diff options
author | Stefan Sperling <stsp@cvs.openbsd.org> | 2017-10-16 10:39:42 +0000 |
---|---|---|
committer | Stefan Sperling <stsp@cvs.openbsd.org> | 2017-10-16 10:39:42 +0000 |
commit | 2c552326d9091aec038dfcffaf6c9ae6339c45fb (patch) | |
tree | 1403e5b717454e672f79928b08b37977dc0cb8bc /sys/net80211 | |
parent | f96f1973ddbf0041b3e9c1ae881f9a51515a17ca (diff) |
Add comments which document already fixed WPA attack vectors.
Diffstat (limited to 'sys/net80211')
-rw-r--r-- | sys/net80211/ieee80211_pae_input.c | 19 |
1 files changed, 18 insertions, 1 deletions
diff --git a/sys/net80211/ieee80211_pae_input.c b/sys/net80211/ieee80211_pae_input.c index f5fe8230a03..f62d5f2dba4 100644 --- a/sys/net80211/ieee80211_pae_input.c +++ b/sys/net80211/ieee80211_pae_input.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ieee80211_pae_input.c,v 1.30 2017/08/17 06:01:05 stsp Exp $ */ +/* $OpenBSD: ieee80211_pae_input.c,v 1.31 2017/10/16 10:39:41 stsp Exp $ */ /*- * Copyright (c) 2007,2008 Damien Bergamini <damien.bergamini@free.fr> @@ -340,6 +340,12 @@ ieee80211_recv_4way_msg2(struct ieee80211com *ic, } #endif /* IEEE80211_STA_ONLY */ +/* + * Check if a group key must be updated with a new GTK from an EAPOL frame. + * Manipulated group key handshake messages could trick clients into + * reinstalling an already used group key and hence lower or reset the + * associated replay counter. This check prevents such attacks. + */ int ieee80211_must_update_group_key(struct ieee80211_key *k, const uint8_t *gtk, int len) @@ -528,6 +534,17 @@ ieee80211_recv_4way_msg3(struct ieee80211com *ic, if (ieee80211_send_4way_msg4(ic, ni) != 0) return; /* ..authenticator will retry */ + /* + * Only install a new pairwise key if we are still expecting a new key, + * as indicated by the NODE_RSN_NEW_PTK flag. An adversary could be + * sending manipulated retransmissions of message 3 of the 4-way + * handshake in an attempt to trick us into reinstalling an already + * used pairwise key. If this attack succeeded, the incremental nonce + * and replay counter associated with the key would be reset. + * Against CCMP, the adversary could abuse this to replay and decrypt + * packets. Against TKIP, it would become possible to replay, decrypt, + * and forge packets. + */ if (ni->ni_rsncipher != IEEE80211_CIPHER_USEGROUP && (ni->ni_flags & IEEE80211_NODE_RSN_NEW_PTK)) { u_int64_t prsc; |