Date: Friday, February 9, 2018 @ 12:54:14 Author: spupykin Revision: 290445
archrelease: copy trunk to community-x86_64 Added: hostapd/repos/community-x86_64/0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch (from rev 290444, hostapd/trunk/0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch) hostapd/repos/community-x86_64/0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch (from rev 290444, hostapd/trunk/0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch) hostapd/repos/community-x86_64/0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch (from rev 290444, hostapd/trunk/0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch) hostapd/repos/community-x86_64/0004-Prevent-installation-of-an-all-zero-TK.patch (from rev 290444, hostapd/trunk/0004-Prevent-installation-of-an-all-zero-TK.patch) hostapd/repos/community-x86_64/0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch (from rev 290444, hostapd/trunk/0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch) hostapd/repos/community-x86_64/0006-TDLS-Reject-TPK-TK-reconfiguration.patch (from rev 290444, hostapd/trunk/0006-TDLS-Reject-TPK-TK-reconfiguration.patch) hostapd/repos/community-x86_64/0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch (from rev 290444, hostapd/trunk/0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch) hostapd/repos/community-x86_64/PKGBUILD (from rev 290444, hostapd/trunk/PKGBUILD) hostapd/repos/community-x86_64/config (from rev 290444, hostapd/trunk/config) hostapd/repos/community-x86_64/hostapd-2.3-noscan.patch (from rev 290444, hostapd/trunk/hostapd-2.3-noscan.patch) hostapd/repos/community-x86_64/hostapd.service (from rev 290444, hostapd/trunk/hostapd.service) hostapd/repos/community-x86_64/openvswitch.patch (from rev 290444, hostapd/trunk/openvswitch.patch) Deleted: hostapd/repos/community-x86_64/0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch hostapd/repos/community-x86_64/0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch hostapd/repos/community-x86_64/0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch hostapd/repos/community-x86_64/0004-Prevent-installation-of-an-all-zero-TK.patch hostapd/repos/community-x86_64/0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch hostapd/repos/community-x86_64/0006-TDLS-Reject-TPK-TK-reconfiguration.patch hostapd/repos/community-x86_64/0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch hostapd/repos/community-x86_64/PKGBUILD hostapd/repos/community-x86_64/config hostapd/repos/community-x86_64/hostapd-2.3-noscan.patch hostapd/repos/community-x86_64/hostapd.service hostapd/repos/community-x86_64/openvswitch.patch -----------------------------------------------------------------+ 0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch | 348 +++--- 0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch | 500 +++++----- 0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch | 368 +++---- 0004-Prevent-installation-of-an-all-zero-TK.patch | 158 +-- 0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch | 128 +- 0006-TDLS-Reject-TPK-TK-reconfiguration.patch | 264 ++--- 0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch | 164 +-- PKGBUILD | 170 +-- config | 206 ++-- hostapd-2.3-noscan.patch | 152 +-- hostapd.service | 20 openvswitch.patch | 306 +++--- 12 files changed, 1395 insertions(+), 1389 deletions(-) Deleted: 0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch =================================================================== --- 0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch 2018-02-09 12:53:40 UTC (rev 290444) +++ 0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch 2018-02-09 12:54:14 UTC (rev 290445) @@ -1,174 +0,0 @@ -From cf4cab804c7afd5c45505528a8d16e46163243a2 Mon Sep 17 00:00:00 2001 -From: Mathy Vanhoef <mathy.vanh...@cs.kuleuven.be> -Date: Fri, 14 Jul 2017 15:15:35 +0200 -Subject: [PATCH 1/8] hostapd: Avoid key reinstallation in FT handshake - -Do not reinstall TK to the driver during Reassociation Response frame -processing if the first attempt of setting the TK succeeded. This avoids -issues related to clearing the TX/RX PN that could result in reusing -same PN values for transmitted frames (e.g., due to CCM nonce reuse and -also hitting replay protection on the receiver) and accepting replayed -frames on RX side. - -This issue was introduced by the commit -0e84c25434e6a1f283c7b4e62e483729085b78d2 ('FT: Fix PTK configuration in -authenticator') which allowed wpa_ft_install_ptk() to be called multiple -times with the same PTK. While the second configuration attempt is -needed with some drivers, it must be done only if the first attempt -failed. - -Signed-off-by: Mathy Vanhoef <mathy.vanh...@cs.kuleuven.be> ---- - src/ap/ieee802_11.c | 16 +++++++++++++--- - src/ap/wpa_auth.c | 11 +++++++++++ - src/ap/wpa_auth.h | 3 ++- - src/ap/wpa_auth_ft.c | 10 ++++++++++ - src/ap/wpa_auth_i.h | 1 + - 5 files changed, 37 insertions(+), 4 deletions(-) - -diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c -index 4e04169..333035f 100644 ---- a/src/ap/ieee802_11.c -+++ b/src/ap/ieee802_11.c -@@ -1841,6 +1841,7 @@ static int add_associated_sta(struct hostapd_data *hapd, - { - struct ieee80211_ht_capabilities ht_cap; - struct ieee80211_vht_capabilities vht_cap; -+ int set = 1; - - /* - * Remove the STA entry to ensure the STA PS state gets cleared and -@@ -1848,9 +1849,18 @@ static int add_associated_sta(struct hostapd_data *hapd, - * FT-over-the-DS, where a station re-associates back to the same AP but - * skips the authentication flow, or if working with a driver that - * does not support full AP client state. -+ * -+ * Skip this if the STA has already completed FT reassociation and the -+ * TK has been configured since the TX/RX PN must not be reset to 0 for -+ * the same key. - */ -- if (!sta->added_unassoc) -+ if (!sta->added_unassoc && -+ (!(sta->flags & WLAN_STA_AUTHORIZED) || -+ !wpa_auth_sta_ft_tk_already_set(sta->wpa_sm))) { - hostapd_drv_sta_remove(hapd, sta->addr); -+ wpa_auth_sm_event(sta->wpa_sm, WPA_DRV_STA_REMOVED); -+ set = 0; -+ } - - #ifdef CONFIG_IEEE80211N - if (sta->flags & WLAN_STA_HT) -@@ -1873,11 +1883,11 @@ static int add_associated_sta(struct hostapd_data *hapd, - sta->flags & WLAN_STA_VHT ? &vht_cap : NULL, - sta->flags | WLAN_STA_ASSOC, sta->qosinfo, - sta->vht_opmode, sta->p2p_ie ? 1 : 0, -- sta->added_unassoc)) { -+ set)) { - hostapd_logger(hapd, sta->addr, - HOSTAPD_MODULE_IEEE80211, HOSTAPD_LEVEL_NOTICE, - "Could not %s STA to kernel driver", -- sta->added_unassoc ? "set" : "add"); -+ set ? "set" : "add"); - - if (sta->added_unassoc) { - hostapd_drv_sta_remove(hapd, sta->addr); -diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c -index 3587086..707971d 100644 ---- a/src/ap/wpa_auth.c -+++ b/src/ap/wpa_auth.c -@@ -1745,6 +1745,9 @@ int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event) - #else /* CONFIG_IEEE80211R */ - break; - #endif /* CONFIG_IEEE80211R */ -+ case WPA_DRV_STA_REMOVED: -+ sm->tk_already_set = FALSE; -+ return 0; - } - - #ifdef CONFIG_IEEE80211R -@@ -3250,6 +3253,14 @@ int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm) - } - - -+int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm) -+{ -+ if (!sm || !wpa_key_mgmt_ft(sm->wpa_key_mgmt)) -+ return 0; -+ return sm->tk_already_set; -+} -+ -+ - int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm, - struct rsn_pmksa_cache_entry *entry) - { -diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h -index 0de8d97..97461b0 100644 ---- a/src/ap/wpa_auth.h -+++ b/src/ap/wpa_auth.h -@@ -267,7 +267,7 @@ void wpa_receive(struct wpa_authenticator *wpa_auth, - u8 *data, size_t data_len); - enum wpa_event { - WPA_AUTH, WPA_ASSOC, WPA_DISASSOC, WPA_DEAUTH, WPA_REAUTH, -- WPA_REAUTH_EAPOL, WPA_ASSOC_FT -+ WPA_REAUTH_EAPOL, WPA_ASSOC_FT, WPA_DRV_STA_REMOVED - }; - void wpa_remove_ptk(struct wpa_state_machine *sm); - int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event); -@@ -280,6 +280,7 @@ int wpa_auth_pairwise_set(struct wpa_state_machine *sm); - int wpa_auth_get_pairwise(struct wpa_state_machine *sm); - int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm); - int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm); -+int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm); - int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm, - struct rsn_pmksa_cache_entry *entry); - struct rsn_pmksa_cache_entry * -diff --git a/src/ap/wpa_auth_ft.c b/src/ap/wpa_auth_ft.c -index 42242a5..e63b99a 100644 ---- a/src/ap/wpa_auth_ft.c -+++ b/src/ap/wpa_auth_ft.c -@@ -780,6 +780,14 @@ void wpa_ft_install_ptk(struct wpa_state_machine *sm) - return; - } - -+ if (sm->tk_already_set) { -+ /* Must avoid TK reconfiguration to prevent clearing of TX/RX -+ * PN in the driver */ -+ wpa_printf(MSG_DEBUG, -+ "FT: Do not re-install same PTK to the driver"); -+ return; -+ } -+ - /* FIX: add STA entry to kernel/driver here? The set_key will fail - * most likely without this.. At the moment, STA entry is added only - * after association has been completed. This function will be called -@@ -792,6 +800,7 @@ void wpa_ft_install_ptk(struct wpa_state_machine *sm) - - /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */ - sm->pairwise_set = TRUE; -+ sm->tk_already_set = TRUE; - } - - -@@ -898,6 +907,7 @@ static int wpa_ft_process_auth_req(struct wpa_state_machine *sm, - - sm->pairwise = pairwise; - sm->PTK_valid = TRUE; -+ sm->tk_already_set = FALSE; - wpa_ft_install_ptk(sm); - - buflen = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) + -diff --git a/src/ap/wpa_auth_i.h b/src/ap/wpa_auth_i.h -index 72b7eb3..7fd8f05 100644 ---- a/src/ap/wpa_auth_i.h -+++ b/src/ap/wpa_auth_i.h -@@ -65,6 +65,7 @@ struct wpa_state_machine { - struct wpa_ptk PTK; - Boolean PTK_valid; - Boolean pairwise_set; -+ Boolean tk_already_set; - int keycount; - Boolean Pair; - struct wpa_key_replay_counter { --- -2.7.4 - Copied: hostapd/repos/community-x86_64/0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch (from rev 290444, hostapd/trunk/0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch) =================================================================== --- 0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch (rev 0) +++ 0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch 2018-02-09 12:54:14 UTC (rev 290445) @@ -0,0 +1,174 @@ +From cf4cab804c7afd5c45505528a8d16e46163243a2 Mon Sep 17 00:00:00 2001 +From: Mathy Vanhoef <mathy.vanh...@cs.kuleuven.be> +Date: Fri, 14 Jul 2017 15:15:35 +0200 +Subject: [PATCH 1/8] hostapd: Avoid key reinstallation in FT handshake + +Do not reinstall TK to the driver during Reassociation Response frame +processing if the first attempt of setting the TK succeeded. This avoids +issues related to clearing the TX/RX PN that could result in reusing +same PN values for transmitted frames (e.g., due to CCM nonce reuse and +also hitting replay protection on the receiver) and accepting replayed +frames on RX side. + +This issue was introduced by the commit +0e84c25434e6a1f283c7b4e62e483729085b78d2 ('FT: Fix PTK configuration in +authenticator') which allowed wpa_ft_install_ptk() to be called multiple +times with the same PTK. While the second configuration attempt is +needed with some drivers, it must be done only if the first attempt +failed. + +Signed-off-by: Mathy Vanhoef <mathy.vanh...@cs.kuleuven.be> +--- + src/ap/ieee802_11.c | 16 +++++++++++++--- + src/ap/wpa_auth.c | 11 +++++++++++ + src/ap/wpa_auth.h | 3 ++- + src/ap/wpa_auth_ft.c | 10 ++++++++++ + src/ap/wpa_auth_i.h | 1 + + 5 files changed, 37 insertions(+), 4 deletions(-) + +diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c +index 4e04169..333035f 100644 +--- a/src/ap/ieee802_11.c ++++ b/src/ap/ieee802_11.c +@@ -1841,6 +1841,7 @@ static int add_associated_sta(struct hostapd_data *hapd, + { + struct ieee80211_ht_capabilities ht_cap; + struct ieee80211_vht_capabilities vht_cap; ++ int set = 1; + + /* + * Remove the STA entry to ensure the STA PS state gets cleared and +@@ -1848,9 +1849,18 @@ static int add_associated_sta(struct hostapd_data *hapd, + * FT-over-the-DS, where a station re-associates back to the same AP but + * skips the authentication flow, or if working with a driver that + * does not support full AP client state. ++ * ++ * Skip this if the STA has already completed FT reassociation and the ++ * TK has been configured since the TX/RX PN must not be reset to 0 for ++ * the same key. + */ +- if (!sta->added_unassoc) ++ if (!sta->added_unassoc && ++ (!