[arch-commits] Commit in wpa_supplicant/trunk (4 files)
Jan Steffens
heftig at archlinux.org
Wed Jan 22 22:55:45 UTC 2020
Date: Wednesday, January 22, 2020 @ 22:55:45
Author: heftig
Revision: 373806
improve units and avoid breakage from increases TLS version
Added:
wpa_supplicant/trunk/CVE-2019-16275.patch
wpa_supplicant/trunk/systemd.patch
wpa_supplicant/trunk/tls.patch
Modified:
wpa_supplicant/trunk/PKGBUILD
----------------------+
CVE-2019-16275.patch | 73 +++++++++++++++++++++++++++++++++++++++++++++++++
PKGBUILD | 9 ++++--
systemd.patch | 29 +++++++++++++++++++
tls.patch | 26 +++++++++++++++++
4 files changed, 135 insertions(+), 2 deletions(-)
Added: CVE-2019-16275.patch
===================================================================
--- CVE-2019-16275.patch (rev 0)
+++ CVE-2019-16275.patch 2020-01-22 22:55:45 UTC (rev 373806)
@@ -0,0 +1,73 @@
+From 8c07fa9eda13e835f3f968b2e1c9a8be3a851ff9 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j at w1.fi>
+Date: Thu, 29 Aug 2019 11:52:04 +0300
+Subject: [PATCH] AP: Silently ignore management frame from unexpected source
+ address
+
+Do not process any received Management frames with unexpected/invalid SA
+so that we do not add any state for unexpected STA addresses or end up
+sending out frames to unexpected destination. This prevents unexpected
+sequences where an unprotected frame might end up causing the AP to send
+out a response to another device and that other device processing the
+unexpected response.
+
+In particular, this prevents some potential denial of service cases
+where the unexpected response frame from the AP might result in a
+connected station dropping its association.
+
+Signed-off-by: Jouni Malinen <j at w1.fi>
+---
+ src/ap/drv_callbacks.c | 13 +++++++++++++
+ src/ap/ieee802_11.c | 12 ++++++++++++
+ 2 files changed, 25 insertions(+)
+
+diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c
+index 31587685fe3b..34ca379edc3d 100644
+--- a/src/ap/drv_callbacks.c
++++ b/src/ap/drv_callbacks.c
+@@ -131,6 +131,19 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr,
+ "hostapd_notif_assoc: Skip event with no address");
+ return -1;
+ }
++
++ if (is_multicast_ether_addr(addr) ||
++ is_zero_ether_addr(addr) ||
++ os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) {
++ /* Do not process any frames with unexpected/invalid SA so that
++ * we do not add any state for unexpected STA addresses or end
++ * up sending out frames to unexpected destination. */
++ wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR
++ " in received indication - ignore this indication silently",
++ __func__, MAC2STR(addr));
++ return 0;
++ }
++
+ random_add_randomness(addr, ETH_ALEN);
+
+ hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211,
+diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
+index c85a28db44b7..e7065372e158 100644
+--- a/src/ap/ieee802_11.c
++++ b/src/ap/ieee802_11.c
+@@ -4626,6 +4626,18 @@ int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
+ fc = le_to_host16(mgmt->frame_control);
+ stype = WLAN_FC_GET_STYPE(fc);
+
++ if (is_multicast_ether_addr(mgmt->sa) ||
++ is_zero_ether_addr(mgmt->sa) ||
++ os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
++ /* Do not process any frames with unexpected/invalid SA so that
++ * we do not add any state for unexpected STA addresses or end
++ * up sending out frames to unexpected destination. */
++ wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR
++ " in received frame - ignore this frame silently",
++ MAC2STR(mgmt->sa));
++ return 0;
++ }
++
+ if (stype == WLAN_FC_STYPE_BEACON) {
+ handle_beacon(hapd, mgmt, len, fi);
+ return 1;
+--
+2.20.1
+
