[gentoo-commits] repo/proj/libressl:master commit in: net-wireless/wpa_supplicant/files/, net-wireless/wpa_supplicant/

2023-08-29 Thread orbea
commit: 2ff2a2e237d77d0cbce3f4e74501393fbaddf9e1
Author: orbea  riseup  net>
AuthorDate: Tue Aug 29 22:50:48 2023 +
Commit: orbea  riseup  net>
CommitDate: Tue Aug 29 22:51:13 2023 +
URL:https://gitweb.gentoo.org/repo/proj/libressl.git/commit/?id=2ff2a2e2

net-wireless/wpa_supplicant: add 2.10-r3

Signed-off-by: orbea  riseup.net>

 ...p-security-level-to-0-with-OpenSSL-3.0-wh.patch |  57 +++
 ...upplicant-2.10-allow-legacy-renegotiation.patch |  30 ++
 .../wpa_supplicant/wpa_supplicant-2.10-r3.ebuild   | 491 +
 3 files changed, 578 insertions(+)

diff --git 
a/net-wireless/wpa_supplicant/files/wpa_supplicant-2.10-Drop-security-level-to-0-with-OpenSSL-3.0-wh.patch
 
b/net-wireless/wpa_supplicant/files/wpa_supplicant-2.10-Drop-security-level-to-0-with-OpenSSL-3.0-wh.patch
new file mode 100644
index 000..18f879c
--- /dev/null
+++ 
b/net-wireless/wpa_supplicant/files/wpa_supplicant-2.10-Drop-security-level-to-0-with-OpenSSL-3.0-wh.patch
@@ -0,0 +1,57 @@
+From: Jouni Malinen 
+Date: Sun, 22 May 2022 17:01:35 +0300
+Subject: OpenSSL: Drop security level to 0 with OpenSSL 3.0 when using TLS 
1.0/1.1
+
+Commit 9afb68b03976 ("OpenSSL: Allow systemwide secpolicy overrides for
+TLS version") with commit 58bbcfa31b18 ("OpenSSL: Update security level
+drop for TLS 1.0/1.1 with OpenSSL 3.0") allow this workaround to be
+enabled with an explicit network configuration parameter. However, the
+default settings are still allowing TLS 1.0 and 1.1 to be negotiated
+just to see them fail immediately when using OpenSSL 3.0. This is not
+exactly helpful especially when the OpenSSL error message for this
+particular case is "internal error" which does not really say anything
+about the reason for the error.
+
+It is is a bit inconvenient to update the security policy for this
+particular issue based on the negotiated TLS version since that happens
+in the middle of processing for the first message from the server.
+However, this can be done by using the debug callback for printing out
+the received TLS messages during processing.
+
+Drop the OpenSSL security level to 0 if that is the only option to
+continue the TLS negotiation, i.e., when TLS 1.0/1.1 are still allowed
+in wpa_supplicant default configuration and OpenSSL 3.0 with the
+constraint on MD5-SHA1 use.
+
+Signed-off-by: Jouni Malinen 
+
+Bug-Debian: https://bugs.debian.org/1011121
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1958267
+Origin: upstream, commit:bc99366f9b960150aa2e369048bbc2218c1d414e
+---
+ src/crypto/tls_openssl.c | 9 +
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
+index 6602ac64f591..78621d926dab 100644
+--- a/src/crypto/tls_openssl.c
 b/src/crypto/tls_openssl.c
+@@ -1557,6 +1557,15 @@ static void tls_msg_cb(int write_p, int version, int 
content_type,
+   struct tls_connection *conn = arg;
+   const u8 *pos = buf;
+ 
++#if OPENSSL_VERSION_NUMBER >= 0x3000L
++  if ((SSL_version(ssl) == TLS1_VERSION ||
++   SSL_version(ssl) == TLS1_1_VERSION) &&
++  SSL_get_security_level(ssl) > 0) {
++  wpa_printf(MSG_DEBUG,
++ "OpenSSL: Drop security level to 0 to allow TLS 
1.0/1.1 use of MD5-SHA1 signature algorithm");
++  SSL_set_security_level(ssl, 0);
++  }
++#endif /* OpenSSL version >= 3.0 */
+   if (write_p == 2) {
+   wpa_printf(MSG_DEBUG,
+  "OpenSSL: session ver=0x%x content_type=%d",
+-- 
+2.39.0
+
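Review bot: the new block in tls_msg_cb() drops the security level for any connection that happened to negotiate TLS 1.0/1.1, without consulting the explicit network configuration parameter that the commit message says commits 9afb68b03976 and 58bbcfa31b18 introduced for this workaround, so a default configuration now silently relaxes a policy the user never opted into; consider gating the `SSL_set_security_level(ssl, 0)` call on that parameter, or at least calling out the changed default in the overlay's wpa_supplicant.conf. Level 0 is also the library's blanket minimum rather than an MD5-SHA1-specific exception, so the debug message understates what is being relaxed. Finally, the guard constant appears here as `0x3000L` and the blob ids as `000..18f879c`, which looks like the archive collapsing repeated zeros; check the guard against the upstream commit named in the `Origin:` line (bc99366f9b960150aa2e369048bbc2218c1d414e) before carrying the file, and keep in mind that the whole block compiles out unless the linked library reports an OpenSSL 3.0 version number.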

diff --git 
a/net-wireless/wpa_supplicant/files/wpa_supplicant-2.10-allow-legacy-renegotiation.patch
 
b/net-wireless/wpa_supplicant/files/wpa_supplicant-2.10-allow-legacy-renegotiation.patch
new file mode 100644
index 000..574973f
--- /dev/null
+++ 
b/net-wireless/wpa_supplicant/files/wpa_supplicant-2.10-allow-legacy-renegotiation.patch
@@ -0,0 +1,30 @@
+From: James Ralston 
+Date: Sun, 1 May 2022 16:15:23 -0700
+Subject: Allow legacy renegotiation to fix PEAP issues with some servers
+
+Upstream: http://lists.infradead.org/pipermail/hostap/2022-May/040511.html
+---
+ src/crypto/tls_openssl.c | 10 ++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
+index 273e5cb..ad3aa1a 100644
+--- a/src/crypto/tls_openssl.c
 b/src/crypto/tls_openssl.c
+@@ -1056,6 +1056,16 @@ void * tls_init(const struct tls_config *conf)
+   SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv2);
+   SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv3);
+ 
++  /* Many enterprise PEAP server implementations (e.g. used in large
++   corporations and universities) do not support RFC5746 secure
++   renegotiation, and starting with OpenSSL 3.0,
++   SSL_OP_LEGACY_SERVER_CONNECT is no longer set as part of SSL_OP_ALL.
++   So until we implement a way to request SSL_OP_LEGACY_SERVER_CONNECT
++   only in EAP peer mode, just set SSL_OP_LEGACY_SERVER_CONNECT
++   globally. */
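Review bot: the hunk is cut off in this message right after the new comment, so the SSL_CTX_set_options() call that actually sets SSL_OP_LEGACY_SERVER_CONNECT is not visible here, but the comment itself states the option is set globally on the context built in tls_init() rather than only for EAP peer connections, so every TLS session using that context will accept a server that lacks RFC 5746 secure renegotiation; for a patch carried in the overlay's default build, consider making it opt-in through a network configuration parameter (the comment's own "until we implement a way to request ... only in EAP peer mode" points the same way) or at least noting the widened acceptance in the ebuild. Also, unlike the previous patch's `Origin: upstream, commit:` tag, the `Upstream:` line here points at a hostap mailing-list post, so the header should make clear this is a proposed rather than a merged upstream change.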

[gentoo-commits] repo/proj/libressl:master commit in: net-wireless/wpa_supplicant/files/, net-wireless/wpa_supplicant/files/2017-1/, ...

2021-05-13 Thread Quentin Retornaz
commit: fbcdcfc23e25521a79ab0082e15375843893d698
Author: Quentin Retornaz  retornaz  com>
AuthorDate: Thu May 13 15:16:47 2021 +
Commit: Quentin Retornaz  retornaz  com>
CommitDate: Thu May 13 15:16:47 2021 +
URL:https://gitweb.gentoo.org/repo/proj/libressl.git/commit/?id=fbcdcfc2

net-wireless/wpa_supplicant: new package

Closes: https://github.com/gentoo/libressl/issues/336
Package-Manager: Portage-3.0.18, Repoman-3.0.2
Signed-off-by: Quentin Retornaz  retornaz.com>

 net-wireless/wpa_supplicant/Manifest   |   1 +
 ...-Avoid-key-reinstallation-in-FT-handshake.patch | 174 
 ...nstallation-of-an-already-in-use-group-ke.patch | 250 +++
 ...ection-of-GTK-IGTK-reinstallation-of-WNM-.patch | 184 
 ...04-Prevent-installation-of-an-all-zero-TK.patch |  79 
 ...Fix-PTK-rekeying-to-generate-a-new-ANonce.patch |  64 +++
 ...6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch | 132 ++
 ...WNM-Sleep-Mode-Response-without-pending-r.patch |  43 ++
 ...llow-multiple-Reassociation-Response-fram.patch |  82 
 net-wireless/wpa_supplicant/files/wpa_cli.sh   |  46 ++
 ...do-not-call-dbus-functions-with-NULL-path.patch |  13 +
 ...y-ignore-management-frame-from-unexpected.patch |  73 
 .../files/wpa_supplicant-2.9-libressl.patch|  12 +
 .../wpa_supplicant/files/wpa_supplicant-conf.d |  10 +
 .../wpa_supplicant/files/wpa_supplicant-init.d |  70 +++
 .../wpa_supplicant/files/wpa_supplicant.conf   |   7 +
 net-wireless/wpa_supplicant/metadata.xml   |  31 ++
 .../wpa_supplicant/wpa_supplicant-2.9-r2.ebuild| 472 +
 18 files changed, 1743 insertions(+)

diff --git a/net-wireless/wpa_supplicant/Manifest 
b/net-wireless/wpa_supplicant/Manifest
new file mode 100644
index 000..07c6500
--- /dev/null
+++ b/net-wireless/wpa_supplicant/Manifest
@@ -0,0 +1 @@
+DIST wpa_supplicant-2.9.tar.gz 3231785 BLAKE2B 
f1e2a5cb37b02d5c74116b5bc7f67c47d85f916c972cbd6b881d63a317161294a37c8517aabe6c74f9617c762aaa76d869f318af311473160e87bac8ac2a1807
 SHA512 
37a33f22cab9d27084fbef29856eaea0f692ff339c5b38bd32402dccf293cb849afd4a870cd3b5ca78179f0102f4011ce2f3444a53dc41dc75a5863b0a2226c8
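Review bot: the DIST line pins wpa_supplicant-2.9.tar.gz by size, BLAKE2B and SHA512, which is what a new package needs, but nothing in the diff shows where the digests came from; since this commit adds the package from scratch, verify them against the tarball fetched from upstream rather than a cached copy. (The entry is one line in the Manifest; the wrapping seen here is the archive's.)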

diff --git 
a/net-wireless/wpa_supplicant/files/2017-1/rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch
 
b/net-wireless/wpa_supplicant/files/2017-1/rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch
new file mode 100644
index 000..7276848
--- /dev/null
+++ 
b/net-wireless/wpa_supplicant/files/2017-1/rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch
@@ -0,0 +1,174 @@
+From cf4cab804c7afd5c45505528a8d16e46163243a2 Mon Sep 17 00:00:00 2001
+From: Mathy Vanhoef 
+Date: Fri, 14 Jul 2017 15:15:35 +0200
+Subject: [PATCH 1/8] hostapd: Avoid key reinstallation in FT handshake
+
+Do not reinstall TK to the driver during Reassociation Response frame
+processing if the first attempt of setting the TK succeeded. This avoids
+issues related to clearing the TX/RX PN that could result in reusing
+same PN values for transmitted frames (e.g., due to CCM nonce reuse and
+also hitting replay protection on the receiver) and accepting replayed
+frames on RX side.
+
+This issue was introduced by the commit
+0e84c25434e6a1f283c7b4e62e483729085b78d2 ('FT: Fix PTK configuration in
+authenticator') which allowed wpa_ft_install_ptk() to be called multiple
+times with the same PTK. While the second configuration attempt is
+needed with some drivers, it must be done only if the first attempt
+failed.
+
+Signed-off-by: Mathy Vanhoef 
+---
+ src/ap/ieee802_11.c  | 16 +---
+ src/ap/wpa_auth.c| 11 +++
+ src/ap/wpa_auth.h|  3 ++-
+ src/ap/wpa_auth_ft.c | 10 ++
+ src/ap/wpa_auth_i.h  |  1 +
+ 5 files changed, 37 insertions(+), 4 deletions(-)
+
+diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
+index 4e04169..333035f 100644
+--- a/src/ap/ieee802_11.c
 b/src/ap/ieee802_11.c
+@@ -1841,6 +1841,7 @@ static int add_associated_sta(struct hostapd_data *hapd,
+ {
+   struct ieee80211_ht_capabilities ht_cap;
+   struct ieee80211_vht_capabilities vht_cap;
++  int set = 1;
+ 
+   /*
+* Remove the STA entry to ensure the STA PS state gets cleared and
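Review bot: `int set = 1;` is introduced here but not used anywhere in this hunk; it only makes sense together with the conditional in the next hunk of add_associated_sta(), so the two hunks have to be reviewed as one change, and because the name `set` says nothing about what it controls, a one-line comment at the declaration would help whoever rebases this 2017-1 fix onto a later release.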
+@@ -1848,9 +1849,18 @@ static int add_associated_sta(struct hostapd_data *hapd,
+* FT-over-the-DS, where a station re-associates back to the same AP but
+* skips the authentication flow, or if working with a driver that
+* does not support full AP client state.
++   *
++   * Skip this if the STA has already completed FT reassociation and the
++   * TK has been configured since the TX/RX PN must not be reset to 0 for
++   * the same key.
+*/
+-  if (!sta->added_unassoc)
++  if (!sta->added_unassoc &&
++  (!(sta->flags & WLAN_STA_AUTHORIZED) ||
++   !wpa_auth_sta_ft_tk_already_set(sta->wpa_sm))) {
+
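Review bot: the new condition only removes the driver STA entry when the STA is not yet authorized or its FT TK has not been set, which matches the added comment, but the hunk is cut off right after the opening brace, so the body (including how `set` from the first hunk is updated there) cannot be reviewed in this message. Two things to confirm in the full patch: that wpa_auth_sta_ft_tk_already_set() copes with a NULL `sta->wpa_sm`, since add_associated_sta() runs for every associating STA and the helper is now called from it for any authorized STA regardless of security type; and that the brace added to the `if` line is matched by a closing brace later in the hunk, since the original was a brace-less single-statement `if`.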