pkgsrc-Changes archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

CVS commit: [pkgsrc-2017Q3] pkgsrc/net/wpa_supplicant



Module Name:    pkgsrc
Committed By:   spz
Date:           Tue Oct 17 05:47:37 UTC 2017

Modified Files:
        pkgsrc/net/wpa_supplicant [pkgsrc-2017Q3]: Makefile distinfo
Added Files:
        pkgsrc/net/wpa_supplicant/patches [pkgsrc-2017Q3]:
            patch-src_ap_ieee802__11.c patch-src_ap_wpa__auth.c
            patch-src_ap_wpa__auth.h patch-src_ap_wpa__auth__ft.c
            patch-src_ap_wpa__auth__i.h patch-src_common_wpa__common.h
            patch-src_rsn__supp_tdls.c patch-src_rsn__supp_wpa.c
            patch-src_rsn__supp_wpa__ft.c patch-src_rsn__supp_wpa__i.h
            patch-wpa__supplicant_wnm__sta.c

Log Message:
Pullup ticket #5578 - requested by maya
net/wpa_supplicant: security patch

Revisions pulled up:
- net/wpa_supplicant/Makefile                                   1.18
- net/wpa_supplicant/distinfo                                   1.10
- net/wpa_supplicant/patches/patch-src_ap_ieee802__11.c         1.1
- net/wpa_supplicant/patches/patch-src_ap_wpa__auth.c           1.1
- net/wpa_supplicant/patches/patch-src_ap_wpa__auth.h           1.1
- net/wpa_supplicant/patches/patch-src_ap_wpa__auth__ft.c       1.1
- net/wpa_supplicant/patches/patch-src_ap_wpa__auth__i.h        1.1
- net/wpa_supplicant/patches/patch-src_common_wpa__common.h     1.1
- net/wpa_supplicant/patches/patch-src_rsn__supp_tdls.c         1.1
- net/wpa_supplicant/patches/patch-src_rsn__supp_wpa.c          1.1
- net/wpa_supplicant/patches/patch-src_rsn__supp_wpa__ft.c      1.1
- net/wpa_supplicant/patches/patch-src_rsn__supp_wpa__i.h       1.1
- net/wpa_supplicant/patches/patch-wpa__supplicant_wnm__sta.c   1.1

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   maya
   Date:           Mon Oct 16 10:26:21 UTC 2017

   Modified Files:
           pkgsrc/net/wpa_supplicant: Makefile distinfo
   Added Files:
           pkgsrc/net/wpa_supplicant/patches: patch-src_ap_ieee802__11.c
               patch-src_ap_wpa__auth.c patch-src_ap_wpa__auth.h
               patch-src_ap_wpa__auth__ft.c patch-src_ap_wpa__auth__i.h
               patch-src_common_wpa__common.h patch-src_rsn__supp_tdls.c
               patch-src_rsn__supp_wpa.c patch-src_rsn__supp_wpa__ft.c
               patch-src_rsn__supp_wpa__i.h patch-wpa__supplicant_wnm__sta.c

   Log Message:
   wpa_supplicant: apply upstream patch for security advisory

   Patches from Juoni Malinen and Mathy Vanhoef.

   Fixes:
   - CVE-2017-13077
   - CVE-2017-13078
   - CVE-2017-13079
   - CVE-2017-13080
   - CVE-2017-13081
   - CVE-2017-13082
   - CVE-2017-13086
   - CVE-2017-13087
   - CVE-2017-13088

   Tested by leot, thanks!

   Subject: [PATCH 1/8] hostapd: Avoid key reinstallation in FT handshake

   Do not reinstall TK to the driver during Reassociation Response frame
   processing if the first attempt of setting the TK succeeded. This avoids
   issues related to clearing the TX/RX PN that could result in reusing
   same PN values for transmitted frames (e.g., due to CCM nonce reuse and
   also hitting replay protection on the receiver) and accepting replayed
   frames on RX side.

   This issue was introduced by the commit
   0e84c25434e6a1f283c7b4e62e483729085b78d2 ('FT: Fix PTK configuration in
   authenticator') which allowed wpa_ft_install_ptk() to be called multiple
   times with the same PTK. While the second configuration attempt is
   needed with some drivers, it must be done only if the first attempt
   failed.

   Subject: [PATCH 2/8] Prevent reinstallation of an already in-use group key

   Track the current GTK and IGTK that is in use and when receiving a
   (possibly retransmitted) Group Message 1 or WNM-Sleep Mode Response, do
   not install the given key if it is already in use. This prevents an
   attacker from trying to trick the client into resetting or lowering the
   sequence counter associated to the group key.

