diff options
author | Hong Liu <hongl.fnst@cn.fujitsu.com> | 2018-06-05 16:10:56 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2018-07-02 11:41:26 +0100 |
commit | 9a09626430b5fad7cc7837562b2ddbe2355cd9d9 (patch) | |
tree | c2e871e5dd53337037e09d31b295faf4f1968678 /meta | |
parent | c029685b1853dc7d51664590de5c2d8ba0600eba (diff) | |
download | poky-9a09626430b5fad7cc7837562b2ddbe2355cd9d9.tar.gz |
wpa-supplicant: fix the bug for PATCHTOOL = "patch"
When switch PATCHTOOL to patch, applying 'key-replay-cve-multiple.patch' failed:
checking file src/ap/ieee802_11.c
checking file src/ap/wpa_auth.c
checking file src/ap/wpa_auth.h
checking file src/ap/wpa_auth_ft.c
checking file src/ap/wpa_auth_i.h
checking file src/common/wpa_common.h
checking file src/rsn_supp/wpa.c
checking file src/rsn_supp/wpa_i.h
checking file src/rsn_supp/wpa.c
Hunk #1 FAILED at 709.
Hunk #2 FAILED at 757.
Hunk #3 succeeded at 840 (offset -12 lines).
Hunk #4 FAILED at 868.
Hunk #5 FAILED at 900.
Hunk #6 FAILED at 924.
Hunk #7 succeeded at 1536 (offset -38 lines).
Hunk #8 FAILED at 2386.
Hunk #9 FAILED at 2920.
Hunk #10 succeeded at 2940 (offset -46 lines).
Hunk #11 FAILED at 2998.
8 out of 11 hunks FAILED
checking file src/rsn_supp/wpa_i.h
Hunk #1 FAILED at 32.
1 out of 1 hunk FAILED
checking file src/common/wpa_common.h
Hunk #1 succeeded at 215 with fuzz 1.
checking file src/rsn_supp/wpa.c
checking file src/rsn_supp/wpa_i.h
checking file src/ap/wpa_auth.c
Hunk #1 succeeded at 1898 (offset -3 lines).
Hunk #2 succeeded at 2470 (offset -3 lines).
checking file src/rsn_supp/tdls.c
checking file wpa_supplicant/wnm_sta.c
checking file src/rsn_supp/wpa.c
Hunk #1 succeeded at 2378 (offset -62 lines).
checking file src/rsn_supp/wpa_ft.c
checking file src/rsn_supp/wpa_i.h
Hunk #1 succeeded at 123 (offset -5 lines).
So split the wpa-supplicant/key-replay-cve-multiple to 8 patches.
(From OE-Core rev: 4e9bc513c22b9a52c48588ef276e2ab7f7781526)
(From OE-Core rev: df1b1402733b2f6070badc2cace866030b11241d)
Signed-off-by: Hong Liu <hongl.fnst@cn.fujitsu.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 61e587b32d10c796503f98f16eb3d66f24835708)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
10 files changed, 1152 insertions, 1026 deletions
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple.patch deleted file mode 100644 index 436520fe64..0000000000 --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple.patch +++ /dev/null | |||
@@ -1,1025 +0,0 @@ | |||
1 | The WPA2 four-way handshake protocol is vulnerable to replay attacks which can | ||
2 | result in unauthenticated clients gaining access to the network. | ||
3 | |||
4 | Backport a number of patches from upstream to fix this. | ||
5 | |||
6 | CVE: CVE-2017-13077 | ||
7 | CVE: CVE-2017-13078 | ||
8 | CVE: CVE-2017-13079 | ||
9 | CVE: CVE-2017-13080 | ||
10 | CVE: CVE-2017-13081 | ||
11 | CVE: CVE-2017-13082 | ||
12 | CVE: CVE-2017-13086 | ||
13 | CVE: CVE-2017-13087 | ||
14 | CVE: CVE-2017-13088 | ||
15 | |||
16 | Upstream-Status: Backport | ||
17 | Signed-off-by: Ross Burton <ross.burton@intel.com> | ||
18 | |||
19 | From cf4cab804c7afd5c45505528a8d16e46163243a2 Mon Sep 17 00:00:00 2001 | ||
20 | From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be> | ||
21 | Date: Fri, 14 Jul 2017 15:15:35 +0200 | ||
22 | Subject: [PATCH 1/8] hostapd: Avoid key reinstallation in FT handshake | ||
23 | |||
24 | Do not reinstall TK to the driver during Reassociation Response frame | ||
25 | processing if the first attempt of setting the TK succeeded. This avoids | ||
26 | issues related to clearing the TX/RX PN that could result in reusing | ||
27 | same PN values for transmitted frames (e.g., due to CCM nonce reuse and | ||
28 | also hitting replay protection on the receiver) and accepting replayed | ||
29 | frames on RX side. | ||
30 | |||
31 | This issue was introduced by the commit | ||
32 | 0e84c25434e6a1f283c7b4e62e483729085b78d2 ('FT: Fix PTK configuration in | ||
33 | authenticator') which allowed wpa_ft_install_ptk() to be called multiple | ||
34 | times with the same PTK. While the second configuration attempt is | ||
35 | needed with some drivers, it must be done only if the first attempt | ||
36 | failed. | ||
37 | |||
38 | Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be> | ||
39 | --- | ||
40 | src/ap/ieee802_11.c | 16 +++++++++++++--- | ||
41 | src/ap/wpa_auth.c | 11 +++++++++++ | ||
42 | src/ap/wpa_auth.h | 3 ++- | ||
43 | src/ap/wpa_auth_ft.c | 10 ++++++++++ | ||
44 | src/ap/wpa_auth_i.h | 1 + | ||
45 | 5 files changed, 37 insertions(+), 4 deletions(-) | ||
46 | |||
47 | diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c | ||
48 | index 4e04169..333035f 100644 | ||
49 | --- a/src/ap/ieee802_11.c | ||
50 | +++ b/src/ap/ieee802_11.c | ||
51 | @@ -1841,6 +1841,7 @@ static int add_associated_sta(struct hostapd_data *hapd, | ||
52 | { | ||
53 | struct ieee80211_ht_capabilities ht_cap; | ||
54 | struct ieee80211_vht_capabilities vht_cap; | ||
55 | + int set = 1; | ||
56 | |||
57 | /* | ||
58 | * Remove the STA entry to ensure the STA PS state gets cleared and | ||
59 | @@ -1848,9 +1849,18 @@ static int add_associated_sta(struct hostapd_data *hapd, | ||
60 | * FT-over-the-DS, where a station re-associates back to the same AP but | ||
61 | * skips the authentication flow, or if working with a driver that | ||
62 | * does not support full AP client state. | ||
63 | + * | ||
64 | + * Skip this if the STA has already completed FT reassociation and the | ||
65 | + * TK has been configured since the TX/RX PN must not be reset to 0 for | ||
66 | + * the same key. | ||
67 | */ | ||
68 | - if (!sta->added_unassoc) | ||
69 | + if (!sta->added_unassoc && | ||
70 | + (!(sta->flags & WLAN_STA_AUTHORIZED) || | ||
71 | + !wpa_auth_sta_ft_tk_already_set(sta->wpa_sm))) { | ||
72 | hostapd_drv_sta_remove(hapd, sta->addr); | ||
73 | + wpa_auth_sm_event(sta->wpa_sm, WPA_DRV_STA_REMOVED); | ||
74 | + set = 0; | ||
75 | + } | ||
76 | |||
77 | #ifdef CONFIG_IEEE80211N | ||
78 | if (sta->flags & WLAN_STA_HT) | ||
79 | @@ -1873,11 +1883,11 @@ static int add_associated_sta(struct hostapd_data *hapd, | ||
80 | sta->flags & WLAN_STA_VHT ? &vht_cap : NULL, | ||
81 | sta->flags | WLAN_STA_ASSOC, sta->qosinfo, | ||
82 | sta->vht_opmode, sta->p2p_ie ? 1 : 0, | ||
83 | - sta->added_unassoc)) { | ||
84 | + set)) { | ||
85 | hostapd_logger(hapd, sta->addr, | ||
86 | HOSTAPD_MODULE_IEEE80211, HOSTAPD_LEVEL_NOTICE, | ||
87 | "Could not %s STA to kernel driver", | ||
88 | - sta->added_unassoc ? "set" : "add"); | ||
89 | + set ? "set" : "add"); | ||
90 | |||
91 | if (sta->added_unassoc) { | ||
92 | hostapd_drv_sta_remove(hapd, sta->addr); | ||
93 | diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c | ||
94 | index 3587086..707971d 100644 | ||
95 | --- a/src/ap/wpa_auth.c | ||
96 | +++ b/src/ap/wpa_auth.c | ||
97 | @@ -1745,6 +1745,9 @@ int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event) | ||
98 | #else /* CONFIG_IEEE80211R */ | ||
99 | break; | ||
100 | #endif /* CONFIG_IEEE80211R */ | ||
101 | + case WPA_DRV_STA_REMOVED: | ||
102 | + sm->tk_already_set = FALSE; | ||
103 | + return 0; | ||
104 | } | ||
105 | |||
106 | #ifdef CONFIG_IEEE80211R | ||
107 | @@ -3250,6 +3253,14 @@ int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm) | ||
108 | } | ||
109 | |||
110 | |||
111 | +int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm) | ||
112 | +{ | ||
113 | + if (!sm || !wpa_key_mgmt_ft(sm->wpa_key_mgmt)) | ||
114 | + return 0; | ||
115 | + return sm->tk_already_set; | ||
116 | +} | ||
117 | + | ||
118 | + | ||
119 | int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm, | ||
120 | struct rsn_pmksa_cache_entry *entry) | ||
121 | { | ||
122 | diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h | ||
123 | index 0de8d97..97461b0 100644 | ||
124 | --- a/src/ap/wpa_auth.h | ||
125 | +++ b/src/ap/wpa_auth.h | ||
126 | @@ -267,7 +267,7 @@ void wpa_receive(struct wpa_authenticator *wpa_auth, | ||
127 | u8 *data, size_t data_len); | ||
128 | enum wpa_event { | ||
129 | WPA_AUTH, WPA_ASSOC, WPA_DISASSOC, WPA_DEAUTH, WPA_REAUTH, | ||
130 | - WPA_REAUTH_EAPOL, WPA_ASSOC_FT | ||
131 | + WPA_REAUTH_EAPOL, WPA_ASSOC_FT, WPA_DRV_STA_REMOVED | ||
132 | }; | ||
133 | void wpa_remove_ptk(struct wpa_state_machine *sm); | ||
134 | int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event); | ||
135 | @@ -280,6 +280,7 @@ int wpa_auth_pairwise_set(struct wpa_state_machine *sm); | ||
136 | int wpa_auth_get_pairwise(struct wpa_state_machine *sm); | ||
137 | int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm); | ||
138 | int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm); | ||
139 | +int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm); | ||
140 | int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm, | ||
141 | struct rsn_pmksa_cache_entry *entry); | ||
142 | struct rsn_pmksa_cache_entry * | ||
143 | diff --git a/src/ap/wpa_auth_ft.c b/src/ap/wpa_auth_ft.c | ||
144 | index 42242a5..e63b99a 100644 | ||
145 | --- a/src/ap/wpa_auth_ft.c | ||
146 | +++ b/src/ap/wpa_auth_ft.c | ||
147 | @@ -780,6 +780,14 @@ void wpa_ft_install_ptk(struct wpa_state_machine *sm) | ||
148 | return; | ||
149 | } | ||
150 | |||
151 | + if (sm->tk_already_set) { | ||
152 | + /* Must avoid TK reconfiguration to prevent clearing of TX/RX | ||
153 | + * PN in the driver */ | ||
154 | + wpa_printf(MSG_DEBUG, | ||
155 | + "FT: Do not re-install same PTK to the driver"); | ||
156 | + return; | ||
157 | + } | ||
158 | + | ||
159 | /* FIX: add STA entry to kernel/driver here? The set_key will fail | ||
160 | * most likely without this.. At the moment, STA entry is added only | ||
161 | * after association has been completed. This function will be called | ||
162 | @@ -792,6 +800,7 @@ void wpa_ft_install_ptk(struct wpa_state_machine *sm) | ||
163 | |||
164 | /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */ | ||
165 | sm->pairwise_set = TRUE; | ||
166 | + sm->tk_already_set = TRUE; | ||
167 | } | ||
168 | |||
169 | |||
170 | @@ -898,6 +907,7 @@ static int wpa_ft_process_auth_req(struct wpa_state_machine *sm, | ||
171 | |||
172 | sm->pairwise = pairwise; | ||
173 | sm->PTK_valid = TRUE; | ||
174 | + sm->tk_already_set = FALSE; | ||
175 | wpa_ft_install_ptk(sm); | ||
176 | |||
177 | buflen = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) + | ||
178 | diff --git a/src/ap/wpa_auth_i.h b/src/ap/wpa_auth_i.h | ||
179 | index 72b7eb3..7fd8f05 100644 | ||
180 | --- a/src/ap/wpa_auth_i.h | ||
181 | +++ b/src/ap/wpa_auth_i.h | ||
182 | @@ -65,6 +65,7 @@ struct wpa_state_machine { | ||
183 | struct wpa_ptk PTK; | ||
184 | Boolean PTK_valid; | ||
185 | Boolean pairwise_set; | ||
186 | + Boolean tk_already_set; | ||
187 | int keycount; | ||
188 | Boolean Pair; | ||
189 | struct wpa_key_replay_counter { | ||
190 | -- | ||
191 | 2.7.4 | ||
192 | |||
193 | From 927f891007c402fefd1ff384645b3f07597c3ede Mon Sep 17 00:00:00 2001 | ||
194 | From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be> | ||
195 | Date: Wed, 12 Jul 2017 16:03:24 +0200 | ||
196 | Subject: [PATCH 2/8] Prevent reinstallation of an already in-use group key | ||
197 | |||
198 | Track the current GTK and IGTK that is in use and when receiving a | ||
199 | (possibly retransmitted) Group Message 1 or WNM-Sleep Mode Response, do | ||
200 | not install the given key if it is already in use. This prevents an | ||
201 | attacker from trying to trick the client into resetting or lowering the | ||
202 | sequence counter associated to the group key. | ||
203 | |||
204 | Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be> | ||
205 | --- | ||
206 | src/common/wpa_common.h | 11 +++++ | ||
207 | src/rsn_supp/wpa.c | 116 ++++++++++++++++++++++++++++++------------------ | ||
208 | src/rsn_supp/wpa_i.h | 4 ++ | ||
209 | 3 files changed, 87 insertions(+), 44 deletions(-) | ||
210 | |||
211 | diff --git a/src/common/wpa_common.h b/src/common/wpa_common.h | ||
212 | index af1d0f0..d200285 100644 | ||
213 | --- a/src/common/wpa_common.h | ||
214 | +++ b/src/common/wpa_common.h | ||
215 | @@ -217,6 +217,17 @@ struct wpa_ptk { | ||
216 | size_t tk_len; | ||
217 | }; | ||
218 | |||
219 | +struct wpa_gtk { | ||
220 | + u8 gtk[WPA_GTK_MAX_LEN]; | ||
221 | + size_t gtk_len; | ||
222 | +}; | ||
223 | + | ||
224 | +#ifdef CONFIG_IEEE80211W | ||
225 | +struct wpa_igtk { | ||
