diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..1111241 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/wpa_supplicant-2.9.tar.gz diff --git a/.wpa_supplicant.metadata b/.wpa_supplicant.metadata new file mode 100644 index 0000000..47c5168 --- /dev/null +++ b/.wpa_supplicant.metadata @@ -0,0 +1 @@ +b784c0e5e56889c81d027757a4623659bf15f9a8 SOURCES/wpa_supplicant-2.9.tar.gz diff --git a/SOURCES/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch b/SOURCES/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch new file mode 100644 index 0000000..d764a9d --- /dev/null +++ b/SOURCES/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch @@ -0,0 +1,73 @@ +From 8c07fa9eda13e835f3f968b2e1c9a8be3a851ff9 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Thu, 29 Aug 2019 11:52:04 +0300 +Subject: [PATCH] AP: Silently ignore management frame from unexpected source + address + +Do not process any received Management frames with unexpected/invalid SA +so that we do not add any state for unexpected STA addresses or end up +sending out frames to unexpected destination. This prevents unexpected +sequences where an unprotected frame might end up causing the AP to send +out a response to another device and that other device processing the +unexpected response. + +In particular, this prevents some potential denial of service cases +where the unexpected response frame from the AP might result in a +connected station dropping its association. + +Signed-off-by: Jouni Malinen +--- + src/ap/drv_callbacks.c | 13 +++++++++++++ + src/ap/ieee802_11.c | 12 ++++++++++++ + 2 files changed, 25 insertions(+) + +diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c +index 31587685fe3b..34ca379edc3d 100644 +--- a/src/ap/drv_callbacks.c ++++ b/src/ap/drv_callbacks.c +@@ -131,6 +131,19 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr, + "hostapd_notif_assoc: Skip event with no address"); + return -1; + } ++ ++ if (is_multicast_ether_addr(addr) || ++ is_zero_ether_addr(addr) || ++ os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) { ++ /* Do not process any frames with unexpected/invalid SA so that ++ * we do not add any state for unexpected STA addresses or end ++ * up sending out frames to unexpected destination. */ ++ wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR ++ " in received indication - ignore this indication silently", ++ __func__, MAC2STR(addr)); ++ return 0; ++ } ++ + random_add_randomness(addr, ETH_ALEN); + + hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211, +diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c +index c85a28db44b7..e7065372e158 100644 +--- a/src/ap/ieee802_11.c ++++ b/src/ap/ieee802_11.c +@@ -4626,6 +4626,18 @@ int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len, + fc = le_to_host16(mgmt->frame_control); + stype = WLAN_FC_GET_STYPE(fc); + ++ if (is_multicast_ether_addr(mgmt->sa) || ++ is_zero_ether_addr(mgmt->sa) || ++ os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) { ++ /* Do not process any frames with unexpected/invalid SA so that ++ * we do not add any state for unexpected STA addresses or end ++ * up sending out frames to unexpected destination. */ ++ wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR ++ " in received frame - ignore this frame silently", ++ MAC2STR(mgmt->sa)); ++ return 0; ++ } ++ + if (stype == WLAN_FC_STYPE_BEACON) { + handle_beacon(hapd, mgmt, len, fi); + return 1; +-- +2.20.1 + diff --git a/SOURCES/0001-D-Bus-Allow-changing-an-interface-bridge-via-D-Bus.patch b/SOURCES/0001-D-Bus-Allow-changing-an-interface-bridge-via-D-Bus.patch new file mode 100644 index 0000000..4da577e --- /dev/null +++ b/SOURCES/0001-D-Bus-Allow-changing-an-interface-bridge-via-D-Bus.patch @@ -0,0 +1,200 @@ +From 1c58317f56e312576b6872440f125f794e45f991 Mon Sep 17 00:00:00 2001 +Message-Id: <1c58317f56e312576b6872440f125f794e45f991.1602774933.git.davide.caratti@gmail.com> +From: Beniamino Galvani +Date: Wed, 30 Sep 2020 18:34:36 +0200 +Subject: [PATCH] D-Bus: Allow changing an interface bridge via D-Bus + +D-Bus clients can call CreateInterface() once and use the resulting +Interface object to connect multiple times to different networks. + +However, if the network interface gets added to a bridge, clients +currently have to remove the Interface object and create a new one. + +Improve this by supporting the change of the BridgeIfname property of +an existing Interface object. + +Signed-off-by: Beniamino Galvani +--- + src/rsn_supp/tdls.c | 5 +++ + wpa_supplicant/dbus/dbus_new.c | 2 +- + wpa_supplicant/dbus/dbus_new_handlers.c | 37 ++++++++++++++++ + wpa_supplicant/dbus/dbus_new_handlers.h | 1 + + wpa_supplicant/wpa_supplicant.c | 59 +++++++++++++++++++++++++ + wpa_supplicant/wpa_supplicant_i.h | 2 + + 6 files changed, 105 insertions(+), 1 deletion(-) + +diff --git a/src/rsn_supp/tdls.c b/src/rsn_supp/tdls.c +index 7b47e3ac5..eff8cd829 100644 +--- a/src/rsn_supp/tdls.c ++++ b/src/rsn_supp/tdls.c +@@ -2807,6 +2807,11 @@ int wpa_tdls_init(struct wpa_sm *sm) + if (sm == NULL) + return -1; + ++ if (sm->l2_tdls) { ++ l2_packet_deinit(sm->l2_tdls); ++ sm->l2_tdls = NULL; ++ } ++ + sm->l2_tdls = l2_packet_init(sm->bridge_ifname ? sm->bridge_ifname : + sm->ifname, + sm->own_addr, +diff --git a/wpa_supplicant/dbus/dbus_new.c b/wpa_supplicant/dbus/dbus_new.c +index 793a881ef..ab7628f87 100644 +--- a/wpa_supplicant/dbus/dbus_new.c ++++ b/wpa_supplicant/dbus/dbus_new.c +@@ -3613,7 +3613,7 @@ static const struct wpa_dbus_property_desc wpas_dbus_interface_properties[] = { + }, + { "BridgeIfname", WPAS_DBUS_NEW_IFACE_INTERFACE, "s", + wpas_dbus_getter_bridge_ifname, +- NULL, ++ wpas_dbus_setter_bridge_ifname, + NULL + }, + { "ConfigFile", WPAS_DBUS_NEW_IFACE_INTERFACE, "s", +diff --git a/wpa_supplicant/dbus/dbus_new_handlers.c b/wpa_supplicant/dbus/dbus_new_handlers.c +index 34abab752..2cfc87fa8 100644 +--- a/wpa_supplicant/dbus/dbus_new_handlers.c ++++ b/wpa_supplicant/dbus/dbus_new_handlers.c +@@ -3635,6 +3635,43 @@ dbus_bool_t wpas_dbus_getter_bridge_ifname( + } + + ++dbus_bool_t wpas_dbus_setter_bridge_ifname( ++ const struct wpa_dbus_property_desc *property_desc, ++ DBusMessageIter *iter, DBusError *error, void *user_data) ++{ ++ struct wpa_supplicant *wpa_s = user_data; ++ const char *bridge_ifname = NULL; ++ const char *msg; ++ int r; ++ ++ if (!wpas_dbus_simple_property_setter(iter, error, DBUS_TYPE_STRING, ++ &bridge_ifname)) ++ return FALSE; ++ ++ r = wpa_supplicant_update_bridge_ifname(wpa_s, bridge_ifname); ++ if (r != 0) { ++ switch (r) { ++ case -EINVAL: ++ msg = "invalid interface name"; ++ break; ++ case -EBUSY: ++ msg = "interface is busy"; ++ break; ++ case -EIO: ++ msg = "socket error"; ++ break; ++ default: ++ msg = "unknown error"; ++ break; ++ } ++ dbus_set_error_const(error, DBUS_ERROR_FAILED, msg); ++ return FALSE; ++ } ++ ++ return TRUE; ++} ++ ++ + /** + * wpas_dbus_getter_config_file - Get interface configuration file path + * @iter: Pointer to incoming dbus message iter +diff --git a/wpa_supplicant/dbus/dbus_new_handlers.h b/wpa_supplicant/dbus/dbus_new_handlers.h +index afa26efed..d528c0816 100644 +--- a/wpa_supplicant/dbus/dbus_new_handlers.h ++++ b/wpa_supplicant/dbus/dbus_new_handlers.h +@@ -167,6 +167,7 @@ DECLARE_ACCESSOR(wpas_dbus_setter_scan_interval); + DECLARE_ACCESSOR(wpas_dbus_getter_ifname); + DECLARE_ACCESSOR(wpas_dbus_getter_driver); + DECLARE_ACCESSOR(wpas_dbus_getter_bridge_ifname); ++DECLARE_ACCESSOR(wpas_dbus_setter_bridge_ifname); + DECLARE_ACCESSOR(wpas_dbus_getter_config_file); + DECLARE_ACCESSOR(wpas_dbus_getter_current_bss); + DECLARE_ACCESSOR(wpas_dbus_getter_current_network); +diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c +index 39e92fb68..a7e9e459e 100644 +--- a/wpa_supplicant/wpa_supplicant.c ++++ b/wpa_supplicant/wpa_supplicant.c +@@ -4906,6 +4906,65 @@ static void wpa_supplicant_rx_eapol_bridge(void *ctx, const u8 *src_addr, + } + + ++int wpa_supplicant_update_bridge_ifname(struct wpa_supplicant *wpa_s, ++ const char *bridge_ifname) ++{ ++ if (wpa_s->wpa_state > WPA_SCANNING) ++ return -EBUSY; ++ ++ if (bridge_ifname && ++ os_strlen(bridge_ifname) >= sizeof(wpa_s->bridge_ifname)) ++ return -EINVAL; ++ ++ if (!bridge_ifname) ++ bridge_ifname = ""; ++ ++ if (os_strcmp(wpa_s->bridge_ifname, bridge_ifname) == 0) ++ return 0; ++ ++ if (wpa_s->l2_br) { ++ l2_packet_deinit(wpa_s->l2_br); ++ wpa_s->l2_br = NULL; ++ } ++ ++ os_strlcpy(wpa_s->bridge_ifname, bridge_ifname, ++ sizeof(wpa_s->bridge_ifname)); ++ ++ if (wpa_s->bridge_ifname[0]) { ++ wpa_dbg(wpa_s, MSG_DEBUG, ++ "Receiving packets from bridge interface '%s'", ++ wpa_s->bridge_ifname); ++ wpa_s->l2_br = l2_packet_init_bridge( ++ wpa_s->bridge_ifname, wpa_s->ifname, wpa_s->own_addr, ++ ETH_P_EAPOL, wpa_supplicant_rx_eapol_bridge, wpa_s, 1); ++ if (!wpa_s->l2_br) { ++ wpa_msg(wpa_s, MSG_ERROR, ++ "Failed to open l2_packet connection for the bridge interface '%s'", ++ wpa_s->bridge_ifname); ++ goto fail; ++ } ++ } ++ ++#ifdef CONFIG_TDLS ++ if (!wpa_s->p2p_mgmt && wpa_tdls_init(wpa_s->wpa)) ++ goto fail; ++#endif /* CONFIG_TDLS */ ++ ++ return 0; ++fail: ++ wpa_s->bridge_ifname[0] = 0; ++ if (wpa_s->l2_br) { ++ l2_packet_deinit(wpa_s->l2_br); ++ wpa_s->l2_br = NULL; ++ } ++#ifdef CONFIG_TDLS ++ if (!wpa_s->p2p_mgmt) ++ wpa_tdls_init(wpa_s->wpa); ++#endif /* CONFIG_TDLS */ ++ return -EIO; ++} ++ ++ + /** + * wpa_supplicant_driver_init - Initialize driver interface parameters + * @wpa_s: Pointer to wpa_supplicant data +diff --git a/wpa_supplicant/wpa_supplicant_i.h b/wpa_supplicant/wpa_supplicant_i.h +index 31a9b7427..eac3491cc 100644 +--- a/wpa_supplicant/wpa_supplicant_i.h ++++ b/wpa_supplicant/wpa_supplicant_i.h +@@ -1351,6 +1351,8 @@ int wpa_supplicant_reload_configuration(struct wpa_supplicant *wpa_s); + const char * wpa_supplicant_state_txt(enum wpa_states state); + int wpa_supplicant_update_mac_addr(struct wpa_supplicant *wpa_s); + int wpa_supplicant_driver_init(struct wpa_supplicant *wpa_s); ++int wpa_supplicant_update_bridge_ifname(struct wpa_supplicant *wpa_s, ++ const char *bridge_ifname); + int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s, + struct