net-wireless/hostapd: cleanup

This commit is contained in:
Alarig Le Lay 2022-04-30 16:01:50 +02:00
parent 2e209a3691
commit 33c6e867de
Signed by: alarig
GPG key ID: 7AFE62C6DF8BCDEC
9 changed files with 0 additions and 1176 deletions

View file

@ -1,2 +0,0 @@
DIST hostapd-2.9.tar.gz 2244312 BLAKE2B 07308376dd1576313513fba815b220e4ab2f30ed1a402e24b5c8e62ded79c6d718ff47aad1a2222c9e46ffb7334580b556f19a8aef013eab34a8d61d708d2f01 SHA512 66c729380152db18b64520bda55dfa00af3b0264f97b5de100b81a46e2593571626c4bdcf900f0988ea2131e30bc8788f75d8489dd1f57e37fd56e8098e48a9c
DIST net-wireless_hostapd_2.7-r2_extras.tar.xz 1820 BLAKE2B 5c4daf0e4fcf5ae0803cdbe2aabcc75e89b1e92048e8a01894d73639a16b049174b37eca6b6206c337a2874a6e6d5588d50fa5b8a4813e7f6c22bf02efca852f SHA512 65bc4634c8314280ceab44d1f5d6d62092f4bca48253f107b076211020f6f6502388490aee907f9910846a25ba2da7e4122bdb1873eb2b12bf94e867e3295f4c

View file

@ -1,150 +0,0 @@
From 5b78c8f961f25f4dc22d6f2b77ddd06d712cec63 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <jouni@codeaurora.org>
Date: Wed, 3 Jun 2020 23:17:35 +0300
Subject: [PATCH 1/3] WPS UPnP: Do not allow event subscriptions with URLs to
other networks
The UPnP Device Architecture 2.0 specification errata ("UDA errata
16-04-2020.docx") addresses a problem with notifications being allowed
to go out to other domains by disallowing such cases. Do such filtering
for the notification callback URLs to avoid undesired connections to
external networks based on subscriptions that any device in the local
network could request when WPS support for external registrars is
enabled (the upnp_iface parameter in hostapd configuration).
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
---
src/wps/wps_er.c | 2 +-
src/wps/wps_upnp.c | 38 ++++++++++++++++++++++++++++++++++++--
src/wps/wps_upnp_i.h | 3 ++-
3 files changed, 39 insertions(+), 4 deletions(-)
diff --git a/src/wps/wps_er.c b/src/wps/wps_er.c
index 6bded14327f8..31d2e50e4cff 100644
--- a/src/wps/wps_er.c
+++ b/src/wps/wps_er.c
@@ -1298,7 +1298,7 @@ wps_er_init(struct wps_context *wps, const char *ifname, const char *filter)
"with %s", filter);
}
if (get_netif_info(er->ifname, &er->ip_addr, &er->ip_addr_text,
- er->mac_addr)) {
+ NULL, er->mac_addr)) {
wpa_printf(MSG_INFO, "WPS UPnP: Could not get IP/MAC address "
"for %s. Does it have IP address?", er->ifname);
wps_er_deinit(er, NULL, NULL);
diff --git a/src/wps/wps_upnp.c b/src/wps/wps_upnp.c
index 6e10e4bc0c3f..7d4b7439940e 100644
--- a/src/wps/wps_upnp.c
+++ b/src/wps/wps_upnp.c
@@ -303,6 +303,14 @@ static void subscr_addr_free_all(struct subscription *s)
}
+static int local_network_addr(struct upnp_wps_device_sm *sm,
+ struct sockaddr_in *addr)
+{
+ return (addr->sin_addr.s_addr & sm->netmask.s_addr) ==
+ (sm->ip_addr & sm->netmask.s_addr);
+}
+
+
/* subscr_addr_add_url -- add address(es) for one url to subscription */
static void subscr_addr_add_url(struct subscription *s, const char *url,
size_t url_len)
@@ -381,6 +389,7 @@ static void subscr_addr_add_url(struct subscription *s, const char *url,
for (rp = result; rp; rp = rp->ai_next) {
struct subscr_addr *a;
+ struct sockaddr_in *addr = (struct sockaddr_in *) rp->ai_addr;
/* Limit no. of address to avoid denial of service attack */
if (dl_list_len(&s->addr_list) >= MAX_ADDR_PER_SUBSCRIPTION) {
@@ -389,6 +398,13 @@ static void subscr_addr_add_url(struct subscription *s, const char *url,
break;
}
+ if (!local_network_addr(s->sm, addr)) {
+ wpa_printf(MSG_INFO,
+ "WPS UPnP: Ignore a delivery URL that points to another network %s",
+ inet_ntoa(addr->sin_addr));
+ continue;
+ }
+
a = os_zalloc(sizeof(*a) + alloc_len);
if (a == NULL)
break;
@@ -890,11 +906,12 @@ static int eth_get(const char *device, u8 ea[ETH_ALEN])
* @net_if: Selected network interface name
* @ip_addr: Buffer for returning IP address in network byte order
* @ip_addr_text: Buffer for returning a pointer to allocated IP address text
+ * @netmask: Buffer for returning netmask or %NULL if not needed
* @mac: Buffer for returning MAC address
* Returns: 0 on success, -1 on failure
*/
int get_netif_info(const char *net_if, unsigned *ip_addr, char **ip_addr_text,
- u8 mac[ETH_ALEN])
+ struct in_addr *netmask, u8 mac[ETH_ALEN])
{
struct ifreq req;
int sock = -1;
@@ -920,6 +937,19 @@ int get_netif_info(const char *net_if, unsigned *ip_addr, char **ip_addr_text,
in_addr.s_addr = *ip_addr;
os_snprintf(*ip_addr_text, 16, "%s", inet_ntoa(in_addr));
+ if (netmask) {
+ os_memset(&req, 0, sizeof(req));
+ os_strlcpy(req.ifr_name, net_if, sizeof(req.ifr_name));
+ if (ioctl(sock, SIOCGIFNETMASK, &req) < 0) {
+ wpa_printf(MSG_ERROR,
+ "WPS UPnP: SIOCGIFNETMASK failed: %d (%s)",
+ errno, strerror(errno));
+ goto fail;
+ }
+ addr = (struct sockaddr_in *) &req.ifr_netmask;
+ netmask->s_addr = addr->sin_addr.s_addr;
+ }
+
#ifdef __linux__
os_strlcpy(req.ifr_name, net_if, sizeof(req.ifr_name));
if (ioctl(sock, SIOCGIFHWADDR, &req) < 0) {
@@ -1026,11 +1056,15 @@ static int upnp_wps_device_start(struct upnp_wps_device_sm *sm, char *net_if)
/* Determine which IP and mac address we're using */
if (get_netif_info(net_if, &sm->ip_addr, &sm->ip_addr_text,
- sm->mac_addr)) {
+ &sm->netmask, sm->mac_addr)) {
wpa_printf(MSG_INFO, "WPS UPnP: Could not get IP/MAC address "
"for %s. Does it have IP address?", net_if);
goto fail;
}
+ wpa_printf(MSG_DEBUG, "WPS UPnP: Local IP address %s netmask %s hwaddr "
+ MACSTR,
+ sm->ip_addr_text, inet_ntoa(sm->netmask),
+ MAC2STR(sm->mac_addr));
/* Listen for incoming TCP connections so that others
* can fetch our "xml files" from us.
diff --git a/src/wps/wps_upnp_i.h b/src/wps/wps_upnp_i.h
index e87a93232df1..6ead7b4e9a30 100644
--- a/src/wps/wps_upnp_i.h
+++ b/src/wps/wps_upnp_i.h
@@ -128,6 +128,7 @@ struct upnp_wps_device_sm {
u8 mac_addr[ETH_ALEN]; /* mac addr of network i.f. we use */
char *ip_addr_text; /* IP address of network i.f. we use */
unsigned ip_addr; /* IP address of network i.f. we use (host order) */
+ struct in_addr netmask;
int multicast_sd; /* send multicast messages over this socket */
int ssdp_sd; /* receive discovery UPD packets on socket */
int ssdp_sd_registered; /* nonzero if we must unregister */
@@ -158,7 +159,7 @@ struct subscription * subscription_find(struct upnp_wps_device_sm *sm,
const u8 uuid[UUID_LEN]);
void subscr_addr_delete(struct subscr_addr *a);
int get_netif_info(const char *net_if, unsigned *ip_addr, char **ip_addr_text,
- u8 mac[ETH_ALEN]);
+ struct in_addr *netmask, u8 mac[ETH_ALEN]);
/* wps_upnp_ssdp.c */
void msearchreply_state_machine_stop(struct advertisement_state_machine *a);
--
2.20.1

