security/wpa_supplicant: Update to version 2.6 and patch for LibreSSL support

Port changes:
- Remove patches that have been incorporated upstream
- Add patches for LibreSSL support

Approved by:	AMDmi3 (mentor)
Differential Revision:	https://reviews.freebsd.org/D8451
Joseph Mingrone 2016-11-17 17:43:32 +00:00
parent 672a066c57
commit f453d7ba20
Notes: svn2git 2021-03-31 03:12:20 +00:00
svn path=/head/; revision=426292
15 changed files with 76 additions and 613 deletions


@ -1,8 +1,7 @@
# $FreeBSD$ # $FreeBSD$
PORTNAME= wpa_supplicant PORTNAME= wpa_supplicant
PORTVERSION= 2.5 PORTVERSION= 2.6
PORTREVISION= 2
CATEGORIES= security net CATEGORIES= security net
MASTER_SITES= http://w1.fi/releases/ MASTER_SITES= http://w1.fi/releases/
@ -96,15 +95,22 @@ PRIVSEP_PLIST_FILES= sbin/wpa_priv
.include <bsd.port.options.mk> .include <bsd.port.options.mk>
.if ${PORT_OPTIONS:MNDIS} && ${PORT_OPTIONS:MPRIVSEP}
BROKEN= Fails to compile with both NDIS and PRIVSEP
.endif
.if ${PORT_OPTIONS:MIEEE80211AC} && ${PORT_OPTIONS:MIEEE80211N}
BROKEN= Fails to compile with both IEEE80211AC and IEEE80211N
.endif
.if ${PORT_OPTIONS:MSIM} || ${PORT_OPTIONS:MAKA} || ${PORT_OPTIONS:MAKA_PRIME} .if ${PORT_OPTIONS:MSIM} || ${PORT_OPTIONS:MAKA} || ${PORT_OPTIONS:MAKA_PRIME}
LIB_DEPENDS+= libpcsclite.so:devel/pcsc-lite LIB_DEPENDS+= libpcsclite.so:devel/pcsc-lite
CFLAGS+= -I${LOCALBASE}/include/PCSC CFLAGS+= -I${LOCALBASE}/include/PCSC
LDFLAGS+= -L${LOCALBASE}/lib LDFLAGS+= -L${LOCALBASE}/lib
.endif .endif
post-patch: post-patch:
${CP} ${FILESDIR}/Packet32.[ch] ${FILESDIR}/ntddndis.h \ @${CP} ${FILESDIR}/Packet32.[ch] ${FILESDIR}/ntddndis.h \
${WRKSRC}/src/utils ${WRKSRC}/src/utils
# Set driver(s) # Set driver(s)
.for item in BSD NDIS WIRED ROBOSWITCH TEST NONE .for item in BSD NDIS WIRED ROBOSWITCH TEST NONE
@ -157,12 +163,12 @@ do-install:
${INSTALL_DATA} ${BUILD_WRKSRC}/wpa_supplicant.conf \ ${INSTALL_DATA} ${BUILD_WRKSRC}/wpa_supplicant.conf \
${STAGEDIR}${PREFIX}/etc/wpa_supplicant.conf.sample ${STAGEDIR}${PREFIX}/etc/wpa_supplicant.conf.sample
do-install-PRIVSEP-on:
${INSTALL_PROGRAM} ${BUILD_WRKSRC}/wpa_priv ${STAGEDIR}${PREFIX}/sbin
do-install-DOCS-on: do-install-DOCS-on:
@${MKDIR} ${STAGEDIR}${DOCSDIR} @${MKDIR} ${STAGEDIR}${DOCSDIR}
(cd ${BUILD_WRKSRC} && \ (cd ${BUILD_WRKSRC} && \
${INSTALL_DATA} ${PORTDOCS} ${STAGEDIR}${DOCSDIR}) ${INSTALL_DATA} ${PORTDOCS} ${STAGEDIR}${DOCSDIR})
do-install-PRIVSEP-on:
${INSTALL_PROGRAM} ${BUILD_WRKSRC}/wpa_priv ${STAGEDIR}${PREFIX}/sbin
.include <bsd.port.mk> .include <bsd.port.mk>
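Review bot: The two option-conflict blocks added after `.include <bsd.port.options.mk>` (`.if ${PORT_OPTIONS:MNDIS} && ${PORT_OPTIONS:MPRIVSEP}` and the IEEE80211AC/IEEE80211N one) both use plain `BROKEN=`, so a user who enables all four options only ever sees the second message because the second assignment overwrites the first. As far as I recall the ports convention for a combination the user selected is `IGNORE=` (the port is fine, the selected options are not), whereas `BROKEN` marks a port that does not build at all and feeds the broken-port expiry process; `IGNORE= cannot be built with both NDIS and PRIVSEP` would read the same to the user without that side effect. Whichever variable is used, the two conflicts should be reported independently rather than one silently replacing the other.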


@ -1,2 +1,3 @@
SHA256 (wpa_supplicant-2.5.tar.gz) = cce55bae483b364eae55c35ba567c279be442ed8bab5b80a3c7fb0d057b9b316 TIMESTAMP = 1478049569
SIZE (wpa_supplicant-2.5.tar.gz) = 2607336 SHA256 (wpa_supplicant-2.6.tar.gz) = b4936d34c4e6cdd44954beba74296d964bc2c9668ecaa5255e499636fe2b1450
SIZE (wpa_supplicant-2.6.tar.gz) = 2753524


@ -1,30 +0,0 @@
From 6b12d93d2c7428a34bfd4b3813ba339ed57b698a Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Sun, 25 Oct 2015 15:45:50 +0200
Subject: [PATCH] WNM: Ignore Key Data in WNM Sleep Mode Response frame if no
PMF in use
WNM Sleep Mode Response frame is used to update GTK/IGTK only if PMF is
enabled. Verify that PMF is in use before using this field on station
side to avoid accepting unauthenticated key updates. (CVE-2015-5310)
Signed-off-by: Jouni Malinen <j@w1.fi>
---
wpa_supplicant/wnm_sta.c | 6 ++++++
1 file changed, 6 insertions(+)
--- wpa_supplicant/wnm_sta.c
+++ wpa_supplicant/wnm_sta.c
@@ -187,6 +187,12 @@ static void wnm_sleep_mode_exit_success(struct wpa_supplicant *wpa_s,
end = ptr + key_len_total;
wpa_hexdump_key(MSG_DEBUG, "WNM: Key Data", ptr, key_len_total);
+ if (key_len_total && !wpa_sm_pmf_enabled(wpa_s->wpa)) {
+ wpa_msg(wpa_s, MSG_INFO,
+ "WNM: Ignore Key Data in WNM-Sleep Mode Response - PMF not enabled");
+ return;
+ }
+
while (ptr + 1 < end) {
if (ptr + 2 + ptr[1] > end) {
wpa_printf(MSG_DEBUG, "WNM: Invalid Key Data element "


@ -1,52 +0,0 @@
From 8057821706784608b828e769ccefbced95591e50 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Sun, 1 Nov 2015 18:18:17 +0200
Subject: [PATCH] EAP-pwd peer: Fix last fragment length validation
All but the last fragment had their length checked against the remaining
room in the reassembly buffer. This allowed a suitably constructed last
fragment frame to try to add extra data that would go beyond the buffer.
The length validation code in wpabuf_put_data() prevents an actual
buffer write overflow from occurring, but this results in process
termination. (CVE-2015-5315)
Signed-off-by: Jouni Malinen <j@w1.fi>
---
src/eap_peer/eap_pwd.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
--- src/eap_peer/eap_pwd.c
+++ src/eap_peer/eap_pwd.c
@@ -903,7 +903,7 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
/*
* buffer and ACK the fragment
*/
- if (EAP_PWD_GET_MORE_BIT(lm_exch)) {
+ if (EAP_PWD_GET_MORE_BIT(lm_exch) || data->in_frag_pos) {
data->in_frag_pos += len;
if (data->in_frag_pos > wpabuf_size(data->inbuf)) {
wpa_printf(MSG_INFO, "EAP-pwd: Buffer overflow attack "
@@ -916,7 +916,8 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
return NULL;
}
wpabuf_put_data(data->inbuf, pos, len);
-
+ }
+ if (EAP_PWD_GET_MORE_BIT(lm_exch)) {
resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PWD,
EAP_PWD_HDR_SIZE,
EAP_CODE_RESPONSE, eap_get_id(reqData));
@@ -930,10 +931,8 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
* we're buffering and this is the last fragment
*/
if (data->in_frag_pos) {
- wpabuf_put_data(data->inbuf, pos, len);
wpa_printf(MSG_DEBUG, "EAP-pwd: Last fragment, %d bytes",
(int) len);
- data->in_frag_pos += len;
pos = wpabuf_head_u8(data->inbuf);
len = data->in_frag_pos;
}
--
1.9.1


@ -1,49 +0,0 @@
From bef802ece03f9ae9d52a21f0cf4f1bc2c5a1f8aa Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Sun, 1 Nov 2015 18:24:16 +0200
Subject: [PATCH] EAP-pwd server: Fix last fragment length validation
All but the last fragment had their length checked against the remaining
room in the reassembly buffer. This allowed a suitably constructed last
fragment frame to try to add extra data that would go beyond the buffer.
The length validation code in wpabuf_put_data() prevents an actual
buffer write overflow from occurring, but this results in process
termination. (CVE-2015-5314)
Signed-off-by: Jouni Malinen <j@w1.fi>
---
src/eap_server/eap_server_pwd.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- src/eap_server/eap_server_pwd.c
+++ src/eap_server/eap_server_pwd.c
@@ -970,7 +970,7 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv,
/*
* the first and all intermediate fragments have the M bit set
*/
- if (EAP_PWD_GET_MORE_BIT(lm_exch)) {
+ if (EAP_PWD_GET_MORE_BIT(lm_exch) || data->in_frag_pos) {
if ((data->in_frag_pos + len) > wpabuf_size(data->inbuf)) {
wpa_printf(MSG_DEBUG, "EAP-pwd: Buffer overflow "
"attack detected! (%d+%d > %d)",
@@ -981,6 +981,8 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv,
}
wpabuf_put_data(data->inbuf, pos, len);
data->in_frag_pos += len;
+ }
+ if (EAP_PWD_GET_MORE_BIT(lm_exch)) {
wpa_printf(MSG_DEBUG, "EAP-pwd: Got a %d byte fragment",
(int) len);
return;
@@ -990,8 +992,6 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv,
* buffering fragments so that's how we know it's the last)
*/
if (data->in_frag_pos) {
- wpabuf_put_data(data->inbuf, pos, len);
- data->in_frag_pos += len;
pos = wpabuf_head_u8(data->inbuf);
len = data->in_frag_pos;
wpa_printf(MSG_DEBUG, "EAP-pwd: Last fragment, %d bytes",
--
1.9.1


@ -1,32 +0,0 @@
From 95577884ca4fa76be91344ff7a8d5d1e6dc3da61 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Sun, 1 Nov 2015 19:35:44 +0200
Subject: [PATCH] EAP-pwd peer: Fix error path for unexpected Confirm message
If the Confirm message is received from the server before the Identity
exchange has been completed, the group has not yet been determined and
data->grp is NULL. The error path in eap_pwd_perform_confirm_exchange()
did not take this corner case into account and could end up
dereferencing a NULL pointer and terminating the process if invalid
message sequence is received. (CVE-2015-5316)
Signed-off-by: Jouni Malinen <j@w1.fi>
---
src/eap_peer/eap_pwd.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- src/eap_peer/eap_pwd.c
+++ src/eap_peer/eap_pwd.c
@@ -774,7 +774,8 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
wpabuf_put_data(data->outbuf, conf, SHA256_MAC_LEN);
fin:
- bin_clear_free(cruft, BN_num_bytes(data->grp->prime));
+ if (data->grp)
+ bin_clear_free(cruft, BN_num_bytes(data->grp->prime));
BN_clear_free(x);
BN_clear_free(y);
if (data->outbuf == NULL) {
--
1.9.1


@ -1,76 +0,0 @@
From ecbb0b3dc122b0d290987cf9c84010bbe53e1022 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <jouni@qca.qualcomm.com>
Date: Fri, 4 Mar 2016 17:20:18 +0200
Subject: [PATCH 1/5] WPS: Reject a Credential with invalid passphrase
WPA/WPA2-Personal passphrase is not allowed to include control
characters. Reject a Credential received from a WPS Registrar both as
STA (Credential) and AP (AP Settings) if the credential is for WPAPSK or
WPA2PSK authentication type and includes an invalid passphrase.
This fixes an issue where hostapd or wpa_supplicant could have updated
the configuration file PSK/passphrase parameter with arbitrary data from
an external device (Registrar) that may not be fully trusted. Should
such data include a newline character, the resulting configuration file
could become invalid and fail to be parsed.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
---
src/utils/common.c | 12 ++++++++++++
src/utils/common.h | 1 +
src/wps/wps_attr_process.c | 10 ++++++++++
3 files changed, 23 insertions(+)
--- src/utils/common.c
+++ src/utils/common.c
@@ -697,6 +697,18 @@ int is_hex(const u8 *data, size_t len)
}
+int has_ctrl_char(const u8 *data, size_t len)
+{
+ size_t i;
+
+ for (i = 0; i < len; i++) {
+ if (data[i] < 32 || data[i] == 127)
+ return 1;
+ }
+ return 0;
+}
+
+
size_t merge_byte_arrays(u8 *res, size_t res_len,
const u8 *src1, size_t src1_len,
const u8 *src2, size_t src2_len)
--- src/utils/common.h
+++ src/utils/common.h
@@ -488,6 +488,7 @@ const char * wpa_ssid_txt(const u8 *ssid, size_t ssid_len);
char * wpa_config_parse_string(const char *value, size_t *len);
int is_hex(const u8 *data, size_t len);
+int has_ctrl_char(const u8 *data, size_t len);
size_t merge_byte_arrays(u8 *res, size_t res_len,
const u8 *src1, size_t src1_len,
const u8 *src2, size_t src2_len);
--- src/wps/wps_attr_process.c
+++ src/wps/wps_attr_process.c
@@ -229,6 +229,16 @@ static int wps_workaround_cred_key(struct wps_credential *cred)
cred->key_len--;
#endif /* CONFIG_WPS_STRICT */
}
+
+
+ if (cred->auth_type & (WPS_AUTH_WPAPSK | WPS_AUTH_WPA2PSK) &&
+ (cred->key_len < 8 || has_ctrl_char(cred->key, cred->key_len))) {
+ wpa_printf(MSG_INFO, "WPS: Reject credential with invalid WPA/WPA2-Personal passphrase");
+ wpa_hexdump_ascii_key(MSG_INFO, "WPS: Network Key",
+ cred->key, cred->key_len);
+ return -1;
+ }
+
return 0;
}
--
1.9.1


@ -1,49 +0,0 @@
From 73e4abb24a936014727924d8b0b2965edfc117dd Mon Sep 17 00:00:00 2001
From: Jouni Malinen <jouni@qca.qualcomm.com>
Date: Fri, 4 Mar 2016 18:46:41 +0200
Subject: [PATCH 2/5] Reject psk parameter set with invalid passphrase
character
WPA/WPA2-Personal passphrase is not allowed to include control
characters. Reject a passphrase configuration attempt if that passphrase
includes an invalid passphrase.
This fixes an issue where wpa_supplicant could have updated the
configuration file psk parameter with arbitrary data from the control
interface or D-Bus interface. While those interfaces are supposed to be
accessible only for trusted users/applications, it may be possible that
an untrusted user has access to a management software component that
does not validate the passphrase value before passing it to
wpa_supplicant.
This could allow such an untrusted user to inject up to 63 characters of
almost arbitrary data into the configuration file. Such configuration
file could result in wpa_supplicant trying to load a library (e.g.,
opensc_engine_path, pkcs11_engine_path, pkcs11_module_path,
load_dynamic_eap) from user controlled location when starting again.
This would allow code from that library to be executed under the
wpa_supplicant process privileges.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
---
wpa_supplicant/config.c | 6 ++++++
1 file changed, 6 insertions(+)
--- wpa_supplicant/config.c
+++ wpa_supplicant/config.c
@@ -478,6 +478,12 @@ static int wpa_config_parse_psk(const struct parse_data *data,
}
wpa_hexdump_ascii_key(MSG_MSGDUMP, "PSK (ASCII passphrase)",
(u8 *) value, len);
+ if (has_ctrl_char((u8 *) value, len)) {
+ wpa_printf(MSG_ERROR,
+ "Line %d: Invalid passphrase character",
+ line);
+ return -1;
+ }
if (ssid->passphrase && os_strlen(ssid->passphrase) == len &&
os_memcmp(ssid->passphrase, value, len) == 0) {
/* No change to the previously configured value */
--
1.9.1


@ -1,76 +0,0 @@
From 0fe5a234240a108b294a87174ad197f6b5cb38e9 Mon Sep 17 00:00:00 2001
From: Paul Stewart <pstew@google.com>
Date: Thu, 3 Mar 2016 15:40:19 -0800
Subject: [PATCH 3/5] Remove newlines from wpa_supplicant config network
output
Spurious newlines output while writing the config file can corrupt the
wpa_supplicant configuration. Avoid writing these for the network block
parameters. This is a generic filter that cover cases that may not have
been explicitly addressed with a more specific commit to avoid control
characters in the psk parameter.
Signed-off-by: Paul Stewart <pstew@google.com>
---
src/utils/common.c | 11 +++++++++++
src/utils/common.h | 1 +
wpa_supplicant/config.c | 15 +++++++++++++--
3 files changed, 25 insertions(+), 2 deletions(-)
--- src/utils/common.c
+++ src/utils/common.c
@@ -709,6 +709,17 @@ int has_ctrl_char(const u8 *data, size_t len)
}
+int has_newline(const char *str)
+{
+ while (*str) {
+ if (*str == '\n' || *str == '\r')
+ return 1;
+ str++;
+ }
+ return 0;
+}
+
+
size_t merge_byte_arrays(u8 *res, size_t res_len,
const u8 *src1, size_t src1_len,
const u8 *src2, size_t src2_len)
--- src/utils/common.h
+++ src/utils/common.h
@@ -489,6 +489,7 @@ const char * wpa_ssid_txt(const u8 *ssid, size_t ssid_len);
char * wpa_config_parse_string(const char *value, size_t *len);
int is_hex(const u8 *data, size_t len);
int has_ctrl_char(const u8 *data, size_t len);
+int has_newline(const char *str);
size_t merge_byte_arrays(u8 *res, size_t res_len,
const u8 *src1, size_t src1_len,
const u8 *src2, size_t src2_len);
--- wpa_supplicant/config.c
+++ wpa_supplicant/config.c
@@ -2699,8 +2699,19 @@ char * wpa_config_get(struct wpa_ssid *ssid, const char *var)
for (i = 0; i < NUM_SSID_FIELDS; i++) {
const struct parse_data *field = &ssid_fields[i];
- if (os_strcmp(var, field->name) == 0)
- return field->writer(field, ssid);
+ if (os_strcmp(var, field->name) == 0) {
+ char *ret = field->writer(field, ssid);
+
+ if (ret && has_newline(ret)) {
+ wpa_printf(MSG_ERROR,
+ "Found newline in value for %s; not returning it",
+ var);
+ os_free(ret);
+ ret = NULL;
+ }
+
+ return ret;
+ }
}
return NULL;
--
1.9.1


@ -1,60 +0,0 @@
From b166cd84a77a6717be9600bf95378a0055d6f5a5 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <jouni@qca.qualcomm.com>
Date: Tue, 5 Apr 2016 23:33:10 +0300
Subject: [PATCH 4/5] Reject SET_CRED commands with newline characters in the
string values
Most of the cred block parameters are written as strings without
filtering and if there is an embedded newline character in the value,
unexpected configuration file data might be written.
This fixes an issue where wpa_supplicant could have updated the
configuration file cred parameter with arbitrary data from the control
interface or D-Bus interface. While those interfaces are supposed to be
accessible only for trusted users/applications, it may be possible that
an untrusted user has access to a management software component that
does not validate the credential value before passing it to
wpa_supplicant.
This could allow such an untrusted user to inject almost arbitrary data
into the configuration file. Such configuration file could result in
wpa_supplicant trying to load a library (e.g., opensc_engine_path,
pkcs11_engine_path, pkcs11_module_path, load_dynamic_eap) from user
controlled location when starting again. This would allow code from that
library to be executed under the wpa_supplicant process privileges.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
---
wpa_supplicant/config.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- wpa_supplicant/config.c
+++ wpa_supplicant/config.c
@@ -2896,6 +2896,8 @@ int wpa_config_set_cred(struct wpa_cred *cred, const char *var,
if (os_strcmp(var, "password") == 0 &&
os_strncmp(value, "ext:", 4) == 0) {
+ if (has_newline(value))
+ return -1;
str_clear_free(cred->password);
cred->password = os_strdup(value);
cred->ext_password = 1;
@@ -2946,9 +2948,14 @@ int wpa_config_set_cred(struct wpa_cred *cred, const char *var,
}
val = wpa_config_parse_string(value, &len);
- if (val == NULL) {
+ if (val == NULL ||
+ (os_strcmp(var, "excluded_ssid") != 0 &&
+ os_strcmp(var, "roaming_consortium") != 0 &&
+ os_strcmp(var, "required_roaming_consortium") != 0 &&
+ has_newline(val))) {
wpa_printf(MSG_ERROR, "Line %d: invalid field '%s' string "
"value '%s'.", line, var, value);
+ os_free(val);
return -1;
}
--
1.9.1


@ -1,48 +0,0 @@
From 2a3f56502b52375c3bf113cf92adfa99bad6b488 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <jouni@qca.qualcomm.com>
Date: Tue, 5 Apr 2016 23:55:48 +0300
Subject: [PATCH 5/5] Reject SET commands with newline characters in the
string values
Many of the global configuration parameters are written as strings
without filtering and if there is an embedded newline character in the
value, unexpected configuration file data might be written.
This fixes an issue where wpa_supplicant could have updated the
configuration file global parameter with arbitrary data from the control
interface or D-Bus interface. While those interfaces are supposed to be
accessible only for trusted users/applications, it may be possible that
an untrusted user has access to a management software component that
does not validate the value of a parameter before passing it to
wpa_supplicant.
This could allow such an untrusted user to inject almost arbitrary data
into the configuration file. Such configuration file could result in
wpa_supplicant trying to load a library (e.g., opensc_engine_path,
pkcs11_engine_path, pkcs11_module_path, load_dynamic_eap) from user
controlled location when starting again. This would allow code from that
library to be executed under the wpa_supplicant process privileges.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
---
wpa_supplicant/config.c | 6 ++++++
1 file changed, 6 insertions(+)
--- wpa_supplicant/config.c
+++ wpa_supplicant/config.c
@@ -3764,6 +3764,12 @@ static int wpa_global_config_parse_str(const struct global_parse_data *data,
return -1;
}
+ if (has_newline(pos)) {
+ wpa_printf(MSG_ERROR, "Line %d: invalid %s value with newline",
+ line, data->name);
+ return -1;
+ }
+
tmp = os_strdup(pos);
if (tmp == NULL)
return -1;
--
1.9.1


@ -0,0 +1,20 @@
--- src/crypto/crypto_openssl.c.orig 2016-11-02 18:04:18 UTC
+++ src/crypto/crypto_openssl.c
@@ -611,7 +611,7 @@ void crypto_cipher_deinit(struct crypto_
void * dh5_init(struct wpabuf **priv, struct wpabuf **publ)
{
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
DH *dh;
struct wpabuf *pubkey = NULL, *privkey = NULL;
size_t publen, privlen;
@@ -712,7 +712,7 @@ err:
void * dh5_init_fixed(const struct wpabuf *priv, const struct wpabuf *publ)
{
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
DH *dh;
dh = DH_new();
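Review bot: The new patch file has no header line explaining why `defined(LIBRESSL_VERSION_NUMBER)` is being OR-ed into the `OPENSSL_VERSION_NUMBER < 0x10100000L` guards of `dh5_init` and `dh5_init_fixed`, and the same is true of the updated tls_openssl.c patch, which drops the `Compatibility fixes for LibreSSL` line the 2.5 version carried. The reason, as I understand it, is that LibreSSL reports an OPENSSL_VERSION_NUMBER above 1.1.0 while still providing the pre-1.1 API, so the version-only test would select the opaque-struct code path that LibreSSL cannot compile; a one-line comment before the first `---` line, e.g. `LibreSSL advertises an OpenSSL 2.x version number but implements the pre-1.1.0 API; keep it on the legacy branches.`, records that for the next update. Both functions' bodies continue outside the hunks.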


@ -1,67 +1,29 @@
Compatibility fixes for LibreSSL --- src/crypto/tls_openssl.c.orig 2016-11-02 18:46:25 UTC
--- src/crypto/tls_openssl.c.orig 2015-09-27 19:02:05 UTC
+++ src/crypto/tls_openssl.c +++ src/crypto/tls_openssl.c
@@ -2229,7 +2229,7 @@ static int tls_parse_pkcs12(struct tls_d @@ -919,7 +919,7 @@ void * tls_init(const struct tls_config
} }
#endif /* OPENSSL_FIPS */
if (certs) { #endif /* CONFIG_FIPS */
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L
+#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
SSL_clear_chain_certs(ssl);
while ((cert = sk_X509_pop(certs)) != NULL) {
X509_NAME_oneline(X509_get_subject_name(cert), buf,
@@ -2247,7 +2247,7 @@ static int tls_parse_pkcs12(struct tls_d
/* Try to continue anyway */
}
sk_X509_free(certs);
-#ifndef OPENSSL_IS_BORINGSSL
+#if !defined(OPENSSL_IS_BORINGSSL) && !defined(LIBRESSL_VERSION_NUMBER)
res = SSL_build_cert_chain(ssl,
SSL_BUILD_CHAIN_FLAG_CHECK |
SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR);
@@ -2812,7 +2812,7 @@ int tls_connection_get_random(void *ssl_
if (conn == NULL || keys == NULL)
return -1;
ssl = conn->ssl;
-#if OPENSSL_VERSION_NUMBER < 0x10100000L -#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
if (ssl == NULL || ssl->s3 == NULL || ssl->session == NULL) SSL_load_error_strings();
return -1; SSL_library_init();
#ifndef OPENSSL_NO_SHA256
@@ -1043,7 +1043,7 @@ void tls_deinit(void *ssl_ctx)
@@ -2841,7 +2841,7 @@ int tls_connection_get_random(void *ssl_ tls_openssl_ref_count--;
#ifndef CONFIG_FIPS if (tls_openssl_ref_count == 0) {
static int openssl_get_keyblock_size(SSL *ssl)
{
-#if OPENSSL_VERSION_NUMBER < 0x10100000L -#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
const EVP_CIPHER *c; #ifndef OPENSSL_NO_ENGINE
const EVP_MD *h; ENGINE_cleanup();
int md_size; #endif /* OPENSSL_NO_ENGINE */
@@ -2911,7 +2911,7 @@ static int openssl_tls_prf(struct tls_co @@ -3976,7 +3976,7 @@ int tls_connection_set_params(void *tls_
"mode"); engine_id = "pkcs11";
return -1;
#else /* CONFIG_FIPS */
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
SSL *ssl;
u8 *rnd;
int ret = -1;
@@ -3394,7 +3394,7 @@ int tls_connection_set_cipher_list(void
wpa_printf(MSG_DEBUG, "OpenSSL: cipher suites: %s", buf + 1);
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
#if defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || defined(EAP_SERVER_FAST) #if defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || defined(EAP_SERVER_FAST)
if (os_strstr(buf, ":ADH-")) {
/*
@@ -3977,7 +3977,7 @@ static int tls_sess_sec_cb(SSL *s, void
struct tls_connection *conn = arg;
int ret;
-#if OPENSSL_VERSION_NUMBER < 0x10100000L -#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
if (conn == NULL || conn->session_ticket_cb == NULL) if (params->flags & TLS_CONN_EAP_FAST) {
return 0; wpa_printf(MSG_DEBUG,
"OpenSSL: Use TLSv1_method() for EAP-FAST");
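Review bot: The updated patch keeps LibreSSL guards only in `tls_init`, `tls_deinit` and `tls_connection_set_params` and drops the ones the 2.5 version carried for `tls_parse_pkcs12`, `tls_connection_get_random`, `openssl_get_keyblock_size`, `openssl_tls_prf`, `tls_connection_set_cipher_list` and `tls_sess_sec_cb`, but neither the commit message nor the patch says why. If 2.6 already guards those sites for LibreSSL that is worth one line in the patch header, because the legacy branches in those functions reach into `ssl->s3` and `ssl->session`, and a missed site would only show up as a build failure on a LibreSSL system rather than at review time. A header comment such as `Only the sites 2.6 still guards by version alone are patched; the rest gained LibreSSL checks upstream.` would make the next version bump easier to verify. All three patched function bodies continue outside the hunks.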


@ -1,73 +0,0 @@
--- src/utils/os_unix.c.orig 2015-09-27 19:02:05 UTC
+++ src/utils/os_unix.c
@@ -214,17 +214,42 @@ static int os_daemon(int nochdir, int no
#define os_daemon daemon
#endif /* __APPLE__ */
+#if defined(__FreeBSD__) || defined(__DragonFly__)
+#define FREE_DRAGON
+#include <err.h>
+#include <libutil.h>
+#include <stdint.h>
+#endif /* __FreeBSD__ || __DragonFly__ */
int os_daemonize(const char *pid_file)
{
#if defined(__uClinux__) || defined(__sun__)
return -1;
#else /* defined(__uClinux__) || defined(__sun__) */
+#ifdef FREE_DRAGON
+ pid_t otherpid;
+ struct pidfh *pfh;
+
+ pfh = pidfile_open(pid_file, 0600, &otherpid);
+ if (pfh == NULL) {
+ if (errno == EEXIST) {
+ errx(1, "Daemon already running, pid: %jd.",
+ (intmax_t)otherpid);
+ }
+ warn("Cannot open or create pidfile.");
+ }
+#endif /* FREE_DRAGON */
if (os_daemon(0, 0)) {
perror("daemon");
+#ifdef FREE_DRAGON
+ pidfile_remove(pfh);
+#endif /* FREE_DRAGON */
return -1;
}
+#ifdef FREE_DRAGON
+ pidfile_write(pfh);
+#else
if (pid_file) {
FILE *f = fopen(pid_file, "w");
if (f) {
@@ -232,6 +257,7 @@ int os_daemonize(const char *pid_file)
fclose(f);
}
}
+#endif /* FREE_DRAGON */
return -0;
#endif /* defined(__uClinux__) || defined(__sun__) */
@@ -384,7 +410,7 @@ int os_setenv(const char *name, const ch
int os_unsetenv(const char *name)
{
-#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__APPLE__) || \
+#if defined(FREE_DRAGON) || defined(__NetBSD__) || defined(__APPLE__) || \
defined(__OpenBSD__)
unsetenv(name);
return 0;
@@ -445,7 +471,9 @@ int os_file_exists(const char *fname)
int os_fdatasync(FILE *stream)
{
if (!fflush(stream)) {
-#ifndef __MACH__
+#ifdef FREE_DRAGON
+ return fsync(fileno(stream));
+#elif !defined __MACH__
return fdatasync(fileno(stream));
#else /* __MACH__ */
#ifdef F_FULLFSYNC


@ -1,6 +1,25 @@
--- wpa_supplicant/main.c.orig 2015-03-15 17:30:39 UTC --- wpa_supplicant/main.c.orig 2016-11-05 20:56:30 UTC
+++ wpa_supplicant/main.c +++ wpa_supplicant/main.c
@@ -173,6 +173,11 @@ int main(int argc, char *argv[]) @@ -66,7 +66,7 @@ static void usage(void)
" -c = Configuration file\n"
" -C = ctrl_interface parameter (only used if -c is not)\n"
" -d = increase debugging verbosity (-dd even more)\n"
- " -D = driver name (can be multiple drivers: nl80211,wext)\n"
+ " -D = driver name (can be multiple drivers: bsd,wired)\n"
" -e = entropy file\n"
#ifdef CONFIG_DEBUG_FILE
" -f = log output to debug file instead of stdout\n"
@@ -105,8 +105,7 @@ static void usage(void)
" -W = wait for a control interface monitor before starting\n");
printf("example:\n"
- " wpa_supplicant -D%s -iwlan0 -c/etc/wpa_supplicant.conf\n",
- wpa_drivers[0] ? wpa_drivers[0]->name : "nl80211");
+ " wpa_supplicant -Dbsd -iwlan0 -c/etc/wpa_supplicant.conf\n");
#endif /* CONFIG_NO_STDOUT_DEBUG */
}
@@ -199,6 +198,11 @@ int main(int argc, char *argv[])
wpa_supplicant_fd_workaround(1); wpa_supplicant_fd_workaround(1);
@ -11,4 +30,4 @@
+ +
for (;;) { for (;;) {
c = getopt(argc, argv, c = getopt(argc, argv,
"b:Bc:C:D:de:f:g:G:hi:I:KLm:No:O:p:P:qsTtuvW"); "b:Bc:C:D:de:f:g:G:hi:I:KLMm:No:O:p:P:qsTtuvW");
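Review bot: In the `usage()` hunk the new patch replaces the runtime expression `wpa_drivers[0] ? wpa_drivers[0]->name : "nl80211"` with a hard-coded `-Dbsd` in the example line, so the printed example no longer reflects the drivers actually compiled in; the port's Makefile selects drivers per option (`.for item in BSD NDIS WIRED ROBOSWITCH TEST NONE`), so a build without the BSD driver will advertise an option that does not exist. Keeping upstream's shape and only changing the fallback preserves the FreeBSD default while staying correct for other builds: `" wpa_supplicant -D%s -iwlan0 -c/etc/wpa_supplicant.conf\n",` / `wpa_drivers[0] ? wpa_drivers[0]->name : "bsd");`. The same applies to the help text line changed to `bsd,wired`, which could mention that the list depends on the port's driver options. The `main()` hunk body starts in the first part of the section and continues outside it.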