Commit e3d4df15 authored by David Mondou's avatar David Mondou

Merge branch 'fix-wpa' into 'master'

Update hostapd and wpa-supplicant to 2.6 and add security patches

See merge request vesta/meta-vesta!58
parents a4144a00 4232b24b
# Example hostapd build time configuration
#
# This file lists the configuration options that are used when building the
# hostapd binary. All lines starting with # are ignored. Configuration option
# lines must be commented out complete, if they are not to be included, i.e.,
# just setting VARIABLE=n is not disabling that variable.
#
# This file is included in Makefile, so variables like CFLAGS and LIBS can also
# be modified from here. In most cass, these lines should use += in order not
# to override previous values of the variables.
# Driver interface for Host AP driver
CONFIG_DRIVER_HOSTAP=y
# Driver interface for wired authenticator
CONFIG_DRIVER_WIRED=y
# Driver interface for madwifi driver
#CONFIG_DRIVER_MADWIFI=y
#CFLAGS += -I../../madwifi # change to the madwifi source directory
# Driver interface for Prism54 driver
CONFIG_DRIVER_PRISM54=y
# Driver interface for drivers using the nl80211 kernel interface
CONFIG_DRIVER_NL80211=y
CONFIG_LIBNL32=y
# driver_nl80211.c requires a rather new libnl (version 1.1) which may not be
# shipped with your distribution yet. If that is the case, you need to build
# newer libnl version and point the hostapd build to use it.
#LIBNL=/usr/src/libnl
#CFLAGS += -I$(LIBNL)/include
#LIBS += -L$(LIBNL)/lib
# Driver interface for FreeBSD net80211 layer (e.g., Atheros driver)
#CONFIG_DRIVER_BSD=y
#CFLAGS += -I/usr/local/include
#LIBS += -L/usr/local/lib
# Driver interface for no driver (e.g., RADIUS server only)
#CONFIG_DRIVER_NONE=y
# IEEE 802.11F/IAPP
CONFIG_IAPP=y
# WPA2/IEEE 802.11i RSN pre-authentication
CONFIG_RSN_PREAUTH=y
# PeerKey handshake for Station to Station Link (IEEE 802.11e DLS)
CONFIG_PEERKEY=y
# IEEE 802.11w (management frame protection)
# This version is an experimental implementation based on IEEE 802.11w/D1.0
# draft and is subject to change since the standard has not yet been finalized.
# Driver support is also needed for IEEE 802.11w.
#CONFIG_IEEE80211W=y
# Integrated EAP server
CONFIG_EAP=y
# EAP-MD5 for the integrated EAP server
CONFIG_EAP_MD5=y
# EAP-TLS for the integrated EAP server
CONFIG_EAP_TLS=y
# EAP-MSCHAPv2 for the integrated EAP server
CONFIG_EAP_MSCHAPV2=y
# EAP-PEAP for the integrated EAP server
CONFIG_EAP_PEAP=y
# EAP-GTC for the integrated EAP server
CONFIG_EAP_GTC=y
# EAP-TTLS for the integrated EAP server
CONFIG_EAP_TTLS=y
# EAP-SIM for the integrated EAP server
#CONFIG_EAP_SIM=y
# EAP-AKA for the integrated EAP server
#CONFIG_EAP_AKA=y
# EAP-AKA' for the integrated EAP server
# This requires CONFIG_EAP_AKA to be enabled, too.
#CONFIG_EAP_AKA_PRIME=y
# EAP-PAX for the integrated EAP server
#CONFIG_EAP_PAX=y
# EAP-PSK for the integrated EAP server (this is _not_ needed for WPA-PSK)
#CONFIG_EAP_PSK=y
# EAP-SAKE for the integrated EAP server
#CONFIG_EAP_SAKE=y
# EAP-GPSK for the integrated EAP server
#CONFIG_EAP_GPSK=y
# Include support for optional SHA256 cipher suite in EAP-GPSK
#CONFIG_EAP_GPSK_SHA256=y
# EAP-FAST for the integrated EAP server
# Note: Default OpenSSL package does not include support for all the
# functionality needed for EAP-FAST. If EAP-FAST is enabled with OpenSSL,
# the OpenSSL library must be patched (openssl-0.9.9-session-ticket.patch)
# to add the needed functions.
#CONFIG_EAP_FAST=y
# Wi-Fi Protected Setup (WPS)
CONFIG_WPS=y
# Enable UPnP support for external WPS Registrars
#CONFIG_WPS_UPNP=y
# EAP-IKEv2
#CONFIG_EAP_IKEV2=y
# Trusted Network Connect (EAP-TNC)
#CONFIG_EAP_TNC=y
# PKCS#12 (PFX) support (used to read private key and certificate file from
# a file that usually has extension .p12 or .pfx)
CONFIG_PKCS12=y
# RADIUS authentication server. This provides access to the integrated EAP
# server from external hosts using RADIUS.
CONFIG_RADIUS_SERVER=y
# Build IPv6 support for RADIUS operations
CONFIG_IPV6=y
# IEEE Std 802.11r-2008 (Fast BSS Transition)
#CONFIG_IEEE80211R=y
# Use the hostapd's IEEE 802.11 authentication (ACL), but without
# the IEEE 802.11 Management capability (e.g., madwifi or FreeBSD/net80211)
CONFIG_DRIVER_RADIUS_ACL=y
# IEEE 802.11n (High Throughput) support
CONFIG_IEEE80211N=y
# Remove debugging code that is printing out debug messages to stdout.
# This can be used to reduce the size of the hostapd considerably if debugging
# code is not needed.
#CONFIG_NO_STDOUT_DEBUG=y
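Review bot: The build configuration leaves management frame protection compiled out (`#CONFIG_IEEE80211W=y`) while enabling `CONFIG_WPS=y` and `CONFIG_EAP_MD5=y`, which is a weak baseline for a commit whose stated purpose is security patches. The surrounding comments (802.11w described as a D1.0 draft, libnl 1.1, an OpenSSL 0.9.9 patch) suggest the file was carried over from a much older hostapd release rather than regenerated from the 2.6 defconfig; that is an inference from the comments only. I would enable `CONFIG_IEEE80211W=y`, drop WPS and EAP-MD5 unless the product needs them, and add a one-line reason next to each option that stays enabled.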
[Unit]
Description=Hostapd IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator
After=network.target
[Service]
Type=forking
PIDFile=/run/hostapd.pid
ExecStart=@SBINDIR@/hostapd @SYSCONFDIR@/hostapd.conf -P /run/hostapd.pid -B
[Install]
WantedBy=multi-user.target
#!/bin/sh
DAEMON=/usr/sbin/hostapd
NAME=hostapd
DESC="HOSTAP Daemon"
ARGS="/etc/hostapd.conf -B"
test -f $DAEMON || exit 0
set -e
# source function library
. /etc/init.d/functions
delay_stop() {
count=0
while [ $count -lt 9 ] ; do
if pidof $DAEMON >/dev/null; then
sleep 1
else
return 0
fi
count=`expr $count + 1`
done
echo "Failed to stop $DESC."
return 1
}
case "$1" in
start)
echo -n "Starting $DESC: "
start-stop-daemon -S -x $DAEMON -- $ARGS
echo "$NAME."
;;
stop)
echo -n "Stopping $DESC: "
start-stop-daemon -K --oknodo -x $DAEMON
echo "$NAME."
;;
restart)
$0 stop
delay_stop && $0 start
;;
reload)
echo -n "Reloading $DESC: "
killall -HUP $(basename ${DAEMON})
echo "$NAME."
;;
status)
status $DAEMON
exit $?
;;
*)
echo "Usage: $0 {start|stop|restart|reload|status}"
exit 1
;;
esac
exit 0
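Review bot: `reload` signals by process name (`killall -HUP $(basename ${DAEMON})`) and `stop` matches on the executable, so every hostapd process on the system is affected, not only the instance this script started. `ARGS` has no `-P` option although the systemd unit in this commit passes `-P /run/hostapd.pid`; setting `ARGS="/etc/hostapd.conf -B -P /var/run/hostapd.pid"` and giving `start-stop-daemon` that file with `-p` would scope both actions to the one daemon. `$DAEMON` and `$ARGS` are also expanded unquoted; `$ARGS` relies on word splitting, which deserves a comment such as `# ARGS is split on purpose: config path plus flags`.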
DESCRIPTION = "Prevent hostapd from being started on boot."
INITSCRIPT_NAME = ""
HOMEPAGE = "http://w1.fi/hostapd/"
SECTION = "kernel/userland"
LICENSE = "GPLv2 | BSD"
LIC_FILES_CHKSUM = "file://${B}/README;md5=8aa4e8c78b59b12016c4cb2d0a8db350"
DEPENDS = "libnl openssl"
SUMMARY = "User space daemon for extended IEEE 802.11 management"
inherit update-rc.d systemd
INITSCRIPT_NAME = "hostapd"
PREFERRED_VERSION_hostapd = "2.6"
SYSTEMD_SERVICE_${PN} = "hostapd.service"
SYSTEMD_AUTO_ENABLE_${PN} = "disable"
SRC_URI = " \
http://w1.fi/releases/hostapd-${PV}.tar.gz \
file://defconfig \
file://init \
file://hostapd.service \
file://key-replay-cve-multiple.patch \
"
S = "${WORKDIR}/hostapd-${PV}"
B = "${WORKDIR}/hostapd-${PV}/hostapd"
do_configure() {
install -m 0644 ${WORKDIR}/defconfig ${B}/.config
}
do_compile() {
export CFLAGS="-MMD -O2 -Wall -g -I${STAGING_INCDIR}/libnl3"
make
}
do_install() {
install -d ${D}${sbindir} ${D}${sysconfdir}/init.d ${D}${systemd_unitdir}/system/
install -m 0644 ${B}/hostapd.conf ${D}${sysconfdir}
install -m 0755 ${B}/hostapd ${D}${sbindir}
install -m 0755 ${B}/hostapd_cli ${D}${sbindir}
install -m 755 ${WORKDIR}/init ${D}${sysconfdir}/init.d/hostapd
install -m 0644 ${WORKDIR}/hostapd.service ${D}${systemd_unitdir}/system/
sed -i -e 's,@SBINDIR@,${sbindir},g' -e 's,@SYSCONFDIR@,${sysconfdir},g' ${D}${systemd_unitdir}/system/hostapd.service
}
CONFFILES_${PN} += "${sysconfdir}/hostapd.conf"
SRC_URI[md5sum] = "eaa56dce9bd8f1d195eb62596eab34c7"
SRC_URI[sha256sum] = "01526b90c1d23bec4b0f052039cc4456c2fd19347b4d830d1d58a0a6aea7117d"
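Review bot: `install -m 0644 ${B}/hostapd.conf ${D}${sysconfdir}` ships the access-point configuration world-readable, and that file is where the WPA passphrase and RADIUS shared secrets normally end up once the device is configured. The wpa-supplicant recipe in this same commit installs its configuration with `-m 600`; I would do the same here with `install -m 0600 ${B}/hostapd.conf ${D}${sysconfdir}`. Separately, `INITSCRIPT_NAME` is assigned twice (`""`, then `"hostapd"`) and `DESCRIPTION` says the recipe prevents hostapd from starting on boot, which reads like leftovers from another recipe and should be cleaned up or explained in a comment.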
#!/bin/sh
WPA_SUP_BIN="/usr/sbin/wpa_supplicant"
WPA_SUP_PNAME="wpa_supplicant"
WPA_SUP_PIDFILE="/var/run/wpa_supplicant.$IFACE.pid"
WPA_SUP_OPTIONS="-B -P $WPA_SUP_PIDFILE -i $IFACE"
VERBOSITY=0
if [ -s "$IF_WPA_CONF" ]; then
WPA_SUP_CONF="-c $IF_WPA_CONF"
else
exit 0
fi
if [ ! -x "$WPA_SUP_BIN" ]; then
if [ "$VERBOSITY" = "1" ]; then
echo "$WPA_SUP_PNAME: binaries not executable or missing from $WPA_SUP_BIN"
fi
exit 1
fi
if [ "$MODE" = "start" ] ; then
# driver type of interface, defaults to wext when undefined
if [ -s "/etc/wpa_supplicant/driver.$IFACE" ]; then
IF_WPA_DRIVER=$(cat "/etc/wpa_supplicant/driver.$IFACE")
elif [ -z "$IF_WPA_DRIVER" ]; then
if [ "$VERBOSITY" = "1" ]; then
echo "$WPA_SUP_PNAME: wpa-driver not provided, using \"wext\""
fi
IF_WPA_DRIVER="wext"
fi
# if we have passed the criteria, start wpa_supplicant
if [ -n "$WPA_SUP_CONF" ]; then
if [ "$VERBOSITY" = "1" ]; then
echo "$WPA_SUP_PNAME: $WPA_SUP_BIN $WPA_SUP_OPTIONS $WPA_SUP_CONF -D $IF_WPA_DRIVER"
fi
start-stop-daemon --start --quiet \
--name $WPA_SUP_PNAME --startas $WPA_SUP_BIN --pidfile $WPA_SUP_PIDFILE \
-- $WPA_SUP_OPTIONS $WPA_SUP_CONF -D $IF_WPA_DRIVER
fi
# if the interface socket exists, then wpa_supplicant was invoked successfully
if [ -S "$WPA_COMMON_CTRL_IFACE/$IFACE" ]; then
if [ "$VERBOSITY" = "1" ]; then
echo "$WPA_SUP_PNAME: ctrl_interface socket located at $WPA_COMMON_CTRL_IFACE/$IFACE"
fi
exit 0
fi
elif [ "$MODE" = "stop" ]; then
if [ -f "$WPA_SUP_PIDFILE" ]; then
if [ "$VERBOSITY" = "1" ]; then
echo "$WPA_SUP_PNAME: terminating $WPA_SUP_PNAME daemon"
fi
start-stop-daemon --stop --quiet \
--name $WPA_SUP_PNAME --pidfile $WPA_SUP_PIDFILE
if [ -S "$WPA_COMMON_CTRL_IFACE/$IFACE" ]; then
rm -f $WPA_COMMON_CTRL_IFACE/$IFACE
fi
if [ -f "$WPA_SUP_PIDFILE" ]; then
rm -f $WPA_SUP_PIDFILE
fi
fi
fi
exit 0
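Review bot: `WPA_COMMON_CTRL_IFACE` is never assigned in this script, so unless the caller exports it the socket tests expand to `/$IFACE` and the cleanup runs `rm -f` on that path. The configuration shipped in this commit uses `ctrl_interface=/var/run/wpa_supplicant`, so I would set `WPA_COMMON_CTRL_IFACE="/var/run/wpa_supplicant"` next to the other `WPA_SUP_*` variables and quote the removals: `rm -f -- "$WPA_COMMON_CTRL_IFACE/$IFACE"` and `rm -f -- "$WPA_SUP_PIDFILE"`. `$IFACE` and `$IF_WPA_CONF` come from the environment and are word-split into the daemon's arguments through `$WPA_SUP_OPTIONS` and `$WPA_SUP_CONF`; a header comment naming who sets them (presumably ifupdown) would make that dependency explicit.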
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
update_config=1
network={
key_mgmt=NONE
}
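Review bot: The only `network` block has `key_mgmt=NONE` and no `ssid`, which as far as I know makes wpa_supplicant willing to associate with any open network in range on a freshly installed device. If that is not a product requirement, ship the file without a network block, or add `disabled=1` inside it so that a network has to be provisioned explicitly. `ctrl_interface_group=0` limits the control socket to gid 0 and `update_config=1` lets clients on that socket persist changes to this file; a one-line comment stating that this is intended would help the next reader.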
SUMMARY = "Client for Wi-Fi Protected Access (WPA)"
HOMEPAGE = "http://w1.fi/wpa_supplicant/"
BUGTRACKER = "http://w1.fi/security/"
SECTION = "network"
LICENSE = "BSD"
LIC_FILES_CHKSUM = "file://COPYING;md5=292eece3f2ebbaa25608eed8464018a3 \
file://README;beginline=1;endline=56;md5=3f01d778be8f953962388307ee38ed2b \
file://wpa_supplicant/wpa_supplicant.c;beginline=1;endline=12;md5=4061612fc5715696134e3baf933e8aba"
DEPENDS = "dbus libnl"
RRECOMMENDS_${PN} = "wpa-supplicant-passphrase wpa-supplicant-cli"
PREFERRED_VERSION_wpa-supplicant = "2.6"
PACKAGECONFIG ??= "gnutls"
PACKAGECONFIG[gnutls] = ",,gnutls libgcrypt"
PACKAGECONFIG[openssl] = ",,openssl"
inherit pkgconfig systemd
SYSTEMD_SERVICE_${PN} = "wpa_supplicant.service wpa_supplicant-nl80211@.service wpa_supplicant-wired@.service"
SYSTEMD_AUTO_ENABLE = "disable"
SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \
file://defconfig \
file://wpa-supplicant.sh \
file://wpa_supplicant.conf \
file://wpa_supplicant.conf-sane \
file://99_wpa_supplicant \
file://key-replay-cve-multiple.patch \
"
SRC_URI[md5sum] = "091569eb4440b7d7f2b4276dbfc03c3c"
SRC_URI[sha256sum] = "b4936d34c4e6cdd44954beba74296d964bc2c9668ecaa5255e499636fe2b1450"
CVE_PRODUCT = "wpa_supplicant"
S = "${WORKDIR}/wpa_supplicant-${PV}"
PACKAGES_prepend = "wpa-supplicant-passphrase wpa-supplicant-cli "
FILES_wpa-supplicant-passphrase = "${bindir}/wpa_passphrase"
FILES_wpa-supplicant-cli = "${sbindir}/wpa_cli"
FILES_${PN} += "${datadir}/dbus-1/system-services/*"
CONFFILES_${PN} += "${sysconfdir}/wpa_supplicant.conf"
do_configure () {
${MAKE} -C wpa_supplicant clean
install -m 0755 ${WORKDIR}/defconfig wpa_supplicant/.config
echo "CFLAGS +=\"-I${STAGING_INCDIR}/libnl3\"" >> wpa_supplicant/.config
echo "DRV_CFLAGS +=\"-I${STAGING_INCDIR}/libnl3\"" >> wpa_supplicant/.config
if echo "${PACKAGECONFIG}" | grep -qw "openssl"; then
ssl=openssl
elif echo "${PACKAGECONFIG}" | grep -qw "gnutls"; then
ssl=gnutls
fi
if [ -n "$ssl" ]; then
sed -i "s/%ssl%/$ssl/" wpa_supplicant/.config
fi
# For rebuild
rm -f wpa_supplicant/*.d wpa_supplicant/dbus/*.d
}
export EXTRA_CFLAGS = "${CFLAGS}"
export BINDIR = "${sbindir}"
do_compile () {
unset CFLAGS CPPFLAGS CXXFLAGS
sed -e "s:CFLAGS\ =.*:& \$(EXTRA_CFLAGS):g" -i ${S}/src/lib.rules
oe_runmake -C wpa_supplicant
}
do_install () {
install -d ${D}${sbindir}
install -m 755 wpa_supplicant/wpa_supplicant ${D}${sbindir}
install -m 755 wpa_supplicant/wpa_cli ${D}${sbindir}
install -d ${D}${bindir}
install -m 755 wpa_supplicant/wpa_passphrase ${D}${bindir}
install -d ${D}${docdir}/wpa_supplicant
install -m 644 wpa_supplicant/README ${WORKDIR}/wpa_supplicant.conf ${D}${docdir}/wpa_supplicant
install -d ${D}${sysconfdir}
install -m 600 ${WORKDIR}/wpa_supplicant.conf-sane ${D}${sysconfdir}/wpa_supplicant.conf
install -d ${D}${sysconfdir}/network/if-pre-up.d/
install -d ${D}${sysconfdir}/network/if-post-down.d/
install -d ${D}${sysconfdir}/network/if-down.d/
install -m 755 ${WORKDIR}/wpa-supplicant.sh ${D}${sysconfdir}/network/if-pre-up.d/wpa-supplicant
cd ${D}${sysconfdir}/network/ && \
ln -sf ../if-pre-up.d/wpa-supplicant if-post-down.d/wpa-supplicant
install -d ${D}/${sysconfdir}/dbus-1/system.d
install -m 644 ${S}/wpa_supplicant/dbus/dbus-wpa_supplicant.conf ${D}/${sysconfdir}/dbus-1/system.d
install -d ${D}/${datadir}/dbus-1/system-services
install -m 644 ${S}/wpa_supplicant/dbus/*.service ${D}/${datadir}/dbus-1/system-services
if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
install -d ${D}/${systemd_unitdir}/system
install -m 644 ${S}/wpa_supplicant/systemd/*.service ${D}/${systemd_unitdir}/system
fi
install -d ${D}/etc/default/volatiles
install -m 0644 ${WORKDIR}/99_wpa_supplicant ${D}/etc/default/volatiles
}
pkg_postinst_wpa-supplicant () {
# If we're offline, we don't need to do this.
if [ "x$D" = "x" ]; then
killall -q -HUP dbus-daemon || true
fi
}
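Review bot: `file://key-replay-cve-multiple.patch` does not say which CVEs it covers, and the hostapd recipe in this commit lists a patch of the same name. The recipe sets `CVE_PRODUCT`, so it is presumably meant to be scanned; the patch body is not shown on this page, but if its header has no `CVE:` lines the scanner will probably keep reporting the fixed issues as open. I would add one `CVE: CVE-YYYY-NNNNN` line per fixed issue (placeholder; take the real ids from the upstream advisory) and an `Upstream-Status:` line to the patch header in both recipes. As far as I know `PREFERRED_VERSION_wpa-supplicant = "2.6"` also has no effect inside the recipe itself and belongs in the distro or local configuration.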