diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..73c97f9
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/wpa_supplicant-2.0.tar.gz
diff --git a/.wpa_supplicant.metadata b/.wpa_supplicant.metadata
new file mode 100644
index 0000000..f038e04
--- /dev/null
+++ b/.wpa_supplicant.metadata
@@ -0,0 +1 @@
+78a456ff3c4af4b9bae2e0908a40f48755ffc59c SOURCES/wpa_supplicant-2.0.tar.gz
diff --git a/README.md b/README.md
deleted file mode 100644
index 0e7897f..0000000
--- a/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-The master branch has no content
-
-Look at the c7 branch if you are working with CentOS-7, or the c4/c5/c6 branch for CentOS-4, 5 or 6
-
-If you find this file in a distro specific branch, it means that no content has been checked in yet
diff --git a/SOURCES/0001-Add-os_exec-helper-to-run-external-programs.patch b/SOURCES/0001-Add-os_exec-helper-to-run-external-programs.patch
new file mode 100644
index 0000000..4b774bd
--- /dev/null
+++ b/SOURCES/0001-Add-os_exec-helper-to-run-external-programs.patch
@@ -0,0 +1,143 @@ +From 89de07a9442072f88d49869d8ecd8d42bae050a0 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Mon, 6 Oct 2014 16:27:44 +0300 +Subject: [PATCH 1/2] Add os_exec() helper to run external programs + +Signed-off-by: Jouni Malinen +--- + src/utils/os.h | 9 +++++++++ + src/utils/os_unix.c | 55 ++++++++++++++++++++++++++++++++++++++++++++++++++++ + src/utils/os_win32.c | 6 ++++++ + 3 files changed, 70 insertions(+) + +diff --git a/src/utils/os.h b/src/utils/os.h +index f196209..b9247d8 100644 +--- a/src/utils/os.h ++++ b/src/utils/os.h +@@ -597,14 +597,23 @@ size_t os_strlcpy(char *dest, const char *src, size_t siz); + * Returns: Total length of the target string (length of src) (not including + * NUL-termination) + * + * This function matches in behavior with the strlcpy(3) function in OpenBSD. + */ + size_t os_strlcpy(char *dest, const char *src, size_t siz); + ++/** ++ * os_exec - Execute an external program ++ * @program: Path to the program ++ * @arg: Command line argument string ++ * @wait_completion: Whether to wait until the program execution completes ++ * Returns: 0 on success, -1 on error ++ */ ++int os_exec(const char *program, const char *arg, int wait_completion); ++ + + #ifdef OS_REJECT_C_LIB_FUNCTIONS + #define malloc OS_DO_NOT_USE_malloc + #define realloc OS_DO_NOT_USE_realloc + #define free OS_DO_NOT_USE_free + #define memcpy OS_DO_NOT_USE_memcpy + #define memmove OS_DO_NOT_USE_memmove +diff --git a/src/utils/os_unix.c b/src/utils/os_unix.c +index 7498967..523a4d0 100644 +--- a/src/utils/os_unix.c ++++ b/src/utils/os_unix.c +@@ -5,14 +5,15 @@ + * This software may be distributed under the terms of the BSD license. + * See README for more details. 
+ */ + + #include "includes.h" + + #include ++#include + + #ifdef ANDROID + #include + #include + #include + #endif /* ANDROID */ + +@@ -550,7 +551,61 @@ char * os_strdup(const char *s) + return NULL; + os_memcpy(d, s, len); + d[len] = '\0'; + return d; + } + + #endif /* WPA_TRACE */ ++ ++ ++int os_exec(const char *program, const char *arg, int wait_completion) ++{ ++ pid_t pid; ++ int pid_status; ++ ++ pid = fork(); ++ if (pid < 0) { ++ perror("fork"); ++ return -1; ++ } ++ ++ if (pid == 0) { ++ /* run the external command in the child process */ ++ const int MAX_ARG = 30; ++ char *_program, *_arg, *pos; ++ char *argv[MAX_ARG + 1]; ++ int i; ++ ++ _program = os_strdup(program); ++ _arg = os_strdup(arg); ++ ++ argv[0] = _program; ++ ++ i = 1; ++ pos = _arg; ++ while (i < MAX_ARG && pos && *pos) { ++ while (*pos == ' ') ++ pos++; ++ if (*pos == '\0') ++ break; ++ argv[i++] = pos; ++ pos = os_strchr(pos, ' '); ++ if (pos) ++ *pos++ = '\0'; ++ } ++ argv[i] = NULL; ++ ++ execv(program, argv); ++ perror("execv"); ++ os_free(_program); ++ os_free(_arg); ++ exit(0); ++ return -1; ++ } ++ ++ if (wait_completion) { ++ /* wait for the child process to complete in the parent */ ++ waitpid(pid, &pid_status, 0); ++ } ++ ++ return 0; ++} +diff --git a/src/utils/os_win32.c b/src/utils/os_win32.c +index 55937de..57ee132 100644 +--- a/src/utils/os_win32.c ++++ b/src/utils/os_win32.c +@@ -254,7 +254,13 @@ int os_memcmp_const(const void *a, const void *b, size_t len) + *dest = '\0'; + while (*s++) + ; /* determine total src string length */ + } + + return s - src - 1; + } ++ ++ ++int os_exec(const char *program, const char *arg, int wait_completion) ++{ ++ return -1; ++} +-- +1.9.3 + diff --git a/SOURCES/0002-wpa_cli-Use-os_exec-for-action-script-execution.patch b/SOURCES/0002-wpa_cli-Use-os_exec-for-action-script-execution.patch new file mode 100644 index 0000000..2ff9301 --- /dev/null +++ b/SOURCES/0002-wpa_cli-Use-os_exec-for-action-script-execution.patch 
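Review bot: In os_exec() in src/utils/os_unix.c the child calls `exit(0)` after a failed execv(), and the parent ignores both the waitpid() return value and `pid_status`, so the function returns 0 even when the program never started; that contradicts the header comment "Returns: 0 on success, -1 on error". The child should leave with `_exit(127);` so that atexit handlers and stdio buffers inherited through fork() are not run or flushed a second time, and the parent can report the failure with `if (waitpid(pid, &pid_status, 0) < 0 || !WIFEXITED(pid_status)) return -1;`; whether a non-zero exit status of the program should also map to -1 is a decision for the callers. The two os_strdup() results are used unchecked, so an allocation failure for `_program` leaves `argv[0]` NULL when execv() is called; a guard before building argv would cover that. The `return -1;` after `exit(0)` is unreachable.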
@@ -0,0 +1,67 @@ +From c5f258de76dbb67fb64beab39a99e5c5711f41fe Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Mon, 6 Oct 2014 17:25:52 +0300 +Subject: [PATCH 2/2] wpa_cli: Use os_exec() for action script execution + +Use os_exec() to run the action script operations to avoid undesired +command line processing for control interface event strings. Previously, +it could have been possible for some of the event strings to include +unsanitized data which is not suitable for system() use. (CVE-2014-3686) + +Signed-off-by: Jouni Malinen +--- + wpa_supplicant/wpa_cli.c | 25 ++++++++----------------- + 1 file changed, 8 insertions(+), 17 deletions(-) + +diff --git a/wpa_supplicant/wpa_cli.c b/wpa_supplicant/wpa_cli.c +index 18b9b77..fe30b41 100644 +--- a/wpa_supplicant/wpa_cli.c ++++ b/wpa_supplicant/wpa_cli.c +@@ -3155,36 +3155,27 @@ static int str_match(const char *a, const char *b) + return os_strncmp(a, b, os_strlen(b)) == 0; + } + + + static int wpa_cli_exec(const char *program, const char *arg1, + const char *arg2) + { +- char *cmd; ++ char *arg; + size_t len; + int res; +- int ret = 0; + +- len = os_strlen(program) + os_strlen(arg1) + os_strlen(arg2) + 3; +- cmd = os_malloc(len); +- if (cmd == NULL) ++ len = os_strlen(arg1) + os_strlen(arg2) + 2; ++ arg = os_malloc(len); ++ if (arg == NULL) + return -1; +- res = os_snprintf(cmd, len, "%s %s %s", program, arg1, arg2); +- if (res < 0 || (size_t) res >= len) { +- os_free(cmd); +- return -1; +- } +- cmd[len - 1] = '\0'; +-#ifndef _WIN32_WCE +- if (system(cmd) < 0) +- ret = -1; +-#endif /* _WIN32_WCE */ +- os_free(cmd); ++ os_snprintf(arg, len, "%s %s", arg1, arg2); ++ res = os_exec(program, arg, 1); ++ os_free(arg); + +- return ret; ++ return res; + } + + + static void wpa_cli_action_process(const char *msg) + { + const char *pos; + char *copy = NULL, *id, *pos2; +-- +1.9.3 + diff --git a/SOURCES/build-config b/SOURCES/build-config new file mode 100644 index 0000000..5337f8a --- /dev/null 
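Review bot: wpa_cli_exec() now hands `arg1` and `arg2` to os_exec() as one space-joined string, and os_exec() from patch 1/2 splits that string on every space with no quoting, so a space inside the event text becomes an argument boundary and anything beyond the MAX_ARG limit is dropped silently. No shell is involved any more, which is the purpose of the fix, but that contract is not written down anywhere in the new code; a comment above the os_snprintf() call such as `/* os_exec() splits arg on spaces and runs program directly; event text is never interpreted by a shell */` would record it. The return value of os_snprintf() is no longer checked; `len` is computed from the same two strings so truncation is not expected, but keeping `if (res < 0 || (size_t) res >= len)` with a separate variable would preserve the earlier defensive check.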
+++ b/SOURCES/build-config
@@ -0,0 +1,38 @@
+CONFIG_CTRL_IFACE=y
+CONFIG_CTRL_IFACE_DBUS=y
+CONFIG_CTRL_IFACE_DBUS_NEW=y
+CONFIG_CTRL_IFACE_DBUS_INTRO=y
+CONFIG_DRIVER_WEXT=y
+CONFIG_LIBNL32=y
+CONFIG_DRIVER_NL80211=y
+CONFIG_DRIVER_WIRED=y
+CONFIG_IEEE8021X_EAPOL=y
+CONFIG_EAP_MD5=y
+CONFIG_EAP_MSCHAPV2=y
+CONFIG_EAP_TLS=y
+CONFIG_EAP_PEAP=y
+CONFIG_EAP_TTLS=y
+CONFIG_EAP_FAST=y
+CONFIG_EAP_GTC=y
+CONFIG_EAP_OTP=y
+CONFIG_EAP_AKA=y
+CONFIG_EAP_PAX=y
+CONFIG_EAP_LEAP=y
+CONFIG_EAP_SAKE=y
+CONFIG_EAP_GPSK=y
+CONFIG_EAP_GPSK_SHA256=y
+CONFIG_EAP_TNC=y
+CONFIG_WPS=y
+CONFIG_EAP_IKEV2=y
+CONFIG_PKCS12=y
+CONFIG_SMARTCARD=y
+CONFIG_DEBUG_FILE=y
+CONFIG_BACKEND=file
+CONFIG_PEERKEY=y
+CONFIG_BGSCAN_SIMPLE=y
+#CONFIG_FIPS=y
+CONFIG_AP=y
+CONFIG_P2P=y
+CONFIG_IBSS_RSN=y
+CONFIG_IEEE80211N=y
+CONFIG_EAPOL_TEST=y
diff --git a/SOURCES/libnl3-includes.patch b/SOURCES/libnl3-includes.patch
new file mode 100644
index 0000000..53a3c85
--- /dev/null
+++ b/SOURCES/libnl3-includes.patch
@@ -0,0 +1,12 @@
+diff -up wpa_supplicant-1.0-rc2/src/drivers/drivers.mak.foo wpa_supplicant-1.0-rc2/src/drivers/drivers.mak
+--- wpa_supplicant-1.0-rc2/src/drivers/drivers.mak.foo 2012-03-02 16:11:43.176448714 -0600
++++ wpa_supplicant-1.0-rc2/src/drivers/drivers.mak 2012-03-02 16:12:29.759866341 -0600
+@@ -48,7 +48,7 @@ NEED_RFKILL=y
+ ifdef CONFIG_LIBNL32
+ DRV_LIBS += -lnl-3
+ DRV_LIBS += -lnl-genl-3
+- DRV_CFLAGS += -DCONFIG_LIBNL20 -I/usr/include/libnl3
++ DRV_CFLAGS += -DCONFIG_LIBNL20 `pkg-config --cflags libnl-3.0`
+ else
+ ifdef CONFIG_LIBNL_TINY
+ DRV_LIBS += -lnl-tiny
diff --git a/SOURCES/rh1032758-fix-pmksa-cache-entry-clearing.patch b/SOURCES/rh1032758-fix-pmksa-cache-entry-clearing.patch
new file mode 100644
index 0000000..91fdc12
--- /dev/null
+++ b/SOURCES/rh1032758-fix-pmksa-cache-entry-clearing.patch
@@ -0,0 +1,150 @@ +From 4033935dd9098938838d6d7934ceb65f92a1fa3c Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Wed, 22 May 2013 13:24:30 +0300 +Subject: [PATCH] Fix OKC-based PMKSA cache entry clearing + +Commit c3fea272747f738f5723fc577371fe03711d988f added a call to clear +all other PMKSA cache entries for the same network if the PMKSA cache +entry of the current AP changed. This was needed to fix OKC cases since +the other APs would likely use the new PMK in the future. However, this +ended up clearing entries in cases where that is not desired and this +resulted in needing additional full EAP authentication with networks +that did not support OKC if wpa_supplicant was configured to try to use +it. + +Make PMKSA cache entry flushing more limited so that the other entries +are removed only if they used the old PMK that was replaced for the +current AP and only if that PMK had previously been used successfully +(i.e., opportunistic flag was already cleared back to 0 in +wpa_supplicant_key_neg_complete()). This is still enough to fix the +issue described in that older commit while not causing problems for +standard PMKSA caching operations even if OKC is enabled in +wpa_supplicant configuration. 
+ +Signed-hostap: Jouni Malinen +--- + src/rsn_supp/pmksa_cache.c | 27 ++++++++++++++++++++------- + src/rsn_supp/pmksa_cache.h | 3 ++- + src/rsn_supp/wpa.c | 2 +- + 3 files changed, 23 insertions(+), 9 deletions(-) + +diff --git a/src/rsn_supp/pmksa_cache.c b/src/rsn_supp/pmksa_cache.c +index df67583..93056ea 100644 +--- a/src/rsn_supp/pmksa_cache.c ++++ b/src/rsn_supp/pmksa_cache.c +@@ -160,25 +160,31 @@ pmksa_cache_add(struct rsn_pmksa_cache *pmksa, const u8 *pmk, size_t pmk_len, + os_free(entry); + return pos; + } + if (prev == NULL) + pmksa->pmksa = pos->next; + else + prev->next = pos->next; +- wpa_printf(MSG_DEBUG, "RSN: Replace PMKSA entry for " +- "the current AP"); +- pmksa_cache_free_entry(pmksa, pos, PMKSA_REPLACE); + + /* + * If OKC is used, there may be other PMKSA cache + * entries based on the same PMK. These needs to be + * flushed so that a new entry can be created based on +- * the new PMK. ++ * the new PMK. Only clear other entries if they have a ++ * matching PMK and this PMK has been used successfully ++ * with the current AP, i.e., if opportunistic flag has ++ * been cleared in wpa_supplicant_key_neg_complete(). 
+ */ +- pmksa_cache_flush(pmksa, network_ctx); ++ wpa_printf(MSG_DEBUG, "RSN: Replace PMKSA entry for " ++ "the current AP and any PMKSA cache entry " ++ "that was based on the old PMK"); ++ if (!pos->opportunistic) ++ pmksa_cache_flush(pmksa, network_ctx, pos->pmk, ++ pos->pmk_len); ++ pmksa_cache_free_entry(pmksa, pos, PMKSA_REPLACE); + break; + } + prev = pos; + pos = pos->next; + } + + if (pmksa->pmksa_count >= pmksa_cache_max_entries && pmksa->pmksa) { +@@ -231,23 +237,30 @@ pmksa_cache_add(struct rsn_pmksa_cache *pmksa, const u8 *pmk, size_t pmk_len, + } + + + /** + * pmksa_cache_flush - Flush PMKSA cache entries for a specific network + * @pmksa: Pointer to PMKSA cache data from pmksa_cache_init() + * @network_ctx: Network configuration context or %NULL to flush all entries ++ * @pmk: PMK to match for or %NYLL to match all PMKs ++ * @pmk_len: PMK length + */ +-void pmksa_cache_flush(struct rsn_pmksa_cache *pmksa, void *network_ctx) ++void pmksa_cache_flush(struct rsn_pmksa_cache *pmksa, void *network_ctx, ++ const u8 *pmk, size_t pmk_len) + { + struct rsn_pmksa_cache_entry *entry, *prev = NULL, *tmp; + int removed = 0; + + entry = pmksa->pmksa; + while (entry) { +- if (entry->network_ctx == network_ctx || network_ctx == NULL) { ++ if ((entry->network_ctx == network_ctx || ++ network_ctx == NULL) && ++ (pmk == NULL || ++ (pmk_len == entry->pmk_len && ++ os_memcmp(pmk, entry->pmk, pmk_len) == 0))) { + wpa_printf(MSG_DEBUG, "RSN: Flush PMKSA cache entry " + "for " MACSTR, MAC2STR(entry->aa)); + if (prev) + prev->next = entry->next; + else + pmksa->pmksa = entry->next; + tmp = entry; +diff --git a/src/rsn_supp/pmksa_cache.h b/src/rsn_supp/pmksa_cache.h +index 6f3dfb3..d5aa229 100644 +--- a/src/rsn_supp/pmksa_cache.h ++++ b/src/rsn_supp/pmksa_cache.h +@@ -62,15 +62,16 @@ struct rsn_pmksa_cache_entry * pmksa_cache_get_current(struct wpa_sm *sm); + void pmksa_cache_clear_current(struct wpa_sm *sm); + int pmksa_cache_set_current(struct wpa_sm *sm, const u8 *pmkid, + 
const u8 *bssid, void *network_ctx, + int try_opportunistic); + struct rsn_pmksa_cache_entry * + pmksa_cache_get_opportunistic(struct rsn_pmksa_cache *pmksa, + void *network_ctx, const u8 *aa); +-void pmksa_cache_flush(struct rsn_pmksa_cache *pmksa, void *network_ctx); ++void pmksa_cache_flush(struct rsn_pmksa_cache *pmksa, void *network_ctx, ++ const u8 *pmk, size_t pmk_len); + + #else /* IEEE8021X_EAPOL and !CONFIG_NO_WPA2 */ + + static inline struct rsn_pmksa_cache * + pmksa_cache_init(void (*free_cb)(struct rsn_pmksa_cache_entry *entry, + void *ctx, int reason), + void *ctx, struct wpa_sm *sm) +diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c +index e50404c..365a710 100644 +--- a/src/rsn_supp/wpa.c ++++ b/src/rsn_supp/wpa.c +@@ -2618,15 +2618,15 @@ void wpa_sm_update_replay_ctr(struct wpa_sm *sm, const u8 *replay_ctr) + os_memcpy(sm->rx_replay_counter, replay_ctr, WPA_REPLAY_COUNTER_LEN); + } + + + void wpa_sm_pmksa_cache_flush(struct wpa_sm *sm, void *network_ctx) + { + #ifndef CONFIG_NO_WPA2 +- pmksa_cache_flush(sm->pmksa, network_ctx); ++ pmksa_cache_flush(sm->pmksa, network_ctx, NULL, 0); + #endif /* CONFIG_NO_WPA2 */ + } + + + #ifdef CONFIG_WNM + int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf) + { +-- +1.8.3.1 + diff --git a/SOURCES/rh837402-less-aggressive-roaming.patch b/SOURCES/rh837402-less-aggressive-roaming.patch new file mode 100644 index 0000000..29f827b --- /dev/null +++ b/SOURCES/rh837402-less-aggressive-roaming.patch 
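Review bot: The debug message in pmksa_cache_add() is printed unconditionally and says that "any PMKSA cache entry that was based on the old PMK" is replaced, yet pmksa_cache_flush() only runs when `!pos->opportunistic`, so with the flag set the log reports a flush that did not happen. Logging the second half of the message only inside the `if (!pos->opportunistic)` branch would keep the debug output accurate for anyone diagnosing cache behaviour. The new kernel-doc line for pmksa_cache_flush() has a typo: `%NYLL` should read `%NULL`. Both functions continue outside the hunks shown.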
@@ -0,0 +1,27 @@
+diff -up wpa_supplicant-0.7.3/wpa_supplicant/events.c.foo wpa_supplicant-0.7.3/wpa_supplicant/events.c
+--- wpa_supplicant-0.7.3/wpa_supplicant/events.c.foo 2012-06-12 12:03:36.172962193 -0500
++++ wpa_supplicant-0.7.3/wpa_supplicant/events.c 2012-06-12 12:03:51.388771973 -0500
+@@ -871,16 +871,14 @@ static int wpa_supplicant_need_to_roam(s
+
+ min_diff = 2;
+ if (current_bss->level < 0) {
+- if (current_bss->level < -85)
+- min_diff = 1;
+- else if (current_bss->level < -80)
+- min_diff = 2;
+- else if (current_bss->level < -75)
+- min_diff = 3;
+- else if (current_bss->level < -70)
++ if (current_bss->level < -75)
+ min_diff = 4;
++ else if (current_bss->level < -70)
++ min_diff = 6;
++ else if (current_bss->level < -65)
++ min_diff = 8;
+ else
+- min_diff = 5;
++ min_diff = 15;
+ }
+ if (abs(current_bss->level - selected->level) < min_diff) {
+ wpa_dbg(wpa_s, MSG_DEBUG, "Skip roam - too small difference "
+
diff --git a/SOURCES/rh948453-man-page.patch b/SOURCES/rh948453-man-page.patch
new file mode 100644
index 0000000..06e95ca
--- /dev/null
+++ b/SOURCES/rh948453-man-page.patch
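Review bot: The new `min_diff` ladder in wpa_supplicant_need_to_roam() consists of bare numbers with no comment saying what they are measured in or why they were chosen, which makes the table hard to audit or retune. A comment above the ladder such as `/* Require a larger signal difference before roaming the stronger the current signal is (levels presumably in dBm - confirm) */` would help. Drivers that report a non-negative `level` still get the unchanged `min_diff = 2`, which looks intentional but is worth stating in the same comment. The function continues outside the hunk.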
@@ -0,0 +1,397 @@ +diff -up wpa_supplicant-2.0/wpa_supplicant/doc/docbook/eapol_test.sgml.man-page wpa_supplicant-2.0/wpa_supplicant/doc/docbook/eapol_test.sgml +--- wpa_supplicant-2.0/wpa_supplicant/doc/docbook/eapol_test.sgml.man-page 2014-01-20 16:40:02.340869189 -0600 ++++ wpa_supplicant-2.0/wpa_supplicant/doc/docbook/eapol_test.sgml 2014-01-20 16:40:02.340869189 -0600 +@@ -0,0 +1,205 @@ ++ ++ ++ ++ ++ eapol_test ++ 8 ++ ++ ++ eapol_test ++ ++ EAP peer and RADIUS client testing ++ ++ ++ ++ ++ eapol_test ++ -nWS ++ -cconfig file ++ -aserver IP address ++ -Aclient IP address ++ -pUDP port ++ -sshared secret ++ -rre-authentications ++ -ttimeout ++ -CConnect-Info ++ -MMAC address ++ -ofile ++ -Nattr spec ++ ++ ++ eapol_test scard ++ ++ ++ eapol_test sim ++ PIN ++ num triplets ++ ++ ++ ++ ++ Overview ++ ++ eapol_test is a program that links together the same EAP ++ peer implementation that wpa_supplicant is using and the RADIUS ++ authentication client code from hostapd. In addition, it has ++ minimal glue code to combine these two components in similar ++ ways to IEEE 802.1X/EAPOL Authenticator state machines. In other ++ words, it integrates IEEE 802.1X Authenticator (normally, an ++ access point) and IEEE 802.1X Supplicant (normally, a wireless ++ client) together to generate a single program that can be used to ++ test EAP methods without having to setup an access point and a ++ wireless client. ++ ++ The main uses for eapol_test are in interoperability testing ++ of EAP methods against RADIUS servers and in development testing ++ for new EAP methods. It can be easily used to automate EAP testing ++ for interoperability and regression since the program can be run ++ from shell scripts without require additional test components apart ++ from a RADIUS server. For example, the automated EAP tests described ++ in eap_testing.txt are implemented with eapol_test. 
Similarly, ++ eapol_test could be used to implement an automated regression ++ test suite for a RADIUS authentication server. ++ ++ ++ As an example: ++ ++
++eapol_test -ctest.conf -a127.0.0.1 -p1812 -ssecret -r1 ++
++ ++ tries to complete EAP authentication based on the network ++ configuration from test.conf against the RADIUS server running ++ on the local host. A re-authentication is triggered to test fast ++ re-authentication. The configuration file uses the same format for ++ network blocks as wpa_supplicant. ++ ++
++ ++ Command Arguments ++ ++ ++ -c configuration file path ++ ++ A configuration to use. The configuration should ++ use the same format for network blocks as wpa_supplicant. ++ ++ ++ ++ ++ -a AS address ++ ++ IP address of the authentication server. The ++ default is '127.0.0.1'. ++ ++ ++ ++ -A client address ++ ++ IP address of the client. The default is to ++ select an address automatically. ++ ++ ++ ++ -p AS port ++ ++ UDP port of the authentication server. The ++ default is '1812'. ++ ++ ++ ++ -s AS secret ++ ++ Shared secret with the authentication server. ++ The default is 'radius'. ++ ++ ++ ++ -r count ++ ++ Number of reauthentications. ++ ++ ++ ++ -t timeout ++ ++ Timeout in seconds. The default is 30. ++ ++ ++ ++ -C info ++ ++ RADIUS Connect-Info. The default is ++ 'CONNECT 11Mbps 802.11b'. ++ ++ ++ ++ ++ -M mac address ++ ++ Client MAC address (Calling-Station-Id). The ++ default is '02:00:00:00:00:01'. ++ ++ ++ ++ -o file ++ ++ Location to write out server certificate. ++ ++ ++ ++ ++ -N attr spec ++ ++ Send arbitrary attribute specific by ++ attr_id:syntax:value, or attr_id alone. attr_id should be the numeric ++ ID of the attribute, and syntax should be one of 's' (string), ++ 'd' (integer), or 'x' (octet string). The value is the attribute value ++ to send. When attr_id is given alone, NULL is used as the attribute ++ value. Multiple attributes can be specified by using the option ++ several times. ++ ++ ++ ++ -n ++ ++ Indicates that no MPPE keys are expected. ++ ++ ++ ++ ++ -W ++ ++ Wait for a control interface monitor before starting. ++ ++ ++ ++ ++ -S ++ ++ Save configuration after authentication. ++ ++ ++ ++ ++ ++ ++ See Also ++ ++ ++ wpa_supplicant ++ 8 ++ ++ ++ ++ ++ Legal ++ wpa_supplicant is copyright (c) 2003-2012, ++ Jouni Malinen j@w1.fi and ++ contributors. ++ All Rights Reserved. ++ ++ This program is licensed under the BSD license (the one with ++ advertisement clause removed). ++ ++
+diff -up wpa_supplicant-2.0/wpa_supplicant/doc/docbook/Makefile.man-page wpa_supplicant-2.0/wpa_supplicant/doc/docbook/Makefile +--- wpa_supplicant-2.0/wpa_supplicant/doc/docbook/Makefile.man-page 2013-01-12 09:42:53.000000000 -0600 ++++ wpa_supplicant-2.0/wpa_supplicant/doc/docbook/Makefile 2014-01-20 16:40:02.342869164 -0600 +@@ -1,4 +1,4 @@ +-all: man html pdf ++all: man + + FILES += wpa_background + FILES += wpa_cli +@@ -7,6 +7,7 @@ FILES += wpa_passphrase + FILES += wpa_priv + FILES += wpa_supplicant.conf + FILES += wpa_supplicant ++FILES += eapol_test + + man: + for i in $(FILES); do docbook2man $$i.sgml; done +@@ -20,7 +21,7 @@ pdf: + + + clean: +- rm -f wpa_background.8 wpa_cli.8 wpa_gui.8 wpa_passphrase.8 wpa_priv.8 wpa_supplicant.8 ++ rm -f wpa_background.8 wpa_cli.8 wpa_gui.8 wpa_passphrase.8 wpa_priv.8 wpa_supplicant.8 eapol_test.8 + rm -f wpa_supplicant.conf.5 + rm -f manpage.links manpage.refs + rm -f $(FILES:%=%.pdf) +diff -up wpa_supplicant-2.0/wpa_supplicant/doc/docbook/wpa_cli.sgml.man-page wpa_supplicant-2.0/wpa_supplicant/doc/docbook/wpa_cli.sgml +--- wpa_supplicant-2.0/wpa_supplicant/doc/docbook/wpa_cli.sgml.man-page 2013-01-12 09:42:53.000000000 -0600 ++++ wpa_supplicant-2.0/wpa_supplicant/doc/docbook/wpa_cli.sgml 2014-01-20 16:40:02.339869202 -0600 +@@ -15,10 +15,12 @@ + + wpa_cli + -p path to ctrl sockets ++ -g path to global ctrl_interface socket + -i ifname + -hvB + -a action file + -P pid file ++ -G ping interval + command ... + + +@@ -111,6 +113,14 @@ CTRL-REQ-OTP-2:Challenge 1235663 needed + + + ++ -g control socket path ++ ++ Connect to the global control socket at the ++ indicated path rather than an interface-specific control ++ socket. ++ ++ ++ + -i ifname + + Specify the interface that is being +@@ -161,6 +171,13 @@ CTRL-REQ-OTP-2:Challenge 1235663 needed + + + ++ -G ping interval ++ ++ Set the interval (in seconds) at which ++ wpa_cli pings the supplicant. ++ ++ ++ + command + + Run a command. 
The available commands are +diff -up wpa_supplicant-2.0/wpa_supplicant/doc/docbook/wpa_supplicant.sgml.man-page wpa_supplicant-2.0/wpa_supplicant/doc/docbook/wpa_supplicant.sgml +--- wpa_supplicant-2.0/wpa_supplicant/doc/docbook/wpa_supplicant.sgml.man-page 2013-01-12 09:42:53.000000000 -0600 ++++ wpa_supplicant-2.0/wpa_supplicant/doc/docbook/wpa_supplicant.sgml 2014-01-20 16:40:02.339869202 -0600 +@@ -12,7 +12,7 @@ + + + wpa_supplicant +- -BddfhKLqqtuvW ++ -BddfhKLqqsTtuvW + -iifname + -cconfig file + -Ddriver +@@ -344,9 +344,20 @@ + + + ++ -e entropy file ++ ++ File for wpa_supplicant to use to ++ maintain its internal entropy store in over restarts. ++ ++ ++ ++ + -f output file + +- Log output to specified file instead of stdout. ++ Log output to specified file instead of stdout. (This ++ is only available if wpa_supplicant was ++ built with the CONFIG_DEBUG_FILE ++ option.) + + + +@@ -387,6 +398,22 @@ + + + ++ -o override driver ++ ++ Override the driver parameter for new ++ interfaces. ++ ++ ++ ++ ++ -O override ctrl_interface ++ ++ Override the ctrl_interface parameter for new ++ interfaces. ++ ++ ++ ++ + -p + + Driver parameters. (Per interface) +@@ -409,10 +436,40 @@ + + + ++ -s ++ ++ Log output to syslog instead of stdout. (This is only ++ available if wpa_supplicant was built ++ with the CONFIG_DEBUG_SYSLOG ++ option.) ++ ++ ++ ++ ++ -T ++ ++ Log output to Linux tracing in addition to any other ++ destinations. (This is only available ++ if wpa_supplicant was built with ++ the CONFIG_DEBUG_LINUX_TRACING ++ option.) ++ ++ ++ ++ ++ -t ++ ++ Include timestamp in debug messages. ++ ++ ++ ++ + -u + +- Enabled DBus control interface. If enabled, interface +- definitions may be omitted. ++ Enable DBus control interface. If enabled, interface ++ definitions may be omitted. (This is only available ++ if wpa_supplicant was built with ++ the CONFIG_DBUS option.) 
+ + + +diff -up wpa_supplicant-2.0/wpa_supplicant/main.c.man-page wpa_supplicant-2.0/wpa_supplicant/main.c +--- wpa_supplicant-2.0/wpa_supplicant/main.c.man-page 2013-01-12 09:42:53.000000000 -0600 ++++ wpa_supplicant-2.0/wpa_supplicant/main.c 2014-01-20 16:40:02.340869189 -0600 +@@ -23,11 +23,11 @@ static void usage(void) + int i; + printf("%s\n\n%s\n" + "usage:\n" +- " wpa_supplicant [-BddhKLqqstuvW] [-P] " ++ " wpa_supplicant [-BddhKLqqtvW] [-P] " + "[-g] \\\n" + " -i -c [-C] [-D] " + "[-p] \\\n" +- " [-b] [-f] [-e] " ++ " [-b] [-e] " + "\\\n" + " [-o] [-O] \\\n" + " [-N -i -c [-C] " diff --git a/SOURCES/wpa_supplicant-assoc-timeout.patch b/SOURCES/wpa_supplicant-assoc-timeout.patch new file mode 100644 index 0000000..c3b3568 --- /dev/null +++ b/SOURCES/wpa_supplicant-assoc-timeout.patch @@ -0,0 +1,16 @@ +diff -up wpa_supplicant-0.7.3/wpa_supplicant/wpa_supplicant.c.assoc-timeout wpa_supplicant-0.7.3/wpa_supplicant/wpa_supplicant.c +--- wpa_supplicant-0.7.3/wpa_supplicant/wpa_supplicant.c.assoc-timeout 2010-09-07 10:43:39.000000000 -0500 ++++ wpa_supplicant-0.7.3/wpa_supplicant/wpa_supplicant.c 2010-12-07 18:57:45.163457000 -0600 +@@ -1262,10 +1262,10 @@ void wpa_supplicant_associate(struct wpa + + if (assoc_failed) { + /* give IBSS a bit more time */ +- timeout = ssid->mode == WPAS_MODE_IBSS ? 10 : 5; ++ timeout = ssid->mode == WPAS_MODE_IBSS ? 20 : 10; + } else if (wpa_s->conf->ap_scan == 1) { + /* give IBSS a bit more time */ +- timeout = ssid->mode == WPAS_MODE_IBSS ? 20 : 10; ++ timeout = ssid->mode == WPAS_MODE_IBSS ? 20 : 20; + } + wpa_supplicant_req_auth_timeout(wpa_s, timeout, 0); + } diff --git a/SOURCES/wpa_supplicant-dbus-service-file-args.patch b/SOURCES/wpa_supplicant-dbus-service-file-args.patch new file mode 100644 index 0000000..b7478da --- /dev/null +++ b/SOURCES/wpa_supplicant-dbus-service-file-args.patch 
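Review bot: In the `ap_scan == 1` branch of wpa_supplicant_associate() the new line `timeout = ssid->mode == WPAS_MODE_IBSS ? 20 : 20;` has two identical arms, so the ternary and the comment "give IBSS a bit more time" above it no longer describe what the code does. Writing `timeout = 20;` and dropping or rewording that comment would make the intent clear; if IBSS was meant to keep a longer timeout than infrastructure mode, the first arm needs a different value. The function body continues outside the hunk.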
@@ -0,0 +1,20 @@
+diff -up wpa_supplicant-0.7.3/wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in.fedora wpa_supplicant-0.7.3/wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in
+--- wpa_supplicant-0.7.3/wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in.fedora 2008-03-02 20:58:35.000000000 -0500
++++ wpa_supplicant-0.7.3/wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in 2008-03-02 20:58:41.000000000 -0500
+@@ -1,5 +1,5 @@
+ [D-BUS Service]
+ Name=fi.w1.wpa_supplicant1
+-Exec=@BINDIR@/wpa_supplicant -u
++Exec=@BINDIR@/wpa_supplicant -B -u -f /var/log/wpa_supplicant.log -c /etc/wpa_supplicant/wpa_supplicant.conf -P /var/run/wpa_supplicant.pid
+ User=root
+ SystemdService=wpa_supplicant.service
+diff -up wpa_supplicant-0.7.3/wpa_supplicant/dbus/fi.epitest.hostap.WPASupplicant.service.in.fedora wpa_supplicant-0.7.3/wpa_supplicant/dbus/fi.epitest.hostap.WPASupplicant.service.in
+--- wpa_supplicant-0.7.3/wpa_supplicant/dbus/fi.epitest.hostap.WPASupplicant.service.in.fedora 2008-03-02 20:58:35.000000000 -0500
++++ wpa_supplicant-0.7.3/wpa_supplicant/dbus/fi.epitest.hostap.WPASupplicant.service.in 2008-03-02 20:58:41.000000000 -0500
+@@ -1,5 +1,5 @@
+ [D-BUS Service]
+ Name=fi.epitest.hostap.WPASupplicant
+-Exec=@BINDIR@/wpa_supplicant -u
++Exec=@BINDIR@/wpa_supplicant -B -u -f /var/log/wpa_supplicant.log -c /etc/wpa_supplicant/wpa_supplicant.conf -P /var/run/wpa_supplicant.pid
+ User=root
+ SystemdService=wpa_supplicant.service
diff --git a/SOURCES/wpa_supplicant-flush-debug-output.patch b/SOURCES/wpa_supplicant-flush-debug-output.patch
new file mode 100644
index 0000000..a686851
--- /dev/null
+++ b/SOURCES/wpa_supplicant-flush-debug-output.patch
@@ -0,0 +1,49 @@ +--- wpa_supplicant-0.6.3/src/utils/wpa_debug.c.flush-debug 2007-07-30 23:15:34.000000000 -0400 ++++ wpa_supplicant-0.6.3/src/utils/wpa_debug.c 2007-07-30 23:17:06.000000000 -0400 +@@ -157,6 +157,7 @@ void wpa_debug_print_timestamp(void) + if (out_file) { + fprintf(out_file, "%ld.%06u: ", (long) tv.sec, + (unsigned int) tv.usec); ++ fflush(out_file); + } else + #endif /* CONFIG_DEBUG_FILE */ + printf("%ld.%06u: ", (long) tv.sec, (unsigned int) tv.usec); +@@ -185,6 +186,7 @@ void wpa_printf(int level, char *fmt, .. + if (out_file) { + vfprintf(out_file, fmt, ap); + fprintf(out_file, "\n"); ++ fflush(out_file); + } else { + #endif /* CONFIG_DEBUG_FILE */ + vprintf(fmt, ap); +@@ -217,6 +219,7 @@ static void _wpa_hexdump(int level, cons + fprintf(out_file, " [REMOVED]"); + } + fprintf(out_file, "\n"); ++ fflush(out_file); + } else { + #endif /* CONFIG_DEBUG_FILE */ + printf("%s - hexdump(len=%lu):", title, (unsigned long) len); +@@ -262,12 +265,14 @@ static void _wpa_hexdump_ascii(int level + fprintf(out_file, + "%s - hexdump_ascii(len=%lu): [REMOVED]\n", + title, (unsigned long) len); ++ fflush(out_file); + return; + } + if (buf == NULL) { + fprintf(out_file, + "%s - hexdump_ascii(len=%lu): [NULL]\n", + title, (unsigned long) len); ++ fflush(out_file); + return; + } + fprintf(out_file, "%s - hexdump_ascii(len=%lu):\n", +@@ -292,6 +297,7 @@ static void _wpa_hexdump_ascii(int level + pos += llen; + len -= llen; + } ++ fflush(out_file); + } else { + #endif /* CONFIG_DEBUG_FILE */ + if (!show) { diff --git a/SOURCES/wpa_supplicant-gui-qt4.patch b/SOURCES/wpa_supplicant-gui-qt4.patch new file mode 100644 index 0000000..ab7a38d --- /dev/null +++ b/SOURCES/wpa_supplicant-gui-qt4.patch 
@@ -0,0 +1,16 @@
+diff -up wpa_supplicant-0.7.3/wpa_supplicant/Makefile.qt4 wpa_supplicant-0.7.3/wpa_supplicant/Makefile
+--- wpa_supplicant-0.7.3/wpa_supplicant/Makefile.qt4 2010-09-07 10:43:39.000000000 -0500
++++ wpa_supplicant-0.7.3/wpa_supplicant/Makefile 2010-12-08 10:07:44.152664004 -0600
+@@ -1352,10 +1352,10 @@ wpa_gui: wpa_gui/Makefile
+ @echo "wpa_gui has been removed - see wpa_gui-qt4 for replacement"
+
+ wpa_gui-qt4/Makefile:
+- qmake -o wpa_gui-qt4/Makefile wpa_gui-qt4/wpa_gui.pro
++ qmake-qt4 -o wpa_gui-qt4/Makefile wpa_gui-qt4/wpa_gui.pro
+
+ wpa_gui-qt4/lang/wpa_gui_de.qm: wpa_gui-qt4/lang/wpa_gui_de.ts
+- lrelease wpa_gui-qt4/wpa_gui.pro
++ lrelease-qt4 wpa_gui-qt4/wpa_gui.pro
+
+ wpa_gui-qt4: wpa_gui-qt4/Makefile wpa_gui-qt4/lang/wpa_gui_de.qm
+ $(MAKE) -C wpa_gui-qt4
diff --git a/SOURCES/wpa_supplicant-openssl-more-algs.patch b/SOURCES/wpa_supplicant-openssl-more-algs.patch
new file mode 100644
index 0000000..b44c463
--- /dev/null
+++ b/SOURCES/wpa_supplicant-openssl-more-algs.patch
@@ -0,0 +1,16 @@
+diff -up wpa_supplicant-0.7.3/src/crypto/tls_openssl.c.more-openssl-algs wpa_supplicant-0.7.3/src/crypto/tls_openssl.c
+--- wpa_supplicant-0.7.3/src/crypto/tls_openssl.c.more-openssl-algs 2010-09-07 10:43:39.000000000 -0500
++++ wpa_supplicant-0.7.3/src/crypto/tls_openssl.c 2010-12-08 10:01:02.967664004 -0600
+@@ -710,6 +710,11 @@ void * tls_init(const struct tls_config
+ #endif /* OPENSSL_FIPS */
+ #endif /* CONFIG_FIPS */
+ SSL_load_error_strings();
++ /* Only add potentially weak hashes and encryption algorithms
++ * when FIPS mode is not enabled.
++ */
++ if (!conf || !conf->fips_mode)
++ OpenSSL_add_all_algorithms();
+ SSL_library_init();
+ #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
+ EVP_add_digest(EVP_sha256());
+
diff --git a/SOURCES/wpa_supplicant-quiet-scan-results-message.patch b/SOURCES/wpa_supplicant-quiet-scan-results-message.patch
new file mode 100644
index 0000000..5bb36a4
--- /dev/null
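Review bot: The `OpenSSL_add_all_algorithms()` call added to tls_init() registers every cipher and digest the linked OpenSSL offers whenever `fips_mode` is off, and the new comment calls them "potentially weak" without saying what needs them. The spec file describes this patch as allowing more private key encryption algorithms, so the comment could state that directly, for example `/* Needed to read private keys protected with algorithms outside the default set; skipped in FIPS mode */`, which lets a later reviewer judge whether the wider set is still required. The hunk does not show whether `conf->fips_mode` is declared when CONFIG_FIPS is not defined, nor whether this part of tls_init() runs once or on every call; both are worth confirming against the full function.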
+++ b/SOURCES/wpa_supplicant-quiet-scan-results-message.patch
@@ -0,0 +1,13 @@
+diff -up wpa_supplicant-0.6.7/wpa_supplicant/events.c.scan-results-msg wpa_supplicant-0.6.7/wpa_supplicant/events.c
+--- wpa_supplicant-0.6.7/wpa_supplicant/events.c.scan-results-msg 2009-01-30 12:08:34.000000000 -0500
++++ wpa_supplicant-0.6.7/wpa_supplicant/events.c 2009-01-30 12:08:37.000000000 -0500
+@@ -911,7 +911,7 @@ static void wpa_supplicant_event_scan_re
+ }
+
+ wpa_dbg(wpa_s, MSG_DEBUG, "New scan results available");
+- wpa_msg_ctrl(wpa_s, MSG_INFO, WPA_EVENT_SCAN_RESULTS);
++ wpa_msg_ctrl(wpa_s, MSG_DEBUG, WPA_EVENT_SCAN_RESULTS);
+ wpas_notify_scan_results(wpa_s);
+
+ wpas_notify_scan_done(wpa_s, 1);
+
diff --git a/SOURCES/wpa_supplicant.conf b/SOURCES/wpa_supplicant.conf
new file mode 100644
index 0000000..65ad645
--- /dev/null
+++ b/SOURCES/wpa_supplicant.conf
@@ -0,0 +1,3 @@
+ctrl_interface=/var/run/wpa_supplicant
+ctrl_interface_group=wheel
+
diff --git a/SOURCES/wpa_supplicant.logrotate b/SOURCES/wpa_supplicant.logrotate
new file mode 100644
index 0000000..bd7ef91
--- /dev/null
+++ b/SOURCES/wpa_supplicant.logrotate
@@ -0,0 +1,6 @@
+/var/log/wpa_supplicant.log {
+ missingok
+ notifempty
+ size 30k
+ create 0600 root root
+}
diff --git a/SOURCES/wpa_supplicant.service b/SOURCES/wpa_supplicant.service
new file mode 100644
index 0000000..45d8b99
--- /dev/null
+++ b/SOURCES/wpa_supplicant.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=WPA Supplicant daemon
+Before=network.target
+After=syslog.target
+
+[Service]
+Type=dbus
+BusName=fi.w1.wpa_supplicant1
+EnvironmentFile=-/etc/sysconfig/wpa_supplicant
+ExecStart=/usr/sbin/wpa_supplicant -u -f /var/log/wpa_supplicant.log -c /etc/wpa_supplicant/wpa_supplicant.conf $INTERFACES $DRIVERS $OTHER_ARGS
+
+[Install]
+WantedBy=multi-user.target
+
diff --git a/SOURCES/wpa_supplicant.sysconfig b/SOURCES/wpa_supplicant.sysconfig
new file mode 100644
index 0000000..23fc1e7
--- /dev/null
+++ b/SOURCES/wpa_supplicant.sysconfig
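Review bot: The shipped wpa_supplicant.conf sets `ctrl_interface_group=wheel` with no comment, so it is not obvious to an administrator that membership of that group carries access to the control socket under /var/run/wpa_supplicant. A line such as `# Members of this group may use the control interface (e.g. via wpa_cli)` above the setting would document the access decision where it is made.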
@@ -0,0 +1,16 @@
+# Use the flag "-i" before each of your interfaces, like so:
+# INTERFACES="-ieth1 -iwlan0"
+INTERFACES=""
+
+# Use the flag "-D" before each driver, like so:
+# DRIVERS="-Dwext"
+DRIVERS=""
+
+# Other arguments
+# -u Enable the D-Bus interface (required for use with NetworkManager)
+# -f Log to /var/log/wpa_supplicant.log
+# -P Write pid file to /var/run/wpa_supplicant.pid
+# required to return proper codes by init scripts (e.g. double "start" action)
+# -B to daemonize that has to be used together with -P is already in wpa_supplicant.init.d
+OTHER_ARGS="-u -f /var/log/wpa_supplicant.log -P /var/run/wpa_supplicant.pid"
+
diff --git a/SPECS/wpa_supplicant.spec b/SPECS/wpa_supplicant.spec
new file mode 100644
index 0000000..a36ae21
--- /dev/null
+++ b/SPECS/wpa_supplicant.spec
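Review bot: `OTHER_ARGS` repeats `-u -f /var/log/wpa_supplicant.log`, which the unit's ExecStart in this commit already passes ahead of `$OTHER_ARGS`, so both options reach the daemon twice and the log path is defined in two places. The last two comment lines describe init-script behaviour and a `wpa_supplicant.init.d` file that the spec in this commit does not install. Suggest `OTHER_ARGS="-P /var/run/wpa_supplicant.pid"` with the `-u`/`-f` and `-B` comment lines removed, or an empty default if nothing consumes the pid file under `Type=dbus`.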
@@ -0,0 +1,621 @@
+%define rcver %{nil}
+%define snapshot %{nil}
+
+%global _hardened_build 1
+
+Summary: WPA/WPA2/IEEE 802.1X Supplicant
+Name: wpa_supplicant
+Epoch: 1
+Version: 2.0
+Release: 14%{?dist}
+License: BSD
+Group: System Environment/Base
+Source0: http://w1.fi/releases/%{name}-%{version}%{rcver}%{snapshot}.tar.gz
+Source1: build-config
+Source2: %{name}.conf
+Source3: %{name}.service
+Source4: %{name}.sysconfig
+Source6: %{name}.logrotate
+
+%define build_gui 1
+%if 0%{?rhel} >= 1
+%define build_gui 0
+%endif
+
+# distro specific customization and not suitable for upstream,
+# works around busted drivers
+Patch0: wpa_supplicant-assoc-timeout.patch
+# ensures that debug output gets flushed immediately to help diagnose driver
+# bugs, not suitable for upstream
+Patch1: wpa_supplicant-flush-debug-output.patch
+# disto specific customization for log paths, not suitable for upstream
+Patch2: wpa_supplicant-dbus-service-file-args.patch
+# quiet an annoying and frequent syslog message
+Patch3: wpa_supplicant-quiet-scan-results-message.patch
+# allow more private key encryption algorithms
+Patch5: wpa_supplicant-openssl-more-algs.patch
+# distro specific customization for Qt4 build tools, not suitable for upstream
+Patch6: wpa_supplicant-gui-qt4.patch
+# Fix libnl3 includes path
+Patch7: libnl3-includes.patch
+# Less aggressive roaming; signal strength is wildly variable
+Patch8: rh837402-less-aggressive-roaming.patch
+# Add missing command-line options to man page, also filed upstream
+Patch9: rh948453-man-page.patch
+# Don't evict current AP from PMKSA cache when it's large
+Patch10: rh1032758-fix-pmksa-cache-entry-clearing.patch
+# CVE-2014-3686
+Patch11: 0001-Add-os_exec-helper-to-run-external-programs.patch
+Patch12: 0002-wpa_cli-Use-os_exec-for-action-script-execution.patch
+
+URL: http://w1.fi/wpa_supplicant/
+
+%if %{build_gui}
+BuildRequires: qt-devel >= 4.0
+%endif
+BuildRequires: openssl-devel
+BuildRequires: readline-devel
+BuildRequires: dbus-devel
+BuildRequires: libnl3-devel
+BuildRequires: systemd-units
+BuildRequires: docbook-utils
+Requires(post): systemd-sysv
+Requires(post): systemd-units
+Requires(preun): systemd-units
+Requires(postun): systemd-units
+
+%description
+wpa_supplicant is a WPA Supplicant for Linux, BSD and Windows with support
+for WPA and WPA2 (IEEE 802.11i / RSN). Supplicant is the IEEE 802.1X/WPA
+component that is used in the client stations. It implements key negotiation
+with a WPA Authenticator and it controls the roaming and IEEE 802.11
+authentication/association of the wlan driver.
+
+%if %{build_gui}
+
+%package gui
+Summary: Graphical User Interface for %{name}
+Group: Applications/System
+
+%description gui
+Graphical User Interface for wpa_supplicant written using QT
+
+%endif
+
+%prep
+%setup -q -n %{name}-%{version}%{rcver}
+%patch0 -p1 -b .assoc-timeout
+%patch1 -p1 -b .flush-debug-output
+%patch2 -p1 -b .dbus-service-file
+%patch3 -p1 -b .quiet-scan-results-msg
+%patch5 -p1 -b .more-openssl-algs
+%patch6 -p1 -b .qt4
+%patch7 -p1 -b .libnl3
+%patch8 -p1 -b .rh837402-less-aggressive-roaming
+%patch9 -p1 -b .man-page
+%patch10 -p1 -b .pmksa-clear-fix
+%patch11 -p1 -b .CVE-2014-3686-1
+%patch12 -p1 -b .CVE-2014-3686-2
+
+%build
+pushd wpa_supplicant
+ cp %{SOURCE1} .config
+ CFLAGS="${CFLAGS:-%optflags} -fPIE -DPIE" ; export CFLAGS ;
+ CXXFLAGS="${CXXFLAGS:-%optflags} -fPIE -DPIE" ; export CXXFLAGS ;
+ LDFLAGS="${LDFLAGS:-%optflags} -pie -Wl,-z,now" ; export LDFLAGS ;
+ # yes, BINDIR=_sbindir
+ BINDIR="%{_sbindir}" ; export BINDIR ;
+ LIBDIR="%{_libdir}" ; export LIBDIR ;
+ make %{_smp_mflags}
+%if %{build_gui}
+ QTDIR=%{_libdir}/qt4 make wpa_gui-qt4 %{_smp_mflags}
+%endif
+ make eapol_test
+popd
+
+pushd wpa_supplicant/doc/docbook
+ make
+popd
+
+%install
+# init scripts
+install -D -m 0755 %{SOURCE3} %{buildroot}/%{_unitdir}/%{name}.service
+install -D -m 0644 %{SOURCE4} %{buildroot}/%{_sysconfdir}/sysconfig/%{name}
+install -D -m 0644 %{SOURCE6} %{buildroot}/%{_sysconfdir}/logrotate.d/%{name}
+
+# config
+install -D -m 0600 %{SOURCE2} %{buildroot}/%{_sysconfdir}/%{name}/%{name}.conf
+
+# binary
+install -d %{buildroot}/%{_sbindir}
+install -m 0755 %{name}/wpa_passphrase %{buildroot}/%{_sbindir}
+install -m 0755 %{name}/wpa_cli %{buildroot}/%{_sbindir}
+install -m 0755 %{name}/wpa_supplicant %{buildroot}/%{_sbindir}
+install -m 0755 %{name}/eapol_test %{buildroot}/%{_sbindir}
+install -D -m 0644 %{name}/dbus/dbus-wpa_supplicant.conf %{buildroot}/%{_sysconfdir}/dbus-1/system.d/wpa_supplicant.conf
+install -D -m 0644 %{name}/dbus/fi.w1.wpa_supplicant1.service %{buildroot}/%{_datadir}/dbus-1/system-services/fi.w1.wpa_supplicant1.service
+install -D -m 0644 %{name}/dbus/fi.epitest.hostap.WPASupplicant.service %{buildroot}/%{_datadir}/dbus-1/system-services/fi.epitest.hostap.WPASupplicant.service
+
+%if %{build_gui}
+# gui
+install -d %{buildroot}/%{_bindir}
+install -m 0755 %{name}/wpa_gui-qt4/wpa_gui %{buildroot}/%{_bindir}
+%endif
+
+# running
+mkdir -p %{buildroot}/%{_localstatedir}/run/%{name}
+
+# man pages
+install -d %{buildroot}%{_mandir}/man{5,8}
+install -m 0644 %{name}/doc/docbook/*.8 %{buildroot}%{_mandir}/man8
+install -m 0644 %{name}/doc/docbook/*.5 %{buildroot}%{_mandir}/man5
+
+# some cleanup in docs and examples
+rm -f %{name}/doc/.cvsignore
+rm -rf %{name}/doc/docbook
+chmod -R 0644 %{name}/examples/*.py
+
+%post
+if [ $1 -eq 1 ] ; then
+ # Initial installation
+ /bin/systemctl daemon-reload >/dev/null 2>&1 || :
+fi
+
+%preun
+if [ $1 -eq 0 ] ; then
+ # Package removal, not upgrade
+ /bin/systemctl --no-reload disable wpa_supplicant.service > /dev/null 2>&1 || :
+ /bin/systemctl stop wpa_supplicant.service > /dev/null 2>&1 || :
+fi
+
+%postun
+/bin/systemctl daemon-reload >/dev/null 2>&1 || :
+if [ $1 -ge 1 ] ; then
+ # Package upgrade, not uninstall
+ /bin/systemctl try-restart wpa_supplicant.service >/dev/null 2>&1 || :
+fi
+
+%triggerun -- wpa_supplicant < 0.7.3-10
+# Save the current service runlevel info
+# User must manually run systemd-sysv-convert --apply wpa_supplicant
+# to migrate them to systemd targets
+/usr/bin/systemd-sysv-convert --save wpa_supplicant >/dev/null 2>&1 ||:
+
+# Run these because the SysV package being removed won't do them
+/sbin/chkconfig --del wpa_supplicant >/dev/null 2>&1 || :
+/bin/systemctl try-restart wpa_supplicant.service >/dev/null 2>&1 || :
+
+
+%files
+%doc COPYING %{name}/ChangeLog README %{name}/eap_testing.txt %{name}/todo.txt %{name}/wpa_supplicant.conf %{name}/examples
+%config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf
+%config(noreplace) %{_sysconfdir}/sysconfig/%{name}
+%config(noreplace) %{_sysconfdir}/logrotate.d/%{name}
+%{_unitdir}/%{name}.service
+%{_sysconfdir}/dbus-1/system.d/%{name}.conf
+%{_datadir}/dbus-1/system-services/fi.epitest.hostap.WPASupplicant.service
+%{_datadir}/dbus-1/system-services/fi.w1.wpa_supplicant1.service
+%{_sbindir}/wpa_passphrase
+%{_sbindir}/wpa_supplicant
+%{_sbindir}/wpa_cli
+%{_sbindir}/eapol_test
+%dir %{_localstatedir}/run/%{name}
+%dir %{_sysconfdir}/%{name}
+%{_mandir}/man8/*
+%{_mandir}/man5/*
+
+%if %{build_gui}
+%files gui
+%{_bindir}/wpa_gui
+%endif
+
+%changelog
+* Wed Oct 22 2014 Dan Williams - 1:2.0-14
+- Use os_exec() for action script execution (CVE-2014-3686)
+
+* Mon Jul 14 2014 Thomas Haller - 1:2.0-12
+- Mass rebuild 2014-01-24
+
+* Mon Jan 20 2014 Dan Williams - 1:2.0-11
+- Add eapol_test manpage (rh #948453)
+
+* Fri Dec 27 2013 Daniel Mach - 1:2.0-10
+- Mass rebuild 2013-12-27
+
+* Mon Dec 16 2013 Dan Williams - 1:2.0-9
+- Don't disconnect when PMKSA cache gets too large (rh #1032758) (rh #1016707)
+
+* Mon Dec 16 2013 Dan Winship - 1:2.0-8
+- Fill in some gaps in the man pages (rh #948453)
+
+* Wed Jul 10 2013 Dan Williams - 1:2.0-6
+- Enable full RELRO/PIE/PIC for wpa_supplicant and libeap
+- Fix changelog dates
+
+* Wed Jul 10 2013 Dan Williams - 1:2.0-5
+- Build and package eapol_test (rh #638218)
+
+* Wed Jul 10 2013 Dan Williams - 1:2.0-4
+- Disable WiMAX libeap hack for RHEL
+
+* Wed May 15 2013 Dan Williams - 1:2.0-3
+- Enable HT (802.11n) for AP mode
+
+* Tue May 7 2013 Dan Williams - 1:2.0-2
+- Use hardened build macros and ensure they apply to libeap too
+
+* Mon May 6 2013 Dan Williams - 1:2.0-1
+- Update to 2.0
+- Be less aggressive when roaming due to signal strength changes (rh #837402)
+
+* Mon Apr 1 2013 Dan Williams - 1:1.1-1
+- Update to 1.1
+- Be less aggressive when roaming due to signal strength changes
+
+* Fri Feb 15 2013 Fedora Release Engineering - 1:1.0-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Sun Jan 20 2013 Dan Horák - 1:1.0-3
+- rebuilt again for fixed soname in libnl3
+
+* Sun Jan 20 2013 Kalev Lember - 1:1.0-2
+- Rebuilt for libnl3
+
+* Wed Aug 29 2012 Dan Williams - 1:1.0-1
+- Enable lightweight AP mode support
+- Enable P2P (WiFi Direct) support
+- Enable RSN IBSS/AdHoc support
+
+* Sun Jul 22 2012 Fedora Release Engineering - 1:1.0-0.5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Tue May 1 2012 Dan Williams - 1:1.0-0.4
+- Update to wpa_supplicant 1.0-rc3
+- Fix systemd target dependencies (rh #815091)
+
+* Fri Mar 2 2012 Dan Williams - 1:1.0-0.3
+- Update to latest 1.0 git snapshot
+- Rebuild against libnl3
+
+* Thu Feb 2 2012 Dan Williams - 1:1.0-0.2
+- Fix driver fallback for non nl80211-based drivers (rh #783712)
+
+* Tue Jan 10 2012 Dan Williams - 1:1.0-0.1
+- Update to 1.0-rc1 + git
+
+* Fri Sep 9 2011 Tom Callaway - 1:0.7.3-11
+- add missing systemd scriptlets
+
+* Thu Sep 8 2011 Tom Callaway - 1:0.7.3-10
+- convert to systemd
+
+* Wed Jul 27 2011 Dan Williams - 1:0.7.3-9
+- Fix various crashes with D-Bus interface (rh #678625) (rh #725517)
+
+* Tue May 3 2011 Dan Williams - 1:0.7.3-8
+- Don't crash when trying to access invalid properties via D-Bus (rh #678625)
+
+* Mon May 2 2011 Dan Williams - 1:0.7.3-7
+- Make examples read-only to avoid erroneous python dependency (rh #687952)
+
+* Tue Apr 19 2011 Bill Nottingham - 1:0.7.3-6
+- Fix EAP patch to only apply when building libeap
+
+* Fri Mar 25 2011 Bill Nottingham - 1:0.7.3-5
+- Add libeap/libeap-devel subpackge for WiMAX usage
+
+* Mon Feb 07 2011 Fedora Release Engineering - 1:0.7.3-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Tue Jan 11 2011 Dan Williams - 1:0.7.3-3
+- Enable EAP-TNC (rh #659038)
+
+* Wed Dec 15 2010 Dan Williams - 1:0.7.3-2
+- Enable the bgscan_simple plugin
+
+* Wed Dec 8 2010 Dan Williams - 1:0.7.3-1
+- Update to 0.7.3
+- Drop upstreamed and backported patches
+- Drop support for Qt3
+
+* Thu Oct 7 2010 Peter Lemenkov - 1:0.6.8-11
+- Added comments to some patches (see rhbz #226544#c17)
+- Shortened %%install section a bit
+
+* Thu May 13 2010 Dan Williams - 1:0.6.8-10
+- Remove prereq on chkconfig
+- Build GUI with qt4 for rawhide (rh #537105)
+
+* Thu May 6 2010 Dan Williams - 1:0.6.8-9
+- Fix crash when interfaces are removed (like suspend/resume) (rh #589507)
+
+* Wed Jan 6 2010 Dan Williams - 1:0.6.8-8
+- Fix handling of newer PKCS#12 files (rh #541924)
+
+* Sun Nov 29 2009 Dan Williams - 1:0.6.8-7
+- Fix supplicant initscript return value (rh #521807)
+- Fix race when connecting to WPA-Enterprise/802.1x-enabled access points (rh #508509)
+- Don't double-scan when attempting to associate
+
+* Fri Aug 21 2009 Tomas Mraz - 1:0.6.8-6
+- rebuilt with new openssl
+
+* Mon Jul 27 2009 Fedora Release Engineering - 1:0.6.8-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Wed May 13 2009 Dan Williams - 1:0.6.8-4
+- Let D-Bus clients know when the supplicant is scanning
+
+* Tue May 12 2009 Dan Williams - 1:0.6.8-3
+- Ensure the supplicant starts and ends with clean driver state
+- Handle driver disconnect spammage by forcibly clearing SSID
+- Don't switch access points unless the current association is dire (rh #493745)
+
+* Tue May 12 2009 Dan Williams - 1:0.6.8-2
+- Avoid creating bogus Ad-Hoc networks when forcing the driver to disconnect (rh #497771)
+
+* Mon Mar 9 2009 Dan Williams - 1:0.6.8-1
+- Update to latest upstream release
+
+* Wed Feb 25 2009 Colin Walters - 1:0.6.7-4
+- Add patch from upstream to suppress unrequested replies, this
+ quiets a dbus warning.
+
+* Fri Feb 6 2009 Dan Williams - 1:0.6.7-3
+- Fix scan result retrieval in very dense wifi environments
+
+* Fri Feb 6 2009 Dan Williams - 1:0.6.7-2
+- Ensure that drivers don't retry association when they aren't supposed to
+
+* Fri Jan 30 2009 Dan Williams - 1:0.6.7-1
+- Fix PEAP connections to Windows Server 2008 authenticators (rh #465022)
+- Stop supplicant on uninstall (rh #447843)
+- Suppress scan results message in logs (rh #466601)
+
+* Sun Jan 18 2009 Tomas Mraz - 1:0.6.4-3
+- rebuild with new openssl
+
+* Wed Oct 15 2008 Dan Williams - 1:0.6.4-2
+- Handle encryption keys correctly when switching 802.11 modes (rh #459399)
+- Better scanning behavior on resume from suspend/hibernate
+- Better interaction with newer kernels and drivers
+
+* Wed Aug 27 2008 Dan Williams - 1:0.6.4-1
+- Update to 0.6.4
+- Remove 'hostap', 'madwifi', and 'prism54' drivers; use standard 'wext' instead
+- Drop upstreamed patches
+
+* Tue Jun 10 2008 Dan Williams - 1:0.6.3-6
+- Fix 802.11a frequency bug
+- Always schedule specific SSID scans to help find hidden APs
+- Properly switch between modes on mac80211 drivers
+- Give adhoc connections more time to assocate
+
+* Mon Mar 10 2008 Christopher Aillon - 1:0.6.3-5
+- BuildRequires qt3-devel
+
+* Sat Mar 8 2008 Dan Williams - 1:0.6.3-4
+- Fix log file path in service config file
+
+* Thu Mar 6 2008 Dan Williams - 1:0.6.3-3
+- Don't start the supplicant by default when installed (rh #436380)
+
+* Tue Mar 4 2008 Dan Williams - 1:0.6.3-2
+- Fix a potential use-after-free in the D-Bus byte array demarshalling code
+
+* Mon Mar 3 2008 Dan Williams - 1:0.6.3-1
+- Update to latest development release; remove upstreamed patches
+
+* Fri Feb 22 2008 Dan Williams 1:0.5.7-23
+- Fix gcc 4.3 rebuild issues
+
+* Mon Feb 18 2008 Fedora Release Engineering - 1:0.5.7-22
+- Autorebuild for GCC 4.3
+
+* Tue Dec 25 2007 Dan Williams - 0.5.7-21
+- Backport 'frequency' option for Ad-Hoc network configs
+
+* Mon Dec 24 2007 Dan Williams - 0.5.7-20
+- Fix LSB initscript header to ensure 'messagebus' is started first (rh #244029)
+
+* Thu Dec 6 2007 Dan Williams - 1:0.5.7-19
+- Fix two leaks when signalling state and scan results (rh #408141)
+- Add logrotate config file (rh #404181)
+- Add new LSB initscript header to initscript with correct deps (rh #244029)
+- Move other runtime arguments to /etc/sysconfig/wpa_supplicant
+- Start after messagebus service (rh #385191)
+- Fix initscript 'condrestart' command (rh #217281)
+
+* Tue Dec 4 2007 Matthias Clasen - 1:0.5.7-18
+- Rebuild against new openssl
+
+* Tue Dec 4 2007 Ville Skyttä - 1:0.5.7-17
+- Group: Application/System -> Applications/System in -gui.
+
+* Tue Nov 13 2007 Dan Williams - 0.5.7-16
+- Add IW_ENCODE_TEMP patch for airo driver and Dynamic WEP
+- Fix error in wpa_supplicant-0.5.7-ignore-dup-ca-cert-addition.patch that
+ caused the last error to not be printed
+- Fix wpa_supplicant-0.5.7-ignore-dup-ca-cert-addition.patch to ignore
+ duplicate cert additions for all certs and keys
+- Change license to BSD due to linkage against OpenSSL since there is no
+ OpenSSL exception in the GPLv2 license text that upstream ships
+
+* Sun Oct 28 2007 Dan Williams - 0.5.7-15
+- Fix Dynamic WEP associations with mac80211-based drivers
+
+* Sun Oct 28 2007 Dan Williams - 0.5.7-14
+- Don't error an association on duplicate CA cert additions
+
+* Wed Oct 24 2007 Dan Williams - 0.5.7-13
+- Correctly set the length of blobs added via the D-Bus interface
+
+* Wed Oct 24 2007 Dan Williams - 0.5.7-12
+- Fix conversion of byte arrays to strings by ensuring the buffer is NULL
+ terminated after conversion
+
+* Sat Oct 20 2007 Dan Williams - 0.5.7-11
+- Add BLOB support to the D-Bus interface
+- Fix D-Bus interface permissions so that only root can use the wpa_supplicant
+ D-Bus interface
+
+* Tue Oct 9 2007 Dan Williams - 0.5.7-10
+- Don't segfault with dbus control interface enabled and invalid network
+ interface (rh #310531)
+
+* Tue Sep 25 2007 Dan Williams - 0.5.7-9
+- Always allow explicit wireless scans triggered from a control interface
+
+* Thu Sep 20 2007 Dan Williams - 0.5.7-8
+- Change system bus activation file name to work around D-Bus bug that fails
+ to launch services unless their .service file is named the same as the
+ service itself
+
+* Fri Aug 24 2007 Dan Williams - 0.5.7-7
+- Make SIGUSR1 change debug level on-the-fly; useful in combination with
+ the -f switch to log output to /var/log/wpa_supplicant.log
+- Stop stripping binaries on install so we get debuginfo packages
+- Remove service start requirement for interfaces & devices from sysconfig file,
+ since wpa_supplicant's D-Bus interface is now turned on
+
+* Fri Aug 17 2007 Dan Williams - 0.5.7-6
+- Fix compilation with RPM_OPT_FLAGS (rh #249951)
+- Make debug output to logfile a runtime option
+
+* Fri Aug 17 2007 Christopher Aillon - 0.5.7-5
+- Update the license tag
+
+* Tue Jun 19 2007 Dan Williams - 0.5.7-4
+- Fix initscripts to use -Dwext by default, be more verbose on startup
+ (rh #244511)
+
+* Mon Jun 4 2007 Dan Williams - 0.5.7-3
+- Fix buffer overflow by removing syslog patch (#rh242455)
+
+* Mon Apr 9 2007 Dan Williams - 0.5.7-2
+- Add patch to send output to syslog
+
+* Thu Mar 15 2007 Dan Williams - 0.5.7-1
+- Update to 0.5.7 stable release
+
+* Fri Oct 27 2006 Dan Williams - 0.4.9-1
+- Update to 0.4.9 for WE-21 fixes, remove upstreamed patches
+- Don't package doc/ because they aren't actually wpa_supplicant user documentation,
+ and becuase it pulls in perl
+
+* Wed Jul 12 2006 Jesse Keating - 0.4.8-10.1
+- rebuild
+
+* Thu Apr 27 2006 Dan Williams - 0.4.8-10
+- Add fix for madwifi and WEP (wpa_supplicant/hostap bud #140) (#rh190075#)
+- Fix up madwifi-ng private ioctl()s for r1331 and later
+- Update madwifi headers to r1475
+
+* Tue Apr 25 2006 Dan Williams - 0.4.8-9
+- Enable Wired driver, PKCS12, and Smartcard options (#rh189805#)
+
+* Tue Apr 11 2006 Dan Williams - 0.4.8-8
+- Fix control interface key obfuscation a bit
+
+* Sun Apr 2 2006 Dan Williams - 0.4.8-7
+- Work around older & incorrect drivers that return null-terminated SSIDs
+
+* Mon Mar 27 2006 Dan Williams - 0.4.8-6
+- Add patch to make orinoco happy with WEP keys
+- Enable Prism54-specific driver
+- Disable ipw-specific driver; ipw2x00 should be using WEXT instead
+
+* Fri Mar 3 2006 Dan Williams - 0.4.8-5
+- Increase association timeout, mainly for drivers that don't
+ fully support WPA ioctls yet
+
+* Fri Mar 3 2006 Dan Williams - 0.4.8-4
+- Add additional BuildRequires #rh181914#
+- Add prereq on chkconfig #rh182905# #rh182906#
+- Own /var/run/wpa_supplicant and /etc/wpa_supplicant #rh183696#
+
+* Wed Mar 1 2006 Dan Williams - 0.4.8-3
+- Install wpa_passphrase too #rh183480#
+
+* Mon Feb 27 2006 Dan Williams - 0.4.8-2
+- Don't expose private data on the control interface unless requested
+
+* Fri Feb 24 2006 Dan Williams - 0.4.8-1
+- Downgrade to 0.4.8 stable release rather than a dev release
+
+* Sun Feb 12 2006 Dan Williams - 0.5.1-3
+- Documentation cleanup (Terje Rosten )
+
+* Sun Feb 12 2006 Dan Williams - 0.5.1-2
+- Move initscript to /etc/rc.d/init.d
+
+* Fri Feb 10 2006 Jesse Keating - 0.5.1-1.2
+- bump again for double-long bug on ppc(64)
+
+* Tue Feb 07 2006 Jesse Keating - 0.5.1-1.1
+- rebuilt for new gcc4.1 snapshot and glibc changes
+
+* Sun Feb 5 2006 Dan Williams 0.5.1-1
+- Update to 0.5.1
+- Add WE auth fallback to actually work with older drivers
+
+* Thu Jan 26 2006 Dan Williams 0.4.7-2
+- Bring package into Fedora Core
+- Add ap_scan control interface patch
+- Enable madwifi-ng driver
+
+* Sun Jan 15 2006 Douglas E. Warner 0.4.7-1
+- upgrade to 0.4.7
+- added package w/ wpa_gui in it
+
+* Mon Nov 14 2005 Douglas E. Warner 0.4.6-1
+- upgrade to 0.4.6
+- adding ctrl interface changes recommended
+ by Hugo Paredes
+
+* Sun Oct 9 2005 Douglas E. Warner 0.4.5-1
+- upgrade to 0.4.5
+- updated config file wpa_supplicant is built with
+ especially, the ipw2100 driver changed to just ipw
+ and enabled a bunch more EAP
+- disabled dist tag
+
+* Thu Jun 30 2005 Douglas E. Warner 0.4.2-3
+- fix typo in init script
+
+* Thu Jun 30 2005 Douglas E. Warner 0.4.2-2
+- fixing init script using fedora-extras' template
+- removing chkconfig default startup
+
+* Tue Jun 21 2005 Douglas E. Warner 0.4.2-1
+- upgrade to 0.4.2
+- new sample conf file that will use any unrestricted AP
+- make sysconfig config entry
+- new BuildRoot for Fedora Extras
+- adding dist tag to Release
+
+* Fri May 06 2005 Douglas E. Warner 0.3.8-1
+- upgrade to 0.3.8
+
+* Thu Feb 10 2005 Douglas E. Warner 0.3.6-2
+- compile ipw driver in
+
+* Wed Feb 09 2005 Douglas E. Warner 0.3.6-1
+- upgrade to 0.3.6
+
+* Thu Dec 23 2004 Douglas E. Warner 0.2.5-4
+- fixing init script
+
+* Mon Dec 20 2004 Douglas E. Warner 0.2.5-3
+- fixing init script
+- adding post/preun items to add/remove via chkconfig
+
+* Mon Dec 20 2004 Douglas E. Warner 0.2.5-2
+- adding sysV scripts
+
+* Mon Dec 20 2004 Douglas E. Warner 0.2.5-1
+- Initial RPM release.
+
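Review bot: The unit file is installed executable in %install: `install -D -m 0755 %{SOURCE3} %{buildroot}/%{_unitdir}/%{name}.service`, under a leftover `# init scripts` comment. Unit files are read as configuration and never executed, and systemd warns about executable ones; `install -D -m 0644 %{SOURCE3} %{buildroot}/%{_unitdir}/%{name}.service` matches the sysconfig and logrotate files installed on the next two lines. Separately, `Source0` is an `http://` URL and %prep runs only %setup and the patches, so the tarball's integrity rests on the checksum recorded in the metadata file added by this commit.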