diff --git a/CVE-2019-16275.patch b/CVE-2019-16275.patch
deleted file mode 100644
index 4f9c566..0000000
--- a/CVE-2019-16275.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From 8c07fa9eda13e835f3f968b2e1c9a8be3a851ff9 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen
-Date: Thu, 29 Aug 2019 11:52:04 +0300
-Subject: [PATCH] AP: Silently ignore management frame from unexpected source
- address
-
-Do not process any received Management frames with unexpected/invalid SA
-so that we do not add any state for unexpected STA addresses or end up
-sending out frames to unexpected destination. This prevents unexpected
-sequences where an unprotected frame might end up causing the AP to send
-out a response to another device and that other device processing the
-unexpected response.
-
-In particular, this prevents some potential denial of service cases
-where the unexpected response frame from the AP might result in a
-connected station dropping its association.
-
-Signed-off-by: Jouni Malinen
----
- src/ap/drv_callbacks.c | 13 +++++++++++++
- src/ap/ieee802_11.c | 12 ++++++++++++
- 2 files changed, 25 insertions(+)
-
-diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c
-index 31587685fe3b..34ca379edc3d 100644
---- a/src/ap/drv_callbacks.c
-+++ b/src/ap/drv_callbacks.c
-@@ -131,6 +131,19 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr,
- "hostapd_notif_assoc: Skip event with no address");
- return -1;
- }
-+
-+ if (is_multicast_ether_addr(addr) ||
-+ is_zero_ether_addr(addr) ||
-+ os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) {
-+ /* Do not process any frames with unexpected/invalid SA so that
-+ * we do not add any state for unexpected STA addresses or end
-+ * up sending out frames to unexpected destination. */
-+ wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR
-+ " in received indication - ignore this indication silently",
-+ __func__, MAC2STR(addr));
-+ return 0;
-+ }
-+
- random_add_randomness(addr, ETH_ALEN);
-
- hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211,
-diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
-index c85a28db44b7..e7065372e158 100644
---- a/src/ap/ieee802_11.c
-+++ b/src/ap/ieee802_11.c
-@@ -4626,6 +4626,18 @@ int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
- fc = le_to_host16(mgmt->frame_control);
- stype = WLAN_FC_GET_STYPE(fc);
-
-+ if (is_multicast_ether_addr(mgmt->sa) ||
-+ is_zero_ether_addr(mgmt->sa) ||
-+ os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
-+ /* Do not process any frames with unexpected/invalid SA so that
-+ * we do not add any state for unexpected STA addresses or end
-+ * up sending out frames to unexpected destination. */
-+ wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR
-+ " in received frame - ignore this frame silently",
-+ MAC2STR(mgmt->sa));
-+ return 0;
-+ }
-+
- if (stype == WLAN_FC_STYPE_BEACON) {
- handle_beacon(hapd, mgmt, len, fi);
- return 1;
---
-2.20.1
-
diff --git a/CVE-2021-0326.patch b/CVE-2021-0326.patch
deleted file mode 100644
index 763c8bd..0000000
--- a/CVE-2021-0326.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 947272febe24a8f0ea828b5b2f35f13c3821901e Mon Sep 17 00:00:00 2001
-From: Jouni Malinen
-Date: Mon, 9 Nov 2020 11:43:12 +0200
-Subject: [PATCH] P2P: Fix copying of secondary device types for P2P group
- client
-
-Parsing and copying of WPS secondary device types list was verifying
-that the contents is not too long for the internal maximum in the case
-of WPS messages, but similar validation was missing from the case of P2P
-group information which encodes this information in a different
-attribute. This could result in writing beyond the memory area assigned
-for these entries and corrupting memory within an instance of struct
-p2p_device. This could result in invalid operations and unexpected
-behavior when trying to free pointers from that corrupted memory.
-
-Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27269
-Fixes: e57ae6e19edf ("P2P: Keep track of secondary device types for peers")
-Signed-off-by: Jouni Malinen
----
- src/p2p/p2p.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c
-index 74b7b52ae05c..5cbfc217fc1f 100644
---- a/src/p2p/p2p.c
-+++ b/src/p2p/p2p.c
-@@ -453,6 +453,8 @@ static void p2p_copy_client_info(struct p2p_device *dev,
- dev->info.config_methods = cli->config_methods;
- os_memcpy(dev->info.pri_dev_type, cli->pri_dev_type, 8);
- dev->info.wps_sec_dev_type_list_len = 8 * cli->num_sec_dev_types;
-+ if (dev->info.wps_sec_dev_type_list_len > WPS_SEC_DEV_TYPE_MAX_LEN)
-+ dev->info.wps_sec_dev_type_list_len = WPS_SEC_DEV_TYPE_MAX_LEN;
- os_memcpy(dev->info.wps_sec_dev_type_list, cli->sec_dev_types,
- dev->info.wps_sec_dev_type_list_len);
- }
---
-2.25.1
-
diff --git a/CVE-2021-27803.patch b/CVE-2021-27803.patch
deleted file mode 100644
index 3dba865..0000000
--- a/CVE-2021-27803.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 8460e3230988ef2ec13ce6b69b687e941f6cdb32 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen
-Date: Tue, 8 Dec 2020 23:52:50 +0200
-Subject: [PATCH] P2P: Fix a corner case in peer addition based on PD Request
-
-p2p_add_device() may remove the oldest entry if there is no room in the
-peer table for a new peer. This would result in any pointer to that
-removed entry becoming stale. A corner case with an invalid PD Request
-frame could result in such a case ending up using (read+write) freed
-memory. This could only by triggered when the peer table has reached its
-maximum size and the PD Request frame is received from the P2P Device
-Address of the oldest remaining entry and the frame has incorrect P2P
-Device Address in the payload.
-
-Fix this by fetching the dev pointer again after having called
-p2p_add_device() so that the stale pointer cannot be used.
-
-Fixes: 17bef1e97a50 ("P2P: Add peer entry based on Provision Discovery Request")
-Signed-off-by: Jouni Malinen
----
- src/p2p/p2p_pd.c | 12 +++++-------
- 1 file changed, 5 insertions(+), 7 deletions(-)
-
-diff --git a/src/p2p/p2p_pd.c b/src/p2p/p2p_pd.c
-index 3994ec03f86b..05fd593494ef 100644
---- a/src/p2p/p2p_pd.c
-+++ b/src/p2p/p2p_pd.c
-@@ -595,14 +595,12 @@ void p2p_process_prov_disc_req(struct p2p_data *p2p, const u8 *sa,
- goto out;
- }
-
-+ dev = p2p_get_device(p2p, sa);
- if (!dev) {
-- dev = p2p_get_device(p2p, sa);
-- if (!dev) {
-- p2p_dbg(p2p,
-- "Provision Discovery device not found "
-- MACSTR, MAC2STR(sa));
-- goto out;
-- }
-+ p2p_dbg(p2p,
-+ "Provision Discovery device not found "
-+ MACSTR, MAC2STR(sa));
-+ goto out;
- }
- } else if (msg.wfd_subelems) {
- wpabuf_free(dev->info.wfd_subelems);
---
-2.25.1
-
diff --git a/CVE-2021-30004.patch b/CVE-2021-30004.patch
deleted file mode 100644
index e00c010..0000000
--- a/CVE-2021-30004.patch
+++ /dev/null
@@ -1,115 +0,0 @@
-From a0541334a6394f8237a4393b7372693cd7e96f15 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen
-Date: Sat, 13 Mar 2021 18:19:31 +0200
-Subject: ASN.1: Validate DigestAlgorithmIdentifier parameters
-
-The supported hash algorithms do not use AlgorithmIdentifier parameters.
-However, there are implementations that include NULL parameters in
-addition to ones that omit the parameters. Previous implementation did
-not check the parameters value at all which supported both these cases,
-but did not reject any other unexpected information.
-
-Use strict validation of digest algorithm parameters and reject any
-unexpected value when validating a signature. This is needed to prevent
-potential forging attacks.
-
-Signed-off-by: Jouni Malinen
----
- src/tls/pkcs1.c | 21 +++++++++++++++++++++
- src/tls/x509v3.c | 20 ++++++++++++++++++++
- 2 files changed, 41 insertions(+)
-
-diff --git a/src/tls/pkcs1.c b/src/tls/pkcs1.c
-index bbdb0d7..5761dfe 100644
---- a/src/tls/pkcs1.c
-+++ b/src/tls/pkcs1.c
-@@ -244,6 +244,8 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
- os_free(decrypted);
- return -1;
- }
-+ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: DigestInfo",
-+ hdr.payload, hdr.length);
-
- pos = hdr.payload;
- end = pos + hdr.length;
-@@ -265,6 +267,8 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
- os_free(decrypted);
- return -1;
- }
-+ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: DigestAlgorithmIdentifier",
-+ hdr.payload, hdr.length);
- da_end = hdr.payload + hdr.length;
-
- if (asn1_get_oid(hdr.payload, hdr.length, &oid, &next)) {
-@@ -273,6 +277,23 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
- os_free(decrypted);
- return -1;
- }
-+ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: Digest algorithm parameters",
-+ next, da_end - next);
-+
-+ /*
-+ * RFC 5754: The correct encoding for the SHA2 algorithms would be to
-+ * omit the parameters, but there are implementation that encode these
-+ * as a NULL element. Allow these two cases and reject anything else.
-+ */
-+ if (da_end > next &&
-+ (asn1_get_next(next, da_end - next, &hdr) < 0 ||
-+ !asn1_is_null(&hdr) ||
-+ hdr.payload + hdr.length != da_end)) {
-+ wpa_printf(MSG_DEBUG,
-+ "PKCS #1: Unexpected digest algorithm parameters");
-+ os_free(decrypted);
-+ return -1;
-+ }
-
- if (!asn1_oid_equal(&oid, hash_alg)) {
- char txt[100], txt2[100];
-diff --git a/src/tls/x509v3.c b/src/tls/x509v3.c
-index a8944dd..df337ec 100644
---- a/src/tls/x509v3.c
-+++ b/src/tls/x509v3.c
-@@ -1964,6 +1964,7 @@ int x509_check_signature(struct x509_certificate *issuer,
- os_free(data);
- return -1;
- }
-+ wpa_hexdump(MSG_MSGDUMP, "X509: DigestInfo", hdr.payload, hdr.length);
-
- pos = hdr.payload;
- end = pos + hdr.length;
-@@ -1985,6 +1986,8 @@ int x509_check_signature(struct x509_certificate *issuer,
- os_free(data);
- return -1;
- }
-+ wpa_hexdump(MSG_MSGDUMP, "X509: DigestAlgorithmIdentifier",
-+ hdr.payload, hdr.length);
- da_end = hdr.payload + hdr.length;
-
- if (asn1_get_oid(hdr.payload, hdr.length, &oid, &next)) {
-@@ -1992,6 +1995,23 @@ int x509_check_signature(struct x509_certificate *issuer,
- os_free(data);
- return -1;
- }
-+ wpa_hexdump(MSG_MSGDUMP, "X509: Digest algorithm parameters",
-+ next, da_end - next);
-+
-+ /*
-+ * RFC 5754: The correct encoding for the SHA2 algorithms would be to
-+ * omit the parameters, but there are implementation that encode these
-+ * as a NULL element. Allow these two cases and reject anything else.
-+ */
-+ if (da_end > next &&
-+ (asn1_get_next(next, da_end - next, &hdr) < 0 ||
-+ !asn1_is_null(&hdr) ||
-+ hdr.payload + hdr.length != da_end)) {
-+ wpa_printf(MSG_DEBUG,
-+ "X509: Unexpected digest algorithm parameters");
-+ os_free(data);
-+ return -1;
-+ }
-
- if (x509_sha1_oid(&oid)) {
- if (signature->oid.oid[6] != 5 /* sha-1WithRSAEncryption */) {
---
-cgit v0.12
-
diff --git a/config b/config
index 6af659f..5e3386b 100644
--- a/config
+++ b/config
@@ -1,9 +1,9 @@
 # Example wpa_supplicant build time configuration
 #
 # This file lists the configuration options that are used when building the
-# hostapd binary. All lines starting with # are ignored. Configuration option
-# lines must be commented out complete, if they are not to be included, i.e.,
-# just setting VARIABLE=n is not disabling that variable.
+# wpa_supplicant binary. All lines starting with # are ignored. Configuration
+# option lines must be commented out complete, if they are not to be included,
+# i.e., just setting VARIABLE=n is not disabling that variable.
 #
 # This file is included in Makefile, so variables like CFLAGS and LIBS can also
 # be modified from here. In most cases, these lines should use += in order not
@@ -31,6 +31,9 @@ CONFIG_DRIVER_WEXT=y
 # Driver interface for Linux drivers using the nl80211 kernel interface
 CONFIG_DRIVER_NL80211=y
 
+# QCA vendor extensions to nl80211
+#CONFIG_DRIVER_NL80211_QCA=y
+
 # driver_nl80211.c requires libnl. If you are compiling it yourself
 # you may need to point hostapd to your version of libnl.
 #
@@ -70,6 +73,12 @@ CONFIG_LIBNL32=y
 # Driver interface for wired Ethernet drivers
 CONFIG_DRIVER_WIRED=y
 
+# Driver interface for MACsec capable Qualcomm Atheros drivers
+#CONFIG_DRIVER_MACSEC_QCA=y
+
+# Driver interface for Linux MACsec drivers
+CONFIG_DRIVER_MACSEC_LINUX=y
+
 # Driver interface for the Broadcom RoboSwitch family
 #CONFIG_DRIVER_ROBOSWITCH=y
 
@@ -80,8 +89,8 @@ CONFIG_DRIVER_WIRED=y
 #LIBS += -lsocket -ldlpi -lnsl
 #LIBS_c += -lsocket
 
-# Enable IEEE 802.1X Supplicant (automatically included if any EAP method is
-# included)
+# Enable IEEE 802.1X Supplicant (automatically included if any EAP method or
+# MACsec is included)
 CONFIG_IEEE8021X_EAPOL=y
 
 # EAP-MD5
@@ -100,11 +109,18 @@ CONFIG_EAP_PEAP=y
 CONFIG_EAP_TTLS=y
 
 # EAP-FAST
-# Note: If OpenSSL is used as the TLS library, OpenSSL 1.0 or newer is needed
-# for EAP-FAST support. Older OpenSSL releases would need to be patched, e.g.,
-# with openssl-0.9.8x-tls-extensions.patch, to add the needed functions.
 CONFIG_EAP_FAST=y
 
+# EAP-TEAP
+# Note: The current EAP-TEAP implementation is experimental and should not be
+# enabled for production use. The IETF RFC 7170 that defines EAP-TEAP has number
+# of conflicting statements and missing details and the implementation has
+# vendor specific workarounds for those and as such, may not interoperate with
+# any other implementation. This should not be used for anything else than
+# experimentation and interoperability testing until those issues has been
+# resolved.
+#CONFIG_EAP_TEAP=y
+
 # EAP-GTC
 CONFIG_EAP_GTC=y
 
@@ -114,6 +130,9 @@ CONFIG_EAP_OTP=y
 # EAP-SIM (enable CONFIG_PCSC, if EAP-SIM is used)
 #CONFIG_EAP_SIM=y
 
+# Enable SIM simulator (Milenage) for EAP-SIM
+#CONFIG_SIM_SIMULATOR=y
+
 # EAP-PSK (experimental; this is _not_ needed for WPA-PSK)
 #CONFIG_EAP_PSK=y
 
@@ -163,6 +182,9 @@ CONFIG_EAP_IKEV2=y
 # EAP-EKE
 #CONFIG_EAP_EKE=y
 
+# MACsec
+CONFIG_MACSEC=y
+
 # PKCS#12 (PFX) support (used to read private key and certificate file from
 # a file that usually has extension .p12 or .pfx)
 CONFIG_PKCS12=y
@@ -223,7 +245,10 @@ CONFIG_CTRL_IFACE=y
 # wpa_passphrase). This saves about 0.5 kB in code size.
 #CONFIG_NO_WPA_PASSPHRASE=y
 
-# Disable scan result processing (ap_mode=1) to save code size by about 1 kB.
+# Simultaneous Authentication of Equals (SAE), WPA3-Personal
+CONFIG_SAE=y
+
+# Disable scan result processing (ap_scan=1) to save code size by about 1 kB.
 # This can be used if ap_scan=1 mode is never enabled.
 #CONFIG_NO_SCAN_PROCESSING=y
 
@@ -267,6 +292,9 @@ CONFIG_BACKEND=file
 # Should we use epoll instead of select? Select is used by default.
 #CONFIG_ELOOP_EPOLL=y
 
+# Should we use kqueue instead of select? Select is used by default.
+#CONFIG_ELOOP_KQUEUE=y
+
 # Select layer 2 packet implementation
 # linux = Linux packet socket (default)
 # pcap = libpcap/libdnet/WinPcap
@@ -276,17 +304,20 @@ CONFIG_BACKEND=file
 # none = Empty template
 #CONFIG_L2_PACKET=linux
 
-# PeerKey handshake for Station to Station Link (IEEE 802.11e DLS)
-CONFIG_PEERKEY=y
+# Disable Linux packet socket workaround applicable for station interface
+# in a bridge for EAPOL frames. This should be uncommented only if the kernel
+# is known to not have the regression issue in packet socket behavior with
+# bridge interfaces (commit 'bridge: respect RFC2863 operational state')').
+#CONFIG_NO_LINUX_PACKET_SOCKET_WAR=y
 
-# IEEE 802.11w (management frame protection), also known as PMF
-# Driver support is also needed for IEEE 802.11w.
-CONFIG_IEEE80211W=y
+# Support Operating Channel Validation
+#CONFIG_OCV=y
 
 # Select TLS implementation
 # openssl = OpenSSL (default)
 # gnutls = GnuTLS
 # internal = Internal TLSv1 implementation (experimental)
+# linux = Linux kernel AF_ALG and internal TLSv1 implementation (experimental)
 # none = Empty template
 #CONFIG_TLS=openssl
 
@@ -304,6 +335,10 @@ CONFIG_IEEE80211W=y
 # will be used)
 #CONFIG_TLSV12=y
 
+# Select which ciphers to use by default with OpenSSL if the user does not
+# specify them.
+#CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW"
+
 # If CONFIG_TLS=internal is used, additional library and include paths are
 # needed for LibTomMath. Alternatively, an integrated, minimal version of
 # LibTomMath can be used. See beginning of libtommath.c for details on benefits
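Review bot: Dropping `CONFIG_IEEE80211W=y` in the second hunk only keeps management frame protection in the build if the release being configured no longer has that switch; the rebased restore-old-dbus-interface.patch later in this diff targets wpa_supplicant-2.10, where that is presumably the case, but nothing in this hunk records it. If the target were older, PMF would silently drop out while `CONFIG_SAE=y` is being enabled elsewhere in this file, and SAE/WPA3-Personal depends on PMF. Suggest leaving a marker where the option was removed, e.g. `# IEEE 802.11w (PMF) is always built since 2.10; no build option`, so the next rebase does not reintroduce it by accident. The same "2.10 already has it" assumption underlies the four CVE patch deletions at the top of this diff and deserves one line in the changelog.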
@@ -331,7 +366,7 @@ CONFIG_IEEE80211W=y
 CONFIG_CTRL_IFACE_DBUS=y
 
 # Add support for new DBus control interface
-# (fi.w1.hostap.wpa_supplicant1)
+# (fi.w1.wpa_supplicant1)
 CONFIG_CTRL_IFACE_DBUS_NEW=y
 
 # Add introspection support for new DBus control interface
@@ -358,14 +393,14 @@ CONFIG_CTRL_IFACE_DBUS_INTRO=y
 # amount of memory/flash.
 #CONFIG_DYNAMIC_EAP_METHODS=y
 
-# IEEE Std 802.11r-2008 (Fast BSS Transition)
-#CONFIG_IEEE80211R=y
+# IEEE Std 802.11r-2008 (Fast BSS Transition) for station mode
+# CONFIG_IEEE80211R=y
 
 # Add support for writing debug log to a file (/tmp/wpa_supplicant-log-#.txt)
 CONFIG_DEBUG_FILE=y
 
 # Send debug messages to syslog instead of stdout
-#CONFIG_DEBUG_SYSLOG=y
+# CONFIG_DEBUG_SYSLOG=y
 
 # Set syslog facility for debug messages
 #CONFIG_DEBUG_SYSLOG_FACILITY=LOG_DAEMON
@@ -435,11 +470,12 @@ CONFIG_DEBUG_FILE=y
 # that meet the requirements described above.
 CONFIG_NO_RANDOM_POOL=y
 
-# IEEE 802.11n (High Throughput) support (mainly for AP mode)
-CONFIG_IEEE80211N=y
+# Should we attempt to use the getrandom(2) call that provides more reliable
+# yet secure randomness source than /dev/random on Linux 3.17 and newer.
+# Requires glibc 2.25 to build, falls back to /dev/random if unavailable.
+#CONFIG_GETRANDOM=y
 
 # IEEE 802.11ac (Very High Throughput) support (mainly for AP mode)
-# (depends on CONFIG_IEEE80211N)
 CONFIG_IEEE80211AC=y
 
 # Wireless Network Management (IEEE Std 802.11v-2011)
@@ -450,10 +486,13 @@ CONFIG_IEEE80211AC=y
 # This can be used to enable functionality to improve interworking with
 # external networks (GAS/ANQP to learn more about the networks and network
 # selection based on available credentials).
-#CONFIG_INTERWORKING=y
+CONFIG_INTERWORKING=y
 
 # Hotspot 2.0
-#CONFIG_HS20=y
+CONFIG_HS20=y
+
+# Enable interface matching in wpa_supplicant
+#CONFIG_MATCH_IFACE=y
 
 # Disable roaming in wpa_supplicant
 #CONFIG_NO_ROAMING=y
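Review bot: `# CONFIG_IEEE80211R=y` and `# CONFIG_DEBUG_SYSLOG=y` in the second hunk put a space between `#` and the option name, which no other disabled option in this file does (`#CONFIG_...=y` throughout). Both lines are ignored either way, so the build is unaffected, but the odd form defeats a `grep '^#CONFIG_IEEE80211R'` and reads like an unfinished edit. Suggest `#CONFIG_IEEE80211R=y` and `#CONFIG_DEBUG_SYSLOG=y`.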
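Review bot: `#CONFIG_GETRANDOM=y` is added commented out in the third hunk while `CONFIG_NO_RANDOM_POOL=y` stays enabled just above it, so the build keeps the device-file randomness path instead of the getrandom(2) call the new comment itself describes as more reliable. The comment states the requirements (Linux 3.17, glibc 2.25) and that it falls back if unavailable, so for a package that is being rebased onto wpa_supplicant-2.10 there seems little reason to leave it off; presumably the build host meets both. Suggest `CONFIG_GETRANDOM=y`.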
@@ -473,8 +512,8 @@ CONFIG_P2P=y
 # Enable TDLS support
 CONFIG_TDLS=y
 
-# Wi-Fi Direct
-# This can be used to enable Wi-Fi Direct extensions for P2P using an external
+# Wi-Fi Display
+# This can be used to enable Wi-Fi Display extensions for P2P using an external
 # program to control the additional information exchanges in the messages.
 CONFIG_WIFI_DISPLAY=y
 
@@ -495,12 +534,106 @@ CONFIG_WIFI_DISPLAY=y
 #
 # External password backend for testing purposes (developer use)
 #CONFIG_EXT_PASSWORD_TEST=y
+# File-based backend to read passwords from an external file.
+#CONFIG_EXT_PASSWORD_FILE=y
 
-# Enable background scan to improve roaming
-CONFIG_BGSCAN_SIMPLE=y
+# Enable Fast Session Transfer (FST)
+#CONFIG_FST=y
 
-# Enable RSN IBSS/AdHoc
+# Enable CLI commands for FST testing
+#CONFIG_FST_TEST=y
+
+# OS X builds. This is only for building eapol_test.
+#CONFIG_OSX=y
+
+# Automatic Channel Selection
+# This will allow wpa_supplicant to pick the channel automatically when channel
+# is set to "0".
+#
+# TODO: Extend parser to be able to parse "channel=acs_survey" as an alternative
+# to "channel=0". This would enable us to eventually add other ACS algorithms in
+# similar way.
+#
+# Automatic selection is currently only done through initialization, later on
+# we hope to do background checks to keep us moving to more ideal channels as
+# time goes by. ACS is currently only supported through the nl80211 driver and
+# your driver must have survey dump capability that is filled by the driver
+# during scanning.
+#
+# TODO: In analogy to hostapd be able to customize the ACS survey algorithm with
+# a newly to create wpa_supplicant.conf variable acs_num_scans.
+#
+# Supported ACS drivers:
+# * ath9k
+# * ath5k
+# * ath10k
+#
+# For more details refer to:
+# http://wireless.kernel.org/en/users/Documentation/acs
+#CONFIG_ACS=y
+
+# Support Multi Band Operation
+#CONFIG_MBO=y
+
+# Fast Initial Link Setup (FILS) (IEEE 802.11ai)
+#CONFIG_FILS=y
+# FILS shared key authentication with PFS
+#CONFIG_FILS_SK_PFS=y
+
+# Support RSN on IBSS networks
+# This is needed to be able to use mode=1 network profile with proto=RSN and
+# key_mgmt=WPA-PSK (i.e., full key management instead of WPA-None).
 CONFIG_IBSS_RSN=y
 
-# Enable SAE support
-CONFIG_SAE=y
+# External PMKSA cache control
+# This can be used to enable control interface commands that allow the current
+# PMKSA cache entries to be fetched and new entries to be added.
+#CONFIG_PMKSA_CACHE_EXTERNAL=y
+
+# Mesh Networking (IEEE 802.11s)
+#CONFIG_MESH=y
+
+# Background scanning modules
+# These can be used to request wpa_supplicant to perform background scanning
+# operations for roaming within an ESS (same SSID). See the bgscan parameter in
+# the wpa_supplicant.conf file for more details.
+# Periodic background scans based on signal strength
+CONFIG_BGSCAN_SIMPLE=y
+# Learn channels used by the network and try to avoid bgscans on other
+# channels (experimental)
+#CONFIG_BGSCAN_LEARN=y
+
+# Opportunistic Wireless Encryption (OWE)
+# Experimental implementation of draft-harkins-owe-07.txt
+#CONFIG_OWE=y
+
+# Device Provisioning Protocol (DPP) (also known as Wi-Fi Easy Connect)
+CONFIG_DPP=y
+# DPP version 2 support
+CONFIG_DPP2=y
+# DPP version 3 support (experimental and still changing; do not enable for
+# production use)
+#CONFIG_DPP3=y
+
+# Wired equivalent privacy (WEP)
+# WEP is an obsolete cryptographic data confidentiality algorithm that is not
+# considered secure. It should not be used for anything anymore. The
+# functionality needed to use WEP is available in the current wpa_supplicant
+# release under this optional build parameter. This functionality is subject to
+# be completely removed in a future release.
+CONFIG_WEP=y
+
+# Remove all TKIP functionality
+# TKIP is an old cryptographic data confidentiality algorithm that is not
+# considered secure. It should not be used anymore for anything else than a
+# backwards compatibility option as a group cipher when connecting to APs that
+# use WPA+WPA2 mixed mode. For now, the default wpa_supplicant build includes
+# support for this by default, but that functionality is subject to be removed
+# in the future.
+#CONFIG_NO_TKIP=y + +# Pre-Association Security Negotiation (PASN) +# Experimental implementation based on IEEE P802.11z/D2.6 and the protocol +# design is still subject to change. As such, this should not yet be enabled in +# production use. +#CONFIG_PASN=y diff --git a/restore-old-dbus-interface.patch b/restore-old-dbus-interface.patch index 30db9b0..6596378 100644 --- a/restore-old-dbus-interface.patch +++ b/restore-old-dbus-interface.patch @@ -10,11 +10,11 @@ Date: Fri Apr 17 10:34:30 2020 +0200 wicked still uses the old dbus interface and porting it is hard. -diff --git a/wpa_supplicant/Android.mk b/wpa_supplicant/Android.mk -index b5d982de3..37be1ce35 100644 ---- a/wpa_supplicant/Android.mk -+++ b/wpa_supplicant/Android.mk -@@ -1448,25 +1448,44 @@ endif +Index: wpa_supplicant-2.10/wpa_supplicant/Android.mk +=================================================================== +--- wpa_supplicant-2.10.orig/wpa_supplicant/Android.mk ++++ wpa_supplicant-2.10/wpa_supplicant/Android.mk +@@ -1471,25 +1471,44 @@ endif OBJS += ctrl_iface.c ctrl_iface_$(CONFIG_CTRL_IFACE).c endif @@ -69,11 +69,11 @@ index b5d982de3..37be1ce35 100644 ifdef CONFIG_CTRL_IFACE_BINDER WPA_SUPPLICANT_USE_BINDER=y L_CFLAGS += -DCONFIG_BINDER -DCONFIG_CTRL_IFACE_BINDER -diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile -index f1384d5fa..9555495e1 100644 ---- a/wpa_supplicant/Makefile -+++ b/wpa_supplicant/Makefile -@@ -55,6 +55,7 @@ ALL += systemd/wpa_supplicant.service +Index: wpa_supplicant-2.10/wpa_supplicant/Makefile +=================================================================== +--- wpa_supplicant-2.10.orig/wpa_supplicant/Makefile ++++ wpa_supplicant-2.10/wpa_supplicant/Makefile +@@ -9,6 +9,7 @@ ALL += systemd/wpa_supplicant.service ALL += systemd/wpa_supplicant@.service ALL += systemd/wpa_supplicant-nl80211@.service ALL += systemd/wpa_supplicant-wired@.service 
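Review bot: `CONFIG_WEP=y` is switched on in the added block directly under a comment stating that WEP "is not considered secure" and "should not be used for anything anymore", so this build deliberately keeps the WEP key handling reachable from any network profile. A distribution config should leave it at `#CONFIG_WEP=y` unless a named consumer still needs it, and in that case the reason belongs next to the line, e.g. `# kept for legacy networks; see bsc#NNN`. The neighbouring `#CONFIG_NO_TKIP=y` leaves TKIP compiled in, which matches the comment's stated upstream default and is defensible for WPA/WPA2 mixed-mode group cipher, but the two choices together should be called out in the changelog so they are revisited at the next rebase.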
@@ -81,7 +81,7 @@ index f1384d5fa..9555495e1 100644 ALL += dbus/fi.w1.wpa_supplicant1.service ifdef CONFIG_BUILD_WPA_CLIENT_SO ALL += libwpa_client.so -@@ -1605,17 +1606,35 @@ endif +@@ -1606,17 +1607,35 @@ endif OBJS += ctrl_iface.o ctrl_iface_$(CONFIG_CTRL_IFACE).o endif @@ -124,7 +124,7 @@ index f1384d5fa..9555495e1 100644 endif ifndef DBUS_LIBS DBUS_LIBS := $(shell $(PKG_CONFIG) --libs dbus-1) -@@ -1624,13 +1643,22 @@ ifndef DBUS_INCLUDE +@@ -1625,13 +1644,22 @@ ifndef DBUS_INCLUDE DBUS_INCLUDE := $(shell $(PKG_CONFIG) --cflags dbus-1) endif ifdef CONFIG_CTRL_IFACE_DBUS_INTRO @@ -151,8 +151,8 @@ index f1384d5fa..9555495e1 100644 ifdef CONFIG_READLINE OBJS_c += ../src/utils/edit_readline.o LIBS_c += -lreadline -lncurses -@@ -1992,11 +2020,13 @@ else - endif +@@ -2015,11 +2043,13 @@ eap_gpsk.so: $(SRC_EAP_GPSK) + @$(E) " CC/LD " $@ %.service: %.service.in - $(Q)sed -e 's|\@BINDIR\@|$(BINDIR)|g' $< >$@ @@ -167,11 +167,11 @@ index f1384d5fa..9555495e1 100644 @$(E) " sed" $< wpa_supplicant.exe: wpa_supplicant -diff --git a/wpa_supplicant/android.config b/wpa_supplicant/android.config -index 6536c110a..854f48167 100644 ---- a/wpa_supplicant/android.config -+++ b/wpa_supplicant/android.config -@@ -327,6 +327,10 @@ CONFIG_IEEE80211W=y +Index: wpa_supplicant-2.10/wpa_supplicant/android.config +=================================================================== +--- wpa_supplicant-2.10.orig/wpa_supplicant/android.config ++++ wpa_supplicant-2.10/wpa_supplicant/android.config +@@ -323,6 +323,10 @@ CONFIG_L2_PACKET=linux #CONFIG_NDIS_EVENTS_INTEGRATED=y #PLATFORMSDKLIB="/opt/Program Files/Microsoft Platform SDK/Lib" 
@@ -182,10 +182,10 @@ index 6536c110a..854f48167 100644 # Add support for new DBus control interface # (fi.w1.hostap.wpa_supplicant1) #CONFIG_CTRL_IFACE_DBUS_NEW=y -diff --git a/wpa_supplicant/dbus/Makefile b/wpa_supplicant/dbus/Makefile -index 4d8700428..f355ebef5 100644 ---- a/wpa_supplicant/dbus/Makefile -+++ b/wpa_supplicant/dbus/Makefile +Index: wpa_supplicant-2.10/wpa_supplicant/dbus/Makefile +=================================================================== +--- wpa_supplicant-2.10.orig/wpa_supplicant/dbus/Makefile ++++ wpa_supplicant-2.10/wpa_supplicant/dbus/Makefile @@ -36,6 +36,7 @@ CFLAGS += -DCONFIG_WPS endif @@ -211,10 +211,10 @@ index 4d8700428..f355ebef5 100644 LIB_OBJS += dbus_new_handlers_wps.o endif -diff --git a/wpa_supplicant/dbus/dbus-wpa_supplicant.conf b/wpa_supplicant/dbus/dbus-wpa_supplicant.conf -index e81b495f4..382dcb343 100644 ---- a/wpa_supplicant/dbus/dbus-wpa_supplicant.conf -+++ b/wpa_supplicant/dbus/dbus-wpa_supplicant.conf +Index: wpa_supplicant-2.10/wpa_supplicant/dbus/dbus-wpa_supplicant.conf +=================================================================== +--- wpa_supplicant-2.10.orig/wpa_supplicant/dbus/dbus-wpa_supplicant.conf ++++ wpa_supplicant-2.10/wpa_supplicant/dbus/dbus-wpa_supplicant.conf @@ -3,6 +3,11 @@ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd"> @@ -237,10 +237,10 @@ index e81b495f4..382dcb343 100644 -diff --git a/wpa_supplicant/dbus/dbus_common.c b/wpa_supplicant/dbus/dbus_common.c -index efa6c7b20..7ef6cad62 100644 ---- a/wpa_supplicant/dbus/dbus_common.c -+++ b/wpa_supplicant/dbus/dbus_common.c +Index: wpa_supplicant-2.10/wpa_supplicant/dbus/dbus_common.c +=================================================================== +--- wpa_supplicant-2.10.orig/wpa_supplicant/dbus/dbus_common.c ++++ wpa_supplicant-2.10/wpa_supplicant/dbus/dbus_common.c @@ -16,6 +16,7 @@ #include "dbus_common.h" #include "dbus_common_i.h" 
@@ -249,7 +249,7 @@ index efa6c7b20..7ef6cad62 100644 #include "../wpa_supplicant_i.h" -@@ -350,6 +351,9 @@ struct wpas_dbus_priv * wpas_dbus_init(struct wpa_global *global) +@@ -351,6 +352,9 @@ struct wpas_dbus_priv * wpas_dbus_init(s #ifdef CONFIG_CTRL_IFACE_DBUS_NEW wpas_dbus_ctrl_iface_init(priv) < 0 || #endif /* CONFIG_CTRL_IFACE_DBUS_NEW */ @@ -259,7 +259,7 @@ index efa6c7b20..7ef6cad62 100644 wpas_dbus_init_common_finish(priv) < 0) { wpas_dbus_deinit(priv); return NULL; -@@ -368,5 +372,9 @@ void wpas_dbus_deinit(struct wpas_dbus_priv *priv) +@@ -369,5 +373,9 @@ void wpas_dbus_deinit(struct wpas_dbus_p wpas_dbus_ctrl_iface_deinit(priv); #endif /* CONFIG_CTRL_IFACE_DBUS_NEW */ @@ -269,11 +269,10 @@ index efa6c7b20..7ef6cad62 100644 + wpas_dbus_deinit_common(priv); } -diff --git a/wpa_supplicant/dbus/dbus_old.c b/wpa_supplicant/dbus/dbus_old.c -new file mode 100644 -index 000000000..88227af7c +Index: wpa_supplicant-2.10/wpa_supplicant/dbus/dbus_old.c +=================================================================== --- /dev/null -+++ b/wpa_supplicant/dbus/dbus_old.c ++++ wpa_supplicant-2.10/wpa_supplicant/dbus/dbus_old.c @@ -0,0 +1,745 @@ +/* + * WPA Supplicant / dbus-based control interface @@ -1020,11 +1019,10 @@ index 000000000..88227af7c + } + return NULL; +} -diff --git a/wpa_supplicant/dbus/dbus_old.h b/wpa_supplicant/dbus/dbus_old.h -new file mode 100644 -index 000000000..451a9f827 +Index: wpa_supplicant-2.10/wpa_supplicant/dbus/dbus_old.h +=================================================================== --- /dev/null -+++ b/wpa_supplicant/dbus/dbus_old.h ++++ wpa_supplicant-2.10/wpa_supplicant/dbus/dbus_old.h @@ -0,0 +1,142 @@ +/* + * WPA Supplicant / dbus-based control interface 
@@ -1168,11 +1166,10 @@ index 000000000..451a9f827 +#endif /* CONFIG_CTRL_IFACE_DBUS */ + +#endif /* CTRL_IFACE_DBUS_H */ -diff --git a/wpa_supplicant/dbus/dbus_old_handlers.c b/wpa_supplicant/dbus/dbus_old_handlers.c -new file mode 100644 -index 000000000..e540832f2 +Index: wpa_supplicant-2.10/wpa_supplicant/dbus/dbus_old_handlers.c +=================================================================== --- /dev/null -+++ b/wpa_supplicant/dbus/dbus_old_handlers.c ++++ wpa_supplicant-2.10/wpa_supplicant/dbus/dbus_old_handlers.c @@ -0,0 +1,1393 @@ +/* + * WPA Supplicant / dbus-based control interface @@ -2567,11 +2564,10 @@ index 000000000..e540832f2 + + return wpas_dbus_new_success_reply(message); +} -diff --git a/wpa_supplicant/dbus/dbus_old_handlers.h b/wpa_supplicant/dbus/dbus_old_handlers.h -new file mode 100644 -index 000000000..e60ad06a0 +Index: wpa_supplicant-2.10/wpa_supplicant/dbus/dbus_old_handlers.h +=================================================================== --- /dev/null -+++ b/wpa_supplicant/dbus/dbus_old_handlers.h ++++ wpa_supplicant-2.10/wpa_supplicant/dbus/dbus_old_handlers.h @@ -0,0 +1,101 @@ +/* + * WPA Supplicant / dbus-based control interface @@ -2674,11 +2670,10 @@ index 000000000..e60ad06a0 + +#endif /* CTRL_IFACE_DBUS_HANDLERS_H */ + -diff --git a/wpa_supplicant/dbus/dbus_old_handlers_wps.c b/wpa_supplicant/dbus/dbus_old_handlers_wps.c -new file mode 100644 -index 000000000..6c8405b85 +Index: wpa_supplicant-2.10/wpa_supplicant/dbus/dbus_old_handlers_wps.c +=================================================================== --- /dev/null -+++ b/wpa_supplicant/dbus/dbus_old_handlers_wps.c ++++ wpa_supplicant-2.10/wpa_supplicant/dbus/dbus_old_handlers_wps.c @@ -0,0 +1,156 @@ +/* + * WPA Supplicant / dbus-based control interface (WPS) 
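Review bot: The dropped `-index 000000000..e540832f2` header in the first hunk was the only content identifier for the re-added dbus_old_handlers.c; with the quilt-style `Index:` form nothing now ties this 1393-line file (`+@@ -0,0 +1,1393 @@`) to the upstream revision it was lifted from. The patch description says it is kept because "wicked still uses the old dbus interface", and the `--- /dev/null` side shows it is absent from 2.10, so these handlers are presumably unmaintained upstream while still parsing messages from whatever bus peers the D-Bus policy admits. Suggest recording provenance in the patch header, e.g. `dbus_old*.[ch] copied verbatim from hostap <commit>, the last release shipping them`, so future CVE triage can diff against a known base. The same applies to the other re-added dbus_old* files in this patch, whose hunks also lose their index lines.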
@@ -2836,22 +2831,21 @@ index 000000000..6c8405b85 + + return wpas_dbus_new_success_reply(message); +} -diff --git a/wpa_supplicant/dbus/fi.epitest.hostap.WPASupplicant.service.in b/wpa_supplicant/dbus/fi.epitest.hostap.WPASupplicant.service.in -new file mode 100644 -index 000000000..a75918f93 +Index: wpa_supplicant-2.10/wpa_supplicant/dbus/fi.epitest.hostap.WPASupplicant.service.in +=================================================================== --- /dev/null -+++ b/wpa_supplicant/dbus/fi.epitest.hostap.WPASupplicant.service.in ++++ wpa_supplicant-2.10/wpa_supplicant/dbus/fi.epitest.hostap.WPASupplicant.service.in @@ -0,0 +1,5 @@ +[D-BUS Service] +Name=fi.epitest.hostap.WPASupplicant +Exec=@BINDIR@/wpa_supplicant -u +User=root +SystemdService=wpa_supplicant.service -diff --git a/wpa_supplicant/defconfig b/wpa_supplicant/defconfig -index cdfb1974d..57550d495 100644 ---- a/wpa_supplicant/defconfig -+++ b/wpa_supplicant/defconfig -@@ -365,6 +365,10 @@ CONFIG_IEEE80211W=y +Index: wpa_supplicant-2.10/wpa_supplicant/defconfig +=================================================================== +--- wpa_supplicant-2.10.orig/wpa_supplicant/defconfig ++++ wpa_supplicant-2.10/wpa_supplicant/defconfig +@@ -361,6 +361,10 @@ CONFIG_BACKEND=file #CONFIG_NDIS_EVENTS_INTEGRATED=y #PLATFORMSDKLIB="/opt/Program Files/Microsoft Platform SDK/Lib" 
@@ -2860,13 +2854,13 @@ index cdfb1974d..57550d495 100644 +#CONFIG_CTRL_IFACE_DBUS=y + # Add support for new DBus control interface - # (fi.w1.hostap.wpa_supplicant1) + # (fi.w1.wpa_supplicant1) CONFIG_CTRL_IFACE_DBUS_NEW=y -diff --git a/wpa_supplicant/doc/docbook/wpa_supplicant.sgml b/wpa_supplicant/doc/docbook/wpa_supplicant.sgml -index aaff15002..ebf102edf 100644 ---- a/wpa_supplicant/doc/docbook/wpa_supplicant.sgml -+++ b/wpa_supplicant/doc/docbook/wpa_supplicant.sgml -@@ -471,7 +471,7 @@ +Index: wpa_supplicant-2.10/wpa_supplicant/doc/docbook/wpa_supplicant.sgml +=================================================================== +--- wpa_supplicant-2.10.orig/wpa_supplicant/doc/docbook/wpa_supplicant.sgml ++++ wpa_supplicant-2.10/wpa_supplicant/doc/docbook/wpa_supplicant.sgml +@@ -475,7 +475,7 @@ Enable DBus control interface. If enabled, interface definitions may be omitted. (This is only available if wpa_supplicant was built with @@ -2875,11 +2869,10 @@ index aaff15002..ebf102edf 100644 -diff --git a/wpa_supplicant/examples/wpas-test.py b/wpa_supplicant/examples/wpas-test.py -new file mode 100755 -index 000000000..bdd16a8a8 +Index: wpa_supplicant-2.10/wpa_supplicant/examples/wpas-test.py +=================================================================== --- /dev/null -+++ b/wpa_supplicant/examples/wpas-test.py ++++ wpa_supplicant-2.10/wpa_supplicant/examples/wpas-test.py @@ -0,0 +1,91 @@ +#!/usr/bin/python + @@ -2972,10 +2965,10 @@ index 000000000..bdd16a8a8 +if __name__ == "__main__": + main() + -diff --git a/wpa_supplicant/main.c b/wpa_supplicant/main.c -index 51a8a0298..e08c2fd26 100644 ---- a/wpa_supplicant/main.c -+++ b/wpa_supplicant/main.c +Index: wpa_supplicant-2.10/wpa_supplicant/main.c +=================================================================== +--- wpa_supplicant-2.10.orig/wpa_supplicant/main.c ++++ wpa_supplicant-2.10/wpa_supplicant/main.c @@ -28,9 +28,9 @@ static void usage(void) "s" #endif /* CONFIG_DEBUG_SYSLOG */ 
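Review bot: Switching the `wpa_supplicant/examples/wpas-test.py` section from git headers to quilt `Index:` headers drops the `-new file mode 100755` line, so the refreshed patch no longer carries any mode for that script and `patch`/quilt will create it with the default mode rather than executable, whereas the previous git-format patch did record the bit. If the example is meant to stay runnable, either keep git-format headers for the new files in this patch or set the mode in the spec outside this diff, and note the choice in the patch's header comment (which is outside this diff). The same format conversion at the `@@ -3155,26 +3148,3 @@` hunk also deletes the trailing commit record of the "Fixup ^ for 2019 API changes" change that is now folded into the `wpas_notify_certification` hunk; a one-line mention in the patch header, e.g. `Includes the notify_certification fixup from bc0634da4a3ef468f3142fb39ebdabb08566f411`, would preserve that provenance, since the refreshed hunk gives no hint that two changes were merged.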
@@ -3014,10 +3007,10 @@ index 51a8a0298..e08c2fd26 100644 case 'v': printf("%s\n", wpa_supplicant_version); exitcode = 0; -diff --git a/wpa_supplicant/notify.c b/wpa_supplicant/notify.c -index e41d7c41c..f47f9bb76 100644 ---- a/wpa_supplicant/notify.c -+++ b/wpa_supplicant/notify.c +Index: wpa_supplicant-2.10/wpa_supplicant/notify.c +=================================================================== +--- wpa_supplicant-2.10.orig/wpa_supplicant/notify.c ++++ wpa_supplicant-2.10/wpa_supplicant/notify.c @@ -15,6 +15,7 @@ #include "wps_supplicant.h" #include "binder/binder.h" @@ -3026,7 +3019,7 @@ index e41d7c41c..f47f9bb76 100644 #include "dbus/dbus_new.h" #include "rsn_supp/wpa.h" #include "fst/fst.h" -@@ -27,13 +28,13 @@ +@@ -28,13 +29,13 @@ int wpas_notify_supplicant_initialized(struct wpa_global *global) { @@ -3042,7 +3035,7 @@ index e41d7c41c..f47f9bb76 100644 #ifdef CONFIG_BINDER global->binder = wpas_binder_init(global); -@@ -47,10 +48,10 @@ int wpas_notify_supplicant_initialized(struct wpa_global *global) +@@ -48,10 +49,10 @@ int wpas_notify_supplicant_initialized(s void wpas_notify_supplicant_deinitialized(struct wpa_global *global) { @@ -3055,7 +3048,7 @@ index e41d7c41c..f47f9bb76 100644 #ifdef CONFIG_BINDER if (global->binder) -@@ -64,6 +65,9 @@ int wpas_notify_iface_added(struct wpa_supplicant *wpa_s) +@@ -65,6 +66,9 @@ int wpas_notify_iface_added(struct wpa_s if (wpa_s->p2p_mgmt) return 0; @@ -3065,7 +3058,7 @@ index e41d7c41c..f47f9bb76 100644 if (wpas_dbus_register_interface(wpa_s)) return -1; -@@ -76,6 +80,9 @@ void wpas_notify_iface_removed(struct wpa_supplicant *wpa_s) +@@ -77,6 +81,9 @@ void wpas_notify_iface_removed(struct wp if (wpa_s->p2p_mgmt) return; 
@@ -3075,7 +3068,7 @@ index e41d7c41c..f47f9bb76 100644 /* unregister interface in new DBus ctrl iface */ wpas_dbus_unregister_interface(wpa_s); } -@@ -88,6 +95,10 @@ void wpas_notify_state_changed(struct wpa_supplicant *wpa_s, +@@ -89,6 +96,10 @@ void wpas_notify_state_changed(struct wp if (wpa_s->p2p_mgmt) return; @@ -3086,7 +3079,7 @@ index e41d7c41c..f47f9bb76 100644 /* notify the new DBus API */ wpas_dbus_signal_prop_changed(wpa_s, WPAS_DBUS_PROP_STATE); -@@ -257,6 +268,9 @@ void wpas_notify_scanning(struct wpa_supplicant *wpa_s) +@@ -258,6 +269,9 @@ void wpas_notify_scanning(struct wpa_sup if (wpa_s->p2p_mgmt) return; @@ -3096,7 +3089,7 @@ index e41d7c41c..f47f9bb76 100644 /* notify the new DBus API */ wpas_dbus_signal_prop_changed(wpa_s, WPAS_DBUS_PROP_SCANNING); } -@@ -276,6 +290,9 @@ void wpas_notify_scan_results(struct wpa_supplicant *wpa_s) +@@ -277,6 +291,9 @@ void wpas_notify_scan_results(struct wpa if (wpa_s->p2p_mgmt) return; @@ -3106,7 +3099,7 @@ index e41d7c41c..f47f9bb76 100644 wpas_wps_notify_scan_results(wpa_s); } -@@ -287,6 +304,8 @@ void wpas_notify_wps_credential(struct wpa_supplicant *wpa_s, +@@ -288,6 +305,8 @@ void wpas_notify_wps_credential(struct w return; #ifdef CONFIG_WPS 
@@ -3115,21 +3108,21 @@ index e41d7c41c..f47f9bb76 100644 /* notify the new DBus API */ wpas_dbus_signal_wps_cred(wpa_s, cred); #endif /* CONFIG_WPS */ -@@ -818,6 +837,9 @@ void wpas_notify_certification(struct wpa_supplicant *wpa_s, +@@ -831,6 +850,9 @@ void wpas_notify_certification(struct wp wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_EAP_PEER_ALT "depth=%d %s", cert->depth, cert->altsubject[i]); + /* notify the old DBus API */ -+ wpa_supplicant_dbus_notify_certification(wpa_s, depth, subject, -+ cert_hash, cert); ++ wpa_supplicant_dbus_notify_certification(wpa_s, cert->depth, cert->subject, ++ cert_hash, cert->cert); /* notify the new DBus API */ wpas_dbus_signal_certification(wpa_s, cert->depth, cert->subject, cert->altsubject, cert->num_altsubject, -diff --git a/wpa_supplicant/systemd/wpa_supplicant.service.in b/wpa_supplicant/systemd/wpa_supplicant.service.in -index 75a37a8cd..bc5d49af8 100644 ---- a/wpa_supplicant/systemd/wpa_supplicant.service.in -+++ b/wpa_supplicant/systemd/wpa_supplicant.service.in -@@ -5,9 +5,9 @@ Wants=network.target +Index: wpa_supplicant-2.10/wpa_supplicant/systemd/wpa_supplicant.service.in +=================================================================== +--- wpa_supplicant-2.10.orig/wpa_supplicant/systemd/wpa_supplicant.service.in ++++ wpa_supplicant-2.10/wpa_supplicant/systemd/wpa_supplicant.service.in +@@ -6,9 +6,9 @@ Wants=network.target [Service] Type=dbus 
@@ -3141,11 +3134,11 @@ index 75a37a8cd..bc5d49af8 100644 WantedBy=multi-user.target -Alias=dbus-fi.w1.wpa_supplicant1.service +Alias=dbus-@DBUS_INTERFACE@.service -diff --git a/wpa_supplicant/wpa_supplicant_i.h b/wpa_supplicant/wpa_supplicant_i.h -index 8a4bdf8cb..c7b131cc1 100644 ---- a/wpa_supplicant/wpa_supplicant_i.h -+++ b/wpa_supplicant/wpa_supplicant_i.h -@@ -504,6 +504,9 @@ struct wpa_supplicant { +Index: wpa_supplicant-2.10/wpa_supplicant/wpa_supplicant_i.h +=================================================================== +--- wpa_supplicant-2.10.orig/wpa_supplicant/wpa_supplicant_i.h ++++ wpa_supplicant-2.10/wpa_supplicant/wpa_supplicant_i.h +@@ -706,6 +706,9 @@ struct wpa_supplicant { #ifdef CONFIG_MATCH_IFACE int matched; #endif /* CONFIG_MATCH_IFACE */ @@ -3155,26 +3148,3 @@ index 8a4bdf8cb..c7b131cc1 100644 #ifdef CONFIG_CTRL_IFACE_DBUS_NEW char *dbus_new_path; char *dbus_groupobj_path; -commit 2df86203526b872c3c17cf135340b9b3c8c35594 -Author: Bernhard M. Wiedemann -Date: Fri Apr 17 10:46:56 2020 +0200 - - Fixup ^ for 2019 API changes - - From bc0634da4a3ef468f3142fb39ebdabb08566f411 - -diff --git a/wpa_supplicant/notify.c b/wpa_supplicant/notify.c -index f47f9bb76..2db8bc850 100644 ---- a/wpa_supplicant/notify.c -+++ b/wpa_supplicant/notify.c -@@ -838,8 +838,8 @@ void wpas_notify_certification(struct wpa_supplicant *wpa_s, - "depth=%d %s", cert->depth, cert->altsubject[i]); - - /* notify the old DBus API */ -- wpa_supplicant_dbus_notify_certification(wpa_s, depth, subject, -- cert_hash, cert); -+ wpa_supplicant_dbus_notify_certification(wpa_s, cert->depth, cert->subject, -+ cert_hash, cert->cert); - /* notify the new DBus API */ - wpas_dbus_signal_certification(wpa_s, cert->depth, cert->subject, - cert->altsubject, cert->num_altsubject, diff --git a/wpa_supplicant-2.10.tar.gz b/wpa_supplicant-2.10.tar.gz new file mode 100644 index 0000000..1c2bd58 --- /dev/null +++ b/wpa_supplicant-2.10.tar.gz 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:20df7ae5154b3830355f8ab4269123a87affdea59fe74fe9292a91d0d7e17b2f +size 3511622 diff --git a/wpa_supplicant-2.9.tar.gz b/wpa_supplicant-2.9.tar.gz deleted file mode 100644 index b2f41f3..0000000 --- a/wpa_supplicant-2.9.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:fcbdee7b4a64bea8177973299c8c824419c413ec2e3a95db63dd6a5dc3541f17 -size 3231785 diff --git a/wpa_supplicant-alloc_size.patch b/wpa_supplicant-alloc_size.patch index e19d1fb..cd4e7d1 100644 --- a/wpa_supplicant-alloc_size.patch +++ b/wpa_supplicant-alloc_size.patch @@ -1,6 +1,8 @@ ---- wpa_supplicant-2.4.orig/src/utils/os.h -+++ wpa_supplicant-2.4/src/utils/os.h -@@ -253,7 +253,7 @@ int os_file_exists(const char *fname); +Index: wpa_supplicant-2.10/src/utils/os.h +=================================================================== +--- wpa_supplicant-2.10.orig/src/utils/os.h ++++ wpa_supplicant-2.10/src/utils/os.h +@@ -260,7 +260,7 @@ int os_fdatasync(FILE *stream); * * Caller is responsible for freeing the returned buffer with os_free(). */ @@ -9,7 +11,7 @@ /** * os_calloc - Allocate and zero memory for an array -@@ -267,6 +267,8 @@ void * os_zalloc(size_t size); +@@ -274,6 +274,8 @@ void * os_zalloc(size_t size); * * Caller is responsible for freeing the returned buffer with os_free(). */ diff --git a/wpa_supplicant-dump-certificate-as-PEM-in-debug-mode.diff b/wpa_supplicant-dump-certificate-as-PEM-in-debug-mode.diff index 8137649..74fb70d 100644 --- a/wpa_supplicant-dump-certificate-as-PEM-in-debug-mode.diff +++ b/wpa_supplicant-dump-certificate-as-PEM-in-debug-mode.diff 
@@ -9,12 +9,12 @@ Subject: [PATCH] dump certificate as PEM in debug mode src/utils/wpa_debug.h | 8 ++++++++ 3 files changed, 26 insertions(+) -Index: wpa_supplicant-2.4/src/crypto/tls_openssl.c +Index: wpa_supplicant-2.10/src/crypto/tls_openssl.c =================================================================== ---- wpa_supplicant-2.4.orig/src/crypto/tls_openssl.c -+++ wpa_supplicant-2.4/src/crypto/tls_openssl.c -@@ -1484,6 +1484,19 @@ static int tls_verify_cb(int preverify_o - SSL_get_ex_data_X509_STORE_CTX_idx()); +--- wpa_supplicant-2.10.orig/src/crypto/tls_openssl.c ++++ wpa_supplicant-2.10/src/crypto/tls_openssl.c +@@ -2361,6 +2361,19 @@ static int tls_verify_cb(int preverify_o + debug_print_cert(err_cert, buf); X509_NAME_oneline(X509_get_subject_name(err_cert), buf, sizeof(buf)); + if (wpa_debug_enabled(MSG_DEBUG)) { @@ -33,11 +33,11 @@ Index: wpa_supplicant-2.4/src/crypto/tls_openssl.c conn = SSL_get_app_data(ssl); if (conn == NULL) return 0; -Index: wpa_supplicant-2.4/src/utils/wpa_debug.c +Index: wpa_supplicant-2.10/src/utils/wpa_debug.c =================================================================== ---- wpa_supplicant-2.4.orig/src/utils/wpa_debug.c -+++ wpa_supplicant-2.4/src/utils/wpa_debug.c -@@ -62,6 +62,11 @@ static FILE *out_file = NULL; +--- wpa_supplicant-2.10.orig/src/utils/wpa_debug.c ++++ wpa_supplicant-2.10/src/utils/wpa_debug.c +@@ -66,6 +66,11 @@ static int wpa_to_android_level(int leve #endif /* CONFIG_DEBUG_FILE */ 
@@ -49,11 +49,11 @@ Index: wpa_supplicant-2.4/src/utils/wpa_debug.c void wpa_debug_print_timestamp(void) { #ifndef CONFIG_ANDROID_LOG -Index: wpa_supplicant-2.4/src/utils/wpa_debug.h +Index: wpa_supplicant-2.10/src/utils/wpa_debug.h =================================================================== ---- wpa_supplicant-2.4.orig/src/utils/wpa_debug.h -+++ wpa_supplicant-2.4/src/utils/wpa_debug.h -@@ -24,6 +24,7 @@ enum { +--- wpa_supplicant-2.10.orig/src/utils/wpa_debug.h ++++ wpa_supplicant-2.10/src/utils/wpa_debug.h +@@ -25,6 +25,7 @@ enum { #ifdef CONFIG_NO_STDOUT_DEBUG @@ -61,7 +61,7 @@ Index: wpa_supplicant-2.4/src/utils/wpa_debug.h #define wpa_debug_print_timestamp() do { } while (0) #define wpa_printf(args...) do { } while (0) #define wpa_hexdump(l,t,b,le) do { } while (0) -@@ -50,6 +51,13 @@ void wpa_debug_close_file(void); +@@ -51,6 +52,13 @@ void wpa_debug_close_file(void); void wpa_debug_setup_stdout(void); /** diff --git a/wpa_supplicant-flush-debug-output.patch b/wpa_supplicant-flush-debug-output.patch index 6762a91..c901699 100644 --- a/wpa_supplicant-flush-debug-output.patch +++ b/wpa_supplicant-flush-debug-output.patch 
@@ -1,51 +1,56 @@ -Index: src/utils/wpa_debug.c +Index: wpa_supplicant-2.10/src/utils/wpa_debug.c =================================================================== ---- a/src/utils/wpa_debug.c -+++ b/src/utils/wpa_debug.c -@@ -45,6 +45,7 @@ void wpa_debug_print_timestamp(void) - if (out_file) { +--- wpa_supplicant-2.10.orig/src/utils/wpa_debug.c ++++ wpa_supplicant-2.10/src/utils/wpa_debug.c +@@ -76,9 +76,11 @@ void wpa_debug_print_timestamp(void) + + os_get_time(&tv); + #ifdef CONFIG_DEBUG_FILE +- if (out_file) ++ if (out_file) { fprintf(out_file, "%ld.%06u: ", (long) tv.sec, (unsigned int) tv.usec); -+ fflush(out_file); - } else ++ fflush(out_file); ++ } #endif /* CONFIG_DEBUG_FILE */ - printf("%ld.%06u: ", (long) tv.sec, (unsigned int) tv.usec); -@@ -111,6 +112,7 @@ void wpa_printf(int level, const char *f - if (out_file) { + if (!out_file && !wpa_debug_syslog) + printf("%ld.%06u: ", (long) tv.sec, (unsigned int) tv.usec); +@@ -231,6 +233,7 @@ void wpa_printf(int level, const char *f vfprintf(out_file, fmt, ap); fprintf(out_file, "\n"); -+ fflush(out_file); - } else { + va_end(ap); ++ fflush(out_file); + } #endif /* CONFIG_DEBUG_FILE */ - vprintf(fmt, ap); -@@ -146,6 +148,7 @@ static void _wpa_hexdump(int level, cons + if (!wpa_debug_syslog && !out_file) { +@@ -365,6 +368,7 @@ static void _wpa_hexdump(int level, cons fprintf(out_file, " [REMOVED]"); } fprintf(out_file, "\n"); -+ fflush(out_file); - } else { ++ fflush(out_file); + } #endif /* CONFIG_DEBUG_FILE */ - printf("%s - hexdump(len=%lu):", title, (unsigned long) len); -@@ -191,12 +194,14 @@ static void _wpa_hexdump_ascii(int level + if (!wpa_debug_syslog && !out_file) { +@@ -436,12 +440,14 @@ static void _wpa_hexdump_ascii(int level fprintf(out_file, "%s - hexdump_ascii(len=%lu): [REMOVED]\n", title, (unsigned long) len); -+ fflush(out_file); - return; ++ fflush(out_file); + goto file_done; } if (buf == NULL) { fprintf(out_file, "%s - hexdump_ascii(len=%lu): [NULL]\n", title, (unsigned long) len); -+ 
fflush(out_file); - return; ++ fflush(out_file); + goto file_done; } fprintf(out_file, "%s - hexdump_ascii(len=%lu):\n", -@@ -221,6 +226,7 @@ static void _wpa_hexdump_ascii(int level +@@ -466,6 +472,7 @@ static void _wpa_hexdump_ascii(int level pos += llen; len -= llen; } -+ fflush(out_file); - } else { ++ fflush(out_file); + } + file_done: #endif /* CONFIG_DEBUG_FILE */ - if (!show) { diff --git a/wpa_supplicant-getrandom.patch b/wpa_supplicant-getrandom.patch index f5efa97..18295ae 100644 --- a/wpa_supplicant-getrandom.patch +++ b/wpa_supplicant-getrandom.patch @@ -1,7 +1,7 @@ -Index: wpa_supplicant-2.9/src/utils/os_unix.c +Index: wpa_supplicant-2.10/src/utils/os_unix.c =================================================================== ---- wpa_supplicant-2.9.orig/src/utils/os_unix.c -+++ wpa_supplicant-2.9/src/utils/os_unix.c +--- wpa_supplicant-2.10.orig/src/utils/os_unix.c ++++ wpa_supplicant-2.10/src/utils/os_unix.c @@ -6,11 +6,15 @@ * See README for more details. */ @@ -19,7 +19,7 @@ Index: wpa_supplicant-2.9/src/utils/os_unix.c #ifdef ANDROID #include #include -@@ -257,6 +261,10 @@ int os_get_random(unsigned char *buf, si +@@ -263,6 +267,10 @@ int os_get_random(unsigned char *buf, si buf[i] = i & 0xff; return 0; #else /* TEST_FUZZ */ @@ -30,7 +30,7 @@ Index: wpa_supplicant-2.9/src/utils/os_unix.c FILE *f; size_t rc; -@@ -269,10 +277,13 @@ int os_get_random(unsigned char *buf, si +@@ -275,10 +283,13 @@ int os_get_random(unsigned char *buf, si return -1; } diff --git a/wpa_supplicant-p2p_iname_size.diff b/wpa_supplicant-p2p_iname_size.diff deleted file mode 100644 index f863689..0000000 --- a/wpa_supplicant-p2p_iname_size.diff +++ /dev/null 
@@ -1,15 +0,0 @@ -diff --git a/wpa_supplicant/p2p_supplicant.c b/wpa_supplicant/p2p_supplicant.c -index e94bffe52..17c25889c 100644 ---- a/wpa_supplicant/p2p_supplicant.c -+++ b/wpa_supplicant/p2p_supplicant.c -@@ -3929,6 +3929,10 @@ int wpas_p2p_add_p2pdev_interface(struct wpa_supplicant *wpa_s, - wpa_s->ifname); - if (os_snprintf_error(sizeof(ifname), ret)) - return -1; -+ /* Cut length at the maximum size. Note that we don't need to ensure -+ * collision free names here as the created interface is not a netdev. -+ */ -+ ifname[IFNAMSIZ-1] = '\0'; - force_name[0] = '\0'; - wpa_s->pending_interface_type = WPA_IF_P2P_DEVICE; - ret = wpa_drv_if_add(wpa_s, WPA_IF_P2P_DEVICE, ifname, NULL, NULL, diff --git a/wpa_supplicant-sigusr1-changes-debuglevel.patch b/wpa_supplicant-sigusr1-changes-debuglevel.patch index c47b60e..8ecdfe9 100644 --- a/wpa_supplicant-sigusr1-changes-debuglevel.patch +++ b/wpa_supplicant-sigusr1-changes-debuglevel.patch @@ -2,11 +2,13 @@ wpa_supplicant/wpa_supplicant.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) ---- a/wpa_supplicant/wpa_supplicant.c -+++ b/wpa_supplicant/wpa_supplicant.c -@@ -123,6 +123,22 @@ int wpa_set_wep_keys(struct wpa_supplica - return set; - } +Index: wpa_supplicant-2.10/wpa_supplicant/wpa_supplicant.c +=================================================================== +--- wpa_supplicant-2.10.orig/wpa_supplicant/wpa_supplicant.c ++++ wpa_supplicant-2.10/wpa_supplicant/wpa_supplicant.c +@@ -121,6 +121,22 @@ const char *const wpa_supplicant_full_li + "\n"; + #endif /* CONFIG_NO_STDOUT_DEBUG */ +static void wpa_supplicant_handle_sigusr1(int sig, + void *signal_ctx) 
@@ -25,9 +27,9 @@ + ((wpa_debug_level == MSG_MSGDUMP) ? "MSGDUMP" : "UNKNOWN"))); +} - int wpa_supplicant_set_wpa_none_key(struct wpa_supplicant *wpa_s, - struct wpa_ssid *ssid) -@@ -4124,6 +4140,8 @@ int wpa_supplicant_run(struct wpa_global + static void wpa_bss_tmp_disallow_timeout(void *eloop_ctx, void *timeout_ctx); + #if defined(CONFIG_FILS) && defined(IEEE8021X_EAPOL) +@@ -7474,6 +7490,8 @@ int wpa_supplicant_run(struct wpa_global eloop_register_signal_terminate(wpa_supplicant_terminate, global); eloop_register_signal_reconfig(wpa_supplicant_reconfig, global); diff --git a/wpa_supplicant.changes b/wpa_supplicant.changes index c69e074..9a1ce0e 100644 --- a/wpa_supplicant.changes +++ b/wpa_supplicant.changes 
@@ -1,3 +1,63 @@ +------------------------------------------------------------------- +Sun Jan 23 15:33:37 UTC 2022 - Dirk Müller + +- update to 2.10.0: + * SAE changes + - improved protection against side channel attacks + [https://w1.fi/security/2022-1/] + - added support for the hash-to-element mechanism (sae_pwe=1 or + sae_pwe=2); this is currently disabled by default, but will likely + get enabled by default in the future + - fixed PMKSA caching with OKC + - added support for SAE-PK + * EAP-pwd changes + - improved protection against side channel attacks + [https://w1.fi/security/2022-1/] + * fixed P2P provision discovery processing of a specially constructed + invalid frame + [https://w1.fi/security/2021-1/] + * fixed P2P group information processing of a specially constructed + invalid frame + [https://w1.fi/security/2020-2/] + * fixed PMF disconnection protection bypass in AP mode + [https://w1.fi/security/2019-7/] + * added support for using OpenSSL 3.0 + * increased the maximum number of EAP message exchanges (mainly to + support cases with very large certificates) + * fixed various issues in experimental support for EAP-TEAP peer + * added support for DPP release 2 (Wi-Fi Device Provisioning Protocol) + * a number of MKA/MACsec fixes and extensions + * added support for SAE (WPA3-Personal) AP mode configuration + * added P2P support for EDMG (IEEE 802.11ay) channels + * fixed EAP-FAST peer with TLS GCM/CCM ciphers + * improved throughput estimation and BSS selection + * dropped support for libnl 1.1 + * added support for nl80211 control port for EAPOL frame TX/RX + * fixed OWE key derivation with groups 20 and 21; this breaks backwards + compatibility for these groups while the default group 19 remains + backwards compatible + * added support for Beacon protection + * added support for Extended Key ID for pairwise keys + * removed WEP support from the default build (CONFIG_WEP=y can be used + to enable it, if really needed) + * added a build option to 
remove TKIP support (CONFIG_NO_TKIP=y) + * added support for Transition Disable mechanism to allow the AP to + automatically disable transition mode to improve security + * extended D-Bus interface + * added support for PASN + * added a file-based backend for external password storage to allow + secret information to be moved away from the main configuration file + without requiring external tools + * added EAP-TLS peer support for TLS 1.3 (disabled by default for now) + * added support for SCS, MSCS, DSCP policy + * changed driver interface selection to default to automatic fallback + to other compiled in options + * a large number of other fixes, cleanup, and extensions +- drop wpa_supplicant-p2p_iname_size.diff, CVE-2021-30004.patch, + CVE-2021-27803.patch, CVE-2021-0326.patch, CVE-2019-16275.patch: + upstream +- refresh config from 2.10 defconfig, re-enable CONFIG_WEP + ------------------------------------------------------------------- Mon Jan 10 08:27:51 UTC 2022 - Johannes Segitz diff --git a/wpa_supplicant.spec b/wpa_supplicant.spec index 865cc50..bff4da6 100644 --- a/wpa_supplicant.spec +++ b/wpa_supplicant.spec @@ -1,7 +1,7 @@ # # spec file for package wpa_supplicant # -# Copyright (c) 2021 SUSE LLC +# Copyright (c) 2022 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,7 +17,7 @@ Name: wpa_supplicant -Version: 2.9 +Version: 2.10 Release: 0 Summary: WPA supplicant implementation License: BSD-3-Clause AND GPL-2.0-or-later 
@@ -40,11 +40,6 @@ Patch3: wpa_supplicant-alloc_size.patch
 Patch4: wpa_supplicant-getrandom.patch
 Patch5: wpa_supplicant-dump-certificate-as-PEM-in-debug-mode.diff
 Patch6: restore-old-dbus-interface.patch
-Patch7: CVE-2019-16275.patch
-Patch8: wpa_supplicant-p2p_iname_size.diff
-Patch9: CVE-2021-0326.patch
-Patch10: CVE-2021-27803.patch
-Patch11: CVE-2021-30004.patch
 BuildRequires: pkgconfig
 BuildRequires: readline-devel
 BuildRequires: systemd-rpm-macros