provide systemd service, fix configuration, add upstream security patches [release 2.9-2mamba;Wed Mar 03 2021]

2024-01-05 23:42:25 +01:00 · 2024-01-05 23:42:25 +01:00 · c526ca438b
commit c526ca438b
parent cee6e09655
8 changed files with 796 additions and 59 deletions
--- a/hostapd-2.9-P2P-Fix-a-corner-case-in-peer-addition-based-on-PD-R.patch
+++ b/hostapd-2.9-P2P-Fix-a-corner-case-in-peer-addition-based-on-PD-R.patch
@ -0,0 +1,50 @@
 From 8460e3230988ef2ec13ce6b69b687e941f6cdb32 Mon Sep 17 00:00:00 2001
 From: Jouni Malinen <jouni@codeaurora.org>
 Date: Tue, 8 Dec 2020 23:52:50 +0200
 Subject: [PATCH] P2P: Fix a corner case in peer addition based on PD Request
 p2p_add_device() may remove the oldest entry if there is no room in the
 peer table for a new peer. This would result in any pointer to that
 removed entry becoming stale. A corner case with an invalid PD Request
 frame could result in such a case ending up using (read+write) freed
 memory. This could only by triggered when the peer table has reached its
 maximum size and the PD Request frame is received from the P2P Device
 Address of the oldest remaining entry and the frame has incorrect P2P
 Device Address in the payload.
 Fix this by fetching the dev pointer again after having called
 p2p_add_device() so that the stale pointer cannot be used.
 Fixes: 17bef1e97a50 ("P2P: Add peer entry based on Provision Discovery Request")
 Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
 ---
 src/p2p/p2p_pd.c | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)
 diff --git a/src/p2p/p2p_pd.c b/src/p2p/p2p_pd.c
 index 3994ec03f86b..05fd593494ef 100644
 --- a/src/p2p/p2p_pd.c
 +++ b/src/p2p/p2p_pd.c
@@ -595,14 +595,12 @@ void p2p_process_prov_disc_req(struct p2p_data *p2p, const u8 *sa,
 			goto out;
 		}
 +		dev = p2p_get_device(p2p, sa);
 		if (!dev) {
 -			dev = p2p_get_device(p2p, sa);
 -			if (!dev) {
 -				p2p_dbg(p2p,
 -					"Provision Discovery device not found "
 -					MACSTR, MAC2STR(sa));
 -				goto out;
 -			}
 +			p2p_dbg(p2p,
 +				"Provision Discovery device not found "
 +				MACSTR, MAC2STR(sa));
 +			goto out;
 		}
 	} else if (msg.wfd_subelems) {
 		wpabuf_free(dev->info.wfd_subelems);
 -- 
 2.25.1
--- a/hostapd-2.9-P2P-Fix-copying-of-secondary-device-types-for-P2P-gr.patch
+++ b/hostapd-2.9-P2P-Fix-copying-of-secondary-device-types-for-P2P-gr.patch
@ -0,0 +1,38 @@
 From 947272febe24a8f0ea828b5b2f35f13c3821901e Mon Sep 17 00:00:00 2001
 From: Jouni Malinen <jouni@codeaurora.org>
 Date: Mon, 9 Nov 2020 11:43:12 +0200
 Subject: [PATCH] P2P: Fix copying of secondary device types for P2P group
 client
 Parsing and copying of WPS secondary device types list was verifying
 that the contents is not too long for the internal maximum in the case
 of WPS messages, but similar validation was missing from the case of P2P
 group information which encodes this information in a different
 attribute. This could result in writing beyond the memory area assigned
 for these entries and corrupting memory within an instance of struct
 p2p_device. This could result in invalid operations and unexpected
 behavior when trying to free pointers from that corrupted memory.
 Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27269
 Fixes: e57ae6e19edf ("P2P: Keep track of secondary device types for peers")
 Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
 ---
 src/p2p/p2p.c | 2 ++
 1 file changed, 2 insertions(+)
 diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c
 index 74b7b52ae05c..5cbfc217fc1f 100644
 --- a/src/p2p/p2p.c
 +++ b/src/p2p/p2p.c
@@ -453,6 +453,8 @@ static void p2p_copy_client_info(struct p2p_device *dev,
 	dev->info.config_methods = cli->config_methods;
 	os_memcpy(dev->info.pri_dev_type, cli->pri_dev_type, 8);
 	dev->info.wps_sec_dev_type_list_len = 8 * cli->num_sec_dev_types;
 +	if (dev->info.wps_sec_dev_type_list_len > WPS_SEC_DEV_TYPE_MAX_LEN)
 +		dev->info.wps_sec_dev_type_list_len = WPS_SEC_DEV_TYPE_MAX_LEN;
 	os_memcpy(dev->info.wps_sec_dev_type_list, cli->sec_dev_types,
 		  dev->info.wps_sec_dev_type_list_len);
 }
 -- 
 2.25.1
--- a/hostapd-2.9-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs.patch
+++ b/hostapd-2.9-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs.patch
@ -0,0 +1,150 @@
 From 5b78c8f961f25f4dc22d6f2b77ddd06d712cec63 Mon Sep 17 00:00:00 2001
 From: Jouni Malinen <jouni@codeaurora.org>
 Date: Wed, 3 Jun 2020 23:17:35 +0300
 Subject: [PATCH 1/3] WPS UPnP: Do not allow event subscriptions with URLs to
 other networks
 The UPnP Device Architecture 2.0 specification errata ("UDA errata
 16-04-2020.docx") addresses a problem with notifications being allowed
 to go out to other domains by disallowing such cases. Do such filtering
 for the notification callback URLs to avoid undesired connections to
 external networks based on subscriptions that any device in the local
 network could request when WPS support for external registrars is
 enabled (the upnp_iface parameter in hostapd configuration).
 Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
 ---
 src/wps/wps_er.c     |  2 +-
 src/wps/wps_upnp.c   | 38 ++++++++++++++++++++++++++++++++++++--
 src/wps/wps_upnp_i.h |  3 ++-
 3 files changed, 39 insertions(+), 4 deletions(-)
 diff --git a/src/wps/wps_er.c b/src/wps/wps_er.c
 index 6bded14327f8..31d2e50e4cff 100644
 --- a/src/wps/wps_er.c
 +++ b/src/wps/wps_er.c
@@ -1298,7 +1298,7 @@ wps_er_init(struct wps_context *wps, const char *ifname, const char *filter)
 			   "with %s", filter);
 	}
 	if (get_netif_info(er->ifname, &er->ip_addr, &er->ip_addr_text,
 -			   er->mac_addr)) {
 +			   NULL, er->mac_addr)) {
 		wpa_printf(MSG_INFO, "WPS UPnP: Could not get IP/MAC address "
 			   "for %s. Does it have IP address?", er->ifname);
 		wps_er_deinit(er, NULL, NULL);
 diff --git a/src/wps/wps_upnp.c b/src/wps/wps_upnp.c
 index 6e10e4bc0c3f..7d4b7439940e 100644
 --- a/src/wps/wps_upnp.c
 +++ b/src/wps/wps_upnp.c
@@ -303,6 +303,14 @@ static void subscr_addr_free_all(struct subscription *s)
 }
 +static int local_network_addr(struct upnp_wps_device_sm *sm,
 +			      struct sockaddr_in *addr)
 +{
 +	return (addr->sin_addr.s_addr & sm->netmask.s_addr) ==
 +		(sm->ip_addr & sm->netmask.s_addr);
 +}
 +
 +
 /* subscr_addr_add_url -- add address(es) for one url to subscription */
 static void subscr_addr_add_url(struct subscription *s, const char *url,
 				size_t url_len)
@@ -381,6 +389,7 @@ static void subscr_addr_add_url(struct subscription *s, const char *url,
 	for (rp = result; rp; rp = rp->ai_next) {
 		struct subscr_addr *a;
 +		struct sockaddr_in *addr = (struct sockaddr_in *) rp->ai_addr;
 		/* Limit no. of address to avoid denial of service attack */
 		if (dl_list_len(&s->addr_list) >= MAX_ADDR_PER_SUBSCRIPTION) {
@@ -389,6 +398,13 @@ static void subscr_addr_add_url(struct subscription *s, const char *url,
 			break;
 		}
 +		if (!local_network_addr(s->sm, addr)) {
 +			wpa_printf(MSG_INFO,
 +				   "WPS UPnP: Ignore a delivery URL that points to another network %s",
 +				   inet_ntoa(addr->sin_addr));
 +			continue;
 +		}
 +
 		a = os_zalloc(sizeof(*a) + alloc_len);
 		if (a == NULL)
 			break;
@@ -890,11 +906,12 @@ static int eth_get(const char *device, u8 ea[ETH_ALEN])
  * @net_if: Selected network interface name
  * @ip_addr: Buffer for returning IP address in network byte order
  * @ip_addr_text: Buffer for returning a pointer to allocated IP address text
 + * @netmask: Buffer for returning netmask or %NULL if not needed
  * @mac: Buffer for returning MAC address
  * Returns: 0 on success, -1 on failure
  */
 int get_netif_info(const char *net_if, unsigned *ip_addr, char **ip_addr_text,
 -		   u8 mac[ETH_ALEN])
 +		   struct in_addr *netmask, u8 mac[ETH_ALEN])
 {
 	struct ifreq req;
 	int sock = -1;
@@ -920,6 +937,19 @@ int get_netif_info(const char *net_if, unsigned *ip_addr, char **ip_addr_text,
 	in_addr.s_addr = *ip_addr;
 	os_snprintf(*ip_addr_text, 16, "%s", inet_ntoa(in_addr));
 +	if (netmask) {
 +		os_memset(&req, 0, sizeof(req));
 +		os_strlcpy(req.ifr_name, net_if, sizeof(req.ifr_name));
 +		if (ioctl(sock, SIOCGIFNETMASK, &req) < 0) {
 +			wpa_printf(MSG_ERROR,
 +				   "WPS UPnP: SIOCGIFNETMASK failed: %d (%s)",
 +				   errno, strerror(errno));
 +			goto fail;
 +		}
 +		addr = (struct sockaddr_in *) &req.ifr_netmask;
 +		netmask->s_addr = addr->sin_addr.s_addr;
 +	}
 +
 #ifdef __linux__
 	os_strlcpy(req.ifr_name, net_if, sizeof(req.ifr_name));
 	if (ioctl(sock, SIOCGIFHWADDR, &req) < 0) {
@@ -1026,11 +1056,15 @@ static int upnp_wps_device_start(struct upnp_wps_device_sm *sm, char *net_if)
 	/* Determine which IP and mac address we're using */
 	if (get_netif_info(net_if, &sm->ip_addr, &sm->ip_addr_text,
 -			   sm->mac_addr)) {
 +			   &sm->netmask, sm->mac_addr)) {
 		wpa_printf(MSG_INFO, "WPS UPnP: Could not get IP/MAC address "
 			   "for %s. Does it have IP address?", net_if);
 		goto fail;
 	}
 +	wpa_printf(MSG_DEBUG, "WPS UPnP: Local IP address %s netmask %s hwaddr "
 +		   MACSTR,
 +		   sm->ip_addr_text, inet_ntoa(sm->netmask),
 +		   MAC2STR(sm->mac_addr));
 	/* Listen for incoming TCP connections so that others
 	 * can fetch our "xml files" from us.
