initial buildroot for linux 5.15
This commit is contained in:
+77
@@ -0,0 +1,77 @@
|
||||
From 8c07fa9eda13e835f3f968b2e1c9a8be3a851ff9 Mon Sep 17 00:00:00 2001
|
||||
From: Jouni Malinen <j@w1.fi>
|
||||
Date: Thu, 29 Aug 2019 11:52:04 +0300
|
||||
Subject: [PATCH] AP: Silently ignore management frame from unexpected source
|
||||
address
|
||||
|
||||
Do not process any received Management frames with unexpected/invalid SA
|
||||
so that we do not add any state for unexpected STA addresses or end up
|
||||
sending out frames to unexpected destination. This prevents unexpected
|
||||
sequences where an unprotected frame might end up causing the AP to send
|
||||
out a response to another device and that other device processing the
|
||||
unexpected response.
|
||||
|
||||
In particular, this prevents some potential denial of service cases
|
||||
where the unexpected response frame from the AP might result in a
|
||||
connected station dropping its association.
|
||||
|
||||
Signed-off-by: Jouni Malinen <j@w1.fi>
|
||||
|
||||
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
|
||||
[Retrieved from:
|
||||
https://w1.fi/security/2019-7/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch]
|
||||
---
|
||||
src/ap/drv_callbacks.c | 13 +++++++++++++
|
||||
src/ap/ieee802_11.c | 12 ++++++++++++
|
||||
2 files changed, 25 insertions(+)
|
||||
|
||||
diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c
|
||||
index 31587685fe3b..34ca379edc3d 100644
|
||||
--- a/src/ap/drv_callbacks.c
|
||||
+++ b/src/ap/drv_callbacks.c
|
||||
@@ -131,6 +131,19 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr,
|
||||
"hostapd_notif_assoc: Skip event with no address");
|
||||
return -1;
|
||||
}
|
||||
+
|
||||
+ if (is_multicast_ether_addr(addr) ||
|
||||
+ is_zero_ether_addr(addr) ||
|
||||
+ os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) {
|
||||
+ /* Do not process any frames with unexpected/invalid SA so that
|
||||
+ * we do not add any state for unexpected STA addresses or end
|
||||
+ * up sending out frames to unexpected destination. */
|
||||
+ wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR
|
||||
+ " in received indication - ignore this indication silently",
|
||||
+ __func__, MAC2STR(addr));
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
random_add_randomness(addr, ETH_ALEN);
|
||||
|
||||
hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211,
|
||||
diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
|
||||
index c85a28db44b7..e7065372e158 100644
|
||||
--- a/src/ap/ieee802_11.c
|
||||
+++ b/src/ap/ieee802_11.c
|
||||
@@ -4626,6 +4626,18 @@ int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
|
||||
fc = le_to_host16(mgmt->frame_control);
|
||||
stype = WLAN_FC_GET_STYPE(fc);
|
||||
|
||||
+ if (is_multicast_ether_addr(mgmt->sa) ||
|
||||
+ is_zero_ether_addr(mgmt->sa) ||
|
||||
+ os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
|
||||
+ /* Do not process any frames with unexpected/invalid SA so that
|
||||
+ * we do not add any state for unexpected STA addresses or end
|
||||
+ * up sending out frames to unexpected destination. */
|
||||
+ wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR
|
||||
+ " in received frame - ignore this frame silently",
|
||||
+ MAC2STR(mgmt->sa));
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
if (stype == WLAN_FC_STYPE_BEACON) {
|
||||
handle_beacon(hapd, mgmt, len, fi);
|
||||
return 1;
|
||||
--
|
||||
2.20.1
|
||||
|
||||
+116
@@ -0,0 +1,116 @@
|
||||
From a0541334a6394f8237a4393b7372693cd7e96f15 Mon Sep 17 00:00:00 2001
|
||||
From: Jouni Malinen <j@w1.fi>
|
||||
Date: Sat, 13 Mar 2021 18:19:31 +0200
|
||||
Subject: [PATCH] ASN.1: Validate DigestAlgorithmIdentifier parameters
|
||||
|
||||
The supported hash algorithms do not use AlgorithmIdentifier parameters.
|
||||
However, there are implementations that include NULL parameters in
|
||||
addition to ones that omit the parameters. Previous implementation did
|
||||
not check the parameters value at all which supported both these cases,
|
||||
but did not reject any other unexpected information.
|
||||
|
||||
Use strict validation of digest algorithm parameters and reject any
|
||||
unexpected value when validating a signature. This is needed to prevent
|
||||
potential forging attacks.
