Update to wpa_supplicant-2.2

Tested by pascal@ and myself. I also take maintainership, as per sthen's request.
2014-09-02 13:04:34 +00:00 · 2014-09-02 13:04:34 +00:00 · f2af671cce
commit f2af671cce
parent fd2577db50
7 changed files with 9 additions and 128 deletions
--- a/security/wpa_supplicant/Makefile
+++ b/security/wpa_supplicant/Makefile
@ -1,14 +1,13 @@
-# $OpenBSD: Makefile,v 1.18 2014/07/22 10:55:41 ajacoutot Exp $
+# $OpenBSD: Makefile,v 1.19 2014/09/02 13:04:34 dcoppa Exp $

 COMMENT=	IEEE 802.1X supplicant

-DISTNAME=	wpa_supplicant-2.1
-REVISION=	2
+DISTNAME=	wpa_supplicant-2.2
 CATEGORIES=	security net

 HOMEPAGE=	http://hostap.epitest.fi/wpa_supplicant/

-MAINTAINER=	Stuart Henderson <sthen@openbsd.org>
+MAINTAINER=	David Coppa <dcoppa@openbsd.org>

 # BSD
 PERMIT_PACKAGE_CDROM=	Yes
--- a/security/wpa_supplicant/distinfo
+++ b/security/wpa_supplicant/distinfo
@ -1,2 +1,2 @@
-SHA256 (wpa_supplicant-2.1.tar.gz) = kWMufjtJo0DOQI4vl4qTVGppc4Or8uWmDxRvqunhsnc=
-SIZE (wpa_supplicant-2.1.tar.gz) = 2222066
+SHA256 (wpa_supplicant-2.2.tar.gz) = 4Ni4/WimWWNuq6JGuyyqy/U9ItU7K2uQ60tP7wmTyO0=
+SIZE (wpa_supplicant-2.2.tar.gz) = 2382570
--- a/security/wpa_supplicant/patches/patch-src_crypto_ms_funcs_c
+++ b/security/wpa_supplicant/patches/patch-src_crypto_ms_funcs_c
@ -1,24 +0,0 @@
-$OpenBSD: patch-src_crypto_ms_funcs_c,v 1.1 2014/03/18 05:57:22 dcoppa Exp $
-
-commit 22dd2d7a987325faa089e65914c1602cad85f747
-Author: Jouni Malinen <j@w1.fi>
-Date:   Sat Feb 15 12:06:35 2014 +0200
-
-Fix MSCHAP UTF-8 to UCS-2 conversion for three-byte encoding
-
-This fixes issues in using a password that includes a UTF-8 character
-with three-byte encoding with EAP methods that use NtPasswordHash
-(anything using MSCHAPv2 or LEAP).
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
-
--- src/crypto/ms_funcs.c.orig	Tue Feb  4 12:23:35 2014
-+++ src/crypto/ms_funcs.c	Fri Mar 14 10:49:39 2014
-@@ -58,6 +58,7 @@ static int utf8_to_ucs2(const u8 *utf8_string, size_t 
- 				WPA_PUT_LE16(ucs2_buffer + j,
- 					     ((c & 0xF) << 12) |
- 					     ((c2 & 0x3F) << 6) | (c3 & 0x3F));
-+				j += 2;
- 			}
- 		}
- 	}
--- a/security/wpa_supplicant/patches/patch-src_crypto_tls_h
+++ b/security/wpa_supplicant/patches/patch-src_crypto_tls_h
@ -1,29 +0,0 @@
-$OpenBSD: patch-src_crypto_tls_h,v 1.1 2014/03/18 05:57:22 dcoppa Exp $
-
-commit b62d5b5450101676a0c05691b4bcd94e11426397
-Author: Jouni Malinen <j@w1.fi>
-Date:   Wed Feb 19 11:56:02 2014 +0200
-
-Revert "OpenSSL: Do not accept SSL Client certificate for server"
-
-This reverts commit 51e3eafb68e15e78e98ca955704be8a6c3a7b304. There are
-too many deployed AAA servers that include both id-kp-clientAuth and
-id-kp-serverAuth EKUs for this change to be acceptable as a generic rule
-for AAA authentication server validation. OpenSSL enforces the policy of
-not connecting if only id-kp-clientAuth is included. If a valid EKU is
-listed with it, the connection needs to be accepted.
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
-
--- src/crypto/tls.h.orig	Tue Feb  4 12:23:35 2014
-+++ src/crypto/tls.h	Fri Mar 14 14:33:33 2014
-@@ -41,8 +41,7 @@ enum tls_fail_reason {
- 	TLS_FAIL_ALTSUBJECT_MISMATCH = 6,
- 	TLS_FAIL_BAD_CERTIFICATE = 7,
- 	TLS_FAIL_SERVER_CHAIN_PROBE = 8,
-	TLS_FAIL_DOMAIN_SUFFIX_MISMATCH = 9,
-	TLS_FAIL_SERVER_USED_CLIENT_CERT = 10
-+	TLS_FAIL_DOMAIN_SUFFIX_MISMATCH = 9
- };
- 
