1 files changed, 139 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2022-37660-0002.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2022-37660-0002.patch
new file mode 100644
index 0000000000..9d39f18f43
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2022-37660-0002.patch
@@ -0,0 +1,139 @@
+From 80213629981a21825e4688fde1b590e4c4d4bcea Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <quic_jouni@quicinc.com>
+Date: Mon, 24 Jan 2022 20:21:24 +0200
+Subject: [PATCH] DPP3: Start with PKEXv2 and fall back to v1
+Use automatic PKEX version negotiation as the initiator by starting with
+PKEXv2 and if no response is received, trying again with PKEXv1. For
+now, this is enabled only in wpa_supplicant CONFIG_DPP3=y builds.
+Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
+CVE: CVE-2022-37660
+Upstream-Status: Backport [https://git.w1.fi/cgit/hostap/commit/?id=80213629981a21825e4688fde1b590e4c4d4bcea]
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ wpa_supplicant/dpp_supplicant.c | 81 +++++++++++++++++++++------------
+ 1 file changed, 52 insertions(+), 29 deletions(-)
+diff --git a/wpa_supplicant/dpp_supplicant.c b/wpa_supplicant/dpp_supplicant.c
+index 584654a..43c85d3 100644
+--- a/wpa_supplicant/dpp_supplicant.c
+++ b/wpa_supplicant/dpp_supplicant.c
+@@ -2557,6 +2557,45 @@ static int wpas_dpp_pkex_next_channel(struct wpa_supplicant *wpa_s,
+ }
+ 
+ 
+static int wpas_dpp_pkex_init(struct wpa_supplicant *wpa_s, bool v2)
+{
+       struct dpp_pkex *pkex;
+       struct wpabuf *msg;
+       unsigned int wait_time;
+
+       wpa_printf(MSG_DEBUG, "DPP: Initiating PKEXv%d", v2 ? 2 : 1);
+       dpp_pkex_free(wpa_s->dpp_pkex);
+       wpa_s->dpp_pkex = dpp_pkex_init(wpa_s, wpa_s->dpp_pkex_bi,
+                                       wpa_s->own_addr,
+                                       wpa_s->dpp_pkex_identifier,
+                                       wpa_s->dpp_pkex_code, v2);
+       pkex = wpa_s->dpp_pkex;
+       if (!pkex)
+               return -1;
+
+       msg = pkex->exchange_req;
+       wait_time = wpa_s->max_remain_on_chan;
+       if (wait_time > 2000)
+               wait_time = 2000;
+       pkex->freq = 2437;
+       wpa_msg(wpa_s, MSG_INFO, DPP_EVENT_TX "dst=" MACSTR
+               " freq=%u type=%d",
+               MAC2STR(broadcast), pkex->freq,
+               v2 ? DPP_PA_PKEX_EXCHANGE_REQ :
+               DPP_PA_PKEX_V1_EXCHANGE_REQ);
+       offchannel_send_action(wpa_s, pkex->freq, broadcast,
+                              wpa_s->own_addr, broadcast,
+                              wpabuf_head(msg), wpabuf_len(msg),
+                              wait_time, wpas_dpp_tx_pkex_status, 0);
+       if (wait_time == 0)
+               wait_time = 2000;
+       pkex->exch_req_wait_time = wait_time;
+       pkex->exch_req_tries = 1;
+
+       return 0;
+}
+
+
+ static void wpas_dpp_pkex_retry_timeout(void *eloop_ctx, void *timeout_ctx)
+ {
+        struct wpa_supplicant *wpa_s = eloop_ctx;
+@@ -2566,6 +2605,14 @@ static void wpas_dpp_pkex_retry_timeout(void *eloop_ctx, void *timeout_ctx)
+                return;
+        if (pkex->exch_req_tries >= 5) {
+                if (wpas_dpp_pkex_next_channel(wpa_s, pkex) < 0) {
+#ifdef CONFIG_DPP3
+                       if (pkex->v2) {
+                               wpa_printf(MSG_DEBUG,
+                                          "DPP: Fall back to PKEXv1");
+                               wpas_dpp_pkex_init(wpa_s, false);
+                               return;
+                       }
+#endif /* CONFIG_DPP3 */
+                        wpa_msg(wpa_s, MSG_INFO, DPP_EVENT_FAIL
+                                "No response from PKEX peer");
