1 |
commit: 2b82a229fbd08184cfd3595e7c39b5f0c79a740d |
2 |
Author: Michael Mair-Keimberger <m.mairkeimberger <AT> gmail <DOT> com> |
3 |
AuthorDate: Thu Nov 28 17:19:13 2019 +0000 |
4 |
Commit: Aaron Bauman <bman <AT> gentoo <DOT> org> |
5 |
CommitDate: Fri Nov 29 22:07:38 2019 +0000 |
6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2b82a229 |
7 |
|
8 |
net-wireless/wpa_supplicant: remove unused patches |
9 |
|
10 |
Signed-off-by: Michael Mair-Keimberger <m.mairkeimberger <AT> gmail.com> |
11 |
Closes: https://github.com/gentoo/gentoo/pull/13784 |
12 |
Signed-off-by: Aaron Bauman <bman <AT> gentoo.org> |
13 |
|
14 |
...-unauthenticated-encrypted-EAPOL-Key-data.patch | 44 --------- |
15 |
...wpa_supplicant-2.6-libressl-compatibility.patch | 106 --------------------- |
16 |
.../files/wpa_supplicant-2.6-openssl-1.1.patch | 48 ---------- |
17 |
...pa_supplicant-2.7-fix-undefined-remove-ie.patch | 38 -------- |
18 |
.../files/wpa_supplicant-2.7-libressl.patch | 46 --------- |
19 |
5 files changed, 282 deletions(-) |
20 |
|
21 |
diff --git a/net-wireless/wpa_supplicant/files/rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch b/net-wireless/wpa_supplicant/files/rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch |
22 |
deleted file mode 100644 |
23 |
index a62b52c6b9a..00000000000 |
24 |
--- a/net-wireless/wpa_supplicant/files/rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch |
25 |
+++ /dev/null |
26 |
@@ -1,44 +0,0 @@ |
27 |
-From 3e34cfdff6b192fe337c6fb3f487f73e96582961 Mon Sep 17 00:00:00 2001 |
28 |
-From: Mathy Vanhoef <Mathy.Vanhoef@×××××××××××.be> |
29 |
-Date: Sun, 15 Jul 2018 01:25:53 +0200 |
30 |
-Subject: [PATCH] WPA: Ignore unauthenticated encrypted EAPOL-Key data |
31 |
- |
32 |
-Ignore unauthenticated encrypted EAPOL-Key data in supplicant |
33 |
-processing. When using WPA2, these are frames that have the Encrypted |
34 |
-flag set, but not the MIC flag. |
35 |
- |
36 |
-When using WPA2, EAPOL-Key frames that had the Encrypted flag set but |
37 |
-not the MIC flag, had their data field decrypted without first verifying |
38 |
-the MIC. In case the data field was encrypted using RC4 (i.e., when |
39 |
-negotiating TKIP as the pairwise cipher), this meant that |
40 |
-unauthenticated but decrypted data would then be processed. An adversary |
41 |
-could abuse this as a decryption oracle to recover sensitive information |
42 |
-in the data field of EAPOL-Key messages (e.g., the group key). |
43 |
-(CVE-2018-14526) |
44 |
- |
45 |
-Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@×××××××××××.be> |
46 |
---- |
47 |
- src/rsn_supp/wpa.c | 11 +++++++++++ |
48 |
- 1 file changed, 11 insertions(+) |
49 |
- |
50 |
-diff -upr wpa_supplicant-2.6.orig/src/rsn_supp/wpa.c wpa_supplicant-2.6/src/rsn_supp/wpa.c |
51 |
---- wpa_supplicant-2.6.orig/src/rsn_supp/wpa.c 2016-10-02 21:51:11.000000000 +0300 |
52 |
-+++ wpa_supplicant-2.6/src/rsn_supp/wpa.c 2018-08-08 16:55:11.506831029 +0300 |
53 |
-@@ -2016,6 +2016,17 @@ int wpa_sm_rx_eapol(struct wpa_sm *sm, c |
54 |
- |
55 |
- if ((sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) && |
56 |