wpa_bss *bss, struct wpa_ssid *ssid, + u8 *wpa_ie, size_t *wpa_ie_len); +-- +2.26.2 + diff --git a/SOURCES/0001-D-Bus-Fix-P2P-NULL-dereference-after-interface-remov.patch b/SOURCES/0001-D-Bus-Fix-P2P-NULL-dereference-after-interface-remov.patch new file mode 100644 index 0000000..277d1a2 --- /dev/null +++ b/SOURCES/0001-D-Bus-Fix-P2P-NULL-dereference-after-interface-remov.patch @@ -0,0 +1,209 @@ +From b2ad4e6b24ed0271ca76cb27856def0a701fb778 Mon Sep 17 00:00:00 2001 +From: Davide Caratti +Date: Wed, 2 Oct 2019 14:08:41 +0200 +Subject: [PATCH] D-Bus: Fix P2P NULL dereference after interface removal + +When the P2P management interface is deleted, P2P is then disabled and +global->p2p_init_wpa_s is set to NULL. After that, other interfaces can +still trigger P2P functions (like wpas_p2p_find()) using D-Bus. This +makes wpa_supplicant terminate with SIGSEGV, because it dereferences a +NULL pointer. Fix this by adding proper checks, like it's done with +wpa_cli. + +CC: Beniamino Galvani +CC: Benjamin Berg +Reported-by: Vladimir Benes +Signed-off-by: Davide Caratti +--- + wpa_supplicant/dbus/dbus_new_handlers_p2p.c | 69 ++++++++++++++++++++- + 1 file changed, 67 insertions(+), 2 deletions(-) + +diff --git a/wpa_supplicant/dbus/dbus_new_handlers_p2p.c b/wpa_supplicant/dbus/dbus_new_handlers_p2p.c +index 8cdd88564..19715eb4c 100644 +--- a/wpa_supplicant/dbus/dbus_new_handlers_p2p.c ++++ b/wpa_supplicant/dbus/dbus_new_handlers_p2p.c +@@ -40,6 +40,14 @@ static int wpas_dbus_validate_dbus_ipaddr(struct wpa_dbus_dict_entry entry) + } + + ++static dbus_bool_t no_p2p_mgmt_interface(DBusError *error) ++{ ++ dbus_set_error_const(error, WPAS_DBUS_ERROR_IFACE_UNKNOWN, ++ "Could not find P2P mgmt interface"); ++ return FALSE; ++} ++ ++ + /** + * Parses out the mac address from the peer object path. + * @peer_path - object path of the form +@@ -78,6 +86,22 @@ wpas_dbus_error_persistent_group_unknown(DBusMessage *message) + } + + ++/** ++ * wpas_dbus_error_no_p2p_mgmt_iface - Return a new InterfaceUnknown error ++ * message ++ * @message: Pointer to incoming dbus message this error refers to ++ * Returns: a dbus error message ++ * ++ * Convenience function to create and return an unknown interface error. ++ */ ++static DBusMessage * wpas_dbus_error_no_p2p_mgmt_iface(DBusMessage *message) ++{ ++ wpa_printf(MSG_DEBUG, "dbus: Could not find P2P mgmt interface"); ++ return dbus_message_new_error(message, WPAS_DBUS_ERROR_IFACE_UNKNOWN, ++ "Could not find P2P mgmt interface"); ++} ++ ++ + DBusMessage * wpas_dbus_handler_p2p_find(DBusMessage *message, + struct wpa_supplicant *wpa_s) + { +@@ -145,6 +169,10 @@ DBusMessage * wpas_dbus_handler_p2p_find(DBusMessage *message, + } + + wpa_s = wpa_s->global->p2p_init_wpa_s; ++ if (!wpa_s) { ++ reply = wpas_dbus_error_no_p2p_mgmt_iface(message); ++ goto error_nop2p; ++ } + + if (wpas_p2p_find(wpa_s, timeout, type, num_req_dev_types, + req_dev_types, NULL, 0, 0, NULL, freq)) +@@ -157,8 +185,9 @@ DBusMessage * wpas_dbus_handler_p2p_find(DBusMessage *message, + error_clear: + wpa_dbus_dict_entry_clear(&entry); + error: +- os_free(req_dev_types); + reply = wpas_dbus_error_invalid_args(message, entry.key); ++error_nop2p: ++ os_free(req_dev_types); + return reply; + } + +@@ -166,7 +195,9 @@ error: + DBusMessage * wpas_dbus_handler_p2p_stop_find(DBusMessage *message, + struct wpa_supplicant *wpa_s) + { +- wpas_p2p_stop_find(wpa_s->global->p2p_init_wpa_s); ++ wpa_s = wpa_s->global->p2p_init_wpa_s; ++ if (wpa_s) ++ wpas_p2p_stop_find(wpa_s); + return NULL; + } + +@@ -185,6 +216,8 @@ DBusMessage * wpas_dbus_handler_p2p_rejectpeer(DBusMessage *message, + return wpas_dbus_error_invalid_args(message, NULL); + + wpa_s = wpa_s->global->p2p_init_wpa_s; ++ if (!wpa_s) ++ return wpas_dbus_error_no_p2p_mgmt_iface(message); + + if (wpas_p2p_reject(wpa_s, peer_addr) < 0) + return wpas_dbus_error_unknown_error(message, +@@ -204,6 +237,8 @@ DBusMessage * wpas_dbus_handler_p2p_listen(DBusMessage *message, + return wpas_dbus_error_no_memory(message); + + wpa_s = wpa_s->global->p2p_init_wpa_s; ++ if (!wpa_s) ++ return wpas_dbus_error_no_p2p_mgmt_iface(message); + + if (wpas_p2p_listen(wpa_s, (unsigned int) timeout)) { + return dbus_message_new_error(message, +@@ -245,6 +280,8 @@ DBusMessage * wpas_dbus_handler_p2p_extendedlisten( + } + + wpa_s = wpa_s->global->p2p_init_wpa_s; ++ if (!wpa_s) ++ return wpas_dbus_error_no_p2p_mgmt_iface(message); + + if (wpas_p2p_ext_listen(wpa_s, period, interval)) + return wpas_dbus_error_unknown_error( +@@ -350,6 +387,10 @@ DBusMessage * wpas_dbus_handler_p2p_group_add(DBusMessage *message, + } + + wpa_s = wpa_s->global->p2p_init_wpa_s; ++ if (!wpa_s) { ++ reply = wpas_dbus_error_no_p2p_mgmt_iface(message); ++ goto out; ++ } + + if (pg_object_path != NULL) { + char *net_id_str; +@@ -433,6 +474,12 @@ static dbus_bool_t wpa_dbus_p2p_check_enabled(struct wpa_supplicant *wpa_s, + "P2P is not available for this interface"); + return FALSE; + } ++ if (!wpa_s->global->p2p_init_wpa_s) { ++ if (out_reply) ++ *out_reply = wpas_dbus_error_no_p2p_mgmt_iface( ++ message); ++ return no_p2p_mgmt_interface(error); ++ } + return TRUE; + } + +@@ -822,6 +869,8 @@ DBusMessage * wpas_dbus_handler_p2p_prov_disc_req(DBusMessage *message, + return wpas_dbus_error_invalid_args(message, NULL); + + wpa_s = wpa_s->global->p2p_init_wpa_s; ++ if (!wpa_s) ++ return wpas_dbus_error_no_p2p_mgmt_iface(message); + + if (wpas_p2p_prov_disc(wpa_s, peer_addr, config_method, + WPAS_P2P_PD_FOR_GO_NEG, NULL) < 0) +@@ -1882,6 +1931,8 @@ dbus_bool_t wpas_dbus_getter_p2p_peer_groups( + + wpa_s = peer_args->wpa_s; + wpa_s = wpa_s->global->p2p_init_wpa_s; ++ if (!wpa_s) ++ return no_p2p_mgmt_interface(error); + + wpa_s_go = wpas_get_p2p_client_iface(wpa_s, info->p2p_device_addr); + if (wpa_s_go) { +@@ -1963,6 +2014,9 @@ dbus_bool_t wpas_dbus_getter_persistent_groups( + dbus_bool_t success = FALSE; + + wpa_s = wpa_s->global->p2p_init_wpa_s; ++ if (!wpa_s) ++ return no_p2p_mgmt_interface(error); ++ + if (!wpa_s->parent->dbus_new_path) + return FALSE; + +@@ -2077,6 +2131,11 @@ DBusMessage * wpas_dbus_handler_add_persistent_group( + dbus_message_iter_init(message, &iter); + + wpa_s = wpa_s->global->p2p_init_wpa_s; ++ if (!wpa_s) { ++ reply = wpas_dbus_error_no_p2p_mgmt_iface(message); ++ goto err; ++ } ++ + if (wpa_s->parent->dbus_new_path) + ssid = wpa_config_add_network(wpa_s->conf); + if (ssid == NULL) { +@@ -2159,6 +2218,10 @@ DBusMessage * wpas_dbus_handler_remove_persistent_group( + DBUS_TYPE_INVALID); + + wpa_s = wpa_s->global->p2p_init_wpa_s; ++ if (!wpa_s) { ++ reply = wpas_dbus_error_no_p2p_mgmt_iface(message); ++ goto out; ++ } + + /* + * Extract the network ID and ensure the network is actually a child of +@@ -2235,6 +2298,8 @@ DBusMessage * wpas_dbus_handler_remove_all_persistent_groups( + struct wpa_config *config; + + wpa_s = wpa_s->global->p2p_init_wpa_s; ++ if (!wpa_s) ++ return wpas_dbus_error_no_p2p_mgmt_iface(message); + + config = wpa_s->conf; + ssid = config->ssid; +-- +2.26.2 + diff --git a/SOURCES/0001-EAP-TTLS-PEAP-peer-Fix-failure-when-using-session-ti.patch b/SOURCES/0001-EAP-TTLS-PEAP-peer-Fix-failure-when-using-session-ti.patch new file mode 100644 index 0000000..0e94b20 --- /dev/null +++ b/SOURCES/0001-EAP-TTLS-PEAP-peer-Fix-failure-when-using-session-ti.patch @@ -0,0 +1,110 @@ +From 872609c15110d32ee2d306aeeeffdd4e42ef6fc6 Mon Sep 17 00:00:00 2001 +Message-Id: <872609c15110d32ee2d306aeeeffdd4e42ef6fc6.1627507211.git.davide.caratti@gmail.com> +From: Alexander Clouter +Date: Fri, 16 Oct 2020 09:49:36 +0100 +Subject: [PATCH] EAP-TTLS/PEAP peer: Fix failure when using session tickets + under TLS 1.3 + +EAP peer does not expect data present when beginning the Phase 2 in +EAP-{TTLS,PEAP} but in TLS 1.3 session tickets are sent after the +handshake completes. + +There are several strategies that can be used to handle this, but this +patch picks up from the discussion[1] and implements the proposed use of +SSL_MODE_AUTO_RETRY. SSL_MODE_AUTO_RETRY has already been enabled by +default in OpenSSL 1.1.1, but it needs to be enabled for older versions. + +The main OpenSSL wrapper change in tls_connection_decrypt() takes care +of the new possible case with SSL_MODE_AUTO_RETRY for +SSL_ERROR_WANT_READ to indicate that a non-application_data was +processed. That is not really an error case with TLS 1.3, so allow it to +complete and return an empty decrypted application data buffer. +EAP-PEAP/TTLS processing can then use this to move ahead with starting +Phase 2. + +[1] https://www.spinics.net/lists/hostap/msg05376.html + +Signed-off-by: Alexander Clouter +--- + src/crypto/tls_openssl.c | 18 ++++++++++++++---- + src/eap_peer/eap_peap.c | 4 ++++ + src/eap_peer/eap_ttls.c | 5 +++++ + 3 files changed, 23 insertions(+), 4 deletions(-) + +diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c +index ef872c50e..345a35ee1 100644 +--- a/src/crypto/tls_openssl.c ++++ b/src/crypto/tls_openssl.c +@@ -1045,6 +1045,8 @@ void * tls_init(const struct tls_config *conf) + SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv2); + SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv3); + ++ SSL_CTX_set_mode(ssl, SSL_MODE_AUTO_RETRY); ++ + #ifdef SSL_MODE_NO_AUTO_CHAIN + /* Number of deployed use cases assume the default OpenSSL behavior of + * auto chaining the local certificate is in use. BoringSSL removed this +@@ -4543,10 +4545,18 @@ struct wpabuf * tls_connection_decrypt(void *tls_ctx, + return NULL; + res = SSL_read(conn->ssl, wpabuf_mhead(buf), wpabuf_size(buf)); + if (res < 0) { +- tls_show_errors(MSG_INFO, __func__, +- "Decryption failed - SSL_read"); +- wpabuf_free(buf); +- return NULL; ++ int err = SSL_get_error(conn->ssl, res); ++ ++ if (err == SSL_ERROR_WANT_READ) { ++ wpa_printf(MSG_DEBUG, ++ "SSL: SSL_connect - want more data"); ++ res = 0; ++ } else { ++ tls_show_errors(MSG_INFO, __func__, ++ "Decryption failed - SSL_read"); ++ wpabuf_free(buf); ++ return NULL; ++ } + } + wpabuf_put(buf, res); + +diff --git a/src/eap_peer/eap_peap.c b/src/eap_peer/eap_peap.c +index 7c3704369..a13428d37 100644 +--- a/src/eap_peer/eap_peap.c ++++ b/src/eap_peer/eap_peap.c +@@ -803,6 +803,10 @@ static int eap_peap_decrypt(struct eap_sm *sm, struct eap_peap_data *data, + res = eap_peer_tls_decrypt(sm, &data->ssl, in_data, &in_decrypted); + if (res) + return res; ++ if (wpabuf_len(in_decrypted) == 0) { ++ wpabuf_free(in_decrypted); ++ return 1; ++ } + + continue_req: + wpa_hexdump_buf(MSG_DEBUG, "EAP-PEAP: Decrypted Phase 2 EAP", +diff --git a/src/eap_peer/eap_ttls.c b/src/eap_peer/eap_ttls.c +index 642d179c6..3bf1e97e6 100644 +--- a/src/eap_peer/eap_ttls.c ++++ b/src/eap_peer/eap_ttls.c +@@ -1441,6 +1441,7 @@ static int eap_ttls_decrypt(struct eap_sm *sm, struct eap_ttls_data *data, + + if ((in_data == NULL || wpabuf_len(in_data) == 0) && + data->phase2_start) { ++start: + return eap_ttls_phase2_start(sm, data, ret, identifier, + out_data); + } +@@ -1455,6 +1456,10 @@ static int eap_ttls_decrypt(struct eap_sm *sm, struct eap_ttls_data *data, + retval = eap_peer_tls_decrypt(sm, &data->ssl, in_data, &in_decrypted); + if (retval) + goto done; ++ if (wpabuf_len(in_decrypted) == 0) { ++ wpabuf_free(in_decrypted); ++ goto start; ++ } + + continue_req: + data->phase2_start = 0; +-- +2.31.1 + diff --git a/SOURCES/0001-OpenSSL-Allow-systemwide-secpolicy-overrides-for-TLS.patch b/SOURCES/0001-OpenSSL-Allow-systemwide-secpolicy-overrides-for-TLS.patch new file mode 100644 index 0000000..fafabbd --- /dev/null +++ b/SOURCES/0001-OpenSSL-Allow-systemwide-secpolicy-overrides-for-TLS.patch @@ -0,0 +1,66 @@ +From 9afb68b03976d019bb450e5e33b0d8e48867691c Mon Sep 17 00:00:00 2001 +Message-Id: <9afb68b03976d019bb450e5e33b0d8e48867691c.1626202922.git.davide.caratti@gmail.com> +From: Jouni Malinen +Date: Tue, 8 Sep 2020 17:55:36 +0300 +Subject: [PATCH] OpenSSL: Allow systemwide secpolicy overrides for TLS version + +Explicit configuration to enable TLS v1.0 and/or v1.1 did not work with +systemwide OpenSSL secpolicy=2 cases (e.g., Ubuntu 20.04). Allow such +systemwide configuration to be overridden if the older TLS versions have +been explicitly enabled in the network profile. The default behavior +follows the systemwide policy, but this allows compatibility with old +authentication servers without having to touch the systemwide policy. + +Signed-off-by: Jouni Malinen +--- + src/crypto/tls_openssl.c | 26 +++++++++++++++++--------- + 1 file changed, 17 insertions(+), 9 deletions(-) + +diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c +index e73dd7f5b..f7dfecbbf 100644 +--- a/src/crypto/tls_openssl.c ++++ b/src/crypto/tls_openssl.c +@@ -2995,16 +2995,12 @@ static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags, + + /* Explicit request to enable TLS versions even if needing to + * override systemwide policies. */ +- if (flags & TLS_CONN_ENABLE_TLSv1_0) { ++ if (flags & TLS_CONN_ENABLE_TLSv1_0) + version = TLS1_VERSION; +- } else if (flags & TLS_CONN_ENABLE_TLSv1_1) { +- if (!(flags & TLS_CONN_DISABLE_TLSv1_0)) +- version = TLS1_1_VERSION; +- } else if (flags & TLS_CONN_ENABLE_TLSv1_2) { +- if (!(flags & (TLS_CONN_DISABLE_TLSv1_0 | +- TLS_CONN_DISABLE_TLSv1_1))) +- version = TLS1_2_VERSION; +- } ++ else if (flags & TLS_CONN_ENABLE_TLSv1_1) ++ version = TLS1_1_VERSION; ++ else if (flags & TLS_CONN_ENABLE_TLSv1_2) ++ version = TLS1_2_VERSION; + if (!version) { + wpa_printf(MSG_DEBUG, + "OpenSSL: Invalid TLS version configuration"); +@@ -3018,6 +3014,18 @@ static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags, + } + } + #endif /* >= 1.1.0 */ ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && \ ++ !defined(LIBRESSL_VERSION_NUMBER) && \ ++ !defined(OPENSSL_IS_BORINGSSL) ++ if ((flags & (TLS_CONN_ENABLE_TLSv1_0 | TLS_CONN_ENABLE_TLSv1_1)) && ++ SSL_get_security_level(ssl) >= 2) { ++ /* ++ * Need to drop to security level 1 to allow TLS versions older ++ * than 1.2 to be used when explicitly enabled in configuration. ++ */ ++ SSL_set_security_level(conn->ssl, 1); ++ } ++#endif + + #ifdef CONFIG_SUITEB + #ifdef OPENSSL_IS_BORINGSSL +-- +2.31.1 + diff --git a/SOURCES/0001-P2P-Always-use-global-p2p_long_listen.patch b/SOURCES/0001-P2P-Always-use-global-p2p_long_listen.patch new file mode 100644 index 0000000..a617de8 --- /dev/null +++ b/SOURCES/0001-P2P-Always-use-global-p2p_long_listen.patch @@ -0,0 +1,111 @@ +From 9ad3c12dd1bf56824ef8b3425e057e8d1e84e69d Mon Sep 17 00:00:00 2001 +From: Benjamin Berg +Date: Fri, 3 Jan 2020 22:18:51 +0100 +Subject: [PATCH] P2P: Always use global p2p_long_listen + +The p2p_long_listen value was set on the control wpa_s struct while in a +lot of cases it operated on the p2p struct. Explicitly use the global +p2p_init_wpa_s struct in cases where we might not be operating on it +already. + +Without this, simply starting a p2p_listen operation (e.g., using +wpa_cli) will not work properly. As the p2p_long_listen is set on the +controlling interface and wpas_p2p_cancel_remain_on_channel_cb() uses +p2p_init_wpa_s, it would not actually work. This results in +wpa_supplicant stopping listening after the maximum remain-on-channel +time passes when using a separate P2P Device interface. + +Signed-off-by: Benjamin Berg +--- + wpa_supplicant/p2p_supplicant.c | 19 ++++++++++--------- + 1 file changed, 10 insertions(+), 9 deletions(-) + +diff --git a/wpa_supplicant/p2p_supplicant.c b/wpa_supplicant/p2p_supplicant.c +index 95bacec19..a7d3b7f1d 100644 +--- a/wpa_supplicant/p2p_supplicant.c ++++ b/wpa_supplicant/p2p_supplicant.c +@@ -2422,7 +2422,7 @@ static void wpas_go_neg_completed(void *ctx, struct p2p_go_neg_results *res) + wpas_start_wps_enrollee(group_wpa_s, res); + } + +- wpa_s->p2p_long_listen = 0; ++ wpa_s->global->p2p_init_wpa_s->p2p_long_listen = 0; + eloop_cancel_timeout(wpas_p2p_long_listen_timeout, wpa_s, NULL); + + eloop_cancel_timeout(wpas_p2p_group_formation_timeout, wpa_s, NULL); +@@ -4750,7 +4750,8 @@ void wpas_p2p_deinit(struct wpa_supplicant *wpa_s) + eloop_cancel_timeout(wpas_p2p_psk_failure_removal, wpa_s, NULL); + eloop_cancel_timeout(wpas_p2p_group_formation_timeout, wpa_s, NULL); + eloop_cancel_timeout(wpas_p2p_join_scan, wpa_s, NULL); +- wpa_s->p2p_long_listen = 0; ++ if (wpa_s->global->p2p_init_wpa_s) ++ wpa_s->global->p2p_init_wpa_s->p2p_long_listen = 0; + eloop_cancel_timeout(wpas_p2p_long_listen_timeout, wpa_s, NULL); + eloop_cancel_timeout(wpas_p2p_group_idle_timeout, wpa_s, NULL); + wpas_p2p_remove_pending_group_interface(wpa_s); +@@ -5635,7 +5636,7 @@ int wpas_p2p_connect(struct wpa_supplicant *wpa_s, const u8 *peer_addr, + go_intent = wpa_s->conf->p2p_go_intent; + + if (!auth) +- wpa_s->p2p_long_listen = 0; ++ wpa_s->global->p2p_init_wpa_s->p2p_long_listen = 0; + + wpa_s->p2p_wps_method = wps_method; + wpa_s->p2p_persistent_group = !!persistent_group; +@@ -6952,7 +6953,7 @@ int wpas_p2p_find(struct wpa_supplicant *wpa_s, unsigned int timeout, + u8 seek_cnt, const char **seek_string, int freq) + { + wpas_p2p_clear_pending_action_tx(wpa_s); +- wpa_s->p2p_long_listen = 0; ++ wpa_s->global->p2p_init_wpa_s->p2p_long_listen = 0; + + if (wpa_s->global->p2p_disabled || wpa_s->global->p2p == NULL || + wpa_s->p2p_in_provisioning) { +@@ -6997,7 +6998,7 @@ static void wpas_p2p_scan_res_ignore_search(struct wpa_supplicant *wpa_s, + static void wpas_p2p_stop_find_oper(struct wpa_supplicant *wpa_s) + { + wpas_p2p_clear_pending_action_tx(wpa_s); +- wpa_s->p2p_long_listen = 0; ++ wpa_s->global->p2p_init_wpa_s->p2p_long_listen = 0; + eloop_cancel_timeout(wpas_p2p_long_listen_timeout, wpa_s, NULL); + eloop_cancel_timeout(wpas_p2p_join_scan, wpa_s, NULL); + +@@ -7023,7 +7024,7 @@ void wpas_p2p_stop_find(struct wpa_supplicant *wpa_s) + static void wpas_p2p_long_listen_timeout(void *eloop_ctx, void *timeout_ctx) + { + struct wpa_supplicant *wpa_s = eloop_ctx; +- wpa_s->p2p_long_listen = 0; ++ wpa_s->global->p2p_init_wpa_s->p2p_long_listen = 0; + } + + +@@ -7052,7 +7053,7 @@ int wpas_p2p_listen(struct wpa_supplicant *wpa_s, unsigned int timeout) + timeout = 3600; + } + eloop_cancel_timeout(wpas_p2p_long_listen_timeout, wpa_s, NULL); +- wpa_s->p2p_long_listen = 0; ++ wpa_s->global->p2p_init_wpa_s->p2p_long_listen = 0; + + /* + * Stop previous find/listen operation to avoid trying to request a new +@@ -7064,7 +7065,7 @@ int wpas_p2p_listen(struct wpa_supplicant *wpa_s, unsigned int timeout) + + res = wpas_p2p_listen_start(wpa_s, timeout * 1000); + if (res == 0 && timeout * 1000 > wpa_s->max_remain_on_chan) { +- wpa_s->p2p_long_listen = timeout * 1000; ++ wpa_s->global->p2p_init_wpa_s->p2p_long_listen = timeout * 1000; + eloop_register_timeout(timeout, 0, + wpas_p2p_long_listen_timeout, + wpa_s, NULL); +@@ -7171,7 +7172,7 @@ static void wpas_p2p_group_deinit(struct wpa_supplicant *wpa_s) + + int wpas_p2p_reject(struct wpa_supplicant *wpa_s, const u8 *addr) + { +- wpa_s->p2p_long_listen = 0; ++ wpa_s->global->p2p_init_wpa_s->p2p_long_listen = 0; + + if (wpa_s->global->p2p_disabled || wpa_s->global->p2p == NULL) + return -1; +-- +2.26.2 + diff --git a/SOURCES/0001-P2P-Fix-a-corner-case-in-peer-addition-based-on-PD-R.patch b/SOURCES/0001-P2P-Fix-a-corner-case-in-peer-addition-based-on-PD-R.patch new file mode 100644 index 0000000..1942bb3 --- /dev/null +++ b/SOURCES/0001-P2P-Fix-a-corner-case-in-peer-addition-based-on-PD-R.patch @@ -0,0 +1,50 @@ +From 8460e3230988ef2ec13ce6b69b687e941f6cdb32 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Tue, 8 Dec 2020 23:52:50 +0200 +Subject: [PATCH] P2P: Fix a corner case in peer addition based on PD Request + +p2p_add_device() may remove the oldest entry if there is no room in the +peer table for a new peer. This would result in any pointer to that +removed entry becoming stale. A corner case with an invalid PD Request +frame could result in such a case ending up using (read+write) freed +memory. This could only by triggered when the peer table has reached its +maximum size and the PD Request frame is received from the P2P Device +Address of the oldest remaining entry and the frame has incorrect P2P +Device Address in the payload. + +Fix this by fetching the dev pointer again after having called +p2p_add_device() so that the stale pointer cannot be used. + +Fixes: 17bef1e97a50 ("P2P: Add peer entry based on Provision Discovery Request") +Signed-off-by: Jouni Malinen +--- + src/p2p/p2p_pd.