View file

@ -1,59 +0,0 @@
From f7d268864a2660b7239b9a8ff5ad37faeeb751ba Mon Sep 17 00:00:00 2001
From: Jouni Malinen <jouni@codeaurora.org>
Date: Wed, 3 Jun 2020 22:41:02 +0300
Subject: [PATCH 2/3] WPS UPnP: Fix event message generation using a long URL
path
More than about 700 character URL ended up overflowing the wpabuf used
for building the event notification and this resulted in the wpabuf
buffer overflow checks terminating the hostapd process. Fix this by
allocating the buffer to be large enough to contain the full URL path.
However, since that around 700 character limit has been the practical
limit for more than ten years, start explicitly enforcing that as the
limit or the callback URLs since any longer ones had not worked before
and there is no need to enable them now either.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
---
src/wps/wps_upnp.c | 9 +++++++--
src/wps/wps_upnp_event.c | 3 ++-
2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/src/wps/wps_upnp.c b/src/wps/wps_upnp.c
index 7d4b7439940e..ab685d52ecab 100644
--- a/src/wps/wps_upnp.c
+++ b/src/wps/wps_upnp.c
@@ -328,9 +328,14 @@ static void subscr_addr_add_url(struct subscription *s, const char *url,
int rerr;
size_t host_len, path_len;
- /* url MUST begin with http: */
- if (url_len < 7 || os_strncasecmp(url, "http://", 7))
+ /* URL MUST begin with HTTP scheme. In addition, limit the length of
+ * the URL to 700 characters which is around the limit that was
+ * implicitly enforced for more than 10 years due to a bug in
+ * generating the event messages. */
+ if (url_len < 7 || os_strncasecmp(url, "http://", 7) || url_len > 700) {
+ wpa_printf(MSG_DEBUG, "WPS UPnP: Reject an unacceptable URL");
goto fail;
+ }
url += 7;
url_len -= 7;
diff --git a/src/wps/wps_upnp_event.c b/src/wps/wps_upnp_event.c
index d7e6edcc6503..08a23612f338 100644
--- a/src/wps/wps_upnp_event.c
+++ b/src/wps/wps_upnp_event.c
@@ -147,7 +147,8 @@ static struct wpabuf * event_build_message(struct wps_event_ *e)
struct wpabuf *buf;
char *b;
- buf = wpabuf_alloc(1000 + wpabuf_len(e->data));
+ buf = wpabuf_alloc(1000 + os_strlen(e->addr->path) +
+ wpabuf_len(e->data));
if (buf == NULL)
return NULL;
wpabuf_printf(buf, "NOTIFY %s HTTP/1.1\r\n", e->addr->path);
--
2.20.1

