Wed Feb 28 18:36:48 UTC 2024

patches/packages/wpa_supplicant-2.10-x86_64-2_slack15.0.txz:  Rebuilt.
  Patched the implementation of PEAP in wpa_supplicant to prevent an
  authentication bypass. For a successful attack, wpa_supplicant must be
  configured to not verify the network's TLS certificate during Phase 1
  authentication, and an eap_peap_decrypt vulnerability can then be abused
  to skip Phase 2 authentication. The attack vector is sending an EAP-TLV
  Success packet instead of starting Phase 2. This allows an adversary to
  impersonate Enterprise Wi-Fi networks.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2023-52160
  (* Security fix *)
This commit is contained in:
Patrick J Volkerding 2024-02-28 18:36:48 +00:00 committed by Eric Hameleers
parent 6008910371
commit 970e55afb6
19 changed files with 1438 additions and 137 deletions

View file

@ -11,9 +11,30 @@
<description>Tracking Slackware development in git.</description>
<language>en-us</language>
<id xmlns="http://www.w3.org/2005/Atom">urn:uuid:c964f45e-6732-11e8-bbe5-107b4450212f</id>
<pubDate>Mon, 26 Feb 2024 20:09:43 GMT</pubDate>
<lastBuildDate>Tue, 27 Feb 2024 12:30:26 GMT</lastBuildDate>
<pubDate>Wed, 28 Feb 2024 18:36:48 GMT</pubDate>
<lastBuildDate>Thu, 29 Feb 2024 12:30:28 GMT</lastBuildDate>
<generator>maintain_current_git.sh v 1.17</generator>
<item>
<title>Wed, 28 Feb 2024 18:36:48 GMT</title>
<pubDate>Wed, 28 Feb 2024 18:36:48 GMT</pubDate>
<link>https://git.slackware.nl/current/tag/?h=20240228183648</link>
<guid isPermaLink="false">20240228183648</guid>
<description>
<![CDATA[<pre>
patches/packages/wpa_supplicant-2.10-x86_64-2_slack15.0.txz: Rebuilt.
Patched the implementation of PEAP in wpa_supplicant to prevent an
authentication bypass. For a successful attack, wpa_supplicant must be
configured to not verify the network's TLS certificate during Phase 1
authentication, and an eap_peap_decrypt vulnerability can then be abused
to skip Phase 2 authentication. The attack vector is sending an EAP-TLV
Success packet instead of starting Phase 2. This allows an adversary to
impersonate Enterprise Wi-Fi networks.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2023-52160
(* Security fix *)
</pre>]]>
</description>
</item>
<item>
<title>Mon, 26 Feb 2024 20:09:43 GMT</title>
<pubDate>Mon, 26 Feb 2024 20:09:43 GMT</pubDate>

View file

@ -1,3 +1,16 @@
Wed Feb 28 18:36:48 UTC 2024
patches/packages/wpa_supplicant-2.10-x86_64-2_slack15.0.txz: Rebuilt.
Patched the implementation of PEAP in wpa_supplicant to prevent an
authentication bypass. For a successful attack, wpa_supplicant must be
configured to not verify the network's TLS certificate during Phase 1
authentication, and an eap_peap_decrypt vulnerability can then be abused
to skip Phase 2 authentication. The attack vector is sending an EAP-TLV
Success packet instead of starting Phase 2. This allows an adversary to
impersonate Enterprise Wi-Fi networks.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2023-52160
(* Security fix *)
+--------------------------+
Mon Feb 26 20:09:43 UTC 2024
patches/packages/openjpeg-2.5.1-x86_64-1_slack15.0.txz: Upgraded.
Fixed a heap-based buffer overflow in openjpeg in color.c:379:42 in

