upg wpa_supplicant

wpa_supplicant/0002-AP-guard-FT-SAE-code-with-CONFIG_IEEE80211R_AP.patch

@@ -0,0 +1,56 @@
+From: Beniamino Galvani <bgalvani@redhat.com>
+Date: Mon, 4 Apr 2022 09:13:12 +0200
+Subject: AP: guard FT-SAE code with CONFIG_IEEE80211R_AP
+
+wpa_supplicant doesn't support FT in AP mode, but it still negotiates
+FT-SAE. This can lead to an authentication failure when the AP is
+started with key_mgmt="SAE FT-SAE" and the STA supports both.
+
+Ensure that FT-SAE is not negotiated when CONFIG_IEEE80211R_AP is not
+defined.
+
+Signed-off-by: Beniamino Galvani <bgalvani@redhat.com>
+---
+ src/ap/wpa_auth_ie.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/ap/wpa_auth_ie.c b/src/ap/wpa_auth_ie.c
+index 524922e..d63cbeb 100644
+--- a/src/ap/wpa_auth_ie.c
++++ b/src/ap/wpa_auth_ie.c
+@@ -228,11 +228,13 @@ int wpa_write_rsn_ie(struct wpa_auth_config *conf, u8 *buf, size_t len,
+ 		pos += RSN_SELECTOR_LEN;
+ 		num_suites++;
+ 	}
++#ifdef CONFIG_IEEE80211R_AP
+ 	if (conf->wpa_key_mgmt & WPA_KEY_MGMT_FT_SAE) {
+ 		RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_SAE);
+ 		pos += RSN_SELECTOR_LEN;
+ 		num_suites++;
+ 	}
++#endif /* CONFIG_IEEE80211R_AP */
+ #endif /* CONFIG_SAE */
+ 	if (conf->wpa_key_mgmt & WPA_KEY_MGMT_IEEE8021X_SUITE_B) {
+ 		RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_802_1X_SUITE_B);
+@@ -670,8 +672,10 @@ wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth,
+ #ifdef CONFIG_SAE
+ 		else if (data.key_mgmt & WPA_KEY_MGMT_SAE)
+ 			selector = RSN_AUTH_KEY_MGMT_SAE;
++#ifdef CONFIG_IEEE80211R_AP
+ 		else if (data.key_mgmt & WPA_KEY_MGMT_FT_SAE)
+ 			selector = RSN_AUTH_KEY_MGMT_FT_SAE;
++#endif /* CONFIG_IEEE80211R_AP */
+ #endif /* CONFIG_SAE */
+ 		else if (data.key_mgmt & WPA_KEY_MGMT_IEEE8021X)
+ 			selector = RSN_AUTH_KEY_MGMT_UNSPEC_802_1X;
+@@ -778,8 +782,10 @@ wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth,
+ #ifdef CONFIG_SAE
+ 	else if (key_mgmt & WPA_KEY_MGMT_SAE)
+ 		sm->wpa_key_mgmt = WPA_KEY_MGMT_SAE;
++#ifdef CONFIG_IEEE80211R_AP
+ 	else if (key_mgmt & WPA_KEY_MGMT_FT_SAE)
+ 		sm->wpa_key_mgmt = WPA_KEY_MGMT_FT_SAE;
++#endif /* CONFIG_IEEE80211R_AP */
+ #endif /* CONFIG_SAE */
+ 	else if (key_mgmt & WPA_KEY_MGMT_IEEE8021X)
+ 		sm->wpa_key_mgmt = WPA_KEY_MGMT_IEEE8021X;

