From 57905c7ecf5288d1f51bd46238e5231079a8488f Mon Sep 17 00:00:00 2001 From: Hrudaynath Dhabe Date: Thu, 10 Feb 2022 14:40:01 +0530 Subject: [PATCH] esp_wifi: Ignore unauthenticated encrypted EAPOL-Key data and fix handling of key RSC. Closes https://github.com/espressif/esp-idf/issues/8401 --- components/wpa_supplicant/src/rsn_supp/wpa.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/components/wpa_supplicant/src/rsn_supp/wpa.c b/components/wpa_supplicant/src/rsn_supp/wpa.c index 6579ef9045..77c8c14923 100644 --- a/components/wpa_supplicant/src/rsn_supp/wpa.c +++ b/components/wpa_supplicant/src/rsn_supp/wpa.c @@ -1129,7 +1129,7 @@ static void wpa_sm_set_seq(struct wpa_sm *sm, struct wpa_eapol_key *key, u8 ispt os_bzero(null_rsc, WPA_KEY_RSC_LEN); - if (sm->proto == WPA_PROTO_RSN) { + if (sm->proto == WPA_PROTO_RSN && isptk) { key_rsc = null_rsc; } else { key_rsc = key->key_rsc; @@ -1979,7 +1979,18 @@ int wpa_sm_rx_eapol(u8 *src_addr, u8 *buf, u32 len) } if (sm->proto == WPA_PROTO_RSN && - (key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) { + (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) && mic_len) { + /* + * Only decrypt the Key Data field if the frame's authenticity + * was verified. When using AES-SIV (FILS), the MIC flag is not + * set, so this check should only be performed if mic_len != 0 + * which is the case in this code branch. + */ + if (!(key_info & WPA_KEY_INFO_MIC)) { + wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, + "WPA: Ignore EAPOL-Key with encrypted but unauthenticated data"); + goto out; + } if (wpa_supplicant_decrypt_key_data(sm, key, ver, key_data, &key_data_len)) goto out;