- union tls_event_data {
--- a/security/wpa_supplicant/patches/patch-src_crypto_tls_openssl_c
+++ b/security/wpa_supplicant/patches/patch-src_crypto_tls_openssl_c
@ -1,53 +0,0 @@
-$OpenBSD: patch-src_crypto_tls_openssl_c,v 1.1 2014/03/18 05:57:22 dcoppa Exp $
-
-commit b62d5b5450101676a0c05691b4bcd94e11426397
-Author: Jouni Malinen <j@w1.fi>
-Date:   Wed Feb 19 11:56:02 2014 +0200
-
-Revert "OpenSSL: Do not accept SSL Client certificate for server"
-
-This reverts commit 51e3eafb68e15e78e98ca955704be8a6c3a7b304. There are
-too many deployed AAA servers that include both id-kp-clientAuth and
-id-kp-serverAuth EKUs for this change to be acceptable as a generic rule
-for AAA authentication server validation. OpenSSL enforces the policy of
-not connecting if only id-kp-clientAuth is included. If a valid EKU is
-listed with it, the connection needs to be accepted.
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
-
--- src/crypto/tls_openssl.c.orig	Tue Feb  4 12:23:35 2014
-+++ src/crypto/tls_openssl.c	Fri Mar 14 14:33:33 2014
-@@ -105,7 +105,6 @@ struct tls_connection {
- 	unsigned int ca_cert_verify:1;
- 	unsigned int cert_probe:1;
- 	unsigned int server_cert_only:1;
-	unsigned int server:1;
- 
- 	u8 srv_cert_hash[32];
- 
-@@ -1477,16 +1476,6 @@ static int tls_verify_cb(int preverify_ok, X509_STORE_
- 				       TLS_FAIL_SERVER_CHAIN_PROBE);
- 	}
- 
-	if (!conn->server && err_cert && preverify_ok && depth == 0 &&
-	    (err_cert->ex_flags & EXFLAG_XKUSAGE) &&
-	    (err_cert->ex_xkusage & XKU_SSL_CLIENT)) {
-		wpa_printf(MSG_WARNING, "TLS: Server used client certificate");
-		openssl_tls_fail_event(conn, err_cert, err, depth, buf,
-				       "Server used client certificate",
-				       TLS_FAIL_SERVER_USED_CLIENT_CERT);
-		preverify_ok = 0;
-	}
-
- 	if (preverify_ok && context->event_cb != NULL)
- 		context->event_cb(context->cb_ctx,
- 				  TLS_CERT_CHAIN_SUCCESS, NULL);
-@@ -2537,8 +2526,6 @@ openssl_handshake(struct tls_connection *conn, const s
- {
- 	int res;
- 	struct wpabuf *out_data;
-
-	conn->server = !!server;
- 
- 	/*
- 	 * Give TLS handshake data from the server (if available) to OpenSSL
--- a/security/wpa_supplicant/patches/patch-src_utils_common_c
+++ b/security/wpa_supplicant/patches/patch-src_utils_common_c
@ -1,12 +0,0 @@
-$OpenBSD: patch-src_utils_common_c,v 1.1 2014/06/02 11:26:21 sthen Exp $
--- src/utils/common.c.orig	Mon Jun  2 12:22:46 2014
-+++ src/utils/common.c	Mon Jun  2 12:23:29 2014
-@@ -350,7 +350,7 @@ void printf_encode(char *txt, size_t maxlen, const u8 
- 	size_t i;
- 
- 	for (i = 0; i < len; i++) {
-		if (txt + 4 > end)
-+		if (txt + 4 >= end)
- 			break;
- 
- 		switch (data[i]) {
--- a/security/wpa_supplicant/patches/patch-src_utils_eloop_c
+++ b/security/wpa_supplicant/patches/patch-src_utils_eloop_c
@ -1,10 +1,10 @@
-$OpenBSD: patch-src_utils_eloop_c,v 1.2 2014/03/18 05:57:22 dcoppa Exp $
+$OpenBSD: patch-src_utils_eloop_c,v 1.3 2014/09/02 13:04:34 dcoppa Exp $

 don't try to access list members to free them unless already initialised

--- src/utils/eloop.c.orig	Fri Mar 14 10:39:29 2014
-+++ src/utils/eloop.c	Fri Mar 14 10:41:10 2014
-@@ -887,6 +887,9 @@ void eloop_destroy(void)
+--- src/utils/eloop.c.orig	Wed Jun  4 15:26:14 2014
+++ src/utils/eloop.c	Tue Sep  2 13:00:23 2014
+@@ -1033,6 +1033,9 @@ void eloop_destroy(void)
 	struct eloop_timeout *timeout, *prev;
 	struct os_reltime now;