%global _hardened_build 1

Name:           hostapd
Version:        2.7
Release:        1%{?dist}
Summary:        IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator
License:        BSD
URL:            http://w1.fi/hostapd

Source0:        http://w1.fi/releases/%{name}-%{version}.tar.gz
Source1:        %{name}.service
Source2:        %{name}.conf
Source3:        %{name}.sysconfig
Source4:        %{name}.init

# https://w1.fi/security/2019-1/sae-side-channel-attacks.txt
Patch1:         https://w1.fi/security/2019-1/0001-OpenSSL-Use-constant-time-operations-for-private-big.patch
Patch2:         https://w1.fi/security/2019-1/0002-Add-helper-functions-for-constant-time-operations.patch
Patch3:         https://w1.fi/security/2019-1/0003-OpenSSL-Use-constant-time-selection-for-crypto_bignu.patch
Patch4:         https://w1.fi/security/2019-1/0005-SAE-Minimize-timing-differences-in-PWE-derivation.patch
Patch5:         https://w1.fi/security/2019-1/0006-SAE-Avoid-branches-in-is_quadratic_residue_blind.patch
Patch6:         https://w1.fi/security/2019-1/0007-SAE-Mask-timing-of-MODP-groups-22-23-24.patch
Patch7:         https://w1.fi/security/2019-1/0008-SAE-Use-const_time-selection-for-PWE-in-FFC.patch
Patch8:         https://w1.fi/security/2019-1/0009-SAE-Use-constant-time-operations-in-sae_test_pwd_see.patch

# https://w1.fi/security/2019-2/eap-pwd-side-channel-attack.txt
Patch9:         https://w1.fi/security/2019-2/0004-EAP-pwd-Use-constant-time-and-memory-access-for-find.patch

# https://w1.fi/security/2019-3/sae-confirm-missing-state-validation.txt
Patch10:        https://w1.fi/security/2019-3/0010-SAE-Fix-confirm-message-validation-in-error-cases.patch

# https://w1.fi/security/2019-4/eap-pwd-missing-commit-validation.txt
Patch11:        https://w1.fi/security/2019-4/0011-EAP-pwd-server-Verify-received-scalar-and-element.patch
Patch12:        https://w1.fi/security/2019-4/0012-EAP-pwd-server-Detect-reflection-attacks.patch
Patch13:        https://w1.fi/security/2019-4/0013-EAP-pwd-client-Verify-received-scalar-and-element.patch
Patch14:        https://w1.fi/security/2019-4/0014-EAP-pwd-Check-element-x-y-coordinates-explicitly.patch

BuildRequires:  libnl3-devel
BuildRequires:  openssl-devel
BuildRequires:  perl-generators
BuildRequires:  gcc

%if 0%{?fedora} || 0%{?rhel} >= 7
BuildRequires:      systemd
Requires(post):     systemd
Requires(preun):    systemd
Requires(postun):   systemd
%endif

%if 0%{?rhel} == 6
Requires(post):     /sbin/chkconfig
Requires(preun):    /sbin/chkconfig
Requires(preun):    /sbin/service
Requires(postun):   /sbin/service
%endif

%description
%{name} is a user space daemon for access point and authentication servers. It
implements IEEE 802.11 access point management, IEEE 802.1X/WPA/WPA2/EAP
Authenticators and RADIUS authentication server.

%{name} is designed to be a "daemon" program that runs in the background and
acts as the backend component controlling authentication. %{name} supports
separate frontend programs and an example text-based frontend, hostapd_cli, is
included with %{name}.

%package logwatch
Summary:        Logwatch scripts for hostapd
Requires:       %{name} = %{version}-%{release}
Requires:       logwatch
%if 0%{?rhel} == 6 || 0%{?rhel} == 7
Requires:       perl
%else
Requires:       perl-interpreter
%endif

%description logwatch
Logwatch scripts for hostapd.

