summaryrefslogtreecommitdiff
path: root/sys/net80211
diff options
context:
space:
mode:
authorStefan Sperling <stsp@cvs.openbsd.org>2017-10-16 10:39:42 +0000
committerStefan Sperling <stsp@cvs.openbsd.org>2017-10-16 10:39:42 +0000
commit2c552326d9091aec038dfcffaf6c9ae6339c45fb (patch)
tree1403e5b717454e672f79928b08b37977dc0cb8bc /sys/net80211
parentf96f1973ddbf0041b3e9c1ae881f9a51515a17ca (diff)
Add comments which document already fixed WPA attack vectors.
Diffstat (limited to 'sys/net80211')
-rw-r--r--sys/net80211/ieee80211_pae_input.c19
1 files changed, 18 insertions, 1 deletions
diff --git a/sys/net80211/ieee80211_pae_input.c b/sys/net80211/ieee80211_pae_input.c
index f5fe8230a03..f62d5f2dba4 100644
--- a/sys/net80211/ieee80211_pae_input.c
+++ b/sys/net80211/ieee80211_pae_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ieee80211_pae_input.c,v 1.30 2017/08/17 06:01:05 stsp Exp $ */
+/* $OpenBSD: ieee80211_pae_input.c,v 1.31 2017/10/16 10:39:41 stsp Exp $ */
/*-
* Copyright (c) 2007,2008 Damien Bergamini <damien.bergamini@free.fr>
@@ -340,6 +340,12 @@ ieee80211_recv_4way_msg2(struct ieee80211com *ic,
}
#endif /* IEEE80211_STA_ONLY */
+/*
+ * Check if a group key must be updated with a new GTK from an EAPOL frame.
+ * Manipulated group key handshake messages could trick clients into
+ * reinstalling an already used group key and hence lower or reset the
+ * associated replay counter. This check prevents such attacks.
+ */
int
ieee80211_must_update_group_key(struct ieee80211_key *k, const uint8_t *gtk,
int len)
@@ -528,6 +534,17 @@ ieee80211_recv_4way_msg3(struct ieee80211com *ic,
if (ieee80211_send_4way_msg4(ic, ni) != 0)
return; /* ..authenticator will retry */
+ /*
+ * Only install a new pairwise key if we are still expecting a new key,
+ * as indicated by the NODE_RSN_NEW_PTK flag. An adversary could be
+ * sending manipulated retransmissions of message 3 of the 4-way
+ * handshake in an attempt to trick us into reinstalling an already
+ * used pairwise key. If this attack succeeded, the incremental nonce
+ * and replay counter associated with the key would be reset.
+ * Against CCMP, the adversary could abuse this to replay and decrypt
+ * packets. Against TKIP, it would become possible to replay, decrypt,
+ * and forge packets.
+ */
if (ni->ni_rsncipher != IEEE80211_CIPHER_USEGROUP &&
(ni->ni_flags & IEEE80211_NODE_RSN_NEW_PTK)) {
u_int64_t prsc;