Package: wpa / 2:2.7+git20190128+0c1e29f-6

Metadata

Package: wpa
Version: 2:2.7+git20190128+0c1e29f-6
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
01_use_pkg config_for_pcsc lite_module.patch | (download)

wpa_supplicant/Makefile | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 use pkg-config for libpcsclite linkage flags

At least in Debian, we can rely on pkg-config being available and
returning more accurate ldflags.

02_dbus_group_policy.patch | (download)

wpa_supplicant/dbus/dbus-wpa_supplicant.conf | 8 8 + 0 - 0 !
1 file changed, 8 insertions(+)

 add d-bus group policy

Debian does not use pam_console but uses group membership
to control access to D-Bus. Activating both options in the conf file
makes it work on Debian and Ubuntu.

Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=15;bug=412179

06_wpa_gui_menu_exec_path.patch | (download)

wpa_supplicant/wpa_gui-qt4/wpa_gui.desktop | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 use full executable path into wpa_gui.desktop

Debian specific patch to desktop menu entry, so that we may exec
wpa_gui which, being in /usr/sbin, may not be in the PATH

07_dbus_service_syslog.patch | (download)

wpa_supplicant/dbus/fi.epitest.hostap.WPASupplicant.service.in | 2 1 + 1 - 0 !
wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in | 2 1 + 1 - 0 !
wpa_supplicant/systemd/wpa_supplicant.service.in | 2 1 + 1 - 0 !
3 files changed, 3 insertions(+), 3 deletions(-)

 tweak d-bus/systemd service activation configuration files:

 * log wpa_supplicant messages to syslog
 * activate control socket interface so that wpa_cli can be used by D-Bus
   activated wpa_supplicant daemon

12_wpa_gui_knotify_support.patch | (download)

wpa_supplicant/wpa_gui-qt4/wpagui.cpp | 18 16 + 2 - 0 !
1 file changed, 16 insertions(+), 2 deletions(-)

 use kde's knotify when running under kde

Bug-Debian: http://bugs.debian.org/582793

networkd driver fallback.patch | (download)

wpa_supplicant/systemd/wpa_supplicant.service.arg.in | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 wpasupplicant: configure driver fallback for networkd

Signed-off-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>

wpa_supplicant_fix dependency odering when invoked with dbus.patch | (download)

wpa_supplicant/systemd/wpa_supplicant.service.in | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 wpa_supplicant: fix dependency ordering when invoked with dbus

Make sure that DBus isn't shut down before wpa_supplicant, as that would
also bring down wireless links which are still holding open NFS shares.

Debian bug: https://bugs.debian.org/785579
systemd upstream bug: https://bugs.freedesktop.org/show_bug.cgi?id=89847

Signed-off-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>

allow tlsv1.patch | (download)

src/crypto/tls_openssl.c | 7 7 + 0 - 0 !
1 file changed, 7 insertions(+)

 enable tlsv1.0 by default

OpenSSL 1.1.1 disables TLSv1.0 by default and sets the security level to 2.
Some older networks may support TLSv1.0 and less secure ciphers.


PMF Allow Key ID in BE format.patch | (download)

src/rsn_supp/wpa.c | 7 6 + 1 - 0 !
1 file changed, 6 insertions(+), 1 deletion(-)

 re: sv: [rfc] pmf: allow key id in big endian format to workaround faulty aps
Date: Fri, 15 Feb 2019 17:35:12 +0200
Message-ID: <20190215153512.GA16110@w1.fi>

: The following description was taken from the original email from
: Mikael Kanstrup <mikael.kanstrup@sony.com>, Message-ID:
: <20190214124653.24793-1-mikael.kanstrup@sony.com>

fix ENGINE support with openssl 1.1.patch | (download)

src/crypto/tls_openssl.c | 5 1 + 4 - 0 !
1 file changed, 1 insertion(+), 4 deletions(-)

 [patch v2] fix engine support with openssl 1.1+
To: Rosen Penev <rosenp@gmail.com>
Cc: <hostap@lists.infradead.org>


Commit 373c7969485 ("OpenSSL: Fix compile with OpenSSL 1.1.0 and
deprecated APIs") removed a call to ENGINE_load_dynamic() for newer
versions of OpenSSL, asserting that it should happen automatically.

That appears not to be the case, and loading engines now fails because
the dynamic engine isn't present.

