DGNum/hostapd
6
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

WNM: Fix GTK/IGTK parsing for WNM-Sleep Mode Response frame

Browse source 
These fields do not use AES keywrap. Instead, they are protected with
management frame protection (and not included if PMF is disabled).

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This commit is contained in:
Jouni Malinen 2012-12-16 12:48:34 +02:00 committed by Jouni Malinen
parent e6955ba9f9
commit 68db9ab047
2 changed files with 43 additions and 28 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

28
src/rsn_supp/wpa.c
View file

@ -2637,7 +2637,6 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf)
#endif /* CONFIG_IEEE80211W */ #endif /* CONFIG_IEEE80211W */
u16 keyinfo; u16 keyinfo;
u8 keylen; /* plaintext key len */ u8 keylen; /* plaintext key len */
u8 keydatalen;
u8 *key_rsc; u8 *key_rsc;
os_memset(&gd, 0, sizeof(gd)); os_memset(&gd, 0, sizeof(gd));
@ -2656,7 +2655,6 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf)
if (subelem_id == WNM_SLEEP_SUBELEM_GTK) { if (subelem_id == WNM_SLEEP_SUBELEM_GTK) {
key_rsc = buf + 5; key_rsc = buf + 5;
keyinfo = WPA_GET_LE16(buf + 2); keyinfo = WPA_GET_LE16(buf + 2);
keydatalen = buf[1] - 11 - 8;
gd.gtk_len = keylen; gd.gtk_len = keylen;
if (gd.gtk_len != buf[4]) { if (gd.gtk_len != buf[4]) {
wpa_printf(MSG_DEBUG, "GTK len mismatch len %d vs %d", wpa_printf(MSG_DEBUG, "GTK len mismatch len %d vs %d",
@ -2667,18 +2665,7 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf)
gd.tx = wpa_supplicant_gtk_tx_bit_workaround( gd.tx = wpa_supplicant_gtk_tx_bit_workaround(
sm, !!(keyinfo & WPA_KEY_INFO_TXRX)); sm, !!(keyinfo & WPA_KEY_INFO_TXRX));
if (keydatalen % 8) { os_memcpy(gd.gtk, buf + 13, gd.gtk_len);
wpa_printf(MSG_DEBUG, "WPA: Unsupported AES-WRAP len "
"%d", keydatalen);
return -1;
}
if (aes_unwrap(sm->ptk.kek, keydatalen / 8, buf + 13, gd.gtk))
{
wpa_printf(MSG_WARNING, "WNM: AES unwrap failed - "
"could not decrypt GTK");
return -1;
}
wpa_hexdump_key(MSG_DEBUG, "Install GTK (WNM SLEEP)", wpa_hexdump_key(MSG_DEBUG, "Install GTK (WNM SLEEP)",
gd.gtk, gd.gtk_len); gd.gtk, gd.gtk_len);
@ -2689,22 +2676,11 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf)
} }
#ifdef CONFIG_IEEE80211W #ifdef CONFIG_IEEE80211W
} else if (subelem_id == WNM_SLEEP_SUBELEM_IGTK) { } else if (subelem_id == WNM_SLEEP_SUBELEM_IGTK) {
if (buf[1] != 2 + 6 + WPA_IGTK_LEN + 8) {
wpa_printf(MSG_DEBUG, "WPA: Unsupported AES-WRAP len "
"%d", buf[1] - 2 - 6 - 8);
return -1;
}
os_memcpy(igd.keyid, buf + 2, 2); os_memcpy(igd.keyid, buf + 2, 2);
os_memcpy(igd.pn, buf + 4, 6); os_memcpy(igd.pn, buf + 4, 6);
keyidx = WPA_GET_LE16(igd.keyid); keyidx = WPA_GET_LE16(igd.keyid);
os_memcpy(igd.igtk, buf + 10, WPA_IGTK_LEN);
if (aes_unwrap(sm->ptk.kek, WPA_IGTK_LEN / 8, buf + 10,
igd.igtk)) {
wpa_printf(MSG_WARNING, "WNM: AES unwrap failed - "
"could not decrypr IGTK");
return -1;
}
wpa_hexdump_key(MSG_DEBUG, "Install IGTK (WNM SLEEP)", wpa_hexdump_key(MSG_DEBUG, "Install IGTK (WNM SLEEP)",
igd.igtk, WPA_IGTK_LEN); igd.igtk, WPA_IGTK_LEN);

