[gentoo-commits] repo/gentoo:master commit in: net-wireless/wpa_supplicant/, net-wireless/wpa_supplicant/files/

[gentoo-commits] repo/gentoo:master commit in: net-wireless/wpa_supplicant/, net-wireless/wpa_supplicant/files/

[Bjarke Istrup Pedersen]

commit:     0cff14d765f37cec7c324c1fc15a8768e9058397
Author:     Bjarke Istrup Pedersen <gurligebis <AT> gentoo <DOT> org>
AuthorDate: Wed Oct  5 17:02:50 2016 +0000
Commit:     Bjarke Istrup Pedersen <gurligebis <AT> gentoo <DOT> org>
CommitDate: Wed Oct  5 17:03:21 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0cff14d7

net-wireless/wpa_supplicant: Bumping to 2.6

Package-Manager: portage-2.3.1

 net-wireless/wpa_supplicant/Manifest               |   1 +
 ...do-not-call-dbus-functions-with-NULL-path.patch |  13 +
 .../wpa_supplicant/wpa_supplicant-2.6.ebuild       | 395 +++++++++++++++++++++
 3 files changed, 409 insertions(+)

diff --git a/net-wireless/wpa_supplicant/Manifest b/net-wireless/wpa_supplicant/Manifest
index 192819a..41e9b86 100644
--- a/net-wireless/wpa_supplicant/Manifest
+++ b/net-wireless/wpa_supplicant/Manifest
@@ -1 +1,2 @@
 DIST wpa_supplicant-2.5.tar.gz 2607336 SHA256 cce55bae483b364eae55c35ba567c279be442ed8bab5b80a3c7fb0d057b9b316 SHA512 e3ca36ed10b4dae8f663e98ad230c8c059c952316c21a6b0638ecb1b40a5ef1b9083138ab45207cb764a17e870b4bd0625dd6efdb65856cb4dca13ccc0559e81 WHIRLPOOL 7f35ba06fc4022fe21f05a54a5b108bf2111dcb22e795e1566a514400db8348e79cc80b605dab5b586ab8f3966833ade7153e63c118794a0f06c4afd7a37781d
+DIST wpa_supplicant-2.6.tar.gz 2753524 SHA256 b4936d34c4e6cdd44954beba74296d964bc2c9668ecaa5255e499636fe2b1450 SHA512 46442cddb6ca043b8b08d143908f149954c238e0f3a57a0df73ca4fab9c1acd91b078f3f26375a1d99cd1d65625986328018c735d8705882c8f91e389cad28a6 WHIRLPOOL 63f91b9f72fee65df5412e90f5a4b38f327f47b44724164aa27a6933a68c68672a129d7c01e658c7fed1f7018fe9e4b743f3c6cef2f69fd75c3f5b9a1cb67c1b

diff --git a/net-wireless/wpa_supplicant/files/wpa_supplicant-2.6-do-not-call-dbus-functions-with-NULL-path.patch b/net-wireless/wpa_supplicant/files/wpa_supplicant-2.6-do-not-call-dbus-functions-with-NULL-path.patch
new file mode 100644
index 00000000..0f340c9
--- /dev/null
+++ b/net-wireless/wpa_supplicant/files/wpa_supplicant-2.6-do-not-call-dbus-functions-with-NULL-path.patch
@@ -0,0 +1,13 @@
+diff --git a/wpa_supplicant/dbus/dbus_new_helpers.c b/wpa_supplicant/dbus/dbus_new_helpers.c
+index 45623f3..0fc3d08 100644
+--- a/wpa_supplicant/dbus/dbus_new_helpers.c
++++ b/wpa_supplicant/dbus/dbus_new_helpers.c
+@@ -847,7 +847,7 @@ void wpa_dbus_mark_property_changed(struct wpas_dbus_priv *iface,
+ 	const struct wpa_dbus_property_desc *dsc;
+ 	int i = 0;
+ 
+-	if (iface == NULL)
++	if (iface == NULL || path == NULL)
+ 		return;
+ 
+ 	dbus_connection_get_object_path_data(iface->con, path,

