!67 fix CVE-2024-5290

From: @zhangxianting 
Reviewed-by: @dillon_chen 
Signed-off-by: @dillon_chen

Add-clang-support-for-qmake.patch

@@ -0,0 +1,30 @@
+From dfd0125ffd4f2afd0ad78dfac4c8d588b1b666db Mon Sep 17 00:00:00 2001
+From: sunmin89 <sunmin@kubuds.cn>
+Date: Wed, 3 Apr 2024 19:18:23 +0800
+Subject: [PATCH] Add support for qmake clang
+
+---
+ wpa_supplicant/wpa_gui-qt4/wpa_gui.pro | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/wpa_supplicant/wpa_gui-qt4/wpa_gui.pro b/wpa_supplicant/wpa_gui-qt4/wpa_gui.pro
+index 3fa734b..f8f9f71 100644
+--- a/wpa_supplicant/wpa_gui-qt4/wpa_gui.pro
++++ b/wpa_supplicant/wpa_gui-qt4/wpa_gui.pro
+@@ -3,6 +3,13 @@ LANGUAGE	= C++
+ TRANSLATIONS	= lang/wpa_gui_de.ts
+ greaterThan(QT_MAJOR_VERSION, 4): QT += widgets
+ 
++#Add support for clang
++QMAKE_CC = clang
++QMAKE_CXX = clang++
++QMAKE_LINK = clang++
++QMAKE_AR = llvm-ar
++QMAKE_STRIP = llvm-strip
++
+ CONFIG	+= qt warn_on release
+ 
+ DEFINES += CONFIG_CTRL_IFACE
+-- 
+2.27.0
+

backport-CVE-2024-5290.patch

@@ -0,0 +1,34 @@
+https://github.com/deepin-community/wpa/commit/512af510f0ae65392ff128008252fa37fbafa26b
+Description: slow certification.
+ When using PEAP certification, the server may use Identity's Request message
+ as a heartbeat; there will be many clients on the Internet to send address
+ 01: 80: C2: 00: 03 Identity's Response message as a heartbeat; at this time
+ When a client is broken and reconnect, it is easy to receive this message,
+ resulting in triggering restart of EAPOL authentication, resulting in a slow
+ authentication. So Ignore the response message in the Connecting state.
+
+Author: xinpeng wang <wangxinpeng@uniontech.com>
+
+
+Origin: https://gerrit.uniontech.com/plugins/gitiles/base/wpa/+/accd188752a1b2656a92dabca48616cb9889f386
+Bug: https://pms.uniontech.com/zentao/bug-view-105383.html
+Last-Update: 2022-05-19
+
+--- wpa-2.10.orig/src/eapol_supp/eapol_supp_sm.c
++++ wpa-2.10/src/eapol_supp/eapol_supp_sm.c
+@@ -1357,6 +1357,15 @@ int eapol_sm_rx_eapol(struct eapol_sm *s
+ 				break;
+ 			}
+ 		}
++		{
++			const struct eap_hdr *ehdr =
++				(const struct eap_hdr *) (hdr + 1);
++			if (plen >= sizeof(*ehdr) && ehdr->code == EAP_CODE_RESPONSE &&
++				sm->SUPP_PAE_state == SUPP_PAE_CONNECTING) {
++				wpa_printf(MSG_DEBUG, "EAPOL: Ignore EAP packet with response when connecting workaround %d",sm->conf.workaround);
++				break;
++			}
++		}
+
+ 		if (sm->cached_pmk) {
+ 			/* Trying to use PMKSA caching, but Authenticator did

backport-wpa_supplicant-PEAP-client-Update-Phase-2-authentication-requiremen.patch

