diff options
4 files changed, 139 insertions, 102 deletions
diff --git a/abs/core/wpa_supplicant/0001-Revert-OpenSSL-Do-not-accept-SSL-Client-certificate-.patch b/abs/core/wpa_supplicant/0001-Revert-OpenSSL-Do-not-accept-SSL-Client-certificate-.patch new file mode 100644 index 0000000..8b0b1b3 --- /dev/null +++ b/abs/core/wpa_supplicant/0001-Revert-OpenSSL-Do-not-accept-SSL-Client-certificate-.patch @@ -0,0 +1,74 @@ +From b62d5b5450101676a0c05691b4bcd94e11426397 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <j@w1.fi> +Date: Wed, 19 Feb 2014 11:56:02 +0200 +Subject: [PATCH] Revert "OpenSSL: Do not accept SSL Client certificate for + server" + +This reverts commit 51e3eafb68e15e78e98ca955704be8a6c3a7b304. There are +too many deployed AAA servers that include both id-kp-clientAuth and +id-kp-serverAuth EKUs for this change to be acceptable as a generic rule +for AAA authentication server validation. OpenSSL enforces the policy of +not connecting if only id-kp-clientAuth is included. If a valid EKU is +listed with it, the connection needs to be accepted. + +Signed-off-by: Jouni Malinen <j@w1.fi> +--- + src/crypto/tls.h | 3 +-- + src/crypto/tls_openssl.c | 13 ------------- + 2 files changed, 1 insertion(+), 15 deletions(-) + +diff --git a/src/crypto/tls.h b/src/crypto/tls.h +index 287fd33..feba13f 100644 +--- a/src/crypto/tls.h ++++ b/src/crypto/tls.h +@@ -41,8 +41,7 @@ enum tls_fail_reason { + TLS_FAIL_ALTSUBJECT_MISMATCH = 6, + TLS_FAIL_BAD_CERTIFICATE = 7, + TLS_FAIL_SERVER_CHAIN_PROBE = 8, +- TLS_FAIL_DOMAIN_SUFFIX_MISMATCH = 9, +- TLS_FAIL_SERVER_USED_CLIENT_CERT = 10 ++ TLS_FAIL_DOMAIN_SUFFIX_MISMATCH = 9 + }; + + union tls_event_data { +diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c +index a13fa38..8cf1de8 100644 +--- a/src/crypto/tls_openssl.c ++++ b/src/crypto/tls_openssl.c +@@ -105,7 +105,6 @@ struct tls_connection { + unsigned int ca_cert_verify:1; + unsigned int cert_probe:1; + unsigned int server_cert_only:1; +- unsigned int server:1; + + u8 srv_cert_hash[32]; + +@@ -1480,16 +1479,6 @@ static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx) + TLS_FAIL_SERVER_CHAIN_PROBE); + } + +- if (!conn->server && err_cert && preverify_ok && depth == 0 && +- (err_cert->ex_flags & EXFLAG_XKUSAGE) && +- (err_cert->ex_xkusage & XKU_SSL_CLIENT)) { +- wpa_printf(MSG_WARNING, "TLS: Server used client certificate"); +- openssl_tls_fail_event(conn, err_cert, err, depth, buf, +- "Server used client certificate", +- TLS_FAIL_SERVER_USED_CLIENT_CERT); +- preverify_ok = 0; +- } +- + if (preverify_ok && context->event_cb != NULL) + context->event_cb(context->cb_ctx, + TLS_CERT_CHAIN_SUCCESS, NULL); +@@ -2541,8 +2530,6 @@ openssl_handshake(struct tls_connection *conn, const struct wpabuf *in_data, + int res; + struct wpabuf *out_data; + +- conn->server = !!server; +- + /* + * Give TLS handshake data from the server (if available) to OpenSSL + * for processing. +-- +1.9.0 + diff --git a/abs/core/wpa_supplicant/PKGBUILD b/abs/core/wpa_supplicant/PKGBUILD index 9b73f77..78860cb 100644 --- a/abs/core/wpa_supplicant/PKGBUILD +++ b/abs/core/wpa_supplicant/PKGBUILD @@ -1,33 +1,42 @@ -# $Id: PKGBUILD 187048 2013-06-03 11:15:42Z allan $ +# $Id$ # Maintainer: Thomas Bächler <thomas@archlinux.org> pkgname=wpa_supplicant -pkgver=2.0 -pkgrel=4 +pkgver=2.1 +pkgrel=3 pkgdesc="A