226 | + u8 igtk[WPA_IGTK_MAX_LEN]; | ||
227 | + size_t igtk_len; | ||
228 | +}; | ||
229 | +#endif /* CONFIG_IEEE80211W */ | ||
230 | |||
231 | /* WPA IE version 1 | ||
232 | * 00-50-f2:1 (OUI:OUI type) | ||
233 | diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c | ||
234 | index 3c47879..95bd7be 100644 | ||
235 | --- a/src/rsn_supp/wpa.c | ||
236 | +++ b/src/rsn_supp/wpa.c | ||
237 | @@ -714,6 +714,15 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm, | ||
238 | const u8 *_gtk = gd->gtk; | ||
239 | u8 gtk_buf[32]; | ||
240 | |||
241 | + /* Detect possible key reinstallation */ | ||
242 | + if (sm->gtk.gtk_len == (size_t) gd->gtk_len && | ||
243 | + os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) { | ||
244 | + wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, | ||
245 | + "WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)", | ||
246 | + gd->keyidx, gd->tx, gd->gtk_len); | ||
247 | + return 0; | ||
248 | + } | ||
249 | + | ||
250 | wpa_hexdump_key(MSG_DEBUG, "WPA: Group Key", gd->gtk, gd->gtk_len); | ||
251 | wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, | ||
252 | "WPA: Installing GTK to the driver (keyidx=%d tx=%d len=%d)", | ||
253 | @@ -748,6 +757,9 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm, | ||
254 | } | ||
255 | os_memset(gtk_buf, 0, sizeof(gtk_buf)); | ||
256 | |||
257 | + sm->gtk.gtk_len = gd->gtk_len; | ||
258 | + os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len); | ||
259 | + | ||
260 | return 0; | ||
261 | } | ||
262 | |||
263 | @@ -854,6 +866,48 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm, | ||
264 | } | ||
265 | |||
266 | |||
267 | +#ifdef CONFIG_IEEE80211W | ||
268 | +static int wpa_supplicant_install_igtk(struct wpa_sm *sm, | ||
269 | + const struct wpa_igtk_kde *igtk) | ||
270 | +{ | ||
271 | + size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher); | ||
272 | + u16 keyidx = WPA_GET_LE16(igtk->keyid); | ||
273 | + | ||
274 | + /* Detect possible key reinstallation */ | ||
275 | + if (sm->igtk.igtk_len == len && | ||
276 | + os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) { | ||
277 | + wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, | ||
278 | + "WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)", | ||
279 | + keyidx); | ||
280 | + return 0; | ||
281 | + } | ||
282 | + | ||
283 | + wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, | ||
284 | + "WPA: IGTK keyid %d pn %02x%02x%02x%02x%02x%02x", | ||
285 | + keyidx, MAC2STR(igtk->pn)); | ||
286 | + wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK", igtk->igtk, len); | ||
287 | + if (keyidx > 4095) { | ||
288 | + wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, | ||
289 | + "WPA: Invalid IGTK KeyID %d", keyidx); | ||
290 | + return -1; | ||
291 | + } | ||
292 | + if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher), | ||
293 | + broadcast_ether_addr, | ||
294 | + keyidx, 0, igtk->pn, sizeof(igtk->pn), | ||
295 | + igtk->igtk, len) < 0) { | ||
296 | + wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, | ||
297 | + "WPA: Failed to configure IGTK to the driver"); | ||
298 | + return -1; | ||
299 | + } | ||
300 | + | ||
301 | + sm->igtk.igtk_len = len; | ||
302 | + os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len); | ||
303 | + | ||
304 | + return 0; | ||
305 | +} | ||
306 | +#endif /* CONFIG_IEEE80211W */ | ||
307 | + | ||
308 | + | ||
309 | static int ieee80211w_set_keys(struct wpa_sm *sm, | ||
310 | struct wpa_eapol_ie_parse *ie) | ||
311 | { | ||
312 | @@ -864,30 +918,14 @@ static int ieee80211w_set_keys(struct wpa_sm *sm, | ||
313 | if (ie->igtk) { | ||
314 | size_t len; | ||
315 | const struct wpa_igtk_kde *igtk; | ||
316 | - u16 keyidx; | ||
317 | + | ||
318 | len = wpa_cipher_key_len(sm->mgmt_group_cipher); | ||
319 | if (ie->igtk_len != WPA_IGTK_KDE_PREFIX_LEN + len) | ||
320 | return -1; | ||
321 | + | ||
322 | igtk = (const struct wpa_igtk_kde *) ie->igtk; | ||
323 | - keyidx = WPA_GET_LE16(igtk->keyid); | ||
324 | - wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: IGTK keyid %d " | ||
325 | - "pn %02x%02x%02x%02x%02x%02x", | ||
326 | - keyidx, MAC2STR(igtk->pn)); | ||
327 | - wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK", | ||
328 | - igtk->igtk, len); | ||
329 | - if (keyidx > 4095) { | ||
330 | - wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, | ||
331 | - "WPA: Invalid IGTK KeyID %d", keyidx); | ||
332 | - return -1; | ||
333 | - } | ||
334 | - if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher), | ||
335 | - broadcast_ether_addr, | ||
336 | - keyidx, 0, igtk->pn, sizeof(igtk->pn), | ||
337 | - igtk->igtk, len) < 0) { | ||
338 | - wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, | ||
339 | - "WPA: Failed to configure IGTK to the driver"); | ||
340 | + if (wpa_supplicant_install_igtk(sm, igtk) < 0) | ||
341 | return -1; | ||
342 | - } | ||
343 | } | ||
344 | |||
345 | return 0; | ||
346 | @@ -2307,7 +2345,7 @@ void wpa_sm_deinit(struct wpa_sm *sm) | ||
347 | */ | ||
348 | void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid) | ||
349 | { | ||
350 | - int clear_ptk = 1; | ||
351 | + int clear_keys = 1; | ||
352 | |||
353 | if (sm == NULL) | ||
354 | return; | ||
355 | @@ -2333,11 +2371,11 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid) | ||
356 | /* Prepare for the next transition */ | ||
357 | wpa_ft_prepare_auth_request(sm, NULL); | ||
358 | |||
359 | - clear_ptk = 0; | ||
360 | + clear_keys = 0; | ||
361 | } | ||
362 | #endif /* CONFIG_IEEE80211R */ | ||
363 | |||
364 | - if (clear_ptk) { | ||
365 | + if (clear_keys) { | ||
366 | /* | ||
367 | * IEEE 802.11, 8.4.10: Delete PTK SA on (re)association if | ||
368 | * this is not part of a Fast BSS Transition. | ||
369 | @@ -2347,6 +2385,10 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid) | ||
370 | os_memset(&sm->ptk, 0, sizeof(sm->ptk)); | ||
371 | sm->tptk_set = 0; | ||
372 | os_memset(&sm->tptk, 0, sizeof(sm->tptk)); | ||
373 | + os_memset(&sm->gtk, 0, sizeof(sm->gtk)); | ||
374 | +#ifdef CONFIG_IEEE80211W | ||
375 | + os_memset(&sm->igtk, 0, sizeof(sm->igtk)); | ||
376 | +#endif /* CONFIG_IEEE80211W */ | ||
377 | } | ||
378 | |||
379 | #ifdef CONFIG_TDLS | ||
380 | @@ -2877,6 +2919,10 @@ void wpa_sm_drop_sa(struct wpa_sm *sm) | ||
381 | os_memset(sm->pmk, 0, sizeof(sm->pmk)); | ||
382 | os_memset(&sm->ptk, 0, sizeof(sm->ptk)); | ||
383 | os_memset(&sm->tptk, 0, sizeof(sm->tptk)); | ||
384 | + os_memset(&sm->gtk, 0, sizeof(sm->gtk)); | ||
385 | +#ifdef CONFIG_IEEE80211W | ||
386 | + os_memset(&sm->igtk, 0, sizeof(sm->igtk)); | ||
387 | +#endif /* CONFIG_IEEE80211W */ | ||
388 | #ifdef CONFIG_IEEE80211R | ||
389 | os_memset(sm->xxkey, 0, sizeof(sm->xxkey)); | ||
390 | os_memset(sm->pmk_r0, 0, sizeof(sm->pmk_r0)); | ||
391 | @@ -2949,29 +2995,11 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf) | ||
392 | os_memset(&gd, 0, sizeof(gd)); | ||
393 | #ifdef CONFIG_IEEE80211W | ||
394 | } else if (subelem_id == WNM_SLEEP_SUBELEM_IGTK) { | ||
395 | - struct wpa_igtk_kde igd; | ||
396 | - u16 keyidx; | ||
397 | - | ||
398 | - os_memset(&igd, 0, sizeof(igd)); | ||
399 | - keylen = wpa_cipher_key_len(sm->mgmt_group_cipher); | ||
400 | - os_memcpy(igd.keyid, buf + 2, 2); | ||
401 | - os_memcpy(igd.pn, buf + 4, 6); | ||
402 | - | ||
403 | - keyidx = WPA_GET_LE16(igd.keyid); | ||
404 | - os_memcpy(igd.igtk, buf + 10, keylen); | ||
405 | - | ||
406 | - wpa_hexdump_key(MSG_DEBUG, "Install IGTK (WNM SLEEP)", | ||
407 | - igd.igtk, keylen); | ||
408 | - if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher), | ||
409 | - broadcast_ether_addr, | ||
410 | - keyidx, 0, igd.pn, sizeof(igd.pn), | ||
411 | - igd.igtk, keylen) < 0) { | ||
412 | - wpa_printf(MSG_DEBUG, "Failed to install the IGTK in " | ||
413 | - "WNM mode"); | ||
414 | - os_memset(&igd, 0, sizeof(igd)); | ||
415 | + const struct wpa_igtk_kde *igtk; | ||
416 | + | ||
417 | + igtk = (const struct wpa_igtk_kde *) (buf + 2); | ||
418 | + if (wpa_supplicant_install_igtk(sm, igtk) < 0) | ||
419 | return -1; | ||
420 | - } | ||
421 | - os_memset(&igd, 0, sizeof(igd)); | ||
422 | #endif /* CONFIG_IEEE80211W */ | ||
423 | } else { | ||
424 | wpa_printf(MSG_DEBUG, "Unknown element id"); | ||
425 | diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h | ||
426 | index f653ba6..afc9e37 100644 | ||
427 | --- a/src/rsn_supp/wpa_i.h | ||
428 | +++ b/src/rsn_supp/wpa_i.h | ||
429 | @@ -31,6 +31,10 @@ struct wpa_sm { | ||
430 | u8 rx_replay_counter[WPA_REPLAY_COUNTER_LEN]; | ||
431 | int rx_replay_counter_set; | ||
432 | u8 request_counter[WPA_REPLAY_COUNTER_LEN]; | ||
433 | + struct wpa_gtk gtk; | ||
434 | +#ifdef CONFIG_IEEE80211W | ||
435 | + struct wpa_igtk igtk; | ||
436 | +#endif /* CONFIG_IEEE80211W */ | ||
437 | |||
438 | struct eapol_sm *eapol; /* EAPOL state machine from upper level code */ | ||
439 | |||
440 | -- | ||
441 | 2.7.4 | ||
442 | |||
443 | From 8280294e74846ea342389a0cd17215050fa5afe8 Mon Sep 17 00:00:00 2001 | ||
444 | From: Jouni Malinen <j@w1.fi> | ||
445 | Date: Sun, 1 Oct 2017 12:12:24 +0300 | ||
446 | Subject: [PATCH 3/8] Extend protection of GTK/IGTK reinstallation of WNM-Sleep | ||
447 | Mode cases | ||
448 | |||
449 | This extends the protection to track last configured GTK/IGTK value | ||
450 | separately from EAPOL-Key frames and WNM-Sleep Mode frames to cover a | ||
451 | corner case where these two different mechanisms may get used when the | ||
452 | GTK/IGTK has changed and tracking a single value is not sufficient to | ||
453 | detect a possible key reconfiguration. | ||
454 | |||
455 | Signed-off-by: Jouni Malinen <j@w1.fi> | ||
456 | --- | ||
457 | src/rsn_supp/wpa.c | 53 +++++++++++++++++++++++++++++++++++++--------------- | ||
458 | src/rsn_supp/wpa_i.h | 2 ++ | ||
459 | 2 files changed, 40 insertions(+), 15 deletions(-) | ||
460 | |||
461 | diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c | ||
462 | index 95bd7be..7a2c68d 100644 | ||
463 | --- a/src/rsn_supp/wpa.c | ||
464 | +++ b/src/rsn_supp/wpa.c | ||
465 | @@ -709,14 +709,17 @@ struct wpa_gtk_data { | ||
466 | |||
467 | static int wpa_supplicant_install_gtk(struct wpa_sm *sm, | ||
468 | const struct wpa_gtk_data *gd, | ||
469 | - const u8 *key_rsc) | ||
470 | + const u8 *key_rsc, int wnm_sleep) | ||
471 | { | ||
472 | const u8 *_gtk = gd->gtk; | ||
473 | u8 gtk_buf[32]; | ||
474 | |||
475 | /* Detect possible key reinstallation */ | ||
476 | - if (sm->gtk.gtk_len == (size_t) gd->gtk_len && | ||
477 | - os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) { | ||
478 | + if ((sm->gtk.gtk_len == (size_t) gd->gtk_len && | ||
479 | + os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) || | ||
480 | + (sm->gtk_wnm_sleep.gtk_len == (size_t) gd->gtk_len && | ||
481 | + os_memcmp(sm->gtk_wnm_sleep.gtk, gd->gtk, | ||
482 | + sm->gtk_wnm_sleep.gtk_len) == 0)) { | ||
483 | wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, | ||
484 | "WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)", | ||
485 | gd->keyidx, gd->tx, gd->gtk_len); | ||
486 | @@ -757,8 +760,14 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm, | ||
487 | } | ||
488 | os_memset(gtk_buf, 0, sizeof(gtk_buf)); | ||
489 | |||
490 | - sm->gtk.gtk_len = gd->gtk_len; | ||
491 | - os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len); | ||
492 | + if (wnm_sleep) { | ||
493 | + sm->gtk_wnm_sleep.gtk_len = gd->gtk_len; | ||
494 | + os_memcpy(sm->gtk_wnm_sleep.gtk, gd->gtk, | ||
495 | + sm->gtk_wnm_sleep.gtk_len); | ||
496 | + } else { | ||
497 | + sm->gtk.gtk_len = gd->gtk_len; | ||
498 | + os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len); | ||
499 | + } | ||
500 | |||
501 | return 0; | ||
502 | } | ||
503 | @@ -852,7 +861,7 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm, | ||
504 | (wpa_supplicant_check_group_cipher(sm, sm->group_cipher, | ||
505 | gtk_len, gtk_len, | ||
506 | &gd.key_rsc_len, &gd.alg) || | ||
507 | - wpa_supplicant_install_gtk(sm, &gd, key_rsc))) { | ||
508 | + wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0))) { | ||
509 | wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, | ||
510 | "RSN: Failed to install GTK"); | ||
511 | os_memset(&gd, 0, sizeof(gd)); | ||
512 | @@ -868,14 +877,18 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm, | ||
513 | |||
514 | #ifdef CONFIG_IEEE80211W | ||
