Reject Group Key message 1/2 prior to completion of 4-way handshake
Previously, it would have been possible to complete RSN connection by
skipping the msg 3/4 and 4/4 completely. This would have resulted in
pairwise key not being configured. This is obviously not supposed to
happen in practice and could result in unexpected behavior, so reject
group key message before the initial 4-way handshake has been completed.
Signed-off-by: Jouni Malinen <j@w1.fi>
diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
index 37e4b35..8adeef4 100644
--- a/src/rsn_supp/wpa.c
+++ b/src/rsn_supp/wpa.c
@@ -1244,6 +1244,7 @@
sm->cur_pmksa = sa;
}
+ sm->msg_3_of_4_ok = 1;
return;
failed:
@@ -1436,6 +1437,12 @@
int rekey, ret;
struct wpa_gtk_data gd;
+ if (!sm->msg_3_of_4_ok) {
+ wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
+ "WPA: Group Key Handshake started prior to completion of 4-way handshake");
+ goto failed;
+ }
+
os_memset(&gd, 0, sizeof(gd));
rekey = wpa_sm_get_state(sm) == WPA_COMPLETED;
@@ -2295,6 +2302,8 @@
/* Keys are not needed in the WPA state machine anymore */
wpa_sm_drop_sa(sm);
+
+ sm->msg_3_of_4_ok = 0;
}
diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h
index 431bb20..965a9c1 100644
--- a/src/rsn_supp/wpa_i.h
+++ b/src/rsn_supp/wpa_i.h
@@ -23,6 +23,7 @@
size_t pmk_len;
struct wpa_ptk ptk, tptk;
int ptk_set, tptk_set;
+ unsigned int msg_3_of_4_ok:1;
u8 snonce[WPA_NONCE_LEN];
u8 anonce[WPA_NONCE_LEN]; /* ANonce from the last 1/4 msg */
int renew_snonce;