|
||||
|
||||
Signed-off-by: Jouni Malinen <j@w1.fi>
|
||||
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
||||
---
|
||||
src/tls/pkcs1.c | 21 +++++++++++++++++++++
|
||||
src/tls/x509v3.c | 20 ++++++++++++++++++++
|
||||
2 files changed, 41 insertions(+)
|
||||
|
||||
diff --git a/src/tls/pkcs1.c b/src/tls/pkcs1.c
|
||||
index bbdb0d72d..5761dfed0 100644
|
||||
--- a/src/tls/pkcs1.c
|
||||
+++ b/src/tls/pkcs1.c
|
||||
@@ -244,6 +244,8 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
|
||||
os_free(decrypted);
|
||||
return -1;
|
||||
}
|
||||
+ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: DigestInfo",
|
||||
+ hdr.payload, hdr.length);
|
||||
|
||||
pos = hdr.payload;
|
||||
end = pos + hdr.length;
|
||||
@@ -265,6 +267,8 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
|
||||
os_free(decrypted);
|
||||
return -1;
|
||||
}
|
||||
+ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: DigestAlgorithmIdentifier",
|
||||
+ hdr.payload, hdr.length);
|
||||
da_end = hdr.payload + hdr.length;
|
||||
|
||||
if (asn1_get_oid(hdr.payload, hdr.length, &oid, &next)) {
|
||||
@@ -273,6 +277,23 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
|
||||
os_free(decrypted);
|
||||
return -1;
|
||||
}
|
||||
+ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: Digest algorithm parameters",
|
||||
+ next, da_end - next);
|
||||
+
|
||||
+ /*
|
||||
+ * RFC 5754: The correct encoding for the SHA2 algorithms would be to
|
||||
+ * omit the parameters, but there are implementation that encode these
|
||||
+ * as a NULL element. Allow these two cases and reject anything else.
|
||||
+ */
|
||||
+ if (da_end > next &&
|
||||
+ (asn1_get_next(next, da_end - next, &hdr) < 0 ||
|
||||
+ !asn1_is_null(&hdr) ||
|
||||
+ hdr.payload + hdr.length != da_end)) {
|
||||
+ wpa_printf(MSG_DEBUG,
|
||||
+ "PKCS #1: Unexpected digest algorithm parameters");
|
||||
+ os_free(decrypted);
|
||||
+ return -1;
|
||||
+ }
|
||||
|
||||
if (!asn1_oid_equal(&oid, hash_alg)) {
|
||||
char txt[100], txt2[100];
|
||||
diff --git a/src/tls/x509v3.c b/src/tls/x509v3.c
|
||||
index a8944dd2f..df337ec4d 100644
|
||||
--- a/src/tls/x509v3.c
|
||||
+++ b/src/tls/x509v3.c
|
||||
@@ -1964,6 +1964,7 @@ int x509_check_signature(struct x509_certificate *issuer,
|
||||
os_free(data);
|
||||
return -1;
|
||||
}
|
||||
+ wpa_hexdump(MSG_MSGDUMP, "X509: DigestInfo", hdr.payload, hdr.length);
|
||||
|
||||
pos = hdr.payload;
|
||||
end = pos + hdr.length;
|
||||
@@ -1985,6 +1986,8 @@ int x509_check_signature(struct x509_certificate *issuer,
|
||||
os_free(data);
|
||||
return -1;
|
||||
}
|
||||
+ wpa_hexdump(MSG_MSGDUMP, "X509: DigestAlgorithmIdentifier",
|
||||
+ hdr.payload, hdr.length);
|
||||
da_end = hdr.payload + hdr.length;
|
||||
|
||||
if (asn1_get_oid(hdr.payload, hdr.length, &oid, &next)) {
|
||||
@@ -1992,6 +1995,23 @@ int x509_check_signature(struct x509_certificate *issuer,
|
||||
os_free(data);
|
||||
return -1;
|
||||
}
|
||||
+ wpa_hexdump(MSG_MSGDUMP, "X509: Digest algorithm parameters",
|
||||
+ next, da_end - next);
|
||||
+
|
||||
+ /*
|
||||
+ * RFC 5754: The correct encoding for the SHA2 algorithms would be to
|
||||
+ * omit the parameters, but there are implementation that encode these
|
||||
+ * as a NULL element. Allow these two cases and reject anything else.
|
||||
+ */
|
||||
+ if (da_end > next &&
|
||||
+ (asn1_get_next(next, da_end - next, &hdr) < 0 ||
|
||||
+ !asn1_is_null(&hdr) ||
|
||||
+ hdr.payload + hdr.length != da_end)) {
|
||||
+ wpa_printf(MSG_DEBUG,
|
||||
+ "X509: Unexpected digest algorithm parameters");
|
||||
+ os_free(data);
|
||||
+ return -1;
|
||||
+ }
|
||||
|
||||
if (x509_sha1_oid(&oid)) {
|
||||
if (signature->oid.oid[6] != 5 /* sha-1WithRSAEncryption */) {
|
||||
--
|
||||
2.20.1
|
||||
|
||||
@@ -0,0 +1,32 @@
|
||||
From 99cf89555313056d3a8fa54b21d02dc880b363e1 Mon Sep 17 00:00:00 2001
|
||||
From: Jouni Malinen <jouni@codeaurora.org>
|
||||
Date: Mon, 20 Apr 2020 20:29:31 +0300
|
||||
Subject: [PATCH] Include stdbool.h to allow C99 bool to be used
|
||||
|
||||
We have practically started requiring some C99 features, so might as
|
||||
well finally go ahead and bring in the C99 bool as well.
