forked from coolsnowwolf/lede
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge remote-tracking branch 'origin/master' into ci
- Loading branch information
Showing
26 changed files
with
999 additions
and
271 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
81 changes: 81 additions & 0 deletions
81
...ge/kernel/mac80211/patches/327-mac80211-accept-key-reinstall-without-changing-anyth.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,81 @@ | ||
| From fdf7cb4185b60c68e1a75e61691c4afdc15dea0e Mon Sep 17 00:00:00 2001 | ||
| From: Johannes Berg <johannes.berg@intel.com> | ||
| Date: Tue, 5 Sep 2017 14:54:54 +0200 | ||
| Subject: [PATCH] mac80211: accept key reinstall without changing anything | ||
|
|
||
| When a key is reinstalled we can reset the replay counters | ||
| etc. which can lead to nonce reuse and/or replay detection | ||
| being impossible, breaking security properties, as described | ||
| in the "KRACK attacks". | ||
|
|
||
| In particular, CVE-2017-13080 applies to GTK rekeying that | ||
| happened in firmware while the host is in D3, with the second | ||
| part of the attack being done after the host wakes up. In | ||
| this case, the wpa_supplicant mitigation isn't sufficient | ||
| since wpa_supplicant doesn't know the GTK material. | ||
|
|
||
| In case this happens, simply silently accept the new key | ||
| coming from userspace but don't take any action on it since | ||
| it's the same key; this keeps the PN replay counters intact. | ||
|
|
||
| Signed-off-by: Johannes Berg <johannes.berg@intel.com> | ||
| --- | ||
| net/mac80211/key.c | 21 +++++++++++++++++---- | ||
| 1 file changed, 17 insertions(+), 4 deletions(-) | ||
|
|
||
| diff --git a/net/mac80211/key.c b/net/mac80211/key.c | ||
| index a98fc2b5e0dc..ae995c8480db 100644 | ||
| --- a/net/mac80211/key.c | ||
| +++ b/net/mac80211/key.c | ||
| @@ -4,7 +4,7 @@ | ||
| * Copyright 2006-2007 Jiri Benc <jbenc@suse.cz> | ||
| * Copyright 2007-2008 Johannes Berg <johannes@sipsolutions.net> | ||
| * Copyright 2013-2014 Intel Mobile Communications GmbH | ||
| - * Copyright 2015 Intel Deutschland GmbH | ||
| + * Copyright 2015-2017 Intel Deutschland GmbH | ||
| * | ||
| * This program is free software; you can redistribute it and/or modify | ||
| * it under the terms of the GNU General Public License version 2 as | ||
| @@ -620,9 +620,6 @@ int ieee80211_key_link(struct ieee80211_key *key, | ||
|
|
||
| pairwise = key->conf.flags & IEEE80211_KEY_FLAG_PAIRWISE; | ||
| idx = key->conf.keyidx; | ||
| - key->local = sdata->local; | ||
| - key->sdata = sdata; | ||
| - key->sta = sta; | ||
|
|
||
| mutex_lock(&sdata->local->key_mtx); | ||
|
|
||
| @@ -633,6 +630,21 @@ int ieee80211_key_link(struct ieee80211_key *key, | ||
| else | ||
| old_key = key_mtx_dereference(sdata->local, sdata->keys[idx]); | ||
|
|
||
| + /* | ||
| + * Silently accept key re-installation without really installing the | ||
| + * new version of the key to avoid nonce reuse or replay issues. | ||
| + */ | ||
| + if (old_key && key->conf.keylen == old_key->conf.keylen && | ||
| + !memcmp(key->conf.key, old_key->conf.key, key->conf.keylen)) { | ||
| + ieee80211_key_free_unused(key); | ||
| + ret = 0; | ||
| + goto out; | ||
| + } | ||
| + | ||
| + key->local = sdata->local; | ||
| + key->sdata = sdata; | ||
| + key->sta = sta; | ||
| + | ||
| increment_tailroom_need_count(sdata); | ||
|
|
||
| ieee80211_key_replace(sdata, sta, pairwise, old_key, key); | ||
| @@ -648,6 +660,7 @@ int ieee80211_key_link(struct ieee80211_key *key, | ||
| ret = 0; | ||
| } | ||
|
|
||
| + out: | ||
| mutex_unlock(&sdata->local->key_mtx); | ||
|
|
||
| return ret; | ||
| -- | ||
| 2.13.6 | ||
|
|
33 changes: 33 additions & 0 deletions
33
package/kernel/mac80211/patches/328-mac80211-use-constant-time-comparison-with-keys.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| From 2bdd713b92a9cade239d3c7d15205a09f556624d Mon Sep 17 00:00:00 2001 | ||
| From: "Jason A. Donenfeld" <Jason@zx2c4.com> | ||
| Date: Tue, 17 Oct 2017 20:32:07 +0200 | ||
| Subject: [PATCH] mac80211: use constant time comparison with keys | ||
|
|
||
| Otherwise we risk leaking information via timing side channel. | ||
|
|
||
| Fixes: fdf7cb4185b6 ("mac80211: accept key reinstall without changing anything") | ||
| Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> | ||
