aboutsummaryrefslogtreecommitdiffstats
path: root/src/rsn_supp/wpa.h
diff options
context:
space:
mode:
authorMax Stepanov <Max.Stepanov@intel.com>2015-10-14 09:26:33 (GMT)
committerJouni Malinen <j@w1.fi>2015-11-01 19:00:22 (GMT)
commit73ed03f33323414ba02e50c15149bcb1c37d57e8 (patch)
tree861aaa8f5bbddd46b1bd588a6cf21bc2de64f984 /src/rsn_supp/wpa.h
parentea6030c77f119056868e9b8df06f3200943c61ef (diff)
downloadhostap-73ed03f33323414ba02e50c15149bcb1c37d57e8.zip
hostap-73ed03f33323414ba02e50c15149bcb1c37d57e8.tar.gz
hostap-73ed03f33323414ba02e50c15149bcb1c37d57e8.tar.bz2
wpa_supplicant: Add GTK RSC relaxation workaround
Some APs may send RSC octets in EAPOL-Key message 3 of 4-Way Handshake or in EAPOL-Key message 1 of Group Key Handshake in the opposite byte order (or by some other corrupted way). Thus, after a successful EAPOL-Key exchange the TSC values of received multicast packets, such as DHCP, don't match the RSC one and as a result these packets are dropped on replay attack TSC verification. An example of such AP is Sapido RB-1732. Work around this by setting RSC octets to 0 on GTK installation if the AP RSC value is identified as a potentially having the byte order issue. This may open a short window during which older (but valid) group-addressed frames could be replayed. However, the local receive counter will be updated on the first received group-addressed frame and the workaround is enabled only if the common invalid cases are detected, so this workaround is acceptable as not decreasing security significantly. The wpa_rsc_relaxation global configuration property allows the GTK RSC workaround to be disabled if it's not needed. Signed-off-by: Max Stepanov <Max.Stepanov@intel.com>
Diffstat (limited to 'src/rsn_supp/wpa.h')
-rw-r--r--src/rsn_supp/wpa.h1
1 files changed, 1 insertions, 0 deletions
diff --git a/src/rsn_supp/wpa.h b/src/rsn_supp/wpa.h
index e163b70..9bfe0e2 100644
--- a/src/rsn_supp/wpa.h
+++ b/src/rsn_supp/wpa.h
@@ -104,6 +104,7 @@ struct rsn_supp_config {
size_t ssid_len;
int wpa_ptk_rekey;
int p2p;
+ int wpa_rsc_relaxation;
};
#ifndef CONFIG_NO_WPA