wpa-supplicant: add package

2020-03-10 22:06:55 +01:00 · 2020-03-10 22:06:55 +01:00 · df5772c777
parent a2fc1947e1
commit df5772c777
8 changed files with 534 additions and 0 deletions
--- a/root-packages/wpa-supplicant/CVE-2019-16275.patch
+++ b/root-packages/wpa-supplicant/CVE-2019-16275.patch
@ -0,0 +1,73 @@
+From 8c07fa9eda13e835f3f968b2e1c9a8be3a851ff9 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Thu, 29 Aug 2019 11:52:04 +0300
+Subject: [PATCH] AP: Silently ignore management frame from unexpected source
+ address
+
+Do not process any received Management frames with unexpected/invalid SA
+so that we do not add any state for unexpected STA addresses or end up
+sending out frames to unexpected destination. This prevents unexpected
+sequences where an unprotected frame might end up causing the AP to send
+out a response to another device and that other device processing the
+unexpected response.
+
+In particular, this prevents some potential denial of service cases
+where the unexpected response frame from the AP might result in a
+connected station dropping its association.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/ap/drv_callbacks.c | 13 +++++++++++++
+ src/ap/ieee802_11.c    | 12 ++++++++++++
+ 2 files changed, 25 insertions(+)
+
+diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c
+index 31587685fe3b..34ca379edc3d 100644
+--- a/src/ap/drv_callbacks.c
+++ b/src/ap/drv_callbacks.c
+@@ -131,6 +131,19 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr,
+ 			   "hostapd_notif_assoc: Skip event with no address");
+ 		return -1;
+ 	}
+
+	if (is_multicast_ether_addr(addr) ||
+	    is_zero_ether_addr(addr) ||
+	    os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) {
+		/* Do not process any frames with unexpected/invalid SA so that
+		 * we do not add any state for unexpected STA addresses or end
+		 * up sending out frames to unexpected destination. */
+		wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR
+			   " in received indication - ignore this indication silently",
+			   __func__, MAC2STR(addr));
+		return 0;
+	}
+
+ 	random_add_randomness(addr, ETH_ALEN);
+ 
+ 	hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211,
+diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
+index c85a28db44b7..e7065372e158 100644
+--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
+@@ -4626,6 +4626,18 @@ int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
+ 	fc = le_to_host16(mgmt->frame_control);
+ 	stype = WLAN_FC_GET_STYPE(fc);
+ 
+	if (is_multicast_ether_addr(mgmt->sa) ||
+	    is_zero_ether_addr(mgmt->sa) ||
+	    os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
+		/* Do not process any frames with unexpected/invalid SA so that
+		 * we do not add any state for unexpected STA addresses or end
+		 * up sending out frames to unexpected destination. */
+		wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR
+			   " in received frame - ignore this frame silently",
+			   MAC2STR(mgmt->sa));
+		return 0;
+	}
+
+ 	if (stype == WLAN_FC_STYPE_BEACON) {
+ 		handle_beacon(hapd, mgmt, len, fi);