|
||||
|
||||
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
|
||||
[geomatsi@gmail.com: backport from upstream]
|
||||
Signed-off-by: Sergey Matyukevich <geomatsi@gmail.com>
|
||||
[yann.morin.1998@free.fr: keep upstream sha1 in header, drop numbering]
|
||||
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
|
||||
---
|
||||
src/utils/includes.h | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/src/utils/includes.h b/src/utils/includes.h
|
||||
index 75513fc8c..741fc9c14 100644
|
||||
--- a/src/utils/includes.h
|
||||
+++ b/src/utils/includes.h
|
||||
@@ -18,6 +18,7 @@
|
||||
|
||||
#include <stdlib.h>
|
||||
#include <stddef.h>
|
||||
+#include <stdbool.h>
|
||||
#include <stdio.h>
|
||||
#include <stdarg.h>
|
||||
#include <string.h>
|
||||
--
|
||||
2.25.1
|
||||
|
||||
+37
@@ -0,0 +1,37 @@
|
||||
From 9a990e8c4eb92dd64e0ec483599820e45c35ac23 Mon Sep 17 00:00:00 2001
|
||||
From: Jouni Malinen <j@w1.fi>
|
||||
Date: Sat, 13 Mar 2021 23:14:23 +0200
|
||||
Subject: [PATCH] ASN.1: Add helper functions for recognizing tag values
|
||||
|
||||
Signed-off-by: Jouni Malinen <j@w1.fi>
|
||||
[geomatsi@gmail.com: backport asn1_is_null() from upstream 9a990e8c4eb9]
|
||||
Signed-off-by: Sergey Matyukevich <geomatsi@gmail.com>
|
||||
[yann.morin.1998@free.fr:
|
||||
- reformat, keep the upstream sha1 and title,
|
||||
- drop numbering
|
||||
]
|
||||
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
|
||||
---
|
||||
src/tls/asn1.h | 102 +++++++++++++++++++++++++++++++++++++++++++++++++
|
||||
1 file changed, 102 insertions(+)
|
||||
|
||||
diff --git a/src/tls/asn1.h b/src/tls/asn1.h
|
||||
index de3430adb..a4d1be473 100644
|
||||
--- a/src/tls/asn1.h
|
||||
+++ b/src/tls/asn1.h
|
||||
@@ -66,6 +66,12 @@ struct wpabuf * asn1_build_alg_id(const struct asn1_oid *oid,
|
||||
unsigned long asn1_bit_string_to_long(const u8 *buf, size_t len);
|
||||
int asn1_oid_equal(const struct asn1_oid *a, const struct asn1_oid *b);
|
||||
|
||||
+static inline bool asn1_is_null(const struct asn1_hdr *hdr)
|
||||
+{
|
||||
+ return hdr->class == ASN1_CLASS_UNIVERSAL &&
|
||||
+ hdr->tag == ASN1_TAG_NULL;
|
||||
+}
|
||||
+
|
||||
extern struct asn1_oid asn1_sha1_oid;
|
||||
extern struct asn1_oid asn1_sha256_oid;
|
||||
|
||||
--
|
||||
2.25.1
|
||||
|
||||
@@ -0,0 +1,4 @@
|
||||
disable wpa_supplicant@.service
|
||||
disable wpa_supplicant-nl80211@.service
|
||||
disable wpa_supplicant-wired@.service
|
||||
|
||||
@@ -0,0 +1,162 @@
|
||||
menuconfig BR2_PACKAGE_WPA_SUPPLICANT
|
||||
bool "wpa_supplicant"
|
||||
depends on BR2_USE_MMU # fork()
|
||||
select BR2_PACKAGE_LIBOPENSSL_ENABLE_DES if BR2_PACKAGE_LIBOPENSSL
|
||||
select BR2_PACKAGE_LIBOPENSSL_ENABLE_MD4 if BR2_PACKAGE_LIBOPENSSL
|
||||
help
|
||||
WPA supplicant for secure wireless networks
|
||||
|
||||
http://w1.fi/wpa_supplicant/
|
||||
|
||||
if BR2_PACKAGE_WPA_SUPPLICANT
|
||||
|
||||
config BR2_PACKAGE_WPA_SUPPLICANT_NL80211
|
||||
bool "Enable nl80211 support"
|
||||
default y
|
||||
depends on BR2_TOOLCHAIN_HAS_THREADS # libnl
|
||||
select BR2_PACKAGE_LIBNL
|
||||
help
|
||||
Enable support for nl80211. This is the current wireless
|
||||
API for Linux, supported by all wireless drivers in vanilla
|
||||
Linux, but may not be supported by some out-of-tree Linux
|
||||
wireless drivers. wpa_supplicant will still fall back to
|
||||
using the Wireless Extensions (wext) API with these drivers.
|
||||
|
||||
If this option is disabled, then only the deprecated wext
|
||||
API will be supported, with far less features. Linux may
|
||||
supports using wext with modern drivers using a
|
||||
compatibility layer, but it must be enabled in the kernel
|
||||
configuration.
|
||||
|
||||
comment "nl80211 support needs a toolchain w/ threads"
|
||||
depends on !BR2_TOOLCHAIN_HAS_THREADS
|
||||
|
||||
config BR2_PACKAGE_WPA_SUPPLICANT_WEXT
|
||||
bool "Enable wext (deprecated)"
|
||||
default y if !BR2_TOOLCHAIN_HAS_THREADS
|
||||
help
|
||||
Enable support for wext. This is the historic wireless API
|
||||
for Linux, which is now deprecated and in maintenance-only in
|
||||
the kernel. It may still be required by out-of-tree drivers.
