[FYI] b43 vulnerable to CCMP replay attacks
b43 contains the following code (with - because I copied it from a patch
I have that removes it):
- if (skb-data[wlhdr_len + 3] (1 5)) {
- /* The Ext-IV Bit is set in the KeyID
-* octet of the IV.
-*/
- iv_len = 8;
- icv_len = 8;
- } else {
- iv_len = 4;
- icv_len = 4;
- }
- if (unlikely(skb-len (wlhdr_len + iv_len +
icv_len))) {
- b43dbg(dev-wl,
- RX: Packet size underrun (4)\n);
- goto drop;
- }
- /* Remove the IV */
- memmove(skb-data + iv_len, skb-data, wlhdr_len);
- skb_pull(skb, iv_len);
- /* Remove the ICV */
- skb_trim(skb, skb-len - icv_len);
This means that it is vulnerable to CCMP replay attacks when hardware
crypto is used because the hardware doesn't verify the CCMP PN and
mac80211 cannot.
The patch quoted above fixes this but does a bunch of changes in
mac80211 too and needs to get some review. I hope we can get to that
before 2.6.24 so that b43 can finally go mainline.
johannes
signature.asc
Description: This is a digitally signed message part
___
Bcm43xx-dev mailing list
Bcm43xx-dev@lists.berlios.de
https://lists.berlios.de/mailman/listinfo/bcm43xx-dev
[PATCH] b43 drivers: remove IEEE80211_CONF_SSID_HIDDEN
The IEEE80211_CONF_SSID_HIDDEN setting is unclear but does not
match the closed net flag b43 hardware has; the flag influences
only the sending of probe responses which is disabled anyway.
From looking at the microcode, I can see that if the flag is set
then probe requests are required to be directed to the BSSID of
the AP to be answered by the microcode, but this not interesting
because we don't support probe request offload anyway.
This patch removes the IEEE80211_CONF_SSID_HIDDEN use from
both b43 drivers.
Cc: Michael Buesch [EMAIL PROTECTED]
Cc: Larry Finger [EMAIL PROTECTED]
---
I've also clarified the specs, please queue the change to your
respective drivers.
drivers/net/wireless/b43/main.c | 11 ---
drivers/net/wireless/b43legacy/main.c | 12
2 files changed, 23 deletions(-)
--- wireless-dev.orig/drivers/net/wireless/b43/main.c 2007-08-30
14:35:57.512051253 +0200
+++ wireless-dev/drivers/net/wireless/b43/main.c2007-08-30
14:36:01.002051253 +0200
@@ -2836,17 +2836,6 @@ static int b43_dev_config(struct ieee802
}
}
- /* Hide/Show the SSID (AP mode only). */
- if (conf-flags IEEE80211_CONF_SSID_HIDDEN) {
- b43_write32(dev, B43_MMIO_MACCTL,
- b43_read32(dev, B43_MMIO_MACCTL)
- | B43_MACCTL_CLOSEDNET);
- } else {
- b43_write32(dev, B43_MMIO_MACCTL,
- b43_read32(dev, B43_MMIO_MACCTL)
-~B43_MACCTL_CLOSEDNET);
- }
-
/* Antennas for RX and management frame TX. */
b43_mgmtframe_txantenna(dev, antenna_tx);
b43_set_rx_antenna(dev, antenna_rx);
--- wireless-dev.orig/drivers/net/wireless/b43legacy/main.c 2007-08-30
14:35:05.962051253 +0200
+++ wireless-dev/drivers/net/wireless/b43legacy/main.c 2007-08-30
14:36:01.022051253 +0200
@@ -2655,18 +2655,6 @@ static int b43legacy_dev_config(struct i
}
}
- /* Hide/Show the SSID (AP mode only). */
- if (conf-flags IEEE80211_CONF_SSID_HIDDEN)
- b43legacy_write32(dev, B43legacy_MMIO_STATUS_BITFIELD,
- b43legacy_read32(dev,
- B43legacy_MMIO_STATUS_BITFIELD)
- | B43legacy_SBF_NO_SSID_BCAST);
- else
- b43legacy_write32(dev, B43legacy_MMIO_STATUS_BITFIELD,
- b43legacy_read32(dev,
- B43legacy_MMIO_STATUS_BITFIELD)
- ~B43legacy_SBF_NO_SSID_BCAST);
-
/* Antennas for RX and management frame TX. */
b43legacy_mgmtframe_txantenna(dev, antenna_tx);
___
Bcm43xx-dev mailing list
Bcm43xx-dev@lists.berlios.de
https://lists.berlios.de/mailman/listinfo/bcm43xx-dev
Re: Speed issues with Broadcom 4311
