From 4f037ffde3b2589b6c5285e28c912ea7f7dfc600bc742d407e8252f00ce74de2 Mon Sep 17 00:00:00 2001 From: Karol Babioch Date: Mon, 17 Dec 2018 08:48:14 +0000 Subject: [PATCH 1/3] Accepting request 656165 from home:mnhauke:network - Update to version 2.7 * fixed WPA packet number reuse with replayed messages and key reinstallation [http://w1.fi/security/2017-1/] (CVE-2017-13082) * added support for FILS (IEEE 802.11ai) shared key authentication * added support for OWE (Opportunistic Wireless Encryption, RFC 8110; and transition mode defined by WFA) * added support for DPP (Wi-Fi Device Provisioning Protocol) * FT: - added local generation of PMK-R0/PMK-R1 for FT-PSK (ft_psk_generate_local=1) - replaced inter-AP protocol with a cleaner design that is more easily extensible; this breaks backward compatibility and requires all APs in the ESS to be updated at the same time to maintain FT functionality - added support for wildcard R0KH/R1KH - replaced r0_key_lifetime (minutes) parameter with ft_r0_key_lifetime (seconds) - fixed wpa_psk_file use for FT-PSK - fixed FT-SAE PMKID matching - added expiration to PMK-R0 and PMK-R1 cache - added IEEE VLAN support (including tagged VLANs) - added support for SHA384 based AKM * SAE - fixed some PMKSA caching cases with SAE - added support for configuring SAE password separately of the WPA2 PSK/passphrase - added option to require MFP for SAE associations (sae_require_pmf=1) - fixed PTK and EAPOL-Key integrity and key-wrap algorithm selection OBS-URL: https://build.opensuse.org/request/show/656165 OBS-URL: https://build.opensuse.org/package/show/Base:System/hostapd?expand=0&rev=45 --- hostapd-2.6.tar.gz | 3 - ...onfig.patch => hostapd-2.7-defconfig.patch | 57 ++-- hostapd-2.7.tar.gz | 3 + hostapd-2.7.tar.gz.asc | 7 + hostapd.changes | 69 +++++ hostapd.keyring | 36 +++ hostapd.spec | 87 +++--- ...thenticated-encrypted-EAPOL-Key-data.patch | 44 --- ...d-key-reinstallation-in-FT-handshake.patch | 174 ------------ ...lation-of-an-already-in-use-group-ke.patch | 250 ------------------ ...n-of-GTK-IGTK-reinstallation-of-WNM-.patch | 184 ------------- ...event-installation-of-an-all-zero-TK.patch | 79 ------ ...TK-rekeying-to-generate-a-new-ANonce.patch | 64 ----- ...6-TDLS-Reject-TPK-TK-reconfiguration.patch | 132 --------- ...multiple-Reassociation-Response-fram.patch | 82 ------ 15 files changed, 174 insertions(+), 1097 deletions(-) delete mode 100644 hostapd-2.6.tar.gz rename hostapd-2.6-defconfig.patch => hostapd-2.7-defconfig.patch (77%) create mode 100644 hostapd-2.7.tar.gz create mode 100644 hostapd-2.7.tar.gz.asc create mode 100644 hostapd.keyring delete mode 100644 rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch delete mode 100644 rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch delete mode 100644 rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch delete mode 100644 rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch delete mode 100644 rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch delete mode 100644 rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch delete mode 100644 rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch delete mode 100644 rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch diff --git a/hostapd-2.6.tar.gz b/hostapd-2.6.tar.gz deleted file mode 100644 index aad8e07..0000000 --- a/hostapd-2.6.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:01526b90c1d23bec4b0f052039cc4456c2fd19347b4d830d1d58a0a6aea7117d -size 1822341 diff --git a/hostapd-2.6-defconfig.patch b/hostapd-2.7-defconfig.patch similarity index 77% rename from hostapd-2.6-defconfig.patch rename to hostapd-2.7-defconfig.patch index 5474961..d9aeaac 100644 --- a/hostapd-2.6-defconfig.patch +++ b/hostapd-2.7-defconfig.patch @@ -1,15 +1,8 @@ ---- hostapd/defconfig.orig 2016-10-02 19:51:11.000000000 +0100 -+++ hostapd/defconfig 2016-10-04 11:15:48.548609106 +0100 -@@ -31,7 +31,7 @@ - #CONFIG_LIBNL20=y - - # Use libnl 3.2 libraries (if this is selected, CONFIG_LIBNL20 is ignored) --#CONFIG_LIBNL32=y -+CONFIG_LIBNL32=y - - - # Driver interface for FreeBSD net80211 layer (e.g., Atheros driver) -@@ -42,7 +42,7 @@ +diff --git a/hostapd/defconfig b/hostapd/defconfig +index 77a894d..8ccb8cb 100644 +--- a/hostapd/defconfig ++++ b/hostapd/defconfig +@@ -42,7 +42,7 @@ CONFIG_LIBNL32=y #LIBS_c += -L/usr/local/lib # Driver interface for no driver (e.g., RADIUS server only) @@ -18,7 +11,7 @@ # IEEE 802.11F/IAPP CONFIG_IAPP=y -@@ -81,53 +81,53 @@ +@@ -78,31 +78,31 @@ CONFIG_EAP_GTC=y CONFIG_EAP_TTLS=y # EAP-SIM for the integrated EAP server @@ -59,10 +52,8 @@ # EAP-FAST for the integrated EAP server # Note: If OpenSSL is used as the TLS library, OpenSSL 1.0 or newer is needed - # for EAP-FAST support. Older OpenSSL releases would need to be patched, e.g., - # with openssl-0.9.8x-tls-extensions.patch, to add the needed functions. --#CONFIG_EAP_FAST=y -+CONFIG_EAP_FAST=y +@@ -111,20 +111,20 @@ CONFIG_EAP_TTLS=y + #CONFIG_EAP_FAST=y # Wi-Fi Protected Setup (WPS) -#CONFIG_WPS=y @@ -88,14 +79,7 @@ # PKCS#12 (PFX) support (used to read private key and certificate file from # a file that usually has extension .p12 or .pfx) -@@ -135,27 +135,27 @@ - - # RADIUS authentication server. This provides access to the integrated EAP - # server from external hosts using RADIUS. --#CONFIG_RADIUS_SERVER=y -+CONFIG_RADIUS_SERVER=y - - # Build IPv6 support for RADIUS operations +@@ -138,21 +138,21 @@ CONFIG_PKCS12=y CONFIG_IPV6=y # IEEE Std 802.11r-2008 (Fast BSS Transition) @@ -120,9 +104,9 @@ -#CONFIG_IEEE80211AC=y +CONFIG_IEEE80211AC=y - # Remove debugging code that is printing out debug messages to stdout. - # This can be used to reduce the size of the hostapd considerably if debugging -@@ -183,7 +183,7 @@ + # IEEE 802.11ax HE support + # Note: This is experimental and work in progress. The definitions are still +@@ -189,11 +189,11 @@ CONFIG_IPV6=y # Enable support for fully dynamic VLANs. This enables hostapd to # automatically create bridge and VLAN interfaces if necessary. @@ -131,9 +115,14 @@ # Use netlink-based kernel API for VLAN operations instead of ioctl() # Note: This requires libnl 3.1 or newer. -@@ -257,16 +257,16 @@ - # gnutls = GnuTLS +-#CONFIG_VLAN_NETLINK=y ++CONFIG_VLAN_NETLINK=y + + # Remove support for dumping internal state through control interface commands + # This can be used to reduce binary size at the cost of disabling a debugging +@@ -264,16 +264,16 @@ CONFIG_IPV6=y # internal = Internal TLSv1 implementation (experimental) + # linux = Linux kernel AF_ALG and internal TLSv1 implementation (experimental) # none = Empty template -#CONFIG_TLS=openssl +CONFIG_TLS=openssl @@ -149,9 +138,9 @@ -#CONFIG_TLSV12=y +CONFIG_TLSV12=y - # If CONFIG_TLS=internal is used, additional library and include paths are - # needed for LibTomMath. Alternatively, an integrated, minimal version of -@@ -287,19 +287,19 @@ + # Select which ciphers to use by default with OpenSSL if the user does not + # specify them. +@@ -298,19 +298,19 @@ CONFIG_IPV6=y # Interworking (IEEE 802.11u) # This can be used to enable functionality to improve interworking with # external networks. @@ -176,7 +165,7 @@ # Testing options # This can be used to enable some testing options (see also the example -@@ -331,12 +331,12 @@ +@@ -342,12 +342,12 @@ CONFIG_IPV6=y # For more details refer to: # http://wireless.kernel.org/en/users/Documentation/acs # diff --git a/hostapd-2.7.tar.gz b/hostapd-2.7.tar.gz new file mode 100644 index 0000000..1ab22a5 --- /dev/null +++ b/hostapd-2.7.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:21b0dda3cc3abe75849437f6b9746da461f88f0ea49dd621216936f87440a141 +size 2101166 diff --git a/hostapd-2.7.tar.gz.asc b/hostapd-2.7.tar.gz.asc new file mode 100644 index 0000000..07f0376 --- /dev/null +++ b/hostapd-2.7.tar.gz.asc @@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1 + +iEYEABECAAYFAlwEQ5wACgkQK270Mu/IlfpX/gCeKuTFVjKy3P5J0fwW5twOccCZ +p90An2HZ+1jz75dIAN8m2HVaGGsceGhp +=DDIo +-----END PGP SIGNATURE----- diff --git a/hostapd.changes b/hostapd.changes index 85e7a74..4776acc 100644 --- a/hostapd.changes +++ b/hostapd.changes @@ -1,3 +1,72 @@ +------------------------------------------------------------------- +Fri Dec 7 20:46:47 UTC 2018 - mardnh@gmx.de + +- Update to version 2.7 + * fixed WPA packet number reuse with replayed messages and key + reinstallation + [http://w1.fi/security/2017-1/] (CVE-2017-13082) + * added support for FILS (IEEE 802.11ai) shared key authentication + * added support for OWE (Opportunistic Wireless Encryption, RFC 8110; + and transition mode defined by WFA) + * added support for DPP (Wi-Fi Device Provisioning Protocol) + * FT: + - added local generation of PMK-R0/PMK-R1 for FT-PSK + (ft_psk_generate_local=1) + - replaced inter-AP protocol with a cleaner design that is more + easily extensible; this breaks backward compatibility and requires + all APs in the ESS to be updated at the same time to maintain FT + functionality + - added support for wildcard R0KH/R1KH + - replaced r0_key_lifetime (minutes) parameter with + ft_r0_key_lifetime (seconds) + - fixed wpa_psk_file use for FT-PSK + - fixed FT-SAE PMKID matching + - added expiration to PMK-R0 and PMK-R1 cache + - added IEEE VLAN support (including tagged VLANs) + - added support for SHA384 based AKM + * SAE + - fixed some PMKSA caching cases with SAE + - added support for configuring SAE password separately of the + WPA2 PSK/passphrase + - added option to require MFP for SAE associations + (sae_require_pmf=1) + - fixed PTK and EAPOL-Key integrity and key-wrap algorithm selection + for SAE; + note: this is not backwards compatible, i.e., both the AP and + station side implementations will need to be update at the same + time to maintain