%prep
%setup -q
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1

%build
cd hostapd
cat defconfig | sed \
    -e '/^#CONFIG_DRIVER_NL80211=y/s/^#//' \
    -e '/^#CONFIG_RADIUS_SERVER=y/s/^#//' \
    -e '/^#CONFIG_DRIVER_WIRED=y/s/^#//' \
    -e '/^#CONFIG_DRIVER_NONE=y/s/^#//' \
    -e '/^#CONFIG_IEEE80211N=y/s/^#//' \
    -e '/^#CONFIG_IEEE80211R=y/s/^#//' \
    -e '/^#CONFIG_IEEE80211AC=y/s/^#//' \
    -e '/^#CONFIG_FULL_DYNAMIC_VLAN=y/s/^#//' \
    -e '/^#CONFIG_LIBNL32=y/s/^#//' \
    -e '/^#CONFIG_ACS=y/s/^#//' \
    > .config
echo "CFLAGS += -I%{_includedir}/libnl3" >> .config
echo "LIBS += -L%{_libdir}" >> .config
make %{?_smp_mflags} EXTRA_CFLAGS="$RPM_OPT_FLAGS"

%install
%if 0%{?fedora} || 0%{?rhel} >= 7
# Systemd unit files
install -p -m 644 -D %{SOURCE1} %{buildroot}%{_unitdir}/%{name}.service
%else
# Initscripts
install -p -m 755 -D %{SOURCE4} %{buildroot}%{_initrddir}/%{name}
%endif

# logwatch files
install -d %{buildroot}/%{_sysconfdir}/logwatch/conf/services
install -pm 0644 %{name}/logwatch/%{name}.conf \
    %{buildroot}/%{_sysconfdir}/logwatch/conf/services/%{name}.conf
install -d %{buildroot}/%{_sysconfdir}/logwatch/scripts/services
install -pm 0755 %{name}/logwatch/%{name} \
    %{buildroot}/%{_sysconfdir}/logwatch/scripts/services/%{name}

# config files
install -d %{buildroot}/%{_sysconfdir}/%{name}
install -pm 0600 %{SOURCE2} %{buildroot}/%{_sysconfdir}/%{name}

install -d %{buildroot}/%{_sysconfdir}/sysconfig
install -pm 0644 %{SOURCE3} %{buildroot}/%{_sysconfdir}/sysconfig/%{name}

# binaries
install -d %{buildroot}/%{_sbindir}
install -pm 0755 %{name}/%{name} %{buildroot}%{_sbindir}/%{name}
install -pm 0755 %{name}/%{name}_cli %{buildroot}%{_sbindir}/%{name}_cli

# man pages
install -d %{buildroot}%{_mandir}/man{1,8}
install -pm 0644 %{name}/%{name}_cli.1 %{buildroot}%{_mandir}/man1
install -pm 0644 %{name}/%{name}.8 %{buildroot}%{_mandir}/man8

# prepare docs
cp %{name}/README ./README.%{name}
cp %{name}/README-WPS ./README-WPS.%{name}
cp %{name}/logwatch/README ./README.logwatch

%if 0%{?fedora} || 0%{?rhel} >= 7
%post
%systemd_post %{name}.service

%preun
%systemd_preun %{name}.service

%postun
%systemd_postun_with_restart %{name}.service
%endif

%if 0%{?rhel} == 6
%post
/sbin/chkconfig --add %{name}

%preun
if [ $1 -eq 0 ]; then
    /sbin/service %{name} stop >/dev/null 2>&1 || :
    /sbin/chkconfig --del %{name}
fi

%postun
if [ $1 -ge 1 ]; then
    /sbin/service %{name} condrestart >/dev/null 2>&1 || :
fi
%endif

%files
%license COPYING
%doc README README.hostapd README-WPS.hostapd
%doc %{name}/%{name}.conf %{name}/wired.conf
%doc %{name}/%{name}.accept %{name}/%{name}.deny
%doc %{name}/%{name}.eap_user %{name}/%{name}.radius_clients
%doc %{name}/%{name}.vlan %{name}/%{name}.wpa_psk
%config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf
%config(noreplace) %{_sysconfdir}/sysconfig/%{name}
%{_sbindir}/%{name}
%{_sbindir}/%{name}_cli
%dir %{_sysconfdir}/%{name}
%{_mandir}/man1/*
%{_mandir}/man8/*
%if 0%{?fedora} || 0%{?rhel} >= 7
%{_unitdir}/%{name}.service
%else
%{_initrddir}/%{name}
%endif

