Accepting request 1200682 from hardware

- update to v2.11:
  * Wi-Fi Easy Connect
    - add support for DPP release 3
    - allow Configurator parameters to be provided during config exchange
  * HE/IEEE 802.11ax/Wi-Fi 6
    - various fixes
  * EHT/IEEE 802.11be/Wi-Fi 7
    - add preliminary support
  * SAE: add support for fetching the password from a RADIUS server
  * support OpenSSL 3.0 API changes
  * support background radar detection and CAC with some additional
    drivers
  * support RADIUS ACL/PSK check during 4-way handshake (wpa_psk_radius=3)
  * EAP-SIM/AKA: support IMSI privacy
  * improve 4-way handshake operations
    - use Secure=1 in message 3 during PTK rekeying
  * OCV: do not check Frequency Segment 1 Channel Number for 160 MHz cases
    to avoid interoperability issues
  * support new SAE AKM suites with variable length keys
  * support new AKM for 802.1X/EAP with SHA384
  * extend PASN support for secure ranging
  * FT: Use SHA256 to derive PMKID for AKM 00-0F-AC:3 (FT-EAP)
    - this is based on additional details being added in the IEEE 802.11
      standard
    - the new implementation is not backwards compatible
  * improved ACS to cover additional channel types/bandwidths
  * extended Multiple BSSID support
  * fix beacon protection with FT protocol (incorrect BIGTK was provided)
  * support unsynchronized service discovery (USD)
  * add preliminary support for RADIUS/TLS
  * add support for explicit SSID protection in 4-way handshake
    (a mitigation for CVE-2023-52424; disabled by default for now, can be
    enabled with ssid_protection=1)
  * fix SAE H2E rejected groups validation to avoid downgrade attacks
  * use stricter validation for some RADIUS messages
  * a large number of other fixes, cleanup, and extensions
- refresh patches:
    wpa_supplicant-dump-certificate-as-PEM-in-debug-mode.diff
    wpa_supplicant-sigusr1-changes-debuglevel.patch
- drop patches:
    CVE-2023-52160.patch 
    dbus-Fix-property-DebugShowKeys-and-DebugTimestamp.patch

OBS-URL: https://build.opensuse.org/request/show/1200682
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/wpa_supplicant?expand=0&rev=96

