mid-kid
7 years ago
commit
5326dbf93d
23 changed files with 634 additions and 0 deletions
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
@ -0,0 +1,226 @@ |
|||
WPA packet number reuse with replayed messages and key reinstallation |
|||
|
|||
Published: October 16, 2017 |
|||
Identifiers: |
|||
- CERT case ID: VU#228519 |
|||
- CVE-2017-13077 |
|||
- CVE-2017-13078 |
|||
- CVE-2017-13079 |
|||
- CVE-2017-13080 |
|||
- CVE-2017-13081 |
|||
- CVE-2017-13082 |
|||
- CVE-2017-13084 (not applicable) |
|||
- CVE-2017-13086 |
|||
- CVE-2017-13087 |
|||
- CVE-2017-13088 |
|||
Latest version available from: https://w1.fi/security/2017-1/ |
|||
|
|||
|
|||
Vulnerability |
|||
|
|||
A vulnerability was found in how a number of implementations can be |
|||
triggered to reconfigure WPA/WPA2/RSN keys (TK, GTK, or IGTK) by |
|||
replaying a specific frame that is used to manage the keys. Such |
|||
reinstallation of the encryption key can result in two different types |
|||
of vulnerabilities: disabling replay protection and significantly |
|||
reducing the security of encryption to the point of allowing frames to |
|||
be decrypted or some parts of the keys to be determined by an attacker |
|||
depending on which cipher is used. |
|||
|
|||
This document focuses on the cases that apply to systems using hostapd |
|||
(AP) or wpa_supplicant (station), but it should be noted that the |
|||
generic vulnerability itself is applicable to other implementations and |
|||
may have different impact in other cases. |
|||
|
|||
This vulnerability can in theory apply to any case where a TK (the |
|||
pairwise/unicast encryption key used with TKIP, CCMP, GCMP), a GTK |
|||
(group/multicast encryption key), or an IGTK (group management frame |
|||
integrity protection key) is configured by the Authentication/Supplicant |
|||
component to the WLAN driver/firmware taking care of the TX/RX path and |
|||
encryption/decryption of frames. |
|||
|
|||
If the same key is configured multiple times, it is likely that the |
|||
transmit and receive packet numbers (PN, IPN, RSC/TSC, etc.) are cleared |
|||
to a smaller value (zero in case of pairwise keys, zero or at least a |
|||
smaller value than the last used value in case of group keys). When this |
|||
happens with the same key, this breaks replay protection on RX side and |
|||
can result in reuse of packet numbers on TX side. The former may allow |
|||
replaying of previously delivered packets (without the attacker being |
|||
able to decrypt them or modify their contents) while the latter may |
|||
result in more severe issues on the TX side due to resulting CCM nonce |
|||
replay and related issues with GCMP and TKIP. The TX side issue may make |
|||
it significantly easier for the attacker to decrypt frames and determine |
|||
some parts of the keys (e.g., a Michael MIC key in case of TKIP). |
|||
|
|||
Impact on AP/hostapd |
|||
|
|||
On the AP side, this generic issue has been determined to be applicable |
|||
in the case where hostapd is used to operate an RSN/WPA2 network with FT |
|||
(Fast BSS Transition from IEEE 802.11r) enabled. Replaying of the |
|||
Reassociation Request frame can be used to get the AP reinstalling the |
|||
TK which results in the AP accepting previously delivered unicast frames |
|||
from the station and the AP reusing previously used packet numbers |
|||
(local TX packet number gets reset to zero). This latter issue on the TX |
|||
side can result in CCM nonce reuse which invalidates CCMP security |
|||
properties. In case of TKIP this can result in the attacker being able |
|||
to determine part of the TK more easily and with GCMP, result in similar |
|||
issues. |
|||
|
|||
It should be noted that the AP side issue with FT would be close to |
|||
applying to FILS authentication (from IEEE 802.11ai) in hostapd with |
|||
replaying of (Re)Association Request frames. However, due to a different |
|||
handling of the repeated association processing with FILS, this would |
|||
actually result in the station getting immediately disconnected which |
