Clone of https://github.com/NixOS/nixpkgs.git (to stress-test knotserver)

wpa_supplicant: 2.10 -> 2.11

Upstream Changes:
* Wi-Fi Easy Connect
- add support for DPP release 3
- allow Configurator parameters to be provided during config exchange
* MACsec
- add support for GCM-AES-256 cipher suite
- remove incorrect EAP Session-Id length constraint
- add hardware offload support for additional drivers
* HE/IEEE 802.11ax/Wi-Fi 6
- support BSS color updates
- various fixes
* EHT/IEEE 802.11be/Wi-Fi 7
- add preliminary support
* support OpenSSL 3.0 API changes
* improve EAP-TLS support for TLSv1.3
* EAP-SIM/AKA: support IMSI privacy
* improve mitigation against DoS attacks when PMF is used
* improve 4-way handshake operations
- discard unencrypted EAPOL frames in additional cases
- use Secure=1 in message 2 during PTK rekeying
* OCV: do not check Frequency Segment 1 Channel Number for 160 MHz cases
to avoid interoperability issues
* support new SAE AKM suites with variable length keys
* support new AKM for 802.1X/EAP with SHA384
* improve cross-AKM roaming with driver-based SME/BSS selection
* PASN
- extend support for secure ranging
- allow PASN implementation to be used with external programs for
Wi-Fi Aware
* FT: Use SHA256 to derive PMKID for AKM 00-0F-AC:3 (FT-EAP)
- this is based on additional details being added in the IEEE 802.11
standard
- the new implementation is not backwards compatible, but PMKSA
caching with FT-EAP was, and still is, disabled by default
* support a pregenerated MAC (mac_addr=3) as an alternative mechanism
for using per-network random MAC addresses
* EAP-PEAP: require Phase 2 authentication by default (phase2_auth=1)
to improve security for still unfortunately common invalid
configurations that do not set ca_cert
* extend SCS support for QoS Characteristics
* extend MSCS support
* support unsynchronized service discovery (USD)
* add support for explicit SSID protection in 4-way handshake
(a mitigation for CVE-2023-52424; disabled by default for now, can be
enabled with ssid_protection=1)
- in addition, verify SSID after key setup when beacon protection is
used
* fix SAE H2E rejected groups validation to avoid downgrade attacks
* a large number of other fixes, cleanup, and extensions

Changelog:
http://w1.fi/cgit/hostap/tree/wpa_supplicant/ChangeLog?id=d945ddd368085f255e68328f2d3b020ceea359af

Signed-off-by: Markus Theil <theil.markus@gmail.com>

+4 -177
-130
pkgs/os-specific/linux/wpa_supplicant/0001-Implement-read-only-mode-for-ssids.patch
··· 1 - From 99ae610f0ae3608a12c864caedf396f14e68327d Mon Sep 17 00:00:00 2001 2 - From: Maximilian Bosch <maximilian@mbosch.me> 3 - Date: Fri, 19 Feb 2021 19:44:21 +0100 4 - Subject: [PATCH] Implement read-only mode for ssids 5 - 6 - With this change it's possible to define `network=`-sections in a second 7 - config file specified via `-I` without having changes written to 8 - `/etc/wpa_supplicant.conf`. 9 - 10 - This is helpful on e.g. NixOS to allow both declarative (i.e. read-only) 11 - and imperative (i.e. mutable) networks. 12 - --- 13 - wpa_supplicant/config.h | 2 +- 14 - wpa_supplicant/config_file.c | 5 +++-- 15 - wpa_supplicant/config_none.c | 2 +- 16 - wpa_supplicant/config_ssid.h | 2 ++ 17 - wpa_supplicant/wpa_supplicant.c | 8 ++++---- 18 - 5 files changed, 11 insertions(+), 8 deletions(-) 19 - 20 - diff --git a/wpa_supplicant/config.h b/wpa_supplicant/config.h 21 - index 6a297ecfe..adaf4d398 100644 22 - --- a/wpa_supplicant/config.h 23 - +++ b/wpa_supplicant/config.h 24 - @@ -1614,7 +1614,7 @@ const char * wpa_config_get_global_field_name(unsigned int i, int *no_var); 25 - * 26 - * Each configuration backend needs to implement this function. 27 - */ 28 - -struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp); 29 - +struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp, int ro); 30 - 31 - /** 32 - * wpa_config_write - Write or update configuration data 33 - diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c 34 - index 77c326df5..d5ed051b9 100644 35 - --- a/wpa_supplicant/config_file.c 36 - +++ b/wpa_supplicant/config_file.c 37 - 
@@ -373,7 +373,7 @@ static int wpa_config_process_blob(struct wpa_config *config, FILE *f, 38 - #endif /* CONFIG_NO_CONFIG_BLOBS */ 39 - 40 - 41 - -struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp) 42 - +struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp, int ro) 43 - { 44 - FILE *f; 45 - char buf[512], *pos; 46 - @@ -415,6 +415,7 @@ struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp) 47 - while (wpa_config_get_line(buf, sizeof(buf), f, &line, &pos)) { 48 - if (os_strcmp(pos, "network={") == 0) { 49 - ssid = wpa_config_read_network(f, &line, id++); 50 - + ssid->ro = ro; 51 - if (ssid == NULL) { 52 - wpa_printf(MSG_ERROR, "Line %d: failed to " 53 - "parse network block.", line); 54 - @@ -1591,7 +1592,7 @@ int wpa_config_write(const char *name, struct wpa_config *config) 55 - } 56 - 57 - for (ssid = config->ssid; ssid; ssid = ssid->next) { 58 - - if (ssid->key_mgmt == WPA_KEY_MGMT_WPS || ssid->temporary) 59 - + if (ssid->key_mgmt == WPA_KEY_MGMT_WPS || ssid->temporary || ssid->ro) 60 - continue; /* do not save temporary networks */ 61 - if (wpa_key_mgmt_wpa_psk(ssid->key_mgmt) && !ssid->psk_set && 62 - !ssid->passphrase) 63 - diff --git a/wpa_supplicant/config_none.c b/wpa_supplicant/config_none.c 64 - index 2aac28fa3..02191b425 100644 65 - --- a/wpa_supplicant/config_none.c 66 - +++ b/wpa_supplicant/config_none.c 67 - @@ -17,7 +17,7 @@ 68 - #include "base64.h" 69 - 70 - 71 - -struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp) 72 - +struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp, int ro) 73 - { 74 - struct wpa_config *config; 75 - 76 - diff --git a/wpa_supplicant/config_ssid.h b/wpa_supplicant/config_ssid.h 77 - index d5c5c00a9..fd80c079c 100644 78 - --- a/wpa_supplicant/config_ssid.h 79 - +++ b/wpa_supplicant/config_ssid.h 80 - 
@@ -93,6 +93,8 @@ struct wpa_ssid { 81 - */ 82 - int id; 83 - 84 - + int ro; 85 - + 86 - /** 87 - * priority - Priority group 88 - * 89 - diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c 90 - index 911d79d17..cb0cb99b1 100644 91 - --- a/wpa_supplicant/wpa_supplicant.c 92 - +++ b/wpa_supplicant/wpa_supplicant.c 93 - @@ -1052,14 +1052,14 @@ int wpa_supplicant_reload_configuration(struct wpa_supplicant *wpa_s) 94 - 95 - if (wpa_s->confname == NULL) 96 - return -1; 97 - - conf = wpa_config_read(wpa_s->confname, NULL); 98 - + conf = wpa_config_read(wpa_s->confname, NULL, 0); 99 - if (conf == NULL) { 100 - wpa_msg(wpa_s, MSG_ERROR, "Failed to parse the configuration " 101 - "file '%s' - exiting", wpa_s->confname); 102 - return -1; 103 - } 104 - if (wpa_s->confanother && 105 - - !wpa_config_read(wpa_s->confanother, conf)) { 106 - + !wpa_config_read(wpa_s->confanother, conf, 1)) { 107 - wpa_msg(wpa_s, MSG_ERROR, 108 - "Failed to parse the configuration file '%s' - exiting", 109 - wpa_s->confanother); 110 - @@ -5638,7 +5638,7 @@ static int wpa_supplicant_init_iface(struct wpa_supplicant *wpa_s, 111 - #else /* CONFIG_BACKEND_FILE */ 112 - wpa_s->confname = os_strdup(iface->confname); 113 - #endif /* CONFIG_BACKEND_FILE */ 114 - - wpa_s->conf = wpa_config_read(wpa_s->confname, NULL); 115 - + wpa_s->conf = wpa_config_read(wpa_s->confname, NULL, 0); 116 - if (wpa_s->conf == NULL) { 117 - wpa_printf(MSG_ERROR, "Failed to read or parse " 118 - "configuration '%s'.", wpa_s->confname); 119 - @@ -5646,7 +5646,7 @@ static int wpa_supplicant_init_iface(struct wpa_supplicant *wpa_s, 120 - } 121 - wpa_s->confanother = os_rel2abs_path(iface->confanother); 122 - if (wpa_s->confanother && 123 - - !wpa_config_read(wpa_s->confanother, wpa_s->conf)) { 124 - + !wpa_config_read(wpa_s->confanother, wpa_s->conf, 1)) { 125 - wpa_printf(MSG_ERROR, 126 - "Failed to read or parse configuration '%s'.", 127 - wpa_s->confanother); 128 - -- 129 - 2.29.2 130 -
···
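Review bot: in the removed config_file.c hunk, `ssid->ro = ro;` was executed before the `if (ssid == NULL)` check, so a network block that failed to parse would have dereferenced NULL; dropping the patch removes that defect, but the aliases.nix shim in this same change claims the read-only SSID patches are "now upstream" while the quoted 2.11 changelog never lists the feature. Please cite the upstream hostap commit that adds the `-I` read-only handling in the commit message so reviewers can confirm the behaviour survives the upgrade rather than only the patch application.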
-32
pkgs/os-specific/linux/wpa_supplicant/Use-unique-IDs-for-networks-and-credentials.patch
··· 1 - The id and cred_id variables are reset to 0 every time the 2 - wpa_config_read function is called, which is fine as long as it is only 3 - called once. However, this is not the case when using both the -c and -I 4 - options to specify two config files. 5 - 6 - This is a problem because the GUI, since eadfeb0e93748eb396ae62012b92d21a7f533646, 7 - relies on the network IDs being unique (and increasing), and might get 8 - into an infinite loop otherwise. 9 - 10 - This is solved by simply making the variables static. 11 - --- 12 - wpa_supplicant/config_file.c | 4 ++-- 13 - 1 file changed, 2 insertions(+), 2 deletions(-) 14 - 15 - diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c 16 - index 6db5010db..c996e3916 100644 17 - --- a/wpa_supplicant/config_file.c 18 - +++ b/wpa_supplicant/config_file.c 19 - @@ -297,8 +297,8 @@ struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp) 20 - struct wpa_ssid *ssid, *tail, *head; 21 - struct wpa_cred *cred, *cred_tail, *cred_head; 22 - struct wpa_config *config; 23 - - int id = 0; 24 - - int cred_id = 0; 25 - + static int id = 0; 26 - + static int cred_id = 0; 27 - 28 - if (name == NULL) 29 - return NULL; 30 - -- 31 - 2.34.1 32 -
···
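Review bot: deleting Use-unique-IDs-for-networks-and-credentials.patch removes the `static int id` / `static int cred_id` fix, yet neither the commit message nor the quoted 2.11 changelog states that upstream stopped resetting the IDs when both `-c` and `-I` are given. Please reference the upstream change, or confirm that the wpa_gui infinite-loop scenario described in the patch header no longer reproduces with 2.11 and two config files.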
+3 -11
pkgs/os-specific/linux/wpa_supplicant/default.nix
··· 3 , dbusSupport ? !stdenv.hostPlatform.isStatic, dbus 4 , withReadline ? true, readline 5 , withPcsclite ? !stdenv.hostPlatform.isStatic, pcsclite 6 - , readOnlyModeSSIDs ? false 7 }: 8 9 with lib; 10 stdenv.mkDerivation rec { 11 - version = "2.10"; 12 13 pname = "wpa_supplicant"; 14 15 src = fetchurl { 16 url = "https://w1.fi/releases/${pname}-${version}.tar.gz"; 17 - sha256 = "sha256-IN965RVLODA1X4q0JpEjqHr/3qWf50/pKSqR0Nfhey8="; 18 }; 19 - 20 - patches = [ 21 - # Fix a bug when using two config files 22 - ./Use-unique-IDs-for-networks-and-credentials.patch 23 - ] ++ lib.optionals readOnlyModeSSIDs [ 24 - # Allow read-only networks 25 - ./0001-Implement-read-only-mode-for-ssids.patch 26 - ]; 27 28 # TODO: Patch epoll so that the dbus actually responds 29 # TODO: Figure out how to get privsep working, currently getting SIGBUS ··· 49 CONFIG_HT_OVERRIDES=y 50 CONFIG_IEEE80211AC=y 51 CONFIG_IEEE80211AX=y 52 CONFIG_IEEE80211N=y 53 CONFIG_IEEE80211R=y 54 CONFIG_IEEE80211W=y
··· 3 , dbusSupport ? !stdenv.hostPlatform.isStatic, dbus 4 , withReadline ? true, readline 5 , withPcsclite ? !stdenv.hostPlatform.isStatic, pcsclite 6 }: 7 8 with lib; 9 stdenv.mkDerivation rec { 10 + version = "2.11"; 11 12 pname = "wpa_supplicant"; 13 14 src = fetchurl { 15 url = "https://w1.fi/releases/${pname}-${version}.tar.gz"; 16 + sha256 = "sha256-kS6gb3TjCo42+7aAZNbN/yGNjVkdsPxddd7myBrH/Ao="; 17 }; 18 19 # TODO: Patch epoll so that the dbus actually responds 20 # TODO: Figure out how to get privsep working, currently getting SIGBUS ··· 40 CONFIG_HT_OVERRIDES=y 41 CONFIG_IEEE80211AC=y 42 CONFIG_IEEE80211AX=y 43 + CONFIG_IEEE80211BE=y 44 CONFIG_IEEE80211N=y 45 CONFIG_IEEE80211R=y 46 CONFIG_IEEE80211W=y
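Review bot: removing the `readOnlyModeSSIDs ? false` argument from default.nix breaks any out-of-tree `wpa_supplicant.override { readOnlyModeSSIDs = true; }`, which the `wpa_supplicant_ro_ssids` alias does not cover; consider keeping the argument for one release as an accepted but ignored option with a warning. The added `CONFIG_IEEE80211BE=y` also enables code the upstream changelog calls "preliminary support", which deserves a sentence in the commit message since it widens the frame-parsing surface of the default build.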
+1
pkgs/top-level/aliases.nix
··· 1494 wordpress6_1 = throw "'wordpress6_1' has been removed in favor of the latest version"; # Added 2023-10-10 1495 wordpress6_2 = throw "'wordpress6_2' has been removed in favor of the latest version"; # Added 2023-10-10 1496 wormhole-rs = magic-wormhole-rs; # Added 2022-05-30. preserve, reason: Arch package name, main binary name 1497 wrapLisp_old = throw "Lisp packages have been redesigned. See 'lisp-modules' in the nixpkgs manual."; # Added 2024-05-07 1498 wmii_hg = wmii; 1499 wrapGAppsHook = wrapGAppsHook3; # Added 2024-03-26
··· 1494 wordpress6_1 = throw "'wordpress6_1' has been removed in favor of the latest version"; # Added 2023-10-10 1495 wordpress6_2 = throw "'wordpress6_2' has been removed in favor of the latest version"; # Added 2023-10-10 1496 wormhole-rs = magic-wormhole-rs; # Added 2022-05-30. preserve, reason: Arch package name, main binary name 1497 + wpa_supplicant_ro_ssids = lib.trivial.warn "Deprecated package: Please use wpa_supplicant instead. Read-only SSID patches are now upstream!" wpa_supplicant; 1498 wrapLisp_old = throw "Lisp packages have been redesigned. See 'lisp-modules' in the nixpkgs manual."; # Added 2024-05-07 1499 wmii_hg = wmii; 1500 wrapGAppsHook = wrapGAppsHook3; # Added 2024-03-26
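Review bot: the new `wpa_supplicant_ro_ssids` alias lacks the trailing `# Added YYYY-MM-DD` comment that every neighbouring entry carries (e.g. `wrapGAppsHook = wrapGAppsHook3; # Added 2024-03-26`); add it so the alias can be expired on schedule. The warning text could also name the version (2.11) in which the read-only behaviour landed upstream, so users on pinned channels know the minimum they need.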
-4
pkgs/top-level/all-packages.nix
··· 27763 27764 wpa_supplicant = callPackage ../os-specific/linux/wpa_supplicant { }; 27765 27766 - wpa_supplicant_ro_ssids = wpa_supplicant.override { 27767 - readOnlyModeSSIDs = true; 27768 - }; 27769 - 27770 wpa_supplicant_gui = libsForQt5.callPackage ../os-specific/linux/wpa_supplicant/gui.nix { }; 27771 27772 xf86_input_cmt = callPackage ../os-specific/linux/xf86-input-cmt { };
··· 27763 27764 wpa_supplicant = callPackage ../os-specific/linux/wpa_supplicant { }; 27765 27766 wpa_supplicant_gui = libsForQt5.callPackage ../os-specific/linux/wpa_supplicant/gui.nix { }; 27767 27768 xf86_input_cmt = callPackage ../os-specific/linux/xf86-input-cmt { };