adamwill pushed to wpa_supplicant (master). "new release 2.4, backport CVE-2015-1863 fix, drop libeap"

notifications at fedoraproject.org notifications at fedoraproject.org
Thu Apr 23 17:28:10 UTC 2015


>From 47da8a0463d86cf3b0202759903b5dfc4c26fbcd Mon Sep 17 00:00:00 2001
From: Adam Williamson <awilliam at redhat.com>
Date: Thu, 23 Apr 2015 10:06:50 -0700
Subject: new release 2.4, backport CVE-2015-1863 fix, drop libeap


diff --git a/.gitignore b/.gitignore
index 605a7da..2a36f05 100644
--- a/.gitignore
+++ b/.gitignore
@@ -15,3 +15,4 @@ wpa_supplicant-0.6.8.tar.gz
 /wpa_supplicant-1.1.tar.gz
 /wpa_supplicant-2.0.tar.gz
 /wpa_supplicant-2.3.tar.gz
+/wpa_supplicant-2.4.tar.gz
diff --git a/0001-Add-os_exec-helper-to-run-external-programs.patch b/0001-Add-os_exec-helper-to-run-external-programs.patch
deleted file mode 100644
index 4b774bd..0000000
--- a/0001-Add-os_exec-helper-to-run-external-programs.patch
+++ /dev/null
@@ -1,143 +0,0 @@
-From 89de07a9442072f88d49869d8ecd8d42bae050a0 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <jouni at qca.qualcomm.com>
-Date: Mon, 6 Oct 2014 16:27:44 +0300
-Subject: [PATCH 1/2] Add os_exec() helper to run external programs
-
-Signed-off-by: Jouni Malinen <jouni at qca.qualcomm.com>
----
- src/utils/os.h       |  9 +++++++++
- src/utils/os_unix.c  | 55 ++++++++++++++++++++++++++++++++++++++++++++++++++++
- src/utils/os_win32.c |  6 ++++++
- 3 files changed, 70 insertions(+)
-
-diff --git a/src/utils/os.h b/src/utils/os.h
-index f196209..b9247d8 100644
---- a/src/utils/os.h
-+++ b/src/utils/os.h
-@@ -597,14 +597,23 @@ size_t os_strlcpy(char *dest, const char *src, size_t siz);
-  * Returns: Total length of the target string (length of src) (not including
-  * NUL-termination)
-  *
-  * This function matches in behavior with the strlcpy(3) function in OpenBSD.
-  */
- size_t os_strlcpy(char *dest, const char *src, size_t siz);
- 
-+/**
-+ * os_exec - Execute an external program
-+ * @program: Path to the program
-+ * @arg: Command line argument string
-+ * @wait_completion: Whether to wait until the program execution completes
-+ * Returns: 0 on success, -1 on error
-+ */
-+int os_exec(const char *program, const char *arg, int wait_completion);
-+
- 
- #ifdef OS_REJECT_C_LIB_FUNCTIONS
- #define malloc OS_DO_NOT_USE_malloc
- #define realloc OS_DO_NOT_USE_realloc
- #define free OS_DO_NOT_USE_free
- #define memcpy OS_DO_NOT_USE_memcpy
- #define memmove OS_DO_NOT_USE_memmove
-diff --git a/src/utils/os_unix.c b/src/utils/os_unix.c
-index 7498967..523a4d0 100644
---- a/src/utils/os_unix.c
-+++ b/src/utils/os_unix.c
-@@ -5,14 +5,15 @@
-  * This software may be distributed under the terms of the BSD license.
-  * See README for more details.
-  */
- 
- #include "includes.h"
- 
- #include <time.h>
-+#include <sys/wait.h>
- 
- #ifdef ANDROID
- #include <linux/capability.h>
- #include <linux/prctl.h>
- #include <private/android_filesystem_config.h>
- #endif /* ANDROID */
- 
-@@ -550,7 +551,61 @@ char * os_strdup(const char *s)
- 		return NULL;
- 	os_memcpy(d, s, len);
- 	d[len] = '\0';
- 	return d;
- }
- 
- #endif /* WPA_TRACE */
-+
-+
-+int os_exec(const char *program, const char *arg, int wait_completion)
-+{
-+	pid_t pid;
-+	int pid_status;
-+
-+	pid = fork();
-+	if (pid < 0) {
-+		perror("fork");
-+		return -1;
-+	}
-+
-+	if (pid == 0) {
-+		/* run the external command in the child process */
-+		const int MAX_ARG = 30;
-+		char *_program, *_arg, *pos;
-+		char *argv[MAX_ARG + 1];
-+		int i;
-+
-+		_program = os_strdup(program);
-+		_arg = os_strdup(arg);
-+
-+		argv[0] = _program;
-+
-+		i = 1;
-+		pos = _arg;
-+		while (i < MAX_ARG && pos && *pos) {
-+			while (*pos == ' ')
-+				pos++;
-+			if (*pos == '\0')
-+				break;
-+			argv[i++] = pos;
-+			pos = os_strchr(pos, ' ');
-+			if (pos)
-+				*pos++ = '\0';
-+		}
-+		argv[i] = NULL;
-+
-+		execv(program, argv);
-+		perror("execv");
-+		os_free(_program);
-+		os_free(_arg);
-+		exit(0);
-+		return -1;
-+	}
-+
-+	if (wait_completion) {
-+		/* wait for the child process to complete in the parent */
-+		waitpid(pid, &pid_status, 0);
-+	}
-+
-+	return 0;
-+}
-diff --git a/src/utils/os_win32.c b/src/utils/os_win32.c
-index 55937de..57ee132 100644
---- a/src/utils/os_win32.c
-+++ b/src/utils/os_win32.c
-@@ -254,7 +254,13 @@ int os_memcmp_const(const void *a, const void *b, size_t len)
- 			*dest = '\0';
- 		while (*s++)
- 			; /* determine total src string length */
- 	}
- 
- 	return s - src - 1;
- }
-+
-+
-+int os_exec(const char *program, const char *arg, int wait_completion)
-+{
-+	return -1;
-+}
--- 
-1.9.3
-
diff --git a/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch b/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch
new file mode 100644
index 0000000..626a753
--- /dev/null
+++ b/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch
@@ -0,0 +1,42 @@
+From 9ed4eee345f85e3025c33c6e20aa25696e341ccd Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni at qca.qualcomm.com>
+Date: Tue, 7 Apr 2015 11:32:11 +0300
+Subject: [PATCH] P2P: Validate SSID element length before copying it
+ (CVE-2015-1863)
+
+This fixes a possible memcpy overflow for P2P dev->oper_ssid in
+p2p_add_device(). The length provided by the peer device (0..255 bytes)
+was used without proper bounds checking and that could have resulted in
+arbitrary data of up to 223 bytes being written beyond the end of the
+dev->oper_ssid[] array (of which about 150 bytes would be beyond the
+heap allocation) when processing a corrupted management frame for P2P
+peer discovery purposes.
+
+This could result in corrupted state in heap, unexpected program
+behavior due to corrupted P2P peer device information, denial of service
+due to process crash, exposure of memory contents during GO Negotiation,
+and potentially arbitrary code execution.
+
+Thanks to Google security team for reporting this issue and smart
+hardware research group of Alibaba security team for discovering it.
+
+Signed-off-by: Jouni Malinen <jouni at qca.qualcomm.com>
+---
+ src/p2p/p2p.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c
+index f584fae..a45fe73 100644
+--- a/src/p2p/p2p.c
++++ b/src/p2p/p2p.c
+@@ -778,6 +778,7 @@ int p2p_add_device(struct p2p_data *p2p, const u8 *addr, int freq,
+ 	if (os_memcmp(addr, p2p_dev_addr, ETH_ALEN) != 0)
+ 		os_memcpy(dev->interface_addr, addr, ETH_ALEN);
+ 	if (msg.ssid &&
++	    msg.ssid[1] <= sizeof(dev->oper_ssid) &&
+ 	    (msg.ssid[1] != P2P_WILDCARD_SSID_LEN ||
+ 	     os_memcmp(msg.ssid + 2, P2P_WILDCARD_SSID, P2P_WILDCARD_SSID_LEN)
+ 	     != 0)) {
+-- 
+2.3.5
+
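Review bot: The added bound `msg.ssid[1] <= sizeof(dev->oper_ssid)` protects only this one branch of p2p_add_device(), and as far as the hunk shows an oversized SSID element is then dropped without any trace. Other readers of `msg.ssid` are not visible here, so whether they also trust the peer-supplied length byte (0..255 per the commit message) should be confirmed against the 2.4 tree before treating the backport as complete. Rejecting the element where the P2P message is parsed would cover every consumer with one check. A debug line on the reject path, for example `wpa_printf(MSG_DEBUG, "P2P: Ignore SSID element with invalid length %d", msg.ssid[1]);`, would make malformed discovery frames visible in logs. The body of p2p_add_device(), including the copy this condition guards, starts and ends outside the hunk.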
diff --git a/0002-wpa_cli-Use-os_exec-for-action-script-execution.patch b/0002-wpa_cli-Use-os_exec-for-action-script-execution.patch
deleted file mode 100644
index 2ff9301..0000000
--- a/0002-wpa_cli-Use-os_exec-for-action-script-execution.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From c5f258de76dbb67fb64beab39a99e5c5711f41fe Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <jouni at qca.qualcomm.com>
-Date: Mon, 6 Oct 2014 17:25:52 +0300
-Subject: [PATCH 2/2] wpa_cli: Use os_exec() for action script execution
-
-Use os_exec() to run the action script operations to avoid undesired
-command line processing for control interface event strings. Previously,
-it could have been possible for some of the event strings to include
-unsanitized data which is not suitable for system() use. (CVE-2014-3686)
-
-Signed-off-by: Jouni Malinen <jouni at qca.qualcomm.com>
----
- wpa_supplicant/wpa_cli.c | 25 ++++++++-----------------
- 1 file changed, 8 insertions(+), 17 deletions(-)
-
-diff --git a/wpa_supplicant/wpa_cli.c b/wpa_supplicant/wpa_cli.c
-index 18b9b77..fe30b41 100644
---- a/wpa_supplicant/wpa_cli.c
-+++ b/wpa_supplicant/wpa_cli.c
-@@ -3155,36 +3155,27 @@ static int str_match(const char *a, const char *b)
- 	return os_strncmp(a, b, os_strlen(b)) == 0;
- }
- 
- 
- static int wpa_cli_exec(const char *program, const char *arg1,
- 			const char *arg2)
- {
--	char *cmd;
-+	char *arg;
- 	size_t len;
- 	int res;
--	int ret = 0;
- 
--	len = os_strlen(program) + os_strlen(arg1) + os_strlen(arg2) + 3;
--	cmd = os_malloc(len);
--	if (cmd == NULL)
-+	len = os_strlen(arg1) + os_strlen(arg2) + 2;
-+	arg = os_malloc(len);
-+	if (arg == NULL)
- 		return -1;
--	res = os_snprintf(cmd, len, "%s %s %s", program, arg1, arg2);
--	if (res < 0 || (size_t) res >= len) {
--		os_free(cmd);
--		return -1;
--	}
--	cmd[len - 1] = '\0';
--#ifndef _WIN32_WCE
--	if (system(cmd) < 0)
--		ret = -1;
--#endif /* _WIN32_WCE */
--	os_free(cmd);
-+	os_snprintf(arg, len, "%s %s", arg1, arg2);
-+	res = os_exec(program, arg, 1);
-+	os_free(arg);
- 
--	return ret;
-+	return res;
- }
- 
- 
- static void wpa_cli_action_process(const char *msg)
- {
- 	const char *pos;
- 	char *copy = NULL, *id, *pos2;
--- 
-1.9.3
-
diff --git a/libnl3-includes.patch b/libnl3-includes.patch
deleted file mode 100644
index 7effbc3..0000000
--- a/libnl3-includes.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/src/drivers/drivers.mak b/src/drivers/drivers.mak
-index cdb913e..e9fc83c 100644
---- a/src/drivers/drivers.mak
-+++ b/src/drivers/drivers.mak
-@@ -35,7 +35,7 @@ NEED_RFKILL=y
- ifdef CONFIG_LIBNL32
-   DRV_LIBS += -lnl-3
-   DRV_LIBS += -lnl-genl-3
--  DRV_CFLAGS += -DCONFIG_LIBNL20 -I/usr/include/libnl3
-+  DRV_CFLAGS += -DCONFIG_LIBNL20 `pkg-config --cflags libnl-3.0`
- ifdef CONFIG_LIBNL3_ROUTE
-   DRV_LIBS += -lnl-route-3
-   DRV_CFLAGS += -DCONFIG_LIBNL3_ROUTE
diff --git a/rh1032758-fix-pmksa-cache-entry-clearing.patch b/rh1032758-fix-pmksa-cache-entry-clearing.patch
deleted file mode 100644
index 91fdc12..0000000
--- a/rh1032758-fix-pmksa-cache-entry-clearing.patch
+++ /dev/null
@@ -1,150 +0,0 @@
-From 4033935dd9098938838d6d7934ceb65f92a1fa3c Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <jouni at qca.qualcomm.com>
-Date: Wed, 22 May 2013 13:24:30 +0300
-Subject: [PATCH] Fix OKC-based PMKSA cache entry clearing
-
-Commit c3fea272747f738f5723fc577371fe03711d988f added a call to clear
-all other PMKSA cache entries for the same network if the PMKSA cache
-entry of the current AP changed. This was needed to fix OKC cases since
-the other APs would likely use the new PMK in the future. However, this
-ended up clearing entries in cases where that is not desired and this
-resulted in needing additional full EAP authentication with networks
-that did not support OKC if wpa_supplicant was configured to try to use
-it.
-
-Make PMKSA cache entry flushing more limited so that the other entries
-are removed only if they used the old PMK that was replaced for the
-current AP and only if that PMK had previously been used successfully
-(i.e., opportunistic flag was already cleared back to 0 in
-wpa_supplicant_key_neg_complete()). This is still enough to fix the
-issue described in that older commit while not causing problems for
-standard PMKSA caching operations even if OKC is enabled in
-wpa_supplicant configuration.
-
-Signed-hostap: Jouni Malinen <jouni at qca.qualcomm.com>
----
- src/rsn_supp/pmksa_cache.c | 27 ++++++++++++++++++++-------
- src/rsn_supp/pmksa_cache.h |  3 ++-
- src/rsn_supp/wpa.c         |  2 +-
- 3 files changed, 23 insertions(+), 9 deletions(-)
-
-diff --git a/src/rsn_supp/pmksa_cache.c b/src/rsn_supp/pmksa_cache.c
-index df67583..93056ea 100644
---- a/src/rsn_supp/pmksa_cache.c
-+++ b/src/rsn_supp/pmksa_cache.c
-@@ -160,25 +160,31 @@ pmksa_cache_add(struct rsn_pmksa_cache *pmksa, const u8 *pmk, size_t pmk_len,
- 				os_free(entry);
- 				return pos;
- 			}
- 			if (prev == NULL)
- 				pmksa->pmksa = pos->next;
- 			else
- 				prev->next = pos->next;
--			wpa_printf(MSG_DEBUG, "RSN: Replace PMKSA entry for "
--				   "the current AP");
--			pmksa_cache_free_entry(pmksa, pos, PMKSA_REPLACE);
- 
- 			/*
- 			 * If OKC is used, there may be other PMKSA cache
- 			 * entries based on the same PMK. These needs to be
- 			 * flushed so that a new entry can be created based on
--			 * the new PMK.
-+			 * the new PMK. Only clear other entries if they have a
-+			 * matching PMK and this PMK has been used successfully
-+			 * with the current AP, i.e., if opportunistic flag has
-+			 * been cleared in wpa_supplicant_key_neg_complete().
- 			 */
--			pmksa_cache_flush(pmksa, network_ctx);
-+			wpa_printf(MSG_DEBUG, "RSN: Replace PMKSA entry for "
-+				   "the current AP and any PMKSA cache entry "
-+				   "that was based on the old PMK");
-+			if (!pos->opportunistic)
-+				pmksa_cache_flush(pmksa, network_ctx, pos->pmk,
-+						  pos->pmk_len);
-+			pmksa_cache_free_entry(pmksa, pos, PMKSA_REPLACE);
- 			break;
- 		}
- 		prev = pos;
- 		pos = pos->next;
- 	}
- 
- 	if (pmksa->pmksa_count >= pmksa_cache_max_entries && pmksa->pmksa) {
-@@ -231,23 +237,30 @@ pmksa_cache_add(struct rsn_pmksa_cache *pmksa, const u8 *pmk, size_t pmk_len,
- }
- 
- 
- /**
-  * pmksa_cache_flush - Flush PMKSA cache entries for a specific network
-  * @pmksa: Pointer to PMKSA cache data from pmksa_cache_init()
-  * @network_ctx: Network configuration context or %NULL to flush all entries
-+ * @pmk: PMK to match for or %NYLL to match all PMKs
-+ * @pmk_len: PMK length
-  */
--void pmksa_cache_flush(struct rsn_pmksa_cache *pmksa, void *network_ctx)
-+void pmksa_cache_flush(struct rsn_pmksa_cache *pmksa, void *network_ctx,
-+		       const u8 *pmk, size_t pmk_len)
- {
- 	struct rsn_pmksa_cache_entry *entry, *prev = NULL, *tmp;
- 	int removed = 0;
- 
- 	entry = pmksa->pmksa;
- 	while (entry) {
--		if (entry->network_ctx == network_ctx || network_ctx == NULL) {
-+		if ((entry->network_ctx == network_ctx ||
-+		     network_ctx == NULL) &&
-+		    (pmk == NULL ||
-+		     (pmk_len == entry->pmk_len &&
-+		      os_memcmp(pmk, entry->pmk, pmk_len) == 0))) {
- 			wpa_printf(MSG_DEBUG, "RSN: Flush PMKSA cache entry "
- 				   "for " MACSTR, MAC2STR(entry->aa));
- 			if (prev)
- 				prev->next = entry->next;
- 			else
- 				pmksa->pmksa = entry->next;
- 			tmp = entry;
-diff --git a/src/rsn_supp/pmksa_cache.h b/src/rsn_supp/pmksa_cache.h
-index 6f3dfb3..d5aa229 100644
---- a/src/rsn_supp/pmksa_cache.h
-+++ b/src/rsn_supp/pmksa_cache.h
-@@ -62,15 +62,16 @@ struct rsn_pmksa_cache_entry * pmksa_cache_get_current(struct wpa_sm *sm);
- void pmksa_cache_clear_current(struct wpa_sm *sm);
- int pmksa_cache_set_current(struct wpa_sm *sm, const u8 *pmkid,
- 			    const u8 *bssid, void *network_ctx,
- 			    int try_opportunistic);
- struct rsn_pmksa_cache_entry *
- pmksa_cache_get_opportunistic(struct rsn_pmksa_cache *pmksa,
- 			      void *network_ctx, const u8 *aa);
--void pmksa_cache_flush(struct rsn_pmksa_cache *pmksa, void *network_ctx);
-+void pmksa_cache_flush(struct rsn_pmksa_cache *pmksa, void *network_ctx,
-+		       const u8 *pmk, size_t pmk_len);
- 
- #else /* IEEE8021X_EAPOL and !CONFIG_NO_WPA2 */
- 
- static inline struct rsn_pmksa_cache *
- pmksa_cache_init(void (*free_cb)(struct rsn_pmksa_cache_entry *entry,
- 				 void *ctx, int reason),
- 		 void *ctx, struct wpa_sm *sm)
-diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
-index e50404c..365a710 100644
---- a/src/rsn_supp/wpa.c
-+++ b/src/rsn_supp/wpa.c
-@@ -2618,15 +2618,15 @@ void wpa_sm_update_replay_ctr(struct wpa_sm *sm, const u8 *replay_ctr)
- 	os_memcpy(sm->rx_replay_counter, replay_ctr, WPA_REPLAY_COUNTER_LEN);
- }
- 
- 
- void wpa_sm_pmksa_cache_flush(struct wpa_sm *sm, void *network_ctx)
- {
- #ifndef CONFIG_NO_WPA2
--	pmksa_cache_flush(sm->pmksa, network_ctx);
-+	pmksa_cache_flush(sm->pmksa, network_ctx, NULL, 0);
- #endif /* CONFIG_NO_WPA2 */
- }
- 
- 
- #ifdef CONFIG_WNM
- int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf)
- {
--- 
-1.8.3.1
-
diff --git a/rh948453-man-page.patch b/rh948453-man-page.patch
deleted file mode 100644
index 06e95ca..0000000
--- a/rh948453-man-page.patch
+++ /dev/null
@@ -1,397 +0,0 @@
-diff -up wpa_supplicant-2.0/wpa_supplicant/doc/docbook/eapol_test.sgml.man-page wpa_supplicant-2.0/wpa_supplicant/doc/docbook/eapol_test.sgml
---- wpa_supplicant-2.0/wpa_supplicant/doc/docbook/eapol_test.sgml.man-page	2014-01-20 16:40:02.340869189 -0600
-+++ wpa_supplicant-2.0/wpa_supplicant/doc/docbook/eapol_test.sgml	2014-01-20 16:40:02.340869189 -0600
-@@ -0,0 +1,205 @@
-+<!doctype refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
-+
-+<refentry>
-+  <refmeta>
-+    <refentrytitle>eapol_test</refentrytitle>
-+    <manvolnum>8</manvolnum>
-+  </refmeta>
-+  <refnamediv>
-+    <refname>eapol_test</refname>
-+
-+    <refpurpose>EAP peer and RADIUS client testing</refpurpose>
-+  </refnamediv>
-+
-+  <refsynopsisdiv>
-+    <cmdsynopsis>
-+      <command>eapol_test</command>
-+      <arg>-nWS</arg>
-+      <arg>-c<replaceable>config file</replaceable></arg>
-+      <arg>-a<replaceable>server IP address</replaceable></arg>
-+      <arg>-A<replaceable>client IP address</replaceable></arg>
-+      <arg>-p<replaceable>UDP port</replaceable></arg>
-+      <arg>-s<replaceable>shared secret</replaceable></arg>
-+      <arg>-r<replaceable>re-authentications</replaceable></arg>
-+      <arg>-t<replaceable>timeout</replaceable></arg>
-+      <arg>-C<replaceable>Connect-Info</replaceable></arg>
-+      <arg>-M<replaceable>MAC address</replaceable></arg>
-+      <arg>-o<replaceable>file</replaceable></arg>
-+      <arg>-N<replaceable>attr spec</replaceable></arg>
-+    </cmdsynopsis>
-+    <cmdsynopsis>
-+      <command>eapol_test scard</command>
-+    </cmdsynopsis>
-+    <cmdsynopsis>
-+      <command>eapol_test sim</command>
-+      <arg>PIN</arg>
-+      <arg>num triplets</arg>
-+    </cmdsynopsis>
-+  </refsynopsisdiv>
-+
-+  <refsect1>
-+    <title>Overview</title>
-+
-+    <para>eapol_test is a program that links together the same EAP
-+    peer implementation that wpa_supplicant is using and the RADIUS
-+    authentication client code from hostapd. In addition, it has
-+    minimal glue code to combine these two components in similar
-+    ways to IEEE 802.1X/EAPOL Authenticator state machines. In other
-+    words, it integrates IEEE 802.1X Authenticator (normally, an
-+    access point) and IEEE 802.1X Supplicant (normally, a wireless
-+    client) together to generate a single program that can be used to
-+    test EAP methods without having to setup an access point and a
-+    wireless client.</para>
-+
-+    <para>The main uses for eapol_test are in interoperability testing
-+    of EAP methods against RADIUS servers and in development testing
-+    for new EAP methods. It can be easily used to automate EAP testing
-+    for interoperability and regression since the program can be run
-+    from shell scripts without require additional test components apart
-+    from a RADIUS server. For example, the automated EAP tests described
-+    in eap_testing.txt are implemented with eapol_test. Similarly,
-+    eapol_test could be used to implement an automated regression
-+    test suite for a RADIUS authentication server.</para>
-+
-+
-+    <para>As an example:</para>
-+
-+<blockquote><programlisting>
-+eapol_test -ctest.conf -a127.0.0.1 -p1812 -ssecret -r1
-+</programlisting></blockquote>
-+
-+    <para>tries to complete EAP authentication based on the network
-+    configuration from test.conf against the RADIUS server running
-+    on the local host. A re-authentication is triggered to test fast
-+    re-authentication. The configuration file uses the same format for
-+    network blocks as wpa_supplicant.</para>
-+
-+  </refsect1>
-+  <refsect1>
-+    <title>Command Arguments</title>
-+    <variablelist>
-+      <varlistentry>
-+	<term>-c configuration file path</term>
-+
-+	<listitem><para>A configuration to use.  The configuration should
-+	use the same format for network blocks as wpa_supplicant.
-+	</para></listitem>
-+      </varlistentry>
-+
-+      <varlistentry>
-+	<term>-a AS address</term>
-+
-+	<listitem><para>IP address of the authentication server.  The
-+	default is '127.0.0.1'.</para></listitem>
-+      </varlistentry>
-+
-+      <varlistentry>
-+	<term>-A client address</term>
-+
-+	<listitem><para>IP address of the client.  The default is to
-+	select an address automatically.</para></listitem>
-+      </varlistentry>
-+
-+      <varlistentry>
-+	<term>-p AS port</term>
-+
-+        <listitem><para>UDP port of the authentication server. The
-+        default is '1812'.</para></listitem>
-+      </varlistentry>
-+
-+      <varlistentry>
-+	<term>-s AS secret</term>
-+
-+	<listitem><para>Shared secret with the authentication server.
-+	The default is 'radius'.</para></listitem>
-+      </varlistentry>
-+
-+      <varlistentry>
-+	<term>-r count</term>
-+
-+	<listitem><para>Number of reauthentications.</para></listitem>
-+      </varlistentry>
-+
-+      <varlistentry>
-+	<term>-t timeout</term>
-+
-+	<listitem><para>Timeout in seconds. The default is 30.</para></listitem>
-+      </varlistentry>
-+
-+      <varlistentry>
-+	<term>-C info</term>
-+
-+	<listitem><para>RADIUS Connect-Info.  The default is
-+	'CONNECT 11Mbps 802.11b'.</para></listitem>
-+      </varlistentry>
-+
-+
-+      <varlistentry>
-+	<term>-M mac address</term>
-+
-+	<listitem><para>Client MAC address (Calling-Station-Id).  The
-+	default is '02:00:00:00:00:01'.</para></listitem>
-+      </varlistentry>
-+
-+      <varlistentry>
-+	<term>-o file</term>
-+
-+	<listitem><para>Location to write out server certificate.
-+	</para></listitem>
-+      </varlistentry>
-+
-+      <varlistentry>
-+	<term>-N attr spec</term>
-+
-+	<listitem><para>Send arbitrary attribute specific by
-+	attr_id:syntax:value, or attr_id alone.  attr_id should be the numeric
-+	ID of the attribute, and syntax should be one of 's' (string),
-+	'd' (integer), or 'x' (octet string). The value is the attribute value
-+	to send.  When attr_id is given alone, NULL is used as the attribute
-+	value.  Multiple attributes can be specified by using the option
-+	several times.</para></listitem>
-+      </varlistentry>
-+
-+      <varlistentry>
-+	<term>-n</term>
-+
-+	<listitem><para>Indicates that no MPPE keys are expected.
-+	</para></listitem>
-+      </varlistentry>
-+
-+      <varlistentry>
-+	<term>-W</term>
-+
-+	<listitem><para>Wait for a control interface monitor before starting.
-+	</para></listitem>
-+      </varlistentry>
-+
-+      <varlistentry>
-+	<term>-S</term>
-+
-+	<listitem><para>Save configuration after authentication.
-+	</para></listitem>
-+      </varlistentry>
-+
-+    </variablelist>
-+  </refsect1>
-+  <refsect1>
-+    <title>See Also</title>
-+    <para>
-+      <citerefentry>
-+	<refentrytitle>wpa_supplicant</refentrytitle>
-+	<manvolnum>8</manvolnum>
-+      </citerefentry>
-+    </para>
-+  </refsect1>
-+  <refsect1>
-+    <title>Legal</title>
-+    <para>wpa_supplicant is copyright (c) 2003-2012,
-+    Jouni Malinen <email>j at w1.fi</email> and
-+    contributors.
-+    All Rights Reserved.</para>
-+
-+    <para>This program is licensed under the BSD license (the one with
-+    advertisement clause removed).</para>
-+  </refsect1>
-+</refentry>
-diff -up wpa_supplicant-2.0/wpa_supplicant/doc/docbook/Makefile.man-page wpa_supplicant-2.0/wpa_supplicant/doc/docbook/Makefile
---- wpa_supplicant-2.0/wpa_supplicant/doc/docbook/Makefile.man-page	2013-01-12 09:42:53.000000000 -0600
-+++ wpa_supplicant-2.0/wpa_supplicant/doc/docbook/Makefile	2014-01-20 16:40:02.342869164 -0600
-@@ -1,4 +1,4 @@
--all: man html pdf
-+all: man
- 
- FILES += wpa_background
- FILES += wpa_cli
-@@ -7,6 +7,7 @@ FILES += wpa_passphrase
- FILES += wpa_priv
- FILES += wpa_supplicant.conf
- FILES += wpa_supplicant
-+FILES += eapol_test
- 
- man:
- 	for i in $(FILES); do docbook2man $$i.sgml; done
-@@ -20,7 +21,7 @@ pdf:
- 
- 
- clean:
--	rm -f wpa_background.8 wpa_cli.8 wpa_gui.8 wpa_passphrase.8 wpa_priv.8 wpa_supplicant.8
-+	rm -f wpa_background.8 wpa_cli.8 wpa_gui.8 wpa_passphrase.8 wpa_priv.8 wpa_supplicant.8 eapol_test.8
- 	rm -f wpa_supplicant.conf.5
- 	rm -f manpage.links manpage.refs
- 	rm -f $(FILES:%=%.pdf)
-diff -up wpa_supplicant-2.0/wpa_supplicant/doc/docbook/wpa_cli.sgml.man-page wpa_supplicant-2.0/wpa_supplicant/doc/docbook/wpa_cli.sgml
---- wpa_supplicant-2.0/wpa_supplicant/doc/docbook/wpa_cli.sgml.man-page	2013-01-12 09:42:53.000000000 -0600
-+++ wpa_supplicant-2.0/wpa_supplicant/doc/docbook/wpa_cli.sgml	2014-01-20 16:40:02.339869202 -0600
-@@ -15,10 +15,12 @@
-     <cmdsynopsis>
-       <command>wpa_cli</command>
-       <arg>-p <replaceable>path to ctrl sockets</replaceable></arg>
-+      <arg>-g <replaceable>path to global ctrl_interface socket</replaceable></arg>
-       <arg>-i <replaceable>ifname</replaceable></arg>
-       <arg>-hvB</arg>
-       <arg>-a <replaceable>action file</replaceable></arg>
-       <arg>-P <replaceable>pid file</replaceable></arg>
-+      <arg>-G <replaceable>ping interval</replaceable></arg>
-       <arg><replaceable>command ...</replaceable></arg>
-     </cmdsynopsis>
-   </refsynopsisdiv>
-@@ -111,6 +113,14 @@ CTRL-REQ-OTP-2:Challenge 1235663 needed
-       </varlistentry>
- 
-       <varlistentry>
-+	<term>-g control socket path</term>
-+
-+	<listitem><para>Connect to the global control socket at the
-+	indicated path rather than an interface-specific control
-+	socket.</para></listitem>
-+      </varlistentry>
-+
-+      <varlistentry>
- 	<term>-i ifname</term>
- 
-         <listitem><para>Specify the interface that is being
-@@ -161,6 +171,13 @@ CTRL-REQ-OTP-2:Challenge 1235663 needed
-       </varlistentry>
- 
-       <varlistentry>
-+	<term>-G ping interval</term>
-+
-+	<listitem><para>Set the interval (in seconds) at which
-+	wpa_cli pings the supplicant.</para></listitem>
-+      </varlistentry>
-+
-+      <varlistentry>
- 	<term>command</term>
- 
- 	<listitem><para>Run a command.  The available commands are
-diff -up wpa_supplicant-2.0/wpa_supplicant/doc/docbook/wpa_supplicant.sgml.man-page wpa_supplicant-2.0/wpa_supplicant/doc/docbook/wpa_supplicant.sgml
---- wpa_supplicant-2.0/wpa_supplicant/doc/docbook/wpa_supplicant.sgml.man-page	2013-01-12 09:42:53.000000000 -0600
-+++ wpa_supplicant-2.0/wpa_supplicant/doc/docbook/wpa_supplicant.sgml	2014-01-20 16:40:02.339869202 -0600
-@@ -12,7 +12,7 @@
-   <refsynopsisdiv>
-     <cmdsynopsis>
-       <command>wpa_supplicant</command>
--      <arg>-BddfhKLqqtuvW</arg>
-+      <arg>-BddfhKLqqsTtuvW</arg>
-       <arg>-i<replaceable>ifname</replaceable></arg>
-       <arg>-c<replaceable>config file</replaceable></arg>
-       <arg>-D<replaceable>driver</replaceable></arg>
-@@ -344,9 +344,20 @@
-       </varlistentry>
- 
-       <varlistentry>
-+	<term>-e entropy file</term>
-+	<listitem>
-+	  <para>File for <command>wpa_supplicant</command> to use to
-+	  maintain its internal entropy store in over restarts.</para>
-+	</listitem>
-+      </varlistentry>
-+
-+      <varlistentry>
- 	<term>-f output file</term>
- 	<listitem>
--	  <para>Log output to specified file instead of stdout.</para>
-+	  <para>Log output to specified file instead of stdout. (This
-+	  is only available if <command>wpa_supplicant</command> was
-+	  built with the <literal>CONFIG_DEBUG_FILE</literal>
-+	  option.)</para>
- 	</listitem>
-       </varlistentry>
- 
-@@ -387,6 +398,22 @@
-       </varlistentry>
- 
-       <varlistentry>
-+	<term>-o override driver</term>
-+	<listitem>
-+	  <para>Override the driver parameter for new
-+	  interfaces.</para>
-+	</listitem>
-+      </varlistentry>
-+
-+      <varlistentry>
-+	<term>-O override ctrl_interface</term>
-+	<listitem>
-+	  <para>Override the ctrl_interface parameter for new
-+	  interfaces.</para>
-+	</listitem>
-+      </varlistentry>
-+
-+      <varlistentry>
- 	<term>-p</term>
- 	<listitem>
- 	  <para>Driver parameters. (Per interface)</para>
-@@ -409,10 +436,40 @@
-       </varlistentry>
- 
-       <varlistentry>
-+	<term>-s</term>
-+	<listitem>
-+	  <para>Log output to syslog instead of stdout. (This is only
-+	  available if <command>wpa_supplicant</command> was built
-+	  with the <literal>CONFIG_DEBUG_SYSLOG</literal>
-+	  option.)</para>
-+	</listitem>
-+      </varlistentry>
-+
-+      <varlistentry>
-+	<term>-T</term>
-+	<listitem>
-+	  <para>Log output to Linux tracing in addition to any other
-+	  destinations. (This is only available
-+	  if <command>wpa_supplicant</command> was built with
-+	  the <literal>CONFIG_DEBUG_LINUX_TRACING</literal>
-+	  option.)</para>
-+	</listitem>
-+      </varlistentry>
-+
-+      <varlistentry>
-+	<term>-t</term>
-+	<listitem>
-+	  <para>Include timestamp in debug messages.</para>
-+	</listitem>
-+      </varlistentry>
-+
-+      <varlistentry>
- 	<term>-u</term>
- 	<listitem>
--	  <para>Enabled DBus control interface. If enabled, interface
--	  definitions may be omitted.</para>
-+	  <para>Enable DBus control interface. If enabled, interface
-+	  definitions may be omitted. (This is only available
-+	  if <command>wpa_supplicant</command> was built with
-+	  the <literal>CONFIG_DBUS</literal> option.)</para>
- 	</listitem>
-       </varlistentry>
- 
-diff -up wpa_supplicant-2.0/wpa_supplicant/main.c.man-page wpa_supplicant-2.0/wpa_supplicant/main.c
---- wpa_supplicant-2.0/wpa_supplicant/main.c.man-page	2013-01-12 09:42:53.000000000 -0600
-+++ wpa_supplicant-2.0/wpa_supplicant/main.c	2014-01-20 16:40:02.340869189 -0600
-@@ -23,11 +23,11 @@ static void usage(void)
- 	int i;
- 	printf("%s\n\n%s\n"
- 	       "usage:\n"
--	       "  wpa_supplicant [-BddhKLqqstuvW] [-P<pid file>] "
-+	       "  wpa_supplicant [-BddhKLqqtvW] [-P<pid file>] "
- 	       "[-g<global ctrl>] \\\n"
- 	       "        -i<ifname> -c<config file> [-C<ctrl>] [-D<driver>] "
- 	       "[-p<driver_param>] \\\n"
--	       "        [-b<br_ifname>] [-f<debug file>] [-e<entropy file>] "
-+	       "        [-b<br_ifname>] [-e<entropy file>] "
- 	       "\\\n"
- 	       "        [-o<override driver>] [-O<override ctrl>] \\\n"
- 	       "        [-N -i<ifname> -c<conf> [-C<ctrl>] "
diff --git a/sources b/sources
index 94e6f38..ae17477 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-f2ed8fef72cf63d8d446a2d0a6da630a  wpa_supplicant-2.3.tar.gz
+f0037dbe03897dcaf2ad2722e659095d  wpa_supplicant-2.4.tar.gz
diff --git a/wpa_supplicant-2.3-generate-libeap-peer.patch b/wpa_supplicant-2.3-generate-libeap-peer.patch
deleted file mode 100644
index d76343b..0000000
--- a/wpa_supplicant-2.3-generate-libeap-peer.patch
+++ /dev/null
@@ -1,402 +0,0 @@
-From 818ac0e07c9eaf4bc0026bda7d42718afcf1f92d Mon Sep 17 00:00:00 2001
-From: Inaky Perez-Gonzalez <inaky.perez-gonzalez at intel.com>
-Date: Sat, 2 Oct 2010 00:11:51 -0700
-Subject: [PATCH] eap_peer: create a libeap library, with header files and
- pkg-config [v2]
-
-This adds infrastructe in src/eap_peer to make libeap.so and install
-the needed header files and pkg-config files.
-
-Now, this is quite dirty and probably not what we want in the long
-term, but serves as an starting point:
-
- - we don't build from the wpa_supplicant directory because the
-   objects the .so have to be built with -fPIC. So if you need to
-   build both the binary and the library:
-
-   make -C wpa_supplicant
-   make -C src/eap_peer clean
-   make -C src/eap_peer
-
-   As I said, it's dirty -- we'd need either wpa_supplicant linking
-   against the library properly (but that seems not to be desirable)
-   or a multiple object build approach ala automake.
-
- - need to use 'override CFLAGS' in src/eap_peer/Makefile, otherwise
-   any CFLAGS setting will kill the build infrastructure. I miss
-   AM_CFLAGS.
-
- - adds 'eap_register_methods()' that will register every compiled in
-   method.
-
-Signed-off-by: Inaky Perez-Gonzalez <inaky.perez-gonzalez at intel.com>
----
- src/eap_peer/Makefile      | 198 +++++++++++++++++++++++++++++++++++++++++++--
- src/eap_peer/eap_methods.c | 114 ++++++++++++++++++++++++++
- src/eap_peer/eap_methods.h |   1 +
- src/eap_peer/libeap0.pc    |  10 +++
- 4 files changed, 315 insertions(+), 8 deletions(-)
- create mode 100644 src/eap_peer/libeap0.pc
-
-diff --git a/src/eap_peer/Makefile b/src/eap_peer/Makefile
-index f79519b..cedd89f 100644
---- a/src/eap_peer/Makefile
-+++ b/src/eap_peer/Makefile
-@@ -1,11 +1,193 @@
--all:
--	@echo Nothing to be made.
-+LIBEAP_NAME = libeap
-+LIBEAP_CURRENT = 0
-+LIBEAP_REVISION = 0
-+LIBEAP_AGE = 0
-+
-+LIBEAP = $(LIBEAP_NAME).so.$(LIBEAP_CURRENT).$(LIBEAP_REVISION).$(LIBEAP_AGE)
-+LIBEAP_SO = $(LIBEAP_NAME).so.$(LIBEAP_CURRENT)
-+
-+.PHONY: all clean install uninstall
-+
-+all: $(LIBEAP)
-+
-+ifndef CC
-+CC=gcc
-+endif
-+
-+ifndef CFLAGS
-+CFLAGS = -MMD -O0 -Wall -g
-+endif
-+
-+CONFIG_TLS=openssl
-+
-+INCLUDE_INSTALL_DIR=/usr/include/eap_peer
-+
-+ifndef LIB
-+LIB = lib
-+endif
-+
-+# Got to use override all across the board, otherwise a 'make
-+# CFLAGS=XX' will kill us because the command line's CFLAGS will
-+# overwrite Make's and we'll loose all the infrastructure it sets.
-+override CFLAGS += -I. -I.. -I../crypto -I../utils -I../common
-+
-+# at least for now, need to include config_ssid.h and config_blob.h from
-+# wpa_supplicant directory
-+override CFLAGS += -I ../../wpa_supplicant
-+
-+OBJS_both += ../utils/common.o
-+OBJS_both += ../utils/eloop.o
-+OBJS_both += ../utils/os_unix.o
-+OBJS_both += ../utils/wpa_debug.o
-+OBJS_both += ../utils/base64.o
-+OBJS_both += ../utils/wpabuf.o
-+OBJS_both += ../crypto/md5.o
-+OBJS_both += ../crypto/sha1-tlsprf.o
-+OBJS_both += ../crypto/aes-encblock.o
-+OBJS_both += ../crypto/aes-wrap.o
-+OBJS_both += ../crypto/aes-ctr.o
-+OBJS_both += ../crypto/aes-eax.o
-+OBJS_both += ../crypto/aes-omac1.o
-+OBJS_both += ../crypto/ms_funcs.o
-+OBJS_both += ../crypto/sha256.o
-+OBJS_both += ../crypto/random.o
-+
-+
-+OBJS_both += ../eap_common/eap_peap_common.o
-+OBJS_both += ../eap_common/eap_psk_common.o
-+OBJS_both += ../eap_common/eap_pax_common.o
-+OBJS_both += ../eap_common/eap_sake_common.o
-+OBJS_both += ../eap_common/eap_gpsk_common.o
-+OBJS_both += ../eap_common/chap.o
-+
-+OBJS_peer += ../eap_peer/eap_tls.o
-+OBJS_peer += ../eap_peer/eap_peap.o
-+OBJS_peer += ../eap_peer/eap_ttls.o
-+OBJS_peer += ../eap_peer/eap_md5.o
-+OBJS_peer += ../eap_peer/eap_mschapv2.o
-+OBJS_peer += ../eap_peer/mschapv2.o
-+OBJS_peer += ../eap_peer/eap_otp.o
-+OBJS_peer += ../eap_peer/eap_gtc.o
-+OBJS_peer += ../eap_peer/eap_leap.o
-+OBJS_peer += ../eap_peer/eap_psk.o
-+OBJS_peer += ../eap_peer/eap_pax.o
-+OBJS_peer += ../eap_peer/eap_sake.o
-+OBJS_peer += ../eap_peer/eap_gpsk.o
-+OBJS_peer += ../eap_peer/eap.o
-+OBJS_peer += ../eap_common/eap_common.o
-+OBJS_peer += ../eap_peer/eap_methods.o
-+OBJS_peer += ../eap_peer/eap_tls_common.o
-+
-+override CFLAGS += -DEAP_TLS
-+override CFLAGS += -DEAP_PEAP
-+override CFLAGS += -DEAP_TTLS
-+override CFLAGS += -DEAP_MD5
-+override CFLAGS += -DEAP_MSCHAPv2
-+override CFLAGS += -DEAP_GTC
-+override CFLAGS += -DEAP_OTP
-+override CFLAGS += -DEAP_LEAP
-+override CFLAGS += -DEAP_PSK
-+override CFLAGS += -DEAP_PAX
-+override CFLAGS += -DEAP_SAKE
-+override CFLAGS += -DEAP_GPSK -DEAP_GPSK_SHA256
-+override CFLAGS += -DEAP_TLS_FUNCS
-+
-+override CFLAGS += -DIEEE8021X_EAPOL
-+
-+ifeq ($(CONFIG_TLS), openssl)
-+override CFLAGS += -DEAP_TLS_OPENSSL
-+OBJS_both += ../crypto/tls_openssl.o
-+OBJS_both += ../crypto/crypto_openssl.o
-+LIBS += -lssl -lcrypto
-+override CFLAGS += -DINTERNAL_SHA256
-+else
-+OBJS_both += ../crypto/sha1.o
-+endif
-+
-+ifeq ($(CONFIG_TLS), internal)
-+OBJS_both += ../crypto/tls_internal.o
-+OBJS_both += ../tls/tlsv1_common.o ../../tls/tlsv1_record.o
-+OBJS_both += ../tls/tlsv1_cred.o
-+OBJS_both += ../tls/asn1.o ../../tls/x509v3.o
-+OBJS_both += ../crypto/crypto_internal.o ../../tls/rsa.o ../../tls/bignum.o
-+
-+OBJS_peer += ../tls/tlsv1_client.o
-+OBJS_peer += ../tls/tlsv1_client_write.o ../../tls/tlsv1_client_read.o
-+override CFLAGS += -DCONFIG_TLS_INTERNAL_CLIENT
-+
-+OBJS_server += ../tls/tlsv1_server.o
-+OBJS_server += ../tls/tlsv1_server_write.o ../../tls/tlsv1_server_read.o
-+override CFLAGS += -DCONFIG_TLS_INTERNAL_SERVER
-+
-+override CFLAGS += -DCONFIG_TLS_INTERNAL
-+override CFLAGS += -DCONFIG_CRYPTO_INTERNAL
-+override CFLAGS += -DCONFIG_INTERNAL_X509
-+override CFLAGS += -DINTERNAL_AES
-+override CFLAGS += -DINTERNAL_SHA1
-+override CFLAGS += -DINTERNAL_SHA256
-+override CFLAGS += -DINTERNAL_MD5
-+override CFLAGS += -DINTERNAL_MD4
-+override CFLAGS += -DINTERNAL_DES
-+ifdef CONFIG_INTERNAL_LIBTOMMATH
-+override CFLAGS += -DCONFIG_INTERNAL_LIBTOMMATH
-+else
-+LIBS += -ltommath
-+endif
-+endif
-+
-+ifndef LDO
-+LDO=$(CC)
-+endif
-+
-+
-+OBJS_lib=$(OBJS_both) $(OBJS_peer)
-+
-+ #$(OBJS_server)
-+
-+override CFLAGS  += -fPIC -DPIC
-+LDFLAGS += -shared
-+
-+$(LIBEAP): $(OBJS_lib)
-+	$(LDO) $(LDFLAGS) $(OBJS_lib) -Wl,-soname -Wl,$(LIBEAP_SO) -o $(LIBEAP) $(LIBS)
-+
-+
-+UTIL_HEADERS = ../utils/includes.h ../utils/common.h \
-+	../utils/wpabuf.h ../utils/build_config.h \
-+	../utils/os.h ../utils/wpa_debug.h
-+COMMON_HEADERS = ../common/defs.h 
-+EAP_COMMON_HEADERS = ../eap_common/eap_defs.h 
-+MAIN_HEADERS = eap.h eap_methods.h eap_config.h
-+CRYPTO_HEADERS =  ../crypto/tls.h  
-+
-+install: 
-+
-+	mkdir -p $(DESTDIR)/usr/$(LIB)
-+#	copy the lib file to std lib location
-+	cp $(LIBEAP) $(DESTDIR)/usr/$(LIB)
-+	ln -fs $(LIBEAP_SO) $(DESTDIR)/usr/$(LIB)/$(LIBEAP_NAME).so
-+
-+#	copy the headers reqd by apps using eap peer library in its own subfolder under /usr/include
-+	mkdir -p \
-+		$(DESTDIR)/$(INCLUDE_INSTALL_DIR)/eap_common \
-+		$(DESTDIR)/$(INCLUDE_INSTALL_DIR)/common \
-+		$(DESTDIR)/$(INCLUDE_INSTALL_DIR)/util \
-+		$(DESTDIR)/$(INCLUDE_INSTALL_DIR)/crypto
-+	install -m 0644 $(EAP_COMMON_HEADERS) $(DESTDIR)/$(INCLUDE_INSTALL_DIR)/eap_common
-+	install -m 0644 $(COMMON_HEADERS) $(DESTDIR)/$(INCLUDE_INSTALL_DIR)/common
-+	install -m 0644 $(CRYPTO_HEADERS) $(DESTDIR)/$(INCLUDE_INSTALL_DIR)/crypto
-+	install -m 0644 $(UTIL_HEADERS) $(DESTDIR)/$(INCLUDE_INSTALL_DIR)/util
-+	install -m 0644 $(MAIN_HEADERS) $(DESTDIR)/$(INCLUDE_INSTALL_DIR)/
-+
-+	mkdir -p $(DESTDIR)/usr/$(LIB)/pkgconfig
-+	cp libeap0.pc $(DESTDIR)/usr/$(LIB)/pkgconfig
-+
-+uninstall: 
-+
-+	rm $(DESTDIR)/usr/$(LIB)/$(LIBEAP)
-+	rm -fr $(DESTDIR)/$(INCLUDE_INSTALL_DIR)
-+	rm -f $(DESTDIR)/usr/$(LIB)/pkgconfig/libeap0.pc
- 
- clean:
--	rm -f *~ *.o *.so *.d *.gcno *.gcda *.gcov
-+	rm -f *~ *.o *.so *.d *.gcno *.gcda *.gcov libeap.a $(LIBEAP) $(OBJS_lib)
- 
--install:
--	if ls *.so >/dev/null 2>&1; then \
--		install -d $(DESTDIR)$(LIBDIR)/wpa_supplicant && \
--		cp *.so $(DESTDIR)$(LIBDIR)/wpa_supplicant \
--	; fi
-+-include $(OBJS:%.o=%.d)
-diff --git a/src/eap_peer/eap_methods.c b/src/eap_peer/eap_methods.c
-index 83a1457..95a41e6 100644
---- a/src/eap_peer/eap_methods.c
-+++ b/src/eap_peer/eap_methods.c
-@@ -336,6 +336,120 @@ int eap_peer_method_register(struct eap_method *method)
- 
- 
- /**
-+ * eap_peer_register_methods - Register all known EAP peer methods
-+ *
-+ * This function is called at program start to register all compiled
-+ * in EAP peer methods.
-+ */
-+int eap_peer_register_methods(void)
-+{
-+	int ret = 0;
-+
-+#ifdef EAP_MD5
-+	if (ret == 0)
-+		ret = eap_peer_md5_register();
-+#endif /* EAP_MD5 */
-+
-+#ifdef EAP_TLS
-+	if (ret == 0)
-+		ret = eap_peer_tls_register();
-+#endif /* EAP_TLS */
-+
-+#ifdef EAP_MSCHAPv2
-+	if (ret == 0)
-+		ret = eap_peer_mschapv2_register();
-+#endif /* EAP_MSCHAPv2 */
-+
-+#ifdef EAP_PEAP
-+	if (ret == 0)
-+		ret = eap_peer_peap_register();
-+#endif /* EAP_PEAP */
-+
-+#ifdef EAP_TTLS
-+	if (ret == 0)
-+		ret = eap_peer_ttls_register();
-+#endif /* EAP_TTLS */
-+
-+#ifdef EAP_GTC
-+	if (ret == 0)
-+		ret = eap_peer_gtc_register();
-+#endif /* EAP_GTC */
-+
-+#ifdef EAP_OTP
-+	if (ret == 0)
-+		ret = eap_peer_otp_register();
-+#endif /* EAP_OTP */
-+
-+#ifdef EAP_SIM
-+	if (ret == 0)
-+		ret = eap_peer_sim_register();
-+#endif /* EAP_SIM */
-+
-+#ifdef EAP_LEAP
-+	if (ret == 0)
-+		ret = eap_peer_leap_register();
-+#endif /* EAP_LEAP */
-+
-+#ifdef EAP_PSK
-+	if (ret == 0)
-+		ret = eap_peer_psk_register();
-+#endif /* EAP_PSK */
-+
-+#ifdef EAP_AKA
-+	if (ret == 0)
-+		ret = eap_peer_aka_register();
-+#endif /* EAP_AKA */
-+
-+#ifdef EAP_AKA_PRIME
-+	if (ret == 0)
-+		ret = eap_peer_aka_prime_register();
-+#endif /* EAP_AKA_PRIME */
-+
-+#ifdef EAP_FAST
-+	if (ret == 0)
-+		ret = eap_peer_fast_register();
-+#endif /* EAP_FAST */
-+
-+#ifdef EAP_PAX
-+	if (ret == 0)
-+		ret = eap_peer_pax_register();
-+#endif /* EAP_PAX */
-+
-+#ifdef EAP_SAKE
-+	if (ret == 0)
-+		ret = eap_peer_sake_register();
-+#endif /* EAP_SAKE */
-+
-+#ifdef EAP_GPSK
-+	if (ret == 0)
-+		ret = eap_peer_gpsk_register();
-+#endif /* EAP_GPSK */
-+
-+#ifdef EAP_WSC
-+	if (ret == 0)
-+		ret = eap_peer_wsc_register();
-+#endif /* EAP_WSC */
-+
-+#ifdef EAP_IKEV2
-+	if (ret == 0)
-+		ret = eap_peer_ikev2_register();
-+#endif /* EAP_IKEV2 */
-+
-+#ifdef EAP_VENDOR_TEST
-+	if (ret == 0)
-+		ret = eap_peer_vendor_test_register();
-+#endif /* EAP_VENDOR_TEST */
-+
-+#ifdef EAP_TNC
-+	if (ret == 0)
-+		ret = eap_peer_tnc_register();
-+#endif /* EAP_TNC */
-+
-+	return ret;
-+}
-+
-+
-+/**
-  * eap_peer_unregister_methods - Unregister EAP peer methods
-  *
-  * This function is called at program termination to unregister all EAP peer
-diff --git a/src/eap_peer/eap_methods.h b/src/eap_peer/eap_methods.h
-index e35c919..da14e42 100644
---- a/src/eap_peer/eap_methods.h
-+++ b/src/eap_peer/eap_methods.h
-@@ -26,6 +26,7 @@ EapType eap_peer_get_type(const char *name, int *vendor);
- const char * eap_get_name(int vendor, EapType type);
- size_t eap_get_names(char *buf, size_t buflen);
- char ** eap_get_names_as_string_array(size_t *num);
-+int eap_peer_register_methods(void);
- void eap_peer_unregister_methods(void);
- 
- #else /* IEEE8021X_EAPOL */
-diff --git a/src/eap_peer/libeap0.pc b/src/eap_peer/libeap0.pc
-new file mode 100644
-index 0000000..594fa2c
---- /dev/null
-+++ b/src/eap_peer/libeap0.pc
-@@ -0,0 +1,10 @@
-+prefix=/usr
-+exec_prefix=/usr
-+libdir=/usr/lib
-+includedir=${prefix}/include/eap_peer
-+
-+Name: libeap0
-+Description: EAP Peer Library API
-+Version: 0.7.2
-+Libs: -L${libdir} -leap
-+Cflags: -I${includedir}
--- 
-1.9.3
-
diff --git a/wpa_supplicant-openssl-more-algs.patch b/wpa_supplicant-openssl-more-algs.patch
index b44c463..d798a09 100644
--- a/wpa_supplicant-openssl-more-algs.patch
+++ b/wpa_supplicant-openssl-more-algs.patch
@@ -1,16 +1,16 @@
-diff -up wpa_supplicant-0.7.3/src/crypto/tls_openssl.c.more-openssl-algs wpa_supplicant-0.7.3/src/crypto/tls_openssl.c
---- wpa_supplicant-0.7.3/src/crypto/tls_openssl.c.more-openssl-algs	2010-09-07 10:43:39.000000000 -0500
-+++ wpa_supplicant-0.7.3/src/crypto/tls_openssl.c	2010-12-08 10:01:02.967664004 -0600
-@@ -710,6 +710,11 @@ void * tls_init(const struct tls_config 
+diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
+index 52db8fc..c5c10f7 100644
+--- a/src/crypto/tls_openssl.c
++++ b/src/crypto/tls_openssl.c
+@@ -770,6 +770,11 @@ void * tls_init(const struct tls_config *conf)
  #endif /* OPENSSL_FIPS */
  #endif /* CONFIG_FIPS */
  		SSL_load_error_strings();
-+		/* Only add potentially weak hashes and encryption algorithms
-+		 * when FIPS mode is not enabled.
-+		 */
-+		if (!conf || !conf->fips_mode)
-+			OpenSSL_add_all_algorithms();
++				/* Only add potentially weak hashes and encryption algorithms
++				* when FIPS mode is not enabled.
++				*/
++				if (!conf || !conf->fips_mode)
++						OpenSSL_add_all_algorithms();
  		SSL_library_init();
- #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
+ #ifndef OPENSSL_NO_SHA256
  		EVP_add_digest(EVP_sha256());
-
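Review bot: The rediffed lines that add the comment and the `OpenSSL_add_all_algorithms()` call are indented with four and six tabs, while the surrounding `tls_init` context (`SSL_load_error_strings();`, `SSL_library_init();`) uses two, and the comment's continuation lines lost their leading space. This looks like a rediff artifact; restore `if (!conf || !conf->fips_mode)` to two tabs and the call to three. Because this carried patch registers every OpenSSL algorithm whenever `conf` is NULL or FIPS mode is off, and the spec comment in this same commit asks whether that is a good idea, the patch file would also benefit from a short header naming RHBZ #538851 and the private-key formats it is meant to support, so a later maintainer can decide whether it can be dropped. The body of `tls_init` continues outside the hunk.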
diff --git a/wpa_supplicant-quiet-scan-results-message.patch b/wpa_supplicant-quiet-scan-results-message.patch
index 6ce32ac..6f1c2f3 100644
--- a/wpa_supplicant-quiet-scan-results-message.patch
+++ b/wpa_supplicant-quiet-scan-results-message.patch
@@ -1,9 +1,9 @@
 diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c
-index 49d32c2..f1d1f92 100644
+index d275ca4..fc335c0 100644
 --- a/wpa_supplicant/events.c
 +++ b/wpa_supplicant/events.c
-@@ -1328,11 +1328,11 @@ static int _wpa_supplicant_event_scan_results(struct wpa_supplicant *wpa_s,
- 		wpa_s->own_scan_running, wpa_s->external_scan_running);
+@@ -1356,11 +1356,11 @@ static int _wpa_supplicant_event_scan_results(struct wpa_supplicant *wpa_s,
+ 		wpa_s->own_scan_running, wpa_s->radio->external_scan_running);
  	if (wpa_s->last_scan_req == MANUAL_SCAN_REQ &&
  	    wpa_s->manual_scan_use_id && wpa_s->own_scan_running) {
 -		wpa_msg_ctrl(wpa_s, MSG_INFO, WPA_EVENT_SCAN_RESULTS "id=%u",
diff --git a/wpa_supplicant.spec b/wpa_supplicant.spec
index 0da0473..aaf4f2a 100644
--- a/wpa_supplicant.spec
+++ b/wpa_supplicant.spec
@@ -6,8 +6,8 @@
 Summary: WPA/WPA2/IEEE 802.1X Supplicant
 Name: wpa_supplicant
 Epoch: 1
-Version: 2.3
-Release: 2%{?dist}
+Version: 2.4
+Release: 1%{?dist}
 License: BSD
 Group: System Environment/Base
 Source0: http://w1.fi/releases/%{name}-%{version}%{rcver}%{snapshot}.tar.gz
@@ -18,11 +18,6 @@ Source4: %{name}.sysconfig
 Source6: %{name}.logrotate
 
 %define build_gui 1
-%define build_libeap 1
-%if 0%{?rhel} >= 1
-%define build_gui 0
-%define build_libeap 0
-%endif
 
 # distro specific customization and not suitable for upstream,
 # works around busted drivers
@@ -34,27 +29,18 @@ Patch1: wpa_supplicant-flush-debug-output.patch
 Patch2: wpa_supplicant-dbus-service-file-args.patch
 # quiet an annoying and frequent syslog message
 Patch3: wpa_supplicant-quiet-scan-results-message.patch
-# allow more private key encryption algorithms
+# allow more private key encryption algorithms. is this really a good idea?
+# seems to be related to RHBZ #538851, see comment #12
 Patch5: wpa_supplicant-openssl-more-algs.patch
 # distro specific customization for Qt4 build tools, not suitable for upstream
 Patch6: wpa_supplicant-gui-qt4.patch
-# Fix libnl3 includes path
-Patch7: libnl3-includes.patch
 # Less aggressive roaming; signal strength is wildly variable
+# dcbw states (2015-04):
+# "upstream doesn't like that patch so it's been discussed and I think rejected"
 Patch8: rh837402-less-aggressive-roaming.patch
-# Add missing command-line options to man page, also filed upstream
-Patch9: rh948453-man-page.patch
-# Don't evict current AP from PMKSA cache when it's large
-Patch10: rh1032758-fix-pmksa-cache-entry-clearing.patch
-# CVE-2014-3686
-Patch11: 0001-Add-os_exec-helper-to-run-external-programs.patch
-Patch12: 0002-wpa_cli-Use-os_exec-for-action-script-execution.patch
-
-%if %{build_libeap}
-# Dirty hack for WiMAX
-# http://linuxwimax.org/Download?action=AttachFile&do=get&target=wpa-1.5-README.txt
-Patch100: wpa_supplicant-2.3-generate-libeap-peer.patch
-%endif
+# CVE-2015-1863, backport from upstream master, will be in 2.5
+# http://w1.fi/cgit/hostap/commit/?id=9ed4eee345f85e3025c33c6e20aa25696e341ccd
+Patch9: 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch
 
 URL: http://w1.fi/wpa_supplicant/
 
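Review bot: The two CVE-2014-3686 patches (`Patch11`, `Patch12`) are removed in this hunk without any note that the fix is contained in the 2.4 tarball; the changelog entry only says "drop some patches merged or superseded upstream". Dropping a security fix is the one removal a reader will want to confirm, so name it explicitly, for example with a changelog line `- drop CVE-2014-3686 patches, included upstream in 2.4` (assuming that is the reason). The new `Patch9` comment is a good model, since it records the CVE, the upstream commit and the release expected to carry it. Its cgit reference uses `http://`; an `https://` link, if the host serves one, is preferable for a commit id that people will compare against.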
@@ -71,6 +57,13 @@ Requires(post): systemd-sysv
 Requires(post): systemd-units
 Requires(preun): systemd-units
 Requires(postun): systemd-units
+# libeap used to be built from wpa_supplicant with some fairly horrible
+# hackery, solely for use by WiMAX. We dropped all WiMAX support around
+# F21. This is here so people don't wind up with obsolete libeap packages
+# lying around. If it's ever resurrected for any reason, this needs
+# dropping.
+Obsoletes: libeap < %{epoch}:%{version}-%{release}
+Obsoletes: libeap-devel < %{epoch}:%{version}-%{release}
 
 %description
 wpa_supplicant is a WPA Supplicant for Linux, BSD and Windows with support
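Review bot: Both `Obsoletes:` lines compare against `%{epoch}:%{version}-%{release}`, so the bound moves up with every future build instead of marking the point at which libeap was dropped. Packaging practice for a retired package is normally a fixed EVR just above the last one shipped, e.g. `Obsoletes: libeap < 1:2.4-1` and `Obsoletes: libeap-devel < 1:2.4-1`. With a fixed bound, a resurrected libeap at a higher EVR would no longer be obsoleted, and the "this needs dropping" reminder in the comment becomes unnecessary.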
@@ -90,25 +83,6 @@ Graphical User Interface for wpa_supplicant written using QT
 
 %endif
 
-%if %{build_libeap}
-%package -n libeap
-Summary: EAP peer library
-Group: System Environment/Libraries
-
-%description -n libeap
-This package contains the runtime EAP peer library. Don't use this
-unless you know what you're doing.
-
-%package -n libeap-devel
-Summary: Header files for EAP peer library
-Group: Development/Libraries
-Requires: libeap = %{epoch}:%{version}-%{release}
-
-%description -n libeap-devel
-This package contains header files for using the EAP peer library.
-Don't use this unless you know what you're doing.
-%endif
-
 %prep
 %setup -q -n %{name}-%{version}%{rcver}
 %patch0 -p1 -b .assoc-timeout
@@ -117,8 +91,8 @@ Don't use this unless you know what you're doing.
 %patch3 -p1 -b .quiet-scan-results-msg
 %patch5 -p1 -b .more-openssl-algs
 %patch6 -p1 -b .qt4
-%patch7 -p1 -b .libnl3
 %patch8 -p1 -b .rh837402-less-aggressive-roaming
+%patch9 -p1 -b .cve-2015-1863
 
 %build
 pushd wpa_supplicant
@@ -178,25 +152,6 @@ rm -f  %{name}/doc/.cvsignore
 rm -rf %{name}/doc/docbook
 chmod -R 0644 %{name}/examples/*.py
 
-%if %{build_libeap}
-# HAAACK
-patch -p1 -b --suffix .wimax < %{PATCH100}
-pushd wpa_supplicant
-  make clean
-
-  CFLAGS="${CFLAGS:-%optflags} -fPIC -DPIC" ; export CFLAGS ;
-  CXXFLAGS="${CXXFLAGS:-%optflags} -fPIC -DPIC" ; export CXXFLAGS ;
-  LDFLAGS="${LDFLAGS:-%optflags} -Wl,-z,now" ; export LDFLAGS ;
-  # yes, BINDIR=_sbindir
-  BINDIR="%{_sbindir}" ; export BINDIR ;
-  LIBDIR="%{_libdir}" ; export LIBDIR ;
-
-  make V=1 -C ../src/eap_peer
-  make DESTDIR=%{buildroot} LIB=%{_lib} -C ../src/eap_peer install
-  sed -i -e 's|libdir=/usr/lib|libdir=%{_libdir}|g' %{buildroot}/%{_libdir}/pkgconfig/*.pc
-popd
-%endif
-
 %post
 if [ $1 -eq 1 ] ; then 
     # Initial installation 
@@ -251,22 +206,16 @@ fi
 %{_bindir}/wpa_gui
 %endif
 
-%if %{build_libeap}
-%files -n libeap
-%{_libdir}/libeap.so.0*
-
-%files -n libeap-devel
-%{_includedir}/eap_peer
-%{_libdir}/libeap.so
-%{_libdir}/pkgconfig/*.pc
-
-%post -n libeap -p /sbin/ldconfig
-
-%postun -n libeap -p /sbin/ldconfig
-%endif
-
 %changelog
-* Mon Nov 01 2014 Orion Poplawski <orion at cora.nwra.com> - 1:2.3-2
+* Thu Apr 23 2015 Adam Williamson <awilliam at redhat.com> - 1:2.4-1
+- new release 2.4
+- add some info on a couple of patches
+- drop some patches merged or superseded upstream
+- rediff other patches
+- drop libeap hackery (we dropped the kernel drivers anyhow)
+- backport fix for CVE-2015-1863
+
+* Sat Nov 01 2014 Orion Poplawski <orion at cora.nwra.com> - 1:2.3-2
 - Do not install wpa_supplicant.service as executable (bug #803980)
 
 * Thu Oct 30 2014 Lubomir Rintel <lkundrak at v3.sk> - 1:2.3-1
-- 
cgit v0.10.2


	http://pkgs.fedoraproject.org/cgit/wpa_supplicant.git/commit/?h=master&id=47da8a0463d86cf3b0202759903b5dfc4c26fbcd

