Update: wpa_supplicant 2.6


Update: wpa_supplicant 2.6

David Coppa

New release for wpa_supplicant.

As usual, please test it with your setup.

Ciao!
David

Index: Makefile
===================================================================
RCS file: /cvs/ports/security/wpa_supplicant/Makefile,v
retrieving revision 1.33
diff -u -p -r1.33 Makefile
--- Makefile 17 May 2016 08:29:27 -0000 1.33
+++ Makefile 3 Oct 2016 09:35:58 -0000
@@ -2,9 +2,8 @@
 
 COMMENT= IEEE 802.1X supplicant
 
-DISTNAME= wpa_supplicant-2.5
+DISTNAME= wpa_supplicant-2.6
 CATEGORIES= security net
-REVISION= 1
 
 HOMEPAGE= http://w1.fi/wpa_supplicant/
 
Index: distinfo
===================================================================
RCS file: /cvs/ports/security/wpa_supplicant/distinfo,v
retrieving revision 1.8
diff -u -p -r1.8 distinfo
--- distinfo 29 Sep 2015 11:57:54 -0000 1.8
+++ distinfo 3 Oct 2016 09:35:58 -0000
@@ -1,2 +1,2 @@
-SHA256 (wpa_supplicant-2.5.tar.gz) = zOVbrkg7Nk6uVcNbpWfCeb5ELti6tbgKPH+w0Fe5sxY=
-SIZE (wpa_supplicant-2.5.tar.gz) = 2607336
+SHA256 (wpa_supplicant-2.6.tar.gz) = tJNtNMTmzdRJVL66dCltlkvCyWaOyqUlXkmWNv4rFFA=
+SIZE (wpa_supplicant-2.6.tar.gz) = 2753524
Index: patches/patch-src_crypto_crypto_openssl_c
===================================================================
RCS file: patches/patch-src_crypto_crypto_openssl_c
diff -N patches/patch-src_crypto_crypto_openssl_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_crypto_crypto_openssl_c 3 Oct 2016 09:35:58 -0000
@@ -0,0 +1,24 @@
+$OpenBSD$
+
+Compatibility fixes for LibreSSL
+
+--- src/crypto/crypto_openssl.c.orig Mon Oct  3 11:17:18 2016
++++ src/crypto/crypto_openssl.c Mon Oct  3 11:19:25 2016
+@@ -611,7 +611,7 @@ void crypto_cipher_deinit(struct crypto_cipher *ctx)
+
+ void * dh5_init(struct wpabuf **priv, struct wpabuf **publ)
+ {
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ DH *dh;
+ struct wpabuf *pubkey = NULL, *privkey = NULL;
+ size_t publen, privlen;
+@@ -712,7 +712,7 @@ err:
+
+ void * dh5_init_fixed(const struct wpabuf *priv, const struct wpabuf *publ)
+ {
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ DH *dh;
+
+ dh = DH_new();
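Review bot: The one-line description `Compatibility fixes for LibreSSL` leaves the added `|| defined(LIBRESSL_VERSION_NUMBER)` in the dh5_init and dh5_init_fixed conditionals looking redundant, because a reader expects a library that still offers the pre-1.1 DH API to already satisfy `OPENSSL_VERSION_NUMBER < 0x10100000L`. State the mechanism in the patch header, e.g. `LibreSSL defines OPENSSL_VERSION_NUMBER as 0x20000000L, so a bare version check selects the OpenSSL 1.1 code path; force the legacy DH path explicitly under LIBRESSL_VERSION_NUMBER`. The same new file is re-posted unchanged in the follow-up diff later in the thread, where this note applies as well. Both dh5_init functions continue outside the hunk.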
Index: patches/patch-src_crypto_tls_openssl_c
===================================================================
RCS file: patches/patch-src_crypto_tls_openssl_c
diff -N patches/patch-src_crypto_tls_openssl_c
--- patches/patch-src_crypto_tls_openssl_c 29 Sep 2015 11:57:54 -0000 1.3
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,69 +0,0 @@
-$OpenBSD: patch-src_crypto_tls_openssl_c,v 1.3 2015/09/29 11:57:54 dcoppa Exp $
-
-Compatibility fixes for LibreSSL
-
---- src/crypto/tls_openssl.c.orig Sun Sep 27 21:02:05 2015
-+++ src/crypto/tls_openssl.c Mon Sep 28 13:43:46 2015
-@@ -2229,7 +2229,7 @@ static int tls_parse_pkcs12(struct tls_data *data, SSL
- }
-
- if (certs) {
--#if OPENSSL_VERSION_NUMBER >= 0x10002000L
-+#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
- SSL_clear_chain_certs(ssl);
- while ((cert = sk_X509_pop(certs)) != NULL) {
- X509_NAME_oneline(X509_get_subject_name(cert), buf,
-@@ -2247,7 +2247,7 @@ static int tls_parse_pkcs12(struct tls_data *data, SSL
- /* Try to continue anyway */
- }
- sk_X509_free(certs);
--#ifndef OPENSSL_IS_BORINGSSL
-+#if !defined(OPENSSL_IS_BORINGSSL) && !defined(LIBRESSL_VERSION_NUMBER)
- res = SSL_build_cert_chain(ssl,
-   SSL_BUILD_CHAIN_FLAG_CHECK |
-   SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR);
-@@ -2812,7 +2812,7 @@ int tls_connection_get_random(void *ssl_ctx, struct tl
- if (conn == NULL || keys == NULL)
- return -1;
- ssl = conn->ssl;
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- if (ssl == NULL || ssl->s3 == NULL || ssl->session == NULL)
- return -1;
-
-@@ -2841,7 +2841,7 @@ int tls_connection_get_random(void *ssl_ctx, struct tl
- #ifndef CONFIG_FIPS
- static int openssl_get_keyblock_size(SSL *ssl)
- {
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- const EVP_CIPHER *c;
- const EVP_MD *h;
- int md_size;
-@@ -2911,7 +2911,7 @@ static int openssl_tls_prf(struct tls_connection *conn
-   "mode");
- return -1;
- #else /* CONFIG_FIPS */
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- SSL *ssl;
- u8 *rnd;
- int ret = -1;
-@@ -3394,7 +3394,7 @@ int tls_connection_set_cipher_list(void *tls_ctx, stru
-
- wpa_printf(MSG_DEBUG, "OpenSSL: cipher suites: %s", buf + 1);
-
--#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
- #if defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || defined(EAP_SERVER_FAST)
- if (os_strstr(buf, ":ADH-")) {
- /*
-@@ -3977,7 +3977,7 @@ static int tls_sess_sec_cb(SSL *s, void *secret, int *
- struct tls_connection *conn = arg;
- int ret;
-
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- if (conn == NULL || conn->session_ticket_cb == NULL)
- return 0;
-
Index: patches/patch-src_utils_common_c
===================================================================
RCS file: patches/patch-src_utils_common_c
diff -N patches/patch-src_utils_common_c
--- patches/patch-src_utils_common_c 17 May 2016 08:29:27 -0000 1.5
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,65 +0,0 @@
-$OpenBSD: patch-src_utils_common_c,v 1.5 2016/05/17 08:29:27 dcoppa Exp $
-
-From ecbb0b3dc122b0d290987cf9c84010bbe53e1022 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <[hidden email]>
-Date: Fri, 4 Mar 2016 17:20:18 +0200
-Subject: [PATCH 1/5] WPS: Reject a Credential with invalid passphrase
-
-WPA/WPA2-Personal passphrase is not allowed to include control
-characters. Reject a Credential received from a WPS Registrar both as
-STA (Credential) and AP (AP Settings) if the credential is for WPAPSK or
-WPA2PSK authentication type and includes an invalid passphrase.
-
-This fixes an issue where hostapd or wpa_supplicant could have updated
-the configuration file PSK/passphrase parameter with arbitrary data from
-an external device (Registrar) that may not be fully trusted. Should
-such data include a newline character, the resulting configuration file
-could become invalid and fail to be parsed.
-
-Signed-off-by: Jouni Malinen <[hidden email]>
-
-From 0fe5a234240a108b294a87174ad197f6b5cb38e9 Mon Sep 17 00:00:00 2001
-From: Paul Stewart <[hidden email]>
-Date: Thu, 3 Mar 2016 15:40:19 -0800
-Subject: [PATCH 3/5] Remove newlines from wpa_supplicant config network output
-
-Spurious newlines output while writing the config file can corrupt the
-wpa_supplicant configuration. Avoid writing these for the network block
-parameters. This is a generic filter that cover cases that may not have
-been explicitly addressed with a more specific commit to avoid control
-characters in the psk parameter.
-
-Signed-off-by: Paul Stewart <[hidden email]>
-
---- src/utils/common.c.orig Sun Sep 27 21:02:05 2015
-+++ src/utils/common.c Tue May 17 09:21:02 2016
-@@ -697,6 +697,29 @@ int is_hex(const u8 *data, size_t len)
- }
-
-
-+int has_ctrl_char(const u8 *data, size_t len)
-+{
-+ size_t i;
-+
-+ for (i = 0; i < len; i++) {
-+ if (data[i] < 32 || data[i] == 127)
-+ return 1;
-+ }
-+ return 0;
-+}
-+
-+
-+int has_newline(const char *str)
-+{
-+ while (*str) {
-+ if (*str == '\n' || *str == '\r')
-+ return 1;
-+ str++;
-+ }
-+ return 0;
-+}
-+
-+
- size_t merge_byte_arrays(u8 *res, size_t res_len,
- const u8 *src1, size_t src1_len,
- const u8 *src2, size_t src2_len)
Index: patches/patch-src_utils_common_h
===================================================================
RCS file: patches/patch-src_utils_common_h
diff -N patches/patch-src_utils_common_h
--- patches/patch-src_utils_common_h 17 May 2016 08:29:27 -0000 1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,44 +0,0 @@
-$OpenBSD: patch-src_utils_common_h,v 1.1 2016/05/17 08:29:27 dcoppa Exp $
-
-From ecbb0b3dc122b0d290987cf9c84010bbe53e1022 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <[hidden email]>
-Date: Fri, 4 Mar 2016 17:20:18 +0200
-Subject: [PATCH 1/5] WPS: Reject a Credential with invalid passphrase
-
-WPA/WPA2-Personal passphrase is not allowed to include control
-characters. Reject a Credential received from a WPS Registrar both as
-STA (Credential) and AP (AP Settings) if the credential is for WPAPSK or
-WPA2PSK authentication type and includes an invalid passphrase.
-
-This fixes an issue where hostapd or wpa_supplicant could have updated
-the configuration file PSK/passphrase parameter with arbitrary data from
-an external device (Registrar) that may not be fully trusted. Should
-such data include a newline character, the resulting configuration file
-could become invalid and fail to be parsed.
-
-Signed-off-by: Jouni Malinen <[hidden email]>
-
-From 0fe5a234240a108b294a87174ad197f6b5cb38e9 Mon Sep 17 00:00:00 2001
-From: Paul Stewart <[hidden email]>
-Date: Thu, 3 Mar 2016 15:40:19 -0800
-Subject: [PATCH 3/5] Remove newlines from wpa_supplicant config network output
-
-Spurious newlines output while writing the config file can corrupt the
-wpa_supplicant configuration. Avoid writing these for the network block
-parameters. This is a generic filter that cover cases that may not have
-been explicitly addressed with a more specific commit to avoid control
-characters in the psk parameter.
-
-Signed-off-by: Paul Stewart <[hidden email]>
-
---- src/utils/common.h.orig Sun Sep 27 21:02:05 2015
-+++ src/utils/common.h Tue May 17 09:21:02 2016
-@@ -477,6 +477,8 @@ const char * wpa_ssid_txt(const u8 *ssid, size_t ssid_
-
- char * wpa_config_parse_string(const char *value, size_t *len);
- int is_hex(const u8 *data, size_t len);
-+int has_ctrl_char(const u8 *data, size_t len);
-+int has_newline(const char *str);
- size_t merge_byte_arrays(u8 *res, size_t res_len,
- const u8 *src1, size_t src1_len,
- const u8 *src2, size_t src2_len);
Index: patches/patch-src_utils_eloop_c
===================================================================
RCS file: /cvs/ports/security/wpa_supplicant/patches/patch-src_utils_eloop_c,v
retrieving revision 1.6
diff -u -p -r1.6 patch-src_utils_eloop_c
--- patches/patch-src_utils_eloop_c 17 May 2016 08:29:27 -0000 1.6
+++ patches/patch-src_utils_eloop_c 3 Oct 2016 09:35:58 -0000
@@ -3,9 +3,9 @@ $OpenBSD: patch-src_utils_eloop_c,v 1.6
 Don't try to access list members to free them unless already
 initialised
 
---- src/utils/eloop.c.orig Sun Sep 27 21:02:05 2015
-+++ src/utils/eloop.c Mon Sep 28 09:35:05 2015
-@@ -1064,6 +1064,9 @@ void eloop_destroy(void)
+--- src/utils/eloop.c.orig Sun Oct  2 20:51:11 2016
++++ src/utils/eloop.c Mon Oct  3 11:06:38 2016
+@@ -1249,6 +1249,9 @@ void eloop_destroy(void)
  struct eloop_timeout *timeout, *prev;
  struct os_reltime now;
 
Index: patches/patch-src_wps_wps_attr_process_c
===================================================================
RCS file: patches/patch-src_wps_wps_attr_process_c
diff -N patches/patch-src_wps_wps_attr_process_c
--- patches/patch-src_wps_wps_attr_process_c 17 May 2016 08:29:27 -0000 1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,39 +0,0 @@
-$OpenBSD: patch-src_wps_wps_attr_process_c,v 1.1 2016/05/17 08:29:27 dcoppa Exp $
-
-From ecbb0b3dc122b0d290987cf9c84010bbe53e1022 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <[hidden email]>
-Date: Fri, 4 Mar 2016 17:20:18 +0200
-Subject: [PATCH 1/5] WPS: Reject a Credential with invalid passphrase
-
-WPA/WPA2-Personal passphrase is not allowed to include control
-characters. Reject a Credential received from a WPS Registrar both as
-STA (Credential) and AP (AP Settings) if the credential is for WPAPSK or
-WPA2PSK authentication type and includes an invalid passphrase.
-
-This fixes an issue where hostapd or wpa_supplicant could have updated
-the configuration file PSK/passphrase parameter with arbitrary data from
-an external device (Registrar) that may not be fully trusted. Should
-such data include a newline character, the resulting configuration file
-could become invalid and fail to be parsed.
-
-Signed-off-by: Jouni Malinen <[hidden email]>
-
---- src/wps/wps_attr_process.c.orig Sun Sep 27 21:02:05 2015
-+++ src/wps/wps_attr_process.c Tue May 17 09:21:02 2016
-@@ -229,6 +229,16 @@ static int wps_workaround_cred_key(struct wps_credenti
- cred->key_len--;
- #endif /* CONFIG_WPS_STRICT */
- }
-+
-+
-+ if (cred->auth_type & (WPS_AUTH_WPAPSK | WPS_AUTH_WPA2PSK) &&
-+    (cred->key_len < 8 || has_ctrl_char(cred->key, cred->key_len))) {
-+ wpa_printf(MSG_INFO, "WPS: Reject credential with invalid WPA/WPA2-Personal passphrase");
-+ wpa_hexdump_ascii_key(MSG_INFO, "WPS: Network Key",
-+      cred->key, cred->key_len);
-+ return -1;
-+ }
-+
- return 0;
- }
-
Index: patches/patch-wpa_supplicant_Makefile
===================================================================
RCS file: /cvs/ports/security/wpa_supplicant/patches/patch-wpa_supplicant_Makefile,v
retrieving revision 1.8
diff -u -p -r1.8 patch-wpa_supplicant_Makefile
--- patches/patch-wpa_supplicant_Makefile 29 Sep 2015 11:57:54 -0000 1.8
+++ patches/patch-wpa_supplicant_Makefile 3 Oct 2016 09:35:58 -0000
@@ -1,7 +1,7 @@
 $OpenBSD: patch-wpa_supplicant_Makefile,v 1.8 2015/09/29 11:57:54 dcoppa Exp $
---- wpa_supplicant/Makefile.orig Mon Sep 28 09:36:07 2015
-+++ wpa_supplicant/Makefile Mon Sep 28 09:36:36 2015
-@@ -131,16 +131,6 @@ endif
+--- wpa_supplicant/Makefile.orig Sun Oct  2 20:51:11 2016
++++ wpa_supplicant/Makefile Mon Oct  3 11:06:38 2016
+@@ -153,16 +153,6 @@ endif
  OBJS += ../src/utils/$(CONFIG_ELOOP).o
  OBJS_c += ../src/utils/$(CONFIG_ELOOP).o
 
Index: patches/patch-wpa_supplicant_config_c
===================================================================
RCS file: patches/patch-wpa_supplicant_config_c
diff -N patches/patch-wpa_supplicant_config_c
--- patches/patch-wpa_supplicant_config_c 17 May 2016 08:29:27 -0000 1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,169 +0,0 @@
-$OpenBSD: patch-wpa_supplicant_config_c,v 1.1 2016/05/17 08:29:27 dcoppa Exp $
-
-From 73e4abb24a936014727924d8b0b2965edfc117dd Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <[hidden email]>
-Date: Fri, 4 Mar 2016 18:46:41 +0200
-Subject: [PATCH 2/5] Reject psk parameter set with invalid passphrase character
-
-WPA/WPA2-Personal passphrase is not allowed to include control
-characters. Reject a passphrase configuration attempt if that passphrase
-includes an invalid passphrase.
-
-This fixes an issue where wpa_supplicant could have updated the
-configuration file psk parameter with arbitrary data from the control
-interface or D-Bus interface. While those interfaces are supposed to be
-accessible only for trusted users/applications, it may be possible that
-an untrusted user has access to a management software component that
-does not validate the passphrase value before passing it to
-wpa_supplicant.
-
-This could allow such an untrusted user to inject up to 63 characters of
-almost arbitrary data into the configuration file. Such configuration
-file could result in wpa_supplicant trying to load a library (e.g.,
-opensc_engine_path, pkcs11_engine_path, pkcs11_module_path,
-load_dynamic_eap) from user controlled location when starting again.
-This would allow code from that library to be executed under the
-wpa_supplicant process privileges.
-
-Signed-off-by: Jouni Malinen <[hidden email]>
-
-From 0fe5a234240a108b294a87174ad197f6b5cb38e9 Mon Sep 17 00:00:00 2001
-From: Paul Stewart <[hidden email]>
-Date: Thu, 3 Mar 2016 15:40:19 -0800
-Subject: [PATCH 3/5] Remove newlines from wpa_supplicant config network output
-
-Spurious newlines output while writing the config file can corrupt the
-wpa_supplicant configuration. Avoid writing these for the network block
-parameters. This is a generic filter that cover cases that may not have
-been explicitly addressed with a more specific commit to avoid control
-characters in the psk parameter.
-
-Signed-off-by: Paul Stewart <[hidden email]>
-
-From b166cd84a77a6717be9600bf95378a0055d6f5a5 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <[hidden email]>
-Date: Tue, 5 Apr 2016 23:33:10 +0300
-Subject: [PATCH 4/5] Reject SET_CRED commands with newline characters in the string values
-
-Most of the cred block parameters are written as strings without
-filtering and if there is an embedded newline character in the value,
-unexpected configuration file data might be written.
-
-This fixes an issue where wpa_supplicant could have updated the
-configuration file cred parameter with arbitrary data from the control
-interface or D-Bus interface. While those interfaces are supposed to be
-accessible only for trusted users/applications, it may be possible that
-an untrusted user has access to a management software component that
-does not validate the credential value before passing it to
-wpa_supplicant.
-
-This could allow such an untrusted user to inject almost arbitrary data
-into the configuration file. Such configuration file could result in
-wpa_supplicant trying to load a library (e.g., opensc_engine_path,
-pkcs11_engine_path, pkcs11_module_path, load_dynamic_eap) from user
-controlled location when starting again. This would allow code from that
-library to be executed under the wpa_supplicant process privileges.
-
-Signed-off-by: Jouni Malinen <[hidden email]>
-
-From 2a3f56502b52375c3bf113cf92adfa99bad6b488 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <[hidden email]>
-Date: Tue, 5 Apr 2016 23:55:48 +0300
-Subject: [PATCH 5/5] Reject SET commands with newline characters in the string values
-
-Many of the global configuration parameters are written as strings
-without filtering and if there is an embedded newline character in the
-value, unexpected configuration file data might be written.
-
-This fixes an issue where wpa_supplicant could have updated the
-configuration file global parameter with arbitrary data from the control
-interface or D-Bus interface. While those interfaces are supposed to be
-accessible only for trusted users/applications, it may be possible that
-an untrusted user has access to a management software component that
-does not validate the value of a parameter before passing it to
-wpa_supplicant.
-
-This could allow such an untrusted user to inject almost arbitrary data
-into the configuration file. Such configuration file could result in
-wpa_supplicant trying to load a library (e.g., opensc_engine_path,
-pkcs11_engine_path, pkcs11_module_path, load_dynamic_eap) from user
-controlled location when starting again. This would allow code from that
-library to be executed under the wpa_supplicant process privileges.
-
-Signed-off-by: Jouni Malinen <[hidden email]>
-
---- wpa_supplicant/config.c.orig Sun Sep 27 21:02:05 2015
-+++ wpa_supplicant/config.c Tue May 17 09:21:02 2016
-@@ -456,6 +456,12 @@ static int wpa_config_parse_psk(const struct parse_dat
- }
- wpa_hexdump_ascii_key(MSG_MSGDUMP, "PSK (ASCII passphrase)",
-      (u8 *) value, len);
-+ if (has_ctrl_char((u8 *) value, len)) {
-+ wpa_printf(MSG_ERROR,
-+   "Line %d: Invalid passphrase character",
-+   line);
-+ return -1;
-+ }
- if (ssid->passphrase && os_strlen(ssid->passphrase) == len &&
-    os_memcmp(ssid->passphrase, value, len) == 0)
- return 0;
-@@ -2604,8 +2610,19 @@ char * wpa_config_get(struct wpa_ssid *ssid, const cha
-
- for (i = 0; i < NUM_SSID_FIELDS; i++) {
- const struct parse_data *field = &ssid_fields[i];
-- if (os_strcmp(var, field->name) == 0)
-- return field->writer(field, ssid);
-+ if (os_strcmp(var, field->name) == 0) {
-+ char *ret = field->writer(field, ssid);
-+
-+ if (ret && has_newline(ret)) {
-+ wpa_printf(MSG_ERROR,
-+   "Found newline in value for %s; not returning it",
-+   var);
-+ os_free(ret);
-+ ret = NULL;
-+ }
-+
-+ return ret;
-+ }
- }
-
- return NULL;
-@@ -2790,6 +2807,8 @@ int wpa_config_set_cred(struct wpa_cred *cred, const c
-
- if (os_strcmp(var, "password") == 0 &&
-    os_strncmp(value, "ext:", 4) == 0) {
-+ if (has_newline(value))
-+ return -1;
- str_clear_free(cred->password);
- cred->password = os_strdup(value);
- cred->ext_password = 1;
-@@ -2840,9 +2859,14 @@ int wpa_config_set_cred(struct wpa_cred *cred, const c
- }
-
- val = wpa_config_parse_string(value, &len);
-- if (val == NULL) {
-+ if (val == NULL ||
-+    (os_strcmp(var, "excluded_ssid") != 0 &&
-+     os_strcmp(var, "roaming_consortium") != 0 &&
-+     os_strcmp(var, "required_roaming_consortium") != 0 &&
-+     has_newline(val))) {
- wpa_printf(MSG_ERROR, "Line %d: invalid field '%s' string "
-   "value '%s'.", line, var, value);
-+ os_free(val);
- return -1;
- }
-
-@@ -3643,6 +3667,12 @@ static int wpa_global_config_parse_str(const struct gl
- wpa_printf(MSG_ERROR, "Line %d: too long %s (len=%lu "
-   "max_len=%ld)", line, data->name,
-   (unsigned long) len, (long) data->param3);
-+ return -1;
-+ }
-+
-+ if (has_newline(pos)) {
-+ wpa_printf(MSG_ERROR, "Line %d: invalid %s value with newline",
-+   line, data->name);
- return -1;
- }
-
Index: patches/patch-wpa_supplicant_main_c
===================================================================
RCS file: /cvs/ports/security/wpa_supplicant/patches/patch-wpa_supplicant_main_c,v
retrieving revision 1.2
diff -u -p -r1.2 patch-wpa_supplicant_main_c
--- patches/patch-wpa_supplicant_main_c 29 Sep 2015 11:57:54 -0000 1.2
+++ patches/patch-wpa_supplicant_main_c 3 Oct 2016 09:35:58 -0000
@@ -2,19 +2,19 @@ $OpenBSD: patch-wpa_supplicant_main_c,v
 
 Remove Linuxisms from usage()
 
---- wpa_supplicant/main.c.orig Sun Sep 27 21:02:05 2015
-+++ wpa_supplicant/main.c Mon Sep 28 09:35:05 2015
-@@ -68,7 +68,7 @@ static void usage(void)
-       "  -i = interface name\n"
-       "  -I = additional configuration file\n"
+--- wpa_supplicant/main.c.orig Mon Oct  3 11:10:23 2016
++++ wpa_supplicant/main.c Mon Oct  3 11:11:42 2016
+@@ -66,7 +66,7 @@ static void usage(void)
+       "  -c = Configuration file\n"
+       "  -C = ctrl_interface parameter (only used if -c is not)\n"
        "  -d = increase debugging verbosity (-dd even more)\n"
 -       "  -D = driver name (can be multiple drivers: nl80211,wext)\n"
 +       "  -D = driver name\n"
-       "  -e = entropy file\n");
+       "  -e = entropy file\n"
  #ifdef CONFIG_DEBUG_FILE
- printf("  -f = log output to debug file instead of stdout\n");
-@@ -102,8 +102,7 @@ static void usage(void)
-       "  -N = start describing new interface\n");
+       "  -f = log output to debug file instead of stdout\n"
+@@ -105,8 +105,7 @@ static void usage(void)
+       "  -W = wait for a control interface monitor before starting\n");
 
  printf("example:\n"
 -       "  wpa_supplicant -D%s -iwlan0 -c/etc/wpa_supplicant.conf\n",


Re: Update: wpa_supplicant 2.6

Edd Barrett-3
Hi David,

On Mon, Oct 03, 2016 at 11:36:22AM +0200, David Coppa wrote:
> New release for wpa_supplicant.
>
> As usual, please test it with your setup.

Testing against eduroam:

---8<---
$ doas wpa_supplicant -i iwn0 -c /etc/wpa_supplicant.conf
Successfully initialized wpa_supplicant
SSL: Failed to initialize TLS context.
Failed to initialize EAPOL state machines.
--->8---

My config file looks like this:

---8<---
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
ap_scan=0

network={
    ssid="eduroam"
        key_mgmt=WPA-EAP
        eap=PEAP
        phase1="peaplabel=0"
        phase2="auth=MSCHAPV2"
        identity="xxx"
        password="xxx"
}
--->8---

(The in-tree version works fine)

Cheers

--
Best Regards
Edd Barrett

http://www.theunixzoo.co.uk


Re: Update: wpa_supplicant 2.6

David Coppa
On Mon, Oct 3, 2016 at 1:22 PM, Edd Barrett <[hidden email]> wrote:

> Hi David,
>
> On Mon, Oct 03, 2016 at 11:36:22AM +0200, David Coppa wrote:
>> New release for wpa_supplicant.
>>
>> As usual, please test it with your setup.
>
> Testing against eduroam:
>
> ---8<---
> $ doas wpa_supplicant -i iwn0 -c /etc/wpa_supplicant.conf
> Successfully initialized wpa_supplicant
> SSL: Failed to initialize TLS context.
> Failed to initialize EAPOL state machines.
> --->8---
>
> My config file looks like this:
>
> ---8<---
> ctrl_interface=/var/run/wpa_supplicant
> ctrl_interface_group=wheel
> ap_scan=0
>
> network={
>     ssid="eduroam"
>         key_mgmt=WPA-EAP
>         eap=PEAP
>         phase1="peaplabel=0"
>         phase2="auth=MSCHAPV2"
>         identity="xxx"
>         password="xxx"
> }
> --->8---
>
> (The in-tree version works fine)

Can you try again with:

$ doas wpa_supplicant -dd -i iwn0 -c /etc/wpa_supplicant.conf

And send me the output?

Thanks,
David


Question for LibreSSL hackers (was: Update: wpa_supplicant 2.6)

David Coppa

On Mon, Oct 3, 2016 at 1:22 PM, Edd Barrett <[hidden email]> wrote:

> Testing against eduroam:
>
> ---8<---
> $ doas wpa_supplicant -i iwn0 -c /etc/wpa_supplicant.conf
> Successfully initialized wpa_supplicant
> SSL: Failed to initialize TLS context.
> Failed to initialize EAPOL state machines.
> --->8---
>

On Tue, 04 Oct 2016, Laurence Tratt wrote:

> On Tue, Oct 04, 2016 at 02:09:30PM +0200, David Coppa wrote:
>
> Hello David,
>
> I'll give this a try on Thursday (which is the next time I'm around such a
> network) and let you know.
>
>
> Laurie

Hi again,

I finally got access to a proper 802.1x LAN and I was able to
reproduce and fix this issue.

New diff below.

But now I have a question for the LibreSSL hackers...

I suspect all the

#if OPENSSL_VERSION_NUMBER < 0x10100000L

conditionals should be:

#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)

Is this true?

Changing two of these #if statements fixed the problem reported by
Edd and Laurie, but I could find them quite easily by diffing between
wpa_supplicant-2.5 and wpa_supplicant-2.6.

Can you have a look at the attached tls_openssl.c file and tell me
whether my analysis is correct and which of the
"#if OPENSSL_VERSION_NUMBER < 0x10100000L"
conditionals should be changed?

I'm particularly interested in this one (line 3979 of 4333):

---8<---
#if defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || defined(EAP_SERVER_FAST)
#if OPENSSL_VERSION_NUMBER < 0x10100000L
        if (params->flags & TLS_CONN_EAP_FAST) {
                wpa_printf(MSG_DEBUG,
                        "OpenSSL: Use TLSv1_method() for EAP-FAST");
                if (SSL_set_ssl_method(conn->ssl, TLSv1_method()) != 1) {
                        tls_show_errors(MSG_INFO, __func__,
                                "Failed to set TLSv1_method() for EAP-FAST");
                        return -1;
                }
        }
#endif
#endif /* EAP_FAST || EAP_FAST_DYNAMIC || EAP_SERVER_FAST */
---8<---

Because it was already the same in wpa_supplicant-2.5, and I cannot
fully understand this chunk of code.

Ciao!
David

Index: Makefile
===================================================================
RCS file: /cvs/ports/security/wpa_supplicant/Makefile,v
retrieving revision 1.33
diff -u -p -r1.33 Makefile
--- Makefile 17 May 2016 08:29:27 -0000 1.33
+++ Makefile 5 Oct 2016 12:17:46 -0000
@@ -2,9 +2,8 @@
 
 COMMENT= IEEE 802.1X supplicant
 
-DISTNAME= wpa_supplicant-2.5
+DISTNAME= wpa_supplicant-2.6
 CATEGORIES= security net
-REVISION= 1
 
 HOMEPAGE= http://w1.fi/wpa_supplicant/
 
Index: distinfo
===================================================================
RCS file: /cvs/ports/security/wpa_supplicant/distinfo,v
retrieving revision 1.8
diff -u -p -r1.8 distinfo
--- distinfo 29 Sep 2015 11:57:54 -0000 1.8
+++ distinfo 5 Oct 2016 12:17:46 -0000
@@ -1,2 +1,2 @@
-SHA256 (wpa_supplicant-2.5.tar.gz) = zOVbrkg7Nk6uVcNbpWfCeb5ELti6tbgKPH+w0Fe5sxY=
-SIZE (wpa_supplicant-2.5.tar.gz) = 2607336
+SHA256 (wpa_supplicant-2.6.tar.gz) = tJNtNMTmzdRJVL66dCltlkvCyWaOyqUlXkmWNv4rFFA=
+SIZE (wpa_supplicant-2.6.tar.gz) = 2753524
Index: patches/patch-src_crypto_crypto_openssl_c
===================================================================
RCS file: patches/patch-src_crypto_crypto_openssl_c
diff -N patches/patch-src_crypto_crypto_openssl_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_crypto_crypto_openssl_c 5 Oct 2016 12:17:46 -0000
@@ -0,0 +1,24 @@
+$OpenBSD$
+
+Compatibility fixes for LibreSSL
+
+--- src/crypto/crypto_openssl.c.orig Mon Oct  3 11:17:18 2016
++++ src/crypto/crypto_openssl.c Mon Oct  3 11:19:25 2016
+@@ -611,7 +611,7 @@ void crypto_cipher_deinit(struct crypto_cipher *ctx)
+
+ void * dh5_init(struct wpabuf **priv, struct wpabuf **publ)
+ {
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ DH *dh;
+ struct wpabuf *pubkey = NULL, *privkey = NULL;
+ size_t publen, privlen;
+@@ -712,7 +712,7 @@ err:
+
+ void * dh5_init_fixed(const struct wpabuf *priv, const struct wpabuf *publ)
+ {
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ DH *dh;
+
+ dh = DH_new();
Index: patches/patch-src_crypto_tls_openssl_c
===================================================================
RCS file: /cvs/ports/security/wpa_supplicant/patches/patch-src_crypto_tls_openssl_c,v
retrieving revision 1.3
diff -u -p -r1.3 patch-src_crypto_tls_openssl_c
--- patches/patch-src_crypto_tls_openssl_c 29 Sep 2015 11:57:54 -0000 1.3
+++ patches/patch-src_crypto_tls_openssl_c 5 Oct 2016 12:17:46 -0000
@@ -4,66 +4,21 @@ Compatibility fixes for LibreSSL
 
 --- src/crypto/tls_openssl.c.orig Sun Sep 27 21:02:05 2015
 +++ src/crypto/tls_openssl.c Mon Sep 28 13:43:46 2015
-@@ -2229,7 +2229,7 @@ static int tls_parse_pkcs12(struct tls_data *data, SSL
- }
-
- if (certs) {
--#if OPENSSL_VERSION_NUMBER >= 0x10002000L
-+#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
- SSL_clear_chain_certs(ssl);
- while ((cert = sk_X509_pop(certs)) != NULL) {
- X509_NAME_oneline(X509_get_subject_name(cert), buf,
-@@ -2247,7 +2247,7 @@ static int tls_parse_pkcs12(struct tls_data *data, SSL
- /* Try to continue anyway */
+@@ -919,7 +919,7 @@ void * tls_init(const struct tls_config *conf)
  }
- sk_X509_free(certs);
--#ifndef OPENSSL_IS_BORINGSSL
-+#if !defined(OPENSSL_IS_BORINGSSL) && !defined(LIBRESSL_VERSION_NUMBER)
- res = SSL_build_cert_chain(ssl,
-   SSL_BUILD_CHAIN_FLAG_CHECK |
-   SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR);
-@@ -2812,7 +2812,7 @@ int tls_connection_get_random(void *ssl_ctx, struct tl
- if (conn == NULL || keys == NULL)
- return -1;
- ssl = conn->ssl;
+ #endif /* OPENSSL_FIPS */
+ #endif /* CONFIG_FIPS */
 -#if OPENSSL_VERSION_NUMBER < 0x10100000L
 +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- if (ssl == NULL || ssl->s3 == NULL || ssl->session == NULL)
- return -1;
+ SSL_load_error_strings();
+ SSL_library_init();
+ #ifndef OPENSSL_NO_SHA256
+@@ -1043,7 +1043,7 @@ void tls_deinit(void *ssl_ctx)
 
-@@ -2841,7 +2841,7 @@ int tls_connection_get_random(void *ssl_ctx, struct tl
- #ifndef CONFIG_FIPS
- static int openssl_get_keyblock_size(SSL *ssl)
- {
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- const EVP_CIPHER *c;
- const EVP_MD *h;
- int md_size;
-@@ -2911,7 +2911,7 @@ static int openssl_tls_prf(struct tls_connection *conn
-   "mode");
- return -1;
- #else /* CONFIG_FIPS */
+ tls_openssl_ref_count--;
+ if (tls_openssl_ref_count == 0) {
 -#if OPENSSL_VERSION_NUMBER < 0x10100000L
 +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- SSL *ssl;
- u8 *rnd;
- int ret = -1;
-@@ -3394,7 +3394,7 @@ int tls_connection_set_cipher_list(void *tls_ctx, stru
-
- wpa_printf(MSG_DEBUG, "OpenSSL: cipher suites: %s", buf + 1);
-
--#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
- #if defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || defined(EAP_SERVER_FAST)
- if (os_strstr(buf, ":ADH-")) {
- /*
-@@ -3977,7 +3977,7 @@ static int tls_sess_sec_cb(SSL *s, void *secret, int *
- struct tls_connection *conn = arg;
- int ret;
-
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- if (conn == NULL || conn->session_ticket_cb == NULL)
- return 0;
-
+ #ifndef OPENSSL_NO_ENGINE
+ ENGINE_cleanup();
+ #endif /* OPENSSL_NO_ENGINE */
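Review bot: The patch header kept as context (`--- src/crypto/tls_openssl.c.orig Sun Sep 27 21:02:05 2015` / `+++ ... Mon Sep 28 13:43:46 2015`) still carries the 2.5-era timestamps while the new hunk offsets `@@ -919,7 +919,7 @@ void * tls_init` and `@@ -1043,7 +1043,7 @@ void tls_deinit` belong to the 2.6 tree; regenerate the header the way the sibling patch-src_crypto_crypto_openssl_c in this diff does (Oct 2016 stamps) so the file reflects the source it was actually made against. The description `Compatibility fixes for LibreSSL` is also worth expanding to say why the `|| defined(LIBRESSL_VERSION_NUMBER)` is needed, e.g. `LibreSSL reports OPENSSL_VERSION_NUMBER 0x20000000L, so the < 0x10100000L checks alone would select the OpenSSL 1.1 init/deinit path; force the legacy SSL_library_init()/ENGINE_cleanup() path under LIBRESSL_VERSION_NUMBER`. With only tls_init and tls_deinit now patched, the other `< 0x10100000L` conditionals the dropped hunks used to cover (tls_connection_get_random, openssl_get_keyblock_size, openssl_tls_prf, tls_sess_sec_cb) presumably still compile their 1.1 branch under LibreSSL, so the keying-material export and session-ticket paths deserve a run against an EAP network before commit. tls_init and tls_deinit both continue outside the hunk.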
Index: patches/patch-src_utils_common_c
===================================================================
RCS file: patches/patch-src_utils_common_c
diff -N patches/patch-src_utils_common_c
--- patches/patch-src_utils_common_c 17 May 2016 08:29:27 -0000 1.5
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,65 +0,0 @@
-$OpenBSD: patch-src_utils_common_c,v 1.5 2016/05/17 08:29:27 dcoppa Exp $
-
-From ecbb0b3dc122b0d290987cf9c84010bbe53e1022 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <[hidden email]>
-Date: Fri, 4 Mar 2016 17:20:18 +0200
-Subject: [PATCH 1/5] WPS: Reject a Credential with invalid passphrase
-
-WPA/WPA2-Personal passphrase is not allowed to include control
-characters. Reject a Credential received from a WPS Registrar both as
-STA (Credential) and AP (AP Settings) if the credential is for WPAPSK or
-WPA2PSK authentication type and includes an invalid passphrase.
-
-This fixes an issue where hostapd or wpa_supplicant could have updated
-the configuration file PSK/passphrase parameter with arbitrary data from
-an external device (Registrar) that may not be fully trusted. Should
-such data include a newline character, the resulting configuration file
-could become invalid and fail to be parsed.
-
-Signed-off-by: Jouni Malinen <[hidden email]>
-
-From 0fe5a234240a108b294a87174ad197f6b5cb38e9 Mon Sep 17 00:00:00 2001
-From: Paul Stewart <[hidden email]>
-Date: Thu, 3 Mar 2016 15:40:19 -0800
-Subject: [PATCH 3/5] Remove newlines from wpa_supplicant config network output
-
-Spurious newlines output while writing the config file can corrupt the
-wpa_supplicant configuration. Avoid writing these for the network block
-parameters. This is a generic filter that cover cases that may not have
-been explicitly addressed with a more specific commit to avoid control
-characters in the psk parameter.
-
-Signed-off-by: Paul Stewart <[hidden email]>
-
---- src/utils/common.c.orig Sun Sep 27 21:02:05 2015
-+++ src/utils/common.c Tue May 17 09:21:02 2016
-@@ -697,6 +697,29 @@ int is_hex(const u8 *data, size_t len)
- }
-
-
-+int has_ctrl_char(const u8 *data, size_t len)
-+{
-+ size_t i;
-+
-+ for (i = 0; i < len; i++) {
-+ if (data[i] < 32 || data[i] == 127)
-+ return 1;
-+ }
-+ return 0;
-+}
-+
-+
-+int has_newline(const char *str)
-+{
-+ while (*str) {
-+ if (*str == '\n' || *str == '\r')
-+ return 1;
-+ str++;
-+ }
-+ return 0;
-+}
-+
-+
- size_t merge_byte_arrays(u8 *res, size_t res_len,
- const u8 *src1, size_t src1_len,
- const u8 *src2, size_t src2_len)
Index: patches/patch-src_utils_common_h
===================================================================
RCS file: patches/patch-src_utils_common_h
diff -N patches/patch-src_utils_common_h
--- patches/patch-src_utils_common_h 17 May 2016 08:29:27 -0000 1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,44 +0,0 @@
-$OpenBSD: patch-src_utils_common_h,v 1.1 2016/05/17 08:29:27 dcoppa Exp $
-
-From ecbb0b3dc122b0d290987cf9c84010bbe53e1022 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <[hidden email]>
-Date: Fri, 4 Mar 2016 17:20:18 +0200
-Subject: [PATCH 1/5] WPS: Reject a Credential with invalid passphrase
-
-WPA/WPA2-Personal passphrase is not allowed to include control
-characters. Reject a Credential received from a WPS Registrar both as
-STA (Credential) and AP (AP Settings) if the credential is for WPAPSK or
-WPA2PSK authentication type and includes an invalid passphrase.
-
-This fixes an issue where hostapd or wpa_supplicant could have updated
-the configuration file PSK/passphrase parameter with arbitrary data from
-an external device (Registrar) that may not be fully trusted. Should
-such data include a newline character, the resulting configuration file
-could become invalid and fail to be parsed.
-
-Signed-off-by: Jouni Malinen <[hidden email]>
-
-From 0fe5a234240a108b294a87174ad197f6b5cb38e9 Mon Sep 17 00:00:00 2001
-From: Paul Stewart <[hidden email]>
-Date: Thu, 3 Mar 2016 15:40:19 -0800
-Subject: [PATCH 3/5] Remove newlines from wpa_supplicant config network output
-
-Spurious newlines output while writing the config file can corrupt the
-wpa_supplicant configuration. Avoid writing these for the network block
-parameters. This is a generic filter that cover cases that may not have
-been explicitly addressed with a more specific commit to avoid control
-characters in the psk parameter.
-
-Signed-off-by: Paul Stewart <[hidden email]>
-
---- src/utils/common.h.orig Sun Sep 27 21:02:05 2015
-+++ src/utils/common.h Tue May 17 09:21:02 2016
-@@ -477,6 +477,8 @@ const char * wpa_ssid_txt(const u8 *ssid, size_t ssid_
-
- char * wpa_config_parse_string(const char *value, size_t *len);
- int is_hex(const u8 *data, size_t len);
-+int has_ctrl_char(const u8 *data, size_t len);
-+int has_newline(const char *str);
- size_t merge_byte_arrays(u8 *res, size_t res_len,
- const u8 *src1, size_t src1_len,
- const u8 *src2, size_t src2_len);
Index: patches/patch-src_utils_eloop_c
===================================================================
RCS file: /cvs/ports/security/wpa_supplicant/patches/patch-src_utils_eloop_c,v
retrieving revision 1.6
diff -u -p -r1.6 patch-src_utils_eloop_c
--- patches/patch-src_utils_eloop_c 17 May 2016 08:29:27 -0000 1.6
+++ patches/patch-src_utils_eloop_c 5 Oct 2016 12:17:46 -0000
@@ -3,9 +3,9 @@ $OpenBSD: patch-src_utils_eloop_c,v 1.6
 Don't try to access list members to free them unless already
 initialised
 
---- src/utils/eloop.c.orig Sun Sep 27 21:02:05 2015
-+++ src/utils/eloop.c Mon Sep 28 09:35:05 2015
-@@ -1064,6 +1064,9 @@ void eloop_destroy(void)
+--- src/utils/eloop.c.orig Sun Oct  2 20:51:11 2016
++++ src/utils/eloop.c Mon Oct  3 11:06:38 2016
+@@ -1249,6 +1249,9 @@ void eloop_destroy(void)
  struct eloop_timeout *timeout, *prev;
  struct os_reltime now;
 
Index: patches/patch-src_wps_wps_attr_process_c
===================================================================
RCS file: patches/patch-src_wps_wps_attr_process_c
diff -N patches/patch-src_wps_wps_attr_process_c
--- patches/patch-src_wps_wps_attr_process_c 17 May 2016 08:29:27 -0000 1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,39 +0,0 @@
-$OpenBSD: patch-src_wps_wps_attr_process_c,v 1.1 2016/05/17 08:29:27 dcoppa Exp $
-
-From ecbb0b3dc122b0d290987cf9c84010bbe53e1022 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <[hidden email]>
-Date: Fri, 4 Mar 2016 17:20:18 +0200
-Subject: [PATCH 1/5] WPS: Reject a Credential with invalid passphrase
-
-WPA/WPA2-Personal passphrase is not allowed to include control
-characters. Reject a Credential received from a WPS Registrar both as
-STA (Credential) and AP (AP Settings) if the credential is for WPAPSK or
-WPA2PSK authentication type and includes an invalid passphrase.
-
-This fixes an issue where hostapd or wpa_supplicant could have updated
-the configuration file PSK/passphrase parameter with arbitrary data from
-an external device (Registrar) that may not be fully trusted. Should
-such data include a newline character, the resulting configuration file
-could become invalid and fail to be parsed.
-
-Signed-off-by: Jouni Malinen <[hidden email]>
-
---- src/wps/wps_attr_process.c.orig Sun Sep 27 21:02:05 2015
-+++ src/wps/wps_attr_process.c Tue May 17 09:21:02 2016
-@@ -229,6 +229,16 @@ static int wps_workaround_cred_key(struct wps_credenti
- cred->key_len--;
- #endif /* CONFIG_WPS_STRICT */
- }
-+
-+
-+ if (cred->auth_type & (WPS_AUTH_WPAPSK | WPS_AUTH_WPA2PSK) &&
-+    (cred->key_len < 8 || has_ctrl_char(cred->key, cred->key_len))) {
-+ wpa_printf(MSG_INFO, "WPS: Reject credential with invalid WPA/WPA2-Personal passphrase");
-+ wpa_hexdump_ascii_key(MSG_INFO, "WPS: Network Key",
-+      cred->key, cred->key_len);
-+ return -1;
-+ }
-+
- return 0;
- }
-
Index: patches/patch-wpa_supplicant_Makefile
===================================================================
RCS file: /cvs/ports/security/wpa_supplicant/patches/patch-wpa_supplicant_Makefile,v
retrieving revision 1.8
diff -u -p -r1.8 patch-wpa_supplicant_Makefile
--- patches/patch-wpa_supplicant_Makefile 29 Sep 2015 11:57:54 -0000 1.8
+++ patches/patch-wpa_supplicant_Makefile 5 Oct 2016 12:17:46 -0000
@@ -1,7 +1,7 @@
 $OpenBSD: patch-wpa_supplicant_Makefile,v 1.8 2015/09/29 11:57:54 dcoppa Exp $
---- wpa_supplicant/Makefile.orig Mon Sep 28 09:36:07 2015
-+++ wpa_supplicant/Makefile Mon Sep 28 09:36:36 2015
-@@ -131,16 +131,6 @@ endif
+--- wpa_supplicant/Makefile.orig Sun Oct  2 20:51:11 2016
++++ wpa_supplicant/Makefile Mon Oct  3 11:06:38 2016
+@@ -153,16 +153,6 @@ endif
  OBJS += ../src/utils/$(CONFIG_ELOOP).o
  OBJS_c += ../src/utils/$(CONFIG_ELOOP).o
 
Index: patches/patch-wpa_supplicant_config_c
===================================================================
RCS file: patches/patch-wpa_supplicant_config_c
diff -N patches/patch-wpa_supplicant_config_c
--- patches/patch-wpa_supplicant_config_c 17 May 2016 08:29:27 -0000 1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,169 +0,0 @@
-$OpenBSD: patch-wpa_supplicant_config_c,v 1.1 2016/05/17 08:29:27 dcoppa Exp $
-
-From 73e4abb24a936014727924d8b0b2965edfc117dd Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <[hidden email]>
-Date: Fri, 4 Mar 2016 18:46:41 +0200
-Subject: [PATCH 2/5] Reject psk parameter set with invalid passphrase character
-
-WPA/WPA2-Personal passphrase is not allowed to include control
-characters. Reject a passphrase configuration attempt if that passphrase
-includes an invalid passphrase.
-
-This fixes an issue where wpa_supplicant could have updated the
-configuration file psk parameter with arbitrary data from the control
-interface or D-Bus interface. While those interfaces are supposed to be
-accessible only for trusted users/applications, it may be possible that
-an untrusted user has access to a management software component that
-does not validate the passphrase value before passing it to
-wpa_supplicant.
-
-This could allow such an untrusted user to inject up to 63 characters of
-almost arbitrary data into the configuration file. Such configuration
-file could result in wpa_supplicant trying to load a library (e.g.,
-opensc_engine_path, pkcs11_engine_path, pkcs11_module_path,
-load_dynamic_eap) from user controlled location when starting again.
-This would allow code from that library to be executed under the
-wpa_supplicant process privileges.
-
-Signed-off-by: Jouni Malinen <[hidden email]>
-
-From 0fe5a234240a108b294a87174ad197f6b5cb38e9 Mon Sep 17 00:00:00 2001
-From: Paul Stewart <[hidden email]>
-Date: Thu, 3 Mar 2016 15:40:19 -0800
-Subject: [PATCH 3/5] Remove newlines from wpa_supplicant config network output
-
-Spurious newlines output while writing the config file can corrupt the
-wpa_supplicant configuration. Avoid writing these for the network block
-parameters. This is a generic filter that cover cases that may not have
-been explicitly addressed with a more specific commit to avoid control
-characters in the psk parameter.
-
-Signed-off-by: Paul Stewart <[hidden email]>
-
-From b166cd84a77a6717be9600bf95378a0055d6f5a5 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <[hidden email]>
-Date: Tue, 5 Apr 2016 23:33:10 +0300
-Subject: [PATCH 4/5] Reject SET_CRED commands with newline characters in the string values
-
-Most of the cred block parameters are written as strings without
-filtering and if there is an embedded newline character in the value,
-unexpected configuration file data might be written.
-
-This fixes an issue where wpa_supplicant could have updated the
-configuration file cred parameter with arbitrary data from the control
-interface or D-Bus interface. While those interfaces are supposed to be
-accessible only for trusted users/applications, it may be possible that
-an untrusted user has access to a management software component that
-does not validate the credential value before passing it to
-wpa_supplicant.
-
-This could allow such an untrusted user to inject almost arbitrary data
-into the configuration file. Such configuration file could result in
-wpa_supplicant trying to load a library (e.g., opensc_engine_path,
-pkcs11_engine_path, pkcs11_module_path, load_dynamic_eap) from user
-controlled location when starting again. This would allow code from that
-library to be executed under the wpa_supplicant process privileges.
-
-Signed-off-by: Jouni Malinen <[hidden email]>
-
-From 2a3f56502b52375c3bf113cf92adfa99bad6b488 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <[hidden email]>
-Date: Tue, 5 Apr 2016 23:55:48 +0300
-Subject: [PATCH 5/5] Reject SET commands with newline characters in the string values
-
-Many of the global configuration parameters are written as strings
-without filtering and if there is an embedded newline character in the
-value, unexpected configuration file data might be written.
-
-This fixes an issue where wpa_supplicant could have updated the
-configuration file global parameter with arbitrary data from the control
-interface or D-Bus interface. While those interfaces are supposed to be
-accessible only for trusted users/applications, it may be possible that
-an untrusted user has access to a management software component that
-does not validate the value of a parameter before passing it to
-wpa_supplicant.
-
-This could allow such an untrusted user to inject almost arbitrary data
-into the configuration file. Such configuration file could result in
-wpa_supplicant trying to load a library (e.g., opensc_engine_path,
-pkcs11_engine_path, pkcs11_module_path, load_dynamic_eap) from user
-controlled location when starting again. This would allow code from that
-library to be executed under the wpa_supplicant process privileges.
-
-Signed-off-by: Jouni Malinen <[hidden email]>
-
---- wpa_supplicant/config.c.orig Sun Sep 27 21:02:05 2015
-+++ wpa_supplicant/config.c Tue May 17 09:21:02 2016
-@@ -456,6 +456,12 @@ static int wpa_config_parse_psk(const struct parse_dat
- }
- wpa_hexdump_ascii_key(MSG_MSGDUMP, "PSK (ASCII passphrase)",
-      (u8 *) value, len);
-+ if (has_ctrl_char((u8 *) value, len)) {
-+ wpa_printf(MSG_ERROR,
-+   "Line %d: Invalid passphrase character",
-+   line);
-+ return -1;
-+ }
- if (ssid->passphrase && os_strlen(ssid->passphrase) == len &&
-    os_memcmp(ssid->passphrase, value, len) == 0)
- return 0;
-@@ -2604,8 +2610,19 @@ char * wpa_config_get(struct wpa_ssid *ssid, const cha
-
- for (i = 0; i < NUM_SSID_FIELDS; i++) {
- const struct parse_data *field = &ssid_fields[i];
-- if (os_strcmp(var, field->name) == 0)
-- return field->writer(field, ssid);
-+ if (os_strcmp(var, field->name) == 0) {
-+ char *ret = field->writer(field, ssid);
-+
-+ if (ret && has_newline(ret)) {
-+ wpa_printf(MSG_ERROR,
-+   "Found newline in value for %s; not returning it",
-+   var);
-+ os_free(ret);
-+ ret = NULL;
-+ }
-+
-+ return ret;
-+ }
- }
-
- return NULL;
-@@ -2790,6 +2807,8 @@ int wpa_config_set_cred(struct wpa_cred *cred, const c
-
- if (os_strcmp(var, "password") == 0 &&
-    os_strncmp(value, "ext:", 4) == 0) {
-+ if (has_newline(value))
-+ return -1;
- str_clear_free(cred->password);
- cred->password = os_strdup(value);
- cred->ext_password = 1;
-@@ -2840,9 +2859,14 @@ int wpa_config_set_cred(struct wpa_cred *cred, const c
- }
-
- val = wpa_config_parse_string(value, &len);
-- if (val == NULL) {
-+ if (val == NULL ||
-+    (os_strcmp(var, "excluded_ssid") != 0 &&
-+     os_strcmp(var, "roaming_consortium") != 0 &&
-+     os_strcmp(var, "required_roaming_consortium") != 0 &&
-+     has_newline(val))) {
- wpa_printf(MSG_ERROR, "Line %d: invalid field '%s' string "
-   "value '%s'.", line, var, value);
-+ os_free(val);
- return -1;
- }
-
-@@ -3643,6 +3667,12 @@ static int wpa_global_config_parse_str(const struct gl
- wpa_printf(MSG_ERROR, "Line %d: too long %s (len=%lu "
-   "max_len=%ld)", line, data->name,
-   (unsigned long) len, (long) data->param3);
-+ return -1;
-+ }
-+
-+ if (has_newline(pos)) {
-+ wpa_printf(MSG_ERROR, "Line %d: invalid %s value with newline",
-+   line, data->name);
- return -1;
- }
-
Index: patches/patch-wpa_supplicant_main_c
===================================================================
RCS file: /cvs/ports/security/wpa_supplicant/patches/patch-wpa_supplicant_main_c,v
retrieving revision 1.2
diff -u -p -r1.2 patch-wpa_supplicant_main_c
--- patches/patch-wpa_supplicant_main_c 29 Sep 2015 11:57:54 -0000 1.2
+++ patches/patch-wpa_supplicant_main_c 5 Oct 2016 12:17:46 -0000
@@ -2,19 +2,19 @@ $OpenBSD: patch-wpa_supplicant_main_c,v
 
 Remove Linuxisms from usage()
 
---- wpa_supplicant/main.c.orig Sun Sep 27 21:02:05 2015
-+++ wpa_supplicant/main.c Mon Sep 28 09:35:05 2015
-@@ -68,7 +68,7 @@ static void usage(void)
-       "  -i = interface name\n"
-       "  -I = additional configuration file\n"
+--- wpa_supplicant/main.c.orig Mon Oct  3 11:10:23 2016
++++ wpa_supplicant/main.c Mon Oct  3 11:11:42 2016
+@@ -66,7 +66,7 @@ static void usage(void)
+       "  -c = Configuration file\n"
+       "  -C = ctrl_interface parameter (only used if -c is not)\n"
        "  -d = increase debugging verbosity (-dd even more)\n"
 -       "  -D = driver name (can be multiple drivers: nl80211,wext)\n"
 +       "  -D = driver name\n"
-       "  -e = entropy file\n");
+       "  -e = entropy file\n"
  #ifdef CONFIG_DEBUG_FILE
- printf("  -f = log output to debug file instead of stdout\n");
-@@ -102,8 +102,7 @@ static void usage(void)
-       "  -N = start describing new interface\n");
+       "  -f = log output to debug file instead of stdout\n"
+@@ -105,8 +105,7 @@ static void usage(void)
+       "  -W = wait for a control interface monitor before starting\n");
 
  printf("example:\n"
 -       "  wpa_supplicant -D%s -iwlan0 -c/etc/wpa_supplicant.conf\n",

tls_openssl.c (111K) Download Attachment
Re: Question for LibreSSL hackers (was: Update: wpa_supplicant 2.6)

Stuart Henderson
On 2016/10/05 14:20, David Coppa wrote:

>
> On Mon, Oct 3, 2016 at 1:22 PM, Edd Barrett <[hidden email]> wrote:
>
> > Testing against eduroam:
> >
> > ---8<---
> > $ doas wpa_supplicant -i iwn0 -c /etc/wpa_supplicant.conf
> > Successfully initialized wpa_supplicant
> > SSL: Failed to initialize TLS context.
> > Failed to initialize EAPOL state machines.
> > --->8---
> >
>
> On Tue, 04 Oct 2016, Laurence Tratt wrote:
>
> > On Tue, Oct 04, 2016 at 02:09:30PM +0200, David Coppa wrote:
> >
> > Hello David,
> >
> > I'll give this a try on Thursday (which is the next time I'm around such a
> > network) and let you know.
> >
> >
> > Laurie
>
> Hi again,
>
> I finally got access to a proper 802.1x LAN and I was able to
> reproduce and fix this issue.
>
> New diff below.
>
> But now I have a question for the LibreSSL hackers...
>
> I suspect all the
>
> #if OPENSSL_VERSION_NUMBER < 0x10100000L
>
> conditionals should be:
>
> #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
>
> Is this true?

It is true for some but not necessarily for others. Some of these conditionals concern APIs that we may or may not have added (and that may change later). Others are for bug workarounds.

> Changing two of these #if statements fixed the problem reported by
> Edd and Laurie, but I could find them quite easily by diffing between
> wpa_supplicant-2.5 and wpa_supplicant-2.6.
>
> Can you have a look at the attached tls_openssl.c file and tell me
> if my analysis is correct and which
> "#if OPENSSL_VERSION_NUMBER < 0x10100000L"
> conditional should be changed?
>
> I'm particularly interested in this one (line 3979 of 4333):
>
> ---8<---
> #if defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || defined(EAP_SERVER_FAST)
> #if OPENSSL_VERSION_NUMBER < 0x10100000L
> if (params->flags & TLS_CONN_EAP_FAST) {
> wpa_printf(MSG_DEBUG,
> "OpenSSL: Use TLSv1_method() for EAP-FAST");
> if (SSL_set_ssl_method(conn->ssl, TLSv1_method()) != 1) {
> tls_show_errors(MSG_INFO, __func__,
> "Failed to set TLSv1_method() for EAP-FAST");
> return -1;
> }
> }
> #endif
> #endif /* EAP_FAST || EAP_FAST_DYNAMIC || EAP_SERVER_FAST */
> ---8<---
>
> Because it was the same even in wpa_supplicant-2.5, and I cannot
> fully understand this chunk of code.

This is a workaround for an OpenSSL bug affecting EAP-FAST.

https://mta.openssl.org/pipermail/openssl-dev/2015-July/002191.html

Re: Question for LibreSSL hackers (was: Update: wpa_supplicant 2.6)

David Coppa
On Wed, Oct 5, 2016 at 3:13 PM, Stuart Henderson <[hidden email]> wrote:

> This is a workaround for an OpenSSL bug affecting EAP-FAST.
>
> https://mta.openssl.org/pipermail/openssl-dev/2015-July/002191.html

So it's not needed, I suppose.

Thanks!
David

Re: Question for LibreSSL hackers (was: Update: wpa_supplicant 2.6)

Stuart Henderson
On 2016/10/05 15:30, David Coppa wrote:

> On Wed, Oct 5, 2016 at 3:13 PM, Stuart Henderson <[hidden email]> wrote:
>
> > This is a workaround for an OpenSSL bug affecting EAP-FAST.
> >
> > https://mta.openssl.org/pipermail/openssl-dev/2015-July/002191.html
>
> So it's not needed, I suppose.
>
> Thanks!
> David
>

I think it probably is needed - the fork pre-dates that fix, and while
some of ssl23_client_hello() was rewritten it does still wait until the
serverhello before creating the session.

Re: Question for LibreSSL hackers (was: Update: wpa_supplicant 2.6)

David Coppa
On Wed, 05 Oct 2016, Stuart Henderson wrote:

> On 2016/10/05 15:30, David Coppa wrote:
> > On Wed, Oct 5, 2016 at 3:13 PM, Stuart Henderson <[hidden email]> wrote:
> >
> > > This is a workaround for an OpenSSL bug affecting EAP-FAST.
> > >
> > > https://mta.openssl.org/pipermail/openssl-dev/2015-July/002191.html
> >
> > So it's not needed, I suppose.
> >
> > Thanks!
> > David
> >
>
> I think it probably is needed - the fork pre-dates that fix, and while
> some of ssl23_client_hello() was rewritten it does still wait until the
> serverhello before creating the session.

Here's the updated diff, then.

Index: Makefile
===================================================================
RCS file: /cvs/ports/security/wpa_supplicant/Makefile,v
retrieving revision 1.33
diff -u -p -r1.33 Makefile
--- Makefile 17 May 2016 08:29:27 -0000 1.33
+++ Makefile 5 Oct 2016 14:22:05 -0000
@@ -2,9 +2,8 @@
 
 COMMENT= IEEE 802.1X supplicant
 
-DISTNAME= wpa_supplicant-2.5
+DISTNAME= wpa_supplicant-2.6
 CATEGORIES= security net
-REVISION= 1
 
 HOMEPAGE= http://w1.fi/wpa_supplicant/
 
Index: distinfo
===================================================================
RCS file: /cvs/ports/security/wpa_supplicant/distinfo,v
retrieving revision 1.8
diff -u -p -r1.8 distinfo
--- distinfo 29 Sep 2015 11:57:54 -0000 1.8
+++ distinfo 5 Oct 2016 14:22:05 -0000
@@ -1,2 +1,2 @@
-SHA256 (wpa_supplicant-2.5.tar.gz) = zOVbrkg7Nk6uVcNbpWfCeb5ELti6tbgKPH+w0Fe5sxY=
-SIZE (wpa_supplicant-2.5.tar.gz) = 2607336
+SHA256 (wpa_supplicant-2.6.tar.gz) = tJNtNMTmzdRJVL66dCltlkvCyWaOyqUlXkmWNv4rFFA=
+SIZE (wpa_supplicant-2.6.tar.gz) = 2753524
Index: patches/patch-src_crypto_crypto_openssl_c
===================================================================
RCS file: patches/patch-src_crypto_crypto_openssl_c
diff -N patches/patch-src_crypto_crypto_openssl_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_crypto_crypto_openssl_c 5 Oct 2016 14:22:05 -0000
@@ -0,0 +1,24 @@
+$OpenBSD$
+
+Compatibility fixes for LibreSSL
+
+--- src/crypto/crypto_openssl.c.orig Mon Oct  3 11:17:18 2016
++++ src/crypto/crypto_openssl.c Mon Oct  3 11:19:25 2016
+@@ -611,7 +611,7 @@ void crypto_cipher_deinit(struct crypto_cipher *ctx)
+
+ void * dh5_init(struct wpabuf **priv, struct wpabuf **publ)
+ {
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ DH *dh;
+ struct wpabuf *pubkey = NULL, *privkey = NULL;
+ size_t publen, privlen;
+@@ -712,7 +712,7 @@ err:
+
+ void * dh5_init_fixed(const struct wpabuf *priv, const struct wpabuf *publ)
+ {
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ DH *dh;
+
+ dh = DH_new();
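Review bot: The two added conditionals `#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)` in dh5_init and dh5_init_fixed select the pre-1.1 code path for every LibreSSL version with no upper bound, so if LibreSSL later gains the OpenSSL 1.1 opaque-DH accessors the port will silently keep using the legacy path, and the header line `Compatibility fixes for LibreSSL` does not say why the legacy path is needed. Consider expanding that header, e.g. `LibreSSL reports OPENSSL_VERSION_NUMBER as 0x20000000L but (presumably) lacks the OpenSSL 1.1 opaque DH accessor API, so keep the pre-1.1 code path; add a LIBRESSL_VERSION_NUMBER bound once LibreSSL provides them`. Both dh5_init and dh5_init_fixed continue past the end of their inner hunks.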
Index: patches/patch-src_crypto_tls_openssl_c
===================================================================
RCS file: /cvs/ports/security/wpa_supplicant/patches/patch-src_crypto_tls_openssl_c,v
retrieving revision 1.3
diff -u -p -r1.3 patch-src_crypto_tls_openssl_c
--- patches/patch-src_crypto_tls_openssl_c 29 Sep 2015 11:57:54 -0000 1.3
+++ patches/patch-src_crypto_tls_openssl_c 5 Oct 2016 14:22:05 -0000
@@ -4,66 +4,30 @@ Compatibility fixes for LibreSSL
 
 --- src/crypto/tls_openssl.c.orig Sun Sep 27 21:02:05 2015
 +++ src/crypto/tls_openssl.c Mon Sep 28 13:43:46 2015
-@@ -2229,7 +2229,7 @@ static int tls_parse_pkcs12(struct tls_data *data, SSL
- }
-
- if (certs) {
--#if OPENSSL_VERSION_NUMBER >= 0x10002000L
-+#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
- SSL_clear_chain_certs(ssl);
- while ((cert = sk_X509_pop(certs)) != NULL) {
- X509_NAME_oneline(X509_get_subject_name(cert), buf,
-@@ -2247,7 +2247,7 @@ static int tls_parse_pkcs12(struct tls_data *data, SSL
- /* Try to continue anyway */
+@@ -919,7 +919,7 @@ void * tls_init(const struct tls_config *conf)
  }
- sk_X509_free(certs);
--#ifndef OPENSSL_IS_BORINGSSL
-+#if !defined(OPENSSL_IS_BORINGSSL) && !defined(LIBRESSL_VERSION_NUMBER)
- res = SSL_build_cert_chain(ssl,
-   SSL_BUILD_CHAIN_FLAG_CHECK |
-   SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR);
-@@ -2812,7 +2812,7 @@ int tls_connection_get_random(void *ssl_ctx, struct tl
- if (conn == NULL || keys == NULL)
- return -1;
- ssl = conn->ssl;
+ #endif /* OPENSSL_FIPS */
+ #endif /* CONFIG_FIPS */
 -#if OPENSSL_VERSION_NUMBER < 0x10100000L
 +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- if (ssl == NULL || ssl->s3 == NULL || ssl->session == NULL)
- return -1;
+ SSL_load_error_strings();
+ SSL_library_init();
+ #ifndef OPENSSL_NO_SHA256
+@@ -1043,7 +1043,7 @@ void tls_deinit(void *ssl_ctx)
 
-@@ -2841,7 +2841,7 @@ int tls_connection_get_random(void *ssl_ctx, struct tl
- #ifndef CONFIG_FIPS
- static int openssl_get_keyblock_size(SSL *ssl)
- {
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- const EVP_CIPHER *c;
- const EVP_MD *h;
- int md_size;
-@@ -2911,7 +2911,7 @@ static int openssl_tls_prf(struct tls_connection *conn
-   "mode");
- return -1;
- #else /* CONFIG_FIPS */
+ tls_openssl_ref_count--;
+ if (tls_openssl_ref_count == 0) {
 -#if OPENSSL_VERSION_NUMBER < 0x10100000L
 +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- SSL *ssl;
- u8 *rnd;
- int ret = -1;
-@@ -3394,7 +3394,7 @@ int tls_connection_set_cipher_list(void *tls_ctx, stru
+ #ifndef OPENSSL_NO_ENGINE
+ ENGINE_cleanup();
+ #endif /* OPENSSL_NO_ENGINE */
+@@ -3976,7 +3976,7 @@ int tls_connection_set_params(void *tls_ctx, struct tl
+ engine_id = "pkcs11";
 
- wpa_printf(MSG_DEBUG, "OpenSSL: cipher suites: %s", buf + 1);
-
--#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
  #if defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || defined(EAP_SERVER_FAST)
- if (os_strstr(buf, ":ADH-")) {
- /*
-@@ -3977,7 +3977,7 @@ static int tls_sess_sec_cb(SSL *s, void *secret, int *
- struct tls_connection *conn = arg;
- int ret;
-
 -#if OPENSSL_VERSION_NUMBER < 0x10100000L
 +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- if (conn == NULL || conn->session_ticket_cb == NULL)
- return 0;
-
+ if (params->flags & TLS_CONN_EAP_FAST) {
+ wpa_printf(MSG_DEBUG,
+   "OpenSSL: Use TLSv1_method() for EAP-FAST");
Index: patches/patch-src_utils_common_c
===================================================================
RCS file: patches/patch-src_utils_common_c
diff -N patches/patch-src_utils_common_c
--- patches/patch-src_utils_common_c 17 May 2016 08:29:27 -0000 1.5
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,65 +0,0 @@
-$OpenBSD: patch-src_utils_common_c,v 1.5 2016/05/17 08:29:27 dcoppa Exp $
-
-From ecbb0b3dc122b0d290987cf9c84010bbe53e1022 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <[hidden email]>
-Date: Fri, 4 Mar 2016 17:20:18 +0200
-Subject: [PATCH 1/5] WPS: Reject a Credential with invalid passphrase
-
-WPA/WPA2-Personal passphrase is not allowed to include control
-characters. Reject a Credential received from a WPS Registrar both as
-STA (Credential) and AP (AP Settings) if the credential is for WPAPSK or
-WPA2PSK authentication type and includes an invalid passphrase.
-
-This fixes an issue where hostapd or wpa_supplicant could have updated
-the configuration file PSK/passphrase parameter with arbitrary data from
-an external device (Registrar) that may not be fully trusted. Should
-such data include a newline character, the resulting configuration file
-could become invalid and fail to be parsed.
-
-Signed-off-by: Jouni Malinen <[hidden email]>
-
-From 0fe5a234240a108b294a87174ad197f6b5cb38e9 Mon Sep 17 00:00:00 2001
-From: Paul Stewart <[hidden email]>
-Date: Thu, 3 Mar 2016 15:40:19 -0800
-Subject: [PATCH 3/5] Remove newlines from wpa_supplicant config network output
-
-Spurious newlines output while writing the config file can corrupt the
-wpa_supplicant configuration. Avoid writing these for the network block
-parameters. This is a generic filter that cover cases that may not have
-been explicitly addressed with a more specific commit to avoid control
-characters in the psk parameter.
-
-Signed-off-by: Paul Stewart <[hidden email]>
-
---- src/utils/common.c.orig Sun Sep 27 21:02:05 2015
-+++ src/utils/common.c Tue May 17 09:21:02 2016
-@@ -697,6 +697,29 @@ int is_hex(const u8 *data, size_t len)
- }
-
-
-+int has_ctrl_char(const u8 *data, size_t len)
-+{
-+ size_t i;
-+
-+ for (i = 0; i < len; i++) {
-+ if (data[i] < 32 || data[i] == 127)
-+ return 1;
-+ }
-+ return 0;
-+}
-+
-+
-+int has_newline(const char *str)
-+{
-+ while (*str) {
-+ if (*str == '\n' || *str == '\r')
-+ return 1;
-+ str++;
-+ }
-+ return 0;
-+}
-+
-+
- size_t merge_byte_arrays(u8 *res, size_t res_len,
- const u8 *src1, size_t src1_len,
- const u8 *src2, size_t src2_len)
Index: patches/patch-src_utils_common_h
===================================================================
RCS file: patches/patch-src_utils_common_h
diff -N patches/patch-src_utils_common_h
--- patches/patch-src_utils_common_h 17 May 2016 08:29:27 -0000 1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,44 +0,0 @@
-$OpenBSD: patch-src_utils_common_h,v 1.1 2016/05/17 08:29:27 dcoppa Exp $
-
-From ecbb0b3dc122b0d290987cf9c84010bbe53e1022 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <[hidden email]>
-Date: Fri, 4 Mar 2016 17:20:18 +0200
-Subject: [PATCH 1/5] WPS: Reject a Credential with invalid passphrase
-
-WPA/WPA2-Personal passphrase is not allowed to include control
-characters. Reject a Credential received from a WPS Registrar both as
-STA (Credential) and AP (AP Settings) if the credential is for WPAPSK or
-WPA2PSK authentication type and includes an invalid passphrase.
-
-This fixes an issue where hostapd or wpa_supplicant could have updated
-the configuration file PSK/passphrase parameter with arbitrary data from
-an external device (Registrar) that may not be fully trusted. Should
-such data include a newline character, the resulting configuration file
-could become invalid and fail to be parsed.
-
-Signed-off-by: Jouni Malinen <[hidden email]>
-
-From 0fe5a234240a108b294a87174ad197f6b5cb38e9 Mon Sep 17 00:00:00 2001
-From: Paul Stewart <[hidden email]>
-Date: Thu, 3 Mar 2016 15:40:19 -0800
-Subject: [PATCH 3/5] Remove newlines from wpa_supplicant config network output
-
-Spurious newlines output while writing the config file can corrupt the
-wpa_supplicant configuration. Avoid writing these for the network block
-parameters. This is a generic filter that cover cases that may not have
-been explicitly addressed with a more specific commit to avoid control
-characters in the psk parameter.
-
-Signed-off-by: Paul Stewart <[hidden email]>
-
---- src/utils/common.h.orig Sun Sep 27 21:02:05 2015
-+++ src/utils/common.h Tue May 17 09:21:02 2016
-@@ -477,6 +477,8 @@ const char * wpa_ssid_txt(const u8 *ssid, size_t ssid_
-
- char * wpa_config_parse_string(const char *value, size_t *len);
- int is_hex(const u8 *data, size_t len);
-+int has_ctrl_char(const u8 *data, size_t len);
-+int has_newline(const char *str);
- size_t merge_byte_arrays(u8 *res, size_t res_len,
- const u8 *src1, size_t src1_len,
- const u8 *src2, size_t src2_len);
Index: patches/patch-src_utils_eloop_c
===================================================================
RCS file: /cvs/ports/security/wpa_supplicant/patches/patch-src_utils_eloop_c,v
retrieving revision 1.6
diff -u -p -r1.6 patch-src_utils_eloop_c
--- patches/patch-src_utils_eloop_c 17 May 2016 08:29:27 -0000 1.6
+++ patches/patch-src_utils_eloop_c 5 Oct 2016 14:22:05 -0000
@@ -3,9 +3,9 @@ $OpenBSD: patch-src_utils_eloop_c,v 1.6
 Don't try to access list members to free them unless already
 initialised
 
---- src/utils/eloop.c.orig Sun Sep 27 21:02:05 2015
-+++ src/utils/eloop.c Mon Sep 28 09:35:05 2015
-@@ -1064,6 +1064,9 @@ void eloop_destroy(void)
+--- src/utils/eloop.c.orig Sun Oct  2 20:51:11 2016
++++ src/utils/eloop.c Mon Oct  3 11:06:38 2016
+@@ -1249,6 +1249,9 @@ void eloop_destroy(void)
  struct eloop_timeout *timeout, *prev;
  struct os_reltime now;
 
Index: patches/patch-src_wps_wps_attr_process_c
===================================================================
RCS file: patches/patch-src_wps_wps_attr_process_c
diff -N patches/patch-src_wps_wps_attr_process_c
--- patches/patch-src_wps_wps_attr_process_c 17 May 2016 08:29:27 -0000 1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,39 +0,0 @@
-$OpenBSD: patch-src_wps_wps_attr_process_c,v 1.1 2016/05/17 08:29:27 dcoppa Exp $
-
-From ecbb0b3dc122b0d290987cf9c84010bbe53e1022 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <[hidden email]>
-Date: Fri, 4 Mar 2016 17:20:18 +0200
-Subject: [PATCH 1/5] WPS: Reject a Credential with invalid passphrase
-
-WPA/WPA2-Personal passphrase is not allowed to include control
-characters. Reject a Credential received from a WPS Registrar both as
-STA (Credential) and AP (AP Settings) if the credential is for WPAPSK or
-WPA2PSK authentication type and includes an invalid passphrase.
-
-This fixes an issue where hostapd or wpa_supplicant could have updated
-the configuration file PSK/passphrase parameter with arbitrary data from
-an external device (Registrar) that may not be fully trusted. Should
-such data include a newline character, the resulting configuration file
-could become invalid and fail to be parsed.
-
-Signed-off-by: Jouni Malinen <[hidden email]>
-
---- src/wps/wps_attr_process.c.orig Sun Sep 27 21:02:05 2015
-+++ src/wps/wps_attr_process.c Tue May 17 09:21:02 2016
-@@ -229,6 +229,16 @@ static int wps_workaround_cred_key(struct wps_credenti
- cred->key_len--;
- #endif /* CONFIG_WPS_STRICT */
- }
-+
-+
-+ if (cred->auth_type & (WPS_AUTH_WPAPSK | WPS_AUTH_WPA2PSK) &&
-+    (cred->key_len < 8 || has_ctrl_char(cred->key, cred->key_len))) {
-+ wpa_printf(MSG_INFO, "WPS: Reject credential with invalid WPA/WPA2-Personal passphrase");
-+ wpa_hexdump_ascii_key(MSG_INFO, "WPS: Network Key",
-+      cred->key, cred->key_len);
-+ return -1;
-+ }
-+
- return 0;
- }
-
Index: patches/patch-wpa_supplicant_Makefile
===================================================================
RCS file: /cvs/ports/security/wpa_supplicant/patches/patch-wpa_supplicant_Makefile,v
retrieving revision 1.8
diff -u -p -r1.8 patch-wpa_supplicant_Makefile
--- patches/patch-wpa_supplicant_Makefile 29 Sep 2015 11:57:54 -0000 1.8
+++ patches/patch-wpa_supplicant_Makefile 5 Oct 2016 14:22:05 -0000
@@ -1,7 +1,7 @@
 $OpenBSD: patch-wpa_supplicant_Makefile,v 1.8 2015/09/29 11:57:54 dcoppa Exp $
---- wpa_supplicant/Makefile.orig Mon Sep 28 09:36:07 2015
-+++ wpa_supplicant/Makefile Mon Sep 28 09:36:36 2015
-@@ -131,16 +131,6 @@ endif
+--- wpa_supplicant/Makefile.orig Sun Oct  2 20:51:11 2016
++++ wpa_supplicant/Makefile Mon Oct  3 11:06:38 2016
+@@ -153,16 +153,6 @@ endif
  OBJS += ../src/utils/$(CONFIG_ELOOP).o
  OBJS_c += ../src/utils/$(CONFIG_ELOOP).o
 
Index: patches/patch-wpa_supplicant_config_c
===================================================================
RCS file: patches/patch-wpa_supplicant_config_c
diff -N patches/patch-wpa_supplicant_config_c
--- patches/patch-wpa_supplicant_config_c 17 May 2016 08:29:27 -0000 1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,169 +0,0 @@
-$OpenBSD: patch-wpa_supplicant_config_c,v 1.1 2016/05/17 08:29:27 dcoppa Exp $
-
-From 73e4abb24a936014727924d8b0b2965edfc117dd Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <[hidden email]>
-Date: Fri, 4 Mar 2016 18:46:41 +0200
-Subject: [PATCH 2/5] Reject psk parameter set with invalid passphrase character
-
-WPA/WPA2-Personal passphrase is not allowed to include control
-characters. Reject a passphrase configuration attempt if that passphrase
-includes an invalid passphrase.
-
-This fixes an issue where wpa_supplicant could have updated the
-configuration file psk parameter with arbitrary data from the control
-interface or D-Bus interface. While those interfaces are supposed to be
-accessible only for trusted users/applications, it may be possible that
-an untrusted user has access to a management software component that
-does not validate the passphrase value before passing it to
-wpa_supplicant.
-
-This could allow such an untrusted user to inject up to 63 characters of
-almost arbitrary data into the configuration file. Such configuration
-file could result in wpa_supplicant trying to load a library (e.g.,
-opensc_engine_path, pkcs11_engine_path, pkcs11_module_path,
-load_dynamic_eap) from user controlled location when starting again.
-This would allow code from that library to be executed under the
-wpa_supplicant process privileges.
-
-Signed-off-by: Jouni Malinen <[hidden email]>
-
-From 0fe5a234240a108b294a87174ad197f6b5cb38e9 Mon Sep 17 00:00:00 2001
-From: Paul Stewart <[hidden email]>
-Date: Thu, 3 Mar 2016 15:40:19 -0800
-Subject: [PATCH 3/5] Remove newlines from wpa_supplicant config network output
-
-Spurious newlines output while writing the config file can corrupt the
-wpa_supplicant configuration. Avoid writing these for the network block
-parameters. This is a generic filter that cover cases that may not have
-been explicitly addressed with a more specific commit to avoid control
-characters in the psk parameter.
-
-Signed-off-by: Paul Stewart <[hidden email]>
-
-From b166cd84a77a6717be9600bf95378a0055d6f5a5 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <[hidden email]>
-Date: Tue, 5 Apr 2016 23:33:10 +0300
-Subject: [PATCH 4/5] Reject SET_CRED commands with newline characters in the string values
-
-Most of the cred block parameters are written as strings without
-filtering and if there is an embedded newline character in the value,
-unexpected configuration file data might be written.
-
-This fixes an issue where wpa_supplicant could have updated the
-configuration file cred parameter with arbitrary data from the control
-interface or D-Bus interface. While those interfaces are supposed to be
-accessible only for trusted users/applications, it may be possible that
-an untrusted user has access to a management software component that
-does not validate the credential value before passing it to
-wpa_supplicant.
-
-This could allow such an untrusted user to inject almost arbitrary data
-into the configuration file. Such configuration file could result in
-wpa_supplicant trying to load a library (e.g., opensc_engine_path,
-pkcs11_engine_path, pkcs11_module_path, load_dynamic_eap) from user
-controlled location when starting again. This would allow code from that
-library to be executed under the wpa_supplicant process privileges.
-
-Signed-off-by: Jouni Malinen <[hidden email]>
-
-From 2a3f56502b52375c3bf113cf92adfa99bad6b488 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <[hidden email]>
-Date: Tue, 5 Apr 2016 23:55:48 +0300
-Subject: [PATCH 5/5] Reject SET commands with newline characters in the string values
-
-Many of the global configuration parameters are written as strings
-without filtering and if there is an embedded newline character in the
-value, unexpected configuration file data might be written.
-
-This fixes an issue where wpa_supplicant could have updated the
-configuration file global parameter with arbitrary data from the control
-interface or D-Bus interface. While those interfaces are supposed to be
-accessible only for trusted users/applications, it may be possible that
-an untrusted user has access to a management software component that
-does not validate the value of a parameter before passing it to
-wpa_supplicant.
-
-This could allow such an untrusted user to inject almost arbitrary data
-into the configuration file. Such configuration file could result in
-wpa_supplicant trying to load a library (e.g., opensc_engine_path,
-pkcs11_engine_path, pkcs11_module_path, load_dynamic_eap) from user
-controlled location when starting again. This would allow code from that
-library to be executed under the wpa_supplicant process privileges.
-
-Signed-off-by: Jouni Malinen <[hidden email]>
-
---- wpa_supplicant/config.c.orig Sun Sep 27 21:02:05 2015
-+++ wpa_supplicant/config.c Tue May 17 09:21:02 2016
-@@ -456,6 +456,12 @@ static int wpa_config_parse_psk(const struct parse_dat
- }
- wpa_hexdump_ascii_key(MSG_MSGDUMP, "PSK (ASCII passphrase)",
-      (u8 *) value, len);
-+ if (has_ctrl_char((u8 *) value, len)) {
-+ wpa_printf(MSG_ERROR,
-+   "Line %d: Invalid passphrase character",
-+   line);
-+ return -1;
-+ }
- if (ssid->passphrase && os_strlen(ssid->passphrase) == len &&
-    os_memcmp(ssid->passphrase, value, len) == 0)
- return 0;
-@@ -2604,8 +2610,19 @@ char * wpa_config_get(struct wpa_ssid *ssid, const cha
-
- for (i = 0; i < NUM_SSID_FIELDS; i++) {
- const struct parse_data *field = &ssid_fields[i];
-- if (os_strcmp(var, field->name) == 0)
-- return field->writer(field, ssid);
-+ if (os_strcmp(var, field->name) == 0) {
-+ char *ret = field->writer(field, ssid);
-+
-+ if (ret && has_newline(ret)) {
-+ wpa_printf(MSG_ERROR,
-+   "Found newline in value for %s; not returning it",
-+   var);
-+ os_free(ret);
-+ ret = NULL;
-+ }
-+
-+ return ret;
-+ }
- }
-
- return NULL;
-@@ -2790,6 +2807,8 @@ int wpa_config_set_cred(struct wpa_cred *cred, const c
-
- if (os_strcmp(var, "password") == 0 &&
-    os_strncmp(value, "ext:", 4) == 0) {
-+ if (has_newline(value))
-+ return -1;
- str_clear_free(cred->password);
- cred->password = os_strdup(value);
- cred->ext_password = 1;
-@@ -2840,9 +2859,14 @@ int wpa_config_set_cred(struct wpa_cred *cred, const c
- }
-
- val = wpa_config_parse_string(value, &len);
-- if (val == NULL) {
-+ if (val == NULL ||
-+    (os_strcmp(var, "excluded_ssid") != 0 &&
-+     os_strcmp(var, "roaming_consortium") != 0 &&
-+     os_strcmp(var, "required_roaming_consortium") != 0 &&
-+     has_newline(val))) {
- wpa_printf(MSG_ERROR, "Line %d: invalid field '%s' string "
-   "value '%s'.", line, var, value);
-+ os_free(val);
- return -1;
- }
-
-@@ -3643,6 +3667,12 @@ static int wpa_global_config_parse_str(const struct gl
- wpa_printf(MSG_ERROR, "Line %d: too long %s (len=%lu "
-   "max_len=%ld)", line, data->name,
-   (unsigned long) len, (long) data->param3);
-+ return -1;
-+ }
-+
-+ if (has_newline(pos)) {
-+ wpa_printf(MSG_ERROR, "Line %d: invalid %s value with newline",
-+   line, data->name);
- return -1;
- }
-
Index: patches/patch-wpa_supplicant_main_c
===================================================================
RCS file: /cvs/ports/security/wpa_supplicant/patches/patch-wpa_supplicant_main_c,v
retrieving revision 1.2
diff -u -p -r1.2 patch-wpa_supplicant_main_c
--- patches/patch-wpa_supplicant_main_c 29 Sep 2015 11:57:54 -0000 1.2
+++ patches/patch-wpa_supplicant_main_c 5 Oct 2016 14:22:05 -0000
@@ -2,19 +2,19 @@ $OpenBSD: patch-wpa_supplicant_main_c,v
 
 Remove Linuxisms from usage()
 
---- wpa_supplicant/main.c.orig Sun Sep 27 21:02:05 2015
-+++ wpa_supplicant/main.c Mon Sep 28 09:35:05 2015
-@@ -68,7 +68,7 @@ static void usage(void)
-       "  -i = interface name\n"
-       "  -I = additional configuration file\n"
+--- wpa_supplicant/main.c.orig Mon Oct  3 11:10:23 2016
++++ wpa_supplicant/main.c Mon Oct  3 11:11:42 2016
+@@ -66,7 +66,7 @@ static void usage(void)
+       "  -c = Configuration file\n"
+       "  -C = ctrl_interface parameter (only used if -c is not)\n"
        "  -d = increase debugging verbosity (-dd even more)\n"
 -       "  -D = driver name (can be multiple drivers: nl80211,wext)\n"
 +       "  -D = driver name\n"
-       "  -e = entropy file\n");
+       "  -e = entropy file\n"
  #ifdef CONFIG_DEBUG_FILE
- printf("  -f = log output to debug file instead of stdout\n");
-@@ -102,8 +102,7 @@ static void usage(void)
-       "  -N = start describing new interface\n");
+       "  -f = log output to debug file instead of stdout\n"
+@@ -105,8 +105,7 @@ static void usage(void)
+       "  -W = wait for a control interface monitor before starting\n");
 
  printf("example:\n"
 -       "  wpa_supplicant -D%s -iwlan0 -c/etc/wpa_supplicant.conf\n",


Re: Update: wpa_supplicant 2.6

David Coppa
On Tue, 04 Oct 2016, Laurence Tratt wrote:

> On Tue, Oct 04, 2016 at 02:09:30PM +0200, David Coppa wrote:
>
> Hello David,
>
> I'll give this a try on Thursday (which is the next time I'm around such a
> network) and let you know.
>
>
> Laurie

Please try the following diff:

Index: Makefile
===================================================================
RCS file: /cvs/ports/security/wpa_supplicant/Makefile,v
retrieving revision 1.33
diff -u -p -r1.33 Makefile
--- Makefile 17 May 2016 08:29:27 -0000 1.33
+++ Makefile 5 Oct 2016 14:22:05 -0000
@@ -2,9 +2,8 @@
 
 COMMENT= IEEE 802.1X supplicant
 
-DISTNAME= wpa_supplicant-2.5
+DISTNAME= wpa_supplicant-2.6
 CATEGORIES= security net
-REVISION= 1
 
 HOMEPAGE= http://w1.fi/wpa_supplicant/
 
Index: distinfo
===================================================================
RCS file: /cvs/ports/security/wpa_supplicant/distinfo,v
retrieving revision 1.8
diff -u -p -r1.8 distinfo
--- distinfo 29 Sep 2015 11:57:54 -0000 1.8
+++ distinfo 5 Oct 2016 14:22:05 -0000
@@ -1,2 +1,2 @@
-SHA256 (wpa_supplicant-2.5.tar.gz) = zOVbrkg7Nk6uVcNbpWfCeb5ELti6tbgKPH+w0Fe5sxY=
-SIZE (wpa_supplicant-2.5.tar.gz) = 2607336
+SHA256 (wpa_supplicant-2.6.tar.gz) = tJNtNMTmzdRJVL66dCltlkvCyWaOyqUlXkmWNv4rFFA=
+SIZE (wpa_supplicant-2.6.tar.gz) = 2753524
Index: patches/patch-src_crypto_crypto_openssl_c
===================================================================
RCS file: patches/patch-src_crypto_crypto_openssl_c
diff -N patches/patch-src_crypto_crypto_openssl_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_crypto_crypto_openssl_c 5 Oct 2016 14:22:05 -0000
@@ -0,0 +1,24 @@
+$OpenBSD$
+
+Compatibility fixes for LibreSSL
+
+--- src/crypto/crypto_openssl.c.orig Mon Oct  3 11:17:18 2016
++++ src/crypto/crypto_openssl.c Mon Oct  3 11:19:25 2016
+@@ -611,7 +611,7 @@ void crypto_cipher_deinit(struct crypto_cipher *ctx)
+
+ void * dh5_init(struct wpabuf **priv, struct wpabuf **publ)
+ {
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ DH *dh;
+ struct wpabuf *pubkey = NULL, *privkey = NULL;
+ size_t publen, privlen;
+@@ -712,7 +712,7 @@ err:
+
+ void * dh5_init_fixed(const struct wpabuf *priv, const struct wpabuf *publ)
+ {
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ DH *dh;
+
+ dh = DH_new();
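Review bot: The new patch file's description, `Compatibility fixes for LibreSSL`, does not say why LibreSSL has to take the legacy branch of dh5_init and dh5_init_fixed, so a later updater has no way to tell when the patch can be dropped. LibreSSL reports OPENSSL_VERSION_NUMBER as 0x20000000L, which fails the `< 0x10100000L` test while (presumably, the `#else` side is outside the hunk) not providing the OpenSSL 1.1 opaque DH API that branch relies on; recording that in the header, e.g. `LibreSSL advertises OPENSSL_VERSION_NUMBER 0x20000000L but lacks the OpenSSL 1.1 opaque DH accessors; keep the legacy branch until LibreSSL provides DH_set0_key()/DH_get0_key().`, would make the condition for removal explicit. Both functions' bodies continue past the hunk, so the `#else` branches cannot be checked here.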
Index: patches/patch-src_crypto_tls_openssl_c
===================================================================
RCS file: /cvs/ports/security/wpa_supplicant/patches/patch-src_crypto_tls_openssl_c,v
retrieving revision 1.3
diff -u -p -r1.3 patch-src_crypto_tls_openssl_c
--- patches/patch-src_crypto_tls_openssl_c 29 Sep 2015 11:57:54 -0000 1.3
+++ patches/patch-src_crypto_tls_openssl_c 5 Oct 2016 14:22:05 -0000
@@ -4,66 +4,30 @@ Compatibility fixes for LibreSSL
 
 --- src/crypto/tls_openssl.c.orig Sun Sep 27 21:02:05 2015
 +++ src/crypto/tls_openssl.c Mon Sep 28 13:43:46 2015
-@@ -2229,7 +2229,7 @@ static int tls_parse_pkcs12(struct tls_data *data, SSL
- }
-
- if (certs) {
--#if OPENSSL_VERSION_NUMBER >= 0x10002000L
-+#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
- SSL_clear_chain_certs(ssl);
- while ((cert = sk_X509_pop(certs)) != NULL) {
- X509_NAME_oneline(X509_get_subject_name(cert), buf,
-@@ -2247,7 +2247,7 @@ static int tls_parse_pkcs12(struct tls_data *data, SSL
- /* Try to continue anyway */
+@@ -919,7 +919,7 @@ void * tls_init(const struct tls_config *conf)
  }
- sk_X509_free(certs);
--#ifndef OPENSSL_IS_BORINGSSL
-+#if !defined(OPENSSL_IS_BORINGSSL) && !defined(LIBRESSL_VERSION_NUMBER)
- res = SSL_build_cert_chain(ssl,
-   SSL_BUILD_CHAIN_FLAG_CHECK |
-   SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR);
-@@ -2812,7 +2812,7 @@ int tls_connection_get_random(void *ssl_ctx, struct tl
- if (conn == NULL || keys == NULL)
- return -1;
- ssl = conn->ssl;
+ #endif /* OPENSSL_FIPS */
+ #endif /* CONFIG_FIPS */
 -#if OPENSSL_VERSION_NUMBER < 0x10100000L
 +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- if (ssl == NULL || ssl->s3 == NULL || ssl->session == NULL)
- return -1;
+ SSL_load_error_strings();
+ SSL_library_init();
+ #ifndef OPENSSL_NO_SHA256
+@@ -1043,7 +1043,7 @@ void tls_deinit(void *ssl_ctx)
 
-@@ -2841,7 +2841,7 @@ int tls_connection_get_random(void *ssl_ctx, struct tl
- #ifndef CONFIG_FIPS
- static int openssl_get_keyblock_size(SSL *ssl)
- {
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- const EVP_CIPHER *c;
- const EVP_MD *h;
- int md_size;
-@@ -2911,7 +2911,7 @@ static int openssl_tls_prf(struct tls_connection *conn
-   "mode");
- return -1;
- #else /* CONFIG_FIPS */
+ tls_openssl_ref_count--;
+ if (tls_openssl_ref_count == 0) {
 -#if OPENSSL_VERSION_NUMBER < 0x10100000L
 +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- SSL *ssl;
- u8 *rnd;
- int ret = -1;
-@@ -3394,7 +3394,7 @@ int tls_connection_set_cipher_list(void *tls_ctx, stru
+ #ifndef OPENSSL_NO_ENGINE
+ ENGINE_cleanup();
+ #endif /* OPENSSL_NO_ENGINE */
+@@ -3976,7 +3976,7 @@ int tls_connection_set_params(void *tls_ctx, struct tl
+ engine_id = "pkcs11";
 
- wpa_printf(MSG_DEBUG, "OpenSSL: cipher suites: %s", buf + 1);
-
--#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
  #if defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || defined(EAP_SERVER_FAST)
- if (os_strstr(buf, ":ADH-")) {
- /*
-@@ -3977,7 +3977,7 @@ static int tls_sess_sec_cb(SSL *s, void *secret, int *
- struct tls_connection *conn = arg;
- int ret;
-
 -#if OPENSSL_VERSION_NUMBER < 0x10100000L
 +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- if (conn == NULL || conn->session_ticket_cb == NULL)
- return 0;
-
+ if (params->flags & TLS_CONN_EAP_FAST) {
+ wpa_printf(MSG_DEBUG,
+   "OpenSSL: Use TLSv1_method() for EAP-FAST");
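Review bot: The refreshed patch keeps the 2015 `---`/`+++` header lines at the top of the hunk (`Sun Sep 27 21:02:05 2015` / `Mon Sep 28 13:43:46 2015`, left as context) while every other patch file in this diff is regenerated with October 2016 timestamps, so the header no longer describes the 2.6 file the new hunks were taken from; regenerate the header together with the hunks. The update also drops the LibreSSL guards the 2.5 patch carried for tls_parse_pkcs12, tls_connection_get_random, openssl_get_keyblock_size, openssl_tls_prf, tls_connection_set_cipher_list and tls_sess_sec_cb, and the description `Compatibility fixes for LibreSSL` does not say whether 2.6 handles those spots itself; if that was verified, a sentence stating so (e.g. `Remaining LIBRESSL_VERSION_NUMBER checks are upstream as of 2.6.`) saves the next updater from re-auditing each one, and if it was not, those functions still need a look. The tls_init, tls_deinit and tls_connection_set_params bodies touched by the new hunks start and end outside what is shown here.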
Index: patches/patch-src_utils_common_c
===================================================================
RCS file: patches/patch-src_utils_common_c
diff -N patches/patch-src_utils_common_c
--- patches/patch-src_utils_common_c 17 May 2016 08:29:27 -0000 1.5
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,65 +0,0 @@
-$OpenBSD: patch-src_utils_common_c,v 1.5 2016/05/17 08:29:27 dcoppa Exp $
-
-From ecbb0b3dc122b0d290987cf9c84010bbe53e1022 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <[hidden email]>
-Date: Fri, 4 Mar 2016 17:20:18 +0200
-Subject: [PATCH 1/5] WPS: Reject a Credential with invalid passphrase
-
-WPA/WPA2-Personal passphrase is not allowed to include control
-characters. Reject a Credential received from a WPS Registrar both as
-STA (Credential) and AP (AP Settings) if the credential is for WPAPSK or
-WPA2PSK authentication type and includes an invalid passphrase.
-
-This fixes an issue where hostapd or wpa_supplicant could have updated
-the configuration file PSK/passphrase parameter with arbitrary data from
-an external device (Registrar) that may not be fully trusted. Should
-such data include a newline character, the resulting configuration file
-could become invalid and fail to be parsed.
-
-Signed-off-by: Jouni Malinen <[hidden email]>
-
-From 0fe5a234240a108b294a87174ad197f6b5cb38e9 Mon Sep 17 00:00:00 2001
-From: Paul Stewart <[hidden email]>
-Date: Thu, 3 Mar 2016 15:40:19 -0800
-Subject: [PATCH 3/5] Remove newlines from wpa_supplicant config network output
-
-Spurious newlines output while writing the config file can corrupt the
-wpa_supplicant configuration. Avoid writing these for the network block
-parameters. This is a generic filter that cover cases that may not have
-been explicitly addressed with a more specific commit to avoid control
-characters in the psk parameter.
-
-Signed-off-by: Paul Stewart <[hidden email]>
-
---- src/utils/common.c.orig Sun Sep 27 21:02:05 2015
-+++ src/utils/common.c Tue May 17 09:21:02 2016
-@@ -697,6 +697,29 @@ int is_hex(const u8 *data, size_t len)
- }
-
-
-+int has_ctrl_char(const u8 *data, size_t len)
-+{
-+ size_t i;
-+
-+ for (i = 0; i < len; i++) {
-+ if (data[i] < 32 || data[i] == 127)
-+ return 1;
-+ }
-+ return 0;
-+}
-+
-+
-+int has_newline(const char *str)
-+{
-+ while (*str) {
-+ if (*str == '\n' || *str == '\r')
-+ return 1;
-+ str++;
-+ }
-+ return 0;
-+}
-+
-+
- size_t merge_byte_arrays(u8 *res, size_t res_len,
- const u8 *src1, size_t src1_len,
- const u8 *src2, size_t src2_len)
Index: patches/patch-src_utils_common_h
===================================================================
RCS file: patches/patch-src_utils_common_h
diff -N patches/patch-src_utils_common_h
--- patches/patch-src_utils_common_h 17 May 2016 08:29:27 -0000 1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,44 +0,0 @@
-$OpenBSD: patch-src_utils_common_h,v 1.1 2016/05/17 08:29:27 dcoppa Exp $
-
-From ecbb0b3dc122b0d290987cf9c84010bbe53e1022 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <[hidden email]>
-Date: Fri, 4 Mar 2016 17:20:18 +0200
-Subject: [PATCH 1/5] WPS: Reject a Credential with invalid passphrase
-
-WPA/WPA2-Personal passphrase is not allowed to include control
-characters. Reject a Credential received from a WPS Registrar both as
-STA (Credential) and AP (AP Settings) if the credential is for WPAPSK or
-WPA2PSK authentication type and includes an invalid passphrase.
-
-This fixes an issue where hostapd or wpa_supplicant could have updated
-the configuration file PSK/passphrase parameter with arbitrary data from
-an external device (Registrar) that may not be fully trusted. Should
-such data include a newline character, the resulting configuration file
-could become invalid and fail to be parsed.
-
-Signed-off-by: Jouni Malinen <[hidden email]>
-
-From 0fe5a234240a108b294a87174ad197f6b5cb38e9 Mon Sep 17 00:00:00 2001
-From: Paul Stewart <[hidden email]>
-Date: Thu, 3 Mar 2016 15:40:19 -0800
-Subject: [PATCH 3/5] Remove newlines from wpa_supplicant config network output
-
-Spurious newlines output while writing the config file can corrupt the
-wpa_supplicant configuration. Avoid writing these for the network block
-parameters. This is a generic filter that cover cases that may not have
-been explicitly addressed with a more specific commit to avoid control
-characters in the psk parameter.
-
-Signed-off-by: Paul Stewart <[hidden email]>
-
---- src/utils/common.h.orig Sun Sep 27 21:02:05 2015
-+++ src/utils/common.h Tue May 17 09:21:02 2016
-@@ -477,6 +477,8 @@ const char * wpa_ssid_txt(const u8 *ssid, size_t ssid_
-
- char * wpa_config_parse_string(const char *value, size_t *len);
- int is_hex(const u8 *data, size_t len);
-+int has_ctrl_char(const u8 *data, size_t len);
-+int has_newline(const char *str);
- size_t merge_byte_arrays(u8 *res, size_t res_len,
- const u8 *src1, size_t src1_len,
- const u8 *src2, size_t src2_len);
Index: patches/patch-src_utils_eloop_c
===================================================================
RCS file: /cvs/ports/security/wpa_supplicant/patches/patch-src_utils_eloop_c,v
retrieving revision 1.6
diff -u -p -r1.6 patch-src_utils_eloop_c
--- patches/patch-src_utils_eloop_c 17 May 2016 08:29:27 -0000 1.6
+++ patches/patch-src_utils_eloop_c 5 Oct 2016 14:22:05 -0000
@@ -3,9 +3,9 @@ $OpenBSD: patch-src_utils_eloop_c,v 1.6
 Don't try to access list members to free them unless already
 initialised
 
---- src/utils/eloop.c.orig Sun Sep 27 21:02:05 2015
-+++ src/utils/eloop.c Mon Sep 28 09:35:05 2015
-@@ -1064,6 +1064,9 @@ void eloop_destroy(void)
+--- src/utils/eloop.c.orig Sun Oct  2 20:51:11 2016
++++ src/utils/eloop.c Mon Oct  3 11:06:38 2016
+@@ -1249,6 +1249,9 @@ void eloop_destroy(void)
  struct eloop_timeout *timeout, *prev;
  struct os_reltime now;
 
Index: patches/patch-src_wps_wps_attr_process_c
===================================================================
RCS file: patches/patch-src_wps_wps_attr_process_c
diff -N patches/patch-src_wps_wps_attr_process_c
--- patches/patch-src_wps_wps_attr_process_c 17 May 2016 08:29:27 -0000 1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,39 +0,0 @@
-$OpenBSD: patch-src_wps_wps_attr_process_c,v 1.1 2016/05/17 08:29:27 dcoppa Exp $
-
-From ecbb0b3dc122b0d290987cf9c84010bbe53e1022 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <[hidden email]>
-Date: Fri, 4 Mar 2016 17:20:18 +0200
-Subject: [PATCH 1/5] WPS: Reject a Credential with invalid passphrase
-
-WPA/WPA2-Personal passphrase is not allowed to include control
-characters. Reject a Credential received from a WPS Registrar both as
-STA (Credential) and AP (AP Settings) if the credential is for WPAPSK or
-WPA2PSK authentication type and includes an invalid passphrase.
-
-This fixes an issue where hostapd or wpa_supplicant could have updated
-the configuration file PSK/passphrase parameter with arbitrary data from
-an external device (Registrar) that may not be fully trusted. Should
-such data include a newline character, the resulting configuration file
-could become invalid and fail to be parsed.
-
-Signed-off-by: Jouni Malinen <[hidden email]>
-
---- src/wps/wps_attr_process.c.orig Sun Sep 27 21:02:05 2015
-+++ src/wps/wps_attr_process.c Tue May 17 09:21:02 2016
-@@ -229,6 +229,16 @@ static int wps_workaround_cred_key(struct wps_credenti
- cred->key_len--;
- #endif /* CONFIG_WPS_STRICT */
- }
-+
-+
-+ if (cred->auth_type & (WPS_AUTH_WPAPSK | WPS_AUTH_WPA2PSK) &&
-+    (cred->key_len < 8 || has_ctrl_char(cred->key, cred->key_len))) {
-+ wpa_printf(MSG_INFO, "WPS: Reject credential with invalid WPA/WPA2-Personal passphrase");
-+ wpa_hexdump_ascii_key(MSG_INFO, "WPS: Network Key",
-+      cred->key, cred->key_len);
-+ return -1;
-+ }
-+
- return 0;
- }
-
Index: patches/patch-wpa_supplicant_Makefile
===================================================================
RCS file: /cvs/ports/security/wpa_supplicant/patches/patch-wpa_supplicant_Makefile,v
retrieving revision 1.8
diff -u -p -r1.8 patch-wpa_supplicant_Makefile
--- patches/patch-wpa_supplicant_Makefile 29 Sep 2015 11:57:54 -0000 1.8
+++ patches/patch-wpa_supplicant_Makefile 5 Oct 2016 14:22:05 -0000
@@ -1,7 +1,7 @@
 $OpenBSD: patch-wpa_supplicant_Makefile,v 1.8 2015/09/29 11:57:54 dcoppa Exp $
---- wpa_supplicant/Makefile.orig Mon Sep 28 09:36:07 2015
-+++ wpa_supplicant/Makefile Mon Sep 28 09:36:36 2015
-@@ -131,16 +131,6 @@ endif
+--- wpa_supplicant/Makefile.orig Sun Oct  2 20:51:11 2016
++++ wpa_supplicant/Makefile Mon Oct  3 11:06:38 2016
+@@ -153,16 +153,6 @@ endif
  OBJS += ../src/utils/$(CONFIG_ELOOP).o
  OBJS_c += ../src/utils/$(CONFIG_ELOOP).o
 
Index: patches/patch-wpa_supplicant_config_c
===================================================================
RCS file: patches/patch-wpa_supplicant_config_c
diff -N patches/patch-wpa_supplicant_config_c
--- patches/patch-wpa_supplicant_config_c 17 May 2016 08:29:27 -0000 1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,169 +0,0 @@
-$OpenBSD: patch-wpa_supplicant_config_c,v 1.1 2016/05/17 08:29:27 dcoppa Exp $
-
-From 73e4abb24a936014727924d8b0b2965edfc117dd Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <[hidden email]>
-Date: Fri, 4 Mar 2016 18:46:41 +0200
-Subject: [PATCH 2/5] Reject psk parameter set with invalid passphrase character
-
-WPA/WPA2-Personal passphrase is not allowed to include control
-characters. Reject a passphrase configuration attempt if that passphrase
-includes an invalid passphrase.
-
-This fixes an issue where wpa_supplicant could have updated the
-configuration file psk parameter with arbitrary data from the control
-interface or D-Bus interface. While those interfaces are supposed to be
-accessible only for trusted users/applications, it may be possible that
-an untrusted user has access to a management software component that
-does not validate the passphrase value before passing it to
-wpa_supplicant.
-
-This could allow such an untrusted user to inject up to 63 characters of
-almost arbitrary data into the configuration file. Such configuration
-file could result in wpa_supplicant trying to load a library (e.g.,
-opensc_engine_path, pkcs11_engine_path, pkcs11_module_path,
-load_dynamic_eap) from user controlled location when starting again.
-This would allow code from that library to be executed under the
-wpa_supplicant process privileges.
-
-Signed-off-by: Jouni Malinen <[hidden email]>
-
-From 0fe5a234240a108b294a87174ad197f6b5cb38e9 Mon Sep 17 00:00:00 2001
-From: Paul Stewart <[hidden email]>
-Date: Thu, 3 Mar 2016 15:40:19 -0800
-Subject: [PATCH 3/5] Remove newlines from wpa_supplicant config network output
-
-Spurious newlines output while writing the config file can corrupt the
-wpa_supplicant configuration. Avoid writing these for the network block
-parameters. This is a generic filter that cover cases that may not have
-been explicitly addressed with a more specific commit to avoid control
-characters in the psk parameter.
-
-Signed-off-by: Paul Stewart <[hidden email]>
-
-From b166cd84a77a6717be9600bf95378a0055d6f5a5 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <[hidden email]>
-Date: Tue, 5 Apr 2016 23:33:10 +0300
-Subject: [PATCH 4/5] Reject SET_CRED commands with newline characters in the string values
-
-Most of the cred block parameters are written as strings without
-filtering and if there is an embedded newline character in the value,
-unexpected configuration file data might be written.
-
-This fixes an issue where wpa_supplicant could have updated the
-configuration file cred parameter with arbitrary data from the control
-interface or D-Bus interface. While those interfaces are supposed to be
-accessible only for trusted users/applications, it may be possible that
-an untrusted user has access to a management software component that
-does not validate the credential value before passing it to
-wpa_supplicant.
-
-This could allow such an untrusted user to inject almost arbitrary data
-into the configuration file. Such configuration file could result in
-wpa_supplicant trying to load a library (e.g., opensc_engine_path,
-pkcs11_engine_path, pkcs11_module_path, load_dynamic_eap) from user
-controlled location when starting again. This would allow code from that
-library to be executed under the wpa_supplicant process privileges.
-
-Signed-off-by: Jouni Malinen <[hidden email]>
-
-From 2a3f56502b52375c3bf113cf92adfa99bad6b488 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <[hidden email]>
-Date: Tue, 5 Apr 2016 23:55:48 +0300
-Subject: [PATCH 5/5] Reject SET commands with newline characters in the string values
-
-Many of the global configuration parameters are written as strings
-without filtering and if there is an embedded newline character in the
-value, unexpected configuration file data might be written.
-
-This fixes an issue where wpa_supplicant could have updated the
-configuration file global parameter with arbitrary data from the control
-interface or D-Bus interface. While those interfaces are supposed to be
-accessible only for trusted users/applications, it may be possible that
-an untrusted user has access to a management software component that
-does not validate the value of a parameter before passing it to
-wpa_supplicant.
-
-This could allow such an untrusted user to inject almost arbitrary data
-into the configuration file. Such configuration file could result in
-wpa_supplicant trying to load a library (e.g., opensc_engine_path,
-pkcs11_engine_path, pkcs11_module_path, load_dynamic_eap) from user
-controlled location when starting again. This would allow code from that
-library to be executed under the wpa_supplicant process privileges.
-
-Signed-off-by: Jouni Malinen <[hidden email]>
-
---- wpa_supplicant/config.c.orig Sun Sep 27 21:02:05 2015
-+++ wpa_supplicant/config.c Tue May 17 09:21:02 2016
-@@ -456,6 +456,12 @@ static int wpa_config_parse_psk(const struct parse_dat
- }
- wpa_hexdump_ascii_key(MSG_MSGDUMP, "PSK (ASCII passphrase)",
-      (u8 *) value, len);
-+ if (has_ctrl_char((u8 *) value, len)) {
-+ wpa_printf(MSG_ERROR,
-+   "Line %d: Invalid passphrase character",
-+   line);
-+ return -1;
-+ }
- if (ssid->passphrase && os_strlen(ssid->passphrase) == len &&
-    os_memcmp(ssid->passphrase, value, len) == 0)
- return 0;
-@@ -2604,8 +2610,19 @@ char * wpa_config_get(struct wpa_ssid *ssid, const cha
-
- for (i = 0; i < NUM_SSID_FIELDS; i++) {
- const struct parse_data *field = &ssid_fields[i];
-- if (os_strcmp(var, field->name) == 0)
-- return field->writer(field, ssid);
-+ if (os_strcmp(var, field->name) == 0) {
-+ char *ret = field->writer(field, ssid);
-+
-+ if (ret && has_newline(ret)) {
-+ wpa_printf(MSG_ERROR,
-+   "Found newline in value for %s; not returning it",
-+   var);
-+ os_free(ret);
-+ ret = NULL;
-+ }
-+
-+ return ret;
-+ }
- }
-
- return NULL;
-@@ -2790,6 +2807,8 @@ int wpa_config_set_cred(struct wpa_cred *cred, const c
-
- if (os_strcmp(var, "password") == 0 &&
-    os_strncmp(value, "ext:", 4) == 0) {
-+ if (has_newline(value))
-+ return -1;
- str_clear_free(cred->password);
- cred->password = os_strdup(value);
- cred->ext_password = 1;
-@@ -2840,9 +2859,14 @@ int wpa_config_set_cred(struct wpa_cred *cred, const c
- }
-
- val = wpa_config_parse_string(value, &len);
-- if (val == NULL) {
-+ if (val == NULL ||
-+    (os_strcmp(var, "excluded_ssid") != 0 &&
-+     os_strcmp(var, "roaming_consortium") != 0 &&
-+     os_strcmp(var, "required_roaming_consortium") != 0 &&
-+     has_newline(val))) {
- wpa_printf(MSG_ERROR, "Line %d: invalid field '%s' string "
-   "value '%s'.", line, var, value);
-+ os_free(val);
- return -1;
- }
-
-@@ -3643,6 +3667,12 @@ static int wpa_global_config_parse_str(const struct gl
- wpa_printf(MSG_ERROR, "Line %d: too long %s (len=%lu "
-   "max_len=%ld)", line, data->name,
-   (unsigned long) len, (long) data->param3);
-+ return -1;
-+ }
-+
-+ if (has_newline(pos)) {
-+ wpa_printf(MSG_ERROR, "Line %d: invalid %s value with newline",
-+   line, data->name);
- return -1;
- }
-
Index: patches/patch-wpa_supplicant_main_c
===================================================================
RCS file: /cvs/ports/security/wpa_supplicant/patches/patch-wpa_supplicant_main_c,v
retrieving revision 1.2
diff -u -p -r1.2 patch-wpa_supplicant_main_c
--- patches/patch-wpa_supplicant_main_c 29 Sep 2015 11:57:54 -0000 1.2
+++ patches/patch-wpa_supplicant_main_c 5 Oct 2016 14:22:05 -0000
@@ -2,19 +2,19 @@ $OpenBSD: patch-wpa_supplicant_main_c,v
 
 Remove Linuxisms from usage()
 
---- wpa_supplicant/main.c.orig Sun Sep 27 21:02:05 2015
-+++ wpa_supplicant/main.c Mon Sep 28 09:35:05 2015
-@@ -68,7 +68,7 @@ static void usage(void)
-       "  -i = interface name\n"
-       "  -I = additional configuration file\n"
+--- wpa_supplicant/main.c.orig Mon Oct  3 11:10:23 2016
++++ wpa_supplicant/main.c Mon Oct  3 11:11:42 2016
+@@ -66,7 +66,7 @@ static void usage(void)
+       "  -c = Configuration file\n"
+       "  -C = ctrl_interface parameter (only used if -c is not)\n"
        "  -d = increase debugging verbosity (-dd even more)\n"
 -       "  -D = driver name (can be multiple drivers: nl80211,wext)\n"
 +       "  -D = driver name\n"
-       "  -e = entropy file\n");
+       "  -e = entropy file\n"
  #ifdef CONFIG_DEBUG_FILE
- printf("  -f = log output to debug file instead of stdout\n");
-@@ -102,8 +102,7 @@ static void usage(void)
-       "  -N = start describing new interface\n");
+       "  -f = log output to debug file instead of stdout\n"
+@@ -105,8 +105,7 @@ static void usage(void)
+       "  -W = wait for a control interface monitor before starting\n");
 
  printf("example:\n"
 -       "  wpa_supplicant -D%s -iwlan0 -c/etc/wpa_supplicant.conf\n",


Re: Update: wpa_supplicant 2.6

David Coppa
On Wed, Oct 5, 2016 at 4:52 PM, Pascal Stumpf <[hidden email]> wrote:

> On Wed, 5 Oct 2016 16:30:15 +0200, David Coppa wrote:
>> On Tue, 04 Oct 2016, Laurence Tratt wrote:
>>
>> > On Tue, Oct 04, 2016 at 02:09:30PM +0200, David Coppa wrote:
>> >
>> > Hello David,
>> >
>> > I'll give this a try on Thursday (which is the next time I'm around such a
>> > network) and let you know.
>> >
>> >
>> > Laurie
>>
>> Please try the following diff:
>
> Works for me on eduroam.

Thanks for testing.

David