   Subject: [PATCH 3/8] Extend protection of GTK/IGTK reinstallation of WNM-Sleep
    Mode cases

   This extends the protection to track last configured GTK/IGTK value
   separately from EAPOL-Key frames and WNM-Sleep Mode frames to cover a
   corner case where these two different mechanisms may get used when the
   GTK/IGTK has changed and tracking a single value is not sufficient to
   detect a possible key reconfiguration.

   Subject: [PATCH 4/8] Prevent installation of an all-zero TK

   Properly track whether a PTK has already been installed to the driver
   and the TK part cleared from memory. This prevents an attacker from
   trying to trick the client into installing an all-zero TK.

   This fixes the earlier fix in commit
   ad00d64e7d8827b3cebd665a0ceb08adabf15e1e ('Fix TK configuration to the
   driver in EAPOL-Key 3/4 retry case') which did not take into account
   possibility of an extra message 1/4 showing up between retries of
   message 3/4.

   Subject: [PATCH 5/8] Fix PTK rekeying to generate a new ANonce

   The Authenticator state machine path for PTK rekeying ended up bypassing
   the AUTHENTICATION2 state where a new ANonce is generated when going
   directly to the PTKSTART state since there is no need to try to
   determine the PMK again in such a case. This is far from ideal since the
   new PTK would depend on a new nonce only from the supplicant.

   Fix this by generating a new ANonce when moving to the PTKSTART state
   for the purpose of starting new 4-way handshake to rekey PTK.

   Subject: [PATCH 6/8] TDLS: Reject TPK-TK reconfiguration

   Do not try to reconfigure the same TPK-TK to the driver after it has
   been successfully configured. This is an explicit check to avoid issues
   related to resetting the TX/RX packet number. There was already a check
   for this for TPK M2 (retries of that message are ignored completely), so
   that behavior does not get modified.

   For TPK M3, the TPK-TK could have been reconfigured, but that was
   followed by immediate teardown of the link due to an issue in updating
   the STA entry. Furthermore, for TDLS with any real security (i.e.,
   ignoring open/WEP), the TPK message exchange is protected on the AP path
   and simple replay attacks are not feasible.

   As an additional corner case, make sure the local nonce gets updated if
   the peer uses a very unlikely "random nonce" of all zeros.

   Subject: [PATCH 7/8] WNM: Ignore WNM-Sleep Mode Response without pending
    request

   Commit 03ed0a52393710be6bdae657d1b36efa146520e5 ('WNM: Ignore WNM-Sleep
   Mode Response if WNM-Sleep Mode has not been used') started ignoring the
   response when no WNM-Sleep Mode Request had been used during the
   association. This can be made tighter by clearing the used flag when
   successfully processing a response. This adds an additional layer of
   protection against unexpected retransmissions of the response frame.

   Subject: [PATCH 8/8] FT: Do not allow multiple Reassociation Response frames

   The driver is expected to not report a second association event without
   the station having explicitly request a new association. As such, this
   case should not be reachable. However, since reconfiguring the same
   pairwise or group keys to the driver could result in nonce reuse issues,
   be extra careful here and do an additional state check to avoid this
   even if the local driver ends up somehow accepting an unexpected
   Reassociation Response frame.

   To generate a diff of this commit:
   cvs rdiff -u -r1.17 -r1.18 pkgsrc/net/wpa_supplicant/Makefile
   cvs rdiff -u -r1.9 -r1.10 pkgsrc/net/wpa_supplicant/distinfo
   cvs rdiff -u -r0 -r1.1 \
       pkgsrc/net/wpa_supplicant/patches/patch-src_ap_ieee802__11.c \
       pkgsrc/net/wpa_supplicant/patches/patch-src_ap_wpa__auth.c \
       pkgsrc/net/wpa_supplicant/patches/patch-src_ap_wpa__auth.h \
       pkgsrc/net/wpa_supplicant/patches/patch-src_ap_wpa__auth__ft.c \
       pkgsrc/net/wpa_supplicant/patches/patch-src_ap_wpa__auth__i.h \
       pkgsrc/net/wpa_supplicant/patches/patch-src_common_wpa__common.h \
       pkgsrc/net/wpa_supplicant/patches/patch-src_rsn__supp_tdls.c \
       pkgsrc/net/wpa_supplicant/patches/patch-src_rsn__supp_wpa.c \
       pkgsrc/net/wpa_supplicant/patches/patch-src_rsn__supp_wpa__ft.c \
       pkgsrc/net/wpa_supplicant/patches/patch-src_rsn__supp_wpa__i.h \
       pkgsrc/net/wpa_supplicant/patches/patch-wpa__supplicant_wnm__sta.c


