Hello community, here is the log from the commit of package iwd for openSUSE:Factory checked in at 2023-02-15 13:41:07 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/iwd (Old) and /work/SRC/openSUSE:Factory/.iwd.new.22824 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "iwd" Wed Feb 15 13:41:07 2023 rev:36 rq:1065884 version:2.3 Changes: -------- --- /work/SRC/openSUSE:Factory/iwd/iwd.changes 2023-01-29 14:29:44.109208297 +0100 +++ /work/SRC/openSUSE:Factory/.iwd.new.22824/iwd.changes 2023-02-15 13:41:25.587066271 +0100 @@ -1,0 +2,9 @@ +Wed Feb 15 08:35:18 UTC 2023 - Dirk Müller <dmuel...@suse.com> + +- update to 2.3 (bsc#1208267): + * Fix issue with length calculation for WMM IE. + * Fix issue with channel number allocation off-by-one. + * Fix issue with cached session when TLS phase2 fails. + * Add support for FastReauthentication setting for EAP-TLS. + +------------------------------------------------------------------- Old: ---- iwd-2.2.tar.sign iwd-2.2.tar.xz New: ---- iwd-2.3.tar.sign iwd-2.3.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ iwd.spec ++++++ --- /var/tmp/diff_new_pack.q7hlCP/_old 2023-02-15 13:41:26.067068908 +0100 +++ /var/tmp/diff_new_pack.q7hlCP/_new 2023-02-15 13:41:26.075068952 +0100 @@ -17,7 +17,7 @@ Name: iwd -Version: 2.2 +Version: 2.3 Release: 0 Summary: Wireless daemon for Linux License: LGPL-2.1-or-later ++++++ iwd-2.2.tar.xz -> iwd-2.3.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/iwd-2.2/ChangeLog new/iwd-2.3/ChangeLog --- old/iwd-2.2/ChangeLog 2023-01-23 19:46:38.000000000 +0100 +++ new/iwd-2.3/ChangeLog 2023-02-02 13:57:32.000000000 +0100 
@@ -1,3 +1,9 @@ +ver 2.3: + Fix issue with length calculation for WMM IE. + Fix issue with channel number allocation off-by-one. + Fix issue with cached session when TLS phase2 fails. + Add support for FastReauthentication setting for EAP-TLS. + ver 2.2: Fix issue with handling FT and multiple roaming scans. Fix issue with handling multiple wiphy registrations. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/iwd-2.2/configure new/iwd-2.3/configure --- old/iwd-2.2/configure 2023-01-23 19:48:38.000000000 +0100 +++ new/iwd-2.3/configure 2023-02-02 13:59:45.000000000 +0100 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.71 for iwd 2.2. +# Generated by GNU Autoconf 2.71 for iwd 2.3. # # # Copyright (C) 1992-1996, 1998-2017, 2020-2021 Free Software Foundation, @@ -618,8 +618,8 @@ # Identity of this package. PACKAGE_NAME='iwd' PACKAGE_TARNAME='iwd' -PACKAGE_VERSION='2.2' -PACKAGE_STRING='iwd 2.2' +PACKAGE_VERSION='2.3' +PACKAGE_STRING='iwd 2.3' PACKAGE_BUGREPORT='' PACKAGE_URL='' @@ -1421,7 +1421,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures iwd 2.2 to adapt to many kinds of systems. +\`configure' configures iwd 2.3 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1492,7 +1492,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of iwd 2.2:";; + short | recursive ) echo "Configuration of iwd 2.3:";; esac cat <<\_ACEOF @@ -1643,7 +1643,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -iwd configure 2.2 +iwd configure 2.3 generated by GNU Autoconf 2.71 Copyright (C) 2021 Free Software Foundation, Inc. 
@@ -1861,7 +1861,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by iwd $as_me 2.2, which was +It was created by iwd $as_me 2.3, which was generated by GNU Autoconf 2.71. Invocation command line was $ $0$ac_configure_args_raw @@ -3136,7 +3136,7 @@ # Define the identity of the package. PACKAGE='iwd' - VERSION='2.2' + VERSION='2.3' printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h @@ -14712,7 +14712,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by iwd $as_me 2.2, which was +This file was extended by iwd $as_me 2.3, which was generated by GNU Autoconf 2.71. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -14780,7 +14780,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config='$ac_cs_config_escaped' ac_cs_version="\\ -iwd config.status 2.2 +iwd config.status 2.3 configured by $0, generated by GNU Autoconf 2.71, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/iwd-2.2/configure.ac new/iwd-2.3/configure.ac --- old/iwd-2.2/configure.ac 2023-01-23 19:46:38.000000000 +0100 +++ new/iwd-2.3/configure.ac 2023-02-02 13:57:32.000000000 +0100 @@ -1,5 +1,5 @@ AC_PREREQ([2.69]) -AC_INIT([iwd],[2.2]) +AC_INIT([iwd],[2.3]) AC_CONFIG_HEADERS(config.h) AC_CONFIG_AUX_DIR(build-aux) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/iwd-2.2/monitor/nlmon.c new/iwd-2.3/monitor/nlmon.c --- old/iwd-2.2/monitor/nlmon.c 2023-01-23 19:46:38.000000000 +0100 +++ new/iwd-2.3/monitor/nlmon.c 2023-02-02 13:57:32.000000000 +0100 @@ -4530,6 +4530,7 @@ { const char *str; const struct mmpdu_authentication *body; + uint16_t alg; if (!mmpdu) return; 
@@ -4540,8 +4541,9 @@ print_mpdu_frame_control(level + 1, &mmpdu->fc); print_mmpdu_header(level + 1, mmpdu); + alg = L_LE16_TO_CPU(body->algorithm); - switch (L_LE16_TO_CPU(body->algorithm)) { + switch (alg) { case MMPDU_AUTH_ALGO_OPEN_SYSTEM: str = "Open"; break; @@ -4563,7 +4565,8 @@ L_LE16_TO_CPU(body->transaction_sequence), L_LE16_TO_CPU(body->status)); - if (L_LE16_TO_CPU(body->algorithm) != MMPDU_AUTH_ALGO_SHARED_KEY) + if (!L_IN_SET(alg, MMPDU_AUTH_ALGO_SHARED_KEY, + MMPDU_AUTH_ALGO_FT, MMPDU_AUTH_ALGO_SAE)) return; if (L_LE16_TO_CPU(body->transaction_sequence) < 2 || diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/iwd-2.2/src/ap.c new/iwd-2.3/src/ap.c --- old/iwd-2.2/src/ap.c 2023-01-23 19:46:38.000000000 +0100 +++ new/iwd-2.3/src/ap.c 2023-02-02 13:57:32.000000000 +0100 @@ -939,8 +939,9 @@ len += ap_get_wsc_ie_len(ap, type, client_frame, client_frame_len); + /* WMM IE length */ if (ap->supports_ht) - len += 26; + len += 50; if (ap->ops->get_extra_ies_len) len += ap->ops->get_extra_ies_len(type, client_frame, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/iwd-2.2/src/eap-tls-common.c new/iwd-2.3/src/eap-tls-common.c --- old/iwd-2.2/src/eap-tls-common.c 2023-01-23 19:46:38.000000000 +0100 +++ new/iwd-2.3/src/eap-tls-common.c 2023-02-02 13:57:32.000000000 +0100 @@ -115,6 +115,8 @@ bool expecting_frag_ack:1; bool tunnel_ready:1; + bool tls_session_resumed:1; + bool tls_cache_disabled:1; struct l_queue *ca_cert; struct l_certchain *client_cert; 
@@ -129,8 +131,11 @@ static eap_tls_session_cache_load_func_t eap_tls_session_cache_load; static eap_tls_session_cache_sync_func_t eap_tls_session_cache_sync; -static void __eap_tls_common_state_reset(struct eap_tls_state *eap_tls) +static void __eap_tls_common_state_reset(struct eap_state *eap) { + struct eap_tls_state *eap_tls = eap_get_data(eap); + const char *peer_id; + eap_tls->version_negotiated = EAP_TLS_VERSION_NOT_NEGOTIATED; eap_tls->method_completed = false; eap_tls->phase2_failed = false; 
@@ -145,6 +150,43 @@ if (eap_tls->tunnel) l_tls_reset(eap_tls->tunnel); + /* + * Drop the TLS session cache for this peer if the overall EAP + * method didn't succeed. + * + * Additionally if the session was cached previously, meaning + * that we've had a successful authentication at least once before, + * and we now used session resumption successfully and the method + * failed, become suspicious of this server's TLS session + * resumption support. Some authenticators strangely allow + * resumption but can't handle it all the way to EAP method + * success. This improves the chances that authentication + * succeeds on the next attempt. + * + * Drop the cache even if we have no indication that the + * method failed but it just didn't succeed, to handle cases like + * the server getting stuck and a timout occuring at a higher + * layer. The risk is that we may occasionally flush the session + * data when there was only a momentary radio issue, invalid + * phase2 credentials or decision to abort. Those are not hot + * paths. + * + * Note: TLS errors before the ready callback are handled in l_tls. + */ + peer_id = eap_get_peer_id(eap); + if (peer_id && eap_tls_session_cache && !eap_method_is_success(eap) && + l_settings_has_group(eap_tls_session_cache, peer_id)) { + eap_tls_forget_peer(peer_id); + + if (eap_tls->tls_session_resumed) + l_warn("EAP: method did not finish after successful TLS" + " session resumption. If this repeats consider" + " disabling [Security].EAP-%sFastReauthentication", + eap_get_method_name(eap)); + } + + eap_tls->tls_session_resumed = false; + eap_tls->tx_frag_offset = 0; eap_tls->tx_frag_last_len = 0; @@ -187,7 +229,7 @@ { struct eap_tls_state *eap_tls = eap_get_data(eap); - __eap_tls_common_state_reset(eap_tls); + __eap_tls_common_state_reset(eap); if (eap_tls->variant_ops->reset) eap_tls->variant_ops->reset(eap_tls->variant_data); 
@@ -199,7 +241,7 @@ { struct eap_tls_state *eap_tls = eap_get_data(eap); - __eap_tls_common_state_reset(eap_tls); + __eap_tls_common_state_reset(eap); eap_set_data(eap, NULL); @@ -244,7 +286,9 @@ { struct eap_state *eap = user_data; struct eap_tls_state *eap_tls = eap_get_data(eap); - bool resumed = l_tls_get_session_resumed(eap_tls->tunnel); + + eap_tls->tls_session_resumed = + l_tls_get_session_resumed(eap_tls->tunnel); if (eap_tls->ca_cert && !peer_identity) { l_error("%s: TLS did not verify AP identity", @@ -265,7 +309,8 @@ if (!eap_tls->variant_ops->tunnel_ready) return; - if (!eap_tls->variant_ops->tunnel_ready(eap, peer_identity, resumed)) + if (!eap_tls->variant_ops->tunnel_ready(eap, peer_identity, + eap_tls->tls_session_resumed)) l_tls_close(eap_tls->tunnel); } @@ -649,7 +694,7 @@ if (eap_tls->domain_mask) l_tls_set_domain_mask(eap_tls->tunnel, eap_tls->domain_mask); - if (!eap_tls_session_cache_load) + if (!eap_tls_session_cache_load || eap_tls->tls_cache_disabled) goto start; if (!eap_tls_session_cache) @@ -998,6 +1043,16 @@ return -EINVAL; } + snprintf(setting_key, sizeof(setting_key), + "%sFastReauthentication", prefix); + + if (l_settings_has_key(settings, "Security", setting_key) && + !l_settings_get_bool(settings, "Security", + setting_key, NULL)) { + l_error("Can't parse %s", setting_key); + return -EINVAL; + } + return 0; } @@ -1009,6 +1064,7 @@ struct eap_tls_state *eap_tls; char setting_key[72]; char *domain_mask_str; + bool bool_val; L_AUTO_FREE_VAR(char *, value) = NULL; 
@@ -1038,6 +1094,14 @@ l_free(domain_mask_str); } + snprintf(setting_key, sizeof(setting_key), + "%sFastReauthentication", prefix); + + if (!l_settings_get_bool(settings, "Security", setting_key, &bool_val)) + bool_val = true; + + eap_tls->tls_cache_disabled = !bool_val; + eap_set_data(eap, eap_tls); return true; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/iwd-2.2/src/iwd.network.5 new/iwd-2.3/src/iwd.network.5 --- old/iwd-2.2/src/iwd.network.5 2023-01-23 19:54:42.000000000 +0100 +++ new/iwd-2.3/src/iwd.network.5 2023-02-02 14:01:33.000000000 +0100 @@ -360,6 +360,27 @@ _ T{ .nf +EAP\-TLS\-FastReauthentication, +EAP\-TTLS\-FastReauthentication, +EAP\-PEAP\-FastReauthentication, +.fi +T} T{ +Values: \fBtrue\fP, false +.sp +Controls whether TLS session caching for EAP\-TLS, EAP\-TTLS and EAP\-PEAP +is used. This allows for faster re\-connections to EAP\-Enterprise based +networks. +.sp +Some network authenticators may be misconfigured in a way that TLS +session resumption is allowed but actually attempting it will cause +the EAP method to fail or time out. In that case, assuming the +credentials and other settings are correct, every other connection +attempt will fail as sessions are cached and forgotten in alternating +attempts. Use this setting to disable caching for this network. +T} +_ +T{ +.nf EAP\-TTLS\-Phase2\-Method .fi T} T{ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/iwd-2.2/src/iwd.network.rst new/iwd-2.3/src/iwd.network.rst --- old/iwd-2.2/src/iwd.network.rst 2022-09-07 20:42:27.000000000 +0200 +++ new/iwd-2.3/src/iwd.network.rst 2023-02-02 13:57:32.000000000 +0100 
@@ -281,6 +281,21 @@ domain name. An asterisk segment in the mask matches any label. An asterisk segment at the beginning of the mask matches one or more consecutive labels from the beginning of the domain string. + * - | EAP-TLS-FastReauthentication, + | EAP-TTLS-FastReauthentication, + | EAP-PEAP-FastReauthentication, + - Values: **true**, false + + Controls whether TLS session caching for EAP-TLS, EAP-TTLS and EAP-PEAP + is used. This allows for faster re-connections to EAP-Enterprise based + networks. + + Some network authenticators may be misconfigured in a way that TLS + session resumption is allowed but actually attempting it will cause + the EAP method to fail or time out. In that case, assuming the + credentials and other settings are correct, every other connection + attempt will fail as sessions are cached and forgotten in alternating + attempts. Use this setting to disable caching for this network. * - | EAP-TTLS-Phase2-Method - | The following values are allowed: | Tunneled-CHAP, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/iwd-2.2/src/wiphy.c new/iwd-2.3/src/wiphy.c --- old/iwd-2.2/src/wiphy.c 2023-01-23 19:46:38.000000000 +0100 +++ new/iwd-2.3/src/wiphy.c 2023-02-02 13:57:32.000000000 +0100 @@ -1616,8 +1616,12 @@ continue; band->freq = freq; + /* + * Since channels start at 1, allocate one extra in + * order to use channel indexes without arithmetic + */ band->freq_attrs = l_new(struct band_freq_attrs, - num_channels); + num_channels + 1); band->freqs_len = num_channels; /* Reset iter to beginning */
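Review bot: the relaxed early return in monitor/nlmon.c, `if (!L_IN_SET(alg, MMPDU_AUTH_ALGO_SHARED_KEY, MMPDU_AUTH_ALGO_FT, MMPDU_AUTH_ALGO_SAE)) return;`, now lets FT and SAE authentication frames reach code that previously ran only for Shared Key, and the very next condition still opens with `if (L_LE16_TO_CPU(body->transaction_sequence) < 2 ||`, which is a Shared Key rule (the challenge only appears from the second frame of the exchange). Check that what follows decodes the FT and SAE frame bodies rather than expecting a Shared Key challenge, and, since `body` is taken from a captured frame, keep whatever length validation precedes this hunk ahead of the new `alg = L_LE16_TO_CPU(body->algorithm);` read. Caching the algorithm in a local is otherwise a welcome cleanup.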
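Review bot: `len += 50;` in src/ap.c swaps one magic number for another; the changelog entry ("Fix issue with length calculation for WMM IE") says the previous literal 26 under-counted the IE, which is exactly the drift a named constant or a `sizeof`-derived length would prevent. Suggest defining the WMM IE length once, next to the code that builds the IE, and using it both there and here, and expanding the new `/* WMM IE length */` comment to say why the IE is counted only when `ap->supports_ht`.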
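Review bot: in the `__eap_tls_common_state_reset` hunk of src/eap-tls-common.c, the hint `l_warn("... consider disabling [Security].EAP-%sFastReauthentication", eap_get_method_name(eap))` has to reproduce the key names this same patch documents (`EAP-TLS-FastReauthentication`, `EAP-TTLS-FastReauthentication`, `EAP-PEAP-FastReauthentication`); if `eap_get_method_name()` returns the bare method name without a trailing hyphen, the message will name a key that does not exist, so either put the hyphen in the format string or reuse the `prefix` that the settings code passes to `snprintf(setting_key, ..., "%sFastReauthentication", prefix)`. Also fix the comment typos `timout occuring` -> `timeout occurring`. Forgetting the peer's cache entry on every reset that did not reach method success, and warning only when a resumed session was in play, is consistent with the alternating-failure scenario the man page text describes.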
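Review bot: the new validation block (`@@ -998,6 +1043,16 @@`) passes `NULL` as the out-pointer in `!l_settings_get_bool(settings, "Security", setting_key, NULL)`; confirm `l_settings_get_bool` accepts a NULL destination, otherwise pass a scratch `bool` as the load hunk does with `&bool_val`. Rejecting an unparseable value here with `Can't parse %s` while the load path treats a missing key as `true` matches the documented default (`Values: **true**, false`), so the two hunks are consistent.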
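Review bot: in src/wiphy.c the array is now allocated with `num_channels + 1` entries while `band->freqs_len = num_channels;` is unchanged, so `freqs_len` no longer equals the allocation: a loop over `freq_attrs` that uses `freqs_len` as an exclusive upper bound skips the last channel, and one that uses it as an inclusive bound must start at index 1 because slot 0 is never filled. Suggest either recording the allocated count or extending the new comment to state that valid indexes are 1..freqs_len and index 0 is unused.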
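Review bot: in both src/iwd.network.5 and src/iwd.network.rst the last key of the new list, `EAP-PEAP-FastReauthentication,`, keeps a trailing comma; drop it so the list ends cleanly. Minor wording in the same paragraph: `EAP-Enterprise based networks` reads better as `EAP-Enterprise-based networks`.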