Fix it by calling ENGINE_load_builtin_engines(), which works for all
versions of OpenSSL. Also remove the call to ERR_load_ENGINE_strings()
because that should have happened when SSL_load_error_strings() is
called anyway.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

2019 sae eap/0001 OpenSSL Use constant time operations for private big.patch | (download)

src/crypto/crypto_openssl.c | 20 15 + 5 - 0 !
1 file changed, 15 insertions(+), 5 deletions(-)

 [patch 01/20] openssl: use constant time operations for private
 bignums

2019 sae eap/0002 Add helper functions for constant time operations.patch | (download)

src/utils/const_time.h | 191 191 + 0 - 0 !
1 file changed, 191 insertions(+)

 [patch 02/20] add helper functions for constant time operations

These functions can be used to help implement constant time operations
for various cryptographic operations that must minimize externally

2019 sae eap/0003 OpenSSL Use constant time selection for crypto_bignu.patch | (download)

src/crypto/crypto_openssl.c | 15 9 + 6 - 0 !
1 file changed, 9 insertions(+), 6 deletions(-)

 [patch 03/20] openssl: use constant time selection for
 crypto_bignum_legendre()

Get rid of the branches that depend on the result of the Legendre

2019 sae eap/0004 EAP pwd Use constant time and memory access for find.patch | (download)

src/eap_common/eap_pwd_common.c | 187 99 + 88 - 0 !
1 file changed, 99 insertions(+), 88 deletions(-)

 [patch 04/20] eap-pwd: use constant time and memory access for
 finding the PWE

This algorithm could leak information to external observers in form of

2019 sae eap/0005 SAE Minimize timing differences in PWE derivation.patch | (download)

src/common/sae.c | 106 57 + 49 - 0 !
1 file changed, 57 insertions(+), 49 deletions(-)

 [patch 05/20] sae: minimize timing differences in pwe derivation

The QR test result can provide information about the password to an

2019 sae eap/0006 SAE Avoid branches in is_quadratic_residue_blind.patch | (download)

src/common/sae.c | 64 37 + 27 - 0 !
1 file changed, 37 insertions(+), 27 deletions(-)

 [patch 06/20] sae: avoid branches in is_quadratic_residue_blind()

Make the non-failure path in the function proceed without branches based

2019 sae eap/0007 SAE Mask timing of MODP groups 22 23 24.patch | (download)

src/common/sae.c | 38 28 + 10 - 0 !
1 file changed, 28 insertions(+), 10 deletions(-)

 [patch 07/20] sae: mask timing of modp groups 22, 23, 24

These groups have significant probability of coming up with pwd-value
that is equal or greater than the prime and as such, need for going
through the PWE derivation loop multiple times. This can result in

2019 sae eap/0008 SAE Use const_time selection for PWE in FFC.patch | (download)

src/common/sae.c | 53 35 + 18 - 0 !
1 file changed, 35 insertions(+), 18 deletions(-)

 [patch 08/20] sae: use const_time selection for pwe in ffc

This is an initial step towards making the FFC case use strictly
constant time operations similarly to the ECC case.
sae_test_pwd_seed_ffc() does not yet have constant time behavior,
though.

This is related to CVE-2019-9494.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

2019 sae eap/0009 SAE Use constant time operations in sae_test_pwd_see.patch | (download)

src/common/sae.c | 75 46 + 29 - 0 !
1 file changed, 46 insertions(+), 29 deletions(-)

 [patch 09/20] sae: use constant time operations in
 sae_test_pwd_seed_ffc()

Try to avoid showing externally visible timing or memory access

2019 sae eap/0010 SAE Fix confirm message validation in error cases.patch | (download)

src/common/sae.c | 14 11 + 3 - 0 !
1 file changed, 11 insertions(+), 3 deletions(-)

 [patch 10/20] sae: fix confirm message validation in error cases

Explicitly verify that own and peer commit scalar/element are available
when trying to check SAE confirm message. It could have been possible to
hit a NULL pointer dereference if the peer element could not have been
parsed. (CVE-2019-9496)

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

2019 sae eap/0011 EAP pwd server Verify received scalar and element.patch | (download)

src/eap_server/eap_server_pwd.c | 20 20 + 0 - 0 !
1 file changed, 20 insertions(+)

 [patch 11/20] eap-pwd server: verify received scalar and element

When processing an EAP-pwd Commit frame, the peer's scalar and element
(elliptic curve point) were not validated. This allowed an adversary to
bypass authentication, and impersonate any user if the crypto
implementation did not verify the validity of the EC point.