515 | static int wpa_supplicant_install_igtk(struct wpa_sm *sm, | ||
516 | - const struct wpa_igtk_kde *igtk) | ||
517 | + const struct wpa_igtk_kde *igtk, | ||
518 | + int wnm_sleep) | ||
519 | { | ||
520 | size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher); | ||
521 | u16 keyidx = WPA_GET_LE16(igtk->keyid); | ||
522 | |||
523 | /* Detect possible key reinstallation */ | ||
524 | - if (sm->igtk.igtk_len == len && | ||
525 | - os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) { | ||
526 | + if ((sm->igtk.igtk_len == len && | ||
527 | + os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) || | ||
528 | + (sm->igtk_wnm_sleep.igtk_len == len && | ||
529 | + os_memcmp(sm->igtk_wnm_sleep.igtk, igtk->igtk, | ||
530 | + sm->igtk_wnm_sleep.igtk_len) == 0)) { | ||
531 | wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, | ||
532 | "WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)", | ||
533 | keyidx); | ||
534 | @@ -900,8 +913,14 @@ static int wpa_supplicant_install_igtk(struct wpa_sm *sm, | ||
535 | return -1; | ||
536 | } | ||
537 | |||
538 | - sm->igtk.igtk_len = len; | ||
539 | - os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len); | ||
540 | + if (wnm_sleep) { | ||
541 | + sm->igtk_wnm_sleep.igtk_len = len; | ||
542 | + os_memcpy(sm->igtk_wnm_sleep.igtk, igtk->igtk, | ||
543 | + sm->igtk_wnm_sleep.igtk_len); | ||
544 | + } else { | ||
545 | + sm->igtk.igtk_len = len; | ||
546 | + os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len); | ||
547 | + } | ||
548 | |||
549 | return 0; | ||
550 | } | ||
551 | @@ -924,7 +943,7 @@ static int ieee80211w_set_keys(struct wpa_sm *sm, | ||
552 | return -1; | ||
553 | |||
554 | igtk = (const struct wpa_igtk_kde *) ie->igtk; | ||
555 | - if (wpa_supplicant_install_igtk(sm, igtk) < 0) | ||
556 | + if (wpa_supplicant_install_igtk(sm, igtk, 0) < 0) | ||
557 | return -1; | ||
558 | } | ||
559 | |||
560 | @@ -1574,7 +1593,7 @@ static void wpa_supplicant_process_1_of_2(struct wpa_sm *sm, | ||
561 | if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc)) | ||
562 | key_rsc = null_rsc; | ||
563 | |||
564 | - if (wpa_supplicant_install_gtk(sm, &gd, key_rsc) || | ||
565 | + if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0) || | ||
566 | wpa_supplicant_send_2_of_2(sm, key, ver, key_info) < 0) | ||
567 | goto failed; | ||
568 | os_memset(&gd, 0, sizeof(gd)); | ||
569 | @@ -2386,8 +2405,10 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid) | ||
570 | sm->tptk_set = 0; | ||
571 | os_memset(&sm->tptk, 0, sizeof(sm->tptk)); | ||
572 | os_memset(&sm->gtk, 0, sizeof(sm->gtk)); | ||
573 | + os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep)); | ||
574 | #ifdef CONFIG_IEEE80211W | ||
575 | os_memset(&sm->igtk, 0, sizeof(sm->igtk)); | ||
576 | + os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep)); | ||
577 | #endif /* CONFIG_IEEE80211W */ | ||
578 | } | ||
579 | |||
580 | @@ -2920,8 +2941,10 @@ void wpa_sm_drop_sa(struct wpa_sm *sm) | ||
581 | os_memset(&sm->ptk, 0, sizeof(sm->ptk)); | ||
582 | os_memset(&sm->tptk, 0, sizeof(sm->tptk)); | ||
583 | os_memset(&sm->gtk, 0, sizeof(sm->gtk)); | ||
584 | + os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep)); | ||
585 | #ifdef CONFIG_IEEE80211W | ||
586 | os_memset(&sm->igtk, 0, sizeof(sm->igtk)); | ||
587 | + os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep)); | ||
588 | #endif /* CONFIG_IEEE80211W */ | ||
589 | #ifdef CONFIG_IEEE80211R | ||
590 | os_memset(sm->xxkey, 0, sizeof(sm->xxkey)); | ||
591 | @@ -2986,7 +3009,7 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf) | ||
592 | |||
593 | wpa_hexdump_key(MSG_DEBUG, "Install GTK (WNM SLEEP)", | ||
594 | gd.gtk, gd.gtk_len); | ||
595 | - if (wpa_supplicant_install_gtk(sm, &gd, key_rsc)) { | ||
596 | + if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 1)) { | ||
597 | os_memset(&gd, 0, sizeof(gd)); | ||
598 | wpa_printf(MSG_DEBUG, "Failed to install the GTK in " | ||
599 | "WNM mode"); | ||
600 | @@ -2998,7 +3021,7 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf) | ||
601 | const struct wpa_igtk_kde *igtk; | ||
602 | |||
603 | igtk = (const struct wpa_igtk_kde *) (buf + 2); | ||
604 | - if (wpa_supplicant_install_igtk(sm, igtk) < 0) | ||
605 | + if (wpa_supplicant_install_igtk(sm, igtk, 1) < 0) | ||
606 | return -1; | ||
607 | #endif /* CONFIG_IEEE80211W */ | ||
608 | } else { | ||
609 | diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h | ||
610 | index afc9e37..9a54631 100644 | ||
611 | --- a/src/rsn_supp/wpa_i.h | ||
612 | +++ b/src/rsn_supp/wpa_i.h | ||
613 | @@ -32,8 +32,10 @@ struct wpa_sm { | ||
614 | int rx_replay_counter_set; | ||
615 | u8 request_counter[WPA_REPLAY_COUNTER_LEN]; | ||
616 | struct wpa_gtk gtk; | ||
617 | + struct wpa_gtk gtk_wnm_sleep; | ||
618 | #ifdef CONFIG_IEEE80211W | ||
619 | struct wpa_igtk igtk; | ||
620 | + struct wpa_igtk igtk_wnm_sleep; | ||
621 | #endif /* CONFIG_IEEE80211W */ | ||
622 | |||
623 | struct eapol_sm *eapol; /* EAPOL state machine from upper level code */ | ||
624 | -- | ||
625 | 2.7.4 | ||
626 | |||
627 | From 8f82bc94e8697a9d47fa8774dfdaaede1084912c Mon Sep 17 00:00:00 2001 | ||
628 | From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be> | ||
629 | Date: Fri, 29 Sep 2017 04:22:51 +0200 | ||
630 | Subject: [PATCH 4/8] Prevent installation of an all-zero TK | ||
631 | |||
632 | Properly track whether a PTK has already been installed to the driver | ||
633 | and the TK part cleared from memory. This prevents an attacker from | ||
634 | trying to trick the client into installing an all-zero TK. | ||
635 | |||
636 | This fixes the earlier fix in commit | ||
637 | ad00d64e7d8827b3cebd665a0ceb08adabf15e1e ('Fix TK configuration to the | ||
638 | driver in EAPOL-Key 3/4 retry case') which did not take into account | ||
639 | possibility of an extra message 1/4 showing up between retries of | ||
640 | message 3/4. | ||
641 | |||
642 | Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be> | ||
643 | --- | ||
644 | src/common/wpa_common.h | 1 + | ||
645 | src/rsn_supp/wpa.c | 5 ++--- | ||
646 | src/rsn_supp/wpa_i.h | 1 - | ||
647 | 3 files changed, 3 insertions(+), 4 deletions(-) | ||
648 | |||
649 | diff --git a/src/common/wpa_common.h b/src/common/wpa_common.h | ||
650 | index d200285..1021ccb 100644 | ||
651 | --- a/src/common/wpa_common.h | ||
652 | +++ b/src/common/wpa_common.h | ||
653 | @@ -215,6 +215,7 @@ struct wpa_ptk { | ||
654 | size_t kck_len; | ||
655 | size_t kek_len; | ||
656 | size_t tk_len; | ||
657 | + int installed; /* 1 if key has already been installed to driver */ | ||
658 | }; | ||
659 | |||
660 | struct wpa_gtk { | ||
661 | diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c | ||
662 | index 7a2c68d..0550a41 100644 | ||
663 | --- a/src/rsn_supp/wpa.c | ||
664 | +++ b/src/rsn_supp/wpa.c | ||
665 | @@ -510,7 +510,6 @@ static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm, | ||
666 | os_memset(buf, 0, sizeof(buf)); | ||
667 | } | ||
668 | sm->tptk_set = 1; | ||
669 | - sm->tk_to_set = 1; | ||
670 | |||
671 | kde = sm->assoc_wpa_ie; | ||
672 | kde_len = sm->assoc_wpa_ie_len; | ||
673 | @@ -615,7 +614,7 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm, | ||
674 | enum wpa_alg alg; | ||
675 | const u8 *key_rsc; | ||
676 | |||
677 | - if (!sm->tk_to_set) { | ||
678 | + if (sm->ptk.installed) { | ||
679 | wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, | ||
680 | "WPA: Do not re-install same PTK to the driver"); | ||
681 | return 0; | ||
682 | @@ -659,7 +658,7 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm, | ||
683 | |||
684 | /* TK is not needed anymore in supplicant */ | ||
685 | os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN); | ||
686 | - sm->tk_to_set = 0; | ||
687 | + sm->ptk.installed = 1; | ||
688 | |||
689 | if (sm->wpa_ptk_rekey) { | ||
690 | eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL); | ||
691 | diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h | ||
692 | index 9a54631..41f371f 100644 | ||
693 | --- a/src/rsn_supp/wpa_i.h | ||
694 | +++ b/src/rsn_supp/wpa_i.h | ||
695 | @@ -24,7 +24,6 @@ struct wpa_sm { | ||
696 | struct wpa_ptk ptk, tptk; | ||
697 | int ptk_set, tptk_set; | ||
698 | unsigned int msg_3_of_4_ok:1; | ||
699 | - unsigned int tk_to_set:1; | ||
700 | u8 snonce[WPA_NONCE_LEN]; | ||
701 | u8 anonce[WPA_NONCE_LEN]; /* ANonce from the last 1/4 msg */ | ||
702 | int renew_snonce; | ||
703 | -- | ||
704 | 2.7.4 | ||
705 | |||
706 | From 12fac09b437a1dc8a0f253e265934a8aaf4d2f8b Mon Sep 17 00:00:00 2001 | ||
707 | From: Jouni Malinen <j@w1.fi> | ||
708 | Date: Sun, 1 Oct 2017 12:32:57 +0300 | ||
709 | Subject: [PATCH 5/8] Fix PTK rekeying to generate a new ANonce | ||
710 | |||
711 | The Authenticator state machine path for PTK rekeying ended up bypassing | ||
712 | the AUTHENTICATION2 state where a new ANonce is generated when going | ||
713 | directly to the PTKSTART state since there is no need to try to | ||
714 | determine the PMK again in such a case. This is far from ideal since the | ||
715 | new PTK would depend on a new nonce only from the supplicant. | ||
716 | |||
717 | Fix this by generating a new ANonce when moving to the PTKSTART state | ||
718 | for the purpose of starting new 4-way handshake to rekey PTK. | ||
719 | |||
720 | Signed-off-by: Jouni Malinen <j@w1.fi> | ||
721 | --- | ||
722 | src/ap/wpa_auth.c | 24 +++++++++++++++++++++--- | ||
723 | 1 file changed, 21 insertions(+), 3 deletions(-) | ||
724 | |||
725 | diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c | ||
726 | index 707971d..bf10cc1 100644 | ||
727 | --- a/src/ap/wpa_auth.c | ||
728 | +++ b/src/ap/wpa_auth.c | ||
729 | @@ -1901,6 +1901,21 @@ SM_STATE(WPA_PTK, AUTHENTICATION2) | ||
730 | } | ||
731 | |||
732 | |||
733 | +static int wpa_auth_sm_ptk_update(struct wpa_state_machine *sm) | ||
734 | +{ | ||
735 | + if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) { | ||
736 | + wpa_printf(MSG_ERROR, | ||
737 | + "WPA: Failed to get random data for ANonce"); | ||
738 | + sm->Disconnect = TRUE; | ||
739 | + return -1; | ||
740 | + } | ||
741 | + wpa_hexdump(MSG_DEBUG, "WPA: Assign new ANonce", sm->ANonce, | ||
742 | + WPA_NONCE_LEN); | ||
743 | + sm->TimeoutCtr = 0; | ||
744 | + return 0; | ||
745 | +} | ||
746 | + | ||
747 | + | ||
748 | SM_STATE(WPA_PTK, INITPMK) | ||
749 | { | ||
750 | u8 msk[2 * PMK_LEN]; | ||
751 | @@ -2458,9 +2473,12 @@ SM_STEP(WPA_PTK) | ||
752 | SM_ENTER(WPA_PTK, AUTHENTICATION); | ||
753 | else if (sm->ReAuthenticationRequest) | ||
754 | SM_ENTER(WPA_PTK, AUTHENTICATION2); | ||
755 | - else if (sm->PTKRequest) | ||
756 | - SM_ENTER(WPA_PTK, PTKSTART); | ||
757 | - else switch (sm->wpa_ptk_state) { | ||
758 | + else if (sm->PTKRequest) { | ||
759 | + if (wpa_auth_sm_ptk_update(sm) < 0) | ||
760 | + SM_ENTER(WPA_PTK, DISCONNECTED); | ||
761 | + else | ||
762 | + SM_ENTER(WPA_PTK, PTKSTART); | ||
763 | + } else switch (sm->wpa_ptk_state) { | ||
764 | case WPA_PTK_INITIALIZE: | ||
765 | break; | ||
766 | case WPA_PTK_DISCONNECT: | ||
767 | -- | ||
768 | 2.7.4 | ||
769 | |||
770 | From 6c4bed4f47d1960ec04981a9d50e5076aea5223d Mon Sep 17 00:00:00 2001 | ||
771 | From: Jouni Malinen <j@w1.fi> | ||
772 | Date: Fri, 22 Sep 2017 11:03:15 +0300 | ||
773 | Subject: [PATCH 6/8] TDLS: Reject TPK-TK reconfiguration | ||
774 | |||
775 | Do not try to reconfigure the same TPK-TK to the driver after it has | ||
776 | been successfully configured. This is an explicit check to avoid issues | ||
777 | related to resetting the TX/RX packet number. There was already a check | ||
778 | for this for TPK M2 (retries of that message are ignored completely), so | ||
779 | that behavior does not get modified. | ||
780 | |||
781 | For TPK M3, the TPK-TK could have been reconfigured, but that was | ||
782 | followed by immediate teardown of the link due to an issue in updating | ||
783 | the STA entry. Furthermore, for TDLS with any real security (i.e., | ||
784 | ignoring open/WEP), the TPK message exchange is protected on the AP path | ||
785 | and simple replay attacks are not feasible. | ||
786 | |||
787 | As an additional corner case, make sure the local nonce gets updated if | ||
788 | the peer uses a very unlikely "random nonce" of all zeros. | ||
789 | |||
790 | Signed-off-by: Jouni Malinen <j@w1.fi> | ||
791 | --- | ||
792 | src/rsn_supp/tdls.c | 38 ++++++++++++++++++++++++++++++++++++-- | ||
