[gentoo-commits] repo/gentoo:master commit in: net-wireless/wpa_supplicant/, net-wireless/wpa_supplicant/files/ - gentoo-commits

From:	Rick Farina <zerochaos@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] repo/gentoo:master commit in: net-wireless/wpa_supplicant/, net-wireless/wpa_supplicant/files/
Date:	Wed, 05 Dec 2018 20:41:18
Message-Id:	`1544042382.102ca740a0e42464d91b474119a03c8b26cdefaa.zerochaos@gentoo`

1

commit:     102ca740a0e42464d91b474119a03c8b26cdefaa

2

Author:     Rick Farina <zerochaos <AT> gentoo <DOT> org>

3

AuthorDate: Wed Dec  5 20:39:42 2018 +0000

4

Commit:     Rick Farina <zerochaos <AT> gentoo <DOT> org>

5

CommitDate: Wed Dec  5 20:39:42 2018 +0000

6

URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=102ca740

7

8

net-wireless/wpa_supplicant: fix bug #663172

9

10

Package-Manager: Portage-2.3.52, Repoman-2.3.12

11

Signed-off-by: Rick Farina <zerochaos <AT> gentoo.org>

12

13

 ...-unauthenticated-encrypted-EAPOL-Key-data.patch | 44 ++++++++++++++++++++++

14

 ...2.6-r9.ebuild => wpa_supplicant-2.6-r10.ebuild} |  3 ++

15

 2 files changed, 47 insertions(+)

16

17

diff --git a/net-wireless/wpa_supplicant/files/rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch b/net-wireless/wpa_supplicant/files/rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch

18

new file mode 100644

19

index 00000000000..a62b52c6b9a

20

--- /dev/null

21

+++ b/net-wireless/wpa_supplicant/files/rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch

22

@@ -0,0 +1,44 @@

23

+From 3e34cfdff6b192fe337c6fb3f487f73e96582961 Mon Sep 17 00:00:00 2001

24

+From: Mathy Vanhoef <Mathy.Vanhoef@×××××××××××.be>

25

+Date: Sun, 15 Jul 2018 01:25:53 +0200

26

+Subject: [PATCH] WPA: Ignore unauthenticated encrypted EAPOL-Key data

27

+

28

+Ignore unauthenticated encrypted EAPOL-Key data in supplicant

29

+processing. When using WPA2, these are frames that have the Encrypted

30

+flag set, but not the MIC flag.

31

+

32

+When using WPA2, EAPOL-Key frames that had the Encrypted flag set but

33

+not the MIC flag, had their data field decrypted without first verifying

34

+the MIC. In case the data field was encrypted using RC4 (i.e., when

35

+negotiating TKIP as the pairwise cipher), this meant that

36

+unauthenticated but decrypted data would then be processed. An adversary

37

+could abuse this as a decryption oracle to recover sensitive information

38

+in the data field of EAPOL-Key messages (e.g., the group key).

39

+(CVE-2018-14526)

40

+

41

+Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@×××××××××××.be>

42

+---

43

+ src/rsn_supp/wpa.c | 11 +++++++++++

44

+ 1 file changed, 11 insertions(+)

45

+

46

+diff -upr wpa_supplicant-2.6.orig/src/rsn_supp/wpa.c wpa_supplicant-2.6/src/rsn_supp/wpa.c

47

+--- wpa_supplicant-2.6.orig/src/rsn_supp/wpa.c	2016-10-02 21:51:11.000000000 +0300

48

++++ wpa_supplicant-2.6/src/rsn_supp/wpa.c	2018-08-08 16:55:11.506831029 +0300

49

+@@ -2016,6 +2016,17 @@ int wpa_sm_rx_eapol(struct wpa_sm *sm, c

50

+

51

+ 	if ((sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) &&

52

+ 	    (key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {

53

++		/*

54

++		 * Only decrypt the Key Data field if the frame's authenticity

55

++		 * was verified. When using AES-SIV (FILS), the MIC flag is not

56

++		 * set, so this check should only be performed if mic_len != 0

57

++		 * which is the case in this code branch.

58

++		 */

59

++		if (!(key_info & WPA_KEY_INFO_MIC)) {

60

++			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,

61

++				"WPA: Ignore EAPOL-Key with encrypted but unauthenticated data");

62

++			goto out;

63

++		}

64

+ 		if (wpa_supplicant_decrypt_key_data(sm, key, ver, key_data,

65

+ 						    &key_data_len))

66

+ 			goto out;

67

68

diff --git a/net-wireless/wpa_supplicant/wpa_supplicant-2.6-r9.ebuild b/net-wireless/wpa_supplicant/wpa_supplicant-2.6-r10.ebuild

69

similarity index 98%

70

rename from net-wireless/wpa_supplicant/wpa_supplicant-2.6-r9.ebuild

71

rename to net-wireless/wpa_supplicant/wpa_supplicant-2.6-r10.ebuild

72

index 19e3fbfe5a0..36a7ffe69b6 100644

73

--- a/net-wireless/wpa_supplicant/wpa_supplicant-2.6-r9.ebuild

74

+++ b/net-wireless/wpa_supplicant/wpa_supplicant-2.6-r10.ebuild

75

@@ -146,6 +146,9 @@ src_prepare() {

76

 	eapply "${FILESDIR}/2017-1/rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch"

77

 	eapply "${FILESDIR}/2017-1/rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch"

