wpa_supplicant: update to 2.1. refs #961

4 files changed, 139 insertions, 102 deletions

diff --git a/abs/core/wpa_supplicant/0001-Revert-OpenSSL-Do-not-accept-SSL-Client-certificate-.patch b/abs/core/wpa_supplicant/0001-Revert-OpenSSL-Do-not-accept-SSL-Client-certificate-.patch
new file mode 100644
index 0000000..8b0b1b3
--- /dev/null
+++ b/abs/core/wpa_supplicant/0001-Revert-OpenSSL-Do-not-accept-SSL-Client-certificate-.patch
@@ -0,0 +1,74 @@
+From b62d5b5450101676a0c05691b4bcd94e11426397 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Wed, 19 Feb 2014 11:56:02 +0200
+Subject: [PATCH] Revert "OpenSSL: Do not accept SSL Client certificate for
+ server"
+
+This reverts commit 51e3eafb68e15e78e98ca955704be8a6c3a7b304. There are
+too many deployed AAA servers that include both id-kp-clientAuth and
+id-kp-serverAuth EKUs for this change to be acceptable as a generic rule
+for AAA authentication server validation. OpenSSL enforces the policy of
+not connecting if only id-kp-clientAuth is included. If a valid EKU is
+listed with it, the connection needs to be accepted.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/crypto/tls.h         |  3 +--
+ src/crypto/tls_openssl.c | 13 -------------
+ 2 files changed, 1 insertion(+), 15 deletions(-)
+
+diff --git a/src/crypto/tls.h b/src/crypto/tls.h
+index 287fd33..feba13f 100644
+--- a/src/crypto/tls.h
++++ b/src/crypto/tls.h
+@@ -41,8 +41,7 @@ enum tls_fail_reason {
+ 	TLS_FAIL_ALTSUBJECT_MISMATCH = 6,
+ 	TLS_FAIL_BAD_CERTIFICATE = 7,
+ 	TLS_FAIL_SERVER_CHAIN_PROBE = 8,
+-	TLS_FAIL_DOMAIN_SUFFIX_MISMATCH = 9,
+-	TLS_FAIL_SERVER_USED_CLIENT_CERT = 10
++	TLS_FAIL_DOMAIN_SUFFIX_MISMATCH = 9
+ };
+ 
+ union tls_event_data {
+diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
+index a13fa38..8cf1de8 100644
+--- a/src/crypto/tls_openssl.c
++++ b/src/crypto/tls_openssl.c
+@@ -105,7 +105,6 @@ struct tls_connection {
+ 	unsigned int ca_cert_verify:1;
+ 	unsigned int cert_probe:1;
+ 	unsigned int server_cert_only:1;
+-	unsigned int server:1;
+ 
+ 	u8 srv_cert_hash[32];
+ 
+@@ -1480,16 +1479,6 @@ static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
+ 				       TLS_FAIL_SERVER_CHAIN_PROBE);
+ 	}
+ 
+-	if (!conn->server && err_cert && preverify_ok && depth == 0 &&
+-	    (err_cert->ex_flags & EXFLAG_XKUSAGE) &&
+-	    (err_cert->ex_xkusage & XKU_SSL_CLIENT)) {
+-		wpa_printf(MSG_WARNING, "TLS: Server used client certificate");
+-		openssl_tls_fail_event(conn, err_cert, err, depth, buf,
+-				       "Server used client certificate",
+-				       TLS_FAIL_SERVER_USED_CLIENT_CERT);
+-		preverify_ok = 0;
+-	}
+-
+ 	if (preverify_ok && context->event_cb != NULL)
+ 		context->event_cb(context->cb_ctx,
+ 				  TLS_CERT_CHAIN_SUCCESS, NULL);
+@@ -2541,8 +2530,6 @@ openssl_handshake(struct tls_connection *conn, const struct wpabuf *in_data,
+ 	int res;
+ 	struct wpabuf *out_data;
+ 
+-	conn->server = !!server;
+-
+ 	/*
+ 	 * Give TLS handshake data from the server (if available) to OpenSSL
+ 	 * for processing.
+-- 
+1.9.0
+
diff --git a/abs/core/wpa_supplicant/PKGBUILD b/abs/core/wpa_supplicant/PKGBUILD
index 9b73f77..78860cb 100644
--- a/abs/core/wpa_supplicant/PKGBUILD
+++ b/abs/core/wpa_supplicant/PKGBUILD
@@ -1,33 +1,42 @@
-# $Id: PKGBUILD 187048 2013-06-03 11:15:42Z allan $
+# $Id$
 # Maintainer: Thomas Bächler <thomas@archlinux.org>
 
