Brad Bishop | d5ae7d9 | 2018-06-14 09:52:03 -0700 | [diff] [blame] | 1 | The WPA2 four-way handshake protocol is vulnerable to replay attacks which can |
| 2 | result in unauthenticated clients gaining access to the network. |
| 3 | |
| 4 | Backport a number of patches from upstream to fix this. |
| 5 | |
| 6 | CVE: CVE-2017-13077 |
| 7 | CVE: CVE-2017-13078 |
| 8 | CVE: CVE-2017-13079 |
| 9 | CVE: CVE-2017-13080 |
| 10 | CVE: CVE-2017-13081 |
| 11 | CVE: CVE-2017-13082 |
| 12 | CVE: CVE-2017-13086 |
| 13 | CVE: CVE-2017-13087 |
| 14 | CVE: CVE-2017-13088 |
| 15 | |
| 16 | Upstream-Status: Backport |
| 17 | Signed-off-by: Ross Burton <ross.burton@intel.com> |
| 18 | |
| 19 | From 12fac09b437a1dc8a0f253e265934a8aaf4d2f8b Mon Sep 17 00:00:00 2001 |
| 20 | From: Jouni Malinen <j@w1.fi> |
| 21 | Date: Sun, 1 Oct 2017 12:32:57 +0300 |
| 22 | Subject: [PATCH 5/8] Fix PTK rekeying to generate a new ANonce |
| 23 | |
| 24 | The Authenticator state machine path for PTK rekeying ended up bypassing |
| 25 | the AUTHENTICATION2 state where a new ANonce is generated when going |
| 26 | directly to the PTKSTART state since there is no need to try to |
| 27 | determine the PMK again in such a case. This is far from ideal since the |
| 28 | new PTK would depend on a new nonce only from the supplicant. |
| 29 | |
| 30 | Fix this by generating a new ANonce when moving to the PTKSTART state |
| 31 | for the purpose of starting new 4-way handshake to rekey PTK. |
| 32 | |
| 33 | Signed-off-by: Jouni Malinen <j@w1.fi> |
| 34 | --- |
| 35 | src/ap/wpa_auth.c | 24 +++++++++++++++++++++--- |
| 36 | 1 file changed, 21 insertions(+), 3 deletions(-) |
| 37 | |
| 38 | diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c |
| 39 | index 707971d..bf10cc1 100644 |
| 40 | --- a/src/ap/wpa_auth.c |
| 41 | +++ b/src/ap/wpa_auth.c |
| 42 | @@ -1901,6 +1901,21 @@ SM_STATE(WPA_PTK, AUTHENTICATION2) |
| 43 | } |
| 44 | |
| 45 | |
| 46 | +static int wpa_auth_sm_ptk_update(struct wpa_state_machine *sm) |
| 47 | +{ |
| 48 | + if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) { |
| 49 | + wpa_printf(MSG_ERROR, |
| 50 | + "WPA: Failed to get random data for ANonce"); |
| 51 | + sm->Disconnect = TRUE; |
| 52 | + return -1; |
| 53 | + } |
| 54 | + wpa_hexdump(MSG_DEBUG, "WPA: Assign new ANonce", sm->ANonce, |
| 55 | + WPA_NONCE_LEN); |
| 56 | + sm->TimeoutCtr = 0; |
| 57 | + return 0; |
| 58 | +} |
| 59 | + |
| 60 | + |
| 61 | SM_STATE(WPA_PTK, INITPMK) |
| 62 | { |
| 63 | u8 msk[2 * PMK_LEN]; |
| 64 | @@ -2458,9 +2473,12 @@ SM_STEP(WPA_PTK) |
| 65 | SM_ENTER(WPA_PTK, AUTHENTICATION); |
| 66 | else if (sm->ReAuthenticationRequest) |
| 67 | SM_ENTER(WPA_PTK, AUTHENTICATION2); |
| 68 | - else if (sm->PTKRequest) |
| 69 | - SM_ENTER(WPA_PTK, PTKSTART); |
| 70 | - else switch (sm->wpa_ptk_state) { |
| 71 | + else if (sm->PTKRequest) { |
| 72 | + if (wpa_auth_sm_ptk_update(sm) < 0) |
| 73 | + SM_ENTER(WPA_PTK, DISCONNECTED); |
| 74 | + else |
| 75 | + SM_ENTER(WPA_PTK, PTKSTART); |
| 76 | + } else switch (sm->wpa_ptk_state) { |
| 77 | case WPA_PTK_INITIALIZE: |
| 78 | break; |
| 79 | case WPA_PTK_DISCONNECT: |
| 80 | -- |
| 81 | 2.7.4 |