[][MAC80211][WiFi6][Misc][Fix default /etc/config/wireless setting and backport wpa_supp patch of CVE-2023-52160]
[Description]
Fix default /etc/config/wireless setting and backport wpa_supp patch of CVE-2023-52160
[Release-log]
N/A
Change-Id: I47b794febba1bab9cd70837c93afe95c9590fedf
Reviewed-on: https://gerrit.mediatek.inc/c/openwrt/feeds/mtk_openwrt_feeds/+/8753082
diff --git a/autobuild_mac80211_release/0001-wifi6-mac80211-generate-hostapd-setting-from-ap-cap.patch b/autobuild_mac80211_release/0001-wifi6-mac80211-generate-hostapd-setting-from-ap-cap.patch
index e70eb3a..0552d50 100644
--- a/autobuild_mac80211_release/0001-wifi6-mac80211-generate-hostapd-setting-from-ap-cap.patch
+++ b/autobuild_mac80211_release/0001-wifi6-mac80211-generate-hostapd-setting-from-ap-cap.patch
@@ -415,7 +415,7 @@
NEWUMLIST=
diff --git a/package/kernel/mac80211/files/lib/wifi/mac80211.sh b/package/kernel/mac80211/files/lib/wifi/mac80211.sh
-index 3ecd932..0ce1fc1 100644
+index 3ecd932..d4b42ce 100644
--- a/package/kernel/mac80211/files/lib/wifi/mac80211.sh
+++ b/package/kernel/mac80211/files/lib/wifi/mac80211.sh
@@ -46,8 +46,13 @@ check_mac80211_device() {
@@ -432,25 +432,17 @@
( iw phy "$phy" info; echo ) | awk '
BEGIN {
bands = ""
-@@ -58,12 +63,12 @@ BEGIN {
+@@ -58,7 +63,8 @@ BEGIN {
mode="NOHT"
if (ht) mode="HT20"
if (vht && band != "1:") mode="VHT80"
- if (he) mode="HE80"
+ if (he) mode="HE160"
+ if (he && mt7915) mode="HE80"
-+ if (he && (lspci | grep -q "7915")); then
-+ mode="HE80"
-+ fi
if (he && band == "1:") mode="HE20"
-- sub("\\[", "", channel)
-- sub("\\]", "", channel)
-- bands = bands band channel ":" mode " "
-- }
- band=""
- }
-
-@@ -87,6 +92,11 @@ $0 ~ "HE Iftypes" {
+ sub("\\[", "", channel)
+ sub("\\]", "", channel)
+@@ -87,6 +93,11 @@ $0 ~ "HE Iftypes" {
he=1
}
@@ -462,7 +454,7 @@
$1 == "*" && $3 == "MHz" && $0 !~ /disabled/ && band && !channel {
channel = $4
}
-@@ -120,6 +130,20 @@ get_band_defaults() {
+@@ -120,6 +131,20 @@ get_band_defaults() {
mode_band="$band"
channel="$chan"
htmode="$mode"
@@ -483,7 +475,7 @@
done
}
-@@ -153,6 +177,10 @@ detect_mac80211() {
+@@ -153,6 +178,10 @@ detect_mac80211() {
json_load_file /etc/board.json
@@ -494,7 +486,7 @@
for _dev in /sys/class/ieee80211/*; do
[ -e "$_dev" ] || continue
-@@ -162,6 +190,13 @@ detect_mac80211() {
+@@ -162,6 +191,13 @@ detect_mac80211() {
channel=""
htmode=""
ht_capab=""
@@ -508,7 +500,7 @@
get_band_defaults "$dev"
-@@ -192,6 +227,14 @@ detect_mac80211() {
+@@ -192,6 +228,14 @@ detect_mac80211() {
;;
esac
@@ -523,7 +515,7 @@
uci -q batch <<-EOF
set wireless.${name}=wifi-device
set wireless.${name}.type=mac80211
-@@ -199,15 +242,43 @@ detect_mac80211() {
+@@ -199,15 +243,43 @@ detect_mac80211() {
set wireless.${name}.channel=${channel}
set wireless.${name}.band=${mode_band}
set wireless.${name}.htmode=$htmode
@@ -952,4 +944,3 @@
if [ "$key_mgmt" = "WPS" ]; then
echo "wps_cred_processing=1" >> "$_config"
else
-
diff --git a/autobuild_mac80211_release/package/network/services/hostapd/patches/bp-0005-PEAP-client-Update-Phase-2-authentication-requiremen.patch b/autobuild_mac80211_release/package/network/services/hostapd/patches/bp-0005-PEAP-client-Update-Phase-2-authentication-requiremen.patch
new file mode 100644
index 0000000..82cccd5
--- /dev/null
+++ b/autobuild_mac80211_release/package/network/services/hostapd/patches/bp-0005-PEAP-client-Update-Phase-2-authentication-requiremen.patch
@@ -0,0 +1,210 @@
+From 8e6485a1bcb0baffdea9e55255a81270b768439c Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sat, 8 Jul 2023 19:55:32 +0300
+Subject: [PATCH] PEAP client: Update Phase 2 authentication requirements
+
+The previous PEAP client behavior allowed the server to skip Phase 2
+authentication with the expectation that the server was authenticated
+during Phase 1 through TLS server certificate validation. Various PEAP
+specifications are not exactly clear on what the behavior on this front
+is supposed to be and as such, this ended up being more flexible than
+the TTLS/FAST/TEAP cases. However, this is not really ideal when
+unfortunately common misconfiguration of PEAP is used in deployed
+devices where the server trust root (ca_cert) is not configured or the
+user has an easy option for allowing this validation step to be skipped.
