Accepting request 946938 from home:stroeder:network

Update to version 2.10 Seems to work just fine e.g. on my raspberry pi armv6. OBS-URL: https://build.opensuse.org/request/show/946938 OBS-URL: https://build.opensuse.org/package/show/Base:System/hostapd?expand=0&rev=66
2022-01-18 17:00:38 +00:00 · 2022-01-18 17:00:38 +00:00 · 6f3c78f2ff
commit 6f3c78f2ff
parent 928e3f9dd7
9 changed files with 61 additions and 373 deletions
--- a/CVE-2019-16275.patch
+++ b/CVE-2019-16275.patch
@ -1,73 +0,0 @@
 From 8c07fa9eda13e835f3f968b2e1c9a8be3a851ff9 Mon Sep 17 00:00:00 2001
 From: Jouni Malinen <j@w1.fi>
 Date: Thu, 29 Aug 2019 11:52:04 +0300
 Subject: [PATCH] AP: Silently ignore management frame from unexpected source
 address
 Do not process any received Management frames with unexpected/invalid SA
 so that we do not add any state for unexpected STA addresses or end up
 sending out frames to unexpected destination. This prevents unexpected
 sequences where an unprotected frame might end up causing the AP to send
 out a response to another device and that other device processing the
 unexpected response.
 In particular, this prevents some potential denial of service cases
 where the unexpected response frame from the AP might result in a
 connected station dropping its association.
 Signed-off-by: Jouni Malinen <j@w1.fi>
 ---
 src/ap/drv_callbacks.c | 13 +++++++++++++
 src/ap/ieee802_11.c    | 12 ++++++++++++
 2 files changed, 25 insertions(+)
 diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c
 index 31587685fe3b..34ca379edc3d 100644
 --- a/src/ap/drv_callbacks.c
 +++ b/src/ap/drv_callbacks.c
@@ -131,6 +131,19 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr,
 			   "hostapd_notif_assoc: Skip event with no address");
 		return -1;
 	}
 +
 +	if (is_multicast_ether_addr(addr) ||
 +	    is_zero_ether_addr(addr) ||
 +	    os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) {
 +		/* Do not process any frames with unexpected/invalid SA so that
 +		 * we do not add any state for unexpected STA addresses or end
 +		 * up sending out frames to unexpected destination. */
 +		wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR
 +			   " in received indication - ignore this indication silently",
 +			   __func__, MAC2STR(addr));
 +		return 0;
 +	}
 +
 	random_add_randomness(addr, ETH_ALEN);
 	hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211,
 diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
 index c85a28db44b7..e7065372e158 100644
 --- a/src/ap/ieee802_11.c
 +++ b/src/ap/ieee802_11.c
@@ -4626,6 +4626,18 @@ int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
 	fc = le_to_host16(mgmt->frame_control);
 	stype = WLAN_FC_GET_STYPE(fc);
 +	if (is_multicast_ether_addr(mgmt->sa) ||
 +	    is_zero_ether_addr(mgmt->sa) ||
 +	    os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
 +		/* Do not process any frames with unexpected/invalid SA so that
 +		 * we do not add any state for unexpected STA addresses or end
 +		 * up sending out frames to unexpected destination. */
 +		wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR
 +			   " in received frame - ignore this frame silently",
 +			   MAC2STR(mgmt->sa));
 +		return 0;
 +	}
 +
 	if (stype == WLAN_FC_STYPE_BEACON) {
 		handle_beacon(hapd, mgmt, len, fi);
 		return 1;
 -- 
 2.20.1
--- a/CVE-2020-12695.patch
+++ b/CVE-2020-12695.patch
@ -1,171 +0,0 @@
 unchanged:
 --- a/src/wps/wps_er.c
 +++ b/src/wps/wps_er.c
@@ -1298,7 +1298,7 @@ wps_er_init(struct wps_context *wps, const char *ifname, const char *filter)
 			   "with %s", filter);
 	}
 	if (get_netif_info(er->ifname, &er->ip_addr, &er->ip_addr_text,
 -			   er->mac_addr)) {
