Patches from Juoni Malinen and Mathy Vanhoef. Fixes: - CVE-2017-13077 - CVE-2017-13078 - CVE-2017-13079 - CVE-2017-13080 - CVE-2017-13081 - CVE-2017-13082 - CVE-2017-13086 - CVE-2017-13087 - CVE-2017-13088 Tested by leot, thanks! Subject: [PATCH 1/8] hostapd: Avoid key reinstallation in FT handshake Do not reinstall TK to the driver during Reassociation Response frame processing if the first attempt of setting the TK succeeded. This avoids issues related to clearing the TX/RX PN that could result in reusing same PN values for transmitted frames (e.g., due to CCM nonce reuse and also hitting replay protection on the receiver) and accepting replayed frames on RX side. This issue was introduced by the commit 0e84c25434e6a1f283c7b4e62e483729085b78d2 ('FT: Fix PTK configuration in authenticator') which allowed wpa_ft_install_ptk() to be called multiple times with the same PTK. While the second configuration attempt is needed with some drivers, it must be done only if the first attempt failed. Subject: [PATCH 2/8] Prevent reinstallation of an already in-use group key Track the current GTK and IGTK that is in use and when receiving a (possibly retransmitted) Group Message 1 or WNM-Sleep Mode Response, do not install the given key if it is already in use. This prevents an attacker from trying to trick the client into resetting or lowering the sequence counter associated to the group key. Subject: [PATCH 3/8] Extend protection of GTK/IGTK reinstallation of WNM-Sleep Mode cases This extends the protection to track last configured GTK/IGTK value separately from EAPOL-Key frames and WNM-Sleep Mode frames to cover a corner case where these two different mechanisms may get used when the GTK/IGTK has changed and tracking a single value is not sufficient to detect a possible key reconfiguration. Subject: [PATCH 4/8] Prevent installation of an all-zero TK Properly track whether a PTK has already been installed to the driver and the TK part cleared from memory. This prevents an attacker from trying to trick the client into installing an all-zero TK. This fixes the earlier fix in commit ad00d64e7d8827b3cebd665a0ceb08adabf15e1e ('Fix TK configuration to the driver in EAPOL-Key 3/4 retry case') which did not take into account possibility of an extra message 1/4 showing up between retries of message 3/4. Subject: [PATCH 5/8] Fix PTK rekeying to generate a new ANonce The Authenticator state machine path for PTK rekeying ended up bypassing the AUTHENTICATION2 state where a new ANonce is generated when going directly to the PTKSTART state since there is no need to try to determine the PMK again in such a case. This is far from ideal since the new PTK would depend on a new nonce only from the supplicant. Fix this by generating a new ANonce when moving to the PTKSTART state for the purpose of starting new 4-way handshake to rekey PTK. Subject: [PATCH 6/8] TDLS: Reject TPK-TK reconfiguration Do not try to reconfigure the same TPK-TK to the driver after it has been successfully configured. This is an explicit check to avoid issues related to resetting the TX/RX packet number. There was already a check for this for TPK M2 (retries of that message are ignored completely), so that behavior does not get modified. For TPK M3, the TPK-TK could have been reconfigured, but that was followed by immediate teardown of the link due to an issue in updating the STA entry. Furthermore, for TDLS with any real security (i.e., ignoring open/WEP), the TPK message exchange is protected on the AP path and simple replay attacks are not feasible. As an additional corner case, make sure the local nonce gets updated if the peer uses a very unlikely "random nonce" of all zeros. Subject: [PATCH 7/8] WNM: Ignore WNM-Sleep Mode Response without pending request Commit 03ed0a52393710be6bdae657d1b36efa146520e5 ('WNM: Ignore WNM-Sleep Mode Response if WNM-Sleep Mode has not been used') started ignoring the response when no WNM-Sleep Mode Request had been used during the association. This can be made tighter by clearing the used flag when successfully processing a response. This adds an additional layer of protection against unexpected retransmissions of the response frame. Subject: [PATCH 8/8] FT: Do not allow multiple Reassociation Response frames The driver is expected to not report a second association event without the station having explicitly request a new association. As such, this case should not be reachable. However, since reconfiguring the same pairwise or group keys to the driver could result in nonce reuse issues, be extra careful here and do an additional state check to avoid this even if the local driver ends up somehow accepting an unexpected Reassociation Response frame.
