Accepting request 433620 from home:msmeissn:branches:hardware

- updated to 2.6 / 2016-10-02 * fixed WNM Sleep Mode processing when PMF is not enabled [http://w1.fi/security/2015-6/] (CVE-2015-5310 bsc#952254) * fixed EAP-pwd last fragment validation [http://w1.fi/security/2015-7/] (CVE-2015-5315 bsc#953115) * fixed EAP-pwd unexpected Confirm message processing [http://w1.fi/security/2015-8/] (CVE-2015-5316 bsc#953115) * fixed WPS configuration update vulnerability with malformed passphrase [http://w1.fi/security/2016-1/] (CVE-2016-4476 bsc#978172) * fixed configuration update vulnerability with malformed parameters set over the local control interface [http://w1.fi/security/2016-1/] (CVE-2016-4477 bsc#978175) * fixed TK configuration to the driver in EAPOL-Key 3/4 retry case * extended channel switch support for P2P GO * started to throttle control interface event message bursts to avoid issues with monitor sockets running out of buffer space * mesh mode fixes/improvements - generate proper AID for peer - enable WMM by default - add VHT support - fix PMKID derivation - improve robustness on various exchanges - fix peer link counting in reconnect case - improve mesh joining behavior - allow DTIM period to be configured - allow HT to be disabled (disable_ht=1) - add MESH_PEER_ADD and MESH_PEER_REMOVE commands - add support for PMKSA caching - add minimal support for SAE group negotiation - allow pairwise/group cipher to be configured in the network profile OBS-URL: https://build.opensuse.org/request/show/433620 OBS-URL: https://build.opensuse.org/package/show/hardware/wpa_supplicant?expand=0&rev=68
2016-10-06 16:48:36 +00:00 · 2016-10-06 16:48:36 +00:00 · 887e149164
commit 887e149164
parent bbf2aa5688
5 changed files with 232 additions and 4 deletions
--- a/wpa_supplicant-2.5.tar.gz
+++ b/wpa_supplicant-2.5.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:cce55bae483b364eae55c35ba567c279be442ed8bab5b80a3c7fb0d057b9b316
-size 2607336
--- a/wpa_supplicant-2.6.tar.gz
+++ b/wpa_supplicant-2.6.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b4936d34c4e6cdd44954beba74296d964bc2c9668ecaa5255e499636fe2b1450
+size 2753524
--- a/wpa_supplicant-dump-certificate-as-PEM-in-debug-mode.diff
+++ b/wpa_supplicant-dump-certificate-as-PEM-in-debug-mode.diff
@ -0,0 +1,77 @@
+From f40c1d989762c4f3b585c86ca5d9a216d120fa12 Mon Sep 17 00:00:00 2001
+From: Ludwig Nussel <ludwig.nussel@suse.de>
+Date: Fri, 16 Sep 2011 11:41:16 +0200
+Subject: [PATCH] dump certificate as PEM in debug mode
+
+---
+ src/crypto/tls_openssl.c | 13 +++++++++++++
+ src/utils/wpa_debug.c    |  5 +++++
+ src/utils/wpa_debug.h    |  8 ++++++++
+ 3 files changed, 26 insertions(+)
+
+Index: wpa_supplicant-2.4/src/crypto/tls_openssl.c
+===================================================================
+--- wpa_supplicant-2.4.orig/src/crypto/tls_openssl.c
+++ wpa_supplicant-2.4/src/crypto/tls_openssl.c
+@@ -1484,6 +1484,19 @@ static int tls_verify_cb(int preverify_o
+ 					 SSL_get_ex_data_X509_STORE_CTX_idx());
+ 	X509_NAME_oneline(X509_get_subject_name(err_cert), buf, sizeof(buf));
+ 
+	if (wpa_debug_enabled(MSG_DEBUG)) {
+		long len;
+		char* data = NULL;
+		BIO* bio = BIO_new(BIO_s_mem());
+		//X509_print_ex(bio, err_cert, (XN_FLAG_MULTILINE|ASN1_STRFLGS_UTF8_CONVERT)&~ASN1_STRFLGS_ESC_MSB, 0);
+		PEM_write_bio_X509(bio, err_cert);
+		len = BIO_get_mem_data(bio, &data);
+		if (len) {
+			wpa_printf(MSG_DEBUG, "OpenSSL certificate at depth %d:\n%*s", depth, (int)len, data);
+		}
+		BIO_free(bio);
+	}
+
+ 	conn = SSL_get_app_data(ssl);
+ 	if (conn == NULL)
+ 		return 0;
+Index: wpa_supplicant-2.4/src/utils/wpa_debug.c
+===================================================================
+--- wpa_supplicant-2.4.orig/src/utils/wpa_debug.c
+++ wpa_supplicant-2.4/src/utils/wpa_debug.c
+@@ -62,6 +62,11 @@ static FILE *out_file = NULL;
+ #endif /* CONFIG_DEBUG_FILE */
+ 
+ 
+int wpa_debug_enabled(int level)
+{
+	return level >= wpa_debug_level;
+}
+
+ void wpa_debug_print_timestamp(void)
+ {
+ #ifndef CONFIG_ANDROID_LOG
+Index: wpa_supplicant-2.4/src/utils/wpa_debug.h
+===================================================================
+--- wpa_supplicant-2.4.orig/src/utils/wpa_debug.h
+++ wpa_supplicant-2.4/src/utils/wpa_debug.h
+@@ -24,6 +24,7 @@ enum {
+ 
+ #ifdef CONFIG_NO_STDOUT_DEBUG
+ 
+#define wpa_debug_enabled(x) do { } while (0)
+ #define wpa_debug_print_timestamp() do { } while (0)
+ #define wpa_printf(args...) do { } while (0)