View file

@ -1,20 +1,20 @@
Mon Feb 26 20:12:29 UTC 2024
Wed Feb 28 18:40:26 UTC 2024
Here is the file list for this directory. If you are using a
mirror site and find missing or extra files in the disk
subdirectories, please have the archive administrator refresh
the mirror.
drwxr-xr-x 12 root root 4096 2024-02-26 20:09 .
drwxr-xr-x 12 root root 4096 2024-02-28 18:36 .
-rw-r--r-- 1 root root 5767 2022-02-02 22:44 ./ANNOUNCE.15.0
-rw-r--r-- 1 root root 16609 2022-03-30 19:03 ./CHANGES_AND_HINTS.TXT
-rw-r--r-- 1 root root 1223634 2024-02-25 19:19 ./CHECKSUMS.md5
-rw-r--r-- 1 root root 163 2024-02-25 19:19 ./CHECKSUMS.md5.asc
-rw-r--r-- 1 root root 1224241 2024-02-26 20:12 ./CHECKSUMS.md5
-rw-r--r-- 1 root root 163 2024-02-26 20:12 ./CHECKSUMS.md5.asc
-rw-r--r-- 1 root root 17976 1994-06-10 02:28 ./COPYING
-rw-r--r-- 1 root root 35147 2007-06-30 04:21 ./COPYING3
-rw-r--r-- 1 root root 19573 2016-06-23 20:08 ./COPYRIGHT.TXT
-rw-r--r-- 1 root root 616 2006-10-02 04:37 ./CRYPTO_NOTICE.TXT
-rw-r--r-- 1 root root 2095903 2024-02-26 20:09 ./ChangeLog.txt
-rw-r--r-- 1 root root 2096612 2024-02-28 18:36 ./ChangeLog.txt
drwxr-xr-x 3 root root 4096 2013-03-20 22:17 ./EFI
drwxr-xr-x 2 root root 4096 2022-02-02 08:21 ./EFI/BOOT
-rw-r--r-- 1 root root 1187840 2021-06-15 19:16 ./EFI/BOOT/bootx64.efi
@ -25,7 +25,7 @@ drwxr-xr-x 2 root root 4096 2022-02-02 08:21 ./EFI/BOOT
-rwxr-xr-x 1 root root 2504 2019-07-05 18:54 ./EFI/BOOT/make-grub.sh
-rw-r--r-- 1 root root 10722 2013-09-21 19:02 ./EFI/BOOT/osdetect.cfg
-rw-r--r-- 1 root root 1273 2013-08-12 21:08 ./EFI/BOOT/tools.cfg
-rw-r--r-- 1 root root 1601635 2024-02-25 19:19 ./FILELIST.TXT
-rw-r--r-- 1 root root 1602437 2024-02-26 20:12 ./FILELIST.TXT
-rw-r--r-- 1 root root 1572 2012-08-29 18:27 ./GPG-KEY
-rw-r--r-- 1 root root 864745 2022-02-02 08:25 ./PACKAGES.TXT
-rw-r--r-- 1 root root 8034 2022-02-02 03:36 ./README.TXT
@ -828,13 +828,13 @@ drwxr-xr-x 2 root root 4096 2022-12-17 19:52 ./pasture/source/samba
-rw-r--r-- 1 root root 7921 2018-04-29 17:31 ./pasture/source/samba/smb.conf.default
-rw-r--r-- 1 root root 7933 2018-01-14 20:41 ./pasture/source/samba/smb.conf.default.orig
-rw-r--r-- 1 root root 536 2017-03-23 19:18 ./pasture/source/samba/smb.conf.diff.gz
drwxr-xr-x 4 root root 4096 2024-02-26 20:12 ./patches
-rw-r--r-- 1 root root 106656 2024-02-26 20:12 ./patches/CHECKSUMS.md5
-rw-r--r-- 1 root root 163 2024-02-26 20:12 ./patches/CHECKSUMS.md5.asc
-rw-r--r-- 1 root root 145762 2024-02-26 20:12 ./patches/FILE_LIST
-rw-r--r-- 1 root root 15274196 2024-02-26 20:12 ./patches/MANIFEST.bz2
-rw-r--r-- 1 root root 75731 2024-02-26 20:12 ./patches/PACKAGES.TXT
drwxr-xr-x 5 root root 32768 2024-02-26 20:12 ./patches/packages
drwxr-xr-x 4 root root 4096 2024-02-28 18:40 ./patches
-rw-r--r-- 1 root root 108212 2024-02-28 18:40 ./patches/CHECKSUMS.md5
-rw-r--r-- 1 root root 163 2024-02-28 18:40 ./patches/CHECKSUMS.md5.asc
-rw-r--r-- 1 root root 147885 2024-02-28 18:40 ./patches/FILE_LIST
-rw-r--r-- 1 root root 15280380 2024-02-28 18:40 ./patches/MANIFEST.bz2
-rw-r--r-- 1 root root 76505 2024-02-28 18:40 ./patches/PACKAGES.TXT
drwxr-xr-x 5 root root 32768 2024-02-28 18:40 ./patches/packages
-rw-r--r-- 1 root root 360 2023-09-26 19:28 ./patches/packages/Cython-0.29.36-x86_64-1_slack15.0.txt
-rw-r--r-- 1 root root 2389564 2023-09-26 19:28 ./patches/packages/Cython-0.29.36-x86_64-1_slack15.0.txz
-rw-r--r-- 1 root root 163 2023-09-26 19:28 ./patches/packages/Cython-0.29.36-x86_64-1_slack15.0.txz.asc
@ -1168,6 +1168,9 @@ drwxr-xr-x 2 root root 4096 2023-11-21 21:09 ./patches/packages/old-linux
-rw-r--r-- 1 root root 367 2024-02-25 18:50 ./patches/packages/whois-5.5.21-x86_64-1_slack15.0.txt
-rw-r--r-- 1 root root 64492 2024-02-25 18:50 ./patches/packages/whois-5.5.21-x86_64-1_slack15.0.txz
-rw-r--r-- 1 root root 163 2024-02-25 18:50 ./patches/packages/whois-5.5.21-x86_64-1_slack15.0.txz.asc
-rw-r--r-- 1 root root 600 2024-02-28 18:13 ./patches/packages/wpa_supplicant-2.10-x86_64-2_slack15.0.txt
-rw-r--r-- 1 root root 1330792 2024-02-28 18:13 ./patches/packages/wpa_supplicant-2.10-x86_64-2_slack15.0.txz
-rw-r--r-- 1 root root 163 2024-02-28 18:13 ./patches/packages/wpa_supplicant-2.10-x86_64-2_slack15.0.txz.asc
-rw-r--r-- 1 root root 377 2022-11-17 01:47 ./patches/packages/xfce4-settings-4.16.5-x86_64-1_slack15.0.txt
-rw-r--r-- 1 root root 801956 2022-11-17 01:47 ./patches/packages/xfce4-settings-4.16.5-x86_64-1_slack15.0.txz
-rw-r--r-- 1 root root 163 2022-11-17 01:47 ./patches/packages/xfce4-settings-4.16.5-x86_64-1_slack15.0.txz.asc
@ -1204,7 +1207,7 @@ drwxr-xr-x 2 root root 4096 2023-11-21 21:09 ./patches/packages/old-linux
-rw-r--r-- 1 root root 463 2023-04-05 18:16 ./patches/packages/zstd-1.5.5-x86_64-1_slack15.0.txt
-rw-r--r-- 1 root root 459652 2023-04-05 18:16 ./patches/packages/zstd-1.5.5-x86_64-1_slack15.0.txz
-rw-r--r-- 1 root root 163 2023-04-05 18:16 ./patches/packages/zstd-1.5.5-x86_64-1_slack15.0.txz.asc
drwxr-xr-x 107 root root 4096 2024-02-26 20:00 ./patches/source
drwxr-xr-x 108 root root 4096 2024-02-28 18:29 ./patches/source
drwxr-xr-x 2 root root 4096 2023-09-26 19:22 ./patches/source/Cython
-rw-r--r-- 1 root root 1623580 2023-07-04 19:24 ./patches/source/Cython/Cython-0.29.36.tar.lz
-rwxr-xr-x 1 root root 3041 2023-09-26 19:23 ./patches/source/Cython/Cython.SlackBuild
@ -2208,6 +2211,24 @@ drwxr-xr-x 2 root root 4096 2024-02-25 18:50 ./patches/source/whois
-rw-r--r-- 1 root root 90290 2024-02-24 18:16 ./patches/source/whois/whois-5.5.21.tar.lz
-rwxr-xr-x 1 root root 3056 2023-02-28 19:25 ./patches/source/whois/whois.SlackBuild
-rw-r--r-- 1 root root 33 2019-07-24 18:55 ./patches/source/whois/whois.url
drwxr-xr-x 4 root root 4096 2023-03-07 21:39 ./patches/source/wpa_supplicant
-rw-r--r-- 1 root root 2080 2005-08-06 20:17 ./patches/source/wpa_supplicant/README.slackware
drwxr-xr-x 2 root root 4096 2021-06-09 18:33 ./patches/source/wpa_supplicant/config
-rw-r--r-- 1 root root 22874 2021-06-09 18:33 ./patches/source/wpa_supplicant/config/dot.config
-rw-r--r-- 1 root root 153 2020-12-27 07:03 ./patches/source/wpa_supplicant/config/wpa_gui.desktop
-rw-r--r-- 1 root root 5124 2009-04-20 18:10 ./patches/source/wpa_supplicant/config/wpa_gui.png
-rw-r--r-- 1 root root 65 2012-05-06 07:08 ./patches/source/wpa_supplicant/config/wpa_supplicant.conf
-rw-r--r-- 1 root root 100 2012-05-06 07:05 ./patches/source/wpa_supplicant/config/wpa_supplicant.logrotate
-rw-r--r-- 1 root root 284 2012-05-06 07:31 ./patches/source/wpa_supplicant/doinst.sh.gz
drwxr-xr-x 2 root root 4096 2024-02-28 18:01 ./patches/source/wpa_supplicant/patches
-rw-r--r-- 1 root root 2815 2024-02-28 18:00 ./patches/source/wpa_supplicant/patches/8e6485a1bcb0baffdea9e55255a81270b768439c.patch.gz
-rw-r--r-- 1 root root 454 2018-12-15 14:31 ./patches/source/wpa_supplicant/patches/allow-tlsv1.patch.gz
-rw-r--r-- 1 root root 687 2018-12-18 16:36 ./patches/source/wpa_supplicant/patches/wpa_supplicant-gui-qt4.patch.gz
-rw-r--r-- 1 root root 625 2018-12-18 16:36 ./patches/source/wpa_supplicant/patches/wpa_supplicant-quiet-scan-results-message.patch.gz
-rw-r--r-- 1 root root 1061 2018-12-06 20:13 ./patches/source/wpa_supplicant/slack-desc
-rw-r--r-- 1 root root 2372460 2022-01-16 21:11 ./patches/source/wpa_supplicant/wpa_supplicant-2.10.tar.xz
-rwxr-xr-x 1 root root 6195 2024-02-28 18:12 ./patches/source/wpa_supplicant/wpa_supplicant.SlackBuild
-rw-r--r-- 1 root root 30 2022-01-19 17:10 ./patches/source/wpa_supplicant/wpa_supplicant.url
drwxr-xr-x 2 root root 4096 2022-11-16 19:13 ./patches/source/xfce4-settings
-rw-r--r-- 1 root root 839 2018-02-27 06:13 ./patches/source/xfce4-settings/slack-desc
-rw-r--r-- 1 root root 1211837 2022-11-12 22:27 ./patches/source/xfce4-settings/xfce4-settings-4.16.5.tar.lz

View file

@ -0,0 +1,11 @@
wpa_supplicant: wpa_supplicant (WPA/WPA2/IEEE 802.1X Supplicant)
wpa_supplicant:
wpa_supplicant: wpa_supplicant is a WPA Supplicant for Linux with support for WPA and
wpa_supplicant: WPA2 (IEEE 802.11i / RSN). Supplicant is the IEEE 802.1X/WPA
wpa_supplicant: component that is used in the client stations. It implements key
wpa_supplicant: negotiation with a WPA Authenticator and it controls the roaming and
wpa_supplicant: IEEE 802.11 authentication/association of the wlan driver.
wpa_supplicant:
wpa_supplicant: Homepage: http://hostap.epitest.fi/wpa_supplicant/
wpa_supplicant:
wpa_supplicant:

View file

@ -0,0 +1,55 @@
=================================================
How do I get my card to use WPA-PSK in Slackware?
=================================================
First off: wpa_supplicant REQUIRES the AP to broadcast the SSID. When the AP
hides its SSID, all you will get out of wpa_supplicant is the message:
"No suitable AP found"
Also, read the MADwifi FAQ (http://madwifi.sourceforge.net/dokuwiki/doku.php)
since it contains a wealth of information.
This being said, you'll have to do the following (as root):
Edit the file named /etc/wpa_supplicant.conf and add these lines:
network={
scan_ssid=0
proto=WPA
key_mgmt=WPA-PSK
pairwise=CCMP TKIP
group=CCMP TKIP WEP104 WEP40
}
Then execute:
/usr/sbin/wpa_passphrase YOURSSID passphrase
with the SSID of your AP and the passphrase you've entered in its WPA-PSK configuration. You'll receive an output, which looks like this:
network={
ssid="YOURSSID"
#psk="passphrase"
psk=66a4bfb03de5656cf26cfa03a116097546046f4aea11ee044b841171207d8308
}
Copy the three lines within the network-tag into your own entry in wpa_supplicant.conf and change the permissions after you've finished editing:
chmod 640 /etc/wpa_supplicant.conf
To get your network device up and running, execute:
### /usr/sbin/wpa_supplicant -Bw -c/etc/wpa_supplicant.conf -iath0 -Dmadwifi ###
### you don't have to run the above command by hand, because it will ###
### be executed by the rc.inet1 command that you run: ###
/etc/rc.d/rc.inet1 ath0_start
In case you want to see the wpa_supplicant in action, start it on the command line before enabling the wireless device, by running:
/usr/sbin/wpa_supplicant -dw -c/etc/wpa_supplicant.conf -iath0 -Dmadwifi
The terminal where you've started the wpa_supplicant should now show the communication between your wlan card and the AP. If you got everything up and running you can let Slackware's init script take over by killing wpa_supplicant and running:
/etc/rc.d/rc.inet1 ath0_restart
Studying the wpa_supplicant README is also highly recommended for further insight!

View file

@ -0,0 +1,632 @@
# Example wpa_supplicant build time configuration
#
# This file lists the configuration options that are used when building the
# wpa_supplicant binary. All lines starting with # are ignored. Configuration
# option lines must be commented out complete, if they are not to be included,
# i.e., just setting VARIABLE=n is not disabling that variable.
#
# This file is included in Makefile, so variables like CFLAGS and LIBS can also
# be modified from here. In most cases, these lines should use += in order not
# to override previous values of the variables.
# Uncomment following two lines and fix the paths if you have installed OpenSSL
# or GnuTLS in non-default location
#CFLAGS += -I/usr/local/openssl/include
#LIBS += -L/usr/local/openssl/lib
# Some Red Hat versions seem to include kerberos header files from OpenSSL, but
# the kerberos files are not in the default include path. Following line can be
# used to fix build issues on such systems (krb5.h not found).
#CFLAGS += -I/usr/include/kerberos
# Driver interface for generic Linux wireless extensions
# Note: WEXT is deprecated in the current Linux kernel version and no new
# functionality is added to it. nl80211-based interface is the new
# replacement for WEXT and its use allows wpa_supplicant to properly control
# the driver to improve existing functionality like roaming and to support new
# functionality.
CONFIG_DRIVER_WEXT=y
# Driver interface for Linux drivers using the nl80211 kernel interface
CONFIG_DRIVER_NL80211=y
# QCA vendor extensions to nl80211
CONFIG_DRIVER_NL80211_QCA=y
# driver_nl80211.c requires libnl. If you are compiling it yourself
# you may need to point hostapd to your version of libnl.
#
#CFLAGS += -I$<path to libnl include files>
#LIBS += -L$<path to libnl library files>
# Use libnl v2.0 (or 3.0) libraries.
#CONFIG_LIBNL20=y
# Use libnl 3.2 libraries (if this is selected, CONFIG_LIBNL20 is ignored)
CONFIG_LIBNL32=y
# Driver interface for FreeBSD net80211 layer (e.g., Atheros driver)
#CONFIG_DRIVER_BSD=y
#CFLAGS += -I/usr/local/include
#LIBS += -L/usr/local/lib
#LIBS_p += -L/usr/local/lib
#LIBS_c += -L/usr/local/lib
# Driver interface for Windows NDIS
#CONFIG_DRIVER_NDIS=y
#CFLAGS += -I/usr/include/w32api/ddk
#LIBS += -L/usr/local/lib
# For native build using mingw
#CONFIG_NATIVE_WINDOWS=y
# Additional directories for cross-compilation on Linux host for mingw target
#CFLAGS += -I/opt/mingw/mingw32/include/ddk
#LIBS += -L/opt/mingw/mingw32/lib
#CC=mingw32-gcc
# By default, driver_ndis uses WinPcap for low-level operations. This can be
# replaced with the following option which replaces WinPcap calls with NDISUIO.
# However, this requires that WZC is disabled (net stop wzcsvc) before starting
# wpa_supplicant.
# CONFIG_USE_NDISUIO=y
# Driver interface for wired Ethernet drivers
CONFIG_DRIVER_WIRED=y
# Driver interface for MACsec capable Qualcomm Atheros drivers
#CONFIG_DRIVER_MACSEC_QCA=y
# Driver interface for Linux MACsec drivers
CONFIG_DRIVER_MACSEC_LINUX=y
# Driver interface for the Broadcom RoboSwitch family
#CONFIG_DRIVER_ROBOSWITCH=y
# Driver interface for no driver (e.g., WPS ER only)
#CONFIG_DRIVER_NONE=y
# Solaris libraries
#LIBS += -lsocket -ldlpi -lnsl
#LIBS_c += -lsocket
# Enable IEEE 802.1X Supplicant (automatically included if any EAP method or
# MACsec is included)
CONFIG_IEEE8021X_EAPOL=y
# EAP-MD5
CONFIG_EAP_MD5=y
# EAP-MSCHAPv2
CONFIG_EAP_MSCHAPV2=y
# EAP-TLS
CONFIG_EAP_TLS=y
# EAL-PEAP
CONFIG_EAP_PEAP=y
# EAP-TTLS
CONFIG_EAP_TTLS=y
# EAP-FAST
# Note: If OpenSSL is used as the TLS library, OpenSSL 1.0 or newer is needed
# for EAP-FAST support. Older OpenSSL releases would need to be patched, e.g.,
# with openssl-0.9.8x-tls-extensions.patch, to add the needed functions.
CONFIG_EAP_FAST=y
# EAP-TEAP
# Note: The current EAP-TEAP implementation is experimental and should not be
# enabled for production use. The IETF RFC 7170 that defines EAP-TEAP has number
# of conflicting statements and missing details and the implementation has
# vendor specific workarounds for those and as such, may not interoperate with
# any other implementation. This should not be used for anything else than
# experimentation and interoperability testing until those issues has been
# resolved.
#CONFIG_EAP_TEAP=y
# EAP-GTC
CONFIG_EAP_GTC=y
# EAP-OTP
CONFIG_EAP_OTP=y
# EAP-SIM (enable CONFIG_PCSC, if EAP-SIM is used)
#CONFIG_EAP_SIM=y
# Enable SIM simulator (Milenage) for EAP-SIM
#CONFIG_SIM_SIMULATOR=y
# EAP-PSK (experimental; this is _not_ needed for WPA-PSK)
#CONFIG_EAP_PSK=y
# EAP-pwd (secure authentication using only a password)
#CONFIG_EAP_PWD=y
# EAP-PAX
CONFIG_EAP_PAX=y
# LEAP
CONFIG_EAP_LEAP=y
# EAP-AKA (enable CONFIG_PCSC, if EAP-AKA is used)
CONFIG_EAP_AKA=y
# EAP-AKA' (enable CONFIG_PCSC, if EAP-AKA' is used).
# This requires CONFIG_EAP_AKA to be enabled, too.
#CONFIG_EAP_AKA_PRIME=y
# Enable USIM simulator (Milenage) for EAP-AKA
#CONFIG_USIM_SIMULATOR=y
# EAP-SAKE
CONFIG_EAP_SAKE=y
# EAP-GPSK
CONFIG_EAP_GPSK=y
# Include support for optional SHA256 cipher suite in EAP-GPSK
CONFIG_EAP_GPSK_SHA256=y
# EAP-TNC and related Trusted Network Connect support (experimental)
CONFIG_EAP_TNC=y
# Wi-Fi Protected Setup (WPS)
CONFIG_WPS=y
# Enable WPS external registrar functionality
#CONFIG_WPS_ER=y
# Disable credentials for an open network by default when acting as a WPS
# registrar.
#CONFIG_WPS_REG_DISABLE_OPEN=y
# Enable WPS support with NFC config method
#CONFIG_WPS_NFC=y
# EAP-IKEv2
CONFIG_EAP_IKEV2=y
# EAP-EKE
#CONFIG_EAP_EKE=y
# MACsec
CONFIG_MACSEC=y
# Peerkey support:
CONFIG_PEERKEY=y
# PKCS#12 (PFX) support (used to read private key and certificate file from
# a file that usually has extension .p12 or .pfx)
CONFIG_PKCS12=y
# Smartcard support (i.e., private key on a smartcard), e.g., with openssl
# engine.
CONFIG_SMARTCARD=y
# PC/SC interface for smartcards (USIM, GSM SIM)
# Enable this if EAP-SIM or EAP-AKA is included
#CONFIG_PCSC=y
# Support HT overrides (disable HT/HT40, mask MCS rates, etc.)
#CONFIG_HT_OVERRIDES=y
# Support VHT overrides (disable VHT, mask MCS rates, etc.)
#CONFIG_VHT_OVERRIDES=y
# Development testing
#CONFIG_EAPOL_TEST=y
# Select control interface backend for external programs, e.g, wpa_cli:
# unix = UNIX domain sockets (default for Linux/*BSD)
# udp = UDP sockets using localhost (127.0.0.1)
# udp6 = UDP IPv6 sockets using localhost (::1)
# named_pipe = Windows Named Pipe (default for Windows)
# udp-remote = UDP sockets with remote access (only for tests systems/purpose)
# udp6-remote = UDP IPv6 sockets with remote access (only for tests purpose)
# y = use default (backwards compatibility)
# If this option is commented out, control interface is not included in the
# build.
CONFIG_CTRL_IFACE=y
# Include support for GNU Readline and History Libraries in wpa_cli.
# When building a wpa_cli binary for distribution, please note that these
# libraries are licensed under GPL and as such, BSD license may not apply for
# the resulting binary.
CONFIG_READLINE=y
# Include internal line edit mode in wpa_cli. This can be used as a replacement
# for GNU Readline to provide limited command line editing and history support.
#CONFIG_WPA_CLI_EDIT=y
# Remove debugging code that is printing out debug message to stdout.
# This can be used to reduce the size of the wpa_supplicant considerably
# if debugging code is not needed. The size reduction can be around 35%
# (e.g., 90 kB).
#CONFIG_NO_STDOUT_DEBUG=y
# Remove WPA support, e.g., for wired-only IEEE 802.1X supplicant, to save
# 35-50 kB in code size.
#CONFIG_NO_WPA=y
# Remove IEEE 802.11i/WPA-Personal ASCII passphrase support
# This option can be used to reduce code size by removing support for
# converting ASCII passphrases into PSK. If this functionality is removed, the
# PSK can only be configured as the 64-octet hexstring (e.g., from
# wpa_passphrase). This saves about 0.5 kB in code size.
#CONFIG_NO_WPA_PASSPHRASE=y
# Simultaneous Authentication of Equals (SAE), WPA3-Personal
CONFIG_SAE=y
# WPA3-Enterprise (SuiteB-192)
CONFIG_SUITEB=y
CONFIG_SUITEB192=y
# Disable scan result processing (ap_mode=1) to save code size by about 1 kB.
# This can be used if ap_scan=1 mode is never enabled.
#CONFIG_NO_SCAN_PROCESSING=y
# Select configuration backend:
# file = text file (e.g., wpa_supplicant.conf; note: the configuration file
# path is given on command line, not here; this option is just used to
# select the backend that allows configuration files to be used)
# winreg = Windows registry (see win_example.reg for an example)
CONFIG_BACKEND=file
# Remove configuration write functionality (i.e., to allow the configuration
# file to be updated based on runtime configuration changes). The runtime
# configuration can still be changed, the changes are just not going to be
# persistent over restarts. This option can be used to reduce code size by
# about 3.5 kB.
#CONFIG_NO_CONFIG_WRITE=y
# Remove support for configuration blobs to reduce code size by about 1.5 kB.
#CONFIG_NO_CONFIG_BLOBS=y
# Select program entry point implementation:
# main = UNIX/POSIX like main() function (default)
# main_winsvc = Windows service (read parameters from registry)
# main_none = Very basic example (development use only)
#CONFIG_MAIN=main
# Select wrapper for operating system and C library specific functions
# unix = UNIX/POSIX like systems (default)
# win32 = Windows systems
# none = Empty template
#CONFIG_OS=unix
# Select event loop implementation
# eloop = select() loop (default)
# eloop_win = Windows events and WaitForMultipleObject() loop
#CONFIG_ELOOP=eloop
# Should we use poll instead of select? Select is used by default.
#CONFIG_ELOOP_POLL=y
# Should we use epoll instead of select? Select is used by default.
#CONFIG_ELOOP_EPOLL=y
# Should we use kqueue instead of select? Select is used by default.
#CONFIG_ELOOP_KQUEUE=y
# Select layer 2 packet implementation
# linux = Linux packet socket (default)
# pcap = libpcap/libdnet/WinPcap
# freebsd = FreeBSD libpcap
# winpcap = WinPcap with receive thread
# ndis = Windows NDISUIO (note: requires CONFIG_USE_NDISUIO=y)
# none = Empty template
#CONFIG_L2_PACKET=linux
# Disable Linux packet socket workaround applicable for station interface
# in a bridge for EAPOL frames. This should be uncommented only if the kernel
# is known to not have the regression issue in packet socket behavior with
# bridge interfaces (commit 'bridge: respect RFC2863 operational state')').
#CONFIG_NO_LINUX_PACKET_SOCKET_WAR=y
# IEEE 802.11w (management frame protection), also known as PMF
# Driver support is also needed for IEEE 802.11w.
CONFIG_IEEE80211W=y
# Support Operating Channel Validation
#CONFIG_OCV=y
# Select TLS implementation
# openssl = OpenSSL (default)
# gnutls = GnuTLS
# internal = Internal TLSv1 implementation (experimental)
# linux = Linux kernel AF_ALG and internal TLSv1 implementation (experimental)
# none = Empty template
CONFIG_TLS=openssl
# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1)
# can be enabled to get a stronger construction of messages when block ciphers
# are used. It should be noted that some existing TLS v1.0 -based
# implementation may not be compatible with TLS v1.1 message (ClientHello is
# sent prior to negotiating which version will be used)
CONFIG_TLSV11=y
# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2)
