Hello community,
here is the log from the commit of package wpa_supplicant.3820 for openSUSE:13.1:Update checked in at 2015-06-11 13:39:08
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:13.1:Update/wpa_supplicant.3820 (Old)
and /work/SRC/openSUSE:13.1:Update/.wpa_supplicant.3820.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "wpa_supplicant.3820"
Changes:
--------
New Changes file:
--- /dev/null 2015-05-15 19:41:08.266053825 +0200
+++ /work/SRC/openSUSE:13.1:Update/.wpa_supplicant.3820.new/wpa_supplicant.changes 2015-06-11 13:39:10.000000000 +0200
@@ -0,0 +1,1369 @@
+-------------------------------------------------------------------
+Thu May 7 17:18:29 CEST 2015 - ro@suse.de
+
+- added patch for bnc#930077
+ 0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch
+- added patch for bnc#930078
+ 0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch
+- added patches for bnc#930079
+ 0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch
+ 0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch
+ 0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch
+ 0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch
+ 0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch
+
+-------------------------------------------------------------------
+Mon Apr 20 01:55:01 CEST 2015 - ro@suse.de
+
+- add patch (bnc#927558) (CVE-2015-1863)
+ 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch
+ wpa_supplicant P2P SSID processing vulnerability
+
+-------------------------------------------------------------------
+Mon Oct 13 17:39:56 CEST 2014 - ro@suse.de
+
+- add 0001-Add-os_exec-helper-to-run-external-programs.patch
+- add 0002-wpa_cli-Use-os_exec-for-action-script-execution.patch
+- fixing CVE-2014-3686 (bnc#900611) trying to abuse the action
+ scripts in wpa_cli
+
+-------------------------------------------------------------------
+Mon Jun 16 06:29:16 UTC 2014 - glin@suse.com
+
+- Enable AP mode and P2P (bnc#860885)
+
+-------------------------------------------------------------------
+Mon Sep 9 09:18:17 UTC 2013 - fcrozat@suse.com
+
+- Add systemd service file, to properly track wpa_supplicant in
+ its own systemd service (and not in dbus one).
+- Always enable systemd service, it is still dbus activated.
+
+-------------------------------------------------------------------
+Wed Apr 24 03:48:27 UTC 2013 - glin@suse.com
+
+- Update to 2.0
+ * removed Qt3-based wpa_gui (obsoleted by wpa_qui-qt4)
+ * removed unmaintained driver wrappers broadcom, iphone, osx,
+ ralink, hostap, madwifi (hostap and madwifi remain available
+ for hostapd; their wpa_supplicant functionality is obsoleted
+ by wext)
+ * improved debug logging (human readable event names, interface
+ name included in more entries)
+ * changed AP mode behavior to enable WPS only for open and
+ WPA/WPA2-Personal configuration
+ * improved P2P concurrency operations
+ - better coordination of concurrent scan and P2P search
+ operations
+ - avoid concurrent remain-on-channel operation requests by
+ canceling previous operations prior to starting a new one
+ - reject operations that would require multi-channel
+ concurrency if the driver does not support it
+ - add parameter to select whether STA or P2P connection is
+ preferred if the driver cannot support both at the same time
+ - allow driver to indicate channel changes
+ - added optional delay=<search delay in milliseconds> parameter
+ for p2p_find to avoid taking all radio resources
+ - use 500 ms p2p_find search delay by default during concurrent
+ operations
+ - allow all channels in GO Negotiation if the driver supports
+ multi-channel concurrency
+ * added number of small changes to make it easier for static
+ analyzers to understand the implementation
+ * fixed number of small bugs (see git logs for more details)
+ * nl80211: number of updates to use new cfg80211/nl80211
+ functionality
+ - replace monitor interface with nl80211 commands for AP mode
+ - additional information for driver-based AP SME
+ - STA entry authorization in RSN IBSS
+ * EAP-pwd:
+ - fixed KDF for group 21 and zero-padding
+ - added support for fragmentation
+ - increased maximum number of hunting-and-pecking iterations
+ * avoid excessive Probe Response retries for broadcast Probe
+ Request frames (only with drivers using wpa_supplicant AP mode
+ SME/MLME)
+ * added "GET country" ctrl_iface command
+ * do not save an invalid network block in wpa_supplicant.conf to
+ avoid problems reading the file on next start
+ * send STA connected/disconnected ctrl_iface events to both the
+ P2P group and parent interfaces
+ * added preliminary support for using TLS v1.2 (CONFIG_TLSV12=y)
+ * added "SET pno <1/0>" ctrl_iface command to start/stop
+ preferred network offload with sched_scan driver command
+ * merged in number of changes from Android repository for P2P,
+ nl80211, and build parameters
+ * changed P2P GO mode configuration to use driver capabilities
+ to automatically enable HT operations when supported
+ * added "wpa_cli status wps" command to fetch WPA2-Personal
+ passhrase for WPS use cases in AP mode
+ * EAP-AKA: keep pseudonym identity across EAP exchanges to match
+ EAP-SIM behavior
+ * improved reassociation behavior in cases where association is
+ rejected or when an AP disconnects us to handle common load
+ balancing mechanisms
+ - try to avoid extra scans when the needed information is
+ available
+ * added optional "join" argument for p2p_prov_disc ctrl_iface
+ command
+ * added group ifname to P2P-PROV-DISC-* events
+ * added P2P Device Address to AP-STA-DISCONNECTED event and use
+ p2p_dev_addr parameter name with AP-STA-CONNECTED
+ * added workarounds for WPS PBC overlap detection for some P2P
+ use cases where deployed stations work incorrectly
+ * optimize WPS connection speed by disconnecting prior to WPS
+ scan and by using single channel scans when AP channel is
+ known
+ * PCSC and SIM/USIM improvements:
+ - accept 0x67 (Wrong length) as a response to READ RECORD to
+ fix issues with some USIM cards
+ - try to read MNC length from SIM/USIM
+ - build realm according to 3GPP TS 23.003 with identity from
+ the SIM
+ - allow T1 protocol to be enabled
+ * added more WPS and P2P information available through D-Bus
+ * improve P2P negotiation robustness
+ - extra waits to get ACK frames through
+ - longer timeouts for cases where deployed devices have been
+ identified have issues meeting the specification
+ requirements
+ - more retries for some P2P frames
+ - handle race conditions in GO Negotiation start by both
+ devices
+ - ignore unexpected GO Negotiation Response frame
+ * added support for libnl 3.2 and newer
+ * added P2P persistent group info to P2P_PEER data
+ * maintain a list of P2P Clients for persistent group on GO
+ * AP: increased initial group key handshake retransmit timeout to
+ 500 ms
+ * added optional dev_id parameter for p2p_find
+ * added P2P-FIND-STOPPED ctrl_iface event
+ * fixed issues in WPA/RSN element validation when roaming with
+ ap_scan=1 and driver-based BSS selection
+ * do not expire P2P peer entries while connected with the peer in a
+ group
+ * fixed WSC element inclusion in cases where P2P is disabled
+ * AP: added a WPS workaround for mixed mode AP Settings with
+ Windows 7
+ * EAP-SIM: fixed AT_COUNTER_TOO_SMALL use
+ * EAP-SIM/AKA: append realm to pseudonym identity
+ * EAP-SIM/AKA: store pseudonym identity in network configuration
+ to allow it to persist over multiple EAP sessions and
+ wpa_supplicant restarts
+ * EAP-AKA': updated to RFC 5448 (username prefixes changed);
+ note: this breaks interoperability with older versions
+ * added support for WFA Hotspot 2.0
+ - GAS/ANQP to fetch network information
+ - credential configuration and automatic network selections
+ based on credential match with ANQP information
+ * limited PMKSA cache entries to be used only with the network
+ context that was used to create them
+ * improved PMKSA cache expiration to avoid unnecessary
+ disconnections
+ * adjusted bgscan_simple fast-scan backoff to avoid too frequent
+ background scans
+ * removed ctrl_iface event on P2P PD Response in join-group case
+ * added option to fetch BSS table entry based on P2P Device
+ Address ("BSS p2p_dev_addr=<P2P Device Address>")
+ * added BSS entry age to ctrl_iface BSS command output
+ * added optional MASK=0xH option for ctrl_iface BSS command to
+ select which fields are included in the response
+ * added optional RANGE=ALL|N1-N2 option for ctrl_iface BSS
+ command to fetch information about several BSSes in one call
+ * simplified licensing terms by selecting the BSD license as the
+ only alternative
+ * added "P2P_SET disallow_freq <freq list>" ctrl_iface command
+ to disable channels from P2P use
+ * added p2p_pref_chan configuration parameter to allow preferred
+ P2P channels to be specified