wpa_supplicant/PKGBUILD

@@ -7,28 +7,36 @@
 
 pkgname=wpa_supplicant
 pkgver=2.10
-pkgrel=07
+pkgrel=08
 epoch=2
 pkgdesc='A utility providing key negotiation for WPA wireless networks w/o systemd'
 url='https://w1.fi/wpa_supplicant/'
 arch=(x86_64)
-depends=(openssl libdbus readline libnl)
+depends=(openssl libdbus readline libnl pcsclite)
+#options=(debug)   ##  uncomment this line to have the debug pkg produced
 backup=('etc/wpa_supplicant/wpa_supplicant.conf')
-source=( https://w1.fi/releases/${pkgname}-${pkgver}.tar.gz{,.asc}
+source=(https://w1.fi/releases/${pkgname}-${pkgver}.tar.gz{,.asc}
+  wpa_supplicant_config
   wpa_supplicant_tls.patch                        # More permissive TLS fallback
 #  wpa_supplicant_dbus_service_syslog.patch        # Unit improvements from Ubuntu
 #  wpa_supplicant_service_ignore-on-isolate.patch  # More unit improvements from Ubuntu
   wpa_supplicant-legacy-server-connect.patch
   lower_security_level_for_tls_1.patch
-  wpa_supplicant_config
-  add_extra-ies_only_if_allowed_by_driver.patch
+  disable-eapol-werror.patch
+  0001-nl80211-add-extra-ies-only-if-allowed-by-driver.patch
+  0002-AP-guard-FT-SAE-code-with-CONFIG_IEEE80211R_AP.patch
 )
 
 prepare() {
   cd $pkgname-$pkgver
-  patch -p1 -i ../wpa_supplicant_tls.patch                        # More permissive TLS fallback
-#  patch -p1 -i ../wpa_supplicant_dbus_service_syslog.patch        # Unit improvements from Ubuntu
-#  patch -p1 -i ../wpa_supplicant_service_ignore-on-isolate.patch  # More unit improvements from Ubuntu
+  # More permissive TLS fallback
+  patch -Np1 -i ../wpa_supplicant_tls.patch
+
+#  # Unit improvements from Ubuntu
+#  patch -Np1 -i ../wpa_supplicant_dbus_service_syslog.patch
+
+#  # More unit improvements from Ubuntu
+#  patch -Np1 -i ../wpa_supplicant_service_ignore-on-isolate.patch
   # https://bugzilla.redhat.com/show_bug.cgi?id=2072070#c24
   patch -Np1 -i ../wpa_supplicant-legacy-server-connect.patch
 
@@ -36,11 +44,16 @@ prepare() {
   # https://bugs.archlinux.org/task/76474
   patch -Np1 -i ../lower_security_level_for_tls_1.patch
 
-  # http://lists.infradead.org/pipermail/hostap/2022-January/040178.html
-  patch -Np1 -i ../add_extra-ies_only_if_allowed_by_driver.patch
+  # https://salsa.debian.org/debian/wpa/-/commit/13e1d28e4f987a220c546df94df86bb9b2371874
+  patch -Np1 -i ../disable-eapol-werror.patch
 
-  cd $pkgname
-  cp "$srcdir/wpa_supplicant_config" ./.config
+  # http://lists.infradead.org/pipermail/hostap/2022-January/040178.html
+  patch -Np1 -i ../0001-nl80211-add-extra-ies-only-if-allowed-by-driver.patch
+
+  # https://lists.infradead.org/pipermail/hostap/2022-April/040352.html
+  patch -Np1 -i ../0002-AP-guard-FT-SAE-code-with-CONFIG_IEEE80211R_AP.patch
+
+  cp ../wpa_supplicant_config $pkgname/.config
 }
 
 build() {
@@ -59,7 +72,6 @@ package() {
 
   install -dm755 "$pkgdir/etc/wpa_supplicant"
   install -Dm644 wpa_supplicant.conf -t "$pkgdir/usr/share/doc/wpa_supplicant"
-  install -Dm644 wpa_supplicant.conf "$pkgdir/etc/wpa_supplicant/wpa_supplicant.conf.pacnew"
 
