wok diff wpa_supplicant/stuff/rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch @ rev 20131

wpa_supplicant: security fix for KRACK
author Richard Dunbar <mojo@slitaz.org>
date Sat Oct 28 02:35:58 2017 -0400 (2017-10-28)
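--- /dev/null
+++ b/wpa_supplicant/stuff/rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch
@@ -0,0 +1,132 @@
+From 6c4bed4f47d1960ec04981a9d50e5076aea5223d Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Fri, 22 Sep 2017 11:03:15 +0300
+Subject: [PATCH 6/8] TDLS: Reject TPK-TK reconfiguration
+
+Do not try to reconfigure the same TPK-TK to the driver after it has
+been successfully configured. This is an explicit check to avoid issues
+related to resetting the TX/RX packet number. There was already a check
+for this for TPK M2 (retries of that message are ignored completely), so
+that behavior does not get modified.
+
+For TPK M3, the TPK-TK could have been reconfigured, but that was
+followed by immediate teardown of the link due to an issue in updating
+the STA entry. Furthermore, for TDLS with any real security (i.e.,
+ignoring open/WEP), the TPK message exchange is protected on the AP path
+and simple replay attacks are not feasible.
+
+As an additional corner case, make sure the local nonce gets updated if
+the peer uses a very unlikely "random nonce" of all zeros.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/rsn_supp/tdls.c | 38 ++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 36 insertions(+), 2 deletions(-)
+
+diff --git a/src/rsn_supp/tdls.c b/src/rsn_supp/tdls.c
+index e424168..9eb9738 100644
+--- a/src/rsn_supp/tdls.c
++++ b/src/rsn_supp/tdls.c
+@@ -112,6 +112,7 @@ struct wpa_tdls_peer {
+ 		u8 tk[16]; /* TPK-TK; assuming only CCMP will be used */
+ 	} tpk;
+ 	int tpk_set;
++	int tk_set; /* TPK-TK configured to the driver */
+ 	int tpk_success;
+ 	int tpk_in_progress;
+ 
+@@ -192,6 +193,20 @@ static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
+ 	u8 rsc[6];
+ 	enum wpa_alg alg;
+ 
++	if (peer->tk_set) {
++		/*
++		 * This same TPK-TK has already been configured to the driver
++		 * and this new configuration attempt (likely due to an
++		 * unexpected retransmitted frame) would result in clearing
++		 * the TX/RX sequence number which can break security, so must
++		 * not allow that to happen.
++		 */
++		wpa_printf(MSG_INFO, "TDLS: TPK-TK for the peer " MACSTR
++			   " has already been configured to the driver - do not reconfigure",
++			   MAC2STR(peer->addr));
++		return -1;
++	}
++
+ 	os_memset(rsc, 0, 6);
+ 
+ 	switch (peer->cipher) {
+@@ -209,12 +224,15 @@ static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
+ 		return -1;
+ 	}
+ 
++	wpa_printf(MSG_DEBUG, "TDLS: Configure pairwise key for peer " MACSTR,
++		   MAC2STR(peer->addr));
+ 	if (wpa_sm_set_key(sm, alg, peer->addr, -1, 1,
+ 			   rsc, sizeof(rsc), peer->tpk.tk, key_len) < 0) {
+ 		wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the "
+ 			   "driver");
+ 		return -1;
+ 	}
++	peer->tk_set = 1;
+ 	return 0;
+ }
+ 
+@@ -696,7 +714,7 @@ static void wpa_tdls_peer_clear(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
+ 	peer->cipher = 0;
+ 	peer->qos_info = 0;
+ 	peer->wmm_capable = 0;
+-	peer->tpk_set = peer->tpk_success = 0;
++	peer->tk_set = peer->tpk_set = peer->tpk_success = 0;
+ 	peer->chan_switch_enabled = 0;
+ 	os_memset(&peer->tpk, 0, sizeof(peer->tpk));
+ 	os_memset(peer->inonce, 0, WPA_NONCE_LEN);
+@@ -1159,6 +1177,7 @@ skip_rsnie:
+ 		wpa_tdls_peer_free(sm, peer);
+ 		return -1;
+ 	}
++	peer->tk_set = 0; /* A new nonce results in a new TK */
+ 	wpa_hexdump(MSG_DEBUG, "TDLS: Initiator Nonce for TPK handshake",
+ 		    peer->inonce, WPA_NONCE_LEN);
+ 	os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
+@@ -1751,6 +1770,19 @@ static int wpa_tdls_addset_peer(struct wpa_sm *sm, struct wpa_tdls_peer *peer,
+ }
+ 
+ 
++static int tdls_nonce_set(const u8 *nonce)
++{
++	int i;
++
++	for (i = 0; i < WPA_NONCE_LEN; i++) {
++		if (nonce[i])
++			return 1;
++	}
++
++	return 0;
++}
++
++
+ static int wpa_tdls_process_tpk_m1(struct wpa_sm *sm, const u8 *src_addr,
+ 				   const u8 *buf, size_t len)
+ {
+@@ -2004,7 +2036,8 @@ skip_rsn:
+ 	peer->rsnie_i_len = kde.rsn_ie_len;
+ 	peer->cipher = cipher;
+ 
+-	if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) {
++	if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0 ||
++	    !tdls_nonce_set(peer->inonce)) {
+ 		/*
+ 		 * There is no point in updating the RNonce for every obtained
+ 		 * TPK M1 frame (e.g., retransmission due to timeout) with the
+@@ -2020,6 +2053,7 @@ skip_rsn:
+ 				"TDLS: Failed to get random data for responder nonce");
+ 			goto error;
+ 		}
++		peer->tk_set = 0; /* A new nonce results in a new TK */
+ 	}
+ 
+ #if 0
+-- 
+2.7.4
+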