+ * added support for advertising immediate availability of a WPS
+ credential for P2P use cases
+ * optimized scan operations for P2P use cases (use single channel
+ scan for a specific SSID when possible)
+ * EAP-TTLS: fixed peer challenge generation for MSCHAPv2
+ * SME: do not use reassociation after explicit disconnection
+ request (local or a notification from an AP)
+ * added support for sending debug info to Linux tracing (-T on
+ command line)
+ * added support for using Deauthentication reason code 3 as an
+ indication of P2P group termination
+ * added wps_vendor_ext_m1 configuration parameter to allow
+ vendor specific attributes to be added to WPS M1
+ * started using separate TLS library context for tunneled TLS
+ (EAP-PEAP/TLS, EAP-TTLS/TLS, EAP-FAST/TLS) to support different
+ CA certificate configuration between Phase 1 and Phase 2
+ * added optional "auto" parameter for p2p_connect to request
+ automatic GO Negotiation vs. join-a-group selection
+ * added disabled_scan_offload parameter to disable automatic scan
++++ 1172 more lines (skipped)
++++ between /dev/null
++++ and /work/SRC/openSUSE:13.1:Update/.wpa_supplicant.3820.new/wpa_supplicant.changes
New:
----
0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch
0001-Add-os_exec-helper-to-run-external-programs.patch
0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch
0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch
0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch
0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch
0002-wpa_cli-Use-os_exec-for-action-script-execution.patch
0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch
0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch
0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch
config
fi.epitest.hostap.WPASupplicant.service
fi.w1.wpa_supplicant1.service
logrotate.wpa_supplicant
wpa_supplicant-2.0.tar.gz
wpa_supplicant-driver-wext-debug.patch
wpa_supplicant-errormsg.patch
wpa_supplicant-flush-debug-output.patch
wpa_supplicant-sigusr1-changes-debuglevel.patch
wpa_supplicant.changes
wpa_supplicant.conf
wpa_supplicant.service
wpa_supplicant.spec
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ wpa_supplicant.spec ++++++
#
# spec file for package wpa_supplicant
#
# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
Name: wpa_supplicant
BuildRequires: dbus-1-devel
BuildRequires: libqt4
BuildRequires: libqt4-devel
BuildRequires: openssl-devel
BuildRequires: pkg-config
BuildRequires: readline-devel
%if 0%{?suse_version} > 1230
BuildRequires: systemd-rpm-macros
%systemd_requires
%endif
%if 0%{?suse_version} > 1140
BuildRequires: libnl-1_1-devel
BuildRequires: libnl3-devel
%else
BuildRequires: libnl-devel
%endif
Url: http://hostap.epitest.fi/wpa_supplicant/
Version: 2.0
Release: 0
Summary: WPA supplicant implementation
License: BSD-3-Clause and GPL-2.0+
Group: Productivity/Networking/Other
Source: http://hostap.epitest.fi/releases/wpa_supplicant-%{version}.tar.gz
Source1: config
Source2: %{name}.conf
Source3: fi.epitest.hostap.WPASupplicant.service
Source4: logrotate.wpa_supplicant
Source5: fi.w1.wpa_supplicant1.service
Source6: wpa_supplicant.service
Patch0: wpa_supplicant-driver-wext-debug.patch
# wpa_supplicant-flush-debug-output.patch won't go upstream as it might
# change timings
Patch1: wpa_supplicant-flush-debug-output.patch
# wpa_supplicant-sigusr1-changes-debuglevel.patch won't go upstream as it
# is not portable
Patch2: wpa_supplicant-sigusr1-changes-debuglevel.patch
Patch3: wpa_supplicant-errormsg.patch
# CVE-2014-3686
Patch4: 0001-Add-os_exec-helper-to-run-external-programs.patch
Patch5: 0002-wpa_cli-Use-os_exec-for-action-script-execution.patch
# CVE-2015-1863
Patch6: 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch
# PATCH-FIX-UPSTREAM 0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch bnc#930077
Patch8: 0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch
# PATCH-FIX-UPSTREAM 0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch bnc#930078
Patch9: 0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch
# PATCH-FIX-UPSTREAM 0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch bnc#930079
Patch10: 0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch
# PATCH-FIX-UPSTREAM 0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch bnc#930079
Patch11: 0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch
# PATCH-FIX-UPSTREAM 0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch bnc#930079
Patch12: 0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch
# PATCH-FIX-UPSTREAM 0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch bnc#930079
Patch13: 0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch
# PATCH-FIX-UPSTREAM 0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch bnc#930079
Patch14: 0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
Requires: logrotate
%description
wpa_supplicant is an implementation of the WPA Supplicant component,
i.e., the part that runs in the client stations. It implements key
negotiation with a WPA Authenticator and it controls the roaming and
IEEE 802.11 authentication/association of the wlan driver.
Authors:
--------
Jouni Malinen
%package gui
Summary: WPA supplicant graphical front-end
Group: System/Monitoring
Requires: wpa_supplicant
%description gui
This package contains a graphical front-end to wpa_supplicant, an
implementation of the WPA Supplicant component.
Authors:
--------
Jouni Malinen
%prep
%setup -q -n wpa_supplicant-%{version}
rm -rf wpa_supplicant-%{version}/patches
cp %{SOURCE1} wpa_supplicant/.config
%if 0%{?suse_version} > 1140
echo "CONFIG_LIBNL32=y" >> wpa_supplicant/.config
%endif
%patch0 -p0
%patch1 -p0
%patch2 -p0
%patch3 -p0
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%build
cd wpa_supplicant
CFLAGS="$RPM_OPT_FLAGS" make V=1 %{?_smp_mflags}
cd wpa_gui-qt4
qmake QMAKE_CXXFLAGS="$RPM_OPT_FLAGS" QMAKE_CFLAGS="$RPM_OPT_FLAGS"
make %{?_smp_mflags}
%install
install -d %{buildroot}/%{_sbindir}
install -m 0755 wpa_supplicant/wpa_cli %{buildroot}%{_sbindir}
install -m 0755 wpa_supplicant/wpa_passphrase %{buildroot}%{_sbindir}
install -m 0755 wpa_supplicant/wpa_supplicant %{buildroot}%{_sbindir}
install -d %{buildroot}%{_sysconfdir}/dbus-1/system.d
install -m 0644 wpa_supplicant/dbus/dbus-wpa_supplicant.conf %{buildroot}%{_sysconfdir}/dbus-1/system.d/wpa_supplicant.conf
install -d %{buildroot}/%{_sysconfdir}/%{name}
install -m 0600 %{SOURCE2} %{buildroot}/%{_sysconfdir}/%{name}
install -d %{buildroot}/%{_datadir}/dbus-1/system-services
install -m 0644 %{SOURCE3} %{buildroot}/%{_datadir}/dbus-1/system-services
install -m 0644 %{SOURCE5} %{buildroot}/%{_datadir}/dbus-1/system-services
install -d %{buildroot}/%{_sysconfdir}/logrotate.d/
install -m 644 %{SOURCE4} %{buildroot}/%{_sysconfdir}/logrotate.d/wpa_supplicant
install -d %{buildroot}/%{_localstatedir}/run/%{name}
install -d %{buildroot}%{_mandir}/man{5,8}
install -m 0644 wpa_supplicant/doc/docbook/*.8 %{buildroot}%{_mandir}/man8
install -m 0644 wpa_supplicant/doc/docbook/*.5 %{buildroot}%{_mandir}/man5
install -m 755 wpa_supplicant/wpa_gui-qt4/wpa_gui %{buildroot}%{_sbindir}
%if 0%{?suse_version} > 1230
install -d %{buildroot}%{_unitdir}
install -m 0644 %{SOURCE6} %{buildroot}%{_unitdir}
%endif
%if 0%{?suse_version} > 1230
%pre
%service_add_pre wpa_supplicant.service
%post
%service_add_post wpa_supplicant.service
systemctl --quiet enable wpa_supplicant.service || :
%preun
%service_del_preun wpa_supplicant.service
%postun
%service_del_postun wpa_supplicant.service
%endif
%files
%defattr(-,root,root)
%doc wpa_supplicant/ChangeLog COPYING README wpa_supplicant/todo.txt wpa_supplicant/examples wpa_supplicant/wpa_supplicant.conf
%{_sbindir}/wpa_cli
%{_sbindir}/wpa_passphrase
%{_sbindir}/wpa_supplicant
%config %{_sysconfdir}/dbus-1/system.d/%{name}.conf
%{_datadir}/dbus-1/system-services
%config %{_sysconfdir}/%{name}/%{name}.conf
%config(noreplace) %{_sysconfdir}/logrotate.d/wpa_supplicant
%dir %{_localstatedir}/run/%{name}
%if 0%{?suse_version} > 1140
%ghost %{_localstatedir}/run/%{name}
%endif
%if 0%{?suse_version} > 1230
%{_unitdir}/wpa_supplicant.service
%endif
%dir %{_sysconfdir}/%{name}
%doc %{_mandir}/man8/*
%doc %{_mandir}/man5/*
%files gui
%defattr(-,root,root)
/usr/sbin/wpa_gui
%changelog
++++++ 0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch ++++++
From ef566a4d4f74022e1fdb0a2addfe81e6de9f4aae Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Wed, 29 Apr 2015 02:21:53 +0300
Subject: [PATCH] AP WMM: Fix integer underflow in WMM Action frame parser
The length of the WMM Action frame was not properly validated and the
length of the information elements (int left) could end up being
negative. This would result in reading significantly past the stack
buffer while parsing the IEs in ieee802_11_parse_elems() and while doing
so, resulting in segmentation fault.
