Accepting request 952645 from hardware

OBS-URL: https://build.opensuse.org/request/show/952645
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/wpa_supplicant?expand=0&rev=91

Revert-DBus-Add-sae-to-interface-key_mgmt-capabilities.patch

@@ -0,0 +1,34 @@
+From 7a9c36722511ce4df88b76cceceb241d6c6a151e Mon Sep 17 00:00:00 2001
+From: Brian Norris <briannorris@chromium.org>
+Date: Fri, 28 Feb 2020 15:50:47 -0800
+Subject: [PATCH] DBus: Add "sae" to interface key_mgmt capabilities
+
+This will be present when the driver supports SAE and it's included in
+the wpa_supplicant build.
+
+Signed-off-by: Brian Norris <briannorris@chromium.org>
+---
+ doc/dbus.doxygen                        | 2 +-
+ wpa_supplicant/dbus/dbus_new_handlers.c | 6 ------
+ 2 files changed, 1 insertion(+), 7 deletions(-)
+
+diff --git b/wpa_supplicant/dbus/dbus_new_handlers.c a/wpa_supplicant/dbus/dbus_new_handlers.c
+index c842c50e9..55c5dbc99 100644
+--- b/wpa_supplicant/dbus/dbus_new_handlers.c
++++ a/wpa_supplicant/dbus/dbus_new_handlers.c
+@@ -2798,12 +2798,6 @@ dbus_bool_t wpas_dbus_getter_capabilities(
+ 			goto nomem;
+ #endif /* CONFIG_WPS */
+ 
+-#ifdef CONFIG_SAE
+-		if ((capa.key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_SAE) &&
+-		    !wpa_dbus_dict_string_array_add_element(&iter_array, "sae"))
+-			goto nomem;
+-#endif /* CONFIG_SAE */
+-
+ #ifdef CONFIG_OWE
+ 		if ((capa.key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_OWE) &&
+ 		    !wpa_dbus_dict_string_array_add_element(&iter_array, "owe"))
+-- 
+2.34.1
+

config

@@ -32,7 +32,7 @@ CONFIG_DRIVER_WEXT=y
 CONFIG_DRIVER_NL80211=y
 
 # QCA vendor extensions to nl80211
-#CONFIG_DRIVER_NL80211_QCA=y
+CONFIG_DRIVER_NL80211_QCA=y
 
 # driver_nl80211.c requires libnl. If you are compiling it yourself
 # you may need to point hostapd to your version of libnl.
@@ -83,7 +83,7 @@ CONFIG_DRIVER_MACSEC_LINUX=y
 #CONFIG_DRIVER_ROBOSWITCH=y
 
 # Driver interface for no driver (e.g., WPS ER only)
-#CONFIG_DRIVER_NONE=y
+CONFIG_DRIVER_NONE=y
 
 # Solaris libraries
 #LIBS += -lsocket -ldlpi -lnsl
@@ -172,7 +172,7 @@ CONFIG_WPS=y
 CONFIG_WPS_ER=y
 # Disable credentials for an open network by default when acting as a WPS
 # registrar.
-#CONFIG_WPS_REG_DISABLE_OPEN=y
+CONFIG_WPS_REG_DISABLE_OPEN=y
 # Enable WPS support with NFC config method
 CONFIG_WPS_NFC=y
 
@@ -180,7 +180,7 @@ CONFIG_WPS_NFC=y
 CONFIG_EAP_IKEV2=y
 
 # EAP-EKE
-#CONFIG_EAP_EKE=y
+CONFIG_EAP_EKE=y
 
 # MACsec
 CONFIG_MACSEC=y
@@ -198,10 +198,10 @@ CONFIG_SMARTCARD=y
 #CONFIG_PCSC=y
 
 # Support HT overrides (disable HT/HT40, mask MCS rates, etc.)
-#CONFIG_HT_OVERRIDES=y
+CONFIG_HT_OVERRIDES=y
 
 # Support VHT overrides (disable VHT, mask MCS rates, etc.)
-#CONFIG_VHT_OVERRIDES=y
+CONFIG_VHT_OVERRIDES=y
 
 # Development testing
 #CONFIG_EAPOL_TEST=y
@@ -248,6 +248,10 @@ CONFIG_CTRL_IFACE=y
 # Simultaneous Authentication of Equals (SAE), WPA3-Personal
 CONFIG_SAE=y
 
