diff --git b/package/wpa_supplicant/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch a/package/wpa_supplicant/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch
new file mode 100644
index 0000000000..959788c2e9
--- /dev/null
+++ a/package/wpa_supplicant/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch
@@ -0,0 +1,77 @@ +From 8c07fa9eda13e835f3f968b2e1c9a8be3a851ff9 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Thu, 29 Aug 2019 11:52:04 +0300 +Subject: [PATCH] AP: Silently ignore management frame from unexpected source + address + +Do not process any received Management frames with unexpected/invalid SA +so that we do not add any state for unexpected STA addresses or end up +sending out frames to unexpected destination. This prevents unexpected +sequences where an unprotected frame might end up causing the AP to send +out a response to another device and that other device processing the +unexpected response. + +In particular, this prevents some potential denial of service cases +where the unexpected response frame from the AP might result in a +connected station dropping its association. + +Signed-off-by: Jouni Malinen + +Signed-off-by: Fabrice Fontaine +[Retrieved from: +https://w1.fi/security/2019-7/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch] +--- + src/ap/drv_callbacks.c | 13 +++++++++++++ + src/ap/ieee802_11.c | 12 ++++++++++++ + 2 files changed, 25 insertions(+) + +diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c +index 31587685fe3b..34ca379edc3d 100644 +--- a/src/ap/drv_callbacks.c ++++ b/src/ap/drv_callbacks.c +@@ -131,6 +131,19 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr, + "hostapd_notif_assoc: Skip event with no address"); + return -1; + } ++ ++ if (is_multicast_ether_addr(addr) || ++ is_zero_ether_addr(addr) || ++ os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) { ++ /* Do not process any frames with unexpected/invalid SA so that ++ * we do not add any state for unexpected STA addresses or end ++ * up sending out frames to unexpected destination. 
*/ ++ wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR ++ " in received indication - ignore this indication silently", ++ __func__, MAC2STR(addr)); ++ return 0; ++ } ++ + random_add_randomness(addr, ETH_ALEN); + + hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211, +diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c +index c85a28db44b7..e7065372e158 100644 +--- a/src/ap/ieee802_11.c ++++ b/src/ap/ieee802_11.c +@@ -4626,6 +4626,18 @@ int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len, + fc = le_to_host16(mgmt->frame_control); + stype = WLAN_FC_GET_STYPE(fc); + ++ if (is_multicast_ether_addr(mgmt->sa) || ++ is_zero_ether_addr(mgmt->sa) || ++ os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) { ++ /* Do not process any frames with unexpected/invalid SA so that ++ * we do not add any state for unexpected STA addresses or end ++ * up sending out frames to unexpected destination. */ ++ wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR ++ " in received frame - ignore this frame silently", ++ MAC2STR(mgmt->sa)); ++ return 0; ++ } ++ + if (stype == WLAN_FC_STYPE_BEACON) { + handle_beacon(hapd, mgmt, len, fi); + return 1; +-- +2.20.1 + diff --git b/package/wpa_supplicant/0001-build-re-enable-options-for-libwpa_client.so-and-.patch a/package/wpa_supplicant/0001-build-re-enable-options-for-libwpa_client.so-and-.patch deleted file mode 100644 index 156d0e7e2c..0000000000 --- b/package/wpa_supplicant/0001-build-re-enable-options-for-libwpa_client.so-and-.patch +++ /dev/null 
@@ -1,68 +0,0 @@ -From e6a6a4e3df52cc60425fcd037d3ec68a38f948ce Mon Sep 17 00:00:00 2001 -From: Sergey Matyukevich -Date: Sun, 20 Feb 2022 10:12:28 +0300 -Subject: [PATCH] build: re-enable options for libwpa_client.so and wpa_passphrase - -Commit a41a29192e5d ("build: Pull common fragments into a build.rules -file") introduced regression into wpa_supplicant build process. Build -target libwpa_client.so is not built regardless of whether the option -CONFIG_BUILD_WPA_CLIENT_SO is set or not. This happens because config -option is used before it is imported from the configuration file. -Moving its usage after including build.rules does not help: variable -ALL is processed by build.rules and further changes are not applied. -Similarly, option CONFIG_NO_WPA_PASSPHRASE also does not work as -expected: wpa_passphrase is always built regardless of whether the -option is set or not. - -This commit re-enables options adding both build targets to _all -dependencies. - -Signed-off-by: Sergey Matyukevich ---- - wpa_supplicant/Makefile | 19 ++++++++++++------- - 1 file changed, 12 insertions(+), 7 deletions(-) - -diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile -index cb66defac..e384cc6b8 100644 ---- a/wpa_supplicant/Makefile -+++ b/wpa_supplicant/Makefile -@@ -1,24 +1,29 @@ - BINALL=wpa_supplicant wpa_cli - --ifndef CONFIG_NO_WPA_PASSPHRASE --BINALL += wpa_passphrase --endif -- - ALL = $(BINALL) - ALL += systemd/wpa_supplicant.service - ALL += systemd/wpa_supplicant@.service - ALL += systemd/wpa_supplicant-nl80211@.service - ALL += systemd/wpa_supplicant-wired@.service - ALL += dbus/fi.w1.wpa_supplicant1.service --ifdef CONFIG_BUILD_WPA_CLIENT_SO --ALL += libwpa_client.so --endif - - EXTRA_TARGETS=dynamic_eap_methods - - CONFIG_FILE=.config - include ../src/build.rules - -+ifdef CONFIG_BUILD_WPA_CLIENT_SO -+# add the dependency this way to allow CONFIG_BUILD_WPA_CLIENT_SO -+# being set in the config which is read by build.rules -+_all: libwpa_client.so -+endif -+ 
-+ifndef CONFIG_NO_WPA_PASSPHRASE -+# add the dependency this way to allow CONFIGNO_WPA_PASSPHRASE -+# being set in the config which is read by build.rules -+_all: wpa_passphrase -+endif -+ - ifdef LIBS - # If LIBS is set with some global build system defaults, clone those for - # LIBS_c and LIBS_p to cover wpa_passphrase and wpa_cli as well. --- -2.35.1 - diff --git b/package/wpa_supplicant/0002-ASN.1-Validate-DigestAlgorithmIdentifier-parameters.patch a/package/wpa_supplicant/0002-ASN.1-Validate-DigestAlgorithmIdentifier-parameters.patch new file mode 100644 index 0000000000..5dcfed9406 --- /dev/null +++ a/package/wpa_supplicant/0002-ASN.1-Validate-DigestAlgorithmIdentifier-parameters.patch 
@@ -0,0 +1,116 @@ +From a0541334a6394f8237a4393b7372693cd7e96f15 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Sat, 13 Mar 2021 18:19:31 +0200 +Subject: [PATCH] ASN.1: Validate DigestAlgorithmIdentifier parameters + +The supported hash algorithms do not use AlgorithmIdentifier parameters. +However, there are implementations that include NULL parameters in +addition to ones that omit the parameters. Previous implementation did +not check the parameters value at all which supported both these cases, +but did not reject any other unexpected information. + +Use strict validation of digest algorithm parameters and reject any +unexpected value when validating a signature. This is needed to prevent +potential forging attacks. + +Signed-off-by: Jouni Malinen +Signed-off-by: Peter Korsgaard +--- + src/tls/pkcs1.c | 21 +++++++++++++++++++++ + src/tls/x509v3.c | 20 ++++++++++++++++++++ + 2 files changed, 41 insertions(+) + +diff --git a/src/tls/pkcs1.c b/src/tls/pkcs1.c +index bbdb0d72d..5761dfed0 100644 +--- a/src/tls/pkcs1.c ++++ b/src/tls/pkcs1.c +@@ -244,6 +244,8 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk, + os_free(decrypted); + return -1; + } ++ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: DigestInfo", ++ hdr.payload, hdr.length); + + pos = hdr.payload; + end = pos + hdr.length; +@@ -265,6 +267,8 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk, + os_free(decrypted); + return -1; + } ++ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: DigestAlgorithmIdentifier", ++ hdr.payload, hdr.length); + da_end = hdr.payload + hdr.length; + + if (asn1_get_oid(hdr.payload, hdr.length, &oid, &next)) { +@@ -273,6 +277,23 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk, + os_free(decrypted); + return -1; + } ++ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: Digest algorithm parameters", ++ next, da_end - next); ++ ++ /* ++ * RFC 5754: The correct encoding for the SHA2 algorithms would be to ++ * omit the parameters, but there are implementation that encode these ++ * as a NULL element. 
Allow these two cases and reject anything else. ++ */ ++ if (da_end > next && ++ (asn1_get_next(next, da_end - next, &hdr) < 0 || ++ !asn1_is_null(&hdr) || ++ hdr.payload + hdr.length != da_end)) { ++ wpa_printf(MSG_DEBUG, ++ "PKCS #1: Unexpected digest algorithm parameters"); ++ os_free(decrypted); ++ return -1; ++ } + + if (!asn1_oid_equal(&oid, hash_alg)) { + char txt[100], txt2[100]; +diff --git a/src/tls/x509v3.c b/src/tls/x509v3.c +index a8944dd2f..df337ec4d 100644 +--- a/src/tls/x509v3.c ++++ b/src/tls/x509v3.c +@@ -1964,6 +1964,7 @@ int x509_check_signature(struct x509_certificate *issuer, + os_free(data); + return -1; + } ++ wpa_hexdump(MSG_MSGDUMP, "X509: DigestInfo", hdr.payload, hdr.length); + + pos = hdr.payload; + end = pos + hdr.length; +@@ -1985,6 +1986,8 @@ int x509_check_signature(struct x509_certificate *issuer, + os_free(data); + return -1; + } ++ wpa_hexdump(MSG_MSGDUMP, "X509: DigestAlgorithmIdentifier", ++ hdr.payload, hdr.length); + da_end = hdr.payload + hdr.length; + + if (asn1_get_oid(hdr.payload, hdr.length, &oid, &next)) { +@@ -1992,6 +1995,23 @@ int x509_check_signature(struct x509_certificate *issuer, + os_free(data); + return -1; + } ++ wpa_hexdump(MSG_MSGDUMP, "X509: Digest algorithm parameters", ++ next, da_end - next); ++ ++ /* ++ * RFC 5754: The correct encoding for the SHA2 algorithms would be to ++ * omit the parameters, but there are implementation that encode these ++ * as a NULL element. Allow these two cases and reject anything else. ++ */ ++ if (da_end > next && ++ (asn1_get_next(next, da_end - next, &hdr) < 0 || ++ !asn1_is_null(&hdr) || ++ hdr.payload + hdr.length != da_end)) { ++ wpa_printf(MSG_DEBUG, ++ "X509: Unexpected digest algorithm parameters"); ++ os_free(data); ++ return -1; ++ } + + if (x509_sha1_oid(&oid)) { + if (signature->oid.oid[6] != 5 /* sha-1WithRSAEncryption */) { +-- +2.20.1 + 
diff --git b/package/wpa_supplicant/0002-wpa_supplicant-use-a-less-generic-name-for-IEEE802.1.patch a/package/wpa_supplicant/0002-wpa_supplicant-use-a-less-generic-name-for-IEEE802.1.patch
deleted file mode 100644
index a8637111bb..0000000000
--- b/package/wpa_supplicant/0002-wpa_supplicant-use-a-less-generic-name-for-IEEE802.1.patch
+++ /dev/null
@@ -1,79 +0,0 @@ -From c8af2e431b47d7d900e0c7359705aaa1096d302a Mon Sep 17 00:00:00 2001 -From: Sergey Matyukevich -Date: Fri, 16 Sep 2022 23:18:50 +0300 -Subject: [PATCH] wpa_supplicant: use a less generic name for IEEE802.11 CRC-32 routine - -Hostapd uses 'crc32' name for IEEE802.11 CRC-32 routine. This name is -too generic. Buildroot autobuilder detected build configuration that -failed to build due to the naming conflict: static linking with openssl -using zlib-ng as a zlib provider, e.g. see: -- http://autobuild.buildroot.net/results/9901df820d3afa4cde78e8ad6d62cb8ce7e69fdb/ -- http://autobuild.buildroot.net/results/ac19975f0bf77f4a8ca574c374092ba81cd5a332/ - -Use a less generic name ieee80211_crc32 for IEEE802.11 CRC-32 routine -to avoid such naming conflicts. - -Upstream: https://w1.fi/cgit/hostap/commit/?id=0c7b3814ca6070a8e930dea09fde08b4058a4ca6 -Signed-off-by: Sergey Matyukevich ---- - src/ap/hostapd.c | 3 ++- - src/ap/neighbor_db.c | 2 +- - src/utils/crc32.c | 2 +- - src/utils/crc32.h | 2 +- - 4 files changed, 5 insertions(+), 4 deletions(-) - -diff --git a/src/ap/hostapd.c b/src/ap/hostapd.c -index 4b88641a2..56c8fb90e 100644 ---- a/src/ap/hostapd.c -+++ b/src/ap/hostapd.c -@@ -1230,7 +1230,8 @@ static int hostapd_setup_bss(struct hostapd_data *hapd, int first) - * Short SSID calculation is identical to FCS and it is defined in - * IEEE P802.11-REVmd/D3.0, 9.4.2.170.3 (Calculating the Short-SSID). 
- */ -- conf->ssid.short_ssid = crc32(conf->ssid.ssid, conf->ssid.ssid_len); -+ conf->ssid.short_ssid = ieee80211_crc32(conf->ssid.ssid, -+ conf->ssid.ssid_len); - - if (!hostapd_drv_none(hapd)) { - wpa_printf(MSG_DEBUG, "Using interface %s with hwaddr " MACSTR -diff --git a/src/ap/neighbor_db.c b/src/ap/neighbor_db.c -index 229edd2a9..ef17634c3 100644 ---- a/src/ap/neighbor_db.c -+++ b/src/ap/neighbor_db.c -@@ -136,7 +136,7 @@ int hostapd_neighbor_set(struct hostapd_data *hapd, const u8 *bssid, - - os_memcpy(entry->bssid, bssid, ETH_ALEN); - os_memcpy(&entry->ssid, ssid, sizeof(entry->ssid)); -- entry->short_ssid = crc32(ssid->ssid, ssid->ssid_len); -+ entry->short_ssid = ieee80211_crc32(ssid->ssid, ssid->ssid_len); - - entry->nr = wpabuf_dup(nr); - if (!entry->nr) -diff --git a/src/utils/crc32.c b/src/utils/crc32.c -index 12d9e2a70..371254994 100644 ---- a/src/utils/crc32.c -+++ b/src/utils/crc32.c -@@ -72,7 +72,7 @@ static const u32 crc32_table[256] = { - }; - - --u32 crc32(const u8 *frame, size_t frame_len) -+u32 ieee80211_crc32(const u8 *frame, size_t frame_len) - { - size_t i; - u32 crc; -diff --git a/src/utils/crc32.h b/src/utils/crc32.h -index dc31399be..71a19dc5f 100644 ---- a/src/utils/crc32.h -+++ b/src/utils/crc32.h -@@ -9,6 +9,6 @@ - #ifndef CRC32_H - #define CRC32_H - --u32 crc32(const u8 *frame, size_t frame_len); -+u32 ieee80211_crc32(const u8 *frame, size_t frame_len); - - #endif /* CRC32_H */ --- -2.37.1 - diff --git b/package/wpa_supplicant/0003-Include-HMAC-SHA384-512-KDF-for-SAE-if-SHA384-512-is.patch a/package/wpa_supplicant/0003-Include-HMAC-SHA384-512-KDF-for-SAE-if-SHA384-512-is.patch deleted file mode 100644 index 98df56e540..0000000000 --- b/package/wpa_supplicant/0003-Include-HMAC-SHA384-512-KDF-for-SAE-if-SHA384-512-is.patch +++ /dev/null 
@@ -1,64 +0,0 @@ -From c7f71fb8679c4cdd2607dbaac467a1d5efe9f0f9 Mon Sep 17 00:00:00 2001 -From: Jouni Malinen -Date: Sun, 17 Apr 2022 12:28:41 +0300 -Subject: [PATCH] Include HMAC-SHA384/512 KDF for SAE if SHA384/512 is included - -It was possible to miss the HMAC functions if some other build -configuration parameters ended up setting NEED_SHA384/512=y. - -Upstream: https://w1.fi/cgit/hostap/commit/?id=c7f71fb8679c4cdd2607dbaac467a1d5efe9f0f9 - -Signed-off-by: Jouni Malinen -Signed-off-by: Sergey Matyukevich ---- - wpa_supplicant/Android.mk | 11 +++++++++++ - wpa_supplicant/Makefile | 11 +++++++++++ - 2 files changed, 22 insertions(+) - -diff --git a/wpa_supplicant/Android.mk b/wpa_supplicant/Android.mk -index 0e0ce467c..bcdbd6c90 100644 ---- a/wpa_supplicant/Android.mk -+++ b/wpa_supplicant/Android.mk -@@ -1361,6 +1361,17 @@ endif - endif - endif - -+ifdef CONFIG_SAE -+ifdef NEED_SHA384 -+# Need to add HMAC-SHA384 KDF as well, if SHA384 was enabled. -+NEED_HMAC_SHA384_KDF=y -+endif -+ifdef NEED_SHA512 -+# Need to add HMAC-SHA512 KDF as well, if SHA512 was enabled. -+NEED_HMAC_SHA512_KDF=y -+endif -+endif -+ - SHA256OBJS = # none by default - L_CFLAGS += -DCONFIG_SHA256 - ifneq ($(CONFIG_TLS), openssl) -diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile -index ed49aa972..69c80121c 100644 ---- a/wpa_supplicant/Makefile -+++ b/wpa_supplicant/Makefile -@@ -1475,6 +1475,17 @@ endif - endif - endif - -+ifdef CONFIG_SAE -+ifdef NEED_SHA384 -+# Need to add HMAC-SHA384 KDF as well, if SHA384 was enabled. -+NEED_HMAC_SHA384_KDF=y -+endif -+ifdef NEED_SHA512 -+# Need to add HMAC-SHA512 KDF as well, if SHA512 was enabled. -+NEED_HMAC_SHA512_KDF=y -+endif -+endif -+ - SHA256OBJS = # none by default - CFLAGS += -DCONFIG_SHA256 - ifneq ($(CONFIG_TLS), openssl) --- -2.39.2 - 
diff --git b/package/wpa_supplicant/0003-Include-stdbool.h-to-allow-C99-bool-to-be-used.patch a/package/wpa_supplicant/0003-Include-stdbool.h-to-allow-C99-bool-to-be-used.patch
new file mode 100644
index 0000000000..e52dbdb694
--- /dev/null
+++ a/package/wpa_supplicant/0003-Include-stdbool.h-to-allow-C99-bool-to-be-used.patch
@@ -0,0 +1,32 @@
+From 99cf89555313056d3a8fa54b21d02dc880b363e1 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen
+Date: Mon, 20 Apr 2020 20:29:31 +0300
+Subject: [PATCH] Include stdbool.h to allow C99 bool to be used
+
+We have practically started requiring some C99 features, so might as
+well finally go ahead and bring in the C99 bool as well.
+
+Signed-off-by: Jouni Malinen
+[geomatsi@gmail.com: backport from upstream]
+Signed-off-by: Sergey Matyukevich
+[yann.morin.1998@free.fr: keep upstream sha1 in header, drop numbering]
+Signed-off-by: Yann E. MORIN
+---
+ src/utils/includes.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/utils/includes.h b/src/utils/includes.h
+index 75513fc8c..741fc9c14 100644
+--- a/src/utils/includes.h
++++ b/src/utils/includes.h
+@@ -18,6 +18,7 @@
+ 
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+-- 
+2.25.1
+
diff --git b/package/wpa_supplicant/0004-ASN.1-Add-helper-functions-for-recognizing-tag-value.patch a/package/wpa_supplicant/0004-ASN.1-Add-helper-functions-for-recognizing-tag-value.patch
new file mode 100644
index 0000000000..a5415e7daf
--- /dev/null
+++ a/package/wpa_supplicant/0004-ASN.1-Add-helper-functions-for-recognizing-tag-value.patch
@@ -0,0 +1,37 @@
+From 9a990e8c4eb92dd64e0ec483599820e45c35ac23 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen
+Date: Sat, 13 Mar 2021 23:14:23 +0200
+Subject: [PATCH] ASN.1: Add helper functions for recognizing tag values
+
+Signed-off-by: Jouni Malinen
+[geomatsi@gmail.com: backport asn1_is_null() from upstream 9a990e8c4eb9]
+Signed-off-by: Sergey Matyukevich
+[yann.morin.1998@free.fr:
+ - reformat, keep the upstream sha1 and title,
+ - drop numbering
+]
+Signed-off-by: Yann E. MORIN
+---
+ src/tls/asn1.h | 102 +++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 102 insertions(+)
+
+diff --git a/src/tls/asn1.h b/src/tls/asn1.h
+index de3430adb..a4d1be473 100644
+--- a/src/tls/asn1.h
++++ b/src/tls/asn1.h
+@@ -66,6 +66,12 @@ struct wpabuf * asn1_build_alg_id(const struct asn1_oid *oid,
+ unsigned long asn1_bit_string_to_long(const u8 *buf, size_t len);
+ int asn1_oid_equal(const struct asn1_oid *a, const struct asn1_oid *b);
+
++static inline bool asn1_is_null(const struct asn1_hdr *hdr)
++{
++ return hdr->class == ASN1_CLASS_UNIVERSAL &&
++ hdr->tag == ASN1_TAG_NULL;
++}
++
+ extern struct asn1_oid asn1_sha1_oid;
+ extern struct asn1_oid asn1_sha256_oid;
+
+-- 
+2.25.1
+
diff --git b/package/wpa_supplicant/Config.in a/package/wpa_supplicant/Config.in
index 92953f69f0..8f095cdf2d 100644
--- b/package/wpa_supplicant/Config.in
+++ a/package/wpa_supplicant/Config.in
@@ -41,21 +41,12 @@ config BR2_PACKAGE_WPA_SUPPLICANT_WEXT config BR2_PACKAGE_WPA_SUPPLICANT_WIRED bool "Enable wired support" - depends on BR2_TOOLCHAIN_HAS_THREADS # libnl - depends on BR2_TOOLCHAIN_HEADERS_AT_LEAST_4_6 - select BR2_PACKAGE_LIBNL select BR2_PACKAGE_WPA_SUPPLICANT_EAP help Include the "wired" driver, so the internal IEEE 802.1x supplicant can be used with Ethernet. This also enables support for MACSEC. -comment "wired macsec support needs a toolchain w/ headers >= 4.6" - depends on !BR2_TOOLCHAIN_HEADERS_AT_LEAST_4_6 - -comment "wired support needs a toolchain w/ threads" - depends on !BR2_TOOLCHAIN_HAS_THREADS - comment "wpa_supplicant will be useless without at least one driver" depends on !BR2_PACKAGE_WPA_SUPPLICANT_NL80211 && \ !BR2_PACKAGE_WPA_SUPPLICANT_WEXT && \ @@ -93,13 +84,6 @@ config BR2_PACKAGE_WPA_SUPPLICANT_MESH_NETWORKING Enable support for open and secured mesh networking (IEEE 802.11s) -config BR2_PACKAGE_WPA_SUPPLICANT_OVERRIDES - bool "Enable HT/VHT/HE overrides" - help - Enable wpa_supplicant overrides for HT, VHT and HE (disable - HT/HT40, mask MCS rates, etc.) in wpa_supplicant - configuration file. - config BR2_PACKAGE_WPA_SUPPLICANT_AUTOSCAN bool "Enable autoscan" help diff --git b/package/wpa_supplicant/ifupdown.sh a/package/wpa_supplicant/ifupdown.sh deleted file mode 100755 index 569344b683..0000000000 --- b/package/wpa_supplicant/ifupdown.sh +++ /dev/null 
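Review bot: The `BR2_PACKAGE_WPA_SUPPLICANT_OVERRIDES` symbol is removed from Config.in in the second hunk without a matching entry in Config.in.legacy, at least within the diff as shown, so an existing .config that still sets it is silently ignored instead of being flagged at configure time. Buildroot's convention for a dropped option is a legacy entry that selects `BR2_LEGACY` and explains what replaced it. The same question applies to `BR2_PACKAGE_WPA_SUPPLICANT_CTRL_IFACE`, whose handling disappears from wpa_supplicant.mk in this commit while its Config.in definition is outside the hunks shown; if the symbol stays but no longer does anything, it needs either a legacy entry or help text saying the control interface is now always on.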
@@ -1,49 +0,0 @@ -#!/bin/sh - -# This file is executed by ifupdown in pre-up, post-up, pre-down and -# post-down phases of network interface configuration. - -WPA_SUP_BIN="/usr/sbin/wpa_supplicant" - -# run this script only for interfaces which have wpa-conf option -[ -z "$IF_WPA_CONF" ] && exit 0 - -# Allow wpa_supplicant interface to be specified via wpa-iface -# useful for starting wpa_supplicant on one interface of a bridge -if [ -n "$IF_WPA_IFACE" ]; then - WPA_IFACE="$IF_WPA_IFACE" -else - WPA_IFACE="$IFACE" -fi - -WPA_SUP_PIDFILE="/run/wpa_supplicant.${WPA_IFACE}.pid" - -do_start () { - if [ ! -s "$IF_WPA_CONF" ]; then - echo "cannot read contents of $IF_WPA_CONF" - exit 1 - fi - WPA_SUP_CONF="-c $IF_WPA_CONF" -} - -case "$MODE" in - start) - do_start - case "$PHASE" in - post-up) - start-stop-daemon -S -q -x ${WPA_SUP_BIN} \ - -- -B -i ${WPA_IFACE} ${WPA_SUP_CONF} -P ${WPA_SUP_PIDFILE} - ;; - esac - ;; - - stop) - case "$PHASE" in - pre-down) - start-stop-daemon -K -p ${WPA_SUP_PIDFILE} - ;; - esac - ;; -esac - -exit 0 diff --git b/package/wpa_supplicant/wpa_supplicant.conf a/package/wpa_supplicant/wpa_supplicant.conf index 20e9f7f842..1994a6c739 100644 --- b/package/wpa_supplicant/wpa_supplicant.conf +++ a/package/wpa_supplicant/wpa_supplicant.conf @@ -1,4 +1,4 @@ -#ctrl_interface=/var/run/wpa_supplicant +ctrl_interface=/var/run/wpa_supplicant ap_scan=1 network={ diff --git b/package/wpa_supplicant/wpa_supplicant.hash a/package/wpa_supplicant/wpa_supplicant.hash index fcaee0a30b..2387391a3c 100644 --- b/package/wpa_supplicant/wpa_supplicant.hash +++ a/package/wpa_supplicant/wpa_supplicant.hash 
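Review bot: Uncommenting `ctrl_interface=/var/run/wpa_supplicant` turns the control socket on for every target image unconditionally, whereas previously it was only enabled by the sed in `WPA_SUPPLICANT_ENABLE_CTRL_IFACE`, which the `@@ -180,14 +175,8 @@` hunk of wpa_supplicant.mk removes. Any local process that can open that directory can then reconfigure the supplicant (add networks, change credentials, trigger scans), so exposing it by default deserves a sentence in the commit message and in the option help text. If it is meant to be always available, the restricted form `ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel` (group name as appropriate for the target) limits access to a named group rather than to whatever mode the directory ends up with; if it is not, keep the option-gated sed and leave the line commented out.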
@@ -1,3 +1,5 @@ # Locally calculated -sha256 20df7ae5154b3830355f8ab4269123a87affdea59fe74fe9292a91d0d7e17b2f wpa_supplicant-2.10.tar.gz -sha256 af01e1d1ee065a1054d20ebe8a78a016f1fb1133b73e6a9d50801b165bb280c7 README +sha256 fcbdee7b4a64bea8177973299c8c824419c413ec2e3a95db63dd6a5dc3541f17 wpa_supplicant-2.9.tar.gz +sha256 9da5dd0776da266b180b915e460ff75c6ff729aca1196ab396529510f24f3761 README +sha256 c4d65cc13863e0237d0644198558e2c47b4ed91e2b2be4516ff590724187c4a5 0001-P2P-Fix-copying-of-secondary-device-types-for-P2P-gr.patch +sha256 7f40cfec5faf5e927ea9028ab9392cd118685bde7229ad24210caf0a8f6e9611 0001-P2P-Fix-a-corner-case-in-peer-addition-based-on-PD-R.patch diff --git b/package/wpa_supplicant/wpa_supplicant.mk a/package/wpa_supplicant/wpa_supplicant.mk index 42c6f772ac..3c0b0c1dfc 100644 --- b/package/wpa_supplicant/wpa_supplicant.mk +++ a/package/wpa_supplicant/wpa_supplicant.mk @@ -4,8 +4,11 @@ # ################################################################################ -WPA_SUPPLICANT_VERSION = 2.10 +WPA_SUPPLICANT_VERSION = 2.9 WPA_SUPPLICANT_SITE = http://w1.fi/releases +WPA_SUPPLICANT_PATCH = \ + https://w1.fi/security/2020-2/0001-P2P-Fix-copying-of-secondary-device-types-for-P2P-gr.patch \ + https://w1.fi/security/2021-1/0001-P2P-Fix-a-corner-case-in-peer-addition-based-on-PD-R.patch WPA_SUPPLICANT_LICENSE = BSD-3-Clause WPA_SUPPLICANT_LICENSE_FILES = README WPA_SUPPLICANT_CPE_ID_VENDOR = w1.fi 
@@ -13,8 +16,18 @@ WPA_SUPPLICANT_CONFIG = $(WPA_SUPPLICANT_DIR)/wpa_supplicant/.config WPA_SUPPLICANT_SUBDIR = wpa_supplicant WPA_SUPPLICANT_DBUS_SERVICE = fi.w1.wpa_supplicant1 WPA_SUPPLICANT_CFLAGS = $(TARGET_CFLAGS) -I$(STAGING_DIR)/usr/include/libnl3/ +WPA_SUPPLICANT_LDFLAGS = $(TARGET_LDFLAGS) WPA_SUPPLICANT_SELINUX_MODULES = networkmanager +# 0001-AP-Silently-ignore-management-frame-from-unexpected-.patch +WPA_SUPPLICANT_IGNORE_CVES += CVE-2019-16275 + +# 0001-P2P-Fix-a-corner-case-in-peer-addition-based-on-PD-R.patch +WPA_SUPPLICANT_IGNORE_CVES += CVE-2021-27803 + +# 0002-ASN.1-Validate-DigestAlgorithmIdentifier-parameters.patch +WPA_SUPPLICANT_IGNORE_CVES += CVE-2021-30004 + # install the wpa_client library WPA_SUPPLICANT_INSTALL_STAGING = YES @@ -62,18 +75,11 @@ WPA_SUPPLICANT_CONFIG_DISABLE += \ CONFIG_FILS endif -ifeq ($(BR2_PACKAGE_WPA_SUPPLICANT_WIRED),y) -WPA_SUPPLICANT_DEPENDENCIES += host-pkgconf libnl -WPA_SUPPLICANT_CONFIG_ENABLE += \ - CONFIG_LIBNL32 \ - CONFIG_DRIVER_WIRED \ - CONFIG_MACSEC \ - CONFIG_DRIVER_MACSEC_LINUX -else +ifeq ($(BR2_PACKAGE_WPA_SUPPLICANT_WIRED),) WPA_SUPPLICANT_CONFIG_DISABLE += \ CONFIG_DRIVER_WIRED \ CONFIG_MACSEC \ - CONFIG_DRIVER_MACSEC_LINUX + CONFIG_DRIVER_MACSEC endif ifeq ($(BR2_PACKAGE_WPA_SUPPLICANT_HOTSPOT),) @@ -104,18 +110,6 @@ else WPA_SUPPLICANT_CONFIG_DISABLE += CONFIG_MESH endif -ifeq ($(BR2_PACKAGE_WPA_SUPPLICANT_OVERRIDES),y) -WPA_SUPPLICANT_CONFIG_ENABLE += \ - CONFIG_HT_OVERRIDES \ - CONFIG_VHT_OVERRIDES \ - CONFIG_HE_OVERRIDES -else -WPA_SUPPLICANT_CONFIG_DISABLE += \ - CONFIG_HT_OVERRIDES \ - CONFIG_VHT_OVERRIDES \ - CONFIG_HE_OVERRIDES -endif - ifeq ($(BR2_PACKAGE_WPA_SUPPLICANT_AUTOSCAN),y) WPA_SUPPLICANT_CONFIG_ENABLE += \ CONFIG_AUTOSCAN_EXPONENTIAL \ 
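Review bot: The `WPA_SUPPLICANT_IGNORE_CVES` additions cover three of the four security patches but not `0001-P2P-Fix-copying-of-secondary-device-types-for-P2P-gr.patch`, which the `@@ -4,8 +4,11 @@` hunk downloads from w1.fi/security/2020-2 and the .hash file verifies. Whatever advisory that patch fixes will therefore keep being reported against 2.9 by the CVE checker even though it is applied; add a `WPA_SUPPLICANT_IGNORE_CVES += <CVE id of the 2020-2 advisory>` line with the same one-line patch-name comment as its neighbours. More broadly, going from 2.10 back to 2.9 reintroduces every other fix that shipped in 2.10 and is not in this patch set; that cannot be judged from the hunk, but the commit message should say why the downgrade is acceptable and which CVE list was used to pick these four patches.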
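Review bot: With `BR2_PACKAGE_WPA_SUPPLICANT_WIRED=y` the `@@ -62,18 +75,11 @@` hunk no longer adds anything to `WPA_SUPPLICANT_CONFIG_ENABLE`, so `CONFIG_MACSEC` and `CONFIG_DRIVER_MACSEC` are only ever disabled, never enabled, and the libnl dependency MACSEC needed is gone from both this file and Config.in. Unless the 2.9 defconfig already enables CONFIG_MACSEC, the Config.in help text kept as context in the `@@ -41,21 +41,12 @@` hunk, "This also enables support for MACSEC.", is now inaccurate and should be reworded, or the enable list restored with at least `WPA_SUPPLICANT_CONFIG_ENABLE += CONFIG_DRIVER_WIRED`. The disabled symbol also changes spelling from `CONFIG_DRIVER_MACSEC_LINUX` to `CONFIG_DRIVER_MACSEC`; since the sed in `WPA_SUPPLICANT_CONFIGURE_CMDS` only comments out lines that already exist in defconfig, that rename only has an effect if the 2.9 defconfig uses the new spelling, which is worth confirming.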
@@ -130,13 +124,11 @@ ifeq ($(BR2_PACKAGE_WPA_SUPPLICANT_WPA3),y) WPA_SUPPLICANT_CONFIG_ENABLE += \ CONFIG_DPP \ CONFIG_SAE \ - CONFIG_SAE_PK \ CONFIG_OWE else WPA_SUPPLICANT_CONFIG_DISABLE += \ CONFIG_DPP \ CONFIG_SAE \ - CONFIG_SAE_PK \ CONFIG_OWE endif @@ -156,6 +148,9 @@ endif ifeq ($(BR2_PACKAGE_WPA_SUPPLICANT_DBUS),y) WPA_SUPPLICANT_DEPENDENCIES += host-pkgconf dbus +WPA_SUPPLICANT_MAKE_ENV = \ + PKG_CONFIG_SYSROOT_DIR="$(STAGING_DIR)" \ + PKG_CONFIG_PATH="$(STAGING_DIR)/usr/lib/pkgconfig" WPA_SUPPLICANT_CONFIG_ENABLE += CONFIG_CTRL_IFACE_DBUS_NEW define WPA_SUPPLICANT_INSTALL_DBUS_NEW $(INSTALL) -m 0644 -D \ @@ -180,14 +175,8 @@ WPA_SUPPLICANT_DEPENDENCIES += readline WPA_SUPPLICANT_CONFIG_ENABLE += CONFIG_READLINE endif -ifeq ($(BR2_PACKAGE_WPA_SUPPLICANT_CTRL_IFACE),y) -define WPA_SUPPLICANT_ENABLE_CTRL_IFACE - sed -i '/ctrl_interface/s/^#//g' $(TARGET_DIR)/etc/wpa_supplicant.conf -endef -endif - ifeq ($(BR2_PACKAGE_WPA_SUPPLICANT_WPA_CLIENT_SO),y) -WPA_SUPPLICANT_CONFIG_ENABLE += CONFIG_BUILD_WPA_CLIENT_SO +WPA_SUPPLICANT_CONFIG_SET += CONFIG_BUILD_WPA_CLIENT_SO define WPA_SUPPLICANT_INSTALL_WPA_CLIENT_SO $(INSTALL) -m 0644 -D $(@D)/$(WPA_SUPPLICANT_SUBDIR)/libwpa_client.so \ $(TARGET_DIR)/usr/lib/libwpa_client.so @@ -206,14 +195,9 @@ define WPA_SUPPLICANT_CONFIGURE_CMDS cp $(@D)/wpa_supplicant/defconfig $(WPA_SUPPLICANT_CONFIG) sed -i $(patsubst %,-e 's/^#\(%\)/\1/',$(WPA_SUPPLICANT_CONFIG_ENABLE)) \ $(patsubst %,-e 's/^\(%\)/#\1/',$(WPA_SUPPLICANT_CONFIG_DISABLE)) \ + $(patsubst %,-e '1i%=y',$(WPA_SUPPLICANT_CONFIG_SET)) \ $(patsubst %,-e %,$(WPA_SUPPLICANT_CONFIG_EDITS)) \ $(WPA_SUPPLICANT_CONFIG) - # set requested configuration options not listed in wpa_s defconfig - for s in $(WPA_SUPPLICANT_CONFIG_ENABLE) ; do \ - if ! grep -q "^$${s}" $(WPA_SUPPLICANT_CONFIG); then \ - echo "$${s}=y" >> $(WPA_SUPPLICANT_CONFIG) ; \ - fi \ - done endef # LIBS for wpa_supplicant, LIBS_c for wpa_cli, LIBS_p for wpa_passphrase 
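Review bot: Removing the `for s in $(WPA_SUPPLICANT_CONFIG_ENABLE)` loop in the `@@ -206,14 +195,9 @@` hunk means an enable entry with no `#CONFIG_FOO` line in the 2.9 defconfig is now silently dropped rather than appended as `CONFIG_FOO=y`; only the new `WPA_SUPPLICANT_CONFIG_SET` list, which currently holds just `CONFIG_BUILD_WPA_CLIENT_SO`, gets the unconditional `1i` insertion. Every symbol added to the enable lists elsewhere in this file therefore has to be checked against the 2.9 defconfig by hand, and a missing one produces a build with the feature quietly absent rather than an error. A comment on the new variable would make the split explicit for the next maintainer, e.g. `# Symbols absent from wpa_supplicant/defconfig: inserted verbatim as NAME=y, not toggled by sed`.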
@@ -252,16 +236,6 @@ define WPA_SUPPLICANT_INSTALL_STAGING_CMDS $(WPA_SUPPLICANT_INSTALL_STAGING_WPA_CLIENT_SO) endef -ifeq ($(BR2_PACKAGE_IFUPDOWN_SCRIPTS),y) -define WPA_SUPPLICANT_INSTALL_IFUP_SCRIPTS - $(INSTALL) -m 0755 -D package/wpa_supplicant/ifupdown.sh \ - $(TARGET_DIR)/etc/network/if-up.d/wpasupplicant - mkdir -p $(TARGET_DIR)/etc/network/if-down.d - ln -sf ../if-up.d/wpasupplicant \ - $(TARGET_DIR)/etc/network/if-down.d/wpasupplicant -endef -endif - define WPA_SUPPLICANT_INSTALL_TARGET_CMDS $(INSTALL) -m 0755 -D $(@D)/$(WPA_SUPPLICANT_SUBDIR)/wpa_supplicant \ $(TARGET_DIR)/usr/sbin/wpa_supplicant @@ -271,8 +245,6 @@ define WPA_SUPPLICANT_INSTALL_TARGET_CMDS $(WPA_SUPPLICANT_INSTALL_PASSPHRASE) $(WPA_SUPPLICANT_INSTALL_DBUS) $(WPA_SUPPLICANT_INSTALL_WPA_CLIENT_SO) - $(WPA_SUPPLICANT_INSTALL_IFUP_SCRIPTS) - $(WPA_SUPPLICANT_ENABLE_CTRL_IFACE) endef define WPA_SUPPLICANT_INSTALL_INIT_SYSTEMD