diff options
| author |   Bjarke Istrup Pedersen <gurligebis@gentoo.org> | 2014-02-25 07:53:52 +0000 |
|---|---|---|
| committer | Bjarke Istrup Pedersen <gurligebis@gentoo.org> | 2014-02-25 07:53:52 +0000 |
| commit | de9e1a9c9123704ddbf1e005e6000d7dd6691788 (patch) | |
| tree | 9414141c846009b4cdf2891d49f5036366a7966e /net-wireless/wpa_supplicant | |
| parent | sci-chemistry/xdsstat-bin: Version Bump (diff) | |
| download | gentoo-2-de9e1a9c9123704ddbf1e005e6000d7dd6691788.tar.gz gentoo-2-de9e1a9c9123704ddbf1e005e6000d7dd6691788.tar.bz2 gentoo-2-de9e1a9c9123704ddbf1e005e6000d7dd6691788.zip | |
Adding patch to fix bug #501828
(Portage version: 2.2.8-r1/cvs/Linux i686, signed Manifest commit with key 15AE484C)
Diffstat (limited to 'net-wireless/wpa_supplicant')
| -rw-r--r-- | net-wireless/wpa_supplicant/ChangeLog | 8 | ||||
| -rw-r--r-- | net-wireless/wpa_supplicant/files/wpa_supplicant-2.1-WPA-fix.patch | 68 | ||||
| -rw-r--r-- | net-wireless/wpa_supplicant/wpa_supplicant-2.1-r1.ebuild (renamed from net-wireless/wpa_supplicant/wpa_supplicant-2.1.ebuild) | 5 |
3 files changed, 79 insertions, 2 deletions
diff --git a/net-wireless/wpa_supplicant/ChangeLog b/net-wireless/wpa_supplicant/ChangeLog index 2b7693bf84d9..004daaa17346 100644 --- a/net-wireless/wpa_supplicant/ChangeLog +++ b/net-wireless/wpa_supplicant/ChangeLog @@ -1,6 +1,12 @@ # ChangeLog for net-wireless/wpa_supplicant # Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/net-wireless/wpa_supplicant/ChangeLog,v 1.209 2014/02/14 08:20:31 gurligebis Exp $ +# $Header: /var/cvsroot/gentoo-x86/net-wireless/wpa_supplicant/ChangeLog,v 1.210 2014/02/25 07:53:52 gurligebis Exp $ + +*wpa_supplicant-2.1-r1 (25 Feb 2014) + + 25 Feb 2014; <gurligebis@gentoo.org> -wpa_supplicant-2.1.ebuild, + +wpa_supplicant-2.1-r1.ebuild, +files/wpa_supplicant-2.1-WPA-fix.patch: + Adding patch to fix bug #501828 14 Feb 2014; <gurligebis@gentoo.org> wpa_supplicant-2.1.ebuild, +files/wpa_supplicant-2.1-NFC-fix.patch: diff --git a/net-wireless/wpa_supplicant/files/wpa_supplicant-2.1-WPA-fix.patch b/net-wireless/wpa_supplicant/files/wpa_supplicant-2.1-WPA-fix.patch new file mode 100644 index 000000000000..e3141b0eab6f --- /dev/null +++ b/net-wireless/wpa_supplicant/files/wpa_supplicant-2.1-WPA-fix.patch @@ -0,0 +1,68 @@ +From b62d5b5450101676a0c05691b4bcd94e11426397 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <j@w1.fi> +Date: Wed, 19 Feb 2014 09:56:02 +0000 +Subject: Revert "OpenSSL: Do not accept SSL Client certificate for server" + +This reverts commit 51e3eafb68e15e78e98ca955704be8a6c3a7b304. There are +too many deployed AAA servers that include both id-kp-clientAuth and +id-kp-serverAuth EKUs for this change to be acceptable as a generic rule +for AAA authentication server validation. OpenSSL enforces the policy of +not