+# WPA3-Enterprise (SuiteB-192)
+CONFIG_SUITEB=y
+CONFIG_SUITEB192=y
+
 # Disable scan result processing (ap_scan=1) to save code size by about 1 kB.
 # This can be used if ap_scan=1 mode is never enabled.
 #CONFIG_NO_SCAN_PROCESSING=y
@@ -279,12 +283,12 @@ CONFIG_BACKEND=file
 # unix = UNIX/POSIX like systems (default)
 # win32 = Windows systems
 # none = Empty template
-#CONFIG_OS=unix
+CONFIG_OS=unix
 
 # Select event loop implementation
 # eloop = select() loop (default)
 # eloop_win = Windows events and WaitForMultipleObject() loop
-#CONFIG_ELOOP=eloop
+CONFIG_ELOOP=eloop
 
 # Should we use poll instead of select? Select is used by default.
 #CONFIG_ELOOP_POLL=y
@@ -302,7 +306,7 @@ CONFIG_BACKEND=file
 # winpcap = WinPcap with receive thread
 # ndis = Windows NDISUIO (note: requires CONFIG_USE_NDISUIO=y)
 # none = Empty template
-#CONFIG_L2_PACKET=linux
+CONFIG_L2_PACKET=linux
 
 # Disable Linux packet socket workaround applicable for station interface
 # in a bridge for EAPOL frames. This should be uncommented only if the kernel
@@ -311,7 +315,7 @@ CONFIG_BACKEND=file
 #CONFIG_NO_LINUX_PACKET_SOCKET_WAR=y
 
 # Support Operating Channel Validation
-#CONFIG_OCV=y
+CONFIG_OCV=y
 
 # Select TLS implementation
 # openssl = OpenSSL (default)
@@ -319,25 +323,25 @@ CONFIG_BACKEND=file
 # internal = Internal TLSv1 implementation (experimental)
 # linux = Linux kernel AF_ALG and internal TLSv1 implementation (experimental)
 # none = Empty template
-#CONFIG_TLS=openssl
+CONFIG_TLS=openssl
 
 # TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1)
 # can be enabled to get a stronger construction of messages when block ciphers
 # are used. It should be noted that some existing TLS v1.0 -based
 # implementation may not be compatible with TLS v1.1 message (ClientHello is
 # sent prior to negotiating which version will be used)
-#CONFIG_TLSV11=y
+CONFIG_TLSV11=y
 
 # TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2)
 # can be enabled to enable use of stronger crypto algorithms. It should be
 # noted that some existing TLS v1.0 -based implementation may not be compatible
 # with TLS v1.2 message (ClientHello is sent prior to negotiating which version
 # will be used)
-#CONFIG_TLSV12=y
+CONFIG_TLSV12=y
 
 # Select which ciphers to use by default with OpenSSL if the user does not
 # specify them.
-#CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW"
+CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT@SECLEVEL=1"
 
 # If CONFIG_TLS=internal is used, additional library and include paths are
 # needed for LibTomMath. Alternatively, an integrated, minimal version of
@@ -361,10 +365,6 @@ CONFIG_BACKEND=file
 #CONFIG_NDIS_EVENTS_INTEGRATED=y
 #PLATFORMSDKLIB="/opt/Program Files/Microsoft Platform SDK/Lib"
 
-# Add support for old DBus control interface
-# (fi.epitest.hostap.WPASupplicant)
-CONFIG_CTRL_IFACE_DBUS=y
-
 # Add support for new DBus control interface
 # (fi.w1.wpa_supplicant1)
 CONFIG_CTRL_IFACE_DBUS_NEW=y
@@ -395,6 +395,7 @@ CONFIG_CTRL_IFACE_DBUS_INTRO=y
 
