
From 8f82bc94e8697a9d47fa8774dfdaaede1084912c Mon Sep 17 00:00:00 2001
From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
Date: Fri, 29 Sep 2017 04:22:51 +0200
Subject: [PATCH 4/8] Prevent installation of an all-zero TK
Properly track whether a PTK has already been installed to the driver
and the TK part cleared from memory. This prevents an attacker from
trying to trick the client into installing an all-zero TK.
This fixes the earlier fix in commit
ad00d64e7d8827b3cebd665a0ceb08adabf15e1e ('Fix TK configuration to the
driver in EAPOL-Key 3/4 retry case') which did not take into account
possibility of an extra message 1/4 showing up between retries of
message 3/4.
Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
---
 src/common/wpa_common.h | 1 +
 src/rsn_supp/wpa.c      | 5 ++---
 src/rsn_supp/wpa_i.h    | 1 -
 3 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/src/common/wpa_common.h b/src/common/wpa_common.h
index d200285..1021ccb 100644
--- a/src/common/wpa_common.h
+++ b/src/common/wpa_common.h
@@ -215,6 +215,7 @@ struct wpa_ptk {
 	size_t kck_len;
 	size_t kek_len;
 	size_t tk_len;
+	int installed; /* 1 if key has already been installed to driver */
 };
 
 struct wpa_gtk {
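Review bot: The comment on the new `installed` field describes only half of what the flag now stands for: the reader in wpa_supplicant_install_ptk treats it as "the key went to the driver and `tk` has since been wiped from `sm->ptk`", which is exactly why a second install must be refused. Suggest `int installed; /* 1 if key has been installed to driver and tk cleared from memory */` so the zeroed-key meaning is visible at the declaration. It would also help to state where the flag is expected to return to 0 (presumably when a fresh PTK is derived into `tptk`), since no hunk in this patch clears it explicitly. struct wpa_ptk begins outside the hunk.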
diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
index 7a2c68d..0550a41 100644
--- a/src/rsn_supp/wpa.c
+++ b/src/rsn_supp/wpa.c
@@ -510,7 +510,6 @@ static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm,
 		os_memset(buf, 0, sizeof(buf));
 	}
 	sm->tptk_set = 1;
-	sm->tk_to_set = 1;
 
 	kde = sm->assoc_wpa_ie;
 	kde_len = sm->assoc_wpa_ie_len;
@@ -615,7 +614,7 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm,
 	enum wpa_alg alg;
 	const u8 *key_rsc;
 
-	if (!sm->tk_to_set) {
+	if (sm->ptk.installed) {
 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
 			"WPA: Do not re-install same PTK to the driver");
 		return 0;
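Review bot: `sm->ptk.installed` is only ever set to 1 in this patch (here it is read, and the next wpa.c hunk writes `sm->ptk.installed = 1;`), and no visible hunk clears it, so the guard depends on the fresh `tptk` derived in wpa_supplicant_process_1_of_4 starting with `installed == 0` and later being copied over `sm->ptk` when message 3/4 is accepted. If the derivation path writes only the key material and does not zero the whole `struct wpa_ptk`, a re-derived key would inherit the stale flag and silently never reach the driver, which is a denial-of-service rather than a key-reuse risk but still worth pinning down; an explicit `sm->tptk.installed = 0;` next to `sm->tptk_set = 1;` in the first wpa.c hunk would make the reset independent of that assumption. The direction of the check itself is right for the threat in the commit message: once `tk` has been wiped, refusing a second install is what keeps an all-zero key from being configured on a retransmitted message 3/4. wpa_supplicant_install_ptk begins outside the hunk.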
@@ -659,7 +658,7 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm,
 
 	/* TK is not needed anymore in supplicant */
 	os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
-	sm->tk_to_set = 0;
+	sm->ptk.installed = 1;
 
 	if (sm->wpa_ptk_rekey) {
 		eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h
index 9a54631..41f371f 100644
--- a/src/rsn_supp/wpa_i.h
+++ b/src/rsn_supp/wpa_i.h
@@ -24,7 +24,6 @@ struct wpa_sm {
 	struct wpa_ptk ptk, tptk;
 	int ptk_set, tptk_set;
 	unsigned int msg_3_of_4_ok:1;
-	unsigned int tk_to_set:1;
 	u8 snonce[WPA_NONCE_LEN];
 	u8 anonce[WPA_NONCE_LEN]; /* ANonce from the last 1/4 msg */
 	int renew_snonce;
-- 
2.7.4