%files logwatch
%doc %{name}/logwatch/README
%config(noreplace) %{_sysconfdir}/logwatch/conf/services/%{name}.conf
%{_sysconfdir}/logwatch/scripts/services/%{name}

%changelog
* Fri Apr 12 2019 John W. Linville - 2.7-1
- Update to version 2.6 from upstream
- Remove obsolete patches for NL80211_ATTR_SMPS_MODE encoding and KRACK
- Fix CVE-2019-9494 (cache attack against SAE)
- Fix CVE-2019-9495 (cache attack against EAP-pwd)
- Fix CVE-2019-9496 (SAE confirm missing state validation in hostapd/AP)
- Fix CVE-2019-9497 (EAP-pwd server not checking for reflection attack)
- Fix CVE-2019-9498 (EAP-pwd server missing commit validation for scalar/element)
- Fix CVE-2019-9499 (EAP-pwd peer missing commit validation for scalar/element)

* Fri Feb 01 2019 Fedora Release Engineering - 2.6-12
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild

* Fri Jul 20 2018 John W. Linville - 2.6-11
- Add previously unnecessary BuildRequires for gcc

* Fri Jul 13 2018 Fedora Release Engineering - 2.6-10
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild

* Tue May 29 2018 Davide Caratti - 2.6-9
- backport fix for Fix NL80211_ATTR_SMPS_MODE encoding (rh #1582839)

* Wed Feb 07 2018 Fedora Release Engineering - 2.6-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild

* Thu Dec 07 2017 Simone Caronni - 2.6-7
- Fix dependencies on the logwatch package for RHEL/CentOS.

* Fri Nov 03 2017 Xavier Bachelot - 2.6-6
- Add patches for KRACK : CVE-2017-13077, CVE-2017-13078, CVE-2017-13079,
  CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13086,
  CVE-2017-13087, CVE-2017-13088 (RHBZ#1502588).

* Wed Aug 02 2017 Fedora Release Engineering - 2.6-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild

* Wed Jul 26 2017 Fedora Release Engineering - 2.6-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild

* Thu Jul 13 2017 Petr Pisar - 2.6-3
- perl dependency renamed to perl-interpreter

* Fri Feb 10 2017 Fedora Release Engineering - 2.6-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild

* Mon Oct 03 2016 John W. Linville - 2.6-1
- Update to version 2.6 from upstream
- Remove patch for CVE-2016-4476, now included in base tarball

* Fri Jul 15 2016 John W. Linville - 2.5-5
- Bump NVR and rebuild to resolve GLIBC_2.24 symbol issue

* Mon Jun 06 2016 John W. Linville - 2.5-4
- Add WPS patch for CVE-2016-4476

* Tue Apr 19 2016 Sascha Spreitzer - 2.5-3
- Enable ACS feature (automatic channel switching)

* Wed Feb 03 2016 Fedora Release Engineering - 2.5-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild

* Tue Oct 13 2015 John W. Linville - 2.5-1
- Update to version 2.5 from upstream
- Remove patches made redundant by version update

* Fri Jul 10 2015 John W. Linville - 2.4-3
- apply fix for NDEF record payload length checking

* Wed Jun 17 2015 Fedora Release Engineering - 2.4-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild

* Fri May 15 2015 John W. Linville - 2.4-2
- apply fix for underflow in WMM action frame parser

* Tue Apr 21 2015 John W. Linville - 2.4-1
- Update to version 2.4 from upstream
- Enable support for IEEE802.11r and IEEE802.11ac

* Wed Feb 4 2015 John W. Linville - 2.3-4
- Use %%license instead of %%doc for file containing license information

* Sun Nov 02 2014 poma - 2.3-3
- Further simplify hostapd.conf installation
- Rebase "EAP-TLS server" patch to 2.3

* Tue Oct 28 2014 John W. Linville - 2.3-2
- Remove version info from /usr/share/doc/hostapd/hostapd.conf

* Thu Oct 23 2014 John W. Linville - 2.3-1
- Update to version 2.3 from upstream

* Sat Aug 16 2014 Fedora Release Engineering - 2.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild

* Sat Jun 07 2014 Fedora Release Engineering - 2.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild

* Thu Jun 5 2014 John W. Linville - 2.2-1
- Update to version 2.2 from upstream

* Sat Feb 22 2014 Simone Caronni - 2.1-2
- Re-enable drivers (#1068849).