utility providing key negotiation for WPA wireless networks" url="http://hostap.epitest.fi/wpa_supplicant" arch=('i686' 'x86_64') -depends=('openssl' 'dbus-core' 'readline' 'libnl') +depends=('openssl' 'libdbus' 'readline' 'libnl') optdepends=('wpa_supplicant_gui: wpa_gui program') license=('GPL') backup=('etc/wpa_supplicant/wpa_supplicant.conf') source=("http://w1.fi/releases/${pkgname}-${pkgver}.tar.gz" - config) + config + 0001-Revert-OpenSSL-Do-not-accept-SSL-Client-certificate-.patch) +sha256sums=('91632e7e3b49a340ce408e2f978a93546a697383abf2e5a60f146faae9e1b277' + '522b1e2b330bd3fcb9c3c964b0f05ad197a2f1160741835a47585ea45ba8e0a4' + '3c85fa2cf2465fea86383eece75fa5479507a174da6f0cd09e691fbaaca03c74') -build() { +prepare() { cd "${srcdir}/${pkgname}-${pkgver}/" - cd "${pkgname}" + patch -p1 -i "${srcdir}"/0001-Revert-OpenSSL-Do-not-accept-SSL-Client-certificate-.patch + cd "${pkgname}/" cp "${srcdir}/config" ./.config +} - sed -i 's@/usr/local@$(PREFIX)@g' Makefile +build() { + cd "${srcdir}/${pkgname}-${pkgver}/${pkgname}" - make PREFIX=/usr + # The Makefile does not pick up our CPPFLAGS + export CFLAGS="$CPPFLAGS $CFLAGS" + make LIBDIR=/usr/lib BINDIR=/usr/bin } package() { cd "${srcdir}/${pkgname}-${pkgver}/${pkgname}" - make PREFIX=/usr DESTDIR="${pkgdir}" install + make LIBDIR=/usr/lib BINDIR=/usr/bin DESTDIR="${pkgdir}" install install -d -m755 "${pkgdir}/etc/wpa_supplicant" install -m644 wpa_supplicant.conf "${pkgdir}/etc/wpa_supplicant/wpa_supplicant.conf" @@ -45,10 +54,4 @@ package() { install -d -m755 "${pkgdir}/usr/lib/systemd/system" install -m644 systemd/*.service "${pkgdir}/usr/lib/systemd/system/" - - # usrmove - cd "$pkgdir"/usr - mv sbin bin } -md5sums=('3be2ebfdcced52e00eda0afe2889839d' - '4aa1e5accd604091341b989b47fe1076') diff --git a/abs/core/wpa_supplicant/config b/abs/core/wpa_supplicant/config index 50426bf..c1035b4 100644 --- a/abs/core/wpa_supplicant/config +++ b/abs/core/wpa_supplicant/config @@ -20,63 +20,6 @@ # used to fix build issues on such systems (krb5.h not found). #CFLAGS += -I/usr/include/kerberos -# Example configuration for various cross-compilation platforms - -#### sveasoft (e.g., for Linksys WRT54G) ###################################### -#CC=mipsel-uclibc-gcc -#CC=/opt/brcm/hndtools-mipsel-uclibc/bin/mipsel-uclibc-gcc -#CFLAGS += -Os -#CPPFLAGS += -I../src/include -I../../src/router/openssl/include -#LIBS += -L/opt/brcm/hndtools-mipsel-uclibc-0.9.19/lib -lssl -############################################################################### - -#### openwrt (e.g., for Linksys WRT54G) ####################################### -#CC=mipsel-uclibc-gcc -#CC=/opt/brcm/hndtools-mipsel-uclibc/bin/mipsel-uclibc-gcc -#CFLAGS += -Os -#CPPFLAGS=-I../src/include -I../openssl-0.9.7d/include \ -# -I../WRT54GS/release/src/include -#LIBS = -lssl -############################################################################### - - -# Driver interface for Host AP driver -#CONFIG_DRIVER_HOSTAP=y - -# Driver interface for Agere driver -#CONFIG_DRIVER_HERMES=y -# Change include directories to match with the local setup -#CFLAGS += -I../../hcf -I../../include -I../../include/hcf -#CFLAGS += -I../../include/wireless - -# Driver interface for madwifi driver -# Deprecated; use CONFIG_DRIVER_WEXT=y instead. -#CONFIG_DRIVER_MADWIFI=y -# Set include directory to the madwifi source tree -#CFLAGS += -I../../madwifi - -# Driver interface for ndiswrapper -# Deprecated; use CONFIG_DRIVER_WEXT=y instead. -#CONFIG_DRIVER_NDISWRAPPER=y - -# Driver interface for Atmel driver -#CONFIG_DRIVER_ATMEL=y - -# Driver interface for old Broadcom driver -# Please note that the newer Broadcom driver ("hybrid Linux driver") supports -# Linux wireless extensions and does not need (or even work) with the old -# driver wrapper. Use CONFIG_DRIVER_WEXT=y with that driver. -#CONFIG_DRIVER_BROADCOM=y -# Example path for wlioctl.h; change to match your configuration -#CFLAGS += -I/opt/WRT54GS/release/src/include - -# Driver interface for Intel ipw2100/2200 driver -# Deprecated; use CONFIG_DRIVER_WEXT=y instead. -#CONFIG_DRIVER_IPW=y - -# Driver interface for Ralink driver -#CONFIG_DRIVER_RALINK=y - # Driver interface for generic Linux wireless extensions # Note: WEXT is deprecated in the current Linux kernel version and no new # functionality is added to it. nl80211-based interface is the new @@ -88,6 +31,19 @@ CONFIG_DRIVER_WEXT=y # Driver interface for Linux drivers using the nl80211 kernel interface CONFIG_DRIVER_NL80211=y +# driver_nl80211.c requires libnl. If you are compiling it yourself +# you may need to point hostapd to your version of libnl. +# +#CFLAGS += -I$<path to libnl include files> +#LIBS += -L$<path to libnl library files> + +# Use libnl v2.0 (or 3.0) libraries. +#CONFIG_LIBNL20=y + +# Use libnl 3.2 libraries (if this is selected, CONFIG_LIBNL20 is ignored) +CONFIG_LIBNL32=y + + # Driver interface for FreeBSD net80211 layer (e.g., Atheros driver) #CONFIG_DRIVER_BSD=y #CFLAGS += -I/usr/local/include @@ -147,11 +103,10 @@ CONFIG_EAP_PEAP=y CONFIG_EAP_TTLS=y # EAP-FAST -# Note: Default OpenSSL package does not include support for all the -# functionality needed for EAP-FAST. If EAP-FAST is enabled with OpenSSL, -# the OpenSSL library must be patched (openssl-0.9.8d-tls-extensions.patch) -# to add the needed functions. -#CONFIG_EAP_FAST=y +# Note: If OpenSSL is used as the TLS library, OpenSSL 1.0 or newer is needed +# for EAP-FAST support. Older OpenSSL releases would need to be patched, e.g., +# with openssl-0.9.8x-tls-extensions.patch, to add the needed functions. +CONFIG_EAP_FAST=y # EAP-GTC CONFIG_EAP_GTC=y @@ -210,6 +165,9 @@ CONFIG_WPS_NFC=y # EAP-IKEv2 #CONFIG_EAP_IKEV2=y +# EAP-EKE +#CONFIG_EAP_EKE=y + # PKCS#12 (PFX) support (used to read private key and certificate file from # a file that usually has extension .p12 or .pfx) CONFIG_PKCS12=y @@ -225,6 +183,9 @@ CONFIG_SMARTCARD=y # Support HT overrides (disable HT/HT40, mask MCS rates, etc.) CONFIG_HT_OVERRIDES=y +# Support VHT overrides (disable VHT, mask MCS rates, etc.) +CONFIG_VHT_OVERRIDES=y + # Development testing #CONFIG_EAPOL_TEST=y @@ -258,11 +219,6 @@ CONFIG_READLINE=y # 35-50 kB in code size. #CONFIG_NO_WPA=y -# Remove WPA2 support. This allows WPA to be used, but removes WPA2 code to -# save about 1 kB in code size when building only WPA-Personal (no EAP support) -# or 6 kB if building for WPA-Enterprise. -#CONFIG_NO_WPA2=y - # Remove IEEE 802.11i/WPA-Personal ASCII passphrase support # This option can be used to reduce code size by removing support for # converting ASCII passphrases into PSK. If this functionality is removed, the @@ -306,7 +262,6 @@ CONFIG_BACKEND=file # Select event loop implementation # eloop = select() loop (default) # eloop_win = Windows events and WaitForMultipleObject() loop -# eloop_none = Empty template #CONFIG_ELOOP=eloop # Should we use poll instead of select? Select is used by default. @@ -326,7 +281,7 @@ CONFIG_PEERKEY=y # IEEE 802.11w (management frame protection), also known as PMF # Driver support is also needed for IEEE 802.11w. -#CONFIG_IEEE80211W=y +CONFIG_IEEE80211W=y # Select TLS implementation # openssl = OpenSSL (default) @@ -420,6 +375,10 @@ CONFIG_DEBUG_FILE=y # same file, e.g., using trace-cmd. #CONFIG_DEBUG_LINUX_TRACING=y +# Add support for writing debug log to Android logcat instead of standard +# output +#CONFIG_ANDROID_LOG=y + # Enable privilege separation (see README 'Privilege separation' for details) #CONFIG_PRIVSEP=y @@ -477,7 +436,11 @@ CONFIG_DEBUG_FILE=y CONFIG_NO_RANDOM_POOL=y # IEEE 802.11n (High Throughput) support (mainly for AP mode) -#CONFIG_IEEE80211N=y +CONFIG_IEEE80211N=y + +# IEEE 802.11ac (Very High Throughput) support (mainly for AP mode) +# (depends on CONFIG_IEEE80211N) +CONFIG_IEEE80211AC=y # Wireless Network Management (IEEE Std 802.11v-2011) # Note: This is experimental and not complete implementation. @@ -492,6 +455,9 @@ CONFIG_NO_RANDOM_POOL=y # Hotspot 2.0 #CONFIG_HS20=y +# Disable roaming in wpa_supplicant +#CONFIG_NO_ROAMING=y + # AP mode operations with wpa_supplicant # This can be used for controlling AP mode operations with wpa_supplicant. It # should be noted that this is mainly aimed at simple cases like @@ -504,9 +470,17 @@ CONFIG_AP=y # more information on P2P operations. CONFIG_P2P=y +# Enable TDLS support +CONFIG_TDLS=y + +# Wi-Fi Direct +# This can be used to enable Wi-Fi Direct extensions for P2P using an external +# program to control the additional information exchanges in the messages. +CONFIG_WIFI_DISPLAY=y + # Autoscan # This can be used to enable automatic scan support in wpa_supplicant. -# See wpa_supplicant.conf for more information on autoscan usage. +# See wpa_supplicant.conf for more information on autoscan usage. # # Enabling directly a module will enable autoscan support. # For exponential module: @@ -522,9 +496,7 @@ CONFIG_AUTOSCAN_PERIODIC=y # External password backend for testing purposes (developer use) #CONFIG_EXT_PASSWORD_TEST=y -CONFIG_LIBNL32=y - -# More options that are not in defconfig: +# Options that are present not in defconfig: # RSN IBSS/AdHoc support CONFIG_IBSS_RSN=y diff --git a/abs/core/wpa_supplicant/hostap_allow-linking-with-libnl-3.2.patch b/abs/core/wpa_supplicant/hostap_allow-linking-with-libnl-3.2.patch deleted file mode 100644 index 5d89039..0000000 --- a/abs/core/wpa_supplicant/hostap_allow-linking-with-libnl-3.2.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up wpa_supplicant-1.0-rc2/src/drivers/drivers.mak.foo wpa_supplicant-1.0-rc2/src/drivers/drivers.mak ---- wpa_supplicant-1.0-rc2/src/drivers/drivers.mak.foo 2012-03-02 16:11:43.176448714 -0600 -+++ wpa_supplicant-1.0-rc2/src/drivers/drivers.mak 2012-03-02 16:12:29.759866341 -0600 -@@ -48,7 +48,7 @@ NEED_RFKILL=y - ifdef CONFIG_LIBNL32 - DRV_LIBS += -lnl-3 - DRV_LIBS += -lnl-genl-3 -- DRV_CFLAGS += -DCONFIG_LIBNL20 -+ DRV_CFLAGS += -DCONFIG_LIBNL20 `pkg-config --cflags libnl-3.0` - else - ifdef CONFIG_LIBNL_TINY - DRV_LIBS += -lnl-tiny |