- (key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) { |
57 |
-+ /* |
58 |
-+ * Only decrypt the Key Data field if the frame's authenticity |
59 |
-+ * was verified. When using AES-SIV (FILS), the MIC flag is not |
60 |
-+ * set, so this check should only be performed if mic_len != 0 |
61 |
-+ * which is the case in this code branch. |
62 |
-+ */ |
63 |
-+ if (!(key_info & WPA_KEY_INFO_MIC)) { |
64 |
-+ wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, |
65 |
-+ "WPA: Ignore EAPOL-Key with encrypted but unauthenticated data"); |
66 |
-+ goto out; |
67 |
-+ } |
68 |
- if (wpa_supplicant_decrypt_key_data(sm, key, ver, key_data, |
69 |
- &key_data_len)) |
70 |
- goto out; |
71 |
|
72 |
diff --git a/net-wireless/wpa_supplicant/files/wpa_supplicant-2.6-libressl-compatibility.patch b/net-wireless/wpa_supplicant/files/wpa_supplicant-2.6-libressl-compatibility.patch |
73 |
deleted file mode 100644 |
74 |
index 025da58028d..00000000000 |
75 |
--- a/net-wireless/wpa_supplicant/files/wpa_supplicant-2.6-libressl-compatibility.patch |
76 |
+++ /dev/null |
77 |
@@ -1,106 +0,0 @@ |
78 |
-diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c |
79 |
-index 19e0e2be8..6585c0245 100644 |
80 |
---- a/src/crypto/crypto_openssl.c |
81 |
-+++ b/src/crypto/crypto_openssl.c |
82 |
-@@ -33,7 +33,9 @@ |
83 |
- #include "aes_wrap.h" |
84 |
- #include "crypto.h" |
85 |
- |
86 |
--#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) |
87 |
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || \ |
88 |
-+ (defined(LIBRESSL_VERSION_NUMBER) && \ |
89 |
-+ LIBRESSL_VERSION_NUMBER < 0x20700000L) |
90 |
- /* Compatibility wrappers for older versions. */ |
91 |
- |
92 |
- static HMAC_CTX * HMAC_CTX_new(void) |
93 |
-@@ -79,7 +81,9 @@ static void EVP_MD_CTX_free(EVP_MD_CTX *ctx) |
94 |
- |
95 |
- static BIGNUM * get_group5_prime(void) |
96 |
- { |
97 |
--#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) |
98 |
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && \ |
99 |
-+ !(defined(LIBRESSL_VERSION_NUMBER) && \ |
100 |
-+ LIBRESSL_VERSION_NUMBER < 0x20700000L) |
101 |
- return BN_get_rfc3526_prime_1536(NULL); |
102 |
- #elif !defined(OPENSSL_IS_BORINGSSL) |
103 |
- return get_rfc3526_prime_1536(NULL); |
104 |
-@@ -611,7 +615,9 @@ void crypto_cipher_deinit(struct crypto_cipher *ctx) |
105 |
- |
106 |
- void * dh5_init(struct wpabuf **priv, struct wpabuf **publ) |
107 |
- { |
108 |
--#if OPENSSL_VERSION_NUMBER < 0x10100000L |
109 |
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || \ |
110 |
-+ (defined(LIBRESSL_VERSION_NUMBER) && \ |
111 |
-+ LIBRESSL_VERSION_NUMBER < 0x20700000L) |
112 |
- DH *dh; |
113 |
- struct wpabuf *pubkey = NULL, *privkey = NULL; |
114 |
- size_t publen, privlen; |
115 |
-@@ -712,7 +718,9 @@ err: |
116 |
- |
117 |
- void * dh5_init_fixed(const struct wpabuf *priv, const struct wpabuf *publ) |
118 |
- { |
119 |
--#if OPENSSL_VERSION_NUMBER < 0x10100000L |
120 |
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || \ |
121 |
-+ (defined(LIBRESSL_VERSION_NUMBER) && \ |
122 |
-+ LIBRESSL_VERSION_NUMBER < 0x20700000L) |
123 |
- DH *dh; |
124 |
- |
125 |
- dh = DH_new(); |
126 |
-diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c |
127 |
-index 23ac64b48..91acc579d 100644 |
128 |
---- a/src/crypto/tls_openssl.c |
129 |
-+++ b/src/crypto/tls_openssl.c |
130 |
-@@ -59,7 +59,8 @@ typedef int stack_index_t; |
131 |
- #endif /* SSL_set_tlsext_status_type */ |
132 |
- |
133 |
- #if (OPENSSL_VERSION_NUMBER < 0x10100000L || \ |
134 |
-- defined(LIBRESSL_VERSION_NUMBER)) && \ |
135 |
-+ (defined(LIBRESSL_VERSION_NUMBER) && \ |
136 |
-+ LIBRESSL_VERSION_NUMBER < 0x20700000L)) && \ |
137 |
- !defined(BORINGSSL_API_VERSION) |
138 |
- /* |
139 |
- * SSL_get_client_random() and SSL_get_server_random() were added in OpenSSL |
140 |
-@@ -919,7 +920,9 @@ void * tls_init(const struct tls_config *conf) |
141 |
- } |
142 |
- #endif /* OPENSSL_FIPS */ |
143 |
- #endif /* CONFIG_FIPS */ |
144 |
--#if OPENSSL_VERSION_NUMBER < 0x10100000L |
145 |
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || \ |
146 |
-+ (defined(LIBRESSL_VERSION_NUMBER) && \ |
147 |
-+ LIBRESSL_VERSION_NUMBER < 0x20700000L) |
148 |
- SSL_load_error_strings(); |
149 |
- SSL_library_init(); |
150 |
- #ifndef OPENSSL_NO_SHA256 |
151 |
-@@ -1043,7 +1046,9 @@ void tls_deinit(void *ssl_ctx) |
152 |
- |
153 |
- tls_openssl_ref_count--; |
154 |
- if (tls_openssl_ref_count == 0) { |
155 |
--#if OPENSSL_VERSION_NUMBER < 0x10100000L |
156 |
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || \ |
157 |
-+ (defined(LIBRESSL_VERSION_NUMBER) && \ |
158 |
-+ LIBRESSL_VERSION_NUMBER < 0x20700000L) |
159 |
- #ifndef OPENSSL_NO_ENGINE |
160 |
- ENGINE_cleanup(); |
161 |
- #endif /* OPENSSL_NO_ENGINE */ |
162 |
-@@ -3105,7 +3110,9 @@ int tls_connection_get_random(void *ssl_ctx, struct tls_connection *conn, |
163 |
- #ifdef OPENSSL_NEED_EAP_FAST_PRF |
164 |
- static int openssl_get_keyblock_size(SSL *ssl) |
165 |
- { |
166 |
--#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) |
167 |
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || \ |
168 |
-+ (defined(LIBRESSL_VERSION_NUMBER) && \ |
169 |
-+ LIBRESSL_VERSION_NUMBER < 0x20700000L) |
170 |
- const EVP_CIPHER *c; |
171 |
- const EVP_MD *h; |
172 |
- int md_size; |
173 |
-@@ -4159,7 +4166,9 @@ static int tls_sess_sec_cb(SSL *s, void *secret, int *secret_len, |
174 |
- struct tls_connection *conn = arg; |
175 |
- int ret; |
176 |
- |
177 |
--#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) |
178 |
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || \ |
179 |
-+ (defined(LIBRESSL_VERSION_NUMBER) && \ |
180 |
-+ LIBRESSL_VERSION_NUMBER < 0x20700000L) |
181 |
- if (conn == NULL || conn->session_ticket_cb == NULL) |
182 |
- return 0; |
183 |
- |
184 |
|
185 |
diff --git a/net-wireless/wpa_supplicant/files/wpa_supplicant-2.6-openssl-1.1.patch b/net-wireless/wpa_supplicant/files/wpa_supplicant-2.6-openssl-1.1.patch |
186 |
deleted file mode 100644 |
187 |
index 1e2335f34c0..00000000000 |
188 |
--- a/net-wireless/wpa_supplicant/files/wpa_supplicant-2.6-openssl-1.1.patch |
189 |
+++ /dev/null |
190 |
@@ -1,48 +0,0 @@ |
191 |
-From f665c93e1d28fbab3d9127a8c3985cc32940824f Mon Sep 17 00:00:00 2001 |
192 |
-From: Beniamino Galvani <bgalvani@××××××.com> |
193 |
-Date: Sun, 9 Jul 2017 11:14:10 +0200 |