793 | 1 file changed, 36 insertions(+), 2 deletions(-) | ||
794 | |||
795 | diff --git a/src/rsn_supp/tdls.c b/src/rsn_supp/tdls.c | ||
796 | index e424168..9eb9738 100644 | ||
797 | --- a/src/rsn_supp/tdls.c | ||
798 | +++ b/src/rsn_supp/tdls.c | ||
799 | @@ -112,6 +112,7 @@ struct wpa_tdls_peer { | ||
800 | u8 tk[16]; /* TPK-TK; assuming only CCMP will be used */ | ||
801 | } tpk; | ||
802 | int tpk_set; | ||
803 | + int tk_set; /* TPK-TK configured to the driver */ | ||
804 | int tpk_success; | ||
805 | int tpk_in_progress; | ||
806 | |||
807 | @@ -192,6 +193,20 @@ static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) | ||
808 | u8 rsc[6]; | ||
809 | enum wpa_alg alg; | ||
810 | |||
811 | + if (peer->tk_set) { | ||
812 | + /* | ||
813 | + * This same TPK-TK has already been configured to the driver | ||
814 | + * and this new configuration attempt (likely due to an | ||
815 | + * unexpected retransmitted frame) would result in clearing | ||
816 | + * the TX/RX sequence number which can break security, so must | ||
817 | + * not allow that to happen. | ||
818 | + */ | ||
819 | + wpa_printf(MSG_INFO, "TDLS: TPK-TK for the peer " MACSTR | ||
820 | + " has already been configured to the driver - do not reconfigure", | ||
821 | + MAC2STR(peer->addr)); | ||
822 | + return -1; | ||
823 | + } | ||
824 | + | ||
825 | os_memset(rsc, 0, 6); | ||
826 | |||
827 | switch (peer->cipher) { | ||
828 | @@ -209,12 +224,15 @@ static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) | ||
829 | return -1; | ||
830 | } | ||
831 | |||
832 | + wpa_printf(MSG_DEBUG, "TDLS: Configure pairwise key for peer " MACSTR, | ||
833 | + MAC2STR(peer->addr)); | ||
834 | if (wpa_sm_set_key(sm, alg, peer->addr, -1, 1, | ||
835 | rsc, sizeof(rsc), peer->tpk.tk, key_len) < 0) { | ||
836 | wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the " | ||
837 | "driver"); | ||
838 | return -1; | ||
839 | } | ||
840 | + peer->tk_set = 1; | ||
841 | return 0; | ||
842 | } | ||
843 | |||
844 | @@ -696,7 +714,7 @@ static void wpa_tdls_peer_clear(struct wpa_sm *sm, struct wpa_tdls_peer *peer) | ||
845 | peer->cipher = 0; | ||
846 | peer->qos_info = 0; | ||
847 | peer->wmm_capable = 0; | ||
848 | - peer->tpk_set = peer->tpk_success = 0; | ||
849 | + peer->tk_set = peer->tpk_set = peer->tpk_success = 0; | ||
850 | peer->chan_switch_enabled = 0; | ||
851 | os_memset(&peer->tpk, 0, sizeof(peer->tpk)); | ||
852 | os_memset(peer->inonce, 0, WPA_NONCE_LEN); | ||
853 | @@ -1159,6 +1177,7 @@ skip_rsnie: | ||
854 | wpa_tdls_peer_free(sm, peer); | ||
855 | return -1; | ||
856 | } | ||
857 | + peer->tk_set = 0; /* A new nonce results in a new TK */ | ||
858 | wpa_hexdump(MSG_DEBUG, "TDLS: Initiator Nonce for TPK handshake", | ||
859 | peer->inonce, WPA_NONCE_LEN); | ||
860 | os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); | ||
861 | @@ -1751,6 +1770,19 @@ static int wpa_tdls_addset_peer(struct wpa_sm *sm, struct wpa_tdls_peer *peer, | ||
862 | } | ||
863 | |||
864 | |||
865 | +static int tdls_nonce_set(const u8 *nonce) | ||
866 | +{ | ||
867 | + int i; | ||
868 | + | ||
869 | + for (i = 0; i < WPA_NONCE_LEN; i++) { | ||
870 | + if (nonce[i]) | ||
871 | + return 1; | ||
872 | + } | ||
873 | + | ||
874 | + return 0; | ||
875 | +} | ||
876 | + | ||
877 | + | ||
878 | static int wpa_tdls_process_tpk_m1(struct wpa_sm *sm, const u8 *src_addr, | ||
879 | const u8 *buf, size_t len) | ||
880 | { | ||
881 | @@ -2004,7 +2036,8 @@ skip_rsn: | ||
882 | peer->rsnie_i_len = kde.rsn_ie_len; | ||
883 | peer->cipher = cipher; | ||
884 | |||
885 | - if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) { | ||
886 | + if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0 || | ||
887 | + !tdls_nonce_set(peer->inonce)) { | ||
888 | /* | ||
889 | * There is no point in updating the RNonce for every obtained | ||
890 | * TPK M1 frame (e.g., retransmission due to timeout) with the | ||
891 | @@ -2020,6 +2053,7 @@ skip_rsn: | ||
892 | "TDLS: Failed to get random data for responder nonce"); | ||
893 | goto error; | ||
894 | } | ||
895 | + peer->tk_set = 0; /* A new nonce results in a new TK */ | ||
896 | } | ||
897 | |||
898 | #if 0 | ||
899 | -- | ||
900 | 2.7.4 | ||
901 | |||
902 | From 53c5eb58e95004f86e65ee9fbfccbc291b139057 Mon Sep 17 00:00:00 2001 | ||
903 | From: Jouni Malinen <j@w1.fi> | ||
904 | Date: Fri, 22 Sep 2017 11:25:02 +0300 | ||
905 | Subject: [PATCH 7/8] WNM: Ignore WNM-Sleep Mode Response without pending | ||
906 | request | ||
907 | |||
908 | Commit 03ed0a52393710be6bdae657d1b36efa146520e5 ('WNM: Ignore WNM-Sleep | ||
909 | Mode Response if WNM-Sleep Mode has not been used') started ignoring the | ||
910 | response when no WNM-Sleep Mode Request had been used during the | ||
911 | association. This can be made tighter by clearing the used flag when | ||
912 | successfully processing a response. This adds an additional layer of | ||
913 | protection against unexpected retransmissions of the response frame. | ||
914 | |||
915 | Signed-off-by: Jouni Malinen <j@w1.fi> | ||
916 | --- | ||
917 | wpa_supplicant/wnm_sta.c | 4 +++- | ||
918 | 1 file changed, 3 insertions(+), 1 deletion(-) | ||
919 | |||
920 | diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c | ||
921 | index 1b3409c..67a07ff 100644 | ||
922 | --- a/wpa_supplicant/wnm_sta.c | ||
923 | +++ b/wpa_supplicant/wnm_sta.c | ||
924 | @@ -260,7 +260,7 @@ static void ieee802_11_rx_wnmsleep_resp(struct wpa_supplicant *wpa_s, | ||
925 | |||
926 | if (!wpa_s->wnmsleep_used) { | ||
927 | wpa_printf(MSG_DEBUG, | ||
928 | - "WNM: Ignore WNM-Sleep Mode Response frame since WNM-Sleep Mode has not been used in this association"); | ||
929 | + "WNM: Ignore WNM-Sleep Mode Response frame since WNM-Sleep Mode operation has not been requested"); | ||
930 | return; | ||
931 | } | ||
932 | |||
933 | @@ -299,6 +299,8 @@ static void ieee802_11_rx_wnmsleep_resp(struct wpa_supplicant *wpa_s, | ||
934 | return; | ||
935 | } | ||
936 | |||
937 | + wpa_s->wnmsleep_used = 0; | ||
938 | + | ||
939 | if (wnmsleep_ie->status == WNM_STATUS_SLEEP_ACCEPT || | ||
940 | wnmsleep_ie->status == WNM_STATUS_SLEEP_EXIT_ACCEPT_GTK_UPDATE) { | ||
941 | wpa_printf(MSG_DEBUG, "Successfully recv WNM-Sleep Response " | ||
942 | -- | ||
943 | 2.7.4 | ||
944 | |||
945 | From b372ab0b7daea719749194dc554b26e6367603f2 Mon Sep 17 00:00:00 2001 | ||
946 | From: Jouni Malinen <j@w1.fi> | ||
947 | Date: Fri, 22 Sep 2017 12:06:37 +0300 | ||
948 | Subject: [PATCH 8/8] FT: Do not allow multiple Reassociation Response frames | ||
949 | |||
950 | The driver is expected to not report a second association event without | ||
951 | the station having explicitly request a new association. As such, this | ||
952 | case should not be reachable. However, since reconfiguring the same | ||
953 | pairwise or group keys to the driver could result in nonce reuse issues, | ||
954 | be extra careful here and do an additional state check to avoid this | ||
955 | even if the local driver ends up somehow accepting an unexpected | ||
956 | Reassociation Response frame. | ||
957 | |||
958 | Signed-off-by: Jouni Malinen <j@w1.fi> | ||
959 | --- | ||
960 | src/rsn_supp/wpa.c | 3 +++ | ||
961 | src/rsn_supp/wpa_ft.c | 8 ++++++++ | ||
962 | src/rsn_supp/wpa_i.h | 1 + | ||
963 | 3 files changed, 12 insertions(+) | ||
964 | |||
965 | diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c | ||
966 | index 0550a41..2a53c6f 100644 | ||
967 | --- a/src/rsn_supp/wpa.c | ||
968 | +++ b/src/rsn_supp/wpa.c | ||
969 | @@ -2440,6 +2440,9 @@ void wpa_sm_notify_disassoc(struct wpa_sm *sm) | ||
970 | #ifdef CONFIG_TDLS | ||
971 | wpa_tdls_disassoc(sm); | ||
972 | #endif /* CONFIG_TDLS */ | ||
973 | +#ifdef CONFIG_IEEE80211R | ||
974 | + sm->ft_reassoc_completed = 0; | ||
975 | +#endif /* CONFIG_IEEE80211R */ | ||
976 | |||
977 | /* Keys are not needed in the WPA state machine anymore */ | ||
978 | wpa_sm_drop_sa(sm); | ||
979 | diff --git a/src/rsn_supp/wpa_ft.c b/src/rsn_supp/wpa_ft.c | ||
980 | index 205793e..d45bb45 100644 | ||
981 | --- a/src/rsn_supp/wpa_ft.c | ||
982 | +++ b/src/rsn_supp/wpa_ft.c | ||
983 | @@ -153,6 +153,7 @@ static u8 * wpa_ft_gen_req_ies(struct wpa_sm *sm, size_t *len, | ||
984 | u16 capab; | ||
985 | |||
986 | sm->ft_completed = 0; | ||
987 | + sm->ft_reassoc_completed = 0; | ||
988 | |||
989 | buf_len = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) + | ||
990 | 2 + sm->r0kh_id_len + ric_ies_len + 100; | ||
991 | @@ -681,6 +682,11 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies, | ||
992 | return -1; | ||
993 | } | ||
994 | |||
995 | + if (sm->ft_reassoc_completed) { | ||
996 | + wpa_printf(MSG_DEBUG, "FT: Reassociation has already been completed for this FT protocol instance - ignore unexpected retransmission"); | ||
997 | + return 0; | ||
998 | + } | ||
999 | + | ||
1000 | if (wpa_ft_parse_ies(ies, ies_len, &parse) < 0) { | ||
1001 | wpa_printf(MSG_DEBUG, "FT: Failed to parse IEs"); | ||
1002 | return -1; | ||
1003 | @@ -781,6 +787,8 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies, | ||
1004 | return -1; | ||
1005 | } | ||
1006 | |||
1007 | + sm->ft_reassoc_completed = 1; | ||
1008 | + | ||
1009 | if (wpa_ft_process_gtk_subelem(sm, parse.gtk, parse.gtk_len) < 0) | ||
1010 | return -1; | ||
1011 | |||
1012 | diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h | ||
1013 | index 41f371f..56f88dc 100644 | ||
1014 | --- a/src/rsn_supp/wpa_i.h | ||
1015 | +++ b/src/rsn_supp/wpa_i.h | ||
1016 | @@ -128,6 +128,7 @@ struct wpa_sm { | ||
1017 | size_t r0kh_id_len; | ||
1018 | u8 r1kh_id[FT_R1KH_ID_LEN]; | ||
1019 | int ft_completed; | ||
1020 | + int ft_reassoc_completed; | ||
1021 | int over_the_ds_in_progress; | ||
1022 | u8 target_ap[ETH_ALEN]; /* over-the-DS target AP */ | ||
1023 | int set_ptk_after_assoc; | ||
1024 | -- | ||
1025 | 2.7.4 | ||
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple1.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple1.patch new file mode 100644 index 0000000000..d4d49e7fca --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple1.patch | |||
@@ -0,0 +1,191 @@ | |||
1 | The WPA2 four-way handshake protocol is vulnerable to replay attacks which can | ||
2 | result in unauthenticated clients gaining access to the network. | ||
3 | |||
4 | Backport a number of patches from upstream to fix this. | ||
5 | |||
6 | CVE: CVE-2017-13077 | ||
7 | CVE: CVE-2017-13078 | ||
8 | CVE: CVE-2017-13079 | ||
9 | CVE: CVE-2017-13080 | ||
10 | CVE: CVE-2017-13081 | ||
11 | CVE: CVE-2017-13082 | ||
12 | CVE: CVE-2017-13086 | ||
13 | CVE: CVE-2017-13087 | ||
14 | CVE: CVE-2017-13088 | ||
15 | |||
16 | Upstream-Status: Backport | ||
17 | Signed-off-by: Ross Burton <ross.burton@intel.com> | ||
18 | |||
19 | From cf4cab804c7afd5c45505528a8d16e46163243a2 Mon Sep 17 00:00:00 2001 | ||
20 | From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be> | ||
21 | Date: Fri, 14 Jul 2017 15:15:35 +0200 | ||
22 | Subject: [PATCH 1/8] hostapd: Avoid key reinstallation in FT handshake | ||
23 | |||
24 | Do not reinstall TK to the driver during Reassociation Response frame | ||
25 | processing if the first attempt of setting the TK succeeded. This avoids | ||
26 | issues related to clearing the TX/RX PN that could result in reusing | ||
27 | same PN values for transmitted frames (e.g., due to CCM nonce reuse and | ||
28 | also hitting replay protection on the receiver) and accepting replayed | ||
29 | frames on RX side. | ||
30 | |||
31 | This issue was introduced by the commit | ||
32 | 0e84c25434e6a1f283c7b4e62e483729085b78d2 ('FT: Fix PTK configuration in | ||
33 | authenticator') which allowed wpa_ft_install_ptk() to be called multiple | ||
34 | times with the same PTK. While the second configuration attempt is | ||
35 | needed with some drivers, it must be done only if the first attempt | ||
36 | failed. | ||
37 | |||
38 | Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be> | ||
39 | --- | ||
40 | src/ap/ieee802_11.c | 16 +++++++++++++--- | ||
41 | src/ap/wpa_auth.c | 11 +++++++++++ | ||
42 | src/ap/wpa_auth.h | 3 ++- | ||
43 | src/ap/wpa_auth_ft.c | 10 ++++++++++ | ||
44 | src/ap/wpa_auth_i.h | 1 + | ||
45 | 5 files changed, 37 insertions(+), 4 deletions(-) | ||
46 | |||
47 | diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c | ||
48 | index 4e04169..333035f 100644 | ||
