Diffstat (limited to 'meta/recipes-connectivity/wpa-supplicant')
24 files changed, 483 insertions, 2859 deletions
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-EAP-pwd-server-Fix-reassembly-buffer-handling.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-EAP-pwd-server-Fix-reassembly-buffer-handling.patch
deleted file mode 100644
index 45e6e87dfe..0000000000
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-EAP-pwd-server-Fix-reassembly-buffer-handling.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From fe76f487e28bdc61940f304f153a954cf36935ea Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <jouni@codeaurora.org>
-Date: Wed, 17 Apr 2019 01:55:32 +0300
-Subject: [PATCH 1/3] EAP-pwd server: Fix reassembly buffer handling
-
-data->inbuf allocation might fail and if that were to happen, the next
-fragment in the exchange could have resulted in NULL pointer
-dereference. Unexpected fragment with more bit might also be able to
-trigger this. Fix that by explicitly checking for data->inbuf to be
-available before using it.
-
-Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
-Signed-off-by: Adrian Bunk <bunk@stusta.de>
-Upstream-Status: Backport
-CVE: CVE-2019-11555
----
- src/eap_server/eap_server_pwd.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
-index 11bef55..38e2af8 100644
---- a/src/eap_server/eap_server_pwd.c
-+++ b/src/eap_server/eap_server_pwd.c
-@@ -912,6 +912,12 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv,
- * the first and all intermediate fragments have the M bit set
- */
- if (EAP_PWD_GET_MORE_BIT(lm_exch) || data->in_frag_pos) {
-+ if (!data->inbuf) {
-+ wpa_printf(MSG_DEBUG,
-+ "EAP-pwd: No buffer for reassembly");
-+ eap_pwd_state(data, FAILURE);
-+ return;
-+ }
- if ((data->in_frag_pos + len) > wpabuf_size(data->inbuf)) {
- wpa_printf(MSG_DEBUG, "EAP-pwd: Buffer overflow "
- "attack detected! (%d+%d > %d)",
-@@ -932,7 +938,7 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv,
- * last fragment won't have the M bit set (but we're obviously
- * buffering fragments so that's how we know it's the last)
- */
-- if (data->in_frag_pos) {
-+ if (data->in_frag_pos && data->inbuf) {
- pos = wpabuf_head_u8(data->inbuf);
- len = data->in_frag_pos;
- wpa_printf(MSG_DEBUG, "EAP-pwd: Last fragment, %d bytes",
---
-2.7.4
-
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-Install-wpa_passphrase-when-not-disabled.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-Install-wpa_passphrase-when-not-disabled.patch
new file mode 100644
index 0000000000..c04c608bde
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-Install-wpa_passphrase-when-not-disabled.patch
@@ -0,0 +1,33 @@
+From 57b12a1e43605f71239a21488cb9b541f0751dda Mon Sep 17 00:00:00 2001
+From: Alex Kiernan <alexk@zuma.ai>
+Date: Thu, 21 Apr 2022 10:15:29 +0100
+Subject: [PATCH] Install wpa_passphrase when not disabled
+
+As part of fixing CONFIG_NO_WPA_PASSPHRASE, whilst wpa_passphrase gets
+built, its not installed during `make install`.
+
+Fixes: cb41c214b78d ("build: Re-enable options for libwpa_client.so and wpa_passphrase")
+Signed-off-by: Alex Kiernan <alexk@zuma.ai>
+Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
+Upstream-Status: Submitted [http://lists.infradead.org/pipermail/hostap/2022-April/040448.html]
+---
+ wpa_supplicant/Makefile | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
+index 0bab313f2355..12787c0c7d0f 100644
+--- a/wpa_supplicant/Makefile
++++ b/wpa_supplicant/Makefile
+@@ -73,6 +73,9 @@ $(DESTDIR)$(BINDIR)/%: %
+
+ install: $(addprefix $(DESTDIR)$(BINDIR)/,$(BINALL))
+ $(MAKE) -C ../src install
++ifndef CONFIG_NO_WPA_PASSPHRASE
++ install -D wpa_passphrase $(DESTDIR)/$(BINDIR)/wpa_passphrase
++endif
+ ifdef CONFIG_BUILD_WPA_CLIENT_SO
+ install -m 0644 -D libwpa_client.so $(DESTDIR)/$(LIBDIR)/libwpa_client.so
+ install -m 0644 -D ../src/common/wpa_ctrl.h $(DESTDIR)/$(INCDIR)/wpa_ctrl.h
+--
+2.35.1
+
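Review bot: The added `install -D wpa_passphrase $(DESTDIR)/$(BINDIR)/wpa_passphrase` line states no mode, while the two `install -m 0644 -D` lines after it in the same rule do. Writing `install -m 0755 -D wpa_passphrase $(DESTDIR)$(BINDIR)/wpa_passphrase` would make the installed permissions explicit rather than relying on install's default. It would also join the path the way the `$(DESTDIR)$(BINDIR)/%` pattern rule in the hunk header does, avoiding the doubled slash. The `install` rule continues past the end of the hunk, so any later handling of the binary is not visible here.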
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-OpenSSL-Use-constant-time-operations-for-private-big.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-OpenSSL-Use-constant-time-operations-for-private-big.patch
deleted file mode 100644
index e64d140c7b..0000000000
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-OpenSSL-Use-constant-time-operations-for-private-big.patch
+++ /dev/null
@@ -1,97 +0,0 @@ -From d42c477cc794163a3757956bbffca5cea000923c Mon Sep 17 00:00:00 2001 -From: Jouni Malinen <jouni@codeaurora.org> -Date: Tue, 26 Feb 2019 11:43:03 +0200 -Subject: [PATCH 01/14] OpenSSL: Use constant time operations for private - bignums - -This helps in reducing measurable timing differences in operations -involving private information. BoringSSL has removed BN_FLG_CONSTTIME -and expects specific constant time functions to be called instead, so a -bit different approach is needed depending on which library is used. - -The main operation that needs protection against side channel attacks is -BN_mod_exp() that depends on private keys (the public key validation -step in crypto_dh_derive_secret() is an exception that can use the -faster version since it does not depend on private keys). - -crypto_bignum_div() is currently used only in SAE FFC case with not -safe-prime groups and only with values that do not depend on private -keys, so it is not critical to protect it. - -crypto_bignum_inverse() is currently used only in SAE FFC PWE -derivation. The additional protection here is targeting only OpenSSL. -BoringSSL may need conversion to using BN_mod_inverse_blinded(). - -This is related to CVE-2019-9494 and CVE-2019-9495. 
- -Signed-off-by: Jouni Malinen <jouni@codeaurora.org> -Signed-off-by: Adrian Bunk <bunk@stusta.de> -Upstream-Status: Backport -CVE: CVE-2019-9494 -CVE: CVE-2019-9495 ---- - src/crypto/crypto_openssl.c | 20 +++++++++++++++----- - 1 file changed, 15 insertions(+), 5 deletions(-) - -diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c -index 9c2ba58..ac53cc8 100644 ---- a/src/crypto/crypto_openssl.c -+++ b/src/crypto/crypto_openssl.c -@@ -607,7 +607,8 @@ int crypto_mod_exp(const u8 *base, size_t base_len, - bn_result == NULL) - goto error; - -- if (BN_mod_exp(bn_result, bn_base, bn_exp, bn_modulus, ctx) != 1) -+ if (BN_mod_exp_mont_consttime(bn_result, bn_base, bn_exp, bn_modulus, -+ ctx, NULL) != 1) - goto error; - - *result_len = BN_bn2bin(bn_result, result); -@@ -1360,8 +1361,9 @@ int crypto_bignum_exptmod(const struct crypto_bignum *a, - bnctx = BN_CTX_new(); - if (bnctx == NULL) - return -1; -- res = BN_mod_exp((BIGNUM *) d, (const BIGNUM *) a, (const BIGNUM *) b, -- (const BIGNUM *) c, bnctx); -+ res = BN_mod_exp_mont_consttime((BIGNUM *) d, (const BIGNUM *) a, -+ (const BIGNUM *) b, (const BIGNUM *) c, -+ bnctx, NULL); - BN_CTX_free(bnctx); - - return res ? 0 : -1; -@@ -1380,6 +1382,11 @@ int crypto_bignum_inverse(const struct crypto_bignum *a, - bnctx = BN_CTX_new(); - if (bnctx == NULL) - return -1; -+#ifdef OPENSSL_IS_BORINGSSL -+ /* TODO: use BN_mod_inverse_blinded() ? 
*/ -+#else /* OPENSSL_IS_BORINGSSL */ -+ BN_set_flags((BIGNUM *) a, BN_FLG_CONSTTIME); -+#endif /* OPENSSL_IS_BORINGSSL */ - res = BN_mod_inverse((BIGNUM *) c, (const BIGNUM *) a, - (const BIGNUM *) b, bnctx); - BN_CTX_free(bnctx); -@@ -1413,6 +1420,9 @@ int crypto_bignum_div(const struct crypto_bignum *a, - bnctx = BN_CTX_new(); - if (bnctx == NULL) - return -1; -+#ifndef OPENSSL_IS_BORINGSSL -+ BN_set_flags((BIGNUM *) a, BN_FLG_CONSTTIME); -+#endif /* OPENSSL_IS_BORINGSSL */ - res = BN_div((BIGNUM *) c, NULL, (const BIGNUM *) a, - (const BIGNUM *) b, bnctx); - BN_CTX_free(bnctx); -@@ -1504,8 +1514,8 @@ int crypto_bignum_legendre(const struct crypto_bignum *a, - /* exp = (p-1) / 2 */ - !BN_sub(exp, (const BIGNUM *) p, BN_value_one()) || - !BN_rshift1(exp, exp) || -- !BN_mod_exp(tmp, (const BIGNUM *) a, exp, (const BIGNUM *) p, -- bnctx)) -+ !BN_mod_exp_mont_consttime(tmp, (const BIGNUM *) a, exp, -+ (const BIGNUM *) p, bnctx, NULL)) - goto fail; - - if (BN_is_word(tmp, 1)) --- -2.7.4 - diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch new file mode 100644 index 0000000000..620560d3c7 --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch 
@@ -0,0 +1,213 @@ +From f6f7cead3661ceeef54b21f7e799c0afc98537ec Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <j@w1.fi> +Date: Sat, 8 Jul 2023 19:55:32 +0300 +Subject: [PATCH] PEAP client: Update Phase 2 authentication requirements + +The previous PEAP client behavior allowed the server to skip Phase 2 +authentication with the expectation that the server was authenticated +during Phase 1 through TLS server certificate validation. Various PEAP +specifications are not exactly clear on what the behavior on this front +is supposed to be and as such, this ended up being more flexible than +the TTLS/FAST/TEAP cases. However, this is not really ideal when +unfortunately common misconfiguration of PEAP is used in deployed +devices where the server trust root (ca_cert) is not configured or the +user has an easy option for allowing this validation step to be skipped. + +Change the default PEAP client behavior to be to require Phase 2 +authentication to be successfully completed for cases where TLS session +resumption is not used and the client certificate has not been +configured. Those two exceptions are the main cases where a deployed +authentication server might skip Phase 2 and as such, where a more +strict default behavior could result in undesired interoperability +issues. Requiring Phase 2 authentication will end up disabling TLS +session resumption automatically to avoid interoperability issues. 
+ +Allow Phase 2 authentication behavior to be configured with a new phase1 +configuration parameter option: +'phase2_auth' option can be used to control Phase 2 (i.e., within TLS +tunnel) behavior for PEAP: + * 0 = do not require Phase 2 authentication + * 1 = require Phase 2 authentication when client certificate + (private_key/client_cert) is no used and TLS session resumption was + not used (default) + * 2 = require Phase 2 authentication in all cases + +Signed-off-by: Jouni Malinen <j@w1.fi> + +CVE: CVE-2023-52160 +Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=8e6485a1bcb0baffdea9e55255a81270b768439c] + +Signed-off-by: Claus Stovgaard <claus.stovgaard@gmail.com> + +--- + src/eap_peer/eap_config.h | 8 ++++++ + src/eap_peer/eap_peap.c | 40 +++++++++++++++++++++++++++--- + src/eap_peer/eap_tls_common.c | 6 +++++ + src/eap_peer/eap_tls_common.h | 5 ++++ + wpa_supplicant/wpa_supplicant.conf | 7 ++++++ + 5 files changed, 63 insertions(+), 3 deletions(-) + +diff --git a/src/eap_peer/eap_config.h b/src/eap_peer/eap_config.h +index 3238f74..047eec2 100644 +--- a/src/eap_peer/eap_config.h ++++ b/src/eap_peer/eap_config.h +@@ -469,6 +469,14 @@ struct eap_peer_config { + * 1 = use cryptobinding if server supports it + * 2 = require cryptobinding + * ++ * phase2_auth option can be used to control Phase 2 (i.e., within TLS ++ * tunnel) behavior for PEAP: ++ * 0 = do not require Phase 2 authentication ++ * 1 = require Phase 2 authentication when client certificate ++ * (private_key/client_cert) is no used and TLS session resumption was ++ * not used (default) ++ * 2 = require Phase 2 authentication in all cases ++ * + * EAP-WSC (WPS) uses following options: pin=Device_Password and + * uuid=Device_UUID + * +diff --git a/src/eap_peer/eap_peap.c b/src/eap_peer/eap_peap.c +index 12e30df..6080697 100644 +--- a/src/eap_peer/eap_peap.c ++++ b/src/eap_peer/eap_peap.c +@@ -67,6 +67,7 @@ struct eap_peap_data { + u8 cmk[20]; + int soh; /* Whether IF-TNCCS-SOH 
(Statement of Health; Microsoft NAP) + * is enabled. */ ++ enum { NO_AUTH, FOR_INITIAL, ALWAYS } phase2_auth; + }; + + +@@ -114,6 +115,19 @@ static void eap_peap_parse_phase1(struct eap_peap_data *data, + wpa_printf(MSG_DEBUG, "EAP-PEAP: Require cryptobinding"); + } + ++ if (os_strstr(phase1, "phase2_auth=0")) { ++ data->phase2_auth = NO_AUTH; ++ wpa_printf(MSG_DEBUG, ++ "EAP-PEAP: Do not require Phase 2 authentication"); ++ } else if (os_strstr(phase1, "phase2_auth=1")) { ++ data->phase2_auth = FOR_INITIAL; ++ wpa_printf(MSG_DEBUG, ++ "EAP-PEAP: Require Phase 2 authentication for initial connection"); ++ } else if (os_strstr(phase1, "phase2_auth=2")) { ++ data->phase2_auth = ALWAYS; ++ wpa_printf(MSG_DEBUG, ++ "EAP-PEAP: Require Phase 2 authentication for all cases"); ++ } + #ifdef EAP_TNC + if (os_strstr(phase1, "tnc=soh2")) { + data->soh = 2; +@@ -142,6 +156,7 @@ static void * eap_peap_init(struct eap_sm *sm) + data->force_peap_version = -1; + data->peap_outer_success = 2; + data->crypto_binding = OPTIONAL_BINDING; ++ data->phase2_auth = FOR_INITIAL; + + if (config && config->phase1) + eap_peap_parse_phase1(data, config->phase1); +@@ -454,6 +469,20 @@ static int eap_tlv_validate_cryptobinding(struct eap_sm *sm, + } + + ++static bool peap_phase2_sufficient(struct eap_sm *sm, ++ struct eap_peap_data *data) ++{ ++ if ((data->phase2_auth == ALWAYS || ++ (data->phase2_auth == FOR_INITIAL && ++ !tls_connection_resumed(sm->ssl_ctx, data->ssl.conn) && ++ !data->ssl.client_cert_conf) || ++ data->phase2_eap_started) && ++ !data->phase2_eap_success) ++ return false; ++ return true; ++} ++ ++ + /** + * eap_tlv_process - Process a received EAP-TLV message and generate a response + * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init() +@@ -568,6 +597,11 @@ static int eap_tlv_process(struct eap_sm *sm, struct eap_peap_data *data, + " - force failed Phase 2"); + resp_status = EAP_TLV_RESULT_FAILURE; + ret->decision = DECISION_FAIL; ++ } else if 
(!peap_phase2_sufficient(sm, data)) { ++ wpa_printf(MSG_INFO, ++ "EAP-PEAP: Server indicated Phase 2 success, but sufficient Phase 2 authentication has not been completed"); ++ resp_status = EAP_TLV_RESULT_FAILURE; ++ ret->decision = DECISION_FAIL; + } else { + resp_status = EAP_TLV_RESULT_SUCCESS; + ret->decision = DECISION_UNCOND_SUCC; +@@ -887,8 +921,7 @@ continue_req: + /* EAP-Success within TLS tunnel is used to indicate + * shutdown of the TLS channel. The authentication has + * been completed. */ +- if (data->phase2_eap_started && +- !data->phase2_eap_success) { ++ if (!peap_phase2_sufficient(sm, data)) { + wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 " + "Success used to indicate success, " + "but Phase 2 EAP was not yet " +@@ -1199,8 +1232,9 @@ static struct wpabuf * eap_peap_process(struct eap_sm *sm, void *priv, + static bool eap_peap_has_reauth_data(struct eap_sm *sm, void *priv) + { + struct eap_peap_data *data = priv; ++ + return tls_connection_established(sm->ssl_ctx, data->ssl.conn) && +- data->phase2_success; ++ data->phase2_success && data->phase2_auth != ALWAYS; + } + + +diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c +index c1837db..a53eeb1 100644 +--- a/src/eap_peer/eap_tls_common.c ++++ b/src/eap_peer/eap_tls_common.c +@@ -239,6 +239,12 @@ static int eap_tls_params_from_conf(struct eap_sm *sm, + + sm->ext_cert_check = !!(params->flags & TLS_CONN_EXT_CERT_CHECK); + ++ if (!phase2) ++ data->client_cert_conf = params->client_cert || ++ params->client_cert_blob || ++ params->private_key || ++ params->private_key_blob; ++ + return 0; + } + +diff --git a/src/eap_peer/eap_tls_common.h b/src/eap_peer/eap_tls_common.h +index 9ac0012..3348634 100644 +--- a/src/eap_peer/eap_tls_common.h ++++ b/src/eap_peer/eap_tls_common.h +@@ -79,6 +79,11 @@ struct eap_ssl_data { + * tls_v13 - Whether TLS v1.3 or newer is used + */ + int tls_v13; ++ ++ /** ++ * client_cert_conf: Whether client certificate has been configured ++ */ ++ bool 
client_cert_conf; + }; + + +diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf +index 6619d6b..d63f73c 100644 +--- a/wpa_supplicant/wpa_supplicant.conf ++++ b/wpa_supplicant/wpa_supplicant.conf +@@ -1321,6 +1321,13 @@ fast_reauth=1 + # * 0 = do not use cryptobinding (default) + # * 1 = use cryptobinding if server supports it + # * 2 = require cryptobinding ++# 'phase2_auth' option can be used to control Phase 2 (i.e., within TLS ++# tunnel) behavior for PEAP: ++# * 0 = do not require Phase 2 authentication ++# * 1 = require Phase 2 authentication when client certificate ++# (private_key/client_cert) is no used and TLS session resumption was ++# not used (default) ++# * 2 = require Phase 2 authentication in all cases + # EAP-WSC (WPS) uses following options: pin=<Device Password> or + # pbc=1. + # diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch new file mode 100644 index 0000000000..6e930fc98d --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch 
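Review bot: In `eap_peap_parse_phase1()` the new `phase2_auth` branches are `os_strstr()` substring matches tested in the order 0, 1, 2, so a phase1 string that contains more than one `phase2_auth=` token resolves to the least strict value. A value outside 0-2 (for example a constructed `phase2_auth=3`) keeps the `FOR_INITIAL` default from `eap_peap_init()` without any log line. Because this option is the control introduced for CVE-2023-52160, I would test the strictest value first (`phase2_auth=2`, then `=1`, then `=0`), or at least add a comment above the chain such as `/* First match wins; unrecognised phase2_auth values keep the FOR_INITIAL default */`. The function body starts outside the hunk, so whether the neighbouring options are parsed the same way cannot be confirmed from here. Separately, the option description added to eap_config.h and wpa_supplicant.conf reads "is no used" where "is not used" is meant.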
@@ -0,0 +1,73 @@
+From cb41c214b78d6df187a31950342e48a403dbd769 Mon Sep 17 00:00:00 2001
+From: Sergey Matyukevich <geomatsi@gmail.com>
+Date: Tue, 22 Feb 2022 11:52:19 +0300
+Subject: [PATCH 1/2] build: Re-enable options for libwpa_client.so and
+ wpa_passphrase
+
+Commit a41a29192e5d ("build: Pull common fragments into a build.rules
+file") introduced a regression into wpa_supplicant build process. The
+build target libwpa_client.so is not built regardless of whether the
+option CONFIG_BUILD_WPA_CLIENT_SO is set or not. This happens because
+this config option is used before it is imported from the configuration
+file. Moving its use after including build.rules does not help: the
+variable ALL is processed by build.rules and further changes are not
+applied. Similarly, option CONFIG_NO_WPA_PASSPHRASE also does not work
+as expected: wpa_passphrase is always built regardless of whether the
+option is set or not.
+
+Re-enable these options by adding both build targets to _all
+dependencies.
+
+Fixes: a41a29192e5d ("build: Pull common fragments into a build.rules file")
+Signed-off-by: Sergey Matyukevich <geomatsi@gmail.com>
+Upstream-Status: Backport
+Signed-off-by: Alex Kiernan <alexk@zuma.ai>
+Signed-off-by: Alex Kiernan <alexk@gmail.com>
+---
+ wpa_supplicant/Makefile | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
+index cb66defac7c8..c456825ae75f 100644
+--- a/wpa_supplicant/Makefile
++++ b/wpa_supplicant/Makefile
+@@ -1,24 +1,29 @@
+ BINALL=wpa_supplicant wpa_cli
+
+-ifndef CONFIG_NO_WPA_PASSPHRASE
+-BINALL += wpa_passphrase
+-endif
+-
+ ALL = $(BINALL)
+ ALL += systemd/wpa_supplicant.service
+ ALL += systemd/wpa_supplicant@.service
+ ALL += systemd/wpa_supplicant-nl80211@.service
+ ALL += systemd/wpa_supplicant-wired@.service
+ ALL += dbus/fi.w1.wpa_supplicant1.service
+-ifdef CONFIG_BUILD_WPA_CLIENT_SO
+-ALL += libwpa_client.so
+-endif
+
+ EXTRA_TARGETS=dynamic_eap_methods
+
+ CONFIG_FILE=.config
+ include ../src/build.rules
+
++ifdef CONFIG_BUILD_WPA_CLIENT_SO
++# add the dependency this way to allow CONFIG_BUILD_WPA_CLIENT_SO
++# being set in the config which is read by build.rules
++_all: libwpa_client.so
++endif
++
++ifndef CONFIG_NO_WPA_PASSPHRASE
++# add the dependency this way to allow CONFIG_NO_WPA_PASSPHRASE
++# being set in the config which is read by build.rules
++_all: wpa_passphrase
++endif
++
+ ifdef LIBS
+ # If LIBS is set with some global build system defaults, clone those for
+ # LIBS_c and LIBS_p to cover wpa_passphrase and wpa_cli as well.
+--
+2.35.1
+
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-replace-systemd-install-Alias-with-WantedBy.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-replace-systemd-install-Alias-with-WantedBy.patch
deleted file mode 100644
index a476cf040e..0000000000
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-replace-systemd-install-Alias-with-WantedBy.patch
+++ /dev/null
@@ -1,52 +0,0 @@ -From 94c401733a5a3d294cc412671166e6adfb409f53 Mon Sep 17 00:00:00 2001 -From: Joshua DeWeese <jdeweese@hennypenny.com> -Date: Wed, 30 Jan 2019 16:19:47 -0500 -Subject: [PATCH] replace systemd install Alias with WantedBy - -According to the systemd documentation "WantedBy=foo.service in a -service bar.service is mostly equivalent to -Alias=foo.service.wants/bar.service in the same file." However, -this is not really the intended purpose of install Aliases. - -Upstream-Status: Submitted [hostap@lists.infradead.org] - -Signed-off-by: Joshua DeWeese <jdeweese@hennypenny.com> ---- - wpa_supplicant/systemd/wpa_supplicant-nl80211.service.arg.in | 2 +- - wpa_supplicant/systemd/wpa_supplicant-wired.service.arg.in | 2 +- - wpa_supplicant/systemd/wpa_supplicant.service.arg.in | 2 +- - 3 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/wpa_supplicant/systemd/wpa_supplicant-nl80211.service.arg.in b/wpa_supplicant/systemd/wpa_supplicant-nl80211.service.arg.in -index 03ac507..da69a87 100644 ---- a/wpa_supplicant/systemd/wpa_supplicant-nl80211.service.arg.in -+++ b/wpa_supplicant/systemd/wpa_supplicant-nl80211.service.arg.in -@@ -12,4 +12,4 @@ Type=simple - ExecStart=@BINDIR@/wpa_supplicant -c/etc/wpa_supplicant/wpa_supplicant-nl80211-%I.conf -Dnl80211 -i%I - - [Install] --Alias=multi-user.target.wants/wpa_supplicant-nl80211@%i.service -+WantedBy=multi-user.target -diff --git a/wpa_supplicant/systemd/wpa_supplicant-wired.service.arg.in b/wpa_supplicant/systemd/wpa_supplicant-wired.service.arg.in -index c8a744d..ca3054b 100644 ---- a/wpa_supplicant/systemd/wpa_supplicant-wired.service.arg.in -+++ b/wpa_supplicant/systemd/wpa_supplicant-wired.service.arg.in -@@ -12,4 +12,4 @@ Type=simple - ExecStart=@BINDIR@/wpa_supplicant -c/etc/wpa_supplicant/wpa_supplicant-wired-%I.conf -Dwired -i%I - - [Install] --Alias=multi-user.target.wants/wpa_supplicant-wired@%i.service -+WantedBy=multi-user.target -diff --git 
a/wpa_supplicant/systemd/wpa_supplicant.service.arg.in b/wpa_supplicant/systemd/wpa_supplicant.service.arg.in -index 7788b38..55d2b9c 100644 ---- a/wpa_supplicant/systemd/wpa_supplicant.service.arg.in -+++ b/wpa_supplicant/systemd/wpa_supplicant.service.arg.in -@@ -12,4 +12,4 @@ Type=simple - ExecStart=@BINDIR@/wpa_supplicant -c/etc/wpa_supplicant/wpa_supplicant-%I.conf -i%I - - [Install] --Alias=multi-user.target.wants/wpa_supplicant@%i.service -+WantedBy=multi-user.target --- -2.7.4 - diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Add-helper-functions-for-constant-time-operations.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Add-helper-functions-for-constant-time-operations.patch deleted file mode 100644 index fd6f2ce158..0000000000 --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Add-helper-functions-for-constant-time-operations.patch +++ /dev/null 
@@ -1,222 +0,0 @@ -From 6e34f618d37ddbb5854c42e2ad4fca83492fa7b7 Mon Sep 17 00:00:00 2001 -From: Jouni Malinen <jouni@codeaurora.org> -Date: Wed, 27 Feb 2019 18:38:30 +0200 -Subject: [PATCH 02/14] Add helper functions for constant time operations - -These functions can be used to help implement constant time operations -for various cryptographic operations that must minimize externally -observable differences in processing (both in timing and also in -internal cache use, etc.). - -This is related to CVE-2019-9494 and CVE-2019-9495. - -Signed-off-by: Jouni Malinen <jouni@codeaurora.org> -Signed-off-by: Adrian Bunk <bunk@stusta.de> -Upstream-Status: Backport -CVE: CVE-2019-9494 -CVE: CVE-2019-9495 ---- - src/utils/const_time.h | 191 +++++++++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 191 insertions(+) - create mode 100644 src/utils/const_time.h - -diff --git a/src/utils/const_time.h b/src/utils/const_time.h -new file mode 100644 -index 0000000..ab8f611 ---- /dev/null -+++ b/src/utils/const_time.h -@@ -0,0 +1,191 @@ -+/* -+ * Helper functions for constant time operations -+ * Copyright (c) 2019, The Linux Foundation -+ * -+ * This software may be distributed under the terms of the BSD license. -+ * See README for more details. -+ * -+ * These helper functions can be used to implement logic that needs to minimize -+ * externally visible differences in execution path by avoiding use of branches, -+ * avoiding early termination or other time differences, and forcing same memory -+ * access pattern regardless of values. 
-+ */ -+ -+#ifndef CONST_TIME_H -+#define CONST_TIME_H -+ -+ -+#if defined(__clang__) -+#define NO_UBSAN_UINT_OVERFLOW \ -+ __attribute__((no_sanitize("unsigned-integer-overflow"))) -+#else -+#define NO_UBSAN_UINT_OVERFLOW -+#endif -+ -+ -+/** -+ * const_time_fill_msb - Fill all bits with MSB value -+ * @val: Input value -+ * Returns: Value with all the bits set to the MSB of the input val -+ */ -+static inline unsigned int const_time_fill_msb(unsigned int val) -+{ -+ /* Move the MSB to LSB and multiple by -1 to fill in all bits. */ -+ return (val >> (sizeof(val) * 8 - 1)) * ~0U; -+} -+ -+ -+/* Returns: -1 if val is zero; 0 if val is not zero */ -+static inline unsigned int const_time_is_zero(unsigned int val) -+ NO_UBSAN_UINT_OVERFLOW -+{ -+ /* Set MSB to 1 for 0 and fill rest of bits with the MSB value */ -+ return const_time_fill_msb(~val & (val - 1)); -+} -+ -+ -+/* Returns: -1 if a == b; 0 if a != b */ -+static inline unsigned int const_time_eq(unsigned int a, unsigned int b) -+{ -+ return const_time_is_zero(a ^ b); -+} -+ -+ -+/* Returns: -1 if a == b; 0 if a != b */ -+static inline u8 const_time_eq_u8(unsigned int a, unsigned int b) -+{ -+ return (u8) const_time_eq(a, b); -+} -+ -+ -+/** -+ * const_time_eq_bin - Constant time memory comparison -+ * @a: First buffer to compare -+ * @b: Second buffer to compare -+ * @len: Number of octets to compare -+ * Returns: -1 if buffers are equal, 0 if not -+ * -+ * This function is meant for comparing passwords or hash values where -+ * difference in execution time or memory access pattern could provide external -+ * observer information about the location of the difference in the memory -+ * buffers. The return value does not behave like memcmp(), i.e., -+ * const_time_eq_bin() cannot be used to sort items into a defined order. Unlike -+ * memcmp(), the execution time of const_time_eq_bin() does not depend on the -+ * contents of the compared memory buffers, but only on the total compared -+ * length. 
-+ */ -+static inline unsigned int const_time_eq_bin(const void *a, const void *b, -+ size_t len) -+{ -+ const u8 *aa = a; -+ const u8 *bb = b; -+ size_t i; -+ u8 res = 0; -+ -+ for (i = 0; i < len; i++) -+ res |= aa[i] ^ bb[i]; -+ -+ return const_time_is_zero(res); -+} -+ -+ -+/** -+ * const_time_select - Constant time unsigned int selection -+ * @mask: 0 (false) or -1 (true) to identify which value to select -+ * @true_val: Value to select for the true case -+ * @false_val: Value to select for the false case -+ * Returns: true_val if mask == -1, false_val if mask == 0 -+ */ -+static inline unsigned int const_time_select(unsigned int mask, -+ unsigned int true_val, -+ unsigned int false_val) -+{ -+ return (mask & true_val) | (~mask & false_val); -+} -+ -+ -+/** -+ * const_time_select_int - Constant time int selection -+ * @mask: 0 (false) or -1 (true) to identify which value to select -+ * @true_val: Value to select for the true case -+ * @false_val: Value to select for the false case -+ * Returns: true_val if mask == -1, false_val if mask == 0 -+ */ -+static inline int const_time_select_int(unsigned int mask, int true_val, -+ int false_val) -+{ -+ return (int) const_time_select(mask, (unsigned int) true_val, -+ (unsigned int) false_val); -+} -+ -+ -+/** -+ * const_time_select_u8 - Constant time u8 selection -+ * @mask: 0 (false) or -1 (true) to identify which value to select -+ * @true_val: Value to select for the true case -+ * @false_val: Value to select for the false case -+ * Returns: true_val if mask == -1, false_val if mask == 0 -+ */ -+static inline u8 const_time_select_u8(u8 mask, u8 true_val, u8 false_val) -+{ -+ return (u8) const_time_select(mask, true_val, false_val); -+} -+ -+ -+/** -+ * const_time_select_s8 - Constant time s8 selection -+ * @mask: 0 (false) or -1 (true) to identify which value to select -+ * @true_val: Value to select for the true case -+ * @false_val: Value to select for the false case -+ * Returns: true_val if mask == -1, false_val 
if mask == 0 -+ */ -+static inline s8 const_time_select_s8(u8 mask, s8 true_val, s8 false_val) -+{ -+ return (s8) const_time_select(mask, (unsigned int) true_val, -+ (unsigned int) false_val); -+} -+ -+ -+/** -+ * const_time_select_bin - Constant time binary buffer selection copy -+ * @mask: 0 (false) or -1 (true) to identify which value to copy -+ * @true_val: Buffer to copy for the true case -+ * @false_val: Buffer to copy for the false case -+ * @len: Number of octets to copy -+ * @dst: Destination buffer for the copy -+ * -+ * This function copies the specified buffer into the destination buffer using -+ * operations with identical memory access pattern regardless of which buffer -+ * is being copied. -+ */ -+static inline void const_time_select_bin(u8 mask, const u8 *true_val, -+ const u8 *false_val, size_t len, -+ u8 *dst) -+{ -+ size_t i; -+ -+ for (i = 0; i < len; i++) -+ dst[i] = const_time_select_u8(mask, true_val[i], false_val[i]); -+} -+ -+ -+static inline int const_time_memcmp(const void *a, const void *b, size_t len) -+{ -+ const u8 *aa = a; -+ const u8 *bb = b; -+ int diff, res = 0; -+ unsigned int mask; -+ -+ if (len == 0) -+ return 0; -+ do { -+ len--; -+ diff = (int) aa[len] - (int) bb[len]; -+ mask = const_time_is_zero((unsigned int) diff); -+ res = const_time_select_int(mask, res, diff); -+ } while (len); -+ -+ return res; -+} -+ -+#endif /* CONST_TIME_H */ --- -2.7.4 - diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch new file mode 100644 index 0000000000..53b0fcdf53 --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch 
@@ -0,0 +1,26 @@
+From d001b301ba7987f4b39453a211631b85c48f2ff8 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <quic_jouni@quicinc.com>
+Date: Thu, 3 Mar 2022 13:26:42 +0200
+Subject: [PATCH 2/2] Fix removal of wpa_passphrase on 'make clean'
+
+Fixes: 0430bc8267b4 ("build: Add a common-clean target")
+Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
+Upstream-Status: Backport
+Signed-off-by: Alex Kiernan <alexk@zuma.ai>
+Signed-off-by: Alex Kiernan <alexk@gmail.com>
+---
+ wpa_supplicant/Makefile | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
+index c456825ae75f..4b4688931b1d 100644
+--- a/wpa_supplicant/Makefile
++++ b/wpa_supplicant/Makefile
+@@ -2077,3 +2077,4 @@ clean: common-clean
+ rm -f libwpa_client.a
+ rm -f libwpa_client.so
+ rm -f libwpa_test1 libwpa_test2
++ rm -f wpa_passphrase
+--
+2.35.1
+
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-EAP-pwd-peer-Fix-reassembly-buffer-handling.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-EAP-pwd-peer-Fix-reassembly-buffer-handling.patch
deleted file mode 100644
index 95ea809ef2..0000000000
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-EAP-pwd-peer-Fix-reassembly-buffer-handling.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From d2d1a324ce937628e4d9d9999fe113819b7d4478 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <jouni@codeaurora.org>
-Date: Wed, 17 Apr 2019 02:21:20 +0300
-Subject: [PATCH 3/3] EAP-pwd peer: Fix reassembly buffer handling
-
-Unexpected fragment might result in data->inbuf not being allocated
-before processing and that could have resulted in NULL pointer
-dereference. Fix that by explicitly checking for data->inbuf to be
-available before using it.
-
-Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
-Signed-off-by: Adrian Bunk <bunk@stusta.de>
-Upstream-Status: Backport
-CVE: CVE-2019-11555
----
- src/eap_peer/eap_pwd.c | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
-index 46894a5..76fcad4 100644
---- a/src/eap_peer/eap_pwd.c
-+++ b/src/eap_peer/eap_pwd.c
-@@ -932,6 +932,13 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
- * buffer and ACK the fragment
- */
- if (EAP_PWD_GET_MORE_BIT(lm_exch) || data->in_frag_pos) {
-+ if (!data->inbuf) {
-+ wpa_printf(MSG_DEBUG,
-+ "EAP-pwd: No buffer for reassembly");
-+ ret->methodState = METHOD_DONE;
-+ ret->decision = DECISION_FAIL;
-+ return NULL;
-+ }
- data->in_frag_pos += len;
- if (data->in_frag_pos > wpabuf_size(data->inbuf)) {
- wpa_printf(MSG_INFO, "EAP-pwd: Buffer overflow attack "
-@@ -958,7 +965,7 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
- /*
- * we're buffering and this is the last fragment
- */
-- if (data->in_frag_pos) {
-+ if (data->in_frag_pos && data->inbuf) {
- wpa_printf(MSG_DEBUG, "EAP-pwd: Last fragment, %d bytes",
- (int) len);
- pos = wpabuf_head_u8(data->inbuf);
---
-2.7.4
-
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-OpenSSL-Use-constant-time-selection-for-crypto_bignu.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-OpenSSL-Use-constant-time-selection-for-crypto_bignu.patch
deleted file mode 100644
index 790041f259..0000000000
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-OpenSSL-Use-constant-time-selection-for-crypto_bignu.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From c93461c1d98f52681717a088776ab32fd97872b0 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <jouni@codeaurora.org>
-Date: Fri, 8 Mar 2019 00:24:12 +0200
-Subject: [PATCH 03/14] OpenSSL: Use constant time selection for
- crypto_bignum_legendre()
-
-Get rid of the branches that depend on the result of the Legendre
-operation. This is needed to avoid leaking information about different
-temporary results in blinding mechanisms.
-
-This is related to CVE-2019-9494 and CVE-2019-9495.
-
-Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
-Signed-off-by: Adrian Bunk <bunk@stusta.de>
-Upstream-Status: Backport
-CVE: CVE-2019-9494
-CVE: CVE-2019-9495
----
- src/crypto/crypto_openssl.c | 15 +++++++++------
- 1 file changed, 9 insertions(+), 6 deletions(-)
-
-diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c
-index ac53cc8..0f52101 100644
---- a/src/crypto/crypto_openssl.c
-+++ b/src/crypto/crypto_openssl.c
-@@ -24,6 +24,7 @@
- #endif /* CONFIG_ECC */
-
- #include "common.h"
-+#include "utils/const_time.h"
- #include "wpabuf.h"
- #include "dh_group5.h"
- #include "sha1.h"
-@@ -1500,6 +1501,7 @@ int crypto_bignum_legendre(const struct crypto_bignum *a,
- BN_CTX *bnctx;
- BIGNUM *exp = NULL, *tmp = NULL;
- int res = -2;
-+ unsigned int mask;
-
- if (TEST_FAIL())
- return -2;
-@@ -1518,12 +1520,13 @@ int crypto_bignum_legendre(const struct crypto_bignum *a,
- (const BIGNUM *) p, bnctx, NULL))
- goto fail;
-
-- if (BN_is_word(tmp, 1))
-- res = 1;
-- else if (BN_is_zero(tmp))
-- res = 0;
-- else
-- res = -1;
-+ /* Return 1 if tmp == 1, 0 if tmp == 0, or -1 otherwise. Need to use
-+ * constant time selection to avoid branches here. */
-+ res = -1;
-+ mask = const_time_eq(BN_is_word(tmp, 1), 1);
-+ res = const_time_select_int(mask, 1, res);
-+ mask = const_time_eq(BN_is_zero(tmp), 1);
-+ res = const_time_select_int(mask, 0, res);
-
- fail:
- BN_clear_free(tmp);
---
-2.7.4
-
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0004-EAP-pwd-Use-constant-time-and-memory-access-for-find.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0004-EAP-pwd-Use-constant-time-and-memory-access-for-find.patch
deleted file mode 100644
index 471380c443..0000000000
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0004-EAP-pwd-Use-constant-time-and-memory-access-for-find.patch
+++ /dev/null
@@ -1,327 +0,0 @@ -From aaf65feac67c3993935634eefe5bc76b9fce03aa Mon Sep 17 00:00:00 2001 -From: Jouni Malinen <jouni@codeaurora.org> -Date: Tue, 26 Feb 2019 11:59:45 +0200 -Subject: [PATCH 04/14] EAP-pwd: Use constant time and memory access for - finding the PWE - -This algorithm could leak information to external observers in form of -timing differences or memory access patterns (cache use). While the -previous implementation had protection against the most visible timing -differences (looping 40 rounds and masking the legendre operation), it -did not protect against memory access patterns between the two possible -code paths in the masking operations. That might be sufficient to allow -an unprivileged process running on the same device to be able to -determine which path is being executed through a cache attack and based -on that, determine information about the used password. - -Convert the PWE finding loop to use constant time functions and -identical memory access path without different branches for the QR/QNR -cases to minimize possible side-channel information similarly to the -changes done for SAE authentication. 
(CVE-2019-9495) - -Signed-off-by: Jouni Malinen <jouni@codeaurora.org> -Signed-off-by: Adrian Bunk <bunk@stusta.de> -Upstream-Status: Backport -CVE: CVE-2019-9495 ---- - src/eap_common/eap_pwd_common.c | 187 +++++++++++++++++++++------------------- - 1 file changed, 99 insertions(+), 88 deletions(-) - -diff --git a/src/eap_common/eap_pwd_common.c b/src/eap_common/eap_pwd_common.c -index 02fe01e..e49aaf8 100644 ---- a/src/eap_common/eap_pwd_common.c -+++ b/src/eap_common/eap_pwd_common.c -@@ -8,11 +8,15 @@ - - #include "includes.h" - #include "common.h" -+#include "utils/const_time.h" - #include "crypto/sha256.h" - #include "crypto/crypto.h" - #include "eap_defs.h" - #include "eap_pwd_common.h" - -+#define MAX_ECC_PRIME_LEN 66 -+ -+ - /* The random function H(x) = HMAC-SHA256(0^32, x) */ - struct crypto_hash * eap_pwd_h_init(void) - { -@@ -102,6 +106,15 @@ EAP_PWD_group * get_eap_pwd_group(u16 num) - } - - -+static void buf_shift_right(u8 *buf, size_t len, size_t bits) -+{ -+ size_t i; -+ for (i = len - 1; i > 0; i--) -+ buf[i] = (buf[i - 1] << (8 - bits)) | (buf[i] >> bits); -+ buf[0] >>= bits; -+} -+ -+ - /* - * compute a "random" secret point on an elliptic curve based - * on the password and identities. 
-@@ -113,17 +126,27 @@ int compute_password_element(EAP_PWD_group *grp, u16 num, - const u8 *token) - { - struct crypto_bignum *qr = NULL, *qnr = NULL, *one = NULL; -+ struct crypto_bignum *qr_or_qnr = NULL; -+ u8 qr_bin[MAX_ECC_PRIME_LEN]; -+ u8 qnr_bin[MAX_ECC_PRIME_LEN]; -+ u8 qr_or_qnr_bin[MAX_ECC_PRIME_LEN]; -+ u8 x_bin[MAX_ECC_PRIME_LEN]; - struct crypto_bignum *tmp1 = NULL, *tmp2 = NULL, *pm1 = NULL; - struct crypto_hash *hash; - unsigned char pwe_digest[SHA256_MAC_LEN], *prfbuf = NULL, ctr; -- int is_odd, ret = 0, check, found = 0; -- size_t primebytelen, primebitlen; -- struct crypto_bignum *x_candidate = NULL, *rnd = NULL, *cofactor = NULL; -+ int ret = 0, check, res; -+ u8 found = 0; /* 0 (false) or 0xff (true) to be used as const_time_* -+ * mask */ -+ size_t primebytelen = 0, primebitlen; -+ struct crypto_bignum *x_candidate = NULL, *cofactor = NULL; - const struct crypto_bignum *prime; -+ u8 mask, found_ctr = 0, is_odd = 0; - - if (grp->pwe) - return -1; - -+ os_memset(x_bin, 0, sizeof(x_bin)); -+ - prime = crypto_ec_get_prime(grp->group); - cofactor = crypto_bignum_init(); - grp->pwe = crypto_ec_point_init(grp->group); -@@ -152,8 +175,6 @@ int compute_password_element(EAP_PWD_group *grp, u16 num, - - /* get a random quadratic residue and nonresidue */ - while (!qr || !qnr) { -- int res; -- - if (crypto_bignum_rand(tmp1, prime) < 0) - goto fail; - res = crypto_bignum_legendre(tmp1, prime); -@@ -167,6 +188,11 @@ int compute_password_element(EAP_PWD_group *grp, u16 num, - if (!tmp1) - goto fail; - } -+ if (crypto_bignum_to_bin(qr, qr_bin, sizeof(qr_bin), -+ primebytelen) < 0 || -+ crypto_bignum_to_bin(qnr, qnr_bin, sizeof(qnr_bin), -+ primebytelen) < 0) -+ goto fail; - - os_memset(prfbuf, 0, primebytelen); - ctr = 0; -@@ -194,17 +220,16 @@ int compute_password_element(EAP_PWD_group *grp, u16 num, - eap_pwd_h_update(hash, &ctr, sizeof(ctr)); - eap_pwd_h_final(hash, pwe_digest); - -- crypto_bignum_deinit(rnd, 1); -- rnd = 
crypto_bignum_init_set(pwe_digest, SHA256_MAC_LEN); -- if (!rnd) { -- wpa_printf(MSG_INFO, "EAP-pwd: unable to create rnd"); -- goto fail; -- } -+ is_odd = const_time_select_u8( -+ found, is_odd, pwe_digest[SHA256_MAC_LEN - 1] & 0x01); - if (eap_pwd_kdf(pwe_digest, SHA256_MAC_LEN, - (u8 *) "EAP-pwd Hunting And Pecking", - os_strlen("EAP-pwd Hunting And Pecking"), - prfbuf, primebitlen) < 0) - goto fail; -+ if (primebitlen % 8) -+ buf_shift_right(prfbuf, primebytelen, -+ 8 - primebitlen % 8); - - crypto_bignum_deinit(x_candidate, 1); - x_candidate = crypto_bignum_init_set(prfbuf, primebytelen); -@@ -214,24 +239,13 @@ int compute_password_element(EAP_PWD_group *grp, u16 num, - goto fail; - } - -- /* -- * eap_pwd_kdf() returns a string of bits 0..primebitlen but -- * BN_bin2bn will treat that string of bits as a big endian -- * number. If the primebitlen is not an even multiple of 8 -- * then excessive bits-- those _after_ primebitlen-- so now -- * we have to shift right the amount we masked off. -- */ -- if ((primebitlen % 8) && -- crypto_bignum_rshift(x_candidate, -- (8 - (primebitlen % 8)), -- x_candidate) < 0) -- goto fail; -- - if (crypto_bignum_cmp(x_candidate, prime) >= 0) - continue; - -- wpa_hexdump(MSG_DEBUG, "EAP-pwd: x_candidate", -- prfbuf, primebytelen); -+ wpa_hexdump_key(MSG_DEBUG, "EAP-pwd: x_candidate", -+ prfbuf, primebytelen); -+ const_time_select_bin(found, x_bin, prfbuf, primebytelen, -+ x_bin); - - /* - * compute y^2 using the equation of the curve -@@ -261,13 +275,15 @@ int compute_password_element(EAP_PWD_group *grp, u16 num, - * Flip a coin, multiply by the random quadratic residue or the - * random quadratic nonresidue and record heads or tails. 
- */ -- if (crypto_bignum_is_odd(tmp1)) { -- crypto_bignum_mulmod(tmp2, qr, prime, tmp2); -- check = 1; -- } else { -- crypto_bignum_mulmod(tmp2, qnr, prime, tmp2); -- check = -1; -- } -+ mask = const_time_eq_u8(crypto_bignum_is_odd(tmp1), 1); -+ check = const_time_select_s8(mask, 1, -1); -+ const_time_select_bin(mask, qr_bin, qnr_bin, primebytelen, -+ qr_or_qnr_bin); -+ crypto_bignum_deinit(qr_or_qnr, 1); -+ qr_or_qnr = crypto_bignum_init_set(qr_or_qnr_bin, primebytelen); -+ if (!qr_or_qnr || -+ crypto_bignum_mulmod(tmp2, qr_or_qnr, prime, tmp2) < 0) -+ goto fail; - - /* - * Now it's safe to do legendre, if check is 1 then it's -@@ -275,59 +291,12 @@ int compute_password_element(EAP_PWD_group *grp, u16 num, - * change result), if check is -1 then it's the opposite test - * (multiplying a qr by qnr would make a qnr). - */ -- if (crypto_bignum_legendre(tmp2, prime) == check) { -- if (found == 1) -- continue; -- -- /* need to unambiguously identify the solution */ -- is_odd = crypto_bignum_is_odd(rnd); -- -- /* -- * We know x_candidate is a quadratic residue so set -- * it here. -- */ -- if (crypto_ec_point_solve_y_coord(grp->group, grp->pwe, -- x_candidate, -- is_odd) != 0) { -- wpa_printf(MSG_INFO, -- "EAP-pwd: Could not solve for y"); -- continue; -- } -- -- /* -- * If there's a solution to the equation then the point -- * must be on the curve so why check again explicitly? -- * OpenSSL code says this is required by X9.62. We're -- * not X9.62 but it can't hurt just to be sure. 
-- */ -- if (!crypto_ec_point_is_on_curve(grp->group, -- grp->pwe)) { -- wpa_printf(MSG_INFO, -- "EAP-pwd: point is not on curve"); -- continue; -- } -- -- if (!crypto_bignum_is_one(cofactor)) { -- /* make sure the point is not in a small -- * sub-group */ -- if (crypto_ec_point_mul(grp->group, grp->pwe, -- cofactor, -- grp->pwe) != 0) { -- wpa_printf(MSG_INFO, -- "EAP-pwd: cannot multiply generator by order"); -- continue; -- } -- if (crypto_ec_point_is_at_infinity(grp->group, -- grp->pwe)) { -- wpa_printf(MSG_INFO, -- "EAP-pwd: point is at infinity"); -- continue; -- } -- } -- wpa_printf(MSG_DEBUG, -- "EAP-pwd: found a PWE in %d tries", ctr); -- found = 1; -- } -+ res = crypto_bignum_legendre(tmp2, prime); -+ if (res == -2) -+ goto fail; -+ mask = const_time_eq(res, check); -+ found_ctr = const_time_select_u8(found, found_ctr, ctr); -+ found |= mask; - } - if (found == 0) { - wpa_printf(MSG_INFO, -@@ -335,6 +304,44 @@ int compute_password_element(EAP_PWD_group *grp, u16 num, - num); - goto fail; - } -+ -+ /* -+ * We know x_candidate is a quadratic residue so set it here. -+ */ -+ crypto_bignum_deinit(x_candidate, 1); -+ x_candidate = crypto_bignum_init_set(x_bin, primebytelen); -+ if (!x_candidate || -+ crypto_ec_point_solve_y_coord(grp->group, grp->pwe, x_candidate, -+ is_odd) != 0) { -+ wpa_printf(MSG_INFO, "EAP-pwd: Could not solve for y"); -+ goto fail; -+ } -+ -+ /* -+ * If there's a solution to the equation then the point must be on the -+ * curve so why check again explicitly? OpenSSL code says this is -+ * required by X9.62. We're not X9.62 but it can't hurt just to be sure. 
-+ */ -+ if (!crypto_ec_point_is_on_curve(grp->group, grp->pwe)) { -+ wpa_printf(MSG_INFO, "EAP-pwd: point is not on curve"); -+ goto fail; -+ } -+ -+ if (!crypto_bignum_is_one(cofactor)) { -+ /* make sure the point is not in a small sub-group */ -+ if (crypto_ec_point_mul(grp->group, grp->pwe, cofactor, -+ grp->pwe) != 0) { -+ wpa_printf(MSG_INFO, -+ "EAP-pwd: cannot multiply generator by order"); -+ goto fail; -+ } -+ if (crypto_ec_point_is_at_infinity(grp->group, grp->pwe)) { -+ wpa_printf(MSG_INFO, "EAP-pwd: point is at infinity"); -+ goto fail; -+ } -+ } -+ wpa_printf(MSG_DEBUG, "EAP-pwd: found a PWE in %02d tries", found_ctr); -+ - if (0) { - fail: - crypto_ec_point_deinit(grp->pwe, 1); -@@ -344,14 +351,18 @@ int compute_password_element(EAP_PWD_group *grp, u16 num, - /* cleanliness and order.... */ - crypto_bignum_deinit(cofactor, 1); - crypto_bignum_deinit(x_candidate, 1); -- crypto_bignum_deinit(rnd, 1); - crypto_bignum_deinit(pm1, 0); - crypto_bignum_deinit(tmp1, 1); - crypto_bignum_deinit(tmp2, 1); - crypto_bignum_deinit(qr, 1); - crypto_bignum_deinit(qnr, 1); -+ crypto_bignum_deinit(qr_or_qnr, 1); - crypto_bignum_deinit(one, 0); -- os_free(prfbuf); -+ bin_clear_free(prfbuf, primebytelen); -+ os_memset(qr_bin, 0, sizeof(qr_bin)); -+ os_memset(qnr_bin, 0, sizeof(qnr_bin)); -+ os_memset(qr_or_qnr_bin, 0, sizeof(qr_or_qnr_bin)); -+ os_memset(pwe_digest, 0, sizeof(pwe_digest)); - - return ret; - } --- -2.7.4 - diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0005-SAE-Minimize-timing-differences-in-PWE-derivation.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0005-SAE-Minimize-timing-differences-in-PWE-derivation.patch deleted file mode 100644 index 6a567c5fb6..0000000000 --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0005-SAE-Minimize-timing-differences-in-PWE-derivation.patch +++ /dev/null 
@@ -1,244 +0,0 @@ -From 6513db3e96c43c2e36805cf5ead349765d18eaf7 Mon Sep 17 00:00:00 2001 -From: Jouni Malinen <jouni@codeaurora.org> -Date: Tue, 26 Feb 2019 13:05:09 +0200 -Subject: [PATCH 05/14] SAE: Minimize timing differences in PWE derivation - -The QR test result can provide information about the password to an -attacker, so try to minimize differences in how the -sae_test_pwd_seed_ecc() result is used. (CVE-2019-9494) - -Use heap memory for the dummy password to allow the same password length -to be used even with long passwords. - -Use constant time selection functions to track the real vs. dummy -variables so that the exact same operations can be performed for both QR -test results. - -Signed-off-by: Jouni Malinen <jouni@codeaurora.org> -Signed-off-by: Adrian Bunk <bunk@stusta.de> -Upstream-Status: Backport -CVE: CVE-2019-9494 ---- - src/common/sae.c | 106 ++++++++++++++++++++++++++++++------------------------- - 1 file changed, 57 insertions(+), 49 deletions(-) - -diff --git a/src/common/sae.c b/src/common/sae.c -index 8129a7c..d55323b 100644 ---- a/src/common/sae.c -+++ b/src/common/sae.c -@@ -9,6 +9,7 @@ - #include "includes.h" - - #include "common.h" -+#include "utils/const_time.h" - #include "crypto/crypto.h" - #include "crypto/sha256.h" - #include "crypto/random.h" -@@ -292,15 +293,12 @@ static int sae_test_pwd_seed_ecc(struct sae_data *sae, const u8 *pwd_seed, - const u8 *prime, - const struct crypto_bignum *qr, - const struct crypto_bignum *qnr, -- struct crypto_bignum **ret_x_cand) -+ u8 *pwd_value) - { -- u8 pwd_value[SAE_MAX_ECC_PRIME_LEN]; - struct crypto_bignum *y_sqr, *x_cand; - int res; - size_t bits; - -- *ret_x_cand = NULL; -- - wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-seed", pwd_seed, SHA256_MAC_LEN); - - /* pwd-value = KDF-z(pwd-seed, "SAE Hunting and Pecking", p) */ -@@ -309,7 +307,7 @@ static int sae_test_pwd_seed_ecc(struct sae_data *sae, const u8 *pwd_seed, - prime, sae->tmp->prime_len, pwd_value, bits) < 0) - return -1; - if (bits % 8) 
-- buf_shift_right(pwd_value, sizeof(pwd_value), 8 - bits % 8); -+ buf_shift_right(pwd_value, sae->tmp->prime_len, 8 - bits % 8); - wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-value", - pwd_value, sae->tmp->prime_len); - -@@ -320,20 +318,13 @@ static int sae_test_pwd_seed_ecc(struct sae_data *sae, const u8 *pwd_seed, - if (!x_cand) - return -1; - y_sqr = crypto_ec_point_compute_y_sqr(sae->tmp->ec, x_cand); -- if (!y_sqr) { -- crypto_bignum_deinit(x_cand, 1); -+ crypto_bignum_deinit(x_cand, 1); -+ if (!y_sqr) - return -1; -- } - - res = is_quadratic_residue_blind(sae, prime, bits, qr, qnr, y_sqr); - crypto_bignum_deinit(y_sqr, 1); -- if (res <= 0) { -- crypto_bignum_deinit(x_cand, 1); -- return res; -- } -- -- *ret_x_cand = x_cand; -- return 1; -+ return res; - } - - -@@ -454,25 +445,30 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1, - const u8 *addr[3]; - size_t len[3]; - size_t num_elem; -- u8 dummy_password[32]; -- size_t dummy_password_len; -+ u8 *dummy_password, *tmp_password; - int pwd_seed_odd = 0; - u8 prime[SAE_MAX_ECC_PRIME_LEN]; - size_t prime_len; -- struct crypto_bignum *x = NULL, *qr, *qnr; -+ struct crypto_bignum *x = NULL, *qr = NULL, *qnr = NULL; -+ u8 x_bin[SAE_MAX_ECC_PRIME_LEN]; -+ u8 x_cand_bin[SAE_MAX_ECC_PRIME_LEN]; - size_t bits; -- int res; -+ int res = -1; -+ u8 found = 0; /* 0 (false) or 0xff (true) to be used as const_time_* -+ * mask */ - -- dummy_password_len = password_len; -- if (dummy_password_len > sizeof(dummy_password)) -- dummy_password_len = sizeof(dummy_password); -- if (random_get_bytes(dummy_password, dummy_password_len) < 0) -- return -1; -+ os_memset(x_bin, 0, sizeof(x_bin)); -+ -+ dummy_password = os_malloc(password_len); -+ tmp_password = os_malloc(password_len); -+ if (!dummy_password || !tmp_password || -+ random_get_bytes(dummy_password, password_len) < 0) -+ goto fail; - - prime_len = sae->tmp->prime_len; - if (crypto_bignum_to_bin(sae->tmp->prime, prime, sizeof(prime), - prime_len) < 0) -- return -1; 
-+ goto fail; - bits = crypto_ec_prime_len_bits(sae->tmp->ec); - - /* -@@ -481,7 +477,7 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1, - */ - if (get_random_qr_qnr(prime, prime_len, sae->tmp->prime, bits, - &qr, &qnr) < 0) -- return -1; -+ goto fail; - - wpa_hexdump_ascii_key(MSG_DEBUG, "SAE: password", - password, password_len); -@@ -497,7 +493,7 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1, - */ - sae_pwd_seed_key(addr1, addr2, addrs); - -- addr[0] = password; -+ addr[0] = tmp_password; - len[0] = password_len; - num_elem = 1; - if (identifier) { -@@ -514,9 +510,8 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1, - * attacks that attempt to determine the number of iterations required - * in the loop. - */ -- for (counter = 1; counter <= k || !x; counter++) { -+ for (counter = 1; counter <= k || !found; counter++) { - u8 pwd_seed[SHA256_MAC_LEN]; -- struct crypto_bignum *x_cand; - - if (counter > 200) { - /* This should not happen in practice */ -@@ -524,36 +519,45 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1, - break; - } - -- wpa_printf(MSG_DEBUG, "SAE: counter = %u", counter); -+ wpa_printf(MSG_DEBUG, "SAE: counter = %03u", counter); -+ const_time_select_bin(found, dummy_password, password, -+ password_len, tmp_password); - if (hmac_sha256_vector(addrs, sizeof(addrs), num_elem, - addr, len, pwd_seed) < 0) - break; - - res = sae_test_pwd_seed_ecc(sae, pwd_seed, -- prime, qr, qnr, &x_cand); -+ prime, qr, qnr, x_cand_bin); -+ const_time_select_bin(found, x_bin, x_cand_bin, prime_len, -+ x_bin); -+ pwd_seed_odd = const_time_select_u8( -+ found, pwd_seed_odd, -+ pwd_seed[SHA256_MAC_LEN - 1] & 0x01); -+ os_memset(pwd_seed, 0, sizeof(pwd_seed)); - if (res < 0) - goto fail; -- if (res > 0 && !x) { -- wpa_printf(MSG_DEBUG, -- "SAE: Selected pwd-seed with counter %u", -- counter); -- x = x_cand; -- pwd_seed_odd = pwd_seed[SHA256_MAC_LEN - 1] & 0x01; -- os_memset(pwd_seed, 
0, sizeof(pwd_seed)); -+ /* Need to minimize differences in handling res == 0 and 1 here -+ * to avoid differences in timing and instruction cache access, -+ * so use const_time_select_*() to make local copies of the -+ * values based on whether this loop iteration was the one that -+ * found the pwd-seed/x. */ -+ -+ /* found is 0 or 0xff here and res is 0 or 1. Bitwise OR of them -+ * (with res converted to 0/0xff) handles this in constant time. -+ */ -+ found |= res * 0xff; -+ wpa_printf(MSG_DEBUG, "SAE: pwd-seed result %d found=0x%02x", -+ res, found); -+ } - -- /* -- * Use a dummy password for the following rounds, if -- * any. -- */ -- addr[0] = dummy_password; -- len[0] = dummy_password_len; -- } else if (res > 0) { -- crypto_bignum_deinit(x_cand, 1); -- } -+ if (!found) { -+ wpa_printf(MSG_DEBUG, "SAE: Could not generate PWE"); -+ res = -1; -+ goto fail; - } - -+ x = crypto_bignum_init_set(x_bin, prime_len); - if (!x) { -- wpa_printf(MSG_DEBUG, "SAE: Could not generate PWE"); - res = -1; - goto fail; - } -@@ -566,7 +570,6 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1, - res = crypto_ec_point_solve_y_coord(sae->tmp->ec, - sae->tmp->pwe_ecc, x, - pwd_seed_odd); -- crypto_bignum_deinit(x, 1); - if (res < 0) { - /* - * This should not happen since we already checked that there -@@ -578,6 +581,11 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1, - fail: - crypto_bignum_deinit(qr, 0); - crypto_bignum_deinit(qnr, 0); -+ os_free(dummy_password); -+ bin_clear_free(tmp_password, password_len); -+ crypto_bignum_deinit(x, 1); -+ os_memset(x_bin, 0, sizeof(x_bin)); -+ os_memset(x_cand_bin, 0, sizeof(x_cand_bin)); - - return res; - } --- -2.7.4 - 
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0006-SAE-Avoid-branches-in-is_quadratic_residue_blind.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0006-SAE-Avoid-branches-in-is_quadratic_residue_blind.patch
deleted file mode 100644
index 5209559659..0000000000
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0006-SAE-Avoid-branches-in-is_quadratic_residue_blind.patch
+++ /dev/null
@@ -1,147 +0,0 @@ -From 362704dda04507e7ebb8035122e83d9f0ae7c320 Mon Sep 17 00:00:00 2001 -From: Jouni Malinen <jouni@codeaurora.org> -Date: Tue, 26 Feb 2019 19:34:38 +0200 -Subject: [PATCH 06/14] SAE: Avoid branches in is_quadratic_residue_blind() - -Make the non-failure path in the function proceed without branches based -on r_odd and in constant time to minimize risk of observable differences -in timing or cache use. (CVE-2019-9494) - -Signed-off-by: Jouni Malinen <jouni@codeaurora.org> -Signed-off-by: Adrian Bunk <bunk@stusta.de> -Upstream-Status: Backport -CVE: CVE-2019-9494 ---- - src/common/sae.c | 64 ++++++++++++++++++++++++++++++++------------------------ - 1 file changed, 37 insertions(+), 27 deletions(-) - -diff --git a/src/common/sae.c b/src/common/sae.c -index d55323b..5df9b95 100644 ---- a/src/common/sae.c -+++ b/src/common/sae.c -@@ -232,12 +232,14 @@ get_rand_1_to_p_1(const u8 *prime, size_t prime_len, size_t prime_bits, - - static int is_quadratic_residue_blind(struct sae_data *sae, - const u8 *prime, size_t bits, -- const struct crypto_bignum *qr, -- const struct crypto_bignum *qnr, -+ const u8 *qr, const u8 *qnr, - const struct crypto_bignum *y_sqr) - { -- struct crypto_bignum *r, *num; -+ struct crypto_bignum *r, *num, *qr_or_qnr = NULL; - int r_odd, check, res = -1; -+ u8 qr_or_qnr_bin[SAE_MAX_ECC_PRIME_LEN]; -+ size_t prime_len = sae->tmp->prime_len; -+ unsigned int mask; - - /* - * Use the blinding technique to mask y_sqr while determining -@@ -248,7 +250,7 @@ static int is_quadratic_residue_blind(struct sae_data *sae, - * r = a random number between 1 and p-1, inclusive - * num = (v * r * r) modulo p - */ -- r = get_rand_1_to_p_1(prime, sae->tmp->prime_len, bits, &r_odd); -+ r = get_rand_1_to_p_1(prime, prime_len, bits, &r_odd); - if (!r) - return -1; - -@@ -258,41 +260,45 @@ static int is_quadratic_residue_blind(struct sae_data *sae, - crypto_bignum_mulmod(num, r, sae->tmp->prime, num) < 0) - goto fail; - -- if (r_odd) { -- /* -- * num = 
(num * qr) module p -- * LGR(num, p) = 1 ==> quadratic residue -- */ -- if (crypto_bignum_mulmod(num, qr, sae->tmp->prime, num) < 0) -- goto fail; -- check = 1; -- } else { -- /* -- * num = (num * qnr) module p -- * LGR(num, p) = -1 ==> quadratic residue -- */ -- if (crypto_bignum_mulmod(num, qnr, sae->tmp->prime, num) < 0) -- goto fail; -- check = -1; -- } -+ /* -+ * Need to minimize differences in handling different cases, so try to -+ * avoid branches and timing differences. -+ * -+ * If r_odd: -+ * num = (num * qr) module p -+ * LGR(num, p) = 1 ==> quadratic residue -+ * else: -+ * num = (num * qnr) module p -+ * LGR(num, p) = -1 ==> quadratic residue -+ */ -+ mask = const_time_is_zero(r_odd); -+ const_time_select_bin(mask, qnr, qr, prime_len, qr_or_qnr_bin); -+ qr_or_qnr = crypto_bignum_init_set(qr_or_qnr_bin, prime_len); -+ if (!qr_or_qnr || -+ crypto_bignum_mulmod(num, qr_or_qnr, sae->tmp->prime, num) < 0) -+ goto fail; -+ /* r_odd is 0 or 1; branchless version of check = r_odd ? 
1 : -1, */ -+ check = const_time_select_int(mask, -1, 1); - - res = crypto_bignum_legendre(num, sae->tmp->prime); - if (res == -2) { - res = -1; - goto fail; - } -- res = res == check; -+ /* branchless version of res = res == check -+ * (res is -1, 0, or 1; check is -1 or 1) */ -+ mask = const_time_eq(res, check); -+ res = const_time_select_int(mask, 1, 0); - fail: - crypto_bignum_deinit(num, 1); - crypto_bignum_deinit(r, 1); -+ crypto_bignum_deinit(qr_or_qnr, 1); - return res; - } - - - static int sae_test_pwd_seed_ecc(struct sae_data *sae, const u8 *pwd_seed, -- const u8 *prime, -- const struct crypto_bignum *qr, -- const struct crypto_bignum *qnr, -+ const u8 *prime, const u8 *qr, const u8 *qnr, - u8 *pwd_value) - { - struct crypto_bignum *y_sqr, *x_cand; -@@ -452,6 +458,8 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1, - struct crypto_bignum *x = NULL, *qr = NULL, *qnr = NULL; - u8 x_bin[SAE_MAX_ECC_PRIME_LEN]; - u8 x_cand_bin[SAE_MAX_ECC_PRIME_LEN]; -+ u8 qr_bin[SAE_MAX_ECC_PRIME_LEN]; -+ u8 qnr_bin[SAE_MAX_ECC_PRIME_LEN]; - size_t bits; - int res = -1; - u8 found = 0; /* 0 (false) or 0xff (true) to be used as const_time_* -@@ -476,7 +484,9 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1, - * (qnr) modulo p for blinding purposes during the loop. - */ - if (get_random_qr_qnr(prime, prime_len, sae->tmp->prime, bits, -- &qr, &qnr) < 0) -+ &qr, &qnr) < 0 || -+ crypto_bignum_to_bin(qr, qr_bin, sizeof(qr_bin), prime_len) < 0 || -+ crypto_bignum_to_bin(qnr, qnr_bin, sizeof(qnr_bin), prime_len) < 0) - goto fail; - - wpa_hexdump_ascii_key(MSG_DEBUG, "SAE: password", -@@ -527,7 +537,7 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1, - break; - - res = sae_test_pwd_seed_ecc(sae, pwd_seed, -- prime, qr, qnr, x_cand_bin); -+ prime, qr_bin, qnr_bin, x_cand_bin); - const_time_select_bin(found, x_bin, x_cand_bin, prime_len, - x_bin); - pwd_seed_odd = const_time_select_u8( --- -2.7.4 - 
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0007-SAE-Mask-timing-of-MODP-groups-22-23-24.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0007-SAE-Mask-timing-of-MODP-groups-22-23-24.patch
deleted file mode 100644
index 6cfa7220e1..0000000000
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0007-SAE-Mask-timing-of-MODP-groups-22-23-24.patch
+++ /dev/null
@@ -1,121 +0,0 @@ -From 90839597cc4016b33f00055b12d59174c62770a3 Mon Sep 17 00:00:00 2001 -From: Jouni Malinen <jouni@codeaurora.org> -Date: Sat, 2 Mar 2019 12:24:09 +0200 -Subject: [PATCH 07/14] SAE: Mask timing of MODP groups 22, 23, 24 - -These groups have significant probability of coming up with pwd-value -that is equal or greater than the prime and as such, need for going -through the PWE derivation loop multiple times. This can result in -sufficient timing different to allow an external observer to determine -how many rounds are needed and that can leak information about the used -password. - -Force at least 40 loop rounds for these MODP groups similarly to the ECC -group design to mask timing. This behavior is not described in IEEE Std -802.11-2016 for SAE, but it does not result in different values (i.e., -only different timing), so such implementation specific countermeasures -can be done without breaking interoperability with other implementation. - -Note: These MODP groups 22, 23, and 24 are not considered sufficiently -strong to be used with SAE (or more or less anything else). As such, -they should never be enabled in runtime configuration for any production -use cases. These changes to introduce additional protection to mask -timing is only for completeness of implementation and not an indication -that these groups should be used. - -This is related to CVE-2019-9494. 
- -Signed-off-by: Jouni Malinen <jouni@codeaurora.org> -Signed-off-by: Adrian Bunk <bunk@stusta.de> -Upstream-Status: Backport -CVE: CVE-2019-9494 ---- - src/common/sae.c | 38 ++++++++++++++++++++++++++++---------- - 1 file changed, 28 insertions(+), 10 deletions(-) - -diff --git a/src/common/sae.c b/src/common/sae.c -index 5df9b95..75b1b4a 100644 ---- a/src/common/sae.c -+++ b/src/common/sae.c -@@ -601,22 +601,27 @@ fail: - } - - -+static int sae_modp_group_require_masking(int group) -+{ -+ /* Groups for which pwd-value is likely to be >= p frequently */ -+ return group == 22 || group == 23 || group == 24; -+} -+ -+ - static int sae_derive_pwe_ffc(struct sae_data *sae, const u8 *addr1, - const u8 *addr2, const u8 *password, - size_t password_len, const char *identifier) - { -- u8 counter; -+ u8 counter, k; - u8 addrs[2 * ETH_ALEN]; - const u8 *addr[3]; - size_t len[3]; - size_t num_elem; - int found = 0; -+ struct crypto_bignum *pwe = NULL; - -- if (sae->tmp->pwe_ffc == NULL) { -- sae->tmp->pwe_ffc = crypto_bignum_init(); -- if (sae->tmp->pwe_ffc == NULL) -- return -1; -- } -+ crypto_bignum_deinit(sae->tmp->pwe_ffc, 1); -+ sae->tmp->pwe_ffc = NULL; - - wpa_hexdump_ascii_key(MSG_DEBUG, "SAE: password", - password, password_len); -@@ -640,7 +645,9 @@ static int sae_derive_pwe_ffc(struct sae_data *sae, const u8 *addr1, - len[num_elem] = sizeof(counter); - num_elem++; - -- for (counter = 1; !found; counter++) { -+ k = sae_modp_group_require_masking(sae->group) ? 
40 : 1; -+ -+ for (counter = 1; counter <= k || !found; counter++) { - u8 pwd_seed[SHA256_MAC_LEN]; - int res; - -@@ -650,19 +657,30 @@ static int sae_derive_pwe_ffc(struct sae_data *sae, const u8 *addr1, - break; - } - -- wpa_printf(MSG_DEBUG, "SAE: counter = %u", counter); -+ wpa_printf(MSG_DEBUG, "SAE: counter = %02u", counter); - if (hmac_sha256_vector(addrs, sizeof(addrs), num_elem, - addr, len, pwd_seed) < 0) - break; -- res = sae_test_pwd_seed_ffc(sae, pwd_seed, sae->tmp->pwe_ffc); -+ if (!pwe) { -+ pwe = crypto_bignum_init(); -+ if (!pwe) -+ break; -+ } -+ res = sae_test_pwd_seed_ffc(sae, pwd_seed, pwe); - if (res < 0) - break; - if (res > 0) { -- wpa_printf(MSG_DEBUG, "SAE: Use this PWE"); - found = 1; -+ if (!sae->tmp->pwe_ffc) { -+ wpa_printf(MSG_DEBUG, "SAE: Use this PWE"); -+ sae->tmp->pwe_ffc = pwe; -+ pwe = NULL; -+ } - } - } - -+ crypto_bignum_deinit(pwe, 1); -+ - return found ? 0 : -1; - } - --- -2.7.4 - diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0008-SAE-Use-const_time-selection-for-PWE-in-FFC.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0008-SAE-Use-const_time-selection-for-PWE-in-FFC.patch deleted file mode 100644 index 7b8616a66d..0000000000 --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0008-SAE-Use-const_time-selection-for-PWE-in-FFC.patch +++ /dev/null 
@@ -1,108 +0,0 @@
-From f8f20717f87eff1f025f48ed585c7684debacf72 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <jouni@codeaurora.org>
-Date: Sat, 2 Mar 2019 12:45:33 +0200
-Subject: [PATCH 08/14] SAE: Use const_time selection for PWE in FFC
-
-This is an initial step towards making the FFC case use strictly
-constant time operations similarly to the ECC case.
-sae_test_pwd_seed_ffc() does not yet have constant time behavior,
-though.
-
-This is related to CVE-2019-9494.
-
-Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
-Signed-off-by: Adrian Bunk <bunk@stusta.de>
-Upstream-Status: Backport
-CVE: CVE-2019-9494
----
- src/common/sae.c | 53 +++++++++++++++++++++++++++++++++++------------------
- 1 file changed, 35 insertions(+), 18 deletions(-)
-
-diff --git a/src/common/sae.c b/src/common/sae.c
-index 75b1b4a..fa9a145 100644
----- a/src/common/sae.c
-+++ b/src/common/sae.c
-@@ -612,17 +612,28 @@ static int sae_derive_pwe_ffc(struct sae_data *sae, const u8 *addr1,
- const u8 *addr2, const u8 *password,
- size_t password_len, const char *identifier)
- {
-- u8 counter, k;
-+ u8 counter, k, sel_counter = 0;
- u8 addrs[2 * ETH_ALEN];
- const u8 *addr[3];
- size_t len[3];
- size_t num_elem;
-- int found = 0;
-- struct crypto_bignum *pwe = NULL;
-+ u8 found = 0; /* 0 (false) or 0xff (true) to be used as const_time_*
-+ * mask */
-+ u8 mask;
-+ struct crypto_bignum *pwe;
-+ size_t prime_len = sae->tmp->prime_len * 8;
-+ u8 *pwe_buf;
-
- crypto_bignum_deinit(sae->tmp->pwe_ffc, 1);
- sae->tmp->pwe_ffc = NULL;
-
-+ /* Allocate a buffer to maintain selected and candidate PWE for constant
-+ * time selection. */
-+ pwe_buf = os_zalloc(prime_len * 2);
-+ pwe = crypto_bignum_init();
-+ if (!pwe_buf || !pwe)
-+ goto fail;
-+
- wpa_hexdump_ascii_key(MSG_DEBUG, "SAE: password",
- password, password_len);
-
-@@ -661,27 +672,33 @@ static int sae_derive_pwe_ffc(struct sae_data *sae, const u8 *addr1,
- if (hmac_sha256_vector(addrs, sizeof(addrs), num_elem,
- addr, len, pwd_seed) < 0)
- break;
-- if (!pwe) {
-- pwe = crypto_bignum_init();
-- if (!pwe)
-- break;
-- }
- res = sae_test_pwd_seed_ffc(sae, pwd_seed, pwe);
-+ /* res is -1 for fatal failure, 0 if a valid PWE was not found,
-+ * or 1 if a valid PWE was found. */
- if (res < 0)
- break;
-- if (res > 0) {
-- found = 1;
-- if (!sae->tmp->pwe_ffc) {
-- wpa_printf(MSG_DEBUG, "SAE: Use this PWE");
-- sae->tmp->pwe_ffc = pwe;
-- pwe = NULL;
-- }
-- }
-+ /* Store the candidate PWE into the second half of pwe_buf and
-+ * the selected PWE in the beginning of pwe_buf using constant
-+ * time selection. */
-+ if (crypto_bignum_to_bin(pwe, pwe_buf + prime_len, prime_len,
-+ prime_len) < 0)
-+ break;
-+ const_time_select_bin(found, pwe_buf, pwe_buf + prime_len,
-+ prime_len, pwe_buf);
-+ sel_counter = const_time_select_u8(found, sel_counter, counter);
-+ mask = const_time_eq_u8(res, 1);
-+ found = const_time_select_u8(found, found, mask);
- }
-
-- crypto_bignum_deinit(pwe, 1);
-+ if (!found)
-+ goto fail;
-
-- return found ? 0 : -1;
-+ wpa_printf(MSG_DEBUG, "SAE: Use PWE from counter = %02u", sel_counter);
-+ sae->tmp->pwe_ffc = crypto_bignum_init_set(pwe_buf, prime_len);
-+fail:
-+ crypto_bignum_deinit(pwe, 1);
-+ bin_clear_free(pwe_buf, prime_len * 2);
-+ return sae->tmp->pwe_ffc ? 0 : -1;
- }
-
-
---
-2.7.4
-
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0009-SAE-Use-constant-time-operations-in-sae_test_pwd_see.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0009-SAE-Use-constant-time-operations-in-sae_test_pwd_see.patch
deleted file mode 100644
index d2ae8188e1..0000000000
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0009-SAE-Use-constant-time-operations-in-sae_test_pwd_see.patch
+++ /dev/null
@@ -1,139 +0,0 @@
-From cff138b0747fa39765cbc641b66cfa5d7f1735d1 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <jouni@codeaurora.org>
-Date: Sat, 2 Mar 2019 16:05:56 +0200
-Subject: [PATCH 09/14] SAE: Use constant time operations in
- sae_test_pwd_seed_ffc()
-
-Try to avoid showing externally visible timing or memory access
-differences regardless of whether the derived pwd-value is smaller than
-the group prime.
-
-This is related to CVE-2019-9494.
-
-Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
-Signed-off-by: Adrian Bunk <bunk@stusta.de>
-Upstream-Status: Backport
-CVE: CVE-2019-9494
----
- src/common/sae.c | 75 ++++++++++++++++++++++++++++++++++----------------------
- 1 file changed, 46 insertions(+), 29 deletions(-)
-
-diff --git a/src/common/sae.c b/src/common/sae.c
-index fa9a145..eaf825d 100644
----- a/src/common/sae.c
-+++ b/src/common/sae.c
-@@ -334,14 +334,17 @@ static int sae_test_pwd_seed_ecc(struct sae_data *sae, const u8 *pwd_seed,
- }
-
-
-+/* Returns -1 on fatal failure, 0 if PWE cannot be derived from the provided
-+ * pwd-seed, or 1 if a valid PWE was derived from pwd-seed. */
- static int sae_test_pwd_seed_ffc(struct sae_data *sae, const u8 *pwd_seed,
- struct crypto_bignum *pwe)
- {
- u8 pwd_value[SAE_MAX_PRIME_LEN];
- size_t bits = sae->tmp->prime_len * 8;
- u8 exp[1];
-- struct crypto_bignum *a, *b;
-- int res;
-+ struct crypto_bignum *a, *b = NULL;
-+ int res, is_val;
-+ u8 pwd_value_valid;
-
- wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-seed", pwd_seed, SHA256_MAC_LEN);
-
-@@ -353,16 +356,29 @@ static int sae_test_pwd_seed_ffc(struct sae_data *sae, const u8 *pwd_seed,
- wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-value", pwd_value,
- sae->tmp->prime_len);
-
-- if (os_memcmp(pwd_value, sae->tmp->dh->prime, sae->tmp->prime_len) >= 0)
-- {
-- wpa_printf(MSG_DEBUG, "SAE: pwd-value >= p");
-- return 0;
-- }
-+ /* Check whether pwd-value < p */
-+ res = const_time_memcmp(pwd_value, sae->tmp->dh->prime,
-+ sae->tmp->prime_len);
-+ /* pwd-value >= p is invalid, so res is < 0 for the valid cases and
-+ * the negative sign can be used to fill the mask for constant time
-+ * selection */
-+ pwd_value_valid = const_time_fill_msb(res);
-+
-+ /* If pwd-value >= p, force pwd-value to be < p and perform the
-+ * calculations anyway to hide timing difference. The derived PWE will
-+ * be ignored in that case. */
-+ pwd_value[0] = const_time_select_u8(pwd_value_valid, pwd_value[0], 0);
-
- /* PWE = pwd-value^((p-1)/r) modulo p */
-
-+ res = -1;
- a = crypto_bignum_init_set(pwd_value, sae->tmp->prime_len);
-+ if (!a)
-+ goto fail;
-
-+ /* This is an optimization based on the used group that does not depend
-+ * on the password in any way, so it is fine to use separate branches
-+ * for this step without constant time operations. */
- if (sae->tmp->dh->safe_prime) {
- /*
- * r = (p-1)/2 for the group used here, so this becomes:
-@@ -376,33 +392,34 @@ static int sae_test_pwd_seed_ffc(struct sae_data *sae, const u8 *pwd_seed,
- b = crypto_bignum_init_set(exp, sizeof(exp));
- if (b == NULL ||
- crypto_bignum_sub(sae->tmp->prime, b, b) < 0 ||
-- crypto_bignum_div(b, sae->tmp->order, b) < 0) {
-- crypto_bignum_deinit(b, 0);
-- b = NULL;
-- }
-+ crypto_bignum_div(b, sae->tmp->order, b) < 0)
-+ goto fail;
- }
-
-- if (a == NULL || b == NULL)
-- res = -1;
-- else
-- res = crypto_bignum_exptmod(a, b, sae->tmp->prime, pwe);
--
-- crypto_bignum_deinit(a, 0);
-- crypto_bignum_deinit(b, 0);
-+ if (!b)
-+ goto fail;
-
-- if (res < 0) {
-- wpa_printf(MSG_DEBUG, "SAE: Failed to calculate PWE");
-- return -1;
-- }
-+ res = crypto_bignum_exptmod(a, b, sae->tmp->prime, pwe);
-+ if (res < 0)
-+ goto fail;
-
-- /* if (PWE > 1) --> found */
-- if (crypto_bignum_is_zero(pwe) || crypto_bignum_is_one(pwe)) {
-- wpa_printf(MSG_DEBUG, "SAE: PWE <= 1");
-- return 0;
-- }
-+ /* There were no fatal errors in calculations, so determine the return
-+ * value using constant time operations. We get here for number of
-+ * invalid cases which are cleared here after having performed all the
-+ * computation. PWE is valid if pwd-value was less than prime and
-+ * PWE > 1. Start with pwd-value check first and then use constant time
-+ * operations to clear res to 0 if PWE is 0 or 1.
-+ */
-+ res = const_time_select_u8(pwd_value_valid, 1, 0);
-+ is_val = crypto_bignum_is_zero(pwe);
-+ res = const_time_select_u8(const_time_is_zero(is_val), res, 0);
-+ is_val = crypto_bignum_is_one(pwe);
-+ res = const_time_select_u8(const_time_is_zero(is_val), res, 0);
-
-- wpa_printf(MSG_DEBUG, "SAE: PWE found");
-- return 1;
-+fail:
-+ crypto_bignum_deinit(a, 1);
-+ crypto_bignum_deinit(b, 1);
-+ return res;
- }
-
-
---
-2.7.4
-
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0010-SAE-Fix-confirm-message-validation-in-error-cases.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0010-SAE-Fix-confirm-message-validation-in-error-cases.patch
deleted file mode 100644
index 9d2c6983d4..0000000000
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0010-SAE-Fix-confirm-message-validation-in-error-cases.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From ac8fa9ef198640086cf2ce7c94673be2b6a018a0 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <jouni@codeaurora.org>
-Date: Tue, 5 Mar 2019 23:43:25 +0200
-Subject: [PATCH 10/14] SAE: Fix confirm message validation in error cases
-
-Explicitly verify that own and peer commit scalar/element are available
-when trying to check SAE confirm message. It could have been possible to
-hit a NULL pointer dereference if the peer element could not have been
-parsed. (CVE-2019-9496)
-
-Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
-Signed-off-by: Adrian Bunk <bunk@stusta.de>
-Upstream-Status: Backport
-CVE: CVE-2019-9496
----
- src/common/sae.c | 14 +++++++++++---
- 1 file changed, 11 insertions(+), 3 deletions(-)
-
-diff --git a/src/common/sae.c b/src/common/sae.c
-index eaf825d..5a50294 100644
----- a/src/common/sae.c
-+++ b/src/common/sae.c
-@@ -1487,23 +1487,31 @@ int sae_check_confirm(struct sae_data *sae, const u8 *data, size_t len)
-
- wpa_printf(MSG_DEBUG, "SAE: peer-send-confirm %u", WPA_GET_LE16(data));
-
-- if (sae->tmp == NULL) {
-+ if (!sae->tmp || !sae->peer_commit_scalar ||
-+ !sae->tmp->own_commit_scalar) {
- wpa_printf(MSG_DEBUG, "SAE: Temporary data not yet available");
- return -1;
- }
-
-- if (sae->tmp->ec)
-+ if (sae->tmp->ec) {
-+ if (!sae->tmp->peer_commit_element_ecc ||
-+ !sae->tmp->own_commit_element_ecc)
-+ return -1;
- sae_cn_confirm_ecc(sae, data, sae->peer_commit_scalar,
- sae->tmp->peer_commit_element_ecc,
- sae->tmp->own_commit_scalar,
- sae->tmp->own_commit_element_ecc,
- verifier);
-- else
-+ } else {
-+ if (!sae->tmp->peer_commit_element_ffc ||
-+ !sae->tmp->own_commit_element_ffc)
-+ return -1;
- sae_cn_confirm_ffc(sae, data, sae->peer_commit_scalar,
- sae->tmp->peer_commit_element_ffc,
- sae->tmp->own_commit_scalar,
- sae->tmp->own_commit_element_ffc,
- verifier);
-+ }
-
- if (os_memcmp_const(verifier, data + 2, SHA256_MAC_LEN) != 0) {
- wpa_printf(MSG_DEBUG, "SAE: Confirm mismatch");
---
-2.7.4
-
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0011-EAP-pwd-server-Verify-received-scalar-and-element.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0011-EAP-pwd-server-Verify-received-scalar-and-element.patch
deleted file mode 100644
index 87095bf7f4..0000000000
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0011-EAP-pwd-server-Verify-received-scalar-and-element.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From 70ff850e89fbc8bc7da515321b4d15b5eef70581 Mon Sep 17 00:00:00 2001
-From: Mathy Vanhoef <mathy.vanhoef@nyu.edu>
-Date: Sun, 31 Mar 2019 17:13:06 +0200
-Subject: [PATCH 11/14] EAP-pwd server: Verify received scalar and element
-
-When processing an EAP-pwd Commit frame, the peer's scalar and element
-(elliptic curve point) were not validated. This allowed an adversary to
-bypass authentication, and impersonate any user if the crypto
-implementation did not verify the validity of the EC point.
-
-Fix this vulnerability by assuring the received scalar lies within the
-valid range, and by checking that the received element is not the point
-at infinity and lies on the elliptic curve being used. (CVE-2019-9498)
-
-The vulnerability is only exploitable if OpenSSL version 1.0.2 or lower
-is used, or if LibreSSL or wolfssl is used. Newer versions of OpenSSL
-(and also BoringSSL) implicitly validate the elliptic curve point in
-EC_POINT_set_affine_coordinates_GFp(), preventing the attack.
-
-Signed-off-by: Mathy Vanhoef <mathy.vanhoef@nyu.edu>
-Signed-off-by: Adrian Bunk <bunk@stusta.de>
-Upstream-Status: Backport
-CVE: CVE-2019-9498
----
- src/eap_server/eap_server_pwd.c | 20 ++++++++++++++++++++
- 1 file changed, 20 insertions(+)
-
-diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
-index d0fa54a..74979da 100644
----- a/src/eap_server/eap_server_pwd.c
-+++ b/src/eap_server/eap_server_pwd.c
-@@ -718,6 +718,26 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data,
- goto fin;
- }
-
-+ /* verify received scalar */
-+ if (crypto_bignum_is_zero(data->peer_scalar) ||
-+ crypto_bignum_is_one(data->peer_scalar) ||
-+ crypto_bignum_cmp(data->peer_scalar,
-+ crypto_ec_get_order(data->grp->group)) >= 0) {
-+ wpa_printf(MSG_INFO,
-+ "EAP-PWD (server): received scalar is invalid");
-+ goto fin;
-+ }
-+
-+ /* verify received element */
-+ if (!crypto_ec_point_is_on_curve(data->grp->group,
-+ data->peer_element) ||
-+ crypto_ec_point_is_at_infinity(data->grp->group,
-+ data->peer_element)) {
-+ wpa_printf(MSG_INFO,
-+ "EAP-PWD (server): received element is invalid");
-+ goto fin;
-+ }
-+
- /* check to ensure peer's element is not in a small sub-group */
- if (!crypto_bignum_is_one(cofactor)) {
- if (crypto_ec_point_mul(data->grp->group, data->peer_element,
---
-2.7.4
-
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0012-EAP-pwd-server-Detect-reflection-attacks.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0012-EAP-pwd-server-Detect-reflection-attacks.patch
deleted file mode 100644
index 32d134db41..0000000000
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0012-EAP-pwd-server-Detect-reflection-attacks.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From d63edfa90243e9a7de6ae5c275032f2cc79fef95 Mon Sep 17 00:00:00 2001
-From: Mathy Vanhoef <mathy.vanhoef@nyu.edu>
-Date: Sun, 31 Mar 2019 17:26:01 +0200
-Subject: [PATCH 12/14] EAP-pwd server: Detect reflection attacks
-
-When processing an EAP-pwd Commit frame, verify that the peer's scalar
-and elliptic curve element differ from the one sent by the server. This
-prevents reflection attacks where the adversary reflects the scalar and
-element sent by the server. (CVE-2019-9497)
-
-The vulnerability allows an adversary to complete the EAP-pwd handshake
-as any user. However, the adversary does not learn the negotiated
-session key, meaning the subsequent 4-way handshake would fail. As a
-result, this cannot be abused to bypass authentication unless EAP-pwd is
-used in non-WLAN cases without any following key exchange that would
-require the attacker to learn the MSK.
-
-Signed-off-by: Mathy Vanhoef <mathy.vanhoef@nyu.edu>
-Signed-off-by: Adrian Bunk <bunk@stusta.de>
-Upstream-Status: Backport
-CVE: CVE-2019-9497
----
- src/eap_server/eap_server_pwd.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
-index 74979da..16057e9 100644
----- a/src/eap_server/eap_server_pwd.c
-+++ b/src/eap_server/eap_server_pwd.c
-@@ -753,6 +753,15 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data,
- }
- }
-
-+ /* detect reflection attacks */
-+ if (crypto_bignum_cmp(data->my_scalar, data->peer_scalar) == 0 ||
-+ crypto_ec_point_cmp(data->grp->group, data->my_element,
-+ data->peer_element) == 0) {
-+ wpa_printf(MSG_INFO,
-+ "EAP-PWD (server): detected reflection attack!");
-+ goto fin;
-+ }
-+
- /* compute the shared key, k */
- if ((crypto_ec_point_mul(data->grp->group, data->grp->pwe,
- data->peer_scalar, K) < 0) ||
---
-2.7.4
-
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0013-EAP-pwd-client-Verify-received-scalar-and-element.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0013-EAP-pwd-client-Verify-received-scalar-and-element.patch
deleted file mode 100644
index c6e61cb803..0000000000
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0013-EAP-pwd-client-Verify-received-scalar-and-element.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From 8ad8585f91823ddcc3728155e288e0f9f872e31a Mon Sep 17 00:00:00 2001
-From: Mathy Vanhoef <mathy.vanhoef@nyu.edu>
-Date: Sun, 31 Mar 2019 17:43:44 +0200
-Subject: [PATCH 13/14] EAP-pwd client: Verify received scalar and element
-
-When processing an EAP-pwd Commit frame, the server's scalar and element
-(elliptic curve point) were not validated. This allowed an adversary to
-bypass authentication, and act as a rogue Access Point (AP) if the
-crypto implementation did not verify the validity of the EC point.
-
-Fix this vulnerability by assuring the received scalar lies within the
-valid range, and by checking that the received element is not the point
-at infinity and lies on the elliptic curve being used. (CVE-2019-9499)
-
-The vulnerability is only exploitable if OpenSSL version 1.0.2 or lower
-is used, or if LibreSSL or wolfssl is used. Newer versions of OpenSSL
-(and also BoringSSL) implicitly validate the elliptic curve point in
-EC_POINT_set_affine_coordinates_GFp(), preventing the attack.
-
-Signed-off-by: Mathy Vanhoef <mathy.vanhoef@nyu.edu>
-Signed-off-by: Adrian Bunk <bunk@stusta.de>
-Upstream-Status: Backport
-CVE: CVE-2019-9499
----
- src/eap_peer/eap_pwd.c | 20 ++++++++++++++++++++
- 1 file changed, 20 insertions(+)
-
-diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
-index 761c16a..5a05e54 100644
----- a/src/eap_peer/eap_pwd.c
-+++ b/src/eap_peer/eap_pwd.c
-@@ -594,6 +594,26 @@ eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
- goto fin;
- }
-
-+ /* verify received scalar */
-+ if (crypto_bignum_is_zero(data->server_scalar) ||
-+ crypto_bignum_is_one(data->server_scalar) ||
-+ crypto_bignum_cmp(data->server_scalar,
-+ crypto_ec_get_order(data->grp->group)) >= 0) {
-+ wpa_printf(MSG_INFO,
-+ "EAP-PWD (peer): received scalar is invalid");
-+ goto fin;
-+ }
-+
-+ /* verify received element */
-+ if (!crypto_ec_point_is_on_curve(data->grp->group,
-+ data->server_element) ||
-+ crypto_ec_point_is_at_infinity(data->grp->group,
-+ data->server_element)) {
-+ wpa_printf(MSG_INFO,
-+ "EAP-PWD (peer): received element is invalid");
-+ goto fin;
-+ }
-+
- /* check to ensure server's element is not in a small sub-group */
- if (!crypto_bignum_is_one(cofactor)) {
- if (crypto_ec_point_mul(data->grp->group, data->server_element,
---
-2.7.4
-
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0014-EAP-pwd-Check-element-x-y-coordinates-explicitly.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0014-EAP-pwd-Check-element-x-y-coordinates-explicitly.patch
deleted file mode 100644
index e944ef110f..0000000000
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0014-EAP-pwd-Check-element-x-y-coordinates-explicitly.patch
+++ /dev/null
@@ -1,335 +0,0 @@
-From 16d4f1069118aa19bfce013493e1ac5783f92f1d Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <jouni@codeaurora.org>
-Date: Fri, 5 Apr 2019 02:12:50 +0300
-Subject: [PATCH 14/14] EAP-pwd: Check element x,y coordinates explicitly
-
-This adds an explicit check for 0 < x,y < prime based on RFC 5931,
-2.8.5.2.2 requirement. The earlier checks might have covered this
-implicitly, but it is safer to avoid any dependency on implicit checks
-and specific crypto library behavior. (CVE-2019-9498 and CVE-2019-9499)
-
-Furthermore, this moves the EAP-pwd element and scalar parsing and
-validation steps into shared helper functions so that there is no need
-to maintain two separate copies of this common functionality between the
-server and peer implementations.
-
-Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
-Signed-off-by: Adrian Bunk <bunk@stusta.de>
-Upstream-Status: Backport
-CVE: CVE-2019-9498
-CVE: CVE-2019-9499
----
- src/eap_common/eap_pwd_common.c | 106 ++++++++++++++++++++++++++++++++++++++++
- src/eap_common/eap_pwd_common.h | 3 ++
- src/eap_peer/eap_pwd.c | 45 ++---------------
- src/eap_server/eap_server_pwd.c | 45 ++---------------
- 4 files changed, 117 insertions(+), 82 deletions(-)
-
-diff --git a/src/eap_common/eap_pwd_common.c b/src/eap_common/eap_pwd_common.c
-index e49aaf8..c28b56d 100644
----- a/src/eap_common/eap_pwd_common.c
-+++ b/src/eap_common/eap_pwd_common.c
-@@ -428,3 +428,109 @@ int compute_keys(EAP_PWD_group *grp, const struct crypto_bignum *k,
-
- return 1;
- }
-+
-+
-+static int eap_pwd_element_coord_ok(const struct crypto_bignum *prime,
-+ const u8 *buf, size_t len)
-+{
-+ struct crypto_bignum *val;
-+ int ok = 1;
-+
-+ val = crypto_bignum_init_set(buf, len);
-+ if (!val || crypto_bignum_is_zero(val) ||
-+ crypto_bignum_cmp(val, prime) >= 0)
-+ ok = 0;
-+ crypto_bignum_deinit(val, 0);
-+ return ok;
-+}
-+
-+
-+struct crypto_ec_point * eap_pwd_get_element(EAP_PWD_group *group,
-+ const u8 *buf)
-+{
-+ struct crypto_ec_point *element;
-+ const struct crypto_bignum *prime;
-+ size_t prime_len;
-+ struct crypto_bignum *cofactor = NULL;
-+
-+ prime = crypto_ec_get_prime(group->group);
-+ prime_len = crypto_ec_prime_len(group->group);
-+
-+ /* RFC 5931, 2.8.5.2.2: 0 < x,y < p */
-+ if (!eap_pwd_element_coord_ok(prime, buf, prime_len) ||
-+ !eap_pwd_element_coord_ok(prime, buf + prime_len, prime_len)) {
-+ wpa_printf(MSG_INFO, "EAP-pwd: Invalid coordinate in element");
-+ return NULL;
-+ }
-+
-+ element = crypto_ec_point_from_bin(group->group, buf);
-+ if (!element) {
-+ wpa_printf(MSG_INFO, "EAP-pwd: EC point from element failed");
-+ return NULL;
-+ }
-+
-+ /* RFC 5931, 2.8.5.2.2: on curve and not the point at infinity */
-+ if (!crypto_ec_point_is_on_curve(group->group, element) ||
-+ crypto_ec_point_is_at_infinity(group->group, element)) {
-+ wpa_printf(MSG_INFO, "EAP-pwd: Invalid element");
-+ goto fail;
-+ }
-+
-+ cofactor = crypto_bignum_init();
-+ if (!cofactor || crypto_ec_cofactor(group->group, cofactor) < 0) {
-+ wpa_printf(MSG_INFO,
-+ "EAP-pwd: Unable to get cofactor for curve");
-+ goto fail;
-+ }
-+
-+ if (!crypto_bignum_is_one(cofactor)) {
-+ struct crypto_ec_point *point;
-+ int ok = 1;
-+
-+ /* check to ensure peer's element is not in a small sub-group */
-+ point = crypto_ec_point_init(group->group);
-+ if (!point ||
-+ crypto_ec_point_mul(group->group, element,
-+ cofactor, point) != 0 ||
-+ crypto_ec_point_is_at_infinity(group->group, point))
-+ ok = 0;
-+ crypto_ec_point_deinit(point, 0);
-+
-+ if (!ok) {
-+ wpa_printf(MSG_INFO,
-+ "EAP-pwd: Small sub-group check on peer element failed");
-+ goto fail;
-+ }
-+ }
-+
-+out:
-+ crypto_bignum_deinit(cofactor, 0);
-+ return element;
-+fail:
-+ crypto_ec_point_deinit(element, 0);
-+ element = NULL;
-+ goto out;
-+}
-+
-+
-+struct crypto_bignum * eap_pwd_get_scalar(EAP_PWD_group *group, const u8 *buf)
-+{
-+ struct crypto_bignum *scalar;
-+ const struct crypto_bignum *order;
-+ size_t order_len;
-+
-+ order = crypto_ec_get_order(group->group);
-+ order_len = crypto_ec_order_len(group->group);
-+
-+ /* RFC 5931, 2.8.5.2: 1 < scalar < r */
-+ scalar = crypto_bignum_init_set(buf, order_len);
-+ if (!scalar || crypto_bignum_is_zero(scalar) ||
-+ crypto_bignum_is_one(scalar) ||
-+ crypto_bignum_cmp(scalar, order) >= 0) {
-+ wpa_printf(MSG_INFO, "EAP-pwd: received scalar is invalid");
-+ crypto_bignum_deinit(scalar, 0);
-+ scalar = NULL;
-+ }
-+
-+ return scalar;
-+}
-diff --git a/src/eap_common/eap_pwd_common.h b/src/eap_common/eap_pwd_common.h
-index 6b07cf8..2387e59 100644
----- a/src/eap_common/eap_pwd_common.h
-+++ b/src/eap_common/eap_pwd_common.h
-@@ -67,5 +67,8 @@ int compute_keys(EAP_PWD_group *grp, const struct crypto_bignum *k,
- struct crypto_hash * eap_pwd_h_init(void);
- void eap_pwd_h_update(struct crypto_hash *hash, const u8 *data, size_t len);
- void eap_pwd_h_final(struct crypto_hash *hash, u8 *digest);
-+struct crypto_ec_point * eap_pwd_get_element(EAP_PWD_group *group,
-+ const u8 *buf);
-+struct crypto_bignum * eap_pwd_get_scalar(EAP_PWD_group *group, const u8 *buf);
-
- #endif /* EAP_PWD_COMMON_H */
-diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
-index 5a05e54..f37b974 100644
----- a/src/eap_peer/eap_pwd.c
-+++ b/src/eap_peer/eap_pwd.c
-@@ -308,7 +308,7 @@ eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
- const struct wpabuf *reqData,
- const u8 *payload, size_t payload_len)
- {
-- struct crypto_ec_point *K = NULL, *point = NULL;
-+ struct crypto_ec_point *K = NULL;
- struct crypto_bignum *mask = NULL, *cofactor = NULL;
- const u8 *ptr = payload;
- u8 *scalar = NULL, *element = NULL;
-@@ -572,63 +572,27 @@ eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
- /* process the request */
- data->k = crypto_bignum_init();
- K = crypto_ec_point_init(data->grp->group);
-- point = crypto_ec_point_init(data->grp->group);
-- if (!data->k || !K || !point) {
-+ if (!data->k || !K) {
- wpa_printf(MSG_INFO, "EAP-PWD (peer): peer data allocation "
- "fail");
- goto fin;
- }
-
- /* element, x then y, followed by scalar */
-- data->server_element = crypto_ec_point_from_bin(data->grp->group, ptr);
-+ data->server_element = eap_pwd_get_element(data->grp, ptr);
- if (!data->server_element) {
- wpa_printf(MSG_INFO, "EAP-PWD (peer): setting peer element "
- "fail");
- goto fin;
- }
- ptr += prime_len * 2;
-- data->server_scalar = crypto_bignum_init_set(ptr, order_len);
-+ data->server_scalar = eap_pwd_get_scalar(data->grp, ptr);
- if (!data->server_scalar) {
- wpa_printf(MSG_INFO,
- "EAP-PWD (peer): setting peer scalar fail");
- goto fin;
- }
-
-- /* verify received scalar */
-- if (crypto_bignum_is_zero(data->server_scalar) ||
-- crypto_bignum_is_one(data->server_scalar) ||
-- crypto_bignum_cmp(data->server_scalar,
-- crypto_ec_get_order(data->grp->group)) >= 0) {
-- wpa_printf(MSG_INFO,
-- "EAP-PWD (peer): received scalar is invalid");
-- goto fin;
-- }
--
-- /* verify received element */
-- if (!crypto_ec_point_is_on_curve(data->grp->group,
-- data->server_element) ||
-- crypto_ec_point_is_at_infinity(data->grp->group,
-- data->server_element)) {
-- wpa_printf(MSG_INFO,
-- "EAP-PWD (peer): received element is invalid");
-- goto fin;
-- }
--
-- /* check to ensure server's element is not in a small sub-group */
-- if (!crypto_bignum_is_one(cofactor)) {
-- if (crypto_ec_point_mul(data->grp->group, data->server_element,
-- cofactor, point) < 0) {
-- wpa_printf(MSG_INFO, "EAP-PWD (peer): cannot multiply "
-- "server element by order!\n");
-- goto fin;
-- }
-- if (crypto_ec_point_is_at_infinity(data->grp->group, point)) {
-- wpa_printf(MSG_INFO, "EAP-PWD (peer): server element "
-- "is at infinity!\n");
-- goto fin;
-- }
-- }
--
- /* compute the shared key, k */
- if (crypto_ec_point_mul(data->grp->group, data->grp->pwe,
- data->server_scalar, K) < 0 ||
-@@ -702,7 +666,6 @@ fin:
- crypto_bignum_deinit(mask, 1);
- crypto_bignum_deinit(cofactor, 1);
- crypto_ec_point_deinit(K, 1);
-- crypto_ec_point_deinit(point, 1);
- if (data->outbuf == NULL)
- eap_pwd_state(data, FAILURE);
- else
-diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
-index 16057e9..f6c75cf 100644
----- a/src/eap_server/eap_server_pwd.c
-+++ b/src/eap_server/eap_server_pwd.c
-@@ -669,7 +669,7 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data,
- {
- const u8 *ptr;
- struct crypto_bignum *cofactor = NULL;
-- struct crypto_ec_point *K = NULL, *point = NULL;
-+ struct crypto_ec_point *K = NULL;
- int res = 0;
- size_t prime_len, order_len;
-
-@@ -688,9 +688,8 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data,
-
- data->k = crypto_bignum_init();
- cofactor = crypto_bignum_init();
-- point = crypto_ec_point_init(data->grp->group);
- K = crypto_ec_point_init(data->grp->group);
-- if (!data->k || !cofactor || !point || !K) {
-+ if (!data->k || !cofactor || !K) {
- wpa_printf(MSG_INFO, "EAP-PWD (server): peer data allocation "
- "fail");
- goto fin;
-@@ -704,55 +703,20 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data,
-
- /* element, x then y, followed by scalar */
- ptr = payload;
-- data->peer_element = crypto_ec_point_from_bin(data->grp->group, ptr);
-+ data->peer_element = eap_pwd_get_element(data->grp, ptr);
- if (!data->peer_element) {
- wpa_printf(MSG_INFO, "EAP-PWD (server): setting peer element "
- "fail");
- goto fin;
- }
- ptr += prime_len * 2;
-- data->peer_scalar = crypto_bignum_init_set(ptr, order_len);
-+ data->peer_scalar = eap_pwd_get_scalar(data->grp, ptr);
- if (!data->peer_scalar) {
- wpa_printf(MSG_INFO, "EAP-PWD (server): peer data allocation "
- "fail");
- goto fin;
- }
-
-- /* verify received scalar */
-- if (crypto_bignum_is_zero(data->peer_scalar) ||
-- crypto_bignum_is_one(data->peer_scalar) ||
-- crypto_bignum_cmp(data->peer_scalar,
-- crypto_ec_get_order(data->grp->group)) >= 0) {
-- wpa_printf(MSG_INFO,
-- "EAP-PWD (server): received scalar is invalid");
-- goto fin;
-- }
--
-- /* verify received element */
-- if (!crypto_ec_point_is_on_curve(data->grp->group,
-- data->peer_element) ||
-- crypto_ec_point_is_at_infinity(data->grp->group,
-- data->peer_element)) {
-- wpa_printf(MSG_INFO,
-- "EAP-PWD (server): received element is invalid");
-- goto fin;
-- }
--
-- /* check to ensure peer's element is not in a small sub-group */
-- if (!crypto_bignum_is_one(cofactor)) {
-- if (crypto_ec_point_mul(data->grp->group, data->peer_element,
-- cofactor, point) != 0) {
-- wpa_printf(MSG_INFO, "EAP-PWD (server): cannot "
-- "multiply peer element by order");
-- goto fin;
-- }
-- if (crypto_ec_point_is_at_infinity(data->grp->group, point)) {
-- wpa_printf(MSG_INFO, "EAP-PWD (server): peer element "
-- "is at infinity!\n");
-- goto fin;
-- }
-- }
--
- /* detect reflection attacks */
- if (crypto_bignum_cmp(data->my_scalar, data->peer_scalar) == 0 ||
- crypto_ec_point_cmp(data->grp->group, data->my_element,
-@@ -804,7 +768,6 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data,
-
- fin:
- crypto_ec_point_deinit(K, 1);
-- crypto_ec_point_deinit(point, 1);
- crypto_bignum_deinit(cofactor, 1);
-
- if (res)
---
-2.7.4
-
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/defconfig b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/defconfig
deleted file mode 100644
index f04e398fdb..0000000000
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/defconfig
+++ /dev/null
@@ -1,552 +0,0 @@ -# Example wpa_supplicant build time configuration -# -# This file lists the configuration options that are used when building the -# hostapd binary. All lines starting with # are ignored. Configuration option -# lines must be commented out complete, if they are not to be included, i.e., -# just setting VARIABLE=n is not disabling that variable. -# -# This file is included in Makefile, so variables like CFLAGS and LIBS can also -# be modified from here. In most cases, these lines should use += in order not -# to override previous values of the variables. - - -# Uncomment following two lines and fix the paths if you have installed OpenSSL -# or GnuTLS in non-default location -#CFLAGS += -I/usr/local/openssl/include -#LIBS += -L/usr/local/openssl/lib - -# Some Red Hat versions seem to include kerberos header files from OpenSSL, but -# the kerberos files are not in the default include path. Following line can be -# used to fix build issues on such systems (krb5.h not found). 
-#CFLAGS += -I/usr/include/kerberos - -# Example configuration for various cross-compilation platforms - -#### sveasoft (e.g., for Linksys WRT54G) ###################################### -#CC=mipsel-uclibc-gcc -#CC=/opt/brcm/hndtools-mipsel-uclibc/bin/mipsel-uclibc-gcc -#CFLAGS += -Os -#CPPFLAGS += -I../src/include -I../../src/router/openssl/include -#LIBS += -L/opt/brcm/hndtools-mipsel-uclibc-0.9.19/lib -lssl -############################################################################### - -#### openwrt (e.g., for Linksys WRT54G) ####################################### -#CC=mipsel-uclibc-gcc -#CC=/opt/brcm/hndtools-mipsel-uclibc/bin/mipsel-uclibc-gcc -#CFLAGS += -Os -#CPPFLAGS=-I../src/include -I../openssl-0.9.7d/include \ -# -I../WRT54GS/release/src/include -#LIBS = -lssl -############################################################################### - - -# Driver interface for Host AP driver -CONFIG_DRIVER_HOSTAP=y - -# Driver interface for Agere driver -#CONFIG_DRIVER_HERMES=y -# Change include directories to match with the local setup -#CFLAGS += -I../../hcf -I../../include -I../../include/hcf -#CFLAGS += -I../../include/wireless - -# Driver interface for madwifi driver -# Deprecated; use CONFIG_DRIVER_WEXT=y instead. -#CONFIG_DRIVER_MADWIFI=y -# Set include directory to the madwifi source tree -#CFLAGS += -I../../madwifi - -# Driver interface for ndiswrapper -# Deprecated; use CONFIG_DRIVER_WEXT=y instead. -#CONFIG_DRIVER_NDISWRAPPER=y - -# Driver interface for Atmel driver -# CONFIG_DRIVER_ATMEL=y - -# Driver interface for old Broadcom driver -# Please note that the newer Broadcom driver ("hybrid Linux driver") supports -# Linux wireless extensions and does not need (or even work) with the old -# driver wrapper. Use CONFIG_DRIVER_WEXT=y with that driver. 
-#CONFIG_DRIVER_BROADCOM=y -# Example path for wlioctl.h; change to match your configuration -#CFLAGS += -I/opt/WRT54GS/release/src/include - -# Driver interface for Intel ipw2100/2200 driver -# Deprecated; use CONFIG_DRIVER_WEXT=y instead. -#CONFIG_DRIVER_IPW=y - -# Driver interface for Ralink driver -#CONFIG_DRIVER_RALINK=y - -# Driver interface for generic Linux wireless extensions -# Note: WEXT is deprecated in the current Linux kernel version and no new -# functionality is added to it. nl80211-based interface is the new -# replacement for WEXT and its use allows wpa_supplicant to properly control -# the driver to improve existing functionality like roaming and to support new -# functionality. -CONFIG_DRIVER_WEXT=y - -# Driver interface for Linux drivers using the nl80211 kernel interface -CONFIG_DRIVER_NL80211=y - -# driver_nl80211.c requires libnl. If you are compiling it yourself -# you may need to point hostapd to your version of libnl. -# -#CFLAGS += -I$<path to libnl include files> -#LIBS += -L$<path to libnl library files> - -# Use libnl v2.0 (or 3.0) libraries. -#CONFIG_LIBNL20=y - -# Use libnl 3.2 libraries (if this is selected, CONFIG_LIBNL20 is ignored) -CONFIG_LIBNL32=y - - -# Driver interface for FreeBSD net80211 layer (e.g., Atheros driver) -#CONFIG_DRIVER_BSD=y -#CFLAGS += -I/usr/local/include -#LIBS += -L/usr/local/lib -#LIBS_p += -L/usr/local/lib -#LIBS_c += -L/usr/local/lib - -# Driver interface for Windows NDIS -#CONFIG_DRIVER_NDIS=y -#CFLAGS += -I/usr/include/w32api/ddk -#LIBS += -L/usr/local/lib -# For native build using mingw -#CONFIG_NATIVE_WINDOWS=y -# Additional directories for cross-compilation on Linux host for mingw target -#CFLAGS += -I/opt/mingw/mingw32/include/ddk -#LIBS += -L/opt/mingw/mingw32/lib -#CC=mingw32-gcc -# By default, driver_ndis uses WinPcap for low-level operations. This can be -# replaced with the following option which replaces WinPcap calls with NDISUIO. 
-# However, this requires that WZC is disabled (net stop wzcsvc) before starting -# wpa_supplicant. -# CONFIG_USE_NDISUIO=y - -# Driver interface for development testing -#CONFIG_DRIVER_TEST=y - -# Driver interface for wired Ethernet drivers -CONFIG_DRIVER_WIRED=y - -# Driver interface for the Broadcom RoboSwitch family -#CONFIG_DRIVER_ROBOSWITCH=y - -# Driver interface for no driver (e.g., WPS ER only) -#CONFIG_DRIVER_NONE=y - -# Enable IEEE 802.1X Supplicant (automatically included if any EAP method is -# included) -CONFIG_IEEE8021X_EAPOL=y - -# EAP-MD5 -CONFIG_EAP_MD5=y - -# EAP-MSCHAPv2 -CONFIG_EAP_MSCHAPV2=y - -# EAP-TLS -CONFIG_EAP_TLS=y - -# EAL-PEAP -CONFIG_EAP_PEAP=y - -# EAP-TTLS -CONFIG_EAP_TTLS=y - -# EAP-FAST -# Note: If OpenSSL is used as the TLS library, OpenSSL 1.0 or newer is needed -# for EAP-FAST support. Older OpenSSL releases would need to be patched, e.g., -# with openssl-0.9.8x-tls-extensions.patch, to add the needed functions. -#CONFIG_EAP_FAST=y - -# EAP-GTC -CONFIG_EAP_GTC=y - -# EAP-OTP -CONFIG_EAP_OTP=y - -# EAP-SIM (enable CONFIG_PCSC, if EAP-SIM is used) -#CONFIG_EAP_SIM=y - -# EAP-PSK (experimental; this is _not_ needed for WPA-PSK) -#CONFIG_EAP_PSK=y - -# EAP-pwd (secure authentication using only a password) -#CONFIG_EAP_PWD=y - -# EAP-PAX -#CONFIG_EAP_PAX=y - -# LEAP -CONFIG_EAP_LEAP=y - -# EAP-AKA (enable CONFIG_PCSC, if EAP-AKA is used) -#CONFIG_EAP_AKA=y - -# EAP-AKA' (enable CONFIG_PCSC, if EAP-AKA' is used). -# This requires CONFIG_EAP_AKA to be enabled, too. 
-#CONFIG_EAP_AKA_PRIME=y - -# Enable USIM simulator (Milenage) for EAP-AKA -#CONFIG_USIM_SIMULATOR=y - -# EAP-SAKE -#CONFIG_EAP_SAKE=y - -# EAP-GPSK -#CONFIG_EAP_GPSK=y -# Include support for optional SHA256 cipher suite in EAP-GPSK -#CONFIG_EAP_GPSK_SHA256=y - -# EAP-TNC and related Trusted Network Connect support (experimental) -#CONFIG_EAP_TNC=y - -# Wi-Fi Protected Setup (WPS) -CONFIG_WPS=y -# Enable WSC 2.0 support -#CONFIG_WPS2=y -# Enable WPS external registrar functionality -#CONFIG_WPS_ER=y -# Disable credentials for an open network by default when acting as a WPS -# registrar. -#CONFIG_WPS_REG_DISABLE_OPEN=y -# Enable WPS support with NFC config method -#CONFIG_WPS_NFC=y - -# EAP-IKEv2 -#CONFIG_EAP_IKEV2=y - -# EAP-EKE -#CONFIG_EAP_EKE=y - -# PKCS#12 (PFX) support (used to read private key and certificate file from -# a file that usually has extension .p12 or .pfx) -CONFIG_PKCS12=y - -# Smartcard support (i.e., private key on a smartcard), e.g., with openssl -# engine. -CONFIG_SMARTCARD=y - -# PC/SC interface for smartcards (USIM, GSM SIM) -# Enable this if EAP-SIM or EAP-AKA is included -#CONFIG_PCSC=y - -# Support HT overrides (disable HT/HT40, mask MCS rates, etc.) -#CONFIG_HT_OVERRIDES=y - -# Support VHT overrides (disable VHT, mask MCS rates, etc.) -#CONFIG_VHT_OVERRIDES=y - -# Development testing -#CONFIG_EAPOL_TEST=y - -# Select control interface backend for external programs, e.g, wpa_cli: -# unix = UNIX domain sockets (default for Linux/*BSD) -# udp = UDP sockets using localhost (127.0.0.1) -# named_pipe = Windows Named Pipe (default for Windows) -# udp-remote = UDP sockets with remote access (only for tests systems/purpose) -# y = use default (backwards compatibility) -# If this option is commented out, control interface is not included in the -# build. -CONFIG_CTRL_IFACE=y - -# Include support for GNU Readline and History Libraries in wpa_cli. 
-# When building a wpa_cli binary for distribution, please note that these -# libraries are licensed under GPL and as such, BSD license may not apply for -# the resulting binary. -#CONFIG_READLINE=y - -# Include internal line edit mode in wpa_cli. This can be used as a replacement -# for GNU Readline to provide limited command line editing and history support. -#CONFIG_WPA_CLI_EDIT=y - -# Remove debugging code that is printing out debug message to stdout. -# This can be used to reduce the size of the wpa_supplicant considerably -# if debugging code is not needed. The size reduction can be around 35% -# (e.g., 90 kB). -#CONFIG_NO_STDOUT_DEBUG=y - -# Remove WPA support, e.g., for wired-only IEEE 802.1X supplicant, to save -# 35-50 kB in code size. -#CONFIG_NO_WPA=y - -# Remove IEEE 802.11i/WPA-Personal ASCII passphrase support -# This option can be used to reduce code size by removing support for -# converting ASCII passphrases into PSK. If this functionality is removed, the -# PSK can only be configured as the 64-octet hexstring (e.g., from -# wpa_passphrase). This saves about 0.5 kB in code size. -#CONFIG_NO_WPA_PASSPHRASE=y - -# Disable scan result processing (ap_mode=1) to save code size by about 1 kB. -# This can be used if ap_scan=1 mode is never enabled. -#CONFIG_NO_SCAN_PROCESSING=y - -# Select configuration backend: -# file = text file (e.g., wpa_supplicant.conf; note: the configuration file -# path is given on command line, not here; this option is just used to -# select the backend that allows configuration files to be used) -# winreg = Windows registry (see win_example.reg for an example) -CONFIG_BACKEND=file - -# Remove configuration write functionality (i.e., to allow the configuration -# file to be updated based on runtime configuration changes). The runtime -# configuration can still be changed, the changes are just not going to be -# persistent over restarts. This option can be used to reduce code size by -# about 3.5 kB. 
-#CONFIG_NO_CONFIG_WRITE=y - -# Remove support for configuration blobs to reduce code size by about 1.5 kB. -#CONFIG_NO_CONFIG_BLOBS=y - -# Select program entry point implementation: -# main = UNIX/POSIX like main() function (default) -# main_winsvc = Windows service (read parameters from registry) -# main_none = Very basic example (development use only) -#CONFIG_MAIN=main - -# Select wrapper for operatins system and C library specific functions -# unix = UNIX/POSIX like systems (default) -# win32 = Windows systems -# none = Empty template -#CONFIG_OS=unix - -# Select event loop implementation -# eloop = select() loop (default) -# eloop_win = Windows events and WaitForMultipleObject() loop -#CONFIG_ELOOP=eloop - -# Should we use poll instead of select? Select is used by default. -#CONFIG_ELOOP_POLL=y - -# Select layer 2 packet implementation -# linux = Linux packet socket (default) -# pcap = libpcap/libdnet/WinPcap -# freebsd = FreeBSD libpcap -# winpcap = WinPcap with receive thread -# ndis = Windows NDISUIO (note: requires CONFIG_USE_NDISUIO=y) -# none = Empty template -#CONFIG_L2_PACKET=linux - -# PeerKey handshake for Station to Station Link (IEEE 802.11e DLS) -CONFIG_PEERKEY=y - -# IEEE 802.11w (management frame protection), also known as PMF -# Driver support is also needed for IEEE 802.11w. -#CONFIG_IEEE80211W=y - -# Select TLS implementation -# openssl = OpenSSL (default) -# gnutls = GnuTLS -# internal = Internal TLSv1 implementation (experimental) -# none = Empty template -#CONFIG_TLS=openssl - -# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1) -# can be enabled to get a stronger construction of messages when block ciphers -# are used. It should be noted that some existing TLS v1.0 -based -# implementation may not be compatible with TLS v1.1 message (ClientHello is -# sent prior to negotiating which version will be used) -#CONFIG_TLSV11=y - -# TLS-based EAP methods require at least TLS v1.0. 
Newer version of TLS (v1.2) -# can be enabled to enable use of stronger crypto algorithms. It should be -# noted that some existing TLS v1.0 -based implementation may not be compatible -# with TLS v1.2 message (ClientHello is sent prior to negotiating which version -# will be used) -#CONFIG_TLSV12=y - -# If CONFIG_TLS=internal is used, additional library and include paths are -# needed for LibTomMath. Alternatively, an integrated, minimal version of -# LibTomMath can be used. See beginning of libtommath.c for details on benefits -# and drawbacks of this option. -#CONFIG_INTERNAL_LIBTOMMATH=y -#ifndef CONFIG_INTERNAL_LIBTOMMATH -#LTM_PATH=/usr/src/libtommath-0.39 -#CFLAGS += -I$(LTM_PATH) -#LIBS += -L$(LTM_PATH) -#LIBS_p += -L$(LTM_PATH) -#endif -# At the cost of about 4 kB of additional binary size, the internal LibTomMath -# can be configured to include faster routines for exptmod, sqr, and div to -# speed up DH and RSA calculation considerably -#CONFIG_INTERNAL_LIBTOMMATH_FAST=y - -# Include NDIS event processing through WMI into wpa_supplicant/wpasvc. -# This is only for Windows builds and requires WMI-related header files and -# WbemUuid.Lib from Platform SDK even when building with MinGW. -#CONFIG_NDIS_EVENTS_INTEGRATED=y -#PLATFORMSDKLIB="/opt/Program Files/Microsoft Platform SDK/Lib" - -# Add support for old DBus control interface -# (fi.epitest.hostap.WPASupplicant) -#CONFIG_CTRL_IFACE_DBUS=y - -# Add support for new DBus control interface -# (fi.w1.hostap.wpa_supplicant1) -CONFIG_CTRL_IFACE_DBUS_NEW=y - -# Add introspection support for new DBus control interface -#CONFIG_CTRL_IFACE_DBUS_INTRO=y - -# Add support for loading EAP methods dynamically as shared libraries. -# When this option is enabled, each EAP method can be either included -# statically (CONFIG_EAP_<method>=y) or dynamically (CONFIG_EAP_<method>=dyn). 
-# Dynamic EAP methods are build as shared objects (eap_*.so) and they need to -# be loaded in the beginning of the wpa_supplicant configuration file -# (see load_dynamic_eap parameter in the example file) before being used in -# the network blocks. -# -# Note that some shared parts of EAP methods are included in the main program -# and in order to be able to use dynamic EAP methods using these parts, the -# main program must have been build with the EAP method enabled (=y or =dyn). -# This means that EAP-TLS/PEAP/TTLS/FAST cannot be added as dynamic libraries -# unless at least one of them was included in the main build to force inclusion -# of the shared code. Similarly, at least one of EAP-SIM/AKA must be included -# in the main build to be able to load these methods dynamically. -# -# Please also note that using dynamic libraries will increase the total binary -# size. Thus, it may not be the best option for targets that have limited -# amount of memory/flash. -#CONFIG_DYNAMIC_EAP_METHODS=y - -# IEEE Std 802.11r-2008 (Fast BSS Transition) -#CONFIG_IEEE80211R=y - -# Add support for writing debug log to a file (/tmp/wpa_supplicant-log-#.txt) -#CONFIG_DEBUG_FILE=y - -# Send debug messages to syslog instead of stdout -#CONFIG_DEBUG_SYSLOG=y -# Set syslog facility for debug messages -#CONFIG_DEBUG_SYSLOG_FACILITY=LOG_DAEMON - -# Add support for sending all debug messages (regardless of debug verbosity) -# to the Linux kernel tracing facility. This helps debug the entire stack by -# making it easy to record everything happening from the driver up into the -# same file, e.g., using trace-cmd. 
-#CONFIG_DEBUG_LINUX_TRACING=y - -# Enable privilege separation (see README 'Privilege separation' for details) -#CONFIG_PRIVSEP=y - -# Enable mitigation against certain attacks against TKIP by delaying Michael -# MIC error reports by a random amount of time between 0 and 60 seconds -#CONFIG_DELAYED_MIC_ERROR_REPORT=y - -# Enable tracing code for developer debugging -# This tracks use of memory allocations and other registrations and reports -# incorrect use with a backtrace of call (or allocation) location. -#CONFIG_WPA_TRACE=y -# For BSD, uncomment these. -#LIBS += -lexecinfo -#LIBS_p += -lexecinfo -#LIBS_c += -lexecinfo - -# Use libbfd to get more details for developer debugging -# This enables use of libbfd to get more detailed symbols for the backtraces -# generated by CONFIG_WPA_TRACE=y. -#CONFIG_WPA_TRACE_BFD=y -# For BSD, uncomment these. -#LIBS += -lbfd -liberty -lz -#LIBS_p += -lbfd -liberty -lz -#LIBS_c += -lbfd -liberty -lz - -CONFIG_TLS = %ssl% -CONFIG_CTRL_IFACE_DBUS=y -CONFIG_CTRL_IFACE_DBUS_NEW=y - -# wpa_supplicant depends on strong random number generation being available -# from the operating system. os_get_random() function is used to fetch random -# data when needed, e.g., for key generation. On Linux and BSD systems, this -# works by reading /dev/urandom. It should be noted that the OS entropy pool -# needs to be properly initialized before wpa_supplicant is started. This is -# important especially on embedded devices that do not have a hardware random -# number generator and may by default start up with minimal entropy available -# for random number generation. -# -# As a safety net, wpa_supplicant is by default trying to internally collect -# additional entropy for generating random data to mix in with the data fetched -# from the OS. This by itself is not considered to be very strong, but it may -# help in cases where the system pool is not initialized properly. 
However, it -# is very strongly recommended that the system pool is initialized with enough -# entropy either by using hardware assisted random number generator or by -# storing state over device reboots. -# -# wpa_supplicant can be configured to maintain its own entropy store over -# restarts to enhance random number generation. This is not perfect, but it is -# much more secure than using the same sequence of random numbers after every -# reboot. This can be enabled with -e<entropy file> command line option. The -# specified file needs to be readable and writable by wpa_supplicant. -# -# If the os_get_random() is known to provide strong random data (e.g., on -# Linux/BSD, the board in question is known to have reliable source of random -# data from /dev/urandom), the internal wpa_supplicant random pool can be -# disabled. This will save some in binary size and CPU use. However, this -# should only be considered for builds that are known to be used on devices -# that meet the requirements described above. -#CONFIG_NO_RANDOM_POOL=y - -# IEEE 802.11n (High Throughput) support (mainly for AP mode) -#CONFIG_IEEE80211N=y - -# IEEE 802.11ac (Very High Throughput) support (mainly for AP mode) -# (depends on CONFIG_IEEE80211N) -#CONFIG_IEEE80211AC=y - -# Wireless Network Management (IEEE Std 802.11v-2011) -# Note: This is experimental and not complete implementation. -#CONFIG_WNM=y - -# Interworking (IEEE 802.11u) -# This can be used to enable functionality to improve interworking with -# external networks (GAS/ANQP to learn more about the networks and network -# selection based on available credentials). -#CONFIG_INTERWORKING=y - -# Hotspot 2.0 -#CONFIG_HS20=y - -# Disable roaming in wpa_supplicant -#CONFIG_NO_ROAMING=y - -# AP mode operations with wpa_supplicant -# This can be used for controlling AP mode operations with wpa_supplicant. 
It -# should be noted that this is mainly aimed at simple cases like -# WPA2-Personal while more complex configurations like WPA2-Enterprise with an -# external RADIUS server can be supported with hostapd. -CONFIG_AP=y - -CONFIG_BGSCAN_SIMPLE=y - -# P2P (Wi-Fi Direct) -# This can be used to enable P2P support in wpa_supplicant. See README-P2P for -# more information on P2P operations. -#CONFIG_P2P=y - -# Enable TDLS support -#CONFIG_TDLS=y - -# Wi-Fi Direct -# This can be used to enable Wi-Fi Direct extensions for P2P using an external -# program to control the additional information exchanges in the messages. -#CONFIG_WIFI_DISPLAY=y - -# Autoscan -# This can be used to enable automatic scan support in wpa_supplicant. -# See wpa_supplicant.conf for more information on autoscan usage. -# -# Enabling directly a module will enable autoscan support. -# For exponential module: -CONFIG_AUTOSCAN_EXPONENTIAL=y -# For periodic module: -#CONFIG_AUTOSCAN_PERIODIC=y - -# Password (and passphrase, etc.) backend for external storage -# These optional mechanisms can be used to add support for storing passwords -# and other secrets in external (to wpa_supplicant) location. This allows, for -# example, operating system specific key storage to be used -# -# External password backend for testing purposes (developer use) -#CONFIG_EXT_PASSWORD_TEST=y diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb new file mode 100644 index 0000000000..8113bcab09 --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb 
@@ -0,0 +1,138 @@ +SUMMARY = "Client for Wi-Fi Protected Access (WPA)" +DESCRIPTION = "wpa_supplicant is a WPA Supplicant for Linux, BSD, Mac OS X, and Windows with support for WPA and WPA2 (IEEE 802.11i / RSN). Supplicant is the IEEE 802.1X/WPA component that is used in the client stations. It implements key negotiation with a WPA Authenticator and it controls the roaming and IEEE 802.11 authentication/association of the wlan driver." +HOMEPAGE = "http://w1.fi/wpa_supplicant/" +BUGTRACKER = "http://w1.fi/security/" +SECTION = "network" +LICENSE = "BSD-3-Clause" +LIC_FILES_CHKSUM = "file://COPYING;md5=5ebcb90236d1ad640558c3d3cd3035df \ + file://README;beginline=1;endline=56;md5=e3d2f6c2948991e37c1ca4960de84747 \ + file://wpa_supplicant/wpa_supplicant.c;beginline=1;endline=12;md5=76306a95306fee9a976b0ac1be70f705" + +DEPENDS = "dbus libnl" + +SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \ + file://wpa-supplicant.sh \ + file://wpa_supplicant.conf \ + file://wpa_supplicant.conf-sane \ + file://99_wpa_supplicant \ + file://0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch \ + file://0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch \ + file://0001-Install-wpa_passphrase-when-not-disabled.patch \ + file://0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch \ + " +SRC_URI[sha256sum] = "20df7ae5154b3830355f8ab4269123a87affdea59fe74fe9292a91d0d7e17b2f" + +S = "${WORKDIR}/wpa_supplicant-${PV}" + +inherit pkgconfig systemd + +PACKAGECONFIG ?= "openssl" +PACKAGECONFIG[gnutls] = ",,gnutls libgcrypt" +PACKAGECONFIG[openssl] = ",,openssl" + +CVE_PRODUCT = "wpa_supplicant" + +EXTRA_OEMAKE = "'LIBDIR=${libdir}' 'INCDIR=${includedir}' 'BINDIR=${sbindir}'" + +do_configure () { + ${MAKE} -C wpa_supplicant clean + sed -e '/^CONFIG_TLS=/d' <wpa_supplicant/defconfig >wpa_supplicant/.config + + if ${@ bb.utils.contains('PACKAGECONFIG', 'openssl', 'true', 'false', d) }; then + echo 'CONFIG_TLS=openssl' >>wpa_supplicant/.config + elif ${@ 
bb.utils.contains('PACKAGECONFIG', 'gnutls', 'true', 'false', d) }; then + echo 'CONFIG_TLS=gnutls' >>wpa_supplicant/.config + sed -i -e 's/\(^CONFIG_DPP=\)/#\1/' \ + -e 's/\(^CONFIG_EAP_PWD=\)/#\1/' \ + -e 's/\(^CONFIG_SAE=\)/#\1/' wpa_supplicant/.config + fi + + # For rebuild + rm -f wpa_supplicant/*.d wpa_supplicant/dbus/*.d +} + +do_compile () { + oe_runmake -C wpa_supplicant + if [ -z "${DISABLE_STATIC}" ]; then + oe_runmake -C wpa_supplicant libwpa_client.a + fi +} + +do_install () { + oe_runmake -C wpa_supplicant DESTDIR="${D}" install + + install -d ${D}${docdir}/wpa_supplicant + install -m 644 wpa_supplicant/README ${UNPACKDIR}/wpa_supplicant.conf ${D}${docdir}/wpa_supplicant + + install -d ${D}${sysconfdir} + install -m 600 ${UNPACKDIR}/wpa_supplicant.conf-sane ${D}${sysconfdir}/wpa_supplicant.conf + + install -d ${D}${sysconfdir}/network/if-pre-up.d/ + install -d ${D}${sysconfdir}/network/if-post-down.d/ + install -d ${D}${sysconfdir}/network/if-down.d/ + install -m 755 ${UNPACKDIR}/wpa-supplicant.sh ${D}${sysconfdir}/network/if-pre-up.d/wpa-supplicant + ln -sf ../if-pre-up.d/wpa-supplicant ${D}${sysconfdir}/network/if-post-down.d/wpa-supplicant + + install -d ${D}/${sysconfdir}/dbus-1/system.d + install -m 644 ${S}/wpa_supplicant/dbus/dbus-wpa_supplicant.conf ${D}/${sysconfdir}/dbus-1/system.d + install -d ${D}/${datadir}/dbus-1/system-services + install -m 644 ${S}/wpa_supplicant/dbus/*.service ${D}/${datadir}/dbus-1/system-services + + if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then + install -d ${D}/${systemd_system_unitdir} + install -m 644 ${S}/wpa_supplicant/systemd/*.service ${D}/${systemd_system_unitdir} + fi + + install -d ${D}/etc/default/volatiles + install -m 0644 ${UNPACKDIR}/99_wpa_supplicant ${D}/etc/default/volatiles + + install -d ${D}${includedir} + install -m 0644 ${S}/src/common/wpa_ctrl.h ${D}${includedir} + + if [ -z "${DISABLE_STATIC}" ]; then + install -d ${D}${libdir} + install -m 0644 
wpa_supplicant/libwpa_client.a ${D}${libdir} + fi +} + +pkg_postinst:${PN} () { + # If we're offline, we don't need to do this. + if [ "x$D" = "x" ]; then + killall -q -HUP dbus-daemon || true + fi +} + +PACKAGE_BEFORE_PN += "${PN}-passphrase ${PN}-cli" +PACKAGES =+ "${PN}-lib" +PACKAGES += "${PN}-plugins" +ALLOW_EMPTY:${PN}-plugins = "1" + +PACKAGES_DYNAMIC += "^${PN}-plugin-.*$" +NOAUTOPACKAGEDEBUG = "1" + +FILES:${PN}-passphrase = "${sbindir}/wpa_passphrase" +FILES:${PN}-cli = "${sbindir}/wpa_cli" +FILES:${PN}-lib = "${libdir}/libwpa_client*${SOLIBSDEV}" +FILES:${PN} += "${datadir}/dbus-1/system-services/* ${systemd_system_unitdir}/*" +FILES:${PN}-dbg += "${sbindir}/.debug ${libdir}/.debug" + +CONFFILES:${PN} += "${sysconfdir}/wpa_supplicant.conf" + +RRECOMMENDS:${PN} = "${PN}-passphrase ${PN}-cli ${PN}-plugins" + +SYSTEMD_SERVICE:${PN} = "wpa_supplicant.service" +SYSTEMD_AUTO_ENABLE = "disable" + +python split_wpa_supplicant_libs () { + libdir = d.expand('${libdir}/wpa_supplicant') + dbglibdir = os.path.join(libdir, '.debug') + + split_packages = do_split_packages(d, libdir, r'^(.*)\.so', '${PN}-plugin-%s', 'wpa_supplicant %s plugin', prepend=True) + split_dbg_packages = do_split_packages(d, dbglibdir, r'^(.*)\.so', '${PN}-plugin-%s-dbg', 'wpa_supplicant %s plugin - Debugging files', prepend=True, extra_depends='${PN}-dbg') + + if split_packages: + pn = d.getVar('PN') + d.setVar('RRECOMMENDS:' + pn + '-plugins', ' '.join(split_packages)) + d.appendVar('RRECOMMENDS:' + pn + '-dbg', ' ' + ' '.join(split_dbg_packages)) +} +PACKAGESPLITFUNCS += "split_wpa_supplicant_libs" diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.7.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.7.bb deleted file mode 100644 index 277bbaec63..0000000000 --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.7.bb +++ /dev/null 
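Review bot: In `do_configure` of the new wpa-supplicant_2.10.bb, the `if`/`elif` on PACKAGECONFIG has no final branch, so a configuration with neither `openssl` nor `gnutls` leaves `.config` with no `CONFIG_TLS` line once the `sed` has deleted the upstream one. The build would then use whatever TLS backend the wpa_supplicant Makefile defaults to (presumably OpenSSL), with no crypto library pulled in through PACKAGECONFIG. Failing early is safer: add `else` followed by `bbfatal "PACKAGECONFIG must contain openssl or gnutls"` before the `fi`. The gnutls branch also comments out `CONFIG_DPP`, `CONFIG_EAP_PWD` and `CONFIG_SAE`, so a gnutls image cannot join WPA3-SAE networks. A comment there would make that trade-off visible, for example `# SAE, DPP and EAP-pwd are disabled with GnuTLS, so WPA3-Personal is unavailable in this configuration`.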
@@ -1,125 +0,0 @@ -SUMMARY = "Client for Wi-Fi Protected Access (WPA)" -HOMEPAGE = "http://w1.fi/wpa_supplicant/" -BUGTRACKER = "http://w1.fi/security/" -SECTION = "network" -LICENSE = "BSD" -LIC_FILES_CHKSUM = "file://COPYING;md5=a3791c270ad6bb026707d17bf750e5ef \ - file://README;beginline=1;endline=56;md5=495cbce6008253de4b4d8f4cdfae9f4f \ - file://wpa_supplicant/wpa_supplicant.c;beginline=1;endline=12;md5=a5687903a31b8679e6a06b3afa5c819e" -DEPENDS = "dbus libnl" -RRECOMMENDS_${PN} = "wpa-supplicant-passphrase wpa-supplicant-cli" - -PACKAGECONFIG ??= "gnutls" -PACKAGECONFIG[gnutls] = ",,gnutls libgcrypt" -PACKAGECONFIG[openssl] = ",,openssl" - -inherit pkgconfig systemd - -SYSTEMD_SERVICE_${PN} = "wpa_supplicant.service wpa_supplicant-nl80211@.service wpa_supplicant-wired@.service" -SYSTEMD_AUTO_ENABLE = "disable" - -SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \ - file://defconfig \ - file://wpa-supplicant.sh \ - file://wpa_supplicant.conf \ - file://wpa_supplicant.conf-sane \ - file://99_wpa_supplicant \ - file://0001-replace-systemd-install-Alias-with-WantedBy.patch \ - file://0001-OpenSSL-Use-constant-time-operations-for-private-big.patch \ - file://0002-Add-helper-functions-for-constant-time-operations.patch \ - file://0003-OpenSSL-Use-constant-time-selection-for-crypto_bignu.patch \ - file://0004-EAP-pwd-Use-constant-time-and-memory-access-for-find.patch \ - file://0005-SAE-Minimize-timing-differences-in-PWE-derivation.patch \ - file://0006-SAE-Avoid-branches-in-is_quadratic_residue_blind.patch \ - file://0007-SAE-Mask-timing-of-MODP-groups-22-23-24.patch \ - file://0008-SAE-Use-const_time-selection-for-PWE-in-FFC.patch \ - file://0009-SAE-Use-constant-time-operations-in-sae_test_pwd_see.patch \ - file://0010-SAE-Fix-confirm-message-validation-in-error-cases.patch \ - file://0011-EAP-pwd-server-Verify-received-scalar-and-element.patch \ - file://0012-EAP-pwd-server-Detect-reflection-attacks.patch \ - 
file://0013-EAP-pwd-client-Verify-received-scalar-and-element.patch \ - file://0014-EAP-pwd-Check-element-x-y-coordinates-explicitly.patch \ - file://0001-EAP-pwd-server-Fix-reassembly-buffer-handling.patch \ - file://0003-EAP-pwd-peer-Fix-reassembly-buffer-handling.patch \ - " -SRC_URI[md5sum] = "a68538fb62766f40f890125026c42c10" -SRC_URI[sha256sum] = "76ea6b06b7a2ea8e6d9eb1a9166166f1656e6d48c7508914f592100c95c73074" - -CVE_PRODUCT = "wpa_supplicant" - -S = "${WORKDIR}/wpa_supplicant-${PV}" - -PACKAGES_prepend = "wpa-supplicant-passphrase wpa-supplicant-cli " -FILES_wpa-supplicant-passphrase = "${bindir}/wpa_passphrase" -FILES_wpa-supplicant-cli = "${sbindir}/wpa_cli" -FILES_${PN} += "${datadir}/dbus-1/system-services/*" -CONFFILES_${PN} += "${sysconfdir}/wpa_supplicant.conf" - -do_configure () { - ${MAKE} -C wpa_supplicant clean - install -m 0755 ${WORKDIR}/defconfig wpa_supplicant/.config - - if echo "${PACKAGECONFIG}" | grep -qw "openssl"; then - ssl=openssl - elif echo "${PACKAGECONFIG}" | grep -qw "gnutls"; then - ssl=gnutls - fi - if [ -n "$ssl" ]; then - sed -i "s/%ssl%/$ssl/" wpa_supplicant/.config - fi - - # For rebuild - rm -f wpa_supplicant/*.d wpa_supplicant/dbus/*.d -} - -export EXTRA_CFLAGS = "${CFLAGS}" -export BINDIR = "${sbindir}" - -do_compile () { - unset CFLAGS CPPFLAGS CXXFLAGS - sed -e "s:CFLAGS\ =.*:& \$(EXTRA_CFLAGS):g" -i ${S}/src/lib.rules - oe_runmake -C wpa_supplicant -} - -do_install () { - install -d ${D}${sbindir} - install -m 755 wpa_supplicant/wpa_supplicant ${D}${sbindir} - install -m 755 wpa_supplicant/wpa_cli ${D}${sbindir} - - install -d ${D}${bindir} - install -m 755 wpa_supplicant/wpa_passphrase ${D}${bindir} - - install -d ${D}${docdir}/wpa_supplicant - install -m 644 wpa_supplicant/README ${WORKDIR}/wpa_supplicant.conf ${D}${docdir}/wpa_supplicant - - install -d ${D}${sysconfdir} - install -m 600 ${WORKDIR}/wpa_supplicant.conf-sane ${D}${sysconfdir}/wpa_supplicant.conf - - install -d ${D}${sysconfdir}/network/if-pre-up.d/ - 
install -d ${D}${sysconfdir}/network/if-post-down.d/ - install -d ${D}${sysconfdir}/network/if-down.d/ - install -m 755 ${WORKDIR}/wpa-supplicant.sh ${D}${sysconfdir}/network/if-pre-up.d/wpa-supplicant - cd ${D}${sysconfdir}/network/ && \ - ln -sf ../if-pre-up.d/wpa-supplicant if-post-down.d/wpa-supplicant - - install -d ${D}/${sysconfdir}/dbus-1/system.d - install -m 644 ${S}/wpa_supplicant/dbus/dbus-wpa_supplicant.conf ${D}/${sysconfdir}/dbus-1/system.d - install -d ${D}/${datadir}/dbus-1/system-services - install -m 644 ${S}/wpa_supplicant/dbus/*.service ${D}/${datadir}/dbus-1/system-services - - if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then - install -d ${D}/${systemd_unitdir}/system - install -m 644 ${S}/wpa_supplicant/systemd/*.service ${D}/${systemd_unitdir}/system - fi - - install -d ${D}/etc/default/volatiles - install -m 0644 ${WORKDIR}/99_wpa_supplicant ${D}/etc/default/volatiles -} - -pkg_postinst_wpa-supplicant () { - # If we're offline, we don't need to do this. - if [ "x$D" = "x" ]; then - killall -q -HUP dbus-daemon || true - fi - -} |