From 2b1080c86d09096eee417741f28bf6aa412e7fe1 Mon Sep 17 00:00:00 2001
From: Joe Bo Run
Date: Sun, 18 Dec 2022 01:45:14 +0200
Subject: [PATCH] upg wpa_supplicant
---
 ...T-SAE-code-with-CONFIG_IEEE80211R_AP.patch | 56 +++++++++++++++++++
 wpa_supplicant/PKGBUILD | 49 +++++++++-------
 wpa_supplicant/PKGBUILD-arch | 30 ++++++----
 wpa_supplicant/deps | 1 +
 wpa_supplicant/disable-eapol-werror.patch | 25 +++++++++
 wpa_supplicant/sums | 10 +++-
 wpa_supplicant/wpa_supplicant_config | 28 +++++++---
 7 files changed, 161 insertions(+), 38 deletions(-)
 create mode 100644 wpa_supplicant/0002-AP-guard-FT-SAE-code-with-CONFIG_IEEE80211R_AP.patch
 create mode 100644 wpa_supplicant/disable-eapol-werror.patch
diff --git a/wpa_supplicant/0002-AP-guard-FT-SAE-code-with-CONFIG_IEEE80211R_AP.patch b/wpa_supplicant/0002-AP-guard-FT-SAE-code-with-CONFIG_IEEE80211R_AP.patch
new file mode 100644
index 0000000..6509bcd
--- /dev/null
+++ b/wpa_supplicant/0002-AP-guard-FT-SAE-code-with-CONFIG_IEEE80211R_AP.patch
@@ -0,0 +1,56 @@
+From: Beniamino Galvani
+Date: Mon, 4 Apr 2022 09:13:12 +0200
+Subject: AP: guard FT-SAE code with CONFIG_IEEE80211R_AP
+
+wpa_supplicant doesn't support FT in AP mode, but it still negotiates
+FT-SAE. This can lead to an authentication failure when the AP is
+started with key_mgmt="SAE FT-SAE" and the STA supports both.
+
+Ensure that FT-SAE is not negotiated when CONFIG_IEEE80211R_AP is not
+defined.
+
+Signed-off-by: Beniamino Galvani
+---
+ src/ap/wpa_auth_ie.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/ap/wpa_auth_ie.c b/src/ap/wpa_auth_ie.c
+index 524922e..d63cbeb 100644
+--- a/src/ap/wpa_auth_ie.c
++++ b/src/ap/wpa_auth_ie.c
+@@ -228,11 +228,13 @@ int wpa_write_rsn_ie(struct wpa_auth_config *conf, u8 *buf, size_t len,
+ pos += RSN_SELECTOR_LEN;
+ num_suites++;
+ }
++#ifdef CONFIG_IEEE80211R_AP
+ if (conf->wpa_key_mgmt & WPA_KEY_MGMT_FT_SAE) {
+ RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_SAE);
+ pos += RSN_SELECTOR_LEN;
+ num_suites++;
+ }
++#endif /* CONFIG_IEEE80211R_AP */
+ #endif /* CONFIG_SAE */
+ if (conf->wpa_key_mgmt & WPA_KEY_MGMT_IEEE8021X_SUITE_B) {
+ RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_802_1X_SUITE_B);
+@@ -670,8 +672,10 @@ wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth,
+ #ifdef CONFIG_SAE
+ else if (data.key_mgmt & WPA_KEY_MGMT_SAE)
+ selector = RSN_AUTH_KEY_MGMT_SAE;
++#ifdef CONFIG_IEEE80211R_AP
+ else if (data.key_mgmt & WPA_KEY_MGMT_FT_SAE)
+ selector = RSN_AUTH_KEY_MGMT_FT_SAE;
++#endif /* CONFIG_IEEE80211R_AP */
+ #endif /* CONFIG_SAE */
+ else if (data.key_mgmt & WPA_KEY_MGMT_IEEE8021X)
+ selector = RSN_AUTH_KEY_MGMT_UNSPEC_802_1X;
+@@ -778,8 +782,10 @@ wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth,
+ #ifdef CONFIG_SAE
+ else if (key_mgmt & WPA_KEY_MGMT_SAE)
+ sm->wpa_key_mgmt = WPA_KEY_MGMT_SAE;
++#ifdef CONFIG_IEEE80211R_AP
+ else if (key_mgmt & WPA_KEY_MGMT_FT_SAE)
+ sm->wpa_key_mgmt = WPA_KEY_MGMT_FT_SAE;
++#endif /* CONFIG_IEEE80211R_AP */
+ #endif /* CONFIG_SAE */
+ else if (key_mgmt & WPA_KEY_MGMT_IEEE8021X)
+ sm->wpa_key_mgmt = WPA_KEY_MGMT_IEEE8021X;
diff --git a/wpa_supplicant/PKGBUILD b/wpa_supplicant/PKGBUILD
index 9af94d7..897b8ec 100644
--- a/wpa_supplicant/PKGBUILD
+++ b/wpa_supplicant/PKGBUILD
@@ -7,28 +7,36 @@ pkgname=wpa_supplicant pkgver=2.10 -pkgrel=07 +pkgrel=08 epoch=2 pkgdesc='A utility providing key negotiation for WPA wireless networks w/o systemd' url='https://w1.fi/wpa_supplicant/' arch=(x86_64) -depends=(openssl libdbus readline libnl) +depends=(openssl libdbus readline libnl pcsclite) +#options=(debug) ## uncomment this line to have the debug pkg produced backup=('etc/wpa_supplicant/wpa_supplicant.conf') -source=( https://w1.fi/releases/${pkgname}-${pkgver}.tar.gz{,.asc} +source=(https://w1.fi/releases/${pkgname}-${pkgver}.tar.gz{,.asc} + wpa_supplicant_config wpa_supplicant_tls.patch # More permissive TLS fallback # wpa_supplicant_dbus_service_syslog.patch # Unit improvements from Ubuntu # wpa_supplicant_service_ignore-on-isolate.patch # More unit improvements from Ubuntu wpa_supplicant-legacy-server-connect.patch lower_security_level_for_tls_1.patch - wpa_supplicant_config - add_extra-ies_only_if_allowed_by_driver.patch + disable-eapol-werror.patch + 0001-nl80211-add-extra-ies-only-if-allowed-by-driver.patch + 0002-AP-guard-FT-SAE-code-with-CONFIG_IEEE80211R_AP.patch ) prepare() { cd $pkgname-$pkgver - patch -p1 -i ../wpa_supplicant_tls.patch # More permissive TLS fallback -# patch -p1 -i ../wpa_supplicant_dbus_service_syslog.patch # Unit improvements from Ubuntu -# patch -p1 -i ../wpa_supplicant_service_ignore-on-isolate.patch # More unit improvements from Ubuntu + # More permissive TLS fallback + patch -Np1 -i ../wpa_supplicant_tls.patch + +# # Unit improvements from Ubuntu +# patch -Np1 -i ../wpa_supplicant_dbus_service_syslog.patch + +# # More unit improvements from Ubuntu +# patch -Np1 -i ../wpa_supplicant_service_ignore-on-isolate.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2072070#c24 patch -Np1 -i ../wpa_supplicant-legacy-server-connect.patch 
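Review bot: As rendered here, the two Ubuntu unit-patch invocations added under prepare() — `+  patch -Np1 -i ../wpa_supplicant_dbus_service_syslog.patch` and the matching ignore-on-isolate line — carry no leading `#`, while only their header comments are commented out and their `source=()` entries remain commented. If that is the file's actual content, prepare() aborts on the first of them because neither patch file is fetched into $srcdir; for this "w/o systemd" variant the old state is presumably what was intended, i.e. `#  patch -Np1 -i ../wpa_supplicant_dbus_service_syslog.patch` and `#  patch -Np1 -i ../wpa_supplicant_service_ignore-on-isolate.patch`. If the `#` was only lost in rendering, nothing needs to change. prepare() continues past the end of this hunk.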
@@ -36,11 +44,16 @@ prepare() { # https://bugs.archlinux.org/task/76474 patch -Np1 -i ../lower_security_level_for_tls_1.patch - # http://lists.infradead.org/pipermail/hostap/2022-January/040178.html - patch -Np1 -i ../add_extra-ies_only_if_allowed_by_driver.patch + # https://salsa.debian.org/debian/wpa/-/commit/13e1d28e4f987a220c546df94df86bb9b2371874 + patch -Np1 -i ../disable-eapol-werror.patch - cd $pkgname - cp "$srcdir/wpa_supplicant_config" ./.config + # http://lists.infradead.org/pipermail/hostap/2022-January/040178.html + patch -Np1 -i ../0001-nl80211-add-extra-ies-only-if-allowed-by-driver.patch + + # https://lists.infradead.org/pipermail/hostap/2022-April/040352.html + patch -Np1 -i ../0002-AP-guard-FT-SAE-code-with-CONFIG_IEEE80211R_AP.patch + + cp ../wpa_supplicant_config $pkgname/.config } build() { @@ -59,7 +72,6 @@ package() { install -dm755 "$pkgdir/etc/wpa_supplicant" install -Dm644 wpa_supplicant.conf -t "$pkgdir/usr/share/doc/wpa_supplicant" - install -Dm644 wpa_supplicant.conf "$pkgdir/etc/wpa_supplicant/wpa_supplicant.conf.pacnew" # install -Dm644 dbus/fi.w1.wpa_supplicant1.service \ # -t "$pkgdir/usr/share/dbus-1/system-services" 
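Review bot: The three new `patch -Np1 -i` invocations here (and the same ones in the PKGBUILD-arch prepare() hunk, `@@ -53,11 +58,16 @@`) rely on patch's default fuzz, so on the next pkgver bump a hunk of one of the TLS-related patches can land a few lines away from its intended spot and still report success; the sha256 pins protect the inputs, not the placement. Passing `-F0` turns a displaced hunk into a hard build failure, e.g. `patch -Np1 -F0 -i ../disable-eapol-werror.patch`. prepare() starts before this hunk.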
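Review bot: With the `install -Dm644 wpa_supplicant.conf "$pkgdir/etc/wpa_supplicant/wpa_supplicant.conf.pacnew"` line removed, the only copy of the example config left in this hunk goes to /usr/share/doc, yet the unchanged `backup=('etc/wpa_supplicant/wpa_supplicant.conf')` in the first hunk still names a file under /etc that the package, as far as these lines show, no longer ships; `install -dm755` only creates the empty directory. Either drop the backup entry or install the example as `install -Dm644 wpa_supplicant.conf -t "$pkgdir/etc/wpa_supplicant"` so the backup entry protects a real file on upgrade. package() continues outside the hunk, so a later install line may already cover this.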
@@ -77,16 +89,15 @@ package() { license=(GPL) -validpgpkeys=('EC4AA0A991A5F2464582D52D2B6EF432EFC895FA') # Jouni Malinen +validpgpkeys=(EC4AA0A991A5F2464582D52D2B6EF432EFC895FA) # Jouni Malinen sha256sums=(20df7ae5154b3830355f8ab4269123a87affdea59fe74fe9292a91d0d7e17b2f # wpa_supplicant-2.10.tar.gz 5512ef486877b231fe4eef3240c2aec9bfb671c1fe2ceb4e5d9ac1f17caddfac # wpa_supplicant-2.10.tar.gz.asc + 1e32af4a1a147ee75358fd0b5636fb41332a7b91ec7a904292178256f735e9d2 # wpa_supplicant_config 08915b040d03a3e07cdc8ea6c76b497e00059e01ce85b67413dfe41d4fc68992 # wpa_supplicant_tls.patch -# 60f6a1cf2e124813dfce1da78ee1818e2ff5236aafa4113c7ae3b3f2a0b84006 # wpa_supplicant_dbus_service_syslog.patch -# d42bdbf3d4980b9f0a819612df0c39843c7e96c8afcb103aa656c824f93790b0 # wpa_supplicant_service_ignore-on-isolate.patch 8fba11e4a5056d9e710707ded93341f61fdfef6c64ced992e3936cbd2d41a011 # wpa_supplicant-legacy-server-connect.patch c3c0fb363f734c1512d24fd749b3ff7515f961b27bfadd04c128434b5c9f4a93 # lower_security_level_for_tls_1.patch - 89dc439b958574e9231c58bea6c83faec469909c9f84476bfc83fa35b3e97bd1 # wpa_supplicant_config - aaedf87f1530d4e6cb00bf7981d1f868409ed892cc41b83c5613019e7b51f380) # add_extra-ies_only_if_allowed_by_driver.patch - + 9aca193cc26682765467cf9131240e5de71f9b49a765a934284da5e308ea904e # disable-eapol-werror.patch + 7901d42eda48f82106901cbeb5e7be39025c878d5085a0a0d54ccbe36c3ecef4 # 0001-nl80211-add-extra-ies-only-if-allowed-by-driver.patch + 24e844b0a08fe3fede1676cedfe29643375ae56ab1a5fe4f5783765a7b759c15) # 0002-AP-guard-FT-SAE-code-with-CONFIG_IEEE80211R_AP.patch diff --git a/wpa_supplicant/PKGBUILD-arch b/wpa_supplicant/PKGBUILD-arch index 51999a7..cacde59 100644 --- a/wpa_supplicant/PKGBUILD-arch +++ b/wpa_supplicant/PKGBUILD-arch 
@@ -5,34 +5,39 @@ pkgname=wpa_supplicant pkgver=2.10 -pkgrel=7 +pkgrel=8 epoch=2 pkgdesc='A utility providing key negotiation for WPA wireless networks' url='https://w1.fi/wpa_supplicant/' arch=(x86_64) license=(GPL) -depends=(openssl libdbus readline libnl) +depends=(openssl libdbus readline libnl pcsclite) +options=(debug) install=wpa_supplicant.install source=( https://w1.fi/releases/${pkgname}-${pkgver}.tar.gz{,.asc} + wpa_supplicant_config wpa_supplicant_tls.patch wpa_supplicant_dbus_service_syslog.patch wpa_supplicant_service_ignore-on-isolate.patch wpa_supplicant-legacy-server-connect.patch lower_security_level_for_tls_1.patch - wpa_supplicant_config - add_extra-ies_only_if_allowed_by_driver.patch + disable-eapol-werror.patch + 0001-nl80211-add-extra-ies-only-if-allowed-by-driver.patch + 0002-AP-guard-FT-SAE-code-with-CONFIG_IEEE80211R_AP.patch ) validpgpkeys=('EC4AA0A991A5F2464582D52D2B6EF432EFC895FA') # Jouni Malinen sha256sums=('20df7ae5154b3830355f8ab4269123a87affdea59fe74fe9292a91d0d7e17b2f' 'SKIP' + '1e32af4a1a147ee75358fd0b5636fb41332a7b91ec7a904292178256f735e9d2' '08915b040d03a3e07cdc8ea6c76b497e00059e01ce85b67413dfe41d4fc68992' '60f6a1cf2e124813dfce1da78ee1818e2ff5236aafa4113c7ae3b3f2a0b84006' 'd42bdbf3d4980b9f0a819612df0c39843c7e96c8afcb103aa656c824f93790b0' '8fba11e4a5056d9e710707ded93341f61fdfef6c64ced992e3936cbd2d41a011' 'c3c0fb363f734c1512d24fd749b3ff7515f961b27bfadd04c128434b5c9f4a93' - '89dc439b958574e9231c58bea6c83faec469909c9f84476bfc83fa35b3e97bd1' - 'aaedf87f1530d4e6cb00bf7981d1f868409ed892cc41b83c5613019e7b51f380') + '9aca193cc26682765467cf9131240e5de71f9b49a765a934284da5e308ea904e' + '7901d42eda48f82106901cbeb5e7be39025c878d5085a0a0d54ccbe36c3ecef4' + '24e844b0a08fe3fede1676cedfe29643375ae56ab1a5fe4f5783765a7b759c15') prepare() { cd $pkgname-$pkgver 
@@ -53,11 +58,16 @@ prepare() { # https://bugs.archlinux.org/task/76474 patch -Np1 -i ../lower_security_level_for_tls_1.patch - # http://lists.infradead.org/pipermail/hostap/2022-January/040178.html - patch -Np1 -i ../add_extra-ies_only_if_allowed_by_driver.patch + # https://salsa.debian.org/debian/wpa/-/commit/13e1d28e4f987a220c546df94df86bb9b2371874 + patch -Np1 -i ../disable-eapol-werror.patch - cd $pkgname - cp "$srcdir/wpa_supplicant_config" ./.config + # http://lists.infradead.org/pipermail/hostap/2022-January/040178.html + patch -Np1 -i ../0001-nl80211-add-extra-ies-only-if-allowed-by-driver.patch + + # https://lists.infradead.org/pipermail/hostap/2022-April/040352.html + patch -Np1 -i ../0002-AP-guard-FT-SAE-code-with-CONFIG_IEEE80211R_AP.patch + + cp ../wpa_supplicant_config $pkgname/.config } build() { diff --git a/wpa_supplicant/deps b/wpa_supplicant/deps index 139597f..819d633 100644 --- a/wpa_supplicant/deps +++ b/wpa_supplicant/deps @@ -1,2 +1,3 @@ +pcsclite diff --git a/wpa_supplicant/disable-eapol-werror.patch b/wpa_supplicant/disable-eapol-werror.patch new file mode 100644 index 0000000..3a2163a --- /dev/null +++ b/wpa_supplicant/disable-eapol-werror.patch @@ -0,0 +1,25 @@ +From: Andrej Shadura +Date: Fri, 12 Feb 2021 14:28:19 +0100 +Subject: Disable -Werror for eapol_test + +This may make sense for the upstream, but we just want to build +the tool to be useful to our users; dealing with build errors due +to issues normally manifesting themselves as warnings is burdening +for Debian and its downstreams. +--- + wpa_supplicant/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile +index cb66def..26b0c93 100644 +--- a/wpa_supplicant/Makefile ++++ b/wpa_supplicant/Makefile +@@ -170,7 +170,7 @@ CFLAGS += -DCONFIG_ELOOP_KQUEUE + endif + + ifdef CONFIG_EAPOL_TEST +-CFLAGS += -Werror -DEAPOL_TEST ++CFLAGS += -DEAPOL_TEST + endif + + ifdef CONFIG_CODE_COVERAGE 
diff --git a/wpa_supplicant/sums b/wpa_supplicant/sums index 71419d2..8e90580 100644 --- a/wpa_supplicant/sums +++ b/wpa_supplicant/sums @@ -1 +1,9 @@ -sha256sum {wpa_supp*gz*,00*,CVE*,tls*,roam*,config} >>PKGBUILD +wpa_supplicant-2.10.tar.gz +wpa_supplicant-2.10.tar.gz.asc +wpa_supplicant_config +wpa_supplicant_tls.patch +wpa_supplicant-legacy-server-connect.patch +lower_security_level_for_tls_1.patch +disable-eapol-werror.patch +0001-nl80211-add-extra-ies-only-if-allowed-by-driver.patch +0002-AP-guard-FT-SAE-code-with-CONFIG_IEEE80211R_AP.patch diff --git a/wpa_supplicant/wpa_supplicant_config b/wpa_supplicant/wpa_supplicant_config index a9d2b49..f4793fb 100644 --- a/wpa_supplicant/wpa_supplicant_config +++ b/wpa_supplicant/wpa_supplicant_config @@ -1,4 +1,4 @@ -# Example wpa_supplicant build time configuration +# Arch Linux wpa_supplicant build time configuration # # This file lists the configuration options that are used when building the # wpa_supplicant binary. All lines starting with # are ignored. Configuration @@ -195,7 +195,7 @@ CONFIG_SMARTCARD=y # PC/SC interface for smartcards (USIM, GSM SIM) # Enable this if EAP-SIM or EAP-AKA is included -#CONFIG_PCSC=y +CONFIG_PCSC=y # Support HT overrides (disable HT/HT40, mask MCS rates, etc.) CONFIG_HT_OVERRIDES=y @@ -204,7 +204,7 @@ CONFIG_HT_OVERRIDES=y CONFIG_VHT_OVERRIDES=y # Development testing -#CONFIG_EAPOL_TEST=y +CONFIG_EAPOL_TEST=y # Select control interface backend for external programs, e.g, wpa_cli: # unix = UNIX domain sockets (default for Linux/*BSD) @@ -311,7 +311,7 @@ CONFIG_L2_PACKET=linux #CONFIG_NO_LINUX_PACKET_SOCKET_WAR=y # Support Operating Channel Validation -#CONFIG_OCV=y +CONFIG_OCV=y # Select TLS implementation # openssl = OpenSSL (default) 
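Review bot: `CONFIG_EAPOL_TEST=y` is enabled under the file's own `# Development testing` heading, and enabling it is what makes disable-eapol-werror.patch necessary (its subject is "Disable -Werror for eapol_test"), so compiler warnings in that tool no longer fail the build. If package() does not install eapol_test, the option only adds build time and should stay commented; if it does install it, a comment stating why an EAP/RADIUS test client ships in the main package would help, e.g. `# eapol_test is built for EAP/RADIUS server testing; requires disable-eapol-werror.patch`. The `CONFIG_IPV6=y` comment added in the file's last hunk already ties that option to eapol_test, so the two comments should agree.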
@@ -337,7 +337,6 @@ CONFIG_TLSV12=y # Select which ciphers to use by default with OpenSSL if the user does not # specify them. -#CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW" CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT@SECLEVEL=1" # If CONFIG_TLS=internal is used, additional library and include paths are @@ -570,12 +569,12 @@ CONFIG_FST=y CONFIG_ACS=y # Support Multi Band Operation -#CONFIG_MBO=y +CONFIG_MBO=y # Fast Initial Link Setup (FILS) (IEEE 802.11ai) -#CONFIG_FILS=y +CONFIG_FILS=y # FILS shared key authentication with PFS -#CONFIG_FILS_SK_PFS=y +CONFIG_FILS_SK_PFS=y # Support RSN on IBSS networks # This is needed to be able to use mode=1 network profile with proto=RSN and @@ -634,4 +633,17 @@ CONFIG_DPP2=y # design is still subject to change. As such, this should not yet be enabled in # production use. #CONFIG_PASN=y + +# WPA3-Enterprise (SuiteB-192) +CONFIG_SUITEB=y + +CONFIG_SUITEB192=y + +# Driver support is also needed for IEEE 802.11w. +CONFIG_IEEE80211W=y + +# IEEE 802.11n (High Throughput) support (mainly for AP mode) +CONFIG_IEEE80211N=y + +# Used by eapol_test only, see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985912 CONFIG_IPV6=y
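Review bot: `CONFIG_IEEE80211W=y` and `CONFIG_IEEE80211N=y` with their comments look copied from an older defconfig; as far as I recall, the 2.10 release removed both build options (PMF is always compiled in and HT is always enabled), in which case these lines are no-ops that suggest PMF is being switched on here when it is not a build-time choice anymore. Check the 2.10 tarball's wpa_supplicant/defconfig and, if the options are gone, drop the two lines or replace the comment with `# PMF (IEEE 802.11w) and HT are always built in since 2.10; pmf= is a runtime setting`. Separately, the `CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT@SECLEVEL=1"` line kept as context is, per the comment above it, the default for every connection that does not set its own cipher string, so a one-line comment pointing at the Arch task referenced in prepare() would document why the lowered OpenSSL security level is the package default.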