_CMAC, NL80211_KEYTYPE_GROUP, 
4, mgtk);
-
-        /* key to encrypt multicast data traffic */
-           install_key(&nlcfg, NULL, CIPHER_CCMP, NL80211_KEYTYPE_GROUP, 0, 
mgtk);
-
         /* key to decrypt multicast data traffic from this peer */
            install_key(&nlcfg, peer, CIPHER_CCMP, NL80211_KEYTYPE_GROUP, 0, 
peer_mgtk);
 
@@ -1239,6 +1232,11 @@ int main(int argc, char *argv[])
         goto out;
     }
 
+    /* key to protect integrity of multicast mgmt frames tx*/
+    install_key(&nlcfg, NULL, CIPHER_AES_CMAC, NL80211_KEYTYPE_GROUP, 4, 
mgtk_tx);
+    /* key to encrypt multicast data traffic */
+    install_key(&nlcfg, NULL, CIPHER_CCMP, NL80211_KEYTYPE_GROUP, 0, mgtk_tx);
+
     get_wiphy(&nlcfg);
 
     srv_main_loop(srvctx);
-- 
1.7.5.4

_______________________________________________
Devel mailing list
[email protected]
http://open80211s.com/mailman/listinfo/devel

[PATCH] authsae: install mgtk TX key once on startup

Reply via email to