+ #define wpa_hexdump(l,t,b,le) do { } while (0)
+@@ -50,6 +51,13 @@ void wpa_debug_close_file(void);
+ void wpa_debug_setup_stdout(void);
+ 
+ /**
+ * wpa_debug_enabled: check whether given debug level is enabled
+ * @level: priority level (MSG_*) of the message
+ * @return: 0 or 1
+ */
+int wpa_debug_enabled(int level);
+
+/**
+  * wpa_debug_printf_timestamp - Print timestamp for debug output
+  *
+  * This function prints a timestamp in seconds_from_1970.microsoconds
--- a/wpa_supplicant.changes
+++ b/wpa_supplicant.changes
@ -1,3 +1,152 @@
+-------------------------------------------------------------------
+Thu Oct  6 15:42:23 UTC 2016 - meissner@suse.com
+
+- updated to 2.6 / 2016-10-02
+  * fixed WNM Sleep Mode processing when PMF is not enabled
+    [http://w1.fi/security/2015-6/] (CVE-2015-5310 bsc#952254)
+  * fixed EAP-pwd last fragment validation
+    [http://w1.fi/security/2015-7/] (CVE-2015-5315 bsc#953115)
+  * fixed EAP-pwd unexpected Confirm message processing
+    [http://w1.fi/security/2015-8/] (CVE-2015-5316 bsc#953115)
+  * fixed WPS configuration update vulnerability with malformed passphrase
+    [http://w1.fi/security/2016-1/] (CVE-2016-4476 bsc#978172)
+  * fixed configuration update vulnerability with malformed parameters set
+    over the local control interface
+    [http://w1.fi/security/2016-1/] (CVE-2016-4477 bsc#978175)
+  * fixed TK configuration to the driver in EAPOL-Key 3/4 retry case
+  * extended channel switch support for P2P GO
+  * started to throttle control interface event message bursts to avoid
+    issues with monitor sockets running out of buffer space
+  * mesh mode fixes/improvements
+    - generate proper AID for peer
+    - enable WMM by default
+    - add VHT support
+    - fix PMKID derivation
+    - improve robustness on various exchanges
+    - fix peer link counting in reconnect case
+    - improve mesh joining behavior
+    - allow DTIM period to be configured
+    - allow HT to be disabled (disable_ht=1)
+    - add MESH_PEER_ADD and MESH_PEER_REMOVE commands
+    - add support for PMKSA caching
+    - add minimal support for SAE group negotiation
+    - allow pairwise/group cipher to be configured in the network profile
+    - use ieee80211w profile parameter to enable/disable PMF and derive
+      a separate TX IGTK if PMF is enabled instead of using MGTK
+      incorrectly
+    - fix AEK and MTK derivation
+    - remove GTKdata and IGTKdata from Mesh Peering Confirm/Close
+    - note: these changes are not fully backwards compatible for secure
+      (RSN) mesh network
+  * fixed PMKID derivation with SAE
+  * added support for requesting and fetching arbitrary ANQP-elements
+    without internal support in wpa_supplicant for the specific element
+    (anqp[265]=<hexdump> in "BSS <BSSID>" command output)
+  * P2P
+    - filter control characters in group client device names to be
+      consistent with other P2P peer cases
+    - support VHT 80+80 MHz and 160 MHz
+    - indicate group completion in P2P Client role after data association
+      instead of already after the WPS provisioning step
+    - improve group-join operation to use SSID, if known, to filter BSS
+      entries
+    - added optional ssid=<hexdump> argument to P2P_CONNECT for join case
+    - added P2P_GROUP_MEMBER command to fetch client interface address
+  * P2PS
+    - fix follow-on PD Response behavior
+    - fix PD Response generation for unknown peer
+    - fix persistent group reporting
+    - add channel policy to PD Request
+    - add group SSID to the P2PS-PROV-DONE event
+    - allow "P2P_CONNECT <addr> p2ps" to be used without specifying the
+      default PIN
+  * BoringSSL
+    - support for OCSP stapling
+    - support building of h20-osu-client
+  * D-Bus
+    - add ExpectDisconnect()
+    - add global config parameters as properties
+    - add SaveConfig()
+    - add VendorElemAdd(), VendorElemGet(), VendorElemRem()
+  * fixed Suite B 192-bit AKM to use proper PMK length
+    (note: this makes old releases incompatible with the fixed behavior)
+  * improved PMF behavior for cases where the AP and STA has different
+    configuration by not trying to connect in some corner cases where the
+    connection cannot succeed
+  * added option to reopen debug log (e.g., to rotate the file) upon
+    receipt of SIGHUP signal
+  * EAP-pwd: added support for Brainpool Elliptic Curves
+    (with OpenSSL 1.0.2 and newer)
+  * fixed EAPOL reauthentication after FT protocol run
