1 |
commit: e00db75c895fc30a6a4ec7429a2dd0035fa217c0 |
2 |
Author: Rick Farina <zerochaos <AT> gentoo <DOT> org> |
3 |
AuthorDate: Mon Nov 4 16:40:57 2019 +0000 |
4 |
Commit: Rick Farina <zerochaos <AT> gentoo <DOT> org> |
5 |
CommitDate: Mon Nov 4 16:40:57 2019 +0000 |
6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e00db75c |
7 |
|
8 |
net-wireless/hostapd: fix and stabilize for bug #696032 |
9 |
|
10 |
Package-Manager: Portage-2.3.78, Repoman-2.3.17 |
11 |
Signed-off-by: Rick Farina <zerochaos <AT> gentoo.org> |
12 |
|
13 |
...y-ignore-management-frame-from-unexpected.patch | 73 ++++++ |
14 |
net-wireless/hostapd/hostapd-2.9-r1.ebuild | 264 +++++++++++++++++++++ |
15 |
2 files changed, 337 insertions(+) |
16 |
|
17 |
diff --git a/net-wireless/hostapd/files/hostapd-2.9-AP-Silently-ignore-management-frame-from-unexpected.patch b/net-wireless/hostapd/files/hostapd-2.9-AP-Silently-ignore-management-frame-from-unexpected.patch |
18 |
new file mode 100644 |
19 |
index 00000000000..d764a9db016 |
20 |
--- /dev/null |
21 |
+++ b/net-wireless/hostapd/files/hostapd-2.9-AP-Silently-ignore-management-frame-from-unexpected.patch |
22 |
@@ -0,0 +1,73 @@ |
23 |
+From 8c07fa9eda13e835f3f968b2e1c9a8be3a851ff9 Mon Sep 17 00:00:00 2001 |
24 |
+From: Jouni Malinen <j@××.fi> |
25 |
+Date: Thu, 29 Aug 2019 11:52:04 +0300 |
26 |
+Subject: [PATCH] AP: Silently ignore management frame from unexpected source |
27 |
+ address |
28 |
+ |
29 |
+Do not process any received Management frames with unexpected/invalid SA |
30 |
+so that we do not add any state for unexpected STA addresses or end up |
31 |
+sending out frames to unexpected destination. This prevents unexpected |
32 |
+sequences where an unprotected frame might end up causing the AP to send |
33 |
+out a response to another device and that other device processing the |
34 |
+unexpected response. |
35 |
+ |
36 |
+In particular, this prevents some potential denial of service cases |
37 |
+where the unexpected response frame from the AP might result in a |
38 |
+connected station dropping its association. |
39 |
+ |
40 |
+Signed-off-by: Jouni Malinen <j@××.fi> |
41 |
+--- |
42 |
+ src/ap/drv_callbacks.c | 13 +++++++++++++ |
43 |
+ src/ap/ieee802_11.c | 12 ++++++++++++ |
44 |
+ 2 files changed, 25 insertions(+) |
45 |
+ |
46 |
+diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c |
47 |
+index 31587685fe3b..34ca379edc3d 100644 |
48 |
+--- a/src/ap/drv_callbacks.c |
49 |
++++ b/src/ap/drv_callbacks.c |
50 |
+@@ -131,6 +131,19 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr, |
51 |
+ "hostapd_notif_assoc: Skip event with no address"); |
52 |
+ return -1; |
53 |
+ } |
54 |
++ |
55 |
++ if (is_multicast_ether_addr(addr) || |
56 |
++ is_zero_ether_addr(addr) || |
57 |
++ os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) { |
58 |
++ /* Do not process any frames with unexpected/invalid SA so that |
59 |
++ * we do not add any state for unexpected STA addresses or end |
60 |
++ * up sending out frames to unexpected destination. */ |
61 |
++ wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR |
62 |
++ " in received indication - ignore this indication silently", |
63 |
++ __func__, MAC2STR(addr)); |
64 |
++ return 0; |
65 |
++ } |
66 |
++ |
67 |
+ random_add_randomness(addr, ETH_ALEN); |
68 |
+ |
69 |
+ hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211, |
70 |
+diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c |
71 |
+index c85a28db44b7..e7065372e158 100644 |
72 |
+--- a/src/ap/ieee802_11.c |
73 |
++++ b/src/ap/ieee802_11.c |
74 |
+@@ -4626,6 +4626,18 @@ int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len, |
75 |
+ fc = le_to_host16(mgmt->frame_control); |
76 |
+ stype = WLAN_FC_GET_STYPE(fc); |
77 |
+ |
78 |
++ if (is_multicast_ether_addr(mgmt->sa) || |
79 |
++ is_zero_ether_addr(mgmt->sa) || |
80 |
++ os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) { |
81 |
++ /* Do not process any frames with unexpected/invalid SA so that |
82 |
++ * we do not add any state for unexpected STA addresses or end |
83 |
++ * up sending out frames to unexpected destination. */ |
84 |
++ wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR |
85 |
++ " in received frame - ignore this frame silently", |
86 |
++ MAC2STR(mgmt->sa)); |
87 |
++ return 0; |
88 |
++ } |
89 |
++ |
90 |
+ if (stype == WLAN_FC_STYPE_BEACON) { |
91 |
+ handle_beacon(hapd, mgmt, len, fi); |
92 |
+ return 1; |
93 |
+-- |
94 |
+2.20.1 |
95 |
+ |
96 |
|
97 |
diff --git a/net-wireless/hostapd/hostapd-2.9-r1.ebuild b/net-wireless/hostapd/hostapd-2.9-r1.ebuild |
98 |
new file mode 100644 |
99 |
index 00000000000..8702d0125f5 |
100 |
--- /dev/null |
101 |
+++ b/net-wireless/hostapd/hostapd-2.9-r1.ebuild |
102 |
@@ -0,0 +1,264 @@ |
103 |
+# Copyright 1999-2019 Gentoo Authors |
104 |
+# Distributed under the terms of the GNU General Public License v2 |
105 |
+ |
106 |
+EAPI="6" |
107 |
+ |
108 |
+inherit toolchain-funcs systemd savedconfig |
109 |
+ |
110 |
+DESCRIPTION="IEEE 802.11 wireless LAN Host AP daemon" |
111 |
+HOMEPAGE="http://w1.fi" |
112 |
+EXTRAS_VER="2.7-r2" |
113 |
+EXTRAS_NAME="${CATEGORY}_${PN}_${EXTRAS_VER}_extras" |
114 |
+SRC_URI="https://dev.gentoo.org/~andrey_utkin/distfiles/${EXTRAS_NAME}.tar.xz" |
115 |
+ |
116 |
+if [[ $PV == 9999 ]]; then |
117 |
+ inherit git-r3 |
118 |
+ EGIT_REPO_URI="https://w1.fi/hostap.git" |
119 |
+else |
120 |
+ if [[ $PV =~ ^.*_p[0-9]{8}$ ]]; then |
121 |
+ SRC_URI+=" https://dev.gentoo.org/~andrey_utkin/distfiles/${P}.tar.xz" |
122 |
+ else |
123 |
+ SRC_URI+=" https://w1.fi/releases/${P}.tar.gz" |
124 |
+ fi |
125 |
+ # Never stabilize snapshot ebuilds please |
126 |
+ KEYWORDS="amd64 ~arm ~arm64 ~mips ~ppc x86" |
127 |
+fi |
128 |
+ |
129 |
+LICENSE="BSD" |
130 |
+SLOT="0" |
131 |
+IUSE="internal-tls ipv6 libressl logwatch netlink sqlite +wps +crda" |
132 |
+ |
133 |
+DEPEND=" |
134 |
+ libressl? ( dev-libs/libressl:0= ) |
135 |
+ !libressl? ( |
136 |
+ internal-tls? ( dev-libs/libtommath ) |
137 |
+ !internal-tls? ( dev-libs/openssl:0=[-bindist] ) |
138 |
+ ) |
139 |
+ kernel_linux? ( |
140 |
+ dev-libs/libnl:3 |
141 |
+ crda? ( net-wireless/crda ) |
142 |
+ ) |
143 |
+ netlink? ( net-libs/libnfnetlink ) |
144 |
+ sqlite? ( >=dev-db/sqlite-3 )" |
145 |
+ |
146 |
+RDEPEND="${DEPEND}" |
147 |
+ |
148 |
+S="${S}/${PN}" |
149 |
+ |
150 |
+pkg_pretend() { |
151 |
+ if use internal-tls; then |
152 |
+ if use libressl; then |
153 |
+ elog "libressl flag takes precedence over internal-tls" |
154 |
+ else |
155 |
+ ewarn "internal-tls implementation is experimental and provides fewer features" |
156 |
+ fi |
157 |
+ fi |
158 |
+} |
159 |
+ |
160 |
+src_unpack() { |
161 |
+ # Override default one because we need the SRC_URI ones even in case of 9999 ebuilds |
162 |
+ default |
163 |
+ if [[ ${PV} == 9999 ]] ; then |
164 |
+ git-r3_src_unpack |
165 |
+ fi |
166 |
+} |
167 |
+ |
168 |
+src_prepare() { |
169 |
+ # Allow users to apply patches to src/drivers for example, |
170 |
+ # i.e. anything outside ${S}/${PN} |
171 |
+ pushd ../ >/dev/null || die |
172 |
+ default |
173 |
+ #CVE-2019-16275 bug #696032 |
174 |
+ eapply "${FILESDIR}/hostapd-2.9-AP-Silently-ignore-management-frame-from-unexpected.patch" |
175 |
+ popd >/dev/null || die |
176 |
+ |
177 |
+ sed -i -e "s:/etc/hostapd:/etc/hostapd/hostapd:g" \ |
178 |
+ "${S}/hostapd.conf" || die |
179 |
+} |
180 |
+ |
181 |
+src_configure() { |
182 |
+ local CONFIG="${S}/.config" |
183 |
+ |
184 |
+ restore_config "${CONFIG}" |
185 |
+ if [[ -f "${CONFIG}" ]]; then |
186 |
+ default_src_configure |
187 |
+ return 0 |
188 |
+ fi |
189 |
+ |
190 |
+ # toolchain setup |
191 |
+ echo "CC = $(tc-getCC)" > ${CONFIG} |
192 |
+ |
193 |
+ # EAP authentication methods |
194 |
+ echo "CONFIG_EAP=y" >> ${CONFIG} |
195 |
+ echo "CONFIG_ERP=y" >> ${CONFIG} |
196 |
+ echo "CONFIG_EAP_MD5=y" >> ${CONFIG} |
197 |
+ |
198 |
+ if use internal-tls && ! use libressl; then |
199 |
+ echo "CONFIG_TLS=internal" >> ${CONFIG} |
200 |
+ else |
201 |
+ # SSL authentication methods |
202 |
+ echo "CONFIG_EAP_FAST=y" >> ${CONFIG} |
203 |
+ echo "CONFIG_EAP_TLS=y" >> ${CONFIG} |
204 |
+ echo "CONFIG_EAP_TTLS=y" >> ${CONFIG} |
205 |
+ echo "CONFIG_EAP_MSCHAPV2=y" >> ${CONFIG} |
206 |
+ echo "CONFIG_EAP_PEAP=y" >> ${CONFIG} |
207 |
+ echo "CONFIG_TLSV11=y" >> ${CONFIG} |
208 |
