Accepting request 952644 from home:dirkmueller:Factory

- Apply Revert-DBus-Add-sae-to-interface-key_mgmt-capabilities.patch to fix connect with AVM FB, if WPA3 transition mode is activated, e.g. Wifi -> Security: is WPA2 + WPA3, alt. switch to WPA2 (CCMP) (bsc#1195312) - drop restore-old-dbus-interface.patch, wicked has been switching to the new dbus interface in version 0.6.66. - drop wpa_supplicant-getrandom.patch : glibc has been updated so the getrandom() wrapper is now there - config: * enable QCA vendor extensions to nl80211 * enable EAP-EKE * Support HT overrides * WPA3-Enterprise * TLS v1.1 and TLS v1.2 * Fast Session Transfer (FST) * Automatic Channel Selection * Multi Band Operation * Fast Initial Link Setup * Mesh Networking (IEEE 802.11s) - config: * Reenable Fast BSS Transition (likely fixing bsc#1195312) * Enable OCV, security feature that prevents MITM multi-channel attacks * Enable OWE for better hotspot support OBS-URL: https://build.opensuse.org/request/show/952644 OBS-URL: https://build.opensuse.org/package/show/hardware/wpa_supplicant?expand=0&rev=131
2022-02-08 10:24:23 +00:00 · 2022-02-08 10:24:23 +00:00 · 4664420d0a
commit 4664420d0a
parent a7a45f374a
6 changed files with 101 additions and 3227 deletions
--- a/Revert-DBus-Add-sae-to-interface-key_mgmt-capabilities.patch
+++ b/Revert-DBus-Add-sae-to-interface-key_mgmt-capabilities.patch
@ -0,0 +1,34 @@
 From 7a9c36722511ce4df88b76cceceb241d6c6a151e Mon Sep 17 00:00:00 2001
 From: Brian Norris <briannorris@chromium.org>
 Date: Fri, 28 Feb 2020 15:50:47 -0800
 Subject: [PATCH] DBus: Add "sae" to interface key_mgmt capabilities
 This will be present when the driver supports SAE and it's included in
 the wpa_supplicant build.
 Signed-off-by: Brian Norris <briannorris@chromium.org>
 ---
 doc/dbus.doxygen                        | 2 +-
 wpa_supplicant/dbus/dbus_new_handlers.c | 6 ------
 2 files changed, 1 insertion(+), 7 deletions(-)
 diff --git b/wpa_supplicant/dbus/dbus_new_handlers.c a/wpa_supplicant/dbus/dbus_new_handlers.c
 index c842c50e9..55c5dbc99 100644
 --- b/wpa_supplicant/dbus/dbus_new_handlers.c
 +++ a/wpa_supplicant/dbus/dbus_new_handlers.c
@@ -2798,12 +2798,6 @@ dbus_bool_t wpas_dbus_getter_capabilities(
 			goto nomem;
 #endif /* CONFIG_WPS */
 -#ifdef CONFIG_SAE
 -		if ((capa.key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_SAE) &&
 -		    !wpa_dbus_dict_string_array_add_element(&iter_array, "sae"))
 -			goto nomem;
 -#endif /* CONFIG_SAE */
 -
 #ifdef CONFIG_OWE
 		if ((capa.key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_OWE) &&
 		    !wpa_dbus_dict_string_array_add_element(&iter_array, "owe"))
