
From: Rick Farina <zerochaos@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: net-wireless/wpa_supplicant/, net-wireless/wpa_supplicant/files/
Date: Tue, 04 Dec 2018 01:40:22
Message-Id: 1543887550.696f3772a422e25bd62e69d497717985d1fe295d.zerochaos@gentoo
1 commit: 696f3772a422e25bd62e69d497717985d1fe295d
2 Author: Craig Andrews <candrews <AT> gentoo <DOT> org>
3 AuthorDate: Mon Dec 3 20:21:11 2018 +0000
4 Commit: Rick Farina <zerochaos <AT> gentoo <DOT> org>
5 CommitDate: Tue Dec 4 01:39:10 2018 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=696f3772
7
8 net-wireless/wpa_supplicant: Fix EAP-TLS with OpenSSL 1.1
9
10 Closes: https://bugs.gentoo.org/671006
11 Package-Manager: Portage-2.3.52, Repoman-2.3.12
12 Signed-off-by: Craig Andrews <candrews <AT> gentoo.org>
13 Signed-off-by: Rick Farina <zerochaos <AT> gentoo.org>
14
15 .../files/wpa_supplicant-2.6-openssl-1.1.patch | 48 +++
16 .../wpa_supplicant/wpa_supplicant-2.6-r9.ebuild | 460 +++++++++++++++++++++
17 2 files changed, 508 insertions(+)
18
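diff --git a/net-wireless/wpa_supplicant/files/wpa_supplicant-2.6-openssl-1.1.patch b/net-wireless/wpa_supplicant/files/wpa_supplicant-2.6-openssl-1.1.patch
new file mode 100644
index 00000000000..1e2335f34c0
--- /dev/null
+++ b/net-wireless/wpa_supplicant/files/wpa_supplicant-2.6-openssl-1.1.patch
@@ -0,0 +1,48 @@
+From f665c93e1d28fbab3d9127a8c3985cc32940824f Mon Sep 17 00:00:00 2001
+From: Beniamino Galvani <bgalvani@××××××.com>
+Date: Sun, 9 Jul 2017 11:14:10 +0200
+Subject: OpenSSL: Fix private key password handling with OpenSSL >= 1.1.0f
+
+Since OpenSSL version 1.1.0f, SSL_use_PrivateKey_file() uses the
+callback from the SSL object instead of the one from the CTX, so let's
+set the callback on both SSL and CTX. Note that
+SSL_set_default_passwd_cb*() is available only in 1.1.0.
+
+Signed-off-by: Beniamino Galvani <bgalvani@××××××.com>
+---
+ src/crypto/tls_openssl.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
+index fd94eaf..c790b53 100644
+--- a/src/crypto/tls_openssl.c
++++ b/src/crypto/tls_openssl.c
+@@ -2796,6 +2796,15 @@ static int tls_connection_private_key(struct tls_data *data,
+ } else
+ passwd = NULL;
+
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
++ /*
++ * In OpenSSL >= 1.1.0f SSL_use_PrivateKey_file() uses the callback
++ * from the SSL object. See OpenSSL commit d61461a75253.
++ */
++ SSL_set_default_passwd_cb(conn->ssl, tls_passwd_cb);
++ SSL_set_default_passwd_cb_userdata(conn->ssl, passwd);
++#endif /* >= 1.1.0f && !LibreSSL */
++ /* Keep these for OpenSSL < 1.1.0f */
+ SSL_CTX_set_default_passwd_cb(ssl_ctx, tls_passwd_cb);
+ SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, passwd);
+
+@@ -2886,6 +2895,9 @@ static int tls_connection_private_key(struct tls_data *data,
+ return -1;
+ }
+ ERR_clear_error();
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
++ SSL_set_default_passwd_cb(conn->ssl, NULL);
++#endif /* >= 1.1.0f && !LibreSSL */
+ SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL);
+ os_free(passwd);
+
+--
+cgit v0.12
+
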
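Review bot: In the second hunk of the embedded patch, `SSL_set_default_passwd_cb(conn->ssl, NULL);` resets the callback but not the userdata installed in the first hunk with `SSL_set_default_passwd_cb_userdata(conn->ssl, passwd);`, and the following line `os_free(passwd);` frees that buffer, so the SSL object is left holding a dangling userdata pointer. With a NULL callback OpenSSL falls back to its default PEM password callback, which as far as I recall treats non-NULL userdata as the password string, so a later password-protected load on the same connection could read freed memory; the pre-existing CTX path has the same shape, so this is not introduced here, but the backport is the place to add `SSL_set_default_passwd_cb_userdata(conn->ssl, NULL);` next to the reset. The enclosing tls_connection_private_key() starts and ends outside both hunks.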
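diff --git a/net-wireless/wpa_supplicant/wpa_supplicant-2.6-r9.ebuild b/net-wireless/wpa_supplicant/wpa_supplicant-2.6-r9.ebuild
new file mode 100644
index 00000000000..19e3fbfe5a0
--- /dev/null
+++ b/net-wireless/wpa_supplicant/wpa_supplicant-2.6-r9.ebuild
@@ -0,0 +1,460 @@
+# Copyright 1999-2018 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+inherit eutils qmake-utils systemd toolchain-funcs readme.gentoo-r1
+
+DESCRIPTION="IEEE 802.1X/WPA supplicant for secure wireless transfers"
+HOMEPAGE="https://w1.fi/wpa_supplicant/"
+SRC_URI="https://w1.fi/releases/${P}.tar.gz"
+LICENSE="|| ( GPL-2 BSD )"
+
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86 ~x86-fbsd"
+IUSE="ap bindist dbus eap-sim eapol_test fasteap gnutls +hs2-0 libressl p2p privsep ps3 qt5 readline selinux smartcard ssl suiteb tdls uncommon-eap-types wimax wps kernel_linux kernel_FreeBSD"
+REQUIRED_USE="smartcard? ( ssl )"
+
+CDEPEND="dbus? ( sys-apps/dbus )
+ kernel_linux? (
+ dev-libs/libnl:3
+ net-wireless/crda
+ eap-sim? ( sys-apps/pcsc-lite )
+ )
+ !kernel_linux? ( net-libs/libpcap )
+ qt5? (
+ dev-qt/qtcore:5
+ dev-qt/qtgui:5
+ dev-qt/qtsvg:5
+ dev-qt/qtwidgets:5
+ )
+ readline? (
+ sys-libs/ncurses:0=
+ sys-libs/readline:0=
+ )
+ ssl? (
+ gnutls? (
+ dev-libs/libgcrypt:0=
+ net-libs/gnutls:=
+ )
+ !gnutls? (
+ !libressl? ( >=dev-libs/openssl-1.0.2k:0=[bindist=] )
+ libressl? ( dev-libs/libressl:0= )
+ )
+ )
+ !ssl? ( dev-libs/libtommath )
+"
+DEPEND="${CDEPEND}
+ virtual/pkgconfig
+"
+RDEPEND="${CDEPEND}
+ selinux? ( sec-policy/selinux-networkmanager )
+"
+
+DOC_CONTENTS="
+ If this is a clean installation of wpa_supplicant, you
+ have to create a configuration file named
+ ${EROOT%/}/etc/wpa_supplicant/wpa_supplicant.conf
+ An example configuration file is available for reference in
+ ${EROOT%/}/usr/share/doc/${PF}/
+"
+
+S="${WORKDIR}/${P}/${PN}"
+
+Kconfig_style_config() {
+ #param 1 is CONFIG_* item
+ #param 2 is what to set it = to, defaulting in y
+ CONFIG_PARAM="${CONFIG_HEADER:-CONFIG_}$1"
+ setting="${2:-y}"
+
+ if [ ! $setting = n ]; then
+ #first remove any leading "# " if $2 is not n
+ sed -i "/^# *$CONFIG_PARAM=/s/^# *//" .config || echo "Kconfig_style_config error uncommenting $CONFIG_PARAM"
+ #set item = $setting (defaulting to y)
+ sed -i "/^$CONFIG_PARAM/s/=.*/=$setting/" .config || echo "Kconfig_style_config error setting $CONFIG_PARAM=$setting"
+ if [ -z "$( grep ^$CONFIG_PARAM= .config )" ] ; then
+ echo "$CONFIG_PARAM=$setting" >>.config
+ fi
+ else
+ #ensure item commented out
+ sed -i "/^$CONFIG_PARAM/s/$CONFIG_PARAM/# $CONFIG_PARAM/" .config || echo "Kconfig_style_config error commenting $CONFIG_PARAM"
+ fi
+}
+
+pkg_setup() {
+ if use ssl ; then
+ if use gnutls && use libressl ; then
+ elog "You have both 'gnutls' and 'libressl' USE flags enabled: defaulting to USE=\"gnutls\""
+ fi
+ else
+ elog "You have 'ssl' USE flag disabled: defaulting to internal TLS implementation"
+ fi
+}
+
+src_prepare() {
+ default
+
+ # net/bpf.h needed for net-libs/libpcap on Gentoo/FreeBSD
+ sed -i \
+ -e "s:\(#include <pcap\.h>\):#include <net/bpf.h>\n\1:" \
+ ../src/l2_packet/l2_packet_freebsd.c || die
+
+ # People seem to take the example configuration file too literally (bug #102361)
+ sed -i \
+ -e "s:^\(opensc_engine_path\):#\1:" \
+ -e "s:^\(pkcs11_engine_path\):#\1:" \
+ -e "s:^\(pkcs11_module_path\):#\1:" \
+ wpa_supplicant.conf || die
+
+ # Change configuration to match Gentoo locations (bug #143750)
+ sed -i \
+ -e "s:/usr/lib/opensc:/usr/$(get_libdir):" \
+ -e "s:/usr/lib/pkcs11:/usr/$(get_libdir):" \
+ wpa_supplicant.conf || die
+
+ # systemd entries to D-Bus service files (bug #372877)
+ echo 'SystemdService=wpa_supplicant.service' \
+ | tee -a dbus/*.service >/dev/null || die
+
+ cd "${WORKDIR}/${P}" || die
+
+ if use wimax; then
+ # generate-libeap-peer.patch comes before
+ # fix-undefined-reference-to-random_get_bytes.patch
+ eapply "${FILESDIR}/${P}-generate-libeap-peer.patch"
+
+ # multilib-strict fix (bug #373685)
+ sed -e "s/\/usr\/lib/\/usr\/$(get_libdir)/" -i src/eap_peer/Makefile || die
+ fi
+
+ # bug (320097)
+ eapply "${FILESDIR}/${P}-do-not-call-dbus-functions-with-NULL-path.patch"
+
+ # bug (596332 & 651314)
+ eapply "${FILESDIR}/${P}-libressl-compatibility.patch"
+
+ # bug (671006)
+ eapply "${FILESDIR}/${P}-openssl-1.1.patch"
+
+ # https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
+ eapply "${FILESDIR}/2017-1/rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch"
+ eapply "${FILESDIR}/2017-1/rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch"
+ eapply "${FILESDIR}/2017-1/rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch"
+ eapply "${FILESDIR}/2017-1/rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch"
+ eapply "${FILESDIR}/2017-1/rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch"
+ eapply "${FILESDIR}/2017-1/rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch"
+ eapply "${FILESDIR}/2017-1/rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch"
+ eapply "${FILESDIR}/2017-1/rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch"
+
+ # bug (640492)
+ sed -i 's#-Werror ##' wpa_supplicant/Makefile || die
+}
+
+src_configure() {
+ # Toolchain setup
+ tc-export CC
+
+ cp defconfig .config || die
+
+ # Basic setup
+ Kconfig_style_config CTRL_IFACE
+ Kconfig_style_config MATCH_IFACE
+ Kconfig_style_config BACKEND file
+ Kconfig_style_config IBSS_RSN
+ Kconfig_style_config IEEE80211W
+ Kconfig_style_config IEEE80211R
+
+ # Basic authentication methods
+ # NOTE: we don't set GPSK or SAKE as they conflict
+ # with the below options
+ Kconfig_style_config EAP_GTC
+ Kconfig_style_config EAP_MD5
+ Kconfig_style_config EAP_OTP
+ Kconfig_style_config EAP_PAX
+ Kconfig_style_config EAP_PSK
+ Kconfig_style_config EAP_TLV
+ Kconfig_style_config EAP_EXE
+ Kconfig_style_config IEEE8021X_EAPOL
+ Kconfig_style_config PKCS12
+ Kconfig_style_config PEERKEY
+ Kconfig_style_config EAP_LEAP
+ Kconfig_style_config EAP_MSCHAPV2
+ Kconfig_style_config EAP_PEAP
+ Kconfig_style_config EAP_TLS
+ Kconfig_style_config EAP_TTLS
+
+ # Enabling background scanning.
+ Kconfig_style_config BGSCAN_SIMPLE
+ Kconfig_style_config BGSCAN_LEARN
+
+ if use dbus ; then
+ Kconfig_style_config CTRL_IFACE_DBUS
+ Kconfig_style_config CTRL_IFACE_DBUS_NEW
+ Kconfig_style_config CTRL_IFACE_DBUS_INTRO
+ fi
+
+ if use eapol_test ; then
+ Kconfig_style_config EAPOL_TEST
+ fi
+
+ # Enable support for writing debug info to a log file and syslog.
+ Kconfig_style_config DEBUG_FILE
+ Kconfig_style_config DEBUG_SYSLOG
+
+ if use hs2-0 ; then
+ Kconfig_style_config INTERWORKING
+ Kconfig_style_config HS20
+ fi
+
+ if use uncommon-eap-types; then
+ Kconfig_style_config EAP_GPSK
+ Kconfig_style_config EAP_SAKE
+ Kconfig_style_config EAP_GPSK_SHA256
+ Kconfig_style_config EAP_IKEV2
+ Kconfig_style_config EAP_EKE
+ fi
+
+ if use eap-sim ; then
+ # Smart card authentication
+ Kconfig_style_config EAP_SIM
+ Kconfig_style_config EAP_AKA
+ Kconfig_style_config EAP_AKA_PRIME
+ Kconfig_style_config PCSC
+ fi
+
+ if use fasteap ; then
+ Kconfig_style_config EAP_FAST
+ fi
+
+ if use readline ; then
+ # readline/history support for wpa_cli
+ Kconfig_style_config READLINE
+ else
+ #internal line edit mode for wpa_cli
+ Kconfig_style_config WPA_CLI_EDIT
+ fi
+
+ if use suiteb; then
+ Kconfig_style_config SUITEB
+ fi
+
+ # SSL authentication methods
+ if use ssl ; then
+ if use gnutls ; then
+ Kconfig_style_config TLS gnutls
+ Kconfig_style_config GNUTLS_EXTRA
+ else
+ #this fails for gnutls
+ Kconfig_style_config SUITEB192
+ Kconfig_style_config TLS openssl
+ if ! use bindist; then
+ #this fails for gnutls
+ Kconfig_style_config EAP_PWD
+ # SAE fails on gnutls and everything below here needs SAE
+ # Enabling mesh networks.
+ Kconfig_style_config MESH
+ #WPA3
+ Kconfig_style_config OWE
+ Kconfig_style_config SAE
+ #we also need to disable FILS, except that isn't enabled yet
+ fi
+
+ fi
+ else
+ Kconfig_style_config TLS internal
+ fi
+
+ if use smartcard ; then
+ Kconfig_style_config SMARTCARD
+ fi
+
+ if use tdls ; then
+ Kconfig_style_config TDLS
+ fi
+
+ if use kernel_linux ; then
+ # Linux specific drivers
+ Kconfig_style_config DRIVER_ATMEL
+ Kconfig_style_config DRIVER_HOSTAP
+ Kconfig_style_config DRIVER_IPW
+ Kconfig_style_config DRIVER_NL80211
+ Kconfig_style_config DRIVER_RALINK
+ Kconfig_style_config DRIVER_WEXT
+ Kconfig_style_config DRIVER_WIRED
+
+ if use ps3 ; then
+ Kconfig_style_config DRIVER_PS3
+ fi
+
+ elif use kernel_FreeBSD ; then
+ # FreeBSD specific driver
+ Kconfig_style_config DRIVER_BSD
+ fi
+
+ # Wi-Fi Protected Setup (WPS)
+ if use wps ; then
+ Kconfig_style_config WPS
+ Kconfig_style_config WPS2
+ # USB Flash Drive
+ Kconfig_style_config WPS_UFD
+ # External Registrar
+ Kconfig_style_config WPS_ER
+ # Universal Plug'n'Play
+ Kconfig_style_config WPS_UPNP
+ # Near Field Communication
+ Kconfig_style_config WPS_NFC
+ fi
+
+ # Wi-Fi Direct (WiDi)
+ if use p2p ; then
+ Kconfig_style_config P2P
+ Kconfig_style_config WIFI_DISPLAY
+ fi
+
+ # Access Point Mode
+ if use ap ; then
+ Kconfig_style_config AP
+ fi
+
+ # Enable essentials for AP/P2P
+ if use ap || use p2p ; then
+ # Enabling HT support (802.11n)
+ Kconfig_style_config IEEE80211N
+
+ # Enabling VHT support (802.11ac)
+ Kconfig_style_config IEEE80211AC
+ fi
+
+ # Enable mitigation against certain attacks against TKIP
+ Kconfig_style_config DELAYED_MIC_ERROR_REPORT
+
+ if use privsep ; then
+ Kconfig_style_config PRIVSEP
+ fi
+
+ # If we are using libnl 2.0 and above, enable support for it
+ # Bug 382159
+ # Removed for now, since the 3.2 version is broken, and we don't
+ # support it.
+ if has_version ">=dev-libs/libnl-3.2"; then
+ Kconfig_style_config LIBNL32
+ fi
+
+ if use qt5 ; then
+ pushd "${S}"/wpa_gui-qt4 > /dev/null || die
+ eqmake5 wpa_gui.pro
+ popd > /dev/null || die
+ fi
+}
+
+src_compile() {
+ einfo "Building wpa_supplicant"
+ emake V=1 BINDIR=/usr/sbin
+
+ if use wimax; then
+ emake -C ../src/eap_peer clean
+ emake -C ../src/eap_peer
+ fi
+
+ if use qt5; then
+ einfo "Building wpa_gui"
+ emake -C "${S}"/wpa_gui-qt4
+ fi
+
+ if use eapol_test ; then
+ emake eapol_test
+ fi
+}
+
+src_install() {
+ dosbin wpa_supplicant
+ use privsep && dosbin wpa_priv
+ dobin wpa_cli wpa_passphrase
+
+ # baselayout-1 compat
+ if has_version "<sys-apps/baselayout-2.0.0"; then
+ dodir /sbin
+ dosym ../usr/sbin/wpa_supplicant /sbin/wpa_supplicant
+ dodir /bin
+ dosym ../usr/bin/wpa_cli /bin/wpa_cli
+ fi
+
+ if has_version ">=sys-apps/openrc-0.5.0"; then
+ newinitd "${FILESDIR}/${PN}-init.d" wpa_supplicant
+ newconfd "${FILESDIR}/${PN}-conf.d" wpa_supplicant
+ fi
+
+ exeinto /etc/wpa_supplicant/
+ newexe "${FILESDIR}/wpa_cli.sh" wpa_cli.sh
+
+ readme.gentoo_create_doc
+ dodoc ChangeLog {eap_testing,todo}.txt README{,-WPS} \
+ wpa_supplicant.conf
+
+ newdoc .config build-config
+
+ doman doc/docbook/*.{5,8}
+
+ if use qt5 ; then
+ into /usr
+ dobin wpa_gui-qt4/wpa_gui
+ doicon wpa_gui-qt4/icons/wpa_gui.svg
+ make_desktop_entry wpa_gui "WPA Supplicant Administration GUI" "wpa_gui" "Qt;Network;"
+ else
+ rm "${ED}"/usr/share/man/man8/wpa_gui.8
+ fi
+
+ use wimax && emake DESTDIR="${D}" -C ../src/eap_peer install
+
+ if use dbus ; then
+ pushd "${S}"/dbus > /dev/null || die
+ insinto /etc/dbus-1/system.d
+ newins dbus-wpa_supplicant.conf wpa_supplicant.conf
+ insinto /usr/share/dbus-1/system-services
+ doins fi.epitest.hostap.WPASupplicant.service fi.w1.wpa_supplicant1.service
+ popd > /dev/null || die
+
+ # This unit relies on dbus support, bug 538600.
+ systemd_dounit systemd/wpa_supplicant.service
+ fi
+
+ if use eapol_test ; then
+ dobin eapol_test
+ fi
+
+ systemd_dounit "systemd/wpa_supplicant@.service"
+ systemd_dounit "systemd/wpa_supplicant-nl80211@.service"
+ systemd_dounit "systemd/wpa_supplicant-wired@.service"
+}
+
+pkg_postinst() {
+ readme.gentoo_print_elog
+
+ if [[ -e "${EROOT%/}"/etc/wpa_supplicant.conf ]] ; then
+ echo
+ ewarn "WARNING: your old configuration file ${EROOT%/}/etc/wpa_supplicant.conf"
+ ewarn "needs to be moved to ${EROOT%/}/etc/wpa_supplicant/wpa_supplicant.conf"
+ fi
+
+ if use bindist || use gnutls; then
+ if ! use libressl; then
+ ewarn "Using bindist or gnutls use flags presently breaks WPA3 (specifically SAE and OWE)."
+ ewarn "This is incredibly undesirable"
+ fi
+ fi
+
+ # Mea culpa, feel free to remove that after some time --mgorny.
+ local fn
+ for fn in wpa_supplicant{,@wlan0}.service; do
+ if [[ -e "${EROOT%/}"/etc/systemd/system/network.target.wants/${fn} ]]
+ then
+ ebegin "Moving ${fn} to multi-user.target"
+ mv "${EROOT%/}"/etc/systemd/system/network.target.wants/${fn} \
+ "${EROOT%/}"/etc/systemd/system/multi-user.target.wants/ || die
+ eend ${?} \
+ "Please try to re-enable ${fn}"
+ fi
+ done
+
+ systemd_reenable wpa_supplicant.service
+}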
533 + eend ${?} \
534 + "Please try to re-enable ${fn}"
535 + fi
536 + done
537 +
538 + systemd_reenable wpa_supplicant.service
539 +}