 pkgname=wpa_supplicant
-pkgver=2.0
-pkgrel=4
+pkgver=2.1
+pkgrel=3
 pkgdesc="A utility providing key negotiation for WPA wireless networks"
 url="http://hostap.epitest.fi/wpa_supplicant"
 arch=('i686' 'x86_64')
-depends=('openssl' 'dbus-core' 'readline' 'libnl')
+depends=('openssl' 'libdbus' 'readline' 'libnl')
 optdepends=('wpa_supplicant_gui: wpa_gui program')
 license=('GPL')
 backup=('etc/wpa_supplicant/wpa_supplicant.conf')
 source=("http://w1.fi/releases/${pkgname}-${pkgver}.tar.gz"
-	config)
+	config
+	0001-Revert-OpenSSL-Do-not-accept-SSL-Client-certificate-.patch)
+sha256sums=('91632e7e3b49a340ce408e2f978a93546a697383abf2e5a60f146faae9e1b277'
+            '522b1e2b330bd3fcb9c3c964b0f05ad197a2f1160741835a47585ea45ba8e0a4'
+            '3c85fa2cf2465fea86383eece75fa5479507a174da6f0cd09e691fbaaca03c74')
 
-build() {
+prepare() {
   cd "${srcdir}/${pkgname}-${pkgver}/"
-  cd "${pkgname}"
+  patch -p1 -i "${srcdir}"/0001-Revert-OpenSSL-Do-not-accept-SSL-Client-certificate-.patch
 
+  cd "${pkgname}/"
   cp "${srcdir}/config" ./.config
+}
 
-  sed -i 's@/usr/local@$(PREFIX)@g' Makefile
+build() {
+  cd "${srcdir}/${pkgname}-${pkgver}/${pkgname}"
 
-  make PREFIX=/usr
+  # The Makefile does not pick up our CPPFLAGS
+  export CFLAGS="$CPPFLAGS $CFLAGS"
+  make LIBDIR=/usr/lib BINDIR=/usr/bin
 }
 
 package() {
   cd "${srcdir}/${pkgname}-${pkgver}/${pkgname}"
-  make PREFIX=/usr DESTDIR="${pkgdir}" install
+  make LIBDIR=/usr/lib BINDIR=/usr/bin DESTDIR="${pkgdir}" install
 
   install -d -m755 "${pkgdir}/etc/wpa_supplicant"
   install -m644 wpa_supplicant.conf "${pkgdir}/etc/wpa_supplicant/wpa_supplicant.conf"
@@ -45,10 +54,4 @@ package() {
 
   install -d -m755 "${pkgdir}/usr/lib/systemd/system"
   install -m644 systemd/*.service "${pkgdir}/usr/lib/systemd/system/"
-
-  # usrmove
-  cd "$pkgdir"/usr
-  mv sbin bin
 }
-md5sums=('3be2ebfdcced52e00eda0afe2889839d'
-         '4aa1e5accd604091341b989b47fe1076')
diff --git a/abs/core/wpa_supplicant/config b/abs/core/wpa_supplicant/config
index 50426bf..c1035b4 100644
--- a/abs/core/wpa_supplicant/config
+++ b/abs/core/wpa_supplicant/config
@@ -20,63 +20,6 @@
 # used to fix build issues on such systems (krb5.h not found).
 #CFLAGS += -I/usr/include/kerberos
 