Fix this vulnerability by assuring the received scalar lies within the
valid range, and by checking that the received element is not the point
at infinity and lies on the elliptic curve being used. (CVE-2019-9498)

The vulnerability is only exploitable if OpenSSL version 1.0.2 or lower
is used, or if LibreSSL or wolfssl is used. Newer versions of OpenSSL
(and also BoringSSL) implicitly validate the elliptic curve point in
EC_POINT_set_affine_coordinates_GFp(), preventing the attack.

Signed-off-by: Mathy Vanhoef <mathy.vanhoef@nyu.edu>

2019 sae eap/0012 EAP pwd server Detect reflection attacks.patch | (download)

src/eap_server/eap_server_pwd.c | 9 9 + 0 - 0 !
1 file changed, 9 insertions(+)

 [patch 12/20] eap-pwd server: detect reflection attacks

When processing an EAP-pwd Commit frame, verify that the peer's scalar

2019 sae eap/0013 EAP pwd client Verify received scalar and element.patch | (download)

src/eap_peer/eap_pwd.c | 20 20 + 0 - 0 !
1 file changed, 20 insertions(+)

 [patch 13/20] eap-pwd client: verify received scalar and element

When processing an EAP-pwd Commit frame, the server's scalar and element
(elliptic curve point) were not validated. This allowed an adversary to
bypass authentication, and act as a rogue Access Point (AP) if the
crypto implementation did not verify the validity of the EC point.

Fix this vulnerability by assuring the received scalar lies within the
valid range, and by checking that the received element is not the point
at infinity and lies on the elliptic curve being used. (CVE-2019-9499)

The vulnerability is only exploitable if OpenSSL version 1.0.2 or lower
is used, or if LibreSSL or wolfssl is used. Newer versions of OpenSSL
(and also BoringSSL) implicitly validate the elliptic curve point in
EC_POINT_set_affine_coordinates_GFp(), preventing the attack.

Signed-off-by: Mathy Vanhoef <mathy.vanhoef@nyu.edu>

2019 sae eap/0014 EAP pwd Check element x y coordinates explicitly.patch | (download)

src/eap_common/eap_pwd_common.c | 106 106 + 0 - 0 !
src/eap_common/eap_pwd_common.h | 3 3 + 0 - 0 !
src/eap_peer/eap_pwd.c | 45 4 + 41 - 0 !
src/eap_server/eap_server_pwd.c | 45 4 + 41 - 0 !
4 files changed, 117 insertions(+), 82 deletions(-)

 [patch 14/20] eap-pwd: check element x,y coordinates explicitly

This adds an explicit check for 0 < x,y < prime based on RFC 5931,
2.8.5.2.2 requirement. The earlier checks might have covered this
implicitly, but it is safer to avoid any dependency on implicit checks
and specific crypto library behavior. (CVE-2019-9498 and CVE-2019-9499)

Furthermore, this moves the EAP-pwd element and scalar parsing and
validation steps into shared helper functions so that there is no need
to maintain two separate copies of this common functionality between the
server and peer implementations.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

2019 5/0001 EAP pwd server Fix reassembly buffer handling.patch | (download)

src/eap_server/eap_server_pwd.c | 8 7 + 1 - 0 !
1 file changed, 7 insertions(+), 1 deletion(-)

 [patch 1/3] eap-pwd server: fix reassembly buffer handling

data->inbuf allocation might fail and if that were to happen, the next
fragment in the exchange could have resulted in NULL pointer
dereference. Unexpected fragment with more bit might also be able to
trigger this. Fix that by explicitly checking for data->inbuf to be
available before using it.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

2019 5/0003 EAP pwd peer Fix reassembly buffer handling.patch | (download)

src/eap_peer/eap_pwd.c | 9 8 + 1 - 0 !
1 file changed, 8 insertions(+), 1 deletion(-)

 [patch 3/3] eap-pwd peer: fix reassembly buffer handling

Unexpected fragment might result in data->inbuf not being allocated
before processing and that could have resulted in NULL pointer
dereference. Fix that by explicitly checking for data->inbuf to be
available before using it.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>