Hello community,

here is the log from the commit of package wpa_supplicant for openSUSE:Factory checked in at 2019-11-11 12:57:37
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/wpa_supplicant (Old)
 and      /work/SRC/openSUSE:Factory/.wpa_supplicant.new.2990 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "wpa_supplicant" Mon Nov 11 12:57:37 2019 rev:76 rq:745943 version:2.9 Changes: -------- --- /work/SRC/openSUSE:Factory/wpa_supplicant/wpa_supplicant.changes 2019-08-05 10:29:22.863452296 +0200 +++ /work/SRC/openSUSE:Factory/.wpa_supplicant.new.2990/wpa_supplicant.changes 2019-11-11 12:57:38.505515671 +0100 
@@ -1,0 +2,185 @@ +Mon Nov 4 10:57:57 UTC 2019 - Tomáš Chvátal <[email protected]> + +- Update to 2.9 release: + * SAE changes + - disable use of groups using Brainpool curves + - improved protection against side channel attacks + [https://w1.fi/security/2019-6/] + * EAP-pwd changes + - disable use of groups using Brainpool curves + - allow the set of groups to be configured (eap_pwd_groups) + - improved protection against side channel attacks + [https://w1.fi/security/2019-6/] + * fixed FT-EAP initial mobility domain association using PMKSA caching + (disabled by default for backwards compatibility; can be enabled + with ft_eap_pmksa_caching=1) + * fixed a regression in OpenSSL 1.1+ engine loading + * added validation of RSNE in (Re)Association Response frames + * fixed DPP bootstrapping URI parser of channel list + * extended EAP-SIM/AKA fast re-authentication to allow use with FILS + * extended ca_cert_blob to support PEM format + * improved robustness of P2P Action frame scheduling + * added support for EAP-SIM/AKA using anonymous@realm identity + * fixed Hotspot 2.0 credential selection based on roaming consortium + to ignore credentials without a specific EAP method + * added experimental support for EAP-TEAP peer (RFC 7170) + * added experimental support for EAP-TLS peer with TLS v1.3 + * fixed a regression in WMM parameter configuration for a TDLS peer + * fixed a regression in operation with drivers that offload 802.1X + 4-way handshake + * fixed an ECDH operation corner case with OpenSSL + * SAE changes + - added support for SAE Password Identifier + - changed default configuration to enable only groups 19, 20, 21 + (i.e., disable groups 25 and 26) and disable all unsuitable groups + completely based on REVmd changes + - do not regenerate PWE unnecessarily when the AP uses the + anti-clogging token mechanisms + - fixed some association cases where both SAE and FT-SAE were enabled + on both the station and the selected AP + - started to prefer FT-SAE over 
SAE AKM if both are enabled + - started to prefer FT-SAE over FT-PSK if both are enabled + - fixed FT-SAE when SAE PMKSA caching is used + - reject use of unsuitable groups based on new implementation guidance + in REVmd (allow only FFC groups with prime >= 3072 bits and ECC + groups with prime >= 256) + - minimize timing and memory use differences in PWE derivation + [https://w1.fi/security/2019-1/] (CVE-2019-9494) + * EAP-pwd changes + - minimize timing and memory use differences in PWE derivation + [https://w1.fi/security/2019-2/] (CVE-2019-9495) + - verify server scalar/element + [https://w1.fi/security/2019-4/] (CVE-2019-9499) + - fix message reassembly issue with unexpected fragment + [https://w1.fi/security/2019-5/] + - enforce rand,mask generation rules more strictly + - fix a memory leak in PWE derivation + - disallow ECC groups with a prime under 256 bits (groups 25, 26, and + 27) + * fixed CONFIG_IEEE80211R=y (FT) build without CONFIG_FILS=y + * Hotspot 2.0 changes + - do not indicate release number that is higher than the one + AP supports + - added support for release number 3 + - enable PMF automatically for network profiles created from + credentials + * fixed OWE network profile saving + * fixed DPP network profile saving + * added support for RSN operating channel validation + (CONFIG_OCV=y and network profile parameter ocv=1) + * added Multi-AP backhaul STA support + * fixed build with LibreSSL + * number of MKA/MACsec fixes and extensions + * extended domain_match and domain_suffix_match to allow list of values + * fixed dNSName matching in domain_match and domain_suffix_match when + using wolfSSL + * started to prefer FT-EAP-SHA384 over WPA-EAP-SUITE-B-192 AKM if both + are enabled + * extended nl80211 Connect and external authentication to support + SAE, FT-SAE, FT-EAP-SHA384 + * fixed KEK2 derivation for FILS+FT + * extended client_cert file to allow loading of a chain of PEM + encoded certificates + * extended beacon reporting functionality + 
* extended D-Bus interface with number of new properties + * fixed a regression in FT-over-DS with mac80211-based drivers + * OpenSSL: allow systemwide policies to be overridden + * extended driver flags indication for separate 802.1X and PSK + 4-way handshake offload capability + * added support for random P2P Device/Interface Address use + * extended PEAP to derive EMSK to enable use with ERP/FILS + * extended WPS to allow SAE configuration to be added automatically + for PSK (wps_cred_add_sae=1) + * removed support for the old D-Bus interface (CONFIG_CTRL_IFACE_DBUS) + * extended domain_match and domain_suffix_match to allow list of values + * added a RSN workaround for misbehaving PMF APs that advertise + IGTK/BIP KeyID using incorrect byte order + * fixed PTK rekeying with FILS and FT + * fixed WPA packet number reuse with replayed messages and key + reinstallation + [https://w1.fi/security/2017-1/] (CVE-2017-13077, CVE-2017-13078, + CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, + CVE-2017-13086, CVE-2017-13087, CVE-2017-13088) + * fixed unauthenticated EAPOL-Key decryption in wpa_supplicant + [https://w1.fi/security/2018-1/] (CVE-2018-14526) + * added support for FILS (IEEE 802.11ai) shared key authentication + * added support for OWE (Opportunistic Wireless Encryption, RFC 8110; + and transition mode defined by WFA) + * added support for DPP (Wi-Fi Device Provisioning Protocol) + * added support for RSA 3k key case with Suite B 192-bit level + * fixed Suite B PMKSA caching not to update PMKID during each 4-way + handshake + * fixed EAP-pwd pre-processing with PasswordHashHash + * added EAP-pwd client support for salted passwords + * fixed a regression in TDLS prohibited bit validation + * started to use estimated throughput to avoid undesired signal + strength based roaming decision + * MACsec/MKA: + - new macsec_linux driver interface support for the Linux + kernel macsec module + - number of fixes and extensions + * added support for 
external persistent storage of PMKSA cache + (PMKSA_GET/PMKSA_ADD control interface commands; and + MESH_PMKSA_GET/MESH_PMKSA_SET for the mesh case) + * fixed mesh channel configuration pri/sec switch case + * added support for beacon report + * large number of other fixes, cleanup, and extensions + * added support for randomizing local address for GAS queries + (gas_rand_mac_addr parameter) + * fixed EAP-SIM/AKA/AKA' ext auth cases within TLS tunnel + * added option for using random WPS UUID (auto_uuid=1) + * added SHA256-hash support for OCSP certificate matching + * fixed EAP-AKA' to add AT_KDF into Synchronization-Failure + * fixed a regression in RSN pre-authentication candidate selection + * added option to configure allowed group management cipher suites + (group_mgmt network profile parameter) + * removed all PeerKey functionality + * fixed nl80211 AP and mesh mode configuration regression with + Linux 4.15 and newer + * added ap_isolate configuration option for AP mode + * added support for nl80211 to offload 4-way handshake into the driver + * added support for using wolfSSL cryptographic library + * SAE + - added support for configuring SAE password separately of the + WPA2 PSK/passphrase + - fixed PTK and EAPOL-Key integrity and key-wrap algorithm selection + for SAE; + note: this is not backwards compatible, i.e., both the AP and + station side implementations will need to be update at the same + time to maintain interoperability + - added support for Password Identifier + - fixed FT-SAE PMKID matching + * Hotspot 2.0 + - added support for fetching of Operator Icon Metadata ANQP-element + - added support for Roaming Consortium Selection element + - added support for Terms and Conditions + - added support for OSEN connection in a shared RSN BSS + - added support for fetching Venue URL information + * added support for using OpenSSL 1.1.1 + * FT + - disabled PMKSA caching with FT since it is not fully functional + - added support for SHA384 based AKM + - 
added support for BIP ciphers BIP-CMAC-256, BIP-GMAC-128, + BIP-GMAC-256 in addition to previously supported BIP-CMAC-128 + - fixed additional IE inclusion in Reassociation Request frame when + using FT protocol +- Drop merged patches: + * rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch + * rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch + * rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch + * rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch + * rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch + * rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch + * rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch + * rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch + * rebased-v2.6-0009-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch + * wpa_supplicant-bnc-1099835-fix-private-key-password.patch + * wpa_supplicant-bnc-1099835-clear-default_passwd_cb.patch + * wpa_supplicant-log-file-permission.patch + * wpa_supplicant-log-file-cloexec.patch + * wpa_supplicant-git-fa67debf4c6ddbc881a212b175faa6d5d0d90c8c.patch + * wpa_supplicant-git-f5b74b966c942feb95a8ddbb7d130540b15b796d.patch +- Rebase patches: + * wpa_supplicant-getrandom.patch + +------------------------------------------------------------------- Old: ---- rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch 
rebased-v2.6-0009-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch wpa_supplicant-2.6.tar.gz wpa_supplicant-bnc-1099835-clear-default_passwd_cb.patch wpa_supplicant-bnc-1099835-fix-private-key-password.patch wpa_supplicant-git-f5b74b966c942feb95a8ddbb7d130540b15b796d.patch wpa_supplicant-git-fa67debf4c6ddbc881a212b175faa6d5d0d90c8c.patch wpa_supplicant-log-file-cloexec.patch wpa_supplicant-log-file-permission.patch New: ---- wpa_supplicant-2.9.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ wpa_supplicant.spec ++++++ --- /var/tmp/diff_new_pack.S1mvJF/_old 2019-11-11 12:57:40.097517357 +0100 +++ /var/tmp/diff_new_pack.S1mvJF/_new 2019-11-11 12:57:40.109517369 +0100 @@ -17,11 +17,10 @@ Name: wpa_supplicant -Version: 2.6 +Version: 2.9 Release: 0 Summary: WPA supplicant implementation License: BSD-3-Clause AND GPL-2.0-or-later -Group: Productivity/Networking/Other URL: https://w1.fi/wpa_supplicant Source0: https://w1.fi/releases/%{name}-%{version}.tar.gz Source1: config 
@@ -40,22 +39,6 @@ Patch3: wpa_supplicant-alloc_size.patch Patch4: wpa_supplicant-getrandom.patch Patch5: wpa_supplicant-dump-certificate-as-PEM-in-debug-mode.diff -Patch10: rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch -Patch11: rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch -Patch12: rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch -Patch13: rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch -Patch14: rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch -Patch15: rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch -Patch16: rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch -Patch17: rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch -Patch18: wpa_supplicant-bnc-1099835-fix-private-key-password.patch -Patch19: wpa_supplicant-bnc-1099835-clear-default_passwd_cb.patch -Patch20: rebased-v2.6-0009-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch -Patch21: wpa_supplicant-log-file-permission.patch -Patch22: wpa_supplicant-log-file-cloexec.patch -Patch23: wpa_supplicant-git-fa67debf4c6ddbc881a212b175faa6d5d0d90c8c.patch -Patch24: wpa_supplicant-git-f5b74b966c942feb95a8ddbb7d130540b15b796d.patch -BuildRequires: openssl-devel BuildRequires: pkgconfig BuildRequires: readline-devel BuildRequires: systemd-rpm-macros @@ -64,6 +47,7 @@ BuildRequires: pkgconfig(Qt5Widgets) BuildRequires: pkgconfig(dbus-1) BuildRequires: pkgconfig(libnl-3.0) +BuildRequires: pkgconfig(openssl) Requires: logrotate %description 
@@ -74,7 +58,6 @@ %package gui Summary: WPA supplicant graphical front-end -Group: System/Monitoring Requires: wpa_supplicant %description gui ++++++ wpa_supplicant-2.6.tar.gz -> wpa_supplicant-2.9.tar.gz ++++++ ++++ 153227 lines of diff (skipped) ++++++ wpa_supplicant-getrandom.patch ++++++ --- /var/tmp/diff_new_pack.S1mvJF/_old 2019-11-11 12:57:40.993518305 +0100 +++ /var/tmp/diff_new_pack.S1mvJF/_new 2019-11-11 12:57:40.993518305 +0100 @@ -1,5 +1,7 @@ ---- wpa_supplicant-2.4.orig/src/utils/os_unix.c -+++ wpa_supplicant-2.4/src/utils/os_unix.c +Index: wpa_supplicant-2.9/src/utils/os_unix.c +=================================================================== +--- wpa_supplicant-2.9.orig/src/utils/os_unix.c ++++ wpa_supplicant-2.9/src/utils/os_unix.c @@ -6,11 +6,15 @@ * See README for more details. */ @@ -17,28 +19,28 @@ #ifdef ANDROID #include <sys/capability.h> #include <sys/prctl.h> -@@ -223,6 +227,10 @@ void os_daemonize_terminate(const char * - - int os_get_random(unsigned char *buf, size_t len) - { +@@ -257,6 +261,10 @@ int os_get_random(unsigned char *buf, si + buf[i] = i & 0xff; + return 0; + #else /* TEST_FUZZ */ +#ifdef SYS_getrandom + int gr = TEMP_FAILURE_RETRY(syscall(SYS_getrandom, buf, len, 0)); + return (gr != -1 && gr == len) ? 0 : -1; -+#else ++#else /* SYS_getrandom */ FILE *f; size_t rc; -@@ -232,10 +240,13 @@ int os_get_random(unsigned char *buf, si +@@ -269,10 +277,13 @@ int os_get_random(unsigned char *buf, si return -1; } -+ setbuf(f, NULL); ++ setbuf(f, NULL); + rc = fread(buf, 1, len, f); fclose(f); return rc != len ? -1 : 0; -+#endif ++#endif /* SYS_getrandom */ + #endif /* TEST_FUZZ */ } -
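Review bot: in the wpa_supplicant.changes hunk (@@ -1,0 +2,185 @@) the bullet "extended domain_match and domain_suffix_match to allow list of values" appears twice in the "Update to 2.9 release" list, and "both the AP and station side implementations will need to be update at the same time" should read "updated"; both are copied from the upstream ChangeLog, so either trim the duplicate or keep the text verbatim deliberately. The SAE and EAP-pwd side-channel entries that cite https://w1.fi/security/2019-6/ carry no CVE id while the 2019-1, 2019-2 and 2019-4 entries do; if an id has been assigned, add it next to the URL so the security team can track it. Under "Drop merged patches", the rebased-v2.6 series maps to the "fixed WPA packet number reuse" and "fixed unauthenticated EAPOL-Key decryption" bullets (CVE-2017-13077 through CVE-2017-13088, CVE-2018-14526), but wpa_supplicant-log-file-permission.patch, wpa_supplicant-log-file-cloexec.patch and the two bnc-1099835 patches have no matching bullet in the quoted upstream list; confirm each of those fixes is actually present in the 2.9 tarball before calling them merged rather than dropped.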
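Review bot: the wpa_supplicant.spec hunk at @@ -40,22 +39,6 @@ removes Patch10 through Patch24 but the diff shows no change to %prep; if those patches are applied there by explicit %patch10 ... %patch24 lines rather than %autopatch, the matching lines must be removed too or the build fails in %prep. Swapping "BuildRequires: openssl-devel" for "BuildRequires: pkgconfig(openssl)" (the hunk at @@ -64,6 +47,7 @@) is fine and matches the other pkgconfig() build requirements in the file; the Group: removals in the two remaining hunks are consistent with the rest of the spec.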
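Review bot: in the rebased wpa_supplicant-getrandom.patch (hunk @@ -17,28 +19,28 @@) the line "return (gr != -1 && gr == len) ? 0 : -1;" compares the int returned by syscall() with the size_t len, which trips -Wsign-compare, and it treats a short read as failure instead of looping: getrandom(2) may legitimately return fewer than len bytes when len exceeds 256 or when a signal interrupts a request after some bytes have been delivered, so a caller asking for a large buffer would fall into the -1 path even though no error occurred. Loop until len bytes are collected, or at least cast gr to size_t after the -1 check. Note also that flags 0 blocks until the kernel pool is initialised, unlike the /dev/urandom read it replaces, which never blocks; that is the right behaviour for key material but deserves a sentence in the patch header so an early-boot hang is recognisable. TEMP_FAILURE_RETRY is a glibc extension that needs _GNU_SOURCE, which the @@ -6,11 +6,15 @@ hunk presumably provides but this diff does not show. The "setbuf(f, NULL);" added on the fallback path correctly stops stdio from reading ahead more urandom bytes than requested, and the rebase's move of the new block inside "#else /* TEST_FUZZ */" keeps the deterministic fuzzing output intact.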