+ echo "CONFIG_TLSV12=y" >> ${CONFIG} |
209 |
+ echo "CONFIG_EAP_PWD=y" >> ${CONFIG} |
210 |
+ fi |
211 |
+ |
212 |
+ if use wps; then |
213 |
+ # Enable Wi-Fi Protected Setup |
214 |
+ echo "CONFIG_WPS=y" >> ${CONFIG} |
215 |
+ echo "CONFIG_WPS2=y" >> ${CONFIG} |
216 |
+ echo "CONFIG_WPS_UPNP=y" >> ${CONFIG} |
217 |
+ echo "CONFIG_WPS_NFC=y" >> ${CONFIG} |
218 |
+ einfo "Enabling Wi-Fi Protected Setup support" |
219 |
+ fi |
220 |
+ |
221 |
+ echo "CONFIG_EAP_IKEV2=y" >> ${CONFIG} |
222 |
+ echo "CONFIG_EAP_TNC=y" >> ${CONFIG} |
223 |
+ echo "CONFIG_EAP_GTC=y" >> ${CONFIG} |
224 |
+ echo "CONFIG_EAP_SIM=y" >> ${CONFIG} |
225 |
+ echo "CONFIG_EAP_AKA=y" >> ${CONFIG} |
226 |
+ echo "CONFIG_EAP_AKA_PRIME=y" >> ${CONFIG} |
227 |
+ echo "CONFIG_EAP_EKE=y" >> ${CONFIG} |
228 |
+ echo "CONFIG_EAP_PAX=y" >> ${CONFIG} |
229 |
+ echo "CONFIG_EAP_PSK=y" >> ${CONFIG} |
230 |
+ echo "CONFIG_EAP_SAKE=y" >> ${CONFIG} |
231 |
+ echo "CONFIG_EAP_GPSK=y" >> ${CONFIG} |
232 |
+ echo "CONFIG_EAP_GPSK_SHA256=y" >> ${CONFIG} |
233 |
+ |
234 |
+ einfo "Enabling drivers: " |
235 |
+ |
236 |
+ # drivers |
237 |
+ echo "CONFIG_DRIVER_HOSTAP=y" >> ${CONFIG} |
238 |
+ einfo " HostAP driver enabled" |
239 |
+ echo "CONFIG_DRIVER_WIRED=y" >> ${CONFIG} |
240 |
+ einfo " Wired driver enabled" |
241 |
+ echo "CONFIG_DRIVER_NONE=y" >> ${CONFIG} |
242 |
+ einfo " None driver enabled" |
243 |
+ |
244 |
+ einfo " nl80211 driver enabled" |
245 |
+ echo "CONFIG_DRIVER_NL80211=y" >> ${CONFIG} |
246 |
+ |
247 |
+ # epoll |
248 |
+ echo "CONFIG_ELOOP_EPOLL=y" >> ${CONFIG} |
249 |
+ |
250 |
+ # misc |
251 |
+ echo "CONFIG_DEBUG_FILE=y" >> ${CONFIG} |
252 |
+ echo "CONFIG_PKCS12=y" >> ${CONFIG} |
253 |
+ echo "CONFIG_RADIUS_SERVER=y" >> ${CONFIG} |
254 |
+ echo "CONFIG_IAPP=y" >> ${CONFIG} |
255 |
+ echo "CONFIG_IEEE80211R=y" >> ${CONFIG} |
256 |
+ echo "CONFIG_IEEE80211W=y" >> ${CONFIG} |
257 |
+ echo "CONFIG_IEEE80211N=y" >> ${CONFIG} |
258 |
+ echo "CONFIG_IEEE80211AC=y" >> ${CONFIG} |
259 |
+ echo "CONFIG_PEERKEY=y" >> ${CONFIG} |
260 |
+ echo "CONFIG_RSN_PREAUTH=y" >> ${CONFIG} |
261 |
+ echo "CONFIG_INTERWORKING=y" >> ${CONFIG} |
262 |
+ echo "CONFIG_FULL_DYNAMIC_VLAN=y" >> ${CONFIG} |
263 |
+ echo "CONFIG_HS20=y" >> ${CONFIG} |
264 |
+ echo "CONFIG_WNM=y" >> ${CONFIG} |
265 |
+ echo "CONFIG_FST=y" >> ${CONFIG} |
266 |
+ echo "CONFIG_FST_TEST=y" >> ${CONFIG} |
267 |
+ echo "CONFIG_ACS=y" >> ${CONFIG} |
268 |
+ |
269 |
+ if use netlink; then |
270 |
+ # Netlink support |
271 |
+ echo "CONFIG_VLAN_NETLINK=y" >> ${CONFIG} |
272 |
+ fi |
273 |
+ |
274 |
+ if use ipv6; then |
275 |
+ # IPv6 support |
276 |
+ echo "CONFIG_IPV6=y" >> ${CONFIG} |
277 |
+ fi |
278 |
+ |
279 |
+ if use sqlite; then |
280 |
+ # Sqlite support |
281 |
+ echo "CONFIG_SQLITE=y" >> ${CONFIG} |
282 |