@@ -0,0 +1,198 @@
+From 8e6485a1bcb0baffdea9e55255a81270b768439c Mon Sep 17 00:00:00 2001
+Message-ID: <8e6485a1bcb0baffdea9e55255a81270b768439c.1708356763.git.davide.caratti@gmail.com>
+From: Jouni Malinen <j@w1.fi>
+Date: Sat, 8 Jul 2023 19:55:32 +0300
+Subject: [PATCH] PEAP client: Update Phase 2 authentication requirements
+
+The previous PEAP client behavior allowed the server to skip Phase 2
+authentication with the expectation that the server was authenticated
+during Phase 1 through TLS server certificate validation. Various PEAP
+specifications are not exactly clear on what the behavior on this front
+is supposed to be and as such, this ended up being more flexible than
+the TTLS/FAST/TEAP cases. However, this is not really ideal when
+unfortunately common misconfiguration of PEAP is used in deployed
+devices where the server trust root (ca_cert) is not configured or the
+user has an easy option for allowing this validation step to be skipped.
+
+Change the default PEAP client behavior to be to require Phase 2
+authentication to be successfully completed for cases where TLS session
+resumption is not used and the client certificate has not been
+configured. Those two exceptions are the main cases where a deployed
+authentication server might skip Phase 2 and as such, where a more
+strict default behavior could result in undesired interoperability
+issues. Requiring Phase 2 authentication will end up disabling TLS
+session resumption automatically to avoid interoperability issues.
+
+Allow Phase 2 authentication behavior to be configured with a new phase1
+configuration parameter option:
+'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
+tunnel) behavior for PEAP:
+ * 0 = do not require Phase 2 authentication
+ * 1 = require Phase 2 authentication when client certificate
+   (private_key/client_cert) is no used and TLS session resumption was
+   not used (default)
+ * 2 = require Phase 2 authentication in all cases
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/eap_peer/eap_config.h          |  8 ++++++
+ src/eap_peer/eap_peap.c            | 40 +++++++++++++++++++++++++++---
+ src/eap_peer/eap_tls_common.c      |  6 +++++
+ src/eap_peer/eap_tls_common.h      |  5 ++++
+ wpa_supplicant/wpa_supplicant.conf |  7 ++++++
+ 5 files changed, 63 insertions(+), 3 deletions(-)
+
+--- a/src/eap_peer/eap_config.h
++++ b/src/eap_peer/eap_config.h
+@@ -469,6 +469,14 @@ struct eap_peer_config {
+ 	 * 1 = use cryptobinding if server supports it
+ 	 * 2 = require cryptobinding
+ 	 *
++	 * phase2_auth option can be used to control Phase 2 (i.e., within TLS
++	 * tunnel) behavior for PEAP:
++	 * 0 = do not require Phase 2 authentication
++	 * 1 = require Phase 2 authentication when client certificate
++	 *  (private_key/client_cert) is no used and TLS session resumption was
++	 *  not used (default)
++	 * 2 = require Phase 2 authentication in all cases
++	 *
+ 	 * EAP-WSC (WPS) uses following options: pin=Device_Password and
+ 	 * uuid=Device_UUID
+ 	 *
+--- a/src/eap_peer/eap_peap.c
++++ b/src/eap_peer/eap_peap.c
+@@ -67,6 +67,7 @@ struct eap_peap_data {
+ 	u8 cmk[20];
+ 	int soh; /* Whether IF-TNCCS-SOH (Statement of Health; Microsoft NAP)
+ 		  * is enabled. */
++	enum { NO_AUTH, FOR_INITIAL, ALWAYS } phase2_auth;
+ };
+ 
+ 
+@@ -114,6 +115,19 @@ static void eap_peap_parse_phase1(struct
+ 		wpa_printf(MSG_DEBUG, "EAP-PEAP: Require cryptobinding");
+ 	}
+ 
++	if (os_strstr(phase1, "phase2_auth=0")) {
++		data->phase2_auth = NO_AUTH;
++		wpa_printf(MSG_DEBUG,
++			   "EAP-PEAP: Do not require Phase 2 authentication");
++	} else if (os_strstr(phase1, "phase2_auth=1")) {
++		data->phase2_auth = FOR_INITIAL;
++		wpa_printf(MSG_DEBUG,
++			   "EAP-PEAP: Require Phase 2 authentication for initial connection");
++	} else if (os_strstr(phase1, "phase2_auth=2")) {
++		data->phase2_auth = ALWAYS;