|
||||
|
||||
config BR2_PACKAGE_WPA_SUPPLICANT_WIRED
|
||||
bool "Enable wired support"
|
||||
select BR2_PACKAGE_WPA_SUPPLICANT_EAP
|
||||
help
|
||||
Include the "wired" driver, so the internal IEEE 802.1x
|
||||
supplicant can be used with Ethernet. This also enables
|
||||
support for MACSEC.
|
||||
|
||||
comment "wpa_supplicant will be useless without at least one driver"
|
||||
depends on !BR2_PACKAGE_WPA_SUPPLICANT_NL80211 && \
|
||||
!BR2_PACKAGE_WPA_SUPPLICANT_WEXT && \
|
||||
!BR2_PACKAGE_WPA_SUPPLICANT_WIRED
|
||||
|
||||
config BR2_PACKAGE_WPA_SUPPLICANT_IBSS_RSN
|
||||
bool "Enable IBSS RSN"
|
||||
depends on BR2_PACKAGE_WPA_SUPPLICANT_NL80211
|
||||
help
|
||||
Enable support for RSN/WPA2 in Ad-Hoc mode.
|
||||
|
||||
config BR2_PACKAGE_WPA_SUPPLICANT_AP_SUPPORT
|
||||
bool "Enable AP mode"
|
||||
depends on BR2_PACKAGE_WPA_SUPPLICANT_NL80211
|
||||
help
|
||||
With this option enabled, wpa_supplicant can act as an
|
||||
access point much like hostapd does with a limited feature
|
||||
set. This links in parts of hostapd functionality into
|
||||
wpa_supplicant, making it bigger but dispensing the need for
|
||||
a separate hostapd binary in some applications hence being
|
||||
smaller overall. It also enables support for Wi-Fi Direct.
|
||||
|
||||
config BR2_PACKAGE_WPA_SUPPLICANT_WIFI_DISPLAY
|
||||
bool "Enable Wi-Fi Display"
|
||||
depends on BR2_PACKAGE_WPA_SUPPLICANT_AP_SUPPORT
|
||||
help
|
||||
Enable support for Wi-Fi Display
|
||||
|
||||
config BR2_PACKAGE_WPA_SUPPLICANT_MESH_NETWORKING
|
||||
bool "Enable mesh networking"
|
||||
depends on BR2_PACKAGE_WPA_SUPPLICANT_AP_SUPPORT
|
||||
select BR2_PACKAGE_OPENSSL
|
||||
select BR2_PACKAGE_OPENSSL_FORCE_LIBOPENSSL
|
||||
help
|
||||
Enable support for open and secured mesh networking
|
||||
(IEEE 802.11s)
|
||||
|
||||
config BR2_PACKAGE_WPA_SUPPLICANT_AUTOSCAN
|
||||
bool "Enable autoscan"
|
||||
help
|
||||
Enable support for the autoscan feature (allow periodic scan)
|
||||
|
||||
config BR2_PACKAGE_WPA_SUPPLICANT_EAP
|
||||
bool "Enable EAP"
|
||||
help
|
||||
Enable support for EAP, 802.1x/WPA-Enterprise and FILS.
|
||||
|
||||
config BR2_PACKAGE_WPA_SUPPLICANT_HOTSPOT
|
||||
bool "Enable HS20"
|
||||
select BR2_PACKAGE_WPA_SUPPLICANT_EAP
|
||||
help
|
||||
Enable Hotspot 2.0 and IEEE 802.11u interworking
|
||||
functionality.
|
||||
|
||||
config BR2_PACKAGE_WPA_SUPPLICANT_DEBUG_SYSLOG
|
||||
bool "Enable syslog support"
|
||||
help
|
||||
Enable support for sending debug messages to syslog.
|
||||
|
||||
config BR2_PACKAGE_WPA_SUPPLICANT_WPS
|
||||
bool "Enable WPS"
|
||||
help
|
||||
Enable support for Wi-Fi Protected Setup (WPS).
|
||||
|
||||
config BR2_PACKAGE_WPA_SUPPLICANT_WPA3
|
||||
bool "Enable WPA3 support"
|
||||
select BR2_PACKAGE_OPENSSL
|
||||
select BR2_PACKAGE_OPENSSL_FORCE_LIBOPENSSL
|
||||
help
|
||||
Enable WPA3 support including OWE, SAE, DPP
|
||||
|
||||
config BR2_PACKAGE_WPA_SUPPLICANT_CLI
|
||||
bool "Install wpa_cli binary"
|
||||
select BR2_PACKAGE_WPA_SUPPLICANT_CTRL_IFACE
|
||||
help
|
||||
Install wpa_cli command line utility
|
||||
|
||||
config BR2_PACKAGE_WPA_SUPPLICANT_WPA_CLIENT_SO
|
||||
bool "Install wpa_client shared library"
|
||||
depends on !BR2_STATIC_LIBS
|
||||
help
|
||||
Install libwpa_client.so.
|
||||
|
||||
comment "wpa_client library needs a toolchain w/ dynamic library"
|
||||
depends on BR2_STATIC_LIBS
|
||||
|
||||
config BR2_PACKAGE_WPA_SUPPLICANT_PASSPHRASE
|
||||
bool "Install wpa_passphrase binary"
|
||||
help
|
||||
Install wpa_passphrase command line utility.
