[arch-commits] Commit in wpa_supplicant/repos (12 files)
Bartłomiej Piotrowski
bpiotrowski at archlinux.org
Mon Aug 14 13:00:29 UTC 2017
Date: Monday, August 14, 2017 @ 13:00:28
Author: bpiotrowski
Revision: 302176
archrelease: copy trunk to testing-i686, testing-x86_64
Added:
wpa_supplicant/repos/testing-i686/
wpa_supplicant/repos/testing-i686/PKGBUILD
(from rev 302175, wpa_supplicant/trunk/PKGBUILD)
wpa_supplicant/repos/testing-i686/config
(from rev 302175, wpa_supplicant/trunk/config)
wpa_supplicant/repos/testing-i686/rh1462262-use-system-openssl-ciphers.patch
(from rev 302175, wpa_supplicant/trunk/rh1462262-use-system-openssl-ciphers.patch)
wpa_supplicant/repos/testing-i686/rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch
(from rev 302175, wpa_supplicant/trunk/rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch)
wpa_supplicant/repos/testing-i686/wpa_supplicant.install
(from rev 302175, wpa_supplicant/trunk/wpa_supplicant.install)
wpa_supplicant/repos/testing-x86_64/
wpa_supplicant/repos/testing-x86_64/PKGBUILD
(from rev 302175, wpa_supplicant/trunk/PKGBUILD)
wpa_supplicant/repos/testing-x86_64/config
(from rev 302175, wpa_supplicant/trunk/config)
wpa_supplicant/repos/testing-x86_64/rh1462262-use-system-openssl-ciphers.patch
(from rev 302175, wpa_supplicant/trunk/rh1462262-use-system-openssl-ciphers.patch)
wpa_supplicant/repos/testing-x86_64/rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch
(from rev 302175, wpa_supplicant/trunk/rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch)
wpa_supplicant/repos/testing-x86_64/wpa_supplicant.install
(from rev 302175, wpa_supplicant/trunk/wpa_supplicant.install)
-----------------------------------------------------------------------------+
testing-i686/PKGBUILD | 69 +++++
testing-i686/config | 46 +++
testing-i686/rh1462262-use-system-openssl-ciphers.patch | 122 +++++++++
testing-i686/rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch | 127 ++++++++++
testing-i686/wpa_supplicant.install | 7
testing-x86_64/PKGBUILD | 69 +++++
testing-x86_64/config | 46 +++
testing-x86_64/rh1462262-use-system-openssl-ciphers.patch | 122 +++++++++
testing-x86_64/rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch | 127 ++++++++++
testing-x86_64/wpa_supplicant.install | 7
10 files changed, 742 insertions(+)
Copied: wpa_supplicant/repos/testing-i686/PKGBUILD (from rev 302175, wpa_supplicant/trunk/PKGBUILD)
===================================================================
--- testing-i686/PKGBUILD (rev 0)
+++ testing-i686/PKGBUILD 2017-08-14 13:00:28 UTC (rev 302176)
@@ -0,0 +1,69 @@
+# $Id$
+# Maintainer: Bartłomiej Piotrowski <bpiotrowski at archlinux.org>
+# Contributor: Thomas Bächler <thomas at archlinux.org>
+
+pkgname=wpa_supplicant
+pkgver=2.6
+pkgrel=9
+epoch=1
+pkgdesc='A utility providing key negotiation for WPA wireless networks'
+url='http://hostap.epitest.fi/wpa_supplicant'
+arch=(i686 x86_64)
+license=(GPL)
+depends=(openssl libdbus readline libnl)
+optdepends=('wpa_supplicant_gui: wpa_gui program')
+install=wpa_supplicant.install
+source=(https://w1.fi/releases/${pkgname}-${pkgver}.tar.gz{,.asc}
+ config
+ rh1462262-use-system-openssl-ciphers.patch
+ rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch)
+validpgpkeys=('EC4AA0A991A5F2464582D52D2B6EF432EFC895FA') # Jouni Malinen
+sha256sums=('b4936d34c4e6cdd44954beba74296d964bc2c9668ecaa5255e499636fe2b1450'
+ 'SKIP'
+ 'aeba21c48416342092964dada271ca6dfe842fc862774c2d3b150785225f66e2'
+ 'c52ee8bc67466cd662ebac4bad4b25dbb429526ba16fbc179a2ae014be01edfc'
+ 'ad2258313f06b04003dbbffe10bc3eab9deea9db400c57c3c01b08cfc0b0916b')
+
+prepare() {
+ cd "$srcdir/$pkgname-$pkgver"
+ patch -p1 -i "$srcdir/rh1462262-use-system-openssl-ciphers.patch"
