
From 3e34cfdff6b192fe337c6fb3f487f73e96582961 Mon Sep 17 00:00:00 2001
From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
Date: Sun, 15 Jul 2018 01:25:53 +0200
Subject: [PATCH] WPA: Ignore unauthenticated encrypted EAPOL-Key data
Ignore unauthenticated encrypted EAPOL-Key data in supplicant
processing. When using WPA2, these are frames that have the Encrypted
flag set, but not the MIC flag.
When using WPA2, EAPOL-Key frames that had the Encrypted flag set but
not the MIC flag, had their data field decrypted without first verifying
the MIC. In case the data field was encrypted using RC4 (i.e., when
negotiating TKIP as the pairwise cipher), this meant that
unauthenticated but decrypted data would then be processed. An adversary
could abuse this as a decryption oracle to recover sensitive information
in the data field of EAPOL-Key messages (e.g., the group key).
(CVE-2018-14526)
Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
---
 src/rsn_supp/wpa.c | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff -upr wpa_supplicant-2.6.orig/src/rsn_supp/wpa.c wpa_supplicant-2.6/src/rsn_supp/wpa.c
--- wpa_supplicant-2.6.orig/src/rsn_supp/wpa.c	2016-10-02 21:51:11.000000000 +0300
+++ wpa_supplicant-2.6/src/rsn_supp/wpa.c	2018-08-08 16:55:11.506831029 +0300
@@ -2016,6 +2016,17 @@ int wpa_sm_rx_eapol(struct wpa_sm *sm, c
 
 	if ((sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) &&
 	    (key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
+		/*
+		 * Only decrypt the Key Data field if the frame's authenticity
+		 * was verified. When using AES-SIV (FILS), the MIC flag is not
+		 * set, so this check should only be performed if mic_len != 0
+		 * which is the case in this code branch.
+		 */
+		if (!(key_info & WPA_KEY_INFO_MIC)) {
+			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
+				"WPA: Ignore EAPOL-Key with encrypted but unauthenticated data");
+			goto out;
+		}
 		if (wpa_supplicant_decrypt_key_data(sm, key, ver, key_data,
 						    &key_data_len))
 			goto out;
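Review bot: The added comment justifies the check with "mic_len != 0 which is the case in this code branch", but the enclosing condition visible in this 2.6 backport tests only the protocol and WPA_KEY_INFO_ENCR_KEY_DATA, and no mic_len or FILS/AES-SIV handling appears in the hunk's context, so the comment appears to be carried over from a newer tree and should be reworded to match what this branch actually guarantees. The guard itself is a flag test, so it is only sound if the MIC verification earlier in wpa_sm_rx_eapol (outside this hunk) has already rejected frames whose MIC flag is set but whose MIC is invalid; that dependency is worth stating explicitly, e.g. `/* Key Data may only be decrypted after the MIC was verified above; a frame with the Encrypted flag but no MIC flag is unauthenticated and is dropped here. */`. Separately, the new wpa_msg at MSG_WARNING fires once per frame that reaches this path, and such frames are by definition unauthenticated, so a lower severity or rate limiting may be preferable to avoid log noise from spoofed EAPOL-Key frames. wpa_sm_rx_eapol begins and ends outside this hunk.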