
From: Aaron Bauman <bman@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: net-wireless/wpa_supplicant/files/
Date: Fri, 29 Nov 2019 22:08:24
Message-Id: 1575065258.2b82a229fbd08184cfd3595e7c39b5f0c79a740d.bman@gentoo
1 commit: 2b82a229fbd08184cfd3595e7c39b5f0c79a740d
2 Author: Michael Mair-Keimberger <m.mairkeimberger <AT> gmail <DOT> com>
3 AuthorDate: Thu Nov 28 17:19:13 2019 +0000
4 Commit: Aaron Bauman <bman <AT> gentoo <DOT> org>
5 CommitDate: Fri Nov 29 22:07:38 2019 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2b82a229
7
8 net-wireless/wpa_supplicant: remove unused patches
9
10 Signed-off-by: Michael Mair-Keimberger <m.mairkeimberger <AT> gmail.com>
11 Closes: https://github.com/gentoo/gentoo/pull/13784
12 Signed-off-by: Aaron Bauman <bman <AT> gentoo.org>
13
14 ...-unauthenticated-encrypted-EAPOL-Key-data.patch | 44 ---------
15 ...wpa_supplicant-2.6-libressl-compatibility.patch | 106 ---------------------
16 .../files/wpa_supplicant-2.6-openssl-1.1.patch | 48 ----------
17 ...pa_supplicant-2.7-fix-undefined-remove-ie.patch | 38 --------
18 .../files/wpa_supplicant-2.7-libressl.patch | 46 ---------
19 5 files changed, 282 deletions(-)
20
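diff --git a/net-wireless/wpa_supplicant/files/rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch b/net-wireless/wpa_supplicant/files/rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch
deleted file mode 100644
index a62b52c6b9a..00000000000
--- a/net-wireless/wpa_supplicant/files/rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 3e34cfdff6b192fe337c6fb3f487f73e96582961 Mon Sep 17 00:00:00 2001
-From: Mathy Vanhoef <Mathy.Vanhoef@×××××××××××.be>
-Date: Sun, 15 Jul 2018 01:25:53 +0200
-Subject: [PATCH] WPA: Ignore unauthenticated encrypted EAPOL-Key data
-
-Ignore unauthenticated encrypted EAPOL-Key data in supplicant
-processing. When using WPA2, these are frames that have the Encrypted
-flag set, but not the MIC flag.
-
-When using WPA2, EAPOL-Key frames that had the Encrypted flag set but
-not the MIC flag, had their data field decrypted without first verifying
-the MIC. In case the data field was encrypted using RC4 (i.e., when
-negotiating TKIP as the pairwise cipher), this meant that
-unauthenticated but decrypted data would then be processed. An adversary
-could abuse this as a decryption oracle to recover sensitive information
-in the data field of EAPOL-Key messages (e.g., the group key).
-(CVE-2018-14526)
-
-Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@×××××××××××.be>
----
- src/rsn_supp/wpa.c | 11 +++++++++++
- 1 file changed, 11 insertions(+)
-
-diff -upr wpa_supplicant-2.6.orig/src/rsn_supp/wpa.c wpa_supplicant-2.6/src/rsn_supp/wpa.c
---- wpa_supplicant-2.6.orig/src/rsn_supp/wpa.c 2016-10-02 21:51:11.000000000 +0300
-+++ wpa_supplicant-2.6/src/rsn_supp/wpa.c 2018-08-08 16:55:11.506831029 +0300
-@@ -2016,6 +2016,17 @@ int wpa_sm_rx_eapol(struct wpa_sm *sm, c
-
- if ((sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) &&
- (key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
-+ /*
-+ * Only decrypt the Key Data field if the frame's authenticity
-+ * was verified. When using AES-SIV (FILS), the MIC flag is not
-+ * set, so this check should only be performed if mic_len != 0
-+ * which is the case in this code branch.
-+ */
-+ if (!(key_info & WPA_KEY_INFO_MIC)) {
-+ wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
-+ "WPA: Ignore EAPOL-Key with encrypted but unauthenticated data");
-+ goto out;
-+ }
- if (wpa_supplicant_decrypt_key_data(sm, key, ver, key_data,
- &key_data_len))
- goto out;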
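diff --git a/net-wireless/wpa_supplicant/files/wpa_supplicant-2.6-libressl-compatibility.patch b/net-wireless/wpa_supplicant/files/wpa_supplicant-2.6-libressl-compatibility.patch
deleted file mode 100644
index 025da58028d..00000000000
--- a/net-wireless/wpa_supplicant/files/wpa_supplicant-2.6-libressl-compatibility.patch
+++ /dev/null
@@ -1,106 +0,0 @@
-diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c
-index 19e0e2be8..6585c0245 100644
---- a/src/crypto/crypto_openssl.c
-+++ b/src/crypto/crypto_openssl.c
-@@ -33,7 +33,9 @@
- #include "aes_wrap.h"
- #include "crypto.h"
-
--#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || \
-+ (defined(LIBRESSL_VERSION_NUMBER) && \
-+ LIBRESSL_VERSION_NUMBER < 0x20700000L)
- /* Compatibility wrappers for older versions. */
-
- static HMAC_CTX * HMAC_CTX_new(void)
-@@ -79,7 +81,9 @@ static void EVP_MD_CTX_free(EVP_MD_CTX *ctx)
-
- static BIGNUM * get_group5_prime(void)
- {
--#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
-+ !(defined(LIBRESSL_VERSION_NUMBER) && \
-+ LIBRESSL_VERSION_NUMBER < 0x20700000L)
- return BN_get_rfc3526_prime_1536(NULL);
- #elif !defined(OPENSSL_IS_BORINGSSL)
- return get_rfc3526_prime_1536(NULL);
-@@ -611,7 +615,9 @@ void crypto_cipher_deinit(struct crypto_cipher *ctx)
-
- void * dh5_init(struct wpabuf **priv, struct wpabuf **publ)
- {
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || \
-+ (defined(LIBRESSL_VERSION_NUMBER) && \
-+ LIBRESSL_VERSION_NUMBER < 0x20700000L)
- DH *dh;
- struct wpabuf *pubkey = NULL, *privkey = NULL;
- size_t publen, privlen;
-@@ -712,7 +718,9 @@ err:
-
- void * dh5_init_fixed(const struct wpabuf *priv, const struct wpabuf *publ)
- {
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || \
-+ (defined(LIBRESSL_VERSION_NUMBER) && \
-+ LIBRESSL_VERSION_NUMBER < 0x20700000L)
- DH *dh;
-
- dh = DH_new();
-diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
-index 23ac64b48..91acc579d 100644
---- a/src/crypto/tls_openssl.c
-+++ b/src/crypto/tls_openssl.c
-@@ -59,7 +59,8 @@ typedef int stack_index_t;
- #endif /* SSL_set_tlsext_status_type */
-
- #if (OPENSSL_VERSION_NUMBER < 0x10100000L || \
-- defined(LIBRESSL_VERSION_NUMBER)) && \
-+ (defined(LIBRESSL_VERSION_NUMBER) && \
-+ LIBRESSL_VERSION_NUMBER < 0x20700000L)) && \
- !defined(BORINGSSL_API_VERSION)
- /*
- * SSL_get_client_random() and SSL_get_server_random() were added in OpenSSL
-@@ -919,7 +920,9 @@ void * tls_init(const struct tls_config *conf)
- }
- #endif /* OPENSSL_FIPS */
- #endif /* CONFIG_FIPS */
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || \
-+ (defined(LIBRESSL_VERSION_NUMBER) && \
-+ LIBRESSL_VERSION_NUMBER < 0x20700000L)
- SSL_load_error_strings();
- SSL_library_init();
- #ifndef OPENSSL_NO_SHA256
-@@ -1043,7 +1046,9 @@ void tls_deinit(void *ssl_ctx)
-
- tls_openssl_ref_count--;
- if (tls_openssl_ref_count == 0) {
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || \
-+ (defined(LIBRESSL_VERSION_NUMBER) && \
-+ LIBRESSL_VERSION_NUMBER < 0x20700000L)
- #ifndef OPENSSL_NO_ENGINE
- ENGINE_cleanup();
- #endif /* OPENSSL_NO_ENGINE */
-@@ -3105,7 +3110,9 @@ int tls_connection_get_random(void *ssl_ctx, struct tls_connection *conn,
- #ifdef OPENSSL_NEED_EAP_FAST_PRF
- static int openssl_get_keyblock_size(SSL *ssl)
- {
--#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || \
-+ (defined(LIBRESSL_VERSION_NUMBER) && \
-+ LIBRESSL_VERSION_NUMBER < 0x20700000L)
- const EVP_CIPHER *c;
- const EVP_MD *h;
- int md_size;
-@@ -4159,7 +4166,9 @@ static int tls_sess_sec_cb(SSL *s, void *secret, int *secret_len,
- struct tls_connection *conn = arg;
- int ret;
-
--#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || \
-+ (defined(LIBRESSL_VERSION_NUMBER) && \
-+ LIBRESSL_VERSION_NUMBER < 0x20700000L)
- if (conn == NULL || conn->session_ticket_cb == NULL)
- return 0;
-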
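diff --git a/net-wireless/wpa_supplicant/files/wpa_supplicant-2.6-openssl-1.1.patch b/net-wireless/wpa_supplicant/files/wpa_supplicant-2.6-openssl-1.1.patch
deleted file mode 100644
index 1e2335f34c0..00000000000
--- a/net-wireless/wpa_supplicant/files/wpa_supplicant-2.6-openssl-1.1.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From f665c93e1d28fbab3d9127a8c3985cc32940824f Mon Sep 17 00:00:00 2001
-From: Beniamino Galvani <bgalvani@××××××.com>
-Date: Sun, 9 Jul 2017 11:14:10 +0200
-Subject: OpenSSL: Fix private key password handling with OpenSSL >= 1.1.0f
-
-Since OpenSSL version 1.1.0f, SSL_use_PrivateKey_file() uses the
-callback from the SSL object instead of the one from the CTX, so let's
-set the callback on both SSL and CTX. Note that
-SSL_set_default_passwd_cb*() is available only in 1.1.0.
-
-Signed-off-by: Beniamino Galvani <bgalvani@××××××.com>
----
- src/crypto/tls_openssl.c | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
-diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
-index fd94eaf..c790b53 100644
---- a/src/crypto/tls_openssl.c
-+++ b/src/crypto/tls_openssl.c
-@@ -2796,6 +2796,15 @@ static int tls_connection_private_key(struct tls_data *data,
- } else
- passwd = NULL;
-
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
-+ /*
-+ * In OpenSSL >= 1.1.0f SSL_use_PrivateKey_file() uses the callback
-+ * from the SSL object. See OpenSSL commit d61461a75253.
-+ */
-+ SSL_set_default_passwd_cb(conn->ssl, tls_passwd_cb);
-+ SSL_set_default_passwd_cb_userdata(conn->ssl, passwd);
-+#endif /* >= 1.1.0f && !LibreSSL */
-+ /* Keep these for OpenSSL < 1.1.0f */
- SSL_CTX_set_default_passwd_cb(ssl_ctx, tls_passwd_cb);
- SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, passwd);
-
-@@ -2886,6 +2895,9 @@ static int tls_connection_private_key(struct tls_data *data,
- return -1;
- }
- ERR_clear_error();
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
-+ SSL_set_default_passwd_cb(conn->ssl, NULL);
-+#endif /* >= 1.1.0f && !LibreSSL */
- SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL);
- os_free(passwd);
-
---
-cgit v0.12
-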
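diff --git a/net-wireless/wpa_supplicant/files/wpa_supplicant-2.7-fix-undefined-remove-ie.patch b/net-wireless/wpa_supplicant/files/wpa_supplicant-2.7-fix-undefined-remove-ie.patch
deleted file mode 100644
index 97a8cc7f3e1..00000000000
--- a/net-wireless/wpa_supplicant/files/wpa_supplicant-2.7-fix-undefined-remove-ie.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From f2973fa39d6109f0f34969e91551a98dc340d537 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@××.fi>
-Date: Mon, 3 Dec 2018 12:00:26 +0200
-Subject: FT: Fix CONFIG_IEEE80211X=y build without CONFIG_FILS=y
-
-remove_ie() was defined within an ifdef CONFIG_FILS block while it is
-now needed even without CONFIG_FILS=y. Remove the CONFIG_FILS condition
-there.
-
-Fixes 8c41734e5de1 ("FT: Fix Reassociation Request IEs during FT protocol")
-Signed-off-by: Jouni Malinen <j@××.fi>
----
- wpa_supplicant/sme.c | 2 --
- 1 file changed, 2 deletions(-)
-
-diff --git a/wpa_supplicant/sme.c b/wpa_supplicant/sme.c
-index 39c8069..f77f751 100644
---- a/wpa_supplicant/sme.c
-+++ b/wpa_supplicant/sme.c
-@@ -1386,7 +1386,6 @@ void sme_event_auth(struct wpa_supplicant *wpa_s, union wpa_event_data *data)
- }
-
-
--#ifdef CONFIG_FILS
- #ifdef CONFIG_IEEE80211R
- static void remove_ie(u8 *buf, size_t *len, u8 eid)
- {
-@@ -1401,7 +1400,6 @@ static void remove_ie(u8 *buf, size_t *len, u8 eid)
- }
- }
- #endif /* CONFIG_IEEE80211R */
--#endif /* CONFIG_FILS */
-
-
- void sme_associate(struct wpa_supplicant *wpa_s, enum wpas_mode mode,
---
-cgit v0.12
-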
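diff --git a/net-wireless/wpa_supplicant/files/wpa_supplicant-2.7-libressl.patch b/net-wireless/wpa_supplicant/files/wpa_supplicant-2.7-libressl.patch
deleted file mode 100644
index 45a1cf3701f..00000000000
--- a/net-wireless/wpa_supplicant/files/wpa_supplicant-2.7-libressl.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 2643a056bb7d0737f63f42a11c308b2804d9ebe5 Mon Sep 17 00:00:00 2001
-From: Andrey Utkin <andrey_utkin@g.o>
-Date: Tue, 11 Dec 2018 17:41:10 +0000
-Subject: [PATCH] Fix build with LibreSSL
-
-When using LibreSSL instead of OpenSSL, linkage of hostapd executable
-fails with the following error when using some LibreSSL versions
-
- ../src/crypto/tls_openssl.o: In function `tls_verify_cb':
- tls_openssl.c:(.text+0x1273): undefined reference to `ASN1_STRING_get0_data'
- ../src/crypto/tls_openssl.o: In function `tls_connection_peer_serial_num':
- tls_openssl.c:(.text+0x3023): undefined reference to `ASN1_STRING_get0_data'
- collect2: error: ld returned 1 exit status
- make: *** [Makefile:1278: hostapd] Error 1
-
-ASN1_STRING_get0_data is present in recent OpenSSL, but absent in some
-versions of LibreSSL (confirmed for version 2.6.5), so fallback needs to
-be defined in this case, just like for old OpenSSL.
-
-This patch was inspired by similar patches to other projects, such as
-spice-gtk, pjsip.
-
-Link: https://bugs.gentoo.org/672834
-Signed-off-by: Andrey Utkin <andrey_utkin@g.o>
----
- src/crypto/tls_openssl.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
-index 608818310..cb70e2c47 100644
---- a/src/crypto/tls_openssl.c
-+++ b/src/crypto/tls_openssl.c
-@@ -104,7 +104,9 @@ static size_t SSL_SESSION_get_master_key(const SSL_SESSION *session,
-
- #endif
-
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || \
-+ (defined(LIBRESSL_VERSION_NUMBER) && \
-+ LIBRESSL_VERSION_NUMBER < 0x20700000L)
- #ifdef CONFIG_SUITEB
- static int RSA_bits(const RSA *r)
- {
---
-2.20.1
-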