[arch-commits] Commit in wpa_supplicant/trunk (2 files)

Thomas Bächler thomas at nymeria.archlinux.org
Sun Feb 23 10:19:32 UTC 2014 

    Date: Sunday, February 23, 2014 @ 11:19:32
  Author: thomas
Revision: 206263

wpa_supplicant 2.1-2: Fix FS#38996.

Added:
  wpa_supplicant/trunk/0001-Revert-OpenSSL-Do-not-accept-SSL-Client-certificate-.patch
Modified:
  wpa_supplicant/trunk/PKGBUILD

-----------------------------------------------------------------+
 0001-Revert-OpenSSL-Do-not-accept-SSL-Client-certificate-.patch |   74 ++++++++++
 PKGBUILD                                                        |    9 -
 2 files changed, 80 insertions(+), 3 deletions(-)

Added: 0001-Revert-OpenSSL-Do-not-accept-SSL-Client-certificate-.patch
===================================================================
--- 0001-Revert-OpenSSL-Do-not-accept-SSL-Client-certificate-.patch	                        (rev 0)
+++ 0001-Revert-OpenSSL-Do-not-accept-SSL-Client-certificate-.patch	2014-02-23 10:19:32 UTC (rev 206263)
@@ -0,0 +1,74 @@
+From b62d5b5450101676a0c05691b4bcd94e11426397 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j at w1.fi>
+Date: Wed, 19 Feb 2014 11:56:02 +0200
+Subject: [PATCH] Revert "OpenSSL: Do not accept SSL Client certificate for
+ server"
+
+This reverts commit 51e3eafb68e15e78e98ca955704be8a6c3a7b304. There are
+too many deployed AAA servers that include both id-kp-clientAuth and
+id-kp-serverAuth EKUs for this change to be acceptable as a generic rule
+for AAA authentication server validation. OpenSSL enforces the policy of
+not connecting if only id-kp-clientAuth is included. If a valid EKU is
+listed with it, the connection needs to be accepted.
+
+Signed-off-by: Jouni Malinen <j at w1.fi>
+---
+ src/crypto/tls.h         |  3 +--
+ src/crypto/tls_openssl.c | 13 -------------
+ 2 files changed, 1 insertion(+), 15 deletions(-)
+
+diff --git a/src/crypto/tls.h b/src/crypto/tls.h
+index 287fd33..feba13f 100644
+--- a/src/crypto/tls.h
++++ b/src/crypto/tls.h
+@@ -41,8 +41,7 @@ enum tls_fail_reason {
+ 	TLS_FAIL_ALTSUBJECT_MISMATCH = 6,
+ 	TLS_FAIL_BAD_CERTIFICATE = 7,
+ 	TLS_FAIL_SERVER_CHAIN_PROBE = 8,
+-	TLS_FAIL_DOMAIN_SUFFIX_MISMATCH = 9,
+-	TLS_FAIL_SERVER_USED_CLIENT_CERT = 10
++	TLS_FAIL_DOMAIN_SUFFIX_MISMATCH = 9
+ };
+ 
+ union tls_event_data {
+diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
+index a13fa38..8cf1de8 100644
+--- a/src/crypto/tls_openssl.c
++++ b/src/crypto/tls_openssl.c
+@@ -105,7 +105,6 @@ struct tls_connection {
+ 	unsigned int ca_cert_verify:1;
+ 	unsigned int cert_probe:1;
+ 	unsigned int server_cert_only:1;
+-	unsigned int server:1;
+ 
+ 	u8 srv_cert_hash[32];
+ 
+@@ -1480,16 +1479,6 @@ static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
+ 				       TLS_FAIL_SERVER_CHAIN_PROBE);
+ 	}
+ 
+-	if (!conn->server && err_cert && preverify_ok && depth == 0 &&
+-	    (err_cert->ex_flags & EXFLAG_XKUSAGE) &&
+-	    (err_cert->ex_xkusage & XKU_SSL_CLIENT)) {
+-		wpa_printf(MSG_WARNING, "TLS: Server used client certificate");
+-		openssl_tls_fail_event(conn, err_cert, err, depth, buf,
+-				       "Server used client certificate",
+-				       TLS_FAIL_SERVER_USED_CLIENT_CERT);
+-		preverify_ok = 0;
+-	}
+-
+ 	if (preverify_ok && context->event_cb != NULL)
+ 		context->event_cb(context->cb_ctx,
+ 				  TLS_CERT_CHAIN_SUCCESS, NULL);
+@@ -2541,8 +2530,6 @@ openssl_handshake(struct tls_connection *conn, const struct wpabuf *in_data,
+ 	int res;
+ 	struct wpabuf *out_data;
+ 
+-	conn->server = !!server;
+-
+ 	/*
+ 	 * Give TLS handshake data from the server (if available) to OpenSSL
+ 	 * for processing.
+-- 
+1.9.0
+

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2014-02-23 10:06:43 UTC (rev 206262)
+++ PKGBUILD	2014-02-23 10:19:32 UTC (rev 206263)
@@ -3,7 +3,7 @@
 
 pkgname=wpa_supplicant
 pkgver=2.1
-pkgrel=1
+pkgrel=2
 pkgdesc="A utility providing key negotiation for WPA wireless networks"
 url="http://hostap.epitest.fi/wpa_supplicant"
 arch=('i686' 'x86_64')
@@ -12,13 +12,16 @@
 license=('GPL')
 backup=('etc/wpa_supplicant/wpa_supplicant.conf')
 source=("http://w1.fi/releases/${pkgname}-${pkgver}.tar.gz"
-	config)
+	config
+	0001-Revert-OpenSSL-Do-not-accept-SSL-Client-certificate-.patch)
 sha256sums=('91632e7e3b49a340ce408e2f978a93546a697383abf2e5a60f146faae9e1b277'
-            '6cb74517f4cc1d319e5124ff049bc3fd224180cc4dabc274f8e4b0a5a2291cef')
+            '6cb74517f4cc1d319e5124ff049bc3fd224180cc4dabc274f8e4b0a5a2291cef'
+            '3c85fa2cf2465fea86383eece75fa5479507a174da6f0cd09e691fbaaca03c74')
 
 prepare() {
   cd "${srcdir}/${pkgname}-${pkgver}/${pkgname}"
 
+  patch -p1 -i "${srcdir}"/0001-Revert-OpenSSL-Do-not-accept-SSL-Client-certificate-.patch
   cp "${srcdir}/config" ./.config
   sed -i 's@/usr/local@$(PREFIX)@g' Makefile
 }

More information about the arch-commits mailing list