This can result in an invalid frame being used for a denial of service
attack (hostapd process killed) against an AP with a driver that uses
hostapd for management frame processing (e.g., all mac80211-based
drivers).
Thanks to Kostya Kortchinsky of Google security team for discovering and
reporting this issue.
Signed-off-by: Jouni Malinen
---
src/ap/wmm.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/ap/wmm.c b/src/ap/wmm.c
index 6d4177c..314e244 100644
--- a/src/ap/wmm.c
+++ b/src/ap/wmm.c
@@ -274,6 +274,9 @@ void hostapd_wmm_action(struct hostapd_data *hapd,
return;
}
+ if (left < 0)
+ return; /* not a valid WMM Action frame */
+
/* extract the tspec info element */
if (ieee802_11_parse_elems(pos, left, &elems, 1) == ParseFailed) {
hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
--
1.9.1
++++++ 0001-Add-os_exec-helper-to-run-external-programs.patch ++++++
From 89de07a9442072f88d49869d8ecd8d42bae050a0 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Mon, 6 Oct 2014 16:27:44 +0300
Subject: [PATCH 1/3] Add os_exec() helper to run external programs
Signed-off-by: Jouni Malinen
================================================================================
--- wpa_supplicant-2.0/src/utils/os.h
+++ wpa_supplicant-2.0/src/utils/os.h
@@ -506,6 +506,14 @@
*/
size_t os_strlcpy(char *dest, const char *src, size_t siz);
+/**
+ * os_exec - Execute an external program
+ * @program: Path to the program
+ * @arg: Command line argument string
+ * @wait_completion: Whether to wait until the program execution completes
+ * Returns: 0 on success, -1 on error
+ */
+int os_exec(const char *program, const char *arg, int wait_completion);
#ifdef OS_REJECT_C_LIB_FUNCTIONS
#define malloc OS_DO_NOT_USE_malloc
--- wpa_supplicant-2.0/src/utils/os_unix.c
+++ wpa_supplicant-2.0/src/utils/os_unix.c
@@ -9,6 +9,7 @@
#include "includes.h"
#include
+#include
#ifdef ANDROID
#include
@@ -486,3 +487,57 @@
}
#endif /* WPA_TRACE */
+
+
+int os_exec(const char *program, const char *arg, int wait_completion)
+{
+ pid_t pid;
+ int pid_status;
+
+ pid = fork();
+ if (pid < 0) {
+ perror("fork");
+ return -1;
+ }
+
+ if (pid == 0) {
+ /* run the external command in the child process */
+ const int MAX_ARG = 30;
+ char *_program, *_arg, *pos;
+ char *argv[MAX_ARG + 1];
+ int i;
+
+ _program = os_strdup(program);
+ _arg = os_strdup(arg);
+
+ argv[0] = _program;
+
+ i = 1;
+ pos = _arg;
+ while (i < MAX_ARG && pos && *pos) {
+ while (*pos == ' ')
+ pos++;
+ if (*pos == '\0')
+ break;
+ argv[i++] = pos;
+ pos = os_strchr(pos, ' ');
+ if (pos)
+ *pos++ = '\0';
+ }
+ argv[i] = NULL;
+
+ execv(program, argv);
+ perror("execv");
+ os_free(_program);
+ os_free(_arg);
+ exit(0);
+ return -1;
+ }
+
+ if (wait_completion) {
+ /* wait for the child process to complete in the parent */
+ waitpid(pid, &pid_status, 0);
+ }
+
+ return 0;
+}
--- wpa_supplicant-2.0/src/utils/os_win32.c
+++ wpa_supplicant-2.0/src/utils/os_win32.c
@@ -233,3 +233,9 @@
return s - src - 1;
}
+
+int os_exec(const char *program, const char *arg, int wait_completion)
+{
+ return -1;
+}
+
++++++ 0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch ++++++
From dd2f043c9c43d156494e33d7ce22db96e6ef42c7 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Fri, 1 May 2015 16:37:45 +0300
Subject: [PATCH 1/5] EAP-pwd peer: Fix payload length validation for Commit
and Confirm
The length of the received Commit and Confirm message payloads was not
checked before reading them. This could result in a buffer read
overflow when processing an invalid message.
Fix this by verifying that the payload is of expected length before
processing it. In addition, enforce correct state transition sequence to
make sure there is no unexpected behavior if receiving a Commit/Confirm
message before the previous exchanges have been completed.
Thanks to Kostya Kortchinsky of Google security team for discovering and
reporting this issue.
Signed-off-by: Jouni Malinen
---
src/eap_peer/eap_pwd.c | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
index f2b0926..a629437 100644
--- a/src/eap_peer/eap_pwd.c
+++ b/src/eap_peer/eap_pwd.c
@@ -355,6 +355,23 @@ eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
BIGNUM *mask = NULL, *x = NULL, *y = NULL, *cofactor = NULL;
u16 offset;
u8 *ptr, *scalar = NULL, *element = NULL;
+ size_t prime_len, order_len;
+
+ if (data->state != PWD_Commit_Req) {
+ ret->ignore = TRUE;
+ goto fin;
+ }
+
+ prime_len = BN_num_bytes(data->grp->prime);
+ order_len = BN_num_bytes(data->grp->order);
+
+ if (payload_len != 2 * prime_len + order_len) {
+ wpa_printf(MSG_INFO,
+ "EAP-pwd: Unexpected Commit payload length %u (expected %u)",
+ (unsigned int) payload_len,
+ (unsigned int) (2 * prime_len + order_len));
+ goto fin;
+ }
if (((data->private_value = BN_new()) == NULL) ||
((data->my_element = EC_POINT_new(data->grp->group)) == NULL) ||
@@ -554,6 +571,18 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
u8 conf[SHA256_MAC_LEN], *cruft = NULL, *ptr;
int offset;
+ if (data->state != PWD_Confirm_Req) {
+ ret->ignore = TRUE;
+ goto fin;
+ }
+
+ if (payload_len != SHA256_MAC_LEN) {
+ wpa_printf(MSG_INFO,
+ "EAP-pwd: Unexpected Confirm payload length %u (expected %u)",
+ (unsigned int) payload_len, SHA256_MAC_LEN);
+ goto fin;
+ }
+
/*
* first build up the ciphersuite which is group | random_function |
* prf
--
1.9.1
++++++ 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch ++++++
From 2674f84b8fb95d1b79f946e2c51e9d5173305085 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Tue, 7 Apr 2015 11:32:11 +0300
Subject: [PATCH] P2P: Validate SSID element length before copying it
(CVE-2015-1863)
This fixes a possible memcpy overflow for P2P dev->oper_ssid in
p2p_add_device(). The length provided by the peer device (0..255 bytes)
was used without proper bounds checking and that could have resulted in
arbitrary data of up to 223 bytes being written beyond the end of the
dev->oper_ssid[] array (of which about 150 bytes would be beyond the
heap allocation) when processing a corrupted management frame for P2P
peer discovery purposes.
This could result in corrupted state in heap, unexpected program
behavior due to corrupted P2P peer device information, denial of service
due to process crash, exposure of memory contents during GO Negotiation,
and potentially arbitrary code execution.
Thanks to Google security team for reporting this issue and smart
hardware research group of Alibaba security team for discovering it.
Signed-off-by: Jouni Malinen
---
src/p2p/p2p.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c
index f584fae..a45fe73 100644
--- a/src/p2p/p2p.c
+++ b/src/p2p/p2p.c
@@ -778,6 +778,7 @@ int p2p_add_device(struct p2p_data *p2p, const u8 *addr, int freq,
if (os_memcmp(addr, p2p_dev_addr, ETH_ALEN) != 0)
os_memcpy(dev->interface_addr, addr, ETH_ALEN);
if (msg.ssid &&
+ msg.ssid[1] <= sizeof(dev->oper_ssid) &&
(msg.ssid[1] != P2P_WILDCARD_SSID_LEN ||
os_memcmp(msg.ssid + 2, P2P_WILDCARD_SSID, P2P_WILDCARD_SSID_LEN)
!= 0)) {
--
1.9.1
++++++ 0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch ++++++
From 5acd23f4581da58683f3cf5e36cb71bbe4070bd7 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Tue, 28 Apr 2015 17:08:33 +0300
Subject: [PATCH] WPS: Fix HTTP chunked transfer encoding parser
strtoul() return value may end up overflowing the int h->chunk_size and
resulting in a negative value to be stored as the chunk_size. This could
result in the following memcpy operation using a very large length
argument which would result in a buffer overflow and segmentation fault.
This could have been used to cause a denial service by any device that
has been authorized for network access (either wireless or wired). This
would affect both the WPS UPnP functionality in a WPS AP (hostapd with
upnp_iface parameter set in the configuration) and WPS ER
(wpa_supplicant with WPS_ER_START control interface command used).
