hostapd: fix CVE-2021-30004

In wpa_supplicant and hostapd 2.9, forging attacks may occur because AlgorithmIdentifier parameters are mishandled in tls/pkcs1.c and tls/x509v3.c. References: https://nvd.nist.gov/vuln/detail/CVE-2021-30004 Upstream patches: https://w1.fi/cgit/hostap/commit/?id=a0541334a6394f8237a4393b7372693cd7e96f15 Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit e2bd6a52bf689b77b237eaee3067d2b0b6eee3d5) Signed-off-by: Armin Kuster <akuster808@gmail.com> (cherry picked from commit 98c5cddf677addcb9aa296a7437b92100a478566) Signed-off-by: Armin Kuster <akuster808@gmail.com> (cherry picked from commit 730de4763a508234d09c755c838cdc4c8dd49493) Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Stefan Ghinea <stefan.ghinea@windriver.com> 2021-04-09 16:12:08 +0300
committer: Armin Kuster <akuster808@gmail.com> 2021-04-23 18:45:08 -0700
commit: d126440422d9585ea400c04b29b0f3e0a07c05c8 (patch)
tree: fc239b268affa178607c1c54c62132c6b9b81484
parent: d2b027d8d8fcd7c759d60b6a09123748bb6de626 (diff)
download: meta-openembedded-d126440422d9585ea400c04b29b0f3e0a07c05c8.tar.gz
2 files changed, 124 insertions, 0 deletions
diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-30004.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-30004.patch
new file mode 100644
index 0000000000..e2540fc26b
--- /dev/null
+++ b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-30004.patch
@@ -0,0 +1,123 @@
+From a0541334a6394f8237a4393b7372693cd7e96f15 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sat, 13 Mar 2021 18:19:31 +0200
+Subject: [PATCH] ASN.1: Validate DigestAlgorithmIdentifier parameters
+The supported hash algorithms do not use AlgorithmIdentifier parameters.
+However, there are implementations that include NULL parameters in
+addition to ones that omit the parameters. Previous implementation did
+not check the parameters value at all which supported both these cases,
+but did not reject any other unexpected information.
+Use strict validation of digest algorithm parameters and reject any
+unexpected value when validating a signature. This is needed to prevent
+potential forging attacks.
+Signed-off-by: Jouni Malinen <j@w1.fi>
+Upstream-Status: Backport
+CVE: CVE-2021-30004
+Reference to upstream patch:
+[https://w1.fi/cgit/hostap/commit/?id=a0541334a6394f8237a4393b7372693cd7e96f15]
+Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
+---
+ src/tls/pkcs1.c  | 21 +++++++++++++++++++++
+ src/tls/x509v3.c | 20 ++++++++++++++++++++
+ 2 files changed, 41 insertions(+)
+diff --git a/src/tls/pkcs1.c b/src/tls/pkcs1.c
+index 141ac50..e09db07 100644
+--- a/src/tls/pkcs1.c
+++ b/src/tls/pkcs1.c
+@@ -240,6 +240,8 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
+                os_free(decrypted);
+                return -1;
+        }
+       wpa_hexdump(MSG_MSGDUMP, "PKCS #1: DigestInfo",
+                   hdr.payload, hdr.length);
+ 
+        pos = hdr.payload;
+        end = pos + hdr.length;
+@@ -261,6 +263,8 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
+                os_free(decrypted);
+                return -1;
+        }
+       wpa_hexdump(MSG_MSGDUMP, "PKCS #1: DigestAlgorithmIdentifier",
+                   hdr.payload, hdr.length);
+        da_end = hdr.payload + hdr.length;
+ 
+        if (asn1_get_oid(hdr.payload, hdr.length, &oid, &next)) {
+@@ -269,6 +273,23 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
+                os_free(decrypted);
+                return -1;
+        }
+       wpa_hexdump(MSG_MSGDUMP, "PKCS #1: Digest algorithm parameters",
+                   next, da_end - next);
+
+       /*
+        * RFC 5754: The correct encoding for the SHA2 algorithms would be to
+        * omit the parameters, but there are implementation that encode these
+        * as a NULL element. Allow these two cases and reject anything else.