|
||||
|
||||
config BR2_PACKAGE_WPA_SUPPLICANT_CTRL_IFACE
|
||||
bool "Enable the Unix-socket control interface"
|
||||
help
|
||||
Enable support for the Unix-socket-based API.
|
||||
|
||||
config BR2_PACKAGE_WPA_SUPPLICANT_DBUS
|
||||
bool "Enable support for the DBus control interface"
|
||||
depends on BR2_TOOLCHAIN_HAS_THREADS # dbus
|
||||
select BR2_PACKAGE_DBUS
|
||||
help
|
||||
Enable support for the DBus control interface.
|
||||
|
||||
comment "dbus support needs a toolchain w/ threads"
|
||||
depends on !BR2_TOOLCHAIN_HAS_THREADS
|
||||
|
||||
config BR2_PACKAGE_WPA_SUPPLICANT_DBUS_INTROSPECTION
|
||||
bool "Introspection support"
|
||||
depends on BR2_PACKAGE_WPA_SUPPLICANT_DBUS
|
||||
help
|
||||
Add introspection support for the DBus control interface.
|
||||
|
||||
endif
|
||||
@@ -0,0 +1,6 @@
|
||||
ctrl_interface=/var/run/wpa_supplicant
|
||||
ap_scan=1
|
||||
|
||||
network={
|
||||
key_mgmt=NONE
|
||||
}
|
||||
@@ -0,0 +1,5 @@
|
||||
# Locally calculated
|
||||
sha256 fcbdee7b4a64bea8177973299c8c824419c413ec2e3a95db63dd6a5dc3541f17 wpa_supplicant-2.9.tar.gz
|
||||
sha256 9da5dd0776da266b180b915e460ff75c6ff729aca1196ab396529510f24f3761 README
|
||||
sha256 c4d65cc13863e0237d0644198558e2c47b4ed91e2b2be4516ff590724187c4a5 0001-P2P-Fix-copying-of-secondary-device-types-for-P2P-gr.patch
|
||||
sha256 7f40cfec5faf5e927ea9028ab9392cd118685bde7229ad24210caf0a8f6e9611 0001-P2P-Fix-a-corner-case-in-peer-addition-based-on-PD-R.patch
|
||||
@@ -0,0 +1,263 @@
|
||||
################################################################################
|
||||
#
|
||||
# wpa_supplicant
|
||||
#
|
||||
################################################################################
|
||||
|
||||
WPA_SUPPLICANT_VERSION = 2.9
|
||||
WPA_SUPPLICANT_SITE = http://w1.fi/releases
|
||||
WPA_SUPPLICANT_PATCH = \
|
||||
https://w1.fi/security/2020-2/0001-P2P-Fix-copying-of-secondary-device-types-for-P2P-gr.patch \
|
||||
https://w1.fi/security/2021-1/0001-P2P-Fix-a-corner-case-in-peer-addition-based-on-PD-R.patch
|
||||
WPA_SUPPLICANT_LICENSE = BSD-3-Clause
|
||||
WPA_SUPPLICANT_LICENSE_FILES = README
|
||||
WPA_SUPPLICANT_CPE_ID_VENDOR = w1.fi
|
||||
WPA_SUPPLICANT_CONFIG = $(WPA_SUPPLICANT_DIR)/wpa_supplicant/.config
|
||||
WPA_SUPPLICANT_SUBDIR = wpa_supplicant
|
||||
WPA_SUPPLICANT_DBUS_SERVICE = fi.w1.wpa_supplicant1
|
||||
WPA_SUPPLICANT_CFLAGS = $(TARGET_CFLAGS) -I$(STAGING_DIR)/usr/include/libnl3/
|
||||
WPA_SUPPLICANT_LDFLAGS = $(TARGET_LDFLAGS)
|
||||
WPA_SUPPLICANT_SELINUX_MODULES = networkmanager
|
||||
|
||||
# 0001-AP-Silently-ignore-management-frame-from-unexpected-.patch
|
||||
WPA_SUPPLICANT_IGNORE_CVES += CVE-2019-16275
|
||||
|
||||
# 0001-P2P-Fix-a-corner-case-in-peer-addition-based-on-PD-R.patch
|
||||
WPA_SUPPLICANT_IGNORE_CVES += CVE-2021-27803
|
||||
|
||||
# 0002-ASN.1-Validate-DigestAlgorithmIdentifier-parameters.patch
|
||||
WPA_SUPPLICANT_IGNORE_CVES += CVE-2021-30004
|
||||
|
||||
