Home Explore Help
Register Sign In
wareck
/
openwrt_lede
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 488fc98adf
Branches Tags
openwrt_lede
/
package
/
network
/
services
/
hostapd
/
patches
/
008-Prevent-installation-of-an-all-zero-TK.patch

008-Prevent-installation-of-an-all-zero-TK.patch 2.0 KB
History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465 
  1. From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
    2. 

  2. Date: Fri, 29 Sep 2017 04:22:51 +0200
    3. 

  3. Subject: [PATCH] Prevent installation of an all-zero TK
    4. 

  4. 

  5. Properly track whether a PTK has already been installed to the driver
    6. 

  6. and the TK part cleared from memory. This prevents an attacker from
    7. 

  7. trying to trick the client into installing an all-zero TK.
    8. 

  8. 

  9. This fixes the earlier fix in commit
    10. 

  10. ad00d64e7d8827b3cebd665a0ceb08adabf15e1e ('Fix TK configuration to the
    11. 

  11. driver in EAPOL-Key 3/4 retry case') which did not take into account
    12. 

  12. possibility of an extra message 1/4 showing up between retries of
    13. 

  13. message 3/4.
    14. 

  14. 

  15. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
    16. 

  16. ---
    17. 

  17. 

  18. --- a/src/common/wpa_common.h
    19. 

  19. +++ b/src/common/wpa_common.h
    20. 

  20. @@ -205,6 +205,7 @@ struct wpa_ptk {
    21. 

  21.  	size_t kck_len;
    22. 

  22.  	size_t kek_len;
    23. 

  23.  	size_t tk_len;
    24. 

  24. +	int installed; /* 1 if key has already been installed to driver */
    25. 

  25.  };
    26. 

  26.  
    27. 

  27.  struct wpa_gtk {
    28. 

  28. --- a/src/rsn_supp/wpa.c
    29. 

  29. +++ b/src/rsn_supp/wpa.c
    30. 

  30. @@ -581,7 +581,6 @@ static void wpa_supplicant_process_1_of_
    31. 

  31.  		os_memset(buf, 0, sizeof(buf));
    32. 

  32.  	}
    33. 

  33.  	sm->tptk_set = 1;
    34. 

  34. -	sm->tk_to_set = 1;
    35. 

  35.  
    36. 

  36.  	kde = sm->assoc_wpa_ie;
    37. 

  37.  	kde_len = sm->assoc_wpa_ie_len;
    38. 

  38. @@ -686,7 +685,7 @@ static int wpa_supplicant_install_ptk(st
    39. 

  39.  	enum wpa_alg alg;
    40. 

  40.  	const u8 *key_rsc;
    41. 

  41.  
    42. 

  42. -	if (!sm->tk_to_set) {
    43. 

  43. +	if (sm->ptk.installed) {
    44. 

  44.  		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
    45. 

  45.  			"WPA: Do not re-install same PTK to the driver");
    46. 

  46.  		return 0;
    47. 

  47. @@ -730,7 +729,7 @@ static int wpa_supplicant_install_ptk(st
    48. 

  48.  
    49. 

  49.  	/* TK is not needed anymore in supplicant */
    50. 

  50.  	os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
    51. 

  51. -	sm->tk_to_set = 0;
    52. 

  52. +	sm->ptk.installed = 1;
    53. 

  53.  
    54. 

  54.  	if (sm->wpa_ptk_rekey) {
    55. 

  55.  		eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
    56. 

  56. --- a/src/rsn_supp/wpa_i.h
    57. 

  57. +++ b/src/rsn_supp/wpa_i.h
    58. 

  58. @@ -24,7 +24,6 @@ struct wpa_sm {
    59. 

  59.  	struct wpa_ptk ptk, tptk;
    60. 

  60.  	int ptk_set, tptk_set;
    61. 

  61.  	unsigned int msg_3_of_4_ok:1;
    62. 

  62. -	unsigned int tk_to_set:1;
    63. 

  63.  	u8 snonce[WPA_NONCE_LEN];
    64. 

  64.  	u8 anonce[WPA_NONCE_LEN]; /* ANonce from the last 1/4 msg */
    65. 

  65.  	int renew_snonce;
    66.