 #  install -Dm644 dbus/fi.w1.wpa_supplicant1.service \
 #    -t "$pkgdir/usr/share/dbus-1/system-services"
@@ -77,16 +89,15 @@ package() {
 
 license=(GPL)
 
-validpgpkeys=('EC4AA0A991A5F2464582D52D2B6EF432EFC895FA') # Jouni Malinen
+validpgpkeys=(EC4AA0A991A5F2464582D52D2B6EF432EFC895FA) # Jouni Malinen
 
 sha256sums=(20df7ae5154b3830355f8ab4269123a87affdea59fe74fe9292a91d0d7e17b2f  # wpa_supplicant-2.10.tar.gz
 	5512ef486877b231fe4eef3240c2aec9bfb671c1fe2ceb4e5d9ac1f17caddfac  # wpa_supplicant-2.10.tar.gz.asc
+	1e32af4a1a147ee75358fd0b5636fb41332a7b91ec7a904292178256f735e9d2  # wpa_supplicant_config
 	08915b040d03a3e07cdc8ea6c76b497e00059e01ce85b67413dfe41d4fc68992  # wpa_supplicant_tls.patch
-#	60f6a1cf2e124813dfce1da78ee1818e2ff5236aafa4113c7ae3b3f2a0b84006  # wpa_supplicant_dbus_service_syslog.patch
-#	d42bdbf3d4980b9f0a819612df0c39843c7e96c8afcb103aa656c824f93790b0  # wpa_supplicant_service_ignore-on-isolate.patch
 	8fba11e4a5056d9e710707ded93341f61fdfef6c64ced992e3936cbd2d41a011  # wpa_supplicant-legacy-server-connect.patch
 	c3c0fb363f734c1512d24fd749b3ff7515f961b27bfadd04c128434b5c9f4a93  # lower_security_level_for_tls_1.patch
-	89dc439b958574e9231c58bea6c83faec469909c9f84476bfc83fa35b3e97bd1  # wpa_supplicant_config
-	aaedf87f1530d4e6cb00bf7981d1f868409ed892cc41b83c5613019e7b51f380) # add_extra-ies_only_if_allowed_by_driver.patch
-
+	9aca193cc26682765467cf9131240e5de71f9b49a765a934284da5e308ea904e  # disable-eapol-werror.patch
+	7901d42eda48f82106901cbeb5e7be39025c878d5085a0a0d54ccbe36c3ecef4  # 0001-nl80211-add-extra-ies-only-if-allowed-by-driver.patch
+	24e844b0a08fe3fede1676cedfe29643375ae56ab1a5fe4f5783765a7b759c15) # 0002-AP-guard-FT-SAE-code-with-CONFIG_IEEE80211R_AP.patch
 