To generate a diff of this commit:
cvs rdiff -u -r1.17 -r1.17.10.1 pkgsrc/net/wpa_supplicant/Makefile
cvs rdiff -u -r1.9 -r1.9.10.1 pkgsrc/net/wpa_supplicant/distinfo
cvs rdiff -u -r0 -r1.1.2.2 \
    pkgsrc/net/wpa_supplicant/patches/patch-src_ap_ieee802__11.c \
    pkgsrc/net/wpa_supplicant/patches/patch-src_ap_wpa__auth.c \
    pkgsrc/net/wpa_supplicant/patches/patch-src_ap_wpa__auth.h \
    pkgsrc/net/wpa_supplicant/patches/patch-src_ap_wpa__auth__ft.c \
    pkgsrc/net/wpa_supplicant/patches/patch-src_ap_wpa__auth__i.h \
    pkgsrc/net/wpa_supplicant/patches/patch-src_common_wpa__common.h \
    pkgsrc/net/wpa_supplicant/patches/patch-src_rsn__supp_tdls.c \
    pkgsrc/net/wpa_supplicant/patches/patch-src_rsn__supp_wpa.c \
    pkgsrc/net/wpa_supplicant/patches/patch-src_rsn__supp_wpa__ft.c \
    pkgsrc/net/wpa_supplicant/patches/patch-src_rsn__supp_wpa__i.h \
    pkgsrc/net/wpa_supplicant/patches/patch-wpa__supplicant_wnm__sta.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/net/wpa_supplicant/Makefile
diff -u pkgsrc/net/wpa_supplicant/Makefile:1.17 pkgsrc/net/wpa_supplicant/Makefile:1.17.10.1
--- pkgsrc/net/wpa_supplicant/Makefile:1.17     Wed Nov 16 15:07:34 2016
+++ pkgsrc/net/wpa_supplicant/Makefile  Tue Oct 17 05:47:37 2017
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.17 2016/11/16 15:07:34 maya Exp $
+# $NetBSD: Makefile,v 1.17.10.1 2017/10/17 05:47:37 spz Exp $
 #
 
 DISTNAME=      wpa_supplicant-2.6
+PKGREVISION=   1
 CATEGORIES=    net
 MASTER_SITES=  http://hostap.epitest.fi/releases/
 

Index: pkgsrc/net/wpa_supplicant/distinfo
diff -u pkgsrc/net/wpa_supplicant/distinfo:1.9 pkgsrc/net/wpa_supplicant/distinfo:1.9.10.1
--- pkgsrc/net/wpa_supplicant/distinfo:1.9      Wed Nov 16 15:07:34 2016
+++ pkgsrc/net/wpa_supplicant/distinfo  Tue Oct 17 05:47:37 2017
@@ -1,7 +1,18 @@
-$NetBSD: distinfo,v 1.9 2016/11/16 15:07:34 maya Exp $
+$NetBSD: distinfo,v 1.9.10.1 2017/10/17 05:47:37 spz Exp $
 
 SHA1 (wpa_supplicant-2.6.tar.gz) = 8189704e257c3e9f8300c49dc6e49a381b1d6299
 RMD160 (wpa_supplicant-2.6.tar.gz) = 2fb26394d22ac3acde2d9d7c6543af8eaac9c55a
 SHA512 (wpa_supplicant-2.6.tar.gz) = 46442cddb6ca043b8b08d143908f149954c238e0f3a57a0df73ca4fab9c1acd91b078f3f26375a1d99cd1d65625986328018c735d8705882c8f91e389cad28a6
 Size (wpa_supplicant-2.6.tar.gz) = 2753524 bytes
 SHA1 (patch-aa) = 998ba9cc4ef9ebd0b629a6368957da0f1159dda0
+SHA1 (patch-src_ap_ieee802__11.c) = 8edce32847c55e0ac49b395b2aa5f370c6055bd5
+SHA1 (patch-src_ap_wpa__auth.c) = 2631770dfe42fba748ab4be4174998fff30e1f24
+SHA1 (patch-src_ap_wpa__auth.h) = 8e44f75449e656a710747a8cd581ff9d05c5eff6
+SHA1 (patch-src_ap_wpa__auth__ft.c) = ed4a15b05c46bb88ce9bf597c65088311fa47852
+SHA1 (patch-src_ap_wpa__auth__i.h) = f33a5214d0c8071f7eed9dd5fd67b6b32f0e856c
+SHA1 (patch-src_common_wpa__common.h) = 853adbcf1749d7ccd80feeb4aa6aa8ba8ac0a7e8
+SHA1 (patch-src_rsn__supp_tdls.c) = b695b8096661894e8e473ccb09386c33a8353a45
+SHA1 (patch-src_rsn__supp_wpa.c) = 4a4d966e68481eef76e7323e3d69c4c5bf8e6432
+SHA1 (patch-src_rsn__supp_wpa__ft.c) = c48b83ee5e10289d21ac3310ab92684dc69bdced
+SHA1 (patch-src_rsn__supp_wpa__i.h) = f2c9260cf6bdf59493f9870fbedc0d4e0881b641
+SHA1 (patch-wpa__supplicant_wnm__sta.c) = 818b9fcabeac9d3c6ced075a5a804b34c0d56774

