Update to Linux 6.6 & 6.8, and Alpine 3.19

- Update dhcpcd to 10.0.5
- Update iptables to 1.8.10
- Update linux-lts to 6.6.22
- Update linux-edge to 6.8.1
- Update openrc 0.52.1
- Update mDNSResponder to 2200.80.16
- Update rtl8821ce to snapshot of 20240120
- Update rtw88 to snapshot of 20231024
- Resolve driver conflict between rtw88 and rtl8821ce
- Update rtw89 to snapshot of 20240310
- Update socat to 1.8.0.0
- Import security fixes for wpa_supplicant

5 files changed, 221 insertions, 22 deletions

diff --git a/aports/wpa_supplicant/APKBUILD b/aports/wpa_supplicant/APKBUILD
index dff5eed..58c5cce 100644
--- a/aports/wpa_supplicant/APKBUILD
+++ b/aports/wpa_supplicant/APKBUILD
@@ -2,7 +2,7 @@
 
 pkgname=wpa_supplicant
 pkgver=2.10
-pkgrel=5 # base: 7
+pkgrel=6 # base: 10
 pkgdesc="utility providing key negotiation for WPA wireless networks"
 url="https://w1.fi/wpa_supplicant/"
 arch="all"
@@ -14,18 +14,22 @@ source="https://w1.fi/releases/wpa_supplicant-$pkgver.tar.gz
 	wpa_supplicant.initd
 	wpa_supplicant.confd
 
-	eloop.patch
+	CVE-2023-52160.patch
+
 	unsafe-renegotiation-1.patch
 	unsafe-renegotiation-2.patch
 
 	0001-nl80211-add-extra-ies-only-if-allowed-by-driver.patch
 	0002-AP-guard-FT-SAE-code-with-CONFIG_IEEE80211R_AP.patch
+
 	lower-security-level-for-tls-1.patch
 	no-tools.patch
 	config
 	"
 
 # secfixes:
+#   2.10-r10:
+#     - CVE-2023-52160
 #   2.9-r13:
 #     - CVE-2021-30004
 #   2.9-r12:
@@ -81,14 +85,14 @@ package() {
 
