diff options
Diffstat (limited to 'source/n/wpa_supplicant/patches')
3 files changed, 304 insertions, 0 deletions
diff --git a/source/n/wpa_supplicant/patches/Fix-openssl-1-1-private-key-callback.patch b/source/n/wpa_supplicant/patches/Fix-openssl-1-1-private-key-callback.patch new file mode 100644 index 000000000..bee574a5c --- /dev/null +++ b/source/n/wpa_supplicant/patches/Fix-openssl-1-1-private-key-callback.patch @@ -0,0 +1,127 @@ +From 25b37c54a47e49d591f5752bbf0f510480402cae Mon Sep 17 00:00:00 2001 +From: Beniamino Galvani <bgalvani@redhat.com> +Date: Sun, 9 Jul 2017 11:14:10 +0200 +Subject: [PATCH 1/2] OpenSSL: Fix private key password handling with OpenSSL + >= 1.1.0f + +Since OpenSSL version 1.1.0f, SSL_use_PrivateKey_file() uses the +callback from the SSL object instead of the one from the CTX, so let's +set the callback on both SSL and CTX. Note that +SSL_set_default_passwd_cb*() is available only in 1.1.0. + +Signed-off-by: Beniamino Galvani <bgalvani@redhat.com> +(cherry picked from commit f665c93e1d28fbab3d9127a8c3985cc32940824f) +--- + src/crypto/tls_openssl.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c +index c4170b6..bceb8c3 100644 +--- a/src/crypto/tls_openssl.c ++++ b/src/crypto/tls_openssl.c +@@ -2779,6 +2779,15 @@ static int tls_connection_private_key(struct tls_data *data, + } else + passwd = NULL; + ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) ++ /* ++ * In OpenSSL >= 1.1.0f SSL_use_PrivateKey_file() uses the callback ++ * from the SSL object. See OpenSSL commit d61461a75253. ++ */ ++ SSL_set_default_passwd_cb(conn->ssl, tls_passwd_cb); ++ SSL_set_default_passwd_cb_userdata(conn->ssl, passwd); ++#endif /* >= 1.1.0f && !LibreSSL */ ++ /* Keep these for OpenSSL < 1.1.0f */ + SSL_CTX_set_default_passwd_cb(ssl_ctx, tls_passwd_cb); + SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, passwd); + +@@ -2869,6 +2878,9 @@ static int tls_connection_private_key(struct tls_data *data, + return -1; + } + ERR_clear_error(); ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) ++ SSL_set_default_passwd_cb(conn->ssl, NULL); ++#endif /* >= 1.1.0f && !LibreSSL */ + SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL); + os_free(passwd); + +-- +2.9.3 + +From b2887d6964a406eb5f88f4ad4e9764c468954382 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <j@w1.fi> +Date: Mon, 17 Jul 2017 12:06:17 +0300 +Subject: [PATCH 2/2] OpenSSL: Clear default_passwd_cb more thoroughly + +Previously, the pointer to strdup passwd was left in OpenSSL library +default_passwd_cb_userdata and even the default_passwd_cb was left set +on an error path. To avoid unexpected behavior if something were to +manage to use there pointers, clear them explicitly once done with +loading of the private key. + +Signed-off-by: Jouni Malinen <j@w1.fi> +(cherry picked from commit 89971d8b1e328a2f79699c953625d1671fd40384) +--- + src/crypto/tls_openssl.c | 22 +++++++++++++++++----- + 1 file changed, 17 insertions(+), 5 deletions(-) + +diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c +index bceb8c3..770af9e 100644 +--- a/src/crypto/tls_openssl.c ++++ b/src/crypto/tls_openssl.c +@@ -2758,6 +2758,19 @@ static int tls_connection_engine_private_key(struct tls_connection *conn) + } + + ++static void tls_clear_default_passwd_cb(SSL_CTX *ssl_ctx, SSL *ssl) ++{ ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) ++ if (ssl) { ++ SSL_set_default_passwd_cb(ssl, NULL); ++ SSL_set_default_passwd_cb_userdata(ssl, NULL); ++ } ++#endif /* >= 1.1.0f && !LibreSSL */ ++ SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL); ++ SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, NULL); ++} ++ ++ + static int tls_connection_private_key(struct tls_data *data, + struct tls_connection *conn, + const char *private_key, +@@ -2874,14 +2887,12 @@ static int tls_connection_private_key(struct tls_data *data, + if (!ok) { + tls_show_errors(MSG_INFO, __func__, + "Failed to load private key"); ++ tls_clear_default_passwd_cb(ssl_ctx, conn->ssl); + os_free(passwd); + return -1; + } + ERR_clear_error(); +-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) +- SSL_set_default_passwd_cb(conn->ssl, NULL); +-#endif /* >= 1.1.0f && !LibreSSL */ +- SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL); ++ tls_clear_default_passwd_cb(ssl_ctx, conn->ssl); + os_free(passwd); + + if (!SSL_check_private_key(conn->ssl)) { +@@ -2924,13 +2935,14 @@ static int tls_global_private_key(struct tls_data *data, + tls_read_pkcs12(data, NULL, private_key, passwd)) { + tls_show_errors(MSG_INFO, __func__, + "Failed to load private key"); ++ tls_clear_default_passwd_cb(ssl_ctx, NULL); + os_free(passwd); + ERR_clear_error(); + return -1; + } ++ tls_clear_default_passwd_cb(ssl_ctx, NULL); + os_free(passwd); + ERR_clear_error(); +- SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL); + + if (!SSL_CTX_check_private_key(ssl_ctx)) { + tls_show_errors(MSG_INFO, __func__, +-- +2.9.3 + diff --git a/source/n/wpa_supplicant/patches/rh1451834-nl80211-Fix-race-condition-in-detecting-MAC-change.patch b/source/n/wpa_supplicant/patches/rh1451834-nl80211-Fix-race-condition-in-detecting-MAC-change.patch new file mode 100644 index 000000000..0c03e1dc4 --- /dev/null +++ b/source/n/wpa_supplicant/patches/rh1451834-nl80211-Fix-race-condition-in-detecting-MAC-change.patch @@ -0,0 +1,99 @@ +From 290834df69556b903b49f2a45671cc62b44f13bb Mon Sep 17 00:00:00 2001 +From: Beniamino Galvani <bgalvani@redhat.com> +Date: Fri, 28 Apr 2017 17:59:30 +0200 +Subject: [PATCH] nl80211: Fix race condition in detecting MAC change + +Commit 3e0272ca00ce1df35b45e7d739dd7e935f13fd84 ('nl80211: Re-read MAC +address on RTM_NEWLINK') added the detection of external changes to MAC +address when the interface is brought up. + +If the interface state is changed quickly enough, wpa_supplicant may +receive the netlink message for the !IFF_UP event when the interface +has already been brought up and would ignore the next netlink IFF_UP +message, missing the MAC change. + +Fix this by also reloading the MAC address when a !IFF_UP event is +received with the interface up, because this implies that the +interface went down and up again, possibly changing the address. + +Signed-off-by: Beniamino Galvani <bgalvani@redhat.com> +--- + src/drivers/driver_nl80211.c | 47 +++++++++++++++++++++++++------------------- + 1 file changed, 27 insertions(+), 20 deletions(-) + +diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c +index af1cb84..24fad29 100644 +--- a/src/drivers/driver_nl80211.c ++++ b/src/drivers/driver_nl80211.c +@@ -933,6 +933,30 @@ nl80211_find_drv(struct nl80211_global *global, int idx, u8 *buf, size_t len) + } + + ++static void nl80211_refresh_mac(struct wpa_driver_nl80211_data *drv, ++ int ifindex) ++{ ++ struct i802_bss *bss; ++ u8 addr[ETH_ALEN]; ++ ++ bss = get_bss_ifindex(drv, ifindex); ++ if (bss && ++ linux_get_ifhwaddr(drv->global->ioctl_sock, ++ bss->ifname, addr) < 0) { ++ wpa_printf(MSG_DEBUG, ++ "nl80211: %s: failed to re-read MAC address", ++ bss->ifname); ++ } else if (bss && os_memcmp(addr, bss->addr, ETH_ALEN) != 0) { ++ wpa_printf(MSG_DEBUG, ++ "nl80211: Own MAC address on ifindex %d (%s) changed from " ++ MACSTR " to " MACSTR, ++ ifindex, bss->ifname, ++ MAC2STR(bss->addr), MAC2STR(addr)); ++ os_memcpy(bss->addr, addr, ETH_ALEN); ++ } ++} ++ ++ + static void wpa_driver_nl80211_event_rtm_newlink(void *ctx, + struct ifinfomsg *ifi, + u8 *buf, size_t len) +@@ -997,6 +1021,8 @@ static void wpa_driver_nl80211_event_rtm_newlink(void *ctx, + namebuf[0] = '\0'; + if (if_indextoname(ifi->ifi_index, namebuf) && + linux_iface_up(drv->global->ioctl_sock, namebuf) > 0) { ++ /* Re-read MAC address as it may have changed */ ++ nl80211_refresh_mac(drv, ifi->ifi_index); + wpa_printf(MSG_DEBUG, "nl80211: Ignore interface down " + "event since interface %s is up", namebuf); + drv->ignore_if_down_event = 0; +@@ -1044,27 +1070,8 @@ static void wpa_driver_nl80211_event_rtm_newlink(void *ctx, + "event