Diffstat (limited to 'net-wireless/hostapd')
-rw-r--r--net-wireless/hostapd/ChangeLog8
-rw-r--r--net-wireless/hostapd/files/hostapd-1.0-tls_length_fix.patch48
-rw-r--r--net-wireless/hostapd/hostapd-1.0-r4.ebuild204
3 files changed, 259 insertions, 1 deletions
diff --git a/net-wireless/hostapd/ChangeLog b/net-wireless/hostapd/ChangeLog
index 123232ccea48..162c3c120f9e 100644
--- a/net-wireless/hostapd/ChangeLog
+++ b/net-wireless/hostapd/ChangeLog
@@ -1,6 +1,12 @@
# ChangeLog for net-wireless/hostapd
# Copyright 1999-2012 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-wireless/hostapd/ChangeLog,v 1.128 2012/10/03 19:56:15 gurligebis Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-wireless/hostapd/ChangeLog,v 1.129 2012/10/10 13:14:08 gurligebis Exp $
+
+*hostapd-1.0-r4 (10 Oct 2012)
+
+ 10 Oct 2012; <gurligebis@gentoo.org> +hostapd-1.0-r4.ebuild,
+ +files/hostapd-1.0-tls_length_fix.patch:
+ Bumping to 1.0-r4, to include fix for bug #437830
*hostapd-1.0-r3 (03 Oct 2012)
diff --git a/net-wireless/hostapd/files/hostapd-1.0-tls_length_fix.patch b/net-wireless/hostapd/files/hostapd-1.0-tls_length_fix.patch
new file mode 100644
index 000000000000..bda92cf405fa
--- /dev/null
+++ b/net-wireless/hostapd/files/hostapd-1.0-tls_length_fix.patch
@@ -0,0 +1,48 @@
+From 586c446e0ff42ae00315b014924ec669023bd8de Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sun, 7 Oct 2012 20:06:29 +0300
+Subject: [PATCH] EAP-TLS server: Fix TLS Message Length validation
+
+EAP-TLS/PEAP/TTLS/FAST server implementation did not validate TLS
+Message Length value properly and could end up trying to store more
+information into the message buffer than the allocated size if the first
+fragment is longer than the indicated size. This could result in hostapd
+process terminating in wpabuf length validation. Fix this by rejecting
+messages that have invalid TLS Message Length value.
+
+This would affect cases that use the internal EAP authentication server
+in hostapd either directly with IEEE 802.1X or when using hostapd as a
+RADIUS authentication server and when receiving an incorrectly
+constructed EAP-TLS message. Cases where hostapd uses an external
+authentication are not affected.
+
+Thanks to Timo Warns for finding and reporting this issue.
+
+Signed-hostap: Jouni Malinen <j@w1.fi>
+intended-for: hostap-1
+---
+ src/eap_server/eap_server_tls_common.c | 8 ++++++++
+ 1 files changed, 8 insertions(+), 0 deletions(-)
+
+diff --git a/src/eap_server/eap_server_tls_common.c b/src/eap_server/eap_server_tls_common.c
+index 31be2ec..46f282b 100644
+--- a/src/eap_server/eap_server_tls_common.c
++++ b/src/eap_server/eap_server_tls_common.c
+@@ -228,6 +228,14 @@ static int eap_server_tls_process_fragment(struct eap_ssl_data *data,
+ return -1;
+ }
+
++ if (len > message_length) {
++ wpa_printf(MSG_INFO, "SSL: Too much data (%d bytes) in "
++ "first fragment of frame (TLS Message "
++ "Length %d bytes)",
++ (int) len, (int) message_length);
++ return -1;
++ }
++
+ data->tls_in = wpabuf_alloc(message_length);
+ if (data->tls_in == NULL) {
+ wpa_printf(MSG_DEBUG, "SSL: No memory for message");
+--
+1.7.4-rc1
+
diff --git a/net-wireless/hostapd/hostapd-1.0-r4.ebuild b/net-wireless/hostapd/hostapd-1.0-r4.ebuild
new file mode 100644
index 000000000000..904d60f4e281
--- /dev/null
+++ b/net-wireless/hostapd/hostapd-1.0-r4.ebuild
@@ -0,0 +1,204 @@
+# Copyright 1999-2012 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-wireless/hostapd/hostapd-1.0-r4.ebuild,v 1.1 2012/10/10 13:14:08 gurligebis Exp $
+
+EAPI="4"
+
+inherit toolchain-funcs eutils
+
+DESCRIPTION="IEEE 802.11 wireless LAN Host AP daemon"
+HOMEPAGE="http://hostap.epitest.fi"
+SRC_URI="http://hostap.epitest.fi/releases/${P}.tar.gz"
+
+LICENSE="|| ( GPL-2 BSD )"
+SLOT="0"
+KEYWORDS="~amd64 ~mips ~ppc ~x86"
+IUSE="debug ipv6 logwatch madwifi +ssl +wps +crda"
+
+DEPEND="ssl? ( dev-libs/openssl )
+ kernel_linux? (
+ dev-libs/libnl:3
+ crda? ( net-wireless/crda )
+ )
+ madwifi? ( ||
+ ( >net-wireless/madwifi-ng-tools-0.9.3
+ net-wireless/madwifi-old ) )"
+RDEPEND="${DEPEND}"
+
+S="${S}/${PN}"
+
+src_prepare() {
+ cd ..
+ epatch "${FILESDIR}/${P}-libnl_path_fix.patch"
+ epatch "${FILESDIR}/${P}-tls_length_fix.patch"
+
+ sed -i -e "s:/etc/hostapd:/etc/hostapd/hostapd:g" \
+ "${S}/hostapd.conf" || die
+}
+
+src_configure() {
+ local CONFIG="${S}/.config"
+
+ # toolchain setup
+ echo "CC = $(tc-getCC)" > ${CONFIG}
+
+ # EAP authentication methods
+ echo "CONFIG_EAP=y" >> ${CONFIG}
+ echo "CONFIG_EAP_MD5=y" >> ${CONFIG}
+
+ if use ssl; then
+ # SSL authentication methods
+ echo "CONFIG_EAP_TLS=y" >> ${CONFIG}
+ echo "CONFIG_EAP_TTLS=y" >> ${CONFIG}
+ echo "CONFIG_EAP_MSCHAPV2=y" >> ${CONFIG}
+ echo "CONFIG_EAP_PEAP=y" >> ${CONFIG}
+ fi
+
+ if use wps; then
+ # Enable Wi-Fi Protected Setup
+ echo "CONFIG_WPS=y" >> ${CONFIG}
+ echo "CONFIG_WPS2=y" >> ${CONFIG}
+ echo "CONFIG_WPS_UPNP=y" >> ${CONFIG}
+ einfo "Enabling Wi-Fi Protected Setup support"
+ fi
+
+ echo "CONFIG_EAP_GTC=y" >> ${CONFIG}
+ echo "CONFIG_EAP_SIM=y" >> ${CONFIG}
+ echo "CONFIG_EAP_AKA=y" >> ${CONFIG}
+ echo "CONFIG_EAP_PAX=y" >> ${CONFIG}
+ echo "CONFIG_EAP_PSK=y" >> ${CONFIG}
+ echo "CONFIG_EAP_SAKE=y" >> ${CONFIG}
+ echo "CONFIG_EAP_GPSK=y" >> ${CONFIG}
+ echo "CONFIG_EAP_GPSK_SHA256=y" >> ${CONFIG}
+
+ einfo "Enabling drivers: "
+
+ # drivers
+ echo "CONFIG_DRIVER_HOSTAP=y" >> ${CONFIG}
+ einfo " HostAP driver enabled"
+ echo "CONFIG_DRIVER_WIRED=y" >> ${CONFIG}
+ einfo " Wired driver enabled"
+ echo "CONFIG_DRIVER_PRISM54=y" >> ${CONFIG}
+ einfo " Prism54 driver enabled"
+ echo "CONFIG_DRIVER_NONE=y" >> ${CONFIG}
+ einfo " None driver enabled"
+
+ if use madwifi; then
+ # Add include path for madwifi-driver headers
+ einfo " Madwifi driver enabled"
+ echo "CFLAGS += -I/usr/include/madwifi" >> ${CONFIG}
+ echo "CONFIG_DRIVER_MADWIFI=y" >> ${CONFIG}
+ else
+ einfo " Madwifi driver disabled"
+ fi
+
+ einfo " nl80211 driver enabled"
+ echo "CONFIG_DRIVER_NL80211=y" >> ${CONFIG}
+ echo "LIBS += -L/usr/lib" >> ${CONFIG}
+
+ # misc
+ echo "CONFIG_PKCS12=y" >> ${CONFIG}
+ echo "CONFIG_RADIUS_SERVER=y" >> ${CONFIG}
+ echo "CONFIG_IAPP=y" >> ${CONFIG}
+ echo "CONFIG_IEEE80211R=y" >> ${CONFIG}
+ echo "CONFIG_IEEE80211W=y" >> ${CONFIG}
+ echo "CONFIG_IEEE80211N=y" >> ${CONFIG}
+ echo "CONFIG_PEERKEY=y" >> ${CONFIG}
+ echo "CONFIG_RSN_PREAUTH=y" >> ${CONFIG}
+ echo "CONFIG_INTERWORKING=y" >> ${CONFIG}
+
+ if use ipv6; then
+ # IPv6 support
+ echo "CONFIG_IPV6=y" >> ${CONFIG}
+ fi
+
+ if ! use debug; then
+ echo "CONFIG_NO_STDOUT_DEBUG=y" >> ${CONFIG}
+ fi
+
+ # If we are using libnl 2.0 and above, enable support for it
+ # Removed for now, since the 3.2 version is broken, and we don't
+ # support it.
+ if has_version ">=dev-libs/libnl-3.2"; then
+ echo "CONFIG_LIBNL32=y" >> .config
+ fi
+
+ # TODO: Add support for BSD drivers
+
+ default_src_configure
+}
+
+src_compile() {
+ emake V=1
+
+ if use ssl; then
+ emake V=1 nt_password_hash
+ emake V=1 hlr_auc_gw
+ fi
+}
+
+src_install() {
+ insinto /etc/${PN}
+ doins ${PN}.{conf,accept,deny,eap_user,radius_clients,sim_db,wpa_psk}
+
+ fperms -R 600 /etc/${PN}
+
+ dosbin ${PN}
+ dobin ${PN}_cli
+
+ use ssl && dobin nt_password_hash hlr_auc_gw
+
+ newinitd "${FILESDIR}"/${PN}-init.d ${PN}
+ newconfd "${FILESDIR}"/${PN}-conf.d ${PN}
+
+ doman ${PN}{.8,_cli.1}
+
+ dodoc ChangeLog README
+ use wps && dodoc README-WPS
+
+ docinto examples
+ dodoc wired.conf
+
+ if use logwatch; then
+ insinto /etc/log.d/conf/services/
+ doins logwatch/${PN}.conf
+
+ exeinto /etc/log.d/scripts/services/
+ doexe logwatch/${PN}
+ fi
+}
+
+pkg_postinst() {
+ einfo
+ einfo "In order to use ${PN} you need to set up your wireless card"
+ einfo "for master mode in /etc/conf.d/net and then start"
+ einfo "/etc/init.d/${PN}."
+ einfo
+ einfo "Example configuration:"
+ einfo
+ einfo "config_wlan0=( \"192.168.1.1/24\" )"
+ einfo "channel_wlan0=\"6\""
+ einfo "essid_wlan0=\"test\""
+ einfo "mode_wlan0=\"master\""
+ einfo
+ if use madwifi; then
+ einfo "This package compiles against the headers installed by"
+ einfo "madwifi-old, madwifi-ng or madwifi-ng-tools."
+ einfo "You should remerge ${PN} after upgrading these packages."
+ einfo
+ einfo "Since you are using the madwifi-ng driver, you should disable or"
+ einfo "comment out wme_enabled from ${PN}.conf, since it will"
+ einfo "cause problems otherwise (see bug #260377"
+ fi
+ #if [ -e "${KV_DIR}"/net/mac80211 ]; then
+ # einfo "This package now compiles against the headers installed by"
+ # einfo "the kernel source for the mac80211 driver. You should "
+ # einfo "re-emerge ${PN} after upgrading your kernel source."
+ #fi
+
+ if use wps; then
+ einfo "You have enabled Wi-Fi Protected Setup support, please"
+ einfo "read the README-WPS file in /usr/share/doc/${P}"
+ einfo "for info on how to use WPS"
+ fi
+}
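Review bot: The comment above `if has_version ">=dev-libs/libnl-3.2"` in src_configure says the libnl 3.2 block was "Removed for now", yet the block is live and, unlike every other line in the function, appends to a bare `.config` instead of `${CONFIG}`; either drop the stale sentence or make the code match it, and use `echo "CONFIG_LIBNL32=y" >> ${CONFIG}` so the output file is not tied to the current working directory. The new `epatch "${FILESDIR}/${P}-tls_length_fix.patch"` line carries no hint of why it exists, although this ebuild turns on exactly the code paths the patch header says are affected (`CONFIG_EAP_TLS=y`, `CONFIG_EAP_PEAP=y`, `CONFIG_EAP_TTLS=y`, `CONFIG_RADIUS_SERVER=y`); a one-line comment such as `# bug #437830: TLS Message Length validation in the internal EAP server` would let a maintainer judge whether the patch can be dropped on the next bump. In pkg_postinst the string `"cause problems otherwise (see bug #260377"` is missing its closing parenthesis. Less certain: `fperms -R 600 /etc/${PN}` appears to apply 600 to the directory itself as well as to the secret-bearing config files; if that is the case, `fperms 700 /etc/${PN}` for the directory with 600 on its contents would be the more conventional split, though hostapd running as root is unaffected either way.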