diff --git a/net-wireless/wpa_supplicant/wpa_supplicant-2.6.ebuild b/net-wireless/wpa_supplicant/wpa_supplicant-2.6.ebuild
new file mode 100644
index 00000000..7f44dcf
--- /dev/null
+++ b/net-wireless/wpa_supplicant/wpa_supplicant-2.6.ebuild
@@ -0,0 +1,395 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+
+inherit eutils toolchain-funcs qt4-r2 qmake-utils systemd multilib
+
+DESCRIPTION="IEEE 802.1X/WPA supplicant for secure wireless transfers"
+HOMEPAGE="http://hostap.epitest.fi/wpa_supplicant/"
+SRC_URI="http://hostap.epitest.fi/releases/${P}.tar.gz"
+LICENSE="|| ( GPL-2 BSD )"
+
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86 ~x86-fbsd"
+IUSE="ap dbus gnutls eap-sim fasteap +hs2-0 libressl p2p ps3 qt4 qt5 readline selinux smartcard ssl tdls uncommon-eap-types wimax wps kernel_linux kernel_FreeBSD"
+REQUIRED_USE="fasteap? ( !gnutls !ssl ) smartcard? ( ssl ) ?? ( qt4 qt5 )"
+
+CDEPEND="dbus? ( sys-apps/dbus )
+	kernel_linux? (
+		eap-sim? ( sys-apps/pcsc-lite )
+		dev-libs/libnl:3
+		net-wireless/crda
+	)
+	!kernel_linux? ( net-libs/libpcap )
+	qt4? (
+		dev-qt/qtcore:4
+		dev-qt/qtgui:4
+		dev-qt/qtsvg:4
+	)
+	qt5? (
+		dev-qt/qtcore:5
+		dev-qt/qtgui:5
+		dev-qt/qtwidgets:5
+		dev-qt/qtsvg:5
+	)
+	readline? (
+		sys-libs/ncurses:0=
+		sys-libs/readline:0=
+	)
+	ssl? (
+		!libressl? ( dev-libs/openssl:0= )
+		libressl? ( dev-libs/libressl )
+	)
+	!ssl? (
+		gnutls? (
+			net-libs/gnutls
+			dev-libs/libgcrypt:*
+		)
+		!gnutls? ( dev-libs/libtommath )
+	)
+"
+DEPEND="${CDEPEND}
+	virtual/pkgconfig
+"
+RDEPEND="${CDEPEND}
+	selinux? ( sec-policy/selinux-networkmanager )
+"
+
+S="${WORKDIR}/${P}/${PN}"
+
+Kconfig_style_config() {
+		#param 1 is CONFIG_* item
+		#param 2 is what to set it = to, defaulting in y
+		CONFIG_PARAM="${CONFIG_HEADER:-CONFIG_}$1"
+		setting="${2:-y}"
+
+		if [ ! $setting = n ]; then
+			#first remove any leading "# " if $2 is not n
+			sed -i "/^# *$CONFIG_PARAM=/s/^# *//" .config || echo "Kconfig_style_config error uncommenting $CONFIG_PARAM"
+			#set item = $setting (defaulting to y)
+			sed -i "/^$CONFIG_PARAM/s/=.*/=$setting/" .config || echo "Kconfig_style_config error setting $CONFIG_PARAM=$setting"
+		else
+			#ensure item commented out
+			sed -i "/^$CONFIG_PARAM/s/$CONFIG_PARAM/# $CONFIG_PARAM/" .config || echo "Kconfig_style_config error commenting $CONFIG_PARAM"
+		fi
+}
+
+pkg_setup() {
+	if use gnutls && use ssl ; then
+		elog "You have both 'gnutls' and 'ssl' USE flags enabled: defaulting to USE=\"ssl\""
+	fi
+}
+
+src_prepare() {
+	# net/bpf.h needed for net-libs/libpcap on Gentoo/FreeBSD
+	sed -i \
+		-e "s:\(#include <pcap\.h>\):#include <net/bpf.h>\n\1:" \
+		../src/l2_packet/l2_packet_freebsd.c || die
+
+	# People seem to take the example configuration file too literally (bug #102361)
+	sed -i \
+		-e "s:^\(opensc_engine_path\):#\1:" \
+		-e "s:^\(pkcs11_engine_path\):#\1:" \
+		-e "s:^\(pkcs11_module_path\):#\1:" \
+		wpa_supplicant.conf || die
+
+	# Change configuration to match Gentoo locations (bug #143750)
+	sed -i \
+		-e "s:/usr/lib/opensc:/usr/$(get_libdir):" \
+		-e "s:/usr/lib/pkcs11:/usr/$(get_libdir):" \
+		wpa_supplicant.conf || die
+
+	#if use dbus; then
+	#	epatch "${FILESDIR}/${P}-dbus-path-fix.patch"
+	#fi
+
+	# systemd entries to D-Bus service files (bug #372877)
+	echo 'SystemdService=wpa_supplicant.service' \
+		| tee -a dbus/*.service >/dev/null || die
+
+	cd "${WORKDIR}/${P}"
+
+	if use wimax; then
+		# generate-libeap-peer.patch comes before
+		# fix-undefined-reference-to-random_get_bytes.patch
+		epatch "${FILESDIR}/${P}-generate-libeap-peer.patch"
+
+		# multilib-strict fix (bug #373685)
+		sed -e "s/\/usr\/lib/\/usr\/$(get_libdir)/" -i src/eap_peer/Makefile
+	fi
+
+	# bug (320097)
+	epatch "${FILESDIR}/${P}-do-not-call-dbus-functions-with-NULL-path.patch"
+
+	# TODO - NEED TESTING TO SEE IF STILL NEEDED, NOT COMPATIBLE WITH 1.0 OUT OF THE BOX,
+	# SO WOULD BE NICE TO JUST DROP IT, IF IT IS NOT NEEDED.
+	# bug (374089)
+	#epatch "${FILESDIR}/${P}-dbus-WPAIE-fix.patch"
+}
+
+src_configure() {
+	# Toolchain setup
+	tc-export CC
+
+	cp defconfig .config
+
+	# Basic setup
+	Kconfig_style_config CTRL_IFACE
+	Kconfig_style_config BACKEND file
+	Kconfig_style_config IBSS_RSN
+	Kconfig_style_config IEEE80211W
+	Kconfig_style_config IEEE80211R
+
+	# Basic authentication methods
+	# NOTE: we don't set GPSK or SAKE as they conflict
+	# with the below options
+	Kconfig_style_config EAP_GTC
+	Kconfig_style_config EAP_MD5
+	Kconfig_style_config EAP_OTP
+	Kconfig_style_config EAP_PAX
+	Kconfig_style_config EAP_PSK
+	Kconfig_style_config EAP_TLV
+	Kconfig_style_config EAP_EXE
+	Kconfig_style_config IEEE8021X_EAPOL
+	Kconfig_style_config PKCS12
+	Kconfig_style_config PEERKEY
+	Kconfig_style_config EAP_LEAP
+	Kconfig_style_config EAP_MSCHAPV2
+	Kconfig_style_config EAP_PEAP
+	Kconfig_style_config EAP_TLS
+	Kconfig_style_config EAP_TTLS
+
+	# Enabling background scanning.
+	Kconfig_style_config BGSCAN_SIMPLE
+	Kconfig_style_config BGSCAN_LEARN
+
+	# Enabling mesh networks.
+	Kconfig_style_config MESH
+
+	if use dbus ; then
+		Kconfig_style_config CTRL_IFACE_DBUS
+		Kconfig_style_config CTRL_IFACE_DBUS_NEW
+		Kconfig_style_config CTRL_IFACE_DBUS_INTRO
+	fi
+
+	# Enable support for writing debug info to a log file and syslog.
+	Kconfig_style_config DEBUG_FILE
+	Kconfig_style_config DEBUG_SYSLOG
+
+	if use hs2-0 ; then
+		Kconfig_style_config INTERWORKING
+		Kconfig_style_config HS20
+	fi
+
+	if use uncommon-eap-types; then
+		Kconfig_style_config EAP_GPSK
+		Kconfig_style_config EAP_SAKE
+		Kconfig_style_config EAP_GPSK_SHA256
+		Kconfig_style_config EAP_IKEV2
+		Kconfig_style_config EAP_EKE
+	fi
+
+	if use eap-sim ; then
+		# Smart card authentication
+		Kconfig_style_config EAP_SIM
+		Kconfig_style_config EAP_AKA
+		Kconfig_style_config EAP_AKA_PRIME
+		Kconfig_style_config PCSC
+	fi
+
+	if use fasteap ; then
+		Kconfig_style_config EAP_FAST
+	fi
+
+	if use readline ; then
+		# readline/history support for wpa_cli
+		Kconfig_style_config READLINE
+	else
+		#internal line edit mode for wpa_cli
+		Kconfig_style_config WPA_CLI_EDIT
+	fi
+
+	# SSL authentication methods
+	if use ssl ; then
+		Kconfig_style_config TLS openssl
+	elif use gnutls ; then
+		Kconfig_style_config TLS gnutls
+		Kconfig_style_config GNUTLS_EXTRA
+	else
+		Kconfig_style_config TLS internal
+	fi
+
+	if use smartcard ; then
+		Kconfig_style_config SMARTCARD
+	fi
+
+	if use tdls ; then
+		Kconfig_style_config TDLS
+	fi
+
+	if use kernel_linux ; then
+		# Linux specific drivers
+		Kconfig_style_config DRIVER_ATMEL
+		Kconfig_style_config DRIVER_HOSTAP
+		Kconfig_style_config DRIVER_IPW
+		Kconfig_style_config DRIVER_NL80211
+		Kconfig_style_config DRIVER_RALINK
+		Kconfig_style_config DRIVER_WEXT
+		Kconfig_style_config DRIVER_WIRED
+
+		if use ps3 ; then
+			Kconfig_style_config DRIVER_PS3
+		fi
+
+	elif use kernel_FreeBSD ; then
+		# FreeBSD specific driver
+		Kconfig_style_config DRIVER_BSD
+	fi
+
+	# Wi-Fi Protected Setup (WPS)
+	if use wps ; then
+		Kconfig_style_config WPS
+		Kconfig_style_config WPS2
+		# USB Flash Drive
+		Kconfig_style_config WPS_UFD
+		# External Registrar
+		Kconfig_style_config WPS_ER
+		# Universal Plug'n'Play
+		Kconfig_style_config WPS_UPNP
+		# Near Field Communication
+		Kconfig_style_config WPS_NFC
+	fi
+
+	# Wi-Fi Direct (WiDi)
+	if use p2p ; then
+		Kconfig_style_config P2P
+		Kconfig_style_config WIFI_DISPLAY
+	fi
+
+	# Access Point Mode
+	if use ap ; then
+		Kconfig_style_config AP
+	fi
+
+	# Enable mitigation against certain attacks against TKIP
+	Kconfig_style_config DELAYED_MIC_ERROR_REPORT
+
+	# If we are using libnl 2.0 and above, enable support for it
+	# Bug 382159
+	# Removed for now, since the 3.2 version is broken, and we don't
+	# support it.
+	if has_version ">=dev-libs/libnl-3.2"; then
+		Kconfig_style_config LIBNL32
+	fi
+
+	if use qt4 ; then
+		pushd "${S}"/wpa_gui-qt4 > /dev/null
+		eqmake4 wpa_gui.pro
+		popd > /dev/null
+	fi
+	if use qt5 ; then
+		pushd "${S}"/wpa_gui-qt4 > /dev/null
+		eqmake5 wpa_gui.pro
+		popd > /dev/null
+	fi
+}
+
+src_compile() {
+	einfo "Building wpa_supplicant"
+	emake V=1 BINDIR=/usr/sbin
+
+	if use wimax; then
+		emake -C ../src/eap_peer clean
+		emake -C ../src/eap_peer
+	fi
+
+	if use qt4 || use qt5; then
+		pushd "${S}"/wpa_gui-qt4 > /dev/null
+		einfo "Building wpa_gui"
+		emake
+		popd > /dev/null
+	fi
+}
+
+src_install() {
+	dosbin wpa_supplicant
+	dobin wpa_cli wpa_passphrase
+
+	# baselayout-1 compat
+	if has_version "<sys-apps/baselayout-2.0.0"; then
+		dodir /sbin
+		dosym /usr/sbin/wpa_supplicant /sbin/wpa_supplicant
+		dodir /bin
+		dosym /usr/bin/wpa_cli /bin/wpa_cli
+	fi
+
+	if has_version ">=sys-apps/openrc-0.5.0"; then
+		newinitd "${FILESDIR}/${PN}-init.d" wpa_supplicant
+		newconfd "${FILESDIR}/${PN}-conf.d" wpa_supplicant
+	fi
+
+	exeinto /etc/wpa_supplicant/
+	newexe "${FILESDIR}/wpa_cli.sh" wpa_cli.sh
+
+	dodoc ChangeLog {eap_testing,todo}.txt README{,-WPS} \
+		wpa_supplicant.conf
+
+	newdoc .config build-config
+
+	doman doc/docbook/*.{5,8}
+
+	if use qt4 || use qt5 ; then
+		into /usr
+		dobin wpa_gui-qt4/wpa_gui
+		doicon wpa_gui-qt4/icons/wpa_gui.svg
+		make_desktop_entry wpa_gui "WPA Supplicant Administration GUI" "wpa_gui" "Qt;Network;"
+	fi
+
+	use wimax && emake DESTDIR="${D}" -C ../src/eap_peer install
+
+	if use dbus ; then
+		pushd "${S}"/dbus > /dev/null
+		insinto /etc/dbus-1/system.d
+		newins dbus-wpa_supplicant.conf wpa_supplicant.conf
+		insinto /usr/share/dbus-1/system-services
+		doins fi.epitest.hostap.WPASupplicant.service fi.w1.wpa_supplicant1.service
+		popd > /dev/null
+
+		# This unit relies on dbus support, bug 538600.
+		systemd_dounit systemd/wpa_supplicant.service
+	fi
+
+	systemd_dounit "systemd/wpa_supplicant@.service"
+	systemd_dounit "systemd/wpa_supplicant-nl80211@.service"
+	systemd_dounit "systemd/wpa_supplicant-wired@.service"
+}
+
+pkg_postinst() {
+	elog "If this is a clean installation of wpa_supplicant, you"
+	elog "have to create a configuration file named"
+	elog "/etc/wpa_supplicant/wpa_supplicant.conf"
+	elog
+	elog "An example configuration file is available for reference in"
+	elog "/usr/share/doc/${PF}/"
+
+	if [[ -e ${ROOT}etc/wpa_supplicant.conf ]] ; then
+		echo
+		ewarn "WARNING: your old configuration file ${ROOT}etc/wpa_supplicant.conf"
+		ewarn "needs to be moved to ${ROOT}etc/wpa_supplicant/wpa_supplicant.conf"
+	fi
+
+	# Mea culpa, feel free to remove that after some time --mgorny.
+	local fn
+	for fn in wpa_supplicant{,@wlan0}.service; do
+		if [[ -e "${ROOT}"/etc/systemd/system/network.target.wants/${fn} ]]
+		then
+			ebegin "Moving ${fn} to multi-user.target"
+			mv "${ROOT}"/etc/systemd/system/network.target.wants/${fn} \
+				"${ROOT}"/etc/systemd/system/multi-user.target.wants/
+			eend ${?} \
+				"Please try to re-enable ${fn}"
+		fi
+	done
+}

