[pkg-wpa-devel] r952 - in /wpasupplicant/trunk: debian/ debian/patches/ src/common/ src/drivers/ src/eap_peer/ src/l2_packet/ src/utils/ wpa_supplicant/ wpa_supplicant/doc/docbook/ wpa_supplicant/wpa_gui-qt4/ wpa_supplicant/wpa_gui/
kelmo-guest at users.alioth.debian.org
Wed Dec 26 23:51:15 UTC 2007
Author: kelmo-guest
Date: Wed Dec 26 23:51:15 2007
New Revision: 952
URL: http://svn.debian.org/wsvn/pkg-wpa/?sc=1&rev=952
Log:
merge new git snapshot, drop all patches applied upstream
Added:
wpasupplicant/trunk/src/common/privsep_commands.h
- copied unchanged from r951, wpasupplicant/branches/upstream/current/src/common/privsep_commands.h
wpasupplicant/trunk/src/drivers/driver_privsep.c
- copied unchanged from r951, wpasupplicant/branches/upstream/current/src/drivers/driver_privsep.c
wpasupplicant/trunk/src/l2_packet/l2_packet_privsep.c
- copied unchanged from r951, wpasupplicant/branches/upstream/current/src/l2_packet/l2_packet_privsep.c
wpasupplicant/trunk/wpa_supplicant/dbus-wpa_supplicant.service
- copied unchanged from r951, wpasupplicant/branches/upstream/current/wpa_supplicant/dbus-wpa_supplicant.service
wpasupplicant/trunk/wpa_supplicant/doc/docbook/wpa_gui.sgml
- copied unchanged from r951, wpasupplicant/branches/upstream/current/wpa_supplicant/doc/docbook/wpa_gui.sgml
wpasupplicant/trunk/wpa_supplicant/wpa_priv.c
- copied unchanged from r951, wpasupplicant/branches/upstream/current/wpa_supplicant/wpa_priv.c
Removed:
wpasupplicant/trunk/debian/patches/11_dbus_system_service_activation.patch
wpasupplicant/trunk/debian/patches/30_wpa_gui_const_char_warnings.patch
wpasupplicant/trunk/debian/patches/31_pcsc_funcs_printf_warnings.patch
wpasupplicant/trunk/debian/patches/32_eap_wsc_printf_warnings.patch
wpasupplicant/trunk/debian/patches/40_log_to_specific_file.patch
wpasupplicant/trunk/debian/patches/41_wpa_gui_docbook_manpage.patch
wpasupplicant/trunk/debian/patches/42_wpa_cli_ctrl_interface_group_update.patch
wpasupplicant/trunk/debian/patches/43_wpa_supplicant_conf_ctrl_interface_group_update.patch
Modified:
wpasupplicant/trunk/debian/changelog
wpasupplicant/trunk/debian/patches/series
wpasupplicant/trunk/src/drivers/driver.h
wpasupplicant/trunk/src/eap_peer/eap_wsc.c
wpasupplicant/trunk/src/utils/pcsc_funcs.c
wpasupplicant/trunk/src/utils/wpa_debug.c
wpasupplicant/trunk/src/utils/wpa_debug.h
wpasupplicant/trunk/wpa_supplicant/.gitignore
wpasupplicant/trunk/wpa_supplicant/ChangeLog
wpasupplicant/trunk/wpa_supplicant/Makefile
wpasupplicant/trunk/wpa_supplicant/README
wpasupplicant/trunk/wpa_supplicant/defconfig
wpasupplicant/trunk/wpa_supplicant/doc/docbook/Makefile
wpasupplicant/trunk/wpa_supplicant/doc/docbook/wpa_cli.sgml
wpasupplicant/trunk/wpa_supplicant/doc/docbook/wpa_supplicant.conf.sgml
wpasupplicant/trunk/wpa_supplicant/doc/docbook/wpa_supplicant.sgml
wpasupplicant/trunk/wpa_supplicant/main.c
wpasupplicant/trunk/wpa_supplicant/main_winmain.c
wpasupplicant/trunk/wpa_supplicant/main_winsvc.c
wpasupplicant/trunk/wpa_supplicant/todo.txt
wpasupplicant/trunk/wpa_supplicant/wpa_gui-qt4/networkconfig.cpp
wpasupplicant/trunk/wpa_supplicant/wpa_gui/networkconfig.ui.h
wpasupplicant/trunk/wpa_supplicant/wpa_supplicant.c
wpasupplicant/trunk/wpa_supplicant/wpa_supplicant_i.h
Modified: wpasupplicant/trunk/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/debian/changelog?rev=952&op=diff
==============================================================================
--- wpasupplicant/trunk/debian/changelog (original)
+++ wpasupplicant/trunk/debian/changelog Wed Dec 26 23:51:15 2007
@@ -1,4 +1,4 @@
-wpasupplicant (0.6.2~git20071226-1) UNRELEASED; urgency=low
+wpasupplicant (0.6.2~git20071227.00d591e-1) UNRELEASED; urgency=low
* New upstream git snapshot.
* Allow "wpa-key-mgmt NONE" to form a network block via the wpa_cli calls in
@@ -19,53 +19,33 @@
* Add svn:ignore property for .pc quilt by-product.
* Ensure src/drivers/driver_madwifi/ directory is purged from source tree in
clean target of debian/rules.
- * Add debian/patches/30_wpa_gui_const_char_warnings.patch to fix warnings
- about deprecated conversions string constant to char* with g++ 4.2 and
- above.
* /var/lock/wpa_action.*.lock was not used in a version of wpasupplicant
package in a stable release, no longer need to handle its removal in
postrm anymore.
* Activate support for PC/SC interface for smartcards along with SIM and AKA
EAP methods. Build-depend on libpcsclite-dev.
- * Add debian/patches/31_pcsc_funcs_printf_warnings.patch to fix compilation
- warnings in src/utils/pcsc_funcs.c.
- * Add debian/patches/40_log_to_specific_file.patch to provide a method of
- logging wpa_supplicant debug output to a specific file given on command
- line as argument to -F option.
* Update email address in debian/ifupdown/wpa_action.8 manpage.
* Sanitize whitepsace in debian/README.modes, swapping tabs for 8 spaces,
improving layout of basic tables. Fix a couple of typo's too.
* Clarify in debian/README.modes the URI to BTS discussions. Also add a note
that using ap_scan=2 requires explicit security policies to be set for
each network.
- * Impliment dbus-wpa_supplicant.service D-Bus system activation config file
- as a patch in the package patch series. This can be sent upstream more
- easily in patch form.
+ * dbus-wpa_supplicant.service now provided by upstream.
* Impliment debian/examples/wpa_supplicant.conf.template in patch form. It
is planned to expand this small template into a more usable and
documented beginning point for the wpa-roam schema.
* Add useful comments to the new wpa-roam.conf example configuration file.
- * Impliment wpa_gui manpage as a patch against upstream. This will make it
- easier to submit to upstream for inclusion in the future.
+ * wpa_gui manpage exists in upstream, remove debian/wpa_gui.8.
* If the path to ctrl_interface directory can be determined from the
supplied configuration, do not append the -C option to wpa_supplicant
start-stop-daemon command in ifupdown.sh. This breaks the new DIR= GROUP=
ctrl_interface syntax.
- * Add debian/patches/42_wpa_cli_ctrl_interface_group_update.patch to update
- wpa_cli docbook manpage to describe the GROUP= parameter of ctrl_interface
- instead of the deprecated ctrl_interface_group option.
* Add initial subsection to README.modes about "Interacting with
wpa_supplicant with wpa_cli and wpa_gui".
- * Add debian/patches/43_wpa_supplicant_conf_ctrl_interface_group_update.patch
- to update wpa_supplicant.conf(5) docbook manpage to describe the GROUP=
- parameter of ctrl_interface instead of the deprecated ctrl_interface_group
- option.
* Activate CONFIG_IEEE80211R, CONFIG_IEEE80211W and CONFIG_EAP_WSC in the
default build configuration.
- * Add debian/patches/32_eap_wsc_printf_warnings.patch to fix compile
- warnings in src/eap_peer/eap_wsc.c on x86_64.
-
- -- Kel Modderman <kel at otaku42.de> Wed, 26 Dec 2007 23:24:14 +1000
+
+ -- Kel Modderman <kel at otaku42.de> Thu, 27 Dec 2007 09:49:28 +1000
wpasupplicant (0.6.1~git20071119-1) unstable; urgency=low
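Review bot: the removed entry for 40_log_to_specific_file.patch documented the log-file option as -F, and nothing added in this hunk records that the upstream replacement is spelled -f<path> (see the ChangeLog hunk further down). Add a changelog line saying the logging option is now provided upstream as -f<path>, so that anything in the package still referring to -F gets updated.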
Modified: wpasupplicant/trunk/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/debian/patches/series?rev=952&op=diff
==============================================================================
--- wpasupplicant/trunk/debian/patches/series (original)
+++ wpasupplicant/trunk/debian/patches/series Wed Dec 26 23:51:15 2007
@@ -1,13 +1,5 @@
00_defconfig.patch
01_debian_wpa_roam_example.patch
10_dbus_group_policy.patch
-11_dbus_system_service_activation.patch
20_madwifi_headers.patch
21_config_driver_madwifi.patch
-30_wpa_gui_const_char_warnings.patch
-31_pcsc_funcs_printf_warnings.patch
-32_eap_wsc_printf_warnings.patch
-40_log_to_specific_file.patch
-41_wpa_gui_docbook_manpage.patch
-42_wpa_cli_ctrl_interface_group_update.patch
-43_wpa_supplicant_conf_ctrl_interface_group_update.patch
Modified: wpasupplicant/trunk/src/drivers/driver.h
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/src/drivers/driver.h?rev=952&op=diff
==============================================================================
--- wpasupplicant/trunk/src/drivers/driver.h (original)
+++ wpasupplicant/trunk/src/drivers/driver.h Wed Dec 26 23:51:15 2007
@@ -870,7 +870,7 @@
* This event needs to be delivered when the driver completes IEEE
* 802.11 association or reassociation successfully.
* wpa_driver_ops::get_bssid() is expected to provide the current BSSID
- * after this even has been generated. In addition, optional
+ * after this event has been generated. In addition, optional
* EVENT_ASSOCINFO may be generated just before EVENT_ASSOC to provide
* more information about the association. If the driver interface gets
* both of these events at the same time, it can also include the
Modified: wpasupplicant/trunk/src/eap_peer/eap_wsc.c
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/src/eap_peer/eap_wsc.c?rev=952&op=diff
==============================================================================
--- wpasupplicant/trunk/src/eap_peer/eap_wsc.c (original)
+++ wpasupplicant/trunk/src/eap_peer/eap_wsc.c Wed Dec 26 23:51:15 2007
@@ -257,8 +257,9 @@
ret->decision = DECISION_FAIL;
if (data->out_used == data->out_len) {
- wpa_printf(MSG_DEBUG, "EAP-WSC: Sending out %u bytes "
- "(message sent completely)", send_len);
+ wpa_printf(MSG_DEBUG, "EAP-WSC: Sending out %lu bytes "
+ "(message sent completely)",
+ (unsigned long) send_len);
os_free(data->out_buf);
data->out_buf = NULL;
data->out_len = data->out_used = 0;
@@ -270,9 +271,9 @@
} else
eap_wsc_state(data, MSG);
} else {
- wpa_printf(MSG_DEBUG, "EAP-WSC: Sending out %u bytes "
- "(%u more to send)", send_len,
- data->out_len - data->out_used);
+ wpa_printf(MSG_DEBUG, "EAP-WSC: Sending out %lu bytes "
+ "(%lu more to send)", (unsigned long) send_len,
+ (unsigned long) data->out_len - data->out_used);
eap_wsc_state(data, WAIT_FRAG_ACK);
}
@@ -385,8 +386,8 @@
os_memcpy(data->in_buf + data->in_used, pos, end - pos);
data->in_used += end - pos;
wpa_printf(MSG_DEBUG, "EAP-WSC: Received %u bytes, waiting "
- "for %u bytes more", end - pos,
- data->in_len - data->in_used);
+ "for %lu bytes more", (unsigned int) (end - pos),
+ (unsigned long) data->in_len - data->in_used);
}
if (flags & WSC_FLAGS_MF) {
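Review bot: in the "Received ... waiting for" message the first conversion stays %u with an (unsigned int) cast on end - pos while the second moves to %lu, unlike the other messages changed in this file, which use %lu for both values; use %lu with (unsigned long) (end - pos) here as well. Also, (unsigned long) data->in_len - data->in_used casts only data->in_len, so the type of the argument depends on the arithmetic conversions applied to the subtraction; write (unsigned long) (data->in_len - data->in_used) so the argument is certain to match %lu. The same precedence point applies to the out_len and in_len expressions in the neighbouring hunks.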
@@ -410,10 +411,10 @@
data->in_used = end - pos;
data->in_op_code = op_code;
os_memcpy(data->in_buf, pos, data->in_used);
- wpa_printf(MSG_DEBUG, "EAP-WSC: Received %u bytes in "
- "first fragment, waiting for %u bytes more",
- data->in_used,
- data->in_len - data->in_used);
+ wpa_printf(MSG_DEBUG, "EAP-WSC: Received %lu bytes in "
+ "first fragment, waiting for %lu bytes more",
+ (unsigned long) data->in_used,
+ (unsigned long) data->in_len - data->in_used);
}
return eap_wsc_build_frag_ack(id, EAP_CODE_RESPONSE);
Modified: wpasupplicant/trunk/src/utils/pcsc_funcs.c
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/src/utils/pcsc_funcs.c?rev=952&op=diff
==============================================================================
--- wpasupplicant/trunk/src/utils/pcsc_funcs.c (original)
+++ wpasupplicant/trunk/src/utils/pcsc_funcs.c Wed Dec 26 23:51:15 2007
@@ -848,7 +848,8 @@
}
if (blen != len + 2) {
wpa_printf(MSG_DEBUG, "SCARD: record read returned unexpected "
- "length %d (expected %d)", blen, len + 2);
+ "length %ld (expected %ld)",
+ (long) blen, (long) len + 2);
os_free(buf);
return -3;
}
@@ -891,7 +892,8 @@
}
if (blen != len + 2) {
wpa_printf(MSG_DEBUG, "SCARD: file read returned unexpected "
- "length %d (expected %d)", blen, len + 2);
+ "length %ld (expected %ld)",
+ (long) blen, (long) len + 2);
os_free(buf);
return -3;
}
@@ -969,7 +971,7 @@
return -1;
if (blen < 4) {
wpa_printf(MSG_WARNING, "SCARD: too short (GSM) EF-IMSI "
- "header (len=%d)", blen);
+ "header (len=%ld)", (long) blen);
return -2;
}
@@ -982,14 +984,14 @@
blen = file_size;
}
if (blen < 2 || blen > sizeof(buf)) {
- wpa_printf(MSG_DEBUG, "SCARD: invalid IMSI file length=%d",
- blen);
+ wpa_printf(MSG_DEBUG, "SCARD: invalid IMSI file length=%ld",
+ (long) blen);
return -3;
}
imsilen = (blen - 2) * 2 + 1;
- wpa_printf(MSG_DEBUG, "SCARD: IMSI file length=%d imsilen=%d",
- blen, imsilen);
+ wpa_printf(MSG_DEBUG, "SCARD: IMSI file length=%ld imsilen=%ld",
+ (long) blen, (long) imsilen);
if (blen < 2 || imsilen > *len) {
*len = imsilen;
return -4;
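Review bot: blen is compared against sizeof(buf) and imsilen against *len, so these look like unsigned lengths, yet they are printed with %ld through a (long) cast, whereas the eap_wsc.c part of this commit uses %lu with (unsigned long) for the same kind of value. Pick one convention for the whole change; %lu with (unsigned long) keeps an out-of-range length from being logged as a negative number, which is the very case the "invalid IMSI file length" message reports.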
@@ -1071,8 +1073,8 @@
(scard->sim_type == SCARD_USIM &&
(len != 2 || resp[0] != 0x61 || resp[1] != 0x0e))) {
wpa_printf(MSG_WARNING, "SCARD: unexpected response for GSM "
- "auth request (len=%d resp=%02x %02x)",
- len, resp[0], resp[1]);
+ "auth request (len=%ld resp=%02x %02x)",
+ (long) len, resp[0], resp[1]);
return -3;
}
get_resp[4] = resp[1];
@@ -1085,8 +1087,8 @@
if (scard->sim_type == SCARD_GSM_SIM) {
if (len != 4 + 8 + 2) {
wpa_printf(MSG_WARNING, "SCARD: unexpected data "
- "length for GSM auth (len=%d, expected 14)",
- len);
+ "length for GSM auth (len=%ld, expected 14)",
+ (long) len);
return -5;
}
os_memcpy(sres, buf, 4);
@@ -1094,8 +1096,8 @@
} else {
if (len != 1 + 4 + 1 + 8 + 2) {
wpa_printf(MSG_WARNING, "SCARD: unexpected data "
- "length for USIM auth (len=%d, "
- "expected 16)", len);
+ "length for USIM auth (len=%ld, "
+ "expected 16)", (long) len);
return -5;
}
if (buf[0] != 4 || buf[5] != 8) {
@@ -1176,8 +1178,8 @@
return -1;
} else if (len != 2 || resp[0] != 0x61) {
wpa_printf(MSG_WARNING, "SCARD: unexpected response for UMTS "
- "auth request (len=%d resp=%02x %02x)",
- len, resp[0], resp[1]);
+ "auth request (len=%ld resp=%02x %02x)",
+ (long) len, resp[0], resp[1]);
return -1;
}
get_resp[4] = resp[1];
Modified: wpasupplicant/trunk/src/utils/wpa_debug.c
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/src/utils/wpa_debug.c?rev=952&op=diff
==============================================================================
--- wpasupplicant/trunk/src/utils/wpa_debug.c (original)
+++ wpasupplicant/trunk/src/utils/wpa_debug.c Wed Dec 26 23:51:15 2007
@@ -20,7 +20,6 @@
#ifdef CONFIG_DEBUG_FILE
static FILE *out_file = NULL;
#endif /* CONFIG_DEBUG_FILE */
-int wpa_debug_use_file = 0;
int wpa_debug_level = MSG_INFO;
int wpa_debug_show_keys = 0;
int wpa_debug_timestamp = 0;
@@ -227,36 +226,29 @@
}
-int wpa_debug_open_file(void)
-{
-#ifdef CONFIG_DEBUG_FILE
- static int count = 0;
- char fname[64];
- if (!wpa_debug_use_file)
+int wpa_debug_open_file(const char *path)
+{
+#ifdef CONFIG_DEBUG_FILE
+ if (!path)
return 0;
-#ifdef _WIN32
- os_snprintf(fname, sizeof(fname), "\\Temp\\wpa_supplicant-log-%d.txt",
- count++);
-#else /* _WIN32 */
- os_snprintf(fname, sizeof(fname), "/tmp/wpa_supplicant-log-%d.txt",
- count++);
+ out_file = fopen(path, "a");
+ if (out_file == NULL) {
+ wpa_printf(MSG_ERROR, "wpa_debug_open_file: Failed to open "
+ "output file, using standard output");
+ return -1;
+ }
+#ifndef _WIN32
+ setvbuf(out_file, NULL, _IOLBF, 0);
#endif /* _WIN32 */
- out_file = fopen(fname, "w");
-#ifndef _WIN32
- if (out_file)
- setvbuf(out_file, NULL, _IOLBF, 0);
-#endif /* _WIN32 */
- return out_file == NULL ? -1 : 0;
-#else /* CONFIG_DEBUG_FILE */
+#endif /* CONFIG_DEBUG_FILE */
return 0;
-#endif /* CONFIG_DEBUG_FILE */
}
void wpa_debug_close_file(void)
{
#ifdef CONFIG_DEBUG_FILE
- if (!wpa_debug_use_file)
+ if (!out_file)
return;
fclose(out_file);
out_file = NULL;
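Review bot: fopen(path, "a") in wpa_debug_open_file() opens a caller-supplied path with the process's default umask and follows symlinks, while the daemon normally runs as root and the log can contain key material when -K is given. Open the file with open() using O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW and mode 0600, then wrap it with fdopen(), so the log is neither world-readable nor redirected through a link planted in a shared directory. The function also overwrites out_file without checking whether a file is already open, so a second call leaks the first FILE; return early or close it first. The function comment should mention that the file is now appended to rather than truncated.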
Modified: wpasupplicant/trunk/src/utils/wpa_debug.h
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/src/utils/wpa_debug.h?rev=952&op=diff
==============================================================================
--- wpasupplicant/trunk/src/utils/wpa_debug.h (original)
+++ wpasupplicant/trunk/src/utils/wpa_debug.h Wed Dec 26 23:51:15 2007
@@ -32,12 +32,12 @@
#define wpa_hexdump_buf_key(l,t,b) do { } while (0)
#define wpa_hexdump_ascii(l,t,b,le) do { } while (0)
#define wpa_hexdump_ascii_key(l,t,b,le) do { } while (0)
-#define wpa_debug_open_file() do { } while (0)
+#define wpa_debug_open_file(p) do { } while (0)
#define wpa_debug_close_file() do { } while (0)
#else /* CONFIG_NO_STDOUT_DEBUG */
-int wpa_debug_open_file(void);
+int wpa_debug_open_file(const char *path);
void wpa_debug_close_file(void);
/**
Modified: wpasupplicant/trunk/wpa_supplicant/.gitignore
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/wpa_supplicant/.gitignore?rev=952&op=diff
==============================================================================
--- wpasupplicant/trunk/wpa_supplicant/.gitignore (original)
+++ wpasupplicant/trunk/wpa_supplicant/.gitignore Wed Dec 26 23:51:15 2007
@@ -5,3 +5,4 @@
wpa_cli
wpa_passphrase
wpa_supplicant
+wpa_priv
Modified: wpasupplicant/trunk/wpa_supplicant/ChangeLog
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/wpa_supplicant/ChangeLog?rev=952&op=diff
==============================================================================
--- wpasupplicant/trunk/wpa_supplicant/ChangeLog (original)
+++ wpasupplicant/trunk/wpa_supplicant/ChangeLog Wed Dec 26 23:51:15 2007
@@ -2,7 +2,7 @@
????-??-?? - v0.6.2
* added support for Makefile builds to include debug-log-to-a-file
- functionality (CONFIG_DEBUG_FILE=y and -f on command line)
+ functionality (CONFIG_DEBUG_FILE=y and -f<path> on command line)
* fixed EAP-SIM and EAP-AKA message parser to validate attribute
lengths properly to avoid potential crash caused by invalid messages
* added data structure for storing allocated buffers (struct wpabuf);
@@ -23,6 +23,11 @@
* stop EAPOL timer tick when no timers are in use in order to reduce
power consumption (no need to wake up the process once per second)
[Bug 237]
+ * added support for privilege separation (run only minimal part of
+ wpa_supplicant functionality as root and rest as unprivileged,
+ non-root process); see 'Privilege separation' in README for details;
+ this is disabled by default and can be enabled with CONFIG_PRIVSEP=y
+ in .config
2007-11-24 - v0.6.1
* added support for configuring password as NtPasswordHash
Modified: wpasupplicant/trunk/wpa_supplicant/Makefile
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/wpa_supplicant/Makefile?rev=952&op=diff
==============================================================================
--- wpasupplicant/trunk/wpa_supplicant/Makefile (original)
+++ wpasupplicant/trunk/wpa_supplicant/Makefile Wed Dec 26 23:51:15 2007
@@ -222,7 +222,7 @@
CONFIG_L2_PACKET=linux
endif
-OBJS += ../src/l2_packet/l2_packet_$(CONFIG_L2_PACKET).o
+OBJS_l2 += ../src/l2_packet/l2_packet_$(CONFIG_L2_PACKET).o
ifeq ($(CONFIG_L2_PACKET), pcap)
ifdef CONFIG_WINPCAP
@@ -920,7 +920,40 @@
OBJS_t := $(OBJS) eapol_test.o ../src/radius/radius.o ../src/radius/radius_client.o
OBJS_t += ../src/utils/ip_addr.o
OBJS_t2 := $(OBJS) preauth_test.o
-OBJS += $(CONFIG_MAIN).o ../src/drivers/drivers.o $(OBJS_d)
+OBJS += $(CONFIG_MAIN).o
+
+ifdef CONFIG_PRIVSEP
+OBJS_priv += $(OBJS_d) ../src/drivers/drivers.o
+OBJS_priv += $(OBJS_l2)
+OBJS_priv += ../src/utils/os_$(CONFIG_OS).o
+OBJS_priv += ../src/utils/$(CONFIG_ELOOP).o
+OBJS_priv += ../src/utils/common.o
+OBJS_priv += ../src/utils/wpa_debug.o
+OBJS_priv += wpa_priv.o
+ifdef CONFIG_DRIVER_TEST
+OBJS_priv += ../src/crypto/sha1.o
+OBJS_priv += ../src/crypto/md5.o
+ifeq ($(CONFIG_TLS), openssl)
+OBJS_priv += ../src/crypto/crypto_openssl.o
+endif
+ifeq ($(CONFIG_TLS), gnutls)
+OBJS_priv += ../src/crypto/crypto_gnutls.o
+endif
+ifeq ($(CONFIG_TLS), internal)
+ifeq ($(CONFIG_CRYPTO), libtomcrypt)
+OBJS_priv += ../src/crypto/crypto_libtomcrypt.o
+else
+OBJS_priv += ../src/crypto/crypto_internal.o
+endif
+endif
+endif # CONFIG_DRIVER_TEST
+OBJS += ../src/l2_packet/l2_packet_privsep.o
+OBJS += ../src/drivers/driver_privsep.o
+EXTRA_progs += wpa_priv
+else
+OBJS += $(OBJS_d) ../src/drivers/drivers.o
+OBJS += $(OBJS_l2)
+endif
ifdef CONFIG_NDIS_EVENTS_INTEGRATED
CFLAGS += -DCONFIG_NDIS_EVENTS_INTEGRATED
@@ -939,7 +972,10 @@
dynamic_eap_methods: $(EAPDYN)
-wpa_supplicant: .config $(OBJS)
+wpa_priv: $(OBJS_priv)
+ $(LDO) $(LDFLAGS) -o wpa_priv $(OBJS_priv) $(LIBS)
+
+wpa_supplicant: .config $(OBJS) $(EXTRA_progs)
$(LDO) $(LDFLAGS) -o wpa_supplicant $(OBJS) $(LIBS) $(EXTRALIBS)
eapol_test: .config $(OBJS_t)
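Review bot: wpa_priv is pulled in as a prerequisite of the wpa_supplicant link rule through $(EXTRA_progs), so every rebuild of wpa_priv forces wpa_supplicant to be relinked although nothing from it is linked into that binary; list $(EXTRA_progs) on the top-level build target instead. The new wpa_priv rule also lacks the .config prerequisite that the wpa_supplicant and eapol_test rules carry, so a change to the build configuration will not be noticed by that rule.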
Modified: wpasupplicant/trunk/wpa_supplicant/README
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/wpa_supplicant/README?rev=952&op=diff
==============================================================================
--- wpasupplicant/trunk/wpa_supplicant/README (original)
+++ wpasupplicant/trunk/wpa_supplicant/README Wed Dec 26 23:51:15 2007
@@ -971,3 +971,58 @@
# Remove network interface
wpa_cli -g/var/run/wpa_supplicant-global interface_remove wlan0
+
+
+Privilege separation
+--------------------
+
+To minimize the size of code that needs to be run with root privileges
+(e.g., to control wireless interface operation), wpa_supplicant
+supports optional privilege separation. If enabled, this separates the
+privileged operations into a separate process (wpa_priv) while leaving
+rest of the code (e.g., EAP authentication and WPA handshakes) into an
+unprivileged process (wpa_supplicant) that can be run as non-root
+user. Privilege separation restricts the effects of potential software
+errors by containing the majority of the code in an unprivileged
+process to avoid full system compromise.
+
+Privilege separation is not enabled by default and it can be enabled
+by adding CONFIG_PRIVSEP=y to the build configuration (.config). When
+enabled, the privileged operations (driver wrapper and l2_packet) are
+linked into a separate daemon program, wpa_priv. The unprivileged
+program, wpa_supplicant, will be built with a special driver/l2_packet
+wrappers that communicate with the privileged wpa_priv process to
+perform the needed operations. wpa_priv can control what privileged
+are allowed.
+
+wpa_priv needs to be run with network admin privileges (usually, root
+user). It opens a UNIX domain socket for each interface that is
+included on the command line; any other interface will be off limits
+for wpa_supplicant in this kind of configuration. After this,
+wpa_supplicant can be run as a non-root user (e.g., all standard users
+on a laptop or as a special non-privileged user account created just
+for this purpose to limit access to user files even further).
+
+
+Example configuration:
+- create user group for users that are allowed to use wpa_supplicant
+ ('wpapriv' in this example) and assign users that should be able to
+ use wpa_supplicant into that group
+- create /var/run/wpa_priv directory for UNIX domain sockets and control
+ user access by setting it accessible only for the wpapriv group:
+ mkdir /var/run/wpa_priv
+ chown root:wpapriv /var/run/wpa_priv
+ chmod 0750 /var/run/wpa_priv
+- start wpa_priv as root (e.g., from system startup scripts) with the
+ enabled interfaces configured on the command line:
+ wpa_priv -B -P /var/run/wpa_priv.pid wext:ath0
+- run wpa_supplicant as non-root with a user that is in wpapriv group:
+ wpa_supplicant -i ath0 -c wpa_supplicant.conf
+
+wpa_priv does not use the network interface before wpa_supplicant is
+started, so it is fine to include network interfaces that are not
+available at the time wpa_priv is started. As an alternative, wpa_priv
+can be started when an interface is added (hotplug/udev/etc. scripts).
+wpa_priv can control multiple interface with one process, but it is
+also possible to run multiple wpa_priv processes at the same time, if
+desired.
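Review bot: the sentence "wpa_priv can control what privileged are allowed." is missing its noun (presumably "operations"), and "multiple interface" in the last paragraph should be plural. The example would also be easier to follow if it stated how wpa_supplicant and wpa_priv agree on the socket directory, since the steps create /var/run/wpa_priv but neither command line shown refers to it. It is worth spelling out that membership of the wpapriv group is the only access control on the privileged operations, so the group should be kept small.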
Modified: wpasupplicant/trunk/wpa_supplicant/defconfig
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/wpa_supplicant/defconfig?rev=952&op=diff
==============================================================================
--- wpasupplicant/trunk/wpa_supplicant/defconfig (original)
+++ wpasupplicant/trunk/wpa_supplicant/defconfig Wed Dec 26 23:51:15 2007
@@ -357,3 +357,6 @@
# Add support for writing debug log to a file (/tmp/wpa_supplicant-log-#.txt)
#CONFIG_DEBUG_FILE=y
+
+# Enable privilege separation (see README 'Privilege separation' for details)
+#CONFIG_PRIVSEP=y
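Review bot: the context comment above CONFIG_DEBUG_FILE still says the log goes to /tmp/wpa_supplicant-log-#.txt, which is no longer true once this commit makes the path an argument of -f. Update it in the same change, for example to "Add support for writing debug log to a file (-f<path> on command line)".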
Modified: wpasupplicant/trunk/wpa_supplicant/doc/docbook/Makefile
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/wpa_supplicant/doc/docbook/Makefile?rev=952&op=diff
==============================================================================
--- wpasupplicant/trunk/wpa_supplicant/doc/docbook/Makefile (original)
+++ wpasupplicant/trunk/wpa_supplicant/doc/docbook/Makefile Wed Dec 26 23:51:15 2007
@@ -2,6 +2,7 @@
FILES += wpa_background
FILES += wpa_cli
+FILES += wpa_gui
FILES += wpa_passphrase
FILES += wpa_supplicant.conf
FILES += wpa_supplicant
@@ -18,7 +19,7 @@
clean:
- rm -f wpa_background.8 wpa_cli.8 wpa_passphrase.8 wpa_supplicant.8
+ rm -f wpa_background.8 wpa_cli.8 wpa_gui.8 wpa_passphrase.8 wpa_supplicant.8
rm -f wpa_supplicant.conf.5
rm -f manpage.links manpage.refs
rm -f $(FILES:%=%.pdf)
Modified: wpasupplicant/trunk/wpa_supplicant/doc/docbook/wpa_cli.sgml
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/wpa_supplicant/doc/docbook/wpa_cli.sgml?rev=952&op=diff
==============================================================================
--- wpasupplicant/trunk/wpa_supplicant/doc/docbook/wpa_cli.sgml (original)
+++ wpasupplicant/trunk/wpa_supplicant/doc/docbook/wpa_cli.sgml Wed Dec 26 23:51:15 2007
@@ -44,7 +44,7 @@
response.</para>
<para>The control interface of wpa_supplicant can be configured to
- allow non-root user access (ctrl_interface_group in the
+ allow non-root user access (ctrl_interface GROUP= parameter in the
configuration file). This makes it possible to run wpa_cli with a
normal user account.</para>
Modified: wpasupplicant/trunk/wpa_supplicant/doc/docbook/wpa_supplicant.conf.sgml
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/wpa_supplicant/doc/docbook/wpa_supplicant.conf.sgml?rev=952&op=diff
==============================================================================
--- wpasupplicant/trunk/wpa_supplicant/doc/docbook/wpa_supplicant.conf.sgml (original)
+++ wpasupplicant/trunk/wpa_supplicant/doc/docbook/wpa_supplicant.conf.sgml Wed Dec 26 23:51:15 2007
@@ -46,8 +46,7 @@
<blockquote><programlisting>
# allow frontend (e.g., wpa_cli) to be used by all users in 'wheel' group
-ctrl_interface=/var/run/wpa_supplicant
-ctrl_interface_group=wheel
+ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
#
# home network; allow all valid ciphers
network={
@@ -80,8 +79,7 @@
Aegis, Interlink RAD-Series)</para>
<blockquote><programlisting>
-ctrl_interface=/var/run/wpa_supplicant
-ctrl_interface_group=wheel
+ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
network={
ssid="example"
scan_ssid=1
@@ -103,8 +101,7 @@
<blockquote><programlisting>
-ctrl_interface=/var/run/wpa_supplicant
-ctrl_interface_group=wheel
+ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
network={
ssid="example"
scan_ssid=1
@@ -126,8 +123,7 @@
authentication</para>
<blockquote><programlisting>
-ctrl_interface=/var/run/wpa_supplicant
-ctrl_interface_group=wheel
+ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
network={
ssid="1x-test"
scan_ssid=1
@@ -152,8 +148,7 @@
use.</para>
<blockquote><programlisting>
-ctrl_interface=/var/run/wpa_supplicant
-ctrl_interface_group=wheel
+ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
network={
ssid="example"
scan_ssid=1
@@ -182,8 +177,7 @@
'wired' interface (-Dwired on command line).</para>
<blockquote><programlisting>
-ctrl_interface=/var/run/wpa_supplicant
-ctrl_interface_group=wheel
+ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
ap_scan=0
network={
key_mgmt=IEEE8021X
Modified: wpasupplicant/trunk/wpa_supplicant/doc/docbook/wpa_supplicant.sgml
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/wpa_supplicant/doc/docbook/wpa_supplicant.sgml?rev=952&op=diff
==============================================================================
--- wpasupplicant/trunk/wpa_supplicant/doc/docbook/wpa_supplicant.sgml (original)
+++ wpasupplicant/trunk/wpa_supplicant/doc/docbook/wpa_supplicant.sgml Wed Dec 26 23:51:15 2007
@@ -17,6 +17,7 @@
<arg>-c<replaceable>config file</replaceable></arg>
<arg>-D<replaceable>driver</replaceable></arg>
<arg>-P<replaceable>PID_file</replaceable></arg>
+ <arg>-f<replaceable>output file</replaceable></arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
@@ -376,9 +377,9 @@
</varlistentry>
<varlistentry>
- <term>-f</term>
- <listitem>
- <para>Log output to default log location (normally /tmp).</para>
+ <term>-f output file</term>
+ <listitem>
+ <para>Log output to specified file instead of stdout.</para>
</listitem>
</varlistentry>
Modified: wpasupplicant/trunk/wpa_supplicant/main.c
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/wpa_supplicant/main.c?rev=952&op=diff
==============================================================================
--- wpasupplicant/trunk/wpa_supplicant/main.c (original)
+++ wpasupplicant/trunk/wpa_supplicant/main.c Wed Dec 26 23:51:15 2007
@@ -39,11 +39,12 @@
int i;
printf("%s\n\n%s\n"
"usage:\n"
- " wpa_supplicant [-BddfhKLqqtuvwW] [-P<pid file>] "
+ " wpa_supplicant [-BddhKLqqtuvwW] [-P<pid file>] "
"[-g<global ctrl>] \\\n"
" -i<ifname> -c<config file> [-C<ctrl>] [-D<driver>] "
"[-p<driver_param>] \\\n"
- " [-b<br_ifname> [-N -i<ifname> -c<conf> [-C<ctrl>] "
+ " [-b<br_ifname>] [-f<debug file>] \\\n"
+ " [-N -i<ifname> -c<conf> [-C<ctrl>] "
"[-D<driver>] \\\n"
" [-p<driver_param>] [-b<br_ifname>] ...]\n"
"\n"
@@ -66,7 +67,7 @@
" -d = increase debugging verbosity (-dd even more)\n"
" -D = driver name\n"
#ifdef CONFIG_DEBUG_FILE
- " -f = Log output to default log location (normally /tmp)\n"
+ " -f = log output to debug file instead of stdout\n"
#endif /* CONFIG_DEBUG_FILE */
" -g = global ctrl_interface\n"
" -K = include keys (passwords, etc.) in debug output\n"
@@ -146,7 +147,7 @@
wpa_supplicant_fd_workaround();
for (;;) {
- c = getopt(argc, argv, "b:Bc:C:D:dfg:hi:KLNp:P:qtuvwW");
+ c = getopt(argc, argv, "b:Bc:C:D:df:g:hi:KLNp:P:qtuvwW");
if (c < 0)
break;
switch (c) {
@@ -177,7 +178,7 @@
#endif /* CONFIG_NO_STDOUT_DEBUG */
#ifdef CONFIG_DEBUG_FILE
case 'f':
- params.wpa_debug_use_file = 1;
+ params.wpa_debug_file_path = optarg;
break;
#endif /* CONFIG_DEBUG_FILE */
case 'g':
Modified: wpasupplicant/trunk/wpa_supplicant/main_winmain.c
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/wpa_supplicant/main_winmain.c?rev=952&op=diff
==============================================================================
--- wpasupplicant/trunk/wpa_supplicant/main_winmain.c (original)
+++ wpasupplicant/trunk/wpa_supplicant/main_winmain.c Wed Dec 26 23:51:15 2007
@@ -38,7 +38,7 @@
os_memset(¶ms, 0, sizeof(params));
params.wpa_debug_level = MSG_MSGDUMP;
- params.wpa_debug_use_file = 1;
+ params.wpa_debug_file_path = "\\Temp\\wpa_supplicant-log.txt";
params.wpa_debug_show_keys = 1;
iface = ifaces = os_zalloc(sizeof(struct wpa_interface));
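Review bot: the fixed path "\\Temp\\wpa_supplicant-log.txt" is set next to wpa_debug_level = MSG_MSGDUMP and wpa_debug_show_keys = 1, and wpa_debug_open_file() now opens the file in append mode, so key material accumulates in a single never-truncated file in a shared temporary directory. Add a comment that this entry point is for debugging only, or drop wpa_debug_show_keys from the defaults, and move the path string into one define shared with main_winsvc.c instead of repeating the literal.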
Modified: wpasupplicant/trunk/wpa_supplicant/main_winsvc.c
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/wpa_supplicant/main_winsvc.c?rev=952&op=diff
==============================================================================
--- wpasupplicant/trunk/wpa_supplicant/main_winsvc.c (original)
+++ wpasupplicant/trunk/wpa_supplicant/main_winsvc.c Wed Dec 26 23:51:15 2007
@@ -164,8 +164,8 @@
buflen = sizeof(val);
ret = RegQueryValueEx(hk, TEXT("debug_use_file"), NULL, NULL,
(LPBYTE) &val, &buflen);
- if (ret == ERROR_SUCCESS && buflen == sizeof(val)) {
- params.wpa_debug_use_file = val;
+ if (ret == ERROR_SUCCESS && buflen == sizeof(val) && val) {
+ params.wpa_debug_file_path = "\\Temp\\wpa_supplicant-log.txt";
}
exitcode = 0;
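Review bot: the registry value debug_use_file is still read as an on/off flag and mapped to a hard-coded path, so the service build cannot choose the log location even though the parameter is now a path. Consider reading a string value for the path (keeping debug_use_file as a fallback) and document the registry setting alongside the new -f<path> option.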
Modified: wpasupplicant/trunk/wpa_supplicant/todo.txt
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/wpa_supplicant/todo.txt?rev=952&op=diff
==============================================================================
--- wpasupplicant/trunk/wpa_supplicant/todo.txt (original)
+++ wpasupplicant/trunk/wpa_supplicant/todo.txt Wed Dec 26 23:51:15 2007
@@ -4,13 +4,6 @@
Firmware did not notice the current AP disappearing..
- add support for WPA with ap_scan=0 (update selected cipher etc. based on
AssocInfo; make sure these match with configuration)
-- optional security separation (build time option): run EAPOL state machines
- as non-root (need to add something like socketpair between privileged root
- process and non-root handler; send EAPOL packets between processes
- and send keying data from non-root -> privileged)
- EAPOL-Key processing (WPA & WEP keys) could be in privileged part
- at least in the beginning; some parts might end up being moved to
- non-root part eventually
- consider closing smart card / PCSC connection when EAP-SIM/EAP-AKA
authentication has been completed (cache scard data based on serial#(?)
and try to optimize next connection if the same card is present for next
Modified: wpasupplicant/trunk/wpa_supplicant/wpa_gui-qt4/networkconfig.cpp
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/wpa_supplicant/wpa_gui-qt4/networkconfig.cpp?rev=952&op=diff
==============================================================================
--- wpasupplicant/trunk/wpa_supplicant/wpa_gui-qt4/networkconfig.cpp (original)
+++ wpasupplicant/trunk/wpa_supplicant/wpa_gui-qt4/networkconfig.cpp Wed Dec 26 23:51:15 2007
@@ -162,7 +162,7 @@
setNetworkParam(id, "ssid", ssidEdit->text().ascii(), true);
- char *key_mgmt = NULL, *proto = NULL, *pairwise = NULL;
+ const char *key_mgmt = NULL, *proto = NULL, *pairwise = NULL;
switch (auth) {
case AUTH_NONE:
key_mgmt = "NONE";
Modified: wpasupplicant/trunk/wpa_supplicant/wpa_gui/networkconfig.ui.h
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/wpa_supplicant/wpa_gui/networkconfig.ui.h?rev=952&op=diff
==============================================================================
--- wpasupplicant/trunk/wpa_supplicant/wpa_gui/networkconfig.ui.h (original)
+++ wpasupplicant/trunk/wpa_supplicant/wpa_gui/networkconfig.ui.h Wed Dec 26 23:51:15 2007
@@ -131,7 +131,7 @@
setNetworkParam(id, "ssid", ssidEdit->text().ascii(), true);
- char *key_mgmt = NULL, *proto = NULL, *pairwise = NULL;
+ const char *key_mgmt = NULL, *proto = NULL, *pairwise = NULL;
switch (auth) {
case AUTH_NONE:
key_mgmt = "NONE";
Modified: wpasupplicant/trunk/wpa_supplicant/wpa_supplicant.c
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/wpa_supplicant/wpa_supplicant.c?rev=952&op=diff
==============================================================================
--- wpasupplicant/trunk/wpa_supplicant/wpa_supplicant.c (original)
+++ wpasupplicant/trunk/wpa_supplicant/wpa_supplicant.c Wed Dec 26 23:51:15 2007
@@ -109,7 +109,6 @@
extern struct wpa_driver_ops *wpa_supplicant_drivers[];
-extern int wpa_debug_use_file;
extern int wpa_debug_level;
extern int wpa_debug_show_keys;
extern int wpa_debug_timestamp;
@@ -1827,8 +1826,7 @@
if (params == NULL)
return NULL;
- wpa_debug_use_file = params->wpa_debug_use_file;
- wpa_debug_open_file();
+ wpa_debug_open_file(params->wpa_debug_file_path);
ret = eap_peer_register_methods();
if (ret) {
@@ -1857,8 +1855,6 @@
params->wpa_debug_show_keys;
wpa_debug_timestamp = global->params.wpa_debug_timestamp =
params->wpa_debug_timestamp;
- wpa_debug_use_file = global->params.wpa_debug_use_file =
- params->wpa_debug_use_file;
if (eloop_init(global)) {
wpa_printf(MSG_ERROR, "Failed to initialize event loop");
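Review bot: wpa_debug_show_keys and wpa_debug_timestamp are still mirrored into global->params here, but the removed wpa_debug_use_file assignment gets no wpa_debug_file_path counterpart, so global->params.wpa_debug_file_path stays unset after init. Either copy the path (duplicating the string so it does not alias the caller's buffer) or add a comment that the path is consumed only by wpa_debug_open_file() during initialization.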
Modified: wpasupplicant/trunk/wpa_supplicant/wpa_supplicant_i.h
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/wpa_supplicant/wpa_supplicant_i.h?rev=952&op=diff
==============================================================================
--- wpasupplicant/trunk/wpa_supplicant/wpa_supplicant_i.h (original)
+++ wpasupplicant/trunk/wpa_supplicant/wpa_supplicant_i.h Wed Dec 26 23:51:15 2007
@@ -151,9 +151,9 @@
int dbus_ctrl_interface;
/**
- * wpa_debug_use_file - Write debug to a file (instead of stdout)
- */
- int wpa_debug_use_file;
+ * wpa_debug_file_path - Path of debug file or %NULL to use stdout
+ */
+ const char *wpa_debug_file_path;
};
/**
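Review bot: the comment on wpa_debug_file_path does not say who owns the string or how long it must stay valid; main.c stores optarg in it and the Windows entry points store string literals. State in the doc comment that the pointer is not copied and is only read during initialization, so future callers do not pass a buffer they free afterwards.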