Validate the parsed chunk length value to avoid this. In addition to
rejecting negative values, we can also reject chunk size that would be
larger than the maximum configured body length.
Thanks to Kostya Kortchinsky of Google security team for discovering and
reporting this issue.
Signed-off-by: Jouni Malinen
---
src/wps/httpread.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/wps/httpread.c b/src/wps/httpread.c
index 2f08f37..d2855e3 100644
--- a/src/wps/httpread.c
+++ b/src/wps/httpread.c
@@ -533,6 +533,13 @@ static void httpread_read_handler(int sd, void *eloop_ctx, void *sock_ctx)
if (!isxdigit(*cbp))
goto bad;
h->chunk_size = strtoul(cbp, NULL, 16);
+ if (h->chunk_size < 0 ||
+ h->chunk_size > h->max_bytes) {
+ wpa_printf(MSG_DEBUG,
+ "httpread: Invalid chunk size %d",
+ h->chunk_size);
+ goto bad;
+ }
/* throw away chunk header
* so we have only real data
*/
--
1.9.1
++++++ 0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch ++++++
From e28a58be26184c2a23f80b410e0997ef1bd5d578 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Fri, 1 May 2015 16:40:44 +0300
Subject: [PATCH 2/5] EAP-pwd server: Fix payload length validation for Commit
and Confirm
The length of the received Commit and Confirm message payloads was not
checked before reading them. This could result in a buffer read
overflow when processing an invalid message.
Fix this by verifying that the payload is of expected length before
processing it. In addition, enforce correct state transition sequence to
make sure there is no unexpected behavior if receiving a Commit/Confirm
message before the previous exchanges have been completed.
Thanks to Kostya Kortchinsky of Google security team for discovering and
reporting this issue.
Signed-off-by: Jouni Malinen
---
src/eap_server/eap_server_pwd.c | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
index 66bd5d2..3189105 100644
--- a/src/eap_server/eap_server_pwd.c
+++ b/src/eap_server/eap_server_pwd.c
@@ -656,9 +656,21 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data,
BIGNUM *x = NULL, *y = NULL, *cofactor = NULL;
EC_POINT *K = NULL, *point = NULL;
int res = 0;
+ size_t prime_len, order_len;
wpa_printf(MSG_DEBUG, "EAP-pwd: Received commit response");
+ prime_len = BN_num_bytes(data->grp->prime);
+ order_len = BN_num_bytes(data->grp->order);
+
+ if (payload_len != 2 * prime_len + order_len) {
+ wpa_printf(MSG_INFO,
+ "EAP-pwd: Unexpected Commit payload length %u (expected %u)",
+ (unsigned int) payload_len,
+ (unsigned int) (2 * prime_len + order_len));
+ goto fin;
+ }
+
if (((data->peer_scalar = BN_new()) == NULL) ||
((data->k = BN_new()) == NULL) ||
((cofactor = BN_new()) == NULL) ||
@@ -774,6 +786,13 @@ eap_pwd_process_confirm_resp(struct eap_sm *sm, struct eap_pwd_data *data,
u8 conf[SHA256_MAC_LEN], *cruft = NULL, *ptr;
int offset;
+ if (payload_len != SHA256_MAC_LEN) {
+ wpa_printf(MSG_INFO,
+ "EAP-pwd: Unexpected Confirm payload length %u (expected %u)",
+ (unsigned int) payload_len, SHA256_MAC_LEN);
+ goto fin;
+ }
+
/* build up the ciphersuite: group | random_function | prf */
grp = htons(data->group_num);
ptr = (u8 *) &cs;
--
1.9.1
++++++ 0002-wpa_cli-Use-os_exec-for-action-script-execution.patch ++++++
From c5f258de76dbb67fb64beab39a99e5c5711f41fe Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Mon, 6 Oct 2014 17:25:52 +0300
Subject: [PATCH 2/3] wpa_cli: Use os_exec() for action script execution
Use os_exec() to run the action script operations to avoid undesired
command line processing for control interface event strings. Previously,
it could have been possible for some of the event strings to include
unsanitized data which is not suitable for system() use. (CVE-2014-3686)
Signed-off-by: Jouni Malinen
---
wpa_supplicant/wpa_cli.c | 25 ++++++++-----------------
1 file changed, 8 insertions(+), 17 deletions(-)
diff --git a/wpa_supplicant/wpa_cli.c b/wpa_supplicant/wpa_cli.c
index 18b9b77..fe30b41 100644
--- a/wpa_supplicant/wpa_cli.c
+++ b/wpa_supplicant/wpa_cli.c
@@ -3159,28 +3159,19 @@ static int str_match(const char *a, const char *b)
static int wpa_cli_exec(const char *program, const char *arg1,
const char *arg2)
{
- char *cmd;
+ char *arg;
size_t len;
int res;
- int ret = 0;
- len = os_strlen(program) + os_strlen(arg1) + os_strlen(arg2) + 3;
- cmd = os_malloc(len);
- if (cmd == NULL)
- return -1;
- res = os_snprintf(cmd, len, "%s %s %s", program, arg1, arg2);
- if (res < 0 || (size_t) res >= len) {
- os_free(cmd);
+ len = os_strlen(arg1) + os_strlen(arg2) + 2;
+ arg = os_malloc(len);
+ if (arg == NULL)
return -1;
- }
- cmd[len - 1] = '\0';
-#ifndef _WIN32_WCE
- if (system(cmd) < 0)
- ret = -1;
-#endif /* _WIN32_WCE */
- os_free(cmd);
+ os_snprintf(arg, len, "%s %s", arg1, arg2);
+ res = os_exec(program, arg, 1);
+ os_free(arg);
- return ret;
+ return res;
}
--
1.9.1
++++++ 0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch ++++++
From 477c74395acd0123340457ba6f15ab345d42016e Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sat, 2 May 2015 19:23:04 +0300
Subject: [PATCH 3/5] EAP-pwd peer: Fix Total-Length parsing for fragment
reassembly
The remaining number of bytes in the message could be smaller than the
Total-Length field size, so the length needs to be explicitly checked
prior to reading the field and decrementing the len variable. This could
have resulted in the remaining length becoming negative and interpreted
as a huge positive integer.
In addition, check that there is no already started fragment in progress
before allocating a new buffer for reassembling fragments. This avoid a
potential memory leak when processing invalid message.
Signed-off-by: Jouni Malinen
================================================================================
--- wpa_supplicant-2.2/src/eap_peer/eap_pwd.c
+++ wpa_supplicant-2.2/src/eap_peer/eap_pwd.c
@@ -808,9 +808,24 @@
* if it's the first fragment there'll be a length field
*/
if (EAP_PWD_GET_LENGTH_BIT(lm_exch)) {
+ if (len < 2) {
+ wpa_printf(MSG_DEBUG,
+ "EAP-pwd: Frame too short to contain Total-Length field");
+ ret->ignore = TRUE;
+ return NULL;
+ }
tot_len = WPA_GET_BE16(pos);
wpa_printf(MSG_DEBUG, "EAP-pwd: Incoming fragments whose "
"total length = %d", tot_len);
+ if (tot_len > 15000)
+ return NULL;
+ if (data->inbuf) {
+ wpa_printf(MSG_DEBUG,
+ "EAP-pwd: Unexpected new fragment start when previous fragment is still in use");
+ ret->ignore = TRUE;
+ return NULL;
+ }
+
data->inbuf = wpabuf_alloc(tot_len);
if (data->inbuf == NULL) {
wpa_printf(MSG_INFO, "Out of memory to buffer "
++++++ 0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch ++++++
From 3035cc2894e08319b905bd6561e8bddc8c2db9fa Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sat, 2 May 2015 19:26:06 +0300
Subject: [PATCH 4/5] EAP-pwd server: Fix Total-Length parsing for fragment
reassembly
The remaining number of bytes in the message could be smaller than the
Total-Length field size, so the length needs to be explicitly checked
prior to reading the field and decrementing the len variable. This could
have resulted in the remaining length becoming negative and interpreted
as a huge positive integer.
In addition, check that there is no already started fragment in progress
before allocating a new buffer for reassembling fragments. This avoid a
potential memory leak when processing invalid message.
Signed-off-by: Jouni Malinen
================================================================================
--- wpa_supplicant-2.2/src/eap_server/eap_server_pwd.c
+++ wpa_supplicant-2.2/src/eap_server/eap_server_pwd.c
@@ -916,9 +916,21 @@
* the first fragment has a total length
*/
if (EAP_PWD_GET_LENGTH_BIT(lm_exch)) {
+ if (len < 2) {
+ wpa_printf(MSG_DEBUG,
+ "EAP-pwd: Frame too short to contain Total-Length field");
+ return;
+ }
tot_len = WPA_GET_BE16(pos);
wpa_printf(MSG_DEBUG, "EAP-pwd: Incoming fragments, total "
"length = %d", tot_len);
+ if (tot_len > 15000)
+ return;
+ if (data->inbuf) {
+ wpa_printf(MSG_DEBUG,
+ "EAP-pwd: Unexpected new fragment start when previous fragment is still in use");
+ return;
+ }
data->inbuf = wpabuf_alloc(tot_len);
if (data->inbuf == NULL) {
wpa_printf(MSG_INFO, "EAP-pwd: Out of memory to "
++++++ 0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch ++++++
From 28a069a545b06b99eb55ad53f63f2c99e65a98f6 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sat, 2 May 2015 19:26:28 +0300
Subject: [PATCH 5/5] EAP-pwd peer: Fix asymmetric fragmentation behavior
The L (Length) and M (More) flags needs to be cleared before deciding
whether the locally generated response requires fragmentation. This
fixes an issue where these flags from the server could have been invalid
for the following message. In some cases, this could have resulted in
triggering the wpabuf security check that would terminate the process
due to invalid buffer allocation.
