Diffstat (limited to 'meta/recipes-connectivity/wpa-supplicant')
13 files changed, 483 insertions, 1109 deletions
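--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-hostapd before 2.10 and wpa_supplicant before 2.10 allow an incorrect indication
-of disconnection in certain situations because source address validation is
-mishandled. This is a denial of service that should have been prevented by PMF
-(aka management frame protection). The attacker must send a crafted 802.11 frame
-from a location that is within the 802.11 communications range.
-
-CVE: CVE-2019-16275
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@intel.com>
-
-From 8c07fa9eda13e835f3f968b2e1c9a8be3a851ff9 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Thu, 29 Aug 2019 11:52:04 +0300
-Subject: [PATCH] AP: Silently ignore management frame from unexpected source
-address
-
-Do not process any received Management frames with unexpected/invalid SA
-so that we do not add any state for unexpected STA addresses or end up
-sending out frames to unexpected destination. This prevents unexpected
-sequences where an unprotected frame might end up causing the AP to send
-out a response to another device and that other device processing the
-unexpected response.
-
-In particular, this prevents some potential denial of service cases
-where the unexpected response frame from the AP might result in a
-connected station dropping its association.
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
-src/ap/drv_callbacks.c | 13 +++++++++++++
-src/ap/ieee802_11.c | 12 ++++++++++++
-2 files changed, 25 insertions(+)
-
-diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c
-index 31587685fe3b..34ca379edc3d 100644
---- a/src/ap/drv_callbacks.c
-+++ b/src/ap/drv_callbacks.c
-@@ -131,6 +131,19 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr,
-"hostapd_notif_assoc: Skip event with no address");
-return -1;
-}
-+
-+ if (is_multicast_ether_addr(addr) ||
-+ is_zero_ether_addr(addr) ||
-+ os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) {
-+ /* Do not process any frames with unexpected/invalid SA so that
-+ * we do not add any state for unexpected STA addresses or end
-+ * up sending out frames to unexpected destination. */
-+ wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR
-+ " in received indication - ignore this indication silently",
-+ __func__, MAC2STR(addr));
-+ return 0;
-+ }
-+
-random_add_randomness(addr, ETH_ALEN);
-
-hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211,
-diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
-index c85a28db44b7..e7065372e158 100644
---- a/src/ap/ieee802_11.c
-+++ b/src/ap/ieee802_11.c
-@@ -4626,6 +4626,18 @@ int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
-fc = le_to_host16(mgmt->frame_control);
-stype = WLAN_FC_GET_STYPE(fc);
-
-+ if (is_multicast_ether_addr(mgmt->sa) ||
-+ is_zero_ether_addr(mgmt->sa) ||
-+ os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
-+ /* Do not process any frames with unexpected/invalid SA so that
-+ * we do not add any state for unexpected STA addresses or end
-+ * up sending out frames to unexpected destination. */
-+ wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR
-+ " in received frame - ignore this frame silently",
-+ MAC2STR(mgmt->sa));
-+ return 0;
-+ }
-+
-if (stype == WLAN_FC_STYPE_BEACON) {
-handle_beacon(hapd, mgmt, len, fi);
-return 1;
---
-2.20.1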
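--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-Install-wpa_passphrase-when-not-disabled.patch
@@ -0,0 +1,33 @@
+From 57b12a1e43605f71239a21488cb9b541f0751dda Mon Sep 17 00:00:00 2001
+From: Alex Kiernan <alexk@zuma.ai>
+Date: Thu, 21 Apr 2022 10:15:29 +0100
+Subject: [PATCH] Install wpa_passphrase when not disabled
+
+As part of fixing CONFIG_NO_WPA_PASSPHRASE, whilst wpa_passphrase gets
+built, its not installed during `make install`.
+
+Fixes: cb41c214b78d ("build: Re-enable options for libwpa_client.so and wpa_passphrase")
+Signed-off-by: Alex Kiernan <alexk@zuma.ai>
+Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
+Upstream-Status: Submitted [http://lists.infradead.org/pipermail/hostap/2022-April/040448.html]
+---
+wpa_supplicant/Makefile | 3 +++
+1 file changed, 3 insertions(+)
+
+diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
+index 0bab313f2355..12787c0c7d0f 100644
+--- a/wpa_supplicant/Makefile
++++ b/wpa_supplicant/Makefile
+@@ -73,6 +73,9 @@ $(DESTDIR)$(BINDIR)/%: %
+
+install: $(addprefix $(DESTDIR)$(BINDIR)/,$(BINALL))
+$(MAKE) -C ../src install
++ifndef CONFIG_NO_WPA_PASSPHRASE
++ install -D wpa_passphrase $(DESTDIR)/$(BINDIR)/wpa_passphrase
++endif
+ifdef CONFIG_BUILD_WPA_CLIENT_SO
+install -m 0644 -D libwpa_client.so $(DESTDIR)/$(LIBDIR)/libwpa_client.so
+install -m 0644 -D ../src/common/wpa_ctrl.h $(DESTDIR)/$(INCDIR)/wpa_ctrl.h
+--
+2.35.1
+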
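--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch
@@ -0,0 +1,213 @@
+From f6f7cead3661ceeef54b21f7e799c0afc98537ec Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sat, 8 Jul 2023 19:55:32 +0300
+Subject: [PATCH] PEAP client: Update Phase 2 authentication requirements
+
+The previous PEAP client behavior allowed the server to skip Phase 2
+authentication with the expectation that the server was authenticated
+during Phase 1 through TLS server certificate validation. Various PEAP
+specifications are not exactly clear on what the behavior on this front
+is supposed to be and as such, this ended up being more flexible than
+the TTLS/FAST/TEAP cases. However, this is not really ideal when
+unfortunately common misconfiguration of PEAP is used in deployed
+devices where the server trust root (ca_cert) is not configured or the
+user has an easy option for allowing this validation step to be skipped.
+
+Change the default PEAP client behavior to be to require Phase 2
+authentication to be successfully completed for cases where TLS session
+resumption is not used and the client certificate has not been
+configured. Those two exceptions are the main cases where a deployed
+authentication server might skip Phase 2 and as such, where a more
+strict default behavior could result in undesired interoperability
+issues. Requiring Phase 2 authentication will end up disabling TLS
+session resumption automatically to avoid interoperability issues.
+
+Allow Phase 2 authentication behavior to be configured with a new phase1
+configuration parameter option:
+'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
+tunnel) behavior for PEAP:
+* 0 = do not require Phase 2 authentication
+* 1 = require Phase 2 authentication when client certificate
+(private_key/client_cert) is no used and TLS session resumption was
+not used (default)
+* 2 = require Phase 2 authentication in all cases
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+
+CVE: CVE-2023-52160
+Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=8e6485a1bcb0baffdea9e55255a81270b768439c]
+
+Signed-off-by: Claus Stovgaard <claus.stovgaard@gmail.com>
+
+---
+src/eap_peer/eap_config.h | 8 ++++++
+src/eap_peer/eap_peap.c | 40 +++++++++++++++++++++++++++---
+src/eap_peer/eap_tls_common.c | 6 +++++
+src/eap_peer/eap_tls_common.h | 5 ++++
+wpa_supplicant/wpa_supplicant.conf | 7 ++++++
+5 files changed, 63 insertions(+), 3 deletions(-)
+
+diff --git a/src/eap_peer/eap_config.h b/src/eap_peer/eap_config.h
+index 3238f74..047eec2 100644
+--- a/src/eap_peer/eap_config.h
++++ b/src/eap_peer/eap_config.h
+@@ -469,6 +469,14 @@ struct eap_peer_config {
+* 1 = use cryptobinding if server supports it
+* 2 = require cryptobinding
+*
++ * phase2_auth option can be used to control Phase 2 (i.e., within TLS
++ * tunnel) behavior for PEAP:
++ * 0 = do not require Phase 2 authentication
++ * 1 = require Phase 2 authentication when client certificate
++ * (private_key/client_cert) is no used and TLS session resumption was
++ * not used (default)
++ * 2 = require Phase 2 authentication in all cases
++ *
+* EAP-WSC (WPS) uses following options: pin=Device_Password and
+* uuid=Device_UUID
+*
+diff --git a/src/eap_peer/eap_peap.c b/src/eap_peer/eap_peap.c
+index 12e30df..6080697 100644
+--- a/src/eap_peer/eap_peap.c
++++ b/src/eap_peer/eap_peap.c
+@@ -67,6 +67,7 @@ struct eap_peap_data {
+u8 cmk[20];
+int soh; /* Whether IF-TNCCS-SOH (Statement of Health; Microsoft NAP)
+* is enabled. */
++ enum { NO_AUTH, FOR_INITIAL, ALWAYS } phase2_auth;
+};
+
+
+@@ -114,6 +115,19 @@ static void eap_peap_parse_phase1(struct eap_peap_data *data,
+wpa_printf(MSG_DEBUG, "EAP-PEAP: Require cryptobinding");
+}
+
++ if (os_strstr(phase1, "phase2_auth=0")) {
++ data->phase2_auth = NO_AUTH;
++ wpa_printf(MSG_DEBUG,
++ "EAP-PEAP: Do not require Phase 2 authentication");
++ } else if (os_strstr(phase1, "phase2_auth=1")) {
++ data->phase2_auth = FOR_INITIAL;
++ wpa_printf(MSG_DEBUG,
++ "EAP-PEAP: Require Phase 2 authentication for initial connection");
++ } else if (os_strstr(phase1, "phase2_auth=2")) {
++ data->phase2_auth = ALWAYS;
++ wpa_printf(MSG_DEBUG,
++ "EAP-PEAP: Require Phase 2 authentication for all cases");
++ }
+#ifdef EAP_TNC
+if (os_strstr(phase1, "tnc=soh2")) {
+data->soh = 2;
+@@ -142,6 +156,7 @@ static void * eap_peap_init(struct eap_sm *sm)
+data->force_peap_version = -1;
+data->peap_outer_success = 2;
+data->crypto_binding = OPTIONAL_BINDING;
++ data->phase2_auth = FOR_INITIAL;
+
+if (config && config->phase1)
+eap_peap_parse_phase1(data, config->phase1);
+@@ -454,6 +469,20 @@ static int eap_tlv_validate_cryptobinding(struct eap_sm *sm,
+}
+
+
++static bool peap_phase2_sufficient(struct eap_sm *sm,
++ struct eap_peap_data *data)
++{
++ if ((data->phase2_auth == ALWAYS ||
++ (data->phase2_auth == FOR_INITIAL &&
++ !tls_connection_resumed(sm->ssl_ctx, data->ssl.conn) &&
++ !data->ssl.client_cert_conf) ||
++ data->phase2_eap_started) &&
++ !data->phase2_eap_success)
++ return false;
++ return true;
++}
++
++
+/**
+* eap_tlv_process - Process a received EAP-TLV message and generate a response
+* @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
+@@ -568,6 +597,11 @@ static int eap_tlv_process(struct eap_sm *sm, struct eap_peap_data *data,
+" - force failed Phase 2");
+resp_status = EAP_TLV_RESULT_FAILURE;
+ret->decision = DECISION_FAIL;
++ } else if (!peap_phase2_sufficient(sm, data)) {
++ wpa_printf(MSG_INFO,
++ "EAP-PEAP: Server indicated Phase 2 success, but sufficient Phase 2 authentication has not been completed");
++ resp_status = EAP_TLV_RESULT_FAILURE;
++ ret->decision = DECISION_FAIL;
+} else {
+resp_status = EAP_TLV_RESULT_SUCCESS;
+ret->decision = DECISION_UNCOND_SUCC;
+@@ -887,8 +921,7 @@ continue_req:
+/* EAP-Success within TLS tunnel is used to indicate
+* shutdown of the TLS channel. The authentication has
+* been completed. */
+- if (data->phase2_eap_started &&
+- !data->phase2_eap_success) {
++ if (!peap_phase2_sufficient(sm, data)) {
+wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 "
+"Success used to indicate success, "
+"but Phase 2 EAP was not yet "
+@@ -1199,8 +1232,9 @@ static struct wpabuf * eap_peap_process(struct eap_sm *sm, void *priv,
+static bool eap_peap_has_reauth_data(struct eap_sm *sm, void *priv)
+{
+struct eap_peap_data *data = priv;
++
+return tls_connection_established(sm->ssl_ctx, data->ssl.conn) &&
+- data->phase2_success;
++ data->phase2_success && data->phase2_auth != ALWAYS;
+}
+
+
+diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c
+index c1837db..a53eeb1 100644
+--- a/src/eap_peer/eap_tls_common.c
++++ b/src/eap_peer/eap_tls_common.c
+@@ -239,6 +239,12 @@ static int eap_tls_params_from_conf(struct eap_sm *sm,
+
+sm->ext_cert_check = !!(params->flags & TLS_CONN_EXT_CERT_CHECK);
+
++ if (!phase2)
++ data->client_cert_conf = params->client_cert ||
++ params->client_cert_blob ||
++ params->private_key ||
++ params->private_key_blob;
++
+return 0;
+}
+
+diff --git a/src/eap_peer/eap_tls_common.h b/src/eap_peer/eap_tls_common.h
+index 9ac0012..3348634 100644
+--- a/src/eap_peer/eap_tls_common.h
++++ b/src/eap_peer/eap_tls_common.h
+@@ -79,6 +79,11 @@ struct eap_ssl_data {
+* tls_v13 - Whether TLS v1.3 or newer is used
+*/
+int tls_v13;
++
++ /**
++ * client_cert_conf: Whether client certificate has been configured
++ */
++ bool client_cert_conf;
+};
+
+
+diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
+index 6619d6b..d63f73c 100644
+--- a/wpa_supplicant/wpa_supplicant.conf
++++ b/wpa_supplicant/wpa_supplicant.conf
+@@ -1321,6 +1321,13 @@ fast_reauth=1
+# * 0 = do not use cryptobinding (default)
+# * 1 = use cryptobinding if server supports it
+# * 2 = require cryptobinding
++# 'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
++# tunnel) behavior for PEAP:
++# * 0 = do not require Phase 2 authentication
++# * 1 = require Phase 2 authentication when client certificate
++# (private_key/client_cert) is no used and TLS session resumption was
++# not used (default)
++# * 2 = require Phase 2 authentication in all cases
+# EAP-WSC (WPS) uses following options: pin=<Device Password> or
+# pbc=1.
+#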
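Review bot: In the `continue_req` hunk of src/eap_peer/eap_peap.c, a rejection by the new `peap_phase2_sufficient()` check is still logged at `MSG_DEBUG` with the old text ending "Phase 2 EAP was not yet", while the same rejection in `eap_tlv_process` is logged at `MSG_INFO`. A server that tries to finish PEAP without adequate Phase 2 authentication is the event this CVE-2023-52160 backport guards against, so both paths should be visible at the default log level. The call could read `wpa_printf(MSG_INFO, "EAP-PEAP: Server indicated Phase 2 success, but sufficient Phase 2 authentication has not been completed");`. The rest of that message and of the enclosing function lies outside the hunk. Because this is a backport, the change is best proposed upstream too so the recipe patch stays aligned with it.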
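--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch
+++ /dev/null
@@ -1,151 +0,0 @@
-From 5b78c8f961f25f4dc22d6f2b77ddd06d712cec63 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <jouni@codeaurora.org>
-Date: Wed, 3 Jun 2020 23:17:35 +0300
-Subject: [PATCH 1/3] WPS UPnP: Do not allow event subscriptions with URLs to
-other networks
-
-The UPnP Device Architecture 2.0 specification errata ("UDA errata
-16-04-2020.docx") addresses a problem with notifications being allowed
-to go out to other domains by disallowing such cases. Do such filtering
-for the notification callback URLs to avoid undesired connections to
-external networks based on subscriptions that any device in the local
-network could request when WPS support for external registrars is
-enabled (the upnp_iface parameter in hostapd configuration).
-
-Upstream-Status: Backport
-CVE: CVE-2020-12695 patch #1
-Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
-src/wps/wps_er.c | 2 +-
-src/wps/wps_upnp.c | 38 ++++++++++++++++++++++++++++++++++++--
-src/wps/wps_upnp_i.h | 3 ++-
-3 files changed, 39 insertions(+), 4 deletions(-)
-
-Index: wpa_supplicant-2.9/src/wps/wps_er.c
-===================================================================
---- wpa_supplicant-2.9.orig/src/wps/wps_er.c
-+++ wpa_supplicant-2.9/src/wps/wps_er.c
-@@ -1298,7 +1298,7 @@ wps_er_init(struct wps_context *wps, con
-"with %s", filter);
-}
-if (get_netif_info(er->ifname, &er->ip_addr, &er->ip_addr_text,
-- er->mac_addr)) {
-+ NULL, er->mac_addr)) {
-wpa_printf(MSG_INFO, "WPS UPnP: Could not get IP/MAC address "
-"for %s. Does it have IP address?", er->ifname);
-wps_er_deinit(er, NULL, NULL);
-Index: wpa_supplicant-2.9/src/wps/wps_upnp.c
-===================================================================
---- wpa_supplicant-2.9.orig/src/wps/wps_upnp.c
-+++ wpa_supplicant-2.9/src/wps/wps_upnp.c
-@@ -303,6 +303,14 @@ static void subscr_addr_free_all(struct
-}
-
-
-+static int local_network_addr(struct upnp_wps_device_sm *sm,
-+ struct sockaddr_in *addr)
-+{
-+ return (addr->sin_addr.s_addr & sm->netmask.s_addr) ==
-+ (sm->ip_addr & sm->netmask.s_addr);
-+}
-+
-+
-/* subscr_addr_add_url -- add address(es) for one url to subscription */
-static void subscr_addr_add_url(struct subscription *s, const char *url,
-size_t url_len)
-@@ -381,6 +389,7 @@ static void subscr_addr_add_url(struct s
-
-for (rp = result; rp; rp = rp->ai_next) {
-struct subscr_addr *a;
-+ struct sockaddr_in *addr = (struct sockaddr_in *) rp->ai_addr;
-
-/* Limit no. of address to avoid denial of service attack */
-if (dl_list_len(&s->addr_list) >= MAX_ADDR_PER_SUBSCRIPTION) {
-@@ -389,6 +398,13 @@ static void subscr_addr_add_url(struct s
-break;
-}
-
-+ if (!local_network_addr(s->sm, addr)) {
-+ wpa_printf(MSG_INFO,
-+ "WPS UPnP: Ignore a delivery URL that points to another network %s",
-+ inet_ntoa(addr->sin_addr));
-+ continue;
-+ }
-+
-a = os_zalloc(sizeof(*a) + alloc_len);
-if (a == NULL)
-break;
-@@ -889,11 +905,12 @@ static int eth_get(const char *device, u
-* @net_if: Selected network interface name
-* @ip_addr: Buffer for returning IP address in network byte order
-* @ip_addr_text: Buffer for returning a pointer to allocated IP address text
-+ * @netmask: Buffer for returning netmask or %NULL if not needed
-* @mac: Buffer for returning MAC address
-* Returns: 0 on success, -1 on failure
-*/
-int get_netif_info(const char *net_if, unsigned *ip_addr, char **ip_addr_text,
-- u8 mac[ETH_ALEN])
-+ struct in_addr *netmask, u8 mac[ETH_ALEN])
-{
-struct ifreq req;
-int sock = -1;
-@@ -919,6 +936,19 @@ int get_netif_info(const char *net_if, u
-in_addr.s_addr = *ip_addr;
-os_snprintf(*ip_addr_text, 16, "%s", inet_ntoa(in_addr));
-
-+ if (netmask) {
-+ os_memset(&req, 0, sizeof(req));
-+ os_strlcpy(req.ifr_name, net_if, sizeof(req.ifr_name));
-+ if (ioctl(sock, SIOCGIFNETMASK, &req) < 0) {
-+ wpa_printf(MSG_ERROR,
-+ "WPS UPnP: SIOCGIFNETMASK failed: %d (%s)",
-+ errno, strerror(errno));
-+ goto fail;
-+ }
-+ addr = (struct sockaddr_in *) &req.ifr_netmask;
-+ netmask->s_addr = addr->sin_addr.s_addr;
-+ }
-+
-#ifdef __linux__
-os_strlcpy(req.ifr_name, net_if, sizeof(req.ifr_name));
-if (ioctl(sock, SIOCGIFHWADDR, &req) < 0) {
-@@ -1025,11 +1055,15 @@ static int upnp_wps_device_start(struct
-
-/* Determine which IP and mac address we're using */
-if (get_netif_info(net_if, &sm->ip_addr, &sm->ip_addr_text,
-- sm->mac_addr)) {
-+ &sm->netmask, sm->mac_addr)) {
-wpa_printf(MSG_INFO, "WPS UPnP: Could not get IP/MAC address "
-"for %s. Does it have IP address?", net_if);
-goto fail;
-}
-+ wpa_printf(MSG_DEBUG, "WPS UPnP: Local IP address %s netmask %s hwaddr "
-+ MACSTR,
-+ sm->ip_addr_text, inet_ntoa(sm->netmask),
-+ MAC2STR(sm->mac_addr));
-
-/* Listen for incoming TCP connections so that others
-* can fetch our "xml files" from us.
-Index: wpa_supplicant-2.9/src/wps/wps_upnp_i.h
-===================================================================
---- wpa_supplicant-2.9.orig/src/wps/wps_upnp_i.h
-+++ wpa_supplicant-2.9/src/wps/wps_upnp_i.h
-@@ -128,6 +128,7 @@ struct upnp_wps_device_sm {
-u8 mac_addr[ETH_ALEN]; /* mac addr of network i.f. we use */
-char *ip_addr_text; /* IP address of network i.f. we use */
-unsigned ip_addr; /* IP address of network i.f. we use (host order) */
-+ struct in_addr netmask;
-int multicast_sd; /* send multicast messages over this socket */
-int ssdp_sd; /* receive discovery UPD packets on socket */
-int ssdp_sd_registered; /* nonzero if we must unregister */
-@@ -158,7 +159,7 @@ struct subscription * subscription_find(
-const u8 uuid[UUID_LEN]);
-void subscr_addr_delete(struct subscr_addr *a);
-int get_netif_info(const char *net_if, unsigned *ip_addr, char **ip_addr_text,
-- u8 mac[ETH_ALEN]);
-+ struct in_addr *netmask, u8 mac[ETH_ALEN]);
-
-/* wps_upnp_ssdp.c */
-void msearchreply_state_machine_stop(struct advertisement_state_machine *a);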
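--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch
@@ -0,0 +1,73 @@
+From cb41c214b78d6df187a31950342e48a403dbd769 Mon Sep 17 00:00:00 2001
+From: Sergey Matyukevich <geomatsi@gmail.com>
+Date: Tue, 22 Feb 2022 11:52:19 +0300
+Subject: [PATCH 1/2] build: Re-enable options for libwpa_client.so and
+wpa_passphrase
+
+Commit a41a29192e5d ("build: Pull common fragments into a build.rules
+file") introduced a regression into wpa_supplicant build process. The
+build target libwpa_client.so is not built regardless of whether the
+option CONFIG_BUILD_WPA_CLIENT_SO is set or not. This happens because
+this config option is used before it is imported from the configuration
+file. Moving its use after including build.rules does not help: the
+variable ALL is processed by build.rules and further changes are not
+applied. Similarly, option CONFIG_NO_WPA_PASSPHRASE also does not work
+as expected: wpa_passphrase is always built regardless of whether the
+option is set or not.
+
+Re-enable these options by adding both build targets to _all
+dependencies.
+
+Fixes: a41a29192e5d ("build: Pull common fragments into a build.rules file")
+Signed-off-by: Sergey Matyukevich <geomatsi@gmail.com>
+Upstream-Status: Backport
+Signed-off-by: Alex Kiernan <alexk@zuma.ai>
+Signed-off-by: Alex Kiernan <alexk@gmail.com>
+---
+wpa_supplicant/Makefile | 19 ++++++++++++-------
+1 file changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
+index cb66defac7c8..c456825ae75f 100644
+--- a/wpa_supplicant/Makefile
++++ b/wpa_supplicant/Makefile
+@@ -1,24 +1,29 @@
+BINALL=wpa_supplicant wpa_cli
+
+-ifndef CONFIG_NO_WPA_PASSPHRASE
+-BINALL += wpa_passphrase
+-endif
+-
+ALL = $(BINALL)
+ALL += systemd/wpa_supplicant.service
+ALL += systemd/wpa_supplicant@.service
+ALL += systemd/wpa_supplicant-nl80211@.service
+ALL += systemd/wpa_supplicant-wired@.service
+ALL += dbus/fi.w1.wpa_supplicant1.service
+-ifdef CONFIG_BUILD_WPA_CLIENT_SO
+-ALL += libwpa_client.so
+-endif
+
+EXTRA_TARGETS=dynamic_eap_methods
+
+CONFIG_FILE=.config
+include ../src/build.rules
+
++ifdef CONFIG_BUILD_WPA_CLIENT_SO
++# add the dependency this way to allow CONFIG_BUILD_WPA_CLIENT_SO
++# being set in the config which is read by build.rules
++_all: libwpa_client.so
++endif
++
++ifndef CONFIG_NO_WPA_PASSPHRASE
++# add the dependency this way to allow CONFIG_NO_WPA_PASSPHRASE
++# being set in the config which is read by build.rules
++_all: wpa_passphrase
++endif
++
+ifdef LIBS
+# If LIBS is set with some global build system defaults, clone those for
+# LIBS_c and LIBS_p to cover wpa_passphrase and wpa_cli as well.
+--
+2.35.1
+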
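--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-replace-systemd-install-Alias-with-WantedBy.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 94c401733a5a3d294cc412671166e6adfb409f53 Mon Sep 17 00:00:00 2001
-From: Joshua DeWeese <jdeweese@hennypenny.com>
-Date: Wed, 30 Jan 2019 16:19:47 -0500
-Subject: [PATCH] replace systemd install Alias with WantedBy
-
-According to the systemd documentation "WantedBy=foo.service in a
-service bar.service is mostly equivalent to
-Alias=foo.service.wants/bar.service in the same file." However,
-this is not really the intended purpose of install Aliases.
-
-Upstream-Status: Submitted [hostap@lists.infradead.org]
-
-Signed-off-by: Joshua DeWeese <jdeweese@hennypenny.com>
----
-wpa_supplicant/systemd/wpa_supplicant-nl80211.service.arg.in | 2 +-
-wpa_supplicant/systemd/wpa_supplicant-wired.service.arg.in | 2 +-
-wpa_supplicant/systemd/wpa_supplicant.service.arg.in | 2 +-
-3 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/wpa_supplicant/systemd/wpa_supplicant-nl80211.service.arg.in b/wpa_supplicant/systemd/wpa_supplicant-nl80211.service.arg.in
-index 03ac507..da69a87 100644
---- a/wpa_supplicant/systemd/wpa_supplicant-nl80211.service.arg.in
-+++ b/wpa_supplicant/systemd/wpa_supplicant-nl80211.service.arg.in
-@@ -12,4 +12,4 @@ Type=simple
-ExecStart=@BINDIR@/wpa_supplicant -c/etc/wpa_supplicant/wpa_supplicant-nl80211-%I.conf -Dnl80211 -i%I
-
-[Install]
--Alias=multi-user.target.wants/wpa_supplicant-nl80211@%i.service
-+WantedBy=multi-user.target
-diff --git a/wpa_supplicant/systemd/wpa_supplicant-wired.service.arg.in b/wpa_supplicant/systemd/wpa_supplicant-wired.service.arg.in
-index c8a744d..ca3054b 100644
---- a/wpa_supplicant/systemd/wpa_supplicant-wired.service.arg.in
-+++ b/wpa_supplicant/systemd/wpa_supplicant-wired.service.arg.in
-@@ -12,4 +12,4 @@ Type=simple
-ExecStart=@BINDIR@/wpa_supplicant -c/etc/wpa_supplicant/wpa_supplicant-wired-%I.conf -Dwired -i%I
-
-[Install]
--Alias=multi-user.target.wants/wpa_supplicant-wired@%i.service
-+WantedBy=multi-user.target
-diff --git a/wpa_supplicant/systemd/wpa_supplicant.service.arg.in b/wpa_supplicant/systemd/wpa_supplicant.service.arg.in
-index 7788b38..55d2b9c 100644
---- a/wpa_supplicant/systemd/wpa_supplicant.service.arg.in
-+++ b/wpa_supplicant/systemd/wpa_supplicant.service.arg.in
-@@ -12,4 +12,4 @@ Type=simple
-ExecStart=@BINDIR@/wpa_supplicant -c/etc/wpa_supplicant/wpa_supplicant-%I.conf -i%I
-
-[Install]
--Alias=multi-user.target.wants/wpa_supplicant@%i.service
-+WantedBy=multi-user.target
---
-2.7.4
-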
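--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch
@@ -0,0 +1,26 @@
+From d001b301ba7987f4b39453a211631b85c48f2ff8 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <quic_jouni@quicinc.com>
+Date: Thu, 3 Mar 2022 13:26:42 +0200
+Subject: [PATCH 2/2] Fix removal of wpa_passphrase on 'make clean'
+
+Fixes: 0430bc8267b4 ("build: Add a common-clean target")
+Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
+Upstream-Status: Backport
+Signed-off-by: Alex Kiernan <alexk@zuma.ai>
+Signed-off-by: Alex Kiernan <alexk@gmail.com>
+---
+wpa_supplicant/Makefile | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
+index c456825ae75f..4b4688931b1d 100644
+--- a/wpa_supplicant/Makefile
++++ b/wpa_supplicant/Makefile
+@@ -2077,3 +2077,4 @@ clean: common-clean
+rm -f libwpa_client.a
+rm -f libwpa_client.so
+rm -f libwpa_test1 libwpa_test2
++ rm -f wpa_passphrase
+--
+2.35.1
+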
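Review bot: The `Upstream-Status: Backport` line in the new patch header carries no upstream reference, so a later reader cannot tell from the recipe which hostap commit this backport tracks or in which release it can be dropped. If the hash on the `From` line is the upstream commit id, as it is in the other backports in this directory, then `Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=d001b301ba7987f4b39453a211631b85c48f2ff8]` would record the provenance. The header also carries two `Signed-off-by: Alex Kiernan` trailers with different addresses; presumably only one is intended.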
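--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From f7d268864a2660b7239b9a8ff5ad37faeeb751ba Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <jouni@codeaurora.org>
-Date: Wed, 3 Jun 2020 22:41:02 +0300
-Subject: [PATCH 2/3] WPS UPnP: Fix event message generation using a long URL
-path
-
-More than about 700 character URL ended up overflowing the wpabuf used
-for building the event notification and this resulted in the wpabuf
-buffer overflow checks terminating the hostapd process. Fix this by
-allocating the buffer to be large enough to contain the full URL path.
-However, since that around 700 character limit has been the practical
-limit for more than ten years, start explicitly enforcing that as the
-limit or the callback URLs since any longer ones had not worked before
-and there is no need to enable them now either.
-
-Upstream-Status: Backport
-CVE: CVE-2020-12695 patch #2
-Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
-src/wps/wps_upnp.c | 9 +++++++--
-src/wps/wps_upnp_event.c | 3 ++-
-2 files changed, 9 insertions(+), 3 deletions(-)
-
-diff --git a/src/wps/wps_upnp.c b/src/wps/wps_upnp.c
-index 7d4b7439940e..ab685d52ecab 100644
---- a/src/wps/wps_upnp.c
-+++ b/src/wps/wps_upnp.c
-@@ -328,9 +328,14 @@ static void subscr_addr_add_url(struct subscription *s, const char *url,
-int rerr;
-size_t host_len, path_len;
-
-- /* url MUST begin with http: */
-- if (url_len < 7 || os_strncasecmp(url, "http://", 7))
-+ /* URL MUST begin with HTTP scheme. In addition, limit the length of
-+ * the URL to 700 characters which is around the limit that was
-+ * implicitly enforced for more than 10 years due to a bug in
-+ * generating the event messages. */
-+ if (url_len < 7 || os_strncasecmp(url, "http://", 7) || url_len > 700) {
-+ wpa_printf(MSG_DEBUG, "WPS UPnP: Reject an unacceptable URL");
-goto fail;
-+ }
-url += 7;
-url_len -= 7;
-
-diff --git a/src/wps/wps_upnp_event.c b/src/wps/wps_upnp_event.c
-index d7e6edcc6503..08a23612f338 100644
---- a/src/wps/wps_upnp_event.c
-+++ b/src/wps/wps_upnp_event.c
-@@ -147,7 +147,8 @@ static struct wpabuf * event_build_message(struct wps_event_ *e)
-struct wpabuf *buf;
-char *b;
-
-- buf = wpabuf_alloc(1000 + wpabuf_len(e->data));
-+ buf = wpabuf_alloc(1000 + os_strlen(e->addr->path) +
-+ wpabuf_len(e->data));
-if (buf == NULL)
-return NULL;
-wpabuf_printf(buf, "NOTIFY %s HTTP/1.1\r\n", e->addr->path);
---
-2.20.1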
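--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 85aac526af8612c21b3117dadc8ef5944985b476 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <jouni@codeaurora.org>
-Date: Thu, 4 Jun 2020 21:24:04 +0300
-Subject: [PATCH 3/3] WPS UPnP: Handle HTTP initiation failures for events more
-properly
-
-While it is appropriate to try to retransmit the event to another
-callback URL on a failure to initiate the HTTP client connection, there
-is no point in trying the exact same operation multiple times in a row.
-Replve the event_retry() calls with event_addr_failure() for these cases
-to avoid busy loops trying to repeat the same failing operation.
-
-These potential busy loops would go through eloop callbacks, so the
-process is not completely stuck on handling them, but unnecessary CPU
-would be used to process the continues retries that will keep failing
-for the same reason.
-
-Upstream-Status: Backport
-CVE: CVE-2020-12695 patch #2
-Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
-src/wps/wps_upnp_event.c | 4 ++--
-1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/wps/wps_upnp_event.c b/src/wps/wps_upnp_event.c
-index 08a23612f338..c0d9e41d9a38 100644
---- a/src/wps/wps_upnp_event.c
-+++ b/src/wps/wps_upnp_event.c
-@@ -294,7 +294,7 @@ static int event_send_start(struct subscription *s)
-
-buf = event_build_message(e);
-if (buf == NULL) {
-- event_retry(e, 0);
-+ event_addr_failure(e);
-return -1;
-}
-
-@@ -302,7 +302,7 @@ static int event_send_start(struct subscription *s)
-event_http_cb, e);
-if (e->http_event == NULL) {
-wpabuf_free(buf);
-- event_retry(e, 0);
-+ event_addr_failure(e);
-return -1;
-}
-
---
-2.20.1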
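--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-0326.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 947272febe24a8f0ea828b5b2f35f13c3821901e Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <jouni@codeaurora.org>
-Date: Mon, 9 Nov 2020 11:43:12 +0200
-Subject: [PATCH] P2P: Fix copying of secondary device types for P2P group
-client
-
-Parsing and copying of WPS secondary device types list was verifying
-that the contents is not too long for the internal maximum in the case
-of WPS messages, but similar validation was missing from the case of P2P
-group information which encodes this information in a different
-attribute. This could result in writing beyond the memory area assigned
-for these entries and corrupting memory within an instance of struct
-p2p_device. This could result in invalid operations and unexpected
-behavior when trying to free pointers from that corrupted memory.
-
-Upstream-Status: Backport
-CVE: CVE-2021-0326
-
-Reference to upstream patch:
-[https://w1.fi/cgit/hostap/commit/?id=947272febe24a8f0ea828b5b2f35f13c3821901e]
-
-Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27269
-Fixes: e57ae6e19edf ("P2P: Keep track of secondary device types for peers")
-Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
-Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
----
-src/p2p/p2p.c | 2 ++
-1 file changed, 2 insertions(+)
-
-diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c
-index a08ba02..079270f 100644
---- a/src/p2p/p2p.c
-+++ b/src/p2p/p2p.c
-@@ -453,6 +453,8 @@ static void p2p_copy_client_info(struct p2p_device *dev,
-dev->info.config_methods = cli->config_methods;
-os_memcpy(dev->info.pri_dev_type, cli->pri_dev_type, 8);
-dev->info.wps_sec_dev_type_list_len = 8 * cli->num_sec_dev_types;
-+ if (dev->info.wps_sec_dev_type_list_len > WPS_SEC_DEV_TYPE_MAX_LEN)
-+ dev->info.wps_sec_dev_type_list_len = WPS_SEC_DEV_TYPE_MAX_LEN;
-os_memcpy(dev->info.wps_sec_dev_type_list, cli->sec_dev_types,
-dev->info.wps_sec_dev_type_list_len);
-}
---
-2.17.1
-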
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/defconfig b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/defconfig deleted file mode 100644 index f04e398fdb..0000000000 --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/defconfig +++ /dev/null | |||
@@ -1,552 +0,0 @@ | |||
1 | # Example wpa_supplicant build time configuration | ||
2 | # | ||
3 | # This file lists the configuration options that are used when building the | ||
4 | # hostapd binary. All lines starting with # are ignored. Configuration option | ||
5 | # lines must be commented out complete, if they are not to be included, i.e., | ||
6 | # just setting VARIABLE=n is not disabling that variable. | ||
7 | # | ||
8 | # This file is included in Makefile, so variables like CFLAGS and LIBS can also | ||
9 | # be modified from here. In most cases, these lines should use += in order not | ||
10 | # to override previous values of the variables. | ||
11 | |||
12 | |||
13 | # Uncomment following two lines and fix the paths if you have installed OpenSSL | ||
14 | # or GnuTLS in non-default location | ||
15 | #CFLAGS += -I/usr/local/openssl/include | ||
16 | #LIBS += -L/usr/local/openssl/lib | ||
17 | |||
18 | # Some Red Hat versions seem to include kerberos header files from OpenSSL, but | ||
19 | # the kerberos files are not in the default include path. Following line can be | ||
20 | # used to fix build issues on such systems (krb5.h not found). | ||
21 | #CFLAGS += -I/usr/include/kerberos | ||
22 | |||
23 | # Example configuration for various cross-compilation platforms | ||
24 | |||
25 | #### sveasoft (e.g., for Linksys WRT54G) ###################################### | ||
26 | #CC=mipsel-uclibc-gcc | ||
27 | #CC=/opt/brcm/hndtools-mipsel-uclibc/bin/mipsel-uclibc-gcc | ||
28 | #CFLAGS += -Os | ||
29 | #CPPFLAGS += -I../src/include -I../../src/router/openssl/include | ||
30 | #LIBS += -L/opt/brcm/hndtools-mipsel-uclibc-0.9.19/lib -lssl | ||
31 | ############################################################################### | ||
32 | |||
33 | #### openwrt (e.g., for Linksys WRT54G) ####################################### | ||
34 | #CC=mipsel-uclibc-gcc | ||
35 | #CC=/opt/brcm/hndtools-mipsel-uclibc/bin/mipsel-uclibc-gcc | ||
36 | #CFLAGS += -Os | ||
37 | #CPPFLAGS=-I../src/include -I../openssl-0.9.7d/include \ | ||
38 | # -I../WRT54GS/release/src/include | ||
39 | #LIBS = -lssl | ||
40 | ############################################################################### | ||
41 | |||
42 | |||
43 | # Driver interface for Host AP driver | ||
44 | CONFIG_DRIVER_HOSTAP=y | ||
45 | |||
46 | # Driver interface for Agere driver | ||
47 | #CONFIG_DRIVER_HERMES=y | ||
48 | # Change include directories to match with the local setup | ||
49 | #CFLAGS += -I../../hcf -I../../include -I../../include/hcf | ||
50 | #CFLAGS += -I../../include/wireless | ||
51 | |||
52 | # Driver interface for madwifi driver | ||
53 | # Deprecated; use CONFIG_DRIVER_WEXT=y instead. | ||
54 | #CONFIG_DRIVER_MADWIFI=y | ||
55 | # Set include directory to the madwifi source tree | ||
56 | #CFLAGS += -I../../madwifi | ||
57 | |||
58 | # Driver interface for ndiswrapper | ||
59 | # Deprecated; use CONFIG_DRIVER_WEXT=y instead. | ||
60 | #CONFIG_DRIVER_NDISWRAPPER=y | ||
61 | |||
62 | # Driver interface for Atmel driver | ||
63 | # CONFIG_DRIVER_ATMEL=y | ||
64 | |||
65 | # Driver interface for old Broadcom driver | ||
66 | # Please note that the newer Broadcom driver ("hybrid Linux driver") supports | ||
67 | # Linux wireless extensions and does not need (or even work) with the old | ||
68 | # driver wrapper. Use CONFIG_DRIVER_WEXT=y with that driver. | ||
69 | #CONFIG_DRIVER_BROADCOM=y | ||
70 | # Example path for wlioctl.h; change to match your configuration | ||
71 | #CFLAGS += -I/opt/WRT54GS/release/src/include | ||
72 | |||
73 | # Driver interface for Intel ipw2100/2200 driver | ||
74 | # Deprecated; use CONFIG_DRIVER_WEXT=y instead. | ||
75 | #CONFIG_DRIVER_IPW=y | ||
76 | |||
77 | # Driver interface for Ralink driver | ||
78 | #CONFIG_DRIVER_RALINK=y | ||
79 | |||
80 | # Driver interface for generic Linux wireless extensions | ||
81 | # Note: WEXT is deprecated in the current Linux kernel version and no new | ||
82 | # functionality is added to it. nl80211-based interface is the new | ||
83 | # replacement for WEXT and its use allows wpa_supplicant to properly control | ||
84 | # the driver to improve existing functionality like roaming and to support new | ||
85 | # functionality. | ||
86 | CONFIG_DRIVER_WEXT=y | ||
87 | |||
88 | # Driver interface for Linux drivers using the nl80211 kernel interface | ||
89 | CONFIG_DRIVER_NL80211=y | ||
90 | |||
91 | # driver_nl80211.c requires libnl. If you are compiling it yourself | ||
92 | # you may need to point hostapd to your version of libnl. | ||
93 | # | ||
94 | #CFLAGS += -I$<path to libnl include files> | ||
95 | #LIBS += -L$<path to libnl library files> | ||
96 | |||
97 | # Use libnl v2.0 (or 3.0) libraries. | ||
98 | #CONFIG_LIBNL20=y | ||
99 | |||
100 | # Use libnl 3.2 libraries (if this is selected, CONFIG_LIBNL20 is ignored) | ||
101 | CONFIG_LIBNL32=y | ||
102 | |||
103 | |||
104 | # Driver interface for FreeBSD net80211 layer (e.g., Atheros driver) | ||
105 | #CONFIG_DRIVER_BSD=y | ||
106 | #CFLAGS += -I/usr/local/include | ||
107 | #LIBS += -L/usr/local/lib | ||
108 | #LIBS_p += -L/usr/local/lib | ||
109 | #LIBS_c += -L/usr/local/lib | ||
110 | |||
111 | # Driver interface for Windows NDIS | ||
112 | #CONFIG_DRIVER_NDIS=y | ||
113 | #CFLAGS += -I/usr/include/w32api/ddk | ||
114 | #LIBS += -L/usr/local/lib | ||
115 | # For native build using mingw | ||
116 | #CONFIG_NATIVE_WINDOWS=y | ||
117 | # Additional directories for cross-compilation on Linux host for mingw target | ||
118 | #CFLAGS += -I/opt/mingw/mingw32/include/ddk | ||
119 | #LIBS += -L/opt/mingw/mingw32/lib | ||
120 | #CC=mingw32-gcc | ||
121 | # By default, driver_ndis uses WinPcap for low-level operations. This can be | ||
122 | # replaced with the following option which replaces WinPcap calls with NDISUIO. | ||
123 | # However, this requires that WZC is disabled (net stop wzcsvc) before starting | ||
124 | # wpa_supplicant. | ||
125 | # CONFIG_USE_NDISUIO=y | ||
126 | |||
127 | # Driver interface for development testing | ||
128 | #CONFIG_DRIVER_TEST=y | ||
129 | |||
130 | # Driver interface for wired Ethernet drivers | ||
131 | CONFIG_DRIVER_WIRED=y | ||
132 | |||
133 | # Driver interface for the Broadcom RoboSwitch family | ||
134 | #CONFIG_DRIVER_ROBOSWITCH=y | ||
135 | |||
136 | # Driver interface for no driver (e.g., WPS ER only) | ||
137 | #CONFIG_DRIVER_NONE=y | ||
138 | |||
139 | # Enable IEEE 802.1X Supplicant (automatically included if any EAP method is | ||
140 | # included) | ||
141 | CONFIG_IEEE8021X_EAPOL=y | ||
142 | |||
143 | # EAP-MD5 | ||
144 | CONFIG_EAP_MD5=y | ||
145 | |||
146 | # EAP-MSCHAPv2 | ||
147 | CONFIG_EAP_MSCHAPV2=y | ||
148 | |||
149 | # EAP-TLS | ||
150 | CONFIG_EAP_TLS=y | ||
151 | |||
152 | # EAL-PEAP | ||
153 | CONFIG_EAP_PEAP=y | ||
154 | |||
155 | # EAP-TTLS | ||
156 | CONFIG_EAP_TTLS=y | ||
157 | |||
158 | # EAP-FAST | ||
159 | # Note: If OpenSSL is used as the TLS library, OpenSSL 1.0 or newer is needed | ||
160 | # for EAP-FAST support. Older OpenSSL releases would need to be patched, e.g., | ||
161 | # with openssl-0.9.8x-tls-extensions.patch, to add the needed functions. | ||
162 | #CONFIG_EAP_FAST=y | ||
163 | |||
164 | # EAP-GTC | ||
165 | CONFIG_EAP_GTC=y | ||
166 | |||
167 | # EAP-OTP | ||
168 | CONFIG_EAP_OTP=y | ||
169 | |||
170 | # EAP-SIM (enable CONFIG_PCSC, if EAP-SIM is used) | ||
171 | #CONFIG_EAP_SIM=y | ||
172 | |||
173 | # EAP-PSK (experimental; this is _not_ needed for WPA-PSK) | ||
174 | #CONFIG_EAP_PSK=y | ||
175 | |||
176 | # EAP-pwd (secure authentication using only a password) | ||
177 | #CONFIG_EAP_PWD=y | ||
178 | |||
179 | # EAP-PAX | ||
180 | #CONFIG_EAP_PAX=y | ||
181 | |||
182 | # LEAP | ||
183 | CONFIG_EAP_LEAP=y | ||
184 | |||
185 | # EAP-AKA (enable CONFIG_PCSC, if EAP-AKA is used) | ||
186 | #CONFIG_EAP_AKA=y | ||
187 | |||
188 | # EAP-AKA' (enable CONFIG_PCSC, if EAP-AKA' is used). | ||
189 | # This requires CONFIG_EAP_AKA to be enabled, too. | ||
190 | #CONFIG_EAP_AKA_PRIME=y | ||
191 | |||
192 | # Enable USIM simulator (Milenage) for EAP-AKA | ||
193 | #CONFIG_USIM_SIMULATOR=y | ||
194 | |||
195 | # EAP-SAKE | ||
196 | #CONFIG_EAP_SAKE=y | ||
197 | |||
198 | # EAP-GPSK | ||
199 | #CONFIG_EAP_GPSK=y | ||
200 | # Include support for optional SHA256 cipher suite in EAP-GPSK | ||
201 | #CONFIG_EAP_GPSK_SHA256=y | ||
202 | |||
203 | # EAP-TNC and related Trusted Network Connect support (experimental) | ||
204 | #CONFIG_EAP_TNC=y | ||
205 | |||
206 | # Wi-Fi Protected Setup (WPS) | ||
207 | CONFIG_WPS=y | ||
208 | # Enable WSC 2.0 support | ||
209 | #CONFIG_WPS2=y | ||
210 | # Enable WPS external registrar functionality | ||
211 | #CONFIG_WPS_ER=y | ||
212 | # Disable credentials for an open network by default when acting as a WPS | ||
213 | # registrar. | ||
214 | #CONFIG_WPS_REG_DISABLE_OPEN=y | ||
215 | # Enable WPS support with NFC config method | ||
216 | #CONFIG_WPS_NFC=y | ||
217 | |||
218 | # EAP-IKEv2 | ||
219 | #CONFIG_EAP_IKEV2=y | ||
220 | |||
221 | # EAP-EKE | ||
222 | #CONFIG_EAP_EKE=y | ||
223 | |||
224 | # PKCS#12 (PFX) support (used to read private key and certificate file from | ||
225 | # a file that usually has extension .p12 or .pfx) | ||
226 | CONFIG_PKCS12=y | ||
227 | |||
228 | # Smartcard support (i.e., private key on a smartcard), e.g., with openssl | ||
229 | # engine. | ||
230 | CONFIG_SMARTCARD=y | ||
231 | |||
232 | # PC/SC interface for smartcards (USIM, GSM SIM) | ||
233 | # Enable this if EAP-SIM or EAP-AKA is included | ||
234 | #CONFIG_PCSC=y | ||
235 | |||
236 | # Support HT overrides (disable HT/HT40, mask MCS rates, etc.) | ||
237 | #CONFIG_HT_OVERRIDES=y | ||
238 | |||
239 | # Support VHT overrides (disable VHT, mask MCS rates, etc.) | ||
240 | #CONFIG_VHT_OVERRIDES=y | ||
241 | |||
242 | # Development testing | ||
243 | #CONFIG_EAPOL_TEST=y | ||
244 | |||
245 | # Select control interface backend for external programs, e.g, wpa_cli: | ||
246 | # unix = UNIX domain sockets (default for Linux/*BSD) | ||
247 | # udp = UDP sockets using localhost (127.0.0.1) | ||
248 | # named_pipe = Windows Named Pipe (default for Windows) | ||
249 | # udp-remote = UDP sockets with remote access (only for tests systems/purpose) | ||
250 | # y = use default (backwards compatibility) | ||
251 | # If this option is commented out, control interface is not included in the | ||
252 | # build. | ||
253 | CONFIG_CTRL_IFACE=y | ||
254 | |||
255 | # Include support for GNU Readline and History Libraries in wpa_cli. | ||
256 | # When building a wpa_cli binary for distribution, please note that these | ||
257 | # libraries are licensed under GPL and as such, BSD license may not apply for | ||
258 | # the resulting binary. | ||
259 | #CONFIG_READLINE=y | ||
260 | |||
261 | # Include internal line edit mode in wpa_cli. This can be used as a replacement | ||
262 | # for GNU Readline to provide limited command line editing and history support. | ||
263 | #CONFIG_WPA_CLI_EDIT=y | ||
264 | |||
265 | # Remove debugging code that is printing out debug message to stdout. | ||
266 | # This can be used to reduce the size of the wpa_supplicant considerably | ||
267 | # if debugging code is not needed. The size reduction can be around 35% | ||
268 | # (e.g., 90 kB). | ||
269 | #CONFIG_NO_STDOUT_DEBUG=y | ||
270 | |||
271 | # Remove WPA support, e.g., for wired-only IEEE 802.1X supplicant, to save | ||
272 | # 35-50 kB in code size. | ||
273 | #CONFIG_NO_WPA=y | ||
274 | |||
275 | # Remove IEEE 802.11i/WPA-Personal ASCII passphrase support | ||
276 | # This option can be used to reduce code size by removing support for | ||
277 | # converting ASCII passphrases into PSK. If this functionality is removed, the | ||
278 | # PSK can only be configured as the 64-octet hexstring (e.g., from | ||
279 | # wpa_passphrase). This saves about 0.5 kB in code size. | ||
280 | #CONFIG_NO_WPA_PASSPHRASE=y | ||
281 | |||
282 | # Disable scan result processing (ap_mode=1) to save code size by about 1 kB. | ||
283 | # This can be used if ap_scan=1 mode is never enabled. | ||
284 | #CONFIG_NO_SCAN_PROCESSING=y | ||
285 | |||
286 | # Select configuration backend: | ||
287 | # file = text file (e.g., wpa_supplicant.conf; note: the configuration file | ||
288 | # path is given on command line, not here; this option is just used to | ||
289 | # select the backend that allows configuration files to be used) | ||
290 | # winreg = Windows registry (see win_example.reg for an example) | ||
291 | CONFIG_BACKEND=file | ||
292 | |||
293 | # Remove configuration write functionality (i.e., to allow the configuration | ||
294 | # file to be updated based on runtime configuration changes). The runtime | ||
295 | # configuration can still be changed, the changes are just not going to be | ||
296 | # persistent over restarts. This option can be used to reduce code size by | ||
297 | # about 3.5 kB. | ||
298 | #CONFIG_NO_CONFIG_WRITE=y | ||
299 | |||
300 | # Remove support for configuration blobs to reduce code size by about 1.5 kB. | ||
301 | #CONFIG_NO_CONFIG_BLOBS=y | ||
302 | |||
303 | # Select program entry point implementation: | ||
304 | # main = UNIX/POSIX like main() function (default) | ||
305 | # main_winsvc = Windows service (read parameters from registry) | ||
306 | # main_none = Very basic example (development use only) | ||
307 | #CONFIG_MAIN=main | ||
308 | |||
309 | # Select wrapper for operatins system and C library specific functions | ||
310 | # unix = UNIX/POSIX like systems (default) | ||
311 | # win32 = Windows systems | ||
312 | # none = Empty template | ||
313 | #CONFIG_OS=unix | ||
314 | |||
315 | # Select event loop implementation | ||
316 | # eloop = select() loop (default) | ||
317 | # eloop_win = Windows events and WaitForMultipleObject() loop | ||
318 | #CONFIG_ELOOP=eloop | ||
319 | |||
320 | # Should we use poll instead of select? Select is used by default. | ||
321 | #CONFIG_ELOOP_POLL=y | ||
322 | |||
323 | # Select layer 2 packet implementation | ||
324 | # linux = Linux packet socket (default) | ||
325 | # pcap = libpcap/libdnet/WinPcap | ||
326 | # freebsd = FreeBSD libpcap | ||
327 | # winpcap = WinPcap with receive thread | ||
328 | # ndis = Windows NDISUIO (note: requires CONFIG_USE_NDISUIO=y) | ||
329 | # none = Empty template | ||
330 | #CONFIG_L2_PACKET=linux | ||
331 | |||
332 | # PeerKey handshake for Station to Station Link (IEEE 802.11e DLS) | ||
333 | CONFIG_PEERKEY=y | ||
334 | |||
335 | # IEEE 802.11w (management frame protection), also known as PMF | ||
336 | # Driver support is also needed for IEEE 802.11w. | ||
337 | #CONFIG_IEEE80211W=y | ||
338 | |||
339 | # Select TLS implementation | ||
340 | # openssl = OpenSSL (default) | ||
341 | # gnutls = GnuTLS | ||
342 | # internal = Internal TLSv1 implementation (experimental) | ||
343 | # none = Empty template | ||
344 | #CONFIG_TLS=openssl | ||
345 | |||
346 | # TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1) | ||
347 | # can be enabled to get a stronger construction of messages when block ciphers | ||
348 | # are used. It should be noted that some existing TLS v1.0 -based | ||
349 | # implementation may not be compatible with TLS v1.1 message (ClientHello is | ||
350 | # sent prior to negotiating which version will be used) | ||
351 | #CONFIG_TLSV11=y | ||
352 | |||
353 | # TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2) | ||
354 | # can be enabled to enable use of stronger crypto algorithms. It should be | ||
355 | # noted that some existing TLS v1.0 -based implementation may not be compatible | ||
356 | # with TLS v1.2 message (ClientHello is sent prior to negotiating which version | ||
357 | # will be used) | ||
358 | #CONFIG_TLSV12=y | ||
359 | |||
360 | # If CONFIG_TLS=internal is used, additional library and include paths are | ||
361 | # needed for LibTomMath. Alternatively, an integrated, minimal version of | ||
362 | # LibTomMath can be used. See beginning of libtommath.c for details on benefits | ||
363 | # and drawbacks of this option. | ||
364 | #CONFIG_INTERNAL_LIBTOMMATH=y | ||
365 | #ifndef CONFIG_INTERNAL_LIBTOMMATH | ||
366 | #LTM_PATH=/usr/src/libtommath-0.39 | ||
367 | #CFLAGS += -I$(LTM_PATH) | ||
368 | #LIBS += -L$(LTM_PATH) | ||
369 | #LIBS_p += -L$(LTM_PATH) | ||
370 | #endif | ||
371 | # At the cost of about 4 kB of additional binary size, the internal LibTomMath | ||
372 | # can be configured to include faster routines for exptmod, sqr, and div to | ||
373 | # speed up DH and RSA calculation considerably | ||
374 | #CONFIG_INTERNAL_LIBTOMMATH_FAST=y | ||
375 | |||
376 | # Include NDIS event processing through WMI into wpa_supplicant/wpasvc. | ||
377 | # This is only for Windows builds and requires WMI-related header files and | ||
378 | # WbemUuid.Lib from Platform SDK even when building with MinGW. | ||
379 | #CONFIG_NDIS_EVENTS_INTEGRATED=y | ||
380 | #PLATFORMSDKLIB="/opt/Program Files/Microsoft Platform SDK/Lib" | ||
381 | |||
382 | # Add support for old DBus control interface | ||
383 | # (fi.epitest.hostap.WPASupplicant) | ||
384 | #CONFIG_CTRL_IFACE_DBUS=y | ||
385 | |||
386 | # Add support for new DBus control interface | ||
387 | # (fi.w1.hostap.wpa_supplicant1) | ||
388 | CONFIG_CTRL_IFACE_DBUS_NEW=y | ||
389 | |||
390 | # Add introspection support for new DBus control interface | ||
391 | #CONFIG_CTRL_IFACE_DBUS_INTRO=y | ||
392 | |||
393 | # Add support for loading EAP methods dynamically as shared libraries. | ||
394 | # When this option is enabled, each EAP method can be either included | ||
395 | # statically (CONFIG_EAP_<method>=y) or dynamically (CONFIG_EAP_<method>=dyn). | ||
396 | # Dynamic EAP methods are build as shared objects (eap_*.so) and they need to | ||
397 | # be loaded in the beginning of the wpa_supplicant configuration file | ||
398 | # (see load_dynamic_eap parameter in the example file) before being used in | ||
399 | # the network blocks. | ||
400 | # | ||
401 | # Note that some shared parts of EAP methods are included in the main program | ||
402 | # and in order to be able to use dynamic EAP methods using these parts, the | ||
403 | # main program must have been build with the EAP method enabled (=y or =dyn). | ||
404 | # This means that EAP-TLS/PEAP/TTLS/FAST cannot be added as dynamic libraries | ||
405 | # unless at least one of them was included in the main build to force inclusion | ||
406 | # of the shared code. Similarly, at least one of EAP-SIM/AKA must be included | ||
407 | # in the main build to be able to load these methods dynamically. | ||
408 | # | ||
409 | # Please also note that using dynamic libraries will increase the total binary | ||
410 | # size. Thus, it may not be the best option for targets that have limited | ||
411 | # amount of memory/flash. | ||
412 | #CONFIG_DYNAMIC_EAP_METHODS=y | ||
413 | |||
414 | # IEEE Std 802.11r-2008 (Fast BSS Transition) | ||
415 | #CONFIG_IEEE80211R=y | ||
416 | |||
417 | # Add support for writing debug log to a file (/tmp/wpa_supplicant-log-#.txt) | ||
418 | #CONFIG_DEBUG_FILE=y | ||
419 | |||
420 | # Send debug messages to syslog instead of stdout | ||
421 | #CONFIG_DEBUG_SYSLOG=y | ||
422 | # Set syslog facility for debug messages | ||
423 | #CONFIG_DEBUG_SYSLOG_FACILITY=LOG_DAEMON | ||
424 | |||
425 | # Add support for sending all debug messages (regardless of debug verbosity) | ||
426 | # to the Linux kernel tracing facility. This helps debug the entire stack by | ||
427 | # making it easy to record everything happening from the driver up into the | ||
428 | # same file, e.g., using trace-cmd. | ||
429 | #CONFIG_DEBUG_LINUX_TRACING=y | ||
430 | |||
431 | # Enable privilege separation (see README 'Privilege separation' for details) | ||
432 | #CONFIG_PRIVSEP=y | ||
433 | |||
434 | # Enable mitigation against certain attacks against TKIP by delaying Michael | ||
435 | # MIC error reports by a random amount of time between 0 and 60 seconds | ||
436 | #CONFIG_DELAYED_MIC_ERROR_REPORT=y | ||
437 | |||
438 | # Enable tracing code for developer debugging | ||
439 | # This tracks use of memory allocations and other registrations and reports | ||
440 | # incorrect use with a backtrace of call (or allocation) location. | ||
441 | #CONFIG_WPA_TRACE=y | ||
442 | # For BSD, uncomment these. | ||
443 | #LIBS += -lexecinfo | ||
444 | #LIBS_p += -lexecinfo | ||
445 | #LIBS_c += -lexecinfo | ||
446 | |||
447 | # Use libbfd to get more details for developer debugging | ||
448 | # This enables use of libbfd to get more detailed symbols for the backtraces | ||
449 | # generated by CONFIG_WPA_TRACE=y. | ||
450 | #CONFIG_WPA_TRACE_BFD=y | ||
451 | # For BSD, uncomment these. | ||
452 | #LIBS += -lbfd -liberty -lz | ||
453 | #LIBS_p += -lbfd -liberty -lz | ||
454 | #LIBS_c += -lbfd -liberty -lz | ||
455 | |||
456 | CONFIG_TLS = %ssl% | ||
457 | CONFIG_CTRL_IFACE_DBUS=y | ||
458 | CONFIG_CTRL_IFACE_DBUS_NEW=y | ||
459 | |||
460 | # wpa_supplicant depends on strong random number generation being available | ||
461 | # from the operating system. os_get_random() function is used to fetch random | ||
462 | # data when needed, e.g., for key generation. On Linux and BSD systems, this | ||
463 | # works by reading /dev/urandom. It should be noted that the OS entropy pool | ||
464 | # needs to be properly initialized before wpa_supplicant is started. This is | ||
465 | # important especially on embedded devices that do not have a hardware random | ||
466 | # number generator and may by default start up with minimal entropy available | ||
467 | # for random number generation. | ||
468 | # | ||
469 | # As a safety net, wpa_supplicant is by default trying to internally collect | ||
470 | # additional entropy for generating random data to mix in with the data fetched | ||
471 | # from the OS. This by itself is not considered to be very strong, but it may | ||
472 | # help in cases where the system pool is not initialized properly. However, it | ||
473 | # is very strongly recommended that the system pool is initialized with enough | ||
474 | # entropy either by using hardware assisted random number generator or by | ||
475 | # storing state over device reboots. | ||
476 | # | ||
477 | # wpa_supplicant can be configured to maintain its own entropy store over | ||
478 | # restarts to enhance random number generation. This is not perfect, but it is | ||
479 | # much more secure than using the same sequence of random numbers after every | ||
480 | # reboot. This can be enabled with -e<entropy file> command line option. The | ||
481 | # specified file needs to be readable and writable by wpa_supplicant. | ||
482 | # | ||
483 | # If the os_get_random() is known to provide strong random data (e.g., on | ||
484 | # Linux/BSD, the board in question is known to have reliable source of random | ||
485 | # data from /dev/urandom), the internal wpa_supplicant random pool can be | ||
486 | # disabled. This will save some in binary size and CPU use. However, this | ||
487 | # should only be considered for builds that are known to be used on devices | ||
488 | # that meet the requirements described above. | ||
489 | #CONFIG_NO_RANDOM_POOL=y | ||
490 | |||
491 | # IEEE 802.11n (High Throughput) support (mainly for AP mode) | ||
492 | #CONFIG_IEEE80211N=y | ||
493 | |||
494 | # IEEE 802.11ac (Very High Throughput) support (mainly for AP mode) | ||
495 | # (depends on CONFIG_IEEE80211N) | ||
496 | #CONFIG_IEEE80211AC=y | ||
497 | |||
498 | # Wireless Network Management (IEEE Std 802.11v-2011) | ||
499 | # Note: This is experimental and not complete implementation. | ||
500 | #CONFIG_WNM=y | ||
501 | |||
502 | # Interworking (IEEE 802.11u) | ||
503 | # This can be used to enable functionality to improve interworking with | ||
504 | # external networks (GAS/ANQP to learn more about the networks and network | ||
505 | # selection based on available credentials). | ||
506 | #CONFIG_INTERWORKING=y | ||
507 | |||
508 | # Hotspot 2.0 | ||
509 | #CONFIG_HS20=y | ||
510 | |||
511 | # Disable roaming in wpa_supplicant | ||
512 | #CONFIG_NO_ROAMING=y | ||
513 | |||
514 | # AP mode operations with wpa_supplicant | ||
515 | # This can be used for controlling AP mode operations with wpa_supplicant. It | ||
516 | # should be noted that this is mainly aimed at simple cases like | ||
517 | # WPA2-Personal while more complex configurations like WPA2-Enterprise with an | ||
518 | # external RADIUS server can be supported with hostapd. | ||
519 | CONFIG_AP=y | ||
520 | |||
521 | CONFIG_BGSCAN_SIMPLE=y | ||
522 | |||
523 | # P2P (Wi-Fi Direct) | ||
524 | # This can be used to enable P2P support in wpa_supplicant. See README-P2P for | ||
525 | # more information on P2P operations. | ||
526 | #CONFIG_P2P=y | ||
527 | |||
528 | # Enable TDLS support | ||
529 | #CONFIG_TDLS=y | ||
530 | |||
531 | # Wi-Fi Direct | ||
532 | # This can be used to enable Wi-Fi Direct extensions for P2P using an external | ||
533 | # program to control the additional information exchanges in the messages. | ||
534 | #CONFIG_WIFI_DISPLAY=y | ||
535 | |||
536 | # Autoscan | ||
537 | # This can be used to enable automatic scan support in wpa_supplicant. | ||
538 | # See wpa_supplicant.conf for more information on autoscan usage. | ||
539 | # | ||
540 | # Enabling directly a module will enable autoscan support. | ||
541 | # For exponential module: | ||
542 | CONFIG_AUTOSCAN_EXPONENTIAL=y | ||
543 | # For periodic module: | ||
544 | #CONFIG_AUTOSCAN_PERIODIC=y | ||
545 | |||
546 | # Password (and passphrase, etc.) backend for external storage | ||
547 | # These optional mechanisms can be used to add support for storing passwords | ||
548 | # and other secrets in external (to wpa_supplicant) location. This allows, for | ||
549 | # example, operating system specific key storage to be used | ||
550 | # | ||
551 | # External password backend for testing purposes (developer use) | ||
552 | #CONFIG_EXT_PASSWORD_TEST=y | ||
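--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb
@@ -0,0 +1,138 @@
+SUMMARY = "Client for Wi-Fi Protected Access (WPA)"
+DESCRIPTION = "wpa_supplicant is a WPA Supplicant for Linux, BSD, Mac OS X, and Windows with support for WPA and WPA2 (IEEE 802.11i / RSN). Supplicant is the IEEE 802.1X/WPA component that is used in the client stations. It implements key negotiation with a WPA Authenticator and it controls the roaming and IEEE 802.11 authentication/association of the wlan driver."
+HOMEPAGE = "http://w1.fi/wpa_supplicant/"
+BUGTRACKER = "http://w1.fi/security/"
+SECTION = "network"
+LICENSE = "BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://COPYING;md5=5ebcb90236d1ad640558c3d3cd3035df \
+file://README;beginline=1;endline=56;md5=e3d2f6c2948991e37c1ca4960de84747 \
+file://wpa_supplicant/wpa_supplicant.c;beginline=1;endline=12;md5=76306a95306fee9a976b0ac1be70f705"
+
+DEPENDS = "dbus libnl"
+
+SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \
+file://wpa-supplicant.sh \
+file://wpa_supplicant.conf \
+file://wpa_supplicant.conf-sane \
+file://99_wpa_supplicant \
+file://0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch \
+file://0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch \
+file://0001-Install-wpa_passphrase-when-not-disabled.patch \
+file://0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch \
+"
+SRC_URI[sha256sum] = "20df7ae5154b3830355f8ab4269123a87affdea59fe74fe9292a91d0d7e17b2f"
+
+S = "${WORKDIR}/wpa_supplicant-${PV}"
+
+inherit pkgconfig systemd
+
+PACKAGECONFIG ?= "openssl"
+PACKAGECONFIG[gnutls] = ",,gnutls libgcrypt"
+PACKAGECONFIG[openssl] = ",,openssl"
+
+CVE_PRODUCT = "wpa_supplicant"
+
+EXTRA_OEMAKE = "'LIBDIR=${libdir}' 'INCDIR=${includedir}' 'BINDIR=${sbindir}'"
+
+do_configure () {
+${MAKE} -C wpa_supplicant clean
+sed -e '/^CONFIG_TLS=/d' <wpa_supplicant/defconfig >wpa_supplicant/.config
+
+if ${@ bb.utils.contains('PACKAGECONFIG', 'openssl', 'true', 'false', d) }; then
+echo 'CONFIG_TLS=openssl' >>wpa_supplicant/.config
+elif ${@ bb.utils.contains('PACKAGECONFIG', 'gnutls', 'true', 'false', d) }; then
+echo 'CONFIG_TLS=gnutls' >>wpa_supplicant/.config
+sed -i -e 's/\(^CONFIG_DPP=\)/#\1/' \
+-e 's/\(^CONFIG_EAP_PWD=\)/#\1/' \
+-e 's/\(^CONFIG_SAE=\)/#\1/' wpa_supplicant/.config
+fi
+
+# For rebuild
+rm -f wpa_supplicant/*.d wpa_supplicant/dbus/*.d
+}
+
+do_compile () {
+oe_runmake -C wpa_supplicant
+if [ -z "${DISABLE_STATIC}" ]; then
+oe_runmake -C wpa_supplicant libwpa_client.a
+fi
+}
+
+do_install () {
+oe_runmake -C wpa_supplicant DESTDIR="${D}" install
+
+install -d ${D}${docdir}/wpa_supplicant
+install -m 644 wpa_supplicant/README ${WORKDIR}/wpa_supplicant.conf ${D}${docdir}/wpa_supplicant
+
+install -d ${D}${sysconfdir}
+install -m 600 ${WORKDIR}/wpa_supplicant.conf-sane ${D}${sysconfdir}/wpa_supplicant.conf
+
+install -d ${D}${sysconfdir}/network/if-pre-up.d/
+install -d ${D}${sysconfdir}/network/if-post-down.d/
+install -d ${D}${sysconfdir}/network/if-down.d/
+install -m 755 ${WORKDIR}/wpa-supplicant.sh ${D}${sysconfdir}/network/if-pre-up.d/wpa-supplicant
+ln -sf ../if-pre-up.d/wpa-supplicant ${D}${sysconfdir}/network/if-post-down.d/wpa-supplicant
+
+install -d ${D}/${sysconfdir}/dbus-1/system.d
+install -m 644 ${S}/wpa_supplicant/dbus/dbus-wpa_supplicant.conf ${D}/${sysconfdir}/dbus-1/system.d
+install -d ${D}/${datadir}/dbus-1/system-services
+install -m 644 ${S}/wpa_supplicant/dbus/*.service ${D}/${datadir}/dbus-1/system-services
+
+if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
+install -d ${D}/${systemd_system_unitdir}
+install -m 644 ${S}/wpa_supplicant/systemd/*.service ${D}/${systemd_system_unitdir}
+fi
+
+install -d ${D}/etc/default/volatiles
+install -m 0644 ${WORKDIR}/99_wpa_supplicant ${D}/etc/default/volatiles
+
+install -d ${D}${includedir}
+install -m 0644 ${S}/src/common/wpa_ctrl.h ${D}${includedir}
+
+if [ -z "${DISABLE_STATIC}" ]; then
+install -d ${D}${libdir}
+install -m 0644 wpa_supplicant/libwpa_client.a ${D}${libdir}
+fi
+}
+
+pkg_postinst:${PN} () {
+# If we're offline, we don't need to do this.
+if [ "x$D" = "x" ]; then
+killall -q -HUP dbus-daemon || true
+fi
+}
+
+PACKAGE_BEFORE_PN += "${PN}-passphrase ${PN}-cli"
+PACKAGES =+ "${PN}-lib"
+PACKAGES += "${PN}-plugins"
+ALLOW_EMPTY:${PN}-plugins = "1"
+
+PACKAGES_DYNAMIC += "^${PN}-plugin-.*$"
+NOAUTOPACKAGEDEBUG = "1"
+
+FILES:${PN}-passphrase = "${sbindir}/wpa_passphrase"
+FILES:${PN}-cli = "${sbindir}/wpa_cli"
+FILES:${PN}-lib = "${libdir}/libwpa_client*${SOLIBSDEV}"
+FILES:${PN} += "${datadir}/dbus-1/system-services/* ${systemd_system_unitdir}/*"
+FILES:${PN}-dbg += "${sbindir}/.debug ${libdir}/.debug"
+
+CONFFILES:${PN} += "${sysconfdir}/wpa_supplicant.conf"
+
+RRECOMMENDS:${PN} = "${PN}-passphrase ${PN}-cli ${PN}-plugins"
+
+SYSTEMD_SERVICE:${PN} = "wpa_supplicant.service"
+SYSTEMD_AUTO_ENABLE = "disable"
+
+python split_wpa_supplicant_libs () {
+libdir = d.expand('${libdir}/wpa_supplicant')
+dbglibdir = os.path.join(libdir, '.debug')
+
+split_packages = do_split_packages(d, libdir, r'^(.*)\.so', '${PN}-plugin-%s', 'wpa_supplicant %s plugin', prepend=True)
+split_dbg_packages = do_split_packages(d, dbglibdir, r'^(.*)\.so', '${PN}-plugin-%s-dbg', 'wpa_supplicant %s plugin - Debugging files', prepend=True, extra_depends='${PN}-dbg')
+
+if split_packages:
+pn = d.getVar('PN')
+d.setVar('RRECOMMENDS:' + pn + '-plugins', ' '.join(split_packages))
+d.appendVar('RRECOMMENDS:' + pn + '-dbg', ' ' + ' '.join(split_dbg_packages))
+}
+PACKAGESPLITFUNCS += "split_wpa_supplicant_libs"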
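Review bot: In do_configure the gnutls branch comments out CONFIG_DPP, CONFIG_EAP_PWD and CONFIG_SAE without saying why, so an image built with the gnutls PACKAGECONFIG silently loses SAE (WPA3-Personal), DPP and EAP-pwd; a comment above that sed such as `# SAE, DPP and EAP-pwd are disabled for the GnuTLS build; such images cannot join WPA3-Personal networks` would make the trade-off visible to whoever picks the backend. The same if/elif has no else, so when PACKAGECONFIG names neither backend the CONFIG_TLS line stripped by the first sed is never written back and the build presumably falls through to the upstream Makefile default without a matching dependency; closing the chain with `else bbfatal "PACKAGECONFIG must select openssl or gnutls"` would fail early instead. Separately, SRC_URI still fetches the tarball over `http://`; the sha256sum pins its content, but an `https://` URL would also protect the fetch itself.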
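--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
+++ /dev/null
@@ -1,115 +0,0 @@
-SUMMARY = "Client for Wi-Fi Protected Access (WPA)"
-HOMEPAGE = "http://w1.fi/wpa_supplicant/"
-DESCRIPTION = "wpa_supplicant is a WPA Supplicant for Linux, BSD, Mac OS X, and Windows with support for WPA and WPA2 (IEEE 802.11i / RSN). Supplicant is the IEEE 802.1X/WPA component that is used in the client stations. It implements key negotiation with a WPA Authenticator and it controls the roaming and IEEE 802.11 authentication/association of the wlan driver."
-BUGTRACKER = "http://w1.fi/security/"
-SECTION = "network"
-LICENSE = "BSD-3-Clause"
-LIC_FILES_CHKSUM = "file://COPYING;md5=279b4f5abb9c153c285221855ddb78cc \
-file://README;beginline=1;endline=56;md5=e7d3dbb01f75f0b9799e192731d1e1ff \
-file://wpa_supplicant/wpa_supplicant.c;beginline=1;endline=12;md5=0a8b56d3543498b742b9c0e94cc2d18b"
-DEPENDS = "dbus libnl"
-RRECOMMENDS_${PN} = "wpa-supplicant-passphrase wpa-supplicant-cli"
-
-PACKAGECONFIG ??= "gnutls"
-PACKAGECONFIG[gnutls] = ",,gnutls libgcrypt"
-PACKAGECONFIG[openssl] = ",,openssl"
-
-inherit pkgconfig systemd
-
-SYSTEMD_SERVICE_${PN} = "wpa_supplicant.service"
-SYSTEMD_AUTO_ENABLE = "disable"
-
-SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \
-file://defconfig \
-file://wpa-supplicant.sh \
-file://wpa_supplicant.conf \
-file://wpa_supplicant.conf-sane \
-file://99_wpa_supplicant \
-file://0001-replace-systemd-install-Alias-with-WantedBy.patch \
-file://0001-AP-Silently-ignore-management-frame-from-unexpected-.patch \
-file://0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch \
-file://0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch \
-file://0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch \
-file://CVE-2021-0326.patch \
-"
-SRC_URI[md5sum] = "2d2958c782576dc9901092fbfecb4190"
-SRC_URI[sha256sum] = "fcbdee7b4a64bea8177973299c8c824419c413ec2e3a95db63dd6a5dc3541f17"
-
-CVE_PRODUCT = "wpa_supplicant"
-
-S = "${WORKDIR}/wpa_supplicant-${PV}"
-
-PACKAGES_prepend = "wpa-supplicant-passphrase wpa-supplicant-cli "
-FILES_wpa-supplicant-passphrase = "${bindir}/wpa_passphrase"
-FILES_wpa-supplicant-cli = "${sbindir}/wpa_cli"
-FILES_${PN} += "${datadir}/dbus-1/system-services/* ${systemd_system_unitdir}/*"
-CONFFILES_${PN} += "${sysconfdir}/wpa_supplicant.conf"
-
-do_configure () {
-${MAKE} -C wpa_supplicant clean
-install -m 0755 ${WORKDIR}/defconfig wpa_supplicant/.config
-
-if echo "${PACKAGECONFIG}" | grep -qw "openssl"; then
-ssl=openssl
-elif echo "${PACKAGECONFIG}" | grep -qw "gnutls"; then
-ssl=gnutls
-fi
-if [ -n "$ssl" ]; then
-sed -i "s/%ssl%/$ssl/" wpa_supplicant/.config
-fi
-
-# For rebuild
-rm -f wpa_supplicant/*.d wpa_supplicant/dbus/*.d
-}
-
-export EXTRA_CFLAGS = "${CFLAGS}"
-export BINDIR = "${sbindir}"
-
-do_compile () {
-unset CFLAGS CPPFLAGS CXXFLAGS
-sed -e "s:CFLAGS\ =.*:& \$(EXTRA_CFLAGS):g" -i ${S}/src/lib.rules
-oe_runmake -C wpa_supplicant
-}
-
-do_install () {
-install -d ${D}${sbindir}
-install -m 755 wpa_supplicant/wpa_supplicant ${D}${sbindir}
-install -m 755 wpa_supplicant/wpa_cli ${D}${sbindir}
-
-install -d ${D}${bindir}
-install -m 755 wpa_supplicant/wpa_passphrase ${D}${bindir}
-
-install -d ${D}${docdir}/wpa_supplicant
-install -m 644 wpa_supplicant/README ${WORKDIR}/wpa_supplicant.conf ${D}${docdir}/wpa_supplicant
-
-install -d ${D}${sysconfdir}
-install -m 600 ${WORKDIR}/wpa_supplicant.conf-sane ${D}${sysconfdir}/wpa_supplicant.conf
-
-install -d ${D}${sysconfdir}/network/if-pre-up.d/
-install -d ${D}${sysconfdir}/network/if-post-down.d/
-install -d ${D}${sysconfdir}/network/if-down.d/
-install -m 755 ${WORKDIR}/wpa-supplicant.sh ${D}${sysconfdir}/network/if-pre-up.d/wpa-supplicant
-cd ${D}${sysconfdir}/network/ && \
-ln -sf ../if-pre-up.d/wpa-supplicant if-post-down.d/wpa-supplicant
-
-install -d ${D}/${sysconfdir}/dbus-1/system.d
-install -m 644 ${S}/wpa_supplicant/dbus/dbus-wpa_supplicant.conf ${D}/${sysconfdir}/dbus-1/system.d
-install -d ${D}/${datadir}/dbus-1/system-services
-install -m 644 ${S}/wpa_supplicant/dbus/*.service ${D}/${datadir}/dbus-1/system-services
-
-if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
-install -d ${D}/${systemd_unitdir}/system
-install -m 644 ${S}/wpa_supplicant/systemd/*.service ${D}/${systemd_unitdir}/system
-fi
-
-install -d ${D}/etc/default/volatiles
-install -m 0644 ${WORKDIR}/99_wpa_supplicant ${D}/etc/default/volatiles
-}
-
-pkg_postinst_wpa-supplicant () {
-# If we're offline, we don't need to do this.
-if [ "x$D" = "x" ]; then
-killall -q -HUP dbus-daemon || true
-fi
-
-}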