Added files:

Index: pkgsrc/net/wpa_supplicant/patches/patch-src_ap_ieee802__11.c
diff -u /dev/null pkgsrc/net/wpa_supplicant/patches/patch-src_ap_ieee802__11.c:1.1.2.2
--- /dev/null   Tue Oct 17 05:47:37 2017
+++ pkgsrc/net/wpa_supplicant/patches/patch-src_ap_ieee802__11.c        Tue Oct 17 05:47:37 2017
@@ -0,0 +1,46 @@
+$NetBSD: patch-src_ap_ieee802__11.c,v 1.1.2.2 2017/10/17 05:47:37 spz Exp $
+
+--- src/ap/ieee802_11.c.orig   2016-10-02 18:51:11.000000000 +0000
++++ src/ap/ieee802_11.c
+@@ -1841,6 +1841,7 @@ static int add_associated_sta(struct hos
+ {
+       struct ieee80211_ht_capabilities ht_cap;
+       struct ieee80211_vht_capabilities vht_cap;
++      int set = 1;
+ 
+       /*
+        * Remove the STA entry to ensure the STA PS state gets cleared and
+@@ -1848,9 +1849,18 @@ static int add_associated_sta(struct hos
+        * FT-over-the-DS, where a station re-associates back to the same AP but
+        * skips the authentication flow, or if working with a driver that
+        * does not support full AP client state.
++       *
++       * Skip this if the STA has already completed FT reassociation and the
++       * TK has been configured since the TX/RX PN must not be reset to 0 for
++       * the same key.
+        */
+-      if (!sta->added_unassoc)
++      if (!sta->added_unassoc &&
++          (!(sta->flags & WLAN_STA_AUTHORIZED) ||
++           !wpa_auth_sta_ft_tk_already_set(sta->wpa_sm))) {
+               hostapd_drv_sta_remove(hapd, sta->addr);
++              wpa_auth_sm_event(sta->wpa_sm, WPA_DRV_STA_REMOVED);
++              set = 0;
++      }
+ 
+ #ifdef CONFIG_IEEE80211N
+       if (sta->flags & WLAN_STA_HT)
+@@ -1873,11 +1883,11 @@ static int add_associated_sta(struct hos
+                           sta->flags & WLAN_STA_VHT ? &vht_cap : NULL,
+                           sta->flags | WLAN_STA_ASSOC, sta->qosinfo,
+                           sta->vht_opmode, sta->p2p_ie ? 1 : 0,
+-                          sta->added_unassoc)) {
++                          set)) {
+               hostapd_logger(hapd, sta->addr,
+                              HOSTAPD_MODULE_IEEE80211, HOSTAPD_LEVEL_NOTICE,
+                              "Could not %s STA to kernel driver",
+-                             sta->added_unassoc ? "set" : "add");
++                             set ? "set" : "add");
+ 
+               if (sta->added_unassoc) {
+                       hostapd_drv_sta_remove(hapd, sta->addr);
Index: pkgsrc/net/wpa_supplicant/patches/patch-src_ap_wpa__auth.c
diff -u /dev/null pkgsrc/net/wpa_supplicant/patches/patch-src_ap_wpa__auth.c:1.1.2.2
--- /dev/null   Tue Oct 17 05:47:37 2017
+++ pkgsrc/net/wpa_supplicant/patches/patch-src_ap_wpa__auth.c  Tue Oct 17 05:47:37 2017
@@ -0,0 +1,42 @@
+$NetBSD: patch-src_ap_wpa__auth.c,v 1.1.2.2 2017/10/17 05:47:37 spz Exp $
+
+--- src/ap/wpa_auth.c.orig     2017-10-16 10:06:59.832697934 +0000
++++ src/ap/wpa_auth.c
+@@ -1901,6 +1901,21 @@ SM_STATE(WPA_PTK, AUTHENTICATION2)
+ }
+ 
+ 
++static int wpa_auth_sm_ptk_update(struct wpa_state_machine *sm)
++{
++      if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
++              wpa_printf(MSG_ERROR,
++                         "WPA: Failed to get random data for ANonce");
++              sm->Disconnect = TRUE;
++              return -1;
++      }
++      wpa_hexdump(MSG_DEBUG, "WPA: Assign new ANonce", sm->ANonce,
++                  WPA_NONCE_LEN);