+ 		return 1;
+-- 
+2.20.1
+
--- a/root-packages/wpa-supplicant/Makefile.patch
+++ b/root-packages/wpa-supplicant/Makefile.patch
@ -0,0 +1,40 @@
+--- ../Makefile.orig	2020-03-10 20:58:52.384359092 +0100
+++ ./wpa_supplicant/Makefile	2020-03-10 21:19:03.627147971 +0100
+@@ -17,9 +17,9 @@
+ endif
+ endif
+ 
+-export LIBDIR ?= /usr/local/lib/
+-export INCDIR ?= /usr/local/include/
+-export BINDIR ?= /usr/local/sbin/
+export LIBDIR ?= $(PREFIX)/lib/
+export INCDIR ?= $(PREFIX)/include/
+export BINDIR ?= $(PREFIX)/bin/
+ PKG_CONFIG ?= pkg-config
+ 
+ CFLAGS += $(EXTRA_CFLAGS)
+@@ -60,7 +60,6 @@
+ ALL += libwpa_client.so
+ endif
+ 
+-
+ all: verify_config $(ALL) dynamic_eap_methods
+ 
+ verify_config:
+@@ -155,16 +154,6 @@
+ OBJS += ../src/utils/$(CONFIG_ELOOP).o
+ OBJS_c += ../src/utils/$(CONFIG_ELOOP).o
+ 
+-ifndef CONFIG_OSX
+-ifeq ($(CONFIG_ELOOP), eloop)
+-# Using glibc < 2.17 requires -lrt for clock_gettime()
+-# OS X has an alternate implementation
+-LIBS += -lrt
+-LIBS_c += -lrt
+-LIBS_p += -lrt
+-endif
+-endif
+-
+ ifdef CONFIG_ELOOP_POLL
+ CFLAGS += -DCONFIG_ELOOP_POLL
+ endif
--- a/root-packages/wpa-supplicant/browser.c.patch
+++ b/root-packages/wpa-supplicant/browser.c.patch
@ -0,0 +1,11 @@
+--- ../browser.c.orig	2020-03-10 21:44:47.457547015 +0100
+++ ./src/utils/browser.c	2020-03-10 21:45:08.297271869 +0100
+@@ -162,7 +162,7 @@
+ 
+ 	s = webkit_get_default_session();
+ 	g_object_set(G_OBJECT(s), "ssl-ca-file",
+-		     "/etc/ssl/certs/ca-certificates.crt", NULL);
+		     "@TERMUX_PREFIX@/etc/tls/cert.pem", NULL);
+ 	g_object_set(G_OBJECT(s), "ssl-strict", FALSE, NULL);
+ 
+ 	ctx.win = gtk_window_new(GTK_WINDOW_TOPLEVEL);
--- a/root-packages/wpa-supplicant/build.sh
+++ b/root-packages/wpa-supplicant/build.sh
@ -0,0 +1,20 @@
+TERMUX_PKG_HOMEPAGE=http://hostap.epitest.fi/wpa_supplicant
+TERMUX_PKG_DESCRIPTION="Utility providing key negotiation for WPA wireless networks"
+TERMUX_PKG_LICENSE="BSD 3-Clause"
+TERMUX_PKG_VERSION=2.9
+TERMUX_PKG_SRCURL=https://w1.fi/releases/wpa_supplicant-${TERMUX_PKG_VERSION}.tar.gz
+TERMUX_PKG_DEPENDS="openssl, readline, libnl"
+TERMUX_PKG_SHA256=fcbdee7b4a64bea8177973299c8c824419c413ec2e3a95db63dd6a5dc3541f17
+TERMUX_PKG_EXTRA_MAKE_ARGS="-C wpa_supplicant"
+TERMUX_PKG_BUILD_IN_SRC=true
+
+termux_step_post_configure() {
+	cp wpa_supplicant/defconfig wpa_supplicant/.config
+	export EXTRA_CFLAGS=$CPPFLAGS
+}
+
+termux_step_post_make_install() {
+	mkdir -p $TERMUX_PREFIX/share/man/{man5,man8}
+	install -m600 wpa_supplicant/doc/docbook/wpa_supplicant.conf.5 $TERMUX_PREFIX/share/man/man5/
+	install -m600 wpa_supplicant/doc/docbook/{wpa_cli,wpa_supplicant}.8 $TERMUX_PREFIX/share/man/man8/
+}
--- a/root-packages/wpa-supplicant/defconfig.patch
+++ b/root-packages/wpa-supplicant/defconfig.patch
@ -0,0 +1,33 @@
+--- ../defconfig.orig	2020-03-10 21:02:00.508270039 +0100
+++ ./wpa_supplicant/defconfig	2020-03-10 21:03:10.607040726 +0100
+@@ -26,7 +26,7 @@
+ # replacement for WEXT and its use allows wpa_supplicant to properly control
+ # the driver to improve existing functionality like roaming and to support new
+ # functionality.
