diff mbox series

[bug#35563] WPA Supplicant 2.8

Message ID 87sgtudw3h.fsf@fastmail.com
State Accepted
Headers show
Series [bug#35563] WPA Supplicant 2.8 | expand

Checks

Context Check Description
cbaines/applying patch fail Apply failed

Commit Message

Marius Bakke May 4, 2019, 4:26 p.m. UTC
Hello!

Attached is a security update for WPA Supplicant.

The new version toggles a lot of build-time options to more closely
resemble what Debian and Arch do.  Unfortunately the new defaults
appears to require OpenSSL instead of GnuTLS.

Thoughts?

Comments

Ludovic Courtès May 6, 2019, 8:10 a.m. UTC | #1
Hello Marius,

Marius Bakke <mbakke@fastmail.com> skribis:

> Attached is a security update for WPA Supplicant.
>
> The new version toggles a lot of build-time options to more closely
> resemble what Debian and Arch do.  Unfortunately the new defaults
> appears to require OpenSSL instead of GnuTLS.

What happens when you keep CONFIG_TLS=gnutls?

> From 194bb2914a0724587f04dd03cb4dd40465887248 Mon Sep 17 00:00:00 2001
> From: Marius Bakke <mbakke@fastmail.com>
> Date: Tue, 30 Apr 2019 00:05:36 +0200
> Subject: [PATCH] gnu: wpa_supplicant: Update to 2.8 [security fixes].
>
> This release fixes CVE-2019-9494, CVE-2019-9495, CVE-2019-9496, CVE-2019-9497,
> CVE-2019-9498, CVE-2019-9499, and CVE-2019-11555.
>
> * gnu/packages/admin.scm (wpa-supplicant-minimal): Update to 2.8.
> [source](snippet): New field.  Disable D-Bus.
> [arguments]: Remove now-default CONFIG_DEBUG_SYSLOG=y.  Change CONFIG_TLS to
> use OpenSSL rather than GnuTLS.
> [inputs]: Remove GNUTLS and LIBGCRYPT.  Add OPENSSL-NEXT.
> (wpa-supplicant)[arguments]: Remove obsolete CONFIG_CTRL_IFACE_DBUS=y.

[...]

> +                  (substitute* "wpa_supplicant/defconfig"
> +                    ;; Disable D-Bus by default.
> +                    (("^CONFIG_CTRL_IFACE_DBUS_" line _)
> +                     (string-append "#" line)))

This change is unrelated to the upgrade, right?  It would break Connman
(which expects to talk to wpa_supplicant over D-Bus), as well as
NetworkManager probably, no?  Or am I missing something?

I’d like to have to make sure wpa_supplicant works well in the 1.0.1
installer.  :-)

Thanks for looking into it!

Ludo’.
Marius Bakke May 6, 2019, 1:20 p.m. UTC | #2
Ludovic Courtès <ludo@gnu.org> writes:

> Hello Marius,
>
> Marius Bakke <mbakke@fastmail.com> skribis:
>
>> Attached is a security update for WPA Supplicant.
>>
>> The new version toggles a lot of build-time options to more closely
>> resemble what Debian and Arch do.  Unfortunately the new defaults
>> appears to require OpenSSL instead of GnuTLS.
>
> What happens when you keep CONFIG_TLS=gnutls?

The linker fails to find a lot of OpenSSL interfaces.  Short excerpt:

ld: ../src/common/dpp.o: in function `dpp_set_pubkey_point':
/tmp/guix-build-wpa-supplicant-2.8.drv-0/wpa_supplicant-2.8/wpa_supplicant/../src/common/dpp.c:538: undefined reference to `EVP_PKEY_get1_EC_KEY'
ld: /tmp/guix-build-wpa-supplicant-2.8.drv-0/wpa_supplicant-2.8/wpa_supplicant/../src/common/dpp.c:545: undefined reference to `EC_KEY_get0_group'
ld: /tmp/guix-build-wpa-supplicant-2.8.drv-0/wpa_supplicant-2.8/wpa_supplicant/../src/common/dpp.c:552: undefined reference to `EC_KEY_free'

Omitting the OpenSSL input makes it fail earlier due to lack of headers.