View file

@ -1,47 +0,0 @@
From 85aac526af8612c21b3117dadc8ef5944985b476 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <jouni@codeaurora.org>
Date: Thu, 4 Jun 2020 21:24:04 +0300
Subject: [PATCH 3/3] WPS UPnP: Handle HTTP initiation failures for events more
properly
While it is appropriate to try to retransmit the event to another
callback URL on a failure to initiate the HTTP client connection, there
is no point in trying the exact same operation multiple times in a row.
Replve the event_retry() calls with event_addr_failure() for these cases
to avoid busy loops trying to repeat the same failing operation.
These potential busy loops would go through eloop callbacks, so the
process is not completely stuck on handling them, but unnecessary CPU
would be used to process the continues retries that will keep failing
for the same reason.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
---
src/wps/wps_upnp_event.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/wps/wps_upnp_event.c b/src/wps/wps_upnp_event.c
index 08a23612f338..c0d9e41d9a38 100644
--- a/src/wps/wps_upnp_event.c
+++ b/src/wps/wps_upnp_event.c
@@ -294,7 +294,7 @@ static int event_send_start(struct subscription *s)
buf = event_build_message(e);
if (buf == NULL) {
- event_retry(e, 0);
+ event_addr_failure(e);
return -1;
}
@@ -302,7 +302,7 @@ static int event_send_start(struct subscription *s)
event_http_cb, e);
if (e->http_event == NULL) {
wpabuf_free(buf);
- event_retry(e, 0);
+ event_addr_failure(e);
return -1;
}
--
2.20.1

View file

@ -1,73 +0,0 @@
From 8c07fa9eda13e835f3f968b2e1c9a8be3a851ff9 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Thu, 29 Aug 2019 11:52:04 +0300
Subject: [PATCH] AP: Silently ignore management frame from unexpected source
address
Do not process any received Management frames with unexpected/invalid SA
so that we do not add any state for unexpected STA addresses or end up
sending out frames to unexpected destination. This prevents unexpected
sequences where an unprotected frame might end up causing the AP to send
out a response to another device and that other device processing the
unexpected response.
In particular, this prevents some potential denial of service cases
where the unexpected response frame from the AP might result in a
connected station dropping its association.
Signed-off-by: Jouni Malinen <j@w1.fi>
---
src/ap/drv_callbacks.c | 13 +++++++++++++
src/ap/ieee802_11.c | 12 ++++++++++++
2 files changed, 25 insertions(+)
diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c
index 31587685fe3b..34ca379edc3d 100644
--- a/src/ap/drv_callbacks.c
+++ b/src/ap/drv_callbacks.c
@@ -131,6 +131,19 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr,
"hostapd_notif_assoc: Skip event with no address");
return -1;
}
+
+ if (is_multicast_ether_addr(addr) ||
+ is_zero_ether_addr(addr) ||
+ os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) {
+ /* Do not process any frames with unexpected/invalid SA so that
+ * we do not add any state for unexpected STA addresses or end
+ * up sending out frames to unexpected destination. */
+ wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR
+ " in received indication - ignore this indication silently",
+ __func__, MAC2STR(addr));
+ return 0;
+ }
+
random_add_randomness(addr, ETH_ALEN);
hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211,
diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index c85a28db44b7..e7065372e158 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -4626,6 +4626,18 @@ int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
fc = le_to_host16(mgmt->frame_control);
stype = WLAN_FC_GET_STYPE(fc);
+ if (is_multicast_ether_addr(mgmt->sa) ||
+ is_zero_ether_addr(mgmt->sa) ||
+ os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
+ /* Do not process any frames with unexpected/invalid SA so that
+ * we do not add any state for unexpected STA addresses or end
+ * up sending out frames to unexpected destination. */
+ wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR
+ " in received frame - ignore this frame silently",
+ MAC2STR(mgmt->sa));
+ return 0;
+ }
+
if (stype == WLAN_FC_STYPE_BEACON) {
handle_beacon(hapd, mgmt, len, fi);
return 1;
--
2.20.1

