Date: Saturday, December 17, 2022 @ 00:57:56
Author: heftig
Revision: 464496
2.10-8: FS#65314 enable WPA3 Enterprise; Sync with Debian's config
Added:
wpa_supplicant/trunk/0001-nl80211-add-extra-ies-only-if-allowed-by-driver.patch
(from rev 464495,
wpa_supplicant/trunk/add_extra-ies_only_if_allowed_by_driver.patch)
wpa_supplicant/trunk/0002-AP-guard-FT-SAE-code-with-CONFIG_IEEE80211R_AP.patch
wpa_supplicant/trunk/disable-eapol-werror.patch
Modified:
wpa_supplicant/trunk/PKGBUILD
wpa_supplicant/trunk/wpa_supplicant_config
Deleted:
wpa_supplicant/trunk/add_extra-ies_only_if_allowed_by_driver.patch
------------------------------------------------------------+
0001-nl80211-add-extra-ies-only-if-allowed-by-driver.patch | 69 +++++++++++
0002-AP-guard-FT-SAE-code-with-CONFIG_IEEE80211R_AP.patch | 56 ++++++++
PKGBUILD | 28 +++-
add_extra-ies_only_if_allowed_by_driver.patch | 62 ---------
disable-eapol-werror.patch | 25 +++
wpa_supplicant_config | 28 +++-
6 files changed, 189 insertions(+), 79 deletions(-)
Copied:
wpa_supplicant/trunk/0001-nl80211-add-extra-ies-only-if-allowed-by-driver.patch
(from rev 464495,
wpa_supplicant/trunk/add_extra-ies_only_if_allowed_by_driver.patch)
===================================================================
--- 0001-nl80211-add-extra-ies-only-if-allowed-by-driver.patch
(rev 0)
+++ 0001-nl80211-add-extra-ies-only-if-allowed-by-driver.patch 2022-12-17
00:57:56 UTC (rev 464496)
@@ -0,0 +1,69 @@
+From: David Bauer <[email protected]>
+Date: Sun, 30 Jan 2022 20:22:00 +0100
+Subject: nl80211: add extra-ies only if allowed by driver
+
+Upgrading wpa_supplicant from 2.9 to 2.10 breaks broadcom-wl
+based adapters. The reason for it is hostapd tries to install additional
+IEs for scanning while the driver does not support this.
+
+The kernel indicates the maximum number of bytes for additional scan IEs
+using the NL80211_ATTR_MAX_SCAN_IE_LEN attribute. Save this value and
+only add additional scan IEs in case the driver can accommodate these
+additional IEs.
+
+Reported-by: Étienne Morice <[email protected]>
+Tested-by: Étienne Morice <[email protected]>
+Signed-off-by: David Bauer <[email protected]>
+
+Bug: http://lists.infradead.org/pipermail/hostap/2022-January/040178.html
+Bug-ArchLinux: https://bugs.archlinux.org/task/73495
+Bug-Debian: https://bugs.debian.org/1004524
+Origin: http://lists.infradead.org/pipermail/hostap/2022-January/040185.html
+---
+ src/drivers/driver.h | 3 +++
+ src/drivers/driver_nl80211_capa.c | 4 ++++
+ src/drivers/driver_nl80211_scan.c | 2 +-
+ 3 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/src/drivers/driver.h b/src/drivers/driver.h
+index d3312a3..b5b6264 100644
+--- a/src/drivers/driver.h
++++ b/src/drivers/driver.h
+@@ -2052,6 +2052,9 @@ struct wpa_driver_capa {
+ /** Maximum number of iterations in a single scan plan */
+ u32 max_sched_scan_plan_iterations;
+
++ /** Maximum number of extra IE bytes for scans */
++ u16 max_scan_ie_len;
++
+ /** Whether sched_scan (offloaded scanning) is supported */
+ int sched_scan_supported;
+
+diff --git a/src/drivers/driver_nl80211_capa.c
b/src/drivers/driver_nl80211_capa.c
+index 83868b7..b33b6ba 100644
+--- a/src/drivers/driver_nl80211_capa.c
++++ b/src/drivers/driver_nl80211_capa.c
+@@ -885,6 +885,10 @@ static int wiphy_info_handler(struct nl_msg *msg, void
*arg)
+ nla_get_u32(tb[NL80211_ATTR_MAX_SCAN_PLAN_ITERATIONS]);
+ }
+
++ if (tb[NL80211_ATTR_MAX_SCAN_IE_LEN])
++ capa->max_scan_ie_len =
++ nla_get_u16(tb[NL80211_ATTR_MAX_SCAN_IE_LEN]);
++
+ if (tb[NL80211_ATTR_MAX_MATCH_SETS])
+ capa->max_match_sets =
+ nla_get_u8(tb[NL80211_ATTR_MAX_MATCH_SETS]);
+diff --git a/src/drivers/driver_nl80211_scan.c
b/src/drivers/driver_nl80211_scan.c
+index 1316084..b0f0951 100644
+--- a/src/drivers/driver_nl80211_scan.c
++++ b/src/drivers/driver_nl80211_scan.c
+@@ -207,7 +207,7 @@ nl80211_scan_common(struct i802_bss *bss, u8 cmd,
+ wpa_printf(MSG_DEBUG, "nl80211: Passive scan requested");
+ }
+
+- if (params->extra_ies) {
++ if (params->extra_ies && drv->capa.max_scan_ie_len >=
params->extra_ies_len) {
+ wpa_hexdump(MSG_MSGDUMP, "nl80211: Scan extra IEs",
+ params->extra_ies, params->extra_ies_len);
+ if (nla_put(msg, NL80211_ATTR_IE, params->extra_ies_len,
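Review bot: In the `nl80211_scan_common` hunk, extra IEs longer than `drv->capa.max_scan_ie_len` are now dropped with no trace, and the scan goes ahead as if none had been requested. Because `max_scan_ie_len` is only assigned when the kernel sends `NL80211_ATTR_MAX_SCAN_IE_LEN`, it presumably stays at its initial value (likely 0) for a driver that omits the attribute, so that driver loses every extra IE as well. Extra scan IEs can carry WPS or Interworking data in probe requests, so a silent omission is hard to diagnose from logs. I would add an else branch with `wpa_printf(MSG_DEBUG, "nl80211: Skipping scan extra IEs (%u bytes, driver limit %u)", (unsigned int) params->extra_ies_len, drv->capa.max_scan_ie_len);`. The `if` body and the rest of the function continue outside the hunk.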
Added: 0002-AP-guard-FT-SAE-code-with-CONFIG_IEEE80211R_AP.patch
===================================================================
--- 0002-AP-guard-FT-SAE-code-with-CONFIG_IEEE80211R_AP.patch
(rev 0)
+++ 0002-AP-guard-FT-SAE-code-with-CONFIG_IEEE80211R_AP.patch 2022-12-17
00:57:56 UTC (rev 464496)
@@ -0,0 +1,56 @@
+From: Beniamino Galvani <[email protected]>
+Date: Mon, 4 Apr 2022 09:13:12 +0200
+Subject: AP: guard FT-SAE code with CONFIG_IEEE80211R_AP
+
+wpa_supplicant doesn't support FT in AP mode, but it still negotiates
+FT-SAE. This can lead to an authentication failure when the AP is
+started with key_mgmt="SAE FT-SAE" and the STA supports both.
+
+Ensure that FT-SAE is not negotiated when CONFIG_IEEE80211R_AP is not
+defined.
+
+Signed-off-by: Beniamino Galvani <[email protected]>
+---
+ src/ap/wpa_auth_ie.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/ap/wpa_auth_ie.c b/src/ap/wpa_auth_ie.c
+index 524922e..d63cbeb 100644
+--- a/src/ap/wpa_auth_ie.c
++++ b/src/ap/wpa_auth_ie.c
+@@ -228,11 +228,13 @@ int wpa_write_rsn_ie(struct wpa_auth_config *conf, u8
*buf, size_t len,
+ pos += RSN_SELECTOR_LEN;
+ num_suites++;
+ }
++#ifdef CONFIG_IEEE80211R_AP
+ if (conf->wpa_key_mgmt & WPA_KEY_MGMT_FT_SAE) {
+ RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_SAE);
+ pos += RSN_SELECTOR_LEN;
+ num_suites++;
+ }
++#endif /* CONFIG_IEEE80211R_AP */
+ #endif /* CONFIG_SAE */
+ if (conf->wpa_key_mgmt & WPA_KEY_MGMT_IEEE8021X_SUITE_B) {
+ RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_802_1X_SUITE_B);
+@@ -670,8 +672,10 @@ wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth,
+ #ifdef CONFIG_SAE
+ else if (data.key_mgmt & WPA_KEY_MGMT_SAE)
+ selector = RSN_AUTH_KEY_MGMT_SAE;
++#ifdef CONFIG_IEEE80211R_AP
+ else if (data.key_mgmt & WPA_KEY_MGMT_FT_SAE)
+ selector = RSN_AUTH_KEY_MGMT_FT_SAE;
++#endif /* CONFIG_IEEE80211R_AP */
+ #endif /* CONFIG_SAE */
+ else if (data.key_mgmt & WPA_KEY_MGMT_IEEE8021X)
+ selector = RSN_AUTH_KEY_MGMT_UNSPEC_802_1X;
+@@ -778,8 +782,10 @@ wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth,
+ #ifdef CONFIG_SAE
+ else if (key_mgmt & WPA_KEY_MGMT_SAE)
+ sm->wpa_key_mgmt = WPA_KEY_MGMT_SAE;
++#ifdef CONFIG_IEEE80211R_AP
+ else if (key_mgmt & WPA_KEY_MGMT_FT_SAE)
+ sm->wpa_key_mgmt = WPA_KEY_MGMT_FT_SAE;
++#endif /* CONFIG_IEEE80211R_AP */
+ #endif /* CONFIG_SAE */
+ else if (key_mgmt & WPA_KEY_MGMT_IEEE8021X)
+ sm->wpa_key_mgmt = WPA_KEY_MGMT_IEEE8021X;
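Review bot: In both `wpa_validate_wpa_ie` hunks the FT-SAE branch is compiled out, but a station that offers FT-SAE still enters the else-if chain and falls through to whichever branch comes next. The tail of the chain and the earlier mask against the configured AKMs are outside the hunk, so I cannot confirm this. If `key_mgmt` can still contain `WPA_KEY_MGMT_FT_SAE` here (the AP config in the commit message lists `FT-SAE`), the association would be recorded under a different AKM instead of being refused. It would be safer to drop the bit from the configured set in builds without FT, e.g. `conf->wpa_key_mgmt &= ~WPA_KEY_MGMT_FT_SAE;` where the authenticator config is filled in. At minimum, add a comment at each guard such as `/* FT-SAE-only stations must already have been rejected before this chain */`.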
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2022-12-17 00:31:01 UTC (rev 464495)
+++ PKGBUILD 2022-12-17 00:57:56 UTC (rev 464496)
@@ -5,34 +5,39 @@
pkgname=wpa_supplicant
pkgver=2.10
-pkgrel=7
+pkgrel=8
epoch=2
pkgdesc='A utility providing key negotiation for WPA wireless networks'
url='https://w1.fi/wpa_supplicant/'
arch=(x86_64)
license=(GPL)
-depends=(openssl libdbus readline libnl)
+depends=(openssl libdbus readline libnl pcsclite)
+options=(debug)
install=wpa_supplicant.install
source=(
https://w1.fi/releases/${pkgname}-${pkgver}.tar.gz{,.asc}
+ wpa_supplicant_config
wpa_supplicant_tls.patch
wpa_supplicant_dbus_service_syslog.patch
wpa_supplicant_service_ignore-on-isolate.patch
wpa_supplicant-legacy-server-connect.patch
lower_security_level_for_tls_1.patch
- wpa_supplicant_config
- add_extra-ies_only_if_allowed_by_driver.patch
+ disable-eapol-werror.patch
+ 0001-nl80211-add-extra-ies-only-if-allowed-by-driver.patch
+ 0002-AP-guard-FT-SAE-code-with-CONFIG_IEEE80211R_AP.patch
)
validpgpkeys=('EC4AA0A991A5F2464582D52D2B6EF432EFC895FA') # Jouni Malinen
sha256sums=('20df7ae5154b3830355f8ab4269123a87affdea59fe74fe9292a91d0d7e17b2f'
'SKIP'
+ '1e32af4a1a147ee75358fd0b5636fb41332a7b91ec7a904292178256f735e9d2'
'08915b040d03a3e07cdc8ea6c76b497e00059e01ce85b67413dfe41d4fc68992'
'60f6a1cf2e124813dfce1da78ee1818e2ff5236aafa4113c7ae3b3f2a0b84006'
'd42bdbf3d4980b9f0a819612df0c39843c7e96c8afcb103aa656c824f93790b0'
'8fba11e4a5056d9e710707ded93341f61fdfef6c64ced992e3936cbd2d41a011'
'c3c0fb363f734c1512d24fd749b3ff7515f961b27bfadd04c128434b5c9f4a93'
- '89dc439b958574e9231c58bea6c83faec469909c9f84476bfc83fa35b3e97bd1'
- 'aaedf87f1530d4e6cb00bf7981d1f868409ed892cc41b83c5613019e7b51f380')
+ '9aca193cc26682765467cf9131240e5de71f9b49a765a934284da5e308ea904e'
+ '7901d42eda48f82106901cbeb5e7be39025c878d5085a0a0d54ccbe36c3ecef4'
+ '24e844b0a08fe3fede1676cedfe29643375ae56ab1a5fe4f5783765a7b759c15')
prepare() {
cd $pkgname-$pkgver
@@ -53,11 +58,16 @@
# https://bugs.archlinux.org/task/76474
patch -Np1 -i ../lower_security_level_for_tls_1.patch
+ #
https://salsa.debian.org/debian/wpa/-/commit/13e1d28e4f987a220c546df94df86bb9b2371874
+ patch -Np1 -i ../disable-eapol-werror.patch
+
# http://lists.infradead.org/pipermail/hostap/2022-January/040178.html
- patch -Np1 -i ../add_extra-ies_only_if_allowed_by_driver.patch
+ patch -Np1 -i ../0001-nl80211-add-extra-ies-only-if-allowed-by-driver.patch
- cd $pkgname
- cp "$srcdir/wpa_supplicant_config" ./.config
+ # https://lists.infradead.org/pipermail/hostap/2022-April/040352.html
+ patch -Np1 -i ../0002-AP-guard-FT-SAE-code-with-CONFIG_IEEE80211R_AP.patch
+
+ cp ../wpa_supplicant_config $pkgname/.config
}
build() {
Deleted: add_extra-ies_only_if_allowed_by_driver.patch
===================================================================
--- add_extra-ies_only_if_allowed_by_driver.patch 2022-12-17 00:31:01 UTC
(rev 464495)
+++ add_extra-ies_only_if_allowed_by_driver.patch 2022-12-17 00:57:56 UTC
(rev 464496)
@@ -1,62 +0,0 @@
-Upgrading wpa_supplicant from 2.9 to 2.10 breaks broadcom-wl
-based adapters. The reason for it is hostapd tries to install additional
-IEs for scanning while the driver does not support this.
-
-The kernel indicates the maximum number of bytes for additional scan IEs
-using the NL80211_ATTR_MAX_SCAN_IE_LEN attribute. Save this value and
-only add additional scan IEs in case the driver can accommodate these
-additional IEs.
-
-Reported-by: Étienne Morice <neon.emorice at mail.com>
-Tested-by: Étienne Morice <neon.emorice at mail.com>
-Signed-off-by: David Bauer <mail at david-bauer.net>
----
- src/drivers/driver.h | 3 +++
- src/drivers/driver_nl80211_capa.c | 4 ++++
- src/drivers/driver_nl80211_scan.c | 2 +-
- 3 files changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/src/drivers/driver.h b/src/drivers/driver.h
-index d3312a34d..b5b626451 100644
---- a/src/drivers/driver.h
-+++ b/src/drivers/driver.h
-@@ -2052,6 +2052,9 @@ struct wpa_driver_capa {
- /** Maximum number of iterations in a single scan plan */
- u32 max_sched_scan_plan_iterations;
-
-+ /** Maximum number of extra IE bytes for scans */
-+ u16 max_scan_ie_len;
-+
- /** Whether sched_scan (offloaded scanning) is supported */
- int sched_scan_supported;
-
-diff --git a/src/drivers/driver_nl80211_capa.c
b/src/drivers/driver_nl80211_capa.c
-index 83868b78e..b33b6badb 100644
---- a/src/drivers/driver_nl80211_capa.c
-+++ b/src/drivers/driver_nl80211_capa.c
-@@ -885,6 +885,10 @@ static int wiphy_info_handler(struct nl_msg *msg, void
*arg)
- nla_get_u32(tb[NL80211_ATTR_MAX_SCAN_PLAN_ITERATIONS]);
- }
-
-+ if (tb[NL80211_ATTR_MAX_SCAN_IE_LEN])
-+ capa->max_scan_ie_len =
-+ nla_get_u16(tb[NL80211_ATTR_MAX_SCAN_IE_LEN]);
-+
- if (tb[NL80211_ATTR_MAX_MATCH_SETS])
- capa->max_match_sets =
- nla_get_u8(tb[NL80211_ATTR_MAX_MATCH_SETS]);
-diff --git a/src/drivers/driver_nl80211_scan.c
b/src/drivers/driver_nl80211_scan.c
-index 131608480..b0f095192 100644
---- a/src/drivers/driver_nl80211_scan.c
-+++ b/src/drivers/driver_nl80211_scan.c
-@@ -207,7 +207,7 @@ nl80211_scan_common(struct i802_bss *bss, u8 cmd,
- wpa_printf(MSG_DEBUG, "nl80211: Passive scan requested");
- }
-
-- if (params->extra_ies) {
-+ if (params->extra_ies && drv->capa.max_scan_ie_len >=
params->extra_ies_len) {
- wpa_hexdump(MSG_MSGDUMP, "nl80211: Scan extra IEs",
- params->extra_ies, params->extra_ies_len);
- if (nla_put(msg, NL80211_ATTR_IE, params->extra_ies_len,
---
-2.35.1
Added: disable-eapol-werror.patch
===================================================================
--- disable-eapol-werror.patch (rev 0)
+++ disable-eapol-werror.patch 2022-12-17 00:57:56 UTC (rev 464496)
@@ -0,0 +1,25 @@
+From: Andrej Shadura <[email protected]>
+Date: Fri, 12 Feb 2021 14:28:19 +0100
+Subject: Disable -Werror for eapol_test
+
+This may make sense for the upstream, but we just want to build
+the tool to be useful to our users; dealing with build errors due
+to issues normally manifesting themselves as warnings is burdening
+for Debian and its downstreams.
+---
+ wpa_supplicant/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
+index cb66def..26b0c93 100644
+--- a/wpa_supplicant/Makefile
++++ b/wpa_supplicant/Makefile
+@@ -170,7 +170,7 @@ CFLAGS += -DCONFIG_ELOOP_KQUEUE
+ endif
+
+ ifdef CONFIG_EAPOL_TEST
+-CFLAGS += -Werror -DEAPOL_TEST
++CFLAGS += -DEAPOL_TEST
+ endif
+
+ ifdef CONFIG_CODE_COVERAGE
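Review bot: The new line `CFLAGS += -DEAPOL_TEST` still appends to the Makefile's shared `CFLAGS`, so as far as this hunk shows the define is not limited to the eapol_test objects. This commit also switches on `CONFIG_EAPOL_TEST=y` in wpa_supplicant_config, an option that file labels "Development testing", so the packaged daemon is presumably compiled with the test define too. Removing `-Werror` additionally means warnings in that configuration no longer stop the build. I would build eapol_test in a separate pass with its own config, or at least record the trade-off next to the option with a comment such as `# Enables -DEAPOL_TEST for the whole build; set only to ship eapol_test`.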
Modified: wpa_supplicant_config
===================================================================
--- wpa_supplicant_config 2022-12-17 00:31:01 UTC (rev 464495)
+++ wpa_supplicant_config 2022-12-17 00:57:56 UTC (rev 464496)
@@ -1,4 +1,4 @@
-# Example wpa_supplicant build time configuration
+# Arch Linux wpa_supplicant build time configuration
#
# This file lists the configuration options that are used when building the
# wpa_supplicant binary. All lines starting with # are ignored. Configuration
@@ -195,7 +195,7 @@
# PC/SC interface for smartcards (USIM, GSM SIM)
# Enable this if EAP-SIM or EAP-AKA is included
-#CONFIG_PCSC=y
+CONFIG_PCSC=y
# Support HT overrides (disable HT/HT40, mask MCS rates, etc.)
CONFIG_HT_OVERRIDES=y
@@ -204,7 +204,7 @@
CONFIG_VHT_OVERRIDES=y
# Development testing
-#CONFIG_EAPOL_TEST=y
+CONFIG_EAPOL_TEST=y
# Select control interface backend for external programs, e.g, wpa_cli:
# unix = UNIX domain sockets (default for Linux/*BSD)
@@ -311,7 +311,7 @@
#CONFIG_NO_LINUX_PACKET_SOCKET_WAR=y
# Support Operating Channel Validation
-#CONFIG_OCV=y
+CONFIG_OCV=y
# Select TLS implementation
# openssl = OpenSSL (default)
@@ -337,7 +337,6 @@
# Select which ciphers to use by default with OpenSSL if the user does not
# specify them.
-#CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW"
CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT@SECLEVEL=1"
# If CONFIG_TLS=internal is used, additional library and include paths are
@@ -570,12 +569,12 @@
CONFIG_ACS=y
# Support Multi Band Operation
-#CONFIG_MBO=y
+CONFIG_MBO=y
# Fast Initial Link Setup (FILS) (IEEE 802.11ai)
-#CONFIG_FILS=y
+CONFIG_FILS=y
# FILS shared key authentication with PFS
-#CONFIG_FILS_SK_PFS=y
+CONFIG_FILS_SK_PFS=y
# Support RSN on IBSS networks
# This is needed to be able to use mode=1 network profile with proto=RSN and
@@ -634,4 +633,17 @@
# design is still subject to change. As such, this should not yet be enabled in
# production use.
#CONFIG_PASN=y
+
+# WPA3-Enterprise (SuiteB-192)
+CONFIG_SUITEB=y
+
+CONFIG_SUITEB192=y
+
+# Driver support is also needed for IEEE 802.11w.
+CONFIG_IEEE80211W=y
+
+# IEEE 802.11n (High Throughput) support (mainly for AP mode)
+CONFIG_IEEE80211N=y
+
+# Used by eapol_test only, see
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985912
CONFIG_IPV6=y
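Review bot: The options this commit is named for are under-documented: `CONFIG_SUITEB=y` and `CONFIG_SUITEB192=y` share one comment that names only SuiteB-192. The comment above `CONFIG_IEEE80211W=y` is a driver caveat and does not say what the option enables. Since these lines are what turns on WPA3 Enterprise according to the commit title, I would give each its own comment. For example, `# Suite B AKM (128-bit level)` above `CONFIG_SUITEB=y`, `# Suite B 192-bit AKM, used by WPA3-Enterprise 192-bit mode` above `CONFIG_SUITEB192=y`, and `# Management frame protection (PMF), required by WPA3` above `CONFIG_IEEE80211W=y`. The comment for `CONFIG_IPV6=y` says it is used by eapol_test only, so it would help to state that it is enabled solely for that tool.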