From 54d65e2d50a83335dd3e218385d4f1bacd91c296 Mon Sep 17 00:00:00 2001
From: cfconrad <>
Date: Jan 26 2022 20:34:29 +0000
Subject: Update wpa_supplicant to version 2.10 / rev 90 via SR 948420
https://build.opensuse.org/request/show/948420
by user cfconrad + dimstar_suse
---
diff --git a/.files b/.files
index 01e8ce4..a2c6f63 100644
Binary files a/.files and b/.files differ
diff --git a/.rev b/.rev
index 0272720..de1f1b3 100644
--- a/.rev
+++ b/.rev
@@ -730,4 +730,12 @@
<comment></comment>
<requestid>945257</requestid>
</revision>
+ <revision rev="90" vrev="1">
+ <srcmd5>a7e5dea8106dcd98e94600828ef4d600</srcmd5>
+ <version>2.10</version>
+ <time>1643228799</time>
+ <user>dimstar_suse</user>
+ <comment></comment>
+ <requestid>948420</requestid>
+ </revision>
</revisionlist>
diff --git a/CVE-2019-16275.patch b/CVE-2019-16275.patch
deleted file mode 100644
index d764a9d..0000000
--- a/CVE-2019-16275.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From 8c07fa9eda13e835f3f968b2e1c9a8be3a851ff9 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Thu, 29 Aug 2019 11:52:04 +0300
-Subject: [PATCH] AP: Silently ignore management frame from unexpected source
- address
-
-Do not process any received Management frames with unexpected/invalid SA
-so that we do not add any state for unexpected STA addresses or end up
-sending out frames to unexpected destination. This prevents unexpected
-sequences where an unprotected frame might end up causing the AP to send
-out a response to another device and that other device processing the
-unexpected response.
-
-In particular, this prevents some potential denial of service cases
-where the unexpected response frame from the AP might result in a
-connected station dropping its association.
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- src/ap/drv_callbacks.c | 13 +++++++++++++
- src/ap/ieee802_11.c | 12 ++++++++++++
- 2 files changed, 25 insertions(+)
-
-diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c
-index 31587685fe3b..34ca379edc3d 100644
---- a/src/ap/drv_callbacks.c
-+++ b/src/ap/drv_callbacks.c
-@@ -131,6 +131,19 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr,
- "hostapd_notif_assoc: Skip event with no address");
- return -1;
- }
-+
-+ if (is_multicast_ether_addr(addr) ||
-+ is_zero_ether_addr(addr) ||
-+ os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) {
-+ /* Do not process any frames with unexpected/invalid SA so that
-+ * we do not add any state for unexpected STA addresses or end
-+ * up sending out frames to unexpected destination. */
-+ wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR
-+ " in received indication - ignore this indication silently",
-+ __func__, MAC2STR(addr));
-+ return 0;
-+ }
-+
- random_add_randomness(addr, ETH_ALEN);
-
- hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211,
-diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
-index c85a28db44b7..e7065372e158 100644
---- a/src/ap/ieee802_11.c
-+++ b/src/ap/ieee802_11.c
-@@ -4626,6 +4626,18 @@ int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
- fc = le_to_host16(mgmt->frame_control);
- stype = WLAN_FC_GET_STYPE(fc);
-
-+ if (is_multicast_ether_addr(mgmt->sa) ||
-+ is_zero_ether_addr(mgmt->sa) ||
-+ os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
-+ /* Do not process any frames with unexpected/invalid SA so that
-+ * we do not add any state for unexpected STA addresses or end
-+ * up sending out frames to unexpected destination. */
-+ wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR
-+ " in received frame - ignore this frame silently",
-+ MAC2STR(mgmt->sa));
-+ return 0;
-+ }
-+
- if (stype == WLAN_FC_STYPE_BEACON) {
- handle_beacon(hapd, mgmt, len, fi);
- return 1;
---
-2.20.1
-
diff --git a/CVE-2021-0326.patch b/CVE-2021-0326.patch
deleted file mode 100644
index 4657b55..0000000
--- a/CVE-2021-0326.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 947272febe24a8f0ea828b5b2f35f13c3821901e Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <jouni@codeaurora.org>
-Date: Mon, 9 Nov 2020 11:43:12 +0200
-Subject: [PATCH] P2P: Fix copying of secondary device types for P2P group
- client
-
-Parsing and copying of WPS secondary device types list was verifying
-that the contents is not too long for the internal maximum in the case
-of WPS messages, but similar validation was missing from the case of P2P
-group information which encodes this information in a different
-attribute. This could result in writing beyond the memory area assigned
-for these entries and corrupting memory within an instance of struct
-p2p_device. This could result in invalid operations and unexpected
-behavior when trying to free pointers from that corrupted memory.
-
-Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27269
-Fixes: e57ae6e19edf ("P2P: Keep track of secondary device types for peers")
-Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
----
- src/p2p/p2p.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c
-index 74b7b52ae05c..5cbfc217fc1f 100644
---- a/src/p2p/p2p.c
-+++ b/src/p2p/p2p.c
-@@ -453,6 +453,8 @@ static void p2p_copy_client_info(struct p2p_device *dev,
- dev->info.config_methods = cli->config_methods;
- os_memcpy(dev->info.pri_dev_type, cli->pri_dev_type, 8);
- dev->info.wps_sec_dev_type_list_len = 8 * cli->num_sec_dev_types;
-+ if (dev->info.wps_sec_dev_type_list_len > WPS_SEC_DEV_TYPE_MAX_LEN)
-+ dev->info.wps_sec_dev_type_list_len = WPS_SEC_DEV_TYPE_MAX_LEN;
- os_memcpy(dev->info.wps_sec_dev_type_list, cli->sec_dev_types,
- dev->info.wps_sec_dev_type_list_len);
- }
---
-2.25.1
-
diff --git a/CVE-2021-27803.patch b/CVE-2021-27803.patch
deleted file mode 100644
index 1942bb3..0000000
--- a/CVE-2021-27803.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 8460e3230988ef2ec13ce6b69b687e941f6cdb32 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <jouni@codeaurora.org>
-Date: Tue, 8 Dec 2020 23:52:50 +0200
-Subject: [PATCH] P2P: Fix a corner case in peer addition based on PD Request
-
-p2p_add_device() may remove the oldest entry if there is no room in the
-peer table for a new peer. This would result in any pointer to that
-removed entry becoming stale. A corner case with an invalid PD Request
-frame could result in such a case ending up using (read+write) freed
-memory. This could only by triggered when the peer table has reached its
-maximum size and the PD Request frame is received from the P2P Device
-Address of the oldest remaining entry and the frame has incorrect P2P
-Device Address in the payload.
-
-Fix this by fetching the dev pointer again after having called
-p2p_add_device() so that the stale pointer cannot be used.
-
-Fixes: 17bef1e97a50 ("P2P: Add peer entry based on Provision Discovery Request")
-Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
----
- src/p2p/p2p_pd.c | 12 +++++-------
- 1 file changed, 5 insertions(+), 7 deletions(-)
-
-diff --git a/src/p2p/p2p_pd.c b/src/p2p/p2p_pd.c
-index 3994ec03f86b..05fd593494ef 100644
---- a/src/p2p/p2p_pd.c
-+++ b/src/p2p/p2p_pd.c
-@@ -595,14 +595,12 @@ void p2p_process_prov_disc_req(struct p2p_data *p2p, const u8 *sa,
- goto out;
- }
-
-+ dev = p2p_get_device(p2p, sa);
- if (!dev) {
-- dev = p2p_get_device(p2p, sa);
-- if (!dev) {
-- p2p_dbg(p2p,
-- "Provision Discovery device not found "
-- MACSTR, MAC2STR(sa));
-- goto out;
-- }
-+ p2p_dbg(p2p,
-+ "Provision Discovery device not found "
-+ MACSTR, MAC2STR(sa));
-+ goto out;
- }
- } else if (msg.wfd_subelems) {
- wpabuf_free(dev->info.wfd_subelems);
---
-2.25.1
-
diff --git a/CVE-2021-30004.patch b/CVE-2021-30004.patch
deleted file mode 100644
index 8c8ba93..0000000
--- a/CVE-2021-30004.patch
+++ /dev/null
@@ -1,115 +0,0 @@
-From a0541334a6394f8237a4393b7372693cd7e96f15 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Sat, 13 Mar 2021 18:19:31 +0200
-Subject: ASN.1: Validate DigestAlgorithmIdentifier parameters
-
-The supported hash algorithms do not use AlgorithmIdentifier parameters.
-However, there are implementations that include NULL parameters in
-addition to ones that omit the parameters. Previous implementation did
-not check the parameters value at all which supported both these cases,
-but did not reject any other unexpected information.
-
-Use strict validation of digest algorithm parameters and reject any
-unexpected value when validating a signature. This is needed to prevent
-potential forging attacks.
