hostapd: apply patch for CVE-2024-3596

From 58097123ec5ea6f8276b38cb9b07669ec368a6c1 Mon Sep 17 00:00:00 2001

From: Jouni Malinen <j@w1.fi>

Date: Sun, 17 Mar 2024 10:42:56 +0200

Subject: [PATCH 7/8] RADIUS: Require Message-Authenticator attribute in MAC

 ACL cases

hostapd required Message-Authenticator attribute to be included in EAP

authentication cases, but that requirement was not in place for MAC ACL

cases. Start requiring Message-Authenticator attribute for MAC ACL by

default. Unlike the EAP case, this can still be disabled with

radius_require_message_authenticator=1 to maintain compatibility with

some RADIUS servers when used in a network where the connection to such

a server is secure.

Signed-off-by: Jouni Malinen <j@w1.fi>

---

 hostapd/config_file.c    |  3 +++

 hostapd/hostapd.conf     | 11 +++++++++++

 src/ap/ap_config.c       |  1 +

 src/ap/ap_config.h       |  1 +

 src/ap/ieee802_11_auth.c |  4 +++-

 5 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/hostapd/config_file.c b/hostapd/config_file.c

index 96c28aea2..3fb059770 100644

--- a/hostapd/config_file.c

+++ b/hostapd/config_file.c

@@ -2988,6 +2988,9 @@ static int hostapd_config_fill(struct hostapd_config *conf,

 #endif /* CONFIG_RADIUS_TLS */

 	} else if (os_strcmp(buf, "radius_retry_primary_interval") == 0) {

 		bss->radius->retry_primary_interval = atoi(pos);

+	} else if (os_strcmp(buf,

+			     "radius_require_message_authenticator") == 0) {

+		bss->radius_require_message_authenticator = atoi(pos);

 	} else if (os_strcmp(buf, "radius_acct_interim_interval") == 0) {

 		bss->acct_interim_interval = atoi(pos);

 	} else if (os_strcmp(buf, "radius_request_cui") == 0) {

diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf

index e3367b708..3f0e66beb 100644

--- a/hostapd/hostapd.conf

+++ b/hostapd/hostapd.conf

@@ -1620,6 +1620,17 @@ own_ip_addr=127.0.0.1

 # currently used secondary server is still working.

 #radius_retry_primary_interval=600

+# Message-Authenticator attribute requirement for non-EAP cases

+# hostapd requires Message-Authenticator attribute to be included in all cases

+# where RADIUS is used for EAP authentication. This is also required for cases

+# where RADIUS is used for MAC ACL (macaddr_acl=2) by default, but that case

+# can be configured to not require this for compatibility with RADIUS servers

+# that do not include the attribute. This is not recommended due to potential

+# security concerns, but can be used as a temporary workaround in networks where

+# the connection to the RADIUS server is secure.

+# 0 = Do not require Message-Authenticator in MAC ACL response

+# 1 = Require Message-Authenticator in all authentication cases (default)

+#radius_require_message_authenticator=1

 # Interim accounting update interval

 # If this is set (larger than 0) and acct_server is configured, hostapd will

diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c

index 32b04ab35..0b5a16ef9 100644

--- a/src/ap/ap_config.c

+++ b/src/ap/ap_config.c

@@ -122,6 +122,7 @@ void hostapd_config_defaults_bss(struct hostapd_bss_config *bss)

 #endif /* CONFIG_IEEE80211R_AP */

 	bss->radius_das_time_window = 300;

+	bss->radius_require_message_authenticator = 1;

 	bss->anti_clogging_threshold = 5;

 	bss->sae_sync = 5;

diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h

index fda937ecf..ced2181ab 100644

--- a/src/ap/ap_config.h

+++ b/src/ap/ap_config.h

@@ -309,6 +309,7 @@ struct hostapd_bss_config {

 	struct hostapd_ip_addr own_ip_addr;

 	char *nas_identifier;

 	struct hostapd_radius_servers *radius;

+	int radius_require_message_authenticator;

 	int acct_interim_interval;

 	int radius_request_cui;

 	struct hostapd_radius_attr *radius_auth_req_attr;

diff --git a/src/ap/ieee802_11_auth.c b/src/ap/ieee802_11_auth.c

index cc38044d8..913a99597 100644

--- a/src/ap/ieee802_11_auth.c

+++ b/src/ap/ieee802_11_auth.c

@@ -508,7 +508,9 @@ hostapd_acl_recv_radius(struct radius_msg *msg, struct radius_msg *req,

 	wpa_printf(MSG_DEBUG, "Found matching Access-Request for RADIUS "