|||
prevents this attack in practice. In addition, the FILS implementation |
|||
in the current hostapd version is still experimental and documented as |
|||
being discouraged in production use cases. |
|||
|
|||
Another area of potentially reduced security was identified when looking |
|||
into these issues. When AP/Authenticator implementation in hostapd is |
|||
requested to rekey the PTK without performing EAP reauthentication |
|||
(either through local periodic rekeying or due to a request from an |
|||
association station), the ANonce value does not get updated. This |
|||
results in the new 4-way handshake depending on the station/supplicant |
|||
side generating a new, unique (for the current PMK/PSK) SNonce for the |
|||
PTK derivation to result in a new key. While a properly working |
|||
supplicant would do so, if there is a supplicant implementation that |
|||
does not, this combination could result in deriving the same PTK |
|||
again. When the TK from that PTK gets configured in the driver, this |
|||
would result in reinstalling the same key and the same issues as |
|||
described above for the FT protocol case. |
|||
|
|||
Impact on station/wpa_supplicant |
|||
|
|||
On the station side, this generic issue has been determined to be |
|||
applicable in the cases where wpa_supplicant processes a group key (GTK |
|||
or IGTK) update from the AP. An attacker that is able to limit access |
|||
to frame delivery may be able to extract two update messages and deliver |
|||
those to the station with significant time delay between them. When |
|||
wpa_supplicant processes the second message, it may end up reinstalling |
|||
the same key to the driver and when doing this, clear the RX packet |
|||
number to an old value. This would allow the attacker to replay all |
|||
group-addressed frames that the AP sent between the time the key update |
|||
message was originally sent and the time when the attacker forwarded the |
|||
second frame to the station. The attacker would not be able to decrypt |
|||
or modify the frames based on this vulnerability, though. There is an |
|||
exception to this with older wpa_supplicant versions as noted below in |
|||
version specific notes. |
|||
|
|||
For the current wpa_supplicant version (v2.6), there is also an |
|||
additional EAPOL-Key replay sequence where an additional forged |
|||
EAPOL-Key message can be used to bypass the existing protection for the |
|||
pairwise key reconfiguration in a manner that ends up configuring a |
|||
known TK that an attacker could use to decrypt any frame sent by the |
|||
station and to inject arbitrary unicast frames. Similar issues are |
|||
reachable in older versions as noted below. |
|||
|
|||
PeerKey / TDLS PeerKey |
|||
|
|||
As far as the related CVE-2017-13084 (reinstallation of the STK key in |
|||
the PeerKey handshake) is concerned, it should be noted that PeerKey |
|||
implementation in wpa_supplicant is not fully functional and the actual |
|||
installation of the key into the driver does not work. As such, this |
|||
item is not applicable in practice. Furthermore, the PeerKey handshake |
|||
for IEEE 802.11e DLS is obsolete and not known to have been deployed. |
|||
|
|||
As far as the TDLS PeerKey handshake is concerned (CVE-2017-13086), |
|||
wpa_supplicant implementation is already rejecting TPK M2 retries, so |
|||
the reconfiguration issue cannot apply for it. For TPK M3, there is a |
|||
theoretical impact. However, if that frame is replayed, the current |
|||
wpa_supplicant implementation ends up tearing down the TDLS link |
|||
immediately and as such, there is no real window for performing the |
|||
attack. Furthermore, TPK M3 goes through the AP path and if RSN is used |
|||
there, that frame has replay protection, so the attacker could not |
|||
perform the attack. If the AP path were to use WEP, the frame could be |
|||
replayed, though. That said, if WEP is used on the AP path, it would be |
|||
fair to assume that there is no security in the network, so a new attack |