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- src/tls/pkcs1.c | 21 +++++++++++++++++++++
- src/tls/x509v3.c | 20 ++++++++++++++++++++
- 2 files changed, 41 insertions(+)
-
-diff --git a/src/tls/pkcs1.c b/src/tls/pkcs1.c
-index bbdb0d7..5761dfe 100644
---- a/src/tls/pkcs1.c
-+++ b/src/tls/pkcs1.c
-@@ -244,6 +244,8 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
- os_free(decrypted);
- return -1;
- }
-+ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: DigestInfo",
-+ hdr.payload, hdr.length);
-
- pos = hdr.payload;
- end = pos + hdr.length;
-@@ -265,6 +267,8 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
- os_free(decrypted);
- return -1;
- }
-+ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: DigestAlgorithmIdentifier",
-+ hdr.payload, hdr.length);
- da_end = hdr.payload + hdr.length;
-
- if (asn1_get_oid(hdr.payload, hdr.length, &oid, &next)) {
-@@ -273,6 +277,23 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
- os_free(decrypted);
- return -1;
- }
-+ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: Digest algorithm parameters",
-+ next, da_end - next);
-+
-+ /*
-+ * RFC 5754: The correct encoding for the SHA2 algorithms would be to
-+ * omit the parameters, but there are implementation that encode these
-+ * as a NULL element. Allow these two cases and reject anything else.
-+ */
-+ if (da_end > next &&
-+ (asn1_get_next(next, da_end - next, &hdr) < 0 ||
-+ !asn1_is_null(&hdr) ||
-+ hdr.payload + hdr.length != da_end)) {
-+ wpa_printf(MSG_DEBUG,
-+ "PKCS #1: Unexpected digest algorithm parameters");
-+ os_free(decrypted);
-+ return -1;
-+ }
-
- if (!asn1_oid_equal(&oid, hash_alg)) {
- char txt[100], txt2[100];
-diff --git a/src/tls/x509v3.c b/src/tls/x509v3.c
-index a8944dd..df337ec 100644
---- a/src/tls/x509v3.c
-+++ b/src/tls/x509v3.c
-@@ -1964,6 +1964,7 @@ int x509_check_signature(struct x509_certificate *issuer,
- os_free(data);
- return -1;
- }
-+ wpa_hexdump(MSG_MSGDUMP, "X509: DigestInfo", hdr.payload, hdr.length);
-
- pos = hdr.payload;
- end = pos + hdr.length;
-@@ -1985,6 +1986,8 @@ int x509_check_signature(struct x509_certificate *issuer,
- os_free(data);
- return -1;
- }
-+ wpa_hexdump(MSG_MSGDUMP, "X509: DigestAlgorithmIdentifier",
-+ hdr.payload, hdr.length);
- da_end = hdr.payload + hdr.length;
-
- if (asn1_get_oid(hdr.payload, hdr.length, &oid, &next)) {
-@@ -1992,6 +1995,23 @@ int x509_check_signature(struct x509_certificate *issuer,
- os_free(data);
- return -1;
- }
-+ wpa_hexdump(MSG_MSGDUMP, "X509: Digest algorithm parameters",
-+ next, da_end - next);
-+
-+ /*
-+ * RFC 5754: The correct encoding for the SHA2 algorithms would be to
-+ * omit the parameters, but there are implementation that encode these
-+ * as a NULL element. Allow these two cases and reject anything else.
-+ */
-+ if (da_end > next &&
-+ (asn1_get_next(next, da_end - next, &hdr) < 0 ||
-+ !asn1_is_null(&hdr) ||
-+ hdr.payload + hdr.length != da_end)) {
-+ wpa_printf(MSG_DEBUG,
-+ "X509: Unexpected digest algorithm parameters");
-+ os_free(data);
-+ return -1;
-+ }
-
- if (x509_sha1_oid(&oid)) {
- if (signature->oid.oid[6] != 5 /* sha-1WithRSAEncryption */) {
---
-cgit v0.12
-
diff --git a/config b/config
index 969da9b..a5a74e2 100644
--- a/config
+++ b/config
@@ -1,9 +1,9 @@
# Example wpa_supplicant build time configuration
#
# This file lists the configuration options that are used when building the
-# hostapd binary. All lines starting with # are ignored. Configuration option
-# lines must be commented out complete, if they are not to be included, i.e.,
-# just setting VARIABLE=n is not disabling that variable.
+# wpa_supplicant binary. All lines starting with # are ignored. Configuration
+# option lines must be commented out complete, if they are not to be included,
+# i.e., just setting VARIABLE=n is not disabling that variable.
#
# This file is included in Makefile, so variables like CFLAGS and LIBS can also
# be modified from here. In most cases, these lines should use += in order not
@@ -31,6 +31,9 @@ CONFIG_DRIVER_WEXT=y
# Driver interface for Linux drivers using the nl80211 kernel interface
CONFIG_DRIVER_NL80211=y
+# QCA vendor extensions to nl80211
+#CONFIG_DRIVER_NL80211_QCA=y
+
# driver_nl80211.c requires libnl. If you are compiling it yourself
# you may need to point hostapd to your version of libnl.
#
@@ -70,6 +73,12 @@ CONFIG_LIBNL32=y
# Driver interface for wired Ethernet drivers
CONFIG_DRIVER_WIRED=y
+# Driver interface for MACsec capable Qualcomm Atheros drivers
+#CONFIG_DRIVER_MACSEC_QCA=y
+
+# Driver interface for Linux MACsec drivers
+CONFIG_DRIVER_MACSEC_LINUX=y
+
# Driver interface for the Broadcom RoboSwitch family
#CONFIG_DRIVER_ROBOSWITCH=y
@@ -80,8 +89,8 @@ CONFIG_DRIVER_WIRED=y
#LIBS += -lsocket -ldlpi -lnsl
#LIBS_c += -lsocket
-# Enable IEEE 802.1X Supplicant (automatically included if any EAP method is
-# included)
+# Enable IEEE 802.1X Supplicant (automatically included if any EAP method or
+# MACsec is included)
CONFIG_IEEE8021X_EAPOL=y
# EAP-MD5
@@ -100,11 +109,18 @@ CONFIG_EAP_PEAP=y
CONFIG_EAP_TTLS=y
# EAP-FAST
-# Note: If OpenSSL is used as the TLS library, OpenSSL 1.0 or newer is needed
-# for EAP-FAST support. Older OpenSSL releases would need to be patched, e.g.,
-# with openssl-0.9.8x-tls-extensions.patch, to add the needed functions.
CONFIG_EAP_FAST=y
+# EAP-TEAP
+# Note: The current EAP-TEAP implementation is experimental and should not be
+# enabled for production use. The IETF RFC 7170 that defines EAP-TEAP has number
+# of conflicting statements and missing details and the implementation has
+# vendor specific workarounds for those and as such, may not interoperate with
+# any other implementation. This should not be used for anything else than
+# experimentation and interoperability testing until those issues has been
+# resolved.
+#CONFIG_EAP_TEAP=y
+
# EAP-GTC
CONFIG_EAP_GTC=y
@@ -114,6 +130,9 @@ CONFIG_EAP_OTP=y
# EAP-SIM (enable CONFIG_PCSC, if EAP-SIM is used)
#CONFIG_EAP_SIM=y
+# Enable SIM simulator (Milenage) for EAP-SIM
+#CONFIG_SIM_SIMULATOR=y
+
# EAP-PSK (experimental; this is _not_ needed for WPA-PSK)
#CONFIG_EAP_PSK=y
@@ -163,6 +182,9 @@ CONFIG_EAP_IKEV2=y
# EAP-EKE
#CONFIG_EAP_EKE=y
+# MACsec
+CONFIG_MACSEC=y
+
# PKCS#12 (PFX) support (used to read private key and certificate file from
# a file that usually has extension .p12 or .pfx)
CONFIG_PKCS12=y
@@ -223,7 +245,10 @@ CONFIG_CTRL_IFACE=y
# wpa_passphrase). This saves about 0.5 kB in code size.
#CONFIG_NO_WPA_PASSPHRASE=y
-# Disable scan result processing (ap_mode=1) to save code size by about 1 kB.
+# Simultaneous Authentication of Equals (SAE), WPA3-Personal
+CONFIG_SAE=y
+
+# Disable scan result processing (ap_scan=1) to save code size by about 1 kB.
# This can be used if ap_scan=1 mode is never enabled.
#CONFIG_NO_SCAN_PROCESSING=y
@@ -267,6 +292,9 @@ CONFIG_BACKEND=file
# Should we use epoll instead of select? Select is used by default.
#CONFIG_ELOOP_EPOLL=y
+# Should we use kqueue instead of select? Select is used by default.
+#CONFIG_ELOOP_KQUEUE=y
+
# Select layer 2 packet implementation
# linux = Linux packet socket (default)
# pcap = libpcap/libdnet/WinPcap
@@ -276,17 +304,20 @@ CONFIG_BACKEND=file
# none = Empty template
#CONFIG_L2_PACKET=linux
-# PeerKey handshake for Station to Station Link (IEEE 802.11e DLS)
-CONFIG_PEERKEY=y
+# Disable Linux packet socket workaround applicable for station interface
+# in a bridge for EAPOL frames. This should be uncommented only if the kernel
+# is known to not have the regression issue in packet socket behavior with
+# bridge interfaces (commit 'bridge: respect RFC2863 operational state')').