>> From 194bb2914a0724587f04dd03cb4dd40465887248 Mon Sep 17 00:00:00 2001
>> From: Marius Bakke <mbakke@fastmail.com>
>> Date: Tue, 30 Apr 2019 00:05:36 +0200
>> Subject: [PATCH] gnu: wpa_supplicant: Update to 2.8 [security fixes].
>>
>> This release fixes CVE-2019-9494, CVE-2019-9495, CVE-2019-9496, CVE-2019-9497,
>> CVE-2019-9498, CVE-2019-9499, and CVE-2019-11555.
>>
>> * gnu/packages/admin.scm (wpa-supplicant-minimal): Update to 2.8.
>> [source](snippet): New field.  Disable D-Bus.
>> [arguments]: Remove now-default CONFIG_DEBUG_SYSLOG=y.  Change CONFIG_TLS to
>> use OpenSSL rather than GnuTLS.
>> [inputs]: Remove GNUTLS and LIBGCRYPT.  Add OPENSSL-NEXT.
>> (wpa-supplicant)[arguments]: Remove obsolete CONFIG_CTRL_IFACE_DBUS=y.
>
> [...]
>
>> +                  (substitute* "wpa_supplicant/defconfig"
>> +                    ;; Disable D-Bus by default.
>> +                    (("^CONFIG_CTRL_IFACE_DBUS_" line _)
>> +                     (string-append "#" line)))
>
> This change is unrelated to the upgrade, right?  It would break Connman
> (which expects to talk to wpa_supplicant over D-Bus), as well as
> NetworkManager probably, no?  Or am I missing something?

The distinguishing feature between "wpa-supplicant-minimal" and
"wpa-supplicant" is D-Bus support.

Upstream enabled D-Bus by default in version 2.8, so I toggled it back
with the snippet above so "wpa-supplicant-minimal" stays the same.

However I notice now that the new "wpa-supplicant-minimal" has D-Bus in
its closure even though the D-Bus interface is disabled.

So I'm not sure if it makes sense to have the separate -minimal variant
anymore.  The size of both wpa-supplicant variants are 102.4MiB after
this patch, down from 157.4 and 143.1 MiB on the Guix master branch.

Thoughts?
Ludovic Courtès May 7, 2019, 3:21 p.m. UTC | #3
Hi,

Marius Bakke <mbakke@fastmail.com> skribis:

> Ludovic Courtès <ludo@gnu.org> writes:
>
>> Hello Marius,
>>
>> Marius Bakke <mbakke@fastmail.com> skribis:
>>
>>> Attached is a security update for WPA Supplicant.
>>>
>>> The new version toggles a lot of build-time options to more closely
>>> resemble what Debian and Arch do.  Unfortunately the new defaults
>>> appears to require OpenSSL instead of GnuTLS.
>>
>> What happens when you keep CONFIG_TLS=gnutls?
>
> The linker fails to find a lot of OpenSSL interfaces.  Short excerpt:
>
> ld: ../src/common/dpp.o: in function `dpp_set_pubkey_point':
> /tmp/guix-build-wpa-supplicant-2.8.drv-0/wpa_supplicant-2.8/wpa_supplicant/../src/common/dpp.c:538: undefined reference to `EVP_PKEY_get1_EC_KEY'
> ld: /tmp/guix-build-wpa-supplicant-2.8.drv-0/wpa_supplicant-2.8/wpa_supplicant/../src/common/dpp.c:545: undefined reference to `EC_KEY_get0_group'
> ld: /tmp/guix-build-wpa-supplicant-2.8.drv-0/wpa_supplicant-2.8/wpa_supplicant/../src/common/dpp.c:552: undefined reference to `EC_KEY_free'
>
> Omitting the OpenSSL input makes it fail earlier due to lack of headers.

OK.

