mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-11-22 23:13:19 +00:00
wpa_supplicant: 2.10 -> 2.11
Upstream Changes: * Wi-Fi Easy Connect - add support for DPP release 3 - allow Configurator parameters to be provided during config exchange * MACsec - add support for GCM-AES-256 cipher suite - remove incorrect EAP Session-Id length constraint - add hardware offload support for additional drivers * HE/IEEE 802.11ax/Wi-Fi 6 - support BSS color updates - various fixes * EHT/IEEE 802.11be/Wi-Fi 7 - add preliminary support * support OpenSSL 3.0 API changes * improve EAP-TLS support for TLSv1.3 * EAP-SIM/AKA: support IMSI privacy * improve mitigation against DoS attacks when PMF is used * improve 4-way handshake operations - discard unencrypted EAPOL frames in additional cases - use Secure=1 in message 2 during PTK rekeying * OCV: do not check Frequency Segment 1 Channel Number for 160 MHz cases to avoid interoperability issues * support new SAE AKM suites with variable length keys * support new AKM for 802.1X/EAP with SHA384 * improve cross-AKM roaming with driver-based SME/BSS selection * PASN - extend support for secure ranging - allow PASN implementation to be used with external programs for Wi-Fi Aware * FT: Use SHA256 to derive PMKID for AKM 00-0F-AC:3 (FT-EAP) - this is based on additional details being added in the IEEE 802.11 standard - the new implementation is not backwards compatible, but PMKSA caching with FT-EAP was, and still is, disabled by default * support a pregenerated MAC (mac_addr=3) as an alternative mechanism for using per-network random MAC addresses * EAP-PEAP: require Phase 2 authentication by default (phase2_auth=1) to improve security for still unfortunately common invalid configurations that do not set ca_cert * extend SCS support for QoS Characteristics * extend MSCS support * support unsynchronized service discovery (USD) * add support for explicit SSID protection in 4-way handshake (a mitigation for CVE-2023-52424; disabled by default for now, can be enabled with ssid_protection=1) - in addition, verify SSID after key setup when beacon protection is used * fix SAE H2E rejected groups validation to avoid downgrade attacks * a large number of other fixes, cleanup, and extensions Changelog: http://w1.fi/cgit/hostap/tree/wpa_supplicant/ChangeLog?id=d945ddd368085f255e68328f2d3b020ceea359af Signed-off-by: Markus Theil <theil.markus@gmail.com>
This commit is contained in:
parent
55d80185de
commit
238488db8a
@ -1,130 +0,0 @@
|
||||
From 99ae610f0ae3608a12c864caedf396f14e68327d Mon Sep 17 00:00:00 2001
|
||||
From: Maximilian Bosch <maximilian@mbosch.me>
|
||||
Date: Fri, 19 Feb 2021 19:44:21 +0100
|
||||
Subject: [PATCH] Implement read-only mode for ssids
|
||||
|
||||
With this change it's possible to define `network=`-sections in a second
|
||||
config file specified via `-I` without having changes written to
|
||||
`/etc/wpa_supplicant.conf`.
|
||||
|
||||
This is helpful on e.g. NixOS to allow both declarative (i.e. read-only)
|
||||
and imperative (i.e. mutable) networks.
|
||||
---
|
||||
wpa_supplicant/config.h | 2 +-
|
||||
wpa_supplicant/config_file.c | 5 +++--
|
||||
wpa_supplicant/config_none.c | 2 +-
|
||||
wpa_supplicant/config_ssid.h | 2 ++
|
||||
wpa_supplicant/wpa_supplicant.c | 8 ++++----
|
||||
5 files changed, 11 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/wpa_supplicant/config.h b/wpa_supplicant/config.h
|
||||
index 6a297ecfe..adaf4d398 100644
|
||||
--- a/wpa_supplicant/config.h
|
||||
+++ b/wpa_supplicant/config.h
|
||||
@@ -1614,7 +1614,7 @@ const char * wpa_config_get_global_field_name(unsigned int i, int *no_var);
|
||||
*
|
||||
* Each configuration backend needs to implement this function.
|
||||
*/
|
||||
-struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp);
|
||||
+struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp, int ro);
|
||||
|
||||
/**
|
||||
* wpa_config_write - Write or update configuration data
|
||||
diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c
|
||||
index 77c326df5..d5ed051b9 100644
|
||||
--- a/wpa_supplicant/config_file.c
|
||||
+++ b/wpa_supplicant/config_file.c
|
||||
@@ -373,7 +373,7 @@ static int wpa_config_process_blob(struct wpa_config *config, FILE *f,
|
||||
#endif /* CONFIG_NO_CONFIG_BLOBS */
|
||||
|
||||
|
||||
-struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp)
|
||||
+struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp, int ro)
|
||||
{
|
||||
FILE *f;
|
||||
char buf[512], *pos;
|
||||
@@ -415,6 +415,7 @@ struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp)
|
||||
while (wpa_config_get_line(buf, sizeof(buf), f, &line, &pos)) {
|
||||
if (os_strcmp(pos, "network={") == 0) {
|
||||
ssid = wpa_config_read_network(f, &line, id++);
|
||||
+ ssid->ro = ro;
|
||||
if (ssid == NULL) {
|
||||
wpa_printf(MSG_ERROR, "Line %d: failed to "
|
||||
"parse network block.", line);
|
||||
@@ -1591,7 +1592,7 @@ int wpa_config_write(const char *name, struct wpa_config *config)
|
||||
}
|
||||
|
||||
for (ssid = config->ssid; ssid; ssid = ssid->next) {
|
||||
- if (ssid->key_mgmt == WPA_KEY_MGMT_WPS || ssid->temporary)
|
||||
+ if (ssid->key_mgmt == WPA_KEY_MGMT_WPS || ssid->temporary || ssid->ro)
|
||||
continue; /* do not save temporary networks */
|
||||
if (wpa_key_mgmt_wpa_psk(ssid->key_mgmt) && !ssid->psk_set &&
|
||||
!ssid->passphrase)
|
||||
diff --git a/wpa_supplicant/config_none.c b/wpa_supplicant/config_none.c
|
||||
index 2aac28fa3..02191b425 100644
|
||||
--- a/wpa_supplicant/config_none.c
|
||||
+++ b/wpa_supplicant/config_none.c
|
||||
@@ -17,7 +17,7 @@
|
||||
#include "base64.h"
|
||||
|
||||
|
||||
-struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp)
|
||||
+struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp, int ro)
|
||||
{
|
||||
struct wpa_config *config;
|
||||
|
||||
diff --git a/wpa_supplicant/config_ssid.h b/wpa_supplicant/config_ssid.h
|
||||
index d5c5c00a9..fd80c079c 100644
|
||||
--- a/wpa_supplicant/config_ssid.h
|
||||
+++ b/wpa_supplicant/config_ssid.h
|
||||
@@ -93,6 +93,8 @@ struct wpa_ssid {
|
||||
*/
|
||||
int id;
|
||||
|
||||
+ int ro;
|
||||
+
|
||||
/**
|
||||
* priority - Priority group
|
||||
*
|
||||
diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c
|
||||
index 911d79d17..cb0cb99b1 100644
|
||||
--- a/wpa_supplicant/wpa_supplicant.c
|
||||
+++ b/wpa_supplicant/wpa_supplicant.c
|
||||
@@ -1052,14 +1052,14 @@ int wpa_supplicant_reload_configuration(struct wpa_supplicant *wpa_s)
|
||||
|
||||
if (wpa_s->confname == NULL)
|
||||
return -1;
|
||||
- conf = wpa_config_read(wpa_s->confname, NULL);
|
||||
+ conf = wpa_config_read(wpa_s->confname, NULL, 0);
|
||||
if (conf == NULL) {
|
||||
wpa_msg(wpa_s, MSG_ERROR, "Failed to parse the configuration "
|
||||
"file '%s' - exiting", wpa_s->confname);
|
||||
return -1;
|
||||
}
|
||||
if (wpa_s->confanother &&
|
||||
- !wpa_config_read(wpa_s->confanother, conf)) {
|
||||
+ !wpa_config_read(wpa_s->confanother, conf, 1)) {
|
||||
wpa_msg(wpa_s, MSG_ERROR,
|
||||
"Failed to parse the configuration file '%s' - exiting",
|
||||
wpa_s->confanother);
|
||||
@@ -5638,7 +5638,7 @@ static int wpa_supplicant_init_iface(struct wpa_supplicant *wpa_s,
|
||||
#else /* CONFIG_BACKEND_FILE */
|
||||
wpa_s->confname = os_strdup(iface->confname);
|
||||
#endif /* CONFIG_BACKEND_FILE */
|
||||
- wpa_s->conf = wpa_config_read(wpa_s->confname, NULL);
|
||||
+ wpa_s->conf = wpa_config_read(wpa_s->confname, NULL, 0);
|
||||
if (wpa_s->conf == NULL) {
|
||||
wpa_printf(MSG_ERROR, "Failed to read or parse "
|
||||
"configuration '%s'.", wpa_s->confname);
|
||||
@@ -5646,7 +5646,7 @@ static int wpa_supplicant_init_iface(struct wpa_supplicant *wpa_s,
|
||||
}
|
||||
wpa_s->confanother = os_rel2abs_path(iface->confanother);
|
||||
if (wpa_s->confanother &&
|
||||
- !wpa_config_read(wpa_s->confanother, wpa_s->conf)) {
|
||||
+ !wpa_config_read(wpa_s->confanother, wpa_s->conf, 1)) {
|
||||
wpa_printf(MSG_ERROR,
|
||||
"Failed to read or parse configuration '%s'.",
|
||||
wpa_s->confanother);
|
||||
--
|
||||
2.29.2
|
||||
|
@ -1,32 +0,0 @@
|
||||
The id and cred_id variables are reset to 0 every time the
|
||||
wpa_config_read function is called, which is fine as long as it is only
|
||||
called once. However, this is not the case when using both the -c and -I
|
||||
options to specify two config files.
