
From: Thomas Deutschmann <whissi@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: net-wireless/hostapd/, net-wireless/hostapd/files/
Date: Wed, 02 Jun 2021 12:59:48
Message-Id: 1622638770.56ce8ace503d45e60b72a79222bb6aada4c76124.whissi@gentoo
1 commit: 56ce8ace503d45e60b72a79222bb6aada4c76124
2 Author: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
3 AuthorDate: Wed Jun 2 12:41:04 2021 +0000
4 Commit: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
5 CommitDate: Wed Jun 2 12:59:30 2021 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=56ce8ace
7
8 net-wireless/hostapd: fix CVE-2021-30004
9
10 Bug: https://bugs.gentoo.org/780135
11 Package-Manager: Portage-3.0.19, Repoman-3.0.3
12 Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org>
13
14 ...date-DigestAlgorithmIdentifier-parameters.patch | 115 +++++++++++++++++++++
15 .../{hostapd-9999.ebuild => hostapd-2.9-r4.ebuild} | 4 +-
16 net-wireless/hostapd/hostapd-9999.ebuild | 2 +
17 3 files changed, 120 insertions(+), 1 deletion(-)
18
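--- /dev/null
+++ b/net-wireless/hostapd/files/hostapd-2.9-ASN-1-Validate-DigestAlgorithmIdentifier-parameters.patch
@@ -0,0 +1,115 @@
+From a0541334a6394f8237a4393b7372693cd7e96f15 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@××.fi>
+Date: Sat, 13 Mar 2021 18:19:31 +0200
+Subject: ASN.1: Validate DigestAlgorithmIdentifier parameters
+
+The supported hash algorithms do not use AlgorithmIdentifier parameters.
+However, there are implementations that include NULL parameters in
+addition to ones that omit the parameters. Previous implementation did
+not check the parameters value at all which supported both these cases,
+but did not reject any other unexpected information.
+
+Use strict validation of digest algorithm parameters and reject any
+unexpected value when validating a signature. This is needed to prevent
+potential forging attacks.
+
+Signed-off-by: Jouni Malinen <j@××.fi>
+---
+ src/tls/pkcs1.c | 21 +++++++++++++++++++++
+ src/tls/x509v3.c | 20 ++++++++++++++++++++
+ 2 files changed, 41 insertions(+)
+
+diff --git a/src/tls/pkcs1.c b/src/tls/pkcs1.c
+index bbdb0d7..5761dfe 100644
+--- a/src/tls/pkcs1.c
++++ b/src/tls/pkcs1.c
+@@ -244,6 +244,8 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
+ os_free(decrypted);
+ return -1;
+ }
++ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: DigestInfo",
++ hdr.payload, hdr.length);
+
+ pos = hdr.payload;
+ end = pos + hdr.length;
+@@ -265,6 +267,8 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
+ os_free(decrypted);
+ return -1;
+ }
++ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: DigestAlgorithmIdentifier",
++ hdr.payload, hdr.length);
+ da_end = hdr.payload + hdr.length;
+
+ if (asn1_get_oid(hdr.payload, hdr.length, &oid, &next)) {
+@@ -273,6 +277,23 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
+ os_free(decrypted);
+ return -1;
+ }
++ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: Digest algorithm parameters",
++ next, da_end - next);
++
++ /*
++ * RFC 5754: The correct encoding for the SHA2 algorithms would be to
++ * omit the parameters, but there are implementation that encode these
++ * as a NULL element. Allow these two cases and reject anything else.
++ */
++ if (da_end > next &&
++ (asn1_get_next(next, da_end - next, &hdr) < 0 ||
++ !asn1_is_null(&hdr) ||
++ hdr.payload + hdr.length != da_end)) {
++ wpa_printf(MSG_DEBUG,
++ "PKCS #1: Unexpected digest algorithm parameters");
++ os_free(decrypted);
++ return -1;
++ }
+
+ if (!asn1_oid_equal(&oid, hash_alg)) {
+ char txt[100], txt2[100];
+diff --git a/src/tls/x509v3.c b/src/tls/x509v3.c
+index a8944dd..df337ec 100644
+--- a/src/tls/x509v3.c
++++ b/src/tls/x509v3.c
+@@ -1964,6 +1964,7 @@ int x509_check_signature(struct x509_certificate *issuer,
+ os_free(data);
+ return -1;
+ }
++ wpa_hexdump(MSG_MSGDUMP, "X509: DigestInfo", hdr.payload, hdr.length);
+
+ pos = hdr.payload;
+ end = pos + hdr.length;
+@@ -1985,6 +1986,8 @@ int x509_check_signature(struct x509_certificate *issuer,
+ os_free(data);
+ return -1;
+ }
++ wpa_hexdump(MSG_MSGDUMP, "X509: DigestAlgorithmIdentifier",
++ hdr.payload, hdr.length);
+ da_end = hdr.payload + hdr.length;
+
+ if (asn1_get_oid(hdr.payload, hdr.length, &oid, &next)) {
+@@ -1992,6 +1995,23 @@ int x509_check_signature(struct x509_certificate *issuer,
+ os_free(data);
+ return -1;
+ }
++ wpa_hexdump(MSG_MSGDUMP, "X509: Digest algorithm parameters",
++ next, da_end - next);
++
++ /*
++ * RFC 5754: The correct encoding for the SHA2 algorithms would be to
++ * omit the parameters, but there are implementation that encode these
++ * as a NULL element. Allow these two cases and reject anything else.
++ */
++ if (da_end > next &&
++ (asn1_get_next(next, da_end - next, &hdr) < 0 ||
++ !asn1_is_null(&hdr) ||
++ hdr.payload + hdr.length != da_end)) {
++ wpa_printf(MSG_DEBUG,
++ "X509: Unexpected digest algorithm parameters");
++ os_free(data);
++ return -1;
++ }
+
+ if (x509_sha1_oid(&oid)) {
+ if (signature->oid.oid[6] != 5 /* sha-1WithRSAEncryption */) {
+--
+cgit v0.12
+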
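--- a/net-wireless/hostapd/hostapd-9999.ebuild
+++ b/net-wireless/hostapd/hostapd-2.9-r4.ebuild
@@ -69,6 +69,8 @@ src_prepare() {
 eapply "${FILESDIR}/${P}-0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch"
 eapply "${FILESDIR}/${P}-0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch"
 eapply "${FILESDIR}/${P}-0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch"
+ # CVE-2021-30004 bug #780135
+ eapply "${FILESDIR}/${P}-ASN-1-Validate-DigestAlgorithmIdentifier-parameters.patch"
 
 popd >/dev/null || die
 
@@ -202,7 +204,7 @@ src_configure() {
 src_compile() {
 emake V=1
 
- if use internal-tls; then
+ if ! use internal-tls; then
 emake V=1 nt_password_hash
 emake V=1 hlr_auc_gw
 fi
 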
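Review bot: The second hunk shows the new 2.9-r4 ebuild building nt_password_hash and hlr_auc_gw under `if ! use internal-tls; then` while hostapd-9999.ebuild keeps `if use internal-tls; then` and is not touched there by this commit, so the two ebuilds build those utilities under opposite conditions. This is probably inherited from the earlier 2.9 revision rather than introduced here, but it is worth confirming which condition is intended, aligning the live ebuild, and recording the reason in a comment next to the condition. In the first hunk the added `eapply "${FILESDIR}/${P}-ASN-1-Validate-DigestAlgorithmIdentifier-parameters.patch"` resolves to the hostapd-2.9-… file this commit adds, but the same line copied into hostapd-9999.ebuild would expand to a hostapd-9999-… name that is not added; presumably a guard outside the hunk skips that block for the live ebuild, as the existing 0001–0003 lines share the pattern — confirm. Both src_prepare and src_compile continue outside their hunks.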
167 diff --git a/net-wireless/hostapd/hostapd-9999.ebuild b/net-wireless/hostapd/hostapd-9999.ebuild
168 index 515d2b26e21..92074dc1872 100644
169 --- a/net-wireless/hostapd/hostapd-9999.ebuild
170 +++ b/net-wireless/hostapd/hostapd-9999.ebuild
171 @@ -69,6 +69,8 @@ src_prepare() {
172 eapply "${FILESDIR}/${P}-0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch"
173 eapply "${FILESDIR}/${P}-0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch"
174 eapply "${FILESDIR}/${P}-0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch"
175 + # CVE-2021-30004 bug #780135
176 + eapply "${FILESDIR}/${P}-ASN-1-Validate-DigestAlgorithmIdentifier-parameters.patch"
177
178 popd >/dev/null || die