connecting if only id-kp-clientAuth is included. If a valid EKU is +listed with it, the connection needs to be accepted. + +Signed-off-by: Jouni Malinen <j@w1.fi> +--- +diff --git a/src/crypto/tls.h b/src/crypto/tls.h +index 287fd33..feba13f 100644 +--- a/src/crypto/tls.h ++++ b/src/crypto/tls.h +@@ -41,8 +41,7 @@ enum tls_fail_reason { + TLS_FAIL_ALTSUBJECT_MISMATCH = 6, + TLS_FAIL_BAD_CERTIFICATE = 7, + TLS_FAIL_SERVER_CHAIN_PROBE = 8, +- TLS_FAIL_DOMAIN_SUFFIX_MISMATCH = 9, +- TLS_FAIL_SERVER_USED_CLIENT_CERT = 10 ++ TLS_FAIL_DOMAIN_SUFFIX_MISMATCH = 9 + }; + + union tls_event_data { +diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c +index a13fa38..8cf1de8 100644 +--- a/src/crypto/tls_openssl.c ++++ b/src/crypto/tls_openssl.c +@@ -105,7 +105,6 @@ struct tls_connection { + unsigned int ca_cert_verify:1; + unsigned int cert_probe:1; + unsigned int server_cert_only:1; +- unsigned int server:1; + + u8 srv_cert_hash[32]; + +@@ -1480,16 +1479,6 @@ static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx) + TLS_FAIL_SERVER_CHAIN_PROBE); + } + +- if (!conn->server && err_cert && preverify_ok && depth == 0 && +- (err_cert->ex_flags & EXFLAG_XKUSAGE) && +- (err_cert->ex_xkusage & XKU_SSL_CLIENT)) { +- wpa_printf(MSG_WARNING, "TLS: Server used client certificate"); +- openssl_tls_fail_event(conn, err_cert, err, depth, buf, +- "Server used client certificate", +- TLS_FAIL_SERVER_USED_CLIENT_CERT); +- preverify_ok = 0; +- } +- + if (preverify_ok && context->event_cb != NULL) + context->event_cb(context->cb_ctx, + TLS_CERT_CHAIN_SUCCESS, NULL); +@@ -2541,8 +2530,6 @@ openssl_handshake(struct tls_connection *conn, const struct wpabuf *in_data, + int res; + struct wpabuf *out_data; + +- conn->server = !!server; +- + /* + * Give TLS handshake data from the server (if available) to OpenSSL + * for processing. +-- +cgit v0.9.2 diff --git a/net-wireless/wpa_supplicant/wpa_supplicant-2.1.ebuild b/net-wireless/wpa_supplicant/wpa_supplicant-2.1-r1.ebuild index 04c3ecba5579..301e33789a93 100644 --- a/net-wireless/wpa_supplicant/wpa_supplicant-2.1.ebuild +++ b/net-wireless/wpa_supplicant/wpa_supplicant-2.1-r1.ebuild @@ -1,6 +1,6 @@ # Copyright 1999-2014 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/net-wireless/wpa_supplicant/wpa_supplicant-2.1.ebuild,v 1.2 2014/02/14 08:20:31 gurligebis Exp $ +# $Header: /var/cvsroot/gentoo-x86/net-wireless/wpa_supplicant/wpa_supplicant-2.1-r1.ebuild,v 1.1 2014/02/25 07:53:52 gurligebis Exp $ EAPI=4 @@ -93,6 +93,9 @@ src_prepare() { # bug (320097) epatch "${FILESDIR}/${P}-do-not-call-dbus-functions-with-NULL-path.patch" + # bug (501828) + epatch "${FILESDIR}/${P}-WPA-fix.patch" + # TODO - NEED TESTING TO SEE IF STILL NEEDED, NOT COMPATIBLE WITH 1.0 OUT OF THE BOX, # SO WOULD BE NICE TO JUST DROP IT, IF IT IS NOT NEEDED. # bug (374089) |