|||
vector would be of small additional value. |
|||
|
|||
With older wpa_supplicant versions, it may be possible for an attacker |
|||
to cause TPK M2 to be retransmitted with delay that would be able to |
|||
trigger reinstallation of TK on the peer receiving TPK M2 |
|||
(CVE-2017-13086). This may open a short window for the attack with v2.3, |
|||
v2.4, and v2.5; and a longer window with older versions. |
|||
|
|||
Vulnerable versions/configurations |
|||
|
|||
For the AP/Authenticator TK (unicast) reinstallation in FT protocol |
|||
(CVE-2017-13082): |
|||
|
|||
hostapd v0.7.2 and newer with FT enabled (i.e., practically all versions |
|||
that include full FT implementation). FT needs to be enabled in the |
|||
runtime configuration to make this applicable. |
|||
|
|||
For the AP/Authenticator missing ANonce during PTK rekeying: |
|||
|
|||
All hostapd versions. |
|||
|
|||
For the station/Supplicant side GTK/IGTK reinstallation and TK |
|||
configuration: |
|||
|
|||
All wpa_supplicant versions. The impact on older versions can be more |
|||
severe due to earlier changes in this area: v2.3 and older can also |
|||
reinstall the pairwise key and as such have similar impact as the AP FT |
|||
case (CVE-2017-13077); v2.4 and v2.5 end up configuring an all-zero TK |
|||
which breaks the normal data path, but could allow an attacker to |
|||
decrypt all following frames from the station and to inject arbitrary |
|||
frames to the station. In addition, a different message sequence |
|||
involving 4-way handshake can result in configuration of an all-zero TK |
|||
in v2.6 and the current snapshot of the development repository as of the |
|||
publication of this advisory. |
|||
|
|||
|
|||
Acknowledgments |
|||
|
|||
Thanks to Mathy Vanhoef of the imec-DistriNet research group of KU |
|||
Leuven for discovering and reporting this issue. Thanks to John A. Van |
|||
Boxtel for finding additional issues related to this topic. |
|||
|
|||
|
|||
Possible mitigation steps |
|||
|
|||
- For AP/hostapd and FT replay issue (CVE-2017-13082), it is possible to |
|||
prevent the issue temporarily by disabling FT in runtime |
|||
configuration, if needed before being able to update the |
|||
implementations. |
|||
|
|||
- Merge the following commits to hostapd/wpa_supplicant and rebuild them: |
|||
|
|||
hostapd and replayed FT reassociation request frame (CVE-2017-13082): |
|||
hostapd: Avoid key reinstallation in FT handshake |
|||
|
|||
hostapd PTK rekeying and ANonce update: |
|||
Fix PTK rekeying to generate a new ANonce |
|||
|
|||
wpa_supplicant and GTK/IGTK rekeying (CVE-2017-13078, CVE-2017-13079, |
|||
CVE-2017-13080, CVE-2017-13081, CVE-2017-13087, CVE-2017-13088): |
|||
Prevent reinstallation of an already in-use group key |
|||
Extend protection of GTK/IGTK reinstallation of WNM-Sleep Mode cases |
|||
|
|||
wpa_supplicant (v2.6 or newer snapshot) and known TK issue: |
|||
Prevent installation of an all-zero TK |
|||
|
|||
Additional protection steps for wpa_supplicant: |
|||
TDLS: Reject TPK-TK reconfiguration |
|||
WNM: Ignore WNM-Sleep Mode Response without pending request |
|||
FT: Do not allow multiple Reassociation Response frames |
|||
|
|||
These patches are available from https://w1.fi/security/2017-1/ |
|||
(both against the snapshot of hostap.git master branch and rebased on |
|||
top of the v2.6 release) |
|||
|
|||
For the TDLS TPK M2 retransmission issue (CVE-2017-13086) with older |
|||
wpa_supplicant versions, consider updating to the latest version or |
|||
merge in a commit that is present in v2.6: |
|||
https://w1.fi/cgit/hostap/commit/?id=dabdef9e048b17b22b1c025ad592922eab30dda8 |
|||
('TDLS: Ignore incoming TDLS Setup Response retries') |
|||
|
|||
- Update to hostapd/wpa_supplicant v2.7 or newer, once available |
|||
* it should be noted that there are number of additional changes in |
|||
the related areas of the implementation to provide extra layer of |
|||
protection for potential unknown issues; these changes are not |
|||
