[gentoo-commits] repo/proj/libressl:master commit in: net-wireless/wpa_supplicant/files/, net-wireless/wpa_supplicant/
commit: 2ff2a2e237d77d0cbce3f4e74501393fbaddf9e1 Author: orbea riseup net> AuthorDate: Tue Aug 29 22:50:48 2023 + Commit: orbea riseup net> CommitDate: Tue Aug 29 22:51:13 2023 + URL:https://gitweb.gentoo.org/repo/proj/libressl.git/commit/?id=2ff2a2e2 net-wireless/wpa_supplicant: add 2.10-r3 Signed-off-by: orbea riseup.net> ...p-security-level-to-0-with-OpenSSL-3.0-wh.patch | 57 +++ ...upplicant-2.10-allow-legacy-renegotiation.patch | 30 ++ .../wpa_supplicant/wpa_supplicant-2.10-r3.ebuild | 491 + 3 files changed, 578 insertions(+) diff --git a/net-wireless/wpa_supplicant/files/wpa_supplicant-2.10-Drop-security-level-to-0-with-OpenSSL-3.0-wh.patch b/net-wireless/wpa_supplicant/files/wpa_supplicant-2.10-Drop-security-level-to-0-with-OpenSSL-3.0-wh.patch new file mode 100644 index 000..18f879c --- /dev/null +++ b/net-wireless/wpa_supplicant/files/wpa_supplicant-2.10-Drop-security-level-to-0-with-OpenSSL-3.0-wh.patch 
@@ -0,0 +1,57 @@ +From: Jouni Malinen +Date: Sun, 22 May 2022 17:01:35 +0300 +Subject: OpenSSL: Drop security level to 0 with OpenSSL 3.0 when using TLS 1.0/1.1 + +Commit 9afb68b03976 ("OpenSSL: Allow systemwide secpolicy overrides for +TLS version") with commit 58bbcfa31b18 ("OpenSSL: Update security level +drop for TLS 1.0/1.1 with OpenSSL 3.0") allow this workaround to be +enabled with an explicit network configuration parameter. However, the +default settings are still allowing TLS 1.0 and 1.1 to be negotiated +just to see them fail immediately when using OpenSSL 3.0. This is not +exactly helpful especially when the OpenSSL error message for this +particular case is "internal error" which does not really say anything +about the reason for the error. + +It is is a bit inconvenient to update the security policy for this +particular issue based on the negotiated TLS version since that happens +in the middle of processing for the first message from the server. +However, this can be done by using the debug callback for printing out +the received TLS messages during processing. + +Drop the OpenSSL security level to 0 if that is the only option to +continue the TLS negotiation, i.e., when TLS 1.0/1.1 are still allowed +in wpa_supplicant default configuration and OpenSSL 3.0 with the +constraint on MD5-SHA1 use. 
+ +Signed-off-by: Jouni Malinen + +Bug-Debian: https://bugs.debian.org/1011121 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1958267 +Origin: upstream, commit:bc99366f9b960150aa2e369048bbc2218c1d414e +--- + src/crypto/tls_openssl.c | 9 + + 1 file changed, 9 insertions(+) + +diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c +index 6602ac64f591..78621d926dab 100644 +--- a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c +@@ -1557,6 +1557,15 @@ static void tls_msg_cb(int write_p, int version, int content_type, + struct tls_connection *conn = arg; + const u8 *pos = buf; + ++#if OPENSSL_VERSION_NUMBER >= 0x3000L ++ if ((SSL_version(ssl) == TLS1_VERSION || ++ SSL_version(ssl) == TLS1_1_VERSION) && ++ SSL_get_security_level(ssl) > 0) { ++ wpa_printf(MSG_DEBUG, ++ "OpenSSL: Drop security level to 0 to allow TLS 1.0/1.1 use of MD5-SHA1 signature algorithm"); ++ SSL_set_security_level(ssl, 0); ++ } ++#endif /* OpenSSL version >= 3.0 */ + if (write_p == 2) { + wpa_printf(MSG_DEBUG, + "OpenSSL: session ver=0x%x content_type=%d", +-- +2.39.0 + diff --git a/net-wireless/wpa_supplicant/files/wpa_supplicant-2.10-allow-legacy-renegotiation.patch b/net-wireless/wpa_supplicant/files/wpa_supplicant-2.10-allow-legacy-renegotiation.patch new file mode 100644 index 000..574973f --- /dev/null +++ b/net-wireless/wpa_supplicant/files/wpa_supplicant-2.10-allow-legacy-renegotiation.patch 
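Review bot: the SSL_set_security_level(ssl, 0) call in the tls_msg_cb hunk relaxes every check that OpenSSL's security level enforces for that connection (minimum key sizes and cipher strength as well as signature algorithms), not only the MD5-SHA1 constraint the debug message names, and it fires unconditionally whenever the peer negotiates TLS 1.0/1.1, so the "explicit network configuration parameter" gate described in the message no longer applies on OpenSSL 3.0: a server that selects TLS 1.0/1.1 gets level 0 on its own. Suggest logging the downgrade at MSG_INFO rather than MSG_DEBUG so it shows up in normal logs, and stating in the message that the level drop is broader than the signature algorithm. Also check the version guard: as shown it reads `#if OPENSSL_VERSION_NUMBER >= 0x3000L`, which every OpenSSL 1.x release also satisfies; the 3.0 threshold is `0x30000000L` (the `index 000..18f879c` line suggests runs of zeros were collapsed in transit, so verify the committed file carries the full constant).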
@@ -0,0 +1,30 @@ +From: James Ralston +Date: Sun, 1 May 2022 16:15:23 -0700 +Subject: Allow legacy renegotiation to fix PEAP issues with some servers + +Upstream: http://lists.infradead.org/pipermail/hostap/2022-May/040511.html +--- + src/crypto/tls_openssl.c | 10 ++ + 1 file changed, 10 insertions(+) + +diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c +index 273e5cb..ad3aa1a 100644 +--- a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c +@@ -1056,6 +1056,16 @@ void * tls_init(const struct tls_config *conf) + SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv2); + SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv3); + ++ /* Many enterprise PEAP server implementations (e.g. used in large ++ corporations and universities) do not support RFC5746 secure ++ renegotiation, and starting with OpenSSL 3.0, ++ SSL_OP_LEGACY_SERVER_CONNECT is no longer set as part of SSL_OP_ALL. ++ So until we implement a way to request SSL_OP_LEGACY_SERVER_CONNECT ++ only in EAP peer mode, just set SSL_OP_LEGACY_SERVER_CONNECT ++ globally. */
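Review bot: the comment in the tls_init hunk itself names the trade-off: setting SSL_OP_LEGACY_SERVER_CONNECT on the shared SSL_CTX re-enables pre-RFC 5746 (insecure) renegotiation for every TLS use that goes through this tls_init, not only EAP peer connections to PEAP servers, and gives back the protection OpenSSL 3.0 deliberately removed from SSL_OP_ALL. Rather than "just set SSL_OP_LEGACY_SERVER_CONNECT globally", suggest tying the option to a configuration parameter that defaults to off, so deployments that never talk to such servers keep secure renegotiation enforced. The hunk is cut off after the comment in this message, so the SSL_CTX_set_options line and any conditional around it are not visible for review.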
[gentoo-commits] repo/proj/libressl:master commit in: net-wireless/wpa_supplicant/files/, net-wireless/wpa_supplicant/files/2017-1/, ...
commit: fbcdcfc23e25521a79ab0082e15375843893d698 Author: Quentin Retornaz retornaz com> AuthorDate: Thu May 13 15:16:47 2021 + Commit: Quentin Retornaz retornaz com> CommitDate: Thu May 13 15:16:47 2021 + URL:https://gitweb.gentoo.org/repo/proj/libressl.git/commit/?id=fbcdcfc2 net-wireless/wpa_supplicant: new package Closes: https://github.com/gentoo/libressl/issues/336 Package-Manager: Portage-3.0.18, Repoman-3.0.2 Signed-off-by: Quentin Retornaz retornaz.com> net-wireless/wpa_supplicant/Manifest | 1 + ...-Avoid-key-reinstallation-in-FT-handshake.patch | 174 ...nstallation-of-an-already-in-use-group-ke.patch | 250 +++ ...ection-of-GTK-IGTK-reinstallation-of-WNM-.patch | 184 ...04-Prevent-installation-of-an-all-zero-TK.patch | 79 ...Fix-PTK-rekeying-to-generate-a-new-ANonce.patch | 64 +++ ...6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch | 132 ++ ...WNM-Sleep-Mode-Response-without-pending-r.patch | 43 ++ ...llow-multiple-Reassociation-Response-fram.patch | 82 net-wireless/wpa_supplicant/files/wpa_cli.sh | 46 ++ ...do-not-call-dbus-functions-with-NULL-path.patch | 13 + ...y-ignore-management-frame-from-unexpected.patch | 73 .../files/wpa_supplicant-2.9-libressl.patch| 12 + .../wpa_supplicant/files/wpa_supplicant-conf.d | 10 + .../wpa_supplicant/files/wpa_supplicant-init.d | 70 +++ .../wpa_supplicant/files/wpa_supplicant.conf | 7 + net-wireless/wpa_supplicant/metadata.xml | 31 ++ .../wpa_supplicant/wpa_supplicant-2.9-r2.ebuild| 472 + 18 files changed, 1743 insertions(+) diff --git a/net-wireless/wpa_supplicant/Manifest b/net-wireless/wpa_supplicant/Manifest new file mode 100644 index 000..07c6500 --- /dev/null +++ b/net-wireless/wpa_supplicant/Manifest 
@@ -0,0 +1 @@ +DIST wpa_supplicant-2.9.tar.gz 3231785 BLAKE2B f1e2a5cb37b02d5c74116b5bc7f67c47d85f916c972cbd6b881d63a317161294a37c8517aabe6c74f9617c762aaa76d869f318af311473160e87bac8ac2a1807 SHA512 37a33f22cab9d27084fbef29856eaea0f692ff339c5b38bd32402dccf293cb849afd4a870cd3b5ca78179f0102f4011ce2f3444a53dc41dc75a5863b0a2226c8 diff --git a/net-wireless/wpa_supplicant/files/2017-1/rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch b/net-wireless/wpa_supplicant/files/2017-1/rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch new file mode 100644 index 000..7276848 --- /dev/null +++ b/net-wireless/wpa_supplicant/files/2017-1/rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch 
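Review bot: the Manifest pins wpa_supplicant-2.9.tar.gz, but the eight patches added under files/2017-1/ are named rebased-v2.6-000N-...; confirm whether wpa_supplicant-2.9-r2.ebuild (listed in the diffstat but not shown in this message) actually applies them. Patches rebased against 2.6 need re-checking against the 2.9 sources before being applied, and if the ebuild does not apply them they are dead files in the package directory.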
@@ -0,0 +1,174 @@ +From cf4cab804c7afd5c45505528a8d16e46163243a2 Mon Sep 17 00:00:00 2001 +From: Mathy Vanhoef +Date: Fri, 14 Jul 2017 15:15:35 +0200 +Subject: [PATCH 1/8] hostapd: Avoid key reinstallation in FT handshake + +Do not reinstall TK to the driver during Reassociation Response frame +processing if the first attempt of setting the TK succeeded. This avoids +issues related to clearing the TX/RX PN that could result in reusing +same PN values for transmitted frames (e.g., due to CCM nonce reuse and +also hitting replay protection on the receiver) and accepting replayed +frames on RX side. + +This issue was introduced by the commit +0e84c25434e6a1f283c7b4e62e483729085b78d2 ('FT: Fix PTK configuration in +authenticator') which allowed wpa_ft_install_ptk() to be called multiple +times with the same PTK. While the second configuration attempt is +needed with some drivers, it must be done only if the first attempt +failed. + +Signed-off-by: Mathy Vanhoef +--- + src/ap/ieee802_11.c | 16 +--- + src/ap/wpa_auth.c| 11 +++ + src/ap/wpa_auth.h| 3 ++- + src/ap/wpa_auth_ft.c | 10 ++ + src/ap/wpa_auth_i.h | 1 + + 5 files changed, 37 insertions(+), 4 deletions(-) + +diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c +index 4e04169..333035f 100644 +--- a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c +@@ -1841,6 +1841,7 @@ static int add_associated_sta(struct hostapd_data *hapd, + { + struct ieee80211_ht_capabilities ht_cap; + struct ieee80211_vht_capabilities vht_cap; ++ int set = 1; + + /* +* Remove the STA entry to ensure the STA PS state gets cleared and +@@ -1848,9 +1849,18 @@ static int add_associated_sta(struct hostapd_data *hapd, +* FT-over-the-DS, where a station re-associates back to the same AP but +* skips the authentication flow, or if working with a driver that +* does not support full AP client state. 
++ * ++ * Skip this if the STA has already completed FT reassociation and the ++ * TK has been configured since the TX/RX PN must not be reset to 0 for ++ * the same key. +*/ +- if (!sta->added_unassoc) ++ if (!sta->added_unassoc && ++ (!(sta->flags & WLAN_STA_AUTHORIZED) || ++ !wpa_auth_sta_ft_tk_already_set(sta->wpa_sm))) { +
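Review bot: the new condition in add_associated_sta calls wpa_auth_sta_ft_tk_already_set(sta->wpa_sm); sta->wpa_sm is NULL for stations without a WPA state machine, and the src/ap/wpa_auth.c part of this patch (where the diffstat says 11 lines are added, presumably including the helper) is not visible here, so confirm the helper returns 0 for a NULL sm rather than dereferencing it. The hunk also introduces `int set = 1;` whose only use lies beyond the point where the text is cut off, so the branch that skips re-setting the TK when the first attempt succeeded, which is what the subject line promises, cannot be checked from this message.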