From d981a62a2260fe1117d7692a499d1b686ff156fe Mon Sep 17 00:00:00 2001
From: kth5
Date: Sat, 5 Oct 2024 01:06:52 +0200
Subject: [PATCH] * update wpa_supplicant to 2:2.11-2
---
wpa_supplicant/.SRCINFO | 44 ++++++
wpa_supplicant/.nvchecker.toml | 8 ++
.../0001-Enable-TLSv1.0-by-default.patch | 29 ++++
.../0002-Disable-Werror-for-eapol_test.patch | 26 ++++
...egotiation-to-fix-PEAP-issues-with-s.patch | 32 +++++
...emd-service-activation-configuration.patch | 37 +++++
...ate-yes-to-keep-wpa-supplicant-runni.patch | 37 +++++
...ad-support-to-the-systemd-unit-files.patch | 68 +++++++++
...-extra-ies-only-if-allowed-by-driver.patch | 73 ++++++++++
wpa_supplicant/PKGBUILD | 130 ++++++++++--------
...4AA0A991A5F2464582D52D2B6EF432EFC895FA.asc | 36 +++++
11 files changed, 466 insertions(+), 54 deletions(-)
create mode 100644 wpa_supplicant/.SRCINFO
create mode 100644 wpa_supplicant/.nvchecker.toml
create mode 100644 wpa_supplicant/0001-Enable-TLSv1.0-by-default.patch
create mode 100644 wpa_supplicant/0002-Disable-Werror-for-eapol_test.patch
create mode 100644 wpa_supplicant/0003-Allow-legacy-renegotiation-to-fix-PEAP-issues-with-s.patch
create mode 100644 wpa_supplicant/0004-Tweak-D-Bus-systemd-service-activation-configuration.patch
create mode 100644 wpa_supplicant/0005-Add-IgnoreOnIsolate-yes-to-keep-wpa-supplicant-runni.patch
create mode 100644 wpa_supplicant/0006-Add-reload-support-to-the-systemd-unit-files.patch
create mode 100644 wpa_supplicant/0007-nl80211-add-extra-ies-only-if-allowed-by-driver.patch
create mode 100644 wpa_supplicant/keys/pgp/EC4AA0A991A5F2464582D52D2B6EF432EFC895FA.asc
diff --git a/wpa_supplicant/.SRCINFO b/wpa_supplicant/.SRCINFO
new file mode 100644
index 0000000000..492804fe47
--- /dev/null
+++ b/wpa_supplicant/.SRCINFO
@@ -0,0 +1,44 @@ +pkgbase = wpa_supplicant + pkgdesc = A utility providing key negotiation for WPA wireless networks + pkgver = 2.11 + pkgrel = 2 + epoch = 2 + url = https://w1.fi/wpa_supplicant/ + install = wpa_supplicant.install + arch = x86_64 + arch = powerpc64le + arch = powerpc64 + arch = powerpc + arch = riscv64 + license = BSD-3-Clause + makedepends = docbook-sgml + makedepends = docbook-utils + makedepends = git + makedepends = perl-sgmls + depends = glibc + depends = libdbus + depends = libnl + depends = openssl + depends = pcsclite + depends = readline + source = git+https://w1.fi/hostap.git?signed#tag=hostap_2_11 + source = wpa_supplicant_config + source = 0001-Enable-TLSv1.0-by-default.patch + source = 0002-Disable-Werror-for-eapol_test.patch + source = 0003-Allow-legacy-renegotiation-to-fix-PEAP-issues-with-s.patch + source = 0004-Tweak-D-Bus-systemd-service-activation-configuration.patch + source = 0005-Add-IgnoreOnIsolate-yes-to-keep-wpa-supplicant-runni.patch + source = 0006-Add-reload-support-to-the-systemd-unit-files.patch + source = 0007-nl80211-add-extra-ies-only-if-allowed-by-driver.patch + validpgpkeys = EC4AA0A991A5F2464582D52D2B6EF432EFC895FA + b2sums = 163d2e6644902f36b3b5f25e328221fa34495d745801e8d3dce874b05366c81370ef75c8f7e0198e206a3d04c5ea4bb501bf97693fa481e15cf5067d80ab0c1e + b2sums = 9785af24e59e3d48dc3ab055cc6b9e5bbf081e801fbbfa70d532c2ad8f7f4e59c2679385c75aa02f856ec387cd5182640ff91d892aed9846c738da57e05574d9 + b2sums = 96b82aaa5315e931424150d47e52f70186e2eea3928a5c97792473b69e8f92463863e8044e073bf940d597a3620f63381bd6996a594c85977785cdce4038f768 + b2sums = bd00e0f6c04db9c2dc274763b97dace4d886fb105b0a605bb15877ee84e4a93a7b95ab9a0242b4937c748c8e7991e3dddb795ac4c2b0e99be0f5e48098041b70 + b2sums = aaa7604faf1fede451582c8b981579cc86724a66c783d8368d1c122e0c381b75842d83bd85a982c1d4461d65bc74e62d34768762d15b4005a24a17e1392a109a + b2sums = 
7175e7aab682370aef1b3358eaa839dcb009e12940aa2b9949c8c3254406341433e84af09d09ad670bf41f5201d979af02095c87a368b76465a952b1be9de049 + b2sums = 6472d571f18c3ee718315888b9c756c4579a4b411e8c6994002f9a79fb0a36fbebe8b3d419af0f9ea881dd1bc439d03dbe3c6d6661e670f16575197c31f0bd7a + b2sums = c1ce2e8d6f42cbc8181aeb2bdc19d4a22bff804c18f6e505d8315a294c67c936e90135046812ec37765be3d0f433e31554604deb1d7b160549d7e3284610a22b + b2sums = 28bf078147cc2f3395d3f907d6d900c7976dbd9948a9513f1d7ef32a40b89fee55e243c9302d24eda62dc1f813857fa09ae79e6faf52881e463a163acb437380 + +pkgname = wpa_supplicant diff --git a/wpa_supplicant/.nvchecker.toml b/wpa_supplicant/.nvchecker.toml new file mode 100644 index 0000000000..7dc5f7f213 --- /dev/null +++ b/wpa_supplicant/.nvchecker.toml @@ -0,0 +1,8 @@ +[wpa_supplicant] +source = "git" +git = "https://w1.fi/hostap.git" +include_regex = 'hostap(_\d+)+' +prefix = "hostap_" +from_pattern = "_" +to_pattern = "." +use_max_tag = true diff --git a/wpa_supplicant/0001-Enable-TLSv1.0-by-default.patch b/wpa_supplicant/0001-Enable-TLSv1.0-by-default.patch new file mode 100644 index 0000000000..5583d0bd69 --- /dev/null +++ b/wpa_supplicant/0001-Enable-TLSv1.0-by-default.patch 
@@ -0,0 +1,29 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Andrej Shadura
+Date: Sat, 15 Dec 2018 14:19:22 +0100
+Subject: [PATCH] Enable TLSv1.0 by default
+
+OpenSSL 1.1.1 disables TLSv1.0 by default and sets the security level to 2.
+Some older networks may support for TLSv1.0 and less secure cyphers.
+---
+ src/crypto/tls_openssl.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
+index 17283f99817a..b27c238ec864 100644
+--- a/src/crypto/tls_openssl.c
++++ b/src/crypto/tls_openssl.c
+@@ -1098,6 +1098,13 @@ void * tls_init(const struct tls_config *conf)
+ os_free(data);
+ return NULL;
+ }
++
++#ifndef EAP_SERVER_TLS
++ /* Enable TLSv1.0 by default to allow connecting to legacy
++ * networks since Debian OpenSSL is set to minimum TLSv1.2 and SECLEVEL=2. */
++ SSL_CTX_set_min_proto_version(ssl, TLS1_VERSION);
++#endif
++
+ data->ssl = ssl;
+ if (conf) {
+ data->tls_session_lifetime = conf->tls_session_lifetime;
diff --git a/wpa_supplicant/0002-Disable-Werror-for-eapol_test.patch b/wpa_supplicant/0002-Disable-Werror-for-eapol_test.patch
new file mode 100644
index 0000000000..7e1773d418
--- /dev/null
+++ b/wpa_supplicant/0002-Disable-Werror-for-eapol_test.patch
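Review bot: In 0001-Enable-TLSv1.0-by-default.patch the added `SSL_CTX_set_min_proto_version(ssl, TLS1_VERSION);` in tls_init() ignores its return value, so if OpenSSL refuses the override the supplicant carries on with no trace of which protocol floor is in effect. I would check and log it: `if (SSL_CTX_set_min_proto_version(ssl, TLS1_VERSION) != 1) wpa_printf(MSG_DEBUG, "OpenSSL: Failed to lower minimum TLS version");`. The call applies to the shared context, so TLS 1.0 becomes acceptable for every network profile rather than only the legacy ones; the comment should say so and point at the per-network `tls_disable_tlsv1_0=1` phase1 flag as the way to opt back out (assuming that flag still takes effect on top of this default, which is worth confirming). The comment also attributes the stricter default to Debian's OpenSSL although this is not a Debian package, and the patch description mentions the security level while the code leaves it untouched. tls_init() starts and ends outside the hunk.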
@@ -0,0 +1,26 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Andrej Shadura
+Date: Fri, 12 Feb 2021 14:28:19 +0100
+Subject: [PATCH] Disable -Werror for eapol_test
+
+This may make sense for the upstream, but we just want to build
+the tool to be useful to our users; dealing with build errors due
+to issues normally manifesting themselves as warnings is burdening
+for Debian and its downstreams.
+---
+ wpa_supplicant/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
+index 743c8acd683f..04f6dd78b580 100644
+--- a/wpa_supplicant/Makefile
++++ b/wpa_supplicant/Makefile
+@@ -187,7 +187,7 @@ CFLAGS += -DCONFIG_ELOOP_KQUEUE
+ endif
+
+ ifdef CONFIG_EAPOL_TEST
+-CFLAGS += -Werror -DEAPOL_TEST
++CFLAGS += -DEAPOL_TEST
+ endif
+
+ ifdef CONFIG_CODE_COVERAGE
diff --git a/wpa_supplicant/0003-Allow-legacy-renegotiation-to-fix-PEAP-issues-with-s.patch b/wpa_supplicant/0003-Allow-legacy-renegotiation-to-fix-PEAP-issues-with-s.patch
new file mode 100644
index 0000000000..ffef7f644a
--- /dev/null
+++ b/wpa_supplicant/0003-Allow-legacy-renegotiation-to-fix-PEAP-issues-with-s.patch
@@ -0,0 +1,32 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: James Ralston
+Date: Sun, 1 May 2022 16:15:23 -0700
+Subject: [PATCH] Allow legacy renegotiation to fix PEAP issues with some
+ servers
+
+Upstream: http://lists.infradead.org/pipermail/hostap/2022-May/040511.html
+---
+ src/crypto/tls_openssl.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
+index b27c238ec864..59a1b0d9b9c7 100644
+--- a/src/crypto/tls_openssl.c
++++ b/src/crypto/tls_openssl.c
+@@ -1114,6 +1114,16 @@ void * tls_init(const struct tls_config *conf)
+ SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv2);
+ SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv3);
+
++ /* Many enterprise PEAP server implementations (e.g. used in large
++ corporations and universities) do not support RFC5746 secure
++ renegotiation, and starting with OpenSSL 3.0,
++ SSL_OP_LEGACY_SERVER_CONNECT is no longer set as part of SSL_OP_ALL.
++ So until we implement a way to request SSL_OP_LEGACY_SERVER_CONNECT
++ only in EAP peer mode, just set SSL_OP_LEGACY_SERVER_CONNECT
++ globally. */
++
++ SSL_CTX_set_options(ssl, SSL_OP_LEGACY_SERVER_CONNECT);
++
+ SSL_CTX_set_mode(ssl, SSL_MODE_AUTO_RETRY);
+
+ #ifdef SSL_MODE_NO_AUTO_CHAIN
diff --git a/wpa_supplicant/0004-Tweak-D-Bus-systemd-service-activation-configuration.patch b/wpa_supplicant/0004-Tweak-D-Bus-systemd-service-activation-configuration.patch
new file mode 100644
index 0000000000..e4283e971b
--- /dev/null
+++ b/wpa_supplicant/0004-Tweak-D-Bus-systemd-service-activation-configuration.patch
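Review bot: In 0003-Allow-legacy-renegotiation-to-fix-PEAP-issues-with-s.patch, `SSL_CTX_set_options(ssl, SSL_OP_LEGACY_SERVER_CONNECT);` is applied to the shared context in tls_init() with no opt-out and no log line, so any profile may complete a handshake with a server that lacks RFC 5746 secure renegotiation and nothing records that the relaxed policy was in effect. I would add `wpa_printf(MSG_DEBUG, "OpenSSL: Allowing servers without RFC 5746 secure renegotiation");` next to the call so the relaxation is visible when a connection is being audited. The trailing context guards an optional flag with `#ifdef SSL_MODE_NO_AUTO_CHAIN`; wrapping the new call in `#ifdef SSL_OP_LEGACY_SERVER_CONNECT` would follow the same pattern and keep the file building against TLS libraries that do not define the option. The "until we implement a way" sentence in the comment reads as an open TODO and would be better marked as one. tls_init() starts and ends outside the hunk.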
@@ -0,0 +1,37 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Kel Modderman
+Date: Sat, 21 Apr 2012 15:59:32 +1000
+Subject: [PATCH] Tweak D-Bus/systemd service activation configuration files:
+
+ * log wpa_supplicant messages to syslog
+ * activate control socket interface so that wpa_cli can be used by D-Bus
+ activated wpa_supplicant daemon
+---
+ wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in | 2 +-
+ wpa_supplicant/systemd/wpa_supplicant.service.in | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in b/wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in
+index d97ff392175d..3b0af67afde0 100644
+--- a/wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in
++++ b/wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in
+@@ -1,5 +1,5 @@
+ [D-BUS Service]
+ Name=fi.w1.wpa_supplicant1
+-Exec=@BINDIR@/wpa_supplicant -u
++Exec=@BINDIR@/wpa_supplicant -u -s -O /run/wpa_supplicant
+ User=root
+ SystemdService=wpa_supplicant.service
+diff --git a/wpa_supplicant/systemd/wpa_supplicant.service.in b/wpa_supplicant/systemd/wpa_supplicant.service.in
+index 58a622887cd9..bc0688a800d3 100644
+--- a/wpa_supplicant/systemd/wpa_supplicant.service.in
++++ b/wpa_supplicant/systemd/wpa_supplicant.service.in
+@@ -7,7 +7,7 @@ Wants=network.target
+ [Service]
+ Type=dbus
+ BusName=fi.w1.wpa_supplicant1
+-ExecStart=@BINDIR@/wpa_supplicant -u
++ExecStart=@BINDIR@/wpa_supplicant -u -s -O /run/wpa_supplicant
+
+ [Install]
+ WantedBy=multi-user.target
diff --git a/wpa_supplicant/0005-Add-IgnoreOnIsolate-yes-to-keep-wpa-supplicant-runni.patch b/wpa_supplicant/0005-Add-IgnoreOnIsolate-yes-to-keep-wpa-supplicant-runni.patch
new file mode 100644
index 0000000000..044c8bb91c
--- /dev/null
+++ b/wpa_supplicant/0005-Add-IgnoreOnIsolate-yes-to-keep-wpa-supplicant-runni.patch
@@ -0,0 +1,37 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Mathieu Trudel-Lapierre
+Date: Mon, 13 Mar 2017 13:46:12 -0400
+Subject: [PATCH] Add IgnoreOnIsolate=yes to keep wpa-supplicant running while
+ systemctl isolate
+
+> Add IgnoreOnIsolate=yes so that when switching "runlevels" in
+> oem-config will not kill off wpa and cause wireless to be
+> unavailable on first boot. (LP: #1576024)
+
+Also happens when running systemctl isolate default.target:
+
+> NM should be detecting that wpasupplicant is not running and start
+> it -- this should already have been working by way of wpasupplicant
+> being dbus-activated.
+[...]
+> It seems to me like IgnoreOnIsolate for wpasupplicant would be the
+> right thing to do, or to figure out why it isn't being properly
+> started when NM tries to use it.
+
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1576024
+---
+ wpa_supplicant/systemd/wpa_supplicant.service.in | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/wpa_supplicant/systemd/wpa_supplicant.service.in b/wpa_supplicant/systemd/wpa_supplicant.service.in
+index bc0688a800d3..561ae8f827ab 100644
+--- a/wpa_supplicant/systemd/wpa_supplicant.service.in
++++ b/wpa_supplicant/systemd/wpa_supplicant.service.in
+@@ -3,6 +3,7 @@ Description=WPA supplicant
+ Before=network.target
+ After=dbus.service
+ Wants=network.target
++IgnoreOnIsolate=true
+
+ [Service]
+ Type=dbus
diff --git a/wpa_supplicant/0006-Add-reload-support-to-the-systemd-unit-files.patch b/wpa_supplicant/0006-Add-reload-support-to-the-systemd-unit-files.patch
new file mode 100644
index 0000000000..6c874414ed
--- /dev/null
+++ b/wpa_supplicant/0006-Add-reload-support-to-the-systemd-unit-files.patch
@@ -0,0 +1,68 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Ryutaroh Matsumoto
+Date: Mon, 8 Jul 2019 00:25:48 +0900
+Subject: [PATCH] Add reload support to the systemd unit files
+
+When wifi password is written in /etc/wpa_supplicant/wpa_supplicant-if.conf,
+wpa_supplicant@if.service is started by systemd.
+When one adds a new pair of SSID and its password in the above config
+file, wpa_supplicant has to reload the changed config file.
+But "systemctl reload" was not accepted because "ExecReload" was missing
+from wpa_supplicant@.service.
+
+Bug-Debian: https://bugs.debian.org/931554
+---
+ wpa_supplicant/systemd/wpa_supplicant-nl80211.service.arg.in | 1 +
+ wpa_supplicant/systemd/wpa_supplicant-wired.service.arg.in | 1 +
+ wpa_supplicant/systemd/wpa_supplicant.service.arg.in | 1 +
+ wpa_supplicant/systemd/wpa_supplicant.service.in | 1 +
+ 4 files changed, 4 insertions(+)
+
+diff --git a/wpa_supplicant/systemd/wpa_supplicant-nl80211.service.arg.in b/wpa_supplicant/systemd/wpa_supplicant-nl80211.service.arg.in
+index 4eab33526bba..577e550477f0 100644
+--- a/wpa_supplicant/systemd/wpa_supplicant-nl80211.service.arg.in
++++ b/wpa_supplicant/systemd/wpa_supplicant-nl80211.service.arg.in
+@@ -10,6 +10,7 @@ Wants=network.target
+ [Service]
+ Type=simple
+ ExecStart=@BINDIR@/wpa_supplicant -c/etc/wpa_supplicant/wpa_supplicant-nl80211-%I.conf -Dnl80211 -i%I
++ExecReload=/bin/kill -HUP $MAINPID
+
+ [Install]
+ WantedBy=multi-user.target
+diff --git a/wpa_supplicant/systemd/wpa_supplicant-wired.service.arg.in b/wpa_supplicant/systemd/wpa_supplicant-wired.service.arg.in
+index ca3054bc6d55..c0855babd4d1 100644
+--- a/wpa_supplicant/systemd/wpa_supplicant-wired.service.arg.in
++++ b/wpa_supplicant/systemd/wpa_supplicant-wired.service.arg.in
+@@ -10,6 +10,7 @@ Wants=network.target
+ [Service]
+ Type=simple
+ ExecStart=@BINDIR@/wpa_supplicant -c/etc/wpa_supplicant/wpa_supplicant-wired-%I.conf -Dwired -i%I
++ExecReload=/bin/kill -HUP $MAINPID
+
+ [Install]
+ WantedBy=multi-user.target
+diff --git a/wpa_supplicant/systemd/wpa_supplicant.service.arg.in b/wpa_supplicant/systemd/wpa_supplicant.service.arg.in
+index b0d610fa8efb..57f6f51ce4cf 100644
+--- a/wpa_supplicant/systemd/wpa_supplicant.service.arg.in
++++ b/wpa_supplicant/systemd/wpa_supplicant.service.arg.in
+@@ -10,6 +10,7 @@ Wants=network.target
+ [Service]
+ Type=simple
+ ExecStart=@BINDIR@/wpa_supplicant -c/etc/wpa_supplicant/wpa_supplicant-%I.conf -i%I
++ExecReload=/bin/kill -HUP $MAINPID
+
+ [Install]
+ WantedBy=multi-user.target
+diff --git a/wpa_supplicant/systemd/wpa_supplicant.service.in b/wpa_supplicant/systemd/wpa_supplicant.service.in
+index 561ae8f827ab..18cbc1108597 100644
+--- a/wpa_supplicant/systemd/wpa_supplicant.service.in
++++ b/wpa_supplicant/systemd/wpa_supplicant.service.in
+@@ -9,6 +9,7 @@ IgnoreOnIsolate=true
+ Type=dbus
+ BusName=fi.w1.wpa_supplicant1
+ ExecStart=@BINDIR@/wpa_supplicant -u -s -O /run/wpa_supplicant
++ExecReload=/bin/kill -HUP $MAINPID
+
+ [Install]
+ WantedBy=multi-user.target
diff --git a/wpa_supplicant/0007-nl80211-add-extra-ies-only-if-allowed-by-driver.patch b/wpa_supplicant/0007-nl80211-add-extra-ies-only-if-allowed-by-driver.patch
new file mode 100644
index 0000000000..88f99d96d3
--- /dev/null
+++ b/wpa_supplicant/0007-nl80211-add-extra-ies-only-if-allowed-by-driver.patch
@@ -0,0 +1,73 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: David Bauer
+Date: Sun, 30 Jan 2022 20:22:00 +0100
+Subject: [PATCH] nl80211: add extra-ies only if allowed by driver
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Upgrading wpa_supplicant from 2.9 to 2.10 breaks broadcom-wl
+based adapters. The reason for it is hostapd tries to install additional
+IEs for scanning while the driver does not support this.
+
+The kernel indicates the maximum number of bytes for additional scan IEs
+using the NL80211_ATTR_MAX_SCAN_IE_LEN attribute. Save this value and
+only add additional scan IEs in case the driver can accommodate these
+additional IEs.
+
+Reported-by: Étienne Morice
+Tested-by: Étienne Morice
+Signed-off-by: David Bauer
+
+Bug: http://lists.infradead.org/pipermail/hostap/2022-January/040178.html
+Bug-ArchLinux: https://bugs.archlinux.org/task/73495
+Bug-Debian: https://bugs.debian.org/1004524
+Origin: http://lists.infradead.org/pipermail/hostap/2022-January/040185.html
+---
+ src/drivers/driver.h | 3 +++
+ src/drivers/driver_nl80211_capa.c | 4 ++++
+ src/drivers/driver_nl80211_scan.c | 2 +-
+ 3 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/src/drivers/driver.h b/src/drivers/driver.h
+index 4331782d897a..243e9b5cc4d8 100644
+--- a/src/drivers/driver.h
++++ b/src/drivers/driver.h
+@@ -2357,6 +2357,9 @@ struct wpa_driver_capa {
+ /** Maximum number of iterations in a single scan plan */
+ u32 max_sched_scan_plan_iterations;
+
++ /** Maximum number of extra IE bytes for scans */
++ u16 max_scan_ie_len;
++
+ /** Whether sched_scan (offloaded scanning) is supported */
+ int sched_scan_supported;
+
+diff --git a/src/drivers/driver_nl80211_capa.c b/src/drivers/driver_nl80211_capa.c
+index 26c1f41406d2..d5ba66b1073e 100644
+--- a/src/drivers/driver_nl80211_capa.c
++++ b/src/drivers/driver_nl80211_capa.c
+@@ -976,6 +976,10 @@ static int wiphy_info_handler(struct nl_msg *msg, void *arg)
+ nla_get_u32(tb[NL80211_ATTR_MAX_SCAN_PLAN_ITERATIONS]);
+ }
+
++ if (tb[NL80211_ATTR_MAX_SCAN_IE_LEN])
++ capa->max_scan_ie_len =
++ nla_get_u16(tb[NL80211_ATTR_MAX_SCAN_IE_LEN]);
++
+ if (tb[NL80211_ATTR_MAX_MATCH_SETS])
+ capa->max_match_sets =
+ nla_get_u8(tb[NL80211_ATTR_MAX_MATCH_SETS]);
+diff --git a/src/drivers/driver_nl80211_scan.c b/src/drivers/driver_nl80211_scan.c
+index b055e684a9f8..a8ea8f2cf1d7 100644
+--- a/src/drivers/driver_nl80211_scan.c
++++ b/src/drivers/driver_nl80211_scan.c
+@@ -221,7 +221,7 @@ nl80211_scan_common(struct i802_bss *bss, u8 cmd,
+ wpa_printf(MSG_DEBUG, "nl80211: Passive scan requested");
+ }
+
+- if (params->extra_ies) {
++ if (params->extra_ies && drv->capa.max_scan_ie_len >= params->extra_ies_len) {
+ wpa_hexdump(MSG_MSGDUMP, "nl80211: Scan extra IEs",
+ params->extra_ies, params->extra_ies_len);
+ if (nla_put(msg, NL80211_ATTR_IE, params->extra_ies_len,
diff --git a/wpa_supplicant/PKGBUILD b/wpa_supplicant/PKGBUILD
index 427e4e600b..821f2d1749 100644
--- a/wpa_supplicant/PKGBUILD
+++ b/wpa_supplicant/PKGBUILD
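Review bot: In the driver_nl80211_scan.c part of 0007-nl80211-add-extra-ies-only-if-allowed-by-driver.patch, the new condition `drv->capa.max_scan_ie_len >= params->extra_ies_len` drops the extra IEs without a log line when it fails. max_scan_ie_len is only assigned in wiphy_info_handler() when the driver reports NL80211_ATTR_MAX_SCAN_IE_LEN, so a driver that omits the attribute presumably leaves it at 0 and every scan loses its extra IEs with no trace. An `else if (params->extra_ies)` branch with `wpa_printf(MSG_DEBUG, "nl80211: Extra IEs (%u bytes) exceed driver limit %u; not added", (unsigned int) params->extra_ies_len, drv->capa.max_scan_ie_len);` would make that diagnosable. nl80211_scan_common() continues past the end of the hunk, so the close of the if body is not visible here.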
@@ -5,82 +5,100 @@ # Contributor: loqs pkgname=wpa_supplicant -pkgver=2.10 -pkgrel=8 +pkgver=2.11 +pkgrel=2 epoch=2 pkgdesc='A utility providing key negotiation for WPA wireless networks' url='https://w1.fi/wpa_supplicant/' arch=(x86_64 powerpc64le powerpc64 powerpc riscv64) -license=(GPL) -depends=(openssl libdbus readline libnl pcsclite) +license=(BSD-3-Clause) +depends=( + glibc + libdbus + libnl + openssl + pcsclite + readline +) +makedepends=( + docbook-sgml + docbook-utils + git + perl-sgmls +) install=wpa_supplicant.install source=( - https://w1.fi/releases/${pkgname}-${pkgver}.tar.gz{,.asc} + "git+https://w1.fi/hostap.git?signed#tag=hostap_${pkgver//./_}" wpa_supplicant_config - wpa_supplicant_tls.patch - wpa_supplicant_dbus_service_syslog.patch - wpa_supplicant_service_ignore-on-isolate.patch - wpa_supplicant-legacy-server-connect.patch - lower_security_level_for_tls_1.patch - disable-eapol-werror.patch - 0001-nl80211-add-extra-ies-only-if-allowed-by-driver.patch - 0002-AP-guard-FT-SAE-code-with-CONFIG_IEEE80211R_AP.patch -) -validpgpkeys=('EC4AA0A991A5F2464582D52D2B6EF432EFC895FA') # Jouni Malinen -sha256sums=('20df7ae5154b3830355f8ab4269123a87affdea59fe74fe9292a91d0d7e17b2f' - 'SKIP' - '1e32af4a1a147ee75358fd0b5636fb41332a7b91ec7a904292178256f735e9d2' - '08915b040d03a3e07cdc8ea6c76b497e00059e01ce85b67413dfe41d4fc68992' - '60f6a1cf2e124813dfce1da78ee1818e2ff5236aafa4113c7ae3b3f2a0b84006' - 'd42bdbf3d4980b9f0a819612df0c39843c7e96c8afcb103aa656c824f93790b0' - '8fba11e4a5056d9e710707ded93341f61fdfef6c64ced992e3936cbd2d41a011' - 'c3c0fb363f734c1512d24fd749b3ff7515f961b27bfadd04c128434b5c9f4a93' - '9aca193cc26682765467cf9131240e5de71f9b49a765a934284da5e308ea904e' - '7901d42eda48f82106901cbeb5e7be39025c878d5085a0a0d54ccbe36c3ecef4' - '24e844b0a08fe3fede1676cedfe29643375ae56ab1a5fe4f5783765a7b759c15') - -prepare() { - cd $pkgname-$pkgver # More permissive TLS fallback - patch -Np1 -i ../wpa_supplicant_tls.patch - - # Unit improvements from Ubuntu - patch -Np1 -i 
../wpa_supplicant_dbus_service_syslog.patch - - # More unit improvements from Ubuntu - patch -Np1 -i ../wpa_supplicant_service_ignore-on-isolate.patch - - # https://bugzilla.redhat.com/show_bug.cgi?id=2072070#c24 - patch -Np1 -i ../wpa_supplicant-legacy-server-connect.patch - - # http://lists.infradead.org/pipermail/hostap/2022-May/040571.html - # https://bugs.archlinux.org/task/76474 - patch -Np1 -i ../lower_security_level_for_tls_1.patch + 0001-Enable-TLSv1.0-by-default.patch # https://salsa.debian.org/debian/wpa/-/commit/13e1d28e4f987a220c546df94df86bb9b2371874 - patch -Np1 -i ../disable-eapol-werror.patch + 0002-Disable-Werror-for-eapol_test.patch - # http://lists.infradead.org/pipermail/hostap/2022-January/040178.html - patch -Np1 -i ../0001-nl80211-add-extra-ies-only-if-allowed-by-driver.patch + # https://lists.infradead.org/pipermail/hostap/2022-May/040511.html + # https://bugs.archlinux.org/task/76474 + 0003-Allow-legacy-renegotiation-to-fix-PEAP-issues-with-s.patch - # https://lists.infradead.org/pipermail/hostap/2022-April/040352.html - patch -Np1 -i ../0002-AP-guard-FT-SAE-code-with-CONFIG_IEEE80211R_AP.patch + # Unit improvements from Ubuntu + 0004-Tweak-D-Bus-systemd-service-activation-configuration.patch + 0005-Add-IgnoreOnIsolate-yes-to-keep-wpa-supplicant-runni.patch + + # More unit improvements from Debian + 0006-Add-reload-support-to-the-systemd-unit-files.patch + + # https://lists.infradead.org/pipermail/hostap/2022-January/040178.html + 0007-nl80211-add-extra-ies-only-if-allowed-by-driver.patch +) +b2sums=('163d2e6644902f36b3b5f25e328221fa34495d745801e8d3dce874b05366c81370ef75c8f7e0198e206a3d04c5ea4bb501bf97693fa481e15cf5067d80ab0c1e' + '9785af24e59e3d48dc3ab055cc6b9e5bbf081e801fbbfa70d532c2ad8f7f4e59c2679385c75aa02f856ec387cd5182640ff91d892aed9846c738da57e05574d9' + '96b82aaa5315e931424150d47e52f70186e2eea3928a5c97792473b69e8f92463863e8044e073bf940d597a3620f63381bd6996a594c85977785cdce4038f768' + 
'bd00e0f6c04db9c2dc274763b97dace4d886fb105b0a605bb15877ee84e4a93a7b95ab9a0242b4937c748c8e7991e3dddb795ac4c2b0e99be0f5e48098041b70' + 'aaa7604faf1fede451582c8b981579cc86724a66c783d8368d1c122e0c381b75842d83bd85a982c1d4461d65bc74e62d34768762d15b4005a24a17e1392a109a' + '7175e7aab682370aef1b3358eaa839dcb009e12940aa2b9949c8c3254406341433e84af09d09ad670bf41f5201d979af02095c87a368b76465a952b1be9de049' + '6472d571f18c3ee718315888b9c756c4579a4b411e8c6994002f9a79fb0a36fbebe8b3d419af0f9ea881dd1bc439d03dbe3c6d6661e670f16575197c31f0bd7a' + 'c1ce2e8d6f42cbc8181aeb2bdc19d4a22bff804c18f6e505d8315a294c67c936e90135046812ec37765be3d0f433e31554604deb1d7b160549d7e3284610a22b' + '28bf078147cc2f3395d3f907d6d900c7976dbd9948a9513f1d7ef32a40b89fee55e243c9302d24eda62dc1f813857fa09ae79e6faf52881e463a163acb437380') +validpgpkeys=( + EC4AA0A991A5F2464582D52D2B6EF432EFC895FA # Jouni Malinen +) + +prepare() { + cd hostap + + local src + for src in "${source[@]}"; do + [[ $src = *.patch ]] || continue + echo "Applying patch $src..." + patch -Np1 < "../$src" + done cp ../wpa_supplicant_config $pkgname/.config } -build() { - cd $pkgname-$pkgver/$pkgname +_make() { + local make_options=( + BINDIR=/usr/bin + LIBDIR=/usr/lib + "$@" + ) - make LIBDIR=/usr/lib BINDIR=/usr/bin - make LIBDIR=/usr/lib BINDIR=/usr/bin eapol_test + make "${make_options[@]}" +} + +build() { + cd hostap/$pkgname + + _make + _make eapol_test + _make -C doc/docbook man } package() { - cd $pkgname-$pkgver/$pkgname + cd hostap/$pkgname - make LIBDIR=/usr/lib BINDIR=/usr/bin DESTDIR="$pkgdir" install + _make DESTDIR="$pkgdir" install install -Dm755 eapol_test "$pkgdir/usr/bin/eapol_test" @@ -98,4 +116,8 @@ package() { rm "$pkgdir"/usr/share/man/man8/wpa_{priv,gui}.8 install -Dm644 systemd/*.service -t "$pkgdir/usr/lib/systemd/system" + + install -Dm644 ../README "$pkgdir/usr/share/licenses/$pkgname/LICENSE" } + +# vim:set sw=2 sts=-1 et: 
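Review bot: The `validpgpkeys` entry in the first PKGBUILD hunk pins EC4AA0A991A5F2464582D52D2B6EF432EFC895FA for the `?signed` tag check, and the key block this commit adds under keys/pgp appears from its packet header to be a legacy 1024-bit DSA key, so the signature on its own is a weak anchor for the source. The pinned first entry of `b2sums` is what actually fixes the tree content, and that deserves a comment next to the array, for example `# tag signature relies on a legacy key; keep the git source checksum pinned, never SKIP`. Separately, the source-array comment `# More permissive TLS fallback` above 0001 understates what is being carried; `# Lowers the default TLS floor to 1.0 for all networks` would tell the next maintainer what to re-evaluate on each version bump.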
diff --git a/wpa_supplicant/keys/pgp/EC4AA0A991A5F2464582D52D2B6EF432EFC895FA.asc b/wpa_supplicant/keys/pgp/EC4AA0A991A5F2464582D52D2B6EF432EFC895FA.asc
new file mode 100644
index 0000000000..f7d403c4ff
--- /dev/null
+++ b/wpa_supplicant/keys/pgp/EC4AA0A991A5F2464582D52D2B6EF432EFC895FA.asc
@@ -0,0 +1,36 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQGiBDoydw4RBAC9vfqCsU+dgrxUSdGf70zrEAIBxcjeqHusovztR65XOWE0ccjm +QS2TVgJM+OzYg9FJG7DuLQZDwhR10BZKJfG97fNyZVBCoO90bEcTufn96oceJlz/ +MHmy99+i6wYdIKYzvmaxcC1QPhENr1scgin9nMiW1MTPJ7sSgjDqd0QPVwCgmaZU +pzhKRusR5E/MmgI2kz73Ui0D/03lVNypkQTbuBp1q71YqT9qjO8+5kXU5QXJhel0 +qUgJHcu3rdnIVaiANw1qauMM0DtnRKOtcaZntn03sFNnaJRx0JlmLa/cMP0nm1kP +nR6Q3Cruz7InJnJZDXGsGH/ku4OcYLUJ8UgqzaO0J5o66j7pxQQDo1UAs4PQaoYq +/ECbA/9B6b3TzuHdqUgS/g2AYTc5MU+i92ydrBv2g9SPuH78m/X4YicGR1HF7yNi +J/hiVa/axBUHpXE4vW0Bndj1bN4sctFeGGezGRaLiiggZkBBNnL8nF5eZebLvPrv +4kr8Cchz+lGF5UFNVyLWwi/I5CSUqUtSXOD1Q9WcXoqJcrE2brQXSm91bmkgTWFs +aW5lbiA8akB3MS5maT6IYgQTEQIAIgIbIwYLCQgHAwIEFQIIAwMWAgECHgECF4AF +AkZbB/QCGQEACgkQK270Mu/IlfpuGACfd0WargWDeja0VW+R9TSKjRIfO1cAn1A8 +nkiso1bg/CvU56wSvpU4MpF6tBlKb3VuaSBNYWxpbmVuIDxqbUBraXIubnU+iF8E +ExECAB8FAkZbB5sCGyMGCwkIBwMCBBUCCAMDFgIBAh4BAheAAAoJECtu9DLvyJX6 +BmAAnRSeK5z2ClLwuV5i1CtP9w2v85TkAJ9XLkaqrNqX4yDxoHqbEpHkHZ6d17Qi +Sm91bmkgTWFsaW5lbiA8amttYWxpbmVAY2MuaHV0LmZpPohXBBMRAgAXBQI6Mn1J +BQsHCgMEAxUDAgMWAgECF4AACgkQK270Mu/IlfqZmQCeN9xC1eqSD3xiUa/z+SMA +2Gd5NvkAnRuwbogLyTyBb8HqC1LxISWkTSBvtCBKb3VuaSBNYWxpbmVuIDxqbUBq +bS5lcGl0ZXN0LmZpPohXBBMRAgAXBQI6MncOBQsHCgMEAxUDAgMWAgECF4AACgkQ +K270Mu/IlfqNLwCeLGNO35p6s0fHzCio7tYYapCHXlgAniIgNRdn+9BmfLUUb97D +MT+t1RWauQINBDoyd1sQCAC8qbv50m22q9hhs54GMD+Xemg0dHiHuuTtVPYugJqT +SlhSS8QJBdulR8hYYDGHbTzjB/ksiQFOcISZZ+zQRIGqLbNldf6taGUTIhZkIh09 +0RYLXCYoMFB8XLBOaLVRy7SMwsPXdbIRkT9v9CzMjZcTUVjwObQKRpTie0JZhc// +CUmY76scpRY5ifDXT9NOr5uMA3W5FI1AFc3d856BYhdnhcuJn+QQS+Xsj3r2vpVz +YHoS+nT0nQ9iwmqPtRHep+t1cudqEouaWT8tpXkSB0Y0MjOPyGnNDkg9om3gj5QK +zMDcQCxCVTHjqVUrmW6Bs2Rm2YVMBu/TIG4E9hEK8Ma/AAMFB/4pOot8lGbAJcov +gtSEvna6WyOnFtmC8UCXJyf1MnzzLAO6Fvf8cz16ig2o+7bgKiQeWxwd7LJEicv2 +kD33fZl3OqSZbNdfsOxB9g+jtWC+vOXGKzr6Pi7fIBXgkhxF/eWbhFg7Kj4rd+jB +I9F7uK/wPyY8JivH8vy2w6Boipc3S7qcUn5Gk58w0EuZrAHSGKt9QWd/p7ppIfgg +mbc77YFWzM/z9fiMWp4+YIJkEH6unz3+91qQXUC4JGL6QMnsIoieqoAk/6rHMCTf 
+hFSvQxuhxpLUI+PT9sAvIBZLZta6hvIiYVpSTzZxiVmuioVHUhPVQdcpO5Mrr1VH +DwC+ZH8miEYEGBECAAYFAjoyd1sACgkQK270Mu/IlfrRCACfWEtm3et85knJeUK2 +ApdQ54Evxn4AoIYi35jctzD/SfJzPiE15zTRS8NN +=fN+f +-----END PGP PUBLIC KEY BLOCK-----