summaryrefslogtreecommitdiffstats
path: root/testing
diff options
context:
space:
mode:
author Patrick J Volkerding <volkerdi@slackware.com>2019-01-04 21:44:44 +0000
committer Eric Hameleers <alien@slackware.com>2019-01-05 08:59:47 +0100
commitb595b3d8f623b3c668d13768cde5e711a78f6485 (patch)
treee2f2643de207d72ae3719cae555753e63f16f6f5 /testing
parentb66dbcf50c5c89b5d222a9da91ffa5e6b9592891 (diff)
downloadcurrent-b595b3d8f623b3c668d13768cde5e711a78f6485.tar.gz
current-b595b3d8f623b3c668d13768cde5e711a78f6485.tar.xz
Fri Jan 4 21:44:44 UTC 201920190104214444
a/hwdata-0.319-noarch-1.txz: Upgraded. d/doxygen-1.8.14-x86_64-3.txz: Upgraded. Reverted (for now) to avoid segfault in doxygen-1.8.15. l/libwpg-0.3.3-x86_64-1.txz: Upgraded. l/libxml2-2.9.9-x86_64-1.txz: Upgraded. l/libxslt-1.1.33-x86_64-1.txz: Upgraded. l/python-pillow-5.4.0-x86_64-1.txz: Upgraded. x/xterm-342-x86_64-1.txz: Upgraded. testing/packages/wpa_supplicant-2.7-x86_64-3.txz: Rebuilt. Apply TLSv1 patch from Debian and make some config changes to fix WPA2-Enterprise. Once we have some testing results on this we'll consider moving it back into the main tree. Thanks to gablek.
Diffstat (limited to '')
-rw-r--r--testing/source/wpa_supplicant/config/dot.config9
-rw-r--r--testing/source/wpa_supplicant/patches/allow-tlsv1.patch22
-rwxr-xr-xtesting/source/wpa_supplicant/wpa_supplicant.SlackBuild5
3 files changed, 31 insertions, 5 deletions
diff --git a/testing/source/wpa_supplicant/config/dot.config b/testing/source/wpa_supplicant/config/dot.config
index 94871afde..966a98c27 100644
--- a/testing/source/wpa_supplicant/config/dot.config
+++ b/testing/source/wpa_supplicant/config/dot.config
@@ -32,7 +32,7 @@ CONFIG_DRIVER_WEXT=y
CONFIG_DRIVER_NL80211=y
# QCA vendor extensions to nl80211
-#CONFIG_DRIVER_NL80211_QCA=y
+CONFIG_DRIVER_NL80211_QCA=y
# driver_nl80211.c requires libnl. If you are compiling it yourself
# you may need to point hostapd to your version of libnl.
@@ -310,14 +310,14 @@ CONFIG_IEEE80211W=y
# internal = Internal TLSv1 implementation (experimental)
# linux = Linux kernel AF_ALG and internal TLSv1 implementation (experimental)
# none = Empty template
-#CONFIG_TLS=openssl
+CONFIG_TLS=openssl
# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1)
# can be enabled to get a stronger construction of messages when block ciphers
# are used. It should be noted that some existing TLS v1.0 -based
# implementation may not be compatible with TLS v1.1 message (ClientHello is
# sent prior to negotiating which version will be used)
-#CONFIG_TLSV11=y
+CONFIG_TLSV11=y
# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2)
# can be enabled to enable use of stronger crypto algorithms. It should be
@@ -328,7 +328,8 @@ CONFIG_IEEE80211W=y
# Select which ciphers to use by default with OpenSSL if the user does not
# specify them.
-CONFIG_TLS_DEFAULT_CIPHERS="PROFILE=SYSTEM:3DES"
+#CONFIG_TLS_DEFAULT_CIPHERS="PROFILE=SYSTEM:3DES"
+CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT@SECLEVEL=1"
# If CONFIG_TLS=internal is used, additional library and include paths are
# needed for LibTomMath. Alternatively, an integrated, minimal version of
diff --git a/testing/source/wpa_supplicant/patches/allow-tlsv1.patch b/testing/source/wpa_supplicant/patches/allow-tlsv1.patch
new file mode 100644
index 000000000..eb5fb7818
--- /dev/null
+++ b/testing/source/wpa_supplicant/patches/allow-tlsv1.patch
@@ -0,0 +1,22 @@
+From: Andrej Shadura <andrewsh@debian.org>
+Subject: Enable TLSv1.0 by default
+
+OpenSSL 1.1.1 disables TLSv1.0 by default and sets the security level to 2.
+Some older networks may support for TLSv1.0 and less secure cyphers.
+
+--- a/src/crypto/tls_openssl.c
++++ b/src/crypto/tls_openssl.c
+@@ -988,6 +988,13 @@
+ os_free(data);
+ return NULL;
+ }
++
++#ifndef EAP_SERVER_TLS
++ /* Enable TLSv1.0 by default to allow connecting to legacy
++ * networks since Debian OpenSSL is set to minimum TLSv1.2 and SECLEVEL=2. */
++ SSL_CTX_set_min_proto_version(ssl, TLS1_VERSION);
++#endif
++
+ data->ssl = ssl;
+ if (conf)
+ data->tls_session_lifetime = conf->tls_session_lifetime;
diff --git a/testing/source/wpa_supplicant/wpa_supplicant.SlackBuild b/testing/source/wpa_supplicant/wpa_supplicant.SlackBuild
index c248c1300..492ddb722 100755
--- a/testing/source/wpa_supplicant/wpa_supplicant.SlackBuild
+++ b/testing/source/wpa_supplicant/wpa_supplicant.SlackBuild
@@ -25,7 +25,7 @@ cd $(dirname $0) ; CWD=$(pwd)
PKGNAM=wpa_supplicant
VERSION=${VERSION:-$(echo $PKGNAM-*.tar.?z* | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
-BUILD=${BUILD:-2}
+BUILD=${BUILD:-3}
SRCVERSION=$(printf $VERSION | tr _ -)
@@ -92,6 +92,9 @@ zcat $CWD/patches/wpa_supplicant-gui-qt4.patch.gz | patch -p1 --verbose || exit
zcat $CWD/patches/wpa_supplicant-quiet-scan-results-message.patch.gz | patch -p1 --verbose || exit 1
zcat $CWD/patches/wpa_supplicant-2.7-fix-undefined-remove-ie.patch.gz | patch -p1 --verbose || exit 1
+# Allow legacy tls to avoid breaking WPA2-Enterprise:
+zcat $CWD/patches/allow-tlsv1.patch.gz | patch -p1 --verbose || exit 1
+
cd wpa_supplicant
# Create the configuration file for building wpa_supplicant: