rpm/wpa_supplicant
SHA256
1
0
Fork 0
forked from pool/wpa_supplicant
Code Pull Requests Activity

Accepting request 948420 from hardware

Browse Source 
OBS-URL: https://build.opensuse.org/request/show/948420
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/wpa_supplicant?expand=0&rev=90
This commit is contained in:
Dominique Leuenberger 2022-01-26 20:26:39 +00:00 committed by Git OBS Bridge
commit 5dc06d5e03
16 changed files with 388 additions and 512 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

73
CVE-2019-16275.patch
View File

@ -1,73 +0,0 @@
From 8c07fa9eda13e835f3f968b2e1c9a8be3a851ff9 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Thu, 29 Aug 2019 11:52:04 +0300
Subject: [PATCH] AP: Silently ignore management frame from unexpected source
address
Do not process any received Management frames with unexpected/invalid SA
so that we do not add any state for unexpected STA addresses or end up
sending out frames to unexpected destination. This prevents unexpected
sequences where an unprotected frame might end up causing the AP to send
out a response to another device and that other device processing the
unexpected response.
In particular, this prevents some potential denial of service cases
where the unexpected response frame from the AP might result in a
connected station dropping its association.
Signed-off-by: Jouni Malinen <j@w1.fi>
---
src/ap/drv_callbacks.c | 13 +++++++++++++
src/ap/ieee802_11.c | 12 ++++++++++++
2 files changed, 25 insertions(+)
diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c
index 31587685fe3b..34ca379edc3d 100644
--- a/src/ap/drv_callbacks.c
+++ b/src/ap/drv_callbacks.c
@@ -131,6 +131,19 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr,
"hostapd_notif_assoc: Skip event with no address");
return -1;
}
+
+ if (is_multicast_ether_addr(addr) ||
+ is_zero_ether_addr(addr) ||
+ os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) {
+ /* Do not process any frames with unexpected/invalid SA so that
+ * we do not add any state for unexpected STA addresses or end
+ * up sending out frames to unexpected destination. */
+ wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR
+ " in received indication - ignore this indication silently",
+ __func__, MAC2STR(addr));
+ return 0;
+ }
+
random_add_randomness(addr, ETH_ALEN);
hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211,
diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index c85a28db44b7..e7065372e158 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -4626,6 +4626,18 @@ int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
fc = le_to_host16(mgmt->frame_control);
stype = WLAN_FC_GET_STYPE(fc);
+ if (is_multicast_ether_addr(mgmt->sa) ||
+ is_zero_ether_addr(mgmt->sa) ||
+ os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
+ /* Do not process any frames with unexpected/invalid SA so that
+ * we do not add any state for unexpected STA addresses or end
+ * up sending out frames to unexpected destination. */
+ wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR
+ " in received frame - ignore this frame silently",
+ MAC2STR(mgmt->sa));
+ return 0;
+ }
+
if (stype == WLAN_FC_STYPE_BEACON) {
handle_beacon(hapd, mgmt, len, fi);
return 1;
--
2.20.1

38
CVE-2021-0326.patch
View File

@ -1,38 +0,0 @@
From 947272febe24a8f0ea828b5b2f35f13c3821901e Mon Sep 17 00:00:00 2001
From: Jouni Malinen <jouni@codeaurora.org>
Date: Mon, 9 Nov 2020 11:43:12 +0200
Subject: [PATCH] P2P: Fix copying of secondary device types for P2P group
client
Parsing and copying of WPS secondary device types list was verifying
that the contents is not too long for the internal maximum in the case
of WPS messages, but similar validation was missing from the case of P2P
group information which encodes this information in a different
attribute. This could result in writing beyond the memory area assigned
for these entries and corrupting memory within an instance of struct
p2p_device. This could result in invalid operations and unexpected
behavior when trying to free pointers from that corrupted memory.
Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27269
Fixes: e57ae6e19edf ("P2P: Keep track of secondary device types for peers")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
---
src/p2p/p2p.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c
index 74b7b52ae05c..5cbfc217fc1f 100644
--- a/src/p2p/p2p.c
+++ b/src/p2p/p2p.c
@@ -453,6 +453,8 @@ static void p2p_copy_client_info(struct p2p_device *dev,
dev->info.config_methods = cli->config_methods;
os_memcpy(dev->info.pri_dev_type, cli->pri_dev_type, 8);
dev->info.wps_sec_dev_type_list_len = 8 * cli->num_sec_dev_types;
+ if (dev->info.wps_sec_dev_type_list_len > WPS_SEC_DEV_TYPE_MAX_LEN)
+ dev->info.wps_sec_dev_type_list_len = WPS_SEC_DEV_TYPE_MAX_LEN;
os_memcpy(dev->info.wps_sec_dev_type_list, cli->sec_dev_types,
dev->info.wps_sec_dev_type_list_len);
}
--
2.25.1

50
CVE-2021-27803.patch
View File

@ -1,50 +0,0 @@
From 8460e3230988ef2ec13ce6b69b687e941f6cdb32 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <jouni@codeaurora.org>
Date: Tue, 8 Dec 2020 23:52:50 +0200
Subject: [PATCH] P2P: Fix a corner case in peer addition based on PD Request
p2p_add_device() may remove the oldest entry if there is no room in the
peer table for a new peer. This would result in any pointer to that
removed entry becoming stale. A corner case with an invalid PD Request
frame could result in such a case ending up using (read+write) freed
memory. This could only by triggered when the peer table has reached its
maximum size and the PD Request frame is received from the P2P Device
Address of the oldest remaining entry and the frame has incorrect P2P
Device Address in the payload.
Fix this by fetching the dev pointer again after having called
p2p_add_device() so that the stale pointer cannot be used.
Fixes: 17bef1e97a50 ("P2P: Add peer entry based on Provision Discovery Request")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
---
src/p2p/p2p_pd.c | 12 +++++-------
1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/src/p2p/p2p_pd.c b/src/p2p/p2p_pd.c
index 3994ec03f86b..05fd593494ef 100644
--- a/src/p2p/p2p_pd.c
+++ b/src/p2p/p2p_pd.c
@@ -595,14 +595,12 @@ void p2p_process_prov_disc_req(struct p2p_data *p2p, const u8 *sa,
goto out;
}
+ dev = p2p_get_device(p2p, sa);
if (!dev) {
- dev = p2p_get_device(p2p, sa);
- if (!dev) {
- p2p_dbg(p2p,
- "Provision Discovery device not found "
- MACSTR, MAC2STR(sa));
- goto out;
- }
+ p2p_dbg(p2p,
+ "Provision Discovery device not found "
+ MACSTR, MAC2STR(sa));
+ goto out;
}
} else if (msg.wfd_subelems) {
wpabuf_free(dev->info.wfd_subelems);
--
2.25.1

115
CVE-2021-30004.patch
View File

@ -1,115 +0,0 @@
From a0541334a6394f8237a4393b7372693cd7e96f15 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Sat, 13 Mar 2021 18:19:31 +0200
Subject: ASN.1: Validate DigestAlgorithmIdentifier parameters
The supported hash algorithms do not use AlgorithmIdentifier parameters.
However, there are implementations that include NULL parameters in
addition to ones that omit the parameters. Previous implementation did
not check the parameters value at all which supported both these cases,
but did not reject any other unexpected information.
Use strict validation of digest algorithm parameters and reject any
unexpected value when validating a signature. This is needed to prevent
potential forging attacks.
Signed-off-by: Jouni Malinen <j@w1.fi>
---
src/tls/pkcs1.c | 21 +++++++++++++++++++++
src/tls/x509v3.c | 20 ++++++++++++++++++++
2 files changed, 41 insertions(+)
diff --git a/src/tls/pkcs1.c b/src/tls/pkcs1.c
index bbdb0d7..5761dfe 100644
--- a/src/tls/pkcs1.c
+++ b/src/tls/pkcs1.c
@@ -244,6 +244,8 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
os_free(decrypted);
return -1;
}
+ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: DigestInfo",
+ hdr.payload, hdr.length);
pos = hdr.payload;
end = pos + hdr.length;
@@ -265,6 +267,8 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
os_free(decrypted);
return -1;
}
+ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: DigestAlgorithmIdentifier",
+ hdr.payload, hdr.length);
da_end = hdr.payload + hdr.length;
if (asn1_get_oid(hdr.payload, hdr.length, &oid, &next)) {
@@ -273,6 +277,23 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
os_free(decrypted);
return -1;
}
+ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: Digest algorithm parameters",
+ next, da_end - next);
+
+ /*
+ * RFC 5754: The correct encoding for the SHA2 algorithms would be to
+ * omit the parameters, but there are implementation that encode these
+ * as a NULL element. Allow these two cases and reject anything else.
+ */
+ if (da_end > next &&
+ (asn1_get_next(next, da_end - next, &hdr) < 0 ||
+ !asn1_is_null(&hdr) ||
+ hdr.payload + hdr.length != da_end)) {
+ wpa_printf(MSG_DEBUG,
+ "PKCS #1: Unexpected digest algorithm parameters");
+ os_free(decrypted);
+ return -1;
+ }
if (!asn1_oid_equal(&oid, hash_alg)) {
char txt[100], txt2[100];
diff --git a/src/tls/x509v3.c b/src/tls/x509v3.c
index a8944dd..df337ec 100644
--- a/src/tls/x509v3.c
+++ b/src/tls/x509v3.c
@@ -1964,6 +1964,7 @@ int x509_check_signature(struct x509_certificate *issuer,
os_free(data);
return -1;
}
+ wpa_hexdump(MSG_MSGDUMP, "X509: DigestInfo", hdr.payload, hdr.length);
pos = hdr.payload;
end = pos + hdr.length;
@@ -1985,6 +1986,8 @@ int x509_check_signature(struct x509_certificate *issuer,
os_free(data);
return -1;
}
+ wpa_hexdump(MSG_MSGDUMP, "X509: DigestAlgorithmIdentifier",
+ hdr.payload, hdr.length);
da_end = hdr.payload + hdr.length;
if (asn1_get_oid(hdr.payload, hdr.length, &oid, &next)) {
@@ -1992,6 +1995,23 @@ int x509_check_signature(struct x509_certificate *issuer,
os_free(data);
return -1;
}
+ wpa_hexdump(MSG_MSGDUMP, "X509: Digest algorithm parameters",
+ next, da_end - next);
+
+ /*
+ * RFC 5754: The correct encoding for the SHA2 algorithms would be to
+ * omit the parameters, but there are implementation that encode these
+ * as a NULL element. Allow these two cases and reject anything else.
+ */
+ if (da_end > next &&
+ (asn1_get_next(next, da_end - next, &hdr) < 0 ||
+ !asn1_is_null(&hdr) ||
+ hdr.payload + hdr.length != da_end)) {
+ wpa_printf(MSG_DEBUG,
+ "X509: Unexpected digest algorithm parameters");
+ os_free(data);
+ return -1;
+ }
if (x509_sha1_oid(&oid)) {
if (signature->oid.oid[6] != 5 /* sha-1WithRSAEncryption */) {
--
cgit v0.12

193
config
View File

@ -1,9 +1,9 @@
# Example wpa_supplicant build time configuration
#
# This file lists the configuration options that are used when building the
# hostapd binary. All lines starting with # are ignored. Configuration option
# lines must be commented out complete, if they are not to be included, i.e.,
# just setting VARIABLE=n is not disabling that variable.
# wpa_supplicant binary. All lines starting with # are ignored. Configuration
# option lines must be commented out complete, if they are not to be included,
# i.e., just setting VARIABLE=n is not disabling that variable.
#
# This file is included in Makefile, so variables like CFLAGS and LIBS can also
# be modified from here. In most cases, these lines should use += in order not
@ -31,6 +31,9 @@ CONFIG_DRIVER_WEXT=y
# Driver interface for Linux drivers using the nl80211 kernel interface
CONFIG_DRIVER_NL80211=y
# QCA vendor extensions to nl80211
#CONFIG_DRIVER_NL80211_QCA=y
# driver_nl80211.c requires libnl. If you are compiling it yourself
# you may need to point hostapd to your version of libnl.
#
@ -70,6 +73,12 @@ CONFIG_LIBNL32=y
# Driver interface for wired Ethernet drivers
CONFIG_DRIVER_WIRED=y
# Driver interface for MACsec capable Qualcomm Atheros drivers
#CONFIG_DRIVER_MACSEC_QCA=y
# Driver interface for Linux MACsec drivers
CONFIG_DRIVER_MACSEC_LINUX=y
# Driver interface for the Broadcom RoboSwitch family
#CONFIG_DRIVER_ROBOSWITCH=y
@ -80,8 +89,8 @@ CONFIG_DRIVER_WIRED=y
#LIBS += -lsocket -ldlpi -lnsl
#LIBS_c += -lsocket
# Enable IEEE 802.1X Supplicant (automatically included if any EAP method is
# included)
# Enable IEEE 802.1X Supplicant (automatically included if any EAP method or
# MACsec is included)
CONFIG_IEEE8021X_EAPOL=y
# EAP-MD5
@ -100,11 +109,18 @@ CONFIG_EAP_PEAP=y
CONFIG_EAP_TTLS=y
# EAP-FAST
# Note: If OpenSSL is used as the TLS library, OpenSSL 1.0 or newer is needed
# for EAP-FAST support. Older OpenSSL releases would need to be patched, e.g.,
# with openssl-0.9.8x-tls-extensions.patch, to add the needed functions.
CONFIG_EAP_FAST=y
# EAP-TEAP
# Note: The current EAP-TEAP implementation is experimental and should not be
# enabled for production use. The IETF RFC 7170 that defines EAP-TEAP has number
# of conflicting statements and missing details and the implementation has
# vendor specific workarounds for those and as such, may not interoperate with
# any other implementation. This should not be used for anything else than
# experimentation and interoperability testing until those issues has been
# resolved.
#CONFIG_EAP_TEAP=y
# EAP-GTC
CONFIG_EAP_GTC=y
@ -114,6 +130,9 @@ CONFIG_EAP_OTP=y
# EAP-SIM (enable CONFIG_PCSC, if EAP-SIM is used)
#CONFIG_EAP_SIM=y
# Enable SIM simulator (Milenage) for EAP-SIM
#CONFIG_SIM_SIMULATOR=y
# EAP-PSK (experimental; this is _not_ needed for WPA-PSK)
#CONFIG_EAP_PSK=y
@ -163,6 +182,9 @@ CONFIG_EAP_IKEV2=y
# EAP-EKE
#CONFIG_EAP_EKE=y
# MACsec
CONFIG_MACSEC=y
# PKCS#12 (PFX) support (used to read private key and certificate file from
# a file that usually has extension .p12 or .pfx)
CONFIG_PKCS12=y
@ -223,7 +245,10 @@ CONFIG_CTRL_IFACE=y
# wpa_passphrase). This saves about 0.5 kB in code size.
#CONFIG_NO_WPA_PASSPHRASE=y
# Disable scan result processing (ap_mode=1) to save code size by about 1 kB.
# Simultaneous Authentication of Equals (SAE), WPA3-Personal
CONFIG_SAE=y
# Disable scan result processing (ap_scan=1) to save code size by about 1 kB.
# This can be used if ap_scan=1 mode is never enabled.
#CONFIG_NO_SCAN_PROCESSING=y
@ -267,6 +292,9 @@ CONFIG_BACKEND=file
# Should we use epoll instead of select? Select is used by default.
#CONFIG_ELOOP_EPOLL=y
# Should we use kqueue instead of select? Select is used by default.
#CONFIG_ELOOP_KQUEUE=y
# Select layer 2 packet implementation
# linux = Linux packet socket (default)
# pcap = libpcap/libdnet/WinPcap
@ -276,17 +304,20 @@ CONFIG_BACKEND=file
# none = Empty template
#CONFIG_L2_PACKET=linux
# PeerKey handshake for Station to Station Link (IEEE 802.11e DLS)
CONFIG_PEERKEY=y
# Disable Linux packet socket workaround applicable for station interface
# in a bridge for EAPOL frames. This should be uncommented only if the kernel
# is known to not have the regression issue in packet socket behavior with
# bridge interfaces (commit 'bridge: respect RFC2863 operational state')').
#CONFIG_NO_LINUX_PACKET_SOCKET_WAR=y
# IEEE 802.11w (management frame protection), also known as PMF
# Driver support is also needed for IEEE 802.11w.
CONFIG_IEEE80211W=y
# Support Operating Channel Validation
#CONFIG_OCV=y
# Select TLS implementation
# openssl = OpenSSL (default)
# gnutls = GnuTLS
# internal = Internal TLSv1 implementation (experimental)
# linux = Linux kernel AF_ALG and internal TLSv1 implementation (experimental)
# none = Empty template
#CONFIG_TLS=openssl
@ -304,6 +335,10 @@ CONFIG_IEEE80211W=y
# will be used)
#CONFIG_TLSV12=y
# Select which ciphers to use by default with OpenSSL if the user does not
# specify them.
#CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW"
# If CONFIG_TLS=internal is used, additional library and include paths are
# needed for LibTomMath. Alternatively, an integrated, minimal version of
# LibTomMath can be used. See beginning of libtommath.c for details on benefits
@ -331,7 +366,7 @@ CONFIG_IEEE80211W=y
CONFIG_CTRL_IFACE_DBUS=y
# Add support for new DBus control interface
# (fi.w1.hostap.wpa_supplicant1)
# (fi.w1.wpa_supplicant1)
CONFIG_CTRL_IFACE_DBUS_NEW=y
# Add introspection support for new DBus control interface
@ -358,14 +393,14 @@ CONFIG_CTRL_IFACE_DBUS_INTRO=y
# amount of memory/flash.
#CONFIG_DYNAMIC_EAP_METHODS=y
# IEEE Std 802.11r-2008 (Fast BSS Transition)
#CONFIG_IEEE80211R=y
# IEEE Std 802.11r-2008 (Fast BSS Transition) for station mode
# CONFIG_IEEE80211R=y
# Add support for writing debug log to a file (/tmp/wpa_supplicant-log-#.txt)
CONFIG_DEBUG_FILE=y
# Send debug messages to syslog instead of stdout
#CONFIG_DEBUG_SYSLOG=y
# CONFIG_DEBUG_SYSLOG=y
# Set syslog facility for debug messages
#CONFIG_DEBUG_SYSLOG_FACILITY=LOG_DAEMON
@ -435,11 +470,12 @@ CONFIG_DEBUG_FILE=y
# that meet the requirements described above.
CONFIG_NO_RANDOM_POOL=y
# IEEE 802.11n (High Throughput) support (mainly for AP mode)
CONFIG_IEEE80211N=y
# Should we attempt to use the getrandom(2) call that provides more reliable
# yet secure randomness source than /dev/random on Linux 3.17 and newer.
# Requires glibc 2.25 to build, falls back to /dev/random if unavailable.
#CONFIG_GETRANDOM=y
# IEEE 802.11ac (Very High Throughput) support (mainly for AP mode)
# (depends on CONFIG_IEEE80211N)
CONFIG_IEEE80211AC=y
# Wireless Network Management (IEEE Std 802.11v-2011)
@ -450,10 +486,13 @@ CONFIG_IEEE80211AC=y
# This can be used to enable functionality to improve interworking with
# external networks (GAS/ANQP to learn more about the networks and network
# selection based on available credentials).
#CONFIG_INTERWORKING=y
CONFIG_INTERWORKING=y
# Hotspot 2.0
#CONFIG_HS20=y
CONFIG_HS20=y
# Enable interface matching in wpa_supplicant
#CONFIG_MATCH_IFACE=y
# Disable roaming in wpa_supplicant
#CONFIG_NO_ROAMING=y
@ -473,8 +512,8 @@ CONFIG_P2P=y
# Enable TDLS support
CONFIG_TDLS=y
# Wi-Fi Direct
# This can be used to enable Wi-Fi Direct extensions for P2P using an external
# Wi-Fi Display
# This can be used to enable Wi-Fi Display extensions for P2P using an external
# program to control the additional information exchanges in the messages.
CONFIG_WIFI_DISPLAY=y
@ -495,12 +534,106 @@ CONFIG_WIFI_DISPLAY=y
#
# External password backend for testing purposes (developer use)
#CONFIG_EXT_PASSWORD_TEST=y
# File-based backend to read passwords from an external file.
#CONFIG_EXT_PASSWORD_FILE=y
# Enable background scan to improve roaming
CONFIG_BGSCAN_SIMPLE=y
# Enable Fast Session Transfer (FST)
#CONFIG_FST=y
# Enable RSN IBSS/AdHoc
# Enable CLI commands for FST testing
#CONFIG_FST_TEST=y
# OS X builds. This is only for building eapol_test.
#CONFIG_OSX=y
# Automatic Channel Selection
# This will allow wpa_supplicant to pick the channel automatically when channel
# is set to "0".
#
# TODO: Extend parser to be able to parse "channel=acs_survey" as an alternative
# to "channel=0". This would enable us to eventually add other ACS algorithms in
# similar way.
#
# Automatic selection is currently only done through initialization, later on
# we hope to do background checks to keep us moving to more ideal channels as
# time goes by. ACS is currently only supported through the nl80211 driver and
# your driver must have survey dump capability that is filled by the driver
# during scanning.
#
# TODO: In analogy to hostapd be able to customize the ACS survey algorithm with
# a newly to create wpa_supplicant.conf variable acs_num_scans.
#
# Supported ACS drivers:
# * ath9k
# * ath5k
# * ath10k
#
# For more details refer to:
# http://wireless.kernel.org/en/users/Documentation/acs
#CONFIG_ACS=y
# Support Multi Band Operation
#CONFIG_MBO=y
# Fast Initial Link Setup (FILS) (IEEE 802.11ai)
#CONFIG_FILS=y
# FILS shared key authentication with PFS
#CONFIG_FILS_SK_PFS=y
# Support RSN on IBSS networks
# This is needed to be able to use mode=1 network profile with proto=RSN and
# key_mgmt=WPA-PSK (i.e., full key management instead of WPA-None).
CONFIG_IBSS_RSN=y
# Enable SAE support
CONFIG_SAE=y
# External PMKSA cache control
# This can be used to enable control interface commands that allow the current
# PMKSA cache entries to be fetched and new entries to be added.
#CONFIG_PMKSA_CACHE_EXTERNAL=y
# Mesh Networking (IEEE 802.11s)
#CONFIG_MESH=y
# Background scanning modules
# These can be used to request wpa_supplicant to perform background scanning
# operations for roaming within an ESS (same SSID). See the bgscan parameter in
# the wpa_supplicant.conf file for more details.
# Periodic background scans based on signal strength
CONFIG_BGSCAN_SIMPLE=y
# Learn channels used by the network and try to avoid bgscans on other
# channels (experimental)
#CONFIG_BGSCAN_LEARN=y
# Opportunistic Wireless Encryption (OWE)
# Experimental implementation of draft-harkins-owe-07.txt
#CONFIG_OWE=y
# Device Provisioning Protocol (DPP) (also known as Wi-Fi Easy Connect)
CONFIG_DPP=y
# DPP version 2 support
CONFIG_DPP2=y
# DPP version 3 support (experimental and still changing; do not enable for
# production use)
#CONFIG_DPP3=y
# Wired equivalent privacy (WEP)
# WEP is an obsolete cryptographic data confidentiality algorithm that is not
# considered secure. It should not be used for anything anymore. The
# functionality needed to use WEP is available in the current wpa_supplicant
# release under this optional build parameter. This functionality is subject to
# be completely removed in a future release.
CONFIG_WEP=y
# Remove all TKIP functionality
# TKIP is an old cryptographic data confidentiality algorithm that is not
# considered secure. It should not be used anymore for anything else than a
# backwards compatibility option as a group cipher when connecting to APs that
# use WPA+WPA2 mixed mode. For now, the default wpa_supplicant build includes
# support for this by default, but that functionality is subject to be removed
# in the future.
#CONFIG_NO_TKIP=y
# Pre-Association Security Negotiation (PASN)
# Experimental implementation based on IEEE P802.11z/D2.6 and the protocol
# design is still subject to change. As such, this should not yet be enabled in
# production use.
#CONFIG_PASN=y

218
restore-old-dbus-interface.patch
View File

@ -10,11 +10,11 @@ Date: Fri Apr 17 10:34:30 2020 +0200
wicked still uses the old dbus interface
and porting it is hard.
diff --git a/wpa_supplicant/Android.mk b/wpa_supplicant/Android.mk
index b5d982de3..37be1ce35 100644
--- a/wpa_supplicant/Android.mk
+++ b/wpa_supplicant/Android.mk
@@ -1448,25 +1448,44 @@ endif
Index: wpa_supplicant-2.10/wpa_supplicant/Android.mk
===================================================================
--- wpa_supplicant-2.10.orig/wpa_supplicant/Android.mk
+++ wpa_supplicant-2.10/wpa_supplicant/Android.mk
@@ -1471,25 +1471,44 @@ endif
OBJS += ctrl_iface.c ctrl_iface_$(CONFIG_CTRL_IFACE).c
endif
@ -69,11 +69,11 @@ index b5d982de3..37be1ce35 100644
ifdef CONFIG_CTRL_IFACE_BINDER
WPA_SUPPLICANT_USE_BINDER=y
L_CFLAGS += -DCONFIG_BINDER -DCONFIG_CTRL_IFACE_BINDER
diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
index f1384d5fa..9555495e1 100644
--- a/wpa_supplicant/Makefile
+++ b/wpa_supplicant/Makefile
@@ -55,6 +55,7 @@ ALL += systemd/wpa_supplicant.service
Index: wpa_supplicant-2.10/wpa_supplicant/Makefile
===================================================================
--- wpa_supplicant-2.10.orig/wpa_supplicant/Makefile
+++ wpa_supplicant-2.10/wpa_supplicant/Makefile
@@ -9,6 +9,7 @@ ALL += systemd/wpa_supplicant.service
ALL += systemd/wpa_supplicant@.service
ALL += systemd/wpa_supplicant-nl80211@.service
ALL += systemd/wpa_supplicant-wired@.service
@ -81,7 +81,7 @@ index f1384d5fa..9555495e1 100644
ALL += dbus/fi.w1.wpa_supplicant1.service
ifdef CONFIG_BUILD_WPA_CLIENT_SO
ALL += libwpa_client.so
@@ -1605,17 +1606,35 @@ endif
@@ -1606,17 +1607,35 @@ endif
OBJS += ctrl_iface.o ctrl_iface_$(CONFIG_CTRL_IFACE).o
endif
@ -124,7 +124,7 @@ index f1384d5fa..9555495e1 100644
endif
ifndef DBUS_LIBS
DBUS_LIBS := $(shell $(PKG_CONFIG) --libs dbus-1)
@@ -1624,13 +1643,22 @@ ifndef DBUS_INCLUDE
@@ -1625,13 +1644,22 @@ ifndef DBUS_INCLUDE
DBUS_INCLUDE := $(shell $(PKG_CONFIG) --cflags dbus-1)
endif
ifdef CONFIG_CTRL_IFACE_DBUS_INTRO
@ -151,8 +151,8 @@ index f1384d5fa..9555495e1 100644
ifdef CONFIG_READLINE
OBJS_c += ../src/utils/edit_readline.o
LIBS_c += -lreadline -lncurses
@@ -1992,11 +2020,13 @@ else
endif
@@ -2015,11 +2043,13 @@ eap_gpsk.so: $(SRC_EAP_GPSK)
@$(E) " CC/LD " $@
%.service: %.service.in
- $(Q)sed -e 's|\@BINDIR\@|$(BINDIR)|g' $< >$@
@ -167,11 +167,11 @@ index f1384d5fa..9555495e1 100644
@$(E) " sed" $<
wpa_supplicant.exe: wpa_supplicant
diff --git a/wpa_supplicant/android.config b/wpa_supplicant/android.config
index 6536c110a..854f48167 100644
--- a/wpa_supplicant/android.config
+++ b/wpa_supplicant/android.config
@@ -327,6 +327,10 @@ CONFIG_IEEE80211W=y
Index: wpa_supplicant-2.10/wpa_supplicant/android.config
===================================================================
--- wpa_supplicant-2.10.orig/wpa_supplicant/android.config
+++ wpa_supplicant-2.10/wpa_supplicant/android.config
@@ -323,6 +323,10 @@ CONFIG_L2_PACKET=linux
#CONFIG_NDIS_EVENTS_INTEGRATED=y
#PLATFORMSDKLIB="/opt/Program Files/Microsoft Platform SDK/Lib"
@ -182,10 +182,10 @@ index 6536c110a..854f48167 100644
# Add support for new DBus control interface
# (fi.w1.hostap.wpa_supplicant1)
#CONFIG_CTRL_IFACE_DBUS_NEW=y
diff --git a/wpa_supplicant/dbus/Makefile b/wpa_supplicant/dbus/Makefile
index 4d8700428..f355ebef5 100644
--- a/wpa_supplicant/dbus/Makefile
+++ b/wpa_supplicant/dbus/Makefile
Index: wpa_supplicant-2.10/wpa_supplicant/dbus/Makefile
===================================================================
--- wpa_supplicant-2.10.orig/wpa_supplicant/dbus/Makefile
+++ wpa_supplicant-2.10/wpa_supplicant/dbus/Makefile
@@ -36,6 +36,7 @@ CFLAGS += -DCONFIG_WPS
endif
@ -211,10 +211,10 @@ index 4d8700428..f355ebef5 100644
LIB_OBJS += dbus_new_handlers_wps.o
endif
diff --git a/wpa_supplicant/dbus/dbus-wpa_supplicant.conf b/wpa_supplicant/dbus/dbus-wpa_supplicant.conf
index e81b495f4..382dcb343 100644
--- a/wpa_supplicant/dbus/dbus-wpa_supplicant.conf
+++ b/wpa_supplicant/dbus/dbus-wpa_supplicant.conf
Index: wpa_supplicant-2.10/wpa_supplicant/dbus/dbus-wpa_supplicant.conf
===================================================================
--- wpa_supplicant-2.10.orig/wpa_supplicant/dbus/dbus-wpa_supplicant.conf
+++ wpa_supplicant-2.10/wpa_supplicant/dbus/dbus-wpa_supplicant.conf
@@ -3,6 +3,11 @@
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
@ -237,10 +237,10 @@ index e81b495f4..382dcb343 100644
<deny own="fi.w1.wpa_supplicant1"/>
<deny send_destination="fi.w1.wpa_supplicant1"/>
<deny receive_sender="fi.w1.wpa_supplicant1" receive_type="signal"/>
diff --git a/wpa_supplicant/dbus/dbus_common.c b/wpa_supplicant/dbus/dbus_common.c
index efa6c7b20..7ef6cad62 100644
--- a/wpa_supplicant/dbus/dbus_common.c
+++ b/wpa_supplicant/dbus/dbus_common.c
Index: wpa_supplicant-2.10/wpa_supplicant/dbus/dbus_common.c
===================================================================
--- wpa_supplicant-2.10.orig/wpa_supplicant/dbus/dbus_common.c
+++ wpa_supplicant-2.10/wpa_supplicant/dbus/dbus_common.c
@@ -16,6 +16,7 @@
#include "dbus_common.h"
#include "dbus_common_i.h"
@ -249,7 +249,7 @@ index efa6c7b20..7ef6cad62 100644
#include "../wpa_supplicant_i.h"
@@ -350,6 +351,9 @@ struct wpas_dbus_priv * wpas_dbus_init(struct wpa_global *global)
@@ -351,6 +352,9 @@ struct wpas_dbus_priv * wpas_dbus_init(s
#ifdef CONFIG_CTRL_IFACE_DBUS_NEW
wpas_dbus_ctrl_iface_init(priv) < 0 ||
#endif /* CONFIG_CTRL_IFACE_DBUS_NEW */
@ -259,7 +259,7 @@ index efa6c7b20..7ef6cad62 100644
wpas_dbus_init_common_finish(priv) < 0) {
wpas_dbus_deinit(priv);
return NULL;
@@ -368,5 +372,9 @@ void wpas_dbus_deinit(struct wpas_dbus_priv *priv)
@@ -369,5 +373,9 @@ void wpas_dbus_deinit(struct wpas_dbus_p
wpas_dbus_ctrl_iface_deinit(priv);
#endif /* CONFIG_CTRL_IFACE_DBUS_NEW */
@ -269,11 +269,10 @@ index efa6c7b20..7ef6cad62 100644
+
wpas_dbus_deinit_common(priv);
}
diff --git a/wpa_supplicant/dbus/dbus_old.c b/wpa_supplicant/dbus/dbus_old.c
new file mode 100644
index 000000000..88227af7c
Index: wpa_supplicant-2.10/wpa_supplicant/dbus/dbus_old.c
===================================================================
--- /dev/null
+++ b/wpa_supplicant/dbus/dbus_old.c
+++ wpa_supplicant-2.10/wpa_supplicant/dbus/dbus_old.c
@@ -0,0 +1,745 @@
+/*
+ * WPA Supplicant / dbus-based control interface
@ -1020,11 +1019,10 @@ index 000000000..88227af7c
+ }
+ return NULL;
+}
diff --git a/wpa_supplicant/dbus/dbus_old.h b/wpa_supplicant/dbus/dbus_old.h
new file mode 100644
index 000000000..451a9f827
Index: wpa_supplicant-2.10/wpa_supplicant/dbus/dbus_old.h
===================================================================
--- /dev/null
+++ b/wpa_supplicant/dbus/dbus_old.h
+++ wpa_supplicant-2.10/wpa_supplicant/dbus/dbus_old.h
@@ -0,0 +1,142 @@
+/*
+ * WPA Supplicant / dbus-based control interface
@ -1168,11 +1166,10 @@ index 000000000..451a9f827
+#endif /* CONFIG_CTRL_IFACE_DBUS */
+
+#endif /* CTRL_IFACE_DBUS_H */
diff --git a/wpa_supplicant/dbus/dbus_old_handlers.c b/wpa_supplicant/dbus/dbus_old_handlers.c
new file mode 100644
index 000000000..e540832f2
Index: wpa_supplicant-2.10/wpa_supplicant/dbus/dbus_old_handlers.c
===================================================================
--- /dev/null
+++ b/wpa_supplicant/dbus/dbus_old_handlers.c
+++ wpa_supplicant-2.10/wpa_supplicant/dbus/dbus_old_handlers.c
@@ -0,0 +1,1393 @@
+/*
+ * WPA Supplicant / dbus-based control interface
@ -2567,11 +2564,10 @@ index 000000000..e540832f2
+
+ return wpas_dbus_new_success_reply(message);
+}
diff --git a/wpa_supplicant/dbus/dbus_old_handlers.h b/wpa_supplicant/dbus/dbus_old_handlers.h
new file mode 100644
index 000000000..e60ad06a0
Index: wpa_supplicant-2.10/wpa_supplicant/dbus/dbus_old_handlers.h
===================================================================
--- /dev/null
+++ b/wpa_supplicant/dbus/dbus_old_handlers.h
+++ wpa_supplicant-2.10/wpa_supplicant/dbus/dbus_old_handlers.h
@@ -0,0 +1,101 @@
+/*
+ * WPA Supplicant / dbus-based control interface
@ -2674,11 +2670,10 @@ index 000000000..e60ad06a0
+
+#endif /* CTRL_IFACE_DBUS_HANDLERS_H */
+
diff --git a/wpa_supplicant/dbus/dbus_old_handlers_wps.c b/wpa_supplicant/dbus/dbus_old_handlers_wps.c
new file mode 100644
index 000000000..6c8405b85
Index: wpa_supplicant-2.10/wpa_supplicant/dbus/dbus_old_handlers_wps.c
===================================================================
--- /dev/null
+++ b/wpa_supplicant/dbus/dbus_old_handlers_wps.c
+++ wpa_supplicant-2.10/wpa_supplicant/dbus/dbus_old_handlers_wps.c
@@ -0,0 +1,156 @@
+/*
+ * WPA Supplicant / dbus-based control interface (WPS)
@ -2836,22 +2831,21 @@ index 000000000..6c8405b85
+
+ return wpas_dbus_new_success_reply(message);
+}
diff --git a/wpa_supplicant/dbus/fi.epitest.hostap.WPASupplicant.service.in b/wpa_supplicant/dbus/fi.epitest.hostap.WPASupplicant.service.in
new file mode 100644
index 000000000..a75918f93
Index: wpa_supplicant-2.10/wpa_supplicant/dbus/fi.epitest.hostap.WPASupplicant.service.in
===================================================================
--- /dev/null
+++ b/wpa_supplicant/dbus/fi.epitest.hostap.WPASupplicant.service.in
+++ wpa_supplicant-2.10/wpa_supplicant/dbus/fi.epitest.hostap.WPASupplicant.service.in
@@ -0,0 +1,5 @@
+[D-BUS Service]
+Name=fi.epitest.hostap.WPASupplicant
+Exec=@BINDIR@/wpa_supplicant -u
+User=root
+SystemdService=wpa_supplicant.service
diff --git a/wpa_supplicant/defconfig b/wpa_supplicant/defconfig
index cdfb1974d..57550d495 100644
--- a/wpa_supplicant/defconfig
+++ b/wpa_supplicant/defconfig
@@ -365,6 +365,10 @@ CONFIG_IEEE80211W=y
Index: wpa_supplicant-2.10/wpa_supplicant/defconfig
===================================================================
--- wpa_supplicant-2.10.orig/wpa_supplicant/defconfig
+++ wpa_supplicant-2.10/wpa_supplicant/defconfig
@@ -361,6 +361,10 @@ CONFIG_BACKEND=file
#CONFIG_NDIS_EVENTS_INTEGRATED=y
#PLATFORMSDKLIB="/opt/Program Files/Microsoft Platform SDK/Lib"
@ -2860,13 +2854,13 @@ index cdfb1974d..57550d495 100644
+#CONFIG_CTRL_IFACE_DBUS=y
+
# Add support for new DBus control interface
# (fi.w1.hostap.wpa_supplicant1)
# (fi.w1.wpa_supplicant1)
CONFIG_CTRL_IFACE_DBUS_NEW=y
diff --git a/wpa_supplicant/doc/docbook/wpa_supplicant.sgml b/wpa_supplicant/doc/docbook/wpa_supplicant.sgml
index aaff15002..ebf102edf 100644
--- a/wpa_supplicant/doc/docbook/wpa_supplicant.sgml
+++ b/wpa_supplicant/doc/docbook/wpa_supplicant.sgml
@@ -471,7 +471,7 @@
Index: wpa_supplicant-2.10/wpa_supplicant/doc/docbook/wpa_supplicant.sgml
===================================================================
--- wpa_supplicant-2.10.orig/wpa_supplicant/doc/docbook/wpa_supplicant.sgml
+++ wpa_supplicant-2.10/wpa_supplicant/doc/docbook/wpa_supplicant.sgml
@@ -475,7 +475,7 @@
<para>Enable DBus control interface. If enabled, interface
definitions may be omitted. (This is only available
if <command>wpa_supplicant</command> was built with
@ -2875,11 +2869,10 @@ index aaff15002..ebf102edf 100644
</listitem>
</varlistentry>
diff --git a/wpa_supplicant/examples/wpas-test.py b/wpa_supplicant/examples/wpas-test.py
new file mode 100755
index 000000000..bdd16a8a8
Index: wpa_supplicant-2.10/wpa_supplicant/examples/wpas-test.py
===================================================================
--- /dev/null
+++ b/wpa_supplicant/examples/wpas-test.py
+++ wpa_supplicant-2.10/wpa_supplicant/examples/wpas-test.py
@@ -0,0 +1,91 @@
+#!/usr/bin/python
+
@ -2972,10 +2965,10 @@ index 000000000..bdd16a8a8
+if __name__ == "__main__":
+ main()
+
diff --git a/wpa_supplicant/main.c b/wpa_supplicant/main.c
index 51a8a0298..e08c2fd26 100644
--- a/wpa_supplicant/main.c
+++ b/wpa_supplicant/main.c
Index: wpa_supplicant-2.10/wpa_supplicant/main.c
===================================================================
--- wpa_supplicant-2.10.orig/wpa_supplicant/main.c
+++ wpa_supplicant-2.10/wpa_supplicant/main.c
@@ -28,9 +28,9 @@ static void usage(void)
"s"
#endif /* CONFIG_DEBUG_SYSLOG */
@ -3014,10 +3007,10 @@ index 51a8a0298..e08c2fd26 100644
case 'v':
printf("%s\n", wpa_supplicant_version);
exitcode = 0;
diff --git a/wpa_supplicant/notify.c b/wpa_supplicant/notify.c
index e41d7c41c..f47f9bb76 100644
--- a/wpa_supplicant/notify.c
+++ b/wpa_supplicant/notify.c
Index: wpa_supplicant-2.10/wpa_supplicant/notify.c
===================================================================
--- wpa_supplicant-2.10.orig/wpa_supplicant/notify.c
+++ wpa_supplicant-2.10/wpa_supplicant/notify.c
@@ -15,6 +15,7 @@
#include "wps_supplicant.h"
#include "binder/binder.h"
@ -3026,7 +3019,7 @@ index e41d7c41c..f47f9bb76 100644
#include "dbus/dbus_new.h"
#include "rsn_supp/wpa.h"
#include "fst/fst.h"
@@ -27,13 +28,13 @@
@@ -28,13 +29,13 @@
int wpas_notify_supplicant_initialized(struct wpa_global *global)
{
@ -3042,7 +3035,7 @@ index e41d7c41c..f47f9bb76 100644
#ifdef CONFIG_BINDER
global->binder = wpas_binder_init(global);
@@ -47,10 +48,10 @@ int wpas_notify_supplicant_initialized(struct wpa_global *global)
@@ -48,10 +49,10 @@ int wpas_notify_supplicant_initialized(s
void wpas_notify_supplicant_deinitialized(struct wpa_global *global)
{
@ -3055,7 +3048,7 @@ index e41d7c41c..f47f9bb76 100644
#ifdef CONFIG_BINDER
if (global->binder)
@@ -64,6 +65,9 @@ int wpas_notify_iface_added(struct wpa_supplicant *wpa_s)
@@ -65,6 +66,9 @@ int wpas_notify_iface_added(struct wpa_s
if (wpa_s->p2p_mgmt)
return 0;
@ -3065,7 +3058,7 @@ index e41d7c41c..f47f9bb76 100644
if (wpas_dbus_register_interface(wpa_s))
return -1;
@@ -76,6 +80,9 @@ void wpas_notify_iface_removed(struct wpa_supplicant *wpa_s)
@@ -77,6 +81,9 @@ void wpas_notify_iface_removed(struct wp
if (wpa_s->p2p_mgmt)
return;
@ -3075,7 +3068,7 @@ index e41d7c41c..f47f9bb76 100644
/* unregister interface in new DBus ctrl iface */
wpas_dbus_unregister_interface(wpa_s);
}
@@ -88,6 +95,10 @@ void wpas_notify_state_changed(struct wpa_supplicant *wpa_s,
@@ -89,6 +96,10 @@ void wpas_notify_state_changed(struct wp
if (wpa_s->p2p_mgmt)
return;
@ -3086,7 +3079,7 @@ index e41d7c41c..f47f9bb76 100644
/* notify the new DBus API */
wpas_dbus_signal_prop_changed(wpa_s, WPAS_DBUS_PROP_STATE);
@@ -257,6 +268,9 @@ void wpas_notify_scanning(struct wpa_supplicant *wpa_s)
@@ -258,6 +269,9 @@ void wpas_notify_scanning(struct wpa_sup
if (wpa_s->p2p_mgmt)
return;
@ -3096,7 +3089,7 @@ index e41d7c41c..f47f9bb76 100644
/* notify the new DBus API */
wpas_dbus_signal_prop_changed(wpa_s, WPAS_DBUS_PROP_SCANNING);
}
@@ -276,6 +290,9 @@ void wpas_notify_scan_results(struct wpa_supplicant *wpa_s)
@@ -277,6 +291,9 @@ void wpas_notify_scan_results(struct wpa
if (wpa_s->p2p_mgmt)
return;
@ -3106,7 +3099,7 @@ index e41d7c41c..f47f9bb76 100644
wpas_wps_notify_scan_results(wpa_s);
}
@@ -287,6 +304,8 @@ void wpas_notify_wps_credential(struct wpa_supplicant *wpa_s,
@@ -288,6 +305,8 @@ void wpas_notify_wps_credential(struct w
return;
#ifdef CONFIG_WPS
@ -3115,21 +3108,21 @@ index e41d7c41c..f47f9bb76 100644
/* notify the new DBus API */
wpas_dbus_signal_wps_cred(wpa_s, cred);
#endif /* CONFIG_WPS */
@@ -818,6 +837,9 @@ void wpas_notify_certification(struct wpa_supplicant *wpa_s,
@@ -831,6 +850,9 @@ void wpas_notify_certification(struct wp
wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_EAP_PEER_ALT
"depth=%d %s", cert->depth, cert->altsubject[i]);
+ /* notify the old DBus API */
+ wpa_supplicant_dbus_notify_certification(wpa_s, depth, subject,
+ cert_hash, cert);
+ wpa_supplicant_dbus_notify_certification(wpa_s, cert->depth, cert->subject,
+ cert_hash, cert->cert);
/* notify the new DBus API */
wpas_dbus_signal_certification(wpa_s, cert->depth, cert->subject,
cert->altsubject, cert->num_altsubject,
diff --git a/wpa_supplicant/systemd/wpa_supplicant.service.in b/wpa_supplicant/systemd/wpa_supplicant.service.in
index 75a37a8cd..bc5d49af8 100644
--- a/wpa_supplicant/systemd/wpa_supplicant.service.in
+++ b/wpa_supplicant/systemd/wpa_supplicant.service.in
@@ -5,9 +5,9 @@ Wants=network.target
Index: wpa_supplicant-2.10/wpa_supplicant/systemd/wpa_supplicant.service.in
===================================================================
--- wpa_supplicant-2.10.orig/wpa_supplicant/systemd/wpa_supplicant.service.in
+++ wpa_supplicant-2.10/wpa_supplicant/systemd/wpa_supplicant.service.in
@@ -6,9 +6,9 @@ Wants=network.target
[Service]
Type=dbus
@ -3141,11 +3134,11 @@ index 75a37a8cd..bc5d49af8 100644
WantedBy=multi-user.target
-Alias=dbus-fi.w1.wpa_supplicant1.service
+Alias=dbus-@DBUS_INTERFACE@.service
diff --git a/wpa_supplicant/wpa_supplicant_i.h b/wpa_supplicant/wpa_supplicant_i.h
index 8a4bdf8cb..c7b131cc1 100644
--- a/wpa_supplicant/wpa_supplicant_i.h
+++ b/wpa_supplicant/wpa_supplicant_i.h
@@ -504,6 +504,9 @@ struct wpa_supplicant {
Index: wpa_supplicant-2.10/wpa_supplicant/wpa_supplicant_i.h
===================================================================
--- wpa_supplicant-2.10.orig/wpa_supplicant/wpa_supplicant_i.h
+++ wpa_supplicant-2.10/wpa_supplicant/wpa_supplicant_i.h
@@ -706,6 +706,9 @@ struct wpa_supplicant {
#ifdef CONFIG_MATCH_IFACE
int matched;
#endif /* CONFIG_MATCH_IFACE */
@ -3155,26 +3148,3 @@ index 8a4bdf8cb..c7b131cc1 100644
#ifdef CONFIG_CTRL_IFACE_DBUS_NEW
char *dbus_new_path;
char *dbus_groupobj_path;
commit 2df86203526b872c3c17cf135340b9b3c8c35594
Author: Bernhard M. Wiedemann <bwiedemann@suse.de>
Date: Fri Apr 17 10:46:56 2020 +0200
Fixup ^ for 2019 API changes
From bc0634da4a3ef468f3142fb39ebdabb08566f411
diff --git a/wpa_supplicant/notify.c b/wpa_supplicant/notify.c
index f47f9bb76..2db8bc850 100644
--- a/wpa_supplicant/notify.c
+++ b/wpa_supplicant/notify.c
@@ -838,8 +838,8 @@ void wpas_notify_certification(struct wpa_supplicant *wpa_s,
"depth=%d %s", cert->depth, cert->altsubject[i]);
/* notify the old DBus API */
- wpa_supplicant_dbus_notify_certification(wpa_s, depth, subject,
- cert_hash, cert);
+ wpa_supplicant_dbus_notify_certification(wpa_s, cert->depth, cert->subject,
+ cert_hash, cert->cert);
/* notify the new DBus API */
wpas_dbus_signal_certification(wpa_s, cert->depth, cert->subject,
cert->altsubject, cert->num_altsubject,

