Ana Sayfa Keşfet Yardım
Üye Ol Giriş Yap
OpenWrt
/
openwrt
şunun yansıması https://github.com/openwrt/openwrt.git
2
0
Çatalla 0
Dosyalar Sorunlar 0 Wiki
Ağaç: 025bd93f36
Dallar Biçim İmleri
openwrt
/
package
/
kernel
/
mac80211
/
patches
/
subsys
/
387-mac80211-prevent-attacks-on-TKIP-WEP-as-well.patch

387-mac80211-prevent-attacks-on-TKIP-WEP-as-well.patch 2.1 KB
Geçmiş Ham

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162 
  1. From: Johannes Berg <[email protected]>
    2. 

  2. Date: Tue, 11 May 2021 20:02:49 +0200
    3. 

  3. Subject: [PATCH] mac80211: prevent attacks on TKIP/WEP as well
    4. 

  4. 

  5. Similar to the issues fixed in previous patches, TKIP and WEP
    6. 

  6. should be protected even if for TKIP we have the Michael MIC
    7. 

  7. protecting it, and WEP is broken anyway.
    8. 

  8. 

  9. However, this also somewhat protects potential other algorithms
    10. 

  10. that drivers might implement.
    11. 

  11. 

  12. Cc: [email protected]
    13. 

  13. Signed-off-by: Johannes Berg <[email protected]>
    14. 

  14. ---
    15. 

  15. 

  16. --- a/net/mac80211/rx.c
    17. 

  17. +++ b/net/mac80211/rx.c
    18. 

  18. @@ -2284,6 +2284,7 @@ ieee80211_rx_h_defragment(struct ieee802
    19. 

  19.  			 * next fragment has a sequential PN value.
    20. 

  20.  			 */
    21. 

  21.  			entry->check_sequential_pn = true;
    22. 

  22. +			entry->is_protected = true;
    23. 

  23.  			entry->key_color = rx->key->color;
    24. 

  24.  			memcpy(entry->last_pn,
    25. 

  25.  			       rx->key->u.ccmp.rx_pn[queue],
    26. 

  26. @@ -2296,6 +2297,9 @@ ieee80211_rx_h_defragment(struct ieee802
    27. 

  27.  				     sizeof(rx->key->u.gcmp.rx_pn[queue]));
    28. 

  28.  			BUILD_BUG_ON(IEEE80211_CCMP_PN_LEN !=
    29. 

  29.  				     IEEE80211_GCMP_PN_LEN);
    30. 

  30. +		} else if (rx->key && ieee80211_has_protected(fc)) {
    31. 

  31. +			entry->is_protected = true;
    32. 

  32. +			entry->key_color = rx->key->color;
    33. 

  33.  		}
    34. 

  34.  		return RX_QUEUED;
    35. 

  35.  	}
    36. 

  36. @@ -2337,6 +2341,14 @@ ieee80211_rx_h_defragment(struct ieee802
    37. 

  37.  		if (memcmp(pn, rpn, IEEE80211_CCMP_PN_LEN))
    38. 

  38.  			return RX_DROP_UNUSABLE;
    39. 

  39.  		memcpy(entry->last_pn, pn, IEEE80211_CCMP_PN_LEN);
    40. 

  40. +	} else if (entry->is_protected &&
    41. 

  41. +		   (!rx->key || !ieee80211_has_protected(fc) ||
    42. 

  42. +		    rx->key->color != entry->key_color)) {
    43. 

  43. +		/* Drop this as a mixed key or fragment cache attack, even
    44. 

  44. +		 * if for TKIP Michael MIC should protect us, and WEP is a
    45. 

  45. +		 * lost cause anyway.
    46. 

  46. +		 */
    47. 

  47. +		return RX_DROP_UNUSABLE;
    48. 

  48.  	}
    49. 

  49.  
    50. 

  50.  	skb_pull(rx->skb, ieee80211_hdrlen(fc));
    51. 

  51. --- a/net/mac80211/sta_info.h
    52. 

  52. +++ b/net/mac80211/sta_info.h
    53. 

  53. @@ -455,7 +455,8 @@ struct ieee80211_fragment_entry {
    54. 

  54.  	u16 extra_len;
    55. 

  55.  	u16 last_frag;
    56. 

  56.  	u8 rx_queue;
    57. 

  57. -	bool check_sequential_pn; /* needed for CCMP/GCMP */
    58. 

  58. +	u8 check_sequential_pn:1, /* needed for CCMP/GCMP */
    59. 

  59. +	   is_protected:1;
    60. 

  60.  	u8 last_pn[6]; /* PN of the last fragment if CCMP was used */
    61. 

  61.  	unsigned int key_color;
    62. 

  62.  };
    63.