+#CONFIG_NO_LINUX_PACKET_SOCKET_WAR=y
-# IEEE 802.11w (management frame protection), also known as PMF
-# Driver support is also needed for IEEE 802.11w.
-CONFIG_IEEE80211W=y
+# Support Operating Channel Validation
+#CONFIG_OCV=y
# Select TLS implementation
# openssl = OpenSSL (default)
# gnutls = GnuTLS
# internal = Internal TLSv1 implementation (experimental)
+# linux = Linux kernel AF_ALG and internal TLSv1 implementation (experimental)
# none = Empty template
#CONFIG_TLS=openssl
@@ -304,6 +335,10 @@ CONFIG_IEEE80211W=y
# will be used)
#CONFIG_TLSV12=y
+# Select which ciphers to use by default with OpenSSL if the user does not
+# specify them.
+#CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW"
+
# If CONFIG_TLS=internal is used, additional library and include paths are
# needed for LibTomMath. Alternatively, an integrated, minimal version of
# LibTomMath can be used. See beginning of libtommath.c for details on benefits
@@ -331,7 +366,7 @@ CONFIG_IEEE80211W=y
CONFIG_CTRL_IFACE_DBUS=y
# Add support for new DBus control interface
-# (fi.w1.hostap.wpa_supplicant1)
+# (fi.w1.wpa_supplicant1)
CONFIG_CTRL_IFACE_DBUS_NEW=y
# Add introspection support for new DBus control interface
@@ -358,14 +393,14 @@ CONFIG_CTRL_IFACE_DBUS_INTRO=y
# amount of memory/flash.
#CONFIG_DYNAMIC_EAP_METHODS=y
-# IEEE Std 802.11r-2008 (Fast BSS Transition)
-#CONFIG_IEEE80211R=y
+# IEEE Std 802.11r-2008 (Fast BSS Transition) for station mode
+# CONFIG_IEEE80211R=y
# Add support for writing debug log to a file (/tmp/wpa_supplicant-log-#.txt)
CONFIG_DEBUG_FILE=y
# Send debug messages to syslog instead of stdout
-#CONFIG_DEBUG_SYSLOG=y
+# CONFIG_DEBUG_SYSLOG=y
# Set syslog facility for debug messages
#CONFIG_DEBUG_SYSLOG_FACILITY=LOG_DAEMON
@@ -435,11 +470,12 @@ CONFIG_DEBUG_FILE=y
# that meet the requirements described above.
CONFIG_NO_RANDOM_POOL=y
-# IEEE 802.11n (High Throughput) support (mainly for AP mode)
-CONFIG_IEEE80211N=y
+# Should we attempt to use the getrandom(2) call that provides more reliable
+# yet secure randomness source than /dev/random on Linux 3.17 and newer.
+# Requires glibc 2.25 to build, falls back to /dev/random if unavailable.
+#CONFIG_GETRANDOM=y
# IEEE 802.11ac (Very High Throughput) support (mainly for AP mode)
-# (depends on CONFIG_IEEE80211N)
CONFIG_IEEE80211AC=y
# Wireless Network Management (IEEE Std 802.11v-2011)
@@ -450,10 +486,13 @@ CONFIG_IEEE80211AC=y
# This can be used to enable functionality to improve interworking with
# external networks (GAS/ANQP to learn more about the networks and network
# selection based on available credentials).
-#CONFIG_INTERWORKING=y
+CONFIG_INTERWORKING=y
# Hotspot 2.0
-#CONFIG_HS20=y
+CONFIG_HS20=y
+
+# Enable interface matching in wpa_supplicant
+#CONFIG_MATCH_IFACE=y
# Disable roaming in wpa_supplicant
#CONFIG_NO_ROAMING=y
@@ -473,8 +512,8 @@ CONFIG_P2P=y
# Enable TDLS support
CONFIG_TDLS=y
-# Wi-Fi Direct
-# This can be used to enable Wi-Fi Direct extensions for P2P using an external
+# Wi-Fi Display
+# This can be used to enable Wi-Fi Display extensions for P2P using an external
# program to control the additional information exchanges in the messages.
CONFIG_WIFI_DISPLAY=y
@@ -495,12 +534,106 @@ CONFIG_WIFI_DISPLAY=y
#
# External password backend for testing purposes (developer use)
#CONFIG_EXT_PASSWORD_TEST=y
+# File-based backend to read passwords from an external file.
+#CONFIG_EXT_PASSWORD_FILE=y
-# Enable background scan to improve roaming
-CONFIG_BGSCAN_SIMPLE=y
+# Enable Fast Session Transfer (FST)
+#CONFIG_FST=y
+
+# Enable CLI commands for FST testing
+#CONFIG_FST_TEST=y
-# Enable RSN IBSS/AdHoc
+# OS X builds. This is only for building eapol_test.
+#CONFIG_OSX=y
+
+# Automatic Channel Selection
+# This will allow wpa_supplicant to pick the channel automatically when channel
+# is set to "0".
+#
+# TODO: Extend parser to be able to parse "channel=acs_survey" as an alternative
+# to "channel=0". This would enable us to eventually add other ACS algorithms in
+# similar way.
+#
+# Automatic selection is currently only done through initialization, later on
+# we hope to do background checks to keep us moving to more ideal channels as
+# time goes by. ACS is currently only supported through the nl80211 driver and
+# your driver must have survey dump capability that is filled by the driver
+# during scanning.
+#
+# TODO: In analogy to hostapd be able to customize the ACS survey algorithm with
+# a newly to create wpa_supplicant.conf variable acs_num_scans.
+#
+# Supported ACS drivers:
+# * ath9k
+# * ath5k
+# * ath10k
+#
+# For more details refer to:
+# http://wireless.kernel.org/en/users/Documentation/acs
+#CONFIG_ACS=y
+
+# Support Multi Band Operation
+#CONFIG_MBO=y
+
+# Fast Initial Link Setup (FILS) (IEEE 802.11ai)
+#CONFIG_FILS=y
+# FILS shared key authentication with PFS
+#CONFIG_FILS_SK_PFS=y
+
+# Support RSN on IBSS networks
+# This is needed to be able to use mode=1 network profile with proto=RSN and
+# key_mgmt=WPA-PSK (i.e., full key management instead of WPA-None).
CONFIG_IBSS_RSN=y
-# Enable SAE support
-CONFIG_SAE=y
+# External PMKSA cache control
+# This can be used to enable control interface commands that allow the current
+# PMKSA cache entries to be fetched and new entries to be added.
+#CONFIG_PMKSA_CACHE_EXTERNAL=y
+
+# Mesh Networking (IEEE 802.11s)
+#CONFIG_MESH=y
+
+# Background scanning modules
+# These can be used to request wpa_supplicant to perform background scanning
+# operations for roaming within an ESS (same SSID). See the bgscan parameter in
+# the wpa_supplicant.conf file for more details.
+# Periodic background scans based on signal strength
+CONFIG_BGSCAN_SIMPLE=y
+# Learn channels used by the network and try to avoid bgscans on other
+# channels (experimental)
+#CONFIG_BGSCAN_LEARN=y
+
+# Opportunistic Wireless Encryption (OWE)
+# Experimental implementation of draft-harkins-owe-07.txt
+#CONFIG_OWE=y
+
+# Device Provisioning Protocol (DPP) (also known as Wi-Fi Easy Connect)
+CONFIG_DPP=y
+# DPP version 2 support
+CONFIG_DPP2=y
+# DPP version 3 support (experimental and still changing; do not enable for
+# production use)
+#CONFIG_DPP3=y
+
+# Wired equivalent privacy (WEP)
+# WEP is an obsolete cryptographic data confidentiality algorithm that is not
+# considered secure. It should not be used for anything anymore. The
+# functionality needed to use WEP is available in the current wpa_supplicant
+# release under this optional build parameter. This functionality is subject to
+# be completely removed in a future release.
+CONFIG_WEP=y
+
+# Remove all TKIP functionality
+# TKIP is an old cryptographic data confidentiality algorithm that is not
+# considered secure. It should not be used anymore for anything else than a
+# backwards compatibility option as a group cipher when connecting to APs that
+# use WPA+WPA2 mixed mode. For now, the default wpa_supplicant build includes
+# support for this by default, but that functionality is subject to be removed
+# in the future.
+#CONFIG_NO_TKIP=y
+
+# Pre-Association Security Negotiation (PASN)
+# Experimental implementation based on IEEE P802.11z/D2.6 and the protocol
+# design is still subject to change. As such, this should not yet be enabled in
+# production use.