 +			   NULL, er->mac_addr)) {
 		wpa_printf(MSG_INFO, "WPS UPnP: Could not get IP/MAC address "
 			   "for %s. Does it have IP address?", er->ifname);
 		wps_er_deinit(er, NULL, NULL);
 unchanged:
 --- b/src/wps/wps_upnp.c
 +++ b/src/wps/wps_upnp.c
@@ -303,6 +303,14 @@
 }
 +static int local_network_addr(struct upnp_wps_device_sm *sm,
 +			      struct sockaddr_in *addr)
 +{
 +	return (addr->sin_addr.s_addr & sm->netmask.s_addr) ==
 +		(sm->ip_addr & sm->netmask.s_addr);
 +}
 +
 +
 /* subscr_addr_add_url -- add address(es) for one url to subscription */
 static void subscr_addr_add_url(struct subscription *s, const char *url,
 				size_t url_len)
@@ -320,9 +328,14 @@
 	int rerr;
 	size_t host_len, path_len;
 -	/* url MUST begin with http: */
 -	if (url_len < 7 || os_strncasecmp(url, "http://", 7))
 +	/* URL MUST begin with HTTP scheme. In addition, limit the length of
 +	 * the URL to 700 characters which is around the limit that was
 +	 * implicitly enforced for more than 10 years due to a bug in
 +	 * generating the event messages. */
 +	if (url_len < 7 || os_strncasecmp(url, "http://", 7) || url_len > 700) {
 +		wpa_printf(MSG_DEBUG, "WPS UPnP: Reject an unacceptable URL");
 		goto fail;
 +	}
 	url += 7;
 	url_len -= 7;
@@ -381,6 +394,7 @@
 	for (rp = result; rp; rp = rp->ai_next) {
 		struct subscr_addr *a;
 +		struct sockaddr_in *addr = (struct sockaddr_in *) rp->ai_addr;
 		/* Limit no. of address to avoid denial of service attack */
 		if (dl_list_len(&s->addr_list) >= MAX_ADDR_PER_SUBSCRIPTION) {
@@ -389,6 +403,13 @@
 			break;
 		}
 +		if (!local_network_addr(s->sm, addr)) {
 +			wpa_printf(MSG_INFO,
 +				   "WPS UPnP: Ignore a delivery URL that points to another network %s",
 +				   inet_ntoa(addr->sin_addr));
 +			continue;
 +		}
 +
 		a = os_zalloc(sizeof(*a) + alloc_len);
 		if (a == NULL)
 			break;
@@ -890,11 +911,12 @@
  * @net_if: Selected network interface name
  * @ip_addr: Buffer for returning IP address in network byte order
  * @ip_addr_text: Buffer for returning a pointer to allocated IP address text
 + * @netmask: Buffer for returning netmask or %NULL if not needed
  * @mac: Buffer for returning MAC address
  * Returns: 0 on success, -1 on failure
  */
 int get_netif_info(const char *net_if, unsigned *ip_addr, char **ip_addr_text,
 -		   u8 mac[ETH_ALEN])
 +		   struct in_addr *netmask, u8 mac[ETH_ALEN])
 {
 	struct ifreq req;
 	int sock = -1;
@@ -920,6 +942,19 @@
 	in_addr.s_addr = *ip_addr;
 	os_snprintf(*ip_addr_text, 16, "%s", inet_ntoa(in_addr));
 +	if (netmask) {
 +		os_memset(&req, 0, sizeof(req));
 +		os_strlcpy(req.ifr_name, net_if, sizeof(req.ifr_name));
 +		if (ioctl(sock, SIOCGIFNETMASK, &req) < 0) {
 +			wpa_printf(MSG_ERROR,
 +				   "WPS UPnP: SIOCGIFNETMASK failed: %d (%s)",
 +				   errno, strerror(errno));
 +			goto fail;
 +		}
 +		addr = (struct sockaddr_in *) &req.ifr_netmask;
 +		netmask->s_addr = addr->sin_addr.s_addr;
 +	}
 +
 #ifdef __linux__
 	os_strlcpy(req.ifr_name, net_if, sizeof(req.ifr_name));
 	if (ioctl(sock, SIOCGIFHWADDR, &req) < 0) {
@@ -1026,11 +1061,15 @@
 	/* Determine which IP and mac address we're using */
 	if (get_netif_info(net_if, &sm->ip_addr, &sm->ip_addr_text,
 -			   sm->mac_addr)) {
 +			   &sm->netmask, sm->mac_addr)) {
 		wpa_printf(MSG_INFO, "WPS UPnP: Could not get IP/MAC address "
 			   "for %s. Does it have IP address?", net_if);
 		goto fail;
 	}
 +	wpa_printf(MSG_DEBUG, "WPS UPnP: Local IP address %s netmask %s hwaddr "
 +		   MACSTR,
 +		   sm->ip_addr_text, inet_ntoa(sm->netmask),
 +		   MAC2STR(sm->mac_addr));
 	/* Listen for incoming TCP connections so that others
 	 * can fetch our "xml files" from us.