BIN
wpa_supplicant-2.10.tar.gz (Stored with Git LFS) Normal file
View File

Binary file not shown.

3
wpa_supplicant-2.9.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:fcbdee7b4a64bea8177973299c8c824419c413ec2e3a95db63dd6a5dc3541f17
size 3231785

10
wpa_supplicant-alloc_size.patch
View File

@ -1,6 +1,8 @@
--- wpa_supplicant-2.4.orig/src/utils/os.h
+++ wpa_supplicant-2.4/src/utils/os.h
@@ -253,7 +253,7 @@ int os_file_exists(const char *fname);
Index: wpa_supplicant-2.10/src/utils/os.h
===================================================================
--- wpa_supplicant-2.10.orig/src/utils/os.h
+++ wpa_supplicant-2.10/src/utils/os.h
@@ -260,7 +260,7 @@ int os_fdatasync(FILE *stream);
*
* Caller is responsible for freeing the returned buffer with os_free().
*/
@ -9,7 +11,7 @@
/**
* os_calloc - Allocate and zero memory for an array
@@ -267,6 +267,8 @@ void * os_zalloc(size_t size);
@@ -274,6 +274,8 @@ void * os_zalloc(size_t size);
*
* Caller is responsible for freeing the returned buffer with os_free().
*/

28
wpa_supplicant-dump-certificate-as-PEM-in-debug-mode.diff
View File

@ -9,12 +9,12 @@ Subject: [PATCH] dump certificate as PEM in debug mode
src/utils/wpa_debug.h | 8 ++++++++
3 files changed, 26 insertions(+)
Index: wpa_supplicant-2.4/src/crypto/tls_openssl.c
Index: wpa_supplicant-2.10/src/crypto/tls_openssl.c
===================================================================
--- wpa_supplicant-2.4.orig/src/crypto/tls_openssl.c
+++ wpa_supplicant-2.4/src/crypto/tls_openssl.c
@@ -1484,6 +1484,19 @@ static int tls_verify_cb(int preverify_o
SSL_get_ex_data_X509_STORE_CTX_idx());
--- wpa_supplicant-2.10.orig/src/crypto/tls_openssl.c
+++ wpa_supplicant-2.10/src/crypto/tls_openssl.c
@@ -2361,6 +2361,19 @@ static int tls_verify_cb(int preverify_o
debug_print_cert(err_cert, buf);
X509_NAME_oneline(X509_get_subject_name(err_cert), buf, sizeof(buf));
+ if (wpa_debug_enabled(MSG_DEBUG)) {
@ -33,11 +33,11 @@ Index: wpa_supplicant-2.4/src/crypto/tls_openssl.c
conn = SSL_get_app_data(ssl);
if (conn == NULL)
return 0;
Index: wpa_supplicant-2.4/src/utils/wpa_debug.c
Index: wpa_supplicant-2.10/src/utils/wpa_debug.c
===================================================================
--- wpa_supplicant-2.4.orig/src/utils/wpa_debug.c
+++ wpa_supplicant-2.4/src/utils/wpa_debug.c
@@ -62,6 +62,11 @@ static FILE *out_file = NULL;
--- wpa_supplicant-2.10.orig/src/utils/wpa_debug.c
+++ wpa_supplicant-2.10/src/utils/wpa_debug.c
@@ -66,6 +66,11 @@ static int wpa_to_android_level(int leve
#endif /* CONFIG_DEBUG_FILE */
@ -49,11 +49,11 @@ Index: wpa_supplicant-2.4/src/utils/wpa_debug.c
void wpa_debug_print_timestamp(void)
{
#ifndef CONFIG_ANDROID_LOG
Index: wpa_supplicant-2.4/src/utils/wpa_debug.h
Index: wpa_supplicant-2.10/src/utils/wpa_debug.h
===================================================================
--- wpa_supplicant-2.4.orig/src/utils/wpa_debug.h
+++ wpa_supplicant-2.4/src/utils/wpa_debug.h
@@ -24,6 +24,7 @@ enum {
--- wpa_supplicant-2.10.orig/src/utils/wpa_debug.h
+++ wpa_supplicant-2.10/src/utils/wpa_debug.h
@@ -25,6 +25,7 @@ enum {
#ifdef CONFIG_NO_STDOUT_DEBUG
@ -61,7 +61,7 @@ Index: wpa_supplicant-2.4/src/utils/wpa_debug.h
#define wpa_debug_print_timestamp() do { } while (0)
#define wpa_printf(args...) do { } while (0)
#define wpa_hexdump(l,t,b,le) do { } while (0)
@@ -50,6 +51,13 @@ void wpa_debug_close_file(void);
@@ -51,6 +52,13 @@ void wpa_debug_close_file(void);
void wpa_debug_setup_stdout(void);
/**

43
wpa_supplicant-flush-debug-output.patch
View File

@ -1,51 +1,56 @@
Index: src/utils/wpa_debug.c
Index: wpa_supplicant-2.10/src/utils/wpa_debug.c
===================================================================
--- a/src/utils/wpa_debug.c
+++ b/src/utils/wpa_debug.c
@@ -45,6 +45,7 @@ void wpa_debug_print_timestamp(void)
if (out_file) {
--- wpa_supplicant-2.10.orig/src/utils/wpa_debug.c
+++ wpa_supplicant-2.10/src/utils/wpa_debug.c
@@ -76,9 +76,11 @@ void wpa_debug_print_timestamp(void)
os_get_time(&tv);
#ifdef CONFIG_DEBUG_FILE
- if (out_file)
+ if (out_file) {
fprintf(out_file, "%ld.%06u: ", (long) tv.sec,
(unsigned int) tv.usec);
+ fflush(out_file);
} else
+ }
#endif /* CONFIG_DEBUG_FILE */
if (!out_file && !wpa_debug_syslog)
printf("%ld.%06u: ", (long) tv.sec, (unsigned int) tv.usec);
@@ -111,6 +112,7 @@ void wpa_printf(int level, const char *f
if (out_file) {
@@ -231,6 +233,7 @@ void wpa_printf(int level, const char *f
vfprintf(out_file, fmt, ap);
fprintf(out_file, "\n");
va_end(ap);
+ fflush(out_file);
} else {
}
#endif /* CONFIG_DEBUG_FILE */
vprintf(fmt, ap);
@@ -146,6 +148,7 @@ static void _wpa_hexdump(int level, cons
if (!wpa_debug_syslog && !out_file) {
@@ -365,6 +368,7 @@ static void _wpa_hexdump(int level, cons
fprintf(out_file, " [REMOVED]");
}
fprintf(out_file, "\n");
+ fflush(out_file);
} else {
}
#endif /* CONFIG_DEBUG_FILE */
printf("%s - hexdump(len=%lu):", title, (unsigned long) len);
@@ -191,12 +194,14 @@ static void _wpa_hexdump_ascii(int level
if (!wpa_debug_syslog && !out_file) {
@@ -436,12 +440,14 @@ static void _wpa_hexdump_ascii(int level
fprintf(out_file,
"%s - hexdump_ascii(len=%lu): [REMOVED]\n",
title, (unsigned long) len);
+ fflush(out_file);
return;
goto file_done;
}
if (buf == NULL) {
fprintf(out_file,
"%s - hexdump_ascii(len=%lu): [NULL]\n",
title, (unsigned long) len);
+ fflush(out_file);
return;
goto file_done;
}
fprintf(out_file, "%s - hexdump_ascii(len=%lu):\n",
@@ -221,6 +226,7 @@ static void _wpa_hexdump_ascii(int level
@@ -466,6 +472,7 @@ static void _wpa_hexdump_ascii(int level
pos += llen;
len -= llen;
}
+ fflush(out_file);
} else {
}
file_done:
#endif /* CONFIG_DEBUG_FILE */
if (!show) {

