From b595b3d8f623b3c668d13768cde5e711a78f6485 Mon Sep 17 00:00:00 2001
From: Patrick J Volkerding
Date: Fri, 4 Jan 2019 21:44:44 +0000
Subject: Fri Jan 4 21:44:44 UTC 2019

a/hwdata-0.319-noarch-1.txz: Upgraded.
d/doxygen-1.8.14-x86_64-3.txz: Upgraded.
Reverted (for now) to avoid segfault in doxygen-1.8.15.
l/libwpg-0.3.3-x86_64-1.txz: Upgraded.
l/libxml2-2.9.9-x86_64-1.txz: Upgraded.
l/libxslt-1.1.33-x86_64-1.txz: Upgraded.
l/python-pillow-5.4.0-x86_64-1.txz: Upgraded.
x/xterm-342-x86_64-1.txz: Upgraded.
testing/packages/wpa_supplicant-2.7-x86_64-3.txz: Rebuilt.
Apply TLSv1 patch from Debian and make some config changes to fix WPA2-Enterprise. Once we have some testing results on this we'll consider moving it back into the main tree. Thanks to gablek.
---
testing/source/wpa_supplicant/config/dot.config | 9 +++++----
.../wpa_supplicant/patches/allow-tlsv1.patch | 22 ++++++++++++++++++++++
.../wpa_supplicant/wpa_supplicant.SlackBuild | 5 ++++-
3 files changed, 31 insertions(+), 5 deletions(-)
create mode 100644 testing/source/wpa_supplicant/patches/allow-tlsv1.patch
(limited to 'testing')

diff --git a/testing/source/wpa_supplicant/config/dot.config b/testing/source/wpa_supplicant/config/dot.config
index 94871afde..966a98c27 100644
--- a/testing/source/wpa_supplicant/config/dot.config
+++ b/testing/source/wpa_supplicant/config/dot.config
@@ -32,7 +32,7 @@ CONFIG_DRIVER_WEXT=y
 CONFIG_DRIVER_NL80211=y
 
 # QCA vendor extensions to nl80211
-#CONFIG_DRIVER_NL80211_QCA=y
+CONFIG_DRIVER_NL80211_QCA=y
 
 # driver_nl80211.c requires libnl. If you are compiling it yourself
 # you may need to point hostapd to your version of libnl.
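Review bot: Enabling `CONFIG_DRIVER_NL80211_QCA=y` is unrelated to the WPA2-Enterprise/TLS fix the commit message describes and is not mentioned there; it compiles in the QCA vendor-specific nl80211 handling, which only matters on Qualcomm drivers and, as far as I can tell, is not needed for the TLS problem. If it is intentional, the reason should be recorded next to the line, e.g. `# QCA vendor extensions to nl80211 (enabled for <hardware>; independent of the TLS change)`; otherwise keep it commented out and land it as its own change so it can be reverted separately from the TLS work.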
@@ -310,14 +310,14 @@ CONFIG_IEEE80211W=y
 # internal = Internal TLSv1 implementation (experimental)
 # linux = Linux kernel AF_ALG and internal TLSv1 implementation (experimental)
 # none = Empty template
-#CONFIG_TLS=openssl
+CONFIG_TLS=openssl
 
 # TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1)
 # can be enabled to get a stronger construction of messages when block ciphers
 # are used. It should be noted that some existing TLS v1.0 -based
 # implementation may not be compatible with TLS v1.1 message (ClientHello is
 # sent prior to negotiating which version will be used)
-#CONFIG_TLSV11=y
+CONFIG_TLSV11=y
 
 # TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2)
 # can be enabled to enable use of stronger crypto algorithms. It should be
@@ -328,7 +328,8 @@ CONFIG_IEEE80211W=y
 
 # Select which ciphers to use by default with OpenSSL if the user does not
 # specify them.
-CONFIG_TLS_DEFAULT_CIPHERS="PROFILE=SYSTEM:3DES"
+#CONFIG_TLS_DEFAULT_CIPHERS="PROFILE=SYSTEM:3DES"
+CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT@SECLEVEL=1"
 
 # If CONFIG_TLS=internal is used, additional library and include paths are
 # needed for LibTomMath. Alternatively, an integrated, minimal version of
diff --git a/testing/source/wpa_supplicant/patches/allow-tlsv1.patch b/testing/source/wpa_supplicant/patches/allow-tlsv1.patch
new file mode 100644
index 000000000..eb5fb7818
--- /dev/null
+++ b/testing/source/wpa_supplicant/patches/allow-tlsv1.patch
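Review bot: `CONFIG_TLSV11=y` looks like a no-op under `CONFIG_TLS=openssl`: as far as I recall the wpa_supplicant Makefile only passes CONFIG_TLSV11/CONFIG_TLSV12 through to the build for the internal TLS implementation, and with OpenSSL the negotiable versions come from the library's min/max protocol settings (and the allow-tlsv1 patch this commit adds), not from this switch. Please confirm against wpa_supplicant/Makefile; if it is unused, drop the line so the config does not suggest that TLS 1.1 is being enabled here, or leave it commented out with `# no effect with CONFIG_TLS=openssl; the version floor is set in tls_openssl.c`.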
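Review bot: `CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT@SECLEVEL=1"` lowers OpenSSL's security level for every TLS-based EAP connection on the system (EAP-TLS, PEAP, TTLS), not only for the legacy RADIUS servers that motivated it; at level 1 OpenSSL again accepts 1024-bit RSA/DH keys and SHA-1 signatures that the system profile rejects, so an attacker-controlled access point gets a weaker server-certificate bar on every enterprise network. This is only the compile-time default and, if I recall correctly, the per-network `openssl_ciphers=` parameter overrides it, so the safer shape is to keep the previous value and document the opt-in instead: `# Legacy WPA2-Enterprise servers: put openssl_ciphers="DEFAULT@SECLEVEL=1" in that network block`. The old value left commented out above the new line should be deleted rather than kept, so the file does not carry two competing settings.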
@@ -0,0 +1,22 @@
+From: Andrej Shadura
+Subject: Enable TLSv1.0 by default
+
+OpenSSL 1.1.1 disables TLSv1.0 by default and sets the security level to 2.
+Some older networks may support for TLSv1.0 and less secure cyphers.
+
+--- a/src/crypto/tls_openssl.c
++++ b/src/crypto/tls_openssl.c
+@@ -988,6 +988,13 @@
+ os_free(data);
+ return NULL;
+ }
++
++#ifndef EAP_SERVER_TLS
++ /* Enable TLSv1.0 by default to allow connecting to legacy
++ * networks since Debian OpenSSL is set to minimum TLSv1.2 and SECLEVEL=2. */
++ SSL_CTX_set_min_proto_version(ssl, TLS1_VERSION);
++#endif
++
+ data->ssl = ssl;
+ if (conf)
+ data->tls_session_lifetime = conf->tls_session_lifetime;
diff --git a/testing/source/wpa_supplicant/wpa_supplicant.SlackBuild b/testing/source/wpa_supplicant/wpa_supplicant.SlackBuild
index c248c1300..492ddb722 100755
--- a/testing/source/wpa_supplicant/wpa_supplicant.SlackBuild
+++ b/testing/source/wpa_supplicant/wpa_supplicant.SlackBuild
@@ -25,7 +25,7 @@ cd $(dirname $0) ; CWD=$(pwd)
 
 PKGNAM=wpa_supplicant
 VERSION=${VERSION:-$(echo $PKGNAM-*.tar.?z* | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
-BUILD=${BUILD:-2}
+BUILD=${BUILD:-3}
 
 SRCVERSION=$(printf $VERSION | tr _ -)
 
@@ -92,6 +92,9 @@ zcat $CWD/patches/wpa_supplicant-gui-qt4.patch.gz | patch -p1 --verbose || exit
 zcat $CWD/patches/wpa_supplicant-quiet-scan-results-message.patch.gz | patch -p1 --verbose || exit 1
 zcat $CWD/patches/wpa_supplicant-2.7-fix-undefined-remove-ie.patch.gz | patch -p1 --verbose || exit 1
 
+# Allow legacy tls to avoid breaking WPA2-Enterprise:
+zcat $CWD/patches/allow-tlsv1.patch.gz | patch -p1 --verbose || exit 1
+
 cd wpa_supplicant
 
 # Create the configuration file for building wpa_supplicant:
-- cgit v1.2.3
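Review bot: `SSL_CTX_set_min_proto_version(ssl, TLS1_VERSION)` lowers the floor to TLS 1.0 on the shared context, so every client connection built from it accepts TLS 1.0 with no way for an individual network block to keep the stricter system default; if I recall correctly wpa_supplicant already exposes per-network `tls_disable_tlsv1_0` phase1 flags, and this unconditional call makes the permissive setting the baseline rather than the opt-in. Its return value is also ignored (the function returns 0 on failure), and the comment justifies the change in Debian terms ("Debian OpenSSL is set to minimum TLSv1.2 and SECLEVEL=2") that may not describe Slackware's OpenSSL build. If the patch is kept, the comment should state the local rationale and the call should at least be checked, e.g. `if (!SSL_CTX_set_min_proto_version(ssl, TLS1_VERSION)) wpa_printf(MSG_INFO, "OpenSSL: could not lower minimum TLS version to 1.0");`. The enclosing function starts and ends outside the quoted hunk.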
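Review bot: The new line runs `zcat $CWD/patches/allow-tlsv1.patch.gz`, but the file this commit adds is `testing/source/wpa_supplicant/patches/allow-tlsv1.patch` (uncompressed, per the diffstat and the `create mode` line), so as committed the `zcat` fails and `|| exit 1` aborts the build — unless something outside this diff gzips the patch first, which the SlackBuild does not show. Either commit the patch as `allow-tlsv1.patch.gz` like the neighbouring patches, or apply it as committed: `cat $CWD/patches/allow-tlsv1.patch | patch -p1 --verbose || exit 1`. The comment above it could also say what the patch actually changes, since it is the TLS version floor rather than the cipher list: `# Allow TLS 1.0 (OpenSSL 1.1.1 defaults to >= 1.2) so legacy WPA2-Enterprise servers still work:`.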