Date: Wednesday, January 22, 2020 @ 22:55:45 Author: heftig Revision: 373806
improve units and avoid breakage from increases TLS version Added: wpa_supplicant/trunk/CVE-2019-16275.patch wpa_supplicant/trunk/systemd.patch wpa_supplicant/trunk/tls.patch Modified: wpa_supplicant/trunk/PKGBUILD ----------------------+ CVE-2019-16275.patch | 73 +++++++++++++++++++++++++++++++++++++++++++++++++ PKGBUILD | 9 ++++-- systemd.patch | 29 +++++++++++++++++++ tls.patch | 26 +++++++++++++++++ 4 files changed, 135 insertions(+), 2 deletions(-)
Added: CVE-2019-16275.patch
===================================================================
--- CVE-2019-16275.patch (rev 0)
+++ CVE-2019-16275.patch 2020-01-22 22:55:45 UTC (rev 373806)
@@ -0,0 +1,73 @@
+From 8c07fa9eda13e835f3f968b2e1c9a8be3a851ff9 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j...@w1.fi>
+Date: Thu, 29 Aug 2019 11:52:04 +0300
+Subject: [PATCH] AP: Silently ignore management frame from unexpected source
+ address
+
+Do not process any received Management frames with unexpected/invalid SA
+so that we do not add any state for unexpected STA addresses or end up
+sending out frames to unexpected destination. This prevents unexpected
+sequences where an unprotected frame might end up causing the AP to send
+out a response to another device and that other device processing the
+unexpected response.
+
+In particular, this prevents some potential denial of service cases
+where the unexpected response frame from the AP might result in a
+connected station dropping its association.
+
+Signed-off-by: Jouni Malinen <j...@w1.fi>
+---
+ src/ap/drv_callbacks.c | 13 +++++++++++++
+ src/ap/ieee802_11.c | 12 ++++++++++++
+ 2 files changed, 25 insertions(+)
+
+diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c
+index 31587685fe3b..34ca379edc3d 100644
+--- a/src/ap/drv_callbacks.c
++++ b/src/ap/drv_callbacks.c
+@@ -131,6 +131,19 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr,
+ "hostapd_notif_assoc: Skip event with no address");
+ return -1;
+ }
++
++ if (is_multicast_ether_addr(addr) ||
++ is_zero_ether_addr(addr) ||
++ os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) {
++ /* Do not process any frames with unexpected/invalid SA so that
++ * we do not add any state for unexpected STA addresses or end
++ * up sending out frames to unexpected destination. */
++ wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR
++ " in received indication - ignore this indication silently",
++ __func__, MAC2STR(addr));
++ return 0;
++ }
++
+ random_add_randomness(addr, ETH_ALEN);
+
+ hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211,
+diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
+index c85a28db44b7..e7065372e158 100644
+--- a/src/ap/ieee802_11.c
++++ b/src/ap/ieee802_11.c
+@@ -4626,6 +4626,18 @@ int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
+ fc = le_to_host16(mgmt->frame_control);
+ stype = WLAN_FC_GET_STYPE(fc);
+
++ if (is_multicast_ether_addr(mgmt->sa) ||
++ is_zero_ether_addr(mgmt->sa) ||
++ os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
++ /* Do not process any frames with unexpected/invalid SA so that
++ * we do not add any state for unexpected STA addresses or end
++ * up sending out frames to unexpected destination. */
++ wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR
++ " in received frame - ignore this frame silently",
++ MAC2STR(mgmt->sa));
++ return 0;
++ }
++
+ if (stype == WLAN_FC_STYPE_BEACON) {
+ handle_beacon(hapd, mgmt, len, fi);
+ return 1;
+--
+2.20.1
+
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2020-01-22 22:30:13 UTC (rev 373805)
+++ PKGBUILD 2020-01-22 22:55:45 UTC (rev 373806)
@@ -12,11 +12,16 @@
 depends=(openssl libdbus readline libnl)
 install=wpa_supplicant.install
 source=(https://w1.fi/releases/${pkgname}-${pkgver}.tar.gz{,.asc}
- config
-)
+ CVE-2019-16275.patch
+ tls.patch # More permissive TLS fallback
+ systemd.patch # Unit improvements from Ubuntu
+ config)
 validpgpkeys=('EC4AA0A991A5F2464582D52D2B6EF432EFC895FA') # Jouni Malinen
 sha256sums=('fcbdee7b4a64bea8177973299c8c824419c413ec2e3a95db63dd6a5dc3541f17'
 'SKIP'
+ 'bf91a135e717265969f1ab0319297c9d2e6f695928a17e3b3fa5accc8ef7b297'
+ '449c7dad67b246b5b93e796f57c2f90c5c32cfc5b16f7aa4f17802dc260d3414'
+ 'dd14f99618bb4db40eadfaf4ced29d6139ccf319429a1eef54c2c08c80924742'
 'c7a2405487d1bfc2fceccd52268992bc79d85d91c3e8069b1432f751e3e307a9')
 prepare() {
Added: systemd.patch
===================================================================
--- systemd.patch (rev 0)
+++ systemd.patch 2020-01-22 22:55:45 UTC (rev 373806)
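Review bot: Nothing in this hunk, and nothing else in the PKGBUILD, applies the three new patches: the diffstat's `9 ++++--` for PKGBUILD is exactly the seven added and two removed lines shown here, and `prepare()` only begins on the last line, with its body outside the hunk. If that body already loops over the `*.patch` entries of `source` the change is complete, but if it still only copies `config`, the new files are fetched and checksummed yet never applied, and the fix needs one `patch -Np1 -i "$srcdir/CVE-2019-16275.patch"` (plus the same for `tls.patch` and `systemd.patch`) there. Either way the CVE entry deserves a provenance comment like the other two have, e.g. `CVE-2019-16275.patch # upstream commit 8c07fa9e: ignore AP mgmt frames with invalid SA`. No pkgrel bump is visible in this commit; presumably it comes with the release commit.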
@@ -0,0 +1,29 @@
+diff -u -r wpa_supplicant-2.9/wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in wpa_supplicant-2.9-systemd/wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in
+--- wpa_supplicant-2.9/wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in 2019-08-07 13:25:25.000000000 +0000
++++ wpa_supplicant-2.9-systemd/wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in 2020-01-22 22:46:14.676497087 +0000
+@@ -1,5 +1,5 @@
+ [D-BUS Service]
+ Name=fi.w1.wpa_supplicant1
+-Exec=@BINDIR@/wpa_supplicant -u
++Exec=@BINDIR@/wpa_supplicant -u -s -O /run/wpa_supplicant
+ User=root
+ SystemdService=wpa_supplicant.service
+diff -u -r wpa_supplicant-2.9/wpa_supplicant/systemd/wpa_supplicant.service.in wpa_supplicant-2.9-systemd/wpa_supplicant/systemd/wpa_supplicant.service.in
+--- wpa_supplicant-2.9/wpa_supplicant/systemd/wpa_supplicant.service.in 2019-08-07 13:25:25.000000000 +0000
++++ wpa_supplicant-2.9-systemd/wpa_supplicant/systemd/wpa_supplicant.service.in 2020-01-22 22:47:53.561183663 +0000
+@@ -1,12 +1,14 @@
+ [Unit]
+ Description=WPA supplicant
+ Before=network.target
++After=dbus.service
+ Wants=network.target
++IgnoreOnIsolate=true
+
+ [Service]
+ Type=dbus
+ BusName=fi.w1.wpa_supplicant1
+-ExecStart=@BINDIR@/wpa_supplicant -u
++ExecStart=@BINDIR@/wpa_supplicant -u -s -O /run/wpa_supplicant
+
+ [Install]
+ WantedBy=multi-user.target
Added: tls.patch
===================================================================
--- tls.patch (rev 0)
+++ tls.patch 2020-01-22 22:55:45 UTC (rev 373806)
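Review bot: `-O /run/wpa_supplicant` on both `Exec=` lines overrides the `ctrl_interface=` of any configuration file an interface is later given, and because no `GROUP=` is attached, the control sockets created there are presumably usable by root only — so a user who relied on a config-file `ctrl_interface=DIR=/run/wpa_supplicant GROUP=wheel` to run `wpa_cli` unprivileged would lose that with this unit (inferred from `-O`'s documented semantics; verify against the 2.9 binary). If that is the intent, say so where the next maintainer will look: a `# -O forces all control sockets under /run/wpa_supplicant (root-only unless GROUP= is given)` comment above `ExecStart=`. `After=dbus.service` on a `Type=dbus` unit is redundant with the ordering systemd already adds on dbus.socket; harmless, but it can be dropped.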
@@ -0,0 +1,26 @@
+diff -u -r wpa_supplicant-2.9/src/crypto/tls_openssl.c wpa_supplicant-2.9-tls/src/crypto/tls_openssl.c
+--- wpa_supplicant-2.9/src/crypto/tls_openssl.c 2019-08-07 13:25:25.000000000 +0000
++++ wpa_supplicant-2.9-tls/src/crypto/tls_openssl.c 2020-01-22 22:49:12.575598357 +0000
+@@ -1035,6 +1035,13 @@
+ os_free(data);
+ return NULL;
+ }
++
++#ifndef EAP_SERVER_TLS
++ /* Enable TLSv1.0 by default to allow connecting to legacy
++ * networks since Debian OpenSSL is set to minimum TLSv1.2 and SECLEVEL=2. */
++ SSL_CTX_set_min_proto_version(ssl, TLS1_VERSION);
++#endif
++
+ data->ssl = ssl;
+ if (conf) {
+ data->tls_session_lifetime = conf->tls_session_lifetime;
+@@ -1577,6 +1584,7 @@
+ #ifdef SSL_OP_NO_COMPRESSION
+ options |= SSL_OP_NO_COMPRESSION;
+ #endif /* SSL_OP_NO_COMPRESSION */
++ options |= SSL_OP_NO_TICKET;
+ SSL_set_options(conn->ssl, options);
+ #ifdef SSL_OP_ENABLE_MIDDLEBOX_COMPAT
+ /* Hopefully there is no need for middlebox compatibility mechanisms
+Only in wpa_supplicant-2.9-tls/src/crypto: tls_openssl.c.orig
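Review bot: `SSL_CTX_set_min_proto_version(ssl, TLS1_VERSION)` pins the protocol floor to TLS 1.0 for every EAP peer connection created from this context, overriding whatever minimum the system openssl.cnf requests, and the only justification is a comment about Debian's OpenSSL defaults (`since Debian OpenSSL is set to minimum TLSv1.2 and SECLEVEL=2`) that does not describe this package. Reword it to give the local rationale and the opt-out, e.g. `/* Allow TLSv1.0 by default so EAP-TLS/PEAP/TTLS against legacy RADIUS servers keeps working; per-network phase1="tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1" restores a TLS 1.2 floor. */`, and mirror that in the PKGBUILD's `tls.patch` comment so the downgrade is visible to users. The unconditional `options |= SSL_OP_NO_TICKET;` in the second hunk has no comment at all; state which servers it works around, and check that `tls_set_conn_flags()` (outside the hunk) does not later clear `SSL_OP_NO_TICKET` when `TLS_CONN_DISABLE_SESSION_TICKET` is unset, which would make this line a no-op for EAP connections. Both enclosing functions start and end outside the hunk.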