(sta->flags & WLAN_STA_AUTHORIZED) || ++ !wpa_auth_sta_ft_tk_already_set(sta->wpa_sm))) { + hostapd_drv_sta_remove(hapd, sta->addr); ++ wpa_auth_sm_event(sta->wpa_sm, WPA_DRV_STA_REMOVED); ++ set = 0; ++ } + + #ifdef CONFIG_IEEE80211N + if (sta->flags & WLAN_STA_HT) +@@ -1873,11 +1883,11 @@ static int add_associated_sta(struct hostapd_data *hapd, + sta->flags & WLAN_STA_VHT ? &vht_cap : NULL, + sta->flags | WLAN_STA_ASSOC, sta->qosinfo, + sta->vht_opmode, sta->p2p_ie ? 1 : 0, +- sta->added_unassoc)) { ++ set)) { + hostapd_logger(hapd, sta->addr, + HOSTAPD_MODULE_IEEE80211, HOSTAPD_LEVEL_NOTICE, + "Could not %s STA to kernel driver", +- sta->added_unassoc ? "set" : "add"); ++ set ? "set" : "add"); + + if (sta->added_unassoc) { + hostapd_drv_sta_remove(hapd, sta->addr); +diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c +index 3587086..707971d 100644 +--- a/src/ap/wpa_auth.c ++++ b/src/ap/wpa_auth.c +@@ -1745,6 +1745,9 @@ int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event) + #else /* CONFIG_IEEE80211R */ + break; + #endif /* CONFIG_IEEE80211R */ ++ case WPA_DRV_STA_REMOVED: ++ sm->tk_already_set = FALSE; ++ return 0; + } + + #ifdef CONFIG_IEEE80211R +@@ -3250,6 +3253,14 @@ int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm) + } + + ++int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm) ++{ ++ if (!sm || !wpa_key_mgmt_ft(sm->wpa_key_mgmt)) ++ return 0; ++ return sm->tk_already_set; ++} ++ ++ + int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm, + struct rsn_pmksa_cache_entry *entry) + { +diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h +index 0de8d97..97461b0 100644 +--- a/src/ap/wpa_auth.h ++++ b/src/ap/wpa_auth.h +@@ -267,7 +267,7 @@ void wpa_receive(struct wpa_authenticator *wpa_auth, + u8 *data, size_t data_len); + enum wpa_event { + WPA_AUTH, WPA_ASSOC, WPA_DISASSOC, WPA_DEAUTH, WPA_REAUTH, +- WPA_REAUTH_EAPOL, WPA_ASSOC_FT ++ WPA_REAUTH_EAPOL, WPA_ASSOC_FT, WPA_DRV_STA_REMOVED + }; + void wpa_remove_ptk(struct wpa_state_machine *sm); + int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event); +@@ -280,6 +280,7 @@ int wpa_auth_pairwise_set(struct wpa_state_machine *sm); + int wpa_auth_get_pairwise(struct wpa_state_machine *sm); + int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm); + int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm); ++int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm); + int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm, + struct rsn_pmksa_cache_entry *entry); + struct rsn_pmksa_cache_entry * +diff --git a/src/ap/wpa_auth_ft.c b/src/ap/wpa_auth_ft.c +index 42242a5..e63b99a 100644 +--- a/src/ap/wpa_auth_ft.c ++++ b/src/ap/wpa_auth_ft.c +@@ -780,6 +780,14 @@ void wpa_ft_install_ptk(struct wpa_state_machine *sm) + return; + } + ++ if (sm->tk_already_set) { ++ /* Must avoid TK reconfiguration to prevent clearing of TX/RX ++ * PN in the driver */ ++ wpa_printf(MSG_DEBUG, ++ "FT: Do not re-install same PTK to the driver"); ++ return; ++ } ++ + /* FIX: add STA entry to kernel/driver here? The set_key will fail + * most likely without this.. At the moment, STA entry is added only + * after association has been completed. This function will be called +@@ -792,6 +800,7 @@ void wpa_ft_install_ptk(struct wpa_state_machine *sm) + + /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */ + sm->pairwise_set = TRUE; ++ sm->tk_already_set = TRUE; + } + + +@@ -898,6 +907,7 @@ static int wpa_ft_process_auth_req(struct wpa_state_machine *sm, + + sm->pairwise = pairwise; + sm->PTK_valid = TRUE; ++ sm->tk_already_set = FALSE; + wpa_ft_install_ptk(sm); + + buflen = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) + +diff --git a/src/ap/wpa_auth_i.h b/src/ap/wpa_auth_i.h +index 72b7eb3..7fd8f05 100644 +--- a/src/ap/wpa_auth_i.h ++++ b/src/ap/wpa_auth_i.h +@@ -65,6 +65,7 @@ struct wpa_state_machine { + struct wpa_ptk PTK; + Boolean PTK_valid; + Boolean pairwise_set; ++ Boolean tk_already_set; + int keycount; + Boolean Pair; + struct wpa_key_replay_counter { +-- +2.7.4 + Deleted: 0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch =================================================================== --- 0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch 2018-02-09 12:53:40 UTC (rev 290444) +++ 0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch 2018-02-09 12:54:14 UTC (rev 290445) @@ -1,250 +0,0 @@ -From 927f891007c402fefd1ff384645b3f07597c3ede Mon Sep 17 00:00:00 2001 -From: Mathy Vanhoef <mathy.vanh...@cs.kuleuven.be> -Date: Wed, 12 Jul 2017 16:03:24 +0200 -Subject: [PATCH 2/8] Prevent reinstallation of an already in-use group key - -Track the current GTK and IGTK that is in use and when receiving a -(possibly retransmitted) Group Message 1 or WNM-Sleep Mode Response, do -not install the given key if it is already in use. This prevents an -attacker from trying to trick the client into resetting or lowering the -sequence counter associated to the group key. - -Signed-off-by: Mathy Vanhoef <mathy.vanh...@cs.kuleuven.be> ---- - src/common/wpa_common.h | 11 +++++ - src/rsn_supp/wpa.c | 116 ++++++++++++++++++++++++++++++------------------ - src/rsn_supp/wpa_i.h | 4 ++ - 3 files changed, 87 insertions(+), 44 deletions(-) - -diff --git a/src/common/wpa_common.h b/src/common/wpa_common.h -index af1d0f0..d200285 100644 ---- a/src/common/wpa_common.h -+++ b/src/common/wpa_common.h -@@ -217,6 +217,17 @@ struct wpa_ptk { - size_t tk_len; - }; - -+struct wpa_gtk { -+ u8 gtk[WPA_GTK_MAX_LEN]; -+ size_t gtk_len; -+}; -+ -+#ifdef CONFIG_IEEE80211W -+struct wpa_igtk { -+ u8 igtk[WPA_IGTK_MAX_LEN]; -+ size_t igtk_len; -+}; -+#endif /* CONFIG_IEEE80211W */ - - /* WPA IE version 1 - * 00-50-f2:1 (OUI:OUI type) -diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c -index 3c47879..95bd7be 100644 ---- a/src/rsn_supp/wpa.c -+++ b/src/rsn_supp/wpa.c -@@ -714,6 +714,15 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm, - const u8 *_gtk = gd->gtk; - u8 gtk_buf[32]; - -+ /* Detect possible key reinstallation */ -+ if (sm->gtk.gtk_len == (size_t) gd->gtk_len && -+ os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) { -+ wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, -+ "WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)", -+ gd->keyidx, gd->tx, gd->gtk_len); -+ return 0; -+ } -+ - wpa_hexdump_key(MSG_DEBUG, "WPA: Group Key", gd->gtk, gd->gtk_len); - wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, - "WPA: Installing GTK to the driver (keyidx=%d tx=%d len=%d)", -@@ -748,6 +757,9 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm, - } - os_memset(gtk_buf, 0, sizeof(gtk_buf)); - -+ sm->gtk.gtk_len = gd->gtk_len; -+ os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len); -+ - return 0; - } - -@@ -854,6 +866,48 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm, - } - - -+#ifdef CONFIG_IEEE80211W -+static int wpa_supplicant_install_igtk(struct wpa_sm *sm, -+ const struct wpa_igtk_kde *igtk) -+{ -+ size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher); -+ u16 keyidx = WPA_GET_LE16(igtk->keyid); -+ -+ /* Detect possible key reinstallation */ -+ if (sm->igtk.igtk_len == len && -+ os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) { -+ wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, -+ "WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)", -+ keyidx); -+ return 0; -+ } -+ -+ wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, -+ "WPA: IGTK keyid %d pn %02x%02x%02x%02x%02x%02x", -+ keyidx, MAC2STR(igtk->pn)); -+ wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK", igtk->igtk, len); -+ if (keyidx > 4095) { -+ wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, -+ "WPA: Invalid IGTK KeyID %d", keyidx); -+ return -1; -+ } -+ if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher), -+ broadcast_ether_addr, -+ keyidx, 0, igtk->pn, sizeof(igtk->pn), -+ igtk->igtk, len) < 0) { -+ wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, -+ "WPA: Failed to configure IGTK to the driver"); -+ return -1; -+ } -+ -+ sm->igtk.igtk_len = len; -+ os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len); -+ -+ return 0; -+} -+#endif /* CONFIG_IEEE80211W */ -+ -+ - static int ieee80211w_set_keys(struct wpa_sm *sm, - struct wpa_eapol_ie_parse *ie) - { -@@ -864,30 +918,14 @@ static int ieee80211w_set_keys(struct wpa_sm *sm, - if (ie->igtk) { - size_t len; - const struct wpa_igtk_kde *igtk; -- u16 keyidx; -+ - len = wpa_cipher_key_len(sm->mgmt_group_cipher); - if (ie->igtk_len != WPA_IGTK_KDE_PREFIX_LEN + len) - return -1; -+ - igtk = (const struct wpa_igtk_kde *) ie->igtk; -- keyidx = WPA_GET_LE16(igtk->keyid); -- wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: IGTK keyid %d " -- "pn %02x%02x%02x%02x%02x%02x", -- keyidx, MAC2STR(igtk->pn)); -- wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK", -- igtk->igtk, len); -- if (keyidx > 4095) { -- wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, -- "WPA: Invalid IGTK KeyID %d", keyidx); -- return -1; -- } -- if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher), -- broadcast_ether_addr, -- keyidx, 0, igtk->pn, sizeof(igtk->pn), -- igtk->igtk, len) < 0) { -- wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, -- "WPA: Failed to configure IGTK to the driver"); -+ if (wpa_supplicant_install_igtk(sm, igtk) < 0) - return -1; -- } - } - - return 0; -@@ -2307,7 +2345,7 @@ void wpa_sm_deinit(struct wpa_sm *sm) - */ - void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid) - { -- int clear_ptk = 1; -+ int clear_keys = 1; - - if (sm == NULL) - return; -@@ -2333,11 +2371,11 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid) - /* Prepare for the next transition */ - wpa_ft_prepare_auth_request(sm, NULL); - -- clear_ptk = 0; -+ clear_keys = 0; - } - #endif /* CONFIG_IEEE80211R */ - -- if (clear_ptk) { -+ if (clear_keys) { - /* - * IEEE 802.11, 8.4.10: Delete PTK SA on (re)association if - * this is not part of a Fast BSS Transition. -@@ -2347,6 +2385,10 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid) - os_memset(&sm->ptk, 0, sizeof(sm->ptk)); - sm->tptk_set = 0; - os_memset(&sm->tptk, 0, sizeof(sm->tptk)); -+ os_memset(&sm->gtk, 0, sizeof(sm->gtk)); -+#ifdef CONFIG_IEEE80211W -+ os_memset(&sm->igtk, 0, sizeof(sm->igtk)); -+#endif /* CONFIG_IEEE80211W */ - } - - #ifdef CONFIG_TDLS -@@ -2877,6 +2919,10 @@ void wpa_sm_drop_sa(struct wpa_sm *sm) - os_memset(sm->pmk, 0, sizeof(sm->pmk)); - os_memset(&sm->ptk, 0, sizeof(sm->ptk)); - os_memset(&sm->tptk, 0, sizeof(sm->tptk)); -+ os_memset(&sm->gtk, 0, sizeof(sm->gtk)); -+#ifdef CONFIG_IEEE80211W -+ os_memset(&sm->igtk, 0, sizeof(sm->igtk)); -+#endif /* CONFIG_IEEE80211W */ - #ifdef CONFIG_IEEE80211R - os_memset(sm->xxkey, 0, sizeof(sm->xxkey)); - os_memset(sm->pmk_r0, 0, sizeof(sm->pmk_r0)); -@@ -2949,29 +2995,11 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf) - os_memset(&gd, 0, sizeof(gd)); - #ifdef CONFIG_IEEE80211W - } else if (subelem_id == WNM_SLEEP_SUBELEM_IGTK) { -- struct wpa_igtk_kde igd; -- u16 keyidx; -- -- os_memset(&igd, 0, sizeof(igd)); -- keylen = wpa_cipher_key_len(sm->mgmt_group_cipher); -- os_memcpy(igd.keyid, buf + 2, 2); -- os_memcpy(igd.pn, buf + 4, 6); -- -- keyidx = WPA_GET_LE16(igd.keyid); -- os_memcpy(igd.igtk, buf + 10, keylen); -- -- wpa_hexdump_key(MSG_DEBUG, "Install IGTK (WNM SLEEP)", -- igd.igtk, keylen); -- if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher), -- broadcast_ether_addr, -- keyidx, 0, igd.pn, sizeof(igd.pn), -- igd.igtk, keylen) < 0) { -- wpa_printf(MSG_DEBUG, "Failed to install the IGTK in " -- "WNM mode"); -- os_memset(&igd, 0, sizeof(igd)); -+ const struct wpa_igtk_kde *igtk; -+ -+ igtk = (const struct wpa_igtk_kde *) (buf + 2); -+ if (wpa_supplicant_install_igtk(sm, igtk) < 0) - return -1; -- } -- os_memset(&igd, 0, sizeof(igd)); - #endif /* CONFIG_IEEE80211W */ - } else { - wpa_printf(MSG_DEBUG, "Unknown element id"); -diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h -index f653ba6..afc9e37 100644 ---- a/src/rsn_supp/wpa_i.h -+++ b/src/rsn_supp/wpa_i.h -@@ -31,6 +31,10 @@ struct wpa_sm { - u8 rx_replay_counter[WPA_REPLAY_COUNTER_LEN]; - int rx_replay_counter_set; - u8 request_counter[WPA_REPLAY_COUNTER_LEN]; -+ struct wpa_gtk gtk; -+#ifdef CONFIG_IEEE80211W -+ struct wpa_igtk igtk; -+#endif /* CONFIG_IEEE80211W */ - - struct eapol_sm *eapol; /* EAPOL state machine from upper level code */ - --- -2.7.4 - Copied: hostapd/repos/community-x86_64/0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch (from rev 290444, hostapd/trunk/0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch) =================================================================== --- 0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch (rev 0) +++ 0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch 2018-02-09 12:54:14 UTC (rev 290445) @@ -0,0 +1,250 @@ +From 927f891007c402fefd1ff384645b3f07597c3ede Mon Sep 17 00:00:00 2001 +From: Mathy Vanhoef <mathy.vanh...