Message ID | 20240822161721.6699-1-sdoshi@mvista.com |
---|---|
State | Accepted |
Delegated to: | Steve Sakoman |
Series | [master,scarthgap] wpa-supplicant: Upgrade 2.10 -> 2.11 |
For scarthgap, it's good but not mandatory to have Steve on the To/CC list.

On 2024-08-22 12:17 p.m., Siddharth Doshi via lists.openembedded.org wrote:
> From: Siddharth Doshi <sdoshi@mvista.com>
>
> License-Update:
> ===============
> - README: Change in copyright years as per https://w1.fi/cgit/hostap/commit/README?id=d945ddd368085f255e68328f2d3b020ceea359af
> - wpa_supplicant/wpa_supplicant.c: Change in copyright years as per https://w1.fi/cgit/hostap/commit/wpa_supplicant/wpa_supplicant.c?id=d945ddd368085f255e68328f2d3b020ceea359af
>
> CVEs Fixed:
> ===========
> - CVE-2024-5290 wpa_supplicant: wpa_supplicant loading arbitrary shared objects allowing privilege escalation
> - CVE-2023-52160 wpa_supplicant: potential authorization bypass
>
> Changes between 2.10 -> 2.11:
> ============================
> https://w1.fi/cgit/hostap/commit/wpa_supplicant/ChangeLog?id=d945ddd368085f255e68328f2d3b020ceea359af

Hello Siddharth,

This update makes sense for the master branch but likely not for scarthgap unless you can show that this is a bug fix only release.

It certainly does not look like a small bug fix only update based on:

❯ git diff hostap_2_10 hostap_2_11 | diffstat | tail -1
 534 files changed, 85965 insertions(+), 16847 deletions(-)

❯ git log --oneline hostap_2_10..hostap_2_11 | wc -l
2295

and the hostap and wpa-supplicant ChangeLogs which mention adding features below (1).

Since the repo ( git://w1.fi/srv/git/hostap.git ) doesn't have a stable branch for 2.10:

❯ git branch -a
* master
  remotes/origin/HEAD -> origin/master
  remotes/origin/android-jb
  remotes/origin/android-kk
  remotes/origin/android-l
  remotes/origin/android-m
  remotes/origin/aosp-jb
  remotes/origin/aosp-kk
  remotes/origin/main
  remotes/origin/master
  remotes/origin/pending

you'll have to backport any CVE fixes that you're interested in unless someone explains why this is a sensible update for scarthgap.

Thanks,

../Randy

1)

❯ git diff hostap_2_10 hostap_2_11 hostapd/ChangeLog | cat
diff --git a/hostapd/ChangeLog b/hostapd/ChangeLog index 279298e4d..1c8240d33 100644 --- a/hostapd/ChangeLog +++ b/hostapd/ChangeLog 
@@ -1,5 +1,42 @@ ChangeLog for hostapd +2024-07-20 - v2.11 + * Wi-Fi Easy Connect + - add support for DPP release 3 + - allow Configurator parameters to be provided during config exchange + * HE/IEEE 802.11ax/Wi-Fi 6 + - various fixes + * EHT/IEEE 802.11be/Wi-Fi 7 + - add preliminary support + * SAE: add support for fetching the password from a RADIUS server + * support OpenSSL 3.0 API changes + * support background radar detection and CAC with some additional + drivers + * support RADIUS ACL/PSK check during 4-way handshake (wpa_psk_radius=3) + * EAP-SIM/AKA: support IMSI privacy + * improve 4-way handshake operations + - use Secure=1 in message 3 during PTK rekeying + * OCV: do not check Frequency Segment 1 Channel Number for 160 MHz cases + to avoid interoperability issues + * support new SAE AKM suites with variable length keys + * support new AKM for 802.1X/EAP with SHA384 + * extend PASN support for secure ranging + * FT: Use SHA256 to derive PMKID for AKM 00-0F-AC:3 (FT-EAP) + - this is based on additional details being added in the IEEE 802.11 + standard + - the new implementation is not backwards compatible + * improved ACS to cover additional channel types/bandwidths + * extended Multiple BSSID support + * fix beacon protection with FT protocol (incorrect BIGTK was provided) + * support unsynchronized service discovery (USD) + * add preliminary support for RADIUS/TLS + * add support for explicit SSID protection in 4-way handshake + (a mitigation for CVE-2023-52424; disabled by default for now, can be + enabled with ssid_protection=1) + * fix SAE H2E rejected groups validation to avoid downgrade attacks + * use stricter validation for some RADIUS messages + * a large number of other fixes, cleanup, and extensions + 2022-01-16 - v2.10 * SAE changes - improved protection against side channel attacks ❯ git diff hostap_2_10 hostap_2_11 wpa_supplicant/ChangeLog | cat 
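Review bot: the FT entry in this hunk ("Use SHA256 to derive PMKID for AKM 00-0F-AC:3 (FT-EAP) ... the new implementation is not backwards compatible") is a behaviour change rather than a bug fix, and unlike the wpa_supplicant ChangeLog it carries no qualifier that the affected path is disabled by default; for the scarthgap question this is the line to cite explicitly, since a stable-branch bump that alters PMKID derivation for FT-EAP is exactly what a bug-fix-only policy is meant to exclude. The CVE-2023-52424 mitigation in the same hunk is listed as "disabled by default for now, can be enabled with ssid_protection=1", so this hunk does not by itself add a closed CVE to the upgrade's list.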
diff --git a/wpa_supplicant/ChangeLog b/wpa_supplicant/ChangeLog index efcc6cd9c..3f4162eb0 100644 --- a/wpa_supplicant/ChangeLog +++ b/wpa_supplicant/ChangeLog 
@@ -1,5 +1,55 @@ ChangeLog for wpa_supplicant +2024-07-20 - v2.11 + * Wi-Fi Easy Connect + - add support for DPP release 3 + - allow Configurator parameters to be provided during config exchange + * MACsec + - add support for GCM-AES-256 cipher suite + - remove incorrect EAP Session-Id length constraint + - add hardware offload support for additional drivers + * HE/IEEE 802.11ax/Wi-Fi 6 + - support BSS color updates + - various fixes + * EHT/IEEE 802.11be/Wi-Fi 7 + - add preliminary support + * support OpenSSL 3.0 API changes + * improve EAP-TLS support for TLSv1.3 + * EAP-SIM/AKA: support IMSI privacy + * improve mitigation against DoS attacks when PMF is used + * improve 4-way handshake operations + - discard unencrypted EAPOL frames in additional cases + - use Secure=1 in message 2 during PTK rekeying + * OCV: do not check Frequency Segment 1 Channel Number for 160 MHz cases + to avoid interoperability issues + * support new SAE AKM suites with variable length keys + * support new AKM for 802.1X/EAP with SHA384 + * improve cross-AKM roaming with driver-based SME/BSS selection + * PASN + - extend support for secure ranging + - allow PASN implementation to be used with external programs for + Wi-Fi Aware + * FT: Use SHA256 to derive PMKID for AKM 00-0F-AC:3 (FT-EAP) + - this is based on additional details being added in the IEEE 802.11 + standard + - the new implementation is not backwards compatible, but PMKSA + caching with FT-EAP was, and still is, disabled by default + * support a pregenerated MAC (mac_addr=3) as an alternative mechanism + for using per-network random MAC addresses + * EAP-PEAP: require Phase 2 authentication by default (phase2_auth=1) + to improve security for still unfortunately common invalid + configurations that do not set ca_cert + * extend SCS support for QoS Characteristics + * extend MSCS support + * support unsynchronized service discovery (USD) + * add support for explicit SSID protection in 4-way handshake + (a mitigation for 
CVE-2023-52424; disabled by default for now, can be + enabled with ssid_protection=1) + - in addition, verify SSID after key setup when beacon protection is + used + * fix SAE H2E rejected groups validation to avoid downgrade attacks + * a large number of other fixes, cleanup, and extensions + 2022-01-16 - v2.10 * SAE changes - improved protection against side channel attacks
>
> Note:
> =====
> Patches
> 0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch,
> 0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch,
> 0001-Install-wpa_passphrase-when-not-disabled.patch,
> 0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch (CVE-2023-52160)
> are already fixed and hence removing them.
>
> Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
> ---
>  ...all-wpa_passphrase-when-not-disabled.patch |  33 ---
>  ...te-Phase-2-authentication-requiremen.patch | 213 ------------------
>  ...options-for-libwpa_client.so-and-wpa.patch |  73 ------
>  ...oval-of-wpa_passphrase-on-make-clean.patch |  26 ---
>  ...plicant_2.10.bb => wpa-supplicant_2.11.bb} |  10 +-
>  5 files changed, 3 insertions(+), 352 deletions(-)
>  delete mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-Install-wpa_passphrase-when-not-disabled.patch
>  delete mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch
>  delete mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch
>  delete mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch
>  rename meta/recipes-connectivity/wpa-supplicant/{wpa-supplicant_2.10.bb => wpa-supplicant_2.11.bb} (90%)
> > diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-Install-wpa_passphrase-when-not-disabled.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-Install-wpa_passphrase-when-not-disabled.patch > deleted file mode 100644 > index c04c608bde..0000000000 > --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-Install-wpa_passphrase-when-not-disabled.patch > +++ /dev/null > @@ -1,33 +0,0 @@ > -From 57b12a1e43605f71239a21488cb9b541f0751dda Mon Sep 17 00:00:00 2001 > -From: Alex Kiernan<alexk@zuma.ai> > -Date: Thu, 21 Apr 2022 10:15:29 +0100 > -Subject: [PATCH] Install wpa_passphrase when not disabled > - > -As part of fixing CONFIG_NO_WPA_PASSPHRASE, whilst wpa_passphrase gets > -built, its not installed during `make install`. > - > -Fixes: cb41c214b78d ("build: Re-enable options for libwpa_client.so and wpa_passphrase") > -Signed-off-by: Alex Kiernan<alexk@zuma.ai> > -Signed-off-by: Alex Kiernan<alex.kiernan@gmail.com> > -Upstream-Status: Submitted [http://lists.infradead.org/pipermail/hostap/2022-April/040448.html] > ---- > - wpa_supplicant/Makefile | 3 +++ > - 1 file changed, 3 insertions(+) > - > -diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile > -index 0bab313f2355..12787c0c7d0f 100644 > ---- a/wpa_supplicant/Makefile > -+++ b/wpa_supplicant/Makefile > -@@ -73,6 +73,9 @@ $(DESTDIR)$(BINDIR)/%: % > - > - install: $(addprefix $(DESTDIR)$(BINDIR)/,$(BINALL)) > - $(MAKE) -C ../src install > -+ifndef CONFIG_NO_WPA_PASSPHRASE > -+ install -D wpa_passphrase $(DESTDIR)/$(BINDIR)/wpa_passphrase > -+endif > - ifdef CONFIG_BUILD_WPA_CLIENT_SO > - install -m 0644 -D libwpa_client.so $(DESTDIR)/$(LIBDIR)/libwpa_client.so > - install -m 0644 -D ../src/common/wpa_ctrl.h $(DESTDIR)/$(INCDIR)/wpa_ctrl.h > --- > -2.35.1 > - 
> diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch > deleted file mode 100644 > index 620560d3c7..0000000000 > --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch > +++ /dev/null 
> @@ -1,213 +0,0 @@ > -From f6f7cead3661ceeef54b21f7e799c0afc98537ec Mon Sep 17 00:00:00 2001 > -From: Jouni Malinen<j@w1.fi> > -Date: Sat, 8 Jul 2023 19:55:32 +0300 > -Subject: [PATCH] PEAP client: Update Phase 2 authentication requirements > - > -The previous PEAP client behavior allowed the server to skip Phase 2 > -authentication with the expectation that the server was authenticated > -during Phase 1 through TLS server certificate validation. Various PEAP > -specifications are not exactly clear on what the behavior on this front > -is supposed to be and as such, this ended up being more flexible than > -the TTLS/FAST/TEAP cases. However, this is not really ideal when > -unfortunately common misconfiguration of PEAP is used in deployed > -devices where the server trust root (ca_cert) is not configured or the > -user has an easy option for allowing this validation step to be skipped. > - > -Change the default PEAP client behavior to be to require Phase 2 > -authentication to be successfully completed for cases where TLS session > -resumption is not used and the client certificate has not been > -configured. Those two exceptions are the main cases where a deployed > -authentication server might skip Phase 2 and as such, where a more > -strict default behavior could result in undesired interoperability > -issues. Requiring Phase 2 authentication will end up disabling TLS > -session resumption automatically to avoid interoperability issues. 
> - > -Allow Phase 2 authentication behavior to be configured with a new phase1 > -configuration parameter option: > -'phase2_auth' option can be used to control Phase 2 (i.e., within TLS > -tunnel) behavior for PEAP: > - * 0 = do not require Phase 2 authentication > - * 1 = require Phase 2 authentication when client certificate > - (private_key/client_cert) is no used and TLS session resumption was > - not used (default) > - * 2 = require Phase 2 authentication in all cases > - > -Signed-off-by: Jouni Malinen<j@w1.fi> > - > -CVE: CVE-2023-52160 > -Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=8e6485a1bcb0baffdea9e55255a81270b768439c] > - > -Signed-off-by: Claus Stovgaard<claus.stovgaard@gmail.com> > - > ---- > - src/eap_peer/eap_config.h | 8 ++++++ > - src/eap_peer/eap_peap.c | 40 +++++++++++++++++++++++++++--- > - src/eap_peer/eap_tls_common.c | 6 +++++ > - src/eap_peer/eap_tls_common.h | 5 ++++ > - wpa_supplicant/wpa_supplicant.conf | 7 ++++++ > - 5 files changed, 63 insertions(+), 3 deletions(-) > - > -diff --git a/src/eap_peer/eap_config.h b/src/eap_peer/eap_config.h > -index 3238f74..047eec2 100644 > ---- a/src/eap_peer/eap_config.h > -+++ b/src/eap_peer/eap_config.h > -@@ -469,6 +469,14 @@ struct eap_peer_config { > - * 1 = use cryptobinding if server supports it > - * 2 = require cryptobinding > - * > -+ * phase2_auth option can be used to control Phase 2 (i.e., within TLS > -+ * tunnel) behavior for PEAP: > -+ * 0 = do not require Phase 2 authentication > -+ * 1 = require Phase 2 authentication when client certificate > -+ * (private_key/client_cert) is no used and TLS session resumption was > -+ * not used (default) > -+ * 2 = require Phase 2 authentication in all cases > -+ * > - * EAP-WSC (WPS) uses following options: pin=Device_Password and > - * uuid=Device_UUID > - * > -diff --git a/src/eap_peer/eap_peap.c b/src/eap_peer/eap_peap.c > -index 12e30df..6080697 100644 > ---- a/src/eap_peer/eap_peap.c > -+++ b/src/eap_peer/eap_peap.c > 
-@@ -67,6 +67,7 @@ struct eap_peap_data { > - u8 cmk[20]; > - int soh; /* Whether IF-TNCCS-SOH (Statement of Health; Microsoft NAP) > - * is enabled. */ > -+ enum { NO_AUTH, FOR_INITIAL, ALWAYS } phase2_auth; > - }; > - > - > -@@ -114,6 +115,19 @@ static void eap_peap_parse_phase1(struct eap_peap_data *data, > - wpa_printf(MSG_DEBUG, "EAP-PEAP: Require cryptobinding"); > - } > - > -+ if (os_strstr(phase1, "phase2_auth=0")) { > -+ data->phase2_auth = NO_AUTH; > -+ wpa_printf(MSG_DEBUG, > -+ "EAP-PEAP: Do not require Phase 2 authentication"); > -+ } else if (os_strstr(phase1, "phase2_auth=1")) { > -+ data->phase2_auth = FOR_INITIAL; > -+ wpa_printf(MSG_DEBUG, > -+ "EAP-PEAP: Require Phase 2 authentication for initial connection"); > -+ } else if (os_strstr(phase1, "phase2_auth=2")) { > -+ data->phase2_auth = ALWAYS; > -+ wpa_printf(MSG_DEBUG, > -+ "EAP-PEAP: Require Phase 2 authentication for all cases"); > -+ } > - #ifdef EAP_TNC > - if (os_strstr(phase1, "tnc=soh2")) { > - data->soh = 2; > -@@ -142,6 +156,7 @@ static void * eap_peap_init(struct eap_sm *sm) > - data->force_peap_version = -1; > - data->peap_outer_success = 2; > - data->crypto_binding = OPTIONAL_BINDING; > -+ data->phase2_auth = FOR_INITIAL; > - > - if (config && config->phase1) > - eap_peap_parse_phase1(data, config->phase1); > -@@ -454,6 +469,20 @@ static int eap_tlv_validate_cryptobinding(struct eap_sm *sm, > - } > - > - > -+static bool peap_phase2_sufficient(struct eap_sm *sm, > -+ struct eap_peap_data *data) > -+{ > -+ if ((data->phase2_auth == ALWAYS || > -+ (data->phase2_auth == FOR_INITIAL && > -+ !tls_connection_resumed(sm->ssl_ctx, data->ssl.conn) && > -+ !data->ssl.client_cert_conf) || > -+ data->phase2_eap_started) && > -+ !data->phase2_eap_success) > -+ return false; > -+ return true; > -+} > -+ > -+ > - /** > - * eap_tlv_process - Process a received EAP-TLV message and generate a response > - * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init() > -@@ -568,6 +597,11 @@ 
static int eap_tlv_process(struct eap_sm *sm, struct eap_peap_data *data, > - " - force failed Phase 2"); > - resp_status = EAP_TLV_RESULT_FAILURE; > - ret->decision = DECISION_FAIL; > -+ } else if (!peap_phase2_sufficient(sm, data)) { > -+ wpa_printf(MSG_INFO, > -+ "EAP-PEAP: Server indicated Phase 2 success, but sufficient Phase 2 authentication has not been completed"); > -+ resp_status = EAP_TLV_RESULT_FAILURE; > -+ ret->decision = DECISION_FAIL; > - } else { > - resp_status = EAP_TLV_RESULT_SUCCESS; > - ret->decision = DECISION_UNCOND_SUCC; > -@@ -887,8 +921,7 @@ continue_req: > - /* EAP-Success within TLS tunnel is used to indicate > - * shutdown of the TLS channel. The authentication has > - * been completed. */ > -- if (data->phase2_eap_started && > -- !data->phase2_eap_success) { > -+ if (!peap_phase2_sufficient(sm, data)) { > - wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 " > - "Success used to indicate success, " > - "but Phase 2 EAP was not yet " > -@@ -1199,8 +1232,9 @@ static struct wpabuf * eap_peap_process(struct eap_sm *sm, void *priv, > - static bool eap_peap_has_reauth_data(struct eap_sm *sm, void *priv) > - { > - struct eap_peap_data *data = priv; > -+ > - return tls_connection_established(sm->ssl_ctx, data->ssl.conn) && > -- data->phase2_success; > -+ data->phase2_success && data->phase2_auth != ALWAYS; > - } > - > - > -diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c > -index c1837db..a53eeb1 100644 > ---- a/src/eap_peer/eap_tls_common.c > -+++ b/src/eap_peer/eap_tls_common.c > -@@ -239,6 +239,12 @@ static int eap_tls_params_from_conf(struct eap_sm *sm, > - > - sm->ext_cert_check = !!(params->flags & TLS_CONN_EXT_CERT_CHECK); > - > -+ if (!phase2) > -+ data->client_cert_conf = params->client_cert || > -+ params->client_cert_blob || > -+ params->private_key || > -+ params->private_key_blob; > -+ > - return 0; > - } > - > -diff --git a/src/eap_peer/eap_tls_common.h b/src/eap_peer/eap_tls_common.h > -index 9ac0012..3348634 
100644 > ---- a/src/eap_peer/eap_tls_common.h > -+++ b/src/eap_peer/eap_tls_common.h > -@@ -79,6 +79,11 @@ struct eap_ssl_data { > - * tls_v13 - Whether TLS v1.3 or newer is used > - */ > - int tls_v13; > -+ > -+ /** > -+ * client_cert_conf: Whether client certificate has been configured > -+ */ > -+ bool client_cert_conf; > - }; > - > - > -diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf > -index 6619d6b..d63f73c 100644 > ---- a/wpa_supplicant/wpa_supplicant.conf > -+++ b/wpa_supplicant/wpa_supplicant.conf > -@@ -1321,6 +1321,13 @@ fast_reauth=1 > - # * 0 = do not use cryptobinding (default) > - # * 1 = use cryptobinding if server supports it > - # * 2 = require cryptobinding > -+# 'phase2_auth' option can be used to control Phase 2 (i.e., within TLS > -+# tunnel) behavior for PEAP: > -+# * 0 = do not require Phase 2 authentication > -+# * 1 = require Phase 2 authentication when client certificate > -+# (private_key/client_cert) is no used and TLS session resumption was > -+# not used (default) > -+# * 2 = require Phase 2 authentication in all cases > - # EAP-WSC (WPS) uses following options: pin=<Device Password> or > - # pbc=1. > - # > diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch > deleted file mode 100644 > index 6e930fc98d..0000000000 > --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch > +++ /dev/null 
> @@ -1,73 +0,0 @@ > -From cb41c214b78d6df187a31950342e48a403dbd769 Mon Sep 17 00:00:00 2001 > -From: Sergey Matyukevich<geomatsi@gmail.com> > -Date: Tue, 22 Feb 2022 11:52:19 +0300 > -Subject: [PATCH 1/2] build: Re-enable options for libwpa_client.so and > - wpa_passphrase > - > -Commit a41a29192e5d ("build: Pull common fragments into a build.rules > -file") introduced a regression into wpa_supplicant build process. The > -build target libwpa_client.so is not built regardless of whether the > -option CONFIG_BUILD_WPA_CLIENT_SO is set or not. This happens because > -this config option is used before it is imported from the configuration > -file. Moving its use after including build.rules does not help: the > -variable ALL is processed by build.rules and further changes are not > -applied. Similarly, option CONFIG_NO_WPA_PASSPHRASE also does not work > -as expected: wpa_passphrase is always built regardless of whether the > -option is set or not. > - > -Re-enable these options by adding both build targets to _all > -dependencies. 
> - > -Fixes: a41a29192e5d ("build: Pull common fragments into a build.rules file") > -Signed-off-by: Sergey Matyukevich<geomatsi@gmail.com> > -Upstream-Status: Backport > -Signed-off-by: Alex Kiernan<alexk@zuma.ai> > -Signed-off-by: Alex Kiernan<alexk@gmail.com> > ---- > - wpa_supplicant/Makefile | 19 ++++++++++++------- > - 1 file changed, 12 insertions(+), 7 deletions(-) > - > -diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile > -index cb66defac7c8..c456825ae75f 100644 > ---- a/wpa_supplicant/Makefile > -+++ b/wpa_supplicant/Makefile > -@@ -1,24 +1,29 @@ > - BINALL=wpa_supplicant wpa_cli > - > --ifndef CONFIG_NO_WPA_PASSPHRASE > --BINALL += wpa_passphrase > --endif > -- > - ALL = $(BINALL) > - ALL += systemd/wpa_supplicant.service > - ALL +=systemd/wpa_supplicant@.service > - ALL +=systemd/wpa_supplicant-nl80211@.service > - ALL +=systemd/wpa_supplicant-wired@.service > - ALL += dbus/fi.w1.wpa_supplicant1.service > --ifdef CONFIG_BUILD_WPA_CLIENT_SO > --ALL += libwpa_client.so > --endif > - > - EXTRA_TARGETS=dynamic_eap_methods > - > - CONFIG_FILE=.config > - include ../src/build.rules > - > -+ifdef CONFIG_BUILD_WPA_CLIENT_SO > -+# add the dependency this way to allow CONFIG_BUILD_WPA_CLIENT_SO > -+# being set in the config which is read by build.rules > -+_all: libwpa_client.so > -+endif > -+ > -+ifndef CONFIG_NO_WPA_PASSPHRASE > -+# add the dependency this way to allow CONFIG_NO_WPA_PASSPHRASE > -+# being set in the config which is read by build.rules > -+_all: wpa_passphrase > -+endif > -+ > - ifdef LIBS > - # If LIBS is set with some global build system defaults, clone those for > - # LIBS_c and LIBS_p to cover wpa_passphrase and wpa_cli as well. > --- > -2.35.1 > - 
> diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch > deleted file mode 100644 > index 53b0fcdf53..0000000000 > --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch > +++ /dev/null > @@ -1,26 +0,0 @@ > -From d001b301ba7987f4b39453a211631b85c48f2ff8 Mon Sep 17 00:00:00 2001 > -From: Jouni Malinen<quic_jouni@quicinc.com> > -Date: Thu, 3 Mar 2022 13:26:42 +0200 > -Subject: [PATCH 2/2] Fix removal of wpa_passphrase on 'make clean' > - > -Fixes: 0430bc8267b4 ("build: Add a common-clean target") > -Signed-off-by: Jouni Malinen<quic_jouni@quicinc.com> > -Upstream-Status: Backport > -Signed-off-by: Alex Kiernan<alexk@zuma.ai> > -Signed-off-by: Alex Kiernan<alexk@gmail.com> > ---- > - wpa_supplicant/Makefile | 1 + > - 1 file changed, 1 insertion(+) > - > -diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile > -index c456825ae75f..4b4688931b1d 100644 > ---- a/wpa_supplicant/Makefile > -+++ b/wpa_supplicant/Makefile > -@@ -2077,3 +2077,4 @@ clean: common-clean > - rm -f libwpa_client.a > - rm -f libwpa_client.so > - rm -f libwpa_test1 libwpa_test2 > -+ rm -f wpa_passphrase > --- > -2.35.1 > - > diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.11.bb > similarity index 90% > rename from meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb > rename to meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.11.bb > index 8113bcab09..321dedc58a 100644 > --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb > +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.11.bb 
> @@ -5,8 +5,8 @@ BUGTRACKER ="http://w1.fi/security/" > SECTION = "network" > LICENSE = "BSD-3-Clause" > LIC_FILES_CHKSUM ="file://COPYING;md5=5ebcb90236d1ad640558c3d3cd3035df \ - > file://README;beginline=1;endline=56;md5=e3d2f6c2948991e37c1ca4960de84747 > \ - > file://wpa_supplicant/wpa_supplicant.c;beginline=1;endline=12;md5=76306a95306fee9a976b0ac1be70f705" > +file://README;beginline=1;endline=56;md5=6e4b25e7d74bfc44a32ba37bdf5210a6 \ > +file://wpa_supplicant/wpa_supplicant.c;beginline=1;endline=12;md5=f5ccd57ea91e04800edb88267bf8eae4" > > DEPENDS = "dbus libnl" > > @@ -15,12 +15,8 @@ SRC_URI ="http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \ > file://wpa_supplicant.conf \ file://wpa_supplicant.conf-sane \ > file://99_wpa_supplicant \ - > file://0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch > \ - file://0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch \ - > file://0001-Install-wpa_passphrase-when-not-disabled.patch \ - > file://0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch \ " > -SRC_URI[sha256sum] = "20df7ae5154b3830355f8ab4269123a87affdea59fe74fe9292a91d0d7e17b2f" > +SRC_URI[sha256sum] = "912ea06f74e30a8e36fbb68064d6cdff218d8d591db0fc5d75dee6c81ac7fc0a" > > S = "${WORKDIR}/wpa_supplicant-${PV}"
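Review bot: the "already fixed" claim is not substantiated for the deleted 0001-Install-wpa_passphrase-when-not-disabled.patch: its header says Upstream-Status: Submitted [http://lists.infradead.org/pipermail/hostap/2022-April/040448.html], not Backport, so nothing in this hunk shows that the `install -D wpa_passphrase` rule it adds to `install:` landed before the 2.11 tag. Please cite the upstream commit that made the patch unnecessary, or state in the commit message that wpa_passphrase is still installed with 2.11 when CONFIG_NO_WPA_PASSPHRASE is unset.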
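Review bot: dropping 0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch is consistent with the quoted wpa_supplicant ChangeLog entry "EAP-PEAP: require Phase 2 authentication by default (phase2_auth=1)", and the deleted file already names the upstream commit (Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=8e6485a1bcb0baffdea9e55255a81270b768439c]); quoting that id next to CVE-2023-52160 in the commit message would make the claim checkable with `git merge-base --is-ancestor`. Worth keeping in mind from the patch's own text: phase2_auth=1 only enforces Phase 2 when no client certificate (private_key/client_cert) is configured and TLS session resumption was not used, so a deployment that wants the strict behaviour needs phase2_auth=2 in phase1.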
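Review bot: the deleted 0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch is marked Upstream-Status: Backport with no link, so the only upstream reference is its From line (cb41c214b78d6df187a31950342e48a403dbd769, the same id the Install patch cites in its Fixes: tag); since it carries CONFIG_BUILD_WPA_CLIENT_SO and CONFIG_NO_WPA_PASSPHRASE handling that the recipe depends on, state in the commit message that this id is an ancestor of hostap_2_11 rather than only "already fixed".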
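Review bot: the LIC_FILES_CHKSUM and SRC_URI[sha256sum] updates in the .bb hunk match the License-Update section, but the recipe keeps shipping its own wpa_supplicant.conf (file://wpa_supplicant.conf is still in SRC_URI) while the quoted ChangeLog says the CVE-2023-52424 SSID-protection mitigation is "disabled by default for now, can be enabled with ssid_protection=1"; say whether the shipped config is meant to enable it, so reviewers do not read the upgrade as closing that CVE alongside the two listed in the commit message.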
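The check a reviewer wants for "already fixed and hence removing them" is whether each dropped patch's upstream commit is contained in the new tag. As an added example (not code from the OE-Core patch or from hostap), here is a small Python triage script that reads each patch's Upstream-Status header and `From <sha>` line and, given a hostap checkout path as an assumed command-line argument, asks `git merge-base --is-ancestor` whether that commit is in hostap_2_11; the sample headers are constructed from the patch files quoted above.

```python
"""
Triage helper for a recipe upgrade that drops local patches (added example,
not part of the OE-Core patch or of hostap).

For each dropped patch it derives an upstream commit id from the OE-style
'Upstream-Status:' header or from the 'From <sha>' line that git format-patch
writes, then (when a repo path is given) checks with git whether that commit
is an ancestor of the new release tag. Patches that are only 'Submitted'
upstream cannot be verified this way and are reported for manual confirmation.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Optional

UPSTREAM_RE = re.compile(r"^Upstream-Status:\s*(\w+)(?:\s*\[([^\]]*)\])?", re.M)
FROM_RE = re.compile(r"^From ([0-9a-f]{40}) ", re.M)
ID_RE = re.compile(r"[?&]id=([0-9a-f]{7,40})")


@dataclass
class PatchInfo:
    name: str
    status: str                 # Backport, Submitted, Pending, ... or Unknown
    commit: Optional[str]       # upstream commit id when one can be derived
    reference: Optional[str]    # bracketed URL from Upstream-Status, if any


def parse_patch(name: str, text: str) -> PatchInfo:
    """Derive the upstream commit id from a patch file's header.

    Priority: an explicit ?id=<sha> in the Upstream-Status link, then the
    'From <sha>' line, but the latter only for Backport patches: for a
    Submitted patch that line is the author's local commit, not upstream's.
    """
    m = UPSTREAM_RE.search(text)
    status = m.group(1) if m else "Unknown"
    reference = m.group(2) if m and m.group(2) else None
    commit = None
    if reference:
        idm = ID_RE.search(reference)
        if idm:
            commit = idm.group(1)
    if commit is None and status == "Backport":
        fm = FROM_RE.search(text)
        if fm:
            commit = fm.group(1)
    return PatchInfo(name, status, commit, reference)


def triage(patches: Dict[str, str]) -> Dict[str, List[str]]:
    """Split dropped patches into those git can verify and those needing a human."""
    out: Dict[str, List[str]] = {"verify_with_git": [], "confirm_manually": []}
    for name, text in patches.items():
        info = parse_patch(name, text)
        key = "verify_with_git" if info.commit else "confirm_manually"
        out[key].append(name)
    return out


def is_ancestor(repo: str, commit: str, tag: str) -> bool:
    """True when `commit` is reachable from `tag` in the checkout at `repo`."""
    r = subprocess.run(["git", "-C", repo, "merge-base", "--is-ancestor", commit, tag],
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return r.returncode == 0


# Constructed sample headers, taken from the patch files quoted in the thread.
SAMPLE_PATCHES = {
    "0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch": (
        "From f6f7cead3661ceeef54b21f7e799c0afc98537ec Mon Sep 17 00:00:00 2001\n"
        "From: Jouni Malinen <j@w1.fi>\n"
        "Subject: [PATCH] PEAP client: Update Phase 2 authentication requirements\n"
        "CVE: CVE-2023-52160\n"
        "Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/"
        "?id=8e6485a1bcb0baffdea9e55255a81270b768439c]\n"),
    "0001-Install-wpa_passphrase-when-not-disabled.patch": (
        "From 57b12a1e43605f71239a21488cb9b541f0751dda Mon Sep 17 00:00:00 2001\n"
        "From: Alex Kiernan <alexk@zuma.ai>\n"
        "Upstream-Status: Submitted [http://lists.infradead.org/pipermail/"
        "hostap/2022-April/040448.html]\n"),
    "0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch": (
        "From cb41c214b78d6df187a31950342e48a403dbd769 Mon Sep 17 00:00:00 2001\n"
        "From: Sergey Matyukevich <geomatsi@gmail.com>\n"
        "Upstream-Status: Backport\n"),
}

if __name__ == "__main__":
    import sys
    repo = sys.argv[1] if len(sys.argv) > 1 else None   # assumed: path to a hostap clone
    for name, text in SAMPLE_PATCHES.items():
        info = parse_patch(name, text)
        verdict = "needs manual confirmation (no upstream commit id)"
        if info.commit and repo:
            ok = is_ancestor(repo, info.commit, "hostap_2_11")
            verdict = "in hostap_2_11" if ok else "NOT in hostap_2_11"
        elif info.commit:
            verdict = f"run: git merge-base --is-ancestor {info.commit} hostap_2_11"
        print(f"{name}: {info.status}: {verdict}")
```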
Hello Randy,

The 2.11 version of wpa-supplicant/hostapd is released almost 2.5 years after 2.10, which was released on 2022-01-16. A lot of people have been eagerly waiting for this release for a long time. 2.11 has crucial HE/IEEE 802.11ax/Wi-Fi 6 support and preliminary support for EHT/IEEE 802.11be/Wi-Fi 7. This also supports WPA3, which is a mandatory certification for Wi-Fi CERTIFIED™ devices.

I do accept this release missed the Scarthgap cutoff of the Yocto community. But considering the longevity of Scarthgap (a good 3.5 years from now) and the number of people interested in Scarthgap, it is best if wpa-supplicant/hostapd are switched to 2.11.

// Viswanath

On 8/23/2024 6:26 AM, Randy MacLeod via lists.openembedded.org wrote:
> For scarthgap, it's good but not mandatory to have Steve on the To/CC list.
>
> On 2024-08-22 12:17 p.m., Siddharth Doshi via lists.openembedded.org wrote:
>> diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch >> deleted file mode 100644 >> index 620560d3c7..0000000000 >> --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch >> +++ /dev/null 
>> @@ -1,213 +0,0 @@ >> -From f6f7cead3661ceeef54b21f7e799c0afc98537ec Mon Sep 17 00:00:00 2001 >> -From: Jouni Malinen<j@w1.fi> >> -Date: Sat, 8 Jul 2023 19:55:32 +0300 >> -Subject: [PATCH] PEAP client: Update Phase 2 authentication requirements >> - >> -The previous PEAP client behavior allowed the server to skip Phase 2 >> -authentication with the expectation that the server was authenticated >> -during Phase 1 through TLS server certificate validation. Various PEAP >> -specifications are not exactly clear on what the behavior on this front >> -is supposed to be and as such, this ended up being more flexible than >> -the TTLS/FAST/TEAP cases. However, this is not really ideal when >> -unfortunately common misconfiguration of PEAP is used in deployed >> -devices where the server trust root (ca_cert) is not configured or the >> -user has an easy option for allowing this validation step to be skipped. >> - >> -Change the default PEAP client behavior to be to require Phase 2 >> -authentication to be successfully completed for cases where TLS session >> -resumption is not used and the client certificate has not been >> -configured. Those two exceptions are the main cases where a deployed >> -authentication server might skip Phase 2 and as such, where a more >> -strict default behavior could result in undesired interoperability >> -issues. Requiring Phase 2 authentication will end up disabling TLS >> -session resumption automatically to avoid interoperability issues. 
>> - >> -Allow Phase 2 authentication behavior to be configured with a new phase1 >> -configuration parameter option: >> -'phase2_auth' option can be used to control Phase 2 (i.e., within TLS >> -tunnel) behavior for PEAP: >> - * 0 = do not require Phase 2 authentication >> - * 1 = require Phase 2 authentication when client certificate >> - (private_key/client_cert) is no used and TLS session resumption was >> - not used (default) >> - * 2 = require Phase 2 authentication in all cases >> - >> -Signed-off-by: Jouni Malinen<j@w1.fi> >> - >> -CVE: CVE-2023-52160 >> -Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=8e6485a1bcb0baffdea9e55255a81270b768439c] >> - >> -Signed-off-by: Claus Stovgaard<claus.stovgaard@gmail.com> >> - >> ---- >> - src/eap_peer/eap_config.h | 8 ++++++ >> - src/eap_peer/eap_peap.c | 40 +++++++++++++++++++++++++++--- >> - src/eap_peer/eap_tls_common.c | 6 +++++ >> - src/eap_peer/eap_tls_common.h | 5 ++++ >> - wpa_supplicant/wpa_supplicant.conf | 7 ++++++ >> - 5 files changed, 63 insertions(+), 3 deletions(-) >> - >> -diff --git a/src/eap_peer/eap_config.h b/src/eap_peer/eap_config.h >> -index 3238f74..047eec2 100644 >> ---- a/src/eap_peer/eap_config.h >> -+++ b/src/eap_peer/eap_config.h >> -@@ -469,6 +469,14 @@ struct eap_peer_config { >> - * 1 = use cryptobinding if server supports it >> - * 2 = require cryptobinding >> - * >> -+ * phase2_auth option can be used to control Phase 2 (i.e., within TLS >> -+ * tunnel) behavior for PEAP: >> -+ * 0 = do not require Phase 2 authentication >> -+ * 1 = require Phase 2 authentication when client certificate >> -+ * (private_key/client_cert) is no used and TLS session resumption was >> -+ * not used (default) >> -+ * 2 = require Phase 2 authentication in all cases >> -+ * >> - * EAP-WSC (WPS) uses following options: pin=Device_Password and >> - * uuid=Device_UUID >> - * >> -diff --git a/src/eap_peer/eap_peap.c b/src/eap_peer/eap_peap.c >> -index 12e30df..6080697 100644 >> ---- 
a/src/eap_peer/eap_peap.c >> -+++ b/src/eap_peer/eap_peap.c >> -@@ -67,6 +67,7 @@ struct eap_peap_data { >> - u8 cmk[20]; >> - int soh; /* Whether IF-TNCCS-SOH (Statement of Health; Microsoft NAP) >> - * is enabled. */ >> -+ enum { NO_AUTH, FOR_INITIAL, ALWAYS } phase2_auth; >> - }; >> - >> - >> -@@ -114,6 +115,19 @@ static void eap_peap_parse_phase1(struct eap_peap_data *data, >> - wpa_printf(MSG_DEBUG, "EAP-PEAP: Require cryptobinding"); >> - } >> - >> -+ if (os_strstr(phase1, "phase2_auth=0")) { >> -+ data->phase2_auth = NO_AUTH; >> -+ wpa_printf(MSG_DEBUG, >> -+ "EAP-PEAP: Do not require Phase 2 authentication"); >> -+ } else if (os_strstr(phase1, "phase2_auth=1")) { >> -+ data->phase2_auth = FOR_INITIAL; >> -+ wpa_printf(MSG_DEBUG, >> -+ "EAP-PEAP: Require Phase 2 authentication for initial connection"); >> -+ } else if (os_strstr(phase1, "phase2_auth=2")) { >> -+ data->phase2_auth = ALWAYS; >> -+ wpa_printf(MSG_DEBUG, >> -+ "EAP-PEAP: Require Phase 2 authentication for all cases"); >> -+ } >> - #ifdef EAP_TNC >> - if (os_strstr(phase1, "tnc=soh2")) { >> - data->soh = 2; >> -@@ -142,6 +156,7 @@ static void * eap_peap_init(struct eap_sm *sm) >> - data->force_peap_version = -1; >> - data->peap_outer_success = 2; >> - data->crypto_binding = OPTIONAL_BINDING; >> -+ data->phase2_auth = FOR_INITIAL; >> - >> - if (config && config->phase1) >> - eap_peap_parse_phase1(data, config->phase1); >> -@@ -454,6 +469,20 @@ static int eap_tlv_validate_cryptobinding(struct eap_sm *sm, >> - } >> - >> - >> -+static bool peap_phase2_sufficient(struct eap_sm *sm, >> -+ struct eap_peap_data *data) >> -+{ >> -+ if ((data->phase2_auth == ALWAYS || >> -+ (data->phase2_auth == FOR_INITIAL && >> -+ !tls_connection_resumed(sm->ssl_ctx, data->ssl.conn) && >> -+ !data->ssl.client_cert_conf) || >> -+ data->phase2_eap_started) && >> -+ !data->phase2_eap_success) >> -+ return false; >> -+ return true; >> -+} >> -+ >> -+ >> - /** >> - * eap_tlv_process - Process a received EAP-TLV message and 
generate a response >> - * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init() >> -@@ -568,6 +597,11 @@ static int eap_tlv_process(struct eap_sm *sm, struct eap_peap_data *data, >> - " - force failed Phase 2"); >> - resp_status = EAP_TLV_RESULT_FAILURE; >> - ret->decision = DECISION_FAIL; >> -+ } else if (!peap_phase2_sufficient(sm, data)) { >> -+ wpa_printf(MSG_INFO, >> -+ "EAP-PEAP: Server indicated Phase 2 success, but sufficient Phase 2 authentication has not been completed"); >> -+ resp_status = EAP_TLV_RESULT_FAILURE; >> -+ ret->decision = DECISION_FAIL; >> - } else { >> - resp_status = EAP_TLV_RESULT_SUCCESS; >> - ret->decision = DECISION_UNCOND_SUCC; >> -@@ -887,8 +921,7 @@ continue_req: >> - /* EAP-Success within TLS tunnel is used to indicate >> - * shutdown of the TLS channel. The authentication has >> - * been completed. */ >> -- if (data->phase2_eap_started && >> -- !data->phase2_eap_success) { >> -+ if (!peap_phase2_sufficient(sm, data)) { >> - wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 " >> - "Success used to indicate success, " >> - "but Phase 2 EAP was not yet " >> -@@ -1199,8 +1232,9 @@ static struct wpabuf * eap_peap_process(struct eap_sm *sm, void *priv, >> - static bool eap_peap_has_reauth_data(struct eap_sm *sm, void *priv) >> - { >> - struct eap_peap_data *data = priv; >> -+ >> - return tls_connection_established(sm->ssl_ctx, data->ssl.conn) && >> -- data->phase2_success; >> -+ data->phase2_success && data->phase2_auth != ALWAYS; >> - } >> - >> - >> -diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c >> -index c1837db..a53eeb1 100644 >> ---- a/src/eap_peer/eap_tls_common.c >> -+++ b/src/eap_peer/eap_tls_common.c >> -@@ -239,6 +239,12 @@ static int eap_tls_params_from_conf(struct eap_sm *sm, >> - >> - sm->ext_cert_check = !!(params->flags & TLS_CONN_EXT_CERT_CHECK); >> - >> -+ if (!phase2) >> -+ data->client_cert_conf = params->client_cert || >> -+ params->client_cert_blob || >> -+ params->private_key || 
>> -+ params->private_key_blob; >> -+ >> - return 0; >> - } >> - >> -diff --git a/src/eap_peer/eap_tls_common.h b/src/eap_peer/eap_tls_common.h >> -index 9ac0012..3348634 100644 >> ---- a/src/eap_peer/eap_tls_common.h >> -+++ b/src/eap_peer/eap_tls_common.h >> -@@ -79,6 +79,11 @@ struct eap_ssl_data { >> - * tls_v13 - Whether TLS v1.3 or newer is used >> - */ >> - int tls_v13; >> -+ >> -+ /** >> -+ * client_cert_conf: Whether client certificate has been configured >> -+ */ >> -+ bool client_cert_conf; >> - }; >> - >> - >> -diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf >> -index 6619d6b..d63f73c 100644 >> ---- a/wpa_supplicant/wpa_supplicant.conf >> -+++ b/wpa_supplicant/wpa_supplicant.conf >> -@@ -1321,6 +1321,13 @@ fast_reauth=1 >> - # * 0 = do not use cryptobinding (default) >> - # * 1 = use cryptobinding if server supports it >> - # * 2 = require cryptobinding >> -+# 'phase2_auth' option can be used to control Phase 2 (i.e., within TLS >> -+# tunnel) behavior for PEAP: >> -+# * 0 = do not require Phase 2 authentication >> -+# * 1 = require Phase 2 authentication when client certificate >> -+# (private_key/client_cert) is no used and TLS session resumption was >> -+# not used (default) >> -+# * 2 = require Phase 2 authentication in all cases >> - # EAP-WSC (WPS) uses following options: pin=<Device Password> or >> - # pbc=1. >> - # >> diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch >> deleted file mode 100644 >> index 6e930fc98d..0000000000 >> --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch >> +++ /dev/null 
>> @@ -1,73 +0,0 @@ >> -From cb41c214b78d6df187a31950342e48a403dbd769 Mon Sep 17 00:00:00 2001 >> -From: Sergey Matyukevich<geomatsi@gmail.com> >> -Date: Tue, 22 Feb 2022 11:52:19 +0300 >> -Subject: [PATCH 1/2] build: Re-enable options for libwpa_client.so and >> - wpa_passphrase >> - >> -Commit a41a29192e5d ("build: Pull common fragments into a build.rules >> -file") introduced a regression into wpa_supplicant build process. The >> -build target libwpa_client.so is not built regardless of whether the >> -option CONFIG_BUILD_WPA_CLIENT_SO is set or not. This happens because >> -this config option is used before it is imported from the configuration >> -file. Moving its use after including build.rules does not help: the >> -variable ALL is processed by build.rules and further changes are not >> -applied. Similarly, option CONFIG_NO_WPA_PASSPHRASE also does not work >> -as expected: wpa_passphrase is always built regardless of whether the >> -option is set or not. >> - >> -Re-enable these options by adding both build targets to _all >> -dependencies. 
>> - >> -Fixes: a41a29192e5d ("build: Pull common fragments into a build.rules file") >> -Signed-off-by: Sergey Matyukevich<geomatsi@gmail.com> >> -Upstream-Status: Backport >> -Signed-off-by: Alex Kiernan<alexk@zuma.ai> >> -Signed-off-by: Alex Kiernan<alexk@gmail.com> >> ---- >> - wpa_supplicant/Makefile | 19 ++++++++++++------- >> - 1 file changed, 12 insertions(+), 7 deletions(-) >> - >> -diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile >> -index cb66defac7c8..c456825ae75f 100644 >> ---- a/wpa_supplicant/Makefile >> -+++ b/wpa_supplicant/Makefile >> -@@ -1,24 +1,29 @@ >> - BINALL=wpa_supplicant wpa_cli >> - >> --ifndef CONFIG_NO_WPA_PASSPHRASE >> --BINALL += wpa_passphrase >> --endif >> -- >> - ALL = $(BINALL) >> - ALL += systemd/wpa_supplicant.service >> - ALL +=systemd/wpa_supplicant@.service >> - ALL +=systemd/wpa_supplicant-nl80211@.service >> - ALL +=systemd/wpa_supplicant-wired@.service >> - ALL += dbus/fi.w1.wpa_supplicant1.service >> --ifdef CONFIG_BUILD_WPA_CLIENT_SO >> --ALL += libwpa_client.so >> --endif >> - >> - EXTRA_TARGETS=dynamic_eap_methods >> - >> - CONFIG_FILE=.config >> - include ../src/build.rules >> - >> -+ifdef CONFIG_BUILD_WPA_CLIENT_SO >> -+# add the dependency this way to allow CONFIG_BUILD_WPA_CLIENT_SO >> -+# being set in the config which is read by build.rules >> -+_all: libwpa_client.so >> -+endif >> -+ >> -+ifndef CONFIG_NO_WPA_PASSPHRASE >> -+# add the dependency this way to allow CONFIG_NO_WPA_PASSPHRASE >> -+# being set in the config which is read by build.rules >> -+_all: wpa_passphrase >> -+endif >> -+ >> - ifdef LIBS >> - # If LIBS is set with some global build system defaults, clone those for >> - # LIBS_c and LIBS_p to cover wpa_passphrase and wpa_cli as well. >> --- >> -2.35.1 >> - 
>> diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch >> deleted file mode 100644 >> index 53b0fcdf53..0000000000 >> --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch >> +++ /dev/null >> @@ -1,26 +0,0 @@ >> -From d001b301ba7987f4b39453a211631b85c48f2ff8 Mon Sep 17 00:00:00 2001 >> -From: Jouni Malinen<quic_jouni@quicinc.com> >> -Date: Thu, 3 Mar 2022 13:26:42 +0200 >> -Subject: [PATCH 2/2] Fix removal of wpa_passphrase on 'make clean' >> - >> -Fixes: 0430bc8267b4 ("build: Add a common-clean target") >> -Signed-off-by: Jouni Malinen<quic_jouni@quicinc.com> >> -Upstream-Status: Backport >> -Signed-off-by: Alex Kiernan<alexk@zuma.ai> >> -Signed-off-by: Alex Kiernan<alexk@gmail.com> >> ---- >> - wpa_supplicant/Makefile | 1 + >> - 1 file changed, 1 insertion(+) >> - >> -diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile >> -index c456825ae75f..4b4688931b1d 100644 >> ---- a/wpa_supplicant/Makefile >> -+++ b/wpa_supplicant/Makefile >> -@@ -2077,3 +2077,4 @@ clean: common-clean >> - rm -f libwpa_client.a >> - rm -f libwpa_client.so >> - rm -f libwpa_test1 libwpa_test2 >> -+ rm -f wpa_passphrase >> --- >> -2.35.1 >> - >> diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.11.bb >> similarity index 90% >> rename from meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb >> rename to meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.11.bb >> index 8113bcab09..321dedc58a 100644 >> --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb >> +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.11.bb 
>> @@ -5,8 +5,8 @@ BUGTRACKER ="http://w1.fi/security/" >> SECTION = "network" >> LICENSE = "BSD-3-Clause" >> LIC_FILES_CHKSUM ="file://COPYING;md5=5ebcb90236d1ad640558c3d3cd3035df \ - file://README;beginline=1;endline=56;md5=e3d2f6c2948991e37c1ca4960de84747 \ - file://wpa_supplicant/wpa_supplicant.c;beginline=1;endline=12;md5=76306a95306fee9a976b0ac1be70f705" >> +file://README;beginline=1;endline=56;md5=6e4b25e7d74bfc44a32ba37bdf5210a6 \ >> +file://wpa_supplicant/wpa_supplicant.c;beginline=1;endline=12;md5=f5ccd57ea91e04800edb88267bf8eae4" >> DEPENDS = "dbus libnl" >> @@ -15,12 +15,8 @@ SRC_URI ="http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \ file://wpa_supplicant.conf \ file://wpa_supplicant.conf-sane \ file://99_wpa_supplicant \ - file://0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch \ - file://0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch \ - file://0001-Install-wpa_passphrase-when-not-disabled.patch \ - file://0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch \ " >> -SRC_URI[sha256sum] = "20df7ae5154b3830355f8ab4269123a87affdea59fe74fe9292a91d0d7e17b2f" >> +SRC_URI[sha256sum] = "912ea06f74e30a8e36fbb68064d6cdff218d8d591db0fc5d75dee6c81ac7fc0a" >> S = "${WORKDIR}/wpa_supplicant-${PV}" >> >> >> >
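Review bot: the removed 0001-Install-wpa_passphrase-when-not-disabled.patch is tagged Upstream-Status: Submitted (pointing at the April 2022 hostap list post), not Backport, so the cover note's "already fixed" claim cannot be checked from the hunk; the commit message should cite the upstream commit that merged this change, or state that wpa_supplicant/Makefile in 2.11 installs wpa_passphrase under `ifndef CONFIG_NO_WPA_PASSPHRASE` in the install: target, otherwise a 2.11 build could silently lose the wpa_passphrase binary that this patch restored.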
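Review bot: the removed PEAP patch carries CVE: CVE-2023-52160 and the cover note says it was already applied to the 2.10 recipe, so listing CVE-2023-52160 under "CVE's Fixed" overstates what this upgrade changes; reword it to say the fix is now carried by upstream 2.11 (the patch's Upstream-Status references commit 8e6485a1bcb0baffdea9e55255a81270b768439c, and the quoted 2.11 ChangeLog lists "EAP-PEAP: require Phase 2 authentication by default (phase2_auth=1)"), which also makes clear to scarthgap users that the default stays at requiring Phase 2 authentication for the initial connection and that their phase1="phase2_auth=..." settings keep working after the local patch is dropped.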
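Review bot: the removed build patch is tagged Upstream-Status: Backport with no commit reference in the tag, but its From: line gives cb41c214b78d6df187a31950342e48a403dbd769 (and the make clean patch gives d001b301ba7987f4b39453a211631b85c48f2ff8); the commit message should state that these commits are reachable from the hostap_2_11 tag so the removal is verifiable, since 0001-Install-wpa_passphrase-when-not-disabled.patch depends on this one through its Fixes: cb41c214b78d tag and the CONFIG_NO_WPA_PASSPHRASE / CONFIG_BUILD_WPA_CLIENT_SO handling it restored must survive the upgrade.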
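Review bot: the .bb hunk only bumps LIC_FILES_CHKSUM, drops the four patches from SRC_URI and replaces SRC_URI[sha256sum], but nothing in the patch ties the second CVE in the commit message, CVE-2024-5290, to an upstream commit; add the upstream fix reference (as the deleted PEAP patch did for CVE-2023-52160 in its Upstream-Status line) so the claim can be checked and so a scarthgap backport, which Randy's reply asks for instead of the upgrade, has something to cherry-pick. Also, the tarball is still fetched from http://w1.fi/releases/ while the commit message links w1.fi over https; with plain http the updated sha256sum is the only integrity check on the download, so switching SRC_URI to https is worth a follow-up.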
Sorry, no. This same argument can be made for any other component in scarthgap where a major new release happened after scarthgap was released.

The correct way to provide updated component versions in LTS is via this layer:

https://git.yoctoproject.org/meta-lts-mixins/

So please send a patch for that.

Alex

On Fri, 23 Aug 2024 at 18:00, Viswanath Kraleti via lists.openembedded.org <quic_vkraleti=quicinc.com@lists.openembedded.org> wrote:
>
> Hello Randy,
>
> The 2.11 version of wpa-supplicant/hostapd is released almost 2.5 years after 2.10, which was released on 2022-01-16. A lot of people have been eagerly waiting for this release for a long time. 2.11 has crucial HE/IEEE 802.11ax/Wi-Fi 6 support and preliminary support for EHT/IEEE 802.11be/Wi-Fi 7. This also supports WPA3, which is a mandatory certification for Wi-Fi CERTIFIED™ devices.
>
> I do accept this release missed the Scarthgap cutoff of the Yocto community. But considering the longevity of Scarthgap (a good 3.5 years from now) & the number of people interested in Scarthgap, it is best if wpa-supplicant/hostapd are switched to 2.11.
>
> // Viswanath
>
> On 8/23/2024 6:26 AM, Randy MacLeod via lists.openembedded.org wrote:
> > For scarthgap, it's good but not mandatory to have Steve on the To/CC list.
> >
> > On 2024-08-22 12:17 p.m., Siddharth Doshi via lists.openembedded.org wrote:
a/src/eap_peer/eap_peap.c b/src/eap_peer/eap_peap.c > >> -index 12e30df..6080697 100644 > >> ---- a/src/eap_peer/eap_peap.c > >> -+++ b/src/eap_peer/eap_peap.c > >> -@@ -67,6 +67,7 @@ struct eap_peap_data { > >> - u8 cmk[20]; > >> - int soh; /* Whether IF-TNCCS-SOH (Statement of Health; Microsoft NAP) > >> - * is enabled. */ > >> -+ enum { NO_AUTH, FOR_INITIAL, ALWAYS } phase2_auth; > >> - }; > >> - > >> - > >> -@@ -114,6 +115,19 @@ static void eap_peap_parse_phase1(struct eap_peap_data *data, > >> - wpa_printf(MSG_DEBUG, "EAP-PEAP: Require cryptobinding"); > >> - } > >> - > >> -+ if (os_strstr(phase1, "phase2_auth=0")) { > >> -+ data->phase2_auth = NO_AUTH; > >> -+ wpa_printf(MSG_DEBUG, > >> -+ "EAP-PEAP: Do not require Phase 2 authentication"); > >> -+ } else if (os_strstr(phase1, "phase2_auth=1")) { > >> -+ data->phase2_auth = FOR_INITIAL; > >> -+ wpa_printf(MSG_DEBUG, > >> -+ "EAP-PEAP: Require Phase 2 authentication for initial connection"); > >> -+ } else if (os_strstr(phase1, "phase2_auth=2")) { > >> -+ data->phase2_auth = ALWAYS; > >> -+ wpa_printf(MSG_DEBUG, > >> -+ "EAP-PEAP: Require Phase 2 authentication for all cases"); > >> -+ } > >> - #ifdef EAP_TNC > >> - if (os_strstr(phase1, "tnc=soh2")) { > >> - data->soh = 2; > >> -@@ -142,6 +156,7 @@ static void * eap_peap_init(struct eap_sm *sm) > >> - data->force_peap_version = -1; > >> - data->peap_outer_success = 2; > >> - data->crypto_binding = OPTIONAL_BINDING; > >> -+ data->phase2_auth = FOR_INITIAL; > >> - > >> - if (config && config->phase1) > >> - eap_peap_parse_phase1(data, config->phase1); > >> -@@ -454,6 +469,20 @@ static int eap_tlv_validate_cryptobinding(struct eap_sm *sm, > >> - } > >> - > >> - > >> -+static bool peap_phase2_sufficient(struct eap_sm *sm, > >> -+ struct eap_peap_data *data) > >> -+{ > >> -+ if ((data->phase2_auth == ALWAYS || > >> -+ (data->phase2_auth == FOR_INITIAL && > >> -+ !tls_connection_resumed(sm->ssl_ctx, data->ssl.conn) && > >> -+ !data->ssl.client_cert_conf) || > >> -+ 
data->phase2_eap_started) && > >> -+ !data->phase2_eap_success) > >> -+ return false; > >> -+ return true; > >> -+} > >> -+ > >> -+ > >> - /** > >> - * eap_tlv_process - Process a received EAP-TLV message and generate a response > >> - * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init() > >> -@@ -568,6 +597,11 @@ static int eap_tlv_process(struct eap_sm *sm, struct eap_peap_data *data, > >> - " - force failed Phase 2"); > >> - resp_status = EAP_TLV_RESULT_FAILURE; > >> - ret->decision = DECISION_FAIL; > >> -+ } else if (!peap_phase2_sufficient(sm, data)) { > >> -+ wpa_printf(MSG_INFO, > >> -+ "EAP-PEAP: Server indicated Phase 2 success, but sufficient Phase 2 authentication has not been completed"); > >> -+ resp_status = EAP_TLV_RESULT_FAILURE; > >> -+ ret->decision = DECISION_FAIL; > >> - } else { > >> - resp_status = EAP_TLV_RESULT_SUCCESS; > >> - ret->decision = DECISION_UNCOND_SUCC; > >> -@@ -887,8 +921,7 @@ continue_req: > >> - /* EAP-Success within TLS tunnel is used to indicate > >> - * shutdown of the TLS channel. The authentication has > >> - * been completed. 
*/ > >> -- if (data->phase2_eap_started && > >> -- !data->phase2_eap_success) { > >> -+ if (!peap_phase2_sufficient(sm, data)) { > >> - wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 " > >> - "Success used to indicate success, " > >> - "but Phase 2 EAP was not yet " > >> -@@ -1199,8 +1232,9 @@ static struct wpabuf * eap_peap_process(struct eap_sm *sm, void *priv, > >> - static bool eap_peap_has_reauth_data(struct eap_sm *sm, void *priv) > >> - { > >> - struct eap_peap_data *data = priv; > >> -+ > >> - return tls_connection_established(sm->ssl_ctx, data->ssl.conn) && > >> -- data->phase2_success; > >> -+ data->phase2_success && data->phase2_auth != ALWAYS; > >> - } > >> - > >> - > >> -diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c > >> -index c1837db..a53eeb1 100644 > >> ---- a/src/eap_peer/eap_tls_common.c > >> -+++ b/src/eap_peer/eap_tls_common.c > >> -@@ -239,6 +239,12 @@ static int eap_tls_params_from_conf(struct eap_sm *sm, > >> - > >> - sm->ext_cert_check = !!(params->flags & TLS_CONN_EXT_CERT_CHECK); > >> - > >> -+ if (!phase2) > >> -+ data->client_cert_conf = params->client_cert || > >> -+ params->client_cert_blob || > >> -+ params->private_key || > >> -+ params->private_key_blob; > >> -+ > >> - return 0; > >> - } > >> - > >> -diff --git a/src/eap_peer/eap_tls_common.h b/src/eap_peer/eap_tls_common.h > >> -index 9ac0012..3348634 100644 > >> ---- a/src/eap_peer/eap_tls_common.h > >> -+++ b/src/eap_peer/eap_tls_common.h > >> -@@ -79,6 +79,11 @@ struct eap_ssl_data { > >> - * tls_v13 - Whether TLS v1.3 or newer is used > >> - */ > >> - int tls_v13; > >> -+ > >> -+ /** > >> -+ * client_cert_conf: Whether client certificate has been configured > >> -+ */ > >> -+ bool client_cert_conf; > >> - }; > >> - > >> - > >> -diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf > >> -index 6619d6b..d63f73c 100644 > >> ---- a/wpa_supplicant/wpa_supplicant.conf > >> -+++ b/wpa_supplicant/wpa_supplicant.conf > >> -@@ -1321,6 
+1321,13 @@ fast_reauth=1 > >> - # * 0 = do not use cryptobinding (default) > >> - # * 1 = use cryptobinding if server supports it > >> - # * 2 = require cryptobinding > >> -+# 'phase2_auth' option can be used to control Phase 2 (i.e., within TLS > >> -+# tunnel) behavior for PEAP: > >> -+# * 0 = do not require Phase 2 authentication > >> -+# * 1 = require Phase 2 authentication when client certificate > >> -+# (private_key/client_cert) is no used and TLS session resumption was > >> -+# not used (default) > >> -+# * 2 = require Phase 2 authentication in all cases > >> - # EAP-WSC (WPS) uses following options: pin=<Device Password> or > >> - # pbc=1. > >> - # > >> diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch > >> deleted file mode 100644 > >> index 6e930fc98d..0000000000 > >> --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch > >> +++ /dev/null 
> >> @@ -1,73 +0,0 @@ > >> -From cb41c214b78d6df187a31950342e48a403dbd769 Mon Sep 17 00:00:00 2001 > >> -From: Sergey Matyukevich<geomatsi@gmail.com> > >> -Date: Tue, 22 Feb 2022 11:52:19 +0300 > >> -Subject: [PATCH 1/2] build: Re-enable options for libwpa_client.so and > >> - wpa_passphrase > >> - > >> -Commit a41a29192e5d ("build: Pull common fragments into a build.rules > >> -file") introduced a regression into wpa_supplicant build process. The > >> -build target libwpa_client.so is not built regardless of whether the > >> -option CONFIG_BUILD_WPA_CLIENT_SO is set or not. This happens because > >> -this config option is used before it is imported from the configuration > >> -file. Moving its use after including build.rules does not help: the > >> -variable ALL is processed by build.rules and further changes are not > >> -applied. Similarly, option CONFIG_NO_WPA_PASSPHRASE also does not work > >> -as expected: wpa_passphrase is always built regardless of whether the > >> -option is set or not. > >> - > >> -Re-enable these options by adding both build targets to _all > >> -dependencies. 
> >> - > >> -Fixes: a41a29192e5d ("build: Pull common fragments into a build.rules file") > >> -Signed-off-by: Sergey Matyukevich<geomatsi@gmail.com> > >> -Upstream-Status: Backport > >> -Signed-off-by: Alex Kiernan<alexk@zuma.ai> > >> -Signed-off-by: Alex Kiernan<alexk@gmail.com> > >> ---- > >> - wpa_supplicant/Makefile | 19 ++++++++++++------- > >> - 1 file changed, 12 insertions(+), 7 deletions(-) > >> - > >> -diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile > >> -index cb66defac7c8..c456825ae75f 100644 > >> ---- a/wpa_supplicant/Makefile > >> -+++ b/wpa_supplicant/Makefile > >> -@@ -1,24 +1,29 @@ > >> - BINALL=wpa_supplicant wpa_cli > >> - > >> --ifndef CONFIG_NO_WPA_PASSPHRASE > >> --BINALL += wpa_passphrase > >> --endif > >> -- > >> - ALL = $(BINALL) > >> - ALL += systemd/wpa_supplicant.service > >> - ALL +=systemd/wpa_supplicant@.service > >> - ALL +=systemd/wpa_supplicant-nl80211@.service > >> - ALL +=systemd/wpa_supplicant-wired@.service > >> - ALL += dbus/fi.w1.wpa_supplicant1.service > >> --ifdef CONFIG_BUILD_WPA_CLIENT_SO > >> --ALL += libwpa_client.so > >> --endif > >> - > >> - EXTRA_TARGETS=dynamic_eap_methods > >> - > >> - CONFIG_FILE=.config > >> - include ../src/build.rules > >> - > >> -+ifdef CONFIG_BUILD_WPA_CLIENT_SO > >> -+# add the dependency this way to allow CONFIG_BUILD_WPA_CLIENT_SO > >> -+# being set in the config which is read by build.rules > >> -+_all: libwpa_client.so > >> -+endif > >> -+ > >> -+ifndef CONFIG_NO_WPA_PASSPHRASE > >> -+# add the dependency this way to allow CONFIG_NO_WPA_PASSPHRASE > >> -+# being set in the config which is read by build.rules > >> -+_all: wpa_passphrase > >> -+endif > >> -+ > >> - ifdef LIBS > >> - # If LIBS is set with some global build system defaults, clone those for > >> - # LIBS_c and LIBS_p to cover wpa_passphrase and wpa_cli as well. > >> --- > >> -2.35.1 > >> - 
> >> diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch > >> deleted file mode 100644 > >> index 53b0fcdf53..0000000000 > >> --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch > >> +++ /dev/null > >> @@ -1,26 +0,0 @@ > >> -From d001b301ba7987f4b39453a211631b85c48f2ff8 Mon Sep 17 00:00:00 2001 > >> -From: Jouni Malinen<quic_jouni@quicinc.com> > >> -Date: Thu, 3 Mar 2022 13:26:42 +0200 > >> -Subject: [PATCH 2/2] Fix removal of wpa_passphrase on 'make clean' > >> - > >> -Fixes: 0430bc8267b4 ("build: Add a common-clean target") > >> -Signed-off-by: Jouni Malinen<quic_jouni@quicinc.com> > >> -Upstream-Status: Backport > >> -Signed-off-by: Alex Kiernan<alexk@zuma.ai> > >> -Signed-off-by: Alex Kiernan<alexk@gmail.com> > >> ---- > >> - wpa_supplicant/Makefile | 1 + > >> - 1 file changed, 1 insertion(+) > >> - > >> -diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile > >> -index c456825ae75f..4b4688931b1d 100644 > >> ---- a/wpa_supplicant/Makefile > >> -+++ b/wpa_supplicant/Makefile > >> -@@ -2077,3 +2077,4 @@ clean: common-clean > >> - rm -f libwpa_client.a > >> - rm -f libwpa_client.so > >> - rm -f libwpa_test1 libwpa_test2 > >> -+ rm -f wpa_passphrase > >> --- > >> -2.35.1 > >> - > >> diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.11.bb > >> similarity index 90% > >> rename from meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb > >> rename to meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.11.bb > >> index 8113bcab09..321dedc58a 100644 > >> --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb > >> +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.11.bb 
> >> @@ -5,8 +5,8 @@ BUGTRACKER ="http://w1.fi/security/" > >> SECTION = "network" > >> LICENSE = "BSD-3-Clause" > >> LIC_FILES_CHKSUM ="file://COPYING;md5=5ebcb90236d1ad640558c3d3cd3035df \ - file://README;beginline=1;endline=56;md5=e3d2f6c2948991e37c1ca4960de84747 \ - file://wpa_supplicant/wpa_supplicant.c;beginline=1;endline=12;md5=76306a95306fee9a976b0ac1be70f705" > >> +file://README;beginline=1;endline=56;md5=6e4b25e7d74bfc44a32ba37bdf5210a6 \ > >> +file://wpa_supplicant/wpa_supplicant.c;beginline=1;endline=12;md5=f5ccd57ea91e04800edb88267bf8eae4" > >> DEPENDS = "dbus libnl" > >> @@ -15,12 +15,8 @@ SRC_URI ="http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \ file://wpa_supplicant.conf \ file://wpa_supplicant.conf-sane \ file://99_wpa_supplicant \ - file://0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch \ - file://0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch \ - file://0001-Install-wpa_passphrase-when-not-disabled.patch \ - file://0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch \ " > >> -SRC_URI[sha256sum] = "20df7ae5154b3830355f8ab4269123a87affdea59fe74fe9292a91d0d7e17b2f" > >> +SRC_URI[sha256sum] = "912ea06f74e30a8e36fbb68064d6cdff218d8d591db0fc5d75dee6c81ac7fc0a" > >> S = "${WORKDIR}/wpa_supplicant-${PV}" > >> > >> > >> > > > > > > > > > > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#203696): https://lists.openembedded.org/g/openembedded-core/message/203696 > Mute This Topic: https://lists.openembedded.org/mt/108040776/1686489 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [alex.kanavin@gmail.com] > -=-=-=-=-=-=-=-=-=-=-=- >
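Review bot: in the wpa-supplicant_2.11.bb hunk, after the four `file://...patch` entries are removed the SRC_URI still ends with `file://99_wpa_supplicant \` followed by a bare `"`; drop the trailing backslash on the last remaining entry so the closing quote sits on that line. The LIC_FILES_CHKSUM md5 changes for README and wpa_supplicant/wpa_supplicant.c are consistent with the copyright-year-only License-Update stated in the commit message, which is the check a reviewer needs here. Given the thread's conclusion that 2.11 adds features and is therefore not a bug-fix-only release, the [master,scarthgap] subject tag should be reduced to [master] when this is reposted.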
Hi Randy and Alex,

I appreciate the feedback and your concern regarding upgrades in stable branches.

> This update makes sense for the master branch but likely not for scarthgap
> unless you can show that this is a bug fix only release.

- This release is for sure not a bug-fix-only release. It does include support for new features and can never be classified as a bug-fix-only release.

> you'll have to backport any CVE fixes that you're interested in unless
> someone explains why this is a sensible update for scarthgap.

- I do understand that upgrades are avoided in stable/LTS branches as they might break compatibility and result in various compilation issues.
- However, that would only take place if the backward compatibility of the new upgrade is questionable.
- Generally every new release will have API or ABI symbols added, but if API or ABI symbols are removed from shared libraries or binaries it is a matter of concern, as it would be the cause of breakage.
- For this release, there are no ABI symbols or APIs removed from the binaries and shared libraries. You can cross-check it in different ways (there are open-source tools to check, or it can be checked by manually comparing the header files).
- I have my own script to do so and I always check the backward compatibility before submitting any upgrades, and since it was all clear for wpa-supplicant, I went ahead with the upgrade.

However, if the opinion is still that the upgrade should be avoided, let me know; I would submit the CVE patch for the same.

Regards,
Siddharth
The stable branch policy isn't about API/ABI compatibility; it's rather about whether a new release has new features or only bugfixes. If there are new features it is not eligible.

Alex

On Fri, 23 Aug 2024 at 19:18, Siddharth Doshi via lists.openembedded.org <sdoshi=mvista.com@lists.openembedded.org> wrote:
>
> Hi Randy and Alex,
>
> I appreciate the feedback and your concern regarding upgrades in stable branches.
>
> > This update makes sense for the master branch but likely not for scarthgap unless you can show that
> > this is a bug fix only release.
>
> - This release is for sure not a bug-fix-only release. It does include support for new features and can never be classified as a bug-fix-only release.
>
> > you'll have to backport any CVE fixes that you're interested in unless
> > someone explains why this is a sensible update for scarthgap.
>
> - I do understand that upgrades are avoided in stable/LTS branches as they might break compatibility and result in various compilation issues.
> - However, that would only take place if the backward compatibility of the new upgrade is questionable.
> - Generally every new release will have API or ABI symbols added, but if API or ABI symbols are removed from shared libraries or binaries it is a matter of concern, as it would be the cause of breakage.
> - For this release, there are no ABI symbols or APIs removed from the binaries and shared libraries. You can cross-check it in different ways (there are open-source tools to check, or it can be checked by manually comparing the header files).
> - I have my own script to do so and I always check the backward compatibility before submitting any upgrades, and since it was all clear for wpa-supplicant, I went ahead with the upgrade.
>
> However, if the opinion is still that the upgrade should be avoided, let me know; I would submit the CVE patch for the same.
>
> Regards,
> Siddharth
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#203703): https://lists.openembedded.org/g/openembedded-core/message/203703
> Mute This Topic: https://lists.openembedded.org/mt/108040776/1686489
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [alex.kanavin@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
Hi Alex,

Noted.

Regards,
Siddharth
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-Install-wpa_passphrase-when-not-disabled.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-Install-wpa_passphrase-when-not-disabled.patch deleted file mode 100644 index c04c608bde..0000000000 --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-Install-wpa_passphrase-when-not-disabled.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 57b12a1e43605f71239a21488cb9b541f0751dda Mon Sep 17 00:00:00 2001 -From: Alex Kiernan <alexk@zuma.ai> -Date: Thu, 21 Apr 2022 10:15:29 +0100 -Subject: [PATCH] Install wpa_passphrase when not disabled - -As part of fixing CONFIG_NO_WPA_PASSPHRASE, whilst wpa_passphrase gets -built, its not installed during `make install`. - -Fixes: cb41c214b78d ("build: Re-enable options for libwpa_client.so and wpa_passphrase") -Signed-off-by: Alex Kiernan <alexk@zuma.ai> -Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com> -Upstream-Status: Submitted [http://lists.infradead.org/pipermail/hostap/2022-April/040448.html] ---- - wpa_supplicant/Makefile | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile -index 0bab313f2355..12787c0c7d0f 100644 ---- a/wpa_supplicant/Makefile -+++ b/wpa_supplicant/Makefile -@@ -73,6 +73,9 @@ $(DESTDIR)$(BINDIR)/%: % - - install: $(addprefix $(DESTDIR)$(BINDIR)/,$(BINALL)) - $(MAKE) -C ../src install -+ifndef CONFIG_NO_WPA_PASSPHRASE -+ install -D wpa_passphrase $(DESTDIR)/$(BINDIR)/wpa_passphrase -+endif - ifdef CONFIG_BUILD_WPA_CLIENT_SO - install -m 0644 -D libwpa_client.so $(DESTDIR)/$(LIBDIR)/libwpa_client.so - install -m 0644 -D ../src/common/wpa_ctrl.h $(DESTDIR)/$(INCDIR)/wpa_ctrl.h --- -2.35.1 - 
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch deleted file mode 100644 index 620560d3c7..0000000000 --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch +++ /dev/null 
@@ -1,213 +0,0 @@ -From f6f7cead3661ceeef54b21f7e799c0afc98537ec Mon Sep 17 00:00:00 2001 -From: Jouni Malinen <j@w1.fi> -Date: Sat, 8 Jul 2023 19:55:32 +0300 -Subject: [PATCH] PEAP client: Update Phase 2 authentication requirements - -The previous PEAP client behavior allowed the server to skip Phase 2 -authentication with the expectation that the server was authenticated -during Phase 1 through TLS server certificate validation. Various PEAP -specifications are not exactly clear on what the behavior on this front -is supposed to be and as such, this ended up being more flexible than -the TTLS/FAST/TEAP cases. However, this is not really ideal when -unfortunately common misconfiguration of PEAP is used in deployed -devices where the server trust root (ca_cert) is not configured or the -user has an easy option for allowing this validation step to be skipped. - -Change the default PEAP client behavior to be to require Phase 2 -authentication to be successfully completed for cases where TLS session -resumption is not used and the client certificate has not been -configured. Those two exceptions are the main cases where a deployed -authentication server might skip Phase 2 and as such, where a more -strict default behavior could result in undesired interoperability -issues. Requiring Phase 2 authentication will end up disabling TLS -session resumption automatically to avoid interoperability issues. 
- -Allow Phase 2 authentication behavior to be configured with a new phase1 -configuration parameter option: -'phase2_auth' option can be used to control Phase 2 (i.e., within TLS -tunnel) behavior for PEAP: - * 0 = do not require Phase 2 authentication - * 1 = require Phase 2 authentication when client certificate - (private_key/client_cert) is no used and TLS session resumption was - not used (default) - * 2 = require Phase 2 authentication in all cases - -Signed-off-by: Jouni Malinen <j@w1.fi> - -CVE: CVE-2023-52160 -Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=8e6485a1bcb0baffdea9e55255a81270b768439c] - -Signed-off-by: Claus Stovgaard <claus.stovgaard@gmail.com> - ---- - src/eap_peer/eap_config.h | 8 ++++++ - src/eap_peer/eap_peap.c | 40 +++++++++++++++++++++++++++--- - src/eap_peer/eap_tls_common.c | 6 +++++ - src/eap_peer/eap_tls_common.h | 5 ++++ - wpa_supplicant/wpa_supplicant.conf | 7 ++++++ - 5 files changed, 63 insertions(+), 3 deletions(-) - -diff --git a/src/eap_peer/eap_config.h b/src/eap_peer/eap_config.h -index 3238f74..047eec2 100644 ---- a/src/eap_peer/eap_config.h -+++ b/src/eap_peer/eap_config.h -@@ -469,6 +469,14 @@ struct eap_peer_config { - * 1 = use cryptobinding if server supports it - * 2 = require cryptobinding - * -+ * phase2_auth option can be used to control Phase 2 (i.e., within TLS -+ * tunnel) behavior for PEAP: -+ * 0 = do not require Phase 2 authentication -+ * 1 = require Phase 2 authentication when client certificate -+ * (private_key/client_cert) is no used and TLS session resumption was -+ * not used (default) -+ * 2 = require Phase 2 authentication in all cases -+ * - * EAP-WSC (WPS) uses following options: pin=Device_Password and - * uuid=Device_UUID - * -diff --git a/src/eap_peer/eap_peap.c b/src/eap_peer/eap_peap.c -index 12e30df..6080697 100644 ---- a/src/eap_peer/eap_peap.c -+++ b/src/eap_peer/eap_peap.c -@@ -67,6 +67,7 @@ struct eap_peap_data { - u8 cmk[20]; - int soh; /* Whether IF-TNCCS-SOH 
(Statement of Health; Microsoft NAP) - * is enabled. */ -+ enum { NO_AUTH, FOR_INITIAL, ALWAYS } phase2_auth; - }; - - -@@ -114,6 +115,19 @@ static void eap_peap_parse_phase1(struct eap_peap_data *data, - wpa_printf(MSG_DEBUG, "EAP-PEAP: Require cryptobinding"); - } - -+ if (os_strstr(phase1, "phase2_auth=0")) { -+ data->phase2_auth = NO_AUTH; -+ wpa_printf(MSG_DEBUG, -+ "EAP-PEAP: Do not require Phase 2 authentication"); -+ } else if (os_strstr(phase1, "phase2_auth=1")) { -+ data->phase2_auth = FOR_INITIAL; -+ wpa_printf(MSG_DEBUG, -+ "EAP-PEAP: Require Phase 2 authentication for initial connection"); -+ } else if (os_strstr(phase1, "phase2_auth=2")) { -+ data->phase2_auth = ALWAYS; -+ wpa_printf(MSG_DEBUG, -+ "EAP-PEAP: Require Phase 2 authentication for all cases"); -+ } - #ifdef EAP_TNC - if (os_strstr(phase1, "tnc=soh2")) { - data->soh = 2; -@@ -142,6 +156,7 @@ static void * eap_peap_init(struct eap_sm *sm) - data->force_peap_version = -1; - data->peap_outer_success = 2; - data->crypto_binding = OPTIONAL_BINDING; -+ data->phase2_auth = FOR_INITIAL; - - if (config && config->phase1) - eap_peap_parse_phase1(data, config->phase1); -@@ -454,6 +469,20 @@ static int eap_tlv_validate_cryptobinding(struct eap_sm *sm, - } - - -+static bool peap_phase2_sufficient(struct eap_sm *sm, -+ struct eap_peap_data *data) -+{ -+ if ((data->phase2_auth == ALWAYS || -+ (data->phase2_auth == FOR_INITIAL && -+ !tls_connection_resumed(sm->ssl_ctx, data->ssl.conn) && -+ !data->ssl.client_cert_conf) || -+ data->phase2_eap_started) && -+ !data->phase2_eap_success) -+ return false; -+ return true; -+} -+ -+ - /** - * eap_tlv_process - Process a received EAP-TLV message and generate a response - * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init() -@@ -568,6 +597,11 @@ static int eap_tlv_process(struct eap_sm *sm, struct eap_peap_data *data, - " - force failed Phase 2"); - resp_status = EAP_TLV_RESULT_FAILURE; - ret->decision = DECISION_FAIL; -+ } else if 
(!peap_phase2_sufficient(sm, data)) { -+ wpa_printf(MSG_INFO, -+ "EAP-PEAP: Server indicated Phase 2 success, but sufficient Phase 2 authentication has not been completed"); -+ resp_status = EAP_TLV_RESULT_FAILURE; -+ ret->decision = DECISION_FAIL; - } else { - resp_status = EAP_TLV_RESULT_SUCCESS; - ret->decision = DECISION_UNCOND_SUCC; -@@ -887,8 +921,7 @@ continue_req: - /* EAP-Success within TLS tunnel is used to indicate - * shutdown of the TLS channel. The authentication has - * been completed. */ -- if (data->phase2_eap_started && -- !data->phase2_eap_success) { -+ if (!peap_phase2_sufficient(sm, data)) { - wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 " - "Success used to indicate success, " - "but Phase 2 EAP was not yet " -@@ -1199,8 +1232,9 @@ static struct wpabuf * eap_peap_process(struct eap_sm *sm, void *priv, - static bool eap_peap_has_reauth_data(struct eap_sm *sm, void *priv) - { - struct eap_peap_data *data = priv; -+ - return tls_connection_established(sm->ssl_ctx, data->ssl.conn) && -- data->phase2_success; -+ data->phase2_success && data->phase2_auth != ALWAYS; - } - - -diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c -index c1837db..a53eeb1 100644 ---- a/src/eap_peer/eap_tls_common.c -+++ b/src/eap_peer/eap_tls_common.c -@@ -239,6 +239,12 @@ static int eap_tls_params_from_conf(struct eap_sm *sm, - - sm->ext_cert_check = !!(params->flags & TLS_CONN_EXT_CERT_CHECK); - -+ if (!phase2) -+ data->client_cert_conf = params->client_cert || -+ params->client_cert_blob || -+ params->private_key || -+ params->private_key_blob; -+ - return 0; - } - -diff --git a/src/eap_peer/eap_tls_common.h b/src/eap_peer/eap_tls_common.h -index 9ac0012..3348634 100644 ---- a/src/eap_peer/eap_tls_common.h -+++ b/src/eap_peer/eap_tls_common.h -@@ -79,6 +79,11 @@ struct eap_ssl_data { - * tls_v13 - Whether TLS v1.3 or newer is used - */ - int tls_v13; -+ -+ /** -+ * client_cert_conf: Whether client certificate has been configured -+ */ -+ bool 
client_cert_conf; - }; - - -diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf -index 6619d6b..d63f73c 100644 ---- a/wpa_supplicant/wpa_supplicant.conf -+++ b/wpa_supplicant/wpa_supplicant.conf -@@ -1321,6 +1321,13 @@ fast_reauth=1 - # * 0 = do not use cryptobinding (default) - # * 1 = use cryptobinding if server supports it - # * 2 = require cryptobinding -+# 'phase2_auth' option can be used to control Phase 2 (i.e., within TLS -+# tunnel) behavior for PEAP: -+# * 0 = do not require Phase 2 authentication -+# * 1 = require Phase 2 authentication when client certificate -+# (private_key/client_cert) is no used and TLS session resumption was -+# not used (default) -+# * 2 = require Phase 2 authentication in all cases - # EAP-WSC (WPS) uses following options: pin=<Device Password> or - # pbc=1. - # diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch deleted file mode 100644 index 6e930fc98d..0000000000 --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch +++ /dev/null 
@@ -1,73 +0,0 @@ -From cb41c214b78d6df187a31950342e48a403dbd769 Mon Sep 17 00:00:00 2001 -From: Sergey Matyukevich <geomatsi@gmail.com> -Date: Tue, 22 Feb 2022 11:52:19 +0300 -Subject: [PATCH 1/2] build: Re-enable options for libwpa_client.so and - wpa_passphrase - -Commit a41a29192e5d ("build: Pull common fragments into a build.rules -file") introduced a regression into wpa_supplicant build process. The -build target libwpa_client.so is not built regardless of whether the -option CONFIG_BUILD_WPA_CLIENT_SO is set or not. This happens because -this config option is used before it is imported from the configuration -file. Moving its use after including build.rules does not help: the -variable ALL is processed by build.rules and further changes are not -applied. Similarly, option CONFIG_NO_WPA_PASSPHRASE also does not work -as expected: wpa_passphrase is always built regardless of whether the -option is set or not. - -Re-enable these options by adding both build targets to _all -dependencies. 
- -Fixes: a41a29192e5d ("build: Pull common fragments into a build.rules file") -Signed-off-by: Sergey Matyukevich <geomatsi@gmail.com> -Upstream-Status: Backport -Signed-off-by: Alex Kiernan <alexk@zuma.ai> -Signed-off-by: Alex Kiernan <alexk@gmail.com> ---- - wpa_supplicant/Makefile | 19 ++++++++++++------- - 1 file changed, 12 insertions(+), 7 deletions(-) - -diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile -index cb66defac7c8..c456825ae75f 100644 ---- a/wpa_supplicant/Makefile -+++ b/wpa_supplicant/Makefile -@@ -1,24 +1,29 @@ - BINALL=wpa_supplicant wpa_cli - --ifndef CONFIG_NO_WPA_PASSPHRASE --BINALL += wpa_passphrase --endif -- - ALL = $(BINALL) - ALL += systemd/wpa_supplicant.service - ALL += systemd/wpa_supplicant@.service - ALL += systemd/wpa_supplicant-nl80211@.service - ALL += systemd/wpa_supplicant-wired@.service - ALL += dbus/fi.w1.wpa_supplicant1.service --ifdef CONFIG_BUILD_WPA_CLIENT_SO --ALL += libwpa_client.so --endif - - EXTRA_TARGETS=dynamic_eap_methods - - CONFIG_FILE=.config - include ../src/build.rules - -+ifdef CONFIG_BUILD_WPA_CLIENT_SO -+# add the dependency this way to allow CONFIG_BUILD_WPA_CLIENT_SO -+# being set in the config which is read by build.rules -+_all: libwpa_client.so -+endif -+ -+ifndef CONFIG_NO_WPA_PASSPHRASE -+# add the dependency this way to allow CONFIG_NO_WPA_PASSPHRASE -+# being set in the config which is read by build.rules -+_all: wpa_passphrase -+endif -+ - ifdef LIBS - # If LIBS is set with some global build system defaults, clone those for - # LIBS_c and LIBS_p to cover wpa_passphrase and wpa_cli as well. --- -2.35.1 - diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch deleted file mode 100644 index 53b0fcdf53..0000000000 
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch +++ /dev/null @@ -1,26 +0,0 @@ -From d001b301ba7987f4b39453a211631b85c48f2ff8 Mon Sep 17 00:00:00 2001 -From: Jouni Malinen <quic_jouni@quicinc.com> -Date: Thu, 3 Mar 2022 13:26:42 +0200 -Subject: [PATCH 2/2] Fix removal of wpa_passphrase on 'make clean' - -Fixes: 0430bc8267b4 ("build: Add a common-clean target") -Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com> -Upstream-Status: Backport -Signed-off-by: Alex Kiernan <alexk@zuma.ai> -Signed-off-by: Alex Kiernan <alexk@gmail.com> ---- - wpa_supplicant/Makefile | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile -index c456825ae75f..4b4688931b1d 100644 ---- a/wpa_supplicant/Makefile -+++ b/wpa_supplicant/Makefile -@@ -2077,3 +2077,4 @@ clean: common-clean - rm -f libwpa_client.a - rm -f libwpa_client.so - rm -f libwpa_test1 libwpa_test2 -+ rm -f wpa_passphrase --- -2.35.1 - diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.11.bb similarity index 90% rename from meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb rename to meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.11.bb index 8113bcab09..321dedc58a 100644 --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.11.bb 
@@ -5,8 +5,8 @@ BUGTRACKER = "http://w1.fi/security/" SECTION = "network" LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://COPYING;md5=5ebcb90236d1ad640558c3d3cd3035df \ - file://README;beginline=1;endline=56;md5=e3d2f6c2948991e37c1ca4960de84747 \ - file://wpa_supplicant/wpa_supplicant.c;beginline=1;endline=12;md5=76306a95306fee9a976b0ac1be70f705" + file://README;beginline=1;endline=56;md5=6e4b25e7d74bfc44a32ba37bdf5210a6 \ + file://wpa_supplicant/wpa_supplicant.c;beginline=1;endline=12;md5=f5ccd57ea91e04800edb88267bf8eae4" DEPENDS = "dbus libnl" @@ -15,12 +15,8 @@ SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \ file://wpa_supplicant.conf \ file://wpa_supplicant.conf-sane \ file://99_wpa_supplicant \ - file://0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch \ - file://0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch \ - file://0001-Install-wpa_passphrase-when-not-disabled.patch \ - file://0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch \ " -SRC_URI[sha256sum] = "20df7ae5154b3830355f8ab4269123a87affdea59fe74fe9292a91d0d7e17b2f" +SRC_URI[sha256sum] = "912ea06f74e30a8e36fbb68064d6cdff218d8d591db0fc5d75dee6c81ac7fc0a" S = "${WORKDIR}/wpa_supplicant-${PV}"
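Review bot: Dropping 0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch and 0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch is justified only if the upstream commits they carry (cb41c214b78d and d001b301ba79 per their From: headers, both tagged Upstream-Status: Backport) are contained in the 2.11 tag; the commit message should say so explicitly rather than leaving the reader to infer it from the ChangeLog link, since a silently missing backport would reintroduce the libwpa_client.so / CONFIG_NO_WPA_PASSPHRASE build regression those patches fixed.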
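Review bot: The SRC_URI hunk also removes 0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch, whose tail (the phase2_auth documentation in wpa_supplicant.conf) is the deletion shown at the top of this patch, and 0001-Install-wpa_passphrase-when-not-disabled.patch, for which no file deletion or rationale is visible in the hunks quoted here. The first of these is the CVE-2023-52160 fix the commit message lists as "fixed", so after this change the mitigation rests entirely on the 2.11 tarball containing the equivalent upstream change; please cite that upstream commit in the message and confirm the wpa_passphrase install fix is likewise upstream (or that the patch file is deleted elsewhere in this series), otherwise a scarthgap backport of just the CVE fix would be the safer route, as Randy notes above.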
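Review bot: With SRC_URI still fetching from plain http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz, the updated SRC_URI[sha256sum] is the only integrity check on the source, so it is worth stating in the commit message that the new checksum was taken from (or cross-checked against) upstream's published release signature rather than from the downloaded tarball alone, and switching the fetch URL to https if upstream serves it. The LIC_FILES_CHKSUM changes match the copyright-year-only License-Update in the message, so those look fine.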