Date: Monday, August 14, 2017 @ 13:00:28 Author: bpiotrowski Revision: 302176
archrelease: copy trunk to testing-i686, testing-x86_64 Added: wpa_supplicant/repos/testing-i686/ wpa_supplicant/repos/testing-i686/PKGBUILD (from rev 302175, wpa_supplicant/trunk/PKGBUILD) wpa_supplicant/repos/testing-i686/config (from rev 302175, wpa_supplicant/trunk/config) wpa_supplicant/repos/testing-i686/rh1462262-use-system-openssl-ciphers.patch (from rev 302175, wpa_supplicant/trunk/rh1462262-use-system-openssl-ciphers.patch) wpa_supplicant/repos/testing-i686/rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch (from rev 302175, wpa_supplicant/trunk/rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch) wpa_supplicant/repos/testing-i686/wpa_supplicant.install (from rev 302175, wpa_supplicant/trunk/wpa_supplicant.install) wpa_supplicant/repos/testing-x86_64/ wpa_supplicant/repos/testing-x86_64/PKGBUILD (from rev 302175, wpa_supplicant/trunk/PKGBUILD) wpa_supplicant/repos/testing-x86_64/config (from rev 302175, wpa_supplicant/trunk/config) wpa_supplicant/repos/testing-x86_64/rh1462262-use-system-openssl-ciphers.patch (from rev 302175, wpa_supplicant/trunk/rh1462262-use-system-openssl-ciphers.patch) wpa_supplicant/repos/testing-x86_64/rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch (from rev 302175, wpa_supplicant/trunk/rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch) wpa_supplicant/repos/testing-x86_64/wpa_supplicant.install (from rev 302175, wpa_supplicant/trunk/wpa_supplicant.install) -----------------------------------------------------------------------------+ testing-i686/PKGBUILD | 69 +++++ testing-i686/config | 46 +++ testing-i686/rh1462262-use-system-openssl-ciphers.patch | 122 +++++++++ testing-i686/rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch | 127 ++++++++++ testing-i686/wpa_supplicant.install | 7 testing-x86_64/PKGBUILD | 69 +++++ testing-x86_64/config | 46 +++ testing-x86_64/rh1462262-use-system-openssl-ciphers.patch | 122 +++++++++ 
testing-x86_64/rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch | 127 ++++++++++ testing-x86_64/wpa_supplicant.install | 7 10 files changed, 742 insertions(+)
Copied: wpa_supplicant/repos/testing-i686/PKGBUILD (from rev 302175, wpa_supplicant/trunk/PKGBUILD)
===================================================================
--- testing-i686/PKGBUILD (rev 0)
+++ testing-i686/PKGBUILD 2017-08-14 13:00:28 UTC (rev 302176)
@@ -0,0 +1,69 @@
+# $Id$
+# Maintainer: Bartłomiej Piotrowski <bpiotrow...@archlinux.org>
+# Contributor: Thomas Bächler <tho...@archlinux.org>
+
+pkgname=wpa_supplicant
+pkgver=2.6
+pkgrel=9
+epoch=1
+pkgdesc='A utility providing key negotiation for WPA wireless networks'
+url='http://hostap.epitest.fi/wpa_supplicant'
+arch=(i686 x86_64)
+license=(GPL)
+depends=(openssl libdbus readline libnl)
+optdepends=('wpa_supplicant_gui: wpa_gui program')
+install=wpa_supplicant.install
+source=(https://w1.fi/releases/${pkgname}-${pkgver}.tar.gz{,.asc}
+ config
+ rh1462262-use-system-openssl-ciphers.patch
+ rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch)
+validpgpkeys=('EC4AA0A991A5F2464582D52D2B6EF432EFC895FA') # Jouni Malinen
+sha256sums=('b4936d34c4e6cdd44954beba74296d964bc2c9668ecaa5255e499636fe2b1450'
+ 'SKIP'
+ 'aeba21c48416342092964dada271ca6dfe842fc862774c2d3b150785225f66e2'
+ 'c52ee8bc67466cd662ebac4bad4b25dbb429526ba16fbc179a2ae014be01edfc'
+ 'ad2258313f06b04003dbbffe10bc3eab9deea9db400c57c3c01b08cfc0b0916b')
+
+prepare() {
+ cd "$srcdir/$pkgname-$pkgver"
+ patch -p1 -i "$srcdir/rh1462262-use-system-openssl-ciphers.patch"
+ patch -p1 -i "$srcdir/rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch"
+
+ cd $pkgname
+ cp "$srcdir/config" ./.config
+}
+
+build() {
+ cd "$srcdir/$pkgname-$pkgver/$pkgname"
+
+ # The Makefile does not pick up our CPPFLAGS
+ export CFLAGS="$CPPFLAGS $CFLAGS"
+ make LIBDIR=/usr/lib BINDIR=/usr/bin
+ make LIBDIR=/usr/lib BINDIR=/usr/bin eapol_test
+}
+
+package() {
+ cd "$srcdir/$pkgname-$pkgver/$pkgname"
+ make LIBDIR=/usr/lib BINDIR=/usr/bin DESTDIR="$pkgdir" install
+ install -Dm755 eapol_test "$pkgdir/usr/bin/eapol_test"
+
+ install -d -m755 "$pkgdir/etc/wpa_supplicant"
+ install -Dm644 wpa_supplicant.conf \
+ "$pkgdir/usr/share/doc/wpa_supplicant/wpa_supplicant.conf"
+
+ install -d -m755 "$pkgdir/usr/share/man/man"{5,8}
+ install -m644 doc/docbook/*.5 "$pkgdir/usr/share/man/man5/"
+ install -m644 doc/docbook/*.8 
"$pkgdir/usr/share/man/man8/"
+ rm -f "$pkgdir/usr/share/man/man8/wpa_"{priv,gui}.8
+
+ install -d -m755 "$pkgdir/usr/share/dbus-1/system-services"
+ install -m644 \
+ dbus/fi.{epitest.hostap.WPASupplicant,w1.wpa_supplicant1}.service \
+ "$pkgdir/usr/share/dbus-1/system-services/"
+
+ install -Dm644 dbus/dbus-wpa_supplicant.conf \
+ "$pkgdir/etc/dbus-1/system.d/wpa_supplicant.conf"
+
+ install -d -m755 "$pkgdir/usr/lib/systemd/system"
+ install -m644 systemd/*.service "$pkgdir/usr/lib/systemd/system/"
+}
Copied: wpa_supplicant/repos/testing-i686/config (from rev 302175, wpa_supplicant/trunk/config)
===================================================================
--- testing-i686/config (rev 0)
+++ testing-i686/config 2017-08-14 13:00:28 UTC (rev 302176)
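Review bot: `cd $pkgname` in prepare() is the one unquoted path expansion in this PKGBUILD, while every other cd/cp/install argument is double-quoted; quote it for consistency, `cd "$pkgname"`. The same line is in testing-x86_64/PKGBUILD. pkgname is a fixed literal here, so this is a style point rather than a defect, but mixed quoting tends to get copied into scripts where the variable is not under the packager's control.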
@@ -0,0 +1,46 @@
+CONFIG_AP=y
+CONFIG_AUTOSCAN_EXPONENTIAL=y
+CONFIG_AUTOSCAN_PERIODIC=y
+CONFIG_BACKEND=file
+CONFIG_BGSCAN_SIMPLE=y
+CONFIG_CTRL_IFACE=y
+CONFIG_CTRL_IFACE_BUS=y
+CONFIG_CTRL_IFACE_DBUS_INTRO=y
+CONFIG_CTRL_IFACE_DBUS_NEW=y
+CONFIG_DEBUG_FILE=y
+CONFIG_DRIVER_NL80211=y
+CONFIG_DRIVER_WEXT=y
+CONFIG_DRIVER_WIRED=y
+CONFIG_EAP_FAST=y
+CONFIG_EAP_GTC=y
+CONFIG_EAP_LEAP=y
+CONFIG_EAP_MD5=y
+CONFIG_EAP_MSCHAPV2=y
+CONFIG_EAP_OTP=y
+CONFIG_EAP_PEAP=y
+CONFIG_EAP_PWD=y
+CONFIG_EAP_TLS=y
+CONFIG_EAP_TTLS=y
+CONFIG_HS20=y
+CONFIG_HT_OVERRIDES=y
+CONFIG_IBSS_RSN=y
+CONFIG_IEEE80211AC=y
+CONFIG_IEEE80211N=y
+CONFIG_IEEE80211R=y
+CONFIG_IEEE80211W=y
+CONFIG_IEEE8021X_EAPOL=y
+CONFIG_INTERWORKING=y
+CONFIG_IPV6=y
+CONFIG_LIBNL32=y
+CONFIG_NO_RANDOM_POOL=y
+CONFIG_P2P=y
+CONFIG_PEERKEY=y
+CONFIG_PKCS12=y
+CONFIG_READLINE=y
+CONFIG_SMARTCARD=y
+CONFIG_TDLS=y
+CONFIG_VHT_OVERRIDES=y
+CONFIG_WIFI_DISPLAY=y
+CONFIG_WPS=y
+CONFIG_WPS_NFC=y
+CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW:3DES"
Copied: wpa_supplicant/repos/testing-i686/rh1462262-use-system-openssl-ciphers.patch (from rev 302175, wpa_supplicant/trunk/rh1462262-use-system-openssl-ciphers.patch)
===================================================================
--- testing-i686/rh1462262-use-system-openssl-ciphers.patch (rev 0)
+++ testing-i686/rh1462262-use-system-openssl-ciphers.patch 2017-08-14 13:00:28 UTC (rev 302176)
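Review bot: `CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW:3DES"` on the last line of the config appends `:3DES`, which adds the 64-bit-block 3DES suites back to the list whenever OpenSSL's DEFAULT no longer includes them, so this build's default is weaker than the `"DEFAULT:!EXP:!LOW"` the bundled rh1462262 patch uses when the option is unset, and nothing in the config or the PKGBUILD records why. Add a comment above it, e.g. `# :3DES re-enables the 3DES suites OpenSSL's DEFAULT may exclude — <compatibility reason, TODO confirm>; drop once peers negotiate AES`, so the override gets revisited rather than carried forward silently. Presumably this is for EAP peers that still only offer 3DES, but that is an inference from the value, not something the commit states. The same line is in testing-x86_64/config. Users can still tighten this per instance with openssl_ciphers= in wpa_supplicant.conf, which the patched wpa_supplicant.conf comment documents.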
@@ -0,0 +1,122 @@
+From 61665e43b0509e3d05b2519bf10531bd2163ed66 Mon Sep 17 00:00:00 2001
+From: Beniamino Galvani <bgalv...@redhat.com>
+Date: Sun, 9 Jul 2017 11:06:50 +0200
+Subject: [PATCH] OpenSSL: Add build option to select default ciphers
+
+Add a build option to select different default ciphers for OpenSSL
+instead of the hardcoded default "DEFAULT:!EXP:!LOW".
+
+This new option is useful on distributions where the security level
+should be consistent for all applications, as in Fedora [1]. In such
+cases the new configuration option would be set to "" or
+"PROFILE=SYSTEM" to select the global crypto policy by default.
+
+[1] https://fedoraproject.org/wiki/Changes/CryptoPolicy
+
+Signed-off-by: Beniamino Galvani <bgalv...@redhat.com>
+(cherry picked from commit 2b9891bd6e125d3e28f26afde32e153db658b7cc)
+---
+ src/crypto/tls_openssl.c | 2 +-
+ wpa_supplicant/Android.mk | 4 ++++
+ wpa_supplicant/Makefile | 4 ++++
+ wpa_supplicant/android.config | 4 ++++
+ wpa_supplicant/defconfig | 4 ++++
+ wpa_supplicant/wpa_supplicant.conf | 4 ++--
+ 6 files changed, 19 insertions(+), 3 deletions(-)
+
+diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
+index 23ac64b..c4170b6 100644
+--- a/src/crypto/tls_openssl.c
++++ b/src/crypto/tls_openssl.c
+@@ -1017,7 +1017,7 @@ void * tls_init(const struct tls_config *conf)
+ if (conf && conf->openssl_ciphers)
+ ciphers = conf->openssl_ciphers;
+ else
+- ciphers = "DEFAULT:!EXP:!LOW";
++ ciphers = TLS_DEFAULT_CIPHERS;
+ if (SSL_CTX_set_cipher_list(ssl, ciphers) != 1) {
+ wpa_printf(MSG_ERROR,
+ "OpenSSL: Failed to set cipher string '%s'",
+diff --git a/wpa_supplicant/Android.mk b/wpa_supplicant/Android.mk
+index a8d6a7f..a9dc086 100644
+--- a/wpa_supplicant/Android.mk
++++ b/wpa_supplicant/Android.mk
+@@ -971,6 +971,10 @@ ifdef CONFIG_TLS_ADD_DL
+ LIBS += -ldl
+ LIBS_p += -ldl
+ endif
++ifndef CONFIG_TLS_DEFAULT_CIPHERS
++CONFIG_TLS_DEFAULT_CIPHERS = "DEFAULT:!EXP:!LOW"
++endif
++L_CFLAGS += 
-DTLS_DEFAULT_CIPHERS=\"$(CONFIG_TLS_DEFAULT_CIPHERS)\"
+ endif
+
+ ifeq ($(CONFIG_TLS), gnutls)
+diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
+index 512052e..cc55a52 100644
+--- a/wpa_supplicant/Makefile
++++ b/wpa_supplicant/Makefile
+@@ -1020,6 +1020,10 @@ ifdef CONFIG_TLS_ADD_DL
+ LIBS += -ldl
+ LIBS_p += -ldl
+ endif
++ifndef CONFIG_TLS_DEFAULT_CIPHERS
++CONFIG_TLS_DEFAULT_CIPHERS = "DEFAULT:!EXP:!LOW"
++endif
++CFLAGS += -DTLS_DEFAULT_CIPHERS=\"$(CONFIG_TLS_DEFAULT_CIPHERS)\"
+ endif
+
+ ifeq ($(CONFIG_TLS), gnutls)
+diff --git a/wpa_supplicant/android.config b/wpa_supplicant/android.config
+index 02505bb..f3cc838 100644
+--- a/wpa_supplicant/android.config
++++ b/wpa_supplicant/android.config
+@@ -291,6 +291,10 @@ CONFIG_IEEE80211W=y
+ # will be used)
+ #CONFIG_TLSV12=y
+
++# Select which ciphers to use by default with OpenSSL if the user does not
++# specify them.
++#CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW"
++
+ # If CONFIG_TLS=internal is used, additional library and include paths are
+ # needed for LibTomMath. Alternatively, an integrated, minimal version of
+ # LibTomMath can be used. See beginning of libtommath.c for details on benefits
+diff --git a/wpa_supplicant/defconfig b/wpa_supplicant/defconfig
+index 1d05198..8b0eb87 100644
+--- a/wpa_supplicant/defconfig
++++ b/wpa_supplicant/defconfig
+@@ -316,6 +316,10 @@ CONFIG_PEERKEY=y
+ # will be used)
+ #CONFIG_TLSV12=y
+
++# Select which ciphers to use by default with OpenSSL if the user does not
++# specify them.
++#CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW"
++
+ # If CONFIG_TLS=internal is used, additional library and include paths are
+ # needed for LibTomMath. Alternatively, an integrated, minimal version of
+ # LibTomMath can be used. 
See beginning of libtommath.c for details on benefits
+diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
+index 1061c98..70989c0 100644
+--- a/wpa_supplicant/wpa_supplicant.conf
++++ b/wpa_supplicant/wpa_supplicant.conf
+@@ -183,13 +183,13 @@ fast_reauth=1
+ # OpenSSL cipher string
+ #
+ # This is an OpenSSL specific configuration option for configuring the default
+-# ciphers. If not set, "DEFAULT:!EXP:!LOW" is used as the default.
++# ciphers. If not set, the value configured at build time ("DEFAULT:!EXP:!LOW"
++# by default) is used.
+ # See https://www.openssl.org/docs/apps/ciphers.html for OpenSSL documentation
+ # on cipher suite configuration. This is applicable only if wpa_supplicant is
+ # built to use OpenSSL.
+ #openssl_ciphers=DEFAULT:!EXP:!LOW
+
+-
+ # Dynamic EAP methods
+ # If EAP methods were built dynamically as shared object files, they need to be
+ # loaded here before being used in the network blocks. By default, EAP methods
+--
+2.9.3
+
Copied: wpa_supplicant/repos/testing-i686/rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch (from rev 302175, wpa_supplicant/trunk/rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch)
===================================================================
--- testing-i686/rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch (rev 0)
+++ testing-i686/rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch 2017-08-14 13:00:28 UTC (rev 302176)
@@ -0,0 +1,127 @@
+From 25b37c54a47e49d591f5752bbf0f510480402cae Mon Sep 17 00:00:00 2001
+From: Beniamino Galvani <bgalv...@redhat.com>
+Date: Sun, 9 Jul 2017 11:14:10 +0200
+Subject: [PATCH 1/2] OpenSSL: Fix private key password handling with OpenSSL
+ >= 1.1.0f
+
+Since OpenSSL version 1.1.0f, SSL_use_PrivateKey_file() uses the
+callback from the SSL object instead of the one from the CTX, so let's
+set the callback on both SSL and CTX. Note that
+SSL_set_default_passwd_cb*() is available only in 1.1.0.
+
+Signed-off-by: Beniamino Galvani <bgalv...@redhat.com>
+(cherry picked from commit f665c93e1d28fbab3d9127a8c3985cc32940824f)
+---
+ src/crypto/tls_openssl.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
+index c4170b6..bceb8c3 100644
+--- a/src/crypto/tls_openssl.c
++++ b/src/crypto/tls_openssl.c
+@@ -2779,6 +2779,15 @@ static int tls_connection_private_key(struct tls_data *data,
+ } else
+ passwd = NULL;
+
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
++ /*
++ * In OpenSSL >= 1.1.0f SSL_use_PrivateKey_file() uses the callback
++ * from the SSL object. See OpenSSL commit d61461a75253. 
++ */
++ SSL_set_default_passwd_cb(conn->ssl, tls_passwd_cb);
++ SSL_set_default_passwd_cb_userdata(conn->ssl, passwd);
++#endif /* >= 1.1.0f && !LibreSSL */
++ /* Keep these for OpenSSL < 1.1.0f */
+ SSL_CTX_set_default_passwd_cb(ssl_ctx, tls_passwd_cb);
+ SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, passwd);
+
+@@ -2869,6 +2878,9 @@ static int tls_connection_private_key(struct tls_data *data,
+ return -1;
+ }
+ ERR_clear_error();
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
++ SSL_set_default_passwd_cb(conn->ssl, NULL);
++#endif /* >= 1.1.0f && !LibreSSL */
+ SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL);
+ os_free(passwd);
+
+--
+2.9.3
+
+From b2887d6964a406eb5f88f4ad4e9764c468954382 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j...@w1.fi>
+Date: Mon, 17 Jul 2017 12:06:17 +0300
+Subject: [PATCH 2/2] OpenSSL: Clear default_passwd_cb more thoroughly
+
+Previously, the pointer to strdup passwd was left in OpenSSL library
+default_passwd_cb_userdata and even the default_passwd_cb was left set
+on an error path. To avoid unexpected behavior if something were to
+manage to use there pointers, clear them explicitly once done with
+loading of the private key. 
+
+Signed-off-by: Jouni Malinen <j...@w1.fi>
+(cherry picked from commit 89971d8b1e328a2f79699c953625d1671fd40384)
+---
+ src/crypto/tls_openssl.c | 22 +++++++++++++++++-----
+ 1 file changed, 17 insertions(+), 5 deletions(-)
+
+diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
+index bceb8c3..770af9e 100644
+--- a/src/crypto/tls_openssl.c
++++ b/src/crypto/tls_openssl.c
+@@ -2758,6 +2758,19 @@ static int tls_connection_engine_private_key(struct tls_connection *conn)
+ }
+
+
++static void tls_clear_default_passwd_cb(SSL_CTX *ssl_ctx, SSL *ssl)
++{
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
++ if (ssl) {
++ SSL_set_default_passwd_cb(ssl, NULL);
++ SSL_set_default_passwd_cb_userdata(ssl, NULL);
++ }
++#endif /* >= 1.1.0f && !LibreSSL */
++ SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL);
++ SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, NULL);
++}
++
++
+ static int tls_connection_private_key(struct tls_data *data,
+ struct tls_connection *conn,
+ const char *private_key,
+@@ -2874,14 +2887,12 @@ static int tls_connection_private_key(struct tls_data *data,
+ if (!ok) {
+ tls_show_errors(MSG_INFO, __func__,
+ "Failed to load private key");
++ tls_clear_default_passwd_cb(ssl_ctx, conn->ssl);
+ os_free(passwd);
+ return -1;
+ }
+ ERR_clear_error();
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+- SSL_set_default_passwd_cb(conn->ssl, NULL);
+-#endif /* >= 1.1.0f && !LibreSSL */
+- SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL);
++ tls_clear_default_passwd_cb(ssl_ctx, conn->ssl);
+ os_free(passwd);
+
+ if (!SSL_check_private_key(conn->ssl)) {
+@@ -2924,13 +2935,14 @@ static int tls_global_private_key(struct tls_data *data,
+ tls_read_pkcs12(data, NULL, private_key, passwd)) {
+ tls_show_errors(MSG_INFO, __func__,
+ "Failed to load private key");
++ tls_clear_default_passwd_cb(ssl_ctx, NULL);
+ os_free(passwd);
+ ERR_clear_error();
+ return -1;
+ }
++ tls_clear_default_passwd_cb(ssl_ctx, 
NULL);
+ os_free(passwd);
+ ERR_clear_error();
+- SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL);
+
+ if (!SSL_CTX_check_private_key(ssl_ctx)) {
+ tls_show_errors(MSG_INFO, __func__,
+--
+2.9.3
+
Copied: wpa_supplicant/repos/testing-i686/wpa_supplicant.install (from rev 302175, wpa_supplicant/trunk/wpa_supplicant.install)
===================================================================
--- testing-i686/wpa_supplicant.install (rev 0)
+++ testing-i686/wpa_supplicant.install 2017-08-14 13:00:28 UTC (rev 302176)
@@ -0,0 +1,7 @@
+post_upgrade() {
+ if [[ $(vercmp "$2" '1:2.6-3') -lt 0 ]]; then
+ echo ':: The /etc/wpa_supplicant/wpa_supplicant.conf is file no longer managed by pacman'
+ echo ' and if it was modified, it has been renamed to wpa_supplicant.conf.pacsave.'
+ echo ' Move it to the original location if needed.'
+ fi
+}
Copied: wpa_supplicant/repos/testing-x86_64/PKGBUILD (from rev 302175, wpa_supplicant/trunk/PKGBUILD)
===================================================================
--- testing-x86_64/PKGBUILD (rev 0)
+++ testing-x86_64/PKGBUILD 2017-08-14 13:00:28 UTC (rev 302176)
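Review bot: The first echo in post_upgrade() has its words transposed, `is file no longer managed` should read `file is no longer managed`; proposed line: `echo ':: The /etc/wpa_supplicant/wpa_supplicant.conf file is no longer managed by pacman'`. The same text is in testing-x86_64/wpa_supplicant.install. The vercmp guard against 1:2.6-3 and the quoting of "$2" look right.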
@@ -0,0 +1,69 @@
+# $Id$
+# Maintainer: Bartłomiej Piotrowski <bpiotrow...@archlinux.org>
+# Contributor: Thomas Bächler <tho...@archlinux.org>
+
+pkgname=wpa_supplicant
+pkgver=2.6
+pkgrel=9
+epoch=1
+pkgdesc='A utility providing key negotiation for WPA wireless networks'
+url='http://hostap.epitest.fi/wpa_supplicant'
+arch=(i686 x86_64)
+license=(GPL)
+depends=(openssl libdbus readline libnl)
+optdepends=('wpa_supplicant_gui: wpa_gui program')
+install=wpa_supplicant.install
+source=(https://w1.fi/releases/${pkgname}-${pkgver}.tar.gz{,.asc}
+ config
+ rh1462262-use-system-openssl-ciphers.patch
+ rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch)
+validpgpkeys=('EC4AA0A991A5F2464582D52D2B6EF432EFC895FA') # Jouni Malinen
+sha256sums=('b4936d34c4e6cdd44954beba74296d964bc2c9668ecaa5255e499636fe2b1450'
+ 'SKIP'
+ 'aeba21c48416342092964dada271ca6dfe842fc862774c2d3b150785225f66e2'
+ 'c52ee8bc67466cd662ebac4bad4b25dbb429526ba16fbc179a2ae014be01edfc'
+ 'ad2258313f06b04003dbbffe10bc3eab9deea9db400c57c3c01b08cfc0b0916b')
+
+prepare() {
+ cd "$srcdir/$pkgname-$pkgver"
+ patch -p1 -i "$srcdir/rh1462262-use-system-openssl-ciphers.patch"
+ patch -p1 -i "$srcdir/rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch"
+
+ cd $pkgname
+ cp "$srcdir/config" ./.config
+}
+
+build() {
+ cd "$srcdir/$pkgname-$pkgver/$pkgname"
+
+ # The Makefile does not pick up our CPPFLAGS
+ export CFLAGS="$CPPFLAGS $CFLAGS"
+ make LIBDIR=/usr/lib BINDIR=/usr/bin
+ make LIBDIR=/usr/lib BINDIR=/usr/bin eapol_test
+}
+
+package() {
+ cd "$srcdir/$pkgname-$pkgver/$pkgname"
+ make LIBDIR=/usr/lib BINDIR=/usr/bin DESTDIR="$pkgdir" install
+ install -Dm755 eapol_test "$pkgdir/usr/bin/eapol_test"
+
+ install -d -m755 "$pkgdir/etc/wpa_supplicant"
+ install -Dm644 wpa_supplicant.conf \
+ "$pkgdir/usr/share/doc/wpa_supplicant/wpa_supplicant.conf"
+
+ install -d -m755 "$pkgdir/usr/share/man/man"{5,8}
+ install -m644 doc/docbook/*.5 "$pkgdir/usr/share/man/man5/"
+ install -m644 doc/docbook/*.8 
"$pkgdir/usr/share/man/man8/"
+ rm -f "$pkgdir/usr/share/man/man8/wpa_"{priv,gui}.8
+
+ install -d -m755 "$pkgdir/usr/share/dbus-1/system-services"
+ install -m644 \
+ dbus/fi.{epitest.hostap.WPASupplicant,w1.wpa_supplicant1}.service \
+ "$pkgdir/usr/share/dbus-1/system-services/"
+
+ install -Dm644 dbus/dbus-wpa_supplicant.conf \
+ "$pkgdir/etc/dbus-1/system.d/wpa_supplicant.conf"
+
+ install -d -m755 "$pkgdir/usr/lib/systemd/system"
+ install -m644 systemd/*.service "$pkgdir/usr/lib/systemd/system/"
+}
Copied: wpa_supplicant/repos/testing-x86_64/config (from rev 302175, wpa_supplicant/trunk/config)
===================================================================
--- testing-x86_64/config (rev 0)
+++ testing-x86_64/config 2017-08-14 13:00:28 UTC (rev 302176)
@@ -0,0 +1,46 @@
+CONFIG_AP=y
+CONFIG_AUTOSCAN_EXPONENTIAL=y
+CONFIG_AUTOSCAN_PERIODIC=y
+CONFIG_BACKEND=file
+CONFIG_BGSCAN_SIMPLE=y
+CONFIG_CTRL_IFACE=y
+CONFIG_CTRL_IFACE_BUS=y
+CONFIG_CTRL_IFACE_DBUS_INTRO=y
+CONFIG_CTRL_IFACE_DBUS_NEW=y
+CONFIG_DEBUG_FILE=y
+CONFIG_DRIVER_NL80211=y
+CONFIG_DRIVER_WEXT=y
+CONFIG_DRIVER_WIRED=y
+CONFIG_EAP_FAST=y
+CONFIG_EAP_GTC=y
+CONFIG_EAP_LEAP=y
+CONFIG_EAP_MD5=y
+CONFIG_EAP_MSCHAPV2=y
+CONFIG_EAP_OTP=y
+CONFIG_EAP_PEAP=y
+CONFIG_EAP_PWD=y
+CONFIG_EAP_TLS=y
+CONFIG_EAP_TTLS=y
+CONFIG_HS20=y
+CONFIG_HT_OVERRIDES=y
+CONFIG_IBSS_RSN=y
+CONFIG_IEEE80211AC=y
+CONFIG_IEEE80211N=y
+CONFIG_IEEE80211R=y
+CONFIG_IEEE80211W=y
+CONFIG_IEEE8021X_EAPOL=y
+CONFIG_INTERWORKING=y
+CONFIG_IPV6=y
+CONFIG_LIBNL32=y
+CONFIG_NO_RANDOM_POOL=y
+CONFIG_P2P=y
+CONFIG_PEERKEY=y
+CONFIG_PKCS12=y
+CONFIG_READLINE=y
+CONFIG_SMARTCARD=y
+CONFIG_TDLS=y
+CONFIG_VHT_OVERRIDES=y
+CONFIG_WIFI_DISPLAY=y
+CONFIG_WPS=y
+CONFIG_WPS_NFC=y
+CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW:3DES"
Copied: wpa_supplicant/repos/testing-x86_64/rh1462262-use-system-openssl-ciphers.patch (from rev 302175, wpa_supplicant/trunk/rh1462262-use-system-openssl-ciphers.patch)
===================================================================
--- testing-x86_64/rh1462262-use-system-openssl-ciphers.patch (rev 0)
+++ testing-x86_64/rh1462262-use-system-openssl-ciphers.patch 2017-08-14 13:00:28 UTC (rev 302176)
@@ -0,0 +1,122 @@
+From 61665e43b0509e3d05b2519bf10531bd2163ed66 Mon Sep 17 00:00:00 2001
+From: Beniamino Galvani <bgalv...@redhat.com>
+Date: Sun, 9 Jul 2017 11:06:50 +0200
+Subject: [PATCH] OpenSSL: Add build option to select default ciphers
+
+Add a build option to select different default ciphers for OpenSSL
+instead of the hardcoded default "DEFAULT:!EXP:!LOW".
+
+This new option is useful on distributions where the security level
+should be consistent for all applications, as in Fedora [1]. In such
+cases the new configuration option would be set to "" or
+"PROFILE=SYSTEM" to select the global crypto policy by default.
+
+[1] https://fedoraproject.org/wiki/Changes/CryptoPolicy
+
+Signed-off-by: Beniamino Galvani <bgalv...@redhat.com>
+(cherry picked from commit 2b9891bd6e125d3e28f26afde32e153db658b7cc)
+---
+ src/crypto/tls_openssl.c | 2 +-
+ wpa_supplicant/Android.mk | 4 ++++
+ wpa_supplicant/Makefile | 4 ++++
+ wpa_supplicant/android.config | 4 ++++
+ wpa_supplicant/defconfig | 4 ++++
+ wpa_supplicant/wpa_supplicant.conf | 4 ++--
+ 6 files changed, 19 insertions(+), 3 deletions(-)
+
+diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
+index 23ac64b..c4170b6 100644
+--- a/src/crypto/tls_openssl.c
++++ b/src/crypto/tls_openssl.c
+@@ -1017,7 +1017,7 @@ void * tls_init(const struct tls_config *conf)
+ if (conf && conf->openssl_ciphers)
+ ciphers = conf->openssl_ciphers;
+ else
+- ciphers = "DEFAULT:!EXP:!LOW";
++ ciphers = TLS_DEFAULT_CIPHERS;
+ if (SSL_CTX_set_cipher_list(ssl, ciphers) != 1) {
+ wpa_printf(MSG_ERROR,
+ "OpenSSL: Failed to set cipher string '%s'",
+diff --git a/wpa_supplicant/Android.mk b/wpa_supplicant/Android.mk
+index a8d6a7f..a9dc086 100644
+--- a/wpa_supplicant/Android.mk
++++ b/wpa_supplicant/Android.mk
+@@ -971,6 +971,10 @@ ifdef CONFIG_TLS_ADD_DL
+ LIBS += -ldl
+ LIBS_p += -ldl
+ endif
++ifndef CONFIG_TLS_DEFAULT_CIPHERS
++CONFIG_TLS_DEFAULT_CIPHERS = "DEFAULT:!EXP:!LOW"
++endif
++L_CFLAGS += 
-DTLS_DEFAULT_CIPHERS=\"$(CONFIG_TLS_DEFAULT_CIPHERS)\"
+ endif
+
+ ifeq ($(CONFIG_TLS), gnutls)
+diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
+index 512052e..cc55a52 100644
+--- a/wpa_supplicant/Makefile
++++ b/wpa_supplicant/Makefile
+@@ -1020,6 +1020,10 @@ ifdef CONFIG_TLS_ADD_DL
+ LIBS += -ldl
+ LIBS_p += -ldl
+ endif
++ifndef CONFIG_TLS_DEFAULT_CIPHERS
++CONFIG_TLS_DEFAULT_CIPHERS = "DEFAULT:!EXP:!LOW"
++endif
++CFLAGS += -DTLS_DEFAULT_CIPHERS=\"$(CONFIG_TLS_DEFAULT_CIPHERS)\"
+ endif
+
+ ifeq ($(CONFIG_TLS), gnutls)
+diff --git a/wpa_supplicant/android.config b/wpa_supplicant/android.config
+index 02505bb..f3cc838 100644
+--- a/wpa_supplicant/android.config
++++ b/wpa_supplicant/android.config
+@@ -291,6 +291,10 @@ CONFIG_IEEE80211W=y
+ # will be used)
+ #CONFIG_TLSV12=y
+
++# Select which ciphers to use by default with OpenSSL if the user does not
++# specify them.
++#CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW"
++
+ # If CONFIG_TLS=internal is used, additional library and include paths are
+ # needed for LibTomMath. Alternatively, an integrated, minimal version of
+ # LibTomMath can be used. See beginning of libtommath.c for details on benefits
+diff --git a/wpa_supplicant/defconfig b/wpa_supplicant/defconfig
+index 1d05198..8b0eb87 100644
+--- a/wpa_supplicant/defconfig
++++ b/wpa_supplicant/defconfig
+@@ -316,6 +316,10 @@ CONFIG_PEERKEY=y
+ # will be used)
+ #CONFIG_TLSV12=y
+
++# Select which ciphers to use by default with OpenSSL if the user does not
++# specify them.
++#CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW"
++
+ # If CONFIG_TLS=internal is used, additional library and include paths are
+ # needed for LibTomMath. Alternatively, an integrated, minimal version of
+ # LibTomMath can be used. 
See beginning of libtommath.c for details on benefits
+diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
+index 1061c98..70989c0 100644
+--- a/wpa_supplicant/wpa_supplicant.conf
++++ b/wpa_supplicant/wpa_supplicant.conf
+@@ -183,13 +183,13 @@ fast_reauth=1
+ # OpenSSL cipher string
+ #
+ # This is an OpenSSL specific configuration option for configuring the default
+-# ciphers. If not set, "DEFAULT:!EXP:!LOW" is used as the default.
++# ciphers. If not set, the value configured at build time ("DEFAULT:!EXP:!LOW"
++# by default) is used.
+ # See https://www.openssl.org/docs/apps/ciphers.html for OpenSSL documentation
+ # on cipher suite configuration. This is applicable only if wpa_supplicant is
+ # built to use OpenSSL.
+ #openssl_ciphers=DEFAULT:!EXP:!LOW
+
+-
+ # Dynamic EAP methods
+ # If EAP methods were built dynamically as shared object files, they need to be
+ # loaded here before being used in the network blocks. By default, EAP methods
+--
+2.9.3
+
Copied: wpa_supplicant/repos/testing-x86_64/rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch (from rev 302175, wpa_supplicant/trunk/rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch)
===================================================================
--- testing-x86_64/rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch (rev 0)
+++ testing-x86_64/rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch 2017-08-14 13:00:28 UTC (rev 302176)
@@ -0,0 +1,127 @@
+From 25b37c54a47e49d591f5752bbf0f510480402cae Mon Sep 17 00:00:00 2001
+From: Beniamino Galvani <bgalv...@redhat.com>
+Date: Sun, 9 Jul 2017 11:14:10 +0200
+Subject: [PATCH 1/2] OpenSSL: Fix private key password handling with OpenSSL
+ >= 1.1.0f
+
+Since OpenSSL version 1.1.0f, SSL_use_PrivateKey_file() uses the
+callback from the SSL object instead of the one from the CTX, so let's
+set the callback on both SSL and CTX. Note that
+SSL_set_default_passwd_cb*() is available only in 1.1.0.
+
+Signed-off-by: Beniamino Galvani <bgalv...@redhat.com>
+(cherry picked from commit f665c93e1d28fbab3d9127a8c3985cc32940824f)
+---
+ src/crypto/tls_openssl.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
+index c4170b6..bceb8c3 100644
+--- a/src/crypto/tls_openssl.c
++++ b/src/crypto/tls_openssl.c
+@@ -2779,6 +2779,15 @@ static int tls_connection_private_key(struct tls_data *data,
+ } else
+ passwd = NULL;
+
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
++ /*
++ * In OpenSSL >= 1.1.0f SSL_use_PrivateKey_file() uses the callback
++ * from the SSL object. See OpenSSL commit d61461a75253. 
++ */
++ SSL_set_default_passwd_cb(conn->ssl, tls_passwd_cb);
++ SSL_set_default_passwd_cb_userdata(conn->ssl, passwd);
++#endif /* >= 1.1.0f && !LibreSSL */
++ /* Keep these for OpenSSL < 1.1.0f */
+ SSL_CTX_set_default_passwd_cb(ssl_ctx, tls_passwd_cb);
+ SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, passwd);
+
+@@ -2869,6 +2878,9 @@ static int tls_connection_private_key(struct tls_data *data,
+ return -1;
+ }
+ ERR_clear_error();
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
++ SSL_set_default_passwd_cb(conn->ssl, NULL);
++#endif /* >= 1.1.0f && !LibreSSL */
+ SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL);
+ os_free(passwd);
+
+--
+2.9.3
+
+From b2887d6964a406eb5f88f4ad4e9764c468954382 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j...@w1.fi>
+Date: Mon, 17 Jul 2017 12:06:17 +0300
+Subject: [PATCH 2/2] OpenSSL: Clear default_passwd_cb more thoroughly
+
+Previously, the pointer to strdup passwd was left in OpenSSL library
+default_passwd_cb_userdata and even the default_passwd_cb was left set
+on an error path. To avoid unexpected behavior if something were to
+manage to use there pointers, clear them explicitly once done with
+loading of the private key. 
+
+Signed-off-by: Jouni Malinen <j...@w1.fi>
+(cherry picked from commit 89971d8b1e328a2f79699c953625d1671fd40384)
+---
+ src/crypto/tls_openssl.c | 22 +++++++++++++++++-----
+ 1 file changed, 17 insertions(+), 5 deletions(-)
+
+diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
+index bceb8c3..770af9e 100644
+--- a/src/crypto/tls_openssl.c
++++ b/src/crypto/tls_openssl.c
+@@ -2758,6 +2758,19 @@ static int tls_connection_engine_private_key(struct tls_connection *conn)
+ }
+
+
++static void tls_clear_default_passwd_cb(SSL_CTX *ssl_ctx, SSL *ssl)
++{
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
++ if (ssl) {
++ SSL_set_default_passwd_cb(ssl, NULL);
++ SSL_set_default_passwd_cb_userdata(ssl, NULL);
++ }
++#endif /* >= 1.1.0f && !LibreSSL */
++ SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL);
++ SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, NULL);
++}
++
++
+ static int tls_connection_private_key(struct tls_data *data,
+ struct tls_connection *conn,
+ const char *private_key,
+@@ -2874,14 +2887,12 @@ static int tls_connection_private_key(struct tls_data *data,
+ if (!ok) {
+ tls_show_errors(MSG_INFO, __func__,
+ "Failed to load private key");
++ tls_clear_default_passwd_cb(ssl_ctx, conn->ssl);
+ os_free(passwd);
+ return -1;
+ }
+ ERR_clear_error();
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+- SSL_set_default_passwd_cb(conn->ssl, NULL);
+-#endif /* >= 1.1.0f && !LibreSSL */
+- SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL);
++ tls_clear_default_passwd_cb(ssl_ctx, conn->ssl);
+ os_free(passwd);
+
+ if (!SSL_check_private_key(conn->ssl)) {
+@@ -2924,13 +2935,14 @@ static int tls_global_private_key(struct tls_data *data,
+ tls_read_pkcs12(data, NULL, private_key, passwd)) {
+ tls_show_errors(MSG_INFO, __func__,
+ "Failed to load private key");
++ tls_clear_default_passwd_cb(ssl_ctx, NULL);
+ os_free(passwd);
+ ERR_clear_error();
+ return -1;
+ }
++ tls_clear_default_passwd_cb(ssl_ctx, 
NULL);
+ os_free(passwd);
+ ERR_clear_error();
+- SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL);
+
+ if (!SSL_CTX_check_private_key(ssl_ctx)) {
+ tls_show_errors(MSG_INFO, __func__,
+--
+2.9.3
+
Copied: wpa_supplicant/repos/testing-x86_64/wpa_supplicant.install (from rev 302175, wpa_supplicant/trunk/wpa_supplicant.install)
===================================================================
--- testing-x86_64/wpa_supplicant.install (rev 0)
+++ testing-x86_64/wpa_supplicant.install 2017-08-14 13:00:28 UTC (rev 302176)
@@ -0,0 +1,7 @@
+post_upgrade() {
+ if [[ $(vercmp "$2" '1:2.6-3') -lt 0 ]]; then
+ echo ':: The /etc/wpa_supplicant/wpa_supplicant.conf is file no longer managed by pacman'
+ echo ' and if it was modified, it has been renamed to wpa_supplicant.conf.pacsave.'
+ echo ' Move it to the original location if needed.'
+ fi
+}