++		wpa_printf(MSG_DEBUG,
++			   "EAP-PEAP: Require Phase 2 authentication for all cases");
++	}
+ #ifdef EAP_TNC
+ 	if (os_strstr(phase1, "tnc=soh2")) {
+ 		data->soh = 2;
+@@ -142,6 +156,7 @@ static void * eap_peap_init(struct eap_s
+ 	data->force_peap_version = -1;
+ 	data->peap_outer_success = 2;
+ 	data->crypto_binding = OPTIONAL_BINDING;
++	data->phase2_auth = FOR_INITIAL;
+ 
+ 	if (config && config->phase1)
+ 		eap_peap_parse_phase1(data, config->phase1);
+@@ -454,6 +469,20 @@ static int eap_tlv_validate_cryptobindin
+ }
+ 
+ 
++static bool peap_phase2_sufficient(struct eap_sm *sm,
++				   struct eap_peap_data *data)
++{
++	if ((data->phase2_auth == ALWAYS ||
++	     (data->phase2_auth == FOR_INITIAL &&
++	      !tls_connection_resumed(sm->ssl_ctx, data->ssl.conn) &&
++	      !data->ssl.client_cert_conf) ||
++	     data->phase2_eap_started) &&
++	    !data->phase2_eap_success)
++		return false;
++	return true;
++}
++
++
+ /**
+  * eap_tlv_process - Process a received EAP-TLV message and generate a response
+  * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
+@@ -568,6 +597,11 @@ static int eap_tlv_process(struct eap_sm
+ 					   " - force failed Phase 2");
+ 				resp_status = EAP_TLV_RESULT_FAILURE;
+ 				ret->decision = DECISION_FAIL;
++			} else if (!peap_phase2_sufficient(sm, data)) {
++				wpa_printf(MSG_INFO,
++					   "EAP-PEAP: Server indicated Phase 2 success, but sufficient Phase 2 authentication has not been completed");
++				resp_status = EAP_TLV_RESULT_FAILURE;
++				ret->decision = DECISION_FAIL;
+ 			} else {
+ 				resp_status = EAP_TLV_RESULT_SUCCESS;
+ 				ret->decision = DECISION_UNCOND_SUCC;
+@@ -887,8 +921,7 @@ continue_req:
+ 			/* EAP-Success within TLS tunnel is used to indicate
+ 			 * shutdown of the TLS channel. The authentication has
+ 			 * been completed. */
+-			if (data->phase2_eap_started &&
+-			    !data->phase2_eap_success) {
++			if (!peap_phase2_sufficient(sm, data)) {
+ 				wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 "
+ 					   "Success used to indicate success, "
+ 					   "but Phase 2 EAP was not yet "
+@@ -1199,8 +1232,9 @@ static struct wpabuf * eap_peap_process(
+ static bool eap_peap_has_reauth_data(struct eap_sm *sm, void *priv)
+ {
+ 	struct eap_peap_data *data = priv;
++
+ 	return tls_connection_established(sm->ssl_ctx, data->ssl.conn) &&
+-		data->phase2_success;
++		data->phase2_success && data->phase2_auth != ALWAYS;
+ }
+ 
+ 
+--- a/src/eap_peer/eap_tls_common.c
++++ b/src/eap_peer/eap_tls_common.c
+@@ -239,6 +239,12 @@ static int eap_tls_params_from_conf(stru
+ 
+ 	sm->ext_cert_check = !!(params->flags & TLS_CONN_EXT_CERT_CHECK);
+ 
++	if (!phase2)
++		data->client_cert_conf = params->client_cert ||
++			params->client_cert_blob ||
++			params->private_key ||
++			params->private_key_blob;
++
+ 	return 0;
+ }
+ 
+--- a/src/eap_peer/eap_tls_common.h
++++ b/src/eap_peer/eap_tls_common.h
+@@ -79,6 +79,11 @@ struct eap_ssl_data {
+ 	 * tls_v13 - Whether TLS v1.3 or newer is used
+ 	 */
+ 	int tls_v13;
++
++	/**
++	 * client_cert_conf: Whether client certificate has been configured
++	 */
++	bool client_cert_conf;
+ };
+ 
+ 
+--- a/wpa_supplicant/wpa_supplicant.conf
++++ b/wpa_supplicant/wpa_supplicant.conf
+@@ -1330,6 +1330,13 @@ fast_reauth=1
+ #	 * 0 = do not use cryptobinding (default)
+ #	 * 1 = use cryptobinding if server supports it
+ #	 * 2 = require cryptobinding
++#	'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
++#	tunnel) behavior for PEAP:
++#	 * 0 = do not require Phase 2 authentication
++#	 * 1 = require Phase 2 authentication when client certificate
++#	   (private_key/client_cert) is no used and TLS session resumption was
++#	   not used (default)
++#	 * 2 = require Phase 2 authentication in all cases
+ #	EAP-WSC (WPS) uses following options: pin=<Device Password> or
+ #	pbc=1.
+ #