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +diff --git a/src/p2p/p2p_pd.c b/src/p2p/p2p_pd.c +index 3994ec03f86b..05fd593494ef 100644 +--- a/src/p2p/p2p_pd.c ++++ b/src/p2p/p2p_pd.c +@@ -595,14 +595,12 @@ void p2p_process_prov_disc_req(struct p2p_data *p2p, const u8 *sa, + goto out; + } + ++ dev = p2p_get_device(p2p, sa); + if (!dev) { +- dev = p2p_get_device(p2p, sa); +- if (!dev) { +- p2p_dbg(p2p, +- "Provision Discovery device not found " +- MACSTR, MAC2STR(sa)); +- goto out; +- } ++ p2p_dbg(p2p, ++ "Provision Discovery device not found " ++ MACSTR, MAC2STR(sa)); ++ goto out; + } + } else if (msg.wfd_subelems) { + wpabuf_free(dev->info.wfd_subelems); +-- +2.25.1 + diff --git a/SOURCES/0001-P2P-Fix-copying-of-secondary-device-types-for-P2P-gr.patch b/SOURCES/0001-P2P-Fix-copying-of-secondary-device-types-for-P2P-gr.patch new file mode 100644 index 0000000..77a5eb9 --- /dev/null +++ b/SOURCES/0001-P2P-Fix-copying-of-secondary-device-types-for-P2P-gr.patch @@ -0,0 +1,39 @@ +From 947272febe24a8f0ea828b5b2f35f13c3821901e Mon Sep 17 00:00:00 2001 +Message-Id: <947272febe24a8f0ea828b5b2f35f13c3821901e.1612435525.git.davide.caratti@gmail.com> +From: Jouni Malinen +Date: Mon, 9 Nov 2020 11:43:12 +0200 +Subject: [PATCH] P2P: Fix copying of secondary device types for P2P group + client + +Parsing and copying of WPS secondary device types list was verifying +that the contents is not too long for the internal maximum in the case +of WPS messages, but similar validation was missing from the case of P2P +group information which encodes this information in a different +attribute. This could result in writing beyond the memory area assigned +for these entries and corrupting memory within an instance of struct +p2p_device. This could result in invalid operations and unexpected +behavior when trying to free pointers from that corrupted memory. + +Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27269 +Fixes: e57ae6e19edf ("P2P: Keep track of secondary device types for peers") +Signed-off-by: Jouni Malinen +--- + src/p2p/p2p.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c +index 74b7b52ae..5cbfc217f 100644 +--- a/src/p2p/p2p.c ++++ b/src/p2p/p2p.c +@@ -453,6 +453,8 @@ static void p2p_copy_client_info(struct p2p_device *dev, + dev->info.config_methods = cli->config_methods; + os_memcpy(dev->info.pri_dev_type, cli->pri_dev_type, 8); + dev->info.wps_sec_dev_type_list_len = 8 * cli->num_sec_dev_types; ++ if (dev->info.wps_sec_dev_type_list_len > WPS_SEC_DEV_TYPE_MAX_LEN) ++ dev->info.wps_sec_dev_type_list_len = WPS_SEC_DEV_TYPE_MAX_LEN; + os_memcpy(dev->info.wps_sec_dev_type_list, cli->sec_dev_types, + dev->info.wps_sec_dev_type_list_len); + } +-- +2.29.2 + diff --git a/SOURCES/0001-dbus-Export-OWE-capability-and-OWE-BSS-key_mgmt.patch b/SOURCES/0001-dbus-Export-OWE-capability-and-OWE-BSS-key_mgmt.patch new file mode 100644 index 0000000..30a07e4 --- /dev/null +++ b/SOURCES/0001-dbus-Export-OWE-capability-and-OWE-BSS-key_mgmt.patch @@ -0,0 +1,62 @@ +From 7800725afb27397f7d6033d4969e2aeb61af4737 Mon Sep 17 00:00:00 2001 +Message-Id: <7800725afb27397f7d6033d4969e2aeb61af4737.1602780273.git.davide.caratti@gmail.com> +From: Beniamino Galvani +Date: Sun, 13 Oct 2019 15:18:54 +0200 +Subject: [PATCH] dbus: Export OWE capability and OWE BSS key_mgmt + +Export a new 'owe' capability to indicate that wpa_supplicant was +built with OWE support and accepts 'key_mgmt=OWE'. Also, support 'owe' +in the array of BSS' available key managements. + +Signed-off-by: Beniamino Galvani +--- + wpa_supplicant/dbus/dbus_new_handlers.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/wpa_supplicant/dbus/dbus_new_handlers.c b/wpa_supplicant/dbus/dbus_new_handlers.c +index d2c84e5c5..1206c3cde 100644 +--- a/wpa_supplicant/dbus/dbus_new_handlers.c ++++ b/wpa_supplicant/dbus/dbus_new_handlers.c +@@ -984,8 +984,7 @@ dbus_bool_t wpas_dbus_getter_global_capabilities( + const struct wpa_dbus_property_desc *property_desc, + DBusMessageIter *iter, DBusError *error, void *user_data) + { +- const char *capabilities[10] = { NULL, NULL, NULL, NULL, NULL, NULL, +- NULL, NULL, NULL, NULL }; ++ const char *capabilities[11]; + size_t num_items = 0; + #ifdef CONFIG_FILS + struct wpa_global *global = user_data; +@@ -1028,6 +1027,9 @@ dbus_bool_t wpas_dbus_getter_global_capabilities( + #ifdef CONFIG_SHA384 + capabilities[num_items++] = "sha384"; + #endif /* CONFIG_SHA384 */ ++#ifdef CONFIG_OWE ++ capabilities[num_items++] = "owe"; ++#endif /* CONFIG_OWE */ + + return wpas_dbus_simple_array_property_getter(iter, + DBUS_TYPE_STRING, +@@ -4491,7 +4493,7 @@ static dbus_bool_t wpas_dbus_get_bss_security_prop( + DBusMessageIter iter_dict, variant_iter; + const char *group; + const char *pairwise[5]; /* max 5 pairwise ciphers is supported */ +- const char *key_mgmt[15]; /* max 15 key managements may be supported */ ++ const char *key_mgmt[16]; /* max 16 key managements may be supported */ + int n; + + if (!dbus_message_iter_open_container(iter, DBUS_TYPE_VARIANT, +@@ -4544,6 +4546,10 @@ static dbus_bool_t wpas_dbus_get_bss_security_prop( + if (ie_data->key_mgmt & WPA_KEY_MGMT_FT_SAE) + key_mgmt[n++] = "ft-sae"; + #endif /* CONFIG_SAE */ ++#ifdef CONFIG_OWE ++ if (ie_data->key_mgmt & WPA_KEY_MGMT_OWE) ++ key_mgmt[n++] = "owe"; ++#endif /* CONFIG_OWE */ + if (ie_data->key_mgmt & WPA_KEY_MGMT_NONE) + key_mgmt[n++] = "wpa-none"; + +-- +2.26.2 + diff --git a/SOURCES/0001-openssl-Disable-padding-after-initializing-the-ciphe.patch b/SOURCES/0001-openssl-Disable-padding-after-initializing-the-ciphe.patch new file mode 100644 index 0000000..3c1329d --- /dev/null +++ b/SOURCES/0001-openssl-Disable-padding-after-initializing-the-ciphe.patch @@ -0,0 +1,58 @@ +From e2e9adc3d9b6bb9c433ebb6404ee439b42e91746 Mon Sep 17 00:00:00 2001 +Message-Id: +From: Davide Caratti +Date: Tue, 17 Aug 2021 10:58:53 +0200 +Subject: [PATCH] openssl: Disable padding after initializing the cipher suite + +according to OpenSSL documentation [1], EVP_CIPHER_CTX_set_padding() +should be called after EVP_EncryptInit_ex(), EVP_DecryptInit_ex(), or +EVP_CipherInit_ex(). Not doing this causes EVP_CIPHER_CTX_set_padding() +to return false on OpenSSL-3.0.0, resulting in the impossibility to +connect in many scenarios. Fix this changing the order of function calls +where needed. + +[1] https://www.openssl.org/docs/man1.1.1/man3/EVP_CIPHER_CTX_set_padding.html + +Reported-by: Vladimir Benes +Signed-off-by: Davide Caratti +--- + src/crypto/crypto_openssl.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c +index 9411cb9cf..4b87702e4 100644 +--- a/src/crypto/crypto_openssl.c ++++ b/src/crypto/crypto_openssl.c +@@ -248,8 +248,8 @@ int rc4_skip(const u8 *key, size_t keylen, size_t skip, + + ctx = EVP_CIPHER_CTX_new(); + if (!ctx || +- !EVP_CIPHER_CTX_set_padding(ctx, 0) || + !EVP_CipherInit_ex(ctx, EVP_rc4(), NULL, NULL, NULL, 1) || ++ !EVP_CIPHER_CTX_set_padding(ctx, 0) || + !EVP_CIPHER_CTX_set_key_length(ctx, keylen) || + !EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, 1)) + goto out; +@@ -709,8 +709,8 @@ struct crypto_cipher * crypto_cipher_init(enum crypto_cipher_alg alg, + } + + if (!(ctx->enc = EVP_CIPHER_CTX_new()) || +- !EVP_CIPHER_CTX_set_padding(ctx->enc, 0) || + !EVP_EncryptInit_ex(ctx->enc, cipher, NULL, NULL, NULL) || ++ !EVP_CIPHER_CTX_set_padding(ctx->enc, 0) || + !EVP_CIPHER_CTX_set_key_length(ctx->enc, key_len) || + !EVP_EncryptInit_ex(ctx->enc, NULL, NULL, key, iv)) { + if (ctx->enc) +@@ -720,8 +720,8 @@ struct crypto_cipher * crypto_cipher_init(enum crypto_cipher_alg alg, + } + + if (!(ctx->dec = EVP_CIPHER_CTX_new()) || +- !EVP_CIPHER_CTX_set_padding(ctx->dec, 0) || + !EVP_DecryptInit_ex(ctx->dec, cipher, NULL, NULL, NULL) || ++ !EVP_CIPHER_CTX_set_padding(ctx->dec, 0) || + !EVP_CIPHER_CTX_set_key_length(ctx->dec, key_len) || + !EVP_DecryptInit_ex(ctx->dec, NULL, NULL, key, iv)) { + EVP_CIPHER_CTX_free(ctx->enc); +-- +2.31.1 + diff --git a/SOURCES/0001-openssl-Remove-deprecated-functions-from-des_encrypt.patch b/SOURCES/0001-openssl-Remove-deprecated-functions-from-des_encrypt.patch new file mode 100644 index 0000000..85f1a0a --- /dev/null +++ b/SOURCES/0001-openssl-Remove-deprecated-functions-from-des_encrypt.patch @@ -0,0 +1,68 @@ +From d265dd2d965db3669d07caa69539beb8def0edb2 Mon Sep 17 00:00:00 2001 +Message-Id: +From: Davide Caratti +Date: Tue, 17 Aug 2021 10:58:54 +0200 +Subject: [PATCH] openssl: Remove deprecated functions from des_encrypt() + +NetworkManager-CI detected systematic failures on test scenarios using +MSCHAPv2 when wpa_supplicant uses OpenSSL-3.0.0. +The 'test_module_tests.py' script also fails, and the following log is +shown: + + 1627404013.761569: generate_nt_response failed + 1627404013.761582: ms_funcs: 1 error + +It seems that either DES_set_key() or DES_ecb_encrypt() changed their +semantic, but it doesn't make sense to fix them since their use has been +deprecated. Converting des_encrypt() to avoid use of deprecated +functions proved to fix the problem, and removed a couple of build +warnings at the same time. + +Reported-by: Vladimir Benes +Signed-off-by: Davide Caratti +--- + src/crypto/crypto_openssl.c | 21 +++++++++++++++------ + 1 file changed, 15 insertions(+), 6 deletions(-) + +diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c +index a4b1083bb..9411cb9cf 100644 +--- a/src/crypto/crypto_openssl.c ++++ b/src/crypto/crypto_openssl.c +@@ -206,8 +206,8 @@ int md4_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac) + int des_encrypt(const u8 *clear, const u8 *key, u8 *cypher) + { + u8 pkey[8], next, tmp; +- int i; +- DES_key_schedule ks; ++ int i, plen, ret = -1; ++ EVP_CIPHER_CTX *ctx; + + /* Add parity bits to the key */ + next = 0; +@@ -218,10 +218,19 @@ int des_encrypt(const u8 *clear, const u8 *key, u8 *cypher) + } + pkey[i] = next | 1; + +- DES_set_key((DES_cblock *) &pkey, &ks); +- DES_ecb_encrypt((DES_cblock *) clear, (DES_cblock *) cypher, &ks, +- DES_ENCRYPT); +- return 0; ++ ctx = EVP_CIPHER_CTX_new(); ++ if (ctx && ++ EVP_EncryptInit_ex(ctx, EVP_des_ecb(), NULL, pkey, NULL) == 1 && ++ EVP_CIPHER_CTX_set_padding(ctx, 0) == 1 && ++ EVP_EncryptUpdate(ctx, cypher, &plen, clear, 8) == 1 && ++ EVP_EncryptFinal_ex(ctx, &cypher[plen], &plen) == 1) ++ ret = 0; ++ else ++ wpa_printf(MSG_ERROR, "OpenSSL: DES encrypt failed"); ++ ++ if (ctx) ++ EVP_CIPHER_CTX_free(ctx); ++ return ret; + } + + +-- +2.31.1 + diff --git a/SOURCES/0001-p2p-Limit-P2P_DEVICE-name-to-appropriate-ifname-size.patch b/SOURCES/0001-p2p-Limit-P2P_DEVICE-name-to-appropriate-ifname-size.patch new file mode 100644 index 0000000..a29c513 --- /dev/null +++ b/SOURCES/0001-p2p-Limit-P2P_DEVICE-name-to-appropriate-ifname-size.patch @@ -0,0 +1,30 @@ +From d4348cbbdbdba5d045b5b389ba6ce97b74936f30 Mon Sep 17 00:00:00 2001 +From: Benjamin Berg +Date: Mon, 15 Jun 2020 16:17:43 +0200 +Subject: [PATCH] p2p: Limit P2P_DEVICE name to appropriate ifname size + +Otherwise the WPA_IF_P2P_DEVICE cannot be created. As this is not a +netdev device, it is acceptable if the name is not completely unique. As +such, simply insert a NUL byte at the appropriate place. +--- + wpa_supplicant/p2p_supplicant.