diff --git a/.gitignore b/.gitignore
index 7f9a139..8f084d4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -23,3 +23,4 @@ wpa_supplicant-0.6.8.tar.gz
 /wpa_supplicant-2.9.tar.gz
 /wpa_supplicant-2.9.20211112.gitc8b94bc7b347.tar.gz
 /wpa_supplicant-2.10.tar.gz
+/wpa_supplicant-2.11.tar.gz
diff --git a/0001-D-Bus-Add-wep_disabled-capability.patch b/0001-D-Bus-Add-wep_disabled-capability.patch
deleted file mode 100644
index a6568dc..0000000
--- a/0001-D-Bus-Add-wep_disabled-capability.patch
+++ /dev/null
@@ -1,52 +0,0 @@ -From 5b093570dca1855c5bf40bcbd8d149fa6f8ea8ff Mon Sep 17 00:00:00 2001 -Message-Id: <5b093570dca1855c5bf40bcbd8d149fa6f8ea8ff.1650620058.git.davide.caratti@gmail.com> -From: Lubomir Rintel -Date: Mon, 7 Mar 2022 09:54:46 +0100 -Subject: [PATCH] D-Bus: Add 'wep_disabled' capability - -Since commit 200c7693c9a1 ('Make WEP functionality an optional build -parameter'), WEP support is optional and, indeed, off by default. - -The distributions are now catching up and disabling WEP in their builds. -Unfortunately, there's no indication prior to an attempt to connect to a -WEP network that it's not going to work. Add a capability to communicate -that. - -Unlike other capabilities, this one is negative. That is, it indicates -lack of a WEP support as opposed to its presence. This is necessary -because historically there has been no capability to indicate presence -of WEP support and therefore NetworkManager (and probably others) just -assumes it's there. - -Signed-off-by: Lubomir Rintel -Acked-by: Davide Caratti ---- - wpa_supplicant/dbus/dbus_new_handlers.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/wpa_supplicant/dbus/dbus_new_handlers.c b/wpa_supplicant/dbus/dbus_new_handlers.c -index 1c9ded09a..0b1002bf1 100644 ---- a/wpa_supplicant/dbus/dbus_new_handlers.c -+++ b/wpa_supplicant/dbus/dbus_new_handlers.c -@@ -1121,7 +1121,7 @@ dbus_bool_t wpas_dbus_getter_global_capabilities( - const struct wpa_dbus_property_desc *property_desc, - DBusMessageIter *iter, DBusError *error, void *user_data) - { -- const char *capabilities[13]; -+ const char *capabilities[14]; - size_t num_items = 0; - struct wpa_global *global = user_data; - struct wpa_supplicant *wpa_s; -@@ -1177,6 +1177,9 @@ dbus_bool_t wpas_dbus_getter_global_capabilities( - #endif /* CONFIG_SUITEB192 */ - if (ext_key_id_supported) - capabilities[num_items++] = "extended_key_id"; -+#ifndef CONFIG_WEP -+ capabilities[num_items++] = "wep_disabled"; -+#endif /* !CONFIG_WEP 
*/ - - return wpas_dbus_simple_array_property_getter(iter, - DBUS_TYPE_STRING, --- -2.35.1 - diff --git a/0001-EAP-peer-Workaround-for-servers-that-do-not-support-.patch b/0001-EAP-peer-Workaround-for-servers-that-do-not-support-.patch deleted file mode 100644 index 3a2ffaf..0000000 --- a/0001-EAP-peer-Workaround-for-servers-that-do-not-support-.patch +++ /dev/null 
@@ -1,103 +0,0 @@ -From 566ce69a8d0e64093309cbde80235aa522fbf84e Mon Sep 17 00:00:00 2001 -Message-Id: <566ce69a8d0e64093309cbde80235aa522fbf84e.1652450572.git.davide.caratti@gmail.com> -From: Jouni Malinen -Date: Thu, 5 May 2022 00:07:44 +0300 -Subject: [PATCH] EAP peer: Workaround for servers that do not support safe TLS - renegotiation - -The TLS protocol design for renegotiation was identified to have a -significant security flaw in 2009 and an extension to secure this design -was published in 2010 (RFC 5746). However, some old RADIUS -authentication servers without support for this are still used commonly. - -This is obviously not good from the security view point, but since there -are cases where the user of a network service has no realistic means for -getting the authentication server upgraded, TLS handshake may still need -to be allowed to be able to use the network. - -OpenSSL 3.0 disabled the client side workaround by default and this -resulted in issues connection to some networks with insecure -authentication servers. With OpenSSL 3.0, the client is now enforcing -security by refusing to authenticate with such servers. The pre-3.0 -behavior of ignoring this issue and leaving security to the server can -now be enabled with a new phase1 parameter allow_unsafe_renegotiation=1. -This should be used only when having to connect to a network that has an -insecure authentication server that cannot be upgraded. - -The old (pre-2010) TLS renegotiation mechanism might open security -vulnerabilities if the authentication server were to allow TLS -renegotiation to be initiated. While this is unlikely to cause real -issues with EAP-TLS, there might be cases where use of PEAP or TTLS with -an authentication server that does not support RFC 5746 might result in -a security vulnerability. 
- -Signed-off-by: Jouni Malinen ---- - src/crypto/tls.h | 1 + - src/crypto/tls_openssl.c | 5 +++++ - src/eap_peer/eap_tls_common.c | 4 ++++ - wpa_supplicant/wpa_supplicant.conf | 5 +++++ - 4 files changed, 15 insertions(+) - -diff --git a/src/crypto/tls.h b/src/crypto/tls.h -index ccaac94c9..7ea32ee4a 100644 ---- a/src/crypto/tls.h -+++ b/src/crypto/tls.h -@@ -112,6 +112,7 @@ struct tls_config { - #define TLS_CONN_ENABLE_TLSv1_1 BIT(15) - #define TLS_CONN_ENABLE_TLSv1_2 BIT(16) - #define TLS_CONN_TEAP_ANON_DH BIT(17) -+#define TLS_CONN_ALLOW_UNSAFE_RENEGOTIATION BIT(18) - - /** - * struct tls_connection_params - Parameters for TLS connection -diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c -index 388c6b0f4..0d23f44ad 100644 ---- a/src/crypto/tls_openssl.c -+++ b/src/crypto/tls_openssl.c -@@ -3081,6 +3081,11 @@ static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags, - SSL_clear_options(ssl, SSL_OP_NO_TICKET); - #endif /* SSL_OP_NO_TICKET */ - -+#ifdef SSL_OP_LEGACY_SERVER_CONNECT -+ if (flags & TLS_CONN_ALLOW_UNSAFE_RENEGOTIATION) -+ SSL_set_options(ssl, SSL_OP_LEGACY_SERVER_CONNECT); -+#endif /* SSL_OP_LEGACY_SERVER_CONNECT */ -+ - #ifdef SSL_OP_NO_TLSv1 - if (flags & TLS_CONN_DISABLE_TLSv1_0) - SSL_set_options(ssl, SSL_OP_NO_TLSv1); -diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c -index 06c9b211e..6193b4bdb 100644 ---- a/src/eap_peer/eap_tls_common.c -+++ b/src/eap_peer/eap_tls_common.c -@@ -102,6 +102,10 @@ static void eap_tls_params_flags(struct tls_connection_params *params, - params->flags |= TLS_CONN_SUITEB_NO_ECDH; - if (os_strstr(txt, "tls_suiteb_no_ecdh=0")) - params->flags &= ~TLS_CONN_SUITEB_NO_ECDH; -+ if (os_strstr(txt, "allow_unsafe_renegotiation=1")) -+ params->flags |= TLS_CONN_ALLOW_UNSAFE_RENEGOTIATION; -+ if (os_strstr(txt, "allow_unsafe_renegotiation=0")) -+ params->flags &= ~TLS_CONN_ALLOW_UNSAFE_RENEGOTIATION; - } - - -diff --git a/wpa_supplicant/wpa_supplicant.conf 
b/wpa_supplicant/wpa_supplicant.conf -index a1dc769c9..b5304a77e 100644 ---- a/wpa_supplicant/wpa_supplicant.conf -+++ b/wpa_supplicant/wpa_supplicant.conf -@@ -1370,6 +1370,11 @@ fast_reauth=1 - # tls_suiteb=0 - do not apply Suite B 192-bit constraints on TLS (default) - # tls_suiteb=1 - apply Suite B 192-bit constraints on TLS; this is used in - # particular when using Suite B with RSA keys of >= 3K (3072) bits -+# allow_unsafe_renegotiation=1 - allow connection with a TLS server that does -+# not support safe renegotiation (RFC 5746); please note that this -+# workaround should be only when having to authenticate with an old -+# authentication server that cannot be updated to use secure TLS -+# implementation. - # - # Following certificate/private key fields are used in inner Phase2 - # authentication when using EAP-TTLS or EAP-PEAP. --- -2.35.1 - diff --git a/0001-EAP-peer-status-notification-for-server-not-supporti.patch b/0001-EAP-peer-status-notification-for-server-not-supporti.patch deleted file mode 100644 index 06807ee..0000000 --- a/0001-EAP-peer-status-notification-for-server-not-supporti.patch +++ /dev/null 
@@ -1,106 +0,0 @@ -From a561d12d24c2c8bb0f825d4a3a55a5e47e845853 Mon Sep 17 00:00:00 2001 -Message-Id: -From: Jouni Malinen -Date: Wed, 4 May 2022 23:55:38 +0300 -Subject: [PATCH] EAP peer status notification for server not supporting RFC - 5746 - -Add a notification message to indicate reason for TLS handshake failure -due to the server not supporting safe renegotiation (RFC 5746). - -Signed-off-by: Jouni Malinen ---- - src/ap/authsrv.c | 3 +++ - src/crypto/tls.h | 3 ++- - src/crypto/tls_openssl.c | 15 +++++++++++++-- - src/eap_peer/eap.c | 5 +++++ - 4 files changed, 23 insertions(+), 3 deletions(-) - -diff --git a/src/ap/authsrv.c b/src/ap/authsrv.c -index 516c1da74..fd9c96fad 100644 ---- a/src/ap/authsrv.c -+++ b/src/ap/authsrv.c -@@ -169,6 +169,9 @@ static void authsrv_tls_event(void *ctx, enum tls_event ev, - wpa_printf(MSG_DEBUG, "authsrv: remote TLS alert: %s", - data->alert.description); - break; -+ case TLS_UNSAFE_RENEGOTIATION_DISABLED: -+ /* Not applicable to TLS server */ -+ break; - } - } - #endif /* EAP_TLS_FUNCS */ -diff --git a/src/crypto/tls.h b/src/crypto/tls.h -index 7ea32ee4a..7a2ee32df 100644 ---- a/src/crypto/tls.h -+++ b/src/crypto/tls.h -@@ -22,7 +22,8 @@ enum tls_event { - TLS_CERT_CHAIN_SUCCESS, - TLS_CERT_CHAIN_FAILURE, - TLS_PEER_CERTIFICATE, -- TLS_ALERT -+ TLS_ALERT, -+ TLS_UNSAFE_RENEGOTIATION_DISABLED, - }; - - /* -diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c -index 0d23f44ad..912471ba2 100644 ---- a/src/crypto/tls_openssl.c -+++ b/src/crypto/tls_openssl.c -@@ -4443,6 +4443,7 @@ int tls_connection_get_eap_fast_key(void *tls_ctx, struct tls_connection *conn, - static struct wpabuf * - openssl_handshake(struct tls_connection *conn, const struct wpabuf *in_data) - { -+ struct tls_context *context = conn->context; - int res; - struct wpabuf *out_data; - -@@ -4472,7 +4473,19 @@ openssl_handshake(struct tls_connection *conn, const struct wpabuf *in_data) - wpa_printf(MSG_DEBUG, "SSL: SSL_connect - want to " - "write"); 
- else { -+ unsigned long error = ERR_peek_last_error(); -+ - tls_show_errors(MSG_INFO, __func__, "SSL_connect"); -+ -+ if (context->event_cb && -+ ERR_GET_LIB(error) == ERR_LIB_SSL && -+ ERR_GET_REASON(error) == -+ SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED) { -+ context->event_cb( -+ context->cb_ctx, -+ TLS_UNSAFE_RENEGOTIATION_DISABLED, -+ NULL); -+ } - conn->failed++; - if (!conn->server && !conn->client_hello_generated) { - /* The server would not understand TLS Alert -@@ -4495,8 +4508,6 @@ openssl_handshake(struct tls_connection *conn, const struct wpabuf *in_data) - if ((conn->flags & TLS_CONN_SUITEB) && !conn->server && - os_strncmp(SSL_get_cipher(conn->ssl), "DHE-", 4) == 0 && - conn->server_dh_prime_len < 3072) { -- struct tls_context *context = conn->context; -- - /* - * This should not be reached since earlier cert_cb should have - * terminated the handshake. Keep this check here for extra -diff --git a/src/eap_peer/eap.c b/src/eap_peer/eap.c -index 429b20d3a..729388f4f 100644 ---- a/src/eap_peer/eap.c -+++ b/src/eap_peer/eap.c -@@ -2172,6 +2172,11 @@ static void eap_peer_sm_tls_event(void *ctx, enum tls_event ev, - eap_notify_status(sm, "remote TLS alert", - data->alert.description); - break; -+ case TLS_UNSAFE_RENEGOTIATION_DISABLED: -+ wpa_printf(MSG_INFO, -+ "TLS handshake failed due to the server not supporting safe renegotiation (RFC 5746); phase1 parameter allow_unsafe_renegotiation=1 can be used to work around this"); -+ eap_notify_status(sm, "unsafe server renegotiation", "failure"); -+ break; - } - - os_free(hash_hex); --- -2.35.1 - diff --git a/sources b/sources index 148252d..29eb89c 100644 --- a/sources +++ b/sources 
@@ -1 +1 @@
-SHA512 (wpa_supplicant-2.10.tar.gz) = 021c2a48f45d39c1dc6557730be5debaee071bc0ff82a271638beee6e32314e353e49d39e2f0dc8dff6e094dcc7008cfe1c32d0c7a34a1a345a12a3f1c1e11a1
+SHA512 (wpa_supplicant-2.11.tar.gz) = 9a0a3a9d6fa2235903c40aa57b5955f0c9dd1dccfd0e3825a3b6f92b3e32db8d464b3ea0aef3285ba3ee109e7b190560cedd744902e954f0003cdba543e277b2
diff --git a/wpa_supplicant-MACsec-Support-GCM-AES-256-cipher-suite.patch b/wpa_supplicant-MACsec-Support-GCM-AES-256-cipher-suite.patch
deleted file mode 100644
index 24956a9..0000000
--- a/wpa_supplicant-MACsec-Support-GCM-AES-256-cipher-suite.patch
+++ /dev/null
@@ -1,192 +0,0 @@ -From 46c635910a724ed14ee9ace549fed9790ed5980b Mon Sep 17 00:00:00 2001 -Message-ID: <46c635910a724ed14ee9ace549fed9790ed5980b.1706279119.git.davide.caratti@gmail.com> -From: leiwei -Date: Mon, 15 Nov 2021 18:22:19 +0800 -Subject: [PATCH] MACsec: Support GCM-AES-256 cipher suite - -Allow macsec_csindex to be configured and select the cipher suite when -the participant acts as a key server. - -Signed-off-by: leiwei ---- - hostapd/config_file.c | 10 ++++++++++ - hostapd/hostapd.conf | 4 ++++ - src/ap/ap_config.h | 7 +++++++ - src/ap/wpa_auth_kay.c | 4 +++- - src/pae/ieee802_1x_cp.c | 8 ++++---- - src/pae/ieee802_1x_kay.c | 17 +++++++++++++---- - src/pae/ieee802_1x_kay.h | 3 ++- - wpa_supplicant/config.c | 1 + - wpa_supplicant/config_file.c | 1 + - wpa_supplicant/config_ssid.h | 7 +++++++ - wpa_supplicant/wpas_kay.c | 4 ++-- - 11 files changed, 54 insertions(+), 12 deletions(-) - ---- a/src/ap/ap_config.h -+++ b/src/ap/ap_config.h -@@ -849,6 +849,13 @@ struct hostapd_bss_config { - int mka_priority; - - /** -+ * macsec_csindex - Cipher suite index for MACsec -+ * -+ * Range: 0-1 (default: 0) -+ */ -+ int macsec_csindex; -+ -+ /** - * mka_ckn - MKA pre-shared CKN - */ - #define MACSEC_CKN_MAX_LEN 32 ---- a/src/ap/wpa_auth_kay.c -+++ b/src/ap/wpa_auth_kay.c -@@ -329,7 +329,9 @@ int ieee802_1x_alloc_kay_sm_hapd(struct - hapd->conf->macsec_replay_protect, - hapd->conf->macsec_replay_window, - hapd->conf->macsec_port, -- hapd->conf->mka_priority, hapd->conf->iface, -+ hapd->conf->mka_priority, -+ hapd->conf->macsec_csindex, -+ hapd->conf->iface, - hapd->own_addr); - /* ieee802_1x_kay_init() frees kay_ctx on failure */ - if (!res) ---- a/src/pae/ieee802_1x_cp.c -+++ b/src/pae/ieee802_1x_cp.c -@@ -20,7 +20,7 @@ - #define STATE_MACHINE_DATA struct ieee802_1x_cp_sm - #define STATE_MACHINE_DEBUG_PREFIX "CP" - --static u64 default_cs_id = CS_ID_GCM_AES_128; -+static u64 cs_id[] = { CS_ID_GCM_AES_128, CS_ID_GCM_AES_256 }; - - /* The variable defined in clause 12 
in IEEE Std 802.1X-2010 */ - enum connect_type { PENDING, UNAUTHENTICATED, AUTHENTICATED, SECURE }; -@@ -210,7 +210,6 @@ SM_STATE(CP, SECURED) - sm->replay_protect = sm->kay->macsec_replay_protect; - sm->validate_frames = sm->kay->macsec_validate; - -- /* NOTE: now no other than default cipher suite (AES-GCM-128) */ - sm->current_cipher_suite = sm->cipher_suite; - secy_cp_control_current_cipher_suite(sm->kay, sm->current_cipher_suite); - -@@ -473,8 +472,8 @@ struct ieee802_1x_cp_sm * ieee802_1x_cp_ - sm->orx = false; - sm->otx = false; - -- sm->current_cipher_suite = default_cs_id; -- sm->cipher_suite = default_cs_id; -+ sm->current_cipher_suite = cs_id[kay->macsec_csindex]; -+ sm->cipher_suite = cs_id[kay->macsec_csindex]; - sm->cipher_offset = CONFIDENTIALITY_OFFSET_0; - sm->confidentiality_offset = sm->cipher_offset; - sm->transmit_delay = MKA_LIFE_TIME; -@@ -491,6 +490,7 @@ struct ieee802_1x_cp_sm * ieee802_1x_cp_ - secy_cp_control_enable_port(sm->kay, sm->controlled_port_enabled); - secy_cp_control_confidentiality_offset(sm->kay, - sm->confidentiality_offset); -+ secy_cp_control_current_cipher_suite(sm->kay, sm->current_cipher_suite); - - SM_STEP_RUN(CP); - ---- a/src/pae/ieee802_1x_kay.c -+++ b/src/pae/ieee802_1x_kay.c -@@ -221,8 +221,16 @@ ieee802_1x_mka_dump_dist_sak_body(struct - - wpa_printf(MSG_DEBUG, "\tKey Number............: %d", - be_to_host32(body->kn)); -- /* TODO: Other than GCM-AES-128 case: MACsec Cipher Suite */ -- wpa_hexdump(MSG_DEBUG, "\tAES Key Wrap of SAK...:", body->sak, 24); -+ if (body_len == 28) { -+ wpa_hexdump(MSG_DEBUG, "\tAES Key Wrap of SAK...:", -+ body->sak, 24); -+ } else if (body_len > CS_ID_LEN - sizeof(body->kn)) { -+ wpa_hexdump(MSG_DEBUG, "\tMACsec Cipher Suite...:", -+ body->sak, CS_ID_LEN); -+ wpa_hexdump(MSG_DEBUG, "\tAES Key Wrap of SAK...:", -+ body->sak + CS_ID_LEN, -+ body_len - CS_ID_LEN - sizeof(body->kn)); -+ } - } - - -@@ -3456,7 +3464,8 @@ static void kay_l2_receive(void *ctx, co - struct ieee802_1x_kay * - 
ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy, - bool macsec_replay_protect, u32 macsec_replay_window, -- u16 port, u8 priority, const char *ifname, const u8 *addr) -+ u16 port, u8 priority, u32 macsec_csindex, -+ const char *ifname, const u8 *addr) - { - struct ieee802_1x_kay *kay; - -@@ -3493,7 +3502,7 @@ ieee802_1x_kay_init(struct ieee802_1x_ka - kay->dist_time = 0; - - kay->pn_exhaustion = PENDING_PN_EXHAUSTION; -- kay->macsec_csindex = DEFAULT_CS_INDEX; -+ kay->macsec_csindex = macsec_csindex; - kay->mka_algindex = DEFAULT_MKA_ALG_INDEX; - kay->mka_version = MKA_VERSION_ID; - ---- a/src/pae/ieee802_1x_kay.h -+++ b/src/pae/ieee802_1x_kay.h -@@ -240,7 +240,8 @@ u64 mka_sci_u64(struct ieee802_1x_mka_sc - struct ieee802_1x_kay * - ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy, - bool macsec_replay_protect, u32 macsec_replay_window, -- u16 port, u8 priority, const char *ifname, const u8 *addr); -+ u16 port, u8 priority, u32 macsec_csindex, -+ const char *ifname, const u8 *addr); - void ieee802_1x_kay_deinit(struct ieee802_1x_kay *kay); - - struct ieee802_1x_mka_participant * ---- a/wpa_supplicant/config.c -+++ b/wpa_supplicant/config.c -@@ -2612,6 +2612,7 @@ static const struct parse_data ssid_fiel - { INT(macsec_replay_window) }, - { INT_RANGE(macsec_port, 1, 65534) }, - { INT_RANGE(mka_priority, 0, 255) }, -+ { INT_RANGE(macsec_csindex, 0, 1) }, - { FUNC_KEY(mka_cak) }, - { FUNC_KEY(mka_ckn) }, - #endif /* CONFIG_MACSEC */ ---- a/wpa_supplicant/config_file.c -+++ b/wpa_supplicant/config_file.c -@@ -810,6 +810,7 @@ static void wpa_config_write_network(FIL - INT(macsec_replay_window); - INT(macsec_port); - INT_DEF(mka_priority, DEFAULT_PRIO_NOT_KEY_SERVER); -+ INT(macsec_csindex); - #endif /* CONFIG_MACSEC */ - #ifdef CONFIG_HS20 - INT(update_identifier); ---- a/wpa_supplicant/config_ssid.h -+++ b/wpa_supplicant/config_ssid.h -@@ -912,6 +912,13 @@ struct wpa_ssid { - int mka_priority; - - /** -+ * 
macsec_csindex - Cipher suite index for MACsec -+ * -+ * Range: 0-1 (default: 0) -+ */ -+ int macsec_csindex; -+ -+ /** - * mka_ckn - MKA pre-shared CKN - */ - #define MACSEC_CKN_MAX_LEN 32 ---- a/wpa_supplicant/wpas_kay.c -+++ b/wpa_supplicant/wpas_kay.c -@@ -241,8 +241,8 @@ int ieee802_1x_alloc_kay_sm(struct wpa_s - - res = ieee802_1x_kay_init(kay_ctx, policy, ssid->macsec_replay_protect, - ssid->macsec_replay_window, ssid->macsec_port, -- ssid->mka_priority, wpa_s->ifname, -- wpa_s->own_addr); -+ ssid->mka_priority, ssid->macsec_csindex, -+ wpa_s->ifname, wpa_s->own_addr); - /* ieee802_1x_kay_init() frees kay_ctx on failure */ - if (res == NULL) - return -1; diff --git a/wpa_supplicant-PEAP-client-Update-Phase-2-authentication-requiremen.patch b/wpa_supplicant-PEAP-client-Update-Phase-2-authentication-requiremen.patch deleted file mode 100644 index bf3d8ed..0000000 --- a/wpa_supplicant-PEAP-client-Update-Phase-2-authentication-requiremen.patch +++ /dev/null 
@@ -1,198 +0,0 @@ -From 8e6485a1bcb0baffdea9e55255a81270b768439c Mon Sep 17 00:00:00 2001 -Message-ID: <8e6485a1bcb0baffdea9e55255a81270b768439c.1708356763.git.davide.caratti@gmail.com> -From: Jouni Malinen -Date: Sat, 8 Jul 2023 19:55:32 +0300 -Subject: [PATCH] PEAP client: Update Phase 2 authentication requirements - -The previous PEAP client behavior allowed the server to skip Phase 2 -authentication with the expectation that the server was authenticated -during Phase 1 through TLS server certificate validation. Various PEAP -specifications are not exactly clear on what the behavior on this front -is supposed to be and as such, this ended up being more flexible than -the TTLS/FAST/TEAP cases. However, this is not really ideal when -unfortunately common misconfiguration of PEAP is used in deployed -devices where the server trust root (ca_cert) is not configured or the -user has an easy option for allowing this validation step to be skipped. - -Change the default PEAP client behavior to be to require Phase 2 -authentication to be successfully completed for cases where TLS session -resumption is not used and the client certificate has not been -configured. Those two exceptions are the main cases where a deployed -authentication server might skip Phase 2 and as such, where a more -strict default behavior could result in undesired interoperability -issues. Requiring Phase 2 authentication will end up disabling TLS -session resumption automatically to avoid interoperability issues. 
- -Allow Phase 2 authentication behavior to be configured with a new phase1 -configuration parameter option: -'phase2_auth' option can be used to control Phase 2 (i.e., within TLS -tunnel) behavior for PEAP: - * 0 = do not require Phase 2 authentication - * 1 = require Phase 2 authentication when client certificate - (private_key/client_cert) is no used and TLS session resumption was - not used (default) - * 2 = require Phase 2 authentication in all cases - -Signed-off-by: Jouni Malinen ---- - src/eap_peer/eap_config.h | 8 ++++++ - src/eap_peer/eap_peap.c | 40 +++++++++++++++++++++++++++--- - src/eap_peer/eap_tls_common.c | 6 +++++ - src/eap_peer/eap_tls_common.h | 5 ++++ - wpa_supplicant/wpa_supplicant.conf | 7 ++++++ - 5 files changed, 63 insertions(+), 3 deletions(-) - ---- a/src/eap_peer/eap_config.h -+++ b/src/eap_peer/eap_config.h -@@ -469,6 +469,14 @@ struct eap_peer_config { - * 1 = use cryptobinding if server supports it - * 2 = require cryptobinding - * -+ * phase2_auth option can be used to control Phase 2 (i.e., within TLS -+ * tunnel) behavior for PEAP: -+ * 0 = do not require Phase 2 authentication -+ * 1 = require Phase 2 authentication when client certificate -+ * (private_key/client_cert) is no used and TLS session resumption was -+ * not used (default) -+ * 2 = require Phase 2 authentication in all cases -+ * - * EAP-WSC (WPS) uses following options: pin=Device_Password and - * uuid=Device_UUID - * ---- a/src/eap_peer/eap_peap.c -+++ b/src/eap_peer/eap_peap.c -@@ -67,6 +67,7 @@ struct eap_peap_data { - u8 cmk[20]; - int soh; /* Whether IF-TNCCS-SOH (Statement of Health; Microsoft NAP) - * is enabled. 
*/ -+ enum { NO_AUTH, FOR_INITIAL, ALWAYS } phase2_auth; - }; - - -@@ -114,6 +115,19 @@ static void eap_peap_parse_phase1(struct - wpa_printf(MSG_DEBUG, "EAP-PEAP: Require cryptobinding"); - } - -+ if (os_strstr(phase1, "phase2_auth=0")) { -+ data->phase2_auth = NO_AUTH; -+ wpa_printf(MSG_DEBUG, -+ "EAP-PEAP: Do not require Phase 2 authentication"); -+ } else if (os_strstr(phase1, "phase2_auth=1")) { -+ data->phase2_auth = FOR_INITIAL; -+ wpa_printf(MSG_DEBUG, -+ "EAP-PEAP: Require Phase 2 authentication for initial connection"); -+ } else if (os_strstr(phase1, "phase2_auth=2")) { -+ data->phase2_auth = ALWAYS; -+ wpa_printf(MSG_DEBUG, -+ "EAP-PEAP: Require Phase 2 authentication for all cases"); -+ } - #ifdef EAP_TNC - if (os_strstr(phase1, "tnc=soh2")) { - data->soh = 2; -@@ -142,6 +156,7 @@ static void * eap_peap_init(struct eap_s - data->force_peap_version = -1; - data->peap_outer_success = 2; - data->crypto_binding = OPTIONAL_BINDING; -+ data->phase2_auth = FOR_INITIAL; - - if (config && config->phase1) - eap_peap_parse_phase1(data, config->phase1); -@@ -454,6 +469,20 @@ static int eap_tlv_validate_cryptobindin - } - - -+static bool peap_phase2_sufficient(struct eap_sm *sm, -+ struct eap_peap_data *data) -+{ -+ if ((data->phase2_auth == ALWAYS || -+ (data->phase2_auth == FOR_INITIAL && -+ !tls_connection_resumed(sm->ssl_ctx, data->ssl.conn) && -+ !data->ssl.client_cert_conf) || -+ data->phase2_eap_started) && -+ !data->phase2_eap_success) -+ return false; -+ return true; -+} -+ -+ - /** - * eap_tlv_process - Process a received EAP-TLV message and generate a response - * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init() -@@ -568,6 +597,11 @@ static int eap_tlv_process(struct eap_sm - " - force failed Phase 2"); - resp_status = EAP_TLV_RESULT_FAILURE; - ret->decision = DECISION_FAIL; -+ } else if (!peap_phase2_sufficient(sm, data)) { -+ wpa_printf(MSG_INFO, -+ "EAP-PEAP: Server indicated Phase 2 success, but sufficient Phase 2 authentication 
has not been completed"); -+ resp_status = EAP_TLV_RESULT_FAILURE; -+ ret->decision = DECISION_FAIL; - } else { - resp_status = EAP_TLV_RESULT_SUCCESS; - ret->decision = DECISION_UNCOND_SUCC; -@@ -887,8 +921,7 @@ continue_req: - /* EAP-Success within TLS tunnel is used to indicate - * shutdown of the TLS channel. The authentication has - * been completed. */ -- if (data->phase2_eap_started && -- !data->phase2_eap_success) { -+ if (!peap_phase2_sufficient(sm, data)) { - wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 " - "Success used to indicate success, " - "but Phase 2 EAP was not yet " -@@ -1199,8 +1232,9 @@ static struct wpabuf * eap_peap_process( - static bool eap_peap_has_reauth_data(struct eap_sm *sm, void *priv) - { - struct eap_peap_data *data = priv; -+ - return tls_connection_established(sm->ssl_ctx, data->ssl.conn) && -- data->phase2_success; -+ data->phase2_success && data->phase2_auth != ALWAYS; - } - - ---- a/src/eap_peer/eap_tls_common.c -+++ b/src/eap_peer/eap_tls_common.c -@@ -239,6 +239,12 @@ static int eap_tls_params_from_conf(stru - - sm->ext_cert_check = !!(params->flags & TLS_CONN_EXT_CERT_CHECK); - -+ if (!phase2) -+ data->client_cert_conf = params->client_cert || -+ params->client_cert_blob || -+ params->private_key || -+ params->private_key_blob; -+ - return 0; - } - ---- a/src/eap_peer/eap_tls_common.h -+++ b/src/eap_peer/eap_tls_common.h -@@ -79,6 +79,11 @@ struct eap_ssl_data { - * tls_v13 - Whether TLS v1.3 or newer is used - */ - int tls_v13; -+ -+ /** -+ * client_cert_conf: Whether client certificate has been configured -+ */ -+ bool client_cert_conf; - }; - - ---- a/wpa_supplicant/wpa_supplicant.conf -+++ b/wpa_supplicant/wpa_supplicant.conf -@@ -1330,6 +1330,13 @@ fast_reauth=1 - # * 0 = do not use cryptobinding (default) - # * 1 = use cryptobinding if server supports it - # * 2 = require cryptobinding -+# 'phase2_auth' option can be used to control Phase 2 (i.e., within TLS -+# tunnel) behavior for PEAP: -+# * 0 = do not require Phase 2 
authentication -+# * 1 = require Phase 2 authentication when client certificate -+# (private_key/client_cert) is no used and TLS session resumption was -+# not used (default) -+# * 2 = require Phase 2 authentication in all cases - # EAP-WSC (WPS) uses following options: pin= or - # pbc=1. - # diff --git a/wpa_supplicant-Revert-Mark-authorization-completed-on-driver-indica.patch b/wpa_supplicant-Revert-Mark-authorization-completed-on-driver-indica.patch new file mode 100644 index 0000000..b42cba1 --- /dev/null +++ b/wpa_supplicant-Revert-Mark-authorization-completed-on-driver-indica.patch 
@@ -0,0 +1,50 @@
+From 2514856652f9a393e505d542cb8f039f8bac10f5 Mon Sep 17 00:00:00 2001
+From: Janne Grunau
+Date: Sun, 4 Aug 2024 13:24:42 +0200
+Subject: [PATCH 1/1] Revert "Mark authorization completed on driver indication
+ during 4-way HS offload"
+
+This reverts commit 41638606054a09867fe3f9a2b5523aa4678cbfa5.
+---
+ wpa_supplicant/events.c | 25 ++++++++-----------------
+ 1 file changed, 8 insertions(+), 17 deletions(-)
+
+diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c
+index 46e7cf1ab..7b3ef7205 100644
+--- a/wpa_supplicant/events.c
++++ b/wpa_supplicant/events.c
+@@ -4441,23 +4441,14 @@ static void wpa_supplicant_event_assoc(struct wpa_supplicant *wpa_s,
+ eapol_sm_notify_eap_success(wpa_s->eapol, true);
+ } else if ((wpa_s->drv_flags & WPA_DRIVER_FLAGS_4WAY_HANDSHAKE_PSK) &&
+ wpa_key_mgmt_wpa_psk(wpa_s->key_mgmt)) {
+- if (already_authorized) {
+- /*
+- * We are done; the driver will take care of RSN 4-way
+- * handshake.
+- */
+- wpa_supplicant_cancel_auth_timeout(wpa_s);
+- wpa_supplicant_set_state(wpa_s, WPA_COMPLETED);
+- eapol_sm_notify_portValid(wpa_s->eapol, true);
+- eapol_sm_notify_eap_success(wpa_s->eapol, true);
+- } else {
+- /* Update port, WPA_COMPLETED state from the
+- * EVENT_PORT_AUTHORIZED handler when the driver is done
+- * with the 4-way handshake.
+- */
+- wpa_msg(wpa_s, MSG_DEBUG,
+- "ASSOC INFO: wait for driver port authorized indication");
+- }
++ /*
++ * We are done; the driver will take care of RSN 4-way
++ * handshake.
++ */
++ wpa_supplicant_cancel_auth_timeout(wpa_s);
++ wpa_supplicant_set_state(wpa_s, WPA_COMPLETED);
++ eapol_sm_notify_portValid(wpa_s->eapol, true);
++ eapol_sm_notify_eap_success(wpa_s->eapol, true);
+ } else if ((wpa_s->drv_flags & WPA_DRIVER_FLAGS_4WAY_HANDSHAKE_8021X) &&
+ wpa_key_mgmt_wpa_ieee8021x(wpa_s->key_mgmt)) {
+ /*
+--
+2.45.2
+
diff --git a/wpa_supplicant-assoc-timeout.patch b/wpa_supplicant-assoc-timeout.patch
index c3b3568..5b7b8c0 100644
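Review bot: The new patch's header gives no reason for reverting upstream 41638606054a09867fe3f9a2b5523aa4678cbfa5, even though the reinstated lines `wpa_supplicant_set_state(wpa_s, WPA_COMPLETED);` and `eapol_sm_notify_portValid(wpa_s->eapol, true);` make the supplicant report the port authorized at association time in the PSK 4-way-handshake-offload branch, instead of deferring that to the EVENT_PORT_AUTHORIZED handler that the removed comment points to. Because this is a downstream-only change to a security-relevant state transition, the description should record the motivation and a tracking reference so the revert can be dropped once it is no longer needed, e.g. add after the "This reverts commit …" line: `Downstream revert: <reason — which driver does not deliver a port-authorized indication after an offloaded handshake>; tracked at <issue or upstream thread>`. The diffstat shows this is the patch's only hunk, so if `if (already_authorized)` was the sole use of that variable in wpa_supplicant_event_assoc, the variable may now be unused and warn at build time; worth confirming against the 2.11 source. The enclosing function starts and ends outside the hunk.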
--- a/wpa_supplicant-assoc-timeout.patch +++ b/wpa_supplicant-assoc-timeout.patch @@ -1,7 +1,6 @@ -diff -up wpa_supplicant-0.7.3/wpa_supplicant/wpa_supplicant.c.assoc-timeout wpa_supplicant-0.7.3/wpa_supplicant/wpa_supplicant.c ---- wpa_supplicant-0.7.3/wpa_supplicant/wpa_supplicant.c.assoc-timeout 2010-09-07 10:43:39.000000000 -0500 -+++ wpa_supplicant-0.7.3/wpa_supplicant/wpa_supplicant.c 2010-12-07 18:57:45.163457000 -0600 -@@ -1262,10 +1262,10 @@ void wpa_supplicant_associate(struct wpa +--- a/wpa_supplicant/wpa_supplicant.c ++++ b/wpa_supplicant/wpa_supplicant.c +@@ -4619,10 +4619,10 @@ static void wpas_start_assoc_cb(struct w if (assoc_failed) { /* give IBSS a bit more time */ diff --git a/wpa_supplicant-config.patch b/wpa_supplicant-config.patch index 04d7ab3..93efa55 100644 --- a/wpa_supplicant-config.patch +++ b/wpa_supplicant-config.patch @@ -9,7 +9,7 @@ Subject: [PATCH] defconfig: Fedora configuration --- a/wpa_supplicant/defconfig +++ b/wpa_supplicant/defconfig -@@ -146,7 +146,7 @@ CONFIG_EAP_PAX=y +@@ -149,7 +149,7 @@ CONFIG_EAP_PAX=y CONFIG_EAP_LEAP=y # EAP-AKA (enable CONFIG_PCSC, if EAP-AKA is used) @@ -18,7 +18,7 @@ Subject: [PATCH] defconfig: Fedora configuration # EAP-AKA' (enable CONFIG_PCSC, if EAP-AKA' is used). # This requires CONFIG_EAP_AKA to be enabled, too. -@@ -338,6 +338,7 @@ CONFIG_BACKEND=file +@@ -350,6 +350,7 @@ CONFIG_BACKEND=file # Select which ciphers to use by default with OpenSSL if the user does not # specify them. #CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW" @@ -26,8 +26,8 @@ Subject: [PATCH] defconfig: Fedora configuration # If CONFIG_TLS=internal is used, additional library and include paths are # needed for LibTomMath. Alternatively, an integrated, minimal version of -@@ -390,7 +391,7 @@ CONFIG_CTRL_IFACE_DBUS_INTRO=y - #CONFIG_DYNAMIC_EAP_METHODS=y +@@ -418,7 +419,7 @@ CONFIG_CTRL_IFACE_DBUS_INTRO=y + #CONFIG_NO_LOAD_DYNAMIC_EAP=y # IEEE Std 802.11r-2008 (Fast BSS Transition) for station mode -CONFIG_IEEE80211R=y 
@@ -35,7 +35,7 @@ Subject: [PATCH] defconfig: Fedora configuration # Add support for writing debug log to a file (/tmp/wpa_supplicant-log-#.txt) CONFIG_DEBUG_FILE=y -@@ -469,7 +470,7 @@ CONFIG_DEBUG_SYSLOG=y +@@ -497,7 +498,7 @@ CONFIG_DEBUG_SYSLOG=y # Should we attempt to use the getrandom(2) call that provides more reliable # yet secure randomness source than /dev/random on Linux 3.17 and newer. # Requires glibc 2.25 to build, falls back to /dev/random if unavailable. @@ -44,7 +44,7 @@ Subject: [PATCH] defconfig: Fedora configuration # IEEE 802.11ac (Very High Throughput) support (mainly for AP mode) CONFIG_IEEE80211AC=y -@@ -587,7 +588,7 @@ CONFIG_IBSS_RSN=y +@@ -625,7 +626,7 @@ CONFIG_IBSS_RSN=y #CONFIG_PMKSA_CACHE_EXTERNAL=y # Mesh Networking (IEEE 802.11s) @@ -53,7 +53,7 @@ Subject: [PATCH] defconfig: Fedora configuration # Background scanning modules # These can be used to request wpa_supplicant to perform background scanning -@@ -601,7 +602,7 @@ CONFIG_BGSCAN_SIMPLE=y +@@ -639,7 +640,7 @@ CONFIG_BGSCAN_SIMPLE=y # Opportunistic Wireless Encryption (OWE) # Experimental implementation of draft-harkins-owe-07.txt @@ -62,10 +62,10 @@ Subject: [PATCH] defconfig: Fedora configuration # Device Provisioning Protocol (DPP) (also known as Wi-Fi Easy Connect) CONFIG_DPP=y -@@ -633,3 +634,6 @@ CONFIG_DPP2=y - # design is still subject to change. As such, this should not yet be enabled in - # production use. - #CONFIG_PASN=y +@@ -686,3 +687,6 @@ CONFIG_DPP2=y + + # Wi-Fi Aware unsynchronized service discovery (NAN USD) + #CONFIG_NAN_USD=y +# +CONFIG_SUITEB192=y + diff --git a/wpa_supplicant-gui-qt4.patch b/wpa_supplicant-gui-qt4.patch index 7acca1e..287f530 100644 --- a/wpa_supplicant-gui-qt4.patch +++ b/wpa_supplicant-gui-qt4.patch @@ -11,7 +11,7 @@ different locations. --- a/wpa_supplicant/Makefile 
+++ b/wpa_supplicant/Makefile -@@ -35,6 +35,9 @@ export INCDIR ?= /usr/local/include +@@ -46,6 +46,9 @@ export INCDIR ?= /usr/local/include export BINDIR ?= /usr/local/sbin PKG_CONFIG ?= pkg-config @@ -21,7 +21,7 @@ different locations. CFLAGS += $(EXTRA_CFLAGS) CFLAGS += -I$(abspath ../src) CFLAGS += -I$(abspath ../src/utils) -@@ -2039,10 +2042,10 @@ wpa_gui: +@@ -2156,10 +2159,10 @@ wpa_gui: @echo "wpa_gui has been removed - see wpa_gui-qt4 for replacement" wpa_gui-qt4/Makefile: diff --git a/wpa_supplicant-macsec_linux-Add-support-for-MACsec-hardware-offload.patch b/wpa_supplicant-macsec_linux-Add-support-for-MACsec-hardware-offload.patch deleted file mode 100644 index be32491..0000000 --- a/wpa_supplicant-macsec_linux-Add-support-for-MACsec-hardware-offload.patch +++ /dev/null 
@@ -1,106 +0,0 @@ -From 40c139664439b2576e1506fbca14a7b79425a9dd Mon Sep 17 00:00:00 2001 -Message-ID: <40c139664439b2576e1506fbca14a7b79425a9dd.1706279171.git.davide.caratti@gmail.com> -From: Emeel Hakim -Date: Tue, 14 Feb 2023 10:26:57 +0200 -Subject: [PATCH] macsec_linux: Add support for MACsec hardware offload - -This uses libnl3 to communicate with the macsec module available on -Linux. A recent enough version of libnl is needed for the hardware -offload support. - -Signed-off-by: Emeel Hakim ---- - src/drivers/driver_macsec_linux.c | 49 +++++++++++++++++++++++++++++++ - 1 file changed, 49 insertions(+) - -diff --git a/src/drivers/driver_macsec_linux.c b/src/drivers/driver_macsec_linux.c -index b609bbf38..c79e8733a 100644 ---- a/src/drivers/driver_macsec_linux.c -+++ b/src/drivers/driver_macsec_linux.c -@@ -32,6 +32,10 @@ - - #define UNUSED_SCI 0xffffffffffffffff - -+#if LIBNL_VER_NUM >= LIBNL_VER(3, 6) -+#define LIBNL_HAS_OFFLOAD -+#endif -+ - struct cb_arg { - struct macsec_drv_data *drv; - u32 *pn; -@@ -73,6 +77,11 @@ struct macsec_drv_data { - bool replay_protect; - bool replay_protect_set; - -+#ifdef LIBNL_HAS_OFFLOAD -+ enum macsec_offload offload; -+ bool offload_set; -+#endif /* LIBNL_HAS_OFFLOAD */ -+ - u32 replay_window; - - u8 encoding_sa; -@@ -228,6 +237,15 @@ static int try_commit(struct macsec_drv_data *drv) - drv->replay_window); - } - -+#ifdef LIBNL_HAS_OFFLOAD -+ if (drv->offload_set) { -+ wpa_printf(MSG_DEBUG, DRV_PREFIX -+ "%s: try_commit offload=%d", -+ drv->ifname, drv->offload); -+ rtnl_link_macsec_set_offload(drv->link, drv->offload); -+ } -+#endif /* LIBNL_HAS_OFFLOAD */ -+ - if (drv->encoding_sa_set) { - wpa_printf(MSG_DEBUG, DRV_PREFIX - "%s: try_commit encoding_sa=%d", -@@ -455,6 +473,36 @@ static int macsec_drv_set_replay_protect(void *priv, bool enabled, - } - - -+/** -+ * macsec_drv_set_offload - Set offload status -+ * @priv: Private driver interface data -+ * @offload: 0 = MACSEC_OFFLOAD_OFF -+ * 1 = MACSEC_OFFLOAD_PHY -+ * 2 = 
MACSEC_OFFLOAD_MAC -+ * Returns: 0 on success, -1 on failure (or if not supported) -+ */ -+static int macsec_drv_set_offload(void *priv, u8 offload) -+{ -+#ifdef LIBNL_HAS_OFFLOAD -+ struct macsec_drv_data *drv = priv; -+ -+ wpa_printf(MSG_DEBUG, "%s -> %02" PRIx8, __func__, offload); -+ -+ drv->offload_set = true; -+ drv->offload = offload; -+ -+ return try_commit(drv); -+#else /* LIBNL_HAS_OFFLOAD */ -+ if (offload == 0) -+ return 0; -+ wpa_printf(MSG_INFO, -+ "%s: libnl version does not include support for MACsec offload", -+ __func__); -+ return -1; -+#endif /* LIBNL_HAS_OFFLOAD */ -+} -+ -+ - /** - * macsec_drv_set_current_cipher_suite - Set current cipher suite - * @priv: Private driver interface data -@@ -1648,6 +1696,7 @@ const struct wpa_driver_ops wpa_driver_macsec_linux_ops = { - .enable_protect_frames = macsec_drv_enable_protect_frames, - .enable_encrypt = macsec_drv_enable_encrypt, - .set_replay_protect = macsec_drv_set_replay_protect, -+ .set_offload = macsec_drv_set_offload, - .set_current_cipher_suite = macsec_drv_set_current_cipher_suite, - .enable_controlled_port = macsec_drv_enable_controlled_port, - .get_receive_lowest_pn = macsec_drv_get_receive_lowest_pn, --- -2.43.0 - diff --git a/wpa_supplicant-macsec_linux-Support-cipher-suite-configuration.patch b/wpa_supplicant-macsec_linux-Support-cipher-suite-configuration.patch deleted file mode 100644 index eef0aa9..0000000 --- a/wpa_supplicant-macsec_linux-Support-cipher-suite-configuration.patch +++ /dev/null 
@@ -1,93 +0,0 @@ -From 7e941e7a1560699a18c5890cb6e1309161bc01af Mon Sep 17 00:00:00 2001 -Message-ID: <7e941e7a1560699a18c5890cb6e1309161bc01af.1706279136.git.davide.caratti@gmail.com> -From: leiwei -Date: Mon, 15 Nov 2021 18:43:33 +0800 -Subject: [PATCH] macsec_linux: Support cipher suite configuration - -Set the cipher suite for the link. Unlike the other parameters, this -needs to be done with the first rtnl_link_add() call (NLM_F_CREATE)) -instead of the update in try_commit() since the kernel is rejecting -changes to the cipher suite after the link is first added. - -Signed-off-by: leiwei ---- - src/drivers/driver_macsec_linux.c | 25 ++++++++++++++++++++++--- - 1 file changed, 22 insertions(+), 3 deletions(-) - ---- a/src/drivers/driver_macsec_linux.c -+++ b/src/drivers/driver_macsec_linux.c -@@ -77,6 +77,9 @@ struct macsec_drv_data { - - u8 encoding_sa; - bool encoding_sa_set; -+ -+ u64 cipher_suite; -+ bool cipher_suite_set; - }; - - -@@ -460,8 +463,14 @@ static int macsec_drv_set_replay_protect - */ - static int macsec_drv_set_current_cipher_suite(void *priv, u64 cs) - { -+ struct macsec_drv_data *drv = priv; -+ - wpa_printf(MSG_DEBUG, "%s -> %016" PRIx64, __func__, cs); -- return 0; -+ -+ drv->cipher_suite_set = true; -+ drv->cipher_suite = cs; -+ -+ return try_commit(drv); - } - - -@@ -1063,7 +1072,8 @@ static int macsec_drv_disable_receive_sa - } - - --static struct rtnl_link * lookup_sc(struct nl_cache *cache, int parent, u64 sci) -+static struct rtnl_link * lookup_sc(struct nl_cache *cache, int parent, u64 sci, -+ u64 cs) - { - struct rtnl_link *needle; - void *match; -@@ -1074,6 +1084,8 @@ static struct rtnl_link * lookup_sc(stru - - rtnl_link_set_link(needle, parent); - rtnl_link_macsec_set_sci(needle, sci); -+ if (cs) -+ rtnl_link_macsec_set_cipher_suite(needle, cs); - - match = nl_cache_find(cache, (struct nl_object *) needle); - rtnl_link_put(needle); -@@ -1098,6 +1110,7 @@ static int macsec_drv_create_transmit_sc - char *ifname; - u64 sci; - int 
err; -+ u64 cs = 0; - - wpa_printf(MSG_DEBUG, DRV_PREFIX - "%s: create_transmit_sc -> " SCISTR " (conf_offset=%d)", -@@ -1122,6 +1135,12 @@ static int macsec_drv_create_transmit_sc - - drv->created_link = true; - -+ if (drv->cipher_suite_set) { -+ cs = drv->cipher_suite; -+ drv->cipher_suite_set = false; -+ rtnl_link_macsec_set_cipher_suite(link, cs); -+ } -+ - err = rtnl_link_add(drv->sk, link, NLM_F_CREATE); - if (err == -NLE_BUSY) { - wpa_printf(MSG_INFO, -@@ -1137,7 +1156,7 @@ static int macsec_drv_create_transmit_sc - rtnl_link_put(link); - - nl_cache_refill(drv->sk, drv->link_cache); -- link = lookup_sc(drv->link_cache, drv->parent_ifi, sci); -+ link = lookup_sc(drv->link_cache, drv->parent_ifi, sci, cs); - if (!link) { - wpa_printf(MSG_ERROR, DRV_PREFIX "couldn't find link"); - return -1; diff --git a/wpa_supplicant-mka-Allow-configuration-of-MACsec-hardware-offload.patch b/wpa_supplicant-mka-Allow-configuration-of-MACsec-hardware-offload.patch deleted file mode 100644 index 5755cd8..0000000 --- a/wpa_supplicant-mka-Allow-configuration-of-MACsec-hardware-offload.patch +++ /dev/null 
@@ -1,363 +0,0 @@ -From 6d24673ab89d9002990ee51e7c87d308ca07cd01 Mon Sep 17 00:00:00 2001 -Message-ID: <6d24673ab89d9002990ee51e7c87d308ca07cd01.1706279162.git.davide.caratti@gmail.com> -From: Emeel Hakim -Date: Tue, 14 Feb 2023 10:26:56 +0200 -Subject: [PATCH] mka: Allow configuration of MACsec hardware offload - -Add new configuration parameter macsec_offload to allow user to set up -MACsec hardware offload feature. - -Signed-off-by: Emeel Hakim ---- - hostapd/config_file.c | 10 ++++++++++ - hostapd/hostapd.conf | 8 ++++++++ - src/ap/ap_config.h | 13 +++++++++++++ - src/ap/wpa_auth_kay.c | 1 + - src/drivers/driver.h | 10 ++++++++++ - src/pae/ieee802_1x_cp.c | 7 +++++++ - src/pae/ieee802_1x_kay.c | 7 +++++-- - src/pae/ieee802_1x_kay.h | 6 ++++-- - src/pae/ieee802_1x_secy_ops.c | 20 ++++++++++++++++++++ - src/pae/ieee802_1x_secy_ops.h | 1 + - wpa_supplicant/config.c | 1 + - wpa_supplicant/config_file.c | 1 + - wpa_supplicant/config_ssid.h | 12 ++++++++++++ - wpa_supplicant/driver_i.h | 8 ++++++++ - wpa_supplicant/wpa_cli.c | 1 + - wpa_supplicant/wpa_supplicant.conf | 9 +++++++++ - wpa_supplicant/wpas_kay.c | 10 +++++++++- - 17 files changed, 120 insertions(+), 5 deletions(-) - ---- a/src/ap/ap_config.h -+++ b/src/ap/ap_config.h -@@ -833,6 +833,19 @@ struct hostapd_bss_config { - u32 macsec_replay_window; - - /** -+ * macsec_offload - Enable MACsec offload -+ * -+ * This setting applies only when MACsec is in use, i.e., -+ * - macsec_policy is enabled -+ * - the key server has decided to enable MACsec -+ * -+ * 0 = MACSEC_OFFLOAD_OFF (default) -+ * 1 = MACSEC_OFFLOAD_PHY -+ * 2 = MACSEC_OFFLOAD_MAC -+ */ -+ int macsec_offload; -+ -+ /** - * macsec_port - MACsec port (in SCI) - * - * Port component of the SCI. 
---- a/src/ap/wpa_auth_kay.c -+++ b/src/ap/wpa_auth_kay.c -@@ -328,6 +328,7 @@ int ieee802_1x_alloc_kay_sm_hapd(struct - res = ieee802_1x_kay_init(kay_ctx, policy, - hapd->conf->macsec_replay_protect, - hapd->conf->macsec_replay_window, -+ hapd->conf->macsec_offload, - hapd->conf->macsec_port, - hapd->conf->mka_priority, - hapd->conf->macsec_csindex, ---- a/src/drivers/driver.h -+++ b/src/drivers/driver.h -@@ -4168,6 +4168,16 @@ struct wpa_driver_ops { - int (*set_replay_protect)(void *priv, bool enabled, u32 window); - - /** -+ * set_offload - Set MACsec hardware offload -+ * @priv: Private driver interface data -+ * @offload: 0 = MACSEC_OFFLOAD_OFF -+ * 1 = MACSEC_OFFLOAD_PHY -+ * 2 = MACSEC_OFFLOAD_MAC -+ * Returns: 0 on success, -1 on failure (or if not supported) -+ */ -+ int (*set_offload)(void *priv, u8 offload); -+ -+ /** - * set_current_cipher_suite - Set current cipher suite - * @priv: Private driver interface data - * @cs: EUI64 identifier ---- a/src/pae/ieee802_1x_cp.c -+++ b/src/pae/ieee802_1x_cp.c -@@ -84,6 +84,7 @@ struct ieee802_1x_cp_sm { - - /* not defined IEEE Std 802.1X-2010 */ - struct ieee802_1x_kay *kay; -+ u8 offload; - }; - - static void ieee802_1x_cp_retire_when_timeout(void *eloop_ctx, -@@ -188,6 +189,7 @@ SM_STATE(CP, AUTHENTICATED) - sm->protect_frames = false; - sm->replay_protect = false; - sm->validate_frames = Checked; -+ sm->offload = sm->kay->macsec_offload; - - sm->port_valid = false; - sm->controlled_port_enabled = true; -@@ -197,6 +199,7 @@ SM_STATE(CP, AUTHENTICATED) - secy_cp_control_encrypt(sm->kay, sm->kay->macsec_encrypt); - secy_cp_control_validate_frames(sm->kay, sm->validate_frames); - secy_cp_control_replay(sm->kay, sm->replay_protect, sm->replay_window); -+ secy_cp_control_offload(sm->kay, sm->offload); - } - - -@@ -208,6 +211,7 @@ SM_STATE(CP, SECURED) - - sm->protect_frames = sm->kay->macsec_protect; - sm->replay_protect = sm->kay->macsec_replay_protect; -+ sm->offload = sm->kay->macsec_offload; - 
sm->validate_frames = sm->kay->macsec_validate; - - sm->current_cipher_suite = sm->cipher_suite; -@@ -223,6 +227,7 @@ SM_STATE(CP, SECURED) - secy_cp_control_encrypt(sm->kay, sm->kay->macsec_encrypt); - secy_cp_control_validate_frames(sm->kay, sm->validate_frames); - secy_cp_control_replay(sm->kay, sm->replay_protect, sm->replay_window); -+ secy_cp_control_offload(sm->kay, sm->offload); - } - - -@@ -462,6 +467,7 @@ struct ieee802_1x_cp_sm * ieee802_1x_cp_ - sm->validate_frames = kay->macsec_validate; - sm->replay_protect = kay->macsec_replay_protect; - sm->replay_window = kay->macsec_replay_window; -+ sm->offload = kay->macsec_offload; - - sm->controlled_port_enabled = false; - -@@ -491,6 +497,7 @@ struct ieee802_1x_cp_sm * ieee802_1x_cp_ - secy_cp_control_confidentiality_offset(sm->kay, - sm->confidentiality_offset); - secy_cp_control_current_cipher_suite(sm->kay, sm->current_cipher_suite); -+ secy_cp_control_offload(sm->kay, sm->offload); - - SM_STEP_RUN(CP); - ---- a/src/pae/ieee802_1x_kay.c -+++ b/src/pae/ieee802_1x_kay.c -@@ -3464,8 +3464,8 @@ static void kay_l2_receive(void *ctx, co - struct ieee802_1x_kay * - ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy, - bool macsec_replay_protect, u32 macsec_replay_window, -- u16 port, u8 priority, u32 macsec_csindex, -- const char *ifname, const u8 *addr) -+ u8 macsec_offload, u16 port, u8 priority, -+ u32 macsec_csindex, const char *ifname, const u8 *addr) - { - struct ieee802_1x_kay *kay; - -@@ -3524,6 +3524,7 @@ ieee802_1x_kay_init(struct ieee802_1x_ka - kay->macsec_validate = Disabled; - kay->macsec_replay_protect = false; - kay->macsec_replay_window = 0; -+ kay->macsec_offload = 0; - kay->macsec_confidentiality = CONFIDENTIALITY_NONE; - kay->mka_hello_time = MKA_HELLO_TIME; - } else { -@@ -3540,6 +3541,7 @@ ieee802_1x_kay_init(struct ieee802_1x_ka - kay->macsec_validate = Strict; - kay->macsec_replay_protect = macsec_replay_protect; - kay->macsec_replay_window = macsec_replay_window; 
-+ kay->macsec_offload = macsec_offload; - kay->mka_hello_time = MKA_HELLO_TIME; - } - -@@ -3740,6 +3742,7 @@ ieee802_1x_kay_create_mka(struct ieee802 - secy_cp_control_protect_frames(kay, kay->macsec_protect); - secy_cp_control_replay(kay, kay->macsec_replay_protect, - kay->macsec_replay_window); -+ secy_cp_control_offload(kay, kay->macsec_offload); - if (secy_create_transmit_sc(kay, participant->txsc)) - goto fail; - ---- a/src/pae/ieee802_1x_kay.h -+++ b/src/pae/ieee802_1x_kay.h -@@ -166,6 +166,7 @@ struct ieee802_1x_kay_ctx { - int (*delete_transmit_sa)(void *ctx, struct transmit_sa *sa); - int (*enable_transmit_sa)(void *ctx, struct transmit_sa *sa); - int (*disable_transmit_sa)(void *ctx, struct transmit_sa *sa); -+ int (*set_offload)(void *ctx, u8 offload); - }; - - struct ieee802_1x_kay { -@@ -206,6 +207,7 @@ struct ieee802_1x_kay { - bool is_key_server; - bool is_obliged_key_server; - char if_name[IFNAMSIZ]; -+ u8 macsec_offload; - - unsigned int macsec_csindex; /* MACsec cipher suite table index */ - int mka_algindex; /* MKA alg table index */ -@@ -240,8 +242,8 @@ u64 mka_sci_u64(struct ieee802_1x_mka_sc - struct ieee802_1x_kay * - ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy, - bool macsec_replay_protect, u32 macsec_replay_window, -- u16 port, u8 priority, u32 macsec_csindex, -- const char *ifname, const u8 *addr); -+ u8 macsec_offload, u16 port, u8 priority, -+ u32 macsec_csindex, const char *ifname, const u8 *addr); - void ieee802_1x_kay_deinit(struct ieee802_1x_kay *kay); - - struct ieee802_1x_mka_participant * ---- a/src/pae/ieee802_1x_secy_ops.c -+++ b/src/pae/ieee802_1x_secy_ops.c -@@ -85,6 +85,26 @@ int secy_cp_control_replay(struct ieee80 - } - - -+int secy_cp_control_offload(struct ieee802_1x_kay *kay, u8 offload) -+{ -+ struct ieee802_1x_kay_ctx *ops; -+ -+ if (!kay) { -+ wpa_printf(MSG_ERROR, "KaY: %s params invalid", __func__); -+ return -1; -+ } -+ -+ ops = kay->ctx; -+ if (!ops || !ops->set_offload) { -+ 
wpa_printf(MSG_ERROR, -+ "KaY: secy set_offload operation not supported"); -+ return -1; -+ } -+ -+ return ops->set_offload(ops->ctx, offload); -+} -+ -+ - int secy_cp_control_current_cipher_suite(struct ieee802_1x_kay *kay, u64 cs) - { - struct ieee802_1x_kay_ctx *ops; ---- a/src/pae/ieee802_1x_secy_ops.h -+++ b/src/pae/ieee802_1x_secy_ops.h -@@ -23,6 +23,7 @@ int secy_cp_control_validate_frames(stru - int secy_cp_control_protect_frames(struct ieee802_1x_kay *kay, bool flag); - int secy_cp_control_encrypt(struct ieee802_1x_kay *kay, bool enabled); - int secy_cp_control_replay(struct ieee802_1x_kay *kay, bool flag, u32 win); -+int secy_cp_control_offload(struct ieee802_1x_kay *kay, u8 offload); - int secy_cp_control_current_cipher_suite(struct ieee802_1x_kay *kay, u64 cs); - int secy_cp_control_confidentiality_offset(struct ieee802_1x_kay *kay, - enum confidentiality_offset co); ---- a/wpa_supplicant/config.c -+++ b/wpa_supplicant/config.c -@@ -2610,6 +2610,7 @@ static const struct parse_data ssid_fiel - { INT_RANGE(macsec_integ_only, 0, 1) }, - { INT_RANGE(macsec_replay_protect, 0, 1) }, - { INT(macsec_replay_window) }, -+ { INT_RANGE(macsec_offload, 0, 2) }, - { INT_RANGE(macsec_port, 1, 65534) }, - { INT_RANGE(mka_priority, 0, 255) }, - { INT_RANGE(macsec_csindex, 0, 1) }, ---- a/wpa_supplicant/config_file.c -+++ b/wpa_supplicant/config_file.c -@@ -808,6 +808,7 @@ static void wpa_config_write_network(FIL - INT(macsec_integ_only); - INT(macsec_replay_protect); - INT(macsec_replay_window); -+ INT(macsec_offload); - INT(macsec_port); - INT_DEF(mka_priority, DEFAULT_PRIO_NOT_KEY_SERVER); - INT(macsec_csindex); ---- a/wpa_supplicant/config_ssid.h -+++ b/wpa_supplicant/config_ssid.h -@@ -896,6 +896,18 @@ struct wpa_ssid { - u32 macsec_replay_window; - - /** -+ * macsec_offload - Enable MACsec hardware offload -+ * -+ * This setting applies only when MACsec is in use, i.e., -+ * - the key server has decided to enable MACsec -+ * -+ * 0 = MACSEC_OFFLOAD_OFF (default) -+ 
* 1 = MACSEC_OFFLOAD_PHY -+ * 2 = MACSEC_OFFLOAD_MAC -+ */ -+ int macsec_offload; -+ -+ /** - * macsec_port - MACsec port (in SCI) - * - * Port component of the SCI. ---- a/wpa_supplicant/driver_i.h -+++ b/wpa_supplicant/driver_i.h -@@ -804,6 +804,14 @@ static inline int wpa_drv_set_replay_pro - window); - } - -+static inline int wpa_drv_set_offload(struct wpa_supplicant *wpa_s, u8 offload) -+{ -+ if (!wpa_s->driver->set_offload) -+ return -1; -+ return wpa_s->driver->set_offload(wpa_s->drv_priv, offload); -+ -+} -+ - static inline int wpa_drv_set_current_cipher_suite(struct wpa_supplicant *wpa_s, - u64 cs) - { ---- a/wpa_supplicant/wpa_cli.c -+++ b/wpa_supplicant/wpa_cli.c -@@ -1473,6 +1473,7 @@ static const char *network_fields[] = { - "macsec_integ_only", - "macsec_replay_protect", - "macsec_replay_window", -+ "macsec_offload", - "macsec_port", - "mka_priority", - #endif /* CONFIG_MACSEC */ ---- a/wpa_supplicant/wpa_supplicant.conf -+++ b/wpa_supplicant/wpa_supplicant.conf -@@ -1094,6 +1094,15 @@ fast_reauth=1 - # 0: No replay window, strict check (default) - # 1..2^32-1: number of packets that could be misordered - # -+# macsec_offload - Enable MACsec hardware offload -+# -+# This setting applies only when MACsec is in use, i.e., -+# - the key server has decided to enable MACsec -+# -+# 0 = MACSEC_OFFLOAD_OFF (default) -+# 1 = MACSEC_OFFLOAD_PHY -+# 2 = MACSEC_OFFLOAD_MAC -+# - # macsec_port: IEEE 802.1X/MACsec port - # Port component of the SCI - # Range: 1-65534 (default: 1) ---- a/wpa_supplicant/wpas_kay.c -+++ b/wpa_supplicant/wpas_kay.c -@@ -98,6 +98,12 @@ static int wpas_set_receive_lowest_pn(vo - } - - -+static int wpas_set_offload(void *wpa_s, u8 offload) -+{ -+ return wpa_drv_set_offload(wpa_s, offload); -+} -+ -+ - static unsigned int conf_offset_val(enum confidentiality_offset co) - { - switch (co) { -@@ -220,6 +226,7 @@ int ieee802_1x_alloc_kay_sm(struct wpa_s - kay_ctx->enable_protect_frames = wpas_enable_protect_frames; - kay_ctx->enable_encrypt = 
wpas_enable_encrypt; - kay_ctx->set_replay_protect = wpas_set_replay_protect; -+ kay_ctx->set_offload = wpas_set_offload; - kay_ctx->set_current_cipher_suite = wpas_set_current_cipher_suite; - kay_ctx->enable_controlled_port = wpas_enable_controlled_port; - kay_ctx->get_receive_lowest_pn = wpas_get_receive_lowest_pn; -@@ -240,7 +247,8 @@ int ieee802_1x_alloc_kay_sm(struct wpa_s - kay_ctx->disable_transmit_sa = wpas_disable_transmit_sa; - - res = ieee802_1x_kay_init(kay_ctx, policy, ssid->macsec_replay_protect, -- ssid->macsec_replay_window, ssid->macsec_port, -+ ssid->macsec_replay_window, -+ ssid->macsec_offload, ssid->macsec_port, - ssid->mka_priority, ssid->macsec_csindex, - wpa_s->ifname, wpa_s->own_addr); - /* ieee802_1x_kay_init() frees kay_ctx on failure */ diff --git a/wpa_supplicant-quiet-scan-results-message.patch b/wpa_supplicant-quiet-scan-results-message.patch index c646a30..94d0b61 100644 --- a/wpa_supplicant-quiet-scan-results-message.patch +++ b/wpa_supplicant-quiet-scan-results-message.patch @@ -7,11 +7,9 @@ Subject: [PATCH 1/2] quiet an annoying and frequent syslog message wpa_supplicant/events.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) -diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c -index abe3b47..72a0412 100644 --- a/wpa_supplicant/events.c +++ b/wpa_supplicant/events.c -@@ -1555,11 +1555,11 @@ static int _wpa_supplicant_event_scan_results(struct wpa_supplicant *wpa_s, +@@ -2504,11 +2504,11 @@ static int _wpa_supplicant_event_scan_re if (wpa_s->last_scan_req == MANUAL_SCAN_REQ && wpa_s->manual_scan_use_id && wpa_s->own_scan_running && own_request && !(data && data->scan_info.external_scan)) { @@ -25,6 +23,3 @@ index abe3b47..72a0412 100644 } wpas_notify_scan_results(wpa_s); --- -2.9.3 - diff --git a/wpa_supplicant.spec b/wpa_supplicant.spec index 20d15e4..1ed377a 100644 --- a/wpa_supplicant.spec +++ b/wpa_supplicant.spec 
@@ -8,8 +8,8 @@ Summary: WPA/WPA2/IEEE 802.1X Supplicant Name: wpa_supplicant Epoch: 1 -Version: 2.10 -Release: 5%{?dist} +Version: 2.11 +Release: 1%{?dist} License: BSD Source0: http://w1.fi/releases/%{name}-%{version}.tar.gz Source1: wpa_supplicant.conf @@ -29,19 +29,8 @@ Patch2: wpa_supplicant-flush-debug-output.patch Patch3: wpa_supplicant-quiet-scan-results-message.patch # distro specific customization for Qt4 build tools, not suitable for upstream Patch4: wpa_supplicant-gui-qt4.patch -# backport fix for bz2063730 -Patch5: 0001-D-Bus-Add-wep_disabled-capability.patch -# backport fix for bz2077973 -Patch6: 0001-EAP-peer-Workaround-for-servers-that-do-not-support-.patch -Patch7: 0001-EAP-peer-status-notification-for-server-not-supporti.patch -# support macsec HW offload -Patch8: wpa_supplicant-MACsec-Support-GCM-AES-256-cipher-suite.patch -Patch9: wpa_supplicant-macsec_linux-Support-cipher-suite-configuration.patch -Patch10: wpa_supplicant-mka-Allow-configuration-of-MACsec-hardware-offload.patch -Patch11: wpa_supplicant-macsec_linux-Add-support-for-MACsec-hardware-offload.patch - -# fix PEAP client to require successful Phase2 authentication when needed (CVE-2023-52160) -Patch12: wpa_supplicant-PEAP-client-Update-Phase-2-authentication-requiremen.patch +# backport fix for a regression introduced with upstream version 2.11 +Patch5: wpa_supplicant-Revert-Mark-authorization-completed-on-driver-indica.patch URL: http://w1.fi/wpa_supplicant/ @@ -202,6 +191,10 @@ chmod -R 0644 wpa_supplicant/examples/*.py %changelog +* Thu Nov 28 2024 Davide Caratti - 1:2.11-1 +- Update to upstream version 2.11 (plus a follow-up backport) + Resolves: RHEL-10237, RHEL-58725 + * Thu Feb 22 2024 Davide Caratti - 1:2.10-5 - Support macsec HW offload. Resolves: RHEL-22440
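Review bot: The `@@ -29,19 +29,8 @@` hunk removes Patch12, the PEAP client Phase 2 authentication backport whose comment was the only place the spec named CVE-2023-52160, without recording that the 2.11 tarball already contains that fix; someone auditing this package for the CVE now has to diff the upstream source to be sure the fix was not dropped by accident. The same silent removal applies to the wep_disabled D-Bus capability and the MACsec offload backports, which the deleted patch headers describe NetworkManager and MACsec users as relying on. Keep the audit trail in the spec, e.g. `# Patch5..Patch12 of 2.10-5 (incl. CVE-2023-52160 PEAP fix, wep_disabled, MACsec offload) are in upstream 2.11`. The new `# backport fix for a regression introduced with upstream version 2.11` comment should also name what it reverts and which tracker it resolves, e.g. `# revert upstream 41638606054a "Mark authorization completed on driver indication during 4-way HS offload" (2.11 regression)` followed by the relevant RHEL tracker from the changelog entry.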