diff options
author | V3n3RiX <venerix@redcorelinux.org> | 2018-12-24 14:11:38 +0000 |
---|---|---|
committer | V3n3RiX <venerix@redcorelinux.org> | 2018-12-24 14:11:38 +0000 |
commit | de49812990871e1705b64051c35161d5e6400269 (patch) | |
tree | 5e1e8fcb0ff4579dbd22a1bfee28a6b97dc8aaeb /net-wireless/wpa_supplicant | |
parent | 536c3711867ec947c1738f2c4b96f22e4863322d (diff) |
gentoo resync : 24.12.2018
Diffstat (limited to 'net-wireless/wpa_supplicant')
-rw-r--r-- | net-wireless/wpa_supplicant/Manifest | 11 | ||||
-rw-r--r-- | net-wireless/wpa_supplicant/files/rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch | 44 | ||||
-rw-r--r-- | net-wireless/wpa_supplicant/files/wpa_supplicant-2.6-openssl-1.1.patch | 48 | ||||
-rw-r--r-- | net-wireless/wpa_supplicant/files/wpa_supplicant-2.7-fix-undefined-remove-ie.patch | 38 | ||||
-rw-r--r-- | net-wireless/wpa_supplicant/wpa_supplicant-2.6-r10.ebuild (renamed from net-wireless/wpa_supplicant/wpa_supplicant-2.6-r8.ebuild) | 10 | ||||
-rw-r--r-- | net-wireless/wpa_supplicant/wpa_supplicant-2.6-r3.ebuild | 401 | ||||
-rw-r--r-- | net-wireless/wpa_supplicant/wpa_supplicant-2.7.ebuild (renamed from net-wireless/wpa_supplicant/wpa_supplicant-2.6-r5.ebuild) | 64 | ||||
-rw-r--r-- | net-wireless/wpa_supplicant/wpa_supplicant-9999.ebuild | 11 |
8 files changed, 192 insertions, 435 deletions
diff --git a/net-wireless/wpa_supplicant/Manifest b/net-wireless/wpa_supplicant/Manifest index fe9df8bed0c0..d3ef9de00be4 100644 --- a/net-wireless/wpa_supplicant/Manifest +++ b/net-wireless/wpa_supplicant/Manifest @@ -6,17 +6,20 @@ AUX 2017-1/rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch 194 AUX 2017-1/rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch 4309 BLAKE2B 6164e0343d7e4bedcaf2be9c3800eeb146a564fffeb339d032706797c04f268ade0674e67c962653c2a124af5a8ff8d28004bbeba0f3e73b166dbed03cd9a355 SHA512 37d050b2e4a3598484912667d8b2705fbe84c5c562267f900d42b0c7b606fb1fed09ddca8b80e2131768baa8f3690aab6ba7a232dee6ff1e66150fdb8816c927 AUX 2017-1/rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch 1649 BLAKE2B a8a486e782b7095c3eeb13706d815cd2f72ddf94c50e5bc8c3a9f36fc68580b1a10150ce405a161f2af2f2e5f2e5ba63d6c54807fcd9c71337956d69cd57b90e SHA512 111e655cfbb3a86e3792040e0ea375490d31c42c9d43cbe911290d54df5f4db437e4c8ad0e937c51729dcefeb0db0989b8ab55b9523398683abd08ebfec18076 AUX 2017-1/rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch 2750 BLAKE2B 059da1df148c8db68c9fa6aa656e46da301ebe7de3e41ecd4675ca579ebf6f1a66395e852cd8b562743ba83a345d4860618ea11bd01304a3386867115867fb9f SHA512 fc84edd8b30305cc42053c872554098f3f077292ec980ed6a442f37884087ff2f055738fd55977ed792bef1887dcc8c4626586465d78dd0258edb83dcd50a65a +AUX rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch 1999 BLAKE2B d261d3184fcb57f804aeaad487dcbd81f1b74b1145f90285cc226839675b00bc6bf21ac8ec3a891427d3ce01a398d2fe118184ae36effa62df199e8398c1cb24 SHA512 c275cb1a41901d3e5389ca301809baa16a73b40afdcd3a24b63b294e1b9e5eaead148b30742273deecbdd03c6b387a6b3da74de2ae6c49a499b5dd326ff4da9f AUX wpa_cli.sh 1284 BLAKE2B 50757aa432bf714923d0ff5e2e8357bf3126c82dcfebbc2c342325ad97e3ca95a15ea138f9a55e5a7b9ac86cb2518c173e7d5186d5feb3e57ac762a71b11ef85 SHA512 250372231eda6f7228fcf76b13fc1b95637d0d9dec96b7bef820bfa1af1496f218909f521daf2ddb2ca81d0ebb3162500f833575b64d8d2b4820c247499e1c56 AUX wpa_supplicant-2.6-do-not-call-dbus-functions-with-NULL-path.patch 486 BLAKE2B 877e15a45851331a1499cf8bc96fd514d88b6b270f54d52760e46cc7edbcc4b74a48a0271f0c93b546bb659203c56fdfba63b231757c21ca8ee6ade98406ac2e SHA512 dac56bc505a51167042ebe548f0e81a20a5578f753af9bb7ec3335a542d799c6e8739681ef7c8f7747a9bc954f8aa6f1a147250eacba17fd7fff80c4e53638ed AUX wpa_supplicant-2.6-libressl-compatibility.patch 3873 BLAKE2B 281029d49bd4267df5913aa87b2e70741def66646f6cfbf5cf163e88522ae5bb933be3ed0df971ff2872a25a36584409feb0d22acf8254f446421201026b1ce8 SHA512 61c4cfeb119a9bc7ab1d4f690c1af5bce2def7836212469011c277ad4d97ab601d2a1efca7dc7bea433d974a8820aed7740e2cf047a0c63734d8a71e3df14e45 AUX wpa_supplicant-2.6-libressl.patch 3003 BLAKE2B 49781bcb77e84912b8f46ec992da7c6b1b015cc793208e1f8afa6457991bcc1be130810d90671f0e53fa65dcebd4528c6e359f69a2576ee715317b796d31eec2 SHA512 