since interface %s is marked " + "removed", drv->first_bss->ifname); + } else { +- struct i802_bss *bss; +- u8 addr[ETH_ALEN]; +- + /* Re-read MAC address as it may have changed */ +- bss = get_bss_ifindex(drv, ifi->ifi_index); +- if (bss && +- linux_get_ifhwaddr(drv->global->ioctl_sock, +- bss->ifname, addr) < 0) { +- wpa_printf(MSG_DEBUG, +- "nl80211: %s: failed to re-read MAC address", +- bss->ifname); +- } else if (bss && +- os_memcmp(addr, bss->addr, ETH_ALEN) != 0) { +- wpa_printf(MSG_DEBUG, +- "nl80211: Own MAC address on ifindex %d (%s) changed from " +- MACSTR " to " MACSTR, +- ifi->ifi_index, bss->ifname, +- MAC2STR(bss->addr), +- MAC2STR(addr)); +- os_memcpy(bss->addr, addr, ETH_ALEN); +- } ++ nl80211_refresh_mac(drv, ifi->ifi_index); + + wpa_printf(MSG_DEBUG, "nl80211: Interface up"); + drv->if_disabled = 0; +-- +2.9.3 + diff --git a/source/n/wpa_supplicant/patches/rh1497640-pae-validate-input-before-pointer.patch b/source/n/wpa_supplicant/patches/rh1497640-pae-validate-input-before-pointer.patch new file mode 100644 index 000000000..d99be04c3 --- /dev/null +++ b/source/n/wpa_supplicant/patches/rh1497640-pae-validate-input-before-pointer.patch @@ -0,0 +1,78 @@ +From 0ad5893a2f1f521d44712cd395e067ccf0a397c3 Mon Sep 17 00:00:00 2001 +From: Michael Braun <michael-dev@fami-braun.de> +Date: Fri, 18 Aug 2017 01:14:28 +0200 +Subject: PAE: Validate input before pointer + +ieee802_1x_kay_decode_mkpdu() calls ieee802_1x_mka_i_in_peerlist() +before body_len has been checked on all segments. + +ieee802_1x_kay_decode_mkpdu() and ieee802_1x_mka_i_in_peerlist() might +continue and thus underflow left_len even if it finds left_len to small +(or before checking). + +Additionally, ieee802_1x_mka_dump_peer_body() might perform out of bound +reads in this case. + +Fix this by checking left_len and aborting if too small early. + +Signed-off-by: Michael Braun <michael-dev@fami-braun.de> +--- + src/pae/ieee802_1x_kay.c | 23 ++++++++++++----------- + 1 file changed, 12 insertions(+), 11 deletions(-) + +diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c +index c4bfcbc..cad0292 100644 +--- a/src/pae/ieee802_1x_kay.c ++++ b/src/pae/ieee802_1x_kay.c +@@ -964,21 +964,19 @@ ieee802_1x_mka_i_in_peerlist(struct ieee802_1x_mka_participant *participant, + body_len = get_mka_param_body_len(hdr); + body_type = get_mka_param_body_type(hdr); + +- if (body_type != MKA_LIVE_PEER_LIST && +- body_type != MKA_POTENTIAL_PEER_LIST) +- continue; +- +- ieee802_1x_mka_dump_peer_body( +- (struct ieee802_1x_mka_peer_body *)pos); +- +- if (left_len < (MKA_HDR_LEN + body_len + DEFAULT_ICV_LEN)) { ++ if (left_len < (MKA_HDR_LEN + MKA_ALIGN_LENGTH(body_len) + DEFAULT_ICV_LEN)) { + wpa_printf(MSG_ERROR, + "KaY: MKA Peer Packet Body Length (%zu bytes) is less than the Parameter Set Header Length (%zu bytes) + the Parameter Set Body Length (%zu bytes) + %d bytes of ICV", + left_len, MKA_HDR_LEN, +- body_len, DEFAULT_ICV_LEN); +- continue; ++ MKA_ALIGN_LENGTH(body_len), ++ DEFAULT_ICV_LEN); ++ return FALSE; + } + ++ if (body_type != MKA_LIVE_PEER_LIST && ++ body_type != MKA_POTENTIAL_PEER_LIST) ++ continue; ++ + if ((body_len % 16) != 0) { + wpa_printf(MSG_ERROR, + "KaY: MKA Peer Packet Body Length (%zu bytes) should be a multiple of 16 octets", +@@ -986,6 +984,9 @@ ieee802_1x_mka_i_in_peerlist(struct ieee802_1x_mka_participant *participant, + continue; + } + ++ ieee802_1x_mka_dump_peer_body( ++ (struct ieee802_1x_mka_peer_body *)pos); ++ + for (i = 0; i < body_len; + i += sizeof(struct ieee802_1x_mka_peer_id)) { + const struct ieee802_1x_mka_peer_id *peer_mi; +@@ -3018,7 +3019,7 @@ static int ieee802_1x_kay_decode_mkpdu(struct ieee802_1x_kay *kay, + "KaY: MKA Peer Packet Body Length (%zu bytes) is less than the Parameter Set Header Length (%zu bytes) + the Parameter Set Body Length (%zu bytes) + %d bytes of ICV", + left_len, MKA_HDR_LEN, + body_len, DEFAULT_ICV_LEN); +- continue; ++ return -1; + } + + if (handled[body_type]) +-- +cgit v0.12 + |