@cs.kuleuven.be> +Date: Wed, 12 Jul 2017 16:03:24 +0200 +Subject: [PATCH 2/8] Prevent reinstallation of an already in-use group key + +Track the current GTK and IGTK that is in use and when receiving a +(possibly retransmitted) Group Message 1 or WNM-Sleep Mode Response, do +not install the given key if it is already in use. This prevents an +attacker from trying to trick the client into resetting or lowering the +sequence counter associated to the group key. + +Signed-off-by: Mathy Vanhoef <mathy.vanh...@cs.kuleuven.be> +--- + src/common/wpa_common.h | 11 +++++ + src/rsn_supp/wpa.c | 116 ++++++++++++++++++++++++++++++------------------ + src/rsn_supp/wpa_i.h | 4 ++ + 3 files changed, 87 insertions(+), 44 deletions(-) + +diff --git a/src/common/wpa_common.h b/src/common/wpa_common.h +index af1d0f0..d200285 100644 +--- a/src/common/wpa_common.h ++++ b/src/common/wpa_common.h +@@ -217,6 +217,17 @@ struct wpa_ptk { + size_t tk_len; + }; + ++struct wpa_gtk { ++ u8 gtk[WPA_GTK_MAX_LEN]; ++ size_t gtk_len; ++}; ++ ++#ifdef CONFIG_IEEE80211W ++struct wpa_igtk { ++ u8 igtk[WPA_IGTK_MAX_LEN]; ++ size_t igtk_len; ++}; ++#endif /* CONFIG_IEEE80211W */ + + /* WPA IE version 1 + * 00-50-f2:1 (OUI:OUI type) +diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c +index 3c47879..95bd7be 100644 +--- a/src/rsn_supp/wpa.c ++++ b/src/rsn_supp/wpa.c +@@ -714,6 +714,15 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm, + const u8 *_gtk = gd->gtk; + u8 gtk_buf[32]; + ++ /* Detect possible key reinstallation */ ++ if (sm->gtk.gtk_len == (size_t) gd->gtk_len && ++ os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) { ++ wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, ++ "WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)", ++ gd->keyidx, gd->tx, gd->gtk_len); ++ return 0; ++ } ++ + wpa_hexdump_key(MSG_DEBUG, "WPA: Group Key", gd->gtk, gd->gtk_len); + wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, + "WPA: Installing GTK to the driver (keyidx=%d tx=%d len=%d)", +@@ -748,6 +757,9 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm, + } + os_memset(gtk_buf, 0, sizeof(gtk_buf)); + ++ sm->gtk.gtk_len = gd->gtk_len; ++ os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len); ++ + return 0; + } + +@@ -854,6 +866,48 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm, + } + + ++#ifdef CONFIG_IEEE80211W ++static int wpa_supplicant_install_igtk(struct wpa_sm *sm, ++ const struct wpa_igtk_kde *igtk) ++{ ++ size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher); ++ u16 keyidx = WPA_GET_LE16(igtk->keyid); ++ ++ /* Detect possible key reinstallation */ ++ if (sm->igtk.igtk_len == len && ++ os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) { ++ wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, ++ "WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)", ++ keyidx); ++ return 0; ++ } ++ ++ wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, ++ "WPA: IGTK keyid %d pn %02x%02x%02x%02x%02x%02x", ++ keyidx, MAC2STR(igtk->pn)); ++ wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK", igtk->igtk, len); ++ if (keyidx > 4095) { ++ wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, ++ "WPA: Invalid IGTK KeyID %d", keyidx); ++ return -1; ++ } ++ if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher), ++ broadcast_ether_addr, ++ keyidx, 0, igtk->pn, sizeof(igtk->pn), ++ igtk->igtk, len) < 0) { ++ wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, ++ "WPA: Failed to configure IGTK to the driver"); ++ return -1; ++ } ++ ++ sm->igtk.igtk_len = len; ++ os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len); ++ ++ return 0; ++} ++#endif /* CONFIG_IEEE80211W */ ++ ++ + static int ieee80211w_set_keys(struct wpa_sm *sm, + struct wpa_eapol_ie_parse *ie) + { +@@ -864,30 +918,14 @@ static int ieee80211w_set_keys(struct wpa_sm *sm, + if (ie->igtk) { + size_t len; + const struct wpa_igtk_kde *igtk; +- u16 keyidx; ++ + len = wpa_cipher_key_len(sm->mgmt_group_cipher); + if (ie->igtk_len != WPA_IGTK_KDE_PREFIX_LEN + len) + return -1; ++ + igtk = (const struct wpa_igtk_kde *) ie->igtk; +- keyidx = WPA_GET_LE16(igtk->keyid); +- wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: IGTK keyid %d " +- "pn %02x%02x%02x%02x%02x%02x", +- keyidx, MAC2STR(igtk->pn)); +- wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK", +- igtk->igtk, len); +- if (keyidx > 4095) { +- wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, +- "WPA: Invalid IGTK KeyID %d", keyidx); +- return -1; +- } +- if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher), +- broadcast_ether_addr, +- keyidx, 0, igtk->pn, sizeof(igtk->pn), +- igtk->igtk, len) < 0) { +- wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, +- "WPA: Failed to configure IGTK to the driver"); ++ if (wpa_supplicant_install_igtk(sm, igtk) < 0) + return -1; +- } + } + + return 0; +@@ -2307,7 +2345,7 @@ void wpa_sm_deinit(struct wpa_sm *sm) + */ + void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid) + { +- int clear_ptk = 1; ++ int clear_keys = 1; + + if (sm == NULL) + return; +@@ -2333,11 +2371,11 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid) + /* Prepare for the next transition */ + wpa_ft_prepare_auth_request(sm, NULL); + +- clear_ptk = 0; ++ clear_keys = 0; + } + #endif /* CONFIG_IEEE80211R */ + +- if (clear_ptk) { ++ if (clear_keys) { + /* + * IEEE 802.11, 8.4.10: Delete PTK SA on (re)association if + * this is not part of a Fast BSS Transition. +@@ -2347,6 +2385,10 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid) + os_memset(&sm->ptk, 0, sizeof(sm->ptk)); + sm->tptk_set = 0; + os_memset(&sm->tptk, 0, sizeof(sm->tptk)); ++ os_memset(&sm->gtk, 0, sizeof(sm->gtk)); ++#ifdef CONFIG_IEEE80211W ++ os_memset(&sm->igtk, 0, sizeof(sm->igtk)); ++#endif /* CONFIG_IEEE80211W */ + } + + #ifdef CONFIG_TDLS +@@ -2877,6 +2919,10 @@ void wpa_sm_drop_sa(struct wpa_sm *sm) + os_memset(sm->pmk, 0, sizeof(sm->pmk)); + os_memset(&sm->ptk, 0, sizeof(sm->ptk)); + os_memset(&sm->tptk, 0, sizeof(sm->tptk)); ++ os_memset(&sm->gtk, 0, sizeof(sm->gtk)); ++#ifdef CONFIG_IEEE80211W ++ os_memset(&sm->igtk, 0, sizeof(sm->igtk)); ++#endif /* CONFIG_IEEE80211W */ + #ifdef CONFIG_IEEE80211R + os_memset(sm->xxkey, 0, sizeof(sm->xxkey)); + os_memset(sm->pmk_r0, 0, sizeof(sm->pmk_r0)); +@@ -2949,29 +2995,11 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf) + os_memset(&gd, 0, sizeof(gd)); + #ifdef CONFIG_IEEE80211W + } else if (subelem_id == WNM_SLEEP_SUBELEM_IGTK) { +- struct wpa_igtk_kde igd; +- u16 keyidx; +- +- os_memset(&igd, 0, sizeof(igd)); +- keylen = wpa_cipher_key_len(sm->mgmt_group_cipher); +- os_memcpy(igd.keyid, buf + 2, 2); +- os_memcpy(igd.pn, buf + 4, 6); +- +- keyidx = WPA_GET_LE16(igd.keyid); +- os_memcpy(igd.igtk, buf + 10, keylen); +- +- wpa_hexdump_key(MSG_DEBUG, "Install IGTK (WNM SLEEP)", +- igd.igtk, keylen); +- if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher), +- broadcast_ether_addr, +- keyidx, 0, igd.pn, sizeof(igd.pn), +- igd.igtk, keylen) < 0) { +- wpa_printf(MSG_DEBUG, "Failed to install the IGTK in " +- "WNM mode"); +- os_memset(&igd, 0, sizeof(igd)); ++ const struct wpa_igtk_kde *igtk; ++ ++ igtk = (const struct wpa_igtk_kde *) (buf + 2); ++ if (wpa_supplicant_install_igtk(sm, igtk) < 0) + return -1; +- } +- os_memset(&igd, 0, sizeof(igd)); + #endif /* CONFIG_IEEE80211W */ + } else { + wpa_printf(MSG_DEBUG, "Unknown element id"); +diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h +index f653ba6..afc9e37 100644 +--- a/src/rsn_supp/wpa_i.h ++++ b/src/rsn_supp/wpa_i.h +@@ -31,6 +31,10 @@ struct wpa_sm { + u8 rx_replay_counter[WPA_REPLAY_COUNTER_LEN]; + int rx_replay_counter_set; + u8 request_counter[WPA_REPLAY_COUNTER_LEN]; ++ struct wpa_gtk gtk; ++#ifdef CONFIG_IEEE80211W ++ struct wpa_igtk igtk; ++#endif /* CONFIG_IEEE80211W */ + + struct eapol_sm *eapol; /* EAPOL state machine from upper level code */ + +-- +2.7.4 + Deleted: 0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch =================================================================== --- 0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch 2018-02-09 12:53:40 UTC (rev 290444) +++ 0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch 2018-02-09 12:54:14 UTC (rev 290445) @@ -1,184 +0,0 @@ -From 8280294e74846ea342389a0cd17215050fa5afe8 Mon Sep 17 00:00:00 2001 -From: Jouni Malinen <j...@w1.fi> -Date: Sun, 1 Oct 2017 12:12:24 +0300 -Subject: [PATCH 3/8] Extend protection of GTK/IGTK reinstallation of WNM-Sleep - Mode cases - -This extends the protection to track last configured GTK/IGTK value -separately from EAPOL-Key frames and WNM-Sleep Mode frames to cover a -corner case where these two different mechanisms may get used when the -GTK/IGTK has changed and tracking a single value is not sufficient to -detect a possible key reconfiguration. - -Signed-off-by: Jouni Malinen <j...@w1.fi> ---- - src/rsn_supp/wpa.c | 53 +++++++++++++++++++++++++++++++++++++--------------- - src/rsn_supp/wpa_i.h | 2 ++ - 2 files changed, 40 insertions(+), 15 deletions(-) - -diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c -index 95bd7be..7a2c68d 100644 ---- a/src/rsn_supp/wpa.c -+++ b/src/rsn_supp/wpa.c -@@ -709,14 +709,17 @@ struct wpa_gtk_data { - - static int wpa_supplicant_install_gtk(struct wpa_sm *sm, - const struct wpa_gtk_data *gd, -- const u8 *key_rsc) -+ const u8 *key_rsc, int wnm_sleep) - { - const u8 *_gtk = gd->gtk; - u8 gtk_buf[32]; - - /* Detect possible key reinstallation */ -- if (sm->gtk.gtk_len == (size_t) gd->gtk_len && -- os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) { -+ if ((sm->gtk.gtk_len == (size_t) gd->gtk_len && -+ os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) || -+ (sm->gtk_wnm_sleep.gtk_len == (size_t) gd->gtk_len && -+ os_memcmp(sm->gtk_wnm_sleep.gtk, gd->gtk, -+ sm->gtk_wnm_sleep.gtk_len) == 0)) { - wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, - "WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)", - gd->keyidx, gd->tx, gd->gtk_len); -@@ -757,8 +760,14 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm, - } - os_memset(gtk_buf, 0, sizeof(gtk_buf)); - -- sm->gtk.gtk_len = gd->gtk_len; -- os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len); -+ if (wnm_sleep) { -+ sm->gtk_wnm_sleep.gtk_len = gd->gtk_len; -+ os_memcpy(sm->gtk_wnm_sleep.gtk, gd->gtk, -+ sm->gtk_wnm_sleep.gtk_len); -+ } else { -+ sm->gtk.gtk_len = gd->gtk_len; -+ os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len); -+ } - - return 0; - } -@@ -852,7 +861,7 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm, - (wpa_supplicant_check_group_cipher(sm, sm->group_cipher, - gtk_len, gtk_len, - &gd.key_rsc_len, &gd.alg) || -- wpa_supplicant_install_gtk(sm, &gd, key_rsc))) { -+ wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0))) { - wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, - "RSN: Failed to install GTK"); - os_memset(&gd, 0, sizeof(gd)); -@@ -868,14 +877,18 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm, - - #ifdef CONFIG_IEEE80211W - static int wpa_supplicant_install_igtk(struct wpa_sm *sm, -- const struct wpa_igtk_kde *igtk) -+ const struct wpa_igtk_kde *igtk, -+ int wnm_sleep) - { - size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher); - u16 keyidx = WPA_GET_LE16(igtk->keyid); - - /* Detect possible key reinstallation */ -- if (sm->igtk.igtk_len == len && -- os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) { -+ if ((sm->igtk.igtk_len == len && -+ os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) || -+ (sm->igtk_wnm_sleep.igtk_len == len && -+ os_memcmp(sm->igtk_wnm_sleep.igtk, igtk->igtk, -+ sm->igtk_wnm_sleep.igtk_len) == 0)) { - wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, - "WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)", - keyidx); -@@ -900,8 +913,14 @@ static int wpa_supplicant_install_igtk(struct wpa_sm *sm, - return -1; - } - -- sm->igtk.igtk_len = len; -- os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len); -+ if (wnm_sleep) { -+ sm->igtk_wnm_sleep.igtk_len = len; -+ os_memcpy(sm->igtk_wnm_sleep.igtk, igtk->igtk, -+ sm->igtk_wnm_sleep.igtk_len); -+ } else { -+ sm->igtk.igtk_len = len; -+ os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len); -+ } - - return 0; - } -@@ -924,7 +943,7 @@ static int ieee80211w_set_keys(struct wpa_sm *sm, - return -1; - - igtk = (const struct wpa_igtk_kde *) ie->igtk; -- if (wpa_supplicant_install_igtk(sm, igtk) < 