From 6c5ec7934f40e4a352f0ebf2ff747358a2a264f4 Mon Sep 17 00:00:00 2001
From: Oleksandr Suvorov <oleksandr.suvorov@toradex.com>
Date: Sat, 28 Mar 2020 15:29:29 +0200
Subject: wpa-supplicant: upgrade to version 2.9

The version 2.9 works better with Marvel WiFi solutions.

Related-to: ELB-2724
Signed-off-by: Oleksandr Suvorov <oleksandr.suvorov@toradex.com>
---
 ...-ignore-management-frame-from-unexpected-.patch |  82 +++++++++++++++
 .../wpa-supplicant/wpa-supplicant_2.7.bb           | 109 --------------------
 .../wpa-supplicant/wpa-supplicant_2.9.bb           | 110 +++++++++++++++++++++
 3 files changed, 192 insertions(+), 109 deletions(-)
 create mode 100644 recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch
 delete mode 100644 recipes-connectivity/wpa-supplicant/wpa-supplicant_2.7.bb
 create mode 100644 recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb

diff --git a/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch b/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch
new file mode 100644
index 0000000..7b0713c
--- /dev/null
+++ b/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch
@@ -0,0 +1,82 @@
+hostapd before 2.10 and wpa_supplicant before 2.10 allow an incorrect indication
+of disconnection in certain situations because source address validation is
+mishandled. This is a denial of service that should have been prevented by PMF
+(aka management frame protection). The attacker must send a crafted 802.11 frame
+from a location that is within the 802.11 communications range.
+
+CVE: CVE-2019-16275
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From 8c07fa9eda13e835f3f968b2e1c9a8be3a851ff9 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Thu, 29 Aug 2019 11:52:04 +0300
+Subject: [PATCH] AP: Silently ignore management frame from unexpected source
+ address
+
+Do not process any received Management frames with unexpected/invalid SA
+so that we do not add any state for unexpected STA addresses or end up
+sending out frames to unexpected destination. This prevents unexpected
+sequences where an unprotected frame might end up causing the AP to send
+out a response to another device and that other device processing the
+unexpected response.
+
+In particular, this prevents some potential denial of service cases
+where the unexpected response frame from the AP might result in a
+connected station dropping its association.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/ap/drv_callbacks.c | 13 +++++++++++++
+ src/ap/ieee802_11.c    | 12 ++++++++++++
+ 2 files changed, 25 insertions(+)
+
+diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c
+index 31587685fe3b..34ca379edc3d 100644
+--- a/src/ap/drv_callbacks.c
++++ b/src/ap/drv_callbacks.c
+@@ -131,6 +131,19 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr,
+ 			   "hostapd_notif_assoc: Skip event with no address");
+ 		return -1;
+ 	}
++
++	if (is_multicast_ether_addr(addr) ||
++	    is_zero_ether_addr(addr) ||
++	    os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) {
++		/* Do not process any frames with unexpected/invalid SA so that
++		 * we do not add any state for unexpected STA addresses or end
++		 * up sending out frames to unexpected destination. */
++		wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR
++			   " in received indication - ignore this indication silently",
++			   __func__, MAC2STR(addr));
++		return 0;
++	}
++
+ 	random_add_randomness(addr, ETH_ALEN);
+ 
+ 	hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211,
+diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
+index c85a28db44b7..e7065372e158 100644
+--- a/src/ap/ieee802_11.c
++++ b/src/ap/ieee802_11.c
+@@ -4626,6 +4626,18 @@ int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
+ 	fc = le_to_host16(mgmt->frame_control);
+ 	stype = WLAN_FC_GET_STYPE(fc);
+ 
++	if (is_multicast_ether_addr(mgmt->sa) ||
++	    is_zero_ether_addr(mgmt->sa) ||
++	    os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
++		/* Do not process any frames with unexpected/invalid SA so that
++		 * we do not add any state for unexpected STA addresses or end
++		 * up sending out frames to unexpected destination. */
++		wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR
++			   " in received frame - ignore this frame silently",
++			   MAC2STR(mgmt->sa));
++		return 0;
++	}
++
+ 	if (stype == WLAN_FC_STYPE_BEACON) {
+ 		handle_beacon(hapd, mgmt, len, fi);
+ 		return 1;
+-- 
+2.20.1
diff --git a/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.7.bb b/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.7.bb
deleted file mode 100644
index fe5fa2b..0000000
--- a/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.7.bb
+++ /dev/null
@@ -1,109 +0,0 @@
-SUMMARY = "Client for Wi-Fi Protected Access (WPA)"
-HOMEPAGE = "http://w1.fi/wpa_supplicant/"
-BUGTRACKER = "http://w1.fi/security/"
-SECTION = "network"
-LICENSE = "BSD"
-LIC_FILES_CHKSUM = "file://COPYING;md5=a3791c270ad6bb026707d17bf750e5ef \
-                    file://README;beginline=1;endline=56;md5=495cbce6008253de4b4d8f4cdfae9f4f \
-                    file://wpa_supplicant/wpa_supplicant.c;beginline=1;endline=12;md5=a5687903a31b8679e6a06b3afa5c819e"
-DEPENDS = "dbus libnl"
-RRECOMMENDS_${PN} = "wpa-supplicant-passphrase wpa-supplicant-cli"
-
-PACKAGECONFIG ??= "gnutls"
-PACKAGECONFIG[gnutls] = ",,gnutls libgcrypt"
-PACKAGECONFIG[openssl] = ",,openssl"
-
-inherit pkgconfig systemd
-
-SYSTEMD_SERVICE_${PN} = "wpa_supplicant.service wpa_supplicant-nl80211@.service wpa_supplicant-wired@.service"
-SYSTEMD_AUTO_ENABLE = "disable"
-
-SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz  \
-           file://defconfig \
-           file://wpa-supplicant.sh \
-           file://wpa_supplicant.conf \
-           file://wpa_supplicant.conf-sane \
-           file://99_wpa_supplicant \
-           file://0001-replace-systemd-install-Alias-with-WantedBy.patch \
-          "
-SRC_URI[md5sum] = "a68538fb62766f40f890125026c42c10"
-SRC_URI[sha256sum] = "76ea6b06b7a2ea8e6d9eb1a9166166f1656e6d48c7508914f592100c95c73074"
-
-CVE_PRODUCT = "wpa_supplicant"
-
-S = "${WORKDIR}/wpa_supplicant-${PV}"
-
-PACKAGES_prepend = "wpa-supplicant-passphrase wpa-supplicant-cli "
-FILES_wpa-supplicant-passphrase = "${bindir}/wpa_passphrase"
-FILES_wpa-supplicant-cli = "${sbindir}/wpa_cli"
-FILES_${PN} += "${datadir}/dbus-1/system-services/*"
-CONFFILES_${PN} += "${sysconfdir}/wpa_supplicant.conf"
-
-do_configure () {
-	${MAKE} -C wpa_supplicant clean
-	install -m 0755 ${WORKDIR}/defconfig wpa_supplicant/.config
-	
-	if echo "${PACKAGECONFIG}" | grep -qw "openssl"; then
