wpa_supplicant: 2.10 -> 2.11

Upstream Changes:
	* Wi-Fi Easy Connect
	  - add support for DPP release 3
	  - allow Configurator parameters to be provided during config exchange
	* MACsec
	  - add support for GCM-AES-256 cipher suite
	  - remove incorrect EAP Session-Id length constraint
	  - add hardware offload support for additional drivers
	* HE/IEEE 802.11ax/Wi-Fi 6
	  - support BSS color updates
	  - various fixes
	* EHT/IEEE 802.11be/Wi-Fi 7
	  - add preliminary support
	* support OpenSSL 3.0 API changes
	* improve EAP-TLS support for TLSv1.3
	* EAP-SIM/AKA: support IMSI privacy
	* improve mitigation against DoS attacks when PMF is used
	* improve 4-way handshake operations
	  - discard unencrypted EAPOL frames in additional cases
	  - use Secure=1 in message 2 during PTK rekeying
	* OCV: do not check Frequency Segment 1 Channel Number for 160 MHz cases
	  to avoid interoperability issues
	* support new SAE AKM suites with variable length keys
	* support new AKM for 802.1X/EAP with SHA384
	* improve cross-AKM roaming with driver-based SME/BSS selection
	* PASN
	  - extend support for secure ranging
	  - allow PASN implementation to be used with external programs for
	    Wi-Fi Aware
	* FT: Use SHA256 to derive PMKID for AKM 00-0F-AC:3 (FT-EAP)
	  - this is based on additional details being added in the IEEE 802.11
	    standard
	  - the new implementation is not backwards compatible, but PMKSA
	    caching with FT-EAP was, and still is, disabled by default
	* support a pregenerated MAC (mac_addr=3) as an alternative mechanism
	  for using per-network random MAC addresses
	* EAP-PEAP: require Phase 2 authentication by default (phase2_auth=1)
	  to improve security for still unfortunately common invalid
	  configurations that do not set ca_cert
	* extend SCS support for QoS Characteristics
	* extend MSCS support
	* support unsynchronized service discovery (USD)
	* add support for explicit SSID protection in 4-way handshake
	  (a mitigation for CVE-2023-52424; disabled by default for now, can be
	  enabled with ssid_protection=1)
	  - in addition, verify SSID after key setup when beacon protection is
	    used
	* fix SAE H2E rejected groups validation to avoid downgrade attacks
	* a large number of other fixes, cleanup, and extensions

Changelog:
http://w1.fi/cgit/hostap/tree/wpa_supplicant/ChangeLog?id=d945ddd368085f255e68328f2d3b020ceea359af

Signed-off-by: Markus Theil <theil.markus@gmail.com>

pkgs/os-specific/linux/wpa_supplicant/0001-Implement-read-only-mode-for-ssids.patch

