Brad Bishop | 316dfdd | 2018-06-25 12:45:53 -0400 | [diff] [blame^] | 1 | From abf941647f2dc33b0b59612f525e1b292331cc9f Mon Sep 17 00:00:00 2001 |
| 2 | From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be> |
| 3 | Date: Fri, 29 Sep 2017 04:22:51 +0200 |
| 4 | Subject: [PATCH 4/7] Prevent installation of an all-zero TK |
| 5 | |
| 6 | Properly track whether a PTK has already been installed to the driver |
| 7 | and the TK part cleared from memory. This prevents an attacker from |
| 8 | trying to trick the client into installing an all-zero TK. |
| 9 | |
| 10 | This fixes the earlier fix in commit |
| 11 | ad00d64e7d8827b3cebd665a0ceb08adabf15e1e ('Fix TK configuration to the |
| 12 | driver in EAPOL-Key 3/4 retry case') which did not take into account |
| 13 | possibility of an extra message 1/4 showing up between retries of |
| 14 | message 3/4. |
| 15 | |
| 16 | Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be> |
| 17 | |
| 18 | Upstream-Status: Backport |
| 19 | Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com> |
| 20 | --- |
| 21 | src/common/wpa_common.h | 1 + |
| 22 | src/rsn_supp/wpa.c | 5 ++--- |
| 23 | src/rsn_supp/wpa_i.h | 1 - |
| 24 | 3 files changed, 3 insertions(+), 4 deletions(-) |
| 25 | |
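diff --git a/src/common/wpa_common.h b/src/common/wpa_common.h
index d200285..1021ccb 100644
--- a/src/common/wpa_common.h
+++ b/src/common/wpa_common.h
@@ -215,6 +215,7 @@ struct wpa_ptk {
 	size_t kck_len;
 	size_t kek_len;
 	size_t tk_len;
+	int installed; /* 1 if key has already been installed to driver */
 };
 
 struct wpa_gtk {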
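Review bot: The new `installed` field's comment says when it becomes 1 but not who guarantees it is 0, and the `sm->ptk.installed` early return in the src/rsn_supp/wpa.c hunks is only correct if every freshly derived PTK carries `installed == 0`. Nothing in this patch shows that reset; presumably the derivation path zeroes the whole struct wpa_ptk before filling it, but that is outside the hunks and should be confirmed. I would extend the declaration comment to `int installed; /* 1 if key has already been installed to driver; must be 0 for any newly derived PTK (reset by derivation, not by callers) */` so the invariant is visible where the field lives.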
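diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
index 7a2c68d..0550a41 100644
--- a/src/rsn_supp/wpa.c
+++ b/src/rsn_supp/wpa.c
@@ -510,7 +510,6 @@ static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm,
 		os_memset(buf, 0, sizeof(buf));
 	}
 	sm->tptk_set = 1;
-	sm->tk_to_set = 1;
 
 	kde = sm->assoc_wpa_ie;
 	kde_len = sm->assoc_wpa_ie_len;
@@ -615,7 +614,7 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm,
 	enum wpa_alg alg;
 	const u8 *key_rsc;
 
-	if (!sm->tk_to_set) {
+	if (sm->ptk.installed) {
 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
 			"WPA: Do not re-install same PTK to the driver");
 		return 0;
@@ -659,7 +658,7 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm,
 
 	/* TK is not needed anymore in supplicant */
 	os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
-	sm->tk_to_set = 0;
+	sm->ptk.installed = 1;
 
 	if (sm->wpa_ptk_rekey) {
 		eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);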
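Review bot: The early return on `sm->ptk.installed` in wpa_supplicant_install_ptk reports success (`return 0`) without re-checking anything about the key, so it relies on `installed` being set to 1 only after the driver actually accepted this exact `sm->ptk`; that dependency deserves a comment next to the flag update, since the TK is zeroed on the line before it and a wrong flag value would either re-install a zeroed key or skip a needed install. The driver set_key call and its error handling sit between the second and third hunks and are not visible here; if a failed set_key could fall through to the os_memset, the flag would be set for a key the driver never received, which is worth confirming. I would replace the comment at the memset with `/* TK is not needed anymore in supplicant; clear it and mark the PTK installed so a retransmitted 3/4 takes the early-return path above and can never (re-)install a zeroed key */`. Both wpa_supplicant_process_1_of_4 and wpa_supplicant_install_ptk begin and end outside these hunks.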
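diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h
index 9a54631..41f371f 100644
--- a/src/rsn_supp/wpa_i.h
+++ b/src/rsn_supp/wpa_i.h
@@ -24,7 +24,6 @@ struct wpa_sm {
 	struct wpa_ptk ptk, tptk;
 	int ptk_set, tptk_set;
 	unsigned int msg_3_of_4_ok:1;
-	unsigned int tk_to_set:1;
 	u8 snonce[WPA_NONCE_LEN];
 	u8 anonce[WPA_NONCE_LEN]; /* ANonce from the last 1/4 msg */
 	int renew_snonce;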
| 80 | -- |
| 81 | 1.8.3.1 |
| 82 | |