Diffstat (limited to 'meta/recipes-connectivity/wpa-supplicant')
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple1.patch191
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple2.patch267
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple3.patch201
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple4.patch96
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple5.patch81
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple6.patch149
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple7.patch60
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple8.patch99
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/wpa_supplicant-CVE-2018-14526.patch44
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.7.bb (renamed from meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.6.bb)19
10 files changed, 5 insertions, 1202 deletions
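--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple1.patch
+++ /dev/null
@@ -1,191 +0,0 @@
-The WPA2 four-way handshake protocol is vulnerable to replay attacks which can
-result in unauthenticated clients gaining access to the network.
-
-Backport a number of patches from upstream to fix this.
-
-CVE: CVE-2017-13077
-CVE: CVE-2017-13078
-CVE: CVE-2017-13079
-CVE: CVE-2017-13080
-CVE: CVE-2017-13081
-CVE: CVE-2017-13082
-CVE: CVE-2017-13086
-CVE: CVE-2017-13087
-CVE: CVE-2017-13088
-
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@intel.com>
-
-From cf4cab804c7afd5c45505528a8d16e46163243a2 Mon Sep 17 00:00:00 2001
-From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
-Date: Fri, 14 Jul 2017 15:15:35 +0200
-Subject: [PATCH 1/8] hostapd: Avoid key reinstallation in FT handshake
-
-Do not reinstall TK to the driver during Reassociation Response frame
-processing if the first attempt of setting the TK succeeded. This avoids
-issues related to clearing the TX/RX PN that could result in reusing
-same PN values for transmitted frames (e.g., due to CCM nonce reuse and
-also hitting replay protection on the receiver) and accepting replayed
-frames on RX side.
-
-This issue was introduced by the commit
-0e84c25434e6a1f283c7b4e62e483729085b78d2 ('FT: Fix PTK configuration in
-authenticator') which allowed wpa_ft_install_ptk() to be called multiple
-times with the same PTK. While the second configuration attempt is
-needed with some drivers, it must be done only if the first attempt
-failed.
-
-Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
----
- src/ap/ieee802_11.c | 16 +++++++++++++---
- src/ap/wpa_auth.c | 11 +++++++++++
- src/ap/wpa_auth.h | 3 ++-
- src/ap/wpa_auth_ft.c | 10 ++++++++++
- src/ap/wpa_auth_i.h | 1 +
- 5 files changed, 37 insertions(+), 4 deletions(-)
-
-diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
-index 4e04169..333035f 100644
---- a/src/ap/ieee802_11.c
-+++ b/src/ap/ieee802_11.c
-@@ -1841,6 +1841,7 @@ static int add_associated_sta(struct hostapd_data *hapd,
- {
- struct ieee80211_ht_capabilities ht_cap;
- struct ieee80211_vht_capabilities vht_cap;
-+ int set = 1;
-
- /*
- * Remove the STA entry to ensure the STA PS state gets cleared and
-@@ -1848,9 +1849,18 @@ static int add_associated_sta(struct hostapd_data *hapd,
- * FT-over-the-DS, where a station re-associates back to the same AP but
- * skips the authentication flow, or if working with a driver that
- * does not support full AP client state.
-+ *
-+ * Skip this if the STA has already completed FT reassociation and the
-+ * TK has been configured since the TX/RX PN must not be reset to 0 for
-+ * the same key.
- */
-- if (!sta->added_unassoc)
-+ if (!sta->added_unassoc &&
-+ (!(sta->flags & WLAN_STA_AUTHORIZED) ||
-+ !wpa_auth_sta_ft_tk_already_set(sta->wpa_sm))) {
- hostapd_drv_sta_remove(hapd, sta->addr);
-+ wpa_auth_sm_event(sta->wpa_sm, WPA_DRV_STA_REMOVED);
-+ set = 0;
-+ }
-
- #ifdef CONFIG_IEEE80211N
- if (sta->flags & WLAN_STA_HT)
-@@ -1873,11 +1883,11 @@ static int add_associated_sta(struct hostapd_data *hapd,
- sta->flags & WLAN_STA_VHT ? &vht_cap : NULL,
- sta->flags | WLAN_STA_ASSOC, sta->qosinfo,
- sta->vht_opmode, sta->p2p_ie ? 1 : 0,
-- sta->added_unassoc)) {
-+ set)) {
- hostapd_logger(hapd, sta->addr,
- HOSTAPD_MODULE_IEEE80211, HOSTAPD_LEVEL_NOTICE,
- "Could not %s STA to kernel driver",
-- sta->added_unassoc ? "set" : "add");
-+ set ? "set" : "add");
-
- if (sta->added_unassoc) {
- hostapd_drv_sta_remove(hapd, sta->addr);
-diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
-index 3587086..707971d 100644
---- a/src/ap/wpa_auth.c
-+++ b/src/ap/wpa_auth.c
-@@ -1745,6 +1745,9 @@ int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event)
- #else /* CONFIG_IEEE80211R */
- break;
- #endif /* CONFIG_IEEE80211R */
-+ case WPA_DRV_STA_REMOVED:
-+ sm->tk_already_set = FALSE;
-+ return 0;
- }
-
- #ifdef CONFIG_IEEE80211R
-@@ -3250,6 +3253,14 @@ int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm)
- }
-
-
-+int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm)
-+{
-+ if (!sm || !wpa_key_mgmt_ft(sm->wpa_key_mgmt))
-+ return 0;
-+ return sm->tk_already_set;
-+}
-+
-+
- int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm,
- struct rsn_pmksa_cache_entry *entry)
- {
-diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h
-index 0de8d97..97461b0 100644
---- a/src/ap/wpa_auth.h
-+++ b/src/ap/wpa_auth.h
-@@ -267,7 +267,7 @@ void wpa_receive(struct wpa_authenticator *wpa_auth,
- u8 *data, size_t data_len);
- enum wpa_event {
- WPA_AUTH, WPA_ASSOC, WPA_DISASSOC, WPA_DEAUTH, WPA_REAUTH,
-- WPA_REAUTH_EAPOL, WPA_ASSOC_FT
-+ WPA_REAUTH_EAPOL, WPA_ASSOC_FT, WPA_DRV_STA_REMOVED
- };
- void wpa_remove_ptk(struct wpa_state_machine *sm);
- int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event);
-@@ -280,6 +280,7 @@ int wpa_auth_pairwise_set(struct wpa_state_machine *sm);
- int wpa_auth_get_pairwise(struct wpa_state_machine *sm);
- int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm);
- int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm);
-+int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm);
- int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm,
- struct rsn_pmksa_cache_entry *entry);
- struct rsn_pmksa_cache_entry *
-diff --git a/src/ap/wpa_auth_ft.c b/src/ap/wpa_auth_ft.c
-index 42242a5..e63b99a 100644
---- a/src/ap/wpa_auth_ft.c
-+++ b/src/ap/wpa_auth_ft.c
-@@ -780,6 +780,14 @@ void wpa_ft_install_ptk(struct wpa_state_machine *sm)
- return;
- }
-
-+ if (sm->tk_already_set) {
-+ /* Must avoid TK reconfiguration to prevent clearing of TX/RX
-+ * PN in the driver */
-+ wpa_printf(MSG_DEBUG,
-+ "FT: Do not re-install same PTK to the driver");
-+ return;
-+ }
-+
- /* FIX: add STA entry to kernel/driver here? The set_key will fail
- * most likely without this.. At the moment, STA entry is added only
- * after association has been completed. This function will be called
-@@ -792,6 +800,7 @@ void wpa_ft_install_ptk(struct wpa_state_machine *sm)
-
- /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */
- sm->pairwise_set = TRUE;
-+ sm->tk_already_set = TRUE;
- }
-
-
-@@ -898,6 +907,7 @@ static int wpa_ft_process_auth_req(struct wpa_state_machine *sm,
-
- sm->pairwise = pairwise;
- sm->PTK_valid = TRUE;
-+ sm->tk_already_set = FALSE;
- wpa_ft_install_ptk(sm);
-
- buflen = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) +
-diff --git a/src/ap/wpa_auth_i.h b/src/ap/wpa_auth_i.h
-index 72b7eb3..7fd8f05 100644
---- a/src/ap/wpa_auth_i.h
-+++ b/src/ap/wpa_auth_i.h
-@@ -65,6 +65,7 @@ struct wpa_state_machine {
- struct wpa_ptk PTK;
- Boolean PTK_valid;
- Boolean pairwise_set;
-+ Boolean tk_already_set;
- int keycount;
- Boolean Pair;
- struct wpa_key_replay_counter {
---
-2.7.4
\ No newline at end of file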
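--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple2.patch
+++ /dev/null
@@ -1,267 +0,0 @@
-The WPA2 four-way handshake protocol is vulnerable to replay attacks which can
-result in unauthenticated clients gaining access to the network.
-
-Backport a number of patches from upstream to fix this.
-
-CVE: CVE-2017-13077
-CVE: CVE-2017-13078
-CVE: CVE-2017-13079
-CVE: CVE-2017-13080
-CVE: CVE-2017-13081
-CVE: CVE-2017-13082
-CVE: CVE-2017-13086
-CVE: CVE-2017-13087
-CVE: CVE-2017-13088
-
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@intel.com>
-
-From 927f891007c402fefd1ff384645b3f07597c3ede Mon Sep 17 00:00:00 2001
-From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
-Date: Wed, 12 Jul 2017 16:03:24 +0200
-Subject: [PATCH 2/8] Prevent reinstallation of an already in-use group key
-
-Track the current GTK and IGTK that is in use and when receiving a
-(possibly retransmitted) Group Message 1 or WNM-Sleep Mode Response, do
-not install the given key if it is already in use. This prevents an
-attacker from trying to trick the client into resetting or lowering the
-sequence counter associated to the group key.
-
-Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
----
- src/common/wpa_common.h | 11 +++++
- src/rsn_supp/wpa.c | 116 ++++++++++++++++++++++++++++++------------------
- src/rsn_supp/wpa_i.h | 4 ++
- 3 files changed, 87 insertions(+), 44 deletions(-)
-
-diff --git a/src/common/wpa_common.h b/src/common/wpa_common.h
-index af1d0f0..d200285 100644
---- a/src/common/wpa_common.h
-+++ b/src/common/wpa_common.h
-@@ -217,6 +217,17 @@ struct wpa_ptk {
- size_t tk_len;
- };
-
-+struct wpa_gtk {
-+ u8 gtk[WPA_GTK_MAX_LEN];
-+ size_t gtk_len;
-+};
-+
-+#ifdef CONFIG_IEEE80211W
-+struct wpa_igtk {
-+ u8 igtk[WPA_IGTK_MAX_LEN];
-+ size_t igtk_len;
-+};
-+#endif /* CONFIG_IEEE80211W */
-
- /* WPA IE version 1
- * 00-50-f2:1 (OUI:OUI type)
-diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
-index 3c47879..95bd7be 100644
---- a/src/rsn_supp/wpa.c
-+++ b/src/rsn_supp/wpa.c
-@@ -714,6 +714,15 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
- const u8 *_gtk = gd->gtk;
- u8 gtk_buf[32];
-
-+ /* Detect possible key reinstallation */
-+ if (sm->gtk.gtk_len == (size_t) gd->gtk_len &&
-+ os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) {
-+ wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
-+ "WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)",
-+ gd->keyidx, gd->tx, gd->gtk_len);
-+ return 0;
-+ }
-+
- wpa_hexdump_key(MSG_DEBUG, "WPA: Group Key", gd->gtk, gd->gtk_len);
- wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
- "WPA: Installing GTK to the driver (keyidx=%d tx=%d len=%d)",
-@@ -748,6 +757,9 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
- }
- os_memset(gtk_buf, 0, sizeof(gtk_buf));
-
-+ sm->gtk.gtk_len = gd->gtk_len;
-+ os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len);
-+
- return 0;
- }
-
-@@ -854,6 +866,48 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm,
- }
-
-
-+#ifdef CONFIG_IEEE80211W
-+static int wpa_supplicant_install_igtk(struct wpa_sm *sm,
-+ const struct wpa_igtk_kde *igtk)
-+{
-+ size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
-+ u16 keyidx = WPA_GET_LE16(igtk->keyid);
-+
-+ /* Detect possible key reinstallation */
-+ if (sm->igtk.igtk_len == len &&
-+ os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) {
-+ wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
-+ "WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)",
-+ keyidx);
-+ return 0;
-+ }
-+
-+ wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
-+ "WPA: IGTK keyid %d pn %02x%02x%02x%02x%02x%02x",
-+ keyidx, MAC2STR(igtk->pn));
-+ wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK", igtk->igtk, len);
-+ if (keyidx > 4095) {
-+ wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
-+ "WPA: Invalid IGTK KeyID %d", keyidx);
-+ return -1;
-+ }
-+ if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
-+ broadcast_ether_addr,
-+ keyidx, 0, igtk->pn, sizeof(igtk->pn),
-+ igtk->igtk, len) < 0) {
-+ wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
-+ "WPA: Failed to configure IGTK to the driver");
-+ return -1;
-+ }
-+
-+ sm->igtk.igtk_len = len;
-+ os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len);
-+
-+ return 0;
-+}
-+#endif /* CONFIG_IEEE80211W */
-+
-+
- static int ieee80211w_set_keys(struct wpa_sm *sm,
- struct wpa_eapol_ie_parse *ie)
- {
-@@ -864,30 +918,14 @@ static int ieee80211w_set_keys(struct wpa_sm *sm,
- if (ie->igtk) {
- size_t len;
- const struct wpa_igtk_kde *igtk;
-- u16 keyidx;
-+
- len = wpa_cipher_key_len(sm->mgmt_group_cipher);
- if (ie->igtk_len != WPA_IGTK_KDE_PREFIX_LEN + len)
- return -1;
-+
- igtk = (const struct wpa_igtk_kde *) ie->igtk;
-- keyidx = WPA_GET_LE16(igtk->keyid);
-- wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: IGTK keyid %d "
-- "pn %02x%02x%02x%02x%02x%02x",
-- keyidx, MAC2STR(igtk->pn));
-- wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK",
-- igtk->igtk, len);
-- if (keyidx > 4095) {
-- wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
-- "WPA: Invalid IGTK KeyID %d", keyidx);
-- return -1;
-- }
-- if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
-- broadcast_ether_addr,
-- keyidx, 0, igtk->pn, sizeof(igtk->pn),
-- igtk->igtk, len) < 0) {
-- wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
-- "WPA: Failed to configure IGTK to the driver");
-+ if (wpa_supplicant_install_igtk(sm, igtk) < 0)
- return -1;
-- }
- }
-
- return 0;
-@@ -2307,7 +2345,7 @@ void wpa_sm_deinit(struct wpa_sm *sm)
- */
- void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
- {
-- int clear_ptk = 1;
-+ int clear_keys = 1;
-
- if (sm == NULL)
- return;
-@@ -2333,11 +2371,11 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
- /* Prepare for the next transition */
- wpa_ft_prepare_auth_request(sm, NULL);
-
-- clear_ptk = 0;
-+ clear_keys = 0;
- }
- #endif /* CONFIG_IEEE80211R */
-
-- if (clear_ptk) {
-+ if (clear_keys) {
- /*
- * IEEE 802.11, 8.4.10: Delete PTK SA on (re)association if
- * this is not part of a Fast BSS Transition.
-@@ -2347,6 +2385,10 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
- os_memset(&sm->ptk, 0, sizeof(sm->ptk));
- sm->tptk_set = 0;
- os_memset(&sm->tptk, 0, sizeof(sm->tptk));
-+ os_memset(&sm->gtk, 0, sizeof(sm->gtk));
-+#ifdef CONFIG_IEEE80211W
-+ os_memset(&sm->igtk, 0, sizeof(sm->igtk));
-+#endif /* CONFIG_IEEE80211W */
- }
-
- #ifdef CONFIG_TDLS
-@@ -2877,6 +2919,10 @@ void wpa_sm_drop_sa(struct wpa_sm *sm)
- os_memset(sm->pmk, 0, sizeof(sm->pmk));
- os_memset(&sm->ptk, 0, sizeof(sm->ptk));
- os_memset(&sm->tptk, 0, sizeof(sm->tptk));
-+ os_memset(&sm->gtk, 0, sizeof(sm->gtk));
-+#ifdef CONFIG_IEEE80211W
-+ os_memset(&sm->igtk, 0, sizeof(sm->igtk));
-+#endif /* CONFIG_IEEE80211W */
- #ifdef CONFIG_IEEE80211R
- os_memset(sm->xxkey, 0, sizeof(sm->xxkey));
- os_memset(sm->pmk_r0, 0, sizeof(sm->pmk_r0));
-@@ -2949,29 +2995,11 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf)
- os_memset(&gd, 0, sizeof(gd));
- #ifdef CONFIG_IEEE80211W
- } else if (subelem_id == WNM_SLEEP_SUBELEM_IGTK) {
-- struct wpa_igtk_kde igd;
-- u16 keyidx;
--
-- os_memset(&igd, 0, sizeof(igd));
-- keylen = wpa_cipher_key_len(sm->mgmt_group_cipher);
-- os_memcpy(igd.keyid, buf + 2, 2);
-- os_memcpy(igd.pn, buf + 4, 6);
--
-- keyidx = WPA_GET_LE16(igd.keyid);
-- os_memcpy(igd.igtk, buf + 10, keylen);
--
-- wpa_hexdump_key(MSG_DEBUG, "Install IGTK (WNM SLEEP)",
-- igd.igtk, keylen);
-- if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
-- broadcast_ether_addr,
-- keyidx, 0, igd.pn, sizeof(igd.pn),
-- igd.igtk, keylen) < 0) {
-- wpa_printf(MSG_DEBUG, "Failed to install the IGTK in "
-- "WNM mode");
-- os_memset(&igd, 0, sizeof(igd));
-+ const struct wpa_igtk_kde *igtk;
-+
-+ igtk = (const struct wpa_igtk_kde *) (buf + 2);
-+ if (wpa_supplicant_install_igtk(sm, igtk) < 0)
- return -1;
-- }
-- os_memset(&igd, 0, sizeof(igd));
- #endif /* CONFIG_IEEE80211W */
- } else {
- wpa_printf(MSG_DEBUG, "Unknown element id");
-diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h
-index f653ba6..afc9e37 100644
---- a/src/rsn_supp/wpa_i.h
-+++ b/src/rsn_supp/wpa_i.h
-@@ -31,6 +31,10 @@ struct wpa_sm {
- u8 rx_replay_counter[WPA_REPLAY_COUNTER_LEN];
- int rx_replay_counter_set;
- u8 request_counter[WPA_REPLAY_COUNTER_LEN];
-+ struct wpa_gtk gtk;
-+#ifdef CONFIG_IEEE80211W
-+ struct wpa_igtk igtk;
-+#endif /* CONFIG_IEEE80211W */
-
- struct eapol_sm *eapol; /* EAPOL state machine from upper level code */
-
---
-2.7.4
\ No newline at end of file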
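--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple3.patch
+++ /dev/null
@@ -1,201 +0,0 @@
-The WPA2 four-way handshake protocol is vulnerable to replay attacks which can
-result in unauthenticated clients gaining access to the network.
-
-Backport a number of patches from upstream to fix this.
-
-CVE: CVE-2017-13077
-CVE: CVE-2017-13078
-CVE: CVE-2017-13079
-CVE: CVE-2017-13080
-CVE: CVE-2017-13081
-CVE: CVE-2017-13082
-CVE: CVE-2017-13086
-CVE: CVE-2017-13087
-CVE: CVE-2017-13088
-
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@intel.com>
-
-From 8280294e74846ea342389a0cd17215050fa5afe8 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Sun, 1 Oct 2017 12:12:24 +0300
-Subject: [PATCH 3/8] Extend protection of GTK/IGTK reinstallation of WNM-Sleep
- Mode cases
-
-This extends the protection to track last configured GTK/IGTK value
-separately from EAPOL-Key frames and WNM-Sleep Mode frames to cover a
-corner case where these two different mechanisms may get used when the
-GTK/IGTK has changed and tracking a single value is not sufficient to
-detect a possible key reconfiguration.
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- src/rsn_supp/wpa.c | 53 +++++++++++++++++++++++++++++++++++++---------------
- src/rsn_supp/wpa_i.h | 2 ++
- 2 files changed, 40 insertions(+), 15 deletions(-)
-
-diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
-index 95bd7be..7a2c68d 100644
---- a/src/rsn_supp/wpa.c
-+++ b/src/rsn_supp/wpa.c
-@@ -709,14 +709,17 @@ struct wpa_gtk_data {
-
- static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
- const struct wpa_gtk_data *gd,
-- const u8 *key_rsc)
-+ const u8 *key_rsc, int wnm_sleep)
- {
- const u8 *_gtk = gd->gtk;
- u8 gtk_buf[32];
-
- /* Detect possible key reinstallation */
-- if (sm->gtk.gtk_len == (size_t) gd->gtk_len &&
-- os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) {
-+ if ((sm->gtk.gtk_len == (size_t) gd->gtk_len &&
-+ os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) ||
-+ (sm->gtk_wnm_sleep.gtk_len == (size_t) gd->gtk_len &&
-+ os_memcmp(sm->gtk_wnm_sleep.gtk, gd->gtk,
-+ sm->gtk_wnm_sleep.gtk_len) == 0)) {
- wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
- "WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)",
- gd->keyidx, gd->tx, gd->gtk_len);
-@@ -757,8 +760,14 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
- }
- os_memset(gtk_buf, 0, sizeof(gtk_buf));
-
-- sm->gtk.gtk_len = gd->gtk_len;
-- os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len);
-+ if (wnm_sleep) {
-+ sm->gtk_wnm_sleep.gtk_len = gd->gtk_len;
-+ os_memcpy(sm->gtk_wnm_sleep.gtk, gd->gtk,
-+ sm->gtk_wnm_sleep.gtk_len);
-+ } else {
-+ sm->gtk.gtk_len = gd->gtk_len;
-+ os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len);
-+ }
-
- return 0;
- }
-@@ -852,7 +861,7 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm,
- (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
- gtk_len, gtk_len,
- &gd.key_rsc_len, &gd.alg) ||
-- wpa_supplicant_install_gtk(sm, &gd, key_rsc))) {
-+ wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0))) {
- wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
- "RSN: Failed to install GTK");
- os_memset(&gd, 0, sizeof(gd));
-@@ -868,14 +877,18 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm,
-
- #ifdef CONFIG_IEEE80211W
- static int wpa_supplicant_install_igtk(struct wpa_sm *sm,
-- const struct wpa_igtk_kde *igtk)
-+ const struct wpa_igtk_kde *igtk,
-+ int wnm_sleep)
- {
- size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
- u16 keyidx = WPA_GET_LE16(igtk->keyid);
-
- /* Detect possible key reinstallation */
-- if (sm->igtk.igtk_len == len &&
-- os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) {
-+ if ((sm->igtk.igtk_len == len &&
-+ os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) ||
-+ (sm->igtk_wnm_sleep.igtk_len == len &&
-+ os_memcmp(sm->igtk_wnm_sleep.igtk, igtk->igtk,
-+ sm->igtk_wnm_sleep.igtk_len) == 0)) {
- wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
- "WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)",
- keyidx);
-@@ -900,8 +913,14 @@ static int wpa_supplicant_install_igtk(struct wpa_sm *sm,
- return -1;
- }
-
-- sm->igtk.igtk_len = len;
-- os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len);
-+ if (wnm_sleep) {
-+ sm->igtk_wnm_sleep.igtk_len = len;
-+ os_memcpy(sm->igtk_wnm_sleep.igtk, igtk->igtk,
-+ sm->igtk_wnm_sleep.igtk_len);
-+ } else {
-+ sm->igtk.igtk_len = len;
-+ os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len);
-+ }
-
- return 0;
- }
-@@ -924,7 +943,7 @@ static int ieee80211w_set_keys(struct wpa_sm *sm,
- return -1;
-
- igtk = (const struct wpa_igtk_kde *) ie->igtk;
-- if (wpa_supplicant_install_igtk(sm, igtk) < 0)
-+ if (wpa_supplicant_install_igtk(sm, igtk, 0) < 0)
- return -1;
- }
-
-@@ -1574,7 +1593,7 @@ static void wpa_supplicant_process_1_of_2(struct wpa_sm *sm,
- if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc))
- key_rsc = null_rsc;
-
-- if (wpa_supplicant_install_gtk(sm, &gd, key_rsc) ||
-+ if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0) ||
- wpa_supplicant_send_2_of_2(sm, key, ver, key_info) < 0)
- goto failed;
- os_memset(&gd, 0, sizeof(gd));
-@@ -2386,8 +2405,10 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
- sm->tptk_set = 0;
- os_memset(&sm->tptk, 0, sizeof(sm->tptk));
- os_memset(&sm->gtk, 0, sizeof(sm->gtk));
-+ os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep));
- #ifdef CONFIG_IEEE80211W
- os_memset(&sm->igtk, 0, sizeof(sm->igtk));
-+ os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep));
- #endif /* CONFIG_IEEE80211W */
- }
-
-@@ -2920,8 +2941,10 @@ void wpa_sm_drop_sa(struct wpa_sm *sm)
- os_memset(&sm->ptk, 0, sizeof(sm->ptk));
- os_memset(&sm->tptk, 0, sizeof(sm->tptk));
- os_memset(&sm->gtk, 0, sizeof(sm->gtk));
-+ os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep));
- #ifdef CONFIG_IEEE80211W
- os_memset(&sm->igtk, 0, sizeof(sm->igtk));
-+ os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep));
- #endif /* CONFIG_IEEE80211W */
- #ifdef CONFIG_IEEE80211R
- os_memset(sm->xxkey, 0, sizeof(sm->xxkey));
-@@ -2986,7 +3009,7 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf)
-
- wpa_hexdump_key(MSG_DEBUG, "Install GTK (WNM SLEEP)",
- gd.gtk, gd.gtk_len);
-- if (wpa_supplicant_install_gtk(sm, &gd, key_rsc)) {
-+ if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 1)) {
- os_memset(&gd, 0, sizeof(gd));
- wpa_printf(MSG_DEBUG, "Failed to install the GTK in "
- "WNM mode");
-@@ -2998,7 +3021,7 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf)
- const struct wpa_igtk_kde *igtk;
-
- igtk = (const struct wpa_igtk_kde *) (buf + 2);
-- if (wpa_supplicant_install_igtk(sm, igtk) < 0)
-+ if (wpa_supplicant_install_igtk(sm, igtk, 1) < 0)
- return -1;
- #endif /* CONFIG_IEEE80211W */
- } else {
-diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h
-index afc9e37..9a54631 100644
---- a/src/rsn_supp/wpa_i.h
-+++ b/src/rsn_supp/wpa_i.h
-@@ -32,8 +32,10 @@ struct wpa_sm {
- int rx_replay_counter_set;
- u8 request_counter[WPA_REPLAY_COUNTER_LEN];
- struct wpa_gtk gtk;
-+ struct wpa_gtk gtk_wnm_sleep;
- #ifdef CONFIG_IEEE80211W
- struct wpa_igtk igtk;
-+ struct wpa_igtk igtk_wnm_sleep;
- #endif /* CONFIG_IEEE80211W */
-
- struct eapol_sm *eapol; /* EAPOL state machine from upper level code */
---
-2.7.4
\ No newline at end of file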
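--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple4.patch
+++ /dev/null
@@ -1,96 +0,0 @@
-The WPA2 four-way handshake protocol is vulnerable to replay attacks which can
-result in unauthenticated clients gaining access to the network.
-
-Backport a number of patches from upstream to fix this.
-
-CVE: CVE-2017-13077
-CVE: CVE-2017-13078
-CVE: CVE-2017-13079
-CVE: CVE-2017-13080
-CVE: CVE-2017-13081
-CVE: CVE-2017-13082
-CVE: CVE-2017-13086
-CVE: CVE-2017-13087
-CVE: CVE-2017-13088
-
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@intel.com>
-
-From 8f82bc94e8697a9d47fa8774dfdaaede1084912c Mon Sep 17 00:00:00 2001
-From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
-Date: Fri, 29 Sep 2017 04:22:51 +0200
-Subject: [PATCH 4/8] Prevent installation of an all-zero TK
-
-Properly track whether a PTK has already been installed to the driver
-and the TK part cleared from memory. This prevents an attacker from
-trying to trick the client into installing an all-zero TK.
-
-This fixes the earlier fix in commit
-ad00d64e7d8827b3cebd665a0ceb08adabf15e1e ('Fix TK configuration to the
-driver in EAPOL-Key 3/4 retry case') which did not take into account
-possibility of an extra message 1/4 showing up between retries of
-message 3/4.
-
-Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
----
- src/common/wpa_common.h | 1 +
- src/rsn_supp/wpa.c | 5 ++---
- src/rsn_supp/wpa_i.h | 1 -
- 3 files changed, 3 insertions(+), 4 deletions(-)
-
-diff --git a/src/common/wpa_common.h b/src/common/wpa_common.h
-index d200285..1021ccb 100644
---- a/src/common/wpa_common.h
-+++ b/src/common/wpa_common.h
-@@ -215,6 +215,7 @@ struct wpa_ptk {
- size_t kck_len;
- size_t kek_len;
- size_t tk_len;
-+ int installed; /* 1 if key has already been installed to driver */
- };
-
- struct wpa_gtk {
-diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
-index 7a2c68d..0550a41 100644
---- a/src/rsn_supp/wpa.c
-+++ b/src/rsn_supp/wpa.c
-@@ -510,7 +510,6 @@ static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm,
- os_memset(buf, 0, sizeof(buf));
- }
- sm->tptk_set = 1;
-- sm->tk_to_set = 1;
-
- kde = sm->assoc_wpa_ie;
- kde_len = sm->assoc_wpa_ie_len;
-@@ -615,7 +614,7 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm,
- enum wpa_alg alg;
- const u8 *key_rsc;
-
-- if (!sm->tk_to_set) {
-+ if (sm->ptk.installed) {
- wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
- "WPA: Do not re-install same PTK to the driver");
- return 0;
-@@ -659,7 +658,7 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm,
-
- /* TK is not needed anymore in supplicant */
- os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
-- sm->tk_to_set = 0;
-+ sm->ptk.installed = 1;
-
- if (sm->wpa_ptk_rekey) {
- eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
-diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h
-index 9a54631..41f371f 100644
---- a/src/rsn_supp/wpa_i.h
-+++ b/src/rsn_supp/wpa_i.h
-@@ -24,7 +24,6 @@ struct wpa_sm {
- struct wpa_ptk ptk, tptk;
- int ptk_set, tptk_set;
- unsigned int msg_3_of_4_ok:1;
-- unsigned int tk_to_set:1;
- u8 snonce[WPA_NONCE_LEN];
- u8 anonce[WPA_NONCE_LEN]; /* ANonce from the last 1/4 msg */
- int renew_snonce;
---
-2.7.4
\ No newline at end of file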
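--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple5.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-The WPA2 four-way handshake protocol is vulnerable to replay attacks which can
-result in unauthenticated clients gaining access to the network.
-
-Backport a number of patches from upstream to fix this.
-
-CVE: CVE-2017-13077
-CVE: CVE-2017-13078
-CVE: CVE-2017-13079
-CVE: CVE-2017-13080
-CVE: CVE-2017-13081
-CVE: CVE-2017-13082
-CVE: CVE-2017-13086
-CVE: CVE-2017-13087
-CVE: CVE-2017-13088
-
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@intel.com>
-
-From 12fac09b437a1dc8a0f253e265934a8aaf4d2f8b Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Sun, 1 Oct 2017 12:32:57 +0300
-Subject: [PATCH 5/8] Fix PTK rekeying to generate a new ANonce
-
-The Authenticator state machine path for PTK rekeying ended up bypassing
-the AUTHENTICATION2 state where a new ANonce is generated when going
-directly to the PTKSTART state since there is no need to try to
-determine the PMK again in such a case. This is far from ideal since the
-new PTK would depend on a new nonce only from the supplicant.
-
-Fix this by generating a new ANonce when moving to the PTKSTART state
-for the purpose of starting new 4-way handshake to rekey PTK.
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- src/ap/wpa_auth.c | 24 +++++++++++++++++++++---
- 1 file changed, 21 insertions(+), 3 deletions(-)
-
-diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
-index 707971d..bf10cc1 100644
---- a/src/ap/wpa_auth.c
-+++ b/src/ap/wpa_auth.c
-@@ -1901,6 +1901,21 @@ SM_STATE(WPA_PTK, AUTHENTICATION2)
- }
-
-
-+static int wpa_auth_sm_ptk_update(struct wpa_state_machine *sm)
-+{
-+ if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
-+ wpa_printf(MSG_ERROR,
-+ "WPA: Failed to get random data for ANonce");
-+ sm->Disconnect = TRUE;
-+ return -1;
-+ }
-+ wpa_hexdump(MSG_DEBUG, "WPA: Assign new ANonce", sm->ANonce,
-+ WPA_NONCE_LEN);
-+ sm->TimeoutCtr = 0;
-+ return 0;
-+}
-+
-+
- SM_STATE(WPA_PTK, INITPMK)
- {
- u8 msk[2 * PMK_LEN];
-@@ -2458,9 +2473,12 @@ SM_STEP(WPA_PTK)
- SM_ENTER(WPA_PTK, AUTHENTICATION);
- else if (sm->ReAuthenticationRequest)
- SM_ENTER(WPA_PTK, AUTHENTICATION2);
-- else if (sm->PTKRequest)
-- SM_ENTER(WPA_PTK, PTKSTART);
-- else switch (sm->wpa_ptk_state) {
-+ else if (sm->PTKRequest) {
-+ if (wpa_auth_sm_ptk_update(sm) < 0)
-+ SM_ENTER(WPA_PTK, DISCONNECTED);
-+ else
-+ SM_ENTER(WPA_PTK, PTKSTART);
-+ } else switch (sm->wpa_ptk_state) {
- case WPA_PTK_INITIALIZE:
- break;
- case WPA_PTK_DISCONNECT:
---
-2.7.4
\ No newline at end of file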
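diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple6.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple6.patch
deleted file mode 100644
index 15183f40c1..0000000000
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple6.patch
+++ /dev/null
@@ -1,149 +0,0 @@
-The WPA2 four-way handshake protocol is vulnerable to replay attacks which can
-result in unauthenticated clients gaining access to the network.
-
-Backport a number of patches from upstream to fix this.
-
-CVE: CVE-2017-13077
-CVE: CVE-2017-13078
-CVE: CVE-2017-13079
-CVE: CVE-2017-13080
-CVE: CVE-2017-13081
-CVE: CVE-2017-13082
-CVE: CVE-2017-13086
-CVE: CVE-2017-13087
-CVE: CVE-2017-13088
-
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@intel.com>
-
-From 6c4bed4f47d1960ec04981a9d50e5076aea5223d Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Fri, 22 Sep 2017 11:03:15 +0300
-Subject: [PATCH 6/8] TDLS: Reject TPK-TK reconfiguration
-
-Do not try to reconfigure the same TPK-TK to the driver after it has
-been successfully configured. This is an explicit check to avoid issues
-related to resetting the TX/RX packet number. There was already a check
-for this for TPK M2 (retries of that message are ignored completely), so
-that behavior does not get modified.
-
-For TPK M3, the TPK-TK could have been reconfigured, but that was
-followed by immediate teardown of the link due to an issue in updating
-the STA entry. Furthermore, for TDLS with any real security (i.e.,
-ignoring open/WEP), the TPK message exchange is protected on the AP path
-and simple replay attacks are not feasible.
-
-As an additional corner case, make sure the local nonce gets updated if
-the peer uses a very unlikely "random nonce" of all zeros.
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- src/rsn_supp/tdls.c | 38 ++++++++++++++++++++++++++++++++++++--
- 1 file changed, 36 insertions(+), 2 deletions(-)
-
-diff --git a/src/rsn_supp/tdls.c b/src/rsn_supp/tdls.c
-index e424168..9eb9738 100644
---- a/src/rsn_supp/tdls.c
-+++ b/src/rsn_supp/tdls.c
-@@ -112,6 +112,7 @@ struct wpa_tdls_peer {
- u8 tk[16]; /* TPK-TK; assuming only CCMP will be used */
- } tpk;
- int tpk_set;
-+ int tk_set; /* TPK-TK configured to the driver */
- int tpk_success;
- int tpk_in_progress;
-
-@@ -192,6 +193,20 @@ static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
- u8 rsc[6];
- enum wpa_alg alg;
-
-+ if (peer->tk_set) {
-+ /*
-+ * This same TPK-TK has already been configured to the driver
-+ * and this new configuration attempt (likely due to an
-+ * unexpected retransmitted frame) would result in clearing
-+ * the TX/RX sequence number which can break security, so must
-+ * not allow that to happen.
-+ */
-+ wpa_printf(MSG_INFO, "TDLS: TPK-TK for the peer " MACSTR
-+ " has already been configured to the driver - do not reconfigure",
-+ MAC2STR(peer->addr));
-+ return -1;
-+ }
-+
- os_memset(rsc, 0, 6);
-
- switch (peer->cipher) {
-@@ -209,12 +224,15 @@ static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
- return -1;
- }
-
-+ wpa_printf(MSG_DEBUG, "TDLS: Configure pairwise key for peer " MACSTR,
-+ MAC2STR(peer->addr));
- if (wpa_sm_set_key(sm, alg, peer->addr, -1, 1,
- rsc, sizeof(rsc), peer->tpk.tk, key_len) < 0) {
- wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the "
- "driver");
- return -1;
- }
-+ peer->tk_set = 1;
- return 0;
- }
-
-@@ -696,7 +714,7 @@ static void wpa_tdls_peer_clear(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
- peer->cipher = 0;
- peer->qos_info = 0;
- peer->wmm_capable = 0;
-- peer->tpk_set = peer->tpk_success = 0;
-+ peer->tk_set = peer->tpk_set = peer->tpk_success = 0;
- peer->chan_switch_enabled = 0;
- os_memset(&peer->tpk, 0, sizeof(peer->tpk));
- os_memset(peer->inonce, 0, WPA_NONCE_LEN);
-@@ -1159,6 +1177,7 @@ skip_rsnie:
- wpa_tdls_peer_free(sm, peer);
- return -1;
- }
-+ peer->tk_set = 0; /* A new nonce results in a new TK */
- wpa_hexdump(MSG_DEBUG, "TDLS: Initiator Nonce for TPK handshake",
- peer->inonce, WPA_NONCE_LEN);
- os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
-@@ -1751,6 +1770,19 @@ static int wpa_tdls_addset_peer(struct wpa_sm *sm, struct wpa_tdls_peer *peer,
- }
-
-
-+static int tdls_nonce_set(const u8 *nonce)
-+{
-+ int i;
-+
- for (i = 0; i < WPA_NONCE_LEN; i++) {
- if (nonce[i])
- return 1;
- }
-+
- return 0;
-+}
-+
-+
- static int wpa_tdls_process_tpk_m1(struct wpa_sm *sm, const u8 *src_addr,
- const u8 *buf, size_t len)
- {
-@@ -2004,7 +2036,8 @@ skip_rsn:
- peer->rsnie_i_len = kde.rsn_ie_len;
- peer->cipher = cipher;
-
-- if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) {
-+ if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0 ||
-+ !tdls_nonce_set(peer->inonce)) {
- /*
- * There is no point in updating the RNonce for every obtained
- * TPK M1 frame (e.g., retransmission due to timeout) with the
-@@ -2020,6 +2053,7 @@ skip_rsn:
- "TDLS: Failed to get random data for responder nonce");
- goto error;
- }
-+ peer->tk_set = 0; /* A new nonce results in a new TK */
- }
-
- #if 0
---
-2.7.4
\ No newline at end of file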
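diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple7.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple7.patch
deleted file mode 100644
index 2e12bc7555..0000000000
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple7.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-The WPA2 four-way handshake protocol is vulnerable to replay attacks which can
-result in unauthenticated clients gaining access to the network.
-
-Backport a number of patches from upstream to fix this.
-
-CVE: CVE-2017-13077
-CVE: CVE-2017-13078
-CVE: CVE-2017-13079
-CVE: CVE-2017-13080
-CVE: CVE-2017-13081
-CVE: CVE-2017-13082
-CVE: CVE-2017-13086
-CVE: CVE-2017-13087
-CVE: CVE-2017-13088
-
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@intel.com>
-
-From 53c5eb58e95004f86e65ee9fbfccbc291b139057 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Fri, 22 Sep 2017 11:25:02 +0300
-Subject: [PATCH 7/8] WNM: Ignore WNM-Sleep Mode Response without pending
- request
-
-Commit 03ed0a52393710be6bdae657d1b36efa146520e5 ('WNM: Ignore WNM-Sleep
-Mode Response if WNM-Sleep Mode has not been used') started ignoring the
-response when no WNM-Sleep Mode Request had been used during the
-association. This can be made tighter by clearing the used flag when
-successfully processing a response. This adds an additional layer of
-protection against unexpected retransmissions of the response frame.
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- wpa_supplicant/wnm_sta.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c
-index 1b3409c..67a07ff 100644
---- a/wpa_supplicant/wnm_sta.c
-+++ b/wpa_supplicant/wnm_sta.c
-@@ -260,7 +260,7 @@ static void ieee802_11_rx_wnmsleep_resp(struct wpa_supplicant *wpa_s,
-
- if (!wpa_s->wnmsleep_used) {
- wpa_printf(MSG_DEBUG,
-- "WNM: Ignore WNM-Sleep Mode Response frame since WNM-Sleep Mode has not been used in this association");
-+ "WNM: Ignore WNM-Sleep Mode Response frame since WNM-Sleep Mode operation has not been requested");
- return;
- }
-
-@@ -299,6 +299,8 @@ static void ieee802_11_rx_wnmsleep_resp(struct wpa_supplicant *wpa_s,
- return;
- }
-
-+ wpa_s->wnmsleep_used = 0;
-+
- if (wnmsleep_ie->status == WNM_STATUS_SLEEP_ACCEPT ||
- wnmsleep_ie->status == WNM_STATUS_SLEEP_EXIT_ACCEPT_GTK_UPDATE) {
- wpa_printf(MSG_DEBUG, "Successfully recv WNM-Sleep Response "
---
-2.7.4
\ No newline at end of file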
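diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple8.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple8.patch
deleted file mode 100644
index 7f5390c312..0000000000
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple8.patch
+++ /dev/null
@@ -1,99 +0,0 @@
-The WPA2 four-way handshake protocol is vulnerable to replay attacks which can
-result in unauthenticated clients gaining access to the network.
-
-Backport a number of patches from upstream to fix this.
-
-CVE: CVE-2017-13077
-CVE: CVE-2017-13078
-CVE: CVE-2017-13079
-CVE: CVE-2017-13080
-CVE: CVE-2017-13081
-CVE: CVE-2017-13082
-CVE: CVE-2017-13086
-CVE: CVE-2017-13087
-CVE: CVE-2017-13088
-
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@intel.com>
-
-From b372ab0b7daea719749194dc554b26e6367603f2 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Fri, 22 Sep 2017 12:06:37 +0300
-Subject: [PATCH 8/8] FT: Do not allow multiple Reassociation Response frames
-
-The driver is expected to not report a second association event without
-the station having explicitly request a new association. As such, this
-case should not be reachable. However, since reconfiguring the same
-pairwise or group keys to the driver could result in nonce reuse issues,
-be extra careful here and do an additional state check to avoid this
-even if the local driver ends up somehow accepting an unexpected
-Reassociation Response frame.
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- src/rsn_supp/wpa.c | 3 +++
- src/rsn_supp/wpa_ft.c | 8 ++++++++
- src/rsn_supp/wpa_i.h | 1 +
- 3 files changed, 12 insertions(+)
-
-diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
-index 0550a41..2a53c6f 100644
---- a/src/rsn_supp/wpa.c
-+++ b/src/rsn_supp/wpa.c
-@@ -2440,6 +2440,9 @@ void wpa_sm_notify_disassoc(struct wpa_sm *sm)
- #ifdef CONFIG_TDLS
- wpa_tdls_disassoc(sm);
- #endif /* CONFIG_TDLS */
-+#ifdef CONFIG_IEEE80211R
-+ sm->ft_reassoc_completed = 0;
-+#endif /* CONFIG_IEEE80211R */
-
- /* Keys are not needed in the WPA state machine anymore */
- wpa_sm_drop_sa(sm);
-diff --git a/src/rsn_supp/wpa_ft.c b/src/rsn_supp/wpa_ft.c
-index 205793e..d45bb45 100644
---- a/src/rsn_supp/wpa_ft.c
-+++ b/src/rsn_supp/wpa_ft.c
-@@ -153,6 +153,7 @@ static u8 * wpa_ft_gen_req_ies(struct wpa_sm *sm, size_t *len,
- u16 capab;
-
- sm->ft_completed = 0;
-+ sm->ft_reassoc_completed = 0;
-
- buf_len = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) +
- 2 + sm->r0kh_id_len + ric_ies_len + 100;
-@@ -681,6 +682,11 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies,
- return -1;
- }
-
-+ if (sm->ft_reassoc_completed) {
-+ wpa_printf(MSG_DEBUG, "FT: Reassociation has already been completed for this FT protocol instance - ignore unexpected retransmission");
-+ return 0;
-+ }
-+
- if (wpa_ft_parse_ies(ies, ies_len, &parse) < 0) {
- wpa_printf(MSG_DEBUG, "FT: Failed to parse IEs");
- return -1;
-@@ -781,6 +787,8 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies,
- return -1;
- }
-
-+ sm->ft_reassoc_completed = 1;
-+
- if (wpa_ft_process_gtk_subelem(sm, parse.gtk, parse.gtk_len) < 0)
- return -1;
-
-diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h
-index 41f371f..56f88dc 100644
---- a/src/rsn_supp/wpa_i.h
-+++ b/src/rsn_supp/wpa_i.h
-@@ -128,6 +128,7 @@ struct wpa_sm {
- size_t r0kh_id_len;
- u8 r1kh_id[FT_R1KH_ID_LEN];
- int ft_completed;
-+ int ft_reassoc_completed;
- int over_the_ds_in_progress;
- u8 target_ap[ETH_ALEN]; /* over-the-DS target AP */
- int set_ptk_after_assoc;
---
-2.7.4
\ No newline at end of file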
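diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/wpa_supplicant-CVE-2018-14526.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/wpa_supplicant-CVE-2018-14526.patch
deleted file mode 100644
index e800a410ea..0000000000
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/wpa_supplicant-CVE-2018-14526.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-wpa_supplicant-2.6: Fix CVE-2018-14526
-
-[No upstream tracking] -- https://w1.fi/security/2018-1/unauthenticated-eapol-key-decryption.txt
-
-wpa: Ignore unauthenticated encrypted EAPOL-Key data
-
-Ignore unauthenticated encrypted EAPOL-Key data in supplicant
-processing. When using WPA2, these are frames that have the Encrypted
-flag set, but not the MIC flag.
-
-When using WPA2, EAPOL-Key frames that had the Encrypted flag set but
-not the MIC flag, had their data field decrypted without first verifying
-the MIC. In case the data field was encrypted using RC4 (i.e., when
-negotiating TKIP as the pairwise cipher), this meant that
-unauthenticated but decrypted data would then be processed. An adversary
-could abuse this as a decryption oracle to recover sensitive information
-in the data field of EAPOL-Key messages (e.g., the group key).
-
-Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/src/rsn_supp/wpa.c?id=3e34cfdff6b192fe337c6fb3f487f73e96582961]
-CVE: CVE-2018-14526
-Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
-
-diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
-index 3c47879..6bdf923 100644
---- a/src/rsn_supp/wpa.c
-+++ b/src/rsn_supp/wpa.c
-@@ -2016,6 +2016,17 @@ int wpa_sm_rx_eapol(struct wpa_sm *sm, const u8 *src_addr,
-
- if ((sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) &&
- (key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
-+ /*
-+ * Only decrypt the Key Data field if the frame's authenticity
-+ * was verified. When using AES-SIV (FILS), the MIC flag is not
-+ * set, so this check should only be performed if mic_len != 0
-+ * which is the case in this code branch.
-+ */
-+ if (!(key_info & WPA_KEY_INFO_MIC)) {
-+ wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
-+ "WPA: Ignore EAPOL-Key with encrypted but unauthenticated data");
-+ goto out;
-+ }
- if (wpa_supplicant_decrypt_key_data(sm, key, ver, key_data,
- &key_data_len))
- goto out;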
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.6.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.7.bb
index c92ed4ab93..6fc5cf5db7 100644
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.6.bb
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.7.bb
@@ -3,9 +3,9 @@ HOMEPAGE = "http://w1.fi/wpa_supplicant/"
3BUGTRACKER = "http://w1.fi/security/" 3BUGTRACKER = "http://w1.fi/security/"
4SECTION = "network" 4SECTION = "network"
5LICENSE = "BSD" 5LICENSE = "BSD"
6LIC_FILES_CHKSUM = "file://COPYING;md5=292eece3f2ebbaa25608eed8464018a3 \ 6LIC_FILES_CHKSUM = "file://COPYING;md5=a3791c270ad6bb026707d17bf750e5ef \
7 file://README;beginline=1;endline=56;md5=3f01d778be8f953962388307ee38ed2b \ 7 file://README;beginline=1;endline=56;md5=495cbce6008253de4b4d8f4cdfae9f4f \
8 file://wpa_supplicant/wpa_supplicant.c;beginline=1;endline=12;md5=4061612fc5715696134e3baf933e8aba" 8 file://wpa_supplicant/wpa_supplicant.c;beginline=1;endline=12;md5=a5687903a31b8679e6a06b3afa5c819e"
9DEPENDS = "dbus libnl" 9DEPENDS = "dbus libnl"
10RRECOMMENDS_${PN} = "wpa-supplicant-passphrase wpa-supplicant-cli" 10RRECOMMENDS_${PN} = "wpa-supplicant-passphrase wpa-supplicant-cli"
11 11
@@ -24,19 +24,10 @@ SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \
24 file://wpa_supplicant.conf \ 24 file://wpa_supplicant.conf \
25 file://wpa_supplicant.conf-sane \ 25 file://wpa_supplicant.conf-sane \
26 file://99_wpa_supplicant \ 26 file://99_wpa_supplicant \
27 file://key-replay-cve-multiple1.patch \
28 file://key-replay-cve-multiple2.patch \
29 file://key-replay-cve-multiple3.patch \
30 file://key-replay-cve-multiple4.patch \
31 file://key-replay-cve-multiple5.patch \
32 file://key-replay-cve-multiple6.patch \
33 file://key-replay-cve-multiple7.patch \
34 file://key-replay-cve-multiple8.patch \
35 file://wpa_supplicant-CVE-2018-14526.patch \
36 file://0001-replace-systemd-install-Alias-with-WantedBy.patch \ 27 file://0001-replace-systemd-install-Alias-with-WantedBy.patch \
37 " 28 "
38SRC_URI[md5sum] = "091569eb4440b7d7f2b4276dbfc03c3c" 29SRC_URI[md5sum] = "a68538fb62766f40f890125026c42c10"
39SRC_URI[sha256sum] = "b4936d34c4e6cdd44954beba74296d964bc2c9668ecaa5255e499636fe2b1450" 30SRC_URI[sha256sum] = "76ea6b06b7a2ea8e6d9eb1a9166166f1656e6d48c7508914f592100c95c73074"
40 31
41CVE_PRODUCT = "wpa_supplicant" 32CVE_PRODUCT = "wpa_supplicant"
42 33
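Review bot: The second hunk removes the eight `file://key-replay-cve-multiple*.patch` backports and `file://wpa_supplicant-CVE-2018-14526.patch` from SRC_URI together with the 2.6 → 2.7 bump, but nothing in the recipe records that the 2.7 tarball already carries those fixes. The upstream commits quoted in the deleted patch headers are dated September 2017, and the CVE-2018-14526 backport points at a 2018 w1.fi advisory and commit 3e34cfdff6b1, so they presumably predate 2.7, but that should be confirmed against the new tarball rather than assumed — for example `ft_reassoc_completed` should be present in src/rsn_supp/wpa_i.h and the string `Ignore EAPOL-Key with encrypted but unauthenticated data` in src/rsn_supp/wpa.c. I would add a one-line comment above the surviving `file://0001-replace-systemd-install-Alias-with-WantedBy.patch` entry, `# The KRACK (CVE-2017-1307x/1308x) and CVE-2018-14526 backports were dropped at 2.7 because upstream includes them`, so the next person triaging a cve-check report does not go looking for the deleted patches. The opening `SRC_URI = ` line and the rest of the recipe are outside the hunk.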