[gentoo-commits] repo/gentoo:master commit in: net-wireless/wpa_supplicant/, net-wireless/wpa_supplicant/files/

[Bjarke Istrup Pedersen]

commit:     860e9b1a04e420c144a6c9b41c1b0292027ef4ea
Author:     Bjarke Istrup Pedersen <gurligebis <AT> gentoo <DOT> org>
AuthorDate: Sun Oct  9 09:08:52 2016 +0000
Commit:     Bjarke Istrup Pedersen <gurligebis <AT> gentoo <DOT> org>
CommitDate: Sun Oct  9 09:09:15 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=860e9b1a

net-wireless/wpa_supplicant: Adding libressl fix, to fix bug #596332

Package-Manager: portage-2.3.1

 .../files/wpa_supplicant-2.6-libressl.patch        | 81 ++++++++++++++++++++++
 .../wpa_supplicant/wpa_supplicant-2.6.ebuild       |  3 +
 2 files changed, 84 insertions(+)

diff --git a/net-wireless/wpa_supplicant/files/wpa_supplicant-2.6-libressl.patch b/net-wireless/wpa_supplicant/files/wpa_supplicant-2.6-libressl.patch
new file mode 100644
index 00000000..0394ab5
--- /dev/null
+++ b/net-wireless/wpa_supplicant/files/wpa_supplicant-2.6-libressl.patch
@@ -0,0 +1,81 @@
+From d53b107120af86a0c711bac950bfc2fa728cb4e6 Mon Sep 17 00:00:00 2001
+From: Julian Ospald <hasufell@hasufell.de>
+Date: Fri, 7 Oct 2016 17:45:46 +0200
+Subject: [PATCH] Fix LibreSSL compatibility
+Upstream: pending, http://lists.infradead.org/pipermail/hostap/2016-October/036458.html
+
+This basically just follows
+587b0457e0238b7b1800d46f5cdd5e1d2b06732f
+with the same pattern, which was missed here.
+
+Signed-off-by: Julian Ospald <hasufell@hasufell.de>
+---
+ src/crypto/crypto_openssl.c | 4 ++--
+ src/crypto/tls_openssl.c    | 8 ++++----
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c
+index 19e0e2b..b3d1b07 100644
+--- a/src/crypto/crypto_openssl.c
++++ b/src/crypto/crypto_openssl.c
+@@ -611,7 +611,7 @@ void crypto_cipher_deinit(struct crypto_cipher *ctx)
+ 
+ void * dh5_init(struct wpabuf **priv, struct wpabuf **publ)
+ {
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ 	DH *dh;
+ 	struct wpabuf *pubkey = NULL, *privkey = NULL;
+ 	size_t publen, privlen;
+@@ -712,7 +712,7 @@ err:
+ 
+ void * dh5_init_fixed(const struct wpabuf *priv, const struct wpabuf *publ)
+ {
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ 	DH *dh;
+ 
+ 	dh = DH_new();
+diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
+index 23ac64b..a7d4880 100644
+--- a/src/crypto/tls_openssl.c
++++ b/src/crypto/tls_openssl.c
+@@ -919,7 +919,7 @@ void * tls_init(const struct tls_config *conf)
+ 		}
+ #endif /* OPENSSL_FIPS */
+ #endif /* CONFIG_FIPS */
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ 		SSL_load_error_strings();
+ 		SSL_library_init();
+ #ifndef OPENSSL_NO_SHA256
+@@ -1043,7 +1043,7 @@ void tls_deinit(void *ssl_ctx)
+ 
+ 	tls_openssl_ref_count--;
+ 	if (tls_openssl_ref_count == 0) {
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ #ifndef OPENSSL_NO_ENGINE
+ 		ENGINE_cleanup();
+ #endif /* OPENSSL_NO_ENGINE */
+@@ -2334,7 +2334,7 @@ static int tls_connection_client_cert(struct tls_connection *conn,
+ 		return 0;
+ 
+ #ifdef PKCS12_FUNCS
+-#if OPENSSL_VERSION_NUMBER < 0x10002000L
++#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER)
+ 	/*
+ 	 * Clear previously set extra chain certificates, if any, from PKCS#12
+ 	 * processing in tls_parse_pkcs12() to allow OpenSSL to build a new
+@@ -3976,7 +3976,7 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
+ 		engine_id = "pkcs11";
+ 
+ #if defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || defined(EAP_SERVER_FAST)
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ 	if (params->flags & TLS_CONN_EAP_FAST) {
+ 		wpa_printf(MSG_DEBUG,
+ 			   "OpenSSL: Use TLSv1_method() for EAP-FAST");
+-- 
+2.10.1
+

diff --git a/net-wireless/wpa_supplicant/wpa_supplicant-2.6.ebuild b/net-wireless/wpa_supplicant/wpa_supplicant-2.6.ebuild
index ebb32c5..c07b5fc 100644
--- a/net-wireless/wpa_supplicant/wpa_supplicant-2.6.ebuild
+++ b/net-wireless/wpa_supplicant/wpa_supplicant-2.6.ebuild
@@ -127,6 +127,9 @@ src_prepare() {
 	# SO WOULD BE NICE TO JUST DROP IT, IF IT IS NOT NEEDED.
 	# bug (374089)
 	#epatch "${FILESDIR}/${P}-dbus-WPAIE-fix.patch"
+
+	# bug (596332)
+	epatch "${FILESDIR}/${P}-libressl.patch"
 }
 
 src_configure() {

[gentoo-commits] repo/gentoo:master commit in: net-wireless/wpa_supplicant/, net-wireless/wpa_supplicant/files/

[Rick Farina]

commit:     696f3772a422e25bd62e69d497717985d1fe295d
Author:     Craig Andrews <candrews <AT> gentoo <DOT> org>
AuthorDate: Mon Dec  3 20:21:11 2018 +0000
Commit:     Rick Farina <zerochaos <AT> gentoo <DOT> org>
CommitDate: Tue Dec  4 01:39:10 2018 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=696f3772

net-wireless/wpa_supplicant: Fix EAP-TLS with OpenSSL 1.1

Closes: https://bugs.gentoo.org/671006
Package-Manager: Portage-2.3.52, Repoman-2.3.12
Signed-off-by: Craig Andrews <candrews <AT> gentoo.org>
Signed-off-by: Rick Farina <zerochaos <AT> gentoo.org>

 .../files/wpa_supplicant-2.6-openssl-1.1.patch     |  48 +++
 .../wpa_supplicant/wpa_supplicant-2.6-r9.ebuild    | 460 +++++++++++++++++++++
 2 files changed, 508 insertions(+)

diff --git a/net-wireless/wpa_supplicant/files/wpa_supplicant-2.6-openssl-1.1.patch b/net-wireless/wpa_supplicant/files/wpa_supplicant-2.6-openssl-1.1.patch
new file mode 100644
index 00000000000..1e2335f34c0
--- /dev/null
+++ b/net-wireless/wpa_supplicant/files/wpa_supplicant-2.6-openssl-1.1.patch
@@ -0,0 +1,48 @@
+From f665c93e1d28fbab3d9127a8c3985cc32940824f Mon Sep 17 00:00:00 2001
+From: Beniamino Galvani <bgalvani@redhat.com>
+Date: Sun, 9 Jul 2017 11:14:10 +0200
+Subject: OpenSSL: Fix private key password handling with OpenSSL >= 1.1.0f
+
+Since OpenSSL version 1.1.0f, SSL_use_PrivateKey_file() uses the
+callback from the SSL object instead of the one from the CTX, so let's
+set the callback on both SSL and CTX. Note that
+SSL_set_default_passwd_cb*() is available only in 1.1.0.
+
+Signed-off-by: Beniamino Galvani <bgalvani@redhat.com>
+---
+ src/crypto/tls_openssl.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
+index fd94eaf..c790b53 100644
+--- a/src/crypto/tls_openssl.c
++++ b/src/crypto/tls_openssl.c
+@@ -2796,6 +2796,15 @@ static int tls_connection_private_key(struct tls_data *data,
+ 	} else
+ 		passwd = NULL;
+ 
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
++	/*
++	 * In OpenSSL >= 1.1.0f SSL_use_PrivateKey_file() uses the callback
++	 * from the SSL object. See OpenSSL commit d61461a75253.
++	 */
++	SSL_set_default_passwd_cb(conn->ssl, tls_passwd_cb);
++	SSL_set_default_passwd_cb_userdata(conn->ssl, passwd);
++#endif /* >= 1.1.0f && !LibreSSL */
++	/* Keep these for OpenSSL < 1.1.0f */
+ 	SSL_CTX_set_default_passwd_cb(ssl_ctx, tls_passwd_cb);
+ 	SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, passwd);
+ 
+@@ -2886,6 +2895,9 @@ static int tls_connection_private_key(struct tls_data *data,
+ 		return -1;
+ 	}
+ 	ERR_clear_error();
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
++	SSL_set_default_passwd_cb(conn->ssl, NULL);
++#endif /* >= 1.1.0f && !LibreSSL */
+ 	SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL);
+ 	os_free(passwd);
+ 
+-- 
+cgit v0.12
+