View file

@ -1,264 +0,0 @@
# Copyright 1999-2020 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI="6"
inherit toolchain-funcs systemd savedconfig
DESCRIPTION="IEEE 802.11 wireless LAN Host AP daemon"
HOMEPAGE="http://w1.fi"
EXTRAS_VER="2.7-r2"
EXTRAS_NAME="${CATEGORY}_${PN}_${EXTRAS_VER}_extras"
SRC_URI="https://dev.gentoo.org/~andrey_utkin/distfiles/${EXTRAS_NAME}.tar.xz"
if [[ $PV == 9999 ]]; then
inherit git-r3
EGIT_REPO_URI="https://w1.fi/hostap.git"
else
if [[ $PV =~ ^.*_p[0-9]{8}$ ]]; then
SRC_URI+=" https://dev.gentoo.org/~andrey_utkin/distfiles/${P}.tar.xz"
else
SRC_URI+=" https://w1.fi/releases/${P}.tar.gz"
fi
# Never stabilize snapshot ebuilds please
KEYWORDS="amd64 arm arm64 ~mips ppc x86"
fi
LICENSE="BSD"
SLOT="0"
IUSE="internal-tls ipv6 libressl logwatch netlink sqlite +wps +crda"
DEPEND="
libressl? ( dev-libs/libressl:0= )
!libressl? (
internal-tls? ( dev-libs/libtommath )
!internal-tls? ( dev-libs/openssl:0=[-bindist] )
)
kernel_linux? (
dev-libs/libnl:3
crda? ( net-wireless/crda )
)
netlink? ( net-libs/libnfnetlink )
sqlite? ( >=dev-db/sqlite-3 )"
RDEPEND="${DEPEND}"
S="${S}/${PN}"
pkg_pretend() {
if use internal-tls; then
if use libressl; then
elog "libressl flag takes precedence over internal-tls"
else
ewarn "internal-tls implementation is experimental and provides fewer features"
fi
fi
}
src_unpack() {
# Override default one because we need the SRC_URI ones even in case of 9999 ebuilds
default
if [[ ${PV} == 9999 ]] ; then
git-r3_src_unpack
fi
}
src_prepare() {
# Allow users to apply patches to src/drivers for example,
# i.e. anything outside ${S}/${PN}
pushd ../ >/dev/null || die
default
#CVE-2019-16275 bug #696032
eapply "${FILESDIR}/hostapd-2.9-AP-Silently-ignore-management-frame-from-unexpected.patch"
popd >/dev/null || die
sed -i -e "s:/etc/hostapd:/etc/hostapd/hostapd:g" \
"${S}/hostapd.conf" || die
}
src_configure() {
local CONFIG="${S}/.config"
restore_config "${CONFIG}"
if [[ -f "${CONFIG}" ]]; then
default_src_configure
return 0
fi
# toolchain setup
echo "CC = $(tc-getCC)" > ${CONFIG}
# EAP authentication methods
echo "CONFIG_EAP=y" >> ${CONFIG}
echo "CONFIG_ERP=y" >> ${CONFIG}
echo "CONFIG_EAP_MD5=y" >> ${CONFIG}
if use internal-tls && ! use libressl; then
echo "CONFIG_TLS=internal" >> ${CONFIG}
else
# SSL authentication methods
echo "CONFIG_EAP_FAST=y" >> ${CONFIG}
echo "CONFIG_EAP_TLS=y" >> ${CONFIG}
echo "CONFIG_EAP_TTLS=y" >> ${CONFIG}
echo "CONFIG_EAP_MSCHAPV2=y" >> ${CONFIG}
echo "CONFIG_EAP_PEAP=y" >> ${CONFIG}
echo "CONFIG_TLSV11=y" >> ${CONFIG}
echo "CONFIG_TLSV12=y" >> ${CONFIG}
echo "CONFIG_EAP_PWD=y" >> ${CONFIG}
fi
if use wps; then
# Enable Wi-Fi Protected Setup
echo "CONFIG_WPS=y" >> ${CONFIG}
echo "CONFIG_WPS2=y" >> ${CONFIG}
echo "CONFIG_WPS_UPNP=y" >> ${CONFIG}
echo "CONFIG_WPS_NFC=y" >> ${CONFIG}
einfo "Enabling Wi-Fi Protected Setup support"
fi
echo "CONFIG_EAP_IKEV2=y" >> ${CONFIG}
echo "CONFIG_EAP_TNC=y" >> ${CONFIG}
echo "CONFIG_EAP_GTC=y" >> ${CONFIG}
echo "CONFIG_EAP_SIM=y" >> ${CONFIG}
echo "CONFIG_EAP_AKA=y" >> ${CONFIG}
echo "CONFIG_EAP_AKA_PRIME=y" >> ${CONFIG}
echo "CONFIG_EAP_EKE=y" >> ${CONFIG}
echo "CONFIG_EAP_PAX=y" >> ${CONFIG}
echo "CONFIG_EAP_PSK=y" >> ${CONFIG}
echo "CONFIG_EAP_SAKE=y" >> ${CONFIG}
echo "CONFIG_EAP_GPSK=y" >> ${CONFIG}
echo "CONFIG_EAP_GPSK_SHA256=y" >> ${CONFIG}
einfo "Enabling drivers: "
# drivers
echo "CONFIG_DRIVER_HOSTAP=y" >> ${CONFIG}
einfo " HostAP driver enabled"
echo "CONFIG_DRIVER_WIRED=y" >> ${CONFIG}
einfo " Wired driver enabled"
echo "CONFIG_DRIVER_NONE=y" >> ${CONFIG}
einfo " None driver enabled"
einfo " nl80211 driver enabled"
echo "CONFIG_DRIVER_NL80211=y" >> ${CONFIG}
# epoll
echo "CONFIG_ELOOP_EPOLL=y" >> ${CONFIG}
# misc
echo "CONFIG_DEBUG_FILE=y" >> ${CONFIG}
echo "CONFIG_PKCS12=y" >> ${CONFIG}
echo "CONFIG_RADIUS_SERVER=y" >> ${CONFIG}
echo "CONFIG_IAPP=y" >> ${CONFIG}
echo "CONFIG_IEEE80211R=y" >> ${CONFIG}
echo "CONFIG_IEEE80211W=y" >> ${CONFIG}
echo "CONFIG_IEEE80211N=y" >> ${CONFIG}
echo "CONFIG_IEEE80211AC=y" >> ${CONFIG}
echo "CONFIG_PEERKEY=y" >> ${CONFIG}
echo "CONFIG_RSN_PREAUTH=y" >> ${CONFIG}
echo "CONFIG_INTERWORKING=y" >> ${CONFIG}
echo "CONFIG_FULL_DYNAMIC_VLAN=y" >> ${CONFIG}
echo "CONFIG_HS20=y" >> ${CONFIG}
echo "CONFIG_WNM=y" >> ${CONFIG}
echo "CONFIG_FST=y" >> ${CONFIG}
echo "CONFIG_FST_TEST=y" >> ${CONFIG}
echo "CONFIG_ACS=y" >> ${CONFIG}
if use netlink; then
# Netlink support
echo "CONFIG_VLAN_NETLINK=y" >> ${CONFIG}
fi
if use ipv6; then
# IPv6 support
echo "CONFIG_IPV6=y" >> ${CONFIG}
fi
if use sqlite; then
# Sqlite support
echo "CONFIG_SQLITE=y" >> ${CONFIG}
fi
# If we are using libnl 2.0 and above, enable support for it
# Removed for now, since the 3.2 version is broken, and we don't
# support it.
if has_version ">=dev-libs/libnl-3.2"; then
echo "CONFIG_LIBNL32=y" >> .config
fi
# TODO: Add support for BSD drivers
default_src_configure
}
src_compile() {
emake V=1
if use libressl || ! use internal-tls; then
emake V=1 nt_password_hash
emake V=1 hlr_auc_gw
fi
}
src_install() {
insinto /etc/${PN}
doins ${PN}.{conf,accept,deny,eap_user,radius_clients,sim_db,wpa_psk}
fperms -R 600 /etc/${PN}
dosbin ${PN}
dobin ${PN}_cli
if use libressl || ! use internal-tls; then
dobin nt_password_hash hlr_auc_gw
fi
newinitd "${WORKDIR}/${EXTRAS_NAME}"/${PN}-init.d ${PN}
newconfd "${WORKDIR}/${EXTRAS_NAME}"/${PN}-conf.d ${PN}
systemd_dounit "${WORKDIR}/${EXTRAS_NAME}"/${PN}.service
doman ${PN}{.8,_cli.1}
dodoc ChangeLog README
use wps && dodoc README-WPS
docinto examples
dodoc wired.conf
if use logwatch; then
insinto /etc/log.d/conf/services/
doins logwatch/${PN}.conf
exeinto /etc/log.d/scripts/services/
doexe logwatch/${PN}
fi
save_config .config
}
pkg_postinst() {
einfo
einfo "If you are running openRC you need to follow this instructions:"
einfo "In order to use ${PN} you need to set up your wireless card"
einfo "for master mode in /etc/conf.d/net and then start"
einfo "/etc/init.d/${PN}."
einfo
einfo "Example configuration:"
einfo
einfo "config_wlan0=( \"192.168.1.1/24\" )"
einfo "channel_wlan0=\"6\""
einfo "essid_wlan0=\"test\""
einfo "mode_wlan0=\"master\""
einfo
#if [ -e "${KV_DIR}"/net/mac80211 ]; then
# einfo "This package now compiles against the headers installed by"
# einfo "the kernel source for the mac80211 driver. You should "
# einfo "re-emerge ${PN} after upgrading your kernel source."
#fi
if use wps; then
einfo "You have enabled Wi-Fi Protected Setup support, please"
einfo "read the README-WPS file in /usr/share/doc/${P}"
einfo "for info on how to use WPS"
fi
}

