commit: 6970d92f9176e581d6244f99088c59b5f2e7cc95 |
Author: Zero_Chaos <zerochaos <AT> gentoo <DOT> org> |
AuthorDate: Mon Oct 16 14:07:11 2017 +0000 |
Commit: Richard Farina <zerochaos <AT> gentoo <DOT> org> |
CommitDate: Mon Oct 16 14:07:11 2017 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6970d92f |
|
net-wireless/hostapd: fix for bug #634438 |
|
Package-Manager: Portage-2.3.11, Repoman-2.3.3 |
|
...-Avoid-key-reinstallation-in-FT-handshake.patch | 174 ++++++++++++++ |
...nstallation-of-an-already-in-use-group-ke.patch | 250 +++++++++++++++++++++ |
...ection-of-GTK-IGTK-reinstallation-of-WNM-.patch | 184 +++++++++++++++ |
...04-Prevent-installation-of-an-all-zero-TK.patch | 79 +++++++ |
...Fix-PTK-rekeying-to-generate-a-new-ANonce.patch | 64 ++++++ |
...6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch | 132 +++++++++++ |
...llow-multiple-Reassociation-Response-fram.patch | 82 +++++++ |
net-wireless/hostapd/hostapd-2.6-r1.ebuild | 226 +++++++++++++++++++ |
8 files changed, 1191 insertions(+) |
|
diff --git a/net-wireless/hostapd/files/2017-1/rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch b/net-wireless/hostapd/files/2017-1/rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch |
23 |
new file mode 100644 |
24 |
index 00000000000..727684865db |
25 |
--- /dev/null |
26 |
+++ b/net-wireless/hostapd/files/2017-1/rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch |
27 |
@@ -0,0 +1,174 @@ |
28 |
+From cf4cab804c7afd5c45505528a8d16e46163243a2 Mon Sep 17 00:00:00 2001 |
29 |
+From: Mathy Vanhoef <Mathy.Vanhoef@×××××××××××.be> |
30 |
+Date: Fri, 14 Jul 2017 15:15:35 +0200 |
31 |
+Subject: [PATCH 1/8] hostapd: Avoid key reinstallation in FT handshake |
32 |
+ |
33 |
+Do not reinstall TK to the driver during Reassociation Response frame |
34 |
+processing if the first attempt of setting the TK succeeded. This avoids |
35 |
+issues related to clearing the TX/RX PN that could result in reusing |
36 |
+same PN values for transmitted frames (e.g., due to CCM nonce reuse and |
37 |
+also hitting replay protection on the receiver) and accepting replayed |
38 |
+frames on RX side. |
39 |
+ |
40 |
+This issue was introduced by the commit |
41 |
+0e84c25434e6a1f283c7b4e62e483729085b78d2 ('FT: Fix PTK configuration in |
42 |
+authenticator') which allowed wpa_ft_install_ptk() to be called multiple |
43 |
+times with the same PTK. While the second configuration attempt is |
44 |
+needed with some drivers, it must be done only if the first attempt |
45 |
+failed. |
46 |
+ |
47 |
+Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@×××××××××××.be> |
48 |
+--- |
49 |
+ src/ap/ieee802_11.c | 16 +++++++++++++--- |
50 |
+ src/ap/wpa_auth.c | 11 +++++++++++ |
51 |
+ src/ap/wpa_auth.h | 3 ++- |
52 |
+ src/ap/wpa_auth_ft.c | 10 ++++++++++ |
53 |
+ src/ap/wpa_auth_i.h | 1 + |
54 |
+ 5 files changed, 37 insertions(+), 4 deletions(-) |
55 |
+ |
56 |
+diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c |
57 |
+index 4e04169..333035f 100644 |
58 |
+--- a/src/ap/ieee802_11.c |
59 |
++++ b/src/ap/ieee802_11.c |
60 |
+@@ -1841,6 +1841,7 @@ static int add_associated_sta(struct hostapd_data *hapd, |
61 |
+ { |
62 |
+ struct ieee80211_ht_capabilities ht_cap; |
63 |
+ struct ieee80211_vht_capabilities vht_cap; |
64 |
++ int set = 1; |
65 |
+ |
66 |
+ /* |
67 |
+ * Remove the STA entry to ensure the STA PS state gets cleared and |
68 |
+@@ -1848,9 +1849,18 @@ static int add_associated_sta(struct hostapd_data *hapd, |
69 |
+ * FT-over-the-DS, where a station re-associates back to the same AP but |
70 |
+ * skips the authentication flow, or if working with a driver that |
71 |
+ * does not support full AP client state. |
72 |
++ * |
73 |
++ * Skip this if the STA has already completed FT reassociation and the |
74 |
++ * TK has been configured since the TX/RX PN must not be reset to 0 for |
75 |
++ * the same key. |
76 |
+ */ |
77 |
+- if (!sta->added_unassoc) |
78 |
++ if (!sta->added_unassoc && |
79 |
++ (!(sta->flags & WLAN_STA_AUTHORIZED) || |
80 |
++ !wpa_auth_sta_ft_tk_already_set(sta->wpa_sm))) { |
81 |
+ hostapd_drv_sta_remove(hapd, sta->addr); |
82 |
++ wpa_auth_sm_event(sta->wpa_sm, WPA_DRV_STA_REMOVED); |
83 |
++ set = 0; |
84 |
++ } |
85 |
+ |
86 |
+ #ifdef CONFIG_IEEE80211N |
87 |
+ if (sta->flags & WLAN_STA_HT) |
88 |
+@@ -1873,11 +1883,11 @@ static int add_associated_sta(struct hostapd_data *hapd, |
89 |
+ sta->flags & WLAN_STA_VHT ? &vht_cap : NULL, |
90 |
+ sta->flags | WLAN_STA_ASSOC, sta->qosinfo, |
91 |
+ sta->vht_opmode, sta->p2p_ie ? 1 : 0, |
92 |
+- sta->added_unassoc)) { |
93 |
++ set)) { |
94 |
+ hostapd_logger(hapd, sta->addr, |
95 |
+ HOSTAPD_MODULE_IEEE80211, HOSTAPD_LEVEL_NOTICE, |
96 |
+ "Could not %s STA to kernel driver", |
97 |
+- sta->added_unassoc ? "set" : "add"); |
98 |
++ set ? "set" : "add"); |
99 |
+ |
100 |
+ if (sta->added_unassoc) { |
101 |
+ hostapd_drv_sta_remove(hapd, sta->addr); |
102 |
+diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c |
103 |
+index 3587086..707971d 100644 |
104 |
+--- a/src/ap/wpa_auth.c |
105 |
++++ b/src/ap/wpa_auth.c |
106 |
+@@ -1745,6 +1745,9 @@ int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event) |
107 |
+ #else /* CONFIG_IEEE80211R */ |
108 |
+ break; |
109 |
+ #endif /* CONFIG_IEEE80211R */ |
110 |
++ case WPA_DRV_STA_REMOVED: |
111 |
++ sm->tk_already_set = FALSE; |
112 |
++ return 0; |
113 |
+ } |
114 |
+ |
115 |
+ #ifdef CONFIG_IEEE80211R |
116 |
+@@ -3250,6 +3253,14 @@ int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm) |
117 |
+ } |
118 |
+ |
119 |
+ |
120 |
++int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm) |
121 |
++{ |
122 |
++ if (!sm || !wpa_key_mgmt_ft(sm->wpa_key_mgmt)) |
123 |
++ return 0; |
124 |
++ return sm->tk_already_set; |
125 |
++} |
126 |
++ |
127 |
++ |
128 |
+ int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm, |
129 |
+ struct rsn_pmksa_cache_entry *entry) |
130 |
+ { |
131 |
+diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h |
132 |
+index 0de8d97..97461b0 100644 |
133 |
+--- a/src/ap/wpa_auth.h |
134 |
++++ b/src/ap/wpa_auth.h |
135 |
+@@ -267,7 +267,7 @@ void wpa_receive(struct wpa_authenticator *wpa_auth, |
136 |
+ u8 *data, size_t data_len); |
137 |
+ enum wpa_event { |
138 |
+ WPA_AUTH, WPA_ASSOC, WPA_DISASSOC, WPA_DEAUTH, WPA_REAUTH, |
139 |
+- WPA_REAUTH_EAPOL, WPA_ASSOC_FT |
140 |
++ WPA_REAUTH_EAPOL, WPA_ASSOC_FT, WPA_DRV_STA_REMOVED |
141 |
+ }; |
142 |
+ void wpa_remove_ptk(struct wpa_state_machine *sm); |
143 |
+ int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event); |
144 |
+@@ -280,6 +280,7 @@ int wpa_auth_pairwise_set(struct wpa_state_machine *sm); |
145 |
+ int wpa_auth_get_pairwise(struct wpa_state_machine *sm); |
146 |
+ int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm); |
147 |
+ int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm); |
148 |
++int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm); |
149 |
+ int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm, |
150 |
+ struct rsn_pmksa_cache_entry *entry); |
151 |
+ struct rsn_pmksa_cache_entry * |
152 |
+diff --git a/src/ap/wpa_auth_ft.c b/src/ap/wpa_auth_ft.c |
153 |
+index 42242a5..e63b99a 100644 |
154 |
+--- a/src/ap/wpa_auth_ft.c |
155 |
++++ b/src/ap/wpa_auth_ft.c |
156 |
+@@ -780,6 +780,14 @@ void wpa_ft_install_ptk(struct wpa_state_machine *sm) |
157 |
+ return; |
158 |
+ } |
159 |
+ |
160 |
++ if (sm->tk_already_set) { |
161 |
++ /* Must avoid TK reconfiguration to prevent clearing of TX/RX |
162 |
++ * PN in the driver */ |
163 |
++ wpa_printf(MSG_DEBUG, |
164 |
++ "FT: Do not re-install same PTK to the driver"); |
165 |
++ return; |
166 |
++ } |
167 |
++ |
168 |
+ /* FIX: add STA entry to kernel/driver here? The set_key will fail |
169 |
+ * most likely without this.. At the moment, STA entry is added only |
170 |
+ * after association has been completed. This function will be called |
171 |
+@@ -792,6 +800,7 @@ void wpa_ft_install_ptk(struct wpa_state_machine *sm) |
172 |
+ |
173 |
+ /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */ |
174 |
+ sm->pairwise_set = TRUE; |
175 |
++ sm->tk_already_set = TRUE; |
176 |
+ } |
177 |
+ |
178 |
+ |
179 |
+@@ -898,6 +907,7 @@ static int wpa_ft_process_auth_req(struct wpa_state_machine *sm, |
180 |
+ |
181 |
+ sm->pairwise = pairwise; |
182 |
+ sm->PTK_valid = TRUE; |
183 |
++ sm->tk_already_set = FALSE; |
184 |
+ wpa_ft_install_ptk(sm); |
185 |
+ |
186 |
+ buflen = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) + |
187 |
+diff --git a/src/ap/wpa_auth_i.h b/src/ap/wpa_auth_i.h |
188 |
+index 72b7eb3..7fd8f05 100644 |
189 |
+--- a/src/ap/wpa_auth_i.h |
190 |
++++ b/src/ap/wpa_auth_i.h |
191 |
+@@ -65,6 +65,7 @@ struct wpa_state_machine { |
192 |
+ struct wpa_ptk PTK; |
193 |
+ Boolean PTK_valid; |
194 |
+ Boolean pairwise_set; |
195 |
++ Boolean tk_already_set; |
196 |
+ int keycount; |
197 |
+ Boolean Pair; |
198 |
+ struct wpa_key_replay_counter { |
199 |
+-- |
200 |
+2.7.4 |
201 |
+ |
202 |
|
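Review bot: The new `tk_already_set` field in the wpa_auth_i.h hunk and the accessor `wpa_auth_sta_ft_tk_already_set()` in the wpa_auth.c hunk carry no comment describing when the flag is valid, even though it now decides whether add_associated_sta() removes the STA from the driver and whether wpa_ft_install_ptk() touches the driver at all. I would annotate the field `Boolean tk_already_set; /* TK configured to driver; cleared on WPA_DRV_STA_REMOVED and on a new FT auth request */` and give the accessor a one-line header comment stating that it reports 0 for non-FT key management. The flag is cleared only in wpa_ft_process_auth_req() and in the WPA_DRV_STA_REMOVED case; if wpa_ft_install_ptk() has callers other than wpa_ft_process_auth_req(), or if wpa_remove_ptk() (declared in the wpa_auth.h hunk) drops the key from the driver without that event being raised, a stale TRUE would turn the next install into a no-op, which is worth confirming outside these hunks. Both add_associated_sta() and wpa_ft_install_ptk() continue outside the hunks shown.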
203 |
diff --git a/net-wireless/hostapd/files/2017-1/rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch b/net-wireless/hostapd/files/2017-1/rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch |
204 |
new file mode 100644 |
205 |
index 00000000000..1802d664add |
206 |
--- /dev/null |
207 |
+++ b/net-wireless/hostapd/files/2017-1/rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch |
208 |
@@ -0,0 +1,250 @@ |
209 |
+From 927f891007c402fefd1ff384645b3f07597c3ede Mon Sep 17 00:00:00 2001 |
210 |
+From: Mathy Vanhoef <Mathy.Vanhoef@×××××××××××.be> |
211 |
+Date: Wed, 12 Jul 2017 16:03:24 +0200 |
212 |
+Subject: [PATCH 2/8] Prevent reinstallation of an already in-use group key |
213 |
+ |
214 |
+Track the current GTK and IGTK that is in use and when receiving a |
215 |
+(possibly retransmitted) Group Message 1 or WNM-Sleep Mode Response, do |
216 |
+not install the given key if it is already in use. This prevents an |
217 |
+attacker from trying to trick the client into resetting or lowering the |
218 |
+sequence counter associated to the group key. |
219 |
+ |
220 |
+Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@×××××××××××.be> |
221 |
+--- |
222 |
+ src/common/wpa_common.h | 11 +++++ |
223 |
+ src/rsn_supp/wpa.c | 116 ++++++++++++++++++++++++++++++------------------ |
224 |
+ src/rsn_supp/wpa_i.h | 4 ++ |
225 |
+ 3 files changed, 87 insertions(+), 44 deletions(-) |
226 |
+ |
227 |
+diff --git a/src/common/wpa_common.h b/src/common/wpa_common.h |
228 |
+index af1d0f0..d200285 100644 |
229 |
+--- a/src/common/wpa_common.h |
230 |
++++ b/src/common/wpa_common.h |
231 |
+@@ -217,6 +217,17 @@ struct wpa_ptk { |
232 |
+ size_t tk_len; |
233 |
+ }; |
234 |
+ |
235 |
++struct wpa_gtk { |
236 |
++ u8 gtk[WPA_GTK_MAX_LEN]; |
237 |
++ size_t gtk_len; |
238 |
++}; |
239 |
++ |
240 |
++#ifdef CONFIG_IEEE80211W |
241 |
++struct wpa_igtk { |
242 |
++ u8 igtk[WPA_IGTK_MAX_LEN]; |
243 |
++ size_t igtk_len; |
244 |
++}; |
245 |
++#endif /* CONFIG_IEEE80211W */ |
246 |
+ |
247 |
+ /* WPA IE version 1 |
248 |
+ * 00-50-f2:1 (OUI:OUI type) |
249 |
+diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c |
250 |
+index 3c47879..95bd7be 100644 |
251 |
+--- a/src/rsn_supp/wpa.c |
252 |
++++ b/src/rsn_supp/wpa.c |
253 |
+@@ -714,6 +714,15 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm, |
254 |
+ const u8 *_gtk = gd->gtk; |
255 |
+ u8 gtk_buf[32]; |
256 |
+ |
257 |
++ /* Detect possible key reinstallation */ |
258 |
++ if (sm->gtk.gtk_len == (size_t) gd->gtk_len && |
259 |
++ os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) { |
260 |
++ wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, |
261 |
++ "WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)", |
262 |
++ gd->keyidx, gd->tx, gd->gtk_len); |
263 |
++ return 0; |
264 |
++ } |
265 |
++ |
266 |
+ wpa_hexdump_key(MSG_DEBUG, "WPA: Group Key", gd->gtk, gd->gtk_len); |
267 |
+ wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, |
268 |
+ "WPA: Installing GTK to the driver (keyidx=%d tx=%d len=%d)", |
269 |
+@@ -748,6 +757,9 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm, |
270 |
+ } |
271 |
+ os_memset(gtk_buf, 0, sizeof(gtk_buf)); |
272 |
+ |
273 |
++ sm->gtk.gtk_len = gd->gtk_len; |
274 |
++ os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len); |
275 |
++ |
276 |
+ return 0; |
277 |
+ } |
278 |
+ |
279 |
+@@ -854,6 +866,48 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm, |
280 |
+ } |
281 |
+ |
282 |
+ |
283 |
++#ifdef CONFIG_IEEE80211W |
284 |
++static int wpa_supplicant_install_igtk(struct wpa_sm *sm, |
285 |
++ const struct wpa_igtk_kde *igtk) |
286 |
++{ |
287 |
++ size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher); |
288 |
++ u16 keyidx = WPA_GET_LE16(igtk->keyid); |
289 |
++ |
290 |
++ /* Detect possible key reinstallation */ |
291 |
++ if (sm->igtk.igtk_len == len && |
292 |
++ os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) { |
293 |
++ wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, |
294 |
++ "WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)", |
295 |
++ keyidx); |
296 |
++ return 0; |
297 |
++ } |
298 |
++ |
299 |
++ wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, |
300 |
++ "WPA: IGTK keyid %d pn %02x%02x%02x%02x%02x%02x", |
301 |
++ keyidx, MAC2STR(igtk->pn)); |
302 |
++ wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK", igtk->igtk, len); |
303 |
++ if (keyidx > 4095) { |
304 |
++ wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, |
305 |
++ "WPA: Invalid IGTK KeyID %d", keyidx); |
306 |
++ return -1; |
307 |
++ } |
308 |
++ if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher), |
309 |
++ broadcast_ether_addr, |
310 |
++ keyidx, 0, igtk->pn, sizeof(igtk->pn), |
311 |
++ igtk->igtk, len) < 0) { |
312 |
++ wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, |
313 |
++ "WPA: Failed to configure IGTK to the driver"); |
314 |
++ return -1; |
315 |
++ } |
316 |
++ |
317 |
++ sm->igtk.igtk_len = len; |
318 |
++ os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len); |
319 |
++ |
320 |
++ return 0; |
321 |
++} |
322 |
++#endif /* CONFIG_IEEE80211W */ |
323 |
++ |
324 |
++ |
325 |
+ static int ieee80211w_set_keys(struct wpa_sm *sm, |
326 |
+ struct wpa_eapol_ie_parse *ie) |
327 |
+ { |
328 |
+@@ -864,30 +918,14 @@ static int ieee80211w_set_keys(struct wpa_sm *sm, |
329 |
+ if (ie->igtk) { |
330 |
+ size_t len; |
331 |
+ const struct wpa_igtk_kde *igtk; |
332 |
+- u16 keyidx; |
333 |
++ |
334 |
+ len = wpa_cipher_key_len(sm->mgmt_group_cipher); |
335 |
+ if (ie->igtk_len != WPA_IGTK_KDE_PREFIX_LEN + len) |
336 |
+ return -1; |
337 |
++ |
338 |
+ igtk = (const struct wpa_igtk_kde *) ie->igtk; |
339 |
+- keyidx = WPA_GET_LE16(igtk->keyid); |
340 |
+- wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: IGTK keyid %d " |
341 |
+- "pn %02x%02x%02x%02x%02x%02x", |
342 |
+- keyidx, MAC2STR(igtk->pn)); |
343 |
+- wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK", |
344 |
+- igtk->igtk, len); |
345 |
+- if (keyidx > 4095) { |
346 |
+- wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, |
347 |
+- "WPA: Invalid IGTK KeyID %d", keyidx); |
348 |
+- return -1; |
349 |
+- } |
350 |
+- if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher), |
351 |
+- broadcast_ether_addr, |
352 |
+- keyidx, 0, igtk->pn, sizeof(igtk->pn), |
353 |
+- igtk->igtk, len) < 0) { |
354 |
+- wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, |
355 |
+- "WPA: Failed to configure IGTK to the driver"); |
356 |
++ if (wpa_supplicant_install_igtk(sm, igtk) < 0) |
357 |
+ return -1; |
358 |
+- } |
359 |
+ } |
360 |
+ |
361 |
+ return 0; |
362 |
+@@ -2307,7 +2345,7 @@ void wpa_sm_deinit(struct wpa_sm *sm) |
363 |
+ */ |
364 |
+ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid) |
365 |
+ { |
366 |
+- int clear_ptk = 1; |
367 |
++ int clear_keys = 1; |
368 |
+ |
369 |
+ if (sm == NULL) |
370 |
+ return; |
371 |
+@@ -2333,11 +2371,11 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid) |
372 |
+ /* Prepare for the next transition */ |
373 |
+ wpa_ft_prepare_auth_request(sm, NULL); |
374 |
+ |
375 |
+- clear_ptk = 0; |
376 |
++ clear_keys = 0; |
377 |
+ } |
378 |
+ #endif /* CONFIG_IEEE80211R */ |
379 |
+ |
380 |
+- if (clear_ptk) { |
381 |
++ if (clear_keys) { |
382 |
+ /* |
383 |
+ * IEEE 802.11, 8.4.10: Delete PTK SA on (re)association if |
384 |
+ * this is not part of a Fast BSS Transition. |
385 |
+@@ -2347,6 +2385,10 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid) |
386 |
+ os_memset(&sm->ptk, 0, sizeof(sm->ptk)); |
387 |
+ sm->tptk_set = 0; |
388 |
+ os_memset(&sm->tptk, 0, sizeof(sm->tptk)); |
389 |
++ os_memset(&sm->gtk, 0, sizeof(sm->gtk)); |
390 |
++#ifdef CONFIG_IEEE80211W |
391 |
++ os_memset(&sm->igtk, 0, sizeof(sm->igtk)); |
392 |
++#endif /* CONFIG_IEEE80211W */ |
393 |
+ } |
394 |
+ |
395 |
+ #ifdef CONFIG_TDLS |
396 |
+@@ -2877,6 +2919,10 @@ void wpa_sm_drop_sa(struct wpa_sm *sm) |
397 |
+ os_memset(sm->pmk, 0, sizeof(sm->pmk)); |
398 |
+ os_memset(&sm->ptk, 0, sizeof(sm->ptk)); |
399 |
+ os_memset(&sm->tptk, 0, sizeof(sm->tptk)); |
400 |
++ os_memset(&sm->gtk, 0, sizeof(sm->gtk)); |
401 |
++#ifdef CONFIG_IEEE80211W |
402 |
++ os_memset(&sm->igtk, 0, sizeof(sm->igtk)); |
403 |
++#endif /* CONFIG_IEEE80211W */ |
404 |
+ #ifdef CONFIG_IEEE80211R |
405 |
+ os_memset(sm->xxkey, 0, sizeof(sm->xxkey)); |
406 |
+ os_memset(sm->pmk_r0, 0, sizeof(sm->pmk_r0)); |
407 |
+@@ -2949,29 +2995,11 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf) |
408 |
+ os_memset(&gd, 0, sizeof(gd)); |
409 |
+ #ifdef CONFIG_IEEE80211W |
410 |
+ } else if (subelem_id == WNM_SLEEP_SUBELEM_IGTK) { |
411 |
+- struct wpa_igtk_kde igd; |
412 |
+- u16 keyidx; |
413 |
+- |
414 |
+- os_memset(&igd, 0, sizeof(igd)); |
415 |
+- keylen = wpa_cipher_key_len(sm->mgmt_group_cipher); |
416 |
+- os_memcpy(igd.keyid, buf + 2, 2); |
417 |
+- os_memcpy(igd.pn, buf + 4, 6); |
418 |
+- |
419 |
+- keyidx = WPA_GET_LE16(igd.keyid); |
420 |
+- os_memcpy(igd.igtk, buf + 10, keylen); |
421 |
+- |
422 |
+- wpa_hexdump_key(MSG_DEBUG, "Install IGTK (WNM SLEEP)", |
423 |
+- igd.igtk, keylen); |
424 |
+- if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher), |
425 |
+- broadcast_ether_addr, |
426 |
+- keyidx, 0, igd.pn, sizeof(igd.pn), |
427 |
+- igd.igtk, keylen) < 0) { |
428 |
+- wpa_printf(MSG_DEBUG, "Failed to install the IGTK in " |
429 |
+- "WNM mode"); |
430 |
+- os_memset(&igd, 0, sizeof(igd)); |
431 |
++ const struct wpa_igtk_kde *igtk; |
432 |
++ |
433 |
++ igtk = (const struct wpa_igtk_kde *) (buf + 2); |
434 |
++ if (wpa_supplicant_install_igtk(sm, igtk) < 0) |
435 |
+ return -1; |
436 |
+- } |
437 |
+- os_memset(&igd, 0, sizeof(igd)); |
438 |
+ #endif /* CONFIG_IEEE80211W */ |
439 |
+ } else { |
440 |
+ wpa_printf(MSG_DEBUG, "Unknown element id"); |
441 |
+diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h |
442 |
+index f653ba6..afc9e37 100644 |
443 |
+--- a/src/rsn_supp/wpa_i.h |
444 |
++++ b/src/rsn_supp/wpa_i.h |
445 |
+@@ -31,6 +31,10 @@ struct wpa_sm { |
446 |
+ u8 rx_replay_counter[WPA_REPLAY_COUNTER_LEN]; |
447 |
+ int rx_replay_counter_set; |
448 |
+ u8 request_counter[WPA_REPLAY_COUNTER_LEN]; |
449 |
++ struct wpa_gtk gtk; |
450 |
++#ifdef CONFIG_IEEE80211W |
451 |
++ struct wpa_igtk igtk; |
452 |
++#endif /* CONFIG_IEEE80211W */ |
453 |
+ |
454 |
+ struct eapol_sm *eapol; /* EAPOL state machine from upper level code */ |
455 |
+ |
456 |
+-- |
457 |
+2.7.4 |
458 |
+ |
459 |
|
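Review bot: The new `struct wpa_gtk gtk` and `struct wpa_igtk igtk` members in the wpa_i.h hunk keep a copy of installed group key material in `struct wpa_sm` for the lifetime of the association, whereas before this change the only supplicant-side copy (`gtk_buf` in wpa_supplicant_install_gtk()) was zeroed immediately after wpa_sm_set_key(). The hunks clear the copies in wpa_sm_notify_assoc() and wpa_sm_drop_sa(), but neither the fields nor the new structs in wpa_common.h say why the copy is kept; I would annotate `struct wpa_gtk gtk; /* last GTK installed to the driver; a matching key in a later Group 1 or WNM-Sleep frame is not reinstalled */` and the igtk field likewise. Whether wpa_sm_deinit() reaches wpa_sm_drop_sa() before freeing the state machine is not visible here and should be confirmed so the copies are not released unzeroed. In wpa_wnmsleep_install_key(), overlaying `(const struct wpa_igtk_kde *) (buf + 2)` reads the same `keyid`, `pn` and `len` key bytes that the removed os_memcpy() calls read, so the length validation that function performs before this branch, outside the hunk, is still what bounds the access.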
460 |
diff --git a/net-wireless/hostapd/files/2017-1/rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch b/net-wireless/hostapd/files/2017-1/rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch |
461 |
new file mode 100644 |
462 |
index 00000000000..e2937b851ad |
463 |
--- /dev/null |
464 |
+++ b/net-wireless/hostapd/files/2017-1/rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch |
465 |
@@ -0,0 +1,184 @@ |
466 |
+From 8280294e74846ea342389a0cd17215050fa5afe8 Mon Sep 17 00:00:00 2001 |
467 |
+From: Jouni Malinen <j@××.fi> |
468 |
+Date: Sun, 1 Oct 2017 12:12:24 +0300 |
469 |
+Subject: [PATCH 3/8] Extend protection of GTK/IGTK reinstallation of WNM-Sleep |
470 |
+ Mode cases |
471 |
+ |
472 |
+This extends the protection to track last configured GTK/IGTK value |
473 |
+separately from EAPOL-Key frames and WNM-Sleep Mode frames to cover a |
474 |
+corner case where these two different mechanisms may get used when the |
475 |
+GTK/IGTK has changed and tracking a single value is not sufficient to |
476 |
+detect a possible key reconfiguration. |
477 |
+ |
478 |
+Signed-off-by: Jouni Malinen <j@××.fi> |
479 |
+--- |
480 |
+ src/rsn_supp/wpa.c | 53 +++++++++++++++++++++++++++++++++++++--------------- |
481 |
+ src/rsn_supp/wpa_i.h | 2 ++ |
482 |
+ 2 files changed, 40 insertions(+), 15 deletions(-) |
483 |
+ |
484 |
+diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c |
485 |
+index 95bd7be..7a2c68d 100644 |
486 |
+--- a/src/rsn_supp/wpa.c |
487 |
++++ b/src/rsn_supp/wpa.c |
488 |
+@@ -709,14 +709,17 @@ struct wpa_gtk_data { |
489 |
+ |
490 |
+ static int wpa_supplicant_install_gtk(struct wpa_sm *sm, |
491 |
+ const struct wpa_gtk_data *gd, |
492 |
+- const u8 *key_rsc) |
493 |
++ const u8 *key_rsc, int wnm_sleep) |
494 |
+ { |
495 |
+ const u8 *_gtk = gd->gtk; |
496 |
+ u8 gtk_buf[32]; |
497 |
+ |
498 |
+ /* Detect possible key reinstallation */ |
499 |
+- if (sm->gtk.gtk_len == (size_t) gd->gtk_len && |
500 |
+- os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) { |
501 |
++ if ((sm->gtk.gtk_len == (size_t) gd->gtk_len && |
502 |
++ os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) || |
503 |
++ (sm->gtk_wnm_sleep.gtk_len == (size_t) gd->gtk_len && |
504 |
++ os_memcmp(sm->gtk_wnm_sleep.gtk, gd->gtk, |
505 |
++ sm->gtk_wnm_sleep.gtk_len) == 0)) { |
506 |
+ wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, |
507 |
+ "WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)", |
508 |
+ gd->keyidx, gd->tx, gd->gtk_len); |
509 |
+@@ -757,8 +760,14 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm, |
510 |
+ } |
511 |
+ os_memset(gtk_buf, 0, sizeof(gtk_buf)); |
512 |
+ |
513 |
+- sm->gtk.gtk_len = gd->gtk_len; |
514 |
+- os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len); |
515 |
++ if (wnm_sleep) { |
516 |
++ sm->gtk_wnm_sleep.gtk_len = gd->gtk_len; |
517 |
++ os_memcpy(sm->gtk_wnm_sleep.gtk, gd->gtk, |
518 |
++ sm->gtk_wnm_sleep.gtk_len); |
519 |
++ } else { |
520 |
++ sm->gtk.gtk_len = gd->gtk_len; |
521 |
++ os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len); |
522 |
++ } |
523 |
+ |
524 |
+ return 0; |
525 |
+ } |
526 |
+@@ -852,7 +861,7 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm, |
527 |
+ (wpa_supplicant_check_group_cipher(sm, sm->group_cipher, |
528 |
+ gtk_len, gtk_len, |
529 |
+ &gd.key_rsc_len, &gd.alg) || |
530 |
+- wpa_supplicant_install_gtk(sm, &gd, key_rsc))) { |
531 |
++ wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0))) { |
532 |
+ wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, |
533 |
+ "RSN: Failed to install GTK"); |
534 |
+ os_memset(&gd, 0, sizeof(gd)); |
535 |
+@@ -868,14 +877,18 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm, |
536 |
+ |
537 |
+ #ifdef CONFIG_IEEE80211W |
538 |
+ static int wpa_supplicant_install_igtk(struct wpa_sm *sm, |
539 |
+- const struct wpa_igtk_kde *igtk) |
540 |
++ const struct wpa_igtk_kde *igtk, |
541 |
++ int wnm_sleep) |
542 |
+ { |
543 |
+ size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher); |
544 |
+ u16 keyidx = WPA_GET_LE16(igtk->keyid); |
545 |
+ |
546 |
+ /* Detect possible key reinstallation */ |
547 |
+- if (sm->igtk.igtk_len == len && |
548 |
+- os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) { |
549 |
++ if ((sm->igtk.igtk_len == len && |
550 |
++ os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) || |
551 |
++ (sm->igtk_wnm_sleep.igtk_len == len && |
552 |
++ os_memcmp(sm->igtk_wnm_sleep.igtk, igtk->igtk, |
553 |
++ sm->igtk_wnm_sleep.igtk_len) == 0)) { |
554 |
+ wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, |
555 |
+ "WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)", |
556 |
+ keyidx); |
557 |
+@@ -900,8 +913,14 @@ static int wpa_supplicant_install_igtk(struct wpa_sm *sm, |
558 |
+ return -1; |
559 |
+ } |
560 |
+ |
561 |
+- sm->igtk.igtk_len = len; |
562 |
+- os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len); |
563 |
++ if (wnm_sleep) { |
564 |
++ sm->igtk_wnm_sleep.igtk_len = len; |
565 |
++ os_memcpy(sm->igtk_wnm_sleep.igtk, igtk->igtk, |
566 |
++ sm->igtk_wnm_sleep.igtk_len); |
567 |
++ } else { |
568 |
++ sm->igtk.igtk_len = len; |
569 |
++ os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len); |
570 |
++ } |
571 |
+ |
572 |
+ return 0; |
573 |
+ } |
574 |
+@@ -924,7 +943,7 @@ static int ieee80211w_set_keys(struct wpa_sm *sm, |
575 |
+ return -1; |
576 |
+ |
577 |
+ igtk = (const struct wpa_igtk_kde *) ie->igtk; |
578 |
+- if (wpa_supplicant_install_igtk(sm, igtk) < 0) |
579 |
++ if (wpa_supplicant_install_igtk(sm, igtk, 0) < 0) |
580 |
+ return -1; |
581 |
+ } |
582 |
+ |
583 |
+@@ -1574,7 +1593,7 @@ static void wpa_supplicant_process_1_of_2(struct wpa_sm *sm, |
584 |
+ if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc)) |
585 |
+ key_rsc = null_rsc; |
586 |
+ |
587 |
+- if (wpa_supplicant_install_gtk(sm, &gd, key_rsc) || |
588 |
++ if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0) || |
589 |
+ wpa_supplicant_send_2_of_2(sm, key, ver, key_info) < 0) |
590 |
+ goto failed; |
591 |
+ os_memset(&gd, 0, sizeof(gd)); |
592 |
+@@ -2386,8 +2405,10 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid) |
593 |
+ sm->tptk_set = 0; |
594 |
+ os_memset(&sm->tptk, 0, sizeof(sm->tptk)); |
595 |
+ os_memset(&sm->gtk, 0, sizeof(sm->gtk)); |
596 |
++ os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep)); |
597 |
+ #ifdef CONFIG_IEEE80211W |
598 |
+ os_memset(&sm->igtk, 0, sizeof(sm->igtk)); |
599 |
++ os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep)); |
600 |
+ #endif /* CONFIG_IEEE80211W */ |
601 |
+ } |
602 |
+ |
603 |
+@@ -2920,8 +2941,10 @@ void wpa_sm_drop_sa(struct wpa_sm *sm) |
604 |
+ os_memset(&sm->ptk, 0, sizeof(sm->ptk)); |
605 |
+ os_memset(&sm->tptk, 0, sizeof(sm->tptk)); |
606 |
+ os_memset(&sm->gtk, 0, sizeof(sm->gtk)); |
607 |
++ os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep)); |
608 |
+ #ifdef CONFIG_IEEE80211W |
609 |
+ os_memset(&sm->igtk, 0, sizeof(sm->igtk)); |
610 |
++ os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep)); |
611 |
+ #endif /* CONFIG_IEEE80211W */ |
612 |
+ #ifdef CONFIG_IEEE80211R |
613 |
+ os_memset(sm->xxkey, 0, sizeof(sm->xxkey)); |
614 |
+@@ -2986,7 +3009,7 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf) |
615 |
+ |
616 |
+ wpa_hexdump_key(MSG_DEBUG, "Install GTK (WNM SLEEP)", |
617 |
+ gd.gtk, gd.gtk_len); |
618 |
+- if (wpa_supplicant_install_gtk(sm, &gd, key_rsc)) { |
619 |
++ if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 1)) { |
620 |
+ os_memset(&gd, 0, sizeof(gd)); |
621 |
+ wpa_printf(MSG_DEBUG, "Failed to install the GTK in " |
622 |
+ "WNM mode"); |
623 |
+@@ -2998,7 +3021,7 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf) |
624 |
+ const struct wpa_igtk_kde *igtk; |
625 |
+ |
626 |
+ igtk = (const struct wpa_igtk_kde *) (buf + 2); |
627 |
+- if (wpa_supplicant_install_igtk(sm, igtk) < 0) |
628 |
++ if (wpa_supplicant_install_igtk(sm, igtk, 1) < 0) |
629 |
+ return -1; |
630 |
+ #endif /* CONFIG_IEEE80211W */ |
631 |
+ } else { |
632 |
+diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h |
633 |
+index afc9e37..9a54631 100644 |
634 |
+--- a/src/rsn_supp/wpa_i.h |
635 |
++++ b/src/rsn_supp/wpa_i.h |
636 |
+@@ -32,8 +32,10 @@ struct wpa_sm { |
637 |
+ int rx_replay_counter_set; |
638 |
+ u8 request_counter[WPA_REPLAY_COUNTER_LEN]; |
639 |
+ struct wpa_gtk gtk; |
640 |
++ struct wpa_gtk gtk_wnm_sleep; |
641 |
+ #ifdef CONFIG_IEEE80211W |
642 |
+ struct wpa_igtk igtk; |
643 |
++ struct wpa_igtk igtk_wnm_sleep; |
644 |
+ #endif /* CONFIG_IEEE80211W */ |
645 |
+ |
646 |
+ struct eapol_sm *eapol; /* EAPOL state machine from upper level code */ |
647 |
+-- |
648 |
+2.7.4 |
649 |
+ |
650 |
|
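Review bot: The new `wnm_sleep` parameter of wpa_supplicant_install_gtk() and wpa_supplicant_install_igtk() is undocumented and is passed as a bare `0` or `1` at every call site, so a reader of the wpa_supplicant_pairwise_gtk() or wpa_wnmsleep_install_key() hunks cannot tell what the literal selects. I would add above each function `/* wnm_sleep: 1 if the key arrived in a WNM-Sleep Mode Response, 0 if via EAPOL-Key; each source is tracked in its own sm->gtk / sm->gtk_wnm_sleep copy */` and comment the two new `*_wnm_sleep` fields in the wpa_i.h hunk the same way. The compare-against-both-copies-then-store-into-one logic is now duplicated between the GTK and IGTK functions; a small static helper taking the two tracked copies, the candidate key and its length would keep them in step if a third key source is ever added. Both functions' bodies continue outside the hunks shown.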
651 |
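--- /dev/null
+++ b/net-wireless/hostapd/files/2017-1/rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch
@@ -0,0 +1,79 @@
+From 8f82bc94e8697a9d47fa8774dfdaaede1084912c Mon Sep 17 00:00:00 2001
+From: Mathy Vanhoef <Mathy.Vanhoef@×××××××××××.be>
+Date: Fri, 29 Sep 2017 04:22:51 +0200
+Subject: [PATCH 4/8] Prevent installation of an all-zero TK
+
+Properly track whether a PTK has already been installed to the driver
+and the TK part cleared from memory. This prevents an attacker from
+trying to trick the client into installing an all-zero TK.
+
+This fixes the earlier fix in commit
+ad00d64e7d8827b3cebd665a0ceb08adabf15e1e ('Fix TK configuration to the
+driver in EAPOL-Key 3/4 retry case') which did not take into account
+possibility of an extra message 1/4 showing up between retries of
+message 3/4.
+
+Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@×××××××××××.be>
+---
+ src/common/wpa_common.h | 1 +
+ src/rsn_supp/wpa.c | 5 ++---
+ src/rsn_supp/wpa_i.h | 1 -
+ 3 files changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/src/common/wpa_common.h b/src/common/wpa_common.h
+index d200285..1021ccb 100644
+--- a/src/common/wpa_common.h
++++ b/src/common/wpa_common.h
+@@ -215,6 +215,7 @@ struct wpa_ptk {
+ size_t kck_len;
+ size_t kek_len;
+ size_t tk_len;
++ int installed; /* 1 if key has already been installed to driver */
+ };
+
+ struct wpa_gtk {
+diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
+index 7a2c68d..0550a41 100644
+--- a/src/rsn_supp/wpa.c
++++ b/src/rsn_supp/wpa.c
+@@ -510,7 +510,6 @@ static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm,
+ os_memset(buf, 0, sizeof(buf));
+ }
+ sm->tptk_set = 1;
+- sm->tk_to_set = 1;
+
+ kde = sm->assoc_wpa_ie;
+ kde_len = sm->assoc_wpa_ie_len;
+@@ -615,7 +614,7 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm,
+ enum wpa_alg alg;
+ const u8 *key_rsc;
+
+- if (!sm->tk_to_set) {
++ if (sm->ptk.installed) {
+ wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
+ "WPA: Do not re-install same PTK to the driver");
+ return 0;
+@@ -659,7 +658,7 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm,
+
+ /* TK is not needed anymore in supplicant */
+ os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
+- sm->tk_to_set = 0;
++ sm->ptk.installed = 1;
+
+ if (sm->wpa_ptk_rekey) {
+ eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
+diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h
+index 9a54631..41f371f 100644
+--- a/src/rsn_supp/wpa_i.h
++++ b/src/rsn_supp/wpa_i.h
+@@ -24,7 +24,6 @@ struct wpa_sm {
+ struct wpa_ptk ptk, tptk;
+ int ptk_set, tptk_set;
+ unsigned int msg_3_of_4_ok:1;
+- unsigned int tk_to_set:1;
+ u8 snonce[WPA_NONCE_LEN];
+ u8 anonce[WPA_NONCE_LEN]; /* ANonce from the last 1/4 msg */
+ int renew_snonce;
+--
+2.7.4
+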
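Review bot: Placing `installed` inside `struct wpa_ptk` (wpa_common.h hunk) makes the flag's reset depend on the struct being zeroed or overwritten as a whole: the hunks set it to 1 in wpa_supplicant_install_ptk() and never clear it explicitly, so it returns to 0 only when `sm->ptk` is os_memset() or when a freshly derived `sm->tptk` is copied over it. The field comment should state that contract, e.g. `int installed; /* 1 if key has already been installed to driver; reset only by zeroing the struct or copying a new PTK over it */`, since the same struct is also used by the authenticator (`struct wpa_ptk PTK` in wpa_auth_i.h, visible in the 0001 patch) where the field is never set. Any path that derives a new PTK in place into `sm->ptk` rather than through `sm->tptk` and then calls wpa_supplicant_install_ptk() would inherit a stale 1 and skip the driver install; whether such a path exists is outside these hunks and worth checking. The removed `tk_to_set` bitfield in wpa_i.h had the same role but lived in `struct wpa_sm`, so this struct-copy reset behaviour is new with the change.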
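diff --git a/net-wireless/hostapd/files/2017-1/rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch b/net-wireless/hostapd/files/2017-1/rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch
new file mode 100644
index 00000000000..c19c4c71023
--- /dev/null
+++ b/net-wireless/hostapd/files/2017-1/rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch
@@ -0,0 +1,64 @@
+From 12fac09b437a1dc8a0f253e265934a8aaf4d2f8b Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@××.fi>
+Date: Sun, 1 Oct 2017 12:32:57 +0300
+Subject: [PATCH 5/8] Fix PTK rekeying to generate a new ANonce
+
+The Authenticator state machine path for PTK rekeying ended up bypassing
+the AUTHENTICATION2 state where a new ANonce is generated when going
+directly to the PTKSTART state since there is no need to try to
+determine the PMK again in such a case. This is far from ideal since the
+new PTK would depend on a new nonce only from the supplicant.
+
+Fix this by generating a new ANonce when moving to the PTKSTART state
+for the purpose of starting new 4-way handshake to rekey PTK.
+
+Signed-off-by: Jouni Malinen <j@××.fi>
+---
+ src/ap/wpa_auth.c | 24 +++++++++++++++++++++---
+ 1 file changed, 21 insertions(+), 3 deletions(-)
+
+diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
+index 707971d..bf10cc1 100644
+--- a/src/ap/wpa_auth.c
++++ b/src/ap/wpa_auth.c
+@@ -1901,6 +1901,21 @@ SM_STATE(WPA_PTK, AUTHENTICATION2)
+ }
+
+
++static int wpa_auth_sm_ptk_update(struct wpa_state_machine *sm)
++{
++ if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
++ wpa_printf(MSG_ERROR,
++ "WPA: Failed to get random data for ANonce");
++ sm->Disconnect = TRUE;
++ return -1;
++ }
++ wpa_hexdump(MSG_DEBUG, "WPA: Assign new ANonce", sm->ANonce,
++ WPA_NONCE_LEN);
++ sm->TimeoutCtr = 0;
++ return 0;
++}
++
++
+ SM_STATE(WPA_PTK, INITPMK)
+ {
+ u8 msk[2 * PMK_LEN];
+@@ -2458,9 +2473,12 @@ SM_STEP(WPA_PTK)
+ SM_ENTER(WPA_PTK, AUTHENTICATION);
+ else if (sm->ReAuthenticationRequest)
+ SM_ENTER(WPA_PTK, AUTHENTICATION2);
+- else if (sm->PTKRequest)
+- SM_ENTER(WPA_PTK, PTKSTART);
+- else switch (sm->wpa_ptk_state) {
++ else if (sm->PTKRequest) {
++ if (wpa_auth_sm_ptk_update(sm) < 0)
++ SM_ENTER(WPA_PTK, DISCONNECTED);
++ else
++ SM_ENTER(WPA_PTK, PTKSTART);
++ } else switch (sm->wpa_ptk_state) {
+ case WPA_PTK_INITIALIZE:
+ break;
+ case WPA_PTK_DISCONNECT:
+-- 
+2.7.4
+
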
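Review bot: `wpa_auth_sm_ptk_update()` in the first wpa_auth.c hunk carries no comment saying why a fresh ANonce is needed on the PTKRequest path, which is the whole point of the patch and not recoverable from the three statements; suggest `/* PTK rekey bypasses AUTHENTICATION2, so generate the new ANonce here before entering PTKSTART. */` above the function. The RNG-failure branch sets `sm->Disconnect = TRUE` while the SM_STEP caller in the second hunk also enters DISCONNECTED directly on the -1, so the flag appears redundant there; if it is kept for other readers of `Disconnect`, a one-line comment on that assignment would spare the next reader a walk through the state machine. The `AUTHENTICATION2` state whose closing brace is the first context line presumably generates the ANonce the same way, so having it call the new helper would keep the two rekey paths from drifting apart; its body is outside the hunk, so that is inferred from the commit description.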
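diff --git a/net-wireless/hostapd/files/2017-1/rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch b/net-wireless/hostapd/files/2017-1/rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch
new file mode 100644
index 00000000000..e1bd5a57262
--- /dev/null
+++ b/net-wireless/hostapd/files/2017-1/rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch
@@ -0,0 +1,132 @@
+From 6c4bed4f47d1960ec04981a9d50e5076aea5223d Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@××.fi>
+Date: Fri, 22 Sep 2017 11:03:15 +0300
+Subject: [PATCH 6/8] TDLS: Reject TPK-TK reconfiguration
+
+Do not try to reconfigure the same TPK-TK to the driver after it has
+been successfully configured. This is an explicit check to avoid issues
+related to resetting the TX/RX packet number. There was already a check
+for this for TPK M2 (retries of that message are ignored completely), so
+that behavior does not get modified.
+
+For TPK M3, the TPK-TK could have been reconfigured, but that was
+followed by immediate teardown of the link due to an issue in updating
+the STA entry. Furthermore, for TDLS with any real security (i.e.,
+ignoring open/WEP), the TPK message exchange is protected on the AP path
+and simple replay attacks are not feasible.
+
+As an additional corner case, make sure the local nonce gets updated if
+the peer uses a very unlikely "random nonce" of all zeros.
+
+Signed-off-by: Jouni Malinen <j@××.fi>
+---
+ src/rsn_supp/tdls.c | 38 ++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 36 insertions(+), 2 deletions(-)
+
+diff --git a/src/rsn_supp/tdls.c b/src/rsn_supp/tdls.c
+index e424168..9eb9738 100644
+--- a/src/rsn_supp/tdls.c
++++ b/src/rsn_supp/tdls.c
+@@ -112,6 +112,7 @@ struct wpa_tdls_peer {
+ u8 tk[16]; /* TPK-TK; assuming only CCMP will be used */
+ } tpk;
+ int tpk_set;
++ int tk_set; /* TPK-TK configured to the driver */
+ int tpk_success;
+ int tpk_in_progress;
+
+@@ -192,6 +193,20 @@ static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
+ u8 rsc[6];
+ enum wpa_alg alg;
+
++ if (peer->tk_set) {
++ /*
++ * This same TPK-TK has already been configured to the driver
++ * and this new configuration attempt (likely due to an
++ * unexpected retransmitted frame) would result in clearing
++ * the TX/RX sequence number which can break security, so must
++ * not allow that to happen.
++ */
++ wpa_printf(MSG_INFO, "TDLS: TPK-TK for the peer " MACSTR
++ " has already been configured to the driver - do not reconfigure",
++ MAC2STR(peer->addr));
++ return -1;
++ }
++
+ os_memset(rsc, 0, 6);
+
+ switch (peer->cipher) {
+@@ -209,12 +224,15 @@ static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
+ return -1;
+ }
+
++ wpa_printf(MSG_DEBUG, "TDLS: Configure pairwise key for peer " MACSTR,
++ MAC2STR(peer->addr));
+ if (wpa_sm_set_key(sm, alg, peer->addr, -1, 1,
+ rsc, sizeof(rsc), peer->tpk.tk, key_len) < 0) {
+ wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the "
+ "driver");
+ return -1;
+ }
++ peer->tk_set = 1;
+ return 0;
+ }
+
+@@ -696,7 +714,7 @@ static void wpa_tdls_peer_clear(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
+ peer->cipher = 0;
+ peer->qos_info = 0;
+ peer->wmm_capable = 0;
+- peer->tpk_set = peer->tpk_success = 0;
++ peer->tk_set = peer->tpk_set = peer->tpk_success = 0;
+ peer->chan_switch_enabled = 0;
+ os_memset(&peer->tpk, 0, sizeof(peer->tpk));
+ os_memset(peer->inonce, 0, WPA_NONCE_LEN);
+@@ -1159,6 +1177,7 @@ skip_rsnie:
+ wpa_tdls_peer_free(sm, peer);
+ return -1;
+ }
++ peer->tk_set = 0; /* A new nonce results in a new TK */
+ wpa_hexdump(MSG_DEBUG, "TDLS: Initiator Nonce for TPK handshake",
+ peer->inonce, WPA_NONCE_LEN);
+ os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
+@@ -1751,6 +1770,19 @@ static int wpa_tdls_addset_peer(struct wpa_sm *sm, struct wpa_tdls_peer *peer,
+ }
+
+
++static int tdls_nonce_set(const u8 *nonce)
++{
++ int i;
++
++ for (i = 0; i < WPA_NONCE_LEN; i++) {
++ if (nonce[i])
++ return 1;
++ }
++
++ return 0;
++}
++
++
+ static int wpa_tdls_process_tpk_m1(struct wpa_sm *sm, const u8 *src_addr,
+ const u8 *buf, size_t len)
+ {
+@@ -2004,7 +2036,8 @@ skip_rsn:
+ peer->rsnie_i_len = kde.rsn_ie_len;
+ peer->cipher = cipher;
+
+- if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) {
++ if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0 ||
++ !tdls_nonce_set(peer->inonce)) {
+ /*
+ * There is no point in updating the RNonce for every obtained
+ * TPK M1 frame (e.g., retransmission due to timeout) with the
+@@ -2020,6 +2053,7 @@ skip_rsn:
+ "TDLS: Failed to get random data for responder nonce");
+ goto error;
+ }
++ peer->tk_set = 0; /* A new nonce results in a new TK */
+ }
+
+ #if 0
+-- 
+2.7.4
+
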
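Review bot: The `peer->tk_set` guard added at the top of `wpa_tdls_set_key()` reports "key already configured" with the same `-1` the driver-failure path returns a few lines later, so a caller cannot tell a harmless retransmission from a real failure; the callers sit outside these hunks, so whether any of them tears the link down on -1 is inferred rather than visible. If the conflation is deliberate, it belongs in a comment on the function, e.g. `/* Returns -1 both on driver failure and when the TK is already installed; the latter is a deliberate no-op, not an error */`, so that a later caller does not treat the guard as a fault. `tdls_nonce_set()` walks the nonce with a signed `int i` against `WPA_NONCE_LEN`; `size_t i` would avoid a signed/unsigned comparison if that macro is unsigned, and a one-line comment such as `/* Return 1 if nonce has any non-zero byte, i.e., was actually generated */` would explain why an all-zero nonce is treated as unset. The `tk_set = 0` reset is duplicated with the same comment in the initiator and responder hunks, which is fine, but the struct field comment `/* TPK-TK configured to the driver */` could mention that it is cleared whenever a new nonce is generated so the invariant is stated in one place.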
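diff --git a/net-wireless/hostapd/files/2017-1/rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch b/net-wireless/hostapd/files/2017-1/rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch
new file mode 100644
index 00000000000..b9678f6815a
--- /dev/null
+++ b/net-wireless/hostapd/files/2017-1/rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch
@@ -0,0 +1,82 @@
+From b372ab0b7daea719749194dc554b26e6367603f2 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@××.fi>
+Date: Fri, 22 Sep 2017 12:06:37 +0300
+Subject: [PATCH 8/8] FT: Do not allow multiple Reassociation Response frames
+
+The driver is expected to not report a second association event without
+the station having explicitly request a new association. As such, this
+case should not be reachable. However, since reconfiguring the same
+pairwise or group keys to the driver could result in nonce reuse issues,
+be extra careful here and do an additional state check to avoid this
+even if the local driver ends up somehow accepting an unexpected
+Reassociation Response frame.
+
+Signed-off-by: Jouni Malinen <j@××.fi>
+---
+ src/rsn_supp/wpa.c | 3 +++
+ src/rsn_supp/wpa_ft.c | 8 ++++++++
+ src/rsn_supp/wpa_i.h | 1 +
+ 3 files changed, 12 insertions(+)
+
+diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
+index 0550a41..2a53c6f 100644
+--- a/src/rsn_supp/wpa.c
++++ b/src/rsn_supp/wpa.c
+@@ -2440,6 +2440,9 @@ void wpa_sm_notify_disassoc(struct wpa_sm *sm)
+ #ifdef CONFIG_TDLS
+ wpa_tdls_disassoc(sm);
+ #endif /* CONFIG_TDLS */
++#ifdef CONFIG_IEEE80211R
++ sm->ft_reassoc_completed = 0;
++#endif /* CONFIG_IEEE80211R */
+
+ /* Keys are not needed in the WPA state machine anymore */
+ wpa_sm_drop_sa(sm);
+diff --git a/src/rsn_supp/wpa_ft.c b/src/rsn_supp/wpa_ft.c
+index 205793e..d45bb45 100644
+--- a/src/rsn_supp/wpa_ft.c
++++ b/src/rsn_supp/wpa_ft.c
+@@ -153,6 +153,7 @@ static u8 * wpa_ft_gen_req_ies(struct wpa_sm *sm, size_t *len,
+ u16 capab;
+
+ sm->ft_completed = 0;
++ sm->ft_reassoc_completed = 0;
+
+ buf_len = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) +
+ 2 + sm->r0kh_id_len + ric_ies_len + 100;
+@@ -681,6 +682,11 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies,
+ return -1;
+ }
+
++ if (sm->ft_reassoc_completed) {
++ wpa_printf(MSG_DEBUG, "FT: Reassociation has already been completed for this FT protocol instance - ignore unexpected retransmission");
++ return 0;
++ }
++
+ if (wpa_ft_parse_ies(ies, ies_len, &parse) < 0) {
+ wpa_printf(MSG_DEBUG, "FT: Failed to parse IEs");
+ return -1;
+@@ -781,6 +787,8 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies,
+ return -1;
+ }
+
++ sm->ft_reassoc_completed = 1;
++
+ if (wpa_ft_process_gtk_subelem(sm, parse.gtk, parse.gtk_len) < 0)
+ return -1;
+
+diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h
+index 41f371f..56f88dc 100644
+--- a/src/rsn_supp/wpa_i.h
++++ b/src/rsn_supp/wpa_i.h
+@@ -128,6 +128,7 @@ struct wpa_sm {
+ size_t r0kh_id_len;
+ u8 r1kh_id[FT_R1KH_ID_LEN];
+ int ft_completed;
++ int ft_reassoc_completed;
+ int over_the_ds_in_progress;
+ u8 target_ap[ETH_ALEN]; /* over-the-DS target AP */
+ int set_ptk_after_assoc;
+-- 
+2.7.4
+
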
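Review bot: `sm->ft_reassoc_completed = 1` is set in the third wpa_ft.c hunk before `wpa_ft_process_gtk_subelem()` runs, so a GTK subelement failure returns -1 with the flag already latched and the new guard in the previous hunk will then drop every later Reassociation Response for this instance as an "unexpected retransmission" rather than re-validating it; `wpa_ft_validate_reassoc_resp()` starts and ends outside these hunks, so what the -1 leads to is not visible here. If latching before the group-key step is deliberate (once the pairwise path has completed nothing may be reinstalled, even after a partial failure), a comment such as `/* Latch before GTK/IGTK processing so a partial failure can never lead to a second key installation */` would make that intent explicit. The guard logs at MSG_DEBUG only, whereas the commit message describes the case as unreachable without a misbehaving driver or an unexpected frame; MSG_INFO, as the TDLS reconfiguration check in the sibling patch uses, would keep the event visible in normal logs.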
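diff --git a/net-wireless/hostapd/hostapd-2.6-r1.ebuild b/net-wireless/hostapd/hostapd-2.6-r1.ebuild
new file mode 100644
index 00000000000..76965506ee1
--- /dev/null
+++ b/net-wireless/hostapd/hostapd-2.6-r1.ebuild
@@ -0,0 +1,226 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="6"
+
+inherit toolchain-funcs eutils systemd
+
+# bogus commit to force manifest regeneration #596462
+
+DESCRIPTION="IEEE 802.11 wireless LAN Host AP daemon"
+HOMEPAGE="http://hostap.epitest.fi"
+SRC_URI="http://hostap.epitest.fi/releases/${P}.tar.gz"
+
+LICENSE="|| ( GPL-2 BSD )"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~mips ~ppc ~x86"
+IUSE="ipv6 logwatch netlink sqlite +ssl +wps +crda"
+
+DEPEND="ssl? ( dev-libs/openssl:*[-bindist] )
+ kernel_linux? (
+ dev-libs/libnl:3
+ crda? ( net-wireless/crda )
+ )
+ netlink? ( net-libs/libnfnetlink )
+ sqlite? ( >=dev-db/sqlite-3 )"
+
+RDEPEND="${DEPEND}"
+
+S="${S}/${PN}"
+
+src_prepare() {
+ # Allow users to apply patches to src/drivers for example,
+ # i.e. anything outside ${S}/${PN}
+ pushd ../ >/dev/null || die
+ # https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
+ eapply "${FILESDIR}/2017-1/rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch"
+ eapply "${FILESDIR}/2017-1/rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch"
+ eapply "${FILESDIR}/2017-1/rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch"
+ eapply "${FILESDIR}/2017-1/rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch"
+ eapply "${FILESDIR}/2017-1/rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch"
+ eapply "${FILESDIR}/2017-1/rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch"
+ eapply "${FILESDIR}/2017-1/rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch"
+ default
+ popd >/dev/null || die
+
+ sed -i -e "s:/etc/hostapd:/etc/hostapd/hostapd:g" \
+ "${S}/hostapd.conf" || die
+
+}
+
+src_configure() {
+ local CONFIG="${S}/.config"
+
+ # toolchain setup
+ echo "CC = $(tc-getCC)" > ${CONFIG}
+
+ # EAP authentication methods
+ echo "CONFIG_EAP=y" >> ${CONFIG}
+ echo "CONFIG_ERP=y" >> ${CONFIG}
+ echo "CONFIG_EAP_MD5=y" >> ${CONFIG}
+
+ if use ssl; then
+ # SSL authentication methods
+ echo "CONFIG_EAP_FAST=y" >> ${CONFIG}
+ echo "CONFIG_EAP_TLS=y" >> ${CONFIG}
+ echo "CONFIG_EAP_TTLS=y" >> ${CONFIG}
+ echo "CONFIG_EAP_MSCHAPV2=y" >> ${CONFIG}
+ echo "CONFIG_EAP_PEAP=y" >> ${CONFIG}
+ echo "CONFIG_TLSV11=y" >> ${CONFIG}
+ echo "CONFIG_TLSV12=y" >> ${CONFIG}
+ fi
+
+ if use wps; then
+ # Enable Wi-Fi Protected Setup
+ echo "CONFIG_WPS=y" >> ${CONFIG}
+ echo "CONFIG_WPS2=y" >> ${CONFIG}
+ echo "CONFIG_WPS_UPNP=y" >> ${CONFIG}
+ echo "CONFIG_WPS_NFC=y" >> ${CONFIG}
+ einfo "Enabling Wi-Fi Protected Setup support"
+ fi
+
+ echo "CONFIG_EAP_IKEV2=y" >> ${CONFIG}
+ echo "CONFIG_EAP_TNC=y" >> ${CONFIG}
+ echo "CONFIG_EAP_GTC=y" >> ${CONFIG}
+ echo "CONFIG_EAP_SIM=y" >> ${CONFIG}
+ echo "CONFIG_EAP_AKA=y" >> ${CONFIG}
+ echo "CONFIG_EAP_AKA_PRIME=y" >> ${CONFIG}
+ echo "CONFIG_EAP_EKE=y" >> ${CONFIG}
+ echo "CONFIG_EAP_PAX=y" >> ${CONFIG}
+ echo "CONFIG_EAP_PSK=y" >> ${CONFIG}
+ echo "CONFIG_EAP_SAKE=y" >> ${CONFIG}
+ echo "CONFIG_EAP_GPSK=y" >> ${CONFIG}
+ echo "CONFIG_EAP_GPSK_SHA256=y" >> ${CONFIG}
+ echo "CONFIG_EAP_PWD=y" >> ${CONFIG}
+
+ einfo "Enabling drivers: "
+
+ # drivers
+ echo "CONFIG_DRIVER_HOSTAP=y" >> ${CONFIG}
+ einfo " HostAP driver enabled"
+ echo "CONFIG_DRIVER_WIRED=y" >> ${CONFIG}
+ einfo " Wired driver enabled"
+ echo "CONFIG_DRIVER_PRISM54=y" >> ${CONFIG}
+ einfo " Prism54 driver enabled"
+ echo "CONFIG_DRIVER_NONE=y" >> ${CONFIG}
+ einfo " None driver enabled"
+
+ einfo " nl80211 driver enabled"
+ echo "CONFIG_DRIVER_NL80211=y" >> ${CONFIG}
+
+ # epoll
+ echo "CONFIG_ELOOP_EPOLL=y" >> ${CONFIG}
+
+ # misc
+ echo "CONFIG_DEBUG_FILE=y" >> ${CONFIG}
+ echo "CONFIG_PKCS12=y" >> ${CONFIG}
+ echo "CONFIG_RADIUS_SERVER=y" >> ${CONFIG}
+ echo "CONFIG_IAPP=y" >> ${CONFIG}
+ echo "CONFIG_IEEE80211R=y" >> ${CONFIG}
+ echo "CONFIG_IEEE80211W=y" >> ${CONFIG}
+ echo "CONFIG_IEEE80211N=y" >> ${CONFIG}
+ echo "CONFIG_IEEE80211AC=y" >> ${CONFIG}
+ echo "CONFIG_PEERKEY=y" >> ${CONFIG}
+ echo "CONFIG_RSN_PREAUTH=y" >> ${CONFIG}
+ echo "CONFIG_INTERWORKING=y" >> ${CONFIG}
+ echo "CONFIG_FULL_DYNAMIC_VLAN=y" >> ${CONFIG}
+ echo "CONFIG_HS20=y" >> ${CONFIG}
+ echo "CONFIG_WNM=y" >> ${CONFIG}
+ echo "CONFIG_FST=y" >> ${CONFIG}
+ echo "CONFIG_FST_TEST=y" >> ${CONFIG}
+ echo "CONFIG_ACS=y" >> ${CONFIG}
+
+ if use netlink; then
+ # Netlink support
+ echo "CONFIG_VLAN_NETLINK=y" >> ${CONFIG}
+ fi
+
+ if use ipv6; then
+ # IPv6 support
+ echo "CONFIG_IPV6=y" >> ${CONFIG}
+ fi
+
+ if use sqlite; then
+ # Sqlite support
+ echo "CONFIG_SQLITE=y" >> ${CONFIG}
+ fi
+
+ # If we are using libnl 2.0 and above, enable support for it
+ # Removed for now, since the 3.2 version is broken, and we don't
+ # support it.
+ if has_version ">=dev-libs/libnl-3.2"; then
+ echo "CONFIG_LIBNL32=y" >> .config
+ fi
+
+ # TODO: Add support for BSD drivers
+
+ default_src_configure
+}
+
+src_compile() {
+ emake V=1
+
+ if use ssl; then
+ emake V=1 nt_password_hash
+ emake V=1 hlr_auc_gw
+ fi
+}
+
+src_install() {
+ insinto /etc/${PN}
+ doins ${PN}.{conf,accept,deny,eap_user,radius_clients,sim_db,wpa_psk}
+
+ fperms -R 600 /etc/${PN}
+
+ dosbin ${PN}
+ dobin ${PN}_cli
+
+ use ssl && dobin nt_password_hash hlr_auc_gw
+
+ newinitd "${FILESDIR}"/${PN}-init.d ${PN}
+ newconfd "${FILESDIR}"/${PN}-conf.d ${PN}
+ systemd_dounit "${FILESDIR}"/${PN}.service
+
+ doman ${PN}{.8,_cli.1}
+
+ dodoc ChangeLog README
+ use wps && dodoc README-WPS
+
+ docinto examples
+ dodoc wired.conf
+
+ if use logwatch; then
+ insinto /etc/log.d/conf/services/
+ doins logwatch/${PN}.conf
+
+ exeinto /etc/log.d/scripts/services/
+ doexe logwatch/${PN}
+ fi
+}
+
+pkg_postinst() {
+ einfo
+ einfo "If you are running openRC you need to follow this instructions:"
+ einfo "In order to use ${PN} you need to set up your wireless card"
+ einfo "for master mode in /etc/conf.d/net and then start"
+ einfo "/etc/init.d/${PN}."
+ einfo
+ einfo "Example configuration:"
+ einfo
+ einfo "config_wlan0=( \"192.168.1.1/24\" )"
+ einfo "channel_wlan0=\"6\""
+ einfo "essid_wlan0=\"test\""
+ einfo "mode_wlan0=\"master\""
+ einfo
+ #if [ -e "${KV_DIR}"/net/mac80211 ]; then
+ # einfo "This package now compiles against the headers installed by"
+ # einfo "the kernel source for the mac80211 driver. You should "
+ # einfo "re-emerge ${PN} after upgrading your kernel source."
+ #fi
+
+ if use wps; then
+ einfo "You have enabled Wi-Fi Protected Setup support, please"
+ einfo "read the README-WPS file in /usr/share/doc/${P}"
+ einfo "for info on how to use WPS"
+ fi
+}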
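Review bot: In `src_configure()` the libnl block appends with a relative path, `echo "CONFIG_LIBNL32=y" >> .config`, while every other line in the function writes to `${CONFIG}`; it only reaches the same file because the phase's cwd is `${S}`, so for consistency and safety it should read `echo "CONFIG_LIBNL32=y" >> ${CONFIG}`. The comment directly above that block says libnl 3.2 support was "Removed for now", yet the `has_version` check is live, so the comment is stale and should either be deleted or rewritten to describe what the check actually enables. `${CONFIG}` is unquoted on every redirection; `"${CONFIG}"` is the usual ebuild style and costs nothing. The `src_prepare()` eapply list jumps from 0006 to 0008 of the 2017-1 advisory series, presumably because 0007 does not apply to hostapd; a one-line comment saying so would spare the next version bump from re-checking the omission.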