This updates hostapd to the git version from 2018-12-02, which matches the 2.7 release. The removed patches are already available in the upstream code; one additional backport is needed to fix a compile problem. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>master
parent
5c4277ec37
commit
99956528df
@ -1,39 +0,0 @@ |
||||
From 6588f712220797c69dbd019daa19b82a50d92782 Mon Sep 17 00:00:00 2001
|
||||
From: Jouni Malinen <j@w1.fi>
|
||||
Date: Sun, 14 Oct 2018 19:57:22 +0300
|
||||
Subject: Reduce undesired logging of ACL rejection events from AP mode
|
||||
|
||||
When Probe Request frame handling was extended to use MAC ACL through
|
||||
ieee802_11_allowed_address(), the MSG_INFO level log print ("Station
|
||||
<addr> not allowed to authenticate") from that function ended up getting
|
||||
printed even for Probe Request frames. That was not by design and it can
|
||||
result in excessive logging and MSG_INFO level if MAC ACL is used.
|
||||
|
||||
Fix this by printing this log entry only for authentication and
|
||||
association frames. In addition, drop the priority of that log entry to
|
||||
MSG_DEBUG since this is not really an unexpected behavior in most MAC
|
||||
ACL use cases.
|
||||
|
||||
Fixes: 92eb00aec2a0 ("Extend ACL check for Probe Request frames")
|
||||
Signed-off-by: Jouni Malinen <j@w1.fi>
|
||||
---
|
||||
src/ap/ieee802_11.c | 8 +++++---
|
||||
1 file changed, 5 insertions(+), 3 deletions(-)
|
||||
|
||||
--- a/src/ap/ieee802_11.c
|
||||
+++ b/src/ap/ieee802_11.c
|
||||
@@ -1636,9 +1636,11 @@ ieee802_11_allowed_address(struct hostap
|
||||
is_probe_req);
|
||||
|
||||
if (res == HOSTAPD_ACL_REJECT) {
|
||||
- wpa_printf(MSG_INFO,
|
||||
- "Station " MACSTR " not allowed to authenticate",
|
||||
- MAC2STR(addr));
|
||||
+ if (!is_probe_req)
|
||||
+ wpa_printf(MSG_DEBUG,
|
||||
+ "Station " MACSTR
|
||||
+ " not allowed to authenticate",
|
||||
+ MAC2STR(addr));
|
||||
return HOSTAPD_ACL_REJECT;
|
||||
}
|
||||
|
@ -1,28 +0,0 @@ |
||||
From dc1b1c8db7905639be6f4de8173e2d97bf6df90d Mon Sep 17 00:00:00 2001
|
||||
From: Jouni Malinen <j@w1.fi>
|
||||
Date: Sun, 14 Oct 2018 20:03:55 +0300
|
||||
Subject: Drop logging priority for handle_auth_cb no-STA-match messages
|
||||
|
||||
This message was printed and MSG_INFO level which would be more
|
||||
reasonable for error cases where hostapd has accepted authentication.
|
||||
However, this is not really an error case for the cases where
|
||||
authentication was rejected (e.g., due to MAC ACL). Drop this to use
|
||||
MSG_DEBUG level.
|
||||
|
||||
Signed-off-by: Jouni Malinen <j@w1.fi>
|
||||
---
|
||||
src/ap/ieee802_11.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
--- a/src/ap/ieee802_11.c
|
||||
+++ b/src/ap/ieee802_11.c
|
||||
@@ -4018,7 +4018,8 @@ static void handle_auth_cb(struct hostap
|
||||
|
||||
sta = ap_get_sta(hapd, mgmt->da);
|
||||
if (!sta) {
|
||||
- wpa_printf(MSG_INFO, "handle_auth_cb: STA " MACSTR " not found",
|
||||
+ wpa_printf(MSG_DEBUG, "handle_auth_cb: STA " MACSTR
|
||||
+ " not found",
|
||||
MAC2STR(mgmt->da));
|
||||
return;
|
||||
}
|
@ -1,43 +0,0 @@ |
||||
From 3e34cfdff6b192fe337c6fb3f487f73e96582961 Mon Sep 17 00:00:00 2001
|
||||
From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
|
||||
Date: Sun, 15 Jul 2018 01:25:53 +0200
|
||||
Subject: [PATCH] WPA: Ignore unauthenticated encrypted EAPOL-Key data
|
||||
|
||||
Ignore unauthenticated encrypted EAPOL-Key data in supplicant
|
||||
processing. When using WPA2, these are frames that have the Encrypted
|
||||
flag set, but not the MIC flag.