+-CONFIG_DRIVER_WEXT=y
+# CONFIG_DRIVER_WEXT=y
+ 
+ # Driver interface for Linux drivers using the nl80211 kernel interface
+ CONFIG_DRIVER_NL80211=y
+@@ -367,7 +367,7 @@
+ 
+ # Add support for new DBus control interface
+ # (fi.w1.hostap.wpa_supplicant1)
+-CONFIG_CTRL_IFACE_DBUS_NEW=y
+# CONFIG_CTRL_IFACE_DBUS_NEW=y
+ 
+ # Add introspection support for new DBus control interface
+ CONFIG_CTRL_IFACE_DBUS_INTRO=y
+@@ -397,10 +397,10 @@
+ CONFIG_IEEE80211R=y
+ 
+ # Add support for writing debug log to a file (/tmp/wpa_supplicant-log-#.txt)
+-CONFIG_DEBUG_FILE=y
+# CONFIG_DEBUG_FILE=y
+ 
+ # Send debug messages to syslog instead of stdout
+-CONFIG_DEBUG_SYSLOG=y
+# CONFIG_DEBUG_SYSLOG=y
+ # Set syslog facility for debug messages
+ #CONFIG_DEBUG_SYSLOG_FACILITY=LOG_DAEMON
+ 
--- a/root-packages/wpa-supplicant/doc-paths.patch
+++ b/root-packages/wpa-supplicant/doc-paths.patch
@ -0,0 +1,335 @@
+diff -u -r ../wpa_supplicant-doc.orig/docbook/wpa_supplicant.8 ./wpa_supplicant/doc/docbook/wpa_supplicant.8
+--- ../wpa_supplicant-doc.orig/docbook/wpa_supplicant.8	2020-03-10 21:49:08.458858646 +0100
+++ ./wpa_supplicant/doc/docbook/wpa_supplicant.8	2020-03-10 21:52:22.866338065 +0100
+@@ -348,7 +348,7 @@
+ .RS
+ 
+ .nf
+-wpa_supplicant -B -c/etc/wpa_supplicant.conf -iwlan0
+wpa_supplicant -B -c@TERMUX_PREFIX@/etc/wpa_supplicant.conf -iwlan0
+ .fi
+ .RE
+ .PP
+@@ -361,7 +361,7 @@
+ .RS
+ 
+ .nf
+-wpa_supplicant -c/etc/wpa_supplicant.conf -iwlan0 -d
+wpa_supplicant -c@TERMUX_PREFIX@/etc/wpa_supplicant.conf -iwlan0 -d
+ .fi
+ .RE
+ .PP
+@@ -373,7 +373,7 @@
+ .RS
+ 
+ .nf
+-wpa_supplicant -Dnl80211,wext -c/etc/wpa_supplicant.conf -iwlan0
+wpa_supplicant -Dnl80211,wext -c@TERMUX_PREFIX@/etc/wpa_supplicant.conf -iwlan0
+ .fi
+ .RE
+ .PP
+@@ -465,7 +465,7 @@
+ .SH "QUICK START"
+ .PP
+ First, make a configuration file, e.g.
+-\fI/etc/wpa_supplicant.conf\fR, that describes the networks
+\fI@TERMUX_PREFIX@/etc/wpa_supplicant.conf\fR, that describes the networks
+ you are interested in.  See \fBwpa_supplicant.conf\fR(5)
+ for details.
+ .PP
+@@ -477,7 +477,7 @@
+ .RS
+ 
+ .nf
+-wpa_supplicant -iwlan0 -c/etc/wpa_supplicant.conf -d
+wpa_supplicant -iwlan0 -c@TERMUX_PREFIX@/etc/wpa_supplicant.conf -d
+     
+ .fi
+ .RE
+@@ -489,7 +489,7 @@
+ .RS
+ 
+ .nf
+-wpa_supplicant -iwlan0 -c/etc/wpa_supplicant.conf -B
+wpa_supplicant -iwlan0 -c@TERMUX_PREFIX@/etc/wpa_supplicant.conf -B
+     
+ .fi
+ .RE
+@@ -504,16 +504,16 @@
+ can be used to enable WPA support:
+ .PP
+ Add MODE="Managed" and WPA="y" to the network scheme in
+-\fI/etc/pcmcia/wireless.opts\fR\&.
+\fI@TERMUX_PREFIX@/etc/pcmcia/wireless.opts\fR\&.