 diff --git a/src/wps/wps_upnp_i.h b/src/wps/wps_upnp_i.h
 index e87a93232df1..6ead7b4e9a30 100644
 --- a/src/wps/wps_upnp_i.h
 +++ b/src/wps/wps_upnp_i.h
@@ -128,6 +128,7 @@ struct upnp_wps_device_sm {
 	u8 mac_addr[ETH_ALEN]; /* mac addr of network i.f. we use */
 	char *ip_addr_text; /* IP address of network i.f. we use */
 	unsigned ip_addr; /* IP address of network i.f. we use (host order) */
 +	struct in_addr netmask;
 	int multicast_sd; /* send multicast messages over this socket */
 	int ssdp_sd; /* receive discovery UPD packets on socket */
 	int ssdp_sd_registered; /* nonzero if we must unregister */
@@ -158,7 +159,7 @@ struct subscription * subscription_find(struct upnp_wps_device_sm *sm,
 					const u8 uuid[UUID_LEN]);
 void subscr_addr_delete(struct subscr_addr *a);
 int get_netif_info(const char *net_if, unsigned *ip_addr, char **ip_addr_text,
 -		   u8 mac[ETH_ALEN]);
 +		   struct in_addr *netmask, u8 mac[ETH_ALEN]);
 /* wps_upnp_ssdp.c */
 void msearchreply_state_machine_stop(struct advertisement_state_machine *a);
 -- 
 2.20.1
--- a/hostapd-2.9-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch
+++ b/hostapd-2.9-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch
@ -0,0 +1,59 @@
 From f7d268864a2660b7239b9a8ff5ad37faeeb751ba Mon Sep 17 00:00:00 2001
 From: Jouni Malinen <jouni@codeaurora.org>
 Date: Wed, 3 Jun 2020 22:41:02 +0300
 Subject: [PATCH 2/3] WPS UPnP: Fix event message generation using a long URL
 path
 More than about 700 character URL ended up overflowing the wpabuf used
 for building the event notification and this resulted in the wpabuf
 buffer overflow checks terminating the hostapd process. Fix this by
 allocating the buffer to be large enough to contain the full URL path.
 However, since that around 700 character limit has been the practical
 limit for more than ten years, start explicitly enforcing that as the
 limit or the callback URLs since any longer ones had not worked before
 and there is no need to enable them now either.
 Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
 ---
 src/wps/wps_upnp.c       | 9 +++++++--
 src/wps/wps_upnp_event.c | 3 ++-
 2 files changed, 9 insertions(+), 3 deletions(-)
 diff --git a/src/wps/wps_upnp.c b/src/wps/wps_upnp.c
 index 7d4b7439940e..ab685d52ecab 100644
 --- a/src/wps/wps_upnp.c
 +++ b/src/wps/wps_upnp.c
@@ -328,9 +328,14 @@ static void subscr_addr_add_url(struct subscription *s, const char *url,
 	int rerr;
 	size_t host_len, path_len;
 -	/* url MUST begin with http: */
 -	if (url_len < 7 || os_strncasecmp(url, "http://", 7))
 +	/* URL MUST begin with HTTP scheme. In addition, limit the length of
 +	 * the URL to 700 characters which is around the limit that was
 +	 * implicitly enforced for more than 10 years due to a bug in
 +	 * generating the event messages. */
 +	if (url_len < 7 || os_strncasecmp(url, "http://", 7) || url_len > 700) {
 +		wpa_printf(MSG_DEBUG, "WPS UPnP: Reject an unacceptable URL");
 		goto fail;
 +	}
 	url += 7;
 	url_len -= 7;
 diff --git a/src/wps/wps_upnp_event.c b/src/wps/wps_upnp_event.c
 index d7e6edcc6503..08a23612f338 100644
 --- a/src/wps/wps_upnp_event.c
 +++ b/src/wps/wps_upnp_event.c
@@ -147,7 +147,8 @@ static struct wpabuf * event_build_message(struct wps_event_ *e)
 	struct wpabuf *buf;
 	char *b;
 -	buf = wpabuf_alloc(1000 + wpabuf_len(e->data));
 +	buf = wpabuf_alloc(1000 + os_strlen(e->addr->path) +
 +			   wpabuf_len(e->data));
 	if (buf == NULL)
 		return NULL;
 	wpabuf_printf(buf, "NOTIFY %s HTTP/1.1\r\n", e->addr->path);
 -- 
 2.20.1
--- a/hostapd-2.9-WPS-UPnP-Handle-HTTP-initiation-failures-for-events.patch
+++ b/hostapd-2.9-WPS-UPnP-Handle-HTTP-initiation-failures-for-events.patch
@ -0,0 +1,47 @@
 From 85aac526af8612c21b3117dadc8ef5944985b476 Mon Sep 17 00:00:00 2001
 From: Jouni Malinen <jouni@codeaurora.org>
 Date: Thu, 4 Jun 2020 21:24:04 +0300
 Subject: [PATCH 3/3] WPS UPnP: Handle HTTP initiation failures for events more
 properly
 While it is appropriate to try to retransmit the event to another
 callback URL on a failure to initiate the HTTP client connection, there
 is no point in trying the exact same operation multiple times in a row.
 Replve the event_retry() calls with event_addr_failure() for these cases
 to avoid busy loops trying to repeat the same failing operation.
 These potential busy loops would go through eloop callbacks, so the
 process is not completely stuck on handling them, but unnecessary CPU
 would be used to process the continues retries that will keep failing
 for the same reason.
 Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
 ---
 src/wps/wps_upnp_event.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/src/wps/wps_upnp_event.c b/src/wps/wps_upnp_event.c
 index 08a23612f338..c0d9e41d9a38 100644
 --- a/src/wps/wps_upnp_event.c
 +++ b/src/wps/wps_upnp_event.c
@@ -294,7 +294,7 @@ static int event_send_start(struct subscription *s)
 	buf = event_build_message(e);
 	if (buf == NULL) {
 -		event_retry(e, 0);
 +		event_addr_failure(e);
 		return -1;
 	}
@@ -302,7 +302,7 @@ static int event_send_start(struct subscription *s)
 					 event_http_cb, e);
 	if (e->http_event == NULL) {
 		wpabuf_free(buf);
 -		event_retry(e, 0);
 +		event_addr_failure(e);
 		return -1;
 	}
 -- 
 2.20.1
--- a/448
+++ b/448
@ -1,54 +1,396 @@
-# Enable WPA. Setting this variable configures the AP to require WPA (either
+# Example hostapd build time configuration
 # WPA-PSK or WPA-RADIUS/EAP based on other configuration). For WPA-PSK, either
 # wpa_psk or wpa_passphrase must be set and wpa_key_mgmt must include WPA-PSK.
 # For WPA-RADIUS/EAP, ieee8021x must be set (but without dynamic WEP keys),
 # RADIUS authentication server must be configured, and WPA-EAP must be included
 # in wpa_key_mgmt.
 # This field is a bit field that can be used to enable WPA (IEEE 802.11i/D3.0)
 # and/or WPA2 (full IEEE 802.11i/RSN):
 # bit0 = WPA
 # bit1 = IEEE 802.11i/RSN (WPA2)
 #wpa=1
 # WPA pre-shared keys for WPA-PSK. This can be either entered as a 256-bit
 # secret in hex format (64 hex digits), wpa_psk, or as an ASCII passphrase
 # (8..63 characters) that will be converted to PSK. This conversion uses SSID
 # so the PSK changes when ASCII passphrase is used and the SSID is changed.
 #wpa_psk=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
 #wpa_passphrase=secret passphrase
 # Set of accepted key management algorithms (WPA-PSK, WPA-EAP, or both). The
 # entries are separated with a space.
 #wpa_key_mgmt=WPA-PSK WPA-EAP
 # Set of accepted cipher suites (encryption algorithms) for pairwise keys
 # (unicast packets). This is a space separated list of algorithms:
 # CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i]
 # TKIP = Temporal Key Integrity Protocol [IEEE 802.11i]
 # Group cipher suite (encryption algorithm for broadcast and multicast frames)
 # is automatically selected based on this configuration. If only CCMP is
 # allowed as the pairwise cipher, group cipher will also be CCMP. Otherwise,
 # TKIP will be used as the group cipher.
 #wpa_pairwise=TKIP CCMP
 # Time interval for rekeying GTK (broadcast/multicast encryption keys) in
 # seconds.
 #wpa_group_rekey=600
 # Time interval for rekeying GMK (master key used internally to generate GTKs
 # (in seconds).
 #wpa_gmk_rekey=86400
 # Enable IEEE 802.11i/RSN/WPA2 pre-authentication. This is used to speed up
 # roaming be pre-authenticating IEEE 802.1X/EAP part of the full RSN
 # authentication and key handshake before actually associating with a new AP.
 #rsn_preauth=1
 #
-# Space separated list of interfaces from which pre-authentication frames are
+# This file lists the configuration options that are used when building the
-# accepted (e.g., 'eth0' or 'eth0 wlan0wds0'. This list should include all
+# hostapd binary. All lines starting with # are ignored. Configuration option
-# interface that are used for connections to other APs. This could include
+# lines must be commented out complete, if they are not to be included, i.e.,
-# wired interfaces and WDS links. The normal wireless data interface towards
+# just setting VARIABLE=n is not disabling that variable.