|
||||
|
||||
When using WPA2, EAPOL-Key frames that had the Encrypted flag set but
|
||||
not the MIC flag, had their data field decrypted without first verifying
|
||||
the MIC. In case the data field was encrypted using RC4 (i.e., when
|
||||
negotiating TKIP as the pairwise cipher), this meant that
|
||||
unauthenticated but decrypted data would then be processed. An adversary
|
||||
could abuse this as a decryption oracle to recover sensitive information
|
||||
in the data field of EAPOL-Key messages (e.g., the group key).
|
||||
(CVE-2018-14526)
|
||||
|
||||
Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
|
||||
---
|
||||
src/rsn_supp/wpa.c | 11 +++++++++++
|
||||
1 file changed, 11 insertions(+)
|
||||
|
||||
--- a/src/rsn_supp/wpa.c
|
||||
+++ b/src/rsn_supp/wpa.c
|
||||
@@ -2208,6 +2208,17 @@ int wpa_sm_rx_eapol(struct wpa_sm *sm, c
|
||||
|
||||
if ((sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) &&
|
||||
(key_info & WPA_KEY_INFO_ENCR_KEY_DATA) && mic_len) {
|
||||
+ /*
|
||||
+ * Only decrypt the Key Data field if the frame's authenticity
|
||||
+ * was verified. When using AES-SIV (FILS), the MIC flag is not
|
||||
+ * set, so this check should only be performed if mic_len != 0
|
||||
+ * which is the case in this code branch.
|
||||
+ */
|
||||
+ if (!(key_info & WPA_KEY_INFO_MIC)) {
|
||||
+ wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
|
||||
+ "WPA: Ignore EAPOL-Key with encrypted but unauthenticated data");
|
||||
+ goto out;
|
||||
+ }
|
||||
if (wpa_supplicant_decrypt_key_data(sm, key, mic_len,
|
||||
ver, key_data,
|
||||
&key_data_len))
|
@ -1,25 +0,0 @@ |
||||
From 4a8245ec2e9d48e464488477a3e7ed234009c216 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Oh <peter.oh@bowerswilkins.com>
|
||||
Date: Tue, 29 May 2018 14:39:16 -0700
|
||||
Subject: [PATCH 12/18] mesh: allow mesh to send channel switch request
|
||||
|
||||
add mesh type to nl80211 channel switch request,
|
||||
so mesh is able to send the request to kernel drivers.
|
||||
|
||||
Signed-off-by: Peter Oh <peter.oh@bowerswilkins.com>
|
||||
---
|
||||
src/drivers/driver_nl80211.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
--- a/src/drivers/driver_nl80211.c
|
||||
+++ b/src/drivers/driver_nl80211.c
|
||||
@@ -8685,7 +8685,8 @@ static int nl80211_switch_channel(void *
|
||||
}
|
||||
|
||||
if ((drv->nlmode != NL80211_IFTYPE_AP) &&
|
||||
- (drv->nlmode != NL80211_IFTYPE_P2P_GO))
|
||||
+ (drv->nlmode != NL80211_IFTYPE_P2P_GO) &&
|
||||
+ (drv->nlmode != NL80211_IFTYPE_MESH_POINT) )
|
||||
return -EOPNOTSUPP;
|
||||
|
||||
/*
|
@ -1,23 +0,0 @@ |
||||
From: Felix Fietkau <nbd@nbd.name>
|
||||
Date: Thu, 3 May 2018 12:34:31 +0200
|
||||
Subject: [PATCH] mesh: fix crash with CONFIG_TAXONOMY enabled
|
||||
|
||||
wpa_s->ifmsh needs to be allocated using hostapd_alloc_iface() instead
|
||||
of a direct call to os_zalloc, otherwise the linked list for station
|
||||
taxonomy items remains uninitialized, leading to a crash on the first
|
||||
attempt to traverse that list
|
||||
|
||||
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
||||
---
|
||||
|
||||
--- a/wpa_supplicant/mesh.c
|
||||
+++ b/wpa_supplicant/mesh.c
|
||||
@@ -215,7 +215,7 @@ static int wpa_supplicant_mesh_init(stru
|
||||
return 0;
|
||||
}
|
||||
|
||||
- wpa_s->ifmsh = ifmsh = os_zalloc(sizeof(*wpa_s->ifmsh));
|
||||
+ wpa_s->ifmsh = ifmsh = hostapd_alloc_iface();
|
||||
if (!ifmsh)
|
||||
return -ENOMEM;
|
||||
|
@ -1,45 +0,0 @@ |
||||
From 444adf78eeb129e415d53fcb2fa2f05b6a69abdc Mon Sep 17 00:00:00 2001
|
||||
From: Sven Eckelmann <sven.eckelmann@openmesh.com>
|
||||
Date: Mon, 7 May 2018 15:24:29 +0200
|
||||
Subject: wpa_supplicant: Fix parsing of max_oper_chwidth
|
||||
|
||||
The max_oper_chwidth is parsed in wpa_config_set as INT_RANGE (see
|
||||
ssid_fields). The actual parsing for INT_RANGE is done by
|
||||
wpa_config_parse_int which can only store the result as full integer.
