author | Andrew Gunnerson <accounts+github@chiller3.com> | 2023-04-09 12:16:33 -0400 |
---|---|---|
committer | Andrew Gunnerson <accounts+github@chiller3.com> | 2023-04-09 12:51:23 -0400 |
commit | c260174c5bfcdf7cc3bd6db0f2bd51cf7b1f8648 (patch) | |
tree | ef7eb3bf3e4a55edb55da35f7856bf8c5853046f | |
parent | e36e5e77ae370aa85555a6eb328b5ab59713d639 (diff) | |

T5151: hostap: Reintroduce Debian's allow-legacy-renegotiation.patch

The Debian 12 upgrade in T5003 caused a regression for connecting to
legacy networks that only support TLSv1.0/1.1 for EAP-TLS. This commit
fixes one part of the issue by adding Debian's patch for allowing legacy
renegotiation (SSL_OP_LEGACY_SERVER_CONNECT flag). The flag used to be
allowed by default, but that changed with the openssl 3.0 upgrade in
Debian 12.

(This commit also updates `build.sh` to just overwrite
`debian/patches/series` and not delete patch files since
dpkg-buildpackage/quilt never applies unlisted patches.)

Signed-off-by: Andrew Gunnerson <accounts+github@chiller3.com>

-rw-r--r-- | packages/hostap/Jenkinsfile | 2 | ||||
-rwxr-xr-x | packages/hostap/build.sh | 9 |
2 files changed, 7 insertions, 4 deletions
diff --git a/packages/hostap/Jenkinsfile b/packages/hostap/Jenkinsfile index 1aeb4521..70c0e71b 100644 --- a/packages/hostap/Jenkinsfile +++ b/packages/hostap/Jenkinsfile @@ -21,7 +21,7 @@ def pkgList = [ ['name': 'wpa', - 'scmCommit': 'debian/2%2.10-10', + 'scmCommit': 'debian/2%2.10-12', 'scmUrl': 'https://salsa.debian.org/debian/wpa', 'buildCmd': '/bin/true'], ['name': 'hostap', diff --git a/packages/hostap/build.sh b/packages/hostap/build.sh index c66bda3d..e69236dd 100755 --- a/packages/hostap/build.sh +++ b/packages/hostap/build.sh @@ -16,9 +16,12 @@ fi echo "I: Copy Debian build instructions" cp -a ${SRC_DEB}/debian ${SRC} -# Preserve Debian's default of allowing TLSv1.0 for compatibility -find ${SRC}/debian/patches -mindepth 1 ! -name allow-tlsv1.patch -delete -echo 'allow-tlsv1.patch' > ${SRC}/debian/patches/series +# Preserve Debian's default of allowing TLSv1.0 and legacy renegotiation for +# compatibility with networks that use legacy crypto +cat > ${SRC}/debian/patches/series << EOF +allow-tlsv1.patch +allow-legacy-renegotiation.patch +EOF # Build Debian package cd ${SRC} |
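
Review bot: The `scmCommit` bump from `debian/2%2.10-10` to `debian/2%2.10-12` in the Jenkinsfile hunk is not explained in the commit message, which only talks about the patch and the `series` change. Since `build.sh` copies `${SRC_DEB}/debian` and now lists `allow-legacy-renegotiation.patch` in `series`, the build depends on that file being present in the pinned Debian tag. If that is the reason for the bump, say so in the message so a later pin change does not silently drop the patch file the build expects.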
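
Review bot: In the build.sh hunk, `series` is written without checking that `allow-tlsv1.patch` and `allow-legacy-renegotiation.patch` exist under `${SRC}/debian/patches`, so a missing file would surface only later in the package build instead of at this step. Consider a `[ -f ... ]` check for each listed name before the heredoc, with an `E:` message that names the missing patch. Two smaller points: quote the delimiter (`<< 'EOF'`) and the path (`"${SRC}/debian/patches/series"`) so nothing in the list is expanded and a path containing spaces does not break the redirect. Also, the new comment says "legacy crypto" but does not name the flag being re-enabled; mentioning `SSL_OP_LEGACY_SERVER_CONNECT` and T5151 there would let someone auditing the TLS posture of this package find the reason from the script alone. Since overwriting `series` means every other Debian patch left on disk is intentionally not applied, a one-line comment stating that would also help.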