diff options
Diffstat (limited to 'pkgs/os-specific/linux/wpa_supplicant/default.nix')
-rw-r--r-- | pkgs/os-specific/linux/wpa_supplicant/default.nix | 61 |
1 files changed, 48 insertions, 13 deletions
diff --git a/pkgs/os-specific/linux/wpa_supplicant/default.nix b/pkgs/os-specific/linux/wpa_supplicant/default.nix index 5cd440bcdfc..1dbe281e096 100644 --- a/pkgs/os-specific/linux/wpa_supplicant/default.nix +++ b/pkgs/os-specific/linux/wpa_supplicant/default.nix @@ -1,8 +1,11 @@ -{ stdenv, fetchurl, openssl, pkgconfig, libnl -, dbus, readline ? null, pcsclite ? null +{ lib, stdenv, fetchurl, fetchpatch, openssl, pkg-config, libnl +, withDbus ? true, dbus +, withReadline ? true, readline +, withPcsclite ? true, pcsclite +, readOnlyModeSSIDs ? false }: -with stdenv.lib; +with lib; stdenv.mkDerivation rec { version = "2.9"; @@ -19,6 +22,33 @@ stdenv.mkDerivation rec { url = "https://w1.fi/security/2019-7/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch"; sha256 = "15xjyy7crb557wxpx898b5lnyblxghlij0xby5lmj9hpwwss34dz"; }) + (fetchpatch { + # Expose OWE key management capability over DBus, remove >= 2.10 + name = "dbus-Export-OWE-capability-and-OWE-BSS-key_mgmt.patch"; + url = "https://w1.fi/cgit/hostap/patch/?id=7800725afb27397f7d6033d4969e2aeb61af4737"; + sha256 = "0c1la7inf4m5y9gzdjjdnhpkx32pm8vi6m5knih8p77q4mbrdgg8"; + }) + # P2P: Fix copying of secondary device types for P2P group client (https://w1.fi/security/2020-2/) + (fetchurl { + name = "CVE-2021-0326.patch"; + url = "https://w1.fi/security/2020-2/0001-P2P-Fix-copying-of-secondary-device-types-for-P2P-gr.patch"; + sha256 = "19f4hx0p547mdx8y8arb3vclwyy4w9c8a6a40ryj7q33730mrmn4"; + }) + # P2P: Fix a corner case in peer addition based on PD Request (https://w1.fi/security/2021-1/) + (fetchurl { + name = "CVE-2021-27803.patch"; + url = "https://w1.fi/security/2021-1/0001-P2P-Fix-a-corner-case-in-peer-addition-based-on-PD-R.patch"; + sha256 = "04cnds7hmbqc44jasabjvrdnh66i5hwvk2h2m5z94pmgbzncyh3z"; + }) + # In wpa_supplicant and hostapd 2.9, forging attacks may occur because AlgorithmIdentifier parameters are mishandled in tls/pkcs1.c and tls/x509v3.c. + (fetchpatch { + name = "CVE-2021-30004.patch"; + url = "https://w1.fi/cgit/hostap/patch/?id=a0541334a6394f8237a4393b7372693cd7e96f15"; + sha256 = "1gbhlz41x1ar1hppnb76pqxj6vimiypy7c4kq6h658637s4am3xg"; + }) + ] ++ lib.optionals readOnlyModeSSIDs [ + # Allow read-only networks + ./0001-Implement-read-only-mode-for-ssids.patch ]; # TODO: Patch epoll so that the dbus actually responds @@ -32,6 +62,7 @@ stdenv.mkDerivation rec { CONFIG_EAP_SAKE=y CONFIG_EAP_GPSK=y CONFIG_EAP_GPSK_SHA256=y + CONFIG_OWE=y CONFIG_WPS=y CONFIG_WPS_ER=y CONFIG_WPS_NFS=y @@ -56,16 +87,17 @@ stdenv.mkDerivation rec { CONFIG_P2P=y CONFIG_TDLS=y CONFIG_BGSCAN_SIMPLE=y - '' + optionalString (pcsclite != null) '' + CONFIG_BGSCAN_LEARN=y + '' + optionalString withPcsclite '' CONFIG_EAP_SIM=y CONFIG_EAP_AKA=y CONFIG_EAP_AKA_PRIME=y CONFIG_PCSC=y - '' + optionalString (dbus != null) '' + '' + optionalString withDbus '' CONFIG_CTRL_IFACE_DBUS=y CONFIG_CTRL_IFACE_DBUS_NEW=y CONFIG_CTRL_IFACE_DBUS_INTRO=y - '' + (if readline != null then '' + '' + (if withReadline then '' CONFIG_READLINE=y '' else '' CONFIG_WPA_CLI_EDIT=y @@ -81,13 +113,16 @@ stdenv.mkDerivation rec { cat -n .config substituteInPlace Makefile --replace /usr/local $out export NIX_CFLAGS_COMPILE="$NIX_CFLAGS_COMPILE \ - -I$(echo "${stdenv.lib.getDev libnl}"/include/libnl*/) \ - -I${stdenv.lib.getDev pcsclite}/include/PCSC/" + -I$(echo "${lib.getDev libnl}"/include/libnl*/) \ + ${optionalString withPcsclite "-I${lib.getDev pcsclite}/include/PCSC/"}" ''; - buildInputs = [ openssl libnl dbus readline pcsclite ]; + buildInputs = [ openssl libnl ] + ++ optional withDbus dbus + ++ optional withReadline readline + ++ optional withPcsclite pcsclite; - nativeBuildInputs = [ pkgconfig ]; + nativeBuildInputs = [ pkg-config ]; postInstall = '' mkdir -p $out/share/man/man5 $out/share/man/man8 @@ -104,11 +139,11 @@ stdenv.mkDerivation rec { install -Dm444 wpa_supplicant.conf $out/share/doc/wpa_supplicant/wpa_supplicant.conf.example ''; - meta = with stdenv.lib; { - homepage = "https://hostap.epitest.fi/wpa_supplicant/"; + meta = with lib; { + homepage = "https://w1.fi/wpa_supplicant/"; description = "A tool for connecting to WPA and WPA2-protected wireless networks"; license = licenses.bsd3; - maintainers = with maintainers; [ marcweber ]; + maintainers = with maintainers; [ marcweber ma27 ]; platforms = platforms.linux; }; } |