mac80211: backport upstream fixes for FragAttacks
1 From: Johannes Berg <johannes.berg@intel.com>
2 Date: Tue, 11 May 2021 20:02:49 +0200
3 Subject: [PATCH] mac80211: prevent attacks on TKIP/WEP as well
4
5 Similar to the issues fixed in previous patches, TKIP and WEP
6 should be protected even if for TKIP we have the Michael MIC
7 protecting it, and WEP is broken anyway.
8
9 However, this also somewhat protects potential other algorithms
10 that drivers might implement.
11
12 Cc: stable@vger.kernel.org
13 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
14 ---
15
16 --- a/net/mac80211/rx.c
17 +++ b/net/mac80211/rx.c
18 @@ -2284,6 +2284,7 @@ ieee80211_rx_h_defragment(struct ieee802
19 * next fragment has a sequential PN value.
20 */
21 entry->check_sequential_pn = true;
22 + entry->is_protected = true;
23 entry->key_color = rx->key->color;
24 memcpy(entry->last_pn,
25 rx->key->u.ccmp.rx_pn[queue],
26 @@ -2296,6 +2297,9 @@ ieee80211_rx_h_defragment(struct ieee802
27 sizeof(rx->key->u.gcmp.rx_pn[queue]));
28 BUILD_BUG_ON(IEEE80211_CCMP_PN_LEN !=
29 IEEE80211_GCMP_PN_LEN);
30 + } else if (rx->key && ieee80211_has_protected(fc)) {
31 + entry->is_protected = true;
32 + entry->key_color = rx->key->color;
33 }
34 return RX_QUEUED;
35 }
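Review bot: Nothing in this hunk clears `is_protected` when the first fragment is not protected — the CCMP/GCMP branch and the new `else if` both only ever set it to true, so if `ieee80211_reassemble_add()` (outside this diff) reuses a cache slot without resetting the flag, a stale true value from an earlier encrypted reassembly would make the new check in the later hunk drop a legitimate unprotected reassembly on an open BSS (`!rx->key` and `!ieee80211_has_protected(fc)` both hold). Unless that reset is confirmed in `ieee80211_reassemble_add()`, make this hunk self-contained by closing the chain with `} else { entry->is_protected = false; }` before the `return RX_QUEUED;`. `ieee80211_rx_h_defragment()` begins before this hunk.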
36 @@ -2337,6 +2341,14 @@ ieee80211_rx_h_defragment(struct ieee802
37 if (memcmp(pn, rpn, IEEE80211_CCMP_PN_LEN))
38 return RX_DROP_UNUSABLE;
39 memcpy(entry->last_pn, pn, IEEE80211_CCMP_PN_LEN);
40 + } else if (entry->is_protected &&
41 + (!rx->key || !ieee80211_has_protected(fc) ||
42 + rx->key->color != entry->key_color)) {
43 + /* Drop this as a mixed key or fragment cache attack, even
44 + * if for TKIP Michael MIC should protect us, and WEP is a
45 + * lost cause anyway.
46 + */
47 + return RX_DROP_UNUSABLE;
48 }
49
50 skb_pull(rx->skb, ieee80211_hdrlen(fc));
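Review bot: The new `else if` only rejects mixing when the first fragment was protected; a reassembly whose first fragment arrived unprotected (so `entry->is_protected` stays false) and whose later fragments are encrypted under a valid key passes this check unchanged. Whether that direction is caught elsewhere — presumably by the unencrypted-data drop applied to the reassembled frame, whose frame control comes from the first fragment — cannot be seen from this hunk, and `ieee80211_rx_h_defragment()` continues outside it on both sides. If that is the intended division of labour, say so next to the new branch, e.g. `/* unprotected-first reassemblies are not tracked here; the plaintext-frame checks on the reassembled MSDU handle that case */`, so the asymmetry is not mistaken for an oversight.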
51 --- a/net/mac80211/sta_info.h
52 +++ b/net/mac80211/sta_info.h
53 @@ -455,7 +455,8 @@ struct ieee80211_fragment_entry {
54 u16 extra_len;
55 u16 last_frag;
56 u8 rx_queue;
57 - bool check_sequential_pn; /* needed for CCMP/GCMP */
58 + u8 check_sequential_pn:1, /* needed for CCMP/GCMP */
59 + is_protected:1;
60 u8 last_pn[6]; /* PN of the last fragment if CCMP was used */
61 unsigned int key_color;
62 };
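Review bot: The new `is_protected` bit has no comment, while every neighbouring field in `struct ieee80211_fragment_entry` documents when it is meaningful, and the existing `last_pn` comment now reads as if the entry were CCMP-only even though `key_color` is also set for other ciphers in this patch. Suggest `is_protected:1; /* first fragment was protected; later ones must use the same key */` and, since `key_color` is now consulted for any protected cipher, `unsigned int key_color; /* rx->key->color of the first fragment, valid if is_protected */`.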