wpa_supplicant/PKGBUILD-arch

@@ -5,34 +5,39 @@
 
 pkgname=wpa_supplicant
 pkgver=2.10
-pkgrel=7
+pkgrel=8
 epoch=2
 pkgdesc='A utility providing key negotiation for WPA wireless networks'
 url='https://w1.fi/wpa_supplicant/'
 arch=(x86_64)
 license=(GPL)
-depends=(openssl libdbus readline libnl)
+depends=(openssl libdbus readline libnl pcsclite)
+options=(debug)
 install=wpa_supplicant.install
 source=(
   https://w1.fi/releases/${pkgname}-${pkgver}.tar.gz{,.asc}
+  wpa_supplicant_config
   wpa_supplicant_tls.patch
   wpa_supplicant_dbus_service_syslog.patch
   wpa_supplicant_service_ignore-on-isolate.patch
   wpa_supplicant-legacy-server-connect.patch
   lower_security_level_for_tls_1.patch
-  wpa_supplicant_config
-  add_extra-ies_only_if_allowed_by_driver.patch
+  disable-eapol-werror.patch
+  0001-nl80211-add-extra-ies-only-if-allowed-by-driver.patch
+  0002-AP-guard-FT-SAE-code-with-CONFIG_IEEE80211R_AP.patch
 )
 validpgpkeys=('EC4AA0A991A5F2464582D52D2B6EF432EFC895FA') # Jouni Malinen
 sha256sums=('20df7ae5154b3830355f8ab4269123a87affdea59fe74fe9292a91d0d7e17b2f'
             'SKIP'
+            '1e32af4a1a147ee75358fd0b5636fb41332a7b91ec7a904292178256f735e9d2'
             '08915b040d03a3e07cdc8ea6c76b497e00059e01ce85b67413dfe41d4fc68992'
             '60f6a1cf2e124813dfce1da78ee1818e2ff5236aafa4113c7ae3b3f2a0b84006'
             'd42bdbf3d4980b9f0a819612df0c39843c7e96c8afcb103aa656c824f93790b0'
             '8fba11e4a5056d9e710707ded93341f61fdfef6c64ced992e3936cbd2d41a011'
             'c3c0fb363f734c1512d24fd749b3ff7515f961b27bfadd04c128434b5c9f4a93'
-            '89dc439b958574e9231c58bea6c83faec469909c9f84476bfc83fa35b3e97bd1'
-            'aaedf87f1530d4e6cb00bf7981d1f868409ed892cc41b83c5613019e7b51f380')
+            '9aca193cc26682765467cf9131240e5de71f9b49a765a934284da5e308ea904e'
+            '7901d42eda48f82106901cbeb5e7be39025c878d5085a0a0d54ccbe36c3ecef4'
+            '24e844b0a08fe3fede1676cedfe29643375ae56ab1a5fe4f5783765a7b759c15')
 
 prepare() {
   cd $pkgname-$pkgver
@@ -53,11 +58,16 @@ prepare() {
   # https://bugs.archlinux.org/task/76474
   patch -Np1 -i ../lower_security_level_for_tls_1.patch
 
-  # http://lists.infradead.org/pipermail/hostap/2022-January/040178.html
-  patch -Np1 -i ../add_extra-ies_only_if_allowed_by_driver.patch
+  # https://salsa.debian.org/debian/wpa/-/commit/13e1d28e4f987a220c546df94df86bb9b2371874
+  patch -Np1 -i ../disable-eapol-werror.patch
 
-  cd $pkgname
-  cp "$srcdir/wpa_supplicant_config" ./.config
+  # http://lists.infradead.org/pipermail/hostap/2022-January/040178.html
+  patch -Np1 -i ../0001-nl80211-add-extra-ies-only-if-allowed-by-driver.patch
+
+  # https://lists.infradead.org/pipermail/hostap/2022-April/040352.html
+  patch -Np1 -i ../0002-AP-guard-FT-SAE-code-with-CONFIG_IEEE80211R_AP.patch
+
+  cp ../wpa_supplicant_config $pkgname/.config
 }
 
 build() {

wpa_supplicant/deps

@@ -1,2 +1,3 @@
 
 
+pcsclite

wpa_supplicant/disable-eapol-werror.patch

@@ -0,0 +1,25 @@
+From: Andrej Shadura <andrew.shadura@collabora.co.uk>
+Date: Fri, 12 Feb 2021 14:28:19 +0100
+Subject: Disable -Werror for eapol_test
+
+This may make sense for the upstream, but we just want to build
+the tool to be useful to our users; dealing with build errors due
+to issues normally manifesting themselves as warnings is burdening
+for Debian and its downstreams.
+---
+ wpa_supplicant/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
+index cb66def..26b0c93 100644
+--- a/wpa_supplicant/Makefile
++++ b/wpa_supplicant/Makefile
+@@ -170,7 +170,7 @@ CFLAGS += -DCONFIG_ELOOP_KQUEUE
+ endif
+ 
+ ifdef CONFIG_EAPOL_TEST
+-CFLAGS += -Werror -DEAPOL_TEST
++CFLAGS += -DEAPOL_TEST
+ endif
+ 
+ ifdef CONFIG_CODE_COVERAGE