-        	ssl=openssl
-	elif echo "${PACKAGECONFIG}" | grep -qw "gnutls"; then
-        	ssl=gnutls
-	fi
-	if [ -n "$ssl" ]; then
-        	sed -i "s/%ssl%/$ssl/" wpa_supplicant/.config
-	fi
-
-	# For rebuild
-	rm -f wpa_supplicant/*.d wpa_supplicant/dbus/*.d
-}
-
-export EXTRA_CFLAGS = "${CFLAGS}"
-export BINDIR = "${sbindir}"
-
-do_compile () {
-	unset CFLAGS CPPFLAGS CXXFLAGS
-	sed -e "s:CFLAGS\ =.*:& \$(EXTRA_CFLAGS):g" -i ${S}/src/lib.rules
-	oe_runmake -C wpa_supplicant
-}
-
-do_install () {
-	install -d ${D}${sbindir}
-	install -m 755 wpa_supplicant/wpa_supplicant ${D}${sbindir}
-	install -m 755 wpa_supplicant/wpa_cli        ${D}${sbindir}
-
-	install -d ${D}${bindir}
-	install -m 755 wpa_supplicant/wpa_passphrase ${D}${bindir}
-
-	install -d ${D}${docdir}/wpa_supplicant
-	install -m 644 wpa_supplicant/README ${WORKDIR}/wpa_supplicant.conf ${D}${docdir}/wpa_supplicant
-
-	install -d ${D}${sysconfdir}
-	install -m 600 ${WORKDIR}/wpa_supplicant.conf-sane ${D}${sysconfdir}/wpa_supplicant.conf
-
-	install -d ${D}${sysconfdir}/network/if-pre-up.d/
-	install -d ${D}${sysconfdir}/network/if-post-down.d/
-	install -d ${D}${sysconfdir}/network/if-down.d/
-	install -m 755 ${WORKDIR}/wpa-supplicant.sh ${D}${sysconfdir}/network/if-pre-up.d/wpa-supplicant
-	cd ${D}${sysconfdir}/network/ && \
-	ln -sf ../if-pre-up.d/wpa-supplicant if-post-down.d/wpa-supplicant
-
-	install -d ${D}/${sysconfdir}/dbus-1/system.d
-	install -m 644 ${S}/wpa_supplicant/dbus/dbus-wpa_supplicant.conf ${D}/${sysconfdir}/dbus-1/system.d
-	install -d ${D}/${datadir}/dbus-1/system-services
-	install -m 644 ${S}/wpa_supplicant/dbus/*.service ${D}/${datadir}/dbus-1/system-services
-
-	if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
-		install -d ${D}/${systemd_unitdir}/system
-		install -m 644 ${S}/wpa_supplicant/systemd/*.service ${D}/${systemd_unitdir}/system
-	fi
-
-	install -d ${D}/etc/default/volatiles
-	install -m 0644 ${WORKDIR}/99_wpa_supplicant ${D}/etc/default/volatiles
-}
-
-pkg_postinst_wpa-supplicant () {
-	# If we're offline, we don't need to do this.
-	if [ "x$D" = "x" ]; then
-		killall -q -HUP dbus-daemon || true
-	fi
-
-}
diff --git a/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb b/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
new file mode 100644
index 0000000..3e92427
--- /dev/null
+++ b/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
@@ -0,0 +1,110 @@
+SUMMARY = "Client for Wi-Fi Protected Access (WPA)"
+HOMEPAGE = "http://w1.fi/wpa_supplicant/"
+BUGTRACKER = "http://w1.fi/security/"
+SECTION = "network"
+LICENSE = "BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://COPYING;md5=279b4f5abb9c153c285221855ddb78cc \
+                    file://README;beginline=1;endline=56;md5=e7d3dbb01f75f0b9799e192731d1e1ff \
+                    file://wpa_supplicant/wpa_supplicant.c;beginline=1;endline=12;md5=0a8b56d3543498b742b9c0e94cc2d18b"
+DEPENDS = "dbus libnl"
+RRECOMMENDS_${PN} = "wpa-supplicant-passphrase wpa-supplicant-cli"
+
+PACKAGECONFIG ??= "gnutls"
+PACKAGECONFIG[gnutls] = ",,gnutls libgcrypt"
+PACKAGECONFIG[openssl] = ",,openssl"
+
+inherit pkgconfig systemd
+
+SYSTEMD_SERVICE_${PN} = "wpa_supplicant.service wpa_supplicant-nl80211@.service wpa_supplicant-wired@.service"
+SYSTEMD_AUTO_ENABLE = "disable"