# can be enabled to enable use of stronger crypto algorithms. It should be
# noted that some existing TLS v1.0 -based implementation may not be compatible
# with TLS v1.2 message (ClientHello is sent prior to negotiating which version
# will be used)
#CONFIG_TLSV12=y
# Select which ciphers to use by default with OpenSSL if the user does not
# specify them.
#CONFIG_TLS_DEFAULT_CIPHERS="PROFILE=SYSTEM:3DES"
CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT@SECLEVEL=1"
# If CONFIG_TLS=internal is used, additional library and include paths are
# needed for LibTomMath. Alternatively, an integrated, minimal version of
# LibTomMath can be used. See beginning of libtommath.c for details on benefits
# and drawbacks of this option.
#CONFIG_INTERNAL_LIBTOMMATH=y
#ifndef CONFIG_INTERNAL_LIBTOMMATH
#LTM_PATH=/usr/src/libtommath-0.39
#CFLAGS += -I$(LTM_PATH)
#LIBS += -L$(LTM_PATH)
#LIBS_p += -L$(LTM_PATH)
#endif
# At the cost of about 4 kB of additional binary size, the internal LibTomMath
# can be configured to include faster routines for exptmod, sqr, and div to
# speed up DH and RSA calculation considerably
#CONFIG_INTERNAL_LIBTOMMATH_FAST=y
# Include NDIS event processing through WMI into wpa_supplicant/wpasvc.
# This is only for Windows builds and requires WMI-related header files and
# WbemUuid.Lib from Platform SDK even when building with MinGW.
#CONFIG_NDIS_EVENTS_INTEGRATED=y
#PLATFORMSDKLIB="/opt/Program Files/Microsoft Platform SDK/Lib"
# Add support for old DBus control interface
# (fi.epitest.hostap.WPASupplicant)
CONFIG_CTRL_IFACE_DBUS=y
# Add support for new DBus control interface
# (fi.w1.hostap.wpa_supplicant1)
CONFIG_CTRL_IFACE_DBUS_NEW=y
# Add introspection support for new DBus control interface
CONFIG_CTRL_IFACE_DBUS_INTRO=y
# Add support for loading EAP methods dynamically as shared libraries.
# When this option is enabled, each EAP method can be either included
# statically (CONFIG_EAP_<method>=y) or dynamically (CONFIG_EAP_<method>=dyn).
# Dynamic EAP methods are build as shared objects (eap_*.so) and they need to
# be loaded in the beginning of the wpa_supplicant configuration file
# (see load_dynamic_eap parameter in the example file) before being used in
# the network blocks.
#
# Note that some shared parts of EAP methods are included in the main program
# and in order to be able to use dynamic EAP methods using these parts, the
# main program must have been build with the EAP method enabled (=y or =dyn).
# This means that EAP-TLS/PEAP/TTLS/FAST cannot be added as dynamic libraries
# unless at least one of them was included in the main build to force inclusion
# of the shared code. Similarly, at least one of EAP-SIM/AKA must be included
# in the main build to be able to load these methods dynamically.
#
# Please also note that using dynamic libraries will increase the total binary
# size. Thus, it may not be the best option for targets that have limited
# amount of memory/flash.
#CONFIG_DYNAMIC_EAP_METHODS=y
# IEEE Std 802.11r-2008 (Fast BSS Transition) for station mode
CONFIG_IEEE80211R=y
# Add support for writing debug log to a file (/tmp/wpa_supplicant-log-#.txt)
CONFIG_DEBUG_FILE=y
# Send debug messages to syslog instead of stdout
CONFIG_DEBUG_SYSLOG=y
# Set syslog facility for debug messages
#CONFIG_DEBUG_SYSLOG_FACILITY=LOG_DAEMON
# Add support for sending all debug messages (regardless of debug verbosity)
# to the Linux kernel tracing facility. This helps debug the entire stack by
# making it easy to record everything happening from the driver up into the
# same file, e.g., using trace-cmd.
#CONFIG_DEBUG_LINUX_TRACING=y
# Add support for writing debug log to Android logcat instead of standard
# output
#CONFIG_ANDROID_LOG=y
# Enable privilege separation (see README 'Privilege separation' for details)
#CONFIG_PRIVSEP=y
# Enable mitigation against certain attacks against TKIP by delaying Michael
# MIC error reports by a random amount of time between 0 and 60 seconds
#CONFIG_DELAYED_MIC_ERROR_REPORT=y
# Enable tracing code for developer debugging
# This tracks use of memory allocations and other registrations and reports
# incorrect use with a backtrace of call (or allocation) location.
#CONFIG_WPA_TRACE=y
# For BSD, uncomment these.
#LIBS += -lexecinfo
#LIBS_p += -lexecinfo
#LIBS_c += -lexecinfo
# Use libbfd to get more details for developer debugging
# This enables use of libbfd to get more detailed symbols for the backtraces
# generated by CONFIG_WPA_TRACE=y.
#CONFIG_WPA_TRACE_BFD=y
# For BSD, uncomment these.
#LIBS += -lbfd -liberty -lz
#LIBS_p += -lbfd -liberty -lz
#LIBS_c += -lbfd -liberty -lz
# wpa_supplicant depends on strong random number generation being available
# from the operating system. os_get_random() function is used to fetch random
# data when needed, e.g., for key generation. On Linux and BSD systems, this
# works by reading /dev/urandom. It should be noted that the OS entropy pool
# needs to be properly initialized before wpa_supplicant is started. This is
# important especially on embedded devices that do not have a hardware random
# number generator and may by default start up with minimal entropy available
# for random number generation.
#
# As a safety net, wpa_supplicant is by default trying to internally collect
# additional entropy for generating random data to mix in with the data fetched
# from the OS. This by itself is not considered to be very strong, but it may
# help in cases where the system pool is not initialized properly. However, it
# is very strongly recommended that the system pool is initialized with enough
# entropy either by using hardware assisted random number generator or by
# storing state over device reboots.
#
# wpa_supplicant can be configured to maintain its own entropy store over
# restarts to enhance random number generation. This is not perfect, but it is
# much more secure than using the same sequence of random numbers after every
# reboot. This can be enabled with -e<entropy file> command line option. The
# specified file needs to be readable and writable by wpa_supplicant.
#
# If the os_get_random() is known to provide strong random data (e.g., on
# Linux/BSD, the board in question is known to have reliable source of random
# data from /dev/urandom), the internal wpa_supplicant random pool can be
# disabled. This will save some in binary size and CPU use. However, this
# should only be considered for builds that are known to be used on devices
# that meet the requirements described above.
#CONFIG_NO_RANDOM_POOL=y
# Should we attempt to use the getrandom(2) call that provides more reliable
# yet secure randomness source than /dev/random on Linux 3.17 and newer.
# Requires glibc 2.25 to build, falls back to /dev/random if unavailable.
#CONFIG_GETRANDOM=y
# IEEE 802.11n (High Throughput) support (mainly for AP mode)
CONFIG_IEEE80211N=y
# IEEE 802.11ac (Very High Throughput) support (mainly for AP mode)
# (depends on CONFIG_IEEE80211N)
CONFIG_IEEE80211AC=y
# Wireless Network Management (IEEE Std 802.11v-2011)
# Note: This is experimental and not complete implementation.
#CONFIG_WNM=y
# Interworking (IEEE 802.11u)
# This can be used to enable functionality to improve interworking with
# external networks (GAS/ANQP to learn more about the networks and network
# selection based on available credentials).
#CONFIG_INTERWORKING=y
# Hotspot 2.0
#CONFIG_HS20=y
# Enable interface matching in wpa_supplicant
#CONFIG_MATCH_IFACE=y
# Disable roaming in wpa_supplicant
#CONFIG_NO_ROAMING=y
# AP mode operations with wpa_supplicant
# This can be used for controlling AP mode operations with wpa_supplicant. It
# should be noted that this is mainly aimed at simple cases like
# WPA2-Personal while more complex configurations like WPA2-Enterprise with an
# external RADIUS server can be supported with hostapd.
CONFIG_AP=y
# P2P (Wi-Fi Direct)
# This can be used to enable P2P support in wpa_supplicant. See README-P2P for
# more information on P2P operations.
CONFIG_P2P=y
# Enable TDLS support
#CONFIG_TDLS=y
# Wi-Fi Display
# This can be used to enable Wi-Fi Display extensions for P2P using an external
# program to control the additional information exchanges in the messages.
CONFIG_WIFI_DISPLAY=y
# Autoscan
# This can be used to enable automatic scan support in wpa_supplicant.
# See wpa_supplicant.conf for more information on autoscan usage.
#
# Enabling directly a module will enable autoscan support.
# For exponential module:
#CONFIG_AUTOSCAN_EXPONENTIAL=y
# For periodic module:
#CONFIG_AUTOSCAN_PERIODIC=y
# Password (and passphrase, etc.) backend for external storage
# These optional mechanisms can be used to add support for storing passwords
# and other secrets in external (to wpa_supplicant) location. This allows, for
# example, operating system specific key storage to be used
#
# External password backend for testing purposes (developer use)
#CONFIG_EXT_PASSWORD_TEST=y
# Enable Fast Session Transfer (FST)
#CONFIG_FST=y
# Enable CLI commands for FST testing
#CONFIG_FST_TEST=y
# OS X builds. This is only for building eapol_test.
#CONFIG_OSX=y
# Automatic Channel Selection
# This will allow wpa_supplicant to pick the channel automatically when channel
# is set to "0".
#
# TODO: Extend parser to be able to parse "channel=acs_survey" as an alternative
# to "channel=0". This would enable us to eventually add other ACS algorithms in
# similar way.
#
# Automatic selection is currently only done through initialization, later on
# we hope to do background checks to keep us moving to more ideal channels as
# time goes by. ACS is currently only supported through the nl80211 driver and
# your driver must have survey dump capability that is filled by the driver
# during scanning.
#
# TODO: In analogy to hostapd be able to customize the ACS survey algorithm with
# a newly to create wpa_supplicant.conf variable acs_num_scans.
#
# Supported ACS drivers:
# * ath9k
# * ath5k
# * ath10k
#
# For more details refer to:
# http://wireless.kernel.org/en/users/Documentation/acs
#CONFIG_ACS=y
# Support Multi Band Operation
#CONFIG_MBO=y
# Fast Initial Link Setup (FILS) (IEEE 802.11ai)
# Note: This is an experimental and not yet complete implementation. This
# should not be enabled for production use.
#CONFIG_FILS=y
# FILS shared key authentication with PFS
#CONFIG_FILS_SK_PFS=y
# Support RSN on IBSS networks
# This is needed to be able to use mode=1 network profile with proto=RSN and
# key_mgmt=WPA-PSK (i.e., full key management instead of WPA-None).
CONFIG_IBSS_RSN=y
# External PMKSA cache control
# This can be used to enable control interface commands that allow the current
# PMKSA cache entries to be fetched and new entries to be added.
#CONFIG_PMKSA_CACHE_EXTERNAL=y
# Mesh Networking (IEEE 802.11s)
#CONFIG_MESH=y
# Background scanning modules
# These can be used to request wpa_supplicant to perform background scanning
# operations for roaming within an ESS (same SSID). See the bgscan parameter in
# the wpa_supplicant.conf file for more details.
# Periodic background scans based on signal strength
CONFIG_BGSCAN_SIMPLE=y
# Learn channels used by the network and try to avoid bgscans on other
# channels (experimental)
#CONFIG_BGSCAN_LEARN=y
# Opportunistic Wireless Encryption (OWE)
# Experimental implementation of draft-harkins-owe-07.txt
#CONFIG_OWE=y
# Device Provisioning Protocol (DPP)
# This requires CONFIG_IEEE80211W=y to be enabled, too. (see
# wpa_supplicant/README-DPP for details)
CONFIG_DPP=y

View file

@ -0,0 +1,8 @@
[Desktop Entry]
Name=wpa_gui
Comment[en]=Wpa_supplicant management
TryExec=kdesu
Exec=kdesu wpa_gui
Icon=wpa_gui
Type=Application
Categories=Qt;Network;

Binary file not shown.

After

Width:  |  Height:  |  Size: 5 KiB

View file

@ -0,0 +1,2 @@
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=root

View file

@ -0,0 +1,6 @@
/var/log/wpa_supplicant.log {
missingok
notifempty
size 30k
create 0600 root root
}

View file

@ -0,0 +1,15 @@
config() {
NEW="$1"
OLD="$(dirname $NEW)/$(basename $NEW .new)"
# If there's no config file by that name, mv it over:
if [ ! -r $OLD ]; then
mv $NEW $OLD
elif [ "$(cat $OLD | md5sum)" = "$(cat $NEW | md5sum)" ]; then
# toss the redundant copy
rm $NEW
fi
# Otherwise, we leave the .new copy for the admin to consider...
}
config etc/wpa_supplicant.conf.new
config etc/logrotate.d/wpa_supplicant.new

View file

@ -0,0 +1,210 @@
From 8e6485a1bcb0baffdea9e55255a81270b768439c Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Sat, 8 Jul 2023 19:55:32 +0300
Subject: PEAP client: Update Phase 2 authentication requirements
The previous PEAP client behavior allowed the server to skip Phase 2
authentication with the expectation that the server was authenticated
during Phase 1 through TLS server certificate validation. Various PEAP
specifications are not exactly clear on what the behavior on this front
is supposed to be and as such, this ended up being more flexible than
the TTLS/FAST/TEAP cases. However, this is not really ideal when
unfortunately common misconfiguration of PEAP is used in deployed
devices where the server trust root (ca_cert) is not configured or the
user has an easy option for allowing this validation step to be skipped.
Change the default PEAP client behavior to be to require Phase 2
authentication to be successfully completed for cases where TLS session
resumption is not used and the client certificate has not been
configured. Those two exceptions are the main cases where a deployed
authentication server might skip Phase 2 and as such, where a more
strict default behavior could result in undesired interoperability
issues. Requiring Phase 2 authentication will end up disabling TLS
session resumption automatically to avoid interoperability issues.
Allow Phase 2 authentication behavior to be configured with a new phase1
configuration parameter option:
'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
tunnel) behavior for PEAP:
* 0 = do not require Phase 2 authentication
* 1 = require Phase 2 authentication when client certificate
(private_key/client_cert) is no used and TLS session resumption was
not used (default)
* 2 = require Phase 2 authentication in all cases
Signed-off-by: Jouni Malinen <j@w1.fi>
---
src/eap_peer/eap_config.h | 8 ++++++++
src/eap_peer/eap_peap.c | 40 +++++++++++++++++++++++++++++++++++---
src/eap_peer/eap_tls_common.c | 6 ++++++
src/eap_peer/eap_tls_common.h | 5 +++++
wpa_supplicant/wpa_supplicant.conf | 7 +++++++
5 files changed, 63 insertions(+), 3 deletions(-)
diff --git a/src/eap_peer/eap_config.h b/src/eap_peer/eap_config.h
index 26744ab68..58d5a1359 100644
--- a/src/eap_peer/eap_config.h
+++ b/src/eap_peer/eap_config.h
@@ -471,6 +471,14 @@ struct eap_peer_config {
* 1 = use cryptobinding if server supports it
* 2 = require cryptobinding
*
+ * phase2_auth option can be used to control Phase 2 (i.e., within TLS
+ * tunnel) behavior for PEAP:
+ * 0 = do not require Phase 2 authentication
+ * 1 = require Phase 2 authentication when client certificate
+ * (private_key/client_cert) is no used and TLS session resumption was
+ * not used (default)
+ * 2 = require Phase 2 authentication in all cases
+ *
* EAP-WSC (WPS) uses following options: pin=Device_Password and
* uuid=Device_UUID
*
diff --git a/src/eap_peer/eap_peap.c b/src/eap_peer/eap_peap.c
index 12e30df29..608069719 100644
--- a/src/eap_peer/eap_peap.c
+++ b/src/eap_peer/eap_peap.c
@@ -67,6 +67,7 @@ struct eap_peap_data {
u8 cmk[20];
int soh; /* Whether IF-TNCCS-SOH (Statement of Health; Microsoft NAP)
* is enabled. */
+ enum { NO_AUTH, FOR_INITIAL, ALWAYS } phase2_auth;
};
@@ -114,6 +115,19 @@ static void eap_peap_parse_phase1(struct eap_peap_data *data,
wpa_printf(MSG_DEBUG, "EAP-PEAP: Require cryptobinding");
}
+ if (os_strstr(phase1, "phase2_auth=0")) {
+ data->phase2_auth = NO_AUTH;
+ wpa_printf(MSG_DEBUG,
+ "EAP-PEAP: Do not require Phase 2 authentication");
+ } else if (os_strstr(phase1, "phase2_auth=1")) {
+ data->phase2_auth = FOR_INITIAL;
+ wpa_printf(MSG_DEBUG,
+ "EAP-PEAP: Require Phase 2 authentication for initial connection");
+ } else if (os_strstr(phase1, "phase2_auth=2")) {
+ data->phase2_auth = ALWAYS;
+ wpa_printf(MSG_DEBUG,
+ "EAP-PEAP: Require Phase 2 authentication for all cases");
+ }
#ifdef EAP_TNC
if (os_strstr(phase1, "tnc=soh2")) {
data->soh = 2;
@@ -142,6 +156,7 @@ static void * eap_peap_init(struct eap_sm *sm)
data->force_peap_version = -1;
data->peap_outer_success = 2;
data->crypto_binding = OPTIONAL_BINDING;
+ data->phase2_auth = FOR_INITIAL;
if (config && config->phase1)
eap_peap_parse_phase1(data, config->phase1);
@@ -454,6 +469,20 @@ static int eap_tlv_validate_cryptobinding(struct eap_sm *sm,
}
+static bool peap_phase2_sufficient(struct eap_sm *sm,
+ struct eap_peap_data *data)
+{
+ if ((data->phase2_auth == ALWAYS ||
+ (data->phase2_auth == FOR_INITIAL &&
+ !tls_connection_resumed(sm->ssl_ctx, data->ssl.conn) &&
+ !data->ssl.client_cert_conf) ||
+ data->phase2_eap_started) &&
+ !data->phase2_eap_success)
+ return false;
+ return true;
+}
+
+
/**
* eap_tlv_process - Process a received EAP-TLV message and generate a response
* @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
@@ -568,6 +597,11 @@ static int eap_tlv_process(struct eap_sm *sm, struct eap_peap_data *data,
" - force failed Phase 2");
resp_status = EAP_TLV_RESULT_FAILURE;
ret->decision = DECISION_FAIL;
+ } else if (!peap_phase2_sufficient(sm, data)) {
+ wpa_printf(MSG_INFO,
+ "EAP-PEAP: Server indicated Phase 2 success, but sufficient Phase 2 authentication has not been completed");
+ resp_status = EAP_TLV_RESULT_FAILURE;
+ ret->decision = DECISION_FAIL;
} else {
resp_status = EAP_TLV_RESULT_SUCCESS;
ret->decision = DECISION_UNCOND_SUCC;
@@ -887,8 +921,7 @@ continue_req:
/* EAP-Success within TLS tunnel is used to indicate
* shutdown of the TLS channel. The authentication has
* been completed. */
- if (data->phase2_eap_started &&
- !data->phase2_eap_success) {
+ if (!peap_phase2_sufficient(sm, data)) {
wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 "
"Success used to indicate success, "
"but Phase 2 EAP was not yet "
@@ -1199,8 +1232,9 @@ static struct wpabuf * eap_peap_process(struct eap_sm *sm, void *priv,
static bool eap_peap_has_reauth_data(struct eap_sm *sm, void *priv)
{
struct eap_peap_data *data = priv;
+
return tls_connection_established(sm->ssl_ctx, data->ssl.conn) &&
- data->phase2_success;
+ data->phase2_success && data->phase2_auth != ALWAYS;
}
diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c
index 6193b4bdb..966cbd6c7 100644
--- a/src/eap_peer/eap_tls_common.c
+++ b/src/eap_peer/eap_tls_common.c
@@ -242,6 +242,12 @@ static int eap_tls_params_from_conf(struct eap_sm *sm,
sm->ext_cert_check = !!(params->flags & TLS_CONN_EXT_CERT_CHECK);
+ if (!phase2)
+ data->client_cert_conf = params->client_cert ||
+ params->client_cert_blob ||
+ params->private_key ||
+ params->private_key_blob;
+
return 0;
}
diff --git a/src/eap_peer/eap_tls_common.h b/src/eap_peer/eap_tls_common.h
index 9ac00121f..334863413 100644
--- a/src/eap_peer/eap_tls_common.h
+++ b/src/eap_peer/eap_tls_common.h
@@ -79,6 +79,11 @@ struct eap_ssl_data {
* tls_v13 - Whether TLS v1.3 or newer is used
*/
int tls_v13;
+
+ /**
+ * client_cert_conf: Whether client certificate has been configured
+ */
+ bool client_cert_conf;
};
diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
index f0b82443e..1b09f57d3 100644
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -1370,6 +1370,13 @@ fast_reauth=1
# * 0 = do not use cryptobinding (default)
# * 1 = use cryptobinding if server supports it
# * 2 = require cryptobinding
+# 'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
+# tunnel) behavior for PEAP:
+# * 0 = do not require Phase 2 authentication
+# * 1 = require Phase 2 authentication when client certificate
+# (private_key/client_cert) is no used and TLS session resumption was
+# not used (default)
+# * 2 = require Phase 2 authentication in all cases
# EAP-WSC (WPS) uses following options: pin=<Device Password> or
# pbc=1.
#
--
cgit v1.2.3-18-g5258