interoperability + - added support for Password Identifier + * hostapd_cli: added support for command history and completion + * added support for requesting beacon report + * large number of other fixes, cleanup, and extensions + * added option to configure EAPOL-Key retry limits + (wpa_group_update_count and wpa_pairwise_update_count) + * removed all PeerKey functionality + * fixed nl80211 AP mode configuration regression with Linux 4.15 and + newer + * added support for using wolfSSL cryptographic library + * fixed some 20/40 MHz coexistence cases where the BSS could drop to + 20 MHz even when 40 MHz would be allowed + * Hotspot 2.0 + - added support for setting Venue URL ANQP-element (venue_url) + - added support for advertising Hotspot 2.0 operator icons + - added support for Roaming Consortium Selection element + - added support for Terms and Conditions + - added support for OSEN connection in a shared RSN BSS + * added support for using OpenSSL 1.1.1 + * added EAP-pwd server support for salted passwords + +- Remove not longer needed patches (fixed upstream) + * rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch + * rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch + * rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch + * rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch + * rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch + * rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch + * rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch + * rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch +- Verify source signature + ------------------------------------------------------------------- Fri Oct 19 10:32:25 UTC 2018 - Karol Babioch diff --git a/hostapd.keyring b/hostapd.keyring new file mode 100644 index 0000000..50c1032 --- /dev/null +++ b/hostapd.keyring @@ -0,0 +1,36 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: SKS 1.1.6 +Comment: Hostname: keyserver.ubuntu.com + +mQGiBDoydw4RBAC9vfqCsU+dgrxUSdGf70zrEAIBxcjeqHusovztR65XOWE0ccjmQS2TVgJM ++OzYg9FJG7DuLQZDwhR10BZKJfG97fNyZVBCoO90bEcTufn96oceJlz/MHmy99+i6wYdIKYz +vmaxcC1QPhENr1scgin9nMiW1MTPJ7sSgjDqd0QPVwCgmaZUpzhKRusR5E/MmgI2kz73Ui0D +/03lVNypkQTbuBp1q71YqT9qjO8+5kXU5QXJhel0qUgJHcu3rdnIVaiANw1qauMM0DtnRKOt +caZntn03sFNnaJRx0JlmLa/cMP0nm1kPnR6Q3Cruz7InJnJZDXGsGH/ku4OcYLUJ8UgqzaO0 +J5o66j7pxQQDo1UAs4PQaoYq/ECbA/9B6b3TzuHdqUgS/g2AYTc5MU+i92ydrBv2g9SPuH78 +m/X4YicGR1HF7yNiJ/hiVa/axBUHpXE4vW0Bndj1bN4sctFeGGezGRaLiiggZkBBNnL8nF5e +ZebLvPrv4kr8Cchz+lGF5UFNVyLWwi/I5CSUqUtSXOD1Q9WcXoqJcrE2brQXSm91bmkgTWFs +aW5lbiA8akB3MS5maT6IXwQTEQIAHwUCReBvUQIbIwYLCQgHAwIEFQIIAwMWAgECHgECF4AA +CgkQK270Mu/Ilfq/HgCeMavvxAxc9CYwPkbEyFBWNk+Tx3sAn1G23zGdkLx1pTSmKijWJqyO +Oh2iiGIEExECACICGyMGCwkIBwMCBBUCCAMDFgIBAh4BAheABQJGWwf0AhkBAAoJECtu9DLv +yJX6bhgAn3dFmq4Fg3o2tFVvkfU0io0SHztXAJ9QPJ5IrKNW4Pwr1OesEr6VODKRerQZSm91 +bmkgTWFsaW5lbiA8am1Aa2lyLm51PohfBBMRAgAfBQJGWwebAhsjBgsJCAcDAgQVAggDAxYC +AQIeAQIXgAAKCRArbvQy78iV+gZgAJ0Uniuc9gpS8LleYtQrT/cNr/OU5ACfVy5Gqqzal+Mg +8aB6mxKR5B2ende0IEpvdW5pIE1hbGluZW4gPGptQGptLmVwaXRlc3QuZmk+iFcEExECABcF +Ajoydw4FCwcKAwQDFQMCAxYCAQIXgAAKCRArbvQy78iV+o0vAJ4sY07fmnqzR8fMKKju1hhq +kIdeWACeIiA1F2f70GZ8tRRv3sMxP63VFZq0IkpvdW5pIE1hbGluZW4gPGprbWFsaW5lQGNj +Lmh1dC5maT6IVwQTEQIAFwUCOjJ9SQULBwoDBAMVAwIDFgIBAheAAAoJECtu9DLvyJX6mZkA +njfcQtXqkg98YlGv8/kjANhneTb5AJ0bsG6IC8k8gW/B6gtS8SElpE0gb7kCDQQ6MndbEAgA +vKm7+dJttqvYYbOeBjA/l3poNHR4h7rk7VT2LoCak0pYUkvECQXbpUfIWGAxh2084wf5LIkB +TnCEmWfs0ESBqi2zZXX+rWhlEyIWZCIdPdEWC1wmKDBQfFywTmi1Ucu0jMLD13WyEZE/b/Qs +zI2XE1FY8Dm0CkaU4ntCWYXP/wlJmO+rHKUWOYnw10/TTq+bjAN1uRSNQBXN3fOegWIXZ4XL +iZ/kEEvl7I969r6Vc2B6Evp09J0PYsJqj7UR3qfrdXLnahKLmlk/LaV5EgdGNDIzj8hpzQ5I +PaJt4I+UCszA3EAsQlUx46lVK5lugbNkZtmFTAbv0yBuBPYRCvDGvwADBQf+KTqLfJRmwCXK +L4LUhL52ulsjpxbZgvFAlycn9TJ88ywDuhb3/HM9eooNqPu24CokHlscHeyyRInL9pA9932Z +dzqkmWzXX7DsQfYPo7Vgvrzlxis6+j4u3yAV4JIcRf3lm4RYOyo+K3fowSPRe7iv8D8mPCYr +x/L8tsOgaIqXN0u6nFJ+RpOfMNBLmawB0hirfUFnf6e6aSH4IJm3O+2BVszP8/X4jFqePmCC +ZBB+rp89/vdakF1AuCRi+kDJ7CKInqqAJP+qxzAk34RUr0MbocaS1CPj0/bALyAWS2bWuoby +ImFaUk82cYlZroqFR1IT1UHXKTuTK69VRw8AvmR/JohGBBgRAgAGBQI6MndbAAoJECtu9DLv +yJX60QgAn1hLZt3rfOZJyXlCtgKXUOeBL8Z+AKCGIt+Y3Lcw/0nycz4hNec00UvDTQ== +=X3Kw +-----END PGP PUBLIC KEY BLOCK----- diff --git a/hostapd.spec b/hostapd.spec index 0a794ba..87f1fe1 100644 --- a/hostapd.spec +++ b/hostapd.spec @@ -12,35 +12,29 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: hostapd -BuildRequires: libnl3-devel -BuildRequires: openssl-devel -BuildRequires: pkg-config -BuildRequires: sqlite3-devel -BuildRequires: pkgconfig(libnl-3.0) >= 3.0 -BuildRequires: pkgconfig(systemd) +Version: 2.7 +Release: 0 Summary: Turns Your WLAN Card into a WPA capable Access Point License: GPL-2.0-only OR BSD-3-Clause Group: Hardware/Wifi -Version: 2.6 -Release: 0 -BuildRoot: %{_tmppath}/%{name}-%{version}-build -Url: http://w1.fi/ -Source: http://w1.fi/releases/hostapd-%{version}.tar.gz -Source1: hostapd.service -Patch0: hostapd-2.6-defconfig.patch -Patch1: rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch -Patch2: rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch -Patch3: rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch -Patch4: rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch -Patch5: rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch -Patch6: rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch -Patch7: rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch -Patch8: rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch +URL: https://w1.fi/ +Source: https://w1.fi/releases/hostapd-%{version}.tar.gz +Source1: https://w1.fi/releases/hostapd-%{version}.tar.gz.asc +# https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x2B6EF432EFC895FA#/%%{name}.keyring +Source2: %{name}.keyring +Source3: hostapd.service +Patch0: hostapd-2.7-defconfig.patch +BuildRequires: libnl3-devel +BuildRequires: openssl-devel +BuildRequires: pkgconfig +BuildRequires: sqlite3-devel +BuildRequires: pkgconfig(libnl-3.0) >= 3.0 +BuildRequires: pkgconfig(systemd) %{?systemd_requires} %description @@ -51,44 +45,35 @@ RADIUS authentication server. Currently, hostapd supports HostAP, madwifi, and prism54 drivers. It also supports wired IEEE 802.1X authentication via any ethernet driver. - %prep -%setup -q -n hostapd-%{version} -%patch0 -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%patch5 -p1 -%patch6 -p1 -%patch7 -p1 -%patch8 -p1 +%setup -q +%patch0 -p1 cd hostapd cp defconfig .config %build cd hostapd -CFLAGS="$RPM_OPT_FLAGS -D_GNU_SOURCE $(getconf LFS_CFLAGS)" CC="%{__cc}" make %{?_smp_mflags} V=1 +CFLAGS="%{optflags} -D_GNU_SOURCE $(getconf LFS_CFLAGS)" CC="gcc" make %{?_smp_mflags} V=1 %install cd hostapd -mkdir -p %{buildroot}/%{_sbindir} -mkdir %{buildroot}/etc -mkdir -p %{buildroot}/%{_mandir}/man8 +install -d %{buildroot}/%{_sbindir} +install -d %{buildroot}%{_sysconfdir} +install -d %{buildroot}/%{_mandir}/man8 install -m 755 hostapd %{buildroot}/%{_sbindir} -ln -s /usr/sbin/service %{buildroot}/%{_sbindir}/rchostapd +ln -s %{_sbindir}/service %{buildroot}/%{_sbindir}/rchostapd install -m 755 hostapd_cli %{buildroot}/%{_sbindir} -install -m 600 hostapd.conf %{buildroot}/etc -install -m 644 hostapd.accept %{buildroot}/etc -install -m 644 hostapd.deny %{buildroot}/etc -install -m 600 hostapd.eap_user %{buildroot}/etc -install -m 600 hostapd.radius_clients %{buildroot}/etc -install -m 644 hostapd.sim_db %{buildroot}/etc -install -m 644 hostapd.vlan %{buildroot}/etc -install -m 600 hostapd.wpa_psk %{buildroot}/etc +install -m 600 hostapd.conf %{buildroot}%{_sysconfdir} +install -m 644 hostapd.accept %{buildroot}%{_sysconfdir} +install -m 644 hostapd.deny %{buildroot}%{_sysconfdir} +install -m 600 hostapd.eap_user %{buildroot}%{_sysconfdir} +install -m 600 hostapd.radius_clients %{buildroot}%{_sysconfdir} +install -m 644 hostapd.sim_db %{buildroot}%{_sysconfdir} +install -m 644 hostapd.vlan %{buildroot}%{_sysconfdir} +install -m 600 hostapd.wpa_psk %{buildroot}%{_sysconfdir} install -m 644 hostapd.8 %{buildroot}/%{_mandir}/man8 -install -D -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/hostapd.service +install -D -m 0644 %{SOURCE3} %{buildroot}%{_unitdir}/hostapd.service %pre %service_add_pre hostapd.service @@ -103,11 +88,11 @@ install -D -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/hostapd.service %service_del_postun hostapd.service %files -%defattr(-,root,root) -%config(noreplace) /etc/hostapd.* +%config(noreplace) %{_sysconfdir}/hostapd.* %{_sbindir}/* -%doc hostapd/ChangeLog COPYING hostapd/README hostapd/wired.conf hostapd/hostapd.conf -%doc %{_mandir}/man8/* +%license COPYING +%doc hostapd/ChangeLog hostapd/README hostapd/wired.conf hostapd/hostapd.conf +%{_mandir}/man8/* %{_unitdir}/hostapd.service %changelog diff --git a/rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch b/rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch deleted file mode 100644 index 99b0549..0000000 --- a/rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 3e34cfdff6b192fe337c6fb3f487f73e96582961 Mon Sep 17 00:00:00 2001 -From: Mathy Vanhoef -Date: Sun, 15 Jul 2018 01:25:53 +0200 -Subject: [PATCH] WPA: Ignore unauthenticated encrypted EAPOL-Key data - -Ignore unauthenticated encrypted EAPOL-Key data in supplicant -processing. When using WPA2, these are frames that have the Encrypted -flag set, but not the MIC flag. - -When using WPA2, EAPOL-Key frames that had the Encrypted flag set but -not the MIC flag, had their data field decrypted without first verifying -the MIC. In case the data field was encrypted using RC4 (i.e., when -negotiating TKIP as the pairwise cipher), this meant that -unauthenticated but decrypted data would then be processed. An adversary -could abuse this as a decryption oracle to recover sensitive information -in the data field of EAPOL-Key messages (e.g., the group key). -(CVE-2018-14526) - -Signed-off-by: Mathy Vanhoef ---- - src/rsn_supp/wpa.c | 11 +++++++++++ - 1 file changed, 11 insertions(+) - -diff -upr wpa_supplicant-2.6.orig/src/rsn_supp/wpa.c wpa_supplicant-2.6/src/rsn_supp/wpa.c ---- wpa_supplicant-2.6.orig/src/rsn_supp/wpa.c 2016-10-02 21:51:11.000000000 +0300 -+++ wpa_supplicant-2.6/src/rsn_supp/wpa.c 2018-08-08 16:55:11.506831029 +0300 -@@ -2016,6 +2016,17 @@ int wpa_sm_rx_eapol(struct wpa_sm *sm, c - - if ((sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) && - (key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) { -+ /* -+ * Only decrypt the Key Data field if the frame's authenticity -+ * was verified. When using AES-SIV (FILS), the MIC flag is not -+ * set, so this check should only be performed if mic_len != 0 -+ * which is the case in this code branch. -+ */ -+ if (!