* update wpa_supplicant to 2:2.10-7

2022-12-14 14:38:41 +01:00 · 2022-12-14 14:38:41 +01:00 · f00f642bd6
commit f00f642bd6
parent 77f5a61c98
3 changed files with 101 additions and 8 deletions
--- a/wpa_supplicant/PKGBUILD
+++ b/wpa_supplicant/PKGBUILD
@ -6,7 +6,7 @@

 pkgname=wpa_supplicant
 pkgver=2.10
-pkgrel=6
+pkgrel=7
 epoch=2
 pkgdesc='A utility providing key negotiation for WPA wireless networks'
 url='https://w1.fi/wpa_supplicant/'
@ -16,9 +16,11 @@ depends=(openssl libdbus readline libnl)
 install=wpa_supplicant.install
 source=(
  https://w1.fi/releases/${pkgname}-${pkgver}.tar.gz{,.asc}
-  wpa_supplicant_tls.patch                        # More permissive TLS fallback
-  wpa_supplicant_dbus_service_syslog.patch        # Unit improvements from Ubuntu
-  wpa_supplicant_service_ignore-on-isolate.patch  # More unit improvements from Ubuntu
+  wpa_supplicant_tls.patch
+  wpa_supplicant_dbus_service_syslog.patch
+  wpa_supplicant_service_ignore-on-isolate.patch
+  wpa_supplicant-legacy-server-connect.patch
+  lower_security_level_for_tls_1.patch
  wpa_supplicant_config
  add_extra-ies_only_if_allowed_by_driver.patch
 )
@ -28,15 +30,32 @@ sha256sums=('20df7ae5154b3830355f8ab4269123a87affdea59fe74fe9292a91d0d7e17b2f'
            '08915b040d03a3e07cdc8ea6c76b497e00059e01ce85b67413dfe41d4fc68992'
            '60f6a1cf2e124813dfce1da78ee1818e2ff5236aafa4113c7ae3b3f2a0b84006'
            'd42bdbf3d4980b9f0a819612df0c39843c7e96c8afcb103aa656c824f93790b0'
+            '8fba11e4a5056d9e710707ded93341f61fdfef6c64ced992e3936cbd2d41a011'
+            'c3c0fb363f734c1512d24fd749b3ff7515f961b27bfadd04c128434b5c9f4a93'
            '89dc439b958574e9231c58bea6c83faec469909c9f84476bfc83fa35b3e97bd1'
            'aaedf87f1530d4e6cb00bf7981d1f868409ed892cc41b83c5613019e7b51f380')

 prepare() {
  cd $pkgname-$pkgver
-  patch -p1 -i ../wpa_supplicant_tls.patch                        # More permissive TLS fallback
-  patch -p1 -i ../wpa_supplicant_dbus_service_syslog.patch        # Unit improvements from Ubuntu
-  patch -p1 -i ../wpa_supplicant_service_ignore-on-isolate.patch  # More unit improvements from Ubuntu
-  patch -p1 -i ../add_extra-ies_only_if_allowed_by_driver.patch # http://lists.infradead.org/pipermail/hostap/2022-January/040178.html
+
+  # More permissive TLS fallback
+  patch -Np1 -i ../wpa_supplicant_tls.patch
+
+  # Unit improvements from Ubuntu
+  patch -Np1 -i ../wpa_supplicant_dbus_service_syslog.patch
+
+  # More unit improvements from Ubuntu
+  patch -Np1 -i ../wpa_supplicant_service_ignore-on-isolate.patch
+
+  # https://bugzilla.redhat.com/show_bug.cgi?id=2072070#c24
+  patch -Np1 -i ../wpa_supplicant-legacy-server-connect.patch
+
+  # http://lists.infradead.org/pipermail/hostap/2022-May/040571.html
+  # https://bugs.archlinux.org/task/76474
+  patch -Np1 -i ../lower_security_level_for_tls_1.patch
+
+  # http://lists.infradead.org/pipermail/hostap/2022-January/040178.html
+  patch -Np1 -i ../add_extra-ies_only_if_allowed_by_driver.patch

