Date: Friday, February 21, 2020 @ 00:30:22
Author: heftig
Revision: 375979
archrelease: copy trunk to testing-x86_64
Added:
wpa_supplicant/repos/testing-x86_64/
wpa_supplicant/repos/testing-x86_64/CVE-2019-16275.patch (from rev 375978, wpa_supplicant/trunk/CVE-2019-16275.patch)
wpa_supplicant/repos/testing-x86_64/PKGBUILD (from rev 375978, wpa_supplicant/trunk/PKGBUILD)
wpa_supplicant/repos/testing-x86_64/config (from rev 375978, wpa_supplicant/trunk/config)
wpa_supplicant/repos/testing-x86_64/roam-properties.patch (from rev 375978, wpa_supplicant/trunk/roam-properties.patch)
wpa_supplicant/repos/testing-x86_64/systemd.patch (from rev 375978, wpa_supplicant/trunk/systemd.patch)
wpa_supplicant/repos/testing-x86_64/tls.patch (from rev 375978, wpa_supplicant/trunk/tls.patch)
wpa_supplicant/repos/testing-x86_64/wpa_supplicant.install (from rev 375978, wpa_supplicant/trunk/wpa_supplicant.install)
------------------------+
CVE-2019-16275.patch | 73 ++++++++++++++++++++++++++++++++++++++
PKGBUILD | 78 +++++++++++++++++++++++++++++++++++++++++
config | 81 +++++++++++++++++++++++++++++++++++++++++++
roam-properties.patch | 88 +++++++++++++++++++++++++++++++++++++++++++++++
systemd.patch | 29 +++++++++++++++
tls.patch | 26 +++++++++++++
wpa_supplicant.install | 7 +++
7 files changed, 382 insertions(+)
Copied: wpa_supplicant/repos/testing-x86_64/CVE-2019-16275.patch (from rev 375978, wpa_supplicant/trunk/CVE-2019-16275.patch)
===================================================================
--- testing-x86_64/CVE-2019-16275.patch (rev 0)
+++ testing-x86_64/CVE-2019-16275.patch 2020-02-21 00:30:22 UTC (rev 375979)
@@ -0,0 +1,73 @@
+From 8c07fa9eda13e835f3f968b2e1c9a8be3a851ff9 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j...@w1.fi>
+Date: Thu, 29 Aug 2019 11:52:04 +0300
+Subject: [PATCH] AP: Silently ignore management frame from unexpected source
+ address
+
+Do not process any received Management frames with unexpected/invalid SA
+so that we do not add any state for unexpected STA addresses or end up
+sending out frames to unexpected destination. This prevents unexpected
+sequences where an unprotected frame might end up causing the AP to send
+out a response to another device and that other device processing the
+unexpected response.
+
+In particular, this prevents some potential denial of service cases
+where the unexpected response frame from the AP might result in a
+connected station dropping its association.
+
+Signed-off-by: Jouni Malinen <j...@w1.fi>
+---
+ src/ap/drv_callbacks.c | 13 +++++++++++++
+ src/ap/ieee802_11.c | 12 ++++++++++++
+ 2 files changed, 25 insertions(+)
+
+diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c
+index 31587685fe3b..34ca379edc3d 100644
+--- a/src/ap/drv_callbacks.c
++++ b/src/ap/drv_callbacks.c
+@@ -131,6 +131,19 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr,
+ "hostapd_notif_assoc: Skip event with no address");
+ return -1;
+ }
++
++ if (is_multicast_ether_addr(addr) ||
++ is_zero_ether_addr(addr) ||
++ os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) {
++ /* Do not process any frames with unexpected/invalid SA so that
++ * we do not add any state for unexpected STA addresses or end
++ * up sending out frames to unexpected destination. */
++ wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR
++ " in received indication - ignore this indication silently",
++ __func__, MAC2STR(addr));
++ return 0;
++ }
++
+ random_add_randomness(addr, ETH_ALEN);
+
+ hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211,
+diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
+index c85a28db44b7..e7065372e158 100644
+--- a/src/ap/ieee802_11.c
++++ b/src/ap/ieee802_11.c
+@@ -4626,6 +4626,18 @@ int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
+ fc = le_to_host16(mgmt->frame_control);
+ stype = WLAN_FC_GET_STYPE(fc);
+
++ if (is_multicast_ether_addr(mgmt->sa) ||
++ is_zero_ether_addr(mgmt->sa) ||
++ os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
++ /* Do not process any frames with unexpected/invalid SA so that
++ * we do not add any state for unexpected STA addresses or end
++ * up sending out frames to unexpected destination. */
++ wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR
++ " in received frame - ignore this frame silently",
++ MAC2STR(mgmt->sa));
++ return 0;
++ }
++
+ if (stype == WLAN_FC_STYPE_BEACON) {
+ handle_beacon(hapd, mgmt, len, fi);
+ return 1;
+--
+2.20.1
+
Copied: wpa_supplicant/repos/testing-x86_64/PKGBUILD (from rev 375978, wpa_supplicant/trunk/PKGBUILD)
===================================================================
--- testing-x86_64/PKGBUILD (rev 0)
+++ testing-x86_64/PKGBUILD 2020-02-21 00:30:22 UTC (rev 375979)
@@ -0,0 +1,78 @@
+# Maintainer: Bartłomiej Piotrowski <bpiotrow...@archlinux.org>
+# Contributor: Thomas Bächler <tho...@archlinux.org>
+
+pkgname=wpa_supplicant
+pkgver=2.9
+pkgrel=6
+epoch=2
+pkgdesc='A utility providing key negotiation for WPA wireless networks'
+url='http://hostap.epitest.fi/wpa_supplicant'
+arch=(x86_64)
+license=(GPL)
+depends=(openssl libdbus readline libnl)
+install=wpa_supplicant.install
+source=(
+ https://w1.fi/releases/${pkgname}-${pkgver}.tar.gz{,.asc}
+ CVE-2019-16275.patch
+ tls.patch # More permissive TLS fallback
+ systemd.patch # Unit improvements from Ubuntu
+ roam-properties.patch # https://bugs.archlinux.org/task/65482
+ config
+)
+validpgpkeys=('EC4AA0A991A5F2464582D52D2B6EF432EFC895FA') # Jouni Malinen
+sha256sums=('fcbdee7b4a64bea8177973299c8c824419c413ec2e3a95db63dd6a5dc3541f17'
+ 'SKIP'
+ 'bf91a135e717265969f1ab0319297c9d2e6f695928a17e3b3fa5accc8ef7b297'
+ '449c7dad67b246b5b93e796f57c2f90c5c32cfc5b16f7aa4f17802dc260d3414'
+ 'dd14f99618bb4db40eadfaf4ced29d6139ccf319429a1eef54c2c08c80924742'
+ '1ad3b61397c4a1dbafbf89059bccdda07cfe7eaff9f23ee25bed7bdd82c2bd87'
+ '176a863a8f9c784b109b69db14cb0eeb1fbe4a62e6583cd65e6855067803f443')
+
+prepare() {
+ cd "$srcdir/$pkgname-$pkgver"
+ local i; for i in "${source[@]}"; do
+ case $i in
+ *.patch)
+ echo "Applying patch $i"
+ patch -p1 -i "$srcdir/$i"
+ ;;
+ esac
+ done
+
+ cd "$srcdir/$pkgname-$pkgver/$pkgname"
+ cp "$srcdir/config" ./.config
+}
+
+build() {
+ cd "$srcdir/$pkgname-$pkgver/$pkgname"
+
+ make LIBDIR=/usr/lib BINDIR=/usr/bin
+ make LIBDIR=/usr/lib BINDIR=/usr/bin eapol_test
+}
+
+package() {
+ cd "$srcdir/$pkgname-$pkgver/$pkgname"
+ make LIBDIR=/usr/lib BINDIR=/usr/bin DESTDIR="$pkgdir" install
+ install -Dm755 eapol_test "$pkgdir/usr/bin/eapol_test"
+
+ install -d -m755 "$pkgdir/etc/wpa_supplicant"
+ install -Dm644 wpa_supplicant.conf \
+ "$pkgdir/usr/share/doc/wpa_supplicant/wpa_supplicant.conf"
+
+
+install -d -m755 "$pkgdir"/usr/share/dbus-1/{system.d,system-services}
+install -m644 \
+dbus/fi.w1.wpa_supplicant1.service \
+"$pkgdir/usr/share/dbus-1/system-services/"
+
+ install -Dm644 dbus/dbus-wpa_supplicant.conf \
+"$pkgdir/usr/share/dbus-1/system.d/wpa_supplicant.conf"
+
+ install -d -m755 "$pkgdir/usr/share/man/man"{5,8}
+ install -m644 doc/docbook/*.5 "$pkgdir/usr/share/man/man5/"
+ install -m644 doc/docbook/*.8 "$pkgdir/usr/share/man/man8/"
+ rm -f "$pkgdir/usr/share/man/man8/wpa_"{priv,gui}.8
+
+ install -d -m755 "$pkgdir/usr/lib/systemd/system"
+ install -m644 systemd/*.service "$pkgdir/usr/lib/systemd/system/"
+}
Copied: wpa_supplicant/repos/testing-x86_64/config (from rev 375978, wpa_supplicant/trunk/config)
===================================================================
--- testing-x86_64/config (rev 0)
+++ testing-x86_64/config 2020-02-21 00:30:22 UTC (rev 375979)
@@ -0,0 +1,81 @@
+CONFIG_ACS=y
+CONFIG_AP=y
+CONFIG_AUTOSCAN_EXPONENTIAL=y
+CONFIG_AUTOSCAN_PERIODIC=y
+CONFIG_BACKEND=file
+CONFIG_BGSCAN_LEARN=y
+CONFIG_BGSCAN_SIMPLE=y
+CONFIG_CTRL_IFACE=y
+CONFIG_CTRL_IFACE_DBUS_INTRO=y
+CONFIG_CTRL_IFACE_DBUS_NEW=y
+CONFIG_DEBUG_FILE=y
+CONFIG_DEBUG_LINUX_TRACING=y
+CONFIG_DEBUG_SYSLOG=y
+CONFIG_DEBUG_SYSLOG_FACILITY=LOG_DAEMON
+CONFIG_DELAYED_MIC_ERROR_REPORT=y
+CONFIG_DPP=y
+CONFIG_DRIVER_MACSEC_LINUX=y
+CONFIG_DRIVER_NL80211=y
+CONFIG_DRIVER_NL80211_QCA=y
+CONFIG_DRIVER_NONE=y
+CONFIG_DRIVER_WEXT=y
+CONFIG_DRIVER_WIRED=y
+CONFIG_EAP_AKA=y
+CONFIG_EAP_AKA_PRIME=y
+CONFIG_EAP_EKE=y
+CONFIG_EAP_FAST=y
+CONFIG_EAP_GPSK=y
+CONFIG_EAP_GPSK_SHA256=y
+CONFIG_EAP_GTC=y
+CONFIG_EAP_IKEV2=y
+CONFIG_EAP_LEAP=y
+CONFIG_EAP_MD5=y
+CONFIG_EAP_MSCHAPV2=y
+CONFIG_EAP_OTP=y
+CONFIG_EAP_PAX=y
+CONFIG_EAP_PEAP=y
+CONFIG_EAP_PSK=y
+CONFIG_EAP_PWD=y
+CONFIG_EAP_SAKE=y
+CONFIG_EAP_SIM=y
+CONFIG_EAP_TLS=y
+CONFIG_EAP_TNC=y
+CONFIG_EAP_TTLS=y
+CONFIG_ELOOP=eloop
+CONFIG_FST=y
+CONFIG_GETRANDOM=y
+CONFIG_HS20=y
+CONFIG_HT_OVERRIDES=y
+CONFIG_IBSS_RSN=y
+CONFIG_IEEE80211AC=y
+CONFIG_IEEE80211N=y
+CONFIG_IEEE80211R=y
+CONFIG_IEEE80211W=y
+CONFIG_IEEE8021X_EAPOL=y
+CONFIG_INTERWORKING=y
+CONFIG_IPV6=y
+CONFIG_L2_PACKET=linux
+CONFIG_LIBNL32=y
+CONFIG_MACSEC=y
+CONFIG_MAIN=main
+CONFIG_NO_RANDOM_POOL=y
+CONFIG_OS=unix
+CONFIG_OWE=y
+CONFIG_P2P=y
+CONFIG_PKCS12=y
+CONFIG_PMKSA_CACHE_EXTERNAL=y
+CONFIG_READLINE=y
+CONFIG_SAE=y
+CONFIG_SMARTCARD=y
+CONFIG_TDLS=y
+CONFIG_TLS=openssl
+CONFIG_TLSV11=y
+CONFIG_TLSV12=y
+CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT@SECLEVEL=1"
+CONFIG_VHT_OVERRIDES=y
+CONFIG_WIFI_DISPLAY=y
+CONFIG_WNM=y
+CONFIG_WPS=y
+CONFIG_WPS_ER=y
+CONFIG_WPS_NFC=y
+CONFIG_WPS_REG_DISABLE_OPEN=y
Copied: wpa_supplicant/repos/testing-x86_64/roam-properties.patch (from rev 375978, wpa_supplicant/trunk/roam-properties.patch)
===================================================================
--- testing-x86_64/roam-properties.patch (rev 0)
+++ testing-x86_64/roam-properties.patch 2020-02-21 00:30:22 UTC (rev 375979)
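Review bot: `CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT@SECLEVEL=1"` pins OpenSSL security level 1 for every TLS-based EAP method built here and carries no comment saying why, so it will outlive whatever legacy RADIUS deployment motivated it. wpa_supplicant's `.config` is Makefile syntax and accepts `#` comments; suggest a line above it such as `# SECLEVEL=1 keeps TLS-based EAP working against RADIUS servers with pre-2048-bit or SHA-1 certificates; users can tighten per network via openssl_ciphers= in wpa_supplicant.conf; re-evaluate each release`. `CONFIG_EAP_LEAP=y` and `CONFIG_EAP_MD5=y` likewise enable methods with well-known weaknesses; that is a normal distro choice for compatibility, but a one-line `# legacy/compatibility only` comment on them would make the intent explicit.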
@@ -0,0 +1,88 @@
+From 23d87687c2428f3b94865580b0d33e05c03e6756 Mon Sep 17 00:00:00 2001
+From: Matthew Wang <matthewmw...@chromium.org>
+Date: Fri, 11 Oct 2019 13:49:25 -0700
+Subject: dbus: Move roam metrics to the correct interface
+
+These properties were in the wpas_dbus_bss_properties array when they
+should have been in the wpas_dbus_interface_properties array. Move them
+to the right place. This is the logical location for these properties
+and it matches both the other parts of the implementation (e.g., being
+in enum wpas_dbus_prop, not in enum wpas_dbus_bss_prop) and what
+was originally documented for the interface in dbus.doxygen.
+
+Fixes: 2bbad1c7c9cb ("dbus: Export roam time, roam complete, and session length")
+Fixes: 80d06d0ca9f3 ("dbus: Export BSS Transition Management status")
+Signed-off-by: Matthew Wang <matthewmw...@chromium.org>
+---
+ wpa_supplicant/dbus/dbus_new.c | 48 +++++++++++++++++++++---------------------
+ 1 file changed, 24 insertions(+), 24 deletions(-)
+
+diff --git a/wpa_supplicant/dbus/dbus_new.c b/wpa_supplicant/dbus/dbus_new.c
+index 5e6b522..e9e77bd 100644
+--- a/wpa_supplicant/dbus/dbus_new.c
++++ b/wpa_supplicant/dbus/dbus_new.c
+@@ -2855,30 +2855,6 @@ static const struct wpa_dbus_property_desc wpas_dbus_bss_properties[] = {
+ NULL,
+ NULL
+ },
+- {
+- "RoamTime", WPAS_DBUS_NEW_IFACE_INTERFACE, "u",
+- wpas_dbus_getter_roam_time,
+- NULL,
+- NULL
+- },
+- {
+- "RoamComplete", WPAS_DBUS_NEW_IFACE_INTERFACE, "b",
+- wpas_dbus_getter_roam_complete,
+- NULL,
+- NULL
+- },
+- {
+- "SessionLength", WPAS_DBUS_NEW_IFACE_INTERFACE, "u",
+- wpas_dbus_getter_session_length,
+- NULL,
+- NULL
+- },
+- {
+- "BSSTMStatus", WPAS_DBUS_NEW_IFACE_INTERFACE, "u",
+- wpas_dbus_getter_bss_tm_status,
+- NULL,
+- NULL
+- },
+ { NULL, NULL, NULL, NULL, NULL, NULL }
+ };
+
+@@ -3786,6 +3762,30 @@ static const struct wpa_dbus_property_desc wpas_dbus_interface_properties[] = {
+ NULL,
+ NULL
+ },
++ {
++ "RoamTime", WPAS_DBUS_NEW_IFACE_INTERFACE, "u",
++ wpas_dbus_getter_roam_time,
++ NULL,
++ NULL
++ },
++ {
++ "RoamComplete", WPAS_DBUS_NEW_IFACE_INTERFACE, "b",
++ wpas_dbus_getter_roam_complete,
++ NULL,
++ NULL
++ },
++ {
++ "SessionLength", WPAS_DBUS_NEW_IFACE_INTERFACE, "u",
++ wpas_dbus_getter_session_length,
++ NULL,
++ NULL
++ },
++ {
++ "BSSTMStatus", WPAS_DBUS_NEW_IFACE_INTERFACE, "u",
++ wpas_dbus_getter_bss_tm_status,
++ NULL,
++ NULL
++ },
+ #ifdef CONFIG_MESH
+ { "MeshPeers", WPAS_DBUS_NEW_IFACE_MESH, "aay",
+ wpas_dbus_getter_mesh_peers,
+--
+cgit v0.12
+
Copied: wpa_supplicant/repos/testing-x86_64/systemd.patch (from rev 375978, wpa_supplicant/trunk/systemd.patch)
===================================================================
--- testing-x86_64/systemd.patch (rev 0)
+++ testing-x86_64/systemd.patch 2020-02-21 00:30:22 UTC (rev 375979)
@@ -0,0 +1,29 @@
+diff -u -r wpa_supplicant-2.9/wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in wpa_supplicant-2.9-systemd/wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in
+--- wpa_supplicant-2.9/wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in 2019-08-07 13:25:25.000000000 +0000
++++ wpa_supplicant-2.9-systemd/wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in 2020-01-22 22:46:14.676497087 +0000
+@@ -1,5 +1,5 @@
+ [D-BUS Service]
+ Name=fi.w1.wpa_supplicant1
+-Exec=@BINDIR@/wpa_supplicant -u
++Exec=@BINDIR@/wpa_supplicant -u -s -O /run/wpa_supplicant
+ User=root
+ SystemdService=wpa_supplicant.service
+diff -u -r wpa_supplicant-2.9/wpa_supplicant/systemd/wpa_supplicant.service.in wpa_supplicant-2.9-systemd/wpa_supplicant/systemd/wpa_supplicant.service.in
+--- wpa_supplicant-2.9/wpa_supplicant/systemd/wpa_supplicant.service.in 2019-08-07 13:25:25.000000000 +0000
++++ wpa_supplicant-2.9-systemd/wpa_supplicant/systemd/wpa_supplicant.service.in 2020-01-22 22:47:53.561183663 +0000
+@@ -1,12 +1,14 @@
+ [Unit]
+ Description=WPA supplicant
+ Before=network.target
++After=dbus.service
+ Wants=network.target
++IgnoreOnIsolate=true
+
+ [Service]
+ Type=dbus
+ BusName=fi.w1.wpa_supplicant1
+-ExecStart=@BINDIR@/wpa_supplicant -u
++ExecStart=@BINDIR@/wpa_supplicant -u -s -O /run/wpa_supplicant
+
+ [Install]
+ WantedBy=multi-user.target
Copied: wpa_supplicant/repos/testing-x86_64/tls.patch (from rev 375978, wpa_supplicant/trunk/tls.patch)
===================================================================
--- testing-x86_64/tls.patch (rev 0)
+++ testing-x86_64/tls.patch 2020-02-21 00:30:22 UTC (rev 375979)
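Review bot: The argument string `-u -s -O /run/wpa_supplicant` is now duplicated verbatim between the D-Bus activation file and the systemd unit with nothing tying them together, so a later edit to one will silently desynchronize the other; a comment in the patch header or the PKGBUILD stating that both `Exec=` and `ExecStart=` must match would prevent that. `-O /run/wpa_supplicant` also forces a control-interface socket directory for every interface the daemon manages, including ones created over D-Bus by NetworkManager; without a `GROUP=` the directory is, as far as I recall, accessible to root only, which is the conservative default but should be recorded as intentional rather than left implicit. `After=dbus.service` on a `Type=dbus` unit looks redundant, since systemd already orders bus-activated services after the bus socket, but it is harmless if the maintainer wants it spelled out.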
@@ -0,0 +1,26 @@
+diff -u -r wpa_supplicant-2.9/src/crypto/tls_openssl.c wpa_supplicant-2.9-tls/src/crypto/tls_openssl.c
+--- wpa_supplicant-2.9/src/crypto/tls_openssl.c 2019-08-07 13:25:25.000000000 +0000
++++ wpa_supplicant-2.9-tls/src/crypto/tls_openssl.c 2020-01-22 22:49:12.575598357 +0000
+@@ -1035,6 +1035,13 @@
+ os_free(data);
+ return NULL;
+ }
++
++#ifndef EAP_SERVER_TLS
++ /* Enable TLSv1.0 by default to allow connecting to legacy
++ * networks since Debian OpenSSL is set to minimum TLSv1.2 and SECLEVEL=2. */
++ SSL_CTX_set_min_proto_version(ssl, TLS1_VERSION);
++#endif
++
+ data->ssl = ssl;
+ if (conf) {
+ data->tls_session_lifetime = conf->tls_session_lifetime;
+@@ -1577,6 +1584,7 @@
+ #ifdef SSL_OP_NO_COMPRESSION
+ options |= SSL_OP_NO_COMPRESSION;
+ #endif /* SSL_OP_NO_COMPRESSION */
++ options |= SSL_OP_NO_TICKET;
+ SSL_set_options(conn->ssl, options);
+ #ifdef SSL_OP_ENABLE_MIDDLEBOX_COMPAT
+ /* Hopefully there is no need for middlebox compatibility mechanisms
+Only in wpa_supplicant-2.9-tls/src/crypto: tls_openssl.c.orig
Copied: wpa_supplicant/repos/testing-x86_64/wpa_supplicant.install (from rev 375978, wpa_supplicant/trunk/wpa_supplicant.install)
===================================================================
--- testing-x86_64/wpa_supplicant.install (rev 0)
+++ testing-x86_64/wpa_supplicant.install 2020-02-21 00:30:22 UTC (rev 375979)
@@ -0,0 +1,7 @@
+post_upgrade() {
+ if [[ $(vercmp "$2" '1:2.6-3') -lt 0 ]]; then
+ echo ':: The /etc/wpa_supplicant/wpa_supplicant.conf is file no longer managed by pacman'
+ echo ' and if it was modified, it has been renamed to wpa_supplicant.conf.pacsave.'
+ echo ' Move it to the original location if needed.'
+ fi
+}
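Review bot: The `#ifndef EAP_SERVER_TLS` block drops the minimum protocol version of every client-side SSL_CTX to TLS 1.0, and its comment justifies that with Debian's OpenSSL defaults, which is misleading in an Arch package; the comment should state the actual reason on Arch, or the hunk should be dropped if Arch's openssl does not raise the floor in the first place. Because `SSL_CTX_set_min_proto_version(ssl, TLS1_VERSION)` acts on the context it re-enables TLS 1.0 for networks whose users never asked for it; wpa_supplicant's per-network `phase1="tls_disable_tlsv1_0=1"` option should still be able to turn it off for a given network (I believe it sets a per-connection option, but that is outside the hunk), and the comment should say so. `options |= SSL_OP_NO_TICKET;` in the second hunk is unconditional and undocumented, costs session resumption on every EAP connection, and interacts with the existing `tls_disable_tickets` phase1 handling in a way I cannot determine from the hunk, so it needs a comment such as `/* Arch: session tickets disabled unconditionally, see <bug-url placeholder>; tls_disable_tickets no longer controls this */`. The trailing `Only in wpa_supplicant-2.9-tls/src/crypto: tls_openssl.c.orig` line is stray `diff -r` output and should be stripped from the patch file. Both enclosing functions start and end outside the hunks.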