# install the wpa_client library
|
||||
WPA_SUPPLICANT_INSTALL_STAGING = YES
|
||||
|
||||
WPA_SUPPLICANT_CONFIG_EDITS =
|
||||
|
||||
WPA_SUPPLICANT_CONFIG_ENABLE = \
|
||||
CONFIG_INTERNAL_LIBTOMMATH \
|
||||
CONFIG_MATCH_IFACE
|
||||
|
||||
WPA_SUPPLICANT_CONFIG_DISABLE = \
|
||||
CONFIG_SMARTCARD
|
||||
|
||||
# libnl-3 needs -lm (for rint) and -lpthread if linking statically
|
||||
# And library order matters hence stick -lnl-3 first since it's appended
|
||||
# in the wpa_supplicant Makefiles as in LIBS+=-lnl-3 ... thus failing
|
||||
ifeq ($(BR2_PACKAGE_WPA_SUPPLICANT_NL80211),y)
|
||||
ifeq ($(BR2_STATIC_LIBS),y)
|
||||
WPA_SUPPLICANT_LIBS += -lnl-3 -lm -lpthread
|
||||
endif
|
||||
WPA_SUPPLICANT_DEPENDENCIES += host-pkgconf libnl
|
||||
WPA_SUPPLICANT_CONFIG_ENABLE += CONFIG_LIBNL32
|
||||
else
|
||||
WPA_SUPPLICANT_CONFIG_DISABLE += CONFIG_DRIVER_NL80211
|
||||
endif
|
||||
|
||||
ifeq ($(BR2_PACKAGE_WPA_SUPPLICANT_WEXT),)
|
||||
WPA_SUPPLICANT_CONFIG_DISABLE += CONFIG_DRIVER_WEXT
|
||||
endif
|
||||
|
||||
ifeq ($(BR2_PACKAGE_WPA_SUPPLICANT_IBSS_RSN), )
|
||||
WPA_SUPPLICANT_CONFIG_DISABLE += CONFIG_IBSS_RSN
|
||||
endif
|
||||
|
||||
# Trailing underscore on purpose to not enable CONFIG_EAPOL_TEST
|
||||
ifeq ($(BR2_PACKAGE_WPA_SUPPLICANT_EAP),y)
|
||||
WPA_SUPPLICANT_CONFIG_ENABLE += CONFIG_EAP_
|
||||
# uses dlopen()
|
||||
ifeq ($(BR2_STATIC_LIBS),y)
|
||||
WPA_SUPPLICANT_CONFIG_DISABLE += CONFIG_EAP_TNC
|
||||
endif
|
||||
else
|
||||
WPA_SUPPLICANT_CONFIG_DISABLE += \
|
||||
CONFIG_EAP \
|
||||
CONFIG_IEEE8021X_EAPOL \
|
||||
CONFIG_FILS
|
||||
endif
|
||||
|
||||
ifeq ($(BR2_PACKAGE_WPA_SUPPLICANT_WIRED),)
|
||||
WPA_SUPPLICANT_CONFIG_DISABLE += \
|
||||
CONFIG_DRIVER_WIRED \
|
||||
CONFIG_MACSEC \
|
||||
CONFIG_DRIVER_MACSEC
|
||||
endif
|
||||
|
||||
ifeq ($(BR2_PACKAGE_WPA_SUPPLICANT_HOTSPOT),)
|
||||
WPA_SUPPLICANT_CONFIG_DISABLE += \
|
||||
CONFIG_HS20 \
|
||||
CONFIG_INTERWORKING
|
||||
endif
|
||||
|
||||
ifeq ($(BR2_PACKAGE_WPA_SUPPLICANT_AP_SUPPORT),y)
|
||||
WPA_SUPPLICANT_CONFIG_ENABLE += \
|
||||
CONFIG_AP \
|
||||
CONFIG_P2P
|
||||
else
|
||||
WPA_SUPPLICANT_CONFIG_DISABLE += \
|
||||
CONFIG_AP \
|
||||
CONFIG_P2P
|
||||
endif
|
||||
|
||||
ifeq ($(BR2_PACKAGE_WPA_SUPPLICANT_WIFI_DISPLAY),y)
|
||||
WPA_SUPPLICANT_CONFIG_ENABLE += CONFIG_WIFI_DISPLAY
|
||||
else
|
||||
WPA_SUPPLICANT_CONFIG_DISABLE += CONFIG_WIFI_DISPLAY
|
||||
endif
|
||||
|
||||
ifeq ($(BR2_PACKAGE_WPA_SUPPLICANT_MESH_NETWORKING),y)
|
||||
WPA_SUPPLICANT_CONFIG_ENABLE += CONFIG_MESH
|
||||
else
|
||||
WPA_SUPPLICANT_CONFIG_DISABLE += CONFIG_MESH
|
||||
endif
|
||||
|
||||
ifeq ($(BR2_PACKAGE_WPA_SUPPLICANT_AUTOSCAN),y)
|
||||
WPA_SUPPLICANT_CONFIG_ENABLE += \
|
||||
CONFIG_AUTOSCAN_EXPONENTIAL \
|
||||
CONFIG_AUTOSCAN_PERIODIC
|
||||
endif
|
||||
|
||||
ifeq ($(BR2_PACKAGE_WPA_SUPPLICANT_WPS),)
|
||||
WPA_SUPPLICANT_CONFIG_DISABLE += CONFIG_WPS
|
||||
endif
|
||||
|
||||
ifeq ($(BR2_PACKAGE_WPA_SUPPLICANT_WPA3),y)
|
||||
