|
@@ -1641,10 +1641,23 @@ SM_STATE(WPA_PTK, AUTHENTICATION2)
|
|
|
|
|
|
wpa_group_ensure_init(sm->wpa_auth, sm->group);
|
|
|
|
|
|
- os_memcpy(sm->ANonce, sm->group->Counter, WPA_NONCE_LEN);
|
|
|
+ /*
|
|
|
+ * Definition of ANonce selection in IEEE Std 802.11i-2004 is somewhat
|
|
|
+ * ambiguous. The Authenticator state machine uses a counter that is
|
|
|
+ * incremented by one for each 4-way handshake. However, the security
|
|
|
+ * analysis of 4-way handshake points out that unpredictable nonces
|
|
|
+ * help in preventing precomputation attacks. Instead of the state
|
|
|
+ * machine definition, use an unpredictable nonce value here to provide
|
|
|
+ * stronger protection against potential precomputation attacks.
|
|
|
+ */
|
|
|
+ if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
|
|
|
+ wpa_printf(MSG_ERROR, "WPA: Failed to get random data for "
|
|
|
+ "ANonce.");
|
|
|
+ wpa_sta_disconnect(sm->wpa_auth, sm->addr);
|
|
|
+ return;
|
|
|
+ }
|
|
|
wpa_hexdump(MSG_DEBUG, "WPA: Assign ANonce", sm->ANonce,
|
|
|
WPA_NONCE_LEN);
|
|
|
- inc_byte_array(sm->group->Counter, WPA_NONCE_LEN);
|
|
|
sm->ReAuthenticationRequest = FALSE;
|
|
|
/* IEEE 802.11i does not clear TimeoutCtr here, but this is more
|
|
|
* logical place than INITIALIZE since AUTHENTICATION2 can be
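Review bot: The failure branch of `random_get_bytes()` returns from the middle of the AUTHENTICATION2 entry, so `sm->ANonce` keeps whatever it held before (a previous handshake's value, or possibly a partial fill) and `sm->ReAuthenticationRequest` is never cleared; nothing in this hunk stops the state machine from stepping onward with that nonce. Whether this is safe depends entirely on `wpa_sta_disconnect()`, and if that call releases the station synchronously the caller would continue on freed state; neither is visible here, because the function starts and ends outside the hunk. I would fail closed inside the state machine instead, for example `sm->Disconnect = TRUE;` before the `return;`, so that the disconnect is presumably taken by the normal step logic rather than by a side call. Separately, the new comment should state that the protection relies on `random_get_bytes()` being backed by a properly seeded CSPRNG, which may not hold early in boot on embedded APs.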
|