diff options
author | Hong Liu <hongl.fnst@cn.fujitsu.com> | 2018-06-05 16:10:56 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2018-06-15 17:56:24 +0100 |
commit | 61e587b32d10c796503f98f16eb3d66f24835708 (patch) | |
tree | 3915b26534a782f7017a588c5b86f4f1b3285fa4 /meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple8.patch | |
parent | c8a1e372f3aa962b483b4f2280c7c44392c8b2f7 (diff) | |
download | poky-61e587b32d10c796503f98f16eb3d66f24835708.tar.gz |
wpa-supplicant: fix the bug for PATCHTOOL = "patch"
When switch PATCHTOOL to patch, applying 'key-replay-cve-multiple.patch' failed:
checking file src/ap/ieee802_11.c
checking file src/ap/wpa_auth.c
checking file src/ap/wpa_auth.h
checking file src/ap/wpa_auth_ft.c
checking file src/ap/wpa_auth_i.h
checking file src/common/wpa_common.h
checking file src/rsn_supp/wpa.c
checking file src/rsn_supp/wpa_i.h
checking file src/rsn_supp/wpa.c
Hunk #1 FAILED at 709.
Hunk #2 FAILED at 757.
Hunk #3 succeeded at 840 (offset -12 lines).
Hunk #4 FAILED at 868.
Hunk #5 FAILED at 900.
Hunk #6 FAILED at 924.
Hunk #7 succeeded at 1536 (offset -38 lines).
Hunk #8 FAILED at 2386.
Hunk #9 FAILED at 2920.
Hunk #10 succeeded at 2940 (offset -46 lines).
Hunk #11 FAILED at 2998.
8 out of 11 hunks FAILED
checking file src/rsn_supp/wpa_i.h
Hunk #1 FAILED at 32.
1 out of 1 hunk FAILED
checking file src/common/wpa_common.h
Hunk #1 succeeded at 215 with fuzz 1.
checking file src/rsn_supp/wpa.c
checking file src/rsn_supp/wpa_i.h
checking file src/ap/wpa_auth.c
Hunk #1 succeeded at 1898 (offset -3 lines).
Hunk #2 succeeded at 2470 (offset -3 lines).
checking file src/rsn_supp/tdls.c
checking file wpa_supplicant/wnm_sta.c
checking file src/rsn_supp/wpa.c
Hunk #1 succeeded at 2378 (offset -62 lines).
checking file src/rsn_supp/wpa_ft.c
checking file src/rsn_supp/wpa_i.h
Hunk #1 succeeded at 123 (offset -5 lines).
So split the wpa-supplicant/key-replay-cve-multiple to 8 patches.
(From OE-Core rev: 4e9bc513c22b9a52c48588ef276e2ab7f7781526)
Signed-off-by: Hong Liu <hongl.fnst@cn.fujitsu.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple8.patch')
-rw-r--r-- | meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple8.patch | 99 |
1 files changed, 99 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple8.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple8.patch new file mode 100644 index 0000000000..7f5390c312 --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple8.patch | |||
@@ -0,0 +1,99 @@ | |||
1 | The WPA2 four-way handshake protocol is vulnerable to replay attacks which can | ||
2 | result in unauthenticated clients gaining access to the network. | ||
3 | |||
4 | Backport a number of patches from upstream to fix this. | ||
5 | |||
6 | CVE: CVE-2017-13077 | ||
7 | CVE: CVE-2017-13078 | ||
8 | CVE: CVE-2017-13079 | ||
9 | CVE: CVE-2017-13080 | ||
10 | CVE: CVE-2017-13081 | ||
11 | CVE: CVE-2017-13082 | ||
12 | CVE: CVE-2017-13086 | ||
13 | CVE: CVE-2017-13087 | ||
14 | CVE: CVE-2017-13088 | ||
15 | |||
16 | Upstream-Status: Backport | ||
17 | Signed-off-by: Ross Burton <ross.burton@intel.com> | ||
18 | |||
19 | From b372ab0b7daea719749194dc554b26e6367603f2 Mon Sep 17 00:00:00 2001 | ||
20 | From: Jouni Malinen <j@w1.fi> | ||
21 | Date: Fri, 22 Sep 2017 12:06:37 +0300 | ||
