From owner-svn-src-vendor@freebsd.org  Thu Jul 19 17:49:40 2018
Return-Path: <owner-svn-src-vendor@freebsd.org>
Delivered-To: svn-src-vendor@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id BED99104388C;
 Thu, 19 Jul 2018 17:49:40 +0000 (UTC) (envelope-from cy@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "mxrelay.nyi.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 7462E72F64;
 Thu, 19 Jul 2018 17:49:40 +0000 (UTC) (envelope-from cy@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 562BD2C761;
 Thu, 19 Jul 2018 17:49:40 +0000 (UTC) (envelope-from cy@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id w6JHneMb062231;
 Thu, 19 Jul 2018 17:49:40 GMT (envelope-from cy@FreeBSD.org)
Received: (from cy@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id w6JHndcv062228;
 Thu, 19 Jul 2018 17:49:39 GMT (envelope-from cy@FreeBSD.org)
Message-Id: <201807191749.w6JHndcv062228@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: cy set sender to cy@FreeBSD.org
 using -f
From: Cy Schubert <cy@FreeBSD.org>
Date: Thu, 19 Jul 2018 17:49:39 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-vendor@freebsd.org
Subject: svn commit: r336496 - vendor/wpa/dist/src/rsn_supp
X-SVN-Group: vendor
X-SVN-Commit-Author: cy
X-SVN-Commit-Paths: vendor/wpa/dist/src/rsn_supp
X-SVN-Commit-Revision: 336496
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-vendor@freebsd.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: SVN commit messages for the vendor work area tree
 <svn-src-vendor.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-vendor>, 
 <mailto:svn-src-vendor-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-vendor/>
List-Post: <mailto:svn-src-vendor@freebsd.org>
List-Help: <mailto:svn-src-vendor-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-vendor>,
 <mailto:svn-src-vendor-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Jul 2018 17:49:41 -0000

Author: cy
Date: Thu Jul 19 17:49:39 2018
New Revision: 336496
URL: https://svnweb.freebsd.org/changeset/base/336496

Log:
  Import upline security patch: FILS: Do not allow multiple
  (Re)Association Response frames. This is also upline git commit
  e760851176c77ae6de19821bb1d5bf3ae2cb5187.
  
  Obtained from:	https://w1.fi/security/2017-1/\
  		rebased-v2.6-0008-FT-Do-not-allow-multiple-\
  		Reassociation-Response-fram.patch

Modified:
  vendor/wpa/dist/src/rsn_supp/wpa.c
  vendor/wpa/dist/src/rsn_supp/wpa_ft.c
  vendor/wpa/dist/src/rsn_supp/wpa_i.h

Modified: vendor/wpa/dist/src/rsn_supp/wpa.c
==============================================================================
--- vendor/wpa/dist/src/rsn_supp/wpa.c	Thu Jul 19 17:46:33 2018	(r336495)
+++ vendor/wpa/dist/src/rsn_supp/wpa.c	Thu Jul 19 17:49:39 2018	(r336496)
@@ -2440,6 +2440,9 @@ void wpa_sm_notify_disassoc(struct wpa_sm *sm)
 #ifdef CONFIG_TDLS
 	wpa_tdls_disassoc(sm);
 #endif /* CONFIG_TDLS */
+#ifdef CONFIG_IEEE80211R
+	sm->ft_reassoc_completed = 0;
+#endif /* CONFIG_IEEE80211R */
 
 	/* Keys are not needed in the WPA state machine anymore */
 	wpa_sm_drop_sa(sm);

Modified: vendor/wpa/dist/src/rsn_supp/wpa_ft.c
==============================================================================
--- vendor/wpa/dist/src/rsn_supp/wpa_ft.c	Thu Jul 19 17:46:33 2018	(r336495)
+++ vendor/wpa/dist/src/rsn_supp/wpa_ft.c	Thu Jul 19 17:49:39 2018	(r336496)
@@ -153,6 +153,7 @@ static u8 * wpa_ft_gen_req_ies(struct wpa_sm *sm, size
 	u16 capab;
 
 	sm->ft_completed = 0;
+	sm->ft_reassoc_completed = 0;
 
 	buf_len = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) +
 		2 + sm->r0kh_id_len + ric_ies_len + 100;
@@ -681,6 +682,11 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, co
 		return -1;
 	}
 
+	if (sm->ft_reassoc_completed) {
+		wpa_printf(MSG_DEBUG, "FT: Reassociation has already been completed for this FT protocol instance - ignore unexpected retransmission");
+		return 0;
+	}
+
 	if (wpa_ft_parse_ies(ies, ies_len, &parse) < 0) {
 		wpa_printf(MSG_DEBUG, "FT: Failed to parse IEs");
 		return -1;
@@ -780,6 +786,8 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, co
 		wpa_hexdump(MSG_MSGDUMP, "FT: Calculated MIC", mic, 16);
 		return -1;
 	}
+
+	sm->ft_reassoc_completed = 1;
 
 	if (wpa_ft_process_gtk_subelem(sm, parse.gtk, parse.gtk_len) < 0)
 		return -1;

Modified: vendor/wpa/dist/src/rsn_supp/wpa_i.h
==============================================================================
--- vendor/wpa/dist/src/rsn_supp/wpa_i.h	Thu Jul 19 17:46:33 2018	(r336495)
+++ vendor/wpa/dist/src/rsn_supp/wpa_i.h	Thu Jul 19 17:49:39 2018	(r336496)
@@ -128,6 +128,7 @@ struct wpa_sm {
 	size_t r0kh_id_len;
 	u8 r1kh_id[FT_R1KH_ID_LEN];
 	int ft_completed;
+	int ft_reassoc_completed;
 	int over_the_ds_in_progress;
 	u8 target_ap[ETH_ALEN]; /* over-the-DS target AP */
 	int set_ptk_after_assoc;