49 | --- a/src/ap/ieee802_11.c | ||
50 | +++ b/src/ap/ieee802_11.c | ||
51 | @@ -1841,6 +1841,7 @@ static int add_associated_sta(struct hostapd_data *hapd, | ||
52 | { | ||
53 | struct ieee80211_ht_capabilities ht_cap; | ||
54 | struct ieee80211_vht_capabilities vht_cap; | ||
55 | + int set = 1; | ||
56 | |||
57 | /* | ||
58 | * Remove the STA entry to ensure the STA PS state gets cleared and | ||
59 | @@ -1848,9 +1849,18 @@ static int add_associated_sta(struct hostapd_data *hapd, | ||
60 | * FT-over-the-DS, where a station re-associates back to the same AP but | ||
61 | * skips the authentication flow, or if working with a driver that | ||
62 | * does not support full AP client state. | ||
63 | + * | ||
64 | + * Skip this if the STA has already completed FT reassociation and the | ||
65 | + * TK has been configured since the TX/RX PN must not be reset to 0 for | ||
66 | + * the same key. | ||
67 | */ | ||
68 | - if (!sta->added_unassoc) | ||
69 | + if (!sta->added_unassoc && | ||
70 | + (!(sta->flags & WLAN_STA_AUTHORIZED) || | ||
71 | + !wpa_auth_sta_ft_tk_already_set(sta->wpa_sm))) { | ||
72 | hostapd_drv_sta_remove(hapd, sta->addr); | ||
73 | + wpa_auth_sm_event(sta->wpa_sm, WPA_DRV_STA_REMOVED); | ||
74 | + set = 0; | ||
75 | + } | ||
76 | |||
77 | #ifdef CONFIG_IEEE80211N | ||
78 | if (sta->flags & WLAN_STA_HT) | ||
79 | @@ -1873,11 +1883,11 @@ static int add_associated_sta(struct hostapd_data *hapd, | ||
80 | sta->flags & WLAN_STA_VHT ? &vht_cap : NULL, | ||
81 | sta->flags | WLAN_STA_ASSOC, sta->qosinfo, | ||
82 | sta->vht_opmode, sta->p2p_ie ? 1 : 0, | ||
83 | - sta->added_unassoc)) { | ||
84 | + set)) { | ||
85 | hostapd_logger(hapd, sta->addr, | ||
86 | HOSTAPD_MODULE_IEEE80211, HOSTAPD_LEVEL_NOTICE, | ||
87 | "Could not %s STA to kernel driver", | ||
88 | - sta->added_unassoc ? "set" : "add"); | ||
89 | + set ? "set" : "add"); | ||
90 | |||
91 | if (sta->added_unassoc) { | ||
92 | hostapd_drv_sta_remove(hapd, sta->addr); | ||
93 | diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c | ||
94 | index 3587086..707971d 100644 | ||
95 | --- a/src/ap/wpa_auth.c | ||
96 | +++ b/src/ap/wpa_auth.c | ||
97 | @@ -1745,6 +1745,9 @@ int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event) | ||
98 | #else /* CONFIG_IEEE80211R */ | ||
99 | break; | ||
100 | #endif /* CONFIG_IEEE80211R */ | ||
101 | + case WPA_DRV_STA_REMOVED: | ||
102 | + sm->tk_already_set = FALSE; | ||
103 | + return 0; | ||
104 | } | ||
105 | |||
106 | #ifdef CONFIG_IEEE80211R | ||
107 | @@ -3250,6 +3253,14 @@ int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm) | ||
108 | } | ||
109 | |||
110 | |||
111 | +int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm) | ||
112 | +{ | ||
113 | + if (!sm || !wpa_key_mgmt_ft(sm->wpa_key_mgmt)) | ||
114 | + return 0; | ||
115 | + return sm->tk_already_set; | ||
116 | +} | ||
117 | + | ||
118 | + | ||
119 | int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm, | ||
120 | struct rsn_pmksa_cache_entry *entry) | ||
121 | { | ||
122 | diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h | ||
123 | index 0de8d97..97461b0 100644 | ||
124 | --- a/src/ap/wpa_auth.h | ||
125 | +++ b/src/ap/wpa_auth.h | ||
126 | @@ -267,7 +267,7 @@ void wpa_receive(struct wpa_authenticator *wpa_auth, | ||
127 | u8 *data, size_t data_len); | ||
128 | enum wpa_event { | ||
129 | WPA_AUTH, WPA_ASSOC, WPA_DISASSOC, WPA_DEAUTH, WPA_REAUTH, | ||
130 | - WPA_REAUTH_EAPOL, WPA_ASSOC_FT | ||
131 | + WPA_REAUTH_EAPOL, WPA_ASSOC_FT, WPA_DRV_STA_REMOVED | ||
132 | }; | ||
133 | void wpa_remove_ptk(struct wpa_state_machine *sm); | ||
134 | int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event); | ||
135 | @@ -280,6 +280,7 @@ int wpa_auth_pairwise_set(struct wpa_state_machine *sm); | ||
136 | int wpa_auth_get_pairwise(struct wpa_state_machine *sm); | ||
137 | int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm); | ||
138 | int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm); | ||
139 | +int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm); | ||
140 | int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm, | ||
141 | struct rsn_pmksa_cache_entry *entry); | ||
142 | struct rsn_pmksa_cache_entry * | ||
143 | diff --git a/src/ap/wpa_auth_ft.c b/src/ap/wpa_auth_ft.c | ||
144 | index 42242a5..e63b99a 100644 | ||
145 | --- a/src/ap/wpa_auth_ft.c | ||
146 | +++ b/src/ap/wpa_auth_ft.c | ||
147 | @@ -780,6 +780,14 @@ void wpa_ft_install_ptk(struct wpa_state_machine *sm) | ||
148 | return; | ||
149 | } | ||
150 | |||
151 | + if (sm->tk_already_set) { | ||
152 | + /* Must avoid TK reconfiguration to prevent clearing of TX/RX | ||
153 | + * PN in the driver */ | ||
154 | + wpa_printf(MSG_DEBUG, | ||
155 | + "FT: Do not re-install same PTK to the driver"); | ||
156 | + return; | ||
157 | + } | ||
158 | + | ||
159 | /* FIX: add STA entry to kernel/driver here? The set_key will fail | ||
160 | * most likely without this.. At the moment, STA entry is added only | ||
161 | * after association has been completed. This function will be called | ||
162 | @@ -792,6 +800,7 @@ void wpa_ft_install_ptk(struct wpa_state_machine *sm) | ||
163 | |||
164 | /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */ | ||
165 | sm->pairwise_set = TRUE; | ||
166 | + sm->tk_already_set = TRUE; | ||
167 | } | ||
168 | |||
169 | |||
170 | @@ -898,6 +907,7 @@ static int wpa_ft_process_auth_req(struct wpa_state_machine *sm, | ||
171 | |||
172 | sm->pairwise = pairwise; | ||
173 | sm->PTK_valid = TRUE; | ||
174 | + sm->tk_already_set = FALSE; | ||
175 | wpa_ft_install_ptk(sm); | ||
176 | |||
177 | buflen = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) + | ||
178 | diff --git a/src/ap/wpa_auth_i.h b/src/ap/wpa_auth_i.h | ||
179 | index 72b7eb3..7fd8f05 100644 | ||
180 | --- a/src/ap/wpa_auth_i.h | ||
181 | +++ b/src/ap/wpa_auth_i.h | ||
182 | @@ -65,6 +65,7 @@ struct wpa_state_machine { | ||
183 | struct wpa_ptk PTK; | ||
184 | Boolean PTK_valid; | ||
185 | Boolean pairwise_set; | ||
186 | + Boolean tk_already_set; | ||
187 | int keycount; | ||
188 | Boolean Pair; | ||
189 | struct wpa_key_replay_counter { | ||
190 | -- | ||
191 | 2.7.4 \ No newline at end of file | ||
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple2.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple2.patch new file mode 100644 index 0000000000..501bb4b56b --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple2.patch | |||
@@ -0,0 +1,267 @@ | |||
1 | The WPA2 four-way handshake protocol is vulnerable to replay attacks which can | ||
2 | result in unauthenticated clients gaining access to the network. | ||
3 | |||
4 | Backport a number of patches from upstream to fix this. | ||
5 | |||
6 | CVE: CVE-2017-13077 | ||
7 | CVE: CVE-2017-13078 | ||
8 | CVE: CVE-2017-13079 | ||
9 | CVE: CVE-2017-13080 | ||
10 | CVE: CVE-2017-13081 | ||
11 | CVE: CVE-2017-13082 | ||
12 | CVE: CVE-2017-13086 | ||
13 | CVE: CVE-2017-13087 | ||
14 | CVE: CVE-2017-13088 | ||
15 | |||
16 | Upstream-Status: Backport | ||
17 | Signed-off-by: Ross Burton <ross.burton@intel.com> | ||
18 | |||
19 | From 927f891007c402fefd1ff384645b3f07597c3ede Mon Sep 17 00:00:00 2001 | ||
20 | From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be> | ||
21 | Date: Wed, 12 Jul 2017 16:03:24 +0200 | ||
22 | Subject: [PATCH 2/8] Prevent reinstallation of an already in-use group key | ||
23 | |||
24 | Track the current GTK and IGTK that is in use and when receiving a | ||
25 | (possibly retransmitted) Group Message 1 or WNM-Sleep Mode Response, do | ||
26 | not install the given key if it is already in use. This prevents an | ||
27 | attacker from trying to trick the client into resetting or lowering the | ||
28 | sequence counter associated to the group key. | ||
29 | |||
30 | Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be> | ||
31 | --- | ||
32 | src/common/wpa_common.h | 11 +++++ | ||
33 | src/rsn_supp/wpa.c | 116 ++++++++++++++++++++++++++++++------------------ | ||
34 | src/rsn_supp/wpa_i.h | 4 ++ | ||
35 | 3 files changed, 87 insertions(+), 44 deletions(-) | ||
36 | |||
37 | diff --git a/src/common/wpa_common.h b/src/common/wpa_common.h | ||
38 | index af1d0f0..d200285 100644 | ||
39 | --- a/src/common/wpa_common.h | ||
40 | +++ b/src/common/wpa_common.h | ||
41 | @@ -217,6 +217,17 @@ struct wpa_ptk { | ||
42 | size_t tk_len; | ||
43 | }; | ||
44 | |||
45 | +struct wpa_gtk { | ||
46 | + u8 gtk[WPA_GTK_MAX_LEN]; | ||
47 | + size_t gtk_len; | ||
48 | +}; | ||
49 | + | ||
50 | +#ifdef CONFIG_IEEE80211W | ||
51 | +struct wpa_igtk { | ||
52 | + u8 igtk[WPA_IGTK_MAX_LEN]; | ||
53 | + size_t igtk_len; | ||
54 | +}; | ||
55 | +#endif /* CONFIG_IEEE80211W */ | ||
56 | |||
57 | /* WPA IE version 1 | ||
58 | * 00-50-f2:1 (OUI:OUI type) | ||
59 | diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c | ||
60 | index 3c47879..95bd7be 100644 | ||
61 | --- a/src/rsn_supp/wpa.c | ||
62 | +++ b/src/rsn_supp/wpa.c | ||
63 | @@ -714,6 +714,15 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm, | ||
64 | const u8 *_gtk = gd->gtk; | ||
65 | u8 gtk_buf[32]; | ||
66 | |||
67 | + /* Detect possible key reinstallation */ | ||
68 | + if (sm->gtk.gtk_len == (size_t) gd->gtk_len && | ||
69 | + os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) { | ||
70 | + wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, | ||
71 | + "WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)", | ||
72 | + gd->keyidx, gd->tx, gd->gtk_len); | ||
73 | + return 0; | ||
74 | + } | ||
75 | + | ||
76 | wpa_hexdump_key(MSG_DEBUG, "WPA: Group Key", gd->gtk, gd->gtk_len); | ||
77 | wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, | ||
78 | "WPA: Installing GTK to the driver (keyidx=%d tx=%d len=%d)", | ||
79 | @@ -748,6 +757,9 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm, | ||
80 | } | ||
81 | os_memset(gtk_buf, 0, sizeof(gtk_buf)); | ||
82 | |||
83 | + sm->gtk.gtk_len = gd->gtk_len; | ||
84 | + os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len); | ||
85 | + | ||
86 | return 0; | ||
87 | } | ||
88 | |||
89 | @@ -854,6 +866,48 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm, | ||
90 | } | ||
91 | |||
92 | |||
93 | +#ifdef CONFIG_IEEE80211W | ||
94 | +static int wpa_supplicant_install_igtk(struct wpa_sm *sm, | ||
95 | + const struct wpa_igtk_kde *igtk) | ||
96 | +{ | ||
97 | + size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher); | ||
98 | + u16 keyidx = WPA_GET_LE16(igtk->keyid); | ||
99 | + | ||
100 | + /* Detect possible key reinstallation */ | ||
101 | + if (sm->igtk.igtk_len == len && | ||
102 | + os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) { | ||
103 | + wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, | ||
104 | + "WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)", | ||
105 | + keyidx); | ||
106 | + return 0; | ||
107 | + } | ||
108 | + | ||
109 | + wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, | ||
110 | + "WPA: IGTK keyid %d pn %02x%02x%02x%02x%02x%02x", | ||
111 | + keyidx, MAC2STR(igtk->pn)); | ||
112 | + wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK", igtk->igtk, len); | ||
113 | + if (keyidx > 4095) { | ||
114 | + wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, | ||
115 | + "WPA: Invalid IGTK KeyID %d", keyidx); | ||
116 | + return -1; | ||
117 | + } | ||
118 | + if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher), | ||
119 | + broadcast_ether_addr, | ||
120 | + keyidx, 0, igtk->pn, sizeof(igtk->pn), | ||
121 | + igtk->igtk, len) < 0) { | ||
122 | + wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, | ||
123 | + "WPA: Failed to configure IGTK to the driver"); | ||
124 | + return -1; | ||
125 | + } | ||
126 | + | ||
127 | + sm->igtk.igtk_len = len; | ||
128 | + os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len); | ||
129 | + | ||
130 | + return 0; | ||
131 | +} | ||
132 | +#endif /* CONFIG_IEEE80211W */ | ||
133 | + | ||
134 | + | ||
135 | static int ieee80211w_set_keys(struct wpa_sm *sm, | ||
136 | struct wpa_eapol_ie_parse *ie) | ||
137 | { | ||
138 | @@ -864,30 +918,14 @@ static int ieee80211w_set_keys(struct wpa_sm *sm, | ||
139 | if (ie->igtk) { | ||
140 | size_t len; | ||
141 | const struct wpa_igtk_kde *igtk; | ||
142 | - u16 keyidx; | ||
143 | + | ||
144 | len = wpa_cipher_key_len(sm->mgmt_group_cipher); | ||
145 | if (ie->igtk_len != WPA_IGTK_KDE_PREFIX_LEN + len) | ||
146 | return -1; | ||