 		   "message (id=%d)", query->radius_id);

-	if (radius_msg_verify(msg, shared_secret, shared_secret_len, req, 0)) {

+	if (radius_msg_verify(

+		    msg, shared_secret, shared_secret_len, req,

+		    hapd->conf->radius_require_message_authenticator)) {

 		wpa_printf(MSG_INFO, "Incoming RADIUS packet did not have "

 			   "correct authenticator - dropped\n");

 		return RADIUS_RX_INVALID_AUTHENTICATOR;

-- 

2.45.1

{ lib, stdenv, fetchurl, pkg-config, libnl, openssl, sqlite ? null }:

{ lib, stdenv, fetchurl, fetchpatch, pkg-config, libnl, openssl, sqlite ? null }:

stdenv.mkDerivation rec {

  pname = "hostapd";

      url = "https://raw.githubusercontent.com/openwrt/openwrt/eefed841b05c3cd4c65a78b50ce0934d879e6acf/package/network/services/hostapd/patches/300-noscan.patch";

      sha256 = "08p5frxhpq1rp2nczkscapwwl8g9nc4fazhjpxic5bcbssc3sb00";

    })

    # Backported security patches for CVE-2024-3596 (https://blastradius.fail),

    # these can be removed when updating to 2.11.

    # RADIUS: Allow Message-Authenticator attribute as the first attribute

    (fetchpatch {

      url = "https://w1.fi/cgit/hostap/patch/?id=adac846bd0e258a0aa50750bbd2b411fa0085c46";

      hash = "sha256-1jfSeVGL5tyZn8F2wpQ7KwaQaEKWsCOW/bavovMcdz4=";

    })

    # RADIUS server: Place Message-Authenticator attribute as the first one

    (fetchpatch {

      url = "https://w1.fi/cgit/hostap/patch/?id=54abb0d3cf35894e7d86e3f7555e95b106306803";

      hash = "sha256-fVhQlOVETttVf1M9iKrXJrv7mxpxSjCt3w8kndRal08=";

    })

    # hostapd: Move Message-Authenticator attribute to be the first one in req

    (fetchpatch {

      url = "https://w1.fi/cgit/hostap/patch/?id=37fe8e48ab44d44fe3cf5dd8f52cb0a10be0cd17";

      hash = "sha256-3eoAkXhieO3f0R5PTlH6g5wcgo/aLQN6XcPSITGgciE=";

    })

    # RADIUS DAS: Move Message-Authenticator attribute to be the first one

    (fetchpatch {

      url = "https://w1.fi/cgit/hostap/patch/?id=f54157077f799d84ce26bed6ad6b01c4a16e31cf";

      hash = "sha256-dcaghKbKNFVSN6ONNaFt1s0S35mkqox2aykiExEXyPQ=";

    })

    # Require Message-Authenticator in Access-Reject even without EAP-Message

    (fetchpatch {

      url = "https://w1.fi/cgit/hostap/patch/?id=934b0c3a45ce0726560ccefbd992a9d385c36385";

      hash = "sha256-9GquP/+lsghF81nMhOuRwlSz/pEnmk+mSex8aM3/qdA=";

    })

    # RADIUS: Require Message-Authenticator attribute in MAC ACL cases

    #(fetchpatch {

    #  url = "https://w1.fi/cgit/hostap/patch/?id=58097123ec5ea6f8276b38cb9b07669ec368a6c1";

    #  hash = "sha256-mW+PAeAkNcrlFPsjxLvZ/1Smq6H6KXq5Le3HuLA2KKw=";

    #})

    # Needed to be fixed to apply correctly:

    ./0007-RADIUS-Require-Message-Authenticator-attribute-in-MA.patch

    # RADIUS: Check Message-Authenticator if it is present even if not required

    (fetchpatch {

      url = "https://w1.fi/cgit/hostap/patch/?id=f302d9f9646704cce745734af21d540baa0da65f";

      hash = "sha256-6i0cq5YBm2w03yMrdYGaEqe1dTsmokZWOs4WPFX36qo=";

    })

  ];

  outputs = [ "out" "man" ];

    homepage = "https://w1.fi/hostapd/";

    description = "User space daemon for access point and authentication servers";

    license = licenses.bsd3;

    maintainers = with maintainers; [ ];

    maintainers = with maintainers; [ oddlama ];

    platforms = platforms.linux;

  };

}