
mac80211: fix TKIP races, make API easier to use

Our current TKIP code races against itself on TX
since we can process multiple packets at the same
time on different ACs, but they all share the TX
context for TKIP. This can lead to bad IVs etc.

Also, the crypto offload helper code just obtains
the P1K/P2K from the cache, and can update it as
well, but there's no guarantee that packets are
really processed in order.

To fix these issues, first introduce a spinlock
that will protect the IV16/IV32 values in the TX
context. This first step makes sure that we don't
assign the same IV multiple times or get confused
in other ways.

Secondly, change the way the P1K cache works. I
add a field "p1k_iv32" that stores the value of
the IV32 when the P1K was last recomputed, and
if different from the last time, then a new P1K
is recomputed. This can cause the P1K computation
to flip back and forth if packets are processed
out of order. All this also happens under the new
spinlock.

Finally, because there are argument differences,
split up the ieee80211_get_tkip_key() API into
ieee80211_get_tkip_p1k() and ieee80211_get_tkip_p2k()
and give them the correct arguments.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

authored by

Johannes Berg and committed by
John W. Linville
523b02ea 397915c3

+103 -93
+1 -2
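--- a/drivers/net/wireless/b43/xmit.c
+++ b/drivers/net/wireless/b43/xmit.c
@@ -323,8 +323,7 @@
 /* we give the phase1key and iv16 here, the key is stored in
 * shm. With that the hardware can do phase 2 and encryption.
 */
-ieee80211_get_tkip_key(info->control.hw_key, skb_frag,
-IEEE80211_TKIP_P1_KEY, (u8*)phase1key);
+ieee80211_get_tkip_p1k(info->control.hw_key, skb_frag, phase1key);
 /* phase1key is in host endian. Copy to little-endian txhdr->iv. */
 for (i = 0; i < 5; i++) {
 txhdr->iv[i * 2 + 0] = phase1key[i];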
+1 -2
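--- a/drivers/net/wireless/iwlegacy/iwl-4965-tx.c
+++ b/drivers/net/wireless/iwlegacy/iwl-4965-tx.c
@@ -240,8 +240,7 @@
 
 case WLAN_CIPHER_SUITE_TKIP:
 tx_cmd->sec_ctl = TX_CMD_SEC_TKIP;
-ieee80211_get_tkip_key(keyconf, skb_frag,
-IEEE80211_TKIP_P2_KEY, tx_cmd->key);
+ieee80211_get_tkip_p2k(keyconf, skb_frag, tx_cmd->key);
 IWL_DEBUG_TX(priv, "tx_cmd with tkip hwcrypto\n");
 break;
 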
+1 -2
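--- a/drivers/net/wireless/iwlwifi/iwl-agn-tx.c
+++ b/drivers/net/wireless/iwlwifi/iwl-agn-tx.c
@@ -497,8 +497,7 @@
 
 case WLAN_CIPHER_SUITE_TKIP:
 tx_cmd->sec_ctl = TX_CMD_SEC_TKIP;
-ieee80211_get_tkip_key(keyconf, skb_frag,
-IEEE80211_TKIP_P2_KEY, tx_cmd->key);
+ieee80211_get_tkip_p2k(keyconf, skb_frag, tx_cmd->key);
 IWL_DEBUG_TX(priv, "tx_cmd with tkip hwcrypto\n");
 break;
 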
+22 -26
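--- a/include/net/mac80211.h
+++ b/include/net/mac80211.h
@@ -962,21 +962,6 @@
 };
 
 /**
-* enum ieee80211_tkip_key_type - get tkip key
-*
-* Used by drivers which need to get a tkip key for skb. Some drivers need a
-* phase 1 key, others need a phase 2 key. A single function allows the driver
-* to get the key, this enum indicates what type of key is required.
-*
-* @IEEE80211_TKIP_P1_KEY: the driver needs a phase 1 key
-* @IEEE80211_TKIP_P2_KEY: the driver needs a phase 2 key
-*/
-enum ieee80211_tkip_key_type {
-IEEE80211_TKIP_P1_KEY,
-IEEE80211_TKIP_P2_KEY,
-};
-
-/**
 * enum ieee80211_hw_flags - hardware flags
 *
 * These flags are used to indicate hardware capabilities to
@@ -2579,21 +2564,32 @@
 ieee80211_get_buffered_bc(struct ieee80211_hw *hw, struct ieee80211_vif *vif);
 
 /**
-* ieee80211_get_tkip_key - get a TKIP rc4 for skb
+* ieee80211_get_tkip_p1k - get a TKIP phase 1 key
 *
-* This function computes a TKIP rc4 key for an skb. It computes
-* a phase 1 key if needed (iv16 wraps around). This function is to
-* be used by drivers which can do HW encryption but need to compute
-* to phase 1/2 key in SW.
+* This function returns the TKIP phase 1 key for the IV32 taken
+* from the given packet.
 *
 * @keyconf: the parameter passed with the set key
-* @skb: the skb for which the key is needed
-* @type: TBD
-* @key: a buffer to which the key will be written
+* @skb: the packet to take the IV32 value from that will be encrypted
+* with this P1K
+* @p1k: a buffer to which the key will be written, as 5 u16 values
 */
-void ieee80211_get_tkip_key(struct ieee80211_key_conf *keyconf,
-struct sk_buff *skb,
-enum ieee80211_tkip_key_type type, u8 *key);
+void ieee80211_get_tkip_p1k(struct ieee80211_key_conf *keyconf,
+struct sk_buff *skb, u16 *p1k);
+
+/**
+* ieee80211_get_tkip_p2k - get a TKIP phase 2 key
+*
+* This function computes the TKIP RC4 key for the IV values
+* in the packet.
+*
+* @keyconf: the parameter passed with the set key
+* @skb: the packet to take the IV32/IV16 values from that will be
+* encrypted with this key
+* @p2k: a buffer to which the key will be written, 16 bytes
+*/
+void ieee80211_get_tkip_p2k(struct ieee80211_key_conf *keyconf,
+struct sk_buff *skb, u8 *p2k);
 
 /**
 * ieee80211_gtk_rekey_notify - notify userspace supplicant of rekeying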
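Review bot: The new kernel-doc for ieee80211_get_tkip_p1k() and ieee80211_get_tkip_p2k() says the IV is taken from the packet, but it does not state what a driver must guarantee for that read to be valid: the 802.11 header has to start at `skb->data` and the TKIP IV/Ext IV written by mac80211 must already be present behind it. It also omits that both helpers take the per-key TX spinlock with interrupts saved (visible in net/mac80211/tkip.c in this commit), which a driver author needs to know when choosing the call site. I would add one sentence to each block, for example `* The skb must already carry the TKIP IV added by mac80211; the function takes the key's TX lock internally.`, and repeat the buffer size requirement (10 bytes for @p1k, 16 bytes for @p2k) as a caller obligation rather than only a description.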
+1
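--- a/net/mac80211/key.c
+++ b/net/mac80211/key.c
@@ -369,6 +369,7 @@
 get_unaligned_le16(seq);
 }
 }
+spin_lock_init(&key->u.tkip.txlock);
 break;
 case WLAN_CIPHER_SUITE_CCMP:
 key->conf.iv_len = CCMP_HDR_LEN;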
+7 -3
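--- a/net/mac80211/key.h
+++ b/net/mac80211/key.h
@@ -52,9 +52,10 @@
 };
 
 struct tkip_ctx {
-u32 iv32;
-u16 iv16;
-u16 p1k[5];
+u32 iv32; /* current iv32 */
+u16 iv16; /* current iv16 */
+u16 p1k[5]; /* p1k cache */
+u32 p1k_iv32; /* iv32 for which p1k computed */
 enum ieee80211_internal_tkip_state state;
 };
 
@@ -71,6 +72,9 @@
 
 union {
 struct {
+/* protects tx context */
+spinlock_t txlock;
+
 /* last used TSC */
 struct tkip_ctx tx;
 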
+60 -51
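--- a/net/mac80211/tkip.c
+++ b/net/mac80211/tkip.c
@@ -101,6 +101,7 @@
 p1k[4] += tkipS(p1k[3] ^ get_unaligned_le16(tk + 0 + j)) + i;
 }
 ctx->state = TKIP_STATE_PHASE1_DONE;
+ctx->p1k_iv32 = tsc_IV32;
 }
 
 static void tkip_mixing_phase2(const u8 *tk, struct tkip_ctx *ctx,
@@ -140,60 +141,72 @@
 /* Add TKIP IV and Ext. IV at @pos. @iv0, @iv1, and @iv2 are the first octets
 * of the IV. Returns pointer to the octet following IVs (i.e., beginning of
 * the packet payload). */
-u8 *ieee80211_tkip_add_iv(u8 *pos, struct ieee80211_key *key, u16 iv16)
+u8 *ieee80211_tkip_add_iv(u8 *pos, struct ieee80211_key *key)
 {
-pos = write_tkip_iv(pos, iv16);
+lockdep_assert_held(&key->u.tkip.txlock);
+
+pos = write_tkip_iv(pos, key->u.tkip.tx.iv16);
 *pos++ = (key->conf.keyidx << 6) | (1 << 5) /* Ext IV */;
 put_unaligned_le32(key->u.tkip.tx.iv32, pos);
 return pos + 4;
 }
 
-void ieee80211_get_tkip_key(struct ieee80211_key_conf *keyconf,
-struct sk_buff *skb, enum ieee80211_tkip_key_type type,
-u8 *outkey)
+static void ieee80211_compute_tkip_p1k(struct ieee80211_key *key, u32 iv32)
+{
+struct ieee80211_sub_if_data *sdata = key->sdata;
+struct tkip_ctx *ctx = &key->u.tkip.tx;
+const u8 *tk = &key->conf.key[NL80211_TKIP_DATA_OFFSET_ENCR_KEY];
+
+lockdep_assert_held(&key->u.tkip.txlock);
+
+/*
+* Update the P1K when the IV32 is different from the value it
+* had when we last computed it (or when not initialised yet).
+* This might flip-flop back and forth if packets are processed
+* out-of-order due to the different ACs, but then we have to
+* just compute the P1K more often.
+*/
+if (ctx->p1k_iv32 != iv32 || ctx->state == TKIP_STATE_NOT_INIT)
+tkip_mixing_phase1(tk, ctx, sdata->vif.addr, iv32);
+}
+
+void ieee80211_get_tkip_p1k(struct ieee80211_key_conf *keyconf,
+struct sk_buff *skb, u16 *p1k)
 {
 struct ieee80211_key *key = (struct ieee80211_key *)
 container_of(keyconf, struct ieee80211_key, conf);
+struct tkip_ctx *ctx = &key->u.tkip.tx;
 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
-u8 *data;
-const u8 *tk;
-struct tkip_ctx *ctx;
-u16 iv16;
-u32 iv32;
+const u8 *data = (u8 *)hdr + ieee80211_hdrlen(hdr->frame_control);
+u32 iv32 = get_unaligned_le32(&data[4]);
+unsigned long flags;
 
-data = (u8 *)hdr + ieee80211_hdrlen(hdr->frame_control);
-iv16 = data[2] | (data[0] << 8);
-iv32 = get_unaligned_le32(&data[4]);
-
-tk = &key->conf.key[NL80211_TKIP_DATA_OFFSET_ENCR_KEY];
-ctx = &key->u.tkip.tx;
-
-#ifdef CONFIG_MAC80211_TKIP_DEBUG
-printk(KERN_DEBUG "TKIP encrypt: iv16 = 0x%04x, iv32 = 0x%08x\n",
-iv16, iv32);
-
-if (iv32 != ctx->iv32) {
-printk(KERN_DEBUG "skb: iv32 = 0x%08x key: iv32 = 0x%08x\n",
-iv32, ctx->iv32);
-printk(KERN_DEBUG "Wrap around of iv16 in the middle of a "
-"fragmented packet\n");
-}
-#endif
-
-/* Update the p1k only when the iv16 in the packet wraps around, this
-* might occur after the wrap around of iv16 in the key in case of
-* fragmented packets. */
-if (iv16 == 0 || ctx->state == TKIP_STATE_NOT_INIT)
-tkip_mixing_phase1(tk, ctx, hdr->addr2, iv32);
-
-if (type == IEEE80211_TKIP_P1_KEY) {
-memcpy(outkey, ctx->p1k, sizeof(u16) * 5);
-return;
-}
-
-tkip_mixing_phase2(tk, ctx, iv16, outkey);
+spin_lock_irqsave(&key->u.tkip.txlock, flags);
+ieee80211_compute_tkip_p1k(key, iv32);
+memcpy(p1k, ctx->p1k, sizeof(ctx->p1k));
+spin_unlock_irqrestore(&key->u.tkip.txlock, flags);
 }
-EXPORT_SYMBOL(ieee80211_get_tkip_key);
+EXPORT_SYMBOL(ieee80211_get_tkip_p1k);
+
+void ieee80211_get_tkip_p2k(struct ieee80211_key_conf *keyconf,
+struct sk_buff *skb, u8 *p2k)
+{
+struct ieee80211_key *key = (struct ieee80211_key *)
+container_of(keyconf, struct ieee80211_key, conf);
+const u8 *tk = &key->conf.key[NL80211_TKIP_DATA_OFFSET_ENCR_KEY];
+struct tkip_ctx *ctx = &key->u.tkip.tx;
+struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
+const u8 *data = (u8 *)hdr + ieee80211_hdrlen(hdr->frame_control);
+u32 iv32 = get_unaligned_le32(&data[4]);
+u16 iv16 = data[2] | (data[0] << 8);
+unsigned long flags;
+
+spin_lock_irqsave(&key->u.tkip.txlock, flags);
+ieee80211_compute_tkip_p1k(key, iv32);
+tkip_mixing_phase2(tk, ctx, iv16, p2k);
+spin_unlock_irqrestore(&key->u.tkip.txlock, flags);
+}
+EXPORT_SYMBOL(ieee80211_get_tkip_p2k);
 
 /*
 * Encrypt packet payload with TKIP using @key. @pos is a pointer to the
@@ -204,19 +217,15 @@
 */
 int ieee80211_tkip_encrypt_data(struct crypto_cipher *tfm,
 struct ieee80211_key *key,
-u8 *pos, size_t payload_len, u8 *ta)
+struct sk_buff *skb,
+u8 *payload, size_t payload_len)
 {
 u8 rc4key[16];
-struct tkip_ctx *ctx = &key->u.tkip.tx;
-const u8 *tk = &key->conf.key[NL80211_TKIP_DATA_OFFSET_ENCR_KEY];
 
-/* Calculate per-packet key */
-if (ctx->iv16 == 0 || ctx->state == TKIP_STATE_NOT_INIT)
-tkip_mixing_phase1(tk, ctx, ta, ctx->iv32);
+ieee80211_get_tkip_p2k(&key->conf, skb, rc4key);
 
-tkip_mixing_phase2(tk, ctx, ctx->iv16, rc4key);
-
-return ieee80211_wep_encrypt_data(tfm, rc4key, 16, pos, payload_len);
+return ieee80211_wep_encrypt_data(tfm, rc4key, 16,
+payload, payload_len);
 }
 
 /* Decrypt packet payload with TKIP using @key. @pos is a pointer to the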
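Review bot: ieee80211_compute_tkip_p1k() now passes `sdata->vif.addr` to tkip_mixing_phase1() where the removed code used `hdr->addr2` (and the software path used the `ta` argument), and neither the commit message nor the new comment block mentions that switch. If a frame can reach these helpers with a transmitter address that differs from the interface address, the P1K would be mixed for the wrong TA and the peer would fail to decrypt, so the assumption should be written down next to the call, e.g. `/* TA on the TX path is always sdata->vif.addr, so the cached P1K does not depend on the frame */`. Separately, ieee80211_get_tkip_p1k() and ieee80211_get_tkip_p2k() are exported to drivers and read `data[0]` through `data[7]` behind the 802.11 header without consulting `skb->len`; a `WARN_ON_ONCE(skb->len < ieee80211_hdrlen(hdr->frame_control) + 8)` before the reads would make a driver that calls them on a frame without the IV fail loudly instead of deriving a key from whatever bytes are there.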
+5 -3
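--- a/net/mac80211/tkip.h
+++ b/net/mac80211/tkip.h
@@ -13,11 +13,13 @@
 #include <linux/crypto.h>
 #include "key.h"
 
-u8 *ieee80211_tkip_add_iv(u8 *pos, struct ieee80211_key *key, u16 iv16);
+u8 *ieee80211_tkip_add_iv(u8 *pos, struct ieee80211_key *key);
 
 int ieee80211_tkip_encrypt_data(struct crypto_cipher *tfm,
-struct ieee80211_key *key,
-u8 *pos, size_t payload_len, u8 *ta);
+struct ieee80211_key *key,
+struct sk_buff *skb,
+u8 *payload, size_t payload_len);
+
 enum {
 TKIP_DECRYPT_OK = 0,
 TKIP_DECRYPT_NO_EXT_IV = -1,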
+5 -4
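--- a/net/mac80211/wpa.c
+++ b/net/mac80211/wpa.c
@@ -171,6 +171,7 @@
 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
 struct ieee80211_key *key = tx->key;
 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
+unsigned long flags;
 unsigned int hdrlen;
 int len, tail;
 u8 *pos;
@@ -198,11 +199,12 @@
 pos += hdrlen;
 
 /* Increase IV for the frame */
+spin_lock_irqsave(&key->u.tkip.txlock, flags);
 key->u.tkip.tx.iv16++;
 if (key->u.tkip.tx.iv16 == 0)
 key->u.tkip.tx.iv32++;
-
-pos = ieee80211_tkip_add_iv(pos, key, key->u.tkip.tx.iv16);
+pos = ieee80211_tkip_add_iv(pos, key);
+spin_unlock_irqrestore(&key->u.tkip.txlock, flags);
 
 /* hwaccel - with software IV */
 if (info->control.hw_key)
@@ -211,9 +213,8 @@
 /* Add room for ICV */
 skb_put(skb, TKIP_ICV_LEN);
 
-hdr = (struct ieee80211_hdr *) skb->data;
 return ieee80211_tkip_encrypt_data(tx->local->wep_tx_tfm,
-key, pos, len, hdr->addr2);
+key, skb, pos, len);
 }
 
 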
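Review bot: The new critical section around the IV increment has no comment explaining why `ieee80211_tkip_add_iv()` must stay inside it: the IV16/IV32 pair copied into the frame has to be the pair this frame was just assigned, because the key derivation that follows reads the IV back from the skb rather than from the shared TX context. The existing `/* Increase IV for the frame */` comment describes only the increment, so I would extend it to something like `/* Assign the next IV and copy it into the frame under txlock; keying later reads it back from the skb */`. That keeps a later cleanup from moving the call back outside the lock and reintroducing duplicate or mismatched IVs. The function starts and ends outside the hunks shown.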