(key_info & WPA_KEY_INFO_MIC)) { -+ wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, -+ "WPA: Ignore EAPOL-Key with encrypted but unauthenticated data"); -+ goto out; -+ } - if (wpa_supplicant_decrypt_key_data(sm, key, ver, key_data, - &key_data_len)) - goto out; diff --git a/rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch b/rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch deleted file mode 100644 index 8a2aefe..0000000 --- a/rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch +++ /dev/null @@ -1,174 +0,0 @@ -From cf4cab804c7afd5c45505528a8d16e46163243a2 Mon Sep 17 00:00:00 2001 -From: Mathy Vanhoef -Date: Fri, 14 Jul 2017 15:15:35 +0200 -Subject: [PATCH 1/8] hostapd: Avoid key reinstallation in FT handshake - -Do not reinstall TK to the driver during Reassociation Response frame -processing if the first attempt of setting the TK succeeded. This avoids -issues related to clearing the TX/RX PN that could result in reusing -same PN values for transmitted frames (e.g., due to CCM nonce reuse and -also hitting replay protection on the receiver) and accepting replayed -frames on RX side. - -This issue was introduced by the commit -0e84c25434e6a1f283c7b4e62e483729085b78d2 ('FT: Fix PTK configuration in -authenticator') which allowed wpa_ft_install_ptk() to be called multiple -times with the same PTK. While the second configuration attempt is -needed with some drivers, it must be done only if the first attempt -failed. - -Signed-off-by: Mathy Vanhoef ---- - src/ap/ieee802_11.c | 16 +++++++++++++--- - src/ap/wpa_auth.c | 11 +++++++++++ - src/ap/wpa_auth.h | 3 ++- - src/ap/wpa_auth_ft.c | 10 ++++++++++ - src/ap/wpa_auth_i.h | 1 + - 5 files changed, 37 insertions(+), 4 deletions(-) - -diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c -index 4e04169..333035f 100644 ---- a/src/ap/ieee802_11.c -+++ b/src/ap/ieee802_11.c -@@ -1841,6 +1841,7 @@ static int add_associated_sta(struct hostapd_data *hapd, - { - struct ieee80211_ht_capabilities ht_cap; - struct ieee80211_vht_capabilities vht_cap; -+ int set = 1; - - /* - * Remove the STA entry to ensure the STA PS state gets cleared and -@@ -1848,9 +1849,18 @@ static int add_associated_sta(struct hostapd_data *hapd, - * FT-over-the-DS, where a station re-associates back to the same AP but - * skips the authentication flow, or if working with a driver that - * does not support full AP client state. -+ * -+ * Skip this if the STA has already completed FT reassociation and the -+ * TK has been configured since the TX/RX PN must not be reset to 0 for -+ * the same key. - */ -- if (!sta->added_unassoc) -+ if (!sta->added_unassoc && -+ (!(sta->flags & WLAN_STA_AUTHORIZED) || -+ !wpa_auth_sta_ft_tk_already_set(sta->wpa_sm))) { - hostapd_drv_sta_remove(hapd, sta->addr); -+ wpa_auth_sm_event(sta->wpa_sm, WPA_DRV_STA_REMOVED); -+ set = 0; -+ } - - #ifdef CONFIG_IEEE80211N - if (sta->flags & WLAN_STA_HT) -@@ -1873,11 +1883,11 @@ static int add_associated_sta(struct hostapd_data *hapd, - sta->flags & WLAN_STA_VHT ? &vht_cap : NULL, - sta->flags | WLAN_STA_ASSOC, sta->qosinfo, - sta->vht_opmode, sta->p2p_ie ? 1 : 0, -- sta->added_unassoc)) { -+ set)) { - hostapd_logger(hapd, sta->addr, - HOSTAPD_MODULE_IEEE80211, HOSTAPD_LEVEL_NOTICE, - "Could not %s STA to kernel driver", -- sta->added_unassoc ? "set" : "add"); -+ set ? "set" : "add"); - - if (sta->added_unassoc) { - hostapd_drv_sta_remove(hapd, sta->addr); -diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c -index 3587086..707971d 100644 ---- a/src/ap/wpa_auth.c -+++ b/src/ap/wpa_auth.c -@@ -1745,6 +1745,9 @@ int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event) - #else /* CONFIG_IEEE80211R */ - break; - #endif /* CONFIG_IEEE80211R */ -+ case WPA_DRV_STA_REMOVED: -+ sm->tk_already_set = FALSE; -+ return 0; - } - - #ifdef CONFIG_IEEE80211R -@@ -3250,6 +3253,14 @@ int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm) - } - - -+int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm) -+{ -+ if (!sm || !wpa_key_mgmt_ft(sm->wpa_key_mgmt)) -+ return 0; -+ return sm->tk_already_set; -+} -+ -+ - int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm, - struct rsn_pmksa_cache_entry *entry) - { -diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h -index 0de8d97..97461b0 100644 ---- a/src/ap/wpa_auth.h -+++ b/src/ap/wpa_auth.h -@@ -267,7 +267,7 @@ void wpa_receive(struct wpa_authenticator *wpa_auth, - u8 *data, size_t data_len); - enum wpa_event { - WPA_AUTH, WPA_ASSOC, WPA_DISASSOC, WPA_DEAUTH, WPA_REAUTH, -- WPA_REAUTH_EAPOL, WPA_ASSOC_FT -+ WPA_REAUTH_EAPOL, WPA_ASSOC_FT, WPA_DRV_STA_REMOVED - }; - void wpa_remove_ptk(struct wpa_state_machine *sm); - int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event); -@@ -280,6 +280,7 @@ int wpa_auth_pairwise_set(struct wpa_state_machine *sm); - int wpa_auth_get_pairwise(struct wpa_state_machine *sm); - int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm); - int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm); -+int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm); - int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm, - struct rsn_pmksa_cache_entry *entry); - struct rsn_pmksa_cache_entry * -diff --git a/src/ap/wpa_auth_ft.c b/src/ap/wpa_auth_ft.c -index 42242a5..e63b99a 100644 ---- a/src/ap/wpa_auth_ft.c -+++ b/src/ap/wpa_auth_ft.c -@@ -780,6 +780,14 @@ void wpa_ft_install_ptk(struct wpa_state_machine *sm) - return; - } - -+ if (sm->tk_already_set) { -+ /* Must avoid TK reconfiguration to prevent clearing of TX/RX -+ * PN in the driver */ -+ wpa_printf(MSG_DEBUG, -+ "FT: Do not re-install same PTK to the driver"); -+ return; -+ } -+ - /* FIX: add STA entry to kernel/driver here? The set_key will fail - * most likely without this.. At the moment, STA entry is added only - * after association has been completed. This function will be called -@@ -792,6 +800,7 @@ void wpa_ft_install_ptk(struct wpa_state_machine *sm) - - /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */ - sm->pairwise_set = TRUE; -+ sm->tk_already_set = TRUE; - } - - -@@ -898,6 +907,7 @@ static int wpa_ft_process_auth_req(struct wpa_state_machine *sm, - - sm->pairwise = pairwise; - sm->PTK_valid = TRUE; -+ sm->tk_already_set = FALSE; - wpa_ft_install_ptk(sm); - - buflen = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) + -diff --git a/src/ap/wpa_auth_i.h b/src/ap/wpa_auth_i.h -index 72b7eb3..7fd8f05 100644 ---- a/src/ap/wpa_auth_i.h -+++ b/src/ap/wpa_auth_i.h -@@ -65,6 +65,7 @@ struct wpa_state_machine { - struct wpa_ptk PTK; - Boolean PTK_valid; - Boolean pairwise_set; -+ Boolean tk_already_set; - int keycount; - Boolean Pair; - struct wpa_key_replay_counter { --- -2.7.4 - diff --git a/rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch b/rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch deleted file mode 100644 index b199b0f..0000000 --- a/rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch +++ /dev/null @@ -1,250 +0,0 @@ -From 927f891007c402fefd1ff384645b3f07597c3ede Mon Sep 17 00:00:00 2001 -From: Mathy Vanhoef -Date: Wed, 12 Jul 2017 16:03:24 +0200 -Subject: [PATCH 2/8] Prevent reinstallation of an already in-use group key - -Track the current GTK and IGTK that is in use and when receiving a -(possibly retransmitted) Group Message 1 or WNM-Sleep Mode Response, do -not install the given key if it is already in use. This prevents an -attacker from trying to trick the client into resetting or lowering the -sequence counter associated to the group key. - -Signed-off-by: Mathy Vanhoef ---- - src/common/wpa_common.h | 11 +++++ - src/rsn_supp/wpa.c | 116 ++++++++++++++++++++++++++++++------------------ - src/rsn_supp/wpa_i.h | 4 ++ - 3 files changed, 87 insertions(+), 44 deletions(-) - -diff --git a/src/common/wpa_common.h b/src/common/wpa_common.h -index af1d0f0..d200285 100644 ---- a/src/common/wpa_common.h -+++ b/src/common/wpa_common.h -@@ -217,6 +217,17 @@ struct wpa_ptk { - size_t tk_len; - }; - -+struct wpa_gtk { -+ u8 gtk[WPA_GTK_MAX_LEN]; -+ size_t gtk_len; -+}; -+ -+#ifdef CONFIG_IEEE80211W -+struct wpa_igtk { -+ u8 igtk[WPA_IGTK_MAX_LEN]; -+ size_t igtk_len; -+}; -+#endif /* CONFIG_IEEE80211W */ - - /* WPA IE version 1 - * 00-50-f2:1 (OUI:OUI type) -diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c -index 3c47879..95bd7be 100644 ---- a/src/rsn_supp/wpa.c -+++ b/src/rsn_supp/wpa.c -@@ -714,6 +714,15 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm, - const u8 *_gtk = gd->gtk; - u8 gtk_buf[32]; - -+ /* Detect possible key reinstallation */ -+ if (sm->gtk.gtk_len == (size_t) gd->gtk_len && -+ os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) { -+ wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, -+ "WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)", -+ gd->keyidx, gd->tx, gd->gtk_len); -+ return 0; -+ } -+ - wpa_hexdump_key(MSG_DEBUG, "WPA: Group Key", gd->gtk, gd->gtk_len); - wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, - "WPA: Installing GTK to the driver (keyidx=%d tx=%d len=%d)", -@@ -748,6 +757,9 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm, - } - os_memset(gtk_buf, 0, sizeof(gtk_buf)); - -+ sm->gtk.gtk_len = gd->gtk_len; -+ os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len); -+ - return 0; - } - -@@ -854,6 +866,48 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm, - } - - -+#ifdef CONFIG_IEEE80211W -+static int wpa_supplicant_install_igtk(struct wpa_sm *sm, -+ const struct wpa_igtk_kde *igtk) -+{ -+ size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher); -+ u16 keyidx = WPA_GET_LE16(igtk->keyid); -+ -+ /* Detect possible key reinstallation */ -+ if (sm->igtk.igtk_len == len && -+ os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) { -+ wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, -+ "WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)", -+ keyidx); -+ return 0; -+ } -+ -+ wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, -+ "WPA: IGTK keyid %d pn %02x%02x%02x%02x%02x%02x", -+ keyidx, MAC2STR(igtk->pn)); -+ wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK", igtk->igtk, len); -+ if (keyidx > 4095) { -+ wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, -+ "WPA: Invalid IGTK KeyID %d", keyidx); -+ return -1; -+ } -+ if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher), -+ broadcast_ether_addr, -+ keyidx, 0, igtk->pn, sizeof(igtk->pn), -+ igtk->igtk, len) < 0) { -+ wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, -+ "WPA: Failed to configure IGTK to the driver"); -+ return -1; -+ } -+ -+ sm->igtk.igtk_len = len; -+ os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len); -+ -+ return 0; -+} -+#endif /* CONFIG_IEEE80211W */ -+ -+ - static int ieee80211w_set_keys(struct wpa_sm *sm, - struct wpa_eapol_ie_parse *ie) - { -@@ -864,30 +918,14 @@ static int ieee80211w_set_keys(struct wpa_sm *sm, - if (ie->igtk) { - size_t len; - const struct wpa_igtk_kde *igtk; -- u16 keyidx; -+ - len = wpa_cipher_key_len(sm->mgmt_group_cipher); - if (ie->igtk_len != WPA_IGTK_KDE_PREFIX_LEN + len) - return -1; -+ - igtk = (const struct wpa_igtk_kde *) ie->igtk; -- keyidx = WPA_GET_LE16(igtk->keyid); -- wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: IGTK keyid %d " -- "pn %02x%02x%02x%02x%02x%02x", -- keyidx, MAC2STR(igtk->pn)); -- wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK", -- igtk->igtk, len); -- if (keyidx > 4095) { -- wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, -- "WPA: Invalid IGTK KeyID %d", keyidx); -- return -1; -- } -- if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher), -- broadcast_ether_addr, -- keyidx, 0, igtk->pn, sizeof(igtk->pn), -- igtk->igtk, len) < 0) { -- wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, -- "WPA: Failed to configure IGTK to the driver"); -+ if (wpa_supplicant_install_igtk(sm, igtk) < 0) - return -1; -- } - } - - return 0; -@@ -2307,7 +2345,7 @@ void wpa_sm_deinit(struct wpa_sm *sm) - */ - void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid) - { -- int clear_ptk = 1; -+ int clear_keys = 1; - - if (sm == NULL) - return; -@@ -2333,11 +2371,11 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid) - /* Prepare for the next transition */ - wpa_ft_prepare_auth_request(sm, NULL); - -- clear_ptk = 0; -+ clear_keys = 0; - } - #endif /* CONFIG_IEEE80211R */ - -- if (clear_ptk) { -+ if (clear_keys) { - /* - * IEEE 802.11, 8.4.10: Delete PTK SA on (re)association if - * this is not part of a Fast BSS Transition. -@@ -2347,6 +2385,10 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid) - os_memset(&sm->ptk, 0, sizeof(sm->ptk)); - sm->tptk_set = 0; - os_memset(&sm->tptk, 0, sizeof(sm->tptk)); -+ os_memset(&sm->gtk, 0, sizeof(sm->gtk)); -+#ifdef CONFIG_IEEE80211W -+ os_memset(&sm->igtk, 0, sizeof(sm->igtk)); -+#endif /* CONFIG_IEEE80211W */ - } - - #ifdef CONFIG_TDLS -@@ -2877,6 +2919,10 @@ void wpa_sm_drop_sa(struct wpa_sm *sm) - os_memset(sm->pmk, 0, sizeof(sm->pmk)); - os_memset(&sm->ptk, 0, sizeof(sm->ptk)); - os_memset(&sm->tptk, 0, sizeof(sm->tptk)); -+ os_memset(&sm->gtk, 0, sizeof(sm->gtk)); -+#ifdef CONFIG_IEEE80211W -+ os_memset(&sm->igtk, 0, sizeof(sm->igtk)); -+#endif /* CONFIG_IEEE80211W */ - #ifdef CONFIG_IEEE80211R - os_memset(sm->xxkey, 0, sizeof(sm->xxkey)); - os_memset(sm->pmk_r0, 0, sizeof(sm->pmk_r0)); -@@ -2949,29 +2995,11 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf) - os_memset(&gd, 0, sizeof(gd)); - #ifdef CONFIG_IEEE80211W - } else if (subelem_id == WNM_SLEEP_SUBELEM_IGTK) { -- struct wpa_igtk_kde igd; -- u16 keyidx; -- -- os_memset(&igd, 0, sizeof(igd)); -- keylen = wpa_cipher_key_len(sm->mgmt_group_cipher); -- os_memcpy(igd.keyid, buf + 2, 2); -- os_memcpy(igd.pn, buf + 4, 6); -- -- keyidx = WPA_GET_LE16(igd.keyid); -- os_memcpy(igd.igtk, buf + 10, keylen); -- -- wpa_hexdump_key(MSG_DEBUG, "Install IGTK (WNM SLEEP)", -- igd.igtk, keylen); -- if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher), -- broadcast_ether_addr, -- keyidx, 0, igd.pn, sizeof(igd.pn), -- igd.igtk, keylen) < 0) { -- wpa_printf(MSG_DEBUG, "Failed to install the IGTK in " -- "WNM mode"); -- os_memset(&igd, 0, sizeof(igd)); -+ const struct wpa_igtk_kde *igtk; -+ -+ igtk = (const struct wpa_igtk_kde *) (buf + 2); -+ if (wpa_supplicant_install_igtk(sm, igtk) < 0) - return -1; -- } -- os_memset(&igd, 0, sizeof(igd)); - #endif /* CONFIG_IEEE80211W */ - } else { - wpa_printf(MSG_DEBUG, "Unknown element id"); -diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h -index f653ba6..afc9e37 100644 ---- a/src/rsn_supp/wpa_i.h -+++ b/src/rsn_supp/wpa_i.h -@@ -31,6 +31,10 @@ struct wpa_sm { - u8 rx_replay_counter[WPA_REPLAY_COUNTER_LEN]; - int rx_replay_counter_set; - u8 request_counter[WPA_REPLAY_COUNTER_LEN]; -+ struct wpa_gtk gtk; -+#ifdef CONFIG_IEEE80211W -+ struct wpa_igtk igtk; -+#endif /* CONFIG_IEEE80211W */ - - struct eapol_sm *eapol; /* EAPOL state machine from upper level code */ - --- -2.7.4 - diff --git a/rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch b/rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch deleted file mode 100644 index d178def..0000000 --- a/rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch +++ /dev/null @@ -1,184 +0,0 @@ -From 8280294e74846ea342389a0cd17215050fa5afe8 Mon Sep 17 00:00:00 2001 -From: Jouni Malinen -Date: Sun, 1 Oct 2017 12:12:24 +0300 -Subject: [PATCH 3/8] Extend protection of GTK/IGTK reinstallation of WNM-Sleep - Mode cases - -This extends the protection to track last configured GTK/IGTK value -separately from EAPOL-Key frames and WNM-Sleep Mode frames to cover a -corner case where these two different mechanisms may get used when the -GTK/IGTK has changed and tracking a single value is not sufficient to -detect a possible key reconfiguration. - -Signed-off-by: Jouni Malinen ---- - src/rsn_supp/wpa.c | 53 +++++++++++++++++++++++++++++++++++++--------------- - src/rsn_supp/wpa_i.h | 2 ++ - 2 files changed, 40 insertions(+), 15 deletions(-) - -diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c -index 95bd7be..7a2c68d 100644 ---- a/src/rsn_supp/wpa.c -+++ b/src/rsn_supp/wpa.c -@@ -709,14 +709,17 @@ struct wpa_gtk_data { - - static int wpa_supplicant_install_gtk(struct wpa_sm *sm, - const struct wpa_gtk_data *gd, -- const u8 *key_rsc) -+ const u8 *key_rsc, int wnm_sleep) - { - const u8 *_gtk = gd->gtk; - u8 gtk_buf[32]; - - /* Detect possible key reinstallation */ -- if (sm->gtk.gtk_len == (size_t) gd->gtk_len && -- os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) { -+ if ((sm->gtk.gtk_len == (size_t) gd->gtk_len && -+ os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) || -+ (sm->gtk_wnm_sleep.gtk_len == (size_t) gd->gtk_len && -+ os_memcmp(sm->gtk_wnm_sleep.gtk, gd->gtk, -+ sm->gtk_wnm_sleep.gtk_len) == 0)) { - wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, - "WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)", - gd->keyidx, gd->tx, gd->gtk_len); -@@ -757,8 +760,14 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm, - } - os_memset(gtk_buf, 0, sizeof(gtk_buf)); - -- sm->gtk.gtk_len = gd->gtk_len; -- os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len); -+ if (wnm_sleep) { -+ sm->gtk_wnm_sleep.gtk_len = gd->gtk_len; -+ os_memcpy(sm->gtk_wnm_sleep.gtk, gd->gtk, -+ sm->gtk_wnm_sleep.gtk_len); -+ } else { -+ sm->gtk.gtk_len = gd->gtk_len; -+ os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len); -+ } - - return 0; - } -@@ -852,7 +861,7 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm, - (wpa_supplicant_check_group_cipher(sm, sm->group_cipher, - gtk_len, gtk_len, - &gd.key_rsc_len, &gd.alg) || -- wpa_supplicant_install_gtk(sm, &gd, key_rsc))) { -+ wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0))) { - wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, - "RSN: Failed to install GTK"); - os_memset(&gd, 0, sizeof(gd)); -@@ -868,14 +877,18 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm, - - #ifdef CONFIG_IEEE80211W - static int wpa_supplicant_install_igtk(struct wpa_sm *sm, -- const struct wpa_igtk_kde *igtk) -+ const struct wpa_igtk_kde *igtk, -+ int wnm_sleep) - { - size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher); - u16 keyidx = WPA_GET_LE16(igtk->keyid); - - /* Detect possible key reinstallation */ -- if (sm->igtk.igtk_len == len && -- os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) { -+ if ((sm->igtk.igtk_len == len && -+ os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) || -+ (sm->igtk_wnm_sleep.igtk_len == len && -+ os_memcmp(sm->igtk_wnm_sleep.igtk, igtk->igtk, -+ sm->igtk_wnm_sleep.igtk_len) == 