diff --git a/CVE-2023-52160.patch b/CVE-2023-52160.patch
deleted file mode 100644
index a6639e8..0000000
--- a/CVE-2023-52160.patch
+++ /dev/null
@@ -1,210 +0,0 @@
-From 8e6485a1bcb0baffdea9e55255a81270b768439c Mon Sep 17 00:00:00 2001
-From: Jouni Malinen
-Date: Sat, 8 Jul 2023 19:55:32 +0300
-Subject: PEAP client: Update Phase 2 authentication requirements
-
-The previous PEAP client behavior allowed the server to skip Phase 2
-authentication with the expectation that the server was authenticated
-during Phase 1 through TLS server certificate validation. Various PEAP
-specifications are not exactly clear on what the behavior on this front
-is supposed to be and as such, this ended up being more flexible than
-the TTLS/FAST/TEAP cases. However, this is not really ideal when
-unfortunately common misconfiguration of PEAP is used in deployed
-devices where the server trust root (ca_cert) is not configured or the
-user has an easy option for allowing this validation step to be skipped.
-
-Change the default PEAP client behavior to be to require Phase 2
-authentication to be successfully completed for cases where TLS session
-resumption is not used and the client certificate has not been
-configured. Those two exceptions are the main cases where a deployed
-authentication server might skip Phase 2 and as such, where a more
-strict default behavior could result in undesired interoperability
-issues. Requiring Phase 2 authentication will end up disabling TLS
-session resumption automatically to avoid interoperability issues.
-Allow Phase 2 authentication behavior to be configured with a new phase1
-configuration parameter option:
-'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
-tunnel) behavior for PEAP:
- * 0 = do not require Phase 2 authentication
- * 1 = require Phase 2 authentication when client certificate
- (private_key/client_cert) is no used and TLS session resumption was
- not used (default)
- * 2 = require Phase 2 authentication in all cases
-
-Signed-off-by: Jouni Malinen
---
- src/eap_peer/eap_config.h | 8 ++++++++
- src/eap_peer/eap_peap.c | 40 +++++++++++++++++++++++++++++++++++---
- src/eap_peer/eap_tls_common.c | 6 ++++++
- src/eap_peer/eap_tls_common.h | 5 +++++
- wpa_supplicant/wpa_supplicant.conf | 7 +++++++
- 5 files changed, 63 insertions(+), 3 deletions(-)
-
-diff --git a/src/eap_peer/eap_config.h b/src/eap_peer/eap_config.h
-index 26744ab68..58d5a1359 100644
---- a/src/eap_peer/eap_config.h
-+++ b/src/eap_peer/eap_config.h
-@@ -471,6 +471,14 @@ struct eap_peer_config {
- * 1 = use cryptobinding if server supports it
- * 2 = require cryptobinding
- *
-+ * phase2_auth option can be used to control Phase 2 (i.e., within TLS
-+ * tunnel) behavior for PEAP:
-+ * 0 = do not require Phase 2 authentication
-+ * 1 = require Phase 2 authentication when client certificate
-+ * (private_key/client_cert) is no used and TLS session resumption was
-+ * not used (default)
-+ * 2 = require Phase 2 authentication in all cases
-+ *
- * EAP-WSC (WPS) uses following options: pin=Device_Password and
- * uuid=Device_UUID
- *
-diff --git a/src/eap_peer/eap_peap.c b/src/eap_peer/eap_peap.c
-index 12e30df29..608069719 100644
---- a/src/eap_peer/eap_peap.c
-+++ b/src/eap_peer/eap_peap.c
-@@ -67,6 +67,7 @@ struct eap_peap_data {
- u8 cmk[20];
- int soh; /* Whether IF-TNCCS-SOH (Statement of Health; Microsoft NAP)
- * is enabled. */
-+ enum { NO_AUTH, FOR_INITIAL, ALWAYS } phase2_auth;
- };
-
-
-@@ -114,6 +115,19 @@ static void eap_peap_parse_phase1(struct eap_peap_data *data,
- wpa_printf(MSG_DEBUG, "EAP-PEAP: Require cryptobinding");
- }
-
-+ if (os_strstr(phase1, "phase2_auth=0")) {
-+ data->phase2_auth = NO_AUTH;
-+ wpa_printf(MSG_DEBUG,
-+ "EAP-PEAP: Do not require Phase 2 authentication");
-+ } else if (os_strstr(phase1, "phase2_auth=1")) {
-+ data->phase2_auth = FOR_INITIAL;
-+ wpa_printf(MSG_DEBUG,
-+ "EAP-PEAP: Require Phase 2 authentication for initial connection");
-+ } else if (os_strstr(phase1, "phase2_auth=2")) {
-+ data->phase2_auth = ALWAYS;
-+ wpa_printf(MSG_DEBUG,
-+ "EAP-PEAP: Require Phase 2 authentication for all cases");
-+ }
- #ifdef EAP_TNC
- if (os_strstr(phase1, "tnc=soh2")) {
- data->soh = 2;
-@@ -142,6 +156,7 @@ static void * eap_peap_init(struct eap_sm *sm)
- data->force_peap_version = -1;
- data->peap_outer_success = 2;
- data->crypto_binding = OPTIONAL_BINDING;
-+ data->phase2_auth = FOR_INITIAL;
-
- if (config && config->phase1)
- eap_peap_parse_phase1(data, config->phase1);
-@@ -454,6 +469,20 @@ static int eap_tlv_validate_cryptobinding(struct eap_sm *sm,
- }
-
-
-+static bool peap_phase2_sufficient(struct eap_sm *sm,
-+ struct eap_peap_data *data)
-+{
-+ if ((data->phase2_auth == ALWAYS ||
-+ (data->phase2_auth == FOR_INITIAL &&
-+ !tls_connection_resumed(sm->ssl_ctx, data->ssl.conn) &&
-+ !data->ssl.client_cert_conf) ||
-+ data->phase2_eap_started) &&
-+ !data->phase2_eap_success)
-+ return false;
-+ return true;
-+}
-+
-+
- /**
- * eap_tlv_process - Process a received EAP-TLV message and generate a response
- * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
-@@ -568,6 +597,11 @@ static int eap_tlv_process(struct eap_sm *sm, struct eap_peap_data *data,
- " - force failed Phase 2");
- resp_status = EAP_TLV_RESULT_FAILURE;
- ret->decision = DECISION_FAIL;
-+ } else if (!peap_phase2_sufficient(sm, data)) {
-+ wpa_printf(MSG_INFO,
-+ "EAP-PEAP: Server indicated Phase 2 success, but sufficient Phase 2 authentication has not been completed");
-+ resp_status = EAP_TLV_RESULT_FAILURE;
-+ ret->decision = DECISION_FAIL;
- } else {
- resp_status = EAP_TLV_RESULT_SUCCESS;
- ret->decision = DECISION_UNCOND_SUCC;
-@@ -887,8 +921,7 @@ continue_req:
- /* EAP-Success within TLS tunnel is used to indicate
- * shutdown of the TLS channel. The authentication has
- * been completed. */
-- if (data->phase2_eap_started &&
-- !data->phase2_eap_success) {
-+ if (!peap_phase2_sufficient(sm, data)) {
- wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 "
- "Success used to indicate success, "
- "but Phase 2 EAP was not yet "
-@@ -1199,8 +1232,9 @@ static struct wpabuf * eap_peap_process(struct eap_sm *sm, void *priv,
- static bool eap_peap_has_reauth_data(struct eap_sm *sm, void *priv)
- {
- struct eap_peap_data *data = priv;
-+
- return tls_connection_established(sm->ssl_ctx, data->ssl.conn) &&
-- data->phase2_success;
-+ data->phase2_success && data->phase2_auth != ALWAYS;
- }
-
-
-diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c
-index 6193b4bdb..966cbd6c7 100644
---- a/src/eap_peer/eap_tls_common.c
-+++ b/src/eap_peer/eap_tls_common.c
-@@ -242,6 +242,12 @@ static int eap_tls_params_from_conf(struct eap_sm *sm,
-
- sm->ext_cert_check = !!(params->flags & TLS_CONN_EXT_CERT_CHECK);
-
-+ if (!phase2)
-+ data->client_cert_conf = params->client_cert ||
-+ params->client_cert_blob ||
-+ params->private_key ||
-+ params->private_key_blob;
-+
- return 0;
- }
-
-diff --git a/src/eap_peer/eap_tls_common.h b/src/eap_peer/eap_tls_common.h
-index 9ac00121f..334863413 100644
---- a/src/eap_peer/eap_tls_common.h
-+++ b/src/eap_peer/eap_tls_common.h
-@@ -79,6 +79,11 @@ struct eap_ssl_data {
- * tls_v13 - Whether TLS v1.3 or newer is used
- */
- int tls_v13;
-+
-+ /**
-+ * client_cert_conf: Whether client certificate has been configured
-+ */
-+ bool client_cert_conf;
- };
-
-
-diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
-index f0b82443e..1b09f57d3 100644
---- a/wpa_supplicant/wpa_supplicant.conf
-+++ b/wpa_supplicant/wpa_supplicant.conf
-@@ -1370,6 +1370,13 @@ fast_reauth=1
- # * 0 = do not use cryptobinding (default)
- # * 1 = use cryptobinding if server supports it
- # * 2 = require cryptobinding
-+# 'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
-+# tunnel) behavior for PEAP:
-+# * 0 = do not require Phase 2 authentication
-+# * 1 = require Phase 2 authentication when client certificate
-+# (private_key/client_cert) is no used and TLS session resumption was
-+# not used (default)
-+# * 2 = require Phase 2 authentication in all cases
- # EAP-WSC (WPS) uses following options: pin= or
- # pbc=1.
- #
---
-cgit v1.2.3-18-g5258
-
diff --git a/dbus-Fix-property-DebugShowKeys-and-DebugTimestamp.patch b/dbus-Fix-property-DebugShowKeys-and-DebugTimestamp.patch
deleted file mode 100644
index 4c47707..0000000
--- a/dbus-Fix-property-DebugShowKeys-and-DebugTimestamp.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 903f0848ce7d67c99eb5a2569aa5c31bcd7adbc1 Mon Sep 17 00:00:00 2001
-From: Clemens Famulla-Conrad
-Date: Tue, 5 Jul 2022 13:04:52 +0200
-Subject: [PATCH] dbus: Fix property DebugShowKeys and DebugTimestamp
-
-It is possible to specify -t or -K multiple times. With this the
-value isn't boolean anymore and we hit a assert in libdbus
-function `dbus_message_iter_append_basic()`, which expect 0 or 1
-for DBUS_TYPE_BOOLEAN.
-
-Signed-off-by: Clemens Famulla-Conrad
---
- wpa_supplicant/dbus/dbus_new_handlers.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/wpa_supplicant/dbus/dbus_new_handlers.c b/wpa_supplicant/dbus/dbus_new_handlers.c
-index 0b1002bf1..de82930e8 100644
---- a/wpa_supplicant/dbus/dbus_new_handlers.c
-+++ b/wpa_supplicant/dbus/dbus_new_handlers.c
-@@ -908,8 +908,10 @@ dbus_bool_t wpas_dbus_getter_debug_timestamp(
- const struct wpa_dbus_property_desc *property_desc,
- DBusMessageIter *iter, DBusError *error, void *user_data)
- {
-+ dbus_bool_t b = wpa_debug_timestamp ? TRUE : FALSE;
-+
- return wpas_dbus_simple_property_getter(iter, DBUS_TYPE_BOOLEAN,
-- &wpa_debug_timestamp, error);
-+ &b, error);
-
- }
-
-@@ -927,8 +929,10 @@ dbus_bool_t wpas_dbus_getter_debug_show_keys(
- const struct wpa_dbus_property_desc *property_desc,
- DBusMessageIter *iter, DBusError *error, void *user_data)
- {
-+ dbus_bool_t b = wpa_debug_timestamp ? TRUE : FALSE;
-+
- return wpas_dbus_simple_property_getter(iter, DBUS_TYPE_BOOLEAN,
-- &wpa_debug_show_keys, error);
-+ &b, error);
-
- }
-
---
-2.35.3
-
diff --git a/wpa_supplicant-2.10.tar.gz b/wpa_supplicant-2.10.tar.gz
deleted file mode 100644
index 1c2bd58..0000000
--- a/wpa_supplicant-2.10.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:20df7ae5154b3830355f8ab4269123a87affdea59fe74fe9292a91d0d7e17b2f
-size 3511622
diff --git a/wpa_supplicant-2.11.tar.gz b/wpa_supplicant-2.11.tar.gz
new file mode 100644
index 0000000..032ca92
--- /dev/null
+++ b/wpa_supplicant-2.11.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:912ea06f74e30a8e36fbb68064d6cdff218d8d591db0fc5d75dee6c81ac7fc0a
+size 3841433
diff --git a/wpa_supplicant-dump-certificate-as-PEM-in-debug-mode.diff b/wpa_supplicant-dump-certificate-as-PEM-in-debug-mode.diff
index 74fb70d..503f53c 100644
--- a/wpa_supplicant-dump-certificate-as-PEM-in-debug-mode.diff
+++ b/wpa_supplicant-dump-certificate-as-PEM-in-debug-mode.diff
@@ -4,16 +4,14 @@ Date: Fri, 16 Sep 2011 11:41:16 +0200
Subject: [PATCH] dump certificate as PEM in debug mode
---
- src/crypto/tls_openssl.c | 13 +++++++++++++
- src/utils/wpa_debug.c | 5 +++++
- src/utils/wpa_debug.h | 8 ++++++++
+ src/crypto/tls_openssl.c | 13 +++++++++++++
+ src/utils/wpa_debug.c | 5 +++++
+ src/utils/wpa_debug.h | 8 ++++++++
3 files changed, 26 insertions(+)
-Index: wpa_supplicant-2.10/src/crypto/tls_openssl.c
-===================================================================
---- wpa_supplicant-2.10.orig/src/crypto/tls_openssl.c
-+++ wpa_supplicant-2.10/src/crypto/tls_openssl.c
-@@ -2361,6 +2361,19 @@ static int tls_verify_cb(int preverify_o
+--- a/src/crypto/tls_openssl.c
++++ b/src/crypto/tls_openssl.c
+@@ -2515,6 +2515,19 @@
debug_print_cert(err_cert, buf);
X509_NAME_oneline(X509_get_subject_name(err_cert), buf, sizeof(buf));
@@ -33,11 +31,9 @@ Index: wpa_supplicant-2.10/src/crypto/tls_openssl.c
conn = SSL_get_app_data(ssl);
if (conn == NULL)
return 0;
-Index: wpa_supplicant-2.10/src/utils/wpa_debug.c
-===================================================================
---- wpa_supplicant-2.10.orig/src/utils/wpa_debug.c
-+++ wpa_supplicant-2.10/src/utils/wpa_debug.c
-@@ -66,6 +66,11 @@ static int wpa_to_android_level(int leve
+--- a/src/utils/wpa_debug.c
++++ b/src/utils/wpa_debug.c
+@@ -66,6 +66,11 @@
#endif /* CONFIG_DEBUG_FILE */
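Review bot: The refreshed hunk headers drop the function context the original carried — `-@@ -2361,6 +2361,19 @@ static int tls_verify_cb(int preverify_o` becomes `+@@ -2515,6 +2515,19 @@` — so the patch file no longer shows on its face that the PEM dump is inserted into the OpenSSL certificate verification callback, which is exactly the part a reviewer of a certificate-handling patch wants to locate without opening tls_openssl.c. The same loss applies to the wpa_debug.c and wpa_debug.h hunks that follow and to the refresh of wpa_supplicant-sigusr1-changes-debuglevel.patch. Regenerating the refresh with `QUILT_DIFF_OPTS="-p"` set (or with `git diff`, which emits function context by default) keeps the patch self-describing without changing what it applies.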
@@ -49,11 +45,9 @@ Index: wpa_supplicant-2.10/src/utils/wpa_debug.c
void wpa_debug_print_timestamp(void)
{
#ifndef CONFIG_ANDROID_LOG
-Index: wpa_supplicant-2.10/src/utils/wpa_debug.h
-===================================================================
---- wpa_supplicant-2.10.orig/src/utils/wpa_debug.h
-+++ wpa_supplicant-2.10/src/utils/wpa_debug.h
-@@ -25,6 +25,7 @@ enum {
+--- a/src/utils/wpa_debug.h
++++ b/src/utils/wpa_debug.h
+@@ -25,6 +25,7 @@
#ifdef CONFIG_NO_STDOUT_DEBUG
@@ -61,8 +55,8 @@ Index: wpa_supplicant-2.10/src/utils/wpa_debug.h
#define wpa_debug_print_timestamp() do { } while (0)
#define wpa_printf(args...) do { } while (0)
#define wpa_hexdump(l,t,b,le) do { } while (0)
-@@ -51,6 +52,13 @@ void wpa_debug_close_file(void);
- void wpa_debug_setup_stdout(void);
+@@ -52,6 +53,13 @@
+ void wpa_debug_stop_log(void);
/**
+ * wpa_debug_enabled: check whether given debug level is enabled
diff --git a/wpa_supplicant-sigusr1-changes-debuglevel.patch b/wpa_supplicant-sigusr1-changes-debuglevel.patch
index 8ecdfe9..d0e77e3 100644
--- a/wpa_supplicant-sigusr1-changes-debuglevel.patch
+++ b/wpa_supplicant-sigusr1-changes-debuglevel.patch
@@ -2,11 +2,9 @@
wpa_supplicant/wpa_supplicant.c | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
-Index: wpa_supplicant-2.10/wpa_supplicant/wpa_supplicant.c
-===================================================================
---- wpa_supplicant-2.10.orig/wpa_supplicant/wpa_supplicant.c
-+++ wpa_supplicant-2.10/wpa_supplicant/wpa_supplicant.c
-@@ -121,6 +121,22 @@ const char *const wpa_supplicant_full_li
+--- a/wpa_supplicant/wpa_supplicant.c
++++ b/wpa_supplicant/wpa_supplicant.c
+@@ -123,6 +123,22 @@
"\n";
#endif /* CONFIG_NO_STDOUT_DEBUG */
@@ -28,8 +26,8 @@ Index: wpa_supplicant-2.10/wpa_supplicant/wpa_supplicant.c
+}
static void wpa_bss_tmp_disallow_timeout(void *eloop_ctx, void *timeout_ctx);
- #if defined(CONFIG_FILS) && defined(IEEE8021X_EAPOL)
-@@ -7474,6 +7490,8 @@ int wpa_supplicant_run(struct wpa_global
+ static void wpas_verify_ssid_beacon(void *eloop_ctx, void *timeout_ctx);
+@@ -8189,6 +8205,8 @@
eloop_register_signal_terminate(wpa_supplicant_terminate, global);
eloop_register_signal_reconfig(wpa_supplicant_reconfig, global);
diff --git a/wpa_supplicant.changes b/wpa_supplicant.changes
index 9c80154..fbf4efa 100644
--- a/wpa_supplicant.changes
+++ b/wpa_supplicant.changes
@@ -1,3 +1,49 @@
+-------------------------------------------------------------------
+Wed Sep 11 14:44:58 UTC 2024 - Clemens Famulla-Conrad
+
+- update to v2.11:
+ * Wi-Fi Easy Connect
+ - add support for DPP release 3
+ - allow Configurator parameters to be provided during config exchange
+ * HE/IEEE 802.11ax/Wi-Fi 6
+ - various fixes
+ * EHT/IEEE 802.11be/Wi-Fi 7
+ - add preliminary support
+ * SAE: add support for fetching the password from a RADIUS server
+ * support OpenSSL 3.0 API changes
+ * support background radar detection and CAC with some additional
+ drivers
+ * support RADIUS ACL/PSK check during 4-way handshake (wpa_psk_radius=3)
+ * EAP-SIM/AKA: support IMSI privacy
+ * improve 4-way handshake operations
+ - use Secure=1 in message 3 during PTK rekeying
+ * OCV: do not check Frequency Segment 1 Channel Number for 160 MHz cases
+ to avoid interoperability issues
+ * support new SAE AKM suites with variable length keys
+ * support new AKM for 802.1X/EAP with SHA384
+ * extend PASN support for secure ranging
+ * FT: Use SHA256 to derive PMKID for AKM 00-0F-AC:3 (FT-EAP)
+ - this is based on additional details being added in the IEEE 802.11
+ standard
+ - the new implementation is not backwards compatible
+ * improved ACS to cover additional channel types/bandwidths
+ * extended Multiple BSSID support
+ * fix beacon protection with FT protocol (incorrect BIGTK was provided)
+ * support unsynchronized service discovery (USD)
+ * add preliminary support for RADIUS/TLS
+ * add support for explicit SSID protection in 4-way handshake
+ (a mitigation for CVE-2023-52424; disabled by default for now, can be
+ enabled with ssid_protection=1)
+ * fix SAE H2E rejected groups validation to avoid downgrade attacks
+ * use stricter validation for some RADIUS messages
+ * a large number of other fixes, cleanup, and extensions
+- refresh patches:
+ wpa_supplicant-dump-certificate-as-PEM-in-debug-mode.diff
+ wpa_supplicant-sigusr1-changes-debuglevel.patch
+- drop patches:
+ CVE-2023-52160.patch
+ dbus-Fix-property-DebugShowKeys-and-DebugTimestamp.patch
+
-------------------------------------------------------------------
Thu Feb 15 15:48:52 UTC 2024 - Clemens Famulla-Conrad
diff --git a/wpa_supplicant.spec b/wpa_supplicant.spec
index c4c6a7c..43f4ad3 100644
--- a/wpa_supplicant.spec
+++ b/wpa_supplicant.spec
@@ -17,7 +17,7 @@
Name: wpa_supplicant
-Version: 2.10
+Version: 2.11
Release: 0
Summary: WPA supplicant implementation
License: BSD-3-Clause AND GPL-2.0-or-later
@@ -38,8 +38,6 @@ Patch1: wpa_supplicant-flush-debug-output.patch
Patch2: wpa_supplicant-sigusr1-changes-debuglevel.patch
Patch3: wpa_supplicant-alloc_size.patch
Patch5: wpa_supplicant-dump-certificate-as-PEM-in-debug-mode.diff
-Patch6: dbus-Fix-property-DebugShowKeys-and-DebugTimestamp.patch
-Patch7: CVE-2023-52160.patch
BuildRequires: pkgconfig
BuildRequires: readline-devel
BuildRequires: systemd-rpm-macros