22 | Subject: [PATCH 8/8] FT: Do not allow multiple Reassociation Response frames | ||
23 | |||
24 | The driver is expected to not report a second association event without | ||
25 | the station having explicitly request a new association. As such, this | ||
26 | case should not be reachable. However, since reconfiguring the same | ||
27 | pairwise or group keys to the driver could result in nonce reuse issues, | ||
28 | be extra careful here and do an additional state check to avoid this | ||
29 | even if the local driver ends up somehow accepting an unexpected | ||
30 | Reassociation Response frame. | ||
31 | |||
32 | Signed-off-by: Jouni Malinen <j@w1.fi> | ||
33 | --- | ||
34 | src/rsn_supp/wpa.c | 3 +++ | ||
35 | src/rsn_supp/wpa_ft.c | 8 ++++++++ | ||
36 | src/rsn_supp/wpa_i.h | 1 + | ||
37 | 3 files changed, 12 insertions(+) | ||
38 | |||
39 | diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c | ||
40 | index 0550a41..2a53c6f 100644 | ||
41 | --- a/src/rsn_supp/wpa.c | ||
42 | +++ b/src/rsn_supp/wpa.c | ||
43 | @@ -2440,6 +2440,9 @@ void wpa_sm_notify_disassoc(struct wpa_sm *sm) | ||
44 | #ifdef CONFIG_TDLS | ||
45 | wpa_tdls_disassoc(sm); | ||
46 | #endif /* CONFIG_TDLS */ | ||
47 | +#ifdef CONFIG_IEEE80211R | ||
48 | + sm->ft_reassoc_completed = 0; | ||
49 | +#endif /* CONFIG_IEEE80211R */ | ||
50 | |||
51 | /* Keys are not needed in the WPA state machine anymore */ | ||
52 | wpa_sm_drop_sa(sm); | ||
53 | diff --git a/src/rsn_supp/wpa_ft.c b/src/rsn_supp/wpa_ft.c | ||
54 | index 205793e..d45bb45 100644 | ||
55 | --- a/src/rsn_supp/wpa_ft.c | ||
56 | +++ b/src/rsn_supp/wpa_ft.c | ||
57 | @@ -153,6 +153,7 @@ static u8 * wpa_ft_gen_req_ies(struct wpa_sm *sm, size_t *len, | ||
58 | u16 capab; | ||
59 | |||
60 | sm->ft_completed = 0; | ||
61 | + sm->ft_reassoc_completed = 0; | ||
62 | |||
63 | buf_len = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) + | ||
64 | 2 + sm->r0kh_id_len + ric_ies_len + 100; | ||
65 | @@ -681,6 +682,11 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies, | ||
66 | return -1; | ||
67 | } | ||
68 | |||
69 | + if (sm->ft_reassoc_completed) { | ||
70 | + wpa_printf(MSG_DEBUG, "FT: Reassociation has already been completed for this FT protocol instance - ignore unexpected retransmission"); | ||
71 | + return 0; | ||
72 | + } | ||
73 | + | ||
74 | if (wpa_ft_parse_ies(ies, ies_len, &parse) < 0) { | ||
75 | wpa_printf(MSG_DEBUG, "FT: Failed to parse IEs"); | ||
76 | return -1; | ||
77 | @@ -781,6 +787,8 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies, | ||
78 | return -1; | ||
79 | } | ||
80 | |||
81 | + sm->ft_reassoc_completed = 1; | ||
82 | + | ||
83 | if (wpa_ft_process_gtk_subelem(sm, parse.gtk, parse.gtk_len) < 0) | ||
84 | return -1; | ||
85 | |||
86 | diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h | ||
87 | index 41f371f..56f88dc 100644 | ||
88 | --- a/src/rsn_supp/wpa_i.h | ||
89 | +++ b/src/rsn_supp/wpa_i.h | ||
90 | @@ -128,6 +128,7 @@ struct wpa_sm { | ||
91 | size_t r0kh_id_len; | ||
92 | u8 r1kh_id[FT_R1KH_ID_LEN]; | ||
93 | int ft_completed; | ||
94 | + int ft_reassoc_completed; | ||
95 | int over_the_ds_in_progress; | ||
96 | u8 target_ap[ETH_ALEN]; /* over-the-DS target AP */ | ||
97 | int set_ptk_after_assoc; | ||
98 | -- | ||
99 | 2.7.4 \ No newline at end of file | ||