 sha512sums="
 021c2a48f45d39c1dc6557730be5debaee071bc0ff82a271638beee6e32314e353e49d39e2f0dc8dff6e094dcc7008cfe1c32d0c7a34a1a345a12a3f1c1e11a1  wpa_supplicant-2.10.tar.gz
-92c4cbaa9776a354275640c9411d2f547f4c0e00415af4ab30039f1a0be6a11082d49e2514905010f0abcc4a9276353276da9864e3d5f7264a0f0767c8cc9d78  wpa_supplicant.initd
+8e5f0958f6086c465d7a13e793be7dedc021fae2162f0f3b29d00919c355f13e1c257744ae99ae063cca525fb8fa03abd5c117efe0ba9c6812b560ce62366846  wpa_supplicant.initd
 c7e4041fe41743c5e63a07edc9234d0c44c4c0f193a180b27342b43f3be45fb87b42ee0f9e4a20614cf6ad58cf64d25f74d1e75e2e1d521c2f6d45cdc5737eae  wpa_supplicant.confd
-2be055dd1f7da5a3d8e79c2f2c0220ddd31df309452da18f290144d2112d6dbde0fc633bb2ad02c386a39d7785323acaf5f70e5969995a1e8303a094eb5fe232  eloop.patch
+955c219a9e4e3e89f7f880561755059ea9f1ea27f5a5ec9f6a5b7c29195b06123c8eecfba324f3695bdb8cb53c401745c3d030a97e133dd1730351dc36c92fec  CVE-2023-52160.patch
 9528735924faf876a7094de46760605e5e66e265187421a668be06dbf03d7b4db6b84cbad793fcd6bd614e3ba540f82f1f80660d75e8a6070eeb7e9abb54ed28  unsafe-renegotiation-1.patch
 a92ba3ed3f41022a8af9396d2b703ee47f78aa05c1fddb42919a7fe6a6fad71e3515c63457e97e252ae0a32c6c34d67ea6efe0278df1e141cf36e650237e5295  unsafe-renegotiation-2.patch
 fb328872087268056b035802f71df2f7af8d11699822fe68611201a07dc693c4fdb8c50dd4fd509ed6db4cca89f6003ce3303770951686a35633977f466f4fb5  0001-nl80211-add-extra-ies-only-if-allowed-by-driver.patch
 f8a5f5e18509b61ad6fb7ce78207c039fccfca6b71f494cbe9853bcb1b09025364554a45b6129a5b992f6327f72c8a97b660088d9c542f0e62a1c370a3c628a8  0002-AP-guard-FT-SAE-code-with-CONFIG_IEEE80211R_AP.patch
 b1217eff6fbdba5a4c7302ea33bec64290d26745967b24e825c100de9b0e9b6400f0769c3cfac3c761596bb01079c31b632f14bd3374735200385f38557d8cad  lower-security-level-for-tls-1.patch
 3278eff7118f9dc9e177adc3ed91cad562a8edde396af8619321ac8552a86e9c7de25212d5578ea17cbe4b6dc928d83cd6e9a7f0d41e07576656e6e9274107d6  no-tools.patch
-310ee960c3d8beab80169bedf43ff9dfbf49f808c5a32accac2f41e54fff6d047a6136488de72cbcfa66c5205a3b68019dff6e7f2ebb87e00bbcdc509fca95ee  config
+450563b68fd99740cfae49521439e876e67b94c50f5ea20a84a96411713e5b93fbe428284105d13e4616a3d10d5bb0e6a9d752be1a939fb342fa3ea935210c7c  config
 "
diff --git a/aports/wpa_supplicant/CVE-2023-52160.patch b/aports/wpa_supplicant/CVE-2023-52160.patch
new file mode 100644
index 0000000..0726373
--- /dev/null
+++ b/aports/wpa_supplicant/CVE-2023-52160.patch
@@ -0,0 +1,210 @@
+From 8e6485a1bcb0baffdea9e55255a81270b768439c Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sat, 8 Jul 2023 19:55:32 +0300
+Subject: PEAP client: Update Phase 2 authentication requirements
+
+The previous PEAP client behavior allowed the server to skip Phase 2
+authentication with the expectation that the server was authenticated
+during Phase 1 through TLS server certificate validation. Various PEAP
+specifications are not exactly clear on what the behavior on this front
+is supposed to be and as such, this ended up being more flexible than
+the TTLS/FAST/TEAP cases. However, this is not really ideal when
+unfortunately common misconfiguration of PEAP is used in deployed
+devices where the server trust root (ca_cert) is not configured or the
+user has an easy option for allowing this validation step to be skipped.
+
+Change the default PEAP client behavior to be to require Phase 2
+authentication to be successfully completed for cases where TLS session
+resumption is not used and the client certificate has not been
+configured. Those two exceptions are the main cases where a deployed
+authentication server might skip Phase 2 and as such, where a more
+strict default behavior could result in undesired interoperability
+issues. Requiring Phase 2 authentication will end up disabling TLS
+session resumption automatically to avoid interoperability issues.
+
+Allow Phase 2 authentication behavior to be configured with a new phase1
+configuration parameter option:
+'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
+tunnel) behavior for PEAP:
+ * 0 = do not require Phase 2 authentication
+ * 1 = require Phase 2 authentication when client certificate
+   (private_key/client_cert) is no used and TLS session resumption was
+   not used (default)
+ * 2 = require Phase 2 authentication in all cases
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/eap_peer/eap_config.h          |  8 ++++++++
+ src/eap_peer/eap_peap.c            | 40 +++++++++++++++++++++++++++++++++++---
+ src/eap_peer/eap_tls_common.c      |  6 ++++++
+ src/eap_peer/eap_tls_common.h      |  5 +++++
+ wpa_supplicant/wpa_supplicant.conf |  7 +++++++
+ 5 files changed, 63 insertions(+), 3 deletions(-)
+
+diff --git a/src/eap_peer/eap_config.h b/src/eap_peer/eap_config.h
+index 26744ab68..58d5a1359 100644
+--- a/src/eap_peer/eap_config.h
++++ b/src/eap_peer/eap_config.h
+@@ -471,6 +471,14 @@ struct eap_peer_config {
+ 	 * 1 = use cryptobinding if server supports it
+ 	 * 2 = require cryptobinding
+ 	 *
++	 * phase2_auth option can be used to control Phase 2 (i.e., within TLS
++	 * tunnel) behavior for PEAP:
++	 * 0 = do not require Phase 2 authentication
++	 * 1 = require Phase 2 authentication when client certificate
++	 *  (private_key/client_cert) is no used and TLS session resumption was
++	 *  not used (default)
++	 * 2 = require Phase 2 authentication in all cases
++	 *
+ 	 * EAP-WSC (WPS) uses following options: pin=Device_Password and
+ 	 * uuid=Device_UUID
+ 	 *
+diff --git a/src/eap_peer/eap_peap.c b/src/eap_peer/eap_peap.c
+index 12e30df29..608069719 100644
+--- a/src/eap_peer/eap_peap.c
++++ b/src/eap_peer/eap_peap.c
+@@ -67,6 +67,7 @@ struct eap_peap_data {
+ 	u8 cmk[20];
+ 	int soh; /* Whether IF-TNCCS-SOH (Statement of Health; Microsoft NAP)
+ 		  * is enabled. */
++	enum { NO_AUTH, FOR_INITIAL, ALWAYS } phase2_auth;
+ };
+ 
+ 
+@@ -114,6 +115,19 @@ static void eap_peap_parse_phase1(struct eap_peap_data *data,
+ 		wpa_printf(MSG_DEBUG, "EAP-PEAP: Require cryptobinding");
+ 	}
+ 
++	if (os_strstr(phase1, "phase2_auth=0")) {
++		data->phase2_auth = NO_AUTH;
++		wpa_printf(MSG_DEBUG,
++			   "EAP-PEAP: Do not require Phase 2 authentication");
++	} else if (os_strstr(phase1, "phase2_auth=1")) {
++		data->phase2_auth = FOR_INITIAL;
++		wpa_printf(MSG_DEBUG,
++			   "EAP-PEAP: Require Phase 2 authentication for initial connection");
++	} else if (os_strstr(phase1, "phase2_auth=2")) {
++		data->phase2_auth = ALWAYS;
++		wpa_printf(MSG_DEBUG,
++			   "EAP-PEAP: Require Phase 2 authentication for all cases");
++	}
+ #ifdef EAP_TNC
+ 	if (os_strstr(phase1, "tnc=soh2")) {
+ 		data->soh = 2;
+@@ -142,6 +156,7 @@ static void * eap_peap_init(struct eap_sm *sm)
+ 	data->force_peap_version = -1;
+ 	data->peap_outer_success = 2;
+ 	data->crypto_binding = OPTIONAL_BINDING;
++	data->phase2_auth = FOR_INITIAL;
+ 
+ 	if (config && config->phase1)
+ 		eap_peap_parse_phase1(data, config->phase1);
+@@ -454,6 +469,20 @@ static int eap_tlv_validate_cryptobinding(struct eap_sm *sm,
+ }
+ 
+ 
++static bool peap_phase2_sufficient(struct eap_sm *sm,
++				   struct eap_peap_data *data)
++{
++	if ((data->phase2_auth == ALWAYS ||
++	     (data->phase2_auth == FOR_INITIAL &&
++	      !tls_connection_resumed(sm->ssl_ctx, data->ssl.conn) &&
++	      !data->ssl.client_cert_conf) ||
++	     data->phase2_eap_started) &&
++	    !data->phase2_eap_success)
++		return false;
++	return true;
++}
++
++
+ /**
+  * eap_tlv_process - Process a received EAP-TLV message and generate a response
+  * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
+@@ -568,6 +597,11 @@ static int eap_tlv_process(struct eap_sm *sm, struct eap_peap_data *data,
+ 					   " - force failed Phase 2");
+ 				resp_status = EAP_TLV_RESULT_FAILURE;
+ 				ret->decision = DECISION_FAIL;
++			} else if (!peap_phase2_sufficient(sm, data)) {
++				wpa_printf(MSG_INFO,
++					   "EAP-PEAP: Server indicated Phase 2 success, but sufficient Phase 2 authentication has not been completed");
++				resp_status = EAP_TLV_RESULT_FAILURE;
++				ret->decision = DECISION_FAIL;
+ 			} else {
+ 				resp_status = EAP_TLV_RESULT_SUCCESS;
+ 				ret->decision = DECISION_UNCOND_SUCC;
+@@ -887,8 +921,7 @@ continue_req:
+ 			/* EAP-Success within TLS tunnel is used to indicate
+ 			 * shutdown of the TLS channel. The authentication has
+ 			 * been completed. */
+-			if (data->phase2_eap_started &&
+-			    !data->phase2_eap_success) {
++			if (!peap_phase2_sufficient(sm, data)) {
+ 				wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 "
+ 					   "Success used to indicate success, "
+ 					   "but Phase 2 EAP was not yet "
+@@ -1199,8 +1232,9 @@ static struct wpabuf * eap_peap_process(struct eap_sm *sm, void *priv,
+ static bool eap_peap_has_reauth_data(struct eap_sm *sm, void *priv)
+ {
+ 	struct eap_peap_data *data = priv;
++
+ 	return tls_connection_established(sm->ssl_ctx, data->ssl.conn) &&
+-		data->phase2_success;
++		data->phase2_success && data->phase2_auth != ALWAYS;
+ }
+ 
+ 
+diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c
+index 6193b4bdb..966cbd6c7 100644
+--- a/src/eap_peer/eap_tls_common.c
++++ b/src/eap_peer/eap_tls_common.c
+@@ -242,6 +242,12 @@ static int eap_tls_params_from_conf(struct eap_sm *sm,
+ 
+ 	sm->ext_cert_check = !!(params->flags & TLS_CONN_EXT_CERT_CHECK);
+ 
++	if (!phase2)
++		data->client_cert_conf = params->client_cert ||
++			params->client_cert_blob ||
++			params->private_key ||
++			params->private_key_blob;
++
+ 	return 0;
+ }
+ 
+diff --git a/src/eap_peer/eap_tls_common.h b/src/eap_peer/eap_tls_common.h
+index 9ac00121f..334863413 100644
+--- a/src/eap_peer/eap_tls_common.h
++++ b/src/eap_peer/eap_tls_common.h
+@@ -79,6 +79,11 @@ struct eap_ssl_data {
+ 	 * tls_v13 - Whether TLS v1.3 or newer is used
+ 	 */
+ 	int tls_v13;
++
++	/**
++	 * client_cert_conf: Whether client certificate has been configured
++	 */
++	bool client_cert_conf;
+ };
+ 
+ 
+diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
+index f0b82443e..1b09f57d3 100644
+--- a/wpa_supplicant/wpa_supplicant.conf
++++ b/wpa_supplicant/wpa_supplicant.conf
+@@ -1370,6 +1370,13 @@ fast_reauth=1
+ #	 * 0 = do not use cryptobinding (default)
+ #	 * 1 = use cryptobinding if server supports it
+ #	 * 2 = require cryptobinding
++#	'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
++#	tunnel) behavior for PEAP:
++#	 * 0 = do not require Phase 2 authentication
++#	 * 1 = require Phase 2 authentication when client certificate
++#	   (private_key/client_cert) is no used and TLS session resumption was
++#	   not used (default)
++#	 * 2 = require Phase 2 authentication in all cases
+ #	EAP-WSC (WPS) uses following options: pin=<Device Password> or
+ #	pbc=1.
+ #
+-- 
+cgit v1.2.3-18-g5258
+
diff --git a/aports/wpa_supplicant/config b/aports/wpa_supplicant/config
index 5bf8072..cdefd95 100644
--- a/aports/wpa_supplicant/config
+++ b/aports/wpa_supplicant/config
@@ -532,7 +532,7 @@ CONFIG_TDLS=y
 # Wi-Fi Display
 # This can be used to enable Wi-Fi Display extensions for P2P using an external
 # program to control the additional information exchanges in the messages.
-#CONFIG_WIFI_DISPLAY=y
+CONFIG_WIFI_DISPLAY=y
 