194 |
-Subject: OpenSSL: Fix private key password handling with OpenSSL >= 1.1.0f |
195 |
- |
196 |
-Since OpenSSL version 1.1.0f, SSL_use_PrivateKey_file() uses the |
197 |
-callback from the SSL object instead of the one from the CTX, so let's |
198 |
-set the callback on both SSL and CTX. Note that |
199 |
-SSL_set_default_passwd_cb*() is available only in 1.1.0. |
200 |
- |
201 |
-Signed-off-by: Beniamino Galvani <bgalvani@××××××.com> |
202 |
---- |
203 |
- src/crypto/tls_openssl.c | 12 ++++++++++++ |
204 |
- 1 file changed, 12 insertions(+) |
205 |
- |
206 |
-diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c |
207 |
-index fd94eaf..c790b53 100644 |
208 |
---- a/src/crypto/tls_openssl.c |
209 |
-+++ b/src/crypto/tls_openssl.c |
210 |
-@@ -2796,6 +2796,15 @@ static int tls_connection_private_key(struct tls_data *data, |
211 |
- } else |
212 |
- passwd = NULL; |
213 |
- |
214 |
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) |
215 |
-+ /* |
216 |
-+ * In OpenSSL >= 1.1.0f SSL_use_PrivateKey_file() uses the callback |
217 |
-+ * from the SSL object. See OpenSSL commit d61461a75253. |
218 |
-+ */ |
219 |
-+ SSL_set_default_passwd_cb(conn->ssl, tls_passwd_cb); |
220 |
-+ SSL_set_default_passwd_cb_userdata(conn->ssl, passwd); |
221 |
-+#endif /* >= 1.1.0f && !LibreSSL */ |
222 |
-+ /* Keep these for OpenSSL < 1.1.0f */ |
223 |
- SSL_CTX_set_default_passwd_cb(ssl_ctx, tls_passwd_cb); |
224 |
- SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, passwd); |
225 |
- |
226 |
-@@ -2886,6 +2895,9 @@ static int tls_connection_private_key(struct tls_data *data, |
227 |
- return -1; |
228 |
- } |
229 |
- ERR_clear_error(); |
230 |
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) |
231 |
-+ SSL_set_default_passwd_cb(conn->ssl, NULL); |
232 |
-+#endif /* >= 1.1.0f && !LibreSSL */ |
233 |
- SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL); |
234 |
- os_free(passwd); |
235 |
- |
236 |
--- |
237 |
-cgit v0.12 |
238 |
- |
239 |
|
240 |
diff --git a/net-wireless/wpa_supplicant/files/wpa_supplicant-2.7-fix-undefined-remove-ie.patch b/net-wireless/wpa_supplicant/files/wpa_supplicant-2.7-fix-undefined-remove-ie.patch |
241 |
deleted file mode 100644 |
242 |
index 97a8cc7f3e1..00000000000 |
243 |
--- a/net-wireless/wpa_supplicant/files/wpa_supplicant-2.7-fix-undefined-remove-ie.patch |
244 |
+++ /dev/null |
245 |
@@ -1,38 +0,0 @@ |
246 |
-From f2973fa39d6109f0f34969e91551a98dc340d537 Mon Sep 17 00:00:00 2001 |
247 |
-From: Jouni Malinen <j@××.fi> |
248 |
-Date: Mon, 3 Dec 2018 12:00:26 +0200 |
249 |
-Subject: FT: Fix CONFIG_IEEE80211X=y build without CONFIG_FILS=y |
250 |
- |
251 |
-remove_ie() was defined within an ifdef CONFIG_FILS block while it is |
252 |
-now needed even without CONFIG_FILS=y. Remove the CONFIG_FILS condition |
253 |
-there. |
254 |
- |
255 |
-Fixes 8c41734e5de1 ("FT: Fix Reassociation Request IEs during FT protocol") |
256 |
-Signed-off-by: Jouni Malinen <j@××.fi> |
257 |
---- |
258 |
- wpa_supplicant/sme.c | 2 -- |
259 |
- 1 file changed, 2 deletions(-) |
260 |
- |
261 |
-diff --git a/wpa_supplicant/sme.c b/wpa_supplicant/sme.c |
262 |
