[arch-commits] Commit in hostapd/trunk (9 files)
Date: Wednesday, December 5, 2018 @ 09:35:50 Author: spupykin Revision: 411318 upgpkg: hostapd 2.7-1 Modified: hostapd/trunk/PKGBUILD hostapd/trunk/hostapd-2.3-noscan.patch Deleted: hostapd/trunk/0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch hostapd/trunk/0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch hostapd/trunk/0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch hostapd/trunk/0004-Prevent-installation-of-an-all-zero-TK.patch hostapd/trunk/0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch hostapd/trunk/0006-TDLS-Reject-TPK-TK-reconfiguration.patch hostapd/trunk/0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch -+ 0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch | 174 -- 0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch | 250 -- 0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch | 184 --- 0004-Prevent-installation-of-an-all-zero-TK.patch | 79 --- 0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch| 64 -- 0006-TDLS-Reject-TPK-TK-reconfiguration.patch | 132 - 0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch | 82 --- PKGBUILD| 26 - hostapd-2.3-noscan.patch| 10 9 files changed, 11 insertions(+), 990 deletions(-)
Deleted: 0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch
===
--- 0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch 2018-12-05 09:27:49 UTC (rev 411317)
+++ 0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch 2018-12-05 09:35:50 UTC (rev 411318)
@@ -1,174 +0,0 @@ -From cf4cab804c7afd5c45505528a8d16e46163243a2 Mon Sep 17 00:00:00 2001 -From: Mathy Vanhoef -Date: Fri, 14 Jul 2017 15:15:35 +0200 -Subject: [PATCH 1/8] hostapd: Avoid key reinstallation in FT handshake - -Do not reinstall TK to the driver during Reassociation Response frame -processing if the first attempt of setting the TK succeeded. This avoids -issues related to clearing the TX/RX PN that could result in reusing -same PN values for transmitted frames (e.g., due to CCM nonce reuse and -also hitting replay protection on the receiver) and accepting replayed -frames on RX side. - -This issue was introduced by the commit -0e84c25434e6a1f283c7b4e62e483729085b78d2 ('FT: Fix PTK configuration in -authenticator') which allowed wpa_ft_install_ptk() to be called multiple -times with the same PTK. While the second configuration attempt is -needed with some drivers, it must be done only if the first attempt -failed. - -Signed-off-by: Mathy Vanhoef - src/ap/ieee802_11.c | 16 +--- - src/ap/wpa_auth.c| 11 +++ - src/ap/wpa_auth.h| 3 ++- - src/ap/wpa_auth_ft.c | 10 ++ - src/ap/wpa_auth_i.h | 1 + - 5 files changed, 37 insertions(+), 4 deletions(-) - -diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c -index 4e04169..333035f 100644 a/src/ap/ieee802_11.c -+++ b/src/ap/ieee802_11.c -@@ -1841,6 +1841,7 @@ static int add_associated_sta(struct hostapd_data *hapd, - { - struct ieee80211_ht_capabilities ht_cap; - struct ieee80211_vht_capabilities vht_cap; -+ int set = 1; - - /* -* Remove the STA entry to ensure the STA PS state gets cleared and -@@ -1848,9 +1849,18 @@ static int add_associated_sta(struct hostapd_data *hapd, -* FT-over-the-DS, where a station re-associates back to the same AP but -* skips the authentication flow, or if working with a driver that -* does not support full AP client state. 
