Re: [OE-core] [PATCH] [PATCH] wpa-supplicant: fix the bug for PATCHTOOL = "patch"

2018-06-05 Thread Peter Kjellerstedt
> -----Original Message-----
> From: Richard Purdie [mailto:richard.pur...@linuxfoundation.org]
> Sent: den 5 juni 2018 12:50
> To: Peter Kjellerstedt ; Hong Liu
> ; openembedded-core@lists.openembedded.org
> Subject: Re: [OE-core] [PATCH] [PATCH] wpa-supplicant: fix the bug for
> PATCHTOOL = "patch"
> 
> On Tue, 2018-06-05 at 10:43 +, Peter Kjellerstedt wrote:
> > > -----Original Message-----
> > > From: openembedded-core-boun...@lists.openembedded.org
> > > [mailto:openembedded-core-boun...@lists.openembedded.org] On Behalf
> > > Of
> > > Hong Liu
> > > Sent: den 5 juni 2018 10:11
> > > To: openembedded-core@lists.openembedded.org
> > > Subject: [OE-core] [PATCH] [PATCH] wpa-supplicant: fix the bug for
> > > PATCHTOOL = "patch"
> > >
> > > When switching PATCHTOOL to patch, applying 'key-replay-cve-
> > > multiple.patch' failed:
> > >
> > > checking file src/ap/ieee802_11.c
> > > checking file src/ap/wpa_auth.c
> > > checking file src/ap/wpa_auth.h
> > > checking file src/ap/wpa_auth_ft.c
> > > checking file src/ap/wpa_auth_i.h
> > > checking file src/common/wpa_common.h
> > > checking file src/rsn_supp/wpa.c
> > > checking file src/rsn_supp/wpa_i.h
> > > checking file src/rsn_supp/wpa.c
> > > Hunk #1 FAILED at 709.
> > > Hunk #2 FAILED at 757.
> > > Hunk #3 succeeded at 840 (offset -12 lines).
> > > Hunk #4 FAILED at 868.
> > > Hunk #5 FAILED at 900.
> > > Hunk #6 FAILED at 924.
> > > Hunk #7 succeeded at 1536 (offset -38 lines).
> > > Hunk #8 FAILED at 2386.
> > > Hunk #9 FAILED at 2920.
> > > Hunk #10 succeeded at 2940 (offset -46 lines).
> > > Hunk #11 FAILED at 2998.
> > > 8 out of 11 hunks FAILED
> > > checking file src/rsn_supp/wpa_i.h
> > > Hunk #1 FAILED at 32.
> > > 1 out of 1 hunk FAILED
> > > checking file src/common/wpa_common.h
> > > Hunk #1 succeeded at 215 with fuzz 1.
> > > checking file src/rsn_supp/wpa.c
> > > checking file src/rsn_supp/wpa_i.h
> > > checking file src/ap/wpa_auth.c
> > > Hunk #1 succeeded at 1898 (offset -3 lines).
> > > Hunk #2 succeeded at 2470 (offset -3 lines).
> > > checking file src/rsn_supp/tdls.c
> > > checking file wpa_supplicant/wnm_sta.c
> > > checking file src/rsn_supp/wpa.c
> > > Hunk #1 succeeded at 2378 (offset -62 lines).
> > > checking file src/rsn_supp/wpa_ft.c
> > > checking file src/rsn_supp/wpa_i.h
> > > Hunk #1 succeeded at 123 (offset -5 lines).
> > >
> > > So split the wpa-supplicant/key-replay-cve-multiple into 8 patches.
> >
> > Why does it need to be split into eight separate patches? Isn't it
> > just a case of having to regenerate the patch so that the hunk
> > contexts match the current code?
> 
> You're technically right but I think separate patches may be a lot
> clearer...
> 
> Cheers,
> 
> Richard

I should probably have looked at the patches and not just the new 
file names. I just assumed the original patch was split along the 
file borders, but I now see that it was actually split according to 
functionality. However, it might be an idea to let git format-patch 
regenerate the file names to better indicate their contents.

//Peter

-- 
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core


Re: [OE-core] [PATCH] [PATCH] wpa-supplicant: fix the bug for PATCHTOOL = "patch"

2018-06-05 Thread Richard Purdie
On Tue, 2018-06-05 at 10:43 +, Peter Kjellerstedt wrote:
> > -----Original Message-----
> > From: openembedded-core-boun...@lists.openembedded.org
> > [mailto:openembedded-core-boun...@lists.openembedded.org] On Behalf
> > Of
> > Hong Liu
> > Sent: den 5 juni 2018 10:11
> > To: openembedded-core@lists.openembedded.org
> > Subject: [OE-core] [PATCH] [PATCH] wpa-supplicant: fix the bug for
> > PATCHTOOL = "patch"
> > 
> > When switching PATCHTOOL to patch, applying 'key-replay-cve-
> > multiple.patch' failed:
> > 
> > checking file src/ap/ieee802_11.c
> > checking file src/ap/wpa_auth.c
> > checking file src/ap/wpa_auth.h
> > checking file src/ap/wpa_auth_ft.c
> > checking file src/ap/wpa_auth_i.h
> > checking file src/common/wpa_common.h
> > checking file src/rsn_supp/wpa.c
> > checking file src/rsn_supp/wpa_i.h
> > checking file src/rsn_supp/wpa.c
> > Hunk #1 FAILED at 709.
> > Hunk #2 FAILED at 757.
> > Hunk #3 succeeded at 840 (offset -12 lines).
> > Hunk #4 FAILED at 868.
> > Hunk #5 FAILED at 900.
> > Hunk #6 FAILED at 924.
> > Hunk #7 succeeded at 1536 (offset -38 lines).
> > Hunk #8 FAILED at 2386.
> > Hunk #9 FAILED at 2920.
> > Hunk #10 succeeded at 2940 (offset -46 lines).
> > Hunk #11 FAILED at 2998.
> > 8 out of 11 hunks FAILED
> > checking file src/rsn_supp/wpa_i.h
> > Hunk #1 FAILED at 32.
> > 1 out of 1 hunk FAILED
> > checking file src/common/wpa_common.h
> > Hunk #1 succeeded at 215 with fuzz 1.
> > checking file src/rsn_supp/wpa.c
> > checking file src/rsn_supp/wpa_i.h
> > checking file src/ap/wpa_auth.c
> > Hunk #1 succeeded at 1898 (offset -3 lines).
> > Hunk #2 succeeded at 2470 (offset -3 lines).
> > checking file src/rsn_supp/tdls.c
> > checking file wpa_supplicant/wnm_sta.c
> > checking file src/rsn_supp/wpa.c
> > Hunk #1 succeeded at 2378 (offset -62 lines).
> > checking file src/rsn_supp/wpa_ft.c
> > checking file src/rsn_supp/wpa_i.h
> > Hunk #1 succeeded at 123 (offset -5 lines).
> > 
> > So split the wpa-supplicant/key-replay-cve-multiple into 8 patches.
> 
> Why does it need to be split into eight separate patches? Isn't it 
> just a case of having to regenerate the patch so that the hunk 
> contexts match the current code?

You're technically right but I think separate patches may be a lot
clearer...

Cheers,

Richard



Re: [OE-core] [PATCH] [PATCH] wpa-supplicant: fix the bug for PATCHTOOL = "patch"

2018-06-05 Thread Peter Kjellerstedt
> -----Original Message-----
> From: openembedded-core-boun...@lists.openembedded.org
> [mailto:openembedded-core-boun...@lists.openembedded.org] On Behalf Of
> Hong Liu
> Sent: den 5 juni 2018 10:11
> To: openembedded-core@lists.openembedded.org
> Subject: [OE-core] [PATCH] [PATCH] wpa-supplicant: fix the bug for
> PATCHTOOL = "patch"
> 
> When switching PATCHTOOL to patch, applying 'key-replay-cve-
> multiple.patch' failed:
> 
> checking file src/ap/ieee802_11.c
> checking file src/ap/wpa_auth.c
> checking file src/ap/wpa_auth.h
> checking file src/ap/wpa_auth_ft.c
> checking file src/ap/wpa_auth_i.h
> checking file src/common/wpa_common.h
> checking file src/rsn_supp/wpa.c
> checking file src/rsn_supp/wpa_i.h
> checking file src/rsn_supp/wpa.c
> Hunk #1 FAILED at 709.
> Hunk #2 FAILED at 757.
> Hunk #3 succeeded at 840 (offset -12 lines).
> Hunk #4 FAILED at 868.
> Hunk #5 FAILED at 900.
> Hunk #6 FAILED at 924.
> Hunk #7 succeeded at 1536 (offset -38 lines).
> Hunk #8 FAILED at 2386.
> Hunk #9 FAILED at 2920.
> Hunk #10 succeeded at 2940 (offset -46 lines).
> Hunk #11 FAILED at 2998.
> 8 out of 11 hunks FAILED
> checking file src/rsn_supp/wpa_i.h
> Hunk #1 FAILED at 32.
> 1 out of 1 hunk FAILED
> checking file src/common/wpa_common.h
> Hunk #1 succeeded at 215 with fuzz 1.
> checking file src/rsn_supp/wpa.c
> checking file src/rsn_supp/wpa_i.h
> checking file src/ap/wpa_auth.c
> Hunk #1 succeeded at 1898 (offset -3 lines).
> Hunk #2 succeeded at 2470 (offset -3 lines).
> checking file src/rsn_supp/tdls.c
> checking file wpa_supplicant/wnm_sta.c
> checking file src/rsn_supp/wpa.c
> Hunk #1 succeeded at 2378 (offset -62 lines).
> checking file src/rsn_supp/wpa_ft.c
> checking file src/rsn_supp/wpa_i.h
> Hunk #1 succeeded at 123 (offset -5 lines).
> 
> So split the wpa-supplicant/key-replay-cve-multiple into 8 patches.

Why does it need to be split into eight separate patches? Isn't it 
just a case of having to regenerate the patch so that the hunk 
contexts match the current code?

> Signed-off-by: Hong Liu 
> ---
>  .../wpa-supplicant/key-replay-cve-multiple.patch   | 1025 
> 
>  .../wpa-supplicant/key-replay-cve-multiple1.patch  |  191 
>  .../wpa-supplicant/key-replay-cve-multiple2.patch  |  249 +
>  .../wpa-supplicant/key-replay-cve-multiple3.patch  |  183 
>  .../wpa-supplicant/key-replay-cve-multiple4.patch  |   78 ++
>  .../wpa-supplicant/key-replay-cve-multiple5.patch  |   63 ++
>  .../wpa-supplicant/key-replay-cve-multiple6.patch  |  131 +++
>  .../wpa-supplicant/key-replay-cve-multiple7.patch  |   42 +
>  .../wpa-supplicant/key-replay-cve-multiple8.patch  |   81 ++
>  .../wpa-supplicant/wpa-supplicant_2.6.bb   |9 +-
>  10 files changed, 1026 insertions(+), 1026 deletions(-)
>  delete mode 100644 
> meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple.patch
>  create mode 100644 
> meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple1.patch
>  create mode 100644 
> meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple2.patch
>  create mode 100644 
> meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple3.patch
>  create mode 100644 
> meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple4.patch
>  create mode 100644 
> meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple5.patch
>  create mode 100644 
> meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple6.patch
>  create mode 100644 
> meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple7.patch
>  create mode 100644 
> meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple8.patch

//Peter



[OE-core] [PATCH] [PATCH] wpa-supplicant: fix the bug for PATCHTOOL = "patch"

2018-06-05 Thread Hong Liu
When switching PATCHTOOL to patch, applying 'key-replay-cve-multiple.patch' failed:

checking file src/ap/ieee802_11.c
checking file src/ap/wpa_auth.c
checking file src/ap/wpa_auth.h
checking file src/ap/wpa_auth_ft.c
checking file src/ap/wpa_auth_i.h
checking file src/common/wpa_common.h
checking file src/rsn_supp/wpa.c
checking file src/rsn_supp/wpa_i.h
checking file src/rsn_supp/wpa.c
Hunk #1 FAILED at 709.
Hunk #2 FAILED at 757.
Hunk #3 succeeded at 840 (offset -12 lines).
Hunk #4 FAILED at 868.
Hunk #5 FAILED at 900.
Hunk #6 FAILED at 924.
Hunk #7 succeeded at 1536 (offset -38 lines).
Hunk #8 FAILED at 2386.
Hunk #9 FAILED at 2920.
Hunk #10 succeeded at 2940 (offset -46 lines).
Hunk #11 FAILED at 2998.
8 out of 11 hunks FAILED
checking file src/rsn_supp/wpa_i.h
Hunk #1 FAILED at 32.
1 out of 1 hunk FAILED
checking file src/common/wpa_common.h
Hunk #1 succeeded at 215 with fuzz 1.
checking file src/rsn_supp/wpa.c
checking file src/rsn_supp/wpa_i.h
checking file src/ap/wpa_auth.c
Hunk #1 succeeded at 1898 (offset -3 lines).
Hunk #2 succeeded at 2470 (offset -3 lines).
checking file src/rsn_supp/tdls.c
checking file wpa_supplicant/wnm_sta.c
checking file src/rsn_supp/wpa.c
Hunk #1 succeeded at 2378 (offset -62 lines).
checking file src/rsn_supp/wpa_ft.c
checking file src/rsn_supp/wpa_i.h
Hunk #1 succeeded at 123 (offset -5 lines).

So split the wpa-supplicant/key-replay-cve-multiple into 8 patches.

Signed-off-by: Hong Liu 
---
 .../wpa-supplicant/key-replay-cve-multiple.patch   | 1025 
 .../wpa-supplicant/key-replay-cve-multiple1.patch  |  191 
 .../wpa-supplicant/key-replay-cve-multiple2.patch  |  249 +
 .../wpa-supplicant/key-replay-cve-multiple3.patch  |  183 
 .../wpa-supplicant/key-replay-cve-multiple4.patch  |   78 ++
 .../wpa-supplicant/key-replay-cve-multiple5.patch  |   63 ++
 .../wpa-supplicant/key-replay-cve-multiple6.patch  |  131 +++
 .../wpa-supplicant/key-replay-cve-multiple7.patch  |   42 +
 .../wpa-supplicant/key-replay-cve-multiple8.patch  |   81 ++
 .../wpa-supplicant/wpa-supplicant_2.6.bb   |9 +-
 10 files changed, 1026 insertions(+), 1026 deletions(-)
 delete mode 100644 
meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple.patch
 create mode 100644 
meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple1.patch
 create mode 100644 
meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple2.patch
 create mode 100644 
meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple3.patch
 create mode 100644 
meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple4.patch
 create mode 100644 
meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple5.patch
 create mode 100644 
meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple6.patch
 create mode 100644 
meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple7.patch
 create mode 100644 
meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple8.patch

diff --git 
a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple.patch
 
b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple.patch
deleted file mode 100644
index 436520f..000
--- 
a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple.patch
+++ /dev/null
@@ -1,1025 +0,0 @@
-The WPA2 four-way handshake protocol is vulnerable to replay attacks which can
-result in unauthenticated clients gaining access to the network.
-
-Backport a number of patches from upstream to fix this.
-
-CVE: CVE-2017-13077
-CVE: CVE-2017-13078
-CVE: CVE-2017-13079
-CVE: CVE-2017-13080
-CVE: CVE-2017-13081
-CVE: CVE-2017-13082
-CVE: CVE-2017-13086
-CVE: CVE-2017-13087
-CVE: CVE-2017-13088
-
-Upstream-Status: Backport
-Signed-off-by: Ross Burton 
-
-From cf4cab804c7afd5c45505528a8d16e46163243a2 Mon Sep 17 00:00:00 2001
-From: Mathy Vanhoef 
-Date: Fri, 14 Jul 2017 15:15:35 +0200
-Subject: [PATCH 1/8] hostapd: Avoid key reinstallation in FT handshake
-
-Do not reinstall TK to the driver during Reassociation Response frame
-processing if the first attempt of setting the TK succeeded. This avoids
-issues related to clearing the TX/RX PN that could result in reusing
-same PN values for transmitted frames (e.g., due to CCM nonce reuse and
-also hitting replay protection on the receiver) and accepting replayed
-frames on RX side.
-
-This issue was introduced by the commit
-0e84c25434e6a1f283c7b4e62e483729085b78d2 ('FT: Fix PTK configuration in
-authenticator') which allowed wpa_ft_install_ptk() to be called multiple
-times with the same PTK. While the second configuration attempt is
-needed with some drivers, it must be done only if the first attempt
-failed.
-
-Signed-off-by: Mathy Vanhoef 

- src/ap/ieee802_11.c  | 16 +---
- src/ap/wpa_auth.c| 11 +++
-
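Review bot: the header deleted at the top of this hunk holds the nine CVE: tags, Upstream-Status: Backport and Ross Burton's Signed-off-by once for the whole combined file, so each of the eight replacement patches needs its own copy of that header with the CVE IDs that apply to it; otherwise the record of which fix covers which CVE is lost in the split. The first embedded upstream commit already has a descriptive subject ("[PATCH 1/8] hostapd: Avoid key reinstallation in FT handshake"), so naming the new files after those subjects instead of key-replay-cve-multiple1.patch through key-replay-cve-multiple8.patch would make the wpa-supplicant_2.6.bb change easier to audit. The commit message should also state why the combined file fails with PATCHTOOL = "patch" (the log shows the same files, for example src/rsn_supp/wpa.c, being patched several times in one file) and that the split changes no patch content, so a reviewer can confirm the security fixes are carried over unchanged.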