Anderson, Scott wrote: -Original Message- From: Larry Finger [mailto:[EMAIL PROTECTED] Sent: Thu 8/30/2007 1:57 AM To: Anderson, Scott Cc: bcm43xx-dev@lists.berlios.de Subject: Re: Speed issues with Broadcom 4311 Anderson, Scott wrote: Hello, I wanted to report that I'm experiencing extremely slow speeds (20k) down or less using my Broadcom 4311 and the newer b43 driver. Pages have a very hard time loading. I'm currently running Fedora7 with the 2.6.22.4-65.fc7 kernel. My access point is an old Linksys wireless B router with wep encryption. Lspci Shows: 01:00.0 Network controller: Broadcom Corporation Dell Wireless 1390 WLAN Mini-PCI Card (rev 01) Iwconfig Shows: wlan0 IEEE 802.11g ESSID:atlst Mode:Managed Frequency:2.412 GHz Access Point: ** Bit Rate=5.5 Mb/s Retry min limit:7 RTS thr:off Fragment thr=2346 B Encryption key:* Link Quality=73/100 Signal level=-57 dBm Noise level=-63 dBm Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0 Tx excessive retries:0 Invalid misc:0 Missed beacon:0 Have you had experiences with other bcm43xx drivers with this card and AP? Some people have reported poor performance at 11Mb/s, but others have no problems. I just tested my BCM4311 with b43 from wireless-dev, WEP encryption, and an AP set for b-only operation. It's speed adjusted to 11 Mbs fairly quickly and yielded about 4 Mbs uploads using iperf. Due to my network configuration, I couldn't measure download speed. BTW, when you send iwconfig output to the list, please obscure the encryption key. You have just published it to the whole world. Larry I have had experience using the older bcm43xx softmac driver since the .19 kernel. Originally I had speed issues with this driver but that has been fixed since February. I would really like to use the newer b43 driver as it seems to hold connection a lot better, plus it allows me to reconnect something that had a lot of trouble doing before. Just seems much better overall, minus of course the speed issues I seem to be having. Any reason why iwconfig is showing that my wireless B is a G network from my original post. Might not be related but just re-read my original post and thought that looked a little out of place. If you would like me to test anything else or change settings on my router I can. I also have access to a wireless n/b/g i could try out if needed. Please keep the CC's unless you have something private to convey. I reviewed the change notices associated with the release of that Fedora kernel. It has the broken power control code. I'm sure there is a newer one. If not, do you have the source or just a binary? With source, I could send you a patch to fix that part. Larry ___ Bcm43xx-dev mailing list Bcm43xx-dev@lists.berlios.de https://lists.berlios.de/mailman/listinfo/bcm43xx-dev
Re: fetching wireless dev
John W. Linville skrev: On Wed, Aug 29, 2007 at 09:54:16PM +0200, Richard Jonsson wrote: [EMAIL PROTECTED]:/usr/src/git/wireless-dev$ git checkout -b everything origin/everything Switched to a new branch everything [EMAIL PROTECTED]:/usr/src/git/wireless-dev$ git branch * everything master [EMAIL PROTECTED]:/usr/src/git/wireless-dev$ git pull Warning: No merge candidate found because value of config option branch.everything.merge does not match any remote branch fetched. No changes. Well, you did just clone the repository -- no new changes since your clone... John Makes sense I guess, but I got this exact message with my cloned tree that was not up to date, including the No changes. part. Anyway, it works now, but the message is still there at the end of the pull command. Thank you for getting me on track. ___ Bcm43xx-dev mailing list Bcm43xx-dev@lists.berlios.de https://lists.berlios.de/mailman/listinfo/bcm43xx-dev
Re: Broadcom 4311 WLAN card...