0) -+ if (wpa_supplicant_install_igtk(sm, igtk, 0) < 0) - return -1; - } - -@@ -1574,7 +1593,7 @@ static void wpa_supplicant_process_1_of_2(struct wpa_sm *sm, - if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc)) - key_rsc = null_rsc; - -- if (wpa_supplicant_install_gtk(sm, &gd, key_rsc) || -+ if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0) || - wpa_supplicant_send_2_of_2(sm, key, ver, key_info) < 0) - goto failed; - os_memset(&gd, 0, sizeof(gd)); -@@ -2386,8 +2405,10 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid) - sm->tptk_set = 0; - os_memset(&sm->tptk, 0, sizeof(sm->tptk)); - os_memset(&sm->gtk, 0, sizeof(sm->gtk)); -+ os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep)); - #ifdef CONFIG_IEEE80211W - os_memset(&sm->igtk, 0, sizeof(sm->igtk)); -+ os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep)); - #endif /* CONFIG_IEEE80211W */ - } - -@@ -2920,8 +2941,10 @@ void wpa_sm_drop_sa(struct wpa_sm *sm) - os_memset(&sm->ptk, 0, sizeof(sm->ptk)); - os_memset(&sm->tptk, 0, sizeof(sm->tptk)); - os_memset(&sm->gtk, 0, sizeof(sm->gtk)); -+ os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep)); - #ifdef CONFIG_IEEE80211W - os_memset(&sm->igtk, 0, sizeof(sm->igtk)); -+ os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep)); - #endif /* CONFIG_IEEE80211W */ - #ifdef CONFIG_IEEE80211R - os_memset(sm->xxkey, 0, sizeof(sm->xxkey)); -@@ -2986,7 +3009,7 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf) - - wpa_hexdump_key(MSG_DEBUG, "Install GTK (WNM SLEEP)", - gd.gtk, gd.gtk_len); -- if (wpa_supplicant_install_gtk(sm, &gd, key_rsc)) { -+ if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 1)) { - os_memset(&gd, 0, sizeof(gd)); - wpa_printf(MSG_DEBUG, "Failed to install the GTK in " - "WNM mode"); -@@ -2998,7 +3021,7 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf) - const struct wpa_igtk_kde *igtk; - - igtk = (const struct wpa_igtk_kde *) (buf + 2); -- if (wpa_supplicant_install_igtk(sm, igtk) < 0) -+ if (wpa_supplicant_install_igtk(sm, igtk, 1) < 0) - return -1; - #endif /* CONFIG_IEEE80211W */ - } else { -diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h -index afc9e37..9a54631 100644 ---- a/src/rsn_supp/wpa_i.h -+++ b/src/rsn_supp/wpa_i.h -@@ -32,8 +32,10 @@ struct wpa_sm { - int rx_replay_counter_set; - u8 request_counter[WPA_REPLAY_COUNTER_LEN]; - struct wpa_gtk gtk; -+ struct wpa_gtk gtk_wnm_sleep; - #ifdef CONFIG_IEEE80211W - struct wpa_igtk igtk; -+ struct wpa_igtk igtk_wnm_sleep; - #endif /* CONFIG_IEEE80211W */ - - struct eapol_sm *eapol; /* EAPOL state machine from upper level code */ --- -2.7.4 - Copied: hostapd/repos/community-x86_64/0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch (from rev 290444, hostapd/trunk/0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch) =================================================================== --- 0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch (rev 0) +++ 0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch 2018-02-09 12:54:14 UTC (rev 290445) @@ -0,0 +1,184 @@ +From 8280294e74846ea342389a0cd17215050fa5afe8 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <j...@w1.fi> +Date: Sun, 1 Oct 2017 12:12:24 +0300 +Subject: [PATCH 3/8] Extend protection of GTK/IGTK reinstallation of WNM-Sleep + Mode cases + +This extends the protection to track last configured GTK/IGTK value +separately from EAPOL-Key frames and WNM-Sleep Mode frames to cover a +corner case where these two different mechanisms may get used when the +GTK/IGTK has changed and tracking a single value is not sufficient to +detect a possible key reconfiguration. + +Signed-off-by: Jouni Malinen <j...@w1.fi> +--- + src/rsn_supp/wpa.c | 53 +++++++++++++++++++++++++++++++++++++--------------- + src/rsn_supp/wpa_i.h | 2 ++ + 2 files changed, 40 insertions(+), 15 deletions(-) + +diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c +index 95bd7be..7a2c68d 100644 +--- a/src/rsn_supp/wpa.c ++++ b/src/rsn_supp/wpa.c +@@ -709,14 +709,17 @@ struct wpa_gtk_data { + + static int wpa_supplicant_install_gtk(struct wpa_sm *sm, + const struct wpa_gtk_data *gd, +- const u8 *key_rsc) ++ const u8 *key_rsc, int wnm_sleep) + { + const u8 *_gtk = gd->gtk; + u8 gtk_buf[32]; + + /* Detect possible key reinstallation */ +- if (sm->gtk.gtk_len == (size_t) gd->gtk_len && +- os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) { ++ if ((sm->gtk.gtk_len == (size_t) gd->gtk_len && ++ os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) || ++ (sm->gtk_wnm_sleep.gtk_len == (size_t) gd->gtk_len && ++ os_memcmp(sm->gtk_wnm_sleep.gtk, gd->gtk, ++ sm->gtk_wnm_sleep.gtk_len) == 0)) { + wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, + "WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)", + gd->keyidx, gd->tx, gd->gtk_len); +@@ -757,8 +760,14 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm, + } + os_memset(gtk_buf, 0, sizeof(gtk_buf)); + +- sm->gtk.gtk_len = gd->gtk_len; +- os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len); ++ if (wnm_sleep) { ++ sm->gtk_wnm_sleep.gtk_len = gd->gtk_len; ++ os_memcpy(sm->gtk_wnm_sleep.gtk, gd->gtk, ++ sm->gtk_wnm_sleep.gtk_len); ++ } else { ++ sm->gtk.gtk_len = gd->gtk_len; ++ os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len); ++ } + + return 0; + } +@@ -852,7 +861,7 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm, + (wpa_supplicant_check_group_cipher(sm, sm->group_cipher, + gtk_len, gtk_len, + &gd.key_rsc_len, &gd.alg) || +- wpa_supplicant_install_gtk(sm, &gd, key_rsc))) { ++ wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0))) { + wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, + "RSN: Failed to install GTK"); + os_memset(&gd, 0, sizeof(gd)); +@@ -868,14 +877,18 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm, + + #ifdef CONFIG_IEEE80211W + static int wpa_supplicant_install_igtk(struct wpa_sm *sm, +- const struct wpa_igtk_kde *igtk) ++ const struct wpa_igtk_kde *igtk, ++ int wnm_sleep) + { + size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher); + u16 keyidx = WPA_GET_LE16(igtk->keyid); + + /* Detect possible key reinstallation */ +- if (sm->igtk.igtk_len == len && +- os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) { ++ if ((sm->igtk.igtk_len == len && ++ os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) || ++ (sm->igtk_wnm_sleep.igtk_len == len && ++ os_memcmp(sm->igtk_wnm_sleep.igtk, igtk->igtk, ++ sm->igtk_wnm_sleep.igtk_len) == 0)) { + wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, + "WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)", + keyidx); +@@ -900,8 +913,14 @@ static int wpa_supplicant_install_igtk(struct wpa_sm *sm, + return -1; + } + +- sm->igtk.igtk_len = len; +- os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len); ++ if (wnm_sleep) { ++ sm->igtk_wnm_sleep.igtk_len = len; ++ os_memcpy(sm->igtk_wnm_sleep.igtk, igtk->igtk, ++ sm->igtk_wnm_sleep.igtk_len); ++ } else { ++ sm->igtk.igtk_len = len; ++ os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len); ++ } + + return 0; + } +@@ -924,7 +943,7 @@ static int ieee80211w_set_keys(struct wpa_sm *sm, + return -1; + + igtk = (const struct wpa_igtk_kde *) ie->igtk; +- if (wpa_supplicant_install_igtk(sm, igtk) < 0) ++ if (wpa_supplicant_install_igtk(sm, igtk, 0) < 0) + return -1; + } + +@@ -1574,7 +1593,7 @@ static void wpa_supplicant_process_1_of_2(struct wpa_sm *sm, + if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc)) + key_rsc = null_rsc; + +- if (wpa_supplicant_install_gtk(sm, &gd, key_rsc) || ++ if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0) || + wpa_supplicant_send_2_of_2(sm, key, ver, key_info) < 0) + goto failed; + os_memset(&gd, 0, sizeof(gd)); +@@ -2386,8 +2405,10 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid) + sm->tptk_set = 0; + os_memset(&sm->tptk, 0, sizeof(sm->tptk)); + os_memset(&sm->gtk, 0, sizeof(sm->gtk)); ++ os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep)); + #ifdef CONFIG_IEEE80211W + os_memset(&sm->igtk, 0, sizeof(sm->igtk)); ++ os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep)); + #endif /* CONFIG_IEEE80211W */ + } + +@@ -2920,8 +2941,10 @@ void wpa_sm_drop_sa(struct wpa_sm *sm) + os_memset(&sm->ptk, 0, sizeof(sm->ptk)); + os_memset(&sm->tptk, 0, sizeof(sm->tptk)); + os_memset(&sm->gtk, 0, sizeof(sm->gtk)); ++ os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep)); + #ifdef CONFIG_IEEE80211W + os_memset(&sm->igtk, 0, sizeof(sm->igtk)); ++ os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep)); + #endif /* CONFIG_IEEE80211W */ + #ifdef CONFIG_IEEE80211R + os_memset(sm->xxkey, 0, sizeof(sm->xxkey)); +@@ -2986,7 +3009,7 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf) + + wpa_hexdump_key(MSG_DEBUG, "Install GTK (WNM SLEEP)", + gd.gtk, gd.gtk_len); +- if (wpa_supplicant_install_gtk(sm, &gd, key_rsc)) { ++ if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 1)) { + os_memset(&gd, 0, sizeof(gd)); + wpa_printf(MSG_DEBUG, "Failed to install the GTK in " + "WNM mode"); +@@ -2998,7 +3021,7 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf) + const struct wpa_igtk_kde *igtk; + + igtk = (const struct wpa_igtk_kde *) (buf + 2); +- if (wpa_supplicant_install_igtk(sm, igtk) < 0) ++ if (wpa_supplicant_install_igtk(sm, igtk, 1) < 0) + return -1; + #endif /* CONFIG_IEEE80211W */ + } else { +diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h +index afc9e37..9a54631 100644 +--- a/src/rsn_supp/wpa_i.h ++++ b/src/rsn_supp/wpa_i.h +@@ -32,8 +32,10 @@ struct wpa_sm { + int rx_replay_counter_set; + u8 request_counter[WPA_REPLAY_COUNTER_LEN]; + struct wpa_gtk gtk; ++ struct wpa_gtk gtk_wnm_sleep; + #ifdef CONFIG_IEEE80211W + struct wpa_igtk igtk; ++ struct wpa_igtk igtk_wnm_sleep; + #endif /* CONFIG_IEEE80211W */ + + struct eapol_sm *eapol; /* EAPOL state machine from upper level code */ +-- +2.7.4 + Deleted: 0004-Prevent-installation-of-an-all-zero-TK.patch =================================================================== --- 0004-Prevent-installation-of-an-all-zero-TK.patch 2018-02-09 12:53:40 UTC (rev 290444) +++ 0004-Prevent-installation-of-an-all-zero-TK.patch 2018-02-09 12:54:14 UTC (rev 290445) @@ -1,79 +0,0 @@ -From 8f82bc94e8697a9d47fa8774dfdaaede1084912c Mon Sep 17 00:00:00 2001 -From: Mathy Vanhoef <mathy.vanh...@cs.kuleuven.be> -Date: Fri, 29 Sep 2017 04:22:51 +0200 -Subject: [PATCH 4/8] Prevent installation of an all-zero TK - -Properly track whether a PTK has already been installed to the driver -and the TK part cleared from memory. This prevents an attacker from -trying to trick the client into installing an all-zero TK. - -This fixes the earlier fix in commit -ad00d64e7d8827b3cebd665a0ceb08adabf15e1e ('Fix TK configuration to the -driver in EAPOL-Key 3/4 retry case') which did not take into account -possibility of an extra message 1/4 showing up between retries of -message 3/4. - -Signed-off-by: Mathy Vanhoef <mathy.vanh...@cs.kuleuven.be> ---- - src/common/wpa_common.h | 1 + - src/rsn_supp/wpa.c | 5 ++--- - src/rsn_supp/wpa_i.h | 1 - - 3 files changed, 3 insertions(+), 4 deletions(-) - -diff --git a/src/common/wpa_common.h b/src/common/wpa_common.h -index d200285..1021ccb 100644 ---- a/src/common/wpa_common.h -+++ b/src/common/wpa_common.h -@@ -215,6 +215,7 @@ struct wpa_ptk { - size_t kck_len; - size_t kek_len; - size_t tk_len; -+ int installed; /* 1 if key has already been installed to driver */ - }; - - struct wpa_gtk { -diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c -index 7a2c68d..0550a41 100644 ---- a/src/rsn_supp/wpa.c -+++ b/src/rsn_supp/wpa.c -@@ -510,7 +510,6 @@ static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm, - os_memset(buf, 0, sizeof(buf)); - } - sm->tptk_set = 1; -- sm->tk_to_set = 1; - - kde = sm->assoc_wpa_ie; - kde_len = sm->assoc_wpa_ie_len; -@@ -615,7 +614,7 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm, - enum wpa_alg alg; - const u8 *key_rsc; - -- if (!sm->tk_to_set) { -+ if (sm->ptk.installed) { - wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, - "WPA: Do not re-install same PTK to the driver"); - return 0; -@@ -659,7 +658,7 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm, - - /* TK is not needed anymore in supplicant */ - os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN); -- sm->tk_to_set = 0; -+ sm->ptk.installed = 1; - - if (sm->wpa_ptk_rekey) { - eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL); -diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h -index 9a54631..41f371f 100644 ---- a/src/rsn_supp/wpa_i.h -+++ b/src/rsn_supp/wpa_i.h -@@ -24,7 +24,6 @@ struct wpa_sm { - struct wpa_ptk ptk, tptk; - int ptk_set, tptk_set; - unsigned int msg_3_of_4_ok:1; -- unsigned int tk_to_set:1; - u8 snonce[WPA_NONCE_LEN]; - u8 anonce[WPA_NONCE_LEN]; /* ANonce from the last 1/4 msg */ - int renew_snonce; --- -2.7.4 - Copied: hostapd/repos/community-x86_64/0004-Prevent-installation-of-an-all-zero-TK.patch (from rev 290444, hostapd/trunk/0004-Prevent-installation-of-an-all-zero-TK.patch) =================================================================== --- 0004-Prevent-installation-of-an-all-zero-TK.patch (rev 0) +++ 0004-Prevent-installation-of-an-all-zero-TK.patch 2018-02-09 12:54:14 UTC (rev 290445) @@ -0,0 +1,79 @@ +From 8f82bc94e8697a9d47fa8774dfdaaede1084912c Mon Sep 17 00:00:00 2001 +From: Mathy Vanhoef <mathy.vanh...