-# associated stations (e.g., wlan0) should not be added, since
+#
-# pre-authentication is only used with APs other than the currently associated
+# This file is included in Makefile, so variables like CFLAGS and LIBS can also
-# one.
+# be modified from here. In most cass, these lines should use += in order not
-#rsn_preauth_interfaces=eth0
+# to override previous values of the variables.
 # Driver interface for Host AP driver
 CONFIG_DRIVER_HOSTAP=y
 # Driver interface for wired authenticator
 CONFIG_DRIVER_WIRED=y
 # Driver interface for drivers using the nl80211 kernel interface
 CONFIG_DRIVER_NL80211=y
 # QCA vendor extensions to nl80211
 #CONFIG_DRIVER_NL80211_QCA=y
 # driver_nl80211.c requires libnl. If you are compiling it yourself
 # you may need to point hostapd to your version of libnl.
 #
 #CFLAGS += -I$<path to libnl include files>
 #LIBS += -L$<path to libnl library files>
 # Use libnl v2.0 (or 3.0) libraries.
 #CONFIG_LIBNL20=y
 # Use libnl 3.2 libraries (if this is selected, CONFIG_LIBNL20 is ignored)
 CONFIG_LIBNL32=y
 # Driver interface for FreeBSD net80211 layer (e.g., Atheros driver)
 #CONFIG_DRIVER_BSD=y
 #CFLAGS += -I/usr/local/include
 #LIBS += -L/usr/local/lib
 #LIBS_p += -L/usr/local/lib
 #LIBS_c += -L/usr/local/lib
 # Driver interface for no driver (e.g., RADIUS server only)
 #CONFIG_DRIVER_NONE=y
 # IEEE 802.11F/IAPP
 CONFIG_IAPP=y
 # WPA2/IEEE 802.11i RSN pre-authentication
 CONFIG_RSN_PREAUTH=y
 # IEEE 802.11w (management frame protection)
 CONFIG_IEEE80211W=y
 # Support Operating Channel Validation
 #CONFIG_OCV=y
 # Integrated EAP server
 CONFIG_EAP=y
 # EAP Re-authentication Protocol (ERP) in integrated EAP server
 CONFIG_ERP=y
 # EAP-MD5 for the integrated EAP server
 CONFIG_EAP_MD5=y
 # EAP-TLS for the integrated EAP server
 CONFIG_EAP_TLS=y
 # EAP-MSCHAPv2 for the integrated EAP server
 CONFIG_EAP_MSCHAPV2=y
 # EAP-PEAP for the integrated EAP server
 CONFIG_EAP_PEAP=y
 # EAP-GTC for the integrated EAP server
 CONFIG_EAP_GTC=y
 # EAP-TTLS for the integrated EAP server
 CONFIG_EAP_TTLS=y
 # EAP-SIM for the integrated EAP server
 CONFIG_EAP_SIM=y
 # EAP-AKA for the integrated EAP server
 CONFIG_EAP_AKA=y
 # EAP-AKA' for the integrated EAP server
 # This requires CONFIG_EAP_AKA to be enabled, too.
 #CONFIG_EAP_AKA_PRIME=y
 # EAP-PAX for the integrated EAP server
 CONFIG_EAP_PAX=y
 # EAP-PSK for the integrated EAP server (this is _not_ needed for WPA-PSK)
 CONFIG_EAP_PSK=y
 # EAP-pwd for the integrated EAP server (secure authentication with a password)
 #CONFIG_EAP_PWD=y
 # EAP-SAKE for the integrated EAP server
 CONFIG_EAP_SAKE=y
 # EAP-GPSK for the integrated EAP server
 CONFIG_EAP_GPSK=y
 # Include support for optional SHA256 cipher suite in EAP-GPSK
 CONFIG_EAP_GPSK_SHA256=y
 # EAP-FAST for the integrated EAP server
 #CONFIG_EAP_FAST=y
 # EAP-TEAP for the integrated EAP server
 # Note: The current EAP-TEAP implementation is experimental and should not be
 # enabled for production use. The IETF RFC 7170 that defines EAP-TEAP has number
 # of conflicting statements and missing details and the implementation has
 # vendor specific workarounds for those and as such, may not interoperate with
 # any other implementation. This should not be used for anything else than
 # experimentation and interoperability testing until those issues has been
 # resolved.
 #CONFIG_EAP_TEAP=y
 # Wi-Fi Protected Setup (WPS)
 CONFIG_WPS=y
 # Enable UPnP support for external WPS Registrars
 CONFIG_WPS_UPNP=y
 # Enable WPS support with NFC config method
 CONFIG_WPS_NFC=y
 # EAP-IKEv2
 #CONFIG_EAP_IKEV2=y
 # Trusted Network Connect (EAP-TNC)
 #CONFIG_EAP_TNC=y
 # EAP-EKE for the integrated EAP server
 #CONFIG_EAP_EKE=y
 # PKCS#12 (PFX) support (used to read private key and certificate file from
 # a file that usually has extension .p12 or .pfx)
 CONFIG_PKCS12=y
 # RADIUS authentication server. This provides access to the integrated EAP
 # server from external hosts using RADIUS.
 CONFIG_RADIUS_SERVER=y
 # Build IPv6 support for RADIUS operations
 CONFIG_IPV6=y
 # IEEE Std 802.11r-2008 (Fast BSS Transition)
 CONFIG_IEEE80211R=y
 # Use the hostapd's IEEE 802.11 authentication (ACL), but without
 # the IEEE 802.11 Management capability (e.g., FreeBSD/net80211)
 #CONFIG_DRIVER_RADIUS_ACL=y
 # IEEE 802.11n (High Throughput) support
 CONFIG_IEEE80211N=y
 # Wireless Network Management (IEEE Std 802.11v-2011)
 # Note: This is experimental and not complete implementation.
 #CONFIG_WNM=y
 # IEEE 802.11ac (Very High Throughput) support
 CONFIG_IEEE80211AC=y
 # IEEE 802.11ax HE support
 # Note: This is experimental and work in progress. The definitions are still
 # subject to change and this should not be expected to interoperate with the
 # final IEEE 802.11ax version.
 #CONFIG_IEEE80211AX=y
 # Remove debugging code that is printing out debug messages to stdout.
 # This can be used to reduce the size of the hostapd considerably if debugging
 # code is not needed.
 #CONFIG_NO_STDOUT_DEBUG=y
 # Add support for writing debug log to a file: -f /tmp/hostapd.log
 # Disabled by default.
 #CONFIG_DEBUG_FILE=y
 # Send debug messages to syslog instead of stdout
 #CONFIG_DEBUG_SYSLOG=y
