diff options
| author | Leonardo Arena <rnalrd@alpinelinux.org> | 2017-10-17 12:48:53 +0000 |
|---|---|---|
| committer | Leonardo Arena <rnalrd@alpinelinux.org> | 2017-10-17 12:49:30 +0000 |
| commit | a274bb496caede406362dbb9deecc5b6e9a6b1a2 (patch) | |
| tree | c6fadf48d5338765c4537b449d2607e77e00bdb4 /main/hostapd/0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch | |
| parent | 8be842a2d4f2ec289ddafe05e6aa27e39cfe4804 (diff) | |
| download | aports-a274bb496caede406362dbb9deecc5b6e9a6b1a2.tar.bz2 aports-a274bb496caede406362dbb9deecc5b6e9a6b1a2.tar.xz | |
main/hostapd: security fixes
- CVE-2017-13077
- CVE-2017-13078
- CVE-2017-13079
- CVE-2017-13080
- CVE-2017-13081
- CVE-2017-13082
- CVE-2017-13084 (not applicable)
- CVE-2017-13086
- CVE-2017-13087
- CVE-2017-13088
https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
Diffstat (limited to 'main/hostapd/0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch')
| -rw-r--r-- | main/hostapd/0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch | 64 |
1 files changed, 64 insertions, 0 deletions
diff --git a/main/hostapd/0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch b/main/hostapd/0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch new file mode 100644 index 0000000000..c19c4c7102 --- /dev/null +++ b/main/hostapd/0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch @@ -0,0 +1,64 @@ +From 12fac09b437a1dc8a0f253e265934a8aaf4d2f8b Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <j@w1.fi> +Date: Sun, 1 Oct 2017 12:32:57 +0300 +Subject: [PATCH 5/8] Fix PTK rekeying to generate a new ANonce + +The Authenticator state machine path for PTK rekeying ended up bypassing +the AUTHENTICATION2 state where a new ANonce is generated when going +directly to the PTKSTART state since there is no need to try to +determine the PMK again in such a case. This is far from ideal since the +new PTK would depend on a new nonce only from the supplicant. + +Fix this by generating a new ANonce when moving to the PTKSTART state +for the purpose of starting new 4-way handshake to rekey PTK. + +Signed-off-by: Jouni Malinen <j@w1.fi> +--- + src/ap/wpa_auth.c | 24 +++++++++++++++++++++--- + 1 file changed, 21 insertions(+), 3 deletions(-) + +diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c +index 707971d..bf10cc1 100644 +--- a/src/ap/wpa_auth.c ++++ b/src/ap/wpa_auth.c +@@ -1901,6 +1901,21 @@ SM_STATE(WPA_PTK, AUTHENTICATION2) + } + + ++static int wpa_auth_sm_ptk_update(struct wpa_state_machine *sm) ++{ ++ if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) { ++ wpa_printf(MSG_ERROR, ++ "WPA: Failed to get random data for ANonce"); ++ sm->Disconnect = TRUE; ++ return -1; ++ } ++ wpa_hexdump(MSG_DEBUG, "WPA: Assign new ANonce", sm->ANonce, ++ WPA_NONCE_LEN); ++ sm->TimeoutCtr = 0; ++ return 0; ++} ++ ++ + SM_STATE(WPA_PTK, INITPMK) + { + u8 msk[2 * PMK_LEN]; +@@ -2458,9 +2473,12 @@ SM_STEP(WPA_PTK) + SM_ENTER(WPA_PTK, AUTHENTICATION); + else if (sm->ReAuthenticationRequest) + SM_ENTER(WPA_PTK, AUTHENTICATION2); +- else if (sm->PTKRequest) +- SM_ENTER(WPA_PTK, PTKSTART); +- else switch (sm->wpa_ptk_state) { ++ else if (sm->PTKRequest) { ++ if (wpa_auth_sm_ptk_update(sm) < 0) ++ SM_ENTER(WPA_PTK, DISCONNECTED); ++ else ++ SM_ENTER(WPA_PTK, PTKSTART); ++ } else switch (sm->wpa_ptk_state) { + case WPA_PTK_INITIALIZE: + break; + case WPA_PTK_DISCONNECT: +-- +2.7.4 + |