Hi! Here's an update to wpa_supplicant-2.1.
Some notes: openbsd driver has been merged upstream. patch-src_crypto_tls_h and patch-src_crypto_tls_openssl_c are required to unbreak handling of SSL client certificates (it would seem they have shipped a broken release, see: http://forums.gentoo.org/viewtopic-p-7505198.html) I need patch-src_crypto_ms_funcs_c to authenticate my OpenBSD laptop against my employer's Cisco + Microsoft IAS 802.1x infrastructure Please test it in your environment (eduroam users?) Ciao, David
Index: Makefile
===================================================================
RCS file: /cvs/ports/security/wpa_supplicant/Makefile,v
retrieving revision 1.13
diff -u -p -u -p -r1.13 Makefile
--- Makefile 31 Oct 2013 21:12:13 -0000 1.13
+++ Makefile 17 Mar 2014 08:54:51 -0000
@@ -2,8 +2,7 @@ COMMENT= IEEE 802.1X supplicant
-DISTNAME= wpa_supplicant-2.0
-REVISION= 4
+DISTNAME= wpa_supplicant-2.1
 CATEGORIES= security net
 HOMEPAGE= http://hostap.epitest.fi/wpa_supplicant/
@@ -31,7 +30,6 @@ EXAMPLEDIR= ${PREFIX}/share/examples/wpa
 post-extract:
 @${SUBST_CMD} -c ${FILESDIR}/config ${WRKSRC}/.config
- @cp ${FILESDIR}/driver_openbsd.c ${WRKSRC}/../src/drivers/
 post-install:
 @#${INSTALL_PROGRAM} ${WRKBUILD}/wpa_priv ${PREFIX}/sbin
Index: distinfo
===================================================================
RCS file: /cvs/ports/security/wpa_supplicant/distinfo,v
retrieving revision 1.3
diff -u -p -u -p -r1.3 distinfo
--- distinfo 28 Jan 2013 11:03:16 -0000 1.3
+++ distinfo 17 Mar 2014 08:54:51 -0000
@@ -1,2 +1,2 @@
-SHA256 (wpa_supplicant-2.0.tar.gz) = LBFWCfu1Ij1ROBCEpclERVqK/NqB1YQXP/VbojM3ngk=
-SIZE (wpa_supplicant-2.0.tar.gz) = 2044281
+SHA256 (wpa_supplicant-2.1.tar.gz) = kWMufjtJo0DOQI4vl4qTVGppc4Or8uWmDxRvqunhsnc=
+SIZE (wpa_supplicant-2.1.tar.gz) = 2222066
Index: files/driver_openbsd.c
===================================================================
RCS file: files/driver_openbsd.c
diff -N files/driver_openbsd.c
--- files/driver_openbsd.c 26 Nov 2013 19:46:52 -0000 1.2
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,137 +0,0 @@ -/* - * Driver interaction with OpenBSD net80211 layer - * Copyright (c) 2013, Mark Kettenis - * - * This software may be distributed under the terms of the BSD license. - * See README for more details. - */ - -#include "includes.h" -#include <sys/ioctl.h> - -#include <net/if.h> -#include <net/if_var.h> -#include <net80211/ieee80211.h> -#include <net80211/ieee80211_crypto.h> -#include <net80211/ieee80211_ioctl.h> - -#include "common.h" -#include "driver.h" - -struct openbsd_driver_data { - char ifname[IFNAMSIZ + 1]; - void *ctx; - - int sock; /* open socket for 802.11 ioctls */ -}; - - -static int -wpa_driver_openbsd_get_ssid(void *priv, u8 *ssid) -{ - struct openbsd_driver_data *drv = priv; - struct ieee80211_nwid nwid; - struct ifreq ifr; - - os_memset(&ifr, 0, sizeof(ifr)); - os_strlcpy(ifr.ifr_name, drv->ifname, sizeof(ifr.ifr_name)); - ifr.ifr_data = (void *)&nwid; - if (ioctl(drv->sock, SIOCG80211NWID, &ifr) < 0 || - nwid.i_len > IEEE80211_NWID_LEN) - return -1; - - os_memcpy(ssid, nwid.i_nwid, nwid.i_len); - return nwid.i_len; -} - -static int -wpa_driver_openbsd_get_bssid(void *priv, u8 *bssid) -{ - struct openbsd_driver_data *drv = priv; - struct ieee80211_bssid id; - - os_strlcpy(id.i_name, drv->ifname, sizeof(id.i_name)); - if (ioctl(drv->sock, SIOCG80211BSSID, &id) < 0) - return -1; - - os_memcpy(bssid, id.i_bssid, IEEE80211_ADDR_LEN); - return 0; -} - - -static int -wpa_driver_openbsd_get_capa(void *priv, struct wpa_driver_capa *capa) -{ - os_memset(capa, 0, sizeof(*capa)); - capa->flags = WPA_DRIVER_FLAGS_4WAY_HANDSHAKE; - return 0; -} - - -static int -wpa_driver_openbsd_set_key(const char *ifname, void *priv, enum wpa_alg alg, - const unsigned char *addr, int key_idx, int set_tx, const u8 *seq, - size_t seq_len, const u8 *key, size_t key_len) -{ - struct openbsd_driver_data *drv = priv; - struct ieee80211_keyavail keyavail; - - if (alg != WPA_ALG_PMK || key_len > IEEE80211_PMK_LEN) - return -1; - - memset(&keyavail, 0, 
sizeof(keyavail)); - os_strlcpy(keyavail.i_name, drv->ifname, sizeof(keyavail.i_name)); - if (wpa_driver_openbsd_get_bssid(priv, keyavail.i_macaddr) < 0) - return -1; - memcpy(keyavail.i_key, key, key_len); - - if (ioctl(drv->sock, SIOCS80211KEYAVAIL, &keyavail) < 0) - return -1; - - return 0; -} - -static void * -wpa_driver_openbsd_init(void *ctx, const char *ifname) -{ - struct openbsd_driver_data *drv; - - drv = os_zalloc(sizeof(*drv)); - if (drv == NULL) - return NULL; - - drv->sock = socket(PF_INET, SOCK_DGRAM, 0); - if (drv->sock < 0) - goto fail; - - drv->ctx = ctx; - os_strlcpy(drv->ifname, ifname, sizeof(drv->ifname)); - - return drv; - -fail: - os_free(drv); - return NULL; -} - - -static void -wpa_driver_openbsd_deinit(void *priv) -{ - struct openbsd_driver_data *drv = priv; - - close(drv->sock); - os_free(drv); -} - - -const struct wpa_driver_ops wpa_driver_openbsd_ops = { - .name = "openbsd", - .desc = "OpenBSD 802.11 support", - .get_ssid = wpa_driver_openbsd_get_ssid, - .get_bssid = wpa_driver_openbsd_get_bssid, - .get_capa = wpa_driver_openbsd_get_capa, - .set_key = wpa_driver_openbsd_set_key, - .init = wpa_driver_openbsd_init, - .deinit = wpa_driver_openbsd_deinit, -}; Index: patches/patch-src_crypto_ms_funcs_c =================================================================== RCS file: patches/patch-src_crypto_ms_funcs_c diff -N patches/patch-src_crypto_ms_funcs_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-src_crypto_ms_funcs_c 17 Mar 2014 08:54:51 -0000 
@@ -0,0 +1,24 @@
+$OpenBSD$
+
+commit 22dd2d7a987325faa089e65914c1602cad85f747
+Author: Jouni Malinen <[email protected]>
+Date: Sat Feb 15 12:06:35 2014 +0200
+
+Fix MSCHAP UTF-8 to UCS-2 conversion for three-byte encoding
+
+This fixes issues in using a password that includes a UTF-8 character
+with three-byte encoding with EAP methods that use NtPasswordHash
+(anything using MSCHAPv2 or LEAP).
+
+Signed-off-by: Jouni Malinen <[email protected]>
+
+--- src/crypto/ms_funcs.c.orig Tue Feb 4 12:23:35 2014
++++ src/crypto/ms_funcs.c Fri Mar 14 10:49:39 2014
+@@ -58,6 +58,7 @@ static int utf8_to_ucs2(const u8 *utf8_string, size_t
+ WPA_PUT_LE16(ucs2_buffer + j,
+ ((c & 0xF) << 12) |
+ ((c2 & 0x3F) << 6) | (c3 & 0x3F));
++ j += 2;
+ }
+ }
+ }
Index: patches/patch-src_crypto_tls_h
===================================================================
RCS file: patches/patch-src_crypto_tls_h
diff -N patches/patch-src_crypto_tls_h
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_crypto_tls_h 17 Mar 2014 08:54:51 -0000
@@ -0,0 +1,29 @@
+$OpenBSD$
+
+commit b62d5b5450101676a0c05691b4bcd94e11426397
+Author: Jouni Malinen <[email protected]>
+Date: Wed Feb 19 11:56:02 2014 +0200
+
+Revert "OpenSSL: Do not accept SSL Client certificate for server"
+
+This reverts commit 51e3eafb68e15e78e98ca955704be8a6c3a7b304. There are
+too many deployed AAA servers that include both id-kp-clientAuth and
+id-kp-serverAuth EKUs for this change to be acceptable as a generic rule
+for AAA authentication server validation. OpenSSL enforces the policy of
+not connecting if only id-kp-clientAuth is included. If a valid EKU is
+listed with it, the connection needs to be accepted.
+
+Signed-off-by: Jouni Malinen <[email protected]>
+
+--- src/crypto/tls.h.orig Tue Feb 4 12:23:35 2014
++++ src/crypto/tls.h Fri Mar 14 14:33:33 2014
+@@ -41,8 +41,7 @@ enum tls_fail_reason {
+ TLS_FAIL_ALTSUBJECT_MISMATCH = 6,
+ TLS_FAIL_BAD_CERTIFICATE = 7,
+ TLS_FAIL_SERVER_CHAIN_PROBE = 8,
+- TLS_FAIL_DOMAIN_SUFFIX_MISMATCH = 9,
+- TLS_FAIL_SERVER_USED_CLIENT_CERT = 10
++ TLS_FAIL_DOMAIN_SUFFIX_MISMATCH = 9
+ };
+
+ union tls_event_data {
Index: patches/patch-src_crypto_tls_openssl_c
===================================================================
RCS file: patches/patch-src_crypto_tls_openssl_c
diff -N patches/patch-src_crypto_tls_openssl_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_crypto_tls_openssl_c 17 Mar 2014 08:54:51 -0000
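Review bot: Removing `TLS_FAIL_SERVER_USED_CLIENT_CERT` here, together with the verify-callback check dropped in the patch-src_crypto_tls_openssl_c section that follows, means an authentication server whose certificate carries id-kp-clientAuth alongside id-kp-serverAuth is accepted again, so the per-network `ca_cert`, `altsubject_match` and `domain_suffix_match` settings are what remains to pin which server is trusted. That follows the upstream reasoning in the embedded commit message, but the port carries it as a local revert and the only local text is `$OpenBSD$`; a line such as `backport of upstream revert b62d5b5, drop once the port moves past 2.1` would tell the next updater when both patch files can go. This note covers the tls_openssl.c patch as well.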
@@ -0,0 +1,53 @@
+$OpenBSD$
+
+commit b62d5b5450101676a0c05691b4bcd94e11426397
+Author: Jouni Malinen <[email protected]>
+Date: Wed Feb 19 11:56:02 2014 +0200
+
+Revert "OpenSSL: Do not accept SSL Client certificate for server"
+
+This reverts commit 51e3eafb68e15e78e98ca955704be8a6c3a7b304. There are
+too many deployed AAA servers that include both id-kp-clientAuth and
+id-kp-serverAuth EKUs for this change to be acceptable as a generic rule
+for AAA authentication server validation. OpenSSL enforces the policy of
+not connecting if only id-kp-clientAuth is included. If a valid EKU is
+listed with it, the connection needs to be accepted.
+
+Signed-off-by: Jouni Malinen <[email protected]>
+
+--- src/crypto/tls_openssl.c.orig Tue Feb 4 12:23:35 2014
++++ src/crypto/tls_openssl.c Fri Mar 14 14:33:33 2014
+@@ -105,7 +105,6 @@ struct tls_connection {
+ unsigned int ca_cert_verify:1;
+ unsigned int cert_probe:1;
+ unsigned int server_cert_only:1;
+- unsigned int server:1;
+
+ u8 srv_cert_hash[32];
+
+@@ -1477,16 +1476,6 @@ static int tls_verify_cb(int preverify_ok, X509_STORE_
+ TLS_FAIL_SERVER_CHAIN_PROBE);
+ }
+
+- if (!conn->server && err_cert && preverify_ok && depth == 0 &&
+- (err_cert->ex_flags & EXFLAG_XKUSAGE) &&
+- (err_cert->ex_xkusage & XKU_SSL_CLIENT)) {
+- wpa_printf(MSG_WARNING, "TLS: Server used client certificate");
+- openssl_tls_fail_event(conn, err_cert, err, depth, buf,
+- "Server used client certificate",
+- TLS_FAIL_SERVER_USED_CLIENT_CERT);
+- preverify_ok = 0;
+- }
+-
+ if (preverify_ok && context->event_cb != NULL)
+ context->event_cb(context->cb_ctx,
+ TLS_CERT_CHAIN_SUCCESS, NULL);
+@@ -2537,8 +2526,6 @@ openssl_handshake(struct tls_connection *conn, const s
+ {
+ int res;
+ struct wpabuf *out_data;
+-
+- conn->server = !!server;
+
+ /*
+ * Give TLS handshake data from the server (if available) to OpenSSL
Index: patches/patch-src_drivers_driver_openbsd_c
===================================================================
RCS file: patches/patch-src_drivers_driver_openbsd_c
diff -N patches/patch-src_drivers_driver_openbsd_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_drivers_driver_openbsd_c 17 Mar 2014 08:54:51 -0000
@@ -0,0 +1,14 @@
+$OpenBSD$
+
+missing include
+
+--- src/drivers/driver_openbsd.c.orig Fri Mar 14 10:44:23 2014
++++ src/drivers/driver_openbsd.c Fri Mar 14 10:44:46 2014
+@@ -10,6 +10,7 @@
+ #include <sys/ioctl.h>
+
+ #include <net/if.h>
++#include <net/if_var.h>
+ #include <net80211/ieee80211.h>
+ #include <net80211/ieee80211_crypto.h>
+ #include <net80211/ieee80211_ioctl.h>
Index: patches/patch-src_drivers_drivers_c
===================================================================
RCS file: patches/patch-src_drivers_drivers_c
diff -N patches/patch-src_drivers_drivers_c
--- patches/patch-src_drivers_drivers_c 28 Jan 2013 11:03:16 -0000 1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
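Review bot: The patch comment `missing include` records neither which declaration needs `<net/if_var.h>` nor whether the fix was sent upstream, and with the driver now maintained upstream the second point is what decides when this patch can be retired. The deleted files/driver_openbsd.c carried the same include between `<net/if.h>` and `<net80211/ieee80211.h>`, so this reads as a detail lost in the upstream merge rather than a new requirement, though the header that actually depends on it is not visible here. Something like `missing include: <net/if_var.h> is needed by the net80211 headers on OpenBSD; reported upstream <DATE/URL>`, with the dependency confirmed and the placeholder filled in, keeps that context with the patch.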
@@ -1,23 +0,0 @@
-$OpenBSD: patch-src_drivers_drivers_c,v 1.1 2013/01/28 11:03:16 sthen Exp $
---- src/drivers/drivers.c.orig Sun Jan 27 18:04:16 2013
-+++ src/drivers/drivers.c Sun Jan 27 18:05:04 2013
-@@ -24,6 +24,9 @@ extern struct wpa_driver_ops wpa_driver_madwifi_ops; /
- #ifdef CONFIG_DRIVER_BSD
- extern struct wpa_driver_ops wpa_driver_bsd_ops; /* driver_bsd.c */
- #endif /* CONFIG_DRIVER_BSD */
-+#ifdef CONFIG_DRIVER_OPENBSD
-+extern struct wpa_driver_ops wpa_driver_openbsd_ops; /* driver_openbsd.c */
-+#endif /* CONFIG_DRIVER_OPENBSD */
- #ifdef CONFIG_DRIVER_NDIS
- extern struct wpa_driver_ops wpa_driver_ndis_ops; /* driver_ndis.c */
- #endif /* CONFIG_DRIVER_NDIS */
-@@ -62,6 +65,9 @@ struct wpa_driver_ops *wpa_drivers[] =
- #ifdef CONFIG_DRIVER_BSD
- &wpa_driver_bsd_ops,
- #endif /* CONFIG_DRIVER_BSD */
-+#ifdef CONFIG_DRIVER_OPENBSD
-+ &wpa_driver_openbsd_ops,
-+#endif /* CONFIG_DRIVER_OPENBSD */
- #ifdef CONFIG_DRIVER_NDIS
- &wpa_driver_ndis_ops,
- #endif /* CONFIG_DRIVER_NDIS */
Index: patches/patch-src_drivers_drivers_mak
===================================================================
RCS file: patches/patch-src_drivers_drivers_mak
diff -N patches/patch-src_drivers_drivers_mak
--- patches/patch-src_drivers_drivers_mak 28 Jan 2013 11:03:16 -0000 1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,18 +0,0 @@
-$OpenBSD: patch-src_drivers_drivers_mak,v 1.1 2013/01/28 11:03:16 sthen Exp $
---- src/drivers/drivers.mak.orig Sun Jan 27 18:05:10 2013
-+++ src/drivers/drivers.mak Sun Jan 27 18:05:42 2013
-@@ -55,6 +55,14 @@ CONFIG_L2_FREEBSD=y
- CONFIG_DNET_PCAP=y
- endif
-
-+ifdef CONFIG_DRIVER_OPENBSD
-+ifndef CONFIG_L2_PACKET
-+CONFIG_L2_PACKET=freebsd
-+endif
-+DRV_CFLAGS += -DCONFIG_DRIVER_OPENBSD
-+DRV_OBJS += ../src/drivers/driver_openbsd.o
-+endif
-+
- ifdef CONFIG_DRIVER_TEST
- DRV_CFLAGS += -DCONFIG_DRIVER_TEST
- DRV_OBJS += ../src/drivers/driver_test.o
Index: patches/patch-src_drivers_drivers_mk
===================================================================
RCS file: patches/patch-src_drivers_drivers_mk
diff -N patches/patch-src_drivers_drivers_mk
--- patches/patch-src_drivers_drivers_mk 28 Jan 2013 11:03:16 -0000 1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,18 +0,0 @@
-$OpenBSD: patch-src_drivers_drivers_mk,v 1.1 2013/01/28 11:03:16 sthen Exp $
---- src/drivers/drivers.mk.orig Sun Jan 27 18:05:45 2013
-+++ src/drivers/drivers.mk Sun Jan 27 18:06:11 2013
-@@ -55,6 +55,14 @@ CONFIG_L2_FREEBSD=y
- CONFIG_DNET_PCAP=y
- endif
-
-+ifdef CONFIG_DRIVER_OPENBSD
-+ifndef CONFIG_L2_PACKET
-+CONFIG_L2_PACKET=freebsd
-+endif
-+DRV_CFLAGS += -DCONFIG_DRIVER_OPENBSD
-+DRV_OBJS += src/drivers/driver_openbsd.c
-+endif
-+
- ifdef CONFIG_DRIVER_TEST
- DRV_CFLAGS += -DCONFIG_DRIVER_TEST
- DRV_OBJS += src/drivers/driver_test.c
Index: patches/patch-src_utils_eloop_c
===================================================================
RCS file: /cvs/ports/security/wpa_supplicant/patches/patch-src_utils_eloop_c,v
retrieving revision 1.1
diff -u -p -u -p -r1.1 patch-src_utils_eloop_c
--- patches/patch-src_utils_eloop_c 4 Feb 2013 10:04:44 -0000 1.1
+++ patches/patch-src_utils_eloop_c 17 Mar 2014 08:54:51 -0000
@@ -2,15 +2,15 @@ $OpenBSD: patch-src_utils_eloop_c,v 1.1
 don't try to access list members to free them unless already initialised
---- src/utils/eloop.c.orig Sat Jan 12 15:42:53 2013
-+++ src/utils/eloop.c Sat Feb 2 12:11:26 2013
-@@ -793,6 +793,9 @@ void eloop_destroy(void)
+--- src/utils/eloop.c.orig Fri Mar 14 10:39:29 2014
++++ src/utils/eloop.c Fri Mar 14 10:41:10 2014
+@@ -887,6 +887,9 @@ void eloop_destroy(void)
 struct eloop_timeout *timeout, *prev;
- struct os_time now;
+ struct os_reltime now;
+ if (eloop.timeout.prev == NULL)
+ return;
+
- os_get_time(&now);
+ os_get_reltime(&now);
 dl_list_for_each_safe(timeout, prev, &eloop.timeout, struct eloop_timeout, list) {
Index: patches/patch-wpa_supplicant_Makefile
===================================================================
RCS file: /cvs/ports/security/wpa_supplicant/patches/patch-wpa_supplicant_Makefile,v
retrieving revision 1.1
diff -u -p -u -p -r1.1 patch-wpa_supplicant_Makefile
--- patches/patch-wpa_supplicant_Makefile 28 Jan 2013 11:03:16 -0000 1.1
+++ patches/patch-wpa_supplicant_Makefile 17 Mar 2014 08:54:51 -0000
@@ -1,7 +1,7 @@
 $OpenBSD: patch-wpa_supplicant_Makefile,v 1.1 2013/01/28 11:03:16 sthen Exp $
---- wpa_supplicant/Makefile.orig Fri Jan 25 23:16:50 2013
-+++ wpa_supplicant/Makefile Fri Jan 25 23:16:53 2013
-@@ -50,7 +50,7 @@ mkconfig:
+--- wpa_supplicant/Makefile.orig Tue Feb 4 12:23:35 2014
++++ wpa_supplicant/Makefile Fri Mar 14 10:54:28 2014
+@@ -56,7 +56,7 @@ mkconfig:
 echo CONFIG_DRIVER_WEXT=y >> .config $(DESTDIR)$(BINDIR)/%: %
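Review bot: The added `if (eloop.timeout.prev == NULL) return;` leaves eloop_destroy() altogether rather than skipping only the timeout walk, and the remainder of that function is outside this hunk; if it tears down anything that can be live while the timeout list was never initialised, wrap the walk in the condition instead of returning early. The patch comment also does not say why `prev == NULL` is the right test — presumably the static `eloop` is zero-filled and the dl_list head only receives its self-pointers in eloop_init(), which, if confirmed, is worth recording as `eloop.timeout is a dl_list whose prev/next stay NULL until eloop_init(); skip the walk if eloop_destroy() runs first`.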
@@ -10,3 +10,17 @@ $OpenBSD: patch-wpa_supplicant_Makefile, install: $(addprefix $(DESTDIR)$(BINDIR)/,$(BINALL)) $(MAKE) -C ../src install
+@@ -118,13 +118,6 @@ CONFIG_ELOOP=eloop
+ endif
+ OBJS += ../src/utils/$(CONFIG_ELOOP).o
+ OBJS_c += ../src/utils/$(CONFIG_ELOOP).o
+-
+-ifeq ($(CONFIG_ELOOP), eloop)
+-# Using glibc < 2.17 requires -lrt for clock_gettime()
+-LIBS += -lrt
+-LIBS_c += -lrt
+-LIBS_p += -lrt
+-endif
+
+ ifdef CONFIG_ELOOP_POLL
+ CFLAGS += -DCONFIG_ELOOP_POLL
Index: pkg/PLIST
===================================================================
RCS file: /cvs/ports/security/wpa_supplicant/pkg/PLIST,v
retrieving revision 1.4
diff -u -p -u -p -r1.4 PLIST
--- pkg/PLIST 6 Feb 2013 17:27:13 -0000 1.4
+++ pkg/PLIST 17 Mar 2014 08:54:51 -0000
@@ -1,6 +1,7 @@
 @comment $OpenBSD: PLIST,v 1.4 2013/02/06 17:27:13 sthen Exp $
 @comment @bin sbin/wpa_priv
 @man man/man5/wpa_supplicant.conf.5
+@man man/man8/eapol_test.8
 @man man/man8/wpa_background.8
 @man man/man8/wpa_cli.8
 @comment @man man/man8/wpa_gui.8
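Review bot: The new hunk drops the unconditional `-lrt` block from wpa_supplicant/Makefile, but the patch file still has no comment between `$OpenBSD$` and the first `---`, and this change is platform-specific rather than self-evident from the diff. A line such as `OpenBSD has no librt; clock_gettime() lives in libc` would make the patch self-describing for the next update. Since upstream already conditions these lines on `CONFIG_ELOOP`, making them depend on the host OS as well is the kind of change that could be sent upstream so the local patch can be retired; the first hunk of this patch begins outside this view and is not covered here.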