View file

@ -1,279 +0,0 @@
# Copyright 1999-2020 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI="6"
inherit toolchain-funcs systemd savedconfig
DESCRIPTION="IEEE 802.11 wireless LAN Host AP daemon"
HOMEPAGE="http://w1.fi"
EXTRAS_VER="2.7-r2"
EXTRAS_NAME="${CATEGORY}_${PN}_${EXTRAS_VER}_extras"
SRC_URI="https://dev.gentoo.org/~andrey_utkin/distfiles/${EXTRAS_NAME}.tar.xz"
if [[ $PV == 9999 ]]; then
inherit git-r3
EGIT_REPO_URI="https://w1.fi/hostap.git"
else
if [[ $PV =~ ^.*_p[0-9]{8}$ ]]; then
SRC_URI+=" https://dev.gentoo.org/~andrey_utkin/distfiles/${P}.tar.xz"
else
SRC_URI+=" https://w1.fi/releases/${P}.tar.gz"
fi
# Never stabilize snapshot ebuilds please
KEYWORDS="amd64 arm arm64 ~mips ppc x86"
fi
LICENSE="BSD"
SLOT="0"
IUSE="internal-tls ipv6 libressl logwatch netlink sqlite +suiteb +wps +crda"
# suiteb impl uses openssl feature not available in libressl, see bug 710992
REQUIRED_USE="?? ( libressl suiteb )"
DEPEND="
libressl? ( dev-libs/libressl:0= )
!libressl? (
internal-tls? ( dev-libs/libtommath )
!internal-tls? ( dev-libs/openssl:0=[-bindist] )
)
kernel_linux? (
dev-libs/libnl:3
crda? ( net-wireless/crda )
)
netlink? ( net-libs/libnfnetlink )
sqlite? ( >=dev-db/sqlite-3 )"
RDEPEND="${DEPEND}"
S="${S}/${PN}"
pkg_pretend() {
if use internal-tls; then
if use libressl; then
elog "libressl flag takes precedence over internal-tls"
else
ewarn "internal-tls implementation is experimental and provides fewer features"
fi
fi
}
src_unpack() {
# Override default one because we need the SRC_URI ones even in case of 9999 ebuilds
default
if [[ ${PV} == 9999 ]] ; then
git-r3_src_unpack
fi
}
src_prepare() {
# Allow users to apply patches to src/drivers for example,
# i.e. anything outside ${S}/${PN}
pushd ../ >/dev/null || die
default
#CVE-2019-16275 bug #696032
eapply "${FILESDIR}/hostapd-2.9-AP-Silently-ignore-management-frame-from-unexpected.patch"
# CVE-2020-12695 bug #727542
eapply "${FILESDIR}/${P}-0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch"
eapply "${FILESDIR}/${P}-0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch"
eapply "${FILESDIR}/${P}-0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch"
popd >/dev/null || die
sed -i -e "s:/etc/hostapd:/etc/hostapd/hostapd:g" \
"${S}/hostapd.conf" || die
}
src_configure() {
local CONFIG="${S}/.config"
restore_config "${CONFIG}"
if [[ -f "${CONFIG}" ]]; then
default_src_configure
return 0
fi
# toolchain setup
echo "CC = $(tc-getCC)" > ${CONFIG}
# EAP authentication methods
echo "CONFIG_EAP=y" >> ${CONFIG}
echo "CONFIG_ERP=y" >> ${CONFIG}
echo "CONFIG_EAP_MD5=y" >> ${CONFIG}
if use suiteb; then
echo "CONFIG_SUITEB=y" >> ${CONFIG}
echo "CONFIG_SUITEB192=y" >> ${CONFIG}
fi
if use internal-tls && ! use libressl; then
echo "CONFIG_TLS=internal" >> ${CONFIG}
else
# SSL authentication methods
echo "CONFIG_DPP=y" >> ${CONFIG}
echo "CONFIG_EAP_FAST=y" >> ${CONFIG}
echo "CONFIG_EAP_MSCHAPV2=y" >> ${CONFIG}
echo "CONFIG_EAP_PEAP=y" >> ${CONFIG}
echo "CONFIG_EAP_PWD=y" >> ${CONFIG}
echo "CONFIG_EAP_TLS=y" >> ${CONFIG}
echo "CONFIG_EAP_TTLS=y" >> ${CONFIG}
echo "CONFIG_OWE=y" >> ${CONFIG}
echo "CONFIG_SAE=y" >> ${CONFIG}
echo "CONFIG_TLSV11=y" >> ${CONFIG}
echo "CONFIG_TLSV12=y" >> ${CONFIG}
fi
if use wps; then
# Enable Wi-Fi Protected Setup
echo "CONFIG_WPS=y" >> ${CONFIG}
echo "CONFIG_WPS2=y" >> ${CONFIG}
echo "CONFIG_WPS_UPNP=y" >> ${CONFIG}
echo "CONFIG_WPS_NFC=y" >> ${CONFIG}
einfo "Enabling Wi-Fi Protected Setup support"
fi
echo "CONFIG_EAP_IKEV2=y" >> ${CONFIG}
echo "CONFIG_EAP_TNC=y" >> ${CONFIG}
echo "CONFIG_EAP_GTC=y" >> ${CONFIG}
