Discard unencrypted EAPOL/EAP when TK is set and PMF is enabled (AP)
RSN design is supposed to encrypt all Data frames, including EAPOL frames, once the TK has been configured. However, there are deployed implementations that do not really follow this design and there are various examples from the older uses of EAPOL frame where those frames were not encrypted. As such, strict filtering of unencrypted EAPOL frames might results in undesired interoperation issues. However, some of the most important cases of missing EAPOL frame encryption should be possible to handle without causing too significant issues. These are for cases where an attacker could potentially cause an existing association to be dropped when PMF is used. EAPOL-Start and EAPOL-Logoff are potential candidate for such attacks since those frames could be used to terminate an authentication or initiate a new EAP authentication. Such an attack could result in the station ending up disconnecting or at minimum, getting into somewhat mismatching state with the AP. Drop EAPOL-Start/Logoff/EAP frames on the AP/Authenticator when it is known that it was not encrypted but should have been and when PMF is enabled. While it would be correct to drop this even without PMF, that does not provide any significant benefit since it is trivial to force disconnection in no-PMF cases. It should also be noted that not all drivers provide information about the encryption status of the EAPOL frames and this change has no impact with drivers that do not indicate whether the frame was encrypted. Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen
parent
3c2fbe9f56
commit
8690374439
1 changed files with 22 additions and 0 deletions
|
|
@ -1021,6 +1021,22 @@ static void ieee802_1x_save_eapol(struct sta_info *sta, const u8 *buf,
|
|||
}
|
||||
|
||||
|
||||
static bool ieee802_1x_check_encryption(struct sta_info *sta,
|
||||
enum frame_encryption encrypted,
|
||||
u8 type)
|
||||
{
|
||||
if (encrypted != FRAME_NOT_ENCRYPTED)
|
||||
return true;
|
||||
if (type != IEEE802_1X_TYPE_EAP_PACKET &&
|
||||
type != IEEE802_1X_TYPE_EAPOL_START &&
|
||||
type != IEEE802_1X_TYPE_EAPOL_LOGOFF)
|
||||
return true;
|
||||
if (!(sta->flags & WLAN_STA_MFP))
|
||||
return true;
|
||||
return !wpa_auth_pairwise_set(sta->wpa_sm);
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* ieee802_1x_receive - Process the EAPOL frames from the Supplicant
|
||||
* @hapd: hostapd BSS data
|
||||
|
|
@ -1117,6 +1133,12 @@ void ieee802_1x_receive(struct hostapd_data *hapd, const u8 *sa, const u8 *buf,
|
|||
return;
|
||||
}
|
||||
|
||||
if (!ieee802_1x_check_encryption(sta, encrypted, hdr->type)) {
|
||||
wpa_printf(MSG_DEBUG,
|
||||
"IEEE 802.1X: Discard unencrypted EAPOL message - encryption was expected");
|
||||
return;
|
||||
}
|
||||
|
||||
if (!sta->eapol_sm) {
|
||||
sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta);
|
||||
if (!sta->eapol_sm)
|
||||
|
|
|
|||
Loading…
Reference in a new issue