author | Robin H. Johnson <robbat2@gentoo.org> | 2015-08-08 13:49:04 -0700 |
committer | Robin H. Johnson <robbat2@gentoo.org> | 2015-08-08 17:38:18 -0700 |
commit | 56bd759df1d0c750a065b8c845e93d5dfa6b549d (patch) | |
tree | 3f91093cdb475e565ae857f1c5a7fd339e2d781e /net-wireless/wpa_supplicant | |
proj/gentoo: Initial commit
This commit represents a new era for Gentoo:
Storing the gentoo-x86 tree in Git, as converted from CVS.
This commit is the start of the NEW history.
Any historical data is intended to be grafted onto this point.
Creation process:
1. Take final CVS checkout snapshot
2. Remove ALL ChangeLog* files
3. Transform all Manifests to thin
4. Remove empty Manifests
5. Convert all stale $Header$/$Id$ CVS keywords to non-expanded Git $Id$
5.1. Do not touch files with -kb/-ko keyword flags.
Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
X-Thanks: Alec Warner <antarus@gentoo.org> - did the GSoC 2006 migration tests
X-Thanks: Robin H. Johnson <robbat2@gentoo.org> - infra guy, herding this project
X-Thanks: Nguyen Thai Ngoc Duy <pclouds@gentoo.org> - Former Gentoo developer, wrote Git features for the migration
X-Thanks: Brian Harring <ferringb@gentoo.org> - wrote much python to improve cvs2svn
X-Thanks: Rich Freeman <rich0@gentoo.org> - validation scripts
X-Thanks: Patrick Lauer <patrick@gentoo.org> - Gentoo dev, running new 2014 work in migration
X-Thanks: Michał Górny <mgorny@gentoo.org> - scripts, QA, nagging
X-Thanks: All of other Gentoo developers - many ideas and lots of paint on the bikeshed
Diffstat (limited to 'net-wireless/wpa_supplicant')
23 files changed, 1879 insertions, 0 deletions
diff --git a/net-wireless/wpa_supplicant/Manifest b/net-wireless/wpa_supplicant/Manifest
new file mode 100644
index 00000000000..0e170b456f4
--- /dev/null
+++ b/net-wireless/wpa_supplicant/Manifest
@@ -0,0 +1 @@
+DIST wpa_supplicant-2.4.tar.gz 2525648 SHA256 058dc832c096139a059e6df814080f50251a8d313c21b13364c54a1e70109122 SHA512 03d8199325b3910f77013ddb7edd803ab4444542230484e1cb465dc3df9372b39ee3307d823ce88730e8f5a5231ef3183954c54cf07297b70432f526e45aac2b WHIRLPOOL 092ae97e2c0f55d7055fd4e5d688e2ba538f785089a13c754129829854b20a98de832d9d0925dce5823a060d10a3bb5882b0bf3d6cf55f8de9bbc2b00fbb7392
diff --git a/net-wireless/wpa_supplicant/files/2015-1/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch b/net-wireless/wpa_supplicant/files/2015-1/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch
new file mode 100644
index 00000000000..de1964ca769
--- /dev/null
+++ b/net-wireless/wpa_supplicant/files/2015-1/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch
@@ -0,0 +1,42 @@
+From 9ed4eee345f85e3025c33c6e20aa25696e341ccd Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@qca.qualcomm.com>
+Date: Tue, 7 Apr 2015 11:32:11 +0300
+Subject: [PATCH] P2P: Validate SSID element length before copying it
+ (CVE-2015-1863)
+
+This fixes a possible memcpy overflow for P2P dev->oper_ssid in
+p2p_add_device(). The length provided by the peer device (0..255 bytes)
+was used without proper bounds checking and that could have resulted in
+arbitrary data of up to 223 bytes being written beyond the end of the
+dev->oper_ssid[] array (of which about 150 bytes would be beyond the
+heap allocation) when processing a corrupted management frame for P2P
+peer discovery purposes.
+
+This could result in corrupted state in heap, unexpected program
+behavior due to corrupted P2P peer device information, denial of service
+due to process crash, exposure of memory contents during GO Negotiation,
+and potentially arbitrary code execution.
+
+Thanks to Google security team for reporting this issue and smart
+hardware research group of Alibaba security team for discovering it.
+
+Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
+---
+ src/p2p/p2p.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c
+index f584fae..a45fe73 100644
+--- a/src/p2p/p2p.c
++++ b/src/p2p/p2p.c
+@@ -778,6 +778,7 @@ int p2p_add_device(struct p2p_data *p2p, const u8 *addr, int freq,
+ if (os_memcmp(addr, p2p_dev_addr, ETH_ALEN) != 0)
+ os_memcpy(dev->interface_addr, addr, ETH_ALEN);
+ if (msg.ssid &&
++ msg.ssid[1] <= sizeof(dev->oper_ssid) &&
+ (msg.ssid[1] != P2P_WILDCARD_SSID_LEN ||
+ os_memcmp(msg.ssid + 2, P2P_WILDCARD_SSID, P2P_WILDCARD_SSID_LEN)
+ != 0)) {
+-- 
+1.9.1
+
diff --git a/net-wireless/wpa_supplicant/files/2015-2/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch b/net-wireless/wpa_supplicant/files/2015-2/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch
new file mode 100644
index 00000000000..36b4ca29469
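Review bot: The new guard `msg.ssid[1] <= sizeof(dev->oper_ssid)` is only a correct bound if oper_ssid is a fixed-size array inside the device struct, which the hunk does not show; should it ever become a pointer, sizeof would silently turn into the pointer width and the overflow would be back. A comment on the added line would pin that assumption down, e.g. `/* IE length byte is peer-controlled (0..255); oper_ssid must stay a fixed u8[] */`. Note also that an oversized SSID element is dropped silently here, whereas the other patches in this series log the rejected value, so a debug trace of a peer sending malformed discovery frames is lost. p2p_add_device() starts before and ends after the hunk.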
--- /dev/null
+++ b/net-wireless/wpa_supplicant/files/2015-2/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch
@@ -0,0 +1,49 @@
+From 5acd23f4581da58683f3cf5e36cb71bbe4070bd7 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Tue, 28 Apr 2015 17:08:33 +0300
+Subject: [PATCH] WPS: Fix HTTP chunked transfer encoding parser
+
+strtoul() return value may end up overflowing the int h->chunk_size and
+resulting in a negative value to be stored as the chunk_size. This could
+result in the following memcpy operation using a very large length
+argument which would result in a buffer overflow and segmentation fault.
+
+This could have been used to cause a denial service by any device that
+has been authorized for network access (either wireless or wired). This
+would affect both the WPS UPnP functionality in a WPS AP (hostapd with
+upnp_iface parameter set in the configuration) and WPS ER
+(wpa_supplicant with WPS_ER_START control interface command used).
+
+Validate the parsed chunk length value to avoid this. In addition to
+rejecting negative values, we can also reject chunk size that would be
+larger than the maximum configured body length.
+
+Thanks to Kostya Kortchinsky of Google security team for discovering and
+reporting this issue.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/wps/httpread.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/wps/httpread.c b/src/wps/httpread.c
+index 2f08f37..d2855e3 100644
+--- a/src/wps/httpread.c
++++ b/src/wps/httpread.c
+@@ -533,6 +533,13 @@ static void httpread_read_handler(int sd, void *eloop_ctx, void *sock_ctx)
+ if (!isxdigit(*cbp))
+ goto bad;
+ h->chunk_size = strtoul(cbp, NULL, 16);
++ if (h->chunk_size < 0 ||
++ h->chunk_size > h->max_bytes) {
++ wpa_printf(MSG_DEBUG,
++ "httpread: Invalid chunk size %d",
++ h->chunk_size);
++ goto bad;
++ }
+ /* throw away chunk header
+ * so we have only real data
+ */
+-- 
+1.9.1
+
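Review bot: The validation on the added lines runs after strtoul()'s unsigned long result has already been narrowed into the int `h->chunk_size`, so on LP64 hosts a hex value such as 0x100000000 is truncated to 0 before the check ever sees it; the truncated value is within bounds, so the later memcpy stays safe, but the request is then presumably treated as a terminating zero-length chunk instead of being rejected. Validating before narrowing is cleaner: `unsigned long cs = strtoul(cbp, NULL, 16); if (cs > (unsigned long) h->max_bytes) goto bad; h->chunk_size = (int) cs;` (the cast on max_bytes assumes it is a non-negative int, which the hunk does not show). httpread_read_handler() begins and ends outside the hunk.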
diff --git a/net-wireless/wpa_supplicant/files/2015-3/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch b/net-wireless/wpa_supplicant/files/2015-3/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch new file mode 100644 index 00000000000..79c5af8906f --- /dev/null +++ b/net-wireless/wpa_supplicant/files/2015-3/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch @@ -0,0 +1,41 @@ +From ef566a4d4f74022e1fdb0a2addfe81e6de9f4aae Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <j@w1.fi> +Date: Wed, 29 Apr 2015 02:21:53 +0300 +Subject: [PATCH] AP WMM: Fix integer underflow in WMM Action frame parser + +The length of the WMM Action frame was not properly validated and the +length of the information elements (int left) could end up being +negative. This would result in reading significantly past the stack +buffer while parsing the IEs in ieee802_11_parse_elems() and while doing +so, resulting in segmentation fault. + +This can result in an invalid frame being used for a denial of service +attack (hostapd process killed) against an AP with a driver that uses +hostapd for management frame processing (e.g., all mac80211-based +drivers). + +Thanks to Kostya Kortchinsky of Google security team for discovering and +reporting this issue. + +Signed-off-by: Jouni Malinen <j@w1.fi> +--- + src/ap/wmm.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/ap/wmm.c b/src/ap/wmm.c +index 6d4177c..314e244 100644 +--- a/src/ap/wmm.c ++++ b/src/ap/wmm.c +@@ -274,6 +274,9 @@ void hostapd_wmm_action(struct hostapd_data *hapd, + return; + } + ++ if (left < 0) ++ return; /* not a valid WMM Action frame */ ++ + /* extract the tspec info element */ + if (ieee802_11_parse_elems(pos, left, &elems, 1) == ParseFailed) { + hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211, +-- +1.9.1 + 
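Review bot: The added `if (left < 0) return;` rejects the truncated frame silently, while the failure path directly below it reports parse errors through hostapd_logger(hapd, mgmt->sa, ...); a bad-length Action frame from an identifiable station is exactly the event an operator would want in the log, so consider `wpa_printf(MSG_DEBUG, "WMM: Action frame too short from " MACSTR, MAC2STR(mgmt->sa));` if the usual MAC formatting helpers are in scope here. The computation of `left` is outside the hunk, so I cannot confirm whether `pos` was already dereferenced before this point; if it was, the check belongs where `left` is derived from the frame length. hostapd_wmm_action() starts before and ends after the hunk.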
diff --git a/net-wireless/wpa_supplicant/files/2015-4/0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch b/net-wireless/wpa_supplicant/files/2015-4/0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch
new file mode 100644
index 00000000000..91627fb7b7f
--- /dev/null
+++ b/net-wireless/wpa_supplicant/files/2015-4/0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch
@@ -0,0 +1,73 @@
+From dd2f043c9c43d156494e33d7ce22db96e6ef42c7 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Fri, 1 May 2015 16:37:45 +0300
+Subject: [PATCH 1/5] EAP-pwd peer: Fix payload length validation for Commit
+ and Confirm
+
+The length of the received Commit and Confirm message payloads was not
+checked before reading them. This could result in a buffer read
+overflow when processing an invalid message.
+
+Fix this by verifying that the payload is of expected length before
+processing it. In addition, enforce correct state transition sequence to
+make sure there is no unexpected behavior if receiving a Commit/Confirm
+message before the previous exchanges have been completed.
+
+Thanks to Kostya Kortchinsky of Google security team for discovering and
+reporting this issue.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/eap_peer/eap_pwd.c | 29 +++++++++++++++++++++++++++++
+ 1 file changed, 29 insertions(+)
+
+diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
+index f2b0926..a629437 100644
+--- a/src/eap_peer/eap_pwd.c
++++ b/src/eap_peer/eap_pwd.c
+@@ -355,6 +355,23 @@ eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
+ BIGNUM *mask = NULL, *x = NULL, *y = NULL, *cofactor = NULL;
+ u16 offset;
+ u8 *ptr, *scalar = NULL, *element = NULL;
++ size_t prime_len, order_len;
++
++ if (data->state != PWD_Commit_Req) {
++ ret->ignore = TRUE;
++ goto fin;
++ }
++
++ prime_len = BN_num_bytes(data->grp->prime);
++ order_len = BN_num_bytes(data->grp->order);
++
++ if (payload_len != 2 * prime_len + order_len) {
++ wpa_printf(MSG_INFO,
++ "EAP-pwd: Unexpected Commit payload length %u (expected %u)",
++ (unsigned int) payload_len,
++ (unsigned int) (2 * prime_len + order_len));
++ goto fin;
++ }
+
+ if (((data->private_value = BN_new()) == NULL) ||
+ ((data->my_element = EC_POINT_new(data->grp->group)) == NULL) ||
+@@ -554,6 +571,18 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
+ u8 conf[SHA256_MAC_LEN], *cruft = NULL, *ptr;
+ int offset;
+
++ if (data->state != PWD_Confirm_Req) {
++ ret->ignore = TRUE;
++ goto fin;
++ }
++
++ if (payload_len != SHA256_MAC_LEN) {
++ wpa_printf(MSG_INFO,
++ "EAP-pwd: Unexpected Confirm payload length %u (expected %u)",
++ (unsigned int) payload_len, SHA256_MAC_LEN);
++ goto fin;
++ }
++
+ /*
+ * first build up the ciphersuite which is group | random_function |
+ * prf
+-- 
+1.9.1
+
diff --git a/net-wireless/wpa_supplicant/files/2015-4/0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch b/net-wireless/wpa_supplicant/files/2015-4/0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch
new file mode 100644
index 00000000000..5dca20b2771
--- /dev/null
+++ b/net-wireless/wpa_supplicant/files/2015-4/0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch
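Review bot: The two new rejection paths in each function behave differently — a wrong `data->state` sets `ret->ignore = TRUE` before `goto fin`, a wrong `payload_len` jumps to `fin` without it — and nothing in the hunk says why, so a later cleanup could easily unify them the wrong way. If the intent is that an out-of-sequence message is dropped (a stray retransmission must not abort the method) while a malformed payload in the expected state fails the exchange, a comment on the length check such as `/* wrong length in the right state: fail the exchange, do not just ignore */` would preserve that distinction; what `fin` does with `ret` is outside the hunk, so the intent is inferred. Both functions start before and end after the hunks.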
@@ -0,0 +1,66 @@
+From e28a58be26184c2a23f80b410e0997ef1bd5d578 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Fri, 1 May 2015 16:40:44 +0300
+Subject: [PATCH 2/5] EAP-pwd server: Fix payload length validation for Commit
+ and Confirm
+
+The length of the received Commit and Confirm message payloads was not
+checked before reading them. This could result in a buffer read
+overflow when processing an invalid message.
+
+Fix this by verifying that the payload is of expected length before
+processing it. In addition, enforce correct state transition sequence to
+make sure there is no unexpected behavior if receiving a Commit/Confirm
+message before the previous exchanges have been completed.
+
+Thanks to Kostya Kortchinsky of Google security team for discovering and
+reporting this issue.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/eap_server/eap_server_pwd.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
+index 66bd5d2..3189105 100644
+--- a/src/eap_server/eap_server_pwd.c
++++ b/src/eap_server/eap_server_pwd.c
+@@ -656,9 +656,21 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data,
+ BIGNUM *x = NULL, *y = NULL, *cofactor = NULL;
+ EC_POINT *K = NULL, *point = NULL;
+ int res = 0;
++ size_t prime_len, order_len;
+
+ wpa_printf(MSG_DEBUG, "EAP-pwd: Received commit response");
+
++ prime_len = BN_num_bytes(data->grp->prime);
++ order_len = BN_num_bytes(data->grp->order);
++
++ if (payload_len != 2 * prime_len + order_len) {
++ wpa_printf(MSG_INFO,
++ "EAP-pwd: Unexpected Commit payload length %u (expected %u)",
++ (unsigned int) payload_len,
++ (unsigned int) (2 * prime_len + order_len));
++ goto fin;
++ }
++
+ if (((data->peer_scalar = BN_new()) == NULL) ||
+ ((data->k = BN_new()) == NULL) ||
+ ((cofactor = BN_new()) == NULL) ||
+@@ -774,6 +786,13 @@ eap_pwd_process_confirm_resp(struct eap_sm *sm, struct eap_pwd_data *data,
+ u8 conf[SHA256_MAC_LEN], *cruft = NULL, *ptr;
+ int offset;
+
++ if (payload_len != SHA256_MAC_LEN) {
++ wpa_printf(MSG_INFO,
++ "EAP-pwd: Unexpected Confirm payload length %u (expected %u)",
++ (unsigned int) payload_len, SHA256_MAC_LEN);
++ goto fin;
++ }
++
+ /* build up the ciphersuite: group | random_function | prf */
+ grp = htons(data->group_num);
+ ptr = (u8 *) &cs;
+-- 
+1.9.1
+
diff --git a/net-wireless/wpa_supplicant/files/2015-4/0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch b/net-wireless/wpa_supplicant/files/2015-4/0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch
new file mode 100644
index 00000000000..4d2f9d8aefe
--- /dev/null
+++ b/net-wireless/wpa_supplicant/files/2015-4/0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch
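Review bot: The commit message says the change also enforces the correct state transition sequence, but unlike the peer-side patch (0001) neither hunk in this file adds a `data->state` check before the Commit or Confirm payload is processed. That is fine if the caller that dispatches to eap_pwd_process_commit_resp()/eap_pwd_process_confirm_resp() already selects the handler by `data->state`, which is outside the hunks and cannot be confirmed here; otherwise a Confirm arriving in the Commit state would run the confirm path on exchange state the earlier step never set up. Either verify that the dispatcher guards it, or mirror the peer patch with `if (data->state != PWD_Commit_Req) goto fin;` (and the Confirm equivalent) at the top of each function. Both functions start before and end after the hunks.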
@@ -0,0 +1,52 @@
+From 477c74395acd0123340457ba6f15ab345d42016e Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sat, 2 May 2015 19:23:04 +0300
+Subject: [PATCH 3/5] EAP-pwd peer: Fix Total-Length parsing for fragment
+ reassembly
+
+The remaining number of bytes in the message could be smaller than the
+Total-Length field size, so the length needs to be explicitly checked
+prior to reading the field and decrementing the len variable. This could
+have resulted in the remaining length becoming negative and interpreted
+as a huge positive integer.
+
+In addition, check that there is no already started fragment in progress
+before allocating a new buffer for reassembling fragments. This avoid a
+potential memory leak when processing invalid message.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/eap_peer/eap_pwd.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
+index a629437..1d2079b 100644
+--- a/src/eap_peer/eap_pwd.c
++++ b/src/eap_peer/eap_pwd.c
+@@ -866,11 +866,23 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
+ * if it's the first fragment there'll be a length field
+ */
+ if (EAP_PWD_GET_LENGTH_BIT(lm_exch)) {
++ if (len < 2) {
++ wpa_printf(MSG_DEBUG,
++ "EAP-pwd: Frame too short to contain Total-Length field");
++ ret->ignore = TRUE;
++ return NULL;
++ }
+ tot_len = WPA_GET_BE16(pos);
+ wpa_printf(MSG_DEBUG, "EAP-pwd: Incoming fragments whose "
+ "total length = %d", tot_len);
+ if (tot_len > 15000)
+ return NULL;
++ if (data->inbuf) {
++ wpa_printf(MSG_DEBUG,
++ "EAP-pwd: Unexpected new fragment start when previous fragment is still in use");
++ ret->ignore = TRUE;
++ return NULL;
++ }
+ data->inbuf = wpabuf_alloc(tot_len);
+ if (data->inbuf == NULL) {
+ wpa_printf(MSG_INFO, "Out of memory to buffer "
+-- 
+1.9.1
+
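Review bot: The added checks validate the Total-Length header but not that this first fragment's own payload (`len` once the two header bytes are consumed) fits in the buffer that `wpabuf_alloc(tot_len)` creates; if the reassembly code after the hunk appends the fragment without comparing the remaining `len` against `tot_len`, a first fragment advertising a Total-Length smaller than its payload would trip the wpabuf overflow check that patch 0005 in this series describes as terminating the process. That append path is outside the hunk and may already guard this; if it does not, `if (len - 2 > tot_len) { ret->ignore = TRUE; return NULL; }` after the 15000 check would close it. The bare `15000` is also repeated in the server-side patch and deserves a named constant shared by both sides. eap_pwd_process() starts before and ends after the hunk.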
diff --git a/net-wireless/wpa_supplicant/files/2015-4/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch b/net-wireless/wpa_supplicant/files/2015-4/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch
new file mode 100644
index 00000000000..7edef099eb5
--- /dev/null
+++ b/net-wireless/wpa_supplicant/files/2015-4/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch
@@ -0,0 +1,50 @@
+From 3035cc2894e08319b905bd6561e8bddc8c2db9fa Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sat, 2 May 2015 19:26:06 +0300
+Subject: [PATCH 4/5] EAP-pwd server: Fix Total-Length parsing for fragment
+ reassembly
+
+The remaining number of bytes in the message could be smaller than the
+Total-Length field size, so the length needs to be explicitly checked
+prior to reading the field and decrementing the len variable. This could
+have resulted in the remaining length becoming negative and interpreted
+as a huge positive integer.
+
+In addition, check that there is no already started fragment in progress
+before allocating a new buffer for reassembling fragments. This avoid a
+potential memory leak when processing invalid message.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/eap_server/eap_server_pwd.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
+index 3189105..2bfc3c2 100644
+--- a/src/eap_server/eap_server_pwd.c
++++ b/src/eap_server/eap_server_pwd.c
+@@ -942,11 +942,21 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv,
+ * the first fragment has a total length
+ */
+ if (EAP_PWD_GET_LENGTH_BIT(lm_exch)) {
++ if (len < 2) {
++ wpa_printf(MSG_DEBUG,
++ "EAP-pwd: Frame too short to contain Total-Length field");
++ return;
++ }
+ tot_len = WPA_GET_BE16(pos);
+ wpa_printf(MSG_DEBUG, "EAP-pwd: Incoming fragments, total "
+ "length = %d", tot_len);
+ if (tot_len > 15000)
+ return;
++ if (data->inbuf) {
++ wpa_printf(MSG_DEBUG,
++ "EAP-pwd: Unexpected new fragment start when previous fragment is still in use");
++ return;
++ }
+ data->inbuf = wpabuf_alloc(tot_len);
+ if (data->inbuf == NULL) {
+ wpa_printf(MSG_INFO, "EAP-pwd: Out of memory to "
+-- 
+1.9.1
+
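Review bot: A `tot_len` of 0 passes both added checks and reaches `wpabuf_alloc(0)`, yet a first fragment with the L bit set and a zero Total-Length can never carry a complete message; rejecting it up front, `if (tot_len == 0 || tot_len > 15000) return;`, avoids depending on the append path after the hunk to notice the mismatch. As in the peer patch the `15000` bound is a bare literal; giving it a name shared by the peer and server code would keep the two sides from drifting apart. eap_pwd_process() starts before and ends after the hunk.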
diff --git a/net-wireless/wpa_supplicant/files/2015-4/0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch b/net-wireless/wpa_supplicant/files/2015-4/0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch
new file mode 100644
index 00000000000..a601323f14d
--- /dev/null
+++ b/net-wireless/wpa_supplicant/files/2015-4/0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch
@@ -0,0 +1,32 @@
+From 28a069a545b06b99eb55ad53f63f2c99e65a98f6 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sat, 2 May 2015 19:26:28 +0300
+Subject: [PATCH 5/5] EAP-pwd peer: Fix asymmetric fragmentation behavior
+
+The L (Length) and M (More) flags needs to be cleared before deciding
+whether the locally generated response requires fragmentation. This
+fixes an issue where these flags from the server could have been invalid
+for the following message. In some cases, this could have resulted in
+triggering the wpabuf security check that would terminate the process
+due to invalid buffer allocation.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/eap_peer/eap_pwd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
+index 1d2079b..e58b13a 100644
+--- a/src/eap_peer/eap_pwd.c
++++ b/src/eap_peer/eap_pwd.c
+@@ -968,6 +968,7 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
+ /*
+ * we have output! Do we need to fragment it?
+ */
++ lm_exch = EAP_PWD_GET_EXCHANGE(lm_exch);
+ len = wpabuf_len(data->outbuf);
+ if ((len + EAP_PWD_HDR_SIZE) > data->mtu) {
+ resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PWD, data->mtu,
+-- 
+1.9.1
+
diff --git a/net-wireless/wpa_supplicant/files/2015-5/0001-NFC-Avoid-misaligned-read-of-an-NDEF-field.patch b/net-wireless/wpa_supplicant/files/2015-5/0001-NFC-Avoid-misaligned-read-of-an-NDEF-field.patch
new file mode 100644
index 00000000000..d03eb484fc2
--- /dev/null
+++ b/net-wireless/wpa_supplicant/files/2015-5/0001-NFC-Avoid-misaligned-read-of-an-NDEF-field.patch
@@ -0,0 +1,29 @@
+From fc880b11ed70ff9dcf8be48621f75d354cc5094d Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Tue, 7 Jul 2015 15:33:55 +0300
+Subject: [PATCH] NFC: Avoid misaligned read of an NDEF field
+
+The 32-bit version of payload length field may not be 32-bit aligned in
+the message buffer, so use WPA_GET_BE32() to read it instead of ntohl().
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/wps/ndef.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/wps/ndef.c b/src/wps/ndef.c
+index 8d1ce1e..5604b0a 100644
+--- a/src/wps/ndef.c
++++ b/src/wps/ndef.c
+@@ -47,7 +47,7 @@ static int ndef_parse_record(const u8 *data, u32 size,
+ } else {
+ if (size < 6)
+ return -1;
+- record->payload_length = ntohl(*(u32 *)pos);
++ record->payload_length = WPA_GET_BE32(pos);
+ pos += sizeof(u32);
+ }
+
+-- 
+1.7.9.5
+
diff --git a/net-wireless/wpa_supplicant/files/2015-5/0002-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch b/net-wireless/wpa_supplicant/files/2015-5/0002-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch
new file mode 100644
index 00000000000..1f624c8dad4
--- /dev/null
+++ b/net-wireless/wpa_supplicant/files/2015-5/0002-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch
@@ -0,0 +1,61 @@
+From df9079e72760ceb7ebe7fb11538200c516bdd886 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Tue, 7 Jul 2015 21:57:28 +0300
+Subject: [PATCH] NFC: Fix payload length validation in NDEF record parser
+
+It was possible for the 32-bit record->total_length value to end up
+wrapping around due to integer overflow if the longer form of payload
+length field is used and record->payload_length gets a value close to
+2^32. This could result in ndef_parse_record() accepting a too large
+payload length value and the record type filter reading up to about 20
+bytes beyond the end of the buffer and potentially killing the process.
+This could also result in an attempt to allocate close to 2^32 bytes of
+heap memory and if that were to succeed, a buffer read overflow of the
+same length which would most likely result in the process termination.
+In case of record->total_length ending up getting the value 0, there
+would be no buffer read overflow, but record parsing would result in an
+infinite loop in ndef_parse_records().
+
+Any of these error cases could potentially be used for denial of service
+attacks over NFC by using a malformed NDEF record on an NFC Tag or
+sending them during NFC connection handover if the application providing
+the NDEF message to hostapd/wpa_supplicant did no validation of the
+received records. While such validation is likely done in the NFC stack
+that needs to parse the NFC messages before further processing,
+hostapd/wpa_supplicant better be prepared for any data being included
+here.
+
+Fix this by validating record->payload_length value in a way that
+detects integer overflow. (CID 122668)
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/wps/ndef.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/wps/ndef.c b/src/wps/ndef.c
+index 5604b0a..50d018f 100644
+--- a/src/wps/ndef.c
++++ b/src/wps/ndef.c
+@@ -48,6 +48,8 @@ static int ndef_parse_record(const u8 *data, u32 size,
+ if (size < 6)
+ return -1;
+ record->payload_length = WPA_GET_BE32(pos);
++ if (record->payload_length > size - 6)
++ return -1;
+ pos += sizeof(u32);
+ }
+
+@@ -68,7 +70,8 @@ static int ndef_parse_record(const u8 *data, u32 size,
+ pos += record->payload_length;
+
+ record->total_length = pos - data;
+- if (record->total_length > size)
++ if (record->total_length > size ||
++ record->total_length < record->payload_length)
+ return -1;
+ return 0;
+ }
+-- 
+1.9.1
+
diff --git a/net-wireless/wpa_supplicant/files/wpa_cli.sh b/net-wireless/wpa_supplicant/files/wpa_cli.sh
new file mode 100644
index 00000000000..f363ba9c885
--- /dev/null
+++ b/net-wireless/wpa_supplicant/files/wpa_cli.sh
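Review bot: The new `record->payload_length > size - 6` check depends on the `size < 6` test two lines above to keep the u32 subtraction from wrapping, and that dependency is easy to break if someone later reorders the checks; a one-line comment on the added line, `/* size >= 6 was checked above, so size - 6 cannot wrap */`, makes it explicit. The second hunk's `total_length < payload_length` test is defence in depth rather than the primary bound — once payload_length is capped by the first hunk, the 32-bit `total_length` can no longer wrap and `total_length > size` already catches the overrun — so a short comment saying it guards against truncation of `pos - data` into the u32 field would spare the next reader from wondering which check is load-bearing. ndef_parse_record() starts before the first hunk.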
@@ -0,0 +1,47 @@
+#!/bin/sh
+# Copyright 1999-2011 Gentoo Foundation
+# Written by Roy Marples <uberlord@gentoo.org>
+# Distributed under the terms of the GNU General Public License v2
+# Alternatively, this file may be distributed under the terms of the BSD License
+# $Id$
+
+if [ -z "$1" -o -z "$2" ]; then
+ logger -t wpa_cli "Insufficient parameters"
+ exit 1
+fi
+
+INTERFACE="$1"
+ACTION="$2"
+
+# Note, the below action must NOT mark the interface down via ifconfig, ip or
+# similar. Addresses can be removed, changed and daemons can be stopped, but
+# the interface must remain up for wpa_supplicant to work.
+
+if [ -f /etc/gentoo-release ]; then
+ EXEC="/etc/init.d/net.${INTERFACE} --quiet"
+else
+ logger -t wpa_cli "I don't know what to do with this distro!"
+ exit 1
+fi
+
+case ${ACTION} in
+ CONNECTED)
+ EXEC="${EXEC} start"
+ ;;
+ DISCONNECTED)
+ # Deactivated, since stopping /etc/init.d/net.wlanX
+ # stops the network completly.
+ EXEC="false ${EXEC} stop"
+ ;;
+ *)
+ logger -t wpa_cli "Unknown action ${ACTION}"
+ exit 1
+ ;;
+esac
+
+# ${EXEC} can use ${IN_BACKGROUND} so that it knows that the user isn't
+# stopping the interface and a background process - like wpa_cli - is.
+export IN_BACKGROUND=true
+
+logger -t wpa_cli "interface ${INTERFACE} ${ACTION}"
+${EXEC} || logger -t wpa_cli "executing '${EXEC}' failed"
diff --git a/net-wireless/wpa_supplicant/files/wpa_supplicant-2.4-dbus-path-fix.patch b/net-wireless/wpa_supplicant/files/wpa_supplicant-2.4-dbus-path-fix.patch
new file mode 100644
index 00000000000..976d71b0ec3
--- /dev/null
+++ b/net-wireless/wpa_supplicant/files/wpa_supplicant-2.4-dbus-path-fix.patch
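Review bot: The final `${EXEC} || logger ...` relies on unquoted word-splitting of a string to rebuild argv, and that string is built from `$1`, which wpa_supplicant passes as the interface name; Linux interface names cannot contain whitespace or `/`, so this is not an injection path today, but it is fragile and is also why the disabled DISCONNECTED arm has to be spelled `false ${EXEC} stop`. Holding the command in the positional parameters instead keeps every argument intact without changing what is executed, as sketched below. Separately, the `-o` operator in `[ -z "$1" -o -z "$2" ]` is marked obsolescent by POSIX; `[ -z "$1" ] || [ -z "$2" ]` is the portable form.
```shell
if [ -f /etc/gentoo-release ]; then
	set -- "/etc/init.d/net.${INTERFACE}" --quiet
# … unchanged: else branch, fi …
	CONNECTED)
		set -- "$@" start
		;;
	DISCONNECTED)
		# … unchanged: comment explaining why this arm is disabled …
		set -- false "$@" stop
		;;
# … unchanged: default arm, esac, IN_BACKGROUND export, first logger call …
"$@" || logger -t wpa_cli "executing '$*' failed"
```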
@@ -0,0 +1,20 @@
+diff -aurp a/wpa_supplicant/dbus/fi.epitest.hostap.WPASupplicant.service.in b/wpa_supplicant/dbus/fi.epitest.hostap.WPASupplicant.service.in
+--- a/wpa_supplicant/dbus/fi.epitest.hostap.WPASupplicant.service.in 2012-05-15 09:00:03.048545044 +0000
++++ b/wpa_supplicant/dbus/fi.epitest.hostap.WPASupplicant.service.in 2012-05-15 09:01:19.759550509 +0000
+@@ -1,5 +1,5 @@
+ [D-BUS Service]
+ Name=fi.epitest.hostap.WPASupplicant
+-Exec=@BINDIR@/wpa_supplicant -u
++Exec=/usr/sbin/wpa_supplicant -u
+ User=root
+ SystemdService=wpa_supplicant.service
+diff -aurp a/wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in b/wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in
+--- a/wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in 2012-05-15 09:00:03.048545044 +0000
++++ b/wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in 2012-05-15 09:01:28.727551913 +0000
+@@ -1,5 +1,5 @@
+ [D-BUS Service]
+ Name=fi.w1.wpa_supplicant1
+-Exec=@BINDIR@/wpa_supplicant -u
++Exec=/usr/sbin/wpa_supplicant -u
+ User=root
+ SystemdService=wpa_supplicant.service
diff --git a/net-wireless/wpa_supplicant/files/wpa_supplicant-2.4-do-not-call-dbus-functions-with-NULL-path.patch b/net-wireless/wpa_supplicant/files/wpa_supplicant-2.4-do-not-call-dbus-functions-with-NULL-path.patch
new file mode 100644
index 00000000000..bbff73e13d4
--- /dev/null
+++ b/net-wireless/wpa_supplicant/files/wpa_supplicant-2.4-do-not-call-dbus-functions-with-NULL-path.patch
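Review bot: Replacing `@BINDIR@` with a literal `/usr/sbin/wpa_supplicant` in both service files hard-wires the D-Bus activation path to wherever this ebuild currently installs the binary; the build-time substitution was the mechanism that kept the two in step, so a later change to the install location (or a prefixed install) would break bus activation silently, with the daemon simply never starting on the first method call. A short note at the top of the patch file naming the ebuild step that installs the binary under /usr/sbin would make the coupling visible to the next maintainer; the ebuild itself is not in this view, so I cannot confirm the path matches.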
@@ -0,0 +1,60 @@
+diff -aurp a/wpa_supplicant/dbus/dbus_new_helpers.c b/wpa_supplicant/dbus/dbus_new_helpers.c
+--- a/wpa_supplicant/dbus/dbus_new_helpers.c 2012-05-15 07:28:37.616150164 +0000
++++ b/wpa_supplicant/dbus/dbus_new_helpers.c 2012-05-15 07:30:21.904157611 +0000
+@@ -882,7 +882,7 @@ void wpa_dbus_mark_property_changed(stru
+ const struct wpa_dbus_property_desc *dsc;
+ int i = 0;
+
+- if (iface == NULL)
++ if (iface == NULL || path == NULL)
+ return;
+
+ dbus_connection_get_object_path_data(iface->con, path,
+diff -aurp a/wpa_supplicant/dbus/dbus_old.c b/wpa_supplicant/dbus/dbus_old.c
+--- a/wpa_supplicant/dbus/dbus_old.c 2012-05-15 07:28:29.502149373 +0000
++++ b/wpa_supplicant/dbus/dbus_old.c 2012-05-15 07:30:48.859162441 +0000
+@@ -379,7 +379,7 @@ void wpa_supplicant_dbus_notify_scan_res
+ DBusMessage *_signal;
+
+ /* Do nothing if the control interface is not turned on */
+- if (iface == NULL)
++ if (iface == NULL || wpa_s->dbus_path == NULL)
+ return;
+
+ _signal = dbus_message_new_signal(wpa_s->dbus_path,
+@@ -419,7 +419,7 @@ void wpa_supplicant_dbus_notify_state_ch
+ if (wpa_s->global == NULL)
+ return;
+ iface = wpa_s->global->dbus;
+- if (iface == NULL)
++ if (iface == NULL || wpa_s->dbus_path == NULL)
+ return;
+
+ /* Only send signal if state really changed */
+@@ -478,7 +478,7 @@ void wpa_supplicant_dbus_notify_scanning
+ dbus_bool_t scanning = wpa_s->scanning ? TRUE : FALSE;
+
+ /* Do nothing if the control interface is not turned on */
+- if (iface == NULL)
++ if (iface == NULL || wpa_s->dbus_path == NULL)
+ return;
+
+ _signal = dbus_message_new_signal(wpa_s->dbus_path,
+@@ -513,7 +513,7 @@ void wpa_supplicant_dbus_notify_wps_cred
+ if (wpa_s->global == NULL)
+ return;
+ iface = wpa_s->global->dbus;
+- if (iface == NULL)
++ if (iface == NULL || wpa_s->dbus_path == NULL)
+ return;
+
+ _signal = dbus_message_new_signal(wpa_s->dbus_path,
+@@ -564,7 +564,7 @@ void wpa_supplicant_dbus_notify_certific
+ if (wpa_s->global == NULL)
+ return;
+ iface = wpa_s->global->dbus;
+- if (iface == NULL)
++ if (iface == NULL || wpa_s->dbus_path == NULL)
+ return;
+
+ _signal = dbus_message_new_signal(wpa_s->dbus_path,
diff --git a/net-wireless/wpa_supplicant/files/wpa_supplicant-2.4-generate-libeap-peer.patch b/net-wireless/wpa_supplicant/files/wpa_supplicant-2.4-generate-libeap-peer.patch
new file mode 100644
index 00000000000..6f360571335
--- /dev/null
+++ b/net-wireless/wpa_supplicant/files/wpa_supplicant-2.4-generate-libeap-peer.patch
@@ -0,0 +1,353 @@ +diff -Naurp a/src/eap_peer/Makefile b/src/eap_peer/Makefile +--- a/src/eap_peer/Makefile 2012-05-15 08:23:17.152386964 +0000 ++++ b/src/eap_peer/Makefile 2012-05-15 08:23:57.403389760 +0000 +@@ -1,11 +1,192 @@ +-all: +- @echo Nothing to be made. ++LIBEAP_NAME = libeap ++LIBEAP_CURRENT = 0 ++LIBEAP_REVISION = 0 ++LIBEAP_AGE = 0 ++ ++LIBEAP = $(LIBEAP_NAME).so.$(LIBEAP_CURRENT).$(LIBEAP_REVISION).$(LIBEAP_AGE) ++LIBEAP_SO = $(LIBEAP_NAME).so.$(LIBEAP_CURRENT) ++ ++.PHONY: all clean install uninstall ++ ++all: $(LIBEAP) ++ ++ifndef CC ++CC=gcc ++endif ++ ++ifndef CFLAGS ++CFLAGS = -MMD -O0 -Wall -g ++endif ++ ++CONFIG_TLS=openssl ++ ++INCLUDE_INSTALL_DIR=/usr/include/eap_peer ++ ++# Got to use override all across the board, otherwise a 'make ++# CFLAGS=XX' will kill us because the command line's CFLAGS will ++# overwrite Make's and we'll loose all the infrastructure it sets. ++override CFLAGS += -I. -I.. -I../crypto -I../utils -I../common ++ ++# at least for now, need to include config_ssid.h and config_blob.h from ++# wpa_supplicant directory ++override CFLAGS += -I ../../wpa_supplicant ++ ++OBJS_both += ../utils/common.o ++OBJS_both += ../utils/os_unix.o ++OBJS_both += ../utils/wpa_debug.o ++OBJS_both += ../utils/base64.o ++OBJS_both += ../utils/wpabuf.o ++OBJS_both += ../utils/eloop.o ++ifneq ($(CONFIG_TLS), openssl) ++OBJS_both += ../crypto/md5.o ++OBJS_both += ../crypto/sha1.o ++endif ++OBJS_both += ../crypto/sha1-tlsprf.o ++OBJS_both += ../crypto/aes-encblock.o ++ifneq ($(CONFIG_TLS), openssl) ++OBJS_both += ../crypto/aes-wrap.o ++endif ++OBJS_both += ../crypto/aes-ctr.o ++OBJS_both += ../crypto/aes-eax.o ++OBJS_both += ../crypto/aes-omac1.o ++OBJS_both += ../crypto/ms_funcs.o ++OBJS_both += ../crypto/sha256.o ++OBJS_both += ../crypto/random.o ++ ++ ++OBJS_both += ../eap_common/eap_peap_common.o ++OBJS_both += ../eap_common/eap_psk_common.o ++OBJS_both += ../eap_common/eap_pax_common.o ++OBJS_both += ../eap_common/eap_sake_common.o ++OBJS_both 
+= ../eap_common/eap_gpsk_common.o ++OBJS_both += ../eap_common/chap.o ++ ++OBJS_peer += ../eap_peer/eap_tls.o ++OBJS_peer += ../eap_peer/eap_peap.o ++OBJS_peer += ../eap_peer/eap_ttls.o ++OBJS_peer += ../eap_peer/eap_md5.o ++OBJS_peer += ../eap_peer/eap_mschapv2.o ++OBJS_peer += ../eap_peer/mschapv2.o ++OBJS_peer += ../eap_peer/eap_otp.o ++OBJS_peer += ../eap_peer/eap_gtc.o ++OBJS_peer += ../eap_peer/eap_leap.o ++OBJS_peer += ../eap_peer/eap_psk.o ++OBJS_peer += ../eap_peer/eap_pax.o ++OBJS_peer += ../eap_peer/eap_sake.o ++OBJS_peer += ../eap_peer/eap_gpsk.o ++OBJS_peer += ../eap_peer/eap.o ++OBJS_peer += ../eap_common/eap_common.o ++OBJS_peer += ../eap_peer/eap_methods.o ++OBJS_peer += ../eap_peer/eap_tls_common.o ++ ++override CFLAGS += -DEAP_TLS ++override CFLAGS += -DEAP_PEAP ++override CFLAGS += -DEAP_TTLS ++override CFLAGS += -DEAP_MD5 ++override CFLAGS += -DEAP_MSCHAPv2 ++override CFLAGS += -DEAP_GTC ++override CFLAGS += -DEAP_OTP ++override CFLAGS += -DEAP_LEAP ++override CFLAGS += -DEAP_PSK ++override CFLAGS += -DEAP_PAX ++override CFLAGS += -DEAP_SAKE ++override CFLAGS += -DEAP_GPSK -DEAP_GPSK_SHA256 ++override CFLAGS += -DEAP_TLS_FUNCS ++ ++override CFLAGS += -DIEEE8021X_EAPOL ++ ++ifeq ($(CONFIG_TLS), openssl) ++override CFLAGS += -DEAP_TLS_OPENSSL ++OBJS_both += ../crypto/tls_openssl.o ++OBJS_both += ../crypto/crypto_openssl.o ++LIBS += -lssl -lcrypto ++override CFLAGS += -DINTERNAL_SHA256 ++endif ++ ++ifeq ($(CONFIG_TLS), internal) ++OBJS_both += ../crypto/tls_internal.o ++OBJS_both += ../tls/tlsv1_common.o ../../tls/tlsv1_record.o ++OBJS_both += ../tls/tlsv1_cred.o ++OBJS_both += ../tls/asn1.o ../../tls/x509v3.o ++OBJS_both += ../crypto/crypto_internal.o ../../tls/rsa.o ../../tls/bignum.o ++ ++OBJS_peer += ../tls/tlsv1_client.o ++OBJS_peer += ../tls/tlsv1_client_write.o ../../tls/tlsv1_client_read.o ++override CFLAGS += -DCONFIG_TLS_INTERNAL_CLIENT ++ ++OBJS_server += ../tls/tlsv1_server.o ++OBJS_server += ../tls/tlsv1_server_write.o 
../../tls/tlsv1_server_read.o ++override CFLAGS += -DCONFIG_TLS_INTERNAL_SERVER ++ ++override CFLAGS += -DCONFIG_TLS_INTERNAL ++override CFLAGS += -DCONFIG_CRYPTO_INTERNAL ++override CFLAGS += -DCONFIG_INTERNAL_X509 ++override CFLAGS += -DINTERNAL_AES ++override CFLAGS += -DINTERNAL_SHA1 ++override CFLAGS += -DINTERNAL_SHA256 ++override CFLAGS += -DINTERNAL_MD5 ++override CFLAGS += -DINTERNAL_MD4 ++override CFLAGS += -DINTERNAL_DES ++ifdef CONFIG_INTERNAL_LIBTOMMATH ++override CFLAGS += -DCONFIG_INTERNAL_LIBTOMMATH ++else ++LIBS += -ltommath ++endif ++endif ++ ++ifndef LDO ++LDO=$(CC) ++endif ++ ++ ++OBJS_lib=$(OBJS_both) $(OBJS_peer) ++ ++ #$(OBJS_server) ++ ++override CFLAGS += -fPIC -DPIC ++LDFLAGS += -shared ++ ++$(LIBEAP): $(OBJS_lib) ++ $(LDO) $(LDFLAGS) $(OBJS_lib) -Wl,-soname -Wl,$(LIBEAP_SO) -o $(LIBEAP) $(LIBS) ++ ++ ++UTIL_HEADERS = ../utils/includes.h ../utils/common.h \ ++ ../utils/wpabuf.h ../utils/build_config.h \ ++ ../utils/os.h ../utils/wpa_debug.h ++COMMON_HEADERS = ../common/defs.h ++EAP_COMMON_HEADERS = ../eap_common/eap_defs.h ++MAIN_HEADERS = eap.h eap_methods.h eap_config.h ++CRYPTO_HEADERS = ../crypto/tls.h ++ ++install: ++ ++ mkdir -p $(DESTDIR)/usr/lib ++# copy the lib file to std lib location ++ cp $(LIBEAP) $(DESTDIR)/usr/lib ++ ln -fs $(LIBEAP_SO) $(DESTDIR)/usr/lib/$(LIBEAP_NAME).so ++ ln -fs $(LIBEAP_NAME).so.0.0.0 $(DESTDIR)/usr/lib/$(LIBEAP_NAME).so.0 ++ ++# copy the headers reqd by apps using eap peer library in its own subfolder under /usr/include ++ mkdir -p \ ++ $(DESTDIR)/$(INCLUDE_INSTALL_DIR)/eap_common \ ++ $(DESTDIR)/$(INCLUDE_INSTALL_DIR)/common \ ++ $(DESTDIR)/$(INCLUDE_INSTALL_DIR)/util \ ++ $(DESTDIR)/$(INCLUDE_INSTALL_DIR)/crypto ++ install -m 0644 $(EAP_COMMON_HEADERS) $(DESTDIR)/$(INCLUDE_INSTALL_DIR)/eap_common ++ install -m 0644 $(COMMON_HEADERS) $(DESTDIR)/$(INCLUDE_INSTALL_DIR)/common ++ install -m 0644 $(CRYPTO_HEADERS) $(DESTDIR)/$(INCLUDE_INSTALL_DIR)/crypto ++ install -m 0644 $(UTIL_HEADERS) 
$(DESTDIR)/$(INCLUDE_INSTALL_DIR)/util ++ install -m 0644 $(MAIN_HEADERS) $(DESTDIR)/$(INCLUDE_INSTALL_DIR)/ ++ ++ mkdir -p $(DESTDIR)/usr/lib/pkgconfig ++ cp libeap0.pc $(DESTDIR)/usr/lib/pkgconfig ++ ++uninstall: ++ ++ rm $(DESTDIR)/usr/lib/$(LIBEAP) ++ rm -fr $(DESTDIR)/$(INCLUDE_INSTALL_DIR) ++ rm -f $(DESTDIR)/usr/lib/pkgconfig/libeap0.pc + + clean: +- rm -f *~ *.o *.so *.d *.gcno *.gcda *.gcov ++ rm -f *~ *.o *.so *.d *.gcno *.gcda *.gcov libeap.a $(LIBEAP) $(OBJS_lib) + +-install: +- if ls *.so >/dev/null 2>&1; then \ +- install -d $(DESTDIR)$(LIBDIR)/wpa_supplicant && \ +- cp *.so $(DESTDIR)$(LIBDIR)/wpa_supplicant \ +- ; fi +diff -Naurp a/src/eap_peer/eap_methods.c b/src/eap_peer/eap_methods.c +--- a/src/eap_peer/eap_methods.c 2012-05-15 08:23:17.151386999 +0000 ++++ b/src/eap_peer/eap_methods.c 2012-05-15 08:23:57.403389760 +0000 +@@ -336,6 +336,120 @@ + + + /** ++ * eap_peer_register_methods - Register all known EAP peer methods ++ * ++ * This function is called at program start to register all compiled ++ * in EAP peer methods. 
++ */ ++int eap_peer_register_methods(void) ++{ ++ int ret = 0; ++ ++#ifdef EAP_MD5 ++ if (ret == 0) ++ ret = eap_peer_md5_register(); ++#endif /* EAP_MD5 */ ++ ++#ifdef EAP_TLS ++ if (ret == 0) ++ ret = eap_peer_tls_register(); ++#endif /* EAP_TLS */ ++ ++#ifdef EAP_MSCHAPv2 ++ if (ret == 0) ++ ret = eap_peer_mschapv2_register(); ++#endif /* EAP_MSCHAPv2 */ ++ ++#ifdef EAP_PEAP ++ if (ret == 0) ++ ret = eap_peer_peap_register(); ++#endif /* EAP_PEAP */ ++ ++#ifdef EAP_TTLS ++ if (ret == 0) ++ ret = eap_peer_ttls_register(); ++#endif /* EAP_TTLS */ ++ ++#ifdef EAP_GTC ++ if (ret == 0) ++ ret = eap_peer_gtc_register(); ++#endif /* EAP_GTC */ ++ ++#ifdef EAP_OTP ++ if (ret == 0) ++ ret = eap_peer_otp_register(); ++#endif /* EAP_OTP */ ++ ++#ifdef EAP_SIM ++ if (ret == 0) ++ ret = eap_peer_sim_register(); ++#endif /* EAP_SIM */ ++ ++#ifdef EAP_LEAP ++ if (ret == 0) ++ ret = eap_peer_leap_register(); ++#endif /* EAP_LEAP */ ++ ++#ifdef EAP_PSK ++ if (ret == 0) ++ ret = eap_peer_psk_register(); ++#endif /* EAP_PSK */ ++ ++#ifdef EAP_AKA ++ if (ret == 0) ++ ret = eap_peer_aka_register(); ++#endif /* EAP_AKA */ ++ ++#ifdef EAP_AKA_PRIME ++ if (ret == 0) ++ ret = eap_peer_aka_prime_register(); ++#endif /* EAP_AKA_PRIME */ ++ ++#ifdef EAP_FAST ++ if (ret == 0) ++ ret = eap_peer_fast_register(); ++#endif /* EAP_FAST */ ++ ++#ifdef EAP_PAX ++ if (ret == 0) ++ ret = eap_peer_pax_register(); ++#endif /* EAP_PAX */ ++ ++#ifdef EAP_SAKE ++ if (ret == 0) ++ ret = eap_peer_sake_register(); ++#endif /* EAP_SAKE */ ++ ++#ifdef EAP_GPSK ++ if (ret == 0) ++ ret = eap_peer_gpsk_register(); ++#endif /* EAP_GPSK */ ++ ++#ifdef EAP_WSC ++ if (ret == 0) ++ ret = eap_peer_wsc_register(); ++#endif /* EAP_WSC */ ++ ++#ifdef EAP_IKEV2 ++ if (ret == 0) ++ ret = eap_peer_ikev2_register(); ++#endif /* EAP_IKEV2 */ ++ ++#ifdef EAP_VENDOR_TEST ++ if (ret == 0) ++ ret = eap_peer_vendor_test_register(); ++#endif /* EAP_VENDOR_TEST */ ++ ++#ifdef EAP_TNC ++ if (ret == 0) ++ ret = 
eap_peer_tnc_register(); ++#endif /* EAP_TNC */ ++ ++ return ret; ++} ++ ++ ++/** + * eap_peer_unregister_methods - Unregister EAP peer methods + * + * This function is called at program termination to unregister all EAP peer +diff -Naurp a/src/eap_peer/eap_methods.h b/src/eap_peer/eap_methods.h +--- a/src/eap_peer/eap_methods.h 2012-05-15 08:23:17.151386999 +0000 ++++ b/src/eap_peer/eap_methods.h 2012-05-15 08:23:57.404389735 +0000 +@@ -26,6 +26,7 @@ + const char * eap_get_name(int vendor, EapType type); + size_t eap_get_names(char *buf, size_t buflen); + char ** eap_get_names_as_string_array(size_t *num); ++int eap_peer_register_methods(void); + void eap_peer_unregister_methods(void); + + #else /* IEEE8021X_EAPOL */ +diff -Naurp a/src/eap_peer/libeap0.pc b/src/eap_peer/libeap0.pc +--- a/src/eap_peer/libeap0.pc 1970-01-01 00:00:00.000000000 +0000 ++++ b/src/eap_peer/libeap0.pc 2012-05-15 08:23:57.404389735 +0000 +@@ -0,0 +1,10 @@ ++prefix=/usr ++exec_prefix=/usr ++libdir=${exec_prefix}/lib ++includedir=${prefix}/include/eap_peer ++ ++Name: libeap0 ++Description: EAP Peer Library API ++Version: 0.7.2 ++Libs: -L${libdir} -leap ++Cflags: -I${includedir} diff --git a/net-wireless/wpa_supplicant/files/wpa_supplicant-conf.d b/net-wireless/wpa_supplicant/files/wpa_supplicant-conf.d new file mode 100644 index 00000000000..104b9dc5d8c --- /dev/null +++ b/net-wireless/wpa_supplicant/files/wpa_supplicant-conf.d @@ -0,0 +1,6 @@ +# conf.d file for wpa_supplicant +# +# Please check man 8 wpa_supplicant for more information about the options +# wpa_supplicant accepts. +# +wpa_supplicant_args="" diff --git a/net-wireless/wpa_supplicant/files/wpa_supplicant-init.d b/net-wireless/wpa_supplicant/files/wpa_supplicant-init.d new file mode 100644 index 00000000000..8429a373384 --- /dev/null +++ b/net-wireless/wpa_supplicant/files/wpa_supplicant-init.d 
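Review bot: The new src/eap_peer/Makefile hard-codes `CONFIG_TLS=openssl` and then links `-lssl -lcrypto` unconditionally, ignoring the TLS backend the ebuild selects (openssl, gnutls or internal), so a USE="wimax -ssl" build produces a libeap linked against OpenSSL with no matching dependency declared and a different crypto backend than the wpa_supplicant binary itself. Either make it overridable (`CONFIG_TLS ?= openssl`) and have the ebuild pass the chosen backend, or add `wimax? ( ssl )` to REQUIRED_USE so the dependency and backend agree. The fallback `CFLAGS = -MMD -O0 -Wall -g` also ships an unoptimised debug build whenever CFLAGS is not exported, which a distro build should not rely on. libeap0.pc's `Version: 0.7.2` is stale for a 2.4 build and should track the package version.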
@@ -0,0 +1,70 @@
+#!/sbin/runscript
+# Copyright (c) 2009 Roy Marples <roy@marples.name>
+# All rights reserved. Released under the 2-clause BSD license.
+
+command=/usr/sbin/wpa_supplicant
+: ${wpa_supplicant_conf:=/etc/wpa_supplicant/wpa_supplicant.conf}
+wpa_supplicant_if=${wpa_supplicant_if:+-i}$wpa_supplicant_if
+command_args="$wpa_supplicant_args -B -c$wpa_supplicant_conf $wpa_supplicant_if"
+name="WPA Supplicant Daemon"
+
+depend()
+{
+ need localmount
+ use logger
+ after bootmisc modules
+ before dns dhcpcd net
+ keyword -shutdown
+}
+
+find_wireless()
+{
+ local iface=
+
+ case "$RC_UNAME" in
+ Linux)
+ for iface in /sys/class/net/*; do
+ if [ -e "$iface"/wireless -o \
+ -e "$iface"/phy80211 ]
+ then
+ echo "${iface##*/}"
+ return 0
+ fi
+ done
+ ;;
+ *)
+ for iface in /dev/net/* $(ifconfig -l 2>/dev/null); do
+ if ifconfig "${iface##*/}" 2>/dev/null | \
+ grep -q "[ ]*ssid "
+ then
+ echo "${iface##*/}"
+ return 0
+ fi
+ done
+ ;;
+ esac
+
+ return 1
+}
+
+append_wireless()
+{
+ local iface= i=
+
+ iface=$(find_wireless)
+ if [ -n "$iface" ]; then
+ for i in $iface; do
+ command_args="$command_args -i$i"
+ done
+ else
+ eerror "Could not find a wireless interface"
+ fi
+}
+
+start_pre()
+{
+ case " $command_args" in
+ *" -i"*) ;;
+ *) append_wireless;;
+ esac
+}
diff --git a/net-wireless/wpa_supplicant/files/wpa_supplicant.conf b/net-wireless/wpa_supplicant/files/wpa_supplicant.conf
new file mode 100644
index 00000000000..c3a29e50d9c
--- /dev/null
+++ b/net-wireless/wpa_supplicant/files/wpa_supplicant.conf
@@ -0,0 +1,7 @@
+# This is a network block that connects to any unsecured access point.
+# We give it a low priority so any defined blocks are preferred.
+network={
+ key_mgmt=NONE
+ priority=-9999999
+}
+
diff --git a/net-wireless/wpa_supplicant/files/wpa_supplicant.service b/net-wireless/wpa_supplicant/files/wpa_supplicant.service
new file mode 100644
index 00000000000..e1e75b12952
--- /dev/null
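Review bot: In append_wireless the failure branch only prints `eerror "Could not find a wireless interface"` and falls through, so start_pre still succeeds and wpa_supplicant is started with no `-i` at all, failing later with a less useful message; change it to `eerror "Could not find a wireless interface"; return 1`, which start_pre already propagates because `*) append_wireless;;` is the last command in its case. Also find_wireless returns on the first match, so the `for i in $iface` loop only ever sees one interface; either drop the two `return 0` lines so every wireless interface is listed, or reduce the loop to a single `command_args="$command_args -i$iface"` so the code does not suggest multi-interface handling it does not have.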
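Review bot: The shipped default configuration auto-associates with any open network (`key_mgmt=NONE` and no ssid), which exposes a fresh install to rogue or evil-twin access points without any user action — a risky default for a security package, and the comment presents it as intended behaviour. If the file is kept I would at least add `# WARNING: this block joins ANY open network; remove it if that is not what you want` and consider shipping the block commented out. Note that the visible ebuilds install the upstream example via dodoc rather than this file, so it may currently be unused; if so it should be dropped rather than left to be picked up later.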
+++ b/net-wireless/wpa_supplicant/files/wpa_supplicant.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=WPA supplicant
+
+[Service]
+Type=dbus
+BusName=fi.epitest.hostap.WPASupplicant
+ExecStart=/usr/sbin/wpa_supplicant -c/etc/wpa_supplicant/wpa_supplicant.conf -u
+
+[Install]
+WantedBy=multi-user.target
+Alias=dbus-fi.epitest.hostap.WPASupplicant.service
diff --git a/net-wireless/wpa_supplicant/files/wpa_supplicant_at.service b/net-wireless/wpa_supplicant/files/wpa_supplicant_at.service
new file mode 100644
index 00000000000..af0cebfd691
--- /dev/null
+++ b/net-wireless/wpa_supplicant/files/wpa_supplicant_at.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=WPA supplicant daemon (interface-specific version)
+
+# NetworkManager users will probably want the dbus version instead.
+
+[Service]
+Type=simple
+ExecStart=/usr/sbin/wpa_supplicant -c/etc/wpa_supplicant/wpa_supplicant.conf -i%I
+
+[Install]
+Alias=multi-user.target.wants/wpa_supplicant@wlan0.service
diff --git a/net-wireless/wpa_supplicant/metadata.xml b/net-wireless/wpa_supplicant/metadata.xml
new file mode 100644
index 00000000000..27c3b642319
--- /dev/null
+++ b/net-wireless/wpa_supplicant/metadata.xml
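Review bot: `Alias=multi-user.target.wants/wpa_supplicant@wlan0.service` in the template unit's [Install] section abuses Alias= to create a .wants symlink; Alias= is meant for alternative unit names with the same suffix, and newer systemd releases reject aliases containing a path, so `systemctl enable` of this template is likely to fail. The idiomatic form is `WantedBy=multi-user.target` together with `DefaultInstance=wlan0`. Both FILESDIR units also appear unused by the visible ebuilds, which install upstream's systemd/*.service files, so either drop them or document why they are kept; otherwise they will silently drift from what is actually installed.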
@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <maintainer>
+ <email>gurligebis@gentoo.org</email>
+ <name>Bjarke Istrup Pedersen</name>
+ </maintainer>
+ <maintainer>
+ <email>zerochaos@gentoo.org</email>
+ <name>Rick Farina</name>
+ </maintainer>
+ <use>
+ <flag name='ap'>Add support for access point mode</flag>
+ <flag name='eap-sim'>Add support for EAP-SIM authentication algorithm</flag>
+ <flag name='fasteap'>Add support for FAST-EAP authentication algorithm</flag>
+ <flag name='hs2-0'>Add support for 802.11u and Passpoint for HotSpot 2.0</flag>
+ <flag name='p2p'>Add support for Wi-Fi Direct mode</flag>
+ <flag name='ps3'>Add support for ps3 hypervisor driven gelic wifi</flag>
+ <flag name='tdls'>Add support for Tunneled Direct Link Setup (802.11z)</flag>
+ <flag name='uncommon-eap-types'>Add support for Wi-Fi Protected Setup</flag>
+ <flag name='wps'>Add support for Wi-Fi Protected Setup</flag>
+ <flag name='wimax'>Add support for Wimax EAP-PEER authentication algorithm</flag>
+ <flag name='smartcard'>Add support for smartcards</flag>
+ </use>
+ <upstream>
+ <remote-id type="cpe">cpe:/a:wpa_supplicant:wpa_supplicant</remote-id>
+ </upstream>
+</pkgmetadata>
diff --git a/net-wireless/wpa_supplicant/wpa_supplicant-2.4-r3.ebuild b/net-wireless/wpa_supplicant/wpa_supplicant-2.4-r3.ebuild
new file mode 100644
index 00000000000..98de2c06964
--- /dev/null
+++ b/net-wireless/wpa_supplicant/wpa_supplicant-2.4-r3.ebuild
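Review bot: The description of the `uncommon-eap-types` flag is a copy of the `wps` flag's text ("Add support for Wi-Fi Protected Setup"), which is wrong: per the r3 ebuild's src_configure the flag enables EAP-GPSK, EAP-SAKE, EAP-IKEv2 and EAP-EKE. Suggested line: `<flag name='uncommon-eap-types'>Add support for uncommon EAP methods (GPSK, SAKE, IKEv2, EKE)</flag>`. The CPE `cpe:/a:wpa_supplicant:wpa_supplicant` should also be checked against NVD, which to my knowledge lists this project under vendor `w1.fi` (`cpe:/a:w1.fi:wpa_supplicant`); a wrong vendor string silently breaks automated CVE-to-package matching for a package that just received four security patches.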
@@ -0,0 +1,383 @@ +# Copyright 1999-2015 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Id$ + +EAPI=5 + +inherit eutils toolchain-funcs qt4-r2 systemd multilib + +DESCRIPTION="IEEE 802.1X/WPA supplicant for secure wireless transfers" +HOMEPAGE="http://hostap.epitest.fi/wpa_supplicant/" +SRC_URI="http://hostap.epitest.fi/releases/${P}.tar.gz" +LICENSE="|| ( GPL-2 BSD )" + +SLOT="0" +KEYWORDS="~alpha amd64 arm ~arm64 ~ia64 ~mips ppc ppc64 ~sparc x86 ~x86-fbsd" +IUSE="ap dbus gnutls eap-sim fasteap +hs2-0 p2p ps3 qt4 readline selinux smartcard ssl tdls uncommon-eap-types wimax wps kernel_linux kernel_FreeBSD" +REQUIRED_USE="fasteap? ( !gnutls !ssl ) smartcard? ( ssl )" + +CDEPEND="dbus? ( sys-apps/dbus ) + kernel_linux? ( + eap-sim? ( sys-apps/pcsc-lite ) + dev-libs/libnl:3 + net-wireless/crda + ) + !kernel_linux? ( net-libs/libpcap ) + qt4? ( + dev-qt/qtcore:4 + dev-qt/qtgui:4 + dev-qt/qtsvg:4 + ) + readline? ( + sys-libs/ncurses + sys-libs/readline:0 + ) + ssl? ( dev-libs/openssl:0 ) + !ssl? ( gnutls? ( net-libs/gnutls ) ) + !ssl? ( !gnutls? ( dev-libs/libtommath ) ) +" +DEPEND="${CDEPEND} + virtual/pkgconfig +" +RDEPEND="${CDEPEND} + selinux? ( sec-policy/selinux-networkmanager ) +" + +S="${WORKDIR}/${P}/${PN}" + +Kconfig_style_config() { + #param 1 is CONFIG_* item + #param 2 is what to set it = to, defaulting in y + CONFIG_PARAM="${CONFIG_HEADER:-CONFIG_}$1" + setting="${2:-y}" + + if [ ! 
$setting = n ]; then + #first remove any leading "# " if $2 is not n + sed -i "/^# *$CONFIG_PARAM=/s/^# *//" .config || echo "Kconfig_style_config error uncommenting $CONFIG_PARAM" + #set item = $setting (defaulting to y) + sed -i "/^$CONFIG_PARAM/s/=.*/=$setting/" .config || echo "Kconfig_style_config error setting $CONFIG_PARAM=$setting" + else + #ensure item commented out + sed -i "/^$CONFIG_PARAM/s/$CONFIG_PARAM/# $CONFIG_PARAM/" .config || echo "Kconfig_style_config error commenting $CONFIG_PARAM" + fi +} + +pkg_setup() { + if use gnutls && use ssl ; then + elog "You have both 'gnutls' and 'ssl' USE flags enabled: defaulting to USE=\"ssl\"" + fi +} + +src_prepare() { + # net/bpf.h needed for net-libs/libpcap on Gentoo/FreeBSD + sed -i \ + -e "s:\(#include <pcap\.h>\):#include <net/bpf.h>\n\1:" \ + ../src/l2_packet/l2_packet_freebsd.c || die + + # People seem to take the example configuration file too literally (bug #102361) + sed -i \ + -e "s:^\(opensc_engine_path\):#\1:" \ + -e "s:^\(pkcs11_engine_path\):#\1:" \ + -e "s:^\(pkcs11_module_path\):#\1:" \ + wpa_supplicant.conf || die + + # Change configuration to match Gentoo locations (bug #143750) + sed -i \ + -e "s:/usr/lib/opensc:/usr/$(get_libdir):" \ + -e "s:/usr/lib/pkcs11:/usr/$(get_libdir):" \ + wpa_supplicant.conf || die + + if use dbus; then + epatch "${FILESDIR}/${P}-dbus-path-fix.patch" + fi + + # systemd entries to D-Bus service files (bug #372877) + echo 'SystemdService=wpa_supplicant.service' \ + | tee -a dbus/*.service >/dev/null || die + + cd "${WORKDIR}/${P}" + + if use wimax; then + # generate-libeap-peer.patch comes before + # fix-undefined-reference-to-random_get_bytes.patch + epatch "${FILESDIR}/${P}-generate-libeap-peer.patch" + + # multilib-strict fix (bug #373685) + sed -e "s/\/usr\/lib/\/usr\/$(get_libdir)/" -i src/eap_peer/Makefile + fi + + # bug (548742) + epatch "${FILESDIR}/2015-1/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch" + epatch 
"${FILESDIR}/2015-2/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch" + epatch "${FILESDIR}/2015-3/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch" + epatch "${FILESDIR}/2015-4/0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch" + epatch "${FILESDIR}/2015-4/0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch" + epatch "${FILESDIR}/2015-4/0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch" + epatch "${FILESDIR}/2015-4/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch" + epatch "${FILESDIR}/2015-4/0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch" + + # bug (320097) + epatch "${FILESDIR}/${P}-do-not-call-dbus-functions-with-NULL-path.patch" + + # TODO - NEED TESTING TO SEE IF STILL NEEDED, NOT COMPATIBLE WITH 1.0 OUT OF THE BOX, + # SO WOULD BE NICE TO JUST DROP IT, IF IT IS NOT NEEDED. + # bug (374089) + #epatch "${FILESDIR}/${P}-dbus-WPAIE-fix.patch" +} + +src_configure() { + # Toolchain setup + tc-export CC + + cp defconfig .config + + # Basic setup + Kconfig_style_config CTRL_IFACE + Kconfig_style_config BACKEND file + Kconfig_style_config IBSS_RSN + Kconfig_style_config IEEE80211W + Kconfig_style_config IEEE80211R + + # Basic authentication methods + # NOTE: we don't set GPSK or SAKE as they conflict + # with the below options + Kconfig_style_config EAP_GTC + Kconfig_style_config EAP_MD5 + Kconfig_style_config EAP_OTP + Kconfig_style_config EAP_PAX + Kconfig_style_config EAP_PSK + Kconfig_style_config EAP_TLV + Kconfig_style_config EAP_EXE + Kconfig_style_config IEEE8021X_EAPOL + Kconfig_style_config PKCS12 + Kconfig_style_config PEERKEY + Kconfig_style_config EAP_LEAP + Kconfig_style_config EAP_MSCHAPV2 + Kconfig_style_config EAP_PEAP + Kconfig_style_config EAP_TLS + Kconfig_style_config EAP_TTLS + + # Enabling background scanning. 
+ Kconfig_style_config BGSCAN_SIMPLE + Kconfig_style_config BGSCAN_LEARN + + if use dbus ; then + Kconfig_style_config CTRL_IFACE_DBUS + Kconfig_style_config CTRL_IFACE_DBUS_NEW + Kconfig_style_config CTRL_IFACE_DBUS_INTRO + fi + + # Enable support for writing debug info to a log file and syslog. + Kconfig_style_config DEBUG_FILE + Kconfig_style_config DEBUG_SYSLOG + + if use hs2-0 ; then + Kconfig_style_config INTERWORKING + Kconfig_style_config HS20 + fi + + if use uncommon-eap-types; then + Kconfig_style_config EAP_GPSK + Kconfig_style_config EAP_SAKE + Kconfig_style_config EAP_GPSK_SHA256 + Kconfig_style_config EAP_IKEV2 + Kconfig_style_config EAP_EKE + fi + + if use eap-sim ; then + # Smart card authentication + Kconfig_style_config EAP_SIM + Kconfig_style_config EAP_AKA + Kconfig_style_config EAP_AKA_PRIME + Kconfig_style_config PCSC + fi + + if use fasteap ; then + Kconfig_style_config EAP_FAST + fi + + if use readline ; then + # readline/history support for wpa_cli + Kconfig_style_config READLINE + else + #internal line edit mode for wpa_cli + Kconfig_style_config WPA_CLI_EDIT + fi + + # SSL authentication methods + if use ssl ; then + Kconfig_style_config TLS openssl + elif use gnutls ; then + Kconfig_style_config TLS gnutls + Kconfig_style_config GNUTLS_EXTRA + else + Kconfig_style_config TLS internal + fi + + if use smartcard ; then + Kconfig_style_config SMARTCARD + fi + + if use tdls ; then + Kconfig_style_config TDLS + fi + + if use kernel_linux ; then + # Linux specific drivers + Kconfig_style_config DRIVER_ATMEL + Kconfig_style_config DRIVER_HOSTAP + Kconfig_style_config DRIVER_IPW + Kconfig_style_config DRIVER_NL80211 + Kconfig_style_config DRIVER_RALINK + Kconfig_style_config DRIVER_WEXT + Kconfig_style_config DRIVER_WIRED + + if use ps3 ; then + Kconfig_style_config DRIVER_PS3 + fi + + elif use kernel_FreeBSD ; then + # FreeBSD specific driver + Kconfig_style_config DRIVER_BSD + fi + + # Wi-Fi Protected Setup (WPS) + if use wps ; then + 
Kconfig_style_config WPS + Kconfig_style_config WPS2 + # USB Flash Drive + Kconfig_style_config WPS_UFD + # External Registrar + Kconfig_style_config WPS_ER + # Universal Plug'n'Play + Kconfig_style_config WPS_UPNP + # Near Field Communication + Kconfig_style_config WPS_NFC + fi + + # Wi-Fi Direct (WiDi) + if use p2p ; then + Kconfig_style_config P2P + Kconfig_style_config WIFI_DISPLAY + fi + + # Access Point Mode + if use ap ; then + Kconfig_style_config AP + fi + + # Enable mitigation against certain attacks against TKIP + Kconfig_style_config DELAYED_MIC_ERROR_REPORT + + # If we are using libnl 2.0 and above, enable support for it + # Bug 382159 + # Removed for now, since the 3.2 version is broken, and we don't + # support it. + if has_version ">=dev-libs/libnl-3.2"; then + Kconfig_style_config LIBNL32 + fi + + if use qt4 ; then + pushd "${S}"/wpa_gui-qt4 > /dev/null + eqmake4 wpa_gui.pro + popd > /dev/null + fi +} + +src_compile() { + einfo "Building wpa_supplicant" + emake V=1 BINDIR=/usr/sbin + + if use wimax; then + emake -C ../src/eap_peer clean + emake -C ../src/eap_peer + fi + + if use qt4 ; then + pushd "${S}"/wpa_gui-qt4 > /dev/null + einfo "Building wpa_gui" + emake + popd > /dev/null + fi +} + +src_install() { + dosbin wpa_supplicant + dobin wpa_cli wpa_passphrase + + # baselayout-1 compat + if has_version "<sys-apps/baselayout-2.0.0"; then + dodir /sbin + dosym /usr/sbin/wpa_supplicant /sbin/wpa_supplicant + dodir /bin + dosym /usr/bin/wpa_cli /bin/wpa_cli + fi + + if has_version ">=sys-apps/openrc-0.5.0"; then + newinitd "${FILESDIR}/${PN}-init.d" wpa_supplicant + newconfd "${FILESDIR}/${PN}-conf.d" wpa_supplicant + fi + + exeinto /etc/wpa_supplicant/ + newexe "${FILESDIR}/wpa_cli.sh" wpa_cli.sh + + dodoc ChangeLog {eap_testing,todo}.txt README{,-WPS} \ + wpa_supplicant.conf + + newdoc .config build-config + + doman doc/docbook/*.{5,8} + + if use qt4 ; then + into /usr + dobin wpa_gui-qt4/wpa_gui + doicon wpa_gui-qt4/icons/wpa_gui.svg + 
make_desktop_entry wpa_gui "WPA Supplicant Administration GUI" "wpa_gui" "Qt;Network;" + fi + + use wimax && emake DESTDIR="${D}" -C ../src/eap_peer install + + if use dbus ; then + pushd "${S}"/dbus > /dev/null + insinto /etc/dbus-1/system.d + newins dbus-wpa_supplicant.conf wpa_supplicant.conf + insinto /usr/share/dbus-1/system-services + doins fi.epitest.hostap.WPASupplicant.service fi.w1.wpa_supplicant1.service + popd > /dev/null + + # This unit relies on dbus support, bug 538600. + systemd_dounit systemd/wpa_supplicant.service + fi + + systemd_dounit "systemd/wpa_supplicant@.service" + systemd_dounit "systemd/wpa_supplicant-nl80211@.service" + systemd_dounit "systemd/wpa_supplicant-wired@.service" +} + +pkg_postinst() { + elog "If this is a clean installation of wpa_supplicant, you" + elog "have to create a configuration file named" + elog "/etc/wpa_supplicant/wpa_supplicant.conf" + elog + elog "An example configuration file is available for reference in" + elog "/usr/share/doc/${PF}/" + + if [[ -e ${ROOT}etc/wpa_supplicant.conf ]] ; then + echo + ewarn "WARNING: your old configuration file ${ROOT}etc/wpa_supplicant.conf" + ewarn "needs to be moved to ${ROOT}etc/wpa_supplicant/wpa_supplicant.conf" + fi + + # Mea culpa, feel free to remove that after some time --mgorny. + local fn + for fn in wpa_supplicant{,@wlan0}.service; do + if [[ -e "${ROOT}"/etc/systemd/system/network.target.wants/${fn} ]] + then + ebegin "Moving ${fn} to multi-user.target" + mv "${ROOT}"/etc/systemd/system/network.target.wants/${fn} \ + "${ROOT}"/etc/systemd/system/multi-user.target.wants/ + eend ${?} \ + "Please try to re-enable ${fn}" + fi + done +} diff --git a/net-wireless/wpa_supplicant/wpa_supplicant-2.4-r4.ebuild b/net-wireless/wpa_supplicant/wpa_supplicant-2.4-r4.ebuild new file mode 100644 index 00000000000..d52a6fb1328 --- /dev/null +++ b/net-wireless/wpa_supplicant/wpa_supplicant-2.4-r4.ebuild 
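Review bot: Kconfig_style_config swallows sed failures with `echo` instead of `die`, so a failed edit of .config (for IEEE80211W, the EAP options, or the TLS backend) would silently yield a build without that feature instead of aborting; it also leaks `CONFIG_PARAM` and `setting` as globals and matches `/^$CONFIG_PARAM/` as a bare prefix, so `Kconfig_style_config AP` or `TLS` can rewrite any uncommented `CONFIG_AP_*` or `CONFIG_TLS*` line as well. The rewrite below anchors every pattern on `=`, makes the variables local and fails hard; the same `|| die` treatment is due for the unchecked `sed ... -i src/eap_peer/Makefile` in src_prepare.
```shell
Kconfig_style_config() {
	# $1: CONFIG_* item; $2: value (defaults to y, "n" comments the item out)
	local CONFIG_PARAM="${CONFIG_HEADER:-CONFIG_}$1"
	local setting="${2:-y}"

	if [ ! $setting = n ]; then
		# uncomment an exact "# CONFIG_FOO=" line, then set its value
		sed -i "/^# *$CONFIG_PARAM=/s/^# *//" .config || die "uncommenting $CONFIG_PARAM failed"
		sed -i "/^$CONFIG_PARAM=/s/=.*/=$setting/" .config || die "setting $CONFIG_PARAM=$setting failed"
	else
		sed -i "/^$CONFIG_PARAM=/s/^/# /" .config || die "commenting $CONFIG_PARAM failed"
	fi
}
```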
@@ -0,0 +1,387 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+
+inherit eutils toolchain-funcs qt4-r2 systemd multilib
+
+DESCRIPTION="IEEE 802.1X/WPA supplicant for secure wireless transfers"
+HOMEPAGE="http://hostap.epitest.fi/wpa_supplicant/"
+SRC_URI="http://hostap.epitest.fi/releases/${P}.tar.gz"
+LICENSE="|| ( GPL-2 BSD )"
+
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86 ~x86-fbsd"
+IUSE="ap dbus gnutls eap-sim fasteap +hs2-0 p2p ps3 qt4 readline selinux smartcard ssl tdls uncommon-eap-types wimax wps kernel_linux kernel_FreeBSD"
+REQUIRED_USE="fasteap? ( !gnutls !ssl ) smartcard? ( ssl )"
+
+CDEPEND="dbus? ( sys-apps/dbus )
+ kernel_linux? (
+ eap-sim? ( sys-apps/pcsc-lite )
+ dev-libs/libnl:3
+ net-wireless/crda
+ )
+ !kernel_linux? ( net-libs/libpcap )
+ qt4? (
+ dev-qt/qtcore:4
+ dev-qt/qtgui:4
+ dev-qt/qtsvg:4
+ )
+ readline? (
+ sys-libs/ncurses
+ sys-libs/readline:0
+ )
+ ssl? ( dev-libs/openssl:0 )
+ !ssl? ( gnutls? ( net-libs/gnutls ) )
+ !ssl? ( !gnutls? ( dev-libs/libtommath ) )
+"
+DEPEND="${CDEPEND}
+ virtual/pkgconfig
+"
+RDEPEND="${CDEPEND}
+ selinux? ( sec-policy/selinux-networkmanager )
+"
+
+S="${WORKDIR}/${P}/${PN}"
+
+Kconfig_style_config() {
+ #param 1 is CONFIG_* item
+ #param 2 is what to set it = to, defaulting in y
+ CONFIG_PARAM="${CONFIG_HEADER:-CONFIG_}$1"
+ setting="${2:-y}"
+
+ if [ ! $setting = n ]; then
+ #first remove any leading "# " if $2 is not n
+ sed -i "/^# *$CONFIG_PARAM=/s/^# *//" .config || echo "Kconfig_style_config error uncommenting $CONFIG_PARAM"
+ #set item = $setting (defaulting to y)
+ sed -i "/^$CONFIG_PARAM/s/=.*/=$setting/" .config || echo "Kconfig_style_config error setting $CONFIG_PARAM=$setting"
+ else
+ #ensure item commented out
+ sed -i "/^$CONFIG_PARAM/s/$CONFIG_PARAM/# $CONFIG_PARAM/" .config || echo "Kconfig_style_config error commenting $CONFIG_PARAM"
+ fi
+}
+
+pkg_setup() {
+ if use gnutls && use ssl ; then
+ elog "You have both 'gnutls' and 'ssl' USE flags enabled: defaulting to USE=\"ssl\""
+ fi
+}
+
+src_prepare() {
+ # net/bpf.h needed for net-libs/libpcap on Gentoo/FreeBSD
+ sed -i \
+ -e "s:\(#include <pcap\.h>\):#include <net/bpf.h>\n\1:" \
+ ../src/l2_packet/l2_packet_freebsd.c || die
+
+ # People seem to take the example configuration file too literally (bug #102361)
+ sed -i \
+ -e "s:^\(opensc_engine_path\):#\1:" \
+ -e "s:^\(pkcs11_engine_path\):#\1:" \
+ -e "s:^\(pkcs11_module_path\):#\1:" \
+ wpa_supplicant.conf || die
+
+ # Change configuration to match Gentoo locations (bug #143750)
+ sed -i \
+ -e "s:/usr/lib/opensc:/usr/$(get_libdir):" \
+ -e "s:/usr/lib/pkcs11:/usr/$(get_libdir):" \
+ wpa_supplicant.conf || die
+
+ if use dbus; then
+ epatch "${FILESDIR}/${P}-dbus-path-fix.patch"
+ fi
+
+ # systemd entries to D-Bus service files (bug #372877)
+ echo 'SystemdService=wpa_supplicant.service' \
+ | tee -a dbus/*.service >/dev/null || die
+
+ cd "${WORKDIR}/${P}"
+
+ if use wimax; then
+ # generate-libeap-peer.patch comes before
+ # fix-undefined-reference-to-random_get_bytes.patch
+ epatch "${FILESDIR}/${P}-generate-libeap-peer.patch"
+
+ # multilib-strict fix (bug #373685)
+ sed -e "s/\/usr\/lib/\/usr\/$(get_libdir)/" -i src/eap_peer/Makefile
+ fi
+
+ # bug (548742)
+ epatch "${FILESDIR}/2015-1/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch"
+ epatch "${FILESDIR}/2015-2/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch"
+ epatch "${FILESDIR}/2015-3/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch"
+ epatch "${FILESDIR}/2015-4/0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch"
+ epatch "${FILESDIR}/2015-4/0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch"
+ epatch "${FILESDIR}/2015-4/0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch"
+ epatch "${FILESDIR}/2015-4/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch"
+ epatch "${FILESDIR}/2015-4/0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch"
+
+ # bug (554860)
+ epatch "${FILESDIR}/2015-5/0001-NFC-Avoid-misaligned-read-of-an-NDEF-field.patch"
+ epatch "${FILESDIR}/2015-5/0002-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch"
+
+ # bug (320097)
+ epatch "${FILESDIR}/${P}-do-not-call-dbus-functions-with-NULL-path.patch"
+
+ # TODO - NEED TESTING TO SEE IF STILL NEEDED, NOT COMPATIBLE WITH 1.0 OUT OF THE BOX,
+ # SO WOULD BE NICE TO JUST DROP IT, IF IT IS NOT NEEDED.
+ # bug (374089)
+ #epatch "${FILESDIR}/${P}-dbus-WPAIE-fix.patch"
+}
+
+src_configure() {
+ # Toolchain setup
+ tc-export CC
+
+ cp defconfig .config
+
+ # Basic setup
+ Kconfig_style_config CTRL_IFACE
+ Kconfig_style_config BACKEND file
+ Kconfig_style_config IBSS_RSN
+ Kconfig_style_config IEEE80211W
+ Kconfig_style_config IEEE80211R
+
+ # Basic authentication methods
+ # NOTE: we don't set GPSK or SAKE as they conflict
+ # with the below options
+ Kconfig_style_config EAP_GTC
+ Kconfig_style_config EAP_MD5
+ Kconfig_style_config EAP_OTP
+ Kconfig_style_config EAP_PAX
+ Kconfig_style_config EAP_PSK
+ Kconfig_style_config EAP_TLV
+ Kconfig_style_config EAP_EXE
+ Kconfig_style_config IEEE8021X_EAPOL
+ Kconfig_style_config PKCS12
+ Kconfig_style_config PEERKEY
+ Kconfig_style_config EAP_LEAP
+ Kconfig_style_config EAP_MSCHAPV2
+ Kconfig_style_config EAP_PEAP
+ Kconfig_style_config EAP_TLS
+ Kconfig_style_config EAP_TTLS
+
+ # Enabling background scanning.
+ Kconfig_style_config BGSCAN_SIMPLE
+ Kconfig_style_config BGSCAN_LEARN
+
+ if use dbus ; then
+ Kconfig_style_config CTRL_IFACE_DBUS
+ Kconfig_style_config CTRL_IFACE_DBUS_NEW
+ Kconfig_style_config CTRL_IFACE_DBUS_INTRO
+ fi
+
+ # Enable support for writing debug info to a log file and syslog.
+ Kconfig_style_config DEBUG_FILE
+ Kconfig_style_config DEBUG_SYSLOG
+
+ if use hs2-0 ; then
+ Kconfig_style_config INTERWORKING
+ Kconfig_style_config HS20
+ fi
+
+ if use uncommon-eap-types; then
+ Kconfig_style_config EAP_GPSK
+ Kconfig_style_config EAP_SAKE
+ Kconfig_style_config EAP_GPSK_SHA256
+ Kconfig_style_config EAP_IKEV2
+ Kconfig_style_config EAP_EKE
+ fi
+
+ if use eap-sim ; then
+ # Smart card authentication
+ Kconfig_style_config EAP_SIM
+ Kconfig_style_config EAP_AKA
+ Kconfig_style_config EAP_AKA_PRIME
+ Kconfig_style_config PCSC
+ fi
+
+ if use fasteap ; then
+ Kconfig_style_config EAP_FAST
+ fi
+
+ if use readline ; then
+ # readline/history support for wpa_cli
+ Kconfig_style_config READLINE
+ else
+ #internal line edit mode for wpa_cli
+ Kconfig_style_config WPA_CLI_EDIT
+ fi
+
+ # SSL authentication methods
+ if use ssl ; then
+ Kconfig_style_config TLS openssl
+ elif use gnutls ; then
+ Kconfig_style_config TLS gnutls
+ Kconfig_style_config GNUTLS_EXTRA
+ else
+ Kconfig_style_config TLS internal
+ fi
+
+ if use smartcard ; then
+ Kconfig_style_config SMARTCARD
+ fi
+
+ if use tdls ; then
+ Kconfig_style_config TDLS
+ fi
+
+ if use kernel_linux ; then
+ # Linux specific drivers
+ Kconfig_style_config DRIVER_ATMEL
+ Kconfig_style_config DRIVER_HOSTAP
+ Kconfig_style_config DRIVER_IPW
+ Kconfig_style_config DRIVER_NL80211
+ Kconfig_style_config DRIVER_RALINK
+ Kconfig_style_config DRIVER_WEXT
+ Kconfig_style_config DRIVER_WIRED
+
+ if use ps3 ; then
+ Kconfig_style_config DRIVER_PS3
+ fi
+
+ elif use kernel_FreeBSD ; then
+ # FreeBSD specific driver
+ Kconfig_style_config DRIVER_BSD
+ fi
+
+ # Wi-Fi Protected Setup (WPS)
+ if use wps ; then
+ Kconfig_style_config WPS
+ Kconfig_style_config WPS2
+ # USB Flash Drive
+ Kconfig_style_config WPS_UFD
+ # External Registrar
+ Kconfig_style_config WPS_ER
+ # Universal Plug'n'Play
+ Kconfig_style_config WPS_UPNP
+ # Near Field Communication
+ Kconfig_style_config WPS_NFC
+ fi
+
+ # Wi-Fi Direct (WiDi)
+ if use p2p ; then
+ Kconfig_style_config P2P
+ Kconfig_style_config WIFI_DISPLAY
+ fi
+
+ # Access Point Mode
+ if use ap ; then
+ Kconfig_style_config AP
+ fi
+
+ # Enable mitigation against certain attacks against TKIP
+ Kconfig_style_config DELAYED_MIC_ERROR_REPORT
+
+ # If we are using libnl 2.0 and above, enable support for it
+ # Bug 382159
+ # Removed for now, since the 3.2 version is broken, and we don't
+ # support it.
+ if has_version ">=dev-libs/libnl-3.2"; then
+ Kconfig_style_config LIBNL32
+ fi
+
+ if use qt4 ; then
+ pushd "${S}"/wpa_gui-qt4 > /dev/null
+ eqmake4 wpa_gui.pro
+ popd > /dev/null
+ fi
+}
+
+src_compile() {
+ einfo "Building wpa_supplicant"
+ emake V=1 BINDIR=/usr/sbin
+
+ if use wimax; then
+ emake -C ../src/eap_peer clean
+ emake -C ../src/eap_peer
+ fi
+
+ if use qt4 ; then
+ pushd "${S}"/wpa_gui-qt4 > /dev/null
+ einfo "Building wpa_gui"
+ emake
+ popd > /dev/null
+ fi
+}
+
+src_install() {
+ dosbin wpa_supplicant
+ dobin wpa_cli wpa_passphrase
+
+ # baselayout-1 compat
+ if has_version "<sys-apps/baselayout-2.0.0"; then
+ dodir /sbin
+ dosym /usr/sbin/wpa_supplicant /sbin/wpa_supplicant
+ dodir /bin
+ dosym /usr/bin/wpa_cli /bin/wpa_cli
+ fi
+
+ if has_version ">=sys-apps/openrc-0.5.0"; then
+ newinitd "${FILESDIR}/${PN}-init.d" wpa_supplicant
+ newconfd "${FILESDIR}/${PN}-conf.d" wpa_supplicant
+ fi
+
+ exeinto /etc/wpa_supplicant/
+ newexe "${FILESDIR}/wpa_cli.sh" wpa_cli.sh
+
+ dodoc ChangeLog {eap_testing,todo}.txt README{,-WPS} \
+ wpa_supplicant.conf
+
+ newdoc .config build-config
+
+ doman doc/docbook/*.{5,8}
+
+ if use qt4 ; then
+ into /usr
+ dobin wpa_gui-qt4/wpa_gui
+ doicon wpa_gui-qt4/icons/wpa_gui.svg
+ make_desktop_entry wpa_gui "WPA Supplicant Administration GUI" "wpa_gui" "Qt;Network;"
+ fi
+
+ use wimax && emake DESTDIR="${D}" -C ../src/eap_peer install
+
+ if use dbus ; then
+ pushd "${S}"/dbus > /dev/null
+ insinto /etc/dbus-1/system.d
+ newins dbus-wpa_supplicant.conf wpa_supplicant.conf
+ insinto /usr/share/dbus-1/system-services
+ doins fi.epitest.hostap.WPASupplicant.service fi.w1.wpa_supplicant1.service
+ popd > /dev/null
+
+ # This unit relies on dbus support, bug 538600.
+ systemd_dounit systemd/wpa_supplicant.service
+ fi
+
+ systemd_dounit "systemd/wpa_supplicant@.service"
+ systemd_dounit "systemd/wpa_supplicant-nl80211@.service"
+ systemd_dounit "systemd/wpa_supplicant-wired@.service"
+}
+
+pkg_postinst() {
+ elog "If this is a clean installation of wpa_supplicant, you"
+ elog "have to create a configuration file named"
+ elog "/etc/wpa_supplicant/wpa_supplicant.conf"
+ elog
+ elog "An example configuration file is available for reference in"
+ elog "/usr/share/doc/${PF}/"
+
+ if [[ -e ${ROOT}etc/wpa_supplicant.conf ]] ; then
+ echo
+ ewarn "WARNING: your old configuration file ${ROOT}etc/wpa_supplicant.conf"
+ ewarn "needs to be moved to ${ROOT}etc/wpa_supplicant/wpa_supplicant.conf"
+ fi
+
+ # Mea culpa, feel free to remove that after some time --mgorny.
+ local fn
+ for fn in wpa_supplicant{,@wlan0}.service; do
+ if [[ -e "${ROOT}"/etc/systemd/system/network.target.wants/${fn} ]]
+ then
+ ebegin "Moving ${fn} to multi-user.target"
+ mv "${ROOT}"/etc/systemd/system/network.target.wants/${fn} \
+ "${ROOT}"/etc/systemd/system/multi-user.target.wants/
+ eend ${?} \
+ "Please try to re-enable ${fn}"
+ fi
+ done
+}
|
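Review bot: In `Kconfig_style_config`, only the first sed address carries the `=` anchor; the set and comment-out addresses are `/^$CONFIG_PARAM/`, a bare prefix, so a call such as `Kconfig_style_config WPS` also rewrites any uncommented `CONFIG_WPS2` or `CONFIG_WPS_*` line in `.config`. Anchoring them the same way, `sed -i "/^$CONFIG_PARAM=/s/=.*/=$setting/" .config` and `sed -i "/^$CONFIG_PARAM=/s/$CONFIG_PARAM/# $CONFIG_PARAM/" .config`, limits each call to the option it names. The `|| echo "Kconfig_style_config error ..."` fallbacks also turn a failed sed into a log line, unlike the `|| die` on the sed calls in `src_prepare`, so a build could proceed with options such as `IEEE80211W` or `DELAYED_MIC_ERROR_REPORT` left at their defconfig values; `|| die` would match the rest of the ebuild. `CONFIG_PARAM` and `setting` are assigned without `local` and leak into the global ebuild scope.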