wpa_supplicant port tweaks,

- build eapol_test, it's a useful way to test RADIUS servers + EAP - rather than using a whole new build config file, copy and patch the upstream default, making it easier to incorporate upstream changes in new versions, and see what we have/haven't enabled - replace /dev/urandom with arc4random_buf
2019-11-19 14:35:59 +00:00 · 2019-11-19 14:35:59 +00:00 · ff6546371a
commit ff6546371a
parent 2b1cce1cc7
5 changed files with 269 additions and 39 deletions
--- a/security/wpa_supplicant/Makefile
+++ b/security/wpa_supplicant/Makefile
@ -1,8 +1,9 @@
-# $OpenBSD: Makefile,v 1.44 2019/07/12 20:49:38 sthen Exp $
+# $OpenBSD: Makefile,v 1.45 2019/11/19 14:35:59 sthen Exp $

 COMMENT=	IEEE 802.1X supplicant

 DISTNAME=	wpa_supplicant-2.8
+REVISION=	0
 CATEGORIES=	security net

 HOMEPAGE=	https://w1.fi/wpa_supplicant/
@ -25,11 +26,17 @@ WRKSRC=		${WRKDIST}/wpa_supplicant

 EXAMPLEDIR=	${PREFIX}/share/examples/wpa_supplicant

+ALL_TARGET=	all eapol_test
+
 post-extract:
-	@${SUBST_CMD} -m 444 -c ${FILESDIR}/config ${WRKSRC}/.config
+	cp ${WRKSRC}/defconfig ${WRKSRC}/.config
+
+post-patch:
+	@${SUBST_CMD} ${WRKSRC}/.config