+        */
+       if (da_end > next &&
+           (asn1_get_next(next, da_end - next, &hdr) < 0 ||
+            !asn1_is_null(&hdr) ||
+            hdr.payload + hdr.length != da_end)) {
+               wpa_printf(MSG_DEBUG,
+                          "PKCS #1: Unexpected digest algorithm parameters");
+               os_free(decrypted);
+               return -1;
+       }
+ 
+        if (!asn1_oid_equal(&oid, hash_alg)) {
+                char txt[100], txt2[100];
+diff --git a/src/tls/x509v3.c b/src/tls/x509v3.c
+index 1bd5aa0..bf2289f 100644
+--- a/src/tls/x509v3.c
+++ b/src/tls/x509v3.c
+@@ -1834,6 +1834,7 @@ int x509_check_signature(struct x509_certificate *issuer,
+                os_free(data);
+                return -1;
+        }
+       wpa_hexdump(MSG_MSGDUMP, "X509: DigestInfo", hdr.payload, hdr.length);
+ 
+        pos = hdr.payload;
+        end = pos + hdr.length;
+@@ -1855,6 +1856,8 @@ int x509_check_signature(struct x509_certificate *issuer,
+                os_free(data);
+                return -1;
+        }
+       wpa_hexdump(MSG_MSGDUMP, "X509: DigestAlgorithmIdentifier",
+                   hdr.payload, hdr.length);
+        da_end = hdr.payload + hdr.length;
+ 
+        if (asn1_get_oid(hdr.payload, hdr.length, &oid, &next)) {
+@@ -1862,6 +1865,23 @@ int x509_check_signature(struct x509_certificate *issuer,
+                os_free(data);
+                return -1;
+        }
+       wpa_hexdump(MSG_MSGDUMP, "X509: Digest algorithm parameters",
+                   next, da_end - next);
+
+       /*
+        * RFC 5754: The correct encoding for the SHA2 algorithms would be to
+        * omit the parameters, but there are implementation that encode these
+        * as a NULL element. Allow these two cases and reject anything else.
+        */
+       if (da_end > next &&
+           (asn1_get_next(next, da_end - next, &hdr) < 0 ||
+            !asn1_is_null(&hdr) ||
+            hdr.payload + hdr.length != da_end)) {
+               wpa_printf(MSG_DEBUG,
+                          "X509: Unexpected digest algorithm parameters");
+               os_free(data);
+               return -1;
+       }
+ 
+        if (x509_sha1_oid(&oid)) {
+                if (signature->oid.oid[6] != 5 /* sha-1WithRSAEncryption */) {
+-- 
+2.17.1
diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb b/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb
index 87899f3da2..e586018685 100644
--- a/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb
+++ b/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb
@@ -15,6 +15,7 @@ SRC_URI = " \
    file://CVE-2019-5061.patch \
    file://CVE-2021-0326.patch \
    file://CVE-2021-27803.patch \
+    file://CVE-2021-30004.patch \
 "
 SRC_URI[md5sum] = "f188fc53a495fe7af3b6d77d3c31dee8"
author	Stefan Ghinea <stefan.ghinea@windriver.com>	2021-04-09 16:12:08 +0300
committer	Armin Kuster <akuster808@gmail.com>	2021-04-23 18:45:08 -0700
commit	d126440422d9585ea400c04b29b0f3e0a07c05c8 (patch)
tree	fc239b268affa178607c1c54c62132c6b9b81484
parent	d2b027d8d8fcd7c759d60b6a09123748bb6de626 (diff)
download	meta-openembedded-d126440422d9585ea400c04b29b0f3e0a07c05c8.tar.gz

diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-30004.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-30004.patch new file mode 100644 index 0000000000..e2540fc26b --- /dev/null +++ b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-30004.patch
@@ -0,0 +1,123 @@
		1	From a0541334a6394f8237a4393b7372693cd7e96f15 Mon Sep 17 00:00:00 2001
		2	From: Jouni Malinen <j@w1.fi>
		3	Date: Sat, 13 Mar 2021 18:19:31 +0200
		4	Subject: [PATCH] ASN.1: Validate DigestAlgorithmIdentifier parameters
		5
		6	The supported hash algorithms do not use AlgorithmIdentifier parameters.
		7	However, there are implementations that include NULL parameters in
		8	addition to ones that omit the parameters. Previous implementation did
		9	not check the parameters value at all which supported both these cases,
		10	but did not reject any other unexpected information.
		11
		12	Use strict validation of digest algorithm parameters and reject any
		13	unexpected value when validating a signature. This is needed to prevent
		14	potential forging attacks.