+                        dpp_pkex_free(pkex);
+@@ -3271,7 +3318,6 @@ int wpas_dpp_pkex_add(struct wpa_supplicant *wpa_s, const char *cmd)
+ {
+        struct dpp_bootstrap_info *own_bi;
+        const char *pos, *end;
+-       unsigned int wait_time;
+ 
+        pos = os_strstr(cmd, " own=");
+        if (!pos)
+@@ -3315,37 +3361,14 @@ int wpas_dpp_pkex_add(struct wpa_supplicant *wpa_s, const char *cmd)
+                return -1;
+ 
+        if (os_strstr(cmd, " init=1") || os_strstr(cmd, " init=2")) {
+-               struct dpp_pkex *pkex;
+-               struct wpabuf *msg;
+#ifdef CONFIG_DPP3
+               bool v2 = true;
+#else /* CONFIG_DPP3 */
+                bool v2 = os_strstr(cmd, " init=2") != NULL;
+#endif /* CONFIG_DPP3 */
+ 
+-               wpa_printf(MSG_DEBUG, "DPP: Initiating PKEX");
+-               dpp_pkex_free(wpa_s->dpp_pkex);
+-               wpa_s->dpp_pkex = dpp_pkex_init(wpa_s, own_bi, wpa_s->own_addr,
+-                                               wpa_s->dpp_pkex_identifier,
+-                                               wpa_s->dpp_pkex_code, v2);
+-               pkex = wpa_s->dpp_pkex;
+-               if (!pkex)
+               if (wpas_dpp_pkex_init(wpa_s, v2) < 0)
+                        return -1;
+-
+-               msg = pkex->exchange_req;
+-               wait_time = wpa_s->max_remain_on_chan;
+-               if (wait_time > 2000)
+-                       wait_time = 2000;
+-               pkex->freq = 2437;
+-               wpa_msg(wpa_s, MSG_INFO, DPP_EVENT_TX "dst=" MACSTR
+-                       " freq=%u type=%d",
+-                       MAC2STR(broadcast), pkex->freq,
+-                       v2 ? DPP_PA_PKEX_EXCHANGE_REQ :
+-                       DPP_PA_PKEX_V1_EXCHANGE_REQ);
+-               offchannel_send_action(wpa_s, pkex->freq, broadcast,
+-                                      wpa_s->own_addr, broadcast,
+-                                      wpabuf_head(msg), wpabuf_len(msg),
+-                                      wait_time, wpas_dpp_tx_pkex_status, 0);
+-               if (wait_time == 0)
+-                       wait_time = 2000;
+-               pkex->exch_req_wait_time = wait_time;
+-               pkex->exch_req_tries = 1;
+        }
+ 
+        /* TODO: Support multiple PKEX info entries */
+-- 
+2.40.0

diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2022-37660-0002.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2022-37660-0002.patch new file mode 100644 index 0000000000..9d39f18f43 --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2022-37660-0002.patch
@@ -0,0 +1,139 @@
	1	From 80213629981a21825e4688fde1b590e4c4d4bcea Mon Sep 17 00:00:00 2001
	2	From: Jouni Malinen <quic_jouni@quicinc.com>
	3	Date: Mon, 24 Jan 2022 20:21:24 +0200
	4	Subject: [PATCH] DPP3: Start with PKEXv2 and fall back to v1
	5
	6	Use automatic PKEX version negotiation as the initiator by starting with
	7	PKEXv2 and if no response is received, trying again with PKEXv1. For
	8	now, this is enabled only in wpa_supplicant CONFIG_DPP3=y builds.
	9
	10	Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
	11
	12	CVE: CVE-2022-37660
	13
	14	Upstream-Status: Backport [https://git.w1.fi/cgit/hostap/commit/?id=80213629981a21825e4688fde1b590e4c4d4bcea]
	15
	16	Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
	17	---
	18	wpa_supplicant/dpp_supplicant.c \| 81 +++++++++++++++++++++------------
	19	1 file changed, 52 insertions(+), 29 deletions(-)
	20
	21	diff --git a/wpa_supplicant/dpp_supplicant.c b/wpa_supplicant/dpp_supplicant.c
	22	index 584654a..43c85d3 100644
	23	--- a/wpa_supplicant/dpp_supplicant.c
	24	+++ b/wpa_supplicant/dpp_supplicant.c