+ patch -p1 -i "$srcdir/rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch"
+
+ cd $pkgname
+ cp "$srcdir/config" ./.config
+}
+
+build() {
+ cd "$srcdir/$pkgname-$pkgver/$pkgname"
+
+ # The Makefile does not pick up our CPPFLAGS
+ export CFLAGS="$CPPFLAGS $CFLAGS"
+ make LIBDIR=/usr/lib BINDIR=/usr/bin
+ make LIBDIR=/usr/lib BINDIR=/usr/bin eapol_test
+}
+
+package() {
+ cd "$srcdir/$pkgname-$pkgver/$pkgname"
+ make LIBDIR=/usr/lib BINDIR=/usr/bin DESTDIR="$pkgdir" install
+ install -Dm755 eapol_test "$pkgdir/usr/bin/eapol_test"
+
+ install -d -m755 "$pkgdir/etc/wpa_supplicant"
+ install -Dm644 wpa_supplicant.conf \
+ "$pkgdir/usr/share/doc/wpa_supplicant/wpa_supplicant.conf"
+
+ install -d -m755 "$pkgdir/usr/share/man/man"{5,8}
+ install -m644 doc/docbook/*.5 "$pkgdir/usr/share/man/man5/"
+ install -m644 doc/docbook/*.8 "$pkgdir/usr/share/man/man8/"
+ rm -f "$pkgdir/usr/share/man/man8/wpa_"{priv,gui}.8
+
+ install -d -m755 "$pkgdir/usr/share/dbus-1/system-services"
+ install -m644 \
+ dbus/fi.{epitest.hostap.WPASupplicant,w1.wpa_supplicant1}.service \
+ "$pkgdir/usr/share/dbus-1/system-services/"
+
+ install -Dm644 dbus/dbus-wpa_supplicant.conf \
+ "$pkgdir/etc/dbus-1/system.d/wpa_supplicant.conf"
+
+ install -d -m755 "$pkgdir/usr/lib/systemd/system"
+ install -m644 systemd/*.service "$pkgdir/usr/lib/systemd/system/"
+}
Copied: wpa_supplicant/repos/testing-i686/config (from rev 302175, wpa_supplicant/trunk/config)
===================================================================
--- testing-i686/config (rev 0)
+++ testing-i686/config 2017-08-14 13:00:28 UTC (rev 302176)
@@ -0,0 +1,46 @@
+CONFIG_AP=y
+CONFIG_AUTOSCAN_EXPONENTIAL=y
+CONFIG_AUTOSCAN_PERIODIC=y
+CONFIG_BACKEND=file
+CONFIG_BGSCAN_SIMPLE=y
+CONFIG_CTRL_IFACE=y
+CONFIG_CTRL_IFACE_BUS=y
+CONFIG_CTRL_IFACE_DBUS_INTRO=y
+CONFIG_CTRL_IFACE_DBUS_NEW=y
+CONFIG_DEBUG_FILE=y
+CONFIG_DRIVER_NL80211=y
+CONFIG_DRIVER_WEXT=y
+CONFIG_DRIVER_WIRED=y
+CONFIG_EAP_FAST=y
+CONFIG_EAP_GTC=y
+CONFIG_EAP_LEAP=y
+CONFIG_EAP_MD5=y
+CONFIG_EAP_MSCHAPV2=y
+CONFIG_EAP_OTP=y
+CONFIG_EAP_PEAP=y
+CONFIG_EAP_PWD=y
+CONFIG_EAP_TLS=y
+CONFIG_EAP_TTLS=y
+CONFIG_HS20=y
+CONFIG_HT_OVERRIDES=y
+CONFIG_IBSS_RSN=y
+CONFIG_IEEE80211AC=y
+CONFIG_IEEE80211N=y
+CONFIG_IEEE80211R=y
+CONFIG_IEEE80211W=y
+CONFIG_IEEE8021X_EAPOL=y
+CONFIG_INTERWORKING=y
+CONFIG_IPV6=y
+CONFIG_LIBNL32=y
+CONFIG_NO_RANDOM_POOL=y
+CONFIG_P2P=y
+CONFIG_PEERKEY=y
+CONFIG_PKCS12=y
+CONFIG_READLINE=y
+CONFIG_SMARTCARD=y
+CONFIG_TDLS=y
+CONFIG_VHT_OVERRIDES=y
+CONFIG_WIFI_DISPLAY=y
+CONFIG_WPS=y
+CONFIG_WPS_NFC=y
+CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW:3DES"
Copied: wpa_supplicant/repos/testing-i686/rh1462262-use-system-openssl-ciphers.patch (from rev 302175, wpa_supplicant/trunk/rh1462262-use-system-openssl-ciphers.patch)
===================================================================
--- testing-i686/rh1462262-use-system-openssl-ciphers.patch (rev 0)
+++ testing-i686/rh1462262-use-system-openssl-ciphers.patch 2017-08-14 13:00:28 UTC (rev 302176)
@@ -0,0 +1,122 @@
+From 61665e43b0509e3d05b2519bf10531bd2163ed66 Mon Sep 17 00:00:00 2001
+From: Beniamino Galvani <bgalvani at redhat.com>
+Date: Sun, 9 Jul 2017 11:06:50 +0200
+Subject: [PATCH] OpenSSL: Add build option to select default ciphers
+
+Add a build option to select different default ciphers for OpenSSL
+instead of the hardcoded default "DEFAULT:!EXP:!LOW".
+
+This new option is useful on distributions where the security level
+should be consistent for all applications, as in Fedora [1]. In such
+cases the new configuration option would be set to "" or
+"PROFILE=SYSTEM" to select the global crypto policy by default.