@cs.kuleuven.be> +Date: Fri, 29 Sep 2017 04:22:51 +0200 +Subject: [PATCH 4/8] Prevent installation of an all-zero TK + +Properly track whether a PTK has already been installed to the driver +and the TK part cleared from memory. This prevents an attacker from +trying to trick the client into installing an all-zero TK. + +This fixes the earlier fix in commit +ad00d64e7d8827b3cebd665a0ceb08adabf15e1e ('Fix TK configuration to the +driver in EAPOL-Key 3/4 retry case') which did not take into account +possibility of an extra message 1/4 showing up between retries of +message 3/4. + +Signed-off-by: Mathy Vanhoef <mathy.vanh...@cs.kuleuven.be> +--- + src/common/wpa_common.h | 1 + + src/rsn_supp/wpa.c | 5 ++--- + src/rsn_supp/wpa_i.h | 1 - + 3 files changed, 3 insertions(+), 4 deletions(-) + +diff --git a/src/common/wpa_common.h b/src/common/wpa_common.h +index d200285..1021ccb 100644 +--- a/src/common/wpa_common.h ++++ b/src/common/wpa_common.h +@@ -215,6 +215,7 @@ struct wpa_ptk { + size_t kck_len; + size_t kek_len; + size_t tk_len; ++ int installed; /* 1 if key has already been installed to driver */ + }; + + struct wpa_gtk { +diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c +index 7a2c68d..0550a41 100644 +--- a/src/rsn_supp/wpa.c ++++ b/src/rsn_supp/wpa.c +@@ -510,7 +510,6 @@ static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm, + os_memset(buf, 0, sizeof(buf)); + } + sm->tptk_set = 1; +- sm->tk_to_set = 1; + + kde = sm->assoc_wpa_ie; + kde_len = sm->assoc_wpa_ie_len; +@@ -615,7 +614,7 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm, + enum wpa_alg alg; + const u8 *key_rsc; + +- if (!sm->tk_to_set) { ++ if (sm->ptk.installed) { + wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, + "WPA: Do not re-install same PTK to the driver"); + return 0; +@@ -659,7 +658,7 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm, + + /* TK is not needed anymore in supplicant */ + os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN); +- sm->tk_to_set = 0; ++ sm->ptk.installed = 1; + + if (sm->wpa_ptk_rekey) { + eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL); +diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h +index 9a54631..41f371f 100644 +--- a/src/rsn_supp/wpa_i.h ++++ b/src/rsn_supp/wpa_i.h +@@ -24,7 +24,6 @@ struct wpa_sm { + struct wpa_ptk ptk, tptk; + int ptk_set, tptk_set; + unsigned int msg_3_of_4_ok:1; +- unsigned int tk_to_set:1; + u8 snonce[WPA_NONCE_LEN]; + u8 anonce[WPA_NONCE_LEN]; /* ANonce from the last 1/4 msg */ + int renew_snonce; +-- +2.7.4 + Deleted: 0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch =================================================================== --- 0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch 2018-02-09 12:53:40 UTC (rev 290444) +++ 0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch 2018-02-09 12:54:14 UTC (rev 290445) @@ -1,64 +0,0 @@ -From 12fac09b437a1dc8a0f253e265934a8aaf4d2f8b Mon Sep 17 00:00:00 2001 -From: Jouni Malinen <j...@w1.fi> -Date: Sun, 1 Oct 2017 12:32:57 +0300 -Subject: [PATCH 5/8] Fix PTK rekeying to generate a new ANonce - -The Authenticator state machine path for PTK rekeying ended up bypassing -the AUTHENTICATION2 state where a new ANonce is generated when going -directly to the PTKSTART state since there is no need to try to -determine the PMK again in such a case. This is far from ideal since the -new PTK would depend on a new nonce only from the supplicant. - -Fix this by generating a new ANonce when moving to the PTKSTART state -for the purpose of starting new 4-way handshake to rekey PTK. - -Signed-off-by: Jouni Malinen <j...@w1.fi> ---- - src/ap/wpa_auth.c | 24 +++++++++++++++++++++--- - 1 file changed, 21 insertions(+), 3 deletions(-) - -diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c -index 707971d..bf10cc1 100644 ---- a/src/ap/wpa_auth.c -+++ b/src/ap/wpa_auth.c -@@ -1901,6 +1901,21 @@ SM_STATE(WPA_PTK, AUTHENTICATION2) - } - - -+static int wpa_auth_sm_ptk_update(struct wpa_state_machine *sm) -+{ -+ if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) { -+ wpa_printf(MSG_ERROR, -+ "WPA: Failed to get random data for ANonce"); -+ sm->Disconnect = TRUE; -+ return -1; -+ } -+ wpa_hexdump(MSG_DEBUG, "WPA: Assign new ANonce", sm->ANonce, -+ WPA_NONCE_LEN); -+ sm->TimeoutCtr = 0; -+ return 0; -+} -+ -+ - SM_STATE(WPA_PTK, INITPMK) - { - u8 msk[2 * PMK_LEN]; -@@ -2458,9 +2473,12 @@ SM_STEP(WPA_PTK) - SM_ENTER(WPA_PTK, AUTHENTICATION); - else if (sm->ReAuthenticationRequest) - SM_ENTER(WPA_PTK, AUTHENTICATION2); -- else if (sm->PTKRequest) -- SM_ENTER(WPA_PTK, PTKSTART); -- else switch (sm->wpa_ptk_state) { -+ else if (sm->PTKRequest) { -+ if (wpa_auth_sm_ptk_update(sm) < 0) -+ SM_ENTER(WPA_PTK, DISCONNECTED); -+ else -+ SM_ENTER(WPA_PTK, PTKSTART); -+ } else switch (sm->wpa_ptk_state) { - case WPA_PTK_INITIALIZE: - break; - case WPA_PTK_DISCONNECT: --- -2.7.4 - Copied: hostapd/repos/community-x86_64/0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch (from rev 290444, hostapd/trunk/0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch) =================================================================== --- 0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch (rev 0) +++ 0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch 2018-02-09 12:54:14 UTC (rev 290445) @@ -0,0 +1,64 @@ +From 12fac09b437a1dc8a0f253e265934a8aaf4d2f8b Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <j...@w1.fi> +Date: Sun, 1 Oct 2017 12:32:57 +0300 +Subject: [PATCH 5/8] Fix PTK rekeying to generate a new ANonce + +The Authenticator state machine path for PTK rekeying ended up bypassing +the AUTHENTICATION2 state where a new ANonce is generated when going +directly to the PTKSTART state since there is no need to try to +determine the PMK again in such a case. This is far from ideal since the +new PTK would depend on a new nonce only from the supplicant. + +Fix this by generating a new ANonce when moving to the PTKSTART state +for the purpose of starting new 4-way handshake to rekey PTK. + +Signed-off-by: Jouni Malinen <j...@w1.fi> +--- + src/ap/wpa_auth.c | 24 +++++++++++++++++++++--- + 1 file changed, 21 insertions(+), 3 deletions(-) + +diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c +index 707971d..bf10cc1 100644 +--- a/src/ap/wpa_auth.c ++++ b/src/ap/wpa_auth.c +@@ -1901,6 +1901,21 @@ SM_STATE(WPA_PTK, AUTHENTICATION2) + } + + ++static int wpa_auth_sm_ptk_update(struct wpa_state_machine *sm) ++{ ++ if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) { ++ wpa_printf(MSG_ERROR, ++ "WPA: Failed to get random data for ANonce"); ++ sm->Disconnect = TRUE; ++ return -1; ++ } ++ wpa_hexdump(MSG_DEBUG, "WPA: Assign new ANonce", sm->ANonce, ++ WPA_NONCE_LEN); ++ sm->TimeoutCtr = 0; ++ return 0; ++} ++ ++ + SM_STATE(WPA_PTK, INITPMK) + { + u8 msk[2 * PMK_LEN]; +@@ -2458,9 +2473,12 @@ SM_STEP(WPA_PTK) + SM_ENTER(WPA_PTK, AUTHENTICATION); + else if (sm->ReAuthenticationRequest) + SM_ENTER(WPA_PTK, AUTHENTICATION2); +- else if (sm->PTKRequest) +- SM_ENTER(WPA_PTK, PTKSTART); +- else switch (sm->wpa_ptk_state) { ++ else if (sm->PTKRequest) { ++ if (wpa_auth_sm_ptk_update(sm) < 0) ++ SM_ENTER(WPA_PTK, DISCONNECTED); ++ else ++ SM_ENTER(WPA_PTK, PTKSTART); ++ } else switch (sm->wpa_ptk_state) { + case WPA_PTK_INITIALIZE: + break; + case WPA_PTK_DISCONNECT: +-- +2.7.4 + Deleted: 0006-TDLS-Reject-TPK-TK-reconfiguration.patch =================================================================== --- 0006-TDLS-Reject-TPK-TK-reconfiguration.patch 2018-02-09 12:53:40 UTC (rev 290444) +++ 0006-TDLS-Reject-TPK-TK-reconfiguration.patch 2018-02-09 12:54:14 UTC (rev 290445) @@ -1,132 +0,0 @@ -From 6c4bed4f47d1960ec04981a9d50e5076aea5223d Mon Sep 17 00:00:00 2001 -From: Jouni Malinen <j...@w1.fi> -Date: Fri, 22 Sep 2017 11:03:15 +0300 -Subject: [PATCH 6/8] TDLS: Reject TPK-TK reconfiguration - -Do not try to reconfigure the same TPK-TK to the driver after it has -been successfully configured. This is an explicit check to avoid issues -related to resetting the TX/RX packet number. There was already a check -for this for TPK M2 (retries of that message are ignored completely), so -that behavior does not get modified. - -For TPK M3, the TPK-TK could have been reconfigured, but that was -followed by immediate teardown of the link due to an issue in updating -the STA entry. Furthermore, for TDLS with any real security (i.e., -ignoring open/WEP), the TPK message exchange is protected on the AP path -and simple replay attacks are not feasible. - -As an additional corner case, make sure the local nonce gets updated if -the peer uses a very unlikely "random nonce" of all zeros. - -Signed-off-by: Jouni Malinen <j...@w1.fi> ---- - src/rsn_supp/tdls.c | 38 ++++++++++++++++++++++++++++++++++++-- - 1 file changed, 36 insertions(+), 2 deletions(-) - -diff --git a/src/rsn_supp/tdls.c b/src/rsn_supp/tdls.c -index e424168..9eb9738 100644 ---- a/src/rsn_supp/tdls.c -+++ b/src/rsn_supp/tdls.c -@@ -112,6 +112,7 @@ struct wpa_tdls_peer { - u8 tk[16]; /* TPK-TK; assuming only CCMP will be used */ - } tpk; - int tpk_set; -+ int tk_set; /* TPK-TK configured to the driver */ - int tpk_success; - int tpk_in_progress; - -@@ -192,6 +193,20 @@ static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) - u8 rsc[6]; - enum wpa_alg alg; - -+ if (peer->tk_set) { -+ /* -+ * This same TPK-TK has already been configured to the driver -+ * and this new configuration attempt (likely due to an -+ * unexpected retransmitted frame) would result in clearing -+ * the TX/RX sequence number which can break security, so must -+ * not allow that to happen. -+ */ -+ wpa_printf(MSG_INFO, "TDLS: TPK-TK for the peer " MACSTR -+ " has already been configured to the driver - do not reconfigure", -+ MAC2STR(peer->addr)); -+ return -1; -+ } -+ - os_memset(rsc, 0, 6); - - switch (peer->cipher) { -@@ -209,12 +224,15 @@ static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) - return -1; - } - -+ wpa_printf(MSG_DEBUG, "TDLS: Configure pairwise key for peer " MACSTR, -+ MAC2STR(peer->addr)); - if (wpa_sm_set_key(sm, alg, peer->addr, -1, 1, - rsc, sizeof(rsc), peer->tpk.tk, key_len) < 0) { - wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the " - "driver"); - return -1; - } -+ peer->tk_set = 1; - return 0; - } - -@@ -696,7 +714,7 @@ static void wpa_tdls_peer_clear(struct wpa_sm *sm, struct wpa_tdls_peer *peer) - peer->cipher = 0; - peer->qos_info = 0; - peer->wmm_capable = 0; -- peer->tpk_set = peer->tpk_success = 0; -+ peer->tk_set = peer->tpk_set = peer->tpk_success = 0; - peer->chan_switch_enabled = 0; - os_memset(&peer->tpk, 0, sizeof(peer->tpk)); - os_memset(peer->inonce, 0, WPA_NONCE_LEN); -@@ -1159,6 +1177,7 @@ skip_rsnie: - wpa_tdls_peer_free(sm, peer); - return -1; - } -+ peer->tk_set = 0; /* A new nonce results in a new TK */ - wpa_hexdump(MSG_DEBUG, "TDLS: Initiator Nonce for TPK handshake", - peer->inonce, WPA_NONCE_LEN); - os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); -@@ -1751,6 +1770,19 @@ static int wpa_tdls_addset_peer(struct wpa_sm *sm, struct wpa_tdls_peer *peer, - } - - -+static int tdls_nonce_set(const u8 *nonce) -+{ -+ int i; -+ -+ for (i = 0; i < WPA_NONCE_LEN; i++) { -+ if (nonce[i]) -+ return 1; -+ } -+ -+ return 0; -+} -+ -+ - static int wpa_tdls_process_tpk_m1(struct wpa_sm *sm, const u8 *src_addr, - const u8 *buf, size_t len) - { -@@ -2004,7 +2036,8 @@ skip_rsn: - peer->rsnie_i_len = kde.rsn_ie_len; - peer->cipher = cipher; - -- if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) { -+ if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0 || -+ !tdls_nonce_set(peer->inonce)) { - /* - * There is no point in updating the RNonce for every obtained - * TPK M1 frame (e.g., retransmission due to timeout) with the -@@ -2020,6 +2053,7 @@ skip_rsn: - "TDLS: Failed to get random data for responder nonce"); - goto error; - } -+ peer->tk_set = 0; /* A new nonce results in a new TK */ - } - - #if 0 --- -2.7.4 - Copied: hostapd/repos/community-x86_64/0006-TDLS-Reject-TPK-TK-reconfiguration.patch (from rev 290444, hostapd/trunk/0006-TDLS-Reject-TPK-TK-reconfiguration.patch) =================================================================== --- 0006-TDLS-Reject-TPK-TK-reconfiguration.patch (rev 0) +++ 0006-TDLS-Reject-TPK-TK-reconfiguration.patch 2018-02-09 12:54:14 UTC (rev 290445) @@ -0,0 +1,132 @@ +From 6c4bed4f47d1960ec04981a9d50e5076aea5223d Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <j...