Signed-off-by: Jouni Malinen
---
src/eap_peer/eap_pwd.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
index 1d2079b..e58b13a 100644
--- a/src/eap_peer/eap_pwd.c
+++ b/src/eap_peer/eap_pwd.c
@@ -968,6 +968,7 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
/*
* we have output! Do we need to fragment it?
*/
+ lm_exch = EAP_PWD_GET_EXCHANGE(lm_exch);
len = wpabuf_len(data->outbuf);
if ((len + EAP_PWD_HDR_SIZE) > data->mtu) {
resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PWD, data->mtu,
--
1.9.1
++++++ config ++++++
# Example wpa_supplicant build time configuration
#
# This file lists the configuration options that are used when building the
# hostapd binary. All lines starting with # are ignored. Configuration option
# lines must be commented out complete, if they are not to be included, i.e.,
# just setting VARIABLE=n is not disabling that variable.
#
# This file is included in Makefile, so variables like CFLAGS and LIBS can also
# be modified from here. In most cases, these lines should use += in order not
# to override previous values of the variables.
# Uncomment following two lines and fix the paths if you have installed OpenSSL
# or GnuTLS in non-default location
#CFLAGS += -I/usr/local/openssl/include
#LIBS += -L/usr/local/openssl/lib
# Some Red Hat versions seem to include kerberos header files from OpenSSL, but
# the kerberos files are not in the default include path. Following line can be
# used to fix build issues on such systems (krb5.h not found).
#CFLAGS += -I/usr/include/kerberos
# Example configuration for various cross-compilation platforms
#### sveasoft (e.g., for Linksys WRT54G) ######################################
#CC=mipsel-uclibc-gcc
#CC=/opt/brcm/hndtools-mipsel-uclibc/bin/mipsel-uclibc-gcc
#CFLAGS += -Os
#CPPFLAGS += -I../src/include -I../../src/router/openssl/include
#LIBS += -L/opt/brcm/hndtools-mipsel-uclibc-0.9.19/lib -lssl
###############################################################################
#### openwrt (e.g., for Linksys WRT54G) #######################################
#CC=mipsel-uclibc-gcc
#CC=/opt/brcm/hndtools-mipsel-uclibc/bin/mipsel-uclibc-gcc
#CFLAGS += -Os
#CPPFLAGS=-I../src/include -I../openssl-0.9.7d/include \
# -I../WRT54GS/release/src/include
#LIBS = -lssl
###############################################################################
# Driver interface for Host AP driver
CONFIG_DRIVER_HOSTAP=y
# Driver interface for Agere driver
#CONFIG_DRIVER_HERMES=y
# Change include directories to match with the local setup
#CFLAGS += -I../../hcf -I../../include -I../../include/hcf
#CFLAGS += -I../../include/wireless
# Driver interface for madwifi driver
# Deprecated; use CONFIG_DRIVER_WEXT=y instead.
#CONFIG_DRIVER_MADWIFI=y
# Set include directory to the madwifi source tree
#CFLAGS += -I../../madwifi
# Driver interface for ndiswrapper
# Deprecated; use CONFIG_DRIVER_WEXT=y instead.
CONFIG_DRIVER_NDISWRAPPER=y
# Driver interface for Atmel driver
CONFIG_DRIVER_ATMEL=y
# Driver interface for old Broadcom driver
# Please note that the newer Broadcom driver ("hybrid Linux driver") supports
# Linux wireless extensions and does not need (or even work) with the old
# driver wrapper. Use CONFIG_DRIVER_WEXT=y with that driver.
#CONFIG_DRIVER_BROADCOM=y
# Example path for wlioctl.h; change to match your configuration
#CFLAGS += -I/opt/WRT54GS/release/src/include
# Driver interface for Intel ipw2100/2200 driver
# Deprecated; use CONFIG_DRIVER_WEXT=y instead.
#CONFIG_DRIVER_IPW=y
# Driver interface for Ralink driver
#CONFIG_DRIVER_RALINK=y
# Driver interface for generic Linux wireless extensions
# Note: WEXT is deprecated in the current Linux kernel version and no new
# functionality is added to it. nl80211-based interface is the new
# replacement for WEXT and its use allows wpa_supplicant to properly control
# the driver to improve existing functionality like roaming and to support new
# functionality.
CONFIG_DRIVER_WEXT=y
# Driver interface for Linux drivers using the nl80211 kernel interface
CONFIG_DRIVER_NL80211=y
# Driver interface for FreeBSD net80211 layer (e.g., Atheros driver)
#CONFIG_DRIVER_BSD=y
#CFLAGS += -I/usr/local/include
#LIBS += -L/usr/local/lib
#LIBS_p += -L/usr/local/lib
#LIBS_c += -L/usr/local/lib
# Driver interface for Windows NDIS
#CONFIG_DRIVER_NDIS=y
#CFLAGS += -I/usr/include/w32api/ddk
#LIBS += -L/usr/local/lib
# For native build using mingw
#CONFIG_NATIVE_WINDOWS=y
# Additional directories for cross-compilation on Linux host for mingw target
#CFLAGS += -I/opt/mingw/mingw32/include/ddk
#LIBS += -L/opt/mingw/mingw32/lib
#CC=mingw32-gcc
# By default, driver_ndis uses WinPcap for low-level operations. This can be
# replaced with the following option which replaces WinPcap calls with NDISUIO.
# However, this requires that WZC is disabled (net stop wzcsvc) before starting
# wpa_supplicant.
# CONFIG_USE_NDISUIO=y
# Driver interface for development testing
#CONFIG_DRIVER_TEST=y
# Driver interface for wired Ethernet drivers
CONFIG_DRIVER_WIRED=y
# Driver interface for the Broadcom RoboSwitch family
#CONFIG_DRIVER_ROBOSWITCH=y
# Driver interface for no driver (e.g., WPS ER only)
#CONFIG_DRIVER_NONE=y
# Solaris libraries
#LIBS += -lsocket -ldlpi -lnsl
#LIBS_c += -lsocket
# Enable IEEE 802.1X Supplicant (automatically included if any EAP method is
# included)
CONFIG_IEEE8021X_EAPOL=y
# EAP-MD5
CONFIG_EAP_MD5=y
# EAP-MSCHAPv2
CONFIG_EAP_MSCHAPV2=y
# EAP-TLS
CONFIG_EAP_TLS=y
# EAL-PEAP
CONFIG_EAP_PEAP=y
# EAP-TTLS
CONFIG_EAP_TTLS=y
# EAP-FAST
# Note: Default OpenSSL package does not include support for all the
# functionality needed for EAP-FAST. If EAP-FAST is enabled with OpenSSL,
# the OpenSSL library must be patched (openssl-0.9.8d-tls-extensions.patch)
# to add the needed functions.
#CONFIG_EAP_FAST=y
# EAP-GTC
CONFIG_EAP_GTC=y
# EAP-OTP
CONFIG_EAP_OTP=y
# EAP-SIM (enable CONFIG_PCSC, if EAP-SIM is used)
#CONFIG_EAP_SIM=y
# EAP-PSK (experimental; this is _not_ needed for WPA-PSK)
CONFIG_EAP_PSK=y
# EAP-pwd (secure authentication using only a password)
#CONFIG_EAP_PWD=y
# EAP-PAX
CONFIG_EAP_PAX=y
# LEAP
CONFIG_EAP_LEAP=y
# EAP-AKA (enable CONFIG_PCSC, if EAP-AKA is used)
#CONFIG_EAP_AKA=y
# EAP-AKA' (enable CONFIG_PCSC, if EAP-AKA' is used).
# This requires CONFIG_EAP_AKA to be enabled, too.
#CONFIG_EAP_AKA_PRIME=y
# Enable USIM simulator (Milenage) for EAP-AKA
#CONFIG_USIM_SIMULATOR=y
# EAP-SAKE
CONFIG_EAP_SAKE=y
# EAP-GPSK
CONFIG_EAP_GPSK=y
# Include support for optional SHA256 cipher suite in EAP-GPSK
CONFIG_EAP_GPSK_SHA256=y
# EAP-TNC and related Trusted Network Connect support (experimental)
CONFIG_EAP_TNC=y
# Wi-Fi Protected Setup (WPS)
CONFIG_WPS=y