diff --git a/net-wireless/wpa_supplicant/wpa_supplicant-2.6-r9.ebuild b/net-wireless/wpa_supplicant/wpa_supplicant-2.6-r9.ebuild
new file mode 100644
index 00000000000..19e3fbfe5a0
--- /dev/null
+++ b/net-wireless/wpa_supplicant/wpa_supplicant-2.6-r9.ebuild
@@ -0,0 +1,460 @@
+# Copyright 1999-2018 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+inherit eutils qmake-utils systemd toolchain-funcs readme.gentoo-r1
+
+DESCRIPTION="IEEE 802.1X/WPA supplicant for secure wireless transfers"
+HOMEPAGE="https://w1.fi/wpa_supplicant/"
+SRC_URI="https://w1.fi/releases/${P}.tar.gz"
+LICENSE="|| ( GPL-2 BSD )"
+
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86 ~x86-fbsd"
+IUSE="ap bindist dbus eap-sim eapol_test fasteap gnutls +hs2-0 libressl p2p privsep ps3 qt5 readline selinux smartcard ssl suiteb tdls uncommon-eap-types wimax wps kernel_linux kernel_FreeBSD"
+REQUIRED_USE="smartcard? ( ssl )"
+
+CDEPEND="dbus? ( sys-apps/dbus )
+	kernel_linux? (
+		dev-libs/libnl:3
+		net-wireless/crda
+		eap-sim? ( sys-apps/pcsc-lite )
+	)
+	!kernel_linux? ( net-libs/libpcap )
+	qt5? (
+		dev-qt/qtcore:5
+		dev-qt/qtgui:5
+		dev-qt/qtsvg:5
+		dev-qt/qtwidgets:5
+	)
+	readline? (
+		sys-libs/ncurses:0=
+		sys-libs/readline:0=
+	)
+	ssl? (
+		gnutls? (
+			dev-libs/libgcrypt:0=
+			net-libs/gnutls:=
+		)
+		!gnutls? (
+			!libressl? ( >=dev-libs/openssl-1.0.2k:0=[bindist=] )
+			libressl? ( dev-libs/libressl:0= )
+		)
+	)
+	!ssl? ( dev-libs/libtommath )
+"
+DEPEND="${CDEPEND}
+	virtual/pkgconfig
+"
+RDEPEND="${CDEPEND}
+	selinux? ( sec-policy/selinux-networkmanager )
+"
+
+DOC_CONTENTS="
+	If this is a clean installation of wpa_supplicant, you
+	have to create a configuration file named
+	${EROOT%/}/etc/wpa_supplicant/wpa_supplicant.conf
+	An example configuration file is available for reference in
+	${EROOT%/}/usr/share/doc/${PF}/
+"
+
+S="${WORKDIR}/${P}/${PN}"
+
+Kconfig_style_config() {
+		#param 1 is CONFIG_* item
+		#param 2 is what to set it = to, defaulting in y
+		CONFIG_PARAM="${CONFIG_HEADER:-CONFIG_}$1"
+		setting="${2:-y}"
+
+		if [ ! $setting = n ]; then
+			#first remove any leading "# " if $2 is not n
+			sed -i "/^# *$CONFIG_PARAM=/s/^# *//" .config || echo "Kconfig_style_config error uncommenting $CONFIG_PARAM"
+			#set item = $setting (defaulting to y)
+			sed -i "/^$CONFIG_PARAM/s/=.*/=$setting/" .config || echo "Kconfig_style_config error setting $CONFIG_PARAM=$setting"
+			if [ -z "$( grep ^$CONFIG_PARAM= .config )" ] ; then
+				echo "$CONFIG_PARAM=$setting" >>.config
+			fi
+		else
+			#ensure item commented out
+			sed -i "/^$CONFIG_PARAM/s/$CONFIG_PARAM/# $CONFIG_PARAM/" .config || echo "Kconfig_style_config error commenting $CONFIG_PARAM"
+		fi
+}
+
+pkg_setup() {
+	if use ssl ; then
+		if use gnutls && use libressl ; then
+			elog "You have both 'gnutls' and 'libressl' USE flags enabled: defaulting to USE=\"gnutls\""
+		fi
+	else
+		elog "You have 'ssl' USE flag disabled: defaulting to internal TLS implementation"
+	fi
+}
+
+src_prepare() {
+	default
+
+	# net/bpf.h needed for net-libs/libpcap on Gentoo/FreeBSD
+	sed -i \
+		-e "s:\(#include <pcap\.h>\):#include <net/bpf.h>\n\1:" \
+		../src/l2_packet/l2_packet_freebsd.c || die
+
+	# People seem to take the example configuration file too literally (bug #102361)
+	sed -i \
+		-e "s:^\(opensc_engine_path\):#\1:" \
+		-e "s:^\(pkcs11_engine_path\):#\1:" \
+		-e "s:^\(pkcs11_module_path\):#\1:" \
+		wpa_supplicant.conf || die
+
+	# Change configuration to match Gentoo locations (bug #143750)
+	sed -i \
+		-e "s:/usr/lib/opensc:/usr/$(get_libdir):" \
+		-e "s:/usr/lib/pkcs11:/usr/$(get_libdir):" \
+		wpa_supplicant.conf || die
+
+	# systemd entries to D-Bus service files (bug #372877)
+	echo 'SystemdService=wpa_supplicant.service' \
+		| tee -a dbus/*.service >/dev/null || die
+
+	cd "${WORKDIR}/${P}" || die
+
+	if use wimax; then
+		# generate-libeap-peer.patch comes before
+		# fix-undefined-reference-to-random_get_bytes.patch
+		eapply "${FILESDIR}/${P}-generate-libeap-peer.patch"
+
+		# multilib-strict fix (bug #373685)
+		sed -e "s/\/usr\/lib/\/usr\/$(get_libdir)/" -i src/eap_peer/Makefile || die
+	fi
+
+	# bug (320097)
+	eapply "${FILESDIR}/${P}-do-not-call-dbus-functions-with-NULL-path.patch"
+
+	# bug (596332 & 651314)
+	eapply "${FILESDIR}/${P}-libressl-compatibility.patch"
+
+	# bug (671006)
+	eapply "${FILESDIR}/${P}-openssl-1.1.patch"
+
+	# https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
+	eapply "${FILESDIR}/2017-1/rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch"
+	eapply "${FILESDIR}/2017-1/rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch"
+	eapply "${FILESDIR}/2017-1/rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch"
+	eapply "${FILESDIR}/2017-1/rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch"
+	eapply "${FILESDIR}/2017-1/rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch"
+	eapply "${FILESDIR}/2017-1/rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch"
+	eapply "${FILESDIR}/2017-1/rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch"
+	eapply "${FILESDIR}/2017-1/rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch"
+
+	# bug (640492)
+	sed -i 's#-Werror ##' wpa_supplicant/Makefile || die
+}
+
+src_configure() {
+	# Toolchain setup
+	tc-export CC
+
+	cp defconfig .config || die
+
+	# Basic setup
+	Kconfig_style_config CTRL_IFACE
+	Kconfig_style_config MATCH_IFACE
+	Kconfig_style_config BACKEND file
+	Kconfig_style_config IBSS_RSN
+	Kconfig_style_config IEEE80211W
+	Kconfig_style_config IEEE80211R
+
+	# Basic authentication methods
+	# NOTE: we don't set GPSK or SAKE as they conflict
+	# with the below options
+	Kconfig_style_config EAP_GTC
+	Kconfig_style_config EAP_MD5
+	Kconfig_style_config EAP_OTP
+	Kconfig_style_config EAP_PAX
+	Kconfig_style_config EAP_PSK
+	Kconfig_style_config EAP_TLV
+	Kconfig_style_config EAP_EXE
+	Kconfig_style_config IEEE8021X_EAPOL
+	Kconfig_style_config PKCS12
+	Kconfig_style_config PEERKEY
+	Kconfig_style_config EAP_LEAP
+	Kconfig_style_config EAP_MSCHAPV2
+	Kconfig_style_config EAP_PEAP
+	Kconfig_style_config EAP_TLS
+	Kconfig_style_config EAP_TTLS
+
+	# Enabling background scanning.
+	Kconfig_style_config BGSCAN_SIMPLE
+	Kconfig_style_config BGSCAN_LEARN
+
+	if use dbus ; then
+		Kconfig_style_config CTRL_IFACE_DBUS
+		Kconfig_style_config CTRL_IFACE_DBUS_NEW
+		Kconfig_style_config CTRL_IFACE_DBUS_INTRO
+	fi
+
+	if use eapol_test ; then
+		Kconfig_style_config EAPOL_TEST
+	fi
+
+	# Enable support for writing debug info to a log file and syslog.