+
+[1] https://fedoraproject.org/wiki/Changes/CryptoPolicy
+
+Signed-off-by: Beniamino Galvani <bgalvani at redhat.com>
+(cherry picked from commit 2b9891bd6e125d3e28f26afde32e153db658b7cc)
+---
+ src/crypto/tls_openssl.c | 2 +-
+ wpa_supplicant/Android.mk | 4 ++++
+ wpa_supplicant/Makefile | 4 ++++
+ wpa_supplicant/android.config | 4 ++++
+ wpa_supplicant/defconfig | 4 ++++
+ wpa_supplicant/wpa_supplicant.conf | 4 ++--
+ 6 files changed, 19 insertions(+), 3 deletions(-)
+
+diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
+index 23ac64b..c4170b6 100644
+--- a/src/crypto/tls_openssl.c
++++ b/src/crypto/tls_openssl.c
+@@ -1017,7 +1017,7 @@ void * tls_init(const struct tls_config *conf)
+ if (conf && conf->openssl_ciphers)
+ ciphers = conf->openssl_ciphers;
+ else
+- ciphers = "DEFAULT:!EXP:!LOW";
++ ciphers = TLS_DEFAULT_CIPHERS;
+ if (SSL_CTX_set_cipher_list(ssl, ciphers) != 1) {
+ wpa_printf(MSG_ERROR,
+ "OpenSSL: Failed to set cipher string '%s'",
+diff --git a/wpa_supplicant/Android.mk b/wpa_supplicant/Android.mk
+index a8d6a7f..a9dc086 100644
+--- a/wpa_supplicant/Android.mk
++++ b/wpa_supplicant/Android.mk
+@@ -971,6 +971,10 @@ ifdef CONFIG_TLS_ADD_DL
+ LIBS += -ldl
+ LIBS_p += -ldl
+ endif
++ifndef CONFIG_TLS_DEFAULT_CIPHERS
++CONFIG_TLS_DEFAULT_CIPHERS = "DEFAULT:!EXP:!LOW"
++endif
++L_CFLAGS += -DTLS_DEFAULT_CIPHERS=\"$(CONFIG_TLS_DEFAULT_CIPHERS)\"
+ endif
+
+ ifeq ($(CONFIG_TLS), gnutls)
+diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
+index 512052e..cc55a52 100644
+--- a/wpa_supplicant/Makefile
++++ b/wpa_supplicant/Makefile
+@@ -1020,6 +1020,10 @@ ifdef CONFIG_TLS_ADD_DL
+ LIBS += -ldl
+ LIBS_p += -ldl
+ endif
++ifndef CONFIG_TLS_DEFAULT_CIPHERS
++CONFIG_TLS_DEFAULT_CIPHERS = "DEFAULT:!EXP:!LOW"
++endif
++CFLAGS += -DTLS_DEFAULT_CIPHERS=\"$(CONFIG_TLS_DEFAULT_CIPHERS)\"
+ endif
+
+ ifeq ($(CONFIG_TLS), gnutls)
+diff --git a/wpa_supplicant/android.config b/wpa_supplicant/android.config
+index 02505bb..f3cc838 100644
+--- a/wpa_supplicant/android.config
++++ b/wpa_supplicant/android.config
+@@ -291,6 +291,10 @@ CONFIG_IEEE80211W=y
+ # will be used)
+ #CONFIG_TLSV12=y
+
++# Select which ciphers to use by default with OpenSSL if the user does not
++# specify them.
++#CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW"
++
+ # If CONFIG_TLS=internal is used, additional library and include paths are
+ # needed for LibTomMath. Alternatively, an integrated, minimal version of
+ # LibTomMath can be used. See beginning of libtommath.c for details on benefits
+diff --git a/wpa_supplicant/defconfig b/wpa_supplicant/defconfig
+index 1d05198..8b0eb87 100644
+--- a/wpa_supplicant/defconfig
++++ b/wpa_supplicant/defconfig
+@@ -316,6 +316,10 @@ CONFIG_PEERKEY=y
+ # will be used)
+ #CONFIG_TLSV12=y
+
++# Select which ciphers to use by default with OpenSSL if the user does not
++# specify them.
++#CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW"
++
+ # If CONFIG_TLS=internal is used, additional library and include paths are
+ # needed for LibTomMath. Alternatively, an integrated, minimal version of
+ # LibTomMath can be used. See beginning of libtommath.c for details on benefits
+diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
+index 1061c98..70989c0 100644
+--- a/wpa_supplicant/wpa_supplicant.conf
++++ b/wpa_supplicant/wpa_supplicant.conf
+@@ -183,13 +183,13 @@ fast_reauth=1
+ # OpenSSL cipher string
+ #
+ # This is an OpenSSL specific configuration option for configuring the default
+-# ciphers. If not set, "DEFAULT:!EXP:!LOW" is used as the default.
++# ciphers. If not set, the value configured at build time ("DEFAULT:!EXP:!LOW"
++# by default) is used.
+ # See https://www.openssl.org/docs/apps/ciphers.html for OpenSSL documentation
+ # on cipher suite configuration. This is applicable only if wpa_supplicant is
+ # built to use OpenSSL.