 post-install:
 	@#${INSTALL_PROGRAM} ${WRKBUILD}/wpa_priv ${PREFIX}/sbin
+	${INSTALL_PROGRAM} ${WRKBUILD}/eapol_test ${PREFIX}/bin
 	${INSTALL_MAN} ${WRKBUILD}/doc/docbook/*.5 ${PREFIX}/man/man5/
 	${INSTALL_MAN} ${WRKBUILD}/doc/docbook/*.8 ${PREFIX}/man/man8/
 	${INSTALL_DATA_DIR} ${EXAMPLEDIR}
--- a/security/wpa_supplicant/files/config
+++ b/security/wpa_supplicant/files/config
@ -1,36 +0,0 @@
-# $OpenBSD: config,v 1.3 2013/02/06 17:27:13 sthen Exp $
-# see defconfig and README for notes
-
-CFLAGS += -I${LOCALBASE}/include/PCSC
-LIBS += -L${LOCALBASE}/lib
-
-CONFIG_BACKEND=file
-CONFIG_CTRL_IFACE=y
-CONFIG_DRIVER_WIRED=y
-CONFIG_DRIVER_OPENBSD=y
-CONFIG_IEEE8021X_EAPOL=y
-CONFIG_PEERKEY=y
-CONFIG_PKCS12=y
-
-CONFIG_EAP_MD5=y
-CONFIG_EAP_MSCHAPV2=y
-CONFIG_EAP_TLS=y
-CONFIG_EAP_PEAP=y
-CONFIG_EAP_TTLS=y
-CONFIG_EAP_FAST=y
-CONFIG_EAP_GTC=y
-CONFIG_EAP_OTP=y
-CONFIG_EAP_PSK=y
-CONFIG_EAP_SAKE=y
-CONFIG_EAP_GPSK=y
-CONFIG_EAP_PAX=y
-CONFIG_EAP_LEAP=y
-CONFIG_EAP_IKEV2=y
-
-CONFIG_EAP_AKA=y
-CONFIG_EAP_SIM=y
-CONFIG_PCSC=y
-CONFIG_SMARTCARD=y
-
-# privilege separation, see README.  not working yet.
-# CONFIG_PRIVSEP=y
--- a/security/wpa_supplicant/patches/patch-src_utils_os_unix_c
+++ b/security/wpa_supplicant/patches/patch-src_utils_os_unix_c
@ -0,0 +1,30 @@
+$OpenBSD: patch-src_utils_os_unix_c,v 1.1 2019/11/19 14:35:59 sthen Exp $
+
+Index: src/utils/os_unix.c
+--- src/utils/os_unix.c.orig
+++ src/utils/os_unix.c
+@@ -257,22 +257,11 @@ int os_get_random(unsigned char *buf, size_t len)
+ 		buf[i] = i & 0xff;
+ 	return 0;
+ #else /* TEST_FUZZ */
+-	FILE *f;
+-	size_t rc;
+-
+ 	if (TEST_FAIL())
+ 		return -1;
+ 
+-	f = fopen("/dev/urandom", "rb");
+-	if (f == NULL) {
+-		printf("Could not open /dev/urandom.\n");
+-		return -1;
+-	}
+-
+-	rc = fread(buf, 1, len, f);
+-	fclose(f);
+-
+-	return rc != len ? -1 : 0;
+	arc4random_buf(buf, len);
+	return 0;
+ #endif /* TEST_FUZZ */
+ }
+ 
--- a/security/wpa_supplicant/patches/patch-wpa_supplicant_defconfig
+++ b/security/wpa_supplicant/patches/patch-wpa_supplicant_defconfig
@ -0,0 +1,228 @@
+$OpenBSD: patch-wpa_supplicant_defconfig,v 1.1 2019/11/19 14:35:59 sthen Exp $
+
+Index: wpa_supplicant/.config
+--- wpa_supplicant/.config.orig
+++ wpa_supplicant/.config
+@@ -12,8 +12,8 @@
+ 
+ # Uncomment following two lines and fix the paths if you have installed OpenSSL
+ # or GnuTLS in non-default location
+-#CFLAGS += -I/usr/local/openssl/include
+-#LIBS += -L/usr/local/openssl/lib
+CFLAGS += -I${LOCALBASE}/include/PCSC
+LIBS += -L${LOCALBASE}/lib
+ 
+ # Some Red Hat versions seem to include kerberos header files from OpenSSL, but
+ # the kerberos files are not in the default include path. Following line can be
+@@ -26,10 +26,10 @@
+ # replacement for WEXT and its use allows wpa_supplicant to properly control
+ # the driver to improve existing functionality like roaming and to support new
+ # functionality.
+-CONFIG_DRIVER_WEXT=y
+#CONFIG_DRIVER_WEXT=y
+ 
+ # Driver interface for Linux drivers using the nl80211 kernel interface
+-CONFIG_DRIVER_NL80211=y
+#CONFIG_DRIVER_NL80211=y
+ 
+ # QCA vendor extensions to nl80211
+ #CONFIG_DRIVER_NL80211_QCA=y
+@@ -54,6 +54,8 @@ CONFIG_LIBNL32=y
+ #LIBS_p += -L/usr/local/lib
+ #LIBS_c += -L/usr/local/lib
+ 
+CONFIG_DRIVER_OPENBSD=y
+
+ # Driver interface for Windows NDIS
+ #CONFIG_DRIVER_NDIS=y
+ #CFLAGS += -I/usr/include/w32api/ddk
+@@ -118,7 +120,7 @@ CONFIG_EAP_GTC=y
+ CONFIG_EAP_OTP=y
+ 
+ # EAP-SIM (enable CONFIG_PCSC, if EAP-SIM is used)
