=================================================================== RCS file: /cvs/src/sys/net80211/ieee80211_pae_input.c,v retrieving revision 1.30 retrieving revision 1.31 diff -u -r1.30 -r1.31 --- src/sys/net80211/ieee80211_pae_input.c 2017/08/17 06:01:05 1.30 +++ src/sys/net80211/ieee80211_pae_input.c 2017/10/16 10:39:41 1.31 @@ -1,4 +1,4 @@ -/* $OpenBSD: ieee80211_pae_input.c,v 1.30 2017/08/17 06:01:05 stsp Exp $ */ +/* $OpenBSD: ieee80211_pae_input.c,v 1.31 2017/10/16 10:39:41 stsp Exp $ */ /*- * Copyright (c) 2007,2008 Damien Bergamini @@ -340,6 +340,12 @@ } #endif /* IEEE80211_STA_ONLY */ +/* + * Check if a group key must be updated with a new GTK from an EAPOL frame. + * Manipulated group key handshake messages could trick clients into + * reinstalling an already used group key and hence lower or reset the + * associated replay counter. This check prevents such attacks. + */ int ieee80211_must_update_group_key(struct ieee80211_key *k, const uint8_t *gtk, int len) @@ -528,6 +534,17 @@ if (ieee80211_send_4way_msg4(ic, ni) != 0) return; /* ..authenticator will retry */ + /* + * Only install a new pairwise key if we are still expecting a new key, + * as indicated by the NODE_RSN_NEW_PTK flag. An adversary could be + * sending manipulated retransmissions of message 3 of the 4-way + * handshake in an attempt to trick us into reinstalling an already + * used pairwise key. If this attack succeeded, the incremental nonce + * and replay counter associated with the key would be reset. + * Against CCMP, the adversary could abuse this to replay and decrypt + * packets. Against TKIP, it would become possible to replay, decrypt, + * and forge packets. + */ if (ni->ni_rsncipher != IEEE80211_CIPHER_USEGROUP && (ni->ni_flags & IEEE80211_NODE_RSN_NEW_PTK)) { u_int64_t prsc;