++      sm->TimeoutCtr = 0;
++      return 0;
++}
++
++
+ SM_STATE(WPA_PTK, INITPMK)
+ {
+       u8 msk[2 * PMK_LEN];
+@@ -2458,9 +2473,12 @@ SM_STEP(WPA_PTK)
+               SM_ENTER(WPA_PTK, AUTHENTICATION);
+       else if (sm->ReAuthenticationRequest)
+               SM_ENTER(WPA_PTK, AUTHENTICATION2);
+-      else if (sm->PTKRequest)
+-              SM_ENTER(WPA_PTK, PTKSTART);
+-      else switch (sm->wpa_ptk_state) {
++      else if (sm->PTKRequest) {
++              if (wpa_auth_sm_ptk_update(sm) < 0)
++                      SM_ENTER(WPA_PTK, DISCONNECTED);
++              else
++                      SM_ENTER(WPA_PTK, PTKSTART);
++      } else switch (sm->wpa_ptk_state) {
+       case WPA_PTK_INITIALIZE:
+               break;
+       case WPA_PTK_DISCONNECT:
Index: pkgsrc/net/wpa_supplicant/patches/patch-src_ap_wpa__auth.h
diff -u /dev/null pkgsrc/net/wpa_supplicant/patches/patch-src_ap_wpa__auth.h:1.1.2.2
--- /dev/null   Tue Oct 17 05:47:37 2017
+++ pkgsrc/net/wpa_supplicant/patches/patch-src_ap_wpa__auth.h  Tue Oct 17 05:47:37 2017
@@ -0,0 +1,21 @@
+$NetBSD: patch-src_ap_wpa__auth.h,v 1.1.2.2 2017/10/17 05:47:37 spz Exp $
+
+--- src/ap/wpa_auth.h.orig     2016-10-02 18:51:11.000000000 +0000
++++ src/ap/wpa_auth.h
+@@ -267,7 +267,7 @@ void wpa_receive(struct wpa_authenticato
+                u8 *data, size_t data_len);
+ enum wpa_event {
+       WPA_AUTH, WPA_ASSOC, WPA_DISASSOC, WPA_DEAUTH, WPA_REAUTH,
+-      WPA_REAUTH_EAPOL, WPA_ASSOC_FT
++      WPA_REAUTH_EAPOL, WPA_ASSOC_FT, WPA_DRV_STA_REMOVED
+ };
+ void wpa_remove_ptk(struct wpa_state_machine *sm);
+ int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event);
+@@ -280,6 +280,7 @@ int wpa_auth_pairwise_set(struct wpa_sta
+ int wpa_auth_get_pairwise(struct wpa_state_machine *sm);
+ int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm);
+ int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm);
++int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm);
+ int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm,
+                            struct rsn_pmksa_cache_entry *entry);
+ struct rsn_pmksa_cache_entry *
Index: pkgsrc/net/wpa_supplicant/patches/patch-src_ap_wpa__auth__ft.c
diff -u /dev/null pkgsrc/net/wpa_supplicant/patches/patch-src_ap_wpa__auth__ft.c:1.1.2.2
--- /dev/null   Tue Oct 17 05:47:37 2017
+++ pkgsrc/net/wpa_supplicant/patches/patch-src_ap_wpa__auth__ft.c      Tue Oct 17 05:47:37 2017
@@ -0,0 +1,35 @@
+$NetBSD: patch-src_ap_wpa__auth__ft.c,v 1.1.2.2 2017/10/17 05:47:37 spz Exp $
+
+--- src/ap/wpa_auth_ft.c.orig  2016-10-02 18:51:11.000000000 +0000
++++ src/ap/wpa_auth_ft.c
+@@ -780,6 +780,14 @@ void wpa_ft_install_ptk(struct wpa_state
+               return;
+       }
+ 
++      if (sm->tk_already_set) {
++              /* Must avoid TK reconfiguration to prevent clearing of TX/RX
++               * PN in the driver */
++              wpa_printf(MSG_DEBUG,
++                         "FT: Do not re-install same PTK to the driver");
++              return;
++      }
++
+       /* FIX: add STA entry to kernel/driver here? The set_key will fail
+        * most likely without this.. At the moment, STA entry is added only
+        * after association has been completed. This function will be called
+@@ -792,6 +800,7 @@ void wpa_ft_install_ptk(struct wpa_state
+ 
+       /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */
+       sm->pairwise_set = TRUE;
++      sm->tk_already_set = TRUE;