| Signed-off-by: Johannes Berg <johannes.berg@intel.com> | ||
| --- | ||
| net/mac80211/key.c | 3 ++- | ||
| 1 file changed, 2 insertions(+), 1 deletion(-) | ||
|
|
||
| --- a/net/mac80211/key.c | ||
| +++ b/net/mac80211/key.c | ||
| @@ -19,6 +19,7 @@ | ||
| #include <linux/slab.h> | ||
| #include <linux/export.h> | ||
| #include <net/mac80211.h> | ||
| +#include <crypto/algapi.h> | ||
| #include <asm/unaligned.h> | ||
| #include "ieee80211_i.h" | ||
| #include "driver-ops.h" | ||
| @@ -635,7 +636,7 @@ int ieee80211_key_link(struct ieee80211_ | ||
| * new version of the key to avoid nonce reuse or replay issues. | ||
| */ | ||
| if (old_key && key->conf.keylen == old_key->conf.keylen && | ||
| - !memcmp(key->conf.key, old_key->conf.key, key->conf.keylen)) { | ||
| + !crypto_memneq(key->conf.key, old_key->conf.key, key->conf.keylen)) { | ||
| ieee80211_key_free_unused(key); | ||
| ret = 0; | ||
| goto out; |
73 changes: 73 additions & 0 deletions
73
...age/kernel/mac80211/patches/329-mac80211-don-t-compare-TKIP-TX-MIC-key-in-reinstall.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,73 @@ | ||
| From cfbb0d90a7abb289edc91833d0905931f8805f12 Mon Sep 17 00:00:00 2001 | ||
| From: Johannes Berg <johannes.berg@intel.com> | ||
| Date: Tue, 24 Oct 2017 21:12:13 +0200 | ||
| Subject: [PATCH] mac80211: don't compare TKIP TX MIC key in reinstall prevention | ||
|
|
||
| For the reinstall prevention, the code I had added compares the | ||
| whole key. It turns out though that iwlwifi firmware doesn't | ||
| provide the TKIP TX MIC key as it's not needed in client mode, | ||
| and thus the comparison will always return false. | ||
|
|
||
| For client mode, thus always zero out the TX MIC key part before | ||
| doing the comparison in order to avoid accepting the reinstall | ||
| of the key with identical encryption and RX MIC key, but not the | ||
| same TX MIC key (since the supplicant provides the real one.) | ||
|
|
||
| Fixes: fdf7cb4185b6 ("mac80211: accept key reinstall without changing anything") | ||
| Signed-off-by: Johannes Berg <johannes.berg@intel.com> | ||
| --- | ||
| net/mac80211/key.c | 36 ++++++++++++++++++++++++++++++++++-- | ||
| 1 file changed, 34 insertions(+), 2 deletions(-) | ||
|
|
||
| --- a/net/mac80211/key.c | ||
| +++ b/net/mac80211/key.c | ||
| @@ -610,6 +610,39 @@ void ieee80211_key_free_unused(struct ie | ||
| ieee80211_key_free_common(key); | ||
| } | ||
|
|
||
| +static bool ieee80211_key_identical(struct ieee80211_sub_if_data *sdata, | ||
| + struct ieee80211_key *old, | ||
| + struct ieee80211_key *new) | ||
| +{ | ||
| + u8 tkip_old[WLAN_KEY_LEN_TKIP], tkip_new[WLAN_KEY_LEN_TKIP]; | ||
| + u8 *tk_old, *tk_new; | ||
| + | ||
| + if (!old || new->conf.keylen != old->conf.keylen) | ||
| + return false; | ||
| + | ||
| + tk_old = old->conf.key; | ||
| + tk_new = new->conf.key; | ||
| + | ||
| + /* | ||
| + * In station mode, don't compare the TX MIC key, as it's never used | ||
| + * and offloaded rekeying may not care to send it to the host. This | ||
| + * is the case in iwlwifi, for example. | ||
| + */ | ||
| + if (sdata->vif.type == NL80211_IFTYPE_STATION && | ||
| + new->conf.cipher == WLAN_CIPHER_SUITE_TKIP && | ||
| + new->conf.keylen == WLAN_KEY_LEN_TKIP && | ||
| + !(new->conf.flags & IEEE80211_KEY_FLAG_PAIRWISE)) { | ||
| + memcpy(tkip_old, tk_old, WLAN_KEY_LEN_TKIP); | ||
| + memcpy(tkip_new, tk_new, WLAN_KEY_LEN_TKIP); | ||
| + memset(tkip_old + NL80211_TKIP_DATA_OFFSET_TX_MIC_KEY, 0, 8); | ||
| + memset(tkip_new + NL80211_TKIP_DATA_OFFSET_TX_MIC_KEY, 0, 8); | ||
| + tk_old = tkip_old; | ||
| + tk_new = tkip_new; | ||
| + } | ||
| + | ||
| + return !crypto_memneq(tk_old, tk_new, new->conf.keylen); | ||
| +} | ||
| + | ||
| int ieee80211_key_link(struct ieee80211_key *key, | ||
| struct ieee80211_sub_if_data *sdata, | ||
| struct sta_info *sta) | ||
| @@ -635,8 +668,7 @@ int ieee80211_key_link(struct ieee80211_ | ||
| * Silently accept key re-installation without really installing the | ||
| * new version of the key to avoid nonce reuse or replay issues. | ||
| */ | ||
| - if (old_key && key->conf.keylen == old_key->conf.keylen && | ||
| - !crypto_memneq(key->conf.key, old_key->conf.key, key->conf.keylen)) { | ||
| + if (ieee80211_key_identical(sdata, old_key, key)) { | ||
| ieee80211_key_free_unused(key); | ||
| ret = 0; | ||
| goto out; |
Oops, something went wrong.