# Enable WSC 2.0 support
CONFIG_WPS2=y
# Enable WPS external registrar functionality
CONFIG_WPS_ER=y
# Disable credentials for an open network by default when acting as a WPS
# registrar.
#CONFIG_WPS_REG_DISABLE_OPEN=y
# Enable WPS support with NFC config method
#CONFIG_WPS_NFC=y
# EAP-IKEv2
CONFIG_EAP_IKEV2=y
# PKCS#12 (PFX) support (used to read private key and certificate file from
# a file that usually has extension .p12 or .pfx)
CONFIG_PKCS12=y
# Smartcard support (i.e., private key on a smartcard), e.g., with openssl
# engine.
CONFIG_SMARTCARD=y
# PC/SC interface for smartcards (USIM, GSM SIM)
# Enable this if EAP-SIM or EAP-AKA is included
#CONFIG_PCSC=y
# Support HT overrides (disable HT/HT40, mask MCS rates, etc.)
#CONFIG_HT_OVERRIDES=y
# Development testing
#CONFIG_EAPOL_TEST=y
# Select control interface backend for external programs, e.g, wpa_cli:
# unix = UNIX domain sockets (default for Linux/*BSD)
# udp = UDP sockets using localhost (127.0.0.1)
# named_pipe = Windows Named Pipe (default for Windows)
# udp-remote = UDP sockets with remote access (only for tests systems/purpose)
# y = use default (backwards compatibility)
# If this option is commented out, control interface is not included in the
# build.
CONFIG_CTRL_IFACE=y
# Include support for GNU Readline and History Libraries in wpa_cli.
# When building a wpa_cli binary for distribution, please note that these
# libraries are licensed under GPL and as such, BSD license may not apply for
# the resulting binary.
#CONFIG_READLINE=y
# Include internal line edit mode in wpa_cli. This can be used as a replacement
# for GNU Readline to provide limited command line editing and history support.
#CONFIG_WPA_CLI_EDIT=y
# Remove debugging code that is printing out debug message to stdout.
# This can be used to reduce the size of the wpa_supplicant considerably
# if debugging code is not needed. The size reduction can be around 35%
# (e.g., 90 kB).
#CONFIG_NO_STDOUT_DEBUG=y
# Remove WPA support, e.g., for wired-only IEEE 802.1X supplicant, to save
# 35-50 kB in code size.
#CONFIG_NO_WPA=y
# Remove WPA2 support. This allows WPA to be used, but removes WPA2 code to
# save about 1 kB in code size when building only WPA-Personal (no EAP support)
# or 6 kB if building for WPA-Enterprise.
#CONFIG_NO_WPA2=y
# Remove IEEE 802.11i/WPA-Personal ASCII passphrase support
# This option can be used to reduce code size by removing support for
# converting ASCII passphrases into PSK. If this functionality is removed, the
# PSK can only be configured as the 64-octet hexstring (e.g., from
# wpa_passphrase). This saves about 0.5 kB in code size.
#CONFIG_NO_WPA_PASSPHRASE=y
# Disable scan result processing (ap_mode=1) to save code size by about 1 kB.
# This can be used if ap_scan=1 mode is never enabled.
#CONFIG_NO_SCAN_PROCESSING=y
# Select configuration backend:
# file = text file (e.g., wpa_supplicant.conf; note: the configuration file
# path is given on command line, not here; this option is just used to
# select the backend that allows configuration files to be used)
# winreg = Windows registry (see win_example.reg for an example)
CONFIG_BACKEND=file
# Remove configuration write functionality (i.e., to allow the configuration
# file to be updated based on runtime configuration changes). The runtime
# configuration can still be changed, the changes are just not going to be
# persistent over restarts. This option can be used to reduce code size by
# about 3.5 kB.
#CONFIG_NO_CONFIG_WRITE=y
# Remove support for configuration blobs to reduce code size by about 1.5 kB.
#CONFIG_NO_CONFIG_BLOBS=y
# Select program entry point implementation:
# main = UNIX/POSIX like main() function (default)
# main_winsvc = Windows service (read parameters from registry)
# main_none = Very basic example (development use only)
#CONFIG_MAIN=main
# Select wrapper for operatins system and C library specific functions
# unix = UNIX/POSIX like systems (default)
# win32 = Windows systems
# none = Empty template
#CONFIG_OS=unix
# Select event loop implementation
# eloop = select() loop (default)
# eloop_win = Windows events and WaitForMultipleObject() loop
# eloop_none = Empty template
#CONFIG_ELOOP=eloop
# Should we use poll instead of select? Select is used by default.
#CONFIG_ELOOP_POLL=y
# Select layer 2 packet implementation
# linux = Linux packet socket (default)
# pcap = libpcap/libdnet/WinPcap
# freebsd = FreeBSD libpcap
# winpcap = WinPcap with receive thread
# ndis = Windows NDISUIO (note: requires CONFIG_USE_NDISUIO=y)
# none = Empty template
#CONFIG_L2_PACKET=linux
# PeerKey handshake for Station to Station Link (IEEE 802.11e DLS)
CONFIG_PEERKEY=y
# IEEE 802.11w (management frame protection), also known as PMF
# Driver support is also needed for IEEE 802.11w.
CONFIG_IEEE80211W=y
# Select TLS implementation
# openssl = OpenSSL (default)
# gnutls = GnuTLS
# internal = Internal TLSv1 implementation (experimental)
# none = Empty template
#CONFIG_TLS=openssl
# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1)
# can be enabled to get a stronger construction of messages when block ciphers
# are used. It should be noted that some existing TLS v1.0 -based
# implementation may not be compatible with TLS v1.1 message (ClientHello is
# sent prior to negotiating which version will be used)
#CONFIG_TLSV11=y
# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2)
# can be enabled to enable use of stronger crypto algorithms. It should be
# noted that some existing TLS v1.0 -based implementation may not be compatible
# with TLS v1.2 message (ClientHello is sent prior to negotiating which version
# will be used)
#CONFIG_TLSV12=y
# If CONFIG_TLS=internal is used, additional library and include paths are
# needed for LibTomMath. Alternatively, an integrated, minimal version of
# LibTomMath can be used. See beginning of libtommath.c for details on benefits
# and drawbacks of this option.
#CONFIG_INTERNAL_LIBTOMMATH=y
#ifndef CONFIG_INTERNAL_LIBTOMMATH
#LTM_PATH=/usr/src/libtommath-0.39
#CFLAGS += -I$(LTM_PATH)
#LIBS += -L$(LTM_PATH)
#LIBS_p += -L$(LTM_PATH)
#endif
# At the cost of about 4 kB of additional binary size, the internal LibTomMath
# can be configured to include faster routines for exptmod, sqr, and div to
# speed up DH and RSA calculation considerably
#CONFIG_INTERNAL_LIBTOMMATH_FAST=y
# Include NDIS event processing through WMI into wpa_supplicant/wpasvc.
# This is only for Windows builds and requires WMI-related header files and
# WbemUuid.Lib from Platform SDK even when building with MinGW.
#CONFIG_NDIS_EVENTS_INTEGRATED=y
#PLATFORMSDKLIB="/opt/Program Files/Microsoft Platform SDK/Lib"