 # IEEE Std 802.11r-2008 (Fast BSS Transition) for station mode
 # CONFIG_IEEE80211R=y
+CONFIG_IEEE80211R=y
 
 # Add support for writing debug log to a file (/tmp/wpa_supplicant-log-#.txt)
 CONFIG_DEBUG_FILE=y
@@ -419,7 +420,7 @@ CONFIG_DEBUG_FILE=y
 
 # Enable mitigation against certain attacks against TKIP by delaying Michael
 # MIC error reports by a random amount of time between 0 and 60 seconds
-#CONFIG_DELAYED_MIC_ERROR_REPORT=y
+CONFIG_DELAYED_MIC_ERROR_REPORT=y
 
 # Enable tracing code for developer debugging
 # This tracks use of memory allocations and other registrations and reports
@@ -473,7 +474,7 @@ CONFIG_NO_RANDOM_POOL=y
 # Should we attempt to use the getrandom(2) call that provides more reliable
 # yet secure randomness source than /dev/random on Linux 3.17 and newer.
 # Requires glibc 2.25 to build, falls back to /dev/random if unavailable.
-#CONFIG_GETRANDOM=y
+CONFIG_GETRANDOM=y
 
 # IEEE 802.11ac (Very High Throughput) support (mainly for AP mode)
 CONFIG_IEEE80211AC=y
@@ -523,9 +524,9 @@ CONFIG_WIFI_DISPLAY=y
 #
 # Enabling directly a module will enable autoscan support.
 # For exponential module:
-#CONFIG_AUTOSCAN_EXPONENTIAL=y
+CONFIG_AUTOSCAN_EXPONENTIAL=y
 # For periodic module:
-#CONFIG_AUTOSCAN_PERIODIC=y
+CONFIG_AUTOSCAN_PERIODIC=y
 
 # Password (and passphrase, etc.) backend for external storage
 # These optional mechanisms can be used to add support for storing passwords
@@ -538,7 +539,7 @@ CONFIG_WIFI_DISPLAY=y
 #CONFIG_EXT_PASSWORD_FILE=y
 
 # Enable Fast Session Transfer (FST)
-#CONFIG_FST=y
+CONFIG_FST=y
 
 # Enable CLI commands for FST testing
 #CONFIG_FST_TEST=y
@@ -570,15 +571,15 @@ CONFIG_WIFI_DISPLAY=y
 #
 # For more details refer to:
 # http://wireless.kernel.org/en/users/Documentation/acs
-#CONFIG_ACS=y
+CONFIG_ACS=y
 
 # Support Multi Band Operation
-#CONFIG_MBO=y
+CONFIG_MBO=y
 
 # Fast Initial Link Setup (FILS) (IEEE 802.11ai)
-#CONFIG_FILS=y
+CONFIG_FILS=y
 # FILS shared key authentication with PFS
-#CONFIG_FILS_SK_PFS=y
+CONFIG_FILS_SK_PFS=y
 
 # Support RSN on IBSS networks
 # This is needed to be able to use mode=1 network profile with proto=RSN and
@@ -591,7 +592,7 @@ CONFIG_IBSS_RSN=y
 #CONFIG_PMKSA_CACHE_EXTERNAL=y
 
 # Mesh Networking (IEEE 802.11s)
-#CONFIG_MESH=y
+CONFIG_MESH=y
 
 # Background scanning modules
 # These can be used to request wpa_supplicant to perform background scanning
@@ -605,7 +606,7 @@ CONFIG_BGSCAN_SIMPLE=y
 
 # Opportunistic Wireless Encryption (OWE)
 # Experimental implementation of draft-harkins-owe-07.txt
-#CONFIG_OWE=y
+CONFIG_OWE=y
 