+-#CONFIG_EAP_SIM=y
+CONFIG_EAP_SIM=y
+ 
+ # EAP-PSK (experimental; this is _not_ needed for WPA-PSK)
+ #CONFIG_EAP_PSK=y
+@@ -133,7 +135,7 @@ CONFIG_EAP_PAX=y
+ CONFIG_EAP_LEAP=y
+ 
+ # EAP-AKA (enable CONFIG_PCSC, if EAP-AKA is used)
+-#CONFIG_EAP_AKA=y
+CONFIG_EAP_AKA=y
+ 
+ # EAP-AKA' (enable CONFIG_PCSC, if EAP-AKA' is used).
+ # This requires CONFIG_EAP_AKA to be enabled, too.
+@@ -151,10 +153,10 @@ CONFIG_EAP_GPSK=y
+ CONFIG_EAP_GPSK_SHA256=y
+ 
+ # EAP-TNC and related Trusted Network Connect support (experimental)
+-CONFIG_EAP_TNC=y
+#CONFIG_EAP_TNC=y
+ 
+ # Wi-Fi Protected Setup (WPS)
+-CONFIG_WPS=y
+#CONFIG_WPS=y
+ # Enable WPS external registrar functionality
+ #CONFIG_WPS_ER=y
+ # Disable credentials for an open network by default when acting as a WPS
+@@ -182,7 +184,7 @@ CONFIG_SMARTCARD=y
+ 
+ # PC/SC interface for smartcards (USIM, GSM SIM)
+ # Enable this if EAP-SIM or EAP-AKA is included
+-#CONFIG_PCSC=y
+CONFIG_PCSC=y
+ 
+ # Support HT overrides (disable HT/HT40, mask MCS rates, etc.)
+ #CONFIG_HT_OVERRIDES=y
+@@ -191,7 +193,7 @@ CONFIG_SMARTCARD=y
+ #CONFIG_VHT_OVERRIDES=y
+ 
+ # Development testing
+-#CONFIG_EAPOL_TEST=y
+CONFIG_EAPOL_TEST=y
+ 
+ # Select control interface backend for external programs, e.g, wpa_cli:
+ # unix = UNIX domain sockets (default for Linux/*BSD)
+@@ -233,7 +235,7 @@ CONFIG_CTRL_IFACE=y
+ #CONFIG_NO_WPA_PASSPHRASE=y
+ 
+ # Simultaneous Authentication of Equals (SAE), WPA3-Personal
+-CONFIG_SAE=y
+#CONFIG_SAE=y
+ 
+ # Disable scan result processing (ap_mode=1) to save code size by about 1 kB.
+ # This can be used if ap_scan=1 mode is never enabled.
+@@ -299,7 +301,7 @@ CONFIG_BACKEND=file
+ 
+ # IEEE 802.11w (management frame protection), also known as PMF
+ # Driver support is also needed for IEEE 802.11w.
+-CONFIG_IEEE80211W=y
+#CONFIG_IEEE80211W=y
+ 
+ # Support Operating Channel Validation
+ #CONFIG_OCV=y
+@@ -317,14 +319,14 @@ CONFIG_IEEE80211W=y
+ # are used. It should be noted that some existing TLS v1.0 -based
+ # implementation may not be compatible with TLS v1.1 message (ClientHello is
+ # sent prior to negotiating which version will be used)
+-#CONFIG_TLSV11=y
+CONFIG_TLSV11=y
+ 
+ # TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2)
+ # can be enabled to enable use of stronger crypto algorithms. It should be
+ # noted that some existing TLS v1.0 -based implementation may not be compatible
+ # with TLS v1.2 message (ClientHello is sent prior to negotiating which version
+ # will be used)
+-#CONFIG_TLSV12=y
+CONFIG_TLSV12=y
+ 
+ # Select which ciphers to use by default with OpenSSL if the user does not
+ # specify them.
+@@ -354,10 +356,10 @@ CONFIG_IEEE80211W=y
+ 
+ # Add support for new DBus control interface
+ # (fi.w1.hostap.wpa_supplicant1)
+-CONFIG_CTRL_IFACE_DBUS_NEW=y
+#CONFIG_CTRL_IFACE_DBUS_NEW=y
+ 
+ # Add introspection support for new DBus control interface
+-CONFIG_CTRL_IFACE_DBUS_INTRO=y
+#CONFIG_CTRL_IFACE_DBUS_INTRO=y
+ 
+ # Add support for loading EAP methods dynamically as shared libraries.
+ # When this option is enabled, each EAP method can be either included
+@@ -381,7 +383,7 @@ CONFIG_CTRL_IFACE_DBUS_INTRO=y
+ #CONFIG_DYNAMIC_EAP_METHODS=y
+ 
+ # IEEE Std 802.11r-2008 (Fast BSS Transition) for station mode
+-CONFIG_IEEE80211R=y
+#CONFIG_IEEE80211R=y
+ 
+ # Add support for writing debug log to a file (/tmp/wpa_supplicant-log-#.txt)
+ CONFIG_DEBUG_FILE=y
+@@ -455,7 +457,7 @@ CONFIG_DEBUG_SYSLOG=y
+ # disabled. This will save some in binary size and CPU use. However, this