-# Example configuration for various cross-compilation platforms
-
-#### sveasoft (e.g., for Linksys WRT54G) ######################################
-#CC=mipsel-uclibc-gcc
-#CC=/opt/brcm/hndtools-mipsel-uclibc/bin/mipsel-uclibc-gcc
-#CFLAGS += -Os
-#CPPFLAGS += -I../src/include -I../../src/router/openssl/include
-#LIBS += -L/opt/brcm/hndtools-mipsel-uclibc-0.9.19/lib -lssl
-###############################################################################
-
-#### openwrt (e.g., for Linksys WRT54G) #######################################
-#CC=mipsel-uclibc-gcc
-#CC=/opt/brcm/hndtools-mipsel-uclibc/bin/mipsel-uclibc-gcc
-#CFLAGS += -Os
-#CPPFLAGS=-I../src/include -I../openssl-0.9.7d/include \
-#	-I../WRT54GS/release/src/include
-#LIBS = -lssl
-###############################################################################
-
-
-# Driver interface for Host AP driver
-#CONFIG_DRIVER_HOSTAP=y
-
-# Driver interface for Agere driver
-#CONFIG_DRIVER_HERMES=y
-# Change include directories to match with the local setup
-#CFLAGS += -I../../hcf -I../../include -I../../include/hcf
-#CFLAGS += -I../../include/wireless
-
-# Driver interface for madwifi driver
-# Deprecated; use CONFIG_DRIVER_WEXT=y instead.
-#CONFIG_DRIVER_MADWIFI=y
-# Set include directory to the madwifi source tree
-#CFLAGS += -I../../madwifi
-
-# Driver interface for ndiswrapper
-# Deprecated; use CONFIG_DRIVER_WEXT=y instead.
-#CONFIG_DRIVER_NDISWRAPPER=y
-
-# Driver interface for Atmel driver
-#CONFIG_DRIVER_ATMEL=y
-
-# Driver interface for old Broadcom driver
-# Please note that the newer Broadcom driver ("hybrid Linux driver") supports
-# Linux wireless extensions and does not need (or even work) with the old
-# driver wrapper. Use CONFIG_DRIVER_WEXT=y with that driver.
-#CONFIG_DRIVER_BROADCOM=y
-# Example path for wlioctl.h; change to match your configuration
-#CFLAGS += -I/opt/WRT54GS/release/src/include
-
-# Driver interface for Intel ipw2100/2200 driver
-# Deprecated; use CONFIG_DRIVER_WEXT=y instead.
-#CONFIG_DRIVER_IPW=y
-
-# Driver interface for Ralink driver
-#CONFIG_DRIVER_RALINK=y
-
 # Driver interface for generic Linux wireless extensions
 # Note: WEXT is deprecated in the current Linux kernel version and no new
 # functionality is added to it. nl80211-based interface is the new
@@ -88,6 +31,19 @@ CONFIG_DRIVER_WEXT=y
 # Driver interface for Linux drivers using the nl80211 kernel interface
 CONFIG_DRIVER_NL80211=y
 
+# driver_nl80211.c requires libnl. If you are compiling it yourself
+# you may need to point hostapd to your version of libnl.
+#
+#CFLAGS += -I$<path to libnl include files>
+#LIBS += -L$<path to libnl library files>
+
+# Use libnl v2.0 (or 3.0) libraries.
+#CONFIG_LIBNL20=y
+
+# Use libnl 3.2 libraries (if this is selected, CONFIG_LIBNL20 is ignored)
+CONFIG_LIBNL32=y
+
+
 # Driver interface for FreeBSD net80211 layer (e.g., Atheros driver)
 #CONFIG_DRIVER_BSD=y
 #CFLAGS += -I/usr/local/include
@@ -147,11 +103,10 @@ CONFIG_EAP_PEAP=y
 CONFIG_EAP_TTLS=y
 
 # EAP-FAST
-# Note: Default OpenSSL package does not include support for all the
-# functionality needed for EAP-FAST. If EAP-FAST is enabled with OpenSSL,
-# the OpenSSL library must be patched (openssl-0.9.8d-tls-extensions.patch)
-# to add the needed functions.
-#CONFIG_EAP_FAST=y
+# Note: If OpenSSL is used as the TLS library, OpenSSL 1.0 or newer is needed
+# for EAP-FAST support. Older OpenSSL releases would need to be patched, e.g.,
+# with openssl-0.9.8x-tls-extensions.patch, to add the needed functions.
+CONFIG_EAP_FAST=y
 
 # EAP-GTC
 CONFIG_EAP_GTC=y
@@ -210,6 +165,9 @@ CONFIG_WPS_NFC=y
 # EAP-IKEv2
 #CONFIG_EAP_IKEV2=y
 
+# EAP-EKE
+#CONFIG_EAP_EKE=y
+
 # PKCS#12 (PFX) support (used to read private key and certificate file from
 # a file that usually has extension .p12 or .pfx)
 CONFIG_PKCS12=y
@@ -225,6 +183,9 @@ CONFIG_SMARTCARD=y
 # Support HT overrides (disable HT/HT40, mask MCS rates, etc.)
 CONFIG_HT_OVERRIDES=y
 
+# Support VHT overrides (disable VHT, mask MCS rates, etc.)
+CONFIG_VHT_OVERRIDES=y
+
 # Development testing
 #CONFIG_EAPOL_TEST=y
 
@@ -258,11 +219,6 @@ CONFIG_READLINE=y
 # 35-50 kB in code size.
 #CONFIG_NO_WPA=y
 
-# Remove WPA2 support. This allows WPA to be used, but removes WPA2 code to
-# save about 1 kB in code size when building only WPA-Personal (no EAP support)
-# or 6 kB if building for WPA-Enterprise.
-#CONFIG_NO_WPA2=y
-
 # Remove IEEE 802.11i/WPA-Personal ASCII passphrase support
 # This option can be used to reduce code size by removing support for
 # converting ASCII passphrases into PSK. If this functionality is removed, the
@@ -306,7 +262,6 @@ CONFIG_BACKEND=file
 # Select event loop implementation
 # eloop = select() loop (default)
 # eloop_win = Windows events and WaitForMultipleObject() loop
-# eloop_none = Empty template
 #CONFIG_ELOOP=eloop
 