104 lines
3 KiB
C
104 lines
3 KiB
C
$NetBSD: patch-src_rsn__supp_tdls.c,v 1.1 2017/10/16 10:26:21 maya Exp $
|
|
|
|
--- src/rsn_supp/tdls.c.orig 2016-10-02 18:51:11.000000000 +0000
|
|
+++ src/rsn_supp/tdls.c
|
|
@@ -112,6 +112,7 @@ struct wpa_tdls_peer {
|
|
u8 tk[16]; /* TPK-TK; assuming only CCMP will be used */
|
|
} tpk;
|
|
int tpk_set;
|
|
+ int tk_set; /* TPK-TK configured to the driver */
|
|
int tpk_success;
|
|
int tpk_in_progress;
|
|
|
|
@@ -192,6 +193,20 @@ static int wpa_tdls_set_key(struct wpa_s
|
|
u8 rsc[6];
|
|
enum wpa_alg alg;
|
|
|
|
+ if (peer->tk_set) {
|
|
+ /*
|
|
+ * This same TPK-TK has already been configured to the driver
|
|
+ * and this new configuration attempt (likely due to an
|
|
+ * unexpected retransmitted frame) would result in clearing
|
|
+ * the TX/RX sequence number which can break security, so must
|
|
+ * not allow that to happen.
|
|
+ */
|
|
+ wpa_printf(MSG_INFO, "TDLS: TPK-TK for the peer " MACSTR
|
|
+ " has already been configured to the driver - do not reconfigure",
|
|
+ MAC2STR(peer->addr));
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
os_memset(rsc, 0, 6);
|
|
|
|
switch (peer->cipher) {
|
|
@@ -209,12 +224,15 @@ static int wpa_tdls_set_key(struct wpa_s
|
|
return -1;
|
|
}
|
|
|
|
+ wpa_printf(MSG_DEBUG, "TDLS: Configure pairwise key for peer " MACSTR,
|
|
+ MAC2STR(peer->addr));
|
|
if (wpa_sm_set_key(sm, alg, peer->addr, -1, 1,
|
|
rsc, sizeof(rsc), peer->tpk.tk, key_len) < 0) {
|
|
wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the "
|
|
"driver");
|
|
return -1;
|
|
}
|
|
+ peer->tk_set = 1;
|
|
return 0;
|
|
}
|
|
|
|
@@ -696,7 +714,7 @@ static void wpa_tdls_peer_clear(struct w
|
|
peer->cipher = 0;
|
|
peer->qos_info = 0;
|
|
peer->wmm_capable = 0;
|
|
- peer->tpk_set = peer->tpk_success = 0;
|
|
+ peer->tk_set = peer->tpk_set = peer->tpk_success = 0;
|
|
peer->chan_switch_enabled = 0;
|
|
os_memset(&peer->tpk, 0, sizeof(peer->tpk));
|
|
os_memset(peer->inonce, 0, WPA_NONCE_LEN);
|
|
@@ -1159,6 +1177,7 @@ skip_rsnie:
|
|
wpa_tdls_peer_free(sm, peer);
|
|
return -1;
|
|
}
|
|
+ peer->tk_set = 0; /* A new nonce results in a new TK */
|
|
wpa_hexdump(MSG_DEBUG, "TDLS: Initiator Nonce for TPK handshake",
|
|
peer->inonce, WPA_NONCE_LEN);
|
|
os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
|
|
@@ -1751,6 +1770,19 @@ static int wpa_tdls_addset_peer(struct w
|
|
}
|
|
|
|
|
|
+static int tdls_nonce_set(const u8 *nonce)
|
|
+{
|
|
+ int i;
|
|
+
|
|
+ for (i = 0; i < WPA_NONCE_LEN; i++) {
|
|
+ if (nonce[i])
|
|
+ return 1;
|
|
+ }
|
|
+
|
|
+ return 0;
|
|
+}
|
|
+
|
|
+
|
|
static int wpa_tdls_process_tpk_m1(struct wpa_sm *sm, const u8 *src_addr,
|
|
const u8 *buf, size_t len)
|
|
{
|
|
@@ -2004,7 +2036,8 @@ skip_rsn:
|
|
peer->rsnie_i_len = kde.rsn_ie_len;
|
|
peer->cipher = cipher;
|
|
|
|
- if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) {
|
|
+ if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0 ||
|
|
+ !tdls_nonce_set(peer->inonce)) {
|
|
/*
|
|
* There is no point in updating the RNonce for every obtained
|
|
* TPK M1 frame (e.g., retransmission due to timeout) with the
|
|
@@ -2020,6 +2053,7 @@ skip_rsn:
|
|
"TDLS: Failed to get random data for responder nonce");
|
|
goto error;
|
|
}
|
|
+ peer->tk_set = 0; /* A new nonce results in a new TK */
|
|
}
|
|
|
|
#if 0
|