+ #openssl_ciphers=DEFAULT:!EXP:!LOW
+
+-
+ # Dynamic EAP methods
+ # If EAP methods were built dynamically as shared object files, they need to be
+ # loaded here before being used in the network blocks. By default, EAP methods
+--
+2.9.3
+
Copied: wpa_supplicant/repos/testing-i686/rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch (from rev 302175, wpa_supplicant/trunk/rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch)
===================================================================
--- testing-i686/rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch (rev 0)
+++ testing-i686/rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch 2017-08-14 13:00:28 UTC (rev 302176)
@@ -0,0 +1,127 @@
+From 25b37c54a47e49d591f5752bbf0f510480402cae Mon Sep 17 00:00:00 2001
+From: Beniamino Galvani <bgalvani at redhat.com>
+Date: Sun, 9 Jul 2017 11:14:10 +0200
+Subject: [PATCH 1/2] OpenSSL: Fix private key password handling with OpenSSL
+ >= 1.1.0f
+
+Since OpenSSL version 1.1.0f, SSL_use_PrivateKey_file() uses the
+callback from the SSL object instead of the one from the CTX, so let's
+set the callback on both SSL and CTX. Note that
+SSL_set_default_passwd_cb*() is available only in 1.1.0.
+
+Signed-off-by: Beniamino Galvani <bgalvani at redhat.com>
+(cherry picked from commit f665c93e1d28fbab3d9127a8c3985cc32940824f)
+---
+ src/crypto/tls_openssl.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
+index c4170b6..bceb8c3 100644
+--- a/src/crypto/tls_openssl.c
++++ b/src/crypto/tls_openssl.c
+@@ -2779,6 +2779,15 @@ static int tls_connection_private_key(struct tls_data *data,
+ } else
+ passwd = NULL;
+
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
++ /*
++ * In OpenSSL >= 1.1.0f SSL_use_PrivateKey_file() uses the callback
++ * from the SSL object. See OpenSSL commit d61461a75253.
++ */
++ SSL_set_default_passwd_cb(conn->ssl, tls_passwd_cb);
++ SSL_set_default_passwd_cb_userdata(conn->ssl, passwd);
++#endif /* >= 1.1.0f && !LibreSSL */
++ /* Keep these for OpenSSL < 1.1.0f */
+ SSL_CTX_set_default_passwd_cb(ssl_ctx, tls_passwd_cb);
+ SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, passwd);
+
+@@ -2869,6 +2878,9 @@ static int tls_connection_private_key(struct tls_data *data,
+ return -1;
+ }
+ ERR_clear_error();
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
++ SSL_set_default_passwd_cb(conn->ssl, NULL);
++#endif /* >= 1.1.0f && !LibreSSL */
+ SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL);
+ os_free(passwd);
+
+--
+2.9.3
+
+From b2887d6964a406eb5f88f4ad4e9764c468954382 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j at w1.fi>
+Date: Mon, 17 Jul 2017 12:06:17 +0300
+Subject: [PATCH 2/2] OpenSSL: Clear default_passwd_cb more thoroughly
+
+Previously, the pointer to strdup passwd was left in OpenSSL library
+default_passwd_cb_userdata and even the default_passwd_cb was left set
+on an error path. To avoid unexpected behavior if something were to
+manage to use there pointers, clear them explicitly once done with
+loading of the private key.
+
+Signed-off-by: Jouni Malinen <j at w1.fi>
+(cherry picked from commit 89971d8b1e328a2f79699c953625d1671fd40384)
+---
+ src/crypto/tls_openssl.c | 22 +++++++++++++++++-----
+ 1 file changed, 17 insertions(+), 5 deletions(-)
+
+diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
+index bceb8c3..770af9e 100644
+--- a/src/crypto/tls_openssl.c
++++ b/src/crypto/tls_openssl.c
+@@ -2758,6 +2758,19 @@ static int tls_connection_engine_private_key(struct tls_connection *conn)
+ }
+
+
++static void tls_clear_default_passwd_cb(SSL_CTX *ssl_ctx, SSL *ssl)
++{
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
++ if (ssl) {
++ SSL_set_default_passwd_cb(ssl, NULL);
++ SSL_set_default_passwd_cb_userdata(ssl, NULL);
++ }
++#endif /* >= 1.1.0f && !LibreSSL */
++ SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL);
++ SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, NULL);
++}
++
++
+ static int tls_connection_private_key(struct tls_data *data,
+ struct tls_connection *conn,
+ const char *private_key,
+@@ -2874,14 +2887,12 @@ static int tls_connection_private_key(struct tls_data *data,
+ if (!ok) {
+ tls_show_errors(MSG_INFO, __func__,
+ "Failed to load private key");
++ tls_clear_default_passwd_cb(ssl_ctx, conn->ssl);
+ os_free(passwd);
+ return -1;
+ }
+ ERR_clear_error();
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+- SSL_set_default_passwd_cb(conn->ssl, NULL);
+-#endif /* >= 1.1.0f && !LibreSSL */
+- SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL);
++ tls_clear_default_passwd_cb(ssl_ctx, conn->ssl);
+ os_free(passwd);
+
+ if (!SSL_check_private_key(conn->ssl)) {
+@@ -2924,13 +2935,14 @@ static int tls_global_private_key(struct tls_data *data,
+ tls_read_pkcs12(data, NULL, private_key, passwd)) {
+ tls_show_errors(MSG_INFO, __func__,
+ "Failed to load private key");
++ tls_clear_default_passwd_cb(ssl_ctx, NULL);
+ os_free(passwd);
+ ERR_clear_error();
+ return -1;
+ }
++ tls_clear_default_passwd_cb(ssl_ctx, NULL);
+ os_free(passwd);
+ ERR_clear_error();
+- SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL);
+
+ if (!SSL_CTX_check_private_key(ssl_ctx)) {
+ tls_show_errors(MSG_INFO, __func__,
+--
+2.9.3
+
Copied: wpa_supplicant/repos/testing-i686/wpa_supplicant.install (from rev 302175, wpa_supplicant/trunk/wpa_supplicant.install)
===================================================================
--- testing-i686/wpa_supplicant.install (rev 0)
+++ testing-i686/wpa_supplicant.install 2017-08-14 13:00:28 UTC (rev 302176)
@@ -0,0 +1,7 @@
+post_upgrade() {
+ if [[ $(vercmp "$2" '1:2.6-3') -lt 0 ]]; then
+ echo ':: The /etc/wpa_supplicant/wpa_supplicant.conf is file no longer managed by pacman'
+ echo ' and if it was modified, it has been renamed to wpa_supplicant.conf.pacsave.'