-+ * -+ * Skip this if the STA has already completed FT reassociation and the -+ * TK has been configured since the TX/RX PN must not be reset to 0 for -+ * the same key. -*/ -- if (!sta->added_unassoc) -+ if (!sta->added_unassoc && -+ (!(sta->flags & WLAN_STA_AUTHORIZED) || -+ !wpa_auth_sta_ft_tk_already_set(sta->wpa_sm))) { - hostapd_drv_sta_remove(hapd, sta->addr); -+ wpa_auth_sm_event(sta->wpa_sm, WPA_DRV_STA_REMOVED); -+ set = 0; -+ } - - #ifdef CONFIG_IEEE80211N - if (sta->flags & WLAN_STA_HT) -@@ -1873,11 +1883,11 @@ static int add_associated_sta(struct hostapd_data *hapd, - sta->flags & WLAN_STA_VHT ? _cap : NULL, - sta->flags | WLAN_STA_ASSOC, sta->qosinfo, - sta->vht_opmode, sta->p2p_ie ? 1 : 0, -- sta->added_unassoc)) { -+ set)) { - hostapd_logger(hapd, sta->addr, - HOSTAPD_MODULE_IEEE80211, HOSTAPD_LEVEL_NOTICE, - "Could not %s STA to kernel driver", --
[arch-commits] Commit in hostapd/trunk (9 files)
Date: Monday, October 16, 2017 @ 11:20:17 Author: anthraxx Revision: 263056 upgpkg: hostapd 2.6-6 (security update) https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt Added: hostapd/trunk/0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch hostapd/trunk/0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch hostapd/trunk/0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch hostapd/trunk/0004-Prevent-installation-of-an-all-zero-TK.patch hostapd/trunk/0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch hostapd/trunk/0006-TDLS-Reject-TPK-TK-reconfiguration.patch hostapd/trunk/0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch Modified: hostapd/trunk/PKGBUILD Deleted: hostapd/trunk/hostapd.install -+ 0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch | 174 ++ 0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch | 250 ++ 0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch | 184 +++ 0004-Prevent-installation-of-an-all-zero-TK.patch | 79 +++ 0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch| 64 ++ 0006-TDLS-Reject-TPK-TK-reconfiguration.patch | 132 + 0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch | 82 +++ PKGBUILD| 43 + hostapd.install |3 9 files changed, 996 insertions(+), 15 deletions(-)
Added: 0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch
===
--- 0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch (rev 0)
+++ 0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch 2017-10-16 11:20:17 UTC (rev 263056)
@@ -0,0 +1,174 @@ +From cf4cab804c7afd5c45505528a8d16e46163243a2 Mon Sep 17 00:00:00 2001 +From: Mathy Vanhoef+Date: Fri, 14 Jul 2017 15:15:35 +0200 +Subject: [PATCH 1/8] hostapd: Avoid key reinstallation in FT handshake + +Do not reinstall TK to the driver during Reassociation Response frame +processing if the first attempt of setting the TK succeeded. This avoids +issues related to clearing the TX/RX PN that could result in reusing +same PN values for transmitted frames (e.g., due to CCM nonce reuse and +also hitting replay protection on the receiver) and accepting replayed +frames on RX side. + +This issue was introduced by the commit +0e84c25434e6a1f283c7b4e62e483729085b78d2 ('FT: Fix PTK configuration in +authenticator') which allowed wpa_ft_install_ptk() to be called multiple +times with the same PTK. While the second configuration attempt is +needed with some drivers, it must be done only if the first attempt +failed. + +Signed-off-by: Mathy Vanhoef +--- + src/ap/ieee802_11.c | 16 +--- + src/ap/wpa_auth.c| 11 +++ + src/ap/wpa_auth.h| 3 ++- + src/ap/wpa_auth_ft.c | 10 ++ + src/ap/wpa_auth_i.h | 1 + + 5 files changed, 37 insertions(+), 4 deletions(-) + +diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c +index 4e04169..333035f 100644 +--- a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c +@@ -1841,6 +1841,7 @@ static int add_associated_sta(struct hostapd_data *hapd, + { + struct ieee80211_ht_capabilities ht_cap; + struct ieee80211_vht_capabilities vht_cap; ++ int set = 1; + + /* +* Remove the STA entry to ensure the STA PS state gets cleared and +@@ -1848,9 +1849,18 @@ static int add_associated_sta(struct hostapd_data *hapd, +* FT-over-the-DS, where a station re-associates back to the same AP but +* skips the authentication flow, or if working with a driver that +* does not support full AP client state. 
++ * ++ * Skip this if the STA has already completed FT reassociation and the ++ * TK has been configured since the TX/RX PN must not be reset to 0 for ++ * the same key. +*/ +- if (!sta->added_unassoc) ++ if (!sta->added_unassoc && ++ (!(sta->flags & WLAN_STA_AUTHORIZED) || ++ !wpa_auth_sta_ft_tk_already_set(sta->wpa_sm))) { + hostapd_drv_sta_remove(hapd, sta->addr); ++ wpa_auth_sm_event(sta->wpa_sm, WPA_DRV_STA_REMOVED); ++ set = 0; ++ } + + #ifdef CONFIG_IEEE80211N + if (sta->flags & WLAN_STA_HT) +@@ -1873,11 +1883,11 @@ static int add_associated_sta(struct hostapd_data *hapd, + sta->flags & WLAN_STA_VHT ? _cap : NULL, + sta->flags | WLAN_STA_ASSOC, sta->qosinfo, + sta->vht_opmode, sta->p2p_ie ? 1 : 0, +- sta->added_unassoc)) { ++ set)) { + hostapd_logger(hapd, sta->addr, +