>> This change is unrelated to the upgrade, right?  It would break Connman
>> (which expects to talk to wpa_supplicant over D-Bus), as well as
>> NetworkManager probably, no?  Or am I missing something?
>
> The distinguishing feature between "wpa-supplicant-minimal" and
> "wpa-supplicant" is D-Bus support.
>
> Upstream enabled D-Bus by default in version 2.8, so I toggled it back
> with the snippet above so "wpa-supplicant-minimal" stays the same.
>
> However I notice now that the new "wpa-supplicant-minimal" has D-Bus in
> its closure even though the D-Bus interface is disabled.
>
> So I'm not sure if it makes sense to have the separate -minimal variant
> anymore.  The size of both wpa-supplicant variants are 102.4MiB after
> this patch, down from 157.4 and 143.1 MiB on the Guix master branch.

Well you’re right, maybe it doesn’t make much sense to keep both
variants in that case.

So I guess you can go ahead and push so we can all test it in the coming
days!

Thanks,
Ludo’.
Marius Bakke May 9, 2019, 3:35 p.m. UTC | #4
Ludovic Courtès <ludo@gnu.org> writes:

> Hi,
>
> Marius Bakke <mbakke@fastmail.com> skribis:
>
>> Ludovic Courtès <ludo@gnu.org> writes:
>>
>>> Hello Marius,
>>>
>>> Marius Bakke <mbakke@fastmail.com> skribis:
>>>
>>>> Attached is a security update for WPA Supplicant.
>>>>
>>>> The new version toggles a lot of build-time options to more closely
>>>> resemble what Debian and Arch do.  Unfortunately the new defaults
>>>> appears to require OpenSSL instead of GnuTLS.
>>>
>>> What happens when you keep CONFIG_TLS=gnutls?
>>
>> The linker fails to find a lot of OpenSSL interfaces.  Short excerpt:
>>
>> ld: ../src/common/dpp.o: in function `dpp_set_pubkey_point':
>> /tmp/guix-build-wpa-supplicant-2.8.drv-0/wpa_supplicant-2.8/wpa_supplicant/../src/common/dpp.c:538: undefined reference to `EVP_PKEY_get1_EC_KEY'
>> ld: /tmp/guix-build-wpa-supplicant-2.8.drv-0/wpa_supplicant-2.8/wpa_supplicant/../src/common/dpp.c:545: undefined reference to `EC_KEY_get0_group'
>> ld: /tmp/guix-build-wpa-supplicant-2.8.drv-0/wpa_supplicant-2.8/wpa_supplicant/../src/common/dpp.c:552: undefined reference to `EC_KEY_free'
>>
>> Omitting the OpenSSL input makes it fail earlier due to lack of headers.
>
> OK.
>
>>> This change is unrelated to the upgrade, right?  It would break Connman
>>> (which expects to talk to wpa_supplicant over D-Bus), as well as
>>> NetworkManager probably, no?  Or am I missing something?
>>
>> The distinguishing feature between "wpa-supplicant-minimal" and
>> "wpa-supplicant" is D-Bus support.
>>
>> Upstream enabled D-Bus by default in version 2.8, so I toggled it back
>> with the snippet above so "wpa-supplicant-minimal" stays the same.
>>
>> However I notice now that the new "wpa-supplicant-minimal" has D-Bus in
>> its closure even though the D-Bus interface is disabled.
>>
>> So I'm not sure if it makes sense to have the separate -minimal variant
>> anymore.  The size of both wpa-supplicant variants are 102.4MiB after
>> this patch, down from 157.4 and 143.1 MiB on the Guix master branch.
>
> Well you’re right, maybe it doesn’t make much sense to keep both
> variants in that case.

Errh nevermind, the "wpa-supplicant-minimal" package does *not* have
D-Bus in its closure.  The updated sizes are 87.8 and 102.1 MiB.

> So I guess you can go ahead and push so we can all test it in the coming
> days!

I have tested this on a few different setups and it appears to work
fine.  Pushed as aeb1ed1abcc953694bcd742ae5e3ba5a13506373!
Ludovic Courtès May 10, 2019, 7:52 a.m. UTC | #5
Hi!

Marius Bakke <mbakke@fastmail.com> skribis:

> Errh nevermind, the "wpa-supplicant-minimal" package does *not* have
> D-Bus in its closure.  The updated sizes are 87.8 and 102.1 MiB.

