1 files changed, 96 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple4.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple4.patch
new file mode 100644
index 0000000000..6c1948696e
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple4.patch
@@ -0,0 +1,96 @@
+The WPA2 four-way handshake protocol is vulnerable to replay attacks which can
+result in unauthenticated clients gaining access to the network.
+Backport a number of patches from upstream to fix this.
+CVE: CVE-2017-13077
+CVE: CVE-2017-13078
+CVE: CVE-2017-13079
+CVE: CVE-2017-13080
+CVE: CVE-2017-13081
+CVE: CVE-2017-13082
+CVE: CVE-2017-13086
+CVE: CVE-2017-13087
+CVE: CVE-2017-13088
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+From 8f82bc94e8697a9d47fa8774dfdaaede1084912c Mon Sep 17 00:00:00 2001
+From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
+Date: Fri, 29 Sep 2017 04:22:51 +0200
+Subject: [PATCH 4/8] Prevent installation of an all-zero TK
+Properly track whether a PTK has already been installed to the driver
+and the TK part cleared from memory. This prevents an attacker from
+trying to trick the client into installing an all-zero TK.
+This fixes the earlier fix in commit
+ad00d64e7d8827b3cebd665a0ceb08adabf15e1e ('Fix TK configuration to the
+driver in EAPOL-Key 3/4 retry case') which did not take into account
+possibility of an extra message 1/4 showing up between retries of
+message 3/4.
+Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
+---
+ src/common/wpa_common.h | 1 +
+ src/rsn_supp/wpa.c      | 5 ++---
+ src/rsn_supp/wpa_i.h    | 1 -
+ 3 files changed, 3 insertions(+), 4 deletions(-)
+diff --git a/src/common/wpa_common.h b/src/common/wpa_common.h
+index d200285..1021ccb 100644
+--- a/src/common/wpa_common.h
+++ b/src/common/wpa_common.h
+@@ -215,6 +215,7 @@ struct wpa_ptk {
+        size_t kck_len;
+        size_t kek_len;
+        size_t tk_len;
+       int installed; /* 1 if key has already been installed to driver */
+ };
+ 
+ struct wpa_gtk {
+diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
+index 7a2c68d..0550a41 100644
+--- a/src/rsn_supp/wpa.c
+++ b/src/rsn_supp/wpa.c
+@@ -510,7 +510,6 @@ static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm,
+                os_memset(buf, 0, sizeof(buf));
+        }
+        sm->tptk_set = 1;
+-       sm->tk_to_set = 1;
+ 
+        kde = sm->assoc_wpa_ie;
+        kde_len = sm->assoc_wpa_ie_len;
+@@ -615,7 +614,7 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm,
+        enum wpa_alg alg;
+        const u8 *key_rsc;
+ 
+-       if (!sm->tk_to_set) {
+       if (sm->ptk.installed) {
+                wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
+                        "WPA: Do not re-install same PTK to the driver");
+                return 0;
+@@ -659,7 +658,7 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm,
+ 
+        /* TK is not needed anymore in supplicant */
+        os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
+-       sm->tk_to_set = 0;
+       sm->ptk.installed = 1;
+ 
+        if (sm->wpa_ptk_rekey) {
+                eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
+diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h
+index 9a54631..41f371f 100644
+--- a/src/rsn_supp/wpa_i.h
+++ b/src/rsn_supp/wpa_i.h
+@@ -24,7 +24,6 @@ struct wpa_sm {
+        struct wpa_ptk ptk, tptk;
+        int ptk_set, tptk_set;
+        unsigned int msg_3_of_4_ok:1;
+-       unsigned int tk_to_set:1;
+        u8 snonce[WPA_NONCE_LEN];
+        u8 anonce[WPA_NONCE_LEN]; /* ANonce from the last 1/4 msg */
+        int renew_snonce;
+-- 
+2.7.4
+\ No newline at end of file

diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple4.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple4.patch new file mode 100644 index 0000000000..6c1948696e --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple4.patch
@@ -0,0 +1,96 @@
	1	The WPA2 four-way handshake protocol is vulnerable to replay attacks which can
	2	result in unauthenticated clients gaining access to the network.
