This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated
       via  ea9cb48ae775a7040edaf58224535b71dcde25ea (commit)
       via  b2ee5e8aa4056c7ce07fa753b677768b954e8c0b (commit)
       via  d6d5999af1cf53a4a7609935f41e2ca03bf92d6c (commit)
       via  146c837e78449c63e858378dfc84cba9d6a490ce (commit)
       via  5a3c9ef298b9004876691f95a63905c11cfdab84 (commit)
       via  758a1893a190249e3bd6a0cca7d9ab21be20a4a8 (commit)
       via  3f2341da8d3b517466f42338956342fde6e45eec (commit)
      from  71a355c3a246a5de886ffee0376d83be942f48df (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit ea9cb48ae775a7040edaf58224535b71dcde25ea
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Mon Mar 4 09:25:13 2019 +0000

    core129: Ship wpa_supplicant

    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

commit b2ee5e8aa4056c7ce07fa753b677768b954e8c0b
Author: Matthias Fischer <matthias.fischer@ipfire.org>
Date:   Tue Mar 5 19:12:52 2019 +0100

    wpa_supplicant: Update to 2.7

    For details see:
    https://w1.fi/cgit/hostap/plain/wpa_supplicant/ChangeLog

    Best,
    Matthias

    Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

commit d6d5999af1cf53a4a7609935f41e2ca03bf92d6c
Author: Matthias Fischer <matthias.fischer@ipfire.org>
Date:   Tue Mar 5 19:12:51 2019 +0100

    hostapd: Update to 2.7

    For details see:
    https://w1.fi/cgit/hostap/plain/hostapd/ChangeLog

    This patch sticks to 'wpa_supplicant: Update to 2.7'.

    Best,
    Matthias

    Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

commit 146c837e78449c63e858378dfc84cba9d6a490ce
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Sun Mar 3 13:33:52 2019 +0000

    netsnmp: Fix rootfile to build on other architectures

    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

commit 5a3c9ef298b9004876691f95a63905c11cfdab84
Author: Erik Kapfer <ummeegge@ipfire.org>
Date:   Wed Feb 27 06:03:48 2019 +0100

    netsnmpd: OpenSSL patch is incl. in new version

    Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

commit 758a1893a190249e3bd6a0cca7d9ab21be20a4a8
Author: Erik Kapfer <ummeegge@ipfire.org>
Date:   Wed Feb 27 06:03:47 2019 +0100

    netsnmpd: Update to version 5.8

    Overview of the changes can be found in here https://sourceforge.net/p/net-snmp/mailman/message/36386084/ .

    Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

commit 3f2341da8d3b517466f42338956342fde6e45eec
Author: Erik Kapfer <ummeegge@ipfire.org>
Date:   Sun Mar 3 09:09:18 2019 +0100

    iptables: Update to 1.8.2

    netfilter-layer7 has also been updated to v2.23 .

    Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

-----------------------------------------------------------------------
Summary of changes:
 config/rootfiles/common/iptables                   |  19 +-
 .../103 => core/129}/filelists/wpa_supplicant      |   0
 config/rootfiles/packages/netsnmpd                 |  75 +++--
 lfs/hostapd                                        |  21 +-
 lfs/iptables                                       |  17 +-
 lfs/netsnmpd                                       |  11 +-
 lfs/wpa_supplicant                                 |  16 +-
 src/patches/hostapd/hostapd-2.6-noscan.patch       |  62 -----
 .../hostapd-2.7-increase_EAPOL-timeouts.patch}     |  14 +-
 src/patches/hostapd/hostapd-2.7-noscan.patch       |  62 +++++
 src/patches/net-snmp-5.7.3-openssl.patch           | 303 ---------------------
 ...-Avoid-key-reinstallation-in-FT-handshake.patch | 174 ------------
 ...nstallation-of-an-already-in-use-group-ke.patch | 259 ------------------
 ...ection-of-GTK-IGTK-reinstallation-of-WNM-.patch | 193 -------------
 ...04-Prevent-installation-of-an-all-zero-TK.patch |  87 ------
 ...Fix-PTK-rekeying-to-generate-a-new-ANonce.patch |  64 -----
 .../0006-TDLS-Reject-TPK-TK-reconfiguration.patch  | 132 ---------
 ...WNM-Sleep-Mode-Response-without-pending-r.patch |  43 ---
 ...llow-multiple-Reassociation-Response-fram.patch |  82 ------
 ...-Avoid-key-reinstallation-in-FT-handshake.patch | 174 ------------
 ...nstallation-of-an-already-in-use-group-ke.patch | 250 -----------------
 ...ection-of-GTK-IGTK-reinstallation-of-WNM-.patch | 184 -------------
 ...04-Prevent-installation-of-an-all-zero-TK.patch |  79 ------
 ...Fix-PTK-rekeying-to-generate-a-new-ANonce.patch |  64 -----
 ...6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch | 132 ---------
 ...WNM-Sleep-Mode-Response-without-pending-r.patch |  43 ---
 ...llow-multiple-Reassociation-Response-fram.patch |  82 ------
 27 files changed, 155 insertions(+), 2487 deletions(-)
 copy config/rootfiles/{oldcore/103 => core/129}/filelists/wpa_supplicant (100%)
 delete mode 100644 src/patches/hostapd/hostapd-2.6-noscan.patch
 rename src/patches/{hostapd-2.3_increase_EAPOL-timeouts.patch => hostapd/hostapd-2.7-increase_EAPOL-timeouts.patch} (50%)
 create mode 100644 src/patches/hostapd/hostapd-2.7-noscan.patch
 delete mode 100644 src/patches/net-snmp-5.7.3-openssl.patch
 delete mode 100644 src/patches/wpa_supplicant/0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch
 delete mode 100644 src/patches/wpa_supplicant/0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch
 delete mode 100644 src/patches/wpa_supplicant/0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch
 delete mode 100644 src/patches/wpa_supplicant/0004-Prevent-installation-of-an-all-zero-TK.patch
 delete mode 100644 src/patches/wpa_supplicant/0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch
 delete mode 100644 src/patches/wpa_supplicant/0006-TDLS-Reject-TPK-TK-reconfiguration.patch
 delete mode 100644 src/patches/wpa_supplicant/0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch
 delete mode 100644 src/patches/wpa_supplicant/0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch
 delete mode 100644 src/patches/wpa_supplicant/rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch
 delete mode 100644 src/patches/wpa_supplicant/rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch
 delete mode 100644 src/patches/wpa_supplicant/rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch
 delete mode 100644 src/patches/wpa_supplicant/rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch
 delete mode 100644 src/patches/wpa_supplicant/rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch
 delete mode 100644 src/patches/wpa_supplicant/rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch
 delete mode 100644 src/patches/wpa_supplicant/rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch
 delete mode 100644 src/patches/wpa_supplicant/rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch

Difference in files: diff --git a/config/rootfiles/common/iptables b/config/rootfiles/common/iptables index d7584c0ad..9aa9e51cb 100644 --- a/config/rootfiles/common/iptables +++ b/config/rootfiles/common/iptables @@ -17,12 +17,8 @@ lib/libiptc.so.0.0.0 #lib/libxtables.la lib/libxtables.so lib/libxtables.so.12 -lib/libxtables.so.12.0.0 +lib/libxtables.so.12.2.0 #lib/xtables -lib/xtables/libebt_802_3.so -lib/xtables/libebt_ip.so -lib/xtables/libebt_log.so -lib/xtables/libebt_mark_m.so lib/xtables/libip6t_DNAT.so lib/xtables/libip6t_DNPT.so lib/xtables/libip6t_HL.so @@ -109,7 +105,6 @@ lib/xtables/libxt_layer7.so lib/xtables/libxt_length.so lib/xtables/libxt_limit.so lib/xtables/libxt_mac.so -lib/xtables/libxt_mangle.so lib/xtables/libxt_mark.so lib/xtables/libxt_multiport.so lib/xtables/libxt_nfacct.so @@ -136,14 +131,20 @@ lib/xtables/libxt_tos.so lib/xtables/libxt_u32.so lib/xtables/libxt_udp.so sbin/ip6tables +sbin/ip6tables-legacy +sbin/ip6tables-legacy-restore +sbin/ip6tables-legacy-save sbin/ip6tables-restore sbin/ip6tables-save sbin/iptables +sbin/iptables-legacy +sbin/iptables-legacy-restore +sbin/iptables-legacy-save sbin/iptables-restore sbin/iptables-save sbin/iptables-xml #sbin/nfnl_osf -sbin/xtables-multi +sbin/xtables-legacy-multi #usr/include/libipq.h #usr/include/libiptc #usr/include/libiptc/ipt_kernel_headers.h @@ -178,5 +179,9 @@ sbin/xtables-multi #usr/share/man/man8/iptables-save.8 #usr/share/man/man8/iptables.8 #usr/share/man/man8/nfnl_osf.8 +#usr/share/man/man8/xtables-legacy.8 +#usr/share/man/man8/xtables-monitor.8 +#usr/share/man/man8/xtables-nft.8 +#usr/share/man/man8/xtables-translate.8 #usr/share/xtables usr/share/xtables/pf.os diff --git a/config/rootfiles/core/129/filelists/wpa_supplicant b/config/rootfiles/core/129/filelists/wpa_supplicant new file mode 120000 index 000000000..1d04c03c0 --- /dev/null +++ b/config/rootfiles/core/129/filelists/wpa_supplicant @@ -0,0 +1 @@ +../../../common/wpa_supplicant \ No newline at end of file 
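Review bot: In config/rootfiles/common/iptables the binary list swaps sbin/xtables-multi for sbin/xtables-legacy-multi, and no other file in this push updates a caller, so any init script or helper that invokes xtables-multi by name will stop working after the update; search the tree for that name before merging. The same rootfile also drops lib/xtables/libebt_802_3.so, libebt_ip.so, libebt_log.so, libebt_mark_m.so and libxt_mangle.so, and the commit message for "iptables: Update to 1.8.2" does not mention them, so please state there that no shipped rule set depends on these extensions.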
diff --git a/config/rootfiles/packages/netsnmpd b/config/rootfiles/packages/netsnmpd index 9d80ec2ad..7a0ad242e 100644 --- a/config/rootfiles/packages/netsnmpd +++ b/config/rootfiles/packages/netsnmpd @@ -1,8 +1,10 @@ +etc/rc.d/init.d/netsnmpd etc/rc.d/rc0.d/K02netsnmpd etc/rc.d/rc3.d/S65netsnmpd etc/rc.d/rc6.d/K02netsnmpd etc/snmpd.conf usr/bin/agentxtrap +usr/bin/checkbandwidth usr/bin/encode_keychange usr/bin/fixproc usr/bin/ipf-mod.pl @@ -22,10 +24,14 @@ usr/bin/snmpget usr/bin/snmpgetnext usr/bin/snmpinform usr/bin/snmpnetstat +usr/bin/snmppcap +usr/bin/snmpping +usr/bin/snmpps usr/bin/snmpset usr/bin/snmpstatus usr/bin/snmptable usr/bin/snmptest +usr/bin/snmptop usr/bin/snmptranslate usr/bin/snmptrap usr/bin/snmpusm @@ -58,6 +64,7 @@ usr/bin/traptoemail #usr/include/net-snmp/agent/mode_end_call.h #usr/include/net-snmp/agent/multiplexer.h #usr/include/net-snmp/agent/net-snmp-agent-includes.h +#usr/include/net-snmp/agent/netsnmp_close_fds.h #usr/include/net-snmp/agent/null.h #usr/include/net-snmp/agent/old_api.h #usr/include/net-snmp/agent/read_only.h @@ -114,6 +121,7 @@ usr/bin/traptoemail #usr/include/net-snmp/library/md5.h #usr/include/net-snmp/library/mib.h #usr/include/net-snmp/library/mt_support.h +#usr/include/net-snmp/library/netsnmp-attribute-format.h #usr/include/net-snmp/library/oid.h #usr/include/net-snmp/library/oid_stash.h #usr/include/net-snmp/library/parse.h 
@@ -124,12 +132,15 @@ usr/bin/traptoemail #usr/include/net-snmp/library/snmpAliasDomain.h #usr/include/net-snmp/library/snmpCallbackDomain.h #usr/include/net-snmp/library/snmpIPv4BaseDomain.h +#usr/include/net-snmp/library/snmpIPv6BaseDomain.h #usr/include/net-snmp/library/snmpSocketBaseDomain.h #usr/include/net-snmp/library/snmpTCPBaseDomain.h #usr/include/net-snmp/library/snmpTCPDomain.h +#usr/include/net-snmp/library/snmpTCPIPv6Domain.h #usr/include/net-snmp/library/snmpUDPBaseDomain.h #usr/include/net-snmp/library/snmpUDPDomain.h #usr/include/net-snmp/library/snmpUDPIPv4BaseDomain.h +#usr/include/net-snmp/library/snmpUDPIPv6Domain.h #usr/include/net-snmp/library/snmpUnixDomain.h #usr/include/net-snmp/library/snmp_alarm.h #usr/include/net-snmp/library/snmp_api.h @@ -174,6 +185,13 @@ usr/bin/traptoemail #usr/include/net-snmp/system/cygwin.h #usr/include/net-snmp/system/darwin.h #usr/include/net-snmp/system/darwin10.h +#usr/include/net-snmp/system/darwin11.h +#usr/include/net-snmp/system/darwin12.h +#usr/include/net-snmp/system/darwin13.h +#usr/include/net-snmp/system/darwin14.h +#usr/include/net-snmp/system/darwin15.h +#usr/include/net-snmp/system/darwin16.h +#usr/include/net-snmp/system/darwin17.h #usr/include/net-snmp/system/darwin7.h #usr/include/net-snmp/system/darwin8.h #usr/include/net-snmp/system/darwin9.h 
@@ -194,13 +212,17 @@ usr/bin/traptoemail #usr/include/net-snmp/system/generic.h #usr/include/net-snmp/system/hpux.h #usr/include/net-snmp/system/irix.h +#usr/include/net-snmp/system/kfreebsd.h #usr/include/net-snmp/system/linux.h #usr/include/net-snmp/system/mingw32.h +#usr/include/net-snmp/system/mingw32msvc.h #usr/include/net-snmp/system/mips.h #usr/include/net-snmp/system/netbsd.h +#usr/include/net-snmp/system/nto-qnx6.h #usr/include/net-snmp/system/openbsd.h #usr/include/net-snmp/system/openbsd4.h #usr/include/net-snmp/system/openbsd5.h +#usr/include/net-snmp/system/openbsd6.h #usr/include/net-snmp/system/osf5.h #usr/include/net-snmp/system/solaris.h #usr/include/net-snmp/system/solaris2.3.h 
@@ -217,31 +239,31 @@ usr/bin/traptoemail #usr/include/net-snmp/version.h #usr/lib/libnetsnmp.a #usr/lib/libnetsnmp.la -usr/lib/libnetsnmp.so -usr/lib/libnetsnmp.so.30 -usr/lib/libnetsnmp.so.30.0.3 +#usr/lib/libnetsnmp.so +usr/lib/libnetsnmp.so.35 +usr/lib/libnetsnmp.so.35.0.0 #usr/lib/libnetsnmpagent.a #usr/lib/libnetsnmpagent.la -usr/lib/libnetsnmpagent.so -usr/lib/libnetsnmpagent.so.30 -usr/lib/libnetsnmpagent.so.30.0.3 +#usr/lib/libnetsnmpagent.so +usr/lib/libnetsnmpagent.so.35 +usr/lib/libnetsnmpagent.so.35.0.0 #usr/lib/libnetsnmphelpers.a #usr/lib/libnetsnmphelpers.la -usr/lib/libnetsnmphelpers.so -usr/lib/libnetsnmphelpers.so.30 -usr/lib/libnetsnmphelpers.so.30.0.3 +#usr/lib/libnetsnmphelpers.so +usr/lib/libnetsnmphelpers.so.35 +usr/lib/libnetsnmphelpers.so.35.0.0 #usr/lib/libnetsnmpmibs.a #usr/lib/libnetsnmpmibs.la -usr/lib/libnetsnmpmibs.so -usr/lib/libnetsnmpmibs.so.30 -usr/lib/libnetsnmpmibs.so.30.0.3 +#usr/lib/libnetsnmpmibs.so +usr/lib/libnetsnmpmibs.so.35 +usr/lib/libnetsnmpmibs.so.35.0.0 #usr/lib/libnetsnmptrapd.a #usr/lib/libnetsnmptrapd.la -usr/lib/libnetsnmptrapd.so -usr/lib/libnetsnmptrapd.so.30 -usr/lib/libnetsnmptrapd.so.30.0.3 +#usr/lib/libnetsnmptrapd.so +usr/lib/libnetsnmptrapd.so.35 +usr/lib/libnetsnmptrapd.so.35.0.0 #usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/Bundle -#usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/Bundle/Makefile.subs.pl +usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/Bundle/MakefileSubs.pm #usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/NetSNMP usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/NetSNMP/ASN.pm usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/NetSNMP/OID.pm 
@@ -305,10 +327,12 @@ usr/sbin/snmptrapd #usr/share/man/man1/snmpgetnext.1 #usr/share/man/man1/snmpinform.1 #usr/share/man/man1/snmpnetstat.1 +#usr/share/man/man1/snmpps.1 #usr/share/man/man1/snmpset.1 #usr/share/man/man1/snmpstatus.1 #usr/share/man/man1/snmptable.1 #usr/share/man/man1/snmptest.1 +#usr/share/man/man1/snmptop.1 #usr/share/man/man1/snmptranslate.1 #usr/share/man/man1/snmptrap.1 #usr/share/man/man1/snmpusm.1 @@ -427,8 +451,8 @@ usr/sbin/snmptrapd #usr/share/man/man5/variables.5 #usr/share/man/man8/snmpd.8 #usr/share/man/man8/snmptrapd.8 -usr/share/snmp -usr/share/snmp/mib2c-data +#usr/share/snmp +#usr/share/snmp/mib2c-data usr/share/snmp/mib2c-data/default-mfd-top.m2c usr/share/snmp/mib2c-data/details-enums.m2i usr/share/snmp/mib2c-data/details-node.m2i @@ -513,11 +537,12 @@ usr/share/snmp/mib2c.iterate_access.conf usr/share/snmp/mib2c.mfd.conf usr/share/snmp/mib2c.notify.conf usr/share/snmp/mib2c.old-api.conf +usr/share/snmp/mib2c.org-mode.conf usr/share/snmp/mib2c.perl.conf usr/share/snmp/mib2c.raw-table.conf usr/share/snmp/mib2c.scalar.conf usr/share/snmp/mib2c.table_data.conf -usr/share/snmp/mibs +#usr/share/snmp/mibs usr/share/snmp/mibs/AGENTX-MIB.txt usr/share/snmp/mibs/BRIDGE-MIB.txt usr/share/snmp/mibs/DISMAN-EVENT-MIB.txt @@ -570,6 +595,7 @@ usr/share/snmp/mibs/SNMP-TSM-MIB.txt usr/share/snmp/mibs/SNMP-USER-BASED-SM-MIB.txt usr/share/snmp/mibs/SNMP-USM-AES-MIB.txt usr/share/snmp/mibs/SNMP-USM-DH-OBJECTS-MIB.txt +usr/share/snmp/mibs/SNMP-USM-HMAC-SHA2-MIB.txt usr/share/snmp/mibs/SNMP-VIEW-BASED-ACM-MIB.txt usr/share/snmp/mibs/SNMPv2-CONF.txt usr/share/snmp/mibs/SNMPv2-MIB.txt 
@@ -587,14 +613,14 @@ usr/share/snmp/mibs/UCD-SNMP-MIB.txt usr/share/snmp/mibs/UDP-MIB.txt usr/share/snmp/snmp_perl.pl usr/share/snmp/snmp_perl_trapd.pl -usr/share/snmp/snmpconf-data -usr/share/snmp/snmpconf-data/snmp-data +#usr/share/snmp/snmpconf-data +#usr/share/snmp/snmpconf-data/snmp-data usr/share/snmp/snmpconf-data/snmp-data/authopts usr/share/snmp/snmpconf-data/snmp-data/debugging usr/share/snmp/snmpconf-data/snmp-data/mibs usr/share/snmp/snmpconf-data/snmp-data/output usr/share/snmp/snmpconf-data/snmp-data/snmpconf-config -usr/share/snmp/snmpconf-data/snmpd-data +#usr/share/snmp/snmpconf-data/snmpd-data usr/share/snmp/snmpconf-data/snmpd-data/acl usr/share/snmp/snmpconf-data/snmpd-data/basic_setup usr/share/snmp/snmpconf-data/snmpd-data/extending @@ -603,12 +629,11 @@ usr/share/snmp/snmpconf-data/snmpd-data/operation usr/share/snmp/snmpconf-data/snmpd-data/snmpconf-config usr/share/snmp/snmpconf-data/snmpd-data/system usr/share/snmp/snmpconf-data/snmpd-data/trapsinks -usr/share/snmp/snmpconf-data/snmptrapd-data +#usr/share/snmp/snmpconf-data/snmptrapd-data usr/share/snmp/snmpconf-data/snmptrapd-data/authentication usr/share/snmp/snmpconf-data/snmptrapd-data/formatting usr/share/snmp/snmpconf-data/snmptrapd-data/logging usr/share/snmp/snmpconf-data/snmptrapd-data/runtime usr/share/snmp/snmpconf-data/snmptrapd-data/snmpconf-config usr/share/snmp/snmpconf-data/snmptrapd-data/traphandle -var/ipfire/backup/addons/includes/netsnmpd -etc/rc.d/init.d/netsnmpd +var/ipfire/backup/addons/includes/netsnmpd \ No newline at end of file diff --git a/lfs/hostapd b/lfs/hostapd index a8302ccdd..233863646 100644 --- a/lfs/hostapd +++ b/lfs/hostapd 
@@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2018 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2019 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@
include Config
-VER = 2.6 +VER = 2.7
THISAPP = hostapd-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = hostapd -PAK_VER = 43 +PAK_VER = 44
DEPS = ""
@@ -44,7 +44,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = eaa56dce9bd8f1d195eb62596eab34c7 +$(DL_FILE)_MD5 = 8d3799f3a3c247cff47d41503698721b
install : $(TARGET)
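Review bot: The only integrity pin on the new hostapd-2.7 tarball is the "$(DL_FILE)_MD5 = 8d3799f3a3c247cff47d41503698721b" line, and MD5 is not collision resistant, so it catches a corrupted download but is weak evidence that the archive on the mirror is the one upstream released. Please note in the commit message how the tarball was verified before the digest was recorded; the same point applies to the MD5 updates in lfs/wpa_supplicant, lfs/netsnmpd and lfs/iptables in this push.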
@@ -78,17 +78,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
- # Security Patches https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages... - cd $(DIR_APP) && patch -p1 < $(DIR_SRC)/src/patches/wpa_supplicant/rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch - cd $(DIR_APP) && patch -p1 < $(DIR_SRC)/src/patches/wpa_supplicant/rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch - cd $(DIR_APP) && patch -p1 < $(DIR_SRC)/src/patches/wpa_supplicant/rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch - cd $(DIR_APP) && patch -p1 < $(DIR_SRC)/src/patches/wpa_supplicant/rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch - cd $(DIR_APP) && patch -p1 < $(DIR_SRC)/src/patches/wpa_supplicant/rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch - cd $(DIR_APP) && patch -p1 < $(DIR_SRC)/src/patches/wpa_supplicant/rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch - cd $(DIR_APP) && patch -p1 < $(DIR_SRC)/src/patches/wpa_supplicant/rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch - - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd-2.3_increase_EAPOL-timeouts.patch - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.6-noscan.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.7-increase_EAPOL-timeouts.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.7-noscan.patch
cd $(DIR_APP)/hostapd && cp $(DIR_SRC)/config/hostapd/config ./.config cd $(DIR_APP)/hostapd && sed -e "s@/usr/local@/usr@g" -i Makefile diff --git a/lfs/iptables b/lfs/iptables index b4a2834b8..17817a9ef 100644 --- a/lfs/iptables +++ b/lfs/iptables @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2018 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2019 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@
include Config
-VER = 1.6.2 +VER = 1.8.2
THISAPP = iptables-$(VER) DL_FILE = $(THISAPP).tar.bz2 @@ -36,13 +36,13 @@ TARGET = $(DIR_INFO)/$(THISAPP) # Top-level Rules ############################################################################### objects = $(DL_FILE) \ - netfilter-layer7-v2.22.tar.gz + netfilter-layer7-v2.23.tar.gz
$(DL_FILE) = $(DL_FROM)/$(DL_FILE) -netfilter-layer7-v2.22.tar.gz = $(URL_IPFIRE)/netfilter-layer7-v2.22.tar.gz +netfilter-layer7-v2.23.tar.gz = $(URL_IPFIRE)/netfilter-layer7-v2.23.tar.gz
-$(DL_FILE)_MD5 = 7d2b7847e4aa8832a18437b8a4c1873d -netfilter-layer7-v2.22.tar.gz_MD5 = 98dff8a3d5a31885b73341633f69501f +$(DL_FILE)_MD5 = 944558e88ddcc3b9b0d9550070fa3599 +netfilter-layer7-v2.23.tar.gz_MD5 = 10910b6173d18e426cb56ae7e1300eeb
install : $(TARGET)
@@ -75,8 +75,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @cd $(DIR_SRC) && tar jxf $(DIR_DL)/$(DL_FILE)
# Layer7 - cd $(DIR_SRC) && tar zxf $(DIR_DL)/netfilter-layer7-v2.22.tar.gz - cd $(DIR_APP) && cp -vf $(DIR_SRC)/netfilter-layer7-v2.22/iptables-1.4.3forward-for-kernel-2.6.20forward/* \ + cd $(DIR_SRC) && tar zxf $(DIR_DL)/netfilter-layer7-v2.23.tar.gz + cd $(DIR_APP) && cp -vf $(DIR_SRC)/netfilter-layer7-v2.23/iptables-1.4.3forward-for-kernel-2.6.20forward/* \ ./extensions/
# imq @@ -88,6 +88,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) --libdir=/lib \ --includedir=/usr/include \ --enable-libipq \ + --with-xtlibdir=/lib/xtables \ --libexecdir=/lib \ --bindir=/sbin \ --sbindir=/sbin \ diff --git a/lfs/netsnmpd b/lfs/netsnmpd index 06233f3e9..0af276093 100644 --- a/lfs/netsnmpd +++ b/lfs/netsnmpd @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2018 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2019 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@
include Config
-VER = 5.7.3 +VER = 5.8
THISAPP = net-snmp-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = netsnmpd -PAK_VER = 7 +PAK_VER = 8
DEPS = ""
@@ -44,7 +44,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = d4a3459e1577d0efa8d96ca70a885e53 +$(DL_FILE)_MD5 = 63bfc65fbb86cdb616598df1aff6458a
install : $(TARGET)
@@ -77,7 +77,7 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/net-snmp-5.7.3-openssl.patch + $(UPDATE_AUTOMAKE) cd $(DIR_APP) && ./configure \ --prefix=/usr \ @@ -95,6 +95,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) sctp-mib rmon-mib etherlike-mib ucd-snmp/lmsensorsMib" --libdir=/usr/lib \ --sysconfdir="/etc" + cd $(DIR_APP) && make cd $(DIR_APP) && make install install -v -m 644 $(DIR_SRC)/config/netsnmpd/snmpd.conf /etc/snmpd.conf diff --git a/lfs/wpa_supplicant b/lfs/wpa_supplicant index 4d8174cbb..887ec6bd5 100644 --- a/lfs/wpa_supplicant +++ b/lfs/wpa_supplicant @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2018 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2019 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@
include Config
-VER = 2.6 +VER = 2.7
THISAPP = wpa_supplicant-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -41,7 +41,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 091569eb4440b7d7f2b4276dbfc03c3c +$(DL_FILE)_MD5 = a68538fb62766f40f890125026c42c10
install : $(TARGET)
@@ -75,16 +75,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
- # Security Patches https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages... - cd $(DIR_APP) && patch -p1 < $(DIR_SRC)/src/patches/wpa_supplicant/rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch - cd $(DIR_APP) && patch -p1 < $(DIR_SRC)/src/patches/wpa_supplicant/rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch - cd $(DIR_APP) && patch -p1 < $(DIR_SRC)/src/patches/wpa_supplicant/rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch - cd $(DIR_APP) && patch -p1 < $(DIR_SRC)/src/patches/wpa_supplicant/rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch - cd $(DIR_APP) && patch -p1 < $(DIR_SRC)/src/patches/wpa_supplicant/rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch - cd $(DIR_APP) && patch -p1 < $(DIR_SRC)/src/patches/wpa_supplicant/rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch - cd $(DIR_APP) && patch -p1 < $(DIR_SRC)/src/patches/wpa_supplicant/rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch - cd $(DIR_APP) && patch -p1 < $(DIR_SRC)/src/patches/wpa_supplicant/rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch - cd $(DIR_APP)/wpa_supplicant && cp $(DIR_SRC)/config/wpa_supplicant/config ./.config cd $(DIR_APP)/wpa_supplicant && sed -e "s/wpa_cli\ dynamic_eap_methods/wpa_cli\ #dynamic_eap_methods/" -i Makefile cd $(DIR_APP)/wpa_supplicant && sed -e "s@/usr/local@/usr@g" -i Makefile diff --git a/src/patches/hostapd/hostapd-2.6-noscan.patch b/src/patches/hostapd/hostapd-2.6-noscan.patch deleted file mode 100644 index 8009fa04b..000000000 --- a/src/patches/hostapd/hostapd-2.6-noscan.patch +++ /dev/null 
@@ -1,62 +0,0 @@ -diff -Naur hostapd-2.6.org/hostapd/config_file.c hostapd-2.6/hostapd/config_file.c ---- hostapd-2.6.org/hostapd/config_file.c 2016-10-02 20:51:11.000000000 +0200 -+++ hostapd-2.6/hostapd/config_file.c 2018-10-26 09:16:34.393456086 +0200 -@@ -2863,6 +2863,10 @@ - } - #endif /* CONFIG_IEEE80211W */ - #ifdef CONFIG_IEEE80211N -+ } else if (os_strcmp(buf, "noscan") == 0) { -+ conf->noscan = atoi(pos); -+ } else if (os_strcmp(buf, "ht_coex") == 0) { -+ conf->no_ht_coex = !atoi(pos); - } else if (os_strcmp(buf, "ieee80211n") == 0) { - conf->ieee80211n = atoi(pos); - } else if (os_strcmp(buf, "ht_capab") == 0) { -diff -Naur hostapd-2.6.org/src/ap/ap_config.h hostapd-2.6/src/ap/ap_config.h ---- hostapd-2.6.org/src/ap/ap_config.h 2016-10-02 20:51:11.000000000 +0200 -+++ hostapd-2.6/src/ap/ap_config.h 2018-10-26 09:16:34.393456086 +0200 -@@ -664,6 +664,8 @@ - - int ht_op_mode_fixed; - u16 ht_capab; -+ int noscan; -+ int no_ht_coex; - int ieee80211n; - int secondary_channel; - int no_pri_sec_switch; -diff -Naur hostapd-2.6.org/src/ap/hw_features.c hostapd-2.6/src/ap/hw_features.c ---- hostapd-2.6.org/src/ap/hw_features.c 2016-10-02 20:51:11.000000000 +0200 -+++ hostapd-2.6/src/ap/hw_features.c 2018-10-26 09:16:34.393456086 +0200 -@@ -474,7 +474,8 @@ - int ret; - - /* Check that HT40 is used and PRI / SEC switch is allowed */ -- if (!iface->conf->secondary_channel || iface->conf->no_pri_sec_switch) -+ if (!iface->conf->secondary_channel || iface->conf->no_pri_sec_switch || -+ iface->conf->noscan) - return 0; - - hostapd_set_state(iface, HAPD_IFACE_HT_SCAN); -diff -Naur hostapd-2.6.org/src/ap/ieee802_11_ht.c hostapd-2.6/src/ap/ieee802_11_ht.c ---- hostapd-2.6.org/src/ap/ieee802_11_ht.c 2016-10-02 20:51:11.000000000 +0200 -+++ hostapd-2.6/src/ap/ieee802_11_ht.c 2018-10-26 09:17:42.976793198 +0200 -@@ -244,6 +244,9 @@ - if (!(iface->conf->ht_capab & HT_CAP_INFO_SUPP_CHANNEL_WIDTH_SET)) - return; - -+ if (iface->conf->noscan || iface->conf->no_ht_coex) -+ return; 
-+ - if (len < IEEE80211_HDRLEN + 2 + sizeof(*bc_ie)) - return; - -@@ -368,6 +371,9 @@ - if (iface->current_mode->mode != HOSTAPD_MODE_IEEE80211G) - return; - -+ if (iface->conf->noscan || iface->conf->no_ht_coex) -+ return; -+ - wpa_printf(MSG_INFO, "HT: Forty MHz Intolerant is set by STA " MACSTR - " in Association Request", MAC2STR(sta->addr)); - diff --git a/src/patches/hostapd-2.3_increase_EAPOL-timeouts.patch b/src/patches/hostapd/hostapd-2.7-increase_EAPOL-timeouts.patch similarity index 50% rename from src/patches/hostapd-2.3_increase_EAPOL-timeouts.patch rename to src/patches/hostapd/hostapd-2.7-increase_EAPOL-timeouts.patch index bbda55a63..285b54c61 100644 --- a/src/patches/hostapd-2.3_increase_EAPOL-timeouts.patch +++ b/src/patches/hostapd/hostapd-2.7-increase_EAPOL-timeouts.patch @@ -1,16 +1,16 @@ -diff -Naur hostapd-2.3.org/src/ap/wpa_auth.c hostapd-2.3/src/ap/wpa_auth.c ---- hostapd-2.3.org/src/ap/wpa_auth.c 2014-10-09 16:41:31.000000000 +0200 -+++ hostapd-2.3/src/ap/wpa_auth.c 2015-04-07 16:32:10.671422975 +0200 -@@ -45,9 +45,9 @@ +diff U3 a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c +--- a/src/ap/wpa_auth.c Sun Dec 2 20:34:59 2018 ++++ b/src/ap/wpa_auth.c Mon Mar 4 15:47:26 2019 +@@ -63,9 +63,9 @@ + struct wpa_group *group); + static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos);
- static const u32 dot11RSNAConfigGroupUpdateCount = 4; - static const u32 dot11RSNAConfigPairwiseUpdateCount = 4; -static const u32 eapol_key_timeout_first = 100; /* ms */ -static const u32 eapol_key_timeout_subseq = 1000; /* ms */ -static const u32 eapol_key_timeout_first_group = 500; /* ms */ +static const u32 eapol_key_timeout_first = 300; /* ms */ +static const u32 eapol_key_timeout_subseq = 3000; /* ms */ +static const u32 eapol_key_timeout_first_group = 1500; /* ms */ + static const u32 eapol_key_timeout_no_retrans = 4000; /* ms */
/* TODO: make these configurable */ - static const int dot11RSNAConfigPMKLifetime = 43200; diff --git a/src/patches/hostapd/hostapd-2.7-noscan.patch b/src/patches/hostapd/hostapd-2.7-noscan.patch new file mode 100644 index 000000000..31219c8c5 --- /dev/null +++ b/src/patches/hostapd/hostapd-2.7-noscan.patch 
@@ -0,0 +1,62 @@ +diff U3 a/src/ap/ap_config.h b/src/ap/ap_config.h +--- a/src/ap/ap_config.h Sun Dec 2 20:34:59 2018 ++++ b/src/ap/ap_config.h Mon Mar 4 15:58:05 2019 +@@ -779,6 +779,8 @@ + + int ht_op_mode_fixed; + u16 ht_capab; ++ int noscan; ++ int no_ht_coex; + int ieee80211n; + int secondary_channel; + int no_pri_sec_switch; +diff U3 a/hostapd/config_file.c b/hostapd/config_file.c +--- a/hostapd/config_file.c Sun Dec 2 20:34:59 2018 ++++ b/hostapd/config_file.c Mon Mar 4 15:56:51 2019 +@@ -3317,6 +3317,10 @@ + } + #endif /* CONFIG_IEEE80211W */ + #ifdef CONFIG_IEEE80211N ++ } else if (os_strcmp(buf, "noscan") == 0) { ++ conf->noscan = atoi(pos); ++ } else if (os_strcmp(buf, "ht_coex") == 0) { ++ conf->no_ht_coex = !atoi(pos); + } else if (os_strcmp(buf, "ieee80211n") == 0) { + conf->ieee80211n = atoi(pos); + } else if (os_strcmp(buf, "ht_capab") == 0) { +diff U3 a/src/ap/hw_features.c b/src/ap/hw_features.c +--- a/src/ap/hw_features.c Sun Dec 2 20:34:59 2018 ++++ b/src/ap/hw_features.c Mon Mar 4 15:59:08 2019 +@@ -480,7 +480,8 @@ + int ret; + + /* Check that HT40 is used and PRI / SEC switch is allowed */ +- if (!iface->conf->secondary_channel || iface->conf->no_pri_sec_switch) ++ if (!iface->conf->secondary_channel || iface->conf->no_pri_sec_switch || ++ iface->conf->noscan) + return 0; + + hostapd_set_state(iface, HAPD_IFACE_HT_SCAN); +diff U3 a/src/ap/ieee802_11_ht.c b/src/ap/ieee802_11_ht.c +--- a/src/ap/ieee802_11_ht.c Sun Dec 2 20:34:59 2018 ++++ b/src/ap/ieee802_11_ht.c Mon Mar 4 16:02:13 2019 +@@ -252,6 +252,9 @@ + return; + } + ++ if (iface->conf->noscan || iface->conf->no_ht_coex) ++ return; ++ + if (len < IEEE80211_HDRLEN + 2 + sizeof(*bc_ie)) { + wpa_printf(MSG_DEBUG, + "Ignore too short 20/40 BSS Coexistence Management frame"); +@@ -410,6 +413,9 @@ + void ht40_intolerant_add(struct hostapd_iface *iface, struct sta_info *sta) + { + if (iface->current_mode->mode != HOSTAPD_MODE_IEEE80211G) ++ return; ++ ++ if (iface->conf->noscan || 
iface->conf->no_ht_coex) + return; + + wpa_printf(MSG_INFO, "HT: Forty MHz Intolerant is set by STA " MACSTR diff --git a/src/patches/net-snmp-5.7.3-openssl.patch b/src/patches/net-snmp-5.7.3-openssl.patch deleted file mode 100644 index 0651a24ec..000000000 --- a/src/patches/net-snmp-5.7.3-openssl.patch +++ /dev/null 
@@ -1,303 +0,0 @@ -diff -urNp old/apps/snmpusm.c new/apps/snmpusm.c ---- old/apps/snmpusm.c 2014-12-08 21:23:22.000000000 +0100 -+++ new/apps/snmpusm.c 2017-02-20 15:20:36.994022905 +0100 -@@ -190,7 +190,7 @@ get_USM_DH_key(netsnmp_variable_list *va - oid *keyoid, size_t keyoid_len) { - u_char *dhkeychange; - DH *dh; -- BIGNUM *other_pub; -+ BIGNUM *p, *g, *pub_key, *other_pub; - u_char *key; - size_t key_len; - -@@ -205,25 +205,29 @@ get_USM_DH_key(netsnmp_variable_list *va - dh = d2i_DHparams(NULL, &cp, dhvar->val_len); - } - -- if (!dh || !dh->g || !dh->p) { -+ if (dh) -+ DH_get0_pqg(dh, &p, NULL, &g); -+ -+ if (!dh || !g || !p) { - SNMP_FREE(dhkeychange); - return SNMPERR_GENERR; - } - -- DH_generate_key(dh); -- if (!dh->pub_key) { -+ if (!DH_generate_key(dh)) { - SNMP_FREE(dhkeychange); - return SNMPERR_GENERR; - } - -- if (vars->val_len != (unsigned int)BN_num_bytes(dh->pub_key)) { -+ DH_get0_key(dh, &pub_key, NULL); -+ -+ if (vars->val_len != (unsigned int)BN_num_bytes(pub_key)) { - SNMP_FREE(dhkeychange); - fprintf(stderr,"incorrect diffie-helman lengths (%lu != %d)\n", -- (unsigned long)vars->val_len, BN_num_bytes(dh->pub_key)); -+ (unsigned long)vars->val_len, BN_num_bytes(pub_key)); - return SNMPERR_GENERR; - } - -- BN_bn2bin(dh->pub_key, dhkeychange + vars->val_len); -+ BN_bn2bin(pub_key, dhkeychange + vars->val_len); - - key_len = DH_size(dh); - if (!key_len) { -diff -urNp old/configure new/configure ---- old/configure 2017-02-20 10:08:16.440396223 +0100 -+++ new/configure 2017-02-20 10:57:15.749734281 +0100 -@@ -23176,9 +23176,9 @@ $as_echo "#define HAVE_AES_CFB128_ENCRYP - fi - - -- as_ac_Lib=`$as_echo "ac_cv_lib_${CRYPTO}''_EVP_MD_CTX_create" | $as_tr_sh` --{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for EVP_MD_CTX_create in -l${CRYPTO}" >&5 --$as_echo_n "checking for EVP_MD_CTX_create in -l${CRYPTO}... 
" >&6; } -+ as_ac_Lib=`$as_echo "ac_cv_lib_${CRYPTO}''_EVP_MD_CTX_new" | $as_tr_sh` -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for EVP_MD_CTX_new in -l${CRYPTO}" >&5 -+$as_echo_n "checking for EVP_MD_CTX_new in -l${CRYPTO}... " >&6; } - if eval ${$as_ac_Lib+:} false; then : - $as_echo_n "(cached) " >&6 - else -@@ -23193,11 +23193,11 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ - #ifdef __cplusplus - extern "C" - #endif --char EVP_MD_CTX_create (); -+char EVP_MD_CTX_new (); - int - main () - { --return EVP_MD_CTX_create (); -+return EVP_MD_CTX_new (); - ; - return 0; - } -@@ -23216,10 +23216,10 @@ eval ac_res=$$as_ac_Lib - $as_echo "$ac_res" >&6; } - if eval test "x$"$as_ac_Lib"" = x"yes"; then : - --$as_echo "#define HAVE_EVP_MD_CTX_CREATE /**/" >>confdefs.h -+$as_echo "#define HAVE_EVP_MD_CTX_NEW /**/" >>confdefs.h - - --$as_echo "#define HAVE_EVP_MD_CTX_DESTROY /**/" >>confdefs.h -+$as_echo "#define HAVE_EVP_MD_CTX_FREE /**/" >>confdefs.h - - fi - -@@ -23293,7 +23293,7 @@ char SSL_library_init (); - int - main () - { --return SSL_library_init (); -+return OPENSSL_init_ssl(0, NULL); - ; - return 0; - } -diff -urNp old/configure.d/config_os_libs2 new/configure.d/config_os_libs2 ---- old/configure.d/config_os_libs2 2014-12-08 21:23:22.000000000 +0100 -+++ new/configure.d/config_os_libs2 2017-02-20 10:56:21.041616611 +0100 -@@ -292,11 +292,11 @@ if test "x$tryopenssl" != "xno" -a "x$tr - AC_DEFINE(HAVE_AES_CFB128_ENCRYPT, 1, - [Define to 1 if you have the `AES_cfb128_encrypt' function.])) - -- AC_CHECK_LIB(${CRYPTO}, EVP_MD_CTX_create, -- AC_DEFINE([HAVE_EVP_MD_CTX_CREATE], [], -- [Define to 1 if you have the `EVP_MD_CTX_create' function.]) -- AC_DEFINE([HAVE_EVP_MD_CTX_DESTROY], [], -- [Define to 1 if you have the `EVP_MD_CTX_destroy' function.])) -+ AC_CHECK_LIB(${CRYPTO}, EVP_MD_CTX_new, -+ AC_DEFINE([HAVE_EVP_MD_CTX_NEW], [], -+ [Define to 1 if you have the `EVP_MD_CTX_new' function.]) -+ AC_DEFINE([HAVE_EVP_MD_CTX_FREE], [], -+ [Define to 1 if you have 
the `EVP_MD_CTX_free' function.])) - fi - if echo " $transport_result_list " | $GREP "DTLS" > /dev/null; then - AC_CHECK_LIB(ssl, DTLSv1_method, -@@ -307,7 +307,7 @@ if test "x$tryopenssl" != "xno" -a "x$tr - TLSPROG=yes - fi - if echo " $transport_result_list " | $GREP "TLS" > /dev/null; then -- AC_CHECK_LIB(ssl, SSL_library_init, -+ AC_CHECK_LIB(ssl, OPENSSL_init_ssl, - AC_DEFINE(HAVE_LIBSSL, 1, - [Define to 1 if you have the `ssl' library (-lssl).]) - LIBCRYPTO=" -lssl $LIBCRYPTO", -diff -urNp old/include/net-snmp/net-snmp-config.h.in new/include/net-snmp/net-snmp-config.h.in ---- old/include/net-snmp/net-snmp-config.h.in 2017-02-20 10:08:16.443522417 +0100 -+++ new/include/net-snmp/net-snmp-config.h.in 2017-02-20 10:24:05.790584283 +0100 -@@ -149,11 +149,11 @@ - /* Define to 1 if you have the `eval_pv' function. */ - #undef HAVE_EVAL_PV - --/* Define to 1 if you have the `EVP_MD_CTX_create' function. */ --#undef HAVE_EVP_MD_CTX_CREATE -+/* Define to 1 if you have the `EVP_MD_CTX_new' function. */ -+#undef HAVE_EVP_MD_CTX_NEW - --/* Define to 1 if you have the `EVP_MD_CTX_destroy' function. */ --#undef HAVE_EVP_MD_CTX_DESTROY -+/* Define to 1 if you have the `EVP_MD_CTX_free' function. 
*/ -+#undef HAVE_EVP_MD_CTX_FREE - - /* Define if you have EVP_sha224/256 in openssl */ - #undef HAVE_EVP_SHA224 -diff -urNp old/snmplib/keytools.c new/snmplib/keytools.c ---- old/snmplib/keytools.c 2014-12-08 21:23:22.000000000 +0100 -+++ new/snmplib/keytools.c 2017-02-20 10:30:27.412068264 +0100 -@@ -149,8 +149,8 @@ generate_Ku(const oid * hashtype, u_int - */ - #ifdef NETSNMP_USE_OPENSSL - --#ifdef HAVE_EVP_MD_CTX_CREATE -- ctx = EVP_MD_CTX_create(); -+#ifdef HAVE_EVP_MD_CTX_NEW -+ ctx = EVP_MD_CTX_new(); - #else - ctx = malloc(sizeof(*ctx)); - if (!EVP_MD_CTX_init(ctx)) -@@ -259,8 +259,8 @@ generate_Ku(const oid * hashtype, u_int - memset(buf, 0, sizeof(buf)); - #ifdef NETSNMP_USE_OPENSSL - if (ctx) { --#ifdef HAVE_EVP_MD_CTX_DESTROY -- EVP_MD_CTX_destroy(ctx); -+#ifdef HAVE_EVP_MD_CTX_FREE -+ EVP_MD_CTX_free(ctx); - #else - EVP_MD_CTX_cleanup(ctx); - free(ctx); -diff -urNp old/snmplib/scapi.c new/snmplib/scapi.c ---- old/snmplib/scapi.c 2014-12-08 21:23:22.000000000 +0100 -+++ new/snmplib/scapi.c 2017-02-20 10:27:34.152379515 +0100 -@@ -486,14 +486,14 @@ sc_hash(const oid * hashtype, size_t has - } - - /** initialize the pointer */ --#ifdef HAVE_EVP_MD_CTX_CREATE -- cptr = EVP_MD_CTX_create(); -+#ifdef HAVE_EVP_MD_CTX_NEW -+ cptr = EVP_MD_CTX_new(); - #else - cptr = malloc(sizeof(*cptr)); - #if defined(OLD_DES) - memset(cptr, 0, sizeof(*cptr)); - #else -- EVP_MD_CTX_init(cptr); -+ EVP_MD_CTX_init(&cptr); - #endif - #endif - if (!EVP_DigestInit(cptr, hashfn)) { -@@ -507,11 +507,11 @@ sc_hash(const oid * hashtype, size_t has - /** do the final pass */ - EVP_DigestFinal(cptr, MAC, &tmp_len); - *MAC_len = tmp_len; --#ifdef HAVE_EVP_MD_CTX_DESTROY -- EVP_MD_CTX_destroy(cptr); -+#ifdef HAVE_EVP_MD_CTX_FREE -+ EVP_MD_CTX_free(cptr); - #else - #if !defined(OLD_DES) -- EVP_MD_CTX_cleanup(cptr); -+ EVP_MD_CTX_cleanup(&cptr); - #endif - free(cptr); - #endif -diff -urNp old/snmplib/snmp_openssl.c new/snmplib/snmp_openssl.c ---- old/snmplib/snmp_openssl.c 2014-12-08 
21:23:22.000000000 +0100 -+++ new/snmplib/snmp_openssl.c 2017-02-20 12:46:00.059727928 +0100 -@@ -47,7 +47,7 @@ void netsnmp_init_openssl(void) { - DEBUGMSGTL(("snmp_openssl", "initializing\n")); - - /* Initializing OpenSSL */ -- SSL_library_init(); -+ OPENSSL_init_ssl(0, NULL); - SSL_load_error_strings(); - ERR_load_BIO_strings(); - OpenSSL_add_all_algorithms(); -@@ -164,11 +164,11 @@ netsnmp_openssl_cert_dump_names(X509 *oc - oname_entry = X509_NAME_get_entry(osubj_name, i); - netsnmp_assert(NULL != oname_entry); - -- if (oname_entry->value->type != V_ASN1_PRINTABLESTRING) -+ if (X509_NAME_ENTRY_get_data(oname_entry)->type != V_ASN1_PRINTABLESTRING) - continue; - - /** get NID */ -- onid = OBJ_obj2nid(oname_entry->object); -+ onid = OBJ_obj2nid(X509_NAME_ENTRY_get_object(oname_entry)); - if (onid == NID_undef) { - prefix_long = prefix_short = "UNKNOWN"; - } -@@ -179,9 +179,9 @@ netsnmp_openssl_cert_dump_names(X509 *oc - - DEBUGMSGT(("9:cert:dump:names", - "[%02d] NID type %d, ASN type %d\n", i, onid, -- oname_entry->value->type)); -+ X509_NAME_ENTRY_get_data(oname_entry)->type)); - DEBUGMSGT(("9:cert:dump:names", "%s/%s: '%s'\n", prefix_long, -- prefix_short, ASN1_STRING_data(oname_entry->value))); -+ prefix_short, ASN1_STRING_data(X509_NAME_ENTRY_get_data(oname_entry)))); - } - } - #endif /* NETSNMP_FEATURE_REMOVE_CERT_DUMP_NAMES */ -@@ -470,7 +470,7 @@ netsnmp_openssl_cert_get_hash_type(X509 - if (NULL == ocert) - return 0; - -- return _nid2ht(OBJ_obj2nid(ocert->sig_alg->algorithm)); -+ return _nid2ht(X509_get_signature_nid(ocert)); - } - - /** -@@ -487,7 +487,7 @@ netsnmp_openssl_cert_get_fingerprint(X50 - if (NULL == ocert) - return NULL; - -- nid = OBJ_obj2nid(ocert->sig_alg->algorithm); -+ nid = X509_get_signature_nid(ocert); - DEBUGMSGT(("9:openssl:fingerprint", "alg %d, cert nid %d (%d)\n", alg, nid, - _nid2ht(nid))); - -diff -urNp old/win32/net-snmp/net-snmp-config.h new/win32/net-snmp/net-snmp-config.h ---- old/win32/net-snmp/net-snmp-config.h 
2014-12-08 21:23:22.000000000 +0100 -+++ new/win32/net-snmp/net-snmp-config.h 2017-02-20 10:23:20.796778512 +0100 -@@ -1366,11 +1366,11 @@ - /* Define to 1 if you have the <openssl/aes.h> header file. */ - #define HAVE_OPENSSL_AES_H 1 - --/* Define to 1 if you have the `EVP_MD_CTX_create' function. */ --#define HAVE_EVP_MD_CTX_CREATE 1 -+/* Define to 1 if you have the `EVP_MD_CTX_new' function. */ -+#define HAVE_EVP_MD_CTX_NEW 1 - --/* Define to 1 if you have the `EVP_MD_CTX_destroy' function. */ --#define HAVE_EVP_MD_CTX_DESTROY 1 -+/* Define to 1 if you have the `EVP_MD_CTX_free' function. */ -+#define HAVE_EVP_MD_CTX_FREE 1 - - /* Define to 1 if you have the `AES_cfb128_encrypt' function. */ - #define HAVE_AES_CFB128_ENCRYPT 1 -diff -urNp old/win32/net-snmp/net-snmp-config.h.in new/win32/net-snmp/net-snmp-config.h.in ---- old/win32/net-snmp/net-snmp-config.h.in 2014-12-08 21:23:22.000000000 +0100 -+++ new/win32/net-snmp/net-snmp-config.h.in 2017-02-20 10:22:51.348367754 +0100 -@@ -1366,11 +1366,11 @@ - /* Define to 1 if you have the <openssl/aes.h> header file. */ - #define HAVE_OPENSSL_AES_H 1 - --/* Define to 1 if you have the `EVP_MD_CTX_create' function. */ --#define HAVE_EVP_MD_CTX_CREATE 1 -+/* Define to 1 if you have the `EVP_MD_CTX_new' function. */ -+#define HAVE_EVP_MD_CTX_NEW 1 - --/* Define to 1 if you have the `EVP_MD_CTX_destroy' function. */ --#define HAVE_EVP_MD_CTX_DESTROY 1 -+/* Define to 1 if you have the `EVP_MD_CTX_free' function. */ -+#define HAVE_EVP_MD_CTX_FREE 1 - - /* Define to 1 if you have the `AES_cfb128_encrypt' function. */ - #define HAVE_AES_CFB128_ENCRYPT 1 diff --git a/src/patches/wpa_supplicant/0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch b/src/patches/wpa_supplicant/0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch deleted file mode 100644 index 91630834c..000000000 --- a/src/patches/wpa_supplicant/0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch +++ /dev/null 
@@ -1,174 +0,0 @@ -From 3692833a62280a0270e4e1ba30f9acf5a8c8f808 Mon Sep 17 00:00:00 2001 -From: Mathy Vanhoef Mathy.Vanhoef@cs.kuleuven.be -Date: Fri, 14 Jul 2017 15:15:35 +0200 -Subject: [PATCH 1/8] hostapd: Avoid key reinstallation in FT handshake - -Do not reinstall TK to the driver during Reassociation Response frame -processing if the first attempt of setting the TK succeeded. This avoids -issues related to clearing the TX/RX PN that could result in reusing -same PN values for transmitted frames (e.g., due to CCM nonce reuse and -also hitting replay protection on the receiver) and accepting replayed -frames on RX side. - -This issue was introduced by the commit -0e84c25434e6a1f283c7b4e62e483729085b78d2 ('FT: Fix PTK configuration in -authenticator') which allowed wpa_ft_install_ptk() to be called multiple -times with the same PTK. While the second configuration attempt is -needed with some drivers, it must be done only if the first attempt -failed. - -Signed-off-by: Mathy Vanhoef Mathy.Vanhoef@cs.kuleuven.be ---- - src/ap/ieee802_11.c | 16 +++++++++++++--- - src/ap/wpa_auth.c | 11 +++++++++++ - src/ap/wpa_auth.h | 3 ++- - src/ap/wpa_auth_ft.c | 10 ++++++++++ - src/ap/wpa_auth_i.h | 1 + - 5 files changed, 37 insertions(+), 4 deletions(-) - -diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c -index 5163139..174af8b 100644 ---- a/src/ap/ieee802_11.c -+++ b/src/ap/ieee802_11.c -@@ -2552,6 +2552,7 @@ static int add_associated_sta(struct hostapd_data *hapd, - { - struct ieee80211_ht_capabilities ht_cap; - struct ieee80211_vht_capabilities vht_cap; -+ int set = 1; - - /* - * Remove the STA entry to ensure the STA PS state gets cleared and -@@ -2559,9 +2560,18 @@ static int add_associated_sta(struct hostapd_data *hapd, - * FT-over-the-DS, where a station re-associates back to the same AP but - * skips the authentication flow, or if working with a driver that - * does not support full AP client state. 
-+ * -+ * Skip this if the STA has already completed FT reassociation and the -+ * TK has been configured since the TX/RX PN must not be reset to 0 for -+ * the same key. - */ -- if (!sta->added_unassoc) -+ if (!sta->added_unassoc && -+ (!(sta->flags & WLAN_STA_AUTHORIZED) || -+ !wpa_auth_sta_ft_tk_already_set(sta->wpa_sm))) { - hostapd_drv_sta_remove(hapd, sta->addr); -+ wpa_auth_sm_event(sta->wpa_sm, WPA_DRV_STA_REMOVED); -+ set = 0; -+ } - - #ifdef CONFIG_IEEE80211N - if (sta->flags & WLAN_STA_HT) -@@ -2584,11 +2594,11 @@ static int add_associated_sta(struct hostapd_data *hapd, - sta->flags & WLAN_STA_VHT ? &vht_cap : NULL, - sta->flags | WLAN_STA_ASSOC, sta->qosinfo, - sta->vht_opmode, sta->p2p_ie ? 1 : 0, -- sta->added_unassoc)) { -+ set)) { - hostapd_logger(hapd, sta->addr, - HOSTAPD_MODULE_IEEE80211, HOSTAPD_LEVEL_NOTICE, - "Could not %s STA to kernel driver", -- sta->added_unassoc ? "set" : "add"); -+ set ? "set" : "add"); - - if (sta->added_unassoc) { - hostapd_drv_sta_remove(hapd, sta->addr); -diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c -index aca687c..42ef0bf 100644 ---- a/src/ap/wpa_auth.c -+++ b/src/ap/wpa_auth.c -@@ -1785,6 +1785,9 @@ int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event) - #else /* CONFIG_FILS */ - break; - #endif /* CONFIG_FILS */ -+ case WPA_DRV_STA_REMOVED: -+ sm->tk_already_set = FALSE; -+ return 0; - } - - #ifdef CONFIG_IEEE80211R_AP -@@ -3939,6 +3942,14 @@ int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm) - } - - -+int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm) -+{ -+ if (!sm || !wpa_key_mgmt_ft(sm->wpa_key_mgmt)) -+ return 0; -+ return sm->tk_already_set; -+} -+ -+ - int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm, - struct rsn_pmksa_cache_entry *entry) - { -diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h -index 5e8a4cc..f92f8b6 100644 ---- a/src/ap/wpa_auth.h -+++ b/src/ap/wpa_auth.h -@@ -300,7 +300,7 @@ void wpa_receive(struct wpa_authenticator *wpa_auth, - u8 
*data, size_t data_len); - enum wpa_event { - WPA_AUTH, WPA_ASSOC, WPA_DISASSOC, WPA_DEAUTH, WPA_REAUTH, -- WPA_REAUTH_EAPOL, WPA_ASSOC_FT, WPA_ASSOC_FILS -+ WPA_REAUTH_EAPOL, WPA_ASSOC_FT, WPA_ASSOC_FILS, WPA_DRV_STA_REMOVED - }; - void wpa_remove_ptk(struct wpa_state_machine *sm); - int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event); -@@ -313,6 +313,7 @@ int wpa_auth_pairwise_set(struct wpa_state_machine *sm); - int wpa_auth_get_pairwise(struct wpa_state_machine *sm); - int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm); - int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm); -+int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm); - int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm, - struct rsn_pmksa_cache_entry *entry); - struct rsn_pmksa_cache_entry * -diff --git a/src/ap/wpa_auth_ft.c b/src/ap/wpa_auth_ft.c -index dd99db7..2120cfd 100644 ---- a/src/ap/wpa_auth_ft.c -+++ b/src/ap/wpa_auth_ft.c -@@ -1937,6 +1937,14 @@ void wpa_ft_install_ptk(struct wpa_state_machine *sm) - return; - } - -+ if (sm->tk_already_set) { -+ /* Must avoid TK reconfiguration to prevent clearing of TX/RX -+ * PN in the driver */ -+ wpa_printf(MSG_DEBUG, -+ "FT: Do not re-install same PTK to the driver"); -+ return; -+ } -+ - /* FIX: add STA entry to kernel/driver here? The set_key will fail - * most likely without this.. At the moment, STA entry is added only - * after association has been completed. 
This function will be called -@@ -1949,6 +1957,7 @@ void wpa_ft_install_ptk(struct wpa_state_machine *sm) - - /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */ - sm->pairwise_set = TRUE; -+ sm->tk_already_set = TRUE; - } - - -@@ -2152,6 +2161,7 @@ static int wpa_ft_process_auth_req(struct wpa_state_machine *sm, - - sm->pairwise = pairwise; - sm->PTK_valid = TRUE; -+ sm->tk_already_set = FALSE; - wpa_ft_install_ptk(sm); - - buflen = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) + -diff --git a/src/ap/wpa_auth_i.h b/src/ap/wpa_auth_i.h -index 23d2af3..b779af7 100644 ---- a/src/ap/wpa_auth_i.h -+++ b/src/ap/wpa_auth_i.h -@@ -61,6 +61,7 @@ struct wpa_state_machine { - struct wpa_ptk PTK; - Boolean PTK_valid; - Boolean pairwise_set; -+ Boolean tk_already_set; - int keycount; - Boolean Pair; - struct wpa_key_replay_counter { --- -2.7.4 - diff --git a/src/patches/wpa_supplicant/0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch b/src/patches/wpa_supplicant/0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch deleted file mode 100644 index e372e329c..000000000 --- a/src/patches/wpa_supplicant/0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch +++ /dev/null 
@@ -1,259 +0,0 @@ -From cf62cadcadc68377d72e2238a0f06b21c0777f90 Mon Sep 17 00:00:00 2001 -From: Mathy Vanhoef Mathy.Vanhoef@cs.kuleuven.be -Date: Wed, 12 Jul 2017 16:03:24 +0200 -Subject: [PATCH 2/8] Prevent reinstallation of an already in-use group key - -Track the current GTK and IGTK that is in use and when receiving a -(possibly retransmitted) Group Message 1 or WNM-Sleep Mode Response, do -not install the given key if it is already in use. This prevents an -attacker from trying to trick the client into resetting or lowering the -sequence counter associated to the group key. - -Signed-off-by: Mathy Vanhoef Mathy.Vanhoef@cs.kuleuven.be ---- - src/common/wpa_common.h | 11 +++++ - src/rsn_supp/wpa.c | 118 ++++++++++++++++++++++++++++++------------------ - src/rsn_supp/wpa_i.h | 4 ++ - 3 files changed, 88 insertions(+), 45 deletions(-) - -diff --git a/src/common/wpa_common.h b/src/common/wpa_common.h -index cc8edf8..0872b12 100644 ---- a/src/common/wpa_common.h -+++ b/src/common/wpa_common.h -@@ -221,6 +221,17 @@ struct wpa_ptk { - size_t tk_len; - }; - -+struct wpa_gtk { -+ u8 gtk[WPA_GTK_MAX_LEN]; -+ size_t gtk_len; -+}; -+ -+#ifdef CONFIG_IEEE80211W -+struct wpa_igtk { -+ u8 igtk[WPA_IGTK_MAX_LEN]; -+ size_t igtk_len; -+}; -+#endif /* CONFIG_IEEE80211W */ - - /* WPA IE version 1 - * 00-50-f2:1 (OUI:OUI type) -diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c -index 739689d..5e5fb2a 100644 ---- a/src/rsn_supp/wpa.c -+++ b/src/rsn_supp/wpa.c -@@ -800,6 +800,15 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm, - const u8 *_gtk = gd->gtk; - u8 gtk_buf[32]; - -+ /* Detect possible key reinstallation */ -+ if (sm->gtk.gtk_len == (size_t) gd->gtk_len && -+ os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) { -+ wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, -+ "WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)", -+ gd->keyidx, gd->tx, gd->gtk_len); -+ return 0; -+ } -+ - wpa_hexdump_key(MSG_DEBUG, "WPA: Group Key", gd->gtk, 
gd->gtk_len); - wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, - "WPA: Installing GTK to the driver (keyidx=%d tx=%d len=%d)", -@@ -834,6 +843,9 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm, - } - os_memset(gtk_buf, 0, sizeof(gtk_buf)); - -+ sm->gtk.gtk_len = gd->gtk_len; -+ os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len); -+ - return 0; - } - -@@ -940,6 +952,48 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm, - } - - -+#ifdef CONFIG_IEEE80211W -+static int wpa_supplicant_install_igtk(struct wpa_sm *sm, -+ const struct wpa_igtk_kde *igtk) -+{ -+ size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher); -+ u16 keyidx = WPA_GET_LE16(igtk->keyid); -+ -+ /* Detect possible key reinstallation */ -+ if (sm->igtk.igtk_len == len && -+ os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) { -+ wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, -+ "WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)", -+ keyidx); -+ return 0; -+ } -+ -+ wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, -+ "WPA: IGTK keyid %d pn %02x%02x%02x%02x%02x%02x", -+ keyidx, MAC2STR(igtk->pn)); -+ wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK", igtk->igtk, len); -+ if (keyidx > 4095) { -+ wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, -+ "WPA: Invalid IGTK KeyID %d", keyidx); -+ return -1; -+ } -+ if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher), -+ broadcast_ether_addr, -+ keyidx, 0, igtk->pn, sizeof(igtk->pn), -+ igtk->igtk, len) < 0) { -+ wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, -+ "WPA: Failed to configure IGTK to the driver"); -+ return -1; -+ } -+ -+ sm->igtk.igtk_len = len; -+ os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len); -+ -+ return 0; -+} -+#endif /* CONFIG_IEEE80211W */ -+ -+ - static int ieee80211w_set_keys(struct wpa_sm *sm, - struct wpa_eapol_ie_parse *ie) - { -@@ -950,30 +1004,14 @@ static int ieee80211w_set_keys(struct wpa_sm *sm, - if (ie->igtk) { - size_t len; - const struct wpa_igtk_kde *igtk; -- u16 keyidx; -+ - len = wpa_cipher_key_len(sm->mgmt_group_cipher); 
- if (ie->igtk_len != WPA_IGTK_KDE_PREFIX_LEN + len) - return -1; -+ - igtk = (const struct wpa_igtk_kde *) ie->igtk; -- keyidx = WPA_GET_LE16(igtk->keyid); -- wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: IGTK keyid %d " -- "pn %02x%02x%02x%02x%02x%02x", -- keyidx, MAC2STR(igtk->pn)); -- wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK", -- igtk->igtk, len); -- if (keyidx > 4095) { -- wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, -- "WPA: Invalid IGTK KeyID %d", keyidx); -- return -1; -- } -- if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher), -- broadcast_ether_addr, -- keyidx, 0, igtk->pn, sizeof(igtk->pn), -- igtk->igtk, len) < 0) { -- wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, -- "WPA: Failed to configure IGTK to the driver"); -+ if (wpa_supplicant_install_igtk(sm, igtk) < 0) - return -1; -- } - } - - return 0; -@@ -2491,7 +2529,7 @@ void wpa_sm_deinit(struct wpa_sm *sm) - */ - void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid) - { -- int clear_ptk = 1; -+ int clear_keys = 1; - - if (sm == NULL) - return; -@@ -2517,7 +2555,7 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid) - /* Prepare for the next transition */ - wpa_ft_prepare_auth_request(sm, NULL); - -- clear_ptk = 0; -+ clear_keys = 0; - } - #endif /* CONFIG_IEEE80211R */ - #ifdef CONFIG_FILS -@@ -2527,11 +2565,11 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid) - * AUTHENTICATED state to get the EAPOL port Authorized. - */ - wpa_supplicant_key_neg_complete(sm, sm->bssid, 1); -- clear_ptk = 0; -+ clear_keys = 0; - } - #endif /* CONFIG_FILS */ - -- if (clear_ptk) { -+ if (clear_keys) { - /* - * IEEE 802.11, 8.4.10: Delete PTK SA on (re)association if - * this is not part of a Fast BSS Transition. 
-@@ -2541,6 +2579,10 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid) - os_memset(&sm->ptk, 0, sizeof(sm->ptk)); - sm->tptk_set = 0; - os_memset(&sm->tptk, 0, sizeof(sm->tptk)); -+ os_memset(&sm->gtk, 0, sizeof(sm->gtk)); -+#ifdef CONFIG_IEEE80211W -+ os_memset(&sm->igtk, 0, sizeof(sm->igtk)); -+#endif /* CONFIG_IEEE80211W */ - } - - #ifdef CONFIG_TDLS -@@ -3117,6 +3159,10 @@ void wpa_sm_drop_sa(struct wpa_sm *sm) - os_memset(sm->pmk, 0, sizeof(sm->pmk)); - os_memset(&sm->ptk, 0, sizeof(sm->ptk)); - os_memset(&sm->tptk, 0, sizeof(sm->tptk)); -+ os_memset(&sm->gtk, 0, sizeof(sm->gtk)); -+#ifdef CONFIG_IEEE80211W -+ os_memset(&sm->igtk, 0, sizeof(sm->igtk)); -+#endif /* CONFIG_IEEE80211W */ - #ifdef CONFIG_IEEE80211R - os_memset(sm->xxkey, 0, sizeof(sm->xxkey)); - os_memset(sm->pmk_r0, 0, sizeof(sm->pmk_r0)); -@@ -3189,29 +3235,11 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf) - os_memset(&gd, 0, sizeof(gd)); - #ifdef CONFIG_IEEE80211W - } else if (subelem_id == WNM_SLEEP_SUBELEM_IGTK) { -- struct wpa_igtk_kde igd; -- u16 keyidx; -- -- os_memset(&igd, 0, sizeof(igd)); -- keylen = wpa_cipher_key_len(sm->mgmt_group_cipher); -- os_memcpy(igd.keyid, buf + 2, 2); -- os_memcpy(igd.pn, buf + 4, 6); -- -- keyidx = WPA_GET_LE16(igd.keyid); -- os_memcpy(igd.igtk, buf + 10, keylen); -- -- wpa_hexdump_key(MSG_DEBUG, "Install IGTK (WNM SLEEP)", -- igd.igtk, keylen); -- if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher), -- broadcast_ether_addr, -- keyidx, 0, igd.pn, sizeof(igd.pn), -- igd.igtk, keylen) < 0) { -- wpa_printf(MSG_DEBUG, "Failed to install the IGTK in " -- "WNM mode"); -- os_memset(&igd, 0, sizeof(igd)); -+ const struct wpa_igtk_kde *igtk; -+ -+ igtk = (const struct wpa_igtk_kde *) (buf + 2); -+ if (wpa_supplicant_install_igtk(sm, igtk) < 0) - return -1; -- } -- os_memset(&igd, 0, sizeof(igd)); - #endif /* CONFIG_IEEE80211W */ - } else { - wpa_printf(MSG_DEBUG, "Unknown element id"); -diff --git 
a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h -index 82e1941..2827ed6 100644 ---- a/src/rsn_supp/wpa_i.h -+++ b/src/rsn_supp/wpa_i.h -@@ -31,6 +31,10 @@ struct wpa_sm { - u8 rx_replay_counter[WPA_REPLAY_COUNTER_LEN]; - int rx_replay_counter_set; - u8 request_counter[WPA_REPLAY_COUNTER_LEN]; -+ struct wpa_gtk gtk; -+#ifdef CONFIG_IEEE80211W -+ struct wpa_igtk igtk; -+#endif /* CONFIG_IEEE80211W */ - - struct eapol_sm *eapol; /* EAPOL state machine from upper level code */ - --- -2.7.4 - diff --git a/src/patches/wpa_supplicant/0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch b/src/patches/wpa_supplicant/0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch deleted file mode 100644 index 68059de04..000000000 --- a/src/patches/wpa_supplicant/0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch +++ /dev/null 
@@ -1,193 +0,0 @@ -From a0d426a662997b87095c87edc1d2bdc6e1c8fd11 Mon Sep 17 00:00:00 2001 -From: Jouni Malinen j@w1.fi -Date: Sun, 1 Oct 2017 12:12:24 +0300 -Subject: [PATCH 3/8] Extend protection of GTK/IGTK reinstallation of WNM-Sleep - Mode cases - -This extends the protection to track last configured GTK/IGTK value -separately from EAPOL-Key frames and WNM-Sleep Mode frames to cover a -corner case where these two different mechanisms may get used when the -GTK/IGTK has changed and tracking a single value is not sufficient to -detect a possible key reconfiguration. - -Signed-off-by: Jouni Malinen j@w1.fi ---- - src/rsn_supp/wpa.c | 55 +++++++++++++++++++++++++++++++++++++--------------- - src/rsn_supp/wpa_i.h | 2 ++ - 2 files changed, 41 insertions(+), 16 deletions(-) - -diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c -index 5e5fb2a..3c8871d 100644 ---- a/src/rsn_supp/wpa.c -+++ b/src/rsn_supp/wpa.c -@@ -795,14 +795,17 @@ struct wpa_gtk_data { - - static int wpa_supplicant_install_gtk(struct wpa_sm *sm, - const struct wpa_gtk_data *gd, -- const u8 *key_rsc) -+ const u8 *key_rsc, int wnm_sleep) - { - const u8 *_gtk = gd->gtk; - u8 gtk_buf[32]; - - /* Detect possible key reinstallation */ -- if (sm->gtk.gtk_len == (size_t) gd->gtk_len && -- os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) { -+ if ((sm->gtk.gtk_len == (size_t) gd->gtk_len && -+ os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) || -+ (sm->gtk_wnm_sleep.gtk_len == (size_t) gd->gtk_len && -+ os_memcmp(sm->gtk_wnm_sleep.gtk, gd->gtk, -+ sm->gtk_wnm_sleep.gtk_len) == 0)) { - wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, - "WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)", - gd->keyidx, gd->tx, gd->gtk_len); -@@ -843,8 +846,14 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm, - } - os_memset(gtk_buf, 0, sizeof(gtk_buf)); - -- sm->gtk.gtk_len = gd->gtk_len; -- os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len); -+ if (wnm_sleep) { -+ sm->gtk_wnm_sleep.gtk_len 
= gd->gtk_len; -+ os_memcpy(sm->gtk_wnm_sleep.gtk, gd->gtk, -+ sm->gtk_wnm_sleep.gtk_len); -+ } else { -+ sm->gtk.gtk_len = gd->gtk_len; -+ os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len); -+ } - - return 0; - } -@@ -938,7 +947,7 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm, - (wpa_supplicant_check_group_cipher(sm, sm->group_cipher, - gtk_len, gtk_len, - &gd.key_rsc_len, &gd.alg) || -- wpa_supplicant_install_gtk(sm, &gd, key_rsc))) { -+ wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0))) { - wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, - "RSN: Failed to install GTK"); - os_memset(&gd, 0, sizeof(gd)); -@@ -954,14 +963,18 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm, - - #ifdef CONFIG_IEEE80211W - static int wpa_supplicant_install_igtk(struct wpa_sm *sm, -- const struct wpa_igtk_kde *igtk) -+ const struct wpa_igtk_kde *igtk, -+ int wnm_sleep) - { - size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher); - u16 keyidx = WPA_GET_LE16(igtk->keyid); - - /* Detect possible key reinstallation */ -- if (sm->igtk.igtk_len == len && -- os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) { -+ if ((sm->igtk.igtk_len == len && -+ os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) || -+ (sm->igtk_wnm_sleep.igtk_len == len && -+ os_memcmp(sm->igtk_wnm_sleep.igtk, igtk->igtk, -+ sm->igtk_wnm_sleep.igtk_len) == 0)) { - wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, - "WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)", - keyidx); -@@ -986,8 +999,14 @@ static int wpa_supplicant_install_igtk(struct wpa_sm *sm, - return -1; - } - -- sm->igtk.igtk_len = len; -- os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len); -+ if (wnm_sleep) { -+ sm->igtk_wnm_sleep.igtk_len = len; -+ os_memcpy(sm->igtk_wnm_sleep.igtk, igtk->igtk, -+ sm->igtk_wnm_sleep.igtk_len); -+ } else { -+ sm->igtk.igtk_len = len; -+ os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len); -+ } - - return 0; - } -@@ -1010,7 +1029,7 @@ static int ieee80211w_set_keys(struct 
wpa_sm *sm, - return -1; - - igtk = (const struct wpa_igtk_kde *) ie->igtk; -- if (wpa_supplicant_install_igtk(sm, igtk) < 0) -+ if (wpa_supplicant_install_igtk(sm, igtk, 0) < 0) - return -1; - } - -@@ -1659,7 +1678,7 @@ static void wpa_supplicant_process_1_of_2(struct wpa_sm *sm, - if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc)) - key_rsc = null_rsc; - -- if (wpa_supplicant_install_gtk(sm, &gd, key_rsc) || -+ if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0) || - wpa_supplicant_send_2_of_2(sm, key, ver, key_info) < 0) - goto failed; - os_memset(&gd, 0, sizeof(gd)); -@@ -2580,8 +2599,10 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid) - sm->tptk_set = 0; - os_memset(&sm->tptk, 0, sizeof(sm->tptk)); - os_memset(&sm->gtk, 0, sizeof(sm->gtk)); -+ os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep)); - #ifdef CONFIG_IEEE80211W - os_memset(&sm->igtk, 0, sizeof(sm->igtk)); -+ os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep)); - #endif /* CONFIG_IEEE80211W */ - } - -@@ -3160,8 +3181,10 @@ void wpa_sm_drop_sa(struct wpa_sm *sm) - os_memset(&sm->ptk, 0, sizeof(sm->ptk)); - os_memset(&sm->tptk, 0, sizeof(sm->tptk)); - os_memset(&sm->gtk, 0, sizeof(sm->gtk)); -+ os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep)); - #ifdef CONFIG_IEEE80211W - os_memset(&sm->igtk, 0, sizeof(sm->igtk)); -+ os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep)); - #endif /* CONFIG_IEEE80211W */ - #ifdef CONFIG_IEEE80211R - os_memset(sm->xxkey, 0, sizeof(sm->xxkey)); -@@ -3226,7 +3249,7 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf) - - wpa_hexdump_key(MSG_DEBUG, "Install GTK (WNM SLEEP)", - gd.gtk, gd.gtk_len); -- if (wpa_supplicant_install_gtk(sm, &gd, key_rsc)) { -+ if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 1)) { - os_memset(&gd, 0, sizeof(gd)); - wpa_printf(MSG_DEBUG, "Failed to install the GTK in " - "WNM mode"); -@@ -3238,7 +3261,7 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 
*buf) - const struct wpa_igtk_kde *igtk; - - igtk = (const struct wpa_igtk_kde *) (buf + 2); -- if (wpa_supplicant_install_igtk(sm, igtk) < 0) -+ if (wpa_supplicant_install_igtk(sm, igtk, 1) < 0) - return -1; - #endif /* CONFIG_IEEE80211W */ - } else { -@@ -4132,7 +4155,7 @@ int fils_process_assoc_resp(struct wpa_sm *sm, const u8 *resp, size_t len) - os_memcpy(gd.gtk, kde.gtk + 2, kde.gtk_len - 2); - - wpa_printf(MSG_DEBUG, "FILS: Set GTK to driver"); -- if (wpa_supplicant_install_gtk(sm, &gd, elems.key_delivery) < 0) { -+ if (wpa_supplicant_install_gtk(sm, &gd, elems.key_delivery, 0) < 0) { - wpa_printf(MSG_DEBUG, "FILS: Failed to set GTK"); - goto fail; - } -diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h -index 2827ed6..156e6cb 100644 ---- a/src/rsn_supp/wpa_i.h -+++ b/src/rsn_supp/wpa_i.h -@@ -32,8 +32,10 @@ struct wpa_sm { - int rx_replay_counter_set; - u8 request_counter[WPA_REPLAY_COUNTER_LEN]; - struct wpa_gtk gtk; -+ struct wpa_gtk gtk_wnm_sleep; - #ifdef CONFIG_IEEE80211W - struct wpa_igtk igtk; -+ struct wpa_igtk igtk_wnm_sleep; - #endif /* CONFIG_IEEE80211W */ - - struct eapol_sm *eapol; /* EAPOL state machine from upper level code */ --- -2.7.4 - diff --git a/src/patches/wpa_supplicant/0004-Prevent-installation-of-an-all-zero-TK.patch b/src/patches/wpa_supplicant/0004-Prevent-installation-of-an-all-zero-TK.patch deleted file mode 100644 index e3bfccbaf..000000000 --- a/src/patches/wpa_supplicant/0004-Prevent-installation-of-an-all-zero-TK.patch +++ /dev/null 
@@ -1,87 +0,0 @@ -From 327b6d780f2667e99e9b74d4c064531c0208b22b Mon Sep 17 00:00:00 2001 -From: Mathy Vanhoef Mathy.Vanhoef@cs.kuleuven.be -Date: Fri, 29 Sep 2017 04:22:51 +0200 -Subject: [PATCH 4/8] Prevent installation of an all-zero TK - -Properly track whether a PTK has already been installed to the driver -and the TK part cleared from memory. This prevents an attacker from -trying to trick the client into installing an all-zero TK. - -This fixes the earlier fix in commit -ad00d64e7d8827b3cebd665a0ceb08adabf15e1e ('Fix TK configuration to the -driver in EAPOL-Key 3/4 retry case') which did not take into account -possibility of an extra message 1/4 showing up between retries of -message 3/4. - -Signed-off-by: Mathy Vanhoef Mathy.Vanhoef@cs.kuleuven.be ---- - src/common/wpa_common.h | 1 + - src/rsn_supp/wpa.c | 6 +++--- - src/rsn_supp/wpa_i.h | 1 - - 3 files changed, 4 insertions(+), 4 deletions(-) - -diff --git a/src/common/wpa_common.h b/src/common/wpa_common.h -index 0872b12..8411686 100644 ---- a/src/common/wpa_common.h -+++ b/src/common/wpa_common.h -@@ -219,6 +219,7 @@ struct wpa_ptk { - size_t kck_len; - size_t kek_len; - size_t tk_len; -+ int installed; /* 1 if key has already been installed to driver */ - }; - - struct wpa_gtk { -diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c -index 3c8871d..cf9bf1c 100644 ---- a/src/rsn_supp/wpa.c -+++ b/src/rsn_supp/wpa.c -@@ -594,7 +594,6 @@ static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm, - os_memset(buf, 0, sizeof(buf)); - } - sm->tptk_set = 1; -- sm->tk_to_set = 1; - - kde = sm->assoc_wpa_ie; - kde_len = sm->assoc_wpa_ie_len; -@@ -701,7 +700,7 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm, - enum wpa_alg alg; - const u8 *key_rsc; - -- if (!sm->tk_to_set) { -+ if (sm->ptk.installed) { - wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, - "WPA: Do not re-install same PTK to the driver"); - return 0; -@@ -745,7 +744,7 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm, - - /* TK is not needed 
anymore in supplicant */ - os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN); -- sm->tk_to_set = 0; -+ sm->ptk.installed = 1; - - if (sm->wpa_ptk_rekey) { - eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL); -@@ -4183,6 +4182,7 @@ int fils_process_assoc_resp(struct wpa_sm *sm, const u8 *resp, size_t len) - * takes care of association frame encryption/decryption. */ - /* TK is not needed anymore in supplicant */ - os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN); -+ sm->ptk.installed = 1; - - /* FILS HLP Container */ - fils_process_hlp_container(sm, ie_start, end - ie_start); -diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h -index 156e6cb..3b42245 100644 ---- a/src/rsn_supp/wpa_i.h -+++ b/src/rsn_supp/wpa_i.h -@@ -24,7 +24,6 @@ struct wpa_sm { - struct wpa_ptk ptk, tptk; - int ptk_set, tptk_set; - unsigned int msg_3_of_4_ok:1; -- unsigned int tk_to_set:1; - u8 snonce[WPA_NONCE_LEN]; - u8 anonce[WPA_NONCE_LEN]; /* ANonce from the last 1/4 msg */ - int renew_snonce; --- -2.7.4 - diff --git a/src/patches/wpa_supplicant/0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch b/src/patches/wpa_supplicant/0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch deleted file mode 100644 index b019152f3..000000000 --- a/src/patches/wpa_supplicant/0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch +++ /dev/null 
@@ -1,64 +0,0 @@ -From f1800cce24e8f81e909a68fe8ef1f13abfdec9e3 Mon Sep 17 00:00:00 2001 -From: Jouni Malinen j@w1.fi -Date: Sun, 1 Oct 2017 12:32:57 +0300 -Subject: [PATCH 5/8] Fix PTK rekeying to generate a new ANonce - -The Authenticator state machine path for PTK rekeying ended up bypassing -the AUTHENTICATION2 state where a new ANonce is generated when going -directly to the PTKSTART state since there is no need to try to -determine the PMK again in such a case. This is far from ideal since the -new PTK would depend on a new nonce only from the supplicant. - -Fix this by generating a new ANonce when moving to the PTKSTART state -for the purpose of starting new 4-way handshake to rekey PTK. - -Signed-off-by: Jouni Malinen j@w1.fi ---- - src/ap/wpa_auth.c | 24 +++++++++++++++++++++--- - 1 file changed, 21 insertions(+), 3 deletions(-) - -diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c -index 42ef0bf..3b2f97c 100644 ---- a/src/ap/wpa_auth.c -+++ b/src/ap/wpa_auth.c -@@ -1953,6 +1953,21 @@ SM_STATE(WPA_PTK, AUTHENTICATION2) - } - - -+static int wpa_auth_sm_ptk_update(struct wpa_state_machine *sm) -+{ -+ if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) { -+ wpa_printf(MSG_ERROR, -+ "WPA: Failed to get random data for ANonce"); -+ sm->Disconnect = TRUE; -+ return -1; -+ } -+ wpa_hexdump(MSG_DEBUG, "WPA: Assign new ANonce", sm->ANonce, -+ WPA_NONCE_LEN); -+ sm->TimeoutCtr = 0; -+ return 0; -+} -+ -+ - SM_STATE(WPA_PTK, INITPMK) - { - u8 msk[2 * PMK_LEN]; -@@ -3129,9 +3144,12 @@ SM_STEP(WPA_PTK) - SM_ENTER(WPA_PTK, AUTHENTICATION); - else if (sm->ReAuthenticationRequest) - SM_ENTER(WPA_PTK, AUTHENTICATION2); -- else if (sm->PTKRequest) -- SM_ENTER(WPA_PTK, PTKSTART); -- else switch (sm->wpa_ptk_state) { -+ else if (sm->PTKRequest) { -+ if (wpa_auth_sm_ptk_update(sm) < 0) -+ SM_ENTER(WPA_PTK, DISCONNECTED); -+ else -+ SM_ENTER(WPA_PTK, PTKSTART); -+ } else switch (sm->wpa_ptk_state) { - case WPA_PTK_INITIALIZE: - break; - case WPA_PTK_DISCONNECT: --- -2.7.4 - 
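Review bot: nothing in this deletion records why the ANonce rekeying fix (PATCH 5/8, the wpa_auth_sm_ptk_update() call on the sm->PTKRequest branch of SM_STEP(WPA_PTK) in src/ap/wpa_auth.c) is no longer needed. Please state in the commit message that the fix is contained in the source version now being built, and check that no build step still applies 0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch. A leftover reference would fail at the patch step, and dropping the fix without an upstream equivalent would bring back the condition the patch describes, where a rekeyed PTK depends on a new nonce from the supplicant only.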
diff --git a/src/patches/wpa_supplicant/0006-TDLS-Reject-TPK-TK-reconfiguration.patch b/src/patches/wpa_supplicant/0006-TDLS-Reject-TPK-TK-reconfiguration.patch deleted file mode 100644 index d857e50eb..000000000 --- a/src/patches/wpa_supplicant/0006-TDLS-Reject-TPK-TK-reconfiguration.patch +++ /dev/null 
@@ -1,132 +0,0 @@ -From 1b198fae80a4c97ecf358fe825c0488d6ac0e65e Mon Sep 17 00:00:00 2001 -From: Jouni Malinen j@w1.fi -Date: Fri, 22 Sep 2017 11:03:15 +0300 -Subject: [PATCH 6/8] TDLS: Reject TPK-TK reconfiguration - -Do not try to reconfigure the same TPK-TK to the driver after it has -been successfully configured. This is an explicit check to avoid issues -related to resetting the TX/RX packet number. There was already a check -for this for TPK M2 (retries of that message are ignored completely), so -that behavior does not get modified. - -For TPK M3, the TPK-TK could have been reconfigured, but that was -followed by immediate teardown of the link due to an issue in updating -the STA entry. Furthermore, for TDLS with any real security (i.e., -ignoring open/WEP), the TPK message exchange is protected on the AP path -and simple replay attacks are not feasible. - -As an additional corner case, make sure the local nonce gets updated if -the peer uses a very unlikely "random nonce" of all zeros. - -Signed-off-by: Jouni Malinen j@w1.fi ---- - src/rsn_supp/tdls.c | 38 ++++++++++++++++++++++++++++++++++++-- - 1 file changed, 36 insertions(+), 2 deletions(-) - -diff --git a/src/rsn_supp/tdls.c b/src/rsn_supp/tdls.c -index 7c95bed..5e350ed 100644 ---- a/src/rsn_supp/tdls.c -+++ b/src/rsn_supp/tdls.c -@@ -112,6 +112,7 @@ struct wpa_tdls_peer { - u8 tk[16]; /* TPK-TK; assuming only CCMP will be used */ - } tpk; - int tpk_set; -+ int tk_set; /* TPK-TK configured to the driver */ - int tpk_success; - int tpk_in_progress; - -@@ -192,6 +193,20 @@ static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) - u8 rsc[6]; - enum wpa_alg alg; - -+ if (peer->tk_set) { -+ /* -+ * This same TPK-TK has already been configured to the driver -+ * and this new configuration attempt (likely due to an -+ * unexpected retransmitted frame) would result in clearing -+ * the TX/RX sequence number which can break security, so must -+ * not allow that to happen. 
-+ */ -+ wpa_printf(MSG_INFO, "TDLS: TPK-TK for the peer " MACSTR -+ " has already been configured to the driver - do not reconfigure", -+ MAC2STR(peer->addr)); -+ return -1; -+ } -+ - os_memset(rsc, 0, 6); - - switch (peer->cipher) { -@@ -209,12 +224,15 @@ static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) - return -1; - } - -+ wpa_printf(MSG_DEBUG, "TDLS: Configure pairwise key for peer " MACSTR, -+ MAC2STR(peer->addr)); - if (wpa_sm_set_key(sm, alg, peer->addr, -1, 1, - rsc, sizeof(rsc), peer->tpk.tk, key_len) < 0) { - wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the " - "driver"); - return -1; - } -+ peer->tk_set = 1; - return 0; - } - -@@ -693,7 +711,7 @@ static void wpa_tdls_peer_clear(struct wpa_sm *sm, struct wpa_tdls_peer *peer) - peer->cipher = 0; - peer->qos_info = 0; - peer->wmm_capable = 0; -- peer->tpk_set = peer->tpk_success = 0; -+ peer->tk_set = peer->tpk_set = peer->tpk_success = 0; - peer->chan_switch_enabled = 0; - os_memset(&peer->tpk, 0, sizeof(peer->tpk)); - os_memset(peer->inonce, 0, WPA_NONCE_LEN); -@@ -1156,6 +1174,7 @@ skip_rsnie: - wpa_tdls_peer_free(sm, peer); - return -1; - } -+ peer->tk_set = 0; /* A new nonce results in a new TK */ - wpa_hexdump(MSG_DEBUG, "TDLS: Initiator Nonce for TPK handshake", - peer->inonce, WPA_NONCE_LEN); - os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); -@@ -1749,6 +1768,19 @@ static int wpa_tdls_addset_peer(struct wpa_sm *sm, struct wpa_tdls_peer *peer, - } - - -+static int tdls_nonce_set(const u8 *nonce) -+{ -+ int i; -+ -+ for (i = 0; i < WPA_NONCE_LEN; i++) { -+ if (nonce[i]) -+ return 1; -+ } -+ -+ return 0; -+} -+ -+ - static int wpa_tdls_process_tpk_m1(struct wpa_sm *sm, const u8 *src_addr, - const u8 *buf, size_t len) - { -@@ -2002,7 +2034,8 @@ skip_rsn: - peer->rsnie_i_len = kde.rsn_ie_len; - peer->cipher = cipher; - -- if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) { -+ if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0 || -+ 
!tdls_nonce_set(peer->inonce)) { - /* - * There is no point in updating the RNonce for every obtained - * TPK M1 frame (e.g., retransmission due to timeout) with the -@@ -2018,6 +2051,7 @@ skip_rsn: - "TDLS: Failed to get random data for responder nonce"); - goto error; - } -+ peer->tk_set = 0; /* A new nonce results in a new TK */ - } - - #if 0 --- -2.7.4 - diff --git a/src/patches/wpa_supplicant/0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch b/src/patches/wpa_supplicant/0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch deleted file mode 100644 index 890eb3471..000000000 --- a/src/patches/wpa_supplicant/0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch +++ /dev/null 
@@ -1,43 +0,0 @@ -From b839814391abb4f95486ef2e24eb5498267eccf5 Mon Sep 17 00:00:00 2001 -From: Jouni Malinen j@w1.fi -Date: Fri, 22 Sep 2017 11:25:02 +0300 -Subject: [PATCH 7/8] WNM: Ignore WNM-Sleep Mode Response without pending - request - -Commit 03ed0a52393710be6bdae657d1b36efa146520e5 ('WNM: Ignore WNM-Sleep -Mode Response if WNM-Sleep Mode has not been used') started ignoring the -response when no WNM-Sleep Mode Request had been used during the -association. This can be made tighter by clearing the used flag when -successfully processing a response. This adds an additional layer of -protection against unexpected retransmissions of the response frame. - -Signed-off-by: Jouni Malinen j@w1.fi ---- - wpa_supplicant/wnm_sta.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c -index 7339ed2..28346ea 100644 ---- a/wpa_supplicant/wnm_sta.c -+++ b/wpa_supplicant/wnm_sta.c -@@ -260,7 +260,7 @@ static void ieee802_11_rx_wnmsleep_resp(struct wpa_supplicant *wpa_s, - - if (!wpa_s->wnmsleep_used) { - wpa_printf(MSG_DEBUG, -- "WNM: Ignore WNM-Sleep Mode Response frame since WNM-Sleep Mode has not been used in this association"); -+ "WNM: Ignore WNM-Sleep Mode Response frame since WNM-Sleep Mode operation has not been requested"); - return; - } - -@@ -299,6 +299,8 @@ static void ieee802_11_rx_wnmsleep_resp(struct wpa_supplicant *wpa_s, - return; - } - -+ wpa_s->wnmsleep_used = 0; -+ - if (wnmsleep_ie->status == WNM_STATUS_SLEEP_ACCEPT || - wnmsleep_ie->status == WNM_STATUS_SLEEP_EXIT_ACCEPT_GTK_UPDATE) { - wpa_printf(MSG_DEBUG, "Successfully recv WNM-Sleep Response " --- -2.7.4 - diff --git a/src/patches/wpa_supplicant/0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch b/src/patches/wpa_supplicant/0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch deleted file mode 100644 index e5c56b849..000000000 
--- a/src/patches/wpa_supplicant/0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch +++ /dev/null 
@@ -1,82 +0,0 @@ -From dc55ea1e483125145459ae1e55be3b95e6263302 Mon Sep 17 00:00:00 2001 -From: Jouni Malinen j@w1.fi -Date: Fri, 22 Sep 2017 12:06:37 +0300 -Subject: [PATCH 8/8] FT: Do not allow multiple Reassociation Response frames - -The driver is expected to not report a second association event without -the station having explicitly request a new association. As such, this -case should not be reachable. However, since reconfiguring the same -pairwise or group keys to the driver could result in nonce reuse issues, -be extra careful here and do an additional state check to avoid this -even if the local driver ends up somehow accepting an unexpected -Reassociation Response frame. - -Signed-off-by: Jouni Malinen j@w1.fi ---- - src/rsn_supp/wpa.c | 3 +++ - src/rsn_supp/wpa_ft.c | 8 ++++++++ - src/rsn_supp/wpa_i.h | 1 + - 3 files changed, 12 insertions(+) - -diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c -index cf9bf1c..ed467e6 100644 ---- a/src/rsn_supp/wpa.c -+++ b/src/rsn_supp/wpa.c -@@ -2637,6 +2637,9 @@ void wpa_sm_notify_disassoc(struct wpa_sm *sm) - #ifdef CONFIG_FILS - sm->fils_completed = 0; - #endif /* CONFIG_FILS */ -+#ifdef CONFIG_IEEE80211R -+ sm->ft_reassoc_completed = 0; -+#endif /* CONFIG_IEEE80211R */ - - /* Keys are not needed in the WPA state machine anymore */ - wpa_sm_drop_sa(sm); -diff --git a/src/rsn_supp/wpa_ft.c b/src/rsn_supp/wpa_ft.c -index aeb7aff..1ff7afe 100644 ---- a/src/rsn_supp/wpa_ft.c -+++ b/src/rsn_supp/wpa_ft.c -@@ -153,6 +153,7 @@ static u8 * wpa_ft_gen_req_ies(struct wpa_sm *sm, size_t *len, - u16 capab; - - sm->ft_completed = 0; -+ sm->ft_reassoc_completed = 0; - - buf_len = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) + - 2 + sm->r0kh_id_len + ric_ies_len + 100; -@@ -687,6 +688,11 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies, - return -1; - } - -+ if (sm->ft_reassoc_completed) { -+ wpa_printf(MSG_DEBUG, "FT: Reassociation has already been completed for this FT protocol instance - 
ignore unexpected retransmission"); -+ return 0; -+ } -+ - if (wpa_ft_parse_ies(ies, ies_len, &parse) < 0) { - wpa_printf(MSG_DEBUG, "FT: Failed to parse IEs"); - return -1; -@@ -787,6 +793,8 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies, - return -1; - } - -+ sm->ft_reassoc_completed = 1; -+ - if (wpa_ft_process_gtk_subelem(sm, parse.gtk, parse.gtk_len) < 0) - return -1; - -diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h -index 3b42245..148c654 100644 ---- a/src/rsn_supp/wpa_i.h -+++ b/src/rsn_supp/wpa_i.h -@@ -128,6 +128,7 @@ struct wpa_sm { - size_t r0kh_id_len; - u8 r1kh_id[FT_R1KH_ID_LEN]; - int ft_completed; -+ int ft_reassoc_completed; - int over_the_ds_in_progress; - u8 target_ap[ETH_ALEN]; /* over-the-DS target AP */ - int set_ptk_after_assoc; --- -2.7.4 - diff --git a/src/patches/wpa_supplicant/rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch b/src/patches/wpa_supplicant/rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch deleted file mode 100644 index 727684865..000000000 --- a/src/patches/wpa_supplicant/rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch +++ /dev/null 
@@ -1,174 +0,0 @@ -From cf4cab804c7afd5c45505528a8d16e46163243a2 Mon Sep 17 00:00:00 2001 -From: Mathy Vanhoef Mathy.Vanhoef@cs.kuleuven.be -Date: Fri, 14 Jul 2017 15:15:35 +0200 -Subject: [PATCH 1/8] hostapd: Avoid key reinstallation in FT handshake - -Do not reinstall TK to the driver during Reassociation Response frame -processing if the first attempt of setting the TK succeeded. This avoids -issues related to clearing the TX/RX PN that could result in reusing -same PN values for transmitted frames (e.g., due to CCM nonce reuse and -also hitting replay protection on the receiver) and accepting replayed -frames on RX side. - -This issue was introduced by the commit -0e84c25434e6a1f283c7b4e62e483729085b78d2 ('FT: Fix PTK configuration in -authenticator') which allowed wpa_ft_install_ptk() to be called multiple -times with the same PTK. While the second configuration attempt is -needed with some drivers, it must be done only if the first attempt -failed. - -Signed-off-by: Mathy Vanhoef Mathy.Vanhoef@cs.kuleuven.be ---- - src/ap/ieee802_11.c | 16 +++++++++++++--- - src/ap/wpa_auth.c | 11 +++++++++++ - src/ap/wpa_auth.h | 3 ++- - src/ap/wpa_auth_ft.c | 10 ++++++++++ - src/ap/wpa_auth_i.h | 1 + - 5 files changed, 37 insertions(+), 4 deletions(-) - -diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c -index 4e04169..333035f 100644 ---- a/src/ap/ieee802_11.c -+++ b/src/ap/ieee802_11.c -@@ -1841,6 +1841,7 @@ static int add_associated_sta(struct hostapd_data *hapd, - { - struct ieee80211_ht_capabilities ht_cap; - struct ieee80211_vht_capabilities vht_cap; -+ int set = 1; - - /* - * Remove the STA entry to ensure the STA PS state gets cleared and -@@ -1848,9 +1849,18 @@ static int add_associated_sta(struct hostapd_data *hapd, - * FT-over-the-DS, where a station re-associates back to the same AP but - * skips the authentication flow, or if working with a driver that - * does not support full AP client state. 
-+ * -+ * Skip this if the STA has already completed FT reassociation and the -+ * TK has been configured since the TX/RX PN must not be reset to 0 for -+ * the same key. - */ -- if (!sta->added_unassoc) -+ if (!sta->added_unassoc && -+ (!(sta->flags & WLAN_STA_AUTHORIZED) || -+ !wpa_auth_sta_ft_tk_already_set(sta->wpa_sm))) { - hostapd_drv_sta_remove(hapd, sta->addr); -+ wpa_auth_sm_event(sta->wpa_sm, WPA_DRV_STA_REMOVED); -+ set = 0; -+ } - - #ifdef CONFIG_IEEE80211N - if (sta->flags & WLAN_STA_HT) -@@ -1873,11 +1883,11 @@ static int add_associated_sta(struct hostapd_data *hapd, - sta->flags & WLAN_STA_VHT ? &vht_cap : NULL, - sta->flags | WLAN_STA_ASSOC, sta->qosinfo, - sta->vht_opmode, sta->p2p_ie ? 1 : 0, -- sta->added_unassoc)) { -+ set)) { - hostapd_logger(hapd, sta->addr, - HOSTAPD_MODULE_IEEE80211, HOSTAPD_LEVEL_NOTICE, - "Could not %s STA to kernel driver", -- sta->added_unassoc ? "set" : "add"); -+ set ? "set" : "add"); - - if (sta->added_unassoc) { - hostapd_drv_sta_remove(hapd, sta->addr); -diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c -index 3587086..707971d 100644 ---- a/src/ap/wpa_auth.c -+++ b/src/ap/wpa_auth.c -@@ -1745,6 +1745,9 @@ int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event) - #else /* CONFIG_IEEE80211R */ - break; - #endif /* CONFIG_IEEE80211R */ -+ case WPA_DRV_STA_REMOVED: -+ sm->tk_already_set = FALSE; -+ return 0; - } - - #ifdef CONFIG_IEEE80211R -@@ -3250,6 +3253,14 @@ int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm) - } - - -+int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm) -+{ -+ if (!sm || !wpa_key_mgmt_ft(sm->wpa_key_mgmt)) -+ return 0; -+ return sm->tk_already_set; -+} -+ -+ - int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm, - struct rsn_pmksa_cache_entry *entry) - { -diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h -index 0de8d97..97461b0 100644 ---- a/src/ap/wpa_auth.h -+++ b/src/ap/wpa_auth.h -@@ -267,7 +267,7 @@ void wpa_receive(struct wpa_authenticator 
*wpa_auth, - u8 *data, size_t data_len); - enum wpa_event { - WPA_AUTH, WPA_ASSOC, WPA_DISASSOC, WPA_DEAUTH, WPA_REAUTH, -- WPA_REAUTH_EAPOL, WPA_ASSOC_FT -+ WPA_REAUTH_EAPOL, WPA_ASSOC_FT, WPA_DRV_STA_REMOVED - }; - void wpa_remove_ptk(struct wpa_state_machine *sm); - int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event); -@@ -280,6 +280,7 @@ int wpa_auth_pairwise_set(struct wpa_state_machine *sm); - int wpa_auth_get_pairwise(struct wpa_state_machine *sm); - int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm); - int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm); -+int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm); - int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm, - struct rsn_pmksa_cache_entry *entry); - struct rsn_pmksa_cache_entry * -diff --git a/src/ap/wpa_auth_ft.c b/src/ap/wpa_auth_ft.c -index 42242a5..e63b99a 100644 ---- a/src/ap/wpa_auth_ft.c -+++ b/src/ap/wpa_auth_ft.c -@@ -780,6 +780,14 @@ void wpa_ft_install_ptk(struct wpa_state_machine *sm) - return; - } - -+ if (sm->tk_already_set) { -+ /* Must avoid TK reconfiguration to prevent clearing of TX/RX -+ * PN in the driver */ -+ wpa_printf(MSG_DEBUG, -+ "FT: Do not re-install same PTK to the driver"); -+ return; -+ } -+ - /* FIX: add STA entry to kernel/driver here? The set_key will fail - * most likely without this.. At the moment, STA entry is added only - * after association has been completed. 
This function will be called -@@ -792,6 +800,7 @@ void wpa_ft_install_ptk(struct wpa_state_machine *sm) - - /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */ - sm->pairwise_set = TRUE; -+ sm->tk_already_set = TRUE; - } - - -@@ -898,6 +907,7 @@ static int wpa_ft_process_auth_req(struct wpa_state_machine *sm, - - sm->pairwise = pairwise; - sm->PTK_valid = TRUE; -+ sm->tk_already_set = FALSE; - wpa_ft_install_ptk(sm); - - buflen = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) + -diff --git a/src/ap/wpa_auth_i.h b/src/ap/wpa_auth_i.h -index 72b7eb3..7fd8f05 100644 ---- a/src/ap/wpa_auth_i.h -+++ b/src/ap/wpa_auth_i.h -@@ -65,6 +65,7 @@ struct wpa_state_machine { - struct wpa_ptk PTK; - Boolean PTK_valid; - Boolean pairwise_set; -+ Boolean tk_already_set; - int keycount; - Boolean Pair; - struct wpa_key_replay_counter { --- -2.7.4 - diff --git a/src/patches/wpa_supplicant/rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch b/src/patches/wpa_supplicant/rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch deleted file mode 100644 index 1802d664a..000000000 --- a/src/patches/wpa_supplicant/rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch +++ /dev/null 
@@ -1,250 +0,0 @@ -From 927f891007c402fefd1ff384645b3f07597c3ede Mon Sep 17 00:00:00 2001 -From: Mathy Vanhoef Mathy.Vanhoef@cs.kuleuven.be -Date: Wed, 12 Jul 2017 16:03:24 +0200 -Subject: [PATCH 2/8] Prevent reinstallation of an already in-use group key - -Track the current GTK and IGTK that is in use and when receiving a -(possibly retransmitted) Group Message 1 or WNM-Sleep Mode Response, do -not install the given key if it is already in use. This prevents an -attacker from trying to trick the client into resetting or lowering the -sequence counter associated to the group key. - -Signed-off-by: Mathy Vanhoef Mathy.Vanhoef@cs.kuleuven.be ---- - src/common/wpa_common.h | 11 +++++ - src/rsn_supp/wpa.c | 116 ++++++++++++++++++++++++++++++------------------ - src/rsn_supp/wpa_i.h | 4 ++ - 3 files changed, 87 insertions(+), 44 deletions(-) - -diff --git a/src/common/wpa_common.h b/src/common/wpa_common.h -index af1d0f0..d200285 100644 ---- a/src/common/wpa_common.h -+++ b/src/common/wpa_common.h -@@ -217,6 +217,17 @@ struct wpa_ptk { - size_t tk_len; - }; - -+struct wpa_gtk { -+ u8 gtk[WPA_GTK_MAX_LEN]; -+ size_t gtk_len; -+}; -+ -+#ifdef CONFIG_IEEE80211W -+struct wpa_igtk { -+ u8 igtk[WPA_IGTK_MAX_LEN]; -+ size_t igtk_len; -+}; -+#endif /* CONFIG_IEEE80211W */ - - /* WPA IE version 1 - * 00-50-f2:1 (OUI:OUI type) -diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c -index 3c47879..95bd7be 100644 ---- a/src/rsn_supp/wpa.c -+++ b/src/rsn_supp/wpa.c -@@ -714,6 +714,15 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm, - const u8 *_gtk = gd->gtk; - u8 gtk_buf[32]; - -+ /* Detect possible key reinstallation */ -+ if (sm->gtk.gtk_len == (size_t) gd->gtk_len && -+ os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) { -+ wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, -+ "WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)", -+ gd->keyidx, gd->tx, gd->gtk_len); -+ return 0; -+ } -+ - wpa_hexdump_key(MSG_DEBUG, "WPA: Group Key", gd->gtk, 
gd->gtk_len); - wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, - "WPA: Installing GTK to the driver (keyidx=%d tx=%d len=%d)", -@@ -748,6 +757,9 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm, - } - os_memset(gtk_buf, 0, sizeof(gtk_buf)); - -+ sm->gtk.gtk_len = gd->gtk_len; -+ os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len); -+ - return 0; - } - -@@ -854,6 +866,48 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm, - } - - -+#ifdef CONFIG_IEEE80211W -+static int wpa_supplicant_install_igtk(struct wpa_sm *sm, -+ const struct wpa_igtk_kde *igtk) -+{ -+ size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher); -+ u16 keyidx = WPA_GET_LE16(igtk->keyid); -+ -+ /* Detect possible key reinstallation */ -+ if (sm->igtk.igtk_len == len && -+ os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) { -+ wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, -+ "WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)", -+ keyidx); -+ return 0; -+ } -+ -+ wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, -+ "WPA: IGTK keyid %d pn %02x%02x%02x%02x%02x%02x", -+ keyidx, MAC2STR(igtk->pn)); -+ wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK", igtk->igtk, len); -+ if (keyidx > 4095) { -+ wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, -+ "WPA: Invalid IGTK KeyID %d", keyidx); -+ return -1; -+ } -+ if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher), -+ broadcast_ether_addr, -+ keyidx, 0, igtk->pn, sizeof(igtk->pn), -+ igtk->igtk, len) < 0) { -+ wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, -+ "WPA: Failed to configure IGTK to the driver"); -+ return -1; -+ } -+ -+ sm->igtk.igtk_len = len; -+ os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len); -+ -+ return 0; -+} -+#endif /* CONFIG_IEEE80211W */ -+ -+ - static int ieee80211w_set_keys(struct wpa_sm *sm, - struct wpa_eapol_ie_parse *ie) - { -@@ -864,30 +918,14 @@ static int ieee80211w_set_keys(struct wpa_sm *sm, - if (ie->igtk) { - size_t len; - const struct wpa_igtk_kde *igtk; -- u16 keyidx; -+ - len = wpa_cipher_key_len(sm->mgmt_group_cipher); - 
if (ie->igtk_len != WPA_IGTK_KDE_PREFIX_LEN + len) - return -1; -+ - igtk = (const struct wpa_igtk_kde *) ie->igtk; -- keyidx = WPA_GET_LE16(igtk->keyid); -- wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: IGTK keyid %d " -- "pn %02x%02x%02x%02x%02x%02x", -- keyidx, MAC2STR(igtk->pn)); -- wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK", -- igtk->igtk, len); -- if (keyidx > 4095) { -- wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, -- "WPA: Invalid IGTK KeyID %d", keyidx); -- return -1; -- } -- if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher), -- broadcast_ether_addr, -- keyidx, 0, igtk->pn, sizeof(igtk->pn), -- igtk->igtk, len) < 0) { -- wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, -- "WPA: Failed to configure IGTK to the driver"); -+ if (wpa_supplicant_install_igtk(sm, igtk) < 0) - return -1; -- } - } - - return 0; -@@ -2307,7 +2345,7 @@ void wpa_sm_deinit(struct wpa_sm *sm) - */ - void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid) - { -- int clear_ptk = 1; -+ int clear_keys = 1; - - if (sm == NULL) - return; -@@ -2333,11 +2371,11 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid) - /* Prepare for the next transition */ - wpa_ft_prepare_auth_request(sm, NULL); - -- clear_ptk = 0; -+ clear_keys = 0; - } - #endif /* CONFIG_IEEE80211R */ - -- if (clear_ptk) { -+ if (clear_keys) { - /* - * IEEE 802.11, 8.4.10: Delete PTK SA on (re)association if - * this is not part of a Fast BSS Transition. 
-@@ -2347,6 +2385,10 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid) - os_memset(&sm->ptk, 0, sizeof(sm->ptk)); - sm->tptk_set = 0; - os_memset(&sm->tptk, 0, sizeof(sm->tptk)); -+ os_memset(&sm->gtk, 0, sizeof(sm->gtk)); -+#ifdef CONFIG_IEEE80211W -+ os_memset(&sm->igtk, 0, sizeof(sm->igtk)); -+#endif /* CONFIG_IEEE80211W */ - } - - #ifdef CONFIG_TDLS -@@ -2877,6 +2919,10 @@ void wpa_sm_drop_sa(struct wpa_sm *sm) - os_memset(sm->pmk, 0, sizeof(sm->pmk)); - os_memset(&sm->ptk, 0, sizeof(sm->ptk)); - os_memset(&sm->tptk, 0, sizeof(sm->tptk)); -+ os_memset(&sm->gtk, 0, sizeof(sm->gtk)); -+#ifdef CONFIG_IEEE80211W -+ os_memset(&sm->igtk, 0, sizeof(sm->igtk)); -+#endif /* CONFIG_IEEE80211W */ - #ifdef CONFIG_IEEE80211R - os_memset(sm->xxkey, 0, sizeof(sm->xxkey)); - os_memset(sm->pmk_r0, 0, sizeof(sm->pmk_r0)); -@@ -2949,29 +2995,11 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf) - os_memset(&gd, 0, sizeof(gd)); - #ifdef CONFIG_IEEE80211W - } else if (subelem_id == WNM_SLEEP_SUBELEM_IGTK) { -- struct wpa_igtk_kde igd; -- u16 keyidx; -- -- os_memset(&igd, 0, sizeof(igd)); -- keylen = wpa_cipher_key_len(sm->mgmt_group_cipher); -- os_memcpy(igd.keyid, buf + 2, 2); -- os_memcpy(igd.pn, buf + 4, 6); -- -- keyidx = WPA_GET_LE16(igd.keyid); -- os_memcpy(igd.igtk, buf + 10, keylen); -- -- wpa_hexdump_key(MSG_DEBUG, "Install IGTK (WNM SLEEP)", -- igd.igtk, keylen); -- if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher), -- broadcast_ether_addr, -- keyidx, 0, igd.pn, sizeof(igd.pn), -- igd.igtk, keylen) < 0) { -- wpa_printf(MSG_DEBUG, "Failed to install the IGTK in " -- "WNM mode"); -- os_memset(&igd, 0, sizeof(igd)); -+ const struct wpa_igtk_kde *igtk; -+ -+ igtk = (const struct wpa_igtk_kde *) (buf + 2); -+ if (wpa_supplicant_install_igtk(sm, igtk) < 0) - return -1; -- } -- os_memset(&igd, 0, sizeof(igd)); - #endif /* CONFIG_IEEE80211W */ - } else { - wpa_printf(MSG_DEBUG, "Unknown element id"); -diff --git 
a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h -index f653ba6..afc9e37 100644 ---- a/src/rsn_supp/wpa_i.h -+++ b/src/rsn_supp/wpa_i.h -@@ -31,6 +31,10 @@ struct wpa_sm { - u8 rx_replay_counter[WPA_REPLAY_COUNTER_LEN]; - int rx_replay_counter_set; - u8 request_counter[WPA_REPLAY_COUNTER_LEN]; -+ struct wpa_gtk gtk; -+#ifdef CONFIG_IEEE80211W -+ struct wpa_igtk igtk; -+#endif /* CONFIG_IEEE80211W */ - - struct eapol_sm *eapol; /* EAPOL state machine from upper level code */ - --- -2.7.4 - diff --git a/src/patches/wpa_supplicant/rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch b/src/patches/wpa_supplicant/rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch deleted file mode 100644 index e2937b851..000000000 --- a/src/patches/wpa_supplicant/rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch +++ /dev/null 
@@ -1,184 +0,0 @@ -From 8280294e74846ea342389a0cd17215050fa5afe8 Mon Sep 17 00:00:00 2001 -From: Jouni Malinen j@w1.fi -Date: Sun, 1 Oct 2017 12:12:24 +0300 -Subject: [PATCH 3/8] Extend protection of GTK/IGTK reinstallation of WNM-Sleep - Mode cases - -This extends the protection to track last configured GTK/IGTK value -separately from EAPOL-Key frames and WNM-Sleep Mode frames to cover a -corner case where these two different mechanisms may get used when the -GTK/IGTK has changed and tracking a single value is not sufficient to -detect a possible key reconfiguration. - -Signed-off-by: Jouni Malinen j@w1.fi ---- - src/rsn_supp/wpa.c | 53 +++++++++++++++++++++++++++++++++++++--------------- - src/rsn_supp/wpa_i.h | 2 ++ - 2 files changed, 40 insertions(+), 15 deletions(-) - -diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c -index 95bd7be..7a2c68d 100644 ---- a/src/rsn_supp/wpa.c -+++ b/src/rsn_supp/wpa.c -@@ -709,14 +709,17 @@ struct wpa_gtk_data { - - static int wpa_supplicant_install_gtk(struct wpa_sm *sm, - const struct wpa_gtk_data *gd, -- const u8 *key_rsc) -+ const u8 *key_rsc, int wnm_sleep) - { - const u8 *_gtk = gd->gtk; - u8 gtk_buf[32]; - - /* Detect possible key reinstallation */ -- if (sm->gtk.gtk_len == (size_t) gd->gtk_len && -- os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) { -+ if ((sm->gtk.gtk_len == (size_t) gd->gtk_len && -+ os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) || -+ (sm->gtk_wnm_sleep.gtk_len == (size_t) gd->gtk_len && -+ os_memcmp(sm->gtk_wnm_sleep.gtk, gd->gtk, -+ sm->gtk_wnm_sleep.gtk_len) == 0)) { - wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, - "WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)", - gd->keyidx, gd->tx, gd->gtk_len); -@@ -757,8 +760,14 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm, - } - os_memset(gtk_buf, 0, sizeof(gtk_buf)); - -- sm->gtk.gtk_len = gd->gtk_len; -- os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len); -+ if (wnm_sleep) { -+ sm->gtk_wnm_sleep.gtk_len 
= gd->gtk_len; -+ os_memcpy(sm->gtk_wnm_sleep.gtk, gd->gtk, -+ sm->gtk_wnm_sleep.gtk_len); -+ } else { -+ sm->gtk.gtk_len = gd->gtk_len; -+ os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len); -+ } - - return 0; - } -@@ -852,7 +861,7 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm, - (wpa_supplicant_check_group_cipher(sm, sm->group_cipher, - gtk_len, gtk_len, - &gd.key_rsc_len, &gd.alg) || -- wpa_supplicant_install_gtk(sm, &gd, key_rsc))) { -+ wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0))) { - wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, - "RSN: Failed to install GTK"); - os_memset(&gd, 0, sizeof(gd)); -@@ -868,14 +877,18 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm, - - #ifdef CONFIG_IEEE80211W - static int wpa_supplicant_install_igtk(struct wpa_sm *sm, -- const struct wpa_igtk_kde *igtk) -+ const struct wpa_igtk_kde *igtk, -+ int wnm_sleep) - { - size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher); - u16 keyidx = WPA_GET_LE16(igtk->keyid); - - /* Detect possible key reinstallation */ -- if (sm->igtk.igtk_len == len && -- os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) { -+ if ((sm->igtk.igtk_len == len && -+ os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) || -+ (sm->igtk_wnm_sleep.igtk_len == len && -+ os_memcmp(sm->igtk_wnm_sleep.igtk, igtk->igtk, -+ sm->igtk_wnm_sleep.igtk_len) == 0)) { - wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, - "WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)", - keyidx); -@@ -900,8 +913,14 @@ static int wpa_supplicant_install_igtk(struct wpa_sm *sm, - return -1; - } - -- sm->igtk.igtk_len = len; -- os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len); -+ if (wnm_sleep) { -+ sm->igtk_wnm_sleep.igtk_len = len; -+ os_memcpy(sm->igtk_wnm_sleep.igtk, igtk->igtk, -+ sm->igtk_wnm_sleep.igtk_len); -+ } else { -+ sm->igtk.igtk_len = len; -+ os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len); -+ } - - return 0; - } -@@ -924,7 +943,7 @@ static int ieee80211w_set_keys(struct 
wpa_sm *sm, - return -1; - - igtk = (const struct wpa_igtk_kde *) ie->igtk; -- if (wpa_supplicant_install_igtk(sm, igtk) < 0) -+ if (wpa_supplicant_install_igtk(sm, igtk, 0) < 0) - return -1; - } - -@@ -1574,7 +1593,7 @@ static void wpa_supplicant_process_1_of_2(struct wpa_sm *sm, - if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc)) - key_rsc = null_rsc; - -- if (wpa_supplicant_install_gtk(sm, &gd, key_rsc) || -+ if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0) || - wpa_supplicant_send_2_of_2(sm, key, ver, key_info) < 0) - goto failed; - os_memset(&gd, 0, sizeof(gd)); -@@ -2386,8 +2405,10 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid) - sm->tptk_set = 0; - os_memset(&sm->tptk, 0, sizeof(sm->tptk)); - os_memset(&sm->gtk, 0, sizeof(sm->gtk)); -+ os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep)); - #ifdef CONFIG_IEEE80211W - os_memset(&sm->igtk, 0, sizeof(sm->igtk)); -+ os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep)); - #endif /* CONFIG_IEEE80211W */ - } - -@@ -2920,8 +2941,10 @@ void wpa_sm_drop_sa(struct wpa_sm *sm) - os_memset(&sm->ptk, 0, sizeof(sm->ptk)); - os_memset(&sm->tptk, 0, sizeof(sm->tptk)); - os_memset(&sm->gtk, 0, sizeof(sm->gtk)); -+ os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep)); - #ifdef CONFIG_IEEE80211W - os_memset(&sm->igtk, 0, sizeof(sm->igtk)); -+ os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep)); - #endif /* CONFIG_IEEE80211W */ - #ifdef CONFIG_IEEE80211R - os_memset(sm->xxkey, 0, sizeof(sm->xxkey)); -@@ -2986,7 +3009,7 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf) - - wpa_hexdump_key(MSG_DEBUG, "Install GTK (WNM SLEEP)", - gd.gtk, gd.gtk_len); -- if (wpa_supplicant_install_gtk(sm, &gd, key_rsc)) { -+ if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 1)) { - os_memset(&gd, 0, sizeof(gd)); - wpa_printf(MSG_DEBUG, "Failed to install the GTK in " - "WNM mode"); -@@ -2998,7 +3021,7 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 
*buf) - const struct wpa_igtk_kde *igtk; - - igtk = (const struct wpa_igtk_kde *) (buf + 2); -- if (wpa_supplicant_install_igtk(sm, igtk) < 0) -+ if (wpa_supplicant_install_igtk(sm, igtk, 1) < 0) - return -1; - #endif /* CONFIG_IEEE80211W */ - } else { -diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h -index afc9e37..9a54631 100644 ---- a/src/rsn_supp/wpa_i.h -+++ b/src/rsn_supp/wpa_i.h -@@ -32,8 +32,10 @@ struct wpa_sm { - int rx_replay_counter_set; - u8 request_counter[WPA_REPLAY_COUNTER_LEN]; - struct wpa_gtk gtk; -+ struct wpa_gtk gtk_wnm_sleep; - #ifdef CONFIG_IEEE80211W - struct wpa_igtk igtk; -+ struct wpa_igtk igtk_wnm_sleep; - #endif /* CONFIG_IEEE80211W */ - - struct eapol_sm *eapol; /* EAPOL state machine from upper level code */ --- -2.7.4 - diff --git a/src/patches/wpa_supplicant/rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch b/src/patches/wpa_supplicant/rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch deleted file mode 100644 index 22ee21794..000000000 --- a/src/patches/wpa_supplicant/rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch +++ /dev/null 
@@ -1,79 +0,0 @@ -From 8f82bc94e8697a9d47fa8774dfdaaede1084912c Mon Sep 17 00:00:00 2001 -From: Mathy Vanhoef Mathy.Vanhoef@cs.kuleuven.be -Date: Fri, 29 Sep 2017 04:22:51 +0200 -Subject: [PATCH 4/8] Prevent installation of an all-zero TK - -Properly track whether a PTK has already been installed to the driver -and the TK part cleared from memory. This prevents an attacker from -trying to trick the client into installing an all-zero TK. - -This fixes the earlier fix in commit -ad00d64e7d8827b3cebd665a0ceb08adabf15e1e ('Fix TK configuration to the -driver in EAPOL-Key 3/4 retry case') which did not take into account -possibility of an extra message 1/4 showing up between retries of -message 3/4. - -Signed-off-by: Mathy Vanhoef Mathy.Vanhoef@cs.kuleuven.be ---- - src/common/wpa_common.h | 1 + - src/rsn_supp/wpa.c | 5 ++--- - src/rsn_supp/wpa_i.h | 1 - - 3 files changed, 3 insertions(+), 4 deletions(-) - -diff --git a/src/common/wpa_common.h b/src/common/wpa_common.h -index d200285..1021ccb 100644 ---- a/src/common/wpa_common.h -+++ b/src/common/wpa_common.h -@@ -215,6 +215,7 @@ struct wpa_ptk { - size_t kck_len; - size_t kek_len; - size_t tk_len; -+ int installed; /* 1 if key has already been installed to driver */ - }; - - struct wpa_gtk { -diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c -index 7a2c68d..0550a41 100644 ---- a/src/rsn_supp/wpa.c -+++ b/src/rsn_supp/wpa.c -@@ -510,7 +510,6 @@ static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm, - os_memset(buf, 0, sizeof(buf)); - } - sm->tptk_set = 1; -- sm->tk_to_set = 1; - - kde = sm->assoc_wpa_ie; - kde_len = sm->assoc_wpa_ie_len; -@@ -615,7 +614,7 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm, - enum wpa_alg alg; - const u8 *key_rsc; - -- if (!sm->tk_to_set) { -+ if (sm->ptk.installed) { - wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, - "WPA: Do not re-install same PTK to the driver"); - return 0; -@@ -659,7 +658,7 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm, - - /* TK is not needed 
anymore in supplicant */ - os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN); -- sm->tk_to_set = 0; -+ sm->ptk.installed = 1; - - if (sm->wpa_ptk_rekey) { - eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL); -diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h -index 9a54631..41f371f 100644 ---- a/src/rsn_supp/wpa_i.h -+++ b/src/rsn_supp/wpa_i.h -@@ -24,7 +24,6 @@ struct wpa_sm { - struct wpa_ptk ptk, tptk; - int ptk_set, tptk_set; - unsigned int msg_3_of_4_ok:1; -- unsigned int tk_to_set:1; - u8 snonce[WPA_NONCE_LEN]; - u8 anonce[WPA_NONCE_LEN]; /* ANonce from the last 1/4 msg */ - int renew_snonce; --- -2.7.4 - diff --git a/src/patches/wpa_supplicant/rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch b/src/patches/wpa_supplicant/rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch deleted file mode 100644 index c19c4c710..000000000 --- a/src/patches/wpa_supplicant/rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch +++ /dev/null 
@@ -1,64 +0,0 @@ -From 12fac09b437a1dc8a0f253e265934a8aaf4d2f8b Mon Sep 17 00:00:00 2001 -From: Jouni Malinen j@w1.fi -Date: Sun, 1 Oct 2017 12:32:57 +0300 -Subject: [PATCH 5/8] Fix PTK rekeying to generate a new ANonce - -The Authenticator state machine path for PTK rekeying ended up bypassing -the AUTHENTICATION2 state where a new ANonce is generated when going -directly to the PTKSTART state since there is no need to try to -determine the PMK again in such a case. This is far from ideal since the -new PTK would depend on a new nonce only from the supplicant. - -Fix this by generating a new ANonce when moving to the PTKSTART state -for the purpose of starting new 4-way handshake to rekey PTK. - -Signed-off-by: Jouni Malinen j@w1.fi ---- - src/ap/wpa_auth.c | 24 +++++++++++++++++++++--- - 1 file changed, 21 insertions(+), 3 deletions(-) - -diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c -index 707971d..bf10cc1 100644 ---- a/src/ap/wpa_auth.c -+++ b/src/ap/wpa_auth.c -@@ -1901,6 +1901,21 @@ SM_STATE(WPA_PTK, AUTHENTICATION2) - } - - -+static int wpa_auth_sm_ptk_update(struct wpa_state_machine *sm) -+{ -+ if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) { -+ wpa_printf(MSG_ERROR, -+ "WPA: Failed to get random data for ANonce"); -+ sm->Disconnect = TRUE; -+ return -1; -+ } -+ wpa_hexdump(MSG_DEBUG, "WPA: Assign new ANonce", sm->ANonce, -+ WPA_NONCE_LEN); -+ sm->TimeoutCtr = 0; -+ return 0; -+} -+ -+ - SM_STATE(WPA_PTK, INITPMK) - { - u8 msk[2 * PMK_LEN]; -@@ -2458,9 +2473,12 @@ SM_STEP(WPA_PTK) - SM_ENTER(WPA_PTK, AUTHENTICATION); - else if (sm->ReAuthenticationRequest) - SM_ENTER(WPA_PTK, AUTHENTICATION2); -- else if (sm->PTKRequest) -- SM_ENTER(WPA_PTK, PTKSTART); -- else switch (sm->wpa_ptk_state) { -+ else if (sm->PTKRequest) { -+ if (wpa_auth_sm_ptk_update(sm) < 0) -+ SM_ENTER(WPA_PTK, DISCONNECTED); -+ else -+ SM_ENTER(WPA_PTK, PTKSTART); -+ } else switch (sm->wpa_ptk_state) { - case WPA_PTK_INITIALIZE: - break; - case WPA_PTK_DISCONNECT: --- -2.7.4 - 
diff --git a/src/patches/wpa_supplicant/rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch b/src/patches/wpa_supplicant/rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch deleted file mode 100644 index e1bd5a572..000000000 --- a/src/patches/wpa_supplicant/rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch +++ /dev/null 
@@ -1,132 +0,0 @@ -From 6c4bed4f47d1960ec04981a9d50e5076aea5223d Mon Sep 17 00:00:00 2001 -From: Jouni Malinen j@w1.fi -Date: Fri, 22 Sep 2017 11:03:15 +0300 -Subject: [PATCH 6/8] TDLS: Reject TPK-TK reconfiguration - -Do not try to reconfigure the same TPK-TK to the driver after it has -been successfully configured. This is an explicit check to avoid issues -related to resetting the TX/RX packet number. There was already a check -for this for TPK M2 (retries of that message are ignored completely), so -that behavior does not get modified. - -For TPK M3, the TPK-TK could have been reconfigured, but that was -followed by immediate teardown of the link due to an issue in updating -the STA entry. Furthermore, for TDLS with any real security (i.e., -ignoring open/WEP), the TPK message exchange is protected on the AP path -and simple replay attacks are not feasible. - -As an additional corner case, make sure the local nonce gets updated if -the peer uses a very unlikely "random nonce" of all zeros. - -Signed-off-by: Jouni Malinen j@w1.fi ---- - src/rsn_supp/tdls.c | 38 ++++++++++++++++++++++++++++++++++++-- - 1 file changed, 36 insertions(+), 2 deletions(-) - -diff --git a/src/rsn_supp/tdls.c b/src/rsn_supp/tdls.c -index e424168..9eb9738 100644 ---- a/src/rsn_supp/tdls.c -+++ b/src/rsn_supp/tdls.c -@@ -112,6 +112,7 @@ struct wpa_tdls_peer { - u8 tk[16]; /* TPK-TK; assuming only CCMP will be used */ - } tpk; - int tpk_set; -+ int tk_set; /* TPK-TK configured to the driver */ - int tpk_success; - int tpk_in_progress; - -@@ -192,6 +193,20 @@ static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) - u8 rsc[6]; - enum wpa_alg alg; - -+ if (peer->tk_set) { -+ /* -+ * This same TPK-TK has already been configured to the driver -+ * and this new configuration attempt (likely due to an -+ * unexpected retransmitted frame) would result in clearing -+ * the TX/RX sequence number which can break security, so must -+ * not allow that to happen. 
-+ */ -+ wpa_printf(MSG_INFO, "TDLS: TPK-TK for the peer " MACSTR -+ " has already been configured to the driver - do not reconfigure", -+ MAC2STR(peer->addr)); -+ return -1; -+ } -+ - os_memset(rsc, 0, 6); - - switch (peer->cipher) { -@@ -209,12 +224,15 @@ static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) - return -1; - } - -+ wpa_printf(MSG_DEBUG, "TDLS: Configure pairwise key for peer " MACSTR, -+ MAC2STR(peer->addr)); - if (wpa_sm_set_key(sm, alg, peer->addr, -1, 1, - rsc, sizeof(rsc), peer->tpk.tk, key_len) < 0) { - wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the " - "driver"); - return -1; - } -+ peer->tk_set = 1; - return 0; - } - -@@ -696,7 +714,7 @@ static void wpa_tdls_peer_clear(struct wpa_sm *sm, struct wpa_tdls_peer *peer) - peer->cipher = 0; - peer->qos_info = 0; - peer->wmm_capable = 0; -- peer->tpk_set = peer->tpk_success = 0; -+ peer->tk_set = peer->tpk_set = peer->tpk_success = 0; - peer->chan_switch_enabled = 0; - os_memset(&peer->tpk, 0, sizeof(peer->tpk)); - os_memset(peer->inonce, 0, WPA_NONCE_LEN); -@@ -1159,6 +1177,7 @@ skip_rsnie: - wpa_tdls_peer_free(sm, peer); - return -1; - } -+ peer->tk_set = 0; /* A new nonce results in a new TK */ - wpa_hexdump(MSG_DEBUG, "TDLS: Initiator Nonce for TPK handshake", - peer->inonce, WPA_NONCE_LEN); - os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); -@@ -1751,6 +1770,19 @@ static int wpa_tdls_addset_peer(struct wpa_sm *sm, struct wpa_tdls_peer *peer, - } - - -+static int tdls_nonce_set(const u8 *nonce) -+{ -+ int i; -+ -+ for (i = 0; i < WPA_NONCE_LEN; i++) { -+ if (nonce[i]) -+ return 1; -+ } -+ -+ return 0; -+} -+ -+ - static int wpa_tdls_process_tpk_m1(struct wpa_sm *sm, const u8 *src_addr, - const u8 *buf, size_t len) - { -@@ -2004,7 +2036,8 @@ skip_rsn: - peer->rsnie_i_len = kde.rsn_ie_len; - peer->cipher = cipher; - -- if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) { -+ if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0 || -+ 
!tdls_nonce_set(peer->inonce)) { - /* - * There is no point in updating the RNonce for every obtained - * TPK M1 frame (e.g., retransmission due to timeout) with the -@@ -2020,6 +2053,7 @@ skip_rsn: - "TDLS: Failed to get random data for responder nonce"); - goto error; - } -+ peer->tk_set = 0; /* A new nonce results in a new TK */ - } - - #if 0 --- -2.7.4 - diff --git a/src/patches/wpa_supplicant/rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch b/src/patches/wpa_supplicant/rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch deleted file mode 100644 index 85ea1d62b..000000000 --- a/src/patches/wpa_supplicant/rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch +++ /dev/null 
@@ -1,43 +0,0 @@ -From 53c5eb58e95004f86e65ee9fbfccbc291b139057 Mon Sep 17 00:00:00 2001 -From: Jouni Malinen j@w1.fi -Date: Fri, 22 Sep 2017 11:25:02 +0300 -Subject: [PATCH 7/8] WNM: Ignore WNM-Sleep Mode Response without pending - request - -Commit 03ed0a52393710be6bdae657d1b36efa146520e5 ('WNM: Ignore WNM-Sleep -Mode Response if WNM-Sleep Mode has not been used') started ignoring the -response when no WNM-Sleep Mode Request had been used during the -association. This can be made tighter by clearing the used flag when -successfully processing a response. This adds an additional layer of -protection against unexpected retransmissions of the response frame. - -Signed-off-by: Jouni Malinen j@w1.fi ---- - wpa_supplicant/wnm_sta.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c -index 1b3409c..67a07ff 100644 ---- a/wpa_supplicant/wnm_sta.c -+++ b/wpa_supplicant/wnm_sta.c -@@ -260,7 +260,7 @@ static void ieee802_11_rx_wnmsleep_resp(struct wpa_supplicant *wpa_s, - - if (!wpa_s->wnmsleep_used) { - wpa_printf(MSG_DEBUG, -- "WNM: Ignore WNM-Sleep Mode Response frame since WNM-Sleep Mode has not been used in this association"); -+ "WNM: Ignore WNM-Sleep Mode Response frame since WNM-Sleep Mode operation has not been requested"); - return; - } - -@@ -299,6 +299,8 @@ static void ieee802_11_rx_wnmsleep_resp(struct wpa_supplicant *wpa_s, - return; - } - -+ wpa_s->wnmsleep_used = 0; -+ - if (wnmsleep_ie->status == WNM_STATUS_SLEEP_ACCEPT || - wnmsleep_ie->status == WNM_STATUS_SLEEP_EXIT_ACCEPT_GTK_UPDATE) { - wpa_printf(MSG_DEBUG, "Successfully recv WNM-Sleep Response " --- -2.7.4 - diff --git a/src/patches/wpa_supplicant/rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch b/src/patches/wpa_supplicant/rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch deleted file mode 100644 index b9678f681..000000000 
--- a/src/patches/wpa_supplicant/rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch +++ /dev/null 
@@ -1,82 +0,0 @@ -From b372ab0b7daea719749194dc554b26e6367603f2 Mon Sep 17 00:00:00 2001 -From: Jouni Malinen j@w1.fi -Date: Fri, 22 Sep 2017 12:06:37 +0300 -Subject: [PATCH 8/8] FT: Do not allow multiple Reassociation Response frames - -The driver is expected to not report a second association event without -the station having explicitly request a new association. As such, this -case should not be reachable. However, since reconfiguring the same -pairwise or group keys to the driver could result in nonce reuse issues, -be extra careful here and do an additional state check to avoid this -even if the local driver ends up somehow accepting an unexpected -Reassociation Response frame. - -Signed-off-by: Jouni Malinen j@w1.fi ---- - src/rsn_supp/wpa.c | 3 +++ - src/rsn_supp/wpa_ft.c | 8 ++++++++ - src/rsn_supp/wpa_i.h | 1 + - 3 files changed, 12 insertions(+) - -diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c -index 0550a41..2a53c6f 100644 ---- a/src/rsn_supp/wpa.c -+++ b/src/rsn_supp/wpa.c -@@ -2440,6 +2440,9 @@ void wpa_sm_notify_disassoc(struct wpa_sm *sm) - #ifdef CONFIG_TDLS - wpa_tdls_disassoc(sm); - #endif /* CONFIG_TDLS */ -+#ifdef CONFIG_IEEE80211R -+ sm->ft_reassoc_completed = 0; -+#endif /* CONFIG_IEEE80211R */ - - /* Keys are not needed in the WPA state machine anymore */ - wpa_sm_drop_sa(sm); -diff --git a/src/rsn_supp/wpa_ft.c b/src/rsn_supp/wpa_ft.c -index 205793e..d45bb45 100644 ---- a/src/rsn_supp/wpa_ft.c -+++ b/src/rsn_supp/wpa_ft.c -@@ -153,6 +153,7 @@ static u8 * wpa_ft_gen_req_ies(struct wpa_sm *sm, size_t *len, - u16 capab; - - sm->ft_completed = 0; -+ sm->ft_reassoc_completed = 0; - - buf_len = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) + - 2 + sm->r0kh_id_len + ric_ies_len + 100; -@@ -681,6 +682,11 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies, - return -1; - } - -+ if (sm->ft_reassoc_completed) { -+ wpa_printf(MSG_DEBUG, "FT: Reassociation has already been completed for this FT protocol instance - 
ignore unexpected retransmission"); -+ return 0; -+ } -+ - if (wpa_ft_parse_ies(ies, ies_len, &parse) < 0) { - wpa_printf(MSG_DEBUG, "FT: Failed to parse IEs"); - return -1; -@@ -781,6 +787,8 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies, - return -1; - } - -+ sm->ft_reassoc_completed = 1; -+ - if (wpa_ft_process_gtk_subelem(sm, parse.gtk, parse.gtk_len) < 0) - return -1; - -diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h -index 41f371f..56f88dc 100644 ---- a/src/rsn_supp/wpa_i.h -+++ b/src/rsn_supp/wpa_i.h -@@ -128,6 +128,7 @@ struct wpa_sm { - size_t r0kh_id_len; - u8 r1kh_id[FT_R1KH_ID_LEN]; - int ft_completed; -+ int ft_reassoc_completed; - int over_the_ds_in_progress; - u8 target_ap[ETH_ALEN]; /* over-the-DS target AP */ - int set_ptk_after_assoc; --- -2.7.4 -
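Review bot: the "wpa_supplicant: Update to 2.7" commit message only links the upstream ChangeLog and never says that the carried v2.6 key-reinstallation patches are being dropped, which is what the `@@ -1,184 +0,0 @@` deletion of patch 3/8 ("Extend protection of GTK/IGTK reinstallation of WNM-Sleep Mode cases") does. Suggest adding a line to the message stating that the rebased-v2.6 patches are removed because 2.7 already contains them, after confirming in the 2.7 source that `wpa_supplicant_install_gtk()` and `wpa_supplicant_install_igtk()` take the `wnm_sleep` argument and that `struct wpa_sm` has the `gtk_wnm_sleep` and `igtk_wnm_sleep` members.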
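Review bot: nothing in this change shows that the all-zero TK protection survives the removal of patch 4/8 (hunk `@@ -1,79 +0,0 @@`). That patch's own message says the earlier fix missed an extra message 1/4 arriving between retries of message 3/4, so a package that merely builds proves nothing here. It would be worth checking the 2.7 tree for the `if (sm->ptk.installed)` test in `wpa_supplicant_install_ptk()` and for the absence of `tk_to_set` in `struct wpa_sm`, and recording that check in the commit message.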
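Review bot: patch 5/8 (hunk `@@ -1,64 +0,0 @@`) changes only `src/ap/wpa_auth.c`, which is Authenticator code, yet it is deleted from `src/patches/wpa_supplicant/`. If the hostapd build applied this ANonce fix from this directory or from its own copy, that reference should go away together with the "hostapd: Update to 2.7" commit so that neither package is left pointing at a deleted file or re-applying a fix that 2.7 already has.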
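Review bot: the deleted patches are stacked on one another, so the removal has to cover the whole series at once: in `src/rsn_supp/wpa.c` patch 3/8 ends at blob `7a2c68d`, patch 4/8 goes `7a2c68d..0550a41`, and patch 8/8 (hunk `@@ -1,82 +0,0 @@`) goes `0550a41..2a53c6f`. Please check that patches 1/8 and 2/8 and every reference to the series in the wpa_supplicant build file are removed in the same commit, since a single patch left behind is unlikely to apply cleanly on top of 2.7.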
hooks/post-receive -- IPFire 2.x development tree