2fb29ec14db2f33f8c011e1c2e98eef4d36b2e9f3b36f6058c390484ae5c64ad5d67aa25f138829503fabfac374bda24172871bdefef2a0566db963a5a362ec8 +AUX wpa_supplicant-2.6-openssl-1.1.patch 1777 BLAKE2B 0c879e05aba224524919a3879cf5995bae9f973c5629079292cb17666151b981748d9e7ab8589da977cc2c04b96c232abba359446ee14b5a69742b865293f746 SHA512 638d1238387382bdd888158f4c97b2af13d16ec12db31e2d409957bf00fa45fbf3a1beb109c56c815b0dc64a861b17cccc4d7cc998110c772dd2d1bfa724efc5 +AUX wpa_supplicant-2.7-fix-undefined-remove-ie.patch 1115 BLAKE2B 207c8265f6819b9d956cd99cd1f1056d6fcdf6f857fc63150a9419ee83263e0173f2e8f00b061a4c48eb516cb1c3c00f5137a9bacb857dbe6d5e6f912d77c574 SHA512 5e790b3ae50f3d29cb38f73cff30f8994798e7bdbecc9f852def910a8150c1724c051bbb52603fa9c6818c950a5fe347bccd21848427f31f54d641ae40621c3f AUX wpa_supplicant-conf.d 291 BLAKE2B 348e7d21fe01d2fdd2117adf22444557fa3d401f649489afd1636105cdddc29d58d45659c5368cc177f919ce94a7e2b5a9ed3fe8ddccd1fba3d059d270bae1a8 SHA512 6bbb9d4f6132b3d4e20cd65f27245ccadd60712ef5794261499f882057a930a393297e491d8147e04e30c0a53645af0eb3514332587118c19b5594f23f1d62ad AUX wpa_supplicant-init.d 1250 BLAKE2B 159ebbd5a3552cbd8fdd6d48984c3a511e77cf1e140f56fc1d3e6b16454351a270e566dd7fc4717b92251193bdf59a77f57fc3fdd1d53b067f2e5253796c041b SHA512 f7439937a11d7a91eee98ab9e16a4853ce8e27395970007ae60ca9a8b1852fadc4a37ee0bf81d7e4806c545f70b139f26942ed1630db070abe8fe8e5ce752403 AUX wpa_supplicant.conf 183 BLAKE2B ea25d56f366783548b8d4bc14615d89d1c9cff1e6535992d14fa2f87a095b6c7226fbdf6b2d2ecd5fdcc13fb413fc56d5294f906c840ab3f9386c99ea69139fc SHA512 425a5c955d462ea0d0d3f79c3e1bbf68e15b495df04ad03ed7aee12408b52616af05650dfc147ca5940d69e97360c33995d33733820fef8eb8769b31e58434e8 DIST wpa_supplicant-2.6.tar.gz 2753524 BLAKE2B 99c61326c402f60b384fa6c9a7381e43d4d021d7e44537a6e05552909270f30997da91b690d8a30aa690f0d1ce0aed7798bd8bb8972fcf6830c282ccc91193ac SHA512 46442cddb6ca043b8b08d143908f149954c238e0f3a57a0df73ca4fab9c1acd91b078f3f26375a1d99cd1d65625986328018c735d8705882c8f91e389cad28a6 -EBUILD wpa_supplicant-2.6-r3.ebuild 11044 BLAKE2B ec092b2d8c8094c19ce1e019642ff074cfcc8ab40045d394e01c219fad6cb306dd0c8e6e33879c33d950d95af5bb5e851a667030aad5cc1fe6c9b5aeb6d9fc7d SHA512 2e2b23824a0a073a44e7c40cf21bc06f797a34d8768ecd645aa0f7216c81e1f0425fb09129824b1d927166f0d6fce0f4cff87afd1f65214db4546d83031c1e62 -EBUILD wpa_supplicant-2.6-r5.ebuild 11782 BLAKE2B b74866e78cc82cb5e3600135052024c11b628371932b52634754fa578c6f31ed0d58f5ba2e980fdd7f1ddf50c92e721e538098af2270a9061c64ee5e902940fe SHA512 afd5fc95a798031f7ac84fb17737a113db720686d9ad304d2abfd56b4c16468fc446926594ff87b17438d2b9c39762865782de794019a780074df87f9479307e +DIST wpa_supplicant-2.7.tar.gz 3093713 BLAKE2B bbf961b6e13757e9d7bb8b9de1808382a551265cd2d54de14e24bde3567aa5298b48fdcd0df75db79189a051532c54b28eab5519c32fc8fc00459365b57039aa SHA512 8b6eb5b5f30d351c73db63d73c09f24028a18166246539b4a4f89f0d226fb42751afa2ff72296df33317f615150325d285e8e7bda30e0d88abcdc9637ab731d3 +EBUILD wpa_supplicant-2.6-r10.ebuild 12648 BLAKE2B c67a87d8edae237a17d8799fb79c2aad65da5ba6a8c80d2a8ad925542e8fb0494a5f7732a0b9e4915d64f564507c347559c459e29190e10713474b4d00c27afe SHA512 518d7f5ba4f7cd0587151af95024b8d42d7220677ba2fc73a7b29a7e6a5c47b0947e7c353d74f38fe46f17f5fe91dc6c4bd61688a8a4fe2769e55f7e48131a20 EBUILD wpa_supplicant-2.6-r6.ebuild 11810 BLAKE2B 2c4dccf5392657392567b56598a9cf98ab968b34da44210a7608e1eda9e2eea3fbadcd6c51bbd6cffab841295cf49aa8f17d2602be537fc107b7d08370282955 SHA512 eb1a814b2cb50a5b0752061b3563c514c69c4bd637b83f9ee0e477310510869d05a1f5cbc9e2f3f894886e4309fc60c10d2f77b30adcba9d590bf9c8adde93eb -EBUILD wpa_supplicant-2.6-r8.ebuild 12421 BLAKE2B 83f93e2381b3108939901b18a5222e0a632fd79913ba6f5c2d454e871bceb65f3d9a87dea0a5eaab2f556866ee1e554d570c7181a6e3aa12fb428a06eab677c6 SHA512 03667d27cc8c82df0b3223649f0c1649a055f3bc52dbd2cdaf6ef44a214033c9d073af41e0c569cd25cc8221db058c1112ece26f14697bc088a5719bc8327622 -EBUILD wpa_supplicant-9999.ebuild 11650 BLAKE2B e9b4ed5aac7d60c348184b07f0b56e7b4cb74f530be90a67fece55916e5065cfc82a66310fa682b6a94763e396a1ad15db967288680e1cb758754453cfacc18e SHA512 a37fbc96d8cd2b64d705fdd9f0d7499cfbf17115b42ab9aeb2d66acc277cdf1e3513a45ff95896ee03b992a2fbcaadb5572a2ff32f48428bc8d50a194f17a598 +EBUILD wpa_supplicant-2.7.ebuild 