+#CONFIG_PASN=y
diff --git a/restore-old-dbus-interface.patch b/restore-old-dbus-interface.patch
index 4248993..fc91a32 100644
--- a/restore-old-dbus-interface.patch
+++ b/restore-old-dbus-interface.patch
@@ -10,11 +10,11 @@ Date: Fri Apr 17 10:34:30 2020 +0200
wicked still uses the old dbus interface
and porting it is hard.
-diff --git a/wpa_supplicant/Android.mk b/wpa_supplicant/Android.mk
-index b5d982de3..37be1ce35 100644
---- a/wpa_supplicant/Android.mk
-+++ b/wpa_supplicant/Android.mk
-@@ -1448,25 +1448,44 @@ endif
+Index: wpa_supplicant-2.10/wpa_supplicant/Android.mk
+===================================================================
+--- wpa_supplicant-2.10.orig/wpa_supplicant/Android.mk
++++ wpa_supplicant-2.10/wpa_supplicant/Android.mk
+@@ -1471,25 +1471,44 @@ endif
OBJS += ctrl_iface.c ctrl_iface_$(CONFIG_CTRL_IFACE).c
endif
@@ -69,11 +69,11 @@ index b5d982de3..37be1ce35 100644
ifdef CONFIG_CTRL_IFACE_BINDER
WPA_SUPPLICANT_USE_BINDER=y
L_CFLAGS += -DCONFIG_BINDER -DCONFIG_CTRL_IFACE_BINDER
-diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
-index f1384d5fa..9555495e1 100644
---- a/wpa_supplicant/Makefile
-+++ b/wpa_supplicant/Makefile
-@@ -55,6 +55,7 @@ ALL += systemd/wpa_supplicant.service
+Index: wpa_supplicant-2.10/wpa_supplicant/Makefile
+===================================================================
+--- wpa_supplicant-2.10.orig/wpa_supplicant/Makefile
++++ wpa_supplicant-2.10/wpa_supplicant/Makefile
+@@ -9,6 +9,7 @@ ALL += systemd/wpa_supplicant.service
ALL += systemd/wpa_supplicant@.service
ALL += systemd/wpa_supplicant-nl80211@.service
ALL += systemd/wpa_supplicant-wired@.service
@@ -81,7 +81,7 @@ index f1384d5fa..9555495e1 100644
ALL += dbus/fi.w1.wpa_supplicant1.service
ifdef CONFIG_BUILD_WPA_CLIENT_SO
ALL += libwpa_client.so
-@@ -1605,17 +1606,35 @@ endif
+@@ -1606,17 +1607,35 @@ endif
OBJS += ctrl_iface.o ctrl_iface_$(CONFIG_CTRL_IFACE).o
endif
@@ -124,7 +124,7 @@ index f1384d5fa..9555495e1 100644
endif
ifndef DBUS_LIBS
DBUS_LIBS := $(shell $(PKG_CONFIG) --libs dbus-1)
-@@ -1624,13 +1643,22 @@ ifndef DBUS_INCLUDE
+@@ -1625,13 +1644,22 @@ ifndef DBUS_INCLUDE
DBUS_INCLUDE := $(shell $(PKG_CONFIG) --cflags dbus-1)
endif
ifdef CONFIG_CTRL_IFACE_DBUS_INTRO
@@ -151,8 +151,8 @@ index f1384d5fa..9555495e1 100644
ifdef CONFIG_READLINE
OBJS_c += ../src/utils/edit_readline.o
LIBS_c += -lreadline -lncurses
-@@ -1992,11 +2020,13 @@ else
- endif
+@@ -2015,11 +2043,13 @@ eap_gpsk.so: $(SRC_EAP_GPSK)
+ @$(E) " CC/LD " $@
%.service: %.service.in
- $(Q)sed -e 's|\@BINDIR\@|$(BINDIR)|g' $< >$@
@@ -167,11 +167,11 @@ index f1384d5fa..9555495e1 100644
@$(E) " sed" $<
wpa_supplicant.exe: wpa_supplicant
-diff --git a/wpa_supplicant/android.config b/wpa_supplicant/android.config
-index 6536c110a..854f48167 100644
---- a/wpa_supplicant/android.config
-+++ b/wpa_supplicant/android.config
-@@ -327,6 +327,10 @@ CONFIG_IEEE80211W=y
+Index: wpa_supplicant-2.10/wpa_supplicant/android.config
+===================================================================
+--- wpa_supplicant-2.10.orig/wpa_supplicant/android.config
++++ wpa_supplicant-2.10/wpa_supplicant/android.config
+@@ -323,6 +323,10 @@ CONFIG_L2_PACKET=linux
#CONFIG_NDIS_EVENTS_INTEGRATED=y
#PLATFORMSDKLIB="/opt/Program Files/Microsoft Platform SDK/Lib"
@@ -182,10 +182,10 @@ index 6536c110a..854f48167 100644
# Add support for new DBus control interface
# (fi.w1.hostap.wpa_supplicant1)
#CONFIG_CTRL_IFACE_DBUS_NEW=y
-diff --git a/wpa_supplicant/dbus/Makefile b/wpa_supplicant/dbus/Makefile
-index 4d8700428..f355ebef5 100644
---- a/wpa_supplicant/dbus/Makefile
-+++ b/wpa_supplicant/dbus/Makefile
+Index: wpa_supplicant-2.10/wpa_supplicant/dbus/Makefile
+===================================================================
+--- wpa_supplicant-2.10.orig/wpa_supplicant/dbus/Makefile
++++ wpa_supplicant-2.10/wpa_supplicant/dbus/Makefile
@@ -36,6 +36,7 @@ CFLAGS += -DCONFIG_WPS
endif
@@ -211,10 +211,10 @@ index 4d8700428..f355ebef5 100644
LIB_OBJS += dbus_new_handlers_wps.o
endif
-diff --git a/wpa_supplicant/dbus/dbus-wpa_supplicant.conf b/wpa_supplicant/dbus/dbus-wpa_supplicant.conf
-index e81b495f4..382dcb343 100644
---- a/wpa_supplicant/dbus/dbus-wpa_supplicant.conf
-+++ b/wpa_supplicant/dbus/dbus-wpa_supplicant.conf
+Index: wpa_supplicant-2.10/wpa_supplicant/dbus/dbus-wpa_supplicant.conf
+===================================================================
+--- wpa_supplicant-2.10.orig/wpa_supplicant/dbus/dbus-wpa_supplicant.conf
++++ wpa_supplicant-2.10/wpa_supplicant/dbus/dbus-wpa_supplicant.conf
@@ -3,6 +3,11 @@
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
@@ -237,10 +237,10 @@ index e81b495f4..382dcb343 100644
<deny own="fi.w1.wpa_supplicant1"/>
<deny send_destination="fi.w1.wpa_supplicant1"/>
<deny receive_sender="fi.w1.wpa_supplicant1" receive_type="signal"/>
-diff --git a/wpa_supplicant/dbus/dbus_common.c b/wpa_supplicant/dbus/dbus_common.c
-index efa6c7b20..7ef6cad62 100644
---- a/wpa_supplicant/dbus/dbus_common.c
-+++ b/wpa_supplicant/dbus/dbus_common.c
+Index: wpa_supplicant-2.10/wpa_supplicant/dbus/dbus_common.c
+===================================================================
+--- wpa_supplicant-2.10.orig/wpa_supplicant/dbus/dbus_common.c
++++ wpa_supplicant-2.10/wpa_supplicant/dbus/dbus_common.c
@@ -16,6 +16,7 @@
#include "dbus_common.h"
#include "dbus_common_i.h"
@@ -249,7 +249,7 @@ index efa6c7b20..7ef6cad62 100644
#include "../wpa_supplicant_i.h"
-@@ -350,6 +351,9 @@ struct wpas_dbus_priv * wpas_dbus_init(struct wpa_global *global)
+@@ -351,6 +352,9 @@ struct wpas_dbus_priv * wpas_dbus_init(s
#ifdef CONFIG_CTRL_IFACE_DBUS_NEW
wpas_dbus_ctrl_iface_init(priv) < 0 ||
#endif /* CONFIG_CTRL_IFACE_DBUS_NEW */
@@ -259,7 +259,7 @@ index efa6c7b20..7ef6cad62 100644
wpas_dbus_init_common_finish(priv) < 0) {
wpas_dbus_deinit(priv);
return NULL;
-@@ -368,5 +372,9 @@ void wpas_dbus_deinit(struct wpas_dbus_priv *priv)
+@@ -369,5 +373,9 @@ void wpas_dbus_deinit(struct wpas_dbus_p
wpas_dbus_ctrl_iface_deinit(priv);
#endif /* CONFIG_CTRL_IFACE_DBUS_NEW */
@@ -269,11 +269,10 @@ index efa6c7b20..7ef6cad62 100644
+
wpas_dbus_deinit_common(priv);
}
-diff --git a/wpa_supplicant/dbus/dbus_old.c b/wpa_supplicant/dbus/dbus_old.c
-new file mode 100644
-index 000000000..88227af7c
+Index: wpa_supplicant-2.10/wpa_supplicant/dbus/dbus_old.c
+===================================================================
--- /dev/null
-+++ b/wpa_supplicant/dbus/dbus_old.c
++++ wpa_supplicant-2.10/wpa_supplicant/dbus/dbus_old.c
@@ -0,0 +1,745 @@
+/*
+ * WPA Supplicant / dbus-based control interface
