[arch-commits] Commit in wpa_supplicant/repos (7 files)
Jan Steffens
heftig at archlinux.org
Fri Jan 24 20:43:26 UTC 2020
Date: Friday, January 24, 2020 @ 20:43:25
Author: heftig
Revision: 373885
archrelease: copy trunk to testing-x86_64
Added:
wpa_supplicant/repos/testing-x86_64/
wpa_supplicant/repos/testing-x86_64/CVE-2019-16275.patch
(from rev 373884, wpa_supplicant/trunk/CVE-2019-16275.patch)
wpa_supplicant/repos/testing-x86_64/PKGBUILD
(from rev 373884, wpa_supplicant/trunk/PKGBUILD)
wpa_supplicant/repos/testing-x86_64/config
(from rev 373884, wpa_supplicant/trunk/config)
wpa_supplicant/repos/testing-x86_64/systemd.patch
(from rev 373884, wpa_supplicant/trunk/systemd.patch)
wpa_supplicant/repos/testing-x86_64/tls.patch
(from rev 373884, wpa_supplicant/trunk/tls.patch)
wpa_supplicant/repos/testing-x86_64/wpa_supplicant.install
(from rev 373884, wpa_supplicant/trunk/wpa_supplicant.install)
------------------------+
CVE-2019-16275.patch | 73 ++++++++++++++++++++++++++++++++++++++++++
PKGBUILD | 74 +++++++++++++++++++++++++++++++++++++++++++
config | 80 +++++++++++++++++++++++++++++++++++++++++++++++
systemd.patch | 29 +++++++++++++++++
tls.patch | 26 +++++++++++++++
wpa_supplicant.install | 7 ++++
6 files changed, 289 insertions(+)
Copied: wpa_supplicant/repos/testing-x86_64/CVE-2019-16275.patch (from rev 373884, wpa_supplicant/trunk/CVE-2019-16275.patch)
===================================================================
--- testing-x86_64/CVE-2019-16275.patch (rev 0)
+++ testing-x86_64/CVE-2019-16275.patch 2020-01-24 20:43:25 UTC (rev 373885)
@@ -0,0 +1,73 @@
+From 8c07fa9eda13e835f3f968b2e1c9a8be3a851ff9 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j at w1.fi>
+Date: Thu, 29 Aug 2019 11:52:04 +0300
+Subject: [PATCH] AP: Silently ignore management frame from unexpected source
+ address
+
+Do not process any received Management frames with unexpected/invalid SA
+so that we do not add any state for unexpected STA addresses or end up
+sending out frames to unexpected destination. This prevents unexpected
+sequences where an unprotected frame might end up causing the AP to send
+out a response to another device and that other device processing the
+unexpected response.
+
+In particular, this prevents some potential denial of service cases
+where the unexpected response frame from the AP might result in a
+connected station dropping its association.
+
+Signed-off-by: Jouni Malinen <j at w1.fi>
+---
+ src/ap/drv_callbacks.c | 13 +++++++++++++
+ src/ap/ieee802_11.c | 12 ++++++++++++
+ 2 files changed, 25 insertions(+)
+
+diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c
+index 31587685fe3b..34ca379edc3d 100644
+--- a/src/ap/drv_callbacks.c
++++ b/src/ap/drv_callbacks.c
+@@ -131,6 +131,19 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr,
+ "hostapd_notif_assoc: Skip event with no address");
+ return -1;
+ }
++
++ if (is_multicast_ether_addr(addr) ||
++ is_zero_ether_addr(addr) ||
++ os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) {
++ /* Do not process any frames with unexpected/invalid SA so that
++ * we do not add any state for unexpected STA addresses or end
++ * up sending out frames to unexpected destination. */
++ wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR
++ " in received indication - ignore this indication silently",
++ __func__, MAC2STR(addr));
++ return 0;
++ }
++
+ random_add_randomness(addr, ETH_ALEN);
+
+ hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211,
+diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
+index c85a28db44b7..e7065372e158 100644
+--- a/src/ap/ieee802_11.c
++++ b/src/ap/ieee802_11.c
+@@ -4626,6 +4626,18 @@ int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
+ fc = le_to_host16(mgmt->frame_control);
+ stype = WLAN_FC_GET_STYPE(fc);
+
++ if (is_multicast_ether_addr(mgmt->sa) ||
++ is_zero_ether_addr(mgmt->sa) ||
++ os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
++ /* Do not process any frames with unexpected/invalid SA so that
++ * we do not add any state for unexpected STA addresses or end
++ * up sending out frames to unexpected destination. */
++ wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR
++ " in received frame - ignore this frame silently",
++ MAC2STR(mgmt->sa));
++ return 0;
++ }
++
+ if (stype == WLAN_FC_STYPE_BEACON) {
+ handle_beacon(hapd, mgmt, len, fi);
+ return 1;
+--
+2.20.1
+
Copied: wpa_supplicant/repos/testing-x86_64/PKGBUILD (from rev 373884, wpa_supplicant/trunk/PKGBUILD)
===================================================================
--- testing-x86_64/PKGBUILD (rev 0)
+++ testing-x86_64/PKGBUILD 2020-01-24 20:43:25 UTC (rev 373885)
@@ -0,0 +1,74 @@
+# Maintainer: Bartłomiej Piotrowski <bpiotrowski at archlinux.org>
+# Contributor: Thomas Bächler <thomas at archlinux.org>
+
+pkgname=wpa_supplicant
+pkgver=2.9
+pkgrel=5
+epoch=2
+pkgdesc='A utility providing key negotiation for WPA wireless networks'
+url='http://hostap.epitest.fi/wpa_supplicant'
+arch=(x86_64)
+license=(GPL)
+depends=(openssl libdbus readline libnl)
+install=wpa_supplicant.install
+source=(https://w1.fi/releases/${pkgname}-${pkgver}.tar.gz{,.asc}
+ CVE-2019-16275.patch
+ tls.patch # More permissive TLS fallback
+ systemd.patch # Unit improvements from Ubuntu
+ config)
+validpgpkeys=('EC4AA0A991A5F2464582D52D2B6EF432EFC895FA') # Jouni Malinen
+sha256sums=('fcbdee7b4a64bea8177973299c8c824419c413ec2e3a95db63dd6a5dc3541f17'
+ 'SKIP'
+ 'bf91a135e717265969f1ab0319297c9d2e6f695928a17e3b3fa5accc8ef7b297'
+ '449c7dad67b246b5b93e796f57c2f90c5c32cfc5b16f7aa4f17802dc260d3414'
+ 'dd14f99618bb4db40eadfaf4ced29d6139ccf319429a1eef54c2c08c80924742'
+ '6f71a04875465178992e78216603d3c4735ee717a31738a6e30702c7a81c6c4e')
+
+prepare() {
+ cd "$srcdir/$pkgname-$pkgver"
+ local i; for i in "${source[@]}"; do
+ case $i in
+ *.patch)
+ echo "Applying patch $i"
+ patch -p1 -i "$srcdir/$i"
+ ;;
+ esac
+ done
+
+ cd "$srcdir/$pkgname-$pkgver/$pkgname"
+ cp "$srcdir/config" ./.config
+}
+
+build() {
+ cd "$srcdir/$pkgname-$pkgver/$pkgname"
+
+ make LIBDIR=/usr/lib BINDIR=/usr/bin
+ make LIBDIR=/usr/lib BINDIR=/usr/bin eapol_test
+}
+
+package() {
+ cd "$srcdir/$pkgname-$pkgver/$pkgname"
+ make LIBDIR=/usr/lib BINDIR=/usr/bin DESTDIR="$pkgdir" install
+ install -Dm755 eapol_test "$pkgdir/usr/bin/eapol_test"
+
+ install -d -m755 "$pkgdir/etc/wpa_supplicant"
+ install -Dm644 wpa_supplicant.conf \