CVE-2023-52160.patch

@@ -1,210 +0,0 @@
-From 8e6485a1bcb0baffdea9e55255a81270b768439c Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Sat, 8 Jul 2023 19:55:32 +0300
-Subject: PEAP client: Update Phase 2 authentication requirements
-
-The previous PEAP client behavior allowed the server to skip Phase 2
-authentication with the expectation that the server was authenticated
-during Phase 1 through TLS server certificate validation. Various PEAP
-specifications are not exactly clear on what the behavior on this front
-is supposed to be and as such, this ended up being more flexible than
-the TTLS/FAST/TEAP cases. However, this is not really ideal when
-unfortunately common misconfiguration of PEAP is used in deployed
-devices where the server trust root (ca_cert) is not configured or the
-user has an easy option for allowing this validation step to be skipped.
-
-Change the default PEAP client behavior to be to require Phase 2
-authentication to be successfully completed for cases where TLS session
-resumption is not used and the client certificate has not been
-configured. Those two exceptions are the main cases where a deployed
-authentication server might skip Phase 2 and as such, where a more
-strict default behavior could result in undesired interoperability
-issues. Requiring Phase 2 authentication will end up disabling TLS
-session resumption automatically to avoid interoperability issues.
-
-Allow Phase 2 authentication behavior to be configured with a new phase1
-configuration parameter option:
-'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
-tunnel) behavior for PEAP:
- * 0 = do not require Phase 2 authentication
- * 1 = require Phase 2 authentication when client certificate
-   (private_key/client_cert) is no used and TLS session resumption was
-   not used (default)
- * 2 = require Phase 2 authentication in all cases
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- src/eap_peer/eap_config.h          |  8 ++++++++
- src/eap_peer/eap_peap.c            | 40 +++++++++++++++++++++++++++++++++++---
- src/eap_peer/eap_tls_common.c      |  6 ++++++
- src/eap_peer/eap_tls_common.h      |  5 +++++
- wpa_supplicant/wpa_supplicant.conf |  7 +++++++
- 5 files changed, 63 insertions(+), 3 deletions(-)
-
-diff --git a/src/eap_peer/eap_config.h b/src/eap_peer/eap_config.h
-index 26744ab68..58d5a1359 100644
---- a/src/eap_peer/eap_config.h
-+++ b/src/eap_peer/eap_config.h
-@@ -471,6 +471,14 @@ struct eap_peer_config {
- 	 * 1 = use cryptobinding if server supports it
- 	 * 2 = require cryptobinding
- 	 *
-+	 * phase2_auth option can be used to control Phase 2 (i.e., within TLS
-+	 * tunnel) behavior for PEAP:
-+	 * 0 = do not require Phase 2 authentication
-+	 * 1 = require Phase 2 authentication when client certificate
-+	 *  (private_key/client_cert) is no used and TLS session resumption was
-+	 *  not used (default)
-+	 * 2 = require Phase 2 authentication in all cases
-+	 *
- 	 * EAP-WSC (WPS) uses following options: pin=Device_Password and
- 	 * uuid=Device_UUID
- 	 *
-diff --git a/src/eap_peer/eap_peap.c b/src/eap_peer/eap_peap.c
-index 12e30df29..608069719 100644
---- a/src/eap_peer/eap_peap.c
-+++ b/src/eap_peer/eap_peap.c
-@@ -67,6 +67,7 @@ struct eap_peap_data {
- 	u8 cmk[20];
- 	int soh; /* Whether IF-TNCCS-SOH (Statement of Health; Microsoft NAP)
- 		  * is enabled. */
-+	enum { NO_AUTH, FOR_INITIAL, ALWAYS } phase2_auth;
- };
- 
- 
-@@ -114,6 +115,19 @@ static void eap_peap_parse_phase1(struct eap_peap_data *data,
- 		wpa_printf(MSG_DEBUG, "EAP-PEAP: Require cryptobinding");
- 	}
- 
-+	if (os_strstr(phase1, "phase2_auth=0")) {
-+		data->phase2_auth = NO_AUTH;
-+		wpa_printf(MSG_DEBUG,
-+			   "EAP-PEAP: Do not require Phase 2 authentication");
-+	} else if (os_strstr(phase1, "phase2_auth=1")) {
-+		data->phase2_auth = FOR_INITIAL;
-+		wpa_printf(MSG_DEBUG,
-+			   "EAP-PEAP: Require Phase 2 authentication for initial connection");
-+	} else if (os_strstr(phase1, "phase2_auth=2")) {
-+		data->phase2_auth = ALWAYS;
-+		wpa_printf(MSG_DEBUG,
-+			   "EAP-PEAP: Require Phase 2 authentication for all cases");
-+	}
- #ifdef EAP_TNC
