Don't install a zeroed encryption key: https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt Patch copied from upstream: https://w1.fi/security/2017-1/rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch From 8f82bc94e8697a9d47fa8774dfdaaede1084912c Mon Sep 17 00:00:00 2001 From: Mathy Vanhoef Date: Fri, 29 Sep 2017 04:22:51 +0200 Subject: [PATCH 4/8] Prevent installation of an all-zero TK Properly track whether a PTK has already been installed to the driver and the TK part cleared from memory. This prevents an attacker from trying to trick the client into installing an all-zero TK. This fixes the earlier fix in commit ad00d64e7d8827b3cebd665a0ceb08adabf15e1e ('Fix TK configuration to the driver in EAPOL-Key 3/4 retry case') which did not take into account possibility of an extra message 1/4 showing up between retries of message 3/4. Signed-off-by: Mathy Vanhoef --- src/common/wpa_common.h | 1 + src/rsn_supp/wpa.c | 5 ++--- src/rsn_supp/wpa_i.h | 1 - 3 files changed, 3 insertions(+), 4 deletions(-) diff --git a/src/common/wpa_common.h b/src/common/wpa_common.h index d200285..1021ccb 100644 --- a/src/common/wpa_common.h +++ b/src/common/wpa_common.h @@ -215,6 +215,7 @@ struct wpa_ptk { size_t kck_len; size_t kek_len; size_t tk_len; + int installed; /* 1 if key has already been installed to driver */ }; struct wpa_gtk { diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c index 7a2c68d..0550a41 100644 --- a/src/rsn_supp/wpa.c +++ b/src/rsn_supp/wpa.c @@ -510,7 +510,6 @@ static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm, os_memset(buf, 0, sizeof(buf)); } sm->tptk_set = 1; - sm->tk_to_set = 1; kde = sm->assoc_wpa_ie; kde_len = sm->assoc_wpa_ie_len; @@ -615,7 +614,7 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm, enum wpa_alg alg; const u8 *key_rsc; - if (!sm->tk_to_set) { + if (sm->ptk.installed) { wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Do not re-install same PTK to the driver"); return 0; @@ -659,7 +658,7 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm, /* TK is not needed anymore in supplicant */ os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN); - sm->tk_to_set = 0; + sm->ptk.installed = 1; if (sm->wpa_ptk_rekey) { eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL); diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h index 9a54631..41f371f 100644 --- a/src/rsn_supp/wpa_i.h +++ b/src/rsn_supp/wpa_i.h @@ -24,7 +24,6 @@ struct wpa_sm { struct wpa_ptk ptk, tptk; int ptk_set, tptk_set; unsigned int msg_3_of_4_ok:1; - unsigned int tk_to_set:1; u8 snonce[WPA_NONCE_LEN]; u8 anonce[WPA_NONCE_LEN]; /* ANonce from the last 1/4 msg */ int renew_snonce; -- 2.7.4 lass='msg-tooltip'>This is a followup to 64a070717c3de32332201df5d6d2d52a7f99dce9. * tests/guix-describe.sh: Add trailing slash when checking URL. Ludovic Courtès