10
wpa_supplicant-getrandom.patch
View File

@ -1,7 +1,7 @@
Index: wpa_supplicant-2.9/src/utils/os_unix.c
Index: wpa_supplicant-2.10/src/utils/os_unix.c
===================================================================
--- wpa_supplicant-2.9.orig/src/utils/os_unix.c
+++ wpa_supplicant-2.9/src/utils/os_unix.c
--- wpa_supplicant-2.10.orig/src/utils/os_unix.c
+++ wpa_supplicant-2.10/src/utils/os_unix.c
@@ -6,11 +6,15 @@
* See README for more details.
*/
@ -19,7 +19,7 @@ Index: wpa_supplicant-2.9/src/utils/os_unix.c
#ifdef ANDROID
#include <sys/capability.h>
#include <sys/prctl.h>
@@ -257,6 +261,10 @@ int os_get_random(unsigned char *buf, si
@@ -263,6 +267,10 @@ int os_get_random(unsigned char *buf, si
buf[i] = i & 0xff;
return 0;
#else /* TEST_FUZZ */
@ -30,7 +30,7 @@ Index: wpa_supplicant-2.9/src/utils/os_unix.c
FILE *f;
size_t rc;
@@ -269,10 +277,13 @@ int os_get_random(unsigned char *buf, si
@@ -275,10 +283,13 @@ int os_get_random(unsigned char *buf, si
return -1;
}

15
wpa_supplicant-p2p_iname_size.diff
View File

@ -1,15 +0,0 @@
diff --git a/wpa_supplicant/p2p_supplicant.c b/wpa_supplicant/p2p_supplicant.c
index e94bffe52..17c25889c 100644
--- a/wpa_supplicant/p2p_supplicant.c
+++ b/wpa_supplicant/p2p_supplicant.c
@@ -3929,6 +3929,10 @@ int wpas_p2p_add_p2pdev_interface(struct wpa_supplicant *wpa_s,
wpa_s->ifname);
if (os_snprintf_error(sizeof(ifname), ret))
return -1;
+ /* Cut length at the maximum size. Note that we don't need to ensure
+ * collision free names here as the created interface is not a netdev.
+ */
+ ifname[IFNAMSIZ-1] = '\0';
force_name[0] = '\0';
wpa_s->pending_interface_type = WPA_IF_P2P_DEVICE;
ret = wpa_drv_if_add(wpa_s, WPA_IF_P2P_DEVICE, ifname, NULL, NULL,

18
wpa_supplicant-sigusr1-changes-debuglevel.patch
View File

@ -2,11 +2,13 @@
wpa_supplicant/wpa_supplicant.c | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c
@@ -123,6 +123,22 @@ int wpa_set_wep_keys(struct wpa_supplica
return set;
}
Index: wpa_supplicant-2.10/wpa_supplicant/wpa_supplicant.c
===================================================================
--- wpa_supplicant-2.10.orig/wpa_supplicant/wpa_supplicant.c
+++ wpa_supplicant-2.10/wpa_supplicant/wpa_supplicant.c
@@ -121,6 +121,22 @@ const char *const wpa_supplicant_full_li
"\n";
#endif /* CONFIG_NO_STDOUT_DEBUG */
+static void wpa_supplicant_handle_sigusr1(int sig,
+ void *signal_ctx)
@ -25,9 +27,9 @@
+ ((wpa_debug_level == MSG_MSGDUMP) ? "MSGDUMP" : "UNKNOWN")));
+}
int wpa_supplicant_set_wpa_none_key(struct wpa_supplicant *wpa_s,
struct wpa_ssid *ssid)
@@ -4124,6 +4140,8 @@ int wpa_supplicant_run(struct wpa_global
static void wpa_bss_tmp_disallow_timeout(void *eloop_ctx, void *timeout_ctx);
#if defined(CONFIG_FILS) && defined(IEEE8021X_EAPOL)
@@ -7474,6 +7490,8 @@ int wpa_supplicant_run(struct wpa_global
eloop_register_signal_terminate(wpa_supplicant_terminate, global);
eloop_register_signal_reconfig(wpa_supplicant_reconfig, global);

60
wpa_supplicant.changes
View File

@ -1,3 +1,63 @@
-------------------------------------------------------------------
Sun Jan 23 15:33:37 UTC 2022 - Dirk Müller <dmueller@suse.com>
- update to 2.10.0:
* SAE changes
- improved protection against side channel attacks
[https://w1.fi/security/2022-1/]
- added support for the hash-to-element mechanism (sae_pwe=1 or
sae_pwe=2); this is currently disabled by default, but will likely
get enabled by default in the future
- fixed PMKSA caching with OKC
- added support for SAE-PK
* EAP-pwd changes
- improved protection against side channel attacks
[https://w1.fi/security/2022-1/]
* fixed P2P provision discovery processing of a specially constructed
invalid frame
[https://w1.fi/security/2021-1/]
* fixed P2P group information processing of a specially constructed
invalid frame
[https://w1.fi/security/2020-2/]
* fixed PMF disconnection protection bypass in AP mode
[https://w1.fi/security/2019-7/]
* added support for using OpenSSL 3.0
* increased the maximum number of EAP message exchanges (mainly to
support cases with very large certificates)
* fixed various issues in experimental support for EAP-TEAP peer
* added support for DPP release 2 (Wi-Fi Device Provisioning Protocol)
* a number of MKA/MACsec fixes and extensions
* added support for SAE (WPA3-Personal) AP mode configuration
* added P2P support for EDMG (IEEE 802.11ay) channels
* fixed EAP-FAST peer with TLS GCM/CCM ciphers
* improved throughput estimation and BSS selection
* dropped support for libnl 1.1
* added support for nl80211 control port for EAPOL frame TX/RX
* fixed OWE key derivation with groups 20 and 21; this breaks backwards
compatibility for these groups while the default group 19 remains
backwards compatible
* added support for Beacon protection
* added support for Extended Key ID for pairwise keys
* removed WEP support from the default build (CONFIG_WEP=y can be used
to enable it, if really needed)
* added a build option to remove TKIP support (CONFIG_NO_TKIP=y)
* added support for Transition Disable mechanism to allow the AP to
automatically disable transition mode to improve security
* extended D-Bus interface
* added support for PASN
* added a file-based backend for external password storage to allow
secret information to be moved away from the main configuration file
without requiring external tools
* added EAP-TLS peer support for TLS 1.3 (disabled by default for now)
* added support for SCS, MSCS, DSCP policy
* changed driver interface selection to default to automatic fallback
to other compiled in options
* a large number of other fixes, cleanup, and extensions
- drop wpa_supplicant-p2p_iname_size.diff, CVE-2021-30004.patch,
CVE-2021-27803.patch, CVE-2021-0326.patch, CVE-2019-16275.patch:
upstream
- refresh config from 2.10 defconfig, re-enable CONFIG_WEP
-------------------------------------------------------------------
Mon Jan 10 08:27:51 UTC 2022 - Johannes Segitz <jsegitz@suse.com>

9
wpa_supplicant.spec
View File

@ -1,7 +1,7 @@
#
# spec file for package wpa_supplicant
#
# Copyright (c) 2021 SUSE LLC
# Copyright (c) 2022 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -17,7 +17,7 @@
Name: wpa_supplicant
Version: 2.9
Version: 2.10
Release: 0
Summary: WPA supplicant implementation
License: BSD-3-Clause AND GPL-2.0-or-later
@ -40,11 +40,6 @@ Patch3: wpa_supplicant-alloc_size.patch
Patch4: wpa_supplicant-getrandom.patch
Patch5: wpa_supplicant-dump-certificate-as-PEM-in-debug-mode.diff
Patch6: restore-old-dbus-interface.patch
Patch7: CVE-2019-16275.patch
Patch8: wpa_supplicant-p2p_iname_size.diff
Patch9: CVE-2021-0326.patch
Patch10: CVE-2021-27803.patch
Patch11: CVE-2021-30004.patch
BuildRequires: pkgconfig
BuildRequires: readline-devel
BuildRequires: systemd-rpm-macros