+ }
+ 
+ 
+@@ -898,6 +907,7 @@ static int wpa_ft_process_auth_req(struc
+ 
+       sm->pairwise = pairwise;
+       sm->PTK_valid = TRUE;
++      sm->tk_already_set = FALSE;
+       wpa_ft_install_ptk(sm);
+ 
+       buflen = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) +
Index: pkgsrc/net/wpa_supplicant/patches/patch-src_ap_wpa__auth__i.h
diff -u /dev/null pkgsrc/net/wpa_supplicant/patches/patch-src_ap_wpa__auth__i.h:1.1.2.2
--- /dev/null   Tue Oct 17 05:47:37 2017
+++ pkgsrc/net/wpa_supplicant/patches/patch-src_ap_wpa__auth__i.h       Tue Oct 17 05:47:37 2017
@@ -0,0 +1,12 @@
+$NetBSD: patch-src_ap_wpa__auth__i.h,v 1.1.2.2 2017/10/17 05:47:37 spz Exp $
+
+--- src/ap/wpa_auth_i.h.orig   2016-10-02 18:51:11.000000000 +0000
++++ src/ap/wpa_auth_i.h
+@@ -65,6 +65,7 @@ struct wpa_state_machine {
+       struct wpa_ptk PTK;
+       Boolean PTK_valid;
+       Boolean pairwise_set;
++      Boolean tk_already_set;
+       int keycount;
+       Boolean Pair;
+       struct wpa_key_replay_counter {
Index: pkgsrc/net/wpa_supplicant/patches/patch-src_common_wpa__common.h
diff -u /dev/null pkgsrc/net/wpa_supplicant/patches/patch-src_common_wpa__common.h:1.1.2.2
--- /dev/null   Tue Oct 17 05:47:37 2017
+++ pkgsrc/net/wpa_supplicant/patches/patch-src_common_wpa__common.h    Tue Oct 17 05:47:37 2017
@@ -0,0 +1,12 @@
+$NetBSD: patch-src_common_wpa__common.h,v 1.1.2.2 2017/10/17 05:47:37 spz Exp $
+
+--- src/common/wpa_common.h.orig       2016-10-02 18:51:11.000000000 +0000
++++ src/common/wpa_common.h
+@@ -215,6 +215,7 @@ struct wpa_ptk {
+       size_t kck_len;
+       size_t kek_len;
+       size_t tk_len;
++      int installed; /* 1 if key has already been installed to driver */
+ };
+ 
+ 
Index: pkgsrc/net/wpa_supplicant/patches/patch-src_rsn__supp_tdls.c
diff -u /dev/null pkgsrc/net/wpa_supplicant/patches/patch-src_rsn__supp_tdls.c:1.1.2.2
--- /dev/null   Tue Oct 17 05:47:37 2017
+++ pkgsrc/net/wpa_supplicant/patches/patch-src_rsn__supp_tdls.c        Tue Oct 17 05:47:37 2017
@@ -0,0 +1,104 @@
+$NetBSD: patch-src_rsn__supp_tdls.c,v 1.1.2.2 2017/10/17 05:47:37 spz Exp $
+
+--- src/rsn_supp/tdls.c.orig   2016-10-02 18:51:11.000000000 +0000
++++ src/rsn_supp/tdls.c
+@@ -112,6 +112,7 @@ struct wpa_tdls_peer {
+               u8 tk[16]; /* TPK-TK; assuming only CCMP will be used */
+       } tpk;
+       int tpk_set;
++      int tk_set; /* TPK-TK configured to the driver */
+       int tpk_success;
+       int tpk_in_progress;
+ 
+@@ -192,6 +193,20 @@ static int wpa_tdls_set_key(struct wpa_s
+       u8 rsc[6];
+       enum wpa_alg alg;
+ 
++      if (peer->tk_set) {
++              /*
++               * This same TPK-TK has already been configured to the driver
++               * and this new configuration attempt (likely due to an
++               * unexpected retransmitted frame) would result in clearing
++               * the TX/RX sequence number which can break security, so must
++               * not allow that to happen.
++               */
++              wpa_printf(MSG_INFO, "TDLS: TPK-TK for the peer " MACSTR
++                         " has already been configured to the driver - do not reconfigure",
++                         MAC2STR(peer->addr));
++              return -1;
++      }
++
+       os_memset(rsc, 0, 6);
+ 
+       switch (peer->cipher) {
+@@ -209,12 +224,15 @@ static int wpa_tdls_set_key(struct wpa_s
+               return -1;
+       }