Alright.  :-)

>> So I guess you can go ahead and push so we can all test it in the coming
>> days!
>
> I have tested this on a few different setups and it appears to work
> fine.  Pushed as aeb1ed1abcc953694bcd742ae5e3ba5a13506373!

Thanks!

Ludo’.
diff mbox series

Patch

From 194bb2914a0724587f04dd03cb4dd40465887248 Mon Sep 17 00:00:00 2001
From: Marius Bakke <mbakke@fastmail.com>
Date: Tue, 30 Apr 2019 00:05:36 +0200
Subject: [PATCH] gnu: wpa_supplicant: Update to 2.8 [security fixes].

This release fixes CVE-2019-9494, CVE-2019-9495, CVE-2019-9496, CVE-2019-9497,
CVE-2019-9498, CVE-2019-9499, and CVE-2019-11555.

* gnu/packages/admin.scm (wpa-supplicant-minimal): Update to 2.8.
[source](snippet): New field.  Disable D-Bus.
[arguments]: Remove now-default CONFIG_DEBUG_SYSLOG=y.  Change CONFIG_TLS to
use OpenSSL rather than GnuTLS.
[inputs]: Remove GNUTLS and LIBGCRYPT.  Add OPENSSL-NEXT.
(wpa-supplicant)[arguments]: Remove obsolete CONFIG_CTRL_IFACE_DBUS=y.
---
 gnu/packages/admin.scm | 24 +++++++++++++-----------
 1 file changed, 13 insertions(+), 11 deletions(-)

diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm
index 275ce8bb2f..e0fc1c54c9 100644
--- a/gnu/packages/admin.scm
+++ b/gnu/packages/admin.scm
@@ -1198,16 +1198,23 @@  commands and their arguments.")
 (define-public wpa-supplicant-minimal
   (package
     (name "wpa-supplicant-minimal")
-    (version "2.7")
+    (version "2.8")
     (source (origin
               (method url-fetch)
               (uri (string-append
                     "https://w1.fi/releases/wpa_supplicant-"
-                    version
-                    ".tar.gz"))
+                    version ".tar.gz"))
               (sha256
                (base32
-                "0x1hqyahq44jyla8jl6791nnwrgicrhidadikrnqxsm2nw36pskn"))))
+                "15ixzm347n8w6gdvi3j3yks3i15qmp6by9ayvswm34d929m372d6"))
+              (modules '((guix build utils)))
+              (snippet
+               '(begin
+                  (substitute* "wpa_supplicant/defconfig"
+                    ;; Disable D-Bus by default.
+                    (("^CONFIG_CTRL_IFACE_DBUS_" line _)
+                     (string-append "#" line)))
+                    #t))))
     (build-system gnu-build-system)
     (arguments
      '(#:phases
@@ -1218,10 +1225,7 @@  commands and their arguments.")
              (copy-file "defconfig" ".config")
              (let ((port (open-file ".config" "al")))
                (display "
-      CONFIG_DEBUG_SYSLOG=y
-
-      # Choose GnuTLS (the default is OpenSSL.)
-      CONFIG_TLS=gnutls
+      CONFIG_TLS=openssl
 
       CONFIG_DRIVER_NL80211=y
       CFLAGS += $(shell pkg-config libnl-3.0 --cflags)
@@ -1255,8 +1259,7 @@  commands and their arguments.")
     (inputs
      `(("readline" ,readline)
        ("libnl" ,libnl)
-       ("gnutls" ,gnutls)
-       ("libgcrypt" ,libgcrypt)))                 ;needed by crypto_gnutls.c
+       ("openssl" ,openssl-next)))
     (native-inputs
      `(("pkg-config" ,pkg-config)))
     (home-page "https://w1.fi/wpa_supplicant/")
@@ -1289,7 +1292,6 @@  command.")
              (lambda _
                (let ((port (open-file ".config" "al")))
                  (display "
-      CONFIG_CTRL_IFACE_DBUS=y
       CONFIG_CTRL_IFACE_DBUS_NEW=y
       CONFIG_CTRL_IFACE_DBUS_INTRO=y\n" port)
                  (close-port port))
-- 
2.21.0