diff --git a/security/wpa_supplicant/Makefile b/security/wpa_supplicant/Makefile index b381ed0f12dc..9319bb55675e 100644 --- a/security/wpa_supplicant/Makefile +++ b/security/wpa_supplicant/Makefile 
@@ -1,225 +1,225 @@ PORTNAME= wpa_supplicant PORTVERSION= 2.10 -PORTREVISION= 6 +PORTREVISION= 7 CATEGORIES= security net MASTER_SITES= https://w1.fi/releases/ MAINTAINER= cy@FreeBSD.org COMMENT= Supplicant (client) for WPA/802.1x protocols WWW= https://w1.fi/wpa_supplicant/ LICENSE= BSD3CLAUSE LICENSE_FILE= ${WRKSRC}/README USES= cpe gmake pkgconfig:build readline ssl BUILD_WRKSRC= ${WRKSRC}/wpa_supplicant INSTALL_WRKSRC= ${WRKSRC}/src CFLAGS+= ${CPPFLAGS} # USES=readline only augments CPPFLAGS and LDFLAGS CFLAGS+= -I${OPENSSLINC} CFLAGS+= -Wno-deprecated-declarations LDFLAGS+= -L${OPENSSLLIB} -lutil MAKE_ENV= V=1 SUB_FILES= pkg-message PORTDOCS= README ChangeLog CFG= ${BUILD_WRKSRC}/.config .if !exists(/etc/rc.d/wpa_supplicant) USE_RC_SUBR= wpa_supplicant .endif OPTIONS_MULTI= DRV EAP OPTIONS_MULTI_DRV= BSD WIRED NDIS TEST NONE #ROBOSWITCH OPTIONS_MULTI_EAP= TLS PEAP TTLS MD5 MSCHAPV2 GTC LEAP OTP PSK FAST \ SIM PWD PAX AKA AKA_PRIME SAKE GPSK TNC IKEV2 EKE OPTIONS_DEFINE= WPS WPS_ER WPS_NOREG WPS_NFC WPS_UPNP PKCS12 SMARTCARD \ HT_OVERRIDES VHT_OVERRIDES TLSV12 IEEE80211W \ IEEE80211R DEBUG_FILE DEBUG_SYSLOG PRIVSEP \ DELAYED_MIC IEEE80211N IEEE80211AC INTERWORKING \ IEEE8021X_EAPOL EAPOL_TEST \ HS20 NO_ROAMING P2P TDLS DBUS MATCH DOCS \ SIM_SIMULATOR USIM_SIMULATOR WEP OPTIONS_DEFAULT= BSD WIRED \ TLS PEAP TTLS MD5 MSCHAPV2 GTC LEAP OTP PSK \ WPS PKCS12 SMARTCARD IEEE80211R DEBUG_SYSLOG \ INTERWORKING HS20 DBUS MATCH IEEE80211R IEEE80211W \ IEEE8021X_EAPOL WPS_ER WPS_NFC WPS_UPNP \ FAST PWD PAX SAKE GPSK TNC IKEV2 EKE WEP OPTIONS_SUB= WPS_DESC= Wi-Fi Protected Setup WPS_ER_DESC= Enable WPS External Registrar WPS_NOREG_DESC= Disable open network credentials when registrar WPS_NFC_DESC= Near Field Communication (NFC) configuration WPS_UPNP_DESC= Universal Plug and Play support PKCS12_DESC= PKCS\#12 (PFS) support SMARTCARD_DESC= Private key on smartcard support HT_OVERRIDES_DESC= Disable HT/HT40, mask MCS rates, etc VHT_OVERRIDES_DESC= Disable VHT, mask MCS rates, 
etc TLSV12_DESC= Build with TLS v1.2 instead of TLS v1.0 IEEE80211AC_DESC= Very High Throughput, AP mode (IEEE 802.11ac) IEEE80211N_DESC= High Throughput, AP mode (IEEE 802.11n) IEEE80211R_DESC= Fast BSS Transition (IEEE 802.11r-2008) IEEE80211W_DESC= Management Frame Protection (IEEE 802.11w) IEEE8021X_EAPOL_DESC= EAP over LAN support EAPOL_TEST_DESC= Development testing DEBUG_FILE_DESC= Support for writing debug log to a file DEBUG_SYSLOG_DESC= Send debug messages to syslog instead of stdout PRIVSEP_DESC= Privilege separation DELAYED_MIC_DESC= Mitigate TKIP attack, random delay on MIC errors INTERWORKING_DESC= Improve ext. network interworking (IEEE 802.11u) HS20_DESC= Hotspot 2.0 NO_ROAMING_DESC= Disable roaming P2P_DESC= Peer-to-Peer support TDLS_DESC= Tunneled Direct Link Setup MATCH_DESC= Interface match mode DRV_DESC= Driver options BSD_DESC= BSD net80211 interface NDIS_DESC= Windows NDIS interface WIRED_DESC= Wired ethernet interface ROBOSWITCH_DESC= Broadcom Roboswitch interface TEST_DESC= Development testing interface NONE_DESC= The 'no driver' interface, e.g. 
WPS ER only EAP_DESC= Extensible Authentication Protocols TLS_DESC= Transport Layer Security PEAP_DESC= Protected Extensible Authentication Protocol TTLS_DESC= Tunneled Transport Layer Security MD5_DESC= MD5 hash (deprecated, no key generation) MSCHAPV2_DESC= Microsoft CHAP version 2 (RFC 2759) GTC_DESC= Generic Token Card LEAP_DESC= Lightweight Extensible Authentication Protocol OTP_DESC= One-Time Password PSK_DESC= Pre-Shared key FAST_DESC= Flexible Authentication via Secure Tunneling AKA_DESC= Autentication and Key Agreement (UMTS) AKA_PRIME_DESC= AKA Prime variant (RFC 5448) EKE_DESC= Encrypted Key Exchange WEP_DESC= WEP support SIM_DESC= Subscriber Identity Module SIM_SIMULATOR_DESC= SIM simulator (Milenage) for EAP-SIM USIM_SIMULATOR_DESC= SIM simulator (Milenage) for EAP-AKA IKEV2_DESC= Internet Key Exchange version 2 PWD_DESC= Shared password (RFC 5931) PAX_DESC= Password Authenticated Exchange SAKE_DESC= Shared-Secret Authentication & Key Establishment GPSK_DESC= Generalized Pre-Shared Key TNC_DESC= Trusted Network Connect PRIVSEP_PLIST_FILES= sbin/wpa_priv DBUS_PLIST_FILES= share/dbus-1/system-services/fi.w1.wpa_supplicant1.service \ etc/dbus-1/system.d/dbus-wpa_supplicant.conf .include .if ${PORT_OPTIONS:MNDIS} && ${PORT_OPTIONS:MPRIVSEP} BROKEN= Fails to compile with both NDIS and PRIVSEP .endif .if ${PORT_OPTIONS:MIEEE80211AC} && ${PORT_OPTIONS:MIEEE80211N} BROKEN= Fails to compile with both IEEE80211AC and IEEE80211N .endif .if ${PORT_OPTIONS:MSIM} || ${PORT_OPTIONS:MAKA} || ${PORT_OPTIONS:MAKA_PRIME} LIB_DEPENDS+= libpcsclite.so:devel/pcsc-lite CFLAGS+= -I${LOCALBASE}/include/PCSC LDFLAGS+= -L${LOCALBASE}/lib .endif .if ${PORT_OPTIONS:MDBUS} LIB_DEPENDS+= libdbus-1.so:devel/dbus .endif post-patch: @${CP} ${FILESDIR}/Packet32.[ch] ${FILESDIR}/ntddndis.h \ ${WRKSRC}/src/utils # Set driver(s) .for item in BSD NDIS WIRED ROBOSWITCH TEST NONE . if ${PORT_OPTIONS:M${item}} @${ECHO_CMD} CONFIG_DRIVER_${item}=y >> ${CFG} . 
endif .endfor # Set EAP protocol(s) .for item in MD5 MSCHAPV2 TLS PEAP TTLS FAST GTC OTP PSK PWD PAX LEAP SIM \ AKA AKA_PRIME SAKE GPSK TNC IKEV2 EKE WEP . if ${PORT_OPTIONS:M${item}} @${ECHO_CMD} CONFIG_EAP_${item:tu}=y >> ${CFG} . endif .endfor .if ${PORT_OPTIONS:MSIM} || ${PORT_OPTIONS:MAKA} || ${PORT_OPTIONS:MAKA_PRIME} @${ECHO_CMD} CONFIG_PCSC=y >> ${CFG} .endif .for simple in WPS WPS_ER WPS_NFC WPS_UPNP PKCS12 SMARTCARD HT_OVERRIDES \ VHT_OVERRIDES TLSV12 IEEE80211AC IEEE80211N IEEE80211R IEEE80211W \ IEEE8021X_EAPOL EAPOL_TEST \ INTERWORKING DEBUG_FILE DEBUG_SYSLOG HS20 NO_ROAMING PRIVSEP P2P TDLS . if ${PORT_OPTIONS:M${simple}} @${ECHO_CMD} CONFIG_${simple}=y >> ${CFG} . endif .endfor .for item in READLINE PEERKEY @${ECHO_CMD} CONFIG_${item}=y >> ${CFG} .endfor .if ${PORT_OPTIONS:MIEEE80211AC} || ${PORT_OPTIONS:MIEEE80211N} @${ECHO_CMD} CONFIG_AP=y >> ${CFG} .endif .if ${PORT_OPTIONS:MGPSK} # GPSK desired, assume highest SHA desired too @${ECHO_CMD} CONFIG_EAP_GPSK_SHA256=y >> ${CFG} .endif .if ${PORT_OPTIONS:MWPS_NOREG} @${ECHO_CMD} CONFIG_WPS_REG_DISABLE_OPEN=y >> ${CFG} .endif .if ${PORT_OPTIONS:MDELAYED_MIC} @${ECHO_CMD} CONFIG_DELAYED_MIC_ERROR_REPORT=y >> ${CFG} .endif .if ${PORT_OPTIONS:MDBUS} @${ECHO_CMD} CONFIG_CTRL_IFACE_DBUS_NEW=y >> ${CFG} @${ECHO_CMD} CONFIG_CTRL_IFACE_DBUS_INTRO=y >> ${CFG} .endif .if ${PORT_OPTIONS:MMATCH} @${ECHO_CMD} CONFIG_MATCH_IFACE=y >> ${CFG} .endif .if ${PORT_OPTIONS:MUSIM_SIMULATOR} @${ECHO_CMD} CONFIG_USIM_SIMULATOR=y >> ${CFG} .endif .if ${PORT_OPTIONS:MSIM_SIMULATOR} @${ECHO_CMD} CONFIG_SIM_SIMULATOR=y >> ${CFG} .endif @${ECHO_CMD} CONFIG_OS=unix >> ${CFG} @${ECHO_CMD} CONFIG_CTRL_IFACE=unix >> ${CFG} @${ECHO_CMD} CONFIG_BACKEND=file >> ${CFG} @${ECHO_CMD} CONFIG_L2_PACKET=freebsd >> ${CFG} @${ECHO_CMD} CONFIG_TLS=openssl >> ${CFG} post-build-EAPOL_TEST-on: cd ${BUILD_WRKSRC} && ${GMAKE} eapol_test do-install: (cd ${BUILD_WRKSRC} && ${INSTALL_PROGRAM} wpa_supplicant wpa_cli \ wpa_passphrase 
${STAGEDIR}${PREFIX}/sbin) ${INSTALL_DATA} ${BUILD_WRKSRC}/wpa_supplicant.conf \ ${STAGEDIR}${PREFIX}/etc/wpa_supplicant.conf.sample do-install-EAPOL_TEST-on: ${INSTALL_PROGRAM} ${BUILD_WRKSRC}/eapol_test ${STAGEDIR}${PREFIX}/sbin do-install-DOCS-on: @${MKDIR} ${STAGEDIR}${DOCSDIR} (cd ${BUILD_WRKSRC} && \ ${INSTALL_DATA} ${PORTDOCS} ${STAGEDIR}${DOCSDIR}) do-install-PRIVSEP-on: ${INSTALL_PROGRAM} ${BUILD_WRKSRC}/wpa_priv ${STAGEDIR}${PREFIX}/sbin do-install-DBUS-on: @${MKDIR} ${STAGEDIR}${PREFIX}/share/dbus-1/system-services/ @${MKDIR} ${STAGEDIR}${PREFIX}/etc/dbus-1/system.d/ ${INSTALL_DATA} ${BUILD_WRKSRC}/dbus/fi.w1.wpa_supplicant1.service \ ${STAGEDIR}${PREFIX}/share/dbus-1/system-services/ ${INSTALL_DATA} ${BUILD_WRKSRC}/dbus/dbus-wpa_supplicant.conf \ ${STAGEDIR}${PREFIX}/etc/dbus-1/system.d/ .include diff --git a/security/wpa_supplicant/files/patch-src_drivers_driver__bsd.c b/security/wpa_supplicant/files/patch-src_drivers_driver__bsd.c index 56df017d59d1..dd72e1710cbd 100644 --- a/security/wpa_supplicant/files/patch-src_drivers_driver__bsd.c +++ b/security/wpa_supplicant/files/patch-src_drivers_driver__bsd.c @@ -1,169 +1,281 @@ --- src/drivers/driver_bsd.c.orig 2022-01-16 12:51:29.000000000 -0800 -+++ src/drivers/driver_bsd.c 2022-07-03 14:09:49.672011000 -0700 ++++ src/drivers/driver_bsd.c 2023-09-10 23:07:12.329586000 -0700 
@@ -14,6 +14,7 @@ #include "driver.h" #include "eloop.h" #include "common/ieee802_11_defs.h" +#include "common/ieee802_11_common.h" #include "common/wpa_common.h" #include -@@ -853,14 +854,18 @@ +@@ -293,8 +294,9 @@ + } + + static int +-bsd_get_iface_flags(struct bsd_driver_data *drv) ++bsd_ctrl_iface(void *priv, int enable) + { ++ struct bsd_driver_data *drv = priv; + struct ifreq ifr; + + os_memset(&ifr, 0, sizeof(ifr)); +@@ -306,7 +308,34 @@ + return -1; + } + drv->flags = ifr.ifr_flags; ++ ++ ++ if (enable) { ++ if (ifr.ifr_flags & IFF_UP) ++ goto nochange; ++ ifr.ifr_flags |= IFF_UP; ++ } else { ++ if (!(ifr.ifr_flags & IFF_UP)) ++ goto nochange; ++ ifr.ifr_flags &= ~IFF_UP; ++ } ++ ++ if (ioctl(drv->global->sock, SIOCSIFFLAGS, &ifr) < 0) { ++ wpa_printf(MSG_ERROR, "ioctl[SIOCSIFFLAGS]: %s", ++ strerror(errno)); ++ return -1; ++ } ++ ++ wpa_printf(MSG_DEBUG, "%s: if %s (changed) enable %d IFF_UP %d ", ++ __func__, drv->ifname, enable, ((ifr.ifr_flags & IFF_UP) != 0)); ++ ++ drv->flags = ifr.ifr_flags; + return 0; ++ ++nochange: ++ wpa_printf(MSG_DEBUG, "%s: if %s (no change) enable %d IFF_UP %d ", ++ __func__, drv->ifname, enable, ((ifr.ifr_flags & IFF_UP) != 0)); ++ return 0; + } + + static int +@@ -525,7 +554,7 @@ + __func__); + return -1; + } +- return 0; ++ return bsd_ctrl_iface(priv, 1); + } + + static void +@@ -853,14 +882,18 @@ drv = bsd_get_drvindex(global, ifm->ifm_index); if (drv == NULL) return; - if ((ifm->ifm_flags & IFF_UP) == 0 && - (drv->flags & IFF_UP) != 0) { + if (((ifm->ifm_flags & IFF_UP) == 0 || + (ifm->ifm_flags & IFF_RUNNING) == 0) && + (drv->flags & IFF_UP) != 0 && + (drv->flags & IFF_RUNNING) != 0) { wpa_printf(MSG_DEBUG, "RTM_IFINFO: Interface '%s' DOWN", drv->ifname); wpa_supplicant_event(drv->ctx, EVENT_INTERFACE_DISABLED, NULL); } else if ((ifm->ifm_flags & IFF_UP) != 0 && - (drv->flags & IFF_UP) == 0) { + (ifm->ifm_flags & IFF_RUNNING) != 0 && + ((drv->flags & IFF_UP) == 0 || + (drv->flags & IFF_RUNNING) == 0)) { 
wpa_printf(MSG_DEBUG, "RTM_IFINFO: Interface '%s' UP", drv->ifname); wpa_supplicant_event(drv->ctx, EVENT_INTERFACE_ENABLED, -@@ -1197,13 +1202,41 @@ +@@ -1025,7 +1058,8 @@ + if (l2_packet_get_own_addr(drv->sock_xmit, params->own_addr)) + goto bad; + +- if (bsd_get_iface_flags(drv) < 0) ++ /* mark down during setup */ ++ if (bsd_ctrl_iface(drv, 0) < 0) + goto bad; + + if (bsd_set_mediaopt(drv, IFM_OMASK, IFM_IEEE80211_HOSTAP) < 0) { +@@ -1050,12 +1084,13 @@ + { + struct bsd_driver_data *drv = priv; + ++ if (drv->ifindex != 0) ++ bsd_ctrl_iface(drv, 0); + if (drv->sock_xmit != NULL) + l2_packet_deinit(drv->sock_xmit); + os_free(drv); + } + +- + static int + bsd_set_sta_authorized(void *priv, const u8 *addr, + unsigned int total_flags, unsigned int flags_or, +@@ -1197,13 +1232,41 @@ } static int +wpa_driver_bsd_set_rsn_wpa_ie(struct bsd_driver_data * drv, + struct wpa_driver_associate_params *params, const u8 *ie) +{ + int privacy; + size_t ie_len = ie[1] ? ie[1] + 2 : 0; + + /* XXX error handling is wrong but unclear what to do... */ + if (wpa_driver_bsd_set_wpa_ie(drv, ie, ie_len) < 0) + return -1; + + privacy = !(params->pairwise_suite == WPA_CIPHER_NONE && + params->group_suite == WPA_CIPHER_NONE && + params->key_mgmt_suite == WPA_KEY_MGMT_NONE); + wpa_printf(MSG_DEBUG, "%s: set PRIVACY %u", __func__, + privacy); + + if (set80211param(drv, IEEE80211_IOC_PRIVACY, privacy) < 0) + return -1; + + if (ie_len && + set80211param(drv, IEEE80211_IOC_WPA, + ie[0] == WLAN_EID_RSN ? 
2 : 1) < 0) + return -1; + + return 0; +} + +static int wpa_driver_bsd_associate(void *priv, struct wpa_driver_associate_params *params) { struct bsd_driver_data *drv = priv; struct ieee80211req_mlme mlme; u32 mode; - int privacy; int ret = 0; + const u8 *wpa_ie, *rsn_ie; wpa_printf(MSG_DEBUG, "%s: ssid '%.*s' wpa ie len %u pairwise %u group %u key mgmt %u" -@@ -1220,7 +1253,10 @@ +@@ -1220,7 +1283,10 @@ mode = 0 /* STA */; break; case IEEE80211_MODE_IBSS: +#if 0 mode = IFM_IEEE80211_IBSS; +#endif + mode = IFM_IEEE80211_ADHOC; break; case IEEE80211_MODE_AP: mode = IFM_IEEE80211_HOSTAP; -@@ -1249,24 +1285,33 @@ +@@ -1249,24 +1315,33 @@ ret = -1; if (wpa_driver_bsd_set_auth_alg(drv, params->auth_alg) < 0) ret = -1; - /* XXX error handling is wrong but unclear what to do... */ - if (wpa_driver_bsd_set_wpa_ie(drv, params->wpa_ie, params->wpa_ie_len) < 0) - return -1; - privacy = !(params->pairwise_suite == WPA_CIPHER_NONE && - params->group_suite == WPA_CIPHER_NONE && - params->key_mgmt_suite == WPA_KEY_MGMT_NONE && - params->wpa_ie_len == 0); - wpa_printf(MSG_DEBUG, "%s: set PRIVACY %u", __func__, privacy); + if (params->wpa_ie_len) { + rsn_ie = get_ie(params->wpa_ie, params->wpa_ie_len, + WLAN_EID_RSN); + if (rsn_ie) { + if (wpa_driver_bsd_set_rsn_wpa_ie(drv, params, + rsn_ie) < 0) + return -1; + } + else { + wpa_ie = get_vendor_ie(params->wpa_ie, + params->wpa_ie_len, WPA_IE_VENDOR_TYPE); + if (wpa_ie) { + if (wpa_driver_bsd_set_rsn_wpa_ie(drv, params, + wpa_ie) < 0) + return -1; + } + } + } - if (set80211param(drv, IEEE80211_IOC_PRIVACY, privacy) < 0) + /* + * NB: interface must be marked UP for association + * or scanning (ap_scan=2) + */ -+ if (bsd_get_iface_flags(drv) < 0) ++ if (bsd_ctrl_iface(drv, 1) < 0) return -1; - if (params->wpa_ie_len && - set80211param(drv, IEEE80211_IOC_WPA, - params->wpa_ie[0] == WLAN_EID_RSN ? 
2 : 1) < 0) - return -1; - os_memset(&mlme, 0, sizeof(mlme)); mlme.im_op = IEEE80211_MLME_ASSOC; if (params->ssid != NULL) -@@ -1485,6 +1530,17 @@ +@@ -1309,11 +1384,8 @@ + } + + /* NB: interface must be marked UP to do a scan */ +- if (!(drv->flags & IFF_UP)) { +- wpa_printf(MSG_DEBUG, "%s: interface is not up, cannot scan", +- __func__); ++ if (bsd_ctrl_iface(drv, 1) < 0) + return -1; +- } + + #ifdef IEEE80211_IOC_SCAN_MAX_SSID + os_memset(&sr, 0, sizeof(sr)); +@@ -1485,6 +1557,17 @@ if (devcaps.dc_drivercaps & IEEE80211_C_WPA2) drv->capa.key_mgmt = WPA_DRIVER_CAPA_KEY_MGMT_WPA2 | WPA_DRIVER_CAPA_KEY_MGMT_WPA2_PSK; +#ifdef __FreeBSD__ + drv->capa.enc |= WPA_DRIVER_CAPA_ENC_WEP40 | + WPA_DRIVER_CAPA_ENC_WEP104 | + WPA_DRIVER_CAPA_ENC_TKIP | + WPA_DRIVER_CAPA_ENC_CCMP; +#else + /* + * XXX + * FreeBSD exports hardware cryptocaps. These have no meaning for wpa + * since net80211 performs software crypto. + */ if (devcaps.dc_cryptocaps & IEEE80211_CRYPTO_WEP) drv->capa.enc |= WPA_DRIVER_CAPA_ENC_WEP40 | -@@ -1493,6 +1549,7 @@ +@@ -1493,6 +1576,7 @@ drv->capa.enc |= WPA_DRIVER_CAPA_ENC_TKIP; if (devcaps.dc_cryptocaps & IEEE80211_CRYPTO_AES_CCM) drv->capa.enc |= WPA_DRIVER_CAPA_ENC_CCMP; +#endif if (devcaps.dc_drivercaps & IEEE80211_C_HOSTAP) drv->capa.flags |= WPA_DRIVER_FLAGS_AP; -@@ -1545,6 +1602,8 @@ +@@ -1545,6 +1629,8 @@ } if (ifmr.ifm_current & IFM_IEEE80211_HOSTAP) return IEEE80211_M_HOSTAP; + if (ifmr.ifm_current & IFM_IEEE80211_IBSS) + return IEEE80211_M_IBSS; if (ifmr.ifm_current & IFM_IEEE80211_MONITOR) return IEEE80211_M_MONITOR; #ifdef IEEE80211_M_MBSS +@@ -1605,7 +1691,7 @@ + drv->capa.key_mgmt_iftype[i] = drv->capa.key_mgmt; + + /* Down interface during setup. */ +- if (bsd_get_iface_flags(drv) < 0) ++ if (bsd_ctrl_iface(drv, 0) < 0) + goto fail; + + /* Proven to work, lets go! 
*/ +@@ -1628,6 +1714,9 @@ + + if (drv->ifindex != 0 && !drv->if_removed) { + wpa_driver_bsd_set_wpa(drv, 0); ++ ++ /* NB: mark interface down */ ++ bsd_ctrl_iface(drv, 0); + + wpa_driver_bsd_set_wpa_internal(drv, drv->prev_wpa, + drv->prev_privacy);
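Review bot: In the `@@ -1249,24 +1315,33 @@` hunk of wpa_driver_bsd_associate, the new `if (params->wpa_ie_len)` block has no else path, so an association with no RSN/WPA IE (an open or WEP network) no longer clears a previously configured IE nor sets IEEE80211_IOC_PRIVACY; the removed code called wpa_driver_bsd_set_wpa_ie() and set PRIVACY from the suites on every associate. After a WPA/WPA2 association in the same session this leaves the stale IE and privacy flag in place, and for WEP (wpa_ie_len == 0 but a non-NONE pairwise suite) PRIVACY is never raised at all. I would add an else branch that restores the old behaviour, passing a NULL IE with length 0 as the removed code effectively did when wpa_ie_len was 0. The body of wpa_driver_bsd_associate continues past the end of this hunk, so the mlme setup after this point is not visible here.
```c
	if (params->wpa_ie_len) {
		/* … unchanged: RSN / vendor WPA IE lookup and wpa_driver_bsd_set_rsn_wpa_ie() … */
	} else {
		/* No RSN/WPA IE: drop any IE left by a previous association and
		 * set PRIVACY from the suites (WEP still needs privacy on). */
		if (wpa_driver_bsd_set_wpa_ie(drv, NULL, 0) < 0)
			return -1;
		if (set80211param(drv, IEEE80211_IOC_PRIVACY,
		    !(params->pairwise_suite == WPA_CIPHER_NONE &&
		      params->group_suite == WPA_CIPHER_NONE &&
		      params->key_mgmt_suite == WPA_KEY_MGMT_NONE)) < 0)
			return -1;
	}
```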