From 8f82bc94e8697a9d47fa8774dfdaaede1084912c Mon Sep 17 00:00:00 2001
From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
Date: Fri, 29 Sep 2017 04:22:51 +0200
Subject: [PATCH 4/8] Prevent installation of an all-zero TK
Properly track whether a PTK has already been installed to the driver
and the TK part cleared from memory. This prevents an attacker from
trying to trick the client into installing an all-zero TK.
This fixes the earlier fix in commit
ad00d64e7d8827b3cebd665a0ceb08adabf15e1e ('Fix TK configuration to the
driver in EAPOL-Key 3/4 retry case') which did not take into account
the possibility of an extra message 1/4 showing up between retries of
message 3/4.
Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
---
 src/common/wpa_common.h | 1 +
 src/rsn_supp/wpa.c      | 5 ++---
 src/rsn_supp/wpa_i.h    | 1 -
 3 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/src/common/wpa_common.h b/src/common/wpa_common.h
41817b0
index d200285..1021ccb 100644
41817b0
--- a/src/common/wpa_common.h
41817b0
+++ b/src/common/wpa_common.h
41817b0
@@ -215,6 +215,7 @@ struct wpa_ptk {
41817b0
 	size_t kck_len;
41817b0
 	size_t kek_len;
41817b0
 	size_t tk_len;
41817b0
+	int installed; /* 1 if key has already been installed to driver */
41817b0
 };
41817b0
 
41817b0
 struct wpa_gtk {
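Review bot: The comment on the new `installed` field states what the value means but not the invariant the wpa.c hunks depend on: the flag is only ever set to 1 on `sm->ptk`, and it is expected to read 0 again whenever a freshly derived PTK replaces that struct, which this patch achieves implicitly by copying `tptk` over `ptk` rather than by any explicit reset. Any code path that derives a new PTK directly into `sm->ptk` (none is visible in this patch; if this tree has such paths, for example for fast transition, they would need checking) would carry a stale `installed = 1` into the new key and then skip installing it. I would extend the comment to `int installed; /* 1 if key has already been installed to driver; must read 0 for any freshly derived PTK */`. The `struct wpa_ptk` definition starts outside the hunk.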
41817b0
diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
41817b0
index 7a2c68d..0550a41 100644
41817b0
--- a/src/rsn_supp/wpa.c
41817b0
+++ b/src/rsn_supp/wpa.c
41817b0
@@ -510,7 +510,6 @@ static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm,
41817b0
 		os_memset(buf, 0, sizeof(buf));
41817b0
 	}
41817b0
 	sm->tptk_set = 1;
41817b0
-	sm->tk_to_set = 1;
41817b0
 
41817b0
 	kde = sm->assoc_wpa_ie;
41817b0
 	kde_len = sm->assoc_wpa_ie_len;
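Review bot: The removed `sm->tk_to_set = 1;` gets no explicit counterpart in this hunk, so the new scheme is correct only if `sm->tptk.installed` is 0 at the point where `tptk` is later copied over `ptk`; nothing in the visible lines establishes that, and whether `tptk` is cleared before the PTK is derived into it lies outside the hunk. Setting it explicitly next to the existing flag, `sm->tptk.installed = 0;` after `sm->tptk_set = 1;`, keeps the invariant local to the message 1/4 handler and makes the extra-1/4-between-3/4-retries case from the commit message hold by construction rather than by the state of a helper. wpa_supplicant_process_1_of_4 starts and ends outside the hunk.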
41817b0
@@ -615,7 +614,7 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm,
41817b0
 	enum wpa_alg alg;
41817b0
 	const u8 *key_rsc;
41817b0
 
41817b0
-	if (!sm->tk_to_set) {
41817b0
+	if (sm->ptk.installed) {
41817b0
 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
41817b0
 			"WPA: Do not re-install same PTK to the driver");
41817b0
 		return 0;
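Review bot: The new guard returns 0 rather than an error, and the reason deserves a comment so the early return is not read as a silent failure: a retransmitted message 3/4 is legitimate handshake traffic that still has to be answered, while the TK must never be handed to the driver a second time because it has already been wiped from `sm->ptk.tk` by then. I would add above the `wpa_dbg` call: `/* Retransmitted 3/4: keep answering it, but never push the already-installed (and already wiped) TK to the driver again */`. The MSG_DEBUG line is the only record that this path was taken, and it is the one place where a key-reinstallation attempt would become visible in logs, so a level that survives normal deployments may be worth considering if ordinary retries do not make it too noisy. wpa_supplicant_install_ptk starts and continues outside the hunk.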
41817b0
@@ -659,7 +658,7 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm,
41817b0
 
41817b0
 	/* TK is not needed anymore in supplicant */
41817b0
 	os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
41817b0
-	sm->tk_to_set = 0;
41817b0
+	sm->ptk.installed = 1;
41817b0
 
41817b0
 	if (sm->wpa_ptk_rekey) {
41817b0
 		eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
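Review bot: `sm->ptk.installed = 1;` is placed immediately after the TK is zeroed, which is the right order but is worth stating, because the two lines only work as a pair: once the flag is set the guard at the top of the function refuses a second install, and the zeroed `tk` is exactly why that refusal matters, since a second install would hand the driver an all-zero key. The counterpart is that any set-key failure path between the guard and this line (not visible here) must return before reaching it, or the flag would claim an installation that never happened. I would replace the existing comment with `/* TK is not needed anymore in supplicant: wipe it and mark the PTK installed so a retransmitted 3/4 cannot push an all-zero key to the driver */`. wpa_supplicant_install_ptk starts and ends outside the hunk.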
41817b0
diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h
41817b0
index 9a54631..41f371f 100644
41817b0
--- a/src/rsn_supp/wpa_i.h
41817b0
+++ b/src/rsn_supp/wpa_i.h
41817b0
@@ -24,7 +24,6 @@ struct wpa_sm {
41817b0
 	struct wpa_ptk ptk, tptk;
41817b0
 	int ptk_set, tptk_set;
41817b0
 	unsigned int msg_3_of_4_ok:1;
41817b0
-	unsigned int tk_to_set:1;
41817b0
 	u8 snonce[WPA_NONCE_LEN];
41817b0
 	u8 anonce[WPA_NONCE_LEN]; /* ANonce from the last 1/4 msg */
41817b0
 	int renew_snonce;
41817b0
-- 
2.7.4