Dr. techn. Alexander K. Seewald wrote: Hi Larry, When resuming from suspend-to-disk, I get the following message -- Aug 30 18:22:41 localhost kernel: b43 ssb0:0: resuming Aug 30 18:22:41 localhost kernel: b43-phy0 ERROR: Microcode not responding Aug 30 18:22:41 localhost kernel: b43-phy0 ERROR: You must go to http://linuxwireless.org/en/users/Drivers/bcm43xx#devicefirmware and download the correct firmware (version 4). Aug 30 18:22:41 localhost kernel: b43-phy0 ERROR: Resume failed at core init -- Would this be easy to fix, e.g. by re-uploading the firmware in b43_resume? This does not seem to be done or it does not work correctly. Michael, Have you done any tests with suspend/resume? I have not. Larry ___ Bcm43xx-dev mailing list Bcm43xx-dev@lists.berlios.de https://lists.berlios.de/mailman/listinfo/bcm43xx-dev
Re: Broadcom 4311 WLAN card...
FYI Suspend/Resume is iffy. Sometimes it works, sometimes it does not. When it does not, sometimes it unloads fine, sometimes it says it's waiting for a reference (or 3) to be cleared before unloading. Only a reboot will cure that one... as the message repeats but the reference count never decreases. In all cases the unload is preceded by an ifconfig eth1 down unload = rmmod b43 Ehud dell 1390 (4311) 2.6.23-rc3 (wireless dev everything 29-aug-2007) Larry Finger wrote: Dr. techn. Alexander K. Seewald wrote: Hi Larry, When resuming from suspend-to-disk, I get the following message -- Aug 30 18:22:41 localhost kernel: b43 ssb0:0: resuming Aug 30 18:22:41 localhost kernel: b43-phy0 ERROR: Microcode not responding Aug 30 18:22:41 localhost kernel: b43-phy0 ERROR: You must go to http://linuxwireless.org/en/users/Drivers/bcm43xx#devicefirmware and download the correct firmware (version 4). Aug 30 18:22:41 localhost kernel: b43-phy0 ERROR: Resume failed at core init -- Would this be easy to fix, e.g. by re-uploading the firmware in b43_resume? This does not seem to be done or it does not work correctly. Michael, Have you done any tests with suspend/resume? I have not. Larry ___ Bcm43xx-dev mailing list Bcm43xx-dev@lists.berlios.de https://lists.berlios.de/mailman/listinfo/bcm43xx-dev smime.p7s Description: S/MIME Cryptographic Signature ___ Bcm43xx-dev mailing list Bcm43xx-dev@lists.berlios.de https://lists.berlios.de/mailman/listinfo/bcm43xx-dev
Re: Broadcom 4311 WLAN card...
On Thursday 30 August 2007 19:47:50 Larry Finger wrote: Dr. techn. Alexander K. Seewald wrote: Hi Larry, When resuming from suspend-to-disk, I get the following message -- Aug 30 18:22:41 localhost kernel: b43 ssb0:0: resuming Aug 30 18:22:41 localhost kernel: b43-phy0 ERROR: Microcode not responding Aug 30 18:22:41 localhost kernel: b43-phy0 ERROR: You must go to http://linuxwireless.org/en/users/Drivers/bcm43xx#devicefirmware and download the correct firmware (version 4). Aug 30 18:22:41 localhost kernel: b43-phy0 ERROR: Resume failed at core init -- Would this be easy to fix, e.g. by re-uploading the firmware in b43_resume? This does not seem to be done or it does not work correctly. Michael, Have you done any tests with suspend/resume? I have not. Works fine for me, except that mac80211 doesn't support it. So we don't reassoc and don't upload the correct keys anymore. -- Greetings Michael. ___ Bcm43xx-dev mailing list Bcm43xx-dev@lists.berlios.de https://lists.berlios.de/mailman/listinfo/bcm43xx-dev
RE: Speed issues with Broadcom 4311
