From 628ca1c4b6c8050e916e3233fd28550904a9efee Mon Sep 17 00:00:00 2001
From: stsp
Date: Mon, 24 Sep 2018 20:14:59 +0000
Subject: [PATCH] Prevent ieee80211_get_txkey() from returning the integrity group temporal key (IGTK) if a node doesn't have management frame protection (MFP) enabled.
The IGTK is not initialized if MFP is disabled, so using it triggers this panic in ieee80211_encrypt(): panic("invalid key cipher 0x%x", k->k_cipher)
(As far as I can tell, at present, MFP is never enabled.)
Problem reported and fix tested by tj@ on athn(4) hostap
---
sys/net80211/ieee80211_crypto.c | 13 ++++++-------
1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/sys/net80211/ieee80211_crypto.c b/sys/net80211/ieee80211_crypto.c
index 046412f9e5c..8ede6e324a4 100644
--- a/sys/net80211/ieee80211_crypto.c
+++ b/sys/net80211/ieee80211_crypto.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ieee80211_crypto.c,v 1.73 2018/04/28 14:46:10 stsp Exp $ */
+/* $OpenBSD: ieee80211_crypto.c,v 1.74 2018/09/24 20:14:59 stsp Exp $ */
 
 /*-
  * Copyright (c) 2008 Damien Bergamini
@@ -196,13 +196,12 @@ ieee80211_get_txkey(struct ieee80211com *ic, const struct ieee80211_frame *wh,
 ni->ni_rsncipher != IEEE80211_CIPHER_USEGROUP)
 return &ni->ni_pairwise_key;
 
- if ((ic->ic_flags & IEEE80211_F_WEPON) ||
- !IEEE80211_IS_MULTICAST(wh->i_addr1) ||
- (wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK) !=
- IEEE80211_FC0_TYPE_MGT)
- kid = ic->ic_def_txkey;
- else
+ /* All other cases (including WEP) use a group key. */
+ if (ni->ni_flags & IEEE80211_NODE_MFP)
 kid = ic->ic_igtk_kid;
+ else
+ kid = ic->ic_def_txkey;
+
 return &ic->ic_nw_keys[kid];
 }
 
-- 
2.20.1
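Review bot: The rewritten condition selects the IGTK for every group-keyed frame sent to a node with IEEE80211_NODE_MFP set, whereas the removed test applied it only to multicast management frames; once MFP is actually enabled, a multicast data frame to such a node would be protected with the integrity key (`ic_igtk_kid`) rather than the default group key, and by the commit message's own description the IGTK is an integrity key, not a data-confidentiality key. The message notes MFP is never enabled today, so this is a latent rather than an immediate defect, but the new code is the path that will run when it is. Consider keeping the frame-type qualifier, e.g. `if ((ni->ni_flags & IEEE80211_NODE_MFP) && IEEE80211_IS_MULTICAST(wh->i_addr1) && (wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK) == IEEE80211_FC0_TYPE_MGT)`, and stating the intent above it with `/* The IGTK covers group-addressed management frames only; data frames use the group key. */`. The start of ieee80211_get_txkey() lies outside the hunk, so whether an earlier check already restricts callers by frame type cannot be confirmed from here.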