 # Should we use poll instead of select? Select is used by default.
@@ -326,7 +281,7 @@ CONFIG_PEERKEY=y
 
 # IEEE 802.11w (management frame protection), also known as PMF
 # Driver support is also needed for IEEE 802.11w.
-#CONFIG_IEEE80211W=y
+CONFIG_IEEE80211W=y
 
 # Select TLS implementation
 # openssl = OpenSSL (default)
@@ -420,6 +375,10 @@ CONFIG_DEBUG_FILE=y
 # same file, e.g., using trace-cmd.
 #CONFIG_DEBUG_LINUX_TRACING=y
 
+# Add support for writing debug log to Android logcat instead of standard
+# output
+#CONFIG_ANDROID_LOG=y
+
 # Enable privilege separation (see README 'Privilege separation' for details)
 #CONFIG_PRIVSEP=y
 
@@ -477,7 +436,11 @@ CONFIG_DEBUG_FILE=y
 CONFIG_NO_RANDOM_POOL=y
 
 # IEEE 802.11n (High Throughput) support (mainly for AP mode)
-#CONFIG_IEEE80211N=y
+CONFIG_IEEE80211N=y
+
+# IEEE 802.11ac (Very High Throughput) support (mainly for AP mode)
+# (depends on CONFIG_IEEE80211N)
+CONFIG_IEEE80211AC=y
 
 # Wireless Network Management (IEEE Std 802.11v-2011)
 # Note: This is experimental and not complete implementation.
@@ -492,6 +455,9 @@ CONFIG_NO_RANDOM_POOL=y
 # Hotspot 2.0
 #CONFIG_HS20=y
 
+# Disable roaming in wpa_supplicant
+#CONFIG_NO_ROAMING=y
+
 # AP mode operations with wpa_supplicant
 # This can be used for controlling AP mode operations with wpa_supplicant. It
 # should be noted that this is mainly aimed at simple cases like
@@ -504,9 +470,17 @@ CONFIG_AP=y
 # more information on P2P operations.
 CONFIG_P2P=y
 
+# Enable TDLS support
+CONFIG_TDLS=y
+
+# Wi-Fi Direct
+# This can be used to enable Wi-Fi Direct extensions for P2P using an external
+# program to control the additional information exchanges in the messages.
+CONFIG_WIFI_DISPLAY=y
+
 # Autoscan
 # This can be used to enable automatic scan support in wpa_supplicant.
-# See wpa_supplicant.conf for more information on autoscan usage.
+# See wpa_supplicant.conf for more information on autoscan usage.
 #
 # Enabling directly a module will enable autoscan support.
 # For exponential module:
@@ -522,9 +496,7 @@ CONFIG_AUTOSCAN_PERIODIC=y
 # External password backend for testing purposes (developer use)
 #CONFIG_EXT_PASSWORD_TEST=y
 
-CONFIG_LIBNL32=y
-
-# More options that are not in defconfig:
+# Options that are present not in defconfig:
 
 # RSN IBSS/AdHoc support
 CONFIG_IBSS_RSN=y
diff --git a/abs/core/wpa_supplicant/hostap_allow-linking-with-libnl-3.2.patch b/abs/core/wpa_supplicant/hostap_allow-linking-with-libnl-3.2.patch
deleted file mode 100644
index 5d89039..0000000
--- a/abs/core/wpa_supplicant/hostap_allow-linking-with-libnl-3.2.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up wpa_supplicant-1.0-rc2/src/drivers/drivers.mak.foo wpa_supplicant-1.0-rc2/src/drivers/drivers.mak
---- wpa_supplicant-1.0-rc2/src/drivers/drivers.mak.foo	2012-03-02 16:11:43.176448714 -0600
-+++ wpa_supplicant-1.0-rc2/src/drivers/drivers.mak	2012-03-02 16:12:29.759866341 -0600
-@@ -48,7 +48,7 @@ NEED_RFKILL=y
- ifdef CONFIG_LIBNL32
-   DRV_LIBS += -lnl-3
-   DRV_LIBS += -lnl-genl-3
--  DRV_CFLAGS += -DCONFIG_LIBNL20
-+  DRV_CFLAGS += -DCONFIG_LIBNL20 `pkg-config --cflags libnl-3.0`
- else
-   ifdef CONFIG_LIBNL_TINY
-     DRV_LIBS += -lnl-tiny