openwrtv3/package/network/services/hostapd/patches/011-Additional-consistentcy-checks-for-PTK-component-len.patch

From a6ea665300919d6a3af22b1f4237203647fda93a Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Tue, 17 Oct 2017 00:01:11 +0300
Subject: [PATCH] Additional consistentcy checks for PTK component lengths

Verify that TK, KCK, and KEK lengths are set to consistent values within
struct wpa_ptk before using them in supplicant. This is an additional
layer of protection against unexpected states.

Signed-off-by: Jouni Malinen <j@w1.fi>
---
 src/common/wpa_common.c |  6 ++++++
 src/rsn_supp/wpa.c      | 26 ++++++++++++++++++++------
 2 files changed, 26 insertions(+), 6 deletions(-)

--- a/src/common/wpa_common.c
+++ b/src/common/wpa_common.c
@@ -100,6 +100,12 @@ int wpa_eapol_key_mic(const u8 *key, siz
 {
 	u8 hash[SHA512_MAC_LEN];
 
+	if (key_len == 0) {
+		wpa_printf(MSG_DEBUG,
+			   "WPA: KCK not set - cannot calculate MIC");
+		return -1;
+	}
+
 	switch (ver) {
 #ifndef CONFIG_FIPS
 	case WPA_KEY_INFO_TYPE_HMAC_MD5_RC4:
--- a/src/rsn_supp/wpa.c
+++ b/src/rsn_supp/wpa.c
@@ -725,6 +725,11 @@ static int wpa_supplicant_install_ptk(st
 
 	alg = wpa_cipher_to_alg(sm->pairwise_cipher);
 	keylen = wpa_cipher_key_len(sm->pairwise_cipher);
+	if (keylen <= 0 || (unsigned int) keylen != sm->ptk.tk_len) {
+		wpa_printf(MSG_DEBUG, "WPA: TK length mismatch: %d != %lu",
+			   keylen, (long unsigned int) sm->ptk.tk_len);
+		return -1;
+	}
 	rsclen = wpa_cipher_rsc_len(sm->pairwise_cipher);
 
 	if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) {
@@ -745,6 +750,7 @@ static int wpa_supplicant_install_ptk(st
 
 	/* TK is not needed anymore in supplicant */
 	os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
+	sm->ptk.tk_len = 0;
 	sm->ptk.installed = 1;
 
 	if (sm->wpa_ptk_rekey) {
@@ -1717,9 +1723,10 @@ static int wpa_supplicant_verify_eapol_k
 	os_memcpy(mic, key + 1, mic_len);
 	if (sm->tptk_set) {
 		os_memset(key + 1, 0, mic_len);
-		wpa_eapol_key_mic(sm->tptk.kck, sm->tptk.kck_len, sm->key_mgmt,
-				  ver, buf, len, (u8 *) (key + 1));
-		if (os_memcmp_const(mic, key + 1, mic_len) != 0) {
+		if (wpa_eapol_key_mic(sm->tptk.kck, sm->tptk.kck_len,
+				      sm->key_mgmt,
+				      ver, buf, len, (u8 *) (key + 1)) < 0 ||
+		    os_memcmp_const(mic, key + 1, mic_len) != 0) {
 			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
 				"WPA: Invalid EAPOL-Key MIC "
 				"when using TPTK - ignoring TPTK");
@@ -1742,9 +1749,10 @@ static int wpa_supplicant_verify_eapol_k
 
 	if (!ok && sm->ptk_set) {
 		os_memset(key + 1, 0, mic_len);
-		wpa_eapol_key_mic(sm->ptk.kck, sm->ptk.kck_len, sm->key_mgmt,
-				  ver, buf, len, (u8 *) (key + 1));
-		if (os_memcmp_const(mic, key + 1, mic_len) != 0) {
+		if (wpa_eapol_key_mic(sm->ptk.kck, sm->ptk.kck_len,
+				      sm->key_mgmt,
+				      ver, buf, len, (u8 *) (key + 1)) < 0 ||
+		    os_memcmp_const(mic, key + 1, mic_len) != 0) {
 			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
 				"WPA: Invalid EAPOL-Key MIC - "
 				"dropping packet");
@@ -4167,6 +4175,11 @@ int fils_process_assoc_resp(struct wpa_s
 
 	alg = wpa_cipher_to_alg(sm->pairwise_cipher);
 	keylen = wpa_cipher_key_len(sm->pairwise_cipher);
+	if (keylen <= 0 || (unsigned int) keylen != sm->ptk.tk_len) {
+		wpa_printf(MSG_DEBUG, "FILS: TK length mismatch: %u != %lu",
+			   keylen, (long unsigned int) sm->ptk.tk_len);
+		goto fail;
+	}
 	rsclen = wpa_cipher_rsc_len(sm->pairwise_cipher);
 	wpa_hexdump_key(MSG_DEBUG, "FILS: Set TK to driver",
 			sm->ptk.tk, keylen);
@@ -4183,6 +4196,7 @@ int fils_process_assoc_resp(struct wpa_s
 	 * takes care of association frame encryption/decryption. */
 	/* TK is not needed anymore in supplicant */
 	os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
+	sm->ptk.tk_len = 0;
 	sm->ptk.installed = 1;
 
 	/* FILS HLP Container */
hostapd: backport extra changes related to KRACK While these changes are not included in the advisory, upstream encourages users to merge them. See http://lists.infradead.org/pipermail/hostap/2017-October/037989.html Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be> 2017-10-17 13:24:14 +00:00			`From a6ea665300919d6a3af22b1f4237203647fda93a Mon Sep 17 00:00:00 2001`
			`From: Jouni Malinen <j@w1.fi>`
			`Date: Tue, 17 Oct 2017 00:01:11 +0300`
			`Subject: [PATCH] Additional consistentcy checks for PTK component lengths`