0)) { - wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, - "WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)", - keyidx); -@@ -900,8 +913,14 @@ static int wpa_supplicant_install_igtk(struct wpa_sm *sm, - return -1; - } - -- sm->igtk.igtk_len = len; -- os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len); -+ if (wnm_sleep) { -+ sm->igtk_wnm_sleep.igtk_len = len; -+ os_memcpy(sm->igtk_wnm_sleep.igtk, igtk->igtk, -+ sm->igtk_wnm_sleep.igtk_len); -+ } else { -+ sm->igtk.igtk_len = len; -+ os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len); -+ } - - return 0; - } -@@ -924,7 +943,7 @@ static int ieee80211w_set_keys(struct wpa_sm *sm, - return -1; - - igtk = (const struct wpa_igtk_kde *) ie->igtk; -- if (wpa_supplicant_install_igtk(sm, igtk) < 0) -+ if (wpa_supplicant_install_igtk(sm, igtk, 0) < 0) - return -1; - } - -@@ -1574,7 +1593,7 @@ static void wpa_supplicant_process_1_of_2(struct wpa_sm *sm, - if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc)) - key_rsc = null_rsc; - -- if (wpa_supplicant_install_gtk(sm, &gd, key_rsc) || -+ if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0) || - wpa_supplicant_send_2_of_2(sm, key, ver, key_info) < 0) - goto failed; - os_memset(&gd, 0, sizeof(gd)); -@@ -2386,8 +2405,10 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid) - sm->tptk_set = 0; - os_memset(&sm->tptk, 0, sizeof(sm->tptk)); - os_memset(&sm->gtk, 0, sizeof(sm->gtk)); -+ os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep)); - #ifdef CONFIG_IEEE80211W - os_memset(&sm->igtk, 0, sizeof(sm->igtk)); -+ os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep)); - #endif /* CONFIG_IEEE80211W */ - } - -@@ -2920,8 +2941,10 @@ void wpa_sm_drop_sa(struct wpa_sm *sm) - os_memset(&sm->ptk, 0, sizeof(sm->ptk)); - os_memset(&sm->tptk, 0, sizeof(sm->tptk)); - os_memset(&sm->gtk, 0, sizeof(sm->gtk)); -+ os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep)); - #ifdef CONFIG_IEEE80211W - os_memset(&sm->igtk, 0, sizeof(sm->igtk)); -+ os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep)); - #endif /* CONFIG_IEEE80211W */ - #ifdef CONFIG_IEEE80211R - os_memset(sm->xxkey, 0, sizeof(sm->xxkey)); -@@ -2986,7 +3009,7 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf) - - wpa_hexdump_key(MSG_DEBUG, "Install GTK (WNM SLEEP)", - gd.gtk, gd.gtk_len); -- if (wpa_supplicant_install_gtk(sm, &gd, key_rsc)) { -+ if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 1)) { - os_memset(&gd, 0, sizeof(gd)); - wpa_printf(MSG_DEBUG, "Failed to install the GTK in " - "WNM mode"); -@@ -2998,7 +3021,7 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf) - const struct wpa_igtk_kde *igtk; - - igtk = (const struct wpa_igtk_kde *) (buf + 2); -- if (wpa_supplicant_install_igtk(sm, igtk) < 0) -+ if (wpa_supplicant_install_igtk(sm, igtk, 1) < 0) - return -1; - #endif /* CONFIG_IEEE80211W */ - } else { -diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h -index afc9e37..9a54631 100644 ---- a/src/rsn_supp/wpa_i.h -+++ b/src/rsn_supp/wpa_i.h -@@ -32,8 +32,10 @@ struct wpa_sm { - int rx_replay_counter_set; - u8 request_counter[WPA_REPLAY_COUNTER_LEN]; - struct wpa_gtk gtk; -+ struct wpa_gtk gtk_wnm_sleep; - #ifdef CONFIG_IEEE80211W - struct wpa_igtk igtk; -+ struct wpa_igtk igtk_wnm_sleep; - #endif /* CONFIG_IEEE80211W */ - - struct eapol_sm *eapol; /* EAPOL state machine from upper level code */ --- -2.7.4 - diff --git a/rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch b/rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch deleted file mode 100644 index ff93092..0000000 --- a/rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch +++ /dev/null @@ -1,79 +0,0 @@ -From 8f82bc94e8697a9d47fa8774dfdaaede1084912c Mon Sep 17 00:00:00 2001 -From: Mathy Vanhoef -Date: Fri, 29 Sep 2017 04:22:51 +0200 -Subject: [PATCH 4/8] Prevent installation of an all-zero TK - -Properly track whether a PTK has already been installed to the driver -and the TK part cleared from memory. This prevents an attacker from -trying to trick the client into installing an all-zero TK. - -This fixes the earlier fix in commit -ad00d64e7d8827b3cebd665a0ceb08adabf15e1e ('Fix TK configuration to the -driver in EAPOL-Key 3/4 retry case') which did not take into account -possibility of an extra message 1/4 showing up between retries of -message 3/4. - -Signed-off-by: Mathy Vanhoef ---- - src/common/wpa_common.h | 1 + - src/rsn_supp/wpa.c | 5 ++--- - src/rsn_supp/wpa_i.h | 1 - - 3 files changed, 3 insertions(+), 4 deletions(-) - -diff --git a/src/common/wpa_common.h b/src/common/wpa_common.h -index d200285..1021ccb 100644 ---- a/src/common/wpa_common.h -+++ b/src/common/wpa_common.h -@@ -215,6 +215,7 @@ struct wpa_ptk { - size_t kck_len; - size_t kek_len; - size_t tk_len; -+ int installed; /* 1 if key has already been installed to driver */ - }; - - struct wpa_gtk { -diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c -index 7a2c68d..0550a41 100644 ---- a/src/rsn_supp/wpa.c -+++ b/src/rsn_supp/wpa.c -@@ -510,7 +510,6 @@ static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm, - os_memset(buf, 0, sizeof(buf)); - } - sm->tptk_set = 1; -- sm->tk_to_set = 1; - - kde = sm->assoc_wpa_ie; - kde_len = sm->assoc_wpa_ie_len; -@@ -615,7 +614,7 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm, - enum wpa_alg alg; - const u8 *key_rsc; - -- if (!sm->tk_to_set) { -+ if (sm->ptk.installed) { - wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, - "WPA: Do not re-install same PTK to the driver"); - return 0; -@@ -659,7 +658,7 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm, - - /* TK is not needed anymore in supplicant */ - os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN); -- sm->tk_to_set = 0; -+ sm->ptk.installed = 1; - - if (sm->wpa_ptk_rekey) { - eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL); -diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h -index 9a54631..41f371f 100644 ---- a/src/rsn_supp/wpa_i.h -+++ b/src/rsn_supp/wpa_i.h -@@ -24,7 +24,6 @@ struct wpa_sm { - struct wpa_ptk ptk, tptk; - int ptk_set, tptk_set; - unsigned int msg_3_of_4_ok:1; -- unsigned int tk_to_set:1; - u8 snonce[WPA_NONCE_LEN]; - u8 anonce[WPA_NONCE_LEN]; /* ANonce from the last 1/4 msg */ - int renew_snonce; --- -2.7.4 - diff --git a/rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch b/rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch deleted file mode 100644 index ceda28b..0000000 --- a/rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch +++ /dev/null @@ -1,64 +0,0 @@ -From 12fac09b437a1dc8a0f253e265934a8aaf4d2f8b Mon Sep 17 00:00:00 2001 -From: Jouni Malinen -Date: Sun, 1 Oct 2017 12:32:57 +0300 -Subject: [PATCH 5/8] Fix PTK rekeying to generate a new ANonce - -The Authenticator state machine path for PTK rekeying ended up bypassing -the AUTHENTICATION2 state where a new ANonce is generated when going -directly to the PTKSTART state since there is no need to try to -determine the PMK again in such a case. This is far from ideal since the -new PTK would depend on a new nonce only from the supplicant. - -Fix this by generating a new ANonce when moving to the PTKSTART state -for the purpose of starting new 4-way handshake to rekey PTK. - -Signed-off-by: Jouni Malinen ---- - src/ap/wpa_auth.c | 24 +++++++++++++++++++++--- - 1 file changed, 21 insertions(+), 3 deletions(-) - -diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c -index 707971d..bf10cc1 100644 ---- a/src/ap/wpa_auth.c -+++ b/src/ap/wpa_auth.c -@@ -1901,6 +1901,21 @@ SM_STATE(WPA_PTK, AUTHENTICATION2) - } - - -+static int wpa_auth_sm_ptk_update(struct wpa_state_machine *sm) -+{ -+ if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) { -+ wpa_printf(MSG_ERROR, -+ "WPA: Failed to get random data for ANonce"); -+ sm->Disconnect = TRUE; -+ return -1; -+ } -+ wpa_hexdump(MSG_DEBUG, "WPA: Assign new ANonce", sm->ANonce, -+ WPA_NONCE_LEN); -+ sm->TimeoutCtr = 0; -+ return 0; -+} -+ -+ - SM_STATE(WPA_PTK, INITPMK) - { - u8 msk[2 * PMK_LEN]; -@@ -2458,9 +2473,12 @@ SM_STEP(WPA_PTK) - SM_ENTER(WPA_PTK, AUTHENTICATION); - else if (sm->ReAuthenticationRequest) - SM_ENTER(WPA_PTK, AUTHENTICATION2); -- else if (sm->PTKRequest) -- SM_ENTER(WPA_PTK, PTKSTART); -- else switch (sm->wpa_ptk_state) { -+ else if (sm->PTKRequest) { -+ if (wpa_auth_sm_ptk_update(sm) < 0) -+ SM_ENTER(WPA_PTK, DISCONNECTED); -+ else -+ SM_ENTER(WPA_PTK, PTKSTART); -+ } else switch (sm->wpa_ptk_state) { - case WPA_PTK_INITIALIZE: - break; - case WPA_PTK_DISCONNECT: --- -2.7.4 - diff --git a/rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch b/rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch deleted file mode 100644 index 74066dd..0000000 --- a/rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch +++ /dev/null @@ -1,132 +0,0 @@ -From 6c4bed4f47d1960ec04981a9d50e5076aea5223d Mon Sep 17 00:00:00 2001 -From: Jouni Malinen -Date: Fri, 22 Sep 2017 11:03:15 +0300 -Subject: [PATCH 6/8] TDLS: Reject TPK-TK reconfiguration - -Do not try to reconfigure the same TPK-TK to the driver after it has -been successfully configured. This is an explicit check to avoid issues -related to resetting the TX/RX packet number. There was already a check -for this for TPK M2 (retries of that message are ignored completely), so -that behavior does not get modified. - -For TPK M3, the TPK-TK could have been reconfigured, but that was -followed by immediate teardown of the link due to an issue in updating -the STA entry. Furthermore, for TDLS with any real security (i.e., -ignoring open/WEP), the TPK message exchange is protected on the AP path -and simple replay attacks are not feasible. - -As an additional corner case, make sure the local nonce gets updated if -the peer uses a very unlikely "random nonce" of all zeros. - -Signed-off-by: Jouni