+
+Change the default PEAP client behavior to be to require Phase 2
+authentication to be successfully completed for cases where TLS session
+resumption is not used and the client certificate has not been
+configured. Those two exceptions are the main cases where a deployed
+authentication server might skip Phase 2 and as such, where a more
+strict default behavior could result in undesired interoperability
+issues. Requiring Phase 2 authentication will end up disabling TLS
+session resumption automatically to avoid interoperability issues.
+
+Allow Phase 2 authentication behavior to be configured with a new phase1
+configuration parameter option:
+'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
+tunnel) behavior for PEAP:
+ * 0 = do not require Phase 2 authentication
+ * 1 = require Phase 2 authentication when client certificate
+ (private_key/client_cert) is no used and TLS session resumption was
+ not used (default)
+ * 2 = require Phase 2 authentication in all cases
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/eap_peer/eap_config.h | 8 ++++++
+ src/eap_peer/eap_peap.c | 40 +++++++++++++++++++++++++++---
+ src/eap_peer/eap_tls_common.c | 6 +++++
+ src/eap_peer/eap_tls_common.h | 5 ++++
+ wpa_supplicant/wpa_supplicant.conf | 7 ++++++
+ 5 files changed, 63 insertions(+), 3 deletions(-)
+
+diff --git a/src/eap_peer/eap_config.h b/src/eap_peer/eap_config.h
+index 26744ab68..58d5a1359 100644
+--- a/src/eap_peer/eap_config.h
++++ b/src/eap_peer/eap_config.h
+@@ -471,6 +471,14 @@ struct eap_peer_config {
+ * 1 = use cryptobinding if server supports it
+ * 2 = require cryptobinding
+ *
++ * phase2_auth option can be used to control Phase 2 (i.e., within TLS
++ * tunnel) behavior for PEAP:
++ * 0 = do not require Phase 2 authentication
++ * 1 = require Phase 2 authentication when client certificate
++ * (private_key/client_cert) is no used and TLS session resumption was
++ * not used (default)
++ * 2 = require Phase 2 authentication in all cases
++ *
+ * EAP-WSC (WPS) uses following options: pin=Device_Password and
+ * uuid=Device_UUID
+ *
+diff --git a/src/eap_peer/eap_peap.c b/src/eap_peer/eap_peap.c
+index 12e30df29..608069719 100644
+--- a/src/eap_peer/eap_peap.c
++++ b/src/eap_peer/eap_peap.c
+@@ -67,6 +67,7 @@ struct eap_peap_data {
+ u8 cmk[20];
+ int soh; /* Whether IF-TNCCS-SOH (Statement of Health; Microsoft NAP)
+ * is enabled. */
++ enum { NO_AUTH, FOR_INITIAL, ALWAYS } phase2_auth;
+ };
+
+
+@@ -114,6 +115,19 @@ static void eap_peap_parse_phase1(struct eap_peap_data *data,
+ wpa_printf(MSG_DEBUG, "EAP-PEAP: Require cryptobinding");
+ }
+
++ if (os_strstr(phase1, "phase2_auth=0")) {
++ data->phase2_auth = NO_AUTH;
++ wpa_printf(MSG_DEBUG,
++ "EAP-PEAP: Do not require Phase 2 authentication");
++ } else if (os_strstr(phase1, "phase2_auth=1")) {
++ data->phase2_auth = FOR_INITIAL;
++ wpa_printf(MSG_DEBUG,
++ "EAP-PEAP: Require Phase 2 authentication for initial connection");
++ } else if (os_strstr(phase1, "phase2_auth=2")) {
++ data->phase2_auth = ALWAYS;
++ wpa_printf(MSG_DEBUG,
++ "EAP-PEAP: Require Phase 2 authentication for all cases");
++ }
+ #ifdef EAP_TNC
+ if (os_strstr(phase1, "tnc=soh2")) {
+ data->soh = 2;
+@@ -142,6 +156,7 @@ static void * eap_peap_init(struct eap_sm *sm)
+ data->force_peap_version = -1;
+ data->peap_outer_success = 2;
+ data->crypto_binding = OPTIONAL_BINDING;
++ data->phase2_auth = FOR_INITIAL;
+
+ if (config && config->phase1)
+ eap_peap_parse_phase1(data, config->phase1);
+@@ -454,6 +469,20 @@ static int eap_tlv_validate_cryptobinding(struct eap_sm *sm,