@@ -1020,11 +1019,10 @@ index 000000000..88227af7c
+ }
+ return NULL;
+}
-diff --git a/wpa_supplicant/dbus/dbus_old.h b/wpa_supplicant/dbus/dbus_old.h
-new file mode 100644
-index 000000000..451a9f827
+Index: wpa_supplicant-2.10/wpa_supplicant/dbus/dbus_old.h
+===================================================================
--- /dev/null
-+++ b/wpa_supplicant/dbus/dbus_old.h
++++ wpa_supplicant-2.10/wpa_supplicant/dbus/dbus_old.h
@@ -0,0 +1,142 @@
+/*
+ * WPA Supplicant / dbus-based control interface
@@ -1168,11 +1166,10 @@ index 000000000..451a9f827
+#endif /* CONFIG_CTRL_IFACE_DBUS */
+
+#endif /* CTRL_IFACE_DBUS_H */
-diff --git a/wpa_supplicant/dbus/dbus_old_handlers.c b/wpa_supplicant/dbus/dbus_old_handlers.c
-new file mode 100644
-index 000000000..e540832f2
+Index: wpa_supplicant-2.10/wpa_supplicant/dbus/dbus_old_handlers.c
+===================================================================
--- /dev/null
-+++ b/wpa_supplicant/dbus/dbus_old_handlers.c
++++ wpa_supplicant-2.10/wpa_supplicant/dbus/dbus_old_handlers.c
@@ -0,0 +1,1393 @@
+/*
+ * WPA Supplicant / dbus-based control interface
@@ -2567,11 +2564,10 @@ index 000000000..e540832f2
+
+ return wpas_dbus_new_success_reply(message);
+}
-diff --git a/wpa_supplicant/dbus/dbus_old_handlers.h b/wpa_supplicant/dbus/dbus_old_handlers.h
-new file mode 100644
-index 000000000..e60ad06a0
+Index: wpa_supplicant-2.10/wpa_supplicant/dbus/dbus_old_handlers.h
+===================================================================
--- /dev/null
-+++ b/wpa_supplicant/dbus/dbus_old_handlers.h
++++ wpa_supplicant-2.10/wpa_supplicant/dbus/dbus_old_handlers.h
@@ -0,0 +1,101 @@
+/*
+ * WPA Supplicant / dbus-based control interface
@@ -2674,11 +2670,10 @@ index 000000000..e60ad06a0
+
+#endif /* CTRL_IFACE_DBUS_HANDLERS_H */
+
-diff --git a/wpa_supplicant/dbus/dbus_old_handlers_wps.c b/wpa_supplicant/dbus/dbus_old_handlers_wps.c
-new file mode 100644
-index 000000000..6c8405b85
+Index: wpa_supplicant-2.10/wpa_supplicant/dbus/dbus_old_handlers_wps.c
+===================================================================
--- /dev/null
-+++ b/wpa_supplicant/dbus/dbus_old_handlers_wps.c
++++ wpa_supplicant-2.10/wpa_supplicant/dbus/dbus_old_handlers_wps.c
@@ -0,0 +1,156 @@
+/*
+ * WPA Supplicant / dbus-based control interface (WPS)
@@ -2836,22 +2831,21 @@ index 000000000..6c8405b85
+
+ return wpas_dbus_new_success_reply(message);
+}
-diff --git a/wpa_supplicant/dbus/fi.epitest.hostap.WPASupplicant.service.in b/wpa_supplicant/dbus/fi.epitest.hostap.WPASupplicant.service.in
-new file mode 100644
-index 000000000..a75918f93
+Index: wpa_supplicant-2.10/wpa_supplicant/dbus/fi.epitest.hostap.WPASupplicant.service.in
+===================================================================
--- /dev/null
-+++ b/wpa_supplicant/dbus/fi.epitest.hostap.WPASupplicant.service.in
++++ wpa_supplicant-2.10/wpa_supplicant/dbus/fi.epitest.hostap.WPASupplicant.service.in
@@ -0,0 +1,5 @@
+[D-BUS Service]
+Name=fi.epitest.hostap.WPASupplicant
+Exec=@BINDIR@/wpa_supplicant -u
+User=root
+SystemdService=wpa_supplicant.service
-diff --git a/wpa_supplicant/defconfig b/wpa_supplicant/defconfig
-index cdfb1974d..57550d495 100644
---- a/wpa_supplicant/defconfig
-+++ b/wpa_supplicant/defconfig
-@@ -365,6 +365,10 @@ CONFIG_IEEE80211W=y
+Index: wpa_supplicant-2.10/wpa_supplicant/defconfig
+===================================================================
+--- wpa_supplicant-2.10.orig/wpa_supplicant/defconfig
++++ wpa_supplicant-2.10/wpa_supplicant/defconfig
+@@ -361,6 +361,10 @@ CONFIG_BACKEND=file
#CONFIG_NDIS_EVENTS_INTEGRATED=y
#PLATFORMSDKLIB="/opt/Program Files/Microsoft Platform SDK/Lib"
@@ -2860,13 +2854,13 @@ index cdfb1974d..57550d495 100644
+#CONFIG_CTRL_IFACE_DBUS=y
+
# Add support for new DBus control interface
- # (fi.w1.hostap.wpa_supplicant1)
+ # (fi.w1.wpa_supplicant1)
CONFIG_CTRL_IFACE_DBUS_NEW=y
-diff --git a/wpa_supplicant/doc/docbook/wpa_supplicant.sgml b/wpa_supplicant/doc/docbook/wpa_supplicant.sgml
-index aaff15002..ebf102edf 100644
---- a/wpa_supplicant/doc/docbook/wpa_supplicant.sgml
-+++ b/wpa_supplicant/doc/docbook/wpa_supplicant.sgml
-@@ -471,7 +471,7 @@
+Index: wpa_supplicant-2.10/wpa_supplicant/doc/docbook/wpa_supplicant.sgml
+===================================================================
+--- wpa_supplicant-2.10.orig/wpa_supplicant/doc/docbook/wpa_supplicant.sgml
++++ wpa_supplicant-2.10/wpa_supplicant/doc/docbook/wpa_supplicant.sgml
+@@ -475,7 +475,7 @@
<para>Enable DBus control interface. If enabled, interface
definitions may be omitted. (This is only available
if <command>wpa_supplicant</command> was built with
@@ -2875,11 +2869,10 @@ index aaff15002..ebf102edf 100644
</listitem>
</varlistentry>
-diff --git a/wpa_supplicant/examples/wpas-test.py b/wpa_supplicant/examples/wpas-test.py
-new file mode 100755
-index 000000000..bdd16a8a8
+Index: wpa_supplicant-2.10/wpa_supplicant/examples/wpas-test.py
+===================================================================
--- /dev/null
-+++ b/wpa_supplicant/examples/wpas-test.py
++++ wpa_supplicant-2.10/wpa_supplicant/examples/wpas-test.py
@@ -0,0 +1,91 @@
+#!/usr/bin/python
+
@@ -2972,10 +2965,10 @@ index 000000000..bdd16a8a8
+if __name__ == "__main__":
+ main()
+
-diff --git a/wpa_supplicant/main.c b/wpa_supplicant/main.c
-index 51a8a0298..e08c2fd26 100644
---- a/wpa_supplicant/main.c
-+++ b/wpa_supplicant/main.c
+Index: wpa_supplicant-2.10/wpa_supplicant/main.c
+===================================================================
+--- wpa_supplicant-2.10.orig/wpa_supplicant/main.c
++++ wpa_supplicant-2.10/wpa_supplicant/main.c
@@ -28,9 +28,9 @@ static void usage(void)
"s"
#endif /* CONFIG_DEBUG_SYSLOG */
@@ -3014,10 +3007,10 @@ index 51a8a0298..e08c2fd26 100644
case 'v':
printf("%s\n", wpa_supplicant_version);
exitcode = 0;
-diff --git a/wpa_supplicant/notify.c b/wpa_supplicant/notify.c
-index e41d7c41c..f47f9bb76 100644
---- a/wpa_supplicant/notify.c
-+++ b/wpa_supplicant/notify.c
+Index: wpa_supplicant-2.10/wpa_supplicant/notify.c
+===================================================================
+--- wpa_supplicant-2.10.orig/wpa_supplicant/notify.c
++++ wpa_supplicant-2.10/wpa_supplicant/notify.c
@@ -15,6 +15,7 @@
#include "wps_supplicant.h"
#include "binder/binder.h"
@@ -3026,7 +3019,7 @@ index e41d7c41c..f47f9bb76 100644
#include "dbus/dbus_new.h"
#include "rsn_supp/wpa.h"
#include "fst/fst.h"
-@@ -27,13 +28,13 @@
+@@ -28,13 +29,13 @@
int wpas_notify_supplicant_initialized(struct wpa_global *global)
{
