authorHong Liu <hongl.fnst@cn.fujitsu.com>2018-06-05 16:10:56 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2018-06-15 17:56:24 +0100
commit61e587b32d10c796503f98f16eb3d66f24835708 (patch)
tree3915b26534a782f7017a588c5b86f4f1b3285fa4 /meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple8.patch
parentc8a1e372f3aa962b483b4f2280c7c44392c8b2f7 (diff)
wpa-supplicant: fix the bug for PATCHTOOL = "patch"
When switching PATCHTOOL to patch, applying 'key-replay-cve-multiple.patch' failed: checking file src/ap/ieee802_11.c checking file src/ap/wpa_auth.c checking file src/ap/wpa_auth.h checking file src/ap/wpa_auth_ft.c checking file src/ap/wpa_auth_i.h checking file src/common/wpa_common.h checking file src/rsn_supp/wpa.c checking file src/rsn_supp/wpa_i.h checking file src/rsn_supp/wpa.c Hunk #1 FAILED at 709. Hunk #2 FAILED at 757. Hunk #3 succeeded at 840 (offset -12 lines). Hunk #4 FAILED at 868. Hunk #5 FAILED at 900. Hunk #6 FAILED at 924. Hunk #7 succeeded at 1536 (offset -38 lines). Hunk #8 FAILED at 2386. Hunk #9 FAILED at 2920. Hunk #10 succeeded at 2940 (offset -46 lines). Hunk #11 FAILED at 2998. 8 out of 11 hunks FAILED checking file src/rsn_supp/wpa_i.h Hunk #1 FAILED at 32. 1 out of 1 hunk FAILED checking file src/common/wpa_common.h Hunk #1 succeeded at 215 with fuzz 1. checking file src/rsn_supp/wpa.c checking file src/rsn_supp/wpa_i.h checking file src/ap/wpa_auth.c Hunk #1 succeeded at 1898 (offset -3 lines). Hunk #2 succeeded at 2470 (offset -3 lines). checking file src/rsn_supp/tdls.c checking file wpa_supplicant/wnm_sta.c checking file src/rsn_supp/wpa.c Hunk #1 succeeded at 2378 (offset -62 lines). checking file src/rsn_supp/wpa_ft.c checking file src/rsn_supp/wpa_i.h Hunk #1 succeeded at 123 (offset -5 lines). So split the wpa-supplicant/key-replay-cve-multiple into 8 patches. (From OE-Core rev: 4e9bc513c22b9a52c48588ef276e2ab7f7781526) Signed-off-by: Hong Liu <hongl.fnst@cn.fujitsu.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple8.patch')
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple8.patch99
1 files changed, 99 insertions, 0 deletions
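diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple8.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple8.patch
new file mode 100644
index 0000000000..7f5390c312
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple8.patch
@@ -0,0 +1,99 @@
+The WPA2 four-way handshake protocol is vulnerable to replay attacks which can
+result in unauthenticated clients gaining access to the network.
+
+Backport a number of patches from upstream to fix this.
+
+CVE: CVE-2017-13077
+CVE: CVE-2017-13078
+CVE: CVE-2017-13079
+CVE: CVE-2017-13080
+CVE: CVE-2017-13081
+CVE: CVE-2017-13082
+CVE: CVE-2017-13086
+CVE: CVE-2017-13087
+CVE: CVE-2017-13088
+
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From b372ab0b7daea719749194dc554b26e6367603f2 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Fri, 22 Sep 2017 12:06:37 +0300
+Subject: [PATCH 8/8] FT: Do not allow multiple Reassociation Response frames
+
+The driver is expected to not report a second association event without
+the station having explicitly request a new association. As such, this
+case should not be reachable. However, since reconfiguring the same
+pairwise or group keys to the driver could result in nonce reuse issues,
+be extra careful here and do an additional state check to avoid this
+even if the local driver ends up somehow accepting an unexpected
+Reassociation Response frame.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/rsn_supp/wpa.c | 3 +++
+ src/rsn_supp/wpa_ft.c | 8 ++++++++
+ src/rsn_supp/wpa_i.h | 1 +
+ 3 files changed, 12 insertions(+)
+
+diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
+index 0550a41..2a53c6f 100644
+--- a/src/rsn_supp/wpa.c
++++ b/src/rsn_supp/wpa.c
+@@ -2440,6 +2440,9 @@ void wpa_sm_notify_disassoc(struct wpa_sm *sm)
+ #ifdef CONFIG_TDLS
+ wpa_tdls_disassoc(sm);
+ #endif /* CONFIG_TDLS */
++#ifdef CONFIG_IEEE80211R
++ sm->ft_reassoc_completed = 0;
++#endif /* CONFIG_IEEE80211R */
+
+ /* Keys are not needed in the WPA state machine anymore */
+ wpa_sm_drop_sa(sm);
+diff --git a/src/rsn_supp/wpa_ft.c b/src/rsn_supp/wpa_ft.c
+index 205793e..d45bb45 100644
+--- a/src/rsn_supp/wpa_ft.c
++++ b/src/rsn_supp/wpa_ft.c
+@@ -153,6 +153,7 @@ static u8 * wpa_ft_gen_req_ies(struct wpa_sm *sm, size_t *len,
+ u16 capab;
+
+ sm->ft_completed = 0;
++ sm->ft_reassoc_completed = 0;
+
+ buf_len = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) +
+ 2 + sm->r0kh_id_len + ric_ies_len + 100;
+@@ -681,6 +682,11 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies,
+ return -1;
+ }
+
++ if (sm->ft_reassoc_completed) {
++ wpa_printf(MSG_DEBUG, "FT: Reassociation has already been completed for this FT protocol instance - ignore unexpected retransmission");
++ return 0;
++ }
++
+ if (wpa_ft_parse_ies(ies, ies_len, &parse) < 0) {
+ wpa_printf(MSG_DEBUG, "FT: Failed to parse IEs");
+ return -1;
+@@ -781,6 +787,8 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies,
+ return -1;
+ }
+
++ sm->ft_reassoc_completed = 1;
++
+ if (wpa_ft_process_gtk_subelem(sm, parse.gtk, parse.gtk_len) < 0)
+ return -1;
+
+diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h
+index 41f371f..56f88dc 100644
+--- a/src/rsn_supp/wpa_i.h
++++ b/src/rsn_supp/wpa_i.h
+@@ -128,6 +128,7 @@ struct wpa_sm {
+ size_t r0kh_id_len;
+ u8 r1kh_id[FT_R1KH_ID_LEN];
+ int ft_completed;
++ int ft_reassoc_completed;
+ int over_the_ds_in_progress;
+ u8 target_ap[ETH_ALEN]; /* over-the-DS target AP */
+ int set_ptk_after_assoc;
+--
+2.7.4
\ No newline at end of file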
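Review bot: In the wpa_ft.c part of the added patch, `sm->ft_reassoc_completed = 1;` is set before `wpa_ft_process_gtk_subelem()` is called, and the new early exit in `wpa_ft_validate_reassoc_resp()` returns 0 before `wpa_ft_parse_ies()` runs, yet nothing in the code says why the flag sits exactly there. The placement looks deliberate (mark the exchange finished before any key is configured, so a repeated frame cannot reach key configuration again), and a comment such as `/* Set before key configuration so a retransmitted Reassociation Response cannot reconfigure keys; cleared in wpa_ft_gen_req_ies() and wpa_sm_notify_disassoc() */` would keep a later refactor from moving it. The struct member would benefit from the same treatment, e.g. `int ft_reassoc_completed; /* Reassociation Response already processed for this FT instance */`. Separately, the header text at the top of the patch file describes the impact as "unauthenticated clients gaining access to the network", while the wrapped upstream message gives the concern as nonce reuse from reconfiguring the same pairwise or group keys; the header would be more accurate if it used that wording. Both function bodies extend beyond the lines shown, so how callers treat the early `return 0` cannot be confirmed from here.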