included in this advisory as they have not been identified to be |
|||
critical for preventing any of the identified security |
|||
vulnerabilities; however, users of hostapd/wpa_supplicant are |
|||
encouraged to consider merging such changes even if not fully |
|||
moving to v2.7 |
@ -0,0 +1,55 @@ |
|||
================================================= |
|||
How do I get my card to use WPA-PSK in Slackware? |
|||
================================================= |
|||
|
|||
First off: wpa_supplicant REQUIRES the AP to broadcast the SSID. When the AP |
|||
hides its SSID, all you will get out of wpa_supplicant is the message: |
|||
"No suitable AP found" |
|||
|
|||
Also, read the MADwifi FAQ (http://madwifi.sourceforge.net/dokuwiki/doku.php) |
|||
since it contains a wealth of information. |
|||
|
|||
This being said, you'll have to do the following (as root): |
|||
Edit the file named /etc/wpa_supplicant.conf and add these lines: |
|||
|
|||
network={ |
|||
scan_ssid=0 |
|||
proto=WPA |
|||
key_mgmt=WPA-PSK |
|||
pairwise=CCMP TKIP |
|||
group=CCMP TKIP WEP104 WEP40 |
|||
} |
|||
|
|||
Then execute: |
|||
|
|||
/usr/sbin/wpa_passphrase YOURSSID passphrase |
|||
|
|||
with the SSID of your AP and the passphrase you've entered in its WPA-PSK configuration. You'll receive an output, which looks like this: |
|||
|
|||
network={ |
|||
ssid="YOURSSID" |
|||
#psk="passphrase" |
|||
|
|||
psk=66a4bfb03de5656cf26cfa03a116097546046f4aea11ee044b841171207d8308 |
|||
} |
|||
|
|||
Copy the three lines within the network-tag into your own entry in wpa_supplicant.conf and change the permissions after you've finished editing: |
|||
|
|||
chmod 640 /etc/wpa_supplicant.conf |
|||
|
|||
To get your network device up and running, execute: |
|||
|
|||
### /usr/sbin/wpa_supplicant -Bw -c/etc/wpa_supplicant.conf -iath0 -Dmadwifi ### |
|||
### you don't have to run the above command by hand, because it will ### |
|||
### be executed by the rc.inet1 command that you run: ### |
|||
|
|||
/etc/rc.d/rc.inet1 ath0_start |
|||
|
|||
In case you want to see the wpa_supplicant in action, start it on the command line before enabling the wireless device, by running: |
|||
/usr/sbin/wpa_supplicant -dw -c/etc/wpa_supplicant.conf -iath0 -Dmadwifi |
|||
The terminal where you've started the wpa_supplicant should now show the communication between your wlan card and the AP. If you got everything up and running you can let Slackware's init script take over by killing wpa_supplicant and running: |
|||
|
|||
/etc/rc.d/rc.inet1 ath0_restart |
|||
|
|||
Studying the wpa_supplicant README is also highly recommended for further insight! |
|||
|
@ -0,0 +1,37 @@ |
|||
CONFIG_AP=y |
|||
CONFIG_BACKEND=file |
|||
CONFIG_BGSCAN_SIMPLE=y |
|||
CONFIG_CTRL_IFACE=y |
|||
CONFIG_CTRL_IFACE_DBUS=y |
|||
CONFIG_CTRL_IFACE_DBUS_INTRO=y |
|||
CONFIG_CTRL_IFACE_DBUS_NEW=y |
|||
CONFIG_DEBUG_FILE=y |
|||
CONFIG_DRIVER_NL80211=y |
|||
CONFIG_DRIVER_WEXT=y |
|||
CONFIG_DRIVER_WIRED=y |
|||
CONFIG_EAP_AKA=y |
|||
CONFIG_EAP_FAST=y |
|||
CONFIG_EAP_GPSK=y |
|||
CONFIG_EAP_GPSK_SHA256=y |
|||
CONFIG_EAP_GTC=y |
|||
CONFIG_EAP_IKEV2=y |
|||
CONFIG_EAP_LEAP=y |
|||
CONFIG_EAP_MD5=y |
|||
CONFIG_EAP_MSCHAPV2=y |
|||
CONFIG_EAP_OTP=y |
|||
CONFIG_EAP_PAX=y |
|||
CONFIG_EAP_PEAP=y |
|||
CONFIG_EAP_SAKE=y |
|||
CONFIG_EAP_TLS=y |
|||
CONFIG_EAP_TNC=y |
|||
CONFIG_EAP_TTLS=y |
|||
CONFIG_IBSS_RSN=y |
|||
CONFIG_IEEE8021X_EAPOL=y |
|||
CONFIG_LIBNL32=y |
|||
CONFIG_P2P=y |
|||
CONFIG_PEERKEY=y |
|||
CONFIG_PKCS12=y |
|||
CONFIG_READLINE=y |
|||
CONFIG_SMARTCARD=y |
|||
CONFIG_WPS=y |
|||
|
@ -0,0 +1,7 @@ |
|||
[Desktop Entry] |
|||
Name=wpa_gui |
|||
Comment[en]=Wpa_supplicant management |
|||
Exec=kdesu wpa_gui |
|||
Icon=wpa_gui |
|||
Type=Application |
|||
Categories=Qt;Network; |
After Width: | Height: | Size: 5.0 KiB |
@ -0,0 +1,2 @@ |
|||
ctrl_interface=/var/run/wpa_supplicant |
|||
ctrl_interface_group=root |
@ -0,0 +1,6 @@ |
|||
/var/log/wpa_supplicant.log { |
|||
missingok |
|||
notifempty |
|||
size 30k |
|||
create 0600 root root |
|||
} |
Binary file not shown.