41
wpa_supplicant/wnm_sta.c
View file

@ -156,8 +156,17 @@ static void ieee802_11_rx_wnmsleep_resp(struct wpa_supplicant *wpa_s,
wpa_printf(MSG_DEBUG, "action=%d token = %d key_len_total = %d", wpa_printf(MSG_DEBUG, "action=%d token = %d key_len_total = %d",
frm[0], frm[1], key_len_total); frm[0], frm[1], key_len_total);
pos += 4 + key_len_total; pos += 4 + key_len_total;
if (pos > frm + len) {
wpa_printf(MSG_INFO, "WNM: Too short frame for Key Data field");
return;
}
while (pos - frm < len) { while (pos - frm < len) {
u8 ie_len = *(pos + 1); u8 ie_len = *(pos + 1);
if (pos + 2 + ie_len > frm + len) {
wpa_printf(MSG_INFO, "WNM: Invalid IE len %u", ie_len);
break;
}
wpa_hexdump(MSG_DEBUG, "WNM: Element", pos, 2 + ie_len);
if (*pos == WLAN_EID_WNMSLEEP) if (*pos == WLAN_EID_WNMSLEEP)
wnmsleep_ie = (struct wnm_sleep_element *) pos; wnmsleep_ie = (struct wnm_sleep_element *) pos;
else if (*pos == WLAN_EID_TFS_RESP) { else if (*pos == WLAN_EID_TFS_RESP) {
@ -210,9 +219,33 @@ static void ieee802_11_rx_wnmsleep_resp(struct wpa_supplicant *wpa_s,
do { do {
/* point to key data field */ /* point to key data field */
u8 *ptr = (u8 *) frm + 1 + 1 + 2; u8 *ptr = (u8 *) frm + 1 + 1 + 2;
while (ptr < (u8 *) frm + 4 + key_len_total) { u8 *end = ptr + key_len_total;
wpa_hexdump_key(MSG_DEBUG, "WNM: Key Data",
ptr, key_len_total);
while (ptr + 1 < end) {
if (ptr + 2 + ptr[1] > end) {
wpa_printf(MSG_DEBUG,
"WNM: Invalid Key "
"Data element "
"length");
if (end > ptr)
wpa_hexdump(MSG_DEBUG, "WNM: Remaining data", ptr, end - ptr);
break;
}
if (*ptr == WNM_SLEEP_SUBELEM_GTK) { if (*ptr == WNM_SLEEP_SUBELEM_GTK) {
if (ptr[1] < 11 + 5) {
wpa_printf(MSG_DEBUG,
"WNM: Too short GTK subelem");
break;
}
gtk_len = *(ptr + 4); gtk_len = *(ptr + 4);
if (ptr[1] < 11 + gtk_len ||
gtk_len < 5 || gtk_len > 32)
{
wpa_printf(MSG_DEBUG,
"WNM: Invalid GTK subelem");
break;
}
wpa_wnmsleep_install_key( wpa_wnmsleep_install_key(
wpa_s->wpa, wpa_s->wpa,
WNM_SLEEP_SUBELEM_GTK, WNM_SLEEP_SUBELEM_GTK,
@ -221,6 +254,12 @@ static void ieee802_11_rx_wnmsleep_resp(struct wpa_supplicant *wpa_s,
#ifdef CONFIG_IEEE80211W #ifdef CONFIG_IEEE80211W
} else if (*ptr == } else if (*ptr ==
WNM_SLEEP_SUBELEM_IGTK) { WNM_SLEEP_SUBELEM_IGTK) {
if (ptr[1] < 2 + 6 +
WPA_IGTK_LEN) {
wpa_printf(MSG_DEBUG,
"WNM: Too short IGTK subelem");
break;
}
wpa_wnmsleep_install_key( wpa_wnmsleep_install_key(
wpa_s->wpa, wpa_s->wpa,
WNM_SLEEP_SUBELEM_IGTK, WNM_SLEEP_SUBELEM_IGTK,