rpm/hostapd
SHA256
1
0
Fork 0
forked from pool/hostapd
Code Pull Requests Activity

Accepting request 643154 from home:kbabioch:branches:Base:System

Browse Source 
- Added rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch
  Ignore unauthenticated encrypted EAPOL-Key data (CVE-2018-14526, bsc#1104205).

OBS-URL: https://build.opensuse.org/request/show/643154
OBS-URL: https://build.opensuse.org/package/show/Base:System/hostapd?expand=0&rev=43
This commit is contained in:
Dirk Mueller 2018-10-22 09:25:17 +00:00 committed by Git OBS Bridge
parent 534a7fd05b
commit 24d8d87c79
3 changed files with 55 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
hostapd.changes
View File

@ -1,3 +1,9 @@
-------------------------------------------------------------------
Fri Oct 19 10:32:25 UTC 2018 - Karol Babioch <kbabioch@suse.com>
- Added rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch
Ignore unauthenticated encrypted EAPOL-Key data (CVE-2018-14526, bsc#1104205).
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Oct 18 21:59:01 UTC 2017 - chris@intrbiz.com Wed Oct 18 21:59:01 UTC 2017 - chris@intrbiz.com

8
hostapd.spec
View File

@ -1,7 +1,7 @@
# #
# spec file for package hostapd # spec file for package hostapd
# #
# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -12,7 +12,7 @@
# license that conforms to the Open Source Definition (Version 1.9) # license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative. # published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/ # Please submit bugfixes or comments via https://bugs.opensuse.org/
# #
@ -24,7 +24,7 @@ BuildRequires: sqlite3-devel
BuildRequires: pkgconfig(libnl-3.0) >= 3.0 BuildRequires: pkgconfig(libnl-3.0) >= 3.0
BuildRequires: pkgconfig(systemd) BuildRequires: pkgconfig(systemd)
Summary: Turns Your WLAN Card into a WPA capable Access Point Summary: Turns Your WLAN Card into a WPA capable Access Point
License: GPL-2.0 or BSD-3-Clause License: GPL-2.0-only OR BSD-3-Clause
Group: Hardware/Wifi Group: Hardware/Wifi
Version: 2.6 Version: 2.6
Release: 0 Release: 0
@ -40,6 +40,7 @@ Patch4: rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch
Patch5: rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch Patch5: rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch
Patch6: rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch Patch6: rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch
Patch7: rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch Patch7: rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch
Patch8: rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch
%{?systemd_requires} %{?systemd_requires}
%description %description
@ -61,6 +62,7 @@ authentication via any ethernet driver.
%patch5 -p1 %patch5 -p1
%patch6 -p1 %patch6 -p1
%patch7 -p1 %patch7 -p1
%patch8 -p1
cd hostapd cd hostapd
cp defconfig .config cp defconfig .config

44
rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch Normal file
View File

@ -0,0 +1,44 @@
From 3e34cfdff6b192fe337c6fb3f487f73e96582961 Mon Sep 17 00:00:00 2001
From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
Date: Sun, 15 Jul 2018 01:25:53 +0200
Subject: [PATCH] WPA: Ignore unauthenticated encrypted EAPOL-Key data
Ignore unauthenticated encrypted EAPOL-Key data in supplicant
processing. When using WPA2, these are frames that have the Encrypted
flag set, but not the MIC flag.
When using WPA2, EAPOL-Key frames that had the Encrypted flag set but
not the MIC flag, had their data field decrypted without first verifying
the MIC. In case the data field was encrypted using RC4 (i.e., when
negotiating TKIP as the pairwise cipher), this meant that
unauthenticated but decrypted data would then be processed. An adversary
could abuse this as a decryption oracle to recover sensitive information
in the data field of EAPOL-Key messages (e.g., the group key).
(CVE-2018-14526)
Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
---
src/rsn_supp/wpa.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff -upr wpa_supplicant-2.6.orig/src/rsn_supp/wpa.c wpa_supplicant-2.6/src/rsn_supp/wpa.c
--- wpa_supplicant-2.6.orig/src/rsn_supp/wpa.c 2016-10-02 21:51:11.000000000 +0300
+++ wpa_supplicant-2.6/src/rsn_supp/wpa.c 2018-08-08 16:55:11.506831029 +0300
@@ -2016,6 +2016,17 @@ int wpa_sm_rx_eapol(struct wpa_sm *sm, c
if ((sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) &&
(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
+ /*
+ * Only decrypt the Key Data field if the frame's authenticity
+ * was verified. When using AES-SIV (FILS), the MIC flag is not
+ * set, so this check should only be performed if mic_len != 0
+ * which is the case in this code branch.
+ */
+ if (!(key_info & WPA_KEY_INFO_MIC)) {
+ wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
+ "WPA: Ignore EAPOL-Key with encrypted but unauthenticated data");
+ goto out;
+ }
if (wpa_supplicant_decrypt_key_data(sm, key, ver, key_data,
&key_data_len))
goto out;