@ -0,0 +1,16 @@ |
|||
diff -Nur wpa_supplicant-2.0.orig/wpa_supplicant/wpa_supplicant.c wpa_supplicant-2.0/wpa_supplicant/wpa_supplicant.c
|
|||
--- wpa_supplicant-2.0.orig/wpa_supplicant/wpa_supplicant.c 2013-01-12 09:42:53.000000000 -0600
|
|||
+++ wpa_supplicant-2.0/wpa_supplicant/wpa_supplicant.c 2013-05-11 14:09:34.586718122 -0500
|
|||
@@ -1666,10 +1666,10 @@
|
|||
|
|||
if (assoc_failed) { |
|||
/* give IBSS a bit more time */ |
|||
- timeout = ssid->mode == WPAS_MODE_IBSS ? 10 : 5;
|
|||
+ timeout = ssid->mode == WPAS_MODE_IBSS ? 20 : 10;
|
|||
} else if (wpa_s->conf->ap_scan == 1) { |
|||
/* give IBSS a bit more time */ |
|||
- timeout = ssid->mode == WPAS_MODE_IBSS ? 20 : 10;
|
|||
+ timeout = ssid->mode == WPAS_MODE_IBSS ? 20 : 20;
|
|||
} |
|||
wpa_supplicant_req_auth_timeout(wpa_s, timeout, 0); |
|||
} |
@ -0,0 +1,20 @@ |
|||
diff -Nur wpa_supplicant-1.0-rc3.orig/wpa_supplicant/dbus/fi.epitest.hostap.WPASupplicant.service.in wpa_supplicant-1.0-rc3/wpa_supplicant/dbus/fi.epitest.hostap.WPASupplicant.service.in
|
|||
--- wpa_supplicant-1.0-rc3.orig/wpa_supplicant/dbus/fi.epitest.hostap.WPASupplicant.service.in 2012-04-16 15:15:40.000000000 -0500
|
|||
+++ wpa_supplicant-1.0-rc3/wpa_supplicant/dbus/fi.epitest.hostap.WPASupplicant.service.in 2012-05-06 01:07:44.523999837 -0500
|
|||
@@ -1,5 +1,5 @@
|
|||
[D-BUS Service] |
|||
Name=fi.epitest.hostap.WPASupplicant |
|||
-Exec=@BINDIR@/wpa_supplicant -u
|
|||
+Exec=@BINDIR@/wpa_supplicant -B -u -f /var/log/wpa_supplicant.log -P /var/run/wpa_supplicant.pid
|
|||
User=root |
|||
SystemdService=wpa_supplicant.service |
|||
diff -Nur wpa_supplicant-1.0-rc3.orig/wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in wpa_supplicant-1.0-rc3/wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in
|
|||
--- wpa_supplicant-1.0-rc3.orig/wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in 2012-04-16 15:15:40.000000000 -0500
|
|||
+++ wpa_supplicant-1.0-rc3/wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in 2012-05-06 01:06:59.528589953 -0500
|
|||
@@ -1,5 +1,5 @@
|
|||
[D-BUS Service] |
|||
Name=fi.w1.wpa_supplicant1 |
|||
-Exec=@BINDIR@/wpa_supplicant -u
|
|||
+Exec=@BINDIR@/wpa_supplicant -B -u -f /var/log/wpa_supplicant.log -P /var/run/wpa_supplicant.pid
|
|||
User=root |
|||
SystemdService=wpa_supplicant.service |
@ -0,0 +1,50 @@ |
|||
diff -Nur wpa_supplicant-2.0.orig/src/utils/wpa_debug.c wpa_supplicant-2.0/src/utils/wpa_debug.c
|
|||
--- wpa_supplicant-2.0.orig/src/utils/wpa_debug.c 2013-01-12 09:42:53.000000000 -0600
|
|||
+++ wpa_supplicant-2.0/src/utils/wpa_debug.c 2013-05-11 14:10:37.886101742 -0500
|
|||
@@ -75,6 +75,7 @@
|
|||
if (out_file) { |
|||
fprintf(out_file, "%ld.%06u: ", (long) tv.sec, |
|||
(unsigned int) tv.usec); |
|||
+ fflush(out_file);
|
|||
} else |
|||
#endif /* CONFIG_DEBUG_FILE */ |
|||
printf("%ld.%06u: ", (long) tv.sec, (unsigned int) tv.usec); |
|||
@@ -221,6 +222,7 @@
|
|||
if (out_file) { |
|||
vfprintf(out_file, fmt, ap); |