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2020-01-22 22:30:13 UTC (rev 373805)
+++ PKGBUILD 2020-01-22 22:55:45 UTC (rev 373806)
@@ -12,11 +12,16 @@
depends=(openssl libdbus readline libnl)
install=wpa_supplicant.install
source=(https://w1.fi/releases/${pkgname}-${pkgver}.tar.gz{,.asc}
- config
-)
+ CVE-2019-16275.patch
+ tls.patch # More permissive TLS fallback
+ systemd.patch # Unit improvements from Ubuntu
+ config)
validpgpkeys=('EC4AA0A991A5F2464582D52D2B6EF432EFC895FA') # Jouni Malinen
sha256sums=('fcbdee7b4a64bea8177973299c8c824419c413ec2e3a95db63dd6a5dc3541f17'
'SKIP'
+ 'bf91a135e717265969f1ab0319297c9d2e6f695928a17e3b3fa5accc8ef7b297'
+ '449c7dad67b246b5b93e796f57c2f90c5c32cfc5b16f7aa4f17802dc260d3414'
+ 'dd14f99618bb4db40eadfaf4ced29d6139ccf319429a1eef54c2c08c80924742'
'c7a2405487d1bfc2fceccd52268992bc79d85d91c3e8069b1432f751e3e307a9')
prepare() {
Added: systemd.patch
===================================================================
--- systemd.patch (rev 0)
+++ systemd.patch 2020-01-22 22:55:45 UTC (rev 373806)
@@ -0,0 +1,29 @@
+diff -u -r wpa_supplicant-2.9/wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in wpa_supplicant-2.9-systemd/wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in
+--- wpa_supplicant-2.9/wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in 2019-08-07 13:25:25.000000000 +0000
++++ wpa_supplicant-2.9-systemd/wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in 2020-01-22 22:46:14.676497087 +0000
+@@ -1,5 +1,5 @@
+ [D-BUS Service]
+ Name=fi.w1.wpa_supplicant1
+-Exec=@BINDIR@/wpa_supplicant -u
++Exec=@BINDIR@/wpa_supplicant -u -s -O /run/wpa_supplicant
+ User=root
+ SystemdService=wpa_supplicant.service
+diff -u -r wpa_supplicant-2.9/wpa_supplicant/systemd/wpa_supplicant.service.in wpa_supplicant-2.9-systemd/wpa_supplicant/systemd/wpa_supplicant.service.in
+--- wpa_supplicant-2.9/wpa_supplicant/systemd/wpa_supplicant.service.in 2019-08-07 13:25:25.000000000 +0000
++++ wpa_supplicant-2.9-systemd/wpa_supplicant/systemd/wpa_supplicant.service.in 2020-01-22 22:47:53.561183663 +0000
+@@ -1,12 +1,14 @@
+ [Unit]
+ Description=WPA supplicant
+ Before=network.target
++After=dbus.service
+ Wants=network.target
++IgnoreOnIsolate=true
+
+ [Service]
+ Type=dbus
+ BusName=fi.w1.wpa_supplicant1
+-ExecStart=@BINDIR@/wpa_supplicant -u
++ExecStart=@BINDIR@/wpa_supplicant -u -s -O /run/wpa_supplicant
+
+ [Install]
+ WantedBy=multi-user.target
Added: tls.patch
===================================================================
--- tls.patch (rev 0)
+++ tls.patch 2020-01-22 22:55:45 UTC (rev 373806)
@@ -0,0 +1,26 @@
+diff -u -r wpa_supplicant-2.9/src/crypto/tls_openssl.c wpa_supplicant-2.9-tls/src/crypto/tls_openssl.c
+--- wpa_supplicant-2.9/src/crypto/tls_openssl.c 2019-08-07 13:25:25.000000000 +0000
++++ wpa_supplicant-2.9-tls/src/crypto/tls_openssl.c 2020-01-22 22:49:12.575598357 +0000
+@@ -1035,6 +1035,13 @@
+ os_free(data);
+ return NULL;
+ }
++
++#ifndef EAP_SERVER_TLS
++ /* Enable TLSv1.0 by default to allow connecting to legacy
++ * networks since Debian OpenSSL is set to minimum TLSv1.2 and SECLEVEL=2. */
++ SSL_CTX_set_min_proto_version(ssl, TLS1_VERSION);
++#endif
++
+ data->ssl = ssl;
+ if (conf) {
+ data->tls_session_lifetime = conf->tls_session_lifetime;
+@@ -1577,6 +1584,7 @@
+ #ifdef SSL_OP_NO_COMPRESSION
+ options |= SSL_OP_NO_COMPRESSION;
+ #endif /* SSL_OP_NO_COMPRESSION */
++ options |= SSL_OP_NO_TICKET;
+ SSL_set_options(conn->ssl, options);
+ #ifdef SSL_OP_ENABLE_MIDDLEBOX_COMPAT
+ /* Hopefully there is no need for middlebox compatibility mechanisms
+Only in wpa_supplicant-2.9-tls/src/crypto: tls_openssl.c.orig
More information about the arch-commits
mailing list