commit: 858ab8314e6296e4b45e78992d07c1f22f0bf7a5 Author: Aaron Bauman <bman <AT> gentoo <DOT> org> AuthorDate: Thu Apr 19 03:04:01 2018 +0000 Commit: Aaron Bauman <bman <AT> gentoo <DOT> org> CommitDate: Thu Apr 19 03:04:14 2018 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=858ab831
net-wireless/hostapd: add LibreSSL support This patch adds support for LibreSSL and ensures compatibility with dev-libs/libressl-2.7.x. Patch was backported from upstream commits: ba3658cfff2278bc2ba24c32773962b37648d0b2 dee566d98e85e00b917d3eff42cd7e969de089cc Closes: https://bugs.gentoo.org/567262 Package-Manager: Portage-2.3.29, Repoman-2.3.9 .../files/hostapd-2.6-libressl-compatibility.patch | 106 +++++++++ net-wireless/hostapd/hostapd-2.6-r3.ebuild | 240 +++++++++++++++++++++ 2 files changed, 346 insertions(+) diff --git a/net-wireless/hostapd/files/hostapd-2.6-libressl-compatibility.patch b/net-wireless/hostapd/files/hostapd-2.6-libressl-compatibility.patch new file mode 100644 index 00000000000..025da58028d --- /dev/null +++ b/net-wireless/hostapd/files/hostapd-2.6-libressl-compatibility.patch @@ -0,0 +1,106 @@ +diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c +index 19e0e2be8..6585c0245 100644 +--- a/src/crypto/crypto_openssl.c ++++ b/src/crypto/crypto_openssl.c +@@ -33,7 +33,9 @@ + #include "aes_wrap.h" + #include "crypto.h" + +-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) ++#if OPENSSL_VERSION_NUMBER < 0x10100000L || \ ++ (defined(LIBRESSL_VERSION_NUMBER) && \ ++ LIBRESSL_VERSION_NUMBER < 0x20700000L) + /* Compatibility wrappers for older versions. */ + + static HMAC_CTX * HMAC_CTX_new(void) +@@ -79,7 +81,9 @@ static void EVP_MD_CTX_free(EVP_MD_CTX *ctx) + + static BIGNUM * get_group5_prime(void) + { +-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && \ ++ !(defined(LIBRESSL_VERSION_NUMBER) && \ ++ LIBRESSL_VERSION_NUMBER < 0x20700000L) + return BN_get_rfc3526_prime_1536(NULL); + #elif !defined(OPENSSL_IS_BORINGSSL) + return get_rfc3526_prime_1536(NULL); +@@ -611,7 +615,9 @@ void crypto_cipher_deinit(struct crypto_cipher *ctx) + + void * dh5_init(struct wpabuf **priv, struct wpabuf **publ) + { +-#if OPENSSL_VERSION_NUMBER < 0x10100000L ++#if OPENSSL_VERSION_NUMBER < 0x10100000L || \ ++ (defined(LIBRESSL_VERSION_NUMBER) && \ ++ LIBRESSL_VERSION_NUMBER < 0x20700000L) + DH *dh; + struct wpabuf *pubkey = NULL, *privkey = NULL; + size_t publen, privlen; +@@ -712,7 +718,9 @@ err: + + void * dh5_init_fixed(const struct wpabuf *priv, const struct wpabuf *publ) + { +-#if OPENSSL_VERSION_NUMBER < 0x10100000L ++#if OPENSSL_VERSION_NUMBER < 0x10100000L || \ ++ (defined(LIBRESSL_VERSION_NUMBER) && \ ++ LIBRESSL_VERSION_NUMBER < 0x20700000L) + DH *dh; + + dh = DH_new(); +diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c +index 23ac64b48..91acc579d 100644 +--- a/src/crypto/tls_openssl.c ++++ b/src/crypto/tls_openssl.c +@@ -59,7 +59,8 @@ typedef int stack_index_t; + #endif /* SSL_set_tlsext_status_type */ + + #if (OPENSSL_VERSION_NUMBER < 0x10100000L || \ +- defined(LIBRESSL_VERSION_NUMBER)) && \ ++ (defined(LIBRESSL_VERSION_NUMBER) && \ ++ LIBRESSL_VERSION_NUMBER < 0x20700000L)) && \ + !defined(BORINGSSL_API_VERSION) + /* + * SSL_get_client_random() and SSL_get_server_random() were added in OpenSSL +@@ -919,7 +920,9 @@ void * tls_init(const struct tls_config *conf) + } + #endif /* OPENSSL_FIPS */ + #endif /* CONFIG_FIPS */ +-#if OPENSSL_VERSION_NUMBER < 0x10100000L ++#if OPENSSL_VERSION_NUMBER < 0x10100000L || \ ++ (defined(LIBRESSL_VERSION_NUMBER) && \ ++ LIBRESSL_VERSION_NUMBER < 0x20700000L) + SSL_load_error_strings(); + SSL_library_init(); + #ifndef OPENSSL_NO_SHA256 +@@ -1043,7 +1046,9 @@ void tls_deinit(void *ssl_ctx) + + tls_openssl_ref_count--; + if (tls_openssl_ref_count == 0) { +-#if OPENSSL_VERSION_NUMBER < 0x10100000L ++#if OPENSSL_VERSION_NUMBER < 0x10100000L || \ ++ (defined(LIBRESSL_VERSION_NUMBER) && \ ++ LIBRESSL_VERSION_NUMBER < 0x20700000L) + #ifndef OPENSSL_NO_ENGINE + ENGINE_cleanup(); + #endif /* OPENSSL_NO_ENGINE */ +@@ -3105,7 +3110,9 @@ int tls_connection_get_random(void *ssl_ctx, struct tls_connection *conn, + #ifdef OPENSSL_NEED_EAP_FAST_PRF + static int openssl_get_keyblock_size(SSL *ssl) + { +-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) ++#if OPENSSL_VERSION_NUMBER < 0x10100000L || \ ++ (defined(LIBRESSL_VERSION_NUMBER) && \ ++ LIBRESSL_VERSION_NUMBER < 0x20700000L) + const EVP_CIPHER *c; + const EVP_MD *h; + int md_size; +@@ -4159,7 +4166,9 @@ static int tls_sess_sec_cb(SSL *s, void *secret, int *secret_len, + struct tls_connection *conn = arg; + int ret; + +-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) ++#if OPENSSL_VERSION_NUMBER < 0x10100000L || \ ++ (defined(LIBRESSL_VERSION_NUMBER) && \ ++ LIBRESSL_VERSION_NUMBER < 0x20700000L) + if (conn == NULL || conn->session_ticket_cb == NULL) + return 0; + diff --git a/net-wireless/hostapd/hostapd-2.6-r3.ebuild b/net-wireless/hostapd/hostapd-2.6-r3.ebuild new file mode 100644 index 00000000000..9b9078e5558 --- /dev/null +++ b/net-wireless/hostapd/hostapd-2.6-r3.ebuild @@ -0,0 +1,240 @@ +# Copyright 1999-2018 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +EAPI="6" + +inherit toolchain-funcs eutils systemd savedconfig + +DESCRIPTION="IEEE 802.11 wireless LAN Host AP daemon" +HOMEPAGE="http://hostap.epitest.fi"; +SRC_URI="http://hostap.epitest.fi/releases/${P}.tar.gz"; + +LICENSE="BSD" +SLOT="0" +KEYWORDS="~amd64 ~arm ~mips ~ppc ~x86" +IUSE="ipv6 libressl logwatch netlink sqlite +ssl +wps +crda" + +DEPEND=" + ssl? ( + !libressl? ( dev-libs/openssl:0=[-bindist] ) + libressl? ( dev-libs/libressl:0= ) + ) + kernel_linux? ( + dev-libs/libnl:3 + crda? ( net-wireless/crda ) + ) + netlink? ( net-libs/libnfnetlink ) + sqlite? ( >=dev-db/sqlite-3 )" + +RDEPEND="${DEPEND}" + +S="${S}/${PN}" + +src_prepare() { + # Allow users to apply patches to src/drivers for