- 	if (os_strstr(phase1, "tnc=soh2")) {
- 		data->soh = 2;
-@@ -142,6 +156,7 @@ static void * eap_peap_init(struct eap_sm *sm)
- 	data->force_peap_version = -1;
- 	data->peap_outer_success = 2;
- 	data->crypto_binding = OPTIONAL_BINDING;
-+	data->phase2_auth = FOR_INITIAL;
- 
- 	if (config && config->phase1)
- 		eap_peap_parse_phase1(data, config->phase1);
-@@ -454,6 +469,20 @@ static int eap_tlv_validate_cryptobinding(struct eap_sm *sm,
- }
- 
- 
-+static bool peap_phase2_sufficient(struct eap_sm *sm,
-+				   struct eap_peap_data *data)
-+{
-+	if ((data->phase2_auth == ALWAYS ||
-+	     (data->phase2_auth == FOR_INITIAL &&
-+	      !tls_connection_resumed(sm->ssl_ctx, data->ssl.conn) &&
-+	      !data->ssl.client_cert_conf) ||
-+	     data->phase2_eap_started) &&
-+	    !data->phase2_eap_success)
-+		return false;
-+	return true;
-+}
-+
-+
- /**
-  * eap_tlv_process - Process a received EAP-TLV message and generate a response
-  * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
-@@ -568,6 +597,11 @@ static int eap_tlv_process(struct eap_sm *sm, struct eap_peap_data *data,
- 					   " - force failed Phase 2");
- 				resp_status = EAP_TLV_RESULT_FAILURE;
- 				ret->decision = DECISION_FAIL;
-+			} else if (!peap_phase2_sufficient(sm, data)) {
-+				wpa_printf(MSG_INFO,
-+					   "EAP-PEAP: Server indicated Phase 2 success, but sufficient Phase 2 authentication has not been completed");
-+				resp_status = EAP_TLV_RESULT_FAILURE;
-+				ret->decision = DECISION_FAIL;
- 			} else {
- 				resp_status = EAP_TLV_RESULT_SUCCESS;
- 				ret->decision = DECISION_UNCOND_SUCC;
-@@ -887,8 +921,7 @@ continue_req:
- 			/* EAP-Success within TLS tunnel is used to indicate
- 			 * shutdown of the TLS channel. The authentication has
- 			 * been completed. */
--			if (data->phase2_eap_started &&
--			    !data->phase2_eap_success) {
-+			if (!peap_phase2_sufficient(sm, data)) {
- 				wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 "
- 					   "Success used to indicate success, "
- 					   "but Phase 2 EAP was not yet "
-@@ -1199,8 +1232,9 @@ static struct wpabuf * eap_peap_process(struct eap_sm *sm, void *priv,
- static bool eap_peap_has_reauth_data(struct eap_sm *sm, void *priv)
- {
- 	struct eap_peap_data *data = priv;
-+
- 	return tls_connection_established(sm->ssl_ctx, data->ssl.conn) &&
--		data->phase2_success;
-+		data->phase2_success && data->phase2_auth != ALWAYS;
- }
- 
- 
-diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c
-index 6193b4bdb..966cbd6c7 100644
---- a/src/eap_peer/eap_tls_common.c
-+++ b/src/eap_peer/eap_tls_common.c
-@@ -242,6 +242,12 @@ static int eap_tls_params_from_conf(struct eap_sm *sm,
- 
- 	sm->ext_cert_check = !!(params->flags & TLS_CONN_EXT_CERT_CHECK);
- 
-+	if (!phase2)
-+		data->client_cert_conf = params->client_cert ||
-+			params->client_cert_blob ||
-+			params->private_key ||
-+			params->private_key_blob;
-+
- 	return 0;
- }
- 
-diff --git a/src/eap_peer/eap_tls_common.h b/src/eap_peer/eap_tls_common.h
-index 9ac00121f..334863413 100644
---- a/src/eap_peer/eap_tls_common.h
-+++ b/src/eap_peer/eap_tls_common.h
-@@ -79,6 +79,11 @@ struct eap_ssl_data {
- 	 * tls_v13 - Whether TLS v1.3 or newer is used
- 	 */
- 	int tls_v13;
-+
-+	/**
-+	 * client_cert_conf: Whether client certificate has been configured
-+	 */
-+	bool client_cert_conf;
- };
- 
- 
-diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
-index f0b82443e..1b09f57d3 100644
---- a/wpa_supplicant/wpa_supplicant.conf
-+++ b/wpa_supplicant/wpa_supplicant.conf
-@@ -1370,6 +1370,13 @@ fast_reauth=1
- #	 * 0 = do not use cryptobinding (default)
- #	 * 1 = use cryptobinding if server supports it
- #	 * 2 = require cryptobinding
-+#	'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
-+#	tunnel) behavior for PEAP:
-+#	 * 0 = do not require Phase 2 authentication
-+#	 * 1 = require Phase 2 authentication when client certificate
-+#	   (private_key/client_cert) is no used and TLS session resumption was
-+#	   not used (default)
-+#	 * 2 = require Phase 2 authentication in all cases
- #	EAP-WSC (WPS) uses following options: pin=<Device Password> or
- #	pbc=1.
- #
--- 
-cgit v1.2.3-18-g5258
-