 unchanged:
 --- a/src/wps/wps_upnp_i.h
 +++ b/src/wps/wps_upnp_i.h
@@ -128,6 +128,7 @@ struct upnp_wps_device_sm {
 	u8 mac_addr[ETH_ALEN]; /* mac addr of network i.f. we use */
 	char *ip_addr_text; /* IP address of network i.f. we use */
 	unsigned ip_addr; /* IP address of network i.f. we use (host order) */
 +	struct in_addr netmask;
 	int multicast_sd; /* send multicast messages over this socket */
 	int ssdp_sd; /* receive discovery UPD packets on socket */
 	int ssdp_sd_registered; /* nonzero if we must unregister */
@@ -158,7 +159,7 @@ struct subscription * subscription_find(struct upnp_wps_device_sm *sm,
 					const u8 uuid[UUID_LEN]);
 void subscr_addr_delete(struct subscr_addr *a);
 int get_netif_info(const char *net_if, unsigned *ip_addr, char **ip_addr_text,
 -		   u8 mac[ETH_ALEN]);
 +		   struct in_addr *netmask, u8 mac[ETH_ALEN]);
 /* wps_upnp_ssdp.c */
 void msearchreply_state_machine_stop(struct advertisement_state_machine *a);
 diff -u b/src/wps/wps_upnp_event.c b/src/wps/wps_upnp_event.c
 --- b/src/wps/wps_upnp_event.c
 +++ b/src/wps/wps_upnp_event.c
@@ -147,7 +147,8 @@
 	struct wpabuf *buf;
 	char *b;
 -	buf = wpabuf_alloc(1000 + wpabuf_len(e->data));
 +	buf = wpabuf_alloc(1000 + os_strlen(e->addr->path) +
 +			   wpabuf_len(e->data));
 	if (buf == NULL)
 		return NULL;
 	wpabuf_printf(buf, "NOTIFY %s HTTP/1.1\r\n", e->addr->path);
@@ -293,7 +294,7 @@
 	buf = event_build_message(e);
 	if (buf == NULL) {
 -		event_retry(e, 0);
 +		event_addr_failure(e);
 		return -1;
 	}
@@ -301,7 +302,7 @@
 					 event_http_cb, e);
 	if (e->http_event == NULL) {
 		wpabuf_free(buf);
 -		event_retry(e, 0);
 +		event_addr_failure(e);
 		return -1;
 	}
--- a/CVE-2021-30004.patch
+++ b/CVE-2021-30004.patch
@ -1,115 +0,0 @@
 From a0541334a6394f8237a4393b7372693cd7e96f15 Mon Sep 17 00:00:00 2001
 From: Jouni Malinen <j@w1.fi>
 Date: Sat, 13 Mar 2021 18:19:31 +0200
 Subject: ASN.1: Validate DigestAlgorithmIdentifier parameters
 The supported hash algorithms do not use AlgorithmIdentifier parameters.
 However, there are implementations that include NULL parameters in
 addition to ones that omit the parameters. Previous implementation did
 not check the parameters value at all which supported both these cases,
 but did not reject any other unexpected information.
 Use strict validation of digest algorithm parameters and reject any
 unexpected value when validating a signature. This is needed to prevent
 potential forging attacks.