+ }
+
+
++static bool peap_phase2_sufficient(struct eap_sm *sm,
++ struct eap_peap_data *data)
++{
++ if ((data->phase2_auth == ALWAYS ||
++ (data->phase2_auth == FOR_INITIAL &&
++ !tls_connection_resumed(sm->ssl_ctx, data->ssl.conn) &&
++ !data->ssl.client_cert_conf) ||
++ data->phase2_eap_started) &&
++ !data->phase2_eap_success)
++ return false;
++ return true;
++}
++
++
+ /**
+ * eap_tlv_process - Process a received EAP-TLV message and generate a response
+ * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
+@@ -568,6 +597,11 @@ static int eap_tlv_process(struct eap_sm *sm, struct eap_peap_data *data,
+ " - force failed Phase 2");
+ resp_status = EAP_TLV_RESULT_FAILURE;
+ ret->decision = DECISION_FAIL;
++ } else if (!peap_phase2_sufficient(sm, data)) {
++ wpa_printf(MSG_INFO,
++ "EAP-PEAP: Server indicated Phase 2 success, but sufficient Phase 2 authentication has not been completed");
++ resp_status = EAP_TLV_RESULT_FAILURE;
++ ret->decision = DECISION_FAIL;
+ } else {
+ resp_status = EAP_TLV_RESULT_SUCCESS;
+ ret->decision = DECISION_UNCOND_SUCC;
+@@ -887,8 +921,7 @@ continue_req:
+ /* EAP-Success within TLS tunnel is used to indicate
+ * shutdown of the TLS channel. The authentication has
+ * been completed. */
+- if (data->phase2_eap_started &&
+- !data->phase2_eap_success) {
++ if (!peap_phase2_sufficient(sm, data)) {
+ wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 "
+ "Success used to indicate success, "
+ "but Phase 2 EAP was not yet "
+@@ -1199,8 +1232,9 @@ static struct wpabuf * eap_peap_process(struct eap_sm *sm, void *priv,
+ static bool eap_peap_has_reauth_data(struct eap_sm *sm, void *priv)
+ {
+ struct eap_peap_data *data = priv;
++
+ return tls_connection_established(sm->ssl_ctx, data->ssl.conn) &&
+- data->phase2_success;
++ data->phase2_success && data->phase2_auth != ALWAYS;
+ }
+
+
+diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c
+index 6193b4bdb..966cbd6c7 100644
+--- a/src/eap_peer/eap_tls_common.c
++++ b/src/eap_peer/eap_tls_common.c
+@@ -242,6 +242,12 @@ static int eap_tls_params_from_conf(struct eap_sm *sm,
+
+ sm->ext_cert_check = !!(params->flags & TLS_CONN_EXT_CERT_CHECK);
+
++ if (!phase2)
++ data->client_cert_conf = params->client_cert ||
++ params->client_cert_blob ||
++ params->private_key ||
++ params->private_key_blob;
++
+ return 0;
+ }
+
+diff --git a/src/eap_peer/eap_tls_common.h b/src/eap_peer/eap_tls_common.h
+index 9ac00121f..334863413 100644
+--- a/src/eap_peer/eap_tls_common.h
++++ b/src/eap_peer/eap_tls_common.h
+@@ -79,6 +79,11 @@ struct eap_ssl_data {
+ * tls_v13 - Whether TLS v1.3 or newer is used
+ */
+ int tls_v13;
++
++ /**
++ * client_cert_conf: Whether client certificate has been configured
++ */
++ bool client_cert_conf;
+ };
+
+
+diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
+index f0b82443e..1b09f57d3 100644
+--- a/wpa_supplicant/wpa_supplicant.conf
++++ b/wpa_supplicant/wpa_supplicant.conf
+@@ -1370,6 +1370,13 @@ fast_reauth=1
+ # * 0 = do not use cryptobinding (default)
+ # * 1 = use cryptobinding if server supports it
+ # * 2 = require cryptobinding
++# 'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
++# tunnel) behavior for PEAP:
++# * 0 = do not require Phase 2 authentication
++# * 1 = require Phase 2 authentication when client certificate
++# (private_key/client_cert) is no used and TLS session resumption was
++# not used (default)
++# * 2 = require Phase 2 authentication in all cases
+ # EAP-WSC (WPS) uses following options: pin=<Device Password> or
+ # pbc=1.
+ #
+--
+2.18.0
+