Malinen ---- - src/rsn_supp/tdls.c | 38 ++++++++++++++++++++++++++++++++++++-- - 1 file changed, 36 insertions(+), 2 deletions(-) - -diff --git a/src/rsn_supp/tdls.c b/src/rsn_supp/tdls.c -index e424168..9eb9738 100644 ---- a/src/rsn_supp/tdls.c -+++ b/src/rsn_supp/tdls.c -@@ -112,6 +112,7 @@ struct wpa_tdls_peer { - u8 tk[16]; /* TPK-TK; assuming only CCMP will be used */ - } tpk; - int tpk_set; -+ int tk_set; /* TPK-TK configured to the driver */ - int tpk_success; - int tpk_in_progress; - -@@ -192,6 +193,20 @@ static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) - u8 rsc[6]; - enum wpa_alg alg; - -+ if (peer->tk_set) { -+ /* -+ * This same TPK-TK has already been configured to the driver -+ * and this new configuration attempt (likely due to an -+ * unexpected retransmitted frame) would result in clearing -+ * the TX/RX sequence number which can break security, so must -+ * not allow that to happen. -+ */ -+ wpa_printf(MSG_INFO, "TDLS: TPK-TK for the peer " MACSTR -+ " has already been configured to the driver - do not reconfigure", -+ MAC2STR(peer->addr)); -+ return -1; -+ } -+ - os_memset(rsc, 0, 6); - - switch (peer->cipher) { -@@ -209,12 +224,15 @@ static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer) - return -1; - } - -+ wpa_printf(MSG_DEBUG, "TDLS: Configure pairwise key for peer " MACSTR, -+ MAC2STR(peer->addr)); - if (wpa_sm_set_key(sm, alg, peer->addr, -1, 1, - rsc, sizeof(rsc), peer->tpk.tk, key_len) < 0) { - wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the " - "driver"); - return -1; - } -+ peer->tk_set = 1; - return 0; - } - -@@ -696,7 +714,7 @@ static void wpa_tdls_peer_clear(struct wpa_sm *sm, struct wpa_tdls_peer *peer) - peer->cipher = 0; - peer->qos_info = 0; - peer->wmm_capable = 0; -- peer->tpk_set = peer->tpk_success = 0; -+ peer->tk_set = peer->tpk_set = peer->tpk_success = 0; - peer->chan_switch_enabled = 0; - os_memset(&peer->tpk, 0, sizeof(peer->tpk)); - os_memset(peer->inonce, 0, WPA_NONCE_LEN); -@@ -1159,6 +1177,7 @@ skip_rsnie: - wpa_tdls_peer_free(sm, peer); - return -1; - } -+ peer->tk_set = 0; /* A new nonce results in a new TK */ - wpa_hexdump(MSG_DEBUG, "TDLS: Initiator Nonce for TPK handshake", - peer->inonce, WPA_NONCE_LEN); - os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN); -@@ -1751,6 +1770,19 @@ static int wpa_tdls_addset_peer(struct wpa_sm *sm, struct wpa_tdls_peer *peer, - } - - -+static int tdls_nonce_set(const u8 *nonce) -+{ -+ int i; -+ -+ for (i = 0; i < WPA_NONCE_LEN; i++) { -+ if (nonce[i]) -+ return 1; -+ } -+ -+ return 0; -+} -+ -+ - static int wpa_tdls_process_tpk_m1(struct wpa_sm *sm, const u8 *src_addr, - const u8 *buf, size_t len) - { -@@ -2004,7 +2036,8 @@ skip_rsn: - peer->rsnie_i_len = kde.rsn_ie_len; - peer->cipher = cipher; - -- if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) { -+ if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0 || -+ !tdls_nonce_set(peer->inonce)) { - /* - * There is no point in updating the RNonce for every obtained - * TPK M1 frame (e.g., retransmission due to timeout) with the -@@ -2020,6 +2053,7 @@ skip_rsn: - "TDLS: Failed to get random data for responder nonce"); - goto error; - } -+ peer->tk_set = 0; /* A new nonce results in a new TK */ - } - - #if 0 --- -2.7.4 - diff --git a/rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch b/rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch deleted file mode 100644 index 503dce9..0000000 --- a/rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch +++ /dev/null @@ -1,82 +0,0 @@ -From b372ab0b7daea719749194dc554b26e6367603f2 Mon Sep 17 00:00:00 2001 -From: Jouni Malinen -Date: Fri, 22 Sep 2017 12:06:37 +0300 -Subject: [PATCH 8/8] FT: Do not allow multiple Reassociation Response frames - -The driver is expected to not report a second association event without -the station having explicitly request a new association. As such, this -case should not be reachable. However, since reconfiguring the same -pairwise or group keys to the driver could result in nonce reuse issues, -be extra careful here and do an additional state check to avoid this -even if the local driver ends up somehow accepting an unexpected -Reassociation Response frame. - -Signed-off-by: Jouni Malinen ---- - src/rsn_supp/wpa.c | 3 +++ - src/rsn_supp/wpa_ft.c | 8 ++++++++ - src/rsn_supp/wpa_i.h | 1 + - 3 files changed, 12 insertions(+) - -diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c -index 0550a41..2a53c6f 100644 ---- a/src/rsn_supp/wpa.c -+++ b/src/rsn_supp/wpa.c -@@ -2440,6 +2440,9 @@ void wpa_sm_notify_disassoc(struct wpa_sm *sm) - #ifdef CONFIG_TDLS - wpa_tdls_disassoc(sm); - #endif /* CONFIG_TDLS */ -+#ifdef CONFIG_IEEE80211R -+ sm->ft_reassoc_completed = 0; -+#endif /* CONFIG_IEEE80211R */ - - /* Keys are not needed in the WPA state machine anymore */ - wpa_sm_drop_sa(sm); -diff --git a/src/rsn_supp/wpa_ft.c b/src/rsn_supp/wpa_ft.c -index 205793e..d45bb45 100644 ---- a/src/rsn_supp/wpa_ft.c -+++ b/src/rsn_supp/wpa_ft.c -@@ -153,6 +153,7 @@ static u8 * wpa_ft_gen_req_ies(struct wpa_sm *sm, size_t *len, - u16 capab; - - sm->ft_completed = 0; -+ sm->ft_reassoc_completed = 0; - - buf_len = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) + - 2 + sm->r0kh_id_len + ric_ies_len + 100; -@@ -681,6 +682,11 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies, - return -1; - } - -+ if (sm->ft_reassoc_completed) { -+ wpa_printf(MSG_DEBUG, "FT: Reassociation has already been completed for this FT protocol instance - ignore unexpected retransmission"); -+ return 0; -+ } -+ - if (wpa_ft_parse_ies(ies, ies_len, &parse) < 0) { - wpa_printf(MSG_DEBUG, "FT: Failed to parse IEs"); - return -1; -@@ -781,6 +787,8 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies, - return -1; - } - -+ sm->ft_reassoc_completed = 1; -+ - if (wpa_ft_process_gtk_subelem(sm, parse.gtk, parse.gtk_len) < 0) - return -1; - -diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h -index 41f371f..56f88dc 100644 ---- a/src/rsn_supp/wpa_i.h -+++ b/src/rsn_supp/wpa_i.h -@@ -128,6 +128,7 @@ struct wpa_sm { - size_t r0kh_id_len; - u8 r1kh_id[FT_R1KH_ID_LEN]; - int ft_completed; -+ int ft_reassoc_completed; - int over_the_ds_in_progress; - u8 target_ap[ETH_ALEN]; /* over-the-DS target AP */ - int set_ptk_after_assoc; --- -2.7.4 - From 1623467161eca9542e429ce644f481632991ddef69d600550ec0a5a05f565dd7 Mon Sep 17 00:00:00 2001 From: Karol Babioch Date: Mon, 17 Dec 2018 14:45:28 +0000 Subject: [PATCH 2/3] Accepting request 658888 from home:kbabioch:branches:Base:System - Applied spec-cleaner - Added bug reference - Use defconfig file as template for configuration instead of patching it during build. This is easier to maintain in the long run. - Enabled CLI editing and history support. [http://w1.fi/security/2017-1/] (CVE-2017-13082) (bsc#1056061) OBS-URL: https://build.opensuse.org/request/show/658888 OBS-URL: https://build.opensuse.org/package/show/Base:System/hostapd?expand=0&rev=46 --- config | 375 ++++++++++++++++++++++++++++++++++++ hostapd-2.7-defconfig.patch | 182 ----------------- hostapd.changes | 11 +- hostapd.spec | 13 +- 4 files changed, 390 insertions(+), 191 deletions(-) create mode 100644 config delete mode 100644 hostapd-2.7-defconfig.patch diff --git a/config b/config new file mode 100644 index 0000000..42c3410 --- /dev/null +++ b/config @@ -0,0 +1,375 @@ +# Example hostapd build time configuration +# +# This file lists the configuration options that are used when building the +# hostapd binary. All lines starting with # are ignored. Configuration option +# lines must be commented out complete, if they are not to be included, i.e., +# just setting VARIABLE=n is not disabling that variable. +# +# This file is included in Makefile, so variables like CFLAGS and LIBS can also +# be modified from here. In most cass, these lines should use += in order not +# to override previous values of the variables. + +# Driver interface for Host AP driver +CONFIG_DRIVER_HOSTAP=y + +# Driver interface for wired authenticator +#CONFIG_DRIVER_WIRED=y + +# Driver interface for drivers using the nl80211 kernel interface +CONFIG_DRIVER_NL80211=y + +# QCA vendor extensions to nl80211 +#CONFIG_DRIVER_NL80211_QCA=y + +# driver_nl80211.c requires libnl. If you are compiling it yourself +# you may need to point hostapd to your version of libnl. +# +#CFLAGS += -I$ +#LIBS += -L$ + +# Use libnl v2.0 (or 3.0) libraries. +#CONFIG_LIBNL20=y + +# Use libnl 3.2 libraries (if this is selected, CONFIG_LIBNL20 is ignored) +CONFIG_LIBNL32=y + + +# Driver interface for FreeBSD net80211 layer (e.g., Atheros driver) +#CONFIG_DRIVER_BSD=y +#CFLAGS += -I/usr/local/include +#LIBS += -L/usr/local/lib +#LIBS_p += -L/usr/local/lib +#LIBS_c += -L/usr/local/lib + +# Driver interface for no driver (e.g., RADIUS server only) +CONFIG_DRIVER_NONE=y + +# IEEE 802.11F/IAPP +CONFIG_IAPP=y + +# WPA2/IEEE 802.11i RSN pre-authentication +CONFIG_RSN_PREAUTH=y + +# IEEE 802.11w (management frame protection) +CONFIG_IEEE80211W=y + +# Integrated EAP server +CONFIG_EAP=y + +# EAP Re-authentication Protocol (ERP) in integrated EAP server +CONFIG_ERP=y + +# EAP-MD5 for the integrated EAP server +CONFIG_EAP_MD5=y + +# EAP-TLS for the integrated EAP server +CONFIG_EAP_TLS=y + +# EAP-MSCHAPv2 for the integrated EAP server +CONFIG_EAP_MSCHAPV2=y + +# EAP-PEAP for the integrated EAP server +CONFIG_EAP_PEAP=y + +# EAP-GTC for the integrated EAP server +CONFIG_EAP_GTC=y + +# EAP-TTLS for the integrated EAP server +CONFIG_EAP_TTLS=y + +# EAP-SIM for the integrated EAP server +CONFIG_EAP_SIM=y + +# EAP-AKA for the integrated EAP server +CONFIG_EAP_AKA=y + +# EAP-AKA' for the integrated EAP server +# This requires CONFIG_EAP_AKA to be enabled, too. +CONFIG_EAP_AKA_PRIME=y + +# EAP-PAX for the