Thanks Thomas, that seems to solve the problem as well. --Fabrice
On 12/11/2011 8:43 PM, Thomas Pedersen wrote: > Hey Guys, > > The following patch seems to allow new secure peer links to be established > without any disruption in service, following Chun-Yeow and Fabrice's > description in > http://www.mail-archive.com/[email protected]/msg01198.html. Thanks > for characterizing this. > > Previously authsae was reinstalling it's own mgtk TX key each time a new peer > link was established. Now we just do it once during the initialization phase, > which should be OK since AFAIK there is no rekeying currently implemented. > > github.com is currently down, so you'll have to apply this manually for now. > > Please let me know if this resolves your issue. > > Regards, > Thomas > > --- > ampe.c | 8 -------- > ampe.h | 10 ++++++++-- > linux/meshd-nl80211.c | 14 ++++++-------- > 3 files changed, 14 insertions(+), 18 deletions(-) > > diff --git a/ampe.c b/ampe.c > index 7bdaf09..373d73b 100644 > --- a/ampe.c > +++ b/ampe.c > @@ -72,15 +72,9 @@ > #define MESH_SECURITY_INCONSISTENT_PARAMS 59 > #define MESH_SECURITY_INVALID_CAPABILITY 60 > > -static unsigned char meshid[32]; > -static unsigned char meshid_len; > -static unsigned char mgtk_tx[16]; > -static struct ampe_config config; > static const unsigned char akm_suite_selector[4] = { 0x0, 0xf, 0xac, 0x8 }; > /* SAE */ > static const unsigned char pw_suite_selector[4] = { 0x0, 0xf, 0xac, 0x4 }; > /* CCMP */ > static const unsigned char null_nonce[32] = { 0 }; > -static unsigned char *sta_fixed_ies; > -static unsigned char sta_fixed_ies_len; > > /* For debugging use */ > static const char *mplstates[] = { > @@ -637,7 +631,6 @@ static void fsm_step(struct candidate *cand, enum > plink_event event) > derive_mtk(cand); > estab_peer_link(cand->peer_mac, > cand->mtk, sizeof(cand->mtk), > - mgtk_tx, sizeof(mgtk_tx), > cand->mgtk, sizeof(cand->mgtk), > cand->mgtk_expiration, > cand->sup_rates, 
> @@ -669,7 +662,6 @@ static void fsm_step(struct candidate *cand, enum > plink_event event) > cand->link_state = PLINK_ESTAB; > estab_peer_link(cand->peer_mac, > cand->mtk, sizeof(cand->mtk), > - mgtk_tx, sizeof(mgtk_tx), > cand->mgtk, sizeof(cand->mgtk), > cand->mgtk_expiration, cand->sup_rates, > cand->sup_rates_len, > diff --git a/ampe.h b/ampe.h > index c94e750..5ffe287 100644 > --- a/ampe.h > +++ b/ampe.h > @@ -1,6 +1,13 @@ > #ifndef __AMPE_H > #define __AMPE_H > > +unsigned char meshid[32]; > +unsigned char meshid_len; > +unsigned char mgtk_tx[16]; > +struct ampe_config config; > +unsigned char *sta_fixed_ies; > +unsigned char sta_fixed_ies_len; > + > enum plink_state { > PLINK_LISTEN, > PLINK_OPN_SNT, > @@ -27,8 +34,7 @@ int start_peer_link(unsigned char *peer_mac, unsigned char > *me, void *cookie); > > /* and implements these: */ > void estab_peer_link(unsigned char *peer, unsigned char *mtk, > - int mtk_len, unsigned char *mgtk, int mgtk_len, > - unsigned char *peer_mgtk, int peer_mgtk_len, > + int mtk_len, unsigned char *peer_mgtk, int peer_mgtk_len, > unsigned int mgtk_expiration, > unsigned char *sup_rates, > unsigned short sup_rates_len, > diff --git a/linux/meshd-nl80211.c b/linux/meshd-nl80211.c > index eb97a2d..dc1f167 100644 > --- a/linux/meshd-nl80211.c > +++ b/linux/meshd-nl80211.c > @@ -905,7 +905,6 @@ nla_put_failure: > > void estab_peer_link(unsigned char *peer, > unsigned char *mtk, int mtk_len, > - unsigned char *mgtk, int mgtk_len, > unsigned char *peer_mgtk, int peer_mgtk_len, > unsigned int mgtk_expiration, > unsigned char *rates, > @@ -914,7 +913,7 @@ void estab_peer_link(unsigned char *peer, > { > assert(cookie ==&nlcfg); > > - assert(mtk_len == 16&& mgtk_len == 16&& peer_mgtk_len == 16); > + assert(mtk_len == 16&& peer_mgtk_len == 16); > > if (peer) { > sae_debug(MESHD_DEBUG, "estab with " MACSTR "\n", MAC2STR(peer)); 
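Review bot: The six lines added at the top of ampe.h (`unsigned char meshid[32];` through `unsigned char sta_fixed_ies_len;`) are definitions, not declarations: every translation unit that includes ampe.h now carries its own tentative definition of `mgtk_tx`, `config` and the rest, and the build links only because the toolchain merges them as common symbols; under `-fno-common` (the default since GCC 10) this becomes a multiple-definition link error. Declare them in the header as `extern unsigned char mgtk_tx[16];` (and likewise for the other five) and keep exactly one non-static definition in ampe.c, where the removed `static` lines were. Since the header is now the only place a reader of meshd-nl80211.c sees `mgtk_tx`, a one-line comment there saying it holds the local group TX key would also help.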
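Review bot: In estab_peer_link the rewritten `assert(mtk_len == 16 && peer_mgtk_len == 16);` is the only check on the key lengths before `install_key` is called with `mtk` and `peer_mgtk`, and it is compiled out under NDEBUG, so a release build would hand a mis-sized buffer to the kernel. Prefer a check that survives NDEBUG, e.g. `if (mtk_len != 16 || peer_mgtk_len != 16) { sae_debug(MESHD_DEBUG, "bad key length\n"); return; }` (the function is void). The body of estab_peer_link continues past the end of the hunk.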
> @@ -925,12 +924,6 @@ void estab_peer_link(unsigned char *peer, > /* key to encrypt/decrypt unicast data AND mgmt traffic to/from > this peer */ > install_key(&nlcfg, peer, CIPHER_CCMP, NL80211_KEYTYPE_PAIRWISE, 0, > mtk); > > - /* key to protect integrity of multicast mgmt frames tx*/ > - install_key(&nlcfg, NULL, CIPHER_AES_CMAC, NL80211_KEYTYPE_GROUP, > 4, mgtk); > - > - /* key to encrypt multicast data traffic */ > - install_key(&nlcfg, NULL, CIPHER_CCMP, NL80211_KEYTYPE_GROUP, 0, > mgtk); > - > /* key to decrypt multicast data traffic from this peer */ > install_key(&nlcfg, peer, CIPHER_CCMP, NL80211_KEYTYPE_GROUP, 0, > peer_mgtk); > > @@ -1239,6 +1232,11 @@ int main(int argc, char *argv[]) > goto out; > } > > + /* key to protect integrity of multicast mgmt frames tx*/ > + install_key(&nlcfg, NULL, CIPHER_AES_CMAC, NL80211_KEYTYPE_GROUP, 4, > mgtk_tx); > + /* key to encrypt multicast data traffic */ > + install_key(&nlcfg, NULL, CIPHER_CCMP, NL80211_KEYTYPE_GROUP, 0, > mgtk_tx); > + > get_wiphy(&nlcfg); > > srv_main_loop(srvctx); _______________________________________________ Devel mailing list [email protected] http://open80211s.com/mailman/listinfo/devel
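Review bot: The two `install_key(&nlcfg, NULL, ..., mgtk_tx)` calls added to main rely on `mgtk_tx` already holding the generated group key at that point; the hunk shows only the preceding `goto out; }` error exit, so whether the initialization that fills `mgtk_tx` runs before these lines cannot be confirmed from here, and if it does not, an all-zero key is installed once and never replaced. Please verify the ordering and record the assumption from the cover letter in the comment, e.g. `/* Installed exactly once: mgtk_tx is never rekeyed, and reinstalling the same CCMP group key per peer (the old behaviour) presumably reset the transmit PN. */`. The return value of `install_key` is ignored here as elsewhere in the file; since a failure at this point would presumably leave multicast traffic without a TX key for the life of the daemon, it is worth checking it and taking the `out` path.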