 # Add support for sending all debug messages (regardless of debug verbosity)
 # to the Linux kernel tracing facility. This helps debug the entire stack by
 # making it easy to record everything happening from the driver up into the
 # same file, e.g., using trace-cmd.
 #CONFIG_DEBUG_LINUX_TRACING=y
 # Remove support for RADIUS accounting
 #CONFIG_NO_ACCOUNTING=y
 # Remove support for RADIUS
 #CONFIG_NO_RADIUS=y
 # Remove support for VLANs
 #CONFIG_NO_VLAN=y
 # Enable support for fully dynamic VLANs. This enables hostapd to
 # automatically create bridge and VLAN interfaces if necessary.
 #CONFIG_FULL_DYNAMIC_VLAN=y
 # Use netlink-based kernel API for VLAN operations instead of ioctl()
 # Note: This requires libnl 3.1 or newer.
 #CONFIG_VLAN_NETLINK=y
 # Remove support for dumping internal state through control interface commands
 # This can be used to reduce binary size at the cost of disabling a debugging
 # option.
 #CONFIG_NO_DUMP_STATE=y
 # Enable tracing code for developer debugging
 # This tracks use of memory allocations and other registrations and reports
 # incorrect use with a backtrace of call (or allocation) location.
 #CONFIG_WPA_TRACE=y
 # For BSD, comment out these.
 #LIBS += -lexecinfo
 #LIBS_p += -lexecinfo
 #LIBS_c += -lexecinfo
 # Use libbfd to get more details for developer debugging
 # This enables use of libbfd to get more detailed symbols for the backtraces
 # generated by CONFIG_WPA_TRACE=y.
 #CONFIG_WPA_TRACE_BFD=y
 # For BSD, comment out these.
 #LIBS += -lbfd -liberty -lz
 #LIBS_p += -lbfd -liberty -lz
 #LIBS_c += -lbfd -liberty -lz
 # hostapd depends on strong random number generation being available from the
 # operating system. os_get_random() function is used to fetch random data when
 # needed, e.g., for key generation. On Linux and BSD systems, this works by
 # reading /dev/urandom. It should be noted that the OS entropy pool needs to be
 # properly initialized before hostapd is started. This is important especially
 # on embedded devices that do not have a hardware random number generator and
 # may by default start up with minimal entropy available for random number
 # generation.
 #
 # As a safety net, hostapd is by default trying to internally collect
 # additional entropy for generating random data to mix in with the data
 # fetched from the OS. This by itself is not considered to be very strong, but
 # it may help in cases where the system pool is not initialized properly.
 # However, it is very strongly recommended that the system pool is initialized
 # with enough entropy either by using hardware assisted random number
 # generator or by storing state over device reboots.
 #
 # hostapd can be configured to maintain its own entropy store over restarts to
 # enhance random number generation. This is not perfect, but it is much more
 # secure than using the same sequence of random numbers after every reboot.
 # This can be enabled with -e<entropy file> command line option. The specified
 # file needs to be readable and writable by hostapd.
 #
 # If the os_get_random() is known to provide strong random data (e.g., on
 # Linux/BSD, the board in question is known to have reliable source of random
 # data from /dev/urandom), the internal hostapd random pool can be disabled.
 # This will save some in binary size and CPU use. However, this should only be
 # considered for builds that are known to be used on devices that meet the
 # requirements described above.
 #CONFIG_NO_RANDOM_POOL=y
 # Should we attempt to use the getrandom(2) call that provides more reliable
 # yet secure randomness source than /dev/random on Linux 3.17 and newer.
 # Requires glibc 2.25 to build, falls back to /dev/random if unavailable.
 #CONFIG_GETRANDOM=y
 # Should we use poll instead of select? Select is used by default.
 #CONFIG_ELOOP_POLL=y
 # Should we use epoll instead of select? Select is used by default.
 #CONFIG_ELOOP_EPOLL=y
 # Should we use kqueue instead of select? Select is used by default.
 #CONFIG_ELOOP_KQUEUE=y
 # Select TLS implementation
 # openssl = OpenSSL (default)
 # gnutls = GnuTLS
 # internal = Internal TLSv1 implementation (experimental)
 # linux = Linux kernel AF_ALG and internal TLSv1 implementation (experimental)
 # none = Empty template
 #CONFIG_TLS=openssl
 # TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1)
 # can be enabled to get a stronger construction of messages when block ciphers
 # are used.
 #CONFIG_TLSV11=y
 # TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2)
 # can be enabled to enable use of stronger crypto algorithms.
 #CONFIG_TLSV12=y
 # Select which ciphers to use by default with OpenSSL if the user does not
 # specify them.
 #CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW"
 # If CONFIG_TLS=internal is used, additional library and include paths are
 # needed for LibTomMath. Alternatively, an integrated, minimal version of
 # LibTomMath can be used. See beginning of libtommath.c for details on benefits
 # and drawbacks of this option.
 #CONFIG_INTERNAL_LIBTOMMATH=y
 #ifndef CONFIG_INTERNAL_LIBTOMMATH
 #LTM_PATH=/usr/src/libtommath-0.39
 #CFLAGS += -I$(LTM_PATH)
 #LIBS += -L$(LTM_PATH)
 #LIBS_p += -L$(LTM_PATH)
