diff options
author | Natanael Copa <ncopa@alpinelinux.org> | 2014-05-29 14:55:03 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2014-05-29 14:56:12 +0000 |
commit | c8b073a1dd0ac4cc792df2ec8faaf01a6f88f475 (patch) | |
tree | 7f50471353129aae18e557aca1a9f3b3a20cbf49 /main | |
parent | dae7773b7280de1e8d41e887adca5efe33e8eca4 (diff) | |
download | aports-c8b073a1dd0ac4cc792df2ec8faaf01a6f88f475.tar.bz2 aports-c8b073a1dd0ac4cc792df2ec8faaf01a6f88f475.tar.xz |
main/wpa_supplicant: fix radius server regression and build eapol_test
fixes #2774
Diffstat (limited to 'main')
-rw-r--r-- | main/wpa_supplicant/APKBUILD | 10 | ||||
-rw-r--r-- | main/wpa_supplicant/Revert-OpenSSL-Do-not-accept-SSL-Client-certificate-for-server.patch | 68 |
2 files changed, 76 insertions, 2 deletions
diff --git a/main/wpa_supplicant/APKBUILD b/main/wpa_supplicant/APKBUILD index a06bbd8155..37acf08a6e 100644 --- a/main/wpa_supplicant/APKBUILD +++ b/main/wpa_supplicant/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=wpa_supplicant pkgver=2.1 -pkgrel=0 +pkgrel=1 pkgdesc="A utility providing key negotiation for WPA wireless networks" url="http://hostap.epitest.fi/wpa_supplicant" arch="all" @@ -11,6 +11,7 @@ depends="dbus" makedepends="openssl-dev dbus-dev libnl3-dev qt-dev" source="http://hostap.epitest.fi/releases/$pkgname-$pkgver.tar.gz musl-fix-types.patch + Revert-OpenSSL-Do-not-accept-SSL-Client-certificate-for-server.patch wpa_supplicant.initd wpa_supplicant.confd @@ -107,7 +108,8 @@ build() { make LIBDIR=/lib BINDIR=/sbin || return 1 # comment out the network={ } stansas in config sed -i -e '/^network=/,/}/s/^/#/' wpa_supplicant.conf - make wpa_gui-qt4 + make wpa_gui-qt4 || return 1 + make eapol_test || return 1 } package() { @@ -121,6 +123,7 @@ package() { install -Dm644 doc/docbook/$i.8 \ "$pkgdir"/usr/share/man/man8/$i.8 || return 1 done + install -Dm755 eapol_test "$pkgdir"/sbin/eapol_test || return 1 # gui install -d "$pkgdir"/usr/bin @@ -150,13 +153,16 @@ gui() { md5sums="e96b8db5a8171cd17a5b2012d6ad7cc7 wpa_supplicant-2.1.tar.gz 6023cac7f7fc6801e575f255af025368 musl-fix-types.patch +ba6674b926dc30cfca46cf9a6bdacd23 Revert-OpenSSL-Do-not-accept-SSL-Client-certificate-for-server.patch 8c88d2418857028c8a8c8489b516f22a wpa_supplicant.initd bc117427f2c538439f3f1481a028ee06 wpa_supplicant.confd" sha256sums="91632e7e3b49a340ce408e2f978a93546a697383abf2e5a60f146faae9e1b277 wpa_supplicant-2.1.tar.gz 2196f8850f72c5f269d2b5c1495c33e254c7c1526648e5cd4a51901205d3b45b musl-fix-types.patch +95f591c3d00eb1bfa1a381cb4cff25b52e72f5215bba91eff725de860caeff9f Revert-OpenSSL-Do-not-accept-SSL-Client-certificate-for-server.patch 66b7fd1322540ed39120c453d6f8852b519b67e3efcb3abdc3a76733ff75ecb4 wpa_supplicant.initd 61ec59007f66ac5bacc0aa095d1f2ccbc977a687038e161a463d1727223d5a90 wpa_supplicant.confd" sha512sums="eb1075623502d3e8f02c803ce31487fe5efce172e30d6b818ac835f7bbfe0140a225f95573ba4557f29e54d4623be2eb4a6ee18675ae6a676ccd46c33b0b3843 wpa_supplicant-2.1.tar.gz 64bc462d10f99f13098554db85d514530fcb85bc93d65843d0db66493cf7b6280e22540c95846d0f6c870f6cbd95cc8d4208675775e964988d97351bc716b7df musl-fix-types.patch +5ad5b0c7101a5b74bd3a2cc3c4108dad17a0c6e578b068d42383934413574864134190be5f48ce965615c266c54077ed054021d54c00209bf41b6b618af0e277 Revert-OpenSSL-Do-not-accept-SSL-Client-certificate-for-server.patch 12a59d1f60f61aea6733add7d8a961fb728d27c156c49481775194cc655b1cec77f021624cf6a9cd93d0e5db12ebfca315a41801f03213919cf2b896b901f3bb wpa_supplicant.initd 29103161ec2b9631fca9e8d9a97fafd60ffac3fe78cf613b834395ddcaf8be1e253c22e060d7d9f9b974b2d7ce794caa932a2125e29f6494b75bce475f7b30e1 wpa_supplicant.confd" diff --git a/main/wpa_supplicant/Revert-OpenSSL-Do-not-accept-SSL-Client-certificate-for-server.patch b/main/wpa_supplicant/Revert-OpenSSL-Do-not-accept-SSL-Client-certificate-for-server.patch new file mode 100644 index 0000000000..e3141b0eab --- /dev/null +++ b/main/wpa_supplicant/Revert-OpenSSL-Do-not-accept-SSL-Client-certificate-for-server.patch @@ -0,0 +1,68 @@ +From b62d5b5450101676a0c05691b4bcd94e11426397 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <j@w1.fi> +Date: Wed, 19 Feb 2014 09:56:02 +0000 +Subject: Revert "OpenSSL: Do not accept SSL Client certificate for server" + +This reverts commit 51e3eafb68e15e78e98ca955704be8a6c3a7b304. There are +too many deployed AAA servers that include both id-kp-clientAuth and +id-kp-serverAuth EKUs for this change to be acceptable as a generic rule +for AAA authentication server validation. OpenSSL enforces the policy of +not connecting if only id-kp-clientAuth is included. If a valid EKU is +listed with it, the connection needs to be accepted. + +Signed-off-by: Jouni Malinen <j@w1.fi> +--- +diff --git a/src/crypto/tls.h b/src/crypto/tls.h +index 287fd33..feba13f 100644 +--- a/src/crypto/tls.h ++++ b/src/crypto/tls.h +@@ -41,8 +41,7 @@ enum tls_fail_reason { + TLS_FAIL_ALTSUBJECT_MISMATCH = 6, + TLS_FAIL_BAD_CERTIFICATE = 7, + TLS_FAIL_SERVER_CHAIN_PROBE = 8, +- TLS_FAIL_DOMAIN_SUFFIX_MISMATCH = 9, +- TLS_FAIL_SERVER_USED_CLIENT_CERT = 10 ++ TLS_FAIL_DOMAIN_SUFFIX_MISMATCH = 9 + }; + + union tls_event_data { +diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c +index a13fa38..8cf1de8 100644 +--- a/src/crypto/tls_openssl.c ++++ b/src/crypto/tls_openssl.c +@@ -105,7 +105,6 @@ struct tls_connection { + unsigned int ca_cert_verify:1; + unsigned int cert_probe:1; + unsigned int server_cert_only:1; +- unsigned int server:1; + + u8 srv_cert_hash[32]; + +@@ -1480,16 +1479,6 @@ static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx) + TLS_FAIL_SERVER_CHAIN_PROBE); + } + +- if (!conn->server && err_cert && preverify_ok && depth == 0 && +- (err_cert->ex_flags & EXFLAG_XKUSAGE) && +- (err_cert->ex_xkusage & XKU_SSL_CLIENT)) { +- wpa_printf(MSG_WARNING, "TLS: Server used client certificate"); +- openssl_tls_fail_event(conn, err_cert, err, depth, buf, +- "Server used client certificate", +- TLS_FAIL_SERVER_USED_CLIENT_CERT); +- preverify_ok = 0; +- } +- + if (preverify_ok && context->event_cb != NULL) + context->event_cb(context->cb_ctx, + TLS_CERT_CHAIN_SUCCESS, NULL); +@@ -2541,8 +2530,6 @@ openssl_handshake(struct tls_connection *conn, const struct wpabuf *in_data, + int res; + struct wpabuf *out_data; + +- conn->server = !!server; +- + /* + * Give TLS handshake data from the server (if available) to OpenSSL + * for processing. +-- +cgit v0.9.2 |