|||
fprintf(out_file, "\n"); |
|||
+ fflush(out_file);
|
|||
} else { |
|||
#endif /* CONFIG_DEBUG_FILE */ |
|||
vprintf(fmt, ap); |
|||
@@ -357,6 +359,7 @@
|
|||
fprintf(out_file, " [REMOVED]"); |
|||
} |
|||
fprintf(out_file, "\n"); |
|||
+ fflush(out_file);
|
|||
} else { |
|||
#endif /* CONFIG_DEBUG_FILE */ |
|||
printf("%s - hexdump(len=%lu):", title, (unsigned long) len); |
|||
@@ -425,12 +428,14 @@
|
|||
fprintf(out_file, |
|||
"%s - hexdump_ascii(len=%lu): [REMOVED]\n", |
|||
title, (unsigned long) len); |
|||
+ fflush(out_file);
|
|||
return; |
|||
} |
|||
if (buf == NULL) { |
|||
fprintf(out_file, |
|||
"%s - hexdump_ascii(len=%lu): [NULL]\n", |
|||
title, (unsigned long) len); |
|||
+ fflush(out_file);
|
|||
return; |
|||
} |
|||
fprintf(out_file, "%s - hexdump_ascii(len=%lu):\n", |
|||
@@ -455,6 +460,7 @@
|
|||
pos += llen; |
|||
len -= llen; |
|||
} |
|||
+ fflush(out_file);
|
|||
} else { |
|||
#endif /* CONFIG_DEBUG_FILE */ |
|||
if (!show) { |
@ -0,0 +1,16 @@ |
|||
--- ./wpa_supplicant/events.c.orig 2017-01-05 11:29:16.968898845 -0600
|
|||
+++ ./wpa_supplicant/events.c 2017-01-05 11:31:13.515907254 -0600
|
|||
@@ -1555,11 +1555,11 @@
|
|||
if (wpa_s->last_scan_req == MANUAL_SCAN_REQ && |
|||
wpa_s->manual_scan_use_id && wpa_s->own_scan_running && |
|||
own_request && !(data && data->scan_info.external_scan)) { |
|||
- wpa_msg_ctrl(wpa_s, MSG_INFO, WPA_EVENT_SCAN_RESULTS "id=%u",
|
|||
+ wpa_msg_ctrl(wpa_s, MSG_DEBUG, WPA_EVENT_SCAN_RESULTS "id=%u",
|
|||
wpa_s->manual_scan_id); |
|||
wpa_s->manual_scan_use_id = 0; |
|||
} else { |
|||
- wpa_msg_ctrl(wpa_s, MSG_INFO, WPA_EVENT_SCAN_RESULTS);
|
|||
+ wpa_msg_ctrl(wpa_s, MSG_DEBUG, WPA_EVENT_SCAN_RESULTS);
|
|||
} |
|||
wpas_notify_scan_results(wpa_s); |
|||
|
@ -0,0 +1,18 @@ |
|||
# HOW TO EDIT THIS FILE: |
|||
# The "handy ruler" below makes it easier to edit a package description. Line |
|||
# up the first '|' above the ':' following the base package name, and the '|' |
|||
# on the right side marks the last column you can put a character in. You must |
|||
# make exactly 11 lines for the formatting to be correct. It's also |
|||
# customary to leave one space after the ':'. |
|||
|-----handy-ruler------------------------------------------------------| |
|||
wpa_supplicant: wpa_supplicant (WPA/WPA2/IEEE 802.1X Supplicant) |
|||
wpa_supplicant: |
|||
wpa_supplicant: wpa_supplicant is a WPA Supplicant for Linux with support for WPA and |
|||
wpa_supplicant: WPA2 (IEEE 802.11i / RSN). Supplicant is the IEEE 802.1X/WPA |
|||
wpa_supplicant: component that is used in the client stations. It implements key |
|||
wpa_supplicant: negotiation with a WPA Authenticator and it controls the roaming and |
|||
wpa_supplicant: IEEE 802.11 authentication/association of the wlan driver. |
|||
wpa_supplicant: |
|||
wpa_supplicant: More info: http://hostap.epitest.fi/wpa_supplicant/ |
|||
wpa_supplicant: |
|||
wpa_supplicant: |
Binary file not shown.
