From abfddd994a411f1de9542515e7cacd3a9996060e Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Jan 11 2022 18:45:14 +0000 Subject: import wpa_supplicant-2.9-17.20211112.gitc8b94bc7b347.el9 --- diff --git a/.gitignore b/.gitignore index 1111241..782d04b 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/wpa_supplicant-2.9.tar.gz +SOURCES/wpa_supplicant-2.9.20211112.gitc8b94bc7b347.tar.gz diff --git a/.wpa_supplicant.metadata b/.wpa_supplicant.metadata index 47c5168..4459e1b 100644 --- a/.wpa_supplicant.metadata +++ b/.wpa_supplicant.metadata @@ -1 +1 @@ -b784c0e5e56889c81d027757a4623659bf15f9a8 SOURCES/wpa_supplicant-2.9.tar.gz +b2d76c4d69a93ed3a266b5fcd76a36f7d7586c56 SOURCES/wpa_supplicant-2.9.20211112.gitc8b94bc7b347.tar.gz diff --git a/SOURCES/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch b/SOURCES/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch deleted file mode 100644 index d764a9d..0000000 --- a/SOURCES/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch +++ /dev/null @@ -1,73 +0,0 @@ -From 8c07fa9eda13e835f3f968b2e1c9a8be3a851ff9 Mon Sep 17 00:00:00 2001 -From: Jouni Malinen -Date: Thu, 29 Aug 2019 11:52:04 +0300 -Subject: [PATCH] AP: Silently ignore management frame from unexpected source - address - -Do not process any received Management frames with unexpected/invalid SA -so that we do not add any state for unexpected STA addresses or end up -sending out frames to unexpected destination. This prevents unexpected -sequences where an unprotected frame might end up causing the AP to send -out a response to another device and that other device processing the -unexpected response. - -In particular, this prevents some potential denial of service cases -where the unexpected response frame from the AP might result in a -connected station dropping its association. - -Signed-off-by: Jouni Malinen ---- - src/ap/drv_callbacks.c | 13 +++++++++++++ - src/ap/ieee802_11.c | 12 ++++++++++++ - 2 files changed, 25 insertions(+) - -diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c -index 31587685fe3b..34ca379edc3d 100644 ---- a/src/ap/drv_callbacks.c -+++ b/src/ap/drv_callbacks.c -@@ -131,6 +131,19 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr, - "hostapd_notif_assoc: Skip event with no address"); - return -1; - } -+ -+ if (is_multicast_ether_addr(addr) || -+ is_zero_ether_addr(addr) || -+ os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) { -+ /* Do not process any frames with unexpected/invalid SA so that -+ * we do not add any state for unexpected STA addresses or end -+ * up sending out frames to unexpected destination. */ -+ wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR -+ " in received indication - ignore this indication silently", -+ __func__, MAC2STR(addr)); -+ return 0; -+ } -+ - random_add_randomness(addr, ETH_ALEN); - - hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211, -diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c -index c85a28db44b7..e7065372e158 100644 ---- a/src/ap/ieee802_11.c -+++ b/src/ap/ieee802_11.c -@@ -4626,6 +4626,18 @@ int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len, - fc = le_to_host16(mgmt->frame_control); - stype = WLAN_FC_GET_STYPE(fc); - -+ if (is_multicast_ether_addr(mgmt->sa) || -+ is_zero_ether_addr(mgmt->sa) || -+ os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) { -+ /* Do not process any frames with unexpected/invalid SA so that -+ * we do not add any state for unexpected STA addresses or end -+ * up sending out frames to unexpected destination. */ -+ wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR -+ " in received frame - ignore this frame silently", -+ MAC2STR(mgmt->sa)); -+ return 0; -+ } -+ - if (stype == WLAN_FC_STYPE_BEACON) { - handle_beacon(hapd, mgmt, len, fi); - return 1; --- -2.20.1 - diff --git a/SOURCES/0001-D-Bus-Allow-changing-an-interface-bridge-via-D-Bus.patch b/SOURCES/0001-D-Bus-Allow-changing-an-interface-bridge-via-D-Bus.patch deleted file mode 100644 index 4da577e..0000000 --- a/SOURCES/0001-D-Bus-Allow-changing-an-interface-bridge-via-D-Bus.patch +++ /dev/null @@ -1,200 +0,0 @@ -From 1c58317f56e312576b6872440f125f794e45f991 Mon Sep 17 00:00:00 2001 -Message-Id: <1c58317f56e312576b6872440f125f794e45f991.1602774933.git.davide.caratti@gmail.com> -From: Beniamino Galvani -Date: Wed, 30 Sep 2020 18:34:36 +0200 -Subject: [PATCH] D-Bus: Allow changing an interface bridge via D-Bus - -D-Bus clients can call CreateInterface() once and use the resulting -Interface object to connect multiple times to different networks. - -However, if the network interface gets added to a bridge, clients -currently have to remove the Interface object and create a new one. - -Improve this by supporting the change of the BridgeIfname property of -an existing Interface object. - -Signed-off-by: Beniamino Galvani ---- - src/rsn_supp/tdls.c | 5 +++ - wpa_supplicant/dbus/dbus_new.c | 2 +- - wpa_supplicant/dbus/dbus_new_handlers.c | 37 ++++++++++++++++ - wpa_supplicant/dbus/dbus_new_handlers.h | 1 + - wpa_supplicant/wpa_supplicant.c | 59 +++++++++++++++++++++++++ - wpa_supplicant/wpa_supplicant_i.h | 2 + - 6 files changed, 105 insertions(+), 1 deletion(-) - -diff --git a/src/rsn_supp/tdls.c b/src/rsn_supp/tdls.c -index 7b47e3ac5..eff8cd829 100644 ---- a/src/rsn_supp/tdls.c -+++ b/src/rsn_supp/tdls.c -@@ -2807,6 +2807,11 @@ int wpa_tdls_init(struct wpa_sm *sm) - if (sm == NULL) - return -1; - -+ if (sm->l2_tdls) { -+ l2_packet_deinit(sm->l2_tdls); -+ sm->l2_tdls = NULL; -+ } -+ - sm->l2_tdls = l2_packet_init(sm->bridge_ifname ? sm->bridge_ifname : - sm->ifname, - sm->own_addr, -diff --git a/wpa_supplicant/dbus/dbus_new.c b/wpa_supplicant/dbus/dbus_new.c -index 793a881ef..ab7628f87 100644 ---- a/wpa_supplicant/dbus/dbus_new.c -+++ b/wpa_supplicant/dbus/dbus_new.c -@@ -3613,7 +3613,7 @@ static const struct wpa_dbus_property_desc wpas_dbus_interface_properties[] = { - }, - { "BridgeIfname", WPAS_DBUS_NEW_IFACE_INTERFACE, "s", - wpas_dbus_getter_bridge_ifname, -- NULL, -+ wpas_dbus_setter_bridge_ifname, - NULL - }, - { "ConfigFile", WPAS_DBUS_NEW_IFACE_INTERFACE, "s", -diff --git a/wpa_supplicant/dbus/dbus_new_handlers.c b/wpa_supplicant/dbus/dbus_new_handlers.c -index 34abab752..2cfc87fa8 100644 ---- a/wpa_supplicant/dbus/dbus_new_handlers.c -+++ b/wpa_supplicant/dbus/dbus_new_handlers.c -@@ -3635,6 +3635,43 @@ dbus_bool_t wpas_dbus_getter_bridge_ifname( - } - - -+dbus_bool_t wpas_dbus_setter_bridge_ifname( -+ const struct wpa_dbus_property_desc *property_desc, -+ DBusMessageIter *iter, DBusError *error, void *user_data) -+{ -+ struct wpa_supplicant *wpa_s = user_data; -+ const char *bridge_ifname = NULL; -+ const char *msg; -+ int r; -+ -+ if (!wpas_dbus_simple_property_setter(iter, error, DBUS_TYPE_STRING, -+ &bridge_ifname)) -+ return FALSE; -+ -+ r = wpa_supplicant_update_bridge_ifname(wpa_s, bridge_ifname); -+ if (r != 0) { -+ switch (r) { -+ case -EINVAL: -+ msg = "invalid interface name"; -+ break; -+ case -EBUSY: -+ msg = "interface is busy"; -+ break; -+ case -EIO: -+ msg = "socket error"; -+ break; -+ default: -+ msg = "unknown error"; -+ break; -+ } -+ dbus_set_error_const(error, DBUS_ERROR_FAILED, msg); -+ return FALSE; -+ } -+ -+ return TRUE; -+} -+ -+ - /** - * wpas_dbus_getter_config_file - Get interface configuration file path - * @iter: Pointer to incoming dbus message iter -diff --git a/wpa_supplicant/dbus/dbus_new_handlers.h b/wpa_supplicant/dbus/dbus_new_handlers.h -index afa26efed..d528c0816 100644 ---- a/wpa_supplicant/dbus/dbus_new_handlers.h -+++ b/wpa_supplicant/dbus/dbus_new_handlers.h -@@ -167,6 +167,7 @@ DECLARE_ACCESSOR(wpas_dbus_setter_scan_interval); - DECLARE_ACCESSOR(wpas_dbus_getter_ifname); - DECLARE_ACCESSOR(wpas_dbus_getter_driver); - DECLARE_ACCESSOR(wpas_dbus_getter_bridge_ifname); -+DECLARE_ACCESSOR(wpas_dbus_setter_bridge_ifname); - DECLARE_ACCESSOR(wpas_dbus_getter_config_file); - DECLARE_ACCESSOR(wpas_dbus_getter_current_bss); - DECLARE_ACCESSOR(wpas_dbus_getter_current_network); -diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c -index 39e92fb68..a7e9e459e 100644 ---- a/wpa_supplicant/wpa_supplicant.c -+++ b/wpa_supplicant/wpa_supplicant.c -@@ -4906,6 +4906,65 @@ static void wpa_supplicant_rx_eapol_bridge(void *ctx, const u8 *src_addr, - } - - -+int wpa_supplicant_update_bridge_ifname(struct wpa_supplicant *wpa_s, -+ const char *bridge_ifname) -+{ -+ if (wpa_s->wpa_state > WPA_SCANNING) -+ return -EBUSY; -+ -+ if (bridge_ifname && -+ os_strlen(bridge_ifname) >= sizeof(wpa_s->bridge_ifname)) -+ return -EINVAL; -+ -+ if (!bridge_ifname) -+ bridge_ifname = ""; -+ -+ if (os_strcmp(wpa_s->bridge_ifname, bridge_ifname) == 0) -+ return 0; -+ -+ if (wpa_s->l2_br) { -+ l2_packet_deinit(wpa_s->l2_br); -+ wpa_s->l2_br = NULL; -+ } -+ -+ os_strlcpy(wpa_s->bridge_ifname, bridge_ifname, -+ sizeof(wpa_s->bridge_ifname)); -+ -+ if (wpa_s->bridge_ifname[0]) { -+ wpa_dbg(wpa_s, MSG_DEBUG, -+ "Receiving packets from bridge interface '%s'", -+ wpa_s->bridge_ifname); -+ wpa_s->l2_br = l2_packet_init_bridge( -+ wpa_s->bridge_ifname, wpa_s->ifname, wpa_s->own_addr, -+ ETH_P_EAPOL, wpa_supplicant_rx_eapol_bridge, wpa_s, 1); -+ if (!wpa_s->l2_br) { -+ wpa_msg(wpa_s, MSG_ERROR, -+ "Failed to open l2_packet connection for the bridge interface '%s'", -+ wpa_s->bridge_ifname); -+ goto fail; -+ } -+ } -+ -+#ifdef CONFIG_TDLS -+ if (!wpa_s->p2p_mgmt && wpa_tdls_init(wpa_s->wpa)) -+ goto fail; -+#endif /* CONFIG_TDLS */ -+ -+ return 0; -+fail: -+ wpa_s->bridge_ifname[0] = 0; -+ if (wpa_s->l2_br) { -+ l2_packet_deinit(wpa_s->l2_br); -+ wpa_s->l2_br = NULL; -+ } -+#ifdef CONFIG_TDLS -+ if (!wpa_s->p2p_mgmt) -+ wpa_tdls_init(wpa_s->wpa); -+#endif /* CONFIG_TDLS */ -+ return -EIO; -+} -+ -+ - /** - * wpa_supplicant_driver_init - Initialize driver interface parameters - * @wpa_s: Pointer to wpa_supplicant data -diff --git a/wpa_supplicant/wpa_supplicant_i.h b/wpa_supplicant/wpa_supplicant_i.h -index 31a9b7427..eac3491cc 100644 ---- a/wpa_supplicant/wpa_supplicant_i.h -+++ b/wpa_supplicant/wpa_supplicant_i.h -@@ -1351,6 +1351,8 @@ int wpa_supplicant_reload_configuration(struct wpa_supplicant *wpa_s); - const char * wpa_supplicant_state_txt(enum wpa_states state); - int wpa_supplicant_update_mac_addr(struct wpa_supplicant *wpa_s); - int wpa_supplicant_driver_init(struct wpa_supplicant *wpa_s); -+int wpa_supplicant_update_bridge_ifname(struct wpa_supplicant *wpa_s, -+ const char *bridge_ifname); - int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s, - struct wpa_bss *bss, struct wpa_ssid *ssid, - u8 *wpa_ie, size_t *wpa_ie_len); --- -2.26.2 - diff --git a/SOURCES/0001-D-Bus-Fix-P2P-NULL-dereference-after-interface-remov.patch b/SOURCES/0001-D-Bus-Fix-P2P-NULL-dereference-after-interface-remov.patch deleted file mode 100644 index 277d1a2..0000000 --- a/SOURCES/0001-D-Bus-Fix-P2P-NULL-dereference-after-interface-remov.patch +++ /dev/null @@ -1,209 +0,0 @@ -From b2ad4e6b24ed0271ca76cb27856def0a701fb778 Mon Sep 17 00:00:00 2001 -From: Davide Caratti -Date: Wed, 2 Oct 2019 14:08:41 +0200 -Subject: [PATCH] D-Bus: Fix P2P NULL dereference after interface removal - -When the P2P management interface is deleted, P2P is then disabled and -global->p2p_init_wpa_s is set to NULL. After that, other interfaces can -still trigger P2P functions (like wpas_p2p_find()) using D-Bus. This -makes wpa_supplicant terminate with SIGSEGV, because it dereferences a -NULL pointer. Fix this by adding proper checks, like it's done with -wpa_cli. - -CC: Beniamino Galvani -CC: Benjamin Berg -Reported-by: Vladimir Benes -Signed-off-by: Davide Caratti ---- - wpa_supplicant/dbus/dbus_new_handlers_p2p.c | 69 ++++++++++++++++++++- - 1 file changed, 67 insertions(+), 2 deletions(-) - -diff --git a/wpa_supplicant/dbus/dbus_new_handlers_p2p.c b/wpa_supplicant/dbus/dbus_new_handlers_p2p.c -index 8cdd88564..19715eb4c 100644 ---- a/wpa_supplicant/dbus/dbus_new_handlers_p2p.c -+++ b/wpa_supplicant/dbus/dbus_new_handlers_p2p.c -@@ -40,6 +40,14 @@ static int wpas_dbus_validate_dbus_ipaddr(struct wpa_dbus_dict_entry entry) - } - - -+static dbus_bool_t no_p2p_mgmt_interface(DBusError *error) -+{ -+ dbus_set_error_const(error, WPAS_DBUS_ERROR_IFACE_UNKNOWN, -+ "Could not find P2P mgmt interface"); -+ return FALSE; -+} -+ -+ - /** - * Parses out the mac address from the peer object path. - * @peer_path - object path of the form -@@ -78,6 +86,22 @@ wpas_dbus_error_persistent_group_unknown(DBusMessage *message) - } - - -+/** -+ * wpas_dbus_error_no_p2p_mgmt_iface - Return a new InterfaceUnknown error -+ * message -+ * @message: Pointer to incoming dbus message this error refers to -+ * Returns: a dbus error message -+ * -+ * Convenience function to create and return an unknown interface error. -+ */ -+static DBusMessage * wpas_dbus_error_no_p2p_mgmt_iface(DBusMessage *message) -+{ -+ wpa_printf(MSG_DEBUG, "dbus: Could not find P2P mgmt interface"); -+ return dbus_message_new_error(message, WPAS_DBUS_ERROR_IFACE_UNKNOWN, -+ "Could not find P2P mgmt interface"); -+} -+ -+ - DBusMessage * wpas_dbus_handler_p2p_find(DBusMessage *message, - struct wpa_supplicant *wpa_s) - { -@@ -145,6 +169,10 @@ DBusMessage * wpas_dbus_handler_p2p_find(DBusMessage *message, - } - - wpa_s = wpa_s->global->p2p_init_wpa_s; -+ if (!wpa_s) { -+ reply = wpas_dbus_error_no_p2p_mgmt_iface(message); -+ goto error_nop2p; -+ } - - if (wpas_p2p_find(wpa_s, timeout, type, num_req_dev_types, - req_dev_types, NULL, 0, 0, NULL, freq)) -@@ -157,8 +185,9 @@ DBusMessage * wpas_dbus_handler_p2p_find(DBusMessage *message, - error_clear: - wpa_dbus_dict_entry_clear(&entry); - error: -- os_free(req_dev_types); - reply = wpas_dbus_error_invalid_args(message, entry.key); -+error_nop2p: -+ os_free(req_dev_types); - return reply; - } - -@@ -166,7 +195,9 @@ error: - DBusMessage * wpas_dbus_handler_p2p_stop_find(DBusMessage *message, - struct wpa_supplicant *wpa_s) - { -- wpas_p2p_stop_find(wpa_s->global->p2p_init_wpa_s); -+ wpa_s = wpa_s->global->p2p_init_wpa_s; -+ if (wpa_s) -+ wpas_p2p_stop_find(wpa_s); - return NULL; - } - -@@ -185,6 +216,8 @@ DBusMessage * wpas_dbus_handler_p2p_rejectpeer(DBusMessage *message, - return wpas_dbus_error_invalid_args(message, NULL); - - wpa_s = wpa_s->global->p2p_init_wpa_s; -+ if (!wpa_s) -+ return wpas_dbus_error_no_p2p_mgmt_iface(message); - - if (wpas_p2p_reject(wpa_s, peer_addr) < 0) - return wpas_dbus_error_unknown_error(message, -@@ -204,6 +237,8 @@ DBusMessage * wpas_dbus_handler_p2p_listen(DBusMessage *message, - return wpas_dbus_error_no_memory(message); - - wpa_s = wpa_s->global->p2p_init_wpa_s; -+ if (!wpa_s) -+ return wpas_dbus_error_no_p2p_mgmt_iface(message); - - if (wpas_p2p_listen(wpa_s, (unsigned int) timeout)) { - return dbus_message_new_error(message, -@@ -245,6 +280,8 @@ DBusMessage * wpas_dbus_handler_p2p_extendedlisten( - } - - wpa_s = wpa_s->global->p2p_init_wpa_s; -+ if (!wpa_s) -+ return wpas_dbus_error_no_p2p_mgmt_iface(message); - - if (wpas_p2p_ext_listen(wpa_s, period, interval)) - return wpas_dbus_error_unknown_error( -@@ -350,6 +387,10 @@ DBusMessage * wpas_dbus_handler_p2p_group_add(DBusMessage *message, - } - - wpa_s = wpa_s->global->p2p_init_wpa_s; -+ if (!wpa_s) { -+ reply = wpas_dbus_error_no_p2p_mgmt_iface(message); -+ goto out; -+ } - - if (pg_object_path != NULL) { - char *net_id_str; -@@ -433,6 +474,12 @@ static dbus_bool_t wpa_dbus_p2p_check_enabled(struct wpa_supplicant *wpa_s, - "P2P is not available for this interface"); - return FALSE; - } -+ if (!wpa_s->global->p2p_init_wpa_s) { -+ if (out_reply) -+ *out_reply = wpas_dbus_error_no_p2p_mgmt_iface( -+ message); -+ return no_p2p_mgmt_interface(error); -+ } - return TRUE; - } - -@@ -822,6 +869,8 @@ DBusMessage * wpas_dbus_handler_p2p_prov_disc_req(DBusMessage *message, - return wpas_dbus_error_invalid_args(message, NULL); - - wpa_s = wpa_s->global->p2p_init_wpa_s; -+ if (!wpa_s) -+ return wpas_dbus_error_no_p2p_mgmt_iface(message); - - if (wpas_p2p_prov_disc(wpa_s, peer_addr, config_method, - WPAS_P2P_PD_FOR_GO_NEG, NULL) < 0) -@@ -1882,6 +1931,8 @@ dbus_bool_t wpas_dbus_getter_p2p_peer_groups( - - wpa_s = peer_args->wpa_s; - wpa_s = wpa_s->global->p2p_init_wpa_s; -+ if (!wpa_s) -+ return no_p2p_mgmt_interface(error); - - wpa_s_go = wpas_get_p2p_client_iface(wpa_s, info->p2p_device_addr); - if (wpa_s_go) { -@@ -1963,6 +2014,9 @@ dbus_bool_t wpas_dbus_getter_persistent_groups( - dbus_bool_t success = FALSE; - - wpa_s = wpa_s->global->p2p_init_wpa_s; -+ if (!wpa_s) -+ return no_p2p_mgmt_interface(error); -+ - if (!wpa_s->parent->dbus_new_path) - return FALSE; - -@@ -2077,6 +2131,11 @@ DBusMessage * wpas_dbus_handler_add_persistent_group( - dbus_message_iter_init(message, &iter); - - wpa_s = wpa_s->global->p2p_init_wpa_s; -+ if (!wpa_s) { -+ reply = wpas_dbus_error_no_p2p_mgmt_iface(message); -+ goto err; -+ } -+ - if (wpa_s->parent->dbus_new_path) - ssid = wpa_config_add_network(wpa_s->conf); - if (ssid == NULL) { -@@ -2159,6 +2218,10 @@ DBusMessage * wpas_dbus_handler_remove_persistent_group( - DBUS_TYPE_INVALID); - - wpa_s = wpa_s->global->p2p_init_wpa_s; -+ if (!wpa_s) { -+ reply = wpas_dbus_error_no_p2p_mgmt_iface(message); -+ goto out; -+ } - - /* - * Extract the network ID and ensure the network is actually a child of -@@ -2235,6 +2298,8 @@ DBusMessage * wpas_dbus_handler_remove_all_persistent_groups( - struct wpa_config *config; - - wpa_s = wpa_s->global->p2p_init_wpa_s; -+ if (!wpa_s) -+ return wpas_dbus_error_no_p2p_mgmt_iface(message); - - config = wpa_s->conf; - ssid = config->ssid; --- -2.26.2 - diff --git a/SOURCES/0001-EAP-TTLS-PEAP-peer-Fix-failure-when-using-session-ti.patch b/SOURCES/0001-EAP-TTLS-PEAP-peer-Fix-failure-when-using-session-ti.patch deleted file mode 100644 index 0e94b20..0000000 --- a/SOURCES/0001-EAP-TTLS-PEAP-peer-Fix-failure-when-using-session-ti.patch +++ /dev/null @@ -1,110 +0,0 @@ -From 872609c15110d32ee2d306aeeeffdd4e42ef6fc6 Mon Sep 17 00:00:00 2001 -Message-Id: <872609c15110d32ee2d306aeeeffdd4e42ef6fc6.1627507211.git.davide.caratti@gmail.com> -From: Alexander Clouter -Date: Fri, 16 Oct 2020 09:49:36 +0100 -Subject: [PATCH] EAP-TTLS/PEAP peer: Fix failure when using session tickets - under TLS 1.3 - -EAP peer does not expect data present when beginning the Phase 2 in -EAP-{TTLS,PEAP} but in TLS 1.3 session tickets are sent after the -handshake completes. - -There are several strategies that can be used to handle this, but this -patch picks up from the discussion[1] and implements the proposed use of -SSL_MODE_AUTO_RETRY. SSL_MODE_AUTO_RETRY has already been enabled by -default in OpenSSL 1.1.1, but it needs to be enabled for older versions. - -The main OpenSSL wrapper change in tls_connection_decrypt() takes care -of the new possible case with SSL_MODE_AUTO_RETRY for -SSL_ERROR_WANT_READ to indicate that a non-application_data was -processed. That is not really an error case with TLS 1.3, so allow it to -complete and return an empty decrypted application data buffer. -EAP-PEAP/TTLS processing can then use this to move ahead with starting -Phase 2. - -[1] https://www.spinics.net/lists/hostap/msg05376.html - -Signed-off-by: Alexander Clouter ---- - src/crypto/tls_openssl.c | 18 ++++++++++++++---- - src/eap_peer/eap_peap.c | 4 ++++ - src/eap_peer/eap_ttls.c | 5 +++++ - 3 files changed, 23 insertions(+), 4 deletions(-) - -diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c -index ef872c50e..345a35ee1 100644 ---- a/src/crypto/tls_openssl.c -+++ b/src/crypto/tls_openssl.c -@@ -1045,6 +1045,8 @@ void * tls_init(const struct tls_config *conf) - SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv2); - SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv3); - -+ SSL_CTX_set_mode(ssl, SSL_MODE_AUTO_RETRY); -+ - #ifdef SSL_MODE_NO_AUTO_CHAIN - /* Number of deployed use cases assume the default OpenSSL behavior of - * auto chaining the local certificate is in use. BoringSSL removed this -@@ -4543,10 +4545,18 @@ struct wpabuf * tls_connection_decrypt(void *tls_ctx, - return NULL; - res = SSL_read(conn->ssl, wpabuf_mhead(buf), wpabuf_size(buf)); - if (res < 0) { -- tls_show_errors(MSG_INFO, __func__, -- "Decryption failed - SSL_read"); -- wpabuf_free(buf); -- return NULL; -+ int err = SSL_get_error(conn->ssl, res); -+ -+ if (err == SSL_ERROR_WANT_READ) { -+ wpa_printf(MSG_DEBUG, -+ "SSL: SSL_connect - want more data"); -+ res = 0; -+ } else { -+ tls_show_errors(MSG_INFO, __func__, -+ "Decryption failed - SSL_read"); -+ wpabuf_free(buf); -+ return NULL; -+ } - } - wpabuf_put(buf, res); - -diff --git a/src/eap_peer/eap_peap.c b/src/eap_peer/eap_peap.c -index 7c3704369..a13428d37 100644 ---- a/src/eap_peer/eap_peap.c -+++ b/src/eap_peer/eap_peap.c -@@ -803,6 +803,10 @@ static int eap_peap_decrypt(struct eap_sm *sm, struct eap_peap_data *data, - res = eap_peer_tls_decrypt(sm, &data->ssl, in_data, &in_decrypted); - if (res) - return res; -+ if (wpabuf_len(in_decrypted) == 0) { -+ wpabuf_free(in_decrypted); -+ return 1; -+ } - - continue_req: - wpa_hexdump_buf(MSG_DEBUG, "EAP-PEAP: Decrypted Phase 2 EAP", -diff --git a/src/eap_peer/eap_ttls.c b/src/eap_peer/eap_ttls.c -index 642d179c6..3bf1e97e6 100644 ---- a/src/eap_peer/eap_ttls.c -+++ b/src/eap_peer/eap_ttls.c -@@ -1441,6 +1441,7 @@ static int eap_ttls_decrypt(struct eap_sm *sm, struct eap_ttls_data *data, - - if ((in_data == NULL || wpabuf_len(in_data) == 0) && - data->phase2_start) { -+start: - return eap_ttls_phase2_start(sm, data, ret, identifier, - out_data); - } -@@ -1455,6 +1456,10 @@ static int eap_ttls_decrypt(struct eap_sm *sm, struct eap_ttls_data *data, - retval = eap_peer_tls_decrypt(sm, &data->ssl, in_data, &in_decrypted); - if (retval) - goto done; -+ if (wpabuf_len(in_decrypted) == 0) { -+ wpabuf_free(in_decrypted); -+ goto start; -+ } - - continue_req: - data->phase2_start = 0; --- -2.31.1 - diff --git a/SOURCES/0001-OpenSSL-Allow-systemwide-secpolicy-overrides-for-TLS.patch b/SOURCES/0001-OpenSSL-Allow-systemwide-secpolicy-overrides-for-TLS.patch deleted file mode 100644 index fafabbd..0000000 --- a/SOURCES/0001-OpenSSL-Allow-systemwide-secpolicy-overrides-for-TLS.patch +++ /dev/null @@ -1,66 +0,0 @@ -From 9afb68b03976d019bb450e5e33b0d8e48867691c Mon Sep 17 00:00:00 2001 -Message-Id: <9afb68b03976d019bb450e5e33b0d8e48867691c.1626202922.git.davide.caratti@gmail.com> -From: Jouni Malinen -Date: Tue, 8 Sep 2020 17:55:36 +0300 -Subject: [PATCH] OpenSSL: Allow systemwide secpolicy overrides for TLS version - -Explicit configuration to enable TLS v1.0 and/or v1.1 did not work with -systemwide OpenSSL secpolicy=2 cases (e.g., Ubuntu 20.04). Allow such -systemwide configuration to be overridden if the older TLS versions have -been explicitly enabled in the network profile. The default behavior -follows the systemwide policy, but this allows compatibility with old -authentication servers without having to touch the systemwide policy. - -Signed-off-by: Jouni Malinen ---- - src/crypto/tls_openssl.c | 26 +++++++++++++++++--------- - 1 file changed, 17 insertions(+), 9 deletions(-) - -diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c -index e73dd7f5b..f7dfecbbf 100644 ---- a/src/crypto/tls_openssl.c -+++ b/src/crypto/tls_openssl.c -@@ -2995,16 +2995,12 @@ static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags, - - /* Explicit request to enable TLS versions even if needing to - * override systemwide policies. */ -- if (flags & TLS_CONN_ENABLE_TLSv1_0) { -+ if (flags & TLS_CONN_ENABLE_TLSv1_0) - version = TLS1_VERSION; -- } else if (flags & TLS_CONN_ENABLE_TLSv1_1) { -- if (!(flags & TLS_CONN_DISABLE_TLSv1_0)) -- version = TLS1_1_VERSION; -- } else if (flags & TLS_CONN_ENABLE_TLSv1_2) { -- if (!(flags & (TLS_CONN_DISABLE_TLSv1_0 | -- TLS_CONN_DISABLE_TLSv1_1))) -- version = TLS1_2_VERSION; -- } -+ else if (flags & TLS_CONN_ENABLE_TLSv1_1) -+ version = TLS1_1_VERSION; -+ else if (flags & TLS_CONN_ENABLE_TLSv1_2) -+ version = TLS1_2_VERSION; - if (!version) { - wpa_printf(MSG_DEBUG, - "OpenSSL: Invalid TLS version configuration"); -@@ -3018,6 +3014,18 @@ static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags, - } - } - #endif /* >= 1.1.0 */ -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && \ -+ !defined(LIBRESSL_VERSION_NUMBER) && \ -+ !defined(OPENSSL_IS_BORINGSSL) -+ if ((flags & (TLS_CONN_ENABLE_TLSv1_0 | TLS_CONN_ENABLE_TLSv1_1)) && -+ SSL_get_security_level(ssl) >= 2) { -+ /* -+ * Need to drop to security level 1 to allow TLS versions older -+ * than 1.2 to be used when explicitly enabled in configuration. -+ */ -+ SSL_set_security_level(conn->ssl, 1); -+ } -+#endif - - #ifdef CONFIG_SUITEB - #ifdef OPENSSL_IS_BORINGSSL --- -2.31.1 - diff --git a/SOURCES/0001-P2P-Always-use-global-p2p_long_listen.patch b/SOURCES/0001-P2P-Always-use-global-p2p_long_listen.patch deleted file mode 100644 index a617de8..0000000 --- a/SOURCES/0001-P2P-Always-use-global-p2p_long_listen.patch +++ /dev/null @@ -1,111 +0,0 @@ -From 9ad3c12dd1bf56824ef8b3425e057e8d1e84e69d Mon Sep 17 00:00:00 2001 -From: Benjamin Berg -Date: Fri, 3 Jan 2020 22:18:51 +0100 -Subject: [PATCH] P2P: Always use global p2p_long_listen - -The p2p_long_listen value was set on the control wpa_s struct while in a -lot of cases it operated on the p2p struct. Explicitly use the global -p2p_init_wpa_s struct in cases where we might not be operating on it -already. - -Without this, simply starting a p2p_listen operation (e.g., using -wpa_cli) will not work properly. As the p2p_long_listen is set on the -controlling interface and wpas_p2p_cancel_remain_on_channel_cb() uses -p2p_init_wpa_s, it would not actually work. This results in -wpa_supplicant stopping listening after the maximum remain-on-channel -time passes when using a separate P2P Device interface. - -Signed-off-by: Benjamin Berg ---- - wpa_supplicant/p2p_supplicant.c | 19 ++++++++++--------- - 1 file changed, 10 insertions(+), 9 deletions(-) - -diff --git a/wpa_supplicant/p2p_supplicant.c b/wpa_supplicant/p2p_supplicant.c -index 95bacec19..a7d3b7f1d 100644 ---- a/wpa_supplicant/p2p_supplicant.c -+++ b/wpa_supplicant/p2p_supplicant.c -@@ -2422,7 +2422,7 @@ static void wpas_go_neg_completed(void *ctx, struct p2p_go_neg_results *res) - wpas_start_wps_enrollee(group_wpa_s, res); - } - -- wpa_s->p2p_long_listen = 0; -+ wpa_s->global->p2p_init_wpa_s->p2p_long_listen = 0; - eloop_cancel_timeout(wpas_p2p_long_listen_timeout, wpa_s, NULL); - - eloop_cancel_timeout(wpas_p2p_group_formation_timeout, wpa_s, NULL); -@@ -4750,7 +4750,8 @@ void wpas_p2p_deinit(struct wpa_supplicant *wpa_s) - eloop_cancel_timeout(wpas_p2p_psk_failure_removal, wpa_s, NULL); - eloop_cancel_timeout(wpas_p2p_group_formation_timeout, wpa_s, NULL); - eloop_cancel_timeout(wpas_p2p_join_scan, wpa_s, NULL); -- wpa_s->p2p_long_listen = 0; -+ if (wpa_s->global->p2p_init_wpa_s) -+ wpa_s->global->p2p_init_wpa_s->p2p_long_listen = 0; - eloop_cancel_timeout(wpas_p2p_long_listen_timeout, wpa_s, NULL); - eloop_cancel_timeout(wpas_p2p_group_idle_timeout, wpa_s, NULL); - wpas_p2p_remove_pending_group_interface(wpa_s); -@@ -5635,7 +5636,7 @@ int wpas_p2p_connect(struct wpa_supplicant *wpa_s, const u8 *peer_addr, - go_intent = wpa_s->conf->p2p_go_intent; - - if (!auth) -- wpa_s->p2p_long_listen = 0; -+ wpa_s->global->p2p_init_wpa_s->p2p_long_listen = 0; - - wpa_s->p2p_wps_method = wps_method; - wpa_s->p2p_persistent_group = !!persistent_group; -@@ -6952,7 +6953,7 @@ int wpas_p2p_find(struct wpa_supplicant *wpa_s, unsigned int timeout, - u8 seek_cnt, const char **seek_string, int freq) - { - wpas_p2p_clear_pending_action_tx(wpa_s); -- wpa_s->p2p_long_listen = 0; -+ wpa_s->global->p2p_init_wpa_s->p2p_long_listen = 0; - - if (wpa_s->global->p2p_disabled || wpa_s->global->p2p == NULL || - wpa_s->p2p_in_provisioning) { -@@ -6997,7 +6998,7 @@ static void wpas_p2p_scan_res_ignore_search(struct wpa_supplicant *wpa_s, - static void wpas_p2p_stop_find_oper(struct wpa_supplicant *wpa_s) - { - wpas_p2p_clear_pending_action_tx(wpa_s); -- wpa_s->p2p_long_listen = 0; -+ wpa_s->global->p2p_init_wpa_s->p2p_long_listen = 0; - eloop_cancel_timeout(wpas_p2p_long_listen_timeout, wpa_s, NULL); - eloop_cancel_timeout(wpas_p2p_join_scan, wpa_s, NULL); - -@@ -7023,7 +7024,7 @@ void wpas_p2p_stop_find(struct wpa_supplicant *wpa_s) - static void wpas_p2p_long_listen_timeout(void *eloop_ctx, void *timeout_ctx) - { - struct wpa_supplicant *wpa_s = eloop_ctx; -- wpa_s->p2p_long_listen = 0; -+ wpa_s->global->p2p_init_wpa_s->p2p_long_listen = 0; - } - - -@@ -7052,7 +7053,7 @@ int wpas_p2p_listen(struct wpa_supplicant *wpa_s, unsigned int timeout) - timeout = 3600; - } - eloop_cancel_timeout(wpas_p2p_long_listen_timeout, wpa_s, NULL); -- wpa_s->p2p_long_listen = 0; -+ wpa_s->global->p2p_init_wpa_s->p2p_long_listen = 0; - - /* - * Stop previous find/listen operation to avoid trying to request a new -@@ -7064,7 +7065,7 @@ int wpas_p2p_listen(struct wpa_supplicant *wpa_s, unsigned int timeout) - - res = wpas_p2p_listen_start(wpa_s, timeout * 1000); - if (res == 0 && timeout * 1000 > wpa_s->max_remain_on_chan) { -- wpa_s->p2p_long_listen = timeout * 1000; -+ wpa_s->global->p2p_init_wpa_s->p2p_long_listen = timeout * 1000; - eloop_register_timeout(timeout, 0, - wpas_p2p_long_listen_timeout, - wpa_s, NULL); -@@ -7171,7 +7172,7 @@ static void wpas_p2p_group_deinit(struct wpa_supplicant *wpa_s) - - int wpas_p2p_reject(struct wpa_supplicant *wpa_s, const u8 *addr) - { -- wpa_s->p2p_long_listen = 0; -+ wpa_s->global->p2p_init_wpa_s->p2p_long_listen = 0; - - if (wpa_s->global->p2p_disabled || wpa_s->global->p2p == NULL) - return -1; --- -2.26.2 - diff --git a/SOURCES/0001-P2P-Fix-a-corner-case-in-peer-addition-based-on-PD-R.patch b/SOURCES/0001-P2P-Fix-a-corner-case-in-peer-addition-based-on-PD-R.patch deleted file mode 100644 index 1942bb3..0000000 --- a/SOURCES/0001-P2P-Fix-a-corner-case-in-peer-addition-based-on-PD-R.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 8460e3230988ef2ec13ce6b69b687e941f6cdb32 Mon Sep 17 00:00:00 2001 -From: Jouni Malinen -Date: Tue, 8 Dec 2020 23:52:50 +0200 -Subject: [PATCH] P2P: Fix a corner case in peer addition based on PD Request - -p2p_add_device() may remove the oldest entry if there is no room in the -peer table for a new peer. This would result in any pointer to that -removed entry becoming stale. A corner case with an invalid PD Request -frame could result in such a case ending up using (read+write) freed -memory. This could only by triggered when the peer table has reached its -maximum size and the PD Request frame is received from the P2P Device -Address of the oldest remaining entry and the frame has incorrect P2P -Device Address in the payload. - -Fix this by fetching the dev pointer again after having called -p2p_add_device() so that the stale pointer cannot be used. - -Fixes: 17bef1e97a50 ("P2P: Add peer entry based on Provision Discovery Request") -Signed-off-by: Jouni Malinen ---- - src/p2p/p2p_pd.c | 12 +++++------- - 1 file changed, 5 insertions(+), 7 deletions(-) - -diff --git a/src/p2p/p2p_pd.c b/src/p2p/p2p_pd.c -index 3994ec03f86b..05fd593494ef 100644 ---- a/src/p2p/p2p_pd.c -+++ b/src/p2p/p2p_pd.c -@@ -595,14 +595,12 @@ void p2p_process_prov_disc_req(struct p2p_data *p2p, const u8 *sa, - goto out; - } - -+ dev = p2p_get_device(p2p, sa); - if (!dev) { -- dev = p2p_get_device(p2p, sa); -- if (!dev) { -- p2p_dbg(p2p, -- "Provision Discovery device not found " -- MACSTR, MAC2STR(sa)); -- goto out; -- } -+ p2p_dbg(p2p, -+ "Provision Discovery device not found " -+ MACSTR, MAC2STR(sa)); -+ goto out; - } - } else if (msg.wfd_subelems) { - wpabuf_free(dev->info.wfd_subelems); --- -2.25.1 - diff --git a/SOURCES/0001-P2P-Fix-copying-of-secondary-device-types-for-P2P-gr.patch b/SOURCES/0001-P2P-Fix-copying-of-secondary-device-types-for-P2P-gr.patch deleted file mode 100644 index 77a5eb9..0000000 --- a/SOURCES/0001-P2P-Fix-copying-of-secondary-device-types-for-P2P-gr.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 947272febe24a8f0ea828b5b2f35f13c3821901e Mon Sep 17 00:00:00 2001 -Message-Id: <947272febe24a8f0ea828b5b2f35f13c3821901e.1612435525.git.davide.caratti@gmail.com> -From: Jouni Malinen -Date: Mon, 9 Nov 2020 11:43:12 +0200 -Subject: [PATCH] P2P: Fix copying of secondary device types for P2P group - client - -Parsing and copying of WPS secondary device types list was verifying -that the contents is not too long for the internal maximum in the case -of WPS messages, but similar validation was missing from the case of P2P -group information which encodes this information in a different -attribute. This could result in writing beyond the memory area assigned -for these entries and corrupting memory within an instance of struct -p2p_device. This could result in invalid operations and unexpected -behavior when trying to free pointers from that corrupted memory. - -Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27269 -Fixes: e57ae6e19edf ("P2P: Keep track of secondary device types for peers") -Signed-off-by: Jouni Malinen ---- - src/p2p/p2p.