+ .PP
+ Add the following block to the end of \fBstart\fR
+-action handler in \fI/etc/pcmcia/wireless\fR:
+action handler in \fI@TERMUX_PREFIX@/etc/pcmcia/wireless\fR:
+ .sp
+ .RS
+ 
+ .nf
+-if [ "$WPA" = "y" -a -x /usr/local/bin/wpa_supplicant ]; then
+-    /usr/local/bin/wpa_supplicant -B -c/etc/wpa_supplicant.conf -i$DEVICE
+if [ "$WPA" = "y" -a -x @TERMUX_PREFIX@/bin/wpa_supplicant ]; then
+    @TERMUX_PREFIX@/bin/wpa_supplicant -B -c@TERMUX_PREFIX@/etc/wpa_supplicant.conf -i$DEVICE
+ fi
+     
+ .fi
+@@ -521,12 +521,12 @@
+ .PP
+ Add the following block to the end of \fBstop\fR
+ action handler (may need to be separated from other actions) in
+-\fI/etc/pcmcia/wireless\fR:
+\fI@TERMUX_PREFIX@/etc/pcmcia/wireless\fR:
+ .sp
+ .RS
+ 
+ .nf
+-if [ "$WPA" = "y" -a -x /usr/local/bin/wpa_supplicant ]; then
+if [ "$WPA" = "y" -a -x @TERMUX_PREFIX@/bin/wpa_supplicant ]; then
+     killall wpa_supplicant
+ fi
+     
+diff -u -r ../wpa_supplicant-doc.orig/docbook/wpa_supplicant.conf.5 ./wpa_supplicant/doc/docbook/wpa_supplicant.conf.5
+--- ../wpa_supplicant-doc.orig/docbook/wpa_supplicant.conf.5	2020-03-10 21:49:08.458858646 +0100
+++ ./wpa_supplicant/doc/docbook/wpa_supplicant.conf.5	2020-03-10 21:52:22.882996517 +0100
+@@ -12,7 +12,7 @@
+ \fBwpa_supplicant\fR is configured using a text
+ file that lists all accepted networks and security policies,
+ including pre-shared keys. See the example configuration file,
+-probably in \fB/usr/share/doc/wpa_supplicant/\fR, for
+probably in \fB@TERMUX_PREFIX@/share/doc/wpa_supplicant/\fR, for
+ detailed information about the configuration format and supported
+ fields.
+ .PP
+@@ -60,9 +60,9 @@
+ 	group=CCMP TKIP
+ 	eap=TLS
+ 	identity="user@example.com"
+-	ca_cert="/etc/cert/ca.pem"
+-	client_cert="/etc/cert/user.pem"
+-	private_key="/etc/cert/user.prv"
+	ca_cert="@TERMUX_PREFIX@/etc/cert/ca.pem"
+	client_cert="@TERMUX_PREFIX@/etc/cert/user.pem"
+	private_key="@TERMUX_PREFIX@/etc/cert/user.prv"
+ 	private_key_passwd="password"
+ }
+ .fi
+@@ -84,7 +84,7 @@
+ 	eap=PEAP
+ 	identity="user@example.com"
+ 	password="foobar"
+-	ca_cert="/etc/cert/ca.pem"
+	ca_cert="@TERMUX_PREFIX@/etc/cert/ca.pem"
+ 	phase1="peaplabel=0"
+ 	phase2="auth=MSCHAPV2"
+ }
+@@ -108,7 +108,7 @@
+ 	identity="user@example.com"
+ 	anonymous_identity="anonymous@example.com"
+ 	password="foobar"
+-	ca_cert="/etc/cert/ca.pem"
+	ca_cert="@TERMUX_PREFIX@/etc/cert/ca.pem"
+ 	phase2="auth=MD5"
+ }
+ .fi
+@@ -129,9 +129,9 @@
+ 	key_mgmt=IEEE8021X
+ 	eap=TLS
+ 	identity="user@example.com"
+-	ca_cert="/etc/cert/ca.pem"