11704 BLAKE2B ee03f052b3e896025970ae8be65aea336c3c0cee3eed18af4e0f6e8d5a91b1fe1a851954b3114fbdbb8a7cca99b193f9a84509e3ec0ff5cfeff6fa03d6b79d4a SHA512 ad8dedda2a83e5ba230a60b3e32471eba5334ebe7bb80f9e048a09c0701f29652ea4184d29a84736b4708db9325481056301fdff868b085e32f952577507e33b +EBUILD wpa_supplicant-9999.ebuild 11604 BLAKE2B bba465e8a711a22fda12cfea28378e9cef2b0f634f1c268e55bd8da5a9f630f4ca0001709c54f37160a4aa1dcdd6888f6d20c18fcd53c2b843c7399c00f54b15 SHA512 005f63ab95bdd23156ba9a878fdd06dd119b9a4bf8de2a06a12e48c24851975f8a9d20ace85883184a5ca42289cbb60d578ff8ea1b2aabecde39b79ebf99e2da MISC metadata.xml 1387 BLAKE2B d18ad59ec0e7852ed299596a6217d705f3344b1e215875fa5eb4afb9aeb91d17edd77ed35e5cb83b6868b529d3c173574f7d1810f2f145c8398860f72b0792fe SHA512 ab26df54e5dc68ef0db3f654df1dbf144b38d78e63d11d428bd04a4b374c6b704b334e3812a4042b4827bdab887bebe6de24a82c05edb7df7d614d4d4b8925fb diff --git a/net-wireless/wpa_supplicant/files/rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch b/net-wireless/wpa_supplicant/files/rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch new file mode 100644 index 000000000000..a62b52c6b9a8 --- /dev/null +++ b/net-wireless/wpa_supplicant/files/rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch @@ -0,0 +1,44 @@ +From 3e34cfdff6b192fe337c6fb3f487f73e96582961 Mon Sep 17 00:00:00 2001 +From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be> +Date: Sun, 15 Jul 2018 01:25:53 +0200 +Subject: [PATCH] WPA: Ignore unauthenticated encrypted EAPOL-Key data + +Ignore unauthenticated encrypted EAPOL-Key data in supplicant +processing. When using WPA2, these are frames that have the Encrypted +flag set, but not the MIC flag. + +When using WPA2, EAPOL-Key frames that had the Encrypted flag set but +not the MIC flag, had their data field decrypted without first verifying +the MIC. In case the data field was encrypted using RC4 (i.e., when +negotiating TKIP as the pairwise cipher), this meant that +unauthenticated but decrypted data would then be processed. An adversary +could abuse this as a decryption oracle to recover sensitive information +in the data field of EAPOL-Key messages (e.g., the group key). +(CVE-2018-14526) + +Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be> +--- + src/rsn_supp/wpa.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff -upr wpa_supplicant-2.6.orig/src/rsn_supp/wpa.c wpa_supplicant-2.6/src/rsn_supp/wpa.c +--- wpa_supplicant-2.6.orig/src/rsn_supp/wpa.c 2016-10-02 21:51:11.000000000 +0300 ++++ wpa_supplicant-2.6/src/rsn_supp/wpa.c 2018-08-08 16:55:11.506831029 +0300 +@@ -2016,6 +2016,17 @@ int wpa_sm_rx_eapol(struct wpa_sm *sm, c + + if ((sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) && + (key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) { ++ /* ++ * Only decrypt the Key Data field if the frame's authenticity ++ * was verified. When using AES-SIV (FILS), the MIC flag is not ++ * set, so this check should only be performed if mic_len != 0 ++ * which is the case in this code branch. ++ */ ++ if (!(key_info & WPA_KEY_INFO_MIC)) { ++ wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, ++ "WPA: Ignore EAPOL-Key with encrypted but unauthenticated data"); ++ goto out; ++ } + if (wpa_supplicant_decrypt_key_data(sm, key, ver, key_data, + &key_data_len)) + goto out; diff --git a/net-wireless/wpa_supplicant/files/wpa_supplicant-2.6-openssl-1.1.patch b/net-wireless/wpa_supplicant/files/wpa_supplicant-2.6-openssl-1.1.patch new file mode 100644 index 000000000000..1e2335f34c06 --- /dev/null +++ b/net-wireless/wpa_supplicant/files/wpa_supplicant-2.6-openssl-1.1.patch @@ -0,0 +1,48 @@ +From f665c93e1d28fbab3d9127a8c3985cc32940824f Mon Sep 17 00:00:00 2001 +From: Beniamino Galvani <bgalvani@redhat.com> +Date: Sun, 9 Jul 2017 11:14:10 +0200 +Subject: OpenSSL: Fix private key password handling with OpenSSL >= 1.1.0f + +Since OpenSSL version 1.1.0f, SSL_use_PrivateKey_file() uses the +callback from the SSL object instead of the one from the CTX, so let's +set the callback on both SSL and CTX. Note that +SSL_set_default_passwd_cb*() is available only in 1.1.0. + +Signed-off-by: Beniamino Galvani <bgalvani@redhat.com> +--- + src/crypto/tls_openssl.