+ echo ' Move it to the original location if needed.'
+ fi
+}
Copied: wpa_supplicant/repos/testing-x86_64/PKGBUILD (from rev 302175, wpa_supplicant/trunk/PKGBUILD)
===================================================================
--- testing-x86_64/PKGBUILD (rev 0)
+++ testing-x86_64/PKGBUILD 2017-08-14 13:00:28 UTC (rev 302176)
@@ -0,0 +1,69 @@
+# $Id$
+# Maintainer: Bartłomiej Piotrowski <bpiotrowski at archlinux.org>
+# Contributor: Thomas Bächler <thomas at archlinux.org>
+
+pkgname=wpa_supplicant
+pkgver=2.6
+pkgrel=9
+epoch=1
+pkgdesc='A utility providing key negotiation for WPA wireless networks'
+url='http://hostap.epitest.fi/wpa_supplicant'
+arch=(i686 x86_64)
+license=(GPL)
+depends=(openssl libdbus readline libnl)
+optdepends=('wpa_supplicant_gui: wpa_gui program')
+install=wpa_supplicant.install
+source=(https://w1.fi/releases/${pkgname}-${pkgver}.tar.gz{,.asc}
+ config
+ rh1462262-use-system-openssl-ciphers.patch
+ rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch)
+validpgpkeys=('EC4AA0A991A5F2464582D52D2B6EF432EFC895FA') # Jouni Malinen
+sha256sums=('b4936d34c4e6cdd44954beba74296d964bc2c9668ecaa5255e499636fe2b1450'
+ 'SKIP'
+ 'aeba21c48416342092964dada271ca6dfe842fc862774c2d3b150785225f66e2'
+ 'c52ee8bc67466cd662ebac4bad4b25dbb429526ba16fbc179a2ae014be01edfc'
+ 'ad2258313f06b04003dbbffe10bc3eab9deea9db400c57c3c01b08cfc0b0916b')
+
+prepare() {
+ cd "$srcdir/$pkgname-$pkgver"
+ patch -p1 -i "$srcdir/rh1462262-use-system-openssl-ciphers.patch"
+ patch -p1 -i "$srcdir/rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch"
+
+ cd $pkgname
+ cp "$srcdir/config" ./.config
+}
+
+build() {
+ cd "$srcdir/$pkgname-$pkgver/$pkgname"
+
+ # The Makefile does not pick up our CPPFLAGS
+ export CFLAGS="$CPPFLAGS $CFLAGS"
+ make LIBDIR=/usr/lib BINDIR=/usr/bin
+ make LIBDIR=/usr/lib BINDIR=/usr/bin eapol_test
+}
+
+package() {
+ cd "$srcdir/$pkgname-$pkgver/$pkgname"
+ make LIBDIR=/usr/lib BINDIR=/usr/bin DESTDIR="$pkgdir" install
+ install -Dm755 eapol_test "$pkgdir/usr/bin/eapol_test"
+
+ install -d -m755 "$pkgdir/etc/wpa_supplicant"
+ install -Dm644 wpa_supplicant.conf \
+ "$pkgdir/usr/share/doc/wpa_supplicant/wpa_supplicant.conf"
+
+ install -d -m755 "$pkgdir/usr/share/man/man"{5,8}
+ install -m644 doc/docbook/*.5 "$pkgdir/usr/share/man/man5/"
+ install -m644 doc/docbook/*.8 "$pkgdir/usr/share/man/man8/"
+ rm -f "$pkgdir/usr/share/man/man8/wpa_"{priv,gui}.8
+
+ install -d -m755 "$pkgdir/usr/share/dbus-1/system-services"
+ install -m644 \
+ dbus/fi.{epitest.hostap.WPASupplicant,w1.wpa_supplicant1}.service \
