Generate random ANonce instead of one based on Counter
index d1b9b4d2f0f822b338e3a0c49b9006c6d346f893..1d942a445935e66a579b7d992bc8399853517600 100644 (file)
@@ -1641,10 +1641,23 @@ SM_STATE(WPA_PTK, AUTHENTICATION2)
 
        wpa_group_ensure_init(sm->wpa_auth, sm->group);
 
-       os_memcpy(sm->ANonce, sm->group->Counter, WPA_NONCE_LEN);
+       /*
+        * Definition of ANonce selection in IEEE Std 802.11i-2004 is somewhat
+        * ambiguous. The Authenticator state machine uses a counter that is
+        * incremented by one for each 4-way handshake. However, the security
+        * analysis of 4-way handshake points out that unpredictable nonces
+        * help in preventing precomputation attacks. Instead of the state
+        * machine definition, use an unpredictable nonce value here to provide
+        * stronger protection against potential precomputation attacks.
+        */
+       if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
+               wpa_printf(MSG_ERROR, "WPA: Failed to get random data for "
+                          "ANonce.");
+               wpa_sta_disconnect(sm->wpa_auth, sm->addr);
+               return;
+       }
        wpa_hexdump(MSG_DEBUG, "WPA: Assign ANonce", sm->ANonce,
                    WPA_NONCE_LEN);
-       inc_byte_array(sm->group->Counter, WPA_NONCE_LEN);
        sm->ReAuthenticationRequest = FALSE;
        /* IEEE 802.11i does not clear TimeoutCtr here, but this is more
         * logical place than INITIALIZE since AUTHENTICATION2 can be
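Review bot: The early return after the random_get_bytes() failure leaves whatever was already in sm->ANonce (a stale nonce from an earlier handshake, or a partially written buffer) in place, and nothing in the hunk records that the wpa_sta_disconnect() call is what keeps that value from ever reaching a 4-way handshake. A one-line comment above the disconnect would make the intent explicit: `/* Never continue with a stale or partial ANonce; drop the association instead. */`. It is also worth confirming that sm remains valid after wpa_sta_disconnect() returns, since the enclosing SM_STATE body continues outside the visible lines and the surrounding state-machine step is not shown here. As a point of style, the message split across two literals, `"WPA: Failed to get random data for " "ANonce."`, could be a single literal so the full text is grep-able.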