WPA_SUPPLICANT_CONFIG_ENABLE += \
|
||||
CONFIG_DPP \
|
||||
CONFIG_SAE \
|
||||
CONFIG_OWE
|
||||
else
|
||||
WPA_SUPPLICANT_CONFIG_DISABLE += \
|
||||
CONFIG_DPP \
|
||||
CONFIG_SAE \
|
||||
CONFIG_OWE
|
||||
endif
|
||||
|
||||
# Try to use openssl if it's already available
|
||||
ifeq ($(BR2_PACKAGE_LIBOPENSSL),y)
|
||||
WPA_SUPPLICANT_DEPENDENCIES += host-pkgconf libopenssl
|
||||
WPA_SUPPLICANT_LIBS += `$(PKG_CONFIG_HOST_BINARY) --libs openssl`
|
||||
WPA_SUPPLICANT_CONFIG_EDITS += 's/\#\(CONFIG_TLS=openssl\)/\1/'
|
||||
else
|
||||
WPA_SUPPLICANT_CONFIG_DISABLE += CONFIG_EAP_PWD CONFIG_EAP_TEAP
|
||||
WPA_SUPPLICANT_CONFIG_EDITS += 's/\#\(CONFIG_TLS=\).*/\1internal/'
|
||||
endif
|
||||
|
||||
ifeq ($(BR2_PACKAGE_WPA_SUPPLICANT_CTRL_IFACE),)
|
||||
WPA_SUPPLICANT_CONFIG_DISABLE += CONFIG_CTRL_IFACE\>
|
||||
endif
|
||||
|
||||
ifeq ($(BR2_PACKAGE_WPA_SUPPLICANT_DBUS),y)
|
||||
WPA_SUPPLICANT_DEPENDENCIES += host-pkgconf dbus
|
||||
WPA_SUPPLICANT_MAKE_ENV = \
|
||||
PKG_CONFIG_SYSROOT_DIR="$(STAGING_DIR)" \
|
||||
PKG_CONFIG_PATH="$(STAGING_DIR)/usr/lib/pkgconfig"
|
||||
WPA_SUPPLICANT_CONFIG_ENABLE += CONFIG_CTRL_IFACE_DBUS_NEW
|
||||
define WPA_SUPPLICANT_INSTALL_DBUS_NEW
|
||||
$(INSTALL) -m 0644 -D \
|
||||
$(@D)/wpa_supplicant/dbus/$(WPA_SUPPLICANT_DBUS_SERVICE).service \
|
||||
$(TARGET_DIR)/usr/share/dbus-1/system-services/$(WPA_SUPPLICANT_DBUS_SERVICE).service
|
||||
endef
|
||||
|
||||
ifeq ($(BR2_PACKAGE_WPA_SUPPLICANT_DBUS_INTROSPECTION),y)
|
||||
WPA_SUPPLICANT_CONFIG_ENABLE += CONFIG_CTRL_IFACE_DBUS_INTRO
|
||||
endif
|
||||
|
||||
else
|
||||
WPA_SUPPLICANT_CONFIG_DISABLE += CONFIG_CTRL_IFACE_DBUS_NEW
|
||||
endif
|
||||
|
||||
ifeq ($(BR2_PACKAGE_WPA_SUPPLICANT_DEBUG_SYSLOG),)
|
||||
WPA_SUPPLICANT_CONFIG_DISABLE += CONFIG_DEBUG_SYSLOG
|
||||
endif
|
||||
|
||||
ifeq ($(BR2_PACKAGE_READLINE),y)
|
||||
WPA_SUPPLICANT_DEPENDENCIES += readline
|
||||
WPA_SUPPLICANT_CONFIG_ENABLE += CONFIG_READLINE
|
||||
endif
|
||||
|
||||
ifeq ($(BR2_PACKAGE_WPA_SUPPLICANT_WPA_CLIENT_SO),y)
|
||||
WPA_SUPPLICANT_CONFIG_SET += CONFIG_BUILD_WPA_CLIENT_SO
|
||||
define WPA_SUPPLICANT_INSTALL_WPA_CLIENT_SO
|
||||
$(INSTALL) -m 0644 -D $(@D)/$(WPA_SUPPLICANT_SUBDIR)/libwpa_client.so \
|
||||
$(TARGET_DIR)/usr/lib/libwpa_client.so
|
||||
$(INSTALL) -m 0644 -D $(@D)/src/common/wpa_ctrl.h \
|
||||
$(TARGET_DIR)/usr/include/wpa_ctrl.h
|
||||
endef
|
||||
define WPA_SUPPLICANT_INSTALL_STAGING_WPA_CLIENT_SO
|
||||
$(INSTALL) -m 0644 -D $(@D)/$(WPA_SUPPLICANT_SUBDIR)/libwpa_client.so \
|
||||
$(STAGING_DIR)/usr/lib/libwpa_client.so
|
||||
$(INSTALL) -m 0644 -D $(@D)/src/common/wpa_ctrl.h \
|
||||
$(STAGING_DIR)/usr/include/wpa_ctrl.h
|
||||
endef
|
||||
endif
|
||||
|
||||
define WPA_SUPPLICANT_CONFIGURE_CMDS
|
||||
cp $(@D)/wpa_supplicant/defconfig $(WPA_SUPPLICANT_CONFIG)
|
||||
sed -i $(patsubst %,-e 's/^#\(%\)/\1/',$(WPA_SUPPLICANT_CONFIG_ENABLE)) \
|
||||
$(patsubst %,-e 's/^\(%\)/#\1/',$(WPA_SUPPLICANT_CONFIG_DISABLE)) \
|
||||