+	Kconfig_style_config DEBUG_FILE
+	Kconfig_style_config DEBUG_SYSLOG
+
+	if use hs2-0 ; then
+		Kconfig_style_config INTERWORKING
+		Kconfig_style_config HS20
+	fi
+
+	if use uncommon-eap-types; then
+		Kconfig_style_config EAP_GPSK
+		Kconfig_style_config EAP_SAKE
+		Kconfig_style_config EAP_GPSK_SHA256
+		Kconfig_style_config EAP_IKEV2
+		Kconfig_style_config EAP_EKE
+	fi
+
+	if use eap-sim ; then
+		# Smart card authentication
+		Kconfig_style_config EAP_SIM
+		Kconfig_style_config EAP_AKA
+		Kconfig_style_config EAP_AKA_PRIME
+		Kconfig_style_config PCSC
+	fi
+
+	if use fasteap ; then
+		Kconfig_style_config EAP_FAST
+	fi
+
+	if use readline ; then
+		# readline/history support for wpa_cli
+		Kconfig_style_config READLINE
+	else
+		#internal line edit mode for wpa_cli
+		Kconfig_style_config WPA_CLI_EDIT
+	fi
+
+	if use suiteb; then
+		Kconfig_style_config SUITEB
+	fi
+
+	# SSL authentication methods
+	if use ssl ; then
+		if use gnutls ; then
+			Kconfig_style_config TLS gnutls
+			Kconfig_style_config GNUTLS_EXTRA
+		else
+			#this fails for gnutls
+			Kconfig_style_config SUITEB192
+			Kconfig_style_config TLS openssl
+			if ! use bindist; then
+			  #this fails for gnutls
+			  Kconfig_style_config EAP_PWD
+			  # SAE fails on gnutls and everything below here needs SAE
+			  # Enabling mesh networks.
+			  Kconfig_style_config MESH
+			  #WPA3
+			  Kconfig_style_config OWE
+			  Kconfig_style_config SAE
+			  #we also need to disable FILS, except that isn't enabled yet
+			fi
+
+		fi
+	else
+		Kconfig_style_config TLS internal
+	fi
+
+	if use smartcard ; then
+		Kconfig_style_config SMARTCARD
+	fi
+
+	if use tdls ; then
+		Kconfig_style_config TDLS
+	fi
+
+	if use kernel_linux ; then
+		# Linux specific drivers
+		Kconfig_style_config DRIVER_ATMEL
+		Kconfig_style_config DRIVER_HOSTAP
+		Kconfig_style_config DRIVER_IPW
+		Kconfig_style_config DRIVER_NL80211
+		Kconfig_style_config DRIVER_RALINK
+		Kconfig_style_config DRIVER_WEXT
+		Kconfig_style_config DRIVER_WIRED
+
+		if use ps3 ; then
+			Kconfig_style_config DRIVER_PS3
+		fi
+
+	elif use kernel_FreeBSD ; then
+		# FreeBSD specific driver
+		Kconfig_style_config DRIVER_BSD
+	fi
+
+	# Wi-Fi Protected Setup (WPS)
+	if use wps ; then
+		Kconfig_style_config WPS
+		Kconfig_style_config WPS2
+		# USB Flash Drive
+		Kconfig_style_config WPS_UFD
+		# External Registrar
+		Kconfig_style_config WPS_ER
+		# Universal Plug'n'Play
+		Kconfig_style_config WPS_UPNP
+		# Near Field Communication
+		Kconfig_style_config WPS_NFC
+	fi
+
+	# Wi-Fi Direct (WiDi)
+	if use p2p ; then
+		Kconfig_style_config P2P
+		Kconfig_style_config WIFI_DISPLAY
+	fi
+
+	# Access Point Mode
+	if use ap ; then
+		Kconfig_style_config AP
+	fi
+
+	# Enable essentials for AP/P2P
+	if use ap || use p2p ; then
+		# Enabling HT support (802.11n)
+		Kconfig_style_config IEEE80211N
+
+		# Enabling VHT support (802.11ac)
+		Kconfig_style_config IEEE80211AC
+	fi
+
+	# Enable mitigation against certain attacks against TKIP
+	Kconfig_style_config DELAYED_MIC_ERROR_REPORT
+
+	if use privsep ; then
+		Kconfig_style_config PRIVSEP
+	fi
+
+	# If we are using libnl 2.0 and above, enable support for it
+	# Bug 382159
+	# Removed for now, since the 3.2 version is broken, and we don't
+	# support it.
+	if has_version ">=dev-libs/libnl-3.2"; then
+		Kconfig_style_config LIBNL32
+	fi
+
+	if use qt5 ; then
+		pushd "${S}"/wpa_gui-qt4 > /dev/null || die
+		eqmake5 wpa_gui.pro
+		popd > /dev/null || die
+	fi
+}
+
+src_compile() {
+	einfo "Building wpa_supplicant"
+	emake V=1 BINDIR=/usr/sbin
+
+	if use wimax; then
+		emake -C ../src/eap_peer clean
+		emake -C ../src/eap_peer
+	fi
+
+	if use qt5; then
+		einfo "Building wpa_gui"
+		emake -C "${S}"/wpa_gui-qt4
+	fi
+
+	if use eapol_test ; then
+		emake eapol_test
+	fi
+}
+
+src_install() {
+	dosbin wpa_supplicant
+	use privsep && dosbin wpa_priv
+	dobin wpa_cli wpa_passphrase
+
+	# baselayout-1 compat
+	if has_version "<sys-apps/baselayout-2.0.0"; then
+		dodir /sbin
+		dosym ../usr/sbin/wpa_supplicant /sbin/wpa_supplicant
+		dodir /bin
+		dosym ../usr/bin/wpa_cli /bin/wpa_cli
+	fi
+
+	if has_version ">=sys-apps/openrc-0.5.0"; then
+		newinitd "${FILESDIR}/${PN}-init.d" wpa_supplicant
+		newconfd "${FILESDIR}/${PN}-conf.d" wpa_supplicant
+	fi
+
+	exeinto /etc/wpa_supplicant/
+	newexe "${FILESDIR}/wpa_cli.sh" wpa_cli.sh
+
+	readme.gentoo_create_doc
+	dodoc ChangeLog {eap_testing,todo}.txt README{,-WPS} \
+		wpa_supplicant.conf
+
+	newdoc .config build-config
+
+	doman doc/docbook/*.{5,8}
+
+	if use qt5 ; then
+		into /usr
+		dobin wpa_gui-qt4/wpa_gui
+		doicon wpa_gui-qt4/icons/wpa_gui.svg
+		make_desktop_entry wpa_gui "WPA Supplicant Administration GUI" "wpa_gui" "Qt;Network;"
+	else
+		rm "${ED}"/usr/share/man/man8/wpa_gui.8
+	fi
+
+	use wimax && emake DESTDIR="${D}" -C ../src/eap_peer install
+
+	if use dbus ; then
+		pushd "${S}"/dbus > /dev/null || die
+		insinto /etc/dbus-1/system.d
+		newins dbus-wpa_supplicant.conf wpa_supplicant.conf
+		insinto /usr/share/dbus-1/system-services
+		doins fi.epitest.hostap.WPASupplicant.service fi.w1.wpa_supplicant1.service
+		popd > /dev/null || die
+
+		# This unit relies on dbus support, bug 538600.
+		systemd_dounit systemd/wpa_supplicant.service
+	fi
+
+	if use eapol_test ; then
+		dobin eapol_test
+	fi
+
+	systemd_dounit "systemd/wpa_supplicant@.service"
+	systemd_dounit "systemd/wpa_supplicant-nl80211@.service"
+	systemd_dounit "systemd/wpa_supplicant-wired@.service"
+}
+
+pkg_postinst() {
+	readme.gentoo_print_elog
+
+	if [[ -e "${EROOT%/}"/etc/wpa_supplicant.conf ]] ; then
+		echo
+		ewarn "WARNING: your old configuration file ${EROOT%/}/etc/wpa_supplicant.conf"
+		ewarn "needs to be moved to ${EROOT%/}/etc/wpa_supplicant/wpa_supplicant.conf"
+	fi
+
+	if use bindist || use gnutls; then
+		if ! use libressl; then
+			ewarn "Using bindist or gnutls use flags presently breaks WPA3 (specifically SAE and OWE)."
+			ewarn "This is incredibly undesirable"
+		fi
+	fi
+
+	# Mea culpa, feel free to remove that after some time --mgorny.
+	local fn
+	for fn in wpa_supplicant{,@wlan0}.service; do
+		if [[ -e "${EROOT%/}"/etc/systemd/system/network.target.wants/${fn} ]]
+		then
+			ebegin "Moving ${fn} to multi-user.target"
+			mv "${EROOT%/}"/etc/systemd/system/network.target.wants/${fn} \
+				"${EROOT%/}"/etc/systemd/system/multi-user.target.wants/ || die
+			eend ${?} \
+				"Please try to re-enable ${fn}"
+		fi
+	done
+
+	systemd_reenable wpa_supplicant.service
+}