echo "CONFIG_EAP_SIM=y" >> ${CONFIG}
echo "CONFIG_EAP_AKA=y" >> ${CONFIG}
echo "CONFIG_EAP_AKA_PRIME=y" >> ${CONFIG}
echo "CONFIG_EAP_EKE=y" >> ${CONFIG}
echo "CONFIG_EAP_PAX=y" >> ${CONFIG}
echo "CONFIG_EAP_PSK=y" >> ${CONFIG}
echo "CONFIG_EAP_SAKE=y" >> ${CONFIG}
echo "CONFIG_EAP_GPSK=y" >> ${CONFIG}
echo "CONFIG_EAP_GPSK_SHA256=y" >> ${CONFIG}
einfo "Enabling drivers: "
# drivers
echo "CONFIG_DRIVER_HOSTAP=y" >> ${CONFIG}
einfo " HostAP driver enabled"
echo "CONFIG_DRIVER_WIRED=y" >> ${CONFIG}
einfo " Wired driver enabled"
echo "CONFIG_DRIVER_NONE=y" >> ${CONFIG}
einfo " None driver enabled"
einfo " nl80211 driver enabled"
echo "CONFIG_DRIVER_NL80211=y" >> ${CONFIG}
# epoll
echo "CONFIG_ELOOP_EPOLL=y" >> ${CONFIG}
# misc
echo "CONFIG_DEBUG_FILE=y" >> ${CONFIG}
echo "CONFIG_PKCS12=y" >> ${CONFIG}
echo "CONFIG_RADIUS_SERVER=y" >> ${CONFIG}
echo "CONFIG_IAPP=y" >> ${CONFIG}
echo "CONFIG_IEEE80211R=y" >> ${CONFIG}
echo "CONFIG_IEEE80211W=y" >> ${CONFIG}
echo "CONFIG_IEEE80211N=y" >> ${CONFIG}
echo "CONFIG_IEEE80211AC=y" >> ${CONFIG}
echo "CONFIG_PEERKEY=y" >> ${CONFIG}
echo "CONFIG_RSN_PREAUTH=y" >> ${CONFIG}
echo "CONFIG_INTERWORKING=y" >> ${CONFIG}
echo "CONFIG_FULL_DYNAMIC_VLAN=y" >> ${CONFIG}
echo "CONFIG_HS20=y" >> ${CONFIG}
echo "CONFIG_WNM=y" >> ${CONFIG}
echo "CONFIG_FST=y" >> ${CONFIG}
echo "CONFIG_FST_TEST=y" >> ${CONFIG}
echo "CONFIG_ACS=y" >> ${CONFIG}
if use netlink; then
# Netlink support
echo "CONFIG_VLAN_NETLINK=y" >> ${CONFIG}
fi
if use ipv6; then
# IPv6 support
echo "CONFIG_IPV6=y" >> ${CONFIG}
fi
if use sqlite; then
# Sqlite support
echo "CONFIG_SQLITE=y" >> ${CONFIG}
fi
# If we are using libnl 2.0 and above, enable support for it
# Removed for now, since the 3.2 version is broken, and we don't
# support it.
if has_version ">=dev-libs/libnl-3.2"; then
echo "CONFIG_LIBNL32=y" >> .config
fi
# TODO: Add support for BSD drivers
default_src_configure
}
src_compile() {
emake V=1
if use libressl || ! use internal-tls; then
emake V=1 nt_password_hash
emake V=1 hlr_auc_gw
fi
}
src_install() {
insinto /etc/${PN}
doins ${PN}.{conf,accept,deny,eap_user,radius_clients,sim_db,wpa_psk}
fperms -R 600 /etc/${PN}
dosbin ${PN}
dobin ${PN}_cli
if use libressl || ! use internal-tls; then
dobin nt_password_hash hlr_auc_gw
fi
newinitd "${WORKDIR}/${EXTRAS_NAME}"/${PN}-init.d ${PN}
newconfd "${WORKDIR}/${EXTRAS_NAME}"/${PN}-conf.d ${PN}
systemd_dounit "${WORKDIR}/${EXTRAS_NAME}"/${PN}.service
doman ${PN}{.8,_cli.1}
dodoc ChangeLog README
use wps && dodoc README-WPS
docinto examples
dodoc wired.conf
if use logwatch; then
insinto /etc/log.d/conf/services/
doins logwatch/${PN}.conf
exeinto /etc/log.d/scripts/services/
doexe logwatch/${PN}
fi
save_config .config
}
pkg_postinst() {
einfo
einfo "If you are running openRC you need to follow this instructions:"
einfo "In order to use ${PN} you need to set up your wireless card"
einfo "for master mode in /etc/conf.d/net and then start"
einfo "/etc/init.d/${PN}."
einfo
einfo "Example configuration:"
einfo
einfo "config_wlan0=( \"192.168.1.1/24\" )"
einfo "channel_wlan0=\"6\""
einfo "essid_wlan0=\"test\""
einfo "mode_wlan0=\"master\""
einfo
#if [ -e "${KV_DIR}"/net/mac80211 ]; then
# einfo "This package now compiles against the headers installed by"
# einfo "the kernel source for the mac80211 driver. You should "
# einfo "re-emerge ${PN} after upgrading your kernel source."
#fi
if use wps; then
einfo "You have enabled Wi-Fi Protected Setup support, please"
einfo "read the README-WPS file in /usr/share/doc/${P}"
einfo "for info on how to use WPS"
fi
}