# Add support for old DBus control interface
# (fi.epitest.hostap.WPASupplicant)
CONFIG_CTRL_IFACE_DBUS=y
# Add support for new DBus control interface
# (fi.w1.hostap.wpa_supplicant1)
CONFIG_CTRL_IFACE_DBUS_NEW=y
# Add introspection support for new DBus control interface
CONFIG_CTRL_IFACE_DBUS_INTRO=y
# Add support for loading EAP methods dynamically as shared libraries.
# When this option is enabled, each EAP method can be either included
# statically (CONFIG_EAP_<method>=y) or dynamically (CONFIG_EAP_<method>=dyn).
# Dynamic EAP methods are build as shared objects (eap_*.so) and they need to
# be loaded in the beginning of the wpa_supplicant configuration file
# (see load_dynamic_eap parameter in the example file) before being used in
# the network blocks.
#
# Note that some shared parts of EAP methods are included in the main program
# and in order to be able to use dynamic EAP methods using these parts, the
# main program must have been build with the EAP method enabled (=y or =dyn).
# This means that EAP-TLS/PEAP/TTLS/FAST cannot be added as dynamic libraries
# unless at least one of them was included in the main build to force inclusion
# of the shared code. Similarly, at least one of EAP-SIM/AKA must be included
# in the main build to be able to load these methods dynamically.
#
# Please also note that using dynamic libraries will increase the total binary
# size. Thus, it may not be the best option for targets that have limited
# amount of memory/flash.
#CONFIG_DYNAMIC_EAP_METHODS=y
# IEEE Std 802.11r-2008 (Fast BSS Transition)
#CONFIG_IEEE80211R=y
# Add support for writing debug log to a file (/tmp/wpa_supplicant-log-#.txt)
CONFIG_DEBUG_FILE=y
# Send debug messages to syslog instead of stdout
#CONFIG_DEBUG_SYSLOG=y
# Set syslog facility for debug messages
#CONFIG_DEBUG_SYSLOG_FACILITY=LOG_DAEMON
# Add support for sending all debug messages (regardless of debug verbosity)
# to the Linux kernel tracing facility. This helps debug the entire stack by
# making it easy to record everything happening from the driver up into the
# same file, e.g., using trace-cmd.
#CONFIG_DEBUG_LINUX_TRACING=y
# Enable privilege separation (see README 'Privilege separation' for details)
#CONFIG_PRIVSEP=y
# Enable mitigation against certain attacks against TKIP by delaying Michael
# MIC error reports by a random amount of time between 0 and 60 seconds
#CONFIG_DELAYED_MIC_ERROR_REPORT=y
# Enable tracing code for developer debugging
# This tracks use of memory allocations and other registrations and reports
# incorrect use with a backtrace of call (or allocation) location.
#CONFIG_WPA_TRACE=y
# For BSD, uncomment these.
#LIBS += -lexecinfo
#LIBS_p += -lexecinfo
#LIBS_c += -lexecinfo
# Use libbfd to get more details for developer debugging
# This enables use of libbfd to get more detailed symbols for the backtraces
# generated by CONFIG_WPA_TRACE=y.
#CONFIG_WPA_TRACE_BFD=y
# For BSD, uncomment these.
#LIBS += -lbfd -liberty -lz
#LIBS_p += -lbfd -liberty -lz
#LIBS_c += -lbfd -liberty -lz
# wpa_supplicant depends on strong random number generation being available
# from the operating system. os_get_random() function is used to fetch random
# data when needed, e.g., for key generation. On Linux and BSD systems, this
# works by reading /dev/urandom. It should be noted that the OS entropy pool
# needs to be properly initialized before wpa_supplicant is started. This is
# important especially on embedded devices that do not have a hardware random
# number generator and may by default start up with minimal entropy available
# for random number generation.
#
# As a safety net, wpa_supplicant is by default trying to internally collect
# additional entropy for generating random data to mix in with the data fetched
# from the OS. This by itself is not considered to be very strong, but it may
# help in cases where the system pool is not initialized properly. However, it
# is very strongly recommended that the system pool is initialized with enough
# entropy either by using hardware assisted random number generator or by
# storing state over device reboots.
#
# wpa_supplicant can be configured to maintain its own entropy store over
# restarts to enhance random number generation. This is not perfect, but it is
# much more secure than using the same sequence of random numbers after every
# reboot. This can be enabled with -e<entropy file> command line option. The
# specified file needs to be readable and writable by wpa_supplicant.
#
# If the os_get_random() is known to provide strong random data (e.g., on
# Linux/BSD, the board in question is known to have reliable source of random
# data from /dev/urandom), the internal wpa_supplicant random pool can be
# disabled. This will save some in binary size and CPU use. However, this
# should only be considered for builds that are known to be used on devices
# that meet the requirements described above.
#CONFIG_NO_RANDOM_POOL=y
# IEEE 802.11n (High Throughput) support (mainly for AP mode)
CONFIG_IEEE80211N=y
# Wireless Network Management (IEEE Std 802.11v-2011)
# Note: This is experimental and not complete implementation.
#CONFIG_WNM=y
# Interworking (IEEE 802.11u)
# This can be used to enable functionality to improve interworking with
# external networks (GAS/ANQP to learn more about the networks and network
# selection based on available credentials).
#CONFIG_INTERWORKING=y
# Hotspot 2.0
#CONFIG_HS20=y
# AP mode operations with wpa_supplicant
# This can be used for controlling AP mode operations with wpa_supplicant. It
# should be noted that this is mainly aimed at simple cases like
# WPA2-Personal while more complex configurations like WPA2-Enterprise with an
# external RADIUS server can be supported with hostapd.
CONFIG_AP=y
# P2P (Wi-Fi Direct)
# This can be used to enable P2P support in wpa_supplicant. See README-P2P for
# more information on P2P operations.
CONFIG_P2P=y
# Autoscan
# This can be used to enable automatic scan support in wpa_supplicant.
# See wpa_supplicant.conf for more information on autoscan usage.
#
# Enabling directly a module will enable autoscan support.
# For exponential module:
#CONFIG_AUTOSCAN_EXPONENTIAL=y
# For periodic module:
#CONFIG_AUTOSCAN_PERIODIC=y
# Password (and passphrase, etc.) backend for external storage
# These optional mechanisms can be used to add support for storing passwords
# and other secrets in external (to wpa_supplicant) location. This allows, for
# example, operating system specific key storage to be used
#
# External password backend for testing purposes (developer use)
#CONFIG_EXT_PASSWORD_TEST=y
# Enable background scan to improve roaming
CONFIG_BGSCAN_SIMPLE=y
# Enable RSN IBSS/AdHoc
CONFIG_IBSS_RSN=y
++++++ fi.epitest.hostap.WPASupplicant.service ++++++
[D-BUS Service]
Name=fi.epitest.hostap.WPASupplicant
Exec=/usr/sbin/wpa_supplicant -c /etc/wpa_supplicant/wpa_supplicant.conf -u -f /var/log/wpa_supplicant.log
User=root
++++++ fi.w1.wpa_supplicant1.service ++++++
[D-BUS Service]
Name=fi.w1.wpa_supplicant1
Exec=/usr/sbin/wpa_supplicant -c /etc/wpa_supplicant/wpa_supplicant.conf -u -f /var/log/wpa_supplicant.log
User=root
++++++ logrotate.wpa_supplicant ++++++
/var/log/wpa_supplicant.log {
compress
dateext
maxage 365
rotate 99
missingok
notifempty
size +4096k
copytruncate
}
++++++ wpa_supplicant-driver-wext-debug.patch ++++++
Index: src/drivers/driver_wext.c
===================================================================
--- src/drivers/driver_wext.c.orig
+++ src/drivers/driver_wext.c
@@ -1901,19 +1901,26 @@ int wpa_driver_wext_associate(void *priv
* SIOCSIWENCODE here.
*/
if (drv->auth_alg_fallback &&
- wpa_driver_wext_auth_alg_fallback(drv, params) < 0)
+ wpa_driver_wext_auth_alg_fallback(drv, params) < 0) {
+ wpa_printf(MSG_DEBUG, "%s: assoc failed because auth_alg_fallback failed", __FUNCTION__);
ret = -1;
+ }
if (!params->bssid &&
- wpa_driver_wext_set_bssid(drv, NULL) < 0)
+ wpa_driver_wext_set_bssid(drv, NULL) < 0) {
+ wpa_printf(MSG_DEBUG, "%s: assoc failed because set_bssid failed", __FUNCTION__);
ret = -1;
+ }
