From: Johannes Berg <johannes@sipsolutions.net>
To: linux-wireless@vger.kernel.org
Cc: stable@vger.kernel.org, Johannes Berg <johannes.berg@intel.com>
Subject: [PATCH v4.14 08/10] mac80211: prevent attacks on TKIP/WEP as well
Date: Mon, 31 May 2021 22:31:33 +0200 [thread overview]
Message-ID: <20210531203135.180427-9-johannes@sipsolutions.net> (raw)
In-Reply-To: <20210531203135.180427-1-johannes@sipsolutions.net>
From: Johannes Berg <johannes.berg@intel.com>
commit 7e44a0b597f04e67eee8cdcbe7ee706c6f5de38b upstream.
Similar to the issues fixed in previous patches, TKIP and WEP
should be protected even if for TKIP we have the Michael MIC
protecting it, and WEP is broken anyway.
However, this also somewhat protects potential other algorithms
that drivers might implement.
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20210511200110.430e8c202313.Ia37e4e5b6b3eaab1a5ae050e015f6c92859dbe27@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
---
net/mac80211/rx.c | 12 ++++++++++++
net/mac80211/sta_info.h | 3 ++-
2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index a00ec2ccb363..61fe65696e6e 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -2048,6 +2048,7 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
* next fragment has a sequential PN value.
*/
entry->check_sequential_pn = true;
+ entry->is_protected = true;
entry->key_color = rx->key->color;
memcpy(entry->last_pn,
rx->key->u.ccmp.rx_pn[queue],
@@ -2060,6 +2061,9 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
sizeof(rx->key->u.gcmp.rx_pn[queue]));
BUILD_BUG_ON(IEEE80211_CCMP_PN_LEN !=
IEEE80211_GCMP_PN_LEN);
+ } else if (rx->key && ieee80211_has_protected(fc)) {
+ entry->is_protected = true;
+ entry->key_color = rx->key->color;
}
return RX_QUEUED;
}
@@ -2101,6 +2105,14 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
if (memcmp(pn, rpn, IEEE80211_CCMP_PN_LEN))
return RX_DROP_UNUSABLE;
memcpy(entry->last_pn, pn, IEEE80211_CCMP_PN_LEN);
+ } else if (entry->is_protected &&
+ (!rx->key || !ieee80211_has_protected(fc) ||
+ rx->key->color != entry->key_color)) {
+ /* Drop this as a mixed key or fragment cache attack, even
+ * if for TKIP Michael MIC should protect us, and WEP is a
+ * lost cause anyway.
+ */
+ return RX_DROP_UNUSABLE;
}
skb_pull(rx->skb, ieee80211_hdrlen(fc));
diff --git a/net/mac80211/sta_info.h b/net/mac80211/sta_info.h
index 0447197c4a2b..f1d293f5678f 100644
--- a/net/mac80211/sta_info.h
+++ b/net/mac80211/sta_info.h
@@ -415,7 +415,8 @@ struct ieee80211_fragment_entry {
u16 extra_len;
u16 last_frag;
u8 rx_queue;
- bool check_sequential_pn; /* needed for CCMP/GCMP */
+ u8 check_sequential_pn:1, /* needed for CCMP/GCMP */
+ is_protected:1;
u8 last_pn[6]; /* PN of the last fragment if CCMP was used */
unsigned int key_color;
};
--
2.31.1
next prev parent reply other threads:[~2021-05-31 20:32 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-31 20:31 [PATCH v4.14 00/10] wireless security fixes backports Johannes Berg
2021-05-31 20:31 ` [PATCH v4.14 01/10] mac80211: assure all fragments are encrypted Johannes Berg
2021-05-31 20:31 ` [PATCH v4.14 02/10] mac80211: prevent mixed key and fragment cache attacks Johannes Berg
2021-05-31 20:31 ` [PATCH v4.14 03/10] mac80211: properly handle A-MSDUs that start with an RFC 1042 header Johannes Berg
2021-05-31 20:31 ` [PATCH v4.14 04/10] cfg80211: mitigate A-MSDU aggregation attacks Johannes Berg
2021-05-31 20:31 ` [PATCH v4.14 05/10] mac80211: drop A-MSDUs on old ciphers Johannes Berg
2021-05-31 20:31 ` [PATCH v4.14 06/10] mac80211: add fragment cache to sta_info Johannes Berg
2021-05-31 20:31 ` [PATCH v4.14 07/10] mac80211: check defrag PN against current frame Johannes Berg
2021-05-31 20:31 ` Johannes Berg [this message]
2021-05-31 20:31 ` [PATCH v4.14 09/10] mac80211: do not accept/forward invalid EAPOL frames Johannes Berg
2021-05-31 20:31 ` [PATCH v4.14 10/10] mac80211: extend protection against mixed key and fragment cache attacks Johannes Berg
2021-06-01 7:27 ` [PATCH v4.14 00/10] wireless security fixes backports Greg KH
2021-06-01 7:29 ` Johannes Berg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210531203135.180427-9-johannes@sipsolutions.net \
--to=johannes@sipsolutions.net \
--cc=johannes.berg@intel.com \
--cc=linux-wireless@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.