[kirkstone] wpa-supplicant: Upgrade 2.10 -> 2.11

From: Siddharth Doshi <sdoshi@mvista.com>

License-Update:
===============
- README: Change in copyright years as per https://w1.fi/cgit/hostap/commit/README?id=d945ddd368085f255e68328f2d3b020ceea359af
- wpa_supplicant/wpa_supplicant.c: Change in copyright years as per https://w1.fi/cgit/hostap/commit/wpa_supplicant/wpa_supplicant.c?id=d945ddd368085f255e68328f2d3b020ceea359af

CVE's Fixed:
===========
- CVE-2024-5290 wpa_supplicant: wpa_supplicant loading arbitrary shared objects allowing privilege escalation
- CVE-2023-52160 wpa_supplicant: potential authorization bypass

Changes between 2.10 -> 2.11:
============================
https://w1.fi/cgit/hostap/commit/wpa_supplicant/ChangeLog?id=d945ddd368085f255e68328f2d3b020ceea359af

Note:
=====
Patche 0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch (CVE-2023-52160) is already fixed and hence removing it.

Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
---
 ...te-Phase-2-authentication-requiremen.patch | 213 ------------------
 ...plicant_2.10.bb => wpa-supplicant_2.11.bb} |   7 +-
 2 files changed, 3 insertions(+), 217 deletions(-)
 delete mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch
 rename meta/recipes-connectivity/wpa-supplicant/{wpa-supplicant_2.10.bb => wpa-supplicant_2.11.bb} (92%)

Updates like this are not eligible for stable branches. Please pay
attention to what Randy said.