@@ -1,130 +0,0 @@
-From 99ae610f0ae3608a12c864caedf396f14e68327d Mon Sep 17 00:00:00 2001
-From: Maximilian Bosch <maximilian@mbosch.me>
-Date: Fri, 19 Feb 2021 19:44:21 +0100
-Subject: [PATCH] Implement read-only mode for ssids
-
-With this change it's possible to define `network=`-sections in a second
-config file specified via `-I` without having changes written to
-`/etc/wpa_supplicant.conf`.
-
-This is helpful on e.g. NixOS to allow both declarative (i.e. read-only)
-and imperative (i.e. mutable) networks.
----
- wpa_supplicant/config.h         | 2 +-
- wpa_supplicant/config_file.c    | 5 +++--
- wpa_supplicant/config_none.c    | 2 +-
- wpa_supplicant/config_ssid.h    | 2 ++
- wpa_supplicant/wpa_supplicant.c | 8 ++++----
- 5 files changed, 11 insertions(+), 8 deletions(-)
-
-diff --git a/wpa_supplicant/config.h b/wpa_supplicant/config.h
-index 6a297ecfe..adaf4d398 100644
---- a/wpa_supplicant/config.h
-+++ b/wpa_supplicant/config.h
-@@ -1614,7 +1614,7 @@ const char * wpa_config_get_global_field_name(unsigned int i, int *no_var);
-  *
-  * Each configuration backend needs to implement this function.
-  */
--struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp);
-+struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp, int ro);
- 
- /**
-  * wpa_config_write - Write or update configuration data
-diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c
-index 77c326df5..d5ed051b9 100644
---- a/wpa_supplicant/config_file.c
-+++ b/wpa_supplicant/config_file.c
-@@ -373,7 +373,7 @@ static int wpa_config_process_blob(struct wpa_config *config, FILE *f,
- #endif /* CONFIG_NO_CONFIG_BLOBS */
- 
- 
--struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp)
-+struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp, int ro)
- {
- 	FILE *f;
- 	char buf[512], *pos;
-@@ -415,6 +415,7 @@ struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp)
- 	while (wpa_config_get_line(buf, sizeof(buf), f, &line, &pos)) {
- 		if (os_strcmp(pos, "network={") == 0) {
- 			ssid = wpa_config_read_network(f, &line, id++);
-+			ssid->ro = ro;
- 			if (ssid == NULL) {
- 				wpa_printf(MSG_ERROR, "Line %d: failed to "
- 					   "parse network block.", line);
-@@ -1591,7 +1592,7 @@ int wpa_config_write(const char *name, struct wpa_config *config)
- 	}
- 
- 	for (ssid = config->ssid; ssid; ssid = ssid->next) {
--		if (ssid->key_mgmt == WPA_KEY_MGMT_WPS || ssid->temporary)
-+		if (ssid->key_mgmt == WPA_KEY_MGMT_WPS || ssid->temporary || ssid->ro)
- 			continue; /* do not save temporary networks */
- 		if (wpa_key_mgmt_wpa_psk(ssid->key_mgmt) && !ssid->psk_set &&
- 		    !ssid->passphrase)
-diff --git a/wpa_supplicant/config_none.c b/wpa_supplicant/config_none.c
-index 2aac28fa3..02191b425 100644
---- a/wpa_supplicant/config_none.c
-+++ b/wpa_supplicant/config_none.c
-@@ -17,7 +17,7 @@
- #include "base64.h"
- 
- 
--struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp)
-+struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp, int ro)
- {
- 	struct wpa_config *config;
- 
-diff --git a/wpa_supplicant/config_ssid.h b/wpa_supplicant/config_ssid.h
-index d5c5c00a9..fd80c079c 100644
---- a/wpa_supplicant/config_ssid.h
-+++ b/wpa_supplicant/config_ssid.h
-@@ -93,6 +93,8 @@ struct wpa_ssid {
- 	 */
- 	int id;
- 
-+	int ro;
-+
- 	/**
- 	 * priority - Priority group
- 	 *
-diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c
-index 911d79d17..cb0cb99b1 100644
---- a/wpa_supplicant/wpa_supplicant.c
-+++ b/wpa_supplicant/wpa_supplicant.c
-@@ -1052,14 +1052,14 @@ int wpa_supplicant_reload_configuration(struct wpa_supplicant *wpa_s)
- 
- 	if (wpa_s->confname == NULL)
- 		return -1;
--	conf = wpa_config_read(wpa_s->confname, NULL);
-+	conf = wpa_config_read(wpa_s->confname, NULL, 0);
- 	if (conf == NULL) {
- 		wpa_msg(wpa_s, MSG_ERROR, "Failed to parse the configuration "
- 			"file '%s' - exiting", wpa_s->confname);
- 		return -1;
- 	}
- 	if (wpa_s->confanother &&
--	    !wpa_config_read(wpa_s->confanother, conf)) {
-+	    !wpa_config_read(wpa_s->confanother, conf, 1)) {
- 		wpa_msg(wpa_s, MSG_ERROR,
- 			"Failed to parse the configuration file '%s' - exiting",
- 			wpa_s->confanother);
-@@ -5638,7 +5638,7 @@ static int wpa_supplicant_init_iface(struct wpa_supplicant *wpa_s,
- #else /* CONFIG_BACKEND_FILE */
- 		wpa_s->confname = os_strdup(iface->confname);
- #endif /* CONFIG_BACKEND_FILE */
--		wpa_s->conf = wpa_config_read(wpa_s->confname, NULL);
-+		wpa_s->conf = wpa_config_read(wpa_s->confname, NULL, 0);
- 		if (wpa_s->conf == NULL) {
- 			wpa_printf(MSG_ERROR, "Failed to read or parse "
- 				   "configuration '%s'.", wpa_s->confname);
-@@ -5646,7 +5646,7 @@ static int wpa_supplicant_init_iface(struct wpa_supplicant *wpa_s,
- 		}
- 		wpa_s->confanother = os_rel2abs_path(iface->confanother);
- 		if (wpa_s->confanother &&
--		    !wpa_config_read(wpa_s->confanother, wpa_s->conf)) {
-+		    !wpa_config_read(wpa_s->confanother, wpa_s->conf, 1)) {
- 			wpa_printf(MSG_ERROR,
- 				   "Failed to read or parse configuration '%s'.",
- 				   wpa_s->confanother);
--- 
-2.29.2
-

pkgs/os-specific/linux/wpa_supplicant/Use-unique-IDs-for-networks-and-credentials.patch