+-	client_cert="/etc/cert/user.pem"
+-	private_key="/etc/cert/user.prv"
+	ca_cert="@TERMUX_PREFIX@/etc/cert/ca.pem"
+	client_cert="@TERMUX_PREFIX@/etc/cert/user.pem"
+	private_key="@TERMUX_PREFIX@/etc/cert/user.prv"
+ 	private_key_passwd="password"
+ 	eapol_flags=3
+ }
+@@ -159,14 +159,14 @@
+ 	eap=TTLS PEAP TLS
+ 	identity="user@example.com"
+ 	password="foobar"
+-	ca_cert="/etc/cert/ca.pem"
+-	client_cert="/etc/cert/user.pem"
+-	private_key="/etc/cert/user.prv"
+	ca_cert="@TERMUX_PREFIX@/etc/cert/ca.pem"
+	client_cert="@TERMUX_PREFIX@/etc/cert/user.pem"
+	private_key="@TERMUX_PREFIX@/etc/cert/user.prv"
+ 	private_key_passwd="password"
+ 	phase1="peaplabel=0"
+-	ca_cert2="/etc/cert/ca2.pem"
+-	client_cert2="/etc/cer/user.pem"
+-	private_key2="/etc/cer/user.prv"
+	ca_cert2="@TERMUX_PREFIX@/etc/cert/ca2.pem"
+	client_cert2="@TERMUX_PREFIX@/etc/cer/user.pem"
+	private_key2="@TERMUX_PREFIX@/etc/cer/user.prv"
+ 	private_key2_passwd="password"
+ }
+ .fi
+diff -u -r ../wpa_supplicant-doc.orig/docbook/wpa_supplicant.conf.sgml ./wpa_supplicant/doc/docbook/wpa_supplicant.conf.sgml
+--- ../wpa_supplicant-doc.orig/docbook/wpa_supplicant.conf.sgml	2020-03-10 21:49:08.458858646 +0100
+++ ./wpa_supplicant/doc/docbook/wpa_supplicant.conf.sgml	2020-03-10 21:52:22.876333136 +0100
+@@ -14,7 +14,7 @@
+     <para><command>wpa_supplicant</command> is configured using a text
+     file that lists all accepted networks and security policies,
+     including pre-shared keys. See the example configuration file,
+-    probably in <command>/usr/share/doc/wpa_supplicant/</command>, for
+    probably in <command>@TERMUX_PREFIX@/share/doc/wpa_supplicant/</command>, for
+     detailed information about the configuration format and supported
+     fields.</para>
+ 
+@@ -65,9 +65,9 @@
+ 	group=CCMP TKIP
+ 	eap=TLS
+ 	identity="user@example.com"
+-	ca_cert="/etc/cert/ca.pem"
+-	client_cert="/etc/cert/user.pem"
+-	private_key="/etc/cert/user.prv"
+	ca_cert="@TERMUX_PREFIX@/etc/cert/ca.pem"
+	client_cert="@TERMUX_PREFIX@/etc/cert/user.pem"
+	private_key="@TERMUX_PREFIX@/etc/cert/user.prv"
+ 	private_key_passwd="password"
+ }
+ </programlisting></blockquote>   
+@@ -87,7 +87,7 @@
+ 	eap=PEAP
+ 	identity="user@example.com"
+ 	password="foobar"
+-	ca_cert="/etc/cert/ca.pem"
+	ca_cert="@TERMUX_PREFIX@/etc/cert/ca.pem"
+ 	phase1="peaplabel=0"
+ 	phase2="auth=MSCHAPV2"
+ }
+@@ -110,7 +110,7 @@
+ 	identity="user@example.com"
+ 	anonymous_identity="anonymous@example.com"
+ 	password="foobar"
+-	ca_cert="/etc/cert/ca.pem"
+	ca_cert="@TERMUX_PREFIX@/etc/cert/ca.pem"
+ 	phase2="auth=MD5"