+ "$pkgdir/usr/share/dbus-1/system-services/"
+
+ install -Dm644 dbus/dbus-wpa_supplicant.conf \
+ "$pkgdir/etc/dbus-1/system.d/wpa_supplicant.conf"
+
+ install -d -m755 "$pkgdir/usr/lib/systemd/system"
+ install -m644 systemd/*.service "$pkgdir/usr/lib/systemd/system/"
+}
Copied: wpa_supplicant/repos/testing-x86_64/config (from rev 302175, wpa_supplicant/trunk/config)
===================================================================
--- testing-x86_64/config (rev 0)
+++ testing-x86_64/config 2017-08-14 13:00:28 UTC (rev 302176)
@@ -0,0 +1,46 @@
+CONFIG_AP=y
+CONFIG_AUTOSCAN_EXPONENTIAL=y
+CONFIG_AUTOSCAN_PERIODIC=y
+CONFIG_BACKEND=file
+CONFIG_BGSCAN_SIMPLE=y
+CONFIG_CTRL_IFACE=y
+CONFIG_CTRL_IFACE_BUS=y
+CONFIG_CTRL_IFACE_DBUS_INTRO=y
+CONFIG_CTRL_IFACE_DBUS_NEW=y
+CONFIG_DEBUG_FILE=y
+CONFIG_DRIVER_NL80211=y
+CONFIG_DRIVER_WEXT=y
+CONFIG_DRIVER_WIRED=y
+CONFIG_EAP_FAST=y
+CONFIG_EAP_GTC=y
+CONFIG_EAP_LEAP=y
+CONFIG_EAP_MD5=y
+CONFIG_EAP_MSCHAPV2=y
+CONFIG_EAP_OTP=y
+CONFIG_EAP_PEAP=y
+CONFIG_EAP_PWD=y
+CONFIG_EAP_TLS=y
+CONFIG_EAP_TTLS=y
+CONFIG_HS20=y
+CONFIG_HT_OVERRIDES=y
+CONFIG_IBSS_RSN=y
+CONFIG_IEEE80211AC=y
+CONFIG_IEEE80211N=y
+CONFIG_IEEE80211R=y
+CONFIG_IEEE80211W=y
+CONFIG_IEEE8021X_EAPOL=y
+CONFIG_INTERWORKING=y
+CONFIG_IPV6=y
+CONFIG_LIBNL32=y
+CONFIG_NO_RANDOM_POOL=y
+CONFIG_P2P=y
+CONFIG_PEERKEY=y
+CONFIG_PKCS12=y
+CONFIG_READLINE=y
+CONFIG_SMARTCARD=y
+CONFIG_TDLS=y
+CONFIG_VHT_OVERRIDES=y
+CONFIG_WIFI_DISPLAY=y
+CONFIG_WPS=y
+CONFIG_WPS_NFC=y
+CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW:3DES"
Copied: wpa_supplicant/repos/testing-x86_64/rh1462262-use-system-openssl-ciphers.patch (from rev 302175, wpa_supplicant/trunk/rh1462262-use-system-openssl-ciphers.patch)
===================================================================
--- testing-x86_64/rh1462262-use-system-openssl-ciphers.patch (rev 0)
+++ testing-x86_64/rh1462262-use-system-openssl-ciphers.patch 2017-08-14 13:00:28 UTC (rev 302176)
@@ -0,0 +1,122 @@
+From 61665e43b0509e3d05b2519bf10531bd2163ed66 Mon Sep 17 00:00:00 2001
+From: Beniamino Galvani <bgalvani at redhat.com>
+Date: Sun, 9 Jul 2017 11:06:50 +0200
+Subject: [PATCH] OpenSSL: Add build option to select default ciphers
+
+Add a build option to select different default ciphers for OpenSSL
+instead of the hardcoded default "DEFAULT:!EXP:!LOW".
+
+This new option is useful on distributions where the security level
+should be consistent for all applications, as in Fedora [1]. In such
+cases the new configuration option would be set to "" or
+"PROFILE=SYSTEM" to select the global crypto policy by default.