@ -0,0 +1,181 @@ |
|||
#!/bin/sh |
|||
|
|||
# Copyright 2004-2008 Eric Hameleers, Eindhoven, NL |
|||
# Copyright 2008-2015 Patrick J. Volkerding, Sebeka, MN, USA |
|||
# Permission to use, copy, modify, and distribute this software for |
|||
# any purpose with or without fee is hereby granted, provided that |
|||
# the above copyright notice and this permission notice appear in all |
|||
# copies. |
|||
# |
|||
# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED |
|||
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF |
|||
# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. |
|||
# IN NO EVENT SHALL THE AUTHORS AND COPYRIGHT HOLDERS AND THEIR |
|||
# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
|||
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT |
|||
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF |
|||
# USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND |
|||
# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, |
|||
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT |
|||
# OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
|||
# SUCH DAMAGE. |
|||
# ----------------------------------------------------------------------------- |
|||
|
|||
PKGNAM=wpa_supplicant |
|||
VERSION=${VERSION:-$(echo $PKGNAM-*.tar.?z* | rev | cut -f 3- -d . | cut -f 1 -d - | rev)} |
|||
BUILD=${BUILD:-1_slack14.2} |
|||
|
|||
SRCVERSION=$(printf $VERSION | tr _ -) |
|||
|
|||
# Automatically determine the architecture we're building on: |
|||
if [ -z "$ARCH" ]; then |
|||
case "$( uname -m )" in |
|||
i?86) export ARCH=i586 ;; |
|||
arm*) export ARCH=arm ;; |
|||
# Unless $ARCH is already set, use uname -m for all other archs: |
|||
*) export ARCH=$( uname -m ) ;; |
|||
esac |
|||
fi |
|||
|
|||
NUMJOBS=${NUMJOBS:-" -j7 "} |
|||
|
|||
if [ "$ARCH" = "i586" ]; then |
|||
SLKCFLAGS="-O2 -march=i586 -mtune=i686" |
|||
LIBDIRSUFFIX="" |
|||
elif [ "$ARCH" = "s390" ]; then |
|||
SLKCFLAGS="-O2" |
|||
LIBDIRSUFFIX="" |
|||
elif [ "$ARCH" = "x86_64" ]; then |
|||
SLKCFLAGS="-O2 -fPIC" |
|||
LIBDIRSUFFIX="64" |
|||
elif [ "$ARCH" = "arm" ]; then |
|||
SLKCFLAGS="-O2 -march=armv4 -mtune=xscale" |
|||
LIBDIRSUFFIX="" |
|||
elif [ "$ARCH" = "armel" ]; then |
|||
SLKCFLAGS="-O2 -march=armv4t" |
|||
LIBDIRSUFFIX="" |
|||
else |
|||
SLKCFLAGS="-O2" |
|||
LIBDIRSUFFIX="" |
|||
fi |
|||
|
|||
CWD=$(pwd) |
|||
TMP=${TMP:-/tmp} |
|||
PKG=$TMP/package-$PKGNAM |
|||
|
|||
rm -rf $PKG |
|||
mkdir -p $TMP $PKG |
|||
cd $TMP |
|||
rm -rf ${PKGNAM}-${SRCVERSION} |
|||
tar xvf $CWD/${PKGNAM}-${SRCVERSION}.tar.?z* || exit 1 |
|||
cd ${PKGNAM}-${SRCVERSION} |
|||
chown -R root:root . |
|||
find . \ |
|||
\( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \ |
|||
-exec chmod 755 {} \; -o \ |
|||
\( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \ |
|||
-exec chmod 644 {} \; |
|||
|
|||
|
|||
zcat $CWD/2017-1/rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch.gz | patch -p1 || exit 1 |
|||
zcat $CWD/2017-1/rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch.gz | patch -p1 || exit 1 |
|||
zcat $CWD/2017-1/rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch.gz | patch -p1 || exit 1 |
|||
zcat $CWD/2017-1/rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch.gz | patch -p1 || exit 1 |
|||
zcat $CWD/2017-1/rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch.gz | patch -p1 || exit 1 |
|||
zcat $CWD/2017-1/rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch.gz | patch -p1 || exit 1 |
|||
zcat $CWD/2017-1/rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch.gz | patch -p1 || exit 1 |
|||
zcat $CWD/2017-1/rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch.gz | patch -p1 || exit 1 |
