base repository: OpenMandrivaAssociation/wpa_supplicant
base: 404808bf88935b214cc2651b7c69b39c13f35090
head repository: OpenMandrivaAssociation/wpa_supplicant
compare: e6d1f456b227befc888094a961ac87224501ae88
  • 5 commits
  • 15 files changed
  • 3 contributors

Commits on May 7, 2022

  1. 2.10
     mandian committed May 7, 2022 (85feb5d)
  2. fix BRs
     mandian committed May 7, 2022 (1eef0f0)

Commits on Jun 20, 2022

  1. Rebuild for new _unitdir
     berolinux committed Jun 20, 2022 (ce96027)

Commits on Mar 9, 2023

  1. b898c25
  2. e6d1f45 (Verified: this commit was created on GitHub.com and signed with GitHub's verified signature; the key has expired)
2 changes: 1 addition & 1 deletion .abf.yml
@@ -1,2 +1,2 @@
sources:
wpa_supplicant-2.8.tar.gz: 1536ec9689ae718ea76ab0d1716c2a1b3e69f0d4
wpa_supplicant-2.10.tar.gz: e295b07d599da4b99c3836d4402ec5746f77e8e8
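Review bot: the new source entry carries only a 40-hex (SHA-1) digest for wpa_supplicant-2.10.tar.gz, and nothing here records what it was checked against; verify the tarball against upstream's release signature before trusting this digest and note the upstream URL so the provenance is reproducible. Confirm as well that dropping the 2.8 line is intended, since the spec must no longer reference the 2.8 tarball.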
69 changes: 69 additions & 0 deletions 0001-nl80211-add-extra-ies-only-if-allowed-by-driver.patch
@@ -0,0 +1,69 @@
From: David Bauer <mail@david-bauer.net>
Date: Sun, 30 Jan 2022 20:22:00 +0100
Subject: nl80211: add extra-ies only if allowed by driver

Upgrading wpa_supplicant from 2.9 to 2.10 breaks broadcom-wl
based adapters. The reason for it is hostapd tries to install additional
IEs for scanning while the driver does not support this.

The kernel indicates the maximum number of bytes for additional scan IEs
using the NL80211_ATTR_MAX_SCAN_IE_LEN attribute. Save this value and
only add additional scan IEs in case the driver can accommodate these
additional IEs.

Reported-by: Étienne Morice <neon.emorice@mail.com>
Tested-by: Étienne Morice <neon.emorice@mail.com>
Signed-off-by: David Bauer <mail@david-bauer.net>

Bug: http://lists.infradead.org/pipermail/hostap/2022-January/040178.html
Bug-ArchLinux: https://bugs.archlinux.org/task/73495
Bug-Debian: https://bugs.debian.org/1004524
Origin: http://lists.infradead.org/pipermail/hostap/2022-January/040185.html
---
src/drivers/driver.h | 3 +++
src/drivers/driver_nl80211_capa.c | 4 ++++
src/drivers/driver_nl80211_scan.c | 2 +-
3 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/drivers/driver.h b/src/drivers/driver.h
index d3312a3..b5b6264 100644
--- a/src/drivers/driver.h
+++ b/src/drivers/driver.h
@@ -2052,6 +2052,9 @@ struct wpa_driver_capa {
/** Maximum number of iterations in a single scan plan */
u32 max_sched_scan_plan_iterations;

+ /** Maximum number of extra IE bytes for scans */
+ u16 max_scan_ie_len;
+
/** Whether sched_scan (offloaded scanning) is supported */
int sched_scan_supported;

diff --git a/src/drivers/driver_nl80211_capa.c b/src/drivers/driver_nl80211_capa.c
index 83868b7..b33b6ba 100644
--- a/src/drivers/driver_nl80211_capa.c
+++ b/src/drivers/driver_nl80211_capa.c
@@ -885,6 +885,10 @@ static int wiphy_info_handler(struct nl_msg *msg, void *arg)
nla_get_u32(tb[NL80211_ATTR_MAX_SCAN_PLAN_ITERATIONS]);
}

+ if (tb[NL80211_ATTR_MAX_SCAN_IE_LEN])
+ capa->max_scan_ie_len =
+ nla_get_u16(tb[NL80211_ATTR_MAX_SCAN_IE_LEN]);
+
if (tb[NL80211_ATTR_MAX_MATCH_SETS])
capa->max_match_sets =
nla_get_u8(tb[NL80211_ATTR_MAX_MATCH_SETS]);
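Review bot: when NL80211_ATTR_MAX_SCAN_IE_LEN is absent, capa->max_scan_ie_len stays 0 and the scan-side check turns that into "never send extra IEs". That is the intended outcome for the broadcom-wl case in the description, but it applies equally to any wiphy that simply does not advertise the attribute; add a wpa_printf(MSG_DEBUG, ...) in an else branch here so the missing attribute shows up in the log.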
diff --git a/src/drivers/driver_nl80211_scan.c b/src/drivers/driver_nl80211_scan.c
index 1316084..b0f0951 100644
--- a/src/drivers/driver_nl80211_scan.c
+++ b/src/drivers/driver_nl80211_scan.c
@@ -207,7 +207,7 @@ nl80211_scan_common(struct i802_bss *bss, u8 cmd,
wpa_printf(MSG_DEBUG, "nl80211: Passive scan requested");
}

- if (params->extra_ies) {
+ if (params->extra_ies && drv->capa.max_scan_ie_len >= params->extra_ies_len) {
wpa_hexdump(MSG_MSGDUMP, "nl80211: Scan extra IEs",
params->extra_ies, params->extra_ies_len);
if (nla_put(msg, NL80211_ATTR_IE, params->extra_ies_len,
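Review bot: the new condition discards params->extra_ies silently when extra_ies_len exceeds drv->capa.max_scan_ie_len; add an else branch that logs the requested and supported lengths at MSG_DEBUG, otherwise a scan that quietly loses the IEs a caller relies on is hard to diagnose. The rewritten if line also runs past hostap's usual 80-column width; wrap the condition onto a second line.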
56 changes: 56 additions & 0 deletions 0002-AP-guard-FT-SAE-code-with-CONFIG_IEEE80211R_AP.patch
@@ -0,0 +1,56 @@
From: Beniamino Galvani <bgalvani@redhat.com>
Date: Mon, 4 Apr 2022 09:13:12 +0200
Subject: AP: guard FT-SAE code with CONFIG_IEEE80211R_AP

wpa_supplicant doesn't support FT in AP mode, but it still negotiates
FT-SAE. This can lead to an authentication failure when the AP is
started with key_mgmt="SAE FT-SAE" and the STA supports both.

Ensure that FT-SAE is not negotiated when CONFIG_IEEE80211R_AP is not
defined.

Signed-off-by: Beniamino Galvani <bgalvani@redhat.com>
---
src/ap/wpa_auth_ie.c | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/src/ap/wpa_auth_ie.c b/src/ap/wpa_auth_ie.c
index 524922e..d63cbeb 100644
--- a/src/ap/wpa_auth_ie.c
+++ b/src/ap/wpa_auth_ie.c
@@ -228,11 +228,13 @@ int wpa_write_rsn_ie(struct wpa_auth_config *conf, u8 *buf, size_t len,
pos += RSN_SELECTOR_LEN;
num_suites++;
}
+#ifdef CONFIG_IEEE80211R_AP
if (conf->wpa_key_mgmt & WPA_KEY_MGMT_FT_SAE) {
RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_SAE);
pos += RSN_SELECTOR_LEN;
num_suites++;
}
+#endif /* CONFIG_IEEE80211R_AP */
#endif /* CONFIG_SAE */
if (conf->wpa_key_mgmt & WPA_KEY_MGMT_IEEE8021X_SUITE_B) {
RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_802_1X_SUITE_B);
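Review bot: guarding the RSN IE writer stops FT-SAE from being advertised, but conf->wpa_key_mgmt can still carry WPA_KEY_MGMT_FT_SAE from a key_mgmt="SAE FT-SAE" configuration; consider also warning (or clearing the bit) at config parse time when CONFIG_IEEE80211R_AP is not defined, so an operator sees why a configured AKM is missing from the RSN IE instead of it being dropped silently.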
@@ -670,8 +672,10 @@ wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth,
#ifdef CONFIG_SAE
else if (data.key_mgmt & WPA_KEY_MGMT_SAE)
selector = RSN_AUTH_KEY_MGMT_SAE;
+#ifdef CONFIG_IEEE80211R_AP
else if (data.key_mgmt & WPA_KEY_MGMT_FT_SAE)
selector = RSN_AUTH_KEY_MGMT_FT_SAE;
+#endif /* CONFIG_IEEE80211R_AP */
#endif /* CONFIG_SAE */
else if (data.key_mgmt & WPA_KEY_MGMT_IEEE8021X)
selector = RSN_AUTH_KEY_MGMT_UNSPEC_802_1X;
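Review bot: with the FT-SAE branch compiled out, a STA whose RSN IE requests only FT-SAE now falls through to the remaining else-if branches even though data.key_mgmt still has the FT_SAE bit set; check that this fall-through ends in the unsupported-AKM rejection rather than matching a later branch, and that the same holds for the mirrored chain in the following hunk.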
@@ -778,8 +782,10 @@ wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth,
#ifdef CONFIG_SAE
else if (key_mgmt & WPA_KEY_MGMT_SAE)
sm->wpa_key_mgmt = WPA_KEY_MGMT_SAE;
+#ifdef CONFIG_IEEE80211R_AP
else if (key_mgmt & WPA_KEY_MGMT_FT_SAE)
sm->wpa_key_mgmt = WPA_KEY_MGMT_FT_SAE;
+#endif /* CONFIG_IEEE80211R_AP */
#endif /* CONFIG_SAE */
else if (key_mgmt & WPA_KEY_MGMT_IEEE8021X)
sm->wpa_key_mgmt = WPA_KEY_MGMT_IEEE8021X;
52 changes: 52 additions & 0 deletions lower_security_level_for_tls_1.patch
@@ -0,0 +1,52 @@
From bc99366f9b960150aa2e369048bbc2218c1d414e Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Sun, 22 May 2022 17:01:35 +0300
Subject: [PATCH] OpenSSL: Drop security level to 0 with OpenSSL 3.0 when using
TLS 1.0/1.1

Commit 9afb68b03976 ("OpenSSL: Allow systemwide secpolicy overrides for
TLS version") with commit 58bbcfa31b18 ("OpenSSL: Update security level
drop for TLS 1.0/1.1 with OpenSSL 3.0") allow this workaround to be
enabled with an explicit network configuration parameter. However, the
default settings are still allowing TLS 1.0 and 1.1 to be negotiated
just to see them fail immediately when using OpenSSL 3.0. This is not
exactly helpful especially when the OpenSSL error message for this
particular case is "internal error" which does not really say anything
about the reason for the error.

It is a bit inconvenient to update the security policy for this
particular issue based on the negotiated TLS version since that happens
in the middle of processing for the first message from the server.
However, this can be done by using the debug callback for printing out
the received TLS messages during processing.

Drop the OpenSSL security level to 0 if that is the only option to
continue the TLS negotiation, i.e., when TLS 1.0/1.1 are still allowed
in wpa_supplicant default configuration and OpenSSL 3.0 with the
constraint on MD5-SHA1 use.

Signed-off-by: Jouni Malinen <j@w1.fi>
---
src/crypto/tls_openssl.c | 9 +++++++++
1 file changed, 9 insertions(+)

diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 6602ac64f..78621d926 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -1557,6 +1557,15 @@ static void tls_msg_cb(int write_p, int version, int content_type,
struct tls_connection *conn = arg;
const u8 *pos = buf;

+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ if ((SSL_version(ssl) == TLS1_VERSION ||
+ SSL_version(ssl) == TLS1_1_VERSION) &&
+ SSL_get_security_level(ssl) > 0) {
+ wpa_printf(MSG_DEBUG,
+ "OpenSSL: Drop security level to 0 to allow TLS 1.0/1.1 use of MD5-SHA1 signature algorithm");
+ SSL_set_security_level(ssl, 0);
+ }
+#endif /* OpenSSL version >= 3.0 */
if (write_p == 2) {
wpa_printf(MSG_DEBUG,
"OpenSSL: session ver=0x%x content_type=%d",
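Review bot: this lowers the OpenSSL security level to 0 automatically for every TLS 1.0/1.1 handshake, from inside the message callback, so the workaround that 9afb68b03976 and 58bbcfa31b18 made opt-in becomes the default whenever the peer negotiates one of those versions. Level 0 removes all of OpenSSL's minimum-strength checks for that connection, not only the MD5-SHA1 restriction the log line names, so a deployment relying on the system-wide OpenSSL policy no longer gets it. Suggest logging this at MSG_INFO rather than MSG_DEBUG and stating in the package changelog that users who want the stricter policy must disable the old versions per network with phase1="tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1". The SSL_get_security_level(ssl) > 0 guard is what keeps the callback from repeating the change on each message; keep it.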
20 changes: 20 additions & 0 deletions wpa_supplicant-2.10-allow-legacy-renegotiation.patch
@@ -0,0 +1,20 @@
diff -up wpa_supplicant-2.10/src/crypto/tls_openssl.c.legacy-server-connect wpa_supplicant-2.10/src/crypto/tls_openssl.c
--- wpa_supplicant-2.10/src/crypto/tls_openssl.c.legacy-server-connect 2022-01-16 15:51:29.000000000 -0500
+++ wpa_supplicant-2.10/src/crypto/tls_openssl.c 2022-04-28 02:47:26.863529683 -0400
@@ -1049,6 +1049,16 @@
SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv2);
SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv3);

+ /* Many enterprise PEAP server implementations (e.g. used in large
+ corporations and universities) do not support RFC5746 secure
+ renegotiation, and starting with OpenSSL 3.0,
+ SSL_OP_LEGACY_SERVER_CONNECT is no longer set as part of SSL_OP_ALL.
+ So until we implement a way to request SSL_OP_LEGACY_SERVER_CONNECT
+ only in EAP peer mode, just set SSL_OP_LEGACY_SERVER_CONNECT
+ globally. */
+
+ SSL_CTX_set_options(ssl, SSL_OP_LEGACY_SERVER_CONNECT);
+
SSL_CTX_set_mode(ssl, SSL_MODE_AUTO_RETRY);

#ifdef SSL_MODE_NO_AUTO_CHAIN
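Review bot: setting SSL_OP_LEGACY_SERVER_CONNECT on the shared SSL_CTX re-enables initial handshakes with servers that lack RFC 5746 secure renegotiation for every TLS user of this context, not only the EAP peer case the comment motivates, and the comment itself calls this a stopgap. Until a per-network option exists, record the trade-off in the spec changelog so it gets revisited, and give this file a From/Subject/Origin header like the other patches in the series: the `.legacy-server-connect` suffix hints at a downstream origin, but none is recorded.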
49 changes: 49 additions & 0 deletions wpa_supplicant-2.10-flush-debug-output.patch
@@ -0,0 +1,49 @@
--- a/src/utils/wpa_debug.c
+++ b/src/utils/wpa_debug.c
@@ -79,6 +79,7 @@ void wpa_debug_print_timestamp(void)
if (out_file)
fprintf(out_file, "%ld.%06u: ", (long) tv.sec,
(unsigned int) tv.usec);
+ fflush(out_file);
#endif /* CONFIG_DEBUG_FILE */
if (!out_file && !wpa_debug_syslog)
printf("%ld.%06u: ", (long) tv.sec, (unsigned int) tv.usec);
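Review bot: logic problem: the new fflush(out_file) follows a brace-less `if (out_file)` whose body is only the fprintf, so it executes even when out_file is NULL, and the very next line (`if (!out_file && !wpa_debug_syslog)`) shows that case is reachable. fflush(NULL) flushes every open output stream instead of faulting, so this is a behavioural oddity rather than a crash, but either move the fflush inside the if (adding braces) or drop it, since the wpa_printf that follows the timestamp flushes the file anyway.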
@@ -230,6 +231,7 @@ void wpa_printf(int level, const char *f
va_start(ap, fmt);
vfprintf(out_file, fmt, ap);
fprintf(out_file, "\n");
+ fflush(out_file);
va_end(ap);
}
#endif /* CONFIG_DEBUG_FILE */
@@ -365,6 +367,7 @@ static void _wpa_hexdump(int level, cons
fprintf(out_file, " [REMOVED]");
}
fprintf(out_file, "\n");
+ fflush(out_file);
}
#endif /* CONFIG_DEBUG_FILE */
if (!wpa_debug_syslog && !out_file) {
@@ -436,12 +439,14 @@ static void _wpa_hexdump_ascii(int level
fprintf(out_file,
"%s - hexdump_ascii(len=%lu): [REMOVED]\n",
title, (unsigned long) len);
+ fflush(out_file);
goto file_done;
}
if (buf == NULL) {
fprintf(out_file,
"%s - hexdump_ascii(len=%lu): [NULL]\n",
title, (unsigned long) len);
+ fflush(out_file);
goto file_done;
}
fprintf(out_file, "%s - hexdump_ascii(len=%lu):\n",
@@ -463,6 +468,7 @@ static void _wpa_hexdump_ascii(int level
for (i = llen; i < line_len; i++)
fprintf(out_file, " ");
fprintf(out_file, "\n");
+ fflush(out_file);
pos += llen;
len -= llen;
}
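Review bot: this fflush sits inside the per-line loop of _wpa_hexdump_ascii (the `pos += llen; len -= llen;` after it is the loop step), so a large hexdump issues a write per output line; a single fflush after the loop, before file_done, gives the same guarantee that the dump reaches the file with far fewer system calls.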
22 changes: 3 additions & 19 deletions wpa_supplicant-gui-qt4.patch → wpa_supplicant-2.10-gui-qt4.patch
@@ -1,20 +1,7 @@
From 9404f356e394604d1d3d6dbffc52abd54260e4d4 Mon Sep 17 00:00:00 2001
From: Lubomir Rintel <lkundrak@v3.sk>
Date: Tue, 27 Oct 2015 08:56:35 +0100
Subject: [PATCH] wpa_supplicant: allow overriding the names of the Qt4 tools

This is useful for distributions that ship different versions of Qt in
different locations.
---
wpa_supplicant/Makefile | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
index ad9ead9..b19676d 100644
--- a/wpa_supplicant/Makefile
+++ b/wpa_supplicant/Makefile
@@ -11,6 +11,9 @@ export INCDIR ?= /usr/local/include/
export BINDIR ?= /usr/local/sbin/
@@ -35,6 +35,9 @@ export INCDIR ?= /usr/local/include
export BINDIR ?= /usr/local/sbin
PKG_CONFIG ?= pkg-config

+QMAKE ?= qmake
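Review bot: the rebase removes the patch's From/Date/Subject header and description (Lubomir Rintel's "allow overriding the names of the Qt4 tools", 9404f356e394), leaving the rebased file with no record of authorship or intent; keep that header and only update the hunk offsets, as the second half of this hunk already does with `@@ -35,6 +35,9 @@`.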
@@ -23,7 +10,7 @@ index ad9ead9..b19676d 100644
CFLAGS += $(EXTRA_CFLAGS)
CFLAGS += -I$(abspath ../src)
CFLAGS += -I$(abspath ../src/utils)
@@ -1787,10 +1790,10 @@ wpa_gui:
@@ -2042,10 +2045,10 @@ wpa_gui:
@echo "wpa_gui has been removed - see wpa_gui-qt4 for replacement"

wpa_gui-qt4/Makefile:
@@ -36,6 +23,3 @@ index ad9ead9..b19676d 100644

wpa_gui-qt4: wpa_gui-qt4/Makefile wpa_gui-qt4/lang/wpa_gui_de.qm
$(MAKE) -C wpa_gui-qt4
--
2.6.2