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c +index fd94eaf..c790b53 100644 +--- a/src/crypto/tls_openssl.c ++++ b/src/crypto/tls_openssl.c +@@ -2796,6 +2796,15 @@ static int tls_connection_private_key(struct tls_data *data, + } else + passwd = NULL; + ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) ++ /* ++ * In OpenSSL >= 1.1.0f SSL_use_PrivateKey_file() uses the callback ++ * from the SSL object. See OpenSSL commit d61461a75253. ++ */ ++ SSL_set_default_passwd_cb(conn->ssl, tls_passwd_cb); ++ SSL_set_default_passwd_cb_userdata(conn->ssl, passwd); ++#endif /* >= 1.1.0f && !LibreSSL */ ++ /* Keep these for OpenSSL < 1.1.0f */ + SSL_CTX_set_default_passwd_cb(ssl_ctx, tls_passwd_cb); + SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, passwd); + +@@ -2886,6 +2895,9 @@ static int tls_connection_private_key(struct tls_data *data, + return -1; + } + ERR_clear_error(); ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) ++ SSL_set_default_passwd_cb(conn->ssl, NULL); ++#endif /* >= 1.1.0f && !LibreSSL */ + SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL); + os_free(passwd); + +-- +cgit v0.12 + diff --git a/net-wireless/wpa_supplicant/files/wpa_supplicant-2.7-fix-undefined-remove-ie.patch b/net-wireless/wpa_supplicant/files/wpa_supplicant-2.7-fix-undefined-remove-ie.patch new file mode 100644 index 000000000000..97a8cc7f3e12 --- /dev/null +++ b/net-wireless/wpa_supplicant/files/wpa_supplicant-2.7-fix-undefined-remove-ie.patch @@ -0,0 +1,38 @@ +From f2973fa39d6109f0f34969e91551a98dc340d537 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <j@w1.fi> +Date: Mon, 3 Dec 2018 12:00:26 +0200 +Subject: FT: Fix CONFIG_IEEE80211X=y build without CONFIG_FILS=y + +remove_ie() was defined within an ifdef CONFIG_FILS block while it is +now needed even without CONFIG_FILS=y. Remove the CONFIG_FILS condition +there. + +Fixes 8c41734e5de1 ("FT: Fix Reassociation Request IEs during FT protocol") +Signed-off-by: Jouni Malinen <j@w1.fi> +--- + wpa_supplicant/sme.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/wpa_supplicant/sme.c b/wpa_supplicant/sme.c +index 39c8069..f77f751 100644 +--- a/wpa_supplicant/sme.c ++++ b/wpa_supplicant/sme.c +@@ -1386,7 +1386,6 @@ void sme_event_auth(struct wpa_supplicant *wpa_s, union wpa_event_data *data) + } + + +-#ifdef CONFIG_FILS + #ifdef CONFIG_IEEE80211R + static void remove_ie(u8 *buf, size_t *len, u8 eid) + { +@@ -1401,7 +1400,6 @@ static void remove_ie(u8 *buf, size_t *len, u8 eid) + } + } + #endif /* CONFIG_IEEE80211R */ +-#endif /* CONFIG_FILS */ + + + void sme_associate(struct wpa_supplicant *wpa_s, enum wpas_mode mode, +-- +cgit v0.12 + diff --git a/net-wireless/wpa_supplicant/wpa_supplicant-2.6-r8.ebuild b/net-wireless/wpa_supplicant/wpa_supplicant-2.6-r10.ebuild index 15d823b942f1..aee917dd595b 100644 --- a/net-wireless/wpa_supplicant/wpa_supplicant-2.6-r8.ebuild +++ b/net-wireless/wpa_supplicant/wpa_supplicant-2.6-r10.ebuild @@ -1,4 +1,4 @@ -# Copyright 1999-2018 Gentoo Foundation +# Copyright 1999-2018 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=6 @@ -11,7 +11,7 @@ SRC_URI="https://w1.fi/releases/${P}.tar.gz" LICENSE="|| ( GPL-2 BSD )" SLOT="0" -KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86 ~x86-fbsd" +KEYWORDS="~alpha amd64 arm ~arm64 ~ia64 ~mips ppc ppc64 ~sparc x86 ~x86-fbsd" IUSE="ap bindist dbus eap-sim eapol_test fasteap gnutls +hs2-0 libressl p2p privsep ps3 qt5 readline selinux smartcard ssl suiteb tdls uncommon-eap-types wimax wps kernel_linux kernel_FreeBSD" REQUIRED_USE="smartcard? ( ssl )" @@ -133,6 +133,9 @@ src_prepare() { # bug (596332 & 651314) eapply "${FILESDIR}/${P}-libressl-compatibility.patch" + # bug (671006) + eapply "${FILESDIR}/${P}-openssl-1.1.patch" + # https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt eapply "${FILESDIR}/2017-1/rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch" eapply "${FILESDIR}/2017-1/rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch" @@ -143,6 +146,9 @@ src_prepare() { eapply "${FILESDIR}/2017-1/rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch" eapply "${FILESDIR}/2017-1/rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch" + # https://w1.fi/security/2018-1/unauthenticated-eapol-key-decryption.txt + eapply "${FILESDIR}/rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch" + # bug (640492) sed -i 's#-Werror ##' wpa_supplicant/Makefile || die } diff --git a/net-wireless/wpa_supplicant/wpa_supplicant-2.6-r3.ebuild b/net-wireless/wpa_supplicant/wpa_supplicant-2.6-r3.ebuild deleted file mode 100644 index 94efb65ea575..000000000000 --- a/net-wireless/wpa_supplicant/wpa_supplicant-2.6-r3.ebuild +++ /dev/null @@ -1,401 +0,0 @@ -# Copyright 1999-2017 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -EAPI=6 - -inherit eutils qmake-utils systemd toolchain-funcs readme.gentoo-r1 - -DESCRIPTION="IEEE 802.1X/WPA supplicant for secure wireless transfers" -HOMEPAGE="https://w1.fi/wpa_supplicant/" -SRC_URI="https://w1.fi/releases/${P}.tar.gz" -LICENSE="|| ( GPL-2 BSD )" - -SLOT="0" -KEYWORDS="~alpha amd64 arm ~arm64 ~ia64 ~mips ppc ppc64 ~sparc x86 ~x86-fbsd" -IUSE="ap dbus gnutls eap-sim fasteap +hs2-0 libressl p2p ps3 qt5 readline selinux smartcard ssl tdls uncommon-eap-types wimax wps kernel_linux kernel_FreeBSD" -REQUIRED_USE="fasteap? ( !ssl ) smartcard? ( ssl )" - -CDEPEND="dbus? ( sys-apps/dbus ) - kernel_linux? ( - dev-libs/libnl:3 - net-wireless/crda - eap-sim? ( sys-apps/pcsc-lite ) - ) - !kernel_linux? ( net-libs/libpcap ) - qt5? ( - dev-qt/qtcore:5 - dev-qt/qtgui:5 - dev-qt/qtsvg:5 - dev-qt/qtwidgets:5 - ) - readline? ( - sys-libs/ncurses:0= - sys-libs/readline:0= - ) - ssl? ( - gnutls? ( - dev-libs/libgcrypt:0= - net-libs/gnutls:= - ) - !gnutls? ( - !libressl? ( dev-libs/openssl:0= ) - libressl? ( dev-libs/libressl:0= ) - ) - ) - !ssl? ( dev-libs/libtommath ) -" -DEPEND="${CDEPEND} - virtual/pkgconfig -" -RDEPEND="${CDEPEND} - selinux? ( sec-policy/selinux-networkmanager ) -" - -DOC_CONTENTS=" - If this is a clean installation of wpa_supplicant, you - have to create a configuration file named - ${EROOT%/}/etc/wpa_supplicant/wpa_supplicant.conf - An example configuration file is available for reference in - ${EROOT%/}/usr/share/doc/${PF}/ -" - -S="${WORKDIR}/${P}/${PN}" - -Kconfig_style_config() { - #param 1 is CONFIG_* item - #param 2 is what to set it = to, defaulting in y - CONFIG_PARAM="${CONFIG_HEADER:-CONFIG_}$1" - setting="${2:-y}" - - if [ ! $setting = n ]; then - #first remove any leading "# " if $2 is not n - sed -i "/^# *$CONFIG_PARAM=/s/^# *//" .config || echo "Kconfig_style_config error uncommenting $CONFIG_PARAM" - #set item = $setting (defaulting to y) - sed -i "/^$CONFIG_PARAM/s/=.*/=$setting/" .config || echo "Kconfig_style_config error setting $CONFIG_PARAM=$setting" - else - #ensure item commented out - sed -i "/^$CONFIG_PARAM/s/$CONFIG_PARAM/# $CONFIG_PARAM/" .config || echo "Kconfig_style_config error commenting $CONFIG_PARAM" - fi -} - -pkg_setup() { - if use ssl ; then - if use gnutls && use libressl ; then - elog "You have both 'gnutls' and 'libressl' USE flags enabled: defaulting to USE=\"gnutls\"" - fi - else - elog "You have 'ssl' USE flag disabled: defaulting to internal TLS implementation" - fi -} - -src_prepare() { - default - - # net/bpf.h needed for net-libs/libpcap on Gentoo/FreeBSD - sed -i \ - -e "s:\(#include <pcap\.h>\):#include <net/bpf.h>\n\1:" \ - ../src/l2_packet/l2_packet_freebsd.c || die - - # People seem to take the example configuration file too literally (bug #102361) - sed -i \ - -e "s:^\(opensc_engine_path\):#\1:" \ - -e "s:^\(pkcs11_engine_path\):#\1:" \ - -e "s:^\(pkcs11_module_path\):#\1:" \ - wpa_supplicant.conf || die - - # Change configuration to match Gentoo locations (bug #143750) - sed -i \ - -e "s:/usr/lib/opensc:/usr/$(get_libdir):" \ - -e "s:/usr/lib/pkcs11:/usr/$(get_libdir):" \ - wpa_supplicant.conf || die - - # systemd entries to D-Bus service files (bug #372877) - echo 'SystemdService=wpa_supplicant.service' \ - | tee -a dbus/*.service >/dev/null || die - - cd "${WORKDIR}/${P}" || die - - if use wimax; then - # generate-libeap-peer.patch comes before - # fix-undefined-reference-to-random_get_bytes.patch - eapply "${FILESDIR}/${P}-generate-libeap-peer.patch" - - # multilib-strict fix (bug #373685) - sed -e "s/\/usr\/lib/\/usr\/$(get_libdir)/" -i src/eap_peer/Makefile || die - fi - - # bug (320097) - eapply "${FILESDIR}/${P}-do-not-call-dbus-functions-with-NULL-path.patch" - - # bug (596332) - eapply "${FILESDIR}/${P}-libressl.patch" - - # https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt - eapply "${FILESDIR}/2017-1/rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch" - eapply "${FILESDIR}/2017-1/rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch" - eapply "${FILESDIR}/2017-1/rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch" - eapply "${FILESDIR}/2017-1/rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch" - eapply "${FILESDIR}/2017-1/rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch" - eapply "${FILESDIR}/2017-1/rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch" - eapply "${FILESDIR}/2017-1/rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch" - eapply "${FILESDIR}/2017-1/rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch" -} - -src_configure() { - # Toolchain setup - tc-export CC - - cp defconfig .config || die - - # Basic setup - Kconfig_style_config CTRL_IFACE - Kconfig_style_config MATCH_IFACE - Kconfig_style_config BACKEND file - Kconfig_style_config IBSS_RSN - Kconfig_style_config IEEE80211W - Kconfig_style_config IEEE80211R - - # Basic authentication methods - # NOTE: we don't set GPSK or SAKE as they conflict - # with the below options - Kconfig_style_config EAP_GTC - Kconfig_style_config EAP_MD5 - Kconfig_style_config EAP_OTP - Kconfig_style_config EAP_PAX - Kconfig_style_config EAP_PSK - Kconfig_style_config EAP_TLV - Kconfig_style_config EAP_EXE - Kconfig_style_config IEEE8021X_EAPOL - Kconfig_style_config PKCS12 - Kconfig_style_config PEERKEY - Kconfig_style_config EAP_LEAP - Kconfig_style_config EAP_MSCHAPV2 - Kconfig_style_config EAP_PEAP - Kconfig_style_config EAP_TLS - Kconfig_style_config EAP_TTLS - - # Enabling background scanning. - Kconfig_style_config BGSCAN_SIMPLE - Kconfig_style_config BGSCAN_LEARN - - # Enabling mesh networks. - Kconfig_style_config MESH - - if use dbus ; then - Kconfig_style_config CTRL_IFACE_DBUS - Kconfig_style_config CTRL_IFACE_DBUS_NEW - Kconfig_style_config CTRL_IFACE_DBUS_INTRO - fi - - # Enable support for writing debug info to a log file and syslog. - Kconfig_style_config DEBUG_FILE - Kconfig_style_config DEBUG_SYSLOG - - if use hs2-0 ; then - Kconfig_style_config INTERWORKING - Kconfig_style_config HS20 - fi - - if use uncommon-eap-types; then - Kconfig_style_config EAP_GPSK - Kconfig_style_config EAP_SAKE - Kconfig_style_config EAP_GPSK_SHA256 - Kconfig_style_config EAP_IKEV2 - Kconfig_style_config EAP_EKE - fi - - if use eap-sim ; then - # Smart card authentication - Kconfig_style_config EAP_SIM - Kconfig_style_config EAP_AKA - Kconfig_style_config EAP_AKA_PRIME - Kconfig_style_config PCSC - fi - - if use fasteap ; then - Kconfig_style_config EAP_FAST - fi - - if use readline ; then - # readline/history support for wpa_cli - Kconfig_style_config READLINE - else - #internal line edit mode for wpa_cli - Kconfig_style_config WPA_CLI_EDIT - fi - - # SSL authentication methods - if use ssl ; then - if use gnutls ; then - Kconfig_style_config TLS gnutls - Kconfig_style_config GNUTLS_EXTRA - else - Kconfig_style_config TLS openssl - fi - else - Kconfig_style_config TLS internal - fi - - if use smartcard ; then - Kconfig_style_config SMARTCARD - fi - - if use tdls ; then - Kconfig_style_config TDLS - fi - - if use kernel_linux ; then - # Linux specific drivers - Kconfig_style_config DRIVER_ATMEL - Kconfig_style_config DRIVER_HOSTAP - Kconfig_style_config DRIVER_IPW - Kconfig_style_config DRIVER_NL80211 - Kconfig_style_config DRIVER_RALINK - Kconfig_style_config DRIVER_WEXT - Kconfig_style_config DRIVER_WIRED - - if use ps3 ; then - Kconfig_style_config DRIVER_PS3 - fi - - elif use kernel_FreeBSD ; then - # FreeBSD specific driver - Kconfig_style_config DRIVER_BSD - fi - - # Wi-Fi Protected Setup (WPS) - if use wps ; then - Kconfig_style_config WPS - Kconfig_style_config WPS2 - # USB Flash Drive - Kconfig_style_config WPS_UFD - # External Registrar - Kconfig_style_config WPS_ER - # Universal Plug'n'Play - Kconfig_style_config WPS_UPNP - # Near Field Communication - Kconfig_style_config WPS_NFC - fi - - # Wi-Fi Direct (WiDi) - if use p2p ; then - Kconfig_style_config P2P - Kconfig_style_config