 #endif
 # At the cost of about 4 kB of additional binary size, the internal LibTomMath
 # can be configured to include faster routines for exptmod, sqr, and div to
 # speed up DH and RSA calculation considerably
 #CONFIG_INTERNAL_LIBTOMMATH_FAST=y
 # Interworking (IEEE 802.11u)
 # This can be used to enable functionality to improve interworking with
 # external networks.
 #CONFIG_INTERWORKING=y
 # Hotspot 2.0
 #CONFIG_HS20=y
 # Enable SQLite database support in hlr_auc_gw, EAP-SIM DB, and eap_user_file
 CONFIG_SQLITE=y
 # Enable Fast Session Transfer (FST)
 #CONFIG_FST=y
 # Enable CLI commands for FST testing
 #CONFIG_FST_TEST=y
 # Testing options
 # This can be used to enable some testing options (see also the example
 # configuration file) that are really useful only for testing clients that
 # connect to this hostapd. These options allow, for example, to drop a
 # certain percentage of probe requests or auth/(re)assoc frames.
 #
 #CONFIG_TESTING_OPTIONS=y
 # Automatic Channel Selection
 # This will allow hostapd to pick the channel automatically when channel is set
 # to "acs_survey" or "0". Eventually, other ACS algorithms can be added in
 # similar way.
 #
 # Automatic selection is currently only done through initialization, later on
 # we hope to do background checks to keep us moving to more ideal channels as
 # time goes by. ACS is currently only supported through the nl80211 driver and
 # your driver must have survey dump capability that is filled by the driver
 # during scanning.
 #
 # You can customize the ACS survey algorithm with the hostapd.conf variable
 # acs_num_scans.
 #
 # Supported ACS drivers:
 # * ath9k
 # * ath5k
 # * ath10k
 #
 # For more details refer to:
 # http://wireless.kernel.org/en/users/Documentation/acs
 #
 CONFIG_ACS=y
 # Multiband Operation support
 # These extentions facilitate efficient use of multiple frequency bands
 # available to the AP and the devices that may associate with it.
 #CONFIG_MBO=y
 # Client Taxonomy
 # Has the AP retain the Probe Request and (Re)Association Request frames from
 # a client, from which a signature can be produced which can identify the model
 # of client device like "Nexus 6P" or "iPhone 5s".
 #CONFIG_TAXONOMY=y
 # Fast Initial Link Setup (FILS) (IEEE 802.11ai)
 #CONFIG_FILS=y
 # FILS shared key authentication with PFS
 #CONFIG_FILS_SK_PFS=y
 # Include internal line edit mode in hostapd_cli. This can be used to provide
 # limited command line editing and history support.
 #CONFIG_WPA_CLI_EDIT=y
 # Opportunistic Wireless Encryption (OWE)
 # Experimental implementation of draft-harkins-owe-07.txt
 #CONFIG_OWE=y
 # Airtime policy support
 #CONFIG_AIRTIME_POLICY=y
 # Override default value for the wpa_disable_eapol_key_retries configuration
 # parameter. See that parameter in hostapd.conf for more details.
 #CFLAGS += -DDEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES=1
 # custom configuration options
 CONFIG_MESH=y
 CONFIG_SAE=y
 CONFIG_WPS2=y
--- a/hostapd.service
+++ b/hostapd.service
@ -0,0 +1,10 @@
 [Unit]
 Description=Hostapd IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator
 After=network.target
 [Service]
 ExecStart=/usr/bin/hostapd /etc/hostapd.conf
 ExecReload=/bin/kill -HUP $MAINPID
 [Install]
 WantedBy=multi-user.target
