20 lines
735 B
Diff
20 lines
735 B
Diff
--- contrib/wpa/src/rsn_supp/wpa.c.orig
|
|
+++ contrib/wpa/src/rsn_supp/wpa.c
|
|
@@ -1829,6 +1829,17 @@
|
|
|
|
if (sm->proto == WPA_PROTO_RSN &&
|
|
(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
|
|
+ /*
|
|
+ * Only decrypt the Key Data field if the frame's authenticity
|
|
+ * was verified. When using AES-SIV (FILS), the MIC flag is not
|
|
+ * set, so this check should only be performed if mic_len != 0
|
|
+ * which is the case in this code branch.
|
|
+ */
|
|
+ if (!(key_info & WPA_KEY_INFO_MIC)) {
|
|
+ wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
|
|
+ "WPA: Ignore EAPOL-Key with encrypted but unauthenticated data");
|
|
+ goto out;
|
|
+ }
|
|
if (wpa_supplicant_decrypt_key_data(sm, key, ver))
|
|
goto out;
|
|
extra_len = WPA_GET_BE16(key->key_data_length);
|