-rw-r--r--abs/core/wpa_supplicant/0001-Revert-OpenSSL-Do-not-accept-SSL-Client-certificate-.patch74
-rw-r--r--abs/core/wpa_supplicant/PKGBUILD35
-rw-r--r--abs/core/wpa_supplicant/config120
-rw-r--r--abs/core/wpa_supplicant/hostap_allow-linking-with-libnl-3.2.patch12
4 files changed, 139 insertions, 102 deletions
diff --git a/abs/core/wpa_supplicant/0001-Revert-OpenSSL-Do-not-accept-SSL-Client-certificate-.patch b/abs/core/wpa_supplicant/0001-Revert-OpenSSL-Do-not-accept-SSL-Client-certificate-.patch
new file mode 100644
index 0000000..8b0b1b3
--- /dev/null
+++ b/abs/core/wpa_supplicant/0001-Revert-OpenSSL-Do-not-accept-SSL-Client-certificate-.patch
@@ -0,0 +1,74 @@
+From b62d5b5450101676a0c05691b4bcd94e11426397 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Wed, 19 Feb 2014 11:56:02 +0200
+Subject: [PATCH] Revert "OpenSSL: Do not accept SSL Client certificate for
+ server"
+
+This reverts commit 51e3eafb68e15e78e98ca955704be8a6c3a7b304. There are
+too many deployed AAA servers that include both id-kp-clientAuth and
+id-kp-serverAuth EKUs for this change to be acceptable as a generic rule
+for AAA authentication server validation. OpenSSL enforces the policy of
+not connecting if only id-kp-clientAuth is included. If a valid EKU is
+listed with it, the connection needs to be accepted.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/crypto/tls.h | 3 +--
+ src/crypto/tls_openssl.c | 13 -------------
+ 2 files changed, 1 insertion(+), 15 deletions(-)
+
+diff --git a/src/crypto/tls.h b/src/crypto/tls.h
+index 287fd33..feba13f 100644
+--- a/src/crypto/tls.h
++++ b/src/crypto/tls.h
+@@ -41,8 +41,7 @@ enum tls_fail_reason {
+ TLS_FAIL_ALTSUBJECT_MISMATCH = 6,
+ TLS_FAIL_BAD_CERTIFICATE = 7,
+ TLS_FAIL_SERVER_CHAIN_PROBE = 8,
+- TLS_FAIL_DOMAIN_SUFFIX_MISMATCH = 9,
+- TLS_FAIL_SERVER_USED_CLIENT_CERT = 10
++ TLS_FAIL_DOMAIN_SUFFIX_MISMATCH = 9
+ };
+
+ union tls_event_data {
+diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
+index a13fa38..8cf1de8 100644
+--- a/src/crypto/tls_openssl.c
++++ b/src/crypto/tls_openssl.c
+@@ -105,7 +105,6 @@ struct tls_connection {
+ unsigned int ca_cert_verify:1;
+ unsigned int cert_probe:1;
+ unsigned int server_cert_only:1;
+- unsigned int server:1;
+
+ u8 srv_cert_hash[32];
+
+@@ -1480,16 +1479,6 @@ static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
+ TLS_FAIL_SERVER_CHAIN_PROBE);
+ }
+
+- if (!conn->server && err_cert && preverify_ok && depth == 0 &&
+- (err_cert->ex_flags & EXFLAG_XKUSAGE) &&
+- (err_cert->ex_xkusage & XKU_SSL_CLIENT)) {
+- wpa_printf(MSG_WARNING, "TLS: Server used client certificate");
+- openssl_tls_fail_event(conn, err_cert, err, depth, buf,
+- "Server used client certificate",
+- TLS_FAIL_SERVER_USED_CLIENT_CERT);
+- preverify_ok = 0;
+- }
+-
+ if (preverify_ok && context->event_cb != NULL)
+ context->event_cb(context->cb_ctx,
+ TLS_CERT_CHAIN_SUCCESS, NULL);
+@@ -2541,8 +2530,6 @@ openssl_handshake(struct tls_connection *conn, const struct wpabuf *in_data,
+ int res;
+ struct wpabuf *out_data;
+
+- conn->server = !!server;
+-
+ /*
+ * Give TLS handshake data from the server (if available) to OpenSSL
+ * for processing.
+--
+1.9.0
+
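Review bot: With the `tls_verify_cb` block removed by this carried patch, wpa_supplicant itself no longer inspects the extended key usage of the depth-0 certificate, so rejecting an authentication server that presents a clientAuth-only certificate depends entirely on the OpenSSL purpose check the commit message refers to. Nothing in this package confirms that behaviour for the OpenSSL version it links against, and the reason for shipping a patch that relaxes validation is recorded only inside the patch file. I would note it where the patch is applied in the PKGBUILD, for example `# Revert of 51e3eafb: accept AAA server certs listing both clientAuth and serverAuth EKUs; clientAuth-only rejection is left to OpenSSL - drop once a release contains this revert`. It is also worth verifying the build once against a test server that presents a clientAuth-only certificate.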
diff --git a/abs/core/wpa_supplicant/PKGBUILD b/abs/core/wpa_supplicant/PKGBUILD
index 9b73f77..78860cb 100644
--- a/abs/core/wpa_supplicant/PKGBUILD
+++ b/abs/core/wpa_supplicant/PKGBUILD
@@ -1,33 +1,42 @@
-# $Id: PKGBUILD 187048 2013-06-03 11:15:42Z allan $
+# $Id$
# Maintainer: Thomas Bächler <thomas@archlinux.org>
pkgname=wpa_supplicant
-pkgver=2.0
-pkgrel=4
+pkgver=2.1
+pkgrel=3
pkgdesc="A utility providing key negotiation for WPA wireless networks"
url="http://hostap.epitest.fi/wpa_supplicant"
arch=('i686' 'x86_64')
-depends=('openssl' 'dbus-core' 'readline' 'libnl')
+depends=('openssl' 'libdbus' 'readline' 'libnl')
optdepends=('wpa_supplicant_gui: wpa_gui program')
license=('GPL')
backup=('etc/wpa_supplicant/wpa_supplicant.conf')
source=("http://w1.fi/releases/${pkgname}-${pkgver}.tar.gz"
- config)
+ config
+ 0001-Revert-OpenSSL-Do-not-accept-SSL-Client-certificate-.patch)
+sha256sums=('91632e7e3b49a340ce408e2f978a93546a697383abf2e5a60f146faae9e1b277'
+ '522b1e2b330bd3fcb9c3c964b0f05ad197a2f1160741835a47585ea45ba8e0a4'
+ '3c85fa2cf2465fea86383eece75fa5479507a174da6f0cd09e691fbaaca03c74')
-build() {
+prepare() {
cd "${srcdir}/${pkgname}-${pkgver}/"
- cd "${pkgname}"
+ patch -p1 -i "${srcdir}"/0001-Revert-OpenSSL-Do-not-accept-SSL-Client-certificate-.patch
+ cd "${pkgname}/"
cp "${srcdir}/config" ./.config
+}
- sed -i 's@/usr/local@$(PREFIX)@g' Makefile
+build() {
+ cd "${srcdir}/${pkgname}-${pkgver}/${pkgname}"
- make PREFIX=/usr
+ # The Makefile does not pick up our CPPFLAGS
+ export CFLAGS="$CPPFLAGS $CFLAGS"
+ make LIBDIR=/usr/lib BINDIR=/usr/bin
}
package() {
cd "${srcdir}/${pkgname}-${pkgver}/${pkgname}"
- make PREFIX=/usr DESTDIR="${pkgdir}" install
+ make LIBDIR=/usr/lib BINDIR=/usr/bin DESTDIR="${pkgdir}" install
install -d -m755 "${pkgdir}/etc/wpa_supplicant"
install -m644 wpa_supplicant.conf "${pkgdir}/etc/wpa_supplicant/wpa_supplicant.conf"
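Review bot: The new `sha256sums` array is the only integrity control on the release tarball, because the `source=` entry still downloads it over plain `http://w1.fi/releases/`; the checksum is trustworthy only if it was computed from a copy obtained by some other route. If upstream serves the same path over TLS, I would change the entry to `source=("https://w1.fi/releases/${pkgname}-${pkgver}.tar.gz"`, and add a detached signature as a further source should upstream publish one. The `package()` body continues past the end of this hunk.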
@@ -45,10 +54,4 @@ package() {
install -d -m755 "${pkgdir}/usr/lib/systemd/system"
install -m644 systemd/*.service "${pkgdir}/usr/lib/systemd/system/"
-
- # usrmove
- cd "$pkgdir"/usr
- mv sbin bin
}
-md5sums=('3be2ebfdcced52e00eda0afe2889839d'
- '4aa1e5accd604091341b989b47fe1076')
diff --git a/abs/core/wpa_supplicant/config b/abs/core/wpa_supplicant/config
index 50426bf..c1035b4 100644
--- a/abs/core/wpa_supplicant/config
+++ b/abs/core/wpa_supplicant/config
@@ -20,63 +20,6 @@
# used to fix build issues on such systems (krb5.h not found).
#CFLAGS += -I/usr/include/kerberos
-# Example configuration for various cross-compilation platforms
-
-#### sveasoft (e.g., for Linksys WRT54G) ######################################
-#CC=mipsel-uclibc-gcc
-#CC=/opt/brcm/hndtools-mipsel-uclibc/bin/mipsel-uclibc-gcc
-#CFLAGS += -Os
-#CPPFLAGS += -I../src/include -I../../src/router/openssl/include
-#LIBS += -L/opt/brcm/hndtools-mipsel-uclibc-0.9.19/lib -lssl
-###############################################################################
-
-#### openwrt (e.g., for Linksys WRT54G) #######################################
-#CC=mipsel-uclibc-gcc
-#CC=/opt/brcm/hndtools-mipsel-uclibc/bin/mipsel-uclibc-gcc
-#CFLAGS += -Os
-#CPPFLAGS=-I../src/include -I../openssl-0.9.7d/include \
-# -I../WRT54GS/release/src/include
-#LIBS = -lssl
-###############################################################################
-
-
-# Driver interface for Host AP driver
-#CONFIG_DRIVER_HOSTAP=y
-
-# Driver interface for Agere driver
-#CONFIG_DRIVER_HERMES=y
-# Change include directories to match with the local setup
-#CFLAGS += -I../../hcf -I../../include -I../../include/hcf
-#CFLAGS += -I../../include/wireless
-
-# Driver interface for madwifi driver
-# Deprecated; use CONFIG_DRIVER_WEXT=y instead.
-#CONFIG_DRIVER_MADWIFI=y
-# Set include directory to the madwifi source tree
-#CFLAGS += -I../../madwifi
-
-# Driver interface for ndiswrapper
-# Deprecated; use CONFIG_DRIVER_WEXT=y instead.
-#CONFIG_DRIVER_NDISWRAPPER=y
-
-# Driver interface for Atmel driver
-#CONFIG_DRIVER_ATMEL=y
-
-# Driver interface for old Broadcom driver
-# Please note that the newer Broadcom driver ("hybrid Linux driver") supports
-# Linux wireless extensions and does not need (or even work) with the old
-# driver wrapper. Use CONFIG_DRIVER_WEXT=y with that driver.
-#CONFIG_DRIVER_BROADCOM=y
-# Example path for wlioctl.h; change to match your configuration
-#CFLAGS += -I/opt/WRT54GS/release/src/include
-
-# Driver interface for Intel ipw2100/2200 driver
-# Deprecated; use CONFIG_DRIVER_WEXT=y instead.
-#CONFIG_DRIVER_IPW=y
-
-# Driver interface for Ralink driver
-#CONFIG_DRIVER_RALINK=y
-
# Driver interface for generic Linux wireless extensions
# Note: WEXT is deprecated in the current Linux kernel version and no new
# functionality is added to it. nl80211-based interface is the new
@@ -88,6 +31,19 @@ CONFIG_DRIVER_WEXT=y
# Driver interface for Linux drivers using the nl80211 kernel interface
CONFIG_DRIVER_NL80211=y
+# driver_nl80211.c requires libnl. If you are compiling it yourself
+# you may need to point hostapd to your version of libnl.
+#
+#CFLAGS += -I$<path to libnl include files>
+#LIBS += -L$<path to libnl library files>
+
+# Use libnl v2.0 (or 3.0) libraries.
+#CONFIG_LIBNL20=y
+
+# Use libnl 3.2 libraries (if this is selected, CONFIG_LIBNL20 is ignored)
+CONFIG_LIBNL32=y
+
+
# Driver interface for FreeBSD net80211 layer (e.g., Atheros driver)
#CONFIG_DRIVER_BSD=y
#CFLAGS += -I/usr/local/include
@@ -147,11 +103,10 @@ CONFIG_EAP_PEAP=y
CONFIG_EAP_TTLS=y
# EAP-FAST
-# Note: Default OpenSSL package does not include support for all the
-# functionality needed for EAP-FAST. If EAP-FAST is enabled with OpenSSL,
-# the OpenSSL library must be patched (openssl-0.9.8d-tls-extensions.patch)
-# to add the needed functions.
-#CONFIG_EAP_FAST=y
+# Note: If OpenSSL is used as the TLS library, OpenSSL 1.0 or newer is needed
+# for EAP-FAST support. Older OpenSSL releases would need to be patched, e.g.,
+# with openssl-0.9.8x-tls-extensions.patch, to add the needed functions.
+CONFIG_EAP_FAST=y
# EAP-GTC
CONFIG_EAP_GTC=y
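Review bot: `CONFIG_EAP_FAST=y` is switched on here with no stated reason, and the later hunks do the same for `CONFIG_TDLS=y`, `CONFIG_WIFI_DISPLAY=y`, `CONFIG_IEEE80211N=y` and `CONFIG_IEEE80211AC=y`. Each compiles additional protocol handling for peer-supplied data into the daemon, while `CONFIG_PRIVSEP` remains commented out further down. Whether the distribution needs all of them cannot be seen from this page. I would keep only the options with a known consumer and record it beside each one, e.g. `# enabled for <consumer/use case>` above `CONFIG_EAP_FAST=y`.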
@@ -210,6 +165,9 @@ CONFIG_WPS_NFC=y
# EAP-IKEv2
#CONFIG_EAP_IKEV2=y
+# EAP-EKE
+#CONFIG_EAP_EKE=y
+
# PKCS#12 (PFX) support (used to read private key and certificate file from
# a file that usually has extension .p12 or .pfx)
CONFIG_PKCS12=y
@@ -225,6 +183,9 @@ CONFIG_SMARTCARD=y
# Support HT overrides (disable HT/HT40, mask MCS rates, etc.)
CONFIG_HT_OVERRIDES=y
+# Support VHT overrides (disable VHT, mask MCS rates, etc.)
+CONFIG_VHT_OVERRIDES=y
+
# Development testing
#CONFIG_EAPOL_TEST=y
@@ -258,11 +219,6 @@ CONFIG_READLINE=y
# 35-50 kB in code size.
#CONFIG_NO_WPA=y
-# Remove WPA2 support. This allows WPA to be used, but removes WPA2 code to
-# save about 1 kB in code size when building only WPA-Personal (no EAP support)
-# or 6 kB if building for WPA-Enterprise.
-#CONFIG_NO_WPA2=y
-
# Remove IEEE 802.11i/WPA-Personal ASCII passphrase support
# This option can be used to reduce code size by removing support for
# converting ASCII passphrases into PSK. If this functionality is removed, the
@@ -306,7 +262,6 @@ CONFIG_BACKEND=file
# Select event loop implementation
# eloop = select() loop (default)
# eloop_win = Windows events and WaitForMultipleObject() loop
-# eloop_none = Empty template
#CONFIG_ELOOP=eloop
# Should we use poll instead of select? Select is used by default.
@@ -326,7 +281,7 @@ CONFIG_PEERKEY=y
# IEEE 802.11w (management frame protection), also known as PMF
# Driver support is also needed for IEEE 802.11w.
-#CONFIG_IEEE80211W=y
+CONFIG_IEEE80211W=y
# Select TLS implementation
# openssl = OpenSSL (default)
@@ -420,6 +375,10 @@ CONFIG_DEBUG_FILE=y
# same file, e.g., using trace-cmd.
#CONFIG_DEBUG_LINUX_TRACING=y
+# Add support for writing debug log to Android logcat instead of standard
+# output
+#CONFIG_ANDROID_LOG=y
+
# Enable privilege separation (see README 'Privilege separation' for details)
#CONFIG_PRIVSEP=y
@@ -477,7 +436,11 @@ CONFIG_DEBUG_FILE=y
CONFIG_NO_RANDOM_POOL=y
# IEEE 802.11n (High Throughput) support (mainly for AP mode)
-#CONFIG_IEEE80211N=y
+CONFIG_IEEE80211N=y
+
+# IEEE 802.11ac (Very High Throughput) support (mainly for AP mode)
+# (depends on CONFIG_IEEE80211N)
+CONFIG_IEEE80211AC=y
# Wireless Network Management (IEEE Std 802.11v-2011)
# Note: This is experimental and not complete implementation.
@@ -492,6 +455,9 @@ CONFIG_NO_RANDOM_POOL=y
# Hotspot 2.0
#CONFIG_HS20=y
+# Disable roaming in wpa_supplicant
+#CONFIG_NO_ROAMING=y
+
# AP mode operations with wpa_supplicant
# This can be used for controlling AP mode operations with wpa_supplicant. It
# should be noted that this is mainly aimed at simple cases like
@@ -504,9 +470,17 @@ CONFIG_AP=y
# more information on P2P operations.
CONFIG_P2P=y
+# Enable TDLS support
+CONFIG_TDLS=y
+
+# Wi-Fi Direct
+# This can be used to enable Wi-Fi Direct extensions for P2P using an external
+# program to control the additional information exchanges in the messages.
+CONFIG_WIFI_DISPLAY=y
+
# Autoscan
# This can be used to enable automatic scan support in wpa_supplicant.
-# See wpa_supplicant.conf for more information on autoscan usage.
+# See wpa_supplicant.conf for more information on autoscan usage.
#
# Enabling directly a module will enable autoscan support.
# For exponential module:
@@ -522,9 +496,7 @@ CONFIG_AUTOSCAN_PERIODIC=y
# External password backend for testing purposes (developer use)
#CONFIG_EXT_PASSWORD_TEST=y
-CONFIG_LIBNL32=y
-
-# More options that are not in defconfig:
+# Options that are present not in defconfig:
# RSN IBSS/AdHoc support
CONFIG_IBSS_RSN=y
diff --git a/abs/core/wpa_supplicant/hostap_allow-linking-with-libnl-3.2.patch b/abs/core/wpa_supplicant/hostap_allow-linking-with-libnl-3.2.patch
deleted file mode 100644
index 5d89039..0000000
--- a/abs/core/wpa_supplicant/hostap_allow-linking-with-libnl-3.2.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up wpa_supplicant-1.0-rc2/src/drivers/drivers.mak.foo wpa_supplicant-1.0-rc2/src/drivers/drivers.mak
---- wpa_supplicant-1.0-rc2/src/drivers/drivers.mak.foo 2012-03-02 16:11:43.176448714 -0600
-+++ wpa_supplicant-1.0-rc2/src/drivers/drivers.mak 2012-03-02 16:12:29.759866341 -0600
-@@ -48,7 +48,7 @@ NEED_RFKILL=y
- ifdef CONFIG_LIBNL32
- DRV_LIBS += -lnl-3
- DRV_LIBS += -lnl-genl-3
-- DRV_CFLAGS += -DCONFIG_LIBNL20
-+ DRV_CFLAGS += -DCONFIG_LIBNL20 `pkg-config --cflags libnl-3.0`
- else
- ifdef CONFIG_LIBNL_TINY
- DRV_LIBS += -lnl-tiny