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/wpa_supplicant/p2p_supplicant.c b/wpa_supplicant/p2p_supplicant.c +index e94bffe52..17c25889c 100644 +--- a/wpa_supplicant/p2p_supplicant.c ++++ b/wpa_supplicant/p2p_supplicant.c +@@ -3929,6 +3929,10 @@ int wpas_p2p_add_p2pdev_interface(struct wpa_supplicant *wpa_s, + wpa_s->ifname); + if (os_snprintf_error(sizeof(ifname), ret)) + return -1; ++ /* Cut length at the maximum size. Note that we don't need to ensure ++ * collision free names here as the created interface is not a netdev. ++ */ ++ ifname[IFNAMSIZ-1] = '\0'; + force_name[0] = '\0'; + wpa_s->pending_interface_type = WPA_IF_P2P_DEVICE; + ret = wpa_drv_if_add(wpa_s, WPA_IF_P2P_DEVICE, ifname, NULL, NULL, +-- +2.26.2 + diff --git a/SOURCES/wpa_supplicant-assoc-timeout.patch b/SOURCES/wpa_supplicant-assoc-timeout.patch new file mode 100644 index 0000000..c3b3568 --- /dev/null +++ b/SOURCES/wpa_supplicant-assoc-timeout.patch @@ -0,0 +1,16 @@ +diff -up wpa_supplicant-0.7.3/wpa_supplicant/wpa_supplicant.c.assoc-timeout wpa_supplicant-0.7.3/wpa_supplicant/wpa_supplicant.c +--- wpa_supplicant-0.7.3/wpa_supplicant/wpa_supplicant.c.assoc-timeout 2010-09-07 10:43:39.000000000 -0500 ++++ wpa_supplicant-0.7.3/wpa_supplicant/wpa_supplicant.c 2010-12-07 18:57:45.163457000 -0600 +@@ -1262,10 +1262,10 @@ void wpa_supplicant_associate(struct wpa + + if (assoc_failed) { + /* give IBSS a bit more time */ +- timeout = ssid->mode == WPAS_MODE_IBSS ? 10 : 5; ++ timeout = ssid->mode == WPAS_MODE_IBSS ? 20 : 10; + } else if (wpa_s->conf->ap_scan == 1) { + /* give IBSS a bit more time */ +- timeout = ssid->mode == WPAS_MODE_IBSS ? 20 : 10; ++ timeout = ssid->mode == WPAS_MODE_IBSS ? 20 : 20; + } + wpa_supplicant_req_auth_timeout(wpa_s, timeout, 0); + } diff --git a/SOURCES/wpa_supplicant-config.patch b/SOURCES/wpa_supplicant-config.patch new file mode 100644 index 0000000..6eddd30 --- /dev/null +++ b/SOURCES/wpa_supplicant-config.patch @@ -0,0 +1,85 @@ +From 72ee1e934e98ea87e4de292958817e724114703e Mon Sep 17 00:00:00 2001 +From: Lubomir Rintel +Date: Fri, 6 Sep 2019 09:46:00 +0200 +Subject: [PATCH] defconfig: Fedora configuration + +--- + wpa_supplicant/defconfig | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +--- a/wpa_supplicant/defconfig ++++ b/wpa_supplicant/defconfig +@@ -77,7 +77,7 @@ CONFIG_DRIVER_WIRED=y + #CONFIG_DRIVER_MACSEC_QCA=y + + # Driver interface for Linux MACsec drivers +-#CONFIG_DRIVER_MACSEC_LINUX=y ++CONFIG_DRIVER_MACSEC_LINUX=y + + # Driver interface for the Broadcom RoboSwitch family + #CONFIG_DRIVER_ROBOSWITCH=y +@@ -146,7 +146,7 @@ CONFIG_EAP_PAX=y + CONFIG_EAP_LEAP=y + + # EAP-AKA (enable CONFIG_PCSC, if EAP-AKA is used) +-#CONFIG_EAP_AKA=y ++CONFIG_EAP_AKA=y + + # EAP-AKA' (enable CONFIG_PCSC, if EAP-AKA' is used). + # This requires CONFIG_EAP_AKA to be enabled, too. +@@ -183,7 +183,7 @@ CONFIG_EAP_IKEV2=y + #CONFIG_EAP_EKE=y + + # MACsec +-#CONFIG_MACSEC=y ++CONFIG_MACSEC=y + + # PKCS#12 (PFX) support (used to read private key and certificate file from + # a file that usually has extension .p12 or .pfx) +@@ -342,6 +342,7 @@ CONFIG_IEEE80211W=y + # Select which ciphers to use by default with OpenSSL if the user does not + # specify them. + #CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW" ++CONFIG_TLS_DEFAULT_CIPHERS="PROFILE=SYSTEM:3DES" + + # If CONFIG_TLS=internal is used, additional library and include paths are + # needed for LibTomMath. Alternatively, an integrated, minimal version of +@@ -473,7 +474,7 @@ CONFIG_DEBUG_SYSLOG=y + # Should we attempt to use the getrandom(2) call that provides more reliable + # yet secure randomness source than /dev/random on Linux 3.17 and newer. + # Requires glibc 2.25 to build, falls back to /dev/random if unavailable. +-#CONFIG_GETRANDOM=y ++CONFIG_GETRANDOM=y + + # IEEE 802.11n (High Throughput) support (mainly for AP mode) + CONFIG_IEEE80211N=y +@@ -514,7 +515,7 @@ CONFIG_AP=y + CONFIG_P2P=y + + # Enable TDLS support +-#CONFIG_TDLS=y ++CONFIG_TDLS=y + + # Wi-Fi Display + # This can be used to enable Wi-Fi Display extensions for P2P using an external +@@ -593,7 +594,7 @@ CONFIG_IBSS_RSN=y + #CONFIG_PMKSA_CACHE_EXTERNAL=y + + # Mesh Networking (IEEE 802.11s) +-#CONFIG_MESH=y ++CONFIG_MESH=y + + # Background scanning modules + # These can be used to request wpa_supplicant to perform background scanning +@@ -607,9 +608,10 @@ CONFIG_BGSCAN_SIMPLE=y + + # Opportunistic Wireless Encryption (OWE) + # Experimental implementation of draft-harkins-owe-07.txt +-#CONFIG_OWE=y ++CONFIG_OWE=y + + # Device Provisioning Protocol (DPP) + # This requires CONFIG_IEEE80211W=y to be enabled, too. (see + # wpa_supplicant/README-DPP for details) + CONFIG_DPP=y ++CONFIG_SUITEB192=y diff --git a/SOURCES/wpa_supplicant-flush-debug-output.patch b/SOURCES/wpa_supplicant-flush-debug-output.patch new file mode 100644 index 0000000..a686851 --- /dev/null +++ b/SOURCES/wpa_supplicant-flush-debug-output.patch @@ -0,0 +1,49 @@ +--- wpa_supplicant-0.6.3/src/utils/wpa_debug.c.flush-debug 2007-07-30 23:15:34.000000000 -0400 ++++ wpa_supplicant-0.6.3/src/utils/wpa_debug.c 2007-07-30 23:17:06.000000000 -0400 +@@ -157,6 +157,7 @@ void wpa_debug_print_timestamp(void) + if (out_file) { + fprintf(out_file, "%ld.%06u: ", (long) tv.sec, + (unsigned int) tv.usec); ++ fflush(out_file); + } else + #endif /* CONFIG_DEBUG_FILE */ + printf("%ld.%06u: ", (long) tv.sec, (unsigned int) tv.usec); +@@ -185,6 +186,7 @@ void wpa_printf(int level, char *fmt, .. + if (out_file) { + vfprintf(out_file, fmt, ap); + fprintf(out_file, "\n"); ++ fflush(out_file); + } else { + #endif /* CONFIG_DEBUG_FILE */ + vprintf(fmt, ap); +@@ -217,6 +219,7 @@ static void _wpa_hexdump(int level, cons + fprintf(out_file, " [REMOVED]"); + } + fprintf(out_file, "\n"); ++ fflush(out_file); + } else { + #endif /* CONFIG_DEBUG_FILE */ + printf("%s - hexdump(len=%lu):", title, (unsigned long) len); +@@ -262,12 +265,14 @@ static void _wpa_hexdump_ascii(int level + fprintf(out_file, + "%s - hexdump_ascii(len=%lu): [REMOVED]\n", + title, (unsigned long) len); ++ fflush(out_file); + return; + } + if (buf == NULL) { + fprintf(out_file, + "%s - hexdump_ascii(len=%lu): [NULL]\n", + title, (unsigned long) len); ++ fflush(out_file); + return; + } + fprintf(out_file, "%s - hexdump_ascii(len=%lu):\n", +@@ -292,6 +297,7 @@ static void _wpa_hexdump_ascii(int level + pos += llen; + len -= llen; + } ++ fflush(out_file); + } else { + #endif /* CONFIG_DEBUG_FILE */ + if (!show) { diff --git a/SOURCES/wpa_supplicant-gui-qt4.patch b/SOURCES/wpa_supplicant-gui-qt4.patch new file mode 100644 index 0000000..c54cd9a --- /dev/null +++ b/SOURCES/wpa_supplicant-gui-qt4.patch @@ -0,0 +1,41 @@ +From 9404f356e394604d1d3d6dbffc52abd54260e4d4 Mon Sep 17 00:00:00 2001 +From: Lubomir Rintel +Date: Tue, 27 Oct 2015 08:56:35 +0100 +Subject: [PATCH] wpa_supplicant: allow overriding the names of the Qt4 tools + +This is useful for distributions that ship different versions of Qt in +different locations. +--- + wpa_supplicant/Makefile | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile +index ad9ead9..b19676d 100644 +--- a/wpa_supplicant/Makefile ++++ b/wpa_supplicant/Makefile +@@ -11,6 +11,9 @@ export INCDIR ?= /usr/local/include/ + export BINDIR ?= /usr/local/sbin/ + PKG_CONFIG ?= pkg-config + ++QMAKE ?= qmake ++LRELEASE ?= lrelease ++ + CFLAGS += $(EXTRA_CFLAGS) + CFLAGS += -I$(abspath ../src) + CFLAGS += -I$(abspath ../src/utils) +@@ -1787,10 +1790,10 @@ wpa_gui: + @echo "wpa_gui has been removed - see wpa_gui-qt4 for replacement" + + wpa_gui-qt4/Makefile: +- qmake -o wpa_gui-qt4/Makefile wpa_gui-qt4/wpa_gui.pro ++ $(QMAKE) -o wpa_gui-qt4/Makefile wpa_gui-qt4/wpa_gui.pro + + wpa_gui-qt4/lang/wpa_gui_de.qm: wpa_gui-qt4/lang/wpa_gui_de.ts +- lrelease wpa_gui-qt4/wpa_gui.pro ++ $(LRELEASE) wpa_gui-qt4/wpa_gui.pro + + wpa_gui-qt4: wpa_gui-qt4/Makefile wpa_gui-qt4/lang/wpa_gui_de.qm + $(MAKE) -C wpa_gui-qt4 +-- +2.6.2 + diff --git a/SOURCES/wpa_supplicant-quiet-scan-results-message.patch b/SOURCES/wpa_supplicant-quiet-scan-results-message.patch new file mode 100644 index 0000000..c646a30 --- /dev/null +++ b/SOURCES/wpa_supplicant-quiet-scan-results-message.patch @@ -0,0 +1,30 @@ +From 763a4ef660e2bd81f6cdc71a2f29a0a3e71b2ebc Mon Sep 17 00:00:00 2001 +From: Dan Williams +Date: Tue, 22 Nov 2016 15:48:17 +0100 +Subject: [PATCH 1/2] quiet an annoying and frequent syslog message + +--- + wpa_supplicant/events.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c +index abe3b47..72a0412 100644 +--- a/wpa_supplicant/events.c ++++ b/wpa_supplicant/events.c +@@ -1555,11 +1555,11 @@ static int _wpa_supplicant_event_scan_results(struct wpa_supplicant *wpa_s, + if (wpa_s->last_scan_req == MANUAL_SCAN_REQ && + wpa_s->manual_scan_use_id && wpa_s->own_scan_running && + own_request && !(data && data->scan_info.external_scan)) { +- wpa_msg_ctrl(wpa_s, MSG_INFO, WPA_EVENT_SCAN_RESULTS "id=%u", ++ wpa_msg_ctrl(wpa_s, MSG_DEBUG, WPA_EVENT_SCAN_RESULTS "id=%u", + wpa_s->manual_scan_id); + wpa_s->manual_scan_use_id = 0; + } else { +- wpa_msg_ctrl(wpa_s, MSG_INFO, WPA_EVENT_SCAN_RESULTS); ++ wpa_msg_ctrl(wpa_s, MSG_DEBUG, WPA_EVENT_SCAN_RESULTS); + } + wpas_notify_scan_results(wpa_s); + +-- +2.9.3 + diff --git a/SOURCES/wpa_supplicant.conf b/SOURCES/wpa_supplicant.conf new file mode 100644 index 0000000..65ad645 --- /dev/null +++ b/SOURCES/wpa_supplicant.conf @@ -0,0 +1,3 @@ +ctrl_interface=/var/run/wpa_supplicant +ctrl_interface_group=wheel + diff --git a/SOURCES/wpa_supplicant.logrotate b/SOURCES/wpa_supplicant.logrotate new file mode 100644 index 0000000..bd7ef91 --- /dev/null +++ b/SOURCES/wpa_supplicant.logrotate @@ -0,0 +1,6 @@ +/var/log/wpa_supplicant.log { + missingok + notifempty + size 30k + create 0600 root root +} diff --git a/SOURCES/wpa_supplicant.service b/SOURCES/wpa_supplicant.service new file mode 100644 index 0000000..97d4296 --- /dev/null +++ b/SOURCES/wpa_supplicant.service @@ -0,0 +1,15 @@ +[Unit] +Description=WPA supplicant +Before=network.target +Wants=network.target +After=dbus.service + +[Service] +Type=dbus +BusName=fi.w1.wpa_supplicant1 +EnvironmentFile=-/etc/sysconfig/wpa_supplicant +ExecStart=/usr/sbin/wpa_supplicant -c /etc/wpa_supplicant/wpa_supplicant.conf -u $INTERFACES $DRIVERS $OTHER_ARGS + +[Install] +WantedBy=multi-user.target + diff --git a/SOURCES/wpa_supplicant.sysconfig b/SOURCES/wpa_supplicant.sysconfig new file mode 100644 index 0000000..33bd7af --- /dev/null +++ b/SOURCES/wpa_supplicant.sysconfig @@ -0,0 +1,11 @@ +# Use the flag "-i" before each of your interfaces, like so: +# INTERFACES="-ieth1 -iwlan0" +INTERFACES="" + +# Use the flag "-D" before each driver, like so: +# DRIVERS="-Dwext" +DRIVERS="" + +# Other arguments +# -s Use syslog logging backend +OTHER_ARGS="-s" diff --git a/SPECS/wpa_supplicant.spec b/SPECS/wpa_supplicant.spec new file mode 100644 index 0000000..7b4b169 --- /dev/null +++ b/SPECS/wpa_supplicant.spec @@ -0,0 +1,828 @@ +%global _hardened_build 1 +%if 0%{?fedora} +%bcond_without gui +%else +%bcond_with gui +%endif + +Summary: WPA/WPA2/IEEE 802.1X Supplicant +Name: wpa_supplicant +Epoch: 1 +Version: 2.9 +Release: 17%{?dist} +License: BSD +Source0: http://w1.fi/releases/%{name}-%{version}.tar.gz +Source1: wpa_supplicant.conf +Source2: wpa_supplicant.service +Source3: wpa_supplicant.sysconfig +Source4: wpa_supplicant.logrotate + +# distro specific customization and not suitable for upstream, +# Fedora-specific updates to defconfig +Patch0: wpa_supplicant-config.patch +# works around busted drivers +Patch1: wpa_supplicant-assoc-timeout.patch +# ensures that debug output gets flushed immediately to help diagnose driver +# bugs, not suitable for upstream +Patch2: wpa_supplicant-flush-debug-output.patch +# quiet an annoying and frequent syslog message +Patch3: wpa_supplicant-quiet-scan-results-message.patch +# distro specific customization for Qt4 build tools, not suitable for upstream +Patch4: wpa_supplicant-gui-qt4.patch +# fix AP mode PMF disconnection protection bypass +Patch5: 0001-AP-Silently-ignore-management-frame-from-unexpected-.patch + +# fix some issues with P2P operation +Patch6: 0001-P2P-Always-use-global-p2p_long_listen.patch +Patch7: 0001-D-Bus-Fix-P2P-NULL-dereference-after-interface-remov.patch +Patch8: 0001-p2p-Limit-P2P_DEVICE-name-to-appropriate-ifname-size.patch + +#fix for bz1915236 +Patch9: 0001-D-Bus-Allow-changing-an-interface-bridge-via-D-Bus.patch + +#expose OWE capability in D-Bus +Patch10: 0001-dbus-Export-OWE-capability-and-OWE-BSS-key_mgmt.patch + +#fix for CVE-2021-0326 +Patch11: 0001-P2P-Fix-copying-of-secondary-device-types-for-P2P-gr.patch + +#fix for CVE-2021-27803 +Patch12: 0001-P2P-Fix-a-corner-case-in-peer-addition-based-on-PD-R.patch + +#fix for bz1975718 +Patch13: 0001-OpenSSL-Allow-systemwide-secpolicy-overrides-for-TLS.patch +Patch14: 0001-EAP-TTLS-PEAP-peer-Fix-failure-when-using-session-ti.patch +Patch15: 0001-openssl-Disable-padding-after-initializing-the-ciphe.patch +Patch16: 0001-openssl-Remove-deprecated-functions-from-des_encrypt.patch + + +URL: http://w1.fi/wpa_supplicant/ + +%if %with gui +BuildRequires: qt-devel >= 4.0 +%endif +BuildRequires: openssl-devel +BuildRequires: readline-devel +BuildRequires: dbus-devel +BuildRequires: libnl3-devel +BuildRequires: systemd-units +BuildRequires: docbook-utils +BuildRequires: gcc +Requires(post): systemd-sysv +Requires(post): systemd +Requires(preun): systemd +Requires(postun): systemd +# libeap used to be built from wpa_supplicant with some fairly horrible +# hackery, solely for use by WiMAX. We dropped all WiMAX support around +# F21. This is here so people don't wind up with obsolete libeap packages +# lying around. If it's ever resurrected for any reason, this needs +# dropping. +Obsoletes: libeap < %{epoch}:%{version}-%{release} +Obsoletes: libeap-devel < %{epoch}:%{version}-%{release} + +%description +wpa_supplicant is a WPA Supplicant for Linux, BSD and Windows with support +for WPA and WPA2 (IEEE 802.11i / RSN). Supplicant is the IEEE 802.1X/WPA +component that is used in the client stations. It implements key negotiation +with a WPA Authenticator and it controls the roaming and IEEE 802.11 +authentication/association of the wlan driver. + + +%if %with gui +%package gui +Summary: Graphical User Interface for %{name} + +%description gui +Graphical User Interface for wpa_supplicant written using QT +%endif + + +%prep +%autosetup -p1 + + +%build +pushd wpa_supplicant + cp defconfig .config + export CFLAGS="${CFLAGS:-%optflags} -fPIE -DPIE" + export CXXFLAGS="${CXXFLAGS:-%optflags} -fPIE -DPIE" + export LDFLAGS="${LDFLAGS:-%optflags} -pie -Wl,-z,now" + # yes, BINDIR=_sbindir + export BINDIR="%{_sbindir}" + export LIBDIR="%{_libdir}" + make %{_smp_mflags} V=1 +%if %with gui + make wpa_gui-qt4 %{_smp_mflags} V=1 QTDIR=%{_libdir}/qt4 \ + QMAKE='%{qmake_qt4}' LRELEASE='%{_qt4_bindir}/lrelease' +%endif + make eapol_test V=1 + make -C doc/docbook man V=1 +%if !%with gui + rm doc/docbook/wpa_gui.8 +%endif +popd + + +%install +# config +install -D -m 0600 %{SOURCE1} %{buildroot}/%{_sysconfdir}/wpa_supplicant/wpa_supplicant.conf + +# init scripts +install -D -m 0644 %{SOURCE2} %{buildroot}/%{_unitdir}/wpa_supplicant.service +install -D -m 0644 %{SOURCE3} %{buildroot}/%{_sysconfdir}/sysconfig/wpa_supplicant +install -D -m 0644 %{SOURCE4} %{buildroot}/%{_sysconfdir}/logrotate.d/wpa_supplicant + +# binary +install -d %{buildroot}/%{_sbindir} +install -m 0755 wpa_supplicant/wpa_passphrase %{buildroot}/%{_sbindir} +install -m 0755 wpa_supplicant/wpa_cli %{buildroot}/%{_sbindir} +install -m 0755 wpa_supplicant/wpa_supplicant %{buildroot}/%{_sbindir} +install -m 0755 wpa_supplicant/eapol_test %{buildroot}/%{_sbindir} +install -D -m 0644 wpa_supplicant/dbus/dbus-wpa_supplicant.conf \ + %{buildroot}/%{_sysconfdir}/dbus-1/system.d/wpa_supplicant.conf +install -D -m 0644 wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service \ + %{buildroot}/%{_datadir}/dbus-1/system-services/fi.w1.wpa_supplicant1.service + +%if %with gui +# gui +install -d %{buildroot}/%{_bindir} +install -m 0755 wpa_supplicant/wpa_gui-qt4/wpa_gui %{buildroot}/%{_bindir} +%endif + +# man pages +install -d %{buildroot}%{_mandir}/man{5,8} +install -m 0644 wpa_supplicant/doc/docbook/*.8 %{buildroot}%{_mandir}/man8 +install -m 0644 wpa_supplicant/doc/docbook/*.5 %{buildroot}%{_mandir}/man5 + +# some cleanup in docs and examples +rm -f wpa_supplicant/doc/.cvsignore +rm -rf wpa_supplicant/doc/docbook +chmod -R 0644 wpa_supplicant/examples/*.py + + +%post +%systemd_post wpa_supplicant.service + + +%preun +%systemd_preun wpa_supplicant.service + +%triggerun -- wpa_supplicant < 0.7.3-10 +# Save the current service runlevel info +# User must manually run systemd-sysv-convert --apply wpa_supplicant +# to migrate them to systemd targets +/usr/bin/systemd-sysv-convert --save wpa_supplicant >/dev/null 2>&1 ||: + +# Run these because the SysV package being removed won't do them +/sbin/chkconfig --del wpa_supplicant >/dev/null 2>&1 || : +/bin/systemctl try-restart wpa_supplicant.service >/dev/null 2>&1 || : + + +%files +%config(noreplace) %{_sysconfdir}/wpa_supplicant/wpa_supplicant.conf +%config(noreplace) %{_sysconfdir}/sysconfig/wpa_supplicant +%dir %{_sysconfdir}/logrotate.d +%config(noreplace) %{_sysconfdir}/logrotate.d/wpa_supplicant +%{_unitdir}/wpa_supplicant.service +%{_sysconfdir}/dbus-1/system.d/wpa_supplicant.conf +%{_datadir}/dbus-1/system-services/fi.w1.wpa_supplicant1.service +%{_sbindir}/wpa_passphrase +%{_sbindir}/wpa_supplicant +%{_sbindir}/wpa_cli +%{_sbindir}/eapol_test +%dir %{_sysconfdir}/wpa_supplicant +%{_mandir}/man8/wpa_supplicant.8.gz +%{_mandir}/man8/wpa_priv.8.gz +%{_mandir}/man8/wpa_passphrase.8.gz +%{_mandir}/man8/wpa_cli.8.gz +%{_mandir}/man8/wpa_background.8.gz +%{_mandir}/man8/eapol_test.8.gz +%{_mandir}/man5/* +%doc README +%doc wpa_supplicant/ChangeLog +%doc wpa_supplicant/eap_testing.txt +%doc wpa_supplicant/todo.txt +%doc wpa_supplicant/wpa_supplicant.conf +%doc wpa_supplicant/examples +%license COPYING + + +%if %with gui +%files gui +%{_bindir}/wpa_gui +%{_mandir}/man8/wpa_gui.8.gz +%endif + + +%changelog +* Thu Aug 19 2021 Davide Caratti - 1:2.9-17 +- Fix NetworkManager-CI failures with OpenSSL 3.0 + +* Tue Aug 10 2021 Mohan Boddu - 1:2.9-16 +- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags + Related: rhbz#1991688 + +* Wed Jun 16 2021 Mohan Boddu - 1:2.9-15 +- Rebuilt for RHEL 9 BETA for openssl 3.0 + Related: rhbz#1971065 + +* Thu Jun 3 2021 Davide Caratti - 1:2.9-14 +- Disable 'badfuncs' test in rpminspect. Related: rhbz#1967579 + +* Fri Apr 16 2021 Mohan Boddu - 1:2.9-13 +- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 + +* Mon Mar 1 2021 Davide Caratti - 1:2.9-12 +- Fix a corner case in peer addition based on PD Request (CVE-2021-27803) + +* Thu Feb 4 2021 Davide Caratti - 1:2.9-11 +- Fix copying of secondary device types for P2P group client (CVE-2021-0326) + +* Wed Jan 27 2021 Fedora Release Engineering - 1:2.9-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Fri Jan 22 2021 Davide Caratti - 1:2.9-9 +- Expose