+
+[1] https://fedoraproject.org/wiki/Changes/CryptoPolicy
+
+Signed-off-by: Beniamino Galvani <bgalvani at redhat.com>
+(cherry picked from commit 2b9891bd6e125d3e28f26afde32e153db658b7cc)
+---
+ src/crypto/tls_openssl.c | 2 +-
+ wpa_supplicant/Android.mk | 4 ++++
+ wpa_supplicant/Makefile | 4 ++++
+ wpa_supplicant/android.config | 4 ++++
+ wpa_supplicant/defconfig | 4 ++++
+ wpa_supplicant/wpa_supplicant.conf | 4 ++--
+ 6 files changed, 19 insertions(+), 3 deletions(-)
+
+diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
+index 23ac64b..c4170b6 100644
+--- a/src/crypto/tls_openssl.c
++++ b/src/crypto/tls_openssl.c
+@@ -1017,7 +1017,7 @@ void * tls_init(const struct tls_config *conf)
+ if (conf && conf->openssl_ciphers)
+ ciphers = conf->openssl_ciphers;
+ else
+- ciphers = "DEFAULT:!EXP:!LOW";
++ ciphers = TLS_DEFAULT_CIPHERS;
+ if (SSL_CTX_set_cipher_list(ssl, ciphers) != 1) {
+ wpa_printf(MSG_ERROR,
+ "OpenSSL: Failed to set cipher string '%s'",
+diff --git a/wpa_supplicant/Android.mk b/wpa_supplicant/Android.mk
+index a8d6a7f..a9dc086 100644
+--- a/wpa_supplicant/Android.mk
++++ b/wpa_supplicant/Android.mk
+@@ -971,6 +971,10 @@ ifdef CONFIG_TLS_ADD_DL
+ LIBS += -ldl
+ LIBS_p += -ldl
+ endif
++ifndef CONFIG_TLS_DEFAULT_CIPHERS
++CONFIG_TLS_DEFAULT_CIPHERS = "DEFAULT:!EXP:!LOW"
++endif
++L_CFLAGS += -DTLS_DEFAULT_CIPHERS=\"$(CONFIG_TLS_DEFAULT_CIPHERS)\"
+ endif
+
+ ifeq ($(CONFIG_TLS), gnutls)
+diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
+index 512052e..cc55a52 100644
+--- a/wpa_supplicant/Makefile
++++ b/wpa_supplicant/Makefile
+@@ -1020,6 +1020,10 @@ ifdef CONFIG_TLS_ADD_DL
+ LIBS += -ldl
+ LIBS_p += -ldl
+ endif
++ifndef CONFIG_TLS_DEFAULT_CIPHERS
++CONFIG_TLS_DEFAULT_CIPHERS = "DEFAULT:!EXP:!LOW"
++endif
++CFLAGS += -DTLS_DEFAULT_CIPHERS=\"$(CONFIG_TLS_DEFAULT_CIPHERS)\"
+ endif
+
+ ifeq ($(CONFIG_TLS), gnutls)
+diff --git a/wpa_supplicant/android.config b/wpa_supplicant/android.config
+index 02505bb..f3cc838 100644
+--- a/wpa_supplicant/android.config
++++ b/wpa_supplicant/android.config
+@@ -291,6 +291,10 @@ CONFIG_IEEE80211W=y
+ # will be used)
+ #CONFIG_TLSV12=y
+
++# Select which ciphers to use by default with OpenSSL if the user does not
++# specify them.
++#CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW"
++
+ # If CONFIG_TLS=internal is used, additional library and include paths are
+ # needed for LibTomMath. Alternatively, an integrated, minimal version of
+ # LibTomMath can be used. See beginning of libtommath.c for details on benefits
+diff --git a/wpa_supplicant/defconfig b/wpa_supplicant/defconfig
+index 1d05198..8b0eb87 100644
+--- a/wpa_supplicant/defconfig
++++ b/wpa_supplicant/defconfig
+@@ -316,6 +316,10 @@ CONFIG_PEERKEY=y
+ # will be used)
+ #CONFIG_TLSV12=y
+
++# Select which ciphers to use by default with OpenSSL if the user does not
++# specify them.
++#CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW"
++
+ # If CONFIG_TLS=internal is used, additional library and include paths are
+ # needed for LibTomMath. Alternatively, an integrated, minimal version of
+ # LibTomMath can be used. See beginning of libtommath.c for details on benefits
+diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
+index 1061c98..70989c0 100644
+--- a/wpa_supplicant/wpa_supplicant.conf
++++ b/wpa_supplicant/wpa_supplicant.conf
+@@ -183,13 +183,13 @@ fast_reauth=1
+ # OpenSSL cipher string
+ #
+ # This is an OpenSSL specific configuration option for configuring the default
+-# ciphers. If not set, "DEFAULT:!EXP:!LOW" is used as the default.
++# ciphers. If not set, the value configured at build time ("DEFAULT:!EXP:!LOW"
++# by default) is used.
+ # See https://www.openssl.org/docs/apps/ciphers.html for OpenSSL documentation
+ # on cipher suite configuration. This is applicable only if wpa_supplicant is
+ # built to use OpenSSL.
+ #openssl_ciphers=DEFAULT:!EXP:!LOW
+
+-
+ # Dynamic EAP methods
+ # If EAP methods were built dynamically as shared object files, they need to be
+ # loaded here before being used in the network blocks. By default, EAP methods
+--
+2.9.3
+
Copied: wpa_supplicant/repos/testing-x86_64/rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch (from rev 302175, wpa_supplicant/trunk/rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch)
===================================================================
--- testing-x86_64/rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch (rev 0)
+++ testing-x86_64/rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch 2017-08-14 13:00:28 UTC (rev 302176)
@@ -0,0 +1,127 @@
+From 25b37c54a47e49d591f5752bbf0f510480402cae Mon Sep 17 00:00:00 2001
+From: Beniamino Galvani <bgalvani at redhat.com>
+Date: Sun, 9 Jul 2017 11:14:10 +0200
+Subject: [PATCH 1/2] OpenSSL: Fix private key password handling with OpenSSL
+ >= 1.1.0f
+
+Since OpenSSL version 1.1.0f, SSL_use_PrivateKey_file() uses the
+callback from the SSL object instead of the one from the CTX, so let's
+set the callback on both SSL and CTX. Note that
+SSL_set_default_passwd_cb*() is available only in 1.1.0.