-Original Message- From: Larry Finger [mailto:[EMAIL PROTECTED] Sent: Thu 8/30/2007 1:57 AM To: Anderson, Scott Cc: bcm43xx-dev@lists.berlios.de Subject: Re: Speed issues with Broadcom 4311 Anderson, Scott wrote: Hello, I wanted to report that I'm experiencing extremely slow speeds (20k) down or less using my Broadcom 4311 and the newer b43 driver. Pages have a very hard time loading. I'm currently running Fedora7 with the 2.6.22.4-65.fc7 kernel. My access point is an old Linksys wireless B router with wep encryption. Lspci Shows: 01:00.0 Network controller: Broadcom Corporation Dell Wireless 1390 WLAN Mini-PCI Card (rev 01) Iwconfig Shows: wlan0 IEEE 802.11g ESSID:atlst Mode:Managed Frequency:2.412 GHz Access Point: 00:0C:41:6F:1F:6A Bit Rate=5.5 Mb/s Retry min limit:7 RTS thr:off Fragment thr=2346 B Encryption key:F5CC-E107-D3 Link Quality=73/100 Signal level=-57 dBm Noise level=-63 dBm Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0 Tx excessive retries:0 Invalid misc:0 Missed beacon:0 Have you had experiences with other bcm43xx drivers with this card and AP? Some people have reported poor performance at 11Mb/s, but others have no problems. I just tested my BCM4311 with b43 from wireless-dev, WEP encryption, and an AP set for b-only operation. It's speed adjusted to 11 Mbs fairly quickly and yielded about 4 Mbs uploads using iperf. Due to my network configuration, I couldn't measure download speed. BTW, when you send iwconfig output to the list, please obscure the encryption key. You have just published it to the whole world. Larry *used the older message you sent so that it would have the CCs. Currently I'm using just the binary, although I will get a new kernel from source right now if you want to go ahead and send that patch over. It would be most appreciated. ___ Bcm43xx-dev mailing list Bcm43xx-dev@lists.berlios.de https://lists.berlios.de/mailman/listinfo/bcm43xx-dev
Re: Speed issues with Broadcom 4311
On Thursday 30 August 2007 20:20:28 Anderson, Scott wrote: I just tested my BCM4311 with b43 from wireless-dev, WEP encryption, and an AP set for b-only operation. It's speed adjusted to 11 Mbs fairly quickly and yielded about 4 Mbs uploads using iperf. Due to my network configuration, I couldn't measure download speed. BTW, when you send iwconfig output to the list, please obscure the encryption key. You have just published it to the whole world. With WEP you do that anyway. :P A modern machine can find the WEP password within a few minutes. -- Greetings Michael. ___ Bcm43xx-dev mailing list Bcm43xx-dev@lists.berlios.de https://lists.berlios.de/mailman/listinfo/bcm43xx-dev
Re: Speed issues with Broadcom 4311
Michael Buesch wrote: BTW, when you send iwconfig output to the list, please obscure the encryption key. You have just published it to the whole world. With WEP you do that anyway. :P A modern machine can find the WEP password within a few minutes. My warning was mostly for the list. I get WPA keys sent in the same way. Larry ___ Bcm43xx-dev mailing list Bcm43xx-dev@lists.berlios.de https://lists.berlios.de/mailman/listinfo/bcm43xx-dev
Re: Speed issues with Broadcom 4311
Anderson, Scott wrote: -Original Message- From: Larry Finger [mailto:[EMAIL PROTECTED] Sent: Thu 8/30/2007 1:57 AM To: Anderson, Scott Cc: bcm43xx-dev@lists.berlios.de Subject: Re: Speed issues with Broadcom 4311 Anderson, Scott wrote: Hello, I wanted to report that I'm experiencing extremely slow speeds (20k) down or less using my Broadcom 4311 and the newer b43 driver. Pages have a very hard time loading. I'm currently running Fedora7 with the 2.6.22.4-65.fc7 kernel. My access point is an old Linksys wireless B router with wep encryption. Lspci Shows: 01:00.0 Network controller: Broadcom Corporation Dell Wireless 1390 WLAN Mini-PCI Card (rev 01) Iwconfig Shows: wlan0 IEEE 802.11g ESSID:atlst Mode:Managed Frequency:2.412 GHz Access Point: 00:0C:41:6F:1F:6A Bit Rate=5.5 Mb/s Retry min limit:7 RTS thr:off Fragment