dbus-Fix-property-DebugShowKeys-and-DebugTimestamp.patch

@@ -1,46 +0,0 @@
-From 903f0848ce7d67c99eb5a2569aa5c31bcd7adbc1 Mon Sep 17 00:00:00 2001
-From: Clemens Famulla-Conrad <cfamullaconrad@suse.de>
-Date: Tue, 5 Jul 2022 13:04:52 +0200
-Subject: [PATCH] dbus: Fix property DebugShowKeys and DebugTimestamp
-
-It is possible to specify -t or -K multiple times. With this the
-value isn't boolean anymore and we hit a assert in libdbus
-function `dbus_message_iter_append_basic()`, which expect 0 or 1
-for DBUS_TYPE_BOOLEAN.
-
-Signed-off-by: Clemens Famulla-Conrad <cfamullaconrad@suse.de>
----
- wpa_supplicant/dbus/dbus_new_handlers.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/wpa_supplicant/dbus/dbus_new_handlers.c b/wpa_supplicant/dbus/dbus_new_handlers.c
-index 0b1002bf1..de82930e8 100644
---- a/wpa_supplicant/dbus/dbus_new_handlers.c
-+++ b/wpa_supplicant/dbus/dbus_new_handlers.c
-@@ -908,8 +908,10 @@ dbus_bool_t wpas_dbus_getter_debug_timestamp(
- 	const struct wpa_dbus_property_desc *property_desc,
- 	DBusMessageIter *iter, DBusError *error, void *user_data)
- {
-+	dbus_bool_t b = wpa_debug_timestamp ? TRUE : FALSE;
-+
- 	return wpas_dbus_simple_property_getter(iter, DBUS_TYPE_BOOLEAN,
--						&wpa_debug_timestamp, error);
-+						&b, error);
- 
- }
- 
-@@ -927,8 +929,10 @@ dbus_bool_t wpas_dbus_getter_debug_show_keys(
- 	const struct wpa_dbus_property_desc *property_desc,
- 	DBusMessageIter *iter, DBusError *error, void *user_data)
- {
-+	dbus_bool_t b = wpa_debug_timestamp ? TRUE : FALSE;
-+
- 	return wpas_dbus_simple_property_getter(iter, DBUS_TYPE_BOOLEAN,
--						&wpa_debug_show_keys, error);
-+						&b, error);
- 
- }
- 
--- 
-2.35.3
-

wpa_supplicant-dump-certificate-as-PEM-in-debug-mode.diff

@@ -4,16 +4,14 @@ Date: Fri, 16 Sep 2011 11:41:16 +0200
 Subject: [PATCH] dump certificate as PEM in debug mode
 
 ---
- src/crypto/tls_openssl.c | 13 +++++++++++++
- src/utils/wpa_debug.c    |  5 +++++
- src/utils/wpa_debug.h    |  8 ++++++++
+ src/crypto/tls_openssl.c |   13 +++++++++++++
+ src/utils/wpa_debug.c    |    5 +++++
+ src/utils/wpa_debug.h    |    8 ++++++++
  3 files changed, 26 insertions(+)
 