+  * fixed FTIE generation for 4-way handshake after FT protocol run
+  * extended INTERFACE_ADD command to allow certain type (sta/ap)
+    interface to be created
+  * fixed and improved various FST operations
+  * added 80+80 MHz and 160 MHz VHT support for IBSS/mesh
+  * fixed SIGNAL_POLL in IBSS and mesh cases
+  * added an option to abort an ongoing scan (used to speed up connection
+    and can also be done with the new ABORT_SCAN command)
+  * TLS client
+    - do not verify CA certificates when ca_cert is not specified
+    - support validating server certificate hash
+    - support SHA384 and SHA512 hashes
+    - add signature_algorithms extension into ClientHello
+    - support TLS v1.2 signature algorithm with SHA384 and SHA512
+    - support server certificate probing
+    - allow specific TLS versions to be disabled with phase2 parameter
+    - support extKeyUsage
+    - support PKCS #5 v2.0 PBES2
+    - support PKCS #5 with PKCS #12 style key decryption
+    - minimal support for PKCS #12
+    - support OCSP stapling (including ocsp_multi)
+  * OpenSSL
+    - support OpenSSL 1.1 API changes
+    - drop support for OpenSSL 0.9.8
+    - drop support for OpenSSL 1.0.0
+  * added support for multiple schedule scan plans (sched_scan_plans)
+  * added support for external server certificate chain validation
+    (tls_ext_cert_check=1 in the network profile phase1 parameter)
+  * made phase2 parser more strict about correct use of auth=<val> and
+    autheap=<val> values
+  * improved GAS offchannel operations with comeback request
+  * added SIGNAL_MONITOR command to request signal strength monitoring
+    events
+  * added command for retrieving HS 2.0 icons with in-memory storage
+    (REQ_HS20_ICON, GET_HS20_ICON, DEL_HS20_ICON commands and
+    RX-HS20-ICON event)
+  * enabled ACS support for AP mode operations with wpa_supplicant
+  * EAP-PEAP: fixed interoperability issue with Windows 2012r2 server
+    ("Invalid Compound_MAC in cryptobinding TLV")
+  * EAP-TTLS: fixed success after fragmented final Phase 2 message
+  * VHT: added interoperability workaround for 80+80 and 160 MHz channels
+  * WNM: workaround for broken AP operating class behavior
+  * added kqueue(2) support for eloop (CONFIG_ELOOP_KQUEUE)
+  * nl80211:
+    - add support for full station state operations
+    - do not add NL80211_ATTR_SMPS_MODE attribute if HT is disabled
+    - add NL80211_ATTR_PREV_BSSID with Connect command
+    - fix IEEE 802.1X/WEP EAP reauthentication and rekeying to use
+      unencrypted EAPOL frames
+  * added initial MBO support; number of extensions to WNM BSS Transition
+    Management
+  * added support for PBSS/PCP and P2P on 60 GHz
+  * Interworking: add credential realm to EAP-TLS identity
+  * fixed EAPOL-Key Request Secure bit to be 1 if PTK is set
+  * HS 2.0: add support for configuring frame filters
+  * added POLL_STA command to check connectivity in AP mode
+  * added initial functionality for location related operations
+  * started to ignore pmf=1/2 parameter for non-RSN networks
+  * added wps_disabled=1 network profile parameter to allow AP mode to
+    be started without enabling WPS
+  * wpa_cli: added action script support for AP-ENABLED and AP-DISABLED
+    events
+  * improved Public Action frame addressing
+    - add gas_address3 configuration parameter to control Address 3
+      behavior
+  * number of small fixes
+- wpa_supplicant-dump-certificate-as-PEM-in-debug-mode.diff: dump x509
+  certificates from remote radius server in debug mode in WPA-EAP.
+
 -------------------------------------------------------------------
 Wed Jul 20 11:54:37 UTC 2016 - tchvatal@suse.com

--- a/wpa_supplicant.spec
+++ b/wpa_supplicant.spec
@ -17,7 +17,7 @@


 Name:           wpa_supplicant
-Version:        2.5
+Version:        2.6
 Release:        0
 Summary:        WPA supplicant implementation
 License:        BSD-3-Clause and GPL-2.0+
@ -38,6 +38,7 @@ Patch1:         wpa_supplicant-flush-debug-output.patch
 Patch2:         wpa_supplicant-sigusr1-changes-debuglevel.patch
 Patch3:         wpa_supplicant-alloc_size.patch
 Patch4:         wpa_supplicant-getrandom.patch
+Patch5:         wpa_supplicant-dump-certificate-as-PEM-in-debug-mode.diff
 BuildRequires:  openssl-devel
 BuildRequires:  pkgconfig
 BuildRequires:  readline-devel
@ -74,6 +75,7 @@ cp %{SOURCE1} wpa_supplicant/.config
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
+%patch5 -p1

 %build
 cd wpa_supplicant