
Import 2.6-1_slack14.2

wpa_supplicant
mid-kid 7 years ago
commit
5326dbf93d
  1. BIN
      2017-1/rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch.gz
  2. BIN
      2017-1/rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch.gz
  3. BIN
      2017-1/rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch.gz
  4. BIN
      2017-1/rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch.gz
  5. BIN
      2017-1/rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch.gz
  6. BIN
      2017-1/rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch.gz
  7. BIN
      2017-1/rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch.gz
  8. BIN
      2017-1/rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch.gz
  9. 226
      2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
  10. 55
      README.slackware
  11. 37
      config/dot.config
  12. 7
      config/wpa_gui.desktop
  13. BIN
      config/wpa_gui.png
  14. 2
      config/wpa_supplicant.conf
  15. 6
      config/wpa_supplicant.logrotate
  16. BIN
      doinst.sh.gz
  17. 16
      patches/assoc-timeout.diff
  18. 20
      patches/dbus-service-file-args.diff
  19. 50
      patches/flush-debug-output.diff
  20. 16
      patches/quiet-scan-results-message.diff
  21. 18
      slack-desc
  22. BIN
      wpa_supplicant-2.6.tar.xz
  23. 181
      wpa_supplicant.SlackBuild

BIN
2017-1/rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch.gz

Binary file not shown.

BIN
2017-1/rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch.gz

Binary file not shown.

BIN
2017-1/rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch.gz

Binary file not shown.

BIN
2017-1/rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch.gz

Binary file not shown.

BIN
2017-1/rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch.gz

Binary file not shown.

BIN
2017-1/rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch.gz

Binary file not shown.

BIN
2017-1/rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch.gz

Binary file not shown.

BIN
2017-1/rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch.gz

Binary file not shown.
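Review bot: The eight `2017-1/rebased-v2.6-000*.patch.gz` files are committed gzip-compressed, so this commit shows them only as "Binary file not shown." and the security fixes that the build applies cannot be read in review. Consider committing them uncompressed, or recording a checksum for each file next to it so they can be compared with the copies published at https://w1.fi/security/2017-1/.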

226
2017-1/wpa-packet-number-reuse-with-replayed-messages.txt

@ -0,0 +1,226 @@
WPA packet number reuse with replayed messages and key reinstallation
Published: October 16, 2017
Identifiers:
- CERT case ID: VU#228519
- CVE-2017-13077
- CVE-2017-13078
- CVE-2017-13079
- CVE-2017-13080
- CVE-2017-13081
- CVE-2017-13082
- CVE-2017-13084 (not applicable)
- CVE-2017-13086
- CVE-2017-13087
- CVE-2017-13088
Latest version available from: https://w1.fi/security/2017-1/
Vulnerability
A vulnerability was found in how a number of implementations can be
triggered to reconfigure WPA/WPA2/RSN keys (TK, GTK, or IGTK) by
replaying a specific frame that is used to manage the keys. Such
reinstallation of the encryption key can result in two different types
of vulnerabilities: disabling replay protection and significantly
reducing the security of encryption to the point of allowing frames to
be decrypted or some parts of the keys to be determined by an attacker
depending on which cipher is used.
This document focuses on the cases that apply to systems using hostapd
(AP) or wpa_supplicant (station), but it should be noted that the
generic vulnerability itself is applicable to other implementations and
may have different impact in other cases.
This vulnerability can in theory apply to any case where a TK (the
pairwise/unicast encryption key used with TKIP, CCMP, GCMP), a GTK
(group/multicast encryption key), or an IGTK (group management frame
integrity protection key) is configured by the Authentication/Supplicant
component to the WLAN driver/firmware taking care of the TX/RX path and
encryption/decryption of frames.
If the same key is configured multiple times, it is likely that the
transmit and receive packet numbers (PN, IPN, RSC/TSC, etc.) are cleared
to a smaller value (zero in case of pairwise keys, zero or at least a
smaller value than the last used value in case of group keys). When this
happens with the same key, this breaks replay protection on RX side and
can result in reuse of packet numbers on TX side. The former may allow
replaying of previously delivered packets (without the attacker being
able to decrypt them or modify their contents) while the latter may
result in more severe issues on the TX side due to resulting CCM nonce
replay and related issues with GCMP and TKIP. The TX side issue may make
it significantly easier for the attacker to decrypt frames and determine
some parts of the keys (e.g., a Michael MIC key in case of TKIP).
Impact on AP/hostapd
On the AP side, this generic issue has been determined to be applicable
in the case where hostapd is used to operate an RSN/WPA2 network with FT
(Fast BSS Transition from IEEE 802.11r) enabled. Replaying of the
Reassociation Request frame can be used to get the AP reinstalling the
TK which results in the AP accepting previously delivered unicast frames
from the station and the AP reusing previously used packet numbers
(local TX packet number gets reset to zero). This latter issue on the TX
side can result in CCM nonce reuse which invalidates CCMP security
properties. In case of TKIP this can result in the attacker being able
to determine part of the TK more easily and with GCMP, result in similar
issues.
It should be noted that the AP side issue with FT would be close to
applying to FILS authentication (from IEEE 802.11ai) in hostapd with
replaying of (Re)Association Request frames. However, due to a different
handling of the repeated association processing with FILS, this would
actually result in the station getting immediately disconnected which
prevents this attack in practice. In addition, the FILS implementation
in the current hostapd version is still experimental and documented as
being discouraged in production use cases.
Another area of potentially reduced security was identified when looking
into these issues. When AP/Authenticator implementation in hostapd is
requested to rekey the PTK without performing EAP reauthentication
(either through local periodic rekeying or due to a request from an
association station), the ANonce value does not get updated. This
results in the new 4-way handshake depending on the station/supplicant
side generating a new, unique (for the current PMK/PSK) SNonce for the
PTK derivation to result in a new key. While a properly working
supplicant would do so, if there is a supplicant implementation that
does not, this combination could result in deriving the same PTK
again. When the TK from that PTK gets configured in the driver, this
would result in reinstalling the same key and the same issues as
described above for the FT protocol case.
Impact on station/wpa_supplicant
On the station side, this generic issue has been determined to be
applicable in the cases where wpa_supplicant processes a group key (GTK
or IGTK) update from the AP. An attacker that is able to limit access
to frame delivery may be able to extract two update messages and deliver
those to the station with significant time delay between them. When
wpa_supplicant processes the second message, it may end up reinstalling
the same key to the driver and when doing this, clear the RX packet
number to an old value. This would allow the attacker to replay all
group-addressed frames that the AP sent between the time the key update
message was originally sent and the time when the attacker forwarded the
second frame to the station. The attacker would not be able to decrypt
or modify the frames based on this vulnerability, though. There is an
exception to this with older wpa_supplicant versions as noted below in
version specific notes.
For the current wpa_supplicant version (v2.6), there is also an
additional EAPOL-Key replay sequence where an additional forged
EAPOL-Key message can be used to bypass the existing protection for the
pairwise key reconfiguration in a manner that ends up configuring a
known TK that an attacker could use to decrypt any frame sent by the
station and to inject arbitrary unicast frames. Similar issues are
reachable in older versions as noted below.
PeerKey / TDLS PeerKey
As far as the related CVE-2017-13084 (reinstallation of the STK key in
the PeerKey handshake) is concerned, it should be noted that PeerKey
implementation in wpa_supplicant is not fully functional and the actual
installation of the key into the driver does not work. As such, this
item is not applicable in practice. Furthermore, the PeerKey handshake
for IEEE 802.11e DLS is obsolete and not known to have been deployed.
As far as the TDLS PeerKey handshake is concerned (CVE-2017-13086),
wpa_supplicant implementation is already rejecting TPK M2 retries, so
the reconfiguration issue cannot apply for it. For TPK M3, there is a
theoretical impact. However, if that frame is replayed, the current
wpa_supplicant implementation ends up tearing down the TDLS link
immediately and as such, there is no real window for performing the
attack. Furthermore, TPK M3 goes through the AP path and if RSN is used
there, that frame has replay protection, so the attacker could not
perform the attack. If the AP path were to use WEP, the frame could be
replayed, though. That said, if WEP is used on the AP path, it would be
fair to assume that there is no security in the network, so a new attack
vector would be of small additional value.
With older wpa_supplicant versions, it may be possible for an attacker
to cause TPK M2 to be retransmitted with delay that would be able to
trigger reinstallation of TK on the peer receiving TPK M2
(CVE-2017-13086). This may open a short window for the attack with v2.3,
v2.4, and v2.5; and a longer window with older versions.
Vulnerable versions/configurations
For the AP/Authenticator TK (unicast) reinstallation in FT protocol
(CVE-2017-13082):
hostapd v0.7.2 and newer with FT enabled (i.e., practically all versions
that include full FT implementation). FT needs to be enabled in the
runtime configuration to make this applicable.
For the AP/Authenticator missing ANonce during PTK rekeying:
All hostapd versions.
For the station/Supplicant side GTK/IGTK reinstallation and TK
configuration:
All wpa_supplicant versions. The impact on older versions can be more
severe due to earlier changes in this area: v2.3 and older can also
reinstall the pairwise key and as such have similar impact as the AP FT
case (CVE-2017-13077); v2.4 and v2.5 end up configuring an all-zero TK
which breaks the normal data path, but could allow an attacker to
decrypt all following frames from the station and to inject arbitrary
frames to the station. In addition, a different message sequence
involving 4-way handshake can result in configuration of an all-zero TK
in v2.6 and the current snapshot of the development repository as of the
publication of this advisory.
Acknowledgments
Thanks to Mathy Vanhoef of the imec-DistriNet research group of KU
Leuven for discovering and reporting this issue. Thanks to John A. Van
Boxtel for finding additional issues related to this topic.
Possible mitigation steps
- For AP/hostapd and FT replay issue (CVE-2017-13082), it is possible to
prevent the issue temporarily by disabling FT in runtime
configuration, if needed before being able to update the
implementations.
- Merge the following commits to hostapd/wpa_supplicant and rebuild them:
hostapd and replayed FT reassociation request frame (CVE-2017-13082):
hostapd: Avoid key reinstallation in FT handshake
hostapd PTK rekeying and ANonce update:
Fix PTK rekeying to generate a new ANonce
wpa_supplicant and GTK/IGTK rekeying (CVE-2017-13078, CVE-2017-13079,
CVE-2017-13080, CVE-2017-13081, CVE-2017-13087, CVE-2017-13088):
Prevent reinstallation of an already in-use group key
Extend protection of GTK/IGTK reinstallation of WNM-Sleep Mode cases
wpa_supplicant (v2.6 or newer snapshot) and known TK issue:
Prevent installation of an all-zero TK
Additional protection steps for wpa_supplicant:
TDLS: Reject TPK-TK reconfiguration
WNM: Ignore WNM-Sleep Mode Response without pending request
FT: Do not allow multiple Reassociation Response frames
These patches are available from https://w1.fi/security/2017-1/
(both against the snapshot of hostap.git master branch and rebased on
top of the v2.6 release)
For the TDLS TPK M2 retransmission issue (CVE-2017-13086) with older
wpa_supplicant versions, consider updating to the latest version or
merge in a commit that is present in v2.6:
https://w1.fi/cgit/hostap/commit/?id=dabdef9e048b17b22b1c025ad592922eab30dda8
('TDLS: Ignore incoming TDLS Setup Response retries')
- Update to hostapd/wpa_supplicant v2.7 or newer, once available
* it should be noted that there are number of additional changes in
the related areas of the implementation to provide extra layer of
protection for potential unknown issues; these changes are not
included in this advisory as they have not been identified to be
critical for preventing any of the identified security
vulnerabilities; however, users of hostapd/wpa_supplicant are
encouraged to consider merging such changes even if not fully
moving to v2.7

55
README.slackware

@ -0,0 +1,55 @@
=================================================
How do I get my card to use WPA-PSK in Slackware?
=================================================
First off: wpa_supplicant REQUIRES the AP to broadcast the SSID. When the AP
hides its SSID, all you will get out of wpa_supplicant is the message:
"No suitable AP found"
Also, read the MADwifi FAQ (http://madwifi.sourceforge.net/dokuwiki/doku.php)
since it contains a wealth of information.
This being said, you'll have to do the following (as root):
Edit the file named /etc/wpa_supplicant.conf and add these lines:
network={
scan_ssid=0
proto=WPA
key_mgmt=WPA-PSK
pairwise=CCMP TKIP
group=CCMP TKIP WEP104 WEP40
}
Then execute:
/usr/sbin/wpa_passphrase YOURSSID passphrase
with the SSID of your AP and the passphrase you've entered in its WPA-PSK configuration. You'll receive an output, which looks like this:
network={
ssid="YOURSSID"
#psk="passphrase"
psk=66a4bfb03de5656cf26cfa03a116097546046f4aea11ee044b841171207d8308
}
Copy the three lines within the network-tag into your own entry in wpa_supplicant.conf and change the permissions after you've finished editing:
chmod 640 /etc/wpa_supplicant.conf
To get your network device up and running, execute:
### /usr/sbin/wpa_supplicant -Bw -c/etc/wpa_supplicant.conf -iath0 -Dmadwifi ###
### you don't have to run the above command by hand, because it will ###
### be executed by the rc.inet1 command that you run: ###
/etc/rc.d/rc.inet1 ath0_start
In case you want to see the wpa_supplicant in action, start it on the command line before enabling the wireless device, by running:
/usr/sbin/wpa_supplicant -dw -c/etc/wpa_supplicant.conf -iath0 -Dmadwifi
The terminal where you've started the wpa_supplicant should now show the communication between your wlan card and the AP. If you got everything up and running you can let Slackware's init script take over by killing wpa_supplicant and running:
/etc/rc.d/rc.inet1 ath0_restart
Studying the wpa_supplicant README is also highly recommended for further insight!
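Review bot: The sample `network={}` block sets `proto=WPA` and `group=CCMP TKIP WEP104 WEP40`, which restricts the entry to the original WPA protocol and accepts WEP as the group cipher; for a WPA2 network the entry should use `proto=RSN` with `pairwise=CCMP` and `group=CCMP`. The "copy the three lines" step also carries the `#psk="passphrase"` comment into /etc/wpa_supplicant.conf, so the cleartext passphrase is stored next to the derived PSK, and the `chmod 640` given here is looser than the `chmod 600` the SlackBuild applies to the packaged file.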

37
config/dot.config

@ -0,0 +1,37 @@
CONFIG_AP=y
CONFIG_BACKEND=file
CONFIG_BGSCAN_SIMPLE=y
CONFIG_CTRL_IFACE=y
CONFIG_CTRL_IFACE_DBUS=y
CONFIG_CTRL_IFACE_DBUS_INTRO=y
CONFIG_CTRL_IFACE_DBUS_NEW=y
CONFIG_DEBUG_FILE=y
CONFIG_DRIVER_NL80211=y
CONFIG_DRIVER_WEXT=y
CONFIG_DRIVER_WIRED=y
CONFIG_EAP_AKA=y
CONFIG_EAP_FAST=y
CONFIG_EAP_GPSK=y
CONFIG_EAP_GPSK_SHA256=y
CONFIG_EAP_GTC=y
CONFIG_EAP_IKEV2=y
CONFIG_EAP_LEAP=y
CONFIG_EAP_MD5=y
CONFIG_EAP_MSCHAPV2=y
CONFIG_EAP_OTP=y
CONFIG_EAP_PAX=y
CONFIG_EAP_PEAP=y
CONFIG_EAP_SAKE=y
CONFIG_EAP_TLS=y
CONFIG_EAP_TNC=y
CONFIG_EAP_TTLS=y
CONFIG_IBSS_RSN=y
CONFIG_IEEE8021X_EAPOL=y
CONFIG_LIBNL32=y
CONFIG_P2P=y
CONFIG_PEERKEY=y
CONFIG_PKCS12=y
CONFIG_READLINE=y
CONFIG_SMARTCARD=y
CONFIG_WPS=y
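Review bot: `CONFIG_PEERKEY=y` builds in the PeerKey handshake, which the advisory imported in this same commit describes as not fully functional in wpa_supplicant and obsolete for IEEE 802.11e DLS. Unless something in the distribution depends on it, drop that line so the unused key-handling code is not compiled in.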

7
config/wpa_gui.desktop

@ -0,0 +1,7 @@
[Desktop Entry]
Name=wpa_gui
Comment[en]=Wpa_supplicant management
Exec=kdesu wpa_gui
Icon=wpa_gui
Type=Application
Categories=Qt;Network;

BIN
config/wpa_gui.png

Binary file not shown.


2
config/wpa_supplicant.conf

@ -0,0 +1,2 @@
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=root

6
config/wpa_supplicant.logrotate

@ -0,0 +1,6 @@
/var/log/wpa_supplicant.log {
missingok
notifempty
size 30k
create 0600 root root
}
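Review bot: This stanza has neither `copytruncate` nor a `postrotate` step, so after rotation a running wpa_supplicant started with `-f /var/log/wpa_supplicant.log` (as the D-Bus service files in this commit do) keeps writing to the renamed file and the new 0600 file stays empty. Add `copytruncate`, or a `postrotate` that tells the daemon to reopen its log, for example with `wpa_cli relog`.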

BIN
doinst.sh.gz

Binary file not shown.

16
patches/assoc-timeout.diff

@ -0,0 +1,16 @@
diff -Nur wpa_supplicant-2.0.orig/wpa_supplicant/wpa_supplicant.c wpa_supplicant-2.0/wpa_supplicant/wpa_supplicant.c
--- wpa_supplicant-2.0.orig/wpa_supplicant/wpa_supplicant.c 2013-01-12 09:42:53.000000000 -0600
+++ wpa_supplicant-2.0/wpa_supplicant/wpa_supplicant.c 2013-05-11 14:09:34.586718122 -0500
@@ -1666,10 +1666,10 @@
if (assoc_failed) {
/* give IBSS a bit more time */
- timeout = ssid->mode == WPAS_MODE_IBSS ? 10 : 5;
+ timeout = ssid->mode == WPAS_MODE_IBSS ? 20 : 10;
} else if (wpa_s->conf->ap_scan == 1) {
/* give IBSS a bit more time */
- timeout = ssid->mode == WPAS_MODE_IBSS ? 20 : 10;
+ timeout = ssid->mode == WPAS_MODE_IBSS ? 20 : 20;
}
wpa_supplicant_req_auth_timeout(wpa_s, timeout, 0);
}
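Review bot: In the `ap_scan == 1` branch the new line `timeout = ssid->mode == WPAS_MODE_IBSS ? 20 : 20;` has identical arms, so the conditional and the "give IBSS a bit more time" comment above it no longer mean anything. Write `timeout = 20;` there and drop or reword the comment, or pick a larger IBSS value if the distinction is still wanted.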

20
patches/dbus-service-file-args.diff

@ -0,0 +1,20 @@
diff -Nur wpa_supplicant-1.0-rc3.orig/wpa_supplicant/dbus/fi.epitest.hostap.WPASupplicant.service.in wpa_supplicant-1.0-rc3/wpa_supplicant/dbus/fi.epitest.hostap.WPASupplicant.service.in
--- wpa_supplicant-1.0-rc3.orig/wpa_supplicant/dbus/fi.epitest.hostap.WPASupplicant.service.in 2012-04-16 15:15:40.000000000 -0500
+++ wpa_supplicant-1.0-rc3/wpa_supplicant/dbus/fi.epitest.hostap.WPASupplicant.service.in 2012-05-06 01:07:44.523999837 -0500
@@ -1,5 +1,5 @@
[D-BUS Service]
Name=fi.epitest.hostap.WPASupplicant
-Exec=@BINDIR@/wpa_supplicant -u
+Exec=@BINDIR@/wpa_supplicant -B -u -f /var/log/wpa_supplicant.log -P /var/run/wpa_supplicant.pid
User=root
SystemdService=wpa_supplicant.service
diff -Nur wpa_supplicant-1.0-rc3.orig/wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in wpa_supplicant-1.0-rc3/wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in
--- wpa_supplicant-1.0-rc3.orig/wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in 2012-04-16 15:15:40.000000000 -0500
+++ wpa_supplicant-1.0-rc3/wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in 2012-05-06 01:06:59.528589953 -0500
@@ -1,5 +1,5 @@
[D-BUS Service]
Name=fi.w1.wpa_supplicant1
-Exec=@BINDIR@/wpa_supplicant -u
+Exec=@BINDIR@/wpa_supplicant -B -u -f /var/log/wpa_supplicant.log -P /var/run/wpa_supplicant.pid
User=root
SystemdService=wpa_supplicant.service

50
patches/flush-debug-output.diff

@ -0,0 +1,50 @@
diff -Nur wpa_supplicant-2.0.orig/src/utils/wpa_debug.c wpa_supplicant-2.0/src/utils/wpa_debug.c
--- wpa_supplicant-2.0.orig/src/utils/wpa_debug.c 2013-01-12 09:42:53.000000000 -0600
+++ wpa_supplicant-2.0/src/utils/wpa_debug.c 2013-05-11 14:10:37.886101742 -0500
@@ -75,6 +75,7 @@
if (out_file) {
fprintf(out_file, "%ld.%06u: ", (long) tv.sec,
(unsigned int) tv.usec);
+ fflush(out_file);
} else
#endif /* CONFIG_DEBUG_FILE */
printf("%ld.%06u: ", (long) tv.sec, (unsigned int) tv.usec);
@@ -221,6 +222,7 @@
if (out_file) {
vfprintf(out_file, fmt, ap);
fprintf(out_file, "\n");
+ fflush(out_file);
} else {
#endif /* CONFIG_DEBUG_FILE */
vprintf(fmt, ap);
@@ -357,6 +359,7 @@
fprintf(out_file, " [REMOVED]");
}
fprintf(out_file, "\n");
+ fflush(out_file);
} else {
#endif /* CONFIG_DEBUG_FILE */
printf("%s - hexdump(len=%lu):", title, (unsigned long) len);
@@ -425,12 +428,14 @@
fprintf(out_file,
"%s - hexdump_ascii(len=%lu): [REMOVED]\n",
title, (unsigned long) len);
+ fflush(out_file);
return;
}
if (buf == NULL) {
fprintf(out_file,
"%s - hexdump_ascii(len=%lu): [NULL]\n",
title, (unsigned long) len);
+ fflush(out_file);
return;
}
fprintf(out_file, "%s - hexdump_ascii(len=%lu):\n",
@@ -455,6 +460,7 @@
pos += llen;
len -= llen;
}
+ fflush(out_file);
} else {
#endif /* CONFIG_DEBUG_FILE */
if (!show) {

16
patches/quiet-scan-results-message.diff

@ -0,0 +1,16 @@
--- ./wpa_supplicant/events.c.orig 2017-01-05 11:29:16.968898845 -0600
+++ ./wpa_supplicant/events.c 2017-01-05 11:31:13.515907254 -0600
@@ -1555,11 +1555,11 @@
if (wpa_s->last_scan_req == MANUAL_SCAN_REQ &&
wpa_s->manual_scan_use_id && wpa_s->own_scan_running &&
own_request && !(data && data->scan_info.external_scan)) {
- wpa_msg_ctrl(wpa_s, MSG_INFO, WPA_EVENT_SCAN_RESULTS "id=%u",
+ wpa_msg_ctrl(wpa_s, MSG_DEBUG, WPA_EVENT_SCAN_RESULTS "id=%u",
wpa_s->manual_scan_id);
wpa_s->manual_scan_use_id = 0;
} else {
- wpa_msg_ctrl(wpa_s, MSG_INFO, WPA_EVENT_SCAN_RESULTS);
+ wpa_msg_ctrl(wpa_s, MSG_DEBUG, WPA_EVENT_SCAN_RESULTS);
}
wpas_notify_scan_results(wpa_s);
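Review bot: Both changed calls are `wpa_msg_ctrl()`, which delivers `WPA_EVENT_SCAN_RESULTS` to control-interface monitors, so lowering the level to `MSG_DEBUG` changes which attached clients receive the event and not only what is logged. Before shipping, confirm that wpa_gui and any other control-interface client that waits for scan results still sees the event at its default message level; if the aim is only a quieter log, state that in a comment at the top of the patch.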

18
slack-desc

@ -0,0 +1,18 @@
# HOW TO EDIT THIS FILE:
# The "handy ruler" below makes it easier to edit a package description. Line
# up the first '|' above the ':' following the base package name, and the '|'
# on the right side marks the last column you can put a character in. You must
# make exactly 11 lines for the formatting to be correct. It's also
# customary to leave one space after the ':'.
|-----handy-ruler------------------------------------------------------|
wpa_supplicant: wpa_supplicant (WPA/WPA2/IEEE 802.1X Supplicant)
wpa_supplicant:
wpa_supplicant: wpa_supplicant is a WPA Supplicant for Linux with support for WPA and
wpa_supplicant: WPA2 (IEEE 802.11i / RSN). Supplicant is the IEEE 802.1X/WPA
wpa_supplicant: component that is used in the client stations. It implements key
wpa_supplicant: negotiation with a WPA Authenticator and it controls the roaming and
wpa_supplicant: IEEE 802.11 authentication/association of the wlan driver.
wpa_supplicant:
wpa_supplicant: More info: http://hostap.epitest.fi/wpa_supplicant/
wpa_supplicant:
wpa_supplicant:

BIN
wpa_supplicant-2.6.tar.xz

Binary file not shown.

181
wpa_supplicant.SlackBuild

@ -0,0 +1,181 @@
#!/bin/sh
# Copyright 2004-2008 Eric Hameleers, Eindhoven, NL
# Copyright 2008-2015 Patrick J. Volkerding, Sebeka, MN, USA
# Permission to use, copy, modify, and distribute this software for
# any purpose with or without fee is hereby granted, provided that
# the above copyright notice and this permission notice appear in all
# copies.
#
# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
# IN NO EVENT SHALL THE AUTHORS AND COPYRIGHT HOLDERS AND THEIR
# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
# USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
# OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
# -----------------------------------------------------------------------------
PKGNAM=wpa_supplicant
VERSION=${VERSION:-$(echo $PKGNAM-*.tar.?z* | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
BUILD=${BUILD:-1_slack14.2}
SRCVERSION=$(printf $VERSION | tr _ -)
# Automatically determine the architecture we're building on:
if [ -z "$ARCH" ]; then
case "$( uname -m )" in
i?86) export ARCH=i586 ;;
arm*) export ARCH=arm ;;
# Unless $ARCH is already set, use uname -m for all other archs:
*) export ARCH=$( uname -m ) ;;
esac
fi
NUMJOBS=${NUMJOBS:-" -j7 "}
if [ "$ARCH" = "i586" ]; then
SLKCFLAGS="-O2 -march=i586 -mtune=i686"
LIBDIRSUFFIX=""
elif [ "$ARCH" = "s390" ]; then
SLKCFLAGS="-O2"
LIBDIRSUFFIX=""
elif [ "$ARCH" = "x86_64" ]; then
SLKCFLAGS="-O2 -fPIC"
LIBDIRSUFFIX="64"
elif [ "$ARCH" = "arm" ]; then
SLKCFLAGS="-O2 -march=armv4 -mtune=xscale"
LIBDIRSUFFIX=""
elif [ "$ARCH" = "armel" ]; then
SLKCFLAGS="-O2 -march=armv4t"
LIBDIRSUFFIX=""
else
SLKCFLAGS="-O2"
LIBDIRSUFFIX=""
fi
CWD=$(pwd)
TMP=${TMP:-/tmp}
PKG=$TMP/package-$PKGNAM
rm -rf $PKG
mkdir -p $TMP $PKG
cd $TMP
rm -rf ${PKGNAM}-${SRCVERSION}
tar xvf $CWD/${PKGNAM}-${SRCVERSION}.tar.?z* || exit 1
cd ${PKGNAM}-${SRCVERSION}
chown -R root:root .
find . \
\( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \
-exec chmod 755 {} \; -o \
\( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \
-exec chmod 644 {} \;
zcat $CWD/2017-1/rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch.gz | patch -p1 || exit 1
zcat $CWD/2017-1/rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch.gz | patch -p1 || exit 1
zcat $CWD/2017-1/rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch.gz | patch -p1 || exit 1
zcat $CWD/2017-1/rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch.gz | patch -p1 || exit 1
zcat $CWD/2017-1/rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch.gz | patch -p1 || exit 1
zcat $CWD/2017-1/rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch.gz | patch -p1 || exit 1
zcat $CWD/2017-1/rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch.gz | patch -p1 || exit 1
zcat $CWD/2017-1/rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch.gz | patch -p1 || exit 1
# Fixup various paths in the dbus service file
cat $CWD/patches/dbus-service-file-args.diff | patch -p1 --verbose || exit 1
# Eliminate some logspam
cat $CWD/patches/quiet-scan-results-message.diff | patch -p1 --verbose || exit 1
# Apply a couple of other patches from Fedora
cat $CWD/patches/assoc-timeout.diff | patch -p1 --verbose || exit 1
cat $CWD/patches/flush-debug-output.diff | patch -p1 --verbose || exit 1
cd wpa_supplicant
# Create the configuration file for building wpa_supplicant:
cat $CWD/config/dot.config > .config
# Build the usual binaries
CFLAGS="$SLKCFLAGS" \
make $NUMJOBS \
BINDIR=/usr/sbin \
LIBDIR=/usr/lib${LIBDIRSUFFIX} || exit 1
# Build the Qt4 GUI client
CFLAGS="$SLKCFLAGS" \
make $NUMJOBS \
wpa_gui-qt4 \
BINDIR=/usr/sbin \
LIBDIR=/usr/lib${LIBDIRSUFFIX} || exit 1
# Make sure man pages are built
make -C doc/docbook man
# This goes into the doc directory later on:
mv wpa_supplicant.conf wpa_supplicant.conf.sample
# Install binaries:
mkdir -p $PKG/usr/sbin $PKG/usr/bin
cp wpa_supplicant wpa_passphrase wpa_cli $PKG/usr/sbin/
cp wpa_gui-qt4/wpa_gui $PKG/usr/bin/
find $PKG | xargs file | grep -e "executable" -e "shared object" | grep ELF \
| cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null
# Install dbus configuration file:
mkdir -p $PKG/etc/dbus-1/system.d/
cp dbus/dbus-wpa_supplicant.conf \
$PKG/etc/dbus-1/system.d/dbus-wpa_supplicant.conf
mkdir -p $PKG/usr/share/dbus-1/system-services
install -m644 dbus/*.service $PKG/usr/share/dbus-1/system-services/
# Install a .desktop file and icon for wpa_gui:
# (converted from the wpa_gui.svg in the source)
mkdir -p $PKG/usr/share/{applications,pixmaps}
cat $CWD/config/wpa_gui.desktop > $PKG/usr/share/applications/wpa_gui.desktop
cat $CWD/config/wpa_gui.png > $PKG/usr/share/pixmaps/wpa_gui.png
# Install a logrotate config
mkdir -p $PKG/etc/logrotate.d
cat $CWD/config/wpa_supplicant.logrotate > $PKG/etc/logrotate.d/wpa_supplicant.new
# Install man pages:
for m in 5 8; do
mkdir -p $PKG/usr/man/man${m}
cp doc/docbook/*.${m} $PKG/usr/man/man${m}/
done
find $PKG/usr/man -type f -name "*.?" -exec gzip -9f {} \;
# Install a default configuration file (only readable by root):
mkdir -p $PKG/etc
cat $CWD/config/wpa_supplicant.conf > $PKG/etc/wpa_supplicant.conf.new
chmod 600 $PKG/etc/wpa_supplicant.conf.new
mkdir -p $PKG/usr/doc/$PKGNAM-$VERSION
cp -a \
ChangeLog ../COPYING README README-{P2P,WPS} examples *.txt *.sample $CWD/README.slackware \
$PKG/usr/doc/$PKGNAM-$VERSION
chown -R root:root $PKG/usr/doc/$PKGNAM-$VERSION/*
chmod -R a-w $PKG/usr/doc/$PKGNAM-$VERSION/*
# If there's a ChangeLog, installing at least part of the recent history
# is useful, but don't let it get totally out of control:
if [ -r ChangeLog ]; then
DOCSDIR=$(echo $PKG/usr/doc/${PKGNAM}-$VERSION)
cat ChangeLog | head -n 1000 > $DOCSDIR/ChangeLog
touch -r ChangeLog $DOCSDIR/ChangeLog
fi
mkdir -p $PKG/install
cat $CWD/slack-desc > $PKG/install/slack-desc
zcat $CWD/doinst.sh.gz >> $PKG/install/doinst.sh
cd $PKG
/sbin/makepkg -l y -c n $TMP/${PKGNAM}-${VERSION}-${ARCH}-${BUILD}.txz
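Review bot: The eight `zcat ... | patch -p1 || exit 1` lines test only the exit status of `patch`, the last command in each pipeline, so a failing `zcat` on a damaged .patch.gz is not itself detected, and these security patches run without the `--verbose` that the other four patches use. Decompress each file in a separate checked step and pass `--verbose` so the build log records which files were patched; also add `|| exit 1` to `make -C doc/docbook man`, the only `make` call without it.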