|||
|
|||
# Fixup various paths in the dbus service file |
|||
cat $CWD/patches/dbus-service-file-args.diff | patch -p1 --verbose || exit 1 |
|||
|
|||
# Eliminate some logspam |
|||
cat $CWD/patches/quiet-scan-results-message.diff | patch -p1 --verbose || exit 1 |
|||
|
|||
# Apply a couple of other patches from Fedora |
|||
cat $CWD/patches/assoc-timeout.diff | patch -p1 --verbose || exit 1 |
|||
cat $CWD/patches/flush-debug-output.diff | patch -p1 --verbose || exit 1 |
|||
|
|||
cd wpa_supplicant |
|||
|
|||
# Create the configuration file for building wpa_supplicant: |
|||
cat $CWD/config/dot.config > .config |
|||
|
|||
# Build the usual binaries |
|||
CFLAGS="$SLKCFLAGS" \ |
|||
make $NUMJOBS \ |
|||
BINDIR=/usr/sbin \ |
|||
LIBDIR=/usr/lib${LIBDIRSUFFIX} || exit 1 |
|||
|
|||
# Build the Qt4 GUI client |
|||
CFLAGS="$SLKCFLAGS" \ |
|||
make $NUMJOBS \ |
|||
wpa_gui-qt4 \ |
|||
BINDIR=/usr/sbin \ |
|||
LIBDIR=/usr/lib${LIBDIRSUFFIX} || exit 1 |
|||
|
|||
# Make sure man pages are built |
|||
make -C doc/docbook man |
|||
|
|||
# This goes into the doc directory later on: |
|||
mv wpa_supplicant.conf wpa_supplicant.conf.sample |
|||
|
|||
# Install binaries: |
|||
mkdir -p $PKG/usr/sbin $PKG/usr/bin |
|||
cp wpa_supplicant wpa_passphrase wpa_cli $PKG/usr/sbin/ |
|||
cp wpa_gui-qt4/wpa_gui $PKG/usr/bin/ |
|||
|
|||
find $PKG | xargs file | grep -e "executable" -e "shared object" | grep ELF \ |
|||
| cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null |
|||
|
|||
# Install dbus configuration file: |
|||
mkdir -p $PKG/etc/dbus-1/system.d/ |
|||
cp dbus/dbus-wpa_supplicant.conf \ |
|||
$PKG/etc/dbus-1/system.d/dbus-wpa_supplicant.conf |
|||
|
|||
mkdir -p $PKG/usr/share/dbus-1/system-services |
|||
install -m644 dbus/*.service $PKG/usr/share/dbus-1/system-services/ |
|||
|
|||
# Install a .desktop file and icon for wpa_gui: |
|||
# (converted from the wpa_gui.svg in the source) |
|||
mkdir -p $PKG/usr/share/{applications,pixmaps} |
|||
cat $CWD/config/wpa_gui.desktop > $PKG/usr/share/applications/wpa_gui.desktop |
|||
cat $CWD/config/wpa_gui.png > $PKG/usr/share/pixmaps/wpa_gui.png |
|||
|
|||
# Install a logrotate config |
|||
mkdir -p $PKG/etc/logrotate.d |
|||
cat $CWD/config/wpa_supplicant.logrotate > $PKG/etc/logrotate.d/wpa_supplicant.new |
|||
|
|||
# Install man pages: |
|||
for m in 5 8; do |
|||
mkdir -p $PKG/usr/man/man${m} |
|||
cp doc/docbook/*.${m} $PKG/usr/man/man${m}/ |
|||
done |
|||
find $PKG/usr/man -type f -name "*.?" -exec gzip -9f {} \; |
|||
|
|||
# Install a default configuration file (only readable by root): |
|||
mkdir -p $PKG/etc |
|||
cat $CWD/config/wpa_supplicant.conf > $PKG/etc/wpa_supplicant.conf.new |
|||
chmod 600 $PKG/etc/wpa_supplicant.conf.new |
|||
|
|||
mkdir -p $PKG/usr/doc/$PKGNAM-$VERSION |
|||
cp -a \ |
|||
ChangeLog ../COPYING README README-{P2P,WPS} examples *.txt *.sample $CWD/README.slackware \ |
|||
$PKG/usr/doc/$PKGNAM-$VERSION |
|||
chown -R root:root $PKG/usr/doc/$PKGNAM-$VERSION/* |
|||
chmod -R a-w $PKG/usr/doc/$PKGNAM-$VERSION/* |
|||
|
|||
# If there's a ChangeLog, installing at least part of the recent history |
|||
# is useful, but don't let it get totally out of control: |
|||
if [ -r ChangeLog ]; then |
|||
DOCSDIR=$(echo $PKG/usr/doc/${PKGNAM}-$VERSION) |
|||
cat ChangeLog | head -n 1000 > $DOCSDIR/ChangeLog |
|||
touch -r ChangeLog $DOCSDIR/ChangeLog |
|||
fi |
|||
|
|||
mkdir -p $PKG/install |
|||
cat $CWD/slack-desc > $PKG/install/slack-desc |
|||
zcat $CWD/doinst.sh.gz >> $PKG/install/doinst.sh |
|||
|
|||
cd $PKG |
|||
/sbin/makepkg -l y -c n $TMP/${PKGNAM}-${VERSION}-${ARCH}-${BUILD}.txz |
Loading…
Reference in new issue