$(patsubst %,-e '1i%=y',$(WPA_SUPPLICANT_CONFIG_SET)) \
|
||||
$(patsubst %,-e %,$(WPA_SUPPLICANT_CONFIG_EDITS)) \
|
||||
$(WPA_SUPPLICANT_CONFIG)
|
||||
endef
|
||||
|
||||
# LIBS for wpa_supplicant, LIBS_c for wpa_cli, LIBS_p for wpa_passphrase
|
||||
define WPA_SUPPLICANT_BUILD_CMDS
|
||||
$(TARGET_MAKE_ENV) CFLAGS="$(WPA_SUPPLICANT_CFLAGS)" \
|
||||
LDFLAGS="$(TARGET_LDFLAGS)" BINDIR=/usr/sbin \
|
||||
LIBS="$(WPA_SUPPLICANT_LIBS)" LIBS_c="$(WPA_SUPPLICANT_LIBS)" \
|
||||
LIBS_p="$(WPA_SUPPLICANT_LIBS)" \
|
||||
$(MAKE) CC="$(TARGET_CC)" -C $(@D)/$(WPA_SUPPLICANT_SUBDIR)
|
||||
endef
|
||||
|
||||
ifeq ($(BR2_PACKAGE_WPA_SUPPLICANT_CLI),y)
|
||||
define WPA_SUPPLICANT_INSTALL_CLI
|
||||
$(INSTALL) -m 0755 -D $(@D)/$(WPA_SUPPLICANT_SUBDIR)/wpa_cli \
|
||||
$(TARGET_DIR)/usr/sbin/wpa_cli
|
||||
endef
|
||||
endif
|
||||
|
||||
ifeq ($(BR2_PACKAGE_WPA_SUPPLICANT_PASSPHRASE),y)
|
||||
define WPA_SUPPLICANT_INSTALL_PASSPHRASE
|
||||
$(INSTALL) -m 0755 -D $(@D)/$(WPA_SUPPLICANT_SUBDIR)/wpa_passphrase \
|
||||
$(TARGET_DIR)/usr/sbin/wpa_passphrase
|
||||
endef
|
||||
endif
|
||||
|
||||
ifeq ($(BR2_PACKAGE_DBUS),y)
|
||||
define WPA_SUPPLICANT_INSTALL_DBUS
|
||||
$(INSTALL) -m 0644 -D \
|
||||
$(@D)/wpa_supplicant/dbus/dbus-wpa_supplicant.conf \
|
||||
$(TARGET_DIR)/etc/dbus-1/system.d/wpa_supplicant.conf
|
||||
$(WPA_SUPPLICANT_INSTALL_DBUS_NEW)
|
||||
endef
|
||||
endif
|
||||
|
||||
define WPA_SUPPLICANT_INSTALL_STAGING_CMDS
|
||||
$(WPA_SUPPLICANT_INSTALL_STAGING_WPA_CLIENT_SO)
|
||||
endef
|
||||
|
||||
define WPA_SUPPLICANT_INSTALL_TARGET_CMDS
|
||||
$(INSTALL) -m 0755 -D $(@D)/$(WPA_SUPPLICANT_SUBDIR)/wpa_supplicant \
|
||||
$(TARGET_DIR)/usr/sbin/wpa_supplicant
|
||||
$(INSTALL) -m 644 -D package/wpa_supplicant/wpa_supplicant.conf \
|
||||
$(TARGET_DIR)/etc/wpa_supplicant.conf
|
||||
$(WPA_SUPPLICANT_INSTALL_CLI)
|
||||
$(WPA_SUPPLICANT_INSTALL_PASSPHRASE)
|
||||
$(WPA_SUPPLICANT_INSTALL_DBUS)
|
||||
$(WPA_SUPPLICANT_INSTALL_WPA_CLIENT_SO)
|
||||
endef
|
||||
|
||||
define WPA_SUPPLICANT_INSTALL_INIT_SYSTEMD
|
||||
$(INSTALL) -m 0644 -D $(@D)/$(WPA_SUPPLICANT_SUBDIR)/systemd/wpa_supplicant.service \
|
||||
$(TARGET_DIR)/usr/lib/systemd/system/wpa_supplicant.service
|
||||
$(INSTALL) -m 0644 -D $(@D)/$(WPA_SUPPLICANT_SUBDIR)/systemd/wpa_supplicant@.service \
|
||||
$(TARGET_DIR)/usr/lib/systemd/system/wpa_supplicant@.service
|
||||
$(INSTALL) -m 0644 -D $(@D)/$(WPA_SUPPLICANT_SUBDIR)/systemd/wpa_supplicant-nl80211@.service \
|
||||
$(TARGET_DIR)/usr/lib/systemd/system/wpa_supplicant-nl80211@.service
|
||||
$(INSTALL) -m 0644 -D $(@D)/$(WPA_SUPPLICANT_SUBDIR)/systemd/wpa_supplicant-wired@.service \
|
||||
$(TARGET_DIR)/usr/lib/systemd/system/wpa_supplicant-wired@.service
|
||||
$(INSTALL) -D -m 644 $(WPA_SUPPLICANT_PKGDIR)/50-wpa_supplicant.preset \
|
||||
$(TARGET_DIR)/usr/lib/systemd/system-preset/50-wpa_supplicant.preset
|
||||
endef
|
||||
|
||||
$(eval $(generic-package))
|
||||
Reference in New Issue
Block a user