Alex


On Fri, 23 Aug 2024 at 09:38, Siddharth Doshi via
lists.openembedded.org <sdoshi=mvista.com@lists.openembedded.org>
wrote:
>
> From: Siddharth Doshi <sdoshi@mvista.com>
>
> License-Update:
> ===============
> - README: Change in copyright years as per https://w1.fi/cgit/hostap/commit/README?id=d945ddd368085f255e68328f2d3b020ceea359af
> - wpa_supplicant/wpa_supplicant.c: Change in copyright years as per https://w1.fi/cgit/hostap/commit/wpa_supplicant/wpa_supplicant.c?id=d945ddd368085f255e68328f2d3b020ceea359af
>
> CVE's Fixed:
> ===========
> - CVE-2024-5290 wpa_supplicant: wpa_supplicant loading arbitrary shared objects allowing privilege escalation
> - CVE-2023-52160 wpa_supplicant: potential authorization bypass
>
> Changes between 2.10 -> 2.11:
> ============================
> https://w1.fi/cgit/hostap/commit/wpa_supplicant/ChangeLog?id=d945ddd368085f255e68328f2d3b020ceea359af
>
> Note:
> =====
> Patche 0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch (CVE-2023-52160) is already fixed and hence removing it.
>
> Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
> ---
>  ...te-Phase-2-authentication-requiremen.patch | 213 ------------------
>  ...plicant_2.10.bb => wpa-supplicant_2.11.bb} |   7 +-
>  2 files changed, 3 insertions(+), 217 deletions(-)
>  delete mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch
>  rename meta/recipes-connectivity/wpa-supplicant/{wpa-supplicant_2.10.bb => wpa-supplicant_2.11.bb} (92%)
>
> diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch
> deleted file mode 100644
> index bc2db972c3..0000000000
> --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch
> +++ /dev/null
> @@ -1,213 +0,0 @@
> -From f6f7cead3661ceeef54b21f7e799c0afc98537ec Mon Sep 17 00:00:00 2001
> -From: Jouni Malinen <j@w1.fi>
> -Date: Sat, 8 Jul 2023 19:55:32 +0300
> -Subject: [PATCH] PEAP client: Update Phase 2 authentication requirements
> -
> -The previous PEAP client behavior allowed the server to skip Phase 2
> -authentication with the expectation that the server was authenticated
> -during Phase 1 through TLS server certificate validation. Various PEAP
> -specifications are not exactly clear on what the behavior on this front
> -is supposed to be and as such, this ended up being more flexible than
> -the TTLS/FAST/TEAP cases. However, this is not really ideal when
> -unfortunately common misconfiguration of PEAP is used in deployed
> -devices where the server trust root (ca_cert) is not configured or the
> -user has an easy option for allowing this validation step to be skipped.
> -
> -Change the default PEAP client behavior to be to require Phase 2
> -authentication to be successfully completed for cases where TLS session
> -resumption is not used and the client certificate has not been
> -configured. Those two exceptions are the main cases where a deployed
> -authentication server might skip Phase 2 and as such, where a more
> -strict default behavior could result in undesired interoperability
> -issues. Requiring Phase 2 authentication will end up disabling TLS
> -session resumption automatically to avoid interoperability issues.
> -
> -Allow Phase 2 authentication behavior to be configured with a new phase1
> -configuration parameter option:
> -'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
> -tunnel) behavior for PEAP:
> - * 0 = do not require Phase 2 authentication
> - * 1 = require Phase 2 authentication when client certificate
> -   (private_key/client_cert) is no used and TLS session resumption was
> -   not used (default)
> - * 2 = require Phase 2 authentication in all cases
> -
> -Signed-off-by: Jouni Malinen <j@w1.fi>
> -
> -CVE: CVE-2023-52160
> -Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=8e6485a1bcb0baffdea9e55255a81270b768439c]
> -
> -Signed-off-by: Claus Stovgaard <claus.stovgaard@gmail.com>
> -Signed-off-by: Peter Marko <peter.marko@siemens.com>
> ----
> - src/eap_peer/eap_config.h          |  8 ++++++
> - src/eap_peer/eap_peap.c            | 40 +++++++++++++++++++++++++++---
> - src/eap_peer/eap_tls_common.c      |  6 +++++
> - src/eap_peer/eap_tls_common.h      |  5 ++++
> - wpa_supplicant/wpa_supplicant.conf |  7 ++++++
> - 5 files changed, 63 insertions(+), 3 deletions(-)
> -
> -diff --git a/src/eap_peer/eap_config.h b/src/eap_peer/eap_config.h
> -index 3238f74..047eec2 100644
> ---- a/src/eap_peer/eap_config.h
> -+++ b/src/eap_peer/eap_config.h
> -@@ -469,6 +469,14 @@ struct eap_peer_config {
> -        * 1 = use cryptobinding if server supports it
> -        * 2 = require cryptobinding
> -        *
> -+       * phase2_auth option can be used to control Phase 2 (i.e., within TLS
> -+       * tunnel) behavior for PEAP:
> -+       * 0 = do not require Phase 2 authentication
> -+       * 1 = require Phase 2 authentication when client certificate
> -+       *  (private_key/client_cert) is no used and TLS session resumption was
> -+       *  not used (default)
> -+       * 2 = require Phase 2 authentication in all cases
> -+       *
> -        * EAP-WSC (WPS) uses following options: pin=Device_Password and
> -        * uuid=Device_UUID
> -        *
> -diff --git a/src/eap_peer/eap_peap.c b/src/eap_peer/eap_peap.c
> -index 12e30df..6080697 100644
> ---- a/src/eap_peer/eap_peap.c
> -+++ b/src/eap_peer/eap_peap.c
> -@@ -67,6 +67,7 @@ struct eap_peap_data {
> -       u8 cmk[20];
> -       int soh; /* Whether IF-TNCCS-SOH (Statement of Health; Microsoft NAP)
> -                 * is enabled. */
> -+      enum { NO_AUTH, FOR_INITIAL, ALWAYS } phase2_auth;
> - };
> -
> -
> -@@ -114,6 +115,19 @@ static void eap_peap_parse_phase1(struct eap_peap_data *data,
> -               wpa_printf(MSG_DEBUG, "EAP-PEAP: Require cryptobinding");
> -       }
> -
> -+      if (os_strstr(phase1, "phase2_auth=0")) {
> -+              data->phase2_auth = NO_AUTH;
> -+              wpa_printf(MSG_DEBUG,
> -+                         "EAP-PEAP: Do not require Phase 2 authentication");
> -+      } else if (os_strstr(phase1, "phase2_auth=1")) {
> -+              data->phase2_auth = FOR_INITIAL;
> -+              wpa_printf(MSG_DEBUG,
> -+                         "EAP-PEAP: Require Phase 2 authentication for initial connection");
> -+      } else if (os_strstr(phase1, "phase2_auth=2")) {
> -+              data->phase2_auth = ALWAYS;
> -+              wpa_printf(MSG_DEBUG,
> -+                         "EAP-PEAP: Require Phase 2 authentication for all cases");
> -+      }
> - #ifdef EAP_TNC
> -       if (os_strstr(phase1, "tnc=soh2")) {
> -               data->soh = 2;
> -@@ -142,6 +156,7 @@ static void * eap_peap_init(struct eap_sm *sm)
> -       data->force_peap_version = -1;
> -       data->peap_outer_success = 2;
> -       data->crypto_binding = OPTIONAL_BINDING;
> -+      data->phase2_auth = FOR_INITIAL;
> -
> -       if (config && config->phase1)
> -               eap_peap_parse_phase1(data, config->phase1);
> -@@ -454,6 +469,20 @@ static int eap_tlv_validate_cryptobinding(struct eap_sm *sm,
> - }
> -
> -
> -+static bool peap_phase2_sufficient(struct eap_sm *sm,
> -+                                 struct eap_peap_data *data)
> -+{
> -+      if ((data->phase2_auth == ALWAYS ||
> -+           (data->phase2_auth == FOR_INITIAL &&
> -+            !tls_connection_resumed(sm->ssl_ctx, data->ssl.conn) &&
> -+            !data->ssl.client_cert_conf) ||
> -+           data->phase2_eap_started) &&
> -+          !data->phase2_eap_success)
> -+              return false;
> -+      return true;
> -+}
> -+
> -+
> - /**
> -  * eap_tlv_process - Process a received EAP-TLV message and generate a response
> -  * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
> -@@ -568,6 +597,11 @@ static int eap_tlv_process(struct eap_sm *sm, struct eap_peap_data *data,
> -                                          " - force failed Phase 2");
> -                               resp_status = EAP_TLV_RESULT_FAILURE;
> -                               ret->decision = DECISION_FAIL;
> -+                      } else if (!peap_phase2_sufficient(sm, data)) {
> -+                              wpa_printf(MSG_INFO,
> -+                                         "EAP-PEAP: Server indicated Phase 2 success, but sufficient Phase 2 authentication has not been completed");
> -+                              resp_status = EAP_TLV_RESULT_FAILURE;
> -+                              ret->decision = DECISION_FAIL;
> -                       } else {
> -                               resp_status = EAP_TLV_RESULT_SUCCESS;
> -                               ret->decision = DECISION_UNCOND_SUCC;
> -@@ -887,8 +921,7 @@ continue_req:
> -                       /* EAP-Success within TLS tunnel is used to indicate
> -                        * shutdown of the TLS channel. The authentication has
> -                        * been completed. */
> --                      if (data->phase2_eap_started &&
> --                          !data->phase2_eap_success) {
> -+                      if (!peap_phase2_sufficient(sm, data)) {
> -                               wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 "
> -                                          "Success used to indicate success, "
> -                                          "but Phase 2 EAP was not yet "
> -@@ -1199,8 +1232,9 @@ static struct wpabuf * eap_peap_process(struct eap_sm *sm, void *priv,
> - static bool eap_peap_has_reauth_data(struct eap_sm *sm, void *priv)
