Add comments which document already fixed WPA attack vectors.

1 files changed, 18 insertions, 1 deletions

diff --git a/sys/net80211/ieee80211_pae_input.c b/sys/net80211/ieee80211_pae_input.c
index f5fe8230a03..f62d5f2dba4 100644
--- a/sys/net80211/ieee80211_pae_input.c
+++ b/sys/net80211/ieee80211_pae_input.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ieee80211_pae_input.c,v 1.30 2017/08/17 06:01:05 stsp Exp $	*/
+/*	$OpenBSD: ieee80211_pae_input.c,v 1.31 2017/10/16 10:39:41 stsp Exp $	*/
 
 /*-
  * Copyright (c) 2007,2008 Damien Bergamini <damien.bergamini@free.fr>
@@ -340,6 +340,12 @@ ieee80211_recv_4way_msg2(struct ieee80211com *ic,
 }
 #endif	/* IEEE80211_STA_ONLY */
 
+/* 
+ * Check if a group key must be updated with a new GTK from an EAPOL frame.
+ * Manipulated group key handshake messages could trick clients into
+ * reinstalling an already used group key and hence lower or reset the
+ * associated replay counter. This check prevents such attacks.
+ */
 int
 ieee80211_must_update_group_key(struct ieee80211_key *k, const uint8_t *gtk,
     int len)
@@ -528,6 +534,17 @@ ieee80211_recv_4way_msg3(struct ieee80211com *ic,
 	if (ieee80211_send_4way_msg4(ic, ni) != 0)
 		return;	/* ..authenticator will retry */
 
+	/* 
+	 * Only install a new pairwise key if we are still expecting a new key,
+	 * as indicated by the NODE_RSN_NEW_PTK flag. An adversary could be
+	 * sending manipulated retransmissions of message 3 of the 4-way
+	 * handshake in an attempt to trick us into reinstalling an already
+	 * used pairwise key. If this attack succeeded, the incremental nonce
+	 * and replay counter associated with the key would be reset.
+	 * Against CCMP, the adversary could abuse this to replay and decrypt
+	 * packets. Against TKIP, it would become possible to replay, decrypt,
+	 * and forge packets.
+	 */
 	if (ni->ni_rsncipher != IEEE80211_CIPHER_USEGROUP &&
 	    (ni->ni_flags & IEEE80211_NODE_RSN_NEW_PTK)) {
 		u_int64_t prsc;