 Signed-off-by: Jouni Malinen <j@w1.fi>
 ---
 src/tls/pkcs1.c  | 21 +++++++++++++++++++++
 src/tls/x509v3.c | 20 ++++++++++++++++++++
 2 files changed, 41 insertions(+)
 diff --git a/src/tls/pkcs1.c b/src/tls/pkcs1.c
 index bbdb0d7..5761dfe 100644
 --- a/src/tls/pkcs1.c
 +++ b/src/tls/pkcs1.c
@@ -244,6 +244,8 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
 		os_free(decrypted);
 		return -1;
 	}
 +	wpa_hexdump(MSG_MSGDUMP, "PKCS #1: DigestInfo",
 +		    hdr.payload, hdr.length);
 	pos = hdr.payload;
 	end = pos + hdr.length;
@@ -265,6 +267,8 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
 		os_free(decrypted);
 		return -1;
 	}
 +	wpa_hexdump(MSG_MSGDUMP, "PKCS #1: DigestAlgorithmIdentifier",
 +		    hdr.payload, hdr.length);
 	da_end = hdr.payload + hdr.length;
 	if (asn1_get_oid(hdr.payload, hdr.length, &oid, &next)) {
@@ -273,6 +277,23 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
 		os_free(decrypted);
 		return -1;
 	}
 +	wpa_hexdump(MSG_MSGDUMP, "PKCS #1: Digest algorithm parameters",
 +		    next, da_end - next);
 +
 +	/*
 +	 * RFC 5754: The correct encoding for the SHA2 algorithms would be to
 +	 * omit the parameters, but there are implementation that encode these
 +	 * as a NULL element. Allow these two cases and reject anything else.
 +	 */
 +	if (da_end > next &&
 +	    (asn1_get_next(next, da_end - next, &hdr) < 0 ||
 +	     !asn1_is_null(&hdr) ||
 +	     hdr.payload + hdr.length != da_end)) {
 +		wpa_printf(MSG_DEBUG,
 +			   "PKCS #1: Unexpected digest algorithm parameters");
 +		os_free(decrypted);
 +		return -1;
 +	}
 	if (!asn1_oid_equal(&oid, hash_alg)) {
 		char txt[100], txt2[100];
 diff --git a/src/tls/x509v3.c b/src/tls/x509v3.c
 index a8944dd..df337ec 100644
 --- a/src/tls/x509v3.c
 +++ b/src/tls/x509v3.c
@@ -1964,6 +1964,7 @@ int x509_check_signature(struct x509_certificate *issuer,
 		os_free(data);
 		return -1;
 	}
 +	wpa_hexdump(MSG_MSGDUMP, "X509: DigestInfo", hdr.payload, hdr.length);
 	pos = hdr.payload;
 	end = pos + hdr.length;
@@ -1985,6 +1986,8 @@ int x509_check_signature(struct x509_certificate *issuer,
 		os_free(data);
 		return -1;
 	}
 +	wpa_hexdump(MSG_MSGDUMP, "X509: DigestAlgorithmIdentifier",
 +		    hdr.payload, hdr.length);
 	da_end = hdr.payload + hdr.length;
 	if (asn1_get_oid(hdr.payload, hdr.length, &oid, &next)) {
@@ -1992,6 +1995,23 @@ int x509_check_signature(struct x509_certificate *issuer,
 		os_free(data);
 		return -1;
 	}
 +	wpa_hexdump(MSG_MSGDUMP, "X509: Digest algorithm parameters",
 +		    next, da_end - next);
 +
 +	/*
 +	 * RFC 5754: The correct encoding for the SHA2 algorithms would be to
 +	 * omit the parameters, but there are implementation that encode these
 +	 * as a NULL element. Allow these two cases and reject anything else.
 +	 */
 +	if (da_end > next &&
 +	    (asn1_get_next(next, da_end - next, &hdr) < 0 ||
 +	     !asn1_is_null(&hdr) ||
 +	     hdr.payload + hdr.length != da_end)) {
 +		wpa_printf(MSG_DEBUG,
 +			   "X509: Unexpected digest algorithm parameters");
 +		os_free(data);
 +		return -1;
 +	}
 	if (x509_sha1_oid(&oid)) {
 		if (signature->oid.oid[6] != 5 /* sha-1WithRSAEncryption */) {
 -- 
 cgit v0.12
--- a/hostapd-2.10.tar.gz
+++ b/hostapd-2.10.tar.gz
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:206e7c799b678572c2e3d12030238784bc4a9f82323b0156b4c9466f1498915d
 size 2440435
--- a/hostapd-2.10.tar.gz.asc
+++ b/hostapd-2.10.tar.gz.asc
@ -0,0 +1,6 @@
 -----BEGIN PGP SIGNATURE-----
 iF0EABECAB0WIQTsSqCpkaXyRkWC1S0rbvQy78iV+gUCYeSJ0QAKCRArbvQy78iV
 +ryaAJ9Dg6Jolf9k10113AamARgeJObKPgCdGhRdfhroyDzd5qglBkDB0wDsqXc=
 =N0h0
 -----END PGP SIGNATURE-----
--- a/hostapd-2.9.tar.gz
+++ b/hostapd-2.9.tar.gz