-Index: wpa_supplicant-2.10/src/crypto/tls_openssl.c
-===================================================================
---- wpa_supplicant-2.10.orig/src/crypto/tls_openssl.c
-+++ wpa_supplicant-2.10/src/crypto/tls_openssl.c
-@@ -2361,6 +2361,19 @@ static int tls_verify_cb(int preverify_o
+--- a/src/crypto/tls_openssl.c
++++ b/src/crypto/tls_openssl.c
+@@ -2515,6 +2515,19 @@
  	debug_print_cert(err_cert, buf);
  	X509_NAME_oneline(X509_get_subject_name(err_cert), buf, sizeof(buf));
  
@@ -33,11 +31,9 @@ Index: wpa_supplicant-2.10/src/crypto/tls_openssl.c
  	conn = SSL_get_app_data(ssl);
  	if (conn == NULL)
  		return 0;
-Index: wpa_supplicant-2.10/src/utils/wpa_debug.c
-===================================================================
---- wpa_supplicant-2.10.orig/src/utils/wpa_debug.c
-+++ wpa_supplicant-2.10/src/utils/wpa_debug.c
-@@ -66,6 +66,11 @@ static int wpa_to_android_level(int leve
+--- a/src/utils/wpa_debug.c
++++ b/src/utils/wpa_debug.c
+@@ -66,6 +66,11 @@
  #endif /* CONFIG_DEBUG_FILE */
  
  
@@ -49,11 +45,9 @@ Index: wpa_supplicant-2.10/src/utils/wpa_debug.c
  void wpa_debug_print_timestamp(void)
  {
  #ifndef CONFIG_ANDROID_LOG
-Index: wpa_supplicant-2.10/src/utils/wpa_debug.h
-===================================================================
---- wpa_supplicant-2.10.orig/src/utils/wpa_debug.h
-+++ wpa_supplicant-2.10/src/utils/wpa_debug.h
-@@ -25,6 +25,7 @@ enum {
+--- a/src/utils/wpa_debug.h
++++ b/src/utils/wpa_debug.h
+@@ -25,6 +25,7 @@
  
  #ifdef CONFIG_NO_STDOUT_DEBUG
  
@@ -61,8 +55,8 @@ Index: wpa_supplicant-2.10/src/utils/wpa_debug.h
  #define wpa_debug_print_timestamp() do { } while (0)
  #define wpa_printf(args...) do { } while (0)
  #define wpa_hexdump(l,t,b,le) do { } while (0)
-@@ -51,6 +52,13 @@ void wpa_debug_close_file(void);
- void wpa_debug_setup_stdout(void);
+@@ -52,6 +53,13 @@
+ void wpa_debug_stop_log(void);
  
  /**
 + * wpa_debug_enabled: check whether given debug level is enabled

wpa_supplicant-sigusr1-changes-debuglevel.patch

@@ -2,11 +2,9 @@
  wpa_supplicant/wpa_supplicant.c |   18 ++++++++++++++++++
  1 file changed, 18 insertions(+)
 
-Index: wpa_supplicant-2.10/wpa_supplicant/wpa_supplicant.c
-===================================================================
---- wpa_supplicant-2.10.orig/wpa_supplicant/wpa_supplicant.c
-+++ wpa_supplicant-2.10/wpa_supplicant/wpa_supplicant.c
-@@ -121,6 +121,22 @@ const char *const wpa_supplicant_full_li
+--- a/wpa_supplicant/wpa_supplicant.c
++++ b/wpa_supplicant/wpa_supplicant.c
+@@ -123,6 +123,22 @@
  "\n";
  #endif /* CONFIG_NO_STDOUT_DEBUG */
  