 -- 
 2.34.1
--- a/59
+++ b/59
@ -32,7 +32,7 @@ CONFIG_DRIVER_WEXT=y
 CONFIG_DRIVER_NL80211=y
 # QCA vendor extensions to nl80211
-#CONFIG_DRIVER_NL80211_QCA=y
+CONFIG_DRIVER_NL80211_QCA=y
 # driver_nl80211.c requires libnl. If you are compiling it yourself
 # you may need to point hostapd to your version of libnl.
@ -83,7 +83,7 @@ CONFIG_DRIVER_MACSEC_LINUX=y
 #CONFIG_DRIVER_ROBOSWITCH=y
 # Driver interface for no driver (e.g., WPS ER only)
-#CONFIG_DRIVER_NONE=y
+CONFIG_DRIVER_NONE=y
 # Solaris libraries
 #LIBS += -lsocket -ldlpi -lnsl
@ -172,7 +172,7 @@ CONFIG_WPS=y
 CONFIG_WPS_ER=y
 # Disable credentials for an open network by default when acting as a WPS
 # registrar.
-#CONFIG_WPS_REG_DISABLE_OPEN=y
+CONFIG_WPS_REG_DISABLE_OPEN=y
 # Enable WPS support with NFC config method
 CONFIG_WPS_NFC=y
@ -180,7 +180,7 @@ CONFIG_WPS_NFC=y
 CONFIG_EAP_IKEV2=y
 # EAP-EKE
-#CONFIG_EAP_EKE=y
+CONFIG_EAP_EKE=y
 # MACsec
 CONFIG_MACSEC=y
@ -198,10 +198,10 @@ CONFIG_SMARTCARD=y
 #CONFIG_PCSC=y
 # Support HT overrides (disable HT/HT40, mask MCS rates, etc.)
-#CONFIG_HT_OVERRIDES=y
+CONFIG_HT_OVERRIDES=y
 # Support VHT overrides (disable VHT, mask MCS rates, etc.)
-#CONFIG_VHT_OVERRIDES=y
+CONFIG_VHT_OVERRIDES=y
 # Development testing
 #CONFIG_EAPOL_TEST=y
@ -248,6 +248,10 @@ CONFIG_CTRL_IFACE=y
 # Simultaneous Authentication of Equals (SAE), WPA3-Personal
 CONFIG_SAE=y
 # WPA3-Enterprise (SuiteB-192)
 CONFIG_SUITEB=y
 CONFIG_SUITEB192=y
 # Disable scan result processing (ap_scan=1) to save code size by about 1 kB.
 # This can be used if ap_scan=1 mode is never enabled.
 #CONFIG_NO_SCAN_PROCESSING=y
@ -279,12 +283,12 @@ CONFIG_BACKEND=file
 # unix = UNIX/POSIX like systems (default)
 # win32 = Windows systems
 # none = Empty template
-#CONFIG_OS=unix
+CONFIG_OS=unix
 # Select event loop implementation
 # eloop = select() loop (default)
 # eloop_win = Windows events and WaitForMultipleObject() loop
-#CONFIG_ELOOP=eloop
+CONFIG_ELOOP=eloop
 # Should we use poll instead of select? Select is used by default.
 #CONFIG_ELOOP_POLL=y
@ -302,7 +306,7 @@ CONFIG_BACKEND=file
 # winpcap = WinPcap with receive thread
 # ndis = Windows NDISUIO (note: requires CONFIG_USE_NDISUIO=y)
 # none = Empty template
-#CONFIG_L2_PACKET=linux
+CONFIG_L2_PACKET=linux
 # Disable Linux packet socket workaround applicable for station interface
 # in a bridge for EAPOL frames. This should be uncommented only if the kernel
@ -311,7 +315,7 @@ CONFIG_BACKEND=file
 #CONFIG_NO_LINUX_PACKET_SOCKET_WAR=y
 # Support Operating Channel Validation
-#CONFIG_OCV=y
+CONFIG_OCV=y
 # Select TLS implementation
 # openssl = OpenSSL (default)
@ -319,25 +323,25 @@ CONFIG_BACKEND=file
 # internal = Internal TLSv1 implementation (experimental)
 # linux = Linux kernel AF_ALG and internal TLSv1 implementation (experimental)
 # none = Empty template
-#CONFIG_TLS=openssl
+CONFIG_TLS=openssl
 # TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1)
 # can be enabled to get a stronger construction of messages when block ciphers
 # are used. It should be noted that some existing TLS v1.0 -based
 # implementation may not be compatible with TLS v1.1 message (ClientHello is
 # sent prior to negotiating which version will be used)
-#CONFIG_TLSV11=y
+CONFIG_TLSV11=y
 # TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2)
 # can be enabled to enable use of stronger crypto algorithms. It should be
 # noted that some existing TLS v1.0 -based implementation may not be compatible
 # with TLS v1.2 message (ClientHello is sent prior to negotiating which version
 # will be used)
-#CONFIG_TLSV12=y
+CONFIG_TLSV12=y
 # Select which ciphers to use by default with OpenSSL if the user does not
 # specify them.
-#CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW"
+CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT@SECLEVEL=1"
 # If CONFIG_TLS=internal is used, additional library and include paths are
 # needed for LibTomMath. Alternatively, an integrated, minimal version of
@ -361,10 +365,6 @@ CONFIG_BACKEND=file
 #CONFIG_NDIS_EVENTS_INTEGRATED=y
 #PLATFORMSDKLIB="/opt/Program Files/Microsoft Platform SDK/Lib"
 # Add support for old DBus control interface
 # (fi.epitest.hostap.WPASupplicant)
 CONFIG_CTRL_IFACE_DBUS=y
 # Add support for new DBus control interface
 # (fi.w1.wpa_supplicant1)
 CONFIG_CTRL_IFACE_DBUS_NEW=y
@ -395,6 +395,7 @@ CONFIG_CTRL_IFACE_DBUS_INTRO=y
 # IEEE Std 802.11r-2008 (Fast BSS Transition) for station mode
 # CONFIG_IEEE80211R=y
 CONFIG_IEEE80211R=y
 # Add support for writing debug log to a file (/tmp/wpa_supplicant-log-#.txt)
 CONFIG_DEBUG_FILE=y
@ -419,7 +420,7 @@ CONFIG_DEBUG_FILE=y
 # Enable mitigation against certain attacks against TKIP by delaying Michael
 # MIC error reports by a random amount of time between 0 and 60 seconds
-#CONFIG_DELAYED_MIC_ERROR_REPORT=y
+CONFIG_DELAYED_MIC_ERROR_REPORT=y
 # Enable tracing code for developer debugging
 # This tracks use of memory allocations and other registrations and reports
@ -473,7 +474,7 @@ CONFIG_NO_RANDOM_POOL=y
 # Should we attempt to use the getrandom(2) call that provides more reliable
 # yet secure randomness source than /dev/random on Linux 3.17 and newer.
 # Requires glibc 2.25 to build, falls back to /dev/random if unavailable.
-#CONFIG_GETRANDOM=y
+CONFIG_GETRANDOM=y
 # IEEE 802.11ac (Very High Throughput) support (mainly for AP mode)
 CONFIG_IEEE80211AC=y
@ -523,9 +524,9 @@ CONFIG_WIFI_DISPLAY=y
 #
 # Enabling directly a module will enable autoscan support.
 # For exponential module:
-#CONFIG_AUTOSCAN_EXPONENTIAL=y
+CONFIG_AUTOSCAN_EXPONENTIAL=y
 # For periodic module:
-#CONFIG_AUTOSCAN_PERIODIC=y
+CONFIG_AUTOSCAN_PERIODIC=y
 # Password (and passphrase, etc.) backend for external storage
 # These optional mechanisms can be used to add support for storing passwords
@ -538,7 +539,7 @@ CONFIG_WIFI_DISPLAY=y
 #CONFIG_EXT_PASSWORD_FILE=y
 # Enable Fast Session Transfer (FST)
-#CONFIG_FST=y
+CONFIG_FST=y
 # Enable CLI commands for FST testing
 #CONFIG_FST_TEST=y
@ -570,15 +571,15 @@ CONFIG_WIFI_DISPLAY=y
 #
 # For more details refer to:
 # http://wireless.kernel.org/en/users/Documentation/acs
-#CONFIG_ACS=y
+CONFIG_ACS=y
 # Support Multi Band Operation
-#CONFIG_MBO=y
+CONFIG_MBO=y
 # Fast Initial Link Setup (FILS) (IEEE 802.11ai)
-#CONFIG_FILS=y
+CONFIG_FILS=y
 # FILS shared key authentication with PFS
-#CONFIG_FILS_SK_PFS=y
+CONFIG_FILS_SK_PFS=y
 # Support RSN on IBSS networks
 # This is needed to be able to use mode=1 network profile with proto=RSN and
@ -591,7 +592,7 @@ CONFIG_IBSS_RSN=y
 #CONFIG_PMKSA_CACHE_EXTERNAL=y
 # Mesh Networking (IEEE 802.11s)
-#CONFIG_MESH=y
+CONFIG_MESH=y
 # Background scanning modules
 # These can be used to request wpa_supplicant to perform background scanning
@ -605,7 +606,7 @@ CONFIG_BGSCAN_SIMPLE=y
 # Opportunistic Wireless Encryption (OWE)
 # Experimental implementation of draft-harkins-owe-07.txt
-#CONFIG_OWE=y
+CONFIG_OWE=y
 # Device Provisioning Protocol (DPP) (also known as Wi-Fi Easy Connect)
 CONFIG_DPP=y
--- a/restore-old-dbus-interface.patch
+++ b/restore-old-dbus-interface.patch
--- a/wpa_supplicant-getrandom.patch
+++ b/wpa_supplicant-getrandom.patch
@ -1,46 +0,0 @@
 Index: wpa_supplicant-2.10/src/utils/os_unix.c
 ===================================================================
 --- wpa_supplicant-2.10.orig/src/utils/os_unix.c
 +++ wpa_supplicant-2.10/src/utils/os_unix.c
@@ -6,11 +6,15 @@
  * See README for more details.