  cd $pkgname
  cp "$srcdir/wpa_supplicant_config" ./.config
--- a/wpa_supplicant/lower_security_level_for_tls_1.patch
+++ b/wpa_supplicant/lower_security_level_for_tls_1.patch
@ -0,0 +1,52 @@
+From bc99366f9b960150aa2e369048bbc2218c1d414e Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sun, 22 May 2022 17:01:35 +0300
+Subject: [PATCH] OpenSSL: Drop security level to 0 with OpenSSL 3.0 when using
+ TLS 1.0/1.1
+
+Commit 9afb68b03976 ("OpenSSL: Allow systemwide secpolicy overrides for
+TLS version") with commit 58bbcfa31b18 ("OpenSSL: Update security level
+drop for TLS 1.0/1.1 with OpenSSL 3.0") allow this workaround to be
+enabled with an explicit network configuration parameter. However, the
+default settings are still allowing TLS 1.0 and 1.1 to be negotiated
+just to see them fail immediately when using OpenSSL 3.0. This is not
+exactly helpful especially when the OpenSSL error message for this
+particular case is "internal error" which does not really say anything
+about the reason for the error.
+
+It is is a bit inconvenient to update the security policy for this
+particular issue based on the negotiated TLS version since that happens
+in the middle of processing for the first message from the server.
+However, this can be done by using the debug callback for printing out
+the received TLS messages during processing.
+
+Drop the OpenSSL security level to 0 if that is the only option to
+continue the TLS negotiation, i.e., when TLS 1.0/1.1 are still allowed
+in wpa_supplicant default configuration and OpenSSL 3.0 with the
+constraint on MD5-SHA1 use.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/crypto/tls_openssl.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
+index 6602ac64f..78621d926 100644
+--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
+@@ -1557,6 +1557,15 @@ static void tls_msg_cb(int write_p, int version, int content_type,
+ 	struct tls_connection *conn = arg;
+ 	const u8 *pos = buf;
+ 
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+	if ((SSL_version(ssl) == TLS1_VERSION ||
+	     SSL_version(ssl) == TLS1_1_VERSION) &&
+	    SSL_get_security_level(ssl) > 0) {
+		wpa_printf(MSG_DEBUG,
+			   "OpenSSL: Drop security level to 0 to allow TLS 1.0/1.1 use of MD5-SHA1 signature algorithm");
+		SSL_set_security_level(ssl, 0);
+	}
+#endif /* OpenSSL version >= 3.0 */
+ 	if (write_p == 2) {
+ 		wpa_printf(MSG_DEBUG,
+ 			   "OpenSSL: session ver=0x%x content_type=%d",
--- a/wpa_supplicant/wpa_supplicant-legacy-server-connect.patch
+++ b/wpa_supplicant/wpa_supplicant-legacy-server-connect.patch
@ -0,0 +1,22 @@
+# Patch origin: https://bugzilla.redhat.com/show_bug.cgi?id=2072070#c24
+
+diff -up wpa_supplicant-2.10/src/crypto/tls_openssl.c.legacy-server-connect wpa_supplicant-2.10/src/crypto/tls_openssl.c
+--- wpa_supplicant-2.10/src/crypto/tls_openssl.c.legacy-server-connect  2022-01-16 15:51:29.000000000 -0500
+++ wpa_supplicant-2.10/src/crypto/tls_openssl.c        2022-04-28 02:47:26.863529683 -0400
+@@ -1049,6 +1049,16 @@
+ 	SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv2);
+ 	SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv3);
+ 
+	/* Many enterprise PEAP server implementations (e.g. used in large
+	 corporations and universities) do not support RFC5746 secure
+	 renegotiation, and starting with OpenSSL 3.0,
+	 SSL_OP_LEGACY_SERVER_CONNECT is no longer set as part of SSL_OP_ALL.
+	 So until we implement a way to request SSL_OP_LEGACY_SERVER_CONNECT
+	 only in EAP peer mode, just set SSL_OP_LEGACY_SERVER_CONNECT
+	 globally. */
+
+	SSL_CTX_set_options(ssl, SSL_OP_LEGACY_SERVER_CONNECT);
+
+ 	SSL_CTX_set_mode(ssl, SSL_MODE_AUTO_RETRY);
+ 
+ #ifdef SSL_MODE_NO_AUTO_CHAIN