wpa_supplicant.service

@@ -8,7 +8,7 @@ After=dbus.service
 Type=dbus
 BusName=fi.w1.wpa_supplicant1
 EnvironmentFile=-/etc/sysconfig/wpa_supplicant
-ExecStart=/usr/sbin/wpa_supplicant -u $INTERFACES $DRIVERS $OTHER_ARGS
+ExecStart=/usr/sbin/wpa_supplicant -u -O /var/run/wpa_supplicant $INTERFACES $DRIVERS $OTHER_ARGS
 
 [Install]
 WantedBy=multi-user.target

wpa_supplicant.spec

@@ -1,7 +1,7 @@
 Name:          wpa_supplicant
 Epoch:         1
 Version:       2.10
-Release:       3
+Release:       7
 Summary:       A WPA Supplicant with support for WPA and WPA2 (IEEE 802.11i / RSN)
 License:       BSD or GPLv2
 Url:           https://w1.fi/wpa_supplicant/
@@ -10,9 +10,24 @@ Source1:       build-config
 Source3:       %{name}.service
 Source5:       %{name}.logrotate
 
-Patch6000:     wpa_supplicant-gui-qt4.patch
+#fix PEAP client to require successful Phase2 authentication when needed (CVE-2023-52160)
+Patch0: backport-wpa_supplicant-PEAP-client-Update-Phase-2-authentication-requiremen.patch
+
+%ifnarch loongarch64
+Patch6000:     wpa_supplicant-gui-qt4.patch
+%endif
+%if "%{?toolchain}" == "clang"
+Patch6001:     Add-clang-support-for-qmake.patch
+%endif
+Patch6002:     backport-CVE-2024-5290.patch
+
+%ifarch loongarch64
+BuildRequires: /usr/bin/qmake
+%else
+BuildRequires: qt-devel >= 4.0
+%endif
+BuildRequires: openssl-devel readline-devel dbus-devel libnl3-devel systemd-units docbook-utils
 
-BuildRequires: qt-devel >= 4.0 openssl-devel readline-devel dbus-devel libnl3-devel systemd-units docbook-utils
 Requires(post): systemd-sysv
 Requires(post): systemd
 Requires(preun): systemd
@@ -25,11 +40,13 @@ It is suitable for both desktop/laptop computers and embedded systems. Supplican
 used in the client stations. It implements key negotiation with a WPA Authenticator and it controls the roaming
 and IEEE 802.11 authentication/association of the wlan driver.
 
+%ifnarch loongarch64
 %package gui
 Summary: Graphical User Interface for %{name}
 
 %description gui
 Graphical User Interface for wpa_supplicant written using QT
+%endif
 
 %package help
 Summary: Help package for %{name}
@@ -53,7 +70,9 @@ export CFLAGS="${CFLAGS:-%optflags} -fPIE -DPIE"\
 
 cp -f %{SOURCE1} %{name}/.config
 %{_build_cmd__ %{name}}
+%ifnarch loongarch64
 %{_build_cmd__ %{name} wpa_gui-qt4} %{_build_setups_qt__}
+%endif
 %{_build_cmd__ %{name} eapol_test}
 %{_build_cmd__ %{name}/doc/docbook man}
 
@@ -67,7 +86,9 @@ install -m755 %{name}/{wpa_passphrase,wpa_cli,wpa_supplicant,eapol_test} %{build
 install -Dm644 %{name}/dbus/dbus-wpa_supplicant.conf %{buildroot}%{_sysconfdir}/dbus-1/system.d/wpa_supplicant.conf
 install -Dm644 %{name}/dbus/fi.w1.wpa_supplicant1.service %{buildroot}%{_datadir}/dbus-1/system-services/fi.w1.wpa_supplicant1.service
 
+%ifnarch loongarch64
 install -Dm755 %{name}/wpa_gui-qt4/wpa_gui %{buildroot}/%{_bindir}/wpa_gui
+%endif
 
 install -d %{buildroot}%{_mandir}/man{5,8}
 install -m644 %{name}/doc/docbook/*.8 %{buildroot}%{_mandir}/man8
@@ -90,8 +111,10 @@ install -m644 %{name}/doc/docbook/*.5 %{buildroot}%{_mandir}/man5
 %{_sbindir}/wpa_cli
 %{_sbindir}/eapol_test
 
+%ifnarch loongarch64
 %files gui
 %{_bindir}/wpa_gui
+%endif
 
 %files help
 %doc %{name}/ChangeLog README %{name}/eap_testing.txt %{name}/todo.txt %{name}/wpa_supplicant.conf %{name}/examples
@@ -99,6 +122,20 @@ install -m644 %{name}/doc/docbook/*.5 %{buildroot}%{_mandir}/man5
 %{_mandir}/man5/*
 
 %changelog
+* Fri Aug  9 2024 zhangxianting <zhangxianting@uniontech.com> - 1:2.10-7
+- fix CVE-2024-5290
+
+* Wed May 29 2024 Wenlong Zhang <zhangwenlong@loongson.cn> - 1:2.10-6
+- fix build error for loongarch64
+
+* Mon Apr 15 2024 Han Jinpeng <hanjinpeng@kylinos.cn> - 1:2.10-5
+- Backport patch fix CVE-2023-52160
+
+* Mon Apr 15 2024 sunmin <sunmin@kubuds.cn> - 1:2.10-5
+- Add clang support for qmake
+
+* Tue Sep 5 2023 xiaofan <xiaofan@iscas.ac.cn> - 1:2.10-4
+- fix wpa_cli not work
 
 * Mon Sep 4 2023 xiaofan <xiaofan@iscas.ac.cn> - 1:2.10-3
 - remove redundant command argument and file