  */
 +#ifndef _GNU_SOURCE
 +#define _GNU_SOURCE
 +#endif
 #include "includes.h"
 #include <time.h>
 #include <sys/wait.h>
 -
 +#include <sys/syscall.h>
 +#include <unistd.h>
 #ifdef ANDROID
 #include <sys/capability.h>
 #include <sys/prctl.h>
@@ -263,6 +267,10 @@ int os_get_random(unsigned char *buf, si
 		buf[i] = i & 0xff;
 	return 0;
 #else /* TEST_FUZZ */
 +#ifdef SYS_getrandom
 +    int gr = TEMP_FAILURE_RETRY(syscall(SYS_getrandom, buf, len, 0));
 +    return (gr != -1 && gr == len) ? 0 : -1;
 +#else /* SYS_getrandom */
 	FILE *f;
 	size_t rc;
@@ -275,10 +283,13 @@ int os_get_random(unsigned char *buf, si
 		return -1;
 	}
 +	setbuf(f, NULL);
 +
 	rc = fread(buf, 1, len, f);
 	fclose(f);
 	return rc != len ? -1 : 0;
 +#endif /* SYS_getrandom */
 #endif /* TEST_FUZZ */
 }
--- a/wpa_supplicant.changes
+++ b/wpa_supplicant.changes
@ -1,3 +1,39 @@
 -------------------------------------------------------------------
 Sat Feb  5 09:28:52 UTC 2022 - Hans-Peter Jansen <hpj@urpla.net>
 - Apply Revert-DBus-Add-sae-to-interface-key_mgmt-capabilities.patch
  to fix connect with AVM FB, if WPA3 transition mode is activated,
  e.g. Wifi -> Security: is WPA2 + WPA3, alt. switch to WPA2 (CCMP)
  (bsc#1195312)
 -------------------------------------------------------------------
 Tue Feb  1 19:41:41 UTC 2022 - Dirk Müller <dmueller@suse.com>
 - drop restore-old-dbus-interface.patch, wicked has been
  switching to the new dbus interface in version 0.6.66.
 - drop wpa_supplicant-getrandom.patch : glibc has been updated
  so the getrandom() wrapper is now there
 - config:
  * enable QCA vendor extensions to nl80211
  * enable EAP-EKE
  * Support HT overrides
  * WPA3-Enterprise 
  * TLS v1.1 and TLS v1.2
  * Fast Session Transfer (FST)
  * Automatic Channel Selection
  * Multi Band Operation
  * Fast Initial Link Setup
  * Mesh Networking (IEEE 802.11s)
 -------------------------------------------------------------------
 Mon Jan 31 19:42:36 UTC 2022 - Dirk Müller <dmueller@suse.com>
 - config: 
  * Reenable Fast BSS Transition (likely fixing bsc#1195312)
  * Enable OCV, security feature that prevents MITM
    multi-channel attacks
  * Enable OWE for better hotspot support
 -------------------------------------------------------------------
 Sun Jan 23 15:33:37 UTC 2022 - Dirk Müller <dmueller@suse.com>
--- a/wpa_supplicant.spec
+++ b/wpa_supplicant.spec
@ -37,9 +37,8 @@ Patch1:         wpa_supplicant-flush-debug-output.patch
 # is not portable
 Patch2:         wpa_supplicant-sigusr1-changes-debuglevel.patch
 Patch3:         wpa_supplicant-alloc_size.patch
 Patch4:         wpa_supplicant-getrandom.patch
 Patch5:         wpa_supplicant-dump-certificate-as-PEM-in-debug-mode.diff
-Patch6:         restore-old-dbus-interface.patch
+Patch7:         Revert-DBus-Add-sae-to-interface-key_mgmt-capabilities.patch
 BuildRequires:  pkgconfig
 BuildRequires:  readline-devel
 BuildRequires:  systemd-rpm-macros