|
||||
|
||||
max_oper_chwidth is stored as u8 (a single byte) in wpa_ssid. This means
|
||||
that on little endian systems, the least significant byte of the parsed
|
||||
value are really stored in the max_oper_chwidth. But on big endian system,
|
||||
the only most significant byte is stored as max_oper_chwidth. This means
|
||||
that 0 is always stored because the provided range doesn't allow any other
|
||||
value for systems with multi-byte-wide integers.
|
||||
|
||||
This also means that for common systems with 4-byte-wide integers, the
|
||||
remaining 3 bytes were written after the actual member of the struct. This
|
||||
should not have influenced the behavior of succeeding members because these
|
||||
bytes would have been part of the padding between the members on most
|
||||
systems.
|
||||
|
||||
Increasing its size to a full int fixes the write operations outside of the
|
||||
member and allows to use the max_oper_chwidth setting on big endian
|
||||
systems.
|
||||
|
||||
Fixes: 0f29bc68d18e ("IBSS/mesh: Add support for VHT80P80 configuration")
|
||||
Signed-off-by: Sven Eckelmann <sven.eckelmann@openmesh.com>
|
||||
|
||||
Forwarded: https://patchwork.ozlabs.org/patch/909751/
|
||||
---
|
||||
wpa_supplicant/config_ssid.h | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
--- a/wpa_supplicant/config_ssid.h
|
||||
+++ b/wpa_supplicant/config_ssid.h
|
||||
@@ -511,7 +511,7 @@ struct wpa_ssid {
|
||||
|
||||
int vht;
|
||||
|
||||
- u8 max_oper_chwidth;
|
||||
+ int max_oper_chwidth;
|
||||
|
||||
unsigned int vht_center_freq1;
|
||||
unsigned int vht_center_freq2;
|
@ -0,0 +1,33 @@ |
||||
From f2973fa39d6109f0f34969e91551a98dc340d537 Mon Sep 17 00:00:00 2001
|
||||
From: Jouni Malinen <j@w1.fi>
|
||||
Date: Mon, 3 Dec 2018 12:00:26 +0200
|
||||
Subject: FT: Fix CONFIG_IEEE80211X=y build without CONFIG_FILS=y
|
||||
|
||||
remove_ie() was defined within an ifdef CONFIG_FILS block while it is
|
||||
now needed even without CONFIG_FILS=y. Remove the CONFIG_FILS condition
|
||||
there.
|
||||
|
||||
Fixes 8c41734e5de1 ("FT: Fix Reassociation Request IEs during FT protocol")
|
||||
Signed-off-by: Jouni Malinen <j@w1.fi>
|
||||
---
|
||||
wpa_supplicant/sme.c | 2 --
|
||||
1 file changed, 2 deletions(-)
|
||||
|
||||
--- a/wpa_supplicant/sme.c
|
||||
+++ b/wpa_supplicant/sme.c
|
||||
@@ -1386,7 +1386,6 @@ void sme_event_auth(struct wpa_supplican
|
||||
}
|
||||
|
||||
|
||||
-#ifdef CONFIG_FILS
|
||||
#ifdef CONFIG_IEEE80211R
|
||||
static void remove_ie(u8 *buf, size_t *len, u8 eid)
|
||||
{
|
||||
@@ -1401,7 +1400,6 @@ static void remove_ie(u8 *buf, size_t *l
|
||||
}
|
||||
}
|
||||
#endif /* CONFIG_IEEE80211R */
|
||||
-#endif /* CONFIG_FILS */
|
||||
|
||||
|
||||
void sme_associate(struct wpa_supplicant *wpa_s, enum wpas_mode mode,
|
@ -1,29 +0,0 @@ |
||||
From 410e2dd1d6b645bf5ed3ed55a9a415acbd993532 Mon Sep 17 00:00:00 2001
|
||||
From: Chaitanya T K <Chaitanya.Mgit@gmail.com>
|
||||
Date: Wed, 29 Aug 2018 02:14:33 +0530
|
||||
Subject: [PATCH] OWE: Fix build error in AP code without CONFIG_IEEE80211W=y
|
||||
|
||||
When CONFIG_OWE is enabled but none of 11R/11W/FILS are enabled hostapd
|
||||
(and wpa_supplicant with AP mode support) build failed. Fix this by
|
||||
adding OWE to the list of conditions for including the local variables.