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c -index 74b7b52ae..5cbfc217f 100644 ---- a/src/p2p/p2p.c -+++ b/src/p2p/p2p.c -@@ -453,6 +453,8 @@ static void p2p_copy_client_info(struct p2p_device *dev, - dev->info.config_methods = cli->config_methods; - os_memcpy(dev->info.pri_dev_type, cli->pri_dev_type, 8); - dev->info.wps_sec_dev_type_list_len = 8 * cli->num_sec_dev_types; -+ if (dev->info.wps_sec_dev_type_list_len > WPS_SEC_DEV_TYPE_MAX_LEN) -+ dev->info.wps_sec_dev_type_list_len = WPS_SEC_DEV_TYPE_MAX_LEN; - os_memcpy(dev->info.wps_sec_dev_type_list, cli->sec_dev_types, - dev->info.wps_sec_dev_type_list_len); - } --- -2.29.2 - diff --git a/SOURCES/0001-dbus-Export-OWE-capability-and-OWE-BSS-key_mgmt.patch b/SOURCES/0001-dbus-Export-OWE-capability-and-OWE-BSS-key_mgmt.patch deleted file mode 100644 index 30a07e4..0000000 --- a/SOURCES/0001-dbus-Export-OWE-capability-and-OWE-BSS-key_mgmt.patch +++ /dev/null @@ -1,62 +0,0 @@ -From 7800725afb27397f7d6033d4969e2aeb61af4737 Mon Sep 17 00:00:00 2001 -Message-Id: <7800725afb27397f7d6033d4969e2aeb61af4737.1602780273.git.davide.caratti@gmail.com> -From: Beniamino Galvani -Date: Sun, 13 Oct 2019 15:18:54 +0200 -Subject: [PATCH] dbus: Export OWE capability and OWE BSS key_mgmt - -Export a new 'owe' capability to indicate that wpa_supplicant was -built with OWE support and accepts 'key_mgmt=OWE'. Also, support 'owe' -in the array of BSS' available key managements. - -Signed-off-by: Beniamino Galvani ---- - wpa_supplicant/dbus/dbus_new_handlers.c | 12 +++++++++--- - 1 file changed, 9 insertions(+), 3 deletions(-) - -diff --git a/wpa_supplicant/dbus/dbus_new_handlers.c b/wpa_supplicant/dbus/dbus_new_handlers.c -index d2c84e5c5..1206c3cde 100644 ---- a/wpa_supplicant/dbus/dbus_new_handlers.c -+++ b/wpa_supplicant/dbus/dbus_new_handlers.c -@@ -984,8 +984,7 @@ dbus_bool_t wpas_dbus_getter_global_capabilities( - const struct wpa_dbus_property_desc *property_desc, - DBusMessageIter *iter, DBusError *error, void *user_data) - { -- const char *capabilities[10] = { NULL, NULL, NULL, NULL, NULL, NULL, -- NULL, NULL, NULL, NULL }; -+ const char *capabilities[11]; - size_t num_items = 0; - #ifdef CONFIG_FILS - struct wpa_global *global = user_data; -@@ -1028,6 +1027,9 @@ dbus_bool_t wpas_dbus_getter_global_capabilities( - #ifdef CONFIG_SHA384 - capabilities[num_items++] = "sha384"; - #endif /* CONFIG_SHA384 */ -+#ifdef CONFIG_OWE -+ capabilities[num_items++] = "owe"; -+#endif /* CONFIG_OWE */ - - return wpas_dbus_simple_array_property_getter(iter, - DBUS_TYPE_STRING, -@@ -4491,7 +4493,7 @@ static dbus_bool_t wpas_dbus_get_bss_security_prop( - DBusMessageIter iter_dict, variant_iter; - const char *group; - const char *pairwise[5]; /* max 5 pairwise ciphers is supported */ -- const char *key_mgmt[15]; /* max 15 key managements may be supported */ -+ const char *key_mgmt[16]; /* max 16 key managements may be supported */ - int n; - - if (!dbus_message_iter_open_container(iter, DBUS_TYPE_VARIANT, -@@ -4544,6 +4546,10 @@ static dbus_bool_t wpas_dbus_get_bss_security_prop( - if (ie_data->key_mgmt & WPA_KEY_MGMT_FT_SAE) - key_mgmt[n++] = "ft-sae"; - #endif /* CONFIG_SAE */ -+#ifdef CONFIG_OWE -+ if (ie_data->key_mgmt & WPA_KEY_MGMT_OWE) -+ key_mgmt[n++] = "owe"; -+#endif /* CONFIG_OWE */ - if (ie_data->key_mgmt & WPA_KEY_MGMT_NONE) - key_mgmt[n++] = "wpa-none"; - --- -2.26.2 - diff --git a/SOURCES/0001-openssl-Disable-padding-after-initializing-the-ciphe.patch b/SOURCES/0001-openssl-Disable-padding-after-initializing-the-ciphe.patch deleted file mode 100644 index 3c1329d..0000000 --- a/SOURCES/0001-openssl-Disable-padding-after-initializing-the-ciphe.patch +++ /dev/null @@ -1,58 +0,0 @@ -From e2e9adc3d9b6bb9c433ebb6404ee439b42e91746 Mon Sep 17 00:00:00 2001 -Message-Id: -From: Davide Caratti -Date: Tue, 17 Aug 2021 10:58:53 +0200 -Subject: [PATCH] openssl: Disable padding after initializing the cipher suite - -according to OpenSSL documentation [1], EVP_CIPHER_CTX_set_padding() -should be called after EVP_EncryptInit_ex(), EVP_DecryptInit_ex(), or -EVP_CipherInit_ex(). Not doing this causes EVP_CIPHER_CTX_set_padding() -to return false on OpenSSL-3.0.0, resulting in the impossibility to -connect in many scenarios. Fix this changing the order of function calls -where needed. - -[1] https://www.openssl.org/docs/man1.1.1/man3/EVP_CIPHER_CTX_set_padding.html - -Reported-by: Vladimir Benes -Signed-off-by: Davide Caratti ---- - src/crypto/crypto_openssl.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c -index 9411cb9cf..4b87702e4 100644 ---- a/src/crypto/crypto_openssl.c -+++ b/src/crypto/crypto_openssl.c -@@ -248,8 +248,8 @@ int rc4_skip(const u8 *key, size_t keylen, size_t skip, - - ctx = EVP_CIPHER_CTX_new(); - if (!ctx || -- !EVP_CIPHER_CTX_set_padding(ctx, 0) || - !EVP_CipherInit_ex(ctx, EVP_rc4(), NULL, NULL, NULL, 1) || -+ !EVP_CIPHER_CTX_set_padding(ctx, 0) || - !EVP_CIPHER_CTX_set_key_length(ctx, keylen) || - !EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, 1)) - goto out; -@@ -709,8 +709,8 @@ struct crypto_cipher * crypto_cipher_init(enum crypto_cipher_alg alg, - } - - if (!(ctx->enc = EVP_CIPHER_CTX_new()) || -- !EVP_CIPHER_CTX_set_padding(ctx->enc, 0) || - !EVP_EncryptInit_ex(ctx->enc, cipher, NULL, NULL, NULL) || -+ !EVP_CIPHER_CTX_set_padding(ctx->enc, 0) || - !EVP_CIPHER_CTX_set_key_length(ctx->enc, key_len) || - !EVP_EncryptInit_ex(ctx->enc, NULL, NULL, key, iv)) { - if (ctx->enc) -@@ -720,8 +720,8 @@ struct crypto_cipher * crypto_cipher_init(enum crypto_cipher_alg alg, - } - - if (!