147 | + | ||
148 | igtk = (const struct wpa_igtk_kde *) ie->igtk; | ||
149 | - keyidx = WPA_GET_LE16(igtk->keyid); | ||
150 | - wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: IGTK keyid %d " | ||
151 | - "pn %02x%02x%02x%02x%02x%02x", | ||
152 | - keyidx, MAC2STR(igtk->pn)); | ||
153 | - wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK", | ||
154 | - igtk->igtk, len); | ||
155 | - if (keyidx > 4095) { | ||
156 | - wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, | ||
157 | - "WPA: Invalid IGTK KeyID %d", keyidx); | ||
158 | - return -1; | ||
159 | - } | ||
160 | - if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher), | ||
161 | - broadcast_ether_addr, | ||
162 | - keyidx, 0, igtk->pn, sizeof(igtk->pn), | ||
163 | - igtk->igtk, len) < 0) { | ||
164 | - wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, | ||
165 | - "WPA: Failed to configure IGTK to the driver"); | ||
166 | + if (wpa_supplicant_install_igtk(sm, igtk) < 0) | ||
167 | return -1; | ||
168 | - } | ||
169 | } | ||
170 | |||
171 | return 0; | ||
172 | @@ -2307,7 +2345,7 @@ void wpa_sm_deinit(struct wpa_sm *sm) | ||
173 | */ | ||
174 | void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid) | ||
175 | { | ||
176 | - int clear_ptk = 1; | ||
177 | + int clear_keys = 1; | ||
178 | |||
179 | if (sm == NULL) | ||
180 | return; | ||
181 | @@ -2333,11 +2371,11 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid) | ||
182 | /* Prepare for the next transition */ | ||
183 | wpa_ft_prepare_auth_request(sm, NULL); | ||
184 | |||
185 | - clear_ptk = 0; | ||
186 | + clear_keys = 0; | ||
187 | } | ||
188 | #endif /* CONFIG_IEEE80211R */ | ||
189 | |||
190 | - if (clear_ptk) { | ||
191 | + if (clear_keys) { | ||
192 | /* | ||
193 | * IEEE 802.11, 8.4.10: Delete PTK SA on (re)association if | ||
194 | * this is not part of a Fast BSS Transition. | ||
195 | @@ -2347,6 +2385,10 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid) | ||
196 | os_memset(&sm->ptk, 0, sizeof(sm->ptk)); | ||
197 | sm->tptk_set = 0; | ||
198 | os_memset(&sm->tptk, 0, sizeof(sm->tptk)); | ||
199 | + os_memset(&sm->gtk, 0, sizeof(sm->gtk)); | ||
200 | +#ifdef CONFIG_IEEE80211W | ||
201 | + os_memset(&sm->igtk, 0, sizeof(sm->igtk)); | ||
202 | +#endif /* CONFIG_IEEE80211W */ | ||
203 | } | ||
204 | |||
205 | #ifdef CONFIG_TDLS | ||
206 | @@ -2877,6 +2919,10 @@ void wpa_sm_drop_sa(struct wpa_sm *sm) | ||
207 | os_memset(sm->pmk, 0, sizeof(sm->pmk)); | ||
208 | os_memset(&sm->ptk, 0, sizeof(sm->ptk)); | ||
209 | os_memset(&sm->tptk, 0, sizeof(sm->tptk)); | ||
210 | + os_memset(&sm->gtk, 0, sizeof(sm->gtk)); | ||
211 | +#ifdef CONFIG_IEEE80211W | ||
212 | + os_memset(&sm->igtk, 0, sizeof(sm->igtk)); | ||
213 | +#endif /* CONFIG_IEEE80211W */ | ||
214 | #ifdef CONFIG_IEEE80211R | ||
215 | os_memset(sm->xxkey, 0, sizeof(sm->xxkey)); | ||
216 | os_memset(sm->pmk_r0, 0, sizeof(sm->pmk_r0)); | ||
217 | @@ -2949,29 +2995,11 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf) | ||
218 | os_memset(&gd, 0, sizeof(gd)); | ||
219 | #ifdef CONFIG_IEEE80211W | ||
220 | } else if (subelem_id == WNM_SLEEP_SUBELEM_IGTK) { | ||
221 | - struct wpa_igtk_kde igd; | ||
222 | - u16 keyidx; | ||
223 | - | ||
224 | - os_memset(&igd, 0, sizeof(igd)); | ||
225 | - keylen = wpa_cipher_key_len(sm->mgmt_group_cipher); | ||
226 | - os_memcpy(igd.keyid, buf + 2, 2); | ||
227 | - os_memcpy(igd.pn, buf + 4, 6); | ||
228 | - | ||
229 | - keyidx = WPA_GET_LE16(igd.keyid); | ||
230 | - os_memcpy(igd.igtk, buf + 10, keylen); | ||
231 | - | ||
232 | - wpa_hexdump_key(MSG_DEBUG, "Install IGTK (WNM SLEEP)", | ||
233 | - igd.igtk, keylen); | ||
234 | - if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher), | ||
235 | - broadcast_ether_addr, | ||
236 | - keyidx, 0, igd.pn, sizeof(igd.pn), | ||
237 | - igd.igtk, keylen) < 0) { | ||
238 | - wpa_printf(MSG_DEBUG, "Failed to install the IGTK in " | ||
239 | - "WNM mode"); | ||
240 | - os_memset(&igd, 0, sizeof(igd)); | ||
241 | + const struct wpa_igtk_kde *igtk; | ||
242 | + | ||
243 | + igtk = (const struct wpa_igtk_kde *) (buf + 2); | ||
244 | + if (wpa_supplicant_install_igtk(sm, igtk) < 0) | ||
245 | return -1; | ||
246 | - } | ||
247 | - os_memset(&igd, 0, sizeof(igd)); | ||
248 | #endif /* CONFIG_IEEE80211W */ | ||
249 | } else { | ||
250 | wpa_printf(MSG_DEBUG, "Unknown element id"); | ||
251 | diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h | ||
252 | index f653ba6..afc9e37 100644 | ||
253 | --- a/src/rsn_supp/wpa_i.h | ||
254 | +++ b/src/rsn_supp/wpa_i.h | ||
255 | @@ -31,6 +31,10 @@ struct wpa_sm { | ||
256 | u8 rx_replay_counter[WPA_REPLAY_COUNTER_LEN]; | ||
257 | int rx_replay_counter_set; | ||
258 | u8 request_counter[WPA_REPLAY_COUNTER_LEN]; | ||
259 | + struct wpa_gtk gtk; | ||
260 | +#ifdef CONFIG_IEEE80211W | ||
261 | + struct wpa_igtk igtk; | ||
262 | +#endif /* CONFIG_IEEE80211W */ | ||
263 | |||
264 | struct eapol_sm *eapol; /* EAPOL state machine from upper level code */ | ||
265 | |||
266 | -- | ||
267 | 2.7.4 \ No newline at end of file | ||
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple3.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple3.patch new file mode 100644 index 0000000000..2e22655851 --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple3.patch | |||
@@ -0,0 +1,201 @@ | |||
1 | The WPA2 four-way handshake protocol is vulnerable to replay attacks which can | ||
2 | result in unauthenticated clients gaining access to the network. | ||
3 | |||
4 | Backport a number of patches from upstream to fix this. | ||
5 | |||
6 | CVE: CVE-2017-13077 | ||
7 | CVE: CVE-2017-13078 | ||
8 | CVE: CVE-2017-13079 | ||
9 | CVE: CVE-2017-13080 | ||
10 | CVE: CVE-2017-13081 | ||
11 | CVE: CVE-2017-13082 | ||
12 | CVE: CVE-2017-13086 | ||
13 | CVE: CVE-2017-13087 | ||
14 | CVE: CVE-2017-13088 | ||
15 | |||
16 | Upstream-Status: Backport | ||
17 | Signed-off-by: Ross Burton <ross.burton@intel.com> | ||
18 | |||
19 | From 8280294e74846ea342389a0cd17215050fa5afe8 Mon Sep 17 00:00:00 2001 | ||
20 | From: Jouni Malinen <j@w1.fi> | ||
21 | Date: Sun, 1 Oct 2017 12:12:24 +0300 | ||
22 | Subject: [PATCH 3/8] Extend protection of GTK/IGTK reinstallation of WNM-Sleep | ||
23 | Mode cases | ||
24 | |||
25 | This extends the protection to track last configured GTK/IGTK value | ||
26 | separately from EAPOL-Key frames and WNM-Sleep Mode frames to cover a | ||
27 | corner case where these two different mechanisms may get used when the | ||
28 | GTK/IGTK has changed and tracking a single value is not sufficient to | ||
29 | detect a possible key reconfiguration. | ||
30 | |||
31 | Signed-off-by: Jouni Malinen <j@w1.fi> | ||
32 | --- | ||
33 | src/rsn_supp/wpa.c | 53 +++++++++++++++++++++++++++++++++++++--------------- | ||
34 | src/rsn_supp/wpa_i.h | 2 ++ | ||
35 | 2 files changed, 40 insertions(+), 15 deletions(-) | ||
36 | |||
37 | diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c | ||
38 | index 95bd7be..7a2c68d 100644 | ||
39 | --- a/src/rsn_supp/wpa.c | ||
40 | +++ b/src/rsn_supp/wpa.c | ||
41 | @@ -709,14 +709,17 @@ struct wpa_gtk_data { | ||
42 | |||
43 | static int wpa_supplicant_install_gtk(struct wpa_sm *sm, | ||
44 | const struct wpa_gtk_data *gd, | ||
45 | - const u8 *key_rsc) | ||
46 | + const u8 *key_rsc, int wnm_sleep) | ||
47 | { | ||
48 | const u8 *_gtk = gd->gtk; | ||
49 | u8 gtk_buf[32]; | ||
50 | |||
51 | /* Detect possible key reinstallation */ | ||
52 | - if (sm->gtk.gtk_len == (size_t) gd->gtk_len && | ||
53 | - os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) { | ||
54 | + if ((sm->gtk.gtk_len == (size_t) gd->gtk_len && | ||
55 | + os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) || | ||
56 | + (sm->gtk_wnm_sleep.gtk_len == (size_t) gd->gtk_len && | ||
57 | + os_memcmp(sm->gtk_wnm_sleep.gtk, gd->gtk, | ||
58 | + sm->gtk_wnm_sleep.gtk_len) == 0)) { | ||
59 | wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, | ||
60 | "WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)", | ||
61 | gd->keyidx, gd->tx, gd->gtk_len); | ||
62 | @@ -757,8 +760,14 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm, | ||
63 | } | ||
64 | os_memset(gtk_buf, 0, sizeof(gtk_buf)); | ||
65 | |||
66 | - sm->gtk.gtk_len = gd->gtk_len; | ||
67 | - os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len); | ||
68 | + if (wnm_sleep) { | ||
69 | + sm->gtk_wnm_sleep.gtk_len = gd->gtk_len; | ||
70 | + os_memcpy(sm->gtk_wnm_sleep.gtk, gd->gtk, | ||
71 | + sm->gtk_wnm_sleep.gtk_len); | ||
72 | + } else { | ||
73 | + sm->gtk.gtk_len = gd->gtk_len; | ||
74 | + os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len); | ||
75 | + } | ||
76 | |||
77 | return 0; | ||
78 | } | ||
79 | @@ -852,7 +861,7 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm, | ||
80 | (wpa_supplicant_check_group_cipher(sm, sm->group_cipher, | ||
81 | gtk_len, gtk_len, | ||
82 | &gd.key_rsc_len, &gd.alg) || | ||
83 | - wpa_supplicant_install_gtk(sm, &gd, key_rsc))) { | ||
84 | + wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0))) { | ||
85 | wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, | ||
86 | "RSN: Failed to install GTK"); | ||
87 | os_memset(&gd, 0, sizeof(gd)); | ||
88 | @@ -868,14 +877,18 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm, | ||
89 | |||
90 | #ifdef CONFIG_IEEE80211W | ||
91 | static int wpa_supplicant_install_igtk(struct wpa_sm *sm, | ||
92 | - const struct wpa_igtk_kde *igtk) | ||
93 | + const struct wpa_igtk_kde *igtk, | ||
94 | + int wnm_sleep) | ||
95 | { | ||
96 | size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher); | ||
97 | u16 keyidx = WPA_GET_LE16(igtk->keyid); | ||
98 | |||
99 | /* Detect possible key reinstallation */ | ||
100 | - if (sm->igtk.igtk_len == len && | ||
101 | - os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) { | ||
102 | + if ((sm->igtk.igtk_len == len && | ||
103 | + os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) || | ||
104 | + (sm->igtk_wnm_sleep.igtk_len == len && | ||
105 | + os_memcmp(sm->igtk_wnm_sleep.igtk, igtk->igtk, | ||
106 | + sm->igtk_wnm_sleep.igtk_len) == 0)) { | ||
107 | wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, | ||
108 | "WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)", | ||
109 | keyidx); | ||
110 | @@ -900,8 +913,14 @@ static int wpa_supplicant_install_igtk(struct wpa_sm *sm, | ||
111 | return -1; | ||
112 | } | ||
113 | |||
114 | - sm->igtk.igtk_len = len; | ||
115 | - os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len); | ||
116 | + if (wnm_sleep) { | ||
117 | + sm->igtk_wnm_sleep.igtk_len = len; | ||
118 | + os_memcpy(sm->igtk_wnm_sleep.igtk, igtk->igtk, | ||
119 | + sm->igtk_wnm_sleep.igtk_len); | ||
120 | + } else { | ||
121 | + sm->igtk.igtk_len = len; | ||
122 | + os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len); | ||
123 | + } | ||
124 | |||
125 | return 0; | ||
126 | } | ||
127 | @@ -924,7 +943,7 @@ static int ieee80211w_set_keys(struct wpa_sm *sm, | ||
128 | return -1; | ||
129 | |||
130 | igtk = (const struct wpa_igtk_kde *) ie->igtk; | ||
131 | - if (wpa_supplicant_install_igtk(sm, igtk) < 0) | ||
132 | + if (wpa_supplicant_install_igtk(sm, igtk, 0) < 0) | ||
133 | return -1; | ||
134 | } | ||
135 | |||
136 | @@ -1574,7 +1593,7 @@ static void wpa_supplicant_process_1_of_2(struct wpa_sm *sm, | ||
137 | if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc)) | ||
138 | key_rsc = null_rsc; | ||
139 | |||
140 | - if (wpa_supplicant_install_gtk(sm, &gd, key_rsc) || | ||
141 | + if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0) || | ||
142 | wpa_supplicant_send_2_of_2(sm, key, ver, key_info) < 0) | ||
143 | goto failed; | ||
144 | os_memset(&gd, 0, sizeof(gd)); | ||
145 | @@ -2386,8 +2405,10 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid) | ||
146 | sm->tptk_set = 0; | ||
147 | os_memset(&sm->tptk, 0, sizeof(sm->tptk)); | ||
148 | os_memset(&sm->gtk, 0, sizeof(sm->gtk)); | ||
149 | + os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep)); | ||
150 | #ifdef CONFIG_IEEE80211W | ||
151 | os_memset(&sm->igtk, 0, sizeof(sm->igtk)); | ||
152 | + os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep)); | ||
153 | #endif /* CONFIG_IEEE80211W */ | ||
154 | } | ||
155 | |||
156 | @@ -2920,8 +2941,10 @@ void wpa_sm_drop_sa(struct wpa_sm *sm) | ||
157 | os_memset(&sm->ptk, 0, sizeof(sm->ptk)); | ||
158 | os_memset(&sm->tptk, 0, sizeof(sm->tptk)); | ||