integrated EAP server +CONFIG_EAP_PAX=y + +# EAP-PSK for the integrated EAP server (this is _not_ needed for WPA-PSK) +CONFIG_EAP_PSK=y + +# EAP-pwd for the integrated EAP server (secure authentication with a password) +CONFIG_EAP_PWD=y + +# EAP-SAKE for the integrated EAP server +CONFIG_EAP_SAKE=y + +# EAP-GPSK for the integrated EAP server +CONFIG_EAP_GPSK=y +# Include support for optional SHA256 cipher suite in EAP-GPSK +CONFIG_EAP_GPSK_SHA256=y + +# EAP-FAST for the integrated EAP server +# Note: If OpenSSL is used as the TLS library, OpenSSL 1.0 or newer is needed +# for EAP-FAST support. Older OpenSSL releases would need to be patched, e.g., +# with openssl-0.9.8x-tls-extensions.patch, to add the needed functions. +#CONFIG_EAP_FAST=y + +# Wi-Fi Protected Setup (WPS) +CONFIG_WPS=y +# Enable UPnP support for external WPS Registrars +CONFIG_WPS_UPNP=y +# Enable WPS support with NFC config method +CONFIG_WPS_NFC=y + +# EAP-IKEv2 +CONFIG_EAP_IKEV2=y + +# Trusted Network Connect (EAP-TNC) +CONFIG_EAP_TNC=y + +# EAP-EKE for the integrated EAP server +CONFIG_EAP_EKE=y + +# PKCS#12 (PFX) support (used to read private key and certificate file from +# a file that usually has extension .p12 or .pfx) +CONFIG_PKCS12=y + +# RADIUS authentication server. This provides access to the integrated EAP +# server from external hosts using RADIUS. +#CONFIG_RADIUS_SERVER=y + +# Build IPv6 support for RADIUS operations +CONFIG_IPV6=y + +# IEEE Std 802.11r-2008 (Fast BSS Transition) +CONFIG_IEEE80211R=y + +# Use the hostapd's IEEE 802.11 authentication (ACL), but without +# the IEEE 802.11 Management capability (e.g., FreeBSD/net80211) +CONFIG_DRIVER_RADIUS_ACL=y + +# IEEE 802.11n (High Throughput) support +CONFIG_IEEE80211N=y + +# Wireless Network Management (IEEE Std 802.11v-2011) +# Note: This is experimental and not complete implementation. +CONFIG_WNM=y + +# IEEE 802.11ac (Very High Throughput) support +CONFIG_IEEE80211AC=y + +# IEEE 802.11ax HE support +# Note: This is experimental and work in progress. The definitions are still +# subject to change and this should not be expected to interoperate with the +# final IEEE 802.11ax version. +#CONFIG_IEEE80211AX=y + +# Remove debugging code that is printing out debug messages to stdout. +# This can be used to reduce the size of the hostapd considerably if debugging +# code is not needed. +#CONFIG_NO_STDOUT_DEBUG=y + +# Add support for writing debug log to a file: -f /tmp/hostapd.log +# Disabled by default. +#CONFIG_DEBUG_FILE=y + +# Send debug messages to syslog instead of stdout +#CONFIG_DEBUG_SYSLOG=y + +# Add support for sending all debug messages (regardless of debug verbosity) +# to the Linux kernel tracing facility. This helps debug the entire stack by +# making it easy to record everything happening from the driver up into the +# same file, e.g., using trace-cmd. +#CONFIG_DEBUG_LINUX_TRACING=y + +# Remove support for RADIUS accounting +#CONFIG_NO_ACCOUNTING=y + +# Remove support for RADIUS +#CONFIG_NO_RADIUS=y + +# Remove support for VLANs +#CONFIG_NO_VLAN=y + +# Enable support for fully dynamic VLANs. This enables hostapd to +# automatically create bridge and VLAN interfaces if necessary. +CONFIG_FULL_DYNAMIC_VLAN=y + +# Use netlink-based kernel API for VLAN operations instead of ioctl() +# Note: This requires libnl 3.1 or newer. +CONFIG_VLAN_NETLINK=y + +# Remove support for dumping internal state through control interface commands +# This can be used to reduce binary size at the cost of disabling a debugging +# option. +#CONFIG_NO_DUMP_STATE=y + +# Enable tracing code for developer debugging +# This tracks use of memory allocations and other registrations and reports +# incorrect use with a backtrace of call (or allocation) location. +#CONFIG_WPA_TRACE=y +# For BSD, comment out these. +#LIBS += -lexecinfo +#LIBS_p += -lexecinfo +#LIBS_c += -lexecinfo + +# Use libbfd to get more details for developer debugging +# This enables use of libbfd to get more detailed symbols for the backtraces +# generated by CONFIG_WPA_TRACE=y. +#CONFIG_WPA_TRACE_BFD=y +# For BSD, comment out these. +#LIBS += -lbfd -liberty -lz +#LIBS_p += -lbfd -liberty -lz +#LIBS_c += -lbfd -liberty -lz + +# hostapd depends on strong random number generation being available from the +# operating system. os_get_random() function is used to fetch random data when +# needed, e.g., for key generation. On Linux and BSD systems, this works by +# reading /dev/urandom. It should be noted that the OS entropy pool needs to be +# properly initialized before hostapd is started. This is important especially +# on embedded devices that do not have a hardware random number generator and +# may by default start up with minimal entropy available for random number +# generation. +# +# As a safety net, hostapd is by default trying to internally collect +# additional entropy for generating random data to mix in with the data +# fetched from the OS. This by itself is not considered to be very strong, but +# it may help in cases where the system pool is not initialized properly. +# However, it is very strongly recommended that the system pool is initialized +# with enough entropy either by using hardware assisted random number +# generator or by storing state over device reboots. +# +# hostapd can be configured to maintain its own entropy store over restarts to +# enhance random number generation. This is not perfect, but it is much more +# secure than using the same sequence of random numbers after every reboot. +# This can be enabled with -e command line option. The specified +# file needs to be readable and writable by hostapd. +# +# If the os_get_random() is known to provide strong random data (e.g., on +# Linux/BSD, the board in question is known to have reliable source of random +# data from /dev/urandom), the internal hostapd random pool can be disabled. +# This will save some in binary size and CPU use. However, this should only be +# considered for builds that are known to be used on devices that meet the +# requirements described above. +#CONFIG_NO_RANDOM_POOL=y + +# Should we use poll instead of select? Select is used by default. +#CONFIG_ELOOP_POLL=y + +# Should we use epoll instead of select? Select is used by default. +#CONFIG_ELOOP_EPOLL=y + +# Should we use kqueue instead of select? Select is used by default. +#CONFIG_ELOOP_KQUEUE=y + +# Select TLS implementation +# openssl = OpenSSL (default) +# gnutls = GnuTLS +# internal = Internal TLSv1 implementation (experimental) +# linux = Linux kernel AF_ALG and internal TLSv1 implementation (experimental) +# none = Empty template +CONFIG_TLS=openssl + +# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1) +# can be enabled to get a stronger construction of messages when block ciphers +# are used. +CONFIG_TLSV11=y + +# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2) +# can be enabled to enable use of stronger crypto algorithms. +CONFIG_TLSV12=y + +# Select which ciphers to use by default with OpenSSL if the user does not +# specify them. +#CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW" + +# If CONFIG_TLS=internal is used, additional library and include paths are +# needed for LibTomMath. Alternatively, an integrated, minimal version of +# LibTomMath can be used. See beginning of libtommath.c for details on benefits +# and drawbacks of this option. +#CONFIG_INTERNAL_LIBTOMMATH=y +#ifndef CONFIG_INTERNAL_LIBTOMMATH +#LTM_PATH=/usr/src/libtommath-0.39 +#CFLAGS += -I$(LTM_PATH) +#LIBS += -L$(LTM_PATH) +#LIBS_p += -L$(LTM_PATH) +#endif +# At the cost of about 4 kB of additional binary size, the internal LibTomMath +# can be configured to include faster routines for exptmod, sqr, and div to +# speed up DH and RSA calculation considerably +#CONFIG_INTERNAL_LIBTOMMATH_FAST=y + +# Interworking (IEEE 802.11u) +# This can be used to enable functionality to improve interworking with +# external networks. +CONFIG_INTERWORKING=y + +# Hotspot 2.0 +CONFIG_HS20=y + +# Enable SQLite database support in hlr_auc_gw, EAP-SIM DB, and eap_user_file +CONFIG_SQLITE=y + +# Enable Fast Session Transfer (FST) +CONFIG_FST=y + +# Enable CLI commands for FST testing +CONFIG_FST_TEST=y + +# Testing options +# This can be used to enable some testing options (see also the example +# configuration file) that are really useful only for testing clients that +# connect to this hostapd. These options allow, for example, to drop a +# certain percentage of probe requests or auth/(re)assoc frames. +# +#CONFIG_TESTING_OPTIONS=y + +# Automatic Channel Selection +# This will allow hostapd to pick the channel automatically when channel is set +# to "acs_survey" or "0". Eventually, other ACS algorithms can be added in +# similar way. +# +# Automatic selection is currently only done through initialization, later on +# we hope to do background checks to keep us moving to more ideal channels as +# time goes by. ACS is currently only supported through the nl80211 driver and +# your driver must have survey dump capability that is filled by the driver +# during scanning. +# +# You can customize the ACS survey algorithm with the hostapd.conf variable +# acs_num_scans. +# +# Supported ACS drivers: +# * ath9k +# * ath5k +# * ath10k +# +# For more details refer to: +# http://wireless.kernel.org/en/users/Documentation/acs +# +CONFIG_ACS=y + +# Multiband Operation support +# These extentions facilitate efficient use of multiple frequency bands +# available to the AP and the devices that may associate with it. +CONFIG_MBO=y + +# Client Taxonomy +# Has the AP retain the Probe Request and (Re)Association Request frames from +# a client, from which a signature can be produced which can identify the model +# of client device like "Nexus 6P" or "iPhone 