	25	@@ -2557,6 +2557,45 @@ static int wpas_dpp_pkex_next_channel(struct wpa_supplicant *wpa_s,
	26	}
	27
	28
	29	+static int wpas_dpp_pkex_init(struct wpa_supplicant *wpa_s, bool v2)
	30	+{
	31	+ struct dpp_pkex *pkex;
	32	+ struct wpabuf *msg;
	33	+ unsigned int wait_time;
	34	+
	35	+ wpa_printf(MSG_DEBUG, "DPP: Initiating PKEXv%d", v2 ? 2 : 1);
	36	+ dpp_pkex_free(wpa_s->dpp_pkex);
	37	+ wpa_s->dpp_pkex = dpp_pkex_init(wpa_s, wpa_s->dpp_pkex_bi,
	38	+ wpa_s->own_addr,
	39	+ wpa_s->dpp_pkex_identifier,
	40	+ wpa_s->dpp_pkex_code, v2);
	41	+ pkex = wpa_s->dpp_pkex;
	42	+ if (!pkex)
	43	+ return -1;
	44	+
	45	+ msg = pkex->exchange_req;
	46	+ wait_time = wpa_s->max_remain_on_chan;
	47	+ if (wait_time > 2000)
	48	+ wait_time = 2000;
	49	+ pkex->freq = 2437;
	50	+ wpa_msg(wpa_s, MSG_INFO, DPP_EVENT_TX "dst=" MACSTR
	51	+ " freq=%u type=%d",
	52	+ MAC2STR(broadcast), pkex->freq,
	53	+ v2 ? DPP_PA_PKEX_EXCHANGE_REQ :
	54	+ DPP_PA_PKEX_V1_EXCHANGE_REQ);
	55	+ offchannel_send_action(wpa_s, pkex->freq, broadcast,
	56	+ wpa_s->own_addr, broadcast,
	57	+ wpabuf_head(msg), wpabuf_len(msg),
	58	+ wait_time, wpas_dpp_tx_pkex_status, 0);
	59	+ if (wait_time == 0)
	60	+ wait_time = 2000;
	61	+ pkex->exch_req_wait_time = wait_time;
	62	+ pkex->exch_req_tries = 1;
	63	+
	64	+ return 0;
	65	+}
	66	+
	67	+
	68	static void wpas_dpp_pkex_retry_timeout(void eloop_ctx, void timeout_ctx)
	69	{
	70	struct wpa_supplicant *wpa_s = eloop_ctx;
	71	@@ -2566,6 +2605,14 @@ static void wpas_dpp_pkex_retry_timeout(void eloop_ctx, void timeout_ctx)
	72	return;
	73	if (pkex->exch_req_tries >= 5) {
	74	if (wpas_dpp_pkex_next_channel(wpa_s, pkex) < 0) {
	75	+#ifdef CONFIG_DPP3
	76	+ if (pkex->v2) {
	77	+ wpa_printf(MSG_DEBUG,
	78	+ "DPP: Fall back to PKEXv1");
	79	+ wpas_dpp_pkex_init(wpa_s, false);
	80	+ return;
	81	+ }
	82	+#endif /* CONFIG_DPP3 */
	83	wpa_msg(wpa_s, MSG_INFO, DPP_EVENT_FAIL
	84	"No response from PKEX peer");
	85	dpp_pkex_free(pkex);
	86	@@ -3271,7 +3318,6 @@ int wpas_dpp_pkex_add(struct wpa_supplicant wpa_s, const char cmd)
	87	{
	88	struct dpp_bootstrap_info *own_bi;
	89	const char pos, end;
	90	- unsigned int wait_time;
	91
	92	pos = os_strstr(cmd, " own=");
	93	if (!pos)
	94	@@ -3315,37 +3361,14 @@ int wpas_dpp_pkex_add(struct wpa_supplicant wpa_s, const char cmd)
	95	return -1;
	96
	97	if (os_strstr(cmd, " init=1") \|\| os_strstr(cmd, " init=2")) {
	98	- struct dpp_pkex *pkex;
	99	- struct wpabuf *msg;
	100	+#ifdef CONFIG_DPP3
	101	+ bool v2 = true;
	102	+#else /* CONFIG_DPP3 */
	103	bool v2 = os_strstr(cmd, " init=2") != NULL;
	104	+#endif /* CONFIG_DPP3 */
	105
	106	- wpa_printf(MSG_DEBUG, "DPP: Initiating PKEX");
	107	- dpp_pkex_free(wpa_s->dpp_pkex);
	108	- wpa_s->dpp_pkex = dpp_pkex_init(wpa_s, own_bi, wpa_s->own_addr,
	109	- wpa_s->dpp_pkex_identifier,
	110	- wpa_s->dpp_pkex_code, v2);
	111	- pkex = wpa_s->dpp_pkex;
	112	- if (!pkex)
	113	+ if (wpas_dpp_pkex_init(wpa_s, v2) < 0)
	114	return -1;
	115	-
	116	- msg = pkex->exchange_req;
	117	- wait_time = wpa_s->max_remain_on_chan;
	118	- if (wait_time > 2000)
	119	- wait_time = 2000;
	120	- pkex->freq = 2437;
	121	- wpa_msg(wpa_s, MSG_INFO, DPP_EVENT_TX "dst=" MACSTR
	122	- " freq=%u type=%d",
	123	- MAC2STR(broadcast), pkex->freq,
	124	- v2 ? DPP_PA_PKEX_EXCHANGE_REQ :
	125	- DPP_PA_PKEX_V1_EXCHANGE_REQ);
	126	- offchannel_send_action(wpa_s, pkex->freq, broadcast,
	127	- wpa_s->own_addr, broadcast,
	128	- wpabuf_head(msg), wpabuf_len(msg),
	129	- wait_time, wpas_dpp_tx_pkex_status, 0);
	130	- if (wait_time == 0)
	131	- wait_time = 2000;
	132	- pkex->exch_req_wait_time = wait_time;
	133	- pkex->exch_req_tries = 1;
	134	}
	135
	136	/* TODO: Support multiple PKEX info entries */
	137	--
	138	2.40.0
	139