projects / librecmc / librecmc.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Fixes:
[librecmc/librecmc.git] / package / network / services / hostapd / patches / 008-Prevent-installation-of-an-all-zero-TK.patch
diff --git a/package/network/services/hostapd/patches/008-Prevent-installation-of-an-all-zero-TK.patch b/package/network/services/hostapd/patches/008-Prevent-installation-of-an-all-zero-TK.patch
new file mode 100644 (file)
index 0000000..e0f1773
--- /dev/null
+++ b/package/network/services/hostapd/patches/008-Prevent-installation-of-an-all-zero-TK.patch
@@ -0,0 +1,65 @@
+From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
+Date: Fri, 29 Sep 2017 04:22:51 +0200
+Subject: [PATCH] Prevent installation of an all-zero TK
+
+Properly track whether a PTK has already been installed to the driver
+and the TK part cleared from memory. This prevents an attacker from
+trying to trick the client into installing an all-zero TK.
+
+This fixes the earlier fix in commit
+ad00d64e7d8827b3cebd665a0ceb08adabf15e1e ('Fix TK configuration to the
+driver in EAPOL-Key 3/4 retry case') which did not take into account
+possibility of an extra message 1/4 showing up between retries of
+message 3/4.
+
+Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
+---
+
+--- a/src/common/wpa_common.h
++++ b/src/common/wpa_common.h
+@@ -205,6 +205,7 @@ struct wpa_ptk {
+       size_t kck_len;
+       size_t kek_len;
+       size_t tk_len;
++      int installed; /* 1 if key has already been installed to driver */
+ };
+ struct wpa_gtk {
+--- a/src/rsn_supp/wpa.c
++++ b/src/rsn_supp/wpa.c
+@@ -581,7 +581,6 @@ static void wpa_supplicant_process_1_of_
+               os_memset(buf, 0, sizeof(buf));
+       }
+       sm->tptk_set = 1;
+-      sm->tk_to_set = 1;
+       kde = sm->assoc_wpa_ie;
+       kde_len = sm->assoc_wpa_ie_len;
+@@ -686,7 +685,7 @@ static int wpa_supplicant_install_ptk(st
+       enum wpa_alg alg;
+       const u8 *key_rsc;
+-      if (!sm->tk_to_set) {
++      if (sm->ptk.installed) {
+               wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
+                       "WPA: Do not re-install same PTK to the driver");
+               return 0;
+@@ -730,7 +729,7 @@ static int wpa_supplicant_install_ptk(st
+       /* TK is not needed anymore in supplicant */
+       os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
+-      sm->tk_to_set = 0;
++      sm->ptk.installed = 1;
+       if (sm->wpa_ptk_rekey) {
+               eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
+--- a/src/rsn_supp/wpa_i.h
++++ b/src/rsn_supp/wpa_i.h
+@@ -24,7 +24,6 @@ struct wpa_sm {
+       struct wpa_ptk ptk, tptk;
+       int ptk_set, tptk_set;
+       unsigned int msg_3_of_4_ok:1;
+-      unsigned int tk_to_set:1;
+       u8 snonce[WPA_NONCE_LEN];
+       u8 anonce[WPA_NONCE_LEN]; /* ANonce from the last 1/4 msg */
+       int renew_snonce;