author | Ben Kohler <bkohler@gentoo.org> | 2020-08-12 14:35:33 -0500 |
---|---|---|
committer | Ben Kohler <bkohler@gentoo.org> | 2020-08-12 14:35:55 -0500 |
commit | a46530b0bdb7fb5d12dbdbe518d52358c6b7c32e (patch) | |
tree | e5d9b5710d5dc75834044262fe32c5fa439c5ed7 /net-wireless | |
parent | media-libs/mesa: Version bump to 20.2.0_rc2 (diff) | |
net-wireless/iwd: add patch for CVE-2020-17497
Bug: https://bugs.gentoo.org/736906
Package-Manager: Portage-3.0.2, Repoman-2.3.23
Signed-off-by: Ben Kohler <bkohler@gentoo.org>
Diffstat (limited to 'net-wireless')
-rw-r--r-- | net-wireless/iwd/files/iwd-1.8-eapol-prevent-key-reinstallation.patch | 73 | ||||
-rw-r--r-- | net-wireless/iwd/iwd-1.8-r1.ebuild | 156 |
2 files changed, 229 insertions, 0 deletions
diff --git a/net-wireless/iwd/files/iwd-1.8-eapol-prevent-key-reinstallation.patch b/net-wireless/iwd/files/iwd-1.8-eapol-prevent-key-reinstallation.patch
new file mode 100644
index 000000000000..dceb808297e3
--- /dev/null
+++ b/net-wireless/iwd/files/iwd-1.8-eapol-prevent-key-reinstallation.patch
@@ -0,0 +1,73 @@
+From f22ba5aebb569ca54521afd2babdc1f67e3904ea Mon Sep 17 00:00:00 2001
+From: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
+Date: Wed, 12 Aug 2020 15:17:21 +0400
+Subject: eapol: prevent key reinstallation on retransmitted Msg4/4
+
+Currently an adversary can retransmit EAPOL Msg4/4 to make the AP
+reinstall the PTK. Against older Linux kernels this can subsequently
+be used to decrypt, replay, and possibly decrypt frames. See the
+KRACK attacks research at krackattacks.com for attack scenarios.
+In this case no machine-in-the-middle position is needed to trigger
+the key reinstallation.
+
+Fix this by using the ptk_complete boolean to track when the 4-way
+handshake has completed (similar to its usage for clients). When
+receiving a retransmitted Msg4/4 accept this frame but do not reinstall
+the PTK.
+
+Credits to Chris M. Stone, Sam Thomas, and Tom Chothia of Birmingham
+University to help discover this issue.
+---
+ src/eapol.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/src/eapol.c b/src/eapol.c
+index b0036c10..e3581cfe 100644
+--- a/src/eapol.c
++++ b/src/eapol.c
+@@ -1462,7 +1462,6 @@ static void eapol_handle_ptk_2_of_4(struct eapol_sm *sm,
+ memcpy(sm->handshake->snonce, ek->key_nonce,
+ sizeof(sm->handshake->snonce));
+ sm->handshake->have_snonce = true;
+- sm->handshake->ptk_complete = true;
+ 
+ sm->frame_retry = 0;
+ 
+@@ -1782,7 +1781,15 @@ static void eapol_handle_ptk_4_of_4(struct eapol_sm *sm,
+ l_timeout_remove(sm->timeout);
+ sm->timeout = NULL;
+ 
+- handshake_state_install_ptk(sm->handshake);
++ /*
++ * If ptk_complete is set, then we are receiving Message 4 again.
++ * This might be a retransmission, so accept but don't install
++ * the keys again.
++ */
++ if (!sm->handshake->ptk_complete)
++ handshake_state_install_ptk(sm->handshake);
++
++ sm->handshake->ptk_complete = true;
+ }
+ 
+ static void eapol_handle_gtk_1_of_2(struct eapol_sm *sm,
+@@ -2185,6 +2192,7 @@ static void eapol_auth_key_handle(struct eapol_sm *sm,
+ size_t frame_len = 4 + L_BE16_TO_CPU(frame->header.packet_len);
+ const struct eapol_key *ek = eapol_key_validate((const void *) frame,
+ frame_len, sm->mic_len);
++ uint16_t key_data_len;
+ 
+ if (!ek)
+ return;
+@@ -2199,7 +2207,8 @@ static void eapol_auth_key_handle(struct eapol_sm *sm,
+ if (!sm->handshake->have_anonce)
+ return; /* Not expecting an EAPoL-Key yet */
+ 
+- if (!sm->handshake->ptk_complete)
++ key_data_len = EAPOL_KEY_DATA_LEN(ek, sm->mic_len);
++ if (key_data_len != 0)
+ eapol_handle_ptk_2_of_4(sm, ek);
+ else
+ eapol_handle_ptk_4_of_4(sm, ek);
+-- 
+cgit 1.2.3-1.el7
+
diff --git a/net-wireless/iwd/iwd-1.8-r1.ebuild b/net-wireless/iwd/iwd-1.8-r1.ebuild
new file mode 100644
index 000000000000..d482d4a45c79
--- /dev/null
+++ b/net-wireless/iwd/iwd-1.8-r1.ebuild
@@ -0,0 +1,156 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+inherit flag-o-matic linux-info systemd
+
+#Set this variable to the required external ell version
+ELL_REQ="0.32"
+
+if [[ ${PV} == *9999* ]]; then
+ inherit autotools git-r3
+ IWD_EGIT_REPO_URI="https://git.kernel.org/pub/scm/network/wireless/iwd.git"
+ ELL_EGIT_REPO_URI="https://git.kernel.org/pub/scm/libs/ell/ell.git"
+else
+ SRC_URI="https://www.kernel.org/pub/linux/network/wireless/${P}.tar.xz"
+ KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~ia64 ~ppc ~ppc64 ~sparc ~x86"
+fi
+
+DESCRIPTION="Wireless daemon for linux"
+HOMEPAGE="https://git.kernel.org/pub/scm/network/wireless/iwd.git/"
+
+LICENSE="GPL-2"
+SLOT="0"
+IUSE="+client +crda +monitor ofono wired cpu_flags_x86_aes cpu_flags_x86_ssse3"
+
+COMMON_DEPEND="sys-apps/dbus
+ client? ( sys-libs/readline:0= )"
+
+[[ -z "${ELL_REQ}" ]] || COMMON_DEPEND+=" >=dev-libs/ell-${ELL_REQ}"
+
+RDEPEND="${COMMON_DEPEND}
+ net-wireless/wireless-regdb
+ crda? ( net-wireless/crda )"
+
+DEPEND="${COMMON_DEPEND}
+ virtual/pkgconfig"
+
+[[ ${PV} == *9999* ]] && DEPEND+=" dev-python/docutils"
+
+PATCHES=( "${FILESDIR}"/iwd-1.8-eapol-prevent-key-reinstallation.patch )
+
+pkg_setup() {
+ CONFIG_CHECK="
+ ~ASYMMETRIC_KEY_TYPE
+ ~ASYMMETRIC_PUBLIC_KEY_SUBTYPE
+ ~CFG80211
+ ~CRYPTO_AES
+ ~CRYPTO_ARC4
+ ~CRYPTO_CBC
+ ~CRYPTO_CMAC
+ ~CRYPTO_DES
+ ~CRYPTO_ECB
+ ~CRYPTO_HMAC
+ ~CRYPTO_MD4
+ ~CRYPTO_MD5
+ ~CRYPTO_RSA
+ ~CRYPTO_SHA1
+ ~CRYPTO_SHA256
+ ~CRYPTO_SHA512
+ ~CRYPTO_USER_API_HASH
+ ~CRYPTO_USER_API_SKCIPHER
+ ~KEY_DH_OPERATIONS
+ ~PKCS7_MESSAGE_PARSER
+ ~RFKILL
+ ~X509_CERTIFICATE_PARSER
+ "
+ if use crda;then
+ CONFIG_CHECK="${CONFIG_CHECK} ~CFG80211_CRDA_SUPPORT"
+ WARNING_CFG80211_CRDA_SUPPORT="REGULATORY DOMAIN PROBLEM: please enable CFG80211_CRDA_SUPPORT for proper regulatory domain support"
+ fi
+
+ if use amd64;then
+ CONFIG_CHECK="${CONFIG_CHECK} ~CRYPTO_DES3_EDE_X86_64"
+ WARNING_CRYPTO_DES3_EDE_X86_64="CRYPTO_DES3_EDE_X86_64: enable for increased performance"
+ fi
+
+ if use cpu_flags_x86_aes;then
+ CONFIG_CHECK="${CONFIG_CHECK} ~CRYPTO_AES_NI_INTEL"
+ WARNING_CRYPTO_AES_NI_INTEL="CRYPTO_AES_NI_INTEL: enable for increased performance"
+ fi
+
+ if use cpu_flags_x86_ssse3 && use amd64; then
+ CONFIG_CHECK="${CONFIG_CHECK} ~CRYPTO_SHA1_SSSE3 ~CRYPTO_SHA256_SSSE3 ~CRYPTO_SHA512_SSSE3"
+ WARNING_CRYPTO_SHA1_SSSE3="CRYPTO_SHA1_SSSE3: enable for increased performance"
+ WARNING_CRYPTO_SHA256_SSSE3="CRYPTO_SHA256_SSSE3: enable for increased performance"
+ WARNING_CRYPTO_SHA512_SSSE3="CRYPTO_SHA512_SSSE3: enable for increased performance"
+ fi
+
+ if use kernel_linux && kernel_is -ge 4 20; then
+ CONFIG_CHECK="${CONFIG_CHECK} ~PKCS8_PRIVATE_KEY_PARSER"
+ fi
+
+ check_extra_config
+
+ if ! use crda; then
+ if linux_config_exists && linux_chkconfig_builtin CFG80211 &&
+ [[ $(linux_chkconfig_string EXTRA_FIRMWARE) != *regulatory.db* ]]
+ then
+ ewarn ""
+ ewarn "REGULATORY DOMAIN PROBLEM:"
+ ewarn "With CONFIG_CFG80211=y (built-in), the driver won't be able to load regulatory.db from"
+ ewarn " /lib/firmware, resulting in broken regulatory domain support. Please set CONFIG_CFG80211=m"
+ ewarn " or add regulatory.db and regulatory.db.p7s to CONFIG_EXTRA_FIRMWARE."
+ ewarn ""
+ fi
+ fi
+}
+
+src_unpack() {
+ if [[ ${PV} == *9999* ]] ; then
+ EGIT_REPO_URI=${IWD_EGIT_REPO_URI} git-r3_src_unpack
+ EGIT_REPO_URI=${ELL_EGIT_REPO_URI} EGIT_CHECKOUT_DIR=${WORKDIR}/ell git-r3_src_unpack
+ else
+ default
+ fi
+}
+
+src_prepare() {
+ default
+ if [[ ${PV} == *9999* ]] ; then
+ eautoreconf
+ fi
+}
+
+src_configure() {
+ append-cflags "-fsigned-char"
+ local myeconfargs=(
+ --sysconfdir="${EPREFIX}"/etc/iwd --localstatedir="${EPREFIX}"/var
+ $(use_enable client)
+ $(use_enable monitor)
+ $(use_enable ofono)
+ $(use_enable wired)
+ --enable-systemd-service
+ --with-systemd-unitdir="$(systemd_get_systemunitdir)"
+ --with-systemd-modloaddir="${EPREFIX}/usr/lib/modules-load.d"
+ --with-systemd-networkdir="$(systemd_get_utildir)/network"
+ )
+ [[ ${PV} == *9999* ]] || myeconfargs+=(--enable-external-ell)
+ econf "${myeconfargs[@]}"
+}
+
+src_install() {
+ default
+ keepdir /var/lib/${PN}
+
+ newinitd "${FILESDIR}/iwd.initd-r1" iwd
+
+ if use wired;then
+ newinitd "${FILESDIR}/ead.initd" ead
+ fi
+
+ if [[ ${PV} == *9999* ]] ; then
+ exeinto /usr/share/iwd/scripts/
+ doexe test/*
+ fi
+}
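Review bot: The `PATCHES=( "${FILESDIR}"/iwd-1.8-eapol-prevent-key-reinstallation.patch )` line records nothing about why the patch is applied; the CVE and bug id live only in the commit message, so a later reader of the ebuild has to go through history to learn that this revision is a security fix. A one-line comment above it, `# CVE-2020-17497 (bug #736906): upstream f22ba5aebb56, key reinstallation on retransmitted Msg4/4`, keeps that link in the file itself. The rest of the ebuild appears to be a copy of the existing 1.8 ebuild with only the PATCHES addition, so nothing else in this section seems to change. As a point of style, `if use crda;then`, `if use amd64;then`, `if use cpu_flags_x86_aes;then` and `if use wired;then` would read more consistently as `if use crda; then`, matching the `if use cpu_flags_x86_ssse3 && use amd64; then` form used a few lines below.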