authorJouni Malinen <j@w1.fi>2015-03-07 10:58:19 (GMT)
committerJouni Malinen <j@w1.fi>2015-03-07 11:00:06 (GMT)
commit761396e4bef0218cd64347976520235f4868fbc7 (patch)
treea9e09d9645d2ae0a1dfef80dfca4e1b4550c8f2d /src/rsn_supp
parent68baa82cd298ec0f6f5ce02ac4e2f94ac967ec60 (diff)
Reject Group Key message 1/2 prior to completion of 4-way handshake
Previously, it would have been possible to complete an RSN connection by skipping msg 3/4 and 4/4 completely. This would have resulted in the pairwise key not being configured. This is obviously not supposed to happen in practice and could result in unexpected behavior, so reject the group key message before the initial 4-way handshake has been completed. Signed-off-by: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'src/rsn_supp')
-rw-r--r--src/rsn_supp/wpa.c9
-rw-r--r--src/rsn_supp/wpa_i.h1
2 files changed, 10 insertions, 0 deletions
diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
index 37e4b35..8adeef4 100644
--- a/src/rsn_supp/wpa.c
+++ b/src/rsn_supp/wpa.c
@@ -1244,6 +1244,7 @@ static void wpa_supplicant_process_3_of_4(struct wpa_sm *sm,
sm->cur_pmksa = sa;
}
+ sm->msg_3_of_4_ok = 1;
return;
failed:
@@ -1436,6 +1437,12 @@ static void wpa_supplicant_process_1_of_2(struct wpa_sm *sm,
int rekey, ret;
struct wpa_gtk_data gd;
+ if (!sm->msg_3_of_4_ok) {
+ wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
+ "WPA: Group Key Handshake started prior to completion of 4-way handshake");
+ goto failed;
+ }
+
os_memset(&gd, 0, sizeof(gd));
rekey = wpa_sm_get_state(sm) == WPA_COMPLETED;
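Review bot: The new early `goto failed` in wpa_supplicant_process_1_of_2 runs before `os_memset(&gd, 0, sizeof(gd));`, so `gd` is still uninitialized when control reaches the `failed` label. That label is outside the hunk, so whether it touches `gd` cannot be seen here; if it does, or if cleanup of the key data is added there later, this path would operate on stack garbage. Moving `os_memset(&gd, 0, sizeof(gd));` above the `if (!sm->msg_3_of_4_ok)` check keeps the GTK buffer in a defined state on every exit path. A one-line comment such as `/* No pairwise key is configured until msg 3/4 has been processed */` above the check would also record why the frame is rejected.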
@@ -2295,6 +2302,8 @@ void wpa_sm_notify_disassoc(struct wpa_sm *sm)
/* Keys are not needed in the WPA state machine anymore */
wpa_sm_drop_sa(sm);
+
+ sm->msg_3_of_4_ok = 0;
}
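Review bot: `sm->msg_3_of_4_ok` is cleared only here in wpa_sm_notify_disassoc, as far as this diff shows, so the guard added in wpa_supplicant_process_1_of_2 depends on every new association being preceded by this call. If a reassociation can begin without the disassociation notification (not visible in this diff), the flag from the previous association would still be set and Group Key message 1/2 would be accepted before the new 4-way handshake finishes. It is worth confirming that, or also adding `sm->msg_3_of_4_ok = 0;` where a new association is reported to the state machine. The function body starts outside the hunk.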
diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h
index 431bb20..965a9c1 100644
--- a/src/rsn_supp/wpa_i.h
+++ b/src/rsn_supp/wpa_i.h
@@ -23,6 +23,7 @@ struct wpa_sm {
size_t pmk_len;
struct wpa_ptk ptk, tptk;
int ptk_set, tptk_set;
+ unsigned int msg_3_of_4_ok:1;
u8 snonce[WPA_NONCE_LEN];
u8 anonce[WPA_NONCE_LEN]; /* ANonce from the last 1/4 msg */
int renew_snonce;
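Review bot: The new `msg_3_of_4_ok` bit in struct wpa_sm has no comment, although it now gates acceptance of Group Key message 1/2 and its lifetime is spread over three functions in wpa.c. A trailing comment such as `/* msg 3/4 processed for the current association; cleared on disassociation */` would state the invariant next to the field, in the same style as the existing comment on `anonce`. The struct definition starts and ends outside the hunk.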