WIFI_DISPLAY - fi - - # Access Point Mode - if use ap ; then - Kconfig_style_config AP - fi - - # Enable mitigation against certain attacks against TKIP - Kconfig_style_config DELAYED_MIC_ERROR_REPORT - - # If we are using libnl 2.0 and above, enable support for it - # Bug 382159 - # Removed for now, since the 3.2 version is broken, and we don't - # support it. - if has_version ">=dev-libs/libnl-3.2"; then - Kconfig_style_config LIBNL32 - fi - - if use qt5 ; then - pushd "${S}"/wpa_gui-qt4 > /dev/null || die - eqmake5 wpa_gui.pro - popd > /dev/null || die - fi -} - -src_compile() { - einfo "Building wpa_supplicant" - emake V=1 BINDIR=/usr/sbin - - if use wimax; then - emake -C ../src/eap_peer clean - emake -C ../src/eap_peer - fi - - if use qt5; then - einfo "Building wpa_gui" - emake -C "${S}"/wpa_gui-qt4 - fi -} - -src_install() { - dosbin wpa_supplicant - dobin wpa_cli wpa_passphrase - - # baselayout-1 compat - if has_version "<sys-apps/baselayout-2.0.0"; then - dodir /sbin - dosym ../usr/sbin/wpa_supplicant /sbin/wpa_supplicant - dodir /bin - dosym ../usr/bin/wpa_cli /bin/wpa_cli - fi - - if has_version ">=sys-apps/openrc-0.5.0"; then - newinitd "${FILESDIR}/${PN}-init.d" wpa_supplicant - newconfd "${FILESDIR}/${PN}-conf.d" wpa_supplicant - fi - - exeinto /etc/wpa_supplicant/ - newexe "${FILESDIR}/wpa_cli.sh" wpa_cli.sh - - readme.gentoo_create_doc - dodoc ChangeLog {eap_testing,todo}.txt README{,-WPS} \ - wpa_supplicant.conf - - newdoc .config build-config - - doman doc/docbook/*.{5,8} - - if use qt5 ; then - into /usr - dobin wpa_gui-qt4/wpa_gui - doicon wpa_gui-qt4/icons/wpa_gui.svg - make_desktop_entry wpa_gui "WPA Supplicant Administration GUI" "wpa_gui" "Qt;Network;" - fi - - use wimax && emake DESTDIR="${D}" -C ../src/eap_peer install - - if use dbus ; then - pushd "${S}"/dbus > /dev/null || die - insinto /etc/dbus-1/system.d - newins dbus-wpa_supplicant.conf wpa_supplicant.conf - insinto /usr/share/dbus-1/system-services - doins fi.epitest.hostap.WPASupplicant.service fi.w1.wpa_supplicant1.service - popd > /dev/null || die - - # This unit relies on dbus support, bug 538600. - systemd_dounit systemd/wpa_supplicant.service - fi - - systemd_dounit "systemd/wpa_supplicant@.service" - systemd_dounit "systemd/wpa_supplicant-nl80211@.service" - systemd_dounit "systemd/wpa_supplicant-wired@.service" -} - -pkg_postinst() { - readme.gentoo_print_elog - - if [[ -e "${EROOT%/}"/etc/wpa_supplicant.conf ]] ; then - echo - ewarn "WARNING: your old configuration file ${EROOT%/}/etc/wpa_supplicant.conf" - ewarn "needs to be moved to ${EROOT%/}/etc/wpa_supplicant/wpa_supplicant.conf" - fi - - # Mea culpa, feel free to remove that after some time --mgorny. - local fn - for fn in wpa_supplicant{,@wlan0}.service; do - if [[ -e "${EROOT%/}"/etc/systemd/system/network.target.wants/${fn} ]] - then - ebegin "Moving ${fn} to multi-user.target" - mv "${EROOT%/}"/etc/systemd/system/network.target.wants/${fn} \ - "${EROOT%/}"/etc/systemd/system/multi-user.target.wants/ || die - eend ${?} \ - "Please try to re-enable ${fn}" - fi - done - - systemd_reenable wpa_supplicant.service -} diff --git a/net-wireless/wpa_supplicant/wpa_supplicant-2.6-r5.ebuild b/net-wireless/wpa_supplicant/wpa_supplicant-2.7.ebuild index db98a23c929a..12a69aa090d4 100644 --- a/net-wireless/wpa_supplicant/wpa_supplicant-2.6-r5.ebuild +++ b/net-wireless/wpa_supplicant/wpa_supplicant-2.7.ebuild @@ -1,4 +1,4 @@ -# Copyright 1999-2018 Gentoo Foundation +# Copyright 1999-2018 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=6 @@ -7,12 +7,19 @@ inherit eutils qmake-utils systemd toolchain-funcs readme.gentoo-r1 DESCRIPTION="IEEE 802.1X/WPA supplicant for secure wireless transfers" HOMEPAGE="https://w1.fi/wpa_supplicant/" -SRC_URI="https://w1.fi/releases/${P}.tar.gz" LICENSE="|| ( GPL-2 BSD )" +if [ "${PV}" = "9999" ]; then + inherit git-r3 + EGIT_REPO_URI="https://w1.fi/hostap.git" + KEYWORDS="" +else + KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86 ~x86-fbsd" + SRC_URI="https://w1.fi/releases/${P}.tar.gz" +fi + SLOT="0" -KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86 ~x86-fbsd" -IUSE="ap dbus eap-sim eapol_test fasteap gnutls +hs2-0 libressl p2p privsep ps3 qt5 