+ "$pkgdir/usr/share/doc/wpa_supplicant/wpa_supplicant.conf"
+
+
+install -d -m755 "$pkgdir"/usr/share/dbus-1/{system.d,system-services}
+install -m644 \
+dbus/fi.w1.wpa_supplicant1.service \
+"$pkgdir/usr/share/dbus-1/system-services/"
+
+ install -Dm644 dbus/dbus-wpa_supplicant.conf \
+"$pkgdir/usr/share/dbus-1/system.d/wpa_supplicant.conf"
+
+ install -d -m755 "$pkgdir/usr/share/man/man"{5,8}
+ install -m644 doc/docbook/*.5 "$pkgdir/usr/share/man/man5/"
+ install -m644 doc/docbook/*.8 "$pkgdir/usr/share/man/man8/"
+ rm -f "$pkgdir/usr/share/man/man8/wpa_"{priv,gui}.8
+
+ install -d -m755 "$pkgdir/usr/lib/systemd/system"
+ install -m644 systemd/*.service "$pkgdir/usr/lib/systemd/system/"
+}
Copied: wpa_supplicant/repos/testing-x86_64/config (from rev 373884, wpa_supplicant/trunk/config)
===================================================================
--- testing-x86_64/config (rev 0)
+++ testing-x86_64/config 2020-01-24 20:43:25 UTC (rev 373885)
@@ -0,0 +1,80 @@
+CONFIG_ACS=y
+CONFIG_AP=y
+CONFIG_AUTOSCAN_EXPONENTIAL=y
+CONFIG_AUTOSCAN_PERIODIC=y
+CONFIG_BACKEND=file
+CONFIG_BGSCAN_LEARN=y
+CONFIG_BGSCAN_SIMPLE=y
+CONFIG_CTRL_IFACE=y
+CONFIG_CTRL_IFACE_DBUS_INTRO=y
+CONFIG_CTRL_IFACE_DBUS_NEW=y
+CONFIG_DEBUG_FILE=y
+CONFIG_DEBUG_LINUX_TRACING=y
+CONFIG_DEBUG_SYSLOG=y
+CONFIG_DEBUG_SYSLOG_FACILITY=LOG_DAEMON
+CONFIG_DELAYED_MIC_ERROR_REPORT=y
+CONFIG_DPP=y
+CONFIG_DRIVER_MACSEC_LINUX=y
+CONFIG_DRIVER_NL80211=y
+CONFIG_DRIVER_NL80211_QCA=y
+CONFIG_DRIVER_NONE=y
+CONFIG_DRIVER_WEXT=y
+CONFIG_DRIVER_WIRED=y
+CONFIG_EAP_AKA=y
+CONFIG_EAP_AKA_PRIME=y
+CONFIG_EAP_EKE=y
+CONFIG_EAP_FAST=y
+CONFIG_EAP_GPSK=y
+CONFIG_EAP_GPSK_SHA256=y
+CONFIG_EAP_GTC=y
+CONFIG_EAP_IKEV2=y
+CONFIG_EAP_LEAP=y
+CONFIG_EAP_MD5=y
+CONFIG_EAP_MSCHAPV2=y
+CONFIG_EAP_OTP=y
+CONFIG_EAP_PAX=y
+CONFIG_EAP_PEAP=y
+CONFIG_EAP_PSK=y
+CONFIG_EAP_PWD=y
+CONFIG_EAP_SAKE=y
+CONFIG_EAP_SIM=y
+CONFIG_EAP_TLS=y
+CONFIG_EAP_TNC=y
+CONFIG_EAP_TTLS=y
+CONFIG_ELOOP=eloop
+CONFIG_FST=y
+CONFIG_GETRANDOM=y
+CONFIG_HS20=y
+CONFIG_HT_OVERRIDES=y
+CONFIG_IBSS_RSN=y
+CONFIG_IEEE80211AC=y
+CONFIG_IEEE80211N=y
+CONFIG_IEEE80211R=y
+CONFIG_IEEE80211W=y
+CONFIG_IEEE8021X_EAPOL=y
+CONFIG_INTERWORKING=y
+CONFIG_IPV6=y
+CONFIG_L2_PACKET=linux
+CONFIG_LIBNL32=y
+CONFIG_MACSEC=y
+CONFIG_MAIN=main
+CONFIG_NO_RANDOM_POOL=y
+CONFIG_OS=unix
+CONFIG_OWE=y
+CONFIG_P2P=y
+CONFIG_PKCS12=y
+CONFIG_PMKSA_CACHE_EXTERNAL=y
+CONFIG_READLINE=y
+CONFIG_SAE=y
+CONFIG_SMARTCARD=y
+CONFIG_TDLS=y
+CONFIG_TLS=openssl
+CONFIG_TLSV11=y
+CONFIG_TLSV12=y
+CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT at SECLEVEL=1"
+CONFIG_VHT_OVERRIDES=y
+CONFIG_WIFI_DISPLAY=y
+CONFIG_WPS=y
+CONFIG_WPS_ER=y
+CONFIG_WPS_NFC=y
+CONFIG_WPS_REG_DISABLE_OPEN=y
Copied: wpa_supplicant/repos/testing-x86_64/systemd.patch (from rev 373884, wpa_supplicant/trunk/systemd.patch)
===================================================================
--- testing-x86_64/systemd.patch (rev 0)
+++ testing-x86_64/systemd.patch 2020-01-24 20:43:25 UTC (rev 373885)
@@ -0,0 +1,29 @@
+diff -u -r wpa_supplicant-2.9/wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in wpa_supplicant-2.9-systemd/wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in