@@ -3042,7 +3035,7 @@ index e41d7c41c..f47f9bb76 100644
#ifdef CONFIG_BINDER
global->binder = wpas_binder_init(global);
-@@ -47,10 +48,10 @@ int wpas_notify_supplicant_initialized(struct wpa_global *global)
+@@ -48,10 +49,10 @@ int wpas_notify_supplicant_initialized(s
void wpas_notify_supplicant_deinitialized(struct wpa_global *global)
{
@@ -3055,7 +3048,7 @@ index e41d7c41c..f47f9bb76 100644
#ifdef CONFIG_BINDER
if (global->binder)
-@@ -64,6 +65,9 @@ int wpas_notify_iface_added(struct wpa_supplicant *wpa_s)
+@@ -65,6 +66,9 @@ int wpas_notify_iface_added(struct wpa_s
if (wpa_s->p2p_mgmt)
return 0;
@@ -3065,7 +3058,7 @@ index e41d7c41c..f47f9bb76 100644
if (wpas_dbus_register_interface(wpa_s))
return -1;
-@@ -76,6 +80,9 @@ void wpas_notify_iface_removed(struct wpa_supplicant *wpa_s)
+@@ -77,6 +81,9 @@ void wpas_notify_iface_removed(struct wp
if (wpa_s->p2p_mgmt)
return;
@@ -3075,7 +3068,7 @@ index e41d7c41c..f47f9bb76 100644
/* unregister interface in new DBus ctrl iface */
wpas_dbus_unregister_interface(wpa_s);
}
-@@ -88,6 +95,10 @@ void wpas_notify_state_changed(struct wpa_supplicant *wpa_s,
+@@ -89,6 +96,10 @@ void wpas_notify_state_changed(struct wp
if (wpa_s->p2p_mgmt)
return;
@@ -3086,7 +3079,7 @@ index e41d7c41c..f47f9bb76 100644
/* notify the new DBus API */
wpas_dbus_signal_prop_changed(wpa_s, WPAS_DBUS_PROP_STATE);
-@@ -257,6 +268,9 @@ void wpas_notify_scanning(struct wpa_supplicant *wpa_s)
+@@ -258,6 +269,9 @@ void wpas_notify_scanning(struct wpa_sup
if (wpa_s->p2p_mgmt)
return;
@@ -3096,7 +3089,7 @@ index e41d7c41c..f47f9bb76 100644
/* notify the new DBus API */
wpas_dbus_signal_prop_changed(wpa_s, WPAS_DBUS_PROP_SCANNING);
}
-@@ -276,6 +290,9 @@ void wpas_notify_scan_results(struct wpa_supplicant *wpa_s)
+@@ -277,6 +291,9 @@ void wpas_notify_scan_results(struct wpa
if (wpa_s->p2p_mgmt)
return;
@@ -3106,7 +3099,7 @@ index e41d7c41c..f47f9bb76 100644
wpas_wps_notify_scan_results(wpa_s);
}
-@@ -287,6 +304,8 @@ void wpas_notify_wps_credential(struct wpa_supplicant *wpa_s,
+@@ -288,6 +305,8 @@ void wpas_notify_wps_credential(struct w
return;
#ifdef CONFIG_WPS
@@ -3115,21 +3108,21 @@ index e41d7c41c..f47f9bb76 100644
/* notify the new DBus API */
wpas_dbus_signal_wps_cred(wpa_s, cred);
#endif /* CONFIG_WPS */
-@@ -818,6 +837,9 @@ void wpas_notify_certification(struct wpa_supplicant *wpa_s,
+@@ -831,6 +850,9 @@ void wpas_notify_certification(struct wp
wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_EAP_PEER_ALT
"depth=%d %s", cert->depth, cert->altsubject[i]);
+ /* notify the old DBus API */
-+ wpa_supplicant_dbus_notify_certification(wpa_s, depth, subject,
-+ cert_hash, cert);
++ wpa_supplicant_dbus_notify_certification(wpa_s, cert->depth, cert->subject,
++ cert_hash, cert->cert);
/* notify the new DBus API */
wpas_dbus_signal_certification(wpa_s, cert->depth, cert->subject,
cert->altsubject, cert->num_altsubject,
-diff --git a/wpa_supplicant/systemd/wpa_supplicant.service.in b/wpa_supplicant/systemd/wpa_supplicant.service.in
-index 75a37a8cd..bc5d49af8 100644
---- a/wpa_supplicant/systemd/wpa_supplicant.service.in
-+++ b/wpa_supplicant/systemd/wpa_supplicant.service.in
-@@ -5,9 +5,9 @@ Wants=network.target
+Index: wpa_supplicant-2.10/wpa_supplicant/systemd/wpa_supplicant.service.in
+===================================================================
+--- wpa_supplicant-2.10.orig/wpa_supplicant/systemd/wpa_supplicant.service.in
++++ wpa_supplicant-2.10/wpa_supplicant/systemd/wpa_supplicant.service.in
+@@ -6,9 +6,9 @@ Wants=network.target
[Service]
Type=dbus
@@ -3141,11 +3134,11 @@ index 75a37a8cd..bc5d49af8 100644
WantedBy=multi-user.target
-Alias=dbus-fi.w1.wpa_supplicant1.service
+Alias=dbus-@DBUS_INTERFACE@.service
-diff --git a/wpa_supplicant/wpa_supplicant_i.h b/wpa_supplicant/wpa_supplicant_i.h
-index 8a4bdf8cb..c7b131cc1 100644
---- a/wpa_supplicant/wpa_supplicant_i.h
-+++ b/wpa_supplicant/wpa_supplicant_i.h
-@@ -504,6 +504,9 @@ struct wpa_supplicant {
+Index: wpa_supplicant-2.10/wpa_supplicant/wpa_supplicant_i.h
+===================================================================
+--- wpa_supplicant-2.10.orig/wpa_supplicant/wpa_supplicant_i.h
++++ wpa_supplicant-2.10/wpa_supplicant/wpa_supplicant_i.h
+@@ -706,6 +706,9 @@ struct wpa_supplicant {
#ifdef CONFIG_MATCH_IFACE
int matched;
#endif /* CONFIG_MATCH_IFACE */
@@ -3155,26 +3148,3 @@ index 8a4bdf8cb..c7b131cc1 100644
#ifdef CONFIG_CTRL_IFACE_DBUS_NEW
char *dbus_new_path;
char *dbus_groupobj_path;
-commit 2df86203526b872c3c17cf135340b9b3c8c35594
-Author: Bernhard M. Wiedemann <bwiedemann@suse.de>
-Date: Fri Apr 17 10:46:56 2020 +0200
-
- Fixup ^ for 2019 API changes
-
- From bc0634da4a3ef468f3142fb39ebdabb08566f411
-
-diff --git a/wpa_supplicant/notify.c b/wpa_supplicant/notify.c
-index f47f9bb76..2db8bc850 100644
---- a/wpa_supplicant/notify.c
-+++ b/wpa_supplicant/notify.c
-@@ -838,8 +838,8 @@ void wpas_notify_certification(struct wpa_supplicant *wpa_s,
- "depth=%d %s", cert->depth, cert->altsubject[i]);
-
- /* notify the old DBus API */
-- wpa_supplicant_dbus_notify_certification(wpa_s, depth, subject,
-- cert_hash, cert);
-+ wpa_supplicant_dbus_notify_certification(wpa_s, cert->depth, cert->subject,
-+ cert_hash, cert->cert);
- /* notify the new DBus API */
- wpas_dbus_signal_certification(wpa_s, cert->depth, cert->subject,
- cert->altsubject, cert->num_altsubject,
diff --git a/wpa_supplicant-2.10.tar.gz b/wpa_supplicant-2.10.tar.gz
new file mode 120000
index 0000000..f901926
--- /dev/null
+++ b/wpa_supplicant-2.10.tar.gz
@@ -0,0 +1 @@
+/ipfs/bafybeihyjikazd44tqn6wjqcwvaxxxfjh2pkcad4vjtmxr3avram7gasle
\ No newline at end of file
diff --git a/wpa_supplicant-2.9.tar.gz b/wpa_supplicant-2.9.tar.gz
deleted file mode 120000
index cc055f8..0000000
--- a/wpa_supplicant-2.9.tar.gz
+++ /dev/null
@@ -1 +0,0 @@
-/ipfs/bafybeihx2i5wizibbzdxwvezpchp7a3du3i5qw42q7i6mkuqs356hkmcte
\ No newline at end of file
diff --git a/wpa_supplicant-alloc_size.patch b/wpa_supplicant-alloc_size.patch
index 536fcb1..27d0f7b 100644
--- a/wpa_supplicant-alloc_size.patch
+++ b/wpa_supplicant-alloc_size.patch
@@ -1,6 +1,8 @@
---- wpa_supplicant-2.4.orig/src/utils/os.h
-+++ wpa_supplicant-2.4/src/utils/os.h
-@@ -253,7 +253,7 @@ int os_file_exists(const char *fname);
+Index: wpa_supplicant-2.10/src/utils/os.h
+===================================================================
+--- wpa_supplicant-2.10.orig/src/utils/os.h
++++ wpa_supplicant-2.10/src/utils/os.h
+@@ -260,7 +260,7 @@ int os_fdatasync(FILE *stream);
*
* Caller is responsible for freeing the returned buffer with os_free().
