aboutsummaryrefslogtreecommitdiffstats
path: root/wpa_supplicant/config.h
diff options
context:
space:
mode:
authorMax Stepanov <Max.Stepanov@intel.com>2015-10-14 09:26:33 (GMT)
committerJouni Malinen <j@w1.fi>2015-11-01 19:00:22 (GMT)
commit73ed03f33323414ba02e50c15149bcb1c37d57e8 (patch)
tree861aaa8f5bbddd46b1bd588a6cf21bc2de64f984 /wpa_supplicant/config.h
parentea6030c77f119056868e9b8df06f3200943c61ef (diff)
downloadhostap-73ed03f33323414ba02e50c15149bcb1c37d57e8.zip
hostap-73ed03f33323414ba02e50c15149bcb1c37d57e8.tar.gz
hostap-73ed03f33323414ba02e50c15149bcb1c37d57e8.tar.bz2
wpa_supplicant: Add GTK RSC relaxation workaround
Some APs may send RSC octets in EAPOL-Key message 3 of 4-Way Handshake or in EAPOL-Key message 1 of Group Key Handshake in the opposite byte order (or by some other corrupted way). Thus, after a successful EAPOL-Key exchange the TSC values of received multicast packets, such as DHCP, don't match the RSC one and as a result these packets are dropped on replay attack TSC verification. An example of such AP is Sapido RB-1732. Work around this by setting RSC octets to 0 on GTK installation if the AP RSC value is identified as a potentially having the byte order issue. This may open a short window during which older (but valid) group-addressed frames could be replayed. However, the local receive counter will be updated on the first received group-addressed frame and the workaround is enabled only if the common invalid cases are detected, so this workaround is acceptable as not decreasing security significantly. The wpa_rsc_relaxation global configuration property allows the GTK RSC workaround to be disabled if it's not needed. Signed-off-by: Max Stepanov <Max.Stepanov@intel.com>
Diffstat (limited to 'wpa_supplicant/config.h')
-rw-r--r--wpa_supplicant/config.h11
1 files changed, 11 insertions, 0 deletions
diff --git a/wpa_supplicant/config.h b/wpa_supplicant/config.h
index 3ee0797..2dd1475 100644
--- a/wpa_supplicant/config.h
+++ b/wpa_supplicant/config.h
@@ -39,6 +39,7 @@
#define DEFAULT_KEY_MGMT_OFFLOAD 1
#define DEFAULT_CERT_IN_CB 1
#define DEFAULT_P2P_GO_CTWINDOW 0
+#define DEFAULT_WPA_RSC_RELAXATION 1
#include "config_ssid.h"
#include "wps/wps.h"
@@ -1252,6 +1253,16 @@ struct wpa_config {
* interface.
*/
int fst_llt;
+
+ /**
+ * wpa_rsc_relaxation - RSC relaxation on GTK installation
+ *
+ * Values:
+ * 0 - use the EAPOL-Key RSC value on GTK installation
+ * 1 - use the null RSC if a bogus RSC value is detected in message 3
+ * of 4-Way Handshake or message 1 of Group Key Handshake.
+ */
+ int wpa_rsc_relaxation;
};