+ fi |
283 |
+ |
284 |
+ # If we are using libnl 2.0 and above, enable support for it |
285 |
+ # Removed for now, since the 3.2 version is broken, and we don't |
286 |
+ # support it. |
287 |
+ if has_version ">=dev-libs/libnl-3.2"; then |
288 |
+ echo "CONFIG_LIBNL32=y" >> .config |
289 |
+ fi |
290 |
+ |
291 |
+ # TODO: Add support for BSD drivers |
292 |
+ |
293 |
+ default_src_configure |
294 |
+} |
295 |
+ |
296 |
+src_compile() { |
297 |
+ emake V=1 |
298 |
+ |
299 |
+ if use libressl || ! use internal-tls; then |
300 |
+ emake V=1 nt_password_hash |
301 |
+ emake V=1 hlr_auc_gw |
302 |
+ fi |
303 |
+} |
304 |
+ |
305 |
+src_install() { |
306 |
+ insinto /etc/${PN} |
307 |
+ doins ${PN}.{conf,accept,deny,eap_user,radius_clients,sim_db,wpa_psk} |
308 |
+ |
309 |
+ fperms -R 600 /etc/${PN} |
310 |
+ |
311 |
+ dosbin ${PN} |
312 |
+ dobin ${PN}_cli |
313 |
+ |
314 |
+ if use libressl || ! use internal-tls; then |
315 |
+ dobin nt_password_hash hlr_auc_gw |
316 |
+ fi |
317 |
+ |
318 |
+ newinitd "${WORKDIR}/${EXTRAS_NAME}"/${PN}-init.d ${PN} |
319 |
+ newconfd "${WORKDIR}/${EXTRAS_NAME}"/${PN}-conf.d ${PN} |
320 |
+ systemd_dounit "${WORKDIR}/${EXTRAS_NAME}"/${PN}.service |
321 |
+ |
322 |
+ doman ${PN}{.8,_cli.1} |
323 |
+ |
324 |
+ dodoc ChangeLog README |
325 |
+ use wps && dodoc README-WPS |
326 |
+ |
327 |
+ docinto examples |
328 |
+ dodoc wired.conf |
329 |
+ |
330 |
+ if use logwatch; then |
331 |
+ insinto /etc/log.d/conf/services/ |
332 |
+ doins logwatch/${PN}.conf |
333 |
+ |
334 |
+ exeinto /etc/log.d/scripts/services/ |
335 |
+ doexe logwatch/${PN} |
336 |
+ fi |
337 |
+ |
338 |
+ save_config .config |
339 |
+} |
340 |
+ |
341 |
+pkg_postinst() { |
342 |
+ einfo |
343 |
+ einfo "If you are running openRC you need to follow this instructions:" |
344 |
+ einfo "In order to use ${PN} you need to set up your wireless card" |
345 |
+ einfo "for master mode in /etc/conf.d/net and then start" |
346 |
+ einfo "/etc/init.d/${PN}." |
347 |
+ einfo |
348 |
+ einfo "Example configuration:" |
349 |
+ einfo |
350 |
+ einfo "config_wlan0=( \"192.168.1.1/24\" )" |
351 |
+ einfo "channel_wlan0=\"6\"" |
352 |
+ einfo "essid_wlan0=\"test\"" |
353 |
+ einfo "mode_wlan0=\"master\"" |
354 |
+ einfo |
355 |
+ #if [ -e "${KV_DIR}"/net/mac80211 ]; then |
356 |
+ # einfo "This package now compiles against the headers installed by" |
357 |
+ # einfo "the kernel source for the mac80211 driver. You should " |
358 |
+ # einfo "re-emerge ${PN} after upgrading your kernel source." |
359 |
+ #fi |
360 |
+ |
361 |
+ if use wps; then |
362 |
+ einfo "You have enabled Wi-Fi Protected Setup support, please" |
363 |
+ einfo "read the README-WPS file in /usr/share/doc/${P}" |
364 |
+ einfo "for info on how to use WPS" |
365 |
+ fi |
366 |
+} |