[gentoo-commits] repo/gentoo:master commit in: net-wireless/wpa_supplicant/, net-wireless/wpa_supplicant/files/

[Rick Farina]

commit:     102ca740a0e42464d91b474119a03c8b26cdefaa
Author:     Rick Farina <zerochaos <AT> gentoo <DOT> org>
AuthorDate: Wed Dec  5 20:39:42 2018 +0000
Commit:     Rick Farina <zerochaos <AT> gentoo <DOT> org>
CommitDate: Wed Dec  5 20:39:42 2018 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=102ca740

net-wireless/wpa_supplicant: fix bug #663172

Package-Manager: Portage-2.3.52, Repoman-2.3.12
Signed-off-by: Rick Farina <zerochaos <AT> gentoo.org>

 ...-unauthenticated-encrypted-EAPOL-Key-data.patch | 44 ++++++++++++++++++++++
 ...2.6-r9.ebuild => wpa_supplicant-2.6-r10.ebuild} |  3 ++
 2 files changed, 47 insertions(+)

diff --git a/net-wireless/wpa_supplicant/files/rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch b/net-wireless/wpa_supplicant/files/rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch
new file mode 100644
index 00000000000..a62b52c6b9a
--- /dev/null
+++ b/net-wireless/wpa_supplicant/files/rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch
@@ -0,0 +1,44 @@
+From 3e34cfdff6b192fe337c6fb3f487f73e96582961 Mon Sep 17 00:00:00 2001
+From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
+Date: Sun, 15 Jul 2018 01:25:53 +0200
+Subject: [PATCH] WPA: Ignore unauthenticated encrypted EAPOL-Key data
+
+Ignore unauthenticated encrypted EAPOL-Key data in supplicant
+processing. When using WPA2, these are frames that have the Encrypted
+flag set, but not the MIC flag.
+
+When using WPA2, EAPOL-Key frames that had the Encrypted flag set but
+not the MIC flag, had their data field decrypted without first verifying
+the MIC. In case the data field was encrypted using RC4 (i.e., when
+negotiating TKIP as the pairwise cipher), this meant that
+unauthenticated but decrypted data would then be processed. An adversary
+could abuse this as a decryption oracle to recover sensitive information
+in the data field of EAPOL-Key messages (e.g., the group key).
+(CVE-2018-14526)
+
+Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
+---
+ src/rsn_supp/wpa.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff -upr wpa_supplicant-2.6.orig/src/rsn_supp/wpa.c wpa_supplicant-2.6/src/rsn_supp/wpa.c
+--- wpa_supplicant-2.6.orig/src/rsn_supp/wpa.c	2016-10-02 21:51:11.000000000 +0300
++++ wpa_supplicant-2.6/src/rsn_supp/wpa.c	2018-08-08 16:55:11.506831029 +0300
+@@ -2016,6 +2016,17 @@ int wpa_sm_rx_eapol(struct wpa_sm *sm, c
+ 
+ 	if ((sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) &&
+ 	    (key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
++		/*
++		 * Only decrypt the Key Data field if the frame's authenticity
++		 * was verified. When using AES-SIV (FILS), the MIC flag is not
++		 * set, so this check should only be performed if mic_len != 0
++		 * which is the case in this code branch.
++		 */
++		if (!(key_info & WPA_KEY_INFO_MIC)) {
++			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
++				"WPA: Ignore EAPOL-Key with encrypted but unauthenticated data");
++			goto out;
++		}
+ 		if (wpa_supplicant_decrypt_key_data(sm, key, ver, key_data,
+ 						    &key_data_len))
+ 			goto out;

diff --git a/net-wireless/wpa_supplicant/wpa_supplicant-2.6-r9.ebuild b/net-wireless/wpa_supplicant/wpa_supplicant-2.6-r10.ebuild
similarity index 98%
rename from net-wireless/wpa_supplicant/wpa_supplicant-2.6-r9.ebuild
rename to net-wireless/wpa_supplicant/wpa_supplicant-2.6-r10.ebuild
index 19e3fbfe5a0..36a7ffe69b6 100644
--- a/net-wireless/wpa_supplicant/wpa_supplicant-2.6-r9.ebuild
+++ b/net-wireless/wpa_supplicant/wpa_supplicant-2.6-r10.ebuild
@@ -146,6 +146,9 @@ src_prepare() {
 	eapply "${FILESDIR}/2017-1/rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch"
 	eapply "${FILESDIR}/2017-1/rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch"
 
+	# https://w1.fi/security/2018-1/unauthenticated-eapol-key-decryption.txt
+	eapply "${FILESDIR}/rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch"
+
 	# bug (640492)
 	sed -i 's#-Werror ##' wpa_supplicant/Makefile || die
 }

[gentoo-commits] repo/gentoo:master commit in: net-wireless/wpa_supplicant/, net-wireless/wpa_supplicant/files/

[Sam James]

commit:     fd7a5cbd5907d0ca44b418ce6d413a2d02173ab1
Author:     Christopher Byrne <salah.coronya <AT> gmail <DOT> com>
AuthorDate: Sat Feb 22 00:39:22 2025 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Sat Feb 22 23:29:03 2025 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fd7a5cbd

net-wireless/wpa_supplicant: add 2.11

This contains a patch to fix certain brcmfmac adapters. It reverts
commit 41638606054a09867fe3f9a2b5523aa4678cbfa5 "Mark authorization
completed on driver indication during 4-way HS offload".

Bug: https://bugs.gentoo.org/948052
Bug: https://bugs.gentoo.org/937452
Closes: https://bugs.gentoo.org/939007
Signed-off-by: Christopher Byrne <salah.coronya <AT> gmail.com>
Closes: https://github.com/gentoo/gentoo/pull/40693
Signed-off-by: Sam James <sam <AT> gentoo.org>

 net-wireless/wpa_supplicant/Manifest               |   1 +
 ...-authorization-completed-on-driver-indica.patch |  53 +++
 .../wpa_supplicant/wpa_supplicant-2.11.ebuild      | 480 +++++++++++++++++++++
 3 files changed, 534 insertions(+)

diff --git a/net-wireless/wpa_supplicant/Manifest b/net-wireless/wpa_supplicant/Manifest
index 0e445ba324c5..eb1993df7edc 100644
--- a/net-wireless/wpa_supplicant/Manifest
+++ b/net-wireless/wpa_supplicant/Manifest
@@ -1 +1,2 @@
 DIST wpa_supplicant-2.10.tar.gz 3511622 BLAKE2B 7f6045e5dcf24f7ccf1ea75c99541f9d68fadaea858a6ca11a95c997de14e33b3aa89138e748664579b5a4ea493d247cf6613da3c5fae49a4dbb5cd58dace752 SHA512 021c2a48f45d39c1dc6557730be5debaee071bc0ff82a271638beee6e32314e353e49d39e2f0dc8dff6e094dcc7008cfe1c32d0c7a34a1a345a12a3f1c1e11a1
+DIST wpa_supplicant-2.11.tar.gz 3841433 BLAKE2B 71bd0d11cd31eb5bc6beb51caf0f1399856ea188f316d2330053a2d8c81869057811e9f500828e8981eabd0af38f30a18a3ae584d744005c78681c82fa910abf SHA512 9a0a3a9d6fa2235903c40aa57b5955f0c9dd1dccfd0e3825a3b6f92b3e32db8d464b3ea0aef3285ba3ee109e7b190560cedd744902e954f0003cdba543e277b2

diff --git a/net-wireless/wpa_supplicant/files/wpa_supplicant-2.11-Revert-Mark-authorization-completed-on-driver-indica.patch b/net-wireless/wpa_supplicant/files/wpa_supplicant-2.11-Revert-Mark-authorization-completed-on-driver-indica.patch
new file mode 100644
index 000000000000..6d28eea8caf6
--- /dev/null
+++ b/net-wireless/wpa_supplicant/files/wpa_supplicant-2.11-Revert-Mark-authorization-completed-on-driver-indica.patch
@@ -0,0 +1,53 @@
+Bug: https://bugs.gentoo.org/937452
+Bug: https://bugzilla.redhat.com/show_bug.cgi?id=2302577
+
+From 071336247683d82a74f3567abf67a0b37db856ae Mon Sep 17 00:00:00 2001
+From: Christopher Byrne <salah.coronya@gmail.com>
+Date: Fri, 21 Feb 2025 18:58:19 -0600
+Subject: [PATCH] Revert "Mark authorization completed on driver indication
+ during 4-way HS offload"
+
+This reverts commit 41638606054a09867fe3f9a2b5523aa4678cbfa5.
+---
+ wpa_supplicant/events.c | 25 ++++++++-----------------
+ 1 file changed, 8 insertions(+), 17 deletions(-)
+
+diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c
+index 49917f7aa..bbb3a3eda 100644
+--- a/wpa_supplicant/events.c
++++ b/wpa_supplicant/events.c
+@@ -4327,23 +4327,14 @@ static void wpa_supplicant_event_assoc(struct wpa_supplicant *wpa_s,
+ 		eapol_sm_notify_eap_success(wpa_s->eapol, true);
+ 	} else if ((wpa_s->drv_flags & WPA_DRIVER_FLAGS_4WAY_HANDSHAKE_PSK) &&
+ 		   wpa_key_mgmt_wpa_psk(wpa_s->key_mgmt)) {
+-		if (already_authorized) {
+-			/*
+-			 * We are done; the driver will take care of RSN 4-way
+-			 * handshake.
+-			 */
+-			wpa_supplicant_cancel_auth_timeout(wpa_s);
+-			wpa_supplicant_set_state(wpa_s, WPA_COMPLETED);
+-			eapol_sm_notify_portValid(wpa_s->eapol, true);
+-			eapol_sm_notify_eap_success(wpa_s->eapol, true);
+-		} else {
+-			/* Update port, WPA_COMPLETED state from the
+-			 * EVENT_PORT_AUTHORIZED handler when the driver is done
+-			 * with the 4-way handshake.
+-			 */
+-			wpa_msg(wpa_s, MSG_DEBUG,
+-				"ASSOC INFO: wait for driver port authorized indication");
+-		}
++		/*
++		 * We are done; the driver will take care of RSN 4-way
++		 * handshake.
++		 */
++		wpa_supplicant_cancel_auth_timeout(wpa_s);
++		wpa_supplicant_set_state(wpa_s, WPA_COMPLETED);
++		eapol_sm_notify_portValid(wpa_s->eapol, true);
++		eapol_sm_notify_eap_success(wpa_s->eapol, true);
+ 	} else if ((wpa_s->drv_flags & WPA_DRIVER_FLAGS_4WAY_HANDSHAKE_8021X) &&
+ 		   wpa_key_mgmt_wpa_ieee8021x(wpa_s->key_mgmt)) {
+ 		/*
+-- 
+2.45.3
+