+ }
+ </programlisting></blockquote>
+@@ -130,9 +130,9 @@
+ 	key_mgmt=IEEE8021X
+ 	eap=TLS
+ 	identity="user@example.com"
+-	ca_cert="/etc/cert/ca.pem"
+-	client_cert="/etc/cert/user.pem"
+-	private_key="/etc/cert/user.prv"
+	ca_cert="@TERMUX_PREFIX@/etc/cert/ca.pem"
+	client_cert="@TERMUX_PREFIX@/etc/cert/user.pem"
+	private_key="@TERMUX_PREFIX@/etc/cert/user.prv"
+ 	private_key_passwd="password"
+ 	eapol_flags=3
+ }
+@@ -159,14 +159,14 @@
+ 	eap=TTLS PEAP TLS
+ 	identity="user@example.com"
+ 	password="foobar"
+-	ca_cert="/etc/cert/ca.pem"
+-	client_cert="/etc/cert/user.pem"
+-	private_key="/etc/cert/user.prv"
+	ca_cert="@TERMUX_PREFIX@/etc/cert/ca.pem"
+	client_cert="@TERMUX_PREFIX@/etc/cert/user.pem"
+	private_key="@TERMUX_PREFIX@/etc/cert/user.prv"
+ 	private_key_passwd="password"
+ 	phase1="peaplabel=0"
+-	ca_cert2="/etc/cert/ca2.pem"
+-	client_cert2="/etc/cer/user.pem"
+-	private_key2="/etc/cer/user.prv"
+	ca_cert2="@TERMUX_PREFIX@/etc/cert/ca2.pem"
+	client_cert2="@TERMUX_PREFIX@/etc/cer/user.pem"
+	private_key2="@TERMUX_PREFIX@/etc/cer/user.prv"
+ 	private_key2_passwd="password"
+ }
+ </programlisting></blockquote>
+diff -u -r ../wpa_supplicant-doc.orig/docbook/wpa_supplicant.sgml ./wpa_supplicant/doc/docbook/wpa_supplicant.sgml
+--- ../wpa_supplicant-doc.orig/docbook/wpa_supplicant.sgml	2020-03-10 21:49:08.458858646 +0100
+++ ./wpa_supplicant/doc/docbook/wpa_supplicant.sgml	2020-03-10 21:52:22.873001446 +0100
+@@ -505,7 +505,7 @@
+     started with:</para>
+ 
+ <blockquote><programlisting>
+-wpa_supplicant -B -c/etc/wpa_supplicant.conf -iwlan0
+wpa_supplicant -B -c@TERMUX_PREFIX@/etc/wpa_supplicant.conf -iwlan0
+ </programlisting></blockquote>
+ 
+     <para>This makes the process fork into background.</para>
+@@ -515,7 +515,7 @@
+     foreground with debugging enabled:</para>
+ 
+ <blockquote><programlisting>
+-wpa_supplicant -c/etc/wpa_supplicant.conf -iwlan0 -d
+wpa_supplicant -c@TERMUX_PREFIX@/etc/wpa_supplicant.conf -iwlan0 -d
+ </programlisting></blockquote>
+ 
+     <para>If the specific driver wrapper is not known beforehand, it is
+@@ -524,7 +524,7 @@
+     wrapper that is able to initialize the interface.</para>
+ 
+ <blockquote><programlisting>
+-wpa_supplicant -Dnl80211,wext -c/etc/wpa_supplicant.conf -iwlan0
+wpa_supplicant -Dnl80211,wext -c@TERMUX_PREFIX@/etc/wpa_supplicant.conf -iwlan0
+ </programlisting></blockquote>
+ 
+     <para><command>wpa_supplicant</command> can control multiple
+@@ -657,7 +657,7 @@
+     <title>Quick Start</title>
+ 
+     <para>First, make a configuration file, e.g.
