openwrtv3/package/network/services/hostapd/patches/009-Clear-PMK-length-and-check-for-this-when-deriving-PT.patch

From b488a12948751f57871f09baa345e59b23959a41 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Sun, 8 Oct 2017 13:18:02 +0300
Subject: [PATCH] Clear PMK length and check for this when deriving PTK

Instead of setting the default PMK length for the cleared PMK, set the
length to 0 and explicitly check for this when deriving PTK to avoid
unexpected key derivation with an all-zeroes key should it be possible
to somehow trigger PTK derivation to happen before PMK derivation.

Signed-off-by: Jouni Malinen <j@w1.fi>
---
 src/common/wpa_common.c | 5 +++++
 src/rsn_supp/wpa.c      | 7 ++++---
 2 files changed, 9 insertions(+), 3 deletions(-)

--- a/src/common/wpa_common.c
+++ b/src/common/wpa_common.c
@@ -225,6 +225,11 @@ int wpa_pmk_to_ptk(const u8 *pmk, size_t
 	u8 tmp[WPA_KCK_MAX_LEN + WPA_KEK_MAX_LEN + WPA_TK_MAX_LEN];
 	size_t ptk_len;
 
+	if (pmk_len == 0) {
+		wpa_printf(MSG_ERROR, "WPA: No PMK set for PT derivation");
+		return -1;
+	}
+
 	if (os_memcmp(addr1, addr2, ETH_ALEN) < 0) {
 		os_memcpy(data, addr1, ETH_ALEN);
 		os_memcpy(data + ETH_ALEN, addr2, ETH_ALEN);
--- a/src/rsn_supp/wpa.c
+++ b/src/rsn_supp/wpa.c
@@ -584,7 +584,8 @@ static void wpa_supplicant_process_1_of_
 	/* Calculate PTK which will be stored as a temporary PTK until it has
 	 * been verified when processing message 3/4. */
 	ptk = &sm->tptk;
-	wpa_derive_ptk(sm, src_addr, key, ptk);
+	if (wpa_derive_ptk(sm, src_addr, key, ptk) < 0)
+		goto failed;
 	if (sm->pairwise_cipher == WPA_CIPHER_TKIP) {
 		u8 buf[8];
 		/* Supplicant: swap tx/rx Mic keys */
@@ -2705,8 +2706,8 @@ void wpa_sm_set_pmk_from_pmksa(struct wp
 		sm->pmk_len = sm->cur_pmksa->pmk_len;
 		os_memcpy(sm->pmk, sm->cur_pmksa->pmk, sm->pmk_len);
 	} else {
-		sm->pmk_len = PMK_LEN;
-		os_memset(sm->pmk, 0, PMK_LEN);
+		sm->pmk_len = 0;
+		os_memset(sm->pmk, 0, PMK_LEN_MAX);
 	}
 }