diff --git a/.gitignore b/.gitignore
index 09da52a..a8bfc18 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/wpa_supplicant-2.10.tar.gz
+SOURCES/wpa_supplicant-2.11.tar.gz
diff --git a/.wpa_supplicant.metadata b/.wpa_supplicant.metadata
index 1466ec4..252c920 100644
--- a/.wpa_supplicant.metadata
+++ b/.wpa_supplicant.metadata
@@ -1 +1 @@
-e295b07d599da4b99c3836d4402ec5746f77e8e8 SOURCES/wpa_supplicant-2.10.tar.gz
+aadb740bd2b3e2e1f39b5d8d543f9e18f2c1c090 SOURCES/wpa_supplicant-2.11.tar.gz
diff --git a/SOURCES/0001-D-Bus-Add-wep_disabled-capability.patch b/SOURCES/0001-D-Bus-Add-wep_disabled-capability.patch
deleted file mode 100644
index a6568dc..0000000
--- a/SOURCES/0001-D-Bus-Add-wep_disabled-capability.patch
+++ /dev/null
@@ -1,52 +0,0 @@ -From 5b093570dca1855c5bf40bcbd8d149fa6f8ea8ff Mon Sep 17 00:00:00 2001 -Message-Id: <5b093570dca1855c5bf40bcbd8d149fa6f8ea8ff.1650620058.git.davide.caratti@gmail.com> -From: Lubomir Rintel -Date: Mon, 7 Mar 2022 09:54:46 +0100 -Subject: [PATCH] D-Bus: Add 'wep_disabled' capability - -Since commit 200c7693c9a1 ('Make WEP functionality an optional build -parameter'), WEP support is optional and, indeed, off by default. - -The distributions are now catching up and disabling WEP in their builds. -Unfortunately, there's no indication prior to an attempt to connect to a -WEP network that it's not going to work. Add a capability to communicate -that. - -Unlike other capabilities, this one is negative. That is, it indicates -lack of a WEP support as opposed to its presence. This is necessary -because historically there has been no capability to indicate presence -of WEP support and therefore NetworkManager (and probably others) just -assumes it's there. - -Signed-off-by: Lubomir Rintel -Acked-by: Davide Caratti ---- - wpa_supplicant/dbus/dbus_new_handlers.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/wpa_supplicant/dbus/dbus_new_handlers.c b/wpa_supplicant/dbus/dbus_new_handlers.c -index 1c9ded09a..0b1002bf1 100644 ---- a/wpa_supplicant/dbus/dbus_new_handlers.c -+++ b/wpa_supplicant/dbus/dbus_new_handlers.c -@@ -1121,7 +1121,7 @@ dbus_bool_t wpas_dbus_getter_global_capabilities( - const struct wpa_dbus_property_desc *property_desc, - DBusMessageIter *iter, DBusError *error, void *user_data) - { -- const char *capabilities[13]; -+ const char *capabilities[14]; - size_t num_items = 0; - struct wpa_global *global = user_data; - struct wpa_supplicant *wpa_s; -@@ -1177,6 +1177,9 @@ dbus_bool_t wpas_dbus_getter_global_capabilities( - #endif /* CONFIG_SUITEB192 */ - if (ext_key_id_supported) - capabilities[num_items++] = "extended_key_id"; -+#ifndef CONFIG_WEP -+ capabilities[num_items++] = "wep_disabled"; -+#endif /* !CONFIG_WEP 
*/ - - return wpas_dbus_simple_array_property_getter(iter, - DBUS_TYPE_STRING, --- -2.35.1 - diff --git a/SOURCES/0001-EAP-peer-Workaround-for-servers-that-do-not-support-.patch b/SOURCES/0001-EAP-peer-Workaround-for-servers-that-do-not-support-.patch deleted file mode 100644 index 3a2ffaf..0000000 --- a/SOURCES/0001-EAP-peer-Workaround-for-servers-that-do-not-support-.patch +++ /dev/null 
@@ -1,103 +0,0 @@ -From 566ce69a8d0e64093309cbde80235aa522fbf84e Mon Sep 17 00:00:00 2001 -Message-Id: <566ce69a8d0e64093309cbde80235aa522fbf84e.1652450572.git.davide.caratti@gmail.com> -From: Jouni Malinen -Date: Thu, 5 May 2022 00:07:44 +0300 -Subject: [PATCH] EAP peer: Workaround for servers that do not support safe TLS - renegotiation - -The TLS protocol design for renegotiation was identified to have a -significant security flaw in 2009 and an extension to secure this design -was published in 2010 (RFC 5746). However, some old RADIUS -authentication servers without support for this are still used commonly. - -This is obviously not good from the security view point, but since there -are cases where the user of a network service has no realistic means for -getting the authentication server upgraded, TLS handshake may still need -to be allowed to be able to use the network. - -OpenSSL 3.0 disabled the client side workaround by default and this -resulted in issues connection to some networks with insecure -authentication servers. With OpenSSL 3.0, the client is now enforcing -security by refusing to authenticate with such servers. The pre-3.0 -behavior of ignoring this issue and leaving security to the server can -now be enabled with a new phase1 parameter allow_unsafe_renegotiation=1. -This should be used only when having to connect to a network that has an -insecure authentication server that cannot be upgraded. - -The old (pre-2010) TLS renegotiation mechanism might open security -vulnerabilities if the authentication server were to allow TLS -renegotiation to be initiated. While this is unlikely to cause real -issues with EAP-TLS, there might be cases where use of PEAP or TTLS with -an authentication server that does not support RFC 5746 might result in -a security vulnerability. 
- -Signed-off-by: Jouni Malinen ---- - src/crypto/tls.h | 1 + - src/crypto/tls_openssl.c | 5 +++++ - src/eap_peer/eap_tls_common.c | 4 ++++ - wpa_supplicant/wpa_supplicant.conf | 5 +++++ - 4 files changed, 15 insertions(+) - -diff --git a/src/crypto/tls.h b/src/crypto/tls.h -index ccaac94c9..7ea32ee4a 100644 ---- a/src/crypto/tls.h -+++ b/src/crypto/tls.h -@@ -112,6 +112,7 @@ struct tls_config { - #define TLS_CONN_ENABLE_TLSv1_1 BIT(15) - #define TLS_CONN_ENABLE_TLSv1_2 BIT(16) - #define TLS_CONN_TEAP_ANON_DH BIT(17) -+#define TLS_CONN_ALLOW_UNSAFE_RENEGOTIATION BIT(18) - - /** - * struct tls_connection_params - Parameters for TLS connection -diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c -index 388c6b0f4..0d23f44ad 100644 ---- a/src/crypto/tls_openssl.c -+++ b/src/crypto/tls_openssl.c -@@ -3081,6 +3081,11 @@ static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags, - SSL_clear_options(ssl, SSL_OP_NO_TICKET); - #endif /* SSL_OP_NO_TICKET */ - -+#ifdef SSL_OP_LEGACY_SERVER_CONNECT -+ if (flags & TLS_CONN_ALLOW_UNSAFE_RENEGOTIATION) -+ SSL_set_options(ssl, SSL_OP_LEGACY_SERVER_CONNECT); -+#endif /* SSL_OP_LEGACY_SERVER_CONNECT */ -+ - #ifdef SSL_OP_NO_TLSv1 - if (flags & TLS_CONN_DISABLE_TLSv1_0) - SSL_set_options(ssl, SSL_OP_NO_TLSv1); -diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c -index 06c9b211e..6193b4bdb 100644 ---- a/src/eap_peer/eap_tls_common.c -+++ b/src/eap_peer/eap_tls_common.c -@@ -102,6 +102,10 @@ static void eap_tls_params_flags(struct tls_connection_params *params, - params->flags |= TLS_CONN_SUITEB_NO_ECDH; - if (os_strstr(txt, "tls_suiteb_no_ecdh=0")) - params->flags &= ~TLS_CONN_SUITEB_NO_ECDH; -+ if (os_strstr(txt, "allow_unsafe_renegotiation=1")) -+ params->flags |= TLS_CONN_ALLOW_UNSAFE_RENEGOTIATION; -+ if (os_strstr(txt, "allow_unsafe_renegotiation=0")) -+ params->flags &= ~TLS_CONN_ALLOW_UNSAFE_RENEGOTIATION; - } - - -diff --git a/wpa_supplicant/wpa_supplicant.conf 
b/wpa_supplicant/wpa_supplicant.conf -index a1dc769c9..b5304a77e 100644 ---- a/wpa_supplicant/wpa_supplicant.conf -+++ b/wpa_supplicant/wpa_supplicant.conf -@@ -1370,6 +1370,11 @@ fast_reauth=1 - # tls_suiteb=0 - do not apply Suite B 192-bit constraints on TLS (default) - # tls_suiteb=1 - apply Suite B 192-bit constraints on TLS; this is used in - # particular when using Suite B with RSA keys of >= 3K (3072) bits -+# allow_unsafe_renegotiation=1 - allow connection with a TLS server that does -+# not support safe renegotiation (RFC 5746); please note that this -+# workaround should be only when having to authenticate with an old -+# authentication server that cannot be updated to use secure TLS -+# implementation. - # - # Following certificate/private key fields are used in inner Phase2 - # authentication when using EAP-TTLS or EAP-PEAP. --- -2.35.1 - diff --git a/SOURCES/0001-EAP-peer-status-notification-for-server-not-supporti.patch b/SOURCES/0001-EAP-peer-status-notification-for-server-not-supporti.patch deleted file mode 100644 index 06807ee..0000000 --- a/SOURCES/0001-EAP-peer-status-notification-for-server-not-supporti.patch +++ /dev/null 
@@ -1,106 +0,0 @@ -From a561d12d24c2c8bb0f825d4a3a55a5e47e845853 Mon Sep 17 00:00:00 2001 -Message-Id: -From: Jouni Malinen -Date: Wed, 4 May 2022 23:55:38 +0300 -Subject: [PATCH] EAP peer status notification for server not supporting RFC - 5746 - -Add a notification message to indicate reason for TLS handshake failure -due to the server not supporting safe renegotiation (RFC 5746). - -Signed-off-by: Jouni Malinen ---- - src/ap/authsrv.c | 3 +++ - src/crypto/tls.h | 3 ++- - src/crypto/tls_openssl.c | 15 +++++++++++++-- - src/eap_peer/eap.c | 5 +++++ - 4 files changed, 23 insertions(+), 3 deletions(-) - -diff --git a/src/ap/authsrv.c b/src/ap/authsrv.c -index 516c1da74..fd9c96fad 100644 ---- a/src/ap/authsrv.c -+++ b/src/ap/authsrv.c -@@ -169,6 +169,9 @@ static void authsrv_tls_event(void *ctx, enum tls_event ev, - wpa_printf(MSG_DEBUG, "authsrv: remote TLS alert: %s", - data->alert.description); - break; -+ case TLS_UNSAFE_RENEGOTIATION_DISABLED: -+ /* Not applicable to TLS server */ -+ break; - } - } - #endif /* EAP_TLS_FUNCS */ -diff --git a/src/crypto/tls.h b/src/crypto/tls.h -index 7ea32ee4a..7a2ee32df 100644 ---- a/src/crypto/tls.h -+++ b/src/crypto/tls.h -@@ -22,7 +22,8 @@ enum tls_event { - TLS_CERT_CHAIN_SUCCESS, - TLS_CERT_CHAIN_FAILURE, - TLS_PEER_CERTIFICATE, -- TLS_ALERT -+ TLS_ALERT, -+ TLS_UNSAFE_RENEGOTIATION_DISABLED, - }; - - /* -diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c -index 0d23f44ad..912471ba2 100644 ---- a/src/crypto/tls_openssl.c -+++ b/src/crypto/tls_openssl.c -@@ -4443,6 +4443,7 @@ int tls_connection_get_eap_fast_key(void *tls_ctx, struct tls_connection *conn, - static struct wpabuf * - openssl_handshake(struct tls_connection *conn, const struct wpabuf *in_data) - { -+ struct tls_context *context = conn->context; - int res; - struct wpabuf *out_data; - -@@ -4472,7 +4473,19 @@ openssl_handshake(struct tls_connection *conn, const struct wpabuf *in_data) - wpa_printf(MSG_DEBUG, "SSL: SSL_connect - want to " - "write"); 
- else { -+ unsigned long error = ERR_peek_last_error(); -+ - tls_show_errors(MSG_INFO, __func__, "SSL_connect"); -+ -+ if (context->event_cb && -+ ERR_GET_LIB(error) == ERR_LIB_SSL && -+ ERR_GET_REASON(error) == -+ SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED) { -+ context->event_cb( -+ context->cb_ctx, -+ TLS_UNSAFE_RENEGOTIATION_DISABLED, -+ NULL); -+ } - conn->failed++; - if (!conn->server && !conn->client_hello_generated) { - /* The server would not understand TLS Alert -@@ -4495,8 +4508,6 @@ openssl_handshake(struct tls_connection *conn, const struct wpabuf *in_data) - if ((conn->flags & TLS_CONN_SUITEB) && !conn->server && - os_strncmp(SSL_get_cipher(conn->ssl), "DHE-", 4) == 0 && - conn->server_dh_prime_len < 3072) { -- struct tls_context *context = conn->context; -- - /* - * This should not be reached since earlier cert_cb should have - * terminated the handshake. Keep this check here for extra -diff --git a/src/eap_peer/eap.c b/src/eap_peer/eap.c -index 429b20d3a..729388f4f 100644 ---- a/src/eap_peer/eap.c -+++ b/src/eap_peer/eap.c -@@ -2172,6 +2172,11 @@ static void eap_peer_sm_tls_event(void *ctx, enum tls_event ev, - eap_notify_status(sm, "remote TLS alert", - data->alert.description); - break; -+ case TLS_UNSAFE_RENEGOTIATION_DISABLED: -+ wpa_printf(MSG_INFO, -+ "TLS handshake failed due to the server not supporting safe renegotiation (RFC 5746); phase1 parameter allow_unsafe_renegotiation=1 can be used to work around this"); -+ eap_notify_status(sm, "unsafe server renegotiation", "failure"); -+ break; - } - - os_free(hash_hex); --- -2.35.1 - diff --git a/SOURCES/wpa_supplicant-Revert-Mark-authorization-completed-on-driver-indica.patch b/SOURCES/wpa_supplicant-Revert-Mark-authorization-completed-on-driver-indica.patch new file mode 100644 index 0000000..b42cba1 --- /dev/null +++ b/SOURCES/wpa_supplicant-Revert-Mark-authorization-completed-on-driver-indica.patch 
@@ -0,0 +1,50 @@ +From 2514856652f9a393e505d542cb8f039f8bac10f5 Mon Sep 17 00:00:00 2001 +From: Janne Grunau +Date: Sun, 4 Aug 2024 13:24:42 +0200 +Subject: [PATCH 1/1] Revert "Mark authorization completed on driver indication + during 4-way HS offload" + +This reverts commit 41638606054a09867fe3f9a2b5523aa4678cbfa5. +--- + wpa_supplicant/events.c | 25 ++++++++----------------- + 1 file changed, 8 insertions(+), 17 deletions(-) + +diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c +index 46e7cf1ab..7b3ef7205 100644 +--- a/wpa_supplicant/events.c ++++ b/wpa_supplicant/events.c +@@ -4441,23 +4441,14 @@ static void wpa_supplicant_event_assoc(struct wpa_supplicant *wpa_s, + eapol_sm_notify_eap_success(wpa_s->eapol, true); + } else if ((wpa_s->drv_flags & WPA_DRIVER_FLAGS_4WAY_HANDSHAKE_PSK) && + wpa_key_mgmt_wpa_psk(wpa_s->key_mgmt)) { +- if (already_authorized) { +- /* +- * We are done; the driver will take care of RSN 4-way +- * handshake. +- */ +- wpa_supplicant_cancel_auth_timeout(wpa_s); +- wpa_supplicant_set_state(wpa_s, WPA_COMPLETED); +- eapol_sm_notify_portValid(wpa_s->eapol, true); +- eapol_sm_notify_eap_success(wpa_s->eapol, true); +- } else { +- /* Update port, WPA_COMPLETED state from the +- * EVENT_PORT_AUTHORIZED handler when the driver is done +- * with the 4-way handshake. +- */ +- wpa_msg(wpa_s, MSG_DEBUG, +- "ASSOC INFO: wait for driver port authorized indication"); +- } ++ /* ++ * We are done; the driver will take care of RSN 4-way ++ * handshake. ++ */ ++ wpa_supplicant_cancel_auth_timeout(wpa_s); ++ wpa_supplicant_set_state(wpa_s, WPA_COMPLETED); ++ eapol_sm_notify_portValid(wpa_s->eapol, true); ++ eapol_sm_notify_eap_success(wpa_s->eapol, true); + } else if ((wpa_s->drv_flags & WPA_DRIVER_FLAGS_4WAY_HANDSHAKE_8021X) && + wpa_key_mgmt_wpa_ieee8021x(wpa_s->key_mgmt)) { + /* +-- +2.45.2 + diff --git a/SOURCES/wpa_supplicant-assoc-timeout.patch b/SOURCES/wpa_supplicant-assoc-timeout.patch index c3b3568..5b7b8c0 100644 
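Review bot: The revert in this new patch file makes the `WPA_DRIVER_FLAGS_4WAY_HANDSHAKE_PSK` branch of `wpa_supplicant_event_assoc()` call `wpa_supplicant_set_state(wpa_s, WPA_COMPLETED)` and `eapol_sm_notify_portValid(wpa_s->eapol, true)` on every association again. The `already_authorized` check is gone, so the connection is reported complete before the driver has indicated that the offloaded 4-way handshake succeeded. The patch description is only `This reverts commit 41638606054a09867fe3f9a2b5523aa4678cbfa5.`, and the spec comment speaks only of "a regression", so neither records which drivers or failure motivated the trade-off. I would add a paragraph to the patch header naming the regression and stating that a failed offloaded handshake (presumably, for example, a wrong PSK) is then only seen through a later disconnect. I would also put a tracker reference next to `Patch5:`, e.g. `# <TICKET-ID>: revert until drivers reliably send the port-authorized event`. The enclosing function starts and ends outside the inner hunk, so how `already_authorized` is set cannot be checked from here.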
--- a/SOURCES/wpa_supplicant-assoc-timeout.patch +++ b/SOURCES/wpa_supplicant-assoc-timeout.patch @@ -1,7 +1,6 @@ -diff -up wpa_supplicant-0.7.3/wpa_supplicant/wpa_supplicant.c.assoc-timeout wpa_supplicant-0.7.3/wpa_supplicant/wpa_supplicant.c ---- wpa_supplicant-0.7.3/wpa_supplicant/wpa_supplicant.c.assoc-timeout 2010-09-07 10:43:39.000000000 -0500 -+++ wpa_supplicant-0.7.3/wpa_supplicant/wpa_supplicant.c 2010-12-07 18:57:45.163457000 -0600 -@@ -1262,10 +1262,10 @@ void wpa_supplicant_associate(struct wpa +--- a/wpa_supplicant/wpa_supplicant.c ++++ b/wpa_supplicant/wpa_supplicant.c +@@ -4619,10 +4619,10 @@ static void wpas_start_assoc_cb(struct w if (assoc_failed) { /* give IBSS a bit more time */ diff --git a/SOURCES/wpa_supplicant-config.patch b/SOURCES/wpa_supplicant-config.patch index 04d7ab3..d53ce7d 100644 --- a/SOURCES/wpa_supplicant-config.patch +++ b/SOURCES/wpa_supplicant-config.patch @@ -9,7 +9,7 @@ Subject: [PATCH] defconfig: Fedora configuration --- a/wpa_supplicant/defconfig +++ b/wpa_supplicant/defconfig -@@ -146,7 +146,7 @@ CONFIG_EAP_PAX=y +@@ -149,7 +149,7 @@ CONFIG_EAP_PAX=y CONFIG_EAP_LEAP=y # EAP-AKA (enable CONFIG_PCSC, if EAP-AKA is used) @@ -18,7 +18,7 @@ Subject: [PATCH] defconfig: Fedora configuration # EAP-AKA' (enable CONFIG_PCSC, if EAP-AKA' is used). # This requires CONFIG_EAP_AKA to be enabled, too. -@@ -338,6 +338,7 @@ CONFIG_BACKEND=file +@@ -350,6 +350,7 @@ CONFIG_BACKEND=file # Select which ciphers to use by default with OpenSSL if the user does not # specify them. #CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW" 
@@ -26,8 +26,8 @@ Subject: [PATCH] defconfig: Fedora configuration # If CONFIG_TLS=internal is used, additional library and include paths are # needed for LibTomMath. Alternatively, an integrated, minimal version of -@@ -390,7 +391,7 @@ CONFIG_CTRL_IFACE_DBUS_INTRO=y - #CONFIG_DYNAMIC_EAP_METHODS=y +@@ -418,7 +419,7 @@ CONFIG_CTRL_IFACE_DBUS_INTRO=y + #CONFIG_NO_LOAD_DYNAMIC_EAP=y # IEEE Std 802.11r-2008 (Fast BSS Transition) for station mode -CONFIG_IEEE80211R=y @@ -35,7 +35,7 @@ Subject: [PATCH] defconfig: Fedora configuration # Add support for writing debug log to a file (/tmp/wpa_supplicant-log-#.txt) CONFIG_DEBUG_FILE=y -@@ -469,7 +470,7 @@ CONFIG_DEBUG_SYSLOG=y +@@ -497,7 +498,7 @@ CONFIG_DEBUG_SYSLOG=y # Should we attempt to use the getrandom(2) call that provides more reliable # yet secure randomness source than /dev/random on Linux 3.17 and newer. # Requires glibc 2.25 to build, falls back to /dev/random if unavailable. @@ -44,7 +44,16 @@ Subject: [PATCH] defconfig: Fedora configuration # IEEE 802.11ac (Very High Throughput) support (mainly for AP mode) CONFIG_IEEE80211AC=y -@@ -587,7 +588,7 @@ CONFIG_IBSS_RSN=y +@@ -510,7 +511,7 @@ CONFIG_IEEE80211AX=y + # Note: This is experimental and work in progress. The definitions are still + # subject to change and this should not be expected to interoperate with the + # final IEEE 802.11be version. +-#CONFIG_IEEE80211BE=y ++CONFIG_IEEE80211BE=y + + # Wireless Network Management (IEEE Std 802.11v-2011) + # Note: This is experimental and not complete implementation. +@@ -625,7 +626,7 @@ CONFIG_IBSS_RSN=y #CONFIG_PMKSA_CACHE_EXTERNAL=y # Mesh Networking (IEEE 802.11s) 
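Review bot: `CONFIG_IEEE80211BE=y` is switched on in the new defconfig hunk even though the context lines directly above it say the option is "experimental and work in progress" and "should not be expected to interoperate with the final IEEE 802.11be version". The patch adds nothing to explain why the distribution build accepts that. Enabling it presumably compiles extra EHT/MLO handling into a privileged daemon that processes frames from untrusted access points, so the decision deserves a recorded rationale and an owner. I would add a comment above the changed line in the patch, e.g. `# Enabled downstream (RHEL-10237); upstream still marks this experimental, re-check on each rebase`.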
@@ -53,7 +62,7 @@ Subject: [PATCH] defconfig: Fedora configuration # Background scanning modules # These can be used to request wpa_supplicant to perform background scanning -@@ -601,7 +602,7 @@ CONFIG_BGSCAN_SIMPLE=y +@@ -639,7 +640,7 @@ CONFIG_BGSCAN_SIMPLE=y # Opportunistic Wireless Encryption (OWE) # Experimental implementation of draft-harkins-owe-07.txt @@ -62,10 +71,10 @@ Subject: [PATCH] defconfig: Fedora configuration # Device Provisioning Protocol (DPP) (also known as Wi-Fi Easy Connect) CONFIG_DPP=y -@@ -633,3 +634,6 @@ CONFIG_DPP2=y - # design is still subject to change. As such, this should not yet be enabled in - # production use. - #CONFIG_PASN=y +@@ -686,3 +687,6 @@ CONFIG_DPP2=y + + # Wi-Fi Aware unsynchronized service discovery (NAN USD) + #CONFIG_NAN_USD=y +# +CONFIG_SUITEB192=y + diff --git a/SOURCES/wpa_supplicant-gui-qt4.patch b/SOURCES/wpa_supplicant-gui-qt4.patch index 7acca1e..287f530 100644 --- a/SOURCES/wpa_supplicant-gui-qt4.patch +++ b/SOURCES/wpa_supplicant-gui-qt4.patch @@ -11,7 +11,7 @@ different locations. --- a/wpa_supplicant/Makefile +++ b/wpa_supplicant/Makefile -@@ -35,6 +35,9 @@ export INCDIR ?= /usr/local/include +@@ -46,6 +46,9 @@ export INCDIR ?= /usr/local/include export BINDIR ?= /usr/local/sbin PKG_CONFIG ?= pkg-config @@ -21,7 +21,7 @@ different locations. CFLAGS += $(EXTRA_CFLAGS) CFLAGS += -I$(abspath ../src) CFLAGS += -I$(abspath ../src/utils) -@@ -2039,10 +2042,10 @@ wpa_gui: +@@ -2156,10 +2159,10 @@ wpa_gui: @echo "wpa_gui has been removed - see wpa_gui-qt4 for replacement" wpa_gui-qt4/Makefile: diff --git a/SOURCES/wpa_supplicant-quiet-scan-results-message.patch b/SOURCES/wpa_supplicant-quiet-scan-results-message.patch index c646a30..94d0b61 100644 --- a/SOURCES/wpa_supplicant-quiet-scan-results-message.patch +++ b/SOURCES/wpa_supplicant-quiet-scan-results-message.patch 
@@ -7,11 +7,9 @@ Subject: [PATCH 1/2] quiet an annoying and frequent syslog message wpa_supplicant/events.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) -diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c -index abe3b47..72a0412 100644 --- a/wpa_supplicant/events.c +++ b/wpa_supplicant/events.c -@@ -1555,11 +1555,11 @@ static int _wpa_supplicant_event_scan_results(struct wpa_supplicant *wpa_s, +@@ -2504,11 +2504,11 @@ static int _wpa_supplicant_event_scan_re if (wpa_s->last_scan_req == MANUAL_SCAN_REQ && wpa_s->manual_scan_use_id && wpa_s->own_scan_running && own_request && !(data && data->scan_info.external_scan)) { @@ -25,6 +23,3 @@ index abe3b47..72a0412 100644 } wpas_notify_scan_results(wpa_s); --- -2.9.3 - diff --git a/SPECS/wpa_supplicant.spec b/SPECS/wpa_supplicant.spec index 1c0d907..3839536 100644 --- a/SPECS/wpa_supplicant.spec +++ b/SPECS/wpa_supplicant.spec @@ -8,8 +8,8 @@ Summary: WPA/WPA2/IEEE 802.1X Supplicant Name: wpa_supplicant Epoch: 1 -Version: 2.10 -Release: 4%{?dist} +Version: 2.11 +Release: 2%{?dist} License: BSD Source0: http://w1.fi/releases/%{name}-%{version}.tar.gz Source1: wpa_supplicant.conf @@ -29,11 +29,8 @@ Patch2: wpa_supplicant-flush-debug-output.patch Patch3: wpa_supplicant-quiet-scan-results-message.patch # distro specific customization for Qt4 build tools, not suitable for upstream Patch4: wpa_supplicant-gui-qt4.patch -# backport fix for bz2063730 -Patch5: 0001-D-Bus-Add-wep_disabled-capability.patch -# backport fix for bz2077973 -Patch6: 0001-EAP-peer-Workaround-for-servers-that-do-not-support-.patch -Patch7: 0001-EAP-peer-status-notification-for-server-not-supporti.patch +# backport fix for a regression introduced with upstream version 2.11 +Patch5: wpa_supplicant-Revert-Mark-authorization-completed-on-driver-indica.patch URL: http://w1.fi/wpa_supplicant/ 
@@ -194,6 +191,18 @@ chmod -R 0644 wpa_supplicant/examples/*.py %changelog +* Thu Feb 13 2025 Davide Caratti - 1:2.11-2 +- Enable CONFIG_IEEE80211BE (RHEL-10237) + +* Thu Nov 28 2024 Davide Caratti - 1:2.11-1 +- Update to upstream version 2.11 (plus a follow-up backport) + Resolves: RHEL-10237, RHEL-58725 + +* Thu Feb 22 2024 Davide Caratti - 1:2.10-5 +- Support macsec HW offload. + Resolves: RHEL-22440 +- Backport fix for PEAP client (CVE-2023-52160) + * Fri May 13 2022 Davide Caratti - 1:2.10-4 - Explicitly allow/disallow unsafe legacy renegotiation on configuration base. Resolves: rhbz#2077973