* Fri Feb 14 2014 John W. Linville - 2.1-1
- Update to version 2.1 from upstream
- Remove obsolete patch for libnl build documentation

* Mon Feb 03 2014 Simone Caronni - 2.0-6
- Add libnl build documentation and switch libnl-devel to libnl3-devel build
  dependency (#1041471).

* Fri Nov 22 2013 John W. Linville - 2.0-5
- Enable CONFIG_FULL_DYNAMIC_VLAN build option

* Wed Aug 07 2013 Simone Caronni - 2.0-4
- Add EPEL 6 support.
- Remove obsolete EPEL 5 tags.
- Little spec file formatting.

* Sat Aug 03 2013 Fedora Release Engineering - 2.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild

* Wed Jul 17 2013 Petr Pisar - 2.0-2
- Perl 5.18 rebuild

* Thu May 30 2013 John W. Linville - 2.0-1
- Update to version 2.0 from upstream
- Convert to use of systemd-rpm macros
- Build with PIE flags

* Thu Feb 14 2013 Fedora Release Engineering - 1.0-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild

* Mon Oct 8 2012 John W. Linville - 1.0-3
- EAP-TLS: Add extra validation for TLS Message Length

* Thu Jul 19 2012 Fedora Release Engineering - 1.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild

* Fri Jun 8 2012 John W. Linville - 1.0-1
- Update to version 1.0 from upstream

* Fri Jun 8 2012 John W. Linville - 0.7.3-9
- Remove hostapd-specific runtime state directory

* Wed Jun 6 2012 John W. Linville - 0.7.3-8
- Fixup typo in pid file path in hostapd.service

* Wed May 30 2012 John W. Linville - 0.7.3-7
- Add BuildRequires for systemd-units

* Fri May 25 2012 John W. Linville - 0.7.3-6
- Fixup typo in configuration file path in hostapd.service
- Tighten-up default permissions for hostapd.conf

* Tue Feb 28 2012 Jon Ciesla - 0.7.3-5
- Migrate to systemd, BZ 770310.

* Wed Jan 18 2012 John W. Linville - 0.7.3-4
- Add reference to sample hostapd.conf in the default installed version
- Include README-WPS from the hostapd distribution as part of the docs

* Fri Jan 13 2012 Fedora Release Engineering - 0.7.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild

* Wed Feb 09 2011 Fedora Release Engineering - 0.7.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild

* Thu Dec 23 2010 John W. Linville - 0.7.3-1
- Update to version 0.7.3

* Wed Nov 24 2010 John W. Linville - 0.6.10-3
- Use ghost directive for /var/run/hostapd
- Remove some rpmlint warnings

* Thu May 27 2010 John W. Linville - 0.6.10-2
- Move DTIM period configuration into Beacon set operation

* Mon May 10 2010 John W. Linville - 0.6.10-1
- Update to version 0.6.10

* Tue Jan 19 2010 John W. Linville - 0.6.9-8
- Do not compress man pages manually in spec file
- Correct date of previous changelog entry

* Thu Jan 14 2010 John W. Linville - 0.6.9-7
- Enable 802.11n support

* Thu Dec 17 2009 John W. Linville - 0.6.9-6
- Enable RADIUS server
- Enable "wired" and "none" drivers
- Use BSD license option

* Wed Dec 16 2009 John W. Linville - 0.6.9-5
- Use openssl instead of gnutls (broken)

* Wed Dec 16 2009 John W. Linville - 0.6.9-4
- Remove wired.conf from doc (not in chosen configuration)
- Use $RPM_OPT_FLAGS
- Add dist tag

* Wed Dec 16 2009 John W. Linville - 0.6.9-3
- Use gnutls instead of openssl
- Turn-off internal EAP server (broken w/ gnutls)
- Remove doc files not applicable to chosen configuration
- Un-mangle README filename for logwatch sub-package

* Wed Dec 16 2009 John W. Linville - 0.6.9-2
- Initial build
- Start release at 2 to avoid conflicts w/ previous attempts by others