633ab586239fae56baaf7dc826d8da0b4ab135f0
[openwrt/openwrt.git] /
1 From 3e34cfdff6b192fe337c6fb3f487f73e96582961 Mon Sep 17 00:00:00 2001
2 From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
3 Date: Sun, 15 Jul 2018 01:25:53 +0200
4 Subject: [PATCH] WPA: Ignore unauthenticated encrypted EAPOL-Key data
5
6 Ignore unauthenticated encrypted EAPOL-Key data in supplicant
7 processing. When using WPA2, these are frames that have the Encrypted
8 flag set, but not the MIC flag.
9
10 When using WPA2, EAPOL-Key frames that had the Encrypted flag set but
11 not the MIC flag, had their data field decrypted without first verifying
12 the MIC. In case the data field was encrypted using RC4 (i.e., when
13 negotiating TKIP as the pairwise cipher), this meant that
14 unauthenticated but decrypted data would then be processed. An adversary
15 could abuse this as a decryption oracle to recover sensitive information
16 in the data field of EAPOL-Key messages (e.g., the group key).
17 (CVE-2018-14526)
18
19 Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
20 ---
21 src/rsn_supp/wpa.c | 11 +++++++++++
22 1 file changed, 11 insertions(+)
23
24 --- a/src/rsn_supp/wpa.c
25 +++ b/src/rsn_supp/wpa.c
26 @@ -2208,6 +2208,17 @@ int wpa_sm_rx_eapol(struct wpa_sm *sm, c
27
28 if ((sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) &&
29 (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) && mic_len) {
30 + /*
31 + * Only decrypt the Key Data field if the frame's authenticity
32 + * was verified. When using AES-SIV (FILS), the MIC flag is not
33 + * set, so this check should only be performed if mic_len != 0
34 + * which is the case in this code branch.
35 + */
36 + if (!(key_info & WPA_KEY_INFO_MIC)) {
37 + wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
38 + "WPA: Ignore EAPOL-Key with encrypted but unauthenticated data");
39 + goto out;
40 + }
41 if (wpa_supplicant_decrypt_key_data(sm, key, mic_len,
42 ver, key_data,
43 &key_data_len))