@@ -28,8 +26,8 @@ Index: wpa_supplicant-2.10/wpa_supplicant/wpa_supplicant.c
 +}
  
  static void wpa_bss_tmp_disallow_timeout(void *eloop_ctx, void *timeout_ctx);
- #if defined(CONFIG_FILS) && defined(IEEE8021X_EAPOL)
-@@ -7474,6 +7490,8 @@ int wpa_supplicant_run(struct wpa_global
+ static void wpas_verify_ssid_beacon(void *eloop_ctx, void *timeout_ctx);
+@@ -8189,6 +8205,8 @@
  	eloop_register_signal_terminate(wpa_supplicant_terminate, global);
  	eloop_register_signal_reconfig(wpa_supplicant_reconfig, global);
  

wpa_supplicant.changes

@@ -1,3 +1,49 @@
+-------------------------------------------------------------------
+Wed Sep 11 14:44:58 UTC 2024 - Clemens Famulla-Conrad <cfamullaconrad@suse.com>
+
+- update to v2.11:
+  * Wi-Fi Easy Connect
+    - add support for DPP release 3
+    - allow Configurator parameters to be provided during config exchange
+  * HE/IEEE 802.11ax/Wi-Fi 6
+    - various fixes
+  * EHT/IEEE 802.11be/Wi-Fi 7
+    - add preliminary support
+  * SAE: add support for fetching the password from a RADIUS server
+  * support OpenSSL 3.0 API changes
+  * support background radar detection and CAC with some additional
+    drivers
+  * support RADIUS ACL/PSK check during 4-way handshake (wpa_psk_radius=3)
+  * EAP-SIM/AKA: support IMSI privacy
+  * improve 4-way handshake operations
+    - use Secure=1 in message 3 during PTK rekeying
+  * OCV: do not check Frequency Segment 1 Channel Number for 160 MHz cases
+    to avoid interoperability issues
+  * support new SAE AKM suites with variable length keys
+  * support new AKM for 802.1X/EAP with SHA384
+  * extend PASN support for secure ranging
+  * FT: Use SHA256 to derive PMKID for AKM 00-0F-AC:3 (FT-EAP)
+    - this is based on additional details being added in the IEEE 802.11
+      standard
+    - the new implementation is not backwards compatible
+  * improved ACS to cover additional channel types/bandwidths
+  * extended Multiple BSSID support
+  * fix beacon protection with FT protocol (incorrect BIGTK was provided)
+  * support unsynchronized service discovery (USD)
+  * add preliminary support for RADIUS/TLS
+  * add support for explicit SSID protection in 4-way handshake
+    (a mitigation for CVE-2023-52424; disabled by default for now, can be
+    enabled with ssid_protection=1)
+  * fix SAE H2E rejected groups validation to avoid downgrade attacks
+  * use stricter validation for some RADIUS messages
+  * a large number of other fixes, cleanup, and extensions
+- refresh patches:
+    wpa_supplicant-dump-certificate-as-PEM-in-debug-mode.diff
+    wpa_supplicant-sigusr1-changes-debuglevel.patch
+- drop patches:
+    CVE-2023-52160.patch 
+    dbus-Fix-property-DebugShowKeys-and-DebugTimestamp.patch
+
 -------------------------------------------------------------------
 Thu Feb 15 15:48:52 UTC 2024 - Clemens Famulla-Conrad <cfamullaconrad@suse.com>
 

wpa_supplicant.spec

@@ -17,7 +17,7 @@
 
 
 Name:           wpa_supplicant
-Version:        2.10
+Version:        2.11
 Release:        0
 Summary:        WPA supplicant implementation
 License:        BSD-3-Clause AND GPL-2.0-or-later
@@ -38,8 +38,6 @@ Patch1:         wpa_supplicant-flush-debug-output.patch
 Patch2:         wpa_supplicant-sigusr1-changes-debuglevel.patch
 Patch3:         wpa_supplicant-alloc_size.patch
 Patch5:         wpa_supplicant-dump-certificate-as-PEM-in-debug-mode.diff
-Patch6:         dbus-Fix-property-DebugShowKeys-and-DebugTimestamp.patch
-Patch7:         CVE-2023-52160.patch
 BuildRequires:  pkgconfig
 BuildRequires:  readline-devel
 BuildRequires:  systemd-rpm-macros