diff --git a/trunk/CVE-2019-16275.patch b/trunk/CVE-2019-16275.patch
deleted file mode 100644
index d764a9d..0000000
--- a/trunk/CVE-2019-16275.patch
+++ /dev/null
@@ -1,73 +0,0 @@ -From 8c07fa9eda13e835f3f968b2e1c9a8be3a851ff9 Mon Sep 17 00:00:00 2001 -From: Jouni Malinen -Date: Thu, 29 Aug 2019 11:52:04 +0300 -Subject: [PATCH] AP: Silently ignore management frame from unexpected source - address - -Do not process any received Management frames with unexpected/invalid SA -so that we do not add any state for unexpected STA addresses or end up -sending out frames to unexpected destination. This prevents unexpected -sequences where an unprotected frame might end up causing the AP to send -out a response to another device and that other device processing the -unexpected response. - -In particular, this prevents some potential denial of service cases -where the unexpected response frame from the AP might result in a -connected station dropping its association. - -Signed-off-by: Jouni Malinen ---- - src/ap/drv_callbacks.c | 13 +++++++++++++ - src/ap/ieee802_11.c | 12 ++++++++++++ - 2 files changed, 25 insertions(+) - -diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c -index 31587685fe3b..34ca379edc3d 100644 ---- a/src/ap/drv_callbacks.c -+++ b/src/ap/drv_callbacks.c -@@ -131,6 +131,19 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr, - "hostapd_notif_assoc: Skip event with no address"); - return -1; - } -+ -+ if (is_multicast_ether_addr(addr) || -+ is_zero_ether_addr(addr) || -+ os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) { -+ /* Do not process any frames with unexpected/invalid SA so that -+ * we do not add any state for unexpected STA addresses or end -+ * up sending out frames to unexpected destination. 
*/ -+ wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR -+ " in received indication - ignore this indication silently", -+ __func__, MAC2STR(addr)); -+ return 0; -+ } -+ - random_add_randomness(addr, ETH_ALEN); - - hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211, -diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c -index c85a28db44b7..e7065372e158 100644 ---- a/src/ap/ieee802_11.c -+++ b/src/ap/ieee802_11.c -@@ -4626,6 +4626,18 @@ int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len, - fc = le_to_host16(mgmt->frame_control); - stype = WLAN_FC_GET_STYPE(fc); - -+ if (is_multicast_ether_addr(mgmt->sa) || -+ is_zero_ether_addr(mgmt->sa) || -+ os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) { -+ /* Do not process any frames with unexpected/invalid SA so that -+ * we do not add any state for unexpected STA addresses or end -+ * up sending out frames to unexpected destination. */ -+ wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR -+ " in received frame - ignore this frame silently", -+ MAC2STR(mgmt->sa)); -+ return 0; -+ } -+ - if (stype == WLAN_FC_STYPE_BEACON) { - handle_beacon(hapd, mgmt, len, fi); - return 1; --- -2.20.1 - diff --git a/trunk/PKGBUILD b/trunk/PKGBUILD index 0efacb4..3ceea83 100644 --- a/trunk/PKGBUILD +++ b/trunk/PKGBUILD @@ -2,8 +2,8 @@ # Contributor: Thomas Bächler pkgname=wpa_supplicant -pkgver=2.9 -pkgrel=8 +pkgver=2.10 +pkgrel=1 epoch=2 pkgdesc='A utility providing key negotiation for WPA wireless networks' url='https://w1.fi/wpa_supplicant/' 
@@ -13,21 +13,17 @@ depends=(openssl libdbus readline libnl) install=wpa_supplicant.install source=( https://w1.fi/releases/${pkgname}-${pkgver}.tar.gz{,.asc} - https://w1.fi/security/2020-2/0001-P2P-Fix-copying-of-secondary-device-types-for-P2P-gr.patch - CVE-2019-16275.patch - tls.patch # More permissive TLS fallback - systemd.patch # Unit improvements from Ubuntu - roam-properties.patch # https://bugs.archlinux.org/task/65482 - config + wpa_supplicant_tls.patch # More permissive TLS fallback + wpa_supplicant_dbus_service_syslog.patch # Unit improvements from Ubuntu + wpa_supplicant_service_ignore-on-isolate.patch # More unit improvements from Ubuntu + wpa_supplicant_config ) validpgpkeys=('EC4AA0A991A5F2464582D52D2B6EF432EFC895FA') # Jouni Malinen -sha256sums=('fcbdee7b4a64bea8177973299c8c824419c413ec2e3a95db63dd6a5dc3541f17' +sha256sums=('20df7ae5154b3830355f8ab4269123a87affdea59fe74fe9292a91d0d7e17b2f' 'SKIP' - 'c4d65cc13863e0237d0644198558e2c47b4ed91e2b2be4516ff590724187c4a5' - 'bf91a135e717265969f1ab0319297c9d2e6f695928a17e3b3fa5accc8ef7b297' - '449c7dad67b246b5b93e796f57c2f90c5c32cfc5b16f7aa4f17802dc260d3414' - 'dd14f99618bb4db40eadfaf4ced29d6139ccf319429a1eef54c2c08c80924742' - '1ad3b61397c4a1dbafbf89059bccdda07cfe7eaff9f23ee25bed7bdd82c2bd87' + '08915b040d03a3e07cdc8ea6c76b497e00059e01ce85b67413dfe41d4fc68992' + '60f6a1cf2e124813dfce1da78ee1818e2ff5236aafa4113c7ae3b3f2a0b84006' + 'd42bdbf3d4980b9f0a819612df0c39843c7e96c8afcb103aa656c824f93790b0' '6f71a04875465178992e78216603d3c4735ee717a31738a6e30702c7a81c6c4e') prepare() { @@ -42,7 +38,7 @@ prepare() { done cd "$srcdir/$pkgname-$pkgver/$pkgname" - cp "$srcdir/config" ./.config + cp "$srcdir/wpa_supplicant_config" ./.config } build() { diff --git a/trunk/roam-properties.patch b/trunk/roam-properties.patch deleted file mode 100644 index 30cd2ef..0000000 --- a/trunk/roam-properties.patch +++ /dev/null 
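Review bot: The `# More permissive TLS fallback` comment on the new `wpa_supplicant_tls.patch` source entry understates what the patch does: it calls `SSL_CTX_set_min_proto_version(ssl, TLS1_VERSION)` in tls_init, so the TLSv1.0 floor applies to every EAP-TLS/PEAP/TTLS handshake the client starts, not only to a fallback after a failure. A label such as `# Lower the EAP TLS minimum version to TLSv1.0 for legacy networks` lets a packager see the weakening at a glance. The same hunk also drops `0001-P2P-Fix-copying-of-secondary-device-types-for-P2P-gr.patch` and `CVE-2019-16275.patch` with nothing recording why; presumably both fixes ship in the 2.10 tarball, and a one-line comment or a commit message saying so would save the next auditor from re-checking. The upstream trust anchor is unchanged, since the tarball is still verified against `validpgpkeys` and the `.asc` stays `SKIP`, which is the right split.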
@@ -1,88 +0,0 @@ -From 23d87687c2428f3b94865580b0d33e05c03e6756 Mon Sep 17 00:00:00 2001 -From: Matthew Wang -Date: Fri, 11 Oct 2019 13:49:25 -0700 -Subject: dbus: Move roam metrics to the correct interface - -These properties were in the wpas_dbus_bss_properties array when they -should have been in the wpas_dbus_interface_properties array. Move them -to the right place. This is the logical location for these properties -and it matches both the other parts of the implementation (e.g., being -in enum wpas_dbus_prop, not in enum wpas_dbus_bss_prop) and what -was originally documented for the interface in dbus.doxygen. - -Fixes: 2bbad1c7c9cb ("dbus: Export roam time, roam complete, and session length") -Fixes: 80d06d0ca9f3 ("dbus: Export BSS Transition Management status") -Signed-off-by: Matthew Wang ---- - wpa_supplicant/dbus/dbus_new.c | 48 +++++++++++++++++++++--------------------- - 1 file changed, 24 insertions(+), 24 deletions(-) - -diff --git a/wpa_supplicant/dbus/dbus_new.c b/wpa_supplicant/dbus/dbus_new.c -index 5e6b522..e9e77bd 100644 ---- a/wpa_supplicant/dbus/dbus_new.c -+++ b/wpa_supplicant/dbus/dbus_new.c -@@ -2855,30 +2855,6 @@ static const struct wpa_dbus_property_desc wpas_dbus_bss_properties[] = { - NULL, - NULL - }, -- { -- "RoamTime", WPAS_DBUS_NEW_IFACE_INTERFACE, "u", -- wpas_dbus_getter_roam_time, -- NULL, -- NULL -- }, -- { -- "RoamComplete", WPAS_DBUS_NEW_IFACE_INTERFACE, "b", -- wpas_dbus_getter_roam_complete, -- NULL, -- NULL -- }, -- { -- "SessionLength", WPAS_DBUS_NEW_IFACE_INTERFACE, "u", -- wpas_dbus_getter_session_length, -- NULL, -- NULL -- }, -- { -- "BSSTMStatus", WPAS_DBUS_NEW_IFACE_INTERFACE, "u", -- wpas_dbus_getter_bss_tm_status, -- NULL, -- NULL -- }, - { NULL, NULL, NULL, NULL, NULL, NULL } - }; - -@@ -3786,6 +3762,30 @@ static const struct wpa_dbus_property_desc wpas_dbus_interface_properties[] = { - NULL, - NULL - }, -+ { -+ "RoamTime", WPAS_DBUS_NEW_IFACE_INTERFACE, "u", -+ wpas_dbus_getter_roam_time, -+ NULL, -+ NULL -+ }, 
-+ { -+ "RoamComplete", WPAS_DBUS_NEW_IFACE_INTERFACE, "b", -+ wpas_dbus_getter_roam_complete, -+ NULL, -+ NULL -+ }, -+ { -+ "SessionLength", WPAS_DBUS_NEW_IFACE_INTERFACE, "u", -+ wpas_dbus_getter_session_length, -+ NULL, -+ NULL -+ }, -+ { -+ "BSSTMStatus", WPAS_DBUS_NEW_IFACE_INTERFACE, "u", -+ wpas_dbus_getter_bss_tm_status, -+ NULL, -+ NULL -+ }, - #ifdef CONFIG_MESH - { "MeshPeers", WPAS_DBUS_NEW_IFACE_MESH, "aay", - wpas_dbus_getter_mesh_peers, --- -cgit v0.12 - diff --git a/trunk/systemd.patch b/trunk/systemd.patch deleted file mode 100644 index 0ef2778..0000000 --- a/trunk/systemd.patch +++ /dev/null @@ -1,29 +0,0 @@ -diff -u -r wpa_supplicant-2.9/wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in wpa_supplicant-2.9-systemd/wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in ---- wpa_supplicant-2.9/wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in 2019-08-07 13:25:25.000000000 +0000 -+++ wpa_supplicant-2.9-systemd/wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in 2020-01-22 22:46:14.676497087 +0000 -@@ -1,5 +1,5 @@ - [D-BUS Service] - Name=fi.w1.wpa_supplicant1 --Exec=@BINDIR@/wpa_supplicant -u -+Exec=@BINDIR@/wpa_supplicant -u -s -O /run/wpa_supplicant - User=root - SystemdService=wpa_supplicant.service -diff -u -r wpa_supplicant-2.9/wpa_supplicant/systemd/wpa_supplicant.service.in wpa_supplicant-2.9-systemd/wpa_supplicant/systemd/wpa_supplicant.service.in ---- wpa_supplicant-2.9/wpa_supplicant/systemd/wpa_supplicant.service.in 2019-08-07 13:25:25.000000000 +0000 -+++ wpa_supplicant-2.9-systemd/wpa_supplicant/systemd/wpa_supplicant.service.in 2020-01-22 22:47:53.561183663 +0000 -@@ -1,12 +1,14 @@ - [Unit] - Description=WPA supplicant - Before=network.target -+After=dbus.service - Wants=network.target -+IgnoreOnIsolate=true - - [Service] - Type=dbus - BusName=fi.w1.wpa_supplicant1 --ExecStart=@BINDIR@/wpa_supplicant -u -+ExecStart=@BINDIR@/wpa_supplicant -u -s -O /run/wpa_supplicant - - [Install] - WantedBy=multi-user.target 
diff --git a/trunk/tls.patch b/trunk/tls.patch deleted file mode 100644 index 819f69e..0000000 --- a/trunk/tls.patch +++ /dev/null @@ -1,26 +0,0 @@ -diff -u -r wpa_supplicant-2.9/src/crypto/tls_openssl.c wpa_supplicant-2.9-tls/src/crypto/tls_openssl.c ---- wpa_supplicant-2.9/src/crypto/tls_openssl.c 2019-08-07 13:25:25.000000000 +0000 -+++ wpa_supplicant-2.9-tls/src/crypto/tls_openssl.c 2020-01-22 22:49:12.575598357 +0000 -@@ -1035,6 +1035,13 @@ - os_free(data); - return NULL; - } -+ -+#ifndef EAP_SERVER_TLS -+ /* Enable TLSv1.0 by default to allow connecting to legacy -+ * networks since Debian OpenSSL is set to minimum TLSv1.2 and SECLEVEL=2. */ -+ SSL_CTX_set_min_proto_version(ssl, TLS1_VERSION); -+#endif -+ - data->ssl = ssl; - if (conf) { - data->tls_session_lifetime = conf->tls_session_lifetime; -@@ -1577,6 +1584,7 @@ - #ifdef SSL_OP_NO_COMPRESSION - options |= SSL_OP_NO_COMPRESSION; - #endif /* SSL_OP_NO_COMPRESSION */ -+ options |= SSL_OP_NO_TICKET; - SSL_set_options(conn->ssl, options); - #ifdef SSL_OP_ENABLE_MIDDLEBOX_COMPAT - /* Hopefully there is no need for middlebox compatibility mechanisms -Only in wpa_supplicant-2.9-tls/src/crypto: tls_openssl.c.orig diff --git a/trunk/config b/trunk/wpa_supplicant_config similarity index 100% rename from trunk/config rename to trunk/wpa_supplicant_config diff --git a/trunk/wpa_supplicant_dbus_service_syslog.patch b/trunk/wpa_supplicant_dbus_service_syslog.patch new file mode 100644 index 0000000..5abc41b --- /dev/null +++ b/trunk/wpa_supplicant_dbus_service_syslog.patch 
@@ -0,0 +1,36 @@ +From: Kel Modderman +Date: Sat, 21 Apr 2012 15:59:32 +1000 +Subject: Tweak D-Bus/systemd service activation configuration files: + + * log wpa_supplicant messages to syslog + * activate control socket interface so that wpa_cli can be used by D-Bus + activated wpa_supplicant daemon +--- + wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in | 2 +- + wpa_supplicant/systemd/wpa_supplicant.service.in | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in b/wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in +index d97ff39..3b0af67 100644 +--- a/wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in ++++ b/wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in +@@ -1,5 +1,5 @@ + [D-BUS Service] + Name=fi.w1.wpa_supplicant1 +-Exec=@BINDIR@/wpa_supplicant -u ++Exec=@BINDIR@/wpa_supplicant -u -s -O /run/wpa_supplicant + User=root + SystemdService=wpa_supplicant.service +diff --git a/wpa_supplicant/systemd/wpa_supplicant.service.in b/wpa_supplicant/systemd/wpa_supplicant.service.in +index 58a6228..bc0688a 100644 +--- a/wpa_supplicant/systemd/wpa_supplicant.service.in ++++ b/wpa_supplicant/systemd/wpa_supplicant.service.in +@@ -7,7 +7,7 @@ Wants=network.target + [Service] + Type=dbus + BusName=fi.w1.wpa_supplicant1 +-ExecStart=@BINDIR@/wpa_supplicant -u ++ExecStart=@BINDIR@/wpa_supplicant -u -s -O /run/wpa_supplicant + + [Install] + WantedBy=multi-user.target diff --git a/trunk/wpa_supplicant_service_ignore-on-isolate.patch b/trunk/wpa_supplicant_service_ignore-on-isolate.patch new file mode 100644 index 0000000..454030d --- /dev/null +++ b/trunk/wpa_supplicant_service_ignore-on-isolate.patch 
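Review bot: The `-O /run/wpa_supplicant` argument added to both `Exec=` and `ExecStart=` points the control socket directory at `/run/wpa_supplicant` with no `GROUP=` component, and the D-Bus service runs with `User=root`, so presumably only root can drive the daemon through `wpa_cli`; that is the safe default, but it is narrower than the patch subject ("so that wpa_cli can be used") suggests. A comment next to the patch in the PKGBUILD, e.g. `# control socket in /run/wpa_supplicant; root-only unless GROUP= is added`, would make that explicit, and anyone later widening it to a group should keep in mind that the control interface allows full reconfiguration of network credentials. The identical option string duplicated across the D-Bus activation file and the systemd unit is also a small maintenance hazard: if one is tweaked later, the two activation paths will diverge silently.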
@@ -0,0 +1,36 @@ +From: Mathieu Trudel-Lapierre +Date: Mon, 13 Mar 2017 13:46:12 -0400 +Subject: Add IgnoreOnIsolate=yes to keep wpa-supplicant running while + systemctl isolate + +> Add IgnoreOnIsolate=yes so that when switching "runlevels" in +> oem-config will not kill off wpa and cause wireless to be +> unavailable on first boot. (LP: #1576024) + +Also happens when running systemctl isolate default.target: + +> NM should be detecting that wpasupplicant is not running and start +> it -- this should already have been working by way of wpasupplicant +> being dbus-activated. +[...] +> It seems to me like IgnoreOnIsolate for wpasupplicant would be the +> right thing to do, or to figure out why it isn't being properly +> started when NM tries to use it. + +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1576024 +--- + wpa_supplicant/systemd/wpa_supplicant.service.in | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/wpa_supplicant/systemd/wpa_supplicant.service.in b/wpa_supplicant/systemd/wpa_supplicant.service.in +index bc0688a..561ae8f 100644 +--- a/wpa_supplicant/systemd/wpa_supplicant.service.in ++++ b/wpa_supplicant/systemd/wpa_supplicant.service.in +@@ -3,6 +3,7 @@ Description=WPA supplicant + Before=network.target + After=dbus.service + Wants=network.target ++IgnoreOnIsolate=true + + [Service] + Type=dbus diff --git a/trunk/wpa_supplicant_tls.patch b/trunk/wpa_supplicant_tls.patch new file mode 100644 index 0000000..ca1028b --- /dev/null +++ b/trunk/wpa_supplicant_tls.patch 
@@ -0,0 +1,28 @@ +From: Andrej Shadura +Date: Sat, 15 Dec 2018 14:19:22 +0100 +Subject: Enable TLSv1.0 by default + +OpenSSL 1.1.1 disables TLSv1.0 by default and sets the security level to 2. +Some older networks may support for TLSv1.0 and less secure cyphers. +--- + src/crypto/tls_openssl.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c +index c9e00b3..273e5cb 100644 +--- a/src/crypto/tls_openssl.c ++++ b/src/crypto/tls_openssl.c +@@ -1040,6 +1040,13 @@ void * tls_init(const struct tls_config *conf) + os_free(data); + return NULL; + } ++ ++#ifndef EAP_SERVER_TLS ++ /* Enable TLSv1.0 by default to allow connecting to legacy ++ * networks since Debian OpenSSL is set to minimum TLSv1.2 and SECLEVEL=2. */ ++ SSL_CTX_set_min_proto_version(ssl, TLS1_VERSION); ++#endif ++ + data->ssl = ssl; + if (conf) { + data->tls_session_lifetime = conf->tls_session_lifetime;
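Review bot: The replacement `wpa_supplicant_tls.patch` keeps the `SSL_CTX_set_min_proto_version(ssl, TLS1_VERSION)` hunk but no longer carries the `options |= SSL_OP_NO_TICKET;` change that the deleted `trunk/tls.patch` applied to the same file, so session-ticket behaviour changes with this update; if that is deliberate because 2.10 handles tickets itself, the patch header or the PKGBUILD comment should say so, otherwise the hunk should come back. The min-version call runs unconditionally inside `#ifndef EAP_SERVER_TLS`, so every client TLS context accepts TLSv1.0 (deprecated by RFC 8996) rather than only the networks that need it; a user who wants the stricter floor back presumably needs per-network `phase1` TLS flags or a rebuild, and the header should note that this is a global downgrade. The comment's reference to Debian's OpenSSL defaults is misleading in an Arch package; `/* Allow TLSv1.0 so legacy EAP networks still work; lowers the OpenSSL default minimum */` states the intent without the wrong provenance. `tls_init` continues past the end of the hunk.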