+ 
++      wpa_printf(MSG_DEBUG, "TDLS: Configure pairwise key for peer " MACSTR,
++                 MAC2STR(peer->addr));
+       if (wpa_sm_set_key(sm, alg, peer->addr, -1, 1,
+                          rsc, sizeof(rsc), peer->tpk.tk, key_len) < 0) {
+               wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the "
+                          "driver");
+               return -1;
+       }
++      peer->tk_set = 1;
+       return 0;
+ }
+ 
+@@ -696,7 +714,7 @@ static void wpa_tdls_peer_clear(struct w
+       peer->cipher = 0;
+       peer->qos_info = 0;
+       peer->wmm_capable = 0;
+-      peer->tpk_set = peer->tpk_success = 0;
++      peer->tk_set = peer->tpk_set = peer->tpk_success = 0;
+       peer->chan_switch_enabled = 0;
+       os_memset(&peer->tpk, 0, sizeof(peer->tpk));
+       os_memset(peer->inonce, 0, WPA_NONCE_LEN);
+@@ -1159,6 +1177,7 @@ skip_rsnie:
+               wpa_tdls_peer_free(sm, peer);
+               return -1;
+       }
++      peer->tk_set = 0; /* A new nonce results in a new TK */
+       wpa_hexdump(MSG_DEBUG, "TDLS: Initiator Nonce for TPK handshake",
+                   peer->inonce, WPA_NONCE_LEN);
+       os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
+@@ -1751,6 +1770,19 @@ static int wpa_tdls_addset_peer(struct w
+ }
+ 
+ 
++static int tdls_nonce_set(const u8 *nonce)
++{
++      int i;
++
++      for (i = 0; i < WPA_NONCE_LEN; i++) {
++              if (nonce[i])
++                      return 1;
++      }
++
++      return 0;
++}
++
++
+ static int wpa_tdls_process_tpk_m1(struct wpa_sm *sm, const u8 *src_addr,
+                                  const u8 *buf, size_t len)
+ {
+@@ -2004,7 +2036,8 @@ skip_rsn:
+       peer->rsnie_i_len = kde.rsn_ie_len;
+       peer->cipher = cipher;
+ 
+-      if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) {
++      if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0 ||
++          !tdls_nonce_set(peer->inonce)) {
+               /*
+                * There is no point in updating the RNonce for every obtained
+                * TPK M1 frame (e.g., retransmission due to timeout) with the
+@@ -2020,6 +2053,7 @@ skip_rsn:
+                               "TDLS: Failed to get random data for responder nonce");
+                       goto error;
+               }
++              peer->tk_set = 0; /* A new nonce results in a new TK */
+       }
+ 
+ #if 0
Index: pkgsrc/net/wpa_supplicant/patches/patch-src_rsn__supp_wpa.c
diff -u /dev/null pkgsrc/net/wpa_supplicant/patches/patch-src_rsn__supp_wpa.c:1.1.2.2
--- /dev/null   Tue Oct 17 05:47:37 2017
+++ pkgsrc/net/wpa_supplicant/patches/patch-src_rsn__supp_wpa.c Tue Oct 17 05:47:37 2017
@@ -0,0 +1,14 @@
+$NetBSD: patch-src_rsn__supp_wpa.c,v 1.1.2.2 2017/10/17 05:47:37 spz Exp $
+
+--- src/rsn_supp/wpa.c.orig    2017-10-16 10:07:14.696331509 +0000
++++ src/rsn_supp/wpa.c
+@@ -2440,6 +2440,9 @@ void wpa_sm_notify_disassoc(struct wpa_s
+ #ifdef CONFIG_TDLS
+       wpa_tdls_disassoc(sm);
+ #endif /* CONFIG_TDLS */
++#ifdef CONFIG_IEEE80211R
++      sm->ft_reassoc_completed = 0;
++#endif /* CONFIG_IEEE80211R */
+ 
+       /* Keys are not needed in the WPA state machine anymore */
+       wpa_sm_drop_sa(sm);
Index: pkgsrc/net/wpa_supplicant/patches/patch-src_rsn__supp_wpa__ft.c
diff -u /dev/null pkgsrc/net/wpa_supplicant/patches/patch-src_rsn__supp_wpa__ft.c:1.1.2.2
--- /dev/null   Tue Oct 17 05:47:37 2017
