- fix 'Server used client certificate' error

diff --git a/wpa_supplicant-client-cert.patch b/wpa_supplicant-client-cert.patch
new file mode 100644 (file)
index 0000000..7e207fa
--- /dev/null
+++ b/wpa_supplicant-client-cert.patch
@@ -0,0 +1,67 @@
+commit b62d5b5450101676a0c05691b4bcd94e11426397
+Author: Jouni Malinen <j@w1.fi>
+Date:   Wed Feb 19 11:56:02 2014 +0200
+
+    Revert "OpenSSL: Do not accept SSL Client certificate for server"
+    
+    This reverts commit 51e3eafb68e15e78e98ca955704be8a6c3a7b304. There are
+    too many deployed AAA servers that include both id-kp-clientAuth and
+    id-kp-serverAuth EKUs for this change to be acceptable as a generic rule
+    for AAA authentication server validation. OpenSSL enforces the policy of
+    not connecting if only id-kp-clientAuth is included. If a valid EKU is
+    listed with it, the connection needs to be accepted.
+    
+    Signed-off-by: Jouni Malinen <j@w1.fi>
+
+diff --git a/src/crypto/tls.h b/src/crypto/tls.h
+index 287fd33..feba13f 100644
+--- a/src/crypto/tls.h
++++ b/src/crypto/tls.h
+@@ -41,8 +41,7 @@ enum tls_fail_reason {
+       TLS_FAIL_ALTSUBJECT_MISMATCH = 6,
+       TLS_FAIL_BAD_CERTIFICATE = 7,
+       TLS_FAIL_SERVER_CHAIN_PROBE = 8,
+-      TLS_FAIL_DOMAIN_SUFFIX_MISMATCH = 9,
+-      TLS_FAIL_SERVER_USED_CLIENT_CERT = 10
++      TLS_FAIL_DOMAIN_SUFFIX_MISMATCH = 9
+ };
+ 
+ union tls_event_data {
+diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
+index a13fa38..8cf1de8 100644
+--- a/src/crypto/tls_openssl.c
++++ b/src/crypto/tls_openssl.c
+@@ -105,7 +105,6 @@ struct tls_connection {
+       unsigned int ca_cert_verify:1;
+       unsigned int cert_probe:1;
+       unsigned int server_cert_only:1;
+-      unsigned int server:1;
+ 
+       u8 srv_cert_hash[32];
+ 
+@@ -1480,16 +1479,6 @@ static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
+                                      TLS_FAIL_SERVER_CHAIN_PROBE);
+       }
+ 
+-      if (!conn->server && err_cert && preverify_ok && depth == 0 &&
+-          (err_cert->ex_flags & EXFLAG_XKUSAGE) &&
+-          (err_cert->ex_xkusage & XKU_SSL_CLIENT)) {
+-              wpa_printf(MSG_WARNING, "TLS: Server used client certificate");
+-              openssl_tls_fail_event(conn, err_cert, err, depth, buf,
+-                                     "Server used client certificate",
+-                                     TLS_FAIL_SERVER_USED_CLIENT_CERT);
+-              preverify_ok = 0;
+-      }
+-
+       if (preverify_ok && context->event_cb != NULL)
+               context->event_cb(context->cb_ctx,
+                                 TLS_CERT_CHAIN_SUCCESS, NULL);
+@@ -2541,8 +2530,6 @@ openssl_handshake(struct tls_connection *conn, const struct wpabuf *in_data,
+       int res;
+       struct wpabuf *out_data;
+ 
+-      conn->server = !!server;
+-
+       /*
+        * Give TLS handshake data from the server (if available) to OpenSSL
+        * for processing.

diff --git a/wpa_supplicant.spec b/wpa_supplicant.spec
index 6aa78c471fbeca0bb95198d9b4d50abf0ff2703e..530d6353cb57a4facb0a731a7cc2aa044797610c 100644 (file)
--- a/wpa_supplicant.spec
+++ b/wpa_supplicant.spec
@@ -16,7 +16,7 @@ Summary:      Linux WPA/WPA2/RSN/IEEE 802.1X supplicant
 Summary(pl.UTF-8):     Suplikant WPA/WPA2/RSN/IEEE 802.1X dla Linuksa
 Name:          wpa_supplicant
 Version:       2.1
-Release:       2
+Release:       3
 License:       GPL v2
 Group:         Networking
 Source0:       http://hostap.epitest.fi/releases/%{name}-%{version}.tar.gz
@@ -31,6 +31,7 @@ Patch2:               %{name}-lrelease.patch
 # http://www.linuxwimax.org/Download
 Patch3:                %{name}-0.7.2-generate-libeap-peer.patch
 Patch4:                dbus-services.patch
+Patch5:                %{name}-client-cert.patch
 URL:           http://hostap.epitest.fi/wpa_supplicant/
 %{?with_dbus:BuildRequires:    dbus-devel}
 BuildRequires: libnl-devel >= 1:3.2
@@ -136,6 +137,7 @@ Pliki programistyczne dla biblioteki eap.
 %patch2 -p0
 %patch3 -p1
 %patch4 -p1
+%patch5 -p1
 
 %{__sed} -i -e 's,@LIB@,%{_lib},' src/eap_peer/libeap0.pc