159 | os_memset(&sm->gtk, 0, sizeof(sm->gtk)); | ||
160 | + os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep)); | ||
161 | #ifdef CONFIG_IEEE80211W | ||
162 | os_memset(&sm->igtk, 0, sizeof(sm->igtk)); | ||
163 | + os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep)); | ||
164 | #endif /* CONFIG_IEEE80211W */ | ||
165 | #ifdef CONFIG_IEEE80211R | ||
166 | os_memset(sm->xxkey, 0, sizeof(sm->xxkey)); | ||
167 | @@ -2986,7 +3009,7 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf) | ||
168 | |||
169 | wpa_hexdump_key(MSG_DEBUG, "Install GTK (WNM SLEEP)", | ||
170 | gd.gtk, gd.gtk_len); | ||
171 | - if (wpa_supplicant_install_gtk(sm, &gd, key_rsc)) { | ||
172 | + if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 1)) { | ||
173 | os_memset(&gd, 0, sizeof(gd)); | ||
174 | wpa_printf(MSG_DEBUG, "Failed to install the GTK in " | ||
175 | "WNM mode"); | ||
176 | @@ -2998,7 +3021,7 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf) | ||
177 | const struct wpa_igtk_kde *igtk; | ||
178 | |||
179 | igtk = (const struct wpa_igtk_kde *) (buf + 2); | ||
180 | - if (wpa_supplicant_install_igtk(sm, igtk) < 0) | ||
181 | + if (wpa_supplicant_install_igtk(sm, igtk, 1) < 0) | ||
182 | return -1; | ||
183 | #endif /* CONFIG_IEEE80211W */ | ||
184 | } else { | ||
185 | diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h | ||
186 | index afc9e37..9a54631 100644 | ||
187 | --- a/src/rsn_supp/wpa_i.h | ||
188 | +++ b/src/rsn_supp/wpa_i.h | ||
189 | @@ -32,8 +32,10 @@ struct wpa_sm { | ||
190 | int rx_replay_counter_set; | ||
191 | u8 request_counter[WPA_REPLAY_COUNTER_LEN]; | ||
192 | struct wpa_gtk gtk; | ||
193 | + struct wpa_gtk gtk_wnm_sleep; | ||
194 | #ifdef CONFIG_IEEE80211W | ||
195 | struct wpa_igtk igtk; | ||
196 | + struct wpa_igtk igtk_wnm_sleep; | ||
197 | #endif /* CONFIG_IEEE80211W */ | ||
198 | |||
199 | struct eapol_sm *eapol; /* EAPOL state machine from upper level code */ | ||
200 | -- | ||
201 | 2.7.4 \ No newline at end of file | ||
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple4.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple4.patch new file mode 100644 index 0000000000..6c1948696e --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple4.patch | |||
@@ -0,0 +1,96 @@ | |||
1 | The WPA2 four-way handshake protocol is vulnerable to replay attacks which can | ||
2 | result in unauthenticated clients gaining access to the network. | ||
3 | |||
4 | Backport a number of patches from upstream to fix this. | ||
5 | |||
6 | CVE: CVE-2017-13077 | ||
7 | CVE: CVE-2017-13078 | ||
8 | CVE: CVE-2017-13079 | ||
9 | CVE: CVE-2017-13080 | ||
10 | CVE: CVE-2017-13081 | ||
11 | CVE: CVE-2017-13082 | ||
12 | CVE: CVE-2017-13086 | ||
13 | CVE: CVE-2017-13087 | ||
14 | CVE: CVE-2017-13088 | ||
15 | |||
16 | Upstream-Status: Backport | ||
17 | Signed-off-by: Ross Burton <ross.burton@intel.com> | ||
18 | |||
19 | From 8f82bc94e8697a9d47fa8774dfdaaede1084912c Mon Sep 17 00:00:00 2001 | ||
20 | From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be> | ||
21 | Date: Fri, 29 Sep 2017 04:22:51 +0200 | ||
22 | Subject: [PATCH 4/8] Prevent installation of an all-zero TK | ||
23 | |||
24 | Properly track whether a PTK has already been installed to the driver | ||
25 | and the TK part cleared from memory. This prevents an attacker from | ||
26 | trying to trick the client into installing an all-zero TK. | ||
27 | |||
28 | This fixes the earlier fix in commit | ||
29 | ad00d64e7d8827b3cebd665a0ceb08adabf15e1e ('Fix TK configuration to the | ||
30 | driver in EAPOL-Key 3/4 retry case') which did not take into account | ||
31 | possibility of an extra message 1/4 showing up between retries of | ||
32 | message 3/4. | ||
33 | |||
34 | Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be> | ||
35 | --- | ||
36 | src/common/wpa_common.h | 1 + | ||
37 | src/rsn_supp/wpa.c | 5 ++--- | ||
38 | src/rsn_supp/wpa_i.h | 1 - | ||
39 | 3 files changed, 3 insertions(+), 4 deletions(-) | ||
40 | |||
41 | diff --git a/src/common/wpa_common.h b/src/common/wpa_common.h | ||
42 | index d200285..1021ccb 100644 | ||
43 | --- a/src/common/wpa_common.h | ||
44 | +++ b/src/common/wpa_common.h | ||
45 | @@ -215,6 +215,7 @@ struct wpa_ptk { | ||
46 | size_t kck_len; | ||
47 | size_t kek_len; | ||
48 | size_t tk_len; | ||
49 | + int installed; /* 1 if key has already been installed to driver */ | ||
50 | }; | ||
51 | |||
52 | struct wpa_gtk { | ||
53 | diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c | ||
54 | index 7a2c68d..0550a41 100644 | ||
55 | --- a/src/rsn_supp/wpa.c | ||
56 | +++ b/src/rsn_supp/wpa.c | ||
57 | @@ -510,7 +510,6 @@ static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm, | ||
58 | os_memset(buf, 0, sizeof(buf)); | ||
59 | } | ||
60 | sm->tptk_set = 1; | ||
61 | - sm->tk_to_set = 1; | ||
62 | |||
63 | kde = sm->assoc_wpa_ie; | ||
64 | kde_len = sm->assoc_wpa_ie_len; | ||
65 | @@ -615,7 +614,7 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm, | ||
66 | enum wpa_alg alg; | ||
67 | const u8 *key_rsc; | ||
68 | |||
69 | - if (!sm->tk_to_set) { | ||
70 | + if (sm->ptk.installed) { | ||
71 | wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, | ||
72 | "WPA: Do not re-install same PTK to the driver"); | ||
73 | return 0; | ||
74 | @@ -659,7 +658,7 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm, | ||
75 | |||
76 | /* TK is not needed anymore in supplicant */ | ||
77 | os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN); | ||
78 | - sm->tk_to_set = 0; | ||
79 | + sm->ptk.installed = 1; | ||
80 | |||
81 | if (sm->wpa_ptk_rekey) { | ||
82 | eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL); | ||
83 | diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h | ||
84 | index 9a54631..41f371f 100644 | ||
85 | --- a/src/rsn_supp/wpa_i.h | ||
86 | +++ b/src/rsn_supp/wpa_i.h | ||
87 | @@ -24,7 +24,6 @@ struct wpa_sm { | ||
88 | struct wpa_ptk ptk, tptk; | ||
89 | int ptk_set, tptk_set; | ||
90 | unsigned int msg_3_of_4_ok:1; | ||
91 | - unsigned int tk_to_set:1; | ||
92 | u8 snonce[WPA_NONCE_LEN]; | ||
93 | u8 anonce[WPA_NONCE_LEN]; /* ANonce from the last 1/4 msg */ | ||
94 | int renew_snonce; | ||
95 | -- | ||
96 | 2.7.4 \ No newline at end of file | ||
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple5.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple5.patch new file mode 100644 index 0000000000..b262dcac55 --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple5.patch | |||
@@ -0,0 +1,81 @@ | |||
1 | The WPA2 four-way handshake protocol is vulnerable to replay attacks which can | ||
2 | result in unauthenticated clients gaining access to the network. | ||
3 | |||
4 | Backport a number of patches from upstream to fix this. | ||
5 | |||
6 | CVE: CVE-2017-13077 | ||
7 | CVE: CVE-2017-13078 | ||
8 | CVE: CVE-2017-13079 | ||
9 | CVE: CVE-2017-13080 | ||
10 | CVE: CVE-2017-13081 | ||
11 | CVE: CVE-2017-13082 | ||
12 | CVE: CVE-2017-13086 | ||
13 | CVE: CVE-2017-13087 | ||
14 | CVE: CVE-2017-13088 | ||
15 | |||
16 | Upstream-Status: Backport | ||
17 | Signed-off-by: Ross Burton <ross.burton@intel.com> | ||
18 | |||
19 | From 12fac09b437a1dc8a0f253e265934a8aaf4d2f8b Mon Sep 17 00:00:00 2001 | ||
20 | From: Jouni Malinen <j@w1.fi> | ||
21 | Date: Sun, 1 Oct 2017 12:32:57 +0300 | ||
22 | Subject: [PATCH 5/8] Fix PTK rekeying to generate a new ANonce | ||
23 | |||
24 | The Authenticator state machine path for PTK rekeying ended up bypassing | ||
25 | the AUTHENTICATION2 state where a new ANonce is generated when going | ||
26 | directly to the PTKSTART state since there is no need to try to | ||
27 | determine the PMK again in such a case. This is far from ideal since the | ||
28 | new PTK would depend on a new nonce only from the supplicant. | ||
29 | |||
30 | Fix this by generating a new ANonce when moving to the PTKSTART state | ||
31 | for the purpose of starting new 4-way handshake to rekey PTK. | ||
32 | |||
33 | Signed-off-by: Jouni Malinen <j@w1.fi> | ||
34 | --- | ||
35 | src/ap/wpa_auth.c | 24 +++++++++++++++++++++--- | ||
36 | 1 file changed, 21 insertions(+), 3 deletions(-) | ||
37 | |||
38 | diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c | ||
39 | index 707971d..bf10cc1 100644 | ||
40 | --- a/src/ap/wpa_auth.c | ||
41 | +++ b/src/ap/wpa_auth.c | ||
42 | @@ -1901,6 +1901,21 @@ SM_STATE(WPA_PTK, AUTHENTICATION2) | ||
43 | } | ||
44 | |||
45 | |||
46 | +static int wpa_auth_sm_ptk_update(struct wpa_state_machine *sm) | ||
47 | +{ | ||
48 | + if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) { | ||
49 | + wpa_printf(MSG_ERROR, | ||
50 | + "WPA: Failed to get random data for ANonce"); | ||
51 | + sm->Disconnect = TRUE; | ||
52 | + return -1; | ||
53 | + } | ||
54 | + wpa_hexdump(MSG_DEBUG, "WPA: Assign new ANonce", sm->ANonce, | ||
55 | + WPA_NONCE_LEN); | ||
56 | + sm->TimeoutCtr = 0; | ||
57 | + return 0; | ||
58 | +} | ||
59 | + | ||
60 | + | ||
61 | SM_STATE(WPA_PTK, INITPMK) | ||
62 | { | ||
63 | u8 msk[2 * PMK_LEN]; | ||
64 | @@ -2458,9 +2473,12 @@ SM_STEP(WPA_PTK) | ||
65 | SM_ENTER(WPA_PTK, AUTHENTICATION); | ||
66 | else if (sm->ReAuthenticationRequest) | ||
67 | SM_ENTER(WPA_PTK, AUTHENTICATION2); | ||
68 | - else if (sm->PTKRequest) | ||
69 | - SM_ENTER(WPA_PTK, PTKSTART); | ||
70 | - else switch (sm->wpa_ptk_state) { | ||
71 | + else if (sm->PTKRequest) { | ||
72 | + if (wpa_auth_sm_ptk_update(sm) < 0) | ||
73 | + SM_ENTER(WPA_PTK, DISCONNECTED); | ||
74 | + else | ||
75 | + SM_ENTER(WPA_PTK, PTKSTART); | ||
76 | + } else switch (sm->wpa_ptk_state) { | ||
77 | case WPA_PTK_INITIALIZE: | ||
78 | break; | ||
79 | case WPA_PTK_DISCONNECT: | ||
80 | -- | ||
81 | 2.7.4 \ No newline at end of file | ||
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple6.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple6.patch new file mode 100644 index 0000000000..15183f40c1 --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple6.patch | |||
@@ -0,0 +1,149 @@ | |||
1 | The WPA2 four-way handshake protocol is vulnerable to replay attacks which can | ||
2 | result in unauthenticated clients gaining access to the network. | ||
3 | |||
4 | Backport a number of patches from upstream to fix this. | ||
5 | |||
6 | CVE: CVE-2017-13077 | ||
7 | CVE: CVE-2017-13078 | ||
8 | CVE: CVE-2017-13079 | ||
9 | CVE: CVE-2017-13080 | ||
10 | CVE: CVE-2017-13081 | ||
11 | CVE: CVE-2017-13082 | ||
12 | CVE: CVE-2017-13086 | ||
13 | CVE: CVE-2017-13087 | ||
14 | CVE: CVE-2017-13088 | ||
15 | |||
16 | Upstream-Status: Backport | ||
17 | Signed-off-by: Ross Burton <ross.burton@intel.com> | ||
18 | |||
19 | From 6c4bed4f47d1960ec04981a9d50e5076aea5223d Mon Sep 17 00:00:00 2001 | ||
20 | From: Jouni Malinen <j@w1.fi> | ||
21 | Date: Fri, 22 Sep 2017 11:03:15 +0300 | ||
22 | Subject: [PATCH 6/8] TDLS: Reject TPK-TK reconfiguration | ||
23 | |||
24 | Do not try to reconfigure the same TPK-TK to the driver after it has | ||
25 | been successfully configured. This is an explicit check to avoid issues | ||
26 | related to resetting the TX/RX packet number. There was already a check | ||
27 | for this for TPK M2 (retries of that message are ignored completely), so | ||
28 | that behavior does not get modified. | ||
29 | |||
30 | For TPK M3, the TPK-TK could have been reconfigured, but that was | ||
31 | followed by immediate teardown of the link due to an issue in updating | ||
32 | the STA entry. Furthermore, for TDLS with any real security (i.e., | ||
33 | ignoring open/WEP), the TPK message exchange is protected on the AP path | ||
34 | and simple replay attacks are not feasible. | ||
35 | |||
36 | As an additional corner case, make sure the local nonce gets updated if | ||
37 | the peer uses a very unlikely "random nonce" of all zeros. | ||
38 | |||
39 | Signed-off-by: Jouni Malinen <j@w1.fi> | ||
40 | --- | ||
41 | src/rsn_supp/tdls.c | 38 ++++++++++++++++++++++++++++++++++++-- | ||
42 | 1 file changed, 36 insertions(+), 2 deletions(-) | ||
43 | |||
44 | diff --git a/src/rsn_supp/tdls.c b/src/rsn_supp/tdls.c | ||
45 | index e424168..9eb9738 100644 | ||
46 | --- a/src/rsn_supp/tdls.c | ||
47 | +++ b/src/rsn_supp/tdls.c | ||
48 | @@ -112,6 +112,7 @@ struct wpa_tdls_peer { | ||
49 | u8 tk[16]; /* TPK-TK; assuming only CCMP will be used */ | ||
50 | } tpk; | ||
51 | int tpk_set; | ||
52 | + int tk_set; /* TPK-TK configured to the driver */ | ||
