[people/pmueller/ipfire-2.x.git] / src / patches / wpa_supplicant / 0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch

From dc55ea1e483125145459ae1e55be3b95e6263302 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Fri, 22 Sep 2017 12:06:37 +0300
Subject: [PATCH 8/8] FT: Do not allow multiple Reassociation Response frames

The driver is expected to not report a second association event without
the station having explicitly request a new association. As such, this
case should not be reachable. However, since reconfiguring the same
pairwise or group keys to the driver could result in nonce reuse issues,
be extra careful here and do an additional state check to avoid this
even if the local driver ends up somehow accepting an unexpected
Reassociation Response frame.

Signed-off-by: Jouni Malinen <j@w1.fi>
---
 src/rsn_supp/wpa.c    | 3 +++
 src/rsn_supp/wpa_ft.c | 8 ++++++++
 src/rsn_supp/wpa_i.h  | 1 +
 3 files changed, 12 insertions(+)

diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
index cf9bf1c..ed467e6 100644
--- a/src/rsn_supp/wpa.c
+++ b/src/rsn_supp/wpa.c
@@ -2637,6 +2637,9 @@ void wpa_sm_notify_disassoc(struct wpa_sm *sm)
 #ifdef CONFIG_FILS
 	sm->fils_completed = 0;
 #endif /* CONFIG_FILS */
+#ifdef CONFIG_IEEE80211R
+	sm->ft_reassoc_completed = 0;
+#endif /* CONFIG_IEEE80211R */
 
 	/* Keys are not needed in the WPA state machine anymore */
 	wpa_sm_drop_sa(sm);
diff --git a/src/rsn_supp/wpa_ft.c b/src/rsn_supp/wpa_ft.c
index aeb7aff..1ff7afe 100644
--- a/src/rsn_supp/wpa_ft.c
+++ b/src/rsn_supp/wpa_ft.c
@@ -153,6 +153,7 @@ static u8 * wpa_ft_gen_req_ies(struct wpa_sm *sm, size_t *len,
 	u16 capab;
 
 	sm->ft_completed = 0;
+	sm->ft_reassoc_completed = 0;
 
 	buf_len = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) +
 		2 + sm->r0kh_id_len + ric_ies_len + 100;
@@ -687,6 +688,11 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies,
 		return -1;
 	}
 
+	if (sm->ft_reassoc_completed) {
+		wpa_printf(MSG_DEBUG, "FT: Reassociation has already been completed for this FT protocol instance - ignore unexpected retransmission");
+		return 0;
+	}
+
 	if (wpa_ft_parse_ies(ies, ies_len, &parse) < 0) {
 		wpa_printf(MSG_DEBUG, "FT: Failed to parse IEs");
 		return -1;
@@ -787,6 +793,8 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies,
 		return -1;
 	}
 
+	sm->ft_reassoc_completed = 1;
+
 	if (wpa_ft_process_gtk_subelem(sm, parse.gtk, parse.gtk_len) < 0)
 		return -1;
 
diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h
index 3b42245..148c654 100644
--- a/src/rsn_supp/wpa_i.h
+++ b/src/rsn_supp/wpa_i.h
@@ -128,6 +128,7 @@ struct wpa_sm {
 	size_t r0kh_id_len;
 	u8 r1kh_id[FT_R1KH_ID_LEN];
 	int ft_completed;
+	int ft_reassoc_completed;
 	int over_the_ds_in_progress;
 	u8 target_ap[ETH_ALEN]; /* over-the-DS target AP */
 	int set_ptk_after_assoc;
-- 
2.7.4
Commit	Line	Data
d7d57745 MT	1	From dc55ea1e483125145459ae1e55be3b95e6263302 Mon Sep 17 00:00:00 2001
	2	From: Jouni Malinen <j@w1.fi>
	3	Date: Fri, 22 Sep 2017 12:06:37 +0300
	4	Subject: [PATCH 8/8] FT: Do not allow multiple Reassociation Response frames
	5
	6	The driver is expected to not report a second association event without
	7	the station having explicitly request a new association. As such, this
	8	case should not be reachable. However, since reconfiguring the same
	9	pairwise or group keys to the driver could result in nonce reuse issues,
	10	be extra careful here and do an additional state check to avoid this
	11	even if the local driver ends up somehow accepting an unexpected
	12	Reassociation Response frame.
	13
	14	Signed-off-by: Jouni Malinen <j@w1.fi>
	15	---
	16	src/rsn_supp/wpa.c \| 3 +++
	17	src/rsn_supp/wpa_ft.c \| 8 ++++++++
	18	src/rsn_supp/wpa_i.h \| 1 +
	19	3 files changed, 12 insertions(+)
	20
	21	diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
	22	index cf9bf1c..ed467e6 100644
	23	--- a/src/rsn_supp/wpa.c
	24	+++ b/src/rsn_supp/wpa.c
	25	@@ -2637,6 +2637,9 @@ void wpa_sm_notify_disassoc(struct wpa_sm *sm)
	26	#ifdef CONFIG_FILS
	27	sm->fils_completed = 0;
	28	#endif /* CONFIG_FILS */
	29	+#ifdef CONFIG_IEEE80211R
	30	+ sm->ft_reassoc_completed = 0;
	31	+#endif /* CONFIG_IEEE80211R */
	32
	33	/* Keys are not needed in the WPA state machine anymore */
	34	wpa_sm_drop_sa(sm);
	35	diff --git a/src/rsn_supp/wpa_ft.c b/src/rsn_supp/wpa_ft.c
	36	index aeb7aff..1ff7afe 100644
	37	--- a/src/rsn_supp/wpa_ft.c
	38	+++ b/src/rsn_supp/wpa_ft.c
	39	@@ -153,6 +153,7 @@ static u8 * wpa_ft_gen_req_ies(struct wpa_sm sm, size_t len,
	40	u16 capab;
	41
	42	sm->ft_completed = 0;
	43	+ sm->ft_reassoc_completed = 0;
	44
	45	buf_len = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) +
	46	2 + sm->r0kh_id_len + ric_ies_len + 100;
	47	@@ -687,6 +688,11 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm sm, const u8 ies,
	48	return -1;
	49	}
	50
	51	+ if (sm->ft_reassoc_completed) {
	52	+ wpa_printf(MSG_DEBUG, "FT: Reassociation has already been completed for this FT protocol instance - ignore unexpected retransmission");
	53	+ return 0;
	54	+ }
	55	+
	56	if (wpa_ft_parse_ies(ies, ies_len, &parse) < 0) {
	57	wpa_printf(MSG_DEBUG, "FT: Failed to parse IEs");
	58	return -1;
	59	@@ -787,6 +793,8 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm sm, const u8 ies,
	60	return -1;
	61	}
	62
	63	+ sm->ft_reassoc_completed = 1;
	64	+
65	if (wpa_ft_process_gtk_subelem(sm, parse.gtk, parse.gtk_len) < 0)
66	return -1;
67
68	diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h
69	index 3b42245..148c654 100644
70	--- a/src/rsn_supp/wpa_i.h
71	+++ b/src/rsn_supp/wpa_i.h
72	@@ -128,6 +128,7 @@ struct wpa_sm {
73	size_t r0kh_id_len;
74	u8 r1kh_id[FT_R1KH_ID_LEN];
75	int ft_completed;
76	+ int ft_reassoc_completed;
77	int over_the_ds_in_progress;
78	u8 target_ap[ETH_ALEN]; /* over-the-DS target AP */
79	int set_ptk_after_assoc;
80	--
81	2.7.4
82