@w1.fi> +Date: Fri, 22 Sep 2017 11:03:15 +0300 +Subject: [PATCH 6/8] TDLS: Reject TPK-TK reconfiguration + +Do not try to reconfigure the same TPK-TK to the driver after it has +been successfully configured. This is an explicit check to avoid issues +related to resetting the TX/RX packet number. There was already a check +for this for TPK M2 (retries of that message are ignored completely), so +that behavior does not get modified. + +For TPK M3, the TPK-TK could have been reconfigured, but that was +followed by immediate teardown of the link due to an issue in updating +the STA entry. Furthermore, for TDLS with any real security (i.e., +ignoring open/WEP), the TPK message exchange is protected on the AP path +and simple replay attacks are not feasible. + +As an additional corner case, make sure the local nonce gets updated if +the peer uses a very unlikely "random nonce" of all zeros. + +Signed-off-by: Jouni Malinen <j...@w1.fi> +--- + src/rsn_supp/tdls.c | 38 ++++++++++++++++++++++++++++++++++++-- + 1 file changed, 36 insertions(+), 2 deletions(-) + +diff --git a/src/rsn_supp/tdls.c b/src/rsn_supp/tdls.c +index e424168..9eb9738 100644 +--- a/src/rsn_supp/tdls.c ++++ b/src/rsn_supp/tdls.c +@@ -112,6 +112,7 @@ struct wpa_tdls_peer { + u8 tk[16]; /* TPK-TK; assuming only CCMP will be used */ + } tpk; + int tpk_set; ++ int tk_set; /* TPK-TK configured to the driver */ + int tpk_success; + int tpk_in_progress; + +@@ -192,6 +193,20 @@ static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) + u8 rsc[6]; + enum wpa_alg alg; + ++ if (peer->tk_set) { ++ /* ++ * This same TPK-TK has already been configured to the driver ++ * and this new configuration attempt (likely due to an ++ * unexpected retransmitted frame) would result in clearing ++ * the TX/RX sequence number which can break security, so must ++ * not allow that to happen. ++ */ ++ wpa_printf(MSG_INFO, "TDLS: TPK-TK for the peer " MACSTR ++ " has already been configured to the driver - do not reconfigure", ++ MAC2STR(peer->addr)); ++ return -1; ++ } ++ + os_memset(rsc, 0, 6); + + switch (peer->cipher) { +@@ -209,12 +224,15 @@ static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) + return -1; + } + ++ wpa_printf(MSG_DEBUG, "TDLS: Configure pairwise key for peer " MACSTR, ++ MAC2STR(peer->addr)); + if (wpa_sm_set_key(sm, alg, peer->addr, -1, 1, + rsc, sizeof(rsc), peer->tpk.tk, key_len) < 0) { + wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the " + "driver"); + return -1; + } ++ peer->tk_set = 1; + return 0; + } + +@@ -696,7 +714,7 @@ static void wpa_tdls_peer_clear(struct wpa_sm *sm, struct wpa_tdls_peer *peer) + peer->cipher = 0; + peer->qos_info = 0; + peer->wmm_capable = 0; +- peer->tpk_set = peer->tpk_success = 0; ++ peer->tk_set = peer->tpk_set = peer->tpk_success = 0; + peer->chan_switch_enabled = 0; + os_memset(&peer->tpk, 0, sizeof(peer->tpk)); + os_memset(peer->inonce, 0, WPA_NONCE_LEN); +@@ -1159,6 +1177,7 @@ skip_rsnie: + wpa_tdls_peer_free(sm, peer); + return -1; + } ++ peer->tk_set = 0; /* A new nonce results in a new TK */ + wpa_hexdump(MSG_DEBUG, "TDLS: Initiator Nonce for TPK handshake", + peer->inonce, WPA_NONCE_LEN); + os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); +@@ -1751,6 +1770,19 @@ static int wpa_tdls_addset_peer(struct wpa_sm *sm, struct wpa_tdls_peer *peer, + } + + ++static int tdls_nonce_set(const u8 *nonce) ++{ ++ int i; ++ ++ for (i = 0; i < WPA_NONCE_LEN; i++) { ++ if (nonce[i]) ++ return 1; ++ } ++ ++ return 0; ++} ++ ++ + static int wpa_tdls_process_tpk_m1(struct wpa_sm *sm, const u8 *src_addr, + const u8 *buf, size_t len) + { +@@ -2004,7 +2036,8 @@ skip_rsn: + peer->rsnie_i_len = kde.rsn_ie_len; + peer->cipher = cipher; + +- if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) { ++ if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0 || ++ !tdls_nonce_set(peer->inonce)) { + /* + * There is no point in updating the RNonce for every obtained + * TPK M1 frame (e.g., retransmission due to timeout) with the +@@ -2020,6 +2053,7 @@ skip_rsn: + "TDLS: Failed to get random data for responder nonce"); + goto error; + } ++ peer->tk_set = 0; /* A new nonce results in a new TK */ + } + + #if 0 +-- +2.7.4 + Deleted: 0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch =================================================================== --- 0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch 2018-02-09 12:53:40 UTC (rev 290444) +++ 0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch 2018-02-09 12:54:14 UTC (rev 290445) @@ -1,82 +0,0 @@ -From b372ab0b7daea719749194dc554b26e6367603f2 Mon Sep 17 00:00:00 2001 -From: Jouni Malinen <j...@w1.fi> -Date: Fri, 22 Sep 2017 12:06:37 +0300 -Subject: [PATCH 8/8] FT: Do not allow multiple Reassociation Response frames - -The driver is expected to not report a second association event without -the station having explicitly request a new association. As such, this -case should not be reachable. However, since reconfiguring the same -pairwise or group keys to the driver could result in nonce reuse issues, -be extra careful here and do an additional state check to avoid this -even if the local driver ends up somehow accepting an unexpected -Reassociation Response frame. - -Signed-off-by: Jouni Malinen <j...@w1.fi> ---- - src/rsn_supp/wpa.c | 3 +++ - src/rsn_supp/wpa_ft.c | 8 ++++++++ - src/rsn_supp/wpa_i.h | 1 + - 3 files changed, 12 insertions(+) - -diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c -index 0550a41..2a53c6f 100644 ---- a/src/rsn_supp/wpa.c -+++ b/src/rsn_supp/wpa.c -@@ -2440,6 +2440,9 @@ void wpa_sm_notify_disassoc(struct wpa_sm *sm) - #ifdef CONFIG_TDLS - wpa_tdls_disassoc(sm); - #endif /* CONFIG_TDLS */ -+#ifdef CONFIG_IEEE80211R -+ sm->ft_reassoc_completed = 0; -+#endif /* CONFIG_IEEE80211R */ - - /* Keys are not needed in the WPA state machine anymore */ - wpa_sm_drop_sa(sm); -diff --git a/src/rsn_supp/wpa_ft.c b/src/rsn_supp/wpa_ft.c -index 205793e..d45bb45 100644 ---- a/src/rsn_supp/wpa_ft.c -+++ b/src/rsn_supp/wpa_ft.c -@@ -153,6 +153,7 @@ static u8 * wpa_ft_gen_req_ies(struct wpa_sm *sm, size_t *len, - u16 capab; - - sm->ft_completed = 0; -+ sm->ft_reassoc_completed = 0; - - buf_len = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) + - 2 + sm->r0kh_id_len + ric_ies_len + 100; -@@ -681,6 +682,11 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies, - return -1; - } - -+ if (sm->ft_reassoc_completed) { -+ wpa_printf(MSG_DEBUG, "FT: Reassociation has already been completed for this FT protocol instance - ignore unexpected retransmission"); -+ return 0; -+ } -+ - if (wpa_ft_parse_ies(ies, ies_len, &parse) < 0) { - wpa_printf(MSG_DEBUG, "FT: Failed to parse IEs"); - return -1; -@@ -781,6 +787,8 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies, - return -1; - } - -+ sm->ft_reassoc_completed = 1; -+ - if (wpa_ft_process_gtk_subelem(sm, parse.gtk, parse.gtk_len) < 0) - return -1; - -diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h -index 41f371f..56f88dc 100644 ---- a/src/rsn_supp/wpa_i.h -+++ b/src/rsn_supp/wpa_i.h -@@ -128,6 +128,7 @@ struct wpa_sm { - size_t r0kh_id_len; - u8 r1kh_id[FT_R1KH_ID_LEN]; - int ft_completed; -+ int ft_reassoc_completed; - int over_the_ds_in_progress; - u8 target_ap[ETH_ALEN]; /* over-the-DS target AP */ - int set_ptk_after_assoc; --- -2.7.4 - Copied: hostapd/repos/community-x86_64/0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch (from rev 290444, hostapd/trunk/0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch) =================================================================== --- 0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch (rev 0) +++ 0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch 2018-02-09 12:54:14 UTC (rev 290445) @@ -0,0 +1,82 @@ +From b372ab0b7daea719749194dc554b26e6367603f2 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <j...@w1.fi> +Date: Fri, 22 Sep 2017 12:06:37 +0300 +Subject: [PATCH 8/8] FT: Do not allow multiple Reassociation Response frames + +The driver is expected to not report a second association event without +the station having explicitly request a new association. As such, this +case should not be reachable. However, since reconfiguring the same +pairwise or group keys to the driver could result in nonce reuse issues, +be extra careful here and do an additional state check to avoid this +even if the local driver ends up somehow accepting an unexpected +Reassociation Response frame. + +Signed-off-by: Jouni Malinen <j...@w1.fi> +--- + src/rsn_supp/wpa.c | 3 +++ + src/rsn_supp/wpa_ft.c | 8 ++++++++ + src/rsn_supp/wpa_i.h | 1 + + 3 files changed, 12 insertions(+) + +diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c +index 0550a41..2a53c6f 100644 +--- a/src/rsn_supp/wpa.c ++++ b/src/rsn_supp/wpa.c +@@ -2440,6 +2440,9 @@ void wpa_sm_notify_disassoc(struct wpa_sm *sm) + #ifdef CONFIG_TDLS + wpa_tdls_disassoc(sm); + #endif /* CONFIG_TDLS */ ++#ifdef CONFIG_IEEE80211R ++ sm->ft_reassoc_completed = 0; ++#endif /* CONFIG_IEEE80211R */ + + /* Keys are not needed in the WPA state machine anymore */ + wpa_sm_drop_sa(sm); +diff --git a/src/rsn_supp/wpa_ft.c b/src/rsn_supp/wpa_ft.c +index 205793e..d45bb45 100644 +--- a/src/rsn_supp/wpa_ft.c ++++ b/src/rsn_supp/wpa_ft.c +@@ -153,6 +153,7 @@ static u8 * wpa_ft_gen_req_ies(struct wpa_sm *sm, size_t *len, + u16 capab; + + sm->ft_completed = 0; ++ sm->ft_reassoc_completed = 0; + + buf_len = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) + + 2 + sm->r0kh_id_len + ric_ies_len + 100; +@@ -681,6 +682,11 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies, + return -1; + } + ++ if (sm->ft_reassoc_completed) { ++ wpa_printf(MSG_DEBUG, "FT: Reassociation has already been completed for this FT protocol instance - ignore unexpected retransmission"); ++ return 0; ++ } ++ + if (wpa_ft_parse_ies(ies, ies_len, &parse) < 0) { + wpa_printf(MSG_DEBUG, "FT: Failed to parse IEs"); + return -1; +@@ -781,6 +787,8 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies, + return -1; + } + ++ sm->ft_reassoc_completed = 1; ++ + if (wpa_ft_process_gtk_subelem(sm, parse.gtk, parse.gtk_len) < 0) + return -1; + +diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h +index 41f371f..56f88dc 100644 +--- a/src/rsn_supp/wpa_i.h ++++ b/src/rsn_supp/wpa_i.h +@@ -128,6 +128,7 @@ struct wpa_sm { + size_t r0kh_id_len; + u8 r1kh_id[FT_R1KH_ID_LEN]; + int ft_completed; ++ int ft_reassoc_completed; + int over_the_ds_in_progress; + u8 target_ap[ETH_ALEN]; /* over-the-DS target AP */ + int set_ptk_after_assoc; +-- +2.7.4 + Deleted: PKGBUILD =================================================================== --- PKGBUILD 2018-02-09 12:53:40 UTC (rev 290444) +++ PKGBUILD 2018-02-09 12:54:14 UTC (rev 290445) @@ -1,85 +0,0 @@ -# $Id$ -# Maintainer: Sergej Pupykin <pupykin.s+a...