From: Jouni Malinen Date: Sun, 29 Oct 2017 15:13:54 +0000 (+0200) Subject: AP-side workaround for WNM-Sleep Mode GTK/IGTK reinstallation issues X-Git-Tag: hostap_2_7~936 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=348c93847a31ac99aa27f0dd0c47286e7014e962;p=thirdparty%2Fhostap.git AP-side workaround for WNM-Sleep Mode GTK/IGTK reinstallation issues Normally, WNM-Sleep Mode exit with management frame protection negotiated would result in the current GTK/IGTK getting added into the WNM-Sleep Mode Response frame. Some station implementations may have a vulnerability that results in GTK/IGTK reinstallation based on this frame being replayed. Add a new hostapd configuration parameter that can be used to disable that behavior and use EAPOL-Key frames for GTK/IGTK update instead. This would likely be only used with wpa_disable_eapol_key_retries=1 that enables a workaround for similar issues with EAPOL-Key. This is related to station side vulnerabilities CVE-2017-13087 and CVE-2017-13088. To enable this AP-side workaround, set wnm_sleep_mode_no_keys=1. Signed-off-by: Jouni Malinen
---
diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index e2a470c5b..2230c8fe2 100644
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -3293,6 +3293,8 @@ static int hostapd_config_fill(struct hostapd_config *conf,
 #ifdef CONFIG_WNM_AP
 } else if (os_strcmp(buf, "wnm_sleep_mode") == 0) {
 bss->wnm_sleep_mode = atoi(pos);
+ } else if (os_strcmp(buf, "wnm_sleep_mode_no_keys") == 0) {
+ bss->wnm_sleep_mode_no_keys = atoi(pos);
 } else if (os_strcmp(buf, "bss_transition") == 0) {
 bss->bss_transition = atoi(pos);
 #endif /* CONFIG_WNM_AP */
diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
index f5588551e..2cd8ae5fa 100644
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
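Review bot: Nothing in the parser ties the new wnm_sleep_mode_no_keys flag to wpa_disable_eapol_key_retries, even though the commit message says the former is only meant to be used together with the latter; with wnm_sleep_mode_no_keys=1 alone the GTK/IGTK presumably just move from the WNM-Sleep Mode Response into EAPOL-Key frames that are still retransmitted, so the replay exposure is relocated rather than removed. If hostapd has a per-BSS configuration validation pass (it is not visible in this hunk), a warning there along the lines of `if (bss->wnm_sleep_mode_no_keys && !<field for wpa_disable_eapol_key_retries>) wpa_printf(MSG_WARNING, "wnm_sleep_mode_no_keys=1 without wpa_disable_eapol_key_retries=1 leaves EAPOL-Key GTK retransmissions replayable");` would catch the half-configured case. The two parser lines themselves follow the file's existing atoi() convention for 0/1 flags, so I would leave them as they are. hostapd_config_fill begins and ends outside this hunk.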
@@ -1841,6 +1841,18 @@ own_ip_addr=127.0.0.1
 # 1 = enabled (allow stations to use WNM-Sleep Mode)
 #wnm_sleep_mode=1
 
+# WNM-Sleep Mode GTK/IGTK workaround
+# Normally, WNM-Sleep Mode exit with management frame protection negotiated
+# would result in the current GTK/IGTK getting added into the WNM-Sleep Mode
+# Response frame. Some station implementations may have a vulnerability that
+# results in GTK/IGTK reinstallation based on this frame being replayed. This
+# configuration parameter can be used to disable that behavior and use EAPOL-Key
+# frames for GTK/IGTK update instead. This would likely be only used with
+# wpa_disable_eapol_key_retries=1 that enables a workaround for similar issues
+# with EAPOL-Key. This is related to station side vulnerabilities CVE-2017-13087
+# and CVE-2017-13088. To enable this AP-side workaround, set the parameter to 1.
+#wnm_sleep_mode_no_keys=0
+
 # BSS Transition Management
 # 0 = disabled (default)
 # 1 = enabled
diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h
index 89bf2895e..6548892fb 100644
--- a/src/ap/ap_config.h
+++ b/src/ap/ap_config.h
@@ -479,6 +479,7 @@ struct hostapd_bss_config {
 int time_advertisement;
 char *time_zone;
 int wnm_sleep_mode;
+ int wnm_sleep_mode_no_keys;
 int bss_transition;
 
 /* IEEE 802.11u - Interworking */
diff --git a/src/ap/wnm_ap.c b/src/ap/wnm_ap.c
index bbc26a5a2..f0462829f 100644
--- a/src/ap/wnm_ap.c
+++ b/src/ap/wnm_ap.c
@@ -109,6 +109,7 @@ static int ieee802_11_send_wnmsleep_resp(struct hostapd_data *hapd,
 pos = (u8 *)mgmt->u.action.u.wnm_sleep_resp.variable;
 /* add key data if MFP is enabled */
 if (!wpa_auth_uses_mfp(sta->wpa_sm) ||
+ hapd->conf->wnm_sleep_mode_no_keys ||
 action_type != WNM_SLEEP_MODE_EXIT) {
 mgmt->u.action.u.wnm_sleep_resp.keydata_len = 0;
 } else {
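Review bot: The comment above the condition, `/* add key data if MFP is enabled */`, is no longer accurate once the new `hapd->conf->wnm_sleep_mode_no_keys` term is added: with the workaround enabled the frame carries no keys even though MFP is negotiated, which is exactly the case an operator debugging a station that never receives a GTK after sleep exit will need to see. I would change it to `/* add key data if MFP is enabled and the wnm_sleep_mode_no_keys workaround is not set; otherwise the GTK/IGTK are delivered with EAPOL-Key frames instead */`. The body of ieee802_11_send_wnmsleep_resp starts and ends outside this hunk.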
@@ -173,7 +174,8 @@ static int ieee802_11_send_wnmsleep_resp(struct hostapd_data *hapd,
 wpa_set_wnmsleep(sta->wpa_sm, 0);
 hostapd_drv_wnm_oper(hapd, WNM_SLEEP_EXIT_CONFIRM, addr,
 NULL, NULL);
- if (!wpa_auth_uses_mfp(sta->wpa_sm))
+ if (!wpa_auth_uses_mfp(sta->wpa_sm) ||
+ hapd->conf->wnm_sleep_mode_no_keys)
 wpa_wnmsleep_rekey_gtk(sta->wpa_sm);
 }
 } else
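Review bot: The new predicate on the rekey call, `!wpa_auth_uses_mfp(sta->wpa_sm) || hapd->conf->wnm_sleep_mode_no_keys`, is the complement of the condition the earlier hunk uses to decide whether the GTK/IGTK go into the response frame, and the two are now duplicated by hand in one function; if they ever drift apart a station exiting sleep could get the keys twice or, worse, get neither the in-frame keys nor an EAPOL-Key update and keep a stale GTK. I would factor the decision into one small static helper and call it from both places, keeping the `action_type != WNM_SLEEP_MODE_EXIT` check at the first call site where it belongs. The helper below assumes `sta` is a `struct sta_info *` as elsewhere in hostapd; its declaration is outside the hunk, as are the start and end of ieee802_11_send_wnmsleep_resp and the enclosing `if` whose `} else` closes this hunk.
```c
/* GTK/IGTK are carried in the WNM-Sleep Mode Response only when MFP
 * protects the frame and the wnm_sleep_mode_no_keys workaround is not
 * enabled; otherwise they are delivered with EAPOL-Key frames. */
static int wnmsleep_keys_in_frame(struct hostapd_data *hapd,
				  struct sta_info *sta)
{
	return wpa_auth_uses_mfp(sta->wpa_sm) &&
		!hapd->conf->wnm_sleep_mode_no_keys;
}

/* … unchanged: ieee802_11_send_wnmsleep_resp up to the exit-confirm path … */
		if (!wnmsleep_keys_in_frame(hapd, sta))
			wpa_wnmsleep_rekey_gtk(sta->wpa_sm);
```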