From patchwork Sun Dec 8 22:08:10 2024
X-Patchwork-Submitter: "Marko, Peter"
X-Patchwork-Id: 53806
From: Peter Marko
To: openembedded-devel@lists.openembedded.org
Cc: Peter Marko
Subject: [meta-oe][kirkstone][PATCH RESEND 1/2] hostapd: Patch CVE-2024-3596
Date: Sun, 8 Dec 2024 23:08:10 +0100
Message-Id: <20241208220811.51062-1-peter.marko@siemens.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/114245

From: Peter Marko

Picked patches according to
http://w1.fi/security/2024-1/hostapd-and-radius-protocol-forgery-attacks.txt

The first patch is a style commit, picked to have a clean cherry-pick of all
mentioned commits without any conflict.

Patch CVE-2024-3596_03.patch was removed as it only patched wpa_supplicant.
The patch names were not changed so they are comparable with the
wpa_supplicant recipe.
Signed-off-by: Peter Marko
---
 .../hostapd/hostapd/CVE-2024-3596_00.patch |  82 +++++++++
 .../hostapd/hostapd/CVE-2024-3596_01.patch | 165 ++++++++++++++++++
 .../hostapd/hostapd/CVE-2024-3596_02.patch |  62 +++++++
 .../hostapd/hostapd/CVE-2024-3596_04.patch |  52 ++++++
 .../hostapd/hostapd/CVE-2024-3596_05.patch |  51 ++++++
 .../hostapd/hostapd/CVE-2024-3596_06.patch |  46 +++++
 .../hostapd/hostapd/CVE-2024-3596_07.patch | 105 +++++++++++
 .../hostapd/hostapd/CVE-2024-3596_08.patch |  47 +++++
 .../hostapd/hostapd_2.10.bb                |   8 +
 9 files changed, 618 insertions(+)
 create mode 100644 meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_00.patch
 create mode 100644 meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_01.patch
 create mode 100644 meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_02.patch
 create mode 100644 meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_04.patch
 create mode 100644 meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_05.patch
 create mode 100644 meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_06.patch
 create mode 100644 meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_07.patch
 create mode 100644 meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_08.patch

diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_00.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_00.patch
new file mode 100644
index 0000000000..7a8197d2b4
--- /dev/null
+++ b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_00.patch
@@ -0,0 +1,82 @@ +From 945acf3ef06a6c312927da4fa055693dbac432d1 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Sat, 2 Apr 2022 16:28:12 +0300 +Subject: [PATCH 1/9] ieee802_11_auth: Coding style cleanup - no string + constant splitting + +Signed-off-by: Jouni Malinen + +Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=945acf3ef06a6c312927da4fa055693dbac432d1] +Signed-off-by: Peter Marko +--- + src/ap/ieee802_11_auth.c | 27 +++++++++++++++------------ + 1 file changed, 15 insertions(+), 12 deletions(-) + +diff --git a/src/ap/ieee802_11_auth.c b/src/ap/ieee802_11_auth.c +index 783ee6dea..47cc625be 100644 +--- a/src/ap/ieee802_11_auth.c ++++ b/src/ap/ieee802_11_auth.c +@@ -267,16 +267,16 @@ int hostapd_allowed_address(struct hostapd_data *hapd, const u8 *addr, + os_get_reltime(&query->timestamp); + os_memcpy(query->addr, addr, ETH_ALEN); + if (hostapd_radius_acl_query(hapd, addr, query)) { +- wpa_printf(MSG_DEBUG, "Failed to send Access-Request " +- "for ACL query."); ++ wpa_printf(MSG_DEBUG, ++ "Failed to send Access-Request for ACL query."); + hostapd_acl_query_free(query); + return HOSTAPD_ACL_REJECT; + } + + query->auth_msg = os_memdup(msg, len); + if (query->auth_msg == NULL) { +- wpa_printf(MSG_ERROR, "Failed to allocate memory for " +- "auth frame."); ++ wpa_printf(MSG_ERROR, ++ "Failed to allocate memory for auth frame."); + hostapd_acl_query_free(query); + return HOSTAPD_ACL_REJECT; + } +@@ -467,19 +467,21 @@ hostapd_acl_recv_radius(struct radius_msg *msg, struct radius_msg *req, + if (query == NULL) + return RADIUS_RX_UNKNOWN; + +- wpa_printf(MSG_DEBUG, "Found matching Access-Request for RADIUS " +- "message (id=%d)", query->radius_id); ++ wpa_printf(MSG_DEBUG, ++ "Found matching Access-Request for RADIUS message (id=%d)", ++ query->radius_id); + + if (radius_msg_verify(msg, shared_secret, shared_secret_len, req, 0)) { +- wpa_printf(MSG_INFO, "Incoming RADIUS packet did not have " +- "correct authenticator - dropped\n"); ++ 
wpa_printf(MSG_INFO, ++ "Incoming RADIUS packet did not have correct authenticator - dropped"); + return RADIUS_RX_INVALID_AUTHENTICATOR; + } + + if (hdr->code != RADIUS_CODE_ACCESS_ACCEPT && + hdr->code != RADIUS_CODE_ACCESS_REJECT) { +- wpa_printf(MSG_DEBUG, "Unknown RADIUS message code %d to ACL " +- "query", hdr->code); ++ wpa_printf(MSG_DEBUG, ++ "Unknown RADIUS message code %d to ACL query", ++ hdr->code); + return RADIUS_RX_UNKNOWN; + } + +@@ -506,8 +508,9 @@ hostapd_acl_recv_radius(struct radius_msg *msg, struct radius_msg *req, + msg, RADIUS_ATTR_ACCT_INTERIM_INTERVAL, + &info->acct_interim_interval) == 0 && + info->acct_interim_interval < 60) { +- wpa_printf(MSG_DEBUG, "Ignored too small " +- "Acct-Interim-Interval %d for STA " MACSTR, ++ wpa_printf(MSG_DEBUG, ++ "Ignored too small Acct-Interim-Interval %d for STA " ++ MACSTR, + info->acct_interim_interval, + MAC2STR(query->addr)); + info->acct_interim_interval = 0; +-- +2.30.2 + diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_01.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_01.patch new file mode 100644 index 0000000000..dab2eedd6a --- /dev/null +++ b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_01.patch 
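Review bot: the third hunk of CVE-2024-3596_00.patch (hostapd_acl_recv_radius) is not purely cosmetic: the rejoined string drops the trailing "\n" from "correct authenticator - dropped\n", so that MSG_INFO line no longer ends in a blank line (wpa_printf terminates each message itself). Harmless, and arguably a fix, but the cover letter presents this patch as a pure style commit carried only so the later commits cherry-pick cleanly, so a one-line remark in the patch header would save the next backporter a double-take.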
@@ -0,0 +1,165 @@ +From adac846bd0e258a0aa50750bbd2b411fa0085c46 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Sat, 16 Mar 2024 11:11:44 +0200 +Subject: [PATCH 2/9] RADIUS: Allow Message-Authenticator attribute as the + first attribute + +If a Message-Authenticator attribute was already added to a RADIUS +message, use that attribute instead of adding a new one when finishing +message building. This allows the Message-Authenticator attribute to be +placed as the first attribute in the message. + +Signed-off-by: Jouni Malinen + +CVE: CVE-2024-3596 +Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=adac846bd0e258a0aa50750bbd2b411fa0085c46] +Signed-off-by: Peter Marko +--- + src/radius/radius.c | 85 ++++++++++++++++++++++++++++----------------- + src/radius/radius.h | 1 + + 2 files changed, 54 insertions(+), 32 deletions(-) + +diff --git a/src/radius/radius.c b/src/radius/radius.c +index be16e27b9..2d2e00b5c 100644 +--- a/src/radius/radius.c ++++ b/src/radius/radius.c +@@ -364,25 +364,54 @@ void radius_msg_dump(struct radius_msg *msg) + } + + ++u8 * radius_msg_add_msg_auth(struct radius_msg *msg) ++{ ++ u8 auth[MD5_MAC_LEN]; ++ struct radius_attr_hdr *attr; ++ ++ os_memset(auth, 0, MD5_MAC_LEN); ++ attr = radius_msg_add_attr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR, ++ auth, MD5_MAC_LEN); ++ if (!attr) { ++ wpa_printf(MSG_ERROR, ++ "WARNING: Could not add Message-Authenticator"); ++ return NULL; ++ } ++ ++ return (u8 *) (attr + 1); ++} ++ ++ ++static u8 * radius_msg_auth_pos(struct radius_msg *msg) ++{ ++ u8 *pos; ++ size_t alen; ++ ++ if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR, ++ &pos, &alen, NULL) == 0 && ++ alen == MD5_MAC_LEN) { ++ /* Use already added Message-Authenticator attribute */ ++ return pos; ++ } ++ ++ /* Add a Message-Authenticator attribute */ ++ return radius_msg_add_msg_auth(msg); ++} ++ ++ + int radius_msg_finish(struct radius_msg *msg, const u8 *secret, + size_t secret_len) + { + if (secret) { +- u8 
auth[MD5_MAC_LEN]; +- struct radius_attr_hdr *attr; ++ u8 *pos; + +- os_memset(auth, 0, MD5_MAC_LEN); +- attr = radius_msg_add_attr(msg, +- RADIUS_ATTR_MESSAGE_AUTHENTICATOR, +- auth, MD5_MAC_LEN); +- if (attr == NULL) { +- wpa_printf(MSG_WARNING, "RADIUS: Could not add " +- "Message-Authenticator"); ++ pos = radius_msg_auth_pos(msg); ++ if (!pos) + return -1; +- } + msg->hdr->length = host_to_be16(wpabuf_len(msg->buf)); +- hmac_md5(secret, secret_len, wpabuf_head(msg->buf), +- wpabuf_len(msg->buf), (u8 *) (attr + 1)); ++ if (hmac_md5(secret, secret_len, wpabuf_head(msg->buf), ++ wpabuf_len(msg->buf), pos) < 0) ++ return -1; + } else + msg->hdr->length = host_to_be16(wpabuf_len(msg->buf)); + +@@ -398,23 +427,19 @@ int radius_msg_finish(struct radius_msg *msg, const u8 *secret, + int radius_msg_finish_srv(struct radius_msg *msg, const u8 *secret, + size_t secret_len, const u8 *req_authenticator) + { +- u8 auth[MD5_MAC_LEN]; +- struct radius_attr_hdr *attr; + const u8 *addr[4]; + size_t len[4]; ++ u8 *pos; + +- os_memset(auth, 0, MD5_MAC_LEN); +- attr = radius_msg_add_attr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR, +- auth, MD5_MAC_LEN); +- if (attr == NULL) { +- wpa_printf(MSG_ERROR, "WARNING: Could not add Message-Authenticator"); ++ pos = radius_msg_auth_pos(msg); ++ if (!pos) + return -1; +- } + msg->hdr->length = host_to_be16(wpabuf_len(msg->buf)); + os_memcpy(msg->hdr->authenticator, req_authenticator, + sizeof(msg->hdr->authenticator)); +- hmac_md5(secret, secret_len, wpabuf_head(msg->buf), +- wpabuf_len(msg->buf), (u8 *) (attr + 1)); ++ if (hmac_md5(secret, secret_len, wpabuf_head(msg->buf), ++ wpabuf_len(msg->buf), pos) < 0) ++ return -1; + + /* ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret) */ + addr[0] = (u8 *) msg->hdr; +@@ -442,21 +467,17 @@ int radius_msg_finish_das_resp(struct radius_msg *msg, const u8 *secret, + { + const u8 *addr[2]; + size_t len[2]; +- u8 auth[MD5_MAC_LEN]; +- struct radius_attr_hdr *attr; ++ u8 *pos; + +- 
os_memset(auth, 0, MD5_MAC_LEN); +- attr = radius_msg_add_attr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR, +- auth, MD5_MAC_LEN); +- if (attr == NULL) { +- wpa_printf(MSG_WARNING, "Could not add Message-Authenticator"); ++ pos = radius_msg_auth_pos(msg); ++ if (!pos) + return -1; +- } + + msg->hdr->length = host_to_be16(wpabuf_len(msg->buf)); + os_memcpy(msg->hdr->authenticator, req_hdr->authenticator, 16); +- hmac_md5(secret, secret_len, wpabuf_head(msg->buf), +- wpabuf_len(msg->buf), (u8 *) (attr + 1)); ++ if (hmac_md5(secret, secret_len, wpabuf_head(msg->buf), ++ wpabuf_len(msg->buf), pos) < 0) ++ return -1; + + /* ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret) */ + addr[0] = wpabuf_head_u8(msg->buf); +diff --git a/src/radius/radius.h b/src/radius/radius.h +index fb8148180..6b9dfbca2 100644 +--- a/src/radius/radius.h ++++ b/src/radius/radius.h +@@ -240,6 +240,7 @@ struct wpabuf * radius_msg_get_buf(struct radius_msg *msg); + struct radius_msg * radius_msg_new(u8 code, u8 identifier); + void radius_msg_free(struct radius_msg *msg); + void radius_msg_dump(struct radius_msg *msg); ++u8 * radius_msg_add_msg_auth(struct radius_msg *msg); + int radius_msg_finish(struct radius_msg *msg, const u8 *secret, + size_t secret_len); + int radius_msg_finish_srv(struct radius_msg *msg, const u8 *secret, +-- +2.30.2 + diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_02.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_02.patch new file mode 100644 index 0000000000..02e35bd6de --- /dev/null +++ b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_02.patch 
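Review bot: radius_msg_auth_pos() falls through to radius_msg_add_msg_auth() when a Message-Authenticator attribute is already present but alen != MD5_MAC_LEN, so the finished message would carry two Message-Authenticator attributes, one of them malformed. Only hostapd itself builds these messages, so this would be a local bug rather than an attack vector, but returning NULL in that branch (and thereby failing radius_msg_finish*) is the safer choice and costs nothing.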
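Review bot: the newly exported radius_msg_add_msg_auth() returns `(u8 *) (attr + 1)`, a pointer into msg->buf that may be moved if a later radius_msg_add_attr() has to grow the buffer. The callers added later in this series use the return value only as a success flag and the real HMAC is written at finish time through radius_msg_auth_pos(), which is why this works; a comment on the prototype added to radius.h saying the pointer must not be kept across further attribute additions would keep a future caller from writing the MAC into freed memory.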
@@ -0,0 +1,62 @@ +From 54abb0d3cf35894e7d86e3f7555e95b106306803 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Sat, 16 Mar 2024 11:13:32 +0200 +Subject: [PATCH 3/9] RADIUS server: Place Message-Authenticator attribute as + the first one + +Move the Message-Authenticator attribute to be the first attribute in +the RADIUS messages. This mitigates certain MD5 attacks against +RADIUS/UDP. + +Signed-off-by: Jouni Malinen + +CVE: CVE-2024-3596 +Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=54abb0d3cf35894e7d86e3f7555e95b106306803] +Signed-off-by: Peter Marko +--- + src/radius/radius_server.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/src/radius/radius_server.c b/src/radius/radius_server.c +index e02c21540..fa3691548 100644 +--- a/src/radius/radius_server.c ++++ b/src/radius/radius_server.c +@@ -920,6 +920,11 @@ radius_server_encapsulate_eap(struct radius_server_data *data, + return NULL; + } + ++ if (!radius_msg_add_msg_auth(msg)) { ++ radius_msg_free(msg); ++ return NULL; ++ } ++ + sess_id = htonl(sess->sess_id); + if (code == RADIUS_CODE_ACCESS_CHALLENGE && + !radius_msg_add_attr(msg, RADIUS_ATTR_STATE, +@@ -1204,6 +1209,11 @@ radius_server_macacl(struct radius_server_data *data, + return NULL; + } + ++ if (!radius_msg_add_msg_auth(msg)) { ++ radius_msg_free(msg); ++ return NULL; ++ } ++ + if (radius_msg_copy_attr(msg, request, RADIUS_ATTR_PROXY_STATE) < 0) { + RADIUS_DEBUG("Failed to copy Proxy-State attribute(s)"); + radius_msg_free(msg); +@@ -1253,6 +1263,11 @@ static int radius_server_reject(struct radius_server_data *data, + return -1; + } + ++ if (!radius_msg_add_msg_auth(msg)) { ++ radius_msg_free(msg); ++ return -1; ++ } ++ + os_memset(&eapfail, 0, sizeof(eapfail)); + eapfail.code = EAP_CODE_FAILURE; + eapfail.identifier = 0; +-- +2.30.2 + 
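Review bot: these three hunks depend on CVE-2024-3596_01.patch: Message-Authenticator ends up first only because radius_msg_finish_srv() now reuses an attribute that is already present; applied without it, every reply would carry two Message-Authenticator attributes. Keep the SRC_URI order as submitted, and consider folding the identical add/free/return block (now repeated three times) into a small helper around radius_msg_new() so the next message constructor added to radius_server.c cannot forget it.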
diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_04.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_04.patch new file mode 100644 index 0000000000..ce499ce8b6 --- /dev/null +++ b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_04.patch 
@@ -0,0 +1,52 @@ +From 37fe8e48ab44d44fe3cf5dd8f52cb0a10be0cd17 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Sat, 16 Mar 2024 11:22:43 +0200 +Subject: [PATCH 5/9] hostapd: Move Message-Authenticator attribute to be the + first one in req + +Even if this is not strictly speaking necessary for mitigating certain +RADIUS protocol attacks, be consistent with the RADIUS server behavior +and move the Message-Authenticator attribute to be the first attribute +in the message from RADIUS client in hostapd. + +Signed-off-by: Jouni Malinen + +CVE: CVE-2024-3596 +Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=37fe8e48ab44d44fe3cf5dd8f52cb0a10be0cd17] +Signed-off-by: Peter Marko +--- + src/ap/ieee802_11_auth.c | 3 +++ + src/ap/ieee802_1x.c | 3 +++ + 2 files changed, 6 insertions(+) + +diff --git a/src/ap/ieee802_11_auth.c b/src/ap/ieee802_11_auth.c +index 47cc625be..2a950cf7f 100644 +--- a/src/ap/ieee802_11_auth.c ++++ b/src/ap/ieee802_11_auth.c +@@ -119,6 +119,9 @@ static int hostapd_radius_acl_query(struct hostapd_data *hapd, const u8 *addr, + goto fail; + } + ++ if (!radius_msg_add_msg_auth(msg)) ++ goto fail; ++ + os_snprintf(buf, sizeof(buf), RADIUS_ADDR_FORMAT, MAC2STR(addr)); + if (!radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME, (u8 *) buf, + os_strlen(buf))) { +diff --git a/src/ap/ieee802_1x.c b/src/ap/ieee802_1x.c +index 753c88335..89e3dd30e 100644 +--- a/src/ap/ieee802_1x.c ++++ b/src/ap/ieee802_1x.c +@@ -702,6 +702,9 @@ void ieee802_1x_encapsulate_radius(struct hostapd_data *hapd, + goto fail; + } + ++ if (!radius_msg_add_msg_auth(msg)) ++ goto fail; ++ + if (sm->identity && + !radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME, + sm->identity, sm->identity_len)) { +-- +2.30.2 + diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_05.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_05.patch new file mode 100644 index 0000000000..44113afd4a --- /dev/null 
+++ b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_05.patch @@ -0,0 +1,51 @@ +From f54157077f799d84ce26bed6ad6b01c4a16e31cf Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Sat, 16 Mar 2024 11:26:58 +0200 +Subject: [PATCH 6/9] RADIUS DAS: Move Message-Authenticator attribute to be + the first one + +Even if this might not be strictly speaking necessary for mitigating +certain RADIUS protocol attacks, be consistent with the RADIUS server +behavior and move the Message-Authenticator attribute to be the first +attribute in the RADIUS DAS responses from hostapd. + +Signed-off-by: Jouni Malinen + +CVE: CVE-2024-3596 +Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=f54157077f799d84ce26bed6ad6b01c4a16e31cf] +Signed-off-by: Peter Marko +--- + src/radius/radius_das.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/src/radius/radius_das.c b/src/radius/radius_das.c +index aaa3fc267..8d7c9b4c4 100644 +--- a/src/radius/radius_das.c ++++ b/src/radius/radius_das.c +@@ -177,6 +177,11 @@ fail: + if (reply == NULL) + return NULL; + ++ if (!radius_msg_add_msg_auth(reply)) { ++ radius_msg_free(reply); ++ return NULL; ++ } ++ + if (error) { + if (!radius_msg_add_attr_int32(reply, RADIUS_ATTR_ERROR_CAUSE, + error)) { +@@ -368,6 +373,11 @@ fail: + if (!reply) + return NULL; + ++ if (!radius_msg_add_msg_auth(reply)) { ++ radius_msg_free(reply); ++ return NULL; ++ } ++ + if (error && + !radius_msg_add_attr_int32(reply, RADIUS_ATTR_ERROR_CAUSE, error)) { + radius_msg_free(reply); +-- +2.30.2 + diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_06.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_06.patch new file mode 100644 index 0000000000..9a284b5261 --- /dev/null +++ b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_06.patch 
@@ -0,0 +1,46 @@ +From 934b0c3a45ce0726560ccefbd992a9d385c36385 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Sat, 16 Mar 2024 11:31:37 +0200 +Subject: [PATCH 7/9] Require Message-Authenticator in Access-Reject even + without EAP-Message + +Do not allow the exception for missing Message-Authenticator in +Access-Reject without EAP-Message. While such exception is allowed in +RADIUS definition, there is no strong reason to maintain this since +Access-Reject is supposed to include EAP-Message and even if it doesn't, +discarding Access-Reject will result in the connection not completing. + +Signed-off-by: Jouni Malinen + +CVE: CVE-2024-3596 +Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=934b0c3a45ce0726560ccefbd992a9d385c36385] +Signed-off-by: Peter Marko +--- + src/ap/ieee802_1x.c | 11 +---------- + 1 file changed, 1 insertion(+), 10 deletions(-) + +diff --git a/src/ap/ieee802_1x.c b/src/ap/ieee802_1x.c +index 89e3dd30e..6e7b75128 100644 +--- a/src/ap/ieee802_1x.c ++++ b/src/ap/ieee802_1x.c +@@ -1939,16 +1939,7 @@ ieee802_1x_receive_auth(struct radius_msg *msg, struct radius_msg *req, + } + sta = sm->sta; + +- /* RFC 2869, Ch. 5.13: valid Message-Authenticator attribute MUST be +- * present when packet contains an EAP-Message attribute */ +- if (hdr->code == RADIUS_CODE_ACCESS_REJECT && +- radius_msg_get_attr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR, NULL, +- 0) < 0 && +- radius_msg_get_attr(msg, RADIUS_ATTR_EAP_MESSAGE, NULL, 0) < 0) { +- wpa_printf(MSG_DEBUG, +- "Allowing RADIUS Access-Reject without Message-Authenticator since it does not include EAP-Message"); +- } else if (radius_msg_verify(msg, shared_secret, shared_secret_len, +- req, 1)) { ++ if (radius_msg_verify(msg, shared_secret, shared_secret_len, req, 1)) { + wpa_printf(MSG_INFO, + "Incoming RADIUS packet did not have correct Message-Authenticator - dropped"); + return RADIUS_RX_INVALID_AUTHENTICATOR; +-- +2.30.2 + 
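Review bot: this hunk is a behaviour change with no opt-out: an Access-Reject lacking Message-Authenticator is now dropped, and the radius_require_message_authenticator knob added in CVE-2024-3596_07.patch only covers the MAC ACL path. The commit message justifies it, but for a kirkstone backport the recipe commit should say so, since an operator whose server sends bare Access-Reject will now see "Incoming RADIUS packet did not have correct Message-Authenticator - dropped" followed by an EAP timeout instead of a prompt failure. Making that log line distinguish "missing" from "incorrect" would make the symptom much easier to diagnose.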
diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_07.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_07.patch new file mode 100644 index 0000000000..78d3f5d591 --- /dev/null +++ b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_07.patch 
@@ -0,0 +1,105 @@ +From 58097123ec5ea6f8276b38cb9b07669ec368a6c1 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Sun, 17 Mar 2024 10:42:56 +0200 +Subject: [PATCH 8/9] RADIUS: Require Message-Authenticator attribute in MAC + ACL cases + +hostapd required Message-Authenticator attribute to be included in EAP +authentication cases, but that requirement was not in place for MAC ACL +cases. Start requiring Message-Authenticator attribute for MAC ACL by +default. Unlike the EAP case, this can still be disabled with +radius_require_message_authenticator=1 to maintain compatibility with +some RADIUS servers when used in a network where the connection to such +a server is secure. + +Signed-off-by: Jouni Malinen + +CVE: CVE-2024-3596 +Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=58097123ec5ea6f8276b38cb9b07669ec368a6c1] +Signed-off-by: Peter Marko +--- + hostapd/config_file.c | 3 +++ + hostapd/hostapd.conf | 11 +++++++++++ + src/ap/ap_config.c | 1 + + src/ap/ap_config.h | 1 + + src/ap/ieee802_11_auth.c | 4 +++- + 5 files changed, 19 insertions(+), 1 deletion(-) + +diff --git a/hostapd/config_file.c b/hostapd/config_file.c +index b14728d1b..af1e81d1d 100644 +--- a/hostapd/config_file.c ++++ b/hostapd/config_file.c +@@ -2806,6 +2806,9 @@ static int hostapd_config_fill(struct hostapd_config *conf, + bss->radius->acct_server->shared_secret_len = len; + } else if (os_strcmp(buf, "radius_retry_primary_interval") == 0) { + bss->radius->retry_primary_interval = atoi(pos); ++ } else if (os_strcmp(buf, ++ "radius_require_message_authenticator") == 0) { ++ bss->radius_require_message_authenticator = atoi(pos); + } else if (os_strcmp(buf, "radius_acct_interim_interval") == 0) { + bss->acct_interim_interval = atoi(pos); + } else if (os_strcmp(buf, "radius_request_cui") == 0) { +diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf +index 3c2019f73..c055946a6 100644 +--- a/hostapd/hostapd.conf ++++ b/hostapd/hostapd.conf +@@ -1447,6 +1447,17 @@ 
own_ip_addr=127.0.0.1 + # currently used secondary server is still working. + #radius_retry_primary_interval=600 + ++# Message-Authenticator attribute requirement for non-EAP cases ++# hostapd requires Message-Authenticator attribute to be included in all cases ++# where RADIUS is used for EAP authentication. This is also required for cases ++# where RADIUS is used for MAC ACL (macaddr_acl=2) by default, but that case ++# can be configured to not require this for compatibility with RADIUS servers ++# that do not include the attribute. This is not recommended due to potential ++# security concerns, but can be used as a temporary workaround in networks where ++# the connection to the RADIUS server is secure. ++# 0 = Do not require Message-Authenticator in MAC ACL response ++# 1 = Require Message-Authenticator in all authentication cases (default) ++#radius_require_message_authenticator=1 + + # Interim accounting update interval + # If this is set (larger than 0) and acct_server is configured, hostapd will +diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c +index 86b6e097c..cf497a180 100644 +--- a/src/ap/ap_config.c ++++ b/src/ap/ap_config.c +@@ -120,6 +120,7 @@ void hostapd_config_defaults_bss(struct hostapd_bss_config *bss) + #endif /* CONFIG_IEEE80211R_AP */ + + bss->radius_das_time_window = 300; ++ bss->radius_require_message_authenticator = 1; + + bss->anti_clogging_threshold = 5; + bss->sae_sync = 5; +diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h +index 49cd3168a..22ad617f4 100644 +--- a/src/ap/ap_config.h ++++ b/src/ap/ap_config.h +@@ -302,6 +302,7 @@ struct hostapd_bss_config { + struct hostapd_ip_addr own_ip_addr; + char *nas_identifier; + struct hostapd_radius_servers *radius; ++ int radius_require_message_authenticator; + int acct_interim_interval; + int radius_request_cui; + struct hostapd_radius_attr *radius_auth_req_attr; +diff --git a/src/ap/ieee802_11_auth.c b/src/ap/ieee802_11_auth.c +index 2a950cf7f..dab9bcde3 100644 +--- 
a/src/ap/ieee802_11_auth.c ++++ b/src/ap/ieee802_11_auth.c +@@ -474,7 +474,9 @@ hostapd_acl_recv_radius(struct radius_msg *msg, struct radius_msg *req, + "Found matching Access-Request for RADIUS message (id=%d)", + query->radius_id); + +- if (radius_msg_verify(msg, shared_secret, shared_secret_len, req, 0)) { ++ if (radius_msg_verify( ++ msg, shared_secret, shared_secret_len, req, ++ hapd->conf->radius_require_message_authenticator)) { + wpa_printf(MSG_INFO, + "Incoming RADIUS packet did not have correct authenticator - dropped"); + return RADIUS_RX_INVALID_AUTHENTICATOR; +-- +2.30.2 + diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_08.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_08.patch new file mode 100644 index 0000000000..e23d1e0047 --- /dev/null +++ b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_08.patch 
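Review bot: the commit message and the hostapd.conf hunk disagree: the message says the MAC ACL requirement "can still be disabled with radius_require_message_authenticator=1", while the new config text defines 0 as "Do not require Message-Authenticator in MAC ACL response" and 1 as the default that requires it in all cases. The code matches the config text (ap_config.c defaults the field to 1 and ieee802_11_auth.c passes it straight to radius_msg_verify()), so the message should read =0. Minor: config_file.c stores atoi(pos) without restricting the value to 0/1; any non-zero value ends up as "require", which is the safe direction, but rejecting other values would avoid surprises.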
@@ -0,0 +1,47 @@ +From f302d9f9646704cce745734af21d540baa0da65f Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Sun, 17 Mar 2024 10:47:58 +0200 +Subject: [PATCH 9/9] RADIUS: Check Message-Authenticator if it is present even + if not required + +Always check the Message-Authenticator attribute in a received RADIUS +message if it is present. Previously, this would have been skipped if +the attribute was not required to be present. + +Signed-off-by: Jouni Malinen + +CVE: CVE-2024-3596 +Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=f302d9f9646704cce745734af21d540baa0da65f] +Signed-off-by: Peter Marko +--- + src/radius/radius.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/src/radius/radius.c b/src/radius/radius.c +index 2d2e00b5c..a0e3ce399 100644 +--- a/src/radius/radius.c ++++ b/src/radius/radius.c +@@ -879,6 +879,20 @@ int radius_msg_verify(struct radius_msg *msg, const u8 *secret, + return 1; + } + ++ if (!auth) { ++ u8 *pos; ++ size_t alen; ++ ++ if (radius_msg_get_attr_ptr(msg, ++ RADIUS_ATTR_MESSAGE_AUTHENTICATOR, ++ &pos, &alen, NULL) == 0) { ++ /* Check the Message-Authenticator attribute since it ++ * was included even if we are configured to not ++ * require it. */ ++ auth = 1; ++ } ++ } ++ + if (auth && + radius_msg_verify_msg_auth(msg, secret, secret_len, + sent_msg->hdr->authenticator)) { +-- +2.30.2 + diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd_2.10.bb b/meta-oe/recipes-connectivity/hostapd/hostapd_2.10.bb index 039847efbd..8edfecffa2 100644 --- a/meta-oe/recipes-connectivity/hostapd/hostapd_2.10.bb +++ b/meta-oe/recipes-connectivity/hostapd/hostapd_2.10.bb 
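Review bot: in the new `if (!auth)` block alen is fetched only to satisfy radius_msg_get_attr_ptr() and is never checked, whereas radius_msg_auth_pos() in CVE-2024-3596_01.patch insists on alen == MD5_MAC_LEN. Setting auth = 1 for an attribute of any length is fine only if radius_msg_verify_msg_auth() itself rejects a wrong-length Message-Authenticator; please confirm that, or treat a present-but-wrong-length attribute as a verification failure here. Note that simply adding a length condition to this `if` would do the opposite: a malformed attribute would leave auth at 0 and the message would be accepted when the attribute is not required.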
@@ -12,6 +12,14 @@ SRC_URI = " \ file://init \ file://hostapd.service \ file://CVE-2023-52160.patch \ + file://CVE-2024-3596_00.patch \ + file://CVE-2024-3596_01.patch \ + file://CVE-2024-3596_02.patch \ + file://CVE-2024-3596_04.patch \ + file://CVE-2024-3596_05.patch \ + file://CVE-2024-3596_06.patch \ + file://CVE-2024-3596_07.patch \ + file://CVE-2024-3596_08.patch \ "

From patchwork Sun Dec 8 22:08:11 2024
X-Patchwork-Submitter: "Marko, Peter"
X-Patchwork-Id: 53807
From: Peter Marko
To: openembedded-devel@lists.openembedded.org
Cc: Peter Marko
Subject: [meta-oe][kirkstone][PATCH RESEND 2/2] hostapd: Patch security advisory 2024-2
Date: Sun, 8 Dec 2024 23:08:11 +0100
Message-Id: <20241208220811.51062-2-peter.marko@siemens.com>
In-Reply-To: <20241208220811.51062-1-peter.marko@siemens.com>
References: <20241208220811.51062-1-peter.marko@siemens.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/114246

From: Peter Marko

Pick patches according to
http://w1.fi/security/2024-2/sae-h2h-and-incomplete-downgrade-protection-for-group-negotiation.txt
SAE H2E and incomplete downgrade protection for group negotiation

Patch 0002-SAE-Check-for-invalid-Rejected-Groups-element-length.patch was
removed as it only patched wpa_supplicant.
The patch names were not changed so they are comparable with the
wpa_supplicant recipe.

Signed-off-by: Peter Marko
---
 ...valid-Rejected-Groups-element-length.patch | 52 +++++++++++++++++++
 ...id-Rejected-Groups-element-in-the-pa.patch | 38 ++++++++++++++
 .../hostapd/hostapd_2.10.bb                   |  2 +
 3 files changed, 92 insertions(+)
 create mode 100644 meta-oe/recipes-connectivity/hostapd/hostapd/0001-SAE-Check-for-invalid-Rejected-Groups-element-length.patch
 create mode 100644 meta-oe/recipes-connectivity/hostapd/hostapd/0003-SAE-Reject-invalid-Rejected-Groups-element-in-the-pa.patch
diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/0001-SAE-Check-for-invalid-Rejected-Groups-element-length.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/0001-SAE-Check-for-invalid-Rejected-Groups-element-length.patch new file mode 100644 index 0000000000..5780f27f8b --- /dev/null +++ b/meta-oe/recipes-connectivity/hostapd/hostapd/0001-SAE-Check-for-invalid-Rejected-Groups-element-length.patch @@ -0,0 +1,52 @@ +From 364c2da8741f0979dae497551e70b94c0e6c8636 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Sun, 7 Jul 2024 11:46:49 +0300 +Subject: [PATCH 1/3] SAE: Check for invalid Rejected Groups element length + explicitly + +Instead of practically ignoring an odd octet at the end of the element, +check for such invalid case explicitly. This is needed to avoid a +potential group downgrade attack. + +Signed-off-by: Jouni Malinen + +CVE: CVE-2024-3596 +Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=364c2da8741f0979dae497551e70b94c0e6c8636] +Signed-off-by: Peter Marko +--- + src/ap/ieee802_11.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c +index db4104928..1a62e30cc 100644 +--- a/src/ap/ieee802_11.c ++++ b/src/ap/ieee802_11.c +@@ -1258,7 +1258,7 @@ static int check_sae_rejected_groups(struct hostapd_data *hapd, + struct sae_data *sae) + { + const struct wpabuf *groups; +- size_t i, count; ++ size_t i, count, len; + const u8 *pos; + + if (!sae->tmp) +@@ -1268,7 +1268,15 @@ static int check_sae_rejected_groups(struct hostapd_data *hapd, + return 0; + + pos = wpabuf_head(groups); +- count = wpabuf_len(groups) / 2; ++ len = wpabuf_len(groups); ++ if (len & 1) { ++ wpa_printf(MSG_DEBUG, ++ "SAE: Invalid length of the Rejected Groups element payload: %zu", ++ len); ++ return 1; ++ } ++ ++ count = len / 2; + for (i = 0; i < count; i++) { + int enabled; + u16 group; +-- +2.30.2 + 
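Review bot: the backport header tags this patch with "CVE: CVE-2024-3596", which is the RADIUS advisory fixed by the first series; this change belongs to the 2024-2 SAE advisory named in the cover letter, and the companion 0003 patch carries no CVE line. The tag looks copied over from the RADIUS patches and should be dropped (or replaced, if an identifier for the 2024-2 advisory exists), otherwise the metadata cve-check reads, and anyone auditing this recipe, will credit an SAE fix to the RADIUS CVE. The hunk itself is fine: returning 1 on an odd payload length matches the function's existing reject convention, and %zu is right for the size_t len.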
diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/0003-SAE-Reject-invalid-Rejected-Groups-element-in-the-pa.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/0003-SAE-Reject-invalid-Rejected-Groups-element-in-the-pa.patch new file mode 100644 index 0000000000..5e9e8bc01d --- /dev/null +++ b/meta-oe/recipes-connectivity/hostapd/hostapd/0003-SAE-Reject-invalid-Rejected-Groups-element-in-the-pa.patch @@ -0,0 +1,38 @@ +From 9716bf1160beb677e965d9e6475d6c9e162e8374 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Tue, 9 Jul 2024 23:34:34 +0300 +Subject: [PATCH 3/3] SAE: Reject invalid Rejected Groups element in the parser + +There is no need to depend on all uses (i.e., both hostapd and +wpa_supplicant) to verify that the length of the Rejected Groups field +in the Rejected Groups element is valid (i.e., a multiple of two octets) +since the common parser can reject the message when detecting this. + +Signed-off-by: Jouni Malinen + +Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=9716bf1160beb677e965d9e6475d6c9e162e8374] +Signed-off-by: Peter Marko +--- + src/common/sae.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/common/sae.c b/src/common/sae.c +index c0f154e91..620bdf753 100644 +--- a/src/common/sae.c ++++ b/src/common/sae.c +@@ -2076,6 +2076,12 @@ static int sae_parse_rejected_groups(struct sae_data *sae, + return WLAN_STATUS_UNSPECIFIED_FAILURE; + epos++; /* skip ext ID */ + len--; ++ if (len & 1) { ++ wpa_printf(MSG_DEBUG, ++ "SAE: Invalid length of the Rejected Groups element payload: %u", ++ len); ++ return WLAN_STATUS_UNSPECIFIED_FAILURE; ++ } + + wpabuf_free(sae->tmp->peer_rejected_groups); + sae->tmp->peer_rejected_groups = wpabuf_alloc(len); +-- +2.30.2 + diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd_2.10.bb b/meta-oe/recipes-connectivity/hostapd/hostapd_2.10.bb index 8edfecffa2..798f1ea909 100644 --- a/meta-oe/recipes-connectivity/hostapd/hostapd_2.10.bb 
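Review bot: the parity check runs after `len--` so it covers only the group list, as intended, but len == 0 still passes and yields an empty peer_rejected_groups list; if an empty Rejected Groups element has no legitimate use it could be rejected here as well. With this check in the shared parser, the explicit test added to check_sae_rejected_groups() in 0001 becomes redundant for hostapd; acceptable as defence in depth, but worth stating in the recipe commit so nobody later removes the "wrong" one.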
+++ b/meta-oe/recipes-connectivity/hostapd/hostapd_2.10.bb @@ -20,6 +20,8 @@ SRC_URI = " \ file://CVE-2024-3596_06.patch \ file://CVE-2024-3596_07.patch \ file://CVE-2024-3596_08.patch \ + file://0001-SAE-Check-for-invalid-Rejected-Groups-element-length.patch \ + file://0003-SAE-Reject-invalid-Rejected-Groups-element-in-the-pa.patch \ "
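The CVE-2024-3596 series in the first mail does three things to hostapd's RADIUS handling: it places Message-Authenticator first in every message it builds, drops Access-Reject that lacks the attribute, and verifies the attribute whenever it is present even when not required. The following is an added example, not hostapd code and not part of either patch, that builds and checks RADIUS packets the same way in Python: Message-Authenticator (RFC 2869, attribute type 80) is HMAC-MD5 over the packet with the attribute zeroed, the Response Authenticator is MD5(Code+ID+Length+RequestAuth+Attributes+Secret) as the comment in radius_msg_finish_srv() states, and verify_response() follows the order of radius_msg_verify() after CVE-2024-3596_08.patch. The shared secret, identifier, Request Authenticator and user name are constructed test values. The forge helper stands in for what the MD5 collision attack in the advisory achieves without the secret; here it simply uses the secret so that the example runs offline.

```python
"""RADIUS Message-Authenticator / Response Authenticator handling.

Added example, not hostapd code. Layout and constants follow RFC 2865/2869;
SECRET, REQUEST_AUTHENTICATOR and the user names used are constructed values.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80
HDR_LEN = 20   # Code(1) Identifier(1) Length(2) Authenticator(16)
MD5_LEN = 16

SECRET = b"example-shared-secret"          # constructed, not a real secret
REQUEST_AUTHENTICATOR = bytes(range(16))  # constructed; real ones are random


def encode_attr(atype: int, value: bytes) -> bytes:
    """Type(1) Length(1, header included) Value; value is at most 253 octets."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value longer than 253 octets")
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(pkt: bytes) -> list:
    """Return [(type, value, offset_of_type_byte)], rejecting malformed TLVs."""
    length = struct.unpack("!H", pkt[2:4])[0]
    if length < HDR_LEN or length > len(pkt):
        raise ValueError("Length field outside packet")
    attrs, pos = [], HDR_LEN
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, pkt[pos + 2:pos + alen], pos))
        pos += alen
    return attrs


def finish(code: int, identifier: int, authenticator: bytes, attrs: list, secret: bytes) -> bytes:
    """radius_msg_add_msg_auth() + radius_msg_finish(): zeroed Message-Authenticator
    FIRST, Length fixed up, then HMAC-MD5(secret, whole packet) over the zeros."""
    payload = encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(MD5_LEN)) + b"".join(attrs)
    pkt = bytearray(struct.pack("!BBH", code, identifier, HDR_LEN + len(payload)))
    pkt += authenticator + payload
    pkt[HDR_LEN + 2:HDR_LEN + 2 + MD5_LEN] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    return bytes(pkt)


def build_request(identifier: int, attrs: list, secret: bytes = SECRET,
                  request_authenticator: bytes = REQUEST_AUTHENTICATOR) -> bytes:
    """Access-Request as hostapd's client builds it after CVE-2024-3596_04.patch."""
    return finish(ACCESS_REQUEST, identifier, request_authenticator, attrs, secret)


def build_response(code: int, request: bytes, attrs: list, secret: bytes = SECRET) -> bytes:
    """Like radius_msg_finish_srv(): HMAC computed with the Request Authenticator in
    the header, then ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    pkt = bytearray(finish(code, request[1], request[4:HDR_LEN], attrs, secret))
    pkt[4:HDR_LEN] = hashlib.md5(bytes(pkt) + secret).digest()
    return bytes(pkt)


def resign_response_authenticator(pkt: bytes, request: bytes, secret: bytes = SECRET) -> bytes:
    """Recompute ONLY the Response Authenticator over an arbitrary body. Stand-in for
    what the collision attack achieves without the secret; uses the secret here."""
    out = bytearray(pkt)
    out[4:HDR_LEN] = request[4:HDR_LEN]
    out[4:HDR_LEN] = hashlib.md5(bytes(out) + secret).digest()
    return bytes(out)


def forge_without_msg_auth(code: int, request: bytes, attrs: list, secret: bytes = SECRET) -> bytes:
    """Response with a valid Response Authenticator and no Message-Authenticator."""
    payload = b"".join(attrs)
    hdr = struct.pack("!BBH", code, request[1], HDR_LEN + len(payload))
    return resign_response_authenticator(hdr + bytes(MD5_LEN) + payload, request, secret)


def verify_response(resp: bytes, request: bytes, secret: bytes = SECRET,
                    require_msg_auth: bool = True) -> str:
    """'ok' or the reason the packet is dropped. Order follows radius_msg_verify():
    Response Authenticator first, then Message-Authenticator, which is checked
    whenever present even if not required (CVE-2024-3596_08.patch)."""
    if len(resp) < HDR_LEN or resp[1] != request[1]:
        return "short packet or Identifier mismatch"
    try:
        attrs = parse_attrs(resp)
    except ValueError as exc:
        return f"malformed: {exc}"
    length = struct.unpack("!H", resp[2:4])[0]
    req_auth = request[4:HDR_LEN]
    expected = hashlib.md5(resp[:4] + req_auth + resp[HDR_LEN:length] + secret).digest()
    if not hmac.compare_digest(expected, resp[4:HDR_LEN]):
        return "bad Response Authenticator"
    mas = [(v, off) for t, v, off in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not mas:
        return "missing Message-Authenticator" if require_msg_auth else "ok, Message-Authenticator not required"
    if len(mas) != 1 or len(mas[0][0]) != MD5_LEN:
        return "malformed Message-Authenticator"
    value, off = mas[0]
    tmp = bytearray(resp[:length])
    tmp[4:HDR_LEN] = req_auth                      # HMAC was computed over RequestAuth
    tmp[off + 2:off + 2 + MD5_LEN] = bytes(MD5_LEN)  # ... with the attribute zeroed
    if not hmac.compare_digest(hmac.new(secret, bytes(tmp), hashlib.md5).digest(), value):
        return "bad Message-Authenticator"
    return "ok"


if __name__ == "__main__":
    req = build_request(7, [encode_attr(ATTR_USER_NAME, b"02-00-00-00-00-01")])
    print("first attribute type in request:", parse_attrs(req)[0][0])
    print("genuine Access-Accept:", verify_response(build_response(ACCESS_ACCEPT, req, []), req))
    forged = forge_without_msg_auth(ACCESS_ACCEPT, req, [])
    print("forged, attribute required:", verify_response(forged, req))
    print("forged, attribute not required:", verify_response(forged, req, require_msg_auth=False))
```

The last two lines of the demo are the whole point of the series: with the MD5 Response Authenticator alone the forged Access-Accept passes, and only requiring Message-Authenticator (or, as in patch 08, checking it whenever the peer included one) turns that into a drop. Compare against a real capture by feeding the raw UDP payloads of a request/response pair to verify_response() with the deployment's shared secret.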