View file

@ -1,273 +0,0 @@
# Copyright 1999-2020 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI="6"
inherit toolchain-funcs systemd savedconfig
DESCRIPTION="IEEE 802.11 wireless LAN Host AP daemon"
HOMEPAGE="http://w1.fi"
EXTRAS_VER="2.7-r2"
EXTRAS_NAME="${CATEGORY}_${PN}_${EXTRAS_VER}_extras"
SRC_URI="https://dev.gentoo.org/~andrey_utkin/distfiles/${EXTRAS_NAME}.tar.xz"
if [[ $PV == 9999 ]]; then
inherit git-r3
EGIT_REPO_URI="https://w1.fi/hostap.git"
else
if [[ $PV =~ ^.*_p[0-9]{8}$ ]]; then
SRC_URI+=" https://dev.gentoo.org/~andrey_utkin/distfiles/${P}.tar.xz"
else
SRC_URI+=" https://w1.fi/releases/${P}.tar.gz"
fi
# Never stabilize snapshot ebuilds please
KEYWORDS="~amd64 ~arm ~arm64 ~mips ~ppc ~x86"
fi
LICENSE="BSD"
SLOT="0"
IUSE="internal-tls ipv6 libressl logwatch netlink sqlite +suiteb +wps +crda"
# suiteb impl uses openssl feature not available in libressl, see bug 710992
REQUIRED_USE="?? ( libressl suiteb )"
DEPEND="
libressl? ( dev-libs/libressl:0= )
!libressl? (
internal-tls? ( dev-libs/libtommath )
!internal-tls? ( dev-libs/openssl:0=[-bindist] )
)
kernel_linux? (
dev-libs/libnl:3
crda? ( net-wireless/crda )
)
netlink? ( net-libs/libnfnetlink )
sqlite? ( >=dev-db/sqlite-3 )"
RDEPEND="${DEPEND}"
S="${S}/${PN}"
pkg_pretend() {
if use internal-tls; then
if use libressl; then
elog "libressl flag takes precedence over internal-tls"
else
ewarn "internal-tls implementation is experimental and provides fewer features"
fi
fi
}
src_unpack() {
# Override default one because we need the SRC_URI ones even in case of 9999 ebuilds
default
if [[ ${PV} == 9999 ]] ; then
git-r3_src_unpack
fi
}
src_prepare() {
# Allow users to apply patches to src/drivers for example,
# i.e. anything outside ${S}/${PN}
pushd ../ >/dev/null || die
default
popd >/dev/null || die
sed -i -e "s:/etc/hostapd:/etc/hostapd/hostapd:g" \
"${S}/hostapd.conf" || die
}
src_configure() {
local CONFIG="${S}/.config"
restore_config "${CONFIG}"
if [[ -f "${CONFIG}" ]]; then
default_src_configure
return 0
fi
# toolchain setup
echo "CC = $(tc-getCC)" > ${CONFIG}
# EAP authentication methods
echo "CONFIG_EAP=y" >> ${CONFIG}
echo "CONFIG_ERP=y" >> ${CONFIG}
echo "CONFIG_EAP_MD5=y" >> ${CONFIG}
echo "CONFIG_SAE=y" >> ${CONFIG}
echo "CONFIG_OWE=y" >> ${CONFIG}
echo "CONFIG_DPP=y" >> ${CONFIG}
if use suiteb; then
echo "CONFIG_SUITEB=y" >> ${CONFIG}
echo "CONFIG_SUITEB192=y" >> ${CONFIG}
fi
if use internal-tls && ! use libressl; then
echo "CONFIG_TLS=internal" >> ${CONFIG}
else
# SSL authentication methods
echo "CONFIG_EAP_FAST=y" >> ${CONFIG}
echo "CONFIG_EAP_TLS=y" >> ${CONFIG}
echo "CONFIG_EAP_TTLS=y" >> ${CONFIG}
echo "CONFIG_EAP_MSCHAPV2=y" >> ${CONFIG}
echo "CONFIG_EAP_PEAP=y" >> ${CONFIG}
echo "CONFIG_TLSV11=y" >> ${CONFIG}
echo "CONFIG_TLSV12=y" >> ${CONFIG}
echo "CONFIG_EAP_PWD=y" >> ${CONFIG}
fi
if use wps; then
# Enable Wi-Fi Protected Setup
echo "CONFIG_WPS=y" >> ${CONFIG}
echo "CONFIG_WPS2=y" >> ${CONFIG}
echo "CONFIG_WPS_UPNP=y" >> ${CONFIG}
echo "CONFIG_WPS_NFC=y" >> ${CONFIG}
einfo "Enabling Wi-Fi Protected Setup support"
fi
echo "CONFIG_EAP_IKEV2=y" >> ${CONFIG}
echo "CONFIG_EAP_TNC=y" >> ${CONFIG}
echo "CONFIG_EAP_GTC=y" >> ${CONFIG}
echo "CONFIG_EAP_SIM=y" >> ${CONFIG}
echo "CONFIG_EAP_AKA=y" >> ${CONFIG}
echo "CONFIG_EAP_AKA_PRIME=y" >> ${CONFIG}
echo "CONFIG_EAP_EKE=y" >> ${CONFIG}
echo "CONFIG_EAP_PAX=y" >> ${CONFIG}
echo "CONFIG_EAP_PSK=y" >> ${CONFIG}
echo "CONFIG_EAP_SAKE=y" >> ${CONFIG}
echo "CONFIG_EAP_GPSK=y" >> ${CONFIG}
echo "CONFIG_EAP_GPSK_SHA256=y" >> ${CONFIG}
einfo "Enabling drivers: "
# drivers
echo "CONFIG_DRIVER_HOSTAP=y" >> ${CONFIG}
einfo " HostAP driver enabled"
echo "CONFIG_DRIVER_WIRED=y" >> ${CONFIG}
einfo " Wired driver enabled"
echo "CONFIG_DRIVER_NONE=y" >> ${CONFIG}
einfo " None driver enabled"
einfo " nl80211 driver enabled"
echo "CONFIG_DRIVER_NL80211=y" >> ${CONFIG}