/* TODO: should consider getting wpa version and cipher/key_mgmt suites
* from configuration, not from here, where only the selected suite is
* available */
if (wpa_driver_wext_set_gen_ie(drv, params->wpa_ie, params->wpa_ie_len)
- < 0)
+ < 0) {
+ wpa_printf(MSG_DEBUG, "%s: assoc failed because set_gen_ie failed", __FUNCTION__);
ret = -1;
+ }
+
if (params->wpa_ie == NULL || params->wpa_ie_len == 0)
value = IW_AUTH_WPA_VERSION_DISABLED;
else if (params->wpa_ie[0] == WLAN_EID_RSN)
@@ -1921,27 +1928,41 @@ int wpa_driver_wext_associate(void *priv
else
value = IW_AUTH_WPA_VERSION_WPA;
if (wpa_driver_wext_set_auth_param(drv,
- IW_AUTH_WPA_VERSION, value) < 0)
+ IW_AUTH_WPA_VERSION, value) < 0) {
+ wpa_printf(MSG_DEBUG, "%s: assoc failed because set_auth_param(WPA_VERSION) failed", __FUNCTION__);
ret = -1;
+ }
+
value = wpa_driver_wext_cipher2wext(params->pairwise_suite);
if (wpa_driver_wext_set_auth_param(drv,
- IW_AUTH_CIPHER_PAIRWISE, value) < 0)
+ IW_AUTH_CIPHER_PAIRWISE, value) < 0) {
+ wpa_printf(MSG_DEBUG, "%s: assoc failed because set_auth_param(CIPHER_PAIRWISE) failed", __FUNCTION__);
ret = -1;
+ }
+
value = wpa_driver_wext_cipher2wext(params->group_suite);
if (wpa_driver_wext_set_auth_param(drv,
- IW_AUTH_CIPHER_GROUP, value) < 0)
+ IW_AUTH_CIPHER_GROUP, value) < 0) {
+ wpa_printf(MSG_DEBUG, "%s: assoc failed because set_auth_param(CIPHER_GROUP) failed", __FUNCTION__);
ret = -1;
+ }
+
value = wpa_driver_wext_keymgmt2wext(params->key_mgmt_suite);
if (wpa_driver_wext_set_auth_param(drv,
- IW_AUTH_KEY_MGMT, value) < 0)
+ IW_AUTH_KEY_MGMT, value) < 0) {
+ wpa_printf(MSG_DEBUG, "%s: assoc failed because set_auth_param(KEY_MGMT) failed", __FUNCTION__);
ret = -1;
+ }
+
value = params->key_mgmt_suite != KEY_MGMT_NONE ||
params->pairwise_suite != CIPHER_NONE ||
params->group_suite != CIPHER_NONE ||
params->wpa_ie_len;
if (wpa_driver_wext_set_auth_param(drv,
- IW_AUTH_PRIVACY_INVOKED, value) < 0)
+ IW_AUTH_PRIVACY_INVOKED, value) < 0) {
+ wpa_printf(MSG_DEBUG, "%s: assoc failed because set_auth_param(PRIVACY_INVOKED) failed", __FUNCTION__);
ret = -1;
+ }
/* Allow unencrypted EAPOL messages even if pairwise keys are set when
* not using WPA. IEEE 802.1X specifies that these frames are not
@@ -1952,12 +1973,18 @@ int wpa_driver_wext_associate(void *priv
else
allow_unencrypted_eapol = 1;
- if (wpa_driver_wext_set_psk(drv, params->psk) < 0)
+ if (wpa_driver_wext_set_psk(drv, params->psk) < 0) {
+ wpa_printf(MSG_DEBUG, "%s: assoc failed because set_psk failed", __FUNCTION__);
ret = -1;
+ }
+
if (wpa_driver_wext_set_auth_param(drv,
IW_AUTH_RX_UNENCRYPTED_EAPOL,
- allow_unencrypted_eapol) < 0)
+ allow_unencrypted_eapol) < 0) {
+ wpa_printf(MSG_DEBUG, "%s: assoc failed because set_auth_param(RX_UNENCRYPTED_EAPOL) failed", __FUNCTION__);
ret = -1;
+ }
+
#ifdef CONFIG_IEEE80211W
switch (params->mgmt_frame_protection) {
case NO_MGMT_FRAME_PROTECTION:
@@ -1970,17 +1997,25 @@ int wpa_driver_wext_associate(void *priv
value = IW_AUTH_MFP_REQUIRED;
break;
};
- if (wpa_driver_wext_set_auth_param(drv, IW_AUTH_MFP, value) < 0)
+ if (wpa_driver_wext_set_auth_param(drv, IW_AUTH_MFP, value) < 0) {
+ wpa_printf(MSG_DEBUG, "%s: assoc failed because set_auth_param(IW_AUTH_MFP) failed", __FUNCTION__);
ret = -1;
+ }
#endif /* CONFIG_IEEE80211W */
- if (params->freq && wpa_driver_wext_set_freq(drv, params->freq) < 0)
+ if (params->freq && wpa_driver_wext_set_freq(drv, params->freq) < 0) {
+ wpa_printf(MSG_DEBUG, "%s: assoc failed because set_freq failed", __FUNCTION__);
ret = -1;
+ }
if (!drv->cfg80211 &&
- wpa_driver_wext_set_ssid(drv, params->ssid, params->ssid_len) < 0)
+ wpa_driver_wext_set_ssid(drv, params->ssid, params->ssid_len) < 0) {
+ wpa_printf(MSG_DEBUG, "%s: assoc failed because set_ssid failed", __FUNCTION__);
ret = -1;
+ }
if (params->bssid &&
- wpa_driver_wext_set_bssid(drv, params->bssid) < 0)
+ wpa_driver_wext_set_bssid(drv, params->bssid) < 0) {
+ wpa_printf(MSG_DEBUG, "%s: assoc failed because set_bssid failed", __FUNCTION__);
ret = -1;
+ }
if (drv->cfg80211 &&
wpa_driver_wext_set_ssid(drv, params->ssid, params->ssid_len) < 0)
ret = -1;
@@ -2008,6 +2043,10 @@ static int wpa_driver_wext_set_auth_alg(
res = wpa_driver_wext_set_auth_param(drv, IW_AUTH_80211_AUTH_ALG,
algs);
drv->auth_alg_fallback = res == -2;
+
+ if (res == -2)
+ wpa_printf(MSG_DEBUG, "%s: falling back to ENCODE for AUTH", __FUNCTION__);
+
return res;
}
++++++ wpa_supplicant-errormsg.patch ++++++
Index: src/drivers/driver_wext.c
===================================================================
--- src/drivers/driver_wext.c.orig
+++ src/drivers/driver_wext.c
@@ -54,12 +54,13 @@ int wpa_driver_wext_set_auth_param(struc
iwr.u.param.value = value;
if (ioctl(drv->ioctl_sock, SIOCSIWAUTH, &iwr) < 0) {
+ int saved_errno = errno;
if (errno != EOPNOTSUPP) {
wpa_printf(MSG_DEBUG, "WEXT: SIOCSIWAUTH(param %d "
"value 0x%x) failed: %s)",
idx, value, strerror(errno));
}
- ret = errno == EOPNOTSUPP ? -2 : -1;
+ ret = saved_errno == EOPNOTSUPP ? -2 : -1;
}
return ret;
++++++ wpa_supplicant-flush-debug-output.patch ++++++
Index: src/utils/wpa_debug.c
===================================================================
--- src/utils/wpa_debug.c.orig
+++ src/utils/wpa_debug.c
@@ -45,6 +45,7 @@ void wpa_debug_print_timestamp(void)
if (out_file) {
fprintf(out_file, "%ld.%06u: ", (long) tv.sec,
(unsigned int) tv.usec);
+ fflush(out_file);
} else
#endif /* CONFIG_DEBUG_FILE */
printf("%ld.%06u: ", (long) tv.sec, (unsigned int) tv.usec);
@@ -111,6 +112,7 @@ void wpa_printf(int level, const char *f
if (out_file) {
vfprintf(out_file, fmt, ap);
fprintf(out_file, "\n");
+ fflush(out_file);
} else {
#endif /* CONFIG_DEBUG_FILE */
vprintf(fmt, ap);
@@ -146,6 +148,7 @@ static void _wpa_hexdump(int level, cons
fprintf(out_file, " [REMOVED]");
}
fprintf(out_file, "\n");
+ fflush(out_file);
} else {
#endif /* CONFIG_DEBUG_FILE */
printf("%s - hexdump(len=%lu):", title, (unsigned long) len);
@@ -191,12 +194,14 @@ static void _wpa_hexdump_ascii(int level
fprintf(out_file,
"%s - hexdump_ascii(len=%lu): [REMOVED]\n",
title, (unsigned long) len);
+ fflush(out_file);
return;
}
if (buf == NULL) {
fprintf(out_file,
"%s - hexdump_ascii(len=%lu): [NULL]\n",
title, (unsigned long) len);
+ fflush(out_file);
return;
}
fprintf(out_file, "%s - hexdump_ascii(len=%lu):\n",
@@ -221,6 +226,7 @@ static void _wpa_hexdump_ascii(int level
pos += llen;
len -= llen;
}
+ fflush(out_file);
} else {
#endif /* CONFIG_DEBUG_FILE */
if (!show) {
++++++ wpa_supplicant-sigusr1-changes-debuglevel.patch ++++++
Index: wpa_supplicant/wpa_supplicant.c
===================================================================
--- wpa_supplicant/wpa_supplicant.c.orig
+++ wpa_supplicant/wpa_supplicant.c
@@ -139,6 +139,22 @@ int wpa_set_wep_keys(struct wpa_supplica
return set;
}
+static void wpa_supplicant_handle_sigusr1(int sig, void *eloop_ctx,
+ void *signal_ctx)
+{
+ /* Increase verbosity (by decreasing the debug level) and wrap back
+ * to MSG_INFO when needed.
+ */
+ if (wpa_debug_level)
+ wpa_debug_level--;
+ else
+ wpa_debug_level = MSG_INFO;
+
+ wpa_printf(MSG_INFO, "Signal %d received - changing debug level to %s", sig,
+ (wpa_debug_level == MSG_INFO) ? "INFO" :
+ ((wpa_debug_level == MSG_DEBUG) ? "DEBUG" :
+ ((wpa_debug_level == MSG_MSGDUMP) ? "MSGDUMP" : "UNKNOWN")));
+}
static int wpa_supplicant_set_wpa_none_key(struct wpa_supplicant *wpa_s,
struct wpa_ssid *ssid)
@@ -2342,6 +2358,8 @@ int wpa_supplicant_run(struct wpa_global
eloop_register_signal_terminate(wpa_supplicant_terminate, global);
eloop_register_signal_reconfig(wpa_supplicant_reconfig, global);
+ eloop_register_signal(SIGUSR1, wpa_supplicant_handle_sigusr1, NULL);
+
eloop_run();
return 0;
++++++ wpa_supplicant.conf ++++++
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
++++++ wpa_supplicant.service ++++++
[Unit]
Description=WPA Supplicant daemon
Before=network.target
[Service]
Type=dbus
BusName=fi.w1.wpa_supplicant1
ExecStart=/usr/sbin/wpa_supplicant -c /etc/wpa_supplicant/wpa_supplicant.conf -u -f /var/log/wpa_supplicant.log
[Install]
WantedBy=multi-user.target