[Midnightbsd-cvs] src [12007] trunk/contrib/wpa/src/rsn_supp/wpa.c: When using WPA2, EAPOL-Key frames with the Encrypted flag and without the MIC

root at midnightbsd.org root at midnightbsd.org
Wed Aug 15 09:23:05 EDT 2018


Revision: 12007
          http://svnweb.midnightbsd.org/src/?rev=12007
Author:   root
Date:     2018-08-15 09:23:05 -0400 (Wed, 15 Aug 2018)
Log Message:
-----------
When using WPA2, EAPOL-Key frames with the Encrypted flag and without the MIC
flag set, the data field was decrypted first without verifying the MIC.  When
the data field was encrypted using RC4, for example, when negotiating TKIP as
a pairwise cipher, the unauthenticated but decrypted data was subsequently
processed.  This opened wpa_supplicant(8) to abuse by decryption and recovery
of sensitive information contained in EAPOL-Key messages.

See https://w1.fi/security/2018-1/unauthenticated-eapol-key-decryption.txt
for a detailed description of the bug.

Obtained from: FreeBSD

Modified Paths:
--------------
    trunk/contrib/wpa/src/rsn_supp/wpa.c

Modified: trunk/contrib/wpa/src/rsn_supp/wpa.c
===================================================================
--- trunk/contrib/wpa/src/rsn_supp/wpa.c	2018-08-14 14:54:13 UTC (rev 12006)
+++ trunk/contrib/wpa/src/rsn_supp/wpa.c	2018-08-15 13:23:05 UTC (rev 12007)
@@ -1829,6 +1829,17 @@
 
 	if (sm->proto == WPA_PROTO_RSN &&
 	    (key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
+		/*
+		 * Only decrypt the Key Data field if the frame's authenticity
+		 * was verified. When using AES-SIV (FILS), the MIC flag is not
+		 * set, so this check should only be performed if mic_len != 0
+		 * which is the case in this code branch.
+		 */
+		if (!(key_info & WPA_KEY_INFO_MIC)) {
+			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
+				"WPA: Ignore EAPOL-Key with encrypted but unauthenticated data");
+			goto out;
+		}
 		if (wpa_supplicant_decrypt_key_data(sm, key, ver))
 			goto out;
 		extra_len = WPA_GET_BE16(key->key_data_length);
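Review bot: The new comment justifies not breaking FILS (AES-SIV, no MIC flag) by stating that mic_len != 0 "is the case in this code branch", but nothing in the visible lines tests mic_len; the enclosing condition only checks sm->proto == WPA_PROTO_RSN and WPA_KEY_INFO_ENCR_KEY_DATA. Consider making that guarantee explicit, e.g. `if (mic_len != 0 && !(key_info & WPA_KEY_INFO_MIC))` or a comment pointing at the caller that establishes it, so the FILS path does not start rejecting frames if the surrounding code is later refactored. The ordering itself is correct: the MIC-flag check sits before wpa_supplicant_decrypt_key_data(), so Key Data is no longer decrypted or processed unless the frame carries a MIC, which is exactly the bug the log message describes.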