From: Joseph Mingrone
Date: Thu, 17 Nov 2016 17:43:33 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r426292 - in head/security/wpa_supplicant: . files

Author: jrm
Date: Thu Nov 17 17:43:32 2016
New Revision: 426292
URL: https://svnweb.freebsd.org/changeset/ports/426292

Log:
  security/wpa_supplicant: Update to version 2.6 and patch for LibreSSL support

  Port changes:
  - Remove patches that have been incorporated upstream
  - Add patches for LibreSSL support

  Approved by: AMDmi3 (mentor)
  Differential Revision: https://reviews.freebsd.org/D8451

Added:
  head/security/wpa_supplicant/files/patch-src_crypto_crypto__openssl.c (contents, props changed)
Deleted:
  head/security/wpa_supplicant/files/patch-2015-6-backported-WNM-Ignore-Key-Data-in-WNM-Sleep-Mode-Response-frame
  head/security/wpa_supplicant/files/patch-2015-7-EAP-pwd-peer-Fix-last-fragment-length-validation
  head/security/wpa_supplicant/files/patch-2015-7-EAP-pwd-server-Fix-last-fragment-length-validation
  head/security/wpa_supplicant/files/patch-2015-8-EAP-pwd-peer-Fix-error-path-for-unexpected-Confirm-m
  head/security/wpa_supplicant/files/patch-2016_1_1-WPS-Reject-a-Credential-with-invalid-passphrase
  head/security/wpa_supplicant/files/patch-2016_1_2-Reject-psk-parameter-set-with-invalid-passphrase-cha
  head/security/wpa_supplicant/files/patch-2016_1_3-Remove-newlines-from-wpa_supplicant-config-network-o
  head/security/wpa_supplicant/files/patch-2016_1_4-Reject-SET_CRED-commands-with-newline-characters-in
head/security/wpa_supplicant/files/patch-2016_1_5-Reject-SET-commands-with-newline-characters-in-the-s head/security/wpa_supplicant/files/patch-src_utils_os__unix.c Modified: head/security/wpa_supplicant/Makefile head/security/wpa_supplicant/distinfo (contents, props changed) head/security/wpa_supplicant/files/patch-src_crypto_tls__openssl.c head/security/wpa_supplicant/files/patch-wpa__supplicant_main.c Modified: head/security/wpa_supplicant/Makefile ============================================================================== --- head/security/wpa_supplicant/Makefile Thu Nov 17 16:56:26 2016 (r426291) +++ head/security/wpa_supplicant/Makefile Thu Nov 17 17:43:32 2016 (r426292) @@ -1,8 +1,7 @@ # $FreeBSD$ PORTNAME= wpa_supplicant -PORTVERSION= 2.5 -PORTREVISION= 2 +PORTVERSION= 2.6 CATEGORIES= security net MASTER_SITES= http://w1.fi/releases/ @@ -96,15 +95,22 @@ PRIVSEP_PLIST_FILES= sbin/wpa_priv .include +.if ${PORT_OPTIONS:MNDIS} && ${PORT_OPTIONS:MPRIVSEP} +BROKEN= Fails to compile with both NDIS and PRIVSEP +.endif + +.if ${PORT_OPTIONS:MIEEE80211AC} && ${PORT_OPTIONS:MIEEE80211N} +BROKEN= Fails to compile with both IEEE80211AC and IEEE80211N +.endif + .if ${PORT_OPTIONS:MSIM} || ${PORT_OPTIONS:MAKA} || ${PORT_OPTIONS:MAKA_PRIME} LIB_DEPENDS+= libpcsclite.so:devel/pcsc-lite CFLAGS+= -I${LOCALBASE}/include/PCSC LDFLAGS+= -L${LOCALBASE}/lib .endif - post-patch: - ${CP} ${FILESDIR}/Packet32.[ch] ${FILESDIR}/ntddndis.h \ + @${CP} ${FILESDIR}/Packet32.[ch] ${FILESDIR}/ntddndis.h \ ${WRKSRC}/src/utils # Set driver(s) .for item in BSD NDIS WIRED ROBOSWITCH TEST NONE 
@@ -157,12 +163,12 @@ do-install: ${INSTALL_DATA} ${BUILD_WRKSRC}/wpa_supplicant.conf \ ${STAGEDIR}${PREFIX}/etc/wpa_supplicant.conf.sample -do-install-PRIVSEP-on: - ${INSTALL_PROGRAM} ${BUILD_WRKSRC}/wpa_priv ${STAGEDIR}${PREFIX}/sbin - do-install-DOCS-on: @${MKDIR} ${STAGEDIR}${DOCSDIR} (cd ${BUILD_WRKSRC} && \ ${INSTALL_DATA} ${PORTDOCS} ${STAGEDIR}${DOCSDIR}) +do-install-PRIVSEP-on: + ${INSTALL_PROGRAM} ${BUILD_WRKSRC}/wpa_priv ${STAGEDIR}${PREFIX}/sbin + .include Modified: head/security/wpa_supplicant/distinfo ============================================================================== --- head/security/wpa_supplicant/distinfo Thu Nov 17 16:56:26 2016 (r426291) +++ head/security/wpa_supplicant/distinfo Thu Nov 17 17:43:32 2016 (r426292) @@ -1,2 +1,3 @@ -SHA256 (wpa_supplicant-2.5.tar.gz) = cce55bae483b364eae55c35ba567c279be442ed8bab5b80a3c7fb0d057b9b316 -SIZE (wpa_supplicant-2.5.tar.gz) = 2607336 +TIMESTAMP = 1478049569 +SHA256 (wpa_supplicant-2.6.tar.gz) = b4936d34c4e6cdd44954beba74296d964bc2c9668ecaa5255e499636fe2b1450 +SIZE (wpa_supplicant-2.6.tar.gz) = 2753524 Added: head/security/wpa_supplicant/files/patch-src_crypto_crypto__openssl.c ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/wpa_supplicant/files/patch-src_crypto_crypto__openssl.c Thu Nov 17 17:43:32 2016 (r426292) 
@@ -0,0 +1,20 @@ +--- src/crypto/crypto_openssl.c.orig 2016-11-02 18:04:18 UTC ++++ src/crypto/crypto_openssl.c +@@ -611,7 +611,7 @@ void crypto_cipher_deinit(struct crypto_ + + void * dh5_init(struct wpabuf **priv, struct wpabuf **publ) + { +-#if OPENSSL_VERSION_NUMBER < 0x10100000L ++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) + DH *dh; + struct wpabuf *pubkey = NULL, *privkey = NULL; + size_t publen, privlen; +@@ -712,7 +712,7 @@ err: + + void * dh5_init_fixed(const struct wpabuf *priv, const struct wpabuf *publ) + { +-#if OPENSSL_VERSION_NUMBER < 0x10100000L ++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) + DH *dh; + + dh = DH_new(); Modified: head/security/wpa_supplicant/files/patch-src_crypto_tls__openssl.c ============================================================================== --- head/security/wpa_supplicant/files/patch-src_crypto_tls__openssl.c Thu Nov 17 16:56:26 2016 (r426291) +++ head/security/wpa_supplicant/files/patch-src_crypto_tls__openssl.c Thu Nov 17 17:43:32 2016 (r426292) 
@@ -1,67 +1,29 @@ -Compatibility fixes for LibreSSL - ---- src/crypto/tls_openssl.c.orig 2015-09-27 19:02:05 UTC +--- src/crypto/tls_openssl.c.orig 2016-11-02 18:46:25 UTC +++ src/crypto/tls_openssl.c -@@ -2229,7 +2229,7 @@ static int tls_parse_pkcs12(struct tls_d - } - - if (certs) { --#if OPENSSL_VERSION_NUMBER >= 0x10002000L -+#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) - SSL_clear_chain_certs(ssl); - while ((cert = sk_X509_pop(certs)) != NULL) { - X509_NAME_oneline(X509_get_subject_name(cert), buf, -@@ -2247,7 +2247,7 @@ static int tls_parse_pkcs12(struct tls_d - /* Try to continue anyway */ +@@ -919,7 +919,7 @@ void * tls_init(const struct tls_config } - sk_X509_free(certs); --#ifndef OPENSSL_IS_BORINGSSL -+#if !defined(OPENSSL_IS_BORINGSSL) && !defined(LIBRESSL_VERSION_NUMBER) - res = SSL_build_cert_chain(ssl, - SSL_BUILD_CHAIN_FLAG_CHECK | - SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR); -@@ -2812,7 +2812,7 @@ int tls_connection_get_random(void *ssl_ - if (conn == NULL || keys == NULL) - return -1; - ssl = conn->ssl; + #endif /* OPENSSL_FIPS */ + #endif /* CONFIG_FIPS */ -#if OPENSSL_VERSION_NUMBER < 0x10100000L +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - if (ssl == NULL || ssl->s3 == NULL || ssl->session == NULL) - return -1; + SSL_load_error_strings(); + SSL_library_init(); + #ifndef OPENSSL_NO_SHA256 +@@ -1043,7 +1043,7 @@ void tls_deinit(void *ssl_ctx) -@@ -2841,7 +2841,7 @@ int tls_connection_get_random(void *ssl_ - #ifndef CONFIG_FIPS - static int openssl_get_keyblock_size(SSL *ssl) - { --#if OPENSSL_VERSION_NUMBER < 0x10100000L -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - const EVP_CIPHER *c; - const EVP_MD *h; - int md_size; -@@ -2911,7 +2911,7 @@ static int openssl_tls_prf(struct tls_co - "mode"); - return -1; - #else /* CONFIG_FIPS */ + tls_openssl_ref_count--; + if (tls_openssl_ref_count == 0) { -#if OPENSSL_VERSION_NUMBER < 0x10100000L +#if 
OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - SSL *ssl; - u8 *rnd; - int ret = -1; -@@ -3394,7 +3394,7 @@ int tls_connection_set_cipher_list(void + #ifndef OPENSSL_NO_ENGINE + ENGINE_cleanup(); + #endif /* OPENSSL_NO_ENGINE */ +@@ -3976,7 +3976,7 @@ int tls_connection_set_params(void *tls_ + engine_id = "pkcs11"; - wpa_printf(MSG_DEBUG, "OpenSSL: cipher suites: %s", buf + 1); - --#if OPENSSL_VERSION_NUMBER >= 0x10100000L -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) #if defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || defined(EAP_SERVER_FAST) - if (os_strstr(buf, ":ADH-")) { - /* -@@ -3977,7 +3977,7 @@ static int tls_sess_sec_cb(SSL *s, void - struct tls_connection *conn = arg; - int ret; - -#if OPENSSL_VERSION_NUMBER < 0x10100000L +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - if (conn == NULL || conn->session_ticket_cb == NULL) - return 0; - + if (params->flags & TLS_CONN_EAP_FAST) { + wpa_printf(MSG_DEBUG, + "OpenSSL: Use TLSv1_method() for EAP-FAST"); Modified: head/security/wpa_supplicant/files/patch-wpa__supplicant_main.c ============================================================================== --- head/security/wpa_supplicant/files/patch-wpa__supplicant_main.c Thu Nov 17 16:56:26 2016 (r426291) +++ head/security/wpa_supplicant/files/patch-wpa__supplicant_main.c Thu Nov 17 17:43:32 2016 (r426292) 
@@ -1,6 +1,25 @@ ---- wpa_supplicant/main.c.orig 2015-03-15 17:30:39 UTC +--- wpa_supplicant/main.c.orig 2016-11-05 20:56:30 UTC +++ wpa_supplicant/main.c -@@ -173,6 +173,11 @@ int main(int argc, char *argv[]) +@@ -66,7 +66,7 @@ static void usage(void) + " -c = Configuration file\n" + " -C = ctrl_interface parameter (only used if -c is not)\n" + " -d = increase debugging verbosity (-dd even more)\n" +- " -D = driver name (can be multiple drivers: nl80211,wext)\n" ++ " -D = driver name (can be multiple drivers: bsd,wired)\n" + " -e = entropy file\n" + #ifdef CONFIG_DEBUG_FILE + " -f = log output to debug file instead of stdout\n" +@@ -105,8 +105,7 @@ static void usage(void) + " -W = wait for a control interface monitor before starting\n"); + + printf("example:\n" +- " wpa_supplicant -D%s -iwlan0 -c/etc/wpa_supplicant.conf\n", +- wpa_drivers[0] ? wpa_drivers[0]->name : "nl80211"); ++ " wpa_supplicant -Dbsd -iwlan0 -c/etc/wpa_supplicant.conf\n"); + #endif /* CONFIG_NO_STDOUT_DEBUG */ + } + +@@ -199,6 +198,11 @@ int main(int argc, char *argv[]) wpa_supplicant_fd_workaround(1); @@ -11,4 +30,4 @@ + for (;;) { c = getopt(argc, argv, - "b:Bc:C:D:de:f:g:G:hi:I:KLm:No:O:p:P:qsTtuvW"); + "b:Bc:C:D:de:f:g:G:hi:I:KLMm:No:O:p:P:qsTtuvW");
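
Review bot: In the Makefile hunk at @@ -96,15 +95,22 @@, the two new BROKEN blocks mark the whole port broken for what is really a conflict between options (NDIS with PRIVSEP, IEEE80211AC with IEEE80211N), and neither message says what fails or whether the limitation is upstream's. If bsd.options.mk at this revision provides the OPT_PREVENTS / OPT_PREVENTS_MSG helpers, declaring the conflict there would stop the user at configuration time with a clear message; otherwise extend the BROKEN text with the failing file or symbol so the next maintainer can tell when the restriction can be lifted.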
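
Review bot: The new SHA256 line in the distinfo hunk is the only integrity check on wpa_supplicant-2.6.tar.gz, because the Makefile context shows MASTER_SITES= http://w1.fi/releases/ fetching the tarball over plain HTTP, and nothing in the log records how the hash was obtained. Please note in the review how the value was checked (for example against an independently fetched copy or a checksum published by upstream), and switch MASTER_SITES to an https URL if upstream serves the releases that way.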
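
Review bot: In the new files/patch-src_crypto_crypto__openssl.c, both guards (dh5_init and dh5_init_fixed) use an unbounded defined(LIBRESSL_VERSION_NUMBER), so every LibreSSL release, present and future, is pinned to the pre-1.1.0 code path even after LibreSSL gains the newer DH accessors. LibreSSL reports OPENSSL_VERSION_NUMBER as 0x20000000L, which is why the extra test is needed at all, but it would age better as defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < (first release with the 1.1.0 API). The patch file also has no description line; a one-line header saying it is a LibreSSL compatibility change, and whether it was sent upstream, would help.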
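
Review bot: In files/patch-src_crypto_tls__openssl.c, the last hunk (tls_connection_set_params, @@ -3976,7 +3976,7 @@) is more than an API shim: judging by the debug string in its context, "OpenSSL: Use TLSv1_method() for EAP-FAST", the added || defined(LIBRESSL_VERSION_NUMBER) makes LibreSSL builds take the branch that selects TLSv1_method() for EAP-FAST connections. That may be intended, but it is a protocol-version decision and deserves a sentence in the patch header. The header itself ("Compatibility fixes for LibreSSL") is deleted by this change and should stay. The rewrite also drops the earlier LibreSSL guards in tls_parse_pkcs12, tls_connection_get_random, openssl_get_keyblock_size, openssl_tls_prf, tls_connection_set_cipher_list and tls_sess_sec_cb; please confirm that 2.6 builds and behaves correctly against LibreSSL at each of those sites without them.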
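
Review bot: In files/patch-wpa__supplicant_main.c, the usage() hunks hard-code "bsd,wired" and -Dbsd, replacing upstream's wpa_drivers[0] ? wpa_drivers[0]->name : "nl80211" lookup, while the Makefile context shows the driver set is selectable (.for item in BSD NDIS WIRED ROBOSWITCH TEST NONE). A build without the BSD driver will then print an example naming a driver it does not contain. Keeping the wpa_drivers[0] lookup and changing only the "nl80211" fallback to "bsd" gives the same FreeBSD-friendly text without that mismatch and makes the local patch smaller to carry across future updates.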