+++ pkgsrc/net/wpa_supplicant/patches/patch-src_rsn__supp_wpa__ft.c     Tue Oct 17 05:47:37 2017
@@ -0,0 +1,33 @@
+$NetBSD: patch-src_rsn__supp_wpa__ft.c,v 1.1.2.2 2017/10/17 05:47:37 spz Exp $
+
+--- src/rsn_supp/wpa_ft.c.orig 2016-10-02 18:51:11.000000000 +0000
++++ src/rsn_supp/wpa_ft.c
+@@ -153,6 +153,7 @@ static u8 * wpa_ft_gen_req_ies(struct wp
+       u16 capab;
+ 
+       sm->ft_completed = 0;
++      sm->ft_reassoc_completed = 0;
+ 
+       buf_len = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) +
+               2 + sm->r0kh_id_len + ric_ies_len + 100;
+@@ -681,6 +682,11 @@ int wpa_ft_validate_reassoc_resp(struct 
+               return -1;
+       }
+ 
++      if (sm->ft_reassoc_completed) {
++              wpa_printf(MSG_DEBUG, "FT: Reassociation has already been completed for this FT protocol instance - ignore unexpected retransmission");
++              return 0;
++      }
++
+       if (wpa_ft_parse_ies(ies, ies_len, &parse) < 0) {
+               wpa_printf(MSG_DEBUG, "FT: Failed to parse IEs");
+               return -1;
+@@ -781,6 +787,8 @@ int wpa_ft_validate_reassoc_resp(struct 
+               return -1;
+       }
+ 
++      sm->ft_reassoc_completed = 1;
++
+       if (wpa_ft_process_gtk_subelem(sm, parse.gtk, parse.gtk_len) < 0)
+               return -1;
+ 
Index: pkgsrc/net/wpa_supplicant/patches/patch-src_rsn__supp_wpa__i.h
diff -u /dev/null pkgsrc/net/wpa_supplicant/patches/patch-src_rsn__supp_wpa__i.h:1.1.2.2
--- /dev/null   Tue Oct 17 05:47:37 2017
+++ pkgsrc/net/wpa_supplicant/patches/patch-src_rsn__supp_wpa__i.h      Tue Oct 17 05:47:37 2017
@@ -0,0 +1,12 @@
+$NetBSD: patch-src_rsn__supp_wpa__i.h,v 1.1.2.2 2017/10/17 05:47:37 spz Exp $
+
+--- src/rsn_supp/wpa_i.h.orig  2017-10-16 10:07:14.696977884 +0000
++++ src/rsn_supp/wpa_i.h
+@@ -128,6 +128,7 @@ struct wpa_sm {
+       size_t r0kh_id_len;
+       u8 r1kh_id[FT_R1KH_ID_LEN];
+       int ft_completed;
++      int ft_reassoc_completed;
+       int over_the_ds_in_progress;
+       u8 target_ap[ETH_ALEN]; /* over-the-DS target AP */
+       int set_ptk_after_assoc;
Index: pkgsrc/net/wpa_supplicant/patches/patch-wpa__supplicant_wnm__sta.c
diff -u /dev/null pkgsrc/net/wpa_supplicant/patches/patch-wpa__supplicant_wnm__sta.c:1.1.2.2
--- /dev/null   Tue Oct 17 05:47:37 2017
+++ pkgsrc/net/wpa_supplicant/patches/patch-wpa__supplicant_wnm__sta.c  Tue Oct 17 05:47:37 2017
@@ -0,0 +1,22 @@
+$NetBSD: patch-wpa__supplicant_wnm__sta.c,v 1.1.2.2 2017/10/17 05:47:37 spz Exp $
+
+--- wpa_supplicant/wnm_sta.c.orig      2016-10-02 18:51:11.000000000 +0000
++++ wpa_supplicant/wnm_sta.c
+@@ -260,7 +260,7 @@ static void ieee802_11_rx_wnmsleep_resp(
+ 
+       if (!wpa_s->wnmsleep_used) {
+               wpa_printf(MSG_DEBUG,
+-                         "WNM: Ignore WNM-Sleep Mode Response frame since WNM-Sleep Mode has not been used in this association");
++                         "WNM: Ignore WNM-Sleep Mode Response frame since WNM-Sleep Mode operation has not been requested");
+               return;
+       }
+ 
+@@ -299,6 +299,8 @@ static void ieee802_11_rx_wnmsleep_resp(
+               return;
+       }
+ 
++      wpa_s->wnmsleep_used = 0;
++
+       if (wnmsleep_ie->status == WNM_STATUS_SLEEP_ACCEPT ||
+           wnmsleep_ie->status == WNM_STATUS_SLEEP_EXIT_ACCEPT_GTK_UPDATE) {
+               wpa_printf(MSG_DEBUG, "Successfully recv WNM-Sleep Response "



Home | Main Index | Thread Index | Old Index