example, + # i.e. anything outside ${S}/${PN} + pushd ../ >/dev/null || die + + # Add LibreSSL compatibility patch bug (#567262) + eapply "${FILESDIR}/${P}-libressl-compatibility.patch" + + # https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt + eapply "${FILESDIR}/2017-1/rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch" + eapply "${FILESDIR}/2017-1/rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch" + eapply "${FILESDIR}/2017-1/rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch" + eapply "${FILESDIR}/2017-1/rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch" + eapply "${FILESDIR}/2017-1/rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch" + eapply "${FILESDIR}/2017-1/rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch" + eapply "${FILESDIR}/2017-1/rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch" + default + popd >/dev/null || die + + sed -i -e "s:/etc/hostapd:/etc/hostapd/hostapd:g" \ + "${S}/hostapd.conf" || die + +} + +src_configure() { + local CONFIG="${S}/.config" + + restore_config "${CONFIG}" + if [[ -f "${CONFIG}" ]]; then + default_src_configure + return 0 + fi + + # toolchain setup + echo "CC = $(tc-getCC)" > ${CONFIG} + + # EAP authentication methods + echo "CONFIG_EAP=y" >> ${CONFIG} + echo "CONFIG_ERP=y" >> ${CONFIG} + echo "CONFIG_EAP_MD5=y" >> ${CONFIG} + + if use ssl; then + # SSL authentication methods + echo "CONFIG_EAP_FAST=y" >> ${CONFIG} + echo "CONFIG_EAP_TLS=y" >> ${CONFIG} + echo "CONFIG_EAP_TTLS=y" >> ${CONFIG} + echo "CONFIG_EAP_MSCHAPV2=y" >> ${CONFIG} + echo "CONFIG_EAP_PEAP=y" >> ${CONFIG} + echo "CONFIG_TLSV11=y" >> ${CONFIG} + echo "CONFIG_TLSV12=y" >> ${CONFIG} + fi + + if use wps; then + # Enable Wi-Fi Protected Setup + echo "CONFIG_WPS=y" >> ${CONFIG} + echo "CONFIG_WPS2=y" >> ${CONFIG} + echo "CONFIG_WPS_UPNP=y" >> ${CONFIG} + echo "CONFIG_WPS_NFC=y" >> ${CONFIG} + einfo "Enabling Wi-Fi Protected Setup support" + fi + + echo "CONFIG_EAP_IKEV2=y" >> ${CONFIG} + echo "CONFIG_EAP_TNC=y" >> ${CONFIG} + echo "CONFIG_EAP_GTC=y" >> ${CONFIG} + echo "CONFIG_EAP_SIM=y" >> ${CONFIG} + echo "CONFIG_EAP_AKA=y" >> ${CONFIG} + echo "CONFIG_EAP_AKA_PRIME=y" >> ${CONFIG} + echo "CONFIG_EAP_EKE=y" >> ${CONFIG} + echo "CONFIG_EAP_PAX=y" >> ${CONFIG} + echo "CONFIG_EAP_PSK=y" >> ${CONFIG} + echo "CONFIG_EAP_SAKE=y" >> ${CONFIG} + echo "CONFIG_EAP_GPSK=y" >> ${CONFIG} + echo "CONFIG_EAP_GPSK_SHA256=y" >> ${CONFIG} + echo "CONFIG_EAP_PWD=y" >> ${CONFIG} + + einfo "Enabling drivers: " + + # drivers + echo "CONFIG_DRIVER_HOSTAP=y" >> ${CONFIG} + einfo " HostAP driver enabled" + echo "CONFIG_DRIVER_WIRED=y" >> ${CONFIG} + einfo " Wired driver enabled" + echo "CONFIG_DRIVER_PRISM54=y" >> ${CONFIG} + einfo " Prism54 driver enabled" + echo "CONFIG_DRIVER_NONE=y" >> ${CONFIG} + einfo " None driver enabled" + + einfo " nl80211 driver enabled" + echo "CONFIG_DRIVER_NL80211=y" >> ${CONFIG} + + # epoll + echo "CONFIG_ELOOP_EPOLL=y" >> ${CONFIG} + + # misc + echo "CONFIG_DEBUG_FILE=y" >> ${CONFIG} + echo "CONFIG_PKCS12=y" >> ${CONFIG} + echo "CONFIG_RADIUS_SERVER=y" >> ${CONFIG} + echo "CONFIG_IAPP=y" >> ${CONFIG} + echo "CONFIG_IEEE80211R=y" >> ${CONFIG} + echo "CONFIG_IEEE80211W=y" >> ${CONFIG} + echo "CONFIG_IEEE80211N=y" >> ${CONFIG} + echo "CONFIG_IEEE80211AC=y" >> ${CONFIG} + echo "CONFIG_PEERKEY=y" >> ${CONFIG} + echo "CONFIG_RSN_PREAUTH=y" >> ${CONFIG} + echo "CONFIG_INTERWORKING=y" >> ${CONFIG} + echo "CONFIG_FULL_DYNAMIC_VLAN=y" >> ${CONFIG} + echo "CONFIG_HS20=y" >> ${CONFIG} + echo "CONFIG_WNM=y" >> ${CONFIG} + echo "CONFIG_FST=y" >> ${CONFIG} + echo "CONFIG_FST_TEST=y" >> ${CONFIG} + echo "CONFIG_ACS=y" >> ${CONFIG} + + if use netlink; then + # Netlink support + echo "CONFIG_VLAN_NETLINK=y" >> ${CONFIG} + fi + + if use ipv6; then + # IPv6 support + echo "CONFIG_IPV6=y" >> ${CONFIG} + fi + + if use sqlite; then + # Sqlite support + echo "CONFIG_SQLITE=y" >> ${CONFIG} + fi + + # If we are using libnl 2.0 and above, enable support for it + # Removed for now, since the 3.2 version is broken, and we don't + # support it. + if has_version ">=dev-libs/libnl-3.2"; then + echo "CONFIG_LIBNL32=y" >> .config + fi + + # TODO: Add support for BSD drivers + + default_src_configure +} + +src_compile() { + emake V=1 + + if use ssl; then + emake V=1 nt_password_hash + emake V=1 hlr_auc_gw + fi +} + +src_install() { + insinto /etc/${PN} + doins ${PN}.{conf,accept,deny,eap_user,radius_clients,sim_db,wpa_psk} + + fperms -R 600 /etc/${PN} + + dosbin ${PN} + dobin ${PN}_cli + + use ssl && dobin nt_password_hash hlr_auc_gw + + newinitd "${FILESDIR}"/${PN}-init.d ${PN} + newconfd "${FILESDIR}"/${PN}-conf.d ${PN} + systemd_dounit "${FILESDIR}"/${PN}.service + + doman ${PN}{.8,_cli.1} + + dodoc ChangeLog README + use wps && dodoc README-WPS + + docinto examples + dodoc wired.conf + + if use logwatch; then + insinto /etc/log.d/conf/services/ + doins logwatch/${PN}.conf + + exeinto /etc/log.d/scripts/services/ + doexe logwatch/${PN} + fi + + save_config .config +} + +pkg_postinst() { + einfo + einfo "If you are running openRC you need to follow this instructions:" + einfo "In order to use ${PN} you need to set up your wireless card" + einfo "for master mode in /etc/conf.d/net and then start" + einfo "/etc/init.d/${PN}." + einfo + einfo "Example configuration:" + einfo + einfo "config_wlan0=( \"192.168.1.1/24\" )" + einfo "channel_wlan0=\"6\"" + einfo "essid_wlan0=\"test\"" + einfo "mode_wlan0=\"master\"" + einfo + #if [ -e "${KV_DIR}"/net/mac80211 ]; then + # einfo "This package now compiles against the headers installed by" + # einfo "the kernel source for the mac80211 driver. You should " + # einfo "re-emerge ${PN} after upgrading your kernel source." + #fi + + if use wps; then + einfo "You have enabled Wi-Fi Protected Setup support, please" + einfo "read the README-WPS file in /usr/share/doc/${P}" + einfo "for info on how to use WPS" + fi +}