+
+SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz  \
+           file://defconfig \
+           file://wpa-supplicant.sh \
+           file://wpa_supplicant.conf \
+           file://wpa_supplicant.conf-sane \
+           file://99_wpa_supplicant \
+           file://0001-replace-systemd-install-Alias-with-WantedBy.patch \
+		   file://0001-AP-Silently-ignore-management-frame-from-unexpected-.patch \
+          "
+SRC_URI[md5sum] = "2d2958c782576dc9901092fbfecb4190"
+SRC_URI[sha256sum] = "fcbdee7b4a64bea8177973299c8c824419c413ec2e3a95db63dd6a5dc3541f17"
+
+CVE_PRODUCT = "wpa_supplicant"
+
+S = "${WORKDIR}/wpa_supplicant-${PV}"
+
+PACKAGES_prepend = "wpa-supplicant-passphrase wpa-supplicant-cli "
+FILES_wpa-supplicant-passphrase = "${bindir}/wpa_passphrase"
+FILES_wpa-supplicant-cli = "${sbindir}/wpa_cli"
+FILES_${PN} += "${datadir}/dbus-1/system-services/*"
+CONFFILES_${PN} += "${sysconfdir}/wpa_supplicant.conf"
+
+do_configure () {
+	${MAKE} -C wpa_supplicant clean
+	install -m 0755 ${WORKDIR}/defconfig wpa_supplicant/.config
+	
+	if echo "${PACKAGECONFIG}" | grep -qw "openssl"; then
+        	ssl=openssl
+	elif echo "${PACKAGECONFIG}" | grep -qw "gnutls"; then
+        	ssl=gnutls
+	fi
+	if [ -n "$ssl" ]; then
+        	sed -i "s/%ssl%/$ssl/" wpa_supplicant/.config
+	fi
+
+	# For rebuild
+	rm -f wpa_supplicant/*.d wpa_supplicant/dbus/*.d
+}
+
+export EXTRA_CFLAGS = "${CFLAGS}"
+export BINDIR = "${sbindir}"
+
+do_compile () {
+	unset CFLAGS CPPFLAGS CXXFLAGS
+	sed -e "s:CFLAGS\ =.*:& \$(EXTRA_CFLAGS):g" -i ${S}/src/lib.rules
+	oe_runmake -C wpa_supplicant
+}
+
+do_install () {
+	install -d ${D}${sbindir}
+	install -m 755 wpa_supplicant/wpa_supplicant ${D}${sbindir}
+	install -m 755 wpa_supplicant/wpa_cli        ${D}${sbindir}
+
+	install -d ${D}${bindir}
+	install -m 755 wpa_supplicant/wpa_passphrase ${D}${bindir}
+
+	install -d ${D}${docdir}/wpa_supplicant
+	install -m 644 wpa_supplicant/README ${WORKDIR}/wpa_supplicant.conf ${D}${docdir}/wpa_supplicant
+
+	install -d ${D}${sysconfdir}
+	install -m 600 ${WORKDIR}/wpa_supplicant.conf-sane ${D}${sysconfdir}/wpa_supplicant.conf
+
+	install -d ${D}${sysconfdir}/network/if-pre-up.d/
+	install -d ${D}${sysconfdir}/network/if-post-down.d/
+	install -d ${D}${sysconfdir}/network/if-down.d/
+	install -m 755 ${WORKDIR}/wpa-supplicant.sh ${D}${sysconfdir}/network/if-pre-up.d/wpa-supplicant
+	cd ${D}${sysconfdir}/network/ && \
+	ln -sf ../if-pre-up.d/wpa-supplicant if-post-down.d/wpa-supplicant
+
+	install -d ${D}/${sysconfdir}/dbus-1/system.d
+	install -m 644 ${S}/wpa_supplicant/dbus/dbus-wpa_supplicant.conf ${D}/${sysconfdir}/dbus-1/system.d
+	install -d ${D}/${datadir}/dbus-1/system-services
+	install -m 644 ${S}/wpa_supplicant/dbus/*.service ${D}/${datadir}/dbus-1/system-services
+
+	if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
+		install -d ${D}/${systemd_unitdir}/system
+		install -m 644 ${S}/wpa_supplicant/systemd/*.service ${D}/${systemd_unitdir}/system
+	fi
+
+	install -d ${D}/etc/default/volatiles
+	install -m 0644 ${WORKDIR}/99_wpa_supplicant ${D}/etc/default/volatiles
+}
+
+pkg_postinst_wpa-supplicant () {
+	# If we're offline, we don't need to do this.
+	if [ "x$D" = "x" ]; then
+		killall -q -HUP dbus-daemon || true
+	fi
+
+}
-- 
cgit v1.2.3