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:881d7d6a90b2428479288d64233151448f8990ab4958e0ecaca7eeb3c9db2bd7
 size 2244312
--- a/hostapd-2.9.tar.gz.asc
+++ b/hostapd-2.9.tar.gz.asc
@ -1,6 +0,0 @@
 -----BEGIN PGP SIGNATURE-----
 iF0EABECAB0WIQTsSqCpkaXyRkWC1S0rbvQy78iV+gUCXUrV2QAKCRArbvQy78iV
 +i6YAJ91waMVmURN1HmmyFsqt/LGqhB4yACeN7gXHMZhR/xCcwvJIG9abeynflg=
 =mwkH
 -----END PGP SIGNATURE-----
--- a/hostapd.changes
+++ b/hostapd.changes
@ -1,3 +1,53 @@
 -------------------------------------------------------------------
 Mon Jan 17 08:33:09 UTC 2022 - Michael Ströder <michael@stroeder.com>
 - Removed obsolete patches:
  * CVE-2019-16275.patch
  * CVE-2020-12695.patch
  * CVE-2021-30004.patch
 - Update to version 2.10
  * SAE changes
    - improved protection against side channel attacks
      [https://w1.fi/security/2022-1/]
    - added option send SAE Confirm immediately (sae_config_immediate=1)
      after SAE Commit
    - added support for the hash-to-element mechanism (sae_pwe=1 or
      sae_pwe=2)
    - fixed PMKSA caching with OKC
    - added support for SAE-PK
  * EAP-pwd changes
    - improved protection against side channel attacks
      [https://w1.fi/security/2022-1/]
  * fixed WPS UPnP SUBSCRIBE handling of invalid operations
    [https://w1.fi/security/2020-1/]
  * fixed PMF disconnection protection bypass
    [https://w1.fi/security/2019-7/]
  * added support for using OpenSSL 3.0
  * fixed various issues in experimental support for EAP-TEAP server
  * added configuration (max_auth_rounds, max_auth_rounds_short) to
    increase the maximum number of EAP message exchanges (mainly to
    support cases with very large certificates) for the EAP server
  * added support for DPP release 2 (Wi-Fi Device Provisioning Protocol)
  * extended HE (IEEE 802.11ax) support, including 6 GHz support
  * removed obsolete IAPP functionality
  * fixed EAP-FAST server with TLS GCM/CCM ciphers
  * dropped support for libnl 1.1
  * added support for nl80211 control port for EAPOL frame TX/RX
  * fixed OWE key derivation with groups 20 and 21; this breaks backwards
    compatibility for these groups while the default group 19 remains
    backwards compatible; owe_ptk_workaround=1 can be used to enabled a
    a workaround for the group 20/21 backwards compatibility
  * added support for Beacon protection
  * added support for Extended Key ID for pairwise keys
  * removed WEP support from the default build (CONFIG_WEP=y can be used
    to enable it, if really needed)
  * added a build option to remove TKIP support (CONFIG_NO_TKIP=y)
  * added support for Transition Disable mechanism to allow the AP to
    automatically disable transition mode to improve security
  * added support for PASN
  * added EAP-TLS server support for TLS 1.3 (disabled by default for now)
  * a large number of other fixes, cleanup, and extensions
 -------------------------------------------------------------------
 Fri Nov 26 20:52:19 UTC 2021 - Clemens Famulla-Conrad <cfamullaconrad@suse.com>
--- a/hostapd.spec
+++ b/hostapd.spec
@ -1,7 +1,7 @@
 #
 # spec file for package hostapd
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -18,7 +18,7 @@
 %bcond_without  apparmor
 Name:           hostapd
-Version:        2.9
+Version:        2.10
 Release:        0
 Summary:        Daemon for running a WPA capable Access Point
 License:        BSD-3-Clause OR GPL-2.0-only
@ -31,9 +31,6 @@ Source2:        %{name}.keyring
 Source3:        config
 Source4:        hostapd.service
 Source5:        apparmor-usr.sbin.hostapd
 Patch1:         CVE-2019-16275.patch
 Patch2:         CVE-2020-12695.patch
 Patch3:         CVE-2021-30004.patch
 BuildRequires:  libnl3-devel
 BuildRequires:  openssl-devel
 BuildRequires:  pkgconfig