 # Autoscan
 # This can be used to enable automatic scan support in wpa_supplicant.
diff --git a/aports/wpa_supplicant/eloop.patch b/aports/wpa_supplicant/eloop.patch
deleted file mode 100644
index bab2cee..0000000
--- a/aports/wpa_supplicant/eloop.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-$OpenBSD: patch-src_utils_eloop_c,v 1.5 2015/09/29 11:57:54 dcoppa Exp $
-
-don't try to access list members to free them unless already initialised
-
---- a/src/utils/eloop.c.orig	Sun Sep 27 21:02:05 2015
-+++ b/src/utils/eloop.c	Mon Sep 28 09:35:05 2015
-@@ -1064,6 +1064,9 @@ void eloop_destroy(void)
- 	struct eloop_timeout *timeout, *prev;
- 	struct os_reltime now;
- 
-+	if (eloop.timeout.prev == NULL)
-+		return;
-+
- 	os_get_reltime(&now);
- 	dl_list_for_each_safe(timeout, prev, &eloop.timeout,
- 			      struct eloop_timeout, list) {
diff --git a/aports/wpa_supplicant/wpa_supplicant.initd b/aports/wpa_supplicant/wpa_supplicant.initd
index c1a4834..91f57e6 100644
--- a/aports/wpa_supplicant/wpa_supplicant.initd
+++ b/aports/wpa_supplicant/wpa_supplicant.initd
@@ -18,6 +18,7 @@ depend() {
 	after bootmisc modules entropy udev-settle
 	before dns dhcpcd net
 	keyword -shutdown
+	provide wlan
 }
 
 find_wireless() {