1. 16 Oct, 2017 9 commits
    • Merge branch 'security' into 'master' · 16fcb731
      Security issues
      See merge request !6
      Slava Monich authored
    • FT: Do not allow multiple Reassociation Response frames · 2a6e857b
      The driver is expected to not report a second association event without
      the station having explicitly request a new association. As such, this
      case should not be reachable. However, since reconfiguring the same
      pairwise or group keys to the driver could result in nonce reuse issues,
      be extra careful here and do an additional state check to avoid this
      even if the local driver ends up somehow accepting an unexpected
      Reassociation Response frame.
      Signed-off-by: 's avatarJouni Malinen <j@w1.fi>
      Jouni Malinen authored
    • WNM: Ignore WNM-Sleep Mode Response without pending request · 62da8057
      Commit 03ed0a52393710be6bdae657d1b36efa146520e5 ('WNM: Ignore WNM-Sleep
      Mode Response if WNM-Sleep Mode has not been used') started ignoring the
      response when no WNM-Sleep Mode Request had been used during the
      association. This can be made tighter by clearing the used flag when
      successfully processing a response. This adds an additional layer of
      protection against unexpected retransmissions of the response frame.
      Signed-off-by: 's avatarJouni Malinen <j@w1.fi>
      Jouni Malinen authored
    • TDLS: Reject TPK-TK reconfiguration · 5a199e33
      Do not try to reconfigure the same TPK-TK to the driver after it has
      been successfully configured. This is an explicit check to avoid issues
      related to resetting the TX/RX packet number. There was already a check
      for this for TPK M2 (retries of that message are ignored completely), so
      that behavior does not get modified.
      For TPK M3, the TPK-TK could have been reconfigured, but that was
      followed by immediate teardown of the link due to an issue in updating
      the STA entry. Furthermore, for TDLS with any real security (i.e.,
      ignoring open/WEP), the TPK message exchange is protected on the AP path
      and simple replay attacks are not feasible.
      As an additional corner case, make sure the local nonce gets updated if
      the peer uses a very unlikely "random nonce" of all zeros.
      Signed-off-by: 's avatarJouni Malinen <j@w1.fi>
      Jouni Malinen authored
    • Fix PTK rekeying to generate a new ANonce · 43eb080d
      The Authenticator state machine path for PTK rekeying ended up bypassing
      the AUTHENTICATION2 state where a new ANonce is generated when going
      directly to the PTKSTART state since there is no need to try to
      determine the PMK again in such a case. This is far from ideal since the
      new PTK would depend on a new nonce only from the supplicant.
      Fix this by generating a new ANonce when moving to the PTKSTART state
      for the purpose of starting new 4-way handshake to rekey PTK.
      Signed-off-by: 's avatarJouni Malinen <j@w1.fi>
      Jouni Malinen authored
    • Prevent installation of an all-zero TK · 2e161791
      Properly track whether a PTK has already been installed to the driver
      and the TK part cleared from memory. This prevents an attacker from
      trying to trick the client into installing an all-zero TK.
      This fixes the earlier fix in commit
      ad00d64e7d8827b3cebd665a0ceb08adabf15e1e ('Fix TK configuration to the
      driver in EAPOL-Key 3/4 retry case') which did not take into account
      possibility of an extra message 1/4 showing up between retries of
      message 3/4.
      Signed-off-by: 's avatarMathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
      Mathy Vanhoef authored
    • Extend protection of GTK/IGTK reinstallation of WNM-Sleep Mode cases · 9fc4f965
      This extends the protection to track last configured GTK/IGTK value
      separately from EAPOL-Key frames and WNM-Sleep Mode frames to cover a
      corner case where these two different mechanisms may get used when the
      GTK/IGTK has changed and tracking a single value is not sufficient to
      detect a possible key reconfiguration.
      Signed-off-by: 's avatarJouni Malinen <j@w1.fi>
      Jouni Malinen authored
    • Prevent reinstallation of an already in-use group key · a3fae9a7
      Track the current GTK and IGTK that is in use and when receiving a
      (possibly retransmitted) Group Message 1 or WNM-Sleep Mode Response, do
      not install the given key if it is already in use. This prevents an
      attacker from trying to trick the client into resetting or lowering the
      sequence counter associated to the group key.
      Signed-off-by: 's avatarMathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
      Mathy Vanhoef authored
    • hostapd: Avoid key reinstallation in FT handshake · 2f2ab4ae
      Do not reinstall TK to the driver during Reassociation Response frame
      processing if the first attempt of setting the TK succeeded. This avoids
      issues related to clearing the TX/RX PN that could result in reusing
      same PN values for transmitted frames (e.g., due to CCM nonce reuse and
      also hitting replay protection on the receiver) and accepting replayed
      frames on RX side.
      This issue was introduced by the commit
      0e84c25434e6a1f283c7b4e62e483729085b78d2 ('FT: Fix PTK configuration in
      authenticator') which allowed wpa_ft_install_ptk() to be called multiple
      times with the same PTK. While the second configuration attempt is
      needed with some drivers, it must be done only if the first attempt
      Signed-off-by: 's avatarMathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
      Mathy Vanhoef authored
  2. 05 Apr, 2017 1 commit
  3. 04 Apr, 2017 1 commit
  4. 17 Jan, 2017 1 commit
  5. 16 Jan, 2017 28 commits