+
+Signed-off-by: Beniamino Galvani <bgalvani at redhat.com>
+(cherry picked from commit f665c93e1d28fbab3d9127a8c3985cc32940824f)
+---
+ src/crypto/tls_openssl.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
+index c4170b6..bceb8c3 100644
+--- a/src/crypto/tls_openssl.c
++++ b/src/crypto/tls_openssl.c
+@@ -2779,6 +2779,15 @@ static int tls_connection_private_key(struct tls_data *data,
+ } else
+ passwd = NULL;
+
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
++ /*
++ * In OpenSSL >= 1.1.0f SSL_use_PrivateKey_file() uses the callback
++ * from the SSL object. See OpenSSL commit d61461a75253.
++ */
++ SSL_set_default_passwd_cb(conn->ssl, tls_passwd_cb);
++ SSL_set_default_passwd_cb_userdata(conn->ssl, passwd);
++#endif /* >= 1.1.0f && !LibreSSL */
++ /* Keep these for OpenSSL < 1.1.0f */
+ SSL_CTX_set_default_passwd_cb(ssl_ctx, tls_passwd_cb);
+ SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, passwd);
+
+@@ -2869,6 +2878,9 @@ static int tls_connection_private_key(struct tls_data *data,
+ return -1;
+ }
+ ERR_clear_error();
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
++ SSL_set_default_passwd_cb(conn->ssl, NULL);
++#endif /* >= 1.1.0f && !LibreSSL */
+ SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL);
+ os_free(passwd);
+
+--
+2.9.3
+
+From b2887d6964a406eb5f88f4ad4e9764c468954382 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j at w1.fi>
+Date: Mon, 17 Jul 2017 12:06:17 +0300
+Subject: [PATCH 2/2] OpenSSL: Clear default_passwd_cb more thoroughly
+
+Previously, the pointer to strdup passwd was left in OpenSSL library
+default_passwd_cb_userdata and even the default_passwd_cb was left set
+on an error path. To avoid unexpected behavior if something were to
+manage to use there pointers, clear them explicitly once done with
+loading of the private key.
+
+Signed-off-by: Jouni Malinen <j at w1.fi>
+(cherry picked from commit 89971d8b1e328a2f79699c953625d1671fd40384)
+---
+ src/crypto/tls_openssl.c | 22 +++++++++++++++++-----
+ 1 file changed, 17 insertions(+), 5 deletions(-)
+
+diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
+index bceb8c3..770af9e 100644
+--- a/src/crypto/tls_openssl.c
++++ b/src/crypto/tls_openssl.c
+@@ -2758,6 +2758,19 @@ static int tls_connection_engine_private_key(struct tls_connection *conn)
+ }
+
+
++static void tls_clear_default_passwd_cb(SSL_CTX *ssl_ctx, SSL *ssl)
++{
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
++ if (ssl) {
++ SSL_set_default_passwd_cb(ssl, NULL);
++ SSL_set_default_passwd_cb_userdata(ssl, NULL);
++ }
++#endif /* >= 1.1.0f && !LibreSSL */
++ SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL);
++ SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, NULL);
++}
++
++
+ static int tls_connection_private_key(struct tls_data *data,
+ struct tls_connection *conn,
+ const char *private_key,
+@@ -2874,14 +2887,12 @@ static int tls_connection_private_key(struct tls_data *data,
+ if (!ok) {
+ tls_show_errors(MSG_INFO, __func__,
+ "Failed to load private key");
++ tls_clear_default_passwd_cb(ssl_ctx, conn->ssl);
+ os_free(passwd);
+ return -1;
+ }
+ ERR_clear_error();
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+- SSL_set_default_passwd_cb(conn->ssl, NULL);
+-#endif /* >= 1.1.0f && !LibreSSL */
+- SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL);
++ tls_clear_default_passwd_cb(ssl_ctx, conn->ssl);
+ os_free(passwd);
+
+ if (!SSL_check_private_key(conn->ssl)) {
+@@ -2924,13 +2935,14 @@ static int tls_global_private_key(struct tls_data *data,
+ tls_read_pkcs12(data, NULL, private_key, passwd)) {
+ tls_show_errors(MSG_INFO, __func__,
+ "Failed to load private key");
++ tls_clear_default_passwd_cb(ssl_ctx, NULL);
+ os_free(passwd);
+ ERR_clear_error();
+ return -1;
+ }
++ tls_clear_default_passwd_cb(ssl_ctx, NULL);
+ os_free(passwd);
+ ERR_clear_error();
+- SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL);
+
+ if (!SSL_CTX_check_private_key(ssl_ctx)) {
+ tls_show_errors(MSG_INFO, __func__,
+--
+2.9.3
+
Copied: wpa_supplicant/repos/testing-x86_64/wpa_supplicant.install (from rev 302175, wpa_supplicant/trunk/wpa_supplicant.install)
===================================================================
--- testing-x86_64/wpa_supplicant.install (rev 0)
+++ testing-x86_64/wpa_supplicant.install 2017-08-14 13:00:28 UTC (rev 302176)
@@ -0,0 +1,7 @@
+post_upgrade() {
+ if [[ $(vercmp "$2" '1:2.6-3') -lt 0 ]]; then
+ echo ':: The /etc/wpa_supplicant/wpa_supplicant.conf is file no longer managed by pacman'
+ echo ' and if it was modified, it has been renamed to wpa_supplicant.conf.pacsave.'
+ echo ' Move it to the original location if needed.'
+ fi
+}
More information about the arch-commits
mailing list