78

79

+	# https://w1.fi/security/2018-1/unauthenticated-eapol-key-decryption.txt

80

+	eapply "${FILESDIR}/rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch"

81

+

82

 	# bug (640492)

83

 	sed -i 's#-Werror ##' wpa_supplicant/Makefile || die

84

}

1	commit: 102ca740a0e42464d91b474119a03c8b26cdefaa
2	Author: Rick Farina <zerochaos <AT> gentoo <DOT> org>
3	AuthorDate: Wed Dec 5 20:39:42 2018 +0000
4	Commit: Rick Farina <zerochaos <AT> gentoo <DOT> org>
5	CommitDate: Wed Dec 5 20:39:42 2018 +0000
6	URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=102ca740
7
8	net-wireless/wpa_supplicant: fix bug #663172
9
10	Package-Manager: Portage-2.3.52, Repoman-2.3.12
11	Signed-off-by: Rick Farina <zerochaos <AT> gentoo.org>
12
13	...-unauthenticated-encrypted-EAPOL-Key-data.patch \| 44 ++++++++++++++++++++++
14	...2.6-r9.ebuild => wpa_supplicant-2.6-r10.ebuild} \| 3 ++
15	2 files changed, 47 insertions(+)
16
17	diff --git a/net-wireless/wpa_supplicant/files/rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch b/net-wireless/wpa_supplicant/files/rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch
18	new file mode 100644
19	index 00000000000..a62b52c6b9a
20	--- /dev/null
21	+++ b/net-wireless/wpa_supplicant/files/rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch
22	@@ -0,0 +1,44 @@
23	+From 3e34cfdff6b192fe337c6fb3f487f73e96582961 Mon Sep 17 00:00:00 2001
24	+From: Mathy Vanhoef <Mathy.Vanhoef@×××××××××××.be>
25	+Date: Sun, 15 Jul 2018 01:25:53 +0200
26	+Subject: [PATCH] WPA: Ignore unauthenticated encrypted EAPOL-Key data
27	+
28	+Ignore unauthenticated encrypted EAPOL-Key data in supplicant
29	+processing. When using WPA2, these are frames that have the Encrypted
30	+flag set, but not the MIC flag.
31	+
32	+When using WPA2, EAPOL-Key frames that had the Encrypted flag set but
33	+not the MIC flag, had their data field decrypted without first verifying
34	+the MIC. In case the data field was encrypted using RC4 (i.e., when
35	+negotiating TKIP as the pairwise cipher), this meant that
36	+unauthenticated but decrypted data would then be processed. An adversary
37	+could abuse this as a decryption oracle to recover sensitive information
38	+in the data field of EAPOL-Key messages (e.g., the group key).
39	+(CVE-2018-14526)
40	+
41	+Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@×××××××××××.be>
42	+---
43	+ src/rsn_supp/wpa.c \| 11 +++++++++++
44	+ 1 file changed, 11 insertions(+)
45	+
46	+diff -upr wpa_supplicant-2.6.orig/src/rsn_supp/wpa.c wpa_supplicant-2.6/src/rsn_supp/wpa.c
47	+--- wpa_supplicant-2.6.orig/src/rsn_supp/wpa.c 2016-10-02 21:51:11.000000000 +0300
48	++++ wpa_supplicant-2.6/src/rsn_supp/wpa.c 2018-08-08 16:55:11.506831029 +0300
49	+@@ -2016,6 +2016,17 @@ int wpa_sm_rx_eapol(struct wpa_sm *sm, c
50	+
51	+ if ((sm->proto == WPA_PROTO_RSN \|\| sm->proto == WPA_PROTO_OSEN) &&
52	+ (key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
53	++ /*
54	++ * Only decrypt the Key Data field if the frame's authenticity
55	++ * was verified. When using AES-SIV (FILS), the MIC flag is not
56	++ * set, so this check should only be performed if mic_len != 0
57	++ * which is the case in this code branch.
58	++ */
59	++ if (!(key_info & WPA_KEY_INFO_MIC)) {
60	++ wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
61	++ "WPA: Ignore EAPOL-Key with encrypted but unauthenticated data");
62	++ goto out;
63	++ }
64	+ if (wpa_supplicant_decrypt_key_data(sm, key, ver, key_data,
65	+ &key_data_len))
66	+ goto out;
67
68	diff --git a/net-wireless/wpa_supplicant/wpa_supplicant-2.6-r9.ebuild b/net-wireless/wpa_supplicant/wpa_supplicant-2.6-r10.ebuild
69	similarity index 98%
70	rename from net-wireless/wpa_supplicant/wpa_supplicant-2.6-r9.ebuild
71	rename to net-wireless/wpa_supplicant/wpa_supplicant-2.6-r10.ebuild
72	index 19e3fbfe5a0..36a7ffe69b6 100644
73	--- a/net-wireless/wpa_supplicant/wpa_supplicant-2.6-r9.ebuild
74	+++ b/net-wireless/wpa_supplicant/wpa_supplicant-2.6-r10.ebuild
75	@@ -146,6 +146,9 @@ src_prepare() {
76	eapply "${FILESDIR}/2017-1/rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch"
77	eapply "${FILESDIR}/2017-1/rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch"
78
79	+ # https://w1.fi/security/2018-1/unauthenticated-eapol-key-decryption.txt
80	+ eapply "${FILESDIR}/rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch"
81	+
82	# bug (640492)
83	sed -i 's#-Werror ##' wpa_supplicant/Makefile \|\| die
84	}

Gentoo Archives: gentoo-commits