From c894c820ff837c4e700fa5a2b08e159126e80d85 Mon Sep 17 00:00:00 2001
From: Mathy Vanhoef
Date: Wed, 11 Oct 2023 22:39:10 +0200
Subject: [PATCH] fragattacks: ignore old EAPOL replay counters
When testing the TelenetWiFree hotspot using the command:
./fragattack.py wlan0 --no-drivercheck ping I,F,E --rekey-req --rekey-plain
Then the AP would reuse old EAPOL replay counters in the rekey 4-way handshake. So for the rekey handshake to succeed, the client has to accept these EAPOL handshake messages with a "reused" replay counter. Note that these networks also performed the rekey handshake in plaintext, which will be handled by a subsequent patch.
---
 src/rsn_supp/wpa.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
index 52fc61656..ae2e3fe8f 100644
--- a/src/rsn_supp/wpa.c
+++ b/src/rsn_supp/wpa.c
@@ -2615,10 +2615,16 @@ int wpa_sm_rx_eapol(struct wpa_sm *sm, const u8 *src_addr,
 if (sm->rx_replay_counter_set && os_memcmp(key->replay_counter, sm->rx_replay_counter, WPA_REPLAY_COUNTER_LEN) <= 0) {
+#ifndef CONFIG_TESTING_OPTIONS
 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
 "WPA: EAPOL-Key Replay Counter did not increase - "
 "dropping packet");
 goto out;
+#else /* CONFIG_TESTING_OPTIONS */
+ wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
+ "WPA: Ignoring that EAPOL-Key Replay Counter did "
+ "not increase - can happen during rekeys");
+#endif /* CONFIG_TESTING_OPTIONS */
 }
 if (key_info & WPA_KEY_INFO_SMK_MESSAGE) {
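Review bot: The new `#else /* CONFIG_TESTING_OPTIONS */` branch removes the EAPOL-Key replay-counter check for every frame in a testing build, not only for the rekey case the commit message describes: with the `goto out` compiled out, any EAPOL-Key frame whose counter is equal to or lower than the last accepted one (the `os_memcmp(...) <= 0` condition) is processed, which covers retransmitted and replayed message 1/3 frames that this check exists to reject, a replayed message 3 being the classic key-reinstallation trigger. Since fragattacks builds run against live networks, the relaxation should be opt-in at runtime rather than a property of the build: keep the warning and `goto out` on both sides of the `#ifdef`, and inside the testing branch guard only the drop, e.g. `if (!sm->test_accept_old_replay_counter) goto out;` with a new field set by the test harness (presumably through the same path as the other testing knobs). The log text `"not increase - can happen during rekeys"` presents this as normal behaviour; wording like `"not increase - accepted because testing mode is enabled"` makes the unsafe state visible in the log. wpa_sm_rx_eapol's body continues outside the hunk, so whether `sm->rx_replay_counter` is later updated from an accepted out-of-order frame is not visible here and should be checked, as that would otherwise also move the counter backwards.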