@@ -1,32 +0,0 @@
-The id and cred_id variables are reset to 0 every time the
-wpa_config_read function is called, which is fine as long as it is only
-called once. However, this is not the case when using both the -c and -I
-options to specify two config files.
-
-This is a problem because the GUI, since eadfeb0e93748eb396ae62012b92d21a7f533646,
-relies on the network IDs being unique (and increasing), and might get
-into an infinite loop otherwise.
-
-This is solved by simply making the variables static.
----
- wpa_supplicant/config_file.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c
-index 6db5010db..c996e3916 100644
---- a/wpa_supplicant/config_file.c
-+++ b/wpa_supplicant/config_file.c
-@@ -297,8 +297,8 @@ struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp)
- 	struct wpa_ssid *ssid, *tail, *head;
- 	struct wpa_cred *cred, *cred_tail, *cred_head;
- 	struct wpa_config *config;
--	int id = 0;
--	int cred_id = 0;
-+	static int id = 0;
-+	static int cred_id = 0;
-
- 	if (name == NULL)
- 		return NULL;
---
-2.34.1
-

pkgs/os-specific/linux/wpa_supplicant/default.nix

@@ -3,28 +3,19 @@
 , dbusSupport ? !stdenv.hostPlatform.isStatic, dbus
 , withReadline ? true, readline
 , withPcsclite ? !stdenv.hostPlatform.isStatic, pcsclite
-, readOnlyModeSSIDs ? false
 }:
 
 with lib;
 stdenv.mkDerivation rec {
-  version = "2.10";
+  version = "2.11";
 
   pname = "wpa_supplicant";
 
   src = fetchurl {
     url = "https://w1.fi/releases/${pname}-${version}.tar.gz";
-    sha256 = "sha256-IN965RVLODA1X4q0JpEjqHr/3qWf50/pKSqR0Nfhey8=";
+    sha256 = "sha256-kS6gb3TjCo42+7aAZNbN/yGNjVkdsPxddd7myBrH/Ao=";
   };
 
-  patches = [
-    # Fix a bug when using two config files
-    ./Use-unique-IDs-for-networks-and-credentials.patch
-  ] ++ lib.optionals readOnlyModeSSIDs [
-    # Allow read-only networks
-    ./0001-Implement-read-only-mode-for-ssids.patch
-  ];
-
   # TODO: Patch epoll so that the dbus actually responds
   # TODO: Figure out how to get privsep working, currently getting SIGBUS
   extraConfig = ''
@@ -49,6 +40,7 @@ stdenv.mkDerivation rec {
     CONFIG_HT_OVERRIDES=y
     CONFIG_IEEE80211AC=y
     CONFIG_IEEE80211AX=y
+    CONFIG_IEEE80211BE=y
     CONFIG_IEEE80211N=y
     CONFIG_IEEE80211R=y
     CONFIG_IEEE80211W=y

pkgs/top-level/aliases.nix

@@ -1494,6 +1494,7 @@ mapAliases ({
   wordpress6_1 = throw "'wordpress6_1' has been removed in favor of the latest version"; # Added 2023-10-10
   wordpress6_2 = throw "'wordpress6_2' has been removed in favor of the latest version"; # Added 2023-10-10
   wormhole-rs = magic-wormhole-rs; # Added 2022-05-30. preserve, reason: Arch package name, main binary name
+  wpa_supplicant_ro_ssids = lib.trivial.warn "Deprecated package: Please use wpa_supplicant instead. Read-only SSID patches are now upstream!" wpa_supplicant;
   wrapLisp_old = throw "Lisp packages have been redesigned. See 'lisp-modules' in the nixpkgs manual."; # Added 2024-05-07
   wmii_hg = wmii;
   wrapGAppsHook = wrapGAppsHook3; # Added 2024-03-26

pkgs/top-level/all-packages.nix

@@ -27763,10 +27763,6 @@ with pkgs;
 
   wpa_supplicant = callPackage ../os-specific/linux/wpa_supplicant { };
 
-  wpa_supplicant_ro_ssids = wpa_supplicant.override {
-    readOnlyModeSSIDs = true;
-  };
-
   wpa_supplicant_gui = libsForQt5.callPackage ../os-specific/linux/wpa_supplicant/gui.nix { };
 
   xf86_input_cmt = callPackage ../os-specific/linux/xf86-input-cmt { };