*/
@@ -9,7 +11,7 @@
/**
* os_calloc - Allocate and zero memory for an array
-@@ -267,6 +267,8 @@ void * os_zalloc(size_t size);
+@@ -274,6 +274,8 @@ void * os_zalloc(size_t size);
*
* Caller is responsible for freeing the returned buffer with os_free().
*/
diff --git a/wpa_supplicant-dump-certificate-as-PEM-in-debug-mode.diff b/wpa_supplicant-dump-certificate-as-PEM-in-debug-mode.diff
index 9cb693b..6229aeb 100644
--- a/wpa_supplicant-dump-certificate-as-PEM-in-debug-mode.diff
+++ b/wpa_supplicant-dump-certificate-as-PEM-in-debug-mode.diff
@@ -9,12 +9,12 @@ Subject: [PATCH] dump certificate as PEM in debug mode
src/utils/wpa_debug.h | 8 ++++++++
3 files changed, 26 insertions(+)
-Index: wpa_supplicant-2.4/src/crypto/tls_openssl.c
+Index: wpa_supplicant-2.10/src/crypto/tls_openssl.c
===================================================================
---- wpa_supplicant-2.4.orig/src/crypto/tls_openssl.c
-+++ wpa_supplicant-2.4/src/crypto/tls_openssl.c
-@@ -1484,6 +1484,19 @@ static int tls_verify_cb(int preverify_o
- SSL_get_ex_data_X509_STORE_CTX_idx());
+--- wpa_supplicant-2.10.orig/src/crypto/tls_openssl.c
++++ wpa_supplicant-2.10/src/crypto/tls_openssl.c
+@@ -2361,6 +2361,19 @@ static int tls_verify_cb(int preverify_o
+ debug_print_cert(err_cert, buf);
X509_NAME_oneline(X509_get_subject_name(err_cert), buf, sizeof(buf));
+ if (wpa_debug_enabled(MSG_DEBUG)) {
@@ -33,11 +33,11 @@ Index: wpa_supplicant-2.4/src/crypto/tls_openssl.c
conn = SSL_get_app_data(ssl);
if (conn == NULL)
return 0;
-Index: wpa_supplicant-2.4/src/utils/wpa_debug.c
+Index: wpa_supplicant-2.10/src/utils/wpa_debug.c
===================================================================
---- wpa_supplicant-2.4.orig/src/utils/wpa_debug.c
-+++ wpa_supplicant-2.4/src/utils/wpa_debug.c
-@@ -62,6 +62,11 @@ static FILE *out_file = NULL;
+--- wpa_supplicant-2.10.orig/src/utils/wpa_debug.c
++++ wpa_supplicant-2.10/src/utils/wpa_debug.c
+@@ -66,6 +66,11 @@ static int wpa_to_android_level(int leve
#endif /* CONFIG_DEBUG_FILE */
@@ -49,11 +49,11 @@ Index: wpa_supplicant-2.4/src/utils/wpa_debug.c
void wpa_debug_print_timestamp(void)
{
#ifndef CONFIG_ANDROID_LOG
-Index: wpa_supplicant-2.4/src/utils/wpa_debug.h
+Index: wpa_supplicant-2.10/src/utils/wpa_debug.h
===================================================================
---- wpa_supplicant-2.4.orig/src/utils/wpa_debug.h
-+++ wpa_supplicant-2.4/src/utils/wpa_debug.h
-@@ -24,6 +24,7 @@ enum {
+--- wpa_supplicant-2.10.orig/src/utils/wpa_debug.h
++++ wpa_supplicant-2.10/src/utils/wpa_debug.h
+@@ -25,6 +25,7 @@ enum {
#ifdef CONFIG_NO_STDOUT_DEBUG
@@ -61,7 +61,7 @@ Index: wpa_supplicant-2.4/src/utils/wpa_debug.h
#define wpa_debug_print_timestamp() do { } while (0)
#define wpa_printf(args...) do { } while (0)
#define wpa_hexdump(l,t,b,le) do { } while (0)
-@@ -50,6 +51,13 @@ void wpa_debug_close_file(void);
+@@ -51,6 +52,13 @@ void wpa_debug_close_file(void);
void wpa_debug_setup_stdout(void);
/**
diff --git a/wpa_supplicant-flush-debug-output.patch b/wpa_supplicant-flush-debug-output.patch
index 53d743b..c06f10e 100644
--- a/wpa_supplicant-flush-debug-output.patch
+++ b/wpa_supplicant-flush-debug-output.patch
@@ -1,51 +1,56 @@
-Index: src/utils/wpa_debug.c
+Index: wpa_supplicant-2.10/src/utils/wpa_debug.c
===================================================================
---- a/src/utils/wpa_debug.c
-+++ b/src/utils/wpa_debug.c
-@@ -45,6 +45,7 @@ void wpa_debug_print_timestamp(void)
- if (out_file) {
+--- wpa_supplicant-2.10.orig/src/utils/wpa_debug.c
++++ wpa_supplicant-2.10/src/utils/wpa_debug.c
+@@ -76,9 +76,11 @@ void wpa_debug_print_timestamp(void)
+
+ os_get_time(&tv);
+ #ifdef CONFIG_DEBUG_FILE
+- if (out_file)
++ if (out_file) {
fprintf(out_file, "%ld.%06u: ", (long) tv.sec,
(unsigned int) tv.usec);
-+ fflush(out_file);
- } else
++ fflush(out_file);
++ }
#endif /* CONFIG_DEBUG_FILE */
- printf("%ld.%06u: ", (long) tv.sec, (unsigned int) tv.usec);
-@@ -111,6 +112,7 @@ void wpa_printf(int level, const char *f
- if (out_file) {
+ if (!out_file && !wpa_debug_syslog)
+ printf("%ld.%06u: ", (long) tv.sec, (unsigned int) tv.usec);
+@@ -231,6 +233,7 @@ void wpa_printf(int level, const char *f
vfprintf(out_file, fmt, ap);
fprintf(out_file, "\n");
-+ fflush(out_file);
- } else {
+ va_end(ap);
++ fflush(out_file);
+ }
#endif /* CONFIG_DEBUG_FILE */
- vprintf(fmt, ap);
-@@ -146,6 +148,7 @@ static void _wpa_hexdump(int level, cons
+ if (!wpa_debug_syslog && !out_file) {
+@@ -365,6 +368,7 @@ static void _wpa_hexdump(int level, cons
fprintf(out_file, " [REMOVED]");
}
fprintf(out_file, "\n");
-+ fflush(out_file);
- } else {
++ fflush(out_file);
+ }
#endif /* CONFIG_DEBUG_FILE */
- printf("%s - hexdump(len=%lu):", title, (unsigned long) len);
-@@ -191,12 +194,14 @@ static void _wpa_hexdump_ascii(int level
+ if (!wpa_debug_syslog && !out_file) {
+@@ -436,12 +440,14 @@ static void _wpa_hexdump_ascii(int level
fprintf(out_file,
"%s - hexdump_ascii(len=%lu): [REMOVED]\n",
title, (unsigned long) len);
-+ fflush(out_file);
- return;
++ fflush(out_file);
+ goto file_done;
}
if (buf == NULL) {
fprintf(out_file,
"%s - hexdump_ascii(len=%lu): [NULL]\n",
title, (unsigned long) len);
-+ fflush(out_file);
- return;
++ fflush(out_file);
+ goto file_done;
}
fprintf(out_file, "%s - hexdump_ascii(len=%lu):\n",
-@@ -221,6 +226,7 @@ static void _wpa_hexdump_ascii(int level
+@@ -466,6 +472,7 @@ static void _wpa_hexdump_ascii(int level
pos += llen;
len -= llen;
}
-+ fflush(out_file);
- } else {
++ fflush(out_file);
+ }
+ file_done:
#endif /* CONFIG_DEBUG_FILE */
- if (!show) {
diff --git a/wpa_supplicant-getrandom.patch b/wpa_supplicant-getrandom.patch
index 658b3cc..b13be8e 100644
--- a/wpa_supplicant-getrandom.patch
+++ b/wpa_supplicant-getrandom.patch
@@ -1,7 +1,7 @@
-Index: wpa_supplicant-2.9/src/utils/os_unix.c
+Index: wpa_supplicant-2.10/src/utils/os_unix.c
===================================================================
---- wpa_supplicant-2.9.orig/src/utils/os_unix.c
-+++ wpa_supplicant-2.9/src/utils/os_unix.c
+--- wpa_supplicant-2.10.orig/src/utils/os_unix.c
++++ wpa_supplicant-2.10/src/utils/os_unix.c
@@ -6,11 +6,15 @@
* See README for more details.