View file

@ -0,0 +1,22 @@
From: Andrej Shadura <andrewsh@debian.org>
Subject: Enable TLSv1.0 by default
OpenSSL 1.1.1 disables TLSv1.0 by default and sets the security level to 2.
Some older networks may support for TLSv1.0 and less secure cyphers.
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -988,6 +988,13 @@
os_free(data);
return NULL;
}
+
+#ifndef EAP_SERVER_TLS
+ /* Enable TLSv1.0 by default to allow connecting to legacy
+ * networks since Debian OpenSSL is set to minimum TLSv1.2 and SECLEVEL=2. */
+ SSL_CTX_set_min_proto_version(ssl, TLS1_VERSION);
+#endif
+
data->ssl = ssl;
if (conf)
data->tls_session_lifetime = conf->tls_session_lifetime;

View file

@ -0,0 +1,41 @@
From 9404f356e394604d1d3d6dbffc52abd54260e4d4 Mon Sep 17 00:00:00 2001
From: Lubomir Rintel <lkundrak@v3.sk>
Date: Tue, 27 Oct 2015 08:56:35 +0100
Subject: [PATCH] wpa_supplicant: allow overriding the names of the Qt4 tools
This is useful for distributions that ship different versions of Qt in
different locations.
---
wpa_supplicant/Makefile | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
index ad9ead9..b19676d 100644
--- a/wpa_supplicant/Makefile
+++ b/wpa_supplicant/Makefile
@@ -11,6 +11,9 @@ export INCDIR ?= /usr/local/include/
export BINDIR ?= /usr/local/sbin/
PKG_CONFIG ?= pkg-config
+QMAKE ?= qmake
+LRELEASE ?= lrelease
+
CFLAGS += $(EXTRA_CFLAGS)
CFLAGS += -I$(abspath ../src)
CFLAGS += -I$(abspath ../src/utils)
@@ -1787,10 +1790,10 @@ wpa_gui:
@echo "wpa_gui has been removed - see wpa_gui-qt4 for replacement"
wpa_gui-qt4/Makefile:
- qmake -o wpa_gui-qt4/Makefile wpa_gui-qt4/wpa_gui.pro
+ $(QMAKE) -o wpa_gui-qt4/Makefile wpa_gui-qt4/wpa_gui.pro
wpa_gui-qt4/lang/wpa_gui_de.qm: wpa_gui-qt4/lang/wpa_gui_de.ts
- lrelease wpa_gui-qt4/wpa_gui.pro
+ $(LRELEASE) wpa_gui-qt4/wpa_gui.pro
wpa_gui-qt4: wpa_gui-qt4/Makefile wpa_gui-qt4/lang/wpa_gui_de.qm
$(MAKE) -C wpa_gui-qt4
--
2.6.2

View file

@ -0,0 +1,30 @@
From 763a4ef660e2bd81f6cdc71a2f29a0a3e71b2ebc Mon Sep 17 00:00:00 2001
From: Dan Williams <dcbw@redhat.com>
Date: Tue, 22 Nov 2016 15:48:17 +0100
Subject: [PATCH 1/2] quiet an annoying and frequent syslog message
---
wpa_supplicant/events.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c
index abe3b47..72a0412 100644
--- a/wpa_supplicant/events.c
+++ b/wpa_supplicant/events.c
@@ -1555,11 +1555,11 @@ static int _wpa_supplicant_event_scan_results(struct wpa_supplicant *wpa_s,
if (wpa_s->last_scan_req == MANUAL_SCAN_REQ &&
wpa_s->manual_scan_use_id && wpa_s->own_scan_running &&
own_request && !(data && data->scan_info.external_scan)) {
- wpa_msg_ctrl(wpa_s, MSG_INFO, WPA_EVENT_SCAN_RESULTS "id=%u",
+ wpa_msg_ctrl(wpa_s, MSG_DEBUG, WPA_EVENT_SCAN_RESULTS "id=%u",
wpa_s->manual_scan_id);
wpa_s->manual_scan_use_id = 0;
} else {
- wpa_msg_ctrl(wpa_s, MSG_INFO, WPA_EVENT_SCAN_RESULTS);
+ wpa_msg_ctrl(wpa_s, MSG_DEBUG, WPA_EVENT_SCAN_RESULTS);
}
wpas_notify_scan_results(wpa_s);
--
2.9.3

View file

@ -0,0 +1,18 @@
# HOW TO EDIT THIS FILE:
# The "handy ruler" below makes it easier to edit a package description. Line
# up the first '|' above the ':' following the base package name, and the '|'
# on the right side marks the last column you can put a character in. You must
# make exactly 11 lines for the formatting to be correct. It's also
# customary to leave one space after the ':'.
|-----handy-ruler------------------------------------------------------|
wpa_supplicant: wpa_supplicant (WPA/WPA2/IEEE 802.1X Supplicant)
wpa_supplicant:
wpa_supplicant: wpa_supplicant is a WPA Supplicant for Linux with support for WPA and
wpa_supplicant: WPA2 (IEEE 802.11i / RSN). Supplicant is the IEEE 802.1X/WPA
wpa_supplicant: component that is used in the client stations. It implements key
wpa_supplicant: negotiation with a WPA Authenticator and it controls the roaming and
wpa_supplicant: IEEE 802.11 authentication/association of the wlan driver.
wpa_supplicant:
wpa_supplicant: Homepage: http://hostap.epitest.fi/wpa_supplicant/
wpa_supplicant:
wpa_supplicant:

View file

@ -0,0 +1,190 @@
#!/bin/bash
# Copyright 2004-2008 Eric Hameleers, Eindhoven, NL
# Copyright 2008-2021 Patrick J. Volkerding, Sebeka, MN, USA
# All rights reserved.
#
# Redistribution and use of this script, with or without modification, is
# permitted provided that the following conditions are met:
#
# 1. Redistributions of this script must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
cd $(dirname $0) ; CWD=$(pwd)
PKGNAM=wpa_supplicant
VERSION=${VERSION:-$(echo $PKGNAM-*.tar.?z* | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
BUILD=${BUILD:-2_slack15.0}
SRCVERSION=$(printf $VERSION | tr _ -)
# Automatically determine the architecture we're building on:
if [ -z "$ARCH" ]; then
case "$( uname -m )" in
i?86) export ARCH=i586 ;;
arm*) export ARCH=arm ;;
# Unless $ARCH is already set, use uname -m for all other archs:
*) export ARCH=$( uname -m ) ;;
esac
fi
# If the variable PRINT_PACKAGE_NAME is set, then this script will report what
# the name of the created package would be, and then exit. This information
# could be useful to other scripts.
if [ ! -z "${PRINT_PACKAGE_NAME}" ]; then
echo "$PKGNAM-$VERSION-$ARCH-$BUILD.txz"
exit 0
fi
NUMJOBS=${NUMJOBS:-" -j$(expr $(nproc) + 1) "}
if [ "$ARCH" = "i586" ]; then
SLKCFLAGS="-O2 -march=i586 -mtune=i686"
LIBDIRSUFFIX=""
elif [ "$ARCH" = "s390" ]; then
SLKCFLAGS="-O2"
LIBDIRSUFFIX=""
elif [ "$ARCH" = "x86_64" ]; then
SLKCFLAGS="-O2 -fPIC"
LIBDIRSUFFIX="64"
elif [ "$ARCH" = "arm" ]; then
SLKCFLAGS="-O2 -march=armv4 -mtune=xscale"
LIBDIRSUFFIX=""
elif [ "$ARCH" = "armel" ]; then
SLKCFLAGS="-O2 -march=armv4t"
LIBDIRSUFFIX=""
else
SLKCFLAGS="-O2"
LIBDIRSUFFIX=""
fi
TMP=${TMP:-/tmp}
PKG=$TMP/package-$PKGNAM
rm -rf $PKG
mkdir -p $TMP $PKG
cd $TMP
rm -rf ${PKGNAM}-${SRCVERSION}
tar xvf $CWD/${PKGNAM}-${SRCVERSION}.tar.?z* || exit 1
cd ${PKGNAM}-${SRCVERSION}
chown -R root:root .
find . \
\( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \
-exec chmod 755 {} \+ -o \
\( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \
-exec chmod 644 {} \+
zcat $CWD/patches/wpa_supplicant-gui-qt4.patch.gz | patch -p1 --verbose || exit 1
zcat $CWD/patches/wpa_supplicant-quiet-scan-results-message.patch.gz | patch -p1 --verbose || exit 1
# Allow legacy tls to avoid breaking WPA2-Enterprise:
zcat $CWD/patches/allow-tlsv1.patch.gz | patch -p1 --verbose || exit 1
# CVE-2023-52160:
zcat $CWD/patches/8e6485a1bcb0baffdea9e55255a81270b768439c.patch.gz | patch -p1 --verbose || exit 1
cd wpa_supplicant
# Create the configuration file for building wpa_supplicant:
cat $CWD/config/dot.config > .config
# Build the usual binaries
CFLAGS="$SLKCFLAGS" \
make $NUMJOBS \
BINDIR=/usr/sbin \
LIBDIR=/usr/lib${LIBDIRSUFFIX} || exit 1
# Build the Qt5 GUI client
#The following directory name is labelled qt4, but is compatible with qt5.
#pushd wpa_gui-qt4 &&
#qmake wpa_gui.pro &&
#make &&
#popd
pushd wpa_gui-qt4
qmake-qt5 wpa_gui.pro
CFLAGS="$SLKCFLAGS" \
make $NUMJOBS \
BINDIR=/usr/sbin \
LIBDIR=/usr/lib${LIBDIRSUFFIX} || exit 1
popd
# Make sure man pages are built
make -C doc/docbook man
# This goes into the doc directory later on:
mv wpa_supplicant.conf wpa_supplicant.conf.sample
# Install binaries:
mkdir -p $PKG/usr/sbin $PKG/usr/bin
cp wpa_supplicant wpa_passphrase wpa_cli $PKG/usr/sbin/
cp wpa_gui-qt4/wpa_gui $PKG/usr/bin/
find $PKG | xargs file | grep -e "executable" -e "shared object" | grep ELF \
| cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null
# Install dbus configuration file:
mkdir -p $PKG/usr/share/dbus-1/system.d/
cp dbus/dbus-wpa_supplicant.conf \
$PKG/usr/share/dbus-1/system.d/dbus-wpa_supplicant.conf
mkdir -p $PKG/usr/share/dbus-1/system-services
install -m644 dbus/*.service $PKG/usr/share/dbus-1/system-services/
# Install a .desktop file and icon for wpa_gui:
# (converted from the wpa_gui.svg in the source)
mkdir -p $PKG/usr/share/{applications,pixmaps}
cat $CWD/config/wpa_gui.desktop > $PKG/usr/share/applications/wpa_gui.desktop
cat $CWD/config/wpa_gui.png > $PKG/usr/share/pixmaps/wpa_gui.png
# Install a logrotate config
mkdir -p $PKG/etc/logrotate.d
cat $CWD/config/wpa_supplicant.logrotate > $PKG/etc/logrotate.d/wpa_supplicant.new
# Install man pages:
for m in 5 8; do
mkdir -p $PKG/usr/man/man${m}
cp doc/docbook/*.${m} $PKG/usr/man/man${m}/
done
find $PKG/usr/man -type f -name "*.?" -exec gzip -9f {} \+
# Install a default configuration file (only readable by root):
mkdir -p $PKG/etc
cat $CWD/config/wpa_supplicant.conf > $PKG/etc/wpa_supplicant.conf.new
chmod 600 $PKG/etc/wpa_supplicant.conf.new
mkdir -p $PKG/usr/doc/$PKGNAM-$VERSION
cp -a \
ChangeLog ../COPYING README README-{P2P,WPS} examples *.txt *.sample $CWD/README.slackware \
$PKG/usr/doc/$PKGNAM-$VERSION
chown -R root:root $PKG/usr/doc/$PKGNAM-$VERSION/*
chmod -R a-w $PKG/usr/doc/$PKGNAM-$VERSION/*
# If there's a ChangeLog, installing at least part of the recent history
# is useful, but don't let it get totally out of control:
if [ -r ChangeLog ]; then
DOCSDIR=$(echo $PKG/usr/doc/${PKGNAM}-$VERSION)
cat ChangeLog | head -n 1000 > $DOCSDIR/ChangeLog
touch -r ChangeLog $DOCSDIR/ChangeLog
fi
mkdir -p $PKG/install
cat $CWD/slack-desc > $PKG/install/slack-desc
zcat $CWD/doinst.sh.gz >> $PKG/install/doinst.sh
cd $PKG
/sbin/makepkg -l y -c n $TMP/${PKGNAM}-${VERSION}-${ARCH}-${BUILD}.txz

View file

@ -0,0 +1 @@
https://w1.fi/wpa_supplicant/

View file

@ -1362,6 +1362,11 @@ gzip ./patches/source/flac/flac.man.diff
gzip ./patches/source/libtiff/patches/CVE-2022-2056_2057_2058.patch
gzip ./patches/source/libtiff/patches/CVE-2022-34526.patch
gzip ./patches/source/libtiff/patches/CVE-2022-3970.patch
gzip ./patches/source/wpa_supplicant/patches/wpa_supplicant-quiet-scan-results-message.patch
gzip ./patches/source/wpa_supplicant/patches/wpa_supplicant-gui-qt4.patch
gzip ./patches/source/wpa_supplicant/patches/allow-tlsv1.patch
gzip ./patches/source/wpa_supplicant/patches/8e6485a1bcb0baffdea9e55255a81270b768439c.patch
gzip ./patches/source/wpa_supplicant/doinst.sh
gzip ./patches/source/php/php-fpm.conf.diff
gzip ./patches/source/php/CVE-2023-0662.patch
gzip ./patches/source/php/php.enchant-2.patch