summary refs log tree commit diff
path: root/pkgs/os-specific/linux/wpa_supplicant/default.nix
diff options
context:
space:
mode:
Diffstat (limited to 'pkgs/os-specific/linux/wpa_supplicant/default.nix')
-rw-r--r--pkgs/os-specific/linux/wpa_supplicant/default.nix61
1 files changed, 48 insertions, 13 deletions
diff --git a/pkgs/os-specific/linux/wpa_supplicant/default.nix b/pkgs/os-specific/linux/wpa_supplicant/default.nix
index 5cd440bcdfc..1dbe281e096 100644
--- a/pkgs/os-specific/linux/wpa_supplicant/default.nix
+++ b/pkgs/os-specific/linux/wpa_supplicant/default.nix
@@ -1,8 +1,11 @@
-{ stdenv, fetchurl, openssl, pkgconfig, libnl
-, dbus, readline ? null, pcsclite ? null
+{ lib, stdenv, fetchurl, fetchpatch, openssl, pkg-config, libnl
+, withDbus ? true, dbus
+, withReadline ? true, readline
+, withPcsclite ? true, pcsclite
+, readOnlyModeSSIDs ? false
 }:
 
-with stdenv.lib;
+with lib;
 stdenv.mkDerivation rec {
   version = "2.9";
 
@@ -19,6 +22,33 @@ stdenv.mkDerivation rec {
       url = "https://w1.fi/security/2019-7/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch";
       sha256 = "15xjyy7crb557wxpx898b5lnyblxghlij0xby5lmj9hpwwss34dz";
     })
+    (fetchpatch {
+      # Expose OWE key management capability over DBus, remove >= 2.10
+      name = "dbus-Export-OWE-capability-and-OWE-BSS-key_mgmt.patch";
+      url = "https://w1.fi/cgit/hostap/patch/?id=7800725afb27397f7d6033d4969e2aeb61af4737";
+      sha256 = "0c1la7inf4m5y9gzdjjdnhpkx32pm8vi6m5knih8p77q4mbrdgg8";
+    })
+    # P2P: Fix copying of secondary device types for P2P group client (https://w1.fi/security/2020-2/)
+    (fetchurl {
+      name = "CVE-2021-0326.patch";
+      url = "https://w1.fi/security/2020-2/0001-P2P-Fix-copying-of-secondary-device-types-for-P2P-gr.patch";
+      sha256 = "19f4hx0p547mdx8y8arb3vclwyy4w9c8a6a40ryj7q33730mrmn4";
+    })
+    # P2P: Fix a corner case in peer addition based on PD Request (https://w1.fi/security/2021-1/)
+    (fetchurl {
+      name = "CVE-2021-27803.patch";
+      url = "https://w1.fi/security/2021-1/0001-P2P-Fix-a-corner-case-in-peer-addition-based-on-PD-R.patch";
+      sha256 = "04cnds7hmbqc44jasabjvrdnh66i5hwvk2h2m5z94pmgbzncyh3z";
+    })
+    # In wpa_supplicant and hostapd 2.9, forging attacks may occur because AlgorithmIdentifier parameters are mishandled in tls/pkcs1.c and tls/x509v3.c.
+    (fetchpatch {
+      name = "CVE-2021-30004.patch";
+      url = "https://w1.fi/cgit/hostap/patch/?id=a0541334a6394f8237a4393b7372693cd7e96f15";
+      sha256 = "1gbhlz41x1ar1hppnb76pqxj6vimiypy7c4kq6h658637s4am3xg";
+    })
+  ] ++ lib.optionals readOnlyModeSSIDs [
+    # Allow read-only networks
+    ./0001-Implement-read-only-mode-for-ssids.patch
   ];
 
   # TODO: Patch epoll so that the dbus actually responds
@@ -32,6 +62,7 @@ stdenv.mkDerivation rec {
     CONFIG_EAP_SAKE=y
     CONFIG_EAP_GPSK=y
     CONFIG_EAP_GPSK_SHA256=y
+    CONFIG_OWE=y
     CONFIG_WPS=y
     CONFIG_WPS_ER=y
     CONFIG_WPS_NFS=y
@@ -56,16 +87,17 @@ stdenv.mkDerivation rec {
     CONFIG_P2P=y
     CONFIG_TDLS=y
     CONFIG_BGSCAN_SIMPLE=y
-  '' + optionalString (pcsclite != null) ''
+    CONFIG_BGSCAN_LEARN=y
+  '' + optionalString withPcsclite ''
     CONFIG_EAP_SIM=y
     CONFIG_EAP_AKA=y
     CONFIG_EAP_AKA_PRIME=y
     CONFIG_PCSC=y
-  '' + optionalString (dbus != null) ''
+  '' + optionalString withDbus ''
     CONFIG_CTRL_IFACE_DBUS=y
     CONFIG_CTRL_IFACE_DBUS_NEW=y
     CONFIG_CTRL_IFACE_DBUS_INTRO=y
-  '' + (if readline != null then ''
+  '' + (if withReadline then ''
     CONFIG_READLINE=y
   '' else ''
     CONFIG_WPA_CLI_EDIT=y
@@ -81,13 +113,16 @@ stdenv.mkDerivation rec {
     cat -n .config
     substituteInPlace Makefile --replace /usr/local $out
     export NIX_CFLAGS_COMPILE="$NIX_CFLAGS_COMPILE \
-      -I$(echo "${stdenv.lib.getDev libnl}"/include/libnl*/) \
-      -I${stdenv.lib.getDev pcsclite}/include/PCSC/"
+      -I$(echo "${lib.getDev libnl}"/include/libnl*/) \
+      ${optionalString withPcsclite "-I${lib.getDev pcsclite}/include/PCSC/"}"
   '';
 
-  buildInputs = [ openssl libnl dbus readline pcsclite ];
+  buildInputs = [ openssl libnl ]
+    ++ optional withDbus dbus
+    ++ optional withReadline readline
+    ++ optional withPcsclite pcsclite;
 
-  nativeBuildInputs = [ pkgconfig ];
+  nativeBuildInputs = [ pkg-config ];
 
   postInstall = ''
     mkdir -p $out/share/man/man5 $out/share/man/man8
@@ -104,11 +139,11 @@ stdenv.mkDerivation rec {
     install -Dm444 wpa_supplicant.conf $out/share/doc/wpa_supplicant/wpa_supplicant.conf.example
   '';
 
-  meta = with stdenv.lib; {
-    homepage = "https://hostap.epitest.fi/wpa_supplicant/";
+  meta = with lib; {
+    homepage = "https://w1.fi/wpa_supplicant/";
     description = "A tool for connecting to WPA and WPA2-protected wireless networks";
     license = licenses.bsd3;
-    maintainers = with maintainers; [ marcweber ];
+    maintainers = with maintainers; [ marcweber ma27 ];
     platforms = platforms.linux;
   };
 }
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-04-26 10:09:33 +0000