--- a/hostapd.spec
+++ b/hostapd.spec
@ -1,21 +1,27 @@
 Name:          hostapd
 Version:       2.9
-Release:       1mamba
+Release:       2mamba
 Summary:       A user space daemon for access point and authentication servers
 Group:         Applications/Networking
 Vendor:        openmamba
 Distribution:  openmamba
 Packager:      Silvan Calarco <silvan.calarco@mambasoft.it>
-URL:           http://hostap.epitest.fi/hostapd/
+URL:           https://w1.fi/hostapd/
-Source:        http://hostap.epitest.fi/releases/hostapd-%{version}.tar.gz
+Source:        https://w1.fi/releases/hostapd-%{version}.tar.gz
 Source1:       hostapd-config
 Source2:       hostapd.service
 # Patches from https://w1.fi/security/
 Patch0:        hostapd-2.6-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch.patch
 Patch1:        hostapd-2.9-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs.patch
 Patch2:        hostapd-2.9-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch
 Patch3:        hostapd-2.9-WPS-UPnP-Handle-HTTP-initiation-failures-for-events.patch
 Patch4:        hostapd-2.9-P2P-Fix-copying-of-secondary-device-types-for-P2P-gr.patch
 Patch5:        hostapd-2.9-P2P-Fix-a-corner-case-in-peer-addition-based-on-PD-R.patch
 License:       BSD
 ## AUTOBUILDREQ-BEGIN
 BuildRequires: glibc-devel
 BuildRequires: libopenssl-devel
 ## AUTOBUILDREQ-END
 BuildRoot:     %{_tmppath}/%{name}-%{version}-root
 %description
 hostapd is a user space daemon for access point and authentication servers. It implements IEEE 802.11 access point management, IEEE 802.1X/WPA/WPA2/EAP Authenticators, RADIUS client, EAP server, and RADIUS authentication server. The current version supports Linux (Host AP, madwifi, mac80211-based drivers) and FreeBSD (net80211).
@ -26,6 +32,11 @@ hostapd is designed to be a "daemon" program that runs in the background and act
 %prep
 %setup -q
 #%patch0 -p1
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
 install %{SOURCE1} hostapd/.config
@ -42,18 +53,48 @@ install -D -m0644 hostapd/wired.conf %{buildroot}%{_sysconfdir}/hostapd-wired.co
 %makeinstall -C src
 # install service
 install -D -m0644 %{SOURCE2} %{buildroot}%{_unitdir}/hostapd.service
 # install man pages
 install -D -m0644 hostapd/hostapd.8 %{buildroot}%{_mandir}/man8/hostapd.8
 install -D -m0644 hostapd/hostapd_cli.1 %{buildroot}%{_mandir}/man1/hostapd_cli.1
 # create state dir
 install -d -m0750 %{buildroot}/var/lib/hostapd
 %clean
 [ "%{buildroot}" != / ] && rm -rf "%{buildroot}"
 %post
 %systemd_post hostapd
 :
 %preun
 %systemd_preun hostapd
 :
 %postun
 %systemd_postun_with_restart hostapd
 :
 %files
 %defattr(-,root,root)
-%{_sysconfdir}/hostapd.conf
+%config(noreplace) %{_sysconfdir}/hostapd.conf
-%{_sysconfdir}/hostapd-wired.conf
+%config(noreplace) %{_sysconfdir}/hostapd-wired.conf
 %{_bindir}/hostapd
 %{_bindir}/hostapd_cli
 %{_unitdir}/hostapd.service
 %{_mandir}/man1/hostapd_cli.1*
 %{_mandir}/man8/hostapd.8*
 %dir /var/lib/hostapd
 %doc COPYING
 %changelog
 * Wed Mar 03 2021 Silvan Calarco <silvan.calarco@mambasoft.it> 2.9-2mamba
 - provide systemd service, fix configuration, add upstream security patches
 * Fri Aug 09 2019 Automatic Build System <autodist@mambasoft.it> 2.9-1mamba
 - automatic version update by autodist