-index 39c8069..f77f751 100644 |
263 |
---- a/wpa_supplicant/sme.c |
264 |
-+++ b/wpa_supplicant/sme.c |
265 |
-@@ -1386,7 +1386,6 @@ void sme_event_auth(struct wpa_supplicant *wpa_s, union wpa_event_data *data) |
266 |
- } |
267 |
- |
268 |
- |
269 |
--#ifdef CONFIG_FILS |
270 |
- #ifdef CONFIG_IEEE80211R |
271 |
- static void remove_ie(u8 *buf, size_t *len, u8 eid) |
272 |
- { |
273 |
-@@ -1401,7 +1400,6 @@ static void remove_ie(u8 *buf, size_t *len, u8 eid) |
274 |
- } |
275 |
- } |
276 |
- #endif /* CONFIG_IEEE80211R */ |
277 |
--#endif /* CONFIG_FILS */ |
278 |
- |
279 |
- |
280 |
- void sme_associate(struct wpa_supplicant *wpa_s, enum wpas_mode mode, |
281 |
--- |
282 |
-cgit v0.12 |
283 |
- |
284 |
|
285 |
diff --git a/net-wireless/wpa_supplicant/files/wpa_supplicant-2.7-libressl.patch b/net-wireless/wpa_supplicant/files/wpa_supplicant-2.7-libressl.patch |
286 |
deleted file mode 100644 |
287 |
index 45a1cf3701f..00000000000 |
288 |
--- a/net-wireless/wpa_supplicant/files/wpa_supplicant-2.7-libressl.patch |
289 |
+++ /dev/null |
290 |
@@ -1,46 +0,0 @@ |
291 |
-From 2643a056bb7d0737f63f42a11c308b2804d9ebe5 Mon Sep 17 00:00:00 2001 |
292 |
-From: Andrey Utkin <andrey_utkin@g.o> |
293 |
-Date: Tue, 11 Dec 2018 17:41:10 +0000 |
294 |
-Subject: [PATCH] Fix build with LibreSSL |
295 |
- |
296 |
-When using LibreSSL instead of OpenSSL, linkage of hostapd executable |
297 |
-fails with the following error when using some LibreSSL versions |
298 |
- |
299 |
- ../src/crypto/tls_openssl.o: In function `tls_verify_cb': |
300 |
- tls_openssl.c:(.text+0x1273): undefined reference to `ASN1_STRING_get0_data' |
301 |
- ../src/crypto/tls_openssl.o: In function `tls_connection_peer_serial_num': |
302 |
- tls_openssl.c:(.text+0x3023): undefined reference to `ASN1_STRING_get0_data' |
303 |
- collect2: error: ld returned 1 exit status |
304 |
- make: *** [Makefile:1278: hostapd] Error 1 |
305 |
- |
306 |
-ASN1_STRING_get0_data is present in recent OpenSSL, but absent in some |
307 |
-versions of LibreSSL (confirmed for version 2.6.5), so fallback needs to |
308 |
-be defined in this case, just like for old OpenSSL. |
309 |
- |
310 |
-This patch was inspired by similar patches to other projects, such as |
311 |
-spice-gtk, pjsip. |
312 |
- |
313 |
-Link: https://bugs.gentoo.org/672834 |
314 |
-Signed-off-by: Andrey Utkin <andrey_utkin@g.o> |
315 |
---- |
316 |
- src/crypto/tls_openssl.c | 4 +++- |
317 |
- 1 file changed, 3 insertions(+), 1 deletion(-) |
318 |
- |
319 |
-diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c |
320 |
-index 608818310..cb70e2c47 100644 |
321 |
---- a/src/crypto/tls_openssl.c |
322 |
-+++ b/src/crypto/tls_openssl.c |
323 |
-@@ -104,7 +104,9 @@ static size_t SSL_SESSION_get_master_key(const SSL_SESSION *session, |
324 |
- |
325 |
- #endif |
326 |
- |
327 |
--#if OPENSSL_VERSION_NUMBER < 0x10100000L |
328 |
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || \ |
329 |
-+ (defined(LIBRESSL_VERSION_NUMBER) && \ |
330 |
-+ LIBRESSL_VERSION_NUMBER < 0x20700000L) |
331 |
- #ifdef CONFIG_SUITEB |
332 |
- static int RSA_bits(const RSA *r) |
333 |
- { |
334 |
--- |
335 |
-2.20.1 |
336 |
- |