From 2b92dac8a6ad8aea872ed68dbaaf2108202272dd Mon Sep 17 00:00:00 2001 From: Capi X Date: Sat, 2 Nov 2019 12:42:22 +0700 Subject: network/hostapd: Updated for version 2.0.6. Signed-off-by: Willy Sudiarto Raharjo --- network/hostapd/hostapd.SlackBuild | 6 +- network/hostapd/hostapd.defconfig | 119 +++++++++++++++++---- network/hostapd/hostapd.info | 6 +- ...-ignore-management-frame-from-unexpected-.patch | 73 +++++++++++++ 4 files changed, 178 insertions(+), 26 deletions(-) create mode 100644 network/hostapd/patches/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch (limited to 'network') diff --git a/network/hostapd/hostapd.SlackBuild b/network/hostapd/hostapd.SlackBuild index 6a519a3787..8dd14ed682 100644 --- a/network/hostapd/hostapd.SlackBuild +++ b/network/hostapd/hostapd.SlackBuild @@ -4,7 +4,7 @@ # Copyright 2008-2013 Murat D. Kadirov # Copyright 2014-2016 LukenShiro, Italy -# Copyright 2018 Brenton Earl +# Copyright 2018, 2019 Brenton Earl # All rights reserved. # # Redistribution and use of this script, with or without modification, is @@ -27,8 +27,8 @@ # Fixed doinst.sh by Mario Preksavec PRGNAM=hostapd -VERSION=${VERSION:-2.6} -BUILD=${BUILD:-3} +VERSION=${VERSION:-2.7} +BUILD=${BUILD:-1} TAG=${TAG:-_SBo} if [ -z "$ARCH" ]; then diff --git a/network/hostapd/hostapd.defconfig b/network/hostapd/hostapd.defconfig index 2faf7eff4b..08005f26b4 100644 --- a/network/hostapd/hostapd.defconfig +++ b/network/hostapd/hostapd.defconfig @@ -13,15 +13,14 @@ CONFIG_DRIVER_HOSTAP=y # Driver interface for wired authenticator -#CONFIG_DRIVER_WIRED=y - -# Driver interface for madwifi driver -#CONFIG_DRIVER_MADWIFI=y -#CFLAGS += -I../../madwifi # change to the madwifi source directory +CONFIG_DRIVER_WIRED=y # Driver interface for drivers using the nl80211 kernel interface CONFIG_DRIVER_NL80211=y +# QCA vendor extensions to nl80211 +#CONFIG_DRIVER_NL80211_QCA=y + # driver_nl80211.c requires libnl. If you are compiling it yourself # you may need to point hostapd to your version of libnl. # @@ -32,7 +31,7 @@ CONFIG_DRIVER_NL80211=y #CONFIG_LIBNL20=y # Use libnl 3.2 libraries (if this is selected, CONFIG_LIBNL20 is ignored) -#CONFIG_LIBNL32=y +CONFIG_LIBNL32=y # Driver interface for FreeBSD net80211 layer (e.g., Atheros driver) @@ -43,7 +42,7 @@ CONFIG_DRIVER_NL80211=y #LIBS_c += -L/usr/local/lib # Driver interface for no driver (e.g., RADIUS server only) -CONFIG_DRIVER_NONE=y +#CONFIG_DRIVER_NONE=y # IEEE 802.11F/IAPP CONFIG_IAPP=y @@ -51,15 +50,18 @@ CONFIG_IAPP=y # WPA2/IEEE 802.11i RSN pre-authentication CONFIG_RSN_PREAUTH=y -# PeerKey handshake for Station to Station Link (IEEE 802.11e DLS) -CONFIG_PEERKEY=y - # IEEE 802.11w (management frame protection) CONFIG_IEEE80211W=y +# Support Operating Channel Validation +#CONFIG_OCV=y + # Integrated EAP server CONFIG_EAP=y +# EAP Re-authentication Protocol (ERP) in integrated EAP server +CONFIG_ERP=y + # EAP-MD5 for the integrated EAP server CONFIG_EAP_MD5=y @@ -98,25 +100,32 @@ CONFIG_EAP_PSK=y #CONFIG_EAP_PWD=y # EAP-SAKE for the integrated EAP server -#CONFIG_EAP_SAKE=y +CONFIG_EAP_SAKE=y # EAP-GPSK for the integrated EAP server -#CONFIG_EAP_GPSK=y +CONFIG_EAP_GPSK=y # Include support for optional SHA256 cipher suite in EAP-GPSK -#CONFIG_EAP_GPSK_SHA256=y +CONFIG_EAP_GPSK_SHA256=y # EAP-FAST for the integrated EAP server -# Note: If OpenSSL is used as the TLS library, OpenSSL 1.0 or newer is needed -# for EAP-FAST support. Older OpenSSL releases would need to be patched, e.g., -# with openssl-0.9.8x-tls-extensions.patch, to add the needed functions. #CONFIG_EAP_FAST=y +# EAP-TEAP for the integrated EAP server +# Note: The current EAP-TEAP implementation is experimental and should not be +# enabled for production use. The IETF RFC 7170 that defines EAP-TEAP has number +# of conflicting statements and missing details and the implementation has +# vendor specific workarounds for those and as such, may not interoperate with +# any other implementation. This should not be used for anything else than +# experimentation and interoperability testing until those issues has been +# resolved. +#CONFIG_EAP_TEAP=y + # Wi-Fi Protected Setup (WPS) CONFIG_WPS=y # Enable UPnP support for external WPS Registrars CONFIG_WPS_UPNP=y # Enable WPS support with NFC config method -#CONFIG_WPS_NFC=y +CONFIG_WPS_NFC=y # EAP-IKEv2 #CONFIG_EAP_IKEV2=y @@ -142,7 +151,7 @@ CONFIG_IPV6=y CONFIG_IEEE80211R=y # Use the hostapd's IEEE 802.11 authentication (ACL), but without -# the IEEE 802.11 Management capability (e.g., madwifi or FreeBSD/net80211) +# the IEEE 802.11 Management capability (e.g., FreeBSD/net80211) #CONFIG_DRIVER_RADIUS_ACL=y # IEEE 802.11n (High Throughput) support @@ -155,6 +164,12 @@ CONFIG_IEEE80211N=y # IEEE 802.11ac (Very High Throughput) support CONFIG_IEEE80211AC=y +# IEEE 802.11ax HE support +# Note: This is experimental and work in progress. The definitions are still +# subject to change and this should not be expected to interoperate with the +# final IEEE 802.11ax version. +#CONFIG_IEEE80211AX=y + # Remove debugging code that is printing out debug messages to stdout. # This can be used to reduce the size of the hostapd considerably if debugging # code is not needed. @@ -164,6 +179,9 @@ CONFIG_IEEE80211AC=y # Disabled by default. #CONFIG_DEBUG_FILE=y +# Send debug messages to syslog instead of stdout +#CONFIG_DEBUG_SYSLOG=y + # Add support for sending all debug messages (regardless of debug verbosity) # to the Linux kernel tracing facility. This helps debug the entire stack by # making it easy to record everything happening from the driver up into the @@ -241,10 +259,25 @@ CONFIG_IEEE80211AC=y # requirements described above. #CONFIG_NO_RANDOM_POOL=y +# Should we attempt to use the getrandom(2) call that provides more reliable +# yet secure randomness source than /dev/random on Linux 3.17 and newer. +# Requires glibc 2.25 to build, falls back to /dev/random if unavailable. +#CONFIG_GETRANDOM=y + +# Should we use poll instead of select? Select is used by default. +#CONFIG_ELOOP_POLL=y + +# Should we use epoll instead of select? Select is used by default. +#CONFIG_ELOOP_EPOLL=y + +# Should we use kqueue instead of select? Select is used by default. +#CONFIG_ELOOP_KQUEUE=y + # Select TLS implementation # openssl = OpenSSL (default) # gnutls = GnuTLS # internal = Internal TLSv1 implementation (experimental) +# linux = Linux kernel AF_ALG and internal TLSv1 implementation (experimental) # none = Empty template #CONFIG_TLS=openssl @@ -257,6 +290,10 @@ CONFIG_IEEE80211AC=y # can be enabled to enable use of stronger crypto algorithms. #CONFIG_TLSV12=y +# Select which ciphers to use by default with OpenSSL if the user does not +# specify them. +#CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW" + # If CONFIG_TLS=internal is used, additional library and include paths are # needed for LibTomMath. Alternatively, an integrated, minimal version of # LibTomMath can be used. See beginning of libtommath.c for details on benefits @@ -282,7 +319,13 @@ CONFIG_IEEE80211AC=y #CONFIG_HS20=y # Enable SQLite database support in hlr_auc_gw, EAP-SIM DB, and eap_user_file -#CONFIG_SQLITE=y +CONFIG_SQLITE=y + +# Enable Fast Session Transfer (FST) +#CONFIG_FST=y + +# Enable CLI commands for FST testing +#CONFIG_FST_TEST=y # Testing options # This can be used to enable some testing options (see also the example @@ -314,4 +357,40 @@ CONFIG_IEEE80211AC=y # For more details refer to: # http://wireless.kernel.org/en/users/Documentation/acs # -#CONFIG_ACS=y +CONFIG_ACS=y + +# Multiband Operation support +# These extentions facilitate efficient use of multiple frequency bands +# available to the AP and the devices that may associate with it. +#CONFIG_MBO=y + +# Client Taxonomy +# Has the AP retain the Probe Request and (Re)Association Request frames from +# a client, from which a signature can be produced which can identify the model +# of client device like "Nexus 6P" or "iPhone 5s". +#CONFIG_TAXONOMY=y + +# Fast Initial Link Setup (FILS) (IEEE 802.11ai) +#CONFIG_FILS=y +# FILS shared key authentication with PFS +#CONFIG_FILS_SK_PFS=y + +# Include internal line edit mode in hostapd_cli. This can be used to provide +# limited command line editing and history support. +#CONFIG_WPA_CLI_EDIT=y + +# Opportunistic Wireless Encryption (OWE) +# Experimental implementation of draft-harkins-owe-07.txt +#CONFIG_OWE=y + +# Airtime policy support +#CONFIG_AIRTIME_POLICY=y + +# Override default value for the wpa_disable_eapol_key_retries configuration +# parameter. See that parameter in hostapd.conf for more details. +#CFLAGS += -DDEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES=1 + +# custom configuration options +CONFIG_MESH=y +CONFIG_SAE=y +CONFIG_WPS2=y diff --git a/network/hostapd/hostapd.info b/network/hostapd/hostapd.info index c7cf70d848..c4e87e1a2d 100644 --- a/network/hostapd/hostapd.info +++ b/network/hostapd/hostapd.info @@ -1,8 +1,8 @@ PRGNAM="hostapd" -VERSION="2.6" +VERSION="2.7" HOMEPAGE="https://w1.fi/hostapd/" -DOWNLOAD="https://w1.fi/releases/hostapd-2.6.tar.gz" -MD5SUM="eaa56dce9bd8f1d195eb62596eab34c7" +DOWNLOAD="https://w1.fi/releases/hostapd-2.7.tar.gz" +MD5SUM="8d3799f3a3c247cff47d41503698721b" DOWNLOAD_x86_64="" MD5SUM_x86_64="" REQUIRES="" diff --git a/network/hostapd/patches/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch b/network/hostapd/patches/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch new file mode 100644 index 0000000000..d764a9db01 --- /dev/null +++ b/network/hostapd/patches/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch @@ -0,0 +1,73 @@ +From 8c07fa9eda13e835f3f968b2e1c9a8be3a851ff9 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Thu, 29 Aug 2019 11:52:04 +0300 +Subject: [PATCH] AP: Silently ignore management frame from unexpected source + address + +Do not process any received Management frames with unexpected/invalid SA +so that we do not add any state for unexpected STA addresses or end up +sending out frames to unexpected destination. This prevents unexpected +sequences where an unprotected frame might end up causing the AP to send +out a response to another device and that other device processing the +unexpected response. + +In particular, this prevents some potential denial of service cases +where the unexpected response frame from the AP might result in a +connected station dropping its association. + +Signed-off-by: Jouni Malinen +--- + src/ap/drv_callbacks.c | 13 +++++++++++++ + src/ap/ieee802_11.c | 12 ++++++++++++ + 2 files changed, 25 insertions(+) + +diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c +index 31587685fe3b..34ca379edc3d 100644 +--- a/src/ap/drv_callbacks.c ++++ b/src/ap/drv_callbacks.c +@@ -131,6 +131,19 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr, + "hostapd_notif_assoc: Skip event with no address"); + return -1; + } ++ ++ if (is_multicast_ether_addr(addr) || ++ is_zero_ether_addr(addr) || ++ os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) { ++ /* Do not process any frames with unexpected/invalid SA so that ++ * we do not add any state for unexpected STA addresses or end ++ * up sending out frames to unexpected destination. */ ++ wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR ++ " in received indication - ignore this indication silently", ++ __func__, MAC2STR(addr)); ++ return 0; ++ } ++ + random_add_randomness(addr, ETH_ALEN); + + hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211, +diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c +index c85a28db44b7..e7065372e158 100644 +--- a/src/ap/ieee802_11.c ++++ b/src/ap/ieee802_11.c +@@ -4626,6 +4626,18 @@ int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len, + fc = le_to_host16(mgmt->frame_control); + stype = WLAN_FC_GET_STYPE(fc); + ++ if (is_multicast_ether_addr(mgmt->sa) || ++ is_zero_ether_addr(mgmt->sa) || ++ os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) { ++ /* Do not process any frames with unexpected/invalid SA so that ++ * we do not add any state for unexpected STA addresses or end ++ * up sending out frames to unexpected destination. */ ++ wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR ++ " in received frame - ignore this frame silently", ++ MAC2STR(mgmt->sa)); ++ return 0; ++ } ++ + if (stype == WLAN_FC_STYPE_BEACON) { + handle_beacon(hapd, mgmt, len, fi); + return 1; +-- +2.20.1 + -- cgit v1.2.3