*/
@@ -19,7 +19,7 @@ Index: wpa_supplicant-2.9/src/utils/os_unix.c
#ifdef ANDROID
#include <sys/capability.h>
#include <sys/prctl.h>
-@@ -257,6 +261,10 @@ int os_get_random(unsigned char *buf, si
+@@ -263,6 +267,10 @@ int os_get_random(unsigned char *buf, si
buf[i] = i & 0xff;
return 0;
#else /* TEST_FUZZ */
@@ -30,7 +30,7 @@ Index: wpa_supplicant-2.9/src/utils/os_unix.c
FILE *f;
size_t rc;
-@@ -269,10 +277,13 @@ int os_get_random(unsigned char *buf, si
+@@ -275,10 +283,13 @@ int os_get_random(unsigned char *buf, si
return -1;
}
diff --git a/wpa_supplicant-p2p_iname_size.diff b/wpa_supplicant-p2p_iname_size.diff
deleted file mode 100644
index 9431ca7..0000000
--- a/wpa_supplicant-p2p_iname_size.diff
+++ /dev/null
@@ -1,15 +0,0 @@
-diff --git a/wpa_supplicant/p2p_supplicant.c b/wpa_supplicant/p2p_supplicant.c
-index e94bffe52..17c25889c 100644
---- a/wpa_supplicant/p2p_supplicant.c
-+++ b/wpa_supplicant/p2p_supplicant.c
-@@ -3929,6 +3929,10 @@ int wpas_p2p_add_p2pdev_interface(struct wpa_supplicant *wpa_s,
- wpa_s->ifname);
- if (os_snprintf_error(sizeof(ifname), ret))
- return -1;
-+ /* Cut length at the maximum size. Note that we don't need to ensure
-+ * collision free names here as the created interface is not a netdev.
-+ */
-+ ifname[IFNAMSIZ-1] = '\0';
- force_name[0] = '\0';
- wpa_s->pending_interface_type = WPA_IF_P2P_DEVICE;
- ret = wpa_drv_if_add(wpa_s, WPA_IF_P2P_DEVICE, ifname, NULL, NULL,
diff --git a/wpa_supplicant-sigusr1-changes-debuglevel.patch b/wpa_supplicant-sigusr1-changes-debuglevel.patch
index ed5bc06..f423f65 100644
--- a/wpa_supplicant-sigusr1-changes-debuglevel.patch
+++ b/wpa_supplicant-sigusr1-changes-debuglevel.patch
@@ -2,11 +2,13 @@
wpa_supplicant/wpa_supplicant.c | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
---- a/wpa_supplicant/wpa_supplicant.c
-+++ b/wpa_supplicant/wpa_supplicant.c
-@@ -123,6 +123,22 @@ int wpa_set_wep_keys(struct wpa_supplica
- return set;
- }
+Index: wpa_supplicant-2.10/wpa_supplicant/wpa_supplicant.c
+===================================================================
+--- wpa_supplicant-2.10.orig/wpa_supplicant/wpa_supplicant.c
++++ wpa_supplicant-2.10/wpa_supplicant/wpa_supplicant.c
+@@ -121,6 +121,22 @@ const char *const wpa_supplicant_full_li
+ "\n";
+ #endif /* CONFIG_NO_STDOUT_DEBUG */
+static void wpa_supplicant_handle_sigusr1(int sig,
+ void *signal_ctx)
@@ -25,9 +27,9 @@
+ ((wpa_debug_level == MSG_MSGDUMP) ? "MSGDUMP" : "UNKNOWN")));
+}
- int wpa_supplicant_set_wpa_none_key(struct wpa_supplicant *wpa_s,
- struct wpa_ssid *ssid)
-@@ -4124,6 +4140,8 @@ int wpa_supplicant_run(struct wpa_global
+ static void wpa_bss_tmp_disallow_timeout(void *eloop_ctx, void *timeout_ctx);
+ #if defined(CONFIG_FILS) && defined(IEEE8021X_EAPOL)
+@@ -7474,6 +7490,8 @@ int wpa_supplicant_run(struct wpa_global
eloop_register_signal_terminate(wpa_supplicant_terminate, global);
eloop_register_signal_reconfig(wpa_supplicant_reconfig, global);
diff --git a/wpa_supplicant.changes b/wpa_supplicant.changes
index 02ee402..b3c4a91 100644
--- a/wpa_supplicant.changes
+++ b/wpa_supplicant.changes
@@ -1,4 +1,64 @@
-------------------------------------------------------------------
+Sun Jan 23 15:33:37 UTC 2022 - Dirk Müller <dmueller@suse.com>
+
+- update to 2.10.0:
+ * SAE changes
+ - improved protection against side channel attacks
+ [https://w1.fi/security/2022-1/]
+ - added support for the hash-to-element mechanism (sae_pwe=1 or
+ sae_pwe=2); this is currently disabled by default, but will likely
+ get enabled by default in the future
+ - fixed PMKSA caching with OKC
+ - added support for SAE-PK
+ * EAP-pwd changes
+ - improved protection against side channel attacks
+ [https://w1.fi/security/2022-1/]
+ * fixed P2P provision discovery processing of a specially constructed
+ invalid frame
+ [https://w1.fi/security/2021-1/]
+ * fixed P2P group information processing of a specially constructed
+ invalid frame
+ [https://w1.fi/security/2020-2/]
+ * fixed PMF disconnection protection bypass in AP mode
+ [https://w1.fi/security/2019-7/]
+ * added support for using OpenSSL 3.0
+ * increased the maximum number of EAP message exchanges (mainly to
+ support cases with very large certificates)
+ * fixed various issues in experimental support for EAP-TEAP peer
+ * added support for DPP release 2 (Wi-Fi Device Provisioning Protocol)
+ * a number of MKA/MACsec fixes and extensions
+ * added support for SAE (WPA3-Personal) AP mode configuration
+ * added P2P support for EDMG (IEEE 802.11ay) channels
+ * fixed EAP-FAST peer with TLS GCM/CCM ciphers
+ * improved throughput estimation and BSS selection
+ * dropped support for libnl 1.1
+ * added support for nl80211 control port for EAPOL frame TX/RX
+ * fixed OWE key derivation with groups 20 and 21; this breaks backwards
+ compatibility for these groups while the default group 19 remains
+ backwards compatible
+ * added support for Beacon protection
+ * added support for Extended Key ID for pairwise keys
+ * removed WEP support from the default build (CONFIG_WEP=y can be used
+ to enable it, if really needed)
+ * added a build option to remove TKIP support (CONFIG_NO_TKIP=y)
+ * added support for Transition Disable mechanism to allow the AP to
+ automatically disable transition mode to improve security
+ * extended D-Bus interface
+ * added support for PASN
+ * added a file-based backend for external password storage to allow
+ secret information to be moved away from the main configuration file
+ without requiring external tools
+ * added EAP-TLS peer support for TLS 1.3 (disabled by default for now)
+ * added support for SCS, MSCS, DSCP policy
+ * changed driver interface selection to default to automatic fallback
+ to other compiled in options
+ * a large number of other fixes, cleanup, and extensions
+- drop wpa_supplicant-p2p_iname_size.diff, CVE-2021-30004.patch,
+ CVE-2021-27803.patch, CVE-2021-0326.patch, CVE-2019-16275.patch:
+ upstream
+- refresh config from 2.10 defconfig, re-enable CONFIG_WEP
+
+-------------------------------------------------------------------
Mon Jan 10 08:27:51 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
- Added hardening to systemd service(s) (bsc#1181400). Modified:
diff --git a/wpa_supplicant.spec b/wpa_supplicant.spec
index 415efe7..f6dbc75 100644
--- a/wpa_supplicant.spec
+++ b/wpa_supplicant.spec
@@ -1,7 +1,7 @@
#
# spec file for package wpa_supplicant
#
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
Name: wpa_supplicant
-Version: 2.9
+Version: 2.10
Release: 0
Summary: WPA supplicant implementation
License: BSD-3-Clause AND GPL-2.0-or-later
@@ -40,11 +40,6 @@ Patch3: wpa_supplicant-alloc_size.patch
Patch4: wpa_supplicant-getrandom.patch
Patch5: wpa_supplicant-dump-certificate-as-PEM-in-debug-mode.diff
Patch6: restore-old-dbus-interface.patch
-Patch7: CVE-2019-16275.patch
-Patch8: wpa_supplicant-p2p_iname_size.diff
-Patch9: CVE-2021-0326.patch
-Patch10: CVE-2021-27803.patch
-Patch11: CVE-2021-30004.patch
BuildRequires: pkgconfig
BuildRequires: readline-devel
BuildRequires: systemd-rpm-macros