53 | int tpk_success; | ||
54 | int tpk_in_progress; | ||
55 | |||
56 | @@ -192,6 +193,20 @@ static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) | ||
57 | u8 rsc[6]; | ||
58 | enum wpa_alg alg; | ||
59 | |||
60 | + if (peer->tk_set) { | ||
61 | + /* | ||
62 | + * This same TPK-TK has already been configured to the driver | ||
63 | + * and this new configuration attempt (likely due to an | ||
64 | + * unexpected retransmitted frame) would result in clearing | ||
65 | + * the TX/RX sequence number which can break security, so must | ||
66 | + * not allow that to happen. | ||
67 | + */ | ||
68 | + wpa_printf(MSG_INFO, "TDLS: TPK-TK for the peer " MACSTR | ||
69 | + " has already been configured to the driver - do not reconfigure", | ||
70 | + MAC2STR(peer->addr)); | ||
71 | + return -1; | ||
72 | + } | ||
73 | + | ||
74 | os_memset(rsc, 0, 6); | ||
75 | |||
76 | switch (peer->cipher) { | ||
77 | @@ -209,12 +224,15 @@ static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) | ||
78 | return -1; | ||
79 | } | ||
80 | |||
81 | + wpa_printf(MSG_DEBUG, "TDLS: Configure pairwise key for peer " MACSTR, | ||
82 | + MAC2STR(peer->addr)); | ||
83 | if (wpa_sm_set_key(sm, alg, peer->addr, -1, 1, | ||
84 | rsc, sizeof(rsc), peer->tpk.tk, key_len) < 0) { | ||
85 | wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the " | ||
86 | "driver"); | ||
87 | return -1; | ||
88 | } | ||
89 | + peer->tk_set = 1; | ||
90 | return 0; | ||
91 | } | ||
92 | |||
93 | @@ -696,7 +714,7 @@ static void wpa_tdls_peer_clear(struct wpa_sm *sm, struct wpa_tdls_peer *peer) | ||
94 | peer->cipher = 0; | ||
95 | peer->qos_info = 0; | ||
96 | peer->wmm_capable = 0; | ||
97 | - peer->tpk_set = peer->tpk_success = 0; | ||
98 | + peer->tk_set = peer->tpk_set = peer->tpk_success = 0; | ||
99 | peer->chan_switch_enabled = 0; | ||
100 | os_memset(&peer->tpk, 0, sizeof(peer->tpk)); | ||
101 | os_memset(peer->inonce, 0, WPA_NONCE_LEN); | ||
102 | @@ -1159,6 +1177,7 @@ skip_rsnie: | ||
103 | wpa_tdls_peer_free(sm, peer); | ||
104 | return -1; | ||
105 | } | ||
106 | + peer->tk_set = 0; /* A new nonce results in a new TK */ | ||
107 | wpa_hexdump(MSG_DEBUG, "TDLS: Initiator Nonce for TPK handshake", | ||
108 | peer->inonce, WPA_NONCE_LEN); | ||
109 | os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); | ||
110 | @@ -1751,6 +1770,19 @@ static int wpa_tdls_addset_peer(struct wpa_sm *sm, struct wpa_tdls_peer *peer, | ||
111 | } | ||
112 | |||
113 | |||
114 | +static int tdls_nonce_set(const u8 *nonce) | ||
115 | +{ | ||
116 | + int i; | ||
117 | + | ||
118 | + for (i = 0; i < WPA_NONCE_LEN; i++) { | ||
119 | + if (nonce[i]) | ||
120 | + return 1; | ||
121 | + } | ||
122 | + | ||
123 | + return 0; | ||
124 | +} | ||
125 | + | ||
126 | + | ||
127 | static int wpa_tdls_process_tpk_m1(struct wpa_sm *sm, const u8 *src_addr, | ||
128 | const u8 *buf, size_t len) | ||
129 | { | ||
130 | @@ -2004,7 +2036,8 @@ skip_rsn: | ||
131 | peer->rsnie_i_len = kde.rsn_ie_len; | ||
132 | peer->cipher = cipher; | ||
133 | |||
134 | - if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) { | ||
135 | + if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0 || | ||
136 | + !tdls_nonce_set(peer->inonce)) { | ||
137 | /* | ||
138 | * There is no point in updating the RNonce for every obtained | ||
139 | * TPK M1 frame (e.g., retransmission due to timeout) with the | ||
140 | @@ -2020,6 +2053,7 @@ skip_rsn: | ||
141 | "TDLS: Failed to get random data for responder nonce"); | ||
142 | goto error; | ||
143 | } | ||
144 | + peer->tk_set = 0; /* A new nonce results in a new TK */ | ||
145 | } | ||
146 | |||
147 | #if 0 | ||
148 | -- | ||
149 | 2.7.4 \ No newline at end of file | ||
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple7.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple7.patch new file mode 100644 index 0000000000..2e12bc7555 --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple7.patch | |||
@@ -0,0 +1,60 @@ | |||
1 | The WPA2 four-way handshake protocol is vulnerable to replay attacks which can | ||
2 | result in unauthenticated clients gaining access to the network. | ||
3 | |||
4 | Backport a number of patches from upstream to fix this. | ||
5 | |||
6 | CVE: CVE-2017-13077 | ||
7 | CVE: CVE-2017-13078 | ||
8 | CVE: CVE-2017-13079 | ||
9 | CVE: CVE-2017-13080 | ||
10 | CVE: CVE-2017-13081 | ||
11 | CVE: CVE-2017-13082 | ||
12 | CVE: CVE-2017-13086 | ||
13 | CVE: CVE-2017-13087 | ||
14 | CVE: CVE-2017-13088 | ||
15 | |||
16 | Upstream-Status: Backport | ||
17 | Signed-off-by: Ross Burton <ross.burton@intel.com> | ||
18 | |||
19 | From 53c5eb58e95004f86e65ee9fbfccbc291b139057 Mon Sep 17 00:00:00 2001 | ||
20 | From: Jouni Malinen <j@w1.fi> | ||
21 | Date: Fri, 22 Sep 2017 11:25:02 +0300 | ||
22 | Subject: [PATCH 7/8] WNM: Ignore WNM-Sleep Mode Response without pending | ||
23 | request | ||
24 | |||
25 | Commit 03ed0a52393710be6bdae657d1b36efa146520e5 ('WNM: Ignore WNM-Sleep | ||
26 | Mode Response if WNM-Sleep Mode has not been used') started ignoring the | ||
27 | response when no WNM-Sleep Mode Request had been used during the | ||
28 | association. This can be made tighter by clearing the used flag when | ||
29 | successfully processing a response. This adds an additional layer of | ||
30 | protection against unexpected retransmissions of the response frame. | ||
31 | |||
32 | Signed-off-by: Jouni Malinen <j@w1.fi> | ||
33 | --- | ||
34 | wpa_supplicant/wnm_sta.c | 4 +++- | ||
35 | 1 file changed, 3 insertions(+), 1 deletion(-) | ||
36 | |||
37 | diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c | ||
38 | index 1b3409c..67a07ff 100644 | ||
39 | --- a/wpa_supplicant/wnm_sta.c | ||
40 | +++ b/wpa_supplicant/wnm_sta.c | ||
41 | @@ -260,7 +260,7 @@ static void ieee802_11_rx_wnmsleep_resp(struct wpa_supplicant *wpa_s, | ||
42 | |||
43 | if (!wpa_s->wnmsleep_used) { | ||
44 | wpa_printf(MSG_DEBUG, | ||
45 | - "WNM: Ignore WNM-Sleep Mode Response frame since WNM-Sleep Mode has not been used in this association"); | ||
46 | + "WNM: Ignore WNM-Sleep Mode Response frame since WNM-Sleep Mode operation has not been requested"); | ||
47 | return; | ||
48 | } | ||
49 | |||
50 | @@ -299,6 +299,8 @@ static void ieee802_11_rx_wnmsleep_resp(struct wpa_supplicant *wpa_s, | ||
51 | return; | ||
52 | } | ||
53 | |||
54 | + wpa_s->wnmsleep_used = 0; | ||
55 | + | ||
56 | if (wnmsleep_ie->status == WNM_STATUS_SLEEP_ACCEPT || | ||
57 | wnmsleep_ie->status == WNM_STATUS_SLEEP_EXIT_ACCEPT_GTK_UPDATE) { | ||
58 | wpa_printf(MSG_DEBUG, "Successfully recv WNM-Sleep Response " | ||
59 | -- | ||
60 | 2.7.4 \ No newline at end of file | ||
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple8.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple8.patch new file mode 100644 index 0000000000..7f5390c312 --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple8.patch | |||
@@ -0,0 +1,99 @@ | |||
1 | The WPA2 four-way handshake protocol is vulnerable to replay attacks which can | ||
2 | result in unauthenticated clients gaining access to the network. | ||
3 | |||
4 | Backport a number of patches from upstream to fix this. | ||
5 | |||
6 | CVE: CVE-2017-13077 | ||
7 | CVE: CVE-2017-13078 | ||
8 | CVE: CVE-2017-13079 | ||
9 | CVE: CVE-2017-13080 | ||
10 | CVE: CVE-2017-13081 | ||
11 | CVE: CVE-2017-13082 | ||
12 | CVE: CVE-2017-13086 | ||
13 | CVE: CVE-2017-13087 | ||
14 | CVE: CVE-2017-13088 | ||
15 | |||
16 | Upstream-Status: Backport | ||
17 | Signed-off-by: Ross Burton <ross.burton@intel.com> | ||
18 | |||
19 | From b372ab0b7daea719749194dc554b26e6367603f2 Mon Sep 17 00:00:00 2001 | ||
20 | From: Jouni Malinen <j@w1.fi> | ||
21 | Date: Fri, 22 Sep 2017 12:06:37 +0300 | ||
22 | Subject: [PATCH 8/8] FT: Do not allow multiple Reassociation Response frames | ||
23 | |||
24 | The driver is expected to not report a second association event without | ||
25 | the station having explicitly request a new association. As such, this | ||
26 | case should not be reachable. However, since reconfiguring the same | ||
27 | pairwise or group keys to the driver could result in nonce reuse issues, | ||
28 | be extra careful here and do an additional state check to avoid this | ||
29 | even if the local driver ends up somehow accepting an unexpected | ||
30 | Reassociation Response frame. | ||
31 | |||
32 | Signed-off-by: Jouni Malinen <j@w1.fi> | ||
33 | --- | ||
34 | src/rsn_supp/wpa.c | 3 +++ | ||
35 | src/rsn_supp/wpa_ft.c | 8 ++++++++ | ||
36 | src/rsn_supp/wpa_i.h | 1 + | ||
37 | 3 files changed, 12 insertions(+) | ||
38 | |||
39 | diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c | ||
40 | index 0550a41..2a53c6f 100644 | ||
41 | --- a/src/rsn_supp/wpa.c | ||
42 | +++ b/src/rsn_supp/wpa.c | ||
43 | @@ -2440,6 +2440,9 @@ void wpa_sm_notify_disassoc(struct wpa_sm *sm) | ||
44 | #ifdef CONFIG_TDLS | ||
45 | wpa_tdls_disassoc(sm); | ||
46 | #endif /* CONFIG_TDLS */ | ||
47 | +#ifdef CONFIG_IEEE80211R | ||
48 | + sm->ft_reassoc_completed = 0; | ||
49 | +#endif /* CONFIG_IEEE80211R */ | ||
50 | |||
51 | /* Keys are not needed in the WPA state machine anymore */ | ||
52 | wpa_sm_drop_sa(sm); | ||
53 | diff --git a/src/rsn_supp/wpa_ft.c b/src/rsn_supp/wpa_ft.c | ||
54 | index 205793e..d45bb45 100644 | ||
55 | --- a/src/rsn_supp/wpa_ft.c | ||
56 | +++ b/src/rsn_supp/wpa_ft.c | ||
57 | @@ -153,6 +153,7 @@ static u8 * wpa_ft_gen_req_ies(struct wpa_sm *sm, size_t *len, | ||
58 | u16 capab; | ||
59 | |||
60 | sm->ft_completed = 0; | ||
61 | + sm->ft_reassoc_completed = 0; | ||
62 | |||
63 | buf_len = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) + | ||
64 | 2 + sm->r0kh_id_len + ric_ies_len + 100; | ||
65 | @@ -681,6 +682,11 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies, | ||
66 | return -1; | ||
67 | } | ||
68 | |||
69 | + if (sm->ft_reassoc_completed) { | ||
70 | + wpa_printf(MSG_DEBUG, "FT: Reassociation has already been completed for this FT protocol instance - ignore unexpected retransmission"); | ||
71 | + return 0; | ||
72 | + } | ||
73 | + | ||
74 | if (wpa_ft_parse_ies(ies, ies_len, &parse) < 0) { | ||
75 | wpa_printf(MSG_DEBUG, "FT: Failed to parse IEs"); | ||
76 | return -1; | ||
77 | @@ -781,6 +787,8 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies, | ||
78 | return -1; | ||
79 | } | ||
80 | |||
81 | + sm->ft_reassoc_completed = 1; | ||
82 | + | ||
83 | if (wpa_ft_process_gtk_subelem(sm, parse.gtk, parse.gtk_len) < 0) | ||
84 | return -1; | ||
85 | |||
86 | diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h | ||
87 | index 41f371f..56f88dc 100644 | ||
88 | --- a/src/rsn_supp/wpa_i.h | ||
89 | +++ b/src/rsn_supp/wpa_i.h | ||
90 | @@ -128,6 +128,7 @@ struct wpa_sm { | ||
91 | size_t r0kh_id_len; | ||
92 | u8 r1kh_id[FT_R1KH_ID_LEN]; | ||
93 | int ft_completed; | ||
94 | + int ft_reassoc_completed; | ||
95 | int over_the_ds_in_progress; | ||
96 | u8 target_ap[ETH_ALEN]; /* over-the-DS target AP */ | ||
97 | int set_ptk_after_assoc; | ||
98 | -- | ||
99 | 2.7.4 \ No newline at end of file | ||
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.6.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.6.bb index d6d4206a58..e684537486 100644 --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.6.bb +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.6.bb | |||
@@ -24,7 +24,14 @@ SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \ | |||
24 | file://wpa_supplicant.conf \ | 24 | file://wpa_supplicant.conf \ |
25 | file://wpa_supplicant.conf-sane \ | 25 | file://wpa_supplicant.conf-sane \ |
26 | file://99_wpa_supplicant \ | 26 | file://99_wpa_supplicant \ |
27 | file://key-replay-cve-multiple.patch \ | 27 | file://key-replay-cve-multiple1.patch \ |
28 | file://key-replay-cve-multiple2.patch \ | ||
29 | file://key-replay-cve-multiple3.patch \ | ||
30 | file://key-replay-cve-multiple4.patch \ | ||
31 | file://key-replay-cve-multiple5.patch \ | ||
32 | file://key-replay-cve-multiple6.patch \ | ||
33 | file://key-replay-cve-multiple7.patch \ | ||
34 | file://key-replay-cve-multiple8.patch \ | ||
28 | " | 35 | " |
29 | SRC_URI[md5sum] = "091569eb4440b7d7f2b4276dbfc03c3c" | 36 | SRC_URI[md5sum] = "091569eb4440b7d7f2b4276dbfc03c3c" |
30 | SRC_URI[sha256sum] = "b4936d34c4e6cdd44954beba74296d964bc2c9668ecaa5255e499636fe2b1450" | 37 | SRC_URI[sha256sum] = "b4936d34c4e6cdd44954beba74296d964bc2c9668ecaa5255e499636fe2b1450" |