(ctx->dec = EVP_CIPHER_CTX_new()) || -- !EVP_CIPHER_CTX_set_padding(ctx->dec, 0) || - !EVP_DecryptInit_ex(ctx->dec, cipher, NULL, NULL, NULL) || -+ !EVP_CIPHER_CTX_set_padding(ctx->dec, 0) || - !EVP_CIPHER_CTX_set_key_length(ctx->dec, key_len) || - !EVP_DecryptInit_ex(ctx->dec, NULL, NULL, key, iv)) { - EVP_CIPHER_CTX_free(ctx->enc); --- -2.31.1 - diff --git a/SOURCES/0001-openssl-Remove-deprecated-functions-from-des_encrypt.patch b/SOURCES/0001-openssl-Remove-deprecated-functions-from-des_encrypt.patch deleted file mode 100644 index 85f1a0a..0000000 --- a/SOURCES/0001-openssl-Remove-deprecated-functions-from-des_encrypt.patch +++ /dev/null @@ -1,68 +0,0 @@ -From d265dd2d965db3669d07caa69539beb8def0edb2 Mon Sep 17 00:00:00 2001 -Message-Id: -From: Davide Caratti -Date: Tue, 17 Aug 2021 10:58:54 +0200 -Subject: [PATCH] openssl: Remove deprecated functions from des_encrypt() - -NetworkManager-CI detected systematic failures on test scenarios using -MSCHAPv2 when wpa_supplicant uses OpenSSL-3.0.0. -The 'test_module_tests.py' script also fails, and the following log is -shown: - - 1627404013.761569: generate_nt_response failed - 1627404013.761582: ms_funcs: 1 error - -It seems that either DES_set_key() or DES_ecb_encrypt() changed their -semantic, but it doesn't make sense to fix them since their use has been -deprecated. Converting des_encrypt() to avoid use of deprecated -functions proved to fix the problem, and removed a couple of build -warnings at the same time. - -Reported-by: Vladimir Benes -Signed-off-by: Davide Caratti ---- - src/crypto/crypto_openssl.c | 21 +++++++++++++++------ - 1 file changed, 15 insertions(+), 6 deletions(-) - -diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c -index a4b1083bb..9411cb9cf 100644 ---- a/src/crypto/crypto_openssl.c -+++ b/src/crypto/crypto_openssl.c -@@ -206,8 +206,8 @@ int md4_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac) - int des_encrypt(const u8 *clear, const u8 *key, u8 *cypher) - { - u8 pkey[8], next, tmp; -- int i; -- DES_key_schedule ks; -+ int i, plen, ret = -1; -+ EVP_CIPHER_CTX *ctx; - - /* Add parity bits to the key */ - next = 0; -@@ -218,10 +218,19 @@ int des_encrypt(const u8 *clear, const u8 *key, u8 *cypher) - } - pkey[i] = next | 1; - -- DES_set_key((DES_cblock *) &pkey, &ks); -- DES_ecb_encrypt((DES_cblock *) clear, (DES_cblock *) cypher, &ks, -- DES_ENCRYPT); -- return 0; -+ ctx = EVP_CIPHER_CTX_new(); -+ if (ctx && -+ EVP_EncryptInit_ex(ctx, EVP_des_ecb(), NULL, pkey, NULL) == 1 && -+ EVP_CIPHER_CTX_set_padding(ctx, 0) == 1 && -+ EVP_EncryptUpdate(ctx, cypher, &plen, clear, 8) == 1 && -+ EVP_EncryptFinal_ex(ctx, &cypher[plen], &plen) == 1) -+ ret = 0; -+ else -+ wpa_printf(MSG_ERROR, "OpenSSL: DES encrypt failed"); -+ -+ if (ctx) -+ EVP_CIPHER_CTX_free(ctx); -+ return ret; - } - - --- -2.31.1 - diff --git a/SOURCES/0001-p2p-Limit-P2P_DEVICE-name-to-appropriate-ifname-size.patch b/SOURCES/0001-p2p-Limit-P2P_DEVICE-name-to-appropriate-ifname-size.patch deleted file mode 100644 index a29c513..0000000 --- a/SOURCES/0001-p2p-Limit-P2P_DEVICE-name-to-appropriate-ifname-size.patch +++ /dev/null @@ -1,30 +0,0 @@ -From d4348cbbdbdba5d045b5b389ba6ce97b74936f30 Mon Sep 17 00:00:00 2001 -From: Benjamin Berg -Date: Mon, 15 Jun 2020 16:17:43 +0200 -Subject: [PATCH] p2p: Limit P2P_DEVICE name to appropriate ifname size - -Otherwise the WPA_IF_P2P_DEVICE cannot be created. As this is not a -netdev device, it is acceptable if the name is not completely unique. As -such, simply insert a NUL byte at the appropriate place. ---- - wpa_supplicant/p2p_supplicant.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/wpa_supplicant/p2p_supplicant.c b/wpa_supplicant/p2p_supplicant.c -index e94bffe52..17c25889c 100644 ---- a/wpa_supplicant/p2p_supplicant.c -+++ b/wpa_supplicant/p2p_supplicant.c -@@ -3929,6 +3929,10 @@ int wpas_p2p_add_p2pdev_interface(struct wpa_supplicant *wpa_s, - wpa_s->ifname); - if (os_snprintf_error(sizeof(ifname), ret)) - return -1; -+ /* Cut length at the maximum size. Note that we don't need to ensure -+ * collision free names here as the created interface is not a netdev. -+ */ -+ ifname[IFNAMSIZ-1] = '\0'; - force_name[0] = '\0'; - wpa_s->pending_interface_type = WPA_IF_P2P_DEVICE; - ret = wpa_drv_if_add(wpa_s, WPA_IF_P2P_DEVICE, ifname, NULL, NULL, --- -2.26.2 - diff --git a/SOURCES/wpa_supplicant-config.patch b/SOURCES/wpa_supplicant-config.patch index 6eddd30..45456ff 100644 --- a/SOURCES/wpa_supplicant-config.patch +++ b/SOURCES/wpa_supplicant-config.patch @@ -9,15 +9,6 @@ Subject: [PATCH] defconfig: Fedora configuration --- a/wpa_supplicant/defconfig +++ b/wpa_supplicant/defconfig -@@ -77,7 +77,7 @@ CONFIG_DRIVER_WIRED=y - #CONFIG_DRIVER_MACSEC_QCA=y - - # Driver interface for Linux MACsec drivers --#CONFIG_DRIVER_MACSEC_LINUX=y -+CONFIG_DRIVER_MACSEC_LINUX=y - - # Driver interface for the Broadcom RoboSwitch family - #CONFIG_DRIVER_ROBOSWITCH=y @@ -146,7 +146,7 @@ CONFIG_EAP_PAX=y CONFIG_EAP_LEAP=y @@ -27,16 +18,7 @@ Subject: [PATCH] defconfig: Fedora configuration # EAP-AKA' (enable CONFIG_PCSC, if EAP-AKA' is used). # This requires CONFIG_EAP_AKA to be enabled, too. -@@ -183,7 +183,7 @@ CONFIG_EAP_IKEV2=y - #CONFIG_EAP_EKE=y - - # MACsec --#CONFIG_MACSEC=y -+CONFIG_MACSEC=y - - # PKCS#12 (PFX) support (used to read private key and certificate file from - # a file that usually has extension .p12 or .pfx) -@@ -342,6 +342,7 @@ CONFIG_IEEE80211W=y +@@ -338,6 +338,7 @@ CONFIG_BACKEND=file # Select which ciphers to use by default with OpenSSL if the user does not # specify them. #CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW" @@ -44,25 +26,16 @@ Subject: [PATCH] defconfig: Fedora configuration # If CONFIG_TLS=internal is used, additional library and include paths are # needed for LibTomMath. Alternatively, an integrated, minimal version of -@@ -473,7 +474,7 @@ CONFIG_DEBUG_SYSLOG=y +@@ -469,7 +470,7 @@ CONFIG_DEBUG_SYSLOG=y # Should we attempt to use the getrandom(2) call that provides more reliable # yet secure randomness source than /dev/random on Linux 3.17 and newer. # Requires glibc 2.25 to build, falls back to /dev/random if unavailable. -#CONFIG_GETRANDOM=y +CONFIG_GETRANDOM=y - # IEEE 802.11n (High Throughput) support (mainly for AP mode) - CONFIG_IEEE80211N=y -@@ -514,7 +515,7 @@ CONFIG_AP=y - CONFIG_P2P=y - - # Enable TDLS support --#CONFIG_TDLS=y -+CONFIG_TDLS=y - - # Wi-Fi Display - # This can be used to enable Wi-Fi Display extensions for P2P using an external -@@ -593,7 +594,7 @@ CONFIG_IBSS_RSN=y + # IEEE 802.11ac (Very High Throughput) support (mainly for AP mode) + CONFIG_IEEE80211AC=y +@@ -587,7 +588,7 @@ CONFIG_IBSS_RSN=y #CONFIG_PMKSA_CACHE_EXTERNAL=y # Mesh Networking (IEEE 802.11s) @@ -71,7 +44,7 @@ Subject: [PATCH] defconfig: Fedora configuration # Background scanning modules # These can be used to request wpa_supplicant to perform background scanning -@@ -607,9 +608,10 @@ CONFIG_BGSCAN_SIMPLE=y +@@ -601,7 +602,7 @@ CONFIG_BGSCAN_SIMPLE=y # Opportunistic Wireless Encryption (OWE) # Experimental implementation of draft-harkins-owe-07.txt @@ -79,7 +52,11 @@ Subject: [PATCH] defconfig: Fedora configuration +CONFIG_OWE=y # Device Provisioning Protocol (DPP) - # This requires CONFIG_IEEE80211W=y to be enabled, too. (see - # wpa_supplicant/README-DPP for details) CONFIG_DPP=y +@@ -628,3 +629,6 @@ CONFIG_DPP=y + # design is still subject to change. As such, this should not yet be enabled in + # production use. + #CONFIG_PASN=y ++# +CONFIG_SUITEB192=y ++ diff --git a/SOURCES/wpa_supplicant-flush-debug-output.patch b/SOURCES/wpa_supplicant-flush-debug-output.patch index a686851..f2295bc 100644 --- a/SOURCES/wpa_supplicant-flush-debug-output.patch +++ b/SOURCES/wpa_supplicant-flush-debug-output.patch @@ -1,49 +1,35 @@ ---- wpa_supplicant-0.6.3/src/utils/wpa_debug.c.flush-debug 2007-07-30 23:15:34.000000000 -0400 -+++ wpa_supplicant-0.6.3/src/utils/wpa_debug.c 2007-07-30 23:17:06.000000000 -0400 -@@ -157,6 +157,7 @@ void wpa_debug_print_timestamp(void) - if (out_file) { +--- a/src/utils/wpa_debug.c ++++ b/src/utils/wpa_debug.c +@@ -79,6 +79,7 @@ void wpa_debug_print_timestamp(void) + if (out_file) fprintf(out_file, "%ld.%06u: ", (long) tv.sec, (unsigned int) tv.usec); -+ fflush(out_file); - } else ++ fflush(out_file); #endif /* CONFIG_DEBUG_FILE */ - printf("%ld.%06u: ", (long) tv.sec, (unsigned int) tv.usec); -@@ -185,6 +186,7 @@ void wpa_printf(int level, char *fmt, .. - if (out_file) { + if (!out_file && !wpa_debug_syslog) + printf("%ld.%06u: ", (long) tv.sec, (unsigned int) tv.usec); +@@ -230,6 +231,7 @@ void wpa_printf(int level, const char *f + va_start(ap, fmt); vfprintf(out_file, fmt, ap); fprintf(out_file, "\n"); + fflush(out_file); - } else { + va_end(ap); + } #endif /* CONFIG_DEBUG_FILE */ - vprintf(fmt, ap); -@@ -217,6 +219,7 @@ static void _wpa_hexdump(int level, cons +@@ -365,6 +367,7 @@ static void _wpa_hexdump(int level, cons fprintf(out_file, " [REMOVED]"); } fprintf(out_file, "\n"); + fflush(out_file); - } else { + } #endif /* CONFIG_DEBUG_FILE */ - printf("%s - hexdump(len=%lu):", title, (unsigned long) len); -@@ -262,12 +265,14 @@ static void _wpa_hexdump_ascii(int level - fprintf(out_file, - "%s - hexdump_ascii(len=%lu): [REMOVED]\n", - title, (unsigned long) len); -+ fflush(out_file); - return; - } - if (buf == NULL) { - fprintf(out_file, - "%s - hexdump_ascii(len=%lu): [NULL]\n", - title, (unsigned long) len); -+ fflush(out_file); - return; - } - fprintf(out_file, "%s - hexdump_ascii(len=%lu):\n", -@@ -292,6 +297,7 @@ static void _wpa_hexdump_ascii(int level - pos += llen; - len -= llen; + if (!wpa_debug_syslog && !out_file) { +@@ -468,6 +471,8 @@ static void _wpa_hexdump_ascii(int level } + } + file_done: ++ if (out_file) + fflush(out_file); - } else { #endif /* CONFIG_DEBUG_FILE */ - if (!show) { + if (!wpa_debug_syslog && !out_file) { + if (!show) { diff --git a/SOURCES/wpa_supplicant-gui-qt4.patch b/SOURCES/wpa_supplicant-gui-qt4.patch index c54cd9a..7acca1e 100644 --- a/SOURCES/wpa_supplicant-gui-qt4.patch +++ b/SOURCES/wpa_supplicant-gui-qt4.patch @@ -9,12 +9,10 @@ different locations. wpa_supplicant/Makefile | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) -diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile -index ad9ead9..b19676d 100644 --- a/wpa_supplicant/Makefile +++ b/wpa_supplicant/Makefile -@@ -11,6 +11,9 @@ export INCDIR ?= /usr/local/include/ - export BINDIR ?= /usr/local/sbin/ +@@ -35,6 +35,9 @@ export INCDIR ?= /usr/local/include + export BINDIR ?= /usr/local/sbin PKG_CONFIG ?= pkg-config +QMAKE ?= qmake @@ -23,7 +21,7 @@ index ad9ead9..b19676d 100644 CFLAGS += $(EXTRA_CFLAGS) CFLAGS += -I$(abspath ../src) CFLAGS += -I$(abspath ../src/utils) -@@ -1787,10 +1790,10 @@ wpa_gui: +@@ -2039,10 +2042,10 @@ wpa_gui: @echo "wpa_gui has been removed - see wpa_gui-qt4 for replacement" wpa_gui-qt4/Makefile: @@ -36,6 +34,3 @@ index ad9ead9..b19676d 100644 wpa_gui-qt4: wpa_gui-qt4/Makefile wpa_gui-qt4/lang/wpa_gui_de.qm $(MAKE) -C wpa_gui-qt4 --- -2.6.2 - diff --git a/SPECS/wpa_supplicant.spec b/SPECS/wpa_supplicant.spec index 7b4b169..f59f7c2 100644 --- a/SPECS/wpa_supplicant.spec +++ b/SPECS/wpa_supplicant.spec @@ -1,3 +1,8 @@ +%global gitdate 20211112 +%global gitcommit c8b94bc7b347dac0422d32a3e330d4425d898906 +%global gitshortcommit %(c=%{gitcommit}; echo ${c:0:12}) +%global snapshot .%{gitdate}.git%{gitshortcommit} + %global _hardened_build 1 %if 0%{?fedora} %bcond_without gui @@ -9,9 +14,9 @@ Summary: WPA/WPA2/IEEE 802.1X Supplicant Name: wpa_supplicant Epoch: 1 Version: 2.9 -Release: 17%{?dist} +Release: 17%{snapshot}%{?dist} License: BSD -Source0: http://w1.fi/releases/%{name}-%{version}.tar.gz +Source0: http://w1.fi/releases/%{name}-%{version}%{snapshot}.tar.gz Source1: wpa_supplicant.conf Source2: wpa_supplicant.service Source3: wpa_supplicant.sysconfig @@ -29,32 +34,6 @@ Patch2: wpa_supplicant-flush-debug-output.patch Patch3: wpa_supplicant-quiet-scan-results-message.patch # distro specific customization for Qt4 build tools, not suitable for upstream Patch4: wpa_supplicant-gui-qt4.patch -# fix AP mode PMF disconnection protection bypass -Patch5: 0001-AP-Silently-ignore-management-frame-from-unexpected-.patch - -# fix some issues with P2P operation -Patch6: 0001-P2P-Always-use-global-p2p_long_listen.patch -Patch7: 0001-D-Bus-Fix-P2P-NULL-dereference-after-interface-remov.patch -Patch8: 0001-p2p-Limit-P2P_DEVICE-name-to-appropriate-ifname-size.patch - -#fix for bz1915236 -Patch9: 0001-D-Bus-Allow-changing-an-interface-bridge-via-D-Bus.patch - -#expose OWE capability in D-Bus -Patch10: 0001-dbus-Export-OWE-capability-and-OWE-BSS-key_mgmt.patch - -#fix for CVE-2021-0326 -Patch11: 0001-P2P-Fix-copying-of-secondary-device-types-for-P2P-gr.patch - -#fix for CVE-2021-27803 -Patch12: 0001-P2P-Fix-a-corner-case-in-peer-addition-based-on-PD-R.patch - -#fix for bz1975718 -Patch13: 0001-OpenSSL-Allow-systemwide-secpolicy-overrides-for-TLS.patch -Patch14: 0001-EAP-TTLS-PEAP-peer-Fix-failure-when-using-session-ti.patch -Patch15: 0001-openssl-Disable-padding-after-initializing-the-ciphe.patch -Patch16: 0001-openssl-Remove-deprecated-functions-from-des_encrypt.patch - URL: http://w1.fi/wpa_supplicant/ @@ -98,7 +77,7 @@ Graphical User Interface for wpa_supplicant written using QT %prep -%autosetup -p1 +%autosetup -p1 -n %{name}-%{version}%{snapshot} %build @@ -215,6 +194,10 @@ chmod -R 0644 wpa_supplicant/examples/*.py %changelog +* Mon Nov 22 2021 Davide Caratti - 1:2.9-17.20211112gitc8b94bc7b347 +- Update to latest upstream tree to include support for H2E + Resolves: rhbz#2007334 + * Thu Aug 19 2021 Davide Caratti - 1:2.9-17 - Fix NetworkManager-CI failures with OpenSSL 3.0