Package: wpa / 2:2.4-1+deb9u4

Metadata

Package: wpa
Version: 2:2.4-1+deb9u4
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
01_use_pkg config_for_pcsc lite_module.patch | (download)

wpa_supplicant/Makefile | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 use pkg-config for libpcsclite linkage flags
 At least in Debian, we can rely on pkg-config being available and
 returning more accurate ldflags.
02_dbus_group_policy.patch | (download)

wpa_supplicant/dbus/dbus-wpa_supplicant.conf | 8 8 + 0 - 0 !
1 file changed, 8 insertions(+)

 Debian does not use pam_console but uses group membership
 to control access to D-Bus. Activating both options in the conf file
 makes it work on Debian and Ubuntu.
06_wpa_gui_menu_exec_path.patch | (download)

wpa_supplicant/wpa_gui-qt4/wpa_gui.desktop | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 Debian-specific patch to the desktop menu entry, so that we may exec
 wpa_gui, which, being in /usr/sbin, may not be in the PATH
07_dbus_service_syslog.patch | (download)

wpa_supplicant/dbus/fi.epitest.hostap.WPASupplicant.service.in | 2 1 + 1 - 0 !
wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in | 2 1 + 1 - 0 !
wpa_supplicant/systemd/wpa_supplicant.service.in | 2 1 + 1 - 0 !
3 files changed, 3 insertions(+), 3 deletions(-)

 tweak d-bus/systemd service activation configuration files:
 * log wpa_supplicant messages to syslog
 * activate control socket interface so that wpa_cli can be used by D-Bus
   activated wpa_supplicant daemon
12_wpa_gui_knotify_support.patch | (download)

wpa_supplicant/wpa_gui-qt4/wpagui.cpp | 18 16 + 2 - 0 !
1 file changed, 16 insertions(+), 2 deletions(-)

 use kde's knotify when running under kde
wpa_gui_desktop_add keywords entry.patch | (download)

wpa_supplicant/wpa_gui-qt4/wpa_gui.desktop | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

---
wpasupplicant_band_selection_aa517ae2.patch | (download)

wpa_supplicant/scan.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

---
2015 1/0001 P2P Validate SSID element length before copying it C.patch | (download)

src/p2p/p2p.c | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 [patch] p2p: validate ssid element length before copying it
 (CVE-2015-1863)

This fixes a possible memcpy overflow for P2P dev->oper_ssid in
p2p_add_device(). The length provided by the peer device (0..255 bytes)
was used without proper bounds checking and that could have resulted in
arbitrary data of up to 223 bytes being written beyond the end of the
dev->oper_ssid[] array (of which about 150 bytes would be beyond the
heap allocation) when processing a corrupted management frame for P2P
peer discovery purposes.

This could result in corrupted state in heap, unexpected program
behavior due to corrupted P2P peer device information, denial of service
due to process crash, exposure of memory contents during GO Negotiation,
and potentially arbitrary code execution.

Thanks to Google security team for reporting this issue and smart
hardware research group of Alibaba security team for discovering it.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

2015 2/0001 WPS Fix HTTP chunked transfer encoding parser.patch | (download)

src/wps/httpread.c | 7 7 + 0 - 0 !
1 file changed, 7 insertions(+)

 [patch] wps: fix http chunked transfer encoding parser

strtoul() return value may end up overflowing the int h->chunk_size and
resulting in a negative value to be stored as the chunk_size. This could
result in the following memcpy operation using a very large length
argument which would result in a buffer overflow and segmentation fault.

This could have been used to cause a denial of service by any device that
has been authorized for network access (either wireless or wired). This
would affect both the WPS UPnP functionality in a WPS AP (hostapd with
upnp_iface parameter set in the configuration) and WPS ER
(wpa_supplicant with WPS_ER_START control interface command used).

Validate the parsed chunk length value to avoid this. In addition to
rejecting negative values, we can also reject chunk size that would be
larger than the maximum configured body length.

Thanks to Kostya Kortchinsky of Google security team for discovering and
reporting this issue.

Signed-off-by: Jouni Malinen <j@w1.fi>
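
The narrowing described above, as an added C example (my own code, not hostap's src/wps/httpread.c). chunk_size_unchecked() reproduces the unsigned long to int conversion the commit message describes; parse_chunk_size() is the shape of check the fix calls for: reject values that would go negative as an int and values above the configured body limit, plus the leading sign and whitespace that strtoul() would otherwise silently accept. DEMO_MAX_BODY is a constructed limit; the real parser takes it from the caller.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Demo body limit (constructed); hostap uses the caller-supplied max length. */
#define DEMO_MAX_BODY 4096

/* Unpatched shape: strtoul() returns unsigned long, silently narrowed to int.
 * "ffffffff" becomes -1 here, and memcpy(dst, src, chunk_size) would turn
 * that back into (size_t) -1. */
int chunk_size_unchecked(const char *line)
{
	int chunk_size = strtoul(line, NULL, 16);

	return chunk_size;
}

/* Hardened parse of a chunk-size line. Returns 0 and stores the size, or -1
 * when the line has no leading hex digit (this also rejects the leading '-'
 * and whitespace strtoul() would accept), overflowed unsigned long, would be
 * negative as an int, exceeds max_body, or has junk after the digits other
 * than a chunk extension or CRLF. */
int parse_chunk_size(const char *line, int max_body, int *chunk_size)
{
	unsigned long v;
	char *end;

	if (!isxdigit((unsigned char) line[0]))
		return -1;
	errno = 0;
	v = strtoul(line, &end, 16);
	if (errno == ERANGE)
		return -1;
	if (v > (unsigned long) INT_MAX)
		return -1;
	if ((int) v > max_body)
		return -1;
	if (*end != '\0' && *end != ';' && *end != '\r' && *end != '\n')
		return -1;
	*chunk_size = (int) v;
	return 0;
}

/* Bytes the line allows the body copy to proceed with, or -1 if rejected. */
int accepted_chunk_len(const char *line)
{
	int n;

	if (parse_chunk_size(line, DEMO_MAX_BODY, &n) < 0)
		return -1;
	return n;
}

int main(void)
{
	static const char *lines[] = { "1a;ext=1", "10", "ffffffff", "2000", "-1", "zz" };
	size_t i;

	for (i = 0; i < sizeof(lines) / sizeof(lines[0]); i++)
		printf("%-10s unchecked=%d checked=%d\n", lines[i],
		       chunk_size_unchecked(lines[i]), accepted_chunk_len(lines[i]));
	return 0;
}
```

The INT_MAX comparison is what closes the hole the commit describes; the max_body comparison is the second check it mentions and is the one that actually matters in practice, since any chunk larger than the body buffer is bogus regardless of sign.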

2015 3/0001 AP WMM Fix integer underflow in WMM Action frame par.patch | (download)

src/ap/wmm.c | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 [patch] ap wmm: fix integer underflow in wmm action frame parser

The length of the WMM Action frame was not properly validated and the
length of the information elements (int left) could end up being
negative. This would result in reading significantly past the stack
buffer while parsing the IEs in ieee802_11_parse_elems() and, while doing
so, result in a segmentation fault.

This can result in an invalid frame being used for a denial of service
attack (hostapd process killed) against an AP with a driver that uses
hostapd for management frame processing (e.g., all mac80211-based
drivers).

Thanks to Kostya Kortchinsky of Google security team for discovering and
reporting this issue.

Signed-off-by: Jouni Malinen <j@w1.fi>

2015 4/0001 EAP pwd peer Fix payload length validation for Commi.patch | (download)

src/eap_peer/eap_pwd.c | 29 29 + 0 - 0 !
1 file changed, 29 insertions(+)

 [patch 1/5] eap-pwd peer: fix payload length validation for commit
 and Confirm

The length of the received Commit and Confirm message payloads was not
checked before reading them. This could result in a buffer read
overflow when processing an invalid message.

Fix this by verifying that the payload is of expected length before
processing it. In addition, enforce correct state transition sequence to
make sure there is no unexpected behavior if receiving a Commit/Confirm
message before the previous exchanges have been completed.

Thanks to Kostya Kortchinsky of Google security team for discovering and
reporting this issue.

Signed-off-by: Jouni Malinen <j@w1.fi>

2015 4/0002 EAP pwd server Fix payload length validation for Com.patch | (download)

src/eap_server/eap_server_pwd.c | 19 19 + 0 - 0 !
1 file changed, 19 insertions(+)

 [patch 2/5] eap-pwd server: fix payload length validation for commit
 and Confirm

The length of the received Commit and Confirm message payloads was not
checked before reading them. This could result in a buffer read
overflow when processing an invalid message.

Fix this by verifying that the payload is of expected length before
processing it. In addition, enforce correct state transition sequence to
make sure there is no unexpected behavior if receiving a Commit/Confirm
message before the previous exchanges have been completed.

Thanks to Kostya Kortchinsky of Google security team for discovering and
reporting this issue.

Signed-off-by: Jouni Malinen <j@w1.fi>

2015 4/0003 EAP pwd peer Fix Total Length parsing for fragment r.patch | (download)

src/eap_peer/eap_pwd.c | 12 12 + 0 - 0 !
1 file changed, 12 insertions(+)

 [patch 3/5] eap-pwd peer: fix total-length parsing for fragment
 reassembly

The remaining number of bytes in the message could be smaller than the
Total-Length field size, so the length needs to be explicitly checked
prior to reading the field and decrementing the len variable. This could
have resulted in the remaining length becoming negative and interpreted
as a huge positive integer.

In addition, check that there is no already started fragment in progress
before allocating a new buffer for reassembling fragments. This avoids a
potential memory leak when processing an invalid message.

Signed-off-by: Jouni Malinen <j@w1.fi>

2015 4/0004 EAP pwd server Fix Total Length parsing for fragment.patch | (download)

src/eap_server/eap_server_pwd.c | 10 10 + 0 - 0 !
1 file changed, 10 insertions(+)

 [patch 4/5] eap-pwd server: fix total-length parsing for fragment
 reassembly

The remaining number of bytes in the message could be smaller than the
Total-Length field size, so the length needs to be explicitly checked
prior to reading the field and decrementing the len variable. This could
have resulted in the remaining length becoming negative and interpreted
as a huge positive integer.

In addition, check that there is no already started fragment in progress
before allocating a new buffer for reassembling fragments. This avoids a
potential memory leak when processing an invalid message.

Signed-off-by: Jouni Malinen <j@w1.fi>

2015 4/0005 EAP pwd peer Fix asymmetric fragmentation behavior.patch | (download)

src/eap_peer/eap_pwd.c | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 [patch 5/5] eap-pwd peer: fix asymmetric fragmentation behavior

The L (Length) and M (More) flags need to be cleared before deciding
whether the locally generated response requires fragmentation. This
fixes an issue where these flags from the server could have been invalid
for the following message. In some cases, this could have resulted in
triggering the wpabuf security check that would terminate the process
due to invalid buffer allocation.

Signed-off-by: Jouni Malinen <j@w1.fi>

2015 5/0001 NFC Fix payload length validation in NDEF record par.patch | (download)

src/wps/ndef.c | 5 4 + 1 - 0 !
1 file changed, 4 insertions(+), 1 deletion(-)

 [patch] nfc: fix payload length validation in ndef record parser

It was possible for the 32-bit record->total_length value to end up
wrapping around due to integer overflow if the longer form of payload
length field is used and record->payload_length gets a value close to
2^32. This could result in ndef_parse_record() accepting a too large
payload length value and the record type filter reading up to about 20
bytes beyond the end of the buffer and potentially killing the process.
This could also result in an attempt to allocate close to 2^32 bytes of
heap memory and if that were to succeed, a buffer read overflow of the
same length which would most likely result in the process termination.
In case of record->total_length ending up getting the value 0, there
would be no buffer read overflow, but record parsing would result in an
infinite loop in ndef_parse_records().

Any of these error cases could potentially be used for denial of service
attacks over NFC by using a malformed NDEF record on an NFC Tag or
sending them during NFC connection handover if the application providing
the NDEF message to hostapd/wpa_supplicant did no validation of the
received records. While such validation is likely done in the NFC stack
that needs to parse the NFC messages before further processing,
hostapd/wpa_supplicant better be prepared for any data being included
here.

Fix this by validating record->payload_length value in a way that
detects integer overflow. (CID 122668)

Signed-off-by: Jouni Malinen <j@w1.fi>
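
The wraparound described above, as an added C example (my own code, not hostap's src/wps/ndef.c). ndef_naive_total_length() isolates the unpatched arithmetic: the header size and the three announced lengths are summed into a u32, so a payload_length near 2^32 wraps the total to a small value, or to exactly 0. ndef_parse_record() is the hardened shape: every announced length is compared with the bytes that actually remain before it is consumed, so the total can never exceed the buffer and never wraps, and ndef_count_records() cannot spin. The three messages at the bottom are constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>

/* NDEF record header flags (NFC Forum NDEF spec). */
#define NDEF_ME 0x40	/* Message End */
#define NDEF_SR 0x10	/* Short Record: 1-byte payload length */
#define NDEF_IL 0x08	/* ID Length field present */

struct ndef_record {
	uint8_t flags, type_length, id_length;
	uint32_t payload_length;
	const uint8_t *type, *id, *payload;
	uint32_t total_length;	/* bytes this record occupies */
};

static uint32_t get_be32(const uint8_t *p)
{
	return ((uint32_t) p[0] << 24) | ((uint32_t) p[1] << 16) |
	       ((uint32_t) p[2] << 8) | p[3];
}

/* The unpatched arithmetic in isolation: header size plus the announced
 * lengths summed into a u32, so a payload_length near 2^32 wraps the sum.
 * Returns (uint32_t) -1 only if the fixed header itself is truncated. */
uint32_t ndef_naive_total_length(const uint8_t *data, size_t size)
{
	uint32_t total = 2, payload_length;
	uint8_t id_length = 0;

	if (size < 2) return (uint32_t) -1;
	if (data[0] & NDEF_SR) {
		if (size < 3) return (uint32_t) -1;
		payload_length = data[2];
		total += 1;
	} else {
		if (size < 6) return (uint32_t) -1;
		payload_length = get_be32(data + 2);
		total += 4;
	}
	if (data[0] & NDEF_IL) {
		if (size < (size_t) total + 1) return (uint32_t) -1;
		id_length = data[total];
		total += 1;
	}
	return total + data[1] + id_length + payload_length;	/* can wrap */
}

/* Hardened parse: each announced length is checked against the bytes that
 * remain ('left') before it is consumed, so total_length can never exceed
 * size and never wraps. Returns 0 on success, -1 on malformed/truncated. */
int ndef_parse_record(const uint8_t *data, size_t size, struct ndef_record *r)
{
	const uint8_t *pos = data;
	size_t left = size;

	if (left < 2) return -1;
	r->flags = pos[0];
	r->type_length = pos[1];
	pos += 2; left -= 2;
	if (r->flags & NDEF_SR) {
		if (left < 1) return -1;
		r->payload_length = pos[0];
		pos += 1; left -= 1;
	} else {
		if (left < 4) return -1;
		r->payload_length = get_be32(pos);
		pos += 4; left -= 4;
	}
	r->id_length = 0;
	if (r->flags & NDEF_IL) {
		if (left < 1) return -1;
		r->id_length = pos[0];
		pos += 1; left -= 1;
	}
	if (r->type_length > left) return -1;
	r->type = pos; pos += r->type_length; left -= r->type_length;
	if (r->id_length > left) return -1;
	r->id = pos; pos += r->id_length; left -= r->id_length;
	if (r->payload_length > left) return -1;
	r->payload = pos; pos += r->payload_length;
	r->total_length = (uint32_t) (pos - data);
	return 0;
}

/* Record count of a message, or -1 on any bad record. Every record consumes
 * at least 3 bytes here, so the loop cannot spin on a zero total_length. */
int ndef_count_records(const uint8_t *data, size_t size)
{
	size_t off = 0;
	int n = 0;

	while (off < size) {
		struct ndef_record r;

		if (ndef_parse_record(data + off, size - off, &r) < 0) return -1;
		off += r.total_length;
		n++;
		if (r.flags & NDEF_ME) break;
	}
	return n;
}

/* Constructed messages: one valid short record, and two long-form headers
 * whose announced payload makes the naive total wrap to 5 and to 0. */
const uint8_t ndef_good[] = { 0xD1, 0x01, 0x03, 'T', 'a', 'b', 'c' };
const uint8_t ndef_wrap[] = { 0xC1, 0x01, 0xFF, 0xFF, 0xFF, 0xFE, 'T' };
const uint8_t ndef_zero[] = { 0xC1, 0x01, 0xFF, 0xFF, 0xFF, 0xF9, 'T' };
```

For ndef_wrap the naive total is 7 + 0xFFFFFFFE, which is 5 after the wrap, so the old code would have believed the record ended inside its own header; for ndef_zero it is exactly 0, the case the commit message identifies as the infinite loop. Comparing against the remaining byte count instead of summing into the total is the general pattern: the comparison operand is bounded by the buffer, so no arithmetic on attacker-supplied lengths is needed at all.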

2015 6/backported WNM Ignore Key Data in WNM Sleep Mode Response frame.patch | (download)

wpa_supplicant/wnm_sta.c | 6 6 + 0 - 0 !
1 file changed, 6 insertions(+)

 [patch] wnm: ignore key data in wnm sleep mode response frame if no
 PMF in use

WNM Sleep Mode Response frame is used to update GTK/IGTK only if PMF is
enabled. Verify that PMF is in use before using this field on station
side to avoid accepting unauthenticated key updates. (CVE-2015-5310)

Signed-off-by: Jouni Malinen <j@w1.fi>

2015 7/0001 EAP pwd server Fix last fragment length validation.patch | (download)

src/eap_server/eap_server_pwd.c | 6 3 + 3 - 0 !
1 file changed, 3 insertions(+), 3 deletions(-)

 [patch] eap-pwd server: fix last fragment length validation

All but the last fragment had their length checked against the remaining
room in the reassembly buffer. This allowed a suitably constructed last
fragment frame to try to add extra data that would go beyond the buffer.
The length validation code in wpabuf_put_data() prevents an actual
buffer write overflow from occurring, but this results in process
termination. (CVE-2015-5314)

Signed-off-by: Jouni Malinen <j@w1.fi>

2015 7/0001 EAP pwd peer Fix last fragment length validation.patch | (download)

src/eap_peer/eap_pwd.c | 7 3 + 4 - 0 !
1 file changed, 3 insertions(+), 4 deletions(-)

 [patch] eap-pwd peer: fix last fragment length validation

All but the last fragment had their length checked against the remaining
room in the reassembly buffer. This allowed a suitably constructed last
fragment frame to try to add extra data that would go beyond the buffer.
The length validation code in wpabuf_put_data() prevents an actual
buffer write overflow from occurring, but this results in process
termination. (CVE-2015-5315)

Signed-off-by: Jouni Malinen <j@w1.fi>
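
The Total-Length and last-fragment checks described in the 2015-4/0003, 2015-4/0004 and 2015-7 patches above, as one added C example (my own code, not eap_pwd.c or eap_server_pwd.c). It models only the fragmentation layer: the first payload byte carries the L and M flags, an L fragment is followed by a 16-bit Total-Length, and the fragment data follows. The checks the patches describe are marked in comments; the fragments at the bottom are constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* EAP-pwd first payload byte: L = Total-Length field present, M = more. */
#define PWD_L 0x80
#define PWD_M 0x40

enum { PWD_COMPLETE = 0, PWD_MORE = 1, PWD_REJECT = -1 };

struct pwd_reasm {
	uint8_t *buf;	/* reassembly buffer, NULL when nothing is in progress */
	size_t total;	/* Total-Length announced by the first fragment */
	size_t used;	/* bytes collected so far */
};

void pwd_reasm_reset(struct pwd_reasm *st)
{
	free(st->buf);
	st->buf = NULL;
	st->total = st->used = 0;
}

/* Feed one EAP-pwd payload (L/M byte, optional Total-Length, data). On
 * PWD_COMPLETE the whole message sits in st->buf until pwd_reasm_reset(). */
int pwd_process_fragment(struct pwd_reasm *st, const uint8_t *data, size_t len)
{
	uint8_t lm;
	if (len < 1) return PWD_REJECT;
	lm = data[0]; data++; len--;

	if (lm & PWD_L) {
		size_t total;
		/* Total-Length is only there if two bytes remain: check before
		 * reading it and before shrinking len (2015-4/0003, /0004). */
		if (len < 2) return PWD_REJECT;
		total = ((size_t) data[0] << 8) | data[1];
		data += 2; len -= 2;
		/* A new first fragment while a reassembly is open would leak
		 * st->buf if it were simply overwritten: refuse it instead. */
		if (st->buf || total == 0) return PWD_REJECT;
		st->buf = malloc(total);
		if (!st->buf) return PWD_REJECT;
		st->total = total; st->used = 0;
	} else if (!st->buf) {
		/* Unfragmented message; M alone is a continuation with no start. */
		if ((lm & PWD_M) || len == 0) return PWD_REJECT;
		st->buf = malloc(len);
		if (!st->buf) return PWD_REJECT;
		st->total = len; st->used = 0;
	}

	/* Every fragment, the last one included, must fit the announced total;
	 * the unpatched code skipped this check for the last fragment
	 * (CVE-2015-5314 / CVE-2015-5315). */
	if (len > st->total - st->used) { pwd_reasm_reset(st); return PWD_REJECT; }
	memcpy(st->buf + st->used, data, len);
	st->used += len;

	if (lm & PWD_M) return PWD_MORE;
	if (st->used != st->total) { pwd_reasm_reset(st); return PWD_REJECT; }
	return PWD_COMPLETE;
}

/* Constructed fragments: "hello" as "hel" + "lo" with Total-Length 5. */
static const uint8_t frag1[] = { PWD_L | PWD_M, 0x00, 0x05, 'h', 'e', 'l' };
static const uint8_t frag2[] = { 0x00, 'l', 'o' };
static const uint8_t frag2_long[] = { 0x00, 'l', 'o', '!' };	/* one byte too many */
static const uint8_t frag_cut[] = { PWD_L, 0x00 };	/* half a Total-Length field */

/* Reassembled length if "hel" + "lo" completes to "hello", else -1. */
int scenario_two_fragments(void)
{
	struct pwd_reasm st = { NULL, 0, 0 };
	int rc = -1;
	if (pwd_process_fragment(&st, frag1, sizeof(frag1)) == PWD_MORE &&
	    pwd_process_fragment(&st, frag2, sizeof(frag2)) == PWD_COMPLETE &&
	    st.used == 5 && memcmp(st.buf, "hello", 5) == 0)
		rc = (int) st.used;
	pwd_reasm_reset(&st);
	return rc;
}

/* Oversized last fragment: 1 = rejected with state cleared, 0 = rejected but
 * buffer left behind, -1 = accepted. */
int scenario_oversized_last_fragment(void)
{
	struct pwd_reasm st = { NULL, 0, 0 };
	pwd_process_fragment(&st, frag1, sizeof(frag1));
	if (pwd_process_fragment(&st, frag2_long, sizeof(frag2_long)) != PWD_REJECT) {
		pwd_reasm_reset(&st);
		return -1;
	}
	return st.buf == NULL;
}

/* Status for a first fragment whose Total-Length field is truncated. */
int scenario_truncated_total_length(void)
{
	struct pwd_reasm st = { NULL, 0, 0 };
	return pwd_process_fragment(&st, frag_cut, sizeof(frag_cut));
}
```

The room check sits after the branch that sets up the buffer on purpose: that way it runs for the first, middle and last fragment alike, which is the whole point of CVE-2015-5314/5315. The unpatched code relied on wpabuf's internal check to catch the last fragment, and that check aborts the process rather than dropping the message.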

2015 8/0001 EAP pwd peer Fix error path for unexpected Confirm m.patch | (download)

src/eap_peer/eap_pwd.c | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 [patch] eap-pwd peer: fix error path for unexpected confirm message

If the Confirm message is received from the server before the Identity
exchange has been completed, the group has not yet been determined and
data->grp is NULL. The error path in eap_pwd_perform_confirm_exchange()
did not take this corner case into account and could end up
dereferencing a NULL pointer and terminating the process if invalid
message sequence is received. (CVE-2015-5316)

Signed-off-by: Jouni Malinen <j@w1.fi>

systemd_order wpa_supplicant before network.target.patch | (download)

wpa_supplicant/systemd/wpa_supplicant-nl80211.service.arg.in | 2 2 + 0 - 0 !
wpa_supplicant/systemd/wpa_supplicant-wired.service.arg.in | 2 2 + 0 - 0 !
wpa_supplicant/systemd/wpa_supplicant.service.arg.in | 2 2 + 0 - 0 !
wpa_supplicant/systemd/wpa_supplicant.service.in | 2 2 + 0 - 0 !
4 files changed, 8 insertions(+)

 systemd: order wpa_supplicant before network.target

Ordering the units before network.target causes them to be stopped
after network.target on shutdown. This ensures that any network
filesystems will be unmounted before wpa_supplicant is killed.

Adding Wants=network.target ensures that network.target will be included
in the active dependency graph. This is typical of units which are
involved in networking setup functions.

Signed-off-by: Mike Gilbert <floppym@gentoo.org>

networkd driver fallback.patch | (download)

wpa_supplicant/systemd/wpa_supplicant.service.arg.in | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

---
wpa_supplicant_fix dependency odering when invoked with dbus.patch | (download)

wpa_supplicant/systemd/wpa_supplicant.service.in | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

---
2016 1/0001 WPS Reject a Credential with invalid passphrase.patch | (download)

src/utils/common.c | 12 12 + 0 - 0 !
src/utils/common.h | 1 1 + 0 - 0 !
src/wps/wps_attr_process.c | 10 10 + 0 - 0 !
3 files changed, 23 insertions(+)

 [patch 1/5] wps: reject a credential with invalid passphrase

WPA/WPA2-Personal passphrase is not allowed to include control
characters. Reject a Credential received from a WPS Registrar both as
STA (Credential) and AP (AP Settings) if the credential is for WPAPSK or
WPA2PSK authentication type and includes an invalid passphrase.

This fixes an issue where hostapd or wpa_supplicant could have updated
the configuration file PSK/passphrase parameter with arbitrary data from
an external device (Registrar) that may not be fully trusted. Should
such data include a newline character, the resulting configuration file
could become invalid and fail to be parsed.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

2016 1/0002 Reject psk parameter set with invalid passphrase cha.patch | (download)

wpa_supplicant/config.c | 6 6 + 0 - 0 !
1 file changed, 6 insertions(+)

 [patch 2/5] reject psk parameter set with invalid passphrase
 character

WPA/WPA2-Personal passphrase is not allowed to include control
characters. Reject a passphrase configuration attempt if that passphrase
includes an invalid passphrase.

This fixes an issue where wpa_supplicant could have updated the
configuration file psk parameter with arbitrary data from the control
interface or D-Bus interface. While those interfaces are supposed to be
accessible only for trusted users/applications, it may be possible that
an untrusted user has access to a management software component that
does not validate the passphrase value before passing it to
wpa_supplicant.

This could allow such an untrusted user to inject up to 63 characters of
almost arbitrary data into the configuration file. Such configuration
file could result in wpa_supplicant trying to load a library (e.g.,
opensc_engine_path, pkcs11_engine_path, pkcs11_module_path,
load_dynamic_eap) from user controlled location when starting again.
This would allow code from that library to be executed under the
wpa_supplicant process privileges.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

2016 1/0003 Remove newlines from wpa_supplicant config network o.patch | (download)

src/utils/common.c | 11 11 + 0 - 0 !
src/utils/common.h | 1 1 + 0 - 0 !
wpa_supplicant/config.c | 15 13 + 2 - 0 !
3 files changed, 25 insertions(+), 2 deletions(-)

 [patch 3/5] remove newlines from wpa_supplicant config network
 output

Spurious newlines output while writing the config file can corrupt the
wpa_supplicant configuration. Avoid writing these for the network block
parameters. This is a generic filter that covers cases that may not have
been explicitly addressed with a more specific commit to avoid control
characters in the psk parameter.

Signed-off-by: Paul Stewart <pstew@google.com>

2016 1/0004 Reject SET_CRED commands with newline characters in .patch | (download)

wpa_supplicant/config.c | 9 8 + 1 - 0 !
1 file changed, 8 insertions(+), 1 deletion(-)

 [patch 4/5] reject set_cred commands with newline characters in the
 string values

Most of the cred block parameters are written as strings without
filtering and if there is an embedded newline character in the value,
unexpected configuration file data might be written.

This fixes an issue where wpa_supplicant could have updated the
configuration file cred parameter with arbitrary data from the control
interface or D-Bus interface. While those interfaces are supposed to be
accessible only for trusted users/applications, it may be possible that
an untrusted user has access to a management software component that
does not validate the credential value before passing it to
wpa_supplicant.

This could allow such an untrusted user to inject almost arbitrary data
into the configuration file. Such configuration file could result in
wpa_supplicant trying to load a library (e.g., opensc_engine_path,
pkcs11_engine_path, pkcs11_module_path, load_dynamic_eap) from user
controlled location when starting again. This would allow code from that
library to be executed under the wpa_supplicant process privileges.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

2016 1/0005 Reject SET commands with newline characters in the s.patch | (download)

wpa_supplicant/config.c | 6 6 + 0 - 0 !
1 file changed, 6 insertions(+)

 [patch 5/5] reject set commands with newline characters in the
 string values

Many of the global configuration parameters are written as strings
without filtering and if there is an embedded newline character in the
value, unexpected configuration file data might be written.

This fixes an issue where wpa_supplicant could have updated the
configuration file global parameter with arbitrary data from the control
interface or D-Bus interface. While those interfaces are supposed to be
accessible only for trusted users/applications, it may be possible that
an untrusted user has access to a management software component that
does not validate the value of a parameter before passing it to
wpa_supplicant.

This could allow such an untrusted user to inject almost arbitrary data
into the configuration file. Such configuration file could result in
wpa_supplicant trying to load a library (e.g., opensc_engine_path,
pkcs11_engine_path, pkcs11_module_path, load_dynamic_eap) from user
controlled location when starting again. This would allow code from that
library to be executed under the wpa_supplicant process privileges.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
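
The configuration-file injection the five 2016-1 patches above describe, as one added C example (my own code, not wpa_supplicant/config.c or src/utils/common.c). has_ctrl_char() follows the rule the series adds to common.c; write_psk_unchecked() is a simplified stand-in for the unfiltered writer, and set_psk_checked() validates where the value arrives, before it can reach the writer. The passphrase value injected_psk is constructed: it closes the quoted psk, puts a pkcs11_module_path line of its own after it, and comments out the dangling quote, all inside the 63-character limit.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same rule the 2016-1 series adds as has_ctrl_char() in src/utils/common.c:
 * a WPA passphrase is printable ASCII, so bytes below 0x20 or equal to 0x7f
 * are rejected (a newline is the dangerous one for a line-oriented file). */
int has_ctrl_char(const uint8_t *data, size_t len)
{
	size_t i;

	for (i = 0; i < len; i++)
		if (data[i] < 32 || data[i] == 127)
			return 1;
	return 0;
}

/* The newline-only rule the SET / SET_CRED patches apply to other strings. */
int has_newline(const char *str)
{
	return strchr(str, '\n') != NULL || strchr(str, '\r') != NULL;
}

/* Unpatched writer shape: the value is interpolated into the network block
 * unfiltered. (Simplified: config.c writes the whole block; only the psk
 * line matters here.) */
int write_psk_unchecked(char *out, size_t outlen, const char *passphrase)
{
	return snprintf(out, outlen, "\tpsk=\"%s\"\n", passphrase);
}

/* Patched entry point: validate where the value arrives (SET_NETWORK or
 * D-Bus) so a bad value never reaches the writer. Returns -1 if rejected,
 * otherwise the length snprintf() would write (out may be NULL with outlen 0). */
int set_psk_checked(char *out, size_t outlen, const char *passphrase)
{
	size_t len = strlen(passphrase);

	if (len < 8 || len > 63)
		return -1;
	if (has_ctrl_char((const uint8_t *) passphrase, len))
		return -1;
	return snprintf(out, outlen, "\tpsk=\"%s\"\n", passphrase);
}

/* Number of lines the written text would be parsed as. */
int count_config_lines(const char *text)
{
	int n = 0;

	for (; *text; text++)
		if (*text == '\n')
			n++;
	return n;
}

/* 1 if 'line' appears as a line of its own in the written text. */
int contains_config_line(const char *text, const char *line)
{
	char pattern[128];

	snprintf(pattern, sizeof(pattern), "\n%s\n", line);
	return strstr(text, pattern) != NULL;
}

/* Constructed attacker value (43 characters, so within the 63-character psk
 * limit): closes the quoted psk, adds a parameter on a line of its own, then
 * comments out the dangling closing quote. */
const char *injected_psk = "secret12\"\npkcs11_module_path=/tmp/evil.so\n#";

/* Lines the unchecked writer emits for injected_psk (1 would be correct). */
int unchecked_lines_for_injected_psk(void)
{
	char out[256];

	write_psk_unchecked(out, sizeof(out), injected_psk);
	return count_config_lines(out);
}

/* 1 if the unchecked output carries the injected parameter as its own line. */
int unchecked_output_has_injected_param(void)
{
	char out[256];

	write_psk_unchecked(out, sizeof(out), injected_psk);
	return contains_config_line(out, "pkcs11_module_path=/tmp/evil.so");
}

int main(void)
{
	char out[256];

	write_psk_unchecked(out, sizeof(out), injected_psk);
	printf("unchecked writer produced %d line(s):\n%s", count_config_lines(out), out);
	printf("checked setter result for the same value: %d\n",
	       set_psk_checked(NULL, 0, injected_psk));
	return 0;
}
```

The important design point is where the check lives: patch 1/5 and 2/5 validate at the input boundary (Credential, SET_NETWORK, D-Bus), and patch 3/5 adds the newline filter in the writer as a second layer for parameters the boundary checks missed. Neither layer alone would have been enough: the boundary check can be bypassed by a parameter nobody thought of, and the writer filter only prevents corruption after a bad value has already been accepted into the running configuration.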

dbus fix operations for p2p mgmt.patch | (download)

wpa_supplicant/dbus/dbus_new_handlers.c | 60 40 + 20 - 0 !
1 file changed, 40 insertions(+), 20 deletions(-)

 d-bus: fix operations when p2p management interface is used

Commit 21efc940f6e7f07b84b7e5c5867f3d81594c4fb0 ('wpa_supplicant: Do not
register a P2P management interface on DBus') hides the special P2P
management interface from D-Bus. However, it did not take into account
the possibility of wpa_s->dbus_path and wpa_s->dbus_new_path being NULL
in such cases on a number of code paths within the D-Bus handlers. This
could result in invalid arguments (NULL path) being provided to D-Bus
functions (mainly, dbus_message_iter_append_basic) and NULL pointer
dereference when iterating over all interfaces. Either of these could
make wpa_supplicant process terminate.

Fix this by explicitly checking that the interface-specific D-Bus path
has been registered before using it anywhere with D-Bus handlers. In
addition, find the correct wpa_s instance to fix P2P operations through
D-Bus when the P2P Device interface is used.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

BugLink: https://bugs.launchpad.net/ubuntu/+source/wpa/+bug/1482439


nl80211_dont_call_linux_iface_up_for_a_dedicated_p2p_device.patch | (download)

src/drivers/driver_nl80211.c | 8 5 + 3 - 0 !
1 file changed, 5 insertions(+), 3 deletions(-)

 nl80211: don't call linux_iface_up() for a dedicated p2p device

As a dedicated P2P Device interface does not have a network
interface associated with it, trying to call linux_iface_up()
on it would always fail so this call can be skipped for
such an interface.

Getting interface nlmode can be done only after bss->wdev_id is
set, so move this call to wpa_driver_nl80211_finish_drv_init(),
and do it only in case the nlmode != NL80211_IFTYPE_P2P_DEVICE.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>

do_not_wait_for_monitor_to_attach_if_no_control_interface.patch | (download)

wpa_supplicant/ctrl_iface_unix.c | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 do not wait for monitor to attach if no control interface

In case an interface has started without a control interface
initialized, skip waiting for monitor to attach at the start of
wpa_supplicant (-W).

Signed-off-by: Ilan Peer <ilan.peer@intel.com>

wpa_supplicant_do_not_wait_for_monitor_on_p2p_device_interface.patch | (download)

wpa_supplicant/wpa_supplicant.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 wpa_supplicant: do not wait for monitor on p2p device interface

External programs are not aware of the creation of a
dedicated P2P Device interface, so it does not make sense
to wait for a monitor to connect on such an interface.

Fix this by not waiting on a dedicated P2P Device interface
for monitor to attach.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>

openssl initialise pkcs 11.patch | (download)

src/crypto/tls_openssl.c | 12 9 + 3 - 0 !
1 file changed, 9 insertions(+), 3 deletions(-)

 openssl: initialise pkcs#11 engine even if found with engine_by_id()

Recent versions of engine_pkcs11 are set up to be autoloaded on demand
with ENGINE_by_id() because they don't need explicit configuration.

But if we *do* want to explicitly configure them with a PKCS#11 module
path, we should still do so.

We can't tell whether it was already initialised, but it's harmless to
repeat the MODULE_PATH command if it was.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Tested-by: Michael Schaller <misch@google.com>

from upstream hostapd fix SMPS mode.patch | (download)

src/drivers/driver_nl80211.c | 36 19 + 17 - 0 !
1 file changed, 19 insertions(+), 17 deletions(-)

 nl80211: do not add nl80211_attr_smps_mode attribute if ht is disabled

SMPS mode is applicable only for HT and including an attribute to
configure it when HT is disabled could result in the AP start operation
failing. Fix this by adding the attribute only in cases where HT is
enabled.

Upstream commit ee298f1b1f7efd7eb5fd510f36b25ff88208017c

2017 1/0001 hostapd Avoid key reinstallation in FT handshake.patch | (download)

src/ap/wpa_auth.c | 8 8 + 0 - 0 !
src/ap/wpa_auth.h | 1 1 + 0 - 0 !
src/ap/wpa_auth_ft.c | 10 10 + 0 - 0 !
src/ap/wpa_auth_i.h | 1 1 + 0 - 0 !
4 files changed, 20 insertions(+)

 [patch 01/12] hostapd: avoid key reinstallation in ft handshake

Do not reinstall TK to the driver during Reassociation Response frame
processing if the first attempt of setting the TK succeeded. This avoids
issues related to clearing the TX/RX PN that could result in reusing
same PN values for transmitted frames (e.g., due to CCM nonce reuse and
also hitting replay protection on the receiver) and accepting replayed
frames on RX side.

This issue was introduced by the commit
0e84c25434e6a1f283c7b4e62e483729085b78d2 ('FT: Fix PTK configuration in
authenticator') which allowed wpa_ft_install_ptk() to be called multiple
times with the same PTK. While the second configuration attempt is
needed with some drivers, it must be done only if the first attempt
failed.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>

2017 1/0002 Prevent reinstallation of an already in use group ke.patch | (download)

src/common/wpa_common.h | 11 11 + 0 - 0 !
src/rsn_supp/wpa.c | 116 72 + 44 - 0 !
src/rsn_supp/wpa_i.h | 4 4 + 0 - 0 !
3 files changed, 87 insertions(+), 44 deletions(-)

 [patch 02/12] prevent reinstallation of an already in-use group key

Track the current GTK and IGTK that is in use and when receiving a
(possibly retransmitted) Group Message 1 or WNM-Sleep Mode Response, do
not install the given key if it is already in use. This prevents an
attacker from trying to trick the client into resetting or lowering the
sequence counter associated to the group key.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
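
The group-key tracking described above, as an added C example (my own code, not src/rsn_supp/wpa.c). The driver is simulated by a struct whose set_key resets the receive packet number to zero, which is the behaviour the key-reinstallation attacks rely on; install_gtk_unchecked() hands every Group Message 1 to that driver, install_gtk_checked() first compares the key with the one already in use. The two GTKs are constructed values.

```c
#include <stdint.h>
#include <string.h>

#define MAX_GTK_LEN 32

/* Demo supplicant + simulated driver state; not hostap's structures. */
struct gtk_state {
	int have_gtk;		/* a GTK has been handed to the driver */
	int keyidx;
	uint8_t gtk[MAX_GTK_LEN];
	size_t gtk_len;
	unsigned set_key_calls;	/* how often the driver was (re)configured */
	uint64_t rx_pn;		/* driver's replay counter for this key */
};

/* Simulated driver: configuring a key restarts its replay counter at 0,
 * which is exactly what a reinstallation exploits. */
static void driver_set_key(struct gtk_state *s, int keyidx,
			   const uint8_t *gtk, size_t len)
{
	memcpy(s->gtk, gtk, len);
	s->gtk_len = len;
	s->keyidx = keyidx;
	s->have_gtk = 1;
	s->rx_pn = 0;
	s->set_key_calls++;
}

/* Simulated driver receive check: the packet number must strictly increase. */
int driver_accept_frame(struct gtk_state *s, uint64_t pn)
{
	if (pn <= s->rx_pn)
		return 0;	/* replayed or stale frame */
	s->rx_pn = pn;
	return 1;
}

/* Unpatched: every Group Message 1 (including a retransmitted or replayed
 * one) goes straight to the driver. Returns 1 if installed, -1 on bad length. */
int install_gtk_unchecked(struct gtk_state *s, int keyidx,
			  const uint8_t *gtk, size_t len)
{
	if (len == 0 || len > MAX_GTK_LEN)
		return -1;
	driver_set_key(s, keyidx, gtk, len);
	return 1;
}

/* Patched: remember the key in use; if the message carries the same key
 * index and bytes, leave the driver alone so the replay counter keeps its
 * value (the message is still answered). Returns 1 if installed, 0 if skipped. */
int install_gtk_checked(struct gtk_state *s, int keyidx,
			const uint8_t *gtk, size_t len)
{
	if (len == 0 || len > MAX_GTK_LEN)
		return -1;
	if (s->have_gtk && s->keyidx == keyidx && s->gtk_len == len &&
	    memcmp(s->gtk, gtk, len) == 0)
		return 0;
	driver_set_key(s, keyidx, gtk, len);
	return 1;
}

/* Constructed 128-bit GTKs. */
static const uint8_t gtk_a[16] = { 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
				   0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f };
static const uint8_t gtk_b[16] = { 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
				   0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f };

/* Scenario: the AP delivers gtk_a, ten group frames arrive (PN 1..10), the
 * same Group Message 1 shows up again, and then the frame that carried PN 5
 * is replayed. Returns 1 if the driver accepts that stale frame. */
int replay_accepted_after_reinstall(int patched)
{
	struct gtk_state s;
	uint64_t pn;

	memset(&s, 0, sizeof(s));
	driver_set_key(&s, 1, gtk_a, sizeof(gtk_a));	/* initial delivery */
	for (pn = 1; pn <= 10; pn++)
		driver_accept_frame(&s, pn);
	if (patched)
		install_gtk_checked(&s, 1, gtk_a, sizeof(gtk_a));
	else
		install_gtk_unchecked(&s, 1, gtk_a, sizeof(gtk_a));
	return driver_accept_frame(&s, 5);
}

/* A genuine rekey (new index and bytes) must still reach the driver. */
int rekey_with_new_gtk_installed(void)
{
	struct gtk_state s;

	memset(&s, 0, sizeof(s));
	install_gtk_checked(&s, 1, gtk_a, sizeof(gtk_a));
	return install_gtk_checked(&s, 2, gtk_b, sizeof(gtk_b));
}
```

Note what the patched path still does: the retransmitted message is acknowledged as usual, only the driver call is skipped. That is why it is safe against a lossy AP as well as against an attacker replaying the frame; the supplicant cannot tell the two apart and does not need to. The same idea is applied to the TK in patches 04 and 05 of the series, where the key is additionally wiped from memory after the first installation so that a retry cannot install zeros.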

2017 1/0003 Extend protection of GTK IGTK reinstallation of WNM .patch | (download)

src/rsn_supp/wpa.c | 53 38 + 15 - 0 !
src/rsn_supp/wpa_i.h | 2 2 + 0 - 0 !
2 files changed, 40 insertions(+), 15 deletions(-)

 [patch 03/12] extend protection of gtk/igtk reinstallation of
 WNM-Sleep Mode cases

This extends the protection to track last configured GTK/IGTK value
separately from EAPOL-Key frames and WNM-Sleep Mode frames to cover a
2017 1/0004 Fix TK configuration to the driver in EAPOL Key 3 4 .patch | (download)

src/rsn_supp/wpa.c | 8 8 + 0 - 0 !
src/rsn_supp/wpa_i.h | 1 1 + 0 - 0 !
2 files changed, 9 insertions(+)

 [patch 04/12] fix tk configuration to the driver in eapol-key 3/4
 retry case

Commit 7d711541dced759b34313477d5d163e65c5b0131 ('Clear TK part of PTK
after driver key configuration') started clearing TK from memory
immediately after having configured it to the driver when processing
EAPOL-Key message 3/4. While this covered the most common case, it did
not take into account the possibility of the authenticator having to
retry EAPOL-Key message 3/4 in case the first EAPOL-Key message 4/4
response is lost. That case ended up trying to reinstall the same TK to
the driver, but the key was not available anymore.

Fix the EAPOL-Key message 3/4 retry case by configuring TK to the driver
only once. There was no need to try to set the same key after each
EAPOL-Key message 3/4 since TK could not change. If actual PTK rekeying
is used, the new TK will be configured once when processing the new
EAPOL-Key message 3/4 for the first time.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

2017 1/0005 Prevent installation of an all zero TK.patch | (download)

src/common/wpa_common.h | 1 1 + 0 - 0 !
src/rsn_supp/wpa.c | 5 2 + 3 - 0 !
src/rsn_supp/wpa_i.h | 1 0 + 1 - 0 !
3 files changed, 3 insertions(+), 4 deletions(-)

 [patch 05/12] prevent installation of an all-zero tk

Properly track whether a PTK has already been installed to the driver
and the TK part cleared from memory. This prevents an attacker from
trying to trick the client into installing an all-zero TK.

This fixes the earlier fix in commit
ad00d64e7d8827b3cebd665a0ceb08adabf15e1e ('Fix TK configuration to the
driver in EAPOL-Key 3/4 retry case') which did not take into account
possibility of an extra message 1/4 showing up between retries of
message 3/4.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>

2017 1/0006 Fix PTK rekeying to generate a new ANonce.patch | (download)

src/ap/wpa_auth.c | 24 21 + 3 - 0 !
1 file changed, 21 insertions(+), 3 deletions(-)

 [patch 06/12] fix ptk rekeying to generate a new anonce

The Authenticator state machine path for PTK rekeying ended up bypassing
the AUTHENTICATION2 state where a new ANonce is generated when going
directly to the PTKSTART state since there is no need to try to
determine the PMK again in such a case. This is far from ideal since the
new PTK would depend on a new nonce only from the supplicant.

Fix this by generating a new ANonce when moving to the PTKSTART state
for the purpose of starting new 4-way handshake to rekey PTK.

Signed-off-by: Jouni Malinen <j@w1.fi>

2017 1/0007 TDLS Reject TPK TK reconfiguration.patch | (download)

src/rsn_supp/tdls.c | 38 36 + 2 - 0 !
1 file changed, 36 insertions(+), 2 deletions(-)

 [patch 07/12] tdls: reject tpk-tk reconfiguration

Do not try to reconfigure the same TPK-TK to the driver after it has
been successfully configured. This is an explicit check to avoid issues
related to resetting the TX/RX packet number. There was already a check
for this for TPK M2 (retries of that message are ignored completely), so
that behavior does not get modified.

For TPK M3, the TPK-TK could have been reconfigured, but that was
followed by immediate teardown of the link due to an issue in updating
the STA entry. Furthermore, for TDLS with any real security (i.e.,
ignoring open/WEP), the TPK message exchange is protected on the AP path
and simple replay attacks are not feasible.

As an additional corner case, make sure the local nonce gets updated if
the peer uses a very unlikely "random nonce" of all zeros.

Signed-off-by: Jouni Malinen <j@w1.fi>

2017 1/0009 WNM Ignore WNM Sleep Mode Response if WNM Sleep Mode.patch | (download)

wpa_supplicant/ctrl_iface.c | 2 2 + 0 - 0 !
wpa_supplicant/events.c | 1 1 + 0 - 0 !
wpa_supplicant/wnm_sta.c | 8 8 + 0 - 0 !
wpa_supplicant/wpa_supplicant_i.h | 1 1 + 0 - 0 !
4 files changed, 12 insertions(+)

 [patch 09/12] wnm: ignore wnm-sleep mode response if wnm-sleep mode
 has not been used

The AP is not expected to send out a WNM-Sleep Mode Response frame
without the STA trying to use WNM-Sleep Mode. Drop such unexpected
responses to reduce unnecessary processing of the frame.

Signed-off-by: Jouni Malinen <j@w1.fi>

2017 1/0010 WNM Ignore WNM Sleep Mode Response without pending r.patch | (download)

wpa_supplicant/wnm_sta.c | 4 3 + 1 - 0 !
1 file changed, 3 insertions(+), 1 deletion(-)

 [patch 10/12] wnm: ignore wnm-sleep mode response without pending
 request

Commit 03ed0a52393710be6bdae657d1b36efa146520e5 ('WNM: Ignore WNM-Sleep
Mode Response if WNM-Sleep Mode has not been used') started ignoring the
response when no WNM-Sleep Mode Request had been used during the
association. This can be made tighter by clearing the used flag when
successfully processing a response. This adds an additional layer of
protection against unexpected retransmissions of the response frame.

Signed-off-by: Jouni Malinen <j@w1.fi>

2017 1/0011 FT Do not allow multiple Reassociation Response fram.patch | (download)

src/rsn_supp/wpa.c | 3 3 + 0 - 0 !
src/rsn_supp/wpa_ft.c | 8 8 + 0 - 0 !
src/rsn_supp/wpa_i.h | 1 1 + 0 - 0 !
3 files changed, 12 insertions(+)

 [patch 11/12] ft: do not allow multiple reassociation response frames

The driver is expected to not report a second association event without
the station having explicitly requested a new association. As such, this
case should not be reachable. However, since reconfiguring the same
pairwise or group keys to the driver could result in nonce reuse issues,
be extra careful here and do an additional state check to avoid this
even if the local driver ends up somehow accepting an unexpected
Reassociation Response frame.

Signed-off-by: Jouni Malinen <j@w1.fi>

2017 1/0012 TDLS Ignore incoming TDLS Setup Response retries.patch | (download)

src/rsn_supp/tdls.c | 8 8 + 0 - 0 !
1 file changed, 8 insertions(+)

 [patch 12/12] tdls: ignore incoming tdls setup response retries

The Setup Response timer is relatively fast (500 ms) and there are
instances where it fires on the responder side after the initiator has
already sent out the TDLS Setup Confirm frame. Prevent the processing of
this stale TDLS Setup Response frame on the initiator side.

Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>

CVE 2018 14526/rebased v2.6 0001 WPA Ignore unauthenticated encrypted EAPOL Key data.patch | (download)

src/rsn_supp/wpa.c | 11 11 + 0 - 0 !
1 file changed, 11 insertions(+)

 [patch] wpa: ignore unauthenticated encrypted eapol-key data

Ignore unauthenticated encrypted EAPOL-Key data in supplicant
processing. When using WPA2, these are frames that have the Encrypted
flag set, but not the MIC flag.

When using WPA2, EAPOL-Key frames that had the Encrypted flag set but
not the MIC flag, had their data field decrypted without first verifying
the MIC. In case the data field was encrypted using RC4 (i.e., when
negotiating TKIP as the pairwise cipher), this meant that
unauthenticated but decrypted data would then be processed. An adversary
could abuse this as a decryption oracle to recover sensitive information
in the data field of EAPOL-Key messages (e.g., the group key).
(CVE-2018-14526)

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
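An added example (not wpa_supplicant code) of the rule this fix describes: parse a constructed EAPOL-Key frame, read the Key Information field, and refuse to decrypt the Key Data when the Encrypted Key Data bit is set but the Key MIC bit is not. The field offsets follow the IEEE 802.11 EAPOL-Key layout; the frame bytes themselves are constructed here.

```python
import struct

# Added example, not wpa_supplicant code. Frame bytes below are constructed.
EAPOL_TYPE_KEY = 3
DESC_TYPE_RSN = 2                     # IEEE 802.11 (WPA2) key descriptor type
KEY_INFO_MIC = 1 << 8                 # Key MIC bit in Key Information
KEY_INFO_ENCR_KEY_DATA = 1 << 12      # Encrypted Key Data bit
KEY_INFO_VERSION_MASK = 0x7           # 1 = HMAC-MD5/RC4, 2 = HMAC-SHA1/AES-Key-Wrap
FIXED_LEN = 4 + 1 + 2 + 2 + 8 + 32 + 16 + 8 + 8 + 16 + 2   # through Key Data Length


def parse_eapol_key(frame):
    # returns (descriptor_type, key_info, key_data); raises ValueError if malformed
    if len(frame) < FIXED_LEN:
        raise ValueError("frame shorter than EAPOL-Key fixed header")
    _ver, eapol_type, body_len = struct.unpack("!BBH", frame[:4])
    if eapol_type != EAPOL_TYPE_KEY or body_len + 4 > len(frame):
        raise ValueError("not a well-formed EAPOL-Key frame")
    desc_type, key_info = struct.unpack("!BH", frame[4:7])
    (key_data_len,) = struct.unpack("!H", frame[FIXED_LEN - 2:FIXED_LEN])
    if FIXED_LEN + key_data_len > len(frame):
        raise ValueError("Key Data Length exceeds frame")
    return desc_type, key_info, frame[FIXED_LEN:FIXED_LEN + key_data_len]


def key_data_may_be_decrypted(key_info):
    # the rule the CVE-2018-14526 fix adds: Encrypted without MIC means the
    # frame is unauthenticated, so its Key Data must not be decrypted at all
    encrypted = bool(key_info & KEY_INFO_ENCR_KEY_DATA)
    has_mic = bool(key_info & KEY_INFO_MIC)
    return not (encrypted and not has_mic)


def build_frame(key_info, key_data=b""):
    # constructed frame: replay counter, nonce, IV, RSC, ID and MIC zeroed
    body = struct.pack("!BHH", DESC_TYPE_RSN, key_info, 16)
    body += bytes(8 + 32 + 16 + 8 + 8 + 16)
    body += struct.pack("!H", len(key_data)) + key_data
    return struct.pack("!BBH", 2, EAPOL_TYPE_KEY, len(body)) + body
```

The descriptor version (low three bits) tells the receiver whether RC4 or AES Key Wrap would be used; the check is applied before either is attempted.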

2019 2/0001 OpenSSL Use constant time operations for private big.patch | (download)

src/crypto/crypto_openssl.c | 16 13 + 3 - 0 !
1 file changed, 13 insertions(+), 3 deletions(-)

 [patch 01/20] openssl: use constant time operations for private
 bignums

2019 4/0001 Add crypto_ec_point_cmp.patch | (download)

src/crypto/crypto.h | 11 11 + 0 - 0 !
src/crypto/crypto_openssl.c | 9 9 + 0 - 0 !
2 files changed, 20 insertions(+)

 [patch] add crypto_ec_point_cmp()

This is needed to allow SAE to check whether ECC elements are identical.

Signed-off-by: Jouni Malinen <j@w1.fi>

2019 4/0011 EAP pwd server Verify received scalar and element.patch | (download)

src/eap_server/eap_server_pwd.c | 20 20 + 0 - 0 !
1 file changed, 20 insertions(+)

 [patch 11/20] eap-pwd server: verify received scalar and element

When processing an EAP-pwd Commit frame, the peer's scalar and element
(elliptic curve point) were not validated. This allowed an adversary to
bypass authentication, and impersonate any user if the crypto
implementation did not verify the validity of the EC point.

Fix this vulnerability by assuring the received scalar lies within the
valid range, and by checking that the received element is not the point
at infinity and lies on the elliptic curve being used. (CVE-2019-9498)

The vulnerability is only exploitable if OpenSSL version 1.0.2 or lower
is used, or if LibreSSL or wolfssl is used. Newer versions of OpenSSL
(and also BoringSSL) implicitly validate the elliptic curve point in
EC_POINT_set_affine_coordinates_GFp(), preventing the attack.

Signed-off-by: Mathy Vanhoef <mathy.vanhoef@nyu.edu>

2019 4/0012 EAP pwd server Detect reflection attacks.patch | (download)

src/eap_server/eap_server_pwd.c | 9 9 + 0 - 0 !
1 file changed, 9 insertions(+)

 [patch 12/20] eap-pwd server: detect reflection attacks

When processing an EAP-pwd Commit frame, verify that the peer's scalar

2019 4/0013 EAP pwd client Verify received scalar and element.patch | (download)

src/eap_peer/eap_pwd.c | 20 20 + 0 - 0 !
1 file changed, 20 insertions(+)

 [patch 13/20] eap-pwd client: verify received scalar and element

When processing an EAP-pwd Commit frame, the server's scalar and element
(elliptic curve point) were not validated. This allowed an adversary to
bypass authentication, and act as a rogue Access Point (AP) if the
crypto implementation did not verify the validity of the EC point.

Fix this vulnerability by assuring the received scalar lies within the
valid range, and by checking that the received element is not the point
at infinity and lies on the elliptic curve being used. (CVE-2019-9499)

The vulnerability is only exploitable if OpenSSL version 1.0.2 or lower
is used, or if LibreSSL or wolfssl is used. Newer versions of OpenSSL
(and also BoringSSL) implicitly validate the elliptic curve point in
EC_POINT_set_affine_coordinates_GFp(), preventing the attack.

Signed-off-by: Mathy Vanhoef <mathy.vanhoef@nyu.edu>
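As an added example (not hostapd/wpa_supplicant code), the receive-side checks that the two EAP-pwd fixes above (patches 11/20 and 13/20) describe, written over a small constructed toy curve so every step is visible: the scalar must lie in [1, q-1], and the element must be neither the point at infinity nor off the curve. The field prime, curve coefficients and base point are assumptions chosen for illustration; the reflection check of patch 12/20 is not part of this block.

```python
# Added example, not hostapd/wpa_supplicant code; the curve parameters and base
# point below are constructed for illustration only.
P, A, B = 97, 2, 3   # toy curve y^2 = x^3 + 2x + 3 over GF(97)
G = (3, 6)           # base point: 6^2 = 36 = 27 + 6 + 3 (mod 97)
INF = None           # point at infinity (group identity)

def on_curve(pt):
    # True only for an affine point inside the field that satisfies the equation
    if pt is INF:
        return False
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - x ** 3 - A * x - B) % P == 0

def ec_add(p1, p2):
    # affine addition covering identity, inverse and doubling cases
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF  # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def point_order(pt):
    # smallest q > 0 with q*pt == INF (brute force; fine for a toy curve)
    q, acc = 1, pt
    while acc is not INF:
        acc, q = ec_add(acc, pt), q + 1
    return q

def validate_commit(scalar, element, q):
    # the checks the EAP-pwd fixes add; returns (accepted, reason)
    if not 1 <= scalar <= q - 1:
        return (False, "scalar outside [1, q-1]")
    if element is INF:
        return (False, "element is the point at infinity")
    if not on_curve(element):
        return (False, "element is not on the curve")
    return (True, "ok")
```

With a real library the on-curve test is the one the commit message says newer OpenSSL performs inside EC_POINT_set_affine_coordinates_GFp(); the point here is that the protocol code must not rely on that happening.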

2019 5/0001 EAP pwd server Fix reassembly buffer handling.patch | (download)

src/eap_server/eap_server_pwd.c | 8 7 + 1 - 0 !
1 file changed, 7 insertions(+), 1 deletion(-)

 [patch 1/3] eap-pwd server: fix reassembly buffer handling

data->inbuf allocation might fail and if that were to happen, the next
fragment in the exchange could have resulted in NULL pointer
dereference. An unexpected fragment with the More bit might also be able to
trigger this. Fix that by explicitly checking for data->inbuf to be
available before using it.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

2019 5/0003 EAP pwd peer Fix reassembly buffer handling.patch | (download)

src/eap_peer/eap_pwd.c | 9 8 + 1 - 0 !
1 file changed, 8 insertions(+), 1 deletion(-)

 [patch 3/3] eap-pwd peer: fix reassembly buffer handling

An unexpected fragment might result in data->inbuf not being allocated
before processing and that could have resulted in NULL pointer
dereference. Fix that by explicitly checking for data->inbuf to be
available before using it.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>