 # Device Provisioning Protocol (DPP) (also known as Wi-Fi Easy Connect)
 CONFIG_DPP=y

wpa_supplicant-getrandom.patch

@@ -1,46 +0,0 @@
-Index: wpa_supplicant-2.10/src/utils/os_unix.c
-===================================================================
---- wpa_supplicant-2.10.orig/src/utils/os_unix.c
-+++ wpa_supplicant-2.10/src/utils/os_unix.c
-@@ -6,11 +6,15 @@
-  * See README for more details.
-  */
- 
-+#ifndef _GNU_SOURCE
-+#define _GNU_SOURCE
-+#endif
- #include "includes.h"
- 
- #include <time.h>
- #include <sys/wait.h>
--
-+#include <sys/syscall.h>
-+#include <unistd.h>
- #ifdef ANDROID
- #include <sys/capability.h>
- #include <sys/prctl.h>
-@@ -263,6 +267,10 @@ int os_get_random(unsigned char *buf, si
- 		buf[i] = i & 0xff;
- 	return 0;
- #else /* TEST_FUZZ */
-+#ifdef SYS_getrandom
-+    int gr = TEMP_FAILURE_RETRY(syscall(SYS_getrandom, buf, len, 0));
-+    return (gr != -1 && gr == len) ? 0 : -1;
-+#else /* SYS_getrandom */
- 	FILE *f;
- 	size_t rc;
- 
-@@ -275,10 +283,13 @@ int os_get_random(unsigned char *buf, si
- 		return -1;
- 	}
- 
-+	setbuf(f, NULL);
-+
- 	rc = fread(buf, 1, len, f);
- 	fclose(f);
- 
- 	return rc != len ? -1 : 0;
-+#endif /* SYS_getrandom */
- #endif /* TEST_FUZZ */
- }
- 

wpa_supplicant.changes

@@ -1,3 +1,39 @@
+-------------------------------------------------------------------
+Sat Feb  5 09:28:52 UTC 2022 - Hans-Peter Jansen <hpj@urpla.net>
+
+- Apply Revert-DBus-Add-sae-to-interface-key_mgmt-capabilities.patch
+  to fix connect with AVM FB, if WPA3 transition mode is activated,
+  e.g. Wifi -> Security: is WPA2 + WPA3, alt. switch to WPA2 (CCMP)
+  (bsc#1195312)
+
+-------------------------------------------------------------------
+Tue Feb  1 19:41:41 UTC 2022 - Dirk Müller <dmueller@suse.com>
+
+- drop restore-old-dbus-interface.patch, wicked has been
+  switching to the new dbus interface in version 0.6.66.
+- drop wpa_supplicant-getrandom.patch : glibc has been updated
+  so the getrandom() wrapper is now there
+- config:
+  * enable QCA vendor extensions to nl80211
+  * enable EAP-EKE
+  * Support HT overrides
+  * WPA3-Enterprise 
+  * TLS v1.1 and TLS v1.2
+  * Fast Session Transfer (FST)
+  * Automatic Channel Selection
+  * Multi Band Operation
+  * Fast Initial Link Setup
+  * Mesh Networking (IEEE 802.11s)
+
+-------------------------------------------------------------------
+Mon Jan 31 19:42:36 UTC 2022 - Dirk Müller <dmueller@suse.com>
+
+- config: 
+  * Reenable Fast BSS Transition (likely fixing bsc#1195312)
+  * Enable OCV, security feature that prevents MITM
+    multi-channel attacks
+  * Enable OWE for better hotspot support
+
 -------------------------------------------------------------------
 Sun Jan 23 15:33:37 UTC 2022 - Dirk Müller <dmueller@suse.com>
 

wpa_supplicant.spec

@@ -37,9 +37,8 @@ Patch1:         wpa_supplicant-flush-debug-output.patch
 # is not portable
 Patch2:         wpa_supplicant-sigusr1-changes-debuglevel.patch
 Patch3:         wpa_supplicant-alloc_size.patch
-Patch4:         wpa_supplicant-getrandom.patch
 Patch5:         wpa_supplicant-dump-certificate-as-PEM-in-debug-mode.diff
-Patch6:         restore-old-dbus-interface.patch
+Patch7:         Revert-DBus-Add-sae-to-interface-key_mgmt-capabilities.patch
 BuildRequires:  pkgconfig
 BuildRequires:  readline-devel
 BuildRequires:  systemd-rpm-macros