diff --git a/0001-Add-os_exec-helper-to-run-external-programs.patch b/0001-Add-os_exec-helper-to-run-external-programs.patch
new file mode 100644
index 0000000..4b774bd
--- /dev/null
+++ b/0001-Add-os_exec-helper-to-run-external-programs.patch
@@ -0,0 +1,143 @@
+From 89de07a9442072f88d49869d8ecd8d42bae050a0 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen
+Date: Mon, 6 Oct 2014 16:27:44 +0300
+Subject: [PATCH 1/2] Add os_exec() helper to run external programs
+
+Signed-off-by: Jouni Malinen
+---
+ src/utils/os.h | 9 +++++++++
+ src/utils/os_unix.c | 55 ++++++++++++++++++++++++++++++++++++++++++++++++++++
+ src/utils/os_win32.c | 6 ++++++
+ 3 files changed, 70 insertions(+)
+
+diff --git a/src/utils/os.h b/src/utils/os.h
+index f196209..b9247d8 100644
+--- a/src/utils/os.h
++++ b/src/utils/os.h
+@@ -597,14 +597,23 @@ size_t os_strlcpy(char *dest, const char *src, size_t siz);
+ * Returns: Total length of the target string (length of src) (not including
+ * NUL-termination)
+ *
+ * This function matches in behavior with the strlcpy(3) function in OpenBSD.
+ */
+ size_t os_strlcpy(char *dest, const char *src, size_t siz);
+
++/**
++ * os_exec - Execute an external program
++ * @program: Path to the program
++ * @arg: Command line argument string
++ * @wait_completion: Whether to wait until the program execution completes
++ * Returns: 0 on success, -1 on error
++ */
++int os_exec(const char *program, const char *arg, int wait_completion);
++
+
+ #ifdef OS_REJECT_C_LIB_FUNCTIONS
+ #define malloc OS_DO_NOT_USE_malloc
+ #define realloc OS_DO_NOT_USE_realloc
+ #define free OS_DO_NOT_USE_free
+ #define memcpy OS_DO_NOT_USE_memcpy
+ #define memmove OS_DO_NOT_USE_memmove
+diff --git a/src/utils/os_unix.c b/src/utils/os_unix.c
+index 7498967..523a4d0 100644
+--- a/src/utils/os_unix.c
++++ b/src/utils/os_unix.c
+@@ -5,14 +5,15 @@
+ * This software may be distributed under the terms of the BSD license.
+ * See README for more details.
+ */
+
+ #include "includes.h"
+
+ #include
++#include
+
+ #ifdef ANDROID
+ #include
+ #include
+ #include
+ #endif /* ANDROID */
+
+@@ -550,7 +551,61 @@ char * os_strdup(const char *s)
+ return NULL;
+ os_memcpy(d, s, len);
+ d[len] = '\0';
+ return d;
+ }
+
+ #endif /* WPA_TRACE */
++
++
++int os_exec(const char *program, const char *arg, int wait_completion)
++{
++ pid_t pid;
++ int pid_status;
++
++ pid = fork();
++ if (pid < 0) {
++ perror("fork");
++ return -1;
++ }
++
++ if (pid == 0) {
++ /* run the external command in the child process */
++ const int MAX_ARG = 30;
++ char *_program, *_arg, *pos;
++ char *argv[MAX_ARG + 1];
++ int i;
++
++ _program = os_strdup(program);
++ _arg = os_strdup(arg);
++
++ argv[0] = _program;
++
++ i = 1;
++ pos = _arg;
++ while (i < MAX_ARG && pos && *pos) {
++ while (*pos == ' ')
++ pos++;
++ if (*pos == '\0')
++ break;
++ argv[i++] = pos;
++ pos = os_strchr(pos, ' ');
++ if (pos)
++ *pos++ = '\0';
++ }
++ argv[i] = NULL;
++
++ execv(program, argv);
++ perror("execv");
++ os_free(_program);
++ os_free(_arg);
++ exit(0);
++ return -1;
++ }
++
++ if (wait_completion) {
++ /* wait for the child process to complete in the parent */
++ waitpid(pid, &pid_status, 0);
++ }
++
++ return 0;
++}
+diff --git a/src/utils/os_win32.c b/src/utils/os_win32.c
+index 55937de..57ee132 100644
+--- a/src/utils/os_win32.c
++++ b/src/utils/os_win32.c
+@@ -254,7 +254,13 @@ int os_memcmp_const(const void *a, const void *b, size_t len)
+ *dest = '\0';
+ while (*s++)
+ ; /* determine total src string length */
+ }
+
+ return s - src - 1;
+ }
++
++
++int os_exec(const char *program, const char *arg, int wait_completion)
++{
++ return -1;
++}
+--
+1.9.3
+
diff --git a/0001-Fix-OKC-based-PMKSA-cache-entry-clearing.patch b/0001-Fix-OKC-based-PMKSA-cache-entry-clearing.patch
deleted file mode 100644
index 91fdc12..0000000
--- a/0001-Fix-OKC-based-PMKSA-cache-entry-clearing.patch
+++ /dev/null
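Review bot: In the child branch of the new os_exec() in src/utils/os_unix.c, a failed execv() ends in `exit(0)`, and the parent ignores both the waitpid() return value and `pid_status`, so a caller passing wait_completion=1 is told 0 ("success" per the os.h comment) even when the program never started. I would end the child with `_exit(127);` instead, since exit() also runs atexit handlers and flushes stdio buffers copied from the parent, and have the parent do `if (waitpid(pid, &pid_status, 0) < 0) return -1;`. The two os_strdup() results are used unchecked; a NULL `_program` leaves argv[0] NULL, and a NULL `_arg` silently runs the program with no arguments. With wait_completion=0 the child is never reaped by this function, which deserves a sentence in the os.h comment, for example `* Note: when @wait_completion is 0 the caller is responsible for reaping the child`.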
@@ -1,150 +0,0 @@ -From 4033935dd9098938838d6d7934ceb65f92a1fa3c Mon Sep 17 00:00:00 2001 -From: Jouni Malinen -Date: Wed, 22 May 2013 13:24:30 +0300 -Subject: [PATCH] Fix OKC-based PMKSA cache entry clearing - -Commit c3fea272747f738f5723fc577371fe03711d988f added a call to clear -all other PMKSA cache entries for the same network if the PMKSA cache -entry of the current AP changed. This was needed to fix OKC cases since -the other APs would likely use the new PMK in the future. However, this -ended up clearing entries in cases where that is not desired and this -resulted in needing additional full EAP authentication with networks -that did not support OKC if wpa_supplicant was configured to try to use -it. - -Make PMKSA cache entry flushing more limited so that the other entries -are removed only if they used the old PMK that was replaced for the -current AP and only if that PMK had previously been used successfully -(i.e., opportunistic flag was already cleared back to 0 in -wpa_supplicant_key_neg_complete()). This is still enough to fix the -issue described in that older commit while not causing problems for -standard PMKSA caching operations even if OKC is enabled in -wpa_supplicant configuration. 
- -Signed-hostap: Jouni Malinen ---- - src/rsn_supp/pmksa_cache.c | 27 ++++++++++++++++++++------- - src/rsn_supp/pmksa_cache.h | 3 ++- - src/rsn_supp/wpa.c | 2 +- - 3 files changed, 23 insertions(+), 9 deletions(-) - -diff --git a/src/rsn_supp/pmksa_cache.c b/src/rsn_supp/pmksa_cache.c -index df67583..93056ea 100644 ---- a/src/rsn_supp/pmksa_cache.c -+++ b/src/rsn_supp/pmksa_cache.c -@@ -160,25 +160,31 @@ pmksa_cache_add(struct rsn_pmksa_cache *pmksa, const u8 *pmk, size_t pmk_len, - os_free(entry); - return pos; - } - if (prev == NULL) - pmksa->pmksa = pos->next; - else - prev->next = pos->next; -- wpa_printf(MSG_DEBUG, "RSN: Replace PMKSA entry for " -- "the current AP"); -- pmksa_cache_free_entry(pmksa, pos, PMKSA_REPLACE); - - /* - * If OKC is used, there may be other PMKSA cache - * entries based on the same PMK. These needs to be - * flushed so that a new entry can be created based on -- * the new PMK. -+ * the new PMK. Only clear other entries if they have a -+ * matching PMK and this PMK has been used successfully -+ * with the current AP, i.e., if opportunistic flag has -+ * been cleared in wpa_supplicant_key_neg_complete(). 
- */ -- pmksa_cache_flush(pmksa, network_ctx); -+ wpa_printf(MSG_DEBUG, "RSN: Replace PMKSA entry for " -+ "the current AP and any PMKSA cache entry " -+ "that was based on the old PMK"); -+ if (!pos->opportunistic) -+ pmksa_cache_flush(pmksa, network_ctx, pos->pmk, -+ pos->pmk_len); -+ pmksa_cache_free_entry(pmksa, pos, PMKSA_REPLACE); - break; - } - prev = pos; - pos = pos->next; - } - - if (pmksa->pmksa_count >= pmksa_cache_max_entries && pmksa->pmksa) { -@@ -231,23 +237,30 @@ pmksa_cache_add(struct rsn_pmksa_cache *pmksa, const u8 *pmk, size_t pmk_len, - } - - - /** - * pmksa_cache_flush - Flush PMKSA cache entries for a specific network - * @pmksa: Pointer to PMKSA cache data from pmksa_cache_init() - * @network_ctx: Network configuration context or %NULL to flush all entries -+ * @pmk: PMK to match for or %NYLL to match all PMKs -+ * @pmk_len: PMK length - */ --void pmksa_cache_flush(struct rsn_pmksa_cache *pmksa, void *network_ctx) -+void pmksa_cache_flush(struct rsn_pmksa_cache *pmksa, void *network_ctx, -+ const u8 *pmk, size_t pmk_len) - { - struct rsn_pmksa_cache_entry *entry, *prev = NULL, *tmp; - int removed = 0; - - entry = pmksa->pmksa; - while (entry) { -- if (entry->network_ctx == network_ctx || network_ctx == NULL) { -+ if ((entry->network_ctx == network_ctx || -+ network_ctx == NULL) && -+ (pmk == NULL || -+ (pmk_len == entry->pmk_len && -+ os_memcmp(pmk, entry->pmk, pmk_len) == 0))) { - wpa_printf(MSG_DEBUG, "RSN: Flush PMKSA cache entry " - "for " MACSTR, MAC2STR(entry->aa)); - if (prev) - prev->next = entry->next; - else - pmksa->pmksa = entry->next; - tmp = entry; -diff --git a/src/rsn_supp/pmksa_cache.h b/src/rsn_supp/pmksa_cache.h -index 6f3dfb3..d5aa229 100644 ---- a/src/rsn_supp/pmksa_cache.h -+++ b/src/rsn_supp/pmksa_cache.h -@@ -62,15 +62,16 @@ struct rsn_pmksa_cache_entry * pmksa_cache_get_current(struct wpa_sm *sm); - void pmksa_cache_clear_current(struct wpa_sm *sm); - int pmksa_cache_set_current(struct wpa_sm *sm, const u8 *pmkid, - 
const u8 *bssid, void *network_ctx, - int try_opportunistic); - struct rsn_pmksa_cache_entry * - pmksa_cache_get_opportunistic(struct rsn_pmksa_cache *pmksa, - void *network_ctx, const u8 *aa); --void pmksa_cache_flush(struct rsn_pmksa_cache *pmksa, void *network_ctx); -+void pmksa_cache_flush(struct rsn_pmksa_cache *pmksa, void *network_ctx, -+ const u8 *pmk, size_t pmk_len); - - #else /* IEEE8021X_EAPOL and !CONFIG_NO_WPA2 */ - - static inline struct rsn_pmksa_cache * - pmksa_cache_init(void (*free_cb)(struct rsn_pmksa_cache_entry *entry, - void *ctx, int reason), - void *ctx, struct wpa_sm *sm) -diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c -index e50404c..365a710 100644 ---- a/src/rsn_supp/wpa.c -+++ b/src/rsn_supp/wpa.c -@@ -2618,15 +2618,15 @@ void wpa_sm_update_replay_ctr(struct wpa_sm *sm, const u8 *replay_ctr) - os_memcpy(sm->rx_replay_counter, replay_ctr, WPA_REPLAY_COUNTER_LEN); - } - - - void wpa_sm_pmksa_cache_flush(struct wpa_sm *sm, void *network_ctx) - { - #ifndef CONFIG_NO_WPA2 -- pmksa_cache_flush(sm->pmksa, network_ctx); -+ pmksa_cache_flush(sm->pmksa, network_ctx, NULL, 0); - #endif /* CONFIG_NO_WPA2 */ - } - - - #ifdef CONFIG_WNM - int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf) - { --- -1.8.3.1 - diff --git a/0002-wpa_cli-Use-os_exec-for-action-script-execution.patch b/0002-wpa_cli-Use-os_exec-for-action-script-execution.patch new file mode 100644 index 0000000..2ff9301 --- /dev/null +++ b/0002-wpa_cli-Use-os_exec-for-action-script-execution.patch 
@@ -0,0 +1,67 @@
+From c5f258de76dbb67fb64beab39a99e5c5711f41fe Mon Sep 17 00:00:00 2001
+From: Jouni Malinen
+Date: Mon, 6 Oct 2014 17:25:52 +0300
+Subject: [PATCH 2/2] wpa_cli: Use os_exec() for action script execution
+
+Use os_exec() to run the action script operations to avoid undesired
+command line processing for control interface event strings. Previously,
+it could have been possible for some of the event strings to include
+unsanitized data which is not suitable for system() use. (CVE-2014-3686)
+
+Signed-off-by: Jouni Malinen
+---
+ wpa_supplicant/wpa_cli.c | 25 ++++++++-----------------
+ 1 file changed, 8 insertions(+), 17 deletions(-)
+
+diff --git a/wpa_supplicant/wpa_cli.c b/wpa_supplicant/wpa_cli.c
+index 18b9b77..fe30b41 100644
+--- a/wpa_supplicant/wpa_cli.c
++++ b/wpa_supplicant/wpa_cli.c
+@@ -3155,36 +3155,27 @@ static int str_match(const char *a, const char *b)
+ return os_strncmp(a, b, os_strlen(b)) == 0;
+ }
+
+
+ static int wpa_cli_exec(const char *program, const char *arg1,
+ const char *arg2)
+ {
+- char *cmd;
++ char *arg;
+ size_t len;
+ int res;
+- int ret = 0;
+
+- len = os_strlen(program) + os_strlen(arg1) + os_strlen(arg2) + 3;
+- cmd = os_malloc(len);
+- if (cmd == NULL)
++ len = os_strlen(arg1) + os_strlen(arg2) + 2;
++ arg = os_malloc(len);
++ if (arg == NULL)
+ return -1;
+- res = os_snprintf(cmd, len, "%s %s %s", program, arg1, arg2);
+- if (res < 0 || (size_t) res >= len) {
+- os_free(cmd);
+- return -1;
+- }
+- cmd[len - 1] = '\0';
+-#ifndef _WIN32_WCE
+- if (system(cmd) < 0)
+- ret = -1;
+-#endif /* _WIN32_WCE */
+- os_free(cmd);
++ os_snprintf(arg, len, "%s %s", arg1, arg2);
++ res = os_exec(program, arg, 1);
++ os_free(arg);
+
+- return ret;
++ return res;
+ }
+
+
+ static void wpa_cli_action_process(const char *msg)
+ {
+ const char *pos;
+ char *copy = NULL, *id, *pos2;
+--
+1.9.3
+
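Review bot: wpa_cli_exec() joins arg1 and arg2 with one space and os_exec() (patch 1/2 on this page) splits that string again on every space, so the boundary between the two arguments is not preserved. If either string can contain spaces, the action script receives more than two positional parameters, and anything beyond os_exec()'s `MAX_ARG` limit is dropped without a message. The shell is no longer involved, which is the point of the CVE-2014-3686 fix, but the script still sees event-derived text as its arguments. I would record that above the call with `/* os_exec() re-splits arg on spaces; action scripts must treat every positional parameter as untrusted input */`. The os_snprintf() result is also no longer checked; truncation looks impossible because `len` is computed from the same two strings, but the removed `if (res < 0 || (size_t) res >= len)` guard kept that invariant explicit and is cheap to keep.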
diff --git a/rh1032758-fix-pmksa-cache-entry-clearing.patch b/rh1032758-fix-pmksa-cache-entry-clearing.patch
new file mode 100644
index 0000000..91fdc12
--- /dev/null
+++ b/rh1032758-fix-pmksa-cache-entry-clearing.patch
@@ -0,0 +1,150 @@ +From 4033935dd9098938838d6d7934ceb65f92a1fa3c Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Wed, 22 May 2013 13:24:30 +0300 +Subject: [PATCH] Fix OKC-based PMKSA cache entry clearing + +Commit c3fea272747f738f5723fc577371fe03711d988f added a call to clear +all other PMKSA cache entries for the same network if the PMKSA cache +entry of the current AP changed. This was needed to fix OKC cases since +the other APs would likely use the new PMK in the future. However, this +ended up clearing entries in cases where that is not desired and this +resulted in needing additional full EAP authentication with networks +that did not support OKC if wpa_supplicant was configured to try to use +it. + +Make PMKSA cache entry flushing more limited so that the other entries +are removed only if they used the old PMK that was replaced for the +current AP and only if that PMK had previously been used successfully +(i.e., opportunistic flag was already cleared back to 0 in +wpa_supplicant_key_neg_complete()). This is still enough to fix the +issue described in that older commit while not causing problems for +standard PMKSA caching operations even if OKC is enabled in +wpa_supplicant configuration. 
+ +Signed-hostap: Jouni Malinen +--- + src/rsn_supp/pmksa_cache.c | 27 ++++++++++++++++++++------- + src/rsn_supp/pmksa_cache.h | 3 ++- + src/rsn_supp/wpa.c | 2 +- + 3 files changed, 23 insertions(+), 9 deletions(-) + +diff --git a/src/rsn_supp/pmksa_cache.c b/src/rsn_supp/pmksa_cache.c +index df67583..93056ea 100644 +--- a/src/rsn_supp/pmksa_cache.c ++++ b/src/rsn_supp/pmksa_cache.c +@@ -160,25 +160,31 @@ pmksa_cache_add(struct rsn_pmksa_cache *pmksa, const u8 *pmk, size_t pmk_len, + os_free(entry); + return pos; + } + if (prev == NULL) + pmksa->pmksa = pos->next; + else + prev->next = pos->next; +- wpa_printf(MSG_DEBUG, "RSN: Replace PMKSA entry for " +- "the current AP"); +- pmksa_cache_free_entry(pmksa, pos, PMKSA_REPLACE); + + /* + * If OKC is used, there may be other PMKSA cache + * entries based on the same PMK. These needs to be + * flushed so that a new entry can be created based on +- * the new PMK. ++ * the new PMK. Only clear other entries if they have a ++ * matching PMK and this PMK has been used successfully ++ * with the current AP, i.e., if opportunistic flag has ++ * been cleared in wpa_supplicant_key_neg_complete(). 
+ */ +- pmksa_cache_flush(pmksa, network_ctx); ++ wpa_printf(MSG_DEBUG, "RSN: Replace PMKSA entry for " ++ "the current AP and any PMKSA cache entry " ++ "that was based on the old PMK"); ++ if (!pos->opportunistic) ++ pmksa_cache_flush(pmksa, network_ctx, pos->pmk, ++ pos->pmk_len); ++ pmksa_cache_free_entry(pmksa, pos, PMKSA_REPLACE); + break; + } + prev = pos; + pos = pos->next; + } + + if (pmksa->pmksa_count >= pmksa_cache_max_entries && pmksa->pmksa) { +@@ -231,23 +237,30 @@ pmksa_cache_add(struct rsn_pmksa_cache *pmksa, const u8 *pmk, size_t pmk_len, + } + + + /** + * pmksa_cache_flush - Flush PMKSA cache entries for a specific network + * @pmksa: Pointer to PMKSA cache data from pmksa_cache_init() + * @network_ctx: Network configuration context or %NULL to flush all entries ++ * @pmk: PMK to match for or %NYLL to match all PMKs ++ * @pmk_len: PMK length + */ +-void pmksa_cache_flush(struct rsn_pmksa_cache *pmksa, void *network_ctx) ++void pmksa_cache_flush(struct rsn_pmksa_cache *pmksa, void *network_ctx, ++ const u8 *pmk, size_t pmk_len) + { + struct rsn_pmksa_cache_entry *entry, *prev = NULL, *tmp; + int removed = 0; + + entry = pmksa->pmksa; + while (entry) { +- if (entry->network_ctx == network_ctx || network_ctx == NULL) { ++ if ((entry->network_ctx == network_ctx || ++ network_ctx == NULL) && ++ (pmk == NULL || ++ (pmk_len == entry->pmk_len && ++ os_memcmp(pmk, entry->pmk, pmk_len) == 0))) { + wpa_printf(MSG_DEBUG, "RSN: Flush PMKSA cache entry " + "for " MACSTR, MAC2STR(entry->aa)); + if (prev) + prev->next = entry->next; + else + pmksa->pmksa = entry->next; + tmp = entry; +diff --git a/src/rsn_supp/pmksa_cache.h b/src/rsn_supp/pmksa_cache.h +index 6f3dfb3..d5aa229 100644 +--- a/src/rsn_supp/pmksa_cache.h ++++ b/src/rsn_supp/pmksa_cache.h +@@ -62,15 +62,16 @@ struct rsn_pmksa_cache_entry * pmksa_cache_get_current(struct wpa_sm *sm); + void pmksa_cache_clear_current(struct wpa_sm *sm); + int pmksa_cache_set_current(struct wpa_sm *sm, const u8 *pmkid, + 
const u8 *bssid, void *network_ctx, + int try_opportunistic); + struct rsn_pmksa_cache_entry * + pmksa_cache_get_opportunistic(struct rsn_pmksa_cache *pmksa, + void *network_ctx, const u8 *aa); +-void pmksa_cache_flush(struct rsn_pmksa_cache *pmksa, void *network_ctx); ++void pmksa_cache_flush(struct rsn_pmksa_cache *pmksa, void *network_ctx, ++ const u8 *pmk, size_t pmk_len); + + #else /* IEEE8021X_EAPOL and !CONFIG_NO_WPA2 */ + + static inline struct rsn_pmksa_cache * + pmksa_cache_init(void (*free_cb)(struct rsn_pmksa_cache_entry *entry, + void *ctx, int reason), + void *ctx, struct wpa_sm *sm) +diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c +index e50404c..365a710 100644 +--- a/src/rsn_supp/wpa.c ++++ b/src/rsn_supp/wpa.c +@@ -2618,15 +2618,15 @@ void wpa_sm_update_replay_ctr(struct wpa_sm *sm, const u8 *replay_ctr) + os_memcpy(sm->rx_replay_counter, replay_ctr, WPA_REPLAY_COUNTER_LEN); + } + + + void wpa_sm_pmksa_cache_flush(struct wpa_sm *sm, void *network_ctx) + { + #ifndef CONFIG_NO_WPA2 +- pmksa_cache_flush(sm->pmksa, network_ctx); ++ pmksa_cache_flush(sm->pmksa, network_ctx, NULL, 0); + #endif /* CONFIG_NO_WPA2 */ + } + + + #ifdef CONFIG_WNM + int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf) + { +-- +1.8.3.1 + diff --git a/rh948453-man-page.patch b/rh948453-man-page.patch new file mode 100644 index 0000000..06e95ca --- /dev/null +++ b/rh948453-man-page.patch 
@@ -0,0 +1,397 @@ +diff -up wpa_supplicant-2.0/wpa_supplicant/doc/docbook/eapol_test.sgml.man-page wpa_supplicant-2.0/wpa_supplicant/doc/docbook/eapol_test.sgml +--- wpa_supplicant-2.0/wpa_supplicant/doc/docbook/eapol_test.sgml.man-page 2014-01-20 16:40:02.340869189 -0600 ++++ wpa_supplicant-2.0/wpa_supplicant/doc/docbook/eapol_test.sgml 2014-01-20 16:40:02.340869189 -0600 +@@ -0,0 +1,205 @@ ++ ++ ++ ++ ++ eapol_test ++ 8 ++ ++ ++ eapol_test ++ ++ EAP peer and RADIUS client testing ++ ++ ++ ++ ++ eapol_test ++ -nWS ++ -cconfig file ++ -aserver IP address ++ -Aclient IP address ++ -pUDP port ++ -sshared secret ++ -rre-authentications ++ -ttimeout ++ -CConnect-Info ++ -MMAC address ++ -ofile ++ -Nattr spec ++ ++ ++ eapol_test scard ++ ++ ++ eapol_test sim ++ PIN ++ num triplets ++ ++ ++ ++ ++ Overview ++ ++ eapol_test is a program that links together the same EAP ++ peer implementation that wpa_supplicant is using and the RADIUS ++ authentication client code from hostapd. In addition, it has ++ minimal glue code to combine these two components in similar ++ ways to IEEE 802.1X/EAPOL Authenticator state machines. In other ++ words, it integrates IEEE 802.1X Authenticator (normally, an ++ access point) and IEEE 802.1X Supplicant (normally, a wireless ++ client) together to generate a single program that can be used to ++ test EAP methods without having to setup an access point and a ++ wireless client. ++ ++ The main uses for eapol_test are in interoperability testing ++ of EAP methods against RADIUS servers and in development testing ++ for new EAP methods. It can be easily used to automate EAP testing ++ for interoperability and regression since the program can be run ++ from shell scripts without require additional test components apart ++ from a RADIUS server. For example, the automated EAP tests described ++ in eap_testing.txt are implemented with eapol_test. 
Similarly, ++ eapol_test could be used to implement an automated regression ++ test suite for a RADIUS authentication server. ++ ++ ++ As an example: ++ ++
++eapol_test -ctest.conf -a127.0.0.1 -p1812 -ssecret -r1 ++
++ ++ tries to complete EAP authentication based on the network ++ configuration from test.conf against the RADIUS server running ++ on the local host. A re-authentication is triggered to test fast ++ re-authentication. The configuration file uses the same format for ++ network blocks as wpa_supplicant. ++ ++
++ ++ Command Arguments ++ ++ ++ -c configuration file path ++ ++ A configuration to use. The configuration should ++ use the same format for network blocks as wpa_supplicant. ++ ++ ++ ++ ++ -a AS address ++ ++ IP address of the authentication server. The ++ default is '127.0.0.1'. ++ ++ ++ ++ -A client address ++ ++ IP address of the client. The default is to ++ select an address automatically. ++ ++ ++ ++ -p AS port ++ ++ UDP port of the authentication server. The ++ default is '1812'. ++ ++ ++ ++ -s AS secret ++ ++ Shared secret with the authentication server. ++ The default is 'radius'. ++ ++ ++ ++ -r count ++ ++ Number of reauthentications. ++ ++ ++ ++ -t timeout ++ ++ Timeout in seconds. The default is 30. ++ ++ ++ ++ -C info ++ ++ RADIUS Connect-Info. The default is ++ 'CONNECT 11Mbps 802.11b'. ++ ++ ++ ++ ++ -M mac address ++ ++ Client MAC address (Calling-Station-Id). The ++ default is '02:00:00:00:00:01'. ++ ++ ++ ++ -o file ++ ++ Location to write out server certificate. ++ ++ ++ ++ ++ -N attr spec ++ ++ Send arbitrary attribute specific by ++ attr_id:syntax:value, or attr_id alone. attr_id should be the numeric ++ ID of the attribute, and syntax should be one of 's' (string), ++ 'd' (integer), or 'x' (octet string). The value is the attribute value ++ to send. When attr_id is given alone, NULL is used as the attribute ++ value. Multiple attributes can be specified by using the option ++ several times. ++ ++ ++ ++ -n ++ ++ Indicates that no MPPE keys are expected. ++ ++ ++ ++ ++ -W ++ ++ Wait for a control interface monitor before starting. ++ ++ ++ ++ ++ -S ++ ++ Save configuration after authentication. ++ ++ ++ ++ ++ ++ ++ See Also ++ ++ ++ wpa_supplicant ++ 8 ++ ++ ++ ++ ++ Legal ++ wpa_supplicant is copyright (c) 2003-2012, ++ Jouni Malinen j@w1.fi and ++ contributors. ++ All Rights Reserved. ++ ++ This program is licensed under the BSD license (the one with ++ advertisement clause removed). ++ ++
+diff -up wpa_supplicant-2.0/wpa_supplicant/doc/docbook/Makefile.man-page wpa_supplicant-2.0/wpa_supplicant/doc/docbook/Makefile +--- wpa_supplicant-2.0/wpa_supplicant/doc/docbook/Makefile.man-page 2013-01-12 09:42:53.000000000 -0600 ++++ wpa_supplicant-2.0/wpa_supplicant/doc/docbook/Makefile 2014-01-20 16:40:02.342869164 -0600 +@@ -1,4 +1,4 @@ +-all: man html pdf ++all: man + + FILES += wpa_background + FILES += wpa_cli +@@ -7,6 +7,7 @@ FILES += wpa_passphrase + FILES += wpa_priv + FILES += wpa_supplicant.conf + FILES += wpa_supplicant ++FILES += eapol_test + + man: + for i in $(FILES); do docbook2man $$i.sgml; done +@@ -20,7 +21,7 @@ pdf: + + + clean: +- rm -f wpa_background.8 wpa_cli.8 wpa_gui.8 wpa_passphrase.8 wpa_priv.8 wpa_supplicant.8 ++ rm -f wpa_background.8 wpa_cli.8 wpa_gui.8 wpa_passphrase.8 wpa_priv.8 wpa_supplicant.8 eapol_test.8 + rm -f wpa_supplicant.conf.5 + rm -f manpage.links manpage.refs + rm -f $(FILES:%=%.pdf) +diff -up wpa_supplicant-2.0/wpa_supplicant/doc/docbook/wpa_cli.sgml.man-page wpa_supplicant-2.0/wpa_supplicant/doc/docbook/wpa_cli.sgml +--- wpa_supplicant-2.0/wpa_supplicant/doc/docbook/wpa_cli.sgml.man-page 2013-01-12 09:42:53.000000000 -0600 ++++ wpa_supplicant-2.0/wpa_supplicant/doc/docbook/wpa_cli.sgml 2014-01-20 16:40:02.339869202 -0600 +@@ -15,10 +15,12 @@ + + wpa_cli + -p path to ctrl sockets ++ -g path to global ctrl_interface socket + -i ifname + -hvB + -a action file + -P pid file ++ -G ping interval + command ... + + +@@ -111,6 +113,14 @@ CTRL-REQ-OTP-2:Challenge 1235663 needed + + + ++ -g control socket path ++ ++ Connect to the global control socket at the ++ indicated path rather than an interface-specific control ++ socket. ++ ++ ++ + -i ifname + + Specify the interface that is being +@@ -161,6 +171,13 @@ CTRL-REQ-OTP-2:Challenge 1235663 needed + + + ++ -G ping interval ++ ++ Set the interval (in seconds) at which ++ wpa_cli pings the supplicant. ++ ++ ++ + command + + Run a command. 
The available commands are +diff -up wpa_supplicant-2.0/wpa_supplicant/doc/docbook/wpa_supplicant.sgml.man-page wpa_supplicant-2.0/wpa_supplicant/doc/docbook/wpa_supplicant.sgml +--- wpa_supplicant-2.0/wpa_supplicant/doc/docbook/wpa_supplicant.sgml.man-page 2013-01-12 09:42:53.000000000 -0600 ++++ wpa_supplicant-2.0/wpa_supplicant/doc/docbook/wpa_supplicant.sgml 2014-01-20 16:40:02.339869202 -0600 +@@ -12,7 +12,7 @@ + + + wpa_supplicant +- -BddfhKLqqtuvW ++ -BddfhKLqqsTtuvW + -iifname + -cconfig file + -Ddriver +@@ -344,9 +344,20 @@ + + + ++ -e entropy file ++ ++ File for wpa_supplicant to use to ++ maintain its internal entropy store in over restarts. ++ ++ ++ ++ + -f output file + +- Log output to specified file instead of stdout. ++ Log output to specified file instead of stdout. (This ++ is only available if wpa_supplicant was ++ built with the CONFIG_DEBUG_FILE ++ option.) + + + +@@ -387,6 +398,22 @@ + + + ++ -o override driver ++ ++ Override the driver parameter for new ++ interfaces. ++ ++ ++ ++ ++ -O override ctrl_interface ++ ++ Override the ctrl_interface parameter for new ++ interfaces. ++ ++ ++ ++ + -p + + Driver parameters. (Per interface) +@@ -409,10 +436,40 @@ + + + ++ -s ++ ++ Log output to syslog instead of stdout. (This is only ++ available if wpa_supplicant was built ++ with the CONFIG_DEBUG_SYSLOG ++ option.) ++ ++ ++ ++ ++ -T ++ ++ Log output to Linux tracing in addition to any other ++ destinations. (This is only available ++ if wpa_supplicant was built with ++ the CONFIG_DEBUG_LINUX_TRACING ++ option.) ++ ++ ++ ++ ++ -t ++ ++ Include timestamp in debug messages. ++ ++ ++ ++ + -u + +- Enabled DBus control interface. If enabled, interface +- definitions may be omitted. ++ Enable DBus control interface. If enabled, interface ++ definitions may be omitted. (This is only available ++ if wpa_supplicant was built with ++ the CONFIG_DBUS option.) 
+ + + +diff -up wpa_supplicant-2.0/wpa_supplicant/main.c.man-page wpa_supplicant-2.0/wpa_supplicant/main.c +--- wpa_supplicant-2.0/wpa_supplicant/main.c.man-page 2013-01-12 09:42:53.000000000 -0600 ++++ wpa_supplicant-2.0/wpa_supplicant/main.c 2014-01-20 16:40:02.340869189 -0600 +@@ -23,11 +23,11 @@ static void usage(void) + int i; + printf("%s\n\n%s\n" + "usage:\n" +- " wpa_supplicant [-BddhKLqqstuvW] [-P] " ++ " wpa_supplicant [-BddhKLqqtvW] [-P] " + "[-g] \\\n" + " -i -c [-C] [-D] " + "[-p] \\\n" +- " [-b] [-f] [-e] " ++ " [-b] [-e] " + "\\\n" + " [-o] [-O] \\\n" + " [-N -i -c [-C] " diff --git a/wpa_supplicant.spec b/wpa_supplicant.spec index ef4236c..fb8370c 100644 --- a/wpa_supplicant.spec +++ b/wpa_supplicant.spec @@ -7,7 +7,7 @@ Summary: WPA/WPA2/IEEE 802.1X Supplicant Name: wpa_supplicant Epoch: 1 Version: 2.0 -Release: 11%{?dist} +Release: 12%{?dist} License: BSD Group: System Environment/Base Source0: http://w1.fi/releases/%{name}-%{version}%{rcver}%{snapshot}.tar.gz @@ -42,8 +42,13 @@ Patch6: wpa_supplicant-gui-qt4.patch Patch7: libnl3-includes.patch # Less aggressive roaming; signal strength is wildly variable Patch8: rh837402-less-aggressive-roaming.patch +# Add missing command-line options to man page, also filed upstream +Patch9: rh948453-man-page.patch # Don't evict current AP from PMKSA cache when it's large -Patch9: 0001-Fix-OKC-based-PMKSA-cache-entry-clearing.patch +Patch10: rh1032758-fix-pmksa-cache-entry-clearing.patch +# CVE-2014-3686 +Patch11: 0001-Add-os_exec-helper-to-run-external-programs.patch +Patch12: 0002-wpa_cli-Use-os_exec-for-action-script-execution.patch %if %{build_libeap} # Dirty hack for WiMAX @@ -61,6 +66,7 @@ BuildRequires: readline-devel BuildRequires: dbus-devel BuildRequires: libnl3-devel BuildRequires: systemd-units +BuildRequires: docbook-utils Requires(post): systemd-sysv Requires(post): systemd-units Requires(preun): systemd-units 
@@ -113,7 +119,10 @@ Don't use this unless you know what you're doing. %patch6 -p1 -b .qt4 %patch7 -p1 -b .libnl3 %patch8 -p1 -b .rh837402-less-aggressive-roaming -%patch9 -p1 -b .okc-current-fix +%patch9 -p1 -b .man-page +%patch10 -p1 -b .pmksa-clear-fix +%patch11 -p1 -b .CVE-2014-3686-1 +%patch12 -p1 -b .CVE-2014-3686-2 %build pushd wpa_supplicant @@ -131,6 +140,10 @@ pushd wpa_supplicant make eapol_test popd +pushd wpa_supplicant/doc/docbook + make +popd + %install # init scripts install -D -m 0755 %{SOURCE3} %{buildroot}/%{_unitdir}/%{name}.service @@ -257,6 +270,9 @@ fi %endif %changelog +* Wed Oct 22 2014 Dan Williams - 1:2.0-12 +- Use os_exec() for action script execution (CVE-2014-3686) + * Thu Aug 21 2014 Kevin Fenzi - 1:2.0-11 - Rebuild for rpm bug 1131960