wpa_supplicant/sums

@@ -1 +1,9 @@
-sha256sum {wpa_supp*gz*,00*,CVE*,tls*,roam*,config} >>PKGBUILD
+wpa_supplicant-2.10.tar.gz
+wpa_supplicant-2.10.tar.gz.asc
+wpa_supplicant_config
+wpa_supplicant_tls.patch
+wpa_supplicant-legacy-server-connect.patch
+lower_security_level_for_tls_1.patch
+disable-eapol-werror.patch
+0001-nl80211-add-extra-ies-only-if-allowed-by-driver.patch
+0002-AP-guard-FT-SAE-code-with-CONFIG_IEEE80211R_AP.patch

wpa_supplicant/wpa_supplicant_config

@@ -1,4 +1,4 @@
-# Example wpa_supplicant build time configuration
+# Arch Linux wpa_supplicant build time configuration
 #
 # This file lists the configuration options that are used when building the
 # wpa_supplicant binary. All lines starting with # are ignored. Configuration
@@ -195,7 +195,7 @@ CONFIG_SMARTCARD=y
 
 # PC/SC interface for smartcards (USIM, GSM SIM)
 # Enable this if EAP-SIM or EAP-AKA is included
-#CONFIG_PCSC=y
+CONFIG_PCSC=y
 
 # Support HT overrides (disable HT/HT40, mask MCS rates, etc.)
 CONFIG_HT_OVERRIDES=y
@@ -204,7 +204,7 @@ CONFIG_HT_OVERRIDES=y
 CONFIG_VHT_OVERRIDES=y
 
 # Development testing
-#CONFIG_EAPOL_TEST=y
+CONFIG_EAPOL_TEST=y
 
 # Select control interface backend for external programs, e.g, wpa_cli:
 # unix = UNIX domain sockets (default for Linux/*BSD)
@@ -311,7 +311,7 @@ CONFIG_L2_PACKET=linux
 #CONFIG_NO_LINUX_PACKET_SOCKET_WAR=y
 
 # Support Operating Channel Validation
-#CONFIG_OCV=y
+CONFIG_OCV=y
 
 # Select TLS implementation
 # openssl = OpenSSL (default)
@@ -337,7 +337,6 @@ CONFIG_TLSV12=y
 
 # Select which ciphers to use by default with OpenSSL if the user does not
 # specify them.
-#CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW"
 CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT@SECLEVEL=1"
 
 # If CONFIG_TLS=internal is used, additional library and include paths are
@@ -570,12 +569,12 @@ CONFIG_FST=y
 CONFIG_ACS=y
 
 # Support Multi Band Operation
-#CONFIG_MBO=y
+CONFIG_MBO=y
 
 # Fast Initial Link Setup (FILS) (IEEE 802.11ai)
-#CONFIG_FILS=y
+CONFIG_FILS=y
 # FILS shared key authentication with PFS
-#CONFIG_FILS_SK_PFS=y
+CONFIG_FILS_SK_PFS=y
 
 # Support RSN on IBSS networks
 # This is needed to be able to use mode=1 network profile with proto=RSN and
@@ -634,4 +633,17 @@ CONFIG_DPP2=y
 # design is still subject to change. As such, this should not yet be enabled in
 # production use.
 #CONFIG_PASN=y
+
+# WPA3-Enterprise (SuiteB-192)
+CONFIG_SUITEB=y
+
+CONFIG_SUITEB192=y
+
+# Driver support is also needed for IEEE 802.11w.
+CONFIG_IEEE80211W=y
+
+# IEEE 802.11n (High Throughput) support (mainly for AP mode)
+CONFIG_IEEE80211N=y
+
+# Used by eapol_test only, see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985912
 CONFIG_IPV6=y