KRACK backports for 1.0 / Debian LTS

Message ID 878tfxlgqq.fsf@angela.anarc.at
State Not Applicable
Series KRACK backports for 1.0 / Debian LTS

Commit Message

Antoine Beaupré Oct. 26, 2017, 9:51 p.m. UTC
Hi,

I finalized a backport and review of the KRACK patchset against ancient
wpa code, for the Debian LTS project, which ships a modified version of
the 1.0 release. I wasn't able to track a tag or commit in the hostapd
repository that matches the code in LTS, so unfortunately those are
synthetic patches that are not directly derived from git, even though
they have headers that may look as such.

Those patches are derived from the patchset shipped in Debian
"oldstable" (jessie, wpa 2.3) as part of the coordinated release,
towards "oldoldstable" (wheezy, LTS, wpa 1.0).

https://anonscm.debian.org/cgit/collab-maint/wpa.git/tree/debian/patches/2017-1?h=debian/jessie

permalink:
https://anonscm.debian.org/cgit/collab-maint/wpa.git/tree/debian/patches/2017-1?h=debian/2.3-1%2bdeb8u5&id=5f6f0abe2bc946b23b7c679a921501bc8a17c0d7

I submit those patches here for review before an upload in Debian LTS,
but I hope those can also be useful for other providers and distributors
that ship older versions of WPA and cannot upgrade them in any practical
way.

I hope that anyone using those patches or testing the resulting binaries
will report back here (or privately) their results. My knowledge of
WPA is somewhat limited in time and depth, so I hope some more
experienced developers can look at the patchset and confirm the approach
is correct.

As I previously mentioned, I have some concerns regarding the resulting
patchset:

https://lists.debian.org/debian-lts/2017/10/msg00081.html

After a more thorough review, I am confident that removing patches 3, 6,
7 and 8 is the correct approach, as WNM sleep support is completely
missing from 1.0. I am unsure, however, whether the nonce setup in patch
#5 is correct, considering how 1.0 was doing things. In the last chunk,
you'll notice I reset peer->tk_set to negotiate a new TK. The other
approach I considered was to backport 1380fcbd9f ("TDLS: Do not modify
RNonce for an TPK M1 frame with same INonce").

Updated binary and source debian packages are available for amd64 at the
following site:

https://people.debian.org/~anarcat/debian/wheezy-lts/

I'll upload i386, armel and armhf binaries as they are built.

Note that those differ from the ones posted on Monday slightly: I have
modified parts of the source code after a review, so be sure to review
this version and not the previous one if you already downloaded them.

Thanks for any feedback,

A.

Patch

From dda06c8255d189bc951d81c67d29c6a378a705ba Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Fri, 22 Sep 2017 12:06:37 +0300
Subject: [PATCH 09/10] FT: Do not allow multiple Reassociation Response frames

The driver is expected to not report a second association event without
the station having explicitly requested a new association. As such, this
case should not be reachable. However, since reconfiguring the same
pairwise or group keys to the driver could result in nonce reuse issues,
be extra careful here and do an additional state check to avoid this
even if the local driver ends up somehow accepting an unexpected
Reassociation Response frame.

Signed-off-by: Jouni Malinen <j@w1.fi>
---
 src/rsn_supp/wpa.c    | 3 +++
 src/rsn_supp/wpa_ft.c | 8 ++++++++
 src/rsn_supp/wpa_i.h  | 1 +
 3 files changed, 12 insertions(+)

diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
index 1c80bf7..6df5a5f 100644
--- a/src/rsn_supp/wpa.c
+++ b/src/rsn_supp/wpa.c
@@ -2236,6 +2236,9 @@  void wpa_sm_notify_disassoc(struct wpa_sm *sm)
 #ifdef CONFIG_TDLS
 	wpa_tdls_disassoc(sm);
 #endif /* CONFIG_TDLS */
+#ifdef CONFIG_IEEE80211R
+	sm->ft_reassoc_completed = 0;
+#endif /* CONFIG_IEEE80211R */
 }
 
 
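Review bot: Since the cover letter says these are synthetic patches against the 1.0 tree rather than cherry-picks, the context lines here (the CONFIG_TDLS block at the end of wpa_sm_notify_disassoc) should be checked against the actual LTS source before upload; if 1.0's wpa_sm_notify_disassoc has a different tail, the hunk will apply with fuzz or not at all and the reset of `sm->ft_reassoc_completed = 0;` on disassociation, which is what allows the next FT exchange after a disconnect, would silently go missing.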
diff --git a/src/rsn_supp/wpa_ft.c b/src/rsn_supp/wpa_ft.c
index 3b3c9d0..6d6dfab 100644
--- a/src/rsn_supp/wpa_ft.c
+++ b/src/rsn_supp/wpa_ft.c
@@ -156,6 +156,7 @@  static u8 * wpa_ft_gen_req_ies(struct wpa_sm *sm, size_t *len,
 	u16 capab;
 
 	sm->ft_completed = 0;
+	sm->ft_reassoc_completed = 0;
 
 	buf_len = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) +
 		2 + sm->r0kh_id_len + ric_ies_len + 100;
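Review bot: In this series the flag is cleared only here, next to `sm->ft_completed = 0;`, and in wpa_sm_notify_disassoc; any other code path in 1.0 that starts a fresh FT exchange without going through wpa_ft_gen_req_ies or a disassociation would leave `ft_reassoc_completed` set from the previous run and cause the new check in wpa_ft_validate_reassoc_resp to drop a legitimate Reassociation Response. Worth confirming that every FT entry point in the backported tree reaches this line, and adding a short comment stating that the two resets are intentionally paired with the check.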
@@ -687,6 +688,11 @@  int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies,
 		return -1;
 	}
 
+	if (sm->ft_reassoc_completed) {
+		wpa_printf(MSG_DEBUG, "FT: Reassociation has already been completed for this FT protocol instance - ignore unexpected retransmission");
+		return 0;
+	}
+
 	if (wpa_ft_parse_ies(ies, ies_len, &parse) < 0) {
 		wpa_printf(MSG_DEBUG, "FT: Failed to parse IEs");
 		return -1;
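Review bot: The early exit returns 0 rather than -1, which is the right choice for the stated goal (a retransmitted Reassociation Response must not trigger a second key installation, but it should not tear down the already completed association either); that reasoning is not obvious from the code, so a one-line comment next to the `return 0;` saying that success is returned deliberately without reinstalling keys would help anyone maintaining the backport. The placement after the earlier validation and before wpa_ft_parse_ies is fine, since it keeps the duplicate from ever reaching the PTK/GTK handling below.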
@@ -787,6 +793,8 @@  int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies,
 		return -1;
 	}
 
+	sm->ft_reassoc_completed = 1;
+
 	if (wpa_ft_process_gtk_subelem(sm, parse.gtk, parse.gtk_len) < 0)
 		return -1;
 
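Review bot: `sm->ft_reassoc_completed = 1;` is set before wpa_ft_process_gtk_subelem runs, so if GTK processing fails and the function returns -1, the flag stays set for this FT instance. That is acceptable from the nonce-reuse standpoint (a retry must not reinstall the same PTK), and the reset in wpa_sm_notify_disassoc covers the disconnect that follows a failed handshake, but a brief comment explaining why the flag is raised at this point rather than after the GTK/IGTK steps succeed would make the ordering clearly intentional.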
diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h
index b4885de..269e4df 100644
--- a/src/rsn_supp/wpa_i.h
+++ b/src/rsn_supp/wpa_i.h
@@ -122,6 +122,7 @@  struct wpa_sm {
 	size_t r0kh_id_len;
 	u8 r1kh_id[FT_R1KH_ID_LEN];
 	int ft_completed;
+	int ft_reassoc_completed;
 	int over_the_ds_in_progress;
 	u8 target_ap[ETH_ALEN]; /* over-the-DS target AP */
 	int set_ptk_after_assoc;
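Review bot: The new `int ft_reassoc_completed;` member is added without an #ifdef while its two users in wpa.c are wrapped in CONFIG_IEEE80211R; check whether the surrounding fields (`int ft_completed;`, `r1kh_id`) sit inside a CONFIG_IEEE80211R block in 1.0's wpa_i.h so the declaration and the guarded uses agree, and since the index line (b4885de) will not match the LTS file, verify the struct layout by hand. A trailing comment on the field, in the style of the `/* over-the-DS target AP */` line just below, would document its purpose.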
-- 
2.7.4