From 5f746f3c8d8257fa8c99fa57393ceb4600dfbbaf Mon Sep 17 00:00:00 2001
From: slaff
Date: Wed, 30 Sep 2020 10:28:26 +0200
Subject: [PATCH] Added workaround for CVE-2020-12638. (#2107)

See https://lbsfilm.at/blog/wpa2-authenticationmode-downgrade-in-espressif-microprocessors for details.
---
 Sming/Arch/Esp32/Platform/WifiEventsImpl.cpp | 11 +++++++++++
 Sming/Arch/Esp8266/Platform/WifiEventsImpl.cpp | 11 +++++++++++
 2 files changed, 22 insertions(+)
diff --git a/Sming/Arch/Esp32/Platform/WifiEventsImpl.cpp b/Sming/Arch/Esp32/Platform/WifiEventsImpl.cpp
index c1f372f3d4..3778593a55 100644
--- a/Sming/Arch/Esp32/Platform/WifiEventsImpl.cpp
+++ b/Sming/Arch/Esp32/Platform/WifiEventsImpl.cpp
@@ -11,6 +11,7 @@
 */
 #include "WifiEventsImpl.h"
+#include
 #include
 #include
@@ -66,6 +67,16 @@ void WifiEventsImpl::WifiEventHandler(void* arg, esp_event_base_t base, int32_t
 auto oldMode = WifiAuthMode(event->old_mode);
 auto newMode = WifiAuthMode(event->new_mode);
 debugf("mode: %d -> %d\n", oldMode, newMode);
+
+ if((oldMode != AUTH_OPEN) && (newMode == AUTH_OPEN)) {
+ // CVE-2020-12638 workaround.
+ // TODO: Remove this workaround once ESP-IDF has the proper fix.
+ debugf("Potential downgrade attack. Reconnecting WiFi. See CVE-2020-12638 for more details\n");
+ WifiStation.disconnect();
+ WifiStation.connect();
+ break;
+ }
+
+ if(onSTAAuthModeChange) {
 onSTAAuthModeChange(oldMode, newMode);
 }
diff --git a/Sming/Arch/Esp8266/Platform/WifiEventsImpl.cpp b/Sming/Arch/Esp8266/Platform/WifiEventsImpl.cpp
index d8e4fca199..2e4370e86d 100644
--- a/Sming/Arch/Esp8266/Platform/WifiEventsImpl.cpp
+++ b/Sming/Arch/Esp8266/Platform/WifiEventsImpl.cpp
@@ -11,6 +11,7 @@
 */
 #include "WifiEventsImpl.h"
+#include
 #include
 static WifiEventsImpl events;
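Review bot: In the Esp32 `WifiEventHandler` hunk the `break` in the new downgrade branch exits before `onSTAAuthModeChange` is called, so the application is never told that the station dropped to `AUTH_OPEN`; the only trace is the `debugf` line, which may be absent in builds with debug output disabled. Firmware that wants to count, log or alert on suspected downgrade attempts has nothing to hook. I would either notify the callback first, `if(onSTAAuthModeChange) { onSTAAuthModeChange(oldMode, newMode); }` placed ahead of `WifiStation.disconnect();`, or state in the comment that the callback is deliberately suppressed for this transition. The same applies to the matching Esp8266 hunk, and the enclosing handler starts and ends outside both hunks.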
@@ -48,6 +49,16 @@ void WifiEventsImpl::WifiEventHandler(System_Event_t* evt)
 auto oldMode = WifiAuthMode(evt->event_info.auth_change.old_mode);
 auto newMode = WifiAuthMode(evt->event_info.auth_change.new_mode);
 debugf("mode: %d -> %d\n", oldMode, newMode);
+
+ if((oldMode != AUTH_OPEN) && (newMode == AUTH_OPEN)) {
+ // CVE-2020-12638 workaround.
+ // TODO: Remove this workaround once NON-OS SDK 3.0.x plays nicely with Sming
+ debugf("Potential downgrade attack. Reconnecting WiFi. See CVE-2020-12638 for more details\n");
+ WifiStation.disconnect();
+ WifiStation.connect();
+ break;
+ }
+
+ if(onSTAAuthModeChange) {
 onSTAAuthModeChange(oldMode, newMode);
 }
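Review bot: The reconnect in the Esp8266 hunk is unconditional and unthrottled: every transition from a non-open mode to `AUTH_OPEN` triggers `WifiStation.disconnect()` followed by `WifiStation.connect()`, and the results of both calls are discarded. If the event keeps recurring, the station will keep cycling, trading the downgrade for loss of connectivity, and nothing here records how often that happened. Whether the reconnect can itself land on an open network depends on the station configuration, which is not visible in this hunk. At minimum I would document this next to the workaround, e.g. `// NOTE: not rate-limited; a repeated auth-mode downgrade event causes repeated reconnects`, and consider enforcing a minimum interval between reconnects. The Esp32 hunk has the same shape, and the handler body continues outside the hunk.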