|
||||
|
||||
Signed-off-by: Chaitanya T K <chaitanya.mgit@gmail.com>
|
||||
---
|
||||
src/ap/drv_callbacks.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
--- a/src/ap/drv_callbacks.c
|
||||
+++ b/src/ap/drv_callbacks.c
|
||||
@@ -109,10 +109,10 @@ int hostapd_notif_assoc(struct hostapd_d
|
||||
struct ieee802_11_elems elems;
|
||||
const u8 *ie;
|
||||
size_t ielen;
|
||||
-#if defined(CONFIG_IEEE80211R_AP) || defined(CONFIG_IEEE80211W) || defined(CONFIG_FILS)
|
||||
+#if defined(CONFIG_IEEE80211R_AP) || defined(CONFIG_IEEE80211W) || defined(CONFIG_FILS) || defined(CONFIG_OWE)
|
||||
u8 buf[sizeof(struct ieee80211_mgmt) + 1024];
|
||||
u8 *p = buf;
|
||||
-#endif /* CONFIG_IEEE80211R_AP || CONFIG_IEEE80211W || CONFIG_FILS */
|
||||
+#endif /* CONFIG_IEEE80211R_AP || CONFIG_IEEE80211W || CONFIG_FILS || CONFIG_OWE */
|
||||
u16 reason = WLAN_REASON_UNSPECIFIED;
|
||||
u16 status = WLAN_STATUS_SUCCESS;
|
||||
const u8 *p2p_dev_addr = NULL;
|
@ -1,26 +0,0 @@ |
||||
From 54e0de1a9ee81477e9dfb93985c1fbf105b3d1d4 Mon Sep 17 00:00:00 2001
|
||||
From: Hauke Mehrtens <hauke@hauke-m.de>
|
||||
Date: Wed, 10 Oct 2018 23:22:23 +0200
|
||||
Subject: SAE: Do not ignore option sae_require_mfp
|
||||
|
||||
Without this patch sae_require_mfp is always activate, when ieee80211w
|
||||
is set to optional all stations negotiating SAEs are being rejected when
|
||||
they do not support PMF. With this patch hostapd only rejects these
|
||||
stations in case sae_require_mfp is set to some value and not null.
|
||||
|
||||
Fixes ba3d435fe43 ("SAE: Add option to require MFP for SAE associations")
|
||||
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
||||
---
|
||||
src/ap/wpa_auth_ie.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
--- a/src/ap/wpa_auth_ie.c
|
||||
+++ b/src/ap/wpa_auth_ie.c
|
||||
@@ -721,6 +721,7 @@ int wpa_validate_wpa_ie(struct wpa_authe
|
||||
|
||||
#ifdef CONFIG_SAE
|
||||
if (wpa_auth->conf.ieee80211w == MGMT_FRAME_PROTECTION_OPTIONAL &&
|
||||
+ wpa_auth->conf.sae_require_mfp &&
|
||||
wpa_key_mgmt_sae(sm->wpa_key_mgmt) &&
|
||||
!(data.capabilities & WPA_CAPABILITY_MFPC)) {
|
||||
wpa_printf(MSG_DEBUG,
|
@ -1,35 +0,0 @@ |
||||
From 672540d4ddbd24782b5c65b35d636bdfe8a90d0f Mon Sep 17 00:00:00 2001
|
||||
From: Rosen Penev <rosenp@gmail.com>
|
||||
Date: Fri, 15 Jun 2018 18:35:30 -0700
|
||||
Subject: [PATCH] Fix compile with OpenSSL 1.1.0 and deprecated APIs
|
||||
|
||||
SSL_session_reused is the same as SSL_cache_hit. The engine load stuff is
|
||||
now handled by OPENSSL_init.
|
||||
|
||||
Signed-off-by: Rosen Penev <rosenp@gmail.com>
|
||||
---
|
||||
src/crypto/tls_openssl.c | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
--- a/src/crypto/tls_openssl.c
|
||||
+++ b/src/crypto/tls_openssl.c
|
||||
@@ -1024,8 +1024,10 @@ void * tls_init(const struct tls_config
|
||||
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
wpa_printf(MSG_DEBUG, "ENGINE: Loading dynamic engine");
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
ERR_load_ENGINE_strings();
|
||||
ENGINE_load_dynamic();
|
||||
+#endif /* OPENSSL_VERSION_NUMBER */
|
||||
|
||||
if (conf &&
|
||||
(conf->opensc_engine_path || conf->pkcs11_engine_path ||
|
||||
@@ -3874,7 +3876,7 @@ struct wpabuf * tls_connection_decrypt(v
|
||||
|
||||
int tls_connection_resumed(void *ssl_ctx, struct tls_connection *conn)
|
||||
{
|
||||
- return conn ? SSL_cache_hit(conn->ssl) : 0;
|
||||
+ return conn ? SSL_session_reused(conn->ssl) : 0;
|
||||
}
|
||||
|
||||
|