			`Verify that TK, KCK, and KEK lengths are set to consistent values within`
			`struct wpa_ptk before using them in supplicant. This is an additional`
			`layer of protection against unexpected states.`

			`Signed-off-by: Jouni Malinen <j@w1.fi>`
			`---`
			`src/common/wpa_common.c \| 6 ++++++`
			`src/rsn_supp/wpa.c \| 26 ++++++++++++++++++++------`
			`2 files changed, 26 insertions(+), 6 deletions(-)`

			`--- a/src/common/wpa_common.c`
			`+++ b/src/common/wpa_common.c`
			`@@ -100,6 +100,12 @@ int wpa_eapol_key_mic(const u8 *key, siz`
			`{`
			`u8 hash[SHA512_MAC_LEN];`

			`+ if (key_len == 0) {`
			`+ wpa_printf(MSG_DEBUG,`
			`+ "WPA: KCK not set - cannot calculate MIC");`
			`+ return -1;`
			`+ }`
			`+`
			`switch (ver) {`
			`#ifndef CONFIG_FIPS`
			`case WPA_KEY_INFO_TYPE_HMAC_MD5_RC4:`
			`--- a/src/rsn_supp/wpa.c`
			`+++ b/src/rsn_supp/wpa.c`
			`@@ -725,6 +725,11 @@ static int wpa_supplicant_install_ptk(st`

			`alg = wpa_cipher_to_alg(sm->pairwise_cipher);`
			`keylen = wpa_cipher_key_len(sm->pairwise_cipher);`
			`+ if (keylen <= 0 \|\| (unsigned int) keylen != sm->ptk.tk_len) {`
			`+ wpa_printf(MSG_DEBUG, "WPA: TK length mismatch: %d != %lu",`
			`+ keylen, (long unsigned int) sm->ptk.tk_len);`
			`+ return -1;`
			`+ }`
			`rsclen = wpa_cipher_rsc_len(sm->pairwise_cipher);`

			`if (sm->proto == WPA_PROTO_RSN \|\| sm->proto == WPA_PROTO_OSEN) {`
			`@@ -745,6 +750,7 @@ static int wpa_supplicant_install_ptk(st`

			`/* TK is not needed anymore in supplicant */`
			`os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);`
			`+ sm->ptk.tk_len = 0;`
			`sm->ptk.installed = 1;`

			`if (sm->wpa_ptk_rekey) {`
			`@@ -1717,9 +1723,10 @@ static int wpa_supplicant_verify_eapol_k`
			`os_memcpy(mic, key + 1, mic_len);`
			`if (sm->tptk_set) {`
			`os_memset(key + 1, 0, mic_len);`
			`- wpa_eapol_key_mic(sm->tptk.kck, sm->tptk.kck_len, sm->key_mgmt,`
			`- ver, buf, len, (u8 *) (key + 1));`
			`- if (os_memcmp_const(mic, key + 1, mic_len) != 0) {`
			`+ if (wpa_eapol_key_mic(sm->tptk.kck, sm->tptk.kck_len,`
			`+ sm->key_mgmt,`
			`+ ver, buf, len, (u8 *) (key + 1)) < 0 \|\|`
			`+ os_memcmp_const(mic, key + 1, mic_len) != 0) {`
			`wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,`
			`"WPA: Invalid EAPOL-Key MIC "`
			`"when using TPTK - ignoring TPTK");`
			`@@ -1742,9 +1749,10 @@ static int wpa_supplicant_verify_eapol_k`

			`if (!ok && sm->ptk_set) {`
			`os_memset(key + 1, 0, mic_len);`
			`- wpa_eapol_key_mic(sm->ptk.kck, sm->ptk.kck_len, sm->key_mgmt,`
			`- ver, buf, len, (u8 *) (key + 1));`
			`- if (os_memcmp_const(mic, key + 1, mic_len) != 0) {`
			`+ if (wpa_eapol_key_mic(sm->ptk.kck, sm->ptk.kck_len,`
			`+ sm->key_mgmt,`
			`+ ver, buf, len, (u8 *) (key + 1)) < 0 \|\|`
			`+ os_memcmp_const(mic, key + 1, mic_len) != 0) {`
			`wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,`
			`"WPA: Invalid EAPOL-Key MIC - "`
			`"dropping packet");`
			`@@ -4167,6 +4175,11 @@ int fils_process_assoc_resp(struct wpa_s`

			`alg = wpa_cipher_to_alg(sm->pairwise_cipher);`
			`keylen = wpa_cipher_key_len(sm->pairwise_cipher);`
			`+ if (keylen <= 0 \|\| (unsigned int) keylen != sm->ptk.tk_len) {`
			`+ wpa_printf(MSG_DEBUG, "FILS: TK length mismatch: %u != %lu",`
			`+ keylen, (long unsigned int) sm->ptk.tk_len);`
			`+ goto fail;`
			`+ }`
			`rsclen = wpa_cipher_rsc_len(sm->pairwise_cipher);`
			`wpa_hexdump_key(MSG_DEBUG, "FILS: Set TK to driver",`
			`sm->ptk.tk, keylen);`
			`@@ -4183,6 +4196,7 @@ int fils_process_assoc_resp(struct wpa_s`
			`* takes care of association frame encryption/decryption. */`
			`/* TK is not needed anymore in supplicant */`
			`os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);`
			`+ sm->ptk.tk_len = 0;`
			`sm->ptk.installed = 1;`

			`/* FILS HLP Container */`