+--- wpa_supplicant-2.9/wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in 2019-08-07 13:25:25.000000000 +0000
++++ wpa_supplicant-2.9-systemd/wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in 2020-01-22 22:46:14.676497087 +0000
+@@ -1,5 +1,5 @@
+ [D-BUS Service]
+ Name=fi.w1.wpa_supplicant1
+-Exec=@BINDIR@/wpa_supplicant -u
++Exec=@BINDIR@/wpa_supplicant -u -s -O /run/wpa_supplicant
+ User=root
+ SystemdService=wpa_supplicant.service
+diff -u -r wpa_supplicant-2.9/wpa_supplicant/systemd/wpa_supplicant.service.in wpa_supplicant-2.9-systemd/wpa_supplicant/systemd/wpa_supplicant.service.in
+--- wpa_supplicant-2.9/wpa_supplicant/systemd/wpa_supplicant.service.in 2019-08-07 13:25:25.000000000 +0000
++++ wpa_supplicant-2.9-systemd/wpa_supplicant/systemd/wpa_supplicant.service.in 2020-01-22 22:47:53.561183663 +0000
+@@ -1,12 +1,14 @@
+ [Unit]
+ Description=WPA supplicant
+ Before=network.target
++After=dbus.service
+ Wants=network.target
++IgnoreOnIsolate=true
+
+ [Service]
+ Type=dbus
+ BusName=fi.w1.wpa_supplicant1
+-ExecStart=@BINDIR@/wpa_supplicant -u
++ExecStart=@BINDIR@/wpa_supplicant -u -s -O /run/wpa_supplicant
+
+ [Install]
+ WantedBy=multi-user.target
Copied: wpa_supplicant/repos/testing-x86_64/tls.patch (from rev 373884, wpa_supplicant/trunk/tls.patch)
===================================================================
--- testing-x86_64/tls.patch (rev 0)
+++ testing-x86_64/tls.patch 2020-01-24 20:43:25 UTC (rev 373885)
@@ -0,0 +1,26 @@
+diff -u -r wpa_supplicant-2.9/src/crypto/tls_openssl.c wpa_supplicant-2.9-tls/src/crypto/tls_openssl.c
+--- wpa_supplicant-2.9/src/crypto/tls_openssl.c 2019-08-07 13:25:25.000000000 +0000
++++ wpa_supplicant-2.9-tls/src/crypto/tls_openssl.c 2020-01-22 22:49:12.575598357 +0000
+@@ -1035,6 +1035,13 @@
+ os_free(data);
+ return NULL;
+ }
++
++#ifndef EAP_SERVER_TLS
++ /* Enable TLSv1.0 by default to allow connecting to legacy
++ * networks since Debian OpenSSL is set to minimum TLSv1.2 and SECLEVEL=2. */
++ SSL_CTX_set_min_proto_version(ssl, TLS1_VERSION);
++#endif
++
+ data->ssl = ssl;
+ if (conf) {
+ data->tls_session_lifetime = conf->tls_session_lifetime;
+@@ -1577,6 +1584,7 @@
+ #ifdef SSL_OP_NO_COMPRESSION
+ options |= SSL_OP_NO_COMPRESSION;
+ #endif /* SSL_OP_NO_COMPRESSION */
++ options |= SSL_OP_NO_TICKET;
+ SSL_set_options(conn->ssl, options);
+ #ifdef SSL_OP_ENABLE_MIDDLEBOX_COMPAT
+ /* Hopefully there is no need for middlebox compatibility mechanisms
+Only in wpa_supplicant-2.9-tls/src/crypto: tls_openssl.c.orig
Copied: wpa_supplicant/repos/testing-x86_64/wpa_supplicant.install (from rev 373884, wpa_supplicant/trunk/wpa_supplicant.install)
===================================================================
--- testing-x86_64/wpa_supplicant.install (rev 0)
+++ testing-x86_64/wpa_supplicant.install 2020-01-24 20:43:25 UTC (rev 373885)
@@ -0,0 +1,7 @@
+post_upgrade() {
+ if [[ $(vercmp "$2" '1:2.6-3') -lt 0 ]]; then
+ echo ':: The /etc/wpa_supplicant/wpa_supplicant.conf is file no longer managed by pacman'
+ echo ' and if it was modified, it has been renamed to wpa_supplicant.conf.pacsave.'
+ echo ' Move it to the original location if needed.'
+ fi
+}
More information about the arch-commits
mailing list