diff --git a/net-wireless/wpa_supplicant/wpa_supplicant-2.11.ebuild b/net-wireless/wpa_supplicant/wpa_supplicant-2.11.ebuild
new file mode 100644
index 000000000000..abd9ab422c9b
--- /dev/null
+++ b/net-wireless/wpa_supplicant/wpa_supplicant-2.11.ebuild
@@ -0,0 +1,480 @@
+# Copyright 1999-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit desktop linux-info qmake-utils readme.gentoo-r1 systemd toolchain-funcs
+
+DESCRIPTION="IEEE 802.1X/WPA supplicant for secure wireless transfers"
+HOMEPAGE="https://w1.fi/wpa_supplicant/"
+LICENSE="|| ( GPL-2 BSD )"
+
+if [ "${PV}" = "9999" ]; then
+	inherit git-r3
+	EGIT_REPO_URI="https://w1.fi/hostap.git"
+else
+	KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86"
+	SRC_URI="https://w1.fi/releases/${P}.tar.gz"
+fi
+
+SLOT="0"
+IUSE="ap broadcom-sta dbus eap-sim eapol-test fasteap +fils +hs2-0 macsec +mbo +mesh p2p privsep ps3 qt6 readline selinux smartcard tdls tkip uncommon-eap-types wep wimax wps"
+
+# CONFIG_PRIVSEP=y does not have sufficient support for the new driver
+# interface functions used for MACsec, so this combination cannot be used
+# at least for now. bug #684442
+REQUIRED_USE="
+	macsec? ( !privsep )
+	privsep? ( !macsec )
+	broadcom-sta? ( !fils !mesh !mbo )
+"
+
+DEPEND="
+	>=dev-libs/openssl-1.0.2k:=
+	dbus? ( sys-apps/dbus )
+	kernel_linux? (
+		>=dev-libs/libnl-3.2:3
+		eap-sim? ( sys-apps/pcsc-lite )
+	)
+	!kernel_linux? ( net-libs/libpcap )
+	qt6? (
+		dev-qt/qtbase:6[gui,widgets]
+		dev-qt/qtsvg:6
+	)
+	readline? (
+		sys-libs/ncurses:0=
+		sys-libs/readline:0=
+	)
+"
+RDEPEND="${DEPEND}
+	selinux? ( sec-policy/selinux-networkmanager )
+	kernel_linux? (
+		net-wireless/wireless-regdb
+	)
+"
+BDEPEND="virtual/pkgconfig"
+
+DOC_CONTENTS="
+	If this is a clean installation of wpa_supplicant, you
+	have to create a configuration file named
+	/etc/wpa_supplicant/wpa_supplicant.conf
+	An example configuration file is available for reference in
+	/usr/share/doc/${PF}/
+"
+
+S="${WORKDIR}/${P}/${PN}"
+
+Kconfig_style_config() {
+		#param 1 is CONFIG_* item
+		#param 2 is what to set it = to, defaulting in y
+		CONFIG_PARAM="${CONFIG_HEADER:-CONFIG_}$1"
+		setting="${2:-y}"
+
+		if [ ! $setting = n ]; then
+			#first remove any leading "# " if $2 is not n
+			sed -i "/^# *$CONFIG_PARAM=/s/^# *//" .config || echo "Kconfig_style_config error uncommenting $CONFIG_PARAM"
+			#set item = $setting (defaulting to y)
+			if ! sed -i "/^$CONFIG_PARAM\>/s/=.*/=$setting/" .config; then
+				echo "Kconfig_style_config error setting $CONFIG_PARAM=$setting"
+			fi
+			if [ -z "$( grep ^$CONFIG_PARAM= .config )" ] ; then
+				echo "$CONFIG_PARAM=$setting" >>.config
+			fi
+		else
+			#ensure item commented out
+			if ! sed -i "/^$CONFIG_PARAM\>/s/$CONFIG_PARAM/# $CONFIG_PARAM/" .config; then
+				echo "Kconfig_style_config error commenting $CONFIG_PARAM"
+			fi
+		fi
+}
+
+src_prepare() {
+	default
+
+	# net/bpf.h needed for net-libs/libpcap on Gentoo/FreeBSD
+	sed -i \
+		-e "s:\(#include <pcap\.h>\):#include <net/bpf.h>\n\1:" \
+		../src/l2_packet/l2_packet_freebsd.c || die
+
+	# Change configuration to match Gentoo locations (bug #143750)
+	sed -i \
+		-e "s:/usr/lib/opensc:/usr/$(get_libdir):" \
+		-e "s:/usr/lib/pkcs11:/usr/$(get_libdir):" \
+		wpa_supplicant.conf || die
+
+	# systemd entries to D-Bus service files (bug #372877)
+	echo 'SystemdService=wpa_supplicant.service' \
+		| tee -a dbus/*.service >/dev/null || die
+
+	cd "${WORKDIR}/${P}" || die
+
+	if use wimax; then
+		# generate-libeap-peer.patch comes before
+		# fix-undefined-reference-to-random_get_bytes.patch
+		eapply "${FILESDIR}/${P}-generate-libeap-peer.patch"
+
+		# multilib-strict fix (bug #373685)
+		sed -e "s/\/usr\/lib/\/usr\/$(get_libdir)/" -i src/eap_peer/Makefile || die
+	fi
+
+	# bug (320097)
+	eapply "${FILESDIR}/${PN}-2.6-do-not-call-dbus-functions-with-NULL-path.patch"
+
+	# bug (912315)
+	eapply "${FILESDIR}/${PN}-2.10-allow-legacy-renegotiation.patch"
+
+	# bug (948052)
+	eapply "${FILESDIR}/${PN}-2.10-use-qt6.patch"
+
+	# bug (937452)
+	eapply "${FILESDIR}/${PN}-2.11-Revert-Mark-authorization-completed-on-driver-indica.patch"
+
+	# bug (640492)
+	sed -i 's#-Werror ##' wpa_supplicant/Makefile || die
+}
+
+src_configure() {
+	# Toolchain setup
+	tc-export CC PKG_CONFIG
+
+	cp defconfig .config || die
+
+	# Basic setup
+	Kconfig_style_config CTRL_IFACE
+	Kconfig_style_config MATCH_IFACE
+	Kconfig_style_config BACKEND file
+	Kconfig_style_config IBSS_RSN
+	Kconfig_style_config IEEE80211W
+	Kconfig_style_config IEEE80211R
+	Kconfig_style_config HT_OVERRIDES
+	Kconfig_style_config VHT_OVERRIDES
+	Kconfig_style_config OCV
+	Kconfig_style_config TLSV11
+	Kconfig_style_config TLSV12
+	Kconfig_style_config GETRANDOM
+
+	# Basic authentication methods
+	# NOTE: we don't set GPSK or SAKE as they conflict
+	# with the below options
+	Kconfig_style_config EAP_GTC
+	Kconfig_style_config EAP_MD5
+	Kconfig_style_config EAP_OTP
+	Kconfig_style_config EAP_PAX
+	Kconfig_style_config EAP_PSK
+	Kconfig_style_config EAP_TLV
+	Kconfig_style_config EAP_EXE
+	Kconfig_style_config IEEE8021X_EAPOL
+	Kconfig_style_config PKCS12
+	Kconfig_style_config PEERKEY
+	Kconfig_style_config EAP_LEAP
+	Kconfig_style_config EAP_MSCHAPV2
+	Kconfig_style_config EAP_PEAP
+	Kconfig_style_config EAP_TEAP
+	Kconfig_style_config EAP_TLS
+	Kconfig_style_config EAP_TTLS
+
+	# Enabling background scanning.
+	Kconfig_style_config BGSCAN_SIMPLE
+	Kconfig_style_config BGSCAN_LEARN
+
+	if use dbus ; then
+		Kconfig_style_config CTRL_IFACE_DBUS
+		Kconfig_style_config CTRL_IFACE_DBUS_NEW
+		Kconfig_style_config CTRL_IFACE_DBUS_INTRO
+	else
+		Kconfig_style_config CTRL_IFACE_DBUS n
+		Kconfig_style_config CTRL_IFACE_DBUS_NEW n
+		Kconfig_style_config CTRL_IFACE_DBUS_INTRO n
+	fi
+
+	if use eapol-test ; then
+		Kconfig_style_config EAPOL_TEST
+	fi
+
+	# Enable support for writing debug info to a log file and syslog.
+	Kconfig_style_config DEBUG_FILE
+	Kconfig_style_config DEBUG_SYSLOG
+
+	if use hs2-0 ; then
+		Kconfig_style_config INTERWORKING
+		Kconfig_style_config HS20
+	fi
+
+	if use mbo ; then
+		Kconfig_style_config MBO
+	else
+		Kconfig_style_config MBO n
+	fi
+
+	if use uncommon-eap-types; then
+		Kconfig_style_config EAP_GPSK
+		Kconfig_style_config EAP_SAKE
+		Kconfig_style_config EAP_GPSK_SHA256
+		Kconfig_style_config EAP_IKEV2
+		Kconfig_style_config EAP_EKE
+	fi
+
+	if use eap-sim ; then
+		# Smart card authentication
+		Kconfig_style_config EAP_SIM
+		Kconfig_style_config EAP_AKA
+		Kconfig_style_config EAP_AKA_PRIME
+		Kconfig_style_config PCSC
+	fi
+