OWE capability on D-Bus +- Allow changing interface bridge using D-Bus + +* Thu Dec 17 2020 Antonio Cardace - 1:2.9-8 +- Enable WPA-EAP-SUITE-B-192 cipher suite + +* Thu Dec 17 2020 Davide Caratti - 1:2.9-7 +- fix build on ELN target (rh #1902609) + +* Wed Jul 29 2020 Fedora Release Engineering - 1:2.9-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Mon Jun 15 2020 Benjamin Berg - 1:2.9-5 +- fix some issues with P2P operation + +* Thu Apr 23 2020 Davide Caratti - 1:2.9-4 +- Enable Tunneled Direct Link Setup (TDLS) + +* Fri Jan 31 2020 Fedora Release Engineering - 1:2.9-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Wed Oct 30 2019 Davide Caratti - 1:2.9-2 +- fix AP mode PMF disconnection protection bypass (CVE-2019-16275, rh #1767026) + +* Fri Aug 16 2019 Lubomir Rintel - 1:2.9-1 +- Update to version 2.9 + +* Sat Jul 27 2019 Fedora Release Engineering - 1:2.8-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Fri May 10 2019 Davide Caratti - 1:2.8-2 +- fix changelog for version 2.8-1 + +* Thu May 02 2019 Davide Caratti - 1:2.8-1 +- Update to 2.8 upstream release, to include latest fix for NULL + pointer dereference when EAP-PWD peer receives unexpected EAP + fragments (CVE-2019-11555, rh #1701759) + +* Fri Apr 12 2019 Davide Caratti - 1:2.7-5 +- fix SAE and EAP_PWD vulnerabilities: + CVE-2019-9494 (cache attack against SAE) + CVE-2019-9495 (cache attack against EAP-pwd) + CVE-2019-9496 (SAE confirm missing state validation in hostapd/AP) + CVE-2019-9497 (EAP-pwd server not checking for reflection attack) + CVE-2019-9498 (EAP-pwd server missing commit validation for scalar/element) + CVE-2019-9499 (EAP-pwd peer missing commit validation for scalar/element) + +* Sun Feb 03 2019 Fedora Release Engineering - 1:2.7-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Mon Jan 21 2019 Lubomir Rintel - 1:2.7-3 +- Enable OWE and DPP +- Expose SAE support on D-Bus + +* Mon Jan 21 2019 Lubomir Rintel - 1:2.7-2 +- Enable MESH & SAE + +* Tue Dec 18 2018 Lubomir Rintel - 1:2.7-1 +- Update to 2.7 upstream release + +* Wed Aug 15 2018 Lubomir Rintel - 1:2.6-20 +- Expose availability of SHA384 and FT on D-Bus + +* Wed Aug 15 2018 Lubomir Rintel - 1:2.6-19 +- Drop the broken Pmf D-Bus property patch + +* Wed Aug 8 2018 Davide Caratti - 1:2.6-18 +- Ignore unauthenticated encrypted EAPOL-Key data (CVE-2018-14526) + +* Sat Jul 14 2018 Fedora Release Engineering - 1:2.6-17 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Fri Jun 22 2018 Davide Caratti - 1:2.6-16 +- Fix endoding of NL80211_ATTR_SMPS_MODE (rh#1570903) + +* Fri May 11 2018 Davide Caratti - 1:2.6-15 +- Make PMF configurable using D-Bus (rh#1567474) + +* Fri Feb 09 2018 Fedora Release Engineering - 1:2.6-14 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Tue Jan 16 2018 Davide Caratti - 1:2.6-13 +- Don't restart wpa_supplicant.service on package upgrade (rh#1535233) + +* Wed Nov 1 2017 Jiří Klimeš - 1:2.6-12 +- Fix crash when using MACsec without loaded macsec.ko (rh #1497640) +- Enable Fast BSS Transition for station mode (rh #1372928) + +* Mon Oct 16 2017 Lubomir Rintel - 1:2.6-11 +- hostapd: Avoid key reinstallation in FT handshake (CVE-2017-13082) +- Fix PTK rekeying to generate a new ANonce +- Prevent reinstallation of an already in-use group key and extend + protection of GTK/IGTK reinstallation of WNM-Sleep Mode cases + (CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, + CVE-2017-13087, CVE-2017-13088) +- Prevent installation of an all-zero TK +- TDLS: Reject TPK-TK reconfiguration +- WNM: Ignore WNM-Sleep Mode Response without pending request +- FT: Do not allow multiple Reassociation Response frames + +* Thu Aug 03 2017 Fedora Release Engineering - 1:2.6-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 1:2.6-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Mon Jul 17 2017 Beniamino Galvani - 1:2.6-8 +- OpenSSL: use system ciphers by default (rh #1462262) +- OpenSSL: fix private key password callback (rh #1465138) + +* Wed May 17 2017 Beniamino Galvani - 1:2.6-7 +- nl80211: Fix race condition in detecting MAC change (rh #1451834) + +* Tue Apr 11 2017 Davide Caratti - 1:2.6-6 +- Fix use-after-free when macsec secure channels are deleted +- Fix segmentation fault in case macsec module is not loaded (rh#1428937) + +* Mon Mar 13 2017 Thomas Haller - 1:2.6-5 +- Enable IEEE 802.11w (management frame protection, PMF) (rh#909499) + +* Thu Mar 2 2017 Davide Caratti - 1:2.6-4 +- Backport support for IEEE 802.1AE (macsec) + +* Sat Feb 11 2017 Fedora Release Engineering - 1:2.6-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Fri Jan 27 2017 Jiří Klimeš - 1:2.6-2 +- Enable Wi-Fi Display support for Miracast (rh #1395682) + +* Tue Nov 22 2016 Lubomir Rintel - 1:2.6-1 +- Update to version 2.6 + +* Fri Feb 05 2016 Fedora Release Engineering - 1:2.5-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Mon Nov 16 2015 Lubomir Rintel - 1:2.5-4 +- Really synchronize the service file with upstream + +* Tue Nov 03 2015 Lukáš Nykrýn - 1:2.5-3 +- Scriptlets replaced with new systemd macros (rh #850369) + +* Sat Oct 31 2015 Lubomir Rintel - 1:2.5-2 +- Enable syslog by default +- Drop writing a pid and log file + +* Tue Oct 27 2015 Lubomir Rintel - 1:2.5-1 +- Update to version 2.5 + +* Fri Oct 23 2015 Lubomir Rintel - 1:2.4-6 +- Fix the D-Bus policy + +* Sat Oct 3 2015 Ville Skyttä - 1:2.4-5 +- Don't order service after syslog.target (rh #1055197) +- Mark COPYING as %%license + +* Wed Jul 15 2015 Jiří Klimeš - 1:2.4-4 +- Fix for NDEF record payload length checking (rh #1241907) + +* Tue Jun 16 2015 Jiří Klimeš - 1:2.4-3 +- Fix a crash if P2P management interface is used (rh #1231973) + +* Thu Apr 23 2015 Dan Williams - 1:2.4-2 +- Remove obsolete wpa_supplicant-openssl-more-algs.patch + +* Thu Apr 23 2015 Adam Williamson - 1:2.4-1 +- new release 2.4 +- add some info on a couple of patches +- drop some patches merged or superseded upstream +- rediff other patches +- drop libeap hackery (we dropped the kernel drivers anyhow) +- backport fix for CVE-2015-1863 + +* Sat Nov 01 2014 Orion Poplawski - 1:2.3-2 +- Do not install wpa_supplicant.service as executable (bug #803980) + +* Thu Oct 30 2014 Lubomir Rintel - 1:2.3-1 +- Update to 2.3 + +* Wed Oct 22 2014 Dan Williams - 1:2.0-12 +- Use os_exec() for action script execution (CVE-2014-3686) + +* Thu Aug 21 2014 Kevin Fenzi - 1:2.0-11 +- Rebuild for rpm bug 1131960 + +* Mon Aug 18 2014 Fedora Release Engineering - 1:2.0-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Sun Jun 08 2014 Fedora Release Engineering - 1:2.0-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Mon Nov 18 2013 Dan Williams - 1:2.0-8 +- Don't disconnect when PMKSA cache gets too large (rh #1016707) + +* Sun Aug 04 2013 Fedora Release Engineering - 1:2.0-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Wed Jul 10 2013 Dan Williams - 1:2.0-6 +- Enable full RELRO/PIE/PIC for wpa_supplicant and libeap +- Fix changelog dates + +* Wed Jul 10 2013 Dan Williams - 1:2.0-5 +- Build and package eapol_test (rh #638218) + +* Wed Jul 10 2013 Dan Williams - 1:2.0-4 +- Disable WiMAX libeap hack for RHEL + +* Wed May 15 2013 Dan Williams - 1:2.0-3 +- Enable HT (802.11n) for AP mode + +* Tue May 7 2013 Dan Williams - 1:2.0-2 +- Use hardened build macros and ensure they apply to libeap too + +* Mon May 6 2013 Dan Williams - 1:2.0-1 +- Update to 2.0 +- Be less aggressive when roaming due to signal strength changes (rh #837402) + +* Mon Apr 1 2013 Dan Williams - 1:1.1-1 +- Update to 1.1 +- Be less aggressive when roaming due to signal strength changes + +* Fri Feb 15 2013 Fedora Release Engineering - 1:1.0-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Sun Jan 20 2013 Dan Horák - 1:1.0-3 +- rebuilt again for fixed soname in libnl3 + +* Sun Jan 20 2013 Kalev Lember - 1:1.0-2 +- Rebuilt for libnl3 + +* Wed Aug 29 2012 Dan Williams - 1:1.0-1 +- Enable lightweight AP mode support +- Enable P2P (WiFi Direct) support +- Enable RSN IBSS/AdHoc support + +* Sun Jul 22 2012 Fedora Release Engineering - 1:1.0-0.5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Tue May 1 2012 Dan Williams - 1:1.0-0.4 +- Update to wpa_supplicant 1.0-rc3 +- Fix systemd target dependencies (rh #815091) + +* Fri Mar 2 2012 Dan Williams - 1:1.0-0.3 +- Update to latest 1.0 git snapshot +- Rebuild against libnl3 + +* Thu Feb 2 2012 Dan Williams - 1:1.0-0.2 +- Fix driver fallback for non nl80211-based drivers (rh #783712) + +* Tue Jan 10 2012 Dan Williams - 1:1.0-0.1 +- Update to 1.0-rc1 + git + +* Fri Sep 9 2011 Tom Callaway - 1:0.7.3-11 +- add missing systemd scriptlets + +* Thu Sep 8 2011 Tom Callaway - 1:0.7.3-10 +- convert to systemd + +* Wed Jul 27 2011 Dan Williams - 1:0.7.3-9 +- Fix various crashes with D-Bus interface (rh #678625) (rh #725517) + +* Tue May 3 2011 Dan Williams - 1:0.7.3-8 +- Don't crash when trying to access invalid properties via D-Bus (rh #678625) + +* Mon May 2 2011 Dan Williams - 1:0.7.3-7 +- Make examples read-only to avoid erroneous python dependency (rh #687952) + +* Tue Apr 19 2011 Bill Nottingham - 1:0.7.3-6 +- Fix EAP patch to only apply when building libeap + +* Fri Mar 25 2011 Bill Nottingham - 1:0.7.3-5 +- Add libeap/libeap-devel subpackge for WiMAX usage + +* Mon Feb 07 2011 Fedora Release Engineering - 1:0.7.3-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Tue Jan 11 2011 Dan Williams - 1:0.7.3-3 +- Enable EAP-TNC (rh #659038) + +* Wed Dec 15 2010 Dan Williams - 1:0.7.3-2 +- Enable the bgscan_simple plugin + +* Wed Dec 8 2010 Dan Williams - 1:0.7.3-1 +- Update to 0.7.3 +- Drop upstreamed and backported patches +- Drop support for Qt3 + +* Thu Oct 7 2010 Peter Lemenkov - 1:0.6.8-11 +- Added comments to some patches (see rhbz #226544#c17) +- Shortened %%install section a bit + +* Thu May 13 2010 Dan Williams - 1:0.6.8-10 +- Remove prereq on chkconfig +- Build GUI with qt4 for rawhide (rh #537105) + +* Thu May 6 2010 Dan Williams - 1:0.6.8-9 +- Fix crash when interfaces are removed (like suspend/resume) (rh #589507) + +* Wed Jan 6 2010 Dan Williams - 1:0.6.8-8 +- Fix handling of newer PKCS#12 files (rh #541924) + +* Sun Nov 29 