thr=2346 B Encryption key:F5CC-E107-D3 Link Quality=73/100 Signal level=-57 dBm Noise level=-63 dBm Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0 Tx excessive retries:0 Invalid misc:0 Missed beacon:0 Have you had experiences with other bcm43xx drivers with this card and AP? Some people have reported poor performance at 11Mb/s, but others have no problems. I just tested my BCM4311 with b43 from wireless-dev, WEP encryption, and an AP set for b-only operation. It's speed adjusted to 11 Mbs fairly quickly and yielded about 4 Mbs uploads using iperf. Due to my network configuration, I couldn't measure download speed. BTW, when you send iwconfig output to the list, please obscure the encryption key. You have just published it to the whole world. Larry *used the older message you sent so that it would have the CCs. Currently I'm using just the binary, although I will get a new kernel from source right now if you want to go ahead and send that patch over. It would be most appreciated. If possible, could you grab the source from wireless-git and build from it? That way, if you still have the problem, we will know it is current, not something from the past. Larry ___ Bcm43xx-dev mailing list Bcm43xx-dev@lists.berlios.de https://lists.berlios.de/mailman/listinfo/bcm43xx-dev
[PATCH] b43legacy: Change Kconfig help text to match b43
This patch updates the b43legacy Kconfig text to match the latest b43 version. Signed-off-by: Larry Finger [EMAIL PROTECTED] --- 1 file changed, 14 insertions(+), 11 deletions(-) [EMAIL PROTECTED]:/home/finger/wireless-dev Index: wireless-dev/drivers/net/wireless/b43legacy/Kconfig === --- wireless-dev.orig/drivers/net/wireless/b43legacy/Kconfig +++ wireless-dev/drivers/net/wireless/b43legacy/Kconfig @@ -1,21 +1,24 @@ config B43LEGACY - tristate Broadcom BCM43xx legacy wireless support (mac80211 stack) - depends on SSB_POSSIBLE MAC80211 WLAN_80211 EXPERIMENTAL + tristate Broadcom 43xx-legacy wireless support (mac80211 stack) + depends on SSB_POSSIBLE MAC80211 WLAN_80211 select SSB select FW_LOADER select HW_RANDOM ---help--- - This is a driver for 802.11b devices from Broadcom (BCM4301 and - BCM4303). It is also the driver for early model 802.11g chips (BCM4306 - Ver. 2) that were used in the Linksys WPC54G V1 PCMCIA devices. Newer - devices need b43. It is safe to include both b43legacy and b43 as the - ssb driver will select the correct version for your hardware. + b43legacy is a driver for 802.11b devices from Broadcom (BCM4301 and + BCM4303) and early model 802.11g chips (BCM4306 Ver. 2) used in the + Linksys WPC54G V1 PCMCIA devices. + + Newer 802.11g and 802.11a devices need b43. + + It is safe to include both b43 and b43legacy as the underlying glue + layer will automatically load the correct version for your device. This driver uses V3 firmware, which must be installed separately using b43-fwcutter. - This driver can be compiled as a module (recommended) that will be - called b43legacy. + This driver can be built as a module (recommended) that will be + called b43legacy. If unsure, say M. # Auto-select SSB PCI-HOST support, if possible config B43LEGACY_PCI_AUTOSELECT @@ -32,7 +35,7 @@ config B43LEGACY_PCICORE_AUTOSELECT default y config B43LEGACY_DEBUG - bool Broadcom B43legacy debugging (RECOMMENDED) + bool Broadcom 43xx-legacy debugging depends on B43LEGACY default y ---help--- @@ -48,7 +51,7 @@ config B43LEGACY_PIO depends on B43LEGACY choice - prompt B43LEGACY data transfer mode + prompt Broadcom 43xx-legacy data transfer mode depends on B43LEGACY default B43LEGACY_DMA_AND_PIO_MODE ___ Bcm43xx-dev mailing list Bcm43xx-dev@lists.berlios.de https://lists.berlios.de/mailman/listinfo/bcm43xx-dev