+	if use fasteap ; then
+		Kconfig_style_config EAP_FAST
+	fi
+
+	if use readline ; then
+		# readline/history support for wpa_cli
+		Kconfig_style_config READLINE
+	else
+		#internal line edit mode for wpa_cli
+		Kconfig_style_config WPA_CLI_EDIT
+	fi
+
+	Kconfig_style_config TLS openssl
+	Kconfig_style_config FST
+
+	Kconfig_style_config EAP_PWD
+	if use fils; then
+		Kconfig_style_config FILS
+		Kconfig_style_config FILS_SK_PFS
+	fi
+	if use mesh; then
+		Kconfig_style_config MESH
+	else
+		Kconfig_style_config MESH n
+	fi
+	# WPA3
+	Kconfig_style_config OWE
+	Kconfig_style_config SAE
+	Kconfig_style_config DPP
+	Kconfig_style_config DPP2
+	Kconfig_style_config SUITEB192
+	Kconfig_style_config SUITEB
+
+	if use wep ; then
+		Kconfig_style_config WEP
+	else
+		Kconfig_style_config WEP n
+	fi
+
+	# Watch out, reversed logic
+	if use tkip ; then
+		Kconfig_style_config NO_TKIP n
+	else
+		Kconfig_style_config NO_TKIP
+	fi
+
+	if use smartcard ; then
+		Kconfig_style_config SMARTCARD
+	else
+		Kconfig_style_config SMARTCARD n
+	fi
+
+	if use tdls ; then
+		Kconfig_style_config TDLS
+	fi
+
+	if use kernel_linux ; then
+		# Linux specific drivers
+		Kconfig_style_config DRIVER_ATMEL
+		Kconfig_style_config DRIVER_HOSTAP
+		Kconfig_style_config DRIVER_IPW
+		Kconfig_style_config DRIVER_NL80211
+		Kconfig_style_config DRIVER_RALINK
+		Kconfig_style_config DRIVER_WEXT
+		Kconfig_style_config DRIVER_WIRED
+
+		if use macsec ; then
+			#requires something, no idea what
+			#Kconfig_style_config DRIVER_MACSEC_QCA
+			Kconfig_style_config DRIVER_MACSEC_LINUX
+			Kconfig_style_config MACSEC
+		else
+			# bug #831369 and bug #684442
+			Kconfig_style_config DRIVER_MACSEC_LINUX n
+			Kconfig_style_config MACSEC n
+		fi
+
+		if use ps3 ; then
+			Kconfig_style_config DRIVER_PS3
+		fi
+	fi
+
+	# Wi-Fi Protected Setup (WPS)
+	if use wps ; then
+		Kconfig_style_config WPS
+		Kconfig_style_config WPS2
+		# USB Flash Drive
+		Kconfig_style_config WPS_UFD
+		# External Registrar
+		Kconfig_style_config WPS_ER
+		# Universal Plug'n'Play
+		Kconfig_style_config WPS_UPNP
+		# Near Field Communication
+		Kconfig_style_config WPS_NFC
+	else
+		Kconfig_style_config WPS n
+		Kconfig_style_config WPS2 n
+		Kconfig_style_config WPS_UFD n
+		Kconfig_style_config WPS_ER n
+		Kconfig_style_config WPS_UPNP n
+		Kconfig_style_config WPS_NFC n
+	fi
+
+	# Wi-Fi Direct (WiDi)
+	if use p2p ; then
+		Kconfig_style_config P2P
+		Kconfig_style_config WIFI_DISPLAY
+	else
+		Kconfig_style_config P2P n
+		Kconfig_style_config WIFI_DISPLAY n
+	fi
+
+	# Access Point Mode
+	if use ap ; then
+		Kconfig_style_config AP
+	else
+		Kconfig_style_config AP n
+	fi
+
+	# Enable essentials for AP/P2P
+	if use ap || use p2p ; then
+		# Enabling HT support (802.11n)
+		Kconfig_style_config IEEE80211N
+
+		# Enabling VHT support (802.11ac)
+		Kconfig_style_config IEEE80211AC
+	fi
+
+	# Enable mitigation against certain attacks against TKIP
+	Kconfig_style_config DELAYED_MIC_ERROR_REPORT
+
+	if use privsep ; then
+		Kconfig_style_config PRIVSEP
+	fi
+
+	if use kernel_linux ; then
+		Kconfig_style_config LIBNL32
+	fi
+
+	if use qt6 ; then
+		pushd "${S}"/wpa_gui-qt4 > /dev/null || die
+		eqmake6 wpa_gui.pro
+		popd > /dev/null || die
+	fi
+}
+
+src_compile() {
+	einfo "Building wpa_supplicant"
+	emake V=1 BINDIR=/usr/sbin
+
+	if use wimax; then
+		emake -C ../src/eap_peer clean
+		emake -C ../src/eap_peer
+	fi
+
+	if use qt6; then
+		einfo "Building wpa_gui"
+		emake -C "${S}"/wpa_gui-qt4
+	fi
+
+	if use eapol-test ; then
+		emake eapol_test
+	fi
+}
+
+src_install() {
+	dosbin wpa_supplicant
+	use privsep && dosbin wpa_priv
+	dobin wpa_cli wpa_passphrase
+
+	newinitd "${FILESDIR}/${PN}-init.d" wpa_supplicant
+	newconfd "${FILESDIR}/${PN}-conf.d" wpa_supplicant
+
+	exeinto /etc/wpa_supplicant/
+	newexe "${FILESDIR}/wpa_cli-r1.sh" wpa_cli.sh
+
+	readme.gentoo_create_doc
+	dodoc ChangeLog {eap_testing,todo}.txt README{,-WPS} \
+		wpa_supplicant.conf
+
+	newdoc .config build-config
+
+	if [ "${PV}" != "9999" ]; then
+		doman doc/docbook/*.{5,8}
+	fi
+
+	if use qt6 ; then
+		into /usr
+		dobin wpa_gui-qt4/wpa_gui
+		doicon wpa_gui-qt4/icons/wpa_gui.svg
+		domenu wpa_gui-qt4/wpa_gui.desktop
+	else
+		rm "${ED}"/usr/share/man/man8/wpa_gui.8
+	fi
+
+	use wimax && emake DESTDIR="${D}" -C ../src/eap_peer install
+
+	if use dbus ; then
+		pushd "${S}"/dbus > /dev/null || die
+		insinto /etc/dbus-1/system.d
+		newins dbus-wpa_supplicant.conf wpa_supplicant.conf
+		insinto /usr/share/dbus-1/system-services
+		doins fi.w1.wpa_supplicant1.service
+		popd > /dev/null || die
+
+		# This unit relies on dbus support, bug 538600.
+		systemd_dounit systemd/wpa_supplicant.service
+	fi
+
+	if use eapol-test ; then
+		dobin eapol_test
+	fi
+
+	systemd_dounit "systemd/wpa_supplicant@.service"
+	systemd_dounit "systemd/wpa_supplicant-nl80211@.service"
+	systemd_dounit "systemd/wpa_supplicant-wired@.service"
+}
+
+pkg_postinst() {
+	readme.gentoo_print_elog
+
+	if [[ -e "${EROOT}"/etc/wpa_supplicant.conf ]] ; then
+		echo
+		ewarn "WARNING: your old configuration file ${EROOT}/etc/wpa_supplicant.conf"
+		ewarn "needs to be moved to ${EROOT}/etc/wpa_supplicant/wpa_supplicant.conf"
+	fi
+	if ! use wep; then
+		einfo "WARNING: You are building with WEP support disabled, which is recommended since"
+		einfo "this protocol is deprecated and insecure.  If you still need to connect to"
+		einfo "WEP-enabled networks, you may turn this flag back on.  With this flag off,"
+		einfo "WEP-enabled networks will not even show up as available."
+		einfo "If your network is missing you may wish to USE=wep"
+	fi
+	if ! use tkip; then
+		ewarn "WARNING: You are building with TKIP support disabled, which is recommended since"
+		ewarn "this protocol is deprecated and insecure.  If you still need to connect to"
+		ewarn "TKIP-enabled networks, you may turn this flag back on.  With this flag off,"
+		ewarn "TKIP-enabled networks, including mixed mode TKIP/AES-CCMP will not even show up"
+		ewarn "as available.  If your network is missing you may wish to USE=tkip"
+	fi
+
+	# Mea culpa, feel free to remove that after some time --mgorny.
+	local fn
+	for fn in wpa_supplicant{,@wlan0}.service; do
+		if [[ -e "${EROOT}"/etc/systemd/system/network.target.wants/${fn} ]]
+		then
+			ebegin "Moving ${fn} to multi-user.target"
+			mv "${EROOT}"/etc/systemd/system/network.target.wants/${fn} \
+				"${EROOT}"/etc/systemd/system/multi-user.target.wants/ || die
+			eend ${?} \
+				"Please try to re-enable ${fn}"
+		fi
+	done
+
+	systemd_reenable wpa_supplicant.service
+}