5s". +#CONFIG_TAXONOMY=y + +# Fast Initial Link Setup (FILS) (IEEE 802.11ai) +# Note: This is an experimental and not yet complete implementation. This +# should not be enabled for production use. +#CONFIG_FILS=y +# FILS shared key authentication with PFS +#CONFIG_FILS_SK_PFS=y + +# Include internal line edit mode in hostapd_cli. This can be used to provide +# limited command line editing and history support. +CONFIG_WPA_CLI_EDIT=y + +# Opportunistic Wireless Encryption (OWE) +# Experimental implementation of draft-harkins-owe-07.txt +#CONFIG_OWE=y + +# Override default value for the wpa_disable_eapol_key_retries configuration +# parameter. See that parameter in hostapd.conf for more details. +#CFLAGS += -DDEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES=1 diff --git a/hostapd-2.7-defconfig.patch b/hostapd-2.7-defconfig.patch deleted file mode 100644 index d9aeaac..0000000 --- a/hostapd-2.7-defconfig.patch +++ /dev/null @@ -1,182 +0,0 @@ -diff --git a/hostapd/defconfig b/hostapd/defconfig -index 77a894d..8ccb8cb 100644 ---- a/hostapd/defconfig -+++ b/hostapd/defconfig -@@ -42,7 +42,7 @@ CONFIG_LIBNL32=y - #LIBS_c += -L/usr/local/lib - - # Driver interface for no driver (e.g., RADIUS server only) --#CONFIG_DRIVER_NONE=y -+CONFIG_DRIVER_NONE=y - - # IEEE 802.11F/IAPP - CONFIG_IAPP=y -@@ -78,31 +78,31 @@ CONFIG_EAP_GTC=y - CONFIG_EAP_TTLS=y - - # EAP-SIM for the integrated EAP server --#CONFIG_EAP_SIM=y -+CONFIG_EAP_SIM=y - - # EAP-AKA for the integrated EAP server --#CONFIG_EAP_AKA=y -+CONFIG_EAP_AKA=y - - # EAP-AKA' for the integrated EAP server - # This requires CONFIG_EAP_AKA to be enabled, too. --#CONFIG_EAP_AKA_PRIME=y -+CONFIG_EAP_AKA_PRIME=y - - # EAP-PAX for the integrated EAP server --#CONFIG_EAP_PAX=y -+CONFIG_EAP_PAX=y - - # EAP-PSK for the integrated EAP server (this is _not_ needed for WPA-PSK) --#CONFIG_EAP_PSK=y -+CONFIG_EAP_PSK=y - - # EAP-pwd for the integrated EAP server (secure authentication with a password) --#CONFIG_EAP_PWD=y -+CONFIG_EAP_PWD=y - - # EAP-SAKE for the integrated EAP server --#CONFIG_EAP_SAKE=y -+CONFIG_EAP_SAKE=y - - # EAP-GPSK for the integrated EAP server --#CONFIG_EAP_GPSK=y -+CONFIG_EAP_GPSK=y - # Include support for optional SHA256 cipher suite in EAP-GPSK --#CONFIG_EAP_GPSK_SHA256=y -+CONFIG_EAP_GPSK_SHA256=y - - # EAP-FAST for the integrated EAP server - # Note: If OpenSSL is used as the TLS library, OpenSSL 1.0 or newer is needed -@@ -111,20 +111,20 @@ CONFIG_EAP_TTLS=y - #CONFIG_EAP_FAST=y - - # Wi-Fi Protected Setup (WPS) --#CONFIG_WPS=y -+CONFIG_WPS=y - # Enable UPnP support for external WPS Registrars --#CONFIG_WPS_UPNP=y -+CONFIG_WPS_UPNP=y - # Enable WPS support with NFC config method --#CONFIG_WPS_NFC=y -+CONFIG_WPS_NFC=y - - # EAP-IKEv2 --#CONFIG_EAP_IKEV2=y -+CONFIG_EAP_IKEV2=y - - # Trusted Network Connect (EAP-TNC) --#CONFIG_EAP_TNC=y -+CONFIG_EAP_TNC=y - - # EAP-EKE for the integrated EAP server --#CONFIG_EAP_EKE=y -+CONFIG_EAP_EKE=y - - # PKCS#12 (PFX) support (used to read private key and certificate file from - # a file that usually has extension .p12 or .pfx) -@@ -138,21 +138,21 @@ CONFIG_PKCS12=y - CONFIG_IPV6=y - - # IEEE Std 802.11r-2008 (Fast BSS Transition) --#CONFIG_IEEE80211R=y -+CONFIG_IEEE80211R=y - - # Use the hostapd's IEEE 802.11 authentication (ACL), but without - # the IEEE 802.11 Management capability (e.g., FreeBSD/net80211) --#CONFIG_DRIVER_RADIUS_ACL=y -+CONFIG_DRIVER_RADIUS_ACL=y - - # IEEE 802.11n (High Throughput) support --#CONFIG_IEEE80211N=y -+CONFIG_IEEE80211N=y - - # Wireless Network Management (IEEE Std 802.11v-2011) - # Note: This is experimental and not complete implementation. --#CONFIG_WNM=y -+CONFIG_WNM=y - - # IEEE 802.11ac (Very High Throughput) support --#CONFIG_IEEE80211AC=y -+CONFIG_IEEE80211AC=y - - # IEEE 802.11ax HE support - # Note: This is experimental and work in progress. The definitions are still -@@ -189,11 +189,11 @@ CONFIG_IPV6=y - - # Enable support for fully dynamic VLANs. This enables hostapd to - # automatically create bridge and VLAN interfaces if necessary. --#CONFIG_FULL_DYNAMIC_VLAN=y -+CONFIG_FULL_DYNAMIC_VLAN=y - - # Use netlink-based kernel API for VLAN operations instead of ioctl() - # Note: This requires libnl 3.1 or newer. --#CONFIG_VLAN_NETLINK=y -+CONFIG_VLAN_NETLINK=y - - # Remove support for dumping internal state through control interface commands - # This can be used to reduce binary size at the cost of disabling a debugging -@@ -264,16 +264,16 @@ CONFIG_IPV6=y - # internal = Internal TLSv1 implementation (experimental) - # linux = Linux kernel AF_ALG and internal TLSv1 implementation (experimental) - # none = Empty template --#CONFIG_TLS=openssl -+CONFIG_TLS=openssl - - # TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1) - # can be enabled to get a stronger construction of messages when block ciphers - # are used. --#CONFIG_TLSV11=y -+CONFIG_TLSV11=y - - # TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2) - # can be enabled to enable use of stronger crypto algorithms. --#CONFIG_TLSV12=y -+CONFIG_TLSV12=y - - # Select which ciphers to use by default with OpenSSL if the user does not - # specify them. -@@ -298,19 +298,19 @@ CONFIG_IPV6=y - # Interworking (IEEE 802.11u) - # This can be used to enable functionality to improve interworking with - # external networks. --#CONFIG_INTERWORKING=y -+CONFIG_INTERWORKING=y - - # Hotspot 2.0 --#CONFIG_HS20=y -+CONFIG_HS20=y - - # Enable SQLite database support in hlr_auc_gw, EAP-SIM DB, and eap_user_file --#CONFIG_SQLITE=y -+CONFIG_SQLITE=y - - # Enable Fast Session Transfer (FST) --#CONFIG_FST=y -+CONFIG_FST=y - - # Enable CLI commands for FST testing --#CONFIG_FST_TEST=y -+CONFIG_FST_TEST=y - - # Testing options - # This can be used to enable some testing options (see also the example -@@ -342,12 +342,12 @@ CONFIG_IPV6=y - # For more details refer to: - # http://wireless.kernel.org/en/users/Documentation/acs - # --#CONFIG_ACS=y -+CONFIG_ACS=y - - # Multiband Operation support - # These extentions facilitate efficient use of multiple frequency bands - # available to the AP and the devices that may associate with it. --#CONFIG_MBO=y -+CONFIG_MBO=y - - # Client Taxonomy - # Has the AP retain the Probe Request and (Re)Association Request frames from diff --git a/hostapd.changes b/hostapd.changes index 4776acc..60d19ab 100644 --- a/hostapd.changes +++ b/hostapd.changes @@ -1,10 +1,19 @@ +------------------------------------------------------------------- +Mon Dec 17 09:07:15 UTC 2018 - Karol Babioch + +- Applied spec-cleaner +- Added bug reference +- Use defconfig file as template for configuration instead of patching it + during build. This is easier to maintain in the long run. +- Enabled CLI editing and history support. + ------------------------------------------------------------------- Fri Dec 7 20:46:47 UTC 2018 - mardnh@gmx.de - Update to version 2.7 * fixed WPA packet number reuse with replayed messages and key reinstallation - [http://w1.fi/security/2017-1/] (CVE-2017-13082) + [http://w1.fi/security/2017-1/] (CVE-2017-13082) (bsc#1056061) * added support for FILS (IEEE 802.11ai) shared key authentication * added support for OWE (Opportunistic Wireless Encryption, RFC 8110; and transition mode defined by WFA) diff --git a/hostapd.spec b/hostapd.spec index 87f1fe1..a5bcc9e 100644 --- a/hostapd.spec +++ b/hostapd.spec @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # @@ -27,8 +27,8 @@ Source: https://w1.fi/releases/hostapd-%{version}.tar.gz Source1: https://w1.fi/releases/hostapd-%{version}.tar.gz.asc # https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x2B6EF432EFC895FA#/%%{name}.keyring Source2: %{name}.keyring -Source3: hostapd.service -Patch0: hostapd-2.7-defconfig.patch +Source3: config +Source4: hostapd.service BuildRequires: libnl3-devel BuildRequires: openssl-devel BuildRequires: pkgconfig @@ -47,10 +47,7 @@ authentication via any ethernet driver. %prep %setup -q -%patch0 -p1 - -cd hostapd -cp defconfig .config +cp %{SOURCE3} hostapd/.config %build cd hostapd @@ -73,7 +70,7 @@ install -m 644 hostapd.sim_db %{buildroot}%{_sysconfdir} install -m 644 hostapd.vlan %{buildroot}%{_sysconfdir} install -m 600 hostapd.wpa_psk %{buildroot}%{_sysconfdir} install -m 644 hostapd.8 %{buildroot}/%{_mandir}/man8 -install -D -m 0644 %{SOURCE3} %{buildroot}%{_unitdir}/hostapd.service +install -D -m 0644 %{SOURCE4} %{buildroot}%{_unitdir}/hostapd.service %pre %service_add_pre hostapd.service From 55283dd7ca0d0f811f94e69598e8622c318304dd73acd38d3e1ff269f332888c Mon Sep 17 00:00:00 2001 From: Karol Babioch Date: Fri, 21 Dec 2018 14:29:41 +0000 Subject: [PATCH 3/3] Accepting request 658950 from home:kbabioch:branches:Base:System during build. This is easier to maintain in the long run. This removes the patch hostapd-2.6-defconfig.patch in favor of a simple config file, which is copied over from the source directory. OBS-URL: https://build.opensuse.org/request/show/658950 OBS-URL: https://build.opensuse.org/package/show/Base:System/hostapd?expand=0&rev=47 --- hostapd.changes | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/hostapd.changes b/hostapd.changes index 60d19ab..b2f0555 100644 --- a/hostapd.changes +++ b/hostapd.changes @@ -4,7 +4,9 @@ Mon Dec 17 09:07:15 UTC 2018 - Karol Babioch - Applied spec-cleaner - Added bug reference - Use defconfig file as template for configuration instead of patching it - during build. This is easier to maintain in the long run. + during build. This is easier to maintain in the long run. This removes the + patch hostapd-2.6-defconfig.patch in favor of a simple config file, which is + copied over from the source directory. - Enabled CLI editing and history support. -------------------------------------------------------------------