+-    <filename>/etc/wpa_supplicant.conf</filename>, that describes the networks
+    <filename>@TERMUX_PREFIX@/etc/wpa_supplicant.conf</filename>, that describes the networks
+     you are interested in.  See <citerefentry>
+ 	<refentrytitle>wpa_supplicant.conf</refentrytitle>
+ 	<manvolnum>5</manvolnum>
+@@ -670,7 +670,7 @@
+     enabled:</para>
+ 
+     <blockquote><programlisting>
+-wpa_supplicant -iwlan0 -c/etc/wpa_supplicant.conf -d
+wpa_supplicant -iwlan0 -c@TERMUX_PREFIX@/etc/wpa_supplicant.conf -d
+     </programlisting></blockquote>
+ 
+     <para>Assuming everything goes fine, you can start using following
+@@ -678,7 +678,7 @@
+     without debugging:</para>
+ 
+     <blockquote><programlisting>
+-wpa_supplicant -iwlan0 -c/etc/wpa_supplicant.conf -B
+wpa_supplicant -iwlan0 -c@TERMUX_PREFIX@/etc/wpa_supplicant.conf -B
+     </programlisting></blockquote>
+ 
+     <para>Please note that if you included more than one driver
+@@ -699,24 +699,24 @@
+     can be used to enable WPA support:</para>
+ 
+     <para>Add MODE="Managed" and WPA="y" to the network scheme in
+-    <filename>/etc/pcmcia/wireless.opts</filename>.</para>
+    <filename>@TERMUX_PREFIX@/etc/pcmcia/wireless.opts</filename>.</para>
+ 
+     <para>Add the following block to the end of <emphasis>start</emphasis>
+-    action handler in <filename>/etc/pcmcia/wireless</filename>:</para>
+    action handler in <filename>@TERMUX_PREFIX@/etc/pcmcia/wireless</filename>:</para>
+ 
+     <blockquote><programlisting>
+-if [ "$WPA" = "y" -a -x /usr/local/bin/wpa_supplicant ]; then
+-    /usr/local/bin/wpa_supplicant -B -c/etc/wpa_supplicant.conf -i$DEVICE
+if [ "$WPA" = "y" -a -x @TERMUX_PREFIX@/bin/wpa_supplicant ]; then
+    @TERMUX_PREFIX@/bin/wpa_supplicant -B -c@TERMUX_PREFIX@/etc/wpa_supplicant.conf -i$DEVICE
+ fi
+     </programlisting></blockquote>
+ 
+ 
+     <para>Add the following block to the end of <emphasis>stop</emphasis>
+     action handler (may need to be separated from other actions) in
+-    <filename>/etc/pcmcia/wireless</filename>:</para>
+    <filename>@TERMUX_PREFIX@/etc/pcmcia/wireless</filename>:</para>
+ 
+     <blockquote><programlisting>
+-if [ "$WPA" = "y" -a -x /usr/local/bin/wpa_supplicant ]; then
+if [ "$WPA" = "y" -a -x @TERMUX_PREFIX@/bin/wpa_supplicant ]; then
+     killall wpa_supplicant
+ fi
+     </programlisting></blockquote>
--- a/root-packages/wpa-supplicant/main.c.patch
+++ b/root-packages/wpa-supplicant/main.c.patch
@ -0,0 +1,11 @@
+--- ../main.c.orig	2020-03-10 21:37:55.340743885 +0100
+++ ./wpa_supplicant/main.c	2020-03-10 21:38:08.970690217 +0100
+@@ -105,7 +105,7 @@
+ 	       "  -W = wait for a control interface monitor before starting\n");
+ 
+ 	printf("example:\n"
+-	       "  wpa_supplicant -D%s -iwlan0 -c/etc/wpa_supplicant.conf\n",
+	       "  wpa_supplicant -D%s -iwlan0 -c@TERMUX_PREFIX@/etc/wpa_supplicant.conf\n",
+ 	       wpa_drivers[0] ? wpa_drivers[0]->name : "nl80211");
+ #endif /* CONFIG_NO_STDOUT_DEBUG */
+ }
--- a/root-packages/wpa-supplicant/tncs.c.patch
+++ b/root-packages/wpa-supplicant/tncs.c.patch
@ -0,0 +1,11 @@
+--- ../tncs.c.orig	2020-03-10 21:47:04.223447029 +0100
+++ ./src/eap_server/tncs.c	2020-03-10 21:47:25.669539583 +0100
+@@ -21,7 +21,7 @@
+  * needed.. */
+ 
+ #ifndef TNC_CONFIG_FILE
+-#define TNC_CONFIG_FILE "/etc/tnc_config"
+#define TNC_CONFIG_FILE "@TERMUX_PREFIX@/etc/tnc_config"
+ #endif /* TNC_CONFIG_FILE */
+ #define IF_TNCCS_START \
+ "<?xml version=\"1.0\"?>\n" \