diff options
author | Daniel Golle <daniel@makrotopia.org> | 2018-03-27 19:24:27 +0200 |
---|---|---|
committer | Daniel Golle <daniel@makrotopia.org> | 2018-03-27 19:25:32 +0200 |
commit | eba3b028e46dbfe54f1208e9edf47bb0c6f73ac8 (patch) | |
tree | 81958e21f681ba5d044688fa4838a54ff0698f53 /package/network/services/hostapd/patches/000-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch | |
parent | 9b92afa3aa3bf19986983f4dceb54b4952d4b970 (diff) | |
download | upstream-eba3b028e46dbfe54f1208e9edf47bb0c6f73ac8.tar.gz upstream-eba3b028e46dbfe54f1208e9edf47bb0c6f73ac8.tar.bz2 upstream-eba3b028e46dbfe54f1208e9edf47bb0c6f73ac8.zip |
hostapd: update to git snapshot of 2018-03-26
The following patches were merged upstream:
000-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch
replaced by commit 0e3bd7ac6
001-Prevent-reinstallation-of-an-already-in-use-group-ke.patch
replaced by commit cb5132bb3
002-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch
replaced by commit 87e2db16b
003-Prevent-installation-of-an-all-zero-TK.patch
replaced by commit 53bb18cc8
004-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch
replaced by commit 0adc9b28b
005-TDLS-Reject-TPK-TK-reconfiguration.patch
replaced by commit ff89af96e
006-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch
replaced by commit adae51f8b
007-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch
replaced by commit 2a9c5217b
008-WPA-Extra-defense-against-PTK-reinstalls-in-4-way-ha.patch
replaced by commit a00e946c1
009-Clear-PMK-length-and-check-for-this-when-deriving-PT.patch
replaced by commit b488a1294
010-Optional-AP-side-workaround-for-key-reinstallation-a.patch
replaced by commit 6f234c1e2
011-Additional-consistentcy-checks-for-PTK-component-len.patch
replaced by commit a6ea66530
012-Clear-BSSID-information-in-supplicant-state-machine-.patch
replaced by commit c0fe5f125
013-WNM-Ignore-WNM-Sleep-Mode-Request-in-wnm_sleep_mode-.patch
replaced by commit 114f2830d
Some patches had to be modified to work with changed upstream source:
380-disable_ctrl_iface_mib.patch (adding more ifdef'ery)
plus some minor knits needed for other patches to apply which are not
worth being explicitely listed here.
For SAE key management in mesh mode, use the newly introduce
sae_password parameter instead of the psk parameter to also support
SAE keys which would fail the checks applied on the psk field (ie.
length and such). This fixes compatibility issues for users migrating
from authsae.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Diffstat (limited to 'package/network/services/hostapd/patches/000-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch')
-rw-r--r-- | package/network/services/hostapd/patches/000-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch | 154 |
1 files changed, 0 insertions, 154 deletions
diff --git a/package/network/services/hostapd/patches/000-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch b/package/network/services/hostapd/patches/000-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch deleted file mode 100644 index 14b2d7c717..0000000000 --- a/package/network/services/hostapd/patches/000-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch +++ /dev/null @@ -1,154 +0,0 @@ -From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be> -Date: Fri, 14 Jul 2017 15:15:35 +0200 -Subject: [PATCH] hostapd: Avoid key reinstallation in FT handshake - -Do not reinstall TK to the driver during Reassociation Response frame -processing if the first attempt of setting the TK succeeded. This avoids -issues related to clearing the TX/RX PN that could result in reusing -same PN values for transmitted frames (e.g., due to CCM nonce reuse and -also hitting replay protection on the receiver) and accepting replayed -frames on RX side. - -This issue was introduced by the commit -0e84c25434e6a1f283c7b4e62e483729085b78d2 ('FT: Fix PTK configuration in -authenticator') which allowed wpa_ft_install_ptk() to be called multiple -times with the same PTK. While the second configuration attempt is -needed with some drivers, it must be done only if the first attempt -failed. - -Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be> ---- - ---- a/src/ap/ieee802_11.c -+++ b/src/ap/ieee802_11.c -@@ -2522,6 +2522,7 @@ static int add_associated_sta(struct hos - { - struct ieee80211_ht_capabilities ht_cap; - struct ieee80211_vht_capabilities vht_cap; -+ int set = 1; - - /* - * Remove the STA entry to ensure the STA PS state gets cleared and -@@ -2529,9 +2530,18 @@ static int add_associated_sta(struct hos - * FT-over-the-DS, where a station re-associates back to the same AP but - * skips the authentication flow, or if working with a driver that - * does not support full AP client state. -+ * -+ * Skip this if the STA has already completed FT reassociation and the -+ * TK has been configured since the TX/RX PN must not be reset to 0 for -+ * the same key. - */ -- if (!sta->added_unassoc) -+ if (!sta->added_unassoc && -+ (!(sta->flags & WLAN_STA_AUTHORIZED) || -+ !wpa_auth_sta_ft_tk_already_set(sta->wpa_sm))) { - hostapd_drv_sta_remove(hapd, sta->addr); -+ wpa_auth_sm_event(sta->wpa_sm, WPA_DRV_STA_REMOVED); -+ set = 0; -+ } - - #ifdef CONFIG_IEEE80211N - if (sta->flags & WLAN_STA_HT) -@@ -2554,11 +2564,11 @@ static int add_associated_sta(struct hos - sta->flags & WLAN_STA_VHT ? &vht_cap : NULL, - sta->flags | WLAN_STA_ASSOC, sta->qosinfo, - sta->vht_opmode, sta->p2p_ie ? 1 : 0, -- sta->added_unassoc)) { -+ set)) { - hostapd_logger(hapd, sta->addr, - HOSTAPD_MODULE_IEEE80211, HOSTAPD_LEVEL_NOTICE, - "Could not %s STA to kernel driver", -- sta->added_unassoc ? "set" : "add"); -+ set ? "set" : "add"); - - if (sta->added_unassoc) { - hostapd_drv_sta_remove(hapd, sta->addr); ---- a/src/ap/wpa_auth.c -+++ b/src/ap/wpa_auth.c -@@ -1783,6 +1783,9 @@ int wpa_auth_sm_event(struct wpa_state_m - #else /* CONFIG_FILS */ - break; - #endif /* CONFIG_FILS */ -+ case WPA_DRV_STA_REMOVED: -+ sm->tk_already_set = FALSE; -+ return 0; - } - - #ifdef CONFIG_IEEE80211R_AP -@@ -3922,6 +3925,14 @@ int wpa_auth_sta_wpa_version(struct wpa_ - } - - -+int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm) -+{ -+ if (!sm || !wpa_key_mgmt_ft(sm->wpa_key_mgmt)) -+ return 0; -+ return sm->tk_already_set; -+} -+ -+ - int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm, - struct rsn_pmksa_cache_entry *entry) - { ---- a/src/ap/wpa_auth.h -+++ b/src/ap/wpa_auth.h -@@ -300,7 +300,7 @@ void wpa_receive(struct wpa_authenticato - u8 *data, size_t data_len); - enum wpa_event { - WPA_AUTH, WPA_ASSOC, WPA_DISASSOC, WPA_DEAUTH, WPA_REAUTH, -- WPA_REAUTH_EAPOL, WPA_ASSOC_FT, WPA_ASSOC_FILS -+ WPA_REAUTH_EAPOL, WPA_ASSOC_FT, WPA_ASSOC_FILS, WPA_DRV_STA_REMOVED - }; - void wpa_remove_ptk(struct wpa_state_machine *sm); - int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event); -@@ -313,6 +313,7 @@ int wpa_auth_pairwise_set(struct wpa_sta - int wpa_auth_get_pairwise(struct wpa_state_machine *sm); - int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm); - int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm); -+int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm); - int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm, - struct rsn_pmksa_cache_entry *entry); - struct rsn_pmksa_cache_entry * ---- a/src/ap/wpa_auth_ft.c -+++ b/src/ap/wpa_auth_ft.c -@@ -1937,6 +1937,14 @@ void wpa_ft_install_ptk(struct wpa_state - return; - } - -+ if (sm->tk_already_set) { -+ /* Must avoid TK reconfiguration to prevent clearing of TX/RX -+ * PN in the driver */ -+ wpa_printf(MSG_DEBUG, -+ "FT: Do not re-install same PTK to the driver"); -+ return; -+ } -+ - /* FIX: add STA entry to kernel/driver here? The set_key will fail - * most likely without this.. At the moment, STA entry is added only - * after association has been completed. This function will be called -@@ -1949,6 +1957,7 @@ void wpa_ft_install_ptk(struct wpa_state - - /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */ - sm->pairwise_set = TRUE; -+ sm->tk_already_set = TRUE; - } - - -@@ -2152,6 +2161,7 @@ static int wpa_ft_process_auth_req(struc - - sm->pairwise = pairwise; - sm->PTK_valid = TRUE; -+ sm->tk_already_set = FALSE; - wpa_ft_install_ptk(sm); - - buflen = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) + ---- a/src/ap/wpa_auth_i.h -+++ b/src/ap/wpa_auth_i.h -@@ -61,6 +61,7 @@ struct wpa_state_machine { - struct wpa_ptk PTK; - Boolean PTK_valid; - Boolean pairwise_set; -+ Boolean tk_already_set; - int keycount; - Boolean Pair; - struct wpa_key_replay_counter { |