commit d86086dabd4014d31d46c808b6144e1034052912
Author: MSVSphere Packaging Team
Date: Fri Oct 25 19:56:16 2024 +0300
import wpa_supplicant-2.10-11.el10
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..09da52a
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/wpa_supplicant-2.10.tar.gz
diff --git a/.wpa_supplicant.metadata b/.wpa_supplicant.metadata
new file mode 100644
index 0000000..1466ec4
--- /dev/null
+++ b/.wpa_supplicant.metadata
@@ -0,0 +1 @@
+e295b07d599da4b99c3836d4402ec5746f77e8e8 SOURCES/wpa_supplicant-2.10.tar.gz
diff --git a/SOURCES/0001-D-Bus-Add-wep_disabled-capability.patch b/SOURCES/0001-D-Bus-Add-wep_disabled-capability.patch
new file mode 100644
index 0000000..a6568dc
--- /dev/null
+++ b/SOURCES/0001-D-Bus-Add-wep_disabled-capability.patch
@@ -0,0 +1,52 @@
+From 5b093570dca1855c5bf40bcbd8d149fa6f8ea8ff Mon Sep 17 00:00:00 2001
+Message-Id: <5b093570dca1855c5bf40bcbd8d149fa6f8ea8ff.1650620058.git.davide.caratti@gmail.com>
+From: Lubomir Rintel
+Date: Mon, 7 Mar 2022 09:54:46 +0100
+Subject: [PATCH] D-Bus: Add 'wep_disabled' capability
+
+Since commit 200c7693c9a1 ('Make WEP functionality an optional build
+parameter'), WEP support is optional and, indeed, off by default.
+
+The distributions are now catching up and disabling WEP in their builds.
+Unfortunately, there's no indication prior to an attempt to connect to a
+WEP network that it's not going to work. Add a capability to communicate
+that.
+
+Unlike other capabilities, this one is negative. That is, it indicates
+lack of a WEP support as opposed to its presence. This is necessary
+because historically there has been no capability to indicate presence
+of WEP support and therefore NetworkManager (and probably others) just
+assumes it's there.
+
+Signed-off-by: Lubomir Rintel
+Acked-by: Davide Caratti
+---
+ wpa_supplicant/dbus/dbus_new_handlers.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/wpa_supplicant/dbus/dbus_new_handlers.c b/wpa_supplicant/dbus/dbus_new_handlers.c
+index 1c9ded09a..0b1002bf1 100644
+--- a/wpa_supplicant/dbus/dbus_new_handlers.c
++++ b/wpa_supplicant/dbus/dbus_new_handlers.c
+@@ -1121,7 +1121,7 @@ dbus_bool_t wpas_dbus_getter_global_capabilities(
+ const struct wpa_dbus_property_desc *property_desc,
+ DBusMessageIter *iter, DBusError *error, void *user_data)
+ {
+- const char *capabilities[13];
++ const char *capabilities[14];
+ size_t num_items = 0;
+ struct wpa_global *global = user_data;
+ struct wpa_supplicant *wpa_s;
+@@ -1177,6 +1177,9 @@ dbus_bool_t wpas_dbus_getter_global_capabilities(
+ #endif /* CONFIG_SUITEB192 */
+ if (ext_key_id_supported)
+ capabilities[num_items++] = "extended_key_id";
++#ifndef CONFIG_WEP
++ capabilities[num_items++] = "wep_disabled";
++#endif /* !CONFIG_WEP */
+
+ return wpas_dbus_simple_array_property_getter(iter,
+ DBUS_TYPE_STRING,
+--
+2.35.1
+
diff --git a/SOURCES/0001-EAP-peer-Workaround-for-servers-that-do-not-support-.patch b/SOURCES/0001-EAP-peer-Workaround-for-servers-that-do-not-support-.patch
new file mode 100644
index 0000000..3a2ffaf
--- /dev/null
+++ b/SOURCES/0001-EAP-peer-Workaround-for-servers-that-do-not-support-.patch
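Review bot: `capabilities[14]` in the first dbus_new_handlers.c hunk is a hand-maintained bound: nothing compares `num_items` with the array size, so a future capability added without bumping the count silently writes past the end of a stack array. Because every `capabilities[num_items++] = ...` site is conditionally compiled, the compiler cannot size the array for you, so a comment at the declaration, `/* sized to the number of capabilities[num_items++] sites below; bump when adding one */`, is the cheapest way to make the invariant visible to the next person adding an entry. wpas_dbus_getter_global_capabilities continues between and after the hunks shown.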
@@ -0,0 +1,103 @@
+From 566ce69a8d0e64093309cbde80235aa522fbf84e Mon Sep 17 00:00:00 2001
+Message-Id: <566ce69a8d0e64093309cbde80235aa522fbf84e.1652450572.git.davide.caratti@gmail.com>
+From: Jouni Malinen
+Date: Thu, 5 May 2022 00:07:44 +0300
+Subject: [PATCH] EAP peer: Workaround for servers that do not support safe TLS
+ renegotiation
+
+The TLS protocol design for renegotiation was identified to have a
+significant security flaw in 2009 and an extension to secure this design
+was published in 2010 (RFC 5746). However, some old RADIUS
+authentication servers without support for this are still used commonly.
+
+This is obviously not good from the security view point, but since there
+are cases where the user of a network service has no realistic means for
+getting the authentication server upgraded, TLS handshake may still need
+to be allowed to be able to use the network.
+
+OpenSSL 3.0 disabled the client side workaround by default and this
+resulted in issues connection to some networks with insecure
+authentication servers. With OpenSSL 3.0, the client is now enforcing
+security by refusing to authenticate with such servers. The pre-3.0
+behavior of ignoring this issue and leaving security to the server can
+now be enabled with a new phase1 parameter allow_unsafe_renegotiation=1.
+This should be used only when having to connect to a network that has an
+insecure authentication server that cannot be upgraded.
+
+The old (pre-2010) TLS renegotiation mechanism might open security
+vulnerabilities if the authentication server were to allow TLS
+renegotiation to be initiated. While this is unlikely to cause real
+issues with EAP-TLS, there might be cases where use of PEAP or TTLS with
+an authentication server that does not support RFC 5746 might result in
+a security vulnerability.
+
+Signed-off-by: Jouni Malinen
+---
+ src/crypto/tls.h | 1 +
+ src/crypto/tls_openssl.c | 5 +++++
+ src/eap_peer/eap_tls_common.c | 4 ++++
+ wpa_supplicant/wpa_supplicant.conf | 5 +++++
+ 4 files changed, 15 insertions(+)
+
+diff --git a/src/crypto/tls.h b/src/crypto/tls.h
+index ccaac94c9..7ea32ee4a 100644
+--- a/src/crypto/tls.h
++++ b/src/crypto/tls.h
+@@ -112,6 +112,7 @@ struct tls_config {
+ #define TLS_CONN_ENABLE_TLSv1_1 BIT(15)
+ #define TLS_CONN_ENABLE_TLSv1_2 BIT(16)
+ #define TLS_CONN_TEAP_ANON_DH BIT(17)
++#define TLS_CONN_ALLOW_UNSAFE_RENEGOTIATION BIT(18)
+
+ /**
+ * struct tls_connection_params - Parameters for TLS connection
+diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
+index 388c6b0f4..0d23f44ad 100644
+--- a/src/crypto/tls_openssl.c
++++ b/src/crypto/tls_openssl.c
+@@ -3081,6 +3081,11 @@ static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags,
+ SSL_clear_options(ssl, SSL_OP_NO_TICKET);
+ #endif /* SSL_OP_NO_TICKET */
+
++#ifdef SSL_OP_LEGACY_SERVER_CONNECT
++ if (flags & TLS_CONN_ALLOW_UNSAFE_RENEGOTIATION)
++ SSL_set_options(ssl, SSL_OP_LEGACY_SERVER_CONNECT);
++#endif /* SSL_OP_LEGACY_SERVER_CONNECT */
++
+ #ifdef SSL_OP_NO_TLSv1
+ if (flags & TLS_CONN_DISABLE_TLSv1_0)
+ SSL_set_options(ssl, SSL_OP_NO_TLSv1);
+diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c
+index 06c9b211e..6193b4bdb 100644
+--- a/src/eap_peer/eap_tls_common.c
++++ b/src/eap_peer/eap_tls_common.c
+@@ -102,6 +102,10 @@ static void eap_tls_params_flags(struct tls_connection_params *params,
+ params->flags |= TLS_CONN_SUITEB_NO_ECDH;
+ if (os_strstr(txt, "tls_suiteb_no_ecdh=0"))
+ params->flags &= ~TLS_CONN_SUITEB_NO_ECDH;
++ if (os_strstr(txt, "allow_unsafe_renegotiation=1"))
++ params->flags |= TLS_CONN_ALLOW_UNSAFE_RENEGOTIATION;
++ if (os_strstr(txt, "allow_unsafe_renegotiation=0"))
++ params->flags &= ~TLS_CONN_ALLOW_UNSAFE_RENEGOTIATION;
+ }
+
+
+diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
+index a1dc769c9..b5304a77e 100644
+--- a/wpa_supplicant/wpa_supplicant.conf
++++ b/wpa_supplicant/wpa_supplicant.conf
+@@ -1370,6 +1370,11 @@ fast_reauth=1
+ # tls_suiteb=0 - do not apply Suite B 192-bit constraints on TLS (default)
+ # tls_suiteb=1 - apply Suite B 192-bit constraints on TLS; this is used in
+ # particular when using Suite B with RSA keys of >= 3K (3072) bits
++# allow_unsafe_renegotiation=1 - allow connection with a TLS server that does
++# not support safe renegotiation (RFC 5746); please note that this
++# workaround should be only when having to authenticate with an old
++# authentication server that cannot be updated to use secure TLS
++# implementation.
+ #
+ # Following certificate/private key fields are used in inner Phase2
+ # authentication when using EAP-TTLS or EAP-PEAP.
+--
+2.35.1
+
diff --git a/SOURCES/0001-EAP-peer-status-notification-for-server-not-supporti.patch b/SOURCES/0001-EAP-peer-status-notification-for-server-not-supporti.patch
new file mode 100644
index 0000000..06807ee
--- /dev/null
+++ b/SOURCES/0001-EAP-peer-status-notification-for-server-not-supporti.patch
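Review bot: In the tls_openssl.c hunk the new flag only ever sets `SSL_OP_LEGACY_SERVER_CONNECT`; there is no `SSL_clear_options()` counterpart, unlike the `SSL_OP_NO_TICKET` handling visible directly above it. On OpenSSL releases that enable that option by default (the 1.x series did; 3.0 turned it off) the `allow_unsafe_renegotiation=0` form parsed in eap_tls_common.c therefore cannot switch the legacy behaviour off, so it is not an opt-out everywhere — if the phase1 setting is meant to be authoritative, add `else SSL_clear_options(ssl, SSL_OP_LEGACY_SERVER_CONNECT);` under the `#ifdef`; if the intent is only to restore pre-3.0 behaviour on request, a comment saying so would stop the next reader from assuming symmetry. The wpa_supplicant.conf text also drops a word: `workaround should be only when` should read `workaround should be used only when`. tls_set_conn_flags starts and ends outside the hunk.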
@@ -0,0 +1,106 @@
+From a561d12d24c2c8bb0f825d4a3a55a5e47e845853 Mon Sep 17 00:00:00 2001
+Message-Id:
+From: Jouni Malinen
+Date: Wed, 4 May 2022 23:55:38 +0300
+Subject: [PATCH] EAP peer status notification for server not supporting RFC
+ 5746
+
+Add a notification message to indicate reason for TLS handshake failure
+due to the server not supporting safe renegotiation (RFC 5746).
+
+Signed-off-by: Jouni Malinen
+---
+ src/ap/authsrv.c | 3 +++
+ src/crypto/tls.h | 3 ++-
+ src/crypto/tls_openssl.c | 15 +++++++++++++--
+ src/eap_peer/eap.c | 5 +++++
+ 4 files changed, 23 insertions(+), 3 deletions(-)
+
+diff --git a/src/ap/authsrv.c b/src/ap/authsrv.c
+index 516c1da74..fd9c96fad 100644
+--- a/src/ap/authsrv.c
++++ b/src/ap/authsrv.c
+@@ -169,6 +169,9 @@ static void authsrv_tls_event(void *ctx, enum tls_event ev,
+ wpa_printf(MSG_DEBUG, "authsrv: remote TLS alert: %s",
+ data->alert.description);
+ break;
++ case TLS_UNSAFE_RENEGOTIATION_DISABLED:
++ /* Not applicable to TLS server */
++ break;
+ }
+ }
+ #endif /* EAP_TLS_FUNCS */
+diff --git a/src/crypto/tls.h b/src/crypto/tls.h
+index 7ea32ee4a..7a2ee32df 100644
+--- a/src/crypto/tls.h
++++ b/src/crypto/tls.h
+@@ -22,7 +22,8 @@ enum tls_event {
+ TLS_CERT_CHAIN_SUCCESS,
+ TLS_CERT_CHAIN_FAILURE,
+ TLS_PEER_CERTIFICATE,
+- TLS_ALERT
++ TLS_ALERT,
++ TLS_UNSAFE_RENEGOTIATION_DISABLED,
+ };
+
+ /*
+diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
+index 0d23f44ad..912471ba2 100644
+--- a/src/crypto/tls_openssl.c
++++ b/src/crypto/tls_openssl.c
+@@ -4443,6 +4443,7 @@ int tls_connection_get_eap_fast_key(void *tls_ctx, struct tls_connection *conn,
+ static struct wpabuf *
+ openssl_handshake(struct tls_connection *conn, const struct wpabuf *in_data)
+ {
++ struct tls_context *context = conn->context;
+ int res;
+ struct wpabuf *out_data;
+
+@@ -4472,7 +4473,19 @@ openssl_handshake(struct tls_connection *conn, const struct wpabuf *in_data)
+ wpa_printf(MSG_DEBUG, "SSL: SSL_connect - want to "
+ "write");
+ else {
++ unsigned long error = ERR_peek_last_error();
++
+ tls_show_errors(MSG_INFO, __func__, "SSL_connect");
++
++ if (context->event_cb &&
++ ERR_GET_LIB(error) == ERR_LIB_SSL &&
++ ERR_GET_REASON(error) ==
++ SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED) {
++ context->event_cb(
++ context->cb_ctx,
++ TLS_UNSAFE_RENEGOTIATION_DISABLED,
++ NULL);
++ }
+ conn->failed++;
+ if (!conn->server && !conn->client_hello_generated) {
+ /* The server would not understand TLS Alert
+@@ -4495,8 +4508,6 @@ openssl_handshake(struct tls_connection *conn, const struct wpabuf *in_data)
+ if ((conn->flags & TLS_CONN_SUITEB) && !conn->server &&
+ os_strncmp(SSL_get_cipher(conn->ssl), "DHE-", 4) == 0 &&
+ conn->server_dh_prime_len < 3072) {
+- struct tls_context *context = conn->context;
+-
+ /*
+ * This should not be reached since earlier cert_cb should have
+ * terminated the handshake. Keep this check here for extra
+diff --git a/src/eap_peer/eap.c b/src/eap_peer/eap.c
+index 429b20d3a..729388f4f 100644
+--- a/src/eap_peer/eap.c
++++ b/src/eap_peer/eap.c
+@@ -2172,6 +2172,11 @@ static void eap_peer_sm_tls_event(void *ctx, enum tls_event ev,
+ eap_notify_status(sm, "remote TLS alert",
+ data->alert.description);
+ break;
++ case TLS_UNSAFE_RENEGOTIATION_DISABLED:
++ wpa_printf(MSG_INFO,
++ "TLS handshake failed due to the server not supporting safe renegotiation (RFC 5746); phase1 parameter allow_unsafe_renegotiation=1 can be used to work around this");
++ eap_notify_status(sm, "unsafe server renegotiation", "failure");
++ break;
+ }
+
+ os_free(hash_hex);
+--
+2.35.1
+
diff --git a/SOURCES/wpa_supplicant-MACsec-Support-GCM-AES-256-cipher-suite.patch b/SOURCES/wpa_supplicant-MACsec-Support-GCM-AES-256-cipher-suite.patch
new file mode 100644
index 0000000..24956a9
--- /dev/null
+++ b/SOURCES/wpa_supplicant-MACsec-Support-GCM-AES-256-cipher-suite.patch
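Review bot: In the second tls_openssl.c hunk `ERR_peek_last_error()` is deliberately taken before `tls_show_errors()`, and that ordering is load-bearing if, as its name suggests, tls_show_errors() drains the OpenSSL error queue with ERR_get_error(); nothing in the code says so, and a reorder during a later cleanup would silently disable the notification. A comment on the new declaration, `/* peek before tls_show_errors() consumes the queue */`, would protect it. `ERR_peek_last_error()` also reports only the most recently queued entry, so if another SSL-library error is stacked on top of SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED the event is not raised; that is acceptable for a best-effort diagnostic but belongs in the same comment. openssl_handshake starts and ends outside the hunks shown.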
@@ -0,0 +1,192 @@
+From 46c635910a724ed14ee9ace549fed9790ed5980b Mon Sep 17 00:00:00 2001
+Message-ID: <46c635910a724ed14ee9ace549fed9790ed5980b.1706279119.git.davide.caratti@gmail.com>
+From: leiwei
+Date: Mon, 15 Nov 2021 18:22:19 +0800
+Subject: [PATCH] MACsec: Support GCM-AES-256 cipher suite
+
+Allow macsec_csindex to be configured and select the cipher suite when
+the participant acts as a key server.
+
+Signed-off-by: leiwei
+---
+ hostapd/config_file.c | 10 ++++++++++
+ hostapd/hostapd.conf | 4 ++++
+ src/ap/ap_config.h | 7 +++++++
+ src/ap/wpa_auth_kay.c | 4 +++-
+ src/pae/ieee802_1x_cp.c | 8 ++++----
+ src/pae/ieee802_1x_kay.c | 17 +++++++++++++----
+ src/pae/ieee802_1x_kay.h | 3 ++-
+ wpa_supplicant/config.c | 1 +
+ wpa_supplicant/config_file.c | 1 +
+ wpa_supplicant/config_ssid.h | 7 +++++++
+ wpa_supplicant/wpas_kay.c | 4 ++--
+ 11 files changed, 54 insertions(+), 12 deletions(-)
+
+--- a/src/ap/ap_config.h
++++ b/src/ap/ap_config.h
+@@ -849,6 +849,13 @@ struct hostapd_bss_config {
+ int mka_priority;
+
+ /**
++ * macsec_csindex - Cipher suite index for MACsec
++ *
++ * Range: 0-1 (default: 0)
++ */
++ int macsec_csindex;
++
++ /**
+ * mka_ckn - MKA pre-shared CKN
+ */
+ #define MACSEC_CKN_MAX_LEN 32
+--- a/src/ap/wpa_auth_kay.c
++++ b/src/ap/wpa_auth_kay.c
+@@ -329,7 +329,9 @@ int ieee802_1x_alloc_kay_sm_hapd(struct
+ hapd->conf->macsec_replay_protect,
+ hapd->conf->macsec_replay_window,
+ hapd->conf->macsec_port,
+- hapd->conf->mka_priority, hapd->conf->iface,
++ hapd->conf->mka_priority,
++ hapd->conf->macsec_csindex,
++ hapd->conf->iface,
+ hapd->own_addr);
+ /* ieee802_1x_kay_init() frees kay_ctx on failure */
+ if (!res)
+--- a/src/pae/ieee802_1x_cp.c
++++ b/src/pae/ieee802_1x_cp.c
+@@ -20,7 +20,7 @@
+ #define STATE_MACHINE_DATA struct ieee802_1x_cp_sm
+ #define STATE_MACHINE_DEBUG_PREFIX "CP"
+
+-static u64 default_cs_id = CS_ID_GCM_AES_128;
++static u64 cs_id[] = { CS_ID_GCM_AES_128, CS_ID_GCM_AES_256 };
+
+ /* The variable defined in clause 12 in IEEE Std 802.1X-2010 */
+ enum connect_type { PENDING, UNAUTHENTICATED, AUTHENTICATED, SECURE };
+@@ -210,7 +210,6 @@ SM_STATE(CP, SECURED)
+ sm->replay_protect = sm->kay->macsec_replay_protect;
+ sm->validate_frames = sm->kay->macsec_validate;
+
+- /* NOTE: now no other than default cipher suite (AES-GCM-128) */
+ sm->current_cipher_suite = sm->cipher_suite;
+ secy_cp_control_current_cipher_suite(sm->kay, sm->current_cipher_suite);
+
+@@ -473,8 +472,8 @@ struct ieee802_1x_cp_sm * ieee802_1x_cp_
+ sm->orx = false;
+ sm->otx = false;
+
+- sm->current_cipher_suite = default_cs_id;
+- sm->cipher_suite = default_cs_id;
++ sm->current_cipher_suite = cs_id[kay->macsec_csindex];
++ sm->cipher_suite = cs_id[kay->macsec_csindex];
+ sm->cipher_offset = CONFIDENTIALITY_OFFSET_0;
+ sm->confidentiality_offset = sm->cipher_offset;
+ sm->transmit_delay = MKA_LIFE_TIME;
+@@ -491,6 +490,7 @@ struct ieee802_1x_cp_sm * ieee802_1x_cp_
+ secy_cp_control_enable_port(sm->kay, sm->controlled_port_enabled);
+ secy_cp_control_confidentiality_offset(sm->kay,
+ sm->confidentiality_offset);
++ secy_cp_control_current_cipher_suite(sm->kay, sm->current_cipher_suite);
+
+ SM_STEP_RUN(CP);
+
+--- a/src/pae/ieee802_1x_kay.c
++++ b/src/pae/ieee802_1x_kay.c
+@@ -221,8 +221,16 @@ ieee802_1x_mka_dump_dist_sak_body(struct
+
+ wpa_printf(MSG_DEBUG, "\tKey Number............: %d",
+ be_to_host32(body->kn));
+- /* TODO: Other than GCM-AES-128 case: MACsec Cipher Suite */
+- wpa_hexdump(MSG_DEBUG, "\tAES Key Wrap of SAK...:", body->sak, 24);
++ if (body_len == 28) {
++ wpa_hexdump(MSG_DEBUG, "\tAES Key Wrap of SAK...:",
++ body->sak, 24);
++ } else if (body_len > CS_ID_LEN - sizeof(body->kn)) {
++ wpa_hexdump(MSG_DEBUG, "\tMACsec Cipher Suite...:",
++ body->sak, CS_ID_LEN);
++ wpa_hexdump(MSG_DEBUG, "\tAES Key Wrap of SAK...:",
++ body->sak + CS_ID_LEN,
++ body_len - CS_ID_LEN - sizeof(body->kn));
++ }
+ }
+
+
+@@ -3456,7 +3464,8 @@ static void kay_l2_receive(void *ctx, co
+ struct ieee802_1x_kay *
+ ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
+ bool macsec_replay_protect, u32 macsec_replay_window,
+- u16 port, u8 priority, const char *ifname, const u8 *addr)
++ u16 port, u8 priority, u32 macsec_csindex,
++ const char *ifname, const u8 *addr)
+ {
+ struct ieee802_1x_kay *kay;
+
+@@ -3493,7 +3502,7 @@ ieee802_1x_kay_init(struct ieee802_1x_ka
+ kay->dist_time = 0;
+
+ kay->pn_exhaustion = PENDING_PN_EXHAUSTION;
+- kay->macsec_csindex = DEFAULT_CS_INDEX;
++ kay->macsec_csindex = macsec_csindex;
+ kay->mka_algindex = DEFAULT_MKA_ALG_INDEX;
+ kay->mka_version = MKA_VERSION_ID;
+
+--- a/src/pae/ieee802_1x_kay.h
++++ b/src/pae/ieee802_1x_kay.h
+@@ -240,7 +240,8 @@ u64 mka_sci_u64(struct ieee802_1x_mka_sc
+ struct ieee802_1x_kay *
+ ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
+ bool macsec_replay_protect, u32 macsec_replay_window,
+- u16 port, u8 priority, const char *ifname, const u8 *addr);
++ u16 port, u8 priority, u32 macsec_csindex,
++ const char *ifname, const u8 *addr);
+ void ieee802_1x_kay_deinit(struct ieee802_1x_kay *kay);
+
+ struct ieee802_1x_mka_participant *
+--- a/wpa_supplicant/config.c
++++ b/wpa_supplicant/config.c
+@@ -2612,6 +2612,7 @@ static const struct parse_data ssid_fiel
+ { INT(macsec_replay_window) },
+ { INT_RANGE(macsec_port, 1, 65534) },
+ { INT_RANGE(mka_priority, 0, 255) },
++ { INT_RANGE(macsec_csindex, 0, 1) },
+ { FUNC_KEY(mka_cak) },
+ { FUNC_KEY(mka_ckn) },
+ #endif /* CONFIG_MACSEC */
+--- a/wpa_supplicant/config_file.c
++++ b/wpa_supplicant/config_file.c
+@@ -810,6 +810,7 @@ static void wpa_config_write_network(FIL
+ INT(macsec_replay_window);
+ INT(macsec_port);
+ INT_DEF(mka_priority, DEFAULT_PRIO_NOT_KEY_SERVER);
++ INT(macsec_csindex);
+ #endif /* CONFIG_MACSEC */
+ #ifdef CONFIG_HS20
+ INT(update_identifier);
+--- a/wpa_supplicant/config_ssid.h
++++ b/wpa_supplicant/config_ssid.h
+@@ -912,6 +912,13 @@ struct wpa_ssid {
+ int mka_priority;
+
+ /**
++ * macsec_csindex - Cipher suite index for MACsec
++ *
++ * Range: 0-1 (default: 0)
++ */
++ int macsec_csindex;
++
++ /**
+ * mka_ckn - MKA pre-shared CKN
+ */
+ #define MACSEC_CKN_MAX_LEN 32
+--- a/wpa_supplicant/wpas_kay.c
++++ b/wpa_supplicant/wpas_kay.c
+@@ -241,8 +241,8 @@ int ieee802_1x_alloc_kay_sm(struct wpa_s
+
+ res = ieee802_1x_kay_init(kay_ctx, policy, ssid->macsec_replay_protect,
+ ssid->macsec_replay_window, ssid->macsec_port,
+- ssid->mka_priority, wpa_s->ifname,
+- wpa_s->own_addr);
++ ssid->mka_priority, ssid->macsec_csindex,
++ wpa_s->ifname, wpa_s->own_addr);
+ /* ieee802_1x_kay_init() frees kay_ctx on failure */
+ if (res == NULL)
+ return -1;
diff --git a/SOURCES/wpa_supplicant-P2P-Remove-pending-p2p-listen-radio-work-on-stopping.patch b/SOURCES/wpa_supplicant-P2P-Remove-pending-p2p-listen-radio-work-on-stopping.patch
new file mode 100644
index 0000000..b4f2153
--- /dev/null
+++ b/SOURCES/wpa_supplicant-P2P-Remove-pending-p2p-listen-radio-work-on-stopping.patch
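Review bot: In the ieee802_1x_kay.c dump hunk the guard `body_len > CS_ID_LEN - sizeof(body->kn)` admits lengths above that difference but below `CS_ID_LEN + sizeof(body->kn)` (5..11 if CS_ID_LEN is 8 and kn is 4 bytes), for which `body_len - CS_ID_LEN - sizeof(body->kn)` wraps to a huge size and wpa_hexdump reads far past the body; the intended guard looks like `} else if (body_len > CS_ID_LEN + sizeof(body->kn)) {`. Whether the caller has already rejected such body lengths cannot be seen from here, but a debug dump should not rely on it. The new `cs_id[kay->macsec_csindex]` lookups in ieee802_1x_cp.c are bounded only by the front ends: wpa_supplicant's parser uses `INT_RANGE(macsec_csindex, 0, 1)`, while the hostapd/config_file.c and hostapd/hostapd.conf changes listed in the diffstat are absent from the patch body, so the hostapd-side range check cannot be verified here; rejecting an index of 2 or more in ieee802_1x_kay_init() before it is stored would make the table lookup safe regardless of the caller. ieee802_1x_mka_dump_dist_sak_body and ieee802_1x_kay_init both start outside the hunks shown.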
@@ -0,0 +1,42 @@
+From 3242793cb8df65122a11d1a90914c308c936c52f Mon Sep 17 00:00:00 2001
+Message-ID: <3242793cb8df65122a11d1a90914c308c936c52f.1718814356.git.davide.caratti@gmail.com>
+From: Jouni Malinen
+Date: Sat, 28 Oct 2023 17:23:25 +0300
+Subject: [PATCH] P2P: Remove pending p2p-listen radio work on stopping listen
+
+Some kind of race condition seemed to be hit at least in test sequence
+"p2p_ext_vendor_elem_invitation pasn_comeback_after_0_sae" where the P2P
+invitation response could have been received just after having scheduled
+a new p2p-listen radio work, but before that work had been started. In
+the case of accepted invitation, this could result in unnecessary extra
+delay when that p2p-listen work ended up getting started at the exact
+time that the local device was starting GO.
+
+Avoid this race condition by removing the pending p2p-listen radio work
+when P2P listen is stopped.
+
+Signed-off-by: Jouni Malinen
+---
+ wpa_supplicant/p2p_supplicant.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/wpa_supplicant/p2p_supplicant.c b/wpa_supplicant/p2p_supplicant.c
+index e60beda72..de597cbb0 100644
+--- a/wpa_supplicant/p2p_supplicant.c
++++ b/wpa_supplicant/p2p_supplicant.c
+@@ -2796,6 +2796,12 @@ static void wpas_stop_listen(void *ctx)
+ wpa_drv_probe_req_report(wpa_s, 0);
+
+ wpas_p2p_listen_work_done(wpa_s);
++
++ if (radio_work_pending(wpa_s, "p2p-listen")) {
++ wpa_printf(MSG_DEBUG,
++ "P2P: p2p-listen is still pending - remove it");
++ radio_remove_works(wpa_s, "p2p-listen", 0);
++ }
+ }
+
+
+--
+2.45.1
+
diff --git a/SOURCES/wpa_supplicant-PEAP-client-Update-Phase-2-authentication-requiremen.patch b/SOURCES/wpa_supplicant-PEAP-client-Update-Phase-2-authentication-requiremen.patch
new file mode 100644
index 0000000..bf3d8ed
--- /dev/null
+++ b/SOURCES/wpa_supplicant-PEAP-client-Update-Phase-2-authentication-requiremen.patch
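Review bot: The literal `0` passed to `radio_remove_works(wpa_s, "p2p-listen", 0)` is opaque at the call site; the preceding `radio_work_pending()` check suggests it selects removal of not-yet-started work only, but a reader cannot confirm that without opening radio_remove_works. A one-line comment above the call, `/* drop only the queued, not-yet-started p2p-listen work */` (worded to match whatever the flag actually selects), would record the intent next to the debug message. wpas_stop_listen starts outside the hunk.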
@@ -0,0 +1,198 @@
+From 8e6485a1bcb0baffdea9e55255a81270b768439c Mon Sep 17 00:00:00 2001
+Message-ID: <8e6485a1bcb0baffdea9e55255a81270b768439c.1708356763.git.davide.caratti@gmail.com>
+From: Jouni Malinen
+Date: Sat, 8 Jul 2023 19:55:32 +0300
+Subject: [PATCH] PEAP client: Update Phase 2 authentication requirements
+
+The previous PEAP client behavior allowed the server to skip Phase 2
+authentication with the expectation that the server was authenticated
+during Phase 1 through TLS server certificate validation. Various PEAP
+specifications are not exactly clear on what the behavior on this front
+is supposed to be and as such, this ended up being more flexible than
+the TTLS/FAST/TEAP cases. However, this is not really ideal when
+unfortunately common misconfiguration of PEAP is used in deployed
+devices where the server trust root (ca_cert) is not configured or the
+user has an easy option for allowing this validation step to be skipped.
+
+Change the default PEAP client behavior to be to require Phase 2
+authentication to be successfully completed for cases where TLS session
+resumption is not used and the client certificate has not been
+configured. Those two exceptions are the main cases where a deployed
+authentication server might skip Phase 2 and as such, where a more
+strict default behavior could result in undesired interoperability
+issues. Requiring Phase 2 authentication will end up disabling TLS
+session resumption automatically to avoid interoperability issues.
+
+Allow Phase 2 authentication behavior to be configured with a new phase1
+configuration parameter option:
+'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
+tunnel) behavior for PEAP:
+ * 0 = do not require Phase 2 authentication
+ * 1 = require Phase 2 authentication when client certificate
+ (private_key/client_cert) is no used and TLS session resumption was
+ not used (default)
+ * 2 = require Phase 2 authentication in all cases
+
+Signed-off-by: Jouni Malinen
+---
+ src/eap_peer/eap_config.h | 8 ++++++
+ src/eap_peer/eap_peap.c | 40 +++++++++++++++++++++++++++---
+ src/eap_peer/eap_tls_common.c | 6 +++++
+ src/eap_peer/eap_tls_common.h | 5 ++++
+ wpa_supplicant/wpa_supplicant.conf | 7 ++++++
+ 5 files changed, 63 insertions(+), 3 deletions(-)
+
+--- a/src/eap_peer/eap_config.h
++++ b/src/eap_peer/eap_config.h
+@@ -469,6 +469,14 @@ struct eap_peer_config {
+ * 1 = use cryptobinding if server supports it
+ * 2 = require cryptobinding
+ *
++ * phase2_auth option can be used to control Phase 2 (i.e., within TLS
++ * tunnel) behavior for PEAP:
++ * 0 = do not require Phase 2 authentication
++ * 1 = require Phase 2 authentication when client certificate
++ * (private_key/client_cert) is no used and TLS session resumption was
++ * not used (default)
++ * 2 = require Phase 2 authentication in all cases
++ *
+ * EAP-WSC (WPS) uses following options: pin=Device_Password and
+ * uuid=Device_UUID
+ *
+--- a/src/eap_peer/eap_peap.c
++++ b/src/eap_peer/eap_peap.c
+@@ -67,6 +67,7 @@ struct eap_peap_data {
+ u8 cmk[20];
+ int soh; /* Whether IF-TNCCS-SOH (Statement of Health; Microsoft NAP)
+ * is enabled. */
++ enum { NO_AUTH, FOR_INITIAL, ALWAYS } phase2_auth;
+ };
+
+
+@@ -114,6 +115,19 @@ static void eap_peap_parse_phase1(struct
+ wpa_printf(MSG_DEBUG, "EAP-PEAP: Require cryptobinding");
+ }
+
++ if (os_strstr(phase1, "phase2_auth=0")) {
++ data->phase2_auth = NO_AUTH;
++ wpa_printf(MSG_DEBUG,
++ "EAP-PEAP: Do not require Phase 2 authentication");
++ } else if (os_strstr(phase1, "phase2_auth=1")) {
++ data->phase2_auth = FOR_INITIAL;
++ wpa_printf(MSG_DEBUG,
++ "EAP-PEAP: Require Phase 2 authentication for initial connection");
++ } else if (os_strstr(phase1, "phase2_auth=2")) {
++ data->phase2_auth = ALWAYS;
++ wpa_printf(MSG_DEBUG,
++ "EAP-PEAP: Require Phase 2 authentication for all cases");
++ }
+ #ifdef EAP_TNC
+ if (os_strstr(phase1, "tnc=soh2")) {
+ data->soh = 2;
+@@ -142,6 +156,7 @@ static void * eap_peap_init(struct eap_s
+ data->force_peap_version = -1;
+ data->peap_outer_success = 2;
+ data->crypto_binding = OPTIONAL_BINDING;
++ data->phase2_auth = FOR_INITIAL;
+
+ if (config && config->phase1)
+ eap_peap_parse_phase1(data, config->phase1);
+@@ -454,6 +469,20 @@ static int eap_tlv_validate_cryptobindin
+ }
+
+
++static bool peap_phase2_sufficient(struct eap_sm *sm,
++ struct eap_peap_data *data)
++{
++ if ((data->phase2_auth == ALWAYS ||
++ (data->phase2_auth == FOR_INITIAL &&
++ !tls_connection_resumed(sm->ssl_ctx, data->ssl.conn) &&
++ !data->ssl.client_cert_conf) ||
++ data->phase2_eap_started) &&
++ !data->phase2_eap_success)
++ return false;
++ return true;
++}
++
++
+ /**
+ * eap_tlv_process - Process a received EAP-TLV message and generate a response
+ * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
+@@ -568,6 +597,11 @@ static int eap_tlv_process(struct eap_sm
+ " - force failed Phase 2");
+ resp_status = EAP_TLV_RESULT_FAILURE;
+ ret->decision = DECISION_FAIL;
++ } else if (!peap_phase2_sufficient(sm, data)) {
++ wpa_printf(MSG_INFO,
++ "EAP-PEAP: Server indicated Phase 2 success, but sufficient Phase 2 authentication has not been completed");
++ resp_status = EAP_TLV_RESULT_FAILURE;
++ ret->decision = DECISION_FAIL;
+ } else {
+ resp_status = EAP_TLV_RESULT_SUCCESS;
+ ret->decision = DECISION_UNCOND_SUCC;
+@@ -887,8 +921,7 @@ continue_req:
+ /* EAP-Success within TLS tunnel is used to indicate
+ * shutdown of the TLS channel. The authentication has
+ * been completed. */
+- if (data->phase2_eap_started &&
+- !data->phase2_eap_success) {
++ if (!peap_phase2_sufficient(sm, data)) {
+ wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 "
+ "Success used to indicate success, "
+ "but Phase 2 EAP was not yet "
+@@ -1199,8 +1232,9 @@ static struct wpabuf * eap_peap_process(
+ static bool eap_peap_has_reauth_data(struct eap_sm *sm, void *priv)
+ {
+ struct eap_peap_data *data = priv;
++
+ return tls_connection_established(sm->ssl_ctx, data->ssl.conn) &&
+- data->phase2_success;
++ data->phase2_success && data->phase2_auth != ALWAYS;
+ }
+
+
+--- a/src/eap_peer/eap_tls_common.c
++++ b/src/eap_peer/eap_tls_common.c
+@@ -239,6 +239,12 @@ static int eap_tls_params_from_conf(stru
+
+ sm->ext_cert_check = !!(params->flags & TLS_CONN_EXT_CERT_CHECK);
+
++ if (!phase2)
++ data->client_cert_conf = params->client_cert ||
++ params->client_cert_blob ||
++ params->private_key ||
++ params->private_key_blob;
++
+ return 0;
+ }
+
+--- a/src/eap_peer/eap_tls_common.h
++++ b/src/eap_peer/eap_tls_common.h
+@@ -79,6 +79,11 @@ struct eap_ssl_data {
+ * tls_v13 - Whether TLS v1.3 or newer is used
+ */
+ int tls_v13;
++
++ /**
++ * client_cert_conf: Whether client certificate has been configured
++ */
++ bool client_cert_conf;
+ };
+
+
+--- a/wpa_supplicant/wpa_supplicant.conf
++++ b/wpa_supplicant/wpa_supplicant.conf
+@@ -1330,6 +1330,13 @@ fast_reauth=1
+ # * 0 = do not use cryptobinding (default)
+ # * 1 = use cryptobinding if server supports it
+ # * 2 = require cryptobinding
++# 'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
++# tunnel) behavior for PEAP:
++# * 0 = do not require Phase 2 authentication
++# * 1 = require Phase 2 authentication when client certificate
++# (private_key/client_cert) is no used and TLS session resumption was
++# not used (default)
++# * 2 = require Phase 2 authentication in all cases
+ # EAP-WSC (WPS) uses following options: pin= or
+ # pbc=1.
+ #
diff --git a/SOURCES/wpa_supplicant-assoc-timeout.patch b/SOURCES/wpa_supplicant-assoc-timeout.patch
new file mode 100644
index 0000000..c3b3568
--- /dev/null
+++ b/SOURCES/wpa_supplicant-assoc-timeout.patch
@@ -0,0 +1,16 @@
+diff -up wpa_supplicant-0.7.3/wpa_supplicant/wpa_supplicant.c.assoc-timeout wpa_supplicant-0.7.3/wpa_supplicant/wpa_supplicant.c
+--- wpa_supplicant-0.7.3/wpa_supplicant/wpa_supplicant.c.assoc-timeout 2010-09-07 10:43:39.000000000 -0500
++++ wpa_supplicant-0.7.3/wpa_supplicant/wpa_supplicant.c 2010-12-07 18:57:45.163457000 -0600
+@@ -1262,10 +1262,10 @@ void wpa_supplicant_associate(struct wpa
+
+ if (assoc_failed) {
+ /* give IBSS a bit more time */
+- timeout = ssid->mode == WPAS_MODE_IBSS ? 10 : 5;
++ timeout = ssid->mode == WPAS_MODE_IBSS ? 20 : 10;
+ } else if (wpa_s->conf->ap_scan == 1) {
+ /* give IBSS a bit more time */
+- timeout = ssid->mode == WPAS_MODE_IBSS ? 20 : 10;
++ timeout = ssid->mode == WPAS_MODE_IBSS ? 20 : 20;
+ }
+ wpa_supplicant_req_auth_timeout(wpa_s, timeout, 0);
+ }
diff --git a/SOURCES/wpa_supplicant-config.patch b/SOURCES/wpa_supplicant-config.patch
new file mode 100644
index 0000000..5e47fe0
--- /dev/null
+++ b/SOURCES/wpa_supplicant-config.patch
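Review bot: `client_cert_conf` (eap_tls_common.c hunk) records that a client certificate or private key was configured, not that the server requested and verified one during Phase 1, so a profile that carries an unused client certificate keeps the lenient pre-patch behaviour under the default `phase2_auth=1`; that is a weaker guarantee than the commit message suggests. If the TLS layer can report whether client authentication actually took place, basing the FOR_INITIAL exception on that would be tighter; failing that, the field's docstring in eap_tls_common.h should say `client_cert_conf: Whether a client certificate/private key has been configured (does not imply the server requested it)`. The option description also repeats a typo in the commit message, eap_config.h and wpa_supplicant.conf: `is no used` should read `is not used`. eap_tls_params_from_conf and the other touched functions start outside the hunks shown.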
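Review bot: `timeout = ssid->mode == WPAS_MODE_IBSS ? 20 : 20;` picks the same value on both arms, so the conditional and the `/* give IBSS a bit more time */` comment above it no longer describe what the code does; write `timeout = 20;` and reword the comment, e.g. `/* distro: longer association timeout for every mode */`. The patch header still names a wpa_supplicant-0.7.3 tree, so it is presumably applied with path and line fuzz against 2.10; refreshing it against the packaged version would make that explicit. wpa_supplicant_associate starts and ends outside the hunk.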
@@ -0,0 +1,72 @@
+From 72ee1e934e98ea87e4de292958817e724114703e Mon Sep 17 00:00:00 2001
+From: Lubomir Rintel
+Date: Fri, 6 Sep 2019 09:46:00 +0200
+Subject: [PATCH] defconfig: Fedora configuration
+
+---
+ wpa_supplicant/defconfig | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+--- a/wpa_supplicant/defconfig
++++ b/wpa_supplicant/defconfig
+@@ -146,7 +146,7 @@ CONFIG_EAP_PAX=y
+ CONFIG_EAP_LEAP=y
+
+ # EAP-AKA (enable CONFIG_PCSC, if EAP-AKA is used)
+-#CONFIG_EAP_AKA=y
++CONFIG_EAP_AKA=y
+
+ # EAP-AKA' (enable CONFIG_PCSC, if EAP-AKA' is used).
+ # This requires CONFIG_EAP_AKA to be enabled, too.
+@@ -338,6 +338,7 @@ CONFIG_BACKEND=file
+ # Select which ciphers to use by default with OpenSSL if the user does not
+ # specify them.
+ #CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW"
++CONFIG_TLS_DEFAULT_CIPHERS="PROFILE=SYSTEM:3DES"
+
+ # If CONFIG_TLS=internal is used, additional library and include paths are
+ # needed for LibTomMath. Alternatively, an integrated, minimal version of
+@@ -390,7 +391,7 @@ CONFIG_CTRL_IFACE_DBUS_INTRO=y
+ #CONFIG_DYNAMIC_EAP_METHODS=y
+
+ # IEEE Std 802.11r-2008 (Fast BSS Transition) for station mode
+-CONFIG_IEEE80211R=y
++#CONFIG_IEEE80211R=y
+
+ # Add support for writing debug log to a file (/tmp/wpa_supplicant-log-#.txt)
+ CONFIG_DEBUG_FILE=y
+@@ -469,7 +470,7 @@ CONFIG_DEBUG_SYSLOG=y
+ # Should we attempt to use the getrandom(2) call that provides more reliable
+ # yet secure randomness source than /dev/random on Linux 3.17 and newer.
+ # Requires glibc 2.25 to build, falls back to /dev/random if unavailable.
+-#CONFIG_GETRANDOM=y
++CONFIG_GETRANDOM=y
+
+ # IEEE 802.11ac (Very High Throughput) support (mainly for AP mode)
+ CONFIG_IEEE80211AC=y
+@@ -587,7 +588,7 @@ CONFIG_IBSS_RSN=y
+ #CONFIG_PMKSA_CACHE_EXTERNAL=y
+
+ # Mesh Networking (IEEE 802.11s)
+-#CONFIG_MESH=y
++CONFIG_MESH=y
+
+ # Background scanning modules
+ # These can be used to request wpa_supplicant to perform background scanning
+@@ -601,7 +602,7 @@ CONFIG_BGSCAN_SIMPLE=y
+
+ # Opportunistic Wireless Encryption (OWE)
+ # Experimental implementation of draft-harkins-owe-07.txt
+-#CONFIG_OWE=y
++CONFIG_OWE=y
+
+ # Device Provisioning Protocol (DPP) (also known as Wi-Fi Easy Connect)
+ CONFIG_DPP=y
+@@ -633,3 +634,7 @@ CONFIG_DPP2=y
+ # design is still subject to change. As such, this should not yet be enabled in
+ # production use.
+ #CONFIG_PASN=y
++#
++CONFIG_SUITEB192=y
++CONFIG_IPV6=y
++
diff --git a/SOURCES/wpa_supplicant-flush-debug-output.patch b/SOURCES/wpa_supplicant-flush-debug-output.patch
new file mode 100644
index 0000000..f2295bc
--- /dev/null
+++ b/SOURCES/wpa_supplicant-flush-debug-output.patch
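Review bot: `CONFIG_TLS_DEFAULT_CIPHERS="PROFILE=SYSTEM:3DES"` appends 3DES to whatever the system crypto policy allows, so if OpenSSL treats the suffix as an additional cipher group (as the `:` list syntax suggests) this build re-enables 3DES cipher suites even when the distro policy has disabled them; that deserves either a comment naming the legacy authentication servers it exists for, or dropping the suffix and leaving the decision to the policy. The `+#` added before `CONFIG_SUITEB192=y` is an empty comment and the final `+` adds a blank last line; a short heading such as `# Distribution additions` would give the block a visible purpose.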
@@ -0,0 +1,35 @@
+--- a/src/utils/wpa_debug.c
++++ b/src/utils/wpa_debug.c
+@@ -79,6 +79,7 @@ void wpa_debug_print_timestamp(void)
+ if (out_file)
+ fprintf(out_file, "%ld.%06u: ", (long) tv.sec,
+ (unsigned int) tv.usec);
++ fflush(out_file);
+ #endif /* CONFIG_DEBUG_FILE */
+ if (!out_file && !wpa_debug_syslog)
+ printf("%ld.%06u: ", (long) tv.sec, (unsigned int) tv.usec);
+@@ -230,6 +231,7 @@ void wpa_printf(int level, const char *f
+ va_start(ap, fmt);
+ vfprintf(out_file, fmt, ap);
+ fprintf(out_file, "\n");
++ fflush(out_file);
+ va_end(ap);
+ }
+ #endif /* CONFIG_DEBUG_FILE */
+@@ -365,6 +367,7 @@ static void _wpa_hexdump(int level, cons
+ fprintf(out_file, " [REMOVED]");
+ }
+ fprintf(out_file, "\n");
++ fflush(out_file);
+ }
+ #endif /* CONFIG_DEBUG_FILE */
+ if (!wpa_debug_syslog && !out_file) {
+@@ -468,6 +471,8 @@ static void _wpa_hexdump_ascii(int level
+ }
+ }
+ file_done:
++ if (out_file)
++ fflush(out_file);
+ #endif /* CONFIG_DEBUG_FILE */
+ if (!wpa_debug_syslog && !out_file) {
+ if (!show) {
diff --git a/SOURCES/wpa_supplicant-gui-qt4.patch b/SOURCES/wpa_supplicant-gui-qt4.patch
new file mode 100644
index 0000000..7acca1e
--- /dev/null
+++ b/SOURCES/wpa_supplicant-gui-qt4.patch
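Review bot: In the first hunk (`wpa_debug_print_timestamp`) the new `fflush(out_file);` is placed after an unbraced `if (out_file)` whose body is the `fprintf` call, so it executes unconditionally and becomes `fflush(NULL)` whenever no debug file is open, flushing every open output stream on each timestamped message. The fourth hunk guards the same call with `if (out_file)`; make the first one consistent with it, `if (out_file) { fprintf(out_file, ...); fflush(out_file); }`. The enclosing functions in all four hunks start and end outside the visible context.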
@@ -0,0 +1,36 @@
+From 9404f356e394604d1d3d6dbffc52abd54260e4d4 Mon Sep 17 00:00:00 2001
+From: Lubomir Rintel
+Date: Tue, 27 Oct 2015 08:56:35 +0100
+Subject: [PATCH] wpa_supplicant: allow overriding the names of the Qt4 tools
+
+This is useful for distributions that ship different versions of Qt in
+different locations.
+---
+ wpa_supplicant/Makefile | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/wpa_supplicant/Makefile
++++ b/wpa_supplicant/Makefile
+@@ -35,6 +35,9 @@ export INCDIR ?= /usr/local/include
+ export BINDIR ?= /usr/local/sbin
+ PKG_CONFIG ?= pkg-config
+ 
++QMAKE ?= qmake
++LRELEASE ?= lrelease
++
+ CFLAGS += $(EXTRA_CFLAGS)
+ CFLAGS += -I$(abspath ../src)
+ CFLAGS += -I$(abspath ../src/utils)
+@@ -2039,10 +2042,10 @@ wpa_gui:
+ @echo "wpa_gui has been removed - see wpa_gui-qt4 for replacement"
+ 
+ wpa_gui-qt4/Makefile:
+- qmake -o wpa_gui-qt4/Makefile wpa_gui-qt4/wpa_gui.pro
++ $(QMAKE) -o wpa_gui-qt4/Makefile wpa_gui-qt4/wpa_gui.pro
+ 
+ wpa_gui-qt4/lang/wpa_gui_de.qm: wpa_gui-qt4/lang/wpa_gui_de.ts
+- lrelease wpa_gui-qt4/wpa_gui.pro
++ $(LRELEASE) wpa_gui-qt4/wpa_gui.pro
+ 
+ wpa_gui-qt4: wpa_gui-qt4/Makefile wpa_gui-qt4/lang/wpa_gui_de.qm
+ $(MAKE) -C wpa_gui-qt4
diff --git a/SOURCES/wpa_supplicant-macsec_linux-Add-support-for-MACsec-hardware-offload.patch b/SOURCES/wpa_supplicant-macsec_linux-Add-support-for-MACsec-hardware-offload.patch
new file mode 100644
index 0000000..be32491
--- /dev/null
+++ b/SOURCES/wpa_supplicant-macsec_linux-Add-support-for-MACsec-hardware-offload.patch
@@ -0,0 +1,106 @@
+From 40c139664439b2576e1506fbca14a7b79425a9dd Mon Sep 17 00:00:00 2001
+Message-ID: <40c139664439b2576e1506fbca14a7b79425a9dd.1706279171.git.davide.caratti@gmail.com>
+From: Emeel Hakim
+Date: Tue, 14 Feb 2023 10:26:57 +0200
+Subject: [PATCH] macsec_linux: Add support for MACsec hardware offload
+
+This uses libnl3 to communicate with the macsec module available on
+Linux. A recent enough version of libnl is needed for the hardware
+offload support.
+
+Signed-off-by: Emeel Hakim
+---
+ src/drivers/driver_macsec_linux.c | 49 +++++++++++++++++++++++++++++++
+ 1 file changed, 49 insertions(+)
+
+diff --git a/src/drivers/driver_macsec_linux.c b/src/drivers/driver_macsec_linux.c
+index b609bbf38..c79e8733a 100644
+--- a/src/drivers/driver_macsec_linux.c
++++ b/src/drivers/driver_macsec_linux.c
+@@ -32,6 +32,10 @@
+ 
+ #define UNUSED_SCI 0xffffffffffffffff
+ 
++#if LIBNL_VER_NUM >= LIBNL_VER(3, 6)
++#define LIBNL_HAS_OFFLOAD
++#endif
++
+ struct cb_arg {
+ struct macsec_drv_data *drv;
+ u32 *pn;
+@@ -73,6 +77,11 @@ struct macsec_drv_data {
+ bool replay_protect;
+ bool replay_protect_set;
+ 
++#ifdef LIBNL_HAS_OFFLOAD
++ enum macsec_offload offload;
++ bool offload_set;
++#endif /* LIBNL_HAS_OFFLOAD */
++
+ u32 replay_window;
+ 
+ u8 encoding_sa;
+@@ -228,6 +237,15 @@ static int try_commit(struct macsec_drv_data *drv)
+ drv->replay_window);
+ }
+ 
++#ifdef LIBNL_HAS_OFFLOAD
++ if (drv->offload_set) {
++ wpa_printf(MSG_DEBUG, DRV_PREFIX
++ "%s: try_commit offload=%d",
++ drv->ifname, drv->offload);
++ rtnl_link_macsec_set_offload(drv->link, drv->offload);
++ }
++#endif /* LIBNL_HAS_OFFLOAD */
++
+ if (drv->encoding_sa_set) {
+ wpa_printf(MSG_DEBUG, DRV_PREFIX
+ "%s: try_commit encoding_sa=%d",
+@@ -455,6 +473,36 @@ static int macsec_drv_set_replay_protect(void *priv, bool enabled,
+ }
+ 
+ 
++/**
++ * macsec_drv_set_offload - Set offload status
++ * @priv: Private driver interface data
++ * @offload: 0 = MACSEC_OFFLOAD_OFF
++ * 1 = MACSEC_OFFLOAD_PHY
++ * 2 = MACSEC_OFFLOAD_MAC
++ * Returns: 0 on success, -1 on failure (or if not supported)
++ */
++static int macsec_drv_set_offload(void *priv, u8 offload)
++{
++#ifdef LIBNL_HAS_OFFLOAD
++ struct macsec_drv_data *drv = priv;
++
++ wpa_printf(MSG_DEBUG, "%s -> %02" PRIx8, __func__, offload);
++
++ drv->offload_set = true;
++ drv->offload = offload;
++
++ return try_commit(drv);
++#else /* LIBNL_HAS_OFFLOAD */
++ if (offload == 0)
++ return 0;
++ wpa_printf(MSG_INFO,
++ "%s: libnl version does not include support for MACsec offload",
++ __func__);
++ return -1;
++#endif /* LIBNL_HAS_OFFLOAD */
++}
++
++
+ /**
+ * macsec_drv_set_current_cipher_suite - Set current cipher suite
+ * @priv: Private driver interface data
+@@ -1648,6 +1696,7 @@ const struct wpa_driver_ops wpa_driver_macsec_linux_ops = {
+ .enable_protect_frames = macsec_drv_enable_protect_frames,
+ .enable_encrypt = macsec_drv_enable_encrypt,
+ .set_replay_protect = macsec_drv_set_replay_protect,
++ .set_offload = macsec_drv_set_offload,
+ .set_current_cipher_suite = macsec_drv_set_current_cipher_suite,
+ .enable_controlled_port = macsec_drv_enable_controlled_port,
+ .get_receive_lowest_pn = macsec_drv_get_receive_lowest_pn,
+-- 
+2.43.0
+
diff --git a/SOURCES/wpa_supplicant-macsec_linux-Support-cipher-suite-configuration.patch b/SOURCES/wpa_supplicant-macsec_linux-Support-cipher-suite-configuration.patch
new file mode 100644
index 0000000..eef0aa9
--- /dev/null
+++ b/SOURCES/wpa_supplicant-macsec_linux-Support-cipher-suite-configuration.patch
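Review bot: `macsec_drv_set_offload()` copies the `u8` argument straight into `drv->offload` (an `enum macsec_offload`) and `try_commit()` then hands it to `rtnl_link_macsec_set_offload()` without checking that it is one of the three values its own header comment documents; the wpa_supplicant parser caps `macsec_offload` at 2, but this is a `wpa_driver_ops` entry reachable from any caller, so a guard `if (offload > MACSEC_OFFLOAD_MAC) return -1;` before the assignment belongs in the driver itself. The `try_commit()` hunk also discards the return value of `rtnl_link_macsec_set_offload()`, so a libnl refusal (for example a kernel or device without offload support) is only visible as the link silently not being offloaded; logging a negative result at `MSG_INFO` would make that diagnosable. `try_commit()` begins and ends outside the hunk.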
@@ -0,0 +1,93 @@
+From 7e941e7a1560699a18c5890cb6e1309161bc01af Mon Sep 17 00:00:00 2001
+Message-ID: <7e941e7a1560699a18c5890cb6e1309161bc01af.1706279136.git.davide.caratti@gmail.com>
+From: leiwei
+Date: Mon, 15 Nov 2021 18:43:33 +0800
+Subject: [PATCH] macsec_linux: Support cipher suite configuration
+
+Set the cipher suite for the link. Unlike the other parameters, this
+needs to be done with the first rtnl_link_add() call (NLM_F_CREATE))
+instead of the update in try_commit() since the kernel is rejecting
+changes to the cipher suite after the link is first added.
+
+Signed-off-by: leiwei
+---
+ src/drivers/driver_macsec_linux.c | 25 ++++++++++++++++++++++---
+ 1 file changed, 22 insertions(+), 3 deletions(-)
+
+--- a/src/drivers/driver_macsec_linux.c
++++ b/src/drivers/driver_macsec_linux.c
+@@ -77,6 +77,9 @@ struct macsec_drv_data {
+ 
+ u8 encoding_sa;
+ bool encoding_sa_set;
++
++ u64 cipher_suite;
++ bool cipher_suite_set;
+ };
+ 
+ 
+@@ -460,8 +463,14 @@ static int macsec_drv_set_replay_protect
+ */
+ static int macsec_drv_set_current_cipher_suite(void *priv, u64 cs)
+ {
++ struct macsec_drv_data *drv = priv;
++
+ wpa_printf(MSG_DEBUG, "%s -> %016" PRIx64, __func__, cs);
+- return 0;
++
++ drv->cipher_suite_set = true;
++ drv->cipher_suite = cs;
++
++ return try_commit(drv);
+ }
+ 
+ 
+@@ -1063,7 +1072,8 @@ static int macsec_drv_disable_receive_sa
+ }
+ 
+ 
+-static struct rtnl_link * lookup_sc(struct nl_cache *cache, int parent, u64 sci)
++static struct rtnl_link * lookup_sc(struct nl_cache *cache, int parent, u64 sci,
++ u64 cs)
+ {
+ struct rtnl_link *needle;
+ void *match;
+@@ -1074,6 +1084,8 @@ static struct rtnl_link * lookup_sc(stru
+ 
+ rtnl_link_set_link(needle, parent);
+ rtnl_link_macsec_set_sci(needle, sci);
++ if (cs)
++ rtnl_link_macsec_set_cipher_suite(needle, cs);
+ 
+ match = nl_cache_find(cache, (struct nl_object *) needle);
+ rtnl_link_put(needle);
+@@ -1098,6 +1110,7 @@ static int macsec_drv_create_transmit_sc
+ char *ifname;
+ u64 sci;
+ int err;
++ u64 cs = 0;
+ 
+ wpa_printf(MSG_DEBUG, DRV_PREFIX
+ "%s: create_transmit_sc -> " SCISTR " (conf_offset=%d)",
+@@ -1122,6 +1135,12 @@ static int macsec_drv_create_transmit_sc
+ 
+ drv->created_link = true;
+ 
++ if (drv->cipher_suite_set) {
++ cs = drv->cipher_suite;
++ drv->cipher_suite_set = false;
++ rtnl_link_macsec_set_cipher_suite(link, cs);
++ }
++
+ err = rtnl_link_add(drv->sk, link, NLM_F_CREATE);
+ if (err == -NLE_BUSY) {
+ wpa_printf(MSG_INFO,
+@@ -1137,7 +1156,7 @@ static int macsec_drv_create_transmit_sc
+ rtnl_link_put(link);
+ 
+ nl_cache_refill(drv->sk, drv->link_cache);
+- link = lookup_sc(drv->link_cache, drv->parent_ifi, sci);
++ link = lookup_sc(drv->link_cache, drv->parent_ifi, sci, cs);
+ if (!link) {
+ wpa_printf(MSG_ERROR, DRV_PREFIX "couldn't find link");
+ return -1;
diff --git a/SOURCES/wpa_supplicant-mka-Allow-configuration-of-MACsec-hardware-offload.patch b/SOURCES/wpa_supplicant-mka-Allow-configuration-of-MACsec-hardware-offload.patch
new file mode 100644
index 0000000..5755cd8
--- /dev/null
+++ b/SOURCES/wpa_supplicant-mka-Allow-configuration-of-MACsec-hardware-offload.patch
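Review bot: In `macsec_drv_create_transmit_sc()` the new block ignores the return value of `rtnl_link_macsec_set_cipher_suite()` and clears `drv->cipher_suite_set` before `rtnl_link_add()` has run, so a suite id libnl rejects is silently dropped and the link is created with the default cipher, and if the caller were to retry after a failed add the suite would presumably no longer be requested at all. Check the libnl result, `if (rtnl_link_macsec_set_cipher_suite(link, cs) < 0) { rtnl_link_put(link); return -1; }`, and clear `cipher_suite_set` only once the add path has completed. `macsec_drv_set_current_cipher_suite()` now calls `try_commit()` although the description explains the suite cannot be applied through it; a one-line comment there, `/* applied at link creation in create_transmit_sc(), not by try_commit() */`, would keep the next reader from looking for a missing `try_commit()` hunk. Both functions start and end outside the visible context.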
@@ -0,0 +1,363 @@
+From 6d24673ab89d9002990ee51e7c87d308ca07cd01 Mon Sep 17 00:00:00 2001
+Message-ID: <6d24673ab89d9002990ee51e7c87d308ca07cd01.1706279162.git.davide.caratti@gmail.com>
+From: Emeel Hakim
+Date: Tue, 14 Feb 2023 10:26:56 +0200
+Subject: [PATCH] mka: Allow configuration of MACsec hardware offload
+
+Add new configuration parameter macsec_offload to allow user to set up
+MACsec hardware offload feature.
+
+Signed-off-by: Emeel Hakim
+---
+ hostapd/config_file.c | 10 ++++++++++
+ hostapd/hostapd.conf | 8 ++++++++
+ src/ap/ap_config.h | 13 +++++++++++++
+ src/ap/wpa_auth_kay.c | 1 +
+ src/drivers/driver.h | 10 ++++++++++
+ src/pae/ieee802_1x_cp.c | 7 +++++++
+ src/pae/ieee802_1x_kay.c | 7 +++++--
+ src/pae/ieee802_1x_kay.h | 6 ++++--
+ src/pae/ieee802_1x_secy_ops.c | 20 ++++++++++++++++++++
+ src/pae/ieee802_1x_secy_ops.h | 1 +
+ wpa_supplicant/config.c | 1 +
+ wpa_supplicant/config_file.c | 1 +
+ wpa_supplicant/config_ssid.h | 12 ++++++++++++
+ wpa_supplicant/driver_i.h | 8 ++++++++
+ wpa_supplicant/wpa_cli.c | 1 +
+ wpa_supplicant/wpa_supplicant.conf | 9 +++++++++
+ wpa_supplicant/wpas_kay.c | 10 +++++++++-
+ 17 files changed, 120 insertions(+), 5 deletions(-)
+
+--- a/src/ap/ap_config.h
++++ b/src/ap/ap_config.h
+@@ -833,6 +833,19 @@ struct hostapd_bss_config {
+ u32 macsec_replay_window;
+ 
+ /**
++ * macsec_offload - Enable MACsec offload
++ *
++ * This setting applies only when MACsec is in use, i.e.,
++ * - macsec_policy is enabled
++ * - the key server has decided to enable MACsec
++ *
++ * 0 = MACSEC_OFFLOAD_OFF (default)
++ * 1 = MACSEC_OFFLOAD_PHY
++ * 2 = MACSEC_OFFLOAD_MAC
++ */
++ int macsec_offload;
++
++ /**
+ * macsec_port - MACsec port (in SCI)
+ *
+ * Port component of the SCI.
+--- a/src/ap/wpa_auth_kay.c
++++ b/src/ap/wpa_auth_kay.c
+@@ -328,6 +328,7 @@ int ieee802_1x_alloc_kay_sm_hapd(struct
+ res = ieee802_1x_kay_init(kay_ctx, policy,
+ hapd->conf->macsec_replay_protect,
+ hapd->conf->macsec_replay_window,
++ hapd->conf->macsec_offload,
+ hapd->conf->macsec_port,
+ hapd->conf->mka_priority,
+ hapd->conf->macsec_csindex,
+--- a/src/drivers/driver.h
++++ b/src/drivers/driver.h
+@@ -4168,6 +4168,16 @@ struct wpa_driver_ops {
+ int (*set_replay_protect)(void *priv, bool enabled, u32 window);
+ 
+ /**
++ * set_offload - Set MACsec hardware offload
++ * @priv: Private driver interface data
++ * @offload: 0 = MACSEC_OFFLOAD_OFF
++ * 1 = MACSEC_OFFLOAD_PHY
++ * 2 = MACSEC_OFFLOAD_MAC
++ * Returns: 0 on success, -1 on failure (or if not supported)
++ */
++ int (*set_offload)(void *priv, u8 offload);
++
++ /**
+ * set_current_cipher_suite - Set current cipher suite
+ * @priv: Private driver interface data
+ * @cs: EUI64 identifier
+--- a/src/pae/ieee802_1x_cp.c
++++ b/src/pae/ieee802_1x_cp.c
+@@ -84,6 +84,7 @@ struct ieee802_1x_cp_sm {
+ 
+ /* not defined IEEE Std 802.1X-2010 */
+ struct ieee802_1x_kay *kay;
++ u8 offload;
+ };
+ 
+ static void ieee802_1x_cp_retire_when_timeout(void *eloop_ctx,
+@@ -188,6 +189,7 @@ SM_STATE(CP, AUTHENTICATED)
+ sm->protect_frames = false;
+ sm->replay_protect = false;
+ sm->validate_frames = Checked;
++ sm->offload = sm->kay->macsec_offload;
+ 
+ sm->port_valid = false;
+ sm->controlled_port_enabled = true;
+@@ -197,6 +199,7 @@ SM_STATE(CP, AUTHENTICATED)
+ secy_cp_control_encrypt(sm->kay, sm->kay->macsec_encrypt);
+ secy_cp_control_validate_frames(sm->kay, sm->validate_frames);
+ secy_cp_control_replay(sm->kay, sm->replay_protect, sm->replay_window);
++ secy_cp_control_offload(sm->kay, sm->offload);
+ }
+ 
+ 
+@@ -208,6 +211,7 @@ SM_STATE(CP, SECURED)
+ 
+ sm->protect_frames = sm->kay->macsec_protect;
+ sm->replay_protect = sm->kay->macsec_replay_protect;
++ sm->offload = sm->kay->macsec_offload;
+ sm->validate_frames = sm->kay->macsec_validate;
+ 
+ sm->current_cipher_suite = sm->cipher_suite;
+@@ -223,6 +227,7 @@ SM_STATE(CP, SECURED)
+ secy_cp_control_encrypt(sm->kay, sm->kay->macsec_encrypt);
+ secy_cp_control_validate_frames(sm->kay, sm->validate_frames);
+ secy_cp_control_replay(sm->kay, sm->replay_protect, sm->replay_window);
++ secy_cp_control_offload(sm->kay, sm->offload);
+ }
+ 
+ 
+@@ -462,6 +467,7 @@ struct ieee802_1x_cp_sm * ieee802_1x_cp_
+ sm->validate_frames = kay->macsec_validate;
+ sm->replay_protect = kay->macsec_replay_protect;
+ sm->replay_window = kay->macsec_replay_window;
++ sm->offload = kay->macsec_offload;
+ 
+ sm->controlled_port_enabled = false;
+ 
+@@ -491,6 +497,7 @@ struct ieee802_1x_cp_sm * ieee802_1x_cp_
+ secy_cp_control_confidentiality_offset(sm->kay,
+ sm->confidentiality_offset);
+ secy_cp_control_current_cipher_suite(sm->kay, sm->current_cipher_suite);
++ secy_cp_control_offload(sm->kay, sm->offload);
+ 
+ SM_STEP_RUN(CP);
+ 
+--- a/src/pae/ieee802_1x_kay.c
++++ b/src/pae/ieee802_1x_kay.c
+@@ -3464,8 +3464,8 @@ static void kay_l2_receive(void *ctx, co
+ struct ieee802_1x_kay *
+ ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
+ bool macsec_replay_protect, u32 macsec_replay_window,
+- u16 port, u8 priority, u32 macsec_csindex,
+- const char *ifname, const u8 *addr)
++ u8 macsec_offload, u16 port, u8 priority,
++ u32 macsec_csindex, const char *ifname, const u8 *addr)
+ {
+ struct ieee802_1x_kay *kay;
+ 
+@@ -3524,6 +3524,7 @@ ieee802_1x_kay_init(struct ieee802_1x_ka
+ kay->macsec_validate = Disabled;
+ kay->macsec_replay_protect = false;
+ kay->macsec_replay_window = 0;
++ kay->macsec_offload = 0;
+ kay->macsec_confidentiality = CONFIDENTIALITY_NONE;
+ kay->mka_hello_time = MKA_HELLO_TIME;
+ } else {
+@@ -3540,6 +3541,7 @@ ieee802_1x_kay_init(struct ieee802_1x_ka
+ kay->macsec_validate = Strict;
+ kay->macsec_replay_protect = macsec_replay_protect;
+ kay->macsec_replay_window = macsec_replay_window;
++ kay->macsec_offload = macsec_offload;
+ kay->mka_hello_time = MKA_HELLO_TIME;
+ }
+ 
+@@ -3740,6 +3742,7 @@ ieee802_1x_kay_create_mka(struct ieee802
+ secy_cp_control_protect_frames(kay, kay->macsec_protect);
+ secy_cp_control_replay(kay, kay->macsec_replay_protect,
+ kay->macsec_replay_window);
++ secy_cp_control_offload(kay, kay->macsec_offload);
+ if (secy_create_transmit_sc(kay, participant->txsc))
+ goto fail;
+ 
+--- a/src/pae/ieee802_1x_kay.h
++++ b/src/pae/ieee802_1x_kay.h
+@@ -166,6 +166,7 @@ struct ieee802_1x_kay_ctx {
+ int (*delete_transmit_sa)(void *ctx, struct transmit_sa *sa);
+ int (*enable_transmit_sa)(void *ctx, struct transmit_sa *sa);
+ int (*disable_transmit_sa)(void *ctx, struct transmit_sa *sa);
++ int (*set_offload)(void *ctx, u8 offload);
+ };
+ 
+ struct ieee802_1x_kay {
+@@ -206,6 +207,7 @@ struct ieee802_1x_kay {
+ bool is_key_server;
+ bool is_obliged_key_server;
+ char if_name[IFNAMSIZ];
++ u8 macsec_offload;
+ 
+ unsigned int macsec_csindex; /* MACsec cipher suite table index */
+ int mka_algindex; /* MKA alg table index */
+@@ -240,8 +242,8 @@ u64 mka_sci_u64(struct ieee802_1x_mka_sc
+ struct ieee802_1x_kay *
+ ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
+ bool macsec_replay_protect, u32 macsec_replay_window,
+- u16 port, u8 priority, u32 macsec_csindex,
+- const char *ifname, const u8 *addr);
++ u8 macsec_offload, u16 port, u8 priority,
++ u32 macsec_csindex, const char *ifname, const u8 *addr);
+ void ieee802_1x_kay_deinit(struct ieee802_1x_kay *kay);
+ 
+ struct ieee802_1x_mka_participant *
+--- a/src/pae/ieee802_1x_secy_ops.c
++++ b/src/pae/ieee802_1x_secy_ops.c
+@@ -85,6 +85,26 @@ int secy_cp_control_replay(struct ieee80
+ }
+ 
+ 
++int secy_cp_control_offload(struct ieee802_1x_kay *kay, u8 offload)
++{
++ struct ieee802_1x_kay_ctx *ops;
++
++ if (!kay) {
++ wpa_printf(MSG_ERROR, "KaY: %s params invalid", __func__);
++ return -1;
++ }
++
++ ops = kay->ctx;
++ if (!ops || !ops->set_offload) {
++ wpa_printf(MSG_ERROR,
++ "KaY: secy set_offload operation not supported");
++ return -1;
++ }
++
++ return ops->set_offload(ops->ctx, offload);
++}
++
++
+ int secy_cp_control_current_cipher_suite(struct ieee802_1x_kay *kay, u64 cs)
+ {
+ struct ieee802_1x_kay_ctx *ops;
+--- a/src/pae/ieee802_1x_secy_ops.h
++++ b/src/pae/ieee802_1x_secy_ops.h
+@@ -23,6 +23,7 @@ int secy_cp_control_validate_frames(stru
+ int secy_cp_control_protect_frames(struct ieee802_1x_kay *kay, bool flag);
+ int secy_cp_control_encrypt(struct ieee802_1x_kay *kay, bool enabled);
+ int secy_cp_control_replay(struct ieee802_1x_kay *kay, bool flag, u32 win);
++int secy_cp_control_offload(struct ieee802_1x_kay *kay, u8 offload);
+ int secy_cp_control_current_cipher_suite(struct ieee802_1x_kay *kay, u64 cs);
+ int secy_cp_control_confidentiality_offset(struct ieee802_1x_kay *kay,
+ enum confidentiality_offset co);
+--- a/wpa_supplicant/config.c
++++ b/wpa_supplicant/config.c
+@@ -2610,6 +2610,7 @@ static const struct parse_data ssid_fiel
+ { INT_RANGE(macsec_integ_only, 0, 1) },
+ { INT_RANGE(macsec_replay_protect, 0, 1) },
+ { INT(macsec_replay_window) },
++ { INT_RANGE(macsec_offload, 0, 2) },
+ { INT_RANGE(macsec_port, 1, 65534) },
+ { INT_RANGE(mka_priority, 0, 255) },
+ { INT_RANGE(macsec_csindex, 0, 1) },
+--- a/wpa_supplicant/config_file.c
++++ b/wpa_supplicant/config_file.c
+@@ -808,6 +808,7 @@ static void wpa_config_write_network(FIL
+ INT(macsec_integ_only);
+ INT(macsec_replay_protect);
+ INT(macsec_replay_window);
++ INT(macsec_offload);
+ INT(macsec_port);
+ INT_DEF(mka_priority, DEFAULT_PRIO_NOT_KEY_SERVER);
+ INT(macsec_csindex);
+--- a/wpa_supplicant/config_ssid.h
++++ b/wpa_supplicant/config_ssid.h
+@@ -896,6 +896,18 @@ struct wpa_ssid {
+ u32 macsec_replay_window;
+ 
+ /**
++ * macsec_offload - Enable MACsec hardware offload
++ *
++ * This setting applies only when MACsec is in use, i.e.,
++ * - the key server has decided to enable MACsec
++ *
++ * 0 = MACSEC_OFFLOAD_OFF (default)
++ * 1 = MACSEC_OFFLOAD_PHY
++ * 2 = MACSEC_OFFLOAD_MAC
++ */
++ int macsec_offload;
++
++ /**
+ * macsec_port - MACsec port (in SCI)
+ *
+ * Port component of the SCI.
+--- a/wpa_supplicant/driver_i.h
++++ b/wpa_supplicant/driver_i.h
+@@ -804,6 +804,14 @@ static inline int wpa_drv_set_replay_pro
+ window);
+ }
+ 
++static inline int wpa_drv_set_offload(struct wpa_supplicant *wpa_s, u8 offload)
++{
++ if (!wpa_s->driver->set_offload)
++ return -1;
++ return wpa_s->driver->set_offload(wpa_s->drv_priv, offload);
++
++}
++
+ static inline int wpa_drv_set_current_cipher_suite(struct wpa_supplicant *wpa_s,
+ u64 cs)
+ {
+--- a/wpa_supplicant/wpa_cli.c
++++ b/wpa_supplicant/wpa_cli.c
+@@ -1473,6 +1473,7 @@ static const char *network_fields[] = {
+ "macsec_integ_only",
+ "macsec_replay_protect",
+ "macsec_replay_window",
++ "macsec_offload",
+ "macsec_port",
+ "mka_priority",
+ #endif /* CONFIG_MACSEC */
+--- a/wpa_supplicant/wpa_supplicant.conf
++++ b/wpa_supplicant/wpa_supplicant.conf
+@@ -1094,6 +1094,15 @@ fast_reauth=1
+ # 0: No replay window, strict check (default)
+ # 1..2^32-1: number of packets that could be misordered
+ #
++# macsec_offload - Enable MACsec hardware offload
++#
++# This setting applies only when MACsec is in use, i.e.,
++# - the key server has decided to enable MACsec
++#
++# 0 = MACSEC_OFFLOAD_OFF (default)
++# 1 = MACSEC_OFFLOAD_PHY
++# 2 = MACSEC_OFFLOAD_MAC
++#
+ # macsec_port: IEEE 802.1X/MACsec port
+ # Port component of the SCI
+ # Range: 1-65534 (default: 1)
+--- a/wpa_supplicant/wpas_kay.c
++++ b/wpa_supplicant/wpas_kay.c
+@@ -98,6 +98,12 @@ static int wpas_set_receive_lowest_pn(vo
+ }
+ 
+ 
++static int wpas_set_offload(void *wpa_s, u8 offload)
++{
++ return wpa_drv_set_offload(wpa_s, offload);
++}
++
++
+ static unsigned int conf_offset_val(enum confidentiality_offset co)
+ {
+ switch (co) {
+@@ -220,6 +226,7 @@ int ieee802_1x_alloc_kay_sm(struct wpa_s
+ kay_ctx->enable_protect_frames = wpas_enable_protect_frames;
+ kay_ctx->enable_encrypt = wpas_enable_encrypt;
+ kay_ctx->set_replay_protect = wpas_set_replay_protect;
++ kay_ctx->set_offload = wpas_set_offload;
+ kay_ctx->set_current_cipher_suite = wpas_set_current_cipher_suite;
+ kay_ctx->enable_controlled_port = wpas_enable_controlled_port;
+ kay_ctx->get_receive_lowest_pn = wpas_get_receive_lowest_pn;
+@@ -240,7 +247,8 @@ int ieee802_1x_alloc_kay_sm(struct wpa_s
+ kay_ctx->disable_transmit_sa = wpas_disable_transmit_sa;
+ 
+ res = ieee802_1x_kay_init(kay_ctx, policy, ssid->macsec_replay_protect,
+- ssid->macsec_replay_window, ssid->macsec_port,
++ ssid->macsec_replay_window,
++ ssid->macsec_offload, ssid->macsec_port,
+ ssid->mka_priority, ssid->macsec_csindex,
+ wpa_s->ifname, wpa_s->own_addr);
+ /* ieee802_1x_kay_init() frees kay_ctx on failure */
diff --git a/SOURCES/wpa_supplicant-quiet-scan-results-message.patch b/SOURCES/wpa_supplicant-quiet-scan-results-message.patch
new file mode 100644
index 0000000..c646a30
--- /dev/null
+++ b/SOURCES/wpa_supplicant-quiet-scan-results-message.patch
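Review bot: The diffstat at the top of the patch lists `hostapd/config_file.c` and `hostapd/hostapd.conf`, but no hunks for either file follow, so the new `macsec_offload` member of `hostapd_bss_config` is declared and passed to `ieee802_1x_kay_init()` without ever being parsed from a hostapd configuration; either the diffstat is stale or those two hunks were dropped from the backport, and the vendored patch should be made consistent with itself. Separately, `secy_cp_control_offload()` logs at `MSG_ERROR` whenever `ops->set_offload` is NULL, yet the CP state machine and `ieee802_1x_kay_create_mka()` call it unconditionally even when the value is the default 0, so a KaY context that never installs the callback (the visible `wpa_auth_kay.c` hunk does not) would presumably emit that error on every session; `if (!ops || !ops->set_offload) return offload ? -1 : 0;` keeps the error for a real request only. `wpa_drv_set_offload()` in driver_i.h also carries a stray blank line before its closing brace.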
@@ -0,0 +1,30 @@
+From 763a4ef660e2bd81f6cdc71a2f29a0a3e71b2ebc Mon Sep 17 00:00:00 2001
+From: Dan Williams
+Date: Tue, 22 Nov 2016 15:48:17 +0100
+Subject: [PATCH 1/2] quiet an annoying and frequent syslog message
+
+---
+ wpa_supplicant/events.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c
+index abe3b47..72a0412 100644
+--- a/wpa_supplicant/events.c
++++ b/wpa_supplicant/events.c
+@@ -1555,11 +1555,11 @@ static int _wpa_supplicant_event_scan_results(struct wpa_supplicant *wpa_s,
+ if (wpa_s->last_scan_req == MANUAL_SCAN_REQ &&
+ wpa_s->manual_scan_use_id && wpa_s->own_scan_running &&
+ own_request && !(data && data->scan_info.external_scan)) {
+- wpa_msg_ctrl(wpa_s, MSG_INFO, WPA_EVENT_SCAN_RESULTS "id=%u",
++ wpa_msg_ctrl(wpa_s, MSG_DEBUG, WPA_EVENT_SCAN_RESULTS "id=%u",
+ wpa_s->manual_scan_id);
+ wpa_s->manual_scan_use_id = 0;
+ } else {
+- wpa_msg_ctrl(wpa_s, MSG_INFO, WPA_EVENT_SCAN_RESULTS);
++ wpa_msg_ctrl(wpa_s, MSG_DEBUG, WPA_EVENT_SCAN_RESULTS);
+ }
+ wpas_notify_scan_results(wpa_s);
+ 
+-- 
+2.9.3
+
diff --git a/SOURCES/wpa_supplicant.conf b/SOURCES/wpa_supplicant.conf
new file mode 100644
index 0000000..65ad645
--- /dev/null
+++ b/SOURCES/wpa_supplicant.conf
@@ -0,0 +1,3 @@
+ctrl_interface=/var/run/wpa_supplicant
+ctrl_interface_group=wheel
+
diff --git a/SOURCES/wpa_supplicant.logrotate b/SOURCES/wpa_supplicant.logrotate
new file mode 100644
index 0000000..bd7ef91
--- /dev/null
+++ b/SOURCES/wpa_supplicant.logrotate
@@ -0,0 +1,6 @@
+/var/log/wpa_supplicant.log {
+ missingok
+ notifempty
+ size 30k
+ create 0600 root root
+}
diff --git a/SOURCES/wpa_supplicant.service b/SOURCES/wpa_supplicant.service
new file mode 100644
index 0000000..97d4296
--- /dev/null
+++ b/SOURCES/wpa_supplicant.service
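Review bot: Lowering both `wpa_msg_ctrl()` calls to `MSG_DEBUG` changes what control-interface monitors receive, not only what reaches syslog: the level passed here is the one attached clients filter on, so a `wpa_cli` monitor at its default level would presumably stop seeing `CTRL-EVENT-SCAN-RESULTS`, while D-Bus listeners are unaffected because `wpas_notify_scan_results()` is left untouched. The patch header should state that trade-off, or name the consumers verified to rely on D-Bus only, so that a later ctrl-socket regression report can be matched to this distribution change. `_wpa_supplicant_event_scan_results()` starts and ends outside the hunk.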
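Review bot: `ctrl_interface_group=wheel` lets every member of `wheel` attach to the control socket and add, select, remove or save networks, which amounts to administrative control of the host's Wi-Fi configuration; that is a defensible default for this package, but the shipped file should say so, e.g. `# members of this group get full control of wpa_supplicant via the socket`. On systemd hosts `/var/run` is only a compatibility symlink, so `/run/wpa_supplicant` is the canonical spelling of the same path.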
@@ -0,0 +1,15 @@
+[Unit]
+Description=WPA supplicant
+Before=network.target
+Wants=network.target
+After=dbus.service
+
+[Service]
+Type=dbus
+BusName=fi.w1.wpa_supplicant1
+EnvironmentFile=-/etc/sysconfig/wpa_supplicant
+ExecStart=/usr/sbin/wpa_supplicant -c /etc/wpa_supplicant/wpa_supplicant.conf -u $INTERFACES $DRIVERS $OTHER_ARGS
+
+[Install]
+WantedBy=multi-user.target
+
diff --git a/SOURCES/wpa_supplicant.sysconfig b/SOURCES/wpa_supplicant.sysconfig
new file mode 100644
index 0000000..33bd7af
--- /dev/null
+++ b/SOURCES/wpa_supplicant.sysconfig
@@ -0,0 +1,11 @@
+# Use the flag "-i" before each of your interfaces, like so:
+# INTERFACES="-ieth1 -iwlan0"
+INTERFACES=""
+
+# Use the flag "-D" before each driver, like so:
+# DRIVERS="-Dwext"
+DRIVERS=""
+
+# Other arguments
+# -s Use syslog logging backend
+OTHER_ARGS="-s"
diff --git a/SPECS/wpa_supplicant.spec b/SPECS/wpa_supplicant.spec
new file mode 100644
index 0000000..26df030
--- /dev/null
+++ b/SPECS/wpa_supplicant.spec
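Review bot: The `[Service]` section runs the daemon as root with no sandboxing directives at all, although a supplicant needs little beyond netlink, the D-Bus bus and its control socket. `ProtectHome=yes` and `ProtectSystem=yes` are safe starting points that do not touch `/etc` or `/run`; `ProtectSystem=strict` would additionally require `ReadWritePaths=/etc/wpa_supplicant /var/run/wpa_supplicant` because the `-c` file is rewritten when a configuration sets `update_config=1` and the control socket lives under the configured `ctrl_interface` directory. Any directive added here should be tested with the D-Bus activation path (`Type=dbus`) since the unit is also started on demand by the bus.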
@@ -0,0 +1,848 @@ +%global _hardened_build 1 +%if 0%{?fedora} +%bcond_without gui +%else +%bcond_with gui +%endif + +Summary: WPA/WPA2/IEEE 802.1X Supplicant +Name: wpa_supplicant +Epoch: 1 +Version: 2.10 +Release: 11%{?dist} +License: BSD-3-Clause +Source0: http://w1.fi/releases/%{name}-%{version}.tar.gz +Source1: wpa_supplicant.conf +Source2: wpa_supplicant.service +Source3: wpa_supplicant.sysconfig +Source4: wpa_supplicant.logrotate + +# Distro specific customization and not suitable for upstream, +# Fedora-specific updates to defconfig +Patch0: wpa_supplicant-config.patch +# Works around busted drivers +Patch1: wpa_supplicant-assoc-timeout.patch +# Ensures that debug output gets flushed immediately to help diagnose driver +# bugs, not suitable for upstream +Patch2: wpa_supplicant-flush-debug-output.patch +# Quiet an annoying and frequent syslog message +Patch3: wpa_supplicant-quiet-scan-results-message.patch +# Distro specific customization for Qt4 build tools, not suitable for upstream +Patch4: wpa_supplicant-gui-qt4.patch +# backport fix for bz2063730 +Patch5: 0001-D-Bus-Add-wep_disabled-capability.patch +# backport fix for bz2077973 +Patch6: 0001-EAP-peer-Workaround-for-servers-that-do-not-support-.patch +Patch7: 0001-EAP-peer-status-notification-for-server-not-supporti.patch +# support macsec HW offload +Patch8: wpa_supplicant-MACsec-Support-GCM-AES-256-cipher-suite.patch +Patch9: wpa_supplicant-macsec_linux-Support-cipher-suite-configuration.patch +Patch10: wpa_supplicant-mka-Allow-configuration-of-MACsec-hardware-offload.patch +Patch11: wpa_supplicant-macsec_linux-Add-support-for-MACsec-hardware-offload.patch +# fix PEAP client to require successful Phase2 authentication when needed (CVE-2023-52160) +Patch12: wpa_supplicant-PEAP-client-Update-Phase-2-authentication-requiremen.patch +# backport P2P bugfix causing nmci failures +Patch13: wpa_supplicant-P2P-Remove-pending-p2p-listen-radio-work-on-stopping.patch + +URL: http://w1.fi/wpa_supplicant/ + +%if 
%with gui +BuildRequires: qt-devel >= 4.0 +%endif +BuildRequires: openssl-devel +BuildRequires: readline-devel +BuildRequires: dbus-devel +BuildRequires: libnl3-devel +BuildRequires: systemd-units +BuildRequires: docbook-utils +BuildRequires: gcc +Requires(post): systemd-sysv +Requires(post): systemd +Requires(preun): systemd +Requires(postun): systemd +# libeap used to be built from wpa_supplicant with some fairly horrible +# hackery, solely for use by WiMAX. We dropped all WiMAX support around +# F21. This is here so people don't wind up with obsolete libeap packages +# lying around. If it's ever resurrected for any reason, this needs +# dropping. +Obsoletes: libeap < %{epoch}:%{version}-%{release} +Obsoletes: libeap-devel < %{epoch}:%{version}-%{release} + +%description +wpa_supplicant is a WPA Supplicant for Linux, BSD and Windows with support +for WPA and WPA2 (IEEE 802.11i / RSN). Supplicant is the IEEE 802.1X/WPA +component that is used in the client stations. It implements key negotiation +with a WPA Authenticator and it controls the roaming and IEEE 802.11 +authentication/association of the wlan driver. 
+
+
+%if %with gui
+%package gui
+Summary: Graphical User Interface for %{name}
+
+%description gui
+Graphical User Interface for wpa_supplicant written using QT
+%endif
+
+
+%prep
+%autosetup -p1 -n %{name}-%{version}
+
+
+%build
+pushd wpa_supplicant
+ cp defconfig .config
+ export CFLAGS="${CFLAGS:-%optflags} -fPIE -DPIE -DOPENSSL_NO_ENGINE"
+ export CXXFLAGS="${CXXFLAGS:-%optflags} -fPIE -DOPENSSL_NO_ENGINE"
+ export LDFLAGS="${LDFLAGS:-%optflags} -pie -Wl,-z,now"
+ # yes, BINDIR=_sbindir
+ export BINDIR="%{_sbindir}"
+ export LIBDIR="%{_libdir}"
+ make %{_smp_mflags} V=1
+%if %with gui
+ make wpa_gui-qt4 %{_smp_mflags} V=1 QTDIR=%{_libdir}/qt4 \
+ QMAKE='%{qmake_qt4}' LRELEASE='%{_qt4_bindir}/lrelease'
+%endif
+ make eapol_test V=1
+ make -C doc/docbook man V=1
+%if !%with gui
+ rm doc/docbook/wpa_gui.8
+%endif
+popd
+
+
+%install
+# config
+install -D -m 0600 %{SOURCE1} %{buildroot}/%{_sysconfdir}/wpa_supplicant/wpa_supplicant.conf
+
+# init scripts
+install -D -m 0644 %{SOURCE2} %{buildroot}/%{_unitdir}/wpa_supplicant.service
+install -D -m 0644 %{SOURCE3} %{buildroot}/%{_sysconfdir}/sysconfig/wpa_supplicant
+install -D -m 0644 %{SOURCE4} %{buildroot}/%{_sysconfdir}/logrotate.d/wpa_supplicant
+
+# binary
+install -d %{buildroot}/%{_sbindir}
+install -m 0755 wpa_supplicant/wpa_passphrase %{buildroot}/%{_sbindir}
+install -m 0755 wpa_supplicant/wpa_cli %{buildroot}/%{_sbindir}
+install -m 0755 wpa_supplicant/wpa_supplicant %{buildroot}/%{_sbindir}
+install -m 0755 wpa_supplicant/eapol_test %{buildroot}/%{_sbindir}
+install -D -m 0644 wpa_supplicant/dbus/dbus-wpa_supplicant.conf \
+ %{buildroot}/%{_sysconfdir}/dbus-1/system.d/wpa_supplicant.conf
+install -D -m 0644 wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service \
+ %{buildroot}/%{_datadir}/dbus-1/system-services/fi.w1.wpa_supplicant1.service
+
+%if %with gui
+# gui
+install -d %{buildroot}/%{_bindir}
+install -m 0755 wpa_supplicant/wpa_gui-qt4/wpa_gui %{buildroot}/%{_bindir}
+%endif
+
+# man pages
+install -d %{buildroot}%{_mandir}/man{5,8}
+install -m 0644 wpa_supplicant/doc/docbook/*.8 %{buildroot}%{_mandir}/man8
+install -m 0644 wpa_supplicant/doc/docbook/*.5 %{buildroot}%{_mandir}/man5
+
+# some cleanup in docs and examples
+rm -f wpa_supplicant/doc/.cvsignore
+rm -rf wpa_supplicant/doc/docbook
+chmod -R 0644 wpa_supplicant/examples/*.py
+
+
+%post
+%systemd_post wpa_supplicant.service
+
+
+%preun
+%systemd_preun wpa_supplicant.service
+
+%triggerun -- wpa_supplicant < 0.7.3-10
+# Save the current service runlevel info
+# User must manually run systemd-sysv-convert --apply wpa_supplicant
+# to migrate them to systemd targets
+/usr/bin/systemd-sysv-convert --save wpa_supplicant >/dev/null 2>&1 ||:
+
+# Run these because the SysV package being removed won't do them
+/sbin/chkconfig --del wpa_supplicant >/dev/null 2>&1 || :
+/bin/systemctl try-restart wpa_supplicant.service >/dev/null 2>&1 || :
+
+
+%files
+%config(noreplace) %{_sysconfdir}/wpa_supplicant/wpa_supplicant.conf
+%config(noreplace) %{_sysconfdir}/sysconfig/wpa_supplicant
+%dir %{_sysconfdir}/logrotate.d
+%config(noreplace) %{_sysconfdir}/logrotate.d/wpa_supplicant
+%{_unitdir}/wpa_supplicant.service
+%{_sysconfdir}/dbus-1/system.d/wpa_supplicant.conf
+%{_datadir}/dbus-1/system-services/fi.w1.wpa_supplicant1.service
+%{_sbindir}/wpa_passphrase
+%{_sbindir}/wpa_supplicant
+%{_sbindir}/wpa_cli
+%{_sbindir}/eapol_test
+%dir %{_sysconfdir}/wpa_supplicant
+%{_mandir}/man8/wpa_supplicant.8.gz
+%{_mandir}/man8/wpa_priv.8.gz
+%{_mandir}/man8/wpa_passphrase.8.gz
+%{_mandir}/man8/wpa_cli.8.gz
+%{_mandir}/man8/wpa_background.8.gz
+%{_mandir}/man8/eapol_test.8.gz
+%{_mandir}/man5/*
+%doc README
+%doc wpa_supplicant/ChangeLog
+%doc wpa_supplicant/eap_testing.txt
+%doc wpa_supplicant/todo.txt
+%doc wpa_supplicant/wpa_supplicant.conf
+%doc wpa_supplicant/examples
+%license COPYING
+
+
+%if %with gui
+%files gui
+%{_bindir}/wpa_gui
+%{_mandir}/man8/wpa_gui.8.gz
+%endif
+
+
+%changelog
+* Mon Jun 24 2024 Troy Dawson - 1:2.10-11
+- Bump release for June 2024 mass rebuild
+
+* Fri Jun 21 2024 Davide Caratti - 1:2.10-10
+- Fix package configuration/add missing patches to avoid regressions when
+ upgrading from rhel-9 (RHEL-43250)
+- Backport P2P fixc causing nmci failures (RHEL-17701)
+- Disable OpenSSL ENGINE API (RHEL-33750)
+
+* Sat Jan 27 2024 Fedora Release Engineering - 1:2.10-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Wed Aug 30 2023 Davide Cavalca - 1:2.10-8
+- Backport WPA3 support for Broadcom devices. Fixes: rhbz#2226569
+- Enable parsing of IPv6 addresses in RADIUS configuration (#2095296)
+
+* Sat Jul 22 2023 Fedora Release Engineering - 1:2.10-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Sat Jan 21 2023 Fedora Release Engineering - 1:2.10-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Sat Jul 23 2022 Fedora Release Engineering - 1:2.10-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Mon May 02 2022 Adam Williamson - 1:2.10-4
+- Allow legacy renegotiation for bad PEAP servers (James Ralston) (#2072070)
+
+* Wed Jan 26 2022 Michael Yartys - 1:2.10-3
+- Enable Operating Channel Validation (OCV) support
+
+* Sat Jan 22 2022 Fedora Release Engineering - 1:2.10-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Mon Jan 17 2022 Davide Caratti - 1:2.10-1
+- Update to version 2.10 (keeping CONFIG_WEP enabled). Related: rhbz#2041269
+
+* Tue Sep 14 2021 Sahana Prasad - 1:2.9-16
+- Rebuilt with OpenSSL 3.0.0
+
+* Fri Sep 3 2021 Davide Caratti - 1:2.9-15
+- Fix NetworkManager-CI failures with OpenSSL 3.0
+
+* Tue Jul 27 2021 Dave Olsthoorn - 1:2.9-14
+- Fix issues with FT a.k.a. 802.11r when not supported by adapter
+
+* Fri Jul 23 2021 Fedora Release Engineering - 1:2.9-13
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Mon Mar 1 2021 Davide Caratti - 1:2.9-12
+- Fix a corner case in peer addition based on PD Request (CVE-2021-27803)
+
+* Thu Feb 4 2021 Davide Caratti - 1:2.9-11
+- Fix copying of secondary device types for P2P group client (CVE-2021-0326)
+
+* Wed Jan 27 2021 Fedora Release Engineering - 1:2.9-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Fri Jan 22 2021 Davide Caratti - 1:2.9-9
+- Expose OWE capability on D-Bus
+- Allow changing interface bridge using D-Bus
+
+* Thu Dec 17 2020 Antonio Cardace - 1:2.9-8
+- Enable WPA-EAP-SUITE-B-192 cipher suite
+
+* Thu Dec 17 2020 Davide Caratti - 1:2.9-7
+- fix build on ELN target (rh #1902609)
+
+* Wed Jul 29 2020 Fedora Release Engineering - 1:2.9-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Mon Jun 15 2020 Benjamin Berg - 1:2.9-5
+- fix some issues with P2P operation
+
+* Thu Apr 23 2020 Davide Caratti - 1:2.9-4
+- Enable Tunneled Direct Link Setup (TDLS)
+
+* Fri Jan 31 2020 Fedora Release Engineering - 1:2.9-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Wed Oct 30 2019 Davide Caratti - 1:2.9-2
+- fix AP mode PMF disconnection protection bypass (CVE-2019-16275, rh #1767026)
+
+* Fri Aug 16 2019 Lubomir Rintel - 1:2.9-1
+- Update to version 2.9
+
+* Sat Jul 27 2019 Fedora Release Engineering - 1:2.8-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Fri May 10 2019 Davide Caratti - 1:2.8-2
+- fix changelog for version 2.8-1
+
+* Thu May 02 2019 Davide Caratti - 1:2.8-1
+- Update to 2.8 upstream release, to include latest fix for NULL
+ pointer dereference when EAP-PWD peer receives unexpected EAP
+ fragments (CVE-2019-11555, rh #1701759)
+
+* Fri Apr 12 2019 Davide Caratti - 1:2.7-5
+- fix SAE and EAP_PWD vulnerabilities:
+ CVE-2019-9494 (cache attack against SAE)
+ CVE-2019-9495 (cache attack against EAP-pwd)
+ CVE-2019-9496 (SAE confirm missing state validation in hostapd/AP)
+ CVE-2019-9497 (EAP-pwd server not checking for reflection attack)
+ CVE-2019-9498 (EAP-pwd server missing commit validation for scalar/element)
+ CVE-2019-9499 (EAP-pwd peer missing commit validation for scalar/element)
+
+* Sun Feb 03 2019 Fedora Release Engineering - 1:2.7-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Mon Jan 21 2019 Lubomir Rintel - 1:2.7-3
+- Enable OWE and DPP
+- Expose SAE support on D-Bus
+
+* Mon Jan 21 2019 Lubomir Rintel - 1:2.7-2
+- Enable MESH & SAE
+
+* Tue Dec 18 2018 Lubomir Rintel - 1:2.7-1
+- Update to 2.7 upstream release
+
+* Wed Aug 15 2018 Lubomir Rintel - 1:2.6-20
+- Expose availability of SHA384 and FT on D-Bus
+
+* Wed Aug 15 2018 Lubomir Rintel - 1:2.6-19
+- Drop the broken Pmf D-Bus property patch
+
+* Wed Aug 8 2018 Davide Caratti - 1:2.6-18
+- Ignore unauthenticated encrypted EAPOL-Key data (CVE-2018-14526)
+
+* Sat Jul 14 2018 Fedora Release Engineering - 1:2.6-17
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Fri Jun 22 2018 Davide Caratti - 1:2.6-16
+- Fix endoding of NL80211_ATTR_SMPS_MODE (rh#1570903)
+
+* Fri May 11 2018 Davide Caratti - 1:2.6-15
+- Make PMF configurable using D-Bus (rh#1567474)
+
+* Fri Feb 09 2018 Fedora Release Engineering - 1:2.6-14
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Tue Jan 16 2018 Davide Caratti - 1:2.6-13
+- Don't restart wpa_supplicant.service on package upgrade (rh#1535233)
+
+* Wed Nov 1 2017 Jiří Klimeš - 1:2.6-12
+- Fix crash when using MACsec without loaded macsec.ko (rh #1497640)
+- Enable Fast BSS Transition for station mode (rh #1372928)
+
+* Mon Oct 16 2017 Lubomir Rintel - 1:2.6-11
+- hostapd: Avoid key reinstallation in FT handshake (CVE-2017-13082)
+- Fix PTK rekeying to generate a new ANonce
+- Prevent reinstallation of an already in-use group key and extend
+ protection of GTK/IGTK reinstallation of WNM-Sleep Mode cases
+ (CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081,
+ CVE-2017-13087, CVE-2017-13088)
+- Prevent installation of an all-zero TK
+- TDLS: Reject TPK-TK reconfiguration
+- WNM: Ignore WNM-Sleep Mode Response without pending request
+- FT: Do not allow multiple Reassociation Response frames
+
+* Thu Aug 03 2017 Fedora Release Engineering - 1:2.6-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering - 1:2.6-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Mon Jul 17 2017 Beniamino Galvani - 1:2.6-8
+- OpenSSL: use system ciphers by default (rh #1462262)
+- OpenSSL: fix private key password callback (rh #1465138)
+
+* Wed May 17 2017 Beniamino Galvani - 1:2.6-7
+- nl80211: Fix race condition in detecting MAC change (rh #1451834)
+
+* Tue Apr 11 2017 Davide Caratti - 1:2.6-6
+- Fix use-after-free when macsec secure channels are deleted
+- Fix segmentation fault in case macsec module is not loaded (rh#1428937)
+
+* Mon Mar 13 2017 Thomas Haller - 1:2.6-5
+- Enable IEEE 802.11w (management frame protection, PMF) (rh#909499)
+
+* Thu Mar 2 2017 Davide Caratti - 1:2.6-4
+- Backport support for IEEE 802.1AE (macsec)
+
+* Sat Feb 11 2017 Fedora Release Engineering - 1:2.6-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Fri Jan 27 2017 Jiří Klimeš - 1:2.6-2
+- Enable Wi-Fi Display support for Miracast (rh #1395682)
+
+* Tue Nov 22 2016 Lubomir Rintel - 1:2.6-1
+- Update to version 2.6
+
+* Fri Feb 05 2016 Fedora Release Engineering - 1:2.5-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Mon Nov 16 2015 Lubomir Rintel - 1:2.5-4
+- Really synchronize the service file with upstream
+
+* Tue Nov 03 2015 Lukáš Nykrýn - 1:2.5-3
+- Scriptlets replaced with new systemd macros (rh #850369)
+
+* Sat Oct 31 2015 Lubomir Rintel - 1:2.5-2
+- Enable syslog by default
+- Drop writing a pid and log file
+
+* Tue Oct 27 2015 Lubomir Rintel - 1:2.5-1
+- Update to version 2.5
+
+* Fri Oct 23 2015 Lubomir Rintel - 1:2.4-6
+- Fix the D-Bus policy
+
+* Sat Oct 3 2015 Ville Skyttä - 1:2.4-5
+- Don't order service after syslog.target (rh #1055197)
+- Mark COPYING as %%license
+
+* Wed Jul 15 2015 Jiří Klimeš - 1:2.4-4
+- Fix for NDEF record payload length checking (rh #1241907)
+
+* Tue Jun 16 2015 Jiří Klimeš - 1:2.4-3
+- Fix a crash if P2P management interface is used (rh #1231973)
+
+* Thu Apr 23 2015 Dan Williams - 1:2.4-2
+- Remove obsolete wpa_supplicant-openssl-more-algs.patch
+
+* Thu Apr 23 2015 Adam Williamson - 1:2.4-1
+- new release 2.4
+- add some info on a couple of patches
+- drop some patches merged or superseded upstream
+- rediff other patches
+- drop libeap hackery (we dropped the kernel drivers anyhow)
+- backport fix for CVE-2015-1863
+
+* Sat Nov 01 2014 Orion Poplawski - 1:2.3-2
+- Do not install wpa_supplicant.service as executable (bug #803980)
+
+* Thu Oct 30 2014 Lubomir Rintel - 1:2.3-1
+- Update to 2.3
+
+* Wed Oct 22 2014 Dan Williams - 1:2.0-12
+- Use os_exec() for action script execution (CVE-2014-3686)
+
+* Thu Aug 21 2014 Kevin Fenzi - 1:2.0-11
+- Rebuild for rpm bug 1131960
+
+* Mon Aug 18 2014 Fedora Release Engineering - 1:2.0-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Sun Jun 08 2014 Fedora Release Engineering - 1:2.0-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Mon Nov 18 2013 Dan Williams - 1:2.0-8
+- Don't disconnect when PMKSA cache gets too large (rh #1016707)
+
+* Sun Aug 04 2013 Fedora Release Engineering - 1:2.0-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Wed Jul 10 2013 Dan Williams - 1:2.0-6
+- Enable full RELRO/PIE/PIC for wpa_supplicant and libeap
+- Fix changelog dates
+
+* Wed Jul 10 2013 Dan Williams - 1:2.0-5
+- Build and package eapol_test (rh 
#638218) + +* Wed Jul 10 2013 Dan Williams - 1:2.0-4 +- Disable WiMAX libeap hack for RHEL + +* Wed May 15 2013 Dan Williams - 1:2.0-3 +- Enable HT (802.11n) for AP mode + +* Tue May 7 2013 Dan Williams - 1:2.0-2 +- Use hardened build macros and ensure they apply to libeap too + +* Mon May 6 2013 Dan Williams - 1:2.0-1 +- Update to 2.0 +- Be less aggressive when roaming due to signal strength changes (rh #837402) + +* Mon Apr 1 2013 Dan Williams - 1:1.1-1 +- Update to 1.1 +- Be less aggressive when roaming due to signal strength changes + +* Fri Feb 15 2013 Fedora Release Engineering - 1:1.0-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Sun Jan 20 2013 Dan Horák - 1:1.0-3 +- rebuilt again for fixed soname in libnl3 + +* Sun Jan 20 2013 Kalev Lember - 1:1.0-2 +- Rebuilt for libnl3 + +* Wed Aug 29 2012 Dan Williams - 1:1.0-1 +- Enable lightweight AP mode support +- Enable P2P (WiFi Direct) support +- Enable RSN IBSS/AdHoc support + +* Sun Jul 22 2012 Fedora Release Engineering - 1:1.0-0.5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Tue May 1 2012 Dan Williams - 1:1.0-0.4 +- Update to wpa_supplicant 1.0-rc3 +- Fix systemd target dependencies (rh #815091) + +* Fri Mar 2 2012 Dan Williams - 1:1.0-0.3 +- Update to latest 1.0 git snapshot +- Rebuild against libnl3 + +* Thu Feb 2 2012 Dan Williams - 1:1.0-0.2 +- Fix driver fallback for non nl80211-based drivers (rh #783712) + +* Tue Jan 10 2012 Dan Williams - 1:1.0-0.1 +- Update to 1.0-rc1 + git + +* Fri Sep 9 2011 Tom Callaway - 1:0.7.3-11 +- add missing systemd scriptlets + +* Thu Sep 8 2011 Tom Callaway - 1:0.7.3-10 +- convert to systemd + +* Wed Jul 27 2011 Dan Williams - 1:0.7.3-9 +- Fix various crashes with D-Bus interface (rh #678625) (rh #725517) + +* Tue May 3 2011 Dan Williams - 1:0.7.3-8 +- Don't crash when trying to access invalid properties via D-Bus (rh #678625) + +* Mon May 2 2011 Dan Williams - 1:0.7.3-7 +- Make examples read-only to avoid 
erroneous python dependency (rh #687952)
+
+* Tue Apr 19 2011 Bill Nottingham - 1:0.7.3-6
+- Fix EAP patch to only apply when building libeap
+
+* Fri Mar 25 2011 Bill Nottingham - 1:0.7.3-5
+- Add libeap/libeap-devel subpackge for WiMAX usage
+
+* Mon Feb 07 2011 Fedora Release Engineering - 1:0.7.3-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Tue Jan 11 2011 Dan Williams - 1:0.7.3-3
+- Enable EAP-TNC (rh #659038)
+
+* Wed Dec 15 2010 Dan Williams - 1:0.7.3-2
+- Enable the bgscan_simple plugin
+
+* Wed Dec 8 2010 Dan Williams - 1:0.7.3-1
+- Update to 0.7.3
+- Drop upstreamed and backported patches
+- Drop support for Qt3
+
+* Thu Oct 7 2010 Peter Lemenkov - 1:0.6.8-11
+- Added comments to some patches (see rhbz #226544#c17)
+- Shortened %%install section a bit
+
+* Thu May 13 2010 Dan Williams - 1:0.6.8-10
+- Remove prereq on chkconfig
+- Build GUI with qt4 for rawhide (rh #537105)
+
+* Thu May 6 2010 Dan Williams - 1:0.6.8-9
+- Fix crash when interfaces are removed (like suspend/resume) (rh #589507)
+
+* Wed Jan 6 2010 Dan Williams - 1:0.6.8-8
+- Fix handling of newer PKCS#12 files (rh #541924)
+
+* Sun Nov 29 2009 Dan Williams - 1:0.6.8-7
+- Fix supplicant initscript return value (rh #521807)
+- Fix race when connecting to WPA-Enterprise/802.1x-enabled access points (rh #508509)
+- Don't double-scan when attempting to associate
+
+* Fri Aug 21 2009 Tomas Mraz - 1:0.6.8-6
+- rebuilt with new openssl
+
+* Mon Jul 27 2009 Fedora Release Engineering - 1:0.6.8-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Wed May 13 2009 Dan Williams - 1:0.6.8-4
+- Let D-Bus clients know when the supplicant is scanning
+
+* Tue May 12 2009 Dan Williams - 1:0.6.8-3
+- Ensure the supplicant starts and ends with clean driver state
+- Handle driver disconnect spammage by forcibly clearing SSID
+- Don't switch access points unless the current association is dire (rh #493745)
+
+* Tue May 12 2009 Dan Williams - 1:0.6.8-2
+- Avoid creating bogus Ad-Hoc networks when forcing the driver to disconnect (rh #497771)
+
+* Mon Mar 9 2009 Dan Williams - 1:0.6.8-1
+- Update to latest upstream release
+
+* Wed Feb 25 2009 Colin Walters - 1:0.6.7-4
+- Add patch from upstream to suppress unrequested replies, this
+ quiets a dbus warning.
+
+* Fri Feb 6 2009 Dan Williams - 1:0.6.7-3
+- Fix scan result retrieval in very dense wifi environments
+
+* Fri Feb 6 2009 Dan Williams - 1:0.6.7-2
+- Ensure that drivers don't retry association when they aren't supposed to
+
+* Fri Jan 30 2009 Dan Williams - 1:0.6.7-1
+- Fix PEAP connections to Windows Server 2008 authenticators (rh #465022)
+- Stop supplicant on uninstall (rh #447843)
+- Suppress scan results message in logs (rh #466601)
+
+* Sun Jan 18 2009 Tomas Mraz - 1:0.6.4-3
+- rebuild with new openssl
+
+* Wed Oct 15 2008 Dan Williams - 1:0.6.4-2
+- Handle encryption keys correctly when switching 802.11 modes (rh #459399)
+- Better scanning behavior on resume from suspend/hibernate
+- Better interaction with newer kernels and drivers
+
+* Wed Aug 27 2008 Dan Williams - 1:0.6.4-1
+- Update to 0.6.4
+- Remove 'hostap', 'madwifi', and 'prism54' drivers; use standard 'wext' instead
+- Drop upstreamed patches
+
+* Tue Jun 10 2008 Dan Williams - 1:0.6.3-6
+- Fix 802.11a frequency bug
+- Always schedule specific SSID scans to help find hidden APs
+- Properly switch between modes on mac80211 drivers
+- Give adhoc connections more time to assocate
+
+* Mon Mar 10 2008 Christopher Aillon - 1:0.6.3-5
+- BuildRequires qt3-devel
+
+* Sat Mar 8 2008 Dan Williams - 1:0.6.3-4
+- Fix log file path in service config file
+
+* Thu Mar 6 2008 Dan Williams - 1:0.6.3-3
+- Don't start the supplicant by default when installed (rh #436380)
+
+* Tue Mar 4 2008 Dan Williams - 1:0.6.3-2
+- Fix a potential use-after-free in the D-Bus byte array demarshalling code
+
+* Mon Mar 3 2008 Dan Williams - 1:0.6.3-1
+- Update to latest development release; remove upstreamed patches
+
+* Fri Feb 22 2008 Dan Williams 1:0.5.7-23
+- Fix gcc 4.3 rebuild issues
+
+* Mon Feb 18 2008 Fedora Release Engineering - 1:0.5.7-22
+- Autorebuild for GCC 4.3
+
+* Tue Dec 25 2007 Dan Williams - 0.5.7-21
+- Backport 'frequency' option for Ad-Hoc network configs
+
+* Mon Dec 24 2007 Dan Williams - 0.5.7-20
+- Fix LSB initscript header to ensure 'messagebus' is started first (rh #244029)
+
+* Thu Dec 6 2007 Dan Williams - 1:0.5.7-19
+- Fix two leaks when signalling state and scan results (rh #408141)
+- Add logrotate config file (rh #404181)
+- Add new LSB initscript header to initscript with correct deps (rh #244029)
+- Move other runtime arguments to /etc/sysconfig/wpa_supplicant
+- Start after messagebus service (rh #385191)
+- Fix initscript 'condrestart' command (rh #217281)
+
+* Tue Dec 4 2007 Matthias Clasen - 1:0.5.7-18
+- Rebuild against new openssl
+
+* Tue Dec 4 2007 Ville Skyttä - 1:0.5.7-17
+- Group: Application/System -> Applications/System in -gui.
+
+* Tue Nov 13 2007 Dan Williams - 0.5.7-16
+- Add IW_ENCODE_TEMP patch for airo driver and Dynamic WEP
+- Fix error in wpa_supplicant-0.5.7-ignore-dup-ca-cert-addition.patch that
+ caused the last error to not be printed
+- Fix wpa_supplicant-0.5.7-ignore-dup-ca-cert-addition.patch to ignore
+ duplicate cert additions for all certs and keys
+- Change license to BSD due to linkage against OpenSSL since there is no
+ OpenSSL exception in the GPLv2 license text that upstream ships
+
+* Sun Oct 28 2007 Dan Williams - 0.5.7-15
+- Fix Dynamic WEP associations with mac80211-based drivers
+
+* Sun Oct 28 2007 Dan Williams - 0.5.7-14
+- Don't error an association on duplicate CA cert additions
+
+* Wed Oct 24 2007 Dan Williams - 0.5.7-13
+- Correctly set the length of blobs added via the D-Bus interface
+
+* Wed Oct 24 2007 Dan Williams - 0.5.7-12
+- Fix conversion of byte arrays to strings by ensuring the buffer is NULL
+ terminated after conversion
+
+* Sat Oct 20 2007 Dan Williams - 0.5.7-11
+- Add BLOB support to the D-Bus interface
+- Fix D-Bus interface permissions so that only root can use the wpa_supplicant
+ D-Bus interface
+
+* Tue Oct 9 2007 Dan Williams - 0.5.7-10
+- Don't segfault with dbus control interface enabled and invalid network
+ interface (rh #310531)
+
+* Tue Sep 25 2007 Dan Williams - 0.5.7-9
+- Always allow explicit wireless scans triggered from a control interface
+
+* Thu Sep 20 2007 Dan Williams - 0.5.7-8
+- Change system bus activation file name to work around D-Bus bug that fails
+ to launch services unless their .service file is named the same as the
+ service itself
+
+* Fri Aug 24 2007 Dan Williams - 0.5.7-7
+- Make SIGUSR1 change debug level on-the-fly; useful in combination with
+ the -f switch to log output to /var/log/wpa_supplicant.log
+- Stop stripping binaries on install so we get debuginfo packages
+- Remove service start requirement for interfaces & devices from sysconfig file,
+ since wpa_supplicant's D-Bus interface is now turned on
+
+* Fri Aug 17 2007 Dan Williams - 0.5.7-6
+- Fix compilation with RPM_OPT_FLAGS (rh #249951)
+- Make debug output to logfile a runtime option
+
+* Fri Aug 17 2007 Christopher Aillon - 0.5.7-5
+- Update the license tag
+
+* Tue Jun 19 2007 Dan Williams - 0.5.7-4
+- Fix initscripts to use -Dwext by default, be more verbose on startup
+ (rh #244511)
+
+* Mon Jun 4 2007 Dan Williams - 0.5.7-3
+- Fix buffer overflow by removing syslog patch (#rh242455)
+
+* Mon Apr 9 2007 Dan Williams - 0.5.7-2
+- Add patch to send output to syslog
+
+* Thu Mar 15 2007 Dan Williams - 0.5.7-1
+- Update to 0.5.7 stable release
+
+* Fri Oct 27 2006 Dan Williams - 0.4.9-1
+- Update to 0.4.9 for WE-21 fixes, remove upstreamed patches
+- Don't package doc/ because they aren't actually wpa_supplicant user documentation,
+ and becuase it pulls in perl
+
+* Wed Jul 12 2006 Jesse Keating - 0.4.8-10.1
+- rebuild
+
+* Thu Apr 27 2006 Dan Williams - 0.4.8-10
+- Add fix for madwifi and WEP (wpa_supplicant/hostap bud #140) (#rh190075#)
+- Fix up madwifi-ng private ioctl()s for r1331 and later
+- Update madwifi headers to r1475
+
+* Tue Apr 25 2006 Dan Williams - 0.4.8-9
+- Enable Wired driver, PKCS12, and Smartcard options (#rh189805#)
+
+* Tue Apr 11 2006 Dan Williams - 0.4.8-8
+- Fix control interface key obfuscation a bit
+
+* Sun Apr 2 2006 Dan Williams - 0.4.8-7
+- Work around older & incorrect drivers that return null-terminated SSIDs
+
+* Mon Mar 27 2006 Dan Williams - 0.4.8-6
+- Add patch to make orinoco happy with WEP keys
+- Enable Prism54-specific driver
+- Disable ipw-specific driver; ipw2x00 should be using WEXT instead
+
+* Fri Mar 3 2006 Dan Williams - 0.4.8-5
+- Increase association timeout, mainly for drivers that don't
+ fully support WPA ioctls yet
+
+* Fri Mar 3 2006 Dan Williams - 0.4.8-4
+- Add additional BuildRequires #rh181914#
+- Add prereq on chkconfig #rh182905# #rh182906#
+- Own /var/run/wpa_supplicant and /etc/wpa_supplicant #rh183696#
+
+* Wed Mar 1 2006 Dan Williams - 0.4.8-3
+- Install wpa_passphrase too #rh183480#
+
+* Mon Feb 27 2006 Dan Williams - 0.4.8-2
+- Don't expose private data on the control interface unless requested
+
+* Fri Feb 24 2006 Dan Williams - 0.4.8-1
+- Downgrade to 0.4.8 stable release rather than a dev release
+
+* Sun Feb 12 2006 Dan Williams - 0.5.1-3
+- Documentation cleanup (Terje Rosten )
+
+* Sun Feb 12 2006 Dan Williams - 0.5.1-2
+- Move initscript to /etc/rc.d/init.d
+
+* Fri Feb 10 2006 Jesse Keating - 0.5.1-1.2
+- bump again for double-long bug on ppc(64)
+
+* Tue Feb 07 2006 Jesse Keating - 0.5.1-1.1
+- rebuilt for new gcc4.1 snapshot and glibc changes
+
+* Sun Feb 5 2006 Dan Williams 0.5.1-1
+- Update to 0.5.1
+- Add WE auth fallback to actually work with older drivers
+
+* Thu Jan 26 2006 Dan Williams 0.4.7-2
+- Bring package into Fedora Core
+- Add ap_scan control interface patch
+- Enable madwifi-ng driver
+
+* Sun Jan 15 2006 Douglas E. Warner 0.4.7-1
+- upgrade to 0.4.7
+- added package w/ wpa_gui in it
+
+* Mon Nov 14 2005 Douglas E. Warner 0.4.6-1
+- upgrade to 0.4.6
+- adding ctrl interface changes recommended
+ by Hugo Paredes
+
+* Sun Oct 9 2005 Douglas E. Warner 0.4.5-1
+- upgrade to 0.4.5
+- updated config file wpa_supplicant is built with
+ especially, the ipw2100 driver changed to just ipw
+ and enabled a bunch more EAP
+- disabled dist tag
+
+* Thu Jun 30 2005 Douglas E. Warner 0.4.2-3
+- fix typo in init script
+
+* Thu Jun 30 2005 Douglas E. Warner 0.4.2-2
+- fixing init script using fedora-extras' template
+- removing chkconfig default startup
+
+* Tue Jun 21 2005 Douglas E. Warner 0.4.2-1
+- upgrade to 0.4.2
+- new sample conf file that will use any unrestricted AP
+- make sysconfig config entry
+- new BuildRoot for Fedora Extras
+- adding dist tag to Release
+
+* Fri May 06 2005 Douglas E. Warner 0.3.8-1
+- upgrade to 0.3.8
+
+* Thu Feb 10 2005 Douglas E. Warner 0.3.6-2
+- compile ipw driver in
+
+* Wed Feb 09 2005 Douglas E. Warner 0.3.6-1
+- upgrade to 0.3.6
+
+* Thu Dec 23 2004 Douglas E. Warner 0.2.5-4
+- fixing init script
+
+* Mon Dec 20 2004 Douglas E. Warner 0.2.5-3
+- fixing init script
+- adding post/preun items to add/remove via chkconfig
+
+* Mon Dec 20 2004 Douglas E. Warner 0.2.5-2
+- adding sysV scripts
+
+* Mon Dec 20 2004 Douglas E. Warner 0.2.5-1
+- Initial RPM release.
+