wpa_supplicant: 2.10 -> 2.11

Upstream Changes:
	* Wi-Fi Easy Connect
	  - add support for DPP release 3
	  - allow Configurator parameters to be provided during config exchange
	* MACsec
	  - add support for GCM-AES-256 cipher suite
	  - remove incorrect EAP Session-Id length constraint
	  - add hardware offload support for additional drivers
	* HE/IEEE 802.11ax/Wi-Fi 6
	  - support BSS color updates
	  - various fixes
	* EHT/IEEE 802.11be/Wi-Fi 7
	  - add preliminary support
	* support OpenSSL 3.0 API changes
	* improve EAP-TLS support for TLSv1.3
	* EAP-SIM/AKA: support IMSI privacy
	* improve mitigation against DoS attacks when PMF is used
	* improve 4-way handshake operations
	  - discard unencrypted EAPOL frames in additional cases
	  - use Secure=1 in message 2 during PTK rekeying
	* OCV: do not check Frequency Segment 1 Channel Number for 160 MHz cases
	  to avoid interoperability issues
	* support new SAE AKM suites with variable length keys
	* support new AKM for 802.1X/EAP with SHA384
	* improve cross-AKM roaming with driver-based SME/BSS selection
	* PASN
	  - extend support for secure ranging
	  - allow PASN implementation to be used with external programs for
	    Wi-Fi Aware
	* FT: Use SHA256 to derive PMKID for AKM 00-0F-AC:3 (FT-EAP)
	  - this is based on additional details being added in the IEEE 802.11
	    standard
	  - the new implementation is not backwards compatible, but PMKSA
	    caching with FT-EAP was, and still is, disabled by default
	* support a pregenerated MAC (mac_addr=3) as an alternative mechanism
	  for using per-network random MAC addresses
	* EAP-PEAP: require Phase 2 authentication by default (phase2_auth=1)
	  to improve security for still unfortunately common invalid
	  configurations that do not set ca_cert
	* extend SCS support for QoS Characteristics
	* extend MSCS support
	* support unsynchronized service discovery (USD)
	* add support for explicit SSID protection in 4-way handshake
	  (a mitigation for CVE-2023-52424; disabled by default for now, can be
	  enabled with ssid_protection=1)
	  - in addition, verify SSID after key setup when beacon protection is
	    used
	* fix SAE H2E rejected groups validation to avoid downgrade attacks
	* a large number of other fixes, cleanup, and extensions

Changelog:
http://w1.fi/cgit/hostap/tree/wpa_supplicant/ChangeLog?id=d945ddd368085f255e68328f2d3b020ceea359af

Signed-off-by: Markus Theil <theil.markus@gmail.com>
Markus Theil 2024-07-24 19:40:16 +02:00
parent 55d80185de
commit 238488db8a
5 changed files with 4 additions and 177 deletions


@ -1,130 +0,0 @@
From 99ae610f0ae3608a12c864caedf396f14e68327d Mon Sep 17 00:00:00 2001
From: Maximilian Bosch <maximilian@mbosch.me>
Date: Fri, 19 Feb 2021 19:44:21 +0100
Subject: [PATCH] Implement read-only mode for ssids
With this change it's possible to define `network=`-sections in a second
config file specified via `-I` without having changes written to
`/etc/wpa_supplicant.conf`.
This is helpful on e.g. NixOS to allow both declarative (i.e. read-only)
and imperative (i.e. mutable) networks.
---
wpa_supplicant/config.h | 2 +-
wpa_supplicant/config_file.c | 5 +++--
wpa_supplicant/config_none.c | 2 +-
wpa_supplicant/config_ssid.h | 2 ++
wpa_supplicant/wpa_supplicant.c | 8 ++++----
5 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/wpa_supplicant/config.h b/wpa_supplicant/config.h
index 6a297ecfe..adaf4d398 100644
--- a/wpa_supplicant/config.h
+++ b/wpa_supplicant/config.h
@@ -1614,7 +1614,7 @@ const char * wpa_config_get_global_field_name(unsigned int i, int *no_var);
*
* Each configuration backend needs to implement this function.
*/
-struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp);
+struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp, int ro);
/**
* wpa_config_write - Write or update configuration data
diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c
index 77c326df5..d5ed051b9 100644
--- a/wpa_supplicant/config_file.c
+++ b/wpa_supplicant/config_file.c
@@ -373,7 +373,7 @@ static int wpa_config_process_blob(struct wpa_config *config, FILE *f,
#endif /* CONFIG_NO_CONFIG_BLOBS */
-struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp)
+struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp, int ro)
{
FILE *f;
char buf[512], *pos;
@@ -415,6 +415,7 @@ struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp)
while (wpa_config_get_line(buf, sizeof(buf), f, &line, &pos)) {
if (os_strcmp(pos, "network={") == 0) {
ssid = wpa_config_read_network(f, &line, id++);
+ ssid->ro = ro;
if (ssid == NULL) {
wpa_printf(MSG_ERROR, "Line %d: failed to "
"parse network block.", line);
@@ -1591,7 +1592,7 @@ int wpa_config_write(const char *name, struct wpa_config *config)
}
for (ssid = config->ssid; ssid; ssid = ssid->next) {
- if (ssid->key_mgmt == WPA_KEY_MGMT_WPS || ssid->temporary)
+ if (ssid->key_mgmt == WPA_KEY_MGMT_WPS || ssid->temporary || ssid->ro)
continue; /* do not save temporary networks */
if (wpa_key_mgmt_wpa_psk(ssid->key_mgmt) && !ssid->psk_set &&
!ssid->passphrase)
diff --git a/wpa_supplicant/config_none.c b/wpa_supplicant/config_none.c
index 2aac28fa3..02191b425 100644
--- a/wpa_supplicant/config_none.c
+++ b/wpa_supplicant/config_none.c
@@ -17,7 +17,7 @@
#include "base64.h"
-struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp)
+struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp, int ro)
{
struct wpa_config *config;
diff --git a/wpa_supplicant/config_ssid.h b/wpa_supplicant/config_ssid.h
index d5c5c00a9..fd80c079c 100644
--- a/wpa_supplicant/config_ssid.h
+++ b/wpa_supplicant/config_ssid.h
@@ -93,6 +93,8 @@ struct wpa_ssid {
*/
int id;
+ int ro;
+
/**
* priority - Priority group
*
diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c
index 911d79d17..cb0cb99b1 100644
--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c
@@ -1052,14 +1052,14 @@ int wpa_supplicant_reload_configuration(struct wpa_supplicant *wpa_s)
if (wpa_s->confname == NULL)
return -1;
- conf = wpa_config_read(wpa_s->confname, NULL);
+ conf = wpa_config_read(wpa_s->confname, NULL, 0);
if (conf == NULL) {
wpa_msg(wpa_s, MSG_ERROR, "Failed to parse the configuration "
"file '%s' - exiting", wpa_s->confname);
return -1;
}
if (wpa_s->confanother &&
- !wpa_config_read(wpa_s->confanother, conf)) {
+ !wpa_config_read(wpa_s->confanother, conf, 1)) {
wpa_msg(wpa_s, MSG_ERROR,
"Failed to parse the configuration file '%s' - exiting",
wpa_s->confanother);
@@ -5638,7 +5638,7 @@ static int wpa_supplicant_init_iface(struct wpa_supplicant *wpa_s,
#else /* CONFIG_BACKEND_FILE */
wpa_s->confname = os_strdup(iface->confname);
#endif /* CONFIG_BACKEND_FILE */
- wpa_s->conf = wpa_config_read(wpa_s->confname, NULL);
+ wpa_s->conf = wpa_config_read(wpa_s->confname, NULL, 0);
if (wpa_s->conf == NULL) {
wpa_printf(MSG_ERROR, "Failed to read or parse "
"configuration '%s'.", wpa_s->confname);
@@ -5646,7 +5646,7 @@ static int wpa_supplicant_init_iface(struct wpa_supplicant *wpa_s,
}
wpa_s->confanother = os_rel2abs_path(iface->confanother);
if (wpa_s->confanother &&
- !wpa_config_read(wpa_s->confanother, wpa_s->conf)) {
+ !wpa_config_read(wpa_s->confanother, wpa_s->conf, 1)) {
wpa_printf(MSG_ERROR,
"Failed to read or parse configuration '%s'.",
wpa_s->confanother);
--
2.29.2


@ -1,32 +0,0 @@
The id and cred_id variables are reset to 0 every time the
wpa_config_read function is called, which is fine as long as it is only
called once. However, this is not the case when using both the -c and -I
options to specify two config files.
This is a problem because the GUI, since eadfeb0e93748eb396ae62012b92d21a7f533646,
relies on the network IDs being unique (and increasing), and might get
into an infinite loop otherwise.
This is solved by simply making the variables static.
---
wpa_supplicant/config_file.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c
index 6db5010db..c996e3916 100644
--- a/wpa_supplicant/config_file.c
+++ b/wpa_supplicant/config_file.c
@@ -297,8 +297,8 @@ struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp)
struct wpa_ssid *ssid, *tail, *head;
struct wpa_cred *cred, *cred_tail, *cred_head;
struct wpa_config *config;
- int id = 0;
- int cred_id = 0;
+ static int id = 0;
+ static int cred_id = 0;
if (name == NULL)
return NULL;
--
2.34.1


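--- a/pkgs/os-specific/linux/wpa_supplicant/default.nix
+++ b/pkgs/os-specific/linux/wpa_supplicant/default.nix
@@ -3,28 +3,19 @@
 , dbusSupport ? !stdenv.hostPlatform.isStatic, dbus
 , withReadline ? true, readline
 , withPcsclite ? !stdenv.hostPlatform.isStatic, pcsclite
-, readOnlyModeSSIDs ? false
 }:
 with lib;
 stdenv.mkDerivation rec {
-version = "2.10";
+version = "2.11";
 pname = "wpa_supplicant";
 src = fetchurl {
 url = "https://w1.fi/releases/${pname}-${version}.tar.gz";
-sha256 = "sha256-IN965RVLODA1X4q0JpEjqHr/3qWf50/pKSqR0Nfhey8=";
+sha256 = "sha256-kS6gb3TjCo42+7aAZNbN/yGNjVkdsPxddd7myBrH/Ao=";
 };
-patches = [
-# Fix a bug when using two config files
-./Use-unique-IDs-for-networks-and-credentials.patch
-] ++ lib.optionals readOnlyModeSSIDs [
-# Allow read-only networks
-./0001-Implement-read-only-mode-for-ssids.patch
-];
 # TODO: Patch epoll so that the dbus actually responds
 # TODO: Figure out how to get privsep working, currently getting SIGBUS
 extraConfig = ''
@@ -49,6 +40,7 @@ stdenv.mkDerivation rec {
 CONFIG_HT_OVERRIDES=y
 CONFIG_IEEE80211AC=y
 CONFIG_IEEE80211AX=y
+CONFIG_IEEE80211BE=y
 CONFIG_IEEE80211N=y
 CONFIG_IEEE80211R=y
 CONFIG_IEEE80211W=y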
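Review bot: The `Use-unique-IDs-for-networks-and-credentials.patch` entry dropped from `patches` is not covered by the justification this commit gives: the alias added alongside says only that the read-only SSID patches are now upstream, and the upstream changelog quoted in the description says nothing about network-ID allocation when both `-c` and `-I` config files are used. If 2.11 carries no equivalent fix, the duplicate-ID problem that the removed patch's own description ties to an infinite loop in the GUI returns for anyone running two config files; either confirm the upstream fix or keep the patch. A one-line comment above `src`, `# -c/-I unique network-ID fix is upstream as of 2.11 (hostap <commit>)`, would record the conclusion for the next bump. Separately, deleting `readOnlyModeSSIDs` from the argument set turns any out-of-tree `.override { readOnlyModeSSIDs = true; }` into an evaluation error rather than a warning; keeping it for one release as an ignored argument with `lib.warnIf readOnlyModeSSIDs "..."` would be gentler.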


@ -1494,6 +1494,7 @@ mapAliases ({
wordpress6_1 = throw "'wordpress6_1' has been removed in favor of the latest version"; # Added 2023-10-10 wordpress6_1 = throw "'wordpress6_1' has been removed in favor of the latest version"; # Added 2023-10-10
wordpress6_2 = throw "'wordpress6_2' has been removed in favor of the latest version"; # Added 2023-10-10 wordpress6_2 = throw "'wordpress6_2' has been removed in favor of the latest version"; # Added 2023-10-10
wormhole-rs = magic-wormhole-rs; # Added 2022-05-30. preserve, reason: Arch package name, main binary name wormhole-rs = magic-wormhole-rs; # Added 2022-05-30. preserve, reason: Arch package name, main binary name
wpa_supplicant_ro_ssids = lib.trivial.warn "Deprecated package: Please use wpa_supplicant instead. Read-only SSID patches are now upstream!" wpa_supplicant;
wrapLisp_old = throw "Lisp packages have been redesigned. See 'lisp-modules' in the nixpkgs manual."; # Added 2024-05-07 wrapLisp_old = throw "Lisp packages have been redesigned. See 'lisp-modules' in the nixpkgs manual."; # Added 2024-05-07
wmii_hg = wmii; wmii_hg = wmii;
wrapGAppsHook = wrapGAppsHook3; # Added 2024-03-26 wrapGAppsHook = wrapGAppsHook3; # Added 2024-03-26
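Review bot: The new `wpa_supplicant_ro_ssids` alias is the only entry in this hunk without the `# Added YYYY-MM-DD` trailer that the surrounding lines carry to record when an alias was introduced, which later cleanups rely on. Suggest `wpa_supplicant_ro_ssids = lib.trivial.warn "Deprecated package: Please use wpa_supplicant instead. Read-only SSID patches are now upstream!" wpa_supplicant; # Added 2024-07-24`. The warning text also asserts that upstream 2.11 makes networks from the second config file read-only; that is consistent with the patch being dropped in this commit, but nothing on this page demonstrates it, so it is worth confirming against the 2.11 source before pointing users at the plain package.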


@ -27763,10 +27763,6 @@ with pkgs;
wpa_supplicant = callPackage ../os-specific/linux/wpa_supplicant { }; wpa_supplicant = callPackage ../os-specific/linux/wpa_supplicant { };
wpa_supplicant_ro_ssids = wpa_supplicant.override {
readOnlyModeSSIDs = true;
};
wpa_supplicant_gui = libsForQt5.callPackage ../os-specific/linux/wpa_supplicant/gui.nix { }; wpa_supplicant_gui = libsForQt5.callPackage ../os-specific/linux/wpa_supplicant/gui.nix { };
xf86_input_cmt = callPackage ../os-specific/linux/xf86-input-cmt { }; xf86_input_cmt = callPackage ../os-specific/linux/xf86-input-cmt { };