diff options
author | Felix Fietkau <nbd@nbd.name> | 2017-10-16 12:05:09 +0200 |
---|---|---|
committer | Felix Fietkau <nbd@nbd.name> | 2017-10-16 12:18:19 +0200 |
commit | 63c17142c865618977a540485eea7a9487a58029 (patch) | |
tree | 4bd4ca6557f792b9b0a8a0428848e34326ee4211 /package/network/services/hostapd/patches/012-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch | |
parent | cdd093b5399d5962a44680aef74e2034f4bcf64a (diff) | |
download | upstream-63c17142c865618977a540485eea7a9487a58029.tar.gz upstream-63c17142c865618977a540485eea7a9487a58029.tar.bz2 upstream-63c17142c865618977a540485eea7a9487a58029.zip |
hostapd: merge fixes for WPA packet number reuse with replayed messages and key reinstallation
Fixes:
- CERT case ID: VU#228519
- CVE-2017-13077
- CVE-2017-13078
- CVE-2017-13079
- CVE-2017-13080
- CVE-2017-13081
- CVE-2017-13082
- CVE-2017-13086
- CVE-2017-13087
- CVE-2017-13088
For more information see:
https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
Backport of bbda81ce3077dfade2a43a39f772cfec2e82a9a5
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Diffstat (limited to 'package/network/services/hostapd/patches/012-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch')
-rw-r--r-- | package/network/services/hostapd/patches/012-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch | 68 |
1 files changed, 68 insertions, 0 deletions
diff --git a/package/network/services/hostapd/patches/012-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch b/package/network/services/hostapd/patches/012-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch new file mode 100644 index 0000000000..12904faf1f --- /dev/null +++ b/package/network/services/hostapd/patches/012-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch @@ -0,0 +1,68 @@ +From: Jouni Malinen <j@w1.fi> +Date: Fri, 22 Sep 2017 12:06:37 +0300 +Subject: [PATCH] FT: Do not allow multiple Reassociation Response frames + +The driver is expected to not report a second association event without +the station having explicitly request a new association. As such, this +case should not be reachable. However, since reconfiguring the same +pairwise or group keys to the driver could result in nonce reuse issues, +be extra careful here and do an additional state check to avoid this +even if the local driver ends up somehow accepting an unexpected +Reassociation Response frame. + +Signed-off-by: Jouni Malinen <j@w1.fi> +--- + +--- a/src/rsn_supp/wpa.c ++++ b/src/rsn_supp/wpa.c +@@ -2568,6 +2568,9 @@ void wpa_sm_notify_assoc(struct wpa_sm * + #ifdef CONFIG_TDLS + wpa_tdls_assoc(sm); + #endif /* CONFIG_TDLS */ ++#ifdef CONFIG_IEEE80211R ++ sm->ft_reassoc_completed = 0; ++#endif /* CONFIG_IEEE80211R */ + + #ifdef CONFIG_P2P + os_memset(sm->p2p_ip_addr, 0, sizeof(sm->p2p_ip_addr)); +--- a/src/rsn_supp/wpa_ft.c ++++ b/src/rsn_supp/wpa_ft.c +@@ -153,6 +153,7 @@ static u8 * wpa_ft_gen_req_ies(struct wp + u16 capab; + + sm->ft_completed = 0; ++ sm->ft_reassoc_completed = 0; + + buf_len = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) + + 2 + sm->r0kh_id_len + ric_ies_len + 100; +@@ -681,6 +682,11 @@ int wpa_ft_validate_reassoc_resp(struct + return -1; + } + ++ if (sm->ft_reassoc_completed) { ++ wpa_printf(MSG_DEBUG, "FT: Reassociation has already been completed for this FT protocol instance - ignore unexpected retransmission"); ++ return 0; ++ } ++ + if (wpa_ft_parse_ies(ies, ies_len, &parse) < 0) { + wpa_printf(MSG_DEBUG, "FT: Failed to parse IEs"); + return -1; +@@ -781,6 +787,8 @@ int wpa_ft_validate_reassoc_resp(struct + return -1; + } + ++ sm->ft_reassoc_completed = 1; ++ + if (wpa_ft_process_gtk_subelem(sm, parse.gtk, parse.gtk_len) < 0) + return -1; + +--- a/src/rsn_supp/wpa_i.h ++++ b/src/rsn_supp/wpa_i.h +@@ -128,6 +128,7 @@ struct wpa_sm { + size_t r0kh_id_len; + u8 r1kh_id[FT_R1KH_ID_LEN]; + int ft_completed; ++ int ft_reassoc_completed; + int over_the_ds_in_progress; + u8 target_ap[ETH_ALEN]; /* over-the-DS target AP */ + int set_ptk_after_assoc; |