# epoll
echo "CONFIG_ELOOP_EPOLL=y" >> ${CONFIG}
# misc
echo "CONFIG_DEBUG_FILE=y" >> ${CONFIG}
echo "CONFIG_PKCS12=y" >> ${CONFIG}
echo "CONFIG_RADIUS_SERVER=y" >> ${CONFIG}
echo "CONFIG_IAPP=y" >> ${CONFIG}
echo "CONFIG_IEEE80211R=y" >> ${CONFIG}
echo "CONFIG_IEEE80211W=y" >> ${CONFIG}
echo "CONFIG_IEEE80211N=y" >> ${CONFIG}
echo "CONFIG_IEEE80211AC=y" >> ${CONFIG}
echo "CONFIG_PEERKEY=y" >> ${CONFIG}
echo "CONFIG_RSN_PREAUTH=y" >> ${CONFIG}
echo "CONFIG_INTERWORKING=y" >> ${CONFIG}
echo "CONFIG_FULL_DYNAMIC_VLAN=y" >> ${CONFIG}
echo "CONFIG_HS20=y" >> ${CONFIG}
echo "CONFIG_WNM=y" >> ${CONFIG}
echo "CONFIG_FST=y" >> ${CONFIG}
echo "CONFIG_FST_TEST=y" >> ${CONFIG}
echo "CONFIG_ACS=y" >> ${CONFIG}
if use netlink; then
# Netlink support
echo "CONFIG_VLAN_NETLINK=y" >> ${CONFIG}
fi
if use ipv6; then
# IPv6 support
echo "CONFIG_IPV6=y" >> ${CONFIG}
fi
if use sqlite; then
# Sqlite support
echo "CONFIG_SQLITE=y" >> ${CONFIG}
fi
# If we are using libnl 2.0 and above, enable support for it
# Removed for now, since the 3.2 version is broken, and we don't
# support it.
if has_version ">=dev-libs/libnl-3.2"; then
echo "CONFIG_LIBNL32=y" >> .config
fi
# TODO: Add support for BSD drivers
default_src_configure
}
src_compile() {
emake V=1
if use libressl || ! use internal-tls; then
emake V=1 nt_password_hash
emake V=1 hlr_auc_gw
fi
}
src_install() {
insinto /etc/${PN}
doins ${PN}.{conf,accept,deny,eap_user,radius_clients,sim_db,wpa_psk}
fperms -R 600 /etc/${PN}
dosbin ${PN}
dobin ${PN}_cli
if use libressl || ! use internal-tls; then
dobin nt_password_hash hlr_auc_gw
fi
newinitd "${WORKDIR}/${EXTRAS_NAME}"/${PN}-init.d ${PN}
newconfd "${WORKDIR}/${EXTRAS_NAME}"/${PN}-conf.d ${PN}
systemd_dounit "${WORKDIR}/${EXTRAS_NAME}"/${PN}.service
doman ${PN}{.8,_cli.1}
dodoc ChangeLog README
use wps && dodoc README-WPS
docinto examples
dodoc wired.conf
if use logwatch; then
insinto /etc/log.d/conf/services/
doins logwatch/${PN}.conf
exeinto /etc/log.d/scripts/services/
doexe logwatch/${PN}
fi
save_config .config
}
pkg_postinst() {
einfo
einfo "If you are running openRC you need to follow this instructions:"
einfo "In order to use ${PN} you need to set up your wireless card"
einfo "for master mode in /etc/conf.d/net and then start"
einfo "/etc/init.d/${PN}."
einfo
einfo "Example configuration:"
einfo
einfo "config_wlan0=( \"192.168.1.1/24\" )"
einfo "channel_wlan0=\"6\""
einfo "essid_wlan0=\"test\""
einfo "mode_wlan0=\"master\""
einfo
#if [ -e "${KV_DIR}"/net/mac80211 ]; then
# einfo "This package now compiles against the headers installed by"
# einfo "the kernel source for the mac80211 driver. You should "
# einfo "re-emerge ${PN} after upgrading your kernel source."
#fi
if use wps; then
einfo "You have enabled Wi-Fi Protected Setup support, please"
einfo "read the README-WPS file in /usr/share/doc/${P}"
einfo "for info on how to use WPS"
fi
}

View file

@ -1,29 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
<longdescription>
User space daemon for the hostap-driver.
Extended IEEE 802.11 management, IEEE 802.1X Authenticator,
RADIUS Authentication client, RADIUS Accounting client
</longdescription>
<use>
<flag name="crda">Add CRDA support</flag>
<flag name="internal-tls">Use internal TLSv1 implementation instead of depending on OpenSSL, LibreSSL or GnuTLS</flag>
<flag name="logwatch">Install support files for
<pkg>sys-apps/logwatch</pkg></flag>
<flag name="netlink">Adding support for using netlink to create VLANs</flag>
<flag name="suiteb">Adding support for NSA Suite B Cryptography</flag>
<flag name="wps">Add support for Wi-Fi Protected Setup</flag>
</use>
<maintainer type="person">
<email>zerochaos@gentoo.org</email>
<name>Rick Farina</name>
</maintainer>
<maintainer type="person">
<email>sam@gentoo.org</email>
<name>Sam James</name>
</maintainer>
<upstream>
<remote-id type="cpe">cpe:/a:w1.fi:hostapd</remote-id>
</upstream>
</pkgmetadata>