|
||||
|
||||
This is a problem because the GUI, since eadfeb0e93748eb396ae62012b92d21a7f533646,
|
||||
relies on the network IDs being unique (and increasing), and might get
|
||||
into an infinite loop otherwise.
|
||||
|
||||
This is solved by simply making the variables static.
|
||||
---
|
||||
wpa_supplicant/config_file.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c
|
||||
index 6db5010db..c996e3916 100644
|
||||
--- a/wpa_supplicant/config_file.c
|
||||
+++ b/wpa_supplicant/config_file.c
|
||||
@@ -297,8 +297,8 @@ struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp)
|
||||
struct wpa_ssid *ssid, *tail, *head;
|
||||
struct wpa_cred *cred, *cred_tail, *cred_head;
|
||||
struct wpa_config *config;
|
||||
- int id = 0;
|
||||
- int cred_id = 0;
|
||||
+ static int id = 0;
|
||||
+ static int cred_id = 0;
|
||||
|
||||
if (name == NULL)
|
||||
return NULL;
|
||||
--
|
||||
2.34.1
|
||||
|
@ -3,28 +3,19 @@
|
||||
, dbusSupport ? !stdenv.hostPlatform.isStatic, dbus
|
||||
, withReadline ? true, readline
|
||||
, withPcsclite ? !stdenv.hostPlatform.isStatic, pcsclite
|
||||
, readOnlyModeSSIDs ? false
|
||||
}:
|
||||
|
||||
with lib;
|
||||
stdenv.mkDerivation rec {
|
||||
version = "2.10";
|
||||
version = "2.11";
|
||||
|
||||
pname = "wpa_supplicant";
|
||||
|
||||
src = fetchurl {
|
||||
url = "https://w1.fi/releases/${pname}-${version}.tar.gz";
|
||||
sha256 = "sha256-IN965RVLODA1X4q0JpEjqHr/3qWf50/pKSqR0Nfhey8=";
|
||||
sha256 = "sha256-kS6gb3TjCo42+7aAZNbN/yGNjVkdsPxddd7myBrH/Ao=";
|
||||
};
|
||||
|
||||
patches = [
|
||||
# Fix a bug when using two config files
|
||||
./Use-unique-IDs-for-networks-and-credentials.patch
|
||||
] ++ lib.optionals readOnlyModeSSIDs [
|
||||
# Allow read-only networks
|
||||
./0001-Implement-read-only-mode-for-ssids.patch
|
||||
];
|
||||
|
||||
# TODO: Patch epoll so that the dbus actually responds
|
||||
# TODO: Figure out how to get privsep working, currently getting SIGBUS
|
||||
extraConfig = ''
|
||||
@ -49,6 +40,7 @@ stdenv.mkDerivation rec {
|
||||
CONFIG_HT_OVERRIDES=y
|
||||
CONFIG_IEEE80211AC=y
|
||||
CONFIG_IEEE80211AX=y
|
||||
CONFIG_IEEE80211BE=y
|
||||
CONFIG_IEEE80211N=y
|
||||
CONFIG_IEEE80211R=y
|
||||
CONFIG_IEEE80211W=y
|
||||
|
@ -1494,6 +1494,7 @@ mapAliases ({
|
||||
wordpress6_1 = throw "'wordpress6_1' has been removed in favor of the latest version"; # Added 2023-10-10
|
||||
wordpress6_2 = throw "'wordpress6_2' has been removed in favor of the latest version"; # Added 2023-10-10
|
||||
wormhole-rs = magic-wormhole-rs; # Added 2022-05-30. preserve, reason: Arch package name, main binary name
|
||||
wpa_supplicant_ro_ssids = lib.trivial.warn "Deprecated package: Please use wpa_supplicant instead. Read-only SSID patches are now upstream!" wpa_supplicant;
|
||||
wrapLisp_old = throw "Lisp packages have been redesigned. See 'lisp-modules' in the nixpkgs manual."; # Added 2024-05-07
|
||||
wmii_hg = wmii;
|
||||
wrapGAppsHook = wrapGAppsHook3; # Added 2024-03-26
|
||||
|
@ -27763,10 +27763,6 @@ with pkgs;
|
||||
|
||||
wpa_supplicant = callPackage ../os-specific/linux/wpa_supplicant { };
|
||||
|
||||
wpa_supplicant_ro_ssids = wpa_supplicant.override {
|
||||
readOnlyModeSSIDs = true;
|
||||
};
|
||||
|
||||
wpa_supplicant_gui = libsForQt5.callPackage ../os-specific/linux/wpa_supplicant/gui.nix { };
|
||||
|
||||
xf86_input_cmt = callPackage ../os-specific/linux/xf86-input-cmt { };
|
||||
|
Loading…
Reference in New Issue
Block a user