[arch-commits] Commit in wpa_supplicant/trunk (4 files)

Jan Steffens heftig at archlinux.org
Wed Jan 22 22:55:45 UTC 2020


    Date: Wednesday, January 22, 2020 @ 22:55:45
  Author: heftig
Revision: 373806

improve units and avoid breakage from increased TLS version

Added:
  wpa_supplicant/trunk/CVE-2019-16275.patch
  wpa_supplicant/trunk/systemd.patch
  wpa_supplicant/trunk/tls.patch
Modified:
  wpa_supplicant/trunk/PKGBUILD

----------------------+
 CVE-2019-16275.patch |   73 +++++++++++++++++++++++++++++++++++++++++++++++++
 PKGBUILD             |    9 ++++--
 systemd.patch        |   29 +++++++++++++++++++
 tls.patch            |   26 +++++++++++++++++
 4 files changed, 135 insertions(+), 2 deletions(-)

Added: CVE-2019-16275.patch
===================================================================
--- CVE-2019-16275.patch	                        (rev 0)
+++ CVE-2019-16275.patch	2020-01-22 22:55:45 UTC (rev 373806)
@@ -0,0 +1,73 @@
+From 8c07fa9eda13e835f3f968b2e1c9a8be3a851ff9 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j at w1.fi>
+Date: Thu, 29 Aug 2019 11:52:04 +0300
+Subject: [PATCH] AP: Silently ignore management frame from unexpected source
+ address
+
+Do not process any received Management frames with unexpected/invalid SA
+so that we do not add any state for unexpected STA addresses or end up
+sending out frames to unexpected destination. This prevents unexpected
+sequences where an unprotected frame might end up causing the AP to send
+out a response to another device and that other device processing the
+unexpected response.
+
+In particular, this prevents some potential denial of service cases
+where the unexpected response frame from the AP might result in a
+connected station dropping its association.
+
+Signed-off-by: Jouni Malinen <j at w1.fi>
+---
+ src/ap/drv_callbacks.c | 13 +++++++++++++
+ src/ap/ieee802_11.c    | 12 ++++++++++++
+ 2 files changed, 25 insertions(+)
+
+diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c
+index 31587685fe3b..34ca379edc3d 100644
+--- a/src/ap/drv_callbacks.c
++++ b/src/ap/drv_callbacks.c
+@@ -131,6 +131,19 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr,
+ 			   "hostapd_notif_assoc: Skip event with no address");
+ 		return -1;
+ 	}
++
++	if (is_multicast_ether_addr(addr) ||
++	    is_zero_ether_addr(addr) ||
++	    os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) {
++		/* Do not process any frames with unexpected/invalid SA so that
++		 * we do not add any state for unexpected STA addresses or end
++		 * up sending out frames to unexpected destination. */
++		wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR
++			   " in received indication - ignore this indication silently",
++			   __func__, MAC2STR(addr));
++		return 0;
++	}
++
+ 	random_add_randomness(addr, ETH_ALEN);
+ 
+ 	hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211,
+diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
+index c85a28db44b7..e7065372e158 100644
+--- a/src/ap/ieee802_11.c
++++ b/src/ap/ieee802_11.c
+@@ -4626,6 +4626,18 @@ int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
+ 	fc = le_to_host16(mgmt->frame_control);
+ 	stype = WLAN_FC_GET_STYPE(fc);
+ 
++	if (is_multicast_ether_addr(mgmt->sa) ||
++	    is_zero_ether_addr(mgmt->sa) ||
++	    os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
++		/* Do not process any frames with unexpected/invalid SA so that
++		 * we do not add any state for unexpected STA addresses or end
++		 * up sending out frames to unexpected destination. */
++		wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR
++			   " in received frame - ignore this frame silently",
++			   MAC2STR(mgmt->sa));
++		return 0;
++	}
++
+ 	if (stype == WLAN_FC_STYPE_BEACON) {
+ 		handle_beacon(hapd, mgmt, len, fi);
+ 		return 1;
+-- 
+2.20.1
+
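Review bot: The commit message does not mention that this change also ships the backport of upstream commit 8c07fa9eda13 for CVE-2019-16275, so the security fix is invisible in the package history; the log line should name it, e.g. `Add upstream fix for CVE-2019-16275 (AP: ignore Management frames from invalid SA)`. The patch is the upstream commit applied verbatim, so its two guards are not re-reviewed here beyond one observation: the new early return in hostapd_notif_assoc yields 0 where the adjacent no-address guard returns -1, which matches the "ignore silently" intent in the upstream description but is worth knowing if the package ever rebases this patch. Whether prepare() actually applies the file is decided in the PKGBUILD section, outside this hunk.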

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2020-01-22 22:30:13 UTC (rev 373805)
+++ PKGBUILD	2020-01-22 22:55:45 UTC (rev 373806)
@@ -12,11 +12,16 @@
 depends=(openssl libdbus readline libnl)
 install=wpa_supplicant.install
 source=(https://w1.fi/releases/${pkgname}-${pkgver}.tar.gz{,.asc}
-        config
-)
+        CVE-2019-16275.patch
+        tls.patch     # More permissive TLS fallback
+        systemd.patch # Unit improvements from Ubuntu
+        config)
 validpgpkeys=('EC4AA0A991A5F2464582D52D2B6EF432EFC895FA') # Jouni Malinen
 sha256sums=('fcbdee7b4a64bea8177973299c8c824419c413ec2e3a95db63dd6a5dc3541f17'
             'SKIP'
+            'bf91a135e717265969f1ab0319297c9d2e6f695928a17e3b3fa5accc8ef7b297'
+            '449c7dad67b246b5b93e796f57c2f90c5c32cfc5b16f7aa4f17802dc260d3414'
+            'dd14f99618bb4db40eadfaf4ced29d6139ccf319429a1eef54c2c08c80924742'
             'c7a2405487d1bfc2fceccd52268992bc79d85d91c3e8069b1432f751e3e307a9')
 
 prepare() {
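Review bot: The three new `source=` entries are checksummed, but the `prepare()` body that must apply them starts at this hunk's last line and runs outside it, so confirm each patch is applied there with the right strip level (the upstream git patch uses `a/`, `b/` prefixes and the two `diff -u -r` patches carry one leading `wpa_supplicant-2.9/` component, so presumably `-Np1` for all three). The inline comment `# More permissive TLS fallback` understates what tls.patch does: it lowers the OpenSSL minimum protocol version to TLS 1.0 for every client TLS context at init rather than falling back on a failed handshake; `tls.patch     # Lower minimum TLS version to 1.0 for legacy EAP servers; disable session tickets` would tell a reader what posture the package ships. Only the release tarball is covered by `validpgpkeys`; the three local patches are pinned by sha256 alone, which is adequate as long as they stay in the package's own repository.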

Added: systemd.patch
===================================================================
--- systemd.patch	                        (rev 0)
+++ systemd.patch	2020-01-22 22:55:45 UTC (rev 373806)
@@ -0,0 +1,29 @@
+diff -u -r wpa_supplicant-2.9/wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in wpa_supplicant-2.9-systemd/wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in
+--- wpa_supplicant-2.9/wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in	2019-08-07 13:25:25.000000000 +0000
++++ wpa_supplicant-2.9-systemd/wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in	2020-01-22 22:46:14.676497087 +0000
+@@ -1,5 +1,5 @@
+ [D-BUS Service]
+ Name=fi.w1.wpa_supplicant1
+-Exec=@BINDIR@/wpa_supplicant -u
++Exec=@BINDIR@/wpa_supplicant -u -s -O /run/wpa_supplicant
+ User=root
+ SystemdService=wpa_supplicant.service
+diff -u -r wpa_supplicant-2.9/wpa_supplicant/systemd/wpa_supplicant.service.in wpa_supplicant-2.9-systemd/wpa_supplicant/systemd/wpa_supplicant.service.in
+--- wpa_supplicant-2.9/wpa_supplicant/systemd/wpa_supplicant.service.in	2019-08-07 13:25:25.000000000 +0000
++++ wpa_supplicant-2.9-systemd/wpa_supplicant/systemd/wpa_supplicant.service.in	2020-01-22 22:47:53.561183663 +0000
+@@ -1,12 +1,14 @@
+ [Unit]
+ Description=WPA supplicant
+ Before=network.target
++After=dbus.service
+ Wants=network.target
++IgnoreOnIsolate=true
+ 
+ [Service]
+ Type=dbus
+ BusName=fi.w1.wpa_supplicant1
+-ExecStart=@BINDIR@/wpa_supplicant -u
++ExecStart=@BINDIR@/wpa_supplicant -u -s -O /run/wpa_supplicant
+ 
+ [Install]
+ WantedBy=multi-user.target
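Review bot: `-O /run/wpa_supplicant` on both Exec lines overrides the control-interface directory for every interface, and since the `-O` help text describes it as overriding the `ctrl_interface` parameter, any `GROUP=` a user set in their config to grant wpa_cli access to non-root users may be dropped, leaving the socket directory root-only; please verify this against the 2.9 source and, if confirmed, mention it in the package notes. `After=dbus.service` is redundant with `Type=dbus`, which already orders the unit after dbus.socket, so either drop it or keep it with `# carried from Ubuntu; Type=dbus already implies After=dbus.socket`. The added `-s` flag also redirects wpa_supplicant's log output to syslog instead of stdout, a behaviour change a packaging update should call out in the commit message.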

Added: tls.patch
===================================================================
--- tls.patch	                        (rev 0)
+++ tls.patch	2020-01-22 22:55:45 UTC (rev 373806)
@@ -0,0 +1,26 @@
+diff -u -r wpa_supplicant-2.9/src/crypto/tls_openssl.c wpa_supplicant-2.9-tls/src/crypto/tls_openssl.c
+--- wpa_supplicant-2.9/src/crypto/tls_openssl.c	2019-08-07 13:25:25.000000000 +0000
++++ wpa_supplicant-2.9-tls/src/crypto/tls_openssl.c	2020-01-22 22:49:12.575598357 +0000
+@@ -1035,6 +1035,13 @@
+ 		os_free(data);
+ 		return NULL;
+ 	}
++
++#ifndef EAP_SERVER_TLS
++	/* Enable TLSv1.0 by default to allow connecting to legacy
++	 * networks since Debian OpenSSL is set to minimum TLSv1.2 and SECLEVEL=2. */
++	SSL_CTX_set_min_proto_version(ssl, TLS1_VERSION);
++#endif
++
+ 	data->ssl = ssl;
+ 	if (conf) {
+ 		data->tls_session_lifetime = conf->tls_session_lifetime;
+@@ -1577,6 +1584,7 @@
+ #ifdef SSL_OP_NO_COMPRESSION
+ 	options |= SSL_OP_NO_COMPRESSION;
+ #endif /* SSL_OP_NO_COMPRESSION */
++	options |= SSL_OP_NO_TICKET;
+ 	SSL_set_options(conn->ssl, options);
+ #ifdef SSL_OP_ENABLE_MIDDLEBOX_COMPAT
+ 	/* Hopefully there is no need for middlebox compatibility mechanisms
+Only in wpa_supplicant-2.9-tls/src/crypto: tls_openssl.c.orig
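Review bot: `SSL_CTX_set_min_proto_version(ssl, TLS1_VERSION)` in the first hunk lowers the protocol floor to TLS 1.0 for every client context at init, unconditionally, so this is a global downgrade of the system OpenSSL policy rather than a fallback, and a legacy RADIUS server is accepted at TLS 1.0 on every EAP-TLS/TTLS/PEAP network unless that network sets `phase1="tls_disable_tlsv1_0=1"`. The justification comment is copied from Debian (`since Debian OpenSSL is set to minimum TLSv1.2 and SECLEVEL=2`) and does not describe this package; replace it with the actual Arch rationale, e.g. `/* Arch: allow TLS 1.0 so EAP networks with legacy RADIUS servers keep working after the OpenSSL minimum-version bump; users can re-raise the floor per network with tls_disable_tlsv1_0=1. */`. The unconditional `options |= SSL_OP_NO_TICKET;` in the second hunk is not explained at all; if the per-connection flag handling elsewhere in tls_openssl.c later sets or clears SSL_OP_NO_TICKET from TLS_CONN_DISABLE_SESSION_TICKET (not visible here), this line is either a no-op or silently disables the session tickets that EAP-FAST PAC provisioning relies on, so it needs a comment stating which was intended. The trailing `Only in wpa_supplicant-2.9-tls/src/crypto: tls_openssl.c.orig` line is a leftover from running diff -r against a tree that still held a .orig file and should be dropped from the patch.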


