summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorStefan Sperling <stsp@cvs.openbsd.org>2017-08-18 17:30:13 +0000
committerStefan Sperling <stsp@cvs.openbsd.org>2017-08-18 17:30:13 +0000
commitabcae05bd2addbfaf44f322a3751b941577bac3f (patch)
tree3c17d9deba12931a3d056f2b7b5d82122f7b0af7
parent33959bed813bbf60dd7243a493b17fe2407ebe08 (diff)
Clear WPA group keys from memory before initiating a key exchange
with an access point. Prevents false positive 'reused group key' warnings in dmesg when re-associating to the same access point. Problem reported by tb@ ok tb@
-rw-r--r--sys/net80211/ieee80211_crypto.c24
-rw-r--r--sys/net80211/ieee80211_crypto.h3
-rw-r--r--sys/net80211/ieee80211_proto.c5
3 files changed, 21 insertions, 11 deletions
diff --git a/sys/net80211/ieee80211_crypto.c b/sys/net80211/ieee80211_crypto.c
index c534bf6dc29..db68889c548 100644
--- a/sys/net80211/ieee80211_crypto.c
+++ b/sys/net80211/ieee80211_crypto.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ieee80211_crypto.c,v 1.70 2017/05/02 17:07:06 mikeb Exp $ */
+/* $OpenBSD: ieee80211_crypto.c,v 1.71 2017/08/18 17:30:12 stsp Exp $ */
/*-
* Copyright (c) 2008 Damien Bergamini <damien.bergamini@free.fr>
@@ -74,13 +74,11 @@ ieee80211_crypto_attach(struct ifnet *ifp)
#endif
}
-
void
ieee80211_crypto_detach(struct ifnet *ifp)
{
struct ieee80211com *ic = (void *)ifp;
struct ieee80211_pmk *pmk;
- int i;
/* purge the PMKSA cache */
while ((pmk = TAILQ_FIRST(&ic->ic_pmksa)) != NULL) {
@@ -90,12 +88,7 @@ ieee80211_crypto_detach(struct ifnet *ifp)
}
/* clear all group keys from memory */
- for (i = 0; i < IEEE80211_GROUP_NKID; i++) {
- struct ieee80211_key *k = &ic->ic_nw_keys[i];
- if (k->k_cipher != IEEE80211_CIPHER_NONE)
- (*ic->ic_delete_key)(ic, NULL, k);
- explicit_bzero(k, sizeof(*k));
- }
+ ieee80211_crypto_clear_groupkeys(ic);
/* clear pre-shared key from memory */
explicit_bzero(ic->ic_psk, IEEE80211_PMK_LEN);
@@ -105,6 +98,19 @@ ieee80211_crypto_detach(struct ifnet *ifp)
#endif
}
+void
+ieee80211_crypto_clear_groupkeys(struct ieee80211com *ic)
+{
+ int i;
+
+ for (i = 0; i < IEEE80211_GROUP_NKID; i++) {
+ struct ieee80211_key *k = &ic->ic_nw_keys[i];
+ if (k->k_cipher != IEEE80211_CIPHER_NONE)
+ (*ic->ic_delete_key)(ic, NULL, k);
+ explicit_bzero(k, sizeof(*k));
+ }
+}
+
/*
* Return the length in bytes of a cipher suite key (see Table 60).
*/
diff --git a/sys/net80211/ieee80211_crypto.h b/sys/net80211/ieee80211_crypto.h
index 8881b3896e7..348d035c283 100644
--- a/sys/net80211/ieee80211_crypto.h
+++ b/sys/net80211/ieee80211_crypto.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ieee80211_crypto.h,v 1.24 2016/12/17 18:35:54 stsp Exp $ */
+/* $OpenBSD: ieee80211_crypto.h,v 1.25 2017/08/18 17:30:12 stsp Exp $ */
/*-
* Copyright (c) 2007,2008 Damien Bergamini <damien.bergamini@free.fr>
@@ -111,6 +111,7 @@ struct ieee80211_node;
void ieee80211_crypto_attach(struct ifnet *);
void ieee80211_crypto_detach(struct ifnet *);
+void ieee80211_crypto_clear_groupkeys(struct ieee80211com *);
struct ieee80211_key *ieee80211_get_txkey(struct ieee80211com *,
const struct ieee80211_frame *, struct ieee80211_node *);
struct ieee80211_key *ieee80211_get_rxkey(struct ieee80211com *,
diff --git a/sys/net80211/ieee80211_proto.c b/sys/net80211/ieee80211_proto.c
index 9eab14598b9..c0978acfc31 100644
--- a/sys/net80211/ieee80211_proto.c
+++ b/sys/net80211/ieee80211_proto.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ieee80211_proto.c,v 1.79 2017/08/04 16:25:10 stsp Exp $ */
+/* $OpenBSD: ieee80211_proto.c,v 1.80 2017/08/18 17:30:12 stsp Exp $ */
/* $NetBSD: ieee80211_proto.c,v 1.8 2004/04/30 23:58:20 dyoung Exp $ */
/*-
@@ -926,6 +926,7 @@ justcleanup:
break;
}
ni->ni_rsn_supp_state = RSNA_SUPP_INITIALIZE;
+ ieee80211_crypto_clear_groupkeys(ic);
break;
case IEEE80211_S_SCAN:
ic->ic_flags &= ~IEEE80211_F_SIBSS;
@@ -937,6 +938,7 @@ justcleanup:
ni->ni_associd = 0;
ni->ni_rstamp = 0;
ni->ni_rsn_supp_state = RSNA_SUPP_INITIALIZE;
+ ieee80211_crypto_clear_groupkeys(ic);
switch (ostate) {
case IEEE80211_S_INIT:
#ifndef IEEE80211_STA_ONLY
@@ -980,6 +982,7 @@ justcleanup:
break;
case IEEE80211_S_AUTH:
ni->ni_rsn_supp_state = RSNA_SUPP_INITIALIZE;
+ ieee80211_crypto_clear_groupkeys(ic);
switch (ostate) {
case IEEE80211_S_INIT:
if (ifp->if_flags & IFF_DEBUG)