2009 Dan Williams - 1:0.6.8-7 +- Fix supplicant initscript return value (rh #521807) +- Fix race when connecting to WPA-Enterprise/802.1x-enabled access points (rh #508509) +- Don't double-scan when attempting to associate + +* Fri Aug 21 2009 Tomas Mraz - 1:0.6.8-6 +- rebuilt with new openssl + +* Mon Jul 27 2009 Fedora Release Engineering - 1:0.6.8-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Wed May 13 2009 Dan Williams - 1:0.6.8-4 +- Let D-Bus clients know when the supplicant is scanning + +* Tue May 12 2009 Dan Williams - 1:0.6.8-3 +- Ensure the supplicant starts and ends with clean driver state +- Handle driver disconnect spammage by forcibly clearing SSID +- Don't switch access points unless the current association is dire (rh #493745) + +* Tue May 12 2009 Dan Williams - 1:0.6.8-2 +- Avoid creating bogus Ad-Hoc networks when forcing the driver to disconnect (rh #497771) + +* Mon Mar 9 2009 Dan Williams - 1:0.6.8-1 +- Update to latest upstream release + +* Wed Feb 25 2009 Colin Walters - 1:0.6.7-4 +- Add patch from upstream to suppress unrequested replies, this + quiets a dbus warning. + +* Fri Feb 6 2009 Dan Williams - 1:0.6.7-3 +- Fix scan result retrieval in very dense wifi environments + +* Fri Feb 6 2009 Dan Williams - 1:0.6.7-2 +- Ensure that drivers don't retry association when they aren't supposed to + +* Fri Jan 30 2009 Dan Williams - 1:0.6.7-1 +- Fix PEAP connections to Windows Server 2008 authenticators (rh #465022) +- Stop supplicant on uninstall (rh #447843) +- Suppress scan results message in logs (rh #466601) + +* Sun Jan 18 2009 Tomas Mraz - 1:0.6.4-3 +- rebuild with new openssl + +* Wed Oct 15 2008 Dan Williams - 1:0.6.4-2 +- Handle encryption keys correctly when switching 802.11 modes (rh #459399) +- Better scanning behavior on resume from suspend/hibernate +- Better interaction with newer kernels and drivers + +* Wed Aug 27 2008 Dan Williams - 1:0.6.4-1 +- Update to 0.6.4 +- Remove 'hostap', 'madwifi', and 'prism54' drivers; use standard 'wext' instead +- Drop upstreamed patches + +* Tue Jun 10 2008 Dan Williams - 1:0.6.3-6 +- Fix 802.11a frequency bug +- Always schedule specific SSID scans to help find hidden APs +- Properly switch between modes on mac80211 drivers +- Give adhoc connections more time to assocate + +* Mon Mar 10 2008 Christopher Aillon - 1:0.6.3-5 +- BuildRequires qt3-devel + +* Sat Mar 8 2008 Dan Williams - 1:0.6.3-4 +- Fix log file path in service config file + +* Thu Mar 6 2008 Dan Williams - 1:0.6.3-3 +- Don't start the supplicant by default when installed (rh #436380) + +* Tue Mar 4 2008 Dan Williams - 1:0.6.3-2 +- Fix a potential use-after-free in the D-Bus byte array demarshalling code + +* Mon Mar 3 2008 Dan Williams - 1:0.6.3-1 +- Update to latest development release; remove upstreamed patches + +* Fri Feb 22 2008 Dan Williams 1:0.5.7-23 +- Fix gcc 4.3 rebuild issues + +* Mon Feb 18 2008 Fedora Release Engineering - 1:0.5.7-22 +- Autorebuild for GCC 4.3 + +* Tue Dec 25 2007 Dan Williams - 0.5.7-21 +- Backport 'frequency' option for Ad-Hoc network configs + +* Mon Dec 24 2007 Dan Williams - 0.5.7-20 +- Fix LSB initscript header to ensure 'messagebus' is started first (rh #244029) + +* Thu Dec 6 2007 Dan Williams - 1:0.5.7-19 +- Fix two leaks when signalling state and scan results (rh #408141) +- Add logrotate config file (rh #404181) +- Add new LSB initscript header to initscript with correct deps (rh #244029) +- Move other runtime arguments to /etc/sysconfig/wpa_supplicant +- Start after messagebus service (rh #385191) +- Fix initscript 'condrestart' command (rh #217281) + +* Tue Dec 4 2007 Matthias Clasen - 1:0.5.7-18 +- Rebuild against new openssl + +* Tue Dec 4 2007 Ville Skyttä - 1:0.5.7-17 +- Group: Application/System -> Applications/System in -gui. + +* Tue Nov 13 2007 Dan Williams - 0.5.7-16 +- Add IW_ENCODE_TEMP patch for airo driver and Dynamic WEP +- Fix error in wpa_supplicant-0.5.7-ignore-dup-ca-cert-addition.patch that + caused the last error to not be printed +- Fix wpa_supplicant-0.5.7-ignore-dup-ca-cert-addition.patch to ignore + duplicate cert additions for all certs and keys +- Change license to BSD due to linkage against OpenSSL since there is no + OpenSSL exception in the GPLv2 license text that upstream ships + +* Sun Oct 28 2007 Dan Williams - 0.5.7-15 +- Fix Dynamic WEP associations with mac80211-based drivers + +* Sun Oct 28 2007 Dan Williams - 0.5.7-14 +- Don't error an association on duplicate CA cert additions + +* Wed Oct 24 2007 Dan Williams - 0.5.7-13 +- Correctly set the length of blobs added via the D-Bus interface + +* Wed Oct 24 2007 Dan Williams - 0.5.7-12 +- Fix conversion of byte arrays to strings by ensuring the buffer is NULL + terminated after conversion + +* Sat Oct 20 2007 Dan Williams - 0.5.7-11 +- Add BLOB support to the D-Bus interface +- Fix D-Bus interface permissions so that only root can use the wpa_supplicant + D-Bus interface + +* Tue Oct 9 2007 Dan Williams - 0.5.7-10 +- Don't segfault with dbus control interface enabled and invalid network + interface (rh #310531) + +* Tue Sep 25 2007 Dan Williams - 0.5.7-9 +- Always allow explicit wireless scans triggered from a control interface + +* Thu Sep 20 2007 Dan Williams - 0.5.7-8 +- Change system bus activation file name to work around D-Bus bug that fails + to launch services unless their .service file is named the same as the + service itself + +* Fri Aug 24 2007 Dan Williams - 0.5.7-7 +- Make SIGUSR1 change debug level on-the-fly; useful in combination with + the -f switch to log output to /var/log/wpa_supplicant.log +- Stop stripping binaries on install so we get debuginfo packages +- Remove service start requirement for interfaces & devices from sysconfig file, + since wpa_supplicant's D-Bus interface is now turned on + +* Fri Aug 17 2007 Dan Williams - 0.5.7-6 +- Fix compilation with RPM_OPT_FLAGS (rh #249951) +- Make debug output to logfile a runtime option + +* Fri Aug 17 2007 Christopher Aillon - 0.5.7-5 +- Update the license tag + +* Tue Jun 19 2007 Dan Williams - 0.5.7-4 +- Fix initscripts to use -Dwext by default, be more verbose on startup + (rh #244511) + +* Mon Jun 4 2007 Dan Williams - 0.5.7-3 +- Fix buffer overflow by removing syslog patch (#rh242455) + +* Mon Apr 9 2007 Dan Williams - 0.5.7-2 +- Add patch to send output to syslog + +* Thu Mar 15 2007 Dan Williams - 0.5.7-1 +- Update to 0.5.7 stable release + +* Fri Oct 27 2006 Dan Williams - 0.4.9-1 +- Update to 0.4.9 for WE-21 fixes, remove upstreamed patches +- Don't package doc/ because they aren't actually wpa_supplicant user documentation, + and becuase it pulls in perl + +* Wed Jul 12 2006 Jesse Keating - 0.4.8-10.1 +- rebuild + +* Thu Apr 27 2006 Dan Williams - 0.4.8-10 +- Add fix for madwifi and WEP (wpa_supplicant/hostap bud #140) (#rh190075#) +- Fix up madwifi-ng private ioctl()s for r1331 and later +- Update madwifi headers to r1475 + +* Tue Apr 25 2006 Dan Williams - 0.4.8-9 +- Enable Wired driver, PKCS12, and Smartcard options (#rh189805#) + +* Tue Apr 11 2006 Dan Williams - 0.4.8-8 +- Fix control interface key obfuscation a bit + +* Sun Apr 2 2006 Dan Williams - 0.4.8-7 +- Work around older & incorrect drivers that return null-terminated SSIDs + +* Mon Mar 27 2006 Dan Williams - 0.4.8-6 +- Add patch to make orinoco happy with WEP keys +- Enable Prism54-specific driver +- Disable ipw-specific driver; ipw2x00 should be using WEXT instead + +* Fri Mar 3 2006 Dan Williams - 0.4.8-5 +- Increase association timeout, mainly for drivers that don't + fully support WPA ioctls yet + +* Fri Mar 3 2006 Dan Williams - 0.4.8-4 +- Add additional BuildRequires #rh181914# +- Add prereq on chkconfig #rh182905# #rh182906# +- Own /var/run/wpa_supplicant and /etc/wpa_supplicant #rh183696# + +* Wed Mar 1 2006 Dan Williams - 0.4.8-3 +- Install wpa_passphrase too #rh183480# + +* Mon Feb 27 2006 Dan Williams - 0.4.8-2 +- Don't expose private data on the control interface unless requested + +* Fri Feb 24 2006 Dan Williams - 0.4.8-1 +- Downgrade to 0.4.8 stable release rather than a dev release + +* Sun Feb 12 2006 Dan Williams - 0.5.1-3 +- Documentation cleanup (Terje Rosten ) + +* Sun Feb 12 2006 Dan Williams - 0.5.1-2 +- Move initscript to /etc/rc.d/init.d + +* Fri Feb 10 2006 Jesse Keating - 0.5.1-1.2 +- bump again for double-long bug on ppc(64) + +* Tue Feb 07 2006 Jesse Keating - 0.5.1-1.1 +- rebuilt for new gcc4.1 snapshot and glibc changes + +* Sun Feb 5 2006 Dan Williams 0.5.1-1 +- Update to 0.5.1 +- Add WE auth fallback to actually work with older drivers + +* Thu Jan 26 2006 Dan Williams 0.4.7-2 +- Bring package into Fedora Core +- Add ap_scan control interface patch +- Enable madwifi-ng driver + +* Sun Jan 15 2006 Douglas E. Warner 0.4.7-1 +- upgrade to 0.4.7 +- added package w/ wpa_gui in it + +* Mon Nov 14 2005 Douglas E. Warner 0.4.6-1 +- upgrade to 0.4.6 +- adding ctrl interface changes recommended + by Hugo Paredes + +* Sun Oct 9 2005 Douglas E. Warner 0.4.5-1 +- upgrade to 0.4.5 +- updated config file wpa_supplicant is built with + especially, the ipw2100 driver changed to just ipw + and enabled a bunch more EAP +- disabled dist tag + +* Thu Jun 30 2005 Douglas E. Warner 0.4.2-3 +- fix typo in init script + +* Thu Jun 30 2005 Douglas E. Warner 0.4.2-2 +- fixing init script using fedora-extras' template +- removing chkconfig default startup + +* Tue Jun 21 2005 Douglas E. Warner 0.4.2-1 +- upgrade to 0.4.2 +- new sample conf file that will use any unrestricted AP +- make sysconfig config entry +- new BuildRoot for Fedora Extras +- adding dist tag to Release + +* Fri May 06 2005 Douglas E. Warner 0.3.8-1 +- upgrade to 0.3.8 + +* Thu Feb 10 2005 Douglas E. Warner 0.3.6-2 +- compile ipw driver in + +* Wed Feb 09 2005 Douglas E. Warner 0.3.6-1 +- upgrade to 0.3.6 + +* Thu Dec 23 2004 Douglas E. Warner 0.2.5-4 +- fixing init script + +* Mon Dec 20 2004 Douglas E. Warner 0.2.5-3 +- fixing init script +- adding post/preun items to add/remove via chkconfig + +* Mon Dec 20 2004 Douglas E. Warner 0.2.5-2 +- adding sysV scripts + +* Mon Dec 20 2004 Douglas E. Warner 0.2.5-1 +- Initial RPM release. +