+ # should only be considered for builds that are known to be used on devices
+ # that meet the requirements described above.
+-#CONFIG_NO_RANDOM_POOL=y
+CONFIG_NO_RANDOM_POOL=y
+ 
+ # Should we attempt to use the getrandom(2) call that provides more reliable
+ # yet secure randomness source than /dev/random on Linux 3.17 and newer.
+@@ -463,11 +465,11 @@ CONFIG_DEBUG_SYSLOG=y
+ #CONFIG_GETRANDOM=y
+ 
+ # IEEE 802.11n (High Throughput) support (mainly for AP mode)
+-CONFIG_IEEE80211N=y
+#CONFIG_IEEE80211N=y
+ 
+ # IEEE 802.11ac (Very High Throughput) support (mainly for AP mode)
+ # (depends on CONFIG_IEEE80211N)
+-CONFIG_IEEE80211AC=y
+#CONFIG_IEEE80211AC=y
+ 
+ # Wireless Network Management (IEEE Std 802.11v-2011)
+ # Note: This is experimental and not complete implementation.
+@@ -477,10 +479,10 @@ CONFIG_IEEE80211AC=y
+ # This can be used to enable functionality to improve interworking with
+ # external networks (GAS/ANQP to learn more about the networks and network
+ # selection based on available credentials).
+-CONFIG_INTERWORKING=y
+#CONFIG_INTERWORKING=y
+ 
+ # Hotspot 2.0
+-CONFIG_HS20=y
+#CONFIG_HS20=y
+ 
+ # Enable interface matching in wpa_supplicant
+ #CONFIG_MATCH_IFACE=y
+@@ -493,12 +495,12 @@ CONFIG_HS20=y
+ # should be noted that this is mainly aimed at simple cases like
+ # WPA2-Personal while more complex configurations like WPA2-Enterprise with an
+ # external RADIUS server can be supported with hostapd.
+-CONFIG_AP=y
+#CONFIG_AP=y
+ 
+ # P2P (Wi-Fi Direct)
+ # This can be used to enable P2P support in wpa_supplicant. See README-P2P for
+ # more information on P2P operations.
+-CONFIG_P2P=y
+#CONFIG_P2P=y
+ 
+ # Enable TDLS support
+ #CONFIG_TDLS=y
+@@ -506,7 +508,7 @@ CONFIG_P2P=y
+ # Wi-Fi Display
+ # This can be used to enable Wi-Fi Display extensions for P2P using an external
+ # program to control the additional information exchanges in the messages.
+-CONFIG_WIFI_DISPLAY=y
+#CONFIG_WIFI_DISPLAY=y
+ 
+ # Autoscan
+ # This can be used to enable automatic scan support in wpa_supplicant.
+@@ -572,7 +574,7 @@ CONFIG_WIFI_DISPLAY=y
+ # Support RSN on IBSS networks
+ # This is needed to be able to use mode=1 network profile with proto=RSN and
+ # key_mgmt=WPA-PSK (i.e., full key management instead of WPA-None).
+-CONFIG_IBSS_RSN=y
+#CONFIG_IBSS_RSN=y
+ 
+ # External PMKSA cache control
+ # This can be used to enable control interface commands that allow the current
+@@ -587,7 +589,7 @@ CONFIG_IBSS_RSN=y
+ # operations for roaming within an ESS (same SSID). See the bgscan parameter in
+ # the wpa_supplicant.conf file for more details.
+ # Periodic background scans based on signal strength
+-CONFIG_BGSCAN_SIMPLE=y
+#CONFIG_BGSCAN_SIMPLE=y
+ # Learn channels used by the network and try to avoid bgscans on other
+ # channels (experimental)
+ #CONFIG_BGSCAN_LEARN=y
+@@ -599,4 +601,4 @@ CONFIG_BGSCAN_SIMPLE=y
+ # Device Provisioning Protocol (DPP)
+ # This requires CONFIG_IEEE80211W=y to be enabled, too. (see
+ # wpa_supplicant/README-DPP for details)
+-CONFIG_DPP=y
+#CONFIG_DPP=y
--- a/security/wpa_supplicant/pkg/PLIST
+++ b/security/wpa_supplicant/pkg/PLIST
@ -1,6 +1,7 @@
-@comment $OpenBSD: PLIST,v 1.8 2019/04/23 11:50:11 sthen Exp $
+@comment $OpenBSD: PLIST,v 1.9 2019/11/19 14:35:59 sthen Exp $
@comment @bin sbin/wpa_priv
@rcscript ${RCDIR}/wpa_supplicant
+@bin bin/eapol_test
@man man/man5/wpa_supplicant.conf.5
@man man/man8/eapol_test.8
@man man/man8/wpa_background.8