commit 788dd5615cdd93e1e5724e1ee266eb085e264c59937f206a0e5e1f09aa0bf67c Author: Dirk Mueller Date: Sat Aug 31 09:32:18 2024 +0000 Update to 2.11, fix for CVE-2023-52424 OBS-URL: https://build.opensuse.org/package/show/Base:System/hostapd?expand=0&rev=69
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/apparmor-usr.sbin.hostapd b/apparmor-usr.sbin.hostapd
new file mode 100644
index 0000000..a21505a
--- /dev/null
+++ b/apparmor-usr.sbin.hostapd
@@ -0,0 +1,33 @@
+abi ,
+
+#include
+
+profile hostapd /usr/sbin/hostapd {
+ #include
+ #include
+
+ capability net_admin,
+ capability net_raw,
+ network packet,
+ network raw,
+
+ # for RADIUS
+ network inet dgram,
+ network inet6 dgram,
+
+ # grant read access to config files
+ /etc/hostapd.* r,
+ /etc/ssl/openssl.cnf r,
+ /etc/libnl/classid r,
+
+ @{PROC}/sys/net/ipv*/conf/*/arp_accept w,
+ /sys/devices/platform/**/net/**/proxyarp_wifi w,
+ /sys/devices/platform/**/net/**/hairpin_mode w,
+
+ # grant access to RFKILL control device
+ /dev/rfkill rw,
+
+ /run/hostapd/ rw,
+ /run/hostapd/* rw,
+
+}
diff --git a/config b/config
new file mode 100644
index 0000000..35f3145
--- /dev/null
+++ b/config
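Review bot: The only non-raw network rules in the profile are `network inet dgram,` and `network inet6 dgram,` under `# for RADIUS`, so RADIUS over UDP is permitted but a TCP-based RADIUS transport would be denied by the profile; the hostapd.changes entry in this same commit lists preliminary RADIUS/TLS support in 2.11, and if that feature is enabled on a system the profile would additionally need `network inet stream,` and `network inet6 stream,` (or a comment stating that RADIUS/TLS is intentionally out of scope). As rendered here the `abi ,` line and the three `#include` directives carry no target; presumably the angle-bracketed paths (`<abi/3.0>`, `<tunables/global>`, the abstractions) were lost in rendering, but it is worth confirming the committed file still has them, since a bare `#include` does not parse. Nothing else in the profile is questionable: the capability and path rules are narrow and read-only except for the `/run/hostapd/` control socket, the rfkill device and the three sysctl/sysfs knobs.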
@@ -0,0 +1,431 @@ +# Example hostapd build time configuration +# +# This file lists the configuration options that are used when building the +# hostapd binary. All lines starting with # are ignored. Configuration option +# lines must be commented out complete, if they are not to be included, i.e., +# just setting VARIABLE=n is not disabling that variable. +# +# This file is included in Makefile, so variables like CFLAGS and LIBS can also +# be modified from here. In most cass, these lines should use += in order not +# to override previous values of the variables. + +# Driver interface for Host AP driver +CONFIG_DRIVER_HOSTAP=y + +# Driver interface for wired authenticator +CONFIG_DRIVER_WIRED=y + +# Driver interface for drivers using the nl80211 kernel interface +CONFIG_DRIVER_NL80211=y + +# QCA vendor extensions to nl80211 +#CONFIG_DRIVER_NL80211_QCA=y + +# driver_nl80211.c requires libnl. If you are compiling it yourself +# you may need to point hostapd to your version of libnl. +# +#CFLAGS += -I$ +#LIBS += -L$ + +# Use libnl v2.0 (or 3.0) libraries. 
+#CONFIG_LIBNL20=y + +# Use libnl 3.2 libraries (if this is selected, CONFIG_LIBNL20 is ignored) +CONFIG_LIBNL32=y + + +# Driver interface for FreeBSD net80211 layer (e.g., Atheros driver) +#CONFIG_DRIVER_BSD=y +#CFLAGS += -I/usr/local/include +#LIBS += -L/usr/local/lib +#LIBS_p += -L/usr/local/lib +#LIBS_c += -L/usr/local/lib + +# Driver interface for no driver (e.g., RADIUS server only) +CONFIG_DRIVER_NONE=y + +# IEEE 802.11F/IAPP +CONFIG_IAPP=y + +# WPA2/IEEE 802.11i RSN pre-authentication +CONFIG_RSN_PREAUTH=y + +# IEEE 802.11w (management frame protection) +CONFIG_IEEE80211W=y + +# Support Operating Channel Validation +#CONFIG_OCV=y + +# Integrated EAP server +CONFIG_EAP=y + +# EAP Re-authentication Protocol (ERP) in integrated EAP server +CONFIG_ERP=y + +# EAP-MD5 for the integrated EAP server +CONFIG_EAP_MD5=y + +# EAP-TLS for the integrated EAP server +CONFIG_EAP_TLS=y + +# EAP-MSCHAPv2 for the integrated EAP server +CONFIG_EAP_MSCHAPV2=y + +# EAP-PEAP for the integrated EAP server +CONFIG_EAP_PEAP=y + +# EAP-GTC for the integrated EAP server +CONFIG_EAP_GTC=y + +# EAP-TTLS for the integrated EAP server +CONFIG_EAP_TTLS=y + +# EAP-SIM for the integrated EAP server +CONFIG_EAP_SIM=y + +# EAP-AKA for the integrated EAP server +CONFIG_EAP_AKA=y + +# EAP-AKA' for the integrated EAP server +# This requires CONFIG_EAP_AKA to be enabled, too. 
+CONFIG_EAP_AKA_PRIME=y + +# EAP-PAX for the integrated EAP server +CONFIG_EAP_PAX=y + +# EAP-PSK for the integrated EAP server (this is _not_ needed for WPA-PSK) +CONFIG_EAP_PSK=y + +# EAP-pwd for the integrated EAP server (secure authentication with a password) +CONFIG_EAP_PWD=y + +# EAP-SAKE for the integrated EAP server +CONFIG_EAP_SAKE=y + +# EAP-GPSK for the integrated EAP server +CONFIG_EAP_GPSK=y +# Include support for optional SHA256 cipher suite in EAP-GPSK +CONFIG_EAP_GPSK_SHA256=y + +# EAP-FAST for the integrated EAP server +# Note: If OpenSSL is used as the TLS library, OpenSSL 1.0 or newer is needed +# for EAP-FAST support. Older OpenSSL releases would need to be patched, e.g., +# with openssl-0.9.8x-tls-extensions.patch, to add the needed functions. +#CONFIG_EAP_FAST=y + +# EAP-TEAP for the integrated EAP server +# Note: The current EAP-TEAP implementation is experimental and should not be +# enabled for production use. The IETF RFC 7170 that defines EAP-TEAP has number +# of conflicting statements and missing details and the implementation has +# vendor specific workarounds for those and as such, may not interoperate with +# any other implementation. This should not be used for anything else than +# experimentation and interoperability testing until those issues has been +# resolved. +#CONFIG_EAP_TEAP=y + +# Wi-Fi Protected Setup (WPS) +CONFIG_WPS=y +# Enable UPnP support for external WPS Registrars +CONFIG_WPS_UPNP=y +# Enable WPS support with NFC config method +CONFIG_WPS_NFC=y + +# EAP-IKEv2 +CONFIG_EAP_IKEV2=y + +# Trusted Network Connect (EAP-TNC) +CONFIG_EAP_TNC=y + +# EAP-EKE for the integrated EAP server +CONFIG_EAP_EKE=y + +# PKCS#12 (PFX) support (used to read private key and certificate file from +# a file that usually has extension .p12 or .pfx) +CONFIG_PKCS12=y + +# RADIUS authentication server. This provides access to the integrated EAP +# server from external hosts using RADIUS. 
+#CONFIG_RADIUS_SERVER=y + +# Build IPv6 support for RADIUS operations +CONFIG_IPV6=y + +# IEEE Std 802.11r-2008 (Fast BSS Transition) +CONFIG_IEEE80211R=y + +# Use the hostapd's IEEE 802.11 authentication (ACL), but without +# the IEEE 802.11 Management capability (e.g., FreeBSD/net80211) +CONFIG_DRIVER_RADIUS_ACL=y + +# IEEE 802.11n (High Throughput) support +CONFIG_IEEE80211N=y + +# Wireless Network Management (IEEE Std 802.11v-2011) +# Note: This is experimental and not complete implementation. +CONFIG_WNM=y + +# IEEE 802.11ac (Very High Throughput) support +CONFIG_IEEE80211AC=y + +# IEEE 802.11ax HE support +# Note: This is experimental and work in progress. The definitions are still +# subject to change and this should not be expected to interoperate with the +# final IEEE 802.11ax version. +#CONFIG_IEEE80211AX=y + +# Remove debugging code that is printing out debug messages to stdout. +# This can be used to reduce the size of the hostapd considerably if debugging +# code is not needed. +#CONFIG_NO_STDOUT_DEBUG=y + +# Add support for writing debug log to a file: -f /tmp/hostapd.log +# Disabled by default. +CONFIG_DEBUG_FILE=y + +# Send debug messages to syslog instead of stdout +#CONFIG_DEBUG_SYSLOG=y + +# Add support for sending all debug messages (regardless of debug verbosity) +# to the Linux kernel tracing facility. This helps debug the entire stack by +# making it easy to record everything happening from the driver up into the +# same file, e.g., using trace-cmd. +#CONFIG_DEBUG_LINUX_TRACING=y + +# Remove support for RADIUS accounting +#CONFIG_NO_ACCOUNTING=y + +# Remove support for RADIUS +#CONFIG_NO_RADIUS=y + +# Remove support for VLANs +#CONFIG_NO_VLAN=y + +# Enable support for fully dynamic VLANs. This enables hostapd to +# automatically create bridge and VLAN interfaces if necessary. +CONFIG_FULL_DYNAMIC_VLAN=y + +# Use netlink-based kernel API for VLAN operations instead of ioctl() +# Note: This requires libnl 3.1 or newer. 
+CONFIG_VLAN_NETLINK=y + +# Remove support for dumping internal state through control interface commands +# This can be used to reduce binary size at the cost of disabling a debugging +# option. +#CONFIG_NO_DUMP_STATE=y + +# Enable tracing code for developer debugging +# This tracks use of memory allocations and other registrations and reports +# incorrect use with a backtrace of call (or allocation) location. +#CONFIG_WPA_TRACE=y +# For BSD, comment out these. +#LIBS += -lexecinfo +#LIBS_p += -lexecinfo +#LIBS_c += -lexecinfo + +# Use libbfd to get more details for developer debugging +# This enables use of libbfd to get more detailed symbols for the backtraces +# generated by CONFIG_WPA_TRACE=y. +#CONFIG_WPA_TRACE_BFD=y +# For BSD, comment out these. +#LIBS += -lbfd -liberty -lz +#LIBS_p += -lbfd -liberty -lz +#LIBS_c += -lbfd -liberty -lz + +# hostapd depends on strong random number generation being available from the +# operating system. os_get_random() function is used to fetch random data when +# needed, e.g., for key generation. On Linux and BSD systems, this works by +# reading /dev/urandom. It should be noted that the OS entropy pool needs to be +# properly initialized before hostapd is started. This is important especially +# on embedded devices that do not have a hardware random number generator and +# may by default start up with minimal entropy available for random number +# generation. +# +# As a safety net, hostapd is by default trying to internally collect +# additional entropy for generating random data to mix in with the data +# fetched from the OS. This by itself is not considered to be very strong, but +# it may help in cases where the system pool is not initialized properly. +# However, it is very strongly recommended that the system pool is initialized +# with enough entropy either by using hardware assisted random number +# generator or by storing state over device reboots. 
+# +# hostapd can be configured to maintain its own entropy store over restarts to +# enhance random number generation. This is not perfect, but it is much more +# secure than using the same sequence of random numbers after every reboot. +# This can be enabled with -e command line option. The specified +# file needs to be readable and writable by hostapd. +# +# If the os_get_random() is known to provide strong random data (e.g., on +# Linux/BSD, the board in question is known to have reliable source of random +# data from /dev/urandom), the internal hostapd random pool can be disabled. +# This will save some in binary size and CPU use. However, this should only be +# considered for builds that are known to be used on devices that meet the +# requirements described above. +#CONFIG_NO_RANDOM_POOL=y + +# Should we attempt to use the getrandom(2) call that provides more reliable +# yet secure randomness source than /dev/random on Linux 3.17 and newer. +# Requires glibc 2.25 to build, falls back to /dev/random if unavailable. +CONFIG_GETRANDOM=y + +# Should we use poll instead of select? Select is used by default. +#CONFIG_ELOOP_POLL=y + +# Should we use epoll instead of select? Select is used by default. +#CONFIG_ELOOP_EPOLL=y + +# Should we use kqueue instead of select? Select is used by default. +#CONFIG_ELOOP_KQUEUE=y + +# Select TLS implementation +# openssl = OpenSSL (default) +# gnutls = GnuTLS +# internal = Internal TLSv1 implementation (experimental) +# linux = Linux kernel AF_ALG and internal TLSv1 implementation (experimental) +# none = Empty template +CONFIG_TLS=openssl + +# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1) +# can be enabled to get a stronger construction of messages when block ciphers +# are used. +CONFIG_TLSV11=y + +# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2) +# can be enabled to enable use of stronger crypto algorithms. 
+CONFIG_TLSV12=y + +# Select which ciphers to use by default with OpenSSL if the user does not +# specify them. +#CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW" + +# If CONFIG_TLS=internal is used, additional library and include paths are +# needed for LibTomMath. Alternatively, an integrated, minimal version of +# LibTomMath can be used. See beginning of libtommath.c for details on benefits +# and drawbacks of this option. +#CONFIG_INTERNAL_LIBTOMMATH=y +#ifndef CONFIG_INTERNAL_LIBTOMMATH +#LTM_PATH=/usr/src/libtommath-0.39 +#CFLAGS += -I$(LTM_PATH) +#LIBS += -L$(LTM_PATH) +#LIBS_p += -L$(LTM_PATH) +#endif +# At the cost of about 4 kB of additional binary size, the internal LibTomMath +# can be configured to include faster routines for exptmod, sqr, and div to +# speed up DH and RSA calculation considerably +#CONFIG_INTERNAL_LIBTOMMATH_FAST=y + +# Interworking (IEEE 802.11u) +# This can be used to enable functionality to improve interworking with +# external networks. +CONFIG_INTERWORKING=y + +# Hotspot 2.0 +CONFIG_HS20=y + +# Enable SQLite database support in hlr_auc_gw, EAP-SIM DB, and eap_user_file +CONFIG_SQLITE=y + +# Enable Fast Session Transfer (FST) +CONFIG_FST=y + +# Enable CLI commands for FST testing +CONFIG_FST_TEST=y + +# Testing options +# This can be used to enable some testing options (see also the example +# configuration file) that are really useful only for testing clients that +# connect to this hostapd. These options allow, for example, to drop a +# certain percentage of probe requests or auth/(re)assoc frames. +# +#CONFIG_TESTING_OPTIONS=y + +# Automatic Channel Selection +# This will allow hostapd to pick the channel automatically when channel is set +# to "acs_survey" or "0". Eventually, other ACS algorithms can be added in +# similar way. +# +# Automatic selection is currently only done through initialization, later on +# we hope to do background checks to keep us moving to more ideal channels as +# time goes by. 
ACS is currently only supported through the nl80211 driver and +# your driver must have survey dump capability that is filled by the driver +# during scanning. +# +# You can customize the ACS survey algorithm with the hostapd.conf variable +# acs_num_scans. +# +# Supported ACS drivers: +# * ath9k +# * ath5k +# * ath10k +# +# For more details refer to: +# http://wireless.kernel.org/en/users/Documentation/acs +# +CONFIG_ACS=y + +# Multiband Operation support +# These extensions facilitate efficient use of multiple frequency bands +# available to the AP and the devices that may associate with it. +CONFIG_MBO=y + +# Client Taxonomy +# Has the AP retain the Probe Request and (Re)Association Request frames from +# a client, from which a signature can be produced which can identify the model +# of client device like "Nexus 6P" or "iPhone 5s". +#CONFIG_TAXONOMY=y + +# Fast Initial Link Setup (FILS) (IEEE 802.11ai) +CONFIG_FILS=y +# FILS shared key authentication with PFS +CONFIG_FILS_SK_PFS=y + +# Include internal line edit mode in hostapd_cli. This can be used to provide +# limited command line editing and history support. +CONFIG_WPA_CLI_EDIT=y + +# Opportunistic Wireless Encryption (OWE) +# Experimental implementation of draft-harkins-owe-07.txt +CONFIG_OWE=y + +# Airtime policy support +CONFIG_AIRTIME_POLICY=y + +# Override default value for the wpa_disable_eapol_key_retries configuration +# parameter. See that parameter in hostapd.conf for more details. +#CFLAGS += -DDEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES=1 + +# Wired equivalent privacy (WEP) +# WEP is an obsolete cryptographic data confidentiality algorithm that is not +# considered secure. It should not be used for anything anymore. The +# functionality needed to use WEP is available in the current hostapd +# release under this optional build parameter. This functionality is subject to +# be completely removed in a future release. 
+#CONFIG_WEP=y + +# Remove all TKIP functionality +# TKIP is an old cryptographic data confidentiality algorithm that is not +# considered secure. It should not be used anymore. For now, the default hostapd +# build includes this to allow mixed mode WPA+WPA2 networks to be enabled, but +# that functionality is subject to be removed in the future. +#CONFIG_NO_TKIP=y + +# Pre-Association Security Negotiation (PASN) +# Experimental implementation based on IEEE P802.11z/D2.6 and the protocol +# design is still subject to change. As such, this should not yet be enabled in +# production use. +# This requires CONFIG_IEEE80211W=y to be enabled, too. +#CONFIG_PASN=y + +# Device Provisioning Protocol (DPP) (also known as Wi-Fi Easy Connect) +CONFIG_DPP=y +# DPP version 2 support +CONFIG_DPP2=y +# DPP version 3 support (experimental and still changing; do not enable for +# production use) +#CONFIG_DPP3=y + +# Simultaneous Authentication of Equals (SAE) +CONFIG_SAE=y + +# WPA3-Enterprise (SuiteB-192) +CONFIG_SUITEB=y +CONFIG_SUITEB192=y diff --git a/hostapd-2.10.tar.gz b/hostapd-2.10.tar.gz new file mode 100644 index 0000000..b3f61cc --- /dev/null +++ b/hostapd-2.10.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:206e7c799b678572c2e3d12030238784bc4a9f82323b0156b4c9466f1498915d +size 2440435 diff --git a/hostapd-2.10.tar.gz.asc b/hostapd-2.10.tar.gz.asc new file mode 100644 index 0000000..d3ddd24 --- /dev/null +++ b/hostapd-2.10.tar.gz.asc @@ -0,0 +1,6 @@ +-----BEGIN PGP SIGNATURE----- + +iF0EABECAB0WIQTsSqCpkaXyRkWC1S0rbvQy78iV+gUCYeSJ0QAKCRArbvQy78iV ++ryaAJ9Dg6Jolf9k10113AamARgeJObKPgCdGhRdfhroyDzd5qglBkDB0wDsqXc= +=N0h0 +-----END PGP SIGNATURE----- diff --git a/hostapd-2.11.tar.gz b/hostapd-2.11.tar.gz new file mode 100644 index 0000000..a115866 --- /dev/null +++ b/hostapd-2.11.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:2b3facb632fd4f65e32f4bf82a76b4b72c501f995a4f62e330219fe7aed1747a +size 2708343 
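Review bot: `CONFIG_IAPP=y` is carried into a 2.11 build config even though the 2.10 entry in hostapd.changes in this same commit records that the obsolete IAPP functionality was removed; the line is presumably ignored by the current Makefile and should be deleted rather than left looking like an active feature choice. `CONFIG_FST_TEST=y` enables the CLI commands intended for FST testing in a distribution build, which adds control-interface commands with no production purpose; unless a consumer depends on them this should be `#CONFIG_FST_TEST=y` with the comment `# Enable CLI commands for FST testing` left as documentation. The CVE-2023-52424 mitigation named in the commit title is a runtime option (`ssid_protection=1`, disabled by default according to the changelog), so nothing in this build config turns it on; that may be intended, but the changes entry would be clearer if it said so explicitly.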
diff --git a/hostapd-2.11.tar.gz.asc b/hostapd-2.11.tar.gz.asc
new file mode 100644
index 0000000..7515ad4
--- /dev/null
+++ b/hostapd-2.11.tar.gz.asc
@@ -0,0 +1,6 @@
+-----BEGIN PGP SIGNATURE-----
+
+iF0EABECAB0WIQTsSqCpkaXyRkWC1S0rbvQy78iV+gUCZpwBjgAKCRArbvQy78iV
++kn0AJ425X6Qa2egH+GcGYD/W0Im31POWACfTus+8lK5KJGLsOuXcPGCazUGkl0=
+=2w57
+-----END PGP SIGNATURE-----
diff --git a/hostapd.changes b/hostapd.changes
new file mode 100644
index 0000000..02b6630
--- /dev/null
+++ b/hostapd.changes
@@ -0,0 +1,1377 @@ +------------------------------------------------------------------- +Thu Aug 8 07:30:47 UTC 2024 - chris@computersalat.de + +- 2024-07-20 - v2.11 + * Wi-Fi Easy Connect + - add support for DPP release 3 + - allow Configurator parameters to be provided during config exchange + * HE/IEEE 802.11ax/Wi-Fi 6 + - various fixes + * EHT/IEEE 802.11be/Wi-Fi 7 + - add preliminary support + * SAE: add support for fetching the password from a RADIUS server + * support OpenSSL 3.0 API changes + * support background radar detection and CAC with some additional + drivers + * support RADIUS ACL/PSK check during 4-way handshake (wpa_psk_radius=3) + * EAP-SIM/AKA: support IMSI privacy + * improve 4-way handshake operations + - use Secure=1 in message 3 during PTK rekeying + * OCV: do not check Frequency Segment 1 Channel Number for 160 MHz cases + to avoid interoperability issues + * support new SAE AKM suites with variable length keys + * support new AKM for 802.1X/EAP with SHA384 + * extend PASN support for secure ranging + * FT: Use SHA256 to derive PMKID for AKM 00-0F-AC:3 (FT-EAP) + - this is based on additional details being added in the IEEE 802.11 + standard + - the new implementation is not backwards compatible + * improved ACS to cover additional channel types/bandwidths + * extended Multiple BSSID support + * fix beacon protection with FT protocol (incorrect BIGTK was provided) + * support unsynchronized service discovery (USD) + * add preliminary support for RADIUS/TLS + * add support for explicit SSID protection in 4-way handshake + (a mitigation for CVE-2023-52424; disabled by default for now, can be + enabled with ssid_protection=1) + * fix SAE H2E rejected groups validation to avoid downgrade attacks + * use stricter validation for some RADIUS messages + * a large number of other fixes, cleanup, and extensions + +------------------------------------------------------------------- +Fri Mar 11 21:35:37 UTC 2022 - Clemens Famulla-Conrad + +- Adjust 
config + * Enable SAE + * Enable DPP + * Enable wired driver + * Enable Airtime policy support + * Enable Fast Initial Link Setup (FILS) (IEEE 802.11ai) + +------------------------------------------------------------------- +Mon Jan 17 08:33:09 UTC 2022 - Michael Ströder + +- Removed obsolete patches: + * CVE-2019-16275.patch + * CVE-2020-12695.patch + * CVE-2021-30004.patch +- Update to version 2.10 + * SAE changes + - improved protection against side channel attacks + [https://w1.fi/security/2022-1/] + - added option send SAE Confirm immediately (sae_config_immediate=1) + after SAE Commit + - added support for the hash-to-element mechanism (sae_pwe=1 or + sae_pwe=2) + - fixed PMKSA caching with OKC + - added support for SAE-PK + * EAP-pwd changes + - improved protection against side channel attacks + [https://w1.fi/security/2022-1/] + * fixed WPS UPnP SUBSCRIBE handling of invalid operations + [https://w1.fi/security/2020-1/] + * fixed PMF disconnection protection bypass + [https://w1.fi/security/2019-7/] + * added support for using OpenSSL 3.0 + * fixed various issues in experimental support for EAP-TEAP server + * added configuration (max_auth_rounds, max_auth_rounds_short) to + increase the maximum number of EAP message exchanges (mainly to + support cases with very large certificates) for the EAP server + * added support for DPP release 2 (Wi-Fi Device Provisioning Protocol) + * extended HE (IEEE 802.11ax) support, including 6 GHz support + * removed obsolete IAPP functionality + * fixed EAP-FAST server with TLS GCM/CCM ciphers + * dropped support for libnl 1.1 + * added support for nl80211 control port for EAPOL frame TX/RX + * fixed OWE key derivation with groups 20 and 21; this breaks backwards + compatibility for these groups while the default group 19 remains + backwards compatible; owe_ptk_workaround=1 can be used to enabled a + a workaround for the group 20/21 backwards compatibility + * added support for Beacon protection + * added support for 
Extended Key ID for pairwise keys + * removed WEP support from the default build (CONFIG_WEP=y can be used + to enable it, if really needed) + * added a build option to remove TKIP support (CONFIG_NO_TKIP=y) + * added support for Transition Disable mechanism to allow the AP to + automatically disable transition mode to improve security + * added support for PASN + * added EAP-TLS server support for TLS 1.3 (disabled by default for now) + * a large number of other fixes, cleanup, and extensions + +------------------------------------------------------------------- +Fri Nov 26 20:52:19 UTC 2021 - Clemens Famulla-Conrad + +- Fix AppArmor profile -- allow access to /etc/ssl/openssl.cnf + (bsc#1192959) + +------------------------------------------------------------------- +Fri Oct 15 07:29:27 UTC 2021 - Johannes Segitz + +- Added hardening to systemd service(s) (bsc#1181400). Modified: + * hostapd.service + +------------------------------------------------------------------- +Wed Jul 14 08:41:42 UTC 2021 - Michael Ströder + +- fixed AppArmor profile + +------------------------------------------------------------------- +Tue Apr 6 14:51:18 UTC 2021 - Clemens Famulla-Conrad + +- Add CVE-2021-30004.patch -- forging attacks may occur because + AlgorithmIdentifier parameters are mishandled in tls/pkcs1.c and tls/x509v3.c + (bsc#1184348) +------------------------------------------------------------------- +Tue Feb 23 19:33:56 UTC 2021 - Michael Ströder + +- added AppArmor profile (source apparmor-usr.sbin.hostapd) + +------------------------------------------------------------------- +Tue Sep 29 12:52:10 UTC 2020 - Clemens Famulla-Conrad + +- Add CVE-2020-12695.patch -- UPnP SUBSCRIBE misbehavior in hostapd WPS AP + (bsc#1172700) + +------------------------------------------------------------------- +Thu Apr 23 22:14:35 UTC 2020 - Clemens Famulla-Conrad + +- Add CVE-2019-16275.patch -- AP mode PMF disconnection protection bypass + (bsc#1150934) + 
+------------------------------------------------------------------- +Thu Sep 5 17:58:05 UTC 2019 - Michael Ströder + +- Update to version 2.9 + * SAE changes + - disable use of groups using Brainpool curves + - improved protection against side channel attacks + [https://w1.fi/security/2019-6/] + * EAP-pwd changes + - disable use of groups using Brainpool curves + - improved protection against side channel attacks + [https://w1.fi/security/2019-6/] + * fixed FT-EAP initial mobility domain association using PMKSA caching + * added configuration of airtime policy + * fixed FILS to and RSNE into (Re)Association Response frames + * fixed DPP bootstrapping URI parser of channel list + * added support for regulatory WMM limitation (for ETSI) + * added support for MACsec Key Agreement using IEEE 802.1X/PSK + * added experimental support for EAP-TEAP server (RFC 7170) + * added experimental support for EAP-TLS server with TLS v1.3 + * added support for two server certificates/keys (RSA/ECC) + * added AKMSuiteSelector into "STA " control interface data to + determine with AKM was used for an association + * added eap_sim_id parameter to allow EAP-SIM/AKA server pseudonym and + fast reauthentication use to be disabled + * fixed an ECDH operation corner case with OpenSSL + +------------------------------------------------------------------- +Wed Apr 24 07:22:30 UTC 2019 - Michael Ströder + +- Update to version 2.8 + * SAE changes + - added support for SAE Password Identifier + - changed default configuration to enable only group 19 + (i.e., disable groups 20, 21, 25, 26 from default configuration) and + disable all unsuitable groups completely based on REVmd changes + - improved anti-clogging token mechanism and SAE authentication + frame processing during heavy CPU load; this mitigates some issues + with potential DoS attacks trying to flood an AP with large number + of SAE messages + - added Finite Cyclic Group field in status code 77 responses + - reject use of unsuitable 
groups based on new implementation guidance + in REVmd (allow only FFC groups with prime >= 3072 bits and ECC + groups with prime >= 256) + - minimize timing and memory use differences in PWE derivation + [https://w1.fi/security/2019-1/] (CVE-2019-9494) + - fixed confirm message validation in error cases + [https://w1.fi/security/2019-3/] (CVE-2019-9496) + * EAP-pwd changes + - minimize timing and memory use differences in PWE derivation + [https://w1.fi/security/2019-2/] (CVE-2019-9495) + - verify peer scalar/element + [https://w1.fi/security/2019-4/] (CVE-2019-9497 and CVE-2019-9498) + - fix message reassembly issue with unexpected fragment + [https://w1.fi/security/2019-5/] + - enforce rand,mask generation rules more strictly + - fix a memory leak in PWE derivation + - disallow ECC groups with a prime under 256 bits (groups 25, 26, and + 27) + * Hotspot 2.0 changes + - added support for release number 3 + - reject release 2 or newer association without PMF + * added support for RSN operating channel validation + (CONFIG_OCV=y and configuration parameter ocv=1) + * added Multi-AP protocol support + * added FTM responder configuration + * fixed build with LibreSSL + * added FT/RRB workaround for short Ethernet frame padding + * fixed KEK2 derivation for FILS+FT + * added RSSI-based association rejection from OCE + * extended beacon reporting functionality + * VLAN changes + - allow local VLAN management with remote RADIUS authentication + - add WPA/WPA2 passphrase/PSK -based VLAN assignment + * OpenSSL: allow systemwide policies to be overridden + * extended PEAP to derive EMSK to enable use with ERP/FILS + * extended WPS to allow SAE configuration to be added automatically + for PSK (wps_cred_add_sae=1) + * fixed FT and SA Query Action frame with AP-MLME-in-driver cases + * OWE: allow Diffie-Hellman Parameter element to be included with DPP + in preparation for DPP protocol extension + * RADIUS server: started to accept ERP keyName-NAI as user identity + 
automatically without matching EAP database entry + * fixed PTK rekeying with FILS and FT + + wpa_supplicant: + * SAE changes + - added support for SAE Password Identifier + - changed default configuration to enable only groups 19, 20, 21 + (i.e., disable groups 25 and 26) and disable all unsuitable groups + completely based on REVmd changes + - do not regenerate PWE unnecessarily when the AP uses the + anti-clogging token mechanisms + - fixed some association cases where both SAE and FT-SAE were enabled + on both the station and the selected AP + - started to prefer FT-SAE over SAE AKM if both are enabled + - started to prefer FT-SAE over FT-PSK if both are enabled + - fixed FT-SAE when SAE PMKSA caching is used + - reject use of unsuitable groups based on new implementation guidance + in REVmd (allow only FFC groups with prime >= 3072 bits and ECC + groups with prime >= 256) + - minimize timing and memory use differences in PWE derivation + [https://w1.fi/security/2019-1/] (CVE-2019-9494) + * EAP-pwd changes + - minimize timing and memory use differences in PWE derivation + [https://w1.fi/security/2019-2/] (CVE-2019-9495) + - verify server scalar/element + [https://w1.fi/security/2019-4/] (CVE-2019-9499) + - fix message reassembly issue with unexpected fragment + [https://w1.fi/security/2019-5/] + - enforce rand,mask generation rules more strictly + - fix a memory leak in PWE derivation + - disallow ECC groups with a prime under 256 bits (groups 25, 26, and + 27) + * fixed CONFIG_IEEE80211R=y (FT) build without CONFIG_FILS=y + * Hotspot 2.0 changes + - do not indicate release number that is higher than the one + AP supports + - added support for release number 3 + - enable PMF automatically for network profiles created from + credentials + * fixed OWE network profile saving + * fixed DPP network profile saving + * added support for RSN operating channel validation + (CONFIG_OCV=y and network profile parameter ocv=1) + * added Multi-AP backhaul STA support + * 
fixed build with LibreSSL + * number of MKA/MACsec fixes and extensions + * extended domain_match and domain_suffix_match to allow list of values + * fixed dNSName matching in domain_match and domain_suffix_match when + using wolfSSL + * started to prefer FT-EAP-SHA384 over WPA-EAP-SUITE-B-192 AKM if both + are enabled + * extended nl80211 Connect and external authentication to support + SAE, FT-SAE, FT-EAP-SHA384 + * fixed KEK2 derivation for FILS+FT + * extended client_cert file to allow loading of a chain of PEM + encoded certificates + * extended beacon reporting functionality + * extended D-Bus interface with number of new properties + * fixed a regression in FT-over-DS with mac80211-based drivers + * OpenSSL: allow systemwide policies to be overridden + * extended driver flags indication for separate 802.1X and PSK + 4-way handshake offload capability + * added support for random P2P Device/Interface Address use + * extended PEAP to derive EMSK to enable use with ERP/FILS + * extended WPS to allow SAE configuration to be added automatically + for PSK (wps_cred_add_sae=1) + * removed support for the old D-Bus interface (CONFIG_CTRL_IFACE_DBUS) + * extended domain_match and domain_suffix_match to allow list of values + * added a RSN workaround for misbehaving PMF APs that advertise + IGTK/BIP KeyID using incorrect byte order + * fixed PTK rekeying with FILS and FT + +------------------------------------------------------------------- +Fri Dec 28 12:01:55 UTC 2018 - Jan Engelhardt + +- Use noun phrase in summary. + +------------------------------------------------------------------- +Mon Dec 17 09:07:15 UTC 2018 - Karol Babioch + +- Applied spec-cleaner +- Added bug reference +- Use defconfig file as template for configuration instead of patching it + during build. This is easier to maintain in the long run. This removes the + patch hostapd-2.6-defconfig.patch in favor of a simple config file, which is + copied over from the source directory. 
+- Enabled CLI editing and history support.
+
+-------------------------------------------------------------------
+Fri Dec 7 20:46:47 UTC 2018 - mardnh@gmx.de
+
+- Update to version 2.7
+ * fixed WPA packet number reuse with replayed messages and key
+ reinstallation
+ [http://w1.fi/security/2017-1/] (CVE-2017-13082) (bsc#1056061)
+ * added support for FILS (IEEE 802.11ai) shared key authentication
+ * added support for OWE (Opportunistic Wireless Encryption, RFC 8110;
+ and transition mode defined by WFA)
+ * added support for DPP (Wi-Fi Device Provisioning Protocol)
+ * FT:
+ - added local generation of PMK-R0/PMK-R1 for FT-PSK
+ (ft_psk_generate_local=1)
+ - replaced inter-AP protocol with a cleaner design that is more
+ easily extensible; this breaks backward compatibility and requires
+ all APs in the ESS to be updated at the same time to maintain FT
+ functionality
+ - added support for wildcard R0KH/R1KH
+ - replaced r0_key_lifetime (minutes) parameter with
+ ft_r0_key_lifetime (seconds)
+ - fixed wpa_psk_file use for FT-PSK
+ - fixed FT-SAE PMKID matching
+ - added expiration to PMK-R0 and PMK-R1 cache
+ - added IEEE VLAN support (including tagged VLANs)
+ - added support for SHA384 based AKM
+ * SAE
+ - fixed some PMKSA caching cases with SAE
+ - added support for configuring SAE password separately of the
+ WPA2 PSK/passphrase
+ - added option to require MFP for SAE associations
+ (sae_require_pmf=1)
+ - fixed PTK and EAPOL-Key integrity and key-wrap algorithm selection
+ for SAE;
+ note: this is not backwards compatible, i.e., both the AP and
+ station side implementations will need to be update at the same
+ time to maintain interoperability
+ - added support for Password Identifier
+ * hostapd_cli: added support for command history and completion
+ * added support for requesting beacon report
+ * large number of other fixes, cleanup, and extensions
+ * added option to configure EAPOL-Key retry limits
+ (wpa_group_update_count and
wpa_pairwise_update_count)
+ * removed all PeerKey functionality
+ * fixed nl80211 AP mode configuration regression with Linux 4.15 and
+ newer
+ * added support for using wolfSSL cryptographic library
+ * fixed some 20/40 MHz coexistence cases where the BSS could drop to
+ 20 MHz even when 40 MHz would be allowed
+ * Hotspot 2.0
+ - added support for setting Venue URL ANQP-element (venue_url)
+ - added support for advertising Hotspot 2.0 operator icons
+ - added support for Roaming Consortium Selection element
+ - added support for Terms and Conditions
+ - added support for OSEN connection in a shared RSN BSS
+ * added support for using OpenSSL 1.1.1
+ * added EAP-pwd server support for salted passwords
+
+- Remove not longer needed patches (fixed upstream)
+ * rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch
+ * rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch
+ * rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch
+ * rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch
+ * rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch
+ * rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch
+ * rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch
+ * rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch
+- Verify source signature
+
+-------------------------------------------------------------------
+Fri Oct 19 10:32:25 UTC 2018 - Karol Babioch
+
+- Added rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch
+ Ignore unauthenticated encrypted EAPOL-Key data (CVE-2018-14526, bsc#1104205).
+
+-------------------------------------------------------------------
+Wed Oct 18 21:59:01 UTC 2017 - chris@intrbiz.com
+
+- Fix KRACK attacks (bsc#1063479, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13087, CVE-2017-13088):
+ * rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch
+ * rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch
+ * rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch
+ * rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch
+ * rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch
+ * rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch
+ * rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch
+ * rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch
+
+-------------------------------------------------------------------
+Mon Oct 02 14:39:02 BST 2016 - chris@intrbiz.com
+
+- update to upstream release 2.6
+ * fixed EAP-pwd last fragment validation
+ [http://w1.fi/security/2015-7/] (CVE-2015-5314)
+ * fixed WPS configuration update vulnerability with malformed passphrase
+ [http://w1.fi/security/2016-1/] (CVE-2016-4476)
+ * extended channel switch support for VHT bandwidth changes
+ * added support for configuring new ANQP-elements with
+ anqp_elem=:
+ * fixed Suite B 192-bit AKM to use proper PMK length
+ (note: this makes old releases incompatible with the fixed behavior)
+ * added no_probe_resp_if_max_sta=1 parameter to disable Probe Response
+ frame sending for not-associated STAs if max_num_sta limit has been
+ reached
+ * added option (-S as command line argument) to request all interfaces
+ to be started at the same time
+ * modified rts_threshold and fragm_threshold configuration parameters
+ to allow -1 to be used to disable RTS/fragmentation
+ * EAP-pwd: added support for Brainpool Elliptic Curves
+ (with OpenSSL 1.0.2 and newer)
+ * fixed EAPOL reauthentication
after FT protocol run
+ * fixed FTIE generation for 4-way handshake after FT protocol run
+ * fixed and improved various FST operations
+ * TLS server
+ - support SHA384 and SHA512 hashes
+ - support TLS v1.2 signature algorithm with SHA384 and SHA512
+ - support PKCS #5 v2.0 PBES2
+ - support PKCS #5 with PKCS #12 style key decryption
+ - minimal support for PKCS #12
+ - support OCSP stapling (including ocsp_multi)
+ * added support for OpenSSL 1.1 API changes
+ - drop support for OpenSSL 0.9.8
+ - drop support for OpenSSL 1.0.0
+ * EAP-PEAP: support fast-connect crypto binding
+ * RADIUS
+ - fix Called-Station-Id to not escape SSID
+ - add Event-Timestamp to all Accounting-Request packets
+ - add Acct-Session-Id to Accounting-On/Off
+ - add Acct-Multi-Session-Id ton Access-Request packets
+ - add Service-Type (= Frames)
+ - allow server to provide PSK instead of passphrase for WPA-PSK
+ Tunnel_password case
+ - update full message for interim accounting updates
+ - add Acct-Delay-Time into Accounting messages
+ - add require_message_authenticator configuration option to require
+ CoA/Disconnect-Request packets to be authenticated
+ * started to postpone WNM-Notification frame sending by 100 ms so that
+ the STA has some more time to configure the key before this frame is
+ received after the 4-way handshake
+ * VHT: added interoperability workaround for 80+80 and 160 MHz channels
+ * extended VLAN support (per-STA vif, etc.)
+ * fixed PMKID derivation with SAE
+ * nl80211
+ - added support for full station state operations
+ - fix IEEE 802.1X/WEP EAP reauthentication and rekeying to use
+ unencrypted EAPOL frames
+ * added initial MBO support; number of extensions to WNM BSS Transition
+ Management
+ * added initial functionality for location related operations
+ * added assocresp_elements parameter to allow vendor specific elements
+ to be added into (Re)Association Response frames
+ * improved Public Action frame addressing
+ - use Address 3 = wildcard BSSID in GAS response if a query from an
+ unassociated STA used that address
+ - fix TX status processing for Address 3 = wildcard BSSID
+ - add gas_address3 configuration parameter to control Address 3
+ behavior
+ * added command line parameter -i to override interface parameter in
+ hostapd.conf
+ * added command completion support to hostapd_cli
+ * added passive client taxonomy determination (CONFIG_TAXONOMY=y
+ compile option and "SIGNATURE " control interface command)
+ * number of small fixes
+- renamed hostapd-2.5-defconfig.patch to hostapd-2.6-defconfig.patch
+
+-------------------------------------------------------------------
+Sun Oct 18 12:59:02 UTC 2015 - michael@stroeder.com
+
+- update to upstream release 2.5
+- removed 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch
+ (CVE-2015-1863) because it's fixed in upstream release 2.5
+- rebased hostapd-2.4-defconfig.patch -> hostapd-2.5-defconfig.patch
+
+ChangeLog for hostapd since 2.4:
+
+2015-09-27 - v2.5
+ * fixed WPS UPnP vulnerability with HTTP chunked transfer encoding
+ [http://w1.fi/security/2015-2/] (CVE-2015-4141 bsc#930077)
+ * fixed WMM Action frame parser
+ [http://w1.fi/security/2015-3/] (CVE-2015-4142 bsc#930078)
+ * fixed EAP-pwd server missing payload length validation
+ [http://w1.fi/security/2015-4/]
+ (CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, bsc#930079)
+ * fixed validation of WPS and P2P NFC NDEF record payload length
+
[http://w1.fi/security/2015-5/]
+ * nl80211:
+ - fixed vendor command handling to check OUI properly
+ * fixed hlr_auc_gw build with OpenSSL
+ * hlr_auc_gw: allow Milenage RES length to be reduced
+ * disable HT for a station that does not support WMM/QoS
+ * added support for hashed password (NtHash) in EAP-pwd server
+ * fixed and extended dynamic VLAN cases
+ * added EAP-EKE server support for deriving Session-Id
+ * set Acct-Session-Id to a random value to make it more likely to be
+ unique even if the device does not have a proper clock
+ * added more 2.4 GHz channels for 20/40 MHz HT co-ex scan
+ * modified SAE routines to be more robust and PWE generation to be
+ stronger against timing attacks
+ * added support for Brainpool Elliptic Curves with SAE
+ * increases maximum value accepted for cwmin/cwmax
+ * added support for CCMP-256 and GCMP-256 as group ciphers with FT
+ * added Fast Session Transfer (FST) module
+ * removed optional fields from RSNE when using FT with PMF
+ (workaround for interoperability issues with iOS 8.4)
+ * added EAP server support for TLS session resumption
+ * fixed key derivation for Suite B 192-bit AKM (this breaks
+ compatibility with the earlier version)
+ * added mechanism to track unconnected stations and do minimal band
+ steering
+ * number of small fixes
+
+-------------------------------------------------------------------
+Thu Apr 23 19:45:41 UTC 2015 - michael@stroeder.com
+
+- update version 2.4
+- added 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch
+ for CVE-2015-1863
+- updated URLs
+- require pkg-config and libnl3-devel during build
+- replaced hostapd-2.3-defconfig.patch by hostapd-2.4-defconfig.patch
+
+ChangeLog for hostapd since 2.3:
+
+2015-03-15 - v2.4
+ * allow OpenSSL cipher configuration to be set for internal EAP server
+ (openssl_ciphers parameter)
+ * fixed number of small issues based on hwsim test case failures and
+ static analyzer reports
+ * fixed Accounting-Request to not include
duplicated Acct-Session-Id
+ * add support for Acct-Multi-Session-Id in RADIUS Accounting messages
+ * add support for PMKSA caching with SAE
+ * add support for generating BSS Load element (bss_load_update_period)
+ * fixed channel switch from VHT to HT
+ * add INTERFACE-ENABLED and INTERFACE-DISABLED ctrl_iface events
+ * add support for learning STA IPv4/IPv6 addresses and configuring
+ ProxyARP support
+ * dropped support for the madwifi driver interface
+ * add support for Suite B (128-bit and 192-bit level) key management and
+ cipher suites
+ * fixed a regression with driver=wired
+ * extend EAPOL-Key msg 1/4 retry workaround for changing SNonce
+ * add BSS_TM_REQ ctrl_iface command to send BSS Transition Management
+ Request frames and BSS-TM-RESP event to indicate response to such
+ frame
+ * add support for EAP Re-Authentication Protocol (ERP)
+ * fixed AP IE in EAPOL-Key 3/4 when both WPA and FT was enabled
+ * fixed a regression in HT 20/40 coex Action frame parsing
+ * set stdout to be line-buffered
+ * add support for vendor specific VHT extension to enable 256 QAM rates
+ (VHT-MCS 8 and 9) on 2.4 GHz band
+ * RADIUS DAS:
+ - extend Disconnect-Request processing to allow matching of multiple
+ sessions
+ - support Acct-Multi-Session-Id as an identifier
+ - allow PMKSA cache entry to be removed without association
+ * expire hostapd STA entry if kernel does not have a matching entry
+ * allow chanlist to be used to specify a subset of channels for ACS
+ * improve ACS behavior on 2.4 GHz band and allow channel bias to be
+ configured with acs_chan_bias parameter
+ * do not reply to a Probe Request frame that includes DSS Parameter Set
+ element in which the channel does not match the current operating
+ channel
+ * add UPDATE_BEACON ctrl_iface command; this can be used to force Beacon
+ frame contents to be updated and to start beaconing on an interface
+ that used start_disabled=1
+ * fixed some RADIUS server failover cases
+
+-------------------------------------------------------------------
+Mon Jan 5 19:23:24 UTC 2015 - michael@stroeder.com
+
+- update version 2.3
+- removed patch hostapd-2.1-be-host_to_le.patch because it
+ seems obsolete
+- hostapd-2.1-defconfig.patch rediffed and renamed to hostapd-2.3-defconfig.patch
+
+ChangeLog for hostapd since 2.1:
+
+2014-10-09 - v2.3
+ * fixed number of minor issues identified in static analyzer warnings
+ * fixed DFS and channel switch operation for multi-BSS cases
+ * started to use constant time comparison for various password and hash
+ values to reduce possibility of any externally measurable timing
+ differences
+ * extended explicit clearing of freed memory and expired keys to avoid
+ keeping private data in memory longer than necessary
+ * added support for number of new RADIUS attributes from RFC 7268
+ (Mobility-Domain-Id, WLAN-HESSID, WLAN-Pairwise-Cipher,
+ WLAN-Group-Cipher, WLAN-AKM-Suite, WLAN-Group-Mgmt-Pairwise-Cipher)
+ * fixed GET_CONFIG wpa_pairwise_cipher value
+ * added code to clear bridge FDB entry on station disconnection
+ * fixed PMKSA cache timeout from Session-Timeout for WPA/WPA2 cases
+ * fixed OKC PMKSA cache entry fetch to avoid a possible infinite loop
+ in case the first entry does not match
+ * fixed hostapd_cli action script execution to use more robust mechanism
+ (CVE-2014-3686)
+
+2014-06-04 - v2.2
+ * fixed SAE confirm-before-commit validation to avoid a potential
+ segmentation fault in an unexpected message sequence that could be
+ triggered remotely
+ * extended VHT support
+ - Operating Mode Notification
+ - Power Constraint element (local_pwr_constraint)
+ - Spectrum management capability (spectrum_mgmt_required=1)
+ - fix VHT80 segment picking in ACS
+ - fix vht_capab 'Maximum A-MPDU Length Exponent' handling
+ - fix VHT20
+ * fixed HT40 co-ex scan for some pri/sec channel switches
+ * extended HT40 co-ex support to allow dynamic channel width changes
+ during the lifetime of the BSS
+ * fixed
HT40 co-ex support to check for overlapping 20 MHz BSS
+ * fixed MSCHAP UTF-8 to UCS-2 conversion for three-byte encoding;
+ this fixes password with include UTF-8 characters that use
+ three-byte encoding EAP methods that use NtPasswordHash
+ * reverted TLS certificate validation step change in v2.1 that rejected
+ any AAA server certificate with id-kp-clientAuth even if
+ id-kp-serverAuth EKU was included
+ * fixed STA validation step for WPS ER commands to prevent a potential
+ crash if an ER sends an unexpected PutWLANResponse to a station that
+ is disassociated, but not fully removed
+ * enforce full EAP authentication after RADIUS Disconnect-Request by
+ removing the PMKSA cache entry
+ * added support for NAS-IP-Address, NAS-identifier, and NAS-IPv6-Address
+ in RADIUS Disconnect-Request
+ * added mechanism for removing addresses for MAC ACLs by prefixing an
+ entry with "-"
+ * Interworking/Hotspot 2.0 enhancements
+ - support Hotspot 2.0 Release 2
+ * OSEN network for online signup connection
+ * subscription remediation (based on RADIUS server request or
+ control interface HS20_WNM_NOTIF for testing purposes)
+ * Hotspot 2.0 release number indication in WFA RADIUS VSA
+ * deauthentication request (based on RADIUS server request or
+ control interface WNM_DEAUTH_REQ for testing purposes)
+ * Session Info URL RADIUS AVP to trigger ESS Disassociation Imminent
+ * hs20_icon config parameter to configure icon files for OSU
+ * osu_* config parameters for OSU Providers list
+ - do not use Interworking filtering rules on Probe Request if
+ Interworking is disabled to avoid interop issues
+ * added/fixed nl80211 functionality
+ - AP interface teardown optimization
+ - support vendor specific driver command
+ (VENDOR [])
+ * fixed PMF protection of Deauthentication frame when this is triggered
+ by session timeout
+ * internal TLS implementation enhancements/fixes
+ - add SHA256-based cipher suites
+ - add DHE-RSA cipher suites
+ - fix X.509 validation of PKCS#1
signature to check for extra data
+ * RADIUS server functionality
+ - add minimal RADIUS accounting server support (hostapd-as-server);
+ this is mainly to enable testing coverage with hwsim scripts
+ - allow authentication log to be written into SQLite databse
+ - added option for TLS protocol testing of an EAP peer by simulating
+ various misbehaviors/known attacks
+ - MAC ACL support for testing purposes
+ * fixed PTK derivation for CCMP-256 and GCMP-256
+ * extended WPS per-station PSK to support ER case
+ * added option to configure the management group cipher
+ (group_mgmt_cipher=AES-128-CMAC (default), BIP-GMAC-128, BIP-GMAC-256,
+ BIP-CMAC-256)
+ * fixed AP mode default TXOP Limit values for AC_VI and AC_VO (these
+ were rounded incorrectly)
+ * added support for postponing FT response in case PMK-R1 needs to be
+ pulled from R0KH
+ * added option to advertise 40 MHz intolerant HT capability with
+ ht_capab=[40-INTOLERANT]
+ * remove WPS 1.0 only support, i.e., WSC 2.0 support is now enabled
+ whenever CONFIG_WPS=y is set
+ * EAP-pwd fixes
+ - fix possible segmentation fault on EAP method deinit if an invalid
+ group is negotiated
+ * fixed RADIUS client retransmit/failover behavior
+ - there was a potential ctash due to freed memory being accessed
+ - failover to a backup server mechanism did not work properly
+ * fixed a possible crash on double DISABLE command when multiple BSSes
+ are enabled
+ * fixed a memory leak in SAE random number generation
+ * fixed GTK rekeying when the station uses FT protocol
+ * fixed off-by-one bounds checking in printf_encode()
+ - this could result in deinial of service in some EAP server cases
+ * various bug fixes
+
+-------------------------------------------------------------------
+Tue May 27 19:57:16 UTC 2014 - crrodriguez@opensuse.org
+
+- Update hostapd-2.1-defconfig.patch and spec file
+ to build with libnl3 instead of libnl1
+
+-------------------------------------------------------------------
+Wed Apr 16
15:50:48 UTC 2014 - i@marguerite.su
+
+- update version 2.1
+ * see http://hostap.epitest.fi/cgit/hostap/log/ for details.
+- change hostapd.diff to hostapd-2.1-defconfig.patch
+- remove patch: hostapd-tmp.diff, no longer needed.
+
+-------------------------------------------------------------------
+Wed Oct 2 15:33:43 UTC 2013 - dvaleev@suse.com
+
+- fix host_to_le32 undefined on BigEndian architectures
+ (hostapd-be-host_to_le.patch)
+
+-------------------------------------------------------------------
+Thu Apr 18 08:05:13 UTC 2013 - aj@suse.com
+
+- Do not package /etc/init.d
+- Do not install init file since package contains a service file and
+ is only build for Factory
+- Cleanup spec file
+- Use /run instead of /var/run
+
+-------------------------------------------------------------------
+Wed Apr 17 16:14:02 UTC 2013 - cfarrell@suse.com
+
+- license update: GPL-2.0 or BSD-3-Clause
+ README makes it clear that this is a dual license - i.e. choice of either
+ or
+
+-------------------------------------------------------------------
+Tue Apr 9 17:49:22 UTC 2013 - avm-xandry@yandex.ru
+
+- update to version 2.0
+- fix corrected file name hostapd.dif to hostapd.diff
+- in default config includes all features (IEEE 802.11w, Hotspot 2.0, IEEE 802.11ac, WPS, etc.)
+
+-------------------------------------------------------------------
+Tue Nov 6 04:41:17 UTC 2012 - crrodriguez@opensuse.org
+
+- Add Native systemd units
+
+-------------------------------------------------------------------
+Tue May 15 04:55:22 UTC 2012 - glin@suse.com
+
+- update to version 1.0
+- respin hostapd.dif to fit the new defconfig
+- change the file permission of the config files with passwords
+ to 600 (bnc#740964)
+
+-------------------------------------------------------------------
+Wed Oct 12 08:46:43 UTC 2011 - lnussel@suse.de
+
+- update to version 0.7.3
+- don't use /tmp for dump file in default config
+- verbose build
+- fix build for older distros
+- enable driver 'none' for radius only mode
+- add init script
+
+-------------------------------------------------------------------
+Fri Sep 30 15:22:48 UTC 2011 - uli@suse.com
+
+- cross-build fix: use %__cc macro
+
+-------------------------------------------------------------------
+Fri Sep 16 12:02:37 UTC 2011 - jengelh@medozas.de
+
+- Select libnl-1_1-devel
+
+-------------------------------------------------------------------
+Sun Oct 31 12:37:02 UTC 2010 - jengelh@medozas.de
+
+- Use %_smp_mflags
+
+-------------------------------------------------------------------
+Wed Jun 9 05:32:08 CEST 2010 - sndirsch@suse.de
+
+- udpated to release 0.6.10
+- updated hostapd.dif
+- git-commit-eb1f744.diff:
+ * Move DTIM period configuration into Beacon set operation; fixes
+ "Could not set DTIM period for kernel driver; wlan0: Unable to
+ setup interface.rmdir[ctrl_interface]: No such file or
+ directory" error when using "nl80211" driver
+
+-------------------------------------------------------------------
+Wed Sep 24 00:58:59 CEST 2008 - ro@suse.de
+
+- drop buildreq for madwifi (dropped package)
+
+-------------------------------------------------------------------
+Tue Sep 23 01:14:12 CEST 2008 - ro@suse.de
+
+- updae to version 0.5.10, changes:
+ * fixed EAP-SIM and EAP-AKA message parser to
validate attribute
+ lengths properly to avoid potential crash caused by invalid messages
+ * fixed Reassociation Response callback processing when using internal
+ MLME (driver_{hostap,devicescape,test}.c)
+ * fixed EAP-SIM/AKA realm processing to allow decorated usernames to
+ be used
+ * added a workaround for EAP-SIM/AKA peers that include incorrect null
+ termination in the username
+ * fixed EAP-SIM Start response processing for fast reauthentication
+ case
+ * copy optional Proxy-State attributes into RADIUS response when acting
+ as a RADIUS authentication server
+
+- update to version 0.5.9, changes:
+ * updated EAP Generalized Pre-Shared Key (EAP-GPSK) to use the latest
+ draft (draft-ietf-emu-eap-gpsk-07.txt)
+ * fixed debugging code not to use potentially unaligned read to fetch
+ IPv4 addresses
+
+-------------------------------------------------------------------
+Mon Jan 21 14:54:48 CET 2008 - cstender@suse.de
+
+- fixed madwifi include dir (b.n.c #350982)
+
+-------------------------------------------------------------------
+Mon Jul 30 16:57:16 CEST 2007 - jg@suse.de
+
+- update to version 0.5.8, changes:
+ * updated driver_devicescape.c to build with the current
+ wireless-dev.git tree and net/d80211 changes
+ * updated EAP Generalized Pre-Shared Key (EAP-GPSK) to use the latest
+ draft (draft-ietf-emu-eap-gpsk-03.txt)
+ * fixed EAP-MSCHAPv2 server to use a space between S and M parameters
+ in Success Request [Bug 203]
+ * added support for sending EAP-AKA Notifications in error cases
+ * RADIUS server: added support for processing duplicate messages
+ (retransmissions from RADIUS client) by replying with the previous
+ reply
+
+-------------------------------------------------------------------
+Wed Mar 14 17:27:32 CET 2007 - jg@suse.de
+
+- split off hostapd in its own package
+- update to version 0.5.7, changes (shortened):
+ * fixed EAP-PSK bit ordering of the Flags field
+ * fixed configuration reloading (SIGHUP) to re-initialize WPA PSKs
+
* fixed IPv6 connection to RADIUS accounting server
+ * added support for configuring and controlling multiple BSSes per
+ radio interface (bss= in hostapd.conf)
+ * added support for dynamic VLAN configuration
+ * driver_madwifi: fixed configuration of unencrypted modes
+ * added preliminary implementation of IEEE 802.11w/D1.0 (management
+ frame protection)
+ * fixed session timeout processing with drivers that do not use
+ ieee802_11.c (e.g., madwifi)
+ * added 'hostapd_cli new_sta ' command for adding a new STA
+ into hostapd
+ * fixed hostapd to add PMKID KDE into 4-Way Handshake Message 1
+ when using WPA2 even if PMKSA caching is not used
+ * added -P argument for hostapd to write the current
+ process id into a file
+ * added support for RADIUS Authentication Server MIB (RFC 2619)
+ * added support for EAP Generalized Pre-Shared Key
+ * fixed a segmentation fault when RSN pre-authentication was
+ completed successfully
+ * added support for EAP-SAKE
+ * driver_madwifi: added support for getting station RSN IE from
+ madwifi-ng svn r1453 and newer
+ * fixed WPA message 3/4 not to encrypt Key Data field (WPA IE)
+ * added ap_max_inactivity configuration parameter
+ * added support for EAP expanded type (vendor specific EAP methods)
+ * added support for using EAP-SIM pseudonyms and fast re-authentication
+ * added support for EAP-AKA in the integrated EAP authenticator
+
+-------------------------------------------------------------------
+Mon Sep 18 14:13:31 CEST 2006 - jg@suse.de
+
+- hostap-utils: Fixed usage of uninitialised variable (bug 184410)
+- hostapd: Update to version 0.4.9, changes:
+ * added a new configuration option, eapol_version, that can be
+ used to set EAPOL version to 1 (default is 2) to work around
+ broken client implementations that drop EAPOL frames which use
+ version number 2 [Bug 89]
+ * fixed EAP-MSCHAPv2 message length validation
+ * fixed stdarg use in hostapd_logger(): if both stdout and syslog
+ logging was enabled, hostapd
could trigger a segmentation fault
+ in vsyslog on some CPU -- C library combinations
+
+-------------------------------------------------------------------
+Sun Feb 5 19:37:30 CET 2006 - ro@suse.de
+
+- use madwifi-devel in BuildRequires
+
+-------------------------------------------------------------------
+Sun Feb 5 17:09:48 CET 2006 - aj@suse.de
+
+- Remove BuildRequires on km_wlan.
+
+-------------------------------------------------------------------
+Wed Jan 25 21:36:28 CET 2006 - mls@suse.de
+
+- converted neededforbuild to BuildRequires
+
+-------------------------------------------------------------------
+Mon Nov 21 14:00:48 CET 2005 - jg@suse.de
+
+- hostapd: update to 0.4.7, changes:
+ * driver_wired: fixed EAPOL sending to optionally use PAE group
+ address as the destination instead of supplicant MAC address
+ * driver_madwifi: configure driver to use TKIP countermeasures in
+ order to get correct behavior
+ * driver_madwifi: added support for madwifi-ng
+- hostapd: remove obsolete madwifi patch
+- hostapd: updated config file
+- hostap-utils: update to 0.4.7 (no changes)
+- use %{jobs}
+
+-------------------------------------------------------------------
+Tue Nov 8 15:28:33 CET 2005 - jg@suse.de
+
+- do not build as root
+
+-------------------------------------------------------------------
+Fri Nov 4 17:51:44 CET 2005 - jg@suse.de
+
+- hostapd, update to 0.4.6, changes:
+ * added support for replacing user identity from EAP with RADIUS
+ User-Name attribute from Access-Accept message, if that is included,
+ for the RADIUS accounting messages (e.g., for EAP-PEAP/TTLS to get
+ tunneled identity into accounting messages when the RADIUS server
+ does not support better way of doing this with Class attribute)
+ * driver_madwifi: fixed EAPOL packet receive for configuration where
+ ath# is part of a bridge interface
+ * added a configuration file and log analyzer script for logwatch
+ * fixed EAPOL state machine step function to process all state
+
transitions before processing new events; this resolves a race
+ condition in which EAPOL-Start message could trigger hostapd to send
+ two EAP-Response/Identity frames to the authentication server
+- hostapd: added support for madwifi-ng
+- removed hostap-driver, is part of the kernel now
+
+-------------------------------------------------------------------
+Thu Oct 13 16:29:17 CEST 2005 - jg@suse.de
+
+- hostapd: update to 0.4.5, changes (shortened):
+ * added client CA list to the TLS certificate request in order to
+ make it easier for the client to select which certificate to use
+ * added experimental support for EAP-PSK
+ * added support for WE-19 (hostap, madwifi)
+ * fixed PMKSA caching to copy User-Name and Class attributes so
+ that RADIUS accounting gets correct information
+ * start RADIUS accounting only after successful completion of WPA
+ 4-Way Handshake if WPA-PSK is used
+ * fixed PMKSA caching for the case where
+ * EAP-PAX is now registered as EAP type 46
+ * fixed EAP-PAX MAC calculation
+ * fixed EAP-PAX CK and ICK key derivation
+- hostap-driver: update to 0.4.5, changes:
+ * added support for WE-19
+- hostap-utils: update to 0.4.0 (no real changes)
+
+-------------------------------------------------------------------
+Thu Sep 8 16:41:41 CEST 2005 - jg@suse.de
+
+- fixed file permissions
+
+-------------------------------------------------------------------
+Mon Aug 22 15:21:31 CEST 2005 - jg@suse.de
+
+- hostap-driver: update to 0.4.4, changes:
+ * added support for pcmcia changes in Linux 2.6.13
+ * added support for creating sysfs device files (Linux 2.6.x)
+ * fixed power save processing for PS-Poll frames with PwrMgmt flag
+ set (this was causing "wifi0: invalid skb->cb magic" errors)
+ * fixed linking both hostap_cs and hostap_pci to kernel
+ * filter out sequential disconnect events to make race condition with
+ received EAPOL frames less likely to happen (this improves
+ authentication success rate with some APs that send EAPOL
frames
+ very quickly after the (re)association response)
+ * added support for setting channel mask for scan requests
+
+-------------------------------------------------------------------
+Sun Aug 7 22:13:32 CEST 2005 - ro@suse.de
+
+- fix build with current wireless drivers
+
+-------------------------------------------------------------------
+Mon Jul 11 16:34:25 CEST 2005 - jg@suse.de
+
+- hostapd: update to 0.3.9, changes:
+ * fixed a bug which caused some RSN pre-authentication cases to
+ use freed memory and potentially crash hostapd
+ * fixed private key loading for cases where passphrase is not set
+ * fixed WPA2 to add PMKSA cache entry when using integrated EAP
+ authenticator
+ * driver_madwifi: fixed pairwise key removal to allow WPA reauth
+ without disassociation
+ * fixed RADIUS attribute Class processing to only use
+ Access-Accept packets to update Class; previously, other RADIUS
+ authentication packets could have cleared Class attribute
+ * fixed PMKSA caching (EAP authentication was not skipped correctly
+ with the new state machine changes from IEEE 802.1X draft)
+- hostap-driver: update to 0.3.9, changes:
+ * fixed background scans (iwlist wlan0 scan) not to break data
+ connection when in host_roaming 2 mode
+ * fixed beacon frame when moving from monitor mode to master mode
+
+-------------------------------------------------------------------
+Wed Jun 8 08:23:34 CEST 2005 - meissner@suse.de
+
+- adjust hostapd/Makefile to be able to correctly
+ get passed RPM_OPT_FLAGS.
+
+-------------------------------------------------------------------
+Wed Jun 8 00:09:10 CEST 2005 - meissner@suse.de
+
+- Use RPM_OPT_FLAGS.
+ +------------------------------------------------------------------- +Fri Mar 11 14:36:44 CET 2005 - jg@suse.de + +- hostap-driver: + * create sysfs links for ethernet device, not IEEE80211 device + * disabled sysfs links for hostap_cs, as it breaks association + +------------------------------------------------------------------- +Thu Feb 24 15:28:31 CET 2005 - jg@suse.de + +- hostap-driver: fixed sysfs support + +------------------------------------------------------------------- +Mon Feb 14 10:11:51 CET 2005 - jg@suse.de + +- hostapd, hostap-utils, hostap-driver: update to 0.3.7 final + (no real changes, just version rename) + +------------------------------------------------------------------- +Mon Feb 7 21:11:32 CET 2005 - jg@suse.de + +- disabled support for madwifi on non x86(-64) platforms + +------------------------------------------------------------------- +Mon Feb 7 14:43:27 CET 2005 - jg@suse.de + +- hostapd: update to version 0.3.7-pre, changes (shortened): + * added support for configuring a forced PEAP version based on + the Phase 1 identity + * fixed PEAPv1 to use tunneled EAP-Success/Failure instead of + EAP-TLV to terminate authentication + * driver_madwifi: filter wireless events based on ifindex to + allow more than one network interface to be used + * added support for configuring multiple allowed EAP types for + Phase 2 authentication (EAP-PEAP, EAP-TTLS) + * added support for EAP-PEAP in the integrated EAP authenticator + * added support for EAP-GTC in the integrated EAP authenticator + * added support for configuring list of EAP methods for Phase 1 + so that the integrated EAP authenticator can, e.g., use the + wildcard entry for EAP-TLS and EAP-PEAP + * added support for EAP-TTLS in the integrated EAP authenticator + * added support for EAP-SIM in the integrated EAP authenticator + * added support for using hostapd as a RADIUS authentication + server with the integrated EAP authenticator taking care of + EAP authentication + * 
driver_madwifi: fixed group key setup and added get_ssid method + * added support for EAP-MSCHAPv2 in the integrated EAP + authenticator + * added support for integrated EAP-TLS authentication + * added support for reading PKCS#12 (PFX) files (as a replacement + for PEM/DER) to get certificate and private key (CONFIG_PKCS12) + * added support for Acct-{Input,Output}-Gigawords + * added support for Event-Timestamp (in RADIUS Accounting-Requests) + * added support for RADIUS Authentication Client MIB (RFC2618) + * added support for RADIUS Accounting Client MIB (RFC2620) + * made EAP re-authentication period configurable + * fixed EAPOL reauthentication to trigger WPA/WPA2 reauthentication + * added support for multiple WPA pre-shared keys + * added support for multiple driver interfaces to allow hostapd + to be used with other drivers + * added wired authenticator driver interface + * added madwifi driver interface + * fixed RADIUS reconnection after an error in sending interim + accounting packets + * added hostapd control interface for external programs + * finished update from IEEE 802.1X-2001 to IEEE 802.1X-REV + (now d11) + * added support for strict GTK rekeying + * added Prism54 driver interface + * dual-licensed hostapd (GPLv2 and BSD licenses) + * added integrated EAP authenticator that can be used instead of + external RADIUS authentication server +- hostap-driver: update to version 0.3.7-pre, changes: + * improved suspend operation: disable firmware (hostap_cs) and + generate disconnect event to trigger wpa_supplicant to + reassociate immediately after resume + * added new ioctl command for hostapd to clear station specific + accounting data when starting a new accounting session + * added support for the special initialization needed for the + wireless part of multi-function SanDisk ConnectPlus CF cards + (manfid 0xd601, 0x0101) + * fixed card enabling after firmware download in case any of the + netdevs were up when the download was started + * added 
support for Linux wireless extension v17 +- hostap-utils: update to version 0.3.7-pre (no changes) +- added all example configuration files + +------------------------------------------------------------------- +Thu Jan 13 12:26:34 CET 2005 - jg@suse.de + +- hostapd: update to version 0.2.6, changes: + * fixed RADIUS accounting to generate a new session id for cases + where a station reassociates without first being complete + deauthenticated + * fixed STA disassociation handler to mark next timeout state to + deauthenticate the station, i.e., skip long wait for inactivity + poll and extra disassociation, if the STA disassociates without + deauthenticating + * removed 'daemonize' configuration file option since it has not + really been used at all for more than year +- hostap-utils: update to version 0.2.6, changes: + * split_combined_hex: updated to use head/tail -n argument +- hostap-driver: update to version 0.2.6, changes: + * added support for changed PCI API in Linux 2.6.10-rc1 and newer + +------------------------------------------------------------------- +Tue Nov 2 17:53:18 CET 2004 - jg@suse.de + +- hostapd: update to version 0.2.5, changes: + * fixed EAPOL reauthentication to trigger WPA/WPA2 + reauthentication + * fixed EAPOL state machine to stop if STA is removed during + eapol_sm_step(); this fixes at least one segfault triggering + bug with IEEE 802.11i pre-authentication + * fixed an alignment issue that could cause SHA-1 to fail on some + platforms (e.g., Intel ixp425 with a compiler that does not + 32-bit align variables) + * fixed RADIUS reconnection after an error in sending interim + accounting packets +- hostap-driver: update to version 0.2.5, changes: + * fixed card enabling after firmware download in case any of the + netdevs were up when the download was started + * fixed netif_carrier_on/off() calls to leave carrier on for + Master mode; previously this may have been left off in some + cases which could prevent packet bridging with new 
kernel + versions +- hostap-driver: enabled support for non-volatile firmware download + +------------------------------------------------------------------- +Fri Oct 1 18:13:12 CEST 2004 - jg@suse.de + +- fixed sysfs device/driver links (bug 46633) + +------------------------------------------------------------------- +Mon Aug 9 09:35:05 CEST 2004 - jg@suse.de + +- fixed filelist + +------------------------------------------------------------------- +Fri Aug 6 15:09:06 CEST 2004 - jg@suse.de + +- do not install /etc/pcmcia/hostap_cs.conf.example anymore + +------------------------------------------------------------------- +Thu Jul 29 19:51:55 CEST 2004 - jg@suse.de + +- update hostapd to 0.2.4: + * fixed some accounting cases where Accounting-Start was sent + when IEEE 802.1X port was being deauthorized + * modified RADIUS client to re-connect the socket in case of + certain error codes that are generated when a network + interface state is changes (e.g., when IP address changes or + the interface is set UP) + * fixed couple of cases where EAPOL state for a station was freed + twice causing a segfault for hostapd + * fixed couple of bugs in processing WPA deauthentication + * fixed WPA/WPA2 group rekeying to use key index correctly (GN/GM) + * fixed group rekeying to send zero TSC in EAPOL-Key messages to + fix cases where STAs dropped multicast frames as replay attacks + * added support for copying RADIUS Attribute 'Class' from + authentication messages into accounting messages + * send canned EAP failure if RADIUS server sends Access-Reject + without EAP message (previously, Supplicant was not notified + in this case) + * fixed mixed WPA-PSK and WPA-EAP mode to work with WPA-PSK +- update hostap-utils to 0.2.4 (no changes) +- update hostap-driver to 0.2.4: + * fixed wlan#/wifi# interface packet counters (both are supposed + to see data packets once; wlan# was counting TX twice and wifi# + did not count TX or RX at all for most cases) + * fixed compilation with 
PRISM2_NO_STATION_MODES defined + * fixed MAC address changing to update address for wifi# interface + (without this, at least Master mode did not work correctly when + MAC address was changed for wlan#) + * fixed inner-BSS bridge (ap_bridge_packets=1) not to bridge + packets to unauthorized ports when IEEE 802.1X/WPA is used + * merged CryptoAPI versions of WEP/TKIP/CCMP from the wireless-2.6 + BitKeeper tree (not used by default, can be enabled by defining + HOSTAP_USE_CRYPTO_API) + * fixed a buffer overflow in TKIP encryption (hostap_crypt_tkip + module) on big endian hosts + +------------------------------------------------------------------- +Mon May 17 18:15:57 CEST 2004 - jg@suse.de + +- update hostapd to 0.2.1 (shortened): + * added WPA and IEEE 802.11i/RSN (WPA2) Authenticator + functionality + * added support for Acct-Interim-Interval + * added new hostapd.conf variable, nas_identifier, that can be + used to add an optional RADIUS Attribute, NAS-Identifier, into + authentication and accounting messages + * added support for Accounting-On and Accounting-Off messages +- update hostap-utils to 0.2.1: + * hostap_rid: fixed handling of failed RID reads + * fixed prism2_srec not to allow combination of volatile and + non-volatile firmware images (they will corrupt the card flash) + * added support for loading PRI firmware for cards without PRI + * fixed volatile download of combined primary and secondary + firmware to start running the secondary firmware + * added support for dumping PDA in text format and overriding PDA + with text and binary files (prism2_srec options -D, -P, and -O) +- update hostap-driver to 0.2.1 (shortened): + * allow hostapd to send encrypted frames using wlan#ap interface + * added driver support for hostapd WPA Authenticator + * fixed TKIP get sequence number + * clear IFF_RUNNING and generate linkwatch events based on + association status in Managed mode + * added alternative TKIP implementation which uses Michael MIC + implementation 
in CryptoAPI instead of Host AP specific + implementation + * added support for RSN (IEEE 802.11i/WPA2) + * dropped support for Linux 2.2.x and old Linux 2.4.x kernels + * fixed hostap_cs unregistration when PC Card is removed while + Host AP interfaces are still up + * restructured Linux net device use to be more like IEEE 802.1q + VLAN + * disable wlan hardware when radio netdev (wifi#) is down + * fixed Shared Key authentication when using host_decrypt and + kernel driver based IEEE 802.11 management + * added crypto hooks for full MSDU encrypt/decrypt + * fixed iwspy support with Linux wireless ext v16 + * fixed IEEE 802.11 defragmentation when using host-based WEP + decryption and bridging packets between two associated STAs + * added driver support for WPA Authenticator/Supplicant + * added minimal support for ethtool +- fixed bug in hostap-driver Makefile which prevented hostap_cs.ko + from being built + +------------------------------------------------------------------- +Sat Apr 3 17:39:13 CEST 2004 - jg@suse.de + +- fixed sysfs support in hostap driver (bug #37278) + +------------------------------------------------------------------- +Tue Mar 30 11:09:31 CEST 2004 - jg@suse.de + +- skipping build for UM kernels (bug #37448) +- skipping build of hostap_cs in case PCMCIA is disabled in the + kernel config (also bug #37448) + +------------------------------------------------------------------- +Tue Mar 2 08:20:38 CET 2004 - jg@suse.de + +- typo fix in makefile + +------------------------------------------------------------------- +Sun Feb 29 12:28:30 CET 2004 - jg@suse.de + +- update to hostapd-0.1.3, changes: + * fixed event loop to call signal handlers only after returning from + the real signal handler + * reset sta->timeout_next after successful association to make sure + that the previously registered inactivity timer will not remove the + STA immediately (e.g., if STA deauthenticates and re-associates + before the timer is triggered). 
+- update to hostap-driver-0.1.3, changes: + * fixed IEEE 802.11 defragmentation when using host-based WEP + decryption and bridging packets between two associated STAs + (this caused a kernel crash in dev_queue_xmit()) + * reconfigure fragmentation threshold after Port0 enable to work around + issues with some STA firmware versions forgetting the configured + value + * restore retry limit after card reset + * update STA RX statistics also in Repeater mode + * hostap_cs: fixed CS reset when the netdev is down: need to reset + hardware even in this case to make resume from suspend mode work + correctly + * fixed error reporting from Genesis mode download + * changed README to use 'make' instead of 'make pccard/pci/plx' when + building the driver + * replaced CardServices() calls with calls to matching pcmcia_*() + functions (required for Linux 2.6.2 and newer) + * fixed module reference counting of hostap_crypt_wep module for + Linux 2.6.x (i.e., prevent it from be unloaded if it is still used) +- update to hostap-utils-0.1.3, changes: + * prism2_srec: ignore PDR 0x0413 if it is not used (this allows some + of the newer STA firmware 1.8.x versions to be downloaded) + * prism2_srec: fixed combined RAM download of PRI and STA firmwares + to use correct start address +- added driver race condition fix from hostap CVS +- rewrote driver Makefile + +------------------------------------------------------------------- +Mon Jan 26 15:01:49 CET 2004 - jg@suse.de + +- removed kernel-source from neededforbuild + +------------------------------------------------------------------- +Fri Jan 9 18:44:30 CET 2004 - jg@suse.de + +- driver update to version 0.1.2, from ChangeLog + * fixed RTS and Fragmentation thresholds after hw reset + * fixed Managed/Ad-hoc mode authentication with Open System + algorithm when using old (e.g., version 0.6.2) STA firmware + * fixed iwspy support with Linux wireless ext v16 + * fixed WDS interface selection to not select non-WDS interface + * fixed 
wlan#wds#, wlan#ap, and wlan#sta netdevice unregistration + * added PCI ID for Prism3 mini-PCI [hostap_pci] + * fixed yield() backward compatibility code for Linux 2.4.0-18 + * added support for 32-bit CommTallies (if STA f/w >= 0.8.2) + * update counters used for /proc/net/hostap/wlan#/stats periodically + * fixed CommTallies handling on big endian platforms + * added support for Primary-only mode + * fixed failure handling in PCI probe not to crash kernel [hostap_pci] + * merged hostap_crypt module into hostap module + * fixed inactivity polling of stations that are in power saving mode +- utils update to version 0.1.2, from ChangeLog + * fixed prism2_srec not to allow combination of volatile and + non-volatile firmware images (they will corrupt the card flash) + * reduced verbosity of prism2_srec + * added support for volatile download of Primary firmware using + Genesis mode (this is available only for hfa3842; hfa3841, i.e., old + Prism2 cards, require hardware changes for similar function) + ('-g' command line option in prism2_srec) + * added support for merging two srec file (Primary and Secondary(STA) + firmware) into one non-volatile (flash) download +- hostapd update to version 0.1.0 + +------------------------------------------------------------------- +Mon Sep 8 18:35:40 CEST 2003 - agruen@suse.de + +- km_hostap-HZ.diff: Adapt to dynamic-hz kernel patch. 
+ +------------------------------------------------------------------- +Mon Jul 28 16:52:09 CEST 2003 - jg@suse.de + +- update to version 0.0.4, from ChangeLog (shortened) + * moved non-hardware specific RX code from hostap_hw.c into a new file, + hostap_80211_rx.c and removed Prism2 RX descriptor dependency from + hostap_ap.c + * fixed number of compilation issues (RH9 kernel, *.mod files to local + directory, 2.4.x compilation with CONFIG_MODVERSIONS, external + pcmcia-cs) + * removed extra tasklet that was used with TX callback handler + * update basic rate set automaticallyt when changing supported rate set + * fixed compilation without Linux Wireless Extensions + * use less aggressive transmit rate decreasing algorithm + * fixed inactivity expiration of stations using power saving mode + * fixed sending of IEEE 802.1X frames to buffer them if STA is in power + saving mode + * removed backward compatibility code for Linux Wireless Extensions + versions older than ver 9 + * added module parameter 'dev_template' for setting the device name + template (default: 'wlan%d'); this is for hostap_{cs,pci,plx}.o + * changed monitor mode to use pseudo-IBSS mode instead of Host AP mode + to avoid sending out Beacon and ProbeResp frames + * fixed enh_sec setting (hide SSID) to reset Port0 so that the changes + to the beacon are taken into use immediately + * added support for selection which authentication algorithm to use + in station mode + * added support for manual scan and roaming mode (managed/ad-hoc); + * process beacon frames in kernel driver even when hostapd is used + * removed TX power controlling (iwconfig txpower) + +------------------------------------------------------------------- +Tue Jun 17 10:06:30 CEST 2003 - jg@suse.de + +- added directory /usr/src/kernel-modules to filelist + +------------------------------------------------------------------- +Wed Jun 4 13:25:28 CEST 2003 - jg@suse.de + +- Initial package + 
diff --git a/hostapd.keyring b/hostapd.keyring
new file mode 100644
index 0000000..50c1032
--- /dev/null
+++ b/hostapd.keyring
@@ -0,0 +1,36 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: SKS 1.1.6 +Comment: Hostname: keyserver.ubuntu.com + +mQGiBDoydw4RBAC9vfqCsU+dgrxUSdGf70zrEAIBxcjeqHusovztR65XOWE0ccjmQS2TVgJM ++OzYg9FJG7DuLQZDwhR10BZKJfG97fNyZVBCoO90bEcTufn96oceJlz/MHmy99+i6wYdIKYz +vmaxcC1QPhENr1scgin9nMiW1MTPJ7sSgjDqd0QPVwCgmaZUpzhKRusR5E/MmgI2kz73Ui0D +/03lVNypkQTbuBp1q71YqT9qjO8+5kXU5QXJhel0qUgJHcu3rdnIVaiANw1qauMM0DtnRKOt +caZntn03sFNnaJRx0JlmLa/cMP0nm1kPnR6Q3Cruz7InJnJZDXGsGH/ku4OcYLUJ8UgqzaO0 +J5o66j7pxQQDo1UAs4PQaoYq/ECbA/9B6b3TzuHdqUgS/g2AYTc5MU+i92ydrBv2g9SPuH78 +m/X4YicGR1HF7yNiJ/hiVa/axBUHpXE4vW0Bndj1bN4sctFeGGezGRaLiiggZkBBNnL8nF5e +ZebLvPrv4kr8Cchz+lGF5UFNVyLWwi/I5CSUqUtSXOD1Q9WcXoqJcrE2brQXSm91bmkgTWFs +aW5lbiA8akB3MS5maT6IXwQTEQIAHwUCReBvUQIbIwYLCQgHAwIEFQIIAwMWAgECHgECF4AA +CgkQK270Mu/Ilfq/HgCeMavvxAxc9CYwPkbEyFBWNk+Tx3sAn1G23zGdkLx1pTSmKijWJqyO +Oh2iiGIEExECACICGyMGCwkIBwMCBBUCCAMDFgIBAh4BAheABQJGWwf0AhkBAAoJECtu9DLv +yJX6bhgAn3dFmq4Fg3o2tFVvkfU0io0SHztXAJ9QPJ5IrKNW4Pwr1OesEr6VODKRerQZSm91 +bmkgTWFsaW5lbiA8am1Aa2lyLm51PohfBBMRAgAfBQJGWwebAhsjBgsJCAcDAgQVAggDAxYC +AQIeAQIXgAAKCRArbvQy78iV+gZgAJ0Uniuc9gpS8LleYtQrT/cNr/OU5ACfVy5Gqqzal+Mg +8aB6mxKR5B2ende0IEpvdW5pIE1hbGluZW4gPGptQGptLmVwaXRlc3QuZmk+iFcEExECABcF +Ajoydw4FCwcKAwQDFQMCAxYCAQIXgAAKCRArbvQy78iV+o0vAJ4sY07fmnqzR8fMKKju1hhq +kIdeWACeIiA1F2f70GZ8tRRv3sMxP63VFZq0IkpvdW5pIE1hbGluZW4gPGprbWFsaW5lQGNj +Lmh1dC5maT6IVwQTEQIAFwUCOjJ9SQULBwoDBAMVAwIDFgIBAheAAAoJECtu9DLvyJX6mZkA +njfcQtXqkg98YlGv8/kjANhneTb5AJ0bsG6IC8k8gW/B6gtS8SElpE0gb7kCDQQ6MndbEAgA +vKm7+dJttqvYYbOeBjA/l3poNHR4h7rk7VT2LoCak0pYUkvECQXbpUfIWGAxh2084wf5LIkB +TnCEmWfs0ESBqi2zZXX+rWhlEyIWZCIdPdEWC1wmKDBQfFywTmi1Ucu0jMLD13WyEZE/b/Qs +zI2XE1FY8Dm0CkaU4ntCWYXP/wlJmO+rHKUWOYnw10/TTq+bjAN1uRSNQBXN3fOegWIXZ4XL +iZ/kEEvl7I969r6Vc2B6Evp09J0PYsJqj7UR3qfrdXLnahKLmlk/LaV5EgdGNDIzj8hpzQ5I +PaJt4I+UCszA3EAsQlUx46lVK5lugbNkZtmFTAbv0yBuBPYRCvDGvwADBQf+KTqLfJRmwCXK +L4LUhL52ulsjpxbZgvFAlycn9TJ88ywDuhb3/HM9eooNqPu24CokHlscHeyyRInL9pA9932Z 
+dzqkmWzXX7DsQfYPo7Vgvrzlxis6+j4u3yAV4JIcRf3lm4RYOyo+K3fowSPRe7iv8D8mPCYr +x/L8tsOgaIqXN0u6nFJ+RpOfMNBLmawB0hirfUFnf6e6aSH4IJm3O+2BVszP8/X4jFqePmCC +ZBB+rp89/vdakF1AuCRi+kDJ7CKInqqAJP+qxzAk34RUr0MbocaS1CPj0/bALyAWS2bWuoby +ImFaUk82cYlZroqFR1IT1UHXKTuTK69VRw8AvmR/JohGBBgRAgAGBQI6MndbAAoJECtu9DLv +yJX60QgAn1hLZt3rfOZJyXlCtgKXUOeBL8Z+AKCGIt+Y3Lcw/0nycz4hNec00UvDTQ== +=X3Kw +-----END PGP PUBLIC KEY BLOCK----- diff --git a/hostapd.service b/hostapd.service new file mode 100644 index 0000000..e3047cb --- /dev/null +++ b/hostapd.service @@ -0,0 +1,21 @@ +[Unit] +Description=Hostapd IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator +After=network.target + +[Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=true +ProtectHostname=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions +ExecStart=/usr/sbin/hostapd /etc/hostapd.conf +ExecReload=/bin/kill -HUP $MAINPID + +[Install] +WantedBy=multi-user.target diff --git a/hostapd.spec b/hostapd.spec new file mode 100644 index 0000000..864963f --- /dev/null +++ b/hostapd.spec 
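Review bot: The unit starts hostapd as root with no capability or socket-family restriction, so the `Protect*` directives added above `ExecStart=/usr/sbin/hostapd /etc/hostapd.conf` still leave a compromised daemon with the full root capability set and every address family. As far as I can tell an AP/RADIUS daemon needs only CAP_NET_ADMIN and CAP_NET_RAW plus unix, netlink, packet and inet sockets, so add `CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW`, `NoNewPrivileges=true` and `RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_PACKET AF_INET AF_INET6` after the automatic block — verify against a VLAN/bridge and ctrl_interface_group configuration before shipping. Note too that `ProtectKernelTunables=true` makes /proc/sys and /sys read-only, which, if I recall hostapd's proxy-ARP support correctly, will silently deny its sysctl writes when a deployment enables that feature; a comment in the unit stating that trade-off is better than an unexplained failure.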
@@ -0,0 +1,115 @@
+#
+# spec file for package hostapd
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%bcond_without apparmor
+Name: hostapd
+Version: 2.11
+Release: 0
+Summary: Daemon for running a WPA capable Access Point
+License: BSD-3-Clause OR GPL-2.0-only
+Group: Hardware/Wifi
+URL: https://w1.fi/
+Source: https://w1.fi/releases/hostapd-%{version}.tar.gz
+Source1: https://w1.fi/releases/hostapd-%{version}.tar.gz.asc
+# https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x2B6EF432EFC895FA#/%%{name}.keyring
+Source2: %{name}.keyring
+Source3: config
+Source4: hostapd.service
+Source5: apparmor-usr.sbin.hostapd
+BuildRequires: libnl3-devel
+BuildRequires: openssl-devel
+BuildRequires: pkgconfig
+BuildRequires: sqlite3-devel
+BuildRequires: pkgconfig(libnl-3.0) >= 3.0
+BuildRequires: pkgconfig(systemd)
+%{?systemd_requires}
+%if %{with apparmor}
+BuildRequires: apparmor-abstractions
+BuildRequires: apparmor-rpm-macros
+Recommends: apparmor-abstractions
+%endif
+
+%description
+hostapd is a user space daemon for access point and authentication
+servers. It implements IEEE 802.11 access point management, IEEE
+802.1X/WPA/WPA2/EAP Authenticators, RADIUS client, EAP server, and
+RADIUS authentication server. Currently, hostapd supports HostAP,
+madwifi, and prism54 drivers. It also supports wired IEEE 802.1X
+authentication via any ethernet driver.
+
+%prep
+%setup -q
+cp %{SOURCE3} hostapd/.config
+%autopatch -p1
+
+%build
+cd hostapd
+CFLAGS="%{optflags} -D_GNU_SOURCE $(getconf LFS_CFLAGS)" CC="gcc" make %{?_smp_mflags} V=1
+
+%install
+cd hostapd
+install -d %{buildroot}/%{_sbindir}
+install -d %{buildroot}%{_sysconfdir}
+install -d %{buildroot}/%{_mandir}/man8
+install -m 755 hostapd %{buildroot}/%{_sbindir}
+ln -s %{_sbindir}/service %{buildroot}/%{_sbindir}/rchostapd
+install -m 755 hostapd_cli %{buildroot}/%{_sbindir}
+install -m 600 hostapd.conf %{buildroot}%{_sysconfdir}
+install -m 644 hostapd.accept %{buildroot}%{_sysconfdir}
+install -m 644 hostapd.deny %{buildroot}%{_sysconfdir}
+install -m 600 hostapd.eap_user %{buildroot}%{_sysconfdir}
+install -m 600 hostapd.radius_clients %{buildroot}%{_sysconfdir}
+install -m 644 hostapd.sim_db %{buildroot}%{_sysconfdir}
+install -m 644 hostapd.vlan %{buildroot}%{_sysconfdir}
+install -m 600 hostapd.wpa_psk %{buildroot}%{_sysconfdir}
+install -m 644 hostapd.8 %{buildroot}/%{_mandir}/man8
+install -D -m 0644 %{SOURCE4} %{buildroot}%{_unitdir}/hostapd.service
+%if %{with apparmor}
+# AppArmor profile
+mkdir -p %{buildroot}%{_sysconfdir}/apparmor.d
+install -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/apparmor.d/usr.sbin.hostapd
+%endif
+
+%pre
+%service_add_pre hostapd.service
+
+%post
+%service_add_post hostapd.service
+%if %{with apparmor}
+%apparmor_reload %{_sysconfdir}/apparmor.d/usr.sbin.hostapd
+%endif
+
+%preun
+%service_del_preun hostapd.service
+
+%postun
+%service_del_postun hostapd.service
+
+%files
+%config(noreplace) %{_sysconfdir}/hostapd.*
+%if %{with apparmor}
+%dir %{_sysconfdir}/apparmor.d
+%config %{_sysconfdir}/apparmor.d/usr.sbin.hostapd
+%endif
+%{_sbindir}/*
+%license COPYING
+%doc hostapd/ChangeLog hostapd/README hostapd/wired.conf hostapd/hostapd.conf
+%{_mandir}/man8/*
+%{_unitdir}/hostapd.service
+
+%changelog
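Review bot: `install -m 644 hostapd.sim_db %{buildroot}%{_sysconfdir}` in %install ships the SIM database world-readable, while the neighbouring credential files hostapd.eap_user, hostapd.radius_clients and hostapd.wpa_psk are installed 0600. As far as I recall hostapd.sim_db holds per-IMSI GSM triplets or Milenage Ki/OPc values once an operator populates it, and because %files marks /etc/hostapd.* as %config(noreplace) the shipped mode is the one a site keeps, so change it to `install -m 600 hostapd.sim_db %{buildroot}%{_sysconfdir}`. Separately, the %description still claims hostapd "supports HostAP, madwifi, and prism54 drivers", which the libnl BuildRequires suggest is long stale for 2.11 and should be reworded to name the nl80211 driver interface. %prep never references Source1/Source2, so tarball signature verification presumably rests on OBS's source validator rather than on the spec itself; a one-line comment above Source2 saying so would spare the next reviewer the question.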