import hostapd from current Fedora

Related: rhbz#2019830
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Davide Caratti 2021-12-06 16:11:37 +01:00
parent bbf037820f
commit e4e41d13f7
16 changed files with 1377 additions and 0 deletions

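--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+/hostapd-2.9.tar.gz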


@ -0,0 +1,73 @@
From 8c07fa9eda13e835f3f968b2e1c9a8be3a851ff9 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Thu, 29 Aug 2019 11:52:04 +0300
Subject: [PATCH] AP: Silently ignore management frame from unexpected source
address
Do not process any received Management frames with unexpected/invalid SA
so that we do not add any state for unexpected STA addresses or end up
sending out frames to unexpected destination. This prevents unexpected
sequences where an unprotected frame might end up causing the AP to send
out a response to another device and that other device processing the
unexpected response.
In particular, this prevents some potential denial of service cases
where the unexpected response frame from the AP might result in a
connected station dropping its association.
Signed-off-by: Jouni Malinen <j@w1.fi>
---
src/ap/drv_callbacks.c | 13 +++++++++++++
src/ap/ieee802_11.c | 12 ++++++++++++
2 files changed, 25 insertions(+)
diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c
index 31587685fe3b..34ca379edc3d 100644
--- a/src/ap/drv_callbacks.c
+++ b/src/ap/drv_callbacks.c
@@ -131,6 +131,19 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr,
"hostapd_notif_assoc: Skip event with no address");
return -1;
}
+
+ if (is_multicast_ether_addr(addr) ||
+ is_zero_ether_addr(addr) ||
+ os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) {
+ /* Do not process any frames with unexpected/invalid SA so that
+ * we do not add any state for unexpected STA addresses or end
+ * up sending out frames to unexpected destination. */
+ wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR
+ " in received indication - ignore this indication silently",
+ __func__, MAC2STR(addr));
+ return 0;
+ }
+
random_add_randomness(addr, ETH_ALEN);
hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211,
diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index c85a28db44b7..e7065372e158 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -4626,6 +4626,18 @@ int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
fc = le_to_host16(mgmt->frame_control);
stype = WLAN_FC_GET_STYPE(fc);
+ if (is_multicast_ether_addr(mgmt->sa) ||
+ is_zero_ether_addr(mgmt->sa) ||
+ os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
+ /* Do not process any frames with unexpected/invalid SA so that
+ * we do not add any state for unexpected STA addresses or end
+ * up sending out frames to unexpected destination. */
+ wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR
+ " in received frame - ignore this frame silently",
+ MAC2STR(mgmt->sa));
+ return 0;
+ }
+
if (stype == WLAN_FC_STYPE_BEACON) {
handle_beacon(hapd, mgmt, len, fi);
return 1;
--
2.20.1
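Review bot: In the hostapd_notif_assoc hunk the invalid-SA branch returns 0 while the no-address branch a few lines above returns -1, and nothing says why the two rejections report differently to the caller; a one-line comment would stop this from reading as an inconsistency, e.g. `/* Return 0 (event consumed) rather than -1: the indication is deliberately dropped, not failed */`, assuming that is the intent. The same three-way test (multicast, zero, own address) is duplicated verbatim in the ieee802_11_mgmt hunk; a small shared helper in the AP code would keep the two filters from drifting apart if another invalid-SA case is added later. Both enclosing functions begin and end outside the hunks.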


@ -0,0 +1,110 @@
From 872609c15110d32ee2d306aeeeffdd4e42ef6fc6 Mon Sep 17 00:00:00 2001
Message-Id: <872609c15110d32ee2d306aeeeffdd4e42ef6fc6.1627507211.git.davide.caratti@gmail.com>
From: Alexander Clouter <alex@digriz.org.uk>
Date: Fri, 16 Oct 2020 09:49:36 +0100
Subject: [PATCH] EAP-TTLS/PEAP peer: Fix failure when using session tickets
under TLS 1.3
EAP peer does not expect data present when beginning the Phase 2 in
EAP-{TTLS,PEAP} but in TLS 1.3 session tickets are sent after the
handshake completes.
There are several strategies that can be used to handle this, but this
patch picks up from the discussion[1] and implements the proposed use of
SSL_MODE_AUTO_RETRY. SSL_MODE_AUTO_RETRY has already been enabled by
default in OpenSSL 1.1.1, but it needs to be enabled for older versions.
The main OpenSSL wrapper change in tls_connection_decrypt() takes care
of the new possible case with SSL_MODE_AUTO_RETRY for
SSL_ERROR_WANT_READ to indicate that a non-application_data was
processed. That is not really an error case with TLS 1.3, so allow it to
complete and return an empty decrypted application data buffer.
EAP-PEAP/TTLS processing can then use this to move ahead with starting
Phase 2.
[1] https://www.spinics.net/lists/hostap/msg05376.html
Signed-off-by: Alexander Clouter <alex@digriz.org.uk>
---
src/crypto/tls_openssl.c | 18 ++++++++++++++----
src/eap_peer/eap_peap.c | 4 ++++
src/eap_peer/eap_ttls.c | 5 +++++
3 files changed, 23 insertions(+), 4 deletions(-)
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index ef872c50e..345a35ee1 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -1045,6 +1045,8 @@ void * tls_init(const struct tls_config *conf)
SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv2);
SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv3);
+ SSL_CTX_set_mode(ssl, SSL_MODE_AUTO_RETRY);
+
#ifdef SSL_MODE_NO_AUTO_CHAIN
/* Number of deployed use cases assume the default OpenSSL behavior of
* auto chaining the local certificate is in use. BoringSSL removed this
@@ -4543,10 +4545,18 @@ struct wpabuf * tls_connection_decrypt(void *tls_ctx,
return NULL;
res = SSL_read(conn->ssl, wpabuf_mhead(buf), wpabuf_size(buf));
if (res < 0) {
- tls_show_errors(MSG_INFO, __func__,
- "Decryption failed - SSL_read");
- wpabuf_free(buf);
- return NULL;
+ int err = SSL_get_error(conn->ssl, res);
+
+ if (err == SSL_ERROR_WANT_READ) {
+ wpa_printf(MSG_DEBUG,
+ "SSL: SSL_connect - want more data");
+ res = 0;
+ } else {
+ tls_show_errors(MSG_INFO, __func__,
+ "Decryption failed - SSL_read");
+ wpabuf_free(buf);
+ return NULL;
+ }
}
wpabuf_put(buf, res);
diff --git a/src/eap_peer/eap_peap.c b/src/eap_peer/eap_peap.c
index 7c3704369..a13428d37 100644
--- a/src/eap_peer/eap_peap.c
+++ b/src/eap_peer/eap_peap.c
@@ -803,6 +803,10 @@ static int eap_peap_decrypt(struct eap_sm *sm, struct eap_peap_data *data,
res = eap_peer_tls_decrypt(sm, &data->ssl, in_data, &in_decrypted);
if (res)
return res;
+ if (wpabuf_len(in_decrypted) == 0) {
+ wpabuf_free(in_decrypted);
+ return 1;
+ }
continue_req:
wpa_hexdump_buf(MSG_DEBUG, "EAP-PEAP: Decrypted Phase 2 EAP",
diff --git a/src/eap_peer/eap_ttls.c b/src/eap_peer/eap_ttls.c
index 642d179c6..3bf1e97e6 100644
--- a/src/eap_peer/eap_ttls.c
+++ b/src/eap_peer/eap_ttls.c
@@ -1441,6 +1441,7 @@ static int eap_ttls_decrypt(struct eap_sm *sm, struct eap_ttls_data *data,
if ((in_data == NULL || wpabuf_len(in_data) == 0) &&
data->phase2_start) {
+start:
return eap_ttls_phase2_start(sm, data, ret, identifier,
out_data);
}
@@ -1455,6 +1456,10 @@ static int eap_ttls_decrypt(struct eap_sm *sm, struct eap_ttls_data *data,
retval = eap_peer_tls_decrypt(sm, &data->ssl, in_data, &in_decrypted);
if (retval)
goto done;
+ if (wpabuf_len(in_decrypted) == 0) {
+ wpabuf_free(in_decrypted);
+ goto start;
+ }
continue_req:
data->phase2_start = 0;
--
2.31.1
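Review bot: In the eap_ttls.c hunk the backward `goto start` lands inside the body of the `if ((in_data == NULL || wpabuf_len(in_data) == 0) && data->phase2_start)` block, so eap_ttls_phase2_start() is reached without that guard being re-evaluated; an empty decrypted buffer arriving after Phase 2 has begun (data->phase2_start already cleared at the `continue_req:` path) would appear to restart Phase 2 rather than be treated as a no-op. If only the first ticket-before-Phase-2 case is intended, guard the jump, `if (wpabuf_len(in_decrypted) == 0 && data->phase2_start)`, or state in a comment why re-running phase2_start is acceptable. Separately, the new debug text in tls_connection_decrypt, `"SSL: SSL_connect - want more data"`, names the wrong call; `"SSL: SSL_read - want more data (non-application data processed)"` matches what the branch actually handles. All three enclosing functions extend beyond the hunks.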


@ -0,0 +1,66 @@
From 9afb68b03976d019bb450e5e33b0d8e48867691c Mon Sep 17 00:00:00 2001
Message-Id: <9afb68b03976d019bb450e5e33b0d8e48867691c.1626202922.git.davide.caratti@gmail.com>
From: Jouni Malinen <jouni@codeaurora.org>
Date: Tue, 8 Sep 2020 17:55:36 +0300
Subject: [PATCH] OpenSSL: Allow systemwide secpolicy overrides for TLS version
Explicit configuration to enable TLS v1.0 and/or v1.1 did not work with
systemwide OpenSSL secpolicy=2 cases (e.g., Ubuntu 20.04). Allow such
systemwide configuration to be overridden if the older TLS versions have
been explicitly enabled in the network profile. The default behavior
follows the systemwide policy, but this allows compatibility with old
authentication servers without having to touch the systemwide policy.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
---
src/crypto/tls_openssl.c | 26 +++++++++++++++++---------
1 file changed, 17 insertions(+), 9 deletions(-)
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index e73dd7f5b..f7dfecbbf 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -2995,16 +2995,12 @@ static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags,
/* Explicit request to enable TLS versions even if needing to
* override systemwide policies. */
- if (flags & TLS_CONN_ENABLE_TLSv1_0) {
+ if (flags & TLS_CONN_ENABLE_TLSv1_0)
version = TLS1_VERSION;
- } else if (flags & TLS_CONN_ENABLE_TLSv1_1) {
- if (!(flags & TLS_CONN_DISABLE_TLSv1_0))
- version = TLS1_1_VERSION;
- } else if (flags & TLS_CONN_ENABLE_TLSv1_2) {
- if (!(flags & (TLS_CONN_DISABLE_TLSv1_0 |
- TLS_CONN_DISABLE_TLSv1_1)))
- version = TLS1_2_VERSION;
- }
+ else if (flags & TLS_CONN_ENABLE_TLSv1_1)
+ version = TLS1_1_VERSION;
+ else if (flags & TLS_CONN_ENABLE_TLSv1_2)
+ version = TLS1_2_VERSION;
if (!version) {
wpa_printf(MSG_DEBUG,
"OpenSSL: Invalid TLS version configuration");
@@ -3018,6 +3014,18 @@ static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags,
}
}
#endif /* >= 1.1.0 */
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
+ !defined(LIBRESSL_VERSION_NUMBER) && \
+ !defined(OPENSSL_IS_BORINGSSL)
+ if ((flags & (TLS_CONN_ENABLE_TLSv1_0 | TLS_CONN_ENABLE_TLSv1_1)) &&
+ SSL_get_security_level(ssl) >= 2) {
+ /*
+ * Need to drop to security level 1 to allow TLS versions older
+ * than 1.2 to be used when explicitly enabled in configuration.
+ */
+ SSL_set_security_level(conn->ssl, 1);
+ }
+#endif
#ifdef CONFIG_SUITEB
#ifdef OPENSSL_IS_BORINGSSL
--
2.31.1
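Review bot: The new security-level override reads the level through `ssl` but writes it through `conn->ssl` (`SSL_get_security_level(ssl)` vs `SSL_set_security_level(conn->ssl, 1)`); if, as it appears, `ssl` is a local alias of `conn->ssl` declared outside the hunk, use one spelling so a reader does not suspect two different objects. The comment should also say what level 1 costs: an OpenSSL security level relaxes more than the minimum protocol version — it lowers the cipher-strength and key-size floor for the whole connection — so it could read `/* Level 1 also relaxes OpenSSL's cipher/key-size minimums, not just the TLS version floor; only done when the profile explicitly enabled TLS 1.0/1.1. */`. The enclosing function tls_set_conn_flags continues outside both hunks.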


@ -0,0 +1,150 @@
From 5b78c8f961f25f4dc22d6f2b77ddd06d712cec63 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <jouni@codeaurora.org>
Date: Wed, 3 Jun 2020 23:17:35 +0300
Subject: [PATCH 1/3] WPS UPnP: Do not allow event subscriptions with URLs to
other networks
The UPnP Device Architecture 2.0 specification errata ("UDA errata
16-04-2020.docx") addresses a problem with notifications being allowed
to go out to other domains by disallowing such cases. Do such filtering
for the notification callback URLs to avoid undesired connections to
external networks based on subscriptions that any device in the local
network could request when WPS support for external registrars is
enabled (the upnp_iface parameter in hostapd configuration).
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
---
src/wps/wps_er.c | 2 +-
src/wps/wps_upnp.c | 38 ++++++++++++++++++++++++++++++++++++--
src/wps/wps_upnp_i.h | 3 ++-
3 files changed, 39 insertions(+), 4 deletions(-)
diff --git a/src/wps/wps_er.c b/src/wps/wps_er.c
index 6bded14327f8..31d2e50e4cff 100644
--- a/src/wps/wps_er.c
+++ b/src/wps/wps_er.c
@@ -1298,7 +1298,7 @@ wps_er_init(struct wps_context *wps, const char *ifname, const char *filter)
"with %s", filter);
}
if (get_netif_info(er->ifname, &er->ip_addr, &er->ip_addr_text,
- er->mac_addr)) {
+ NULL, er->mac_addr)) {
wpa_printf(MSG_INFO, "WPS UPnP: Could not get IP/MAC address "
"for %s. Does it have IP address?", er->ifname);
wps_er_deinit(er, NULL, NULL);
diff --git a/src/wps/wps_upnp.c b/src/wps/wps_upnp.c
index 6e10e4bc0c3f..7d4b7439940e 100644
--- a/src/wps/wps_upnp.c
+++ b/src/wps/wps_upnp.c
@@ -303,6 +303,14 @@ static void subscr_addr_free_all(struct subscription *s)
}
+static int local_network_addr(struct upnp_wps_device_sm *sm,
+ struct sockaddr_in *addr)
+{
+ return (addr->sin_addr.s_addr & sm->netmask.s_addr) ==
+ (sm->ip_addr & sm->netmask.s_addr);
+}
+
+
/* subscr_addr_add_url -- add address(es) for one url to subscription */
static void subscr_addr_add_url(struct subscription *s, const char *url,
size_t url_len)
@@ -381,6 +389,7 @@ static void subscr_addr_add_url(struct subscription *s, const char *url,
for (rp = result; rp; rp = rp->ai_next) {
struct subscr_addr *a;
+ struct sockaddr_in *addr = (struct sockaddr_in *) rp->ai_addr;
/* Limit no. of address to avoid denial of service attack */
if (dl_list_len(&s->addr_list) >= MAX_ADDR_PER_SUBSCRIPTION) {
@@ -389,6 +398,13 @@ static void subscr_addr_add_url(struct subscription *s, const char *url,
break;
}
+ if (!local_network_addr(s->sm, addr)) {
+ wpa_printf(MSG_INFO,
+ "WPS UPnP: Ignore a delivery URL that points to another network %s",
+ inet_ntoa(addr->sin_addr));
+ continue;
+ }
+
a = os_zalloc(sizeof(*a) + alloc_len);
if (a == NULL)
break;
@@ -890,11 +906,12 @@ static int eth_get(const char *device, u8 ea[ETH_ALEN])
* @net_if: Selected network interface name
* @ip_addr: Buffer for returning IP address in network byte order
* @ip_addr_text: Buffer for returning a pointer to allocated IP address text
+ * @netmask: Buffer for returning netmask or %NULL if not needed
* @mac: Buffer for returning MAC address
* Returns: 0 on success, -1 on failure
*/
int get_netif_info(const char *net_if, unsigned *ip_addr, char **ip_addr_text,
- u8 mac[ETH_ALEN])
+ struct in_addr *netmask, u8 mac[ETH_ALEN])
{
struct ifreq req;
int sock = -1;
@@ -920,6 +937,19 @@ int get_netif_info(const char *net_if, unsigned *ip_addr, char **ip_addr_text,
in_addr.s_addr = *ip_addr;
os_snprintf(*ip_addr_text, 16, "%s", inet_ntoa(in_addr));
+ if (netmask) {
+ os_memset(&req, 0, sizeof(req));
+ os_strlcpy(req.ifr_name, net_if, sizeof(req.ifr_name));
+ if (ioctl(sock, SIOCGIFNETMASK, &req) < 0) {
+ wpa_printf(MSG_ERROR,
+ "WPS UPnP: SIOCGIFNETMASK failed: %d (%s)",
+ errno, strerror(errno));
+ goto fail;
+ }
+ addr = (struct sockaddr_in *) &req.ifr_netmask;
+ netmask->s_addr = addr->sin_addr.s_addr;
+ }
+
#ifdef __linux__
os_strlcpy(req.ifr_name, net_if, sizeof(req.ifr_name));
if (ioctl(sock, SIOCGIFHWADDR, &req) < 0) {
@@ -1026,11 +1056,15 @@ static int upnp_wps_device_start(struct upnp_wps_device_sm *sm, char *net_if)
/* Determine which IP and mac address we're using */
if (get_netif_info(net_if, &sm->ip_addr, &sm->ip_addr_text,
- sm->mac_addr)) {
+ &sm->netmask, sm->mac_addr)) {
wpa_printf(MSG_INFO, "WPS UPnP: Could not get IP/MAC address "
"for %s. Does it have IP address?", net_if);
goto fail;
}
+ wpa_printf(MSG_DEBUG, "WPS UPnP: Local IP address %s netmask %s hwaddr "
+ MACSTR,
+ sm->ip_addr_text, inet_ntoa(sm->netmask),
+ MAC2STR(sm->mac_addr));
/* Listen for incoming TCP connections so that others
* can fetch our "xml files" from us.
diff --git a/src/wps/wps_upnp_i.h b/src/wps/wps_upnp_i.h
index e87a93232df1..6ead7b4e9a30 100644
--- a/src/wps/wps_upnp_i.h
+++ b/src/wps/wps_upnp_i.h
@@ -128,6 +128,7 @@ struct upnp_wps_device_sm {
u8 mac_addr[ETH_ALEN]; /* mac addr of network i.f. we use */
char *ip_addr_text; /* IP address of network i.f. we use */
unsigned ip_addr; /* IP address of network i.f. we use (host order) */
+ struct in_addr netmask;
int multicast_sd; /* send multicast messages over this socket */
int ssdp_sd; /* receive discovery UPD packets on socket */
int ssdp_sd_registered; /* nonzero if we must unregister */
@@ -158,7 +159,7 @@ struct subscription * subscription_find(struct upnp_wps_device_sm *sm,
const u8 uuid[UUID_LEN]);
void subscr_addr_delete(struct subscr_addr *a);
int get_netif_info(const char *net_if, unsigned *ip_addr, char **ip_addr_text,
- u8 mac[ETH_ALEN]);
+ struct in_addr *netmask, u8 mac[ETH_ALEN]);
/* wps_upnp_ssdp.c */
void msearchreply_state_machine_stop(struct advertisement_state_machine *a);
--
2.20.1
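Review bot: local_network_addr() masks `sm->ip_addr` against `sm->netmask.s_addr` and `addr->sin_addr.s_addr`, which only works if all three share a byte order, yet the struct comment in wps_upnp_i.h says `ip_addr` is "host order" while the get_netif_info() doc block says it is returned "in network byte order"; one of the two comments is wrong, and if it is the header then the filter silently compares mixed-endian values. Whichever is true, correct the comment and state the assumption next to the comparison, e.g. `/* ip_addr, netmask and sin_addr are all network byte order */`. The cast of `rp->ai_addr` to `struct sockaddr_in *` in subscr_addr_add_url() is only safe if the getaddrinfo hints (outside the hunk) restrict results to AF_INET; otherwise an `rp->ai_family != AF_INET` check should precede it. A netmask of 0.0.0.0 returned by SIOCGIFNETMASK would also make every address "local", which may be worth rejecting in get_netif_info().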


@ -0,0 +1,58 @@
From e2e9adc3d9b6bb9c433ebb6404ee439b42e91746 Mon Sep 17 00:00:00 2001
Message-Id: <e2e9adc3d9b6bb9c433ebb6404ee439b42e91746.1629375427.git.davide.caratti@gmail.com>
From: Davide Caratti <davide.caratti@gmail.com>
Date: Tue, 17 Aug 2021 10:58:53 +0200
Subject: [PATCH] openssl: Disable padding after initializing the cipher suite
according to OpenSSL documentation [1], EVP_CIPHER_CTX_set_padding()
should be called after EVP_EncryptInit_ex(), EVP_DecryptInit_ex(), or
EVP_CipherInit_ex(). Not doing this causes EVP_CIPHER_CTX_set_padding()
to return false on OpenSSL-3.0.0, resulting in the impossibility to
connect in many scenarios. Fix this changing the order of function calls
where needed.
[1] https://www.openssl.org/docs/man1.1.1/man3/EVP_CIPHER_CTX_set_padding.html
Reported-by: Vladimir Benes <vbenes@redhat.com>
Signed-off-by: Davide Caratti <davide.caratti@gmail.com>
---
src/crypto/crypto_openssl.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c
index 9411cb9cf..4b87702e4 100644
--- a/src/crypto/crypto_openssl.c
+++ b/src/crypto/crypto_openssl.c
@@ -248,8 +248,8 @@ int rc4_skip(const u8 *key, size_t keylen, size_t skip,
ctx = EVP_CIPHER_CTX_new();
if (!ctx ||
- !EVP_CIPHER_CTX_set_padding(ctx, 0) ||
!EVP_CipherInit_ex(ctx, EVP_rc4(), NULL, NULL, NULL, 1) ||
+ !EVP_CIPHER_CTX_set_padding(ctx, 0) ||
!EVP_CIPHER_CTX_set_key_length(ctx, keylen) ||
!EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, 1))
goto out;
@@ -709,8 +709,8 @@ struct crypto_cipher * crypto_cipher_init(enum crypto_cipher_alg alg,
}
if (!(ctx->enc = EVP_CIPHER_CTX_new()) ||
- !EVP_CIPHER_CTX_set_padding(ctx->enc, 0) ||
!EVP_EncryptInit_ex(ctx->enc, cipher, NULL, NULL, NULL) ||
+ !EVP_CIPHER_CTX_set_padding(ctx->enc, 0) ||
!EVP_CIPHER_CTX_set_key_length(ctx->enc, key_len) ||
!EVP_EncryptInit_ex(ctx->enc, NULL, NULL, key, iv)) {
if (ctx->enc)
@@ -720,8 +720,8 @@ struct crypto_cipher * crypto_cipher_init(enum crypto_cipher_alg alg,
}
if (!(ctx->dec = EVP_CIPHER_CTX_new()) ||
- !EVP_CIPHER_CTX_set_padding(ctx->dec, 0) ||
!EVP_DecryptInit_ex(ctx->dec, cipher, NULL, NULL, NULL) ||
+ !EVP_CIPHER_CTX_set_padding(ctx->dec, 0) ||
!EVP_CIPHER_CTX_set_key_length(ctx->dec, key_len) ||
!EVP_DecryptInit_ex(ctx->dec, NULL, NULL, key, iv)) {
EVP_CIPHER_CTX_free(ctx->enc);
--
2.31.1


@ -0,0 +1,68 @@
From d265dd2d965db3669d07caa69539beb8def0edb2 Mon Sep 17 00:00:00 2001
Message-Id: <d265dd2d965db3669d07caa69539beb8def0edb2.1629375437.git.davide.caratti@gmail.com>
From: Davide Caratti <davide.caratti@gmail.com>
Date: Tue, 17 Aug 2021 10:58:54 +0200
Subject: [PATCH] openssl: Remove deprecated functions from des_encrypt()
NetworkManager-CI detected systematic failures on test scenarios using
MSCHAPv2 when wpa_supplicant uses OpenSSL-3.0.0.
The 'test_module_tests.py' script also fails, and the following log is
shown:
1627404013.761569: generate_nt_response failed
1627404013.761582: ms_funcs: 1 error
It seems that either DES_set_key() or DES_ecb_encrypt() changed their
semantic, but it doesn't make sense to fix them since their use has been
deprecated. Converting des_encrypt() to avoid use of deprecated
functions proved to fix the problem, and removed a couple of build
warnings at the same time.
Reported-by: Vladimir Benes <vbenes@redhat.com>
Signed-off-by: Davide Caratti <davide.caratti@gmail.com>
---
src/crypto/crypto_openssl.c | 21 +++++++++++++++------
1 file changed, 15 insertions(+), 6 deletions(-)
diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c
index a4b1083bb..9411cb9cf 100644
--- a/src/crypto/crypto_openssl.c
+++ b/src/crypto/crypto_openssl.c
@@ -206,8 +206,8 @@ int md4_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
int des_encrypt(const u8 *clear, const u8 *key, u8 *cypher)
{
u8 pkey[8], next, tmp;
- int i;
- DES_key_schedule ks;
+ int i, plen, ret = -1;
+ EVP_CIPHER_CTX *ctx;
/* Add parity bits to the key */
next = 0;
@@ -218,10 +218,19 @@ int des_encrypt(const u8 *clear, const u8 *key, u8 *cypher)
}
pkey[i] = next | 1;
- DES_set_key((DES_cblock *) &pkey, &ks);
- DES_ecb_encrypt((DES_cblock *) clear, (DES_cblock *) cypher, &ks,
- DES_ENCRYPT);
- return 0;
+ ctx = EVP_CIPHER_CTX_new();
+ if (ctx &&
+ EVP_EncryptInit_ex(ctx, EVP_des_ecb(), NULL, pkey, NULL) == 1 &&
+ EVP_CIPHER_CTX_set_padding(ctx, 0) == 1 &&
+ EVP_EncryptUpdate(ctx, cypher, &plen, clear, 8) == 1 &&
+ EVP_EncryptFinal_ex(ctx, &cypher[plen], &plen) == 1)
+ ret = 0;
+ else
+ wpa_printf(MSG_ERROR, "OpenSSL: DES encrypt failed");
+
+ if (ctx)
+ EVP_CIPHER_CTX_free(ctx);
+ return ret;
}
--
2.31.1
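Review bot: `EVP_EncryptFinal_ex(ctx, &cypher[plen], &plen)` is handed a pointer one past the end of the output block (plen is 8 after a successful EVP_EncryptUpdate of the 8 input bytes, and `cypher` is presumably a single DES block); with padding disabled Final writes nothing, so this is correct today but depends silently on the set_padding call above, and any future padding would overrun `cypher`. Making the dependence explicit costs three lines: declare `u8 fin[8]; int flen = 0;` alongside `ctx`, change the Update test to `EVP_EncryptUpdate(ctx, cypher, &plen, clear, 8) == 1 && plen == 8 &&`, and finish with `EVP_EncryptFinal_ex(ctx, fin, &flen) == 1 && flen == 0)`. It is also worth a comment that `plen` is only initialized by EVP_EncryptUpdate and that the short-circuit `&&` chain is what keeps `&cypher[plen]` from reading an uninitialized value, since that is easy to break when reordering. The parity-key loop of des_encrypt begins outside the hunk.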


@ -0,0 +1,59 @@
From f7d268864a2660b7239b9a8ff5ad37faeeb751ba Mon Sep 17 00:00:00 2001
From: Jouni Malinen <jouni@codeaurora.org>
Date: Wed, 3 Jun 2020 22:41:02 +0300
Subject: [PATCH 2/3] WPS UPnP: Fix event message generation using a long URL
path
More than about 700 character URL ended up overflowing the wpabuf used
for building the event notification and this resulted in the wpabuf
buffer overflow checks terminating the hostapd process. Fix this by
allocating the buffer to be large enough to contain the full URL path.
However, since that around 700 character limit has been the practical
limit for more than ten years, start explicitly enforcing that as the
limit or the callback URLs since any longer ones had not worked before
and there is no need to enable them now either.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
---
src/wps/wps_upnp.c | 9 +++++++--
src/wps/wps_upnp_event.c | 3 ++-
2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/src/wps/wps_upnp.c b/src/wps/wps_upnp.c
index 7d4b7439940e..ab685d52ecab 100644
--- a/src/wps/wps_upnp.c
+++ b/src/wps/wps_upnp.c
@@ -328,9 +328,14 @@ static void subscr_addr_add_url(struct subscription *s, const char *url,
int rerr;
size_t host_len, path_len;
- /* url MUST begin with http: */
- if (url_len < 7 || os_strncasecmp(url, "http://", 7))
+ /* URL MUST begin with HTTP scheme. In addition, limit the length of
+ * the URL to 700 characters which is around the limit that was
+ * implicitly enforced for more than 10 years due to a bug in
+ * generating the event messages. */
+ if (url_len < 7 || os_strncasecmp(url, "http://", 7) || url_len > 700) {
+ wpa_printf(MSG_DEBUG, "WPS UPnP: Reject an unacceptable URL");
goto fail;
+ }
url += 7;
url_len -= 7;
diff --git a/src/wps/wps_upnp_event.c b/src/wps/wps_upnp_event.c
index d7e6edcc6503..08a23612f338 100644
--- a/src/wps/wps_upnp_event.c
+++ b/src/wps/wps_upnp_event.c
@@ -147,7 +147,8 @@ static struct wpabuf * event_build_message(struct wps_event_ *e)
struct wpabuf *buf;
char *b;
- buf = wpabuf_alloc(1000 + wpabuf_len(e->data));
+ buf = wpabuf_alloc(1000 + os_strlen(e->addr->path) +
+ wpabuf_len(e->data));
if (buf == NULL)
return NULL;
wpabuf_printf(buf, "NOTIFY %s HTTP/1.1\r\n", e->addr->path);
--
2.20.1
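Review bot: The 700-character cap in subscr_addr_add_url() and the 1000-byte headroom in event_build_message() are tied together by the event-message layout but appear as two unexplained literals in two files; give the cap a name (an enum or `#define` in wps_upnp_i.h, placeholder `MAX_SUBSCR_URL_LEN`) and reference it from both places so the allocation and the limit cannot drift apart. The new debug line `"WPS UPnP: Reject an unacceptable URL"` does not say which of the three tests failed; logging `url_len` (the length only, not the untrusted URL text) would make the new limit diagnosable at MSG_DEBUG. Both enclosing functions extend outside the hunks.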


@ -0,0 +1,47 @@
From 85aac526af8612c21b3117dadc8ef5944985b476 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <jouni@codeaurora.org>
Date: Thu, 4 Jun 2020 21:24:04 +0300
Subject: [PATCH 3/3] WPS UPnP: Handle HTTP initiation failures for events more
properly
While it is appropriate to try to retransmit the event to another
callback URL on a failure to initiate the HTTP client connection, there
is no point in trying the exact same operation multiple times in a row.
Replve the event_retry() calls with event_addr_failure() for these cases
to avoid busy loops trying to repeat the same failing operation.
These potential busy loops would go through eloop callbacks, so the
process is not completely stuck on handling them, but unnecessary CPU
would be used to process the continues retries that will keep failing
for the same reason.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
---
src/wps/wps_upnp_event.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/wps/wps_upnp_event.c b/src/wps/wps_upnp_event.c
index 08a23612f338..c0d9e41d9a38 100644
--- a/src/wps/wps_upnp_event.c
+++ b/src/wps/wps_upnp_event.c
@@ -294,7 +294,7 @@ static int event_send_start(struct subscription *s)
buf = event_build_message(e);
if (buf == NULL) {
- event_retry(e, 0);
+ event_addr_failure(e);
return -1;
}
@@ -302,7 +302,7 @@ static int event_send_start(struct subscription *s)
event_http_cb, e);
if (e->http_event == NULL) {
wpabuf_free(buf);
- event_retry(e, 0);
+ event_addr_failure(e);
return -1;
}
--
2.20.1

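--- a/hostapd.conf
+++ b/hostapd.conf
@@ -0,0 +1,40 @@
+#
+# This will give you a minimal, insecure wireless network.
+#
+# DO NOT BE SATISFIED WITH THAT!!!
+#
+# A complete, well commented example configuration file is
+# available here:
+#
+# /usr/share/doc/hostapd/hostapd.conf
+#
+# For more information, look here:
+#
+# http://wireless.kernel.org/en/users/Documentation/hostapd
+#
+ctrl_interface=/var/run/hostapd
+ctrl_interface_group=wheel
+# Some usable default settings...
+macaddr_acl=0
+auth_algs=1
+ignore_broadcast_ssid=0
+# Uncomment these for base WPA & WPA2 support with a pre-shared key
+#wpa=3
+#wpa_key_mgmt=WPA-PSK
+#wpa_pairwise=TKIP
+#rsn_pairwise=CCMP
+# DO NOT FORGET TO SET A WPA PASSPHRASE!!
+#wpa_passphrase=YourPassPhrase
+# Most modern wireless drivers in the kernel need driver=nl80211
+driver=nl80211
+# Customize these for your local configuration...
+interface=
+hw_mode=
+channel=
+ssid=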
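Review bot: `ctrl_interface_group=wheel` hands control-socket access to every wheel member; the man page added in this same commit explains the knob, but the config comment does not, so a line such as `# wheel members can drive hostapd via hostapd_cli; narrow this group if that is not wanted` above it would make the default a conscious choice. The commented example `#wpa=3` with `#wpa_pairwise=TKIP` enables WPA1/TKIP alongside WPA2; if the sample is meant to nudge toward a sound setup, `#wpa=2` with only `#rsn_pairwise=CCMP` would be the better template.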

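--- a/hostapd.conf.5
+++ b/hostapd.conf.5
@@ -0,0 +1,127 @@
+.\" Manpage for hostapd.conf.
+.\" Original scrape of https://www.daemon-systems.org/man/hostapd.conf.5.html
+.\" Contact linville@redhat.com to correct errors or typos.
+.TH hostapd.conf 5 "10 Feb 2021" "1.0" "hostapd.conf man page"
+.SH NAME
+hostapd.conf \- configuration file for hostapd(8) utility
+.SH DESCRIPTION
+The hostapd.conf utility is an authenticator for IEEE 802.11 networks.
+It provides full support for WPA/IEEE 802.11i and can also act as an IEEE
+802.1X Authenticator with a suitable backend Authentication Server
+(typically FreeRADIUS).
+The configuration file consists of global parameters and domain specific
+configuration:
+.P
+\(bu IEEE 802.1X-2004
+.P
+\(bu RADIUS client
+.P
+\(bu RADIUS authentication server
+.P
+\(bu WPA/IEEE 802.11i
+.SH GLOBAL PARAMETERS
+The following parameters are recognized:
+.SS interface
+Interface name. Should be set in "hostap" mode.
+.SS debug
+Debugging mode: 0 = no, 1 = minimal, 2 = verbose, 3 = msg dumps,
+4 = excessive.
+.SS dump_file
+Dump file for state information (on SIGUSR1).
+.SS ctrl_interface
+The pathname of the directory in which hostapd(8) creates UNIX
+domain socket files for communication with frontend programs such
+as hostapd_cli(8).
+.SS ctrl_interface_group
+A group name or group ID to use in setting protection on the
+control interface file. This can be set to allow non-root users
+to access the control interface files. If no group is specified,
+the group ID of the control interface is not modified and will,
+typically, be the group ID of the directory in which the socket
+is created.
+.SH IEEE 802.1X-2004 PARAMETERS
+The following parameters are recognized:
+.SS ieee8021x
+Require IEEE 802.1X authorization.
+.SS eap_message
+Optional displayable message sent with EAP Request-Identity.
+.SS wep_key_len_broadcast
+Key lengths for broadcast keys.
+.SS wep_key_len_unicast
+Key lengths for unicast keys.
+.SS wep_rekey_period
+Rekeying period in seconds.
+.SS eapol_key_index_workaround
+EAPOL-Key index workaround (set bit7) for WinXP Supplicant.
+.SS eap_reauth_period
+EAP reauthentication period in seconds. To disable
+reauthentication, use "0".
+.SH RADIUS CLIENT PARAMETERS
+The following parameters are recognized:
+.SS own_ip_addr
+The own IP address of the access point (used as NAS-IP-Address).
+.SS nas_identifier
+Optional NAS-Identifier string for RADIUS messages.
+.SS auth_server_addr, auth_server_port, auth_server_shared_secret
+RADIUS authentication server parameters. Can be defined twice
+for secondary servers to be used if primary one does not reply to
+RADIUS packets.
+.SS acct_server_addr, acct_server_port, acct_server_shared_secret
+RADIUS accounting server parameters. Can be defined twice for
+secondary servers to be used if primary one does not reply to
+RADIUS packets.
+.SS radius_retry_primary_interval
+Retry interval for trying to return to the primary RADIUS server
+(in seconds).
+.SS radius_acct_interim_interval
+Interim accounting update interval. If this is set (larger than
+0) and acct_server is configured, hostapd(8) will send interim
+accounting updates every N seconds.
+.SH RADIUS AUTHENTICATION SERVER PARAMETERS
+The following parameters are recognized:
+.SS radius_server_clients
+File name of the RADIUS clients configuration for the RADIUS
+server. If this is commented out, RADIUS server is disabled.
+.SS radius_server_auth_port
+The UDP port number for the RADIUS authentication server.
+.SS radius_server_ipv6
+Use IPv6 with RADIUS server.
+.SH WPA/IEEE 802.11i PARAMETERS
+The following parameters are recognized:
+.SS wpa
+Enable WPA. Setting this variable configures the AP to require
+WPA (either WPA-PSK or WPA-RADIUS/EAP based on other
+configuration).
+.SS wpa_psk, wpa_passphrase
+WPA pre-shared keys for WPA-PSK. This can be either entered as a
+256-bit secret in hex format (64 hex digits), wpa_psk, or as an
+ASCII passphrase (8..63 characters) that will be converted to
+PSK. This conversion uses SSID so the PSK changes when ASCII
+passphrase is used and the SSID is changed.
+.SS wpa_psk_file
+Optionally, WPA PSKs can be read from a separate text file
+(containing a list of (PSK,MAC address) pairs.
+.SS wpa_key_mgmt
+Set of accepted key management algorithms (WPA-PSK, WPA-EAP, or
+both).
+.SS wpa_pairwise
+Set of accepted cipher suites (encryption algorithms) for
+pairwise keys (unicast packets). See the example file for more
+information.
+.SS wpa_group_rekey
+Time interval for rekeying GTK (broadcast/multicast encryption
+keys) in seconds.
+.SS wpa_strict_rekey
+Rekey GTK when any STA that possesses the current GTK is leaving
+the BSS.
+.SS wpa_gmk_rekey
+Time interval for rekeying GMK (master key used internally to
+generate GTKs (in seconds).
+.SH SEE ALSO
+hostapd(8), hostapd_cli(8), /usr/share/examples/hostapd/hostapd.conf
+.SH HISTORY
+The hostapd.conf manual page and hostapd(8) functionality first appeared
+in NetBSD 4.0.
+.SH AUTHORS
+This manual page is derived from the README and hostapd.conf files in the
+hostapd distribution provided by Jouni Malinen <jkmaline@cc.hut.fi>.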

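--- a/hostapd.init
+++ b/hostapd.init
@@ -0,0 +1,89 @@
+#!/bin/bash
+#
+# hostapd
+#
+# chkconfig: - 23 88
+# description: hostapd is a user space daemon for access point and
+# authentication servers. It implements IEEE 802.11 access point
+# management, IEEE 802.1X/WPA/WPA2/EAP Authenticators and RADIUS
+# authentication server.
+# processname: hostapd
+# config: /etc/hostapd/hostapd.conf
+#
+### BEGIN INIT INFO
+# Provides: hostapd
+# Required-Start: $network
+# Required-Stop: $network
+# Default-Start:
+# Default-Stop: 0 1 6
+# Short-Description: start and stop hostapd
+# Description: IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator
+### END INIT INFO
+# Source function library.
+. /etc/rc.d/init.d/functions
+# Source networking configuration.
+. /etc/sysconfig/network
+exec="/usr/sbin/hostapd"
+prog=hostapd
+conf="/etc/hostapd/hostapd.conf"
+lockfile=/var/lock/subsys/$prog
+[ -e /etc/sysconfig/$prog ] && . /etc/sysconfig/$prog
+start() {
+echo -n $"Starting $prog: $conf"
+daemon $prog -B $OTHER_ARGS $conf
+retval=$?
+echo
+[ $retval -eq 0 ] && touch $lockfile
+return $retval
+}
+stop() {
+echo -n $"Stopping $prog: "
+killproc $prog
+retval=$?
+echo
+[ $retval -eq 0 ] && rm -f $lockfile
+return $retval
+}
+restart() {
+stop
+start
+}
+reload() {
+restart
+}
+force_reload() {
+restart
+}
+fdr_status() {
+status $prog
+}
+case "$1" in
+start|stop|restart|reload)
+$1
+;;
+force-reload)
+force_reload
+;;
+status)
+fdr_status
+;;
+condrestart|try-restart)
+[ -f $lockfile ] && restart
+;;
+*)
+echo $"Usage: $0 {start|stop|status|restart|try-restart|reload|force-reload}"
+exit 1
+esac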
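Review bot: `$conf` and `$lockfile` are expanded unquoted in start(), stop() and the condrestart case (`daemon $prog -B $OTHER_ARGS $conf`, `touch $lockfile`, `rm -f $lockfile`, `[ -f $lockfile ]`); the values are fixed here so it works, but only `$OTHER_ARGS` actually relies on word splitting, so quote the rest: `daemon $prog -B $OTHER_ARGS "$conf"` and `"$lockfile"` in the three other places. The script also starts hostapd without a pidfile (`-P`), unlike the unit file in this same commit, so `killproc $prog` and `status $prog` match by process name; a comment saying that this is intentional for the SysV path would spare the next reader the comparison. `$exec` is assigned but never used — either drop it or use it in place of the bare `$prog` in the daemon call.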

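--- a/hostapd.service
+++ b/hostapd.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Hostapd IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator
+After=network.target
+[Service]
+Type=forking
+PIDFile=/run/hostapd.pid
+EnvironmentFile=/etc/sysconfig/hostapd
+ExecStart=/usr/sbin/hostapd /etc/hostapd/hostapd.conf -P /run/hostapd.pid -B $OTHER_ARGS
+[Install]
+WantedBy=multi-user.target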
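Review bot: `EnvironmentFile=/etc/sysconfig/hostapd` is mandatory as written — systemd refuses to start the unit if the file is missing — while the init script in this same commit treats `/etc/sysconfig/hostapd` as optional (`[ -e ... ] && .`); if the spec does not guarantee the file is installed, use `EnvironmentFile=-/etc/sysconfig/hostapd` so the two start paths agree. The unit also carries no sandboxing directives; hostapd needs network capabilities, but `ProtectSystem=strict`, `ProtectHome=yes` and `PrivateTmp=yes` are usually compatible with a daemon that only reads its config and talks to the kernel, and are worth trying here rather than assuming, since an incompatibility shows up as a plain start failure.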

hostapd.spec Normal file

@ -0,0 +1,471 @@
%global _hardened_build 1
Name: hostapd
Version: 2.9
Release: 13%{?dist}
Summary: IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator
License: BSD
URL: http://w1.fi/hostapd
Source0: http://w1.fi/releases/%{name}-%{version}.tar.gz
Source1: %{name}.service
Source2: %{name}.conf
Source3: %{name}.conf.5
Source4: %{name}.sysconfig
Source5: %{name}.init
# https://w1.fi/security/2019-7/ap-mode-pmf-disconnection-protection-bypass.txt
Patch1: https://w1.fi/security/2019-7/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch
# https://w1.fi/security/2020-1/upnp-subscribe-misbehavior-wps-ap.txt
Patch2: https://w1.fi/security/2020-1/0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch
Patch3: https://w1.fi/security/2020-1/0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch
Patch4: https://w1.fi/security/2020-1/0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch
Patch5: 0001-OpenSSL-Allow-systemwide-secpolicy-overrides-for-TLS.patch
Patch6: 0001-EAP-TTLS-PEAP-peer-Fix-failure-when-using-session-ti.patch
Patch7: 0001-openssl-Disable-padding-after-initializing-the-ciphe.patch
Patch8: 0001-openssl-Remove-deprecated-functions-from-des_encrypt.patch
BuildRequires: libnl3-devel
BuildRequires: openssl-devel
BuildRequires: perl-generators
BuildRequires: gcc
%if 0%{?fedora} || 0%{?rhel} >= 7
BuildRequires: systemd
BuildRequires: make
Requires(post): systemd
Requires(preun): systemd
Requires(postun): systemd
%endif
%if 0%{?rhel} == 6
Requires(post): /sbin/chkconfig
Requires(preun): /sbin/chkconfig
Requires(preun): /sbin/service
Requires(postun): /sbin/service
%endif
%description
%{name} is a user space daemon for access point and authentication servers. It
implements IEEE 802.11 access point management, IEEE 802.1X/WPA/WPA2/EAP
Authenticators and RADIUS authentication server.
%{name} is designed to be a "daemon" program that runs in the back-ground and
acts as the backend component controlling authentication. %{name} supports
separate frontend programs and an example text-based frontend, hostapd_cli, is
included with %{name}.
%package logwatch
Summary: Logwatch scripts for hostapd
Requires: %{name} = %{version}-%{release}
Requires: logwatch
%if 0%{?rhel} == 6 || 0%{?rhel} == 7
Requires: perl
%else
Requires: perl-interpreter
%endif
%description logwatch
Logwatch scripts for hostapd.
%prep
%setup -q
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%build
cd hostapd
cat defconfig | sed \
-e '$ a CONFIG_SAE=y' \
-e '/^#CONFIG_DRIVER_NL80211=y/s/^#//' \
-e '/^#CONFIG_RADIUS_SERVER=y/s/^#//' \
-e '/^#CONFIG_DRIVER_WIRED=y/s/^#//' \
-e '/^#CONFIG_DRIVER_NONE=y/s/^#//' \
-e '/^#CONFIG_IEEE80211N=y/s/^#//' \
-e '/^#CONFIG_IEEE80211R=y/s/^#//' \
-e '/^#CONFIG_IEEE80211AC=y/s/^#//' \
-e '/^#CONFIG_FULL_DYNAMIC_VLAN=y/s/^#//' \
-e '/^#CONFIG_LIBNL32=y/s/^#//' \
-e '/^#CONFIG_ACS=y/s/^#//' \
-e '/^#CONFIG_OWE=y/s/^#//' \
> .config
echo "CFLAGS += -I%{_includedir}/libnl3" >> .config
echo "LIBS += -L%{_libdir}" >> .config
make %{?_smp_mflags} EXTRA_CFLAGS="$RPM_OPT_FLAGS"
%install
%if 0%{?fedora} || 0%{?rhel} >= 7
# Systemd unit files
install -p -m 644 -D %{SOURCE1} %{buildroot}%{_unitdir}/%{name}.service
%else
# Initscripts
install -p -m 755 -D %{SOURCE5} %{buildroot}%{_initrddir}/%{name}
%endif
# logwatch files
install -d %{buildroot}/%{_sysconfdir}/logwatch/conf/services
install -pm 0644 %{name}/logwatch/%{name}.conf \
%{buildroot}/%{_sysconfdir}/logwatch/conf/services/%{name}.conf
install -d %{buildroot}/%{_sysconfdir}/logwatch/scripts/services
install -pm 0755 %{name}/logwatch/%{name} \
%{buildroot}/%{_sysconfdir}/logwatch/scripts/services/%{name}
# config files
install -d %{buildroot}/%{_sysconfdir}/%{name}
install -pm 0600 %{SOURCE2} %{buildroot}/%{_sysconfdir}/%{name}
install -d %{buildroot}/%{_sysconfdir}/sysconfig
install -pm 0644 %{SOURCE4} %{buildroot}/%{_sysconfdir}/sysconfig/%{name}
# binaries
install -d %{buildroot}/%{_sbindir}
install -pm 0755 %{name}/%{name} %{buildroot}%{_sbindir}/%{name}
install -pm 0755 %{name}/%{name}_cli %{buildroot}%{_sbindir}/%{name}_cli
# man pages
install -d %{buildroot}%{_mandir}/man{1,5,8}
install -pm 0644 %{name}/%{name}_cli.1 %{buildroot}%{_mandir}/man1
install -pm 0644 %{SOURCE3} %{buildroot}%{_mandir}/man5
install -pm 0644 %{name}/%{name}.8 %{buildroot}%{_mandir}/man8
# prepare docs
cp %{name}/README ./README.%{name}
cp %{name}/README-WPS ./README-WPS.%{name}
cp %{name}/logwatch/README ./README.logwatch
%if 0%{?fedora} || 0%{?rhel} >= 7
%post
%systemd_post %{name}.service
%preun
%systemd_preun %{name}.service
%postun
%systemd_postun_with_restart %{name}.service
%endif
%if 0%{?rhel} == 6
%post
/sbin/chkconfig --add %{name}
%preun
if [ $1 -eq 0 ]; then
/sbin/service %{name} stop >/dev/null 2>&1 || :
/sbin/chkconfig --del %{name}
fi
%postun
if [ $1 -ge 1 ]; then
/sbin/service %{name} condrestart >/dev/null 2>&1 || :
fi
%endif
%files
%license COPYING
%doc README README.hostapd README-WPS.hostapd
%doc %{name}/%{name}.conf %{name}/wired.conf
%doc %{name}/%{name}.accept %{name}/%{name}.deny
%doc %{name}/%{name}.eap_user %{name}/%{name}.radius_clients
%doc %{name}/%{name}.vlan %{name}/%{name}.wpa_psk
%config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf
%config(noreplace) %{_sysconfdir}/sysconfig/%{name}
%{_sbindir}/%{name}
%{_sbindir}/%{name}_cli
%dir %{_sysconfdir}/%{name}
%{_mandir}/man1/*
%{_mandir}/man5/*
%{_mandir}/man8/*
%if 0%{?fedora} || 0%{?rhel} >= 7
%{_unitdir}/%{name}.service
%else
%{_initrddir}/%{name}
%endif
%files logwatch
%doc %{name}/logwatch/README
%config(noreplace) %{_sysconfdir}/logwatch/conf/services/%{name}.conf
%{_sysconfdir}/logwatch/scripts/services/%{name}
%changelog
* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 2.9-13
- Rebuilt with OpenSSL 3.0.0
* Fri Sep 3 2021 Davide Caratti <dcaratti@redhat.com> - 2.9.12
- backport fix for NetworkManager-ci failures with openssl-3.0.0
* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.9-11
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Tue May 11 2021 John W. Linville <linville@redhat.com> - 2.9-10
- Enable CONFIG_OWE build option in order to provide WPA3 capability
* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 2.9-9
- Rebuilt for updated systemd-rpm-macros
See https://pagure.io/fesco/issue/2583.
* Wed Feb 10 2021 John W. Linville <linville@redhat.com> - 2.9-8
- Add hostapd.conf.5 man file, with content borrowed from NetBSD
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.9-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Thu Dec 10 2020 John W. Linville <linville@redhat.com> - 2.9-6
- Enable environment file in hostapd service definition
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.9-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Wed Jun 24 2020 John W. Linville <linville@redhat.com> - 2.9-4
- Fix CVE-2020-12695 (UPnP SUBSCRIBE misbehavior in hostapd WPS AP)
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.9-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Wed Oct 30 2019 John W. Linville <linville@redhat.com> - 2.9-2
- Fix CVE-2019-16275 (AP mode PMF disconnection protection bypass)
* Fri Aug 09 2019 John W. Linville <linville@redhat.com> - 2.9-1
- Update to version 2.9 from upstream
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.8-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Wed Jul 03 2019 Lubomir Rintel <lkundrak@v3.sk> - 2.8-2
- Enable SAE
* Wed May 15 2019 John W. Linville <linville@redhat.com> - 2.8-1
- Update to version 2.8 from upstream
- Drop obsoleted patches
* Fri Apr 12 2019 John W. Linville <linville@redhat.com> - 2.7-2
- Bump N-V-R for rebuild
* Fri Apr 12 2019 John W. Linville <linville@redhat.com> - 2.7-1
- Update to version 2.7 from upstream
- Remove obsolete patches for NL80211_ATTR_SMPS_MODE encoding and KRACK
- Fix CVE-2019-9494 (cache attack against SAE)
- Fix CVE-2019-9495 (cache attack against EAP-pwd)
- Fix CVE-2019-9496 (SAE confirm missing state validation in hostapd/AP)
- Fix CVE-2019-9497 (EAP-pwd server not checking for reflection attack)
- Fix CVE-2019-9498 (EAP-pwd server missing commit validation for scalar/element)
- Fix CVE-2019-9499 (EAP-pwd peer missing commit validation for scalar/element)
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.6-12
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Fri Jul 20 2018 John W. Linville <linville@redhat.com> - 2.6-11
- Add previously unnecessary BuildRequires for gcc
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.6-10
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Tue May 29 2018 Davide Caratti <dcaratti@redhat.com> - 2.6-9
- backport fix for Fix NL80211_ATTR_SMPS_MODE encoding (rh #1582839)
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.6-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Thu Dec 07 2017 Simone Caronni <negativo17@gmail.com> - 2.6-7
- Fix dependencies on the logwatch package for RHEL/CentOS.
* Fri Nov 03 2017 Xavier Bachelot <xavier@bachelot.org> - 2.6-6
- Add patches for KRACK : CVE-2017-13077, CVE-2017-13078, CVE-2017-13079,
CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13086,
CVE-2017-13087, CVE-2017-13088 (RHBZ#1502588).
* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.6-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.6-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Thu Jul 13 2017 Petr Pisar <ppisar@redhat.com> - 2.6-3
- perl dependency renamed to perl-interpreter
<https://fedoraproject.org/wiki/Changes/perl_Package_to_Install_Core_Modules>
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.6-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Mon Oct 03 2016 John W. Linville <linville@redhat.com> - 2.6-1
- Update to version 2.6 from upstream
- Remove patch for CVE-2016-4476, now included in base tarball
* Fri Jul 15 2016 John W. Linville <linville@redhat.com> - 2.5-5
- Bump NVR and rebuild to resolve GLIBC_2.24 symbol issue
* Mon Jun 06 2016 John W. Linville <linville@redhat.com> - 2.5-4
- Add WPS patch for CVE-2016-4476
* Tue Apr 19 2016 Sascha Spreitzer <sspreitz@redhat.com> - 2.5-3
- Enable ACS feature (automatic channel switching)
* Wed Feb 03 2016 Fedora Release Engineering <releng@fedoraproject.org> - 2.5-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Tue Oct 13 2015 John W. Linville <linville@redhat.com> - 2.5-1
- Update to version 2.5 from upstream
- Remove patches made redundant by version update
* Fri Jul 10 2015 John W. Linville <linville@redhat.com> - 2.4-3
- apply fix for NDEF record payload length checking
* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Fri May 15 2015 John W. Linville <linville@redhat.com> - 2.4-2
- apply fix for underflow in WMM action frame parser
* Tue Apr 21 2015 John W. Linville <linville@redhat.com> - 2.4-1
- Update to version 2.4 from upstream
- Enable support for IEEE802.11r and IEEE802.11ac
* Wed Feb 4 2015 John W. Linville <linville@redhat.com> - 2.3-4
- Use %%license instead of %%doc for file containing license information
* Sun Nov 02 2014 poma <poma@gmail.com> - 2.3-3
- Further simplify hostapd.conf installation
- Rebase "EAP-TLS server" patch to 2.3
* Tue Oct 28 2014 John W. Linville <linville@redhat.com> - 2.3-2
- Remove version info from /usr/share/doc/hostapd/hostapd.conf
* Thu Oct 23 2014 John W. Linville <linville@redhat.com> - 2.3-1
- Update to version 2.3 from upstream
* Sat Aug 16 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Thu Jun 5 2014 John W. Linville <linville@redhat.com> - 2.2-1
- Update to version 2.2 from upstream
* Sat Feb 22 2014 Simone Caronni <negativo17@gmail.com> - 2.1-2
- Re-enable drivers (#1068849).
* Fri Feb 14 2014 John W. Linville <linville@redhat.com> - 2.1-1
- Update to version 2.1 from upstream
- Remove obsolete patch for libnl build documentation
* Mon Feb 03 2014 Simone Caronni <negativo17@gmail.com> - 2.0-6
- Add libnl build documentation and switch libnl-devel to libnl3-devel build
dependency (#1041471).
* Fri Nov 22 2013 John W. Linville <linville@redhat.com> - 2.0-5
- Enable CONFIG_FULL_DYNAMIC_VLAN build option
* Wed Aug 07 2013 Simone Caronni <negativo17@gmail.com> - 2.0-4
- Add EPEL 6 support.
- Remove obsolete EPEL 5 tags.
- Little spec file formatting.
* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Wed Jul 17 2013 Petr Pisar <ppisar@redhat.com> - 2.0-2
- Perl 5.18 rebuild
* Thu May 30 2013 John W. Linville <linville@redhat.com> - 2.0-1
- Update to version 2.0 from upstream
- Convert to use of systemd-rpm macros
- Build with PIE flags
* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
* Mon Oct 8 2012 John W. Linville <linville@redhat.com> - 1.0-3
- EAP-TLS: Add extra validation for TLS Message Length
* Thu Jul 19 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
* Fri Jun 8 2012 John W. Linville <linville@redhat.com> - 1.0-1
- Update to version 1.0 from upstream
* Fri Jun 8 2012 John W. Linville <linville@redhat.com> - 0.7.3-9
- Remove hostapd-specific runtime state directory
* Wed Jun 6 2012 John W. Linville <linville@redhat.com> - 0.7.3-8
- Fixup typo in pid file path in hostapd.service
* Wed May 30 2012 John W. Linville <linville@redhat.com> - 0.7.3-7
- Add BuildRequires for systemd-units
* Fri May 25 2012 John W. Linville <linville@redhat.com> - 0.7.3-6
- Fixup typo in configuration file path in hostapd.service
- Tighten-up default permissions for hostapd.conf
* Tue Feb 28 2012 Jon Ciesla <limburgher@gmail.com> - 0.7.3-5
- Migrate to systemd, BZ 770310.
* Wed Jan 18 2012 John W. Linville <linville@redhat.com> - 0.7.3-4
- Add reference to sample hostapd.conf in the default installed version
- Include README-WPS from the hostapd distribution as part of the docs
* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.7.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
* Wed Feb 09 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.7.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
* Thu Dec 23 2010 John W. Linville <linville@redhat.com> - 0.7.3-1
- Update to version 0.7.3
* Wed Nov 24 2010 John W. Linville <linville@redhat.com> - 0.6.10-3
- Use ghost directive for /var/run/hostapd
- Remove some rpmlint warnings
* Thu May 27 2010 John W. Linville <linville@redhat.com> - 0.6.10-2
- Move DTIM period configuration into Beacon set operation
* Mon May 10 2010 John W. Linville <linville@redhat.com> - 0.6.10-1
- Update to version 0.6.10
* Tue Jan 19 2010 John W. Linville <linville@redhat.com> - 0.6.9-8
- Do not compress man pages manually in spec file
- Correct date of previous changelog entry
* Thu Jan 14 2010 John W. Linville <linville@redhat.com> - 0.6.9-7
- Enable 802.11n support
* Thu Dec 17 2009 John W. Linville <linville@redhat.com> - 0.6.9-6
- Enable RADIUS server
- Enable "wired" and "none" drivers
- Use BSD license option
* Wed Dec 16 2009 John W. Linville <linville@redhat.com> - 0.6.9-5
- Use openssl instead of gnutls (broken)
* Wed Dec 16 2009 John W. Linville <linville@redhat.com> - 0.6.9-4
- Remove wired.conf from doc (not in chosen configuration)
- Use $RPM_OPT_FLAGS
- Add dist tag
* Wed Dec 16 2009 John W. Linville <linville@redhat.com> - 0.6.9-3
- Use gnutls instead of openssl
- Turn-off internal EAP server (broken w/ gnutls)
- Remove doc files not applicable to chosen configuration
- Un-mangle README filename for logwatch sub-package
* Wed Dec 16 2009 John W. Linville <linville@redhat.com> - 0.6.9-2
- Initial build
- Start release at 2 to avoid conflicts w/ previous attempts by others
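Review bot: `Source0` is fetched over plain `http://w1.fi/releases/...` and the tarball is never checked against an upstream signature, so the SHA512 in `sources` only pins whatever the importer happened to download and does not establish that it is the tarball upstream released. w1.fi has published detached `.asc` signatures for its releases, so the spec should switch to `Source0: https://w1.fi/releases/%{name}-%{version}.tar.gz`, add the signature and the release key as further `Source` entries, and verify in `%prep` before `%setup -q` with `%{gpgverify} --keyring='%{SOURCE7}' --signature='%{SOURCE6}' --data='%{SOURCE0}'` (plus `BuildRequires: gnupg2`). `URL:` should likewise be `https://w1.fi/hostapd`. Patch1 through Patch4 record their provenance via the w1.fi advisory URLs, but the local Patch5 through Patch8 carry no note of their origin or upstream commit, so a one-line comment above each naming the upstream commit or bug would make the backports auditable.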

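--- /dev/null
+++ b/hostapd.sysconfig
@@ -0,0 +1,5 @@
+# Other arguments
+# -d show more debug messages (-dd for even more)
+# -K include key data in debug messages
+# -t include timestamps in some debug messages
+OTHER_ARGS=""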
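Review bot: The `-K` line documents a flag that puts key material into hostapd's debug output without saying what that implies, and this file is exactly where an administrator would switch it on. With the shipped unit and init script that output ends up in the journal or syslog, so the comment should carry the caveat: `# -K include key data in debug messages (key material is written to the log; never leave this enabled on a production AP)`.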

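--- /dev/null
+++ b/sources
@@ -0,0 +1 @@
+SHA512 (hostapd-2.9.tar.gz) = 66c729380152db18b64520bda55dfa00af3b0264f97b5de100b81a46e2593571626c4bdcf900f0988ea2131e30bc8788f75d8489dd1f57e37fd56e8098e48a9c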