* [OE-core][master][scarthgap][PATCH] wpa-supplicant: Upgrade 2.10 -> 2.11
From: Siddharth @ 2024-08-22 16:17 UTC (permalink / raw)
To: openembedded-core; +Cc: Siddharth Doshi
From: Siddharth Doshi <sdoshi@mvista.com>
License-Update:
===============
- README: Change in copyright years as per https://w1.fi/cgit/hostap/commit/README?id=d945ddd368085f255e68328f2d3b020ceea359af
- wpa_supplicant/wpa_supplicant.c: Change in copyright years as per https://w1.fi/cgit/hostap/commit/wpa_supplicant/wpa_supplicant.c?id=d945ddd368085f255e68328f2d3b020ceea359af
CVEs Fixed:
===========
- CVE-2024-5290 wpa_supplicant: wpa_supplicant loading arbitrary shared objects allowing privilege escalation
- CVE-2023-52160 wpa_supplicant: potential authorization bypass
Changes between 2.10 -> 2.11:
============================
https://w1.fi/cgit/hostap/commit/wpa_supplicant/ChangeLog?id=d945ddd368085f255e68328f2d3b020ceea359af
Note:
=====
Patches
0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch,
0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch,
0001-Install-wpa_passphrase-when-not-disabled.patch,
0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch (CVE-2023-52160)
are already fixed and have hence been removed.
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
---
...all-wpa_passphrase-when-not-disabled.patch | 33 ---
...te-Phase-2-authentication-requiremen.patch | 213 ------------------
...options-for-libwpa_client.so-and-wpa.patch | 73 ------
...oval-of-wpa_passphrase-on-make-clean.patch | 26 ---
...plicant_2.10.bb => wpa-supplicant_2.11.bb} | 10 +-
5 files changed, 3 insertions(+), 352 deletions(-)
delete mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-Install-wpa_passphrase-when-not-disabled.patch
delete mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch
delete mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch
delete mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch
rename meta/recipes-connectivity/wpa-supplicant/{wpa-supplicant_2.10.bb => wpa-supplicant_2.11.bb} (90%)
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-Install-wpa_passphrase-when-not-disabled.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-Install-wpa_passphrase-when-not-disabled.patch
deleted file mode 100644
index c04c608bde..0000000000
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-Install-wpa_passphrase-when-not-disabled.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 57b12a1e43605f71239a21488cb9b541f0751dda Mon Sep 17 00:00:00 2001
-From: Alex Kiernan <alexk@zuma.ai>
-Date: Thu, 21 Apr 2022 10:15:29 +0100
-Subject: [PATCH] Install wpa_passphrase when not disabled
-
-As part of fixing CONFIG_NO_WPA_PASSPHRASE, whilst wpa_passphrase gets
-built, its not installed during `make install`.
-
-Fixes: cb41c214b78d ("build: Re-enable options for libwpa_client.so and wpa_passphrase")
-Signed-off-by: Alex Kiernan <alexk@zuma.ai>
-Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
-Upstream-Status: Submitted [http://lists.infradead.org/pipermail/hostap/2022-April/040448.html]
----
- wpa_supplicant/Makefile | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
-index 0bab313f2355..12787c0c7d0f 100644
---- a/wpa_supplicant/Makefile
-+++ b/wpa_supplicant/Makefile
-@@ -73,6 +73,9 @@ $(DESTDIR)$(BINDIR)/%: %
-
- install: $(addprefix $(DESTDIR)$(BINDIR)/,$(BINALL))
- $(MAKE) -C ../src install
-+ifndef CONFIG_NO_WPA_PASSPHRASE
-+ install -D wpa_passphrase $(DESTDIR)/$(BINDIR)/wpa_passphrase
-+endif
- ifdef CONFIG_BUILD_WPA_CLIENT_SO
- install -m 0644 -D libwpa_client.so $(DESTDIR)/$(LIBDIR)/libwpa_client.so
- install -m 0644 -D ../src/common/wpa_ctrl.h $(DESTDIR)/$(INCDIR)/wpa_ctrl.h
---
-2.35.1
-
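Review bot: the patch being dropped here carries Upstream-Status: Submitted (pointing at the April 2022 hostap list thread), not Backport, so the cover message's "already fixed" claim for 0001-Install-wpa_passphrase-when-not-disabled.patch is not self-evident from this hunk; please cite in the recipe commit message the upstream hostap commit that added the `install -D wpa_passphrase` rule to wpa_supplicant/Makefile, so a scarthgap maintainer can verify that the 2.11 tarball installs wpa_passphrase without this patch.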
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch
deleted file mode 100644
index 620560d3c7..0000000000
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch
+++ /dev/null
@@ -1,213 +0,0 @@
-From f6f7cead3661ceeef54b21f7e799c0afc98537ec Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Sat, 8 Jul 2023 19:55:32 +0300
-Subject: [PATCH] PEAP client: Update Phase 2 authentication requirements
-
-The previous PEAP client behavior allowed the server to skip Phase 2
-authentication with the expectation that the server was authenticated
-during Phase 1 through TLS server certificate validation. Various PEAP
-specifications are not exactly clear on what the behavior on this front
-is supposed to be and as such, this ended up being more flexible than
-the TTLS/FAST/TEAP cases. However, this is not really ideal when
-unfortunately common misconfiguration of PEAP is used in deployed
-devices where the server trust root (ca_cert) is not configured or the
-user has an easy option for allowing this validation step to be skipped.
-
-Change the default PEAP client behavior to be to require Phase 2
-authentication to be successfully completed for cases where TLS session
-resumption is not used and the client certificate has not been
-configured. Those two exceptions are the main cases where a deployed
-authentication server might skip Phase 2 and as such, where a more
-strict default behavior could result in undesired interoperability
-issues. Requiring Phase 2 authentication will end up disabling TLS
-session resumption automatically to avoid interoperability issues.
-
-Allow Phase 2 authentication behavior to be configured with a new phase1
-configuration parameter option:
-'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
-tunnel) behavior for PEAP:
- * 0 = do not require Phase 2 authentication
- * 1 = require Phase 2 authentication when client certificate
- (private_key/client_cert) is no used and TLS session resumption was
- not used (default)
- * 2 = require Phase 2 authentication in all cases
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
-
-CVE: CVE-2023-52160
-Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=8e6485a1bcb0baffdea9e55255a81270b768439c]
-
-Signed-off-by: Claus Stovgaard <claus.stovgaard@gmail.com>
-
----
- src/eap_peer/eap_config.h | 8 ++++++
- src/eap_peer/eap_peap.c | 40 +++++++++++++++++++++++++++---
- src/eap_peer/eap_tls_common.c | 6 +++++
- src/eap_peer/eap_tls_common.h | 5 ++++
- wpa_supplicant/wpa_supplicant.conf | 7 ++++++
- 5 files changed, 63 insertions(+), 3 deletions(-)
-
-diff --git a/src/eap_peer/eap_config.h b/src/eap_peer/eap_config.h
-index 3238f74..047eec2 100644
---- a/src/eap_peer/eap_config.h
-+++ b/src/eap_peer/eap_config.h
-@@ -469,6 +469,14 @@ struct eap_peer_config {
- * 1 = use cryptobinding if server supports it
- * 2 = require cryptobinding
- *
-+ * phase2_auth option can be used to control Phase 2 (i.e., within TLS
-+ * tunnel) behavior for PEAP:
-+ * 0 = do not require Phase 2 authentication
-+ * 1 = require Phase 2 authentication when client certificate
-+ * (private_key/client_cert) is no used and TLS session resumption was
-+ * not used (default)
-+ * 2 = require Phase 2 authentication in all cases
-+ *
- * EAP-WSC (WPS) uses following options: pin=Device_Password and
- * uuid=Device_UUID
- *
-diff --git a/src/eap_peer/eap_peap.c b/src/eap_peer/eap_peap.c
-index 12e30df..6080697 100644
---- a/src/eap_peer/eap_peap.c
-+++ b/src/eap_peer/eap_peap.c
-@@ -67,6 +67,7 @@ struct eap_peap_data {
- u8 cmk[20];
- int soh; /* Whether IF-TNCCS-SOH (Statement of Health; Microsoft NAP)
- * is enabled. */
-+ enum { NO_AUTH, FOR_INITIAL, ALWAYS } phase2_auth;
- };
-
-
-@@ -114,6 +115,19 @@ static void eap_peap_parse_phase1(struct eap_peap_data *data,
- wpa_printf(MSG_DEBUG, "EAP-PEAP: Require cryptobinding");
- }
-
-+ if (os_strstr(phase1, "phase2_auth=0")) {
-+ data->phase2_auth = NO_AUTH;
-+ wpa_printf(MSG_DEBUG,
-+ "EAP-PEAP: Do not require Phase 2 authentication");
-+ } else if (os_strstr(phase1, "phase2_auth=1")) {
-+ data->phase2_auth = FOR_INITIAL;
-+ wpa_printf(MSG_DEBUG,
-+ "EAP-PEAP: Require Phase 2 authentication for initial connection");
-+ } else if (os_strstr(phase1, "phase2_auth=2")) {
-+ data->phase2_auth = ALWAYS;
-+ wpa_printf(MSG_DEBUG,
-+ "EAP-PEAP: Require Phase 2 authentication for all cases");
-+ }
- #ifdef EAP_TNC
- if (os_strstr(phase1, "tnc=soh2")) {
- data->soh = 2;
-@@ -142,6 +156,7 @@ static void * eap_peap_init(struct eap_sm *sm)
- data->force_peap_version = -1;
- data->peap_outer_success = 2;
- data->crypto_binding = OPTIONAL_BINDING;
-+ data->phase2_auth = FOR_INITIAL;
-
- if (config && config->phase1)
- eap_peap_parse_phase1(data, config->phase1);
-@@ -454,6 +469,20 @@ static int eap_tlv_validate_cryptobinding(struct eap_sm *sm,
- }
-
-
-+static bool peap_phase2_sufficient(struct eap_sm *sm,
-+ struct eap_peap_data *data)
-+{
-+ if ((data->phase2_auth == ALWAYS ||
-+ (data->phase2_auth == FOR_INITIAL &&
-+ !tls_connection_resumed(sm->ssl_ctx, data->ssl.conn) &&
-+ !data->ssl.client_cert_conf) ||
-+ data->phase2_eap_started) &&
-+ !data->phase2_eap_success)
-+ return false;
-+ return true;
-+}
-+
-+
- /**
- * eap_tlv_process - Process a received EAP-TLV message and generate a response
- * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
-@@ -568,6 +597,11 @@ static int eap_tlv_process(struct eap_sm *sm, struct eap_peap_data *data,
- " - force failed Phase 2");
- resp_status = EAP_TLV_RESULT_FAILURE;
- ret->decision = DECISION_FAIL;
-+ } else if (!peap_phase2_sufficient(sm, data)) {
-+ wpa_printf(MSG_INFO,
-+ "EAP-PEAP: Server indicated Phase 2 success, but sufficient Phase 2 authentication has not been completed");
-+ resp_status = EAP_TLV_RESULT_FAILURE;
-+ ret->decision = DECISION_FAIL;
- } else {
- resp_status = EAP_TLV_RESULT_SUCCESS;
- ret->decision = DECISION_UNCOND_SUCC;
-@@ -887,8 +921,7 @@ continue_req:
- /* EAP-Success within TLS tunnel is used to indicate
- * shutdown of the TLS channel. The authentication has
- * been completed. */
-- if (data->phase2_eap_started &&
-- !data->phase2_eap_success) {
-+ if (!peap_phase2_sufficient(sm, data)) {
- wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 "
- "Success used to indicate success, "
- "but Phase 2 EAP was not yet "
-@@ -1199,8 +1232,9 @@ static struct wpabuf * eap_peap_process(struct eap_sm *sm, void *priv,
- static bool eap_peap_has_reauth_data(struct eap_sm *sm, void *priv)
- {
- struct eap_peap_data *data = priv;
-+
- return tls_connection_established(sm->ssl_ctx, data->ssl.conn) &&
-- data->phase2_success;
-+ data->phase2_success && data->phase2_auth != ALWAYS;
- }
-
-
-diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c
-index c1837db..a53eeb1 100644
---- a/src/eap_peer/eap_tls_common.c
-+++ b/src/eap_peer/eap_tls_common.c
-@@ -239,6 +239,12 @@ static int eap_tls_params_from_conf(struct eap_sm *sm,
-
- sm->ext_cert_check = !!(params->flags & TLS_CONN_EXT_CERT_CHECK);
-
-+ if (!phase2)
-+ data->client_cert_conf = params->client_cert ||
-+ params->client_cert_blob ||
-+ params->private_key ||
-+ params->private_key_blob;
-+
- return 0;
- }
-
-diff --git a/src/eap_peer/eap_tls_common.h b/src/eap_peer/eap_tls_common.h
-index 9ac0012..3348634 100644
---- a/src/eap_peer/eap_tls_common.h
-+++ b/src/eap_peer/eap_tls_common.h
-@@ -79,6 +79,11 @@ struct eap_ssl_data {
- * tls_v13 - Whether TLS v1.3 or newer is used
- */
- int tls_v13;
-+
-+ /**
-+ * client_cert_conf: Whether client certificate has been configured
-+ */
-+ bool client_cert_conf;
- };
-
-
-diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
-index 6619d6b..d63f73c 100644
---- a/wpa_supplicant/wpa_supplicant.conf
-+++ b/wpa_supplicant/wpa_supplicant.conf
-@@ -1321,6 +1321,13 @@ fast_reauth=1
- # * 0 = do not use cryptobinding (default)
- # * 1 = use cryptobinding if server supports it
- # * 2 = require cryptobinding
-+# 'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
-+# tunnel) behavior for PEAP:
-+# * 0 = do not require Phase 2 authentication
-+# * 1 = require Phase 2 authentication when client certificate
-+# (private_key/client_cert) is no used and TLS session resumption was
-+# not used (default)
-+# * 2 = require Phase 2 authentication in all cases
- # EAP-WSC (WPS) uses following options: pin=<Device Password> or
- # pbc=1.
- #
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch
deleted file mode 100644
index 6e930fc98d..0000000000
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From cb41c214b78d6df187a31950342e48a403dbd769 Mon Sep 17 00:00:00 2001
-From: Sergey Matyukevich <geomatsi@gmail.com>
-Date: Tue, 22 Feb 2022 11:52:19 +0300
-Subject: [PATCH 1/2] build: Re-enable options for libwpa_client.so and
- wpa_passphrase
-
-Commit a41a29192e5d ("build: Pull common fragments into a build.rules
-file") introduced a regression into wpa_supplicant build process. The
-build target libwpa_client.so is not built regardless of whether the
-option CONFIG_BUILD_WPA_CLIENT_SO is set or not. This happens because
-this config option is used before it is imported from the configuration
-file. Moving its use after including build.rules does not help: the
-variable ALL is processed by build.rules and further changes are not
-applied. Similarly, option CONFIG_NO_WPA_PASSPHRASE also does not work
-as expected: wpa_passphrase is always built regardless of whether the
-option is set or not.
-
-Re-enable these options by adding both build targets to _all
-dependencies.
-
-Fixes: a41a29192e5d ("build: Pull common fragments into a build.rules file")
-Signed-off-by: Sergey Matyukevich <geomatsi@gmail.com>
-Upstream-Status: Backport
-Signed-off-by: Alex Kiernan <alexk@zuma.ai>
-Signed-off-by: Alex Kiernan <alexk@gmail.com>
----
- wpa_supplicant/Makefile | 19 ++++++++++++-------
- 1 file changed, 12 insertions(+), 7 deletions(-)
-
-diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
-index cb66defac7c8..c456825ae75f 100644
---- a/wpa_supplicant/Makefile
-+++ b/wpa_supplicant/Makefile
-@@ -1,24 +1,29 @@
- BINALL=wpa_supplicant wpa_cli
-
--ifndef CONFIG_NO_WPA_PASSPHRASE
--BINALL += wpa_passphrase
--endif
--
- ALL = $(BINALL)
- ALL += systemd/wpa_supplicant.service
- ALL += systemd/wpa_supplicant@.service
- ALL += systemd/wpa_supplicant-nl80211@.service
- ALL += systemd/wpa_supplicant-wired@.service
- ALL += dbus/fi.w1.wpa_supplicant1.service
--ifdef CONFIG_BUILD_WPA_CLIENT_SO
--ALL += libwpa_client.so
--endif
-
- EXTRA_TARGETS=dynamic_eap_methods
-
- CONFIG_FILE=.config
- include ../src/build.rules
-
-+ifdef CONFIG_BUILD_WPA_CLIENT_SO
-+# add the dependency this way to allow CONFIG_BUILD_WPA_CLIENT_SO
-+# being set in the config which is read by build.rules
-+_all: libwpa_client.so
-+endif
-+
-+ifndef CONFIG_NO_WPA_PASSPHRASE
-+# add the dependency this way to allow CONFIG_NO_WPA_PASSPHRASE
-+# being set in the config which is read by build.rules
-+_all: wpa_passphrase
-+endif
-+
- ifdef LIBS
- # If LIBS is set with some global build system defaults, clone those for
- # LIBS_c and LIBS_p to cover wpa_passphrase and wpa_cli as well.
---
-2.35.1
-
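Review bot: the deleted patch's `Upstream-Status: Backport` line has no commit reference, so the only link to upstream is the hash in its From line (cb41c214b78d6df187a31950342e48a403dbd769, also named in the Fixes: line of the wpa_passphrase install patch); for the scarthgap audit trail the recipe commit message should state that this commit is contained in the 2.11 release rather than only "already fixed".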
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch
deleted file mode 100644
index 53b0fcdf53..0000000000
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From d001b301ba7987f4b39453a211631b85c48f2ff8 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <quic_jouni@quicinc.com>
-Date: Thu, 3 Mar 2022 13:26:42 +0200
-Subject: [PATCH 2/2] Fix removal of wpa_passphrase on 'make clean'
-
-Fixes: 0430bc8267b4 ("build: Add a common-clean target")
-Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
-Upstream-Status: Backport
-Signed-off-by: Alex Kiernan <alexk@zuma.ai>
-Signed-off-by: Alex Kiernan <alexk@gmail.com>
----
- wpa_supplicant/Makefile | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
-index c456825ae75f..4b4688931b1d 100644
---- a/wpa_supplicant/Makefile
-+++ b/wpa_supplicant/Makefile
-@@ -2077,3 +2077,4 @@ clean: common-clean
- rm -f libwpa_client.a
- rm -f libwpa_client.so
- rm -f libwpa_test1 libwpa_test2
-+ rm -f wpa_passphrase
---
-2.35.1
-
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.11.bb
similarity index 90%
rename from meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb
rename to meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.11.bb
index 8113bcab09..321dedc58a 100644
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.11.bb
@@ -5,8 +5,8 @@ BUGTRACKER = "http://w1.fi/security/"
SECTION = "network"
LICENSE = "BSD-3-Clause"
LIC_FILES_CHKSUM = "file://COPYING;md5=5ebcb90236d1ad640558c3d3cd3035df \
- file://README;beginline=1;endline=56;md5=e3d2f6c2948991e37c1ca4960de84747 \
- file://wpa_supplicant/wpa_supplicant.c;beginline=1;endline=12;md5=76306a95306fee9a976b0ac1be70f705"
+ file://README;beginline=1;endline=56;md5=6e4b25e7d74bfc44a32ba37bdf5210a6 \
+ file://wpa_supplicant/wpa_supplicant.c;beginline=1;endline=12;md5=f5ccd57ea91e04800edb88267bf8eae4"
DEPENDS = "dbus libnl"
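Review bot: only the md5 values change while the beginline/endline ranges (README 1-56, wpa_supplicant/wpa_supplicant.c 1-12) are kept; that is consistent with the License-Update text attributing the change to copyright years only, but please confirm against the two linked hostap commits that neither license block grew or shrank, otherwise the checksum would silently cover a truncated or over-extended range.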
@@ -15,12 +15,8 @@ SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \
file://wpa_supplicant.conf \
file://wpa_supplicant.conf-sane \
file://99_wpa_supplicant \
- file://0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch \
- file://0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch \
- file://0001-Install-wpa_passphrase-when-not-disabled.patch \
- file://0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch \
"
-SRC_URI[sha256sum] = "20df7ae5154b3830355f8ab4269123a87affdea59fe74fe9292a91d0d7e17b2f"
+SRC_URI[sha256sum] = "912ea06f74e30a8e36fbb68064d6cdff218d8d591db0fc5d75dee6c81ac7fc0a"
S = "${WORKDIR}/wpa_supplicant-${PV}"
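Review bot: the SRC_URI shown in this hunk's header still fetches the release tarball over plain http (http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz), as does BUGTRACKER; the updated sha256sum pins the content so integrity is covered, but switching both to https would also protect the download path and is a cheap follow-up. Separately, the commit message lists CVE-2024-5290 as fixed while no hunk in this diff references it, so it should say explicitly that the version bump alone addresses it.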
--
2.34.1
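As an added illustration (not code from this patch, from hostap or from OE-core), the Phase 2 decision described in the dropped CVE-2023-52160 backport, with the pre-2.11 check beside the phase2_auth-aware one, evaluated over constructed scenarios; the struct, function and scenario names are this example's own assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not wpa_supplicant code: models the PEAP Phase 2
 * sufficiency rule from the dropped backport. Enum values follow the
 * phase2_auth=0/1/2 settings; struct and function names are assumed. */
enum phase2_auth_mode { NO_AUTH = 0, FOR_INITIAL = 1, ALWAYS = 2 };

struct peap_state {
    enum phase2_auth_mode phase2_auth;
    bool tls_resumed;        /* Phase 1 used TLS session resumption */
    bool client_cert_conf;   /* client_cert/private_key configured */
    bool phase2_eap_started; /* server started an inner EAP method */
    bool phase2_eap_success; /* inner EAP method completed successfully */
};

/* Map a phase1="..." network setting to a mode, defaulting to 1 as the
 * backport does; substring matching mirrors eap_peap_parse_phase1. */
enum phase2_auth_mode parse_phase2_auth(const char *phase1)
{
    if (phase1 == NULL)
        return FOR_INITIAL;
    if (strstr(phase1, "phase2_auth=0"))
        return NO_AUTH;
    if (strstr(phase1, "phase2_auth=2"))
        return ALWAYS;
    return FOR_INITIAL;
}

/* 2.10 behaviour: only a started-but-failed inner method is rejected.
 * A server that never starts Phase 2 is accepted on the strength of
 * Phase 1 alone, which is safe only if ca_cert validation happened. */
bool phase2_sufficient_old(const struct peap_state *s)
{
    return !(s->phase2_eap_started && !s->phase2_eap_success);
}

/* 2.11 / backported behaviour: Phase 2 success is required whenever
 * the mode demands it, or whenever an inner method was started. */
bool phase2_sufficient_new(const struct peap_state *s)
{
    bool required = s->phase2_auth == ALWAYS ||
                    (s->phase2_auth == FOR_INITIAL &&
                     !s->tls_resumed && !s->client_cert_conf) ||
                    s->phase2_eap_started;
    return !(required && !s->phase2_eap_success);
}

/* Constructed scenarios; password-only PEAP without a client cert is
 * the common deployment the backport message is concerned with. */
struct scenario { const char *name; struct peap_state st; };

static const struct scenario scenarios[] = {
    { "server skips Phase 2, default mode",
      { FOR_INITIAL, false, false, false, false } },
    { "server skips Phase 2, phase2_auth=0",
      { NO_AUTH, false, false, false, false } },
    { "server skips Phase 2, resumed session, default mode",
      { FOR_INITIAL, true, false, false, false } },
    { "server skips Phase 2, resumed session, phase2_auth=2",
      { ALWAYS, true, false, false, false } },
    { "inner EAP started and succeeded",
      { FOR_INITIAL, false, false, true, true } },
    { "inner EAP started and failed",
      { FOR_INITIAL, false, false, true, false } },
};

/* Count scenarios the old rule accepts but the new one rejects:
 * exactly the cases the backport closes. */
int count_newly_rejected(void)
{
    int n = 0;
    for (size_t i = 0; i < sizeof(scenarios) / sizeof(scenarios[0]); i++)
        if (phase2_sufficient_old(&scenarios[i].st) &&
            !phase2_sufficient_new(&scenarios[i].st))
            n++;
    return n;
}

int main(void)
{
    for (size_t i = 0; i < sizeof(scenarios) / sizeof(scenarios[0]); i++)
        printf("%-55s old=%s new=%s\n", scenarios[i].name,
               phase2_sufficient_old(&scenarios[i].st) ? "accept" : "reject",
               phase2_sufficient_new(&scenarios[i].st) ? "accept" : "reject");
    printf("scenarios newly rejected by the Phase 2 requirement: %d\n",
           count_newly_rejected());
    return 0;
}
```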
* Re: [OE-core][master][scarthgap][PATCH] wpa-supplicant: Upgrade 2.10 -> 2.11
From: Randy MacLeod @ 2024-08-23 0:56 UTC (permalink / raw)
To: sdoshi, openembedded-core, steve@sakoman.com
For scarthgap, it's good but not mandatory to have Steve on the To/CC list.
On 2024-08-22 12:17 p.m., Siddharth Doshi via lists.openembedded.org wrote:
> From: Siddharth Doshi <sdoshi@mvista.com>
>
> License-Update:
> ===============
> - README: Change in copyright years as per https://w1.fi/cgit/hostap/commit/README?id=d945ddd368085f255e68328f2d3b020ceea359af
> - wpa_supplicant/wpa_supplicant.c: Change in copyright years as per https://w1.fi/cgit/hostap/commit/wpa_supplicant/wpa_supplicant.c?id=d945ddd368085f255e68328f2d3b020ceea359af
>
> CVEs Fixed:
> ===========
> - CVE-2024-5290 wpa_supplicant: wpa_supplicant loading arbitrary shared objects allowing privilege escalation
> - CVE-2023-52160 wpa_supplicant: potential authorization bypass
>
> Changes between 2.10 -> 2.11:
> ============================
> https://w1.fi/cgit/hostap/commit/wpa_supplicant/ChangeLog?id=d945ddd368085f255e68328f2d3b020ceea359af
Hello Siddharth,
This update makes sense for the master branch but likely not for scarthgap unless you can show that this is a bug-fix-only release.
It certainly does not look like a small bug-fix-only update based on:
❯ git diff hostap_2_10 hostap_2_11 | diffstat | tail -1
534 files changed, 85965 insertions(+), 16847 deletions(-)
❯ git log --oneline hostap_2_10..hostap_2_11 | wc -l
2295
and the hostap and wpa-supplicant ChangeLogs which mention adding features below (1).
Since the repo ( git://w1.fi/srv/git/hostap.git ) doesn't have a stable branch for 2.10:
❯ git branch -a
* master
remotes/origin/HEAD -> origin/master
remotes/origin/android-jb
remotes/origin/android-kk
remotes/origin/android-l
remotes/origin/android-m
remotes/origin/aosp-jb
remotes/origin/aosp-kk
remotes/origin/main
remotes/origin/master
remotes/origin/pending
you'll have to backport any CVE fixes that you're interested in unless someone explains why this is a sensible update for scarthgap.
Thanks,
../Randy
1)
❯ git diff hostap_2_10 hostap_2_11 hostapd/ChangeLog | cat
diff --git a/hostapd/ChangeLog b/hostapd/ChangeLog
index 279298e4d..1c8240d33 100644
--- a/hostapd/ChangeLog
+++ b/hostapd/ChangeLog
@@ -1,5 +1,42 @@
ChangeLog for hostapd
+2024-07-20 - v2.11
+ * Wi-Fi Easy Connect
+ - add support for DPP release 3
+ - allow Configurator parameters to be provided during config exchange
+ * HE/IEEE 802.11ax/Wi-Fi 6
+ - various fixes
+ * EHT/IEEE 802.11be/Wi-Fi 7
+ - add preliminary support
+ * SAE: add support for fetching the password from a RADIUS server
+ * support OpenSSL 3.0 API changes
+ * support background radar detection and CAC with some additional
+ drivers
+ * support RADIUS ACL/PSK check during 4-way handshake
(wpa_psk_radius=3)
+ * EAP-SIM/AKA: support IMSI privacy
+ * improve 4-way handshake operations
+ - use Secure=1 in message 3 during PTK rekeying
+ * OCV: do not check Frequency Segment 1 Channel Number for 160 MHz
cases
+ to avoid interoperability issues
+ * support new SAE AKM suites with variable length keys
+ * support new AKM for 802.1X/EAP with SHA384
+ * extend PASN support for secure ranging
+ * FT: Use SHA256 to derive PMKID for AKM 00-0F-AC:3 (FT-EAP)
+ - this is based on additional details being added in the IEEE 802.11
+ standard
+ - the new implementation is not backwards compatible
+ * improved ACS to cover additional channel types/bandwidths
+ * extended Multiple BSSID support
+ * fix beacon protection with FT protocol (incorrect BIGTK was provided)
+ * support unsynchronized service discovery (USD)
+ * add preliminary support for RADIUS/TLS
+ * add support for explicit SSID protection in 4-way handshake
+ (a mitigation for CVE-2023-52424; disabled by default for now, can be
+ enabled with ssid_protection=1)
+ * fix SAE H2E rejected groups validation to avoid downgrade attacks
+ * use stricter validation for some RADIUS messages
+ * a large number of other fixes, cleanup, and extensions
+
2022-01-16 - v2.10
* SAE changes
- improved protection against side channel attacks
❯ git diff hostap_2_10 hostap_2_11 wpa_supplicant/ChangeLog | cat
diff --git a/wpa_supplicant/ChangeLog b/wpa_supplicant/ChangeLog
index efcc6cd9c..3f4162eb0 100644
--- a/wpa_supplicant/ChangeLog
+++ b/wpa_supplicant/ChangeLog
@@ -1,5 +1,55 @@
ChangeLog for wpa_supplicant
+2024-07-20 - v2.11
+ * Wi-Fi Easy Connect
+ - add support for DPP release 3
+ - allow Configurator parameters to be provided during config exchange
+ * MACsec
+ - add support for GCM-AES-256 cipher suite
+ - remove incorrect EAP Session-Id length constraint
+ - add hardware offload support for additional drivers
+ * HE/IEEE 802.11ax/Wi-Fi 6
+ - support BSS color updates
+ - various fixes
+ * EHT/IEEE 802.11be/Wi-Fi 7
+ - add preliminary support
+ * support OpenSSL 3.0 API changes
+ * improve EAP-TLS support for TLSv1.3
+ * EAP-SIM/AKA: support IMSI privacy
+ * improve mitigation against DoS attacks when PMF is used
+ * improve 4-way handshake operations
+ - discard unencrypted EAPOL frames in additional cases
+ - use Secure=1 in message 2 during PTK rekeying
+ * OCV: do not check Frequency Segment 1 Channel Number for 160 MHz
cases
+ to avoid interoperability issues
+ * support new SAE AKM suites with variable length keys
+ * support new AKM for 802.1X/EAP with SHA384
+ * improve cross-AKM roaming with driver-based SME/BSS selection
+ * PASN
+ - extend support for secure ranging
+ - allow PASN implementation to be used with external programs for
+ Wi-Fi Aware
+ * FT: Use SHA256 to derive PMKID for AKM 00-0F-AC:3 (FT-EAP)
+ - this is based on additional details being added in the IEEE 802.11
+ standard
+ - the new implementation is not backwards compatible, but PMKSA
+ caching with FT-EAP was, and still is, disabled by default
+ * support a pregenerated MAC (mac_addr=3) as an alternative mechanism
+ for using per-network random MAC addresses
+ * EAP-PEAP: require Phase 2 authentication by default (phase2_auth=1)
+ to improve security for still unfortunately common invalid
+ configurations that do not set ca_cert
+ * extend SCS support for QoS Characteristics
+ * extend MSCS support
+ * support unsynchronized service discovery (USD)
+ * add support for explicit SSID protection in 4-way handshake
+ (a mitigation for CVE-2023-52424; disabled by default for now, can be
+ enabled with ssid_protection=1)
+ - in addition, verify SSID after key setup when beacon protection is
+ used
+ * fix SAE H2E rejected groups validation to avoid downgrade attacks
+ * a large number of other fixes, cleanup, and extensions
+
2022-01-16 - v2.10
* SAE changes
- improved protection against side channel attacks
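Review bot: the v2.11 entry "EAP-PEAP: require Phase 2 authentication by default (phase2_auth=1)" is the upstream form of the CVE-2023-52160 backport the recipe change drops, so this quoted ChangeLog is the evidence the cover message should cite for that removal; the same entry also shows the release mixing a security default change with new features (DPP release 3, EHT/Wi-Fi 7, MACsec GCM-AES-256, mac_addr=3), which supports the point above that it is not a bug-fix-only release suitable for scarthgap as-is.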
> - data->soh = 2;
> -@@ -142,6 +156,7 @@ static void * eap_peap_init(struct eap_sm *sm)
> - data->force_peap_version = -1;
> - data->peap_outer_success = 2;
> - data->crypto_binding = OPTIONAL_BINDING;
> -+ data->phase2_auth = FOR_INITIAL;
> -
> - if (config && config->phase1)
> - eap_peap_parse_phase1(data, config->phase1);
> -@@ -454,6 +469,20 @@ static int eap_tlv_validate_cryptobinding(struct eap_sm *sm,
> - }
> -
> -
> -+static bool peap_phase2_sufficient(struct eap_sm *sm,
> -+ struct eap_peap_data *data)
> -+{
> -+ if ((data->phase2_auth == ALWAYS ||
> -+ (data->phase2_auth == FOR_INITIAL &&
> -+ !tls_connection_resumed(sm->ssl_ctx, data->ssl.conn) &&
> -+ !data->ssl.client_cert_conf) ||
> -+ data->phase2_eap_started) &&
> -+ !data->phase2_eap_success)
> -+ return false;
> -+ return true;
> -+}
> -+
> -+
> - /**
> - * eap_tlv_process - Process a received EAP-TLV message and generate a response
> - * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
> -@@ -568,6 +597,11 @@ static int eap_tlv_process(struct eap_sm *sm, struct eap_peap_data *data,
> - " - force failed Phase 2");
> - resp_status = EAP_TLV_RESULT_FAILURE;
> - ret->decision = DECISION_FAIL;
> -+ } else if (!peap_phase2_sufficient(sm, data)) {
> -+ wpa_printf(MSG_INFO,
> -+ "EAP-PEAP: Server indicated Phase 2 success, but sufficient Phase 2 authentication has not been completed");
> -+ resp_status = EAP_TLV_RESULT_FAILURE;
> -+ ret->decision = DECISION_FAIL;
> - } else {
> - resp_status = EAP_TLV_RESULT_SUCCESS;
> - ret->decision = DECISION_UNCOND_SUCC;
> -@@ -887,8 +921,7 @@ continue_req:
> - /* EAP-Success within TLS tunnel is used to indicate
> - * shutdown of the TLS channel. The authentication has
> - * been completed. */
> -- if (data->phase2_eap_started &&
> -- !data->phase2_eap_success) {
> -+ if (!peap_phase2_sufficient(sm, data)) {
> - wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 "
> - "Success used to indicate success, "
> - "but Phase 2 EAP was not yet "
> -@@ -1199,8 +1232,9 @@ static struct wpabuf * eap_peap_process(struct eap_sm *sm, void *priv,
> - static bool eap_peap_has_reauth_data(struct eap_sm *sm, void *priv)
> - {
> - struct eap_peap_data *data = priv;
> -+
> - return tls_connection_established(sm->ssl_ctx, data->ssl.conn) &&
> -- data->phase2_success;
> -+ data->phase2_success && data->phase2_auth != ALWAYS;
> - }
> -
> -
> -diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c
> -index c1837db..a53eeb1 100644
> ---- a/src/eap_peer/eap_tls_common.c
> -+++ b/src/eap_peer/eap_tls_common.c
> -@@ -239,6 +239,12 @@ static int eap_tls_params_from_conf(struct eap_sm *sm,
> -
> - sm->ext_cert_check = !!(params->flags & TLS_CONN_EXT_CERT_CHECK);
> -
> -+ if (!phase2)
> -+ data->client_cert_conf = params->client_cert ||
> -+ params->client_cert_blob ||
> -+ params->private_key ||
> -+ params->private_key_blob;
> -+
> - return 0;
> - }
> -
> -diff --git a/src/eap_peer/eap_tls_common.h b/src/eap_peer/eap_tls_common.h
> -index 9ac0012..3348634 100644
> ---- a/src/eap_peer/eap_tls_common.h
> -+++ b/src/eap_peer/eap_tls_common.h
> -@@ -79,6 +79,11 @@ struct eap_ssl_data {
> - * tls_v13 - Whether TLS v1.3 or newer is used
> - */
> - int tls_v13;
> -+
> -+ /**
> -+ * client_cert_conf: Whether client certificate has been configured
> -+ */
> -+ bool client_cert_conf;
> - };
> -
> -
> -diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
> -index 6619d6b..d63f73c 100644
> ---- a/wpa_supplicant/wpa_supplicant.conf
> -+++ b/wpa_supplicant/wpa_supplicant.conf
> -@@ -1321,6 +1321,13 @@ fast_reauth=1
> - # * 0 = do not use cryptobinding (default)
> - # * 1 = use cryptobinding if server supports it
> - # * 2 = require cryptobinding
> -+# 'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
> -+# tunnel) behavior for PEAP:
> -+# * 0 = do not require Phase 2 authentication
> -+# * 1 = require Phase 2 authentication when client certificate
> -+# (private_key/client_cert) is no used and TLS session resumption was
> -+# not used (default)
> -+# * 2 = require Phase 2 authentication in all cases
> - # EAP-WSC (WPS) uses following options: pin=<Device Password> or
> - # pbc=1.
> - #
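Review bot: Dropping this backport is only safe if the 2.11 tarball carries upstream commit 8e6485a1bcb0baffdea9e55255a81270b768439c named in the Upstream-Status line; the wpa_supplicant ChangeLog quoted later in this thread lists "EAP-PEAP: require Phase 2 authentication by default (phase2_auth=1)" under v2.11, which confirms it. Two consequences of the removal are worth a sentence in the commit message: the "CVE: CVE-2023-52160" tag that cve-check used to report this CVE as patched goes away with the file, so the recipe now relies on the version-based CVE data for 2.11, and the default FOR_INITIAL setting introduced here still exempts resumed TLS sessions and client-certificate configurations, so deployments wanting the strict check need phase2_auth=2 in phase1.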
> diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch
> deleted file mode 100644
> index 6e930fc98d..0000000000
> --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch
> +++ /dev/null
> @@ -1,73 +0,0 @@
> -From cb41c214b78d6df187a31950342e48a403dbd769 Mon Sep 17 00:00:00 2001
> -From: Sergey Matyukevich<geomatsi@gmail.com>
> -Date: Tue, 22 Feb 2022 11:52:19 +0300
> -Subject: [PATCH 1/2] build: Re-enable options for libwpa_client.so and
> - wpa_passphrase
> -
> -Commit a41a29192e5d ("build: Pull common fragments into a build.rules
> -file") introduced a regression into wpa_supplicant build process. The
> -build target libwpa_client.so is not built regardless of whether the
> -option CONFIG_BUILD_WPA_CLIENT_SO is set or not. This happens because
> -this config option is used before it is imported from the configuration
> -file. Moving its use after including build.rules does not help: the
> -variable ALL is processed by build.rules and further changes are not
> -applied. Similarly, option CONFIG_NO_WPA_PASSPHRASE also does not work
> -as expected: wpa_passphrase is always built regardless of whether the
> -option is set or not.
> -
> -Re-enable these options by adding both build targets to _all
> -dependencies.
> -
> -Fixes: a41a29192e5d ("build: Pull common fragments into a build.rules file")
> -Signed-off-by: Sergey Matyukevich<geomatsi@gmail.com>
> -Upstream-Status: Backport
> -Signed-off-by: Alex Kiernan<alexk@zuma.ai>
> -Signed-off-by: Alex Kiernan<alexk@gmail.com>
> ----
> - wpa_supplicant/Makefile | 19 ++++++++++++-------
> - 1 file changed, 12 insertions(+), 7 deletions(-)
> -
> -diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
> -index cb66defac7c8..c456825ae75f 100644
> ---- a/wpa_supplicant/Makefile
> -+++ b/wpa_supplicant/Makefile
> -@@ -1,24 +1,29 @@
> - BINALL=wpa_supplicant wpa_cli
> -
> --ifndef CONFIG_NO_WPA_PASSPHRASE
> --BINALL += wpa_passphrase
> --endif
> --
> - ALL = $(BINALL)
> - ALL += systemd/wpa_supplicant.service
> - ALL +=systemd/wpa_supplicant@.service
> - ALL +=systemd/wpa_supplicant-nl80211@.service
> - ALL +=systemd/wpa_supplicant-wired@.service
> - ALL += dbus/fi.w1.wpa_supplicant1.service
> --ifdef CONFIG_BUILD_WPA_CLIENT_SO
> --ALL += libwpa_client.so
> --endif
> -
> - EXTRA_TARGETS=dynamic_eap_methods
> -
> - CONFIG_FILE=.config
> - include ../src/build.rules
> -
> -+ifdef CONFIG_BUILD_WPA_CLIENT_SO
> -+# add the dependency this way to allow CONFIG_BUILD_WPA_CLIENT_SO
> -+# being set in the config which is read by build.rules
> -+_all: libwpa_client.so
> -+endif
> -+
> -+ifndef CONFIG_NO_WPA_PASSPHRASE
> -+# add the dependency this way to allow CONFIG_NO_WPA_PASSPHRASE
> -+# being set in the config which is read by build.rules
> -+_all: wpa_passphrase
> -+endif
> -+
> - ifdef LIBS
> - # If LIBS is set with some global build system defaults, clone those for
> - # LIBS_c and LIBS_p to cover wpa_passphrase and wpa_cli as well.
> ---
> -2.35.1
> -
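Review bot: The removed file is tagged "Upstream-Status: Backport" with no commit reference, so nothing in the hunk shows where in 2.11 this landed. The From line (cb41c214b78d6df187a31950342e48a403dbd769), the "Fixes: a41a29192e5d" line and the 2022-02-22 date place it after the 2.10 release of 2022-01-16, which is consistent with inclusion in 2.11, but the commit message should cite the upstream commit so "already fixed" can be verified rather than inferred.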
> diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch
> deleted file mode 100644
> index 53b0fcdf53..0000000000
> --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch
> +++ /dev/null
> @@ -1,26 +0,0 @@
> -From d001b301ba7987f4b39453a211631b85c48f2ff8 Mon Sep 17 00:00:00 2001
> -From: Jouni Malinen<quic_jouni@quicinc.com>
> -Date: Thu, 3 Mar 2022 13:26:42 +0200
> -Subject: [PATCH 2/2] Fix removal of wpa_passphrase on 'make clean'
> -
> -Fixes: 0430bc8267b4 ("build: Add a common-clean target")
> -Signed-off-by: Jouni Malinen<quic_jouni@quicinc.com>
> -Upstream-Status: Backport
> -Signed-off-by: Alex Kiernan<alexk@zuma.ai>
> -Signed-off-by: Alex Kiernan<alexk@gmail.com>
> ----
> - wpa_supplicant/Makefile | 1 +
> - 1 file changed, 1 insertion(+)
> -
> -diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
> -index c456825ae75f..4b4688931b1d 100644
> ---- a/wpa_supplicant/Makefile
> -+++ b/wpa_supplicant/Makefile
> -@@ -2077,3 +2077,4 @@ clean: common-clean
> - rm -f libwpa_client.a
> - rm -f libwpa_client.so
> - rm -f libwpa_test1 libwpa_test2
> -+ rm -f wpa_passphrase
> ---
> -2.35.1
> -
> diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.11.bb
> similarity index 90%
> rename from meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb
> rename to meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.11.bb
> index 8113bcab09..321dedc58a 100644
> --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb
> +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.11.bb
> @@ -5,8 +5,8 @@ BUGTRACKER ="http://w1.fi/security/"
> SECTION = "network"
> LICENSE = "BSD-3-Clause"
> LIC_FILES_CHKSUM ="file://COPYING;md5=5ebcb90236d1ad640558c3d3cd3035df \ -
> file://README;beginline=1;endline=56;md5=e3d2f6c2948991e37c1ca4960de84747
> \ -
> file://wpa_supplicant/wpa_supplicant.c;beginline=1;endline=12;md5=76306a95306fee9a976b0ac1be70f705"
> +file://README;beginline=1;endline=56;md5=6e4b25e7d74bfc44a32ba37bdf5210a6 \
> +file://wpa_supplicant/wpa_supplicant.c;beginline=1;endline=12;md5=f5ccd57ea91e04800edb88267bf8eae4"
>
> DEPENDS = "dbus libnl"
>
> @@ -15,12 +15,8 @@ SRC_URI ="http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \
> file://wpa_supplicant.conf \ file://wpa_supplicant.conf-sane \
> file://99_wpa_supplicant \ -
> file://0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch
> \ - file://0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch \ -
> file://0001-Install-wpa_passphrase-when-not-disabled.patch \ -
> file://0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch \ "
> -SRC_URI[sha256sum] = "20df7ae5154b3830355f8ab4269123a87affdea59fe74fe9292a91d0d7e17b2f"
> +SRC_URI[sha256sum] = "912ea06f74e30a8e36fbb68064d6cdff218d8d591db0fc5d75dee6c81ac7fc0a"
>
> S = "${WORKDIR}/wpa_supplicant-${PV}"
>
>
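Review bot: The LIC_FILES_CHKSUM changes for README and wpa_supplicant.c match the License-Update note (copyright years only) and SRC_URI[sha256sum] is updated for the 2.11 tarball, but both hunks of the rename are damaged by line wrapping in this copy of the mail, so check them against the applied patch. One nit while touching this recipe: SRC_URI still fetches from http://w1.fi/releases/ while every upstream reference in the commit message uses https; the sha256sum protects tarball integrity, so this is hardening rather than a blocker, but it is a one-word change.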
--
# Randy MacLeod
# Wind River Linux
* Re: [OE-core][master][scarthgap][PATCH] wpa-supplicant: Upgrade 2.10 -> 2.11
2024-08-23 0:56 ` Randy MacLeod
@ 2024-08-23 15:59 ` Viswanath Kraleti
2024-08-23 16:39 ` Alexander Kanavin
0 siblings, 1 reply; 7+ messages in thread
From: Viswanath Kraleti @ 2024-08-23 15:59 UTC (permalink / raw)
To: randy.macleod, sdoshi, openembedded-core, steve@sakoman.com
Hello Randy,
The 2.11 version of wpa-supplicant/hostapd was released almost 2.5 years after 2.10, which was released on 2022-01-16. A lot of people have been eagerly waiting for this release for a long time. 2.11 has crucial HE/IEEE 802.11ax/Wi-Fi 6 support and preliminary support for EHT/IEEE 802.11be/Wi-Fi 7. It also supports WPA3, which is a mandatory certification for Wi-Fi CERTIFIED™ devices.
I do accept that this release missed the Scarthgap cutoff of the Yocto community. But considering the longevity of Scarthgap (a good 3.5 years from now) and the number of people interested in Scarthgap, it is best if wpa-supplicant/hostapd are switched to 2.11.
// Viswanath
On 8/23/2024 6:26 AM, Randy MacLeod via lists.openembedded.org wrote:
> For scarthgap, it's good but not mandatory to have Steve on the To/CC list.
>
> On 2024-08-22 12:17 p.m., Siddharth Doshi via lists.openembedded.org wrote:
>> From: Siddharth Doshi <sdoshi@mvista.com>
>>
>> License-Update:
>> ===============
>> - README: Change in copyright years as per https://w1.fi/cgit/hostap/commit/README?id=d945ddd368085f255e68328f2d3b020ceea359af
>> - wpa_supplicant/wpa_supplicant.c: Change in copyright years as per https://w1.fi/cgit/hostap/commit/wpa_supplicant/wpa_supplicant.c?id=d945ddd368085f255e68328f2d3b020ceea359af
>>
>> CVE's Fixed:
>> ===========
>> - CVE-2024-5290 wpa_supplicant: wpa_supplicant loading arbitrary shared objects allowing privilege escalation
>> - CVE-2023-52160 wpa_supplicant: potential authorization bypass
>>
>> Changes between 2.10 -> 2.11:
>> ============================
>> https://w1.fi/cgit/hostap/commit/wpa_supplicant/ChangeLog?id=d945ddd368085f255e68328f2d3b020ceea359af
>
>
> Hello Siddharth,
>
>
> This update makes sense for the master branch but likely not for scarthgap unless you can show that
> this is a bug-fix-only release.
>
>
> It certainly does not look like a small bug fix only update based on:
>
> ❯ git diff hostap_2_10 hostap_2_11 | diffstat | tail -1
> 534 files changed, 85965 insertions(+), 16847 deletions(-)
>
> ❯ git log --oneline hostap_2_10..hostap_2_11 | wc -l
> 2295
>
> and the hostap and wpa-supplicant ChangeLogs which mention adding features below (1).
>
>
> Since the repo ( git://w1.fi/srv/git/hostap.git ) doesn't have a stable branch for 2.10:
>
> ❯ git branch -a
> * master
> remotes/origin/HEAD -> origin/master
> remotes/origin/android-jb
> remotes/origin/android-kk
> remotes/origin/android-l
> remotes/origin/android-m
> remotes/origin/aosp-jb
> remotes/origin/aosp-kk
> remotes/origin/main
> remotes/origin/master
> remotes/origin/pending
>
>
> you'll have to backport any CVE fixes that you're interested in unless
> someone explains why this is a sensible update for scarthgap.
>
> Thanks,
>
> ../Randy
>
>
> 1)
>
>
> ❯ git diff hostap_2_10 hostap_2_11 hostapd/ChangeLog | cat
> diff --git a/hostapd/ChangeLog b/hostapd/ChangeLog
> index 279298e4d..1c8240d33 100644
> --- a/hostapd/ChangeLog
> +++ b/hostapd/ChangeLog
> @@ -1,5 +1,42 @@
> ChangeLog for hostapd
>
> +2024-07-20 - v2.11
> + * Wi-Fi Easy Connect
> + - add support for DPP release 3
> + - allow Configurator parameters to be provided during config exchange
> + * HE/IEEE 802.11ax/Wi-Fi 6
> + - various fixes
> + * EHT/IEEE 802.11be/Wi-Fi 7
> + - add preliminary support
> + * SAE: add support for fetching the password from a RADIUS server
> + * support OpenSSL 3.0 API changes
> + * support background radar detection and CAC with some additional
> + drivers
> + * support RADIUS ACL/PSK check during 4-way handshake (wpa_psk_radius=3)
> + * EAP-SIM/AKA: support IMSI privacy
> + * improve 4-way handshake operations
> + - use Secure=1 in message 3 during PTK rekeying
> + * OCV: do not check Frequency Segment 1 Channel Number for 160 MHz cases
> + to avoid interoperability issues
> + * support new SAE AKM suites with variable length keys
> + * support new AKM for 802.1X/EAP with SHA384
> + * extend PASN support for secure ranging
> + * FT: Use SHA256 to derive PMKID for AKM 00-0F-AC:3 (FT-EAP)
> + - this is based on additional details being added in the IEEE 802.11
> + standard
> + - the new implementation is not backwards compatible
> + * improved ACS to cover additional channel types/bandwidths
> + * extended Multiple BSSID support
> + * fix beacon protection with FT protocol (incorrect BIGTK was provided)
> + * support unsynchronized service discovery (USD)
> + * add preliminary support for RADIUS/TLS
> + * add support for explicit SSID protection in 4-way handshake
> + (a mitigation for CVE-2023-52424; disabled by default for now, can be
> + enabled with ssid_protection=1)
> + * fix SAE H2E rejected groups validation to avoid downgrade attacks
> + * use stricter validation for some RADIUS messages
> + * a large number of other fixes, cleanup, and extensions
> +
> 2022-01-16 - v2.10
> * SAE changes
> - improved protection against side channel attacks
>
>
> ❯ git diff hostap_2_10 hostap_2_11 wpa_supplicant/ChangeLog | cat
> diff --git a/wpa_supplicant/ChangeLog b/wpa_supplicant/ChangeLog
> index efcc6cd9c..3f4162eb0 100644
> --- a/wpa_supplicant/ChangeLog
> +++ b/wpa_supplicant/ChangeLog
> @@ -1,5 +1,55 @@
> ChangeLog for wpa_supplicant
>
> +2024-07-20 - v2.11
> + * Wi-Fi Easy Connect
> + - add support for DPP release 3
> + - allow Configurator parameters to be provided during config exchange
> + * MACsec
> + - add support for GCM-AES-256 cipher suite
> + - remove incorrect EAP Session-Id length constraint
> + - add hardware offload support for additional drivers
> + * HE/IEEE 802.11ax/Wi-Fi 6
> + - support BSS color updates
> + - various fixes
> + * EHT/IEEE 802.11be/Wi-Fi 7
> + - add preliminary support
> + * support OpenSSL 3.0 API changes
> + * improve EAP-TLS support for TLSv1.3
> + * EAP-SIM/AKA: support IMSI privacy
> + * improve mitigation against DoS attacks when PMF is used
> + * improve 4-way handshake operations
> + - discard unencrypted EAPOL frames in additional cases
> + - use Secure=1 in message 2 during PTK rekeying
> + * OCV: do not check Frequency Segment 1 Channel Number for 160 MHz cases
> + to avoid interoperability issues
> + * support new SAE AKM suites with variable length keys
> + * support new AKM for 802.1X/EAP with SHA384
> + * improve cross-AKM roaming with driver-based SME/BSS selection
> + * PASN
> + - extend support for secure ranging
> + - allow PASN implementation to be used with external programs for
> + Wi-Fi Aware
> + * FT: Use SHA256 to derive PMKID for AKM 00-0F-AC:3 (FT-EAP)
> + - this is based on additional details being added in the IEEE 802.11
> + standard
> + - the new implementation is not backwards compatible, but PMKSA
> + caching with FT-EAP was, and still is, disabled by default
> + * support a pregenerated MAC (mac_addr=3) as an alternative mechanism
> + for using per-network random MAC addresses
> + * EAP-PEAP: require Phase 2 authentication by default (phase2_auth=1)
> + to improve security for still unfortunately common invalid
> + configurations that do not set ca_cert
> + * extend SCS support for QoS Characteristics
> + * extend MSCS support
> + * support unsynchronized service discovery (USD)
> + * add support for explicit SSID protection in 4-way handshake
> + (a mitigation for CVE-2023-52424; disabled by default for now, can be
> + enabled with ssid_protection=1)
> + - in addition, verify SSID after key setup when beacon protection is
> + used
> + * fix SAE H2E rejected groups validation to avoid downgrade attacks
> + * a large number of other fixes, cleanup, and extensions
> +
> 2022-01-16 - v2.10
> * SAE changes
> - improved protection against side channel attacks
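Review bot: Besides the feature list, this hunk contains the entry that justifies dropping the PEAP backport ("EAP-PEAP: require Phase 2 authentication by default (phase2_auth=1)"), and it also names security fixes that carry no CVE id in the ChangeLog: SAE H2E rejected-groups validation against downgrade attacks, improved DoS mitigation when PMF is used, discarding unencrypted EAPOL frames in additional cases, and the opt-in SSID protection for CVE-2023-52424. A backport-only approach for scarthgap, as suggested above, would have to identify each of those commits individually, so the comparison should weigh them alongside the two CVEs listed in the commit message.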
>
>
>>
>> Note:
>> =====
>> Patches
>> 0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch,
>> 0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch,
>> 0001-Install-wpa_passphrase-when-not-disabled.patch,
>> 0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch (CVE-2023-52160)
>> are already fixed and hence removing them.
>>
>> Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
>> ---
>> ...all-wpa_passphrase-when-not-disabled.patch | 33 ---
>> ...te-Phase-2-authentication-requiremen.patch | 213 ------------------
>> ...options-for-libwpa_client.so-and-wpa.patch | 73 ------
>> ...oval-of-wpa_passphrase-on-make-clean.patch | 26 ---
>> ...plicant_2.10.bb => wpa-supplicant_2.11.bb} | 10 +-
>> 5 files changed, 3 insertions(+), 352 deletions(-)
>> delete mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-Install-wpa_passphrase-when-not-disabled.patch
>> delete mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch
>> delete mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch
>> delete mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch
>> rename meta/recipes-connectivity/wpa-supplicant/{wpa-supplicant_2.10.bb => wpa-supplicant_2.11.bb} (90%)
>>
>> diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-Install-wpa_passphrase-when-not-disabled.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-Install-wpa_passphrase-when-not-disabled.patch
>> deleted file mode 100644
>> index c04c608bde..0000000000
>> --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-Install-wpa_passphrase-when-not-disabled.patch
>> +++ /dev/null
>> @@ -1,33 +0,0 @@
>> -From 57b12a1e43605f71239a21488cb9b541f0751dda Mon Sep 17 00:00:00 2001
>> -From: Alex Kiernan<alexk@zuma.ai>
>> -Date: Thu, 21 Apr 2022 10:15:29 +0100
>> -Subject: [PATCH] Install wpa_passphrase when not disabled
>> -
>> -As part of fixing CONFIG_NO_WPA_PASSPHRASE, whilst wpa_passphrase gets
>> -built, its not installed during `make install`.
>> -
>> -Fixes: cb41c214b78d ("build: Re-enable options for libwpa_client.so and wpa_passphrase")
>> -Signed-off-by: Alex Kiernan<alexk@zuma.ai>
>> -Signed-off-by: Alex Kiernan<alex.kiernan@gmail.com>
>> -Upstream-Status: Submitted [http://lists.infradead.org/pipermail/hostap/2022-April/040448.html]
>> ----
>> - wpa_supplicant/Makefile | 3 +++
>> - 1 file changed, 3 insertions(+)
>> -
>> -diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
>> -index 0bab313f2355..12787c0c7d0f 100644
>> ---- a/wpa_supplicant/Makefile
>> -+++ b/wpa_supplicant/Makefile
>> -@@ -73,6 +73,9 @@ $(DESTDIR)$(BINDIR)/%: %
>> -
>> - install: $(addprefix $(DESTDIR)$(BINDIR)/,$(BINALL))
>> - $(MAKE) -C ../src install
>> -+ifndef CONFIG_NO_WPA_PASSPHRASE
>> -+ install -D wpa_passphrase $(DESTDIR)/$(BINDIR)/wpa_passphrase
>> -+endif
>> - ifdef CONFIG_BUILD_WPA_CLIENT_SO
>> - install -m 0644 -D libwpa_client.so $(DESTDIR)/$(LIBDIR)/libwpa_client.so
>> - install -m 0644 -D ../src/common/wpa_ctrl.h $(DESTDIR)/$(INCDIR)/wpa_ctrl.h
>> ---
>> -2.35.1
>> -
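Review bot: Unlike the other three files, this one is tagged "Upstream-Status: Submitted" (the April 2022 hostap list posting), not Backport, so "already fixed" in the commit message needs a concrete 2.11 commit showing that `make install` now installs wpa_passphrase when CONFIG_NO_WPA_PASSPHRASE is unset. If it did not land, 2.11 would still build wpa_passphrase (the cb41c214b78d fix) but the recipe would quietly stop shipping it, a packaging regression that no build failure would surface.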
>> diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch
>> deleted file mode 100644
>> index 620560d3c7..0000000000
>> --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch
>> +++ /dev/null
>> @@ -1,213 +0,0 @@
>> -From f6f7cead3661ceeef54b21f7e799c0afc98537ec Mon Sep 17 00:00:00 2001
>> -From: Jouni Malinen<j@w1.fi>
>> -Date: Sat, 8 Jul 2023 19:55:32 +0300
>> -Subject: [PATCH] PEAP client: Update Phase 2 authentication requirements
>> -
>> -The previous PEAP client behavior allowed the server to skip Phase 2
>> -authentication with the expectation that the server was authenticated
>> -during Phase 1 through TLS server certificate validation. Various PEAP
>> -specifications are not exactly clear on what the behavior on this front
>> -is supposed to be and as such, this ended up being more flexible than
>> -the TTLS/FAST/TEAP cases. However, this is not really ideal when
>> -unfortunately common misconfiguration of PEAP is used in deployed
>> -devices where the server trust root (ca_cert) is not configured or the
>> -user has an easy option for allowing this validation step to be skipped.
>> -
>> -Change the default PEAP client behavior to be to require Phase 2
>> -authentication to be successfully completed for cases where TLS session
>> -resumption is not used and the client certificate has not been
>> -configured. Those two exceptions are the main cases where a deployed
>> -authentication server might skip Phase 2 and as such, where a more
>> -strict default behavior could result in undesired interoperability
>> -issues. Requiring Phase 2 authentication will end up disabling TLS
>> -session resumption automatically to avoid interoperability issues.
>> -
>> -Allow Phase 2 authentication behavior to be configured with a new phase1
>> -configuration parameter option:
>> -'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
>> -tunnel) behavior for PEAP:
>> - * 0 = do not require Phase 2 authentication
>> - * 1 = require Phase 2 authentication when client certificate
>> - (private_key/client_cert) is no used and TLS session resumption was
>> - not used (default)
>> - * 2 = require Phase 2 authentication in all cases
>> -
>> -Signed-off-by: Jouni Malinen<j@w1.fi>
>> -
>> -CVE: CVE-2023-52160
>> -Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=8e6485a1bcb0baffdea9e55255a81270b768439c]
>> -
>> -Signed-off-by: Claus Stovgaard<claus.stovgaard@gmail.com>
>> -
>> ----
>> - src/eap_peer/eap_config.h | 8 ++++++
>> - src/eap_peer/eap_peap.c | 40 +++++++++++++++++++++++++++---
>> - src/eap_peer/eap_tls_common.c | 6 +++++
>> - src/eap_peer/eap_tls_common.h | 5 ++++
>> - wpa_supplicant/wpa_supplicant.conf | 7 ++++++
>> - 5 files changed, 63 insertions(+), 3 deletions(-)
>> -
>> -diff --git a/src/eap_peer/eap_config.h b/src/eap_peer/eap_config.h
>> -index 3238f74..047eec2 100644
>> ---- a/src/eap_peer/eap_config.h
>> -+++ b/src/eap_peer/eap_config.h
>> -@@ -469,6 +469,14 @@ struct eap_peer_config {
>> - * 1 = use cryptobinding if server supports it
>> - * 2 = require cryptobinding
>> - *
>> -+ * phase2_auth option can be used to control Phase 2 (i.e., within TLS
>> -+ * tunnel) behavior for PEAP:
>> -+ * 0 = do not require Phase 2 authentication
>> -+ * 1 = require Phase 2 authentication when client certificate
>> -+ * (private_key/client_cert) is no used and TLS session resumption was
>> -+ * not used (default)
>> -+ * 2 = require Phase 2 authentication in all cases
>> -+ *
>> - * EAP-WSC (WPS) uses following options: pin=Device_Password and
>> - * uuid=Device_UUID
>> - *
>> -diff --git a/src/eap_peer/eap_peap.c b/src/eap_peer/eap_peap.c
>> -index 12e30df..6080697 100644
>> ---- a/src/eap_peer/eap_peap.c
>> -+++ b/src/eap_peer/eap_peap.c
>> -@@ -67,6 +67,7 @@ struct eap_peap_data {
>> - u8 cmk[20];
>> - int soh; /* Whether IF-TNCCS-SOH (Statement of Health; Microsoft NAP)
>> - * is enabled. */
>> -+ enum { NO_AUTH, FOR_INITIAL, ALWAYS } phase2_auth;
>> - };
>> -
>> -
>> -@@ -114,6 +115,19 @@ static void eap_peap_parse_phase1(struct eap_peap_data *data,
>> - wpa_printf(MSG_DEBUG, "EAP-PEAP: Require cryptobinding");
>> - }
>> -
>> -+ if (os_strstr(phase1, "phase2_auth=0")) {
>> -+ data->phase2_auth = NO_AUTH;
>> -+ wpa_printf(MSG_DEBUG,
>> -+ "EAP-PEAP: Do not require Phase 2 authentication");
>> -+ } else if (os_strstr(phase1, "phase2_auth=1")) {
>> -+ data->phase2_auth = FOR_INITIAL;
>> -+ wpa_printf(MSG_DEBUG,
>> -+ "EAP-PEAP: Require Phase 2 authentication for initial connection");
>> -+ } else if (os_strstr(phase1, "phase2_auth=2")) {
>> -+ data->phase2_auth = ALWAYS;
>> -+ wpa_printf(MSG_DEBUG,
>> -+ "EAP-PEAP: Require Phase 2 authentication for all cases");
>> -+ }
>> - #ifdef EAP_TNC
>> - if (os_strstr(phase1, "tnc=soh2")) {
>> - data->soh = 2;
>> -@@ -142,6 +156,7 @@ static void * eap_peap_init(struct eap_sm *sm)
>> - data->force_peap_version = -1;
>> - data->peap_outer_success = 2;
>> - data->crypto_binding = OPTIONAL_BINDING;
>> -+ data->phase2_auth = FOR_INITIAL;
>> -
>> - if (config && config->phase1)
>> - eap_peap_parse_phase1(data, config->phase1);
>> -@@ -454,6 +469,20 @@ static int eap_tlv_validate_cryptobinding(struct eap_sm *sm,
>> - }
>> -
>> -
>> -+static bool peap_phase2_sufficient(struct eap_sm *sm,
>> -+ struct eap_peap_data *data)
>> -+{
>> -+ if ((data->phase2_auth == ALWAYS ||
>> -+ (data->phase2_auth == FOR_INITIAL &&
>> -+ !tls_connection_resumed(sm->ssl_ctx, data->ssl.conn) &&
>> -+ !data->ssl.client_cert_conf) ||
>> -+ data->phase2_eap_started) &&
>> -+ !data->phase2_eap_success)
>> -+ return false;
>> -+ return true;
>> -+}
>> -+
>> -+
>> - /**
>> - * eap_tlv_process - Process a received EAP-TLV message and generate a response
>> - * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
>> -@@ -568,6 +597,11 @@ static int eap_tlv_process(struct eap_sm *sm, struct eap_peap_data *data,
>> - " - force failed Phase 2");
>> - resp_status = EAP_TLV_RESULT_FAILURE;
>> - ret->decision = DECISION_FAIL;
>> -+ } else if (!peap_phase2_sufficient(sm, data)) {
>> -+ wpa_printf(MSG_INFO,
>> -+ "EAP-PEAP: Server indicated Phase 2 success, but sufficient Phase 2 authentication has not been completed");
>> -+ resp_status = EAP_TLV_RESULT_FAILURE;
>> -+ ret->decision = DECISION_FAIL;
>> - } else {
>> - resp_status = EAP_TLV_RESULT_SUCCESS;
>> - ret->decision = DECISION_UNCOND_SUCC;
>> -@@ -887,8 +921,7 @@ continue_req:
>> - /* EAP-Success within TLS tunnel is used to indicate
>> - * shutdown of the TLS channel. The authentication has
>> - * been completed. */
>> -- if (data->phase2_eap_started &&
>> -- !data->phase2_eap_success) {
>> -+ if (!peap_phase2_sufficient(sm, data)) {
>> - wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 "
>> - "Success used to indicate success, "
>> - "but Phase 2 EAP was not yet "
>> -@@ -1199,8 +1232,9 @@ static struct wpabuf * eap_peap_process(struct eap_sm *sm, void *priv,
>> - static bool eap_peap_has_reauth_data(struct eap_sm *sm, void *priv)
>> - {
>> - struct eap_peap_data *data = priv;
>> -+
>> - return tls_connection_established(sm->ssl_ctx, data->ssl.conn) &&
>> -- data->phase2_success;
>> -+ data->phase2_success && data->phase2_auth != ALWAYS;
>> - }
>> -
>> -
>> -diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c
>> -index c1837db..a53eeb1 100644
>> ---- a/src/eap_peer/eap_tls_common.c
>> -+++ b/src/eap_peer/eap_tls_common.c
>> -@@ -239,6 +239,12 @@ static int eap_tls_params_from_conf(struct eap_sm *sm,
>> -
>> - sm->ext_cert_check = !!(params->flags & TLS_CONN_EXT_CERT_CHECK);
>> -
>> -+ if (!phase2)
>> -+ data->client_cert_conf = params->client_cert ||
>> -+ params->client_cert_blob ||
>> -+ params->private_key ||
>> -+ params->private_key_blob;
>> -+
>> - return 0;
>> - }
>> -
>> -diff --git a/src/eap_peer/eap_tls_common.h b/src/eap_peer/eap_tls_common.h
>> -index 9ac0012..3348634 100644
>> ---- a/src/eap_peer/eap_tls_common.h
>> -+++ b/src/eap_peer/eap_tls_common.h
>> -@@ -79,6 +79,11 @@ struct eap_ssl_data {
>> - * tls_v13 - Whether TLS v1.3 or newer is used
>> - */
>> - int tls_v13;
>> -+
>> -+ /**
>> -+ * client_cert_conf: Whether client certificate has been configured
>> -+ */
>> -+ bool client_cert_conf;
>> - };
>> -
>> -
>> -diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
>> -index 6619d6b..d63f73c 100644
>> ---- a/wpa_supplicant/wpa_supplicant.conf
>> -+++ b/wpa_supplicant/wpa_supplicant.conf
>> -@@ -1321,6 +1321,13 @@ fast_reauth=1
>> - # * 0 = do not use cryptobinding (default)
>> - # * 1 = use cryptobinding if server supports it
>> - # * 2 = require cryptobinding
>> -+# 'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
>> -+# tunnel) behavior for PEAP:
>> -+# * 0 = do not require Phase 2 authentication
>> -+# * 1 = require Phase 2 authentication when client certificate
>> -+# (private_key/client_cert) is no used and TLS session resumption was
>> -+# not used (default)
>> -+# * 2 = require Phase 2 authentication in all cases
>> - # EAP-WSC (WPS) uses following options: pin=<Device Password> or
>> - # pbc=1.
>> - #
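Review bot: dropping this backport is only correct because 2.11 ships the upstream fix it carried, so the "CVE's Fixed" entry for CVE-2023-52160 in the commit message should name the upstream commit the patch's Upstream-Status line points at (https://w1.fi/cgit/hostap/commit/?id=8e6485a1bcb0baffdea9e55255a81270b768439c), since this deletion removes the recipe's only `CVE: CVE-2023-52160` tag. The commit message should also flag the user-visible behaviour change that comes with it: the default becomes phase2_auth=1, under which peap_phase2_sufficient() rejects a server-signalled Phase 2 success unless Phase 2 EAP actually succeeded, TLS session resumption was used, or a client certificate is configured, so PEAP deployments whose server skips Phase 2 will now log "EAP-PEAP: Server indicated Phase 2 success, but sufficient Phase 2 authentication has not been completed" and fail (the intended hardening), and phase2_auth=2 additionally disables TLS session resumption via eap_peap_has_reauth_data().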
>> diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch
>> deleted file mode 100644
>> index 6e930fc98d..0000000000
>> --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch
>> +++ /dev/null
>> @@ -1,73 +0,0 @@
>> -From cb41c214b78d6df187a31950342e48a403dbd769 Mon Sep 17 00:00:00 2001
>> -From: Sergey Matyukevich<geomatsi@gmail.com>
>> -Date: Tue, 22 Feb 2022 11:52:19 +0300
>> -Subject: [PATCH 1/2] build: Re-enable options for libwpa_client.so and
>> - wpa_passphrase
>> -
>> -Commit a41a29192e5d ("build: Pull common fragments into a build.rules
>> -file") introduced a regression into wpa_supplicant build process. The
>> -build target libwpa_client.so is not built regardless of whether the
>> -option CONFIG_BUILD_WPA_CLIENT_SO is set or not. This happens because
>> -this config option is used before it is imported from the configuration
>> -file. Moving its use after including build.rules does not help: the
>> -variable ALL is processed by build.rules and further changes are not
>> -applied. Similarly, option CONFIG_NO_WPA_PASSPHRASE also does not work
>> -as expected: wpa_passphrase is always built regardless of whether the
>> -option is set or not.
>> -
>> -Re-enable these options by adding both build targets to _all
>> -dependencies.
>> -
>> -Fixes: a41a29192e5d ("build: Pull common fragments into a build.rules file")
>> -Signed-off-by: Sergey Matyukevich<geomatsi@gmail.com>
>> -Upstream-Status: Backport
>> -Signed-off-by: Alex Kiernan<alexk@zuma.ai>
>> -Signed-off-by: Alex Kiernan<alexk@gmail.com>
>> ----
>> - wpa_supplicant/Makefile | 19 ++++++++++++-------
>> - 1 file changed, 12 insertions(+), 7 deletions(-)
>> -
>> -diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
>> -index cb66defac7c8..c456825ae75f 100644
>> ---- a/wpa_supplicant/Makefile
>> -+++ b/wpa_supplicant/Makefile
>> -@@ -1,24 +1,29 @@
>> - BINALL=wpa_supplicant wpa_cli
>> -
>> --ifndef CONFIG_NO_WPA_PASSPHRASE
>> --BINALL += wpa_passphrase
>> --endif
>> --
>> - ALL = $(BINALL)
>> - ALL += systemd/wpa_supplicant.service
>> - ALL +=systemd/wpa_supplicant@.service
>> - ALL +=systemd/wpa_supplicant-nl80211@.service
>> - ALL +=systemd/wpa_supplicant-wired@.service
>> - ALL += dbus/fi.w1.wpa_supplicant1.service
>> --ifdef CONFIG_BUILD_WPA_CLIENT_SO
>> --ALL += libwpa_client.so
>> --endif
>> -
>> - EXTRA_TARGETS=dynamic_eap_methods
>> -
>> - CONFIG_FILE=.config
>> - include ../src/build.rules
>> -
>> -+ifdef CONFIG_BUILD_WPA_CLIENT_SO
>> -+# add the dependency this way to allow CONFIG_BUILD_WPA_CLIENT_SO
>> -+# being set in the config which is read by build.rules
>> -+_all: libwpa_client.so
>> -+endif
>> -+
>> -+ifndef CONFIG_NO_WPA_PASSPHRASE
>> -+# add the dependency this way to allow CONFIG_NO_WPA_PASSPHRASE
>> -+# being set in the config which is read by build.rules
>> -+_all: wpa_passphrase
>> -+endif
>> -+
>> - ifdef LIBS
>> - # If LIBS is set with some global build system defaults, clone those for
>> - # LIBS_c and LIBS_p to cover wpa_passphrase and wpa_cli as well.
>> ---
>> -2.35.1
>> -
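Review bot: the commit message's Note says these patches "are already fixed" but not where; this one is tagged Upstream-Status: Backport and carries its upstream id in the From line (cb41c214b78d6df187a31950342e48a403dbd769), as does the wpa_passphrase make-clean fix that follows (d001b301ba7987f4b39453a211631b85c48f2ff8), so please cite those ids in the Note so a reviewer can confirm they are reachable from hostap_2_11 without re-reading the deleted patches.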
>> diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch
>> deleted file mode 100644
>> index 53b0fcdf53..0000000000
>> --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch
>> +++ /dev/null
>> @@ -1,26 +0,0 @@
>> -From d001b301ba7987f4b39453a211631b85c48f2ff8 Mon Sep 17 00:00:00 2001
>> -From: Jouni Malinen<quic_jouni@quicinc.com>
>> -Date: Thu, 3 Mar 2022 13:26:42 +0200
>> -Subject: [PATCH 2/2] Fix removal of wpa_passphrase on 'make clean'
>> -
>> -Fixes: 0430bc8267b4 ("build: Add a common-clean target")
>> -Signed-off-by: Jouni Malinen<quic_jouni@quicinc.com>
>> -Upstream-Status: Backport
>> -Signed-off-by: Alex Kiernan<alexk@zuma.ai>
>> -Signed-off-by: Alex Kiernan<alexk@gmail.com>
>> ----
>> - wpa_supplicant/Makefile | 1 +
>> - 1 file changed, 1 insertion(+)
>> -
>> -diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
>> -index c456825ae75f..4b4688931b1d 100644
>> ---- a/wpa_supplicant/Makefile
>> -+++ b/wpa_supplicant/Makefile
>> -@@ -2077,3 +2077,4 @@ clean: common-clean
>> - rm -f libwpa_client.a
>> - rm -f libwpa_client.so
>> - rm -f libwpa_test1 libwpa_test2
>> -+ rm -f wpa_passphrase
>> ---
>> -2.35.1
>> -
>> diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.11.bb
>> similarity index 90%
>> rename from meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb
>> rename to meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.11.bb
>> index 8113bcab09..321dedc58a 100644
>> --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb
>> +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.11.bb
>> @@ -5,8 +5,8 @@ BUGTRACKER ="http://w1.fi/security/"
>> SECTION = "network"
>> LICENSE = "BSD-3-Clause"
>> LIC_FILES_CHKSUM ="file://COPYING;md5=5ebcb90236d1ad640558c3d3cd3035df \ - file://README;beginline=1;endline=56;md5=e3d2f6c2948991e37c1ca4960de84747 \ - file://wpa_supplicant/wpa_supplicant.c;beginline=1;endline=12;md5=76306a95306fee9a976b0ac1be70f705"
>> +file://README;beginline=1;endline=56;md5=6e4b25e7d74bfc44a32ba37bdf5210a6 \
>> +file://wpa_supplicant/wpa_supplicant.c;beginline=1;endline=12;md5=f5ccd57ea91e04800edb88267bf8eae4"
>> DEPENDS = "dbus libnl"
>> @@ -15,12 +15,8 @@ SRC_URI ="http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \ file://wpa_supplicant.conf \ file://wpa_supplicant.conf-sane \ file://99_wpa_supplicant \ - file://0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch \ - file://0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch \ - file://0001-Install-wpa_passphrase-when-not-disabled.patch \ - file://0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch \ "
>> -SRC_URI[sha256sum] = "20df7ae5154b3830355f8ab4269123a87affdea59fe74fe9292a91d0d7e17b2f"
>> +SRC_URI[sha256sum] = "912ea06f74e30a8e36fbb68064d6cdff218d8d591db0fc5d75dee6c81ac7fc0a"
>> S = "${WORKDIR}/wpa_supplicant-${PV}"
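Review bot: unlike the other three dropped patches, 0001-Install-wpa_passphrase-when-not-disabled.patch was tagged Upstream-Status: Submitted (http://lists.infradead.org/pipermail/hostap/2022-April/040448.html) rather than Backport, so "already fixed" needs backing here: the commit message should point at the upstream commit in 2.11 that installs wpa_passphrase when CONFIG_NO_WPA_PASSPHRASE is unset, otherwise removing it from SRC_URI can silently regress the `make install` behaviour that patch added. The new SRC_URI[sha256sum] should also be confirmed against the upstream 2.11 release tarball named by SRC_URI.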
>>
>>
>>
>
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#203665): https://lists.openembedded.org/g/openembedded-core/message/203665
> Mute This Topic: https://lists.openembedded.org/mt/108040776/5192326
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [quic_vkraleti@quicinc.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
* Re: [OE-core][master][scarthgap][PATCH] wpa-supplicant: Upgrade 2.10 -> 2.11
2024-08-23 15:59 ` Viswanath Kraleti
@ 2024-08-23 16:39 ` Alexander Kanavin
2024-08-23 17:17 ` [master][scarthgap][PATCH] " Siddharth Doshi
0 siblings, 1 reply; 7+ messages in thread
From: Alexander Kanavin @ 2024-08-23 16:39 UTC (permalink / raw)
To: quic_vkraleti; +Cc: randy.macleod, sdoshi, openembedded-core, steve@sakoman.com
Sorry, no. This same argument can be made for any other component in
scarthgap where a major new release happened after scarthgap was
released. The correct way to provide updated component versions in LTS
is via this layer:
https://git.yoctoproject.org/meta-lts-mixins/
So please send a patch for that.
Alex
On Fri, 23 Aug 2024 at 18:00, Viswanath Kraleti via
lists.openembedded.org
<quic_vkraleti=quicinc.com@lists.openembedded.org> wrote:
>
> Hello Randy,
>
> Version 2.11 of wpa-supplicant/hostapd was released almost 2.5 years after 2.10, which was released on 2022-01-16. A lot of people have been eagerly waiting for this release for a long time. 2.11 has crucial HE/IEEE 802.11ax/Wi-Fi 6 support and preliminary support for EHT/IEEE 802.11be/Wi-Fi 7. It also supports WPA3, which is a mandatory certification for Wi-Fi CERTIFIED™ devices.
>
> I do accept that this release missed the Yocto community's Scarthgap cutoff. But considering the longevity of Scarthgap (a good 3.5 years from now) and the number of people interested in Scarthgap, it is best if wpa-supplicant/hostapd are switched to 2.11.
>
> // Viswanath
>
> On 8/23/2024 6:26 AM, Randy MacLeod via lists.openembedded.org wrote:
> > For scarthgap, it's good but not mandatory to have Steve on the To/CC list.
> >
> > On 2024-08-22 12:17 p.m., Siddharth Doshi via lists.openembedded.org wrote:
> >> From: Siddharth Doshi <sdoshi@mvista.com>
> >>
> >> License-Update:
> >> ===============
> >> - README: Change in copyright years as per https://w1.fi/cgit/hostap/commit/README?id=d945ddd368085f255e68328f2d3b020ceea359af
> >> - wpa_supplicant/wpa_supplicant.c: Change in copyright years as per https://w1.fi/cgit/hostap/commit/wpa_supplicant/wpa_supplicant.c?id=d945ddd368085f255e68328f2d3b020ceea359af
> >>
> >> CVE's Fixed:
> >> ===========
> >> - CVE-2024-5290 wpa_supplicant: wpa_supplicant loading arbitrary shared objects allowing privilege escalation
> >> - CVE-2023-52160 wpa_supplicant: potential authorization bypass
> >>
> >> Changes between 2.10 -> 2.11:
> >> ============================
> >> https://w1.fi/cgit/hostap/commit/wpa_supplicant/ChangeLog?id=d945ddd368085f255e68328f2d3b020ceea359af
> >
> >
> > Hello Siddharth,
> >
> >
> > This update makes sense for the master branch but likely not for scarthgap unless you can show that
> > this is a bug-fix-only release.
>
> >
> >
> > It certainly does not look like a small bug fix only update based on:
> >
> > ❯ git diff hostap_2_10 hostap_2_11 | diffstat | tail -1
> > 534 files changed, 85965 insertions(+), 16847 deletions(-)
> >
> > ❯ git log --oneline hostap_2_10..hostap_2_11 | wc -l
> > 2295
> >
> > and the hostap and wpa-supplicant ChangeLogs which mention adding features below (1).
> >
> >
> > Since the repo ( git://w1.fi/srv/git/hostap.git ) doesn't have a stable branch for 2.10:
> >
> > ❯ git branch -a
> > * master
> > remotes/origin/HEAD -> origin/master
> > remotes/origin/android-jb
> > remotes/origin/android-kk
> > remotes/origin/android-l
> > remotes/origin/android-m
> > remotes/origin/aosp-jb
> > remotes/origin/aosp-kk
> > remotes/origin/main
> > remotes/origin/master
> > remotes/origin/pending
> >
> >
> > you'll have to backport any CVE fixes that you're interested in unless
> > someone explains why this is a sensible update for scarthgap.
> >
> > Thanks,
> >
> > ../Randy
> >
> >
> > 1)
> >
> >
> > ❯ git diff hostap_2_10 hostap_2_11 hostapd/ChangeLog | cat
> > diff --git a/hostapd/ChangeLog b/hostapd/ChangeLog
> > index 279298e4d..1c8240d33 100644
> > --- a/hostapd/ChangeLog
> > +++ b/hostapd/ChangeLog
> > @@ -1,5 +1,42 @@
> > ChangeLog for hostapd
> >
> > +2024-07-20 - v2.11
> > + * Wi-Fi Easy Connect
> > + - add support for DPP release 3
> > + - allow Configurator parameters to be provided during config exchange
> > + * HE/IEEE 802.11ax/Wi-Fi 6
> > + - various fixes
> > + * EHT/IEEE 802.11be/Wi-Fi 7
> > + - add preliminary support
> > + * SAE: add support for fetching the password from a RADIUS server
> > + * support OpenSSL 3.0 API changes
> > + * support background radar detection and CAC with some additional
> > + drivers
> > + * support RADIUS ACL/PSK check during 4-way handshake (wpa_psk_radius=3)
> > + * EAP-SIM/AKA: support IMSI privacy
> > + * improve 4-way handshake operations
> > + - use Secure=1 in message 3 during PTK rekeying
> > + * OCV: do not check Frequency Segment 1 Channel Number for 160 MHz cases
> > + to avoid interoperability issues
> > + * support new SAE AKM suites with variable length keys
> > + * support new AKM for 802.1X/EAP with SHA384
> > + * extend PASN support for secure ranging
> > + * FT: Use SHA256 to derive PMKID for AKM 00-0F-AC:3 (FT-EAP)
> > + - this is based on additional details being added in the IEEE 802.11
> > + standard
> > + - the new implementation is not backwards compatible
> > + * improved ACS to cover additional channel types/bandwidths
> > + * extended Multiple BSSID support
> > + * fix beacon protection with FT protocol (incorrect BIGTK was provided)
> > + * support unsynchronized service discovery (USD)
> > + * add preliminary support for RADIUS/TLS
> > + * add support for explicit SSID protection in 4-way handshake
> > + (a mitigation for CVE-2023-52424; disabled by default for now, can be
> > + enabled with ssid_protection=1)
> > + * fix SAE H2E rejected groups validation to avoid downgrade attacks
> > + * use stricter validation for some RADIUS messages
> > + * a large number of other fixes, cleanup, and extensions
> > +
> > 2022-01-16 - v2.10
> > * SAE changes
> > - improved protection against side channel attacks
> >
> >
> > ❯ git diff hostap_2_10 hostap_2_11 wpa_supplicant/ChangeLog | cat
> > diff --git a/wpa_supplicant/ChangeLog b/wpa_supplicant/ChangeLog
> > index efcc6cd9c..3f4162eb0 100644
> > --- a/wpa_supplicant/ChangeLog
> > +++ b/wpa_supplicant/ChangeLog
> > @@ -1,5 +1,55 @@
> > ChangeLog for wpa_supplicant
> >
> > +2024-07-20 - v2.11
> > + * Wi-Fi Easy Connect
> > + - add support for DPP release 3
> > + - allow Configurator parameters to be provided during config exchange
> > + * MACsec
> > + - add support for GCM-AES-256 cipher suite
> > + - remove incorrect EAP Session-Id length constraint
> > + - add hardware offload support for additional drivers
> > + * HE/IEEE 802.11ax/Wi-Fi 6
> > + - support BSS color updates
> > + - various fixes
> > + * EHT/IEEE 802.11be/Wi-Fi 7
> > + - add preliminary support
> > + * support OpenSSL 3.0 API changes
> > + * improve EAP-TLS support for TLSv1.3
> > + * EAP-SIM/AKA: support IMSI privacy
> > + * improve mitigation against DoS attacks when PMF is used
> > + * improve 4-way handshake operations
> > + - discard unencrypted EAPOL frames in additional cases
> > + - use Secure=1 in message 2 during PTK rekeying
> > + * OCV: do not check Frequency Segment 1 Channel Number for 160 MHz cases
> > + to avoid interoperability issues
> > + * support new SAE AKM suites with variable length keys
> > + * support new AKM for 802.1X/EAP with SHA384
> > + * improve cross-AKM roaming with driver-based SME/BSS selection
> > + * PASN
> > + - extend support for secure ranging
> > + - allow PASN implementation to be used with external programs for
> > + Wi-Fi Aware
> > + * FT: Use SHA256 to derive PMKID for AKM 00-0F-AC:3 (FT-EAP)
> > + - this is based on additional details being added in the IEEE 802.11
> > + standard
> > + - the new implementation is not backwards compatible, but PMKSA
> > + caching with FT-EAP was, and still is, disabled by default
> > + * support a pregenerated MAC (mac_addr=3) as an alternative mechanism
> > + for using per-network random MAC addresses
> > + * EAP-PEAP: require Phase 2 authentication by default (phase2_auth=1)
> > + to improve security for still unfortunately common invalid
> > + configurations that do not set ca_cert
> > + * extend SCS support for QoS Characteristics
> > + * extend MSCS support
> > + * support unsynchronized service discovery (USD)
> > + * add support for explicit SSID protection in 4-way handshake
> > + (a mitigation for CVE-2023-52424; disabled by default for now, can be
> > + enabled with ssid_protection=1)
> > + - in addition, verify SSID after key setup when beacon protection is
> > + used
> > + * fix SAE H2E rejected groups validation to avoid downgrade attacks
> > + * a large number of other fixes, cleanup, and extensions
> > +
> > 2022-01-16 - v2.10
> > * SAE changes
> > - improved protection against side channel attacks
> >
> >
> >>
> >> Note:
> >> =====
> >> Patches
> >> 0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch,
> >> 0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch,
> >> 0001-Install-wpa_passphrase-when-not-disabled.patch,
> >> 0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch (CVE-2023-52160)
> >> are already fixed and hence removing them.
> >>
> >> Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
> >> ---
> >> ...all-wpa_passphrase-when-not-disabled.patch | 33 ---
> >> ...te-Phase-2-authentication-requiremen.patch | 213 ------------------
> >> ...options-for-libwpa_client.so-and-wpa.patch | 73 ------
> >> ...oval-of-wpa_passphrase-on-make-clean.patch | 26 ---
> >> ...plicant_2.10.bb => wpa-supplicant_2.11.bb} | 10 +-
> >> 5 files changed, 3 insertions(+), 352 deletions(-)
> >> delete mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-Install-wpa_passphrase-when-not-disabled.patch
> >> delete mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch
> >> delete mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch
> >> delete mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch
> >> rename meta/recipes-connectivity/wpa-supplicant/{wpa-supplicant_2.10.bb => wpa-supplicant_2.11.bb} (90%)
> >>
> >> diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-Install-wpa_passphrase-when-not-disabled.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-Install-wpa_passphrase-when-not-disabled.patch
> >> deleted file mode 100644
> >> index c04c608bde..0000000000
> >> --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-Install-wpa_passphrase-when-not-disabled.patch
> >> +++ /dev/null
> >> @@ -1,33 +0,0 @@
> >> -From 57b12a1e43605f71239a21488cb9b541f0751dda Mon Sep 17 00:00:00 2001
> >> -From: Alex Kiernan<alexk@zuma.ai>
> >> -Date: Thu, 21 Apr 2022 10:15:29 +0100
> >> -Subject: [PATCH] Install wpa_passphrase when not disabled
> >> -
> >> -As part of fixing CONFIG_NO_WPA_PASSPHRASE, whilst wpa_passphrase gets
> >> -built, its not installed during `make install`.
> >> -
> >> -Fixes: cb41c214b78d ("build: Re-enable options for libwpa_client.so and wpa_passphrase")
> >> -Signed-off-by: Alex Kiernan<alexk@zuma.ai>
> >> -Signed-off-by: Alex Kiernan<alex.kiernan@gmail.com>
> >> -Upstream-Status: Submitted [http://lists.infradead.org/pipermail/hostap/2022-April/040448.html]
> >> ----
> >> - wpa_supplicant/Makefile | 3 +++
> >> - 1 file changed, 3 insertions(+)
> >> -
> >> -diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
> >> -index 0bab313f2355..12787c0c7d0f 100644
> >> ---- a/wpa_supplicant/Makefile
> >> -+++ b/wpa_supplicant/Makefile
> >> -@@ -73,6 +73,9 @@ $(DESTDIR)$(BINDIR)/%: %
> >> -
> >> - install: $(addprefix $(DESTDIR)$(BINDIR)/,$(BINALL))
> >> - $(MAKE) -C ../src install
> >> -+ifndef CONFIG_NO_WPA_PASSPHRASE
> >> -+ install -D wpa_passphrase $(DESTDIR)/$(BINDIR)/wpa_passphrase
> >> -+endif
> >> - ifdef CONFIG_BUILD_WPA_CLIENT_SO
> >> - install -m 0644 -D libwpa_client.so $(DESTDIR)/$(LIBDIR)/libwpa_client.so
> >> - install -m 0644 -D ../src/common/wpa_ctrl.h $(DESTDIR)/$(INCDIR)/wpa_ctrl.h
> >> ---
> >> -2.35.1
> >> -
> >> diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch
> >> deleted file mode 100644
> >> index 620560d3c7..0000000000
> >> --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch
> >> +++ /dev/null
> >> @@ -1,213 +0,0 @@
> >> -From f6f7cead3661ceeef54b21f7e799c0afc98537ec Mon Sep 17 00:00:00 2001
> >> -From: Jouni Malinen<j@w1.fi>
> >> -Date: Sat, 8 Jul 2023 19:55:32 +0300
> >> -Subject: [PATCH] PEAP client: Update Phase 2 authentication requirements
> >> -
> >> -The previous PEAP client behavior allowed the server to skip Phase 2
> >> -authentication with the expectation that the server was authenticated
> >> -during Phase 1 through TLS server certificate validation. Various PEAP
> >> -specifications are not exactly clear on what the behavior on this front
> >> -is supposed to be and as such, this ended up being more flexible than
> >> -the TTLS/FAST/TEAP cases. However, this is not really ideal when
> >> -unfortunately common misconfiguration of PEAP is used in deployed
> >> -devices where the server trust root (ca_cert) is not configured or the
> >> -user has an easy option for allowing this validation step to be skipped.
> >> -
> >> -Change the default PEAP client behavior to be to require Phase 2
> >> -authentication to be successfully completed for cases where TLS session
> >> -resumption is not used and the client certificate has not been
> >> -configured. Those two exceptions are the main cases where a deployed
> >> -authentication server might skip Phase 2 and as such, where a more
> >> -strict default behavior could result in undesired interoperability
> >> -issues. Requiring Phase 2 authentication will end up disabling TLS
> >> -session resumption automatically to avoid interoperability issues.
> >> -
> >> -Allow Phase 2 authentication behavior to be configured with a new phase1
> >> -configuration parameter option:
> >> -'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
> >> -tunnel) behavior for PEAP:
> >> - * 0 = do not require Phase 2 authentication
> >> - * 1 = require Phase 2 authentication when client certificate
> >> - (private_key/client_cert) is no used and TLS session resumption was
> >> - not used (default)
> >> - * 2 = require Phase 2 authentication in all cases
> >> -
> >> -Signed-off-by: Jouni Malinen<j@w1.fi>
> >> -
> >> -CVE: CVE-2023-52160
> >> -Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=8e6485a1bcb0baffdea9e55255a81270b768439c]
> >> -
> >> -Signed-off-by: Claus Stovgaard<claus.stovgaard@gmail.com>
> >> -
> >> ----
> >> - src/eap_peer/eap_config.h | 8 ++++++
> >> - src/eap_peer/eap_peap.c | 40 +++++++++++++++++++++++++++---
> >> - src/eap_peer/eap_tls_common.c | 6 +++++
> >> - src/eap_peer/eap_tls_common.h | 5 ++++
> >> - wpa_supplicant/wpa_supplicant.conf | 7 ++++++
> >> - 5 files changed, 63 insertions(+), 3 deletions(-)
> >> -
> >> -diff --git a/src/eap_peer/eap_config.h b/src/eap_peer/eap_config.h
> >> -index 3238f74..047eec2 100644
> >> ---- a/src/eap_peer/eap_config.h
> >> -+++ b/src/eap_peer/eap_config.h
> >> -@@ -469,6 +469,14 @@ struct eap_peer_config {
> >> - * 1 = use cryptobinding if server supports it
> >> - * 2 = require cryptobinding
> >> - *
> >> -+ * phase2_auth option can be used to control Phase 2 (i.e., within TLS
> >> -+ * tunnel) behavior for PEAP:
> >> -+ * 0 = do not require Phase 2 authentication
> >> -+ * 1 = require Phase 2 authentication when client certificate
> >> -+ * (private_key/client_cert) is no used and TLS session resumption was
> >> -+ * not used (default)
> >> -+ * 2 = require Phase 2 authentication in all cases
> >> -+ *
> >> - * EAP-WSC (WPS) uses following options: pin=Device_Password and
> >> - * uuid=Device_UUID
> >> - *
> >> -diff --git a/src/eap_peer/eap_peap.c b/src/eap_peer/eap_peap.c
> >> -index 12e30df..6080697 100644
> >> ---- a/src/eap_peer/eap_peap.c
> >> -+++ b/src/eap_peer/eap_peap.c
> >> -@@ -67,6 +67,7 @@ struct eap_peap_data {
> >> - u8 cmk[20];
> >> - int soh; /* Whether IF-TNCCS-SOH (Statement of Health; Microsoft NAP)
> >> - * is enabled. */
> >> -+ enum { NO_AUTH, FOR_INITIAL, ALWAYS } phase2_auth;
> >> - };
> >> -
> >> -
> >> -@@ -114,6 +115,19 @@ static void eap_peap_parse_phase1(struct eap_peap_data *data,
> >> - wpa_printf(MSG_DEBUG, "EAP-PEAP: Require cryptobinding");
> >> - }
> >> -
> >> -+ if (os_strstr(phase1, "phase2_auth=0")) {
> >> -+ data->phase2_auth = NO_AUTH;
> >> -+ wpa_printf(MSG_DEBUG,
> >> -+ "EAP-PEAP: Do not require Phase 2 authentication");
> >> -+ } else if (os_strstr(phase1, "phase2_auth=1")) {
> >> -+ data->phase2_auth = FOR_INITIAL;
> >> -+ wpa_printf(MSG_DEBUG,
> >> -+ "EAP-PEAP: Require Phase 2 authentication for initial connection");
> >> -+ } else if (os_strstr(phase1, "phase2_auth=2")) {
> >> -+ data->phase2_auth = ALWAYS;
> >> -+ wpa_printf(MSG_DEBUG,
> >> -+ "EAP-PEAP: Require Phase 2 authentication for all cases");
> >> -+ }
> >> - #ifdef EAP_TNC
> >> - if (os_strstr(phase1, "tnc=soh2")) {
> >> - data->soh = 2;
> >> -@@ -142,6 +156,7 @@ static void * eap_peap_init(struct eap_sm *sm)
> >> - data->force_peap_version = -1;
> >> - data->peap_outer_success = 2;
> >> - data->crypto_binding = OPTIONAL_BINDING;
> >> -+ data->phase2_auth = FOR_INITIAL;
> >> -
> >> - if (config && config->phase1)
> >> - eap_peap_parse_phase1(data, config->phase1);
> >> -@@ -454,6 +469,20 @@ static int eap_tlv_validate_cryptobinding(struct eap_sm *sm,
> >> - }
> >> -
> >> -
> >> -+static bool peap_phase2_sufficient(struct eap_sm *sm,
> >> -+ struct eap_peap_data *data)
> >> -+{
> >> -+ if ((data->phase2_auth == ALWAYS ||
> >> -+ (data->phase2_auth == FOR_INITIAL &&
> >> -+ !tls_connection_resumed(sm->ssl_ctx, data->ssl.conn) &&
> >> -+ !data->ssl.client_cert_conf) ||
> >> -+ data->phase2_eap_started) &&
> >> -+ !data->phase2_eap_success)
> >> -+ return false;
> >> -+ return true;
> >> -+}
> >> -+
> >> -+
> >> - /**
> >> - * eap_tlv_process - Process a received EAP-TLV message and generate a response
> >> - * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
> >> -@@ -568,6 +597,11 @@ static int eap_tlv_process(struct eap_sm *sm, struct eap_peap_data *data,
> >> - " - force failed Phase 2");
> >> - resp_status = EAP_TLV_RESULT_FAILURE;
> >> - ret->decision = DECISION_FAIL;
> >> -+ } else if (!peap_phase2_sufficient(sm, data)) {
> >> -+ wpa_printf(MSG_INFO,
> >> -+ "EAP-PEAP: Server indicated Phase 2 success, but sufficient Phase 2 authentication has not been completed");
> >> -+ resp_status = EAP_TLV_RESULT_FAILURE;
> >> -+ ret->decision = DECISION_FAIL;
> >> - } else {
> >> - resp_status = EAP_TLV_RESULT_SUCCESS;
> >> - ret->decision = DECISION_UNCOND_SUCC;
> >> -@@ -887,8 +921,7 @@ continue_req:
> >> - /* EAP-Success within TLS tunnel is used to indicate
> >> - * shutdown of the TLS channel. The authentication has
> >> - * been completed. */
> >> -- if (data->phase2_eap_started &&
> >> -- !data->phase2_eap_success) {
> >> -+ if (!peap_phase2_sufficient(sm, data)) {
> >> - wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 "
> >> - "Success used to indicate success, "
> >> - "but Phase 2 EAP was not yet "
> >> -@@ -1199,8 +1232,9 @@ static struct wpabuf * eap_peap_process(struct eap_sm *sm, void *priv,
> >> - static bool eap_peap_has_reauth_data(struct eap_sm *sm, void *priv)
> >> - {
> >> - struct eap_peap_data *data = priv;
> >> -+
> >> - return tls_connection_established(sm->ssl_ctx, data->ssl.conn) &&
> >> -- data->phase2_success;
> >> -+ data->phase2_success && data->phase2_auth != ALWAYS;
> >> - }
> >> -
> >> -
> >> -diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c
> >> -index c1837db..a53eeb1 100644
> >> ---- a/src/eap_peer/eap_tls_common.c
> >> -+++ b/src/eap_peer/eap_tls_common.c
> >> -@@ -239,6 +239,12 @@ static int eap_tls_params_from_conf(struct eap_sm *sm,
> >> -
> >> - sm->ext_cert_check = !!(params->flags & TLS_CONN_EXT_CERT_CHECK);
> >> -
> >> -+ if (!phase2)
> >> -+ data->client_cert_conf = params->client_cert ||
> >> -+ params->client_cert_blob ||
> >> -+ params->private_key ||
> >> -+ params->private_key_blob;
> >> -+
> >> - return 0;
> >> - }
> >> -
> >> -diff --git a/src/eap_peer/eap_tls_common.h b/src/eap_peer/eap_tls_common.h
> >> -index 9ac0012..3348634 100644
> >> ---- a/src/eap_peer/eap_tls_common.h
> >> -+++ b/src/eap_peer/eap_tls_common.h
> >> -@@ -79,6 +79,11 @@ struct eap_ssl_data {
> >> - * tls_v13 - Whether TLS v1.3 or newer is used
> >> - */
> >> - int tls_v13;
> >> -+
> >> -+ /**
> >> -+ * client_cert_conf: Whether client certificate has been configured
> >> -+ */
> >> -+ bool client_cert_conf;
> >> - };
> >> -
> >> -
> >> -diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
> >> -index 6619d6b..d63f73c 100644
> >> ---- a/wpa_supplicant/wpa_supplicant.conf
> >> -+++ b/wpa_supplicant/wpa_supplicant.conf
> >> -@@ -1321,6 +1321,13 @@ fast_reauth=1
> >> - # * 0 = do not use cryptobinding (default)
> >> - # * 1 = use cryptobinding if server supports it
> >> - # * 2 = require cryptobinding
> >> -+# 'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
> >> -+# tunnel) behavior for PEAP:
> >> -+# * 0 = do not require Phase 2 authentication
> >> -+# * 1 = require Phase 2 authentication when client certificate
> >> -+# (private_key/client_cert) is no used and TLS session resumption was
> >> -+# not used (default)
> >> -+# * 2 = require Phase 2 authentication in all cases
> >> - # EAP-WSC (WPS) uses following options: pin=<Device Password> or
> >> - # pbc=1.
> >> - #
> >> diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch
> >> deleted file mode 100644
> >> index 6e930fc98d..0000000000
> >> --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch
> >> +++ /dev/null
> >> @@ -1,73 +0,0 @@
> >> -From cb41c214b78d6df187a31950342e48a403dbd769 Mon Sep 17 00:00:00 2001
> >> -From: Sergey Matyukevich<geomatsi@gmail.com>
> >> -Date: Tue, 22 Feb 2022 11:52:19 +0300
> >> -Subject: [PATCH 1/2] build: Re-enable options for libwpa_client.so and
> >> - wpa_passphrase
> >> -
> >> -Commit a41a29192e5d ("build: Pull common fragments into a build.rules
> >> -file") introduced a regression into wpa_supplicant build process. The
> >> -build target libwpa_client.so is not built regardless of whether the
> >> -option CONFIG_BUILD_WPA_CLIENT_SO is set or not. This happens because
> >> -this config option is used before it is imported from the configuration
> >> -file. Moving its use after including build.rules does not help: the
> >> -variable ALL is processed by build.rules and further changes are not
> >> -applied. Similarly, option CONFIG_NO_WPA_PASSPHRASE also does not work
> >> -as expected: wpa_passphrase is always built regardless of whether the
> >> -option is set or not.
> >> -
> >> -Re-enable these options by adding both build targets to _all
> >> -dependencies.
> >> -
> >> -Fixes: a41a29192e5d ("build: Pull common fragments into a build.rules file")
> >> -Signed-off-by: Sergey Matyukevich<geomatsi@gmail.com>
> >> -Upstream-Status: Backport
> >> -Signed-off-by: Alex Kiernan<alexk@zuma.ai>
> >> -Signed-off-by: Alex Kiernan<alexk@gmail.com>
> >> ----
> >> - wpa_supplicant/Makefile | 19 ++++++++++++-------
> >> - 1 file changed, 12 insertions(+), 7 deletions(-)
> >> -
> >> -diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
> >> -index cb66defac7c8..c456825ae75f 100644
> >> ---- a/wpa_supplicant/Makefile
> >> -+++ b/wpa_supplicant/Makefile
> >> -@@ -1,24 +1,29 @@
> >> - BINALL=wpa_supplicant wpa_cli
> >> -
> >> --ifndef CONFIG_NO_WPA_PASSPHRASE
> >> --BINALL += wpa_passphrase
> >> --endif
> >> --
> >> - ALL = $(BINALL)
> >> - ALL += systemd/wpa_supplicant.service
> >> - ALL +=systemd/wpa_supplicant@.service
> >> - ALL +=systemd/wpa_supplicant-nl80211@.service
> >> - ALL +=systemd/wpa_supplicant-wired@.service
> >> - ALL += dbus/fi.w1.wpa_supplicant1.service
> >> --ifdef CONFIG_BUILD_WPA_CLIENT_SO
> >> --ALL += libwpa_client.so
> >> --endif
> >> -
> >> - EXTRA_TARGETS=dynamic_eap_methods
> >> -
> >> - CONFIG_FILE=.config
> >> - include ../src/build.rules
> >> -
> >> -+ifdef CONFIG_BUILD_WPA_CLIENT_SO
> >> -+# add the dependency this way to allow CONFIG_BUILD_WPA_CLIENT_SO
> >> -+# being set in the config which is read by build.rules
> >> -+_all: libwpa_client.so
> >> -+endif
> >> -+
> >> -+ifndef CONFIG_NO_WPA_PASSPHRASE
> >> -+# add the dependency this way to allow CONFIG_NO_WPA_PASSPHRASE
> >> -+# being set in the config which is read by build.rules
> >> -+_all: wpa_passphrase
> >> -+endif
> >> -+
> >> - ifdef LIBS
> >> - # If LIBS is set with some global build system defaults, clone those for
> >> - # LIBS_c and LIBS_p to cover wpa_passphrase and wpa_cli as well.
> >> ---
> >> -2.35.1
> >> -
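Review bot: The removed patch's own header gives the upstream commit (cb41c214b78d6df187a31950342e48a403dbd769, "build: Re-enable options for libwpa_client.so and wpa_passphrase"), so the commit message's Note can cite that id instead of the bare "already fixed". The fix it carried is the Makefile ordering where `_all: libwpa_client.so` and `_all: wpa_passphrase` are added after `include ../src/build.rules`; that ordering is what to confirm in the 2.11 Makefile, together with a check that the upgraded recipe still packages libwpa_client.so and wpa_passphrase.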
> >> diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch
> >> deleted file mode 100644
> >> index 53b0fcdf53..0000000000
> >> --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch
> >> +++ /dev/null
> >> @@ -1,26 +0,0 @@
> >> -From d001b301ba7987f4b39453a211631b85c48f2ff8 Mon Sep 17 00:00:00 2001
> >> -From: Jouni Malinen<quic_jouni@quicinc.com>
> >> -Date: Thu, 3 Mar 2022 13:26:42 +0200
> >> -Subject: [PATCH 2/2] Fix removal of wpa_passphrase on 'make clean'
> >> -
> >> -Fixes: 0430bc8267b4 ("build: Add a common-clean target")
> >> -Signed-off-by: Jouni Malinen<quic_jouni@quicinc.com>
> >> -Upstream-Status: Backport
> >> -Signed-off-by: Alex Kiernan<alexk@zuma.ai>
> >> -Signed-off-by: Alex Kiernan<alexk@gmail.com>
> >> ----
> >> - wpa_supplicant/Makefile | 1 +
> >> - 1 file changed, 1 insertion(+)
> >> -
> >> -diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
> >> -index c456825ae75f..4b4688931b1d 100644
> >> ---- a/wpa_supplicant/Makefile
> >> -+++ b/wpa_supplicant/Makefile
> >> -@@ -2077,3 +2077,4 @@ clean: common-clean
> >> - rm -f libwpa_client.a
> >> - rm -f libwpa_client.so
> >> - rm -f libwpa_test1 libwpa_test2
> >> -+ rm -f wpa_passphrase
> >> ---
> >> -2.35.1
> >> -
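Review bot: The removed patch header names upstream commit d001b301ba7987f4b39453a211631b85c48f2ff8 ("Fix removal of wpa_passphrase on 'make clean'"), so cite it in the commit message's Note; the change itself is the single `rm -f wpa_passphrase` line in the clean target, so nothing else needs re-checking once that commit is confirmed to be in 2.11.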
> >> diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.11.bb
> >> similarity index 90%
> >> rename from meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb
> >> rename to meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.11.bb
> >> index 8113bcab09..321dedc58a 100644
> >> --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb
> >> +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.11.bb
> >> @@ -5,8 +5,8 @@ BUGTRACKER ="http://w1.fi/security/"
> >> SECTION = "network"
> >> LICENSE = "BSD-3-Clause"
> >> LIC_FILES_CHKSUM ="file://COPYING;md5=5ebcb90236d1ad640558c3d3cd3035df \ - file://README;beginline=1;endline=56;md5=e3d2f6c2948991e37c1ca4960de84747 \ - file://wpa_supplicant/wpa_supplicant.c;beginline=1;endline=12;md5=76306a95306fee9a976b0ac1be70f705"
> >> +file://README;beginline=1;endline=56;md5=6e4b25e7d74bfc44a32ba37bdf5210a6 \
> >> +file://wpa_supplicant/wpa_supplicant.c;beginline=1;endline=12;md5=f5ccd57ea91e04800edb88267bf8eae4"
> >> DEPENDS = "dbus libnl"
> >> @@ -15,12 +15,8 @@ SRC_URI ="http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \ file://wpa_supplicant.conf \ file://wpa_supplicant.conf-sane \ file://99_wpa_supplicant \ - file://0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch \ - file://0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch \ - file://0001-Install-wpa_passphrase-when-not-disabled.patch \ - file://0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch \ "
> >> -SRC_URI[sha256sum] = "20df7ae5154b3830355f8ab4269123a87affdea59fe74fe9292a91d0d7e17b2f"
> >> +SRC_URI[sha256sum] = "912ea06f74e30a8e36fbb68064d6cdff218d8d591db0fc5d75dee6c81ac7fc0a"
> >> S = "${WORKDIR}/wpa_supplicant-${PV}"
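Review bot: The recipe hunks do the full 2.10 -> 2.11 version bump (new tarball sha256sum, updated LIC_FILES_CHKSUM for the copyright-year changes, and the four backport patches dropped from SRC_URI, matching the Note in the commit message); that is fine for master, but as the replies below point out, scarthgap takes bugfix-only releases, so the [scarthgap] tag should be dropped from the subject and the CVE-2024-5290 and CVE-2023-52160 fixes sent to scarthgap as individual backports. One thing to double-check in the LIC_FILES_CHKSUM hunk: the beginline/endline ranges for README and wpa_supplicant.c are unchanged, so the new md5 values should correspond exactly to the copyright-year edits referenced in License-Update.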
* Re: [master][scarthgap][PATCH] wpa-supplicant: Upgrade 2.10 -> 2.11
2024-08-23 16:39 ` Alexander Kanavin
@ 2024-08-23 17:17 ` Siddharth Doshi
2024-08-23 17:21 ` [OE-core] " Alexander Kanavin
0 siblings, 1 reply; 7+ messages in thread
From: Siddharth Doshi @ 2024-08-23 17:17 UTC (permalink / raw)
To: openembedded-core
Hi Randy and Alex,
I appreciate the feedback and your concern regarding upgrades in stable branches.
>
> This update makes sense for the master branch but likely not for scarthgap
> unless you can show that
> this is a bug fix only release.
>
- This release is for sure not a bug-fix-only release. It does include support for new features and can never be classified as a bug-fix-only release.
>
> you'll have to backport any CVE fixes that you're interested in unless
> someone explains why this is a sensible update for scarthgap.
>
>
- I do understand that upgrades are avoided in stable/LTS branches as they might break compatibility and result in various compilation issues.
- However, that would only take place if the backward compatibility of the new upgrade is questionable.
- Generally every new release will have API or ABI symbols added, but if API or ABI symbols are removed from shared libraries or binaries it is a matter of concern, as it would be the cause of breakdown.
- For this release, there are no ABI symbols or APIs removed from the binaries and shared libraries. You can cross-check it in different ways (there are open-source tools to check, or it can be checked by manually comparing the header files).
- I have my own script to do so, and I always check the backward compatibility before submitting any upgrades; since it was all clear for wpa-supplicant, I went ahead with the upgrade.
However, if the opinion is still that the upgrade should be avoided, let me know and I would submit the CVE patch for the same.
Regards,
Siddharth
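Siddharth's message above says he checks that no ABI symbols were removed from the shared libraries before submitting an upgrade. The script below is an added example of that check; it is not his script and not part of the OE-core patch. It assumes GNU binutils nm is on PATH (as in a Yocto/OE build environment) and operates on exported dynamic symbols only; the symbol names used in the self-check are constructed.

```shell
#!/bin/sh
# Added example (not Siddharth's script, not part of the OE-core patch):
# compare the exported dynamic symbols of an old and a new shared object
# and report any symbol the new build no longer provides. This is the
# "no ABI symbols removed" check discussed in the thread.
# Assumes GNU binutils nm. LC_ALL=C keeps sort and comm collation consistent.
LC_ALL=C
export LC_ALL

# Print the defined, exported dynamic symbols of a shared object, one per line.
exported_symbols() {
    # nm -D --defined-only prints "address type name"; keep only the name.
    nm -D --defined-only "$1" | awk 'NF >= 3 { print $NF }' | sort -u
}

# Given two newline-separated symbol lists (old, new), print the symbols
# present in the old list but absent from the new one.
removed_from_lists() {
    new_tmp=$(mktemp)
    printf '%s\n' "$2" | sort -u > "$new_tmp"
    # comm -23 prints the lines unique to the first (sorted) input.
    printf '%s\n' "$1" | sort -u | comm -23 - "$new_tmp"
    rm -f "$new_tmp"
}

# Compare old.so against new.so: return 0 when nothing was removed, 1 otherwise.
check_abi() {
    old_syms=$(exported_symbols "$1")
    new_syms=$(exported_symbols "$2")
    removed=$(removed_from_lists "$old_syms" "$new_syms")
    if [ -n "$removed" ]; then
        printf 'exported symbols removed between %s and %s:\n' "$1" "$2"
        printf '%s\n' "$removed"
        return 1
    fi
    printf 'no exported symbols removed between %s and %s\n' "$1" "$2"
    return 0
}

# Usage: abi-check.sh /old/build/libwpa_client.so /new/build/libwpa_client.so
if [ "$#" -eq 2 ]; then
    check_abi "$1" "$2"
fi
```

Run it against the libwpa_client.so from the old and new build trees; a removed symbol is printed and the exit status is 1, so it can gate a CI step. It only covers exported symbols, not struct layouts or changed function signatures, so the header comparison Siddharth mentions is still needed for those.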
* Re: [OE-core] [master][scarthgap][PATCH] wpa-supplicant: Upgrade 2.10 -> 2.11
2024-08-23 17:17 ` [master][scarthgap][PATCH] " Siddharth Doshi
@ 2024-08-23 17:21 ` Alexander Kanavin
2024-08-23 17:32 ` Siddharth Doshi
0 siblings, 1 reply; 7+ messages in thread
From: Alexander Kanavin @ 2024-08-23 17:21 UTC (permalink / raw)
To: sdoshi; +Cc: openembedded-core
The stable branch policy isn't about API/ABI compatibility, it's
rather about whether a new release has new features or only bugfixes.
If there are new features it is not eligible.
Alex
On Fri, 23 Aug 2024 at 19:18, Siddharth Doshi via lists.openembedded.org <sdoshi=mvista.com@lists.openembedded.org> wrote:
* Re: [master][scarthgap][PATCH] wpa-supplicant: Upgrade 2.10 -> 2.11
2024-08-23 17:21 ` [OE-core] " Alexander Kanavin
@ 2024-08-23 17:32 ` Siddharth Doshi
0 siblings, 0 replies; 7+ messages in thread
From: Siddharth Doshi @ 2024-08-23 17:32 UTC (permalink / raw)
To: openembedded-core
Hi Alex,
Noted.
Regards,
Siddharth
end of thread, other threads:[~2024-08-23 17:32 UTC | newest]
Thread overview: 7+ messages
2024-08-22 16:17 [OE-core][master][scarthgap][PATCH] wpa-supplicant: Upgrade 2.10 -> 2.11 Siddharth
2024-08-23 0:56 ` Randy MacLeod
2024-08-23 15:59 ` Viswanath Kraleti
2024-08-23 16:39 ` Alexander Kanavin
2024-08-23 17:17 ` [master][scarthgap][PATCH] " Siddharth Doshi
2024-08-23 17:21 ` [OE-core] " Alexander Kanavin
2024-08-23 17:32 ` Siddharth Doshi