readline selinux smartcard ssl tdls uncommon-eap-types wimax wps kernel_linux kernel_FreeBSD" +IUSE="ap bindist dbus eap-sim eapol_test fasteap gnutls +hs2-0 libressl p2p privsep ps3 qt5 readline selinux smartcard ssl suiteb tdls uncommon-eap-types wimax wps kernel_linux kernel_FreeBSD" REQUIRED_USE="smartcard? ( ssl )" CDEPEND="dbus? ( sys-apps/dbus ) @@ -38,7 +45,7 @@ CDEPEND="dbus? ( sys-apps/dbus ) net-libs/gnutls:= ) !gnutls? ( - !libressl? ( >=dev-libs/openssl-1.0.2k:0= ) + !libressl? ( >=dev-libs/openssl-1.0.2k:0=[bindist=] ) libressl? ( dev-libs/libressl:0= ) ) ) @@ -128,20 +135,10 @@ src_prepare() { fi # bug (320097) - eapply "${FILESDIR}/${P}-do-not-call-dbus-functions-with-NULL-path.patch" - - # bug (596332) - eapply "${FILESDIR}/${P}-libressl.patch" + eapply "${FILESDIR}/${PN}-2.6-do-not-call-dbus-functions-with-NULL-path.patch" - # https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt - eapply "${FILESDIR}/2017-1/rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch" - eapply "${FILESDIR}/2017-1/rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch" - eapply "${FILESDIR}/2017-1/rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch" - eapply "${FILESDIR}/2017-1/rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch" - eapply "${FILESDIR}/2017-1/rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch" - eapply "${FILESDIR}/2017-1/rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch" - eapply "${FILESDIR}/2017-1/rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch" - eapply "${FILESDIR}/2017-1/rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch" + # fix undefined reference to remove_ie() + eapply "${FILESDIR}/${P}-fix-undefined-remove-ie.patch" # bug (640492) sed -i 's#-Werror ##' wpa_supplicant/Makefile || die @@ -231,17 +228,31 @@ src_configure() { Kconfig_style_config WPA_CLI_EDIT fi + if use suiteb; then + Kconfig_style_config SUITEB + fi + # SSL authentication methods if use ssl ; then if use gnutls ; then Kconfig_style_config TLS gnutls Kconfig_style_config GNUTLS_EXTRA else + #this fails for gnutls + Kconfig_style_config SUITEB192 Kconfig_style_config TLS openssl - Kconfig_style_config EAP_PWD + if ! use bindist; then + #this fails for gnutls + Kconfig_style_config EAP_PWD + # SAE fails on gnutls and everything below here needs SAE + # Enabling mesh networks. + Kconfig_style_config MESH + #WPA3 + Kconfig_style_config OWE + Kconfig_style_config SAE + #we also need to disable FILS, except that isn't enabled yet + fi - # Enabling mesh networks. - Kconfig_style_config MESH fi else Kconfig_style_config TLS internal @@ -376,7 +387,9 @@ src_install() { newdoc .config build-config - doman doc/docbook/*.{5,8} + if [ "${PV}" != "9999" ]; then + doman doc/docbook/*.{5,8} + fi if use qt5 ; then into /usr @@ -419,6 +432,13 @@ pkg_postinst() { ewarn "needs to be moved to ${EROOT%/}/etc/wpa_supplicant/wpa_supplicant.conf" fi + if use bindist || use gnutls; then + if ! use libressl; then + ewarn "Using bindist or gnutls use flags presently breaks WPA3 (specifically SAE and OWE)." + ewarn "This is incredibly undesirable" + fi + fi + # Mea culpa, feel free to remove that after some time --mgorny. local fn for fn in wpa_supplicant{,@wlan0}.service; do diff --git a/net-wireless/wpa_supplicant/wpa_supplicant-9999.ebuild b/net-wireless/wpa_supplicant/wpa_supplicant-9999.ebuild index 5c5676770af4..df34e7baa75c 100644 --- a/net-wireless/wpa_supplicant/wpa_supplicant-9999.ebuild +++ b/net-wireless/wpa_supplicant/wpa_supplicant-9999.ebuild @@ -1,4 +1,4 @@ -# Copyright 1999-2018 Gentoo Foundation +# Copyright 1999-2018 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=6 @@ -135,10 +135,7 @@ src_prepare() { fi # bug (320097) - #eapply "${FILESDIR}/${P}-do-not-call-dbus-functions-with-NULL-path.patch" - - # bug (596332 & 651314) - #eapply "${FILESDIR}/${P}-libressl-compatibility.patch" + eapply "${FILESDIR}/${PN}-2.6-do-not-call-dbus-functions-with-NULL-path.patch" # bug (640492) sed -i 's#-Werror ##' wpa_supplicant/Makefile || die @@ -387,7 +384,9 @@ src_install() { newdoc .config build-config - #doman doc/docbook/*.{5,8} + if [ "${PV}" != "9999" ]; then + doman doc/docbook/*.{5,8} + fi if use qt5 ; then into /usr |