		15
		16	Signed-off-by: Jouni Malinen <j@w1.fi>
		17
		18	Upstream-Status: Backport
		19	CVE: CVE-2021-30004
		20
		21	Reference to upstream patch:
		22	[https://w1.fi/cgit/hostap/commit/?id=a0541334a6394f8237a4393b7372693cd7e96f15]
		23
		24	Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
		25	---
		26	src/tls/pkcs1.c \| 21 +++++++++++++++++++++
		27	src/tls/x509v3.c \| 20 ++++++++++++++++++++
		28	2 files changed, 41 insertions(+)
		29
		30	diff --git a/src/tls/pkcs1.c b/src/tls/pkcs1.c
		31	index 141ac50..e09db07 100644
		32	--- a/src/tls/pkcs1.c
		33	+++ b/src/tls/pkcs1.c
		34	@@ -240,6 +240,8 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
		35	os_free(decrypted);
		36	return -1;
		37	}
		38	+ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: DigestInfo",
		39	+ hdr.payload, hdr.length);
		40
		41	pos = hdr.payload;
		42	end = pos + hdr.length;
		43	@@ -261,6 +263,8 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
		44	os_free(decrypted);
		45	return -1;
		46	}
		47	+ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: DigestAlgorithmIdentifier",
		48	+ hdr.payload, hdr.length);
		49	da_end = hdr.payload + hdr.length;
		50
		51	if (asn1_get_oid(hdr.payload, hdr.length, &oid, &next)) {
		52	@@ -269,6 +273,23 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
		53	os_free(decrypted);
		54	return -1;
		55	}
		56	+ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: Digest algorithm parameters",
		57	+ next, da_end - next);
		58	+
		59	+ /*
		60	+ * RFC 5754: The correct encoding for the SHA2 algorithms would be to
		61	+ * omit the parameters, but there are implementation that encode these
		62	+ * as a NULL element. Allow these two cases and reject anything else.
		63	+ */
		64	+ if (da_end > next &&
		65	+ (asn1_get_next(next, da_end - next, &hdr) < 0 \|\|
		66	+ !asn1_is_null(&hdr) \|\|
		67	+ hdr.payload + hdr.length != da_end)) {
		68	+ wpa_printf(MSG_DEBUG,
		69	+ "PKCS #1: Unexpected digest algorithm parameters");
		70	+ os_free(decrypted);
		71	+ return -1;
		72	+ }
		73
		74	if (!asn1_oid_equal(&oid, hash_alg)) {
		75	char txt[100], txt2[100];
		76	diff --git a/src/tls/x509v3.c b/src/tls/x509v3.c
		77	index 1bd5aa0..bf2289f 100644
		78	--- a/src/tls/x509v3.c
		79	+++ b/src/tls/x509v3.c
		80	@@ -1834,6 +1834,7 @@ int x509_check_signature(struct x509_certificate *issuer,
		81	os_free(data);
		82	return -1;
		83	}
		84	+ wpa_hexdump(MSG_MSGDUMP, "X509: DigestInfo", hdr.payload, hdr.length);
		85
		86	pos = hdr.payload;
		87	end = pos + hdr.length;
		88	@@ -1855,6 +1856,8 @@ int x509_check_signature(struct x509_certificate *issuer,
		89	os_free(data);
		90	return -1;
		91	}
		92	+ wpa_hexdump(MSG_MSGDUMP, "X509: DigestAlgorithmIdentifier",
		93	+ hdr.payload, hdr.length);
		94	da_end = hdr.payload + hdr.length;
		95
		96	if (asn1_get_oid(hdr.payload, hdr.length, &oid, &next)) {
		97	@@ -1862,6 +1865,23 @@ int x509_check_signature(struct x509_certificate *issuer,
		98	os_free(data);
		99	return -1;
		100	}
		101	+ wpa_hexdump(MSG_MSGDUMP, "X509: Digest algorithm parameters",
		102	+ next, da_end - next);
		103	+
		104	+ /*
		105	+ * RFC 5754: The correct encoding for the SHA2 algorithms would be to
		106	+ * omit the parameters, but there are implementation that encode these
		107	+ * as a NULL element. Allow these two cases and reject anything else.
		108	+ */
		109	+ if (da_end > next &&
		110	+ (asn1_get_next(next, da_end - next, &hdr) < 0 \|\|
		111	+ !asn1_is_null(&hdr) \|\|
		112	+ hdr.payload + hdr.length != da_end)) {
		113	+ wpa_printf(MSG_DEBUG,
		114	+ "X509: Unexpected digest algorithm parameters");
		115	+ os_free(data);
		116	+ return -1;
		117	+ }
		118
		119	if (x509_sha1_oid(&oid)) {
		120	if (signature->oid.oid[6] != 5 /* sha-1WithRSAEncryption */) {
		121	--
		122	2.17.1
		123


diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb b/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb index 87899f3da2..e586018685 100644 --- a/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb +++ b/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb
@@ -15,6 +15,7 @@ SRC_URI = " \
15	file://CVE-2019-5061.patch \	15	file://CVE-2019-5061.patch \
16	file://CVE-2021-0326.patch \	16	file://CVE-2021-0326.patch \
17	file://CVE-2021-27803.patch \	17	file://CVE-2021-27803.patch \
		18	file://CVE-2021-30004.patch \
18	"	19	"
19		20
20	SRC_URI[md5sum] = "f188fc53a495fe7af3b6d77d3c31dee8"	21	SRC_URI[md5sum] = "f188fc53a495fe7af3b6d77d3c31dee8"