	3
	4	Backport a number of patches from upstream to fix this.
	5
	6	CVE: CVE-2017-13077
	7	CVE: CVE-2017-13078
	8	CVE: CVE-2017-13079
	9	CVE: CVE-2017-13080
	10	CVE: CVE-2017-13081
	11	CVE: CVE-2017-13082
	12	CVE: CVE-2017-13086
	13	CVE: CVE-2017-13087
	14	CVE: CVE-2017-13088
	15
	16	Upstream-Status: Backport
	17	Signed-off-by: Ross Burton <ross.burton@intel.com>
	18
	19	From 8f82bc94e8697a9d47fa8774dfdaaede1084912c Mon Sep 17 00:00:00 2001
	20	From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
	21	Date: Fri, 29 Sep 2017 04:22:51 +0200
	22	Subject: [PATCH 4/8] Prevent installation of an all-zero TK
	23
	24	Properly track whether a PTK has already been installed to the driver
	25	and the TK part cleared from memory. This prevents an attacker from
	26	trying to trick the client into installing an all-zero TK.
	27
	28	This fixes the earlier fix in commit
	29	ad00d64e7d8827b3cebd665a0ceb08adabf15e1e ('Fix TK configuration to the
	30	driver in EAPOL-Key 3/4 retry case') which did not take into account
	31	possibility of an extra message 1/4 showing up between retries of
	32	message 3/4.
	33
	34	Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
	35	---
	36	src/common/wpa_common.h \| 1 +
	37	src/rsn_supp/wpa.c \| 5 ++---
	38	src/rsn_supp/wpa_i.h \| 1 -
	39	3 files changed, 3 insertions(+), 4 deletions(-)
	40
	41	diff --git a/src/common/wpa_common.h b/src/common/wpa_common.h
	42	index d200285..1021ccb 100644
	43	--- a/src/common/wpa_common.h
	44	+++ b/src/common/wpa_common.h
	45	@@ -215,6 +215,7 @@ struct wpa_ptk {
	46	size_t kck_len;
	47	size_t kek_len;
	48	size_t tk_len;
	49	+ int installed; /* 1 if key has already been installed to driver */
	50	};
	51
	52	struct wpa_gtk {
	53	diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
	54	index 7a2c68d..0550a41 100644
	55	--- a/src/rsn_supp/wpa.c
	56	+++ b/src/rsn_supp/wpa.c
	57	@@ -510,7 +510,6 @@ static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm,
	58	os_memset(buf, 0, sizeof(buf));
	59	}
	60	sm->tptk_set = 1;
	61	- sm->tk_to_set = 1;
	62
	63	kde = sm->assoc_wpa_ie;
	64	kde_len = sm->assoc_wpa_ie_len;
	65	@@ -615,7 +614,7 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm,
	66	enum wpa_alg alg;
	67	const u8 *key_rsc;
	68
	69	- if (!sm->tk_to_set) {
	70	+ if (sm->ptk.installed) {
	71	wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
	72	"WPA: Do not re-install same PTK to the driver");
	73	return 0;
	74	@@ -659,7 +658,7 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm,
	75
	76	/* TK is not needed anymore in supplicant */
	77	os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
	78	- sm->tk_to_set = 0;
	79	+ sm->ptk.installed = 1;
	80
	81	if (sm->wpa_ptk_rekey) {
	82	eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
	83	diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h
	84	index 9a54631..41f371f 100644
	85	--- a/src/rsn_supp/wpa_i.h
	86	+++ b/src/rsn_supp/wpa_i.h
	87	@@ -24,7 +24,6 @@ struct wpa_sm {
	88	struct wpa_ptk ptk, tptk;
	89	int ptk_set, tptk_set;
	90	unsigned int msg_3_of_4_ok:1;
	91	- unsigned int tk_to_set:1;
	92	u8 snonce[WPA_NONCE_LEN];
	93	u8 anonce[WPA_NONCE_LEN]; /* ANonce from the last 1/4 msg */
	94	int renew_snonce;
	95	--
	96	2.7.4 \ No newline at end of file