> - {
> -       struct eap_peap_data *data = priv;
> -+
> -       return tls_connection_established(sm->ssl_ctx, data->ssl.conn) &&
> --              data->phase2_success;
> -+              data->phase2_success && data->phase2_auth != ALWAYS;
> - }
> -
> -
> -diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c
> -index c1837db..a53eeb1 100644
> ---- a/src/eap_peer/eap_tls_common.c
> -+++ b/src/eap_peer/eap_tls_common.c
> -@@ -239,6 +239,12 @@ static int eap_tls_params_from_conf(struct eap_sm *sm,
> -
> -       sm->ext_cert_check = !!(params->flags & TLS_CONN_EXT_CERT_CHECK);
> -
> -+      if (!phase2)
> -+              data->client_cert_conf = params->client_cert ||
> -+                      params->client_cert_blob ||
> -+                      params->private_key ||
> -+                      params->private_key_blob;
> -+
> -       return 0;
> - }
> -
> -diff --git a/src/eap_peer/eap_tls_common.h b/src/eap_peer/eap_tls_common.h
> -index 9ac0012..3348634 100644
> ---- a/src/eap_peer/eap_tls_common.h
> -+++ b/src/eap_peer/eap_tls_common.h
> -@@ -79,6 +79,11 @@ struct eap_ssl_data {
> -        * tls_v13 - Whether TLS v1.3 or newer is used
> -        */
> -       int tls_v13;
> -+
> -+      /**
> -+       * client_cert_conf: Whether client certificate has been configured
> -+       */
> -+      bool client_cert_conf;
> - };
> -
> -
> -diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
> -index 6619d6b..d63f73c 100644
> ---- a/wpa_supplicant/wpa_supplicant.conf
> -+++ b/wpa_supplicant/wpa_supplicant.conf
> -@@ -1321,6 +1321,13 @@ fast_reauth=1
> - #      * 0 = do not use cryptobinding (default)
> - #      * 1 = use cryptobinding if server supports it
> - #      * 2 = require cryptobinding
> -+#     'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
> -+#     tunnel) behavior for PEAP:
> -+#      * 0 = do not require Phase 2 authentication
> -+#      * 1 = require Phase 2 authentication when client certificate
> -+#        (private_key/client_cert) is no used and TLS session resumption was
> -+#        not used (default)
> -+#      * 2 = require Phase 2 authentication in all cases
> - #     EAP-WSC (WPS) uses following options: pin=<Device Password> or
> - #     pbc=1.
> - #
> diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.11.bb
> similarity index 92%
> rename from meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb
> rename to meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.11.bb
> index 70f1fd6fc9..8b6bbf50eb 100644
> --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb
> +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.11.bb
> @@ -5,8 +5,8 @@ BUGTRACKER = "http://w1.fi/security/"
>  SECTION = "network"
>  LICENSE = "BSD-3-Clause"
>  LIC_FILES_CHKSUM = "file://COPYING;md5=5ebcb90236d1ad640558c3d3cd3035df \
> -                    file://README;beginline=1;endline=56;md5=e3d2f6c2948991e37c1ca4960de84747 \
> -                    file://wpa_supplicant/wpa_supplicant.c;beginline=1;endline=12;md5=76306a95306fee9a976b0ac1be70f705"
> +                    file://README;beginline=1;endline=56;md5=6e4b25e7d74bfc44a32ba37bdf5210a6 \
> +                    file://wpa_supplicant/wpa_supplicant.c;beginline=1;endline=12;md5=f5ccd57ea91e04800edb88267bf8eae4"
>  DEPENDS = "dbus libnl"
>  RRECOMMENDS:${PN} = "wpa-supplicant-passphrase wpa-supplicant-cli"
>
> @@ -25,9 +25,8 @@ SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \
>             file://wpa_supplicant.conf \
>             file://wpa_supplicant.conf-sane \
>             file://99_wpa_supplicant \
> -           file://0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch \
>             "
> -SRC_URI[sha256sum] = "20df7ae5154b3830355f8ab4269123a87affdea59fe74fe9292a91d0d7e17b2f"
> +SRC_URI[sha256sum] = "912ea06f74e30a8e36fbb68064d6cdff218d8d591db0fc5d75dee6c81ac7fc0a"
>
>  CVE_PRODUCT = "wpa_supplicant"
>
> --
> 2.34.1
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#203680): https://lists.openembedded.org/g/openembedded-core/message/203680
> Mute This Topic: https://lists.openembedded.org/mt/108052523/1686489
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [alex.kanavin@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>

Hi Alex,

For some unknown reason, Randy's message was filtered to spam and i missed it. Else, would have replied before submitting the patch for kirkstone.

I did stat my own investigations and reasons for the upgrade -> https://lists.openembedded.org/g/openembedded-core/message/203703

However, if you still feel, i should be avoiding the upgrade for wpa-supplicant, let me know, i would submit CVE patch for the issues needed.

Regards,
Siddharth