wpa_supplicant fails group key attacks even after krack patch

David Park djpark121 at gmail.com
Wed Dec 13 15:51:45 PST 2017


So I updated the mt7601u (this is the chipset I'm using), mac80211 and
cfg80211 drivers with all the latest patches as of the 4.14 kernel
release. Also I built the latest wpa_supplicant from the master
branch. However, even with these updates, I'm still failing the 4.1.3
and 4.2.1 using the WMA v2 tool.

What else could be missing?

--



On Tue, Dec 5, 2017 at 2:27 AM, Jouni Malinen <j at w1.fi> wrote:
> On Sun, Dec 03, 2017 at 02:04:27PM -0800, David Park wrote:
>> I downloaded and cross-compiled wpa_supplicant for ARM from commit
>> a0e3e22 which had all the patches relating to KRACK.
>>
>> Using the vulnerability detection tool from the Wi-Fi Alliance, I am
>> now passing all the pairwise tests, but not the group key related
>> tests. Specifically, I am failing the 4.1.3 and 4.2.1.
>>
>> My wifi driver is part of the mainline kernel, interfacing with
>> mac80211 and cfg80211, so I would have thought all the KRACK
>> vulnerabilities would be completely handled by the wpa_supplicant
>> patches. Is there something I'm missing?
>
> Assuming that wpa_supplicant build does indeed include the applicable
> patches, I would assume this is showing an issue in replay protection:
>
>> [17:34:45] d0:c1:93:02:ed:72: Received 5 unique replies to replayed
>> broadcast ARP requests. Client is vulnerable to group
>> [17:34:45]                    key reinstallations in the 4-way
>> handshake (or client accepts replayed broadcast frames)!
>
> i.e., that "client accepts replayed broadcast frames" part. You may need
> WLAN driver and/or firmware fixes to address that (the actual CCMP
> replay protection is performed at lower layers than wpa_supplicant).
>
> --
> Jouni Malinen                                            PGP id EFC895FA
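
The two causes named in the quoted tool output (group key reinstallation, or replayed broadcast frames being accepted), as an added example that is not part of the thread and is not wpa_supplicant, mac80211 or driver code. It is a simplified receiver model; `gtk_rx`, `gtk_install`, `gtk_rx_frame`, the two flags and the key value are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical receiver model for this example; not mac80211 or driver code. */
struct gtk_rx {
    bool check_pn;         /* false: lower layer never compares the PN */
    bool keep_pn;          /* true: delivering the in-use key again is a no-op */
    bool installed;
    uint8_t key[16];
    uint64_t last_pn;      /* highest CCMP packet number accepted on this key */
};

/* Install a group key; rsc is the receive counter value to start from. */
void gtk_install(struct gtk_rx *rx, const uint8_t key[16], uint64_t rsc)
{
    if (rx->keep_pn && rx->installed && memcmp(rx->key, key, 16) == 0)
        return;            /* key already in use: keep the current counter */
    memcpy(rx->key, key, 16);
    rx->installed = true;
    rx->last_pn = rsc;
}

/* Returns true when a group-addressed frame is passed up the stack. */
bool gtk_rx_frame(struct gtk_rx *rx, uint64_t pn)
{
    if (rx->check_pn && pn <= rx->last_pn)
        return false;      /* replay: PN must strictly increase */
    rx->last_pn = pn > rx->last_pn ? pn : rx->last_pn;
    return true;
}

/* Constructed run: 5 frames, same key delivered again, same 5 frames again. */
int replays_accepted(bool check_pn, bool keep_pn)
{
    static const uint8_t gtk[16] = { 0x11 };  /* constructed key */
    struct gtk_rx rx = { .check_pn = check_pn, .keep_pn = keep_pn };
    int n = 0;
    gtk_install(&rx, gtk, 0);
    for (uint64_t pn = 1; pn <= 5; pn++) gtk_rx_frame(&rx, pn);
    gtk_install(&rx, gtk, 0);
    for (uint64_t pn = 1; pn <= 5; pn++) n += gtk_rx_frame(&rx, pn);
    return n;
}

int main(void)
{
    printf("%d %d %d\n", replays_accepted(1, 1), replays_accepted(0, 1), replays_accepted(1, 0));
}
```

Only the configuration with both the PN comparison and the in-use-key check rejects every replayed frame; either one missing on its own lets all five through, which is why a supplicant-side patch cannot compensate for a lower layer that skips the PN comparison.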