@gmail.com> - -pkgname=hostapd -pkgver=2.6 -pkgrel=6 -pkgdesc="IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator" -arch=('i686' 'x86_64') -url="https://w1.fi/hostapd/" -license=(GPL) -depends=('openssl' 'libnl') -options=(emptydirs) -validpgpkeys=('EC4AA0A991A5F2464582D52D2B6EF432EFC895FA') # Jouni Malinen -source=(https://w1.fi/releases/$pkgname-$pkgver.tar.gz{,.asc} - config - hostapd.service - hostapd-2.3-noscan.patch - openvswitch.patch - 0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch - 0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch - 0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch - 0004-Prevent-installation-of-an-all-zero-TK.patch - 0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch - 0006-TDLS-Reject-TPK-TK-reconfiguration.patch - 0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch) -sha256sums=('01526b90c1d23bec4b0f052039cc4456c2fd19347b4d830d1d58a0a6aea7117d' - 'SKIP' - '2d736aebe345137c60145517f1116d6b5366eb374e01c70d79788bb5de0a44be' - '989bc6855f44c0b360e3d4cd4a146c35b7c12f8a0ced627b4b033f58edcade8e' - 'c15b4310f21b41254e4d4485bc04e36926572f213e7c4d3a17038fdff19529b5' - 'eeb07b5a3b971b3108ce8c5c947f4600d98ec9b338b8b88a96a7774cef269e49' - '529113cc81256c6178f3c1cf25dd8d3f33e6d770e4a180bd31c6ab7e4917f40b' - 'd86d47ab74170f3648b45b91bce780949ca92b09ab43df065178850ec0c335d7' - 'd4535e36739a0cc7f3585e6bcba3c0bb8fc67cb3e729844e448c5dc751f47e81' - '793a54748161b5af430dd9de4a1988d19cb8e85ab29bc2340f886b0297cee20b' - '147c8abe07606905d16404fb2d2c8849796ca7c85ed8673c09bb50038bcdeb9e' - '596d4d3b63ea859ed7ea9791b3a21cb11b6173b04c0a14a2afa47edf1666afa6' - 'c8840d857b9432f3b488113c85c1ff5d4a4b8d81078b7033388dae1e990843b1') - -prepare() { - cd $pkgname-$pkgver - local i; for i in "${source[@]}"; do - case $i in - *.patch) - msg2 "Applying patch $i" - patch -p1 -i "$srcdir/$i" - ;; - esac - done -} - -build() { - cd $pkgname-$pkgver/hostapd - cp ../../config .config - sed -i 's#/etc/hostapd#/etc/hostapd/hostapd#' hostapd.conf - export CFLAGS="$CFLAGS $(pkg-config --cflags libnl-3.0)" - make -} - -package() { - # Systemd unit - install -Dm644 hostapd.service "$pkgdir/usr/lib/systemd/system/hostapd.service" - - cd $pkgname-$pkgver - - # License - install -Dm644 COPYING "$pkgdir/usr/share/licenses/$pkgname/COPYING" - - cd hostapd - - # Binaries - install -d "$pkgdir/usr/bin" - install -t "$pkgdir/usr/bin" hostapd hostapd_cli - - # Configuration - install -d "$pkgdir/etc/hostapd" - install -d "$pkgdir/usr/share/doc/hostapd" - install -m644 -t "$pkgdir/usr/share/doc/hostapd" \ - hostapd.{accept,conf,deny,eap_user,radius_clients,sim_db,vlan,wpa_psk} \ - wired.conf hlr_auc_gw.milenage_db - - # Man pages - install -Dm644 hostapd.8 "$pkgdir/usr/share/man/man8/hostapd.8" - install -Dm644 hostapd_cli.1 "$pkgdir/usr/share/man/man1/hostapd_cli.1" -} Copied: hostapd/repos/community-x86_64/PKGBUILD (from rev 290444, hostapd/trunk/PKGBUILD) =================================================================== --- PKGBUILD (rev 0) +++ PKGBUILD 2018-02-09 12:54:14 UTC (rev 290445) @@ -0,0 +1,85 @@ +# $Id$ +# Maintainer: Sergej Pupykin <pupykin.s+a...@gmail.com> + +pkgname=hostapd +pkgver=2.6 +pkgrel=7 +pkgdesc="IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator" +arch=('x86_64') +url="https://w1.fi/hostapd/" +license=(GPL) +depends=('openssl' 'libnl') +options=(emptydirs) +validpgpkeys=('EC4AA0A991A5F2464582D52D2B6EF432EFC895FA') # Jouni Malinen +source=(https://w1.fi/releases/$pkgname-$pkgver.tar.gz{,.asc} + config + hostapd.service + hostapd-2.3-noscan.patch + openvswitch.patch + 0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch + 0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch + 0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch + 0004-Prevent-installation-of-an-all-zero-TK.patch + 0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch + 0006-TDLS-Reject-TPK-TK-reconfiguration.patch + 0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch) +sha256sums=('01526b90c1d23bec4b0f052039cc4456c2fd19347b4d830d1d58a0a6aea7117d' + 'SKIP' + 'a39e011bf0c3f2d21db8816a7e608a99b9d598c7b559d58d026f10e4359d428d' + '989bc6855f44c0b360e3d4cd4a146c35b7c12f8a0ced627b4b033f58edcade8e' + 'c15b4310f21b41254e4d4485bc04e36926572f213e7c4d3a17038fdff19529b5' + 'eeb07b5a3b971b3108ce8c5c947f4600d98ec9b338b8b88a96a7774cef269e49' + '529113cc81256c6178f3c1cf25dd8d3f33e6d770e4a180bd31c6ab7e4917f40b' + 'd86d47ab74170f3648b45b91bce780949ca92b09ab43df065178850ec0c335d7' + 'd4535e36739a0cc7f3585e6bcba3c0bb8fc67cb3e729844e448c5dc751f47e81' + '793a54748161b5af430dd9de4a1988d19cb8e85ab29bc2340f886b0297cee20b' + '147c8abe07606905d16404fb2d2c8849796ca7c85ed8673c09bb50038bcdeb9e' + '596d4d3b63ea859ed7ea9791b3a21cb11b6173b04c0a14a2afa47edf1666afa6' + 'c8840d857b9432f3b488113c85c1ff5d4a4b8d81078b7033388dae1e990843b1') + +prepare() { + cd $pkgname-$pkgver + local i; for i in "${source[@]}"; do + case $i in + *.patch) + msg2 "Applying patch $i" + patch -p1 -i "$srcdir/$i" + ;; + esac + done +} + +build() { + cd $pkgname-$pkgver/hostapd + cp ../../config .config + sed -i 's#/etc/hostapd#/etc/hostapd/hostapd#' hostapd.conf + export CFLAGS="$CFLAGS $(pkg-config --cflags libnl-3.0)" + make +} + +package() { + # Systemd unit + install -Dm644 hostapd.service "$pkgdir/usr/lib/systemd/system/hostapd.service" + + cd $pkgname-$pkgver + + # License + install -Dm644 COPYING "$pkgdir/usr/share/licenses/$pkgname/COPYING" + + cd hostapd + + # Binaries + install -d "$pkgdir/usr/bin" + install -t "$pkgdir/usr/bin" hostapd hostapd_cli + + # Configuration + install -d "$pkgdir/etc/hostapd" + install -d "$pkgdir/usr/share/doc/hostapd" + install -m644 -t "$pkgdir/usr/share/doc/hostapd" \ + hostapd.{accept,conf,deny,eap_user,radius_clients,sim_db,vlan,wpa_psk} \ + wired.conf hlr_auc_gw.milenage_db + + # Man pages + install -Dm644 hostapd.8 "$pkgdir/usr/share/man/man8/hostapd.8" + install -Dm644 hostapd_cli.1 "$pkgdir/usr/share/man/man1/hostapd_cli.1" +} Deleted: config =================================================================== --- config 2018-02-09 12:53:40 UTC (rev 290444) +++ config 2018-02-09 12:54:14 UTC (rev 290445) @@ -1,100 +0,0 @@ -# Example hostapd build time configuration -# -# This file lists the configuration options that are used when building the -# hostapd binary. All lines starting with # are ignored. Configuration option -# lines must be commented out complete, if they are not to be included, i.e., -# just setting VARIABLE=n is not disabling that variable. -# -# This file is included in Makefile, so variables like CFLAGS and LIBS can also -# be modified from here. In most cass, these lines should use += in order not -# to override previous values of the variables. - -# Driver interface for Host AP driver -CONFIG_DRIVER_HOSTAP=y - -# Driver interface for wired authenticator -CONFIG_DRIVER_WIRED=y - -# Driver interface for Prism54 driver -CONFIG_DRIVER_PRISM54=y - -# IEEE 802.11F/IAPP -CONFIG_IAPP=y - -# WPA2/IEEE 802.11i RSN pre-authentication -CONFIG_RSN_PREAUTH=y - -# PeerKey handshake for Station to Station Link (IEEE 802.11e DLS) -CONFIG_PEERKEY=y - -# IEEE 802.11w (management frame protection) -# This version is an experimental implementation based on IEEE 802.11w/D1.0 -# draft and is subject to change since the standard has not yet been finalized. -# Driver support is also needed for IEEE 802.11w. -CONFIG_IEEE80211W=y - -# Integrated EAP server -CONFIG_EAP=y - -# EAP-MD5 for the integrated EAP server -CONFIG_EAP_MD5=y - -# EAP-TLS for the integrated EAP server -CONFIG_EAP_TLS=y - -# EAP-MSCHAPv2 for the integrated EAP server -CONFIG_EAP_MSCHAPV2=y - -# EAP-PEAP for the integrated EAP server -CONFIG_EAP_PEAP=y - -# EAP-GTC for the integrated EAP server -CONFIG_EAP_GTC=y - -# EAP-TTLS for the integrated EAP server -CONFIG_EAP_TTLS=y - -# EAP-SIM for the integrated EAP server -CONFIG_EAP_SIM=y - -# EAP-AKA for the integrated EAP server -CONFIG_EAP_AKA=y - -# EAP-PAX for the integrated EAP server -CONFIG_EAP_PAX=y - -# EAP-PSK for the integrated EAP server (this is _not_ needed for WPA-PSK) -CONFIG_EAP_PSK=y - -# EAP-SAKE for the integrated EAP server -CONFIG_EAP_SAKE=y - -# EAP-GPSK for the integrated EAP server -CONFIG_EAP_GPSK=y -# Include support for optional SHA256 cipher suite in EAP-GPSK -CONFIG_EAP_GPSK_SHA256=y - -# PKCS#12 (PFX) support (used to read private key and certificate file from -# a file that usually has extension .p12 or .pfx) -CONFIG_PKCS12=y - -# RADIUS authentication server. This provides access to the integrated EAP -# server from external hosts using RADIUS. -CONFIG_RADIUS_SERVER=y - -# Build IPv6 support for RADIUS operations -CONFIG_IPV6=y - -CONFIG_DRIVER_NL80211=y - -CONFIG_IEEE80211N=y - -CONFIG_LIBNL32=y - -CONFIG_ACS=y - -CONFIG_IEEE80211AC=y - -CONFIG_OPENVSWITCH=y - -CONFIG_IEEE80211R=y Copied: hostapd/repos/community-x86_64/config (from rev 290444, hostapd/trunk/config) =================================================================== --- config (rev 0) +++ config 2018-02-09 12:54:14 UTC (rev 290445) @@ -0,0 +1,106 @@ +# Example hostapd build time configuration +# +# This file lists the configuration options that are used when building the +# hostapd binary. All lines starting with # are ignored. Configuration option +# lines must be commented out complete, if they are not to be included, i.e., +# just setting VARIABLE=n is not disabling that variable. +# +# This file is included in Makefile, so variables like CFLAGS and LIBS can also +# be modified from here. In most cass, these lines should use += in order not +# to override previous values of the variables. + +# Driver interface for Host AP driver +CONFIG_DRIVER_HOSTAP=y + +# Driver interface for wired authenticator +CONFIG_DRIVER_WIRED=y + +# Driver interface for Prism54 driver +CONFIG_DRIVER_PRISM54=y + +# IEEE 802.11F/IAPP +CONFIG_IAPP=y + +# WPA2/IEEE 802.11i RSN pre-authentication +CONFIG_RSN_PREAUTH=y + +# PeerKey handshake for Station to Station Link (IEEE 802.11e DLS) +CONFIG_PEERKEY=y + +# IEEE 802.11w (management frame protection) +# This version is an experimental implementation based on IEEE 802.11w/D1.0 +# draft and is subject to change since the standard has not yet been finalized. +# Driver support is also needed for IEEE 802.11w. +CONFIG_IEEE80211W=y + +# Integrated EAP server +CONFIG_EAP=y + +# EAP-MD5 for the integrated EAP server +CONFIG_EAP_MD5=y + +# EAP-TLS for the integrated EAP server +CONFIG_EAP_TLS=y + +# EAP-MSCHAPv2 for the integrated EAP server +CONFIG_EAP_MSCHAPV2=y + +# EAP-PEAP for the integrated EAP server +CONFIG_EAP_PEAP=y + +# EAP-GTC for the integrated EAP server +CONFIG_EAP_GTC=y + +# EAP-TTLS for the integrated EAP server +CONFIG_EAP_TTLS=y + +# EAP-SIM for the integrated EAP server +CONFIG_EAP_SIM=y + +# EAP-AKA for the integrated EAP server +CONFIG_EAP_AKA=y + +# EAP-PAX for the integrated EAP server +CONFIG_EAP_PAX=y + +# EAP-PSK for the integrated EAP server (this is _not_ needed for WPA-PSK) +CONFIG_EAP_PSK=y + +# EAP-SAKE for the integrated EAP server +CONFIG_EAP_SAKE=y + +# EAP-GPSK for the integrated EAP server +CONFIG_EAP_GPSK=y +# Include support for optional SHA256 cipher suite in EAP-GPSK +CONFIG_EAP_GPSK_SHA256=y + +# PKCS#12 (PFX) support (used to read private key and certificate file from +# a file that usually has extension .p12 or .pfx) +CONFIG_PKCS12=y + +# RADIUS authentication server. This provides access to the integrated EAP +# server from external hosts using RADIUS. +CONFIG_RADIUS_SERVER=y + +# Build IPv6 support for RADIUS operations +CONFIG_IPV6=y + +CONFIG_DRIVER_NL80211=y + +CONFIG_IEEE80211N=y + +CONFIG_LIBNL32=y + +CONFIG_ACS=y + +CONFIG_IEEE80211AC=y + +CONFIG_OPENVSWITCH=y + +CONFIG_IEEE80211R=y + +CONFIG_WPS=y + +CONFIG_WPS2=y + +CONFIG_WPS_UPNP=y Deleted: hostapd-2.3-noscan.patch =================================================================== --- hostapd-2.3-noscan.patch 2018-02-09 12:53:40 UTC (rev 290444) +++ hostapd-2.3-noscan.patch 2018-02-09 12:54:14 UTC (rev 290445) @@ -1,76 +0,0 @@ -diff -wbBur hostapd-2.6/hostapd/config_file.c hostapd-2.6.my/hostapd/config_file.c ---- hostapd-2.6/hostapd/config_file.c 2016-10-02 21:51:11.000000000 +0300 -+++ hostapd-2.6.my/hostapd/config_file.c 2016-10-04 21:14:04.986440035 +0300 -@@ -2863,6 +2863,8 @@ - } - #endif /* CONFIG_IEEE80211W */ - #ifdef CONFIG_IEEE80211N -+ } else if (os_strcmp(buf, "noscan") == 0) { -+ conf->noscan = atoi(pos); - } else if (os_strcmp(buf, "ieee80211n") == 0) { - conf->ieee80211n = atoi(pos); - } else if (os_strcmp(buf, "ht_capab") == 0) { -diff -wbBur hostapd-2.6/src/ap/ap_config.h hostapd-2.6.my/src/ap/ap_config.h ---- hostapd-2.6/src/ap/ap_config.h 2016-10-02 21:51:11.000000000 +0300 -+++ hostapd-2.6.my/src/ap/ap_config.h 2016-10-04 21:14:04.986440035 +0300 -@@ -664,6 +664,7 @@ - - int ht_op_mode_fixed; - u16 ht_capab; -+ int noscan; - int ieee80211n; - int secondary_channel; - int no_pri_sec_switch; -diff -wbBur hostapd-2.6/src/ap/hw_features.c hostapd-2.6.my/src/ap/hw_features.c ---- hostapd-2.6/src/ap/hw_features.c 2016-10-02 21:51:11.000000000 +0300 -+++ hostapd-2.6.my/src/ap/hw_features.c 2016-10-04 21:15:19.323105847 +0300 -@@ -226,7 +226,7 @@ - { - int pri_chan, sec_chan; - -- if (!iface->conf->secondary_channel) -+ if (!iface->conf->secondary_channel || iface->conf->noscan) - return 1; /* HT40 not used */ - - pri_chan = iface->conf->channel; -@@ -474,7 +474,7 @@ - int ret; - - /* Check that HT40 is used and PRI / SEC switch is allowed */ -- if (!iface->conf->secondary_channel || iface->conf->no_pri_sec_switch) -+ if (!iface->conf->secondary_channel || iface->conf->no_pri_sec_switch || iface->conf->noscan) - return 0; - - hostapd_set_state(iface, HAPD_IFACE_HT_SCAN); -@@ -794,7 +794,7 @@ - if (!hostapd_is_usable_chan(iface, iface->conf->channel, 1)) - return 0; - -- if (!iface->conf->secondary_channel) -+ if (!iface->conf->secondary_channel || iface->conf->noscan) - return 1; - - return hostapd_is_usable_chan(iface, iface->conf->channel + -diff -wbBur hostapd-2.6/src/ap/ieee802_11_ht.c hostapd-2.6.my/src/ap/ieee802_11_ht.c ---- hostapd-2.6/src/ap/ieee802_11_ht.c 2016-10-02 21:51:11.000000000 +0300 -+++ hostapd-2.6.my/src/ap/ieee802_11_ht.c 2016-10-04 21:14:04.989773368 +0300 -@@ -244,6 +244,9 @@ - if (!(iface->conf->ht_capab & HT_CAP_INFO_SUPP_CHANNEL_WIDTH_SET)) - return; - -+ if (iface->conf->noscan) -+ return; -+ - if (len < IEEE80211_HDRLEN + 2 + sizeof(*bc_ie)) - return; - -@@ -368,6 +371,9 @@ - if (iface->current_mode->mode != HOSTAPD_MODE_IEEE80211G) - return; - -+ if (iface->conf->noscan) -+ return; -+ - wpa_printf(MSG_INFO, "HT: Forty MHz Intolerant is set by STA " MACSTR - " in Association Request", MAC2STR(sta->addr)); - Copied: hostapd/repos/community-x86_64/hostapd-2.3-noscan.patch (from rev 290444, hostapd/trunk/hostapd-2.3-noscan.patch) =================================================================== --- hostapd-2.3-noscan.patch (rev 0) +++ hostapd-2.3-noscan.patch 2018-02-09 12:54:14 UTC (rev 290445) @@ -0,0 +1,76 @@ +diff -wbBur hostapd-2.6/hostapd/config_file.c hostapd-2.6.my/hostapd/config_file.c +--- hostapd-2.6/hostapd/config_file.c 2016-10-02 21:51:11.000000000 +0300 ++++ hostapd-2.6.my/hostapd/config_file.c 2016-10-04 21:14:04.986440035 +0300 +@@ -2863,6 +2863,8 @@ + } + #endif /* CONFIG_IEEE80211W */ + #ifdef CONFIG_IEEE80211N ++ } else if (os_strcmp(buf, "noscan") == 0) { ++ conf->noscan = atoi(pos); + } else if (os_strcmp(buf, "ieee80211n") == 0) { + conf->ieee80211n = atoi(pos); + } else if (os_strcmp(buf, "ht_capab") == 0) { +diff -wbBur hostapd-2.6/src/ap/ap_config.h hostapd-2.6.my/src/ap/ap_config.h +--- hostapd-2.6/src/ap/ap_config.h 2016-10-02 21:51:11.000000000 +0300 ++++ hostapd-2.6.my/src/ap/ap_config.h 2016-10-04 21:14:04.986440035 +0300 +@@ -664,6 +664,7 @@ + + int ht_op_mode_fixed; + u16 ht_capab; ++ int noscan; + int ieee80211n; + int secondary_channel; + int no_pri_sec_switch; +diff -wbBur hostapd-2.6/src/ap/hw_features.c hostapd-2.6.my/src/ap/hw_features.c +--- hostapd-2.6/src/ap/hw_features.c 2016-10-02 21:51:11.000000000 +0300 ++++ hostapd-2.6.my/src/ap/hw_features.c 2016-10-04 21:15:19.323105847 +0300 +@@ -226,7 +226,7 @@ + { + int pri_chan, sec_chan; + +- if (!iface->conf->secondary_channel) ++ if (!iface->conf->secondary_channel || iface->conf->noscan) + return 1; /* HT40 not used */ + + pri_chan = iface->conf->channel; +@@ -474,7 +474,7 @@ + int ret; + + /* Check that HT40 is used and PRI / SEC switch is allowed */ +- if (!iface->conf->secondary_channel || iface->conf->no_pri_sec_switch) ++ if (!iface->conf->secondary_channel || iface->conf->no_pri_sec_switch || iface->conf->noscan) + return 0; + + hostapd_set_state(iface, HAPD_IFACE_HT_SCAN); +@@ -794,7 +794,7 @@ + if (!hostapd_is_usable_chan(iface, iface->conf->channel, 1)) + return 0; + +- if (!iface->conf->secondary_channel) ++ if (!iface->conf->secondary_channel || iface->conf->noscan) + return 1; + + return hostapd_is_usable_chan(iface, iface->conf->channel + +diff -wbBur hostapd-2.6/src/ap/ieee802_11_ht.c hostapd-2.6.my/src/ap/ieee802_11_ht.c +--- hostapd-2.6/src/ap/ieee802_11_ht.c 2016-10-02 21:51:11.000000000 +0300 ++++ hostapd-2.6.my/src/ap/ieee802_11_ht.c 2016-10-04 21:14:04.989773368 +0300 +@@ -244,6 +244,9 @@ + if (!(iface->conf->ht_capab & HT_CAP_INFO_SUPP_CHANNEL_WIDTH_SET)) + return; + ++ if (iface->conf->noscan) ++ return; ++ + if (len < IEEE80211_HDRLEN + 2 + sizeof(*bc_ie)) + return; + +@@ -368,6 +371,9 @@ + if (iface->current_mode->mode != HOSTAPD_MODE_IEEE80211G) + return; + ++ if (iface->conf->noscan) ++ return; ++ + wpa_printf(MSG_INFO, "HT: Forty MHz Intolerant is set by STA " MACSTR + " in Association Request", MAC2STR(sta->addr)); + Deleted: hostapd.service =================================================================== --- hostapd.service 2018-02-09 12:53:40 UTC (rev 290444) +++ hostapd.service 2018-02-09 12:54:14 UTC (rev 290445) @@ -1,10 +0,0 @@ -[Unit] -Description=Hostapd IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator -After=network.target - -[Service] -ExecStart=/usr/bin/hostapd /etc/hostapd/hostapd.conf -ExecReload=/bin/kill -HUP $MAINPID - -[Install] -WantedBy=multi-user.target Copied: hostapd/repos/community-x86_64/hostapd.service (from rev 290444, hostapd/trunk/hostapd.service) =================================================================== --- hostapd.service (rev 0) +++ hostapd.service 2018-02-09 12:54:14 UTC (rev 290445) @@ -0,0 +1,10 @@ +[Unit] +Description=Hostapd IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator +After=network.target + +[Service] +ExecStart=/usr/bin/hostapd /etc/hostapd/hostapd.conf +ExecReload=/bin/kill -HUP $MAINPID + +[Install] +WantedBy=multi-user.target Deleted: openvswitch.patch =================================================================== --- openvswitch.patch 2018-02-09 12:53:40 UTC (rev 290444) +++ openvswitch.patch 2018-02-09 12:54:14 UTC (rev 290445) @@ -1,153 +0,0 @@ -diff --git a/src/drivers/drivers.mak b/src/drivers/drivers.mak -index 9434078..7d8786c 100644 ---- a/src/drivers/drivers.mak -+++ b/src/drivers/drivers.mak -@@ -145,6 +145,10 @@ DRV_WPA_OBJS += ../src/drivers/driver_wext.o - NEED_RFKILL=y - endif - -+ifdef CONFIG_OPENVSWITCH -+DRV_CFLAGS += -DCONFIG_OPENVSWITCH -+endif -+ - ifdef NEED_NETLINK - DRV_OBJS += ../src/drivers/netlink.o - endif -diff --git a/src/drivers/drivers.mk b/src/drivers/drivers.mk -index 8da4c53..4cee638 100644 ---- a/src/drivers/drivers.mk -+++ b/src/drivers/drivers.mk -@@ -132,6 +132,10 @@ DRV_WPA_OBJS += src/drivers/driver_wext.c - NEED_RFKILL=y - endif - -+ifdef CONFIG_OPENVSWITCH -+DRV_CFLAGS += -DCONFIG_OPENVSWITCH -+endif -+ - ifdef NEED_NETLINK - DRV_OBJS += src/drivers/netlink.c - endif -diff --git a/src/drivers/linux_ioctl.c b/src/drivers/linux_ioctl.c -index 837971d..f666e27 100644 ---- a/src/drivers/linux_ioctl.c -+++ b/src/drivers/linux_ioctl.c -@@ -14,6 +14,69 @@ - #include "utils/common.h" - #include "linux_ioctl.h" - -+#ifdef CONFIG_OPENVSWITCH -+#include <sys/wait.h> -+#include <sys/stat.h> -+ -+#define run_prog(p, ...) ({ \ -+ struct stat q; \ -+ int rc = -1, status; \ -+ if(stat(p, &q) == 0) \ -+ { \ -+ pid_t pid = fork(); \ -+ if (!pid) \ -+ exit(execl(p, p, ##__VA_ARGS__, NULL)); \ -+ if (pid < 0) { \ -+ rc = -1; \ -+ } else { \ -+ while ((rc = waitpid(pid, &status, 0)) == -1 && errno == EINTR); \ -+ rc = (rc == pid && WIFEXITED(status)) ? WEXITSTATUS(status) : -1; \ -+ } \ -+ } \ -+ rc; \ -+}) -+ -+int ovs_br_get(char *brname, const char *ifname) -+{ -+ FILE *f; -+ char cmd[64]; -+ char *c; -+ struct stat q; -+ -+ if(stat("/usr/bin/ovs-vsctl", &q) != 0) -+ return -1; -+ -+ brname[0] = '\0'; -+ sprintf(cmd, "/usr/bin/ovs-vsctl iface-to-br %s", ifname); -+ f = popen(cmd, "r"); -+ if (!f) -+ return -1; -+ c = fgets(brname, IFNAMSIZ, f); -+ pclose(f); -+ if (c && strlen(brname)) { -+ /* Ignore newline */ -+ if ((c = strchr(brname, '\n'))) -+ *c = '\0'; -+ return 0; -+ } -+ return -1; -+} -+ -+int ovs_br_add_if(const char *brname, const char *ifname) -+{ -+ if (run_prog("/usr/bin/ovs-vsctl", "add-port", brname, ifname)) -+ return -1; -+ return 0; -+} -+ -+int ovs_br_del_if(const char *brname, const char *ifname) -+{ -+ if (run_prog("/usr/bin/ovs-vsctl", "del-port", brname, ifname)) -+ return -1; -+ return 0; -+} -+ -+#endif - - int linux_set_iface_flags(int sock, const char *ifname, int dev_up) - { -@@ -118,7 +181,6 @@ int linux_set_ifhwaddr(int sock, const char *ifname, const u8 *addr) - return 0; - } - -- - #ifndef SIOCBRADDBR - #define SIOCBRADDBR 0x89a0 - #endif -@@ -162,6 +224,11 @@ int linux_br_add_if(int sock, const char *brname, const char *ifname) - struct ifreq ifr; - int ifindex; - -+#ifdef CONFIG_OPENVSWITCH -+ if (!ovs_br_add_if(brname, ifname)) -+ return 0; -+#endif -+ - ifindex = if_nametoindex(ifname); - if (ifindex == 0) - return -1; -@@ -184,6 +251,11 @@ int linux_br_del_if(int sock, const char *brname, const char *ifname) - struct ifreq ifr; - int ifindex; - -+#ifdef CONFIG_OPENVSWITCH -+ if (!ovs_br_del_if(brname, ifname)) -+ return 0; -+#endif -+ - ifindex = if_nametoindex(ifname); - if (ifindex == 0) - return -1; -@@ -206,6 +278,11 @@ int linux_br_get(char *brname, const char *ifname) - char path[128], brlink[128], *pos; - ssize_t res; - -+#ifdef CONFIG_OPENVSWITCH -+ if (!ovs_br_get(brname, ifname)) -+ return 0; -+#endif -+ - os_snprintf(path, sizeof(path), "/sys/class/net/%s/brport/bridge", - ifname); - res = readlink(path, brlink, sizeof(brlink)); -@@ -219,3 +296,4 @@ int linux_br_get(char *brname, const char *ifname) - os_strlcpy(brname, pos, IFNAMSIZ); - return 0; - } -+ Copied: hostapd/repos/community-x86_64/openvswitch.patch (from rev 290444, hostapd/trunk/openvswitch.patch) =================================================================== --- openvswitch.patch (rev 0) +++ openvswitch.patch 2018-02-09 12:54:14 UTC (rev 290445) @@ -0,0 +1,153 @@ +diff --git a/src/drivers/drivers.mak b/src/drivers/drivers.mak +index 9434078..7d8786c 100644 +--- a/src/drivers/drivers.mak ++++ b/src/drivers/drivers.mak +@@ -145,6 +145,10 @@ DRV_WPA_OBJS += ../src/drivers/driver_wext.o + NEED_RFKILL=y + endif + ++ifdef CONFIG_OPENVSWITCH ++DRV_CFLAGS += -DCONFIG_OPENVSWITCH ++endif ++ + ifdef NEED_NETLINK + DRV_OBJS += ../src/drivers/netlink.o + endif +diff --git a/src/drivers/drivers.mk b/src/drivers/drivers.mk +index 8da4c53..4cee638 100644 +--- a/src/drivers/drivers.mk ++++ b/src/drivers/drivers.mk +@@ -132,6 +132,10 @@ DRV_WPA_OBJS += src/drivers/driver_wext.c + NEED_RFKILL=y + endif + ++ifdef CONFIG_OPENVSWITCH ++DRV_CFLAGS += -DCONFIG_OPENVSWITCH ++endif ++ + ifdef NEED_NETLINK + DRV_OBJS += src/drivers/netlink.c + endif +diff --git a/src/drivers/linux_ioctl.c b/src/drivers/linux_ioctl.c +index 837971d..f666e27 100644 +--- a/src/drivers/linux_ioctl.c ++++ b/src/drivers/linux_ioctl.c +@@ -14,6 +14,69 @@ + #include "utils/common.h" + #include "linux_ioctl.h" + ++#ifdef CONFIG_OPENVSWITCH ++#include <sys/wait.h> ++#include <sys/stat.h> ++ ++#define run_prog(p, ...) ({ \ ++ struct stat q; \ ++ int rc = -1, status; \ ++ if(stat(p, &q) == 0) \ ++ { \ ++ pid_t pid = fork(); \ ++ if (!pid) \ ++ exit(execl(p, p, ##__VA_ARGS__, NULL)); \ ++ if (pid < 0) { \ ++ rc = -1; \ ++ } else { \ ++ while ((rc = waitpid(pid, &status, 0)) == -1 && errno == EINTR); \ ++ rc = (rc == pid && WIFEXITED(status)) ? WEXITSTATUS(status) : -1; \ ++ } \ ++ } \ ++ rc; \ ++}) ++ ++int ovs_br_get(char *brname, const char *ifname) ++{ ++ FILE *f; ++ char cmd[64]; ++ char *c; ++ struct stat q; ++ ++ if(stat("/usr/bin/ovs-vsctl", &q) != 0) ++ return -1; ++ ++ brname[0] = '\0'; ++ sprintf(cmd, "/usr/bin/ovs-vsctl iface-to-br %s", ifname); ++ f = popen(cmd, "r"); ++ if (!f) ++ return -1; ++ c = fgets(brname, IFNAMSIZ, f); ++ pclose(f); ++ if (c && strlen(brname)) { ++ /* Ignore newline */ ++ if ((c = strchr(brname, '\n'))) ++ *c = '\0'; ++ return 0; ++ } ++ return -1; ++} ++ ++int ovs_br_add_if(const char *brname, const char *ifname) ++{ ++ if (run_prog("/usr/bin/ovs-vsctl", "add-port", brname, ifname)) ++ return -1; ++ return 0; ++} ++ ++int ovs_br_del_if(const char *brname, const char *ifname) ++{ ++ if (run_prog("/usr/bin/ovs-vsctl", "del-port", brname, ifname)) ++ return -1; ++ return 0; ++} ++ ++#endif + + int linux_set_iface_flags(int sock, const char *ifname, int dev_up) + { +@@ -118,7 +181,6 @@ int linux_set_ifhwaddr(int sock, const char *ifname, const u8 *addr) + return 0; + } + +- + #ifndef SIOCBRADDBR + #define SIOCBRADDBR 0x89a0 + #endif +@@ -162,6 +224,11 @@ int linux_br_add_if(int sock, const char *brname, const char *ifname) + struct ifreq ifr; + int ifindex; + ++#ifdef CONFIG_OPENVSWITCH ++ if (!ovs_br_add_if(brname, ifname)) ++ return 0; ++#endif ++ + ifindex = if_nametoindex(ifname); + if (ifindex == 0) + return -1; +@@ -184,6 +251,11 @@ int linux_br_del_if(int sock, const char *brname, const char *ifname) + struct ifreq ifr; + int ifindex; + ++#ifdef CONFIG_OPENVSWITCH ++ if (!ovs_br_del_if(brname, ifname)) ++ return 0; ++#endif ++ + ifindex = if_nametoindex(ifname); + if (ifindex == 0) + return -1; +@@ -206,6 +278,11 @@ int linux_br_get(char *brname, const char *ifname) + char path[128], brlink[128], *pos; + ssize_t res; + ++#ifdef CONFIG_OPENVSWITCH ++ if (!ovs_br_get(brname, ifname)) ++ return 0; ++#endif ++ + os_snprintf(path, sizeof(path), "/sys/class/net/%s/